From dd213ea9a9df1f4c1d8b5bd64bfc79d7284262cd Mon Sep 17 00:00:00 2001
From: Luca Prete <preteluca@gmail.com>
Date: Tue, 23 Apr 2024 15:19:38 +0200
Subject: [PATCH 01/31] Fix permissions for branch network dev - read sa
 (#2233)

Co-authored-by: Luca Prete <lucaprete@google.com>
---
 fast/stages/1-resman/branch-networking.tf | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/fast/stages/1-resman/branch-networking.tf b/fast/stages/1-resman/branch-networking.tf
index e57a874ff6..e886234bdb 100644
--- a/fast/stages/1-resman/branch-networking.tf
+++ b/fast/stages/1-resman/branch-networking.tf
@@ -101,10 +101,10 @@ module "branch-network-dev-folder" {
     )
     # read-only (plan) automation service accounts
     "roles/compute.networkViewer" = concat(
-      local.branch_optional_r_sa_lists.dp-prod,
-      local.branch_optional_r_sa_lists.gke-prod,
+      local.branch_optional_r_sa_lists.dp-dev,
+      local.branch_optional_r_sa_lists.gke-dev,
       local.branch_optional_r_sa_lists.gcve-dev,
-      local.branch_optional_r_sa_lists.pf-prod,
+      local.branch_optional_r_sa_lists.pf-dev,
     )
     (local.custom_roles.gcve_network_admin) = local.branch_optional_sa_lists.gcve-dev
   }

From d9019926076cbaec824d8aeee47824d073d2f26a Mon Sep 17 00:00:00 2001
From: luigi-bitonti <93377317+luigi-bitonti@users.noreply.github.com>
Date: Tue, 23 Apr 2024 19:20:38 +0200
Subject: [PATCH 02/31] Added build env vars in cloud function v1 (#2234)

---
 modules/cloud-function-v1/README.md    | 39 +++++++++++++-------------
 modules/cloud-function-v1/main.tf      |  5 ++--
 modules/cloud-function-v1/variables.tf |  6 ++++
 3 files changed, 29 insertions(+), 21 deletions(-)

diff --git a/modules/cloud-function-v1/README.md b/modules/cloud-function-v1/README.md
index 2d52842bb8..7099946e2d 100644
--- a/modules/cloud-function-v1/README.md
+++ b/modules/cloud-function-v1/README.md
@@ -264,26 +264,27 @@ module "cf-http" {
 | name | description | type | required | default |
 |---|---|:---:|:---:|:---:|
 | [bucket_name](variables.tf#L26) | Name of the bucket that will be used for the function code. It will be created with prefix prepended if bucket_config is not null. | <code>string</code> | ✓ |  |
-| [bundle_config](variables.tf#L38) | Cloud function source folder and generated zip bundle paths. Output path defaults to '/tmp/bundle.zip' if null. | <code title="object&#40;&#123;&#10;  source_dir  &#61; string&#10;  output_path &#61; optional&#40;string&#41;&#10;  excludes    &#61; optional&#40;list&#40;string&#41;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | ✓ |  |
-| [name](variables.tf#L103) | Name used for cloud function and associated resources. | <code>string</code> | ✓ |  |
-| [project_id](variables.tf#L118) | Project id used for all resources. | <code>string</code> | ✓ |  |
-| [region](variables.tf#L123) | Region used for all resources. | <code>string</code> | ✓ |  |
+| [bundle_config](variables.tf#L44) | Cloud function source folder and generated zip bundle paths. Output path defaults to '/tmp/bundle.zip' if null. | <code title="object&#40;&#123;&#10;  source_dir  &#61; string&#10;  output_path &#61; optional&#40;string&#41;&#10;  excludes    &#61; optional&#40;list&#40;string&#41;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | ✓ |  |
+| [name](variables.tf#L109) | Name used for cloud function and associated resources. | <code>string</code> | ✓ |  |
+| [project_id](variables.tf#L124) | Project id used for all resources. | <code>string</code> | ✓ |  |
+| [region](variables.tf#L129) | Region used for all resources. | <code>string</code> | ✓ |  |
 | [bucket_config](variables.tf#L17) | Enable and configure auto-created bucket. Set fields to null to use defaults. | <code title="object&#40;&#123;&#10;  location                  &#61; optional&#40;string&#41;&#10;  lifecycle_delete_age_days &#61; optional&#40;number&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |
-| [build_worker_pool](variables.tf#L32) | Build worker pool, in projects/<PROJECT-ID>/locations/<REGION>/workerPools/<POOL_NAME> format. | <code>string</code> |  | <code>null</code> |
-| [description](variables.tf#L47) | Optional description. | <code>string</code> |  | <code>&#34;Terraform managed.&#34;</code> |
-| [environment_variables](variables.tf#L53) | Cloud function environment variables. | <code>map&#40;string&#41;</code> |  | <code>&#123;&#125;</code> |
-| [function_config](variables.tf#L59) | Cloud function configuration. Defaults to using main as entrypoint, 1 instance with 256MiB of memory, and 180 second timeout. | <code title="object&#40;&#123;&#10;  entry_point     &#61; optional&#40;string, &#34;main&#34;&#41;&#10;  instance_count  &#61; optional&#40;number, 1&#41;&#10;  memory_mb       &#61; optional&#40;number, 256&#41; &#35; Memory in MB&#10;  cpu             &#61; optional&#40;string, &#34;0.166&#34;&#41;&#10;  runtime         &#61; optional&#40;string, &#34;python310&#34;&#41;&#10;  timeout_seconds &#61; optional&#40;number, 180&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code title="&#123;&#10;  entry_point     &#61; &#34;main&#34;&#10;  instance_count  &#61; 1&#10;  memory_mb       &#61; 256&#10;  cpu             &#61; &#34;0.166&#34;&#10;  runtime         &#61; &#34;python310&#34;&#10;  timeout_seconds &#61; 180&#10;&#125;">&#123;&#8230;&#125;</code> |
-| [https_security_level](variables.tf#L79) | The security level for the function: Allowed values are SECURE_ALWAYS, SECURE_OPTIONAL. | <code>string</code> |  | <code>null</code> |
-| [iam](variables.tf#L85) | IAM bindings for topic in {ROLE => [MEMBERS]} format. | <code>map&#40;list&#40;string&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
-| [ingress_settings](variables.tf#L91) | Control traffic that reaches the cloud function. Allowed values are ALLOW_ALL, ALLOW_INTERNAL_AND_GCLB and ALLOW_INTERNAL_ONLY . | <code>string</code> |  | <code>null</code> |
-| [labels](variables.tf#L97) | Resource labels. | <code>map&#40;string&#41;</code> |  | <code>&#123;&#125;</code> |
-| [prefix](variables.tf#L108) | Optional prefix used for resource names. | <code>string</code> |  | <code>null</code> |
-| [secrets](variables.tf#L128) | Secret Manager secrets. Key is the variable name or mountpoint, volume versions are in version:path format. | <code title="map&#40;object&#40;&#123;&#10;  is_volume  &#61; bool&#10;  project_id &#61; number&#10;  secret     &#61; string&#10;  versions   &#61; list&#40;string&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
-| [service_account](variables.tf#L140) | Service account email. Unused if service account is auto-created. | <code>string</code> |  | <code>null</code> |
-| [service_account_create](variables.tf#L146) | Auto-create service account. | <code>bool</code> |  | <code>false</code> |
-| [trigger_config](variables.tf#L152) | Function trigger configuration. Leave null for HTTP trigger. | <code title="object&#40;&#123;&#10;  event    &#61; string&#10;  resource &#61; string&#10;  retry    &#61; optional&#40;bool&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |
-| [vpc_connector](variables.tf#L162) | VPC connector configuration. Set create to 'true' if a new connector needs to be created. | <code title="object&#40;&#123;&#10;  create          &#61; bool&#10;  name            &#61; string&#10;  egress_settings &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |
-| [vpc_connector_config](variables.tf#L172) | VPC connector network configuration. Must be provided if new VPC connector is being created. | <code title="object&#40;&#123;&#10;  ip_cidr_range &#61; string&#10;  network       &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |
+| [build_environment_variables](variables.tf#L32) | A set of key/value environment variable pairs available during build time. | <code>map&#40;string&#41;</code> |  | <code>&#123;&#125;</code> |
+| [build_worker_pool](variables.tf#L38) | Build worker pool, in projects/<PROJECT-ID>/locations/<REGION>/workerPools/<POOL_NAME> format. | <code>string</code> |  | <code>null</code> |
+| [description](variables.tf#L53) | Optional description. | <code>string</code> |  | <code>&#34;Terraform managed.&#34;</code> |
+| [environment_variables](variables.tf#L59) | Cloud function environment variables. | <code>map&#40;string&#41;</code> |  | <code>&#123;&#125;</code> |
+| [function_config](variables.tf#L65) | Cloud function configuration. Defaults to using main as entrypoint, 1 instance with 256MiB of memory, and 180 second timeout. | <code title="object&#40;&#123;&#10;  entry_point     &#61; optional&#40;string, &#34;main&#34;&#41;&#10;  instance_count  &#61; optional&#40;number, 1&#41;&#10;  memory_mb       &#61; optional&#40;number, 256&#41; &#35; Memory in MB&#10;  cpu             &#61; optional&#40;string, &#34;0.166&#34;&#41;&#10;  runtime         &#61; optional&#40;string, &#34;python310&#34;&#41;&#10;  timeout_seconds &#61; optional&#40;number, 180&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code title="&#123;&#10;  entry_point     &#61; &#34;main&#34;&#10;  instance_count  &#61; 1&#10;  memory_mb       &#61; 256&#10;  cpu             &#61; &#34;0.166&#34;&#10;  runtime         &#61; &#34;python310&#34;&#10;  timeout_seconds &#61; 180&#10;&#125;">&#123;&#8230;&#125;</code> |
+| [https_security_level](variables.tf#L85) | The security level for the function: Allowed values are SECURE_ALWAYS, SECURE_OPTIONAL. | <code>string</code> |  | <code>null</code> |
+| [iam](variables.tf#L91) | IAM bindings for topic in {ROLE => [MEMBERS]} format. | <code>map&#40;list&#40;string&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
+| [ingress_settings](variables.tf#L97) | Control traffic that reaches the cloud function. Allowed values are ALLOW_ALL, ALLOW_INTERNAL_AND_GCLB and ALLOW_INTERNAL_ONLY . | <code>string</code> |  | <code>null</code> |
+| [labels](variables.tf#L103) | Resource labels. | <code>map&#40;string&#41;</code> |  | <code>&#123;&#125;</code> |
+| [prefix](variables.tf#L114) | Optional prefix used for resource names. | <code>string</code> |  | <code>null</code> |
+| [secrets](variables.tf#L134) | Secret Manager secrets. Key is the variable name or mountpoint, volume versions are in version:path format. | <code title="map&#40;object&#40;&#123;&#10;  is_volume  &#61; bool&#10;  project_id &#61; number&#10;  secret     &#61; string&#10;  versions   &#61; list&#40;string&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
+| [service_account](variables.tf#L146) | Service account email. Unused if service account is auto-created. | <code>string</code> |  | <code>null</code> |
+| [service_account_create](variables.tf#L152) | Auto-create service account. | <code>bool</code> |  | <code>false</code> |
+| [trigger_config](variables.tf#L158) | Function trigger configuration. Leave null for HTTP trigger. | <code title="object&#40;&#123;&#10;  event    &#61; string&#10;  resource &#61; string&#10;  retry    &#61; optional&#40;bool&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |
+| [vpc_connector](variables.tf#L168) | VPC connector configuration. Set create to 'true' if a new connector needs to be created. | <code title="object&#40;&#123;&#10;  create          &#61; bool&#10;  name            &#61; string&#10;  egress_settings &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |
+| [vpc_connector_config](variables.tf#L178) | VPC connector network configuration. Must be provided if new VPC connector is being created. | <code title="object&#40;&#123;&#10;  ip_cidr_range &#61; string&#10;  network       &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |
 
 ## Outputs
 
diff --git a/modules/cloud-function-v1/main.tf b/modules/cloud-function-v1/main.tf
index 8a9af6df6c..b57d8431cb 100644
--- a/modules/cloud-function-v1/main.tf
+++ b/modules/cloud-function-v1/main.tf
@@ -68,8 +68,9 @@ resource "google_cloudfunctions_function" "function" {
   trigger_http                 = var.trigger_config == null ? true : null
   https_trigger_security_level = var.https_security_level == null ? "SECURE_ALWAYS" : var.https_security_level
 
-  ingress_settings  = var.ingress_settings
-  build_worker_pool = var.build_worker_pool
+  ingress_settings            = var.ingress_settings
+  build_worker_pool           = var.build_worker_pool
+  build_environment_variables = var.build_environment_variables
 
   vpc_connector = local.vpc_connector
   vpc_connector_egress_settings = try(
diff --git a/modules/cloud-function-v1/variables.tf b/modules/cloud-function-v1/variables.tf
index 567a8c7a7d..73964d0b18 100644
--- a/modules/cloud-function-v1/variables.tf
+++ b/modules/cloud-function-v1/variables.tf
@@ -29,6 +29,12 @@ variable "bucket_name" {
   nullable    = false
 }
 
+variable "build_environment_variables" {
+  description = "A set of key/value environment variable pairs available during build time."
+  type        = map(string)
+  default     = {}
+}
+
 variable "build_worker_pool" {
   description = "Build worker pool, in projects/<PROJECT-ID>/locations/<REGION>/workerPools/<POOL_NAME> format."
   type        = string

From 99129d54a37da4c2d977b7db705de5024d530944 Mon Sep 17 00:00:00 2001
From: Julio Castillo <jccb@google.com>
Date: Thu, 25 Apr 2024 09:31:51 +0300
Subject: [PATCH 03/31] Update FAST logging (#2235)

* Update FAST logging

* Fix readme

* Fix tests
---
 fast/stages/0-bootstrap/README.md             | 20 +++++++++-------
 fast/stages/0-bootstrap/automation.tf         | 18 ++++++++++++++
 fast/stages/0-bootstrap/variables.tf          | 24 ++++++++++++++++---
 tests/fast/stages/s0_bootstrap/checklist.yaml | 10 ++++----
 tests/fast/stages/s0_bootstrap/simple.yaml    | 10 ++++----
 5 files changed, 60 insertions(+), 22 deletions(-)

diff --git a/fast/stages/0-bootstrap/README.md b/fast/stages/0-bootstrap/README.md
index 83031f5d2a..ee5c7f52e7 100644
--- a/fast/stages/0-bootstrap/README.md
+++ b/fast/stages/0-bootstrap/README.md
@@ -138,7 +138,9 @@ Because of limitations of API availability, manual steps have to be followed to
 
 ### Organization-level logging
 
-We create organization-level log sinks early in the bootstrap process to ensure a proper audit trail is in place from the very beginning.  By default, we provide log filters to capture [Cloud Audit Logs](https://cloud.google.com/logging/docs/audit), [VPC Service Controls violations](https://cloud.google.com/vpc-service-controls/docs/troubleshooting#vpc-sc-errors) and [Workspace Logs](https://cloud.google.com/logging/docs/audit/configure-gsuite-audit-logs) into logging buckets in the top-level audit logging project.
+We create organization-level log sinks early in the bootstrap process to ensure a proper audit trail is in place from the very beginning. By default, we provide log filters to capture [Cloud Audit Logs](https://cloud.google.com/logging/docs/audit), [VPC Service Controls violations](https://cloud.google.com/vpc-service-controls/docs/troubleshooting#vpc-sc-errors) and [Workspace Logs](https://cloud.google.com/logging/docs/audit/configure-gsuite-audit-logs) into logging buckets in the top-level audit logging project.
+
+An organization-level sink captures IAM data access logs, including authentication and impersonation events for service accounts. To manage logging costs, the default configuration enables IAM data access logging only within the automation project (where sensitive service accounts reside). For enhanced security across the entire organization, consider enabling these logs at the organization level.
 
 The [Customizations](#log-sinks-and-log-destinations) section explains how to change the logs captured and their destination.
 
@@ -626,8 +628,8 @@ The `fast_features` variable consists of 4 toggles:
 | name | description | type | required | default | producer |
 |---|---|:---:|:---:|:---:|:---:|
 | [billing_account](variables.tf#L17) | Billing account id. If billing account is not part of the same org set `is_org_level` to `false`. To disable handling of billing IAM roles set `no_iam` to `true`. | <code title="object&#40;&#123;&#10;  id           &#61; string&#10;  is_org_level &#61; optional&#40;bool, true&#41;&#10;  no_iam       &#61; optional&#40;bool, false&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | ✓ |  |  |
-| [organization](variables.tf#L223) | Organization details. | <code title="object&#40;&#123;&#10;  id          &#61; number&#10;  domain      &#61; optional&#40;string&#41;&#10;  customer_id &#61; optional&#40;string&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | ✓ |  |  |
-| [prefix](variables.tf#L238) | Prefix used for resources that need unique names. Use 9 characters or less. | <code>string</code> | ✓ |  |  |
+| [organization](variables.tf#L241) | Organization details. | <code title="object&#40;&#123;&#10;  id          &#61; number&#10;  domain      &#61; optional&#40;string&#41;&#10;  customer_id &#61; optional&#40;string&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | ✓ |  |  |
+| [prefix](variables.tf#L256) | Prefix used for resources that need unique names. Use 9 characters or less. | <code>string</code> | ✓ |  |  |
 | [bootstrap_user](variables.tf#L27) | Email of the nominal user running this stage for the first time. | <code>string</code> |  | <code>null</code> |  |
 | [cicd_repositories](variables.tf#L33) | CI/CD repository configuration. Identity providers reference keys in the `federated_identity_providers` variable. Set to null to disable, or set individual repositories to null if not needed. | <code title="object&#40;&#123;&#10;  bootstrap &#61; optional&#40;object&#40;&#123;&#10;    name              &#61; string&#10;    type              &#61; string&#10;    branch            &#61; optional&#40;string&#41;&#10;    identity_provider &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;&#10;  resman &#61; optional&#40;object&#40;&#123;&#10;    name              &#61; string&#10;    type              &#61; string&#10;    branch            &#61; optional&#40;string&#41;&#10;    identity_provider &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |  |
 | [custom_roles](variables.tf#L79) | Map of role names => list of permissions to additionally create at the organization level. | <code>map&#40;list&#40;string&#41;&#41;</code> |  | <code>&#123;&#125;</code> |  |
@@ -639,12 +641,12 @@ The `fast_features` variable consists of 4 toggles:
 | [iam_bindings_additive](variables.tf#L141) | Organization-level custom additive IAM bindings. Keys are arbitrary. | <code title="map&#40;object&#40;&#123;&#10;  member &#61; string&#10;  role   &#61; string&#10;  condition &#61; optional&#40;object&#40;&#123;&#10;    expression  &#61; string&#10;    title       &#61; string&#10;    description &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |  |
 | [iam_by_principals](variables.tf#L156) | Authoritative IAM binding in {PRINCIPAL => [ROLES]} format. Principals need to be statically defined to avoid cycle errors. Merged internally with the `iam` variable. | <code>map&#40;list&#40;string&#41;&#41;</code> |  | <code>&#123;&#125;</code> |  |
 | [locations](variables.tf#L163) | Optional locations for GCS, BigQuery, and logging buckets created here. | <code title="object&#40;&#123;&#10;  bq      &#61; optional&#40;string, &#34;EU&#34;&#41;&#10;  gcs     &#61; optional&#40;string, &#34;EU&#34;&#41;&#10;  logging &#61; optional&#40;string, &#34;global&#34;&#41;&#10;  pubsub  &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |  |
-| [log_sinks](variables.tf#L177) | Org-level log sinks, in name => {type, filter} format. | <code title="map&#40;object&#40;&#123;&#10;  filter &#61; string&#10;  type   &#61; string&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code title="&#123;&#10;  audit-logs &#61; &#123;&#10;    filter &#61; &#34;logName:&#92;&#34;&#47;logs&#47;cloudaudit.googleapis.com&#37;2Factivity&#92;&#34; OR logName:&#92;&#34;&#47;logs&#47;cloudaudit.googleapis.com&#37;2Fsystem_event&#92;&#34; OR protoPayload.metadata.&#64;type&#61;&#92;&#34;type.googleapis.com&#47;google.cloud.audit.TransparencyLog&#92;&#34;&#34;&#10;    type   &#61; &#34;logging&#34;&#10;  &#125;&#10;  vpc-sc &#61; &#123;&#10;    filter &#61; &#34;protoPayload.metadata.&#64;type&#61;&#92;&#34;type.googleapis.com&#47;google.cloud.audit.VpcServiceControlAuditMetadata&#92;&#34;&#34;&#10;    type   &#61; &#34;logging&#34;&#10;  &#125;&#10;  workspace-audit-logs &#61; &#123;&#10;    filter &#61; &#34;logName:&#92;&#34;&#47;logs&#47;cloudaudit.googleapis.com&#37;2Fdata_access&#92;&#34; and protoPayload.serviceName:&#92;&#34;login.googleapis.com&#92;&#34;&#34;&#10;    type   &#61; &#34;logging&#34;&#10;  &#125;&#10;&#125;">&#123;&#8230;&#125;</code> |  |
-| [org_policies_config](variables.tf#L206) | Organization policies customization. | <code title="object&#40;&#123;&#10;  constraints &#61; optional&#40;object&#40;&#123;&#10;    allowed_policy_member_domains &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10;  &#125;&#41;, &#123;&#125;&#41;&#10;  import_defaults &#61; optional&#40;bool, false&#41;&#10;  tag_name        &#61; optional&#40;string, &#34;org-policies&#34;&#41;&#10;  tag_values &#61; optional&#40;map&#40;object&#40;&#123;&#10;    description &#61; optional&#40;string, &#34;Managed by the Terraform organization module.&#34;&#41;&#10;    iam         &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;    id          &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;, &#123;&#125;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |  |
-| [outputs_location](variables.tf#L232) | Enable writing provider, tfvars and CI/CD workflow files to local filesystem. Leave null to disable. | <code>string</code> |  | <code>null</code> |  |
-| [project_parent_ids](variables.tf#L247) | Optional parents for projects created here in folders/nnnnnnn format. Null values will use the organization as parent. | <code title="object&#40;&#123;&#10;  automation &#61; optional&#40;string&#41;&#10;  billing    &#61; optional&#40;string&#41;&#10;  logging    &#61; optional&#40;string&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |  |
-| [workforce_identity_providers](variables.tf#L258) | Workforce Identity Federation pools. | <code title="map&#40;object&#40;&#123;&#10;  attribute_condition &#61; optional&#40;string&#41;&#10;  issuer              &#61; string&#10;  display_name        &#61; string&#10;  description         &#61; string&#10;  disabled            &#61; optional&#40;bool, false&#41;&#10;  saml &#61; optional&#40;object&#40;&#123;&#10;    idp_metadata_xml &#61; string&#10;  &#125;&#41;, null&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |  |
-| [workload_identity_providers](variables.tf#L274) | Workload Identity Federation pools. The `cicd_repositories` variable references keys here. | <code title="map&#40;object&#40;&#123;&#10;  attribute_condition &#61; optional&#40;string&#41;&#10;  issuer              &#61; string&#10;  custom_settings &#61; optional&#40;object&#40;&#123;&#10;    issuer_uri &#61; optional&#40;string&#41;&#10;    audiences  &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10;    jwks_json  &#61; optional&#40;string&#41;&#10;  &#125;&#41;, &#123;&#125;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |  |
+| [log_sinks](variables.tf#L177) | Org-level log sinks, in name => {type, filter} format. | <code title="map&#40;object&#40;&#123;&#10;  filter &#61; string&#10;  type   &#61; string&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code title="&#123;&#10;  audit-logs &#61; &#123;&#10;    filter &#61; &#60;&#60;-FILTER&#10;      log_id&#40;&#34;cloudaudit.googleapis.com&#47;activity&#34;&#41; OR&#10;      log_id&#40;&#34;cloudaudit.googleapis.com&#47;system_event&#34;&#41; OR&#10;      log_id&#40;&#34;cloudaudit.googleapis.com&#47;policy&#34;&#41; OR&#10;      log_id&#40;&#34;cloudaudit.googleapis.com&#47;access_transparency&#34;&#41;&#10;    FILTER&#10;    type   &#61; &#34;logging&#34;&#10;  &#125;&#10;  iam &#61; &#123;&#10;    filter &#61; &#60;&#60;-FILTER&#10;      protoPayload.serviceName&#61;&#34;iamcredentials.googleapis.com&#34; OR&#10;      protoPayload.serviceName&#61;&#34;iam.googleapis.com&#34; OR&#10;      protoPayload.serviceName&#61;&#34;sts.googleapis.com&#34;&#10;    FILTER&#10;    type   &#61; &#34;logging&#34;&#10;  &#125;&#10;  vpc-sc &#61; &#123;&#10;    filter &#61; &#60;&#60;-FILTER&#10;      protoPayload.metadata.&#64;type:&#34;type.googleapis.com&#47;google.cloud.audit.VpcServiceControlAuditMetadata&#34;&#10;    FILTER&#10;    type   &#61; &#34;logging&#34;&#10;  &#125;&#10;  workspace-audit-logs &#61; &#123;&#10;    filter &#61; &#60;&#60;-FILTER&#10;      log_id&#40;&#34;cloudaudit.googleapis.com&#47;data_access&#34;&#41;&#10;      protoPayload.serviceName:&#34;login.googleapis.com&#34;&#10;    FILTER&#10;    type   &#61; &#34;logging&#34;&#10;  &#125;&#10;&#125;">&#123;&#8230;&#125;</code> |  |
+| [org_policies_config](variables.tf#L224) | Organization policies customization. | <code title="object&#40;&#123;&#10;  constraints &#61; optional&#40;object&#40;&#123;&#10;    allowed_policy_member_domains &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10;  &#125;&#41;, &#123;&#125;&#41;&#10;  import_defaults &#61; optional&#40;bool, false&#41;&#10;  tag_name        &#61; optional&#40;string, &#34;org-policies&#34;&#41;&#10;  tag_values &#61; optional&#40;map&#40;object&#40;&#123;&#10;    description &#61; optional&#40;string, &#34;Managed by the Terraform organization module.&#34;&#41;&#10;    iam         &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;    id          &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;, &#123;&#125;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |  |
+| [outputs_location](variables.tf#L250) | Enable writing provider, tfvars and CI/CD workflow files to local filesystem. Leave null to disable. | <code>string</code> |  | <code>null</code> |  |
+| [project_parent_ids](variables.tf#L265) | Optional parents for projects created here in folders/nnnnnnn format. Null values will use the organization as parent. | <code title="object&#40;&#123;&#10;  automation &#61; optional&#40;string&#41;&#10;  billing    &#61; optional&#40;string&#41;&#10;  logging    &#61; optional&#40;string&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |  |
+| [workforce_identity_providers](variables.tf#L276) | Workforce Identity Federation pools. | <code title="map&#40;object&#40;&#123;&#10;  attribute_condition &#61; optional&#40;string&#41;&#10;  issuer              &#61; string&#10;  display_name        &#61; string&#10;  description         &#61; string&#10;  disabled            &#61; optional&#40;bool, false&#41;&#10;  saml &#61; optional&#40;object&#40;&#123;&#10;    idp_metadata_xml &#61; string&#10;  &#125;&#41;, null&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |  |
+| [workload_identity_providers](variables.tf#L292) | Workload Identity Federation pools. The `cicd_repositories` variable references keys here. | <code title="map&#40;object&#40;&#123;&#10;  attribute_condition &#61; optional&#40;string&#41;&#10;  issuer              &#61; string&#10;  custom_settings &#61; optional&#40;object&#40;&#123;&#10;    issuer_uri &#61; optional&#40;string&#41;&#10;    audiences  &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10;    jwks_json  &#61; optional&#40;string&#41;&#10;  &#125;&#41;, &#123;&#125;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |  |
 
 ## Outputs
 
diff --git a/fast/stages/0-bootstrap/automation.tf b/fast/stages/0-bootstrap/automation.tf
index 6200deab38..8463ff16b6 100644
--- a/fast/stages/0-bootstrap/automation.tf
+++ b/fast/stages/0-bootstrap/automation.tf
@@ -156,6 +156,24 @@ module "automation-project" {
       "container.googleapis.com",
     ]
   )
+
+  # Enable IAM data access logs to capture impersonation and service
+  # account token generation events. This is implemented within the
+  # automation project to limit log volume. For heightened security,
+  # consider enabling it at the organization level. A log sink within
+  # the organization will collect and store these logs in a logging
+  # bucket. See
+  # https://cloud.google.com/iam/docs/audit-logging#audited_operations
+  logging_data_access = {
+    "iam.googleapis.com" = {
+      # ADMIN_READ captures impersonation and token generation/exchanges
+      ADMIN_READ = []
+      # enable DATA_WRITE if you want to capture configuration changes
+      # to IAM-related resources (roles, deny policies, service
+      # accounts, identity pools, etc)
+      # DATA_WRITE = []
+    }
+  }
 }
 
 # output files bucket
diff --git a/fast/stages/0-bootstrap/variables.tf b/fast/stages/0-bootstrap/variables.tf
index 64978dc30f..b769f1088f 100644
--- a/fast/stages/0-bootstrap/variables.tf
+++ b/fast/stages/0-bootstrap/variables.tf
@@ -182,15 +182,33 @@ variable "log_sinks" {
   }))
   default = {
     audit-logs = {
-      filter = "logName:\"/logs/cloudaudit.googleapis.com%2Factivity\" OR logName:\"/logs/cloudaudit.googleapis.com%2Fsystem_event\" OR protoPayload.metadata.@type=\"type.googleapis.com/google.cloud.audit.TransparencyLog\""
+      filter = <<-FILTER
+        log_id("cloudaudit.googleapis.com/activity") OR
+        log_id("cloudaudit.googleapis.com/system_event") OR
+        log_id("cloudaudit.googleapis.com/policy") OR
+        log_id("cloudaudit.googleapis.com/access_transparency")
+      FILTER
+      type   = "logging"
+    }
+    iam = {
+      filter = <<-FILTER
+        protoPayload.serviceName="iamcredentials.googleapis.com" OR
+        protoPayload.serviceName="iam.googleapis.com" OR
+        protoPayload.serviceName="sts.googleapis.com"
+      FILTER
       type   = "logging"
     }
     vpc-sc = {
-      filter = "protoPayload.metadata.@type=\"type.googleapis.com/google.cloud.audit.VpcServiceControlAuditMetadata\""
+      filter = <<-FILTER
+        protoPayload.metadata.@type:"type.googleapis.com/google.cloud.audit.VpcServiceControlAuditMetadata"
+      FILTER
       type   = "logging"
     }
     workspace-audit-logs = {
-      filter = "logName:\"/logs/cloudaudit.googleapis.com%2Fdata_access\" and protoPayload.serviceName:\"login.googleapis.com\""
+      filter = <<-FILTER
+        log_id("cloudaudit.googleapis.com/data_access")
+        protoPayload.serviceName:"login.googleapis.com"
+      FILTER
       type   = "logging"
     }
   }
diff --git a/tests/fast/stages/s0_bootstrap/checklist.yaml b/tests/fast/stages/s0_bootstrap/checklist.yaml
index 91fe60eb76..8c24a1fdfe 100644
--- a/tests/fast/stages/s0_bootstrap/checklist.yaml
+++ b/tests/fast/stages/s0_bootstrap/checklist.yaml
@@ -360,15 +360,15 @@ counts:
   google_bigquery_dataset: 1
   google_bigquery_default_service_account: 3
   google_essential_contacts_contact: 3
-  google_logging_organization_sink: 3
-  google_logging_project_bucket_config: 3
+  google_logging_organization_sink: 4
+  google_logging_project_bucket_config: 4
   google_org_policy_policy: 22
   google_organization_iam_binding: 27
   google_organization_iam_custom_role: 7
   google_organization_iam_member: 35
   google_project: 3
   google_project_iam_binding: 19
-  google_project_iam_member: 6
+  google_project_iam_member: 7
   google_project_service: 31
   google_project_service_identity: 4
   google_service_account: 4
@@ -380,5 +380,5 @@ counts:
   google_storage_project_service_account: 3
   google_tags_tag_key: 1
   google_tags_tag_value: 1
-  modules: 17
-  resources: 198
+  modules: 18
+  resources: 202
diff --git a/tests/fast/stages/s0_bootstrap/simple.yaml b/tests/fast/stages/s0_bootstrap/simple.yaml
index 904471a061..69908ad358 100644
--- a/tests/fast/stages/s0_bootstrap/simple.yaml
+++ b/tests/fast/stages/s0_bootstrap/simple.yaml
@@ -39,15 +39,15 @@ counts:
   google_bigquery_dataset: 1
   google_bigquery_default_service_account: 3
   google_essential_contacts_contact: 3
-  google_logging_organization_sink: 3
-  google_logging_project_bucket_config: 3
+  google_logging_organization_sink: 4
+  google_logging_project_bucket_config: 4
   google_org_policy_policy: 22
   google_organization_iam_binding: 27
   google_organization_iam_custom_role: 7
   google_organization_iam_member: 22
   google_project: 3
   google_project_iam_binding: 19
-  google_project_iam_member: 6
+  google_project_iam_member: 7
   google_project_service: 31
   google_project_service_identity: 4
   google_service_account: 4
@@ -60,8 +60,8 @@ counts:
   google_tags_tag_key: 1
   google_tags_tag_value: 1
   local_file: 7
-  modules: 16
-  resources: 189
+  modules: 17
+  resources: 193
 
 outputs:
   custom_roles:

From 2446b4dd7c48f4c118514f55d31bb1a4398b17ac Mon Sep 17 00:00:00 2001
From: Vince Gonzalez <vicenteg@users.noreply.github.com>
Date: Thu, 25 Apr 2024 19:14:32 -0400
Subject: [PATCH 04/31] Update README.md (#2239)

---
 blueprints/data-solutions/data-playground/README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/blueprints/data-solutions/data-playground/README.md b/blueprints/data-solutions/data-playground/README.md
index a2eceeba91..ef490ab27c 100644
--- a/blueprints/data-solutions/data-playground/README.md
+++ b/blueprints/data-solutions/data-playground/README.md
@@ -1,6 +1,6 @@
 # Data Playground
 
-This blueprint creates a minimum viable architecture for a data experimentation project with the needed APIs enabled, VPC and Firewall set in place, BigQuesy dataset, GCS bucket and an AI notebook to get started.
+This blueprint creates a minimum viable architecture for a data experimentation project with the needed APIs enabled, VPC and Firewall set in place, BigQuery dataset, GCS bucket and an AI notebook to get started.
 
 This is the high level diagram:
 

From 64ac89d59c18e3b6b4034b3fd521cf60e33dcaba Mon Sep 17 00:00:00 2001
From: Deepak Kumar <21131061+kumadee@users.noreply.github.com>
Date: Fri, 26 Apr 2024 09:17:48 +0200
Subject: [PATCH 05/31] fix: allow disabling node autoprovisioning (#2238)

- This fix allows a GKE Standard cluster to be configured with no auto-provisioned node pool,
  but allow setting autocluster profile for user-provisioned node pools like created via `gke-nodepool` module.

Co-authored-by: Julio Castillo <jccb@google.com>
---
 modules/gke-cluster-standard/README.md    | 42 +++++++++++------------
 modules/gke-cluster-standard/main.tf      |  2 +-
 modules/gke-cluster-standard/variables.tf |  1 +
 3 files changed, 23 insertions(+), 22 deletions(-)

diff --git a/modules/gke-cluster-standard/README.md b/modules/gke-cluster-standard/README.md
index 286b20a3dc..c53017267f 100644
--- a/modules/gke-cluster-standard/README.md
+++ b/modules/gke-cluster-standard/README.md
@@ -310,28 +310,28 @@ module "cluster-1" {
 
 | name | description | type | required | default |
 |---|---|:---:|:---:|:---:|
-| [location](variables.tf#L233) | Cluster zone or region. | <code>string</code> | ✓ |  |
-| [name](variables.tf#L368) | Cluster name. | <code>string</code> | ✓ |  |
-| [project_id](variables.tf#L404) | Cluster project id. | <code>string</code> | ✓ |  |
-| [vpc_config](variables.tf#L415) | VPC-level configuration. | <code title="object&#40;&#123;&#10;  network                &#61; string&#10;  subnetwork             &#61; string&#10;  master_ipv4_cidr_block &#61; optional&#40;string&#41;&#10;  secondary_range_blocks &#61; optional&#40;object&#40;&#123;&#10;    pods     &#61; string&#10;    services &#61; string&#10;  &#125;&#41;&#41;&#10;  secondary_range_names &#61; optional&#40;object&#40;&#123;&#10;    pods     &#61; optional&#40;string, &#34;pods&#34;&#41;&#10;    services &#61; optional&#40;string, &#34;services&#34;&#41;&#10;  &#125;&#41;&#41;&#10;  master_authorized_ranges &#61; optional&#40;map&#40;string&#41;&#41;&#10;  stack_type               &#61; optional&#40;string&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | ✓ |  |
+| [location](variables.tf#L234) | Cluster zone or region. | <code>string</code> | ✓ |  |
+| [name](variables.tf#L369) | Cluster name. | <code>string</code> | ✓ |  |
+| [project_id](variables.tf#L405) | Cluster project id. | <code>string</code> | ✓ |  |
+| [vpc_config](variables.tf#L416) | VPC-level configuration. | <code title="object&#40;&#123;&#10;  network                &#61; string&#10;  subnetwork             &#61; string&#10;  master_ipv4_cidr_block &#61; optional&#40;string&#41;&#10;  secondary_range_blocks &#61; optional&#40;object&#40;&#123;&#10;    pods     &#61; string&#10;    services &#61; string&#10;  &#125;&#41;&#41;&#10;  secondary_range_names &#61; optional&#40;object&#40;&#123;&#10;    pods     &#61; optional&#40;string, &#34;pods&#34;&#41;&#10;    services &#61; optional&#40;string, &#34;services&#34;&#41;&#10;  &#125;&#41;&#41;&#10;  master_authorized_ranges &#61; optional&#40;map&#40;string&#41;&#41;&#10;  stack_type               &#61; optional&#40;string&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | ✓ |  |
 | [backup_configs](variables.tf#L17) | Configuration for Backup for GKE. | <code title="object&#40;&#123;&#10;  enable_backup_agent &#61; optional&#40;bool, false&#41;&#10;  backup_plans &#61; optional&#40;map&#40;object&#40;&#123;&#10;    region                            &#61; string&#10;    applications                      &#61; optional&#40;map&#40;list&#40;string&#41;&#41;&#41;&#10;    encryption_key                    &#61; optional&#40;string&#41;&#10;    include_secrets                   &#61; optional&#40;bool, true&#41;&#10;    include_volume_data               &#61; optional&#40;bool, true&#41;&#10;    namespaces                        &#61; optional&#40;list&#40;string&#41;&#41;&#10;    schedule                          &#61; optional&#40;string&#41;&#10;    retention_policy_days             &#61; optional&#40;number&#41;&#10;    retention_policy_lock             &#61; optional&#40;bool, false&#41;&#10;    retention_policy_delete_lock_days &#61; optional&#40;number&#41;&#10;  &#125;&#41;&#41;, &#123;&#125;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |
-| [cluster_autoscaling](variables.tf#L38) | Enable and configure limits for Node Auto-Provisioning with Cluster Autoscaler. | <code title="object&#40;&#123;&#10;  autoscaling_profile &#61; optional&#40;string, &#34;BALANCED&#34;&#41;&#10;  auto_provisioning_defaults &#61; optional&#40;object&#40;&#123;&#10;    boot_disk_kms_key &#61; optional&#40;string&#41;&#10;    disk_size         &#61; optional&#40;number&#41;&#10;    disk_type         &#61; optional&#40;string, &#34;pd-standard&#34;&#41;&#10;    image_type        &#61; optional&#40;string&#41;&#10;    oauth_scopes      &#61; optional&#40;list&#40;string&#41;&#41;&#10;    service_account   &#61; optional&#40;string&#41;&#10;    management &#61; optional&#40;object&#40;&#123;&#10;      auto_repair  &#61; optional&#40;bool, true&#41;&#10;      auto_upgrade &#61; optional&#40;bool, true&#41;&#10;    &#125;&#41;&#41;&#10;    shielded_instance_config &#61; optional&#40;object&#40;&#123;&#10;      integrity_monitoring &#61; optional&#40;bool, true&#41;&#10;      secure_boot          &#61; optional&#40;bool, false&#41;&#10;    &#125;&#41;&#41;&#10;    upgrade_settings &#61; optional&#40;object&#40;&#123;&#10;      blue_green &#61; optional&#40;object&#40;&#123;&#10;        node_pool_soak_duration &#61; optional&#40;string&#41;&#10;        standard_rollout_policy &#61; optional&#40;object&#40;&#123;&#10;          batch_percentage    &#61; optional&#40;number&#41;&#10;          batch_node_count    &#61; optional&#40;number&#41;&#10;          batch_soak_duration &#61; optional&#40;string&#41;&#10;        &#125;&#41;&#41;&#10;      &#125;&#41;&#41;&#10;      surge &#61; optional&#40;object&#40;&#123;&#10;        max         &#61; optional&#40;number&#41;&#10;        unavailable &#61; optional&#40;number&#41;&#10;      &#125;&#41;&#41;&#10;    &#125;&#41;&#41;&#10;  &#125;&#41;&#41;&#10;  cpu_limits &#61; optional&#40;object&#40;&#123;&#10;    min &#61; number&#10;    max &#61; number&#10;  &#125;&#41;&#41;&#10;  mem_limits &#61; optional&#40;object&#40;&#123;&#10;    min &#61; number&#10;    max &#61; number&#10;  &#125;&#41;&#41;&#10;  gpu_resources &#61; optional&#40;list&#40;object&#40;&#123;&#10;    resource_type &#61; string&#10;    min           &#61; number&#10;    max           &#61; number&#10;  &#125;&#41;&#41;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |
-| [default_nodepool](variables.tf#L116) | Enable default nodepool. | <code title="object&#40;&#123;&#10;  remove_pool        &#61; optional&#40;bool, true&#41;&#10;  initial_node_count &#61; optional&#40;number, 1&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |
-| [deletion_protection](variables.tf#L134) | Whether or not to allow Terraform to destroy the cluster. Unless this field is set to false in Terraform state, a terraform destroy or terraform apply that would delete the cluster will fail. | <code>bool</code> |  | <code>true</code> |
-| [description](variables.tf#L141) | Cluster description. | <code>string</code> |  | <code>null</code> |
-| [enable_addons](variables.tf#L147) | Addons enabled in the cluster (true means enabled). | <code title="object&#40;&#123;&#10;  cloudrun                       &#61; optional&#40;bool, false&#41;&#10;  config_connector               &#61; optional&#40;bool, false&#41;&#10;  dns_cache                      &#61; optional&#40;bool, false&#41;&#10;  gce_persistent_disk_csi_driver &#61; optional&#40;bool, false&#41;&#10;  gcp_filestore_csi_driver       &#61; optional&#40;bool, false&#41;&#10;  gcs_fuse_csi_driver            &#61; optional&#40;bool, false&#41;&#10;  horizontal_pod_autoscaling     &#61; optional&#40;bool, false&#41;&#10;  http_load_balancing            &#61; optional&#40;bool, false&#41;&#10;  istio &#61; optional&#40;object&#40;&#123;&#10;    enable_tls &#61; bool&#10;  &#125;&#41;&#41;&#10;  kalm           &#61; optional&#40;bool, false&#41;&#10;  network_policy &#61; optional&#40;bool, false&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code title="&#123;&#10;  horizontal_pod_autoscaling &#61; true&#10;  http_load_balancing        &#61; true&#10;&#125;">&#123;&#8230;&#125;</code> |
-| [enable_features](variables.tf#L171) | Enable cluster-level features. Certain features allow configuration. | <code title="object&#40;&#123;&#10;  beta_apis                         &#61; optional&#40;list&#40;string&#41;&#41;&#10;  binary_authorization              &#61; optional&#40;bool, false&#41;&#10;  cilium_clusterwide_network_policy &#61; optional&#40;bool, false&#41;&#10;  cost_management                   &#61; optional&#40;bool, false&#41;&#10;  dns &#61; optional&#40;object&#40;&#123;&#10;    provider &#61; optional&#40;string&#41;&#10;    scope    &#61; optional&#40;string&#41;&#10;    domain   &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;&#10;  database_encryption &#61; optional&#40;object&#40;&#123;&#10;    state    &#61; string&#10;    key_name &#61; string&#10;  &#125;&#41;&#41;&#10;  dataplane_v2         &#61; optional&#40;bool, false&#41;&#10;  fqdn_network_policy  &#61; optional&#40;bool, false&#41;&#10;  gateway_api          &#61; optional&#40;bool, false&#41;&#10;  groups_for_rbac      &#61; optional&#40;string&#41;&#10;  image_streaming      &#61; optional&#40;bool, false&#41;&#10;  intranode_visibility &#61; optional&#40;bool, false&#41;&#10;  l4_ilb_subsetting    &#61; optional&#40;bool, false&#41;&#10;  mesh_certificates    &#61; optional&#40;bool&#41;&#10;  pod_security_policy  &#61; optional&#40;bool, false&#41;&#10;  resource_usage_export &#61; optional&#40;object&#40;&#123;&#10;    dataset                              &#61; string&#10;    enable_network_egress_metering       &#61; optional&#40;bool&#41;&#10;    enable_resource_consumption_metering &#61; optional&#40;bool&#41;&#10;  &#125;&#41;&#41;&#10;  service_external_ips &#61; optional&#40;bool, true&#41;&#10;  shielded_nodes       &#61; optional&#40;bool, false&#41;&#10;  tpu                  &#61; optional&#40;bool, false&#41;&#10;  upgrade_notifications &#61; optional&#40;object&#40;&#123;&#10;    topic_id &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;&#10;  vertical_pod_autoscaling &#61; optional&#40;bool, false&#41;&#10;  workload_identity        &#61; optional&#40;bool, true&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code title="&#123;&#10;  workload_identity &#61; true&#10;&#125;">&#123;&#8230;&#125;</code> |
-| [issue_client_certificate](variables.tf#L221) | Enable issuing client certificate. | <code>bool</code> |  | <code>false</code> |
-| [labels](variables.tf#L227) | Cluster resource labels. | <code>map&#40;string&#41;</code> |  | <code>null</code> |
-| [logging_config](variables.tf#L238) | Logging configuration. | <code title="object&#40;&#123;&#10;  enable_system_logs             &#61; optional&#40;bool, true&#41;&#10;  enable_workloads_logs          &#61; optional&#40;bool, false&#41;&#10;  enable_api_server_logs         &#61; optional&#40;bool, false&#41;&#10;  enable_scheduler_logs          &#61; optional&#40;bool, false&#41;&#10;  enable_controller_manager_logs &#61; optional&#40;bool, false&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |
-| [maintenance_config](variables.tf#L259) | Maintenance window configuration. | <code title="object&#40;&#123;&#10;  daily_window_start_time &#61; optional&#40;string&#41;&#10;  recurring_window &#61; optional&#40;object&#40;&#123;&#10;    start_time &#61; string&#10;    end_time   &#61; string&#10;    recurrence &#61; string&#10;  &#125;&#41;&#41;&#10;  maintenance_exclusions &#61; optional&#40;list&#40;object&#40;&#123;&#10;    name       &#61; string&#10;    start_time &#61; string&#10;    end_time   &#61; string&#10;    scope      &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code title="&#123;&#10;  daily_window_start_time &#61; &#34;03:00&#34;&#10;  recurring_window        &#61; null&#10;  maintenance_exclusion   &#61; &#91;&#93;&#10;&#125;">&#123;&#8230;&#125;</code> |
-| [max_pods_per_node](variables.tf#L282) | Maximum number of pods per node in this cluster. | <code>number</code> |  | <code>110</code> |
-| [min_master_version](variables.tf#L288) | Minimum version of the master, defaults to the version of the most recent official release. | <code>string</code> |  | <code>null</code> |
-| [monitoring_config](variables.tf#L294) | Monitoring configuration. Google Cloud Managed Service for Prometheus is enabled by default. | <code title="object&#40;&#123;&#10;  enable_system_metrics &#61; optional&#40;bool, true&#41;&#10;  enable_api_server_metrics         &#61; optional&#40;bool, false&#41;&#10;  enable_controller_manager_metrics &#61; optional&#40;bool, false&#41;&#10;  enable_scheduler_metrics          &#61; optional&#40;bool, false&#41;&#10;  enable_daemonset_metrics   &#61; optional&#40;bool, false&#41;&#10;  enable_deployment_metrics  &#61; optional&#40;bool, false&#41;&#10;  enable_hpa_metrics         &#61; optional&#40;bool, false&#41;&#10;  enable_pod_metrics         &#61; optional&#40;bool, false&#41;&#10;  enable_statefulset_metrics &#61; optional&#40;bool, false&#41;&#10;  enable_storage_metrics     &#61; optional&#40;bool, false&#41;&#10;  enable_managed_prometheus &#61; optional&#40;bool, true&#41;&#10;  advanced_datapath_observability &#61; optional&#40;object&#40;&#123;&#10;    enable_metrics &#61; bool&#10;    enable_relay   &#61; optional&#40;bool&#41;&#10;    relay_mode     &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |
-| [node_config](variables.tf#L373) | Node-level configuration. | <code title="object&#40;&#123;&#10;  boot_disk_kms_key &#61; optional&#40;string&#41;&#10;  service_account   &#61; optional&#40;string&#41;&#10;  tags              &#61; optional&#40;list&#40;string&#41;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |
-| [node_locations](variables.tf#L383) | Zones in which the cluster's nodes are located. | <code>list&#40;string&#41;</code> |  | <code>&#91;&#93;</code> |
-| [private_cluster_config](variables.tf#L390) | Private cluster configuration. | <code title="object&#40;&#123;&#10;  enable_private_endpoint &#61; optional&#40;bool&#41;&#10;  master_global_access    &#61; optional&#40;bool&#41;&#10;  peering_config &#61; optional&#40;object&#40;&#123;&#10;    export_routes &#61; optional&#40;bool&#41;&#10;    import_routes &#61; optional&#40;bool&#41;&#10;    project_id    &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |
-| [release_channel](variables.tf#L409) | Release channel for GKE upgrades. | <code>string</code> |  | <code>null</code> |
+| [cluster_autoscaling](variables.tf#L38) | Enable and configure limits for Node Auto-Provisioning with Cluster Autoscaler. | <code title="object&#40;&#123;&#10;  enabled             &#61; optional&#40;bool, true&#41;&#10;  autoscaling_profile &#61; optional&#40;string, &#34;BALANCED&#34;&#41;&#10;  auto_provisioning_defaults &#61; optional&#40;object&#40;&#123;&#10;    boot_disk_kms_key &#61; optional&#40;string&#41;&#10;    disk_size         &#61; optional&#40;number&#41;&#10;    disk_type         &#61; optional&#40;string, &#34;pd-standard&#34;&#41;&#10;    image_type        &#61; optional&#40;string&#41;&#10;    oauth_scopes      &#61; optional&#40;list&#40;string&#41;&#41;&#10;    service_account   &#61; optional&#40;string&#41;&#10;    management &#61; optional&#40;object&#40;&#123;&#10;      auto_repair  &#61; optional&#40;bool, true&#41;&#10;      auto_upgrade &#61; optional&#40;bool, true&#41;&#10;    &#125;&#41;&#41;&#10;    shielded_instance_config &#61; optional&#40;object&#40;&#123;&#10;      integrity_monitoring &#61; optional&#40;bool, true&#41;&#10;      secure_boot          &#61; optional&#40;bool, false&#41;&#10;    &#125;&#41;&#41;&#10;    upgrade_settings &#61; optional&#40;object&#40;&#123;&#10;      blue_green &#61; optional&#40;object&#40;&#123;&#10;        node_pool_soak_duration &#61; optional&#40;string&#41;&#10;        standard_rollout_policy &#61; optional&#40;object&#40;&#123;&#10;          batch_percentage    &#61; optional&#40;number&#41;&#10;          batch_node_count    &#61; optional&#40;number&#41;&#10;          batch_soak_duration &#61; optional&#40;string&#41;&#10;        &#125;&#41;&#41;&#10;      &#125;&#41;&#41;&#10;      surge &#61; optional&#40;object&#40;&#123;&#10;        max         &#61; optional&#40;number&#41;&#10;        unavailable &#61; optional&#40;number&#41;&#10;      &#125;&#41;&#41;&#10;    &#125;&#41;&#41;&#10;  &#125;&#41;&#41;&#10;  cpu_limits &#61; optional&#40;object&#40;&#123;&#10;    min &#61; number&#10;    max &#61; number&#10;  &#125;&#41;&#41;&#10;  mem_limits &#61; optional&#40;object&#40;&#123;&#10;    min &#61; number&#10;    max &#61; number&#10;  &#125;&#41;&#41;&#10;  gpu_resources &#61; optional&#40;list&#40;object&#40;&#123;&#10;    resource_type &#61; string&#10;    min           &#61; number&#10;    max           &#61; number&#10;  &#125;&#41;&#41;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |
+| [default_nodepool](variables.tf#L117) | Enable default nodepool. | <code title="object&#40;&#123;&#10;  remove_pool        &#61; optional&#40;bool, true&#41;&#10;  initial_node_count &#61; optional&#40;number, 1&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |
+| [deletion_protection](variables.tf#L135) | Whether or not to allow Terraform to destroy the cluster. Unless this field is set to false in Terraform state, a terraform destroy or terraform apply that would delete the cluster will fail. | <code>bool</code> |  | <code>true</code> |
+| [description](variables.tf#L142) | Cluster description. | <code>string</code> |  | <code>null</code> |
+| [enable_addons](variables.tf#L148) | Addons enabled in the cluster (true means enabled). | <code title="object&#40;&#123;&#10;  cloudrun                       &#61; optional&#40;bool, false&#41;&#10;  config_connector               &#61; optional&#40;bool, false&#41;&#10;  dns_cache                      &#61; optional&#40;bool, false&#41;&#10;  gce_persistent_disk_csi_driver &#61; optional&#40;bool, false&#41;&#10;  gcp_filestore_csi_driver       &#61; optional&#40;bool, false&#41;&#10;  gcs_fuse_csi_driver            &#61; optional&#40;bool, false&#41;&#10;  horizontal_pod_autoscaling     &#61; optional&#40;bool, false&#41;&#10;  http_load_balancing            &#61; optional&#40;bool, false&#41;&#10;  istio &#61; optional&#40;object&#40;&#123;&#10;    enable_tls &#61; bool&#10;  &#125;&#41;&#41;&#10;  kalm           &#61; optional&#40;bool, false&#41;&#10;  network_policy &#61; optional&#40;bool, false&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code title="&#123;&#10;  horizontal_pod_autoscaling &#61; true&#10;  http_load_balancing        &#61; true&#10;&#125;">&#123;&#8230;&#125;</code> |
+| [enable_features](variables.tf#L172) | Enable cluster-level features. Certain features allow configuration. | <code title="object&#40;&#123;&#10;  beta_apis                         &#61; optional&#40;list&#40;string&#41;&#41;&#10;  binary_authorization              &#61; optional&#40;bool, false&#41;&#10;  cilium_clusterwide_network_policy &#61; optional&#40;bool, false&#41;&#10;  cost_management                   &#61; optional&#40;bool, false&#41;&#10;  dns &#61; optional&#40;object&#40;&#123;&#10;    provider &#61; optional&#40;string&#41;&#10;    scope    &#61; optional&#40;string&#41;&#10;    domain   &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;&#10;  database_encryption &#61; optional&#40;object&#40;&#123;&#10;    state    &#61; string&#10;    key_name &#61; string&#10;  &#125;&#41;&#41;&#10;  dataplane_v2         &#61; optional&#40;bool, false&#41;&#10;  fqdn_network_policy  &#61; optional&#40;bool, false&#41;&#10;  gateway_api          &#61; optional&#40;bool, false&#41;&#10;  groups_for_rbac      &#61; optional&#40;string&#41;&#10;  image_streaming      &#61; optional&#40;bool, false&#41;&#10;  intranode_visibility &#61; optional&#40;bool, false&#41;&#10;  l4_ilb_subsetting    &#61; optional&#40;bool, false&#41;&#10;  mesh_certificates    &#61; optional&#40;bool&#41;&#10;  pod_security_policy  &#61; optional&#40;bool, false&#41;&#10;  resource_usage_export &#61; optional&#40;object&#40;&#123;&#10;    dataset                              &#61; string&#10;    enable_network_egress_metering       &#61; optional&#40;bool&#41;&#10;    enable_resource_consumption_metering &#61; optional&#40;bool&#41;&#10;  &#125;&#41;&#41;&#10;  service_external_ips &#61; optional&#40;bool, true&#41;&#10;  shielded_nodes       &#61; optional&#40;bool, false&#41;&#10;  tpu                  &#61; optional&#40;bool, false&#41;&#10;  upgrade_notifications &#61; optional&#40;object&#40;&#123;&#10;    topic_id &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;&#10;  vertical_pod_autoscaling &#61; optional&#40;bool, false&#41;&#10;  workload_identity        &#61; optional&#40;bool, true&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code title="&#123;&#10;  workload_identity &#61; true&#10;&#125;">&#123;&#8230;&#125;</code> |
+| [issue_client_certificate](variables.tf#L222) | Enable issuing client certificate. | <code>bool</code> |  | <code>false</code> |
+| [labels](variables.tf#L228) | Cluster resource labels. | <code>map&#40;string&#41;</code> |  | <code>null</code> |
+| [logging_config](variables.tf#L239) | Logging configuration. | <code title="object&#40;&#123;&#10;  enable_system_logs             &#61; optional&#40;bool, true&#41;&#10;  enable_workloads_logs          &#61; optional&#40;bool, false&#41;&#10;  enable_api_server_logs         &#61; optional&#40;bool, false&#41;&#10;  enable_scheduler_logs          &#61; optional&#40;bool, false&#41;&#10;  enable_controller_manager_logs &#61; optional&#40;bool, false&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |
+| [maintenance_config](variables.tf#L260) | Maintenance window configuration. | <code title="object&#40;&#123;&#10;  daily_window_start_time &#61; optional&#40;string&#41;&#10;  recurring_window &#61; optional&#40;object&#40;&#123;&#10;    start_time &#61; string&#10;    end_time   &#61; string&#10;    recurrence &#61; string&#10;  &#125;&#41;&#41;&#10;  maintenance_exclusions &#61; optional&#40;list&#40;object&#40;&#123;&#10;    name       &#61; string&#10;    start_time &#61; string&#10;    end_time   &#61; string&#10;    scope      &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code title="&#123;&#10;  daily_window_start_time &#61; &#34;03:00&#34;&#10;  recurring_window        &#61; null&#10;  maintenance_exclusion   &#61; &#91;&#93;&#10;&#125;">&#123;&#8230;&#125;</code> |
+| [max_pods_per_node](variables.tf#L283) | Maximum number of pods per node in this cluster. | <code>number</code> |  | <code>110</code> |
+| [min_master_version](variables.tf#L289) | Minimum version of the master, defaults to the version of the most recent official release. | <code>string</code> |  | <code>null</code> |
+| [monitoring_config](variables.tf#L295) | Monitoring configuration. Google Cloud Managed Service for Prometheus is enabled by default. | <code title="object&#40;&#123;&#10;  enable_system_metrics &#61; optional&#40;bool, true&#41;&#10;  enable_api_server_metrics         &#61; optional&#40;bool, false&#41;&#10;  enable_controller_manager_metrics &#61; optional&#40;bool, false&#41;&#10;  enable_scheduler_metrics          &#61; optional&#40;bool, false&#41;&#10;  enable_daemonset_metrics   &#61; optional&#40;bool, false&#41;&#10;  enable_deployment_metrics  &#61; optional&#40;bool, false&#41;&#10;  enable_hpa_metrics         &#61; optional&#40;bool, false&#41;&#10;  enable_pod_metrics         &#61; optional&#40;bool, false&#41;&#10;  enable_statefulset_metrics &#61; optional&#40;bool, false&#41;&#10;  enable_storage_metrics     &#61; optional&#40;bool, false&#41;&#10;  enable_managed_prometheus &#61; optional&#40;bool, true&#41;&#10;  advanced_datapath_observability &#61; optional&#40;object&#40;&#123;&#10;    enable_metrics &#61; bool&#10;    enable_relay   &#61; optional&#40;bool&#41;&#10;    relay_mode     &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |
+| [node_config](variables.tf#L374) | Node-level configuration. | <code title="object&#40;&#123;&#10;  boot_disk_kms_key &#61; optional&#40;string&#41;&#10;  service_account   &#61; optional&#40;string&#41;&#10;  tags              &#61; optional&#40;list&#40;string&#41;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |
+| [node_locations](variables.tf#L384) | Zones in which the cluster's nodes are located. | <code>list&#40;string&#41;</code> |  | <code>&#91;&#93;</code> |
+| [private_cluster_config](variables.tf#L391) | Private cluster configuration. | <code title="object&#40;&#123;&#10;  enable_private_endpoint &#61; optional&#40;bool&#41;&#10;  master_global_access    &#61; optional&#40;bool&#41;&#10;  peering_config &#61; optional&#40;object&#40;&#123;&#10;    export_routes &#61; optional&#40;bool&#41;&#10;    import_routes &#61; optional&#40;bool&#41;&#10;    project_id    &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |
+| [release_channel](variables.tf#L410) | Release channel for GKE upgrades. | <code>string</code> |  | <code>null</code> |
 
 ## Outputs
 
diff --git a/modules/gke-cluster-standard/main.tf b/modules/gke-cluster-standard/main.tf
index 6ab4c9d881..99db49f80d 100644
--- a/modules/gke-cluster-standard/main.tf
+++ b/modules/gke-cluster-standard/main.tf
@@ -132,7 +132,7 @@ resource "google_container_cluster" "cluster" {
   dynamic "cluster_autoscaling" {
     for_each = local.cas == null ? [] : [""]
     content {
-      enabled             = true
+      enabled             = var.cluster_autoscaling.enabled
       autoscaling_profile = var.cluster_autoscaling.autoscaling_profile
       dynamic "auto_provisioning_defaults" {
         for_each = local.cas_apd != null ? [""] : []
diff --git a/modules/gke-cluster-standard/variables.tf b/modules/gke-cluster-standard/variables.tf
index 6644595494..5580320f8f 100644
--- a/modules/gke-cluster-standard/variables.tf
+++ b/modules/gke-cluster-standard/variables.tf
@@ -38,6 +38,7 @@ variable "backup_configs" {
 variable "cluster_autoscaling" {
   description = "Enable and configure limits for Node Auto-Provisioning with Cluster Autoscaler."
   type = object({
+    enabled             = optional(bool, true)
     autoscaling_profile = optional(string, "BALANCED")
     auto_provisioning_defaults = optional(object({
       boot_disk_kms_key = optional(string)

From d831d328648b1a539215360f91f4e0f9f3c4e1ae Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Wiktor=20Niesiob=C4=99dzki?= <wiktorn@google.com>
Date: Sat, 27 Apr 2024 07:07:04 +0000
Subject: [PATCH 06/31] Use default labels on pubsub subscription when no
 override is provided

---
 modules/pubsub/README.md                         | 1 +
 modules/pubsub/main.tf                           | 2 +-
 tests/modules/pubsub/examples/subscriptions.yaml | 6 ++++--
 3 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/modules/pubsub/README.md b/modules/pubsub/README.md
index 6d924d90d2..4aaa4a4812 100644
--- a/modules/pubsub/README.md
+++ b/modules/pubsub/README.md
@@ -60,6 +60,7 @@ module "pubsub" {
   source     = "./fabric/modules/pubsub"
   project_id = var.project_id
   name       = "my-topic"
+  labels     = { test = "default" }
   subscriptions = {
     test-pull = {}
     test-pull-override = {
diff --git a/modules/pubsub/main.tf b/modules/pubsub/main.tf
index b65d372f11..a090f861b0 100644
--- a/modules/pubsub/main.tf
+++ b/modules/pubsub/main.tf
@@ -54,7 +54,7 @@ resource "google_pubsub_subscription" "default" {
   project                      = var.project_id
   name                         = each.key
   topic                        = google_pubsub_topic.default.name
-  labels                       = each.value.labels
+  labels                       = coalesce(each.value.labels, var.labels)
   ack_deadline_seconds         = each.value.ack_deadline_seconds
   message_retention_duration   = each.value.message_retention_duration
   retain_acked_messages        = each.value.retain_acked_messages
diff --git a/tests/modules/pubsub/examples/subscriptions.yaml b/tests/modules/pubsub/examples/subscriptions.yaml
index 89acf08b22..267f4ebc5c 100644
--- a/tests/modules/pubsub/examples/subscriptions.yaml
+++ b/tests/modules/pubsub/examples/subscriptions.yaml
@@ -20,7 +20,8 @@ values:
     enable_exactly_once_delivery: false
     enable_message_ordering: false
     filter: null
-    labels: null
+    labels:
+      test: default
     message_retention_duration: 604800s
     name: test-pull
     project: project-id
@@ -52,7 +53,8 @@ values:
     topic: my-topic
   module.pubsub.google_pubsub_topic.default:
     kms_key_name: null
-    labels: null
+    labels:
+      test: default
     message_retention_duration: null
     name: my-topic
     project: project-id

From a95e681f059af9e112636befd03efb124439115f Mon Sep 17 00:00:00 2001
From: apichick <mirene@google.com>
Date: Sun, 28 Apr 2024 12:11:07 +0200
Subject: [PATCH 07/31] Removed BFD settings from net-vpn-ha module as it is
 not supported (#2244)

* Removed bfd settings from net-vpn-ha as it is not supported

* Removed bfd settings from net-vpn-ha as it is not supported
---
 modules/net-vpn-ha/README.md    | 6 +++---
 modules/net-vpn-ha/main.tf      | 9 ---------
 modules/net-vpn-ha/variables.tf | 6 ------
 3 files changed, 3 insertions(+), 18 deletions(-)

diff --git a/modules/net-vpn-ha/README.md b/modules/net-vpn-ha/README.md
index 2de72f54ea..164e009f7e 100644
--- a/modules/net-vpn-ha/README.md
+++ b/modules/net-vpn-ha/README.md
@@ -213,9 +213,9 @@ module "vpn_ha" {
 | [region](variables.tf#L52) | Region used for resources. | <code>string</code> | ✓ |  |
 | [router_config](variables.tf#L57) | Cloud Router configuration for the VPN. If you want to reuse an existing router, set create to false and use name to specify the desired router. | <code title="object&#40;&#123;&#10;  asn    &#61; number&#10;  create &#61; optional&#40;bool, true&#41;&#10;  custom_advertise &#61; optional&#40;object&#40;&#123;&#10;    all_subnets &#61; bool&#10;    ip_ranges   &#61; map&#40;string&#41;&#10;  &#125;&#41;&#41;&#10;  keepalive &#61; optional&#40;number&#41;&#10;  name      &#61; optional&#40;string&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | ✓ |  |
 | [peer_gateways](variables.tf#L27) | Configuration of the (external or GCP) peer gateway. | <code title="map&#40;object&#40;&#123;&#10;  external &#61; optional&#40;object&#40;&#123;&#10;    redundancy_type &#61; string&#10;    interfaces      &#61; list&#40;string&#41;&#10;    description     &#61; optional&#40;string, &#34;Terraform managed external VPN gateway&#34;&#41;&#10;  &#125;&#41;&#41;&#10;  gcp &#61; optional&#40;string&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
-| [tunnels](variables.tf#L72) | VPN tunnel configurations. | <code title="map&#40;object&#40;&#123;&#10;  bgp_peer &#61; object&#40;&#123;&#10;    address        &#61; string&#10;    asn            &#61; number&#10;    route_priority &#61; optional&#40;number, 1000&#41;&#10;    bfd &#61; optional&#40;object&#40;&#123;&#10;      min_receive_interval        &#61; optional&#40;number&#41;&#10;      min_transmit_interval       &#61; optional&#40;number&#41;&#10;      multiplier                  &#61; optional&#40;number&#41;&#10;      session_initialization_mode &#61; optional&#40;string, &#34;ACTIVE&#34;&#41;&#10;    &#125;&#41;&#41;&#10;    custom_advertise &#61; optional&#40;object&#40;&#123;&#10;      all_subnets          &#61; bool&#10;      all_vpc_subnets      &#61; bool&#10;      all_peer_vpc_subnets &#61; bool&#10;      ip_ranges            &#61; map&#40;string&#41;&#10;    &#125;&#41;&#41;&#10;    md5_authentication_key &#61; optional&#40;object&#40;&#123;&#10;      name &#61; string&#10;      key  &#61; string&#10;    &#125;&#41;&#41;&#10;    ipv6 &#61; optional&#40;object&#40;&#123;&#10;      nexthop_address      &#61; optional&#40;string&#41;&#10;      peer_nexthop_address &#61; optional&#40;string&#41;&#10;    &#125;&#41;&#41;&#10;  &#125;&#41;&#10;  bgp_session_range               &#61; string&#10;  ike_version                     &#61; optional&#40;number, 2&#41;&#10;  peer_external_gateway_interface &#61; optional&#40;number&#41;&#10;  peer_gateway                    &#61; optional&#40;string, &#34;default&#34;&#41;&#10;  router                          &#61; optional&#40;string&#41;&#10;  shared_secret                   &#61; optional&#40;string&#41;&#10;  vpn_gateway_interface           &#61; number&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
-| [vpn_gateway](variables.tf#L114) | HA VPN Gateway Self Link for using an existing HA VPN Gateway. Ignored if `vpn_gateway_create` is set to `true`. | <code>string</code> |  | <code>null</code> |
-| [vpn_gateway_create](variables.tf#L120) | Create HA VPN Gateway. Set to null to avoid creation. | <code title="object&#40;&#123;&#10;  description &#61; optional&#40;string, &#34;Terraform managed external VPN gateway&#34;&#41;&#10;  ipv6        &#61; optional&#40;bool, false&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |
+| [tunnels](variables.tf#L72) | VPN tunnel configurations. | <code title="map&#40;object&#40;&#123;&#10;  bgp_peer &#61; object&#40;&#123;&#10;    address        &#61; string&#10;    asn            &#61; number&#10;    route_priority &#61; optional&#40;number, 1000&#41;&#10;    custom_advertise &#61; optional&#40;object&#40;&#123;&#10;      all_subnets          &#61; bool&#10;      all_vpc_subnets      &#61; bool&#10;      all_peer_vpc_subnets &#61; bool&#10;      ip_ranges            &#61; map&#40;string&#41;&#10;    &#125;&#41;&#41;&#10;    md5_authentication_key &#61; optional&#40;object&#40;&#123;&#10;      name &#61; string&#10;      key  &#61; string&#10;    &#125;&#41;&#41;&#10;    ipv6 &#61; optional&#40;object&#40;&#123;&#10;      nexthop_address      &#61; optional&#40;string&#41;&#10;      peer_nexthop_address &#61; optional&#40;string&#41;&#10;    &#125;&#41;&#41;&#10;  &#125;&#41;&#10;  bgp_session_range               &#61; string&#10;  ike_version                     &#61; optional&#40;number, 2&#41;&#10;  peer_external_gateway_interface &#61; optional&#40;number&#41;&#10;  peer_gateway                    &#61; optional&#40;string, &#34;default&#34;&#41;&#10;  router                          &#61; optional&#40;string&#41;&#10;  shared_secret                   &#61; optional&#40;string&#41;&#10;  vpn_gateway_interface           &#61; number&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
+| [vpn_gateway](variables.tf#L108) | HA VPN Gateway Self Link for using an existing HA VPN Gateway. Ignored if `vpn_gateway_create` is set to `true`. | <code>string</code> |  | <code>null</code> |
+| [vpn_gateway_create](variables.tf#L114) | Create HA VPN Gateway. Set to null to avoid creation. | <code title="object&#40;&#123;&#10;  description &#61; optional&#40;string, &#34;Terraform managed external VPN gateway&#34;&#41;&#10;  ipv6        &#61; optional&#40;bool, false&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |
 
 ## Outputs
 
diff --git a/modules/net-vpn-ha/main.tf b/modules/net-vpn-ha/main.tf
index 20af29015a..bbb7ca0295 100644
--- a/modules/net-vpn-ha/main.tf
+++ b/modules/net-vpn-ha/main.tf
@@ -117,15 +117,6 @@ resource "google_compute_router_peer" "bgp_peer" {
       description = range.value
     }
   }
-  dynamic "bfd" {
-    for_each = each.value.bgp_peer.bfd != null ? [each.value.bgp_peer.bfd] : []
-    content {
-      session_initialization_mode = bfd.value.session_initialization_mode
-      min_receive_interval        = bfd.value.min_receive_interval
-      min_transmit_interval       = bfd.value.min_transmit_interval
-      multiplier                  = bfd.value.multiplier
-    }
-  }
   dynamic "md5_authentication_key" {
     for_each = each.value.bgp_peer.md5_authentication_key != null ? toset([each.value.bgp_peer.md5_authentication_key]) : []
     content {
diff --git a/modules/net-vpn-ha/variables.tf b/modules/net-vpn-ha/variables.tf
index d507c89881..ba86eee6e9 100644
--- a/modules/net-vpn-ha/variables.tf
+++ b/modules/net-vpn-ha/variables.tf
@@ -76,12 +76,6 @@ variable "tunnels" {
       address        = string
       asn            = number
       route_priority = optional(number, 1000)
-      bfd = optional(object({
-        min_receive_interval        = optional(number)
-        min_transmit_interval       = optional(number)
-        multiplier                  = optional(number)
-        session_initialization_mode = optional(string, "ACTIVE")
-      }))
       custom_advertise = optional(object({
         all_subnets          = bool
         all_vpc_subnets      = bool

From ab174274de35c6b73f44e23d312c86a25c729d72 Mon Sep 17 00:00:00 2001
From: apichick <mirene@google.com>
Date: Sun, 28 Apr 2024 17:31:42 +0200
Subject: [PATCH 08/31] Added new attributes Apigee organization and bumped up
 providers version (#2243)

---
 .../patterns/autopilot-cluster/versions.tf    |  4 +-
 blueprints/gke/patterns/batch/versions.tf     |  4 +-
 blueprints/gke/patterns/kafka/versions.tf     |  4 +-
 blueprints/gke/patterns/mysql/versions.tf     |  4 +-
 .../gke/patterns/redis-cluster/versions.tf    |  4 +-
 default-versions.tf                           |  4 +-
 .../alloydb-instance/versions.tf              |  4 +-
 .../net-neg/versions.tf                       |  4 +-
 .../project-iam-magic/versions.tf             |  4 +-
 modules/analytics-hub/versions.tf             |  4 +-
 modules/api-gateway/versions.tf               |  4 +-
 modules/apigee/README.md                      |  8 +--
 modules/apigee/main.tf                        | 33 ++++++++----
 modules/apigee/variables.tf                   | 50 ++++++++++---------
 modules/apigee/versions.tf                    |  4 +-
 modules/artifact-registry/versions.tf         |  4 +-
 modules/bigquery-dataset/versions.tf          |  4 +-
 modules/bigtable-instance/versions.tf         |  4 +-
 modules/billing-account/versions.tf           |  4 +-
 modules/binauthz/versions.tf                  |  4 +-
 .../__need_fixing/onprem/versions.tf          |  4 +-
 .../__need_fixing/squid/versions.tf           |  4 +-
 .../coredns/versions.tf                       |  4 +-
 .../cos-generic-metadata/versions.tf          |  4 +-
 .../envoy-sni-dyn-fwd-proxy/versions.tf       |  4 +-
 .../envoy-traffic-director/versions.tf        |  4 +-
 .../cloud-config-container/mysql/versions.tf  |  4 +-
 .../nginx-tls/versions.tf                     |  4 +-
 .../cloud-config-container/nginx/versions.tf  |  4 +-
 .../simple-nva/versions.tf                    |  4 +-
 modules/cloud-function-v1/versions.tf         |  4 +-
 modules/cloud-function-v2/versions.tf         |  4 +-
 modules/cloud-identity-group/versions.tf      |  4 +-
 modules/cloud-run-v2/versions.tf              |  4 +-
 modules/cloud-run/versions.tf                 |  4 +-
 modules/cloudsql-instance/versions.tf         |  4 +-
 modules/compute-mig/versions.tf               |  4 +-
 modules/compute-vm/versions.tf                |  4 +-
 modules/container-registry/versions.tf        |  4 +-
 modules/data-catalog-policy-tag/versions.tf   |  4 +-
 modules/data-catalog-tag-template/versions.tf |  4 +-
 modules/data-catalog-tag/versions.tf          |  4 +-
 modules/dataform-repository/versions.tf       |  4 +-
 modules/datafusion/versions.tf                |  4 +-
 modules/dataplex-datascan/versions.tf         |  4 +-
 modules/dataplex/versions.tf                  |  4 +-
 modules/dataproc/versions.tf                  |  4 +-
 modules/dns-response-policy/versions.tf       |  4 +-
 modules/dns/versions.tf                       |  4 +-
 modules/endpoints/versions.tf                 |  4 +-
 modules/folder/versions.tf                    |  4 +-
 modules/gcs/versions.tf                       |  4 +-
 modules/gcve-private-cloud/versions.tf        |  4 +-
 modules/gke-cluster-autopilot/versions.tf     |  4 +-
 modules/gke-cluster-standard/versions.tf      |  4 +-
 modules/gke-hub/versions.tf                   |  4 +-
 modules/gke-nodepool/versions.tf              |  4 +-
 modules/iam-service-account/versions.tf       |  4 +-
 modules/kms/versions.tf                       |  4 +-
 modules/logging-bucket/versions.tf            |  4 +-
 modules/ncc-spoke-ra/versions.tf              |  4 +-
 modules/net-address/versions.tf               |  4 +-
 modules/net-cloudnat/versions.tf              |  4 +-
 modules/net-firewall-policy/versions.tf       |  4 +-
 .../net-ipsec-over-interconnect/versions.tf   |  4 +-
 modules/net-lb-app-ext-regional/versions.tf   |  4 +-
 modules/net-lb-app-ext/versions.tf            |  4 +-
 .../net-lb-app-int-cross-region/versions.tf   |  4 +-
 modules/net-lb-app-int/versions.tf            |  4 +-
 modules/net-lb-ext/versions.tf                |  4 +-
 modules/net-lb-int/versions.tf                |  4 +-
 modules/net-lb-proxy-int/versions.tf          |  4 +-
 modules/net-swp/versions.tf                   |  4 +-
 modules/net-vlan-attachment/versions.tf       |  4 +-
 modules/net-vpc-firewall/versions.tf          |  4 +-
 modules/net-vpc-peering/versions.tf           |  4 +-
 modules/net-vpc/versions.tf                   |  4 +-
 modules/net-vpn-dynamic/versions.tf           |  4 +-
 modules/net-vpn-ha/versions.tf                |  4 +-
 modules/net-vpn-static/versions.tf            |  4 +-
 modules/organization/versions.tf              |  4 +-
 modules/project/versions.tf                   |  4 +-
 modules/projects-data-source/versions.tf      |  4 +-
 modules/pubsub/versions.tf                    |  4 +-
 modules/secret-manager/versions.tf            |  4 +-
 modules/service-directory/versions.tf         |  4 +-
 modules/source-repository/versions.tf         |  4 +-
 modules/vpc-sc/versions.tf                    |  4 +-
 modules/workstation-cluster/versions.tf       |  4 +-
 tests/examples_e2e/setup_module/versions.tf   |  4 +-
 90 files changed, 229 insertions(+), 210 deletions(-)

diff --git a/blueprints/gke/patterns/autopilot-cluster/versions.tf b/blueprints/gke/patterns/autopilot-cluster/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/blueprints/gke/patterns/autopilot-cluster/versions.tf
+++ b/blueprints/gke/patterns/autopilot-cluster/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/blueprints/gke/patterns/batch/versions.tf b/blueprints/gke/patterns/batch/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/blueprints/gke/patterns/batch/versions.tf
+++ b/blueprints/gke/patterns/batch/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/blueprints/gke/patterns/kafka/versions.tf b/blueprints/gke/patterns/kafka/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/blueprints/gke/patterns/kafka/versions.tf
+++ b/blueprints/gke/patterns/kafka/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/blueprints/gke/patterns/mysql/versions.tf b/blueprints/gke/patterns/mysql/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/blueprints/gke/patterns/mysql/versions.tf
+++ b/blueprints/gke/patterns/mysql/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/blueprints/gke/patterns/redis-cluster/versions.tf b/blueprints/gke/patterns/redis-cluster/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/blueprints/gke/patterns/redis-cluster/versions.tf
+++ b/blueprints/gke/patterns/redis-cluster/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/default-versions.tf b/default-versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/default-versions.tf
+++ b/default-versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/__experimental_deprecated/alloydb-instance/versions.tf b/modules/__experimental_deprecated/alloydb-instance/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/__experimental_deprecated/alloydb-instance/versions.tf
+++ b/modules/__experimental_deprecated/alloydb-instance/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/__experimental_deprecated/net-neg/versions.tf b/modules/__experimental_deprecated/net-neg/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/__experimental_deprecated/net-neg/versions.tf
+++ b/modules/__experimental_deprecated/net-neg/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/__experimental_deprecated/project-iam-magic/versions.tf b/modules/__experimental_deprecated/project-iam-magic/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/__experimental_deprecated/project-iam-magic/versions.tf
+++ b/modules/__experimental_deprecated/project-iam-magic/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/analytics-hub/versions.tf b/modules/analytics-hub/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/analytics-hub/versions.tf
+++ b/modules/analytics-hub/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/api-gateway/versions.tf b/modules/api-gateway/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/api-gateway/versions.tf
+++ b/modules/api-gateway/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/apigee/README.md b/modules/apigee/README.md
index 24c6f4166a..ebae675f31 100644
--- a/modules/apigee/README.md
+++ b/modules/apigee/README.md
@@ -359,13 +359,13 @@ module "apigee" {
 
 | name | description | type | required | default |
 |---|---|:---:|:---:|:---:|
-| [project_id](variables.tf#L126) | Project ID. | <code>string</code> | ✓ |  |
+| [project_id](variables.tf#L130) | Project ID. | <code>string</code> | ✓ |  |
 | [addons_config](variables.tf#L17) | Addons configuration. | <code title="object&#40;&#123;&#10;  advanced_api_ops    &#61; optional&#40;bool, false&#41;&#10;  api_security        &#61; optional&#40;bool, false&#41;&#10;  connectors_platform &#61; optional&#40;bool, false&#41;&#10;  integration         &#61; optional&#40;bool, false&#41;&#10;  monetization        &#61; optional&#40;bool, false&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |
 | [endpoint_attachments](variables.tf#L29) | Endpoint attachments. | <code title="map&#40;object&#40;&#123;&#10;  region             &#61; string&#10;  service_attachment &#61; string&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
 | [envgroups](variables.tf#L39) | Environment groups (NAME => [HOSTNAMES]). | <code>map&#40;list&#40;string&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
-| [environments](variables.tf#L46) | Environments. | <code title="map&#40;object&#40;&#123;&#10;  display_name    &#61; optional&#40;string&#41;&#10;  description     &#61; optional&#40;string, &#34;Terraform-managed&#34;&#41;&#10;  deployment_type &#61; optional&#40;string&#41;&#10;  api_proxy_type  &#61; optional&#40;string&#41;&#10;  type            &#61; optional&#40;string&#41;&#10;  node_config &#61; optional&#40;object&#40;&#123;&#10;    min_node_count &#61; optional&#40;number&#41;&#10;    max_node_count &#61; optional&#40;number&#41;&#10;  &#125;&#41;&#41;&#10;  iam &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;  iam_bindings &#61; optional&#40;map&#40;object&#40;&#123;&#10;    role    &#61; string&#10;    members &#61; list&#40;string&#41;&#10;  &#125;&#41;&#41;, &#123;&#125;&#41;&#10;  iam_bindings_additive &#61; optional&#40;map&#40;object&#40;&#123;&#10;    role   &#61; string&#10;    member &#61; string&#10;  &#125;&#41;&#41;, &#123;&#125;&#41;&#10;  envgroups &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
-| [instances](variables.tf#L73) | Instances ([REGION] => [INSTANCE]). | <code title="map&#40;object&#40;&#123;&#10;  name                          &#61; optional&#40;string&#41;&#10;  display_name                  &#61; optional&#40;string&#41;&#10;  description                   &#61; optional&#40;string, &#34;Terraform-managed&#34;&#41;&#10;  runtime_ip_cidr_range         &#61; optional&#40;string&#41;&#10;  troubleshooting_ip_cidr_range &#61; optional&#40;string&#41;&#10;  disk_encryption_key           &#61; optional&#40;string&#41;&#10;  consumer_accept_list          &#61; optional&#40;list&#40;string&#41;&#41;&#10;  enable_nat                    &#61; optional&#40;bool, false&#41;&#10;  environments                  &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
-| [organization](variables.tf#L98) | Apigee organization. If set to null the organization must already exist. | <code title="object&#40;&#123;&#10;  display_name            &#61; optional&#40;string&#41;&#10;  description             &#61; optional&#40;string, &#34;Terraform-managed&#34;&#41;&#10;  authorized_network      &#61; optional&#40;string&#41;&#10;  runtime_type            &#61; optional&#40;string, &#34;CLOUD&#34;&#41;&#10;  billing_type            &#61; optional&#40;string&#41;&#10;  database_encryption_key &#61; optional&#40;string&#41;&#10;  analytics_region        &#61; optional&#40;string, &#34;europe-west1&#34;&#41;&#10;  retention               &#61; optional&#40;string&#41;&#10;  disable_vpc_peering     &#61; optional&#40;bool, false&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |
+| [environments](variables.tf#L46) | Environments. | <code title="map&#40;object&#40;&#123;&#10;  api_proxy_type  &#61; optional&#40;string&#41;&#10;  description     &#61; optional&#40;string, &#34;Terraform-managed&#34;&#41;&#10;  display_name    &#61; optional&#40;string&#41;&#10;  deployment_type &#61; optional&#40;string&#41;&#10;  envgroups       &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10;  iam             &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;  iam_bindings &#61; optional&#40;map&#40;object&#40;&#123;&#10;    role    &#61; string&#10;    members &#61; list&#40;string&#41;&#10;  &#125;&#41;&#41;, &#123;&#125;&#41;&#10;  iam_bindings_additive &#61; optional&#40;map&#40;object&#40;&#123;&#10;    role   &#61; string&#10;    member &#61; string&#10;  &#125;&#41;&#41;, &#123;&#125;&#41;&#10;  node_config &#61; optional&#40;object&#40;&#123;&#10;    min_node_count &#61; optional&#40;number&#41;&#10;    max_node_count &#61; optional&#40;number&#41;&#10;  &#125;&#41;&#41;&#10;  type &#61; optional&#40;string&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
+| [instances](variables.tf#L73) | Instances ([REGION] => [INSTANCE]). | <code title="map&#40;object&#40;&#123;&#10;  consumer_accept_list          &#61; optional&#40;list&#40;string&#41;&#41;&#10;  description                   &#61; optional&#40;string, &#34;Terraform-managed&#34;&#41;&#10;  disk_encryption_key           &#61; optional&#40;string&#41;&#10;  display_name                  &#61; optional&#40;string&#41;&#10;  enable_nat                    &#61; optional&#40;bool, false&#41;&#10;  environments                  &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10;  name                          &#61; optional&#40;string&#41;&#10;  runtime_ip_cidr_range         &#61; optional&#40;string&#41;&#10;  troubleshooting_ip_cidr_range &#61; optional&#40;string&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
+| [organization](variables.tf#L98) | Apigee organization. If set to null the organization must already exist. | <code title="object&#40;&#123;&#10;  analytics_region                 &#61; optional&#40;string&#41;&#10;  api_consumer_data_encryption_key &#61; optional&#40;string&#41;&#10;  api_consumer_data_location       &#61; optional&#40;string&#41;&#10;  authorized_network               &#61; optional&#40;string&#41;&#10;  billing_type                     &#61; optional&#40;string&#41;&#10;  control_plane_encryption_key     &#61; optional&#40;string&#41;&#10;  database_encryption_key          &#61; optional&#40;string&#41;&#10;  description                      &#61; optional&#40;string, &#34;Terraform-managed&#34;&#41;&#10;  disable_vpc_peering              &#61; optional&#40;bool, false&#41;&#10;  display_name                     &#61; optional&#40;string&#41;&#10;  properties                       &#61; optional&#40;map&#40;string&#41;, &#123;&#125;&#41;&#10;  runtime_type                     &#61; optional&#40;string, &#34;CLOUD&#34;&#41;&#10;  retention                        &#61; optional&#40;string&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |
 
 ## Outputs
 
diff --git a/modules/apigee/main.tf b/modules/apigee/main.tf
index bb0417b279..afbc1e5af6 100644
--- a/modules/apigee/main.tf
+++ b/modules/apigee/main.tf
@@ -20,15 +20,30 @@ locals {
 }
 
 resource "google_apigee_organization" "organization" {
-  count                                = var.organization == null ? 0 : 1
-  analytics_region                     = var.organization.analytics_region
-  project_id                           = var.project_id
-  authorized_network                   = var.organization.authorized_network
-  billing_type                         = var.organization.billing_type
-  runtime_type                         = var.organization.runtime_type
-  runtime_database_encryption_key_name = var.organization.database_encryption_key
-  retention                            = var.organization.retention
-  disable_vpc_peering                  = var.organization.disable_vpc_peering
+  count                                 = var.organization == null ? 0 : 1
+  analytics_region                      = var.organization.analytics_region
+  project_id                            = var.project_id
+  authorized_network                    = var.organization.authorized_network
+  billing_type                          = var.organization.billing_type
+  runtime_type                          = var.organization.runtime_type
+  runtime_database_encryption_key_name  = var.organization.database_encryption_key
+  retention                             = var.organization.retention
+  disable_vpc_peering                   = var.organization.disable_vpc_peering
+  api_consumer_data_location            = var.organization.api_consumer_data_location
+  api_consumer_data_encryption_key_name = var.organization.api_consumer_data_encryption_key
+  control_plane_encryption_key_name     = var.organization.control_plane_encryption_key
+  dynamic "properties" {
+    for_each = length(var.organization.properties) > 0 ? [""] : []
+    content {
+      dynamic "property" {
+        for_each = var.organization.properties
+        content {
+          name  = properties.key
+          value = properties.value
+        }
+      }
+    }
+  }
 }
 
 resource "google_apigee_envgroup" "envgroups" {
diff --git a/modules/apigee/variables.tf b/modules/apigee/variables.tf
index 027ad05e47..6ce9fdcf1f 100644
--- a/modules/apigee/variables.tf
+++ b/modules/apigee/variables.tf
@@ -46,16 +46,12 @@ variable "envgroups" {
 variable "environments" {
   description = "Environments."
   type = map(object({
-    display_name    = optional(string)
+    api_proxy_type  = optional(string)
     description     = optional(string, "Terraform-managed")
+    display_name    = optional(string)
     deployment_type = optional(string)
-    api_proxy_type  = optional(string)
-    type            = optional(string)
-    node_config = optional(object({
-      min_node_count = optional(number)
-      max_node_count = optional(number)
-    }))
-    iam = optional(map(list(string)), {})
+    envgroups       = optional(list(string), [])
+    iam             = optional(map(list(string)), {})
     iam_bindings = optional(map(object({
       role    = string
       members = list(string)
@@ -64,7 +60,11 @@ variable "environments" {
       role   = string
       member = string
     })), {})
-    envgroups = optional(list(string), [])
+    node_config = optional(object({
+      min_node_count = optional(number)
+      max_node_count = optional(number)
+    }))
+    type = optional(string)
   }))
   default  = {}
   nullable = false
@@ -73,15 +73,15 @@ variable "environments" {
 variable "instances" {
   description = "Instances ([REGION] => [INSTANCE])."
   type = map(object({
-    name                          = optional(string)
-    display_name                  = optional(string)
+    consumer_accept_list          = optional(list(string))
     description                   = optional(string, "Terraform-managed")
-    runtime_ip_cidr_range         = optional(string)
-    troubleshooting_ip_cidr_range = optional(string)
     disk_encryption_key           = optional(string)
-    consumer_accept_list          = optional(list(string))
+    display_name                  = optional(string)
     enable_nat                    = optional(bool, false)
     environments                  = optional(list(string), [])
+    name                          = optional(string)
+    runtime_ip_cidr_range         = optional(string)
+    troubleshooting_ip_cidr_range = optional(string)
   }))
   validation {
     condition = alltrue([
@@ -98,15 +98,19 @@ variable "instances" {
 variable "organization" {
   description = "Apigee organization. If set to null the organization must already exist."
   type = object({
-    display_name            = optional(string)
-    description             = optional(string, "Terraform-managed")
-    authorized_network      = optional(string)
-    runtime_type            = optional(string, "CLOUD")
-    billing_type            = optional(string)
-    database_encryption_key = optional(string)
-    analytics_region        = optional(string, "europe-west1")
-    retention               = optional(string)
-    disable_vpc_peering     = optional(bool, false)
+    analytics_region                 = optional(string)
+    api_consumer_data_encryption_key = optional(string)
+    api_consumer_data_location       = optional(string)
+    authorized_network               = optional(string)
+    billing_type                     = optional(string)
+    control_plane_encryption_key     = optional(string)
+    database_encryption_key          = optional(string)
+    description                      = optional(string, "Terraform-managed")
+    disable_vpc_peering              = optional(bool, false)
+    display_name                     = optional(string)
+    properties                       = optional(map(string), {})
+    runtime_type                     = optional(string, "CLOUD")
+    retention                        = optional(string)
   })
   validation {
     condition = var.organization == null || (
diff --git a/modules/apigee/versions.tf b/modules/apigee/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/apigee/versions.tf
+++ b/modules/apigee/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/artifact-registry/versions.tf b/modules/artifact-registry/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/artifact-registry/versions.tf
+++ b/modules/artifact-registry/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/bigquery-dataset/versions.tf b/modules/bigquery-dataset/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/bigquery-dataset/versions.tf
+++ b/modules/bigquery-dataset/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/bigtable-instance/versions.tf b/modules/bigtable-instance/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/bigtable-instance/versions.tf
+++ b/modules/bigtable-instance/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/billing-account/versions.tf b/modules/billing-account/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/billing-account/versions.tf
+++ b/modules/billing-account/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/binauthz/versions.tf b/modules/binauthz/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/binauthz/versions.tf
+++ b/modules/binauthz/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/cloud-config-container/__need_fixing/onprem/versions.tf b/modules/cloud-config-container/__need_fixing/onprem/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/cloud-config-container/__need_fixing/onprem/versions.tf
+++ b/modules/cloud-config-container/__need_fixing/onprem/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/cloud-config-container/__need_fixing/squid/versions.tf b/modules/cloud-config-container/__need_fixing/squid/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/cloud-config-container/__need_fixing/squid/versions.tf
+++ b/modules/cloud-config-container/__need_fixing/squid/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/cloud-config-container/coredns/versions.tf b/modules/cloud-config-container/coredns/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/cloud-config-container/coredns/versions.tf
+++ b/modules/cloud-config-container/coredns/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/cloud-config-container/cos-generic-metadata/versions.tf b/modules/cloud-config-container/cos-generic-metadata/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/cloud-config-container/cos-generic-metadata/versions.tf
+++ b/modules/cloud-config-container/cos-generic-metadata/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/cloud-config-container/envoy-sni-dyn-fwd-proxy/versions.tf b/modules/cloud-config-container/envoy-sni-dyn-fwd-proxy/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/cloud-config-container/envoy-sni-dyn-fwd-proxy/versions.tf
+++ b/modules/cloud-config-container/envoy-sni-dyn-fwd-proxy/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/cloud-config-container/envoy-traffic-director/versions.tf b/modules/cloud-config-container/envoy-traffic-director/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/cloud-config-container/envoy-traffic-director/versions.tf
+++ b/modules/cloud-config-container/envoy-traffic-director/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/cloud-config-container/mysql/versions.tf b/modules/cloud-config-container/mysql/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/cloud-config-container/mysql/versions.tf
+++ b/modules/cloud-config-container/mysql/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/cloud-config-container/nginx-tls/versions.tf b/modules/cloud-config-container/nginx-tls/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/cloud-config-container/nginx-tls/versions.tf
+++ b/modules/cloud-config-container/nginx-tls/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/cloud-config-container/nginx/versions.tf b/modules/cloud-config-container/nginx/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/cloud-config-container/nginx/versions.tf
+++ b/modules/cloud-config-container/nginx/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/cloud-config-container/simple-nva/versions.tf b/modules/cloud-config-container/simple-nva/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/cloud-config-container/simple-nva/versions.tf
+++ b/modules/cloud-config-container/simple-nva/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/cloud-function-v1/versions.tf b/modules/cloud-function-v1/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/cloud-function-v1/versions.tf
+++ b/modules/cloud-function-v1/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/cloud-function-v2/versions.tf b/modules/cloud-function-v2/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/cloud-function-v2/versions.tf
+++ b/modules/cloud-function-v2/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/cloud-identity-group/versions.tf b/modules/cloud-identity-group/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/cloud-identity-group/versions.tf
+++ b/modules/cloud-identity-group/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/cloud-run-v2/versions.tf b/modules/cloud-run-v2/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/cloud-run-v2/versions.tf
+++ b/modules/cloud-run-v2/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/cloud-run/versions.tf b/modules/cloud-run/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/cloud-run/versions.tf
+++ b/modules/cloud-run/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/cloudsql-instance/versions.tf b/modules/cloudsql-instance/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/cloudsql-instance/versions.tf
+++ b/modules/cloudsql-instance/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/compute-mig/versions.tf b/modules/compute-mig/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/compute-mig/versions.tf
+++ b/modules/compute-mig/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/compute-vm/versions.tf b/modules/compute-vm/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/compute-vm/versions.tf
+++ b/modules/compute-vm/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/container-registry/versions.tf b/modules/container-registry/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/container-registry/versions.tf
+++ b/modules/container-registry/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/data-catalog-policy-tag/versions.tf b/modules/data-catalog-policy-tag/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/data-catalog-policy-tag/versions.tf
+++ b/modules/data-catalog-policy-tag/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/data-catalog-tag-template/versions.tf b/modules/data-catalog-tag-template/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/data-catalog-tag-template/versions.tf
+++ b/modules/data-catalog-tag-template/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/data-catalog-tag/versions.tf b/modules/data-catalog-tag/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/data-catalog-tag/versions.tf
+++ b/modules/data-catalog-tag/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/dataform-repository/versions.tf b/modules/dataform-repository/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/dataform-repository/versions.tf
+++ b/modules/dataform-repository/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/datafusion/versions.tf b/modules/datafusion/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/datafusion/versions.tf
+++ b/modules/datafusion/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/dataplex-datascan/versions.tf b/modules/dataplex-datascan/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/dataplex-datascan/versions.tf
+++ b/modules/dataplex-datascan/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/dataplex/versions.tf b/modules/dataplex/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/dataplex/versions.tf
+++ b/modules/dataplex/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/dataproc/versions.tf b/modules/dataproc/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/dataproc/versions.tf
+++ b/modules/dataproc/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/dns-response-policy/versions.tf b/modules/dns-response-policy/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/dns-response-policy/versions.tf
+++ b/modules/dns-response-policy/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/dns/versions.tf b/modules/dns/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/dns/versions.tf
+++ b/modules/dns/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/endpoints/versions.tf b/modules/endpoints/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/endpoints/versions.tf
+++ b/modules/endpoints/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/folder/versions.tf b/modules/folder/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/folder/versions.tf
+++ b/modules/folder/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/gcs/versions.tf b/modules/gcs/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/gcs/versions.tf
+++ b/modules/gcs/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/gcve-private-cloud/versions.tf b/modules/gcve-private-cloud/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/gcve-private-cloud/versions.tf
+++ b/modules/gcve-private-cloud/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/gke-cluster-autopilot/versions.tf b/modules/gke-cluster-autopilot/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/gke-cluster-autopilot/versions.tf
+++ b/modules/gke-cluster-autopilot/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/gke-cluster-standard/versions.tf b/modules/gke-cluster-standard/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/gke-cluster-standard/versions.tf
+++ b/modules/gke-cluster-standard/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/gke-hub/versions.tf b/modules/gke-hub/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/gke-hub/versions.tf
+++ b/modules/gke-hub/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/gke-nodepool/versions.tf b/modules/gke-nodepool/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/gke-nodepool/versions.tf
+++ b/modules/gke-nodepool/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/iam-service-account/versions.tf b/modules/iam-service-account/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/iam-service-account/versions.tf
+++ b/modules/iam-service-account/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/kms/versions.tf b/modules/kms/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/kms/versions.tf
+++ b/modules/kms/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/logging-bucket/versions.tf b/modules/logging-bucket/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/logging-bucket/versions.tf
+++ b/modules/logging-bucket/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/ncc-spoke-ra/versions.tf b/modules/ncc-spoke-ra/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/ncc-spoke-ra/versions.tf
+++ b/modules/ncc-spoke-ra/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/net-address/versions.tf b/modules/net-address/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/net-address/versions.tf
+++ b/modules/net-address/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/net-cloudnat/versions.tf b/modules/net-cloudnat/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/net-cloudnat/versions.tf
+++ b/modules/net-cloudnat/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/net-firewall-policy/versions.tf b/modules/net-firewall-policy/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/net-firewall-policy/versions.tf
+++ b/modules/net-firewall-policy/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/net-ipsec-over-interconnect/versions.tf b/modules/net-ipsec-over-interconnect/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/net-ipsec-over-interconnect/versions.tf
+++ b/modules/net-ipsec-over-interconnect/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/net-lb-app-ext-regional/versions.tf b/modules/net-lb-app-ext-regional/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/net-lb-app-ext-regional/versions.tf
+++ b/modules/net-lb-app-ext-regional/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/net-lb-app-ext/versions.tf b/modules/net-lb-app-ext/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/net-lb-app-ext/versions.tf
+++ b/modules/net-lb-app-ext/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/net-lb-app-int-cross-region/versions.tf b/modules/net-lb-app-int-cross-region/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/net-lb-app-int-cross-region/versions.tf
+++ b/modules/net-lb-app-int-cross-region/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/net-lb-app-int/versions.tf b/modules/net-lb-app-int/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/net-lb-app-int/versions.tf
+++ b/modules/net-lb-app-int/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/net-lb-ext/versions.tf b/modules/net-lb-ext/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/net-lb-ext/versions.tf
+++ b/modules/net-lb-ext/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/net-lb-int/versions.tf b/modules/net-lb-int/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/net-lb-int/versions.tf
+++ b/modules/net-lb-int/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/net-lb-proxy-int/versions.tf b/modules/net-lb-proxy-int/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/net-lb-proxy-int/versions.tf
+++ b/modules/net-lb-proxy-int/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/net-swp/versions.tf b/modules/net-swp/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/net-swp/versions.tf
+++ b/modules/net-swp/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/net-vlan-attachment/versions.tf b/modules/net-vlan-attachment/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/net-vlan-attachment/versions.tf
+++ b/modules/net-vlan-attachment/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/net-vpc-firewall/versions.tf b/modules/net-vpc-firewall/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/net-vpc-firewall/versions.tf
+++ b/modules/net-vpc-firewall/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/net-vpc-peering/versions.tf b/modules/net-vpc-peering/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/net-vpc-peering/versions.tf
+++ b/modules/net-vpc-peering/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/net-vpc/versions.tf b/modules/net-vpc/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/net-vpc/versions.tf
+++ b/modules/net-vpc/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/net-vpn-dynamic/versions.tf b/modules/net-vpn-dynamic/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/net-vpn-dynamic/versions.tf
+++ b/modules/net-vpn-dynamic/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/net-vpn-ha/versions.tf b/modules/net-vpn-ha/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/net-vpn-ha/versions.tf
+++ b/modules/net-vpn-ha/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/net-vpn-static/versions.tf b/modules/net-vpn-static/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/net-vpn-static/versions.tf
+++ b/modules/net-vpn-static/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/organization/versions.tf b/modules/organization/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/organization/versions.tf
+++ b/modules/organization/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/project/versions.tf b/modules/project/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/project/versions.tf
+++ b/modules/project/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/projects-data-source/versions.tf b/modules/projects-data-source/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/projects-data-source/versions.tf
+++ b/modules/projects-data-source/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/pubsub/versions.tf b/modules/pubsub/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/pubsub/versions.tf
+++ b/modules/pubsub/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/secret-manager/versions.tf b/modules/secret-manager/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/secret-manager/versions.tf
+++ b/modules/secret-manager/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/service-directory/versions.tf b/modules/service-directory/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/service-directory/versions.tf
+++ b/modules/service-directory/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/source-repository/versions.tf b/modules/source-repository/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/source-repository/versions.tf
+++ b/modules/source-repository/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/vpc-sc/versions.tf b/modules/vpc-sc/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/vpc-sc/versions.tf
+++ b/modules/vpc-sc/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/workstation-cluster/versions.tf b/modules/workstation-cluster/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/workstation-cluster/versions.tf
+++ b/modules/workstation-cluster/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/tests/examples_e2e/setup_module/versions.tf b/tests/examples_e2e/setup_module/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/tests/examples_e2e/setup_module/versions.tf
+++ b/tests/examples_e2e/setup_module/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }

From be966c4f3273beff68ad51250ca3b5ae49ecbc35 Mon Sep 17 00:00:00 2001
From: apichick <mirene@google.com>
Date: Sun, 28 Apr 2024 22:18:02 +0200
Subject: [PATCH 09/31] Fixed issue with service networking DNS peering (#2246)

Co-authored-by: Ludovico Magnocavallo <ludomagno@google.com>
---
 modules/net-vpc/psa.tf                         | 2 +-
 tests/modules/net_vpc/examples/psa-routes.yaml | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/modules/net-vpc/psa.tf b/modules/net-vpc/psa.tf
index 1e44a9accb..913cebfb3a 100644
--- a/modules/net-vpc/psa.tf
+++ b/modules/net-vpc/psa.tf
@@ -28,7 +28,7 @@ locals {
   _psa_peered_domains = flatten([
     for config in local.psa_configs : [
       for v in config.peered_domains : {
-        key              = "${config.key}-${replace(v, ".", "-")}"
+        key              = "${config.key}-${trimsuffix(replace(v, ".", "-"), "-")}"
         dns_suffix       = v
         service_producer = config.service_producer
       }
diff --git a/tests/modules/net_vpc/examples/psa-routes.yaml b/tests/modules/net_vpc/examples/psa-routes.yaml
index c64353b788..a9a8bfddb3 100644
--- a/tests/modules/net_vpc/examples/psa-routes.yaml
+++ b/tests/modules/net_vpc/examples/psa-routes.yaml
@@ -84,9 +84,9 @@ values:
     - servicenetworking-googleapis-com-myrange
     service: servicenetworking.googleapis.com
     timeouts: null
-  module.vpc.google_service_networking_peered_dns_domain.name["servicenetworking-googleapis-com-gcp-example-com-"]:
+  module.vpc.google_service_networking_peered_dns_domain.name["servicenetworking-googleapis-com-gcp-example-com"]:
     dns_suffix: gcp.example.com.
-    name: servicenetworking-googleapis-com-gcp-example-com-
+    name: servicenetworking-googleapis-com-gcp-example-com
     network: my-network
     project: project-id
     service: servicenetworking.googleapis.com

From e1226676fdb5f9bc918e8734ee8348c9b1968963 Mon Sep 17 00:00:00 2001
From: jnahelou <nahelou.jerome@gmail.com>
Date: Tue, 30 Apr 2024 19:21:35 +0200
Subject: [PATCH 10/31] Added missing identity when connectors API is enabled
 (#2248)

---
 modules/project/service-agents.yaml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/modules/project/service-agents.yaml b/modules/project/service-agents.yaml
index 66c95a4640..455287e807 100644
--- a/modules/project/service-agents.yaml
+++ b/modules/project/service-agents.yaml
@@ -121,6 +121,7 @@
   service_agent: "service-%s@gcp-sa-anthossupport.iam.gserviceaccount.com"
 - name: "connectors"
   service_agent: "service-%s@gcp-sa-connectors.iam.gserviceaccount.com"
+  jit: true
 - name: "contactcenteraiplatform"
   service_agent: "service-%s@gcp-sa-ccaip.iam.gserviceaccount.com"
 - name: "contactcenterinsights"

From 27a055a9cbffda216250af736ec2a68241bec12e Mon Sep 17 00:00:00 2001
From: Ludovico Magnocavallo <ludomagno@google.com>
Date: Wed, 1 May 2024 18:50:30 +0200
Subject: [PATCH 11/31] fix factory ingress policies (#2251)

---
 modules/vpc-sc/README.md                   | 23 +++++++++++++++++++---
 modules/vpc-sc/factory.tf                  |  2 +-
 tests/modules/vpc_sc/examples/factory.yaml | 20 ++++++++++++++++++-
 3 files changed, 40 insertions(+), 5 deletions(-)

diff --git a/modules/vpc-sc/README.md b/modules/vpc-sc/README.md
index 2bdeebe9fe..fb99c10657 100644
--- a/modules/vpc-sc/README.md
+++ b/modules/vpc-sc/README.md
@@ -233,7 +233,7 @@ module "test" {
         resources           = ["projects/11111", "projects/111111"]
         restricted_services = ["storage.googleapis.com"]
         egress_policies     = ["gcs-sa-foo"]
-        ingress_policies    = ["sa-tf-test"]
+        ingress_policies    = ["sa-tf-test-geo", "sa-tf-test"]
         vpc_accessible_services = {
           allowed_services   = ["storage.googleapis.com"]
           enable_restriction = true
@@ -242,7 +242,7 @@ module "test" {
     }
   }
 }
-# tftest modules=1 resources=3 files=a1,a2,e1,i1 inventory=factory.yaml
+# tftest modules=1 resources=3 files=a1,a2,e1,i1,i2 inventory=factory.yaml
 ```
 
 ```yaml
@@ -282,12 +282,29 @@ from:
     - serviceAccount:test-tf@myproject.iam.gserviceaccount.com
 to:
   operations:
-    - service_name: "*"
+    - service_name: compute.googleapis.com
+      method_selectors:
+        - ProjectsService.Get
+        - RegionsService.Get
   resources:
     - "*"
 # tftest-file id=i1 path=data/ingress-policies/sa-tf-test.yaml
 ```
 
+```yaml
+from:
+  access_levels:
+    - geo-it
+  identities:
+    - serviceAccount:test-tf@myproject.iam.gserviceaccount.com
+to:
+  operations:
+    - service_name: "*"
+  resources:
+    - projects/1234567890
+# tftest-file id=i2 path=data/ingress-policies/sa-tf-test-geo.yaml
+```
+
 ## Notes
 
 - To remove an access level, first remove the binding between perimeter and the access level in `status` and/or `spec` without removing the access level itself. Once you have run `terraform apply`, you'll then be able to remove the access level and run `terraform apply` again.
diff --git a/modules/vpc-sc/factory.tf b/modules/vpc-sc/factory.tf
index eca5867a7e..d8a0a53622 100644
--- a/modules/vpc-sc/factory.tf
+++ b/modules/vpc-sc/factory.tf
@@ -74,7 +74,7 @@ locals {
         }, try(v.from, {}))
         to = {
           operations = [
-            for o in try(v.operations, []) : merge({
+            for o in try(v.to.operations, []) : merge({
               method_selectors     = []
               permission_selectors = []
               service_name         = null
diff --git a/tests/modules/vpc_sc/examples/factory.yaml b/tests/modules/vpc_sc/examples/factory.yaml
index 475c4d1e89..4496566709 100644
--- a/tests/modules/vpc_sc/examples/factory.yaml
+++ b/tests/modules/vpc_sc/examples/factory.yaml
@@ -81,9 +81,27 @@ values:
           - access_level: '*'
             resource: null
         ingress_to:
-        - operations: []
+        - operations:
+          - method_selectors:
+            - method: ProjectsService.Get
+              permission: null
+            - method: RegionsService.Get
+              permission: null
+            service_name: compute.googleapis.com
           resources:
           - '*'
+      - ingress_from:
+        - identities:
+          - serviceAccount:test-tf@myproject.iam.gserviceaccount.com
+          identity_type: null
+          sources:
+          - resource: null
+        ingress_to:
+        - operations:
+          - method_selectors: []
+            service_name: '*'
+          resources:
+          - projects/1234567890
       resources:
       - projects/11111
       - projects/111111

From fdcd309729b6c99f4ce2672e71d64df430529ff8 Mon Sep 17 00:00:00 2001
From: Ludovico Magnocavallo <ludomagno@google.com>
Date: Wed, 1 May 2024 20:20:21 +0200
Subject: [PATCH 12/31] add support for labels to GKE backup plans (#2252)

---
 modules/gke-cluster-autopilot/README.md    | 38 +++++++++----------
 modules/gke-cluster-autopilot/main.tf      |  1 +
 modules/gke-cluster-autopilot/variables.tf |  1 +
 modules/gke-cluster-standard/README.md     | 44 +++++++++++-----------
 modules/gke-cluster-standard/main.tf       |  1 +
 modules/gke-cluster-standard/variables.tf  |  1 +
 6 files changed, 45 insertions(+), 41 deletions(-)

diff --git a/modules/gke-cluster-autopilot/README.md b/modules/gke-cluster-autopilot/README.md
index bf8affbe51..0091d6e04d 100644
--- a/modules/gke-cluster-autopilot/README.md
+++ b/modules/gke-cluster-autopilot/README.md
@@ -206,25 +206,25 @@ module "cluster-1" {
 
 | name | description | type | required | default |
 |---|---|:---:|:---:|:---:|
-| [location](variables.tf#L112) | Autopilot clusters are always regional. | <code>string</code> | ✓ |  |
-| [name](variables.tf#L189) | Cluster name. | <code>string</code> | ✓ |  |
-| [project_id](variables.tf#L225) | Cluster project ID. | <code>string</code> | ✓ |  |
-| [vpc_config](variables.tf#L241) | VPC-level configuration. | <code title="object&#40;&#123;&#10;  network                &#61; string&#10;  subnetwork             &#61; string&#10;  master_ipv4_cidr_block &#61; optional&#40;string&#41;&#10;  secondary_range_blocks &#61; optional&#40;object&#40;&#123;&#10;    pods     &#61; string&#10;    services &#61; string&#10;  &#125;&#41;&#41;&#10;  secondary_range_names &#61; optional&#40;object&#40;&#123;&#10;    pods     &#61; optional&#40;string, &#34;pods&#34;&#41;&#10;    services &#61; optional&#40;string, &#34;services&#34;&#41;&#10;  &#125;&#41;&#41;&#10;  master_authorized_ranges &#61; optional&#40;map&#40;string&#41;&#41;&#10;  stack_type               &#61; optional&#40;string&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | ✓ |  |
-| [backup_configs](variables.tf#L17) | Configuration for Backup for GKE. | <code title="object&#40;&#123;&#10;  enable_backup_agent &#61; optional&#40;bool, false&#41;&#10;  backup_plans &#61; optional&#40;map&#40;object&#40;&#123;&#10;    encryption_key                    &#61; optional&#40;string&#41;&#10;    include_secrets                   &#61; optional&#40;bool, true&#41;&#10;    include_volume_data               &#61; optional&#40;bool, true&#41;&#10;    namespaces                        &#61; optional&#40;list&#40;string&#41;&#41;&#10;    region                            &#61; string&#10;    schedule                          &#61; string&#10;    retention_policy_days             &#61; optional&#40;string&#41;&#10;    retention_policy_lock             &#61; optional&#40;bool, false&#41;&#10;    retention_policy_delete_lock_days &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;, &#123;&#125;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |
-| [deletion_protection](variables.tf#L37) | Whether or not to allow Terraform to destroy the cluster. Unless this field is set to false in Terraform state, a terraform destroy or terraform apply that would delete the cluster will fail. | <code>bool</code> |  | <code>true</code> |
-| [description](variables.tf#L44) | Cluster description. | <code>string</code> |  | <code>null</code> |
-| [enable_addons](variables.tf#L50) | Addons enabled in the cluster (true means enabled). | <code title="object&#40;&#123;&#10;  cloudrun         &#61; optional&#40;bool, false&#41;&#10;  config_connector &#61; optional&#40;bool, false&#41;&#10;  istio &#61; optional&#40;object&#40;&#123;&#10;    enable_tls &#61; bool&#10;  &#125;&#41;&#41;&#10;  kalm &#61; optional&#40;bool, false&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |
-| [enable_features](variables.tf#L64) | Enable cluster-level features. Certain features allow configuration. | <code title="object&#40;&#123;&#10;  beta_apis            &#61; optional&#40;list&#40;string&#41;&#41;&#10;  binary_authorization &#61; optional&#40;bool, false&#41;&#10;  cost_management      &#61; optional&#40;bool, false&#41;&#10;  dns &#61; optional&#40;object&#40;&#123;&#10;    provider &#61; optional&#40;string&#41;&#10;    scope    &#61; optional&#40;string&#41;&#10;    domain   &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;&#10;  database_encryption &#61; optional&#40;object&#40;&#123;&#10;    state    &#61; string&#10;    key_name &#61; string&#10;  &#125;&#41;&#41;&#10;  gateway_api         &#61; optional&#40;bool, false&#41;&#10;  groups_for_rbac     &#61; optional&#40;string&#41;&#10;  l4_ilb_subsetting   &#61; optional&#40;bool, false&#41;&#10;  mesh_certificates   &#61; optional&#40;bool&#41;&#10;  pod_security_policy &#61; optional&#40;bool, false&#41;&#10;  allow_net_admin     &#61; optional&#40;bool, false&#41;&#10;  resource_usage_export &#61; optional&#40;object&#40;&#123;&#10;    dataset                              &#61; string&#10;    enable_network_egress_metering       &#61; optional&#40;bool&#41;&#10;    enable_resource_consumption_metering &#61; optional&#40;bool&#41;&#10;  &#125;&#41;&#41;&#10;  service_external_ips &#61; optional&#40;bool, true&#41;&#10;  tpu                  &#61; optional&#40;bool, false&#41;&#10;  upgrade_notifications &#61; optional&#40;object&#40;&#123;&#10;    topic_id &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;&#10;  vertical_pod_autoscaling &#61; optional&#40;bool, false&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |
-| [issue_client_certificate](variables.tf#L100) | Enable issuing client certificate. | <code>bool</code> |  | <code>false</code> |
-| [labels](variables.tf#L106) | Cluster resource labels. | <code>map&#40;string&#41;</code> |  | <code>null</code> |
-| [logging_config](variables.tf#L117) | Logging configuration. | <code title="object&#40;&#123;&#10;  enable_api_server_logs         &#61; optional&#40;bool, false&#41;&#10;  enable_scheduler_logs          &#61; optional&#40;bool, false&#41;&#10;  enable_controller_manager_logs &#61; optional&#40;bool, false&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |
-| [maintenance_config](variables.tf#L128) | Maintenance window configuration. | <code title="object&#40;&#123;&#10;  daily_window_start_time &#61; optional&#40;string&#41;&#10;  recurring_window &#61; optional&#40;object&#40;&#123;&#10;    start_time &#61; string&#10;    end_time   &#61; string&#10;    recurrence &#61; string&#10;  &#125;&#41;&#41;&#10;  maintenance_exclusions &#61; optional&#40;list&#40;object&#40;&#123;&#10;    name       &#61; string&#10;    start_time &#61; string&#10;    end_time   &#61; string&#10;    scope      &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code title="&#123;&#10;  daily_window_start_time &#61; &#34;03:00&#34;&#10;  recurring_window        &#61; null&#10;  maintenance_exclusion   &#61; &#91;&#93;&#10;&#125;">&#123;&#8230;&#125;</code> |
-| [min_master_version](variables.tf#L151) | Minimum version of the master, defaults to the version of the most recent official release. | <code>string</code> |  | <code>null</code> |
-| [monitoring_config](variables.tf#L157) | Monitoring configuration. System metrics collection cannot be disabled. Control plane metrics are optional. Kube state metrics are optional. Google Cloud Managed Service for Prometheus is enabled by default. | <code title="object&#40;&#123;&#10;  enable_api_server_metrics         &#61; optional&#40;bool, false&#41;&#10;  enable_controller_manager_metrics &#61; optional&#40;bool, false&#41;&#10;  enable_scheduler_metrics          &#61; optional&#40;bool, false&#41;&#10;  enable_daemonset_metrics   &#61; optional&#40;bool, false&#41;&#10;  enable_deployment_metrics  &#61; optional&#40;bool, false&#41;&#10;  enable_hpa_metrics         &#61; optional&#40;bool, false&#41;&#10;  enable_pod_metrics         &#61; optional&#40;bool, false&#41;&#10;  enable_statefulset_metrics &#61; optional&#40;bool, false&#41;&#10;  enable_storage_metrics     &#61; optional&#40;bool, false&#41;&#10;  enable_managed_prometheus &#61; optional&#40;bool, true&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |
-| [node_config](variables.tf#L194) | Configuration for nodes and nodepools. | <code title="object&#40;&#123;&#10;  boot_disk_kms_key &#61; optional&#40;string&#41;&#10;  service_account   &#61; optional&#40;string&#41;&#10;  tags              &#61; optional&#40;list&#40;string&#41;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |
-| [node_locations](variables.tf#L204) | Zones in which the cluster's nodes are located. | <code>list&#40;string&#41;</code> |  | <code>&#91;&#93;</code> |
-| [private_cluster_config](variables.tf#L211) | Private cluster configuration. | <code title="object&#40;&#123;&#10;  enable_private_endpoint &#61; optional&#40;bool&#41;&#10;  master_global_access    &#61; optional&#40;bool&#41;&#10;  peering_config &#61; optional&#40;object&#40;&#123;&#10;    export_routes &#61; optional&#40;bool&#41;&#10;    import_routes &#61; optional&#40;bool&#41;&#10;    project_id    &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |
-| [release_channel](variables.tf#L230) | Release channel for GKE upgrades. Clusters created in the Autopilot mode must use a release channel. Choose between \"RAPID\", \"REGULAR\", and \"STABLE\". | <code>string</code> |  | <code>&#34;REGULAR&#34;</code> |
+| [location](variables.tf#L113) | Autopilot clusters are always regional. | <code>string</code> | ✓ |  |
+| [name](variables.tf#L190) | Cluster name. | <code>string</code> | ✓ |  |
+| [project_id](variables.tf#L226) | Cluster project ID. | <code>string</code> | ✓ |  |
+| [vpc_config](variables.tf#L242) | VPC-level configuration. | <code title="object&#40;&#123;&#10;  network                &#61; string&#10;  subnetwork             &#61; string&#10;  master_ipv4_cidr_block &#61; optional&#40;string&#41;&#10;  secondary_range_blocks &#61; optional&#40;object&#40;&#123;&#10;    pods     &#61; string&#10;    services &#61; string&#10;  &#125;&#41;&#41;&#10;  secondary_range_names &#61; optional&#40;object&#40;&#123;&#10;    pods     &#61; optional&#40;string, &#34;pods&#34;&#41;&#10;    services &#61; optional&#40;string, &#34;services&#34;&#41;&#10;  &#125;&#41;&#41;&#10;  master_authorized_ranges &#61; optional&#40;map&#40;string&#41;&#41;&#10;  stack_type               &#61; optional&#40;string&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | ✓ |  |
+| [backup_configs](variables.tf#L17) | Configuration for Backup for GKE. | <code title="object&#40;&#123;&#10;  enable_backup_agent &#61; optional&#40;bool, false&#41;&#10;  backup_plans &#61; optional&#40;map&#40;object&#40;&#123;&#10;    encryption_key                    &#61; optional&#40;string&#41;&#10;    include_secrets                   &#61; optional&#40;bool, true&#41;&#10;    include_volume_data               &#61; optional&#40;bool, true&#41;&#10;    labels                            &#61; optional&#40;map&#40;string&#41;&#41;&#10;    namespaces                        &#61; optional&#40;list&#40;string&#41;&#41;&#10;    region                            &#61; string&#10;    schedule                          &#61; string&#10;    retention_policy_days             &#61; optional&#40;string&#41;&#10;    retention_policy_lock             &#61; optional&#40;bool, false&#41;&#10;    retention_policy_delete_lock_days &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;, &#123;&#125;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |
+| [deletion_protection](variables.tf#L38) | Whether or not to allow Terraform to destroy the cluster. Unless this field is set to false in Terraform state, a terraform destroy or terraform apply that would delete the cluster will fail. | <code>bool</code> |  | <code>true</code> |
+| [description](variables.tf#L45) | Cluster description. | <code>string</code> |  | <code>null</code> |
+| [enable_addons](variables.tf#L51) | Addons enabled in the cluster (true means enabled). | <code title="object&#40;&#123;&#10;  cloudrun         &#61; optional&#40;bool, false&#41;&#10;  config_connector &#61; optional&#40;bool, false&#41;&#10;  istio &#61; optional&#40;object&#40;&#123;&#10;    enable_tls &#61; bool&#10;  &#125;&#41;&#41;&#10;  kalm &#61; optional&#40;bool, false&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |
+| [enable_features](variables.tf#L65) | Enable cluster-level features. Certain features allow configuration. | <code title="object&#40;&#123;&#10;  beta_apis            &#61; optional&#40;list&#40;string&#41;&#41;&#10;  binary_authorization &#61; optional&#40;bool, false&#41;&#10;  cost_management      &#61; optional&#40;bool, false&#41;&#10;  dns &#61; optional&#40;object&#40;&#123;&#10;    provider &#61; optional&#40;string&#41;&#10;    scope    &#61; optional&#40;string&#41;&#10;    domain   &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;&#10;  database_encryption &#61; optional&#40;object&#40;&#123;&#10;    state    &#61; string&#10;    key_name &#61; string&#10;  &#125;&#41;&#41;&#10;  gateway_api         &#61; optional&#40;bool, false&#41;&#10;  groups_for_rbac     &#61; optional&#40;string&#41;&#10;  l4_ilb_subsetting   &#61; optional&#40;bool, false&#41;&#10;  mesh_certificates   &#61; optional&#40;bool&#41;&#10;  pod_security_policy &#61; optional&#40;bool, false&#41;&#10;  allow_net_admin     &#61; optional&#40;bool, false&#41;&#10;  resource_usage_export &#61; optional&#40;object&#40;&#123;&#10;    dataset                              &#61; string&#10;    enable_network_egress_metering       &#61; optional&#40;bool&#41;&#10;    enable_resource_consumption_metering &#61; optional&#40;bool&#41;&#10;  &#125;&#41;&#41;&#10;  service_external_ips &#61; optional&#40;bool, true&#41;&#10;  tpu                  &#61; optional&#40;bool, false&#41;&#10;  upgrade_notifications &#61; optional&#40;object&#40;&#123;&#10;    topic_id &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;&#10;  vertical_pod_autoscaling &#61; optional&#40;bool, false&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |
+| [issue_client_certificate](variables.tf#L101) | Enable issuing client certificate. | <code>bool</code> |  | <code>false</code> |
+| [labels](variables.tf#L107) | Cluster resource labels. | <code>map&#40;string&#41;</code> |  | <code>null</code> |
+| [logging_config](variables.tf#L118) | Logging configuration. | <code title="object&#40;&#123;&#10;  enable_api_server_logs         &#61; optional&#40;bool, false&#41;&#10;  enable_scheduler_logs          &#61; optional&#40;bool, false&#41;&#10;  enable_controller_manager_logs &#61; optional&#40;bool, false&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |
+| [maintenance_config](variables.tf#L129) | Maintenance window configuration. | <code title="object&#40;&#123;&#10;  daily_window_start_time &#61; optional&#40;string&#41;&#10;  recurring_window &#61; optional&#40;object&#40;&#123;&#10;    start_time &#61; string&#10;    end_time   &#61; string&#10;    recurrence &#61; string&#10;  &#125;&#41;&#41;&#10;  maintenance_exclusions &#61; optional&#40;list&#40;object&#40;&#123;&#10;    name       &#61; string&#10;    start_time &#61; string&#10;    end_time   &#61; string&#10;    scope      &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code title="&#123;&#10;  daily_window_start_time &#61; &#34;03:00&#34;&#10;  recurring_window        &#61; null&#10;  maintenance_exclusion   &#61; &#91;&#93;&#10;&#125;">&#123;&#8230;&#125;</code> |
+| [min_master_version](variables.tf#L152) | Minimum version of the master, defaults to the version of the most recent official release. | <code>string</code> |  | <code>null</code> |
+| [monitoring_config](variables.tf#L158) | Monitoring configuration. System metrics collection cannot be disabled. Control plane metrics are optional. Kube state metrics are optional. Google Cloud Managed Service for Prometheus is enabled by default. | <code title="object&#40;&#123;&#10;  enable_api_server_metrics         &#61; optional&#40;bool, false&#41;&#10;  enable_controller_manager_metrics &#61; optional&#40;bool, false&#41;&#10;  enable_scheduler_metrics          &#61; optional&#40;bool, false&#41;&#10;  enable_daemonset_metrics   &#61; optional&#40;bool, false&#41;&#10;  enable_deployment_metrics  &#61; optional&#40;bool, false&#41;&#10;  enable_hpa_metrics         &#61; optional&#40;bool, false&#41;&#10;  enable_pod_metrics         &#61; optional&#40;bool, false&#41;&#10;  enable_statefulset_metrics &#61; optional&#40;bool, false&#41;&#10;  enable_storage_metrics     &#61; optional&#40;bool, false&#41;&#10;  enable_managed_prometheus &#61; optional&#40;bool, true&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |
+| [node_config](variables.tf#L195) | Configuration for nodes and nodepools. | <code title="object&#40;&#123;&#10;  boot_disk_kms_key &#61; optional&#40;string&#41;&#10;  service_account   &#61; optional&#40;string&#41;&#10;  tags              &#61; optional&#40;list&#40;string&#41;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |
+| [node_locations](variables.tf#L205) | Zones in which the cluster's nodes are located. | <code>list&#40;string&#41;</code> |  | <code>&#91;&#93;</code> |
+| [private_cluster_config](variables.tf#L212) | Private cluster configuration. | <code title="object&#40;&#123;&#10;  enable_private_endpoint &#61; optional&#40;bool&#41;&#10;  master_global_access    &#61; optional&#40;bool&#41;&#10;  peering_config &#61; optional&#40;object&#40;&#123;&#10;    export_routes &#61; optional&#40;bool&#41;&#10;    import_routes &#61; optional&#40;bool&#41;&#10;    project_id    &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |
+| [release_channel](variables.tf#L231) | Release channel for GKE upgrades. Clusters created in the Autopilot mode must use a release channel. Choose between \"RAPID\", \"REGULAR\", and \"STABLE\". | <code>string</code> |  | <code>&#34;REGULAR&#34;</code> |
 
 ## Outputs
 
diff --git a/modules/gke-cluster-autopilot/main.tf b/modules/gke-cluster-autopilot/main.tf
index 825c8739e5..6824d22309 100644
--- a/modules/gke-cluster-autopilot/main.tf
+++ b/modules/gke-cluster-autopilot/main.tf
@@ -322,6 +322,7 @@ resource "google_gke_backup_backup_plan" "backup_plan" {
   cluster  = google_container_cluster.cluster.id
   location = each.value.region
   project  = var.project_id
+  labels   = each.value.labels
   retention_policy {
     backup_delete_lock_days = try(each.value.retention_policy_delete_lock_days)
     backup_retain_days      = try(each.value.retention_policy_days)
diff --git a/modules/gke-cluster-autopilot/variables.tf b/modules/gke-cluster-autopilot/variables.tf
index 570899274e..a31596a6e6 100644
--- a/modules/gke-cluster-autopilot/variables.tf
+++ b/modules/gke-cluster-autopilot/variables.tf
@@ -22,6 +22,7 @@ variable "backup_configs" {
       encryption_key                    = optional(string)
       include_secrets                   = optional(bool, true)
       include_volume_data               = optional(bool, true)
+      labels                            = optional(map(string))
       namespaces                        = optional(list(string))
       region                            = string
       schedule                          = string
diff --git a/modules/gke-cluster-standard/README.md b/modules/gke-cluster-standard/README.md
index c53017267f..dd8ad0f444 100644
--- a/modules/gke-cluster-standard/README.md
+++ b/modules/gke-cluster-standard/README.md
@@ -310,28 +310,28 @@ module "cluster-1" {
 
 | name | description | type | required | default |
 |---|---|:---:|:---:|:---:|
-| [location](variables.tf#L234) | Cluster zone or region. | <code>string</code> | ✓ |  |
-| [name](variables.tf#L369) | Cluster name. | <code>string</code> | ✓ |  |
-| [project_id](variables.tf#L405) | Cluster project id. | <code>string</code> | ✓ |  |
-| [vpc_config](variables.tf#L416) | VPC-level configuration. | <code title="object&#40;&#123;&#10;  network                &#61; string&#10;  subnetwork             &#61; string&#10;  master_ipv4_cidr_block &#61; optional&#40;string&#41;&#10;  secondary_range_blocks &#61; optional&#40;object&#40;&#123;&#10;    pods     &#61; string&#10;    services &#61; string&#10;  &#125;&#41;&#41;&#10;  secondary_range_names &#61; optional&#40;object&#40;&#123;&#10;    pods     &#61; optional&#40;string, &#34;pods&#34;&#41;&#10;    services &#61; optional&#40;string, &#34;services&#34;&#41;&#10;  &#125;&#41;&#41;&#10;  master_authorized_ranges &#61; optional&#40;map&#40;string&#41;&#41;&#10;  stack_type               &#61; optional&#40;string&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | ✓ |  |
-| [backup_configs](variables.tf#L17) | Configuration for Backup for GKE. | <code title="object&#40;&#123;&#10;  enable_backup_agent &#61; optional&#40;bool, false&#41;&#10;  backup_plans &#61; optional&#40;map&#40;object&#40;&#123;&#10;    region                            &#61; string&#10;    applications                      &#61; optional&#40;map&#40;list&#40;string&#41;&#41;&#41;&#10;    encryption_key                    &#61; optional&#40;string&#41;&#10;    include_secrets                   &#61; optional&#40;bool, true&#41;&#10;    include_volume_data               &#61; optional&#40;bool, true&#41;&#10;    namespaces                        &#61; optional&#40;list&#40;string&#41;&#41;&#10;    schedule                          &#61; optional&#40;string&#41;&#10;    retention_policy_days             &#61; optional&#40;number&#41;&#10;    retention_policy_lock             &#61; optional&#40;bool, false&#41;&#10;    retention_policy_delete_lock_days &#61; optional&#40;number&#41;&#10;  &#125;&#41;&#41;, &#123;&#125;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |
-| [cluster_autoscaling](variables.tf#L38) | Enable and configure limits for Node Auto-Provisioning with Cluster Autoscaler. | <code title="object&#40;&#123;&#10;  enabled             &#61; optional&#40;bool, true&#41;&#10;  autoscaling_profile &#61; optional&#40;string, &#34;BALANCED&#34;&#41;&#10;  auto_provisioning_defaults &#61; optional&#40;object&#40;&#123;&#10;    boot_disk_kms_key &#61; optional&#40;string&#41;&#10;    disk_size         &#61; optional&#40;number&#41;&#10;    disk_type         &#61; optional&#40;string, &#34;pd-standard&#34;&#41;&#10;    image_type        &#61; optional&#40;string&#41;&#10;    oauth_scopes      &#61; optional&#40;list&#40;string&#41;&#41;&#10;    service_account   &#61; optional&#40;string&#41;&#10;    management &#61; optional&#40;object&#40;&#123;&#10;      auto_repair  &#61; optional&#40;bool, true&#41;&#10;      auto_upgrade &#61; optional&#40;bool, true&#41;&#10;    &#125;&#41;&#41;&#10;    shielded_instance_config &#61; optional&#40;object&#40;&#123;&#10;      integrity_monitoring &#61; optional&#40;bool, true&#41;&#10;      secure_boot          &#61; optional&#40;bool, false&#41;&#10;    &#125;&#41;&#41;&#10;    upgrade_settings &#61; optional&#40;object&#40;&#123;&#10;      blue_green &#61; optional&#40;object&#40;&#123;&#10;        node_pool_soak_duration &#61; optional&#40;string&#41;&#10;        standard_rollout_policy &#61; optional&#40;object&#40;&#123;&#10;          batch_percentage    &#61; optional&#40;number&#41;&#10;          batch_node_count    &#61; optional&#40;number&#41;&#10;          batch_soak_duration &#61; optional&#40;string&#41;&#10;        &#125;&#41;&#41;&#10;      &#125;&#41;&#41;&#10;      surge &#61; optional&#40;object&#40;&#123;&#10;        max         &#61; optional&#40;number&#41;&#10;        unavailable &#61; optional&#40;number&#41;&#10;      &#125;&#41;&#41;&#10;    &#125;&#41;&#41;&#10;  &#125;&#41;&#41;&#10;  cpu_limits &#61; optional&#40;object&#40;&#123;&#10;    min &#61; number&#10;    max &#61; number&#10;  &#125;&#41;&#41;&#10;  mem_limits &#61; optional&#40;object&#40;&#123;&#10;    min &#61; number&#10;    max &#61; number&#10;  &#125;&#41;&#41;&#10;  gpu_resources &#61; optional&#40;list&#40;object&#40;&#123;&#10;    resource_type &#61; string&#10;    min           &#61; number&#10;    max           &#61; number&#10;  &#125;&#41;&#41;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |
-| [default_nodepool](variables.tf#L117) | Enable default nodepool. | <code title="object&#40;&#123;&#10;  remove_pool        &#61; optional&#40;bool, true&#41;&#10;  initial_node_count &#61; optional&#40;number, 1&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |
-| [deletion_protection](variables.tf#L135) | Whether or not to allow Terraform to destroy the cluster. Unless this field is set to false in Terraform state, a terraform destroy or terraform apply that would delete the cluster will fail. | <code>bool</code> |  | <code>true</code> |
-| [description](variables.tf#L142) | Cluster description. | <code>string</code> |  | <code>null</code> |
-| [enable_addons](variables.tf#L148) | Addons enabled in the cluster (true means enabled). | <code title="object&#40;&#123;&#10;  cloudrun                       &#61; optional&#40;bool, false&#41;&#10;  config_connector               &#61; optional&#40;bool, false&#41;&#10;  dns_cache                      &#61; optional&#40;bool, false&#41;&#10;  gce_persistent_disk_csi_driver &#61; optional&#40;bool, false&#41;&#10;  gcp_filestore_csi_driver       &#61; optional&#40;bool, false&#41;&#10;  gcs_fuse_csi_driver            &#61; optional&#40;bool, false&#41;&#10;  horizontal_pod_autoscaling     &#61; optional&#40;bool, false&#41;&#10;  http_load_balancing            &#61; optional&#40;bool, false&#41;&#10;  istio &#61; optional&#40;object&#40;&#123;&#10;    enable_tls &#61; bool&#10;  &#125;&#41;&#41;&#10;  kalm           &#61; optional&#40;bool, false&#41;&#10;  network_policy &#61; optional&#40;bool, false&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code title="&#123;&#10;  horizontal_pod_autoscaling &#61; true&#10;  http_load_balancing        &#61; true&#10;&#125;">&#123;&#8230;&#125;</code> |
-| [enable_features](variables.tf#L172) | Enable cluster-level features. Certain features allow configuration. | <code title="object&#40;&#123;&#10;  beta_apis                         &#61; optional&#40;list&#40;string&#41;&#41;&#10;  binary_authorization              &#61; optional&#40;bool, false&#41;&#10;  cilium_clusterwide_network_policy &#61; optional&#40;bool, false&#41;&#10;  cost_management                   &#61; optional&#40;bool, false&#41;&#10;  dns &#61; optional&#40;object&#40;&#123;&#10;    provider &#61; optional&#40;string&#41;&#10;    scope    &#61; optional&#40;string&#41;&#10;    domain   &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;&#10;  database_encryption &#61; optional&#40;object&#40;&#123;&#10;    state    &#61; string&#10;    key_name &#61; string&#10;  &#125;&#41;&#41;&#10;  dataplane_v2         &#61; optional&#40;bool, false&#41;&#10;  fqdn_network_policy  &#61; optional&#40;bool, false&#41;&#10;  gateway_api          &#61; optional&#40;bool, false&#41;&#10;  groups_for_rbac      &#61; optional&#40;string&#41;&#10;  image_streaming      &#61; optional&#40;bool, false&#41;&#10;  intranode_visibility &#61; optional&#40;bool, false&#41;&#10;  l4_ilb_subsetting    &#61; optional&#40;bool, false&#41;&#10;  mesh_certificates    &#61; optional&#40;bool&#41;&#10;  pod_security_policy  &#61; optional&#40;bool, false&#41;&#10;  resource_usage_export &#61; optional&#40;object&#40;&#123;&#10;    dataset                              &#61; string&#10;    enable_network_egress_metering       &#61; optional&#40;bool&#41;&#10;    enable_resource_consumption_metering &#61; optional&#40;bool&#41;&#10;  &#125;&#41;&#41;&#10;  service_external_ips &#61; optional&#40;bool, true&#41;&#10;  shielded_nodes       &#61; optional&#40;bool, false&#41;&#10;  tpu                  &#61; optional&#40;bool, false&#41;&#10;  upgrade_notifications &#61; optional&#40;object&#40;&#123;&#10;    topic_id &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;&#10;  vertical_pod_autoscaling &#61; optional&#40;bool, false&#41;&#10;  workload_identity        &#61; optional&#40;bool, true&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code title="&#123;&#10;  workload_identity &#61; true&#10;&#125;">&#123;&#8230;&#125;</code> |
-| [issue_client_certificate](variables.tf#L222) | Enable issuing client certificate. | <code>bool</code> |  | <code>false</code> |
-| [labels](variables.tf#L228) | Cluster resource labels. | <code>map&#40;string&#41;</code> |  | <code>null</code> |
-| [logging_config](variables.tf#L239) | Logging configuration. | <code title="object&#40;&#123;&#10;  enable_system_logs             &#61; optional&#40;bool, true&#41;&#10;  enable_workloads_logs          &#61; optional&#40;bool, false&#41;&#10;  enable_api_server_logs         &#61; optional&#40;bool, false&#41;&#10;  enable_scheduler_logs          &#61; optional&#40;bool, false&#41;&#10;  enable_controller_manager_logs &#61; optional&#40;bool, false&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |
-| [maintenance_config](variables.tf#L260) | Maintenance window configuration. | <code title="object&#40;&#123;&#10;  daily_window_start_time &#61; optional&#40;string&#41;&#10;  recurring_window &#61; optional&#40;object&#40;&#123;&#10;    start_time &#61; string&#10;    end_time   &#61; string&#10;    recurrence &#61; string&#10;  &#125;&#41;&#41;&#10;  maintenance_exclusions &#61; optional&#40;list&#40;object&#40;&#123;&#10;    name       &#61; string&#10;    start_time &#61; string&#10;    end_time   &#61; string&#10;    scope      &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code title="&#123;&#10;  daily_window_start_time &#61; &#34;03:00&#34;&#10;  recurring_window        &#61; null&#10;  maintenance_exclusion   &#61; &#91;&#93;&#10;&#125;">&#123;&#8230;&#125;</code> |
-| [max_pods_per_node](variables.tf#L283) | Maximum number of pods per node in this cluster. | <code>number</code> |  | <code>110</code> |
-| [min_master_version](variables.tf#L289) | Minimum version of the master, defaults to the version of the most recent official release. | <code>string</code> |  | <code>null</code> |
-| [monitoring_config](variables.tf#L295) | Monitoring configuration. Google Cloud Managed Service for Prometheus is enabled by default. | <code title="object&#40;&#123;&#10;  enable_system_metrics &#61; optional&#40;bool, true&#41;&#10;  enable_api_server_metrics         &#61; optional&#40;bool, false&#41;&#10;  enable_controller_manager_metrics &#61; optional&#40;bool, false&#41;&#10;  enable_scheduler_metrics          &#61; optional&#40;bool, false&#41;&#10;  enable_daemonset_metrics   &#61; optional&#40;bool, false&#41;&#10;  enable_deployment_metrics  &#61; optional&#40;bool, false&#41;&#10;  enable_hpa_metrics         &#61; optional&#40;bool, false&#41;&#10;  enable_pod_metrics         &#61; optional&#40;bool, false&#41;&#10;  enable_statefulset_metrics &#61; optional&#40;bool, false&#41;&#10;  enable_storage_metrics     &#61; optional&#40;bool, false&#41;&#10;  enable_managed_prometheus &#61; optional&#40;bool, true&#41;&#10;  advanced_datapath_observability &#61; optional&#40;object&#40;&#123;&#10;    enable_metrics &#61; bool&#10;    enable_relay   &#61; optional&#40;bool&#41;&#10;    relay_mode     &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |
-| [node_config](variables.tf#L374) | Node-level configuration. | <code title="object&#40;&#123;&#10;  boot_disk_kms_key &#61; optional&#40;string&#41;&#10;  service_account   &#61; optional&#40;string&#41;&#10;  tags              &#61; optional&#40;list&#40;string&#41;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |
-| [node_locations](variables.tf#L384) | Zones in which the cluster's nodes are located. | <code>list&#40;string&#41;</code> |  | <code>&#91;&#93;</code> |
-| [private_cluster_config](variables.tf#L391) | Private cluster configuration. | <code title="object&#40;&#123;&#10;  enable_private_endpoint &#61; optional&#40;bool&#41;&#10;  master_global_access    &#61; optional&#40;bool&#41;&#10;  peering_config &#61; optional&#40;object&#40;&#123;&#10;    export_routes &#61; optional&#40;bool&#41;&#10;    import_routes &#61; optional&#40;bool&#41;&#10;    project_id    &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |
-| [release_channel](variables.tf#L410) | Release channel for GKE upgrades. | <code>string</code> |  | <code>null</code> |
+| [location](variables.tf#L235) | Cluster zone or region. | <code>string</code> | ✓ |  |
+| [name](variables.tf#L370) | Cluster name. | <code>string</code> | ✓ |  |
+| [project_id](variables.tf#L406) | Cluster project id. | <code>string</code> | ✓ |  |
+| [vpc_config](variables.tf#L417) | VPC-level configuration. | <code title="object&#40;&#123;&#10;  network                &#61; string&#10;  subnetwork             &#61; string&#10;  master_ipv4_cidr_block &#61; optional&#40;string&#41;&#10;  secondary_range_blocks &#61; optional&#40;object&#40;&#123;&#10;    pods     &#61; string&#10;    services &#61; string&#10;  &#125;&#41;&#41;&#10;  secondary_range_names &#61; optional&#40;object&#40;&#123;&#10;    pods     &#61; optional&#40;string, &#34;pods&#34;&#41;&#10;    services &#61; optional&#40;string, &#34;services&#34;&#41;&#10;  &#125;&#41;&#41;&#10;  master_authorized_ranges &#61; optional&#40;map&#40;string&#41;&#41;&#10;  stack_type               &#61; optional&#40;string&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | ✓ |  |
+| [backup_configs](variables.tf#L17) | Configuration for Backup for GKE. | <code title="object&#40;&#123;&#10;  enable_backup_agent &#61; optional&#40;bool, false&#41;&#10;  backup_plans &#61; optional&#40;map&#40;object&#40;&#123;&#10;    region                            &#61; string&#10;    applications                      &#61; optional&#40;map&#40;list&#40;string&#41;&#41;&#41;&#10;    encryption_key                    &#61; optional&#40;string&#41;&#10;    include_secrets                   &#61; optional&#40;bool, true&#41;&#10;    include_volume_data               &#61; optional&#40;bool, true&#41;&#10;    labels                            &#61; optional&#40;map&#40;string&#41;&#41;&#10;    namespaces                        &#61; optional&#40;list&#40;string&#41;&#41;&#10;    schedule                          &#61; optional&#40;string&#41;&#10;    retention_policy_days             &#61; optional&#40;number&#41;&#10;    retention_policy_lock             &#61; optional&#40;bool, false&#41;&#10;    retention_policy_delete_lock_days &#61; optional&#40;number&#41;&#10;  &#125;&#41;&#41;, &#123;&#125;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |
+| [cluster_autoscaling](variables.tf#L39) | Enable and configure limits for Node Auto-Provisioning with Cluster Autoscaler. | <code title="object&#40;&#123;&#10;  enabled             &#61; optional&#40;bool, true&#41;&#10;  autoscaling_profile &#61; optional&#40;string, &#34;BALANCED&#34;&#41;&#10;  auto_provisioning_defaults &#61; optional&#40;object&#40;&#123;&#10;    boot_disk_kms_key &#61; optional&#40;string&#41;&#10;    disk_size         &#61; optional&#40;number&#41;&#10;    disk_type         &#61; optional&#40;string, &#34;pd-standard&#34;&#41;&#10;    image_type        &#61; optional&#40;string&#41;&#10;    oauth_scopes      &#61; optional&#40;list&#40;string&#41;&#41;&#10;    service_account   &#61; optional&#40;string&#41;&#10;    management &#61; optional&#40;object&#40;&#123;&#10;      auto_repair  &#61; optional&#40;bool, true&#41;&#10;      auto_upgrade &#61; optional&#40;bool, true&#41;&#10;    &#125;&#41;&#41;&#10;    shielded_instance_config &#61; optional&#40;object&#40;&#123;&#10;      integrity_monitoring &#61; optional&#40;bool, true&#41;&#10;      secure_boot          &#61; optional&#40;bool, false&#41;&#10;    &#125;&#41;&#41;&#10;    upgrade_settings &#61; optional&#40;object&#40;&#123;&#10;      blue_green &#61; optional&#40;object&#40;&#123;&#10;        node_pool_soak_duration &#61; optional&#40;string&#41;&#10;        standard_rollout_policy &#61; optional&#40;object&#40;&#123;&#10;          batch_percentage    &#61; optional&#40;number&#41;&#10;          batch_node_count    &#61; optional&#40;number&#41;&#10;          batch_soak_duration &#61; optional&#40;string&#41;&#10;        &#125;&#41;&#41;&#10;      &#125;&#41;&#41;&#10;      surge &#61; optional&#40;object&#40;&#123;&#10;        max         &#61; optional&#40;number&#41;&#10;        unavailable &#61; optional&#40;number&#41;&#10;      &#125;&#41;&#41;&#10;    &#125;&#41;&#41;&#10;  &#125;&#41;&#41;&#10;  cpu_limits &#61; optional&#40;object&#40;&#123;&#10;    min &#61; number&#10;    max &#61; number&#10;  &#125;&#41;&#41;&#10;  mem_limits &#61; optional&#40;object&#40;&#123;&#10;    min &#61; number&#10;    max &#61; number&#10;  &#125;&#41;&#41;&#10;  gpu_resources &#61; optional&#40;list&#40;object&#40;&#123;&#10;    resource_type &#61; string&#10;    min           &#61; number&#10;    max           &#61; number&#10;  &#125;&#41;&#41;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |
+| [default_nodepool](variables.tf#L118) | Enable default nodepool. | <code title="object&#40;&#123;&#10;  remove_pool        &#61; optional&#40;bool, true&#41;&#10;  initial_node_count &#61; optional&#40;number, 1&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |
+| [deletion_protection](variables.tf#L136) | Whether or not to allow Terraform to destroy the cluster. Unless this field is set to false in Terraform state, a terraform destroy or terraform apply that would delete the cluster will fail. | <code>bool</code> |  | <code>true</code> |
+| [description](variables.tf#L143) | Cluster description. | <code>string</code> |  | <code>null</code> |
+| [enable_addons](variables.tf#L149) | Addons enabled in the cluster (true means enabled). | <code title="object&#40;&#123;&#10;  cloudrun                       &#61; optional&#40;bool, false&#41;&#10;  config_connector               &#61; optional&#40;bool, false&#41;&#10;  dns_cache                      &#61; optional&#40;bool, false&#41;&#10;  gce_persistent_disk_csi_driver &#61; optional&#40;bool, false&#41;&#10;  gcp_filestore_csi_driver       &#61; optional&#40;bool, false&#41;&#10;  gcs_fuse_csi_driver            &#61; optional&#40;bool, false&#41;&#10;  horizontal_pod_autoscaling     &#61; optional&#40;bool, false&#41;&#10;  http_load_balancing            &#61; optional&#40;bool, false&#41;&#10;  istio &#61; optional&#40;object&#40;&#123;&#10;    enable_tls &#61; bool&#10;  &#125;&#41;&#41;&#10;  kalm           &#61; optional&#40;bool, false&#41;&#10;  network_policy &#61; optional&#40;bool, false&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code title="&#123;&#10;  horizontal_pod_autoscaling &#61; true&#10;  http_load_balancing        &#61; true&#10;&#125;">&#123;&#8230;&#125;</code> |
+| [enable_features](variables.tf#L173) | Enable cluster-level features. Certain features allow configuration. | <code title="object&#40;&#123;&#10;  beta_apis                         &#61; optional&#40;list&#40;string&#41;&#41;&#10;  binary_authorization              &#61; optional&#40;bool, false&#41;&#10;  cilium_clusterwide_network_policy &#61; optional&#40;bool, false&#41;&#10;  cost_management                   &#61; optional&#40;bool, false&#41;&#10;  dns &#61; optional&#40;object&#40;&#123;&#10;    provider &#61; optional&#40;string&#41;&#10;    scope    &#61; optional&#40;string&#41;&#10;    domain   &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;&#10;  database_encryption &#61; optional&#40;object&#40;&#123;&#10;    state    &#61; string&#10;    key_name &#61; string&#10;  &#125;&#41;&#41;&#10;  dataplane_v2         &#61; optional&#40;bool, false&#41;&#10;  fqdn_network_policy  &#61; optional&#40;bool, false&#41;&#10;  gateway_api          &#61; optional&#40;bool, false&#41;&#10;  groups_for_rbac      &#61; optional&#40;string&#41;&#10;  image_streaming      &#61; optional&#40;bool, false&#41;&#10;  intranode_visibility &#61; optional&#40;bool, false&#41;&#10;  l4_ilb_subsetting    &#61; optional&#40;bool, false&#41;&#10;  mesh_certificates    &#61; optional&#40;bool&#41;&#10;  pod_security_policy  &#61; optional&#40;bool, false&#41;&#10;  resource_usage_export &#61; optional&#40;object&#40;&#123;&#10;    dataset                              &#61; string&#10;    enable_network_egress_metering       &#61; optional&#40;bool&#41;&#10;    enable_resource_consumption_metering &#61; optional&#40;bool&#41;&#10;  &#125;&#41;&#41;&#10;  service_external_ips &#61; optional&#40;bool, true&#41;&#10;  shielded_nodes       &#61; optional&#40;bool, false&#41;&#10;  tpu                  &#61; optional&#40;bool, false&#41;&#10;  upgrade_notifications &#61; optional&#40;object&#40;&#123;&#10;    topic_id &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;&#10;  vertical_pod_autoscaling &#61; optional&#40;bool, false&#41;&#10;  workload_identity        &#61; optional&#40;bool, true&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code title="&#123;&#10;  workload_identity &#61; true&#10;&#125;">&#123;&#8230;&#125;</code> |
+| [issue_client_certificate](variables.tf#L223) | Enable issuing client certificate. | <code>bool</code> |  | <code>false</code> |
+| [labels](variables.tf#L229) | Cluster resource labels. | <code>map&#40;string&#41;</code> |  | <code>null</code> |
+| [logging_config](variables.tf#L240) | Logging configuration. | <code title="object&#40;&#123;&#10;  enable_system_logs             &#61; optional&#40;bool, true&#41;&#10;  enable_workloads_logs          &#61; optional&#40;bool, false&#41;&#10;  enable_api_server_logs         &#61; optional&#40;bool, false&#41;&#10;  enable_scheduler_logs          &#61; optional&#40;bool, false&#41;&#10;  enable_controller_manager_logs &#61; optional&#40;bool, false&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |
+| [maintenance_config](variables.tf#L261) | Maintenance window configuration. | <code title="object&#40;&#123;&#10;  daily_window_start_time &#61; optional&#40;string&#41;&#10;  recurring_window &#61; optional&#40;object&#40;&#123;&#10;    start_time &#61; string&#10;    end_time   &#61; string&#10;    recurrence &#61; string&#10;  &#125;&#41;&#41;&#10;  maintenance_exclusions &#61; optional&#40;list&#40;object&#40;&#123;&#10;    name       &#61; string&#10;    start_time &#61; string&#10;    end_time   &#61; string&#10;    scope      &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code title="&#123;&#10;  daily_window_start_time &#61; &#34;03:00&#34;&#10;  recurring_window        &#61; null&#10;  maintenance_exclusion   &#61; &#91;&#93;&#10;&#125;">&#123;&#8230;&#125;</code> |
+| [max_pods_per_node](variables.tf#L284) | Maximum number of pods per node in this cluster. | <code>number</code> |  | <code>110</code> |
+| [min_master_version](variables.tf#L290) | Minimum version of the master, defaults to the version of the most recent official release. | <code>string</code> |  | <code>null</code> |
+| [monitoring_config](variables.tf#L296) | Monitoring configuration. Google Cloud Managed Service for Prometheus is enabled by default. | <code title="object&#40;&#123;&#10;  enable_system_metrics &#61; optional&#40;bool, true&#41;&#10;  enable_api_server_metrics         &#61; optional&#40;bool, false&#41;&#10;  enable_controller_manager_metrics &#61; optional&#40;bool, false&#41;&#10;  enable_scheduler_metrics          &#61; optional&#40;bool, false&#41;&#10;  enable_daemonset_metrics   &#61; optional&#40;bool, false&#41;&#10;  enable_deployment_metrics  &#61; optional&#40;bool, false&#41;&#10;  enable_hpa_metrics         &#61; optional&#40;bool, false&#41;&#10;  enable_pod_metrics         &#61; optional&#40;bool, false&#41;&#10;  enable_statefulset_metrics &#61; optional&#40;bool, false&#41;&#10;  enable_storage_metrics     &#61; optional&#40;bool, false&#41;&#10;  enable_managed_prometheus &#61; optional&#40;bool, true&#41;&#10;  advanced_datapath_observability &#61; optional&#40;object&#40;&#123;&#10;    enable_metrics &#61; bool&#10;    enable_relay   &#61; optional&#40;bool&#41;&#10;    relay_mode     &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |
+| [node_config](variables.tf#L375) | Node-level configuration. | <code title="object&#40;&#123;&#10;  boot_disk_kms_key &#61; optional&#40;string&#41;&#10;  service_account   &#61; optional&#40;string&#41;&#10;  tags              &#61; optional&#40;list&#40;string&#41;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |
+| [node_locations](variables.tf#L385) | Zones in which the cluster's nodes are located. | <code>list&#40;string&#41;</code> |  | <code>&#91;&#93;</code> |
+| [private_cluster_config](variables.tf#L392) | Private cluster configuration. | <code title="object&#40;&#123;&#10;  enable_private_endpoint &#61; optional&#40;bool&#41;&#10;  master_global_access    &#61; optional&#40;bool&#41;&#10;  peering_config &#61; optional&#40;object&#40;&#123;&#10;    export_routes &#61; optional&#40;bool&#41;&#10;    import_routes &#61; optional&#40;bool&#41;&#10;    project_id    &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |
+| [release_channel](variables.tf#L411) | Release channel for GKE upgrades. | <code>string</code> |  | <code>null</code> |
 
 ## Outputs
 
diff --git a/modules/gke-cluster-standard/main.tf b/modules/gke-cluster-standard/main.tf
index 99db49f80d..bc743fc5ce 100644
--- a/modules/gke-cluster-standard/main.tf
+++ b/modules/gke-cluster-standard/main.tf
@@ -511,6 +511,7 @@ resource "google_gke_backup_backup_plan" "backup_plan" {
   cluster  = google_container_cluster.cluster.id
   location = each.value.region
   project  = var.project_id
+  labels   = each.value.labels
   retention_policy {
     backup_delete_lock_days = try(each.value.retention_policy_delete_lock_days)
     backup_retain_days      = try(each.value.retention_policy_days)
diff --git a/modules/gke-cluster-standard/variables.tf b/modules/gke-cluster-standard/variables.tf
index 5580320f8f..2436b467cd 100644
--- a/modules/gke-cluster-standard/variables.tf
+++ b/modules/gke-cluster-standard/variables.tf
@@ -24,6 +24,7 @@ variable "backup_configs" {
       encryption_key                    = optional(string)
       include_secrets                   = optional(bool, true)
       include_volume_data               = optional(bool, true)
+      labels                            = optional(map(string))
       namespaces                        = optional(list(string))
       schedule                          = optional(string)
       retention_policy_days             = optional(number)

From dccf5735c58f26fb08814eff7845ebab1297ac30 Mon Sep 17 00:00:00 2001
From: simonebruzzechesse
 <60114646+simonebruzzechesse@users.noreply.github.com>
Date: Thu, 2 May 2024 08:09:10 +0200
Subject: [PATCH 13/31] fis issues with private workstation-cluster module and
 persistent_directories (#2247)

Co-authored-by: Ludovico Magnocavallo <ludomagno@google.com>
---
 modules/workstation-cluster/README.md |  3 +++
 modules/workstation-cluster/main.tf   | 21 ++++++++++++++++++---
 2 files changed, 21 insertions(+), 3 deletions(-)

diff --git a/modules/workstation-cluster/README.md b/modules/workstation-cluster/README.md
index cf45451479..05a0acdea2 100644
--- a/modules/workstation-cluster/README.md
+++ b/modules/workstation-cluster/README.md
@@ -59,6 +59,9 @@ module "workstation-cluster" {
   }
   workstation_configs = {
     my-workstation-config = {
+      gce_instance = {
+        disable_public_ip_addresses = true
+      }
       workstations = {
         my-workstation = {
           labels = {
diff --git a/modules/workstation-cluster/main.tf b/modules/workstation-cluster/main.tf
index 07399df4c8..b26a9fe579 100644
--- a/modules/workstation-cluster/main.tf
+++ b/modules/workstation-cluster/main.tf
@@ -70,8 +70,8 @@ resource "google_workstations_workstation_config" "configs" {
         pool_size                    = each.value.gce_instance.pool_size
         boot_disk_size_gb            = each.value.gce_instance.boot_disk_size_gb
         tags                         = each.value.gce_instance.tags
-        disable_public_ip_addresses  = each.value.disable_public_ip_addresses
-        enable_nested_virtualization = each.value.enable_nested_virtualization
+        disable_public_ip_addresses  = each.value.gce_instance.disable_public_ip_addresses
+        enable_nested_virtualization = each.value.gce_instance.enable_nested_virtualization
         dynamic "shielded_instance_config" {
           for_each = each.value.gce_instance.shielded_instance_config == null ? [] : [""]
           content {
@@ -81,7 +81,7 @@ resource "google_workstations_workstation_config" "configs" {
           }
         }
         dynamic "confidential_instance_config" {
-          for_each = each.value.gce_instance.enable_confidential_compute ? [] : [""]
+          for_each = each.value.gce_instance.enable_confidential_compute ? [""] : []
           content {
             enable_confidential_compute = true
           }
@@ -114,6 +114,21 @@ resource "google_workstations_workstation_config" "configs" {
       kms_key_service_account = each.value.encryption_key.kms_key_service_account
     }
   }
+  dynamic "persistent_directories" {
+    for_each = each.value.persistent_directories
+    content {
+      mount_path = persistent_directories.value.mount_path
+      dynamic "gce_pd" {
+        for_each = persistent_directories.value.gce_pd == null ? [] : [""]
+        content {
+          size_gb        = persistent_directories.value.gce_pd.size_gb
+          fs_type        = persistent_directories.value.gce_pd.fs_type
+          disk_type      = persistent_directories.value.gce_pd.disk_type
+          reclaim_policy = persistent_directories.value.gce_pd.reclaim_policy
+        }
+      }
+    }
+  }
 }
 
 resource "google_workstations_workstation" "workstations" {

From 94c32c1d71e96d8332b8e74f71045aa4e4b5e0a6 Mon Sep 17 00:00:00 2001
From: Julio Castillo <jccb@google.com>
Date: Thu, 2 May 2024 08:56:26 +0200
Subject: [PATCH 14/31] Misc FAST fixes (#2253)

* Misc FAST fixes

* Fix readme

* Fix FAST nva bgp tests
---
 .../0-bootstrap-tenant/README.md              |  2 +-
 .../0-bootstrap-tenant/variables.tf           |  4 ++--
 fast/stages/0-bootstrap/README.md             | 18 +++++++++++++--
 fast/stages/0-bootstrap/variables.tf          |  2 +-
 fast/stages/1-resman/README.md                | 22 +++++++++----------
 fast/stages/1-resman/outputs.tf               |  2 +-
 fast/stages/1-resman/variables.tf             | 17 +++++---------
 .../data/hierarchical-ingress-rules.yaml      |  4 ++--
 .../data/hierarchical-ingress-rules.yaml      |  4 ++--
 .../data/hierarchical-ingress-rules.yaml      |  4 ++--
 .../data/hierarchical-ingress-rules.yaml      |  4 ++--
 .../data/hierarchical-ingress-rules.yaml      |  4 ++--
 tests/fast/stages/s0_bootstrap/checklist.yaml | 22 +++++++++----------
 tests/fast/stages/s0_bootstrap/simple.yaml    |  2 +-
 tests/fast/stages/s1_resman/checklist.tfvars  |  2 +-
 tests/fast/stages/s1_resman/simple.tfvars     |  2 +-
 .../s2_networking_a_peering/simple.tfvars     |  2 +-
 .../stages/s2_networking_b_vpn/simple.tfvars  |  2 +-
 .../stages/s2_networking_c_nva/simple.tfvars  |  2 +-
 .../simple.tfvars                             |  2 +-
 .../s2_networking_e_nva_bgp/simple.tfvars     |  2 +-
 .../s2_networking_e_nva_bgp/simple.yaml       |  3 ++-
 .../s0_bootstrap_tenant/simple.tfvars         |  2 +-
 .../s1_resman_tenant/simple.tfvars            |  2 +-
 24 files changed, 71 insertions(+), 61 deletions(-)

diff --git a/fast/stages-multitenant/0-bootstrap-tenant/README.md b/fast/stages-multitenant/0-bootstrap-tenant/README.md
index 9e3a74d84a..a1b3ba367b 100644
--- a/fast/stages-multitenant/0-bootstrap-tenant/README.md
+++ b/fast/stages-multitenant/0-bootstrap-tenant/README.md
@@ -208,7 +208,7 @@ This configuration is possible but unsupported and only exists for development p
 | [custom_roles](variables.tf#L95) | Custom roles defined at the organization level, in key => id format. | <code title="object&#40;&#123;&#10;  service_project_network_admin &#61; string&#10;  tenant_network_admin          &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> | <code>0-bootstrap</code> |
 | [fast_features](variables.tf#L105) | Selective control for top-level FAST features. | <code title="object&#40;&#123;&#10;  data_platform   &#61; optional&#40;bool, true&#41;&#10;  gke             &#61; optional&#40;bool, true&#41;&#10;  project_factory &#61; optional&#40;bool, true&#41;&#10;  sandbox         &#61; optional&#40;bool, true&#41;&#10;  teams           &#61; optional&#40;bool, true&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> | <code>0-bootstrap</code> |
 | [federated_identity_providers](variables.tf#L119) | Workload Identity Federation pools. The `cicd_repositories` variable references keys here. | <code title="map&#40;object&#40;&#123;&#10;  attribute_condition &#61; optional&#40;string&#41;&#10;  issuer              &#61; string&#10;  custom_settings &#61; optional&#40;object&#40;&#123;&#10;    issuer_uri &#61; optional&#40;string&#41;&#10;    audiences  &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10;  &#125;&#41;, &#123;&#125;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |  |
-| [groups](variables.tf#L133) | Group names or IAM-format principals to grant organization-level permissions. If just the name is provided, the 'group:' principal and organization domain are interpolated. | <code title="object&#40;&#123;&#10;  gcp-devops          &#61; optional&#40;string, &#34;gcp-devops&#34;&#41;&#10;  gcp-network-admins  &#61; optional&#40;string, &#34;gcp-network-admins&#34;&#41;&#10;  gcp-security-admins &#61; optional&#40;string, &#34;gcp-security-admins&#34;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> | <code>0-bootstrap</code> |
+| [groups](variables.tf#L133) | Group names or IAM-format principals to grant organization-level permissions. If just the name is provided, the 'group:' principal and organization domain are interpolated. | <code title="object&#40;&#123;&#10;  gcp-devops          &#61; optional&#40;string, &#34;gcp-devops&#34;&#41;&#10;  gcp-network-admins  &#61; optional&#40;string, &#34;gcp-vpc-network-admins&#34;&#41;&#10;  gcp-security-admins &#61; optional&#40;string, &#34;gcp-security-admins&#34;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> | <code>0-bootstrap</code> |
 | [iam](variables.tf#L146) | Tenant-level custom IAM settings in role => [principal] format. | <code>map&#40;list&#40;string&#41;&#41;</code> |  | <code>&#123;&#125;</code> |  |
 | [iam_bindings_additive](variables.tf#L152) | Individual additive IAM bindings. Keys are arbitrary. | <code title="map&#40;object&#40;&#123;&#10;  member &#61; string&#10;  role   &#61; string&#10;  condition &#61; optional&#40;object&#40;&#123;&#10;    expression  &#61; string&#10;    title       &#61; string&#10;    description &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |  |
 | [iam_by_principals](variables.tf#L167) | Authoritative IAM binding in {PRINCIPAL => [ROLES]} format. Principals need to be statically defined to avoid cycle errors. Merged internally with the `iam` variable. | <code>map&#40;list&#40;string&#41;&#41;</code> |  | <code>&#123;&#125;</code> |  |
diff --git a/fast/stages-multitenant/0-bootstrap-tenant/variables.tf b/fast/stages-multitenant/0-bootstrap-tenant/variables.tf
index 74daa0a9f1..5fa964beee 100644
--- a/fast/stages-multitenant/0-bootstrap-tenant/variables.tf
+++ b/fast/stages-multitenant/0-bootstrap-tenant/variables.tf
@@ -1,5 +1,5 @@
 /**
- * Copyright 2023 Google LLC
+ * Copyright 2024 Google LLC
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -136,7 +136,7 @@ variable "groups" {
   description = "Group names or IAM-format principals to grant organization-level permissions. If just the name is provided, the 'group:' principal and organization domain are interpolated."
   type = object({
     gcp-devops          = optional(string, "gcp-devops")
-    gcp-network-admins  = optional(string, "gcp-network-admins")
+    gcp-network-admins  = optional(string, "gcp-vpc-network-admins")
     gcp-security-admins = optional(string, "gcp-security-admins")
   })
   nullable = false
diff --git a/fast/stages/0-bootstrap/README.md b/fast/stages/0-bootstrap/README.md
index ee5c7f52e7..43060232fe 100644
--- a/fast/stages/0-bootstrap/README.md
+++ b/fast/stages/0-bootstrap/README.md
@@ -39,6 +39,7 @@ Use the following diagram as a simple high level reference for the following sec
   - [Log sinks and log destinations](#log-sinks-and-log-destinations)
   - [Names and naming convention](#names-and-naming-convention)
   - [Workload Identity Federation](#workload-identity-federation)
+  - [Project folders](#project-folders)
   - [CI/CD repositories](#cicd-repositories)
   - [Toggling features](#toggling-features)
 - [Files](#files)
@@ -533,6 +534,18 @@ workload_identity_providers = {
 }
 ```
 
+### Project folders
+
+By default this stage creates all its projects directly under the orgaization node. If desired, projects can be moved under a folder using the `project_parent_ids` variable.
+
+```tfvars
+project_parent_ids = {
+  automation = "folders/1234567890"
+  billing    = "folders/9876543210"
+  logging    = "folders/1234567890"
+}
+```
+
 ### CI/CD repositories
 
 FAST is designed to directly support running in automated workflows from separate repositories for each stage. The `cicd_repositories` variable allows you to configure impersonation from external repositories leveraging Workload identity Federation, and pre-configures a FAST workflow file that can be used to validate and apply the code in each repository.
@@ -595,9 +608,10 @@ The remaining configuration is manual, as it regards the repositories themselves
 
 Some FAST features can be enabled or disabled using the `fast_features` variables. While this variable is not directly used in the bootstrap stage, it can instruct the following stages to create certain resources only if needed.
 
-The `fast_features` variable consists of 4 toggles:
+The `fast_features` variable consists of 6 toggles:
 
 - **`data_platform`** controls the creation of required resources (folders, service accounts, buckets, IAM bindings) to deploy the [3-data-platform](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/tree/master/fast/stages/3-data-platform) stage
+- **`gcve`** controls the creation of required resources (folders, service accounts, buckets, IAM bindings) to deploy the [3-gcve](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/tree/master/fast/stages/3-gcve) stage
 - **`gke`** controls the creation of required resources (folders, service accounts, buckets, IAM bindings) to deploy the [3-gke-multitenant](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/tree/master/fast/stages/3-gke-multitenant) stage
 - **`project_factory`** controls the creation of required resources (folders, service accounts, buckets, IAM bindings) to deploy the [3-project-factory](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/tree/master/fast/stages/3-project-factory) stage
 - **`sandbox`** controls the creation of a "Sandbox" top level folder with relaxed policies, intended for sandbox environments where users can experiment
@@ -636,7 +650,7 @@ The `fast_features` variable consists of 4 toggles:
 | [essential_contacts](variables.tf#L86) | Email used for essential contacts, unset if null. | <code>string</code> |  | <code>null</code> |  |
 | [factories_config](variables.tf#L92) | Configuration for the resource factories or external data. | <code title="object&#40;&#123;&#10;  checklist_data    &#61; optional&#40;string&#41;&#10;  checklist_org_iam &#61; optional&#40;string&#41;&#10;  custom_roles      &#61; optional&#40;string, &#34;data&#47;custom-roles&#34;&#41;&#10;  org_policy        &#61; optional&#40;string, &#34;data&#47;org-policies&#34;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |  |
 | [fast_features](variables.tf#L104) | Selective control for top-level FAST features. | <code title="object&#40;&#123;&#10;  data_platform   &#61; optional&#40;bool, false&#41;&#10;  gcve            &#61; optional&#40;bool, false&#41;&#10;  gke             &#61; optional&#40;bool, false&#41;&#10;  project_factory &#61; optional&#40;bool, false&#41;&#10;  sandbox         &#61; optional&#40;bool, false&#41;&#10;  teams           &#61; optional&#40;bool, false&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |  |
-| [groups](variables.tf#L118) | Group names or IAM-format principals to grant organization-level permissions. If just the name is provided, the 'group:' principal and organization domain are interpolated. | <code title="object&#40;&#123;&#10;  gcp-billing-admins      &#61; optional&#40;string, &#34;gcp-billing-admins&#34;&#41;&#10;  gcp-devops              &#61; optional&#40;string, &#34;gcp-devops&#34;&#41;&#10;  gcp-network-admins      &#61; optional&#40;string, &#34;gcp-network-admins&#34;&#41;&#10;  gcp-organization-admins &#61; optional&#40;string, &#34;gcp-organization-admins&#34;&#41;&#10;  gcp-security-admins     &#61; optional&#40;string, &#34;gcp-security-admins&#34;&#41;&#10;  gcp-support &#61; optional&#40;string, &#34;gcp-devops&#34;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |  |
+| [groups](variables.tf#L118) | Group names or IAM-format principals to grant organization-level permissions. If just the name is provided, the 'group:' principal and organization domain are interpolated. | <code title="object&#40;&#123;&#10;  gcp-billing-admins      &#61; optional&#40;string, &#34;gcp-billing-admins&#34;&#41;&#10;  gcp-devops              &#61; optional&#40;string, &#34;gcp-devops&#34;&#41;&#10;  gcp-network-admins      &#61; optional&#40;string, &#34;gcp-vpc-network-admins&#34;&#41;&#10;  gcp-organization-admins &#61; optional&#40;string, &#34;gcp-organization-admins&#34;&#41;&#10;  gcp-security-admins     &#61; optional&#40;string, &#34;gcp-security-admins&#34;&#41;&#10;  gcp-support &#61; optional&#40;string, &#34;gcp-devops&#34;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |  |
 | [iam](variables.tf#L134) | Organization-level custom IAM settings in role => [principal] format. | <code>map&#40;list&#40;string&#41;&#41;</code> |  | <code>&#123;&#125;</code> |  |
 | [iam_bindings_additive](variables.tf#L141) | Organization-level custom additive IAM bindings. Keys are arbitrary. | <code title="map&#40;object&#40;&#123;&#10;  member &#61; string&#10;  role   &#61; string&#10;  condition &#61; optional&#40;object&#40;&#123;&#10;    expression  &#61; string&#10;    title       &#61; string&#10;    description &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |  |
 | [iam_by_principals](variables.tf#L156) | Authoritative IAM binding in {PRINCIPAL => [ROLES]} format. Principals need to be statically defined to avoid cycle errors. Merged internally with the `iam` variable. | <code>map&#40;list&#40;string&#41;&#41;</code> |  | <code>&#123;&#125;</code> |  |
diff --git a/fast/stages/0-bootstrap/variables.tf b/fast/stages/0-bootstrap/variables.tf
index b769f1088f..26ec513ac9 100644
--- a/fast/stages/0-bootstrap/variables.tf
+++ b/fast/stages/0-bootstrap/variables.tf
@@ -121,7 +121,7 @@ variable "groups" {
   type = object({
     gcp-billing-admins      = optional(string, "gcp-billing-admins")
     gcp-devops              = optional(string, "gcp-devops")
-    gcp-network-admins      = optional(string, "gcp-network-admins")
+    gcp-network-admins      = optional(string, "gcp-vpc-network-admins")
     gcp-organization-admins = optional(string, "gcp-organization-admins")
     gcp-security-admins     = optional(string, "gcp-security-admins")
     # aliased to gcp-devops as the checklist does not create it
diff --git a/fast/stages/1-resman/README.md b/fast/stages/1-resman/README.md
index 6b7836fd8b..5ac024870b 100644
--- a/fast/stages/1-resman/README.md
+++ b/fast/stages/1-resman/README.md
@@ -358,21 +358,21 @@ Due to its simplicity, this stage lends itself easily to customizations: adding
 |---|---|:---:|:---:|:---:|:---:|
 | [automation](variables.tf#L20) | Automation resources created by the bootstrap stage. | <code title="object&#40;&#123;&#10;  outputs_bucket          &#61; string&#10;  project_id              &#61; string&#10;  project_number          &#61; string&#10;  federated_identity_pool &#61; string&#10;  federated_identity_providers &#61; map&#40;object&#40;&#123;&#10;    audiences        &#61; list&#40;string&#41;&#10;    issuer           &#61; string&#10;    issuer_uri       &#61; string&#10;    name             &#61; string&#10;    principal_branch &#61; string&#10;    principal_repo   &#61; string&#10;  &#125;&#41;&#41;&#10;  service_accounts &#61; object&#40;&#123;&#10;    resman-r &#61; string&#10;  &#125;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | ✓ |  | <code>0-bootstrap</code> |
 | [billing_account](variables.tf#L42) | Billing account id. If billing account is not part of the same org set `is_org_level` to `false`. To disable handling of billing IAM roles set `no_iam` to `true`. | <code title="object&#40;&#123;&#10;  id           &#61; string&#10;  is_org_level &#61; optional&#40;bool, true&#41;&#10;  no_iam       &#61; optional&#40;bool, false&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | ✓ |  | <code>0-bootstrap</code> |
-| [organization](variables.tf#L232) | Organization details. | <code title="object&#40;&#123;&#10;  domain      &#61; string&#10;  id          &#61; number&#10;  customer_id &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | ✓ |  | <code>0-bootstrap</code> |
-| [prefix](variables.tf#L248) | Prefix used for resources that need unique names. Use 9 characters or less. | <code>string</code> | ✓ |  | <code>0-bootstrap</code> |
+| [organization](variables.tf#L227) | Organization details. | <code title="object&#40;&#123;&#10;  domain      &#61; string&#10;  id          &#61; number&#10;  customer_id &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | ✓ |  | <code>0-bootstrap</code> |
+| [prefix](variables.tf#L243) | Prefix used for resources that need unique names. Use 9 characters or less. | <code>string</code> | ✓ |  | <code>0-bootstrap</code> |
 | [cicd_repositories](variables.tf#L53) | CI/CD repository configuration. Identity providers reference keys in the `automation.federated_identity_providers` variable. Set to null to disable, or set individual repositories to null if not needed. | <code title="object&#40;&#123;&#10;  data_platform_dev &#61; optional&#40;object&#40;&#123;&#10;    name              &#61; string&#10;    type              &#61; string&#10;    branch            &#61; optional&#40;string&#41;&#10;    identity_provider &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;&#10;  data_platform_prod &#61; optional&#40;object&#40;&#123;&#10;    name              &#61; string&#10;    type              &#61; string&#10;    branch            &#61; optional&#40;string&#41;&#10;    identity_provider &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;&#10;  gke_dev &#61; optional&#40;object&#40;&#123;&#10;    name              &#61; string&#10;    type              &#61; string&#10;    branch            &#61; optional&#40;string&#41;&#10;    identity_provider &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;&#10;  gke_prod &#61; optional&#40;object&#40;&#123;&#10;    name              &#61; string&#10;    type              &#61; string&#10;    branch            &#61; optional&#40;string&#41;&#10;    identity_provider &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;&#10;  gcve_dev &#61; optional&#40;object&#40;&#123;&#10;    name              &#61; string&#10;    type              &#61; string&#10;    branch            &#61; optional&#40;string&#41;&#10;    identity_provider &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;&#10;  gcve_prod &#61; optional&#40;object&#40;&#123;&#10;    name              &#61; string&#10;    type              &#61; string&#10;    branch            &#61; optional&#40;string&#41;&#10;    identity_provider &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;&#10;  networking &#61; optional&#40;object&#40;&#123;&#10;    name              &#61; string&#10;    type              &#61; string&#10;    branch            &#61; optional&#40;string&#41;&#10;    identity_provider &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;&#10;  project_factory_dev &#61; optional&#40;object&#40;&#123;&#10;    name              &#61; string&#10;    type              &#61; string&#10;    branch            &#61; optional&#40;string&#41;&#10;    identity_provider &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;&#10;  project_factory_prod &#61; optional&#40;object&#40;&#123;&#10;    name              &#61; string&#10;    type              &#61; string&#10;    branch            &#61; optional&#40;string&#41;&#10;    identity_provider &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;&#10;  security &#61; optional&#40;object&#40;&#123;&#10;    name              &#61; string&#10;    type              &#61; string&#10;    branch            &#61; optional&#40;string&#41;&#10;    identity_provider &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |  |
 | [custom_roles](variables.tf#L147) | Custom roles defined at the org level, in key => id format. | <code title="object&#40;&#123;&#10;  gcve_network_admin            &#61; string&#10;  organization_admin_viewer     &#61; string&#10;  service_project_network_admin &#61; string&#10;  storage_viewer                &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> | <code>0-bootstrap</code> |
 | [factories_config](variables.tf#L159) | Configuration for the resource factories or external data. | <code title="object&#40;&#123;&#10;  checklist_data &#61; optional&#40;string&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |  |
 | [fast_features](variables.tf#L168) | Selective control for top-level FAST features. | <code title="object&#40;&#123;&#10;  data_platform   &#61; optional&#40;bool, false&#41;&#10;  gke             &#61; optional&#40;bool, false&#41;&#10;  gcve            &#61; optional&#40;bool, false&#41;&#10;  project_factory &#61; optional&#40;bool, false&#41;&#10;  sandbox         &#61; optional&#40;bool, false&#41;&#10;  teams           &#61; optional&#40;bool, false&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> | <code>0-0-bootstrap</code> |
 | [folder_iam](variables.tf#L183) | Authoritative IAM for top-level folders. | <code title="object&#40;&#123;&#10;  data_platform &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;  gcve          &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;  gke           &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;  sandbox       &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;  security      &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;  network       &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;  teams         &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;  tenants       &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |  |
-| [groups](variables.tf#L199) | Group names or IAM-format principals to grant organization-level permissions. If just the name is provided, the 'group:' principal and organization domain are interpolated. | <code title="object&#40;&#123;&#10;  gcp-billing-admins      &#61; optional&#40;string, &#34;gcp-billing-admins&#34;&#41;&#10;  gcp-devops              &#61; optional&#40;string, &#34;gcp-devops&#34;&#41;&#10;  gcp-network-admins      &#61; optional&#40;string, &#34;gcp-network-admins&#34;&#41;&#10;  gcp-organization-admins &#61; optional&#40;string, &#34;gcp-organization-admins&#34;&#41;&#10;  gcp-security-admins     &#61; optional&#40;string, &#34;gcp-security-admins&#34;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> | <code>0-bootstrap</code> |
-| [locations](variables.tf#L214) | Optional locations for GCS, BigQuery, and logging buckets created here. | <code title="object&#40;&#123;&#10;  bq      &#61; string&#10;  gcs     &#61; string&#10;  logging &#61; string&#10;  pubsub  &#61; list&#40;string&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code title="&#123;&#10;  bq      &#61; &#34;EU&#34;&#10;  gcs     &#61; &#34;EU&#34;&#10;  logging &#61; &#34;global&#34;&#10;  pubsub  &#61; &#91;&#93;&#10;&#125;">&#123;&#8230;&#125;</code> | <code>0-bootstrap</code> |
-| [outputs_location](variables.tf#L242) | Enable writing provider, tfvars and CI/CD workflow files to local filesystem. Leave null to disable. | <code>string</code> |  | <code>null</code> |  |
-| [tag_names](variables.tf#L259) | Customized names for resource management tags. | <code title="object&#40;&#123;&#10;  context     &#61; optional&#40;string, &#34;context&#34;&#41;&#10;  environment &#61; optional&#40;string, &#34;environment&#34;&#41;&#10;  tenant      &#61; optional&#40;string, &#34;tenant&#34;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |  |
-| [tags](variables.tf#L274) | Custom secure tags by key name. The `iam` attribute behaves like the similarly named one at module level. | <code title="map&#40;object&#40;&#123;&#10;  description &#61; optional&#40;string, &#34;Managed by the Terraform organization module.&#34;&#41;&#10;  iam         &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;  values &#61; optional&#40;map&#40;object&#40;&#123;&#10;    description &#61; optional&#40;string, &#34;Managed by the Terraform organization module.&#34;&#41;&#10;    iam         &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;    id          &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;, &#123;&#125;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |  |
-| [team_folders](variables.tf#L295) | Team folders to be created. Format is described in a code comment. | <code title="map&#40;object&#40;&#123;&#10;  descriptive_name         &#61; string&#10;  iam_by_principals        &#61; map&#40;list&#40;string&#41;&#41;&#10;  impersonation_principals &#61; list&#40;string&#41;&#10;  cicd &#61; optional&#40;object&#40;&#123;&#10;    branch            &#61; string&#10;    identity_provider &#61; string&#10;    name              &#61; string&#10;    type              &#61; string&#10;  &#125;&#41;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>null</code> |  |
-| [tenants](variables.tf#L311) | Lightweight tenant definitions. | <code title="map&#40;object&#40;&#123;&#10;  admin_principal  &#61; string&#10;  descriptive_name &#61; string&#10;  billing_account  &#61; optional&#40;string&#41;&#10;  organization &#61; optional&#40;object&#40;&#123;&#10;    customer_id &#61; string&#10;    domain      &#61; string&#10;    id          &#61; number&#10;  &#125;&#41;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |  |
-| [tenants_config](variables.tf#L327) | Lightweight tenants shared configuration. Roles will be assigned to tenant admin group and service accounts. | <code title="object&#40;&#123;&#10;  core_folder_roles   &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10;  tenant_folder_roles &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10;  top_folder_roles    &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |  |
+| [groups](variables.tf#L199) | Group names or IAM-format principals to grant organization-level permissions. If just the name is provided, the 'group:' principal and organization domain are interpolated. | <code title="object&#40;&#123;&#10;  gcp-billing-admins      &#61; optional&#40;string, &#34;gcp-billing-admins&#34;&#41;&#10;  gcp-devops              &#61; optional&#40;string, &#34;gcp-devops&#34;&#41;&#10;  gcp-network-admins      &#61; optional&#40;string, &#34;gcp-vpc-network-admins&#34;&#41;&#10;  gcp-organization-admins &#61; optional&#40;string, &#34;gcp-organization-admins&#34;&#41;&#10;  gcp-security-admins     &#61; optional&#40;string, &#34;gcp-security-admins&#34;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> | <code>0-bootstrap</code> |
+| [locations](variables.tf#L214) | Optional locations for GCS, BigQuery, and logging buckets created here. | <code title="object&#40;&#123;&#10;  bq      &#61; optional&#40;string, &#34;EU&#34;&#41;&#10;  gcs     &#61; optional&#40;string, &#34;EU&#34;&#41;&#10;  logging &#61; optional&#40;string, &#34;global&#34;&#41;&#10;  pubsub  &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> | <code>0-bootstrap</code> |
+| [outputs_location](variables.tf#L237) | Enable writing provider, tfvars and CI/CD workflow files to local filesystem. Leave null to disable. | <code>string</code> |  | <code>null</code> |  |
+| [tag_names](variables.tf#L254) | Customized names for resource management tags. | <code title="object&#40;&#123;&#10;  context     &#61; optional&#40;string, &#34;context&#34;&#41;&#10;  environment &#61; optional&#40;string, &#34;environment&#34;&#41;&#10;  tenant      &#61; optional&#40;string, &#34;tenant&#34;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |  |
+| [tags](variables.tf#L269) | Custom secure tags by key name. The `iam` attribute behaves like the similarly named one at module level. | <code title="map&#40;object&#40;&#123;&#10;  description &#61; optional&#40;string, &#34;Managed by the Terraform organization module.&#34;&#41;&#10;  iam         &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;  values &#61; optional&#40;map&#40;object&#40;&#123;&#10;    description &#61; optional&#40;string, &#34;Managed by the Terraform organization module.&#34;&#41;&#10;    iam         &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;    id          &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;, &#123;&#125;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |  |
+| [team_folders](variables.tf#L290) | Team folders to be created. Format is described in a code comment. | <code title="map&#40;object&#40;&#123;&#10;  descriptive_name         &#61; string&#10;  iam_by_principals        &#61; map&#40;list&#40;string&#41;&#41;&#10;  impersonation_principals &#61; list&#40;string&#41;&#10;  cicd &#61; optional&#40;object&#40;&#123;&#10;    branch            &#61; string&#10;    identity_provider &#61; string&#10;    name              &#61; string&#10;    type              &#61; string&#10;  &#125;&#41;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>null</code> |  |
+| [tenants](variables.tf#L306) | Lightweight tenant definitions. | <code title="map&#40;object&#40;&#123;&#10;  admin_principal  &#61; string&#10;  descriptive_name &#61; string&#10;  billing_account  &#61; optional&#40;string&#41;&#10;  organization &#61; optional&#40;object&#40;&#123;&#10;    customer_id &#61; string&#10;    domain      &#61; string&#10;    id          &#61; number&#10;  &#125;&#41;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |  |
+| [tenants_config](variables.tf#L322) | Lightweight tenants shared configuration. Roles will be assigned to tenant admin group and service accounts. | <code title="object&#40;&#123;&#10;  core_folder_roles   &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10;  tenant_folder_roles &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10;  top_folder_roles    &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |  |
 
 ## Outputs
 
@@ -380,7 +380,7 @@ Due to its simplicity, this stage lends itself easily to customizations: adding
 |---|---|:---:|---|
 | [cicd_repositories](outputs.tf#L391) | WIF configuration for CI/CD repositories. |  |  |
 | [dataplatform](outputs.tf#L405) | Data for the Data Platform stage. |  |  |
-| [gcve](outputs.tf#L421) | Data for the GCVE stage. |  | <code>03-gke-multitenant</code> |
+| [gcve](outputs.tf#L421) | Data for the GCVE stage. |  | <code>03-gcve</code> |
 | [gke_multitenant](outputs.tf#L442) | Data for the GKE multitenant stage. |  | <code>03-gke-multitenant</code> |
 | [networking](outputs.tf#L463) | Data for the networking stage. |  |  |
 | [project_factories](outputs.tf#L472) | Data for the project factories stage. |  |  |
diff --git a/fast/stages/1-resman/outputs.tf b/fast/stages/1-resman/outputs.tf
index 31e9590203..de411b9115 100644
--- a/fast/stages/1-resman/outputs.tf
+++ b/fast/stages/1-resman/outputs.tf
@@ -419,7 +419,7 @@ output "dataplatform" {
 }
 
 output "gcve" {
-  # tfdoc:output:consumers 03-gke-multitenant
+  # tfdoc:output:consumers 03-gcve
   description = "Data for the GCVE stage."
   value = (
     var.fast_features.gcve
diff --git a/fast/stages/1-resman/variables.tf b/fast/stages/1-resman/variables.tf
index 8417466730..3256b9bb74 100644
--- a/fast/stages/1-resman/variables.tf
+++ b/fast/stages/1-resman/variables.tf
@@ -203,7 +203,7 @@ variable "groups" {
   type = object({
     gcp-billing-admins      = optional(string, "gcp-billing-admins")
     gcp-devops              = optional(string, "gcp-devops")
-    gcp-network-admins      = optional(string, "gcp-network-admins")
+    gcp-network-admins      = optional(string, "gcp-vpc-network-admins")
     gcp-organization-admins = optional(string, "gcp-organization-admins")
     gcp-security-admins     = optional(string, "gcp-security-admins")
   })
@@ -215,18 +215,13 @@ variable "locations" {
   # tfdoc:variable:source 0-bootstrap
   description = "Optional locations for GCS, BigQuery, and logging buckets created here."
   type = object({
-    bq      = string
-    gcs     = string
-    logging = string
-    pubsub  = list(string)
+    bq      = optional(string, "EU")
+    gcs     = optional(string, "EU")
+    logging = optional(string, "global")
+    pubsub  = optional(list(string), [])
   })
-  default = {
-    bq      = "EU"
-    gcs     = "EU"
-    logging = "global"
-    pubsub  = []
-  }
   nullable = false
+  default  = {}
 }
 
 variable "organization" {
diff --git a/fast/stages/2-networking-a-peering/data/hierarchical-ingress-rules.yaml b/fast/stages/2-networking-a-peering/data/hierarchical-ingress-rules.yaml
index 93d42fbee8..e444dd3f0b 100644
--- a/fast/stages/2-networking-a-peering/data/hierarchical-ingress-rules.yaml
+++ b/fast/stages/2-networking-a-peering/data/hierarchical-ingress-rules.yaml
@@ -11,14 +11,14 @@
 #       - rfc1918
 
 allow-healthchecks:
-  description: Enable HTTP and HTTPS healthchecks
+  description: Enable SSH, HTTP and HTTPS healthchecks
   priority: 1001
   match:
     source_ranges:
       - healthchecks
     layer4_configs:
       - protocol: tcp
-        ports: ["80", "443"]
+        ports: ["22", "80", "443"]
 
 allow-ssh-from-iap:
   description: Enable SSH from IAP
diff --git a/fast/stages/2-networking-b-vpn/data/hierarchical-ingress-rules.yaml b/fast/stages/2-networking-b-vpn/data/hierarchical-ingress-rules.yaml
index 0504f376c8..817be2e99d 100644
--- a/fast/stages/2-networking-b-vpn/data/hierarchical-ingress-rules.yaml
+++ b/fast/stages/2-networking-b-vpn/data/hierarchical-ingress-rules.yaml
@@ -11,14 +11,14 @@
 #       - rfc1918
 
 allow-healthchecks:
-  description: Enable HTTP and HTTPS healthchecks
+  description: Enable SSH, HTTP and HTTPS healthchecks
   priority: 1001
   match:
     source_ranges:
       - healthchecks
     layer4_configs:
       - protocol: tcp
-        ports: ["80", "443"]
+        ports: ["22", "80", "443"]
 
 allow-ssh-from-iap:
   description: Enable SSH from IAP
diff --git a/fast/stages/2-networking-c-nva/data/hierarchical-ingress-rules.yaml b/fast/stages/2-networking-c-nva/data/hierarchical-ingress-rules.yaml
index 0504f376c8..817be2e99d 100644
--- a/fast/stages/2-networking-c-nva/data/hierarchical-ingress-rules.yaml
+++ b/fast/stages/2-networking-c-nva/data/hierarchical-ingress-rules.yaml
@@ -11,14 +11,14 @@
 #       - rfc1918
 
 allow-healthchecks:
-  description: Enable HTTP and HTTPS healthchecks
+  description: Enable SSH, HTTP and HTTPS healthchecks
   priority: 1001
   match:
     source_ranges:
       - healthchecks
     layer4_configs:
       - protocol: tcp
-        ports: ["80", "443"]
+        ports: ["22", "80", "443"]
 
 allow-ssh-from-iap:
   description: Enable SSH from IAP
diff --git a/fast/stages/2-networking-d-separate-envs/data/hierarchical-ingress-rules.yaml b/fast/stages/2-networking-d-separate-envs/data/hierarchical-ingress-rules.yaml
index 0504f376c8..817be2e99d 100644
--- a/fast/stages/2-networking-d-separate-envs/data/hierarchical-ingress-rules.yaml
+++ b/fast/stages/2-networking-d-separate-envs/data/hierarchical-ingress-rules.yaml
@@ -11,14 +11,14 @@
 #       - rfc1918
 
 allow-healthchecks:
-  description: Enable HTTP and HTTPS healthchecks
+  description: Enable SSH, HTTP and HTTPS healthchecks
   priority: 1001
   match:
     source_ranges:
       - healthchecks
     layer4_configs:
       - protocol: tcp
-        ports: ["80", "443"]
+        ports: ["22", "80", "443"]
 
 allow-ssh-from-iap:
   description: Enable SSH from IAP
diff --git a/fast/stages/2-networking-e-nva-bgp/data/hierarchical-ingress-rules.yaml b/fast/stages/2-networking-e-nva-bgp/data/hierarchical-ingress-rules.yaml
index 0504f376c8..817be2e99d 100644
--- a/fast/stages/2-networking-e-nva-bgp/data/hierarchical-ingress-rules.yaml
+++ b/fast/stages/2-networking-e-nva-bgp/data/hierarchical-ingress-rules.yaml
@@ -11,14 +11,14 @@
 #       - rfc1918
 
 allow-healthchecks:
-  description: Enable HTTP and HTTPS healthchecks
+  description: Enable SSH, HTTP and HTTPS healthchecks
   priority: 1001
   match:
     source_ranges:
       - healthchecks
     layer4_configs:
       - protocol: tcp
-        ports: ["80", "443"]
+        ports: ["22", "80", "443"]
 
 allow-ssh-from-iap:
   description: Enable SSH from IAP
diff --git a/tests/fast/stages/s0_bootstrap/checklist.yaml b/tests/fast/stages/s0_bootstrap/checklist.yaml
index 8c24a1fdfe..0b1d71d48f 100644
--- a/tests/fast/stages/s0_bootstrap/checklist.yaml
+++ b/tests/fast/stages/s0_bootstrap/checklist.yaml
@@ -55,9 +55,9 @@ values:
   module.organization.google_organization_iam_binding.authoritative["roles/cloudasset.owner"]:
     condition: []
     members:
-    - group:gcp-network-admins@fast.example.com
     - group:gcp-organization-admins@fast.example.com
     - group:gcp-security-admins@fast.example.com
+    - group:gcp-vpc-network-admins@fast.example.com
     org_id: '123456789012'
     role: roles/cloudasset.owner
   module.organization.google_organization_iam_binding.authoritative["roles/cloudsupport.admin"]:
@@ -70,8 +70,8 @@ values:
     condition: []
     members:
     - group:gcp-devops@fast.example.com
-    - group:gcp-network-admins@fast.example.com
     - group:gcp-security-admins@fast.example.com
+    - group:gcp-vpc-network-admins@fast.example.com
     org_id: '123456789012'
     role: roles/cloudsupport.techSupportEditor
   module.organization.google_organization_iam_binding.authoritative["roles/compute.osAdminLogin"]:
@@ -131,7 +131,7 @@ values:
     condition: []
     members:
     - group:gcp-devops@fast.example.com
-    - group:gcp-network-admins@fast.example.com
+    - group:gcp-vpc-network-admins@fast.example.com
     - serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
     - serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
     org_id: '123456789012'
@@ -240,19 +240,19 @@ values:
     member: serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
     org_id: '123456789012'
     role: roles/billing.viewer
-  ? module.organization.google_organization_iam_member.bindings["roles/compute.networkAdmin-group:gcp-network-admins@fast.example.com"]
+  ? module.organization.google_organization_iam_member.bindings["roles/compute.networkAdmin-group:gcp-vpc-network-admins@fast.example.com"]
   : condition: []
-    member: group:gcp-network-admins@fast.example.com
+    member: group:gcp-vpc-network-admins@fast.example.com
     org_id: '123456789012'
     role: roles/compute.networkAdmin
-  ? module.organization.google_organization_iam_member.bindings["roles/compute.orgFirewallPolicyAdmin-group:gcp-network-admins@fast.example.com"]
+  ? module.organization.google_organization_iam_member.bindings["roles/compute.orgFirewallPolicyAdmin-group:gcp-vpc-network-admins@fast.example.com"]
   : condition: []
-    member: group:gcp-network-admins@fast.example.com
+    member: group:gcp-vpc-network-admins@fast.example.com
     org_id: '123456789012'
     role: roles/compute.orgFirewallPolicyAdmin
-  ? module.organization.google_organization_iam_member.bindings["roles/compute.securityAdmin-group:gcp-network-admins@fast.example.com"]
+  ? module.organization.google_organization_iam_member.bindings["roles/compute.securityAdmin-group:gcp-vpc-network-admins@fast.example.com"]
   : condition: []
-    member: group:gcp-network-admins@fast.example.com
+    member: group:gcp-vpc-network-admins@fast.example.com
     org_id: '123456789012'
     role: roles/compute.securityAdmin
   ? module.organization.google_organization_iam_member.bindings["roles/compute.viewer-group:gcp-security-admins@fast.example.com"]
@@ -260,9 +260,9 @@ values:
     member: group:gcp-security-admins@fast.example.com
     org_id: '123456789012'
     role: roles/compute.viewer
-  ? module.organization.google_organization_iam_member.bindings["roles/compute.xpnAdmin-group:gcp-network-admins@fast.example.com"]
+  ? module.organization.google_organization_iam_member.bindings["roles/compute.xpnAdmin-group:gcp-vpc-network-admins@fast.example.com"]
   : condition: []
-    member: group:gcp-network-admins@fast.example.com
+    member: group:gcp-vpc-network-admins@fast.example.com
     org_id: '123456789012'
     role: roles/compute.xpnAdmin
   ? module.organization.google_organization_iam_member.bindings["roles/container.viewer-group:gcp-security-admins@fast.example.com"]
diff --git a/tests/fast/stages/s0_bootstrap/simple.yaml b/tests/fast/stages/s0_bootstrap/simple.yaml
index 69908ad358..bdc0ec68cb 100644
--- a/tests/fast/stages/s0_bootstrap/simple.yaml
+++ b/tests/fast/stages/s0_bootstrap/simple.yaml
@@ -16,9 +16,9 @@ values:
   module.organization.google_organization_iam_binding.authoritative["roles/cloudsupport.techSupportEditor"]:
     condition: []
     members:
-    - group:gcp-network-admins@fast.example.com
     - group:gcp-security-admins@fast.example.com
     - group:gcp-support@example.com
+    - group:gcp-vpc-network-admins@fast.example.com
     org_id: '123456789012'
     role: roles/cloudsupport.techSupportEditor
   module.organization.google_organization_iam_binding.authoritative["roles/logging.viewer"]:
diff --git a/tests/fast/stages/s1_resman/checklist.tfvars b/tests/fast/stages/s1_resman/checklist.tfvars
index 88df6b629c..0e303043d1 100644
--- a/tests/fast/stages/s1_resman/checklist.tfvars
+++ b/tests/fast/stages/s1_resman/checklist.tfvars
@@ -24,7 +24,7 @@ factories_config = {
 groups = {
   gcp-billing-admins      = "gcp-billing-admins",
   gcp-devops              = "gcp-devops",
-  gcp-network-admins      = "gcp-network-admins",
+  gcp-network-admins      = "gcp-vpc-network-admins",
   gcp-organization-admins = "gcp-organization-admins",
   gcp-security-admins     = "gcp-security-admins",
   gcp-support             = "gcp-support"
diff --git a/tests/fast/stages/s1_resman/simple.tfvars b/tests/fast/stages/s1_resman/simple.tfvars
index 9cb8528817..8086201d88 100644
--- a/tests/fast/stages/s1_resman/simple.tfvars
+++ b/tests/fast/stages/s1_resman/simple.tfvars
@@ -21,7 +21,7 @@ custom_roles = {
 groups = {
   gcp-billing-admins      = "gcp-billing-admins",
   gcp-devops              = "gcp-devops",
-  gcp-network-admins      = "gcp-network-admins",
+  gcp-network-admins      = "gcp-vpc-network-admins",
   gcp-organization-admins = "gcp-organization-admins",
   gcp-security-admins     = "gcp-security-admins",
   gcp-support             = "gcp-support"
diff --git a/tests/fast/stages/s2_networking_a_peering/simple.tfvars b/tests/fast/stages/s2_networking_a_peering/simple.tfvars
index bdff7a433f..9a117062e3 100644
--- a/tests/fast/stages/s2_networking_a_peering/simple.tfvars
+++ b/tests/fast/stages/s2_networking_a_peering/simple.tfvars
@@ -19,7 +19,7 @@ folder_ids = {
   networking-prod = null
 }
 groups = {
-  gcp-network-admins = "gcp-network-admins"
+  gcp-network-admins = "gcp-vpc-network-admins"
 }
 service_accounts = {
   data-platform-dev    = "string"
diff --git a/tests/fast/stages/s2_networking_b_vpn/simple.tfvars b/tests/fast/stages/s2_networking_b_vpn/simple.tfvars
index 24d3a8e039..b9c4ec9ddb 100644
--- a/tests/fast/stages/s2_networking_b_vpn/simple.tfvars
+++ b/tests/fast/stages/s2_networking_b_vpn/simple.tfvars
@@ -19,7 +19,7 @@ folder_ids = {
   networking-prod = null
 }
 groups = {
-  gcp-network-admins = "gcp-network-admins"
+  gcp-network-admins = "gcp-vpc-network-admins"
 }
 service_accounts = {
   data-platform-dev    = "string"
diff --git a/tests/fast/stages/s2_networking_c_nva/simple.tfvars b/tests/fast/stages/s2_networking_c_nva/simple.tfvars
index fca8913f8a..c2a9cef0bd 100644
--- a/tests/fast/stages/s2_networking_c_nva/simple.tfvars
+++ b/tests/fast/stages/s2_networking_c_nva/simple.tfvars
@@ -19,7 +19,7 @@ folder_ids = {
   networking-prod = null
 }
 groups = {
-  gcp-network-admins = "gcp-network-admins"
+  gcp-network-admins = "gcp-vpc-network-admins"
 }
 service_accounts = {
   data-platform-dev    = "string"
diff --git a/tests/fast/stages/s2_networking_d_separate_envs/simple.tfvars b/tests/fast/stages/s2_networking_d_separate_envs/simple.tfvars
index 071011dd5e..8522e2b2f0 100644
--- a/tests/fast/stages/s2_networking_d_separate_envs/simple.tfvars
+++ b/tests/fast/stages/s2_networking_d_separate_envs/simple.tfvars
@@ -20,7 +20,7 @@ folder_ids = {
   networking-prod = null
 }
 groups = {
-  gcp-network-admins = "gcp-network-admins"
+  gcp-network-admins = "gcp-vpc-network-admins"
 }
 service_accounts = {
   data-platform-dev    = "string"
diff --git a/tests/fast/stages/s2_networking_e_nva_bgp/simple.tfvars b/tests/fast/stages/s2_networking_e_nva_bgp/simple.tfvars
index fca8913f8a..c2a9cef0bd 100644
--- a/tests/fast/stages/s2_networking_e_nva_bgp/simple.tfvars
+++ b/tests/fast/stages/s2_networking_e_nva_bgp/simple.tfvars
@@ -19,7 +19,7 @@ folder_ids = {
   networking-prod = null
 }
 groups = {
-  gcp-network-admins = "gcp-network-admins"
+  gcp-network-admins = "gcp-vpc-network-admins"
 }
 service_accounts = {
   data-platform-dev    = "string"
diff --git a/tests/fast/stages/s2_networking_e_nva_bgp/simple.yaml b/tests/fast/stages/s2_networking_e_nva_bgp/simple.yaml
index f0594c4ca6..993910f7e7 100644
--- a/tests/fast/stages/s2_networking_e_nva_bgp/simple.yaml
+++ b/tests/fast/stages/s2_networking_e_nva_bgp/simple.yaml
@@ -740,7 +740,7 @@ values:
     timeouts: null
   ? module.firewall-policy-default.google_compute_firewall_policy_rule.hierarchical["ingress/allow-healthchecks"]
   : action: allow
-    description: Enable HTTP and HTTPS healthchecks
+    description: Enable SSH, HTTP and HTTPS healthchecks
     direction: INGRESS
     disabled: false
     enable_logging: null
@@ -753,6 +753,7 @@ values:
         layer4_configs:
           - ip_protocol: tcp
             ports:
+              - "22"
               - "80"
               - "443"
         src_address_groups: null
diff --git a/tests/fast/stages_multitenant/s0_bootstrap_tenant/simple.tfvars b/tests/fast/stages_multitenant/s0_bootstrap_tenant/simple.tfvars
index 52ca76a3db..e3691e9ca5 100644
--- a/tests/fast/stages_multitenant/s0_bootstrap_tenant/simple.tfvars
+++ b/tests/fast/stages_multitenant/s0_bootstrap_tenant/simple.tfvars
@@ -16,7 +16,7 @@ custom_roles = {
 groups = {
   gcp-billing-admins      = "gcp-billing-admins",
   gcp-devops              = "gcp-devops",
-  gcp-network-admins      = "gcp-network-admins",
+  gcp-network-admins      = "gcp-vpc-network-admins",
   gcp-organization-admins = "gcp-organization-admins",
   gcp-security-admins     = "gcp-security-admins",
   gcp-support             = "gcp-support"
diff --git a/tests/fast/stages_multitenant/s1_resman_tenant/simple.tfvars b/tests/fast/stages_multitenant/s1_resman_tenant/simple.tfvars
index 33cf461989..9cc9d46c69 100644
--- a/tests/fast/stages_multitenant/s1_resman_tenant/simple.tfvars
+++ b/tests/fast/stages_multitenant/s1_resman_tenant/simple.tfvars
@@ -34,7 +34,7 @@ fast_features = {
 }
 groups = {
   gcp-devops          = "gcp-devops",
-  gcp-network-admins  = "gcp-network-admins",
+  gcp-network-admins  = "gcp-vpc-network-admins",
   gcp-security-admins = "gcp-security-admins",
 }
 organization = {

From 7aa6c7e059d5e46a8630259ae5bd1edeefaa3336 Mon Sep 17 00:00:00 2001
From: Julio Castillo <jccb@google.com>
Date: Thu, 2 May 2024 22:11:33 +0200
Subject: [PATCH 15/31] Style fixes to FAST log sinks expressions

---
 fast/stages/0-bootstrap/variables.tf | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/fast/stages/0-bootstrap/variables.tf b/fast/stages/0-bootstrap/variables.tf
index 26ec513ac9..09c0e08567 100644
--- a/fast/stages/0-bootstrap/variables.tf
+++ b/fast/stages/0-bootstrap/variables.tf
@@ -200,14 +200,14 @@ variable "log_sinks" {
     }
     vpc-sc = {
       filter = <<-FILTER
-        protoPayload.metadata.@type:"type.googleapis.com/google.cloud.audit.VpcServiceControlAuditMetadata"
+        protoPayload.metadata.@type="type.googleapis.com/google.cloud.audit.VpcServiceControlAuditMetadata"
       FILTER
       type   = "logging"
     }
     workspace-audit-logs = {
       filter = <<-FILTER
-        log_id("cloudaudit.googleapis.com/data_access")
-        protoPayload.serviceName:"login.googleapis.com"
+        log_id("cloudaudit.googleapis.com/data_access") AND
+        protoPayload.serviceName="login.googleapis.com"
       FILTER
       type   = "logging"
     }

From c9503d5ac506f4bd4c83afdc57f99a97463bdb62 Mon Sep 17 00:00:00 2001
From: Ludovico Magnocavallo <ludomagno@google.com>
Date: Thu, 9 May 2024 15:09:54 +0200
Subject: [PATCH 16/31] Remove data source from folder module (#2260)

* remove data source from folder module

* fix fast tfdoc

* fix locals type error

* fix folder test

* fix fast test
---
 fast/stages/0-bootstrap/README.md                 |  2 +-
 modules/folder/iam.tf                             |  6 +++---
 modules/folder/logging.tf                         |  9 ++++-----
 modules/folder/main.tf                            | 15 +++++----------
 modules/folder/organization-policies.tf           |  4 ++--
 modules/folder/outputs.tf                         |  6 +++---
 modules/folder/tags.tf                            |  2 +-
 .../stages/s2_networking_e_nva_bgp/simple.yaml    |  2 --
 .../s0_bootstrap_tenant/simple.yaml               |  4 ++--
 .../test_plan_org_policies_modules.py             |  8 ++++----
 10 files changed, 25 insertions(+), 33 deletions(-)

diff --git a/fast/stages/0-bootstrap/README.md b/fast/stages/0-bootstrap/README.md
index 43060232fe..5d456302f5 100644
--- a/fast/stages/0-bootstrap/README.md
+++ b/fast/stages/0-bootstrap/README.md
@@ -655,7 +655,7 @@ The `fast_features` variable consists of 6 toggles:
 | [iam_bindings_additive](variables.tf#L141) | Organization-level custom additive IAM bindings. Keys are arbitrary. | <code title="map&#40;object&#40;&#123;&#10;  member &#61; string&#10;  role   &#61; string&#10;  condition &#61; optional&#40;object&#40;&#123;&#10;    expression  &#61; string&#10;    title       &#61; string&#10;    description &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |  |
 | [iam_by_principals](variables.tf#L156) | Authoritative IAM binding in {PRINCIPAL => [ROLES]} format. Principals need to be statically defined to avoid cycle errors. Merged internally with the `iam` variable. | <code>map&#40;list&#40;string&#41;&#41;</code> |  | <code>&#123;&#125;</code> |  |
 | [locations](variables.tf#L163) | Optional locations for GCS, BigQuery, and logging buckets created here. | <code title="object&#40;&#123;&#10;  bq      &#61; optional&#40;string, &#34;EU&#34;&#41;&#10;  gcs     &#61; optional&#40;string, &#34;EU&#34;&#41;&#10;  logging &#61; optional&#40;string, &#34;global&#34;&#41;&#10;  pubsub  &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |  |
-| [log_sinks](variables.tf#L177) | Org-level log sinks, in name => {type, filter} format. | <code title="map&#40;object&#40;&#123;&#10;  filter &#61; string&#10;  type   &#61; string&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code title="&#123;&#10;  audit-logs &#61; &#123;&#10;    filter &#61; &#60;&#60;-FILTER&#10;      log_id&#40;&#34;cloudaudit.googleapis.com&#47;activity&#34;&#41; OR&#10;      log_id&#40;&#34;cloudaudit.googleapis.com&#47;system_event&#34;&#41; OR&#10;      log_id&#40;&#34;cloudaudit.googleapis.com&#47;policy&#34;&#41; OR&#10;      log_id&#40;&#34;cloudaudit.googleapis.com&#47;access_transparency&#34;&#41;&#10;    FILTER&#10;    type   &#61; &#34;logging&#34;&#10;  &#125;&#10;  iam &#61; &#123;&#10;    filter &#61; &#60;&#60;-FILTER&#10;      protoPayload.serviceName&#61;&#34;iamcredentials.googleapis.com&#34; OR&#10;      protoPayload.serviceName&#61;&#34;iam.googleapis.com&#34; OR&#10;      protoPayload.serviceName&#61;&#34;sts.googleapis.com&#34;&#10;    FILTER&#10;    type   &#61; &#34;logging&#34;&#10;  &#125;&#10;  vpc-sc &#61; &#123;&#10;    filter &#61; &#60;&#60;-FILTER&#10;      protoPayload.metadata.&#64;type:&#34;type.googleapis.com&#47;google.cloud.audit.VpcServiceControlAuditMetadata&#34;&#10;    FILTER&#10;    type   &#61; &#34;logging&#34;&#10;  &#125;&#10;  workspace-audit-logs &#61; &#123;&#10;    filter &#61; &#60;&#60;-FILTER&#10;      log_id&#40;&#34;cloudaudit.googleapis.com&#47;data_access&#34;&#41;&#10;      protoPayload.serviceName:&#34;login.googleapis.com&#34;&#10;    FILTER&#10;    type   &#61; &#34;logging&#34;&#10;  &#125;&#10;&#125;">&#123;&#8230;&#125;</code> |  |
+| [log_sinks](variables.tf#L177) | Org-level log sinks, in name => {type, filter} format. | <code title="map&#40;object&#40;&#123;&#10;  filter &#61; string&#10;  type   &#61; string&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code title="&#123;&#10;  audit-logs &#61; &#123;&#10;    filter &#61; &#60;&#60;-FILTER&#10;      log_id&#40;&#34;cloudaudit.googleapis.com&#47;activity&#34;&#41; OR&#10;      log_id&#40;&#34;cloudaudit.googleapis.com&#47;system_event&#34;&#41; OR&#10;      log_id&#40;&#34;cloudaudit.googleapis.com&#47;policy&#34;&#41; OR&#10;      log_id&#40;&#34;cloudaudit.googleapis.com&#47;access_transparency&#34;&#41;&#10;    FILTER&#10;    type   &#61; &#34;logging&#34;&#10;  &#125;&#10;  iam &#61; &#123;&#10;    filter &#61; &#60;&#60;-FILTER&#10;      protoPayload.serviceName&#61;&#34;iamcredentials.googleapis.com&#34; OR&#10;      protoPayload.serviceName&#61;&#34;iam.googleapis.com&#34; OR&#10;      protoPayload.serviceName&#61;&#34;sts.googleapis.com&#34;&#10;    FILTER&#10;    type   &#61; &#34;logging&#34;&#10;  &#125;&#10;  vpc-sc &#61; &#123;&#10;    filter &#61; &#60;&#60;-FILTER&#10;      protoPayload.metadata.&#64;type&#61;&#34;type.googleapis.com&#47;google.cloud.audit.VpcServiceControlAuditMetadata&#34;&#10;    FILTER&#10;    type   &#61; &#34;logging&#34;&#10;  &#125;&#10;  workspace-audit-logs &#61; &#123;&#10;    filter &#61; &#60;&#60;-FILTER&#10;      log_id&#40;&#34;cloudaudit.googleapis.com&#47;data_access&#34;&#41; AND&#10;      protoPayload.serviceName&#61;&#34;login.googleapis.com&#34;&#10;    FILTER&#10;    type   &#61; &#34;logging&#34;&#10;  &#125;&#10;&#125;">&#123;&#8230;&#125;</code> |  |
 | [org_policies_config](variables.tf#L224) | Organization policies customization. | <code title="object&#40;&#123;&#10;  constraints &#61; optional&#40;object&#40;&#123;&#10;    allowed_policy_member_domains &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10;  &#125;&#41;, &#123;&#125;&#41;&#10;  import_defaults &#61; optional&#40;bool, false&#41;&#10;  tag_name        &#61; optional&#40;string, &#34;org-policies&#34;&#41;&#10;  tag_values &#61; optional&#40;map&#40;object&#40;&#123;&#10;    description &#61; optional&#40;string, &#34;Managed by the Terraform organization module.&#34;&#41;&#10;    iam         &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;    id          &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;, &#123;&#125;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |  |
 | [outputs_location](variables.tf#L250) | Enable writing provider, tfvars and CI/CD workflow files to local filesystem. Leave null to disable. | <code>string</code> |  | <code>null</code> |  |
 | [project_parent_ids](variables.tf#L265) | Optional parents for projects created here in folders/nnnnnnn format. Null values will use the organization as parent. | <code title="object&#40;&#123;&#10;  automation &#61; optional&#40;string&#41;&#10;  billing    &#61; optional&#40;string&#41;&#10;  logging    &#61; optional&#40;string&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |  |
diff --git a/modules/folder/iam.tf b/modules/folder/iam.tf
index ba852837cb..68d3e606b0 100644
--- a/modules/folder/iam.tf
+++ b/modules/folder/iam.tf
@@ -35,14 +35,14 @@ locals {
 
 resource "google_folder_iam_binding" "authoritative" {
   for_each = local.iam
-  folder   = local.folder.name
+  folder   = local.folder_id
   role     = each.key
   members  = each.value
 }
 
 resource "google_folder_iam_binding" "bindings" {
   for_each = var.iam_bindings
-  folder   = local.folder.name
+  folder   = local.folder_id
   role     = each.value.role
   members  = each.value.members
   dynamic "condition" {
@@ -57,7 +57,7 @@ resource "google_folder_iam_binding" "bindings" {
 
 resource "google_folder_iam_member" "bindings" {
   for_each = var.iam_bindings_additive
-  folder   = local.folder.name
+  folder   = local.folder_id
   role     = each.value.role
   member   = each.value.member
   dynamic "condition" {
diff --git a/modules/folder/logging.tf b/modules/folder/logging.tf
index f6942baa4b..817c4d1e06 100644
--- a/modules/folder/logging.tf
+++ b/modules/folder/logging.tf
@@ -37,7 +37,7 @@ locals {
 
 resource "google_folder_iam_audit_config" "default" {
   for_each = var.logging_data_access
-  folder   = local.folder.name
+  folder   = local.folder_id
   service  = each.key
   dynamic "audit_log_config" {
     for_each = each.value
@@ -53,7 +53,7 @@ resource "google_logging_folder_sink" "sink" {
   for_each         = local.logging_sinks
   name             = each.key
   description      = coalesce(each.value.description, "${each.key} (Terraform-managed).")
-  folder           = local.folder.name
+  folder           = local.folder_id
   destination      = "${each.value.type}.googleapis.com/${each.value.destination}"
   filter           = each.value.filter
   include_children = each.value.include_children
@@ -108,10 +108,9 @@ resource "google_project_iam_member" "bucket-sinks-binding" {
   project  = split("/", each.value.destination)[1]
   role     = "roles/logging.bucketWriter"
   member   = google_logging_folder_sink.sink[each.key].writer_identity
-
   condition {
     title       = "${each.key} bucket writer"
-    description = "Grants bucketWriter to ${google_logging_folder_sink.sink[each.key].writer_identity} used by log sink ${each.key} on ${local.folder.id}"
+    description = "Grants bucketWriter to ${google_logging_folder_sink.sink[each.key].writer_identity} used by log sink ${each.key} on ${local.folder_id}"
     expression  = "resource.name.endsWith('${each.value.destination}')"
   }
 }
@@ -126,7 +125,7 @@ resource "google_project_iam_member" "project-sinks-binding" {
 resource "google_logging_folder_exclusion" "logging-exclusion" {
   for_each    = var.logging_exclusions
   name        = each.key
-  folder      = local.folder.name
+  folder      = local.folder_id
   description = "${each.key} (Terraform-managed)."
   filter      = each.value
 }
diff --git a/modules/folder/main.tf b/modules/folder/main.tf
index 4335dbe515..8bb46a533c 100644
--- a/modules/folder/main.tf
+++ b/modules/folder/main.tf
@@ -15,18 +15,13 @@
  */
 
 locals {
-  folder = (
+  folder_id = (
     var.folder_create
-    ? try(google_folder.folder[0], null)
-    : try(data.google_folder.folder[0], null)
+    ? try(google_folder.folder[0].id, null)
+    : var.id
   )
 }
 
-data "google_folder" "folder" {
-  count  = var.folder_create ? 0 : 1
-  folder = var.id
-}
-
 resource "google_folder" "folder" {
   count        = var.folder_create ? 1 : 0
   display_name = var.name
@@ -36,7 +31,7 @@ resource "google_folder" "folder" {
 resource "google_essential_contacts_contact" "contact" {
   provider                            = google-beta
   for_each                            = var.contacts
-  parent                              = local.folder.name
+  parent                              = local.folder_id
   email                               = each.key
   language_tag                        = "en"
   notification_category_subscriptions = each.value
@@ -49,7 +44,7 @@ resource "google_essential_contacts_contact" "contact" {
 
 resource "google_compute_firewall_policy_association" "default" {
   count             = var.firewall_policy == null ? 0 : 1
-  attachment_target = local.folder.id
+  attachment_target = local.folder_id
   name              = var.firewall_policy.name
   firewall_policy   = var.firewall_policy.policy
 }
diff --git a/modules/folder/organization-policies.tf b/modules/folder/organization-policies.tf
index 38b69871c9..6de3081ce8 100644
--- a/modules/folder/organization-policies.tf
+++ b/modules/folder/organization-policies.tf
@@ -52,8 +52,8 @@ locals {
   org_policies = {
     for k, v in local._org_policies :
     k => merge(v, {
-      name   = "${local.folder.name}/policies/${k}"
-      parent = local.folder.name
+      name   = "${local.folder_id}/policies/${k}"
+      parent = local.folder_id
       is_boolean_policy = (
         alltrue([for r in v.rules : r.allow == null && r.deny == null])
       )
diff --git a/modules/folder/outputs.tf b/modules/folder/outputs.tf
index aec28f7152..79ff37cb7d 100644
--- a/modules/folder/outputs.tf
+++ b/modules/folder/outputs.tf
@@ -16,12 +16,12 @@
 
 output "folder" {
   description = "Folder resource."
-  value       = local.folder
+  value       = try(google_folder.folder[0], null)
 }
 
 output "id" {
   description = "Fully qualified folder id."
-  value       = local.folder.name
+  value       = local.folder_id
   depends_on = [
     google_folder_iam_binding.authoritative,
     google_folder_iam_binding.bindings,
@@ -32,7 +32,7 @@ output "id" {
 
 output "name" {
   description = "Folder name."
-  value       = local.folder.display_name
+  value       = try(google_folder.folder[0].display_name, null)
 }
 
 output "sink_writer_identities" {
diff --git a/modules/folder/tags.tf b/modules/folder/tags.tf
index 2cd2f2fd1a..323886ef50 100644
--- a/modules/folder/tags.tf
+++ b/modules/folder/tags.tf
@@ -16,6 +16,6 @@
 
 resource "google_tags_tag_binding" "binding" {
   for_each  = coalesce(var.tag_bindings, {})
-  parent    = "//cloudresourcemanager.googleapis.com/${local.folder.id}"
+  parent    = "//cloudresourcemanager.googleapis.com/${local.folder_id}"
   tag_value = each.value
 }
diff --git a/tests/fast/stages/s2_networking_e_nva_bgp/simple.yaml b/tests/fast/stages/s2_networking_e_nva_bgp/simple.yaml
index 993910f7e7..d9b2d67c9c 100644
--- a/tests/fast/stages/s2_networking_e_nva_bgp/simple.yaml
+++ b/tests/fast/stages/s2_networking_e_nva_bgp/simple.yaml
@@ -1520,8 +1520,6 @@ values:
     log_config:
       - enable: false
         filter: ALL
-    max_ports_per_vm: 65536
-    min_ports_per_vm: 64
     name: ew1
     nat_ip_allocate_option: AUTO_ONLY
     nat_ips: null
diff --git a/tests/fast/stages_multitenant/s0_bootstrap_tenant/simple.yaml b/tests/fast/stages_multitenant/s0_bootstrap_tenant/simple.yaml
index 3e84c00ef6..f6f0d3ea26 100644
--- a/tests/fast/stages_multitenant/s0_bootstrap_tenant/simple.yaml
+++ b/tests/fast/stages_multitenant/s0_bootstrap_tenant/simple.yaml
@@ -14,7 +14,7 @@
 
 counts:
   google_bigquery_default_service_account: 2
-  google_folder: 2
+  google_folder: 1
   google_folder_iam_binding: 5
   google_organization_iam_member: 39
   google_project: 2
@@ -30,4 +30,4 @@ counts:
   google_tags_tag_binding: 1
   google_tags_tag_value: 1
   modules: 19
-  resources: 129
+  resources: 128
diff --git a/tests/modules/organization/test_plan_org_policies_modules.py b/tests/modules/organization/test_plan_org_policies_modules.py
index 632b45e726..f8839fc251 100644
--- a/tests/modules/organization/test_plan_org_policies_modules.py
+++ b/tests/modules/organization/test_plan_org_policies_modules.py
@@ -37,8 +37,8 @@ def test_policy_implementation():
       '@@ -55,2 +55,2 @@\n',
       '-      name   = "projects/${local.project.project_id}/policies/${k}"\n',
       '-      parent = "projects/${local.project.project_id}"\n',
-      '+      name   = "${local.folder.name}/policies/${k}"\n',
-      '+      parent = local.folder.name\n',
+      '+      name   = "${local.folder_id}/policies/${k}"\n',
+      '+      parent = local.folder_id\n',
   ]
 
   diff2 = difflib.unified_diff(lines['folder'], lines['organization'], 'folder',
@@ -50,8 +50,8 @@ def test_policy_implementation():
       '-# tfdoc:file:description Folder-level organization policies.\n',
       '+# tfdoc:file:description Organization-level organization policies.\n',
       '@@ -55,2 +55,2 @@\n',
-      '-      name   = "${local.folder.name}/policies/${k}"\n',
-      '-      parent = local.folder.name\n',
+      '-      name   = "${local.folder_id}/policies/${k}"\n',
+      '-      parent = local.folder_id\n',
       '+      name   = "${var.organization_id}/policies/${k}"\n',
       '+      parent = var.organization_id\n',
       '@@ -113,0 +114,9 @@\n',

From c58850c096df0a194dc1437512267f99e4ca2d9d Mon Sep 17 00:00:00 2001
From: Julio Castillo <jccb@google.com>
Date: Thu, 9 May 2024 15:24:41 +0200
Subject: [PATCH 17/31] Add Hybrid NAT support (#2261)

* Updates to support hybid NAT

* Fix readme

* Fix variable order
---
 modules/net-cloudnat/README.md                | 61 +++++++++++-
 modules/net-cloudnat/main.tf                  | 25 +++--
 modules/net-cloudnat/variables.tf             | 42 ++++++---
 modules/net-vpc/README.md                     | 12 ++-
 modules/net-vpc/outputs.tf                    |  7 +-
 modules/net-vpc/subnets.tf                    | 20 +++-
 modules/net-vpc/variables.tf                  | 14 ++-
 .../s2_networking_e_nva_bgp/simple.yaml       |  4 +-
 .../modules/net_cloudnat/examples/hybrid.yaml | 94 +++++++++++++++++++
 9 files changed, 247 insertions(+), 32 deletions(-)
 create mode 100644 tests/modules/net_cloudnat/examples/hybrid.yaml

diff --git a/modules/net-cloudnat/README.md b/modules/net-cloudnat/README.md
index 407bce3f08..34fb560660 100644
--- a/modules/net-cloudnat/README.md
+++ b/modules/net-cloudnat/README.md
@@ -6,6 +6,7 @@ Simple Cloud NAT management, with optional router creation.
 - [Basic Example](#basic-example)
 - [Subnetwork configuration](#subnetwork-configuration)
 - [Reserved IPs and custom rules](#reserved-ips-and-custom-rules)
+- [Hybrid NAT](#hybrid-nat)
 - [Variables](#variables)
 - [Outputs](#outputs)
 <!-- END TOC -->
@@ -102,6 +103,59 @@ module "nat" {
 }
 # tftest modules=2 resources=5 inventory=rules.yaml e2e
 ```
+## Hybrid NAT
+```hcl
+module "vpc1" {
+  source     = "./fabric/modules/net-vpc"
+  project_id = var.project_id
+  name       = "vpc1"
+  subnets = [
+    {
+      ip_cidr_range = "10.0.0.0/24"
+      name          = "vpc1-subnet"
+      region        = var.region
+    }
+  ]
+  subnets_private_nat = [
+    {
+      ip_cidr_range = "192.168.15.0/24"
+      name          = "vpc1-nat"
+      region        = var.region
+    }
+  ]
+}
+
+module "vpc1-nat" {
+  source         = "./fabric/modules/net-cloudnat"
+  project_id     = var.project_id
+  region         = var.region
+  name           = "vpc1-nat"
+  type           = "PRIVATE"
+  router_network = module.vpc1.id
+  config_source_subnetworks = {
+    all = false
+    subnetworks = [
+      {
+        self_link = module.vpc1.subnet_ids["${var.region}/vpc1-subnet"]
+      }
+    ]
+  }
+  config_port_allocation = {
+    enable_endpoint_independent_mapping = false
+    enable_dynamic_port_allocation      = true
+  }
+  rules = [
+    {
+      description = "private nat"
+      match       = "nexthop.is_hybrid"
+      source_ranges = [
+        module.vpc1.subnets_private_nat["${var.region}/vpc1-nat"].id
+      ]
+    }
+  ]
+}
+# tftest modules=2 resources=7 inventory=hybrid.yaml
+```
 <!-- BEGIN TFDOC -->
 ## Variables
 
@@ -111,15 +165,16 @@ module "nat" {
 | [project_id](variables.tf#L82) | Project where resources will be created. | <code>string</code> | ✓ |  |
 | [region](variables.tf#L87) | Region where resources will be created. | <code>string</code> | ✓ |  |
 | [addresses](variables.tf#L17) | Optional list of external address self links. | <code>list&#40;string&#41;</code> |  | <code>&#91;&#93;</code> |
-| [config_port_allocation](variables.tf#L23) | Configuration for how to assign ports to virtual machines. min_ports_per_vm and max_ports_per_vm have no effect unless enable_dynamic_port_allocation is set to 'true'. | <code title="object&#40;&#123;&#10;  enable_endpoint_independent_mapping &#61; optional&#40;bool, true&#41;&#10;  enable_dynamic_port_allocation      &#61; optional&#40;bool, false&#41;&#10;  min_ports_per_vm                    &#61; optional&#40;number, 64&#41;&#10;  max_ports_per_vm                    &#61; optional&#40;number, 65536&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |
+| [config_port_allocation](variables.tf#L23) | Configuration for how to assign ports to virtual machines. min_ports_per_vm and max_ports_per_vm have no effect unless enable_dynamic_port_allocation is set to 'true'. | <code title="object&#40;&#123;&#10;  enable_endpoint_independent_mapping &#61; optional&#40;bool, true&#41;&#10;  enable_dynamic_port_allocation      &#61; optional&#40;bool, false&#41;&#10;  min_ports_per_vm                    &#61; optional&#40;number&#41;&#10;  max_ports_per_vm                    &#61; optional&#40;number&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |
 | [config_source_subnetworks](variables.tf#L39) | Subnetwork configuration. | <code title="object&#40;&#123;&#10;  all                 &#61; optional&#40;bool, true&#41;&#10;  primary_ranges_only &#61; optional&#40;bool&#41;&#10;  subnetworks &#61; optional&#40;list&#40;object&#40;&#123;&#10;    self_link        &#61; string&#10;    all_ranges       &#61; optional&#40;bool, true&#41;&#10;    secondary_ranges &#61; optional&#40;list&#40;string&#41;&#41;&#10;  &#125;&#41;&#41;, &#91;&#93;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |
-| [config_timeouts](variables.tf#L58) | Timeout configurations. | <code title="object&#40;&#123;&#10;  icmp            &#61; optional&#40;number, 30&#41;&#10;  tcp_established &#61; optional&#40;number, 1200&#41;&#10;  tcp_time_wait   &#61; optional&#40;number, 120&#41;&#10;  tcp_transitory  &#61; optional&#40;number, 30&#41;&#10;  udp             &#61; optional&#40;number, 30&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |
+| [config_timeouts](variables.tf#L58) | Timeout configurations. | <code title="object&#40;&#123;&#10;  icmp            &#61; optional&#40;number&#41;&#10;  tcp_established &#61; optional&#40;number&#41;&#10;  tcp_time_wait   &#61; optional&#40;number&#41;&#10;  tcp_transitory  &#61; optional&#40;number&#41;&#10;  udp             &#61; optional&#40;number&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |
 | [logging_filter](variables.tf#L71) | Enables logging if not null, value is one of 'ERRORS_ONLY', 'TRANSLATIONS_ONLY', 'ALL'. | <code>string</code> |  | <code>null</code> |
 | [router_asn](variables.tf#L92) | Router ASN used for auto-created router. | <code>number</code> |  | <code>null</code> |
 | [router_create](variables.tf#L98) | Create router. | <code>bool</code> |  | <code>true</code> |
 | [router_name](variables.tf#L104) | Router name, leave blank if router will be created to use auto generated name. | <code>string</code> |  | <code>null</code> |
 | [router_network](variables.tf#L110) | Name of the VPC used for auto-created router. | <code>string</code> |  | <code>null</code> |
-| [rules](variables.tf#L116) | List of rules associated with this NAT. | <code title="list&#40;object&#40;&#123;&#10;  description &#61; optional&#40;string&#41;,&#10;  match       &#61; string&#10;  source_ips  &#61; list&#40;string&#41;&#10;&#125;&#41;&#41;">list&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#91;&#93;</code> |
+| [rules](variables.tf#L116) | List of rules associated with this NAT. | <code title="list&#40;object&#40;&#123;&#10;  description   &#61; optional&#40;string&#41;&#10;  match         &#61; string&#10;  source_ips    &#61; optional&#40;list&#40;string&#41;&#41;&#10;  source_ranges &#61; optional&#40;list&#40;string&#41;&#41;&#10;&#125;&#41;&#41;">list&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#91;&#93;</code> |
+| [type](variables.tf#L136) | Whether this Cloud NAT is used for public or private IP translation. One of 'PUBLIC' or 'PRIVATE'. | <code>string</code> |  | <code>&#34;PUBLIC&#34;</code> |
 
 ## Outputs
 
diff --git a/modules/net-cloudnat/main.tf b/modules/net-cloudnat/main.tf
index 7a537d8eee..bf5b7bc785 100644
--- a/modules/net-cloudnat/main.tf
+++ b/modules/net-cloudnat/main.tf
@@ -1,5 +1,5 @@
 /**
- * Copyright 2023 Google LLC
+ * Copyright 2024 Google LLC
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -47,13 +47,21 @@ resource "google_compute_router" "router" {
 }
 
 resource "google_compute_router_nat" "nat" {
-  project = var.project_id
-  region  = var.region
-  name    = var.name
-  router  = local.router_name
-  nat_ips = var.addresses
+  provider = google-beta
+  project  = var.project_id
+  region   = var.region
+  name     = var.name
+  type     = var.type
+  router   = local.router_name
+  nat_ips  = var.addresses
   nat_ip_allocate_option = (
-    length(var.addresses) > 0 ? "MANUAL_ONLY" : "AUTO_ONLY"
+    var.type == "PRIVATE"
+    ? null
+    : (
+      length(var.addresses) > 0
+      ? "MANUAL_ONLY"
+      : "AUTO_ONLY"
+    )
   )
   source_subnetwork_ip_ranges_to_nat = local.subnet_config
   icmp_idle_timeout_sec              = var.config_timeouts.icmp
@@ -114,7 +122,8 @@ resource "google_compute_router_nat" "nat" {
       description = rules.value.description
       match       = rules.value.match
       action {
-        source_nat_active_ips = rules.value.source_ips
+        source_nat_active_ips    = rules.value.source_ips
+        source_nat_active_ranges = rules.value.source_ranges
       }
     }
   }
diff --git a/modules/net-cloudnat/variables.tf b/modules/net-cloudnat/variables.tf
index 0ec05e4221..27484ee319 100644
--- a/modules/net-cloudnat/variables.tf
+++ b/modules/net-cloudnat/variables.tf
@@ -1,5 +1,5 @@
 /**
- * Copyright 2023 Google LLC
+ * Copyright 2024 Google LLC
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -25,8 +25,8 @@ variable "config_port_allocation" {
   type = object({
     enable_endpoint_independent_mapping = optional(bool, true)
     enable_dynamic_port_allocation      = optional(bool, false)
-    min_ports_per_vm                    = optional(number, 64)
-    max_ports_per_vm                    = optional(number, 65536)
+    min_ports_per_vm                    = optional(number)
+    max_ports_per_vm                    = optional(number)
   })
   default  = {}
   nullable = false
@@ -58,11 +58,11 @@ output "foo" {
 variable "config_timeouts" {
   description = "Timeout configurations."
   type = object({
-    icmp            = optional(number, 30)
-    tcp_established = optional(number, 1200)
-    tcp_time_wait   = optional(number, 120)
-    tcp_transitory  = optional(number, 30)
-    udp             = optional(number, 30)
+    icmp            = optional(number)
+    tcp_established = optional(number)
+    tcp_time_wait   = optional(number)
+    tcp_transitory  = optional(number)
+    udp             = optional(number)
   })
   default  = {}
   nullable = false
@@ -116,10 +116,30 @@ variable "router_network" {
 variable "rules" {
   description = "List of rules associated with this NAT."
   type = list(object({
-    description = optional(string),
-    match       = string
-    source_ips  = list(string)
+    description   = optional(string)
+    match         = string
+    source_ips    = optional(list(string))
+    source_ranges = optional(list(string))
   }))
   default  = []
   nullable = false
+  validation {
+    condition = alltrue([
+      for r in var.rules :
+      r.source_ips != null || r.source_ranges != null
+    ])
+
+    error_message = "All rules must specify either source_ips or source_ranges."
+  }
+}
+
+variable "type" {
+  description = "Whether this Cloud NAT is used for public or private IP translation. One of 'PUBLIC' or 'PRIVATE'."
+  type        = string
+  default     = "PUBLIC"
+  nullable    = false
+  validation {
+    condition     = var.type == "PUBLIC" || var.type == "PRIVATE"
+    error_message = "Field type must be either PUBLIC or PRIVATE."
+  }
 }
diff --git a/modules/net-vpc/README.md b/modules/net-vpc/README.md
index feee775cc6..d29251cc96 100644
--- a/modules/net-vpc/README.md
+++ b/modules/net-vpc/README.md
@@ -662,9 +662,10 @@ module "vpc" {
 | [shared_vpc_host](variables.tf#L238) | Enable shared VPC for this project. | <code>bool</code> |  | <code>false</code> |
 | [shared_vpc_service_projects](variables.tf#L244) | Shared VPC service projects to register with this host. | <code>list&#40;string&#41;</code> |  | <code>&#91;&#93;</code> |
 | [subnets](variables.tf#L250) | Subnet configuration. | <code title="list&#40;object&#40;&#123;&#10;  name                  &#61; string&#10;  ip_cidr_range         &#61; string&#10;  region                &#61; string&#10;  description           &#61; optional&#40;string&#41;&#10;  enable_private_access &#61; optional&#40;bool, true&#41;&#10;  flow_logs_config &#61; optional&#40;object&#40;&#123;&#10;    aggregation_interval &#61; optional&#40;string&#41;&#10;    filter_expression    &#61; optional&#40;string&#41;&#10;    flow_sampling        &#61; optional&#40;number&#41;&#10;    metadata             &#61; optional&#40;string&#41;&#10;    metadata_fields &#61; optional&#40;list&#40;string&#41;&#41;&#10;  &#125;&#41;&#41;&#10;  ipv6 &#61; optional&#40;object&#40;&#123;&#10;    access_type &#61; optional&#40;string, &#34;INTERNAL&#34;&#41;&#10;  &#125;&#41;&#41;&#10;  secondary_ip_ranges &#61; optional&#40;map&#40;string&#41;&#41;&#10;&#10;&#10;  iam &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;  iam_bindings &#61; optional&#40;map&#40;object&#40;&#123;&#10;    role    &#61; string&#10;    members &#61; list&#40;string&#41;&#10;    condition &#61; optional&#40;object&#40;&#123;&#10;      expression  &#61; string&#10;      title       &#61; string&#10;      description &#61; optional&#40;string&#41;&#10;    &#125;&#41;&#41;&#10;  &#125;&#41;&#41;, &#123;&#125;&#41;&#10;  iam_bindings_additive &#61; optional&#40;map&#40;object&#40;&#123;&#10;    member &#61; string&#10;    role   &#61; string&#10;    condition &#61; optional&#40;object&#40;&#123;&#10;      expression  &#61; string&#10;      title       &#61; string&#10;      description &#61; optional&#40;string&#41;&#10;    &#125;&#41;&#41;&#10;  &#125;&#41;&#41;, &#123;&#125;&#41;&#10;&#125;&#41;&#41;">list&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#91;&#93;</code> |
-| [subnets_proxy_only](variables.tf#L297) | List of proxy-only subnets for Regional HTTPS or Internal HTTPS load balancers. Note: Only one proxy-only subnet for each VPC network in each region can be active. | <code title="list&#40;object&#40;&#123;&#10;  name          &#61; string&#10;  ip_cidr_range &#61; string&#10;  region        &#61; string&#10;  description   &#61; optional&#40;string&#41;&#10;  active        &#61; optional&#40;bool, true&#41;&#10;  global        &#61; optional&#40;bool, false&#41;&#10;&#10;&#10;  iam &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;  iam_bindings &#61; optional&#40;map&#40;object&#40;&#123;&#10;    role    &#61; string&#10;    members &#61; list&#40;string&#41;&#10;    condition &#61; optional&#40;object&#40;&#123;&#10;      expression  &#61; string&#10;      title       &#61; string&#10;      description &#61; optional&#40;string&#41;&#10;    &#125;&#41;&#41;&#10;  &#125;&#41;&#41;, &#123;&#125;&#41;&#10;  iam_bindings_additive &#61; optional&#40;map&#40;object&#40;&#123;&#10;    member &#61; string&#10;    role   &#61; string&#10;    condition &#61; optional&#40;object&#40;&#123;&#10;      expression  &#61; string&#10;      title       &#61; string&#10;      description &#61; optional&#40;string&#41;&#10;    &#125;&#41;&#41;&#10;  &#125;&#41;&#41;, &#123;&#125;&#41;&#10;&#125;&#41;&#41;">list&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#91;&#93;</code> |
-| [subnets_psc](variables.tf#L331) | List of subnets for Private Service Connect service producers. | <code title="list&#40;object&#40;&#123;&#10;  name          &#61; string&#10;  ip_cidr_range &#61; string&#10;  region        &#61; string&#10;  description   &#61; optional&#40;string&#41;&#10;&#10;&#10;  iam &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;  iam_bindings &#61; optional&#40;map&#40;object&#40;&#123;&#10;    role    &#61; string&#10;    members &#61; list&#40;string&#41;&#10;    condition &#61; optional&#40;object&#40;&#123;&#10;      expression  &#61; string&#10;      title       &#61; string&#10;      description &#61; optional&#40;string&#41;&#10;    &#125;&#41;&#41;&#10;  &#125;&#41;&#41;, &#123;&#125;&#41;&#10;  iam_bindings_additive &#61; optional&#40;map&#40;object&#40;&#123;&#10;    member &#61; string&#10;    role   &#61; string&#10;    condition &#61; optional&#40;object&#40;&#123;&#10;      expression  &#61; string&#10;      title       &#61; string&#10;      description &#61; optional&#40;string&#41;&#10;    &#125;&#41;&#41;&#10;  &#125;&#41;&#41;, &#123;&#125;&#41;&#10;&#125;&#41;&#41;">list&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#91;&#93;</code> |
-| [vpc_create](variables.tf#L363) | Create VPC. When set to false, uses a data source to reference existing VPC. | <code>bool</code> |  | <code>true</code> |
+| [subnets_private_nat](variables.tf#L297) | List of private NAT subnets. | <code title="list&#40;object&#40;&#123;&#10;  name          &#61; string&#10;  ip_cidr_range &#61; string&#10;  region        &#61; string&#10;  description   &#61; optional&#40;string&#41;&#10;&#125;&#41;&#41;">list&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#91;&#93;</code> |
+| [subnets_proxy_only](variables.tf#L309) | List of proxy-only subnets for Regional HTTPS or Internal HTTPS load balancers. Note: Only one proxy-only subnet for each VPC network in each region can be active. | <code title="list&#40;object&#40;&#123;&#10;  name          &#61; string&#10;  ip_cidr_range &#61; string&#10;  region        &#61; string&#10;  description   &#61; optional&#40;string&#41;&#10;  active        &#61; optional&#40;bool, true&#41;&#10;  global        &#61; optional&#40;bool, false&#41;&#10;&#10;&#10;  iam &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;  iam_bindings &#61; optional&#40;map&#40;object&#40;&#123;&#10;    role    &#61; string&#10;    members &#61; list&#40;string&#41;&#10;    condition &#61; optional&#40;object&#40;&#123;&#10;      expression  &#61; string&#10;      title       &#61; string&#10;      description &#61; optional&#40;string&#41;&#10;    &#125;&#41;&#41;&#10;  &#125;&#41;&#41;, &#123;&#125;&#41;&#10;  iam_bindings_additive &#61; optional&#40;map&#40;object&#40;&#123;&#10;    member &#61; string&#10;    role   &#61; string&#10;    condition &#61; optional&#40;object&#40;&#123;&#10;      expression  &#61; string&#10;      title       &#61; string&#10;      description &#61; optional&#40;string&#41;&#10;    &#125;&#41;&#41;&#10;  &#125;&#41;&#41;, &#123;&#125;&#41;&#10;&#125;&#41;&#41;">list&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#91;&#93;</code> |
+| [subnets_psc](variables.tf#L343) | List of subnets for Private Service Connect service producers. | <code title="list&#40;object&#40;&#123;&#10;  name          &#61; string&#10;  ip_cidr_range &#61; string&#10;  region        &#61; string&#10;  description   &#61; optional&#40;string&#41;&#10;&#10;&#10;  iam &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;  iam_bindings &#61; optional&#40;map&#40;object&#40;&#123;&#10;    role    &#61; string&#10;    members &#61; list&#40;string&#41;&#10;    condition &#61; optional&#40;object&#40;&#123;&#10;      expression  &#61; string&#10;      title       &#61; string&#10;      description &#61; optional&#40;string&#41;&#10;    &#125;&#41;&#41;&#10;  &#125;&#41;&#41;, &#123;&#125;&#41;&#10;  iam_bindings_additive &#61; optional&#40;map&#40;object&#40;&#123;&#10;    member &#61; string&#10;    role   &#61; string&#10;    condition &#61; optional&#40;object&#40;&#123;&#10;      expression  &#61; string&#10;      title       &#61; string&#10;      description &#61; optional&#40;string&#41;&#10;    &#125;&#41;&#41;&#10;  &#125;&#41;&#41;, &#123;&#125;&#41;&#10;&#125;&#41;&#41;">list&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#91;&#93;</code> |
+| [vpc_create](variables.tf#L375) | Create VPC. When set to false, uses a data source to reference existing VPC. | <code>bool</code> |  | <code>true</code> |
 
 ## Outputs
 
@@ -684,6 +685,7 @@ module "vpc" {
 | [subnet_secondary_ranges](outputs.tf#L122) | Map of subnet secondary ranges keyed by name. |  |
 | [subnet_self_links](outputs.tf#L133) | Map of subnet self links keyed by name. |  |
 | [subnets](outputs.tf#L142) | Subnet resources. |  |
-| [subnets_proxy_only](outputs.tf#L151) | L7 ILB or L7 Regional LB subnet resources. |  |
-| [subnets_psc](outputs.tf#L156) | Private Service Connect subnet resources. |  |
+| [subnets_private_nat](outputs.tf#L151) | Private NAT subnet resources. |  |
+| [subnets_proxy_only](outputs.tf#L156) | L7 ILB or L7 Regional LB subnet resources. |  |
+| [subnets_psc](outputs.tf#L161) | Private Service Connect subnet resources. |  |
 <!-- END TFDOC -->
diff --git a/modules/net-vpc/outputs.tf b/modules/net-vpc/outputs.tf
index 412e363a4a..4d143e829f 100644
--- a/modules/net-vpc/outputs.tf
+++ b/modules/net-vpc/outputs.tf
@@ -1,5 +1,5 @@
 /**
- * Copyright 2023 Google LLC
+ * Copyright 2024 Google LLC
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -148,6 +148,11 @@ output "subnets" {
   ]
 }
 
+output "subnets_private_nat" {
+  description = "Private NAT subnet resources."
+  value       = { for k, v in google_compute_subnetwork.private_nat : k => v }
+}
+
 output "subnets_proxy_only" {
   description = "L7 ILB or L7 Regional LB subnet resources."
   value       = { for k, v in google_compute_subnetwork.proxy_only : k => v }
diff --git a/modules/net-vpc/subnets.tf b/modules/net-vpc/subnets.tf
index ca3541450c..09d4748d00 100644
--- a/modules/net-vpc/subnets.tf
+++ b/modules/net-vpc/subnets.tf
@@ -1,5 +1,5 @@
 /**
- * Copyright 2023 Google LLC
+ * Copyright 2024 Google LLC
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -124,6 +124,10 @@ locals {
     { for s in var.subnets_proxy_only : "${s.region}/${s.name}" => s },
     { for k, v in local._factory_subnets : k => v if v._is_proxy_only },
   )
+  subnets_private_nat = merge(
+    { for s in var.subnets_private_nat : "${s.region}/${s.name}" => s },
+    # { for k, v in local._factory_subnets : k => v if v._is_proxy_only },
+  )
   subnets_psc = merge(
     { for s in var.subnets_psc : "${s.region}/${s.name}" => s },
     { for k, v in local._factory_subnets : k => v if v._is_psc }
@@ -185,6 +189,20 @@ resource "google_compute_subnetwork" "proxy_only" {
   role    = each.value.active ? "ACTIVE" : "BACKUP"
 }
 
+resource "google_compute_subnetwork" "private_nat" {
+  for_each      = local.subnets_private_nat
+  project       = var.project_id
+  network       = local.network.name
+  name          = each.value.name
+  region        = each.value.region
+  ip_cidr_range = each.value.ip_cidr_range
+  description = coalesce(
+    each.value.description,
+    "Terraform-managed private NAT subnet."
+  )
+  purpose = "PRIVATE_NAT"
+}
+
 resource "google_compute_subnetwork" "psc" {
   for_each      = local.subnets_psc
   project       = var.project_id
diff --git a/modules/net-vpc/variables.tf b/modules/net-vpc/variables.tf
index d8948a2640..6fd011bec8 100644
--- a/modules/net-vpc/variables.tf
+++ b/modules/net-vpc/variables.tf
@@ -1,5 +1,5 @@
 /**
- * Copyright 2023 Google LLC
+ * Copyright 2024 Google LLC
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -294,6 +294,18 @@ variable "subnets" {
   nullable = false
 }
 
+variable "subnets_private_nat" {
+  description = "List of private NAT subnets."
+  type = list(object({
+    name          = string
+    ip_cidr_range = string
+    region        = string
+    description   = optional(string)
+  }))
+  default  = []
+  nullable = false
+}
+
 variable "subnets_proxy_only" {
   description = "List of proxy-only subnets for Regional HTTPS or Internal HTTPS load balancers. Note: Only one proxy-only subnet for each VPC network in each region can be active."
   type = list(object({
diff --git a/tests/fast/stages/s2_networking_e_nva_bgp/simple.yaml b/tests/fast/stages/s2_networking_e_nva_bgp/simple.yaml
index d9b2d67c9c..38a23789d5 100644
--- a/tests/fast/stages/s2_networking_e_nva_bgp/simple.yaml
+++ b/tests/fast/stages/s2_networking_e_nva_bgp/simple.yaml
@@ -1520,6 +1520,7 @@ values:
     log_config:
       - enable: false
         filter: ALL
+    max_ports_per_vm: null
     name: ew1
     nat_ip_allocate_option: AUTO_ONLY
     nat_ips: null
@@ -1551,8 +1552,7 @@ values:
     log_config:
       - enable: false
         filter: ALL
-    max_ports_per_vm: 65536
-    min_ports_per_vm: 64
+    max_ports_per_vm: null
     name: ew4
     nat_ip_allocate_option: AUTO_ONLY
     nat_ips: null
diff --git a/tests/modules/net_cloudnat/examples/hybrid.yaml b/tests/modules/net_cloudnat/examples/hybrid.yaml
new file mode 100644
index 0000000000..4dd1939598
--- /dev/null
+++ b/tests/modules/net_cloudnat/examples/hybrid.yaml
@@ -0,0 +1,94 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+values:
+  module.vpc1-nat.google_compute_router.router[0]:
+    bgp: []
+    description: null
+    encrypted_interconnect_router: null
+    name: vpc1-nat-nat
+    project: project-id
+    region: europe-west8
+  module.vpc1-nat.google_compute_router_nat.nat:
+    drain_nat_ips: null
+    enable_dynamic_port_allocation: true
+    enable_endpoint_independent_mapping: false
+    icmp_idle_timeout_sec: 30
+    log_config:
+    - enable: false
+      filter: ALL
+    max_ports_per_vm: null
+    name: vpc1-nat
+    nat_ip_allocate_option: null
+    nat_ips: null
+    project: project-id
+    region: europe-west8
+    router: vpc1-nat-nat
+    rules:
+    - action:
+      - source_nat_active_ips: []
+        source_nat_drain_ips: []
+        source_nat_drain_ranges: []
+      description: private nat
+      match: nexthop.is_hybrid
+      rule_number: 0
+    source_subnetwork_ip_ranges_to_nat: LIST_OF_SUBNETWORKS
+    subnetwork:
+    - secondary_ip_range_names: []
+      source_ip_ranges_to_nat:
+      - ALL_IP_RANGES
+    tcp_established_idle_timeout_sec: 1200
+    tcp_time_wait_timeout_sec: 120
+    tcp_transitory_idle_timeout_sec: 30
+    type: PRIVATE
+    udp_idle_timeout_sec: 30
+  module.vpc1.google_compute_network.network[0]:
+    auto_create_subnetworks: false
+    delete_default_routes_on_create: false
+    description: Terraform-managed.
+    enable_ula_internal_ipv6: null
+    name: vpc1
+    network_firewall_policy_enforcement_order: AFTER_CLASSIC_FIREWALL
+    project: project-id
+    routing_mode: GLOBAL
+  module.vpc1.google_compute_subnetwork.private_nat["europe-west8/vpc1-nat"]:
+    description: Terraform-managed private NAT subnet.
+    ip_cidr_range: 192.168.15.0/24
+    ipv6_access_type: null
+    log_config: []
+    name: vpc1-nat
+    network: vpc1
+    project: project-id
+    purpose: PRIVATE_NAT
+    region: europe-west8
+    role: null
+  module.vpc1.google_compute_subnetwork.subnetwork["europe-west8/vpc1-subnet"]:
+    description: Terraform-managed.
+    ip_cidr_range: 10.0.0.0/24
+    ipv6_access_type: null
+    log_config: []
+    name: vpc1-subnet
+    network: vpc1
+    private_ip_google_access: true
+    project: project-id
+    region: europe-west8
+    role: null
+    secondary_ip_range: []
+
+counts:
+  google_compute_network: 1
+  google_compute_route: 2
+  google_compute_router: 1
+  google_compute_router_nat: 1
+  google_compute_subnetwork: 2

From d838c4ac478ea71ec30f69c06dcbe7173b07f08d Mon Sep 17 00:00:00 2001
From: Julio Castillo <jccb@google.com>
Date: Thu, 9 May 2024 18:29:25 +0200
Subject: [PATCH 18/31] Make Simple NVA route IAP traffic through NIC 0 (#2262)

---
 .../simple-nva/cloud-config.yaml              |    5 +-
 .../s2_networking_e_nva_bgp/simple.yaml       | 1889 +++++++++--------
 2 files changed, 949 insertions(+), 945 deletions(-)

diff --git a/modules/cloud-config-container/simple-nva/cloud-config.yaml b/modules/cloud-config-container/simple-nva/cloud-config.yaml
index 328ace7e2c..b5553793c0 100644
--- a/modules/cloud-config-container/simple-nva/cloud-config.yaml
+++ b/modules/cloud-config-container/simple-nva/cloud-config.yaml
@@ -1,6 +1,6 @@
 #cloud-config
 
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -51,6 +51,9 @@ write_files:
 %{ endfor ~}
       iptables -t nat -A POSTROUTING -o ${interface.name} -j MASQUERADE
 %{ endif ~}
+%{ if interface.number == 0 ~}
+      ip route add 35.235.240.0/20 via `curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/0/gateway -H "Metadata-Flavor:Google"` dev ${interface.name}
+%{ endif ~}
 %{ for route in interface.routes ~}
       ip route add ${route} via `curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/${interface.number}/gateway -H "Metadata-Flavor:Google"` dev ${interface.name}
 %{ endfor ~}
diff --git a/tests/fast/stages/s2_networking_e_nva_bgp/simple.yaml b/tests/fast/stages/s2_networking_e_nva_bgp/simple.yaml
index 38a23789d5..25ba7ccf9b 100644
--- a/tests/fast/stages/s2_networking_e_nva_bgp/simple.yaml
+++ b/tests/fast/stages/s2_networking_e_nva_bgp/simple.yaml
@@ -10,7 +10,6 @@
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
-# limitations under the License.
 
 values:
   google_compute_address.nva_static_ip_dmz["primary-b"]:
@@ -113,22 +112,21 @@ values:
     alert_strategy: []
     combiner: OR
     conditions:
-      - condition_absent: []
-        condition_matched_log: []
-        condition_monitoring_query_language:
-          - duration: 120s
-            evaluation_missing_data: null
-            query:
-              fetch vpn_gateway| { metric vpn.googleapis.com/network/sent_bytes_count;
-              metric vpn.googleapis.com/network/received_bytes_count }| align rate (1m)|
-              group_by [metric.tunnel_name]| outer_join 0,0| value val(0) + val(1)| condition
-              val() > 187.5 "MBy/s"
-            trigger:
-              - count: 1
-                percent: null
-        condition_prometheus_query_language: []
-        condition_threshold: []
-        display_name: VPN Tunnel Bandwidth usage
+    - condition_absent: []
+      condition_matched_log: []
+      condition_monitoring_query_language:
+      - duration: 120s
+        evaluation_missing_data: null
+        query: fetch vpn_gateway| { metric vpn.googleapis.com/network/sent_bytes_count;
+          metric vpn.googleapis.com/network/received_bytes_count }| align rate (1m)|
+          group_by [metric.tunnel_name]| outer_join 0,0| value val(0) + val(1)| condition
+          val() > 187.5 "MBy/s"
+        trigger:
+        - count: 1
+          percent: null
+      condition_prometheus_query_language: []
+      condition_threshold: []
+      display_name: VPN Tunnel Bandwidth usage
     display_name: VPN Tunnel Bandwidth usage
     documentation: []
     enabled: true
@@ -141,21 +139,20 @@ values:
     alert_strategy: []
     combiner: OR
     conditions:
-      - condition_absent: []
-        condition_matched_log: []
-        condition_monitoring_query_language:
-          - duration: 120s
-            evaluation_missing_data: null
-            query:
-              "fetch vpn_gateway| metric vpn.googleapis.com/tunnel_established| group_by
-              5m, [value_tunnel_established_max: max(value.tunnel_established)]| every
-              5m| condition val() < 1 '1'"
-            trigger:
-              - count: 1
-                percent: null
-        condition_prometheus_query_language: []
-        condition_threshold: []
-        display_name: VPN Tunnel Established
+    - condition_absent: []
+      condition_matched_log: []
+      condition_monitoring_query_language:
+      - duration: 120s
+        evaluation_missing_data: null
+        query: 'fetch vpn_gateway| metric vpn.googleapis.com/tunnel_established| group_by
+          5m, [value_tunnel_established_max: max(value.tunnel_established)]| every
+          5m| condition val() < 1 ''1'''
+        trigger:
+        - count: 1
+          percent: null
+      condition_prometheus_query_language: []
+      condition_threshold: []
+      display_name: VPN Tunnel Established
     display_name: VPN Tunnel Established
     documentation: []
     enabled: true
@@ -165,17 +162,15 @@ values:
     timeouts: null
     user_labels: null
   google_monitoring_dashboard.dashboard["firewall_insights.json"]:
-    dashboard_json:
-      '{"displayName":"Firewall Insights Monitoring","gridLayout":{"columns":"2","widgets":[{"title":"Subnet
+    dashboard_json: '{"displayName":"Firewall Insights Monitoring","gridLayout":{"columns":"2","widgets":[{"title":"Subnet
       Firewall Hit Counts","xyChart":{"chartOptions":{"mode":"COLOR"},"dataSets":[{"minAlignmentPeriod":"60s","plotType":"LINE","targetAxis":"Y1","timeSeriesQuery":{"timeSeriesFilter":{"aggregation":{"perSeriesAligner":"ALIGN_RATE"},"filter":"metric.type=\"firewallinsights.googleapis.com/subnet/firewall_hit_count\"
       resource.type=\"gce_subnetwork\"","secondaryAggregation":{}},"unitOverride":"1"}}],"timeshiftDuration":"0s","yAxis":{"label":"y1Axis","scale":"LINEAR"}}},{"title":"VM
       Firewall Hit Counts","xyChart":{"chartOptions":{"mode":"COLOR"},"dataSets":[{"minAlignmentPeriod":"60s","plotType":"LINE","targetAxis":"Y1","timeSeriesQuery":{"timeSeriesFilter":{"aggregation":{"perSeriesAligner":"ALIGN_RATE"},"filter":"metric.type=\"firewallinsights.googleapis.com/vm/firewall_hit_count\"
       resource.type=\"gce_instance\"","secondaryAggregation":{}},"unitOverride":"1"}}],"timeshiftDuration":"0s","yAxis":{"label":"y1Axis","scale":"LINEAR"}}}]}}'
     project: fast2-prod-net-landing-0
     timeouts: null
-  ? google_monitoring_dashboard.dashboard["vpc_and_vpc_peering_group_quotas.json"]
-  : dashboard_json:
-      '{"dashboardFilters":[],"displayName":"VPC \u0026 VPC Peering
+  google_monitoring_dashboard.dashboard["vpc_and_vpc_peering_group_quotas.json"]:
+    dashboard_json: '{"dashboardFilters":[],"displayName":"VPC \u0026 VPC Peering
       Group Quotas","labels":{},"mosaicLayout":{"columns":12,"tiles":[{"height":4,"widget":{"title":"Internal
       network (L4) Load Balancers per VPC Peering Group","xyChart":{"chartOptions":{"mode":"COLOR"},"dataSets":[{"breakdowns":[],"dimensions":[],"measures":[],"plotType":"LINE","targetAxis":"Y1","timeSeriesQuery":{"timeSeriesQueryLanguage":"fetch
       compute.googleapis.com/VpcNetwork\n|{ metric\n      compute.googleapis.com/quota/internal_lb_forwarding_rules_per_peering_group/usage\n    |
@@ -228,8 +223,7 @@ values:
     project: fast2-prod-net-landing-0
     timeouts: null
   google_monitoring_dashboard.dashboard["vpn.json"]:
-    dashboard_json:
-      '{"displayName":"VPN Monitoring","mosaicLayout":{"columns":12,"tiles":[{"height":4,"widget":{"title":"Number
+    dashboard_json: '{"displayName":"VPN Monitoring","mosaicLayout":{"columns":12,"tiles":[{"height":4,"widget":{"title":"Number
       of connections","xyChart":{"chartOptions":{"mode":"COLOR"},"dataSets":[{"minAlignmentPeriod":"60s","plotType":"LINE","targetAxis":"Y1","timeSeriesQuery":{"timeSeriesFilter":{"aggregation":{"perSeriesAligner":"ALIGN_MEAN"},"filter":"metric.type=\"vpn.googleapis.com/gateway/connections\"
       resource.type=\"vpn_gateway\"","secondaryAggregation":{}},"unitOverride":"1"}}],"timeshiftDuration":"0s","yAxis":{"label":"y1Axis","scale":"LINEAR"}}},"width":4},{"height":4,"widget":{"title":"Tunnel
       established","xyChart":{"chartOptions":{"mode":"COLOR"},"dataSets":[{"minAlignmentPeriod":"60s","plotType":"LINE","targetAxis":"Y1","timeSeriesQuery":{"timeSeriesFilter":{"aggregation":{"perSeriesAligner":"ALIGN_MEAN"},"filter":"metric.type=\"vpn.googleapis.com/tunnel_established\"
@@ -279,9 +273,9 @@ values:
     source: null
     temporary_hold: null
     timeouts: null
-  ? module.dev-dns-peer-landing-rev-10.google_dns_managed_zone.dns_managed_zone[0]
-  : cloud_logging_config:
-      - enable_logging: false
+  module.dev-dns-peer-landing-rev-10.google_dns_managed_zone.dns_managed_zone[0]:
+    cloud_logging_config:
+    - enable_logging: false
     description: Terraform managed.
     dns_name: 10.in-addr.arpa.
     dnssec_config: []
@@ -296,7 +290,7 @@ values:
     visibility: private
   module.dev-dns-peer-landing-root.google_dns_managed_zone.dns_managed_zone[0]:
     cloud_logging_config:
-      - enable_logging: false
+    - enable_logging: false
     description: Terraform managed.
     dns_name: .
     dnssec_config: []
@@ -311,7 +305,7 @@ values:
     visibility: private
   module.dev-dns-private-zone.google_dns_managed_zone.dns_managed_zone[0]:
     cloud_logging_config:
-      - enable_logging: false
+    - enable_logging: false
     description: Terraform managed.
     dns_name: dev.gcp.example.com.
     dnssec_config: []
@@ -324,23 +318,23 @@ values:
     service_directory_config: []
     timeouts: null
     visibility: private
-  ? module.dev-dns-private-zone.google_dns_record_set.dns_record_set["A localhost"]
-  : managed_zone: dev-gcp-example-com
+  module.dev-dns-private-zone.google_dns_record_set.dns_record_set["A localhost"]:
+    managed_zone: dev-gcp-example-com
     name: localhost.dev.gcp.example.com.
     project: fast2-dev-net-spoke-0
     routing_policy: []
     rrdatas:
-      - 127.0.0.1
+    - 127.0.0.1
     ttl: 300
     type: A
-  ? module.dev-spoke-firewall.google_compute_firewall.custom-rules["ingress-allow-composer-nodes"]
-  : allow:
-      - ports:
-          - "80"
-          - "443"
-          - "3306"
-          - "3307"
-        protocol: tcp
+  module.dev-spoke-firewall.google_compute_firewall.custom-rules["ingress-allow-composer-nodes"]:
+    allow:
+    - ports:
+      - '80'
+      - '443'
+      - '3306'
+      - '3307'
+      protocol: tcp
     deny: []
     description: Allow traffic to Composer nodes.
     direction: INGRESS
@@ -353,17 +347,17 @@ values:
     source_ranges: null
     source_service_accounts: null
     source_tags:
-      - composer-worker
+    - composer-worker
     target_service_accounts: null
     target_tags:
-      - composer-worker
-    timeouts: null
-  ? module.dev-spoke-firewall.google_compute_firewall.custom-rules["ingress-allow-dataflow-load"]
-  : allow:
-      - ports:
-          - "12345"
-          - "12346"
-        protocol: tcp
+    - composer-worker
+    timeouts: null
+  module.dev-spoke-firewall.google_compute_firewall.custom-rules["ingress-allow-dataflow-load"]:
+    allow:
+    - ports:
+      - '12345'
+      - '12346'
+      protocol: tcp
     deny: []
     description: Allow traffic to Dataflow nodes.
     direction: INGRESS
@@ -376,37 +370,37 @@ values:
     source_ranges: null
     source_service_accounts: null
     source_tags:
-      - dataflow
+    - dataflow
     target_service_accounts: null
     target_tags:
-      - dataflow
+    - dataflow
     timeouts: null
-  ? module.dev-spoke-firewall.google_compute_firewall.custom-rules["ingress-default-deny"]
-  : allow: []
+  module.dev-spoke-firewall.google_compute_firewall.custom-rules["ingress-default-deny"]:
+    allow: []
     deny:
-      - ports: []
-        protocol: all
+    - ports: []
+      protocol: all
     description: Deny and log any unmatched ingress traffic.
     direction: INGRESS
     disabled: false
     log_config:
-      - metadata: EXCLUDE_ALL_METADATA
+    - metadata: EXCLUDE_ALL_METADATA
     name: ingress-default-deny
     network: dev-spoke-0
     priority: 65535
     project: fast2-dev-net-spoke-0
     source_ranges:
-      - 0.0.0.0/0
+    - 0.0.0.0/0
     source_service_accounts: null
     source_tags: null
     target_service_accounts: null
     target_tags: null
     timeouts: null
-  ? module.dev-spoke-project.google_compute_shared_vpc_host_project.shared_vpc_host[0]
-  : project: fast2-dev-net-spoke-0
+  module.dev-spoke-project.google_compute_shared_vpc_host_project.shared_vpc_host[0]:
+    project: fast2-dev-net-spoke-0
     timeouts: null
-  ? module.dev-spoke-project.google_monitoring_monitored_project.primary["fast2-prod-net-landing-0"]
-  : metrics_scope: fast2-prod-net-landing-0
+  module.dev-spoke-project.google_monitoring_monitored_project.primary["fast2-prod-net-landing-0"]:
+    metrics_scope: fast2-prod-net-landing-0
     name: fast2-dev-net-spoke-0
     timeouts: null
   module.dev-spoke-project.google_project.project[0]:
@@ -419,69 +413,69 @@ values:
     project_id: fast2-dev-net-spoke-0
     skip_delete: false
     timeouts: null
-  ? module.dev-spoke-project.google_project_iam_binding.authoritative["roles/dns.admin"]
-  : condition: []
+  module.dev-spoke-project.google_project_iam_binding.authoritative["roles/dns.admin"]:
+    condition: []
     members:
-      - serviceAccount:string
+    - serviceAccount:string
     project: fast2-dev-net-spoke-0
     role: roles/dns.admin
-  ? module.dev-spoke-project.google_project_iam_binding.bindings["sa_delegated_grants"]
-  : condition:
-      - description: Development host project delegated grants.
-        expression: api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly(['roles/composer.sharedVpcAgent','roles/compute.networkUser','roles/compute.networkViewer','roles/container.hostServiceAgentUser','roles/multiclusterservicediscovery.serviceAgent','roles/vpcaccess.user'])
-        title: dev_stage3_sa_delegated_grants
+  module.dev-spoke-project.google_project_iam_binding.bindings["sa_delegated_grants"]:
+    condition:
+    - description: Development host project delegated grants.
+      expression: api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly(['roles/composer.sharedVpcAgent','roles/compute.networkUser','roles/compute.networkViewer','roles/container.hostServiceAgentUser','roles/multiclusterservicediscovery.serviceAgent','roles/vpcaccess.user'])
+      title: dev_stage3_sa_delegated_grants
     members:
-      - serviceAccount:string
+    - serviceAccount:string
     project: fast2-dev-net-spoke-0
     role: roles/resourcemanager.projectIamAdmin
   module.dev-spoke-project.google_project_iam_member.servicenetworking[0]:
     condition: []
     project: fast2-dev-net-spoke-0
     role: roles/servicenetworking.serviceAgent
-  ? module.dev-spoke-project.google_project_service.project_services["compute.googleapis.com"]
-  : disable_dependent_services: false
+  module.dev-spoke-project.google_project_service.project_services["compute.googleapis.com"]:
+    disable_dependent_services: false
     disable_on_destroy: false
     project: fast2-dev-net-spoke-0
     service: compute.googleapis.com
     timeouts: null
-  ? module.dev-spoke-project.google_project_service.project_services["dns.googleapis.com"]
-  : disable_dependent_services: false
+  module.dev-spoke-project.google_project_service.project_services["dns.googleapis.com"]:
+    disable_dependent_services: false
     disable_on_destroy: false
     project: fast2-dev-net-spoke-0
     service: dns.googleapis.com
     timeouts: null
-  ? module.dev-spoke-project.google_project_service.project_services["iap.googleapis.com"]
-  : disable_dependent_services: false
+  module.dev-spoke-project.google_project_service.project_services["iap.googleapis.com"]:
+    disable_dependent_services: false
     disable_on_destroy: false
     project: fast2-dev-net-spoke-0
     service: iap.googleapis.com
     timeouts: null
-  ? module.dev-spoke-project.google_project_service.project_services["networkmanagement.googleapis.com"]
-  : disable_dependent_services: false
+  module.dev-spoke-project.google_project_service.project_services["networkmanagement.googleapis.com"]:
+    disable_dependent_services: false
     disable_on_destroy: false
     project: fast2-dev-net-spoke-0
     service: networkmanagement.googleapis.com
     timeouts: null
-  ? module.dev-spoke-project.google_project_service.project_services["servicenetworking.googleapis.com"]
-  : disable_dependent_services: false
+  module.dev-spoke-project.google_project_service.project_services["servicenetworking.googleapis.com"]:
+    disable_dependent_services: false
     disable_on_destroy: false
     project: fast2-dev-net-spoke-0
     service: servicenetworking.googleapis.com
     timeouts: null
-  ? module.dev-spoke-project.google_project_service.project_services["stackdriver.googleapis.com"]
-  : disable_dependent_services: false
+  module.dev-spoke-project.google_project_service.project_services["stackdriver.googleapis.com"]:
+    disable_dependent_services: false
     disable_on_destroy: false
     project: fast2-dev-net-spoke-0
     service: stackdriver.googleapis.com
     timeouts: null
-  ? module.dev-spoke-project.google_project_service.project_services["vpcaccess.googleapis.com"]
-  : disable_dependent_services: false
+  module.dev-spoke-project.google_project_service.project_services["vpcaccess.googleapis.com"]:
+    disable_dependent_services: false
     disable_on_destroy: false
     project: fast2-dev-net-spoke-0
     service: vpcaccess.googleapis.com
     timeouts: null
-  ? module.dev-spoke-project.google_project_service_identity.jit_si["iap.googleapis.com"]
-  : project: fast2-dev-net-spoke-0
+  module.dev-spoke-project.google_project_service_identity.jit_si["iap.googleapis.com"]:
+    project: fast2-dev-net-spoke-0
     service: iap.googleapis.com
     timeouts: null
   module.dev-spoke-project.google_project_service_identity.servicenetworking[0]:
@@ -525,8 +519,8 @@ values:
     project: fast2-dev-net-spoke-0
     tags: null
     timeouts: null
-  ? module.dev-spoke-vpc.google_compute_subnetwork.subnetwork["europe-west1/dev-dataplatform"]
-  : description: Default subnet for dev Data Platform
+  module.dev-spoke-vpc.google_compute_subnetwork.subnetwork["europe-west1/dev-dataplatform"]:
+    description: Default subnet for dev Data Platform
     ip_cidr_range: 10.68.2.0/24
     ipv6_access_type: null
     log_config: []
@@ -537,13 +531,13 @@ values:
     region: europe-west1
     role: null
     secondary_ip_range:
-      - ip_cidr_range: 100.69.0.0/16
-        range_name: pods
-      - ip_cidr_range: 100.71.2.0/24
-        range_name: services
+    - ip_cidr_range: 100.69.0.0/16
+      range_name: pods
+    - ip_cidr_range: 100.71.2.0/24
+      range_name: services
     timeouts: null
-  ? module.dev-spoke-vpc.google_compute_subnetwork.subnetwork["europe-west1/dev-default"]
-  : description: Default europe-west1 subnet for dev
+  module.dev-spoke-vpc.google_compute_subnetwork.subnetwork["europe-west1/dev-default"]:
+    description: Default europe-west1 subnet for dev
     ip_cidr_range: 10.68.0.0/24
     ipv6_access_type: null
     log_config: []
@@ -555,8 +549,8 @@ values:
     role: null
     secondary_ip_range: []
     timeouts: null
-  ? module.dev-spoke-vpc.google_compute_subnetwork.subnetwork["europe-west1/dev-gke-nodes"]
-  : description: Default subnet for prod gke nodes
+  module.dev-spoke-vpc.google_compute_subnetwork.subnetwork["europe-west1/dev-gke-nodes"]:
+    description: Default subnet for prod gke nodes
     ip_cidr_range: 10.68.1.0/24
     ipv6_access_type: null
     log_config: []
@@ -567,13 +561,13 @@ values:
     region: europe-west1
     role: null
     secondary_ip_range:
-      - ip_cidr_range: 100.68.0.0/16
-        range_name: pods
-      - ip_cidr_range: 100.71.1.0/24
-        range_name: services
+    - ip_cidr_range: 100.68.0.0/16
+      range_name: pods
+    - ip_cidr_range: 100.71.1.0/24
+      range_name: services
     timeouts: null
-  ? module.dev-spoke-vpc.google_compute_subnetwork.subnetwork["europe-west4/dev-default"]
-  : description: Default europe-west4 subnet for dev
+  module.dev-spoke-vpc.google_compute_subnetwork.subnetwork["europe-west4/dev-default"]:
+    description: Default europe-west4 subnet for dev
     ip_cidr_range: 10.84.0.0/24
     ipv6_access_type: null
     log_config: []
@@ -592,14 +586,14 @@ values:
     enable_logging: true
     name: dev-spoke-0
     networks:
-      - {}
+    - {}
     project: fast2-dev-net-spoke-0
     timeouts: null
-  ? module.dmz-firewall.google_compute_firewall.custom-rules["allow-hc-nva-ssh-dmz"]
-  : allow:
-      - ports:
-          - "22"
-        protocol: tcp
+  module.dmz-firewall.google_compute_firewall.custom-rules["allow-hc-nva-ssh-dmz"]:
+    allow:
+    - ports:
+      - '22'
+      protocol: tcp
     deny: []
     description: Allow traffic from Google healthchecks to NVA appliances
     direction: INGRESS
@@ -610,20 +604,20 @@ values:
     priority: 1000
     project: fast2-prod-net-landing-0
     source_ranges:
-      - 130.211.0.0/22
-      - 209.85.152.0/22
-      - 209.85.204.0/22
-      - 35.191.0.0/16
+    - 130.211.0.0/22
+    - 209.85.152.0/22
+    - 209.85.204.0/22
+    - 35.191.0.0/16
     source_service_accounts: null
     source_tags: null
     target_service_accounts: null
     target_tags: null
     timeouts: null
-  ? module.dmz-firewall.google_compute_firewall.custom-rules["allow-ncc-nva-bgp-dmz"]
-  : allow:
-      - ports:
-          - "179"
-        protocol: tcp
+  module.dmz-firewall.google_compute_firewall.custom-rules["allow-ncc-nva-bgp-dmz"]:
+    allow:
+    - ports:
+      - '179'
+      protocol: tcp
     deny: []
     description: Allow BGP traffic from NCC Cloud Routers to NVAs
     direction: INGRESS
@@ -634,21 +628,21 @@ values:
     priority: 1000
     project: fast2-prod-net-landing-0
     source_ranges:
-      - 10.128.0.201/32
-      - 10.128.0.202/32
-      - 10.128.32.201/32
-      - 10.128.32.202/32
+    - 10.128.0.201/32
+    - 10.128.0.202/32
+    - 10.128.32.201/32
+    - 10.128.32.202/32
     source_service_accounts: null
     source_tags: null
     target_service_accounts: null
     target_tags:
-      - nva
+    - nva
     timeouts: null
-  ? module.dmz-firewall.google_compute_firewall.custom-rules["allow-nva-nva-bgp-dmz"]
-  : allow:
-      - ports:
-          - "179"
-        protocol: tcp
+  module.dmz-firewall.google_compute_firewall.custom-rules["allow-nva-nva-bgp-dmz"]:
+    allow:
+    - ports:
+      - '179'
+      protocol: tcp
     deny: []
     description: Allow BGP traffic from cross-regional NVAs
     direction: INGRESS
@@ -661,27 +655,27 @@ values:
     source_ranges: null
     source_service_accounts: null
     source_tags:
-      - nva
+    - nva
     target_service_accounts: null
     target_tags:
-      - nva
+    - nva
     timeouts: null
-  ? module.dmz-firewall.google_compute_firewall.custom-rules["dmz-ingress-default-deny"]
-  : allow: []
+  module.dmz-firewall.google_compute_firewall.custom-rules["dmz-ingress-default-deny"]:
+    allow: []
     deny:
-      - ports: []
-        protocol: all
+    - ports: []
+      protocol: all
     description: Deny and log any unmatched ingress traffic.
     direction: INGRESS
     disabled: false
     log_config:
-      - metadata: EXCLUDE_ALL_METADATA
+    - metadata: EXCLUDE_ALL_METADATA
     name: dmz-ingress-default-deny
     network: prod-dmz-0
     priority: 65535
     project: fast2-prod-net-landing-0
     source_ranges:
-      - 0.0.0.0/0
+    - 0.0.0.0/0
     source_service_accounts: null
     source_tags: null
     target_service_accounts: null
@@ -698,8 +692,8 @@ values:
     project: fast2-prod-net-landing-0
     routing_mode: GLOBAL
     timeouts: null
-  ? module.dmz-vpc.google_compute_subnetwork.subnetwork["europe-west1/dmz-default"]
-  : description: Default europe-west1 subnet for DMZ
+  module.dmz-vpc.google_compute_subnetwork.subnetwork["europe-west1/dmz-default"]:
+    description: Default europe-west1 subnet for DMZ
     ip_cidr_range: 10.64.128.0/24
     ipv6_access_type: null
     log_config: []
@@ -711,8 +705,8 @@ values:
     role: null
     secondary_ip_range: []
     timeouts: null
-  ? module.dmz-vpc.google_compute_subnetwork.subnetwork["europe-west4/dmz-default"]
-  : description: Default europe-west4 subnet for DMZ
+  module.dmz-vpc.google_compute_subnetwork.subnetwork["europe-west4/dmz-default"]:
+    description: Default europe-west4 subnet for DMZ
     ip_cidr_range: 10.80.128.0/24
     ipv6_access_type: null
     log_config: []
@@ -731,117 +725,117 @@ values:
     enable_logging: true
     name: prod-dmz-0
     networks:
-      - {}
+    - {}
     project: fast2-prod-net-landing-0
     timeouts: null
   module.firewall-policy-default.google_compute_firewall_policy.hierarchical[0]:
     description: null
     short_name: net-default
     timeouts: null
-  ? module.firewall-policy-default.google_compute_firewall_policy_rule.hierarchical["ingress/allow-healthchecks"]
-  : action: allow
+  module.firewall-policy-default.google_compute_firewall_policy_rule.hierarchical["ingress/allow-healthchecks"]:
+    action: allow
     description: Enable SSH, HTTP and HTTPS healthchecks
     direction: INGRESS
     disabled: false
     enable_logging: null
     match:
-      - dest_address_groups: null
-        dest_fqdns: null
-        dest_ip_ranges: null
-        dest_region_codes: null
-        dest_threat_intelligences: null
-        layer4_configs:
-          - ip_protocol: tcp
-            ports:
-              - "22"
-              - "80"
-              - "443"
-        src_address_groups: null
-        src_fqdns: null
-        src_ip_ranges:
-          - 35.191.0.0/16
-          - 130.211.0.0/22
-          - 209.85.152.0/22
-          - 209.85.204.0/22
-        src_region_codes: null
-        src_threat_intelligences: null
+    - dest_address_groups: null
+      dest_fqdns: null
+      dest_ip_ranges: null
+      dest_region_codes: null
+      dest_threat_intelligences: null
+      layer4_configs:
+      - ip_protocol: tcp
+        ports:
+        - '22'
+        - '80'
+        - '443'
+      src_address_groups: null
+      src_fqdns: null
+      src_ip_ranges:
+      - 35.191.0.0/16
+      - 130.211.0.0/22
+      - 209.85.152.0/22
+      - 209.85.204.0/22
+      src_region_codes: null
+      src_threat_intelligences: null
     priority: 1001
     target_resources: null
     target_service_accounts: null
     timeouts: null
-  ? module.firewall-policy-default.google_compute_firewall_policy_rule.hierarchical["ingress/allow-icmp"]
-  : action: allow
+  module.firewall-policy-default.google_compute_firewall_policy_rule.hierarchical["ingress/allow-icmp"]:
+    action: allow
     description: Enable ICMP
     direction: INGRESS
     disabled: false
     enable_logging: null
     match:
-      - dest_address_groups: null
-        dest_fqdns: null
-        dest_ip_ranges: null
-        dest_region_codes: null
-        dest_threat_intelligences: null
-        layer4_configs:
-          - ip_protocol: icmp
-            ports: []
-        src_address_groups: null
-        src_fqdns: null
-        src_ip_ranges:
-          - 0.0.0.0/0
-        src_region_codes: null
-        src_threat_intelligences: null
+    - dest_address_groups: null
+      dest_fqdns: null
+      dest_ip_ranges: null
+      dest_region_codes: null
+      dest_threat_intelligences: null
+      layer4_configs:
+      - ip_protocol: icmp
+        ports: []
+      src_address_groups: null
+      src_fqdns: null
+      src_ip_ranges:
+      - 0.0.0.0/0
+      src_region_codes: null
+      src_threat_intelligences: null
     priority: 1003
     target_resources: null
     target_service_accounts: null
     timeouts: null
-  ? module.firewall-policy-default.google_compute_firewall_policy_rule.hierarchical["ingress/allow-nat-ranges"]
-  : action: allow
+  module.firewall-policy-default.google_compute_firewall_policy_rule.hierarchical["ingress/allow-nat-ranges"]:
+    action: allow
     description: Enable NAT ranges for VPC serverless connector
     direction: INGRESS
     disabled: false
     enable_logging: null
     match:
-      - dest_address_groups: null
-        dest_fqdns: null
-        dest_ip_ranges: null
-        dest_region_codes: null
-        dest_threat_intelligences: null
-        layer4_configs:
-          - ip_protocol: all
-            ports: null
-        src_address_groups: null
-        src_fqdns: null
-        src_ip_ranges:
-          - 107.178.230.64/26
-          - 35.199.224.0/19
-        src_region_codes: null
-        src_threat_intelligences: null
+    - dest_address_groups: null
+      dest_fqdns: null
+      dest_ip_ranges: null
+      dest_region_codes: null
+      dest_threat_intelligences: null
+      layer4_configs:
+      - ip_protocol: all
+        ports: null
+      src_address_groups: null
+      src_fqdns: null
+      src_ip_ranges:
+      - 107.178.230.64/26
+      - 35.199.224.0/19
+      src_region_codes: null
+      src_threat_intelligences: null
     priority: 1004
     target_resources: null
     target_service_accounts: null
     timeouts: null
-  ? module.firewall-policy-default.google_compute_firewall_policy_rule.hierarchical["ingress/allow-ssh-from-iap"]
-  : action: allow
+  module.firewall-policy-default.google_compute_firewall_policy_rule.hierarchical["ingress/allow-ssh-from-iap"]:
+    action: allow
     description: Enable SSH from IAP
     direction: INGRESS
     disabled: false
     enable_logging: true
     match:
-      - dest_address_groups: null
-        dest_fqdns: null
-        dest_ip_ranges: null
-        dest_region_codes: null
-        dest_threat_intelligences: null
-        layer4_configs:
-          - ip_protocol: tcp
-            ports:
-              - "22"
-        src_address_groups: null
-        src_fqdns: null
-        src_ip_ranges:
-          - 35.235.240.0/20
-        src_region_codes: null
-        src_threat_intelligences: null
+    - dest_address_groups: null
+      dest_fqdns: null
+      dest_ip_ranges: null
+      dest_region_codes: null
+      dest_threat_intelligences: null
+      layer4_configs:
+      - ip_protocol: tcp
+        ports:
+        - '22'
+      src_address_groups: null
+      src_fqdns: null
+      src_ip_ranges:
+      - 35.235.240.0/20
+      src_region_codes: null
+      src_threat_intelligences: null
     priority: 1002
     target_resources: null
     target_service_accounts: null
@@ -849,27 +843,27 @@ values:
   module.folder.google_compute_firewall_policy_association.default[0]:
     name: default
     timeouts: null
-  ? module.folder.google_essential_contacts_contact.contact["gcp-network-admins@fast.example.com"]
-  : email: gcp-network-admins@fast.example.com
+  module.folder.google_essential_contacts_contact.contact["gcp-network-admins@fast.example.com"]:
+    email: gcp-network-admins@fast.example.com
     language_tag: en
     notification_category_subscriptions:
-      - ALL
+    - ALL
     timeouts: null
   module.folder.google_folder.folder[0]:
     display_name: Networking
     parent: organizations/123456789012
     timeouts: null
-  ? module.landing-dns-fwd-onprem-example[0].google_dns_managed_zone.dns_managed_zone[0]
-  : cloud_logging_config:
-      - enable_logging: false
+  module.landing-dns-fwd-onprem-example[0].google_dns_managed_zone.dns_managed_zone[0]:
+    cloud_logging_config:
+    - enable_logging: false
     description: Terraform managed.
     dns_name: onprem.example.com.
     dnssec_config: []
     force_destroy: false
     forwarding_config:
-      - target_name_servers:
-          - forwarding_path: ""
-            ipv4_address: 10.10.10.10
+    - target_name_servers:
+      - forwarding_path: ''
+        ipv4_address: 10.10.10.10
     labels: null
     name: example-com
     peering_config: []
@@ -878,17 +872,17 @@ values:
     service_directory_config: []
     timeouts: null
     visibility: private
-  ? module.landing-dns-fwd-onprem-rev-10[0].google_dns_managed_zone.dns_managed_zone[0]
-  : cloud_logging_config:
-      - enable_logging: false
+  module.landing-dns-fwd-onprem-rev-10[0].google_dns_managed_zone.dns_managed_zone[0]:
+    cloud_logging_config:
+    - enable_logging: false
     description: Terraform managed.
     dns_name: 10.in-addr.arpa.
     dnssec_config: []
     force_destroy: false
     forwarding_config:
-      - target_name_servers:
-          - forwarding_path: ""
-            ipv4_address: 10.10.10.10
+    - target_name_servers:
+      - forwarding_path: ''
+        ipv4_address: 10.10.10.10
     labels: null
     name: root-reverse-10
     peering_config: []
@@ -901,496 +895,496 @@ values:
     description: Terraform managed.
     gke_clusters: []
     networks:
-      - {}
-      - {}
+    - {}
+    - {}
     project: fast2-prod-net-landing-0
     response_policy_name: googleapis
     timeouts: null
-  ? module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["accounts"]
-  : behavior: null
+  module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["accounts"]:
+    behavior: null
     dns_name: accounts.google.com.
     local_data:
-      - local_datas:
-          - name: accounts.google.com.
-            rrdatas:
-              - private.googleapis.com.
-            ttl: null
-            type: CNAME
+    - local_datas:
+      - name: accounts.google.com.
+        rrdatas:
+        - private.googleapis.com.
+        ttl: null
+        type: CNAME
     project: fast2-prod-net-landing-0
     response_policy: googleapis
     rule_name: accounts
     timeouts: null
-  ? module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["backupdr-cloud"]
-  : behavior: null
+  module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["backupdr-cloud"]:
+    behavior: null
     dns_name: backupdr.cloud.google.com.
     local_data:
-      - local_datas:
-          - name: backupdr.cloud.google.com.
-            rrdatas:
-              - private.googleapis.com.
-            ttl: null
-            type: CNAME
+    - local_datas:
+      - name: backupdr.cloud.google.com.
+        rrdatas:
+        - private.googleapis.com.
+        ttl: null
+        type: CNAME
     project: fast2-prod-net-landing-0
     response_policy: googleapis
     rule_name: backupdr-cloud
     timeouts: null
-  ? module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["backupdr-cloud-all"]
-  : behavior: null
-    dns_name: "*.backupdr.cloud.google.com."
+  module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["backupdr-cloud-all"]:
+    behavior: null
+    dns_name: '*.backupdr.cloud.google.com.'
     local_data:
-      - local_datas:
-          - name: "*.backupdr.cloud.google.com."
-            rrdatas:
-              - private.googleapis.com.
-            ttl: null
-            type: CNAME
+    - local_datas:
+      - name: '*.backupdr.cloud.google.com.'
+        rrdatas:
+        - private.googleapis.com.
+        ttl: null
+        type: CNAME
     project: fast2-prod-net-landing-0
     response_policy: googleapis
     rule_name: backupdr-cloud-all
     timeouts: null
-  ? module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["backupdr-gu"]
-  : behavior: null
+  module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["backupdr-gu"]:
+    behavior: null
     dns_name: backupdr.googleusercontent.google.com.
     local_data:
-      - local_datas:
-          - name: backupdr.googleusercontent.google.com.
-            rrdatas:
-              - private.googleapis.com.
-            ttl: null
-            type: CNAME
+    - local_datas:
+      - name: backupdr.googleusercontent.google.com.
+        rrdatas:
+        - private.googleapis.com.
+        ttl: null
+        type: CNAME
     project: fast2-prod-net-landing-0
     response_policy: googleapis
     rule_name: backupdr-gu
     timeouts: null
-  ? module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["backupdr-gu-all"]
-  : behavior: null
-    dns_name: "*.backupdr.googleusercontent.google.com."
+  module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["backupdr-gu-all"]:
+    behavior: null
+    dns_name: '*.backupdr.googleusercontent.google.com.'
     local_data:
-      - local_datas:
-          - name: "*.backupdr.googleusercontent.google.com."
-            rrdatas:
-              - private.googleapis.com.
-            ttl: null
-            type: CNAME
+    - local_datas:
+      - name: '*.backupdr.googleusercontent.google.com.'
+        rrdatas:
+        - private.googleapis.com.
+        ttl: null
+        type: CNAME
     project: fast2-prod-net-landing-0
     response_policy: googleapis
     rule_name: backupdr-gu-all
     timeouts: null
-  ? module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["cloudfunctions"]
-  : behavior: null
-    dns_name: "*.cloudfunctions.net."
+  module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["cloudfunctions"]:
+    behavior: null
+    dns_name: '*.cloudfunctions.net.'
     local_data:
-      - local_datas:
-          - name: "*.cloudfunctions.net."
-            rrdatas:
-              - private.googleapis.com.
-            ttl: null
-            type: CNAME
+    - local_datas:
+      - name: '*.cloudfunctions.net.'
+        rrdatas:
+        - private.googleapis.com.
+        ttl: null
+        type: CNAME
     project: fast2-prod-net-landing-0
     response_policy: googleapis
     rule_name: cloudfunctions
     timeouts: null
-  ? module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["cloudproxy"]
-  : behavior: null
-    dns_name: "*.cloudproxy.app."
+  module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["cloudproxy"]:
+    behavior: null
+    dns_name: '*.cloudproxy.app.'
     local_data:
-      - local_datas:
-          - name: "*.cloudproxy.app."
-            rrdatas:
-              - private.googleapis.com.
-            ttl: null
-            type: CNAME
+    - local_datas:
+      - name: '*.cloudproxy.app.'
+        rrdatas:
+        - private.googleapis.com.
+        ttl: null
+        type: CNAME
     project: fast2-prod-net-landing-0
     response_policy: googleapis
     rule_name: cloudproxy
     timeouts: null
-  ? module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["composer-cloud-all"]
-  : behavior: null
-    dns_name: "*.composer.cloud.google.com."
+  module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["composer-cloud-all"]:
+    behavior: null
+    dns_name: '*.composer.cloud.google.com.'
     local_data:
-      - local_datas:
-          - name: "*.composer.cloud.google.com."
-            rrdatas:
-              - private.googleapis.com.
-            ttl: null
-            type: CNAME
+    - local_datas:
+      - name: '*.composer.cloud.google.com.'
+        rrdatas:
+        - private.googleapis.com.
+        ttl: null
+        type: CNAME
     project: fast2-prod-net-landing-0
     response_policy: googleapis
     rule_name: composer-cloud-all
     timeouts: null
-  ? module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["composer-gu-all"]
-  : behavior: null
-    dns_name: "*.composer.googleusercontent.com."
+  module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["composer-gu-all"]:
+    behavior: null
+    dns_name: '*.composer.googleusercontent.com.'
     local_data:
-      - local_datas:
-          - name: "*.composer.googleusercontent.com."
-            rrdatas:
-              - private.googleapis.com.
-            ttl: null
-            type: CNAME
+    - local_datas:
+      - name: '*.composer.googleusercontent.com.'
+        rrdatas:
+        - private.googleapis.com.
+        ttl: null
+        type: CNAME
     project: fast2-prod-net-landing-0
     response_policy: googleapis
     rule_name: composer-gu-all
     timeouts: null
-  ? module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["datafusion-all"]
-  : behavior: null
-    dns_name: "*.datafusion.cloud.google.com."
+  module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["datafusion-all"]:
+    behavior: null
+    dns_name: '*.datafusion.cloud.google.com.'
     local_data:
-      - local_datas:
-          - name: "*.datafusion.cloud.google.com."
-            rrdatas:
-              - private.googleapis.com.
-            ttl: null
-            type: CNAME
+    - local_datas:
+      - name: '*.datafusion.cloud.google.com.'
+        rrdatas:
+        - private.googleapis.com.
+        ttl: null
+        type: CNAME
     project: fast2-prod-net-landing-0
     response_policy: googleapis
     rule_name: datafusion-all
     timeouts: null
-  ? module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["datafusion-gu-all"]
-  : behavior: null
-    dns_name: "*.datafusion.googleusercontent.com."
+  module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["datafusion-gu-all"]:
+    behavior: null
+    dns_name: '*.datafusion.googleusercontent.com.'
     local_data:
-      - local_datas:
-          - name: "*.datafusion.googleusercontent.com."
-            rrdatas:
-              - private.googleapis.com.
-            ttl: null
-            type: CNAME
+    - local_datas:
+      - name: '*.datafusion.googleusercontent.com.'
+        rrdatas:
+        - private.googleapis.com.
+        ttl: null
+        type: CNAME
     project: fast2-prod-net-landing-0
     response_policy: googleapis
     rule_name: datafusion-gu-all
     timeouts: null
-  ? module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["dataproc"]
-  : behavior: null
+  module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["dataproc"]:
+    behavior: null
     dns_name: dataproc.cloud.google.com.
     local_data:
-      - local_datas:
-          - name: dataproc.cloud.google.com.
-            rrdatas:
-              - private.googleapis.com.
-            ttl: null
-            type: CNAME
+    - local_datas:
+      - name: dataproc.cloud.google.com.
+        rrdatas:
+        - private.googleapis.com.
+        ttl: null
+        type: CNAME
     project: fast2-prod-net-landing-0
     response_policy: googleapis
     rule_name: dataproc
     timeouts: null
-  ? module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["dataproc-all"]
-  : behavior: null
-    dns_name: "*.dataproc.cloud.google.com."
+  module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["dataproc-all"]:
+    behavior: null
+    dns_name: '*.dataproc.cloud.google.com.'
     local_data:
-      - local_datas:
-          - name: "*.dataproc.cloud.google.com."
-            rrdatas:
-              - private.googleapis.com.
-            ttl: null
-            type: CNAME
+    - local_datas:
+      - name: '*.dataproc.cloud.google.com.'
+        rrdatas:
+        - private.googleapis.com.
+        ttl: null
+        type: CNAME
     project: fast2-prod-net-landing-0
     response_policy: googleapis
     rule_name: dataproc-all
     timeouts: null
-  ? module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["dataproc-gu"]
-  : behavior: null
+  module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["dataproc-gu"]:
+    behavior: null
     dns_name: dataproc.googleusercontent.com.
     local_data:
-      - local_datas:
-          - name: dataproc.googleusercontent.com.
-            rrdatas:
-              - private.googleapis.com.
-            ttl: null
-            type: CNAME
+    - local_datas:
+      - name: dataproc.googleusercontent.com.
+        rrdatas:
+        - private.googleapis.com.
+        ttl: null
+        type: CNAME
     project: fast2-prod-net-landing-0
     response_policy: googleapis
     rule_name: dataproc-gu
     timeouts: null
-  ? module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["dataproc-gu-all"]
-  : behavior: null
-    dns_name: "*.dataproc.googleusercontent.com."
+  module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["dataproc-gu-all"]:
+    behavior: null
+    dns_name: '*.dataproc.googleusercontent.com.'
     local_data:
-      - local_datas:
-          - name: "*.dataproc.googleusercontent.com."
-            rrdatas:
-              - private.googleapis.com.
-            ttl: null
-            type: CNAME
+    - local_datas:
+      - name: '*.dataproc.googleusercontent.com.'
+        rrdatas:
+        - private.googleapis.com.
+        ttl: null
+        type: CNAME
     project: fast2-prod-net-landing-0
     response_policy: googleapis
     rule_name: dataproc-gu-all
     timeouts: null
-  ? module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["dl"]
-  : behavior: null
+  module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["dl"]:
+    behavior: null
     dns_name: dl.google.com.
     local_data:
-      - local_datas:
-          - name: dl.google.com.
-            rrdatas:
-              - private.googleapis.com.
-            ttl: null
-            type: CNAME
+    - local_datas:
+      - name: dl.google.com.
+        rrdatas:
+        - private.googleapis.com.
+        ttl: null
+        type: CNAME
     project: fast2-prod-net-landing-0
     response_policy: googleapis
     rule_name: dl
     timeouts: null
-  ? module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["gcr"]
-  : behavior: null
+  module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["gcr"]:
+    behavior: null
     dns_name: gcr.io.
     local_data:
-      - local_datas:
-          - name: gcr.io.
-            rrdatas:
-              - private.googleapis.com.
-            ttl: null
-            type: CNAME
+    - local_datas:
+      - name: gcr.io.
+        rrdatas:
+        - private.googleapis.com.
+        ttl: null
+        type: CNAME
     project: fast2-prod-net-landing-0
     response_policy: googleapis
     rule_name: gcr
     timeouts: null
-  ? module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["gcr-all"]
-  : behavior: null
-    dns_name: "*.gcr.io."
+  module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["gcr-all"]:
+    behavior: null
+    dns_name: '*.gcr.io.'
     local_data:
-      - local_datas:
-          - name: "*.gcr.io."
-            rrdatas:
-              - private.googleapis.com.
-            ttl: null
-            type: CNAME
+    - local_datas:
+      - name: '*.gcr.io.'
+        rrdatas:
+        - private.googleapis.com.
+        ttl: null
+        type: CNAME
     project: fast2-prod-net-landing-0
     response_policy: googleapis
     rule_name: gcr-all
     timeouts: null
-  ? module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["googleapis-all"]
-  : behavior: null
-    dns_name: "*.googleapis.com."
+  module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["googleapis-all"]:
+    behavior: null
+    dns_name: '*.googleapis.com.'
     local_data:
-      - local_datas:
-          - name: "*.googleapis.com."
-            rrdatas:
-              - private.googleapis.com.
-            ttl: null
-            type: CNAME
+    - local_datas:
+      - name: '*.googleapis.com.'
+        rrdatas:
+        - private.googleapis.com.
+        ttl: null
+        type: CNAME
     project: fast2-prod-net-landing-0
     response_policy: googleapis
     rule_name: googleapis-all
     timeouts: null
-  ? module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["googleapis-private"]
-  : behavior: null
+  module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["googleapis-private"]:
+    behavior: null
     dns_name: private.googleapis.com.
     local_data:
-      - local_datas:
-          - name: private.googleapis.com.
-            rrdatas:
-              - 199.36.153.8
-              - 199.36.153.9
-              - 199.36.153.10
-              - 199.36.153.11
-            ttl: null
-            type: A
+    - local_datas:
+      - name: private.googleapis.com.
+        rrdatas:
+        - 199.36.153.8
+        - 199.36.153.9
+        - 199.36.153.10
+        - 199.36.153.11
+        ttl: null
+        type: A
     project: fast2-prod-net-landing-0
     response_policy: googleapis
     rule_name: googleapis-private
     timeouts: null
-  ? module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["googleapis-restricted"]
-  : behavior: null
+  module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["googleapis-restricted"]:
+    behavior: null
     dns_name: restricted.googleapis.com.
     local_data:
-      - local_datas:
-          - name: restricted.googleapis.com.
-            rrdatas:
-              - 199.36.153.4
-              - 199.36.153.5
-              - 199.36.153.6
-              - 199.36.153.7
-            ttl: null
-            type: A
+    - local_datas:
+      - name: restricted.googleapis.com.
+        rrdatas:
+        - 199.36.153.4
+        - 199.36.153.5
+        - 199.36.153.6
+        - 199.36.153.7
+        ttl: null
+        type: A
     project: fast2-prod-net-landing-0
     response_policy: googleapis
     rule_name: googleapis-restricted
     timeouts: null
-  ? module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["gstatic-all"]
-  : behavior: null
-    dns_name: "*.gstatic.com."
+  module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["gstatic-all"]:
+    behavior: null
+    dns_name: '*.gstatic.com.'
     local_data:
-      - local_datas:
-          - name: "*.gstatic.com."
-            rrdatas:
-              - private.googleapis.com.
-            ttl: null
-            type: CNAME
+    - local_datas:
+      - name: '*.gstatic.com.'
+        rrdatas:
+        - private.googleapis.com.
+        ttl: null
+        type: CNAME
     project: fast2-prod-net-landing-0
     response_policy: googleapis
     rule_name: gstatic-all
     timeouts: null
-  ? module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["kernels-gu"]
-  : behavior: null
+  module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["kernels-gu"]:
+    behavior: null
     dns_name: kernels.googleusercontent.com.
     local_data:
-      - local_datas:
-          - name: kernels.googleusercontent.com.
-            rrdatas:
-              - private.googleapis.com.
-            ttl: null
-            type: CNAME
+    - local_datas:
+      - name: kernels.googleusercontent.com.
+        rrdatas:
+        - private.googleapis.com.
+        ttl: null
+        type: CNAME
     project: fast2-prod-net-landing-0
     response_policy: googleapis
     rule_name: kernels-gu
     timeouts: null
-  ? module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["kernels-gu-all"]
-  : behavior: null
-    dns_name: "*.kernels.googleusercontent.com."
+  module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["kernels-gu-all"]:
+    behavior: null
+    dns_name: '*.kernels.googleusercontent.com.'
     local_data:
-      - local_datas:
-          - name: "*.kernels.googleusercontent.com."
-            rrdatas:
-              - private.googleapis.com.
-            ttl: null
-            type: CNAME
+    - local_datas:
+      - name: '*.kernels.googleusercontent.com.'
+        rrdatas:
+        - private.googleapis.com.
+        ttl: null
+        type: CNAME
     project: fast2-prod-net-landing-0
     response_policy: googleapis
     rule_name: kernels-gu-all
     timeouts: null
-  ? module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["notebooks-all"]
-  : behavior: null
-    dns_name: "*.notebooks.cloud.google.com."
+  module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["notebooks-all"]:
+    behavior: null
+    dns_name: '*.notebooks.cloud.google.com.'
     local_data:
-      - local_datas:
-          - name: "*.notebooks.cloud.google.com."
-            rrdatas:
-              - private.googleapis.com.
-            ttl: null
-            type: CNAME
+    - local_datas:
+      - name: '*.notebooks.cloud.google.com.'
+        rrdatas:
+        - private.googleapis.com.
+        ttl: null
+        type: CNAME
     project: fast2-prod-net-landing-0
     response_policy: googleapis
     rule_name: notebooks-all
     timeouts: null
-  ? module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["notebooks-gu-all"]
-  : behavior: null
-    dns_name: "*.notebooks.googleusercontent.com."
+  module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["notebooks-gu-all"]:
+    behavior: null
+    dns_name: '*.notebooks.googleusercontent.com.'
     local_data:
-      - local_datas:
-          - name: "*.notebooks.googleusercontent.com."
-            rrdatas:
-              - private.googleapis.com.
-            ttl: null
-            type: CNAME
+    - local_datas:
+      - name: '*.notebooks.googleusercontent.com.'
+        rrdatas:
+        - private.googleapis.com.
+        ttl: null
+        type: CNAME
     project: fast2-prod-net-landing-0
     response_policy: googleapis
     rule_name: notebooks-gu-all
     timeouts: null
-  ? module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["packages-cloud"]
-  : behavior: null
+  module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["packages-cloud"]:
+    behavior: null
     dns_name: packages.cloud.google.com.
     local_data:
-      - local_datas:
-          - name: packages.cloud.google.com.
-            rrdatas:
-              - private.googleapis.com.
-            ttl: null
-            type: CNAME
+    - local_datas:
+      - name: packages.cloud.google.com.
+        rrdatas:
+        - private.googleapis.com.
+        ttl: null
+        type: CNAME
     project: fast2-prod-net-landing-0
     response_policy: googleapis
     rule_name: packages-cloud
     timeouts: null
-  ? module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["packages-cloud-all"]
-  : behavior: null
-    dns_name: "*.packages.cloud.google.com."
+  module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["packages-cloud-all"]:
+    behavior: null
+    dns_name: '*.packages.cloud.google.com.'
     local_data:
-      - local_datas:
-          - name: "*.packages.cloud.google.com."
-            rrdatas:
-              - private.googleapis.com.
-            ttl: null
-            type: CNAME
+    - local_datas:
+      - name: '*.packages.cloud.google.com.'
+        rrdatas:
+        - private.googleapis.com.
+        ttl: null
+        type: CNAME
     project: fast2-prod-net-landing-0
     response_policy: googleapis
     rule_name: packages-cloud-all
     timeouts: null
-  ? module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["pkgdev"]
-  : behavior: null
+  module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["pkgdev"]:
+    behavior: null
     dns_name: pkg.dev.
     local_data:
-      - local_datas:
-          - name: pkg.dev.
-            rrdatas:
-              - private.googleapis.com.
-            ttl: null
-            type: CNAME
+    - local_datas:
+      - name: pkg.dev.
+        rrdatas:
+        - private.googleapis.com.
+        ttl: null
+        type: CNAME
     project: fast2-prod-net-landing-0
     response_policy: googleapis
     rule_name: pkgdev
     timeouts: null
-  ? module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["pkgdev-all"]
-  : behavior: null
-    dns_name: "*.pkg.dev."
+  module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["pkgdev-all"]:
+    behavior: null
+    dns_name: '*.pkg.dev.'
     local_data:
-      - local_datas:
-          - name: "*.pkg.dev."
-            rrdatas:
-              - private.googleapis.com.
-            ttl: null
-            type: CNAME
+    - local_datas:
+      - name: '*.pkg.dev.'
+        rrdatas:
+        - private.googleapis.com.
+        ttl: null
+        type: CNAME
     project: fast2-prod-net-landing-0
     response_policy: googleapis
     rule_name: pkgdev-all
     timeouts: null
-  ? module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["pkigoog"]
-  : behavior: null
+  module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["pkigoog"]:
+    behavior: null
     dns_name: pki.goog.
     local_data:
-      - local_datas:
-          - name: pki.goog.
-            rrdatas:
-              - private.googleapis.com.
-            ttl: null
-            type: CNAME
+    - local_datas:
+      - name: pki.goog.
+        rrdatas:
+        - private.googleapis.com.
+        ttl: null
+        type: CNAME
     project: fast2-prod-net-landing-0
     response_policy: googleapis
     rule_name: pkigoog
     timeouts: null
-  ? module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["pkigoog-all"]
-  : behavior: null
-    dns_name: "*.pki.goog."
+  module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["pkigoog-all"]:
+    behavior: null
+    dns_name: '*.pki.goog.'
     local_data:
-      - local_datas:
-          - name: "*.pki.goog."
-            rrdatas:
-              - private.googleapis.com.
-            ttl: null
-            type: CNAME
+    - local_datas:
+      - name: '*.pki.goog.'
+        rrdatas:
+        - private.googleapis.com.
+        ttl: null
+        type: CNAME
     project: fast2-prod-net-landing-0
     response_policy: googleapis
     rule_name: pkigoog-all
     timeouts: null
-  ? module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["run-all"]
-  : behavior: null
-    dns_name: "*.run.app."
+  module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["run-all"]:
+    behavior: null
+    dns_name: '*.run.app.'
     local_data:
-      - local_datas:
-          - name: "*.run.app."
-            rrdatas:
-              - private.googleapis.com.
-            ttl: null
-            type: CNAME
+    - local_datas:
+      - name: '*.run.app.'
+        rrdatas:
+        - private.googleapis.com.
+        ttl: null
+        type: CNAME
     project: fast2-prod-net-landing-0
     response_policy: googleapis
     rule_name: run-all
     timeouts: null
-  ? module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["source"]
-  : behavior: null
+  module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["source"]:
+    behavior: null
     dns_name: source.developers.google.com.
     local_data:
-      - local_datas:
-          - name: source.developers.google.com.
-            rrdatas:
-              - private.googleapis.com.
-            ttl: null
-            type: CNAME
+    - local_datas:
+      - name: source.developers.google.com.
+        rrdatas:
+        - private.googleapis.com.
+        ttl: null
+        type: CNAME
     project: fast2-prod-net-landing-0
     response_policy: googleapis
     rule_name: source
     timeouts: null
   module.landing-dns-priv-gcp.google_dns_managed_zone.dns_managed_zone[0]:
     cloud_logging_config:
-      - enable_logging: false
+    - enable_logging: false
     description: Terraform managed.
     dns_name: gcp.example.com.
     dnssec_config: []
@@ -1403,20 +1397,20 @@ values:
     service_directory_config: []
     timeouts: null
     visibility: private
-  ? module.landing-dns-priv-gcp.google_dns_record_set.dns_record_set["A localhost"]
-  : managed_zone: gcp-example-com
+  module.landing-dns-priv-gcp.google_dns_record_set.dns_record_set["A localhost"]:
+    managed_zone: gcp-example-com
     name: localhost.gcp.example.com.
     project: fast2-prod-net-landing-0
     routing_policy: []
     rrdatas:
-      - 127.0.0.1
+    - 127.0.0.1
     ttl: 300
     type: A
-  ? module.landing-firewall.google_compute_firewall.custom-rules["allow-hc-nva-ssh-landing"]
-  : allow:
-      - ports:
-          - "22"
-        protocol: tcp
+  module.landing-firewall.google_compute_firewall.custom-rules["allow-hc-nva-ssh-landing"]:
+    allow:
+    - ports:
+      - '22'
+      protocol: tcp
     deny: []
     description: Allow traffic from Google healthchecks to NVA appliances
     direction: INGRESS
@@ -1427,20 +1421,20 @@ values:
     priority: 1000
     project: fast2-prod-net-landing-0
     source_ranges:
-      - 130.211.0.0/22
-      - 209.85.152.0/22
-      - 209.85.204.0/22
-      - 35.191.0.0/16
+    - 130.211.0.0/22
+    - 209.85.152.0/22
+    - 209.85.204.0/22
+    - 35.191.0.0/16
     source_service_accounts: null
     source_tags: null
     target_service_accounts: null
     target_tags: null
     timeouts: null
-  ? module.landing-firewall.google_compute_firewall.custom-rules["allow-ncc-nva-bgp-landing"]
-  : allow:
-      - ports:
-          - "179"
-        protocol: tcp
+  module.landing-firewall.google_compute_firewall.custom-rules["allow-ncc-nva-bgp-landing"]:
+    allow:
+    - ports:
+      - '179'
+      protocol: tcp
     deny: []
     description: Allow BGP traffic from NCC Cloud Routers to NVAs
     direction: INGRESS
@@ -1451,21 +1445,21 @@ values:
     priority: 1000
     project: fast2-prod-net-landing-0
     source_ranges:
-      - 10.128.64.201/32
-      - 10.128.64.202/32
-      - 10.128.96.201/32
-      - 10.128.96.202/32
+    - 10.128.64.201/32
+    - 10.128.64.202/32
+    - 10.128.96.201/32
+    - 10.128.96.202/32
     source_service_accounts: null
     source_tags: null
     target_service_accounts: null
     target_tags:
-      - nva
+    - nva
     timeouts: null
-  ? module.landing-firewall.google_compute_firewall.custom-rules["allow-onprem-probes-landing-example"]
-  : allow:
-      - ports:
-          - "12345"
-        protocol: tcp
+  module.landing-firewall.google_compute_firewall.custom-rules["allow-onprem-probes-landing-example"]:
+    allow:
+    - ports:
+      - '12345'
+      protocol: tcp
     deny: []
     description: Allow traffic from onprem probes
     direction: INGRESS
@@ -1476,28 +1470,28 @@ values:
     priority: 1000
     project: fast2-prod-net-landing-0
     source_ranges:
-      - 10.255.255.254/32
+    - 10.255.255.254/32
     source_service_accounts: null
     source_tags: null
     target_service_accounts: null
     target_tags: null
     timeouts: null
-  ? module.landing-firewall.google_compute_firewall.custom-rules["landing-ingress-default-deny"]
-  : allow: []
+  module.landing-firewall.google_compute_firewall.custom-rules["landing-ingress-default-deny"]:
+    allow: []
     deny:
-      - ports: []
-        protocol: all
+    - ports: []
+      protocol: all
     description: Deny and log any unmatched ingress traffic.
     direction: INGRESS
     disabled: false
     log_config:
-      - metadata: EXCLUDE_ALL_METADATA
+    - metadata: EXCLUDE_ALL_METADATA
     name: landing-ingress-default-deny
     network: prod-landing-0
     priority: 65535
     project: fast2-prod-net-landing-0
     source_ranges:
-      - 0.0.0.0/0
+    - 0.0.0.0/0
     source_service_accounts: null
     source_tags: null
     target_service_accounts: null
@@ -1518,8 +1512,8 @@ values:
     enable_endpoint_independent_mapping: true
     icmp_idle_timeout_sec: 30
     log_config:
-      - enable: false
-        filter: ALL
+    - enable: false
+      filter: ALL
     max_ports_per_vm: null
     name: ew1
     nat_ip_allocate_option: AUTO_ONLY
@@ -1534,6 +1528,7 @@ values:
     tcp_time_wait_timeout_sec: 120
     tcp_transitory_idle_timeout_sec: 30
     timeouts: null
+    type: PUBLIC
     udp_idle_timeout_sec: 30
   module.landing-nat-secondary[0].google_compute_router.router[0]:
     bgp: []
@@ -1550,8 +1545,8 @@ values:
     enable_endpoint_independent_mapping: true
     icmp_idle_timeout_sec: 30
     log_config:
-      - enable: false
-        filter: ALL
+    - enable: false
+      filter: ALL
     max_ports_per_vm: null
     name: ew4
     nat_ip_allocate_option: AUTO_ONLY
@@ -1566,9 +1561,10 @@ values:
     tcp_time_wait_timeout_sec: 120
     tcp_transitory_idle_timeout_sec: 30
     timeouts: null
+    type: PUBLIC
     udp_idle_timeout_sec: 30
-  ? module.landing-project.google_compute_shared_vpc_host_project.shared_vpc_host[0]
-  : project: fast2-prod-net-landing-0
+  module.landing-project.google_compute_shared_vpc_host_project.shared_vpc_host[0]:
+    project: fast2-prod-net-landing-0
     timeouts: null
   module.landing-project.google_project.project[0]:
     auto_create_network: false
@@ -1580,70 +1576,70 @@ values:
     project_id: fast2-prod-net-landing-0
     skip_delete: false
     timeouts: null
-  ? module.landing-project.google_project_iam_binding.authoritative["organizations/123456789012/roles/foo"]
-  : condition: []
+  module.landing-project.google_project_iam_binding.authoritative["organizations/123456789012/roles/foo"]:
+    condition: []
     members:
-      - serviceAccount:string
+    - serviceAccount:string
     project: fast2-prod-net-landing-0
     role: organizations/123456789012/roles/foo
-  ? module.landing-project.google_project_iam_binding.authoritative["roles/dns.admin"]
-  : condition: []
+  module.landing-project.google_project_iam_binding.authoritative["roles/dns.admin"]:
+    condition: []
     members:
-      - serviceAccount:string
+    - serviceAccount:string
     project: fast2-prod-net-landing-0
     role: roles/dns.admin
-  ? module.landing-project.google_project_service.project_services["compute.googleapis.com"]
-  : disable_dependent_services: false
+  module.landing-project.google_project_service.project_services["compute.googleapis.com"]:
+    disable_dependent_services: false
     disable_on_destroy: false
     project: fast2-prod-net-landing-0
     service: compute.googleapis.com
     timeouts: null
-  ? module.landing-project.google_project_service.project_services["dns.googleapis.com"]
-  : disable_dependent_services: false
+  module.landing-project.google_project_service.project_services["dns.googleapis.com"]:
+    disable_dependent_services: false
     disable_on_destroy: false
     project: fast2-prod-net-landing-0
     service: dns.googleapis.com
     timeouts: null
-  ? module.landing-project.google_project_service.project_services["iap.googleapis.com"]
-  : disable_dependent_services: false
+  module.landing-project.google_project_service.project_services["iap.googleapis.com"]:
+    disable_dependent_services: false
     disable_on_destroy: false
     project: fast2-prod-net-landing-0
     service: iap.googleapis.com
     timeouts: null
-  ? module.landing-project.google_project_service.project_services["networkconnectivity.googleapis.com"]
-  : disable_dependent_services: false
+  module.landing-project.google_project_service.project_services["networkconnectivity.googleapis.com"]:
+    disable_dependent_services: false
     disable_on_destroy: false
     project: fast2-prod-net-landing-0
     service: networkconnectivity.googleapis.com
     timeouts: null
-  ? module.landing-project.google_project_service.project_services["networkmanagement.googleapis.com"]
-  : disable_dependent_services: false
+  module.landing-project.google_project_service.project_services["networkmanagement.googleapis.com"]:
+    disable_dependent_services: false
     disable_on_destroy: false
     project: fast2-prod-net-landing-0
     service: networkmanagement.googleapis.com
     timeouts: null
-  ? module.landing-project.google_project_service.project_services["stackdriver.googleapis.com"]
-  : disable_dependent_services: false
+  module.landing-project.google_project_service.project_services["stackdriver.googleapis.com"]:
+    disable_dependent_services: false
     disable_on_destroy: false
     project: fast2-prod-net-landing-0
     service: stackdriver.googleapis.com
     timeouts: null
-  ? module.landing-project.google_project_service_identity.jit_si["iap.googleapis.com"]
-  : project: fast2-prod-net-landing-0
+  module.landing-project.google_project_service_identity.jit_si["iap.googleapis.com"]:
+    project: fast2-prod-net-landing-0
     service: iap.googleapis.com
     timeouts: null
-  ? module.landing-to-onprem-primary-vpn[0].google_compute_external_vpn_gateway.external_gateway["default"]
-  : description: Terraform managed external VPN gateway
+  module.landing-to-onprem-primary-vpn[0].google_compute_external_vpn_gateway.external_gateway["default"]:
+    description: Terraform managed external VPN gateway
     interface:
-      - id: 0
-        ip_address: 8.8.8.8
+    - id: 0
+      ip_address: 8.8.8.8
     labels: null
     name: vpn-to-onprem-ew1-default
     project: fast2-prod-net-landing-0
     redundancy_type: SINGLE_IP_INTERNALLY_REDUNDANT
     timeouts: null
-  ? module.landing-to-onprem-primary-vpn[0].google_compute_ha_vpn_gateway.ha_gateway[0]
-  : description: Terraform managed external VPN gateway
+  module.landing-to-onprem-primary-vpn[0].google_compute_ha_vpn_gateway.ha_gateway[0]:
+    description: Terraform managed external VPN gateway
     name: vpn-to-onprem-ew1
     project: fast2-prod-net-landing-0
     region: europe-west1
@@ -1651,25 +1647,25 @@ values:
     timeouts: null
   module.landing-to-onprem-primary-vpn[0].google_compute_router.router[0]:
     bgp:
-      - advertise_mode: CUSTOM
-        advertised_groups: []
-        advertised_ip_ranges:
-          - description: gcp
-            range: 10.1.0.0/16
-          - description: gcp-restricted
-            range: 199.36.153.4/30
-          - description: gcp-dns
-            range: 35.199.192.0/19
-        asn: 65501
-        keepalive_interval: 20
+    - advertise_mode: CUSTOM
+      advertised_groups: []
+      advertised_ip_ranges:
+      - description: gcp
+        range: 10.1.0.0/16
+      - description: gcp-restricted
+        range: 199.36.153.4/30
+      - description: gcp-dns
+        range: 35.199.192.0/19
+      asn: 65501
+      keepalive_interval: 20
     description: null
     encrypted_interconnect_router: null
     name: vpn-vpn-to-onprem-ew1
     project: fast2-prod-net-landing-0
     region: europe-west1
     timeouts: null
-  ? module.landing-to-onprem-primary-vpn[0].google_compute_router_interface.router_interface["0"]
-  : interconnect_attachment: null
+  module.landing-to-onprem-primary-vpn[0].google_compute_router_interface.router_interface["0"]:
+    interconnect_attachment: null
     ip_range: 169.254.1.2/30
     name: vpn-to-onprem-ew1-0
     private_ip_address: null
@@ -1679,8 +1675,8 @@ values:
     subnetwork: null
     timeouts: null
     vpn_tunnel: vpn-to-onprem-ew1-0
-  ? module.landing-to-onprem-primary-vpn[0].google_compute_router_interface.router_interface["1"]
-  : interconnect_attachment: null
+  module.landing-to-onprem-primary-vpn[0].google_compute_router_interface.router_interface["1"]:
+    interconnect_attachment: null
     ip_range: 169.254.2.2/30
     name: vpn-to-onprem-ew1-1
     private_ip_address: null
@@ -1690,8 +1686,8 @@ values:
     subnetwork: null
     timeouts: null
     vpn_tunnel: vpn-to-onprem-ew1-1
-  ? module.landing-to-onprem-primary-vpn[0].google_compute_router_peer.bgp_peer["0"]
-  : advertise_mode: DEFAULT
+  module.landing-to-onprem-primary-vpn[0].google_compute_router_peer.bgp_peer["0"]:
+    advertise_mode: DEFAULT
     advertised_groups: []
     advertised_ip_ranges: []
     advertised_route_priority: 1000
@@ -1707,8 +1703,8 @@ values:
     router: vpn-vpn-to-onprem-ew1
     router_appliance_instance: null
     timeouts: null
-  ? module.landing-to-onprem-primary-vpn[0].google_compute_router_peer.bgp_peer["1"]
-  : advertise_mode: DEFAULT
+  module.landing-to-onprem-primary-vpn[0].google_compute_router_peer.bgp_peer["1"]:
+    advertise_mode: DEFAULT
     advertised_groups: []
     advertised_ip_ranges: []
     advertised_route_priority: 1000
@@ -1724,8 +1720,8 @@ values:
     router: vpn-vpn-to-onprem-ew1
     router_appliance_instance: null
     timeouts: null
-  ? module.landing-to-onprem-primary-vpn[0].google_compute_vpn_tunnel.tunnels["0"]
-  : description: null
+  module.landing-to-onprem-primary-vpn[0].google_compute_vpn_tunnel.tunnels["0"]:
+    description: null
     ike_version: 2
     labels: null
     name: vpn-to-onprem-ew1-0
@@ -1738,8 +1734,8 @@ values:
     target_vpn_gateway: null
     timeouts: null
     vpn_gateway_interface: 0
-  ? module.landing-to-onprem-primary-vpn[0].google_compute_vpn_tunnel.tunnels["1"]
-  : description: null
+  module.landing-to-onprem-primary-vpn[0].google_compute_vpn_tunnel.tunnels["1"]:
+    description: null
     ike_version: 2
     labels: null
     name: vpn-to-onprem-ew1-1
@@ -1756,18 +1752,18 @@ values:
     byte_length: 8
     keepers: null
     prefix: null
-  ? module.landing-to-onprem-secondary-vpn[0].google_compute_external_vpn_gateway.external_gateway["default"]
-  : description: Terraform managed external VPN gateway
+  module.landing-to-onprem-secondary-vpn[0].google_compute_external_vpn_gateway.external_gateway["default"]:
+    description: Terraform managed external VPN gateway
     interface:
-      - id: 0
-        ip_address: 8.8.4.4
+    - id: 0
+      ip_address: 8.8.4.4
     labels: null
     name: vpn-to-onprem-ew4-default
     project: fast2-prod-net-landing-0
     redundancy_type: SINGLE_IP_INTERNALLY_REDUNDANT
     timeouts: null
-  ? module.landing-to-onprem-secondary-vpn[0].google_compute_ha_vpn_gateway.ha_gateway[0]
-  : description: Terraform managed external VPN gateway
+  module.landing-to-onprem-secondary-vpn[0].google_compute_ha_vpn_gateway.ha_gateway[0]:
+    description: Terraform managed external VPN gateway
     name: vpn-to-onprem-ew4
     project: fast2-prod-net-landing-0
     region: europe-west4
@@ -1775,25 +1771,25 @@ values:
     timeouts: null
   module.landing-to-onprem-secondary-vpn[0].google_compute_router.router[0]:
     bgp:
-      - advertise_mode: CUSTOM
-        advertised_groups: []
-        advertised_ip_ranges:
-          - description: gcp
-            range: 10.1.0.0/16
-          - description: gcp-restricted
-            range: 199.36.153.4/30
-          - description: gcp-dns
-            range: 35.199.192.0/19
-        asn: 65501
-        keepalive_interval: 20
+    - advertise_mode: CUSTOM
+      advertised_groups: []
+      advertised_ip_ranges:
+      - description: gcp
+        range: 10.1.0.0/16
+      - description: gcp-restricted
+        range: 199.36.153.4/30
+      - description: gcp-dns
+        range: 35.199.192.0/19
+      asn: 65501
+      keepalive_interval: 20
     description: null
     encrypted_interconnect_router: null
     name: vpn-vpn-to-onprem-ew4
     project: fast2-prod-net-landing-0
     region: europe-west4
     timeouts: null
-  ? module.landing-to-onprem-secondary-vpn[0].google_compute_router_interface.router_interface["0"]
-  : interconnect_attachment: null
+  module.landing-to-onprem-secondary-vpn[0].google_compute_router_interface.router_interface["0"]:
+    interconnect_attachment: null
     ip_range: 169.254.3.2/30
     name: vpn-to-onprem-ew4-0
     private_ip_address: null
@@ -1803,8 +1799,8 @@ values:
     subnetwork: null
     timeouts: null
     vpn_tunnel: vpn-to-onprem-ew4-0
-  ? module.landing-to-onprem-secondary-vpn[0].google_compute_router_interface.router_interface["1"]
-  : interconnect_attachment: null
+  module.landing-to-onprem-secondary-vpn[0].google_compute_router_interface.router_interface["1"]:
+    interconnect_attachment: null
     ip_range: 169.254.4.2/30
     name: vpn-to-onprem-ew4-1
     private_ip_address: null
@@ -1814,8 +1810,8 @@ values:
     subnetwork: null
     timeouts: null
     vpn_tunnel: vpn-to-onprem-ew4-1
-  ? module.landing-to-onprem-secondary-vpn[0].google_compute_router_peer.bgp_peer["0"]
-  : advertise_mode: DEFAULT
+  module.landing-to-onprem-secondary-vpn[0].google_compute_router_peer.bgp_peer["0"]:
+    advertise_mode: DEFAULT
     advertised_groups: []
     advertised_ip_ranges: []
     advertised_route_priority: 1000
@@ -1831,8 +1827,8 @@ values:
     router: vpn-vpn-to-onprem-ew4
     router_appliance_instance: null
     timeouts: null
-  ? module.landing-to-onprem-secondary-vpn[0].google_compute_router_peer.bgp_peer["1"]
-  : advertise_mode: DEFAULT
+  module.landing-to-onprem-secondary-vpn[0].google_compute_router_peer.bgp_peer["1"]:
+    advertise_mode: DEFAULT
     advertised_groups: []
     advertised_ip_ranges: []
     advertised_route_priority: 1000
@@ -1848,8 +1844,8 @@ values:
     router: vpn-vpn-to-onprem-ew4
     router_appliance_instance: null
     timeouts: null
-  ? module.landing-to-onprem-secondary-vpn[0].google_compute_vpn_tunnel.tunnels["0"]
-  : description: null
+  module.landing-to-onprem-secondary-vpn[0].google_compute_vpn_tunnel.tunnels["0"]:
+    description: null
     ike_version: 2
     labels: null
     name: vpn-to-onprem-ew4-0
@@ -1862,8 +1858,8 @@ values:
     target_vpn_gateway: null
     timeouts: null
     vpn_gateway_interface: 0
-  ? module.landing-to-onprem-secondary-vpn[0].google_compute_vpn_tunnel.tunnels["1"]
-  : description: null
+  module.landing-to-onprem-secondary-vpn[0].google_compute_vpn_tunnel.tunnels["1"]:
+    description: null
     ike_version: 2
     labels: null
     name: vpn-to-onprem-ew4-1
@@ -1917,8 +1913,8 @@ values:
     project: fast2-prod-net-landing-0
     tags: null
     timeouts: null
-  ? module.landing-vpc.google_compute_subnetwork.subnetwork["europe-west1/landing-default"]
-  : description: Default europe-west1 subnet for landing
+  module.landing-vpc.google_compute_subnetwork.subnetwork["europe-west1/landing-default"]:
+    description: Default europe-west1 subnet for landing
     ip_cidr_range: 10.64.0.0/24
     ipv6_access_type: null
     log_config: []
@@ -1930,8 +1926,8 @@ values:
     role: null
     secondary_ip_range: []
     timeouts: null
-  ? module.landing-vpc.google_compute_subnetwork.subnetwork["europe-west4/landing-default"]
-  : description: Default europe-west4 subnet for landing
+  module.landing-vpc.google_compute_subnetwork.subnetwork["europe-west4/landing-default"]:
+    description: Default europe-west4 subnet for landing
     ip_cidr_range: 10.80.0.0/24
     ipv6_access_type: null
     log_config: []
@@ -1950,7 +1946,7 @@ values:
     enable_logging: null
     name: prod-landing-0
     networks:
-      - {}
+    - {}
     project: fast2-prod-net-landing-0
     timeouts: null
   module.nva["primary-b"].google_compute_instance.default[0]:
@@ -1958,15 +1954,15 @@ values:
     allow_stopping_for_update: true
     attached_disk: []
     boot_disk:
-      - auto_delete: true
-        disk_encryption_key_raw: null
-        initialize_params:
-          - enable_confidential_compute: null
-            image: projects/cos-cloud/global/images/family/cos-stable
-            resource_manager_tags: null
-            size: 10
-            type: pd-balanced
-        mode: READ_WRITE
+    - auto_delete: true
+      disk_encryption_key_raw: null
+      initialize_params:
+      - enable_confidential_compute: null
+        image: projects/cos-cloud/global/images/family/cos-stable
+        resource_manager_tags: null
+        size: 10
+        type: pd-balanced
+      mode: READ_WRITE
     can_ip_forward: true
     deletion_protection: false
     description: Managed by the compute-vm Terraform module.
@@ -1976,8 +1972,7 @@ values:
     labels: null
     machine_type: e2-standard-2
     metadata:
-      user-data:
-        "#cloud-config\n\n# Copyright 2023 Google LLC\n#\n# Licensed under\
+      user-data: "#cloud-config\n\n# Copyright 2024 Google LLC\n#\n# Licensed under\
         \ the Apache License, Version 2.0 (the \"License\");\n# you may not use this\
         \ file except in compliance with the License.\n# You may obtain a copy of\
         \ the License at\n#\n#     https://www.apache.org/licenses/LICENSE-2.0\n#\n\
@@ -2148,7 +2143,9 @@ values:
         \    permissions: 0744\n    owner: root\n    content: |\n      iptables --policy\
         \ FORWARD ACCEPT\n      /var/run/nva/policy_based_routing.sh eth0 &>/dev/null\
         \ &\n      iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE\n      ip\
-        \ route add 10.64.127.0/17 via `curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/0/gateway\
+        \ route add 35.235.240.0/20 via `curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/0/gateway\
+        \ -H \"Metadata-Flavor:Google\"` dev eth0\n      ip route add 10.64.127.0/17\
+        \ via `curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/0/gateway\
         \ -H \"Metadata-Flavor:Google\"` dev eth0\n      ip route add 10.80.127.0/17\
         \ via `curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/0/gateway\
         \ -H \"Metadata-Flavor:Google\"` dev eth0\n      /var/run/nva/policy_based_routing.sh\
@@ -2162,44 +2159,44 @@ values:
     metadata_startup_script: null
     name: nva-ew1-b
     network_interface:
-      - access_config: []
-        alias_ip_range: []
-        ipv6_access_config: []
-        network_ip: 10.64.128.101
-        nic_type: null
-        queue_count: null
-        security_policy: null
-      - access_config: []
-        alias_ip_range: []
-        ipv6_access_config: []
-        network_ip: 10.64.0.101
-        nic_type: null
-        queue_count: null
-        security_policy: null
+    - access_config: []
+      alias_ip_range: []
+      ipv6_access_config: []
+      network_ip: 10.64.128.101
+      nic_type: null
+      queue_count: null
+      security_policy: null
+    - access_config: []
+      alias_ip_range: []
+      ipv6_access_config: []
+      network_ip: 10.64.0.101
+      nic_type: null
+      queue_count: null
+      security_policy: null
     network_performance_config: []
     params: []
     project: fast2-prod-net-landing-0
     resource_policies: null
     scheduling:
-      - automatic_restart: true
-        instance_termination_action: null
-        local_ssd_recovery_timeout: []
-        maintenance_interval: null
-        max_run_duration: []
-        min_node_cpus: null
-        node_affinities: []
-        on_host_maintenance: MIGRATE
-        preemptible: false
-        provisioning_model: STANDARD
+    - automatic_restart: true
+      instance_termination_action: null
+      local_ssd_recovery_timeout: []
+      maintenance_interval: null
+      max_run_duration: []
+      min_node_cpus: null
+      node_affinities: []
+      on_host_maintenance: MIGRATE
+      preemptible: false
+      provisioning_model: STANDARD
     scratch_disk: []
     service_account:
-      - scopes:
-          - https://www.googleapis.com/auth/devstorage.read_only
-          - https://www.googleapis.com/auth/logging.write
-          - https://www.googleapis.com/auth/monitoring.write
+    - scopes:
+      - https://www.googleapis.com/auth/devstorage.read_only
+      - https://www.googleapis.com/auth/logging.write
+      - https://www.googleapis.com/auth/monitoring.write
     shielded_instance_config: []
     tags:
-      - nva
+    - nva
     timeouts: null
     zone: europe-west1-b
   module.nva["primary-c"].google_compute_instance.default[0]:
@@ -2207,15 +2204,15 @@ values:
     allow_stopping_for_update: true
     attached_disk: []
     boot_disk:
-      - auto_delete: true
-        disk_encryption_key_raw: null
-        initialize_params:
-          - enable_confidential_compute: null
-            image: projects/cos-cloud/global/images/family/cos-stable
-            resource_manager_tags: null
-            size: 10
-            type: pd-balanced
-        mode: READ_WRITE
+    - auto_delete: true
+      disk_encryption_key_raw: null
+      initialize_params:
+      - enable_confidential_compute: null
+        image: projects/cos-cloud/global/images/family/cos-stable
+        resource_manager_tags: null
+        size: 10
+        type: pd-balanced
+      mode: READ_WRITE
     can_ip_forward: true
     deletion_protection: false
     description: Managed by the compute-vm Terraform module.
@@ -2225,8 +2222,7 @@ values:
     labels: null
     machine_type: e2-standard-2
     metadata:
-      user-data:
-        "#cloud-config\n\n# Copyright 2023 Google LLC\n#\n# Licensed under\
+      user-data: "#cloud-config\n\n# Copyright 2024 Google LLC\n#\n# Licensed under\
         \ the Apache License, Version 2.0 (the \"License\");\n# you may not use this\
         \ file except in compliance with the License.\n# You may obtain a copy of\
         \ the License at\n#\n#     https://www.apache.org/licenses/LICENSE-2.0\n#\n\
@@ -2397,7 +2393,9 @@ values:
         \    permissions: 0744\n    owner: root\n    content: |\n      iptables --policy\
         \ FORWARD ACCEPT\n      /var/run/nva/policy_based_routing.sh eth0 &>/dev/null\
         \ &\n      iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE\n      ip\
-        \ route add 10.64.127.0/17 via `curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/0/gateway\
+        \ route add 35.235.240.0/20 via `curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/0/gateway\
+        \ -H \"Metadata-Flavor:Google\"` dev eth0\n      ip route add 10.64.127.0/17\
+        \ via `curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/0/gateway\
         \ -H \"Metadata-Flavor:Google\"` dev eth0\n      ip route add 10.80.127.0/17\
         \ via `curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/0/gateway\
         \ -H \"Metadata-Flavor:Google\"` dev eth0\n      /var/run/nva/policy_based_routing.sh\
@@ -2411,44 +2409,44 @@ values:
     metadata_startup_script: null
     name: nva-ew1-c
     network_interface:
-      - access_config: []
-        alias_ip_range: []
-        ipv6_access_config: []
-        network_ip: 10.64.128.102
-        nic_type: null
-        queue_count: null
-        security_policy: null
-      - access_config: []
-        alias_ip_range: []
-        ipv6_access_config: []
-        network_ip: 10.64.0.102
-        nic_type: null
-        queue_count: null
-        security_policy: null
+    - access_config: []
+      alias_ip_range: []
+      ipv6_access_config: []
+      network_ip: 10.64.128.102
+      nic_type: null
+      queue_count: null
+      security_policy: null
+    - access_config: []
+      alias_ip_range: []
+      ipv6_access_config: []
+      network_ip: 10.64.0.102
+      nic_type: null
+      queue_count: null
+      security_policy: null
     network_performance_config: []
     params: []
     project: fast2-prod-net-landing-0
     resource_policies: null
     scheduling:
-      - automatic_restart: true
-        instance_termination_action: null
-        local_ssd_recovery_timeout: []
-        maintenance_interval: null
-        max_run_duration: []
-        min_node_cpus: null
-        node_affinities: []
-        on_host_maintenance: MIGRATE
-        preemptible: false
-        provisioning_model: STANDARD
+    - automatic_restart: true
+      instance_termination_action: null
+      local_ssd_recovery_timeout: []
+      maintenance_interval: null
+      max_run_duration: []
+      min_node_cpus: null
+      node_affinities: []
+      on_host_maintenance: MIGRATE
+      preemptible: false
+      provisioning_model: STANDARD
     scratch_disk: []
     service_account:
-      - scopes:
-          - https://www.googleapis.com/auth/devstorage.read_only
-          - https://www.googleapis.com/auth/logging.write
-          - https://www.googleapis.com/auth/monitoring.write
+    - scopes:
+      - https://www.googleapis.com/auth/devstorage.read_only
+      - https://www.googleapis.com/auth/logging.write
+      - https://www.googleapis.com/auth/monitoring.write
     shielded_instance_config: []
     tags:
-      - nva
+    - nva
     timeouts: null
     zone: europe-west1-c
   module.nva["secondary-b"].google_compute_instance.default[0]:
@@ -2456,15 +2454,15 @@ values:
     allow_stopping_for_update: true
     attached_disk: []
     boot_disk:
-      - auto_delete: true
-        disk_encryption_key_raw: null
-        initialize_params:
-          - enable_confidential_compute: null
-            image: projects/cos-cloud/global/images/family/cos-stable
-            resource_manager_tags: null
-            size: 10
-            type: pd-balanced
-        mode: READ_WRITE
+    - auto_delete: true
+      disk_encryption_key_raw: null
+      initialize_params:
+      - enable_confidential_compute: null
+        image: projects/cos-cloud/global/images/family/cos-stable
+        resource_manager_tags: null
+        size: 10
+        type: pd-balanced
+      mode: READ_WRITE
     can_ip_forward: true
     deletion_protection: false
     description: Managed by the compute-vm Terraform module.
@@ -2474,8 +2472,7 @@ values:
     labels: null
     machine_type: e2-standard-2
     metadata:
-      user-data:
-        "#cloud-config\n\n# Copyright 2023 Google LLC\n#\n# Licensed under\
+      user-data: "#cloud-config\n\n# Copyright 2024 Google LLC\n#\n# Licensed under\
         \ the Apache License, Version 2.0 (the \"License\");\n# you may not use this\
         \ file except in compliance with the License.\n# You may obtain a copy of\
         \ the License at\n#\n#     https://www.apache.org/licenses/LICENSE-2.0\n#\n\
@@ -2646,7 +2643,9 @@ values:
         \    permissions: 0744\n    owner: root\n    content: |\n      iptables --policy\
         \ FORWARD ACCEPT\n      /var/run/nva/policy_based_routing.sh eth0 &>/dev/null\
         \ &\n      iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE\n      ip\
-        \ route add 10.64.127.0/17 via `curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/0/gateway\
+        \ route add 35.235.240.0/20 via `curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/0/gateway\
+        \ -H \"Metadata-Flavor:Google\"` dev eth0\n      ip route add 10.64.127.0/17\
+        \ via `curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/0/gateway\
         \ -H \"Metadata-Flavor:Google\"` dev eth0\n      ip route add 10.80.127.0/17\
         \ via `curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/0/gateway\
         \ -H \"Metadata-Flavor:Google\"` dev eth0\n      /var/run/nva/policy_based_routing.sh\
@@ -2660,44 +2659,44 @@ values:
     metadata_startup_script: null
     name: nva-ew4-b
     network_interface:
-      - access_config: []
-        alias_ip_range: []
-        ipv6_access_config: []
-        network_ip: 10.80.128.101
-        nic_type: null
-        queue_count: null
-        security_policy: null
-      - access_config: []
-        alias_ip_range: []
-        ipv6_access_config: []
-        network_ip: 10.80.0.101
-        nic_type: null
-        queue_count: null
-        security_policy: null
+    - access_config: []
+      alias_ip_range: []
+      ipv6_access_config: []
+      network_ip: 10.80.128.101
+      nic_type: null
+      queue_count: null
+      security_policy: null
+    - access_config: []
+      alias_ip_range: []
+      ipv6_access_config: []
+      network_ip: 10.80.0.101
+      nic_type: null
+      queue_count: null
+      security_policy: null
     network_performance_config: []
     params: []
     project: fast2-prod-net-landing-0
     resource_policies: null
     scheduling:
-      - automatic_restart: true
-        instance_termination_action: null
-        local_ssd_recovery_timeout: []
-        maintenance_interval: null
-        max_run_duration: []
-        min_node_cpus: null
-        node_affinities: []
-        on_host_maintenance: MIGRATE
-        preemptible: false
-        provisioning_model: STANDARD
+    - automatic_restart: true
+      instance_termination_action: null
+      local_ssd_recovery_timeout: []
+      maintenance_interval: null
+      max_run_duration: []
+      min_node_cpus: null
+      node_affinities: []
+      on_host_maintenance: MIGRATE
+      preemptible: false
+      provisioning_model: STANDARD
     scratch_disk: []
     service_account:
-      - scopes:
-          - https://www.googleapis.com/auth/devstorage.read_only
-          - https://www.googleapis.com/auth/logging.write
-          - https://www.googleapis.com/auth/monitoring.write
+    - scopes:
+      - https://www.googleapis.com/auth/devstorage.read_only
+      - https://www.googleapis.com/auth/logging.write
+      - https://www.googleapis.com/auth/monitoring.write
     shielded_instance_config: []
     tags:
-      - nva
+    - nva
     timeouts: null
     zone: europe-west4-b
   module.nva["secondary-c"].google_compute_instance.default[0]:
@@ -2705,15 +2704,15 @@ values:
     allow_stopping_for_update: true
     attached_disk: []
     boot_disk:
-      - auto_delete: true
-        disk_encryption_key_raw: null
-        initialize_params:
-          - enable_confidential_compute: null
-            image: projects/cos-cloud/global/images/family/cos-stable
-            resource_manager_tags: null
-            size: 10
-            type: pd-balanced
-        mode: READ_WRITE
+    - auto_delete: true
+      disk_encryption_key_raw: null
+      initialize_params:
+      - enable_confidential_compute: null
+        image: projects/cos-cloud/global/images/family/cos-stable
+        resource_manager_tags: null
+        size: 10
+        type: pd-balanced
+      mode: READ_WRITE
     can_ip_forward: true
     deletion_protection: false
     description: Managed by the compute-vm Terraform module.
@@ -2723,8 +2722,7 @@ values:
     labels: null
     machine_type: e2-standard-2
     metadata:
-      user-data:
-        "#cloud-config\n\n# Copyright 2023 Google LLC\n#\n# Licensed under\
+      user-data: "#cloud-config\n\n# Copyright 2024 Google LLC\n#\n# Licensed under\
         \ the Apache License, Version 2.0 (the \"License\");\n# you may not use this\
         \ file except in compliance with the License.\n# You may obtain a copy of\
         \ the License at\n#\n#     https://www.apache.org/licenses/LICENSE-2.0\n#\n\
@@ -2895,7 +2893,9 @@ values:
         \    permissions: 0744\n    owner: root\n    content: |\n      iptables --policy\
         \ FORWARD ACCEPT\n      /var/run/nva/policy_based_routing.sh eth0 &>/dev/null\
         \ &\n      iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE\n      ip\
-        \ route add 10.64.127.0/17 via `curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/0/gateway\
+        \ route add 35.235.240.0/20 via `curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/0/gateway\
+        \ -H \"Metadata-Flavor:Google\"` dev eth0\n      ip route add 10.64.127.0/17\
+        \ via `curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/0/gateway\
         \ -H \"Metadata-Flavor:Google\"` dev eth0\n      ip route add 10.80.127.0/17\
         \ via `curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/0/gateway\
         \ -H \"Metadata-Flavor:Google\"` dev eth0\n      /var/run/nva/policy_based_routing.sh\
@@ -2909,44 +2909,44 @@ values:
     metadata_startup_script: null
     name: nva-ew4-c
     network_interface:
-      - access_config: []
-        alias_ip_range: []
-        ipv6_access_config: []
-        network_ip: 10.80.128.102
-        nic_type: null
-        queue_count: null
-        security_policy: null
-      - access_config: []
-        alias_ip_range: []
-        ipv6_access_config: []
-        network_ip: 10.80.0.102
-        nic_type: null
-        queue_count: null
-        security_policy: null
+    - access_config: []
+      alias_ip_range: []
+      ipv6_access_config: []
+      network_ip: 10.80.128.102
+      nic_type: null
+      queue_count: null
+      security_policy: null
+    - access_config: []
+      alias_ip_range: []
+      ipv6_access_config: []
+      network_ip: 10.80.0.102
+      nic_type: null
+      queue_count: null
+      security_policy: null
     network_performance_config: []
     params: []
     project: fast2-prod-net-landing-0
     resource_policies: null
     scheduling:
-      - automatic_restart: true
-        instance_termination_action: null
-        local_ssd_recovery_timeout: []
-        maintenance_interval: null
-        max_run_duration: []
-        min_node_cpus: null
-        node_affinities: []
-        on_host_maintenance: MIGRATE
-        preemptible: false
-        provisioning_model: STANDARD
+    - automatic_restart: true
+      instance_termination_action: null
+      local_ssd_recovery_timeout: []
+      maintenance_interval: null
+      max_run_duration: []
+      min_node_cpus: null
+      node_affinities: []
+      on_host_maintenance: MIGRATE
+      preemptible: false
+      provisioning_model: STANDARD
     scratch_disk: []
     service_account:
-      - scopes:
-          - https://www.googleapis.com/auth/devstorage.read_only
-          - https://www.googleapis.com/auth/logging.write
-          - https://www.googleapis.com/auth/monitoring.write
+    - scopes:
+      - https://www.googleapis.com/auth/devstorage.read_only
+      - https://www.googleapis.com/auth/logging.write
+      - https://www.googleapis.com/auth/monitoring.write
     shielded_instance_config: []
     tags:
-      - nva
+    - nva
     timeouts: null
     zone: europe-west4-c
   module.peering-dev.google_compute_network_peering.local_network_peering:
@@ -2977,9 +2977,9 @@ values:
     import_subnet_routes_with_public_ip: null
     stack_type: IPV4_ONLY
     timeouts: null
-  ? module.prod-dns-peer-landing-rev-10.google_dns_managed_zone.dns_managed_zone[0]
-  : cloud_logging_config:
-      - enable_logging: false
+  module.prod-dns-peer-landing-rev-10.google_dns_managed_zone.dns_managed_zone[0]:
+    cloud_logging_config:
+    - enable_logging: false
     description: Terraform managed.
     dns_name: 10.in-addr.arpa.
     dnssec_config: []
@@ -2994,7 +2994,7 @@ values:
     visibility: private
   module.prod-dns-peer-landing-root.google_dns_managed_zone.dns_managed_zone[0]:
     cloud_logging_config:
-      - enable_logging: false
+    - enable_logging: false
     description: Terraform managed.
     dns_name: .
     dnssec_config: []
@@ -3009,7 +3009,7 @@ values:
     visibility: private
   module.prod-dns-private-zone.google_dns_managed_zone.dns_managed_zone[0]:
     cloud_logging_config:
-      - enable_logging: false
+    - enable_logging: false
     description: Terraform managed.
     dns_name: prod.gcp.example.com.
     dnssec_config: []
@@ -3022,41 +3022,41 @@ values:
     service_directory_config: []
     timeouts: null
     visibility: private
-  ? module.prod-dns-private-zone.google_dns_record_set.dns_record_set["A localhost"]
-  : managed_zone: prod-gcp-example-com
+  module.prod-dns-private-zone.google_dns_record_set.dns_record_set["A localhost"]:
+    managed_zone: prod-gcp-example-com
     name: localhost.prod.gcp.example.com.
     project: fast2-prod-net-spoke-0
     routing_policy: []
     rrdatas:
-      - 127.0.0.1
+    - 127.0.0.1
     ttl: 300
     type: A
-  ? module.prod-spoke-firewall.google_compute_firewall.custom-rules["ingress-default-deny"]
-  : allow: []
+  module.prod-spoke-firewall.google_compute_firewall.custom-rules["ingress-default-deny"]:
+    allow: []
     deny:
-      - ports: []
-        protocol: all
+    - ports: []
+      protocol: all
     description: Deny and log any unmatched ingress traffic.
     direction: INGRESS
     disabled: false
     log_config:
-      - metadata: EXCLUDE_ALL_METADATA
+    - metadata: EXCLUDE_ALL_METADATA
     name: ingress-default-deny
     network: prod-spoke-0
     priority: 65535
     project: fast2-prod-net-spoke-0
     source_ranges:
-      - 0.0.0.0/0
+    - 0.0.0.0/0
     source_service_accounts: null
     source_tags: null
     target_service_accounts: null
     target_tags: null
     timeouts: null
-  ? module.prod-spoke-project.google_compute_shared_vpc_host_project.shared_vpc_host[0]
-  : project: fast2-prod-net-spoke-0
+  module.prod-spoke-project.google_compute_shared_vpc_host_project.shared_vpc_host[0]:
+    project: fast2-prod-net-spoke-0
     timeouts: null
-  ? module.prod-spoke-project.google_monitoring_monitored_project.primary["fast2-prod-net-landing-0"]
-  : metrics_scope: fast2-prod-net-landing-0
+  module.prod-spoke-project.google_monitoring_monitored_project.primary["fast2-prod-net-landing-0"]:
+    metrics_scope: fast2-prod-net-landing-0
     name: fast2-prod-net-spoke-0
     timeouts: null
   module.prod-spoke-project.google_project.project[0]:
@@ -3069,73 +3069,73 @@ values:
     project_id: fast2-prod-net-spoke-0
     skip_delete: false
     timeouts: null
-  ? module.prod-spoke-project.google_project_iam_binding.authoritative["roles/dns.admin"]
-  : condition: []
+  module.prod-spoke-project.google_project_iam_binding.authoritative["roles/dns.admin"]:
+    condition: []
     members:
-      - serviceAccount:string
+    - serviceAccount:string
     project: fast2-prod-net-spoke-0
     role: roles/dns.admin
-  ? module.prod-spoke-project.google_project_iam_binding.bindings["sa_delegated_grants"]
-  : condition:
-      - description: Production host project delegated grants.
-        expression: api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly(['roles/composer.sharedVpcAgent','roles/compute.networkUser','roles/compute.networkViewer','roles/container.hostServiceAgentUser','roles/multiclusterservicediscovery.serviceAgent','roles/vpcaccess.user'])
-        title: prod_stage3_sa_delegated_grants
+  module.prod-spoke-project.google_project_iam_binding.bindings["sa_delegated_grants"]:
+    condition:
+    - description: Production host project delegated grants.
+      expression: api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly(['roles/composer.sharedVpcAgent','roles/compute.networkUser','roles/compute.networkViewer','roles/container.hostServiceAgentUser','roles/multiclusterservicediscovery.serviceAgent','roles/vpcaccess.user'])
+      title: prod_stage3_sa_delegated_grants
     members:
-      - serviceAccount:string
+    - serviceAccount:string
     project: fast2-prod-net-spoke-0
     role: roles/resourcemanager.projectIamAdmin
   module.prod-spoke-project.google_project_iam_member.servicenetworking[0]:
     condition: []
     project: fast2-prod-net-spoke-0
     role: roles/servicenetworking.serviceAgent
-  ? module.prod-spoke-project.google_project_service.project_services["compute.googleapis.com"]
-  : disable_dependent_services: false
+  module.prod-spoke-project.google_project_service.project_services["compute.googleapis.com"]:
+    disable_dependent_services: false
     disable_on_destroy: false
     project: fast2-prod-net-spoke-0
     service: compute.googleapis.com
     timeouts: null
-  ? module.prod-spoke-project.google_project_service.project_services["dns.googleapis.com"]
-  : disable_dependent_services: false
+  module.prod-spoke-project.google_project_service.project_services["dns.googleapis.com"]:
+    disable_dependent_services: false
     disable_on_destroy: false
     project: fast2-prod-net-spoke-0
     service: dns.googleapis.com
     timeouts: null
-  ? module.prod-spoke-project.google_project_service.project_services["iap.googleapis.com"]
-  : disable_dependent_services: false
+  module.prod-spoke-project.google_project_service.project_services["iap.googleapis.com"]:
+    disable_dependent_services: false
     disable_on_destroy: false
     project: fast2-prod-net-spoke-0
     service: iap.googleapis.com
     timeouts: null
-  ? module.prod-spoke-project.google_project_service.project_services["networkmanagement.googleapis.com"]
-  : disable_dependent_services: false
+  module.prod-spoke-project.google_project_service.project_services["networkmanagement.googleapis.com"]:
+    disable_dependent_services: false
     disable_on_destroy: false
     project: fast2-prod-net-spoke-0
     service: networkmanagement.googleapis.com
     timeouts: null
-  ? module.prod-spoke-project.google_project_service.project_services["servicenetworking.googleapis.com"]
-  : disable_dependent_services: false
+  module.prod-spoke-project.google_project_service.project_services["servicenetworking.googleapis.com"]:
+    disable_dependent_services: false
     disable_on_destroy: false
     project: fast2-prod-net-spoke-0
     service: servicenetworking.googleapis.com
     timeouts: null
-  ? module.prod-spoke-project.google_project_service.project_services["stackdriver.googleapis.com"]
-  : disable_dependent_services: false
+  module.prod-spoke-project.google_project_service.project_services["stackdriver.googleapis.com"]:
+    disable_dependent_services: false
     disable_on_destroy: false
     project: fast2-prod-net-spoke-0
     service: stackdriver.googleapis.com
     timeouts: null
-  ? module.prod-spoke-project.google_project_service.project_services["vpcaccess.googleapis.com"]
-  : disable_dependent_services: false
+  module.prod-spoke-project.google_project_service.project_services["vpcaccess.googleapis.com"]:
+    disable_dependent_services: false
     disable_on_destroy: false
     project: fast2-prod-net-spoke-0
     service: vpcaccess.googleapis.com
     timeouts: null
-  ? module.prod-spoke-project.google_project_service_identity.jit_si["iap.googleapis.com"]
-  : project: fast2-prod-net-spoke-0
+  module.prod-spoke-project.google_project_service_identity.jit_si["iap.googleapis.com"]:
+    project: fast2-prod-net-spoke-0
     service: iap.googleapis.com
     timeouts: null
-  ? module.prod-spoke-project.google_project_service_identity.servicenetworking[0]
-  : project: fast2-prod-net-spoke-0
+  module.prod-spoke-project.google_project_service_identity.servicenetworking[0]:
+    project: fast2-prod-net-spoke-0
     service: servicenetworking.googleapis.com
     timeouts: null
   module.prod-spoke-vpc.google_compute_network.network[0]:
@@ -3175,8 +3175,8 @@ values:
     project: fast2-prod-net-spoke-0
     tags: null
     timeouts: null
-  ? module.prod-spoke-vpc.google_compute_subnetwork.subnetwork["europe-west1/prod-default"]
-  : description: Default europe-west1 subnet for prod
+  module.prod-spoke-vpc.google_compute_subnetwork.subnetwork["europe-west1/prod-default"]:
+    description: Default europe-west1 subnet for prod
     ip_cidr_range: 10.72.0.0/24
     ipv6_access_type: null
     log_config: []
@@ -3188,8 +3188,8 @@ values:
     role: null
     secondary_ip_range: []
     timeouts: null
-  ? module.prod-spoke-vpc.google_compute_subnetwork.subnetwork["europe-west4/prod-default"]
-  : description: Default europe-west4 subnet for prod
+  module.prod-spoke-vpc.google_compute_subnetwork.subnetwork["europe-west4/prod-default"]:
+    description: Default europe-west4 subnet for prod
     ip_cidr_range: 10.88.0.0/24
     ipv6_access_type: null
     log_config: []
@@ -3208,18 +3208,18 @@ values:
     enable_logging: true
     name: prod-spoke-0
     networks:
-      - {}
+    - {}
     project: fast2-prod-net-spoke-0
     timeouts: null
   module.spokes-dmz["primary"].google_compute_router.cr:
     bgp:
-      - advertise_mode: CUSTOM
-        advertised_groups: []
-        advertised_ip_ranges:
-          - description: Default route.
-            range: 0.0.0.0/0
-        asn: 64512
-        keepalive_interval: 20
+    - advertise_mode: CUSTOM
+      advertised_groups: []
+      advertised_ip_ranges:
+      - description: Default route.
+        range: 0.0.0.0/0
+      asn: 64512
+      keepalive_interval: 20
     description: null
     encrypted_interconnect_router: null
     name: prod-spoke-dmz-ew1-cr
@@ -3306,10 +3306,10 @@ values:
     labels: null
     linked_interconnect_attachments: []
     linked_router_appliance_instances:
-      - instances:
-          - {}
-          - {}
-        site_to_site_data_transfer: false
+    - instances:
+      - {}
+      - {}
+      site_to_site_data_transfer: false
     linked_vpc_network: []
     linked_vpn_tunnels: []
     location: europe-west1
@@ -3318,13 +3318,13 @@ values:
     timeouts: null
   module.spokes-dmz["secondary"].google_compute_router.cr:
     bgp:
-      - advertise_mode: CUSTOM
-        advertised_groups: []
-        advertised_ip_ranges:
-          - description: Default route.
-            range: 0.0.0.0/0
-        asn: 64512
-        keepalive_interval: 20
+    - advertise_mode: CUSTOM
+      advertised_groups: []
+      advertised_ip_ranges:
+      - description: Default route.
+        range: 0.0.0.0/0
+      asn: 64512
+      keepalive_interval: 20
     description: null
     encrypted_interconnect_router: null
     name: prod-spoke-dmz-ew4-cr
@@ -3411,10 +3411,10 @@ values:
     labels: null
     linked_interconnect_attachments: []
     linked_router_appliance_instances:
-      - instances:
-          - {}
-          - {}
-        site_to_site_data_transfer: false
+    - instances:
+      - {}
+      - {}
+      site_to_site_data_transfer: false
     linked_vpc_network: []
     linked_vpn_tunnels: []
     location: europe-west4
@@ -3423,23 +3423,23 @@ values:
     timeouts: null
   module.spokes-landing["primary"].google_compute_router.cr:
     bgp:
-      - advertise_mode: CUSTOM
-        advertised_groups: []
-        advertised_ip_ranges:
-          - description: GCP landing primary.
-            range: 10.64.0.0/17
-          - description: GCP dev primary.
-            range: 10.68.0.0/16
-          - description: GCP prod primary.
-            range: 10.72.0.0/16
-          - description: GCP landing secondary.
-            range: 10.80.0.0/17
-          - description: GCP dev secondary.
-            range: 10.84.0.0/16
-          - description: GCP prod secondary.
-            range: 10.88.0.0/16
-        asn: 64515
-        keepalive_interval: 20
+    - advertise_mode: CUSTOM
+      advertised_groups: []
+      advertised_ip_ranges:
+      - description: GCP landing primary.
+        range: 10.64.0.0/17
+      - description: GCP dev primary.
+        range: 10.68.0.0/16
+      - description: GCP prod primary.
+        range: 10.72.0.0/16
+      - description: GCP landing secondary.
+        range: 10.80.0.0/17
+      - description: GCP dev secondary.
+        range: 10.84.0.0/16
+      - description: GCP prod secondary.
+        range: 10.88.0.0/16
+      asn: 64515
+      keepalive_interval: 20
     description: null
     encrypted_interconnect_router: null
     name: prod-spoke-landing-ew1-cr
@@ -3526,10 +3526,10 @@ values:
     labels: null
     linked_interconnect_attachments: []
     linked_router_appliance_instances:
-      - instances:
-          - {}
-          - {}
-        site_to_site_data_transfer: false
+    - instances:
+      - {}
+      - {}
+      site_to_site_data_transfer: false
     linked_vpc_network: []
     linked_vpn_tunnels: []
     location: europe-west1
@@ -3538,23 +3538,23 @@ values:
     timeouts: null
   module.spokes-landing["secondary"].google_compute_router.cr:
     bgp:
-      - advertise_mode: CUSTOM
-        advertised_groups: []
-        advertised_ip_ranges:
-          - description: GCP landing primary.
-            range: 10.64.0.0/17
-          - description: GCP dev primary.
-            range: 10.68.0.0/16
-          - description: GCP prod primary.
-            range: 10.72.0.0/16
-          - description: GCP landing secondary.
-            range: 10.80.0.0/17
-          - description: GCP dev secondary.
-            range: 10.84.0.0/16
-          - description: GCP prod secondary.
-            range: 10.88.0.0/16
-        asn: 64515
-        keepalive_interval: 20
+    - advertise_mode: CUSTOM
+      advertised_groups: []
+      advertised_ip_ranges:
+      - description: GCP landing primary.
+        range: 10.64.0.0/17
+      - description: GCP dev primary.
+        range: 10.68.0.0/16
+      - description: GCP prod primary.
+        range: 10.72.0.0/16
+      - description: GCP landing secondary.
+        range: 10.80.0.0/17
+      - description: GCP dev secondary.
+        range: 10.84.0.0/16
+      - description: GCP prod secondary.
+        range: 10.88.0.0/16
+      asn: 64515
+      keepalive_interval: 20
     description: null
     encrypted_interconnect_router: null
     name: prod-spoke-landing-ew4-cr
@@ -3641,10 +3641,10 @@ values:
     labels: null
     linked_interconnect_attachments: []
     linked_router_appliance_instances:
-      - instances:
-          - {}
-          - {}
-        site_to_site_data_transfer: false
+    - instances:
+      - {}
+      - {}
+      site_to_site_data_transfer: false
     linked_vpc_network: []
     linked_vpn_tunnels: []
     location: europe-west4
@@ -3702,3 +3702,4 @@ outputs:
   shared_vpc_self_links: __missing__
   tfvars: __missing__
   vpn_gateway_endpoints: __missing__
+

From 01533a4a66da722574991229c4803bf426dd9908 Mon Sep 17 00:00:00 2001
From: Ludo <ludomagno@google.com>
Date: Fri, 10 May 2024 07:56:11 +0200
Subject: [PATCH 19/31] update changelog

---
 CHANGELOG.md | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index ac785d99a9..6c2177cdbc 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -8,6 +8,9 @@ All notable changes to this project will be documented in this file.
 
 ### BLUEPRINTS
 
+- [[#2243](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2243)] Added new attributes Apigee organization and bumped up providers version ([apichick](https://github.com/apichick)) <!-- 2024-04-28 15:31:42+00:00 -->
+- [[#2239](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2239)] Update README.md ([vicenteg](https://github.com/vicenteg)) <!-- 2024-04-25 23:14:32+00:00 -->
+- [[#2230](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2230)] docs: :memo: fix error in phpIPAM terraform config by updating VPC pe… ([PapaPeskwo](https://github.com/PapaPeskwo)) <!-- 2024-04-22 10:55:03+00:00 -->
 - [[#2227](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2227)] Bump golang.org/x/net from 0.17.0 to 0.23.0 in /blueprints/cloud-operations/unmanaged-instances-healthcheck/function/healthchecker ([dependabot[bot]](https://github.com/dependabot[bot])) <!-- 2024-04-19 12:26:14+00:00 -->
 - [[#2228](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2228)] Bump golang.org/x/net from 0.17.0 to 0.23.0 in /blueprints/cloud-operations/unmanaged-instances-healthcheck/function/restarter ([dependabot[bot]](https://github.com/dependabot[bot])) <!-- 2024-04-19 12:25:52+00:00 -->
 - [[#2226](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2226)] fix cloud sql PSA after module upgrade ([simonebruzzechesse](https://github.com/simonebruzzechesse)) <!-- 2024-04-19 10:41:02+00:00 -->
@@ -29,6 +32,10 @@ All notable changes to this project will be documented in this file.
 
 ### FAST
 
+- [[#2260](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2260)] Remove data source from folder module ([ludoo](https://github.com/ludoo)) <!-- 2024-05-09 13:09:54+00:00 -->
+- [[#2253](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2253)] Misc FAST fixes ([juliocc](https://github.com/juliocc)) <!-- 2024-05-02 06:56:26+00:00 -->
+- [[#2235](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2235)] Update FAST logging ([juliocc](https://github.com/juliocc)) <!-- 2024-04-25 06:31:52+00:00 -->
+- [[#2233](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2233)] Fix permissions for branch network dev - read sa ([LucaPrete](https://github.com/LucaPrete)) <!-- 2024-04-23 13:19:39+00:00 -->
 - [[#2221](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2221)] Enable TFLint in FAST stages ([juliocc](https://github.com/juliocc)) <!-- 2024-04-18 08:06:24+00:00 -->
 - [[#2220](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2220)] Add tflint to pipelines ([juliocc](https://github.com/juliocc)) <!-- 2024-04-17 08:23:49+00:00 -->
 - [[#2218](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2218)] **incompatible change:** Allow multiple PSA service providers in net-vpc module ([ludoo](https://github.com/ludoo)) <!-- 2024-04-16 15:02:36+00:00 -->
@@ -46,6 +53,19 @@ All notable changes to this project will be documented in this file.
 
 ### MODULES
 
+- [[#2262](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2262)] Make Simple NVA route IAP traffic through NIC 0 ([juliocc](https://github.com/juliocc)) <!-- 2024-05-09 16:29:25+00:00 -->
+- [[#2261](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2261)] Add Hybrid NAT support ([juliocc](https://github.com/juliocc)) <!-- 2024-05-09 13:24:41+00:00 -->
+- [[#2260](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2260)] Remove data source from folder module ([ludoo](https://github.com/ludoo)) <!-- 2024-05-09 13:09:54+00:00 -->
+- [[#2247](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2247)] Fix workstation-cluster module for private deployment ([simonebruzzechesse](https://github.com/simonebruzzechesse)) <!-- 2024-05-02 06:09:10+00:00 -->
+- [[#2252](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2252)] Add support for labels to GKE backup plans ([ludoo](https://github.com/ludoo)) <!-- 2024-05-01 18:20:22+00:00 -->
+- [[#2251](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2251)] Fix factory ingress policy services in vpc-sc module ([ludoo](https://github.com/ludoo)) <!-- 2024-05-01 16:50:30+00:00 -->
+- [[#2248](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2248)] Added missing identity when connectors API is enabled ([jnahelou](https://github.com/jnahelou)) <!-- 2024-04-30 17:21:35+00:00 -->
+- [[#2246](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2246)] Fixed issue with service networking DNS peering ([apichick](https://github.com/apichick)) <!-- 2024-04-28 20:18:02+00:00 -->
+- [[#2243](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2243)] Added new attributes Apigee organization and bumped up providers version ([apichick](https://github.com/apichick)) <!-- 2024-04-28 15:31:42+00:00 -->
+- [[#2244](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2244)] **incompatible change:** Removed BFD settings from net-vpn-ha module as it is not supported ([apichick](https://github.com/apichick)) <!-- 2024-04-28 10:11:08+00:00 -->
+- [[#2241](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2241)] Use default labels on pubsub subscription when no override is provided ([wiktorn](https://github.com/wiktorn)) <!-- 2024-04-27 07:22:41+00:00 -->
+- [[#2238](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2238)] fix: allow disabling node autoprovisioning ([kumadee](https://github.com/kumadee)) <!-- 2024-04-26 07:17:48+00:00 -->
+- [[#2234](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2234)] Added build environment variables in cloud function v1 ([luigi-bitonti](https://github.com/luigi-bitonti)) <!-- 2024-04-23 17:20:38+00:00 -->
 - [[#2229](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2229)] **incompatible change:** Refactor vpc-sc support in project module, add support for dry run ([ludoo](https://github.com/ludoo)) <!-- 2024-04-22 07:28:01+00:00 -->
 - [[#2226](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2226)] fix cloud sql PSA after module upgrade ([simonebruzzechesse](https://github.com/simonebruzzechesse)) <!-- 2024-04-19 10:41:02+00:00 -->
 - [[#2224](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2224)] added missing option for exclusion scope ([cmalpe](https://github.com/cmalpe)) <!-- 2024-04-18 11:12:16+00:00 -->

From 2b6c81f73d1851068e1eab027130c1457ec2a170 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Wiktor=20Niesiob=C4=99dzki?= <wiktorn@google.com>
Date: Fri, 10 May 2024 09:54:19 +0200
Subject: [PATCH 20/31] Update docs - gcp-network-admins ->
 gcp-vpc-network-admins

---
 fast/stages/0-bootstrap/README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fast/stages/0-bootstrap/README.md b/fast/stages/0-bootstrap/README.md
index 5d456302f5..758eac468f 100644
--- a/fast/stages/0-bootstrap/README.md
+++ b/fast/stages/0-bootstrap/README.md
@@ -276,7 +276,7 @@ Before the first run, the following IAM groups must exist to allow IAM bindings
 
 - `gcp-billing-admins`
 - `gcp-devops`
-- `gcp-network-admins`
+- `gcp-vpc-network-admins`
 - `gcp-organization-admins`
 - `gcp-security-admins`
 

From 5b3ed10cdadbd7f082b8b13b94c297de5c2ee536 Mon Sep 17 00:00:00 2001
From: Jan Van Bruggen <JanCVanB@users.noreply.github.com>
Date: Fri, 10 May 2024 16:19:35 -0600
Subject: [PATCH 21/31] Fix bug from output typo in new project-factory module
 (#2264)

`local.folders` is just a map of var-based keys to string manipulations on those keys, while `local.hierarchy` is the seemingly-intended map of var-based keys to generated IDs/numbers.

see
https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/blob/master/modules/project-factory/factory-folders.tf#L32
vs.
https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/blob/master/modules/project-factory/factory-folders.tf#L39

Thank you for recently developing this convenient module!
---
 modules/project-factory/outputs.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/project-factory/outputs.tf b/modules/project-factory/outputs.tf
index 9f49ebe986..5040e76671 100644
--- a/modules/project-factory/outputs.tf
+++ b/modules/project-factory/outputs.tf
@@ -16,7 +16,7 @@
 
 output "folders" {
   description = "Folder ids."
-  value       = local.folders
+  value       = local.hierarchy
 }
 
 output "projects" {

From 35a17a46ba99b4845fcc9a7ea6b140c254ea142e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Wiktor=20Niesiob=C4=99dzki?= <wiktorn@google.com>
Date: Sat, 11 May 2024 15:19:09 +0000
Subject: [PATCH 22/31] Fix failing E2E tests

---
 modules/net-vpc/README.md | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/modules/net-vpc/README.md b/modules/net-vpc/README.md
index d29251cc96..fb115804c2 100644
--- a/modules/net-vpc/README.md
+++ b/modules/net-vpc/README.md
@@ -299,10 +299,12 @@ module "vpc" {
     {
       ranges = { myrange = "10.0.1.0/24" }
       # service_producer = "servicenetworking.googleapis.com" # default value
+      deletion_policy = "ABANDON"
     },
     {
       ranges           = { netapp = "10.0.2.0/24" }
       service_producer = "netapp.servicenetworking.goog"
+      deletion_policy  = "ABANDON"
     }
   ]
 }

From 6a3c7fe4445ca3f801db6a7d19cdd47587fe6a35 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Wiktor=20Niesiob=C4=99dzki?= <wiktorn@google.com>
Date: Sun, 12 May 2024 12:00:39 +0200
Subject: [PATCH 23/31] CloudSQL PSC Endpoints support (#2242)

* Add PSC endpoints consumers to net-address
* Cloud SQL E2E tests
---
 modules/cloudsql-instance/README.md           | 175 ++++++++++--------
 modules/cloudsql-instance/variables.tf        |   2 +-
 modules/net-address/README.md                 |  25 ++-
 modules/net-address/main.tf                   |  42 +----
 modules/net-address/psc.tf                    | 102 ++++++++++
 modules/net-address/variables.tf              |  26 ++-
 tests/collectors.py                           |  11 +-
 tests/examples/variables.tf                   |   2 +-
 .../setup_module/e2e_tests.tfvars.tftpl       |   6 +
 tests/examples_e2e/setup_module/main.tf       |  46 ++++-
 tests/fixtures.py                             |  11 +-
 tests/fixtures/cloudsql-instance.tf           |  33 ++++
 tests/fixtures/cloudsql-kms-iam-grant.tf      |  23 +++
 .../cloudsql_instance/examples/insights.yaml  |   4 +-
 .../cloudsql_instance/examples/psc.yaml       |  38 ++++
 .../cloudsql_instance/examples/public-ip.yaml |  25 +--
 .../cloudsql_instance/examples/replicas.yaml  |   2 +-
 .../cloudsql_instance/examples/simple.yaml    |  40 ++--
 .../examples/psc-service-attachment.yaml      |  29 +++
 19 files changed, 464 insertions(+), 178 deletions(-)
 create mode 100644 modules/net-address/psc.tf
 create mode 100644 tests/fixtures/cloudsql-instance.tf
 create mode 100644 tests/fixtures/cloudsql-kms-iam-grant.tf
 create mode 100644 tests/modules/cloudsql_instance/examples/psc.yaml
 create mode 100644 tests/modules/net_address/examples/psc-service-attachment.yaml

diff --git a/modules/cloudsql-instance/README.md b/modules/cloudsql-instance/README.md
index c1474cec1a..6ecf42a32d 100644
--- a/modules/cloudsql-instance/README.md
+++ b/modules/cloudsql-instance/README.md
@@ -1,4 +1,4 @@
-# Cloud SQL instance with read replicas
+# Cloud SQL instance module
 
 This module manages the creation of Cloud SQL instances with potential read replicas in other regions. It can also create an initial set of users and databases via the `users` and `databases` parameters.
 
@@ -6,7 +6,24 @@ Note that this module assumes that some options are the same for both the primar
 
 *Warning:* if you use the `users` field, you terraform state will contain each user's password in plain text.
 
-## Simple example
+<!-- BEGIN TOC -->
+- [Examples](#examples)
+  - [Simple example](#simple-example)
+  - [Cross-regional read replica](#cross-regional-read-replica)
+  - [Custom flags, databases and users](#custom-flags-databases-and-users)
+  - [CMEK encryption](#cmek-encryption)
+  - [Instance with PSC enabled](#instance-with-psc-enabled)
+  - [Enable public IP](#enable-public-ip)
+  - [Query Insights](#query-insights)
+  - [Maintenance Config](#maintenance-config)
+  - [SSL Config](#ssl-config)
+- [Variables](#variables)
+- [Outputs](#outputs)
+- [Fixtures](#fixtures)
+<!-- END TOC -->
+
+## Examples
+### Simple example
 
 This example shows how to setup a project, VPC and a standalone Cloud SQL instance.
 
@@ -14,10 +31,12 @@ This example shows how to setup a project, VPC and a standalone Cloud SQL instan
 module "project" {
   source          = "./fabric/modules/project"
   billing_account = var.billing_account_id
-  parent          = var.organization_id
-  name            = "my-db-project"
+  parent          = var.folder_id
+  name            = "db-prj"
+  prefix          = var.prefix
   services = [
-    "servicenetworking.googleapis.com"
+    "servicenetworking.googleapis.com",
+    "sqladmin.googleapis.com",
   ]
 }
 
@@ -25,9 +44,18 @@ module "vpc" {
   source     = "./fabric/modules/net-vpc"
   project_id = module.project.project_id
   name       = "my-network"
+  # need only one - psa_config or subnets_psc
   psa_configs = [{
-    ranges = { cloud-sql = "10.60.0.0/16" }
+    ranges          = { cloud-sql = "10.60.0.0/16" }
+    deletion_policy = "ABANDON"
   }]
+  subnets_psc = [
+    {
+      ip_cidr_range = "10.0.3.0/24"
+      name          = "psc"
+      region        = var.region
+    }
+  ]
 }
 
 module "db" {
@@ -38,17 +66,20 @@ module "db" {
       psa_config = {
         private_network = module.vpc.self_link
       }
+      # psc_allowed_consumer_projects = [var.project_id]
     }
   }
-  name             = "db"
-  region           = "europe-west1"
-  database_version = "POSTGRES_13"
-  tier             = "db-g1-small"
+  name                          = "db"
+  region                        = var.region
+  database_version              = "POSTGRES_13"
+  tier                          = "db-g1-small"
+  gcp_deletion_protection       = false
+  terraform_deletion_protection = false
 }
-# tftest modules=3 resources=11 inventory=simple.yaml
+# tftest modules=3 resources=14 inventory=simple.yaml e2e
 ```
 
-## Cross-regional read replica
+### Cross-regional read replica
 
 ```hcl
 module "db" {
@@ -61,21 +92,23 @@ module "db" {
       }
     }
   }
-  prefix           = "myprefix"
   name             = "db"
-  region           = "europe-west1"
+  prefix           = "myprefix"
+  region           = var.region
   database_version = "POSTGRES_13"
   tier             = "db-g1-small"
 
   replicas = {
-    replica1 = { region = "europe-west3", encryption_key_name = null }
-    replica2 = { region = "us-central1", encryption_key_name = null }
+    replica1 = { region = "europe-west3" }
+    replica2 = { region = "us-central1" }
   }
+  gcp_deletion_protection       = false
+  terraform_deletion_protection = false
 }
-# tftest modules=1 resources=3 inventory=replicas.yaml
+# tftest modules=1 resources=3 inventory=replicas.yaml e2e
 ```
 
-## Custom flags, databases and users
+### Custom flags, databases and users
 
 ```hcl
 module "db" {
@@ -89,7 +122,7 @@ module "db" {
     }
   }
   name             = "db"
-  region           = "europe-west1"
+  region           = var.region
   database_version = "MYSQL_8_0"
   tier             = "db-g1-small"
 
@@ -112,47 +145,19 @@ module "db" {
       password = "mypassword"
     }
   }
+  gcp_deletion_protection       = false
+  terraform_deletion_protection = false
 }
-# tftest modules=1 resources=6 inventory=custom.yaml
+# tftest modules=1 resources=6 inventory=custom.yaml e2e
 ```
 
 ### CMEK encryption
 
 ```hcl
-
-module "project" {
-  source          = "./fabric/modules/project"
-  billing_account = var.billing_account_id
-  parent          = var.organization_id
-  name            = "my-db-project"
-  services = [
-    "servicenetworking.googleapis.com",
-    "sqladmin.googleapis.com",
-  ]
-}
-
-module "kms" {
-  source     = "./fabric/modules/kms"
-  project_id = module.project.project_id
-  keyring = {
-    name     = "keyring"
-    location = var.region
-  }
-  keys = {
-    key-sql = {
-      iam = {
-        "roles/cloudkms.cryptoKeyEncrypterDecrypter" = [
-          "serviceAccount:${module.project.service_accounts.robots.sqladmin}"
-        ]
-      }
-    }
-  }
-}
-
 module "db" {
   source              = "./fabric/modules/cloudsql-instance"
-  project_id          = module.project.project_id
-  encryption_key_name = module.kms.keys["key-sql"].id
+  project_id          = var.project_id
+  encryption_key_name = var.kms_key.id
   network_config = {
     connectivity = {
       psa_config = {
@@ -160,13 +165,15 @@ module "db" {
       }
     }
   }
-  name             = "db"
-  region           = var.region
-  database_version = "POSTGRES_13"
-  tier             = "db-g1-small"
+  name                          = "db"
+  region                        = var.region
+  database_version              = "POSTGRES_13"
+  tier                          = "db-g1-small"
+  gcp_deletion_protection       = false
+  terraform_deletion_protection = false
 }
 
-# tftest modules=3 resources=10
+# tftest modules=1 resources=2 fixtures=fixtures/cloudsql-kms-iam-grant.tf e2e
 ```
 
 ### Instance with PSC enabled
@@ -177,22 +184,25 @@ module "db" {
   project_id = var.project_id
   network_config = {
     connectivity = {
-      psc_allowed_consumer_projects = ["my-project-id"]
+      psc_allowed_consumer_projects = [var.project_id]
     }
   }
   prefix            = "myprefix"
   name              = "db"
-  region            = "europe-west1"
+  region            = var.region
   availability_type = "REGIONAL"
   database_version  = "POSTGRES_13"
   tier              = "db-g1-small"
+
+  gcp_deletion_protection       = false
+  terraform_deletion_protection = false
 }
-# tftest modules=1 resources=1
+# tftest modules=1 resources=1 inventory=psc.yaml e2e
 ```
 
 ### Enable public IP
 
-Use `ipv_enabled` to create instances with a public IP.
+Use `public_ipv4` to create instances with a public IP.
 
 ```hcl
 module "db" {
@@ -206,15 +216,14 @@ module "db" {
       }
     }
   }
-  name             = "db"
-  region           = "europe-west1"
-  tier             = "db-g1-small"
-  database_version = "MYSQL_8_0"
-  replicas = {
-    replica1 = { region = "europe-west3", encryption_key_name = null }
-  }
+  name                          = "db"
+  region                        = var.region
+  tier                          = "db-g1-small"
+  database_version              = "MYSQL_8_0"
+  gcp_deletion_protection       = false
+  terraform_deletion_protection = false
 }
-# tftest modules=1 resources=2 inventory=public-ip.yaml
+# tftest modules=1 resources=1 inventory=public-ip.yaml e2e
 ```
 
 ### Query Insights
@@ -233,15 +242,17 @@ module "db" {
     }
   }
   name             = "db"
-  region           = "europe-west1"
+  region           = var.region
   database_version = "POSTGRES_13"
   tier             = "db-g1-small"
 
   insights_config = {
     query_string_length = 2048
   }
+  gcp_deletion_protection       = false
+  terraform_deletion_protection = false
 }
-# tftest modules=1 resources=1 inventory=insights.yaml
+# tftest modules=1 resources=1 inventory=insights.yaml e2e
 ```
 
 ### Maintenance Config
@@ -260,13 +271,15 @@ module "db" {
     }
   }
   name             = "db"
-  region           = "europe-west1"
+  region           = var.region
   database_version = "POSTGRES_13"
   tier             = "db-g1-small"
 
-  maintenance_config = {}
+  maintenance_config            = {}
+  gcp_deletion_protection       = false
+  terraform_deletion_protection = false
 }
-# tftest modules=1 resources=1 
+# tftest modules=1 resources=1 e2e
 ```
 
 ### SSL Config
@@ -285,13 +298,15 @@ module "db" {
     }
   }
   name             = "db"
-  region           = "europe-west1"
+  region           = var.region
   database_version = "POSTGRES_13"
   tier             = "db-g1-small"
 
-  ssl = {}
+  ssl                           = {}
+  gcp_deletion_protection       = false
+  terraform_deletion_protection = false
 }
-# tftest modules=1 resources=1 
+# tftest modules=1 resources=1 e2e
 ```
 <!-- BEGIN TFDOC -->
 ## Variables
@@ -322,7 +337,7 @@ module "db" {
 | [labels](variables.tf#L140) | Labels to be attached to all instances. | <code>map&#40;string&#41;</code> |  | <code>null</code> |
 | [maintenance_config](variables.tf#L146) | Set maintenance window configuration and maintenance deny period (up to 90 days). Date format: 'yyyy-mm-dd'. | <code title="object&#40;&#123;&#10;  maintenance_window &#61; optional&#40;object&#40;&#123;&#10;    day          &#61; number&#10;    hour         &#61; number&#10;    update_track &#61; optional&#40;string, null&#41;&#10;  &#125;&#41;, null&#41;&#10;  deny_maintenance_period &#61; optional&#40;object&#40;&#123;&#10;    start_date &#61; string&#10;    end_date   &#61; string&#10;    start_time &#61; optional&#40;string, &#34;00:00:00&#34;&#41;&#10;  &#125;&#41;, null&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |
 | [prefix](variables.tf#L207) | Optional prefix used to generate instance names. | <code>string</code> |  | <code>null</code> |
-| [replicas](variables.tf#L227) | Map of NAME=> {REGION, KMS_KEY} for additional read replicas. Set to null to disable replica creation. | <code title="map&#40;object&#40;&#123;&#10;  region              &#61; string&#10;  encryption_key_name &#61; string&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
+| [replicas](variables.tf#L227) | Map of NAME=> {REGION, KMS_KEY} for additional read replicas. Set to null to disable replica creation. | <code title="map&#40;object&#40;&#123;&#10;  region              &#61; string&#10;  encryption_key_name &#61; optional&#40;string&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
 | [root_password](variables.tf#L236) | Root password of the Cloud SQL instance. Required for MS SQL Server. | <code>string</code> |  | <code>null</code> |
 | [ssl](variables.tf#L242) | Setting to enable SSL, set config and certificates. | <code title="object&#40;&#123;&#10;  client_certificates &#61; optional&#40;list&#40;string&#41;&#41;&#10;  require_ssl         &#61; optional&#40;bool&#41;&#10;  ssl_mode &#61; optional&#40;string&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |
 | [terraform_deletion_protection](variables.tf#L258) | Prevent terraform from deleting instances. | <code>bool</code> |  | <code>true</code> |
@@ -350,4 +365,8 @@ module "db" {
 | [self_link](outputs.tf#L114) | Self link of the primary instance. |  |
 | [self_links](outputs.tf#L119) | Self links of all instances. |  |
 | [user_passwords](outputs.tf#L127) | Map of containing the password of all users created through terraform. | ✓ |
+
+## Fixtures
+
+- [cloudsql-kms-iam-grant.tf](../../tests/fixtures/cloudsql-kms-iam-grant.tf)
 <!-- END TFDOC -->
diff --git a/modules/cloudsql-instance/variables.tf b/modules/cloudsql-instance/variables.tf
index e67dd3979a..613e106e74 100644
--- a/modules/cloudsql-instance/variables.tf
+++ b/modules/cloudsql-instance/variables.tf
@@ -228,7 +228,7 @@ variable "replicas" {
   description = "Map of NAME=> {REGION, KMS_KEY} for additional read replicas. Set to null to disable replica creation."
   type = map(object({
     region              = string
-    encryption_key_name = string
+    encryption_key_name = optional(string)
   }))
   default = {}
 }
diff --git a/modules/net-address/README.md b/modules/net-address/README.md
index 55b84108a2..5f53063368 100644
--- a/modules/net-address/README.md
+++ b/modules/net-address/README.md
@@ -122,6 +122,26 @@ module "addresses" {
 # tftest modules=1 resources=1 inventory=psc.yaml e2e
 ```
 
+To create PSC address targeting a service regional provider use the `service_attachment` property.
+```hcl
+module "addresses" {
+  source     = "./fabric/modules/net-address"
+  project_id = var.project_id
+  psc_addresses = {
+    cloudsql-one = {
+      address          = "10.0.16.32"
+      subnet_self_link = var.subnet.self_link
+      region           = var.region
+      service_attachment = {
+        psc_service_attachment_link = module.cloudsql-instance.psc_service_attachment_link
+      }
+    }
+  }
+}
+# tftest modules=2 resources=3 fixtures=fixtures/cloudsql-instance.tf inventory=psc-service-attachment.yaml e2e
+```
+
+
 ### IPSec Interconnect addresses
 
 ```hcl
@@ -176,8 +196,8 @@ module "addresses" {
 | [internal_addresses](variables.tf#L50) | Map of internal addresses to create, keyed by name. | <code title="map&#40;object&#40;&#123;&#10;  region      &#61; string&#10;  subnetwork  &#61; string&#10;  address     &#61; optional&#40;string&#41;&#10;  description &#61; optional&#40;string, &#34;Terraform managed.&#34;&#41;&#10;  ipv6        &#61; optional&#40;map&#40;string&#41;&#41; &#35; To be left empty for ipv6&#10;  labels      &#61; optional&#40;map&#40;string&#41;&#41;&#10;  name        &#61; optional&#40;string&#41;&#10;  purpose     &#61; optional&#40;string&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
 | [ipsec_interconnect_addresses](variables.tf#L65) | Map of internal addresses used for HPA VPN over Cloud Interconnect. | <code title="map&#40;object&#40;&#123;&#10;  region        &#61; string&#10;  address       &#61; string&#10;  network       &#61; string&#10;  description   &#61; optional&#40;string, &#34;Terraform managed.&#34;&#41;&#10;  name          &#61; optional&#40;string&#41;&#10;  prefix_length &#61; number&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
 | [network_attachments](variables.tf#L84) | PSC network attachments, names as keys. | <code title="map&#40;object&#40;&#123;&#10;  subnet_self_link      &#61; string&#10;  automatic_connection  &#61; optional&#40;bool, false&#41;&#10;  description           &#61; optional&#40;string, &#34;Terraform-managed.&#34;&#41;&#10;  producer_accept_lists &#61; optional&#40;list&#40;string&#41;&#41;&#10;  producer_reject_lists &#61; optional&#40;list&#40;string&#41;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
-| [psa_addresses](variables.tf#L102) | Map of internal addresses used for Private Service Access. | <code title="map&#40;object&#40;&#123;&#10;  address       &#61; string&#10;  network       &#61; string&#10;  prefix_length &#61; number&#10;  description   &#61; optional&#40;string, &#34;Terraform managed.&#34;&#41;&#10;  name          &#61; optional&#40;string&#41;&#10;&#10;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
-| [psc_addresses](variables.tf#L115) | Map of internal addresses used for Private Service Connect. | <code title="map&#40;object&#40;&#123;&#10;  address     &#61; string&#10;  network     &#61; string&#10;  description &#61; optional&#40;string, &#34;Terraform managed.&#34;&#41;&#10;  name        &#61; optional&#40;string&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
+| [psa_addresses](variables.tf#L102) | Map of internal addresses used for Private Service Access. | <code title="map&#40;object&#40;&#123;&#10;  address       &#61; string&#10;  network       &#61; string&#10;  prefix_length &#61; number&#10;  description   &#61; optional&#40;string, &#34;Terraform managed.&#34;&#41;&#10;  name          &#61; optional&#40;string&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
+| [psc_addresses](variables.tf#L114) | Map of internal addresses used for Private Service Connect. | <code title="map&#40;object&#40;&#123;&#10;  address          &#61; string&#10;  description      &#61; optional&#40;string, &#34;Terraform managed.&#34;&#41;&#10;  name             &#61; optional&#40;string&#41;&#10;  network          &#61; optional&#40;string&#41;&#10;  region           &#61; optional&#40;string&#41;&#10;  subnet_self_link &#61; optional&#40;string&#41;&#10;  service_attachment &#61; optional&#40;object&#40;&#123; &#35; so we can safely check if service_attachemnt &#33;&#61; null in for_each&#10;    psc_service_attachment_link &#61; string&#10;  &#125;&#41;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
 
 ## Outputs
 
@@ -193,5 +213,6 @@ module "addresses" {
 
 ## Fixtures
 
+- [cloudsql-instance.tf](../../tests/fixtures/cloudsql-instance.tf)
 - [net-vpc-ipv6.tf](../../tests/fixtures/net-vpc-ipv6.tf)
 <!-- END TFDOC -->
diff --git a/modules/net-address/main.tf b/modules/net-address/main.tf
index 20b8b6a16e..e7c69413cd 100644
--- a/modules/net-address/main.tf
+++ b/modules/net-address/main.tf
@@ -1,5 +1,5 @@
 /**
- * Copyright 2022 Google LLC
+ * Copyright 2024 Google LLC
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -14,20 +14,6 @@
  * limitations under the License.
  */
 
-locals {
-  network_attachments = {
-    for k, v in var.network_attachments : k => merge(v, {
-      region = regex("regions/([^/]+)", v.subnet_self_link)[0]
-      # not using the full self link generates a permadiff
-      subnet_self_link = (
-        startswith(v.subnet_self_link, "https://")
-        ? v.subnet_self_link
-        : "https://www.googleapis.com/compute/v1/${v.subnet_self_link}"
-      )
-    })
-  }
-}
-
 resource "google_compute_global_address" "global" {
   for_each    = var.global_addresses
   project     = var.project_id
@@ -66,18 +52,6 @@ resource "google_compute_address" "internal" {
   subnetwork   = each.value.subnetwork
 }
 
-resource "google_compute_global_address" "psc" {
-  for_each     = var.psc_addresses
-  project      = var.project_id
-  name         = coalesce(each.value.name, each.key)
-  description  = each.value.description
-  address      = try(each.value.address, null)
-  address_type = "INTERNAL"
-  network      = each.value.network
-  purpose      = "PRIVATE_SERVICE_CONNECT"
-  # labels       = lookup(var.internal_address_labels, each.key, {})
-}
-
 resource "google_compute_global_address" "psa" {
   for_each      = var.psa_addresses
   project       = var.project_id
@@ -104,17 +78,3 @@ resource "google_compute_address" "ipsec_interconnect" {
   purpose       = "IPSEC_INTERCONNECT"
 }
 
-resource "google_compute_network_attachment" "default" {
-  provider    = google-beta
-  for_each    = local.network_attachments
-  project     = var.project_id
-  region      = each.value.region
-  name        = each.key
-  description = each.value.description
-  connection_preference = (
-    each.value.automatic_connection ? "ACCEPT_AUTOMATIC" : "ACCEPT_MANUAL"
-  )
-  subnetworks           = [each.value.subnet_self_link]
-  producer_accept_lists = each.value.producer_accept_lists
-  producer_reject_lists = each.value.producer_reject_lists
-}
diff --git a/modules/net-address/psc.tf b/modules/net-address/psc.tf
new file mode 100644
index 0000000000..2fbf75788f
--- /dev/null
+++ b/modules/net-address/psc.tf
@@ -0,0 +1,102 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+locals {
+  network_attachments = {
+    for k, v in var.network_attachments : k => merge(v, {
+      region = regex("regions/([^/]+)", v.subnet_self_link)[0]
+      # not using the full self link generates a permadiff
+      subnet_self_link = (
+        startswith(v.subnet_self_link, "https://")
+        ? v.subnet_self_link
+        : "https://www.googleapis.com/compute/v1/${v.subnet_self_link}"
+      )
+    })
+  }
+  regional_psc = {
+    for name, psc in var.psc_addresses : name => psc if psc.region != null
+
+  }
+  global_psc = {
+    for name, psc in var.psc_addresses : name => psc if psc.region == null
+  }
+}
+
+resource "google_compute_network_attachment" "default" {
+  provider    = google-beta
+  for_each    = local.network_attachments
+  project     = var.project_id
+  region      = each.value.region
+  name        = each.key
+  description = each.value.description
+  connection_preference = (
+    each.value.automatic_connection ? "ACCEPT_AUTOMATIC" : "ACCEPT_MANUAL"
+  )
+  subnetworks           = [each.value.subnet_self_link]
+  producer_accept_lists = each.value.producer_accept_lists
+  producer_reject_lists = each.value.producer_reject_lists
+}
+
+# global PSC services
+resource "google_compute_global_address" "psc" {
+  for_each     = local.global_psc
+  project      = var.project_id
+  name         = coalesce(each.value.name, each.key)
+  description  = each.value.description
+  address      = try(each.value.address, null)
+  address_type = "INTERNAL"
+  network      = each.value.network
+  purpose      = "PRIVATE_SERVICE_CONNECT"
+  # labels       = lookup(var.internal_address_labels, each.key, {})
+}
+
+resource "google_compute_global_forwarding_rule" "psc_consumer" {
+  for_each              = { for name, psc in local.global_psc : name => psc if psc.service_attachment != null }
+  name                  = coalesce(each.value.name, each.key)
+  project               = var.project_id
+  subnetwork            = each.value.subnet_self_link
+  ip_address            = google_compute_global_address.psc[each.key].self_link
+  load_balancing_scheme = ""
+  target                = each.value.service_attachment.psc_service_attachment_link
+}
+
+# regional PSC services
+resource "google_compute_address" "psc" {
+  for_each     = local.regional_psc
+  project      = var.project_id
+  name         = coalesce(each.value.name, each.key)
+  address      = try(each.value.address, null)
+  address_type = "INTERNAL"
+  description  = each.value.description
+  network      = each.value.network
+  # purpose not applicable for regional address
+  # purpose      = "PRIVATE_SERVICE_CONNECT"
+  region     = each.value.region
+  subnetwork = each.value.subnet_self_link
+  # labels       = lookup(var.internal_address_labels, each.key, {})
+}
+
+resource "google_compute_forwarding_rule" "psc_consumer" {
+  for_each              = { for name, psc in local.regional_psc : name => psc if psc.service_attachment != null }
+  name                  = coalesce(each.value.name, each.key)
+  project               = var.project_id
+  region                = each.value.region
+  subnetwork            = each.value.subnet_self_link
+  ip_address            = google_compute_address.psc[each.key].self_link
+  load_balancing_scheme = ""
+  recreate_closed_psc   = true
+  target                = each.value.service_attachment.psc_service_attachment_link
+}
diff --git a/modules/net-address/variables.tf b/modules/net-address/variables.tf
index 190bffdde6..236c23960a 100644
--- a/modules/net-address/variables.tf
+++ b/modules/net-address/variables.tf
@@ -107,7 +107,6 @@ variable "psa_addresses" {
     prefix_length = number
     description   = optional(string, "Terraform managed.")
     name          = optional(string)
-
   }))
   default = {}
 }
@@ -115,10 +114,27 @@ variable "psa_addresses" {
 variable "psc_addresses" {
   description = "Map of internal addresses used for Private Service Connect."
   type = map(object({
-    address     = string
-    network     = string
-    description = optional(string, "Terraform managed.")
-    name        = optional(string)
+    address          = string
+    description      = optional(string, "Terraform managed.")
+    name             = optional(string)
+    network          = optional(string)
+    region           = optional(string)
+    subnet_self_link = optional(string)
+    service_attachment = optional(object({ # so we can safely check if service_attachemnt != null in for_each
+      psc_service_attachment_link = string
+    }))
   }))
   default = {}
+  validation {
+    condition     = alltrue([for key, value in var.psc_addresses : (value.region != null || (value.region == null && value.network != null))])
+    error_message = "Provide network if creating global PSC addresses / endpoints."
+  }
+  validation {
+    condition     = alltrue([for key, value in var.psc_addresses : (value.region == null || (value.region != null && value.subnet_self_link != null))])
+    error_message = "Provide subnet_self_link if creating regional PSC addresses / endpoints."
+  }
+  validation {
+    condition     = alltrue([for key, value in var.psc_addresses : !(value.subnet_self_link != null && value.network != null)])
+    error_message = "Do not provide network and subnet_self_link at the same time"
+  }
 }
diff --git a/tests/collectors.py b/tests/collectors.py
index 749e192c50..310b8151cc 100644
--- a/tests/collectors.py
+++ b/tests/collectors.py
@@ -87,8 +87,15 @@ def __init__(self, name, parent, module, inventory, tf_var_files,
     self.extra_files = extra_files
 
   def runtest(self):
-    s = plan_validator(self.module, self.inventory, self.parent.path.parent,
-                       self.tf_var_files, self.extra_files)
+    try:
+      summary = plan_validator(self.module, self.inventory, self.parent.path.parent,
+                             self.tf_var_files, self.extra_files)
+    except AssertionError:
+      def full_paths(x):
+        return [(self.parent.path.parent / x ) for x in x]
+      print(f'Error in inventory file: {" ".join(full_paths(self.inventory))}')
+      print(f'To regenerate inventory run: python tools/plan_summary.py {self.module} {" ".join(full_paths(self.tf_var_files))}')
+      raise
 
   def reportinfo(self):
     return self.path, None, self.name
diff --git a/tests/examples/variables.tf b/tests/examples/variables.tf
index 29dc8d8940..d999609b0e 100644
--- a/tests/examples/variables.tf
+++ b/tests/examples/variables.tf
@@ -84,7 +84,7 @@ variable "subnet_psc_1" {
     name      = "subnet_name"
     region    = "subnet_region"
     cidr      = "subnet_cidr"
-    self_link = "subnet_self_link"
+    self_link = "https://www.googleapis.com/compute/v1/projects/my-project/regions/europe-west8/subnetworks/subnet"
   }
 }
 
diff --git a/tests/examples_e2e/setup_module/e2e_tests.tfvars.tftpl b/tests/examples_e2e/setup_module/e2e_tests.tfvars.tftpl
index 5bb6d779ec..fd63d450fe 100644
--- a/tests/examples_e2e/setup_module/e2e_tests.tfvars.tftpl
+++ b/tests/examples_e2e/setup_module/e2e_tests.tfvars.tftpl
@@ -37,6 +37,12 @@ subnet = {
     cidr      = "${subnet.ip_cidr_range}"
     self_link = "${subnet.self_link}"
   }
+subnet_psc_1 = {
+    name      = "${subnet_psc_1.name}"
+    region    = "${subnet_psc_1.region}"
+    cidr      = "${subnet_psc_1.ip_cidr_range}"
+    self_link = "${subnet_psc_1.self_link}"
+}
 vpc = {
     name      = "${vpc.name}"
     self_link = "${vpc.self_link}"
diff --git a/tests/examples_e2e/setup_module/main.tf b/tests/examples_e2e/setup_module/main.tf
index bd48e4fbd9..4e1d1931bf 100644
--- a/tests/examples_e2e/setup_module/main.tf
+++ b/tests/examples_e2e/setup_module/main.tf
@@ -15,7 +15,8 @@
 locals {
   prefix = "${var.prefix}-${var.timestamp}${var.suffix}"
   jit_services = [
-    "storage.googleapis.com", # no permissions granted by default
+    "storage.googleapis.com",  # no permissions granted by default
+    "sqladmin.googleapis.com", # roles/cloudsql.serviceAgent
   ]
   services = [
     # trimmed down list of services, to be extended as needed
@@ -35,6 +36,7 @@ locals {
     "secretmanager.googleapis.com",
     "servicenetworking.googleapis.com",
     "serviceusage.googleapis.com",
+    "sqladmin.googleapis.com",
     "stackdriver.googleapis.com",
     "storage-component.googleapis.com",
     "storage.googleapis.com",
@@ -114,6 +116,36 @@ resource "google_compute_subnetwork" "proxy_only_regional" {
   role          = "ACTIVE"
 }
 
+resource "google_compute_subnetwork" "psc" {
+  project       = google_project.project.project_id
+  network       = google_compute_network.network.name
+  name          = "psc-regional"
+  region        = var.region
+  ip_cidr_range = "10.0.19.0/24"
+  purpose       = "PRIVATE_SERVICE_CONNECT"
+}
+
+### PSA ###
+
+resource "google_compute_global_address" "psa_ranges" {
+  project       = google_project.project.project_id
+  network       = google_compute_network.network.id
+  name          = "psa-range"
+  purpose       = "VPC_PEERING"
+  address_type  = "INTERNAL"
+  address       = "10.0.20.0"
+  prefix_length = 22
+}
+
+resource "google_service_networking_connection" "psa_connection" {
+  network                 = google_compute_network.network.id
+  service                 = "servicenetworking.googleapis.com"
+  reserved_peering_ranges = [google_compute_global_address.psa_ranges.name]
+  deletion_policy         = "ABANDON"
+}
+
+### END OF PSA
+
 resource "google_service_account" "service_account" {
   account_id = "e2e-service-account"
   project    = google_project.project.project_id
@@ -141,6 +173,12 @@ resource "google_project_service_identity" "jit_si" {
   depends_on = [google_project_service.project_service]
 }
 
+resource "google_project_iam_binding" "cloudsql_agent" {
+  members    = ["serviceAccount:service-${google_project.project.number}@gcp-sa-cloud-sql.iam.gserviceaccount.com"]
+  project    = google_project.project.project_id
+  role       = "roles/cloudsql.serviceAgent"
+  depends_on = [google_project_service_identity.jit_si]
+}
 
 resource "local_file" "terraform_tfvars" {
   filename = "e2e_tests.tfvars"
@@ -168,6 +206,12 @@ resource "local_file" "terraform_tfvars" {
       ip_cidr_range = google_compute_subnetwork.subnetwork.ip_cidr_range
       self_link     = google_compute_subnetwork.subnetwork.self_link
     }
+    subnet_psc_1 = {
+      name          = google_compute_subnetwork.psc.name
+      region        = google_compute_subnetwork.psc.region
+      ip_cidr_range = google_compute_subnetwork.psc.ip_cidr_range
+      self_link     = google_compute_subnetwork.psc.self_link
+    }
     vpc = {
       name      = google_compute_network.network.name
       self_link = google_compute_network.network.self_link
diff --git a/tests/fixtures.py b/tests/fixtures.py
index 50b6d8ad6a..1d725135f4 100644
--- a/tests/fixtures.py
+++ b/tests/fixtures.py
@@ -186,8 +186,13 @@ def plan_validator(module_path, inventory_paths, basedir, tf_var_files=None,
     # print(yaml.dump({'counts': summary.counts}))
 
     if 'values' in inventory:
-      validate_plan_object(inventory['values'], summary.values, relative_path,
-                           "")
+      try:
+        validate_plan_object(inventory['values'], summary.values, relative_path,
+                             "")
+      except AssertionError:
+        print(f'\n{path}')
+        print(yaml.dump({'values': summary.values}))
+        raise
 
     if 'counts' in inventory:
       try:
@@ -199,6 +204,7 @@ def plan_validator(module_path, inventory_paths, basedir, tf_var_files=None,
           assert plan_count == expected_count, \
               f'{relative_path}: count of {type_} resources failed. Got {plan_count}, expected {expected_count}'
       except AssertionError:
+        print(f'\n{path}')
         print(yaml.dump({'counts': summary.counts}))
         raise
 
@@ -218,6 +224,7 @@ def plan_validator(module_path, inventory_paths, basedir, tf_var_files=None,
               f'{relative_path}: output {output_name} failed. Got `{plan_output}`, expected `{expected_output}`'
       except AssertionError:
         if _buffer:
+          print(f'\n{path}')
           print(yaml.dump(_buffer))
         raise
   return summary
diff --git a/tests/fixtures/cloudsql-instance.tf b/tests/fixtures/cloudsql-instance.tf
new file mode 100644
index 0000000000..6fed8d6ada
--- /dev/null
+++ b/tests/fixtures/cloudsql-instance.tf
@@ -0,0 +1,33 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+module "cloudsql-instance" {
+  source     = "./fabric/modules/cloudsql-instance"
+  project_id = var.project_id
+  network_config = {
+    connectivity = {
+      psc_allowed_consumer_projects = [var.project_id]
+    }
+  }
+  ## define a consumer project with an endpoint within the project
+  name                          = "db"
+  region                        = var.region
+  availability_type             = "REGIONAL"
+  database_version              = "POSTGRES_13"
+  tier                          = "db-g1-small"
+  gcp_deletion_protection       = false
+  terraform_deletion_protection = false
+}
diff --git a/tests/fixtures/cloudsql-kms-iam-grant.tf b/tests/fixtures/cloudsql-kms-iam-grant.tf
new file mode 100644
index 0000000000..9ea53a0268
--- /dev/null
+++ b/tests/fixtures/cloudsql-kms-iam-grant.tf
@@ -0,0 +1,23 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+resource "google_kms_crypto_key_iam_binding" "encrypt_decrypt" {
+  crypto_key_id = var.kms_key.id
+  members = [
+    "serviceAccount:service-${var.project_number}@gcp-sa-cloud-sql.iam.gserviceaccount.com"
+  ]
+  role = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
+}
diff --git a/tests/modules/cloudsql_instance/examples/insights.yaml b/tests/modules/cloudsql_instance/examples/insights.yaml
index 84a4245ddf..a2c46f5b9b 100644
--- a/tests/modules/cloudsql_instance/examples/insights.yaml
+++ b/tests/modules/cloudsql_instance/examples/insights.yaml
@@ -17,11 +17,11 @@ values:
     database_version: POSTGRES_13
     name: db
     project: project-id
-    region: europe-west1
+    region: europe-west8
     settings:
     - activation_policy: ALWAYS
       availability_type: ZONAL
-      deletion_protection_enabled: true
+      deletion_protection_enabled: false
       disk_autoresize: true
       disk_type: PD_SSD
       insights_config:
diff --git a/tests/modules/cloudsql_instance/examples/psc.yaml b/tests/modules/cloudsql_instance/examples/psc.yaml
new file mode 100644
index 0000000000..722700d7bd
--- /dev/null
+++ b/tests/modules/cloudsql_instance/examples/psc.yaml
@@ -0,0 +1,38 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+values:
+  module.db.google_sql_database_instance.primary:
+    database_version: POSTGRES_13
+    deletion_protection: false
+    name: myprefix-db
+    project: project-id
+    region: europe-west8
+    settings:
+    - activation_policy: ALWAYS
+      availability_type: REGIONAL
+      deletion_protection_enabled: false
+      ip_configuration:
+      - ipv4_enabled: false
+        private_network: null
+        psc_config:
+        - allowed_consumer_projects:
+          - project-id
+          psc_enabled: true
+      tier: db-g1-small
+
+counts:
+  google_sql_database_instance: 1
+  modules: 1
+  resources: 1
diff --git a/tests/modules/cloudsql_instance/examples/public-ip.yaml b/tests/modules/cloudsql_instance/examples/public-ip.yaml
index f3ca86d3a5..e216ee3b0f 100644
--- a/tests/modules/cloudsql_instance/examples/public-ip.yaml
+++ b/tests/modules/cloudsql_instance/examples/public-ip.yaml
@@ -17,30 +17,11 @@ values:
     database_version: MYSQL_8_0
     name: db
     project: project-id
-    region: europe-west1
+    region: europe-west8
     settings:
     - activation_policy: ALWAYS
       availability_type: ZONAL
-      deletion_protection_enabled: true
-      disk_autoresize: true
-      disk_type: PD_SSD
-      insights_config: []
-      ip_configuration:
-      - allocated_ip_range: null
-        authorized_networks: []
-        ipv4_enabled: true
-        private_network: projects/xxx/global/networks/aaa
-      tier: db-g1-small
-  module.db.google_sql_database_instance.replicas["replica1"]:
-    database_version: MYSQL_8_0
-    master_instance_name: db
-    name: replica1
-    project: project-id
-    region: europe-west3
-    settings:
-    - activation_policy: ALWAYS
-      availability_type: ZONAL
-      deletion_protection_enabled: true
+      deletion_protection_enabled: false
       disk_autoresize: true
       disk_type: PD_SSD
       insights_config: []
@@ -52,4 +33,4 @@ values:
       tier: db-g1-small
 
 counts:
-  google_sql_database_instance: 2
+  google_sql_database_instance: 1
diff --git a/tests/modules/cloudsql_instance/examples/replicas.yaml b/tests/modules/cloudsql_instance/examples/replicas.yaml
index 1ed30f9bc9..bb337d4457 100644
--- a/tests/modules/cloudsql_instance/examples/replicas.yaml
+++ b/tests/modules/cloudsql_instance/examples/replicas.yaml
@@ -18,7 +18,7 @@ values:
     database_version: POSTGRES_13
     name: myprefix-db
     project: project-id
-    region: europe-west1
+    region: europe-west8
   module.db.google_sql_database_instance.replicas["replica1"]:
     clone: []
     database_version: POSTGRES_13
diff --git a/tests/modules/cloudsql_instance/examples/simple.yaml b/tests/modules/cloudsql_instance/examples/simple.yaml
index 5103c12b4e..4221eb288c 100644
--- a/tests/modules/cloudsql_instance/examples/simple.yaml
+++ b/tests/modules/cloudsql_instance/examples/simple.yaml
@@ -16,10 +16,10 @@ values:
   module.db.google_sql_database_instance.primary:
     clone: []
     database_version: POSTGRES_13
-    deletion_protection: true
+    deletion_protection: false
     name: db
-    project: my-db-project
-    region: europe-west1
+    project: test-db-prj
+    region: europe-west8
     restore_backup_context: []
     root_password: null
     settings:
@@ -30,7 +30,7 @@ values:
       collation: null
       data_cache_config: []
       database_flags: []
-      deletion_protection_enabled: true
+      deletion_protection_enabled: false
       deny_maintenance_period: []
       disk_autoresize: true
       disk_autoresize_limit: 0
@@ -54,25 +54,25 @@ values:
   module.project.google_project.project[0]:
     auto_create_network: false
     billing_account: 123456-123456-123456
-    folder_id: null
+    folder_id: '1122334455'
     labels: null
-    name: my-db-project
-    org_id: '1122334455'
-    project_id: my-db-project
+    name: test-db-prj
+    org_id: null
+    project_id: test-db-prj
     skip_delete: false
     timeouts: null
   module.project.google_project_iam_member.servicenetworking[0]:
     condition: []
-    project: my-db-project
+    project: test-db-prj
     role: roles/servicenetworking.serviceAgent
   module.project.google_project_service.project_services["servicenetworking.googleapis.com"]:
     disable_dependent_services: false
     disable_on_destroy: false
-    project: my-db-project
+    project: test-db-prj
     service: servicenetworking.googleapis.com
     timeouts: null
   module.project.google_project_service_identity.servicenetworking[0]:
-    project: my-db-project
+    project: test-db-prj
     service: servicenetworking.googleapis.com
     timeouts: null
   module.vpc.google_compute_global_address.psa_ranges["servicenetworking-googleapis-com-cloud-sql"]:
@@ -82,7 +82,7 @@ values:
     ip_version: null
     name: servicenetworking-googleapis-com-cloud-sql
     prefix_length: 16
-    project: my-db-project
+    project: test-db-prj
     purpose: VPC_PEERING
     timeouts: null
   module.vpc.google_compute_network.network[0]:
@@ -92,14 +92,14 @@ values:
     enable_ula_internal_ipv6: null
     name: my-network
     network_firewall_policy_enforcement_order: AFTER_CLASSIC_FIREWALL
-    project: my-db-project
+    project: test-db-prj
     routing_mode: GLOBAL
     timeouts: null
   module.vpc.google_compute_network_peering_routes_config.psa_routes["servicenetworking.googleapis.com"]:
     export_custom_routes: false
     import_custom_routes: false
     network: my-network
-    project: my-db-project
+    project: test-db-prj
     timeouts: null
   module.vpc.google_compute_route.gateway["private-googleapis"]:
     description: Terraform-managed.
@@ -111,7 +111,7 @@ values:
     next_hop_instance: null
     next_hop_vpn_tunnel: null
     priority: 1000
-    project: my-db-project
+    project: test-db-prj
     tags: null
     timeouts: null
   module.vpc.google_compute_route.gateway["restricted-googleapis"]:
@@ -124,11 +124,11 @@ values:
     next_hop_instance: null
     next_hop_vpn_tunnel: null
     priority: 1000
-    project: my-db-project
+    project: test-db-prj
     tags: null
     timeouts: null
   module.vpc.google_service_networking_connection.psa_connection["servicenetworking.googleapis.com"]:
-    deletion_policy: null
+    deletion_policy: ABANDON
     reserved_peering_ranges:
     - servicenetworking-googleapis-com-cloud-sql
     service: servicenetworking.googleapis.com
@@ -141,11 +141,11 @@ counts:
   google_compute_route: 2
   google_project: 1
   google_project_iam_member: 1
-  google_project_service: 1
-  google_project_service_identity: 1
+  google_project_service: 2
+  google_project_service_identity: 2
   google_service_networking_connection: 1
   google_sql_database_instance: 1
   modules: 3
-  resources: 11
+  resources: 14
 
 outputs: {}
diff --git a/tests/modules/net_address/examples/psc-service-attachment.yaml b/tests/modules/net_address/examples/psc-service-attachment.yaml
new file mode 100644
index 0000000000..7c3eaca02a
--- /dev/null
+++ b/tests/modules/net_address/examples/psc-service-attachment.yaml
@@ -0,0 +1,29 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+values:
+  module.addresses.google_compute_forwarding_rule.psc_consumer["cloudsql-one"]:
+    load_balancing_scheme: ''
+    name: cloudsql-one
+    project: project-id
+    recreate_closed_psc: true
+    region: europe-west8
+    subnetwork: subnet_self_link
+  module.addresses.google_compute_address.psc["cloudsql-one"]:
+    address: 10.0.16.32
+    address_type: INTERNAL
+    description: Terraform managed.
+    name: cloudsql-one
+    project: project-id
+    subnetwork: subnet_self_link

From af253c97022068c8c0500988b45e1ef0f727c7fe Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Wiktor=20Niesiob=C4=99dzki?= <wiktorn@google.com>
Date: Sun, 12 May 2024 21:02:04 +0200
Subject: [PATCH 24/31] Fix 0-bootstrap iam_by_principals not taking into
 account all principals (#2267)

* Fix 0-bootstrap iam_by_principals not taking into account all principals
* Add test-case for iam_by_principals for 0-bootstrap stage

---------

Co-authored-by: Ludovico Magnocavallo <ludomagno@google.com>
---
 fast/stages/0-bootstrap/organization.tf       | 10 +++++++--
 tests/collectors.py                           |  2 +-
 .../s0_bootstrap/iam_by_principals.tfvars     | 20 +++++++++++++++++
 .../s0_bootstrap/iam_by_principals.yaml       | 22 +++++++++++++++++++
 tests/fast/stages/s0_bootstrap/tftest.yaml    |  2 ++
 5 files changed, 53 insertions(+), 3 deletions(-)
 create mode 100644 tests/fast/stages/s0_bootstrap/iam_by_principals.tfvars
 create mode 100644 tests/fast/stages/s0_bootstrap/iam_by_principals.yaml

diff --git a/fast/stages/0-bootstrap/organization.tf b/fast/stages/0-bootstrap/organization.tf
index f91b4e8c14..fdd08937a7 100644
--- a/fast/stages/0-bootstrap/organization.tf
+++ b/fast/stages/0-bootstrap/organization.tf
@@ -138,8 +138,14 @@ module "organization" {
   organization_id = module.organization-logging.id
   # human (groups) IAM bindings
   iam_by_principals = {
-    for k, v in local.iam_principals :
-    k => distinct(concat(v, lookup(var.iam_by_principals, k, [])))
+    for key in distinct(concat(
+      keys(local.iam_principals),
+      keys(var.iam_by_principals),
+    )) :
+    key => distinct(concat(
+      lookup(local.iam_principals, key, []),
+      lookup(var.iam_by_principals, key, []),
+    ))
   }
   # machine (service accounts) IAM bindings
   iam = merge(
diff --git a/tests/collectors.py b/tests/collectors.py
index 310b8151cc..9e26c06774 100644
--- a/tests/collectors.py
+++ b/tests/collectors.py
@@ -92,7 +92,7 @@ def runtest(self):
                              self.tf_var_files, self.extra_files)
     except AssertionError:
       def full_paths(x):
-        return [(self.parent.path.parent / x ) for x in x]
+        return [str(self.parent.path.parent / x ) for x in x]
       print(f'Error in inventory file: {" ".join(full_paths(self.inventory))}')
       print(f'To regenerate inventory run: python tools/plan_summary.py {self.module} {" ".join(full_paths(self.tf_var_files))}')
       raise
diff --git a/tests/fast/stages/s0_bootstrap/iam_by_principals.tfvars b/tests/fast/stages/s0_bootstrap/iam_by_principals.tfvars
new file mode 100644
index 0000000000..4ceaffb6ac
--- /dev/null
+++ b/tests/fast/stages/s0_bootstrap/iam_by_principals.tfvars
@@ -0,0 +1,20 @@
+organization = {
+  domain      = "fast.example.com"
+  id          = 123456789012
+  customer_id = "C00000000"
+}
+billing_account = {
+  id = "000000-111111-222222"
+}
+essential_contacts = "gcp-organization-admins@fast.example.com"
+iam_by_principals = {
+  "user:other@fast.example.com" = ["roles/browser"]
+}
+prefix = "fast"
+org_policies_config = {
+  import_defaults = false
+}
+outputs_location = "/fast-config"
+groups = {
+  gcp-support = "group:gcp-support@example.com"
+}
diff --git a/tests/fast/stages/s0_bootstrap/iam_by_principals.yaml b/tests/fast/stages/s0_bootstrap/iam_by_principals.yaml
new file mode 100644
index 0000000000..83b965d302
--- /dev/null
+++ b/tests/fast/stages/s0_bootstrap/iam_by_principals.yaml
@@ -0,0 +1,22 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+values:
+  module.organization.google_organization_iam_binding.authoritative["roles/browser"]:
+    condition: []
+    members:
+    - domain:fast.example.com
+    - user:other@fast.example.com
+    org_id: '123456789012'
+    role: roles/browser
diff --git a/tests/fast/stages/s0_bootstrap/tftest.yaml b/tests/fast/stages/s0_bootstrap/tftest.yaml
index 8f415a219a..2643714eb9 100644
--- a/tests/fast/stages/s0_bootstrap/tftest.yaml
+++ b/tests/fast/stages/s0_bootstrap/tftest.yaml
@@ -25,3 +25,5 @@ tests:
       - simple.yaml
       - simple_projects.yaml
       - simple_sas.yaml
+  
+  iam_by_principals:

From 604920dec9ceb39e20b9768f482807f2675092ff Mon Sep 17 00:00:00 2001
From: Ludovico Magnocavallo <ludomagno@google.com>
Date: Mon, 13 May 2024 09:24:17 +0200
Subject: [PATCH 25/31] add logging settings to folder module (#2268)

---
 modules/folder/README.md                  | 18 +++---
 modules/folder/logging.tf                 |  7 ++
 modules/folder/variables-logging.tf       | 78 +++++++++++++++++++++++
 modules/folder/variables.tf               | 53 ---------------
 modules/organization/README.md            | 15 +++--
 modules/organization/variables-logging.tf | 78 +++++++++++++++++++++++
 modules/organization/variables.tf         | 63 ------------------
 7 files changed, 181 insertions(+), 131 deletions(-)
 create mode 100644 modules/folder/variables-logging.tf
 create mode 100644 modules/organization/variables-logging.tf

diff --git a/modules/folder/README.md b/modules/folder/README.md
index 2efb626b97..ff242aeec0 100644
--- a/modules/folder/README.md
+++ b/modules/folder/README.md
@@ -345,12 +345,13 @@ module "folder" {
 | name | description | resources |
 |---|---|---|
 | [iam.tf](./iam.tf) | IAM bindings. | <code>google_folder_iam_binding</code> · <code>google_folder_iam_member</code> |
-| [logging.tf](./logging.tf) | Log sinks and supporting resources. | <code>google_bigquery_dataset_iam_member</code> · <code>google_folder_iam_audit_config</code> · <code>google_logging_folder_exclusion</code> · <code>google_logging_folder_sink</code> · <code>google_project_iam_member</code> · <code>google_pubsub_topic_iam_member</code> · <code>google_storage_bucket_iam_member</code> |
+| [logging.tf](./logging.tf) | Log sinks and supporting resources. | <code>google_bigquery_dataset_iam_member</code> · <code>google_folder_iam_audit_config</code> · <code>google_logging_folder_exclusion</code> · <code>google_logging_folder_settings</code> · <code>google_logging_folder_sink</code> · <code>google_project_iam_member</code> · <code>google_pubsub_topic_iam_member</code> · <code>google_storage_bucket_iam_member</code> |
 | [main.tf](./main.tf) | Module-level locals and resources. | <code>google_compute_firewall_policy_association</code> · <code>google_essential_contacts_contact</code> · <code>google_folder</code> |
 | [organization-policies.tf](./organization-policies.tf) | Folder-level organization policies. | <code>google_org_policy_policy</code> |
 | [outputs.tf](./outputs.tf) | Module outputs. |  |
 | [tags.tf](./tags.tf) | None | <code>google_tags_tag_binding</code> |
 | [variables-iam.tf](./variables-iam.tf) | None |  |
+| [variables-logging.tf](./variables-logging.tf) | None |  |
 | [variables.tf](./variables.tf) | Module variables. |  |
 | [versions.tf](./versions.tf) | Version pins. |  |
 
@@ -367,13 +368,14 @@ module "folder" {
 | [iam_bindings_additive](variables-iam.tf#L39) | Individual additive IAM bindings. Keys are arbitrary. | <code title="map&#40;object&#40;&#123;&#10;  member &#61; string&#10;  role   &#61; string&#10;  condition &#61; optional&#40;object&#40;&#123;&#10;    expression  &#61; string&#10;    title       &#61; string&#10;    description &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
 | [iam_by_principals](variables-iam.tf#L54) | Authoritative IAM binding in {PRINCIPAL => [ROLES]} format. Principals need to be statically defined to avoid cycle errors. Merged internally with the `iam` variable. | <code>map&#40;list&#40;string&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
 | [id](variables.tf#L48) | Folder ID in case you use folder_create=false. | <code>string</code> |  | <code>null</code> |
-| [logging_data_access](variables.tf#L54) | Control activation of data access logs. Format is service => { log type => [exempted members]}. The special 'allServices' key denotes configuration for all services. | <code>map&#40;map&#40;list&#40;string&#41;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
-| [logging_exclusions](variables.tf#L69) | Logging exclusions for this folder in the form {NAME -> FILTER}. | <code>map&#40;string&#41;</code> |  | <code>&#123;&#125;</code> |
-| [logging_sinks](variables.tf#L76) | Logging sinks to create for the folder. | <code title="map&#40;object&#40;&#123;&#10;  bq_partitioned_table &#61; optional&#40;bool, false&#41;&#10;  description          &#61; optional&#40;string&#41;&#10;  destination          &#61; string&#10;  disabled             &#61; optional&#40;bool, false&#41;&#10;  exclusions           &#61; optional&#40;map&#40;string&#41;, &#123;&#125;&#41;&#10;  filter               &#61; optional&#40;string&#41;&#10;  iam                  &#61; optional&#40;bool, true&#41;&#10;  include_children     &#61; optional&#40;bool, true&#41;&#10;  type                 &#61; string&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
-| [name](variables.tf#L107) | Folder name. | <code>string</code> |  | <code>null</code> |
-| [org_policies](variables.tf#L113) | Organization policies applied to this folder keyed by policy name. | <code title="map&#40;object&#40;&#123;&#10;  inherit_from_parent &#61; optional&#40;bool&#41; &#35; for list policies only.&#10;  reset               &#61; optional&#40;bool&#41;&#10;  rules &#61; optional&#40;list&#40;object&#40;&#123;&#10;    allow &#61; optional&#40;object&#40;&#123;&#10;      all    &#61; optional&#40;bool&#41;&#10;      values &#61; optional&#40;list&#40;string&#41;&#41;&#10;    &#125;&#41;&#41;&#10;    deny &#61; optional&#40;object&#40;&#123;&#10;      all    &#61; optional&#40;bool&#41;&#10;      values &#61; optional&#40;list&#40;string&#41;&#41;&#10;    &#125;&#41;&#41;&#10;    enforce &#61; optional&#40;bool&#41; &#35; for boolean policies only.&#10;    condition &#61; optional&#40;object&#40;&#123;&#10;      description &#61; optional&#40;string&#41;&#10;      expression  &#61; optional&#40;string&#41;&#10;      location    &#61; optional&#40;string&#41;&#10;      title       &#61; optional&#40;string&#41;&#10;    &#125;&#41;, &#123;&#125;&#41;&#10;  &#125;&#41;&#41;, &#91;&#93;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
-| [parent](variables.tf#L140) | Parent in folders/folder_id or organizations/org_id format. | <code>string</code> |  | <code>null</code> |
-| [tag_bindings](variables.tf#L150) | Tag bindings for this folder, in key => tag value id format. | <code>map&#40;string&#41;</code> |  | <code>null</code> |
+| [logging_data_access](variables-logging.tf#L17) | Control activation of data access logs. Format is service => { log type => [exempted members]}. The special 'allServices' key denotes configuration for all services. | <code>map&#40;map&#40;list&#40;string&#41;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
+| [logging_exclusions](variables-logging.tf#L32) | Logging exclusions for this folder in the form {NAME -> FILTER}. | <code>map&#40;string&#41;</code> |  | <code>&#123;&#125;</code> |
+| [logging_settings](variables-logging.tf#L39) | Default settings for logging resources. | <code title="object&#40;&#123;&#10;  disable_default_sink &#61; optional&#40;bool&#41;&#10;  storage_location     &#61; optional&#40;string&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |
+| [logging_sinks](variables-logging.tf#L49) | Logging sinks to create for the folder. | <code title="map&#40;object&#40;&#123;&#10;  bq_partitioned_table &#61; optional&#40;bool, false&#41;&#10;  description          &#61; optional&#40;string&#41;&#10;  destination          &#61; string&#10;  disabled             &#61; optional&#40;bool, false&#41;&#10;  exclusions           &#61; optional&#40;map&#40;string&#41;, &#123;&#125;&#41;&#10;  filter               &#61; optional&#40;string&#41;&#10;  iam                  &#61; optional&#40;bool, true&#41;&#10;  include_children     &#61; optional&#40;bool, true&#41;&#10;  type                 &#61; string&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
+| [name](variables.tf#L54) | Folder name. | <code>string</code> |  | <code>null</code> |
+| [org_policies](variables.tf#L60) | Organization policies applied to this folder keyed by policy name. | <code title="map&#40;object&#40;&#123;&#10;  inherit_from_parent &#61; optional&#40;bool&#41; &#35; for list policies only.&#10;  reset               &#61; optional&#40;bool&#41;&#10;  rules &#61; optional&#40;list&#40;object&#40;&#123;&#10;    allow &#61; optional&#40;object&#40;&#123;&#10;      all    &#61; optional&#40;bool&#41;&#10;      values &#61; optional&#40;list&#40;string&#41;&#41;&#10;    &#125;&#41;&#41;&#10;    deny &#61; optional&#40;object&#40;&#123;&#10;      all    &#61; optional&#40;bool&#41;&#10;      values &#61; optional&#40;list&#40;string&#41;&#41;&#10;    &#125;&#41;&#41;&#10;    enforce &#61; optional&#40;bool&#41; &#35; for boolean policies only.&#10;    condition &#61; optional&#40;object&#40;&#123;&#10;      description &#61; optional&#40;string&#41;&#10;      expression  &#61; optional&#40;string&#41;&#10;      location    &#61; optional&#40;string&#41;&#10;      title       &#61; optional&#40;string&#41;&#10;    &#125;&#41;, &#123;&#125;&#41;&#10;  &#125;&#41;&#41;, &#91;&#93;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
+| [parent](variables.tf#L87) | Parent in folders/folder_id or organizations/org_id format. | <code>string</code> |  | <code>null</code> |
+| [tag_bindings](variables.tf#L97) | Tag bindings for this folder, in key => tag value id format. | <code>map&#40;string&#41;</code> |  | <code>null</code> |
 
 ## Outputs
 
diff --git a/modules/folder/logging.tf b/modules/folder/logging.tf
index 817c4d1e06..bb42983c22 100644
--- a/modules/folder/logging.tf
+++ b/modules/folder/logging.tf
@@ -35,6 +35,13 @@ locals {
   }
 }
 
+resource "google_logging_folder_settings" "default" {
+  count                = var.logging_settings != null ? 1 : 0
+  folder               = local.folder_id
+  disable_default_sink = var.logging_settings.disable_default_sink
+  storage_location     = var.logging_settings.storage_location
+}
+
 resource "google_folder_iam_audit_config" "default" {
   for_each = var.logging_data_access
   folder   = local.folder_id
diff --git a/modules/folder/variables-logging.tf b/modules/folder/variables-logging.tf
new file mode 100644
index 0000000000..89685a6de9
--- /dev/null
+++ b/modules/folder/variables-logging.tf
@@ -0,0 +1,78 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "logging_data_access" {
+  description = "Control activation of data access logs. Format is service => { log type => [exempted members]}. The special 'allServices' key denotes configuration for all services."
+  type        = map(map(list(string)))
+  nullable    = false
+  default     = {}
+  validation {
+    condition = alltrue(flatten([
+      for k, v in var.logging_data_access : [
+        for kk, vv in v : contains(["DATA_READ", "DATA_WRITE", "ADMIN_READ"], kk)
+      ]
+    ]))
+    error_message = "Log type keys for each service can only be one of 'DATA_READ', 'DATA_WRITE', 'ADMIN_READ'."
+  }
+}
+
+variable "logging_exclusions" {
+  description = "Logging exclusions for this folder in the form {NAME -> FILTER}."
+  type        = map(string)
+  default     = {}
+  nullable    = false
+}
+
+variable "logging_settings" {
+  description = "Default settings for logging resources."
+  type = object({
+    # TODO: add support for CMEK
+    disable_default_sink = optional(bool)
+    storage_location     = optional(string)
+  })
+  default = null
+}
+
+variable "logging_sinks" {
+  description = "Logging sinks to create for the folder."
+  type = map(object({
+    bq_partitioned_table = optional(bool, false)
+    description          = optional(string)
+    destination          = string
+    disabled             = optional(bool, false)
+    exclusions           = optional(map(string), {})
+    filter               = optional(string)
+    iam                  = optional(bool, true)
+    include_children     = optional(bool, true)
+    type                 = string
+  }))
+  default  = {}
+  nullable = false
+  validation {
+    condition = alltrue([
+      for k, v in var.logging_sinks :
+      contains(["bigquery", "logging", "project", "pubsub", "storage"], v.type)
+    ])
+    error_message = "Type must be one of 'bigquery', 'logging', 'project', 'pubsub', 'storage'."
+  }
+  validation {
+    condition = alltrue([
+      for k, v in var.logging_sinks :
+      v.bq_partitioned_table != true || v.type == "bigquery"
+    ])
+    error_message = "Can only set bq_partitioned_table when type is `bigquery`."
+  }
+}
diff --git a/modules/folder/variables.tf b/modules/folder/variables.tf
index 6da2685a71..e5f6d548be 100644
--- a/modules/folder/variables.tf
+++ b/modules/folder/variables.tf
@@ -51,59 +51,6 @@ variable "id" {
   default     = null
 }
 
-variable "logging_data_access" {
-  description = "Control activation of data access logs. Format is service => { log type => [exempted members]}. The special 'allServices' key denotes configuration for all services."
-  type        = map(map(list(string)))
-  nullable    = false
-  default     = {}
-  validation {
-    condition = alltrue(flatten([
-      for k, v in var.logging_data_access : [
-        for kk, vv in v : contains(["DATA_READ", "DATA_WRITE", "ADMIN_READ"], kk)
-      ]
-    ]))
-    error_message = "Log type keys for each service can only be one of 'DATA_READ', 'DATA_WRITE', 'ADMIN_READ'."
-  }
-}
-
-variable "logging_exclusions" {
-  description = "Logging exclusions for this folder in the form {NAME -> FILTER}."
-  type        = map(string)
-  default     = {}
-  nullable    = false
-}
-
-variable "logging_sinks" {
-  description = "Logging sinks to create for the folder."
-  type = map(object({
-    bq_partitioned_table = optional(bool, false)
-    description          = optional(string)
-    destination          = string
-    disabled             = optional(bool, false)
-    exclusions           = optional(map(string), {})
-    filter               = optional(string)
-    iam                  = optional(bool, true)
-    include_children     = optional(bool, true)
-    type                 = string
-  }))
-  default  = {}
-  nullable = false
-  validation {
-    condition = alltrue([
-      for k, v in var.logging_sinks :
-      contains(["bigquery", "logging", "project", "pubsub", "storage"], v.type)
-    ])
-    error_message = "Type must be one of 'bigquery', 'logging', 'project', 'pubsub', 'storage'."
-  }
-  validation {
-    condition = alltrue([
-      for k, v in var.logging_sinks :
-      v.bq_partitioned_table != true || v.type == "bigquery"
-    ])
-    error_message = "Can only set bq_partitioned_table when type is `bigquery`."
-  }
-}
-
 variable "name" {
   description = "Folder name."
   type        = string
diff --git a/modules/organization/README.md b/modules/organization/README.md
index cc602a6f12..1b004aa623 100644
--- a/modules/organization/README.md
+++ b/modules/organization/README.md
@@ -500,6 +500,7 @@ module "org" {
 | [outputs.tf](./outputs.tf) | Module outputs. |  |
 | [tags.tf](./tags.tf) | None | <code>google_tags_tag_binding</code> · <code>google_tags_tag_key</code> · <code>google_tags_tag_key_iam_binding</code> · <code>google_tags_tag_value</code> · <code>google_tags_tag_value_iam_binding</code> |
 | [variables-iam.tf](./variables-iam.tf) | None |  |
+| [variables-logging.tf](./variables-logging.tf) | None |  |
 | [variables-tags.tf](./variables-tags.tf) | None |  |
 | [variables.tf](./variables.tf) | Module variables. |  |
 | [versions.tf](./versions.tf) | Version pins. |  |
@@ -508,7 +509,7 @@ module "org" {
 
 | name | description | type | required | default |
 |---|---|:---:|:---:|:---:|
-| [organization_id](variables.tf#L155) | Organization id in organizations/nnnnnn format. | <code>string</code> | ✓ |  |
+| [organization_id](variables.tf#L92) | Organization id in organizations/nnnnnn format. | <code>string</code> | ✓ |  |
 | [contacts](variables.tf#L17) | List of essential contacts for this resource. Must be in the form EMAIL -> [NOTIFICATION_TYPES]. Valid notification types are ALL, SUSPENSION, SECURITY, TECHNICAL, BILLING, LEGAL, PRODUCT_UPDATES. | <code>map&#40;list&#40;string&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
 | [custom_roles](variables.tf#L24) | Map of role name => list of permissions to create in this project. | <code>map&#40;list&#40;string&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
 | [factories_config](variables.tf#L31) | Paths to data files and folders that enable factory functionality. | <code title="object&#40;&#123;&#10;  custom_roles                  &#61; optional&#40;string&#41;&#10;  org_policies                  &#61; optional&#40;string&#41;&#10;  org_policy_custom_constraints &#61; optional&#40;string&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |
@@ -517,13 +518,13 @@ module "org" {
 | [iam_bindings](variables-iam.tf#L24) | Authoritative IAM bindings in {KEY => {role = ROLE, members = [], condition = {}}}. Keys are arbitrary. | <code title="map&#40;object&#40;&#123;&#10;  members &#61; list&#40;string&#41;&#10;  role    &#61; string&#10;  condition &#61; optional&#40;object&#40;&#123;&#10;    expression  &#61; string&#10;    title       &#61; string&#10;    description &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
 | [iam_bindings_additive](variables-iam.tf#L39) | Individual additive IAM bindings. Keys are arbitrary. | <code title="map&#40;object&#40;&#123;&#10;  member &#61; string&#10;  role   &#61; string&#10;  condition &#61; optional&#40;object&#40;&#123;&#10;    expression  &#61; string&#10;    title       &#61; string&#10;    description &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
 | [iam_by_principals](variables-iam.tf#L54) | Authoritative IAM binding in {PRINCIPAL => [ROLES]} format. Principals need to be statically defined to avoid cycle errors. Merged internally with the `iam` variable. | <code>map&#40;list&#40;string&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
-| [logging_data_access](variables.tf#L51) | Control activation of data access logs. Format is service => { log type => [exempted members]}. The special 'allServices' key denotes configuration for all services. | <code>map&#40;map&#40;list&#40;string&#41;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
-| [logging_exclusions](variables.tf#L66) | Logging exclusions for this organization in the form {NAME -> FILTER}. | <code>map&#40;string&#41;</code> |  | <code>&#123;&#125;</code> |
-| [logging_settings](variables.tf#L73) | Default settings for logging resources. | <code title="object&#40;&#123;&#10;  disable_default_sink &#61; optional&#40;bool&#41;&#10;  storage_location     &#61; optional&#40;string&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |
-| [logging_sinks](variables.tf#L83) | Logging sinks to create for the organization. | <code title="map&#40;object&#40;&#123;&#10;  bq_partitioned_table &#61; optional&#40;bool, false&#41;&#10;  description          &#61; optional&#40;string&#41;&#10;  destination          &#61; string&#10;  disabled             &#61; optional&#40;bool, false&#41;&#10;  exclusions           &#61; optional&#40;map&#40;string&#41;, &#123;&#125;&#41;&#10;  filter               &#61; optional&#40;string&#41;&#10;  iam                  &#61; optional&#40;bool, true&#41;&#10;  include_children     &#61; optional&#40;bool, true&#41;&#10;  type                 &#61; string&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
+| [logging_data_access](variables-logging.tf#L17) | Control activation of data access logs. Format is service => { log type => [exempted members]}. The special 'allServices' key denotes configuration for all services. | <code>map&#40;map&#40;list&#40;string&#41;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
+| [logging_exclusions](variables-logging.tf#L32) | Logging exclusions for this organization in the form {NAME -> FILTER}. | <code>map&#40;string&#41;</code> |  | <code>&#123;&#125;</code> |
+| [logging_settings](variables-logging.tf#L39) | Default settings for logging resources. | <code title="object&#40;&#123;&#10;  disable_default_sink &#61; optional&#40;bool&#41;&#10;  storage_location     &#61; optional&#40;string&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |
+| [logging_sinks](variables-logging.tf#L49) | Logging sinks to create for the organization. | <code title="map&#40;object&#40;&#123;&#10;  bq_partitioned_table &#61; optional&#40;bool, false&#41;&#10;  description          &#61; optional&#40;string&#41;&#10;  destination          &#61; string&#10;  disabled             &#61; optional&#40;bool, false&#41;&#10;  exclusions           &#61; optional&#40;map&#40;string&#41;, &#123;&#125;&#41;&#10;  filter               &#61; optional&#40;string&#41;&#10;  iam                  &#61; optional&#40;bool, true&#41;&#10;  include_children     &#61; optional&#40;bool, true&#41;&#10;  type                 &#61; string&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
 | [network_tags](variables-tags.tf#L17) | Network tags by key name. If `id` is provided, key creation is skipped. The `iam` attribute behaves like the similarly named one at module level. | <code title="map&#40;object&#40;&#123;&#10;  description &#61; optional&#40;string, &#34;Managed by the Terraform organization module.&#34;&#41;&#10;  iam         &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;  id          &#61; optional&#40;string&#41;&#10;  network     &#61; string &#35; project_id&#47;vpc_name&#10;  values &#61; optional&#40;map&#40;object&#40;&#123;&#10;    description &#61; optional&#40;string, &#34;Managed by the Terraform organization module.&#34;&#41;&#10;    iam         &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;  &#125;&#41;&#41;, &#123;&#125;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
-| [org_policies](variables.tf#L114) | Organization policies applied to this organization keyed by policy name. | <code title="map&#40;object&#40;&#123;&#10;  inherit_from_parent &#61; optional&#40;bool&#41; &#35; for list policies only.&#10;  reset               &#61; optional&#40;bool&#41;&#10;  rules &#61; optional&#40;list&#40;object&#40;&#123;&#10;    allow &#61; optional&#40;object&#40;&#123;&#10;      all    &#61; optional&#40;bool&#41;&#10;      values &#61; optional&#40;list&#40;string&#41;&#41;&#10;    &#125;&#41;&#41;&#10;    deny &#61; optional&#40;object&#40;&#123;&#10;      all    &#61; optional&#40;bool&#41;&#10;      values &#61; optional&#40;list&#40;string&#41;&#41;&#10;    &#125;&#41;&#41;&#10;    enforce &#61; optional&#40;bool&#41; &#35; for boolean policies only.&#10;    condition &#61; optional&#40;object&#40;&#123;&#10;      description &#61; optional&#40;string&#41;&#10;      expression  &#61; optional&#40;string&#41;&#10;      location    &#61; optional&#40;string&#41;&#10;      title       &#61; optional&#40;string&#41;&#10;    &#125;&#41;, &#123;&#125;&#41;&#10;  &#125;&#41;&#41;, &#91;&#93;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
-| [org_policy_custom_constraints](variables.tf#L141) | Organization policy custom constraints keyed by constraint name. | <code title="map&#40;object&#40;&#123;&#10;  display_name   &#61; optional&#40;string&#41;&#10;  description    &#61; optional&#40;string&#41;&#10;  action_type    &#61; string&#10;  condition      &#61; string&#10;  method_types   &#61; list&#40;string&#41;&#10;  resource_types &#61; list&#40;string&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
+| [org_policies](variables.tf#L51) | Organization policies applied to this organization keyed by policy name. | <code title="map&#40;object&#40;&#123;&#10;  inherit_from_parent &#61; optional&#40;bool&#41; &#35; for list policies only.&#10;  reset               &#61; optional&#40;bool&#41;&#10;  rules &#61; optional&#40;list&#40;object&#40;&#123;&#10;    allow &#61; optional&#40;object&#40;&#123;&#10;      all    &#61; optional&#40;bool&#41;&#10;      values &#61; optional&#40;list&#40;string&#41;&#41;&#10;    &#125;&#41;&#41;&#10;    deny &#61; optional&#40;object&#40;&#123;&#10;      all    &#61; optional&#40;bool&#41;&#10;      values &#61; optional&#40;list&#40;string&#41;&#41;&#10;    &#125;&#41;&#41;&#10;    enforce &#61; optional&#40;bool&#41; &#35; for boolean policies only.&#10;    condition &#61; optional&#40;object&#40;&#123;&#10;      description &#61; optional&#40;string&#41;&#10;      expression  &#61; optional&#40;string&#41;&#10;      location    &#61; optional&#40;string&#41;&#10;      title       &#61; optional&#40;string&#41;&#10;    &#125;&#41;, &#123;&#125;&#41;&#10;  &#125;&#41;&#41;, &#91;&#93;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
+| [org_policy_custom_constraints](variables.tf#L78) | Organization policy custom constraints keyed by constraint name. | <code title="map&#40;object&#40;&#123;&#10;  display_name   &#61; optional&#40;string&#41;&#10;  description    &#61; optional&#40;string&#41;&#10;  action_type    &#61; string&#10;  condition      &#61; string&#10;  method_types   &#61; list&#40;string&#41;&#10;  resource_types &#61; list&#40;string&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
 | [tag_bindings](variables-tags.tf#L45) | Tag bindings for this organization, in key => tag value id format. | <code>map&#40;string&#41;</code> |  | <code>&#123;&#125;</code> |
 | [tags](variables-tags.tf#L52) | Tags by key name. If `id` is provided, key or value creation is skipped. The `iam` attribute behaves like the similarly named one at module level. | <code title="map&#40;object&#40;&#123;&#10;  description &#61; optional&#40;string, &#34;Managed by the Terraform organization module.&#34;&#41;&#10;  iam         &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;  id          &#61; optional&#40;string&#41;&#10;  values &#61; optional&#40;map&#40;object&#40;&#123;&#10;    description &#61; optional&#40;string, &#34;Managed by the Terraform organization module.&#34;&#41;&#10;    iam         &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;    id          &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;, &#123;&#125;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
 
diff --git a/modules/organization/variables-logging.tf b/modules/organization/variables-logging.tf
new file mode 100644
index 0000000000..210352f081
--- /dev/null
+++ b/modules/organization/variables-logging.tf
@@ -0,0 +1,78 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "logging_data_access" {
+  description = "Control activation of data access logs. Format is service => { log type => [exempted members]}. The special 'allServices' key denotes configuration for all services."
+  type        = map(map(list(string)))
+  nullable    = false
+  default     = {}
+  validation {
+    condition = alltrue(flatten([
+      for k, v in var.logging_data_access : [
+        for kk, vv in v : contains(["DATA_READ", "DATA_WRITE", "ADMIN_READ"], kk)
+      ]
+    ]))
+    error_message = "Log type keys for each service can only be one of 'DATA_READ', 'DATA_WRITE', 'ADMIN_READ'."
+  }
+}
+
+variable "logging_exclusions" {
+  description = "Logging exclusions for this organization in the form {NAME -> FILTER}."
+  type        = map(string)
+  default     = {}
+  nullable    = false
+}
+
+variable "logging_settings" {
+  description = "Default settings for logging resources."
+  type = object({
+    # TODO: add support for CMEK
+    disable_default_sink = optional(bool)
+    storage_location     = optional(string)
+  })
+  default = null
+}
+
+variable "logging_sinks" {
+  description = "Logging sinks to create for the organization."
+  type = map(object({
+    bq_partitioned_table = optional(bool, false)
+    description          = optional(string)
+    destination          = string
+    disabled             = optional(bool, false)
+    exclusions           = optional(map(string), {})
+    filter               = optional(string)
+    iam                  = optional(bool, true)
+    include_children     = optional(bool, true)
+    type                 = string
+  }))
+  default  = {}
+  nullable = false
+  validation {
+    condition = alltrue([
+      for k, v in var.logging_sinks :
+      contains(["bigquery", "logging", "project", "pubsub", "storage"], v.type)
+    ])
+    error_message = "Type must be one of 'bigquery', 'logging', 'project', 'pubsub', 'storage'."
+  }
+  validation {
+    condition = alltrue([
+      for k, v in var.logging_sinks :
+      v.bq_partitioned_table != true || v.type == "bigquery"
+    ])
+    error_message = "Can only set bq_partitioned_table when type is `bigquery`."
+  }
+}
diff --git a/modules/organization/variables.tf b/modules/organization/variables.tf
index 4464558e69..146cf9b14a 100644
--- a/modules/organization/variables.tf
+++ b/modules/organization/variables.tf
@@ -48,69 +48,6 @@ variable "firewall_policy" {
   default = null
 }
 
-variable "logging_data_access" {
-  description = "Control activation of data access logs. Format is service => { log type => [exempted members]}. The special 'allServices' key denotes configuration for all services."
-  type        = map(map(list(string)))
-  nullable    = false
-  default     = {}
-  validation {
-    condition = alltrue(flatten([
-      for k, v in var.logging_data_access : [
-        for kk, vv in v : contains(["DATA_READ", "DATA_WRITE", "ADMIN_READ"], kk)
-      ]
-    ]))
-    error_message = "Log type keys for each service can only be one of 'DATA_READ', 'DATA_WRITE', 'ADMIN_READ'."
-  }
-}
-
-variable "logging_exclusions" {
-  description = "Logging exclusions for this organization in the form {NAME -> FILTER}."
-  type        = map(string)
-  default     = {}
-  nullable    = false
-}
-
-variable "logging_settings" {
-  description = "Default settings for logging resources."
-  type = object({
-    # TODO: add support for CMEK
-    disable_default_sink = optional(bool)
-    storage_location     = optional(string)
-  })
-  default = null
-}
-
-variable "logging_sinks" {
-  description = "Logging sinks to create for the organization."
-  type = map(object({
-    bq_partitioned_table = optional(bool, false)
-    description          = optional(string)
-    destination          = string
-    disabled             = optional(bool, false)
-    exclusions           = optional(map(string), {})
-    filter               = optional(string)
-    iam                  = optional(bool, true)
-    include_children     = optional(bool, true)
-    type                 = string
-  }))
-  default  = {}
-  nullable = false
-  validation {
-    condition = alltrue([
-      for k, v in var.logging_sinks :
-      contains(["bigquery", "logging", "project", "pubsub", "storage"], v.type)
-    ])
-    error_message = "Type must be one of 'bigquery', 'logging', 'project', 'pubsub', 'storage'."
-  }
-  validation {
-    condition = alltrue([
-      for k, v in var.logging_sinks :
-      v.bq_partitioned_table != true || v.type == "bigquery"
-    ])
-    error_message = "Can only set bq_partitioned_table when type is `bigquery`."
-  }
-}
-
 variable "org_policies" {
   description = "Organization policies applied to this organization keyed by policy name."
   type = map(object({

From e4941c27f2afa053a8dd8a839b026963858a1642 Mon Sep 17 00:00:00 2001
From: Ludovico Magnocavallo <ludomagno@google.com>
Date: Mon, 13 May 2024 20:18:51 +0200
Subject: [PATCH 26/31] Implement the full IAM interface for tags (#2269)

* IAM authoritative bindings in org module

* remove extra newline

* organization module

* project module

* tfdoc
---
 modules/kms/README.md                         |   6 +-
 modules/kms/variables.tf                      |   1 -
 modules/organization/README.md                |  47 ++++-
 modules/organization/tags.tf                  | 166 ++++++++++++++----
 modules/organization/variables-tags.tf        |  80 ++++++++-
 modules/project/README.md                     |   8 +-
 modules/project/tags.tf                       | 166 ++++++++++++++----
 modules/project/variables-tags.tf             |  83 ++++++++-
 tests/modules/organization/examples/tags.yaml |  27 ++-
 9 files changed, 492 insertions(+), 92 deletions(-)

diff --git a/modules/kms/README.md b/modules/kms/README.md
index 4782d8240d..90621bef37 100644
--- a/modules/kms/README.md
+++ b/modules/kms/README.md
@@ -120,14 +120,14 @@ module "kms" {
 | name | description | type | required | default |
 |---|---|:---:|:---:|:---:|
 | [keyring](variables.tf#L64) | Keyring attributes. | <code title="object&#40;&#123;&#10;  location &#61; string&#10;  name     &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | ✓ |  |
-| [project_id](variables.tf#L115) | Project id where the keyring will be created. | <code>string</code> | ✓ |  |
+| [project_id](variables.tf#L114) | Project id where the keyring will be created. | <code>string</code> | ✓ |  |
 | [iam](variables.tf#L17) | Keyring IAM bindings in {ROLE => [MEMBERS]} format. | <code>map&#40;list&#40;string&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
 | [iam_bindings](variables.tf#L24) | Authoritative IAM bindings in {KEY => {role = ROLE, members = [], condition = {}}}. Keys are arbitrary. | <code title="map&#40;object&#40;&#123;&#10;  members &#61; list&#40;string&#41;&#10;  role    &#61; string&#10;  condition &#61; optional&#40;object&#40;&#123;&#10;    expression  &#61; string&#10;    title       &#61; string&#10;    description &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
 | [iam_bindings_additive](variables.tf#L39) | Keyring individual additive IAM bindings. Keys are arbitrary. | <code title="map&#40;object&#40;&#123;&#10;  member &#61; string&#10;  role   &#61; string&#10;  condition &#61; optional&#40;object&#40;&#123;&#10;    expression  &#61; string&#10;    title       &#61; string&#10;    description &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
 | [import_job](variables.tf#L54) | Keyring import job attributes. | <code title="object&#40;&#123;&#10;  id               &#61; string&#10;  import_method    &#61; string&#10;  protection_level &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |
 | [keyring_create](variables.tf#L72) | Set to false to manage keys and IAM bindings in an existing keyring. | <code>bool</code> |  | <code>true</code> |
-| [keys](variables.tf#L78) | Key names and base attributes. Set attributes to null if not needed. | <code title="map&#40;object&#40;&#123;&#10;  destroy_scheduled_duration    &#61; optional&#40;string&#41;&#10;  rotation_period               &#61; optional&#40;string&#41;&#10;  labels                        &#61; optional&#40;map&#40;string&#41;&#41;&#10;  purpose                       &#61; optional&#40;string, &#34;ENCRYPT_DECRYPT&#34;&#41;&#10;  skip_initial_version_creation &#61; optional&#40;bool, false&#41;&#10;  version_template &#61; optional&#40;object&#40;&#123;&#10;    algorithm        &#61; string&#10;    protection_level &#61; optional&#40;string, &#34;SOFTWARE&#34;&#41;&#10;  &#125;&#41;&#41;&#10;&#10;&#10;  iam &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;  iam_bindings &#61; optional&#40;map&#40;object&#40;&#123;&#10;    members &#61; list&#40;string&#41;&#10;    role    &#61; string&#10;    condition &#61; optional&#40;object&#40;&#123;&#10;      expression  &#61; string&#10;      title       &#61; string&#10;      description &#61; optional&#40;string&#41;&#10;    &#125;&#41;&#41;&#10;  &#125;&#41;&#41;, &#123;&#125;&#41;&#10;  iam_bindings_additive &#61; optional&#40;map&#40;object&#40;&#123;&#10;    member &#61; string&#10;    role   &#61; string&#10;    condition &#61; optional&#40;object&#40;&#123;&#10;      expression  &#61; string&#10;      title       &#61; string&#10;      description &#61; optional&#40;string&#41;&#10;    &#125;&#41;&#41;&#10;  &#125;&#41;&#41;, &#123;&#125;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
-| [tag_bindings](variables.tf#L120) | Tag bindings for this keyring, in key => tag value id format. | <code>map&#40;string&#41;</code> |  | <code>&#123;&#125;</code> |
+| [keys](variables.tf#L78) | Key names and base attributes. Set attributes to null if not needed. | <code title="map&#40;object&#40;&#123;&#10;  destroy_scheduled_duration    &#61; optional&#40;string&#41;&#10;  rotation_period               &#61; optional&#40;string&#41;&#10;  labels                        &#61; optional&#40;map&#40;string&#41;&#41;&#10;  purpose                       &#61; optional&#40;string, &#34;ENCRYPT_DECRYPT&#34;&#41;&#10;  skip_initial_version_creation &#61; optional&#40;bool, false&#41;&#10;  version_template &#61; optional&#40;object&#40;&#123;&#10;    algorithm        &#61; string&#10;    protection_level &#61; optional&#40;string, &#34;SOFTWARE&#34;&#41;&#10;  &#125;&#41;&#41;&#10;  iam &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;  iam_bindings &#61; optional&#40;map&#40;object&#40;&#123;&#10;    members &#61; list&#40;string&#41;&#10;    role    &#61; string&#10;    condition &#61; optional&#40;object&#40;&#123;&#10;      expression  &#61; string&#10;      title       &#61; string&#10;      description &#61; optional&#40;string&#41;&#10;    &#125;&#41;&#41;&#10;  &#125;&#41;&#41;, &#123;&#125;&#41;&#10;  iam_bindings_additive &#61; optional&#40;map&#40;object&#40;&#123;&#10;    member &#61; string&#10;    role   &#61; string&#10;    condition &#61; optional&#40;object&#40;&#123;&#10;      expression  &#61; string&#10;      title       &#61; string&#10;      description &#61; optional&#40;string&#41;&#10;    &#125;&#41;&#41;&#10;  &#125;&#41;&#41;, &#123;&#125;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
+| [tag_bindings](variables.tf#L119) | Tag bindings for this keyring, in key => tag value id format. | <code>map&#40;string&#41;</code> |  | <code>&#123;&#125;</code> |
 
 ## Outputs
 
diff --git a/modules/kms/variables.tf b/modules/kms/variables.tf
index 2708a7f7cf..d0d335674b 100644
--- a/modules/kms/variables.tf
+++ b/modules/kms/variables.tf
@@ -87,7 +87,6 @@ variable "keys" {
       algorithm        = string
       protection_level = optional(string, "SOFTWARE")
     }))
-
     iam = optional(map(list(string)), {})
     iam_bindings = optional(map(object({
       members = list(string)
diff --git a/modules/organization/README.md b/modules/organization/README.md
index 1b004aa623..f0253d11b3 100644
--- a/modules/organization/README.md
+++ b/modules/organization/README.md
@@ -440,12 +440,44 @@ module "org" {
       iam = {
         "roles/resourcemanager.tagAdmin" = ["group:${var.group_email}"]
       }
+      iam_bindings = {
+        viewer = {
+          role    = "roles/resourcemanager.tagViewer"
+          members = ["group:gcp-support@example.org"]
+        }
+      }
+      iam_bindings_additive = {
+        user_app1 = {
+          role   = "roles/resourcemanager.tagUser"
+          member = "group:app1-team@example.org"
+        }
+      }
       values = {
-        dev = {}
+        dev = {
+          iam_bindings_additive = {
+            user_app2 = {
+              role   = "roles/resourcemanager.tagUser"
+              member = "group:app2-team@example.org"
+            }
+          }
+        }
         prod = {
           description = "Environment: production."
           iam = {
-            "roles/resourcemanager.tagViewer" = ["group:${var.group_email}"]
+            "roles/resourcemanager.tagViewer" = ["group:app1-team@example.org"]
+          }
+          iam_bindings = {
+            admin = {
+              role    = "roles/resourcemanager.tagAdmin"
+              members = ["group:gcp-support@example.org"]
+              condition = {
+                title      = "gcp_support"
+                expression = <<-END
+                  request.time.getHours("Europe/Berlin") <= 9 &&
+                  request.time.getHours("Europe/Berlin") >= 17
+                END
+              }
+            }
           }
         }
       }
@@ -455,8 +487,9 @@ module "org" {
     env-prod = module.org.tag_values["environment/prod"].id
   }
 }
-# tftest modules=1 resources=6 inventory=tags.yaml e2e serial
+# tftest modules=1 resources=10 inventory=tags.yaml
 ```
+<!-- TODO: reinstate e2e serial -->
 
 You can also define network tags, through a dedicated variable *network_tags*:
 
@@ -498,7 +531,7 @@ module "org" {
 | [org-policy-custom-constraints.tf](./org-policy-custom-constraints.tf) | None | <code>google_org_policy_custom_constraint</code> |
 | [organization-policies.tf](./organization-policies.tf) | Organization-level organization policies. | <code>google_org_policy_policy</code> |
 | [outputs.tf](./outputs.tf) | Module outputs. |  |
-| [tags.tf](./tags.tf) | None | <code>google_tags_tag_binding</code> · <code>google_tags_tag_key</code> · <code>google_tags_tag_key_iam_binding</code> · <code>google_tags_tag_value</code> · <code>google_tags_tag_value_iam_binding</code> |
+| [tags.tf](./tags.tf) | None | <code>google_tags_tag_binding</code> · <code>google_tags_tag_key</code> · <code>google_tags_tag_key_iam_binding</code> · <code>google_tags_tag_key_iam_member</code> · <code>google_tags_tag_value</code> · <code>google_tags_tag_value_iam_binding</code> · <code>google_tags_tag_value_iam_member</code> |
 | [variables-iam.tf](./variables-iam.tf) | None |  |
 | [variables-logging.tf](./variables-logging.tf) | None |  |
 | [variables-tags.tf](./variables-tags.tf) | None |  |
@@ -522,11 +555,11 @@ module "org" {
 | [logging_exclusions](variables-logging.tf#L32) | Logging exclusions for this organization in the form {NAME -> FILTER}. | <code>map&#40;string&#41;</code> |  | <code>&#123;&#125;</code> |
 | [logging_settings](variables-logging.tf#L39) | Default settings for logging resources. | <code title="object&#40;&#123;&#10;  disable_default_sink &#61; optional&#40;bool&#41;&#10;  storage_location     &#61; optional&#40;string&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |
 | [logging_sinks](variables-logging.tf#L49) | Logging sinks to create for the organization. | <code title="map&#40;object&#40;&#123;&#10;  bq_partitioned_table &#61; optional&#40;bool, false&#41;&#10;  description          &#61; optional&#40;string&#41;&#10;  destination          &#61; string&#10;  disabled             &#61; optional&#40;bool, false&#41;&#10;  exclusions           &#61; optional&#40;map&#40;string&#41;, &#123;&#125;&#41;&#10;  filter               &#61; optional&#40;string&#41;&#10;  iam                  &#61; optional&#40;bool, true&#41;&#10;  include_children     &#61; optional&#40;bool, true&#41;&#10;  type                 &#61; string&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
-| [network_tags](variables-tags.tf#L17) | Network tags by key name. If `id` is provided, key creation is skipped. The `iam` attribute behaves like the similarly named one at module level. | <code title="map&#40;object&#40;&#123;&#10;  description &#61; optional&#40;string, &#34;Managed by the Terraform organization module.&#34;&#41;&#10;  iam         &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;  id          &#61; optional&#40;string&#41;&#10;  network     &#61; string &#35; project_id&#47;vpc_name&#10;  values &#61; optional&#40;map&#40;object&#40;&#123;&#10;    description &#61; optional&#40;string, &#34;Managed by the Terraform organization module.&#34;&#41;&#10;    iam         &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;  &#125;&#41;&#41;, &#123;&#125;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
+| [network_tags](variables-tags.tf#L17) | Network tags by key name. If `id` is provided, key creation is skipped. The `iam` attribute behaves like the similarly named one at module level. | <code title="map&#40;object&#40;&#123;&#10;  description &#61; optional&#40;string, &#34;Managed by the Terraform organization module.&#34;&#41;&#10;  iam         &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;  iam_bindings &#61; optional&#40;map&#40;object&#40;&#123;&#10;    members &#61; list&#40;string&#41;&#10;    role    &#61; string&#10;    condition &#61; optional&#40;object&#40;&#123;&#10;      expression  &#61; string&#10;      title       &#61; string&#10;      description &#61; optional&#40;string&#41;&#10;    &#125;&#41;&#41;&#10;  &#125;&#41;&#41;, &#123;&#125;&#41;&#10;  iam_bindings_additive &#61; optional&#40;map&#40;object&#40;&#123;&#10;    member &#61; string&#10;    role   &#61; string&#10;    condition &#61; optional&#40;object&#40;&#123;&#10;      expression  &#61; string&#10;      title       &#61; string&#10;      description &#61; optional&#40;string&#41;&#10;    &#125;&#41;&#41;&#10;  &#125;&#41;&#41;, &#123;&#125;&#41;&#10;  id      &#61; optional&#40;string&#41;&#10;  network &#61; string &#35; project_id&#47;vpc_name&#10;  values &#61; optional&#40;map&#40;object&#40;&#123;&#10;    description &#61; optional&#40;string, &#34;Managed by the Terraform organization module.&#34;&#41;&#10;    iam         &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;    iam_bindings &#61; optional&#40;map&#40;object&#40;&#123;&#10;      members &#61; list&#40;string&#41;&#10;      role    &#61; string&#10;      condition &#61; optional&#40;object&#40;&#123;&#10;        expression  &#61; string&#10;        title       &#61; string&#10;        description &#61; optional&#40;string&#41;&#10;      &#125;&#41;&#41;&#10;    &#125;&#41;&#41;, &#123;&#125;&#41;&#10;    iam_bindings_additive &#61; optional&#40;map&#40;object&#40;&#123;&#10;      member &#61; string&#10;      role   &#61; string&#10;      condition &#61; optional&#40;object&#40;&#123;&#10;        expression  &#61; string&#10;        title       &#61; string&#10;        description &#61; optional&#40;string&#41;&#10;      &#125;&#41;&#41;&#10;    &#125;&#41;&#41;, &#123;&#125;&#41;&#10;  &#125;&#41;&#41;, &#123;&#125;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
 | [org_policies](variables.tf#L51) | Organization policies applied to this organization keyed by policy name. | <code title="map&#40;object&#40;&#123;&#10;  inherit_from_parent &#61; optional&#40;bool&#41; &#35; for list policies only.&#10;  reset               &#61; optional&#40;bool&#41;&#10;  rules &#61; optional&#40;list&#40;object&#40;&#123;&#10;    allow &#61; optional&#40;object&#40;&#123;&#10;      all    &#61; optional&#40;bool&#41;&#10;      values &#61; optional&#40;list&#40;string&#41;&#41;&#10;    &#125;&#41;&#41;&#10;    deny &#61; optional&#40;object&#40;&#123;&#10;      all    &#61; optional&#40;bool&#41;&#10;      values &#61; optional&#40;list&#40;string&#41;&#41;&#10;    &#125;&#41;&#41;&#10;    enforce &#61; optional&#40;bool&#41; &#35; for boolean policies only.&#10;    condition &#61; optional&#40;object&#40;&#123;&#10;      description &#61; optional&#40;string&#41;&#10;      expression  &#61; optional&#40;string&#41;&#10;      location    &#61; optional&#40;string&#41;&#10;      title       &#61; optional&#40;string&#41;&#10;    &#125;&#41;, &#123;&#125;&#41;&#10;  &#125;&#41;&#41;, &#91;&#93;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
 | [org_policy_custom_constraints](variables.tf#L78) | Organization policy custom constraints keyed by constraint name. | <code title="map&#40;object&#40;&#123;&#10;  display_name   &#61; optional&#40;string&#41;&#10;  description    &#61; optional&#40;string&#41;&#10;  action_type    &#61; string&#10;  condition      &#61; string&#10;  method_types   &#61; list&#40;string&#41;&#10;  resource_types &#61; list&#40;string&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
-| [tag_bindings](variables-tags.tf#L45) | Tag bindings for this organization, in key => tag value id format. | <code>map&#40;string&#41;</code> |  | <code>&#123;&#125;</code> |
-| [tags](variables-tags.tf#L52) | Tags by key name. If `id` is provided, key or value creation is skipped. The `iam` attribute behaves like the similarly named one at module level. | <code title="map&#40;object&#40;&#123;&#10;  description &#61; optional&#40;string, &#34;Managed by the Terraform organization module.&#34;&#41;&#10;  iam         &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;  id          &#61; optional&#40;string&#41;&#10;  values &#61; optional&#40;map&#40;object&#40;&#123;&#10;    description &#61; optional&#40;string, &#34;Managed by the Terraform organization module.&#34;&#41;&#10;    iam         &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;    id          &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;, &#123;&#125;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
+| [tag_bindings](variables-tags.tf#L81) | Tag bindings for this organization, in key => tag value id format. | <code>map&#40;string&#41;</code> |  | <code>&#123;&#125;</code> |
+| [tags](variables-tags.tf#L88) | Tags by key name. If `id` is provided, key or value creation is skipped. The `iam` attribute behaves like the similarly named one at module level. | <code title="map&#40;object&#40;&#123;&#10;  description &#61; optional&#40;string, &#34;Managed by the Terraform organization module.&#34;&#41;&#10;  iam         &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;  iam_bindings &#61; optional&#40;map&#40;object&#40;&#123;&#10;    members &#61; list&#40;string&#41;&#10;    role    &#61; string&#10;    condition &#61; optional&#40;object&#40;&#123;&#10;      expression  &#61; string&#10;      title       &#61; string&#10;      description &#61; optional&#40;string&#41;&#10;    &#125;&#41;&#41;&#10;  &#125;&#41;&#41;, &#123;&#125;&#41;&#10;  iam_bindings_additive &#61; optional&#40;map&#40;object&#40;&#123;&#10;    member &#61; string&#10;    role   &#61; string&#10;    condition &#61; optional&#40;object&#40;&#123;&#10;      expression  &#61; string&#10;      title       &#61; string&#10;      description &#61; optional&#40;string&#41;&#10;    &#125;&#41;&#41;&#10;  &#125;&#41;&#41;, &#123;&#125;&#41;&#10;  id &#61; optional&#40;string&#41;&#10;  values &#61; optional&#40;map&#40;object&#40;&#123;&#10;    description &#61; optional&#40;string, &#34;Managed by the Terraform organization module.&#34;&#41;&#10;    iam         &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;    iam_bindings &#61; optional&#40;map&#40;object&#40;&#123;&#10;      members &#61; list&#40;string&#41;&#10;      role    &#61; string&#10;      condition &#61; optional&#40;object&#40;&#123;&#10;        expression  &#61; string&#10;        title       &#61; string&#10;        description &#61; optional&#40;string&#41;&#10;      &#125;&#41;&#41;&#10;    &#125;&#41;&#41;, &#123;&#125;&#41;&#10;    iam_bindings_additive &#61; optional&#40;map&#40;object&#40;&#123;&#10;      member &#61; string&#10;      role   &#61; string&#10;      condition &#61; optional&#40;object&#40;&#123;&#10;        expression  &#61; string&#10;        title       &#61; string&#10;        description &#61; optional&#40;string&#41;&#10;      &#125;&#41;&#41;&#10;    &#125;&#41;&#41;, &#123;&#125;&#41;&#10;    id &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;, &#123;&#125;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
 
 ## Outputs
 
diff --git a/modules/organization/tags.tf b/modules/organization/tags.tf
index d25757c243..0321818a5a 100644
--- a/modules/organization/tags.tf
+++ b/modules/organization/tags.tf
@@ -15,50 +15,96 @@
  */
 
 locals {
-  _tag_values = flatten([
-    for tag, attrs in local.tags : [
-      for value, value_attrs in attrs.values : {
-        description = value_attrs.description,
-        key         = "${tag}/${value}"
-        id          = try(value_attrs.id, null)
-        name        = value
-        roles       = keys(value_attrs.iam)
-        tag         = tag
-        tag_id      = attrs.id
-        tag_network = try(attrs.network, null) != null
+  _tag_iam = flatten([
+    for k, v in local.tags : [
+      for role in keys(v.iam) : {
+        # we cycle on keys here so we don't risk injecting dynamic values
+        role   = role
+        tag    = k
+        tag_id = v.id
       }
     ]
   ])
-  _tag_values_iam = flatten([
-    for key, value_attrs in local.tag_values : [
-      for role in value_attrs.roles : {
-        id   = value_attrs.id
-        key  = value_attrs.key
-        name = value_attrs.name
+  _tag_value_iam = flatten([
+    for k, v in local.tag_values : [
+      for role in v.roles : {
+        id   = v.id
+        key  = v.key
+        name = v.name
         role = role
-        tag  = value_attrs.tag
+        tag  = v.tag
       }
     ]
   ])
-  _tags_iam = flatten([
-    for tag, attrs in local.tags : [
-      for role in keys(attrs.iam) : {
-        role   = role
-        tag    = tag
-        tag_id = attrs.id
+  _tag_values = flatten([
+    for k, v in local.tags : [
+      for vk, vv in v.values : {
+        description           = vv.description,
+        key                   = "${k}/${vk}"
+        iam_bindings          = keys(vv.iam_bindings)
+        iam_bindings_additive = keys(vv.iam_bindings_additive)
+        id                    = try(vv.id, null)
+        name                  = vk
+        # we only store keys here so we don't risk injecting dynamic values
+        roles       = keys(vv.iam)
+        tag         = k
+        tag_id      = v.id
+        tag_network = try(v.network, null) != null
       }
     ]
   ])
-  tag_values = {
-    for t in local._tag_values : t.key => t
+  tag_iam = {
+    for t in local._tag_iam : "${t.tag}:${t.role}" => t
+  }
+  tag_iam_bindings = merge([
+    for k, v in local.tags : {
+      for bk in keys(v.iam_bindings) : "${k}:${bk}" => {
+        binding = bk
+        tag     = k
+        tag_id  = v.id
+      }
+    }
+  ]...)
+  tag_iam_bindings_additive = merge([
+    for k, v in local.tags : {
+      for bk in keys(v.iam_bindings_additive) : "${k}:${bk}" => {
+        binding = bk
+        tag     = k
+        tag_id  = v.id
+      }
+    }
+  ]...)
+  tag_value_iam = {
+    for v in local._tag_value_iam : "${v.key}:${v.role}" => v
   }
-  tag_values_iam = {
-    for t in local._tag_values_iam : "${t.key}:${t.role}" => t
+  tag_value_iam_bindings = merge([
+    for k, v in local.tag_values : {
+      for bk in v.iam_bindings : "${k}:${bk}" => {
+        binding = bk
+        id      = v.id
+        key     = k
+        name    = v.name
+        tag     = v.tag
+        tag_id  = v.id
+      }
+    }
+  ]...)
+  tag_value_iam_bindings_additive = merge([
+    for k, v in local.tag_values : {
+      for bk in v.iam_bindings_additive : "${k}:${bk}" => {
+        binding = bk
+        id      = v.id
+        key     = k
+        name    = v.name
+        tag     = v.tag
+        tag_id  = v.id
+      }
+    }
+  ]...)
+  tag_values = {
+    for v in local._tag_values : v.key => v
   }
   tags = merge(var.tags, var.network_tags)
-  tags_iam = {
-    for t in local._tags_iam : "${t.tag}:${t.role}" => t
-  }
 }
 
 # keys
@@ -82,7 +128,7 @@ resource "google_tags_tag_key" "default" {
 }
 
 resource "google_tags_tag_key_iam_binding" "default" {
-  for_each = local.tags_iam
+  for_each = local.tag_iam
   tag_key = (
     each.value.tag_id == null
     ? google_tags_tag_key.default[each.value.tag].id
@@ -94,6 +140,30 @@ resource "google_tags_tag_key_iam_binding" "default" {
   )
 }
 
+resource "google_tags_tag_key_iam_binding" "bindings" {
+  for_each = local.tag_iam_bindings
+  tag_key = (
+    each.value.tag_id == null
+    ? google_tags_tag_key.default[each.value.tag].id
+    : each.value.tag_id
+  )
+  role = local.tags[each.value.tag]["iam_bindings"][each.value.binding].role
+  members = (
+    local.tags[each.value.tag]["iam_bindings"][each.value.binding].members
+  )
+}
+
+resource "google_tags_tag_key_iam_member" "bindings" {
+  for_each = local.tag_iam_bindings_additive
+  tag_key = (
+    each.value.tag_id == null
+    ? google_tags_tag_key.default[each.value.tag].id
+    : each.value.tag_id
+  )
+  role   = local.tags[each.value.tag]["iam_bindings_additive"][each.value.binding].role
+  member = local.tags[each.value.tag]["iam_bindings_additive"][each.value.binding].member
+}
+
 # values
 
 resource "google_tags_tag_value" "default" {
@@ -108,7 +178,7 @@ resource "google_tags_tag_value" "default" {
 }
 
 resource "google_tags_tag_value_iam_binding" "default" {
-  for_each = local.tag_values_iam
+  for_each = local.tag_value_iam
   tag_value = (
     each.value.id == null
     ? google_tags_tag_value.default[each.value.key].id
@@ -121,6 +191,36 @@ resource "google_tags_tag_value_iam_binding" "default" {
   )
 }
 
+resource "google_tags_tag_value_iam_binding" "bindings" {
+  for_each = local.tag_value_iam_bindings
+  tag_value = (
+    each.value.id == null
+    ? google_tags_tag_value.default[each.value.key].id
+    : each.value.id
+  )
+  role = (
+    local.tags[each.value.tag]["values"][each.value.name]["iam_bindings"][each.value.binding].role
+  )
+  members = (
+    local.tags[each.value.tag]["values"][each.value.name]["iam_bindings"][each.value.binding].members
+  )
+}
+
+resource "google_tags_tag_value_iam_member" "bindings" {
+  for_each = local.tag_value_iam_bindings_additive
+  tag_value = (
+    each.value.id == null
+    ? google_tags_tag_value.default[each.value.key].id
+    : each.value.id
+  )
+  role = (
+    local.tags[each.value.tag]["values"][each.value.name]["iam_bindings_additive"][each.value.binding].role
+  )
+  member = (
+    local.tags[each.value.tag]["values"][each.value.name]["iam_bindings_additive"][each.value.binding].member
+  )
+}
+
 # bindings
 
 resource "google_tags_tag_binding" "binding" {
diff --git a/modules/organization/variables-tags.tf b/modules/organization/variables-tags.tf
index 4688504d57..21a0efe6f4 100644
--- a/modules/organization/variables-tags.tf
+++ b/modules/organization/variables-tags.tf
@@ -19,11 +19,47 @@ variable "network_tags" {
   type = map(object({
     description = optional(string, "Managed by the Terraform organization module.")
     iam         = optional(map(list(string)), {})
-    id          = optional(string)
-    network     = string # project_id/vpc_name
+    iam_bindings = optional(map(object({
+      members = list(string)
+      role    = string
+      condition = optional(object({
+        expression  = string
+        title       = string
+        description = optional(string)
+      }))
+    })), {})
+    iam_bindings_additive = optional(map(object({
+      member = string
+      role   = string
+      condition = optional(object({
+        expression  = string
+        title       = string
+        description = optional(string)
+      }))
+    })), {})
+    id      = optional(string)
+    network = string # project_id/vpc_name
     values = optional(map(object({
       description = optional(string, "Managed by the Terraform organization module.")
       iam         = optional(map(list(string)), {})
+      iam_bindings = optional(map(object({
+        members = list(string)
+        role    = string
+        condition = optional(object({
+          expression  = string
+          title       = string
+          description = optional(string)
+        }))
+      })), {})
+      iam_bindings_additive = optional(map(object({
+        member = string
+        role   = string
+        condition = optional(object({
+          expression  = string
+          title       = string
+          description = optional(string)
+        }))
+      })), {})
     })), {})
   }))
   nullable = false
@@ -54,11 +90,47 @@ variable "tags" {
   type = map(object({
     description = optional(string, "Managed by the Terraform organization module.")
     iam         = optional(map(list(string)), {})
-    id          = optional(string)
+    iam_bindings = optional(map(object({
+      members = list(string)
+      role    = string
+      condition = optional(object({
+        expression  = string
+        title       = string
+        description = optional(string)
+      }))
+    })), {})
+    iam_bindings_additive = optional(map(object({
+      member = string
+      role   = string
+      condition = optional(object({
+        expression  = string
+        title       = string
+        description = optional(string)
+      }))
+    })), {})
+    id = optional(string)
     values = optional(map(object({
       description = optional(string, "Managed by the Terraform organization module.")
       iam         = optional(map(list(string)), {})
-      id          = optional(string)
+      iam_bindings = optional(map(object({
+        members = list(string)
+        role    = string
+        condition = optional(object({
+          expression  = string
+          title       = string
+          description = optional(string)
+        }))
+      })), {})
+      iam_bindings_additive = optional(map(object({
+        member = string
+        role   = string
+        condition = optional(object({
+          expression  = string
+          title       = string
+          description = optional(string)
+        }))
+      })), {})
+      id = optional(string)
     })), {})
   }))
   nullable = false
diff --git a/modules/project/README.md b/modules/project/README.md
index 75388aefc3..cd92870a47 100644
--- a/modules/project/README.md
+++ b/modules/project/README.md
@@ -1173,7 +1173,7 @@ module "bucket" {
 | [quotas.tf](./quotas.tf) | None | <code>google_cloud_quotas_quota_preference</code> |
 | [service-accounts.tf](./service-accounts.tf) | Service identities and supporting resources. | <code>google_kms_crypto_key_iam_member</code> · <code>google_project_default_service_accounts</code> · <code>google_project_iam_member</code> · <code>google_project_service_identity</code> |
 | [shared-vpc.tf](./shared-vpc.tf) | Shared VPC project-level configuration. | <code>google_compute_shared_vpc_host_project</code> · <code>google_compute_shared_vpc_service_project</code> · <code>google_compute_subnetwork_iam_member</code> · <code>google_project_iam_member</code> |
-| [tags.tf](./tags.tf) | None | <code>google_tags_tag_binding</code> · <code>google_tags_tag_key</code> · <code>google_tags_tag_key_iam_binding</code> · <code>google_tags_tag_value</code> · <code>google_tags_tag_value_iam_binding</code> |
+| [tags.tf](./tags.tf) | None | <code>google_tags_tag_binding</code> · <code>google_tags_tag_key</code> · <code>google_tags_tag_key_iam_binding</code> · <code>google_tags_tag_key_iam_member</code> · <code>google_tags_tag_value</code> · <code>google_tags_tag_value_iam_binding</code> · <code>google_tags_tag_value_iam_member</code> |
 | [variables-iam.tf](./variables-iam.tf) | None |  |
 | [variables-quotas.tf](./variables-quotas.tf) | None |  |
 | [variables-tags.tf](./variables-tags.tf) | None |  |
@@ -1204,7 +1204,7 @@ module "bucket" {
 | [logging_exclusions](variables.tf#L108) | Logging exclusions for this project in the form {NAME -> FILTER}. | <code>map&#40;string&#41;</code> |  | <code>&#123;&#125;</code> |
 | [logging_sinks](variables.tf#L115) | Logging sinks to create for this project. | <code title="map&#40;object&#40;&#123;&#10;  bq_partitioned_table &#61; optional&#40;bool, false&#41;&#10;  description          &#61; optional&#40;string&#41;&#10;  destination          &#61; string&#10;  disabled             &#61; optional&#40;bool, false&#41;&#10;  exclusions           &#61; optional&#40;map&#40;string&#41;, &#123;&#125;&#41;&#10;  filter               &#61; optional&#40;string&#41;&#10;  iam                  &#61; optional&#40;bool, true&#41;&#10;  type                 &#61; string&#10;  unique_writer        &#61; optional&#40;bool, true&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
 | [metric_scopes](variables.tf#L146) | List of projects that will act as metric scopes for this project. | <code>list&#40;string&#41;</code> |  | <code>&#91;&#93;</code> |
-| [network_tags](variables-tags.tf#L17) | Network tags by key name. If `id` is provided, key creation is skipped. The `iam` attribute behaves like the similarly named one at module level. | <code title="map&#40;object&#40;&#123;&#10;  description &#61; optional&#40;string, &#34;Managed by the Terraform project module.&#34;&#41;&#10;  iam         &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;  id          &#61; optional&#40;string&#41;&#10;  network     &#61; string &#35; project_id&#47;vpc_name&#10;  values &#61; optional&#40;map&#40;object&#40;&#123;&#10;    description &#61; optional&#40;string, &#34;Managed by the Terraform project module.&#34;&#41;&#10;    iam         &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;  &#125;&#41;&#41;, &#123;&#125;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
+| [network_tags](variables-tags.tf#L17) | Network tags by key name. If `id` is provided, key creation is skipped. The `iam` attribute behaves like the similarly named one at module level. | <code title="map&#40;object&#40;&#123;&#10;  description &#61; optional&#40;string, &#34;Managed by the Terraform project module.&#34;&#41;&#10;  iam         &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;  iam_bindings &#61; optional&#40;map&#40;object&#40;&#123;&#10;    members &#61; list&#40;string&#41;&#10;    role    &#61; string&#10;    condition &#61; optional&#40;object&#40;&#123;&#10;      expression  &#61; string&#10;      title       &#61; string&#10;      description &#61; optional&#40;string&#41;&#10;    &#125;&#41;&#41;&#10;  &#125;&#41;&#41;, &#123;&#125;&#41;&#10;  iam_bindings_additive &#61; optional&#40;map&#40;object&#40;&#123;&#10;    member &#61; string&#10;    role   &#61; string&#10;    condition &#61; optional&#40;object&#40;&#123;&#10;      expression  &#61; string&#10;      title       &#61; string&#10;      description &#61; optional&#40;string&#41;&#10;    &#125;&#41;&#41;&#10;  &#125;&#41;&#41;, &#123;&#125;&#41;&#10;  id      &#61; optional&#40;string&#41;&#10;  network &#61; string &#35; project_id&#47;vpc_name&#10;  values &#61; optional&#40;map&#40;object&#40;&#123;&#10;    description &#61; optional&#40;string, &#34;Managed by the Terraform project module.&#34;&#41;&#10;    iam         &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;    iam_bindings &#61; optional&#40;map&#40;object&#40;&#123;&#10;      members &#61; list&#40;string&#41;&#10;      role    &#61; string&#10;      condition &#61; optional&#40;object&#40;&#123;&#10;        expression  &#61; string&#10;        title       &#61; string&#10;        description &#61; optional&#40;string&#41;&#10;      &#125;&#41;&#41;&#10;    &#125;&#41;&#41;, &#123;&#125;&#41;&#10;    iam_bindings_additive &#61; optional&#40;map&#40;object&#40;&#123;&#10;      member &#61; string&#10;      role   &#61; string&#10;      condition &#61; optional&#40;object&#40;&#123;&#10;        expression  &#61; string&#10;        title       &#61; string&#10;        description &#61; optional&#40;string&#41;&#10;      &#125;&#41;&#41;&#10;    &#125;&#41;&#41;, &#123;&#125;&#41;&#10;  &#125;&#41;&#41;, &#123;&#125;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
 | [org_policies](variables.tf#L158) | Organization policies applied to this project keyed by policy name. | <code title="map&#40;object&#40;&#123;&#10;  inherit_from_parent &#61; optional&#40;bool&#41; &#35; for list policies only.&#10;  reset               &#61; optional&#40;bool&#41;&#10;  rules &#61; optional&#40;list&#40;object&#40;&#123;&#10;    allow &#61; optional&#40;object&#40;&#123;&#10;      all    &#61; optional&#40;bool&#41;&#10;      values &#61; optional&#40;list&#40;string&#41;&#41;&#10;    &#125;&#41;&#41;&#10;    deny &#61; optional&#40;object&#40;&#123;&#10;      all    &#61; optional&#40;bool&#41;&#10;      values &#61; optional&#40;list&#40;string&#41;&#41;&#10;    &#125;&#41;&#41;&#10;    enforce &#61; optional&#40;bool&#41; &#35; for boolean policies only.&#10;    condition &#61; optional&#40;object&#40;&#123;&#10;      description &#61; optional&#40;string&#41;&#10;      expression  &#61; optional&#40;string&#41;&#10;      location    &#61; optional&#40;string&#41;&#10;      title       &#61; optional&#40;string&#41;&#10;    &#125;&#41;, &#123;&#125;&#41;&#10;  &#125;&#41;&#41;, &#91;&#93;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
 | [parent](variables.tf#L185) | Parent folder or organization in 'folders/folder_id' or 'organizations/org_id' format. | <code>string</code> |  | <code>null</code> |
 | [prefix](variables.tf#L195) | Optional prefix used to generate project id and name. | <code>string</code> |  | <code>null</code> |
@@ -1216,8 +1216,8 @@ module "bucket" {
 | [shared_vpc_host_config](variables.tf#L235) | Configures this project as a Shared VPC host project (mutually exclusive with shared_vpc_service_project). | <code title="object&#40;&#123;&#10;  enabled          &#61; bool&#10;  service_projects &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |
 | [shared_vpc_service_config](variables.tf#L244) | Configures this project as a Shared VPC service project (mutually exclusive with shared_vpc_host_config). | <code title="object&#40;&#123;&#10;  host_project                &#61; string&#10;  network_users               &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10;  service_identity_iam        &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;  service_identity_subnet_iam &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;  service_iam_grants          &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10;  network_subnet_users        &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code title="&#123;&#10;  host_project &#61; null&#10;&#125;">&#123;&#8230;&#125;</code> |
 | [skip_delete](variables.tf#L272) | Allows the underlying resources to be destroyed without destroying the project itself. | <code>bool</code> |  | <code>false</code> |
-| [tag_bindings](variables-tags.tf#L45) | Tag bindings for this project, in key => tag value id format. | <code>map&#40;string&#41;</code> |  | <code>null</code> |
-| [tags](variables-tags.tf#L51) | Tags by key name. If `id` is provided, key or value creation is skipped. The `iam` attribute behaves like the similarly named one at module level. | <code title="map&#40;object&#40;&#123;&#10;  description &#61; optional&#40;string, &#34;Managed by the Terraform project module.&#34;&#41;&#10;  iam         &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;  id          &#61; optional&#40;string&#41;&#10;  values &#61; optional&#40;map&#40;object&#40;&#123;&#10;    description &#61; optional&#40;string, &#34;Managed by the Terraform project module.&#34;&#41;&#10;    iam         &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;    id          &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;, &#123;&#125;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
+| [tag_bindings](variables-tags.tf#L81) | Tag bindings for this project, in key => tag value id format. | <code>map&#40;string&#41;</code> |  | <code>null</code> |
+| [tags](variables-tags.tf#L88) | Tags by key name. If `id` is provided, key or value creation is skipped. The `iam` attribute behaves like the similarly named one at module level. | <code title="map&#40;object&#40;&#123;&#10;  description &#61; optional&#40;string, &#34;Managed by the Terraform project module.&#34;&#41;&#10;  iam         &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;  iam_bindings &#61; optional&#40;map&#40;object&#40;&#123;&#10;    members &#61; list&#40;string&#41;&#10;    role    &#61; string&#10;    condition &#61; optional&#40;object&#40;&#123;&#10;      expression  &#61; string&#10;      title       &#61; string&#10;      description &#61; optional&#40;string&#41;&#10;    &#125;&#41;&#41;&#10;  &#125;&#41;&#41;, &#123;&#125;&#41;&#10;  iam_bindings_additive &#61; optional&#40;map&#40;object&#40;&#123;&#10;    member &#61; string&#10;    role   &#61; string&#10;    condition &#61; optional&#40;object&#40;&#123;&#10;      expression  &#61; string&#10;      title       &#61; string&#10;      description &#61; optional&#40;string&#41;&#10;    &#125;&#41;&#41;&#10;  &#125;&#41;&#41;, &#123;&#125;&#41;&#10;  id &#61; optional&#40;string&#41;&#10;  values &#61; optional&#40;map&#40;object&#40;&#123;&#10;    description &#61; optional&#40;string, &#34;Managed by the Terraform project module.&#34;&#41;&#10;    iam         &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;    iam_bindings &#61; optional&#40;map&#40;object&#40;&#123;&#10;      members &#61; list&#40;string&#41;&#10;      role    &#61; string&#10;      condition &#61; optional&#40;object&#40;&#123;&#10;        expression  &#61; string&#10;        title       &#61; string&#10;        description &#61; optional&#40;string&#41;&#10;      &#125;&#41;&#41;&#10;    &#125;&#41;&#41;, &#123;&#125;&#41;&#10;    iam_bindings_additive &#61; optional&#40;map&#40;object&#40;&#123;&#10;      member &#61; string&#10;      role   &#61; string&#10;      condition &#61; optional&#40;object&#40;&#123;&#10;        expression  &#61; string&#10;        title       &#61; string&#10;        description &#61; optional&#40;string&#41;&#10;      &#125;&#41;&#41;&#10;    &#125;&#41;&#41;, &#123;&#125;&#41;&#10;    id &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;, &#123;&#125;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
 | [vpc_sc](variables.tf#L278) | VPC-SC configuration for the project, use when `ignore_changes` for resources is set in the VPC-SC module. | <code title="object&#40;&#123;&#10;  perimeter_name    &#61; string&#10;  perimeter_bridges &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10;  is_dry_run        &#61; optional&#40;bool, false&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |
 
 ## Outputs
diff --git a/modules/project/tags.tf b/modules/project/tags.tf
index 4f2a666459..1f9ff378b5 100644
--- a/modules/project/tags.tf
+++ b/modules/project/tags.tf
@@ -15,50 +15,96 @@
  */
 
 locals {
-  _tag_values = flatten([
-    for tag, attrs in local.tags : [
-      for value, value_attrs in attrs.values : {
-        description = value_attrs.description,
-        key         = "${tag}/${value}"
-        id          = try(value_attrs.id, null)
-        name        = value
-        roles       = keys(value_attrs.iam)
-        tag         = tag
-        tag_id      = attrs.id
-        tag_network = try(attrs.network, null) != null
+  _tag_iam = flatten([
+    for k, v in local.tags : [
+      for role in keys(v.iam) : {
+        # we cycle on keys here so we don't risk injecting dynamic values
+        role   = role
+        tag    = k
+        tag_id = v.id
       }
     ]
   ])
-  _tag_values_iam = flatten([
-    for key, value_attrs in local.tag_values : [
-      for role in value_attrs.roles : {
-        id   = value_attrs.id
-        key  = value_attrs.key
-        name = value_attrs.name
+  _tag_value_iam = flatten([
+    for k, v in local.tag_values : [
+      for role in v.roles : {
+        id   = v.id
+        key  = v.key
+        name = v.name
         role = role
-        tag  = value_attrs.tag
+        tag  = v.tag
       }
     ]
   ])
-  _tags_iam = flatten([
-    for tag, attrs in local.tags : [
-      for role in keys(attrs.iam) : {
-        role   = role
-        tag    = tag
-        tag_id = attrs.id
+  _tag_values = flatten([
+    for k, v in local.tags : [
+      for vk, vv in v.values : {
+        description           = vv.description,
+        key                   = "${k}/${vk}"
+        iam_bindings          = keys(vv.iam_bindings)
+        iam_bindings_additive = keys(vv.iam_bindings_additive)
+        id                    = try(vv.id, null)
+        name                  = vk
+        # we only store keys here so we don't risk injecting dynamic values
+        roles       = keys(vv.iam)
+        tag         = k
+        tag_id      = v.id
+        tag_network = try(v.network, null) != null
       }
     ]
   ])
-  tag_values = {
-    for t in local._tag_values : t.key => t
+  tag_iam = {
+    for t in local._tag_iam : "${t.tag}:${t.role}" => t
+  }
+  tag_iam_bindings = merge([
+    for k, v in local.tags : {
+      for bk in keys(v.iam_bindings) : "${k}:${bk}" => {
+        binding = bk
+        tag     = k
+        tag_id  = v.id
+      }
+    }
+  ]...)
+  tag_iam_bindings_additive = merge([
+    for k, v in local.tags : {
+      for bk in keys(v.iam_bindings_additive) : "${k}:${bk}" => {
+        binding = bk
+        tag     = k
+        tag_id  = v.id
+      }
+    }
+  ]...)
+  tag_value_iam = {
+    for v in local._tag_value_iam : "${v.key}:${v.role}" => v
   }
-  tag_values_iam = {
-    for t in local._tag_values_iam : "${t.key}:${t.role}" => t
+  tag_value_iam_bindings = merge([
+    for k, v in local.tag_values : {
+      for bk in v.iam_bindings : "${k}:${bk}" => {
+        binding = bk
+        id      = v.id
+        key     = k
+        name    = v.name
+        tag     = v.tag
+        tag_id  = v.id
+      }
+    }
+  ]...)
+  tag_value_iam_bindings_additive = merge([
+    for k, v in local.tag_values : {
+      for bk in v.iam_bindings_additive : "${k}:${bk}" => {
+        binding = bk
+        id      = v.id
+        key     = k
+        name    = v.name
+        tag     = v.tag
+        tag_id  = v.id
+      }
+    }
+  ]...)
+  tag_values = {
+    for v in local._tag_values : v.key => v
   }
   tags = merge(var.tags, var.network_tags)
-  tags_iam = {
-    for t in local._tags_iam : "${t.tag}:${t.role}" => t
-  }
 }
 
 # keys
@@ -82,7 +128,7 @@ resource "google_tags_tag_key" "default" {
 }
 
 resource "google_tags_tag_key_iam_binding" "default" {
-  for_each = local.tags_iam
+  for_each = local.tag_iam
   tag_key = (
     each.value.tag_id == null
     ? google_tags_tag_key.default[each.value.tag].id
@@ -94,6 +140,30 @@ resource "google_tags_tag_key_iam_binding" "default" {
   )
 }
 
+resource "google_tags_tag_key_iam_binding" "bindings" {
+  for_each = local.tag_iam_bindings
+  tag_key = (
+    each.value.tag_id == null
+    ? google_tags_tag_key.default[each.value.tag].id
+    : each.value.tag_id
+  )
+  role = local.tags[each.value.tag]["iam_bindings"][each.value.binding].role
+  members = (
+    local.tags[each.value.tag]["iam_bindings"][each.value.binding].members
+  )
+}
+
+resource "google_tags_tag_key_iam_member" "bindings" {
+  for_each = local.tag_iam_bindings_additive
+  tag_key = (
+    each.value.tag_id == null
+    ? google_tags_tag_key.default[each.value.tag].id
+    : each.value.tag_id
+  )
+  role   = local.tags[each.value.tag]["iam_bindings_additive"][each.value.binding].role
+  member = local.tags[each.value.tag]["iam_bindings_additive"][each.value.binding].member
+}
+
 # values
 
 resource "google_tags_tag_value" "default" {
@@ -108,7 +178,7 @@ resource "google_tags_tag_value" "default" {
 }
 
 resource "google_tags_tag_value_iam_binding" "default" {
-  for_each = local.tag_values_iam
+  for_each = local.tag_value_iam
   tag_value = (
     each.value.id == null
     ? google_tags_tag_value.default[each.value.key].id
@@ -121,6 +191,36 @@ resource "google_tags_tag_value_iam_binding" "default" {
   )
 }
 
+resource "google_tags_tag_value_iam_binding" "bindings" {
+  for_each = local.tag_value_iam_bindings
+  tag_value = (
+    each.value.id == null
+    ? google_tags_tag_value.default[each.value.key].id
+    : each.value.id
+  )
+  role = (
+    local.tags[each.value.tag]["values"][each.value.name]["iam_bindings"][each.value.binding].role
+  )
+  members = (
+    local.tags[each.value.tag]["values"][each.value.name]["iam_bindings"][each.value.binding].members
+  )
+}
+
+resource "google_tags_tag_value_iam_member" "bindings" {
+  for_each = local.tag_value_iam_bindings_additive
+  tag_value = (
+    each.value.id == null
+    ? google_tags_tag_value.default[each.value.key].id
+    : each.value.id
+  )
+  role = (
+    local.tags[each.value.tag]["values"][each.value.name]["iam_bindings_additive"][each.value.binding].role
+  )
+  member = (
+    local.tags[each.value.tag]["values"][each.value.name]["iam_bindings_additive"][each.value.binding].member
+  )
+}
+
 # bindings
 
 resource "google_tags_tag_binding" "binding" {
diff --git a/modules/project/variables-tags.tf b/modules/project/variables-tags.tf
index 8914aae6e6..ac73f03fd8 100644
--- a/modules/project/variables-tags.tf
+++ b/modules/project/variables-tags.tf
@@ -19,11 +19,47 @@ variable "network_tags" {
   type = map(object({
     description = optional(string, "Managed by the Terraform project module.")
     iam         = optional(map(list(string)), {})
-    id          = optional(string)
-    network     = string # project_id/vpc_name
+    iam_bindings = optional(map(object({
+      members = list(string)
+      role    = string
+      condition = optional(object({
+        expression  = string
+        title       = string
+        description = optional(string)
+      }))
+    })), {})
+    iam_bindings_additive = optional(map(object({
+      member = string
+      role   = string
+      condition = optional(object({
+        expression  = string
+        title       = string
+        description = optional(string)
+      }))
+    })), {})
+    id      = optional(string)
+    network = string # project_id/vpc_name
     values = optional(map(object({
       description = optional(string, "Managed by the Terraform project module.")
       iam         = optional(map(list(string)), {})
+      iam_bindings = optional(map(object({
+        members = list(string)
+        role    = string
+        condition = optional(object({
+          expression  = string
+          title       = string
+          description = optional(string)
+        }))
+      })), {})
+      iam_bindings_additive = optional(map(object({
+        member = string
+        role   = string
+        condition = optional(object({
+          expression  = string
+          title       = string
+          description = optional(string)
+        }))
+      })), {})
     })), {})
   }))
   nullable = false
@@ -45,7 +81,8 @@ variable "network_tags" {
 variable "tag_bindings" {
   description = "Tag bindings for this project, in key => tag value id format."
   type        = map(string)
-  default     = null
+  # we need default null here for the project factory module
+  default = null
 }
 
 variable "tags" {
@@ -53,11 +90,47 @@ variable "tags" {
   type = map(object({
     description = optional(string, "Managed by the Terraform project module.")
     iam         = optional(map(list(string)), {})
-    id          = optional(string)
+    iam_bindings = optional(map(object({
+      members = list(string)
+      role    = string
+      condition = optional(object({
+        expression  = string
+        title       = string
+        description = optional(string)
+      }))
+    })), {})
+    iam_bindings_additive = optional(map(object({
+      member = string
+      role   = string
+      condition = optional(object({
+        expression  = string
+        title       = string
+        description = optional(string)
+      }))
+    })), {})
+    id = optional(string)
     values = optional(map(object({
       description = optional(string, "Managed by the Terraform project module.")
       iam         = optional(map(list(string)), {})
-      id          = optional(string)
+      iam_bindings = optional(map(object({
+        members = list(string)
+        role    = string
+        condition = optional(object({
+          expression  = string
+          title       = string
+          description = optional(string)
+        }))
+      })), {})
+      iam_bindings_additive = optional(map(object({
+        member = string
+        role   = string
+        condition = optional(object({
+          expression  = string
+          title       = string
+          description = optional(string)
+        }))
+      })), {})
+      id = optional(string)
     })), {})
   }))
   nullable = false
diff --git a/tests/modules/organization/examples/tags.yaml b/tests/modules/organization/examples/tags.yaml
index bed4b46188..cce3674346 100644
--- a/tests/modules/organization/examples/tags.yaml
+++ b/tests/modules/organization/examples/tags.yaml
@@ -23,11 +23,20 @@ values:
     purpose_data: null
     short_name: environment
     timeouts: null
+  module.org.google_tags_tag_key_iam_binding.bindings["environment:viewer"]:
+    condition: []
+    members:
+    - group:gcp-support@example.org
+    role: roles/resourcemanager.tagViewer
   module.org.google_tags_tag_key_iam_binding.default["environment:roles/resourcemanager.tagAdmin"]:
     condition: []
     members:
     - group:organization-admins@example.org
     role: roles/resourcemanager.tagAdmin
+  module.org.google_tags_tag_key_iam_member.bindings["environment:user_app1"]:
+    condition: []
+    member: group:app1-team@example.org
+    role: roles/resourcemanager.tagUser
   module.org.google_tags_tag_value.default["environment/dev"]:
     description: Managed by the Terraform organization module.
     short_name: dev
@@ -36,14 +45,28 @@ values:
     description: 'Environment: production.'
     short_name: prod
     timeouts: null
+  module.org.google_tags_tag_value_iam_binding.bindings["environment/prod:admin"]:
+    condition: []
+    members:
+    - group:gcp-support@example.org
+    role: roles/resourcemanager.tagAdmin
   module.org.google_tags_tag_value_iam_binding.default["environment/prod:roles/resourcemanager.tagViewer"]:
     condition: []
     members:
-    - group:organization-admins@example.org
+    - group:app1-team@example.org
     role: roles/resourcemanager.tagViewer
+  module.org.google_tags_tag_value_iam_member.bindings["environment/dev:user_app2"]:
+    condition: []
+    member: group:app2-team@example.org
+    role: roles/resourcemanager.tagUser
 
 counts:
   google_tags_tag_binding: 1
   google_tags_tag_key: 1
-  google_tags_tag_key_iam_binding: 1
+  google_tags_tag_key_iam_binding: 2
+  google_tags_tag_key_iam_member: 1
   google_tags_tag_value: 2
+  google_tags_tag_value_iam_binding: 2
+  google_tags_tag_value_iam_member: 1
+  modules: 1
+  resources: 10

From 4d1d3c6811228fcfc59b5b80d9c6d988494e55e1 Mon Sep 17 00:00:00 2001
From: simonebruzzechesse
 <60114646+simonebruzzechesse@users.noreply.github.com>
Date: Tue, 14 May 2024 14:45:39 +0200
Subject: [PATCH 27/31] New Bindplane cloud-config-container setup (#2272)

* new bindplane cloud-config-container setup
---
 modules/cloud-config-container/README.md      |   1 +
 .../bindplane/README.md                       |  95 +++++++++++++
 .../bindplane/cloud-config.yaml               | 128 ++++++++++++++++++
 .../bindplane/images/login.png                | Bin 0 -> 158968 bytes
 .../cloud-config-container/bindplane/main.tf  |  48 +++++++
 .../bindplane/outputs.tf                      |  20 +++
 .../bindplane/variables.tf                    |  88 ++++++++++++
 .../bindplane/versions.tf                     |  27 ++++
 8 files changed, 407 insertions(+)
 create mode 100644 modules/cloud-config-container/bindplane/README.md
 create mode 100644 modules/cloud-config-container/bindplane/cloud-config.yaml
 create mode 100644 modules/cloud-config-container/bindplane/images/login.png
 create mode 100644 modules/cloud-config-container/bindplane/main.tf
 create mode 100644 modules/cloud-config-container/bindplane/outputs.tf
 create mode 100644 modules/cloud-config-container/bindplane/variables.tf
 create mode 100644 modules/cloud-config-container/bindplane/versions.tf

diff --git a/modules/cloud-config-container/README.md b/modules/cloud-config-container/README.md
index d7017dcb77..b41490040b 100644
--- a/modules/cloud-config-container/README.md
+++ b/modules/cloud-config-container/README.md
@@ -11,6 +11,7 @@ These modules are designed for several use cases:
 
 ## Available modules
 
+- [Bindplane](./bindplane)
 - [CoreDNS](./coredns)
 - [MySQL](./mysql)
 - [Nginx](./nginx)
diff --git a/modules/cloud-config-container/bindplane/README.md b/modules/cloud-config-container/bindplane/README.md
new file mode 100644
index 0000000000..035722521e
--- /dev/null
+++ b/modules/cloud-config-container/bindplane/README.md
@@ -0,0 +1,95 @@
+# Containerized Bindplane on Container Optimized OS
+
+This module manages a `cloud-config` configuration that starts a containerized [Bindplane](https://observiq.com/solutions) service on Container Optimized OS, using the official [Bindplane EE image](https://hub.docker.com/r/observiq/bindplane-ee) provided by observIQ and documented in the [official documentation page](https://observiq.com/download) when selecting "Docker" as target platform.
+
+The resulting `cloud-config` can be customized in a number of ways:
+
+- a custom Bindplane configuration can be set in Docker compose file available in `/run/bindplane/docker-compose.yml` using the `bindplane_config` variable
+- additional files can be passed in via the `files` variable
+- a completely custom `cloud-config` can be passed in via the `cloud_config` variable, and additional template variables can be passed in via `config_variables`
+
+The default instance configuration inserts iptables rules to allow traffic on port 3001.
+
+Logging and monitoring are enabled via the [Google Cloud Logging agent](https://cloud.google.com/container-optimized-os/docs/how-to/logging) configured for the instance via the `google-logging-enabled` metadata property, and the [Node Problem Detector](https://cloud.google.com/container-optimized-os/docs/how-to/monitoring) service started by default on boot.
+
+The module renders the generated cloud config in the `cloud_config` output, to be used in instances or instance templates via the `user-data` metadata.
+
+## Setup
+
+Please refer to the examples below for a sample terraform code for deploying a Bindplane server on GCP Compute VM with COS. After setting up the terraform code run the following commands:
+
+```bash
+terraform init
+terraform apply
+```
+
+Wait for a couple of minutes for the VM to be bootstrapped then connect via IAP tunnel using the following command (substitute the VM name, project and zone according to your configuration):
+
+```bash
+gcloud compute ssh $VM_NAME --project $PROJECT --zone $ZONE -- -L 3001:127.0.0.1:3001 -N -q -f
+```
+
+Navigate to http://localhost:3001 to access the Bindplane console, the following login page should be displayed.
+
+<p align="center">
+  <img src="./images/login.png" alt="Bindplane Login page">
+</p>
+
+## Examples
+
+### Default configuration
+
+This example will create a `cloud-config` that uses the module's defaults, creating a simple bindplane server with default (latest) docker image versions and setting localhost as remote url (suited only for local development).
+
+```hcl
+module "cos-nginx" {
+  source   = "./fabric/modules/cloud-config-container/bindplane"
+  password = "secret"
+}
+
+module "vm-nginx-tls" {
+  source     = "./fabric/modules/compute-vm"
+  project_id = "my-project"
+  zone       = "europe-west8-b"
+  name       = "cos-nginx"
+  network_interfaces = [{
+    network    = "default"
+    subnetwork = "gce"
+  }]
+  metadata = {
+    user-data              = module.cos-nginx.cloud_config
+    google-logging-enabled = true
+  }
+  boot_disk = {
+    initialize_params = {
+      image = "projects/cos-cloud/global/images/family/cos-stable"
+      type  = "pd-ssd"
+      size  = 10
+    }
+  }
+  tags = ["http-server", "ssh"]
+}
+# tftest modules=2 resources=2
+```
+
+<!-- BEGIN TFDOC -->
+## Variables
+
+| name | description | type | required | default |
+|---|---|:---:|:---:|:---:|
+| [password](variables.tf#L63) | Default admin user password. | <code>string</code> | ✓ |  |
+| [bindplane_config](variables.tf#L17) | Bindplane configurations. | <code title="object&#40;&#123;&#10;  remote_url                      &#61; optional&#40;string, &#34;localhost&#34;&#41;&#10;  bindplane_server_image          &#61; optional&#40;string, &#34;us-central1-docker.pkg.dev&#47;observiq-containers&#47;bindplane&#47;bindplane-ee:latest&#34;&#41;&#10;  bindplane_transform_agent_image &#61; optional&#40;string, &#34;us-central1-docker.pkg.dev&#47;observiq-containers&#47;bindplane&#47;bindplane-transform-agent:latest&#34;&#41;&#10;  bindplane_prometheus_image      &#61; optional&#40;string, &#34;us-central1-docker.pkg.dev&#47;observiq-containers&#47;bindplane&#47;bindplane-prometheus:1.56.0&#34;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |
+| [cloud_config](variables.tf#L29) | Cloud config template path. If null default will be used. | <code>string</code> |  | <code>null</code> |
+| [config_variables](variables.tf#L35) | Additional variables used to render the cloud-config and Nginx templates. | <code>map&#40;any&#41;</code> |  | <code>&#123;&#125;</code> |
+| [file_defaults](variables.tf#L41) | Default owner and permissions for files. | <code title="object&#40;&#123;&#10;  owner       &#61; string&#10;  permissions &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code title="&#123;&#10;  owner       &#61; &#34;root&#34;&#10;  permissions &#61; &#34;0644&#34;&#10;&#125;">&#123;&#8230;&#125;</code> |
+| [files](variables.tf#L53) | Map of extra files to create on the instance, path as key. Owner and permissions will use defaults if null. | <code title="map&#40;object&#40;&#123;&#10;  content     &#61; string&#10;  owner       &#61; string&#10;  permissions &#61; string&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
+| [runcmd_post](variables.tf#L68) | Extra commands to run after starting nginx. | <code>list&#40;string&#41;</code> |  | <code>&#91;&#93;</code> |
+| [runcmd_pre](variables.tf#L74) | Extra commands to run before starting nginx. | <code>list&#40;string&#41;</code> |  | <code>&#91;&#93;</code> |
+| [users](variables.tf#L80) | List of additional usernames to be created. | <code title="list&#40;object&#40;&#123;&#10;  username &#61; string,&#10;  uid      &#61; number,&#10;&#125;&#41;&#41;">list&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code title="&#91;&#10;&#93;">&#91;&#8230;&#93;</code> |
+
+## Outputs
+
+| name | description | sensitive |
+|---|---|:---:|
+| [cloud_config](outputs.tf#L17) | Rendered cloud-config file to be passed as user-data instance metadata. |  |
+<!-- END TFDOC -->
diff --git a/modules/cloud-config-container/bindplane/cloud-config.yaml b/modules/cloud-config-container/bindplane/cloud-config.yaml
new file mode 100644
index 0000000000..78f6ea6ec5
--- /dev/null
+++ b/modules/cloud-config-container/bindplane/cloud-config.yaml
@@ -0,0 +1,128 @@
+#cloud-config
+
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# https://hub.docker.com/r/nginx/nginx/
+# https://nginx.io/manual/toc/#installation
+
+users:
+  - name: bindplane
+    uid: 2000
+  %{ for user in users }
+  - name: ${user.username}
+    uid: ${user.uid}
+  %{ endfor }
+
+write_files:
+  - path: /var/lib/docker/daemon.json
+    permissions: 0644
+    owner: root
+    content: |
+      {
+        "live-restore": true,
+        "storage-driver": "overlay2",
+        "log-opts": {
+          "max-size": "1024m"
+        }
+      }
+
+  - path: /run/bindplane/docker-compose.yml
+    permissions: 0644
+    owner: root
+    content: |
+      version: "3"
+
+      volumes:
+        bindplane:
+        prometheus:
+      
+      services:
+        prometheus:
+          container_name: bindplane-prometheus
+          restart: always
+          image: ${bindplane_prometheus_image}
+          ports:
+            - "9090:9090"
+          volumes:
+            - prometheus:/prometheus
+      
+        transform:
+          container_name: bindplane-transform-agent
+          restart: always
+          image: ${bindplane_transform_agent_image}
+          ports:
+            - "4568:4568"
+      
+        bindplane:
+          container_name: bindplane-server
+          restart: always
+          image: ${bindplane_server_image}
+          ports:
+            - "3001:3001"
+          environment:
+            - BINDPLANE_USERNAME=admin
+            - BINDPLANE_PASSWORD=${password}
+            - BINDPLANE_REMOTE_URL=http://${remote_url}:3001
+            - BINDPLANE_SESSION_SECRET=${uuid}
+            - BINDPLANE_LOG_OUTPUT=stdout
+            - BINDPLANE_ACCEPT_EULA=true
+            - BINDPLANE_PROMETHEUS_ENABLE=true
+            - BINDPLANE_PROMETHEUS_ENABLE_REMOTE=true
+            - BINDPLANE_PROMETHEUS_HOST=prometheus
+            - BINDPLANE_PROMETHEUS_PORT=9090
+            - BINDPLANE_TRANSFORM_AGENT_ENABLE_REMOTE=true
+            - BINDPLANE_TRANSFORM_AGENT_REMOTE_AGENTS=transform:4568
+          volumes:
+            - bindplane:/data
+          depends_on:
+            - prometheus
+            - transform
+
+  # bindplane container service
+  - path: /etc/systemd/system/bindplane.service
+    permissions: 0644
+    owner: root
+    content: |
+      [Unit]
+      Description=Start bindplane containers
+      After=gcr-online.target docker.socket
+      Wants=gcr-online.target docker.socket docker-events-collector.service
+      [Service]
+      Environment="HOME=/home/bindplane"
+      ExecStartPre=/usr/bin/docker-credential-gcr configure-docker
+      ExecStart=/usr/bin/docker run --rm -v /var/run/docker.sock:/var/run/docker.sock -v /var:/var -v /run:/run -w=/var cryptopants/docker-compose-gcr -f /run/bindplane/docker-compose.yml up
+      ExecStop=/usr/bin/docker rm -f $(docker ps -a -q)
+
+  %{ for path, data in files }
+  - path: ${path}
+    owner: ${lookup(data, "owner", "root")}
+    permissions: ${lookup(data, "permissions", "0644")}
+    content: |
+      ${indent(6, data.content)}
+  %{ endfor }
+
+bootcmd:
+  - systemctl start node-problem-detector
+
+runcmd:
+%{ for cmd in runcmd_pre ~}
+  - ${cmd}
+%{ endfor ~}
+  - iptables -I INPUT 1 -p tcp -m tcp --dport 3001 -m state --state NEW,ESTABLISHED -j ACCEPT
+  - systemctl daemon-reload
+  - systemctl start bindplane
+%{ for cmd in runcmd_post ~}
+  - ${cmd}
+%{ endfor ~}
diff --git a/modules/cloud-config-container/bindplane/images/login.png b/modules/cloud-config-container/bindplane/images/login.png
new file mode 100644
index 0000000000000000000000000000000000000000..3de1e6829ab26c97c9bf8214580ddf3b22987bca
GIT binary patch
literal 158968
zcmXt<XIK*4`^QU5%N+HXsku_0Qqf%eRB%?7mYEyT!pupJ8}~LdH)3XPaAc(d;!4B4
z!HG5yF(<gio!j)^oBykGUFYSw&N<)v{(e7qqM3;y57%|BGiT25JbHNF;>?+I=rd>7
z-(TSPyR$GRr}uX`>t|tj?+k$=x^(8ujWdt#-?a*U&T76iT>c+Kd>>QHcKv(l4;~)C
zh3hYc=H8X2piHEEH?Mue=DgC(!3OsuZyDSv&&|F%`I&)~Mf?-DX!TEkQM9qYvk<>h
z_H{+TbS#JYqPlSV2N9{!J3sC&M*Dr9Y(A|$h3lPe<7+3q*Zmrvoe(~NPERJ+BWOFe
zLr;%>h1nDT?EX?xk~y^_`Z&~whwQ<dnvgVd6!R%QkrtRdEkRfNDn8VGqy;BkuMINP
z{V6wVrir8}+BJNEH3gfG{fDMjnHrkZh3tucIseOR#3cL{DZYAW)Se!<n)heoTRJm9
zeX;>wsYI`1t@pJE>DlT+j{Ilg_VrDa=X#k1!zMW_q@Gdy0L^wS(4#IerE`$}=lw~Q
z;p|A8L~JT?Z8&_f3$;~N9g`&a<q}EL$$jxkMe5Pj6IVpBo5+IXFJ6SD!wU%ehWLUd
z60+l6=M4$_xkIpHOMYLjs@Di|uoXptrV910jtq?uO~m|l+qMN<{qUdx$4KV!5WEzW
z0Hn>b9ZBIfA)-P47GchyGz>khWUR4)0xunZ(deX&y*@>is}b<K^1i6p5>kB6iy&5N
z`coV=L5vT1oDnpj0}yVk(tH-wxFR1pvuu#z#~TE}IOkbc2US`i+T5npXh2&lp1_@%
z%OM%5SWU1<mWRl!QlA&LVmbhjRjKapWZXUUG|ac9F&H8$_1sA}uUp#*A;SSl={qh9
zS8@7<G8SFIZx4tAOf>hP#Nmm~?wVY74@y^bI=jE(y$t1=6>9wzSo~US;oNNC8yf-p
zEVTPvm*e1>@3nVtoq9y~h4+7ivr?in&YHP~aT4|$q_-dn)-<i|HxXUF5O}4XvNhlz
z%T>GXFAdMTA9qQT3bt;OtkvIiiw-2^ZB@Oy$<C_X)tqes#G#)9T5_8F!euS=c9%w5
zi=Akk4?kG3GoJT5nyQ(PZg3ya{znIbEz*X#(l2)&OxY^>V)~Z3okCsszc|FhH1UJS
zc>i)Ak{wjts<u+<Nsf4ihinY)Tf!4biK(pKQV#t1<+8EP(E7XOV~-E?`a`INE-h<a
z;hEBQwpZt^_W)Bqo_)K6K26WqvE#m=!eutHvQv7}BT}KQhnWyb`z=it#dNGm+Ed%4
zmW7!p&AJg?IW7Uwemnm%zs~?=p0R8Z>H>OnclXuOSwzGmPH!x1g_Mwf3DIn+1ZQ<1
zI`@m6gR0CBZ;TZoS(lXnn5%pcA?oIX>G&{UhSS{Tg33t~(|}v^dC5QYo%=!e=TiG<
zT<P-o)!7`J%G%^aTd%-94qJ|TuHR@$fbXlepoFU8E1h?6NkP}%R7r^VTTikgIXPfx
zSj^`n2kSSQyDm`yT>b)<V#9rBLOfY=bkEnrKO$^j2e1;l6?Qc<#T7r>C>p-9;?{C}
z6}hClX?`|a-X_>O*3eF3fPizZ@S)7zbFqiWj*1I|%YR!vh=24t`4ZAa{El2xDTj2p
z*YU)E1JvfV+8mng9zJoXry)tAF73zP2NRbJlc}EXp*jdUxpQ0-J2tn;zVam2ff$c1
zA}BIeB;7~$iE6yi3_TdW^zg%o^~rjd$e}7uEC=tgt?(75+Zb%O-H={uSzHZU95du$
ze7iNFd3jUtiA_L3vdB)T3r%4X8~TBOJDlCZRa039?kja2(%OxTQ6owpff_Invg7>F
z6&`Dg-3?Oq7~!NJ;yGXB2#m;z;+1>o_qv^}f6zvwnV(}437KH~`s~yQ(#{n<L|xK~
zkp>w|y(7cmt|}cXh-g+%1+Fojd;Ief%TcH%1L~}Pz<N*G3?d-v+K<Jfl-2!<GKRBQ
z{Sc;G1jObtxA|vE3-Q)&@2fB0!O~LMUush9<L_G?as*HF^SXzB19Q$n8Yp8#z*~<3
zBa#};P8EL6@<4k#f))EpPedNrAcs*M*8I1XHzWBXd-{!=&q{6#^kkH;b{S@pkq@|8
zSfLsU;X*)i!4Gc(jSRkrTyKqK59HCl>^KGSVa1Hws@y>bAN(19Lfh|KGdzS_N_8ee
z1;Z2?w=z1Q55%o>x@pRv#awYks2U}|m>ih(EII&MO?Jm$Dk#6OgKRR<&C)|D!-++X
zR!a-ZLM>~)u!H;5DELaH{;vPE{srIl><YNeQk*sKFW0>Os>luErv1*jvgF5vl$Q$$
zIoy}D>f`p}2k3@QAdUv1B$fO*&XEM}RILUv_Y~}tQg$adawLGFDoUxuxtnJ4Z@vo9
z?g|8WIqAj91HMXK6RVTu9&jsX8hWHVjo#h7H%_D8goFX>YmV<64K9A%Cw59^YWOIM
z6l&(vHdC=*331Yy^wc+)@YT1~#lJNAFU{$7krj4@4IwRlye=&k;O;$nyA55u9qa2L
zUB#y_LH;%OsmOVY4v^|lAGp)^Th3Xv9shLS&wk1U0SO8@OtT<`b5yeP&j^8~yef%n
zTa{^-wl2)_z5?Ez&Q9vM9#-#gz2ykHL`~6$7z6Se9H%LGXG}8+k@$!Lo{%F7hcNe3
z|6J+9I>v7fj?S=3U;P%UAMKWpMG$V_(B|j)hfpgCP_*~{A7R!y%Nqq(yx>7b$`%?E
zh`s~$Bss>7q^6`Nr0W#@F7)z6dAx=#P!NtSF;w9l|M4`z1><@>F%#SV((lWaR>E&+
zecZ0KTK1np-#4By3-`5M+(${v+;d7@oO73Ma+3a=2M%1StLcx5Z8UF$tr{H3Y7bW0
zA3VMiKzbn~!~Xzj7i$ZdtTfFoa1LH~EIe#6&MFBG)W|ZALfy<LNznVNqb9{XV!Bqk
z-9mn<^5ZWsLY?x*=4whCT|CU;3Un*ht4x%v`F8V?fIbXZeXRNWI?aS+k)h`yG2ejR
zMi&zzwQPU>al7rOLJs1s6`m^SEgx}2Z*SaNjjb;RWpwBWe1&$1E3Q`!2`>cxncK>V
z!1*|&*w=(I+%EN%Zpf~Qgs8B5@Ta43XgE;a(OC0;>Q-xm4DnxO*B1w0RBfMKUY(ub
zMq9n`Iwxd*BXTQEO3@=v-;@xPrx%2hzt6<=ZORXTAMR`NUpM}D$DB9_Ey_!DS$xwV
zd8b>;9MIeFDEiUWh5KixdURWEjE3JmAZ5zXK6yV(5WX?Bq}{gaEKxUQK#}b1&FX!8
z)R8rus>9Bb=4C|w{xxv9%za_40f-3yphv#VfAL>Ct%)}8Dy3^(2?YcX;EGi>+*wur
zDpxQht+WR#O)H{JEbZO6E!K8ludqTO#NpUs*s#&i>qa!A=|WT6X{wGg2UF8A`&qmy
zi4HIkFp!S6e)GB)b96Tv;r%ud>C;$bG@cr09y+7hl23n{HteQE33+f&$Qvf+e`2<y
z=<X(3)|PFlJC_|4IW5$ARDH-ysOxCLPc}q9jKv5?!|_484pEIjjF=TtPOJC?b8K1P
zu0F6OwwY7V;_wc&-+tVSNhC&tdz&6NFIlN=R7vy=f@y=6@D)(ZrXVv8ArR3KX?U{m
zyWfMUe3#1B1xIarHQy1zY0o#b)jp!8h>0hjNY8dffJ&~8e6SOO%ZJ;9O>6?Xo(XOr
zhi2%Z!;-$1W#fqwPOVt;oMyPnIQ_ccStj?<tuHu69^iA$b?w9S#~ad5!>!RJK9wRs
zV3Xj^<aAeJ`1rFjG#6}!_~IFArD#Y}Uwq(EmUn_4F>W0aQQes`u!fvLJHbKP)22OL
zI{4+V;SpOeXZ5jt{|(2(B6U<P$bKjM<)s!ShRk8uoHXr6fK%8&Jn1CtsA*yMSCCw7
zv-0PJUo&m<t^CEn(#8*!VplNZVOvU~*D;i;y4Hkv4lS^cA8qYAH>4rSQCjHYn}r)b
zm7R*uMd9A2V=xg*YP!S4K3c~4OLpf#GFvS?1|8n(eb)`oK_TZ{=loWNbOTfd5Qp*+
zyge`nN1s`t(YOiq$o~nglLh%640TEHH19XzU-^3Y;2p!?h+SQ}SE(6iuX@9bX5$5C
z=aBu>`mP{xMVx4Ug7@S~b@-|lRtoFB*Bu66`<Qf&!N&XSry1AgKw2p2+ARxF!8Cif
zw$44rZ%B9JGgne=G(-u$XHiXwVOG(keMhM!itoRi+wZ6TcSmePRB>K`?^m*CQIFEt
z)Z80veTEW9oo-L9e0V^cOZjmrz_0$pahpnIAP;~2MtrhZ3&mIV)H+56Z~s!y#eNsa
zIKN)JHQJkeR7#RcPu@0j(C&YCB{ZXitG^mX-Ug|ohr}okU>s#o{cu9wvp=N00@kTb
zQeRc@?am1dcbED5ftPx*VgT3RGpY4GCuq-M%zC44fOao}*<=1&YwQgZqSlXO(*N*o
zk2Dd26^<@#k5ljerrX3cS<E$HCE8Qvc}qdb*g>QuH5c{g>MrpJHjWdu(A>_Oq$t9I
zf}(zy{YIkU1lpfVy9J_Ji$Prx-PBq>a)oHYu6J})mEc~OSX8-fOjQnbPUtBT$SeG+
z3aRzWBYMubqP|n+x@O8Ty+%T(@}GK<$fr&s_)9Qp$H?kmK~gPNtPQgZM_GfdGe!Je
z)2!ptRG7EAF4PpXd2bFciIj2_yA17(hQBOi)l<}-t{I>6MEm$kUwf36#xlA`B`TY9
zHA-!4wv;-#;%v1T^l+tH|8V59YZ@XE_AY!1O+v>AR~P1TgR~f)|1~&9j4Twx{T%B2
z+emw&tIi_O4AFT$FIk9PT<_CA|2~`(n_RhW2fcurTc-z42a}G#pH&PG#Gvn|=8B|M
zWZCm==Yag*kuSFIJaCAl-tk2+Y#c43_h0Wic$B-{b=CMOy=_-V02*IFGl~S}@5;<m
zuN!^<p2|m6n*yVJ(PbsyI^YytE`40K3pyZVXh)eTZYydXJiSrzec}M)l(WM;98&l1
zd>C8aXOLtsJMe(zLj&4(gR}b`_`A<*>W}1{m2|w<)2k_G(!C?>#CcjiyZY0{rQgJ>
zESh^vFDy6RX@Ez>HV7$K2amUR4p4M#TO#;dYU4WmNli(HIO3AyeY_=cdDl#x5jyXd
z&X{()UEz1YB1(|&cF(0cbPmh|_ykBm1Dp_wR^4!QS0pk(EyW&6R1q;G?A{=|)~mDt
zb>mj5_wP)^RK$vD9y)Jr{uzLZ<vTuc@JP1NnOE-H6sfDleJv#$ds(#v>^$zJ_Lgu9
z68U_a@5lNfJq0JX^Y>tZasGKO&PtX)<)SNaM?jy19kHCNJ|EVwLcae5y)(IaO{9fQ
zd&CedN|T+om6vCi_%*onE?VN6%85oFebdRX!q}DL_IXk6>tgj-P&wmRDAc6^aU!=7
zSXgit&WXgTk$Y-Te^iYvHC>&Pnbv7H1mhL+i5H+M-TPSrcLQ$q<9&hssmPZ_rqUxq
zS{qIH-g}NSlmQPrft68-RomW9mGTP(ePF1>`(xxLy%}jsP}h8|n#||*Dx+JN6y4eB
zb-RE0$u$}_vI^$0AgsE`xPc2ZdOkPAB~ue2+9GEMVabY=UjMLVIhTZ!6L4jmP^X)=
z)RuF4WA@t+zsg0tl%w}jqj0Hwn&C;c$XevroIkiGxJXTuR;|uj;wf21PKb#uL3hA~
zQd#Ub)2qKpqT465()->0eGphT7BUiY8>;5dV?V%}4^HcJ`g`J@$WP0~7)7!`oU_XM
z299~@6Q2`)yA>CYop-JJ;1SFk?{)4zrs$f`s^E17-C7K#g<H&7?x_J^>s}j7MClsL
z^lhFG23lM4ojhW9oY4TF<5pgt<J`AZ)-o$YYEgW<CeJ^5F#cW<xChFa5bx`CD$lL+
zjn3b^)c+~r;jKm^3l}Efo2{$KbK_Tir<fIivkoDn5?nW!<M_5hPu_3;tqL3e<LdaJ
zdsd;{r^-C78f8i&AZ*fRvgC=d%XUR(=VX#Z^k&j|G*v$oKfE8;nWKbrOscB5{troU
z=gYl4?hN<@2n{aIa}wrgXlUQ_(MH&rg{&mJN`gbA-*Xeh{Y0HSz<A2W@QnP5@PaH`
z*S{stf<#9^1+uE2mjmbdNQZ>g3=AeJV;wt&q1r;3SRsV&z{4_z*hJIv&k0JdNsGMk
z9Ic^&*laW6p+`w|8zLN|y+sWng9FR&aDL1kF8DoOqzd7aB415|IX(FHSF=4A?WC$l
z^x~vc;}Kybc6VlMq<ztep0;zx!#v=Q1K&a;!<N^wX1@YNFH$!nCWHaT32rW#B7GyM
zQ)`vZfPxjNk*8z`ZNJRjk9@Xz?2}uV1_w66c8!}4B+(caG~z-Wuf6TKr#QJG9RL6+
zE5rFL?xrL*2I@h$?V^#dacxyA%9&vK8z!h6oey_#&M$nk4)9L)5AHyQ;i=K`Z7b+i
zRz=SrR^&|3`6g~(uXVz6VZ_{VP9nxcp)A<vywffVzag7f|Jt06uqFVm0X8ZKS_P2V
z%YIeg>%U9Ztb@orAy>f;)rAZ-cQ*l)UnDrsy53w(HA74}3-bgw-_iS)-n(Q^x28&>
z<i8rsIL6-y+QTiUNbM58;;M|FV<X<15N-`DS5!`6N_;^-V)qEUDZzt2)));OI|*AI
z;j+GbGO#XSGBBHsi>C|Q9h(b59UKFirM=^H)|hp{rn^=8b;(;!J5OD+h_v3}vKoR(
zpzlxw(g5LEVhGXG)U>LFZHmO!q74-zg)ZeV0j<pE?)#aHoQ$RnJ6A#w^S(pbR<o9t
zR!K*-aD?j!z=T#`;2z&V?hcYU)l}`uRp11meZAYPcOY};`_XenHP9ZW$JIlS$5Ib9
zaY*>c@1&ynYsX{wlpQar?P7bUaD)6u`7PATz`cN#%5Rp_9p@je0$<;W(Bt8V*DNt|
zG<mrvE3*z<vrJ9)oA&p|vEm+O9Y{&r*aF{#X{rv_dTLl}K6%2T?mTiOo0w;BLJa)(
za}PzfLwMS!wSBjo!Gj1$S|-6ewU*%4qAF4fA_-YHK&R}@m%6iu+qng@2)&8-=*=a`
z+f5an?1t$2A_T}PV&QRSv5BCI)7-CN^Eo@JPpK3kmn$R2RumiV^iQ8k@`C0BZr?%i
zn`9jCsh#Jt`VFIN0;#smW+ClIuEG7H_te;UwEzSDb>+eLu8E+woz)FR%3!_-ECXRJ
z6R-5w919=XEz`Bm?7o^Gb0kYy8VTGr<Yojr+lfuNDEPL_?mN~?=L5w%!>0Ev0`lDw
zj^y*xsA?pT0KeCuWQE^ti{Ogg_0gKAz&v~8piv-+|9$g2I0-fJG#8U&r?2yK&)2oe
z-&jY558`RI3#l^?cywStqaR0)KSb{IJ96orEeyW**%V4aZew*+pF!b{5#=KvPOr|3
zOV69-8&x2WTpC!cep66AyO`tvFXDVbd##gyEr(v~<awWwVktw4I8ar-jS?qnbnDzX
z!8brvNgsfg<{68#B|Qz*zih}qX5Mz5^)M_McwSlpST+hYVNnVTEvH9jFZbIEgejW9
z{#VV`6$;&Q-JK0~(G!=hu<`&6AOih2=NRbKlHXQUug*yXq@rI`4^A=Dnv;>L^)uWH
zwwdIY@+TT&xbz@Q>i4SSD^ThQ(i}j$0u64K@_m`Ltd#^{%sWo1J+wUu*ovJquNs8Q
zYq!x{x3A6l@AmrK{83bWwqUSotn8-I3724_x{h-JQLwkDBNRp}3*r(~EzlD2BUBUq
zdO-(?n}wBRhd1ely%lZ-aUuW|wt>kix-J%5UlrA}?qfuM?9kj1oUw=Y8&?>7@um8|
z%yeEEG1_|1&_U6LYdNZB-=ciTk=p%iE_GT&;H#z0TxE_Er8_TarH=!%f5&4cl$5P1
z9rOKhcj~X2tp}g9$Wgyd5>|L|kX4sftI<Rn_!{5AyEQxtH_nW<%yJ@*6|vTKt<*}=
zIc<3>Q4mp|0R$2b57-S<ldbuI=WPUTJnlSrwW{>fJL<#a6|uRufXaGh;u%qyREf0N
zQ*3I`>Y2q^8Ft84nUd@5n>EnmrHV6`@BXJTt#atVpL=rwA1*6+WO>tkbm{=eh<Rkj
zap5KBc$Sl6iWfz2Z2(D}e(og3ccK2pHgmmi1S3@-aF(Jk0AG&O6^y{>P~&I2=4JmV
zlz!hFRS|7*_)gty?UdgQsw41gcraN@c?n9fHNlxj3Fpbt$qyDdAK-oXBEQn-JY57I
zoVmObCr<xioNxuUVTHnidPl0nAT8aw3RBE+R@sH;#o-mo-{@vDE@TNKc*Z59e4n6L
zcyhBopTH0NCB73gC8Y4=FZ#bf9;~)6Ko+dFs$l@71GTJ10Iz&O;1KzECflclz%f9S
zVQ{ULD5pkTjxyBs!~5j}kbVc<qeH}x*IV$U59`&gX(HNt(&|onc;U7G3K6aSmXy{i
z^8OH}%tu%y86oQTCL+H%S}=09<T2^QqhJH^l~5!K(*wz<dPOe)kiF0KZRNvVkG7hP
zNWp{jbAK!jqF1yRF8%U}OC205uhIQs%OLOP>?R8aHQy#@eV>}+XBMY_O~L^J8Q}w-
zU122f&u5z<zl%C01Z(=+icn4i*WW{Y`_fNr=*GSOOP|UaC4By{Zs*;#8?@jtl5-Lj
zG}L?i+Ub(#r{$-yo+h_;lpjL$T!$J8buGST5kLM8JozGa&+|mf?@ve0xxnsVPkdav
z#w#$_O@ZR(54?rdK~ry!?x#O?8tfIn(4+OlG|o#bMCrMx=_dNKB=2fnn{qC;Mq-NT
zY_9I-j%B>-9W>Pd4=<goKgUyv6J5kS!a8V4*#Elnv4!G{a^Zauc&CJw;LbiPeNp%o
zX==GF!DO7M2Ks4vvhZ4kRim~PDb6_I&J^A>Q+KhQNWbB*uKydlXFWCX76VO_;;_+v
zJohoo!hG(EhRsalOY!lY4QQABh_ki6ocO<T491AhIMdSB<Lib_i`J*O<7}YU=+&^s
zBBgg&q{5q1tb_S2pwk<-O7rK)2UKOyz>C+&m1_4z>8vOW$lsK&rpbfvxH0Jg<p=gG
zZW$KWyp~%%$Nk(zRSPy7Zcrdea*n~7_<izK-d#9+%X7j|kl`EoG*E&lZ!`_EV?FEU
ztLSVMsB_*Q&;+`cO1|wZz*{%QRmQm3VthjSs!GG(cJtCM%u<Ebfvy0g1<V7V41%9R
z5oK{tMWtb<a1p$)!pzf|4Xt062o^W9`e`Ak6$?KK50&0=6>g!Z0xMwdG6D9BZ&WA;
z?+`p)@C-6G%Iwf(MVoJRM-LuyTDNDWt3LrO&<yDmFLLsUkx#qS1plp9a&rBE_s`TL
zG{*Ov=V{7j2I2&erHIm9cK#MP)Zh4r{v3%J%l~!aL5f>O+eNmUnaqjm{qNn*(Dwqk
z_?WN?hyK{@hX=6ulgQ%uu#Ut$`8gp)ZR|8~ak}Ng1%Vu^X_39s*MlbaF5d-TDFk-p
zp8w2dN-ZVTkCw{G)ZoSJtzL=6P6=!wTEoU3M8B_5lF{tzZX^F&{5^UP%azOK^6ypN
zaIqraZs9+l?vzOJa$P=9%M{q_s^yvmMJjt&KAgGZ$*Lg8S&+eYOIpkYo0X)v&<UPI
zo4{LW1&w)m(m!LPY1Us2x|Q>_fZQ)auCzA1F}fyq7+{<!=b!!GOPF!#IN~6_zF+0d
zk(D}fbpEW(e(-T?80VGsfSuRwIo0W%{t(WZ1}o~5Pd{>xJIBrUwgX1M+hrmOg()y?
zc`es!&@)Y8kOp=5Yc+hnSa@Or{4!4w>T|;Ca=Vs_xZTMSD}nx%Bwy(jYz?zi>8whp
z%8;QLU7G^cU)?Q#ZN#W(9hT)ho+={tQm?BT!1oQcJb;{X23P#%(o;4F2)4dv@8L9V
zO4WiqHZu*d+uY^i<ZTuYy<hIva&PUk2U4Xi0L2szk?E@lzEzNcz~DUfV*lz8NY^U0
zP1}Orv$PP*lB|kGwCmop1$$i`DWfSznN{QzC3f({ngdAaf=XASMiHE~%u3jC>k;+k
zd-lS!p!XuGNEkek^H&4+_(WtWjNdD3&1v4;==bT3UER@DMpoQ!>3=%Ep?hF==w=@O
zLSe4R%<{Q5XsG6J`<?kCfR1X;r~!-9MPETX&E}Z!^&Rvk`|ExDRAZ!rZNr0hfu9eb
zpTCC<hWKL7S?~FHREC=<oy$|$v$`8lU0k7h&{##Uz3bAi5HI$&Mp1OiRzZ4RnYYM<
zH(4~=K<72L^EtDbFCF?6Zx?<+xX|8s>3vq^xG<vky4x2!>TpW!av}f~M*Hmom(yOG
ze&o7<c(O!Md8d}CXs>!~-f}0(<%uN!9aLBsFX_szzD#^g`-AbQo?NaH+zMa{{k#c!
zE689TT`{`5?42p7qWH{y#uv6euexxaVG!qs_Jb(Oi{P>$y37FE=QnP}A!XfRWHcNW
zNbC!c?VOr+FpshN>!8vLpB((J6OnP0y$v{pL_%ucI#qSt+4+38D?2^$;7aSazVKVj
zt7}g=PYGSuGciMEpl-A_D+}QyD4%_)$zUmOM;y3oUNyg=(<wj+_;Q}<zDxSdnC9XK
z#k&T$P7U&M51+JGVY5+T9j*I&$YVwI%>Z&IEM*2p3SdsTb66_EZK7hyqMVD~U%n=%
z4CDi75Q>~|LnK%I<#?Q*K*1#SlMqPm#lj2g?z9;FXf=&6uc?6xTvx#=LN_uLK>tfT
zlXwc{v7QrJFy5PG|A&C@?Q3g!msrvG@4yB2Td&wmvo>r8UfiQBPrss{*AP@a@8!-I
z?p=LVrP<kSDwElH3w8k*RTdtAnBKBWdt=h1xdr0C1U&c2{ny$7?4_1UhQNTaU~G<n
zaK*#I29%Hx+_$(RwAe(!^4eEXQ(|gT?LeSVjfec4X{}(v`t03ti`Xng3e7oW+0lDm
z)DSOV0I$klwd{Uwn96;6aQk)g|FZz~lg>wSVb)=|aK|H19yBC>V&OvJ_lm9JKB_S%
zL{L?$43wWTkpo&H1P}!dH!sKR5PZlp%Ct4ST+gl<jB9l{Sb_YIQ;GbX8MXgKbv^aS
z+BYa9rLzftOAbs5Ieuf|y2m{PJN6TY>>7#$3~7-XY_%;`=z%DHa7d>F`ci@bpk>q*
zH6+?;!uuE!Q2~0JBupw>yAD6<`J>Osb&u_^AnC|x^mT5gb?c5<I9SrYQd;a-7n(X9
zp6#(b>|8Bx0)G{!3)-~8oqHWO-V*P53~U+AM3CphOhGO;zR?HHd+j~1H93osw}SkG
zoh{of$iRpww%F50dogG2ZVK{W{HjY?e5-g~Ia}E&)u?s3s@tf7`@Zyv*{!`r@LJ3p
zYImWur*TiiR$~Aqk_zTxVQuhS1=2EPN)BpJ^JD4`<a_~B?aZ~+mC5?tv>y&n47`A0
z@~@y^kx;8t$@q0U7U#Et$-9B3PLOOem{nQQ5khf@Wc$(mRT@HFG4Y~2F|@MMZRi*T
zTT@?CbcOF)X)5Oj`Wnt$rD^<jHyF3_at%a)8MD@ha#Ll*#TR#Jf5VSyKU?@0)4)Oc
z2sK#7DYIDN(!4b3k+q*4r4)7_^M0*Vq@O_ur~-5<$NyOVuYmVjwXyJ|b%5V|1NNfq
z<5Bw=0?yND*JO2h);<;}s-*BW=^K_X)HgSR%RjRTNT%`f`G(iYM{)kJ<Hhb{5|2<w
zUUL04WkV~KHuv|d2>WsU2+vN*gRw-xPwC&EQMpE*V6vzQC~uog{Q&G%Q^&56>le5n
z+3L1qqueuiOI{j3jnab@%0KwT=pzu&2M@*g8;l+W{joVBmiWQ03_Z+bS9{>5+AKP4
zbxw)B25<mhExUf<tKkF9$~yxj_Fv(<Cw+X&n#<35&<$J87vrYCpSMJv|AKgsDRvPq
z3@`BTi+!6&%h;0pbz|F;1DPbNc@+4^zTDCoZEvaaCKRM49|m+_F(d`0_JYB`XaeQS
zFbLibEhiDM1`qe$Q>FwYyUqzx$O=(ny2QAAL{mquheSZR^bmJQ#q8kj^3NgRKO<;0
zCg<)07a3T=(lSBr!&I&9&pi5mne)s(;^P<{%Pb~L3Ky+UzsHI2%2dV$5pOyLT3cS7
zYyeg_<SY%U%$!i%cxdS+b{2ttqcG}(euaEUjSZwOuy)goUVQ{qfTIyR>dZ%r#lkub
z2e9tJfgCX{aQ$VV>J+6f1_3#63S4*7*^;PLXF%v5$3!Zif5V@C>P?isKuu2#B4NGq
zrDu!pZPx5VL9I^fjCDYsc&OgGUX49`^&5u?A;%)xO4t)dR{A&j2JT^us`a=?`;{%(
zw$54;0~vj&sWC6dCzM@-d-gsYj;MnF@(=Kv9?7sh__y(^{y8mnnUdD(A}NCl*RV6#
z-$6X?9NBgSRxN{fUe7TcJHgc6g1&2*6^fDr{~p4cV@H1uQqS@&bW?{Z_(emiJ|tCd
z%QK<7ieaA%`q(2w(|XbAIv#<gIs)p&o|@S<YF`y;b~*?itp)D~ld7;@N_O{WLX*IW
zGf$e9{)DBPwGnTSDUFoj)fXfRr`uBYvTORLFr!v=<&0wamE6%67+3#N|BG6_V%YGa
z<ulvTu>}dH!F3%|%S)fQYHDispMO$vbo=ypwEkU=yH(t;zlkyhCUZ|>=bP6F5fgeZ
zh(()=Si5LXZoW!^)>)q{Z=mUFfVdo{Y%?fR>(HvYOxtkWl4!PCKOYKlhj~?E_B~Kl
z_<84(Ah24od|&8d(8n^Ef3^Rz0W=j)3Gy|^q*M9kg1&Onvijf<1!wi8zSywR?cf4D
zpLV7;W|aQ-9uLwK%7)%27O*Vc@8wfMc*m>nA@BZt!o|VZ?=|4~K9K32=nOT`Zse-Q
z_qyb{sv9&Sqnwz%4=Qo-&%V;Wpw{I<wu>HwcUM;biH*5*L(su1Q(qU_Ca<Hh)nRIa
zm9k%YAMJm61W;jzoQ~lB*KNo+6LlN=;a!@Yp)=_8TZvJtkx3JQWu4|h;YUi!q)HnD
zbT|LIxu;`{)I<5idaQ-biz;d<1WBYX_QXWu!*jdSI-k!8#s*=ueN?RG3}Y)$R(}<S
z!Q+CTwK#M>XE^h*V?=?b+VMF&;b1CFqrYr9GShP;a*gFtKoQ2MvG#gy!u24HT3hfF
z=JB9!lHcn&^C)?3@Rz_!43XEz&OxMXjKCT$S0YXg(9SxCDwC=QgiU=A9s9+;WQVZb
zh8p;IOfAU)5-uvrX#)t{XYMGTLc|7@*NkBOm5&@M)4@dPlYhe@G{AAY5WRe^z__FU
zS}-HzzM4aYWF8C%--vRN2oXEXs@;N*#?XSJNY(_N0eMkzS=gP^wLem}mc2%G3a9cq
zd%Kftq<O9NhSODtqfd|Xj;?5Q%#Tlj*Ls^5pL;{PI4P!9<;a6K$xM%v4=kYymz@df
z7-op^xYJZXj5L+tcGB1cBl;lr{9XYcv@(At3mTq5J`Wc;r?1HCX6;rmo8R~Mvr#gG
zsY@pr>)m#tzR1s4Yx%ul6*%tMNdA=aXP3>7PW$RqLdks#K6**5tU25PyF_ujja!~Q
zCsUMC0W56ZF)bM_1qq!@c-5c(hkB-H)$m`KrtN~u<kM#Yt0;+THLg+Hpr%u#iL+h{
z;Y=ZWWaClXq)bS#V=UyLX2c{XV)Uz66f;*cJ@lOgU8^!7nV-zPVk@vV8gv}B!1Q!#
zt>Se_)d`-y3SW1kU6T-wQf^@)dAuyXIpsCBUt9U)LZ2@?`fg9r_?bHAa#R-Fe<1`P
zbnfa-Vl7LF^2>Nq_%)@$YOeuixuw~>mmu(yQ5(YY1*9(x*JS5a>II+5OZGptcln5N
zs>%~|cj-NDQ@5_VULkp{;n*r<Br%G#v#bysC0Z=`m^IO@xyJ;e<QqXQm{HV3XmkU1
zKIY)n(-`e55pUe>PMnE(bF#Fj1V66g%R}RqCPk0c@XYH!HVb}0=)cXvpM^z{CHh7b
z`GBx?p-B=wb83AJJR^v0?FfceRa&27y;37;U{lFe-{9z`SDLcgj$&4+zPA>hM1A=&
z0h2iLV4!FHOz%_`R0sd%dC>knvFOn9)T{Pp2ZY1CW}sw?aslE=_YA@l;%*q8dNQ?B
zAjIB4))`Fg3j~G)El+*Zn%%}UuSm5x>ef_=X#ek9;=&-m35LN^cQTufyMNxqwTGy8
z#AY)m+hTe}@Vr!pB}Ca*veP-mU3>O!V`<^){tJT<ir}J@PiYrKH<bn&O_kL9M|(tI
zPmjGXj6H1?!*$1&^fGXBLXj#Ij{zJF!Qc^AhyYD3<xZUsF9Dd%T!1(*RJ3|TAQ_)9
zt%VX&O1S98!@PVbn(SPMa*AOZ3Y-b&%xHDi+GVO?E2SP;A1Mn{a<A+V6iK|#`F_2q
zGH4dIq{~2}t@Y20++;u^9)W2hH&gqP2|V8xs`&VJFRuvjHryo}i`h7l^?iR#tjzW-
zuU-d(vKrLyv)0i#$0rk6z3Fq}>r`s8Q~r*xb9z-L)#ZIX^M?r@+w?-)Wx(=exu@7y
z<+)#jinkePB&A?rfh$a)Me6ehR*xiRs^+up>Kx;SN8wi1-d)=dMPhq3VpLnK^@k_Q
zUJxDbgX%E|eb_Gb7TOOGj^}`mf;7>0O+Jjg!DxmBR2n-x86BklOp^F8<&(Ovv8Ri_
zG}XD2>sQ!7QK=y*(sdLofF>U}vR(?#e}1X8o0^>NM82@#{WGrz-jshZ+<k7jJ-lh9
z22U!QutH+PR0`;vb~!&a1-28CMSoy<!6HNZcHQV@frDccZpZK&D5*$dHhIi<rg=T0
zA|l`T>}QL@e+rq#kdODG2OJP7kM!6-$P>lrq+I+rp5gl+3h(qRMeph_h)RjD)z>_^
zhD_^9193l;eYO~ykOCgDQHQ+5+H~Ew;BkHMwsBX_*)F5<Z!cB);Sb1L`LorG^MRH-
z?>G7cj*I^nr{6a^p|7(@f-kQA&P*=Iu>0j~tVo>C_Q%{bP%`4opPnkLb4N$=!B987
z7vCek9uqR^iFf6InN)zj0w3z<fTOI6Nh^)|%7SE}$2m>(KQlm$mxw*<1xP~x$0boc
z%weoL!r9Eh4k|8_9y)P_Zh|atZx+_Z*fv^c>MwuM1g6{C^>Y~6;IK9iY_BGgSE``5
zaGk&|D%Unh&`ct>(Z;ev$$jG=M16XJLj|umBho{!HWjNQHi2o)`8A#QK=`XmfnU?c
zjYpW6mTApCgi5C^ZFY@HjQ@k%GAKu6Gjd-H@WVBb|55*y=oc3-sN%`aa%p<Bbgj-J
z`%~~@QRvnkHC#9I>4teGpFLmR<`3h6DaQ#(%~EaG@d4%Z`kyw*#3ln0Hh((6#d{$v
zLojDmG^;&35KJ^!Z`*W;T8pm^p6pHML7SOpfs7pB=is25;T)6Z!#+=5>9I)&`ZQIf
zpSi$YHK{Z4@wKLWT#`b7Gea$@^2M;GFfrKmZf_v3**%}T^=#9q2Ofw5-iJ;_T((vU
zHABN*9ugd{6K<X(2%lD&1m|nzF$FIbunGNUfBo2c1I=3l#&nk@>BOt?zCwUL{a(_p
z{p@Sl{Mk`)wxi=i_*i>vm4Se9S4CToN8x2%UdJ|28DnBDUVck-FIbQ1@<NrDIojgz
ztWKJY`|+&1_PfaT|7wboqHb{$q1Qz0w9Qhi11qGICu)4`G)k^K8$lQQWNgbkV}@He
zcth6+Vy^yrT_t2td_cu4f>slu+PJAUmn__fJB%at)|&sZn+w$7sCk;p<5PY3D$I4i
zL#3iJv5NQ9dZ+yQht1*hdB%jtUU!O!Mm@1D-8EN(Tug=#?fcd|AOHIJhg>NB5&eS%
zC#97VpW7M%z|rCECmHcJG*w|u@IY8Sj3*?+6r?vi@9t^k@Lt4*5t4CY6omR_EZCie
zy29S)TKX6UMf{BlcRR){!OY)_KRuy*R_Oaph@ryZ_l>Pi+eE=ClTG)VjU6h#?=BqU
z=OG7wQ$a0YP0fmu24YeeRDbL4O$9+J*RU{5<$(CGN=m3pbR1h5h_M#nEa6wT5qsr-
zWOXA>-6AFEW-A*A{!D>w9Hy%5KT8RJdtS#L_glPr!%`u~PRbUd?V6~~Z;5h#Au6w2
z0FId(y6~U158uwGbb4A0@_(|&h#33bM)qR`b(>6MSFfL!N2Q0dUu;BjEnL>SCxh(d
zvKQUt%fX&a1-wF@Pckb#HdpU`7~3#E>%fgkc_t$=FG=<dh)Zwnu-RQVUUfz?nhGZR
z=e$2PcJxtnYSf=6CjtZ~+>N}*A)1<jyEx~vt<TH_6n-L?96|@%A6&1h7HQ16t*Rx3
zsvpDoR`t1O#9+mt4N`SlYj$d#%ep_cJn+kBMx;y9J5`}UqI>2<aqZCKR>r1VDY?ZQ
z(W_R&SSix-;}HPPSQ2DBwt2l=V5NRh@RYtP)L`(szB8m&&=bd?(!Un_1wDz=6Vhi+
zwMV}fV}$w)a|b~@w%qLw<ipEn?}}(Cj_+uVy+TwJrzTsHB%VW8BaD9mM8M%|j)try
zpYrcR)LN&x)S7}Mj1KoYH~MOJV2>YJR^YBVt?Gs~%1&M;zu#b13jcdHF1FoZm0ktq
z=*SUW)PL|g`?CLWNAKl3))T+JS@y=<odmNdCV$UiUZ<7bUq{oaPs;szpB_*#Wl684
zD<Nsii?yy#tcS-V2?^!kRwu0op`B3bi+CsNv$b0n`{zb(v>;G^yefgRuprRPNFZf^
zp`3mNk-44b2buBY%%bXs6Sku87ylfrBfm5NYl4Fg%iI5b5N;Q-Jo{eyyKp-yLMsqE
z;_s~YWipUrrs<$izp}5nU`syXYScnhS(m6qy0FZf@Jx8DK9@e=q`ReuVoej(^FhR|
zKrn_!pmC<o`zLnI2+%X?8}q4-c`mZbF6=hcU6gO;a54DB!j6Y5bcd%$<!4)BM7up_
z+a{*_?N)nkQ$c-6p9567I=A6kyyl(*WuRxcDzVRS9->IWp?fGn`#4`>=M~_|W$@qZ
zM}<1`La<eo0BB<Ee|}o5{B85e&b(i2E%kts|MJIxl1)jC5FbWJqH(J#AL2bap^<J#
z3JRK@eb*#EntKE>UwZu{%g5?yQ+JU_SW_(3{HR>>i#sv!qldKwbvkg>tlaM;u)893
zL5|X&bnoj-x$_VKihv1339|FvsUphWG20AIh@1$c9o`j?H{2iz@7w4u2=VtOb>TXq
zPw)vV#^IZdgK2q$V90~cwD(C(g*<l0pvE%v%KtdI`mgqytDDb?``t-nYl(LPby~~d
zumS=tt{*LX7b`!+NdCo?)N76jy8|Bf^v}uie}8LQSsHny(LEhC?)Ajb6{;a{EAaVB
z&k930V$~U1p>^uA;QyxpLk_#aF*Kd?T_nJFCl*1WzBYNX>cdZ3HCb(opoWscRi7)5
zm%T|B;jJv~`EtVN>H@0aadpGb+L*0GCYS9KO!vdD`72GhvYc_R^=W>jikr@Yb7m0a
zIKcBq*-p(td|2SoRg`;)J+#8ZF7Vn^NqC35D6b3bqUY14_tc-<rpiICx|5kRZmcq&
z3l%Oxoq=U;Y-90$wbhvZ8nwN$(bBD8rJ&&H_i8FAvuB0igDb`X%{vGrP_H*Au*4yJ
zFSfbpCFi1*&vb;?>xHD7{VI<is{E&1NH%@`yrJpOMT3=?&6;c(ckH?L2pd5eKU$sL
ztFa%DV`sMo?aW#!Q!Ekd>aBj4Y52mtq_(A?*1pS+!%B2&Io}pT4TVR+v+xfC^4<`}
zjpIbm=1cC{eP61~yd=Gz#Z#}jZ%6;UB{(^yQ&F9Gn0?MsEFF<i07S%8tyNCUEqm||
ztrZ-UNL$u^ZXhh*no3Xm{nzEI@M_kosfiph%rF+1S^asF#K^f0v}^<tKKw2v4kB;Y
zh*}*Wo8<eK=;+eQHUw5Dq%O*1pT9rx<EdF>yUiQ89KM{wY*;?AUT_Xx3m+~^K~6P6
zf6lPN@~n7$Sgw&4@DCD=M1lQMw}&!{4Lg1Y`TDeKv8yukAV5U!?<g^D3BCH3gS7pR
z@#aU)o1?Yqoqq`zZs{DSwcS?*@5x11$sy2risp{odlTMD9nw_sspv`X?30zj#3(Ia
zs9J)`n1gJ=C%36JwT;ww=9~Pw8YvHQy@{GmLpcK#z$43um3;?qo_*70xp@u2$)o%|
zWMcQEZV0~$o5v-#_+yQ=DKt==u0xk+zt;4bD;~hM`Shkc^?$4DHPLr)4Q$KCyMQ#I
z>CD^b*j<;R(`)9G1NN0D27e$v@g~1cC0ZTNoapgeIZHIG{bMGe<oR{=gqw@7VP$&O
zCH7NN9^gbk#lHfxHpj$03#NNr_@AxGKo`TKC<uJ*NVbESbT;ZgxxQ+-H-buIN;846
z7dNGMFP%27|L6G3Ria|$>YW9R_wg5R_YEKDmZ45qIMn*(y?Zq7^l##5cn*>!6aQ6_
zVuyrQt^2UKK-~ez#h<0MszDUOh*jXsxMd5Au{dCxATsestB$Zc=se&CcY$Ymrrg$q
zTOGQbz;Fdp-+|SxbxS|%2t&b2H=Qz*6T&bJal!3shV(IqTkFNjX#wWJgK9PtG2wly
zY1HJm5Ne;-AIE{YLn73$OwJKw<w0^6&gx-6H?JWbvJ3&@Kf#zo?L2$*o=`vD)bJK5
zN79eftrc*N86{I7Y_vIM8%8{4is~I%9oFe_MUl<se;->$rk(`azZ^s}jGOX>HD~__
zu6<2hPcOPM79UZo)JbB4#~GKX)K^IO1)x3!zjPeYQ+(b4{*oROXN2Wj?W>#co6=SJ
zpUY`+3MN8$UARELN%vyMMEKmlfS}DXgkSg@&Ae6C5zXQ3yyju}`r}RraKH%OMi1Zy
zEF+h5S7g=4xf!!{`l9dg)P+jmWv0}+M_QUhP^vtODhP+OC*jTYC8XQLx3zLd4x5wo
zP&1Ws<gPKHoD_rr(AI;q_pWl{4lG>NmTj1^)T-tiw2nB}bHx;L_3ALQ5d%YKM0AWy
zNESaOhs@+R^*)q75{+nobGE8dnvV>eT95M#w%@z-L+o?Wn%I$*gn(68>G5pbzm;cH
zlAJP`_w5#<AMAd~=u5OU9;z%ElW!!je)KwI!dG>JM~cF%0zs}3bD^{<`arJJ&+9I!
zYwlvU>xxkb9Yb#WXN{T%kaCAS6$2k0C*7yrRvM`|%>`XTXK=+nUq4b6Y<wqV*r5H{
zdp+TTjMa^%E6Gf~oiCQxBm_`JEQN|KjVQF@(L-LnqSvBrcAbZ@3-Bhp@|D>=Np~wA
zNY!giKMxkq*;r*EehkcSLE;0v<TFUud`@oV%|RKlV&wpxLR%aRDGhG}b-Qau$>*p*
z#XieoMAx>SPD+4-)%MY8GFn+7|2jgc?AXbrx7pB0t4Q+&>#A;I?%*|bb{Vhlc6WR3
zNXr+>Dw}8@I0aBHuH}P%-1Kvi4HDbaZ?<BVazU&g@@B|!&Fx1WYj7qtWS$4}sS(~h
z0lqa?5vsE|FWV#A$|QB2&vXBsES2CM!R%oppIyloaLF)z8L!5}Ha0KR5V+TK2kBI;
zKd$;N1$=!sXu4cCslP=us<9)QHvZ#@kvP(Qj(_q}@5L2V!vji?3xxsPy=N=rUE^TM
zN_iqJ=u2@I{PDN22pj!eW01xkzayOX;>h|)GpFVlY)x=I8pv<Y_UGot?%DvIyTUJ8
z{55%!UC1!#5`mJtV=I6o|K!|roUmE5oyhU<yNzrW@Lrk@BAdjs__yGl0Rp%rAmT|`
z_-L8Tn!F-Rr+cg&W`w97<qVi@!2f1EzfT3#r6u#=8~;+|w7Khx942&;R>{1u*AJ+H
zndv)B4N^{x52l<U-Izaz7-f(6o(Rq4i@=As(<X%7>{vm@d6ms0W3uTQTeu&B2-LuS
zqopb7`fTLl9=-&5R2c<5NDWb!)|%&a<ow0%!i^4U;@eg`8LWj{8&E~w@aTJGnmgns
zW#te9Lo(^^u7B&Xmo++iGeMv-wnDaQwuAvmMBEX+?(sdVJ8A%;x5kaPAMcwXPoc3A
z>`w*6xwCCmGkWuM0y3J}t)kc83MR6h3?|NV`O+v}7^6_*VCb~)tg6<Hs?tdnoi1;*
z*2C+{|3QwKPtQp~Y_9AJa}z-UJ4*y7J?r51t+Kmm-&MlcIFr+p9%q$M)G?Br*P;}C
zU-A!te_LJ!i~Bg7l(oOSSpzT%&IDY0*$VKkG;3fRJP&gKu8?BoM2zGV3?!UsRL!oC
z1-?1UzmrOm2^}4PQ&hxc5wUy?s_n3gcH?{C=sJ{bH<eb#A49E=U$*YPO#b~er%^vE
zN7Uus5YdK?s(|X^b}i4rc#^PBUoC)mKRK5xbGev{UYxs!WQKlNw&+RpEz-^q=jyMz
z74LxoSsas=P`<crka#gK7Gzf(1~0q{F4=$4lh!=*nK80S0gzH7>^4CZzO@<R&~$$H
zM8$|4!OuhN?|_#2#tsPRsC<Y;NUW@LXz=2IA`<#Ew+sJ-#+fAO3`E2{Q=KmyN|mhn
zCEe*GDBqJ(@zI0Y#=D9{bc#j?pwn{v7T-2oH8qS8j~-&UxV>1L>%w!DLZv|#!S--&
z4iCla+!uhVQfAH%66O}}k>OYdBT2olZLi2!R)4e&lTKG9NP+-)TbJ*bFO7~x^BqFE
z(ehuk!PdL_wgNApEsKkDBcKTIWX}JTE2mG4Nj0_cJ^2&;AHO`swc*pZuLz1B^{qEa
z@I5B>+>nEue@LevI5ZLB1Z`jfUiVdc^PgJqoQVOG0t{vabQ|t<f(ah)XOs>J@BYIF
z@Bm3cBfn#xXu=^O?bXiUc>*NF)~>?Y|8JKJkNd}csI_q&$HEe}-KpXkVvyq(x>iT>
zB7}NFL>fIbe$>}^%39rDn`^FOqi_q?c}=^qFM?nW3;Oxo>q+cQVM-8@<H%xDvQCTE
zj*q*+VQAU6QXd#kN#gTqhMf40zg~U5)O~bAuQV=HQi~Q`Thb@9zzI33sTGSN^v-aF
zjh2k_%SnJe`ZjWQ^cC8GRs~~e(Jsrri6(<Q^o&3Cr@o=*M`X1`8DVf})-!6`xpk3K
z>yUQuz^x5z(hnn766S614sucdcRWr%BYeP+ewu*8JWn`cjOslfV*H)^sOme2*=5$K
zPJq=Z(}d8DM{?x*pV%Z7uW@bI-C?e{StKRK#}<j43y%`YivGSzW@r0XtPcV7O{v|#
z@PW;g_sl|taV9bIyw<WBPQNa{H;s*Ru6WckTIi^2>C<d(qKhC|p#pG*Rf0Um3Hc>f
z^n3<9CI2q^9u)V#4-umksOi`#yKg?(mT6bCr@F<+53Q$x$NsULDh~zty1=9-f-8L}
zNPa2I|6tkii<B{5z5+@tW_%hW&%Kgw6B8}v3XD~v3j;{1$kHu3otxQgNy9||z<@k_
zy+lOo?n&5K1o?}fOlHMr9{CWPJ-3MY#^uQY3M5j~<O_%3Wp{*q_b*tp)t<`^w|g><
z))SNC=bSwi!v1!ZyoFpj<|x7TzLfr=!?0C<JHYDImcs2|y>JcuJ6cSaa1`Up%S$I;
z`x23cfty2{DFazedq`107D(pjlwAa>3I%@imrsgB9^kKS=L2~EQYFq^5h{Dtcjfyr
z2QpegyNNA?_4iTOlQ+z8PhFSI<ZQhWL`4CeI`=-Q#4Ex-#D9P|)@dpFmrH=&ox0hM
z8fb_^iV5)cvbD-To<GCe1sEO=eQ>qm;_K-Nx=f9Obzz3KM-cS|WigFzdR}#<<Hl^b
zzzI73|5*Uo%?I-`ikb1t<nI5Y>0JDo{@?!}a(L%dNzPO%#~j~d&Pt_&9AXZIIj=Xu
zoDVZ3l*3eV9+Gl4hlM%L`D`jNa^8%bHrsNTIsAM-x7+Vecs-x5=XJbakE_7l=;G>f
z&W{9^`fF<a18Mad>*sCZL;W$qJFl+_nZadloWWiTK(g_y4`JU}`kd4hCUWAQ+njMg
zCgTOy3MK@TJ|}{VmA3UulAeuI-#)h_fk21qYRmqQwg&HZ9?g}Nl#4t)2pO}@ZFHCs
zk2q<Gz>Z);8okl0Iu3}P@LriqCBvSe`hwwDlzz4@Ifv+KE1<oTNpJpOmp2UPTtas(
zRJI2)-0GE?W)lx>9yh^9hkAl4)Xxyrvns4~oj9b`aq-Zqb>-h}u`Gg_o0}F@&XKbR
z2*n>8P;V<WKVGZZ>ywo`?l)qIMhI+K^IW|}pF--_0=fd3QX|)$C2!MA{W!su>H4M(
zlzdOo!_2|`_-Rnj(&rhO?ywB3S7RdHiu#Pi;uxaQzTLjpMyYGV9HkgA7ck*8?sxvY
zmz~pjLLFYd(+bM?_Tc-pNB=y;OT7ds_eN%~!o^~3<?q}KH=JfEy1y(VaqD}*eu;F_
zH6?Wx4Rpgb$XtxTE3tgagR{*4?t82$*Z6Y$3`I#-^ZbJH_f>r;c(_@pT{YN!t~6A(
zqoaqqs2}`XZ@NdgTgsu-5E*c0;c8H-O-28pMBz$k(CcS|4!zCIC|ZZ0V`K2>hFvS2
zA+J#<4z-=RRV>IMTi2mx4RNQAGV1T!H1?+t991-xpnH?s@KZPGVVfauc!uKp=f@ap
zkMb>h$tIFDc@R?Y2E=8kH|Dp|1oNB>#+ojPkPg9*5|k$8Y?ADKJE)WY1q&8X+T(Qx
zCThML=+Bcq13=?ed1OESJ!t1uWq9h6tq{a5loXnth#rx$IoA!ccac;mka(V<sM(@h
zsUWcGn~-!$I2BjoK~qzs2`Hb76=nxxp8Rofx%)~hY~l(i<xMAZYvtzs(XjBa<+VZB
z8Ttgt9ki;@>Mmt3?t2B?-pW9^2d#K$v(fJ9l3iT8j^D`5G1X6emcP<9tCy;Oxu+Z`
zhIJVC3fu1`j=%k3x+f)Fx%FxIMxnw8$i?m6`+^$txQ<AEZq0JE+aNprCKrw;{r(xp
z*~qXww57%`i{7<Mx{bzUw~MO@Q5s2$;rF!V?*LpIYi(8s8x!wZs}`X`2J8d{vQZ%F
zQXBq{`CPZ!$iNq_LbTnDgv1FxhO5Yw$Ao!*jP8(SZ_IFl-gCb5?V&kif-7=Z<O;b#
zW$RqLaIr#V=N-~OXuJjLQw!RB{@p24pB%jiXymLO<f{8^G`KeDY(KJSTVF8q`2B)s
z^|bx)UoaZ~J7RJwV9PFH9>0Sx)CQdu3!s?i?H{jiCPxJBSZ6&Y*=8(E!@b;GnEpl`
zXC+T?`xWCc&^*<GJvWnnEa*uPGa)}&6Qe)r=Gz{Kxr$$29~EDT2I<{zL;oIW7^TVN
z$oCr)cgADJ7ps_0+)9qM_18jiwE^wu0zzb#jJP^ZYF!Zr-qXY@hIk|_1O<_oHHb!=
zdISiM;IG_D(Gbncb7F=g(4Fz)aCB4=c34tg%d3b=`cu*t;lBF)<eP^#DPT8eXYjlS
z+Ewja+24v9<+O*?-))$Zgv$-7+nWY|h!|DZ-F=;5Rhd<|QeH~+H^=K#^!qr}OpIlJ
zt=#znU5T%vvJ<~#w?$ZOqzdg6WYVskz28{Ec2uucgR}qB7v{hOMcXrmB7Kg9o1s4}
zMz3ukC|q*>MTuf;*t*rL2X5_L5)!rdzMC`M_S6@l7AaUARr@uHo8_L?tA5&DNuo}K
z2`&4Rg6_bZ@XAwY_Pv^>-_zQhNTG|rJ0ia*>2M$6R6iY-(`L7RP_w&S+>JiQ5tAba
zqXJsX#Vz(uOG-%j6%bjr#cCCTuZXBXc5n30dacYx4F7hWS{06%mDp{5>JKi9R1j-=
zW;bWEbY~A<qDkZJm1|xl9!oetCa)BiA51RsI7oKxMDI{|(x!^Z6mR7fE<`tdKCe@d
z=~-OtL7g1D_04y8g4I>xL{t*b*PClAv=gEUQ8VpQUBkrbc*REqd*ie^7;#XwqLYzl
zxV%JWOB+aB3-(rzuU00&asKi2&z=5r23C|$hrRr$k*Rj{q;p(E*46IcxG*K-Uu}7z
zLEU}RQ{=v%CMI$s!BS-v@rDwM;`al<uSjQ*vH$W&tyYQf)Y5;AKep?%{FHaY@=x)(
zP{G%U-+Sy3(U`s#R$D>j>~$Mj@F2(Vz}xsw1NYKiZasKI`=?K&4_E0p9iATe2>dl*
z;LCvJ{__jhL4Q)q(&%3IZZ=`G3TnW@m<kyl3&a&iKCAv`hg|j^I*zAw6)Hi0-8Cfn
zmTT4UY0qg&LCn4>3xQV%`$1O1-I?Ei@v0l(?wVmXNF+?YhdYkdmp;$cX8fG4K;L(M
zw)4!moetPj<n|kFgFFnOeCz|*#59S(w{y<%S0G13^+?S6P@A=1Ka%zqHMI%a!zpSN
zEAPA->+Dva2<jU{5sxl|R_)tJ2XWywdi|190j15A`v7v$KG$z`Cg9oMCnfkrv=v*m
zi)XR(=4WH;MhE^_8ahS1Iv_%BrYsA@^nle@U<oqnw&}cgLHhn?y2C$o!fVYcvPLF#
zOe`2HgwN6eE1U?4zGMtee0Ht=zGNJhd^<JNVQ{ofnwT?O@MvY^eyFdIm+e9dk}6@U
z^hy3I=!aiNN_5pnOYnA5d@5^Khk-&7E1UOI36&J42iJ&b6G8GgsNH*@hb20yA3Hs7
z<0+ih8%x7pQwFgRV!Bibh4MK2Qjx#vYU(JhyxC8l@fgXA5XHvd72!6#)%{1}X^Gx(
z4qZ_WcjAE^yF`|EqT5X|mk1fZIg`u=5DP*v5N8wI`In6v(!Z1EOq_%%b+<2U0Hw{Q
zuHyn$fioDOV{B7p|JA9g-Ex22pgr&Mr3{BBilu+Gv2e<_4sRZbXO<wc!hFyh03<NS
zPN$-!o3lSeUN@l5W2yrQqPBRabcNXjOitSOIQcANJW6khQ$heZ03tEdqx;sRLtcXT
zl?tj+@j5TSJ{FlAR!nsHGqb5<4&o_=ufA(_lRO`BPdO9n-Wbmmx>4}FyPCL=u>N)r
zf_cxI4xF5l8hG4~Z8;E+z`W_cAo=DK-)Xm_cEax!bG%k4fZ}We3%$1^oUm`Yl-hNr
z?}xk@e&y+YI^>G?>d2mO)YKlNiQqi|7@e*lvV9wz?~sdj*;0AMb~a5~Eb)_?aH$uG
zOWLVR>wMptA${WtR*E^pK30P7X=e$C1<p6C$H8gy>^pg3;mt$eo3eIPuBfw3=4@=&
zQG&I3S92uhCZgYP3-h1(ZXmu9dXqK0bzaUzqDjXqYc`Pl7NGw6(KKg*p`a>s8R#vB
zSHHOR;CwrR^3KCZR6il91f6p2?}JHuB;*SZr_;GHAoiE2OlA^iMgksm?2;>Wkq%Pt
z2ZqYVOFdJE_<Qq0|6EKoA_1`{MR-=bcKHe`z>Kqsi)%(>!q9lS-Jr^_X4Vva8nF*q
zbqjjOhz~#afZBrd<Is8>A}hG(bR<>n{N#2v=q2H%GV!9g5s<5+xyt1Mz(HdEm0o<(
z^W{TD0j8_Rr!Oudk+HiF9ZBvV<;ad=?TFGdu6IbhdxG*IwlWjB_P5%kaoq*$F-hD1
z9NgdeEG%7a+=(gp;fqW{T0nIGhW<zTLxYh@yT@K6cb=SHoe@YwTaL`glp1<2=XP4x
ze;@5gO&>Ie#X?dd=1~#|+H1?}(F*xW`&LAe`#r_)6ZjlRv)UO#+^m{To>iVB3Sxdg
zdR`TuD`x8&%HYv`F@_O(c>nsYs;DxkRV_^2pq!A(40*Wm+jhw<C`!Qq3X>JX2)jIu
zg$lOYSB#tRXscNEA{K%y<MI~@{kpB-GF*`ec2Q!3r^+Q@IV^>sjp_}GGZIhm7Fbok
zXIpD1zj=FZvZpnv#FV@wdQ;aS7jkw{7>XP$T(`Ifw}S{$_!QC=)mMYIET-FA#u&{3
z+^~P2b&yht)y_raMWhxeeyP@)su72MqX(*TTaeEm1c2s>wh<dFLj=)0YPh=*V9G^o
zDF?w@b6k{aAqmQDQg+h%SddPJn)cRGbyvd6sg_<q#BAh%Gf)a>>Y;jPs~`DbYmIPo
z)4r{24S03$*+~Bn4_TX=W64i|_nRP2h~>>{f-K!PBf$%ntaY*5U{_&SKuv|yM(_QH
zfAG}PmMvRf&`#r!SiQk&Y1bB@A;{K1-Hn92KNIqjwCs1BI~TI|b%`fmUF_<+W<vtU
z82e4pmsKWYMbk|aV^iy2wbyQ@Z^<uKp0SvoV!0t?`|b91?%4ih2m8+++L*4Se?I3Q
z6JEW7VD6T|EClrhIZaIMS)8-gx;j-`G<Fpt(bvjh8G^)jsuAJe*D4JQ7S=54>Z$~@
zooHhI@k+^TuBq=hkIwhTjdiq^<tGNd7IwE_RuBsRb`VzlIxiS1UGpxG=SbgT<nt&r
zamd0@16?Kv_oiBo@#<wgPYPfa6zT^*nq}QP%dK+1D!nXLQ(^@3lV;Uq?@%4+<XyE}
z;dy&iJAmEizC<SBSr%ZZJfEf|f&1)c`Q#hn$UdM}$#u@UzD5i`5C<~oMn29<g2*8f
z!vje<cAAz8*_JH<@si{<&1H9#reQ(Nu{^@#?-mNw`j(y)@F@)|yq72gnZ-)CboD64
ze>}+}D?wBn#rG%!s7b$(GTneZcN%V}$oma7$?S}pr1QK&GI<4Lt^BKA(Eyz_rMvX6
z*A)&;CHUdrE^n&kecii#cC>c@p9tQ+*#&1eA7;l~<@BEnthjp5m=y#oXR2N7V9(mx
zI%gK_!J#x{fYwL-C2gEbMv6zM`qy0$N*)!Zrsbjis~i?sD2nahOD4_)@dBZ(wN(;}
zI&E1dDxX?PlC<w>CmHwERhqMBKa~n7rCr5Y^xSi>6t=o>HBL+%k9s2w<r4F=cl+|l
zq2hsUx|n(dZpb<>^8b!l>egky`mmcNv%k-=m2XJ!45=V$0e%QA!vwaVnsMs+9-Dr!
zAcw*Tg&fyR)6dHp+v(A}F;R6C>S5i84hT!7HipY{Z-n-K)fRW*;Eu1#4gm2=(-C$!
zHEF4pvy%sv7eE^y9rAAJgz39VuNbFq4(Z$J6Aw(uBR%i5LsAZLtLd$#z8SYkJM-D!
z!H*Ah*9w|XwIa@EN~y!EHr1pdLc^Hj8lD(I;>p-l6s*zDM)p9`g<R4+V;{N@u@Dg^
zGD;z1ud*I*H9k!Vs>J1_@c}n?<BMC1E)9Ltf`~nAkr4*|Ff!G=E@s5i9%Xj?ws73K
zp(-*YB8#bNzWcH%+j3K%CP1^B;SsZM#WW>%hOU#V;FBi;2YFfHV61vfv)u%gbiW^c
zrM?YowD>FmsrVC87I2@C{~J75NXP{T^nPS<yPq&!&$kV#-MaXqgt<2Um?%-sqNUBD
zt>&Ie>2F_GU3tl8|4hk#Y9%(}V)?aqd_*gYf~ynABH`zu9`%SLp^ZF8h>8G=_~6;)
zJ(1eesI0Az)?&N7Pr2BRW7zowt!KBKyo-R)k6=el>|`JAKu_tF2;+HjexCS9&P5xv
z2ZoChH4rvrDzdAs)lyy2Je<OLJSQT&DXa>cHJ$izt8sQU*5_nh+GHRW;-%5|9f%Fj
zIiP)gEOxvVxZb1be`hDsKt$@#_OlyCnQWs&3n@bLc<LP+x=vUzW8%N4uPCX{${X!(
z*Zy#o8SBmLA-Cc_l7*D>X<kCB@;6QQJ|CZ$oHTAlU6ZOk8F4|nJ4Zds#_{AeSkEv*
zT>e~VT=~0Kn8vi~!boimw+2R>XuvNyf@-C=WHzyQgK^lMt<LaO|38e>-eu1h_h{Ad
zE;%pZ=?k7OCI6Q6-UFDW6Q`zYjd!lcv#sL7@&NLKvymbl<)8BzMB4@F4}w>14z(`Z
zcP`&SocVfgop0OJNB0Xfpmw0P<ctE_&!I*oQ+yxHqq|bL^v;_)xiDLbeB;Mk9s}>L
zg-jE7@>1*E7f!z4+86nUyl(^G5}rZDIH~;_G#I&;ZmGWi5g_N~Kfcuu9Ur9Qa`+sH
zqJ2f{$0(lZX0l|u;wpaZmY-Q|NBWyJqrJ^p<y=8EdCGW`OvAwT$ELhz6@jIb?yzFZ
z7VVwai~@ocSrK8kat2mFH1NqITtbnFzfEL%pX+pgm|CFjn;ti#?Ht{0gcNEU*74dj
zcj_zH^_dE3V|)f8!nrjNx3TUB%}x#|pR!?=r9KNLC=Y)%F(9*LsW*k<LT~lk$G@Dz
zWK%7QEmyje(?W1I$CN)M>xk|<`b7$vIa+~ay;y*k!PA78UoWSK+l7G|p-!ac#6lDC
ze?{I^bP+F>7@1!B)M7|FvKr64Q8J!%JLKin0N#3<#eK{*XnE&rHsc${no6_Uf{mtN
zr91Na;{Um+*bKI4tbi&(p9n6=F^(}AX=#Hv@4~*w^eT`(IzL8%cnqNU2SXJPXGJ`<
zny8h@Ca2vb{CP`><9p<$Hu*b+gnM&oB&?^8ISL0)SYfJ?!LcX(z&%)M0QYNl{lA6$
zx1{K*QfS7)@8;tlFGgKgd`g-qQ=!(yo^4*Z&&4ini}*{%L9H_5SnVQD4RlTk#%l79
zmZJsrCWwA$IX+`7y05rmY2OHP)#=VfRx^z4KN?JVc;l0~g9)PeKrigG5@0={ah76*
zEKV${q?GONBuA>v$V!#&8;UhaZQsszNCikY(yHr{Hr~qfbYuldNlAFUqNkpKi9#~Q
zeOn51*)!Ge6#~04C>YqeztCUyxjRsvxgiV$#qnq&QVW*!P;cGu^mLqOu@o#*6xkQ5
z5k8bSjlcS_=#rb0H?Ol9PgRdEmb)Z&{)x5*d{w9Ebb#&!_J#0810P!S?`s|e-Ot25
z!=LgTUv>k+m!7$gBfPyPt&S}XW8hZz-eOnZa7(a?65n>6`}VR23X6K56tSbAVKN)K
z{rTLP%kqe|cNOa9{tJ{2xJ|=WkNSFigg=!lPd&^&V5kA!EjEuiG^h?G(T?}9Q31<4
zc!L*V2jf`Ju*D$!R@`W9KGI%b0jK1(J4DVdOF~1ygKZG^CYeg?TCt{L<E;NMZL;x*
zsunLVP4;P}(ld<pXzzz3DW{hC)titC9?b<9oi=3C79Pf&S!ie2c9ujPbZ1}>U&|<_
zhX0bzWX@6GAr;<xechnrAh6Ee1wJ2IP9>i#d3l)_Sx0$7(5qQl^o#RK_43B_r5@$!
zhNgJQ!T<YKz7@&`zkvB5wV^gitj&l>BWEVk^9Ph|l|O=^7fEarmT|4M;JyjuXqIu1
zmPtByB6nStYX1K0JMJxFcnPp#9HxNCrFvx4Y8U0kCgRJ`vzf-mCbjzFG9z>qB?p{G
zJBSfo=jW}%Fh?nBsCzp~M+r81;}LCq?~O>{$zj<RRiz4mm-}62fTA2$j+xJR;E-_E
zbusW#GQfhX?<9Z<We0F4dVjyv`O566b0J~TqW3&Er;M+Rt%w!Wyrf-Se$urz;C63A
z&#NLgcRxQGB)Z}v%CZ#*Ro6+bm$;*WHs#QVdE^L~_x^kElm&KqOnAoO+H{Jt4N?NA
z_NOJ}E--3aAD4866~T24Iy`Xgz$!+Wl1BOtOo;4jcpBcLw^ZWY5f@&eERlK?rrf6;
zl1H*plS}qz2-toO6lJ#3^C<R?2R}1!o!-7eCjNNRSNUWOr=vLoj+m<-PAmBPg)}{O
zj35;j?Ebg5w{&mz)8?amK<Gkm9H1${tf|B@iXvAhX^Bwv4qq}m>`{x)Yn%(8@y9!a
zyd;pRsgavB0GR%lBxeSv`Huqd;`D)t2}kTfg)$gU7CNP9)<M;d^8w7QTv5j2Mm1QH
zo@J~IKAJEC=O275QRENpFs_b7tc?JsmT_aA1~jhYkgsNOaiML`atFzw(62T(4Y2RK
zXYV)|Gu?d4ulNq`pIs*%u(pEpM09^ZwQaEKK1FVwqSg9W7e#l01zwMkV@GL(w(|aR
z7j#7AlYG^vyE9ip0*-P#Kc=_Z8O=@jdN@o7VfMMj)HrQa`)C-)RB-j*4tP4gx$x2o
zI%(ni!=3I<O27WB8KM5s?mISDW4-gQgnRd2s|s(-&c;NHB4B*VdAzP>fNdj_KLelr
ze=&x6^L8Dh{_im~>6k!yCFPfnx8hB?)+LB706yKK8Yidno`8GFFVPL5(pmkCbq6lK
z-O3;RuY`<R0asAoLp0i_S4r9D?ledUF}$75Lt~%;4`8obxl}Mx8>`2Ck(a*9MqSN{
zE8v^B7xQRGbSOzx_+FuriF|>-{bDxt@5Quu@AIGI)!z^EU~2h?rzEyj42xRxY<o-4
zzy`Gs$zh$)_oM&~<N#Nl4iN%hfn-WW9;e=FY$Hmj>0(cq`7OG1kto+{YC&(e>tL%!
zRD5gHK}n;s6k{ME)9iTJ%#j>Wz^t5GKWvw_yAuCIIf{Xu;njj}h)G6v(`KW#^@fFD
zovTq+`fGm^qV_47t8mKRE$p!vwkeF3bQ1B4H}%=^kCXk_;Z-;eY^P5q>XRQhHigdw
zsybVLw)0-!G#D2S-W{F{BpEY<*5fJ?Y|YZ`$ti4=jXqAN-&J0=+T8mjS?o(tU>Bg)
z%sR7ZNuptZ<MyM*8uvqkfPY$1WSb|q=#b?;)5b;Dfo_c4{gYZVAm4YXgg(uAic1p7
zSnpE*)5!ChlSt)qO=8=GUS9l>xmYdOA?n8(_FDdXN<w66VbTY{@;x7fkt|uykN>N{
z0n48LFWfpjof{b|k3|5!keu^Gb>)~;neXwEOU(U{(~<X^EqGvjU0X@}zeq8ye}gZ}
zE{#-%e(FYl9*kMyc*0|{{?Azxwafu8Ry#pf#TDHVzr~ek)lFQA&hQXR%Y7lv2X>YP
z><X-@*TgMmiww~t>b39JhEL;}=+|dne)`+Tit891Ot|h*W$-Jq{6#Zx*s&kj%lh@4
z!K&`6a6g|A_czrvC5Z8_v`FFL+iF^l!yLCOl~-Lf-tdY1C=n_4b1b#Bjss8M?^V8R
z)MJp)B0Cn^yr#9lm>aHeJle=DdHgF1M6CX635azcrWravY?uf9*Ek=(v9gxEa1v`^
z>(jC&F`S?r>BjiN2_w+{7%$W?Y=7>D{uI`Cr<Dh^(1P$10s`b)5qc+5CsVYs69(3P
z{-`9%^WO0;micm6Gm5Tx3-1uI)poC{XpmuKaM(&Jfv-m`=uR&mGZEOmtzpebqNXC=
zky#+IHCxeU0h+1U@FI<J=y=hCw;~1mFp<+5A|X9FtLt}L$)4xvF*v`<XT(tHnd@%;
zwxc_?0K-`z&9O417gV7c8fv~0F1M^?T5S5H3d6AxdmJo&7n)nIWitUoR8uuIW?!&<
z<kqUFOQXAHgh-tBrK)Oq13c3qM8(q)@_Y-MUWQ<T+i``9^L=GNse9A;RNIqxs)vbt
zv}c<JeD9w-Lt6V{JrSpT`5UzQZa0Qs=blN=v^pG7FS}Y<^(#y<ZA%rc%-dh!-NPHE
zZVGQjCC14k&N(4nk(L$LHr$+@es2Y=$ovyg*cFq?L~pM9ni`(X<hd(i82;181{D48
z<RY;(QT)?vHs#lsjI=T|Ui3(t3JhpK8);5@1iq=ag9hM%GFqo<DnV@(UhMkvreVH2
znyzQlIR8FRIOFtQGD1#e1@MP0y#$APG^x0Hskq#>47bsPpCUf-4Iih49M7XOau@sq
z!iN`*bQT(5rx!%@mxwG7nE%EhCVw*a2j|tlXK_SOKF%eD_%{E?;6FJwP?S1c<P3Q%
zc~Fy}lo~eTno*+17#z-oPmgDq9rT!OW^KYoFWlO0Y+rkx0ghl)Pv2ezu0I4H;xnWU
zV<=!r>YD^9>T<-fwbb!;LM8+@7ll4t@jYBAUh+TDqxOkqN*ymrJv;t+YMAuEWeT#+
zApE5<^LjICC13+1SMI0RZEADUys|lUb4J1IU(98Kz6hk(!x->GMA^ALwY7*aomkXk
zhhjlL`89}FzY=8_;Wq;6mP3d%kPrs^y299Qz7tSuLfD)2NRLh1JbcQNZ%3v#_Xi_z
zxwh5eKk`l!8Vyv1rm=;!y9@#(B*VF;=o1`<?=5<inZ3XEr<h<v`29AjPM6%{(i5#+
zM7uC!z1B~2He2NI%-z=>9Gid|QHPtI$YsJ7p`sDq{!WXNZ@Y#}RZlFM-tJY1LR7!e
z6@sQa*b<&*|CBEc>aPE%*3{m264>!icE4%n*$%()h!?6Wte2ydS^u8j{wS_1?$_6G
zx2E@CgdyFtvYFItIsMNOoJxoz{roz-`;f)v8;E6zwFdp4j<zW=*4ILHD_T#wfXBb+
zm_M!MMEh<-g`@SRV6D58Ia|*;%%$6%V+xQn6n{j3@q6yC6@97P5O~$K7QEoUkmoq{
z8%)O-5pZ%i!5rs>kl1OQ0WV3e{CAkUW9ij*>cnZ_=f_I{*pRRdsWt#FwmNb}J>%5&
z*bSG!hf2IBA6~ny6F3>@3J<P6H7a=JG3Jj|U(sOkf2m=q`^m<N3ye+3EwjjV%M9j8
z9QM25Ds1k8;&!^(Ne-zoYNK&HPk#e#;Ke90*iFq8^9lWR!L)VHn|i#r(4<Su1~(p(
zH^2qwBDaF@w+!gx22HwTXlmP@Y>4v5UjRV)yrfYZdUcDgnUIk8`@_V$cXL&5H_E4-
z+U9abG6szNup)fUx%p`<7dED}N(kbLQj^Xo()wX?NNMV{-18Pns>P0IWXCK#wg25H
z;=+t4|8C2AT(fvUO7ck5504oyF=cXSYSK6W;%W*yDyzFa$zKXw+L>6G(JPI*bmacm
zz!keGT_G>23dR__ir>z&n)OpS;!^(qEC4wu^0P}cX(+y(2tQm-Ul-A?^Io2M)#qr2
z783goMy5=>RBxtE`J|$Eiln*wZxT=BGF~zl9Ogg3){NJ!E(F~kOnGru42!t3!HRM{
z!@jw$&lApJzINru-Jo1?cQMZLiPw>05QftL04u?40-XDH=}(JW|J8VU0_$4xRN$6D
zQ6nqb$7FPhk9cGo?)K&Gdk#>mm5)vVqF$+h&0c325h<>UJ5z8}MJ{u6jdG6zq`lut
zi!{j$C>En5wpAqEc;ghZk{dDoNsfOBq%Z^8A!%~P=kfRp9%MURYs^uS_KvflQ|4wh
z(v{B_t^IDzj>P2D-;N<sPP$i>lq053ZehjVP@)b6B(aB6^e8ua#f#Mw2R&{iKeDxI
z;Zz4wY3%R-+tj*LoclBZw%HHgq;VUZRA-JckXZj6@epP0|6Xnd?YT4EpH!6Bdf!hd
zI%lA>KlR>tt!TGT`&Zd`_6Q=?rq#*5I{yP?K0VHJ;spezz$`@)zLl%q$6dzH`8|X-
z`H0HvSyj4=zmDua-WpOv<9e@>m%OWRx0N<%{nIy+Mn&@K>a)$d=1rCRyXV40l=U+7
zWdruhy2j42*^VjgA%8p^oDw<c6H!e2S*DOm6CkhRHVM7nvu@hOwz=>xraZc{PKGg;
zgk;#Q9b#=*2AG&=YooY&x3ft(tn;2uulFFmI->AQHycm$pY?)6j=VqX2o5m>RhO^w
zPn8h%u%ZP8MtP@0PANg6*c&)dOY&DmYt4^K0JWkmW06Bb-T}uv1_A)~4xg#wbDY(n
zFAdj{ZSAL5>^3VRMSfKP&VkkM#L<p6lN?(Q2ZmzOq+dH6<_;E$B=1)(9Osd=#uzA4
zhQVRCJRk%Q-ZneVBn@K^A7`eX?5FxJ1SH3mb4WbPL|nyBOc7y=%T==yz_}CU<6aWD
zZ6A_(n!@#ic{ArWaDKp0o_ikje~B0QxYZeRj0vq!>k{XU%2fc0gOGb+05p3v5LvNw
zXTq(C#S&8UYe`((GQD+VLT$cE)JP^orokb(6kk#N_q>*^^*3}&AFP_D^E(^sZ8!aB
z$8Dq*`2^w4ot`<Jofq?F1}#wH&}Nm7X$9VuoK+{9gEss0B@`i&^Gjb~a6CduNe5DA
znmy~l#E5?Kdp`K0!0+kkD^^d^wz;CZ{AFZz-xteL+na|!ozkt;J8!0Nbw^Jv@H!F>
zYTh5*(+;$kk%f5M2wvd?PM?oqONkm)Kq-8(uG1k{4&v_3R2fUO45sz+kbh{Q*<Pfh
zl=wxK1)<Ji(tHz;_X=7cN7dCbdHqg15Uc>l;l%Qx?Bq9rlSST2C+Z9Z12;D*`px65
za}VQO?QZ8scCDRCNMEhmF3q_LGWgZ!MO$G%+2GC;I^I8NXk|K3JO{NeM|Nw%yJ=es
zyH&%dS$S#X7^ACO(NEuxw!6WHL`7}y44a({N7d@?))qu&spBZ~wobhB_HUV!Lrb%7
zQhF6bM%>o6H6}VB;x*+Gtx|NYUNcO7^TAN?GkVW^VoqXgq4<cV1^>!51lA3#FNsuM
zHt%L3kJZIDjh9r$q$gJc!P3T0)j~L)j6BQ=>75n__kUwMcpWyE)0sFVIG^e2l`{4#
zKbhCrjI3p=9490zu=>yLFZuq-<8XT+$dsd?qrBpfH<|Wt(tnU{Z@$hjbpg(=W3vLL
zC}BC3<a*+XMHm2<bpc*U8oN{XqoUK4eNsG2opx20zWre9Id5QJ5YJg9+eeuqVH3|Z
zuMC{K(trP~$N`uomQ@s=EM-|;8Li;7`buE0BGo*lUTI~TV}C!$7(1eAzj-ONDOIza
zg{MGpaSNW#@^Z-QbQ?-5uq*fd<6kL*7gw(I+3Y|ykG-3&aocwM(kg`PE(=!wW6xzb
z5d=~Ui<E(%Kdhi50DkMsmNy<7H!AiKe(%dMgxZ$Dw?bMeh}{gclX7f3Y;55~DkDMv
z@A&UMq_XY^>nfX!FP0uN?pzzR*@C|5GHS=Ctd9Ervgd-dL;)llozuw#*-|_u@&{p#
z(8u-^Oo>;YcKyd71f8JRE9eJCos?<@Tx?BkI?qIIiTO8clFiARPqdbU6K&iY+~$CA
zgjS#hK++Z5TX2B8()-du---&>_$5<t?x}`-EWbF`J8fjOv@sEy>4h?LP{7h$|C*FT
z+@y5E-W3qB>SE3~&_N*7dP^i61PQEe36BmI_jgkZaq;idPj;V@reZ@*NqL!xEDl2`
zVQJ}HX-oW8Wzx})vT5TcjNM&{ON+s7rIV#BA0LbR4D>H#z1igCsk_Q~k~g?=juo3f
zI5e12d)_Rq>@!fuugp6cpPo8Bwz-kGsgl)lt@l_b*d!>h!e7w+>AmzAc|!GpDe4V7
zJ5AVVXphIo<h7M)kv&&UsP*z${pmNguhfVwirz*ew*<WeZ@X!omnJSyPmr3SdDLI;
z<%1+Qs$4>+i1(D?gTIW|`vgo8Zz@_H(wK?nIHxWHCbhuUal1<jJij9o^|O8Jc{?LF
z!<RXE0uTEhD>>D^3R`l%eA<NzW9IQA`I4$|b6z!XH}bkc@W@lT$K@)XWtlDAgv|SO
zN`PY1nu>>x-kYw|e3g}kIdFt#;&v8|O!F~_;~*nR5VkhK;y?k>7mV9~q2YJu=sm>A
z1OmH=r}B@fnB}~5(qWWO`oT+Ae(zYdN*x4GT?k;;Las~I70>TDqO~Ed>i*me-Sw2V
z=QpDUz7U+OQ%$4F<8SD?E@F+8$;J-K!$-Zzb3d#Tqtx38LVFeB+|&K_05eBut7|*t
zsA*%v75k^Dyp;rhPk%Kw-7CP4#6Y_}@azRT$pwBnw{q5V=cmK|*t%b5NAZ<bbcx+3
z-qhXv%nAm4^LAy=aOEY7MU7p5*r1^xD{P{))>NY+Hwc@%dP6<jy4kPO$#0Q4w{rz3
z9LqOC95HfnoWA1b{;n&_!-*8ykL=hV`D?9T@jzroV$b~ERa^+w;==PAslOjzcyaGi
z7b4N^laC0C@J9It!cYr&Cyd|-I`d2W##rc<tr>81c`MzKd4ON|2J1)Xqi12mx3-Fo
zr@6s3u(k30=2;4S&ubx|eOu*!@xT#|(=?%XQg6wpm!;WWJq^6|o|=-FbOm1lv<%8)
zys2;>nHB_tBdjNdU0#Ol=;1)!V$0hDGIz|DH3$03H9N)kIuG)D5yYjDtzR<6@_crH
z!jUlI2!MCTdsaH6$8nIVz5HV-s^PsS?!B*EWGy&&*EZ>)eEtszs1=PHIRaG+)v1BO
z6>Lm7oK-M4>Xc7(teq{jk?~M>5ckkF9m|Sgdn}lQ4t5I*&FbGTge7W7o%A*Jii%9M
z8al7vR1RDGl0V{HwB2zwR_)c<T)JJ6^+w1iNrRs+;B{%F<>C>*e-n%r)=*knELY{G
z;p}6UtaDtZDvB7v|Nac22I6MKxIONRhhFKv@+v%VS+`I0Z0Y)fk4jpv4r|Wygh9=s
zwBKedvI6YM{b#PTpR+sEc@Djhf=0WP;+$JleK2=oUR%XT4;38_s**PcBhY#^e%Ic*
zfopg+IeT#4DkNAssZxO;99v7->=-<HB;g7wHW-2?b0i0N9X^`di#*|1GT4hc?($z{
zE`W>YQ_NbSVe==4M#JEPkugPlzA`YM{q&CJGgjG3h`rN#K_!XfL7|=v#@0IG1>Dcw
zNALDB?QY`FE3^+I-!kq@+DjXohx={efQAXaZm|ZsVBTDDNT6DiCYMC&z%H~~d4-cK
zxA!Kc#v-#?QkoxvDIoY{OMrZPG@!b|#7XFs>mSPUQmC;`o=CD!6c%nK{xzbn7ZNz4
z@@PkH_$^Er><s>9us0F<68To0SNywud*FXfx@$af3EpfyJVFp?s_3C<;x{`o?lce6
z@0;zIO2Mn2AO>zTwPrR+QhdmU4ub|DZ`UYxF`#U77R|mv^Iz)fO}U`K8f^}O8X4hN
zz4ylQ{eB}u)Gn2acB0bIkt!I$D{{sPOkQTo9c&PLbdSjQsXeKiFFAo9=k~UA-E`_N
zGxumDD%ZOH8&y>(i-CaDrm~Q-eb&blTgf|%q^{m1u_(+5=DP=^To1UWQ=1jzZ69F9
zRR^~Z{0?59(`zN4`zS3{zHdW~ZW#0KjZi;6`*EwcdcW&rU~bcar-5ZP;&7Dx=~2q@
zK%&~^v&W4G&wDQr&N&twr8ko^<3n7U(0zjrbIgeUOZQt>kN*6xCeJ_{Fx6WQ-=~Hz
z)8@v)aI`NnNA)BD{Uw3&mt)mZKmO;@MovB21-7j>&#QWiP+UGI3X$Z+ljo1hw2&3*
z+4kupFo&a*olEWm`~9{y)Xc?x`^@a_prgKx8irMUUKqSjp-X06a-|-_zuu>p=4l1x
zrRVV3kN}AlsCr0n0s1TLVc%-SYyhmDHupQrrOlstaICOAOnWj|8d|>>OExgW7dZ06
z^$+-Qt~WM<M~lBM9QH#6p&PJa_>A`*{uE%Fws3v=>Q9g3&hEBxrWqBG)M*M|Jc>~#
zp6n5bZu(b(q}IXB-!^=W;Q7j5jGEkDyw&H4+R|J4qR*OerQbC8zQw3Ve>9)4l@XX%
zMi?nL)pB;ktqM2VF}il4^HcO)t<z~c^_ly(UFPIJe_A$YW1j`boWhKO9OsoJK}(BW
zdPGWP4Q~1MZ{uFR%NRhdIAimHo%Pgy>qy3_u1BvC1Ayix#{@f@Q!bl@T<$9$f86_y
z^>7`obUZgTvbnXJ71{L<r>Tf3u&o=6WO}KTbfw~3SL%ncM_<8?j`U{yEln(Gg%o>Q
zZy{$G>mDu*3*>L_lLpO>KafuADZRsNl73I>=NLQE&lgVvb>47&KW+aShqx`&*?75H
z9Zbb`eYaRSN5u!@35R|*!H_cY81O~_3y3b^+tXaFKVQ80dH;R_x4fw%??9G-l{oAP
z#-`myTyg`}hn*Zqn<E0B8cPbXp|nDfnOawm=hn<Tya|L<;w|FX9Q`9N+Ll623huFY
z&puWCVtO!&w{OtxjQQ~t6(6}n5c;j6seIU!DWAY>iGy0J8yHk)6@0o%#@=!(o^zrQ
zrA5}DD244GQyZBhbqZ?fo8*JS2J^R|Y1gf6!A1Aj*L-&69U~4>{z1EAFe_djtIgUx
z{6O@TPMW(D<@6;ZwHEz?@1C!0pGm&mm-qEt^EEwr>kBZ6n}N%I_iz{P)Xy_a@~RKt
zLdrHa1vFn+P~TMrEt?4vO`U_Np#vRq!+52z=SjnJOrMB;os7oT(}T`<?qlcEw$niB
zKCMjo&z)8o3K$}(wx<n>es6d>S%0s|ETn}VWc;mz(J?4Shb;#77`Eg#K5domrXny7
zN|wAA)O@TbJ}LD<ViSFilEWo7sJ`%9Ubdjv^&IO>^-CpXK$FRmKun6KIn`vPSkRc<
z2U?BDM|xM<^cCpPFo1!3VJXCd=_~9cR6FqvV={+sRsE~pSVkFIO}29d9}9mK{Svsh
zu^!8)pxxQB<PEhlQQ;&HWiHvs6stJy5AWiaD=Q?t(}v8-3x@s6T$KfL#YUd8$#C|e
zWMx?<|7GOe=92$>jzzOU_IV>vC-T|_hj;zc7#x7W^GiupEmEx?!cv(NwJSuCXb9dw
z=5vYX8E&ojuxEDWC*5Y(P4@=<jMqg<Pqe4Eb9I$t0#MfQWmYTRm)~*rX9<dc<j#7S
z#LFJIC9QNvzFh*2fm!?4w&~D-QYsfh_ALPtcFuOO=tn3a?EZ~mI((TiT-7+25x<Go
zr;7}S=&w!>*XlnF;ksEpSf%<x^vR*IKJ7gz&47`HOEB?D4qcA;KY#P-)Za*R&dg!v
zcqW7Jk^vH$PZEooJ&L<6(c1k_QY*Yr#q!4`IflK3;+dO%`YU$@3tX9T$y38uI4yMT
zccf5|01ZFA<PQtI>?rpIZJm*+z$d5s{4N<=YGjR;Bol*Nf>IFB)S-K11E6vp77E_k
zh_&eo$)jBFhM5b0cA1?95EmW5rF#4I>I<1cby~ww148RM&qvntmr|1I5mi=7ju;|B
zM?>mIK=fBb_M})Znl^hW_apM-jq_hB43Yo!SfDWcJ9m#9ZvVM-=7zv}t@VoOkBv+7
zHI!uWA&PgkQYl)>uOQjPiM0v1Iq)f7bf^Kw5gQ)Nzmh*}B<RX>_D>OTf%N2_3vzxv
zC_Q$w<hz2HiI$F)aHm=s#bM};y5lfmbb3ax;Clke=6dG^?Kt&3mxMa`x%4NgjMwAI
z$&V&YRdvAh)&Bo8^pxRKLtjt;#Qw~Y<=b30Yg7sh{ZO8Qn&$Iq*o9^EA8mP-5Ox)#
z4!8FC=#Np(h!eM+)&R3VIgyRmX9UH<gLtv`zX}u}LRx?pP;=@MLL75{haEPzQ)Zg6
zS(GB&T?xJ^R4}onti5X<cB+(2Rl=Xn01XFk4V1%*{BBP-F-7;BK;npv_uL~t)blQ_
z_~$Fw2^-0aZ~O+43L~DHEoBW+>}K2!qtyKf>`1QkwEmzVGyH>4gI6v)U;C#vo1=re
zKV;uYq&0!50dGqkQ}IY1S#@~DakAcYvG@atuph-&1%y;UcOj%rRLEj6hkiDkrvaqs
zhb+6hwf<d>wKhKCfl~i>&Oara_<IDQNAFr?KUt~C9)%TnpI;sT)f-RUh>+)w{CdvV
zdRg$FV6)q0uR7t~7?%&Wy-5m&6Omrk)gnOmZata)iJqkT1|XKQ{_Ot@@>Zn2UvqP9
z=nYdHjTI1#Jt(V8XD(79zoswVu4<Wn31WeK8^M|}+{O~GdnWALPlf$H%p^lld*?1^
zfJXl<du-Y?XOq$pnEK^~+FY9Gi|5~1W=yFLu$RS6ls-`3fBljZVg)bI-d7UzK$Edf
zJY_)+ZRJ6BsIldD<BzGqqy;0`dX0N)KCjxg=w9=SlQ&-TW^<O)xx_5`)K;0l*NS3-
zYgXE3?7$Bnq;{AGtODl0bVP|d@mcKQ@bCU`W>jVNYTuBgTt$0A{B29X@}o6WD_6em
zkvQIpzRn?W;qRY)+axvG4ysapqs}?`vFBfQp}S|H9Dlz@+}F4HqB51vhx9|*pUyPG
z1Eul^F;Z+Ue}<WE2cN}jl^g?7>*Q5BBWqNyeY(e^kSniN=)DX}Z6A%l_eQ{VZa+2Z
z(;4@r+ad?5(uUc(@_chGQJz(7&)mVu7w)lM!Uc=5xvy59DYGZRBxtRFdX??q%Rc)L
z=B{G=;FJRX|78$TW1OZ@`Ywm_pW_IcvO4s&<ONkQG4dS~$aFi@tEgHZJ+C{~W=9YO
zNZxdw3jv7aKHCJ<+)OZ;eXZS|08x$l=ed?+LIh3UvxX3QohAe$eqaP6OMq3h#sgew
zeOM783%pTjq2aLrY?Id97Ed?unR_+|f>Bkj1Fz6+{#N}=VqD)#s@!-cQA4>S)f46!
z{n^cU=Dx1FK|#9e@E%ZEEK!|Li>LQ6H~l@HK62CBe42-O`&+?A!v3uKzJyenkumvl
zr`de16EOL<v@uc7>x$sMYbwstl<T)FekH*ntso>wjeNRHLh06iS~Pj>X7JhSnY6cX
zR{yHDkDCtLh9^GoFHZ-)7^)b`C-TIORgP8c=w>Ztb@x<7SJ&~9d&4CHIuf<fbJLQi
z(Z!uHBefAW&2LL|bV#h)9U-O)^exie+@{-=-J>+Nj<dZuvGH245+YPNIjk|2)n9S|
z1kEF*h`~G}<OyF?EJ(hU&*`r%jmOAWZlzTP;21d()&I*7LQXAqgs(lAcM!4-n#fx}
zUe~5adq)PRB;4@U>6OV+DAkPe04A3gp?&?J(tWz0!_&Aoun}~Audmu>&@X&amKruk
zHUqu9R1s#u;j*rQ)na&?Lb~!M-dngMHkmA7x^MVuz2w)GV!{b}*W9Q_aaAkWDk`Sk
zzx%D77QdZ=o8i0^%{jFJy^-;qGTGmzQ_uxta}7^{ZGtE0Er(r8V>xK8g+@=`9YhpS
zl&ty@3>tggurR9*KdX2_xSF!^*md!n)P80Lw~$i)xd_6ysgM!h)7`nPmVXH5o6DbB
z5AE1K7nM7Ydr%7Zd#hS!B8&}vc-vR7(3!UdyT~{et>Z26&mA{E=(`c_=eqamnSNve
zX-Iz_$6o!<<1gr+3%fHjC)Y#GWN^RrZO_^*R9+<yj0_Slz83HuL-@UqOknFC2QHY|
zYR+OlG^^Tvnh#CcnMNBdbIubJQEc)RC#QOfhZQ#uP<~f|_iOuOUjDhbG5ap%WjgOq
z73-!y9?VaQt%z!8acUTn^5Qv;)A-w*-W*3v0Le4zzx~3n@y?XfAq~F&J(_}37rTcL
z)^GTjOtcYGM$@(Hto9(h7igKDQYf^APz$VQI-9`}@T_vLQ%cZa@nGxV;;eMw9iJ}y
zNnVtT)Fc?%lcFeNbX5pDkRq|_q>n>Bp$3KI6At=ux4tRse~fN_YM)!J(6+Z*Tnz55
zqpA8o?lr?tN$>uX9YQ^86#M6-25X~dbvZM8uEF2tXybTiygh)K^cTb*xpD}!(6x#Q
z@4?pY39m}f7Vc+MsfW-n&HB2|Ksg37s3-Nc(MI$np#(+0p@+xxSr?($*Zj$x=v^)P
z*Cnn+9u=6d{#sYGJwV^IQ}L|>)Z&qjUnNhES^Otm@;@bheEDS;Q@P7T|BZuXy+|L)
zTe1n(5RyB4--Kq{&;CBaCcSkc=()Hiy%((x($wAPxp;se5rj#F|6Jxkob2b~W#=5;
zgO<-mekGW$MeC1{q3kxiNw!#=PVRJ#ES=5uLtRVPEv0QGnI9h0qH%J9I5)gtyY_R4
zmgS&1X$AxTn(w!cjBH;in)#n!J~{Qv#vwkH6UV}U+j$NXiZZ@8%!1komi8Mu!IrQ&
zDzN|I`&5taivTCr_BcpI+bc0A-wv2?lM3y6gW2x&bi$NGM4xDH;iX2m=ThN5g4K!q
z!2}RP-+S0>vW7SG#IzMdZ`RLR)0<xT0hR@0jz1~jN3_$&>|i{(WhKa(YQq-oR_7Uz
z8ZlfGxp6?xqE^FtBR_3KXxk=09Z3?73#S@W!rDd^w=ZZ5-bVRb+m9K3;52N7Xk04&
z5H)swQ2K?B#1NQ0KTSvBoCDK+1EI<@#BmMvqWXPXVilqqGPV^RQ&-4#7jV7Y#hMf&
zEiU2Gpy8<F@8R_NQ}wPtTZzc$;s>Ixe5(Wu>Rj7+95mKdcQ_&_qpMJ9I_1cor#W<E
zGu7+#k3|na+mCJkSKWJ@&yPe1x`&+TqwATE9@+z*qgTt1tax#rB96nDzd2sB16q=0
zqWb+0)%B}46PTqk0C|Ljc!}qm_pxQ|ro7T>rg3J*R<jyOl+D>kjeN#78W04I*2HmQ
zs~@7PM)W{KNq?=|pEh;dPadVL%IbI=ojYhux`o0H{S7(>G03oml=qKP6-zvD9`h9P
z*3^w|zJv<Uyg$}*+TC~Y*MEO>yy}ed=nAJwlBpBPkO*xF?JtGu%eNyzw=2ap(|Xp6
z-j*5zWdB@ZAX?`DB8xgR9#^K`R(byEd^<5czP9m~m<7CU^GjqJjsk{63q*cCXPs$6
zHIzrEv5m<GYj^yvji^t(_T2=N{SLEXS4){4A8b(o_=WfD%-7Ba;T?u`78p{Q{O~_U
zViuCHqu31Q{9b!*6u*xCekcF@(cJr;vF@CZc6#1$g6U>V!)>O0)X~n~gO=BuxDvGg
z!Z@dCrE(u-8(-P3PK_`V1xn0N)PpgiUJj=5*y=9@I<0Ex&RTaH8c@W6t?E?hIY=Dg
zC60Hrk(y{WowHuOy0F6XM)Zvp^3BU`@rQab%Qy@1DxEW2<m&cI5_?torXjUjyMFw<
zrR^o2rRluQQ=bS{d703G5npwGKV4O@Zl6|dNumS9IGNKuS3WBBh9)JA_wldaDCJo#
zYPewP=|)2#w4R+=oV3GSdA`!{G!NyJwP!3>|N5%=9dgyE26e$j;wC`mxjj)?6h+QX
zk8v*xgr>;O<FE2z;<>w%`KI5U4eDMl<G7)S{lG5}AE_3Q@e_cCvj5EX8B(4wG@3r|
z8q{Z#jZ%W&S&?OxSDtnK0Qxb)^$+vgH8CYV{KYSbs!Pxj!>7|mOK*R7lU`VxW6T#9
z#7hu{A#VY{6{OGFwMw3@ff|3}YwOcQ${<zwGKr)u-zcWX;$LzIHiEHuO48j8U986|
z?KO=>1{3T<=7NTeqz?WYPSJ$V)1tjlO)k8LRgLq_t<)53<1CDRYdC@2>=m#=l-$FR
z)Fr9gWt}+XBbu@@<sdEO7A15w%3gmhO&=OI)h*eeOYIwbj%r%TxpeWfocJzdXJLPo
zgwP>RRT|HHii~&Ar_l97&=dj56O8|f5p`hBU^#L@B1DmRk}yIE$G1E!h&P~wEHIT)
zBMyoG<37tGQ}z71_Qj4x{B^e;7c}T@H*Y+<S^jsF(D<|d#u>$C9Zu7931B9Eg<5zl
z8n*Kr-|o}I$S|1YfmUOWZ(C|<ktLu<5xxhJ*=b9Z@4m~-5`)dcTy+;e{SAEm2HS$&
z>cGR({ZNrkWTKhhS?YDMzgHHrNew8arovQ$H7Isw36`g4Rn)(e$GD;qm?%ID50TJ%
z(2H(X9be;qx4MmGh%cXtLX&@3DV9~sInSsV5Q^=ggDAbz;&e&f!ydO_YnukeG4X;R
z)o=GhdS%cUtF|~oD^kbHt%3|a_7@hY4nTM`6&?;ir_#|hNYAqjI&LzZ2iCSxP>Z6I
z_7bKZ@*(Y=5V4n3tc-Zrou);GKA~cW*Cyl=O(oBY<1bl{+MS56|9=*sUNj3BIXO_C
zXf!zm0k<Ob7s0Mh5&cbxmjcg3YCJsuA}>{EH=y^EsNog!(}CahfmlBF92ne&Bl$Tz
zb7U}+<->3OB$eNqyMyOcz{7{;y-4W~c9J$4hB^w#{_uf;*9vFm+M1ygcB}p?-($vK
zh=Qp@HZMgRG_j1);S=U$qtgE&n;t4Z7?j@|C<n=tseYwB?8#B)*zxArv-Uqp?KR?7
zfx9Vy>abC-%z~)3llns(<q$_Rj`}-EI%(NJkvjRqw*9+#H5I`O61YKktIW(!ayy#y
z%m3r)y~El5zqtQTTOF#U_NKK<TbtOe8l_5=h^@9-F=_^B)t*%p6|}TQj8L0|+FPm>
zD<n2W5J9Z)%lE#1_x)F{EC1xW-Y4(Z>zwm^oaeDh5!v}689u$|uW>;dY6Z84hmc!w
zC~ML?kI%8H%lC$|)CgrmlTga!z&9PaSZSw|4~<CY|M4XC&bj~N2YW>>j*IwFVGHc%
z>_c`G$@X>lt^Al_Fa*mli3lNVex7VQtRLbH!Zjn0N5B^6fAfMGhSkrMxMurieY*B`
zV>QBLXCYLSS$}3N`$|c{Sy_Q?#0n@PfF0VULA540(YC7#o10Yk57~0mz|zwS#7u6e
zEGoX`?fUC@tDx%e7j3MD;@sQ6;_c{VA_uN*S@@!FZ#5T;o9{_#*SSj{qO0Dv2t?pk
z#^X?F>Cnw~O70LStS4(IEZ+K@qH*+LrC71ex0ysGYLBfKfLoL@hLHX}Ry(5eQ2nHB
z5GJMr;KcRe>|PMNuD}~kqZH}k?cHiNx8H^EV!x-o0U91Brsz-qzKv@7%F^Q&RQrQu
zw+F082$i1iT}vgOgVfA|ZcM~q^2ABt`eqS714P?kHkg-B4m7rkrk|uItfk<My@fq`
z-$>K5NCqmcjt&57YK=Z~^S0kVPik>eE{#y#4C<BNiY`a)45DSWp=soQsddB<AU{sY
zZsG2!kX4ai=92hw>7u`)kKgN&U)JHAO)~#6l=X5M3aGoDRl*7nU%3YUcZa+Yaj!|j
zp#}u#%j4f1XTK;Dn4%Rkc<X8<Y=mTM;JeuQb%}zj@zV9a<#fyZD$_U6wYxX7$I)N>
zZZ!)%f$}_ey*ikKuHF^rF4g4un)Cj@Rd%fUdEnRegk=Cbdi65?m|pZ+*x~)5kv0>h
zC=aQNpLSiF4haI@TeZZXAm03;!`wMn5tm7NSm6^&WBdNlkc1s&lki?EhCw>)<O~g6
zG`?oE<QR@Wy`s@{Hi$rm9oI61%@2<`O6^|3U!aDV3xbz$=^*58Yyr7wsQqZ5!18}o
zvg;v-40N)#pgwG5GVH+iLpj$Xy#idm$O1|9*B~b_<ZG@<zYe8v<AUW1)K{LjIfeX5
zZ#x?Py=8u-L>d{qO{V<XYiMkH@#P47HhF>Bo5LUEQR%3Sk}aFQCx1PtloP`QIhzQn
zzh>z6VcNbXacz*k%T6-5gDy)ENhB|S?K_qj<(6sR6^(ERIUc&m+n?^wT08%+W6?HG
zrw&zg>R#9xiXh_qt+!WQZ-Lv+sSoi(<+km#a>lVd0y4M%ae#m_JFlo}a(PrfRHZTR
zlITHB@=~d12{9k{Sw$tJzP4FyyVm@;7dp;|vB>d+>s1^n<j1OAYEM!AdFzov2F1}X
zg%k53inlx_P(j2R{i6-n(W5)js5EEIu=qAeJ$p=XLirK=tfS?d`kB;~6I<fm)9{ke
z)sLJ@@|yuR7o$Yh)5;o2tZ~l^<OET1)4!B=E@ChS=<T8oYQToanoQb@|Ho+R%9EiM
z-t`XuVm61=XT+9I8L9otdxs_XZuEPm4`0&mj7jw!eB@4at|&-jWtO<Sy~r_`Twp7w
zaojJHe~Cg&1TW(1&#jA$*7!hTj6$7lrLrFcFJBT>y;u~8ls%D<fMq`7*m=-;*$>n&
z&^w-G6l1%wRC*)K0LRgtLEy>J3OPzM7<DA8z2NXqcy|A1nbbY*S4HS)&@I^eSPu4e
zh;D`Ht+%oJa{)luh&6-S#4T9i0))y<T6?1^FXT)>ZE$<SHVFaUUdw{+YfyImHnDhb
z@G%y@H!{>1u?cNdU4PGz;Sp1XKd*3=q~6krbB=O8l4m6sP9gh6VDm-V1Q2pBb4WUd
zBX}LK28RAs<U<Xp9nNcWy7!;&x1VQTXh6VxU@R~*eiWkpGVwL79;YPBog+@Bho626
ziHXDsW!zpN3CDe9v3v%~xSK48`0Dmuk5=2H)cL94Ny1^Ynb!Asxl7XTScE<c5kW$7
zv^7li;!lK*kRjl0|K4W&@u=dL=0n_?g2k~Yc}sp0<{05PEZs*YG*5WD=7+RbGCwZA
z15?Je?`M?M)2W|GlQZ;FOS0OIv<YowN=Nj6HQUDyXX@)uG%O;%Gx%CH&O3=tN34+}
z(5&9@&0!B$04)5_sP42NU_$d_-lF98#mdDoD}j2cc(ooPE@tEzwabAC?MOa|0YsGQ
z7>!8ugP!&AyO*<knc_3*A3bauvvix5e5eK)$IY#+6H55*$y>`XMiNa(ouLUHwAz1~
zVmhVota&+(8NrtTIaDTJO2k^%p5WF{){<Id?7!B0{||v^fNa#9$g+UIb+!tmv$~q>
z?e1@P&PrM7+RmZ&XBD7(d^I}8x;=3{?-yYl>|t{xtaw<zLJ*QI+Y8{agde>aDF|dB
zv9G3^NUhb^JEPAjUT7RD@lg)6OupBV`vNhQ5uemx*x0jKto}<KZ+YcyUXAHVg6cw4
ziRSPdg|hqK#q{~azU+2?lv}F5`72Z5!K+ej2R#hk%(cY8qIPcVIfeUD+Yy9x^8S0B
z&(I~(uQ%NMfwT`=_|U^v=Hf)oVtvn=tFK9i3iQ?=aXOU`a6d~vvQ*nmGC16+mp1hp
zR(P);7UDI<j{G(+yCZG^jA)it$;)7+i_7b|PG=n+A)e-I@H!X%EJn|~r;2<#qZ5|i
zoUkJH=qHSw6(&w5y27DUFxC|Yb}8A*n$r*m90bK^mC${*;15GEPV}8)`|2P#5?|NO
z3+h={@CQdc-T73K>sbLMqVU)V%B1a>Az<OrpM7z4#2EqaDO&J$^3cwX9CLW0*!HH3
znT0W?oGou_tQeU0D$&yws=iyo_ecF;z$p42Npkx{at6`9sL^`fe6*+mPK9(bV}E2>
za~+ZrQ!k<qOLf(L+8nP)1j$G6AO0?Qqj6HCA#;{Jr+l>}0OnNQ>j|~?@3!mX3Exkt
z;y>@#Z6s;<L>zIzdPXMO&kyQPTKnE=bY!VDSd1hF!vA3q$Gl`3^Lm7PD{w7iqsh2(
zCEg%Yjkym*5i{=Dt~tag4<4E=vzT?2S|(h*Kbu>l<8TW#Bh2(exh#2uR@kk21nzBe
zAdgK9Sk)<Gn7tOKFp0F?+RbXfaQJU_KGM0Pt^it&aBF4CM4kf)8#nLd(RrV{0?K9r
zawX&Kbb>v*{rc=q{|oOrkVnw%mxGoH^Td1E!s$tN1^l(UQ677bE6yFUwXTk8Qbzv@
zzM(lGEJdm?RM?NRIFEb;sm0i6V^^)dzWSSyr|&s8cviX2q1oALII``1w%3SBoM9U8
z9<L#wT0gix-b;v`AtOnSbQwhV^5N>R0-K~K4^8@MeY-SAtyU*xVYMs1MLcqT)+ek!
z*b{kvamxdZH`#*E?>tn;MTMkm-C}KXukBI_mhPs&lcjS(P5s@<ai8j#EPVw#N8YV<
z>zR77C}`|hNhMWoG*XRe^cSatH(Er+v^x{UTgI<_^tw5HCT&~X9o=X<4Kg|Dec`!$
z4*$CMmm$PQWwYY6o;ptugdk`|xst<20Vp+U?Kz_?Y@CO`0^RE%EK$cz=zPadcdXhE
ztgu$25R=xvxt&M3rbH$3RWukBwvZ5rv%<G2)C}A*O}zz_t_eJ{g+G6UdJrBv;&x$t
zx{Ve+TU=sKRj~~l>#?8AncqKWfZ_8GU~7-~6cf%>%!w*MIh(Bc47HR7eGNxD5%+zv
zJEbHGg<M9Ioc&41dVyQPv3i;5zK5lo1=hg}Rm<gke=mr$><!fN*)aW{^`u@!!jlae
z0o)oP&p3BbEf@+k7(5(v*J#=)<h7-gZ@fZ$?wpA^H8~S2H?BOC>MVVRVxkLvP<{;5
zi0N=6to4AFp~6~P^)<;IXC7R~qad1@s_KT&a%>lDIE<BOiZBY;fv*9W`m865#QI<}
zOaC>n1$!SJ_n)zVwD^YnNk^!Y*;?HmcfKdwC0VLTru4sH#*7Xn3Dv_{4`M8K%|bp;
zUPX72RunpDue@iLq<?uVlE?c#-jss%=V`1ILg?SAzLR#9Sv0->5n2a)WoQeS8|_#6
zv!*eTMl_SB@P%Y8)u~bu;pwYGJDX@__!8$LWyzyWI#?|^TSy)%fW-4FF1mSV8=#V(
zcpcd?tp<FJ63CniCdDi8BAVs_mEK!1nfhNW&fqUvUS*gr!nv+ww)yZ4y5ze8UpC_z
z<{Bwo8fQ;W_g&Rn_glSXDliB4@tvT!H~gD6J7Ex&gK>y{E&OO-H(32-EVaJ;{DQ1Q
z=!J^R7$_ZMdWu2qtMwjg@tO9&3GGMi7uw>Z&XFb<jq55Ay4rsOZWvyF?)lTaI_Nsk
zRug}<)0w73-GzVWx!uWL)k?YDQP4$$+NyMF{{D@Xj>8vy9ti;Wp%55PJbW$*GML^m
zy*&VN=zS_9V_8;!<hoL0Jo^+gZ@v_ApfRanz{kjbzWC`hX_XzLYB36mc$_cu$|N;u
z<ru%=T&0I<F~L;9i<8`E`nTf}W%{go&eYl^&LgSjXXO@2l8!1TUoW_g6p3NMyt(bN
z`2&X*NrxBZ2PHEg(#H+SB~eyxaSkkiF(!^PWz*Lh-4Hz=mDmFr@QbdSUoMPJqm@j%
zQ5gB-viPG2aM6H*g1o5q=y9!Q8}PK57rXTEu945;vEObf&6e<lC%vs|>G!HA8a{UR
zcEyG-MltqsYn~~XO`Jdv$B5yNvYNsGlj-iC>Zs!!Nl!1!)<IR@QTJrOLKA7UZ^cb*
zTatJVgj_b8<<(&EpmYS#+BXzl)KGc|?8FW92V9)C*r?HVH6<k&vUdD)QEat<^kH#7
zgPn{hL1IhkDC_CO@^#_$O!L_hg>ohsedf^$^$s?#vh-1Ap-E0_vWT9SlfjA4?6r2n
z!};9XYLI`7vdSpT9zQmCiUM)!DP%2(+61pV!c=R3IZ!;{+Js6DpeulW=_3Z7d9LP(
zYO&3G{ZqYAk{)&9EqAR+<lyMmq&r8DwJy-BzbPNY4?h>gA9&#2d@XGNPD<g-R<3}(
zw8QLa9C!AUvy9;3Rw`8^vWza`3=Xj3seeRL9QTqSN*okIb_r2P;Ace-Cv!mgj4G#l
zsQV%Zp8tgPOT3o2%QByNb$EbHG%?&IP<!zjE?4+t(tL=2f%uFzM~D{JmG6F?_iu(8
zL~!;_2N<y!XX_M%(ETD6HU4v<^A~D^`>%C(IA*^~R~tfT(Se!Co{rYy(J#!tYhQiu
z^=tb1QEhWsz2}n7fU$i+k8M4`SX)0M4#-!YvT`ijif=`TmpVzeSxxHliI(3m#P2=C
z|G|aga<OXLHM4>Nt@2PF*P9(95o3hc!-8D?z{tPfWDxLYP5K>W1#T*2ZAot`VFw8$
z)S-U{^QT0b6!>G>W6<JZq`W>pY})}_qua&S)Q&ZBZ5wJ!0TB`;!@kY=blpy${TdM>
zJF}!i*1(mZ+B1n3w?`r6aN4HSVZQPYmEcs#vQR@`4(*8Y1C9x0Mva#T)u5#iQbO<E
zhEi)R{ymV<?v`ux)zf!te7=o(iLXg&CKhw+w7fB?eS!jf%smfM6`gU$XWC&O`>H0;
zd^#qS$Qmi-i@}*x_bpEfaJ8F9w^Cz=*x;7z1km+I3_o8PaBFi*Wq~1cC6=+znRs{(
z6$?uDXyOyD2)2$jBRP{rUPoU!9P8W5uThA7q{82A#OvSv)jWE>t^$Q@`k7oWW1BHt
z6jjCq6mF2sh3iQw`^M~mxmaNUd;7g#$3)BdWL<mqk%zgBjcxD(QfQ^;AK1s5*Do)6
z56{5+kPO|Q$sjK#Ti-$dQ3tR)q!r8?X(IYKsHuy<zU+#x>GOt6H&T=*WTHy-H|T{s
z2A(bGmB41t|5bX|uS}%$;qg9Qi&=lG+P7Qat&KClnsvo}X)3ttj}=uvF4GgmOb|fw
z#~<zi^1=oO675WvrU-`*x!V(l%R>;ad_w0oZSl5;dmw{|S<>sHa77x?+(}>RkDI0Z
zJOBXeI9cD9oD}!1)AsSV_t!SI&Jir3iW6hH{Bz#EB(V3S_30#GPy%6HK`cj{mmfw`
zgB*U=X>@BPEA8)hR>pphE{LaD>O+$&Nm~czbPIfm^`B=Zo7si{I%ci+{RYF~eQV>V
zuyOM^sOiNwJEY0W2cufKIcvJYF=E^`y(6ocUT}DWEIxE;J^%wX<94O)(^`V)>{2CS
zDlwp}VNKGnFux|4Z^UvXlX_d3sD2YmlpN-t=6b4PK-~w`z{Fm3=u}g&$Aj)VKh#3-
zMlx&kWeK0Vy@FLp<lcVd38wn4?0YVBSFly+wx~hwgwYF~Sy3)qv)yp_f0g)2gA|6*
zAa~QT9x1qjZF4As@dJXhwtEOqaUOo}UGTX>ufo;O5!#M})@s~p?S9Bo#|#V4at_y9
zm>Dx}6$G{neNz5?y~k4|Qo5K!aSVmzET640__h^qFjVpFfsxB(N%s~v?x^_iPgWb!
zCIkaC@x})li9R8t(42(Ppf-POBN!ifMomYh>13QPsDqC6i8adiP8QkQ#~&egnF)V}
z9&w*2wCT?<T<s`JpMlJ6)&=&WcIHxAFvf&#W<xhBi1e^=ftU=Q{e8aZpY;HD>EK(c
zwUpMaa+;u=be7f?5bL{EVL;B&E`_Y@wSXw{4jJOD!4kTTDBYs!N?Qn=ZuBrh-)BQ~
z=6ncxJfhbg94JL;Gwg_83&4h-Hu#y6!FH+COO)sfq{$cfFPEUEliIrEo0tW6j98I>
zOC8v5D6eXPhp*Na@QzBV8A3^u(8|2vMcU^(w};+-WYn4UFF*bHGj_*0a-jbD<a2Yh
zG*k-r>)^@T)akCv4A}TUEr&bm`mxAg<vomoRX>1gB^z%L*FfRANFz)+tKrLd72%|>
zb{Y7w0{0~6Zk7hogdYL+zx?;Yx+3;Byt@(+l8L;2+_qF5Cv(I&>|SqJe-V@2tWHm^
zrCplaut%~#(1pDL9n808cc9oSb`J4?oj=Q?WfDs<xF^q+bT(V8-;aW-j?_H*ld9ny
zS5n4C+C;N>p9>XF*WT{F-Q9qb0h3-%^}lfKGg5ciMk90wrm(8DWWVWI(paCRlR%E>
zr(kY?2)$(BZ%yGxTC&+pB=Io``*=cU^tP}Eg5T(+$<^zkR<^EVwI?ukq{9_#S=0z6
znAUXV-XVK?&^zK<;eGu*+$#HlG100)zpyjLvEx%iV*@52+BjxN+z@b&R+%tv(nu@L
zD3W(8{ID=_rcdL%gn%UB{+zGLPdeT4wn2RS_TeFb($8?=qe6<%7&lZQj0ev82HlFc
zFEEGZ>`_mO0ec7Ydrc;WuPQnb?AE(u_D>i;yjG;9Iq2(o{(&kB-OSkgq6MZY__Fg2
z($HcMYorM~C-mQaBM<hleaEMwGiD3qv4decDE0JWXGNdK^Mk2s183!zl9p7vV>qZ$
z<EV?A5j_vTakhW4iEnH~5_o^~@w{l-J}mG(`M1KMZSD1_;C!Fz)8$7-+C>;b`aeM3
zeHSIMCLwk`hfRw1UJj?``?lZqia*MAQxvIMaw7vPMkpqF#3=p-ZZ?FA&!{U9?y{u(
z>8j}RGnAKUyC30SJjgst+e_e20<pvT@@7uyqskjLwq8B*%<0E*cIH;O1&f;Q5!2a&
z6Qw)AN>1DIethOgB3j`XEMgE03+xW$aZE%XW<e5l1qA5{(+QhF6761LP0lWC9(?V~
z=*E+OTs=6H)v-1&*AtDTdDePoMy@43BMbYp=V9aTQxLXLO7f{9v_VoJO#jKSNGU(>
zh6ZEllcZ16G7j$=pFQ-+5c~0|>gKq1QwMEf3Xxj4YkY7^9K{W`Nw=R*zQ0?q9Z&m3
z`%>n*>8GBM#m*<bF^Z3ov5KHnYu5-6?Qd*%@X|{Te<>^2B5JmMdOdBY%ztS_?YYd>
z<TJ6vPfd;QcUXcICO{WxlL}O)u!O;_owPu=>sY6VmEZ)!CFh!w#pXp1$@bDne~&I&
z!!BSiOolxGE#7OX<MTyxeq6O>cfVz_{Tpgc4Js#OsO40e>R(MG+O_h24fc22FKfx<
zTfFqY?%iX_VEfalf-vOUJqc##;u{P$Z-cjr_%Wl(o5Om`4d?-yp2l_xFCm;C&~7lr
znCj_0)V*VBuYJ5p#vfcK93Y@wAKkcmcEo8)jMIEs3uBJM2SatNK@R~rrNN_0u8mgs
zlL^85!S`rVPsp?Es_km)PZ&IPc>^+d$_u<tdPLQlZ36!}mpybj<#dG^GgTGQUo1+h
zPoD30(qX}8z2JIDyAWq(g_}j?r9I{0P7v<Hq8T00;NU;-(OzYyO@82&q&O3t`9$oA
zK((LDedc#RmH(_dU-W@KXceY{TuEWUwh1M7uS-Fi70h@Bm~FE;N;=xKu1MOVBrPoF
z=fA0#$VEKDdMAi;t_>D1SMu&ucbYxKGdOt$rYKZb&T90v|1>(4T}AgI8c%k3nKgFK
zTJ1mz+w%qQG^%cgUH2jr)}i7Tz6M}>WQf?czSp?e*szAmf{~-rsYb@4L`Oj4DjnqU
z{wK}3bBa}Lpu$&mpU1J`$m(foqh$GxxzIuWSkqUDlH6e_Fyl;sfdWiUrgch${*iVs
zmD2a`h>&)Zfr!)hDTp`we>_mo53`40R-HRu$Me*<oauTs9*U3Ens?AiKK~`?&z+o8
zM%p5mHMtrvvLogflUdnoM)I^J@<k8R@&u9`K1AP7(MU@7d<ek{h5GgnWcuqAcj}hN
z3o^z#f`mg-n8Dsf#O3K|is?*J3KnZ5yp;!2-(b|hN353cs~XH_<cS!bO@JwZr^_Yh
z6+(4RC0g{K=l91;RGZb#@Mp8Hn)aCmBtwbM^}kmalm=5SC=kMOy3wb5QsSx=nx2|Z
zi(yPPr<1~fgQM`?zXdZ?k%&L{LFod|3%PKD2ek2lvNo}`VqQ*MW+t@l!ou~@L-)7V
zpINy<_W_jx`KMvFdw;U(sm>I6!V7XL0p@CRbsGSAeA2Km^C6^QbEcqrduf?1%^8tW
zjh2PfT0X&0;D#Xi%QL*;)8#YTmvs)W`iorlr6An3q6?T9Kia(>iK&;K7!7`Q$-_x#
z$&=r1$udk|&9qsxQyWvyQ!=F!?-`f2_+t3>I6gBZsX<ypKw~!yp>@-GD2%^K6th-Z
z2{&`CcsTm;If<(Q(2G{uE}kmhqdP2@I-D4VpYg}{rD=>ICQ?GS^AQmT<%$mfy|^^e
zDr%{9gPzHSzR5Y7hv6<R4rw>ic?x{&u(uTL7WtCZge?c~jzg5*K%V{)3!)v!c2i%h
z>uRTh4tHP_H=Wn4k#-aO#QD3;@>67So08Op)8g&Z=U%-Q?>~fRYa%>f#j_E2weCMx
zN2=?r<yBs|bvd+$T;&thZj}_*K|#i|ZIc8QFsC{WzTXKf9d9rW%rhzib^E6RGH<15
zN({ZB2P=|RFi*?Xc0-?nle&^dDjm=zOeADdwJk#I#R{bn^%a$>K@DgmtUSbsHE-e`
zpi+WbXvd31WU<0@w0mPIo3Ra|YD8KueA|wth-c8ON~k4T+5E@+exaRGquMU4Hj9nz
z)SB<Ksju<5dXQd%F-xOhN$$kItc{{b^69tJ26okp5Q1TlvbQu?cwg-C=Q#<JkKdj+
zKS110A0BM;B5Osa#l{mZ+)_^jc(9z?naYFis!R96c|<0MAx$C!QBtXQY9B9-3{}@C
zGkc{t=%rEI32ID6wlH03CyFfDNy9-!xc8m{W9mv%&+&Z&omGSuKaf<;ad4#JUmI}a
zx%Fo4!=%KYdcGFcPdTofff<(cXG@Pd0Nrglc!?K}D_N5s+LCxkff{S{tm)!xm2-=h
z8VgQW43CT3TJA`N$Ubww=b|NRDJM2u8U<(juE;>&4HuL9S=#I+G-EDh&JA8#(5g}}
zVTGA&jY@S~?baJVRjIuazLlJ6?o9W98%;9K_#N`MM`*q0?#x#BhecK$i_61437#91
zg^NW3pL_*|q}Go16|Q0!L<1R4H&8>%MP<@$Tj8u>UbZGQB>`z)y~$#4TxFvC@m~Ln
z@krd!s#>Q%u?LFdBS(ogJeO>iqf2Z^`O5-WXBm6L8~ImxDd=rVe)Z3a`TgOG-HJe5
z2-s`V1{%IWKCi0jqjWlA^+e|aj)>?w(u5^6b@Fckarp4~f_SV?(#{3a8kRG?8`*W$
zSZgLEgViO~R#@_s!;Ya5+K>?sTWl3&vz?x}-k`CWgLW&)3q{u-{Sf~O#OnbAx8J$-
zgok!NoRI~-xI@@9!RiKNi)#9KEi+QmW+Xjw8OPQ$f}=FB`I!EVZeVwxve}j*P$JZ~
zsp1AR@uqz7Uh^Vz+Ip04GKm~KC*!}YtO8HV{PnJ3I~Xj3is`KT@AOZu60-wukB9JD
zwNGa_<nql!-eZ~0!cN)h+iQ1rB2Hmf>(dTihX<dHE>@B`dvv}_Pt|)xn)JM};AZ<=
z7&UrVJ6FG<BluVO*H?)sO&19TC;!1+QY5#c(5?R{`4!1gJmKYcj>}}wVm0DnN_wt(
zBU|Lf>sLz#g9V$6yf%de>oBA&_H>R(@#9chF30bS5|Z{ng-3|nhh^QexW`CxLNxRL
zWdQ`93OgV;Onv3+|69%mLLpwaE<B5fp1E8f+zAes)(=#~0hPHl0V=xBAX;02Rz3;O
z_E_3eV16e(eHWUL@glzI6s41Oucyhdw-zOL9Cd(tRrPlD^L184D>d3BHM7Q~c{x9L
zWnz*fWFQgCS#t5qQtLL!5m;JtNbSp*1+)xooy=d?7|$nGxHb-HKto!-qfBBMpvy(r
zV}5`}c-kr43v^B6L^{=LhpMLjHOZJ(DXZA2h#9UT<s%ON>hs&?eRaQy9V+^gxM>Jf
z^nFoG!_iH<)~jVa-Aw^*sCYXna4mr9&D;A<1*8Sn_^!nf;@-XMj0)W{#27PPGGr&b
zz9P>y5i@43#=mR12iOo_yjN}_O)ogQaI9z*n}i<+EQH)u$oaa~a|auFp3v0u`i7T0
z=vd%HlYhy80!iStMVcLbT^rKQ?_xH@j9eC-7tX&~WA=X2i-z^Lk8E62mA)O4)`^mQ
z!wW-{<(8t=?KI%{uOl(FJTO%A5;&iaGe5yb=xs2aB*{^3Z6nydW(MVMQyPJZsidha
z<JL$mJ5SLntSC+Ji%Rgo8Tfu!irQJZEqM%45_aG5+O|zGtr?Ndt`tS2>Pvq-$g|;R
zgiVBBzUIYSGX$ydZlp>Tce*$9SW~}(1_<7?40C;gi(PQ)w@1$^Ytod&?HxEf-YlD9
zz2lO23yi<{vPS-e8z~-yyk$K4rg7>|C`8+4{Fo@#`m(X~cC*@s(^^fN6O|5sg$F9>
zI7{+O`%5%9A3W9iqUKv9{wzfEGe#dCgWk|VW_gtAhxa<!pdPD!v8z`g5Oy<|Ntb}K
zvW>qiB^Fg~roX+!&J|oEjRC`54&47FtQ#}lEPSKmU?5B{djoaA+~YMN>USgMew*ST
zLjqd+_<myhSdAcldd7H0mqn5@(0Fz)8y6<TpwKbE<`6C9>?A9Az~{SKBaxeu1yGtQ
z)c*F#g*DZ)D#wvp`Y=2~rm3TviJE4YxRaM2UKY0YNt50HHFS0LF$)BrF`k)rk`@ab
zi@Ba+q{o}4E#<hYgXc#qd4HHjEUW+2>ZfIx6zZ$hPl@9{8TL>~2x7TzeCgZPEC0&n
zKkg6A66W0P;B#@+>1h|vTk{az8*p92AQPXB$Pp-I4sW6Qxo+?x;$SiYg`%2|y_vLz
zcuiG?)>Rk04Vh{`J`N;mvzLevKJWg%&8Z~(sb}`tS=Es4&DpdgV9DRlj4*h~OrVL=
z7DsZN4^<B}3t#+wW<4N*s$_z}i7k(?N@nGkE#H2sdo>B1nQyc3LTp^A=Tlo84nQ^*
zINmOzVQuqP*lqH(st*JT(Vy;ZC{*pBLSNdOEf{8gadR5>EZU<<DD@sWv0ga<-jqx8
z`FdpY;}L&e`4<L+$!5Bvl8QxlgOh`9!!=|8SbBq2Gv_fgQ9To?L*Pl~%rz34fb+;Z
zWVz?AEPpJRrfy=$)4G%}z?H5q97045-2fnuq<$UY#gC58&zIgErl-0y4=coP6sAOK
zj?l6Pz8$YR)kNKzvziC=B@oJX|3J-rNv=%3PZJy}$vM3I%iXK-)<fNO30b$8(V)Q;
zMq->}X1Wy%)}1*{J#oS_K(K33XL>X`HtUMi^nFi3Mjd;qEn3gXPv51UftHhz#h-pC
z{db{ut@ri!iEtVWB-JFEBVwpA>^WpJ1nf<2>YEd`28Nv=AZj~V1+7QX2;e!0)ipzk
z^ndl528l=Q0`mWYY$=0*6Be#j2Q}idh5CMwQ{YX*R^E0@UuH&Ab<(`48f%t)?zNHE
z9~c?EskJVY_C%1%!3FMndCR)JnMH1ZgaJT2zRpUNcw$gaBJwdh)tNQpfhVuL#L2#u
z^YKQ;BOfu$))1%n>uH*ZRkO|ya5@zFHy>i6Q%MSKQm7gI6|@<?ImBG4`b`h>*_J=Y
zNPLp@!r2b4tPHP|SaLWE2_VJ&{+Rp^gTwZ&OUC0`gF4n&5UCrd&+7U;O(rw5|DLGC
zE8wpeI|zIc^bhoGU3s2;0rxbkS#G;<_m5Bw6rRWcXXMYXgegJ~?8>;Wekk|`97srg
z!sqi_z{_jS&yk@Q1z|Xw%d0!i1_jj4*EGDx=we&hBaDkKT6!-fs?}U)j}z`WzwrJt
zhknv9wkZ(BaI5-$%hYw%{LU1`tM%qe9rHuefHBh0ysl#VgV#mLJ<pHw0gj~3rB>wF
z{Q_q_7rEZ@h>q@l^^|in^@gVU=wyZ0n!^!FPTaP+n~92=wpJTNB_kzQ?3iul9WTC|
zx%^$Zo*>oF2jBekGhC4oNTnAwn8Z2f$$xPVflq#rn{x}b_z~{8WWuTUO~Xy)w3p$k
z`tjF+XMv>U)E*b0!LU}^1`mVI*&}~tFV2p#6OI*cI-j}gnex-vN=+YlTacTO-C+ap
ziBYoM!N~L)Z0?X3vQ_#fea6nG<0|3PbIIrU`}O*&tWOYJb}QG-OsYaPlHF<LC4sSy
z$?GV8%tqms(20)C>;UCj!K?3So0i^L(?tNI{UwE%kcnRRXTpZN^$B<0k#_qf8_Vtx
zRTUU^+oSWi|MMh8b7ien0$_cR><<PD*~iGYbgMfP`m})AD<_O=A8GxtRm|<9M?vjv
z(2GmSm$XHfk68^e^HjEro=R|zTBti&L&6BLAA}q7bDrnud`d2`;a7W6FUT-WD@qq^
zG`oAtm@wiyCRu8q8{m1vCF^RmaHZJCDU0=4V{4f{`#<q)Wun9Lsw|^P2+J)br>R$O
zvX$`XewWt9pKq!e#?)DqbhfJM>V1on6Vj8J>@kHqOS+N{a;Hde(yns8ZI^r$w;Wy2
z&8~hvql%=P;%zbE^T_cpdpDW8ABqnn3m=dmpVu*5BPXh`DiG~y#~ooELoMWH9vEDb
zABy(+4eBSr4FS9fktPRnJuQZ=+M8dwg34K7rb!k4mH&UNn8@L{)`xe=(&Z&@%%}x{
zM+ESmv6{HW!HDvbpF7^h=VYKjwS+fd+<0%fb36hRV0S3YIGI1jZf_o>CI61=ulvm^
zVCKso8~&-m5`WfcS<Jy8ca5sK=JPJ9iGi#i4Y0QGVLwo&<9?`O^+KhscuHF$y@7cv
zV`P4h70YCQYYzCUk;O-QJMlEykYV@kx+?-A{@f|Dhh>YU{U!ig&$fxwgryCbPW|nq
zC&E$pE7G84B?+MgCg&!zNozJ18a$J%DT)4?(0R+wS(m1o-pIB&6SW1W^yTRO?_<ol
zfFn#~&f>=i29>FIuTsz%&u@tsR^jRs=B5|tuMTs^WxXEeKVmNSWVog|?mehl_`R3T
zgp%B`o_7B1Rvb;jU|6BT`Ug+u+K7y}&Vd^jy;=z#u>{RqrtiCHFC{VsoQ!Na5o6Mm
zdJ;RQdn;HTqwIjlU~Nv3`de6df#5w)IeuV5?{L+#y7Jl09?L*POPlzjhV#~-8Za`j
znwmYRwbc&OmTc%H1;jh2L9-YgtMTq<e78F4HdF#M!SH#xJzUis+k6Wi?l3}a)C7zm
zxcuGeF=1u{$*prPnW8W=dq^F-q~JB55r=wX?YG8|T2W8?aAsQ7d^H>eKDw-aME4jm
zn)K{D=!1WF+@Y9yX}3tll_IX$4Yvwyf^6@T9_wE8=lH*6k;QxEWZ@>!XCYzir-#&g
z45p-G{!-IBP8}5ZXtP{hVeMA5-Ndye?BcYi6`M)s-wa8${Jz=C(XGyu1j{=P0~~|x
z<&n(XWi(7yQ(}>(G<;i-sD940lu!3&q6~jQb7fC1l(NV8z@tU<Nl_g2dcoQAg$I|z
zSig^3&8spP&?m*SCuLjTg4PoaIwIU_(uCy<Q^LK)y5XC%qM~B6JVnQ~O-nuhC4g*a
z{e3^En?z=0oz-gIn7oS!fGLuhS1u!a2Qszg+SFTYN6tMTmRT!0SA6g_%2ah0eKFw-
z$^2SIPBh)N!O&8xtQxr6w=-%LHzE94Te@Z#S&e_H6rqa)_AK_Bc9bP}^!eCC8Z49H
z?I~IvZ?tY%gVb$`?E)MmHo)JD?Ru*=P>eZUCn_^LwO<PT)D~YFk0c-5m<+Tgf2-~~
zXjWG1;0O(na9GD!S!3_F)|`_Kw`6r+M)Zc(+kqBMwc>zY9*2?=e8Go~?SuFuPV6X$
zmMXX7Os;DH;dQGx^yTJ_CDXhl<5`(SXHM76KrEn1goVAYVM~R<wY%pG{=Xig>A(y3
z7oilhy0rUkuBy@u(dWZ7qK4)cmo@hYY8ySH198?gannm`Z6%lWh2I#)h(wrMi5x1R
z%SQK@AVBjPBJgVn9lRwcWtev9{YB*&OxVzH&jJ~eyVK8O%49}LP>5c~vOl_vRC1`$
z!N=T(DbbH-1FFQe?#QAM@Z{Lc88@{HU5`IoI(E9@x@~Jw`IJh9z&clbSmjc_bK;5k
zB~^}8n*gMEp)t6GreF|NJ3l@nmS(NZ1By;FSg+^>PoTwDzn_$LzitP!!5WH!gl-yQ
zvh6?*9$|Mn0JO~&BPQ;6cdtA3OD!=Tu^Vlb8-fV1_IcB4($-5M;6mzw`;UpP=FkJ%
z9o_JSK_rvj!^!V%iC==`*jqo-KDJO@Je%U<x#D5T5Y+I4Nj9mT$)~W{g)~&9OB^Kc
zAtk<iNT3Xh{Lf;Pr=VHxgwFq_<AADe&v_im6S8a+4G!QH%LNo@A>I%dr+s)LzK@#F
zsO_4*awsWl7j)H%yeY~rw8$uZ$R>Slp)}9ff#g#m#LU8M`di}GXU2oVa}GO$s{EbW
zXtwx!#+P5}sdG!TZhNUB<AVdIHOZeKY}awUTj8x=X_V{JoVnqmfDn(k8jx>?p1CkM
z+Hw35$<A3VWV0m{?9#R1gVLWu*+p8BdCH?~P>3IXI}ZRol5VzH(DG#!<^(t~_n<Z<
zBn9SXkvU&CTm}z#{VUuIFA+$6o`P-Dx9yTr(kOnopQo$hJLrv2SgX4g<-y`LzT>``
zmyD*VLt65m4&o0$<3?`>@595VaTR=(VI3AqzQAOlutT*Z(8ihooes1OxBjPS#gCh1
zy>6^tHT6psy;#r}ccRNTBv522JKU_ZH9WHyN*zh4KA4zc!2%8Yy8-g(2N%K3g?~U3
zF>5Hl4%!cK12Q6A&NO$fwtNX@+iH3y0NJ%{n5z9{#^LjLUWdiY3Afs*ncA2G4F9T?
z<|%D@>Vgb@fJU&wY85awG8fsYh3s5#Cv?rP%^s3tyQE5QQg~TI{@3qk#?uBFzoTn5
zS1zZ3QzXESj-E|(&%O=#S51BFnOF#<JQLoUV^9p}c*D9gWC5aj<6c>7bXB8vJQ9Ww
zH)8vv3f<2_+nt)Kjt?Tr3%`W6k5i3_;J$b)ZxZ!0HH0rd@^2h?f-}qHMEy7;9gAo?
zb0$0rQo^Car@2CMP!Lu~h*n??6et>87y~K@4tOh)QaTf`FN+ZAQ3|ztZApM@39xmW
z+9U=$1xTg#q;3VPr>g7bB2U-|i*3a><i)GhyxA&8Hcl3m94bdT^@Q0nUW{21dtaKH
zT`hUWle3ZT&bL3&8r0rdu+*j;xT^BkhGoZ0-GQfk>i#2Z3vMfOr_}MX<@9*jOrfa%
z_S$7dr;ZNO-{q^Zev4APoEn#UQ;hYxpTp|c1e&C04+f~q(-7>B_5bV8>M?iFzzF>l
zR*%N4s}?tqS1T9Gm9O=2dWYI>y}ebN6%0~HDUFN!biL{l&S1QSc=K-N+oJkk3L&}s
zaT+>HW3~2jLBJ))Ml3IF6v{EM+KwwitgWkT1N*@@v@-OMGcYopU2xMH4D8Sw@ukXI
zYm`0znWubbCIqv_7L2m})CBnfAaCw}7~zlLAjUl_uy11BoVOg{AN4U$YY>+RNq>#N
z|5H=5`242Tret61x3i|v>3xAmH$|Y`xrDnt%e@q!ujVQ%PbBRK{~nZHfYB3)AEynq
z&x%5C`^pP!qWH8?Qr3+Asmx{`N);X$!JwE+Z6#~HFT#+PnDSawi#(Hxc;b`k4%mHC
z-cQcc5uArL>w9sMu@^Es<)oGa+fj2mgi>_Ooir0(mGFOA_;JmZwLH!CHPN*pcf=~t
zYZT$&8Vz*{EaG(=ax?H;8T=Koe}8piH_AkdqmifH{+NxA`$F~OS@4q=m)O&j8y_p(
z6W?o=CZ7LI;il#K0I2=@xc1oo_xu^QmnrS<zULmyjtTbKq*KZBVL#;*n~#Esc2s@J
z6?O5|oL~06yB-#%khG;f(>kR(wqxrsmG)g^<n2=Nv$%L_@Wf<3oXU8P*El7aG>lml
z*lNUm1BvZgF5T`X=~=2iNr{`_6%oaVE+r7uhReN7^DP8mpIho3NUyH^9swE`;)`vE
zQTkR*h)LA;0l`@ks@=LFVMiNFjCj9Q9MSoI;(Ag-Z6Lq$nelr6gR8xq4aP^w?rR{o
z?NA6Y+}<}PN4(q9OEesgo*RW&w$2yvd*F|H6-BUS7LzDaK;AsON+KGJQ8Wr4OvmQ!
zgslY>Px|3S^L;c`wwqKMa`9)YD-inn7;8I&O8yY28Pp2p!r=sI2|_v4!c!|pHTk7>
zh<uJqEq}{TxBOY&FDi$AfcjRlqH0Z(37Gf1*LT9(k_0b)r*?Yq61g$;`EK*^jw%G~
zJm|sA>c@lG6Q}4qO22l@zfL##FDds99X3sp`OTkW*Vc&L4<!`))j3|A`IAmA73`Pj
zDqqL&*jDx=oody5`PM8Ov~M?seI#Wy>wV;NK~L!z0@_wMD|l_DYL(FEE|i=VsJ|+S
z;*{j{Wir0vqNkW!Vbf<PxBE<5gx~13rfZ1ie+^|bu5{GbQF2<!%%!zt)#@TFeB;_6
ziHp%LgD^<%u~yb;%T)2;9BwCYDRwF7R1-HPoVoj*c{4Eacfr{od6?b)16A+1G-&XH
zdi4{EDjQh;un}}itETwo-H5u>wGVM2A(3A3+s5&Szj}em*|v9&xnH8Pp0+w?svcNu
z9S;5Ye`u|~p_*}_ra|g*5Fq&|P_ZYQalt+_@~=1D1EBE>)JJFzwE?Gl-v~gAI?Qc9
z_n;yTMpKzW!0@D>-2UIyUxAY2=h(<4G{4g7G~g}HH0d|l%q6L55K8<BCeEOt#&*QE
z`8W3Gv#0}(nIBvAXw%!%2>Z$%OwNR1-VBI`*~3ixGcj~O&a6IVRr0MYPK8Nyf^F%?
z;6Vn!bm29hkxpyLO{1}vfv{*|;YLV`MyjY`huv|<mONk2;Wsq0zQY=1U!8=?pR@Jc
zKh%HijMVi^ILahXl}i9>#C{F*3wkGf5AEPc(*-ZOkLfO&e3m;2sN+0s)B-HhbVVy(
zvE5n^>y^>xyNO?S8ZITw;+Pfgi1tn;-k!bVD_wqQ>-oUyj?YiHh~$doe!300&8DWA
zR3_g&DOJ-9!K+)S)QjAHZq(GNwW5|En;lF`8=i7#X&o$J$&zXkR<-!;6X>VH^nvpv
z=3C%JoLCLD>$@C1#Be&v;AIrL$UM^)j<3Is%Waw8Z${hv`F~OhS77V?UQ?s<w?$OV
zj1YKcW<=Vb3hx%=!=<#1cr~2WQ5(QNi-SzuD%5qRp8#H6Eg_9Uo<qhG?f$fdtz<5I
zIV-zPae~a46#VfHYQ+|N1bJ68zu!<FT`nU>k>L^M4_>#utB(g2$u?I`=;E^8nREM5
zO5GKJPsJBvXyqnr;Z;D6y{wG09?^-CVLGI8x^z+$cSQ|r-%7}R=v27Dysmb1!ZXJs
z4kMs{m%^~#%Lm4baUeYR;n48?Q$LR8o4v(92bMsd{HJfnBN8pfuLkqhN@imrVcARL
zXJfwbbLwAyB^1U`?C>FEwD$VsjZsMK{4%esmcTzodl5LSyCmT%Z1`nGwR(~6#(1Pt
z8tqjUgDTA9ezsE4S+Vz;!nd~zn8~J#BP0@AMHWm+$!GB;IfVP3$k%n2-*HCO4^Mw#
z4SfD~L6EvUzRcwf9m)C9drUWaD`Hc{BLNC<FH_@hH!mZO7Q)^|q^=Gh6&08X>z6g<
zae+45Qc3H|z1;Uo!q4UeN(Bp}PNG}9H(%KJY;dTaDxtl=VWbek$z~N@S4pCDYRIzS
z%oV;}N00ClbpO9%?_Ke$C0+L;vKV1HQN43a3p$jD@6=q@4!)V%+_v8%=}ujP%g|uO
zBe3IV*>^7c0}an+IZ*qNn(*><{gw>rl~c+lTNRkF6BqUKYZQ-@J_^@YF;P)eFP8q6
zM?wIvpFObgmW_Tm_QALT@l9arqE?vEvPqpZ)1PV)P~_8SL1%yCKwZtE647A)R}mJy
z-ifSrHL1w~jiP71p4C%MP{E0#{7Ui9eAj=WQGlK%*DXN7Zbt$<JUb}kZsQOB5Xsvh
zdM)E#=3pf4!{=WzUN0#r-h4(c&i3b41+EY7>7rtsvCAZtU~Bx+Xj)3*$?|bQ`n!Xb
z@Dy5l_J)%2TCeiGOW<K-b9JgI#PACs$aKC4e9xTM%-5@C&5J(!OlpFFH@@`i{P9A9
zqBv`=XL@6P;fPG4#$hvP{vkJa4lnLNzvExe;JEZ;IKFhgj+^E{w&2(k(m{vzDmYp$
z`P26gNmdM)b?GRpXS~?%9qQ7J>fY`G(iyfgwhJyMu(uE0Fyw9AXpIcT&fQ77`1{;;
zB4RBFil7kiXD{ym;4S-K_7-@`xXRZ^LD}{3LALCL{j^VICQPSssy}f3hW>YhI-$Dq
zx$sK!xAV<XmwG~zJq{{H>o#qZ-5QEsm@nl%9Ah7b^8v#|%io}8SksgGihf_`5fx*p
zX2^MJ%48|5lWEjE+E)|2y>%rweQ_u$RWW7p!*rOecY^s{*Up-35WGE;m$4vm%Y{fw
zNhPLGAkr?HsZ5c@-6>psR(}&fGuh(021LY{556WWn1)Jj7MSW@xk#pxQj2SpSmE97
z(Z1;KY|K~6KdF=72l@*PvYFSJqqJ7NBDMhAR>B%!!Sbm}Pf()5bIUl<R4by2q!T(8
zqx9lU7VGuQklmPHB@h5#VfRi?B~!z=PPcD|FTrcqcvz?Kqy8Tl!?;dW*pFUfLPdqw
zYU6rn;7$fWC1abDQD}Jk|1s9y7hBnmX6l)Sp`+nriP%;=CI2wUj^aMkP6pVt`?A3-
zxs?cijDV`tRL<SCfC8;r$@m-h(Jh54VvV2L1f8{=$RoTE(4}1c{}VFm3ql42s7{2p
zRGw1U3-*@-r+;Mq*qr9#8K8EnYN)n%YiF^p4G{e4>7@970T<SR)6N7F=;6OWs-suE
zV~SF7Uf@g_;rfn$ujSrjr5k}Y_GV8jIx{vn@&OANTk}aG3XXf#&3qbX_`TNrD_?Dg
za<cXvZtN0_GY44WkR*GcR4RFpwq!~pPC8(bv5ikR9{c7V3kT}<X;z5)6KA9vU!HaM
z?j0HIbV2q8N&jRN1VJ4UcR-}*MZ+VDWm#C(q8qFFI94oWSYawuI;p6h|F~k&H8)W;
zxI+{+uDP$p$QNeO@${-7-5vMN{2QHLb)T%Kow(1#e<jc$`xWT4W`zVQBsiS?5lPW>
zHC)Vt+hWJs{zQfOgj8hHsy4!BencYF$mFW4FkCwxp#R!^#5p%H;W@C|Nt0DX1+6GP
ziiycS`0>eI{+{IDDkdvk&D{Hue_NvBA1Ne%JfLo2pvFak&XAkYGQ6Uy(I)HYw;lo9
zwwFn`!hf{%>7$#62UR?7S!~3rhDHu0;+?OSFn$|5YoqsdgyU14s7+jR8}iWqnd(?z
z=f`h{pdl67Z%>NIZH=hok+piXP3W7}jluE;!;J0EQ}tMgTYY|<du-gguUgT@OvS2$
z;U~=d1TCEaaHFxWXsQ-uc8D2TQLxnl2MMY>cYa#<;J?d<*2GHCsCD^ah#R#3DbSzB
z_mPjjCvf%z6ispEl{YpNHoZEp+NDV?(h5`fViZ+W$<F2#Trmt%P+zKfFzUj8X!lPx
z5#`PgGkS1+k&+k$@O{<kWWnia6`NSFntNVuh>f~+G@xcQ-_OKs*wP3jU<&#28Yiz`
zTPl4f>#!-4T}v3FVk(W}B7H<zR!Ey<r{s)hQSeIu8GV$d%={zROB-#!Q~l=Ryuoz`
zS9xHn_i`*WZg*f}Y+a-<N-7idGg+qP`kL&FQJt+>&1W;#u2u}1rK1cxK|5e{cGT|9
z5WbGCSpIGzS_}@yVrQ&yhbeysK6-ZzP+8&#DzD)Y)I3CFs<QBzdFPyPR6R&mdcn%u
zLfE_mn_z6Wd4SsOG^(S{NCeHeO11#PS>*mtoNyO$zo)PW%USc@9o?VvavQk;$j3+~
z#3n~j<DopaC{vJt6}<i(h`;RQs>ahAZH(;TdBwznx*)N;oBKf6-R!xzv;?V~>|BCr
z!z~3RbW7AE8Tm;SZ(!K<VXyO-;%}PQy80umQ$6E*;k{)bSx3CdnX<AX8%lgOX7Y0H
zvA7nqRhEKbFFyv>NTfuZh#5YzA<nr=YYQz||H?L{$YA)zq1tV;p>LX)^4NND!AlA+
zeJ+bj0hvk-xbm#^`X_W4AqYe=8ghfj=jX$^D++%OcuDw>_E_5MkCZWx=C>KaBj>l%
z18+ibt1Aly!k>-p%-G%PLbmq%p6z>rRRSWYPJkBaUVpNufOgjZmELYSNoFMTS5CT7
z$^b95Q)e=KACg*9PUImvbV_ZA7Df=(`CP*qVZ;hM2|LwGJ1q!tIn61Ec&762d#mC3
zwFq(P@G%4o%NIO4O`zHc{)mFI!RUX<h^uFR4PMP5dju(+AK8#AE!rMYp$sCn=MRJ3
z?pR>Y3MiwySUrNJy&Ots+V+20fIBdq=w5FV_B=l7ijDgJ4Nflim7Rp1@9I8sW48^q
zZ{1BV;8GrQiO~2%ed+M~s;AYl=LW6Vx$TLz9ov!@hl%zcqI!7pdxj`tC;-_MR(Dvr
z{nuoZVOv9>J7LQ{uYa;KWzq6g_`q6Pd&0XV3><U98(tVC1Z3EQKr>3EqO)aPEFONr
z{4<v{s@LtgJNXSulk{Sgy~le}@^EMJy1K%N?Xc%qG^ooJS@ts!8Nf^%lo?SoQa8o1
zM23O3zy*??`#ZExJliWR<Pl7K-;K7a+36oTQObBQg2K!rY_c&^v!4;`=e+H&))-x!
zE3$&c>F(#Midq{D$7!Xx)xLgr<ZRD+iu`VJZ=E%gn-;)Pnn~S0FZM+6xt4pHxkeyZ
z2x+<&t>@d#pV@#^vO;RpK3SO6AVvK2XU$bc_edBb58f1%FDFeFItX|DP1L9lflpZg
z+xoXmNtLrp$0+5jL5}OKBQlZc(>T2ihV%LG87hOQE@b%NsX^`E7jq33KFW7&1ZgI>
zH=;-x>4xt33kqIw8M{4s5k41Cc>(1d`-ZJC?D+RG1rNMo7#>li>DXS9m`qka7!N%8
zr}2B+?<}ZMWp;sz{*U3V?&oWSf=~N(H5ByRWD0oxMgA=XpIFW|g6$wjXm!sryH7l7
zdZF8N`FOtluh$!jQj|Adga1FW-aDx2sOuJ1L<Lci4$>5)gP}+WN>L;<fq)P?p@Y&9
zfzSn|gb*SEQUxhe5;{_p4hf+brT2~k0YdM5@p<RD@4fTQnaSj@Omgx&XYalCUTZ-`
zxPx<o?3D;@%4s%C;i^?CUP*>C^DAb&<CU6}2re6JPzNII3PHM?Cw*k%D{(+b06HV0
zd!OE1^1LOhld;i;yL+#uv7HN`P(N;lZ_+<W#@bd1PJXnox|!cV_NBOK82Ec)Y?Rf4
zNxSuQ4C&J6mW*PXnLil<2}3-(QEf`hdNdZNQ!{5%N=-_H{l@x(K{!QNVwy_m5XB&a
zv;LN?%Zb<CvhVHbSS<ogd=xyJ`Obx?5Wi*sTZYDG-b3r{HZYC`O85G916_F$u1t7(
z$a|ozfIdOvMx9W0Ngc!MKb}r~>`8OIL3`poK|{~^-ng|cS+F+4=Ljc*ZT4%|Pjn?#
zT&{&z94|-7>`j*(+tIY?$$w^baZOgtEzIO4rjz%cY&9f6)-9>=KAE`KxvEZfuX1ff
z<--E^EGkQ8+@GIdu_dl#svwd`&I-G8819@U)~Azp^BzVf`ur@IctoQ;k?j?A_^yH2
z^1CSJF~;juekP^;?UZ5TPk4OE_WZ#sEn@iWTfw$X3}xQN`<2GoFrrQHHVF^-h&mk!
z%X>0KiXoB(SNu;lHqSSH`JJCK89Mv3^tZ!D_jB)ov`9US68%Ae8|d>tfy7p_ca}~s
zYC2YCs5)Xi&`dzz2?DLynydq2Tr0-ShE%&R*W?oJ3iEt~$%ofn`oR!`btGFt>a%0X
zDxwap3K$WljAlP5oljjc%+dK^tFP6+k|ZdULBC`6+@a+uV>O0326r7@i|T!T)MBmW
zA;NB0zdmkFSa6324r<5PEHnK<MvkadWd^1zV!RCl%<)%_icK=0sd7P8r3o{0gHNDt
zA68~9DOM4Tye%JOGN&W>Zd5>I;~BmS05jtZ>@w(S>n!IJby9C}T}BrhzQ5N3ET1x+
zth+pi92^7~82Qtz+7Z*=G-`0wkdbdZE0QY&R~f<%6adh&B$yd*;X!-TSMa3wElj;%
zh*03p&!!$(Q>nW91_4mIl+p~1SVJ}+*NTuP45a|>cLS<%sv(fLOx7zI{^nFtUln-9
zKJ)7A;xKfa&f;y^f-d^-XkSY4Y}R|tbmnoL7r714`kQ(~#A0uC|9bFYy7!sa2&$>!
z)x_EOneXm^s!U%s_D*tt=@fmMw@A<l=sze@>qSpr7^zmcxd83ce3jb;65J*=v2sCJ
zi3oHJ+RSqrE=!kx?|LIN?r52*@z{wNmvLNi|5-n-X<~Z63MuWoUN-ZC_`rl^ueRwh
z0egW7JnFK5$t{m@ADvD#9;LpysjnUT`N<Pab``W=fsn7o8{>)fpR2!5c*e;y1hqBO
zw$0CmB6Lx#U)<;Y6pzb4u0f>%n=edpL)f8M9e<9SPC;u7YpbFGyfLv;raw0DsCf&~
z?a|5jkL^2L$)5NP4fYsbJZb1zQndfho@>|OQ9-N74MW^$>+t+Q@j(MoF;(ECzg1%X
z!x`7+<6<v%Zi(U;3(_Wq&uPMA$g7sHh&HTp*o`-1k;*zs5qB@Gi#po?Q*^?D9f-m}
zsWL<DGGO|RyI+##E)|UGzivf#o4yTaw?^$)S+#{ShdpEL$m)qJA%${%VVUS)r{QOJ
zVm}I%0qqr0wFP|7RH3oJlWE*Tya5`8xEfWC1UOXeara1gwjt#hd=y~AKyAojBfJa(
z*7Pvyc24w*c)&r`#u2mMwdLwEVhwG2Lw{@Q=cZwd@)Ro?Xv1gY$G&&(aUacbyY>b4
zR*Z9Q!Xrvk$rB)fUkmakJ}0k99!%>~=EV&7uGD|4C(A*;wrJSy?D&}6?nV(z{)5`z
z5~bNMxX((ETIj&t>~Uj<FKp>NoWuh)XYL_(7%^L!sW9)ybd)0()akyARVMYxOD{Br
zSfi*AV(oRmH&d8i$iFmZF;AW`c9SSV!8*~iS0bP`R~P+0YqUbstb#VnBwkivWEbXw
z3RIEPMxo#kCg=VPW|4IO9&*Pfot+SZ(w+Ou6zuEt+#{gUJApIb;@-jYfdXsO&$M@t
zugt#!N+FCoM}rpj8H=6!YMj@UlquP46Z$2e*R6^6?s~6&o7FhgL0)cFqT@@ku=Rg1
zstojf7V^yDwjui+0cu!&Hk|h%=waXepW&hO6V67SZ_4ob+Q*uE)PURCI7d<vCmaP%
zi<)glJP;PviJvFQYC|b{Z!lEGD$gfYk0tfdv7avsbusZ~-Ky@PtQBlF7zs)7-<#&G
zoSJ(8@}l1@bWq6t;=L+g{UvQXK#wl1;cu$z@buAswP=vH*_k2U!F==a|I6SHx8(1h
z?K#7B#p^L)&90o~j9(m2G-^S-Y<Don4hdBdqSJ#QZ0PUmv$)`2)7#53RpippHPg5&
z-8J>GLqo~xLF%X3|L~C#>vrvkE@Ty}oVW<=Hfqlkgw)b&aGv+8G>OBMsW^Vc%os6}
z8f^8?z@hX9SVw!Pp~&Sf2Bj<pR&O-v{sRoAZDXJ0q(&yhp0#^}rSH+OMkT5!m>NVQ
z9L)g5?&q<iwv*iq+>9g2+IL7;s<_w`Q@qZF=uYw&;v5O`_nNYLf~Topb2JBYu<!Jh
z=S9mEN?w5LWNNEJSE?AaH3Oj6byH)%&gU%CSu#egbMbBLI_Yw!OJP$r_?n|#FRfD2
z08*kDR43qBna7i@<H%b8WA~YCAiBzs#uRV1uXXK)?(|=N?O%?qb6QBSqV_7kPFZQ*
zhK(~Eg;BaX@_f<fd)IK%vF6g%gu{xSev!|@KM*U7E|b}$w>i}%^!wUMu3lJEF&L%%
zl1HJP$GQNyQ!<<3?2s1Zcf@`WH9JW38+kG_tu4Qo{tG9p5D_;!DBvd!7VsC{zUAhp
zcbqgr4sq`}8?zrYkkua;#N5c!S;Ta5X#0u#`DgcJ^Z5P#F_~9#*5_2LK2h@X8DW-8
zcGIh!ZDslHR9p{SKhGsUB=>GtxplK;d;DBw9YdW92Q)i!l>}i&lVfXQk6(<v&nPf?
zgxT9lF&qJd=HLU=H;M^GkYb0T4d~|0qHP6e-h^CPuq(k!Qt@bZs3KNv!5oW28TJX!
zXOK7n*W_Gh5x^+Z=wAH1CbcB|)`^`zPx@DJ2kl&ti5(ZSly{>Ed;3(sYr2fZ!qI-C
zNM00=hk6kklcMnLED+Z6+j0Z^H5@GX@^;rJ3;TFgg#;V@dj|MB+Sc|m0;BD)wBSWt
z<oX0WA=^b)T&0G@5kEB=eu5Eorp*)mi;BFKFxq_e{#nIQT(p^}rKsJe{Y!7b3x_-e
zt7m1BhhFz`n~VH<h1O&GY<M8rSsNCOsWI@-?NF~l_&LcUS7JTNljPD$46i2q8<8hY
zADlPrS5?>BY(IIIJ3EL+R0PixCa(0!=1na<BqVAB$3V2F1rguT7aar^Rbu@`IRg(g
zV3<sy_)SZDHkRSULS~KKX&{#e_WsiV#cEEUNzN{DpMk$xZs)<{CkpQ8#fZqm+r=4y
zhrHu?WKwDWG<jOvyb0cPCFpxS*?D(t=#Utf%JVshOu(4&J3X(41V6^D)b0lwp45*t
z<bHWOQv3OIdf~5EN$_+3KL7K4bH6dWztj~k^TJg4ZQo|DRR^CyiJjQu8=Fy-d8&%b
zWyJbT|6oV|2M<^@y;Jo)mHLv=a9r!eK=lu;*EJidJAI0c^&2QRM;42>9*-Me=3PO#
z-mqq9mH2i$(lHNTiORB-h+kE_`<wS2=JV1xVc|BH3}W0r>zyIi&&#!qJ3*}}@O}&(
zTMUkpOmO%2yBJslxu4q`UX2T}tH~Dfq;R_9K@I4whkrNfJj^3NRF+vt)M4MYv4%4u
zg(~iy%dtgB@ag*4?_)qYsU`~R`@<4PRzH?7(4EmeFBs1eAK(AAC8Tss;3=h)=UpUa
zT9VWySwRsBW`Py&1(a!Oi%PJ(G7w08-uJ>5I)`L<<=y?3@&)ah=#d`{b6oP?+?V!k
zAX`GbuXfFVElJXEib2vF_q1QaRc;LNNOM?DWyu$g%i4B{y^EG{6~aBE!?A0kFB%^7
zpTDw+v{uwG;jpONmrr!p-U9YQBU6V?rS2w1Sf9`aZ9ONl_4#?%p6(<@EGK{6UIJMB
z7)0i&ivOYf^Nc(V*DJfSzI$~JGm|HOM&{@>oN>+pzI}O9tv4<LJOAaKxPVT~g_4X{
zN@Sr_-pc*F-99_IBKr<@F!C%{`t}QmE7`Sos<>@4aMM%e#E|U0TWU0Z5JEVwC5U}U
zC<#6zBiEZJ&ktNy6#j>tQC#=^XDMk6`OuLp%+V-+TE4n{um4V1G$8PA7qJZOA5gpK
znfSpRY~3Su(ONN14#$<|K4*Kb+-m`Idp|u}TxpukDH}%WwN0r`cm>q*a4nhM5U&z+
zq!msPBdxE09bD<Ba!0iRuFUQo^Fx<g_!ox<3ezYRQ<)7TqD@@9)5qe+^0pFkl9h3h
z?;LClJghR@i6!S;e^V#?LNzjeu3QX|cn0jd5>un)7Oq6G%*tQ4wh0-$P50-i>HI~E
zLa8(tjyq-r|B{KfF4%bHjfHM-yN~=v{&ClGCH@78QyV6UQgZ@+^f5<hO&Xw_EWrq4
z)Q=k!j%U^ur^y<_9FfWHnICdj!}FPq87;Hfb*t{{7fW&d`7K1ko$CMvFAn<3S?;E|
zbfs(T9CrZKqXCnn@EERZ$+J1uV@OZHM!hxW)4O^e7e_0@4w|7#eHR%%d)i8W;Z54V
z9~SKZz8+5&cDaqx#8-Ln0%VrwKbe!N&u;TijMtUx<G%jZmajae;<Py__NlLx-wa!+
z0tAwf57!|9EejL8+@u|(1x)Y4D<J*9ES?R-d#_IuuD?sp$4jaW>sO`cY}5e937-G1
z8-IF(<vw)Kt_|@y_YX_4yf1@)5uJ7Ai8w<@>eqV?Xuy}?bMBI*c(i=OL4SlCydd#m
z<Azs>8^HfaWE^U76vf`y=eu9Q+&FqjoH-}97JQ>&=RV$2WkwqoFMN-yj;UZt@@$wx
zKw;(bem`GP)=jlj*Ou|0q@Db&mD)UbPW=8`+dM4>XTikTyr}l-$;&?5ot}m}6(<#d
zmGZSHAAQICb_Mh<CM7{OoG?{tJ{azSH>tN+IIy>?GFXFiC5F8ho1cV`{c4?egX<Ji
zXC$rT1$c}&Y&{BA7ex(t&vn^oZKh6}Ihxl9r<<g(SEt<&-YUcOz0;_&_Y%=Hn8Sri
zXl3=?S~-C|!GcO%zvjp@(@pnIF0t)vFXz>+epGYcR(n%5D#4n4F0x<nfrU?c8U(5t
zEtqN$ozpZnOZZXN2NF*x(rpx7&c9?vFq1307FQrseeSy-#P9UJAsY6oy<>X9ou_dj
zExsMvoWj6J19lX1V0Ymw)=$+P;GfuqfAI~5RQfP^8ZC|1jv4ND*&R|17P$qkx!4z_
zlom(jr^bF^O+Vod{&sfGU1ys9=J8Ry-uO=X$-4JJ?U!F<i>t=5FgczYvd@^@Spo4f
z?O~a^H3Z)`CX@rEhOOP9=OvX&maOxU$PA&FA78eQ4ha`;?LuFm!^jB5K5->@!{MLQ
zO$nLcjd+1qR@6Fd@w~9{-#k(5Z`k(<uIAPMhbvXC$Z!52`ZuolkIMx9mVqk0R!#Mq
z{aCcHo=7hhE5XpA3hPy%{=S&FWRT3@j0!lyU=8-q<(>?@Z6VD}Z3GV+x8`l;T6^bA
zRcoSJ4^#rd6!gOZ2>=ogJ*>bqTcW!W7TA0G&Iz_=I@AFp7Q*xAoyJ%Qtf_);;9jqH
z(**#%QqwX&735&uo^#%g9H~--xF{BYw#vGyS;e>_1F*d2V1s+_dLsdGln{|HFPsc9
zQjHYPpY3&`aKUWNb+S&{vvYa3AUdS4aa`Yse@5hbGWC7|jNsES(QG(jW&NHcu0n|x
zy~Nv`JE23j>Gve)HRm|%S?9IuncI-~5Am-u>46KzV@6ECgdTBZfyNs>mpgiGlosu6
zq~_Fn=O$Tm);p3G_JGH`<6w_M`j`<eVn>@&9hBZiZg3ez(mC?_F<{|YfHP&5aZKm^
zVVQHmn^`2^Mp_9zpP68?I8-{xn;~)1Y@Y_p%@SHv$D>POK}SnOq{ZpWS~8G(^UG)P
zH+~0t+OV`&k5@leo2BGuD=M6fA;-BJR^*8gGH;gL<VdV^o7_U}_mP!khY2SG<Z5aE
zilY0bK4Ym5HtmAI?VM=7pZNT+P#72u4?6yR;o@}aR*x4OC#zG`ZL3=OiJHCn`_1%x
z9i17tw2FPP880!gbh7C+KF_x!kPcUZYiNA|u1a{ckO<Y>N3p@l3iDD>cge=Dvv1D!
zMgVGO?XS6`XUOVEy<`qxATd4;qG5x%%R(-iA=N&OC$ubUtALAbz{JG~`eJkgKFLYe
zE%C12FCq6sk#RyZ`z|vE#9o)`iM7!#8F^P>^u3K`Kb@~cd+k4-XRC%KZo#A<FH97}
z4jYSWU5x^iV*h$q*P1^$%87H`7D%b-HMgge2<dgi6)qcADvX#wv*ar`<{sZ%11}iq
z2Ck2Fc`kSZAI4;^nheFb;L6-N_Ch@ta;LipOs~-(t2P1E`5p#A#t|r4U;7ByKwwLL
zP6`m7EPSkrM#4)nnk$j4@HO|;!!qB;J<ix;#0gN7PIXvpux2t`;^hdF!VS|(d#26m
zQyk<t|KLlCd;&|d|2eGg(PUbi;w^N{Y|c7gW`VjETco-s9qgv~Z8<W|9hY$Rj@To<
z{;#N2hbLn{>gBIt$IYB!H6Boxm06B2wAP)-Xgm|2PV{(M&kH_EZSOQW+3+%XSJ8B}
z_Eb(c+q%mt0$<&A*<rEr(TXK{Z5%e`<sGV7xpM|$uAnh{kFF!$o%-^Kz#h2%vLWX|
z?qD%PYF9~3mbvdz0#fy@N{3Y3FuQAw)#aHXLyM{Npq-hM82PHHd9n};f$QW8^1|nt
z^$-uk$$E-Y@#{pGpYh4*Qet)RVMOq&lLl;tf~=Lt4Zg=@j+ZF1ue=Pma6quoCX3!x
z(y8vO7&aac4NI(tS}*_BwogQ)x&<t-)68)A5EhuvJGe;32JVs>yFd2J6n#4QdT_s;
zi))!0Esi>eh`(L{%&AahC(?`2$89qw@&Z*hX!4g@x0f*m7J5&j*J^Cu><tB1wr*mL
z2wlZ_Q!v^af9zJoSLGNpj(<Ly$>*3jsgm<2%NTa^{1zM?oW}l6T=ymrby15$!0Bvz
zjKYqZ+;H7A3nKkpYuc3~l)&s3e98b1s2i~me3<L_y!H3m_02L;k3FBIVDDF)p!d4)
z)w@idumGNmJ#9as0si@8=w;jF$~o!}Tt3_Ihuq?pAuep}u^FX0I1(EI!ci^k{m~Q*
zRP`lmu{wQ}eRy7U=w?qFQ^^M+Wf``_1_Hy{Gk-2qtEXole~2%&jIo*PNPCxoJyPzq
z_IS>R5G)<EZ{GLIx&;t-lCgUR=egzfv=f%@DXk7&H~0R%|LJ<$jf+l70iI2&xqK?z
zni6#&=8jH>GU6p`-`Na|?wvY1u!)`Dx;Y31bWbo7_nGx-125ewao4?iWgaS4lUta4
zls<IdlCt3dPOSXW?G_19<qqstQU)z2W$Q^;c@1~V7g2;fAIKxK16ebkdlX~0=He9?
znRgzihc2#eO8nbm)zqE!%iVcFV+p=4j#@4I@XD-t@gXu1rXoJ6#m3i#XCUe-7xq>x
zjR|=iEW22BPZ+6ghPJnkt3=}-6lxuPzuw!k`fB;UaLi{}>6c6w@kzL<Qp>h9>K~C&
z^+FW!E0CSQi{S74MvUE*ocJY|LLr{PKX(hq3C9%0VWKQ^UX|WQK@j(rz19F<TzFB<
zUxBp#dv2d#D|(-*>Cx*I(=++^?2t-gF<w+!HGf9S(%YLC+2e-uQOVizv4|_2GVh!R
zN;4{Msk;a#PYrkh9!fONEu?7N+zo&RQvRBF%f_DYy+<4Aw%e%TJ-uAGfmX)9y22(~
z{{gh~m>o4E>R>yPh{!&gW(#2p;iV1nqSjXBdbtyAPiar7Lbv7k>5u1wZaJ8NoBzI@
z#klX{8%LCZ?A(W(L989`vyP2tb0J4phPx8-RQvgtQ<KHa{CQ_=p5YnH^|gA>lwHaX
zcjpP%gOimu&bm1JKM|3NP~~L1<u*An`g*xC^`h#i{`k3c^A$bYNZw;b`VO5dWk$-b
zsbk`AzU;6dg9~r%tsQdrp+~Myyd;|uBbay@TEC9H2?*}Gn694)%F?;&r~Fhme_ldm
zUC-s92_lKH+@pNxP5<N>LZC)gi*K^79r~-SPX(Ac4SX>;0M`qM<s+V-q#?P>J~((}
z2OGNRfZlw9f>e~^WLVs!^l1$7D2-QR{H#Y)sd<S_A_z|8RhZNeYuZo#te&n4>|FuR
z+JF1>{7MM9wesjx+*E>BocAkTyCZ7@mq&3S0GfDzZpnnHL})F0ocRZmZjn=2?=*#d
zq+iY3MXqGIM;kA=URqTYX{zgjtlIg_9QiCPRkRky<2rw2H77M&4P_VK7_3R2)nRjR
zY)p{OoS$A;U^0z;KKppq1H_fx=wY@n#pQ;X7b8rF!zDQOE5fehB783912wN)5bvbH
zElWzGJY^BS_xve?Nk?SChOEJBf6NP}?y&WbX`1<Fawid#vfe4OeEE?Tc6A`+=-1hk
zORI_rKYR!@%|EySTRlfmp7f&>76znJ_QKoIC+Bs7gZ2m-@d~M*>3lBft!mB~-%_y~
zQZRwK%NPYvtieS7QAK|aeYi>Rq48%*2|8a790@aj&lIc6&3mS`cOqFPJM)CRNA6p6
zNmujUZ@wQ3WeZ8ApfDnk0z{;#;`SZSFvp*j>C_$|A1Bvi_;HUFeiplTIKqlmv3oU`
zYE+skK-^&(KPeSu;Z;)UU^ch{jj8Cq`?Bt()p}2DCv{EkK}~mlKGV<%`v{O+FH<vl
zv&rD42lv8yXR3q4>mAQ#pQZr}x-OqXA{+<D`>cOe%nW~XTf1DFU57g$lzChV#!pD5
zR#6JL&3U$99_S}L!l)0WIzJF3!D~h(jAI_!qW?IY8O`rF8(5DD78_f`D*JIEIj1-t
zweYx~Fs%m~?gdc}(OREBmeu=xPAY3J)deesmy{dh>G&^CuX~6&fIkT9Z}(XCRaqbw
zwGtWPS-1y4LrEs~@=!w3L=ROr6~|qwZnDDJT*O!uTS)7z%OwU$FQ01?U(o476`_uT
zB_*9JW{Q3sktZ#8$B$=I49?7p>Y=s5*XR9tW16#|e4j;(1i5;o;dX_E_WRDy)>V~(
z(&+*zwhbJ~8T4Cn5=AX+C-tYRj6*ZRr3J?cD@JrNgU2P4GT=X*r%=-MgR<xDN~QWO
z>{=~)%2W_h#HFovpKB(c1F}$;PPm%EvA){BlBd$@<Og`^Z|gUi`VVoB=eLzOheNsT
zcMLnOxO7f;#k+)$sbJ}OxPPPK7ev)nvXWM=S6++%@<)L2oBmDvdGttd6%ex~jJ%SN
zot0z8#D`tzCH}i(ZYxk!%)Z?U6gMS5Bp@Df9(vT^5$smZ@z$znaUW0mES(WPkH?C_
z$p#`g2gD37J^qb-E%nd_<R>i^Ts*DSIjRqngWcaY3bs$OlvB3QfEYhdrusk@zSdbt
z-pW1nhYEIpv>!nrWcdNSkH5zgK9CUCqpSX~73S+~y#sd_54R3~sYM%*miO9i{3m}}
zcg2t$>OUpTQ*IK^Ky0aMDjW4UR1BUavnW)5TggTmP0&eIgHkG~iaFIfB$g}Er|G}h
z9khTvMFI(qn!c&us;NCrRgllmG%UeiNgp_oszE{-d~Ta|5ioiv4QTw5`_9gdtCfF6
zF6@-_mK95M?jkk|@aFat0f8!(DzoiMmdt4}qQSit$#kGey8J;v0+8;a*{?b(Q59D2
z!E^t`P?|G?C)%+d=~YnPvw(WVuuT~TeGm`b>Mq>{F%J`%vS4L=J76zO^oqyDq{Rb4
z1EOJF^MdrG!;otXTJ58Go6I4F$A&5%72$9($?$vqZe#b8R#QC18>!(3>uwy7qCU}U
z%%OT<@jnca<3cMF@||!>U1}+nUr=%POTr#h#GWQY#0x&*y`9hD)Z?kt^vUuGYq32r
zCBqDn5I!0?=|&;;jA}~KZ~gzy0<h)Z(x4V}&O0`B`NImBuD;J&EBYxP*FS;Hu$49|
zRNORF?3Y<hRLgpRuo2H)-?0n3*D$k%a^9bp9XHF8)@d#+4_^jKQAkm!Ui<gB*dBVM
z<D;AAqMq_|*?A!keum$qE#bna$YCo7_X>0MD!Cb)pilgjrTu6zQ+mFJ!XtB?x%nG}
zyD5!wDi-2Cm`JL&D>e4qOP;!#%GMN~A{>Su&thInJ1lA#7skL07esCv1D=LlbJ-69
z!>qzRzJgu@Sr}itbFwaTO-JSlgbQhXv!*Q}h^GI5v?jagbLfv%5Mv($=xiC->SF+2
zJIoQXSFTVKp3Um0b5w#ul>iS8D4t$zpnkpDZtsRhJbdvd+Y>>_;?_Ec&!@N^Cx64)
zp8KF4<6H0`I>VP_8PtrrPHa=QBv&)2?s<Tpa^J+wu^>CzzWYwCo>IXcJf!7x^5A;U
zpEbePLjIVrcwvhEX-6~Y1gf~?$60h!bW<jxNfgAH5|mt&LYG9B6mw~KSeFx8)EwJn
z)6?ZudBEqS@5$?98Dzg#;fHzWOV{`9!lmxUgguXO*n3~4P{Nb4+r6*}t9??*sBhLS
zRRqDS^b29F2Ee4sbpTXwNy@GX*^{5iAVIzXq6=?AN}*|w%h|vj%hIu1kF1@-gR4Vq
zH0Kayp=5mbJ%z!L%K8frU|Zk#>|+%!)alQY*7J#2!(-~aAUcHf<K|+hz^@5k^zHlN
zWCfjhifh6Tx1$gJfHqCw%Lc|z)8zEC_UK7exoLmuXCDQFo4crATvZf^C@?ZyVWn2@
zR2AMD;xQ!ha2NO*%J^-jGP${sj2!irMoG@il$inF=u2JBh3CXSk5zl>hVEJ4n-Hy7
z8yZddpPP5=-_09KobmORqKIIp;N9zb+!$&9#uy*FW?aH=W>8c9Q|7T2PWt<C=;$h}
z#K4Y2I5hqM{9S-wqI#RmAzVXAvFnylX~oiJ*XW%-^H5>@B1alvaK(@+SG_wkM5Dwl
z2#svlPyGi4!ntiCGHmMny-Q1R2c-`!*K$I|2-GDuF}h~&S+SEb3%;qSLp4tNKF!NJ
z{5c<Zot>28UjFHBes%pK_5Gx$^HulCe*HK5p@XR+H?BL9Je3NgWJPthIOIcadMx?7
zyCx(SlUgE=i;v&2piBaW!--2x1aCng$v$_vXbTU{U3MjP%%jFaNGUG)XX%<c+dyc-
z=+?voKwH)=wXp>}nWFD1BfTt<3?1o+uSwlZCO<f!fPZ1Tb;PG)iM&6&6nbGCg}N2T
zvJ14ZK%5unNT2h2!}kj-APcm>SOAYC(sS9{xDgY+d^Z)MOCE(Oqb8Ebn?!`B7Rm0$
z8K+(sH`45cZwrrH>Fro>8@{%7C|@MDe&BeX57?zfD?XM%XXhtDN$=Ct5w;u)!mv9T
zx+f>~&WZD3oe;r$Wq<Gzwh}<R0z_X~)X06j)&b4Voqmf9b3MMKMq9?^`1^dKw)*1H
zaa(=5aC>tNXH8WNcSqy#!En|LD^)b#iOl1j5;qtrt$_YL%XjvSO>$1VZcfR{Z(!Pf
zI`$}@))FgjaES2`eaFM&rmlMRfsK^iLs&F?-w*UNRq=3Uhfg4linj9a8_CXjSkbK*
zA;?=jb!v$*6P8qozWsTxHc^qU<)JoF7sPbubvkY_8$!V5zq2?O@$W1KDWr;}(}DEq
zSPN7O&pR9LuoL6T3I?4pw?;m&Ef0V+?zQ+aOXx@!9<Yski~Ji2rz1&+J-3A@Z&iy=
zHUngeEgM(spWPtPJ&Zr<M{+LY8Tq)m`7Z#^Q&0?eQ}Vd#n&Yke!}(0kkFD7+(8KpU
zMZQDu39G@+v#!)%o^L%i+!qdNB_=tTq`4@9t1~k+k4jpYv`+N|X8RRrOXMw1#z$QB
zA9z2KEzhoBWEZoB3|ejt8fEXl+19m$hF!m{sSV1e4t``5e<>GtnKoN=Ku7`yOx88c
z-v46=dH2j&#3nUAmusgRDCuR6O0M*bW2%cJi(p6w13aJ%DG}cio5mDtUKc23|59v=
zjT(zWX9LOF_vH({2YuueXq}6EuYdP9>f`;F5NWF3<E@8@h4HE^_G7yacM7MYR@);j
z#1qRO_dC{O+80Q2Xt(=)QQ87vuV8&FgapsP9^<{yX}l_O5Iztb=&SUR0L|?+eSIC4
z2KMA?9$r}GFl0K_7xgo9#<i`Q5EsZQh-Zu*nt%-b1uzO-cXPyz*$rl4>hzndptb2)
z6ZW3rr=02}ab0B_2;DmsqQ%u`&}PZ2dVSuIBr9%%m6${9y}f0raWa^xrW8G&N$-><
z>Kp4ZZ<Pj8-)SlA#<xy0q}5UW<x?lOr8}Yn^~D}b&e-E`mC#mN*`LGk<2}m~78(Ce
z*zO(j347irPyv>rkO5Qb_bd)6>IN<iS!0IvPI-8;*esBgd?mw+$FjV?i~u%YqRzy*
zI~txEC@~!LOj_n>_rbx;n`}S&lqsZHr0w--R9kNLLQr7`7>m&7rjn%lt-?_kH)fho
z<R|M`?H&@Uq7Uy!tq6JUZs^|arD}ssW7-1Z52~D7eLzK_r4qXP{2U0$^?NU3qGk;*
z?F~*u51P*0NEAeXJEVAf92L^f(q=2bNhnS}SQuVER??)9%Udpp8H?d|d*;`o`=A?c
z4c+h2@HXFb@;q4AMGTo*z%>2CAeHwzPcw@h4)lljC+*334tX)BEwhqC)4wCp?#K!G
z*m9)rD8Uth4~tDP@Q|%y=*TD0lmPdg5mdxTR-9MeL4!bms9JqBaNg7ixw8OX7YVSC
z@C20f9@OYUXLU$@b=PH|w#nob=0$Bu*eM7H$@O-5s|I|Wz_2>pX2v^zV6)Di7U@n)
zUn#8Nvi^89jHETIjeTgnU!c00WIAqEJ?4xa1XJjM^DXa{C)R=;lPLN<-R&pZL${AR
zfiyQ&s-{fW6T-~s?Bk8*#gyEF#^zTn7r*Wo8!qQFOCFo>UHq||1^VpmU^zU~c881{
zT^;Xx1lUtQ+-C2y!0R&}=vudZ_{<~@^JqqVOTl4CvrHC4UPhb_t}_1$B-?x9G}@}+
z+$+Z9f?$=Z5Ocd=S8t9s0mzn{uJg@N-p=RSXWaO2N0Za&V54g;G0OMApX>eVs(XS2
z38~y8OJgta13`Fsxmqa;6byYDHmQWLOklP1*FW1pfY=VYmsdS%q7Dnzmk(Tg&AO32
zy8g)%Wr{|p&0aPa1_C`i1ELiJNK=^JsvDq}xPyPuDoYp5n)7b+UfDZ*43aWWYylW|
z<r;(xo2jfHd;q%9fvKIKAmI~Z%cld+d!EU{&it-iD>^_1kJ(Fx`c&yaDO!GDDHl-O
zF3R5M1DEU8t7k1KW4|uYJgh922Cn7Or&Lp0mXn4PBfxeGI_xp@Rq&wf#;1u)GI|TI
z8{Gco!nyyFn5jo+3VnVmvuaPjnq&xZHSI}w#uswokJDwN$rGt&ic;#RRTHPRz~nCL
z%j5B9*2zQjMj|4n`aPIc6OL4HN!08IITS=sXi~&_WDtJv;a=a$YCqM9aiB-<PKx7Z
zd*F0-e0OqroGhz|u&aTD%<@<}?~sXsjpRi|4WU70>v`{A5~PAR%73vXdTD+$s0DGI
zT{`}1rb52JU0(`X<lO=47)+oB(*cKYbEd^{i*gL&1506Iv}`7HnNFxF*@&4MOxK{d
zzPsF#dcE-}ZP~(NVGPH3nwH#-_OHF5Y%Tmw@`~Xe5vfu2iWWu)%ZFLI?&||vME_Pq
z<_2T~Hw5|1Tb`rnsPz&?GbXypw_`Vz{++|gm4~m<fs+dpd>OS5oX>Lv6f))K>1f?l
zXO@8pt}FjZmZd0a!`~S?XiMLtFRx4Kt&KncqMpE}oTTl%F_BIt>3}zYl4XJfkH3DP
zSpl@{*1nZz^lIP&FA%Wo8pUF#fUdFfcGEAZfHwmV8YP&w?!BiUD6QXHLbyO{ML49l
zg<v+#goU2iExpRriLy)f9@7`-i+%A&6C_g4^zd)n-0_YDDM%aZU(eNxxz}YyCr2Oj
z5{w@5*92e8t6m~1roC0hjAf?H-g(7X{Q2^WsV?O7)0bIS1S&AEN`+I6Z|cyfR5mw3
z`$VvKJP#f6Eo;BtO5P{FD0SxVj-t$NgV%7WnSQw9dA-R$&c7pptfodamxv0C9b`qq
zoh|)T&g#8S?u;VF_wSgaqmrGU>x^K3I5>9q9Q>!|{z3Ksu$toHPJ3<8F8>u4ds<62
z<RTk_OY}MayQ>WE7=e4}hjgbOl>gM4Vi~ec@Ds)U9ZVWvNmbh=QHO}V(XcqQ;Vf!z
z^tj45ZY5ug<N3~c6f@6^sWO}t@!yN+iQ`_dZdf8^*-=c2M+U4SGDJUFa*O`-1s0o#
z>Y3gCku?9ldneY=L{w-4H!?V*7tq?E1KPQN9rD6>aw4pmI^20FJII}C!{K3}vH)XK
zbgNqhS%Fil)M>)TvxaI+olPytQvB#4^Yn5K?XJf^<BiSBo^EwzUA~q<5me_5q_(O&
zq)q))?lz%AL+p=Wh~<fpdQDVi3yQ(!fh63Tfkq?xh227aZ*#@Si!Db5*3orr{aIO8
zkLq|l8k<VXFVOboWNY3x8+~R<>hN9&M@XQJwp1(|bcs+7|G)yR?s07)c>IOo5bb__
z@18VY_=^93>U%B9ay{+;5dY3T{3g@>yk2QrRyqDV-u&;IUb#rUwD7gQ{N9wvFyUd2
zbu?fntZMghadEFX6nDtS-a4YWn84~C4T(mro3fYeSM}8!CMZjvd^S%#g?ey6;^+Dd
z?@!Mj^4AGIyS(y&;zOm~W!!>n_mDyLADP1ogA4Y{WkdA>_qdW?1QQHLSb@iu#T-_E
zv)Mlk_Nvu|JBHt6L=R7LUoF07e&yhn4az%Wp!JBJ?^%0KeD?5f{dK3g8>b0B>3I9;
z(m@MX6W;LeTlK0o<Id%+d8?t#E$U*c8DE?_Zk^2bv8HNVz<$|wSM>1IZcqzkv(M#2
z7-K*yY8=fEHu;nrEcQ5EzH(IG5UA|%wbu2L(k;shpc6Y6oE8p(va7sa5Ty)>QU$0~
zjEdcqk@=T;*C6h1u{V-TiJY6KXJm!h#L9mS4vCXEi0qFq?x&<88f^jcbjuOhd{LBt
z`EM`PIzNRmk=}g8Nw+6=+&+L8yIJ$F_xQP4g|7{#F<&X0p^lk4U2rO4G?8%qwonog
zNKk|4zmaoVA=%dUW?c{3@c0@FHw;ic65g(4spdUTmSh3Mu$s1M;?*|0p19-=;~D+s
z8}l0m$<EcuJ)@rq?ej0j7(FUqiQ>%h#Nj7t`p@km1zx&~kMllH6PGNbK4DY$=0(cU
zn~XNZUVV?$=ZlMd@NU6gDY4vmjELes$|*<aFMngM*{)1HtuyLwFxRD~j)S~av|;VZ
zwAcYk#mFET)-3oAUS&fMun!jSVdEfSY8AZCE*rs}Ss=j(`@N$rx#VB=$dOEC=Gjw8
ztY9%8eAsxpy^jY36$BD|PJerM3JFv%Y{1QGi7p2{*1u!_?)w^$OPL20Yx#yM$I;_4
zX3v$<0!clKKUx5CZ@vVMts!2}b*T8)9XEEG8s2|g+TXnAi(~jq?Z?LfZ!q^x7ahHK
zePPrDZ^Tu-3*y+W{-X<I)|G^%9z_H;o%z-|f0z*oN*?<L$_iwr)(+<-418`><u2%=
z%!`gUY%gaKt=Uq!gk)Z4)D>y5w3V8bg{#NBcT!f%pVg=PE=*Rgg)80Y)$IYaNNezD
zG_~|)scy(k$~P7~Saoqtr~0Nq_|V*OWx>#8JfOr!(Tz%&8EO#?9)!f>gaZvH^yl4O
zrT&vl@b=^L+%EP_dw9sz?ec%BTQLggfa(xbSAJ;^8`(JjbO6ppUA)CpqOf>8<5=%_
ztN8FeK`85Z2HPcnqLXhFrbAEtO4K|5D>vQKQFN>u;|hrj(gmloKvPCLTd9`i*WBJ|
zE)0g*aG-e)uvN*ki&L%M1qV_ht_GEgEll8X(P?koV0+1+udR_*_mw6+o$PnTF{!dM
z3~$#xgRno#g?I<aoJCN&KsUV8>d}FypfH6&xC`G$sj^>f?Kr-GzubgmnQ#rq=ofEG
z#t-$Cx*8<PWL3)AQ;SS2j74{r8L7=cwC6tYTl%8K!smuV5WfEt_WmJ7|JHSe5a^J6
z^3!jQE)NzoUoolXN4?bC{sG{lfLr8Pb8ZZ6#!}gi9AEIp;B!()m~LufB#sULWQ;}B
zUZ_}7+I7e%x{(kj63~qNcEh22d9f%laua$ee)0n0+2!uqhAVx#k>`$eZ_e+LOma}V
zPk7?FgFoXHND~eXQT+hTYWliQ@z{|;jG``=o`L^Pl~_5rU^J@RfhLS|lbQk+YR>m?
z;F?ZygyVwPsz%oCvcccq&IlmGv|t4;L>+oWE;wl<9pkn?l_hQswJ8p%k^#ijvq6dS
z69cHF-9q<>0~tU4-(`SkdUZ?c*EB;&DL+&?$HzR7Yb?9C;HLyb&PO+}SJ_yE=k{@%
ziQ-SREMpZ^?lPhxLadL#0LlUo>RI)b(s@qU+(<PyW>yfUQEt$~3E|}>QuV9e1h1tz
zvieaC^lG7IH^y4e9N=u&7VDDEdjv4qtkagA)~zw!mD>L0zFDtX^VQeGAH&M8z(?g$
zj}M#x^bc94DD7rv<bIbOQgNG@Uec?NkkC)UEaovMx5Tl~+2GXSxD8R#-27aX=tD5O
zsGB%zH;f18D;y22!`!;D0JT~g3k5nfCat(o!cH?GzUR|M=}9u53ZWeKhxwF0F|4U4
z|8C3wU7+|o`GZj2{cS)cbfai+5Tk-_*!{jg03aAotya#N45qS=TllUB53fYI&4L0x
zfrkdpq?YN7;wrR6Kl<jS-tk<>VB^+3Pv_~iB`g0G5o8&CtVENq2wFK{EVGy2dt@s!
zEZPr$-n&sU10828lCOveV`mab*P15(?Y5sAYtZM__;SBamp>nV$KY#^;sOtS`8A9s
zjYO>v)t{y%sYYdkKV7{faQXX{XY<~pfa>RYHWZ!A6&j(j@H<zdQ&{-@q`5WQ^Veg>
zi^j3I4q~|~3sbMK>_lHI=7Xz5PE4Ei8&c45{DgAqHGt&w7ORch6@xQ(Nt1*|;V`75
z)XTcryQX00p1}V}761Fn(Lp5`$`NR6G{<dLTL9n_ne4(|=6%y?Lt>eZbq|wv)9>>q
z-eG4>Ej>rWV^b>1$4=&D=4tJH+H{R=EnQ1v_L@RlfUu!p!Pk10mL3sDl~E$gmE9o|
zD48nM47J%*Fq8HIB1NO=rGy)C-*sNfQJ$-+Irt#RMUF}86?X{(W3dXcd4J+~YB0F2
zGMZz2JSUVvr1l9VAFKY=JJ=GM%-1`E^r60%FXeGR87q%w$e&w9jAt+x*aeji<i2Xo
zf?Hj1@r`tWK6$8^`bz17UP#lq>j|Gq?$6i9jz*m8bkMMfo^&$g8YNjN7K9N}5!I1!
z*qK{v@wS#$e4*TujL3sJ>#Xe_jqjP|7xi#-gKre@6BIu(+4m2m`M=jSil}uzo^~qx
zQMX-uj=(g0PiB0b8f1!l8&|75&peFpv|nbpF1Qq;$7<Gy0YnVsYQn7tK1jSg{XW4Y
zZ&kr(xjt1p%X6AR0&HZjdhREBycO%+CCPy52wrzq)S7HBN63~O*GlHya8tc}=SbvD
zR~YfDVm>^oW^<VbwTFB<qtn8$Gpgp<TorDb@he^aag3ZZuN+ez8sshvN~RNhwe_I>
z>Q_cn?fCUlqv&yJ^;P#8KAwFt!JRcBa>?b=7=`Z6!SPDi`ca5W6=fDsknhkIs5;`Y
z9{a<WMiqrm4Q=UCuqlg-<JkX3$+0K)vAlzx$qh6Lq<6jj;KLOJ$L124n~5Slu;v+A
zh3<VmQIaI_pEjO2Ik^0Hxx160EOLX-j*Q5FsL)}10S_*L_a1vPEIRYz*kpydwM&1p
ztt@)nAuChI>9Eb%PYlrVo{l1w(f;td7jsdQrXKP*)CCFz_ADCZ=Da)mTbT>3RP>b8
zL6z99viLEaWq--TcA>QMVGLn9!o+k)G`<L${^TI_hPE8F!W^!-r#Y9BN?(U~T%H$I
zcTfC8-_ku4r)<BYb9)C@fcZTb8iiv^d#{ladGxBBq+ApG15T}E716<K5)f-%!wL;0
zfak0n4l-|P>{T_$-Pgj0R=?Kgl37Z!ed6n?G5b>8N_d#Vl&*@`M&DWA2GzDS8T79d
z_&;k_2W+Wf9#&a|aexv{iw-J|yRkjxDOz;D+WAYS_YUc|Y20pWd~bR@?a!e;G#=#-
z&PiM7Q@+OdP0lKM<ugg7$|uUmX2+&hM2We&BcLN|@aHgwkbGz6&o1+^Gbb?HAQoY%
z@j+>_|GK?QZ?K~#ylxx^*!-KL<8GaRx~}_-&_XM~kRT}esa|u|<0;&lj$%pnS<kKa
zHf&Git?p~g3cu4YwX>dNtgZjRV3h;Bf&)wxW@)KVE2WFEG6<K!;lAk7<jpMA$w9e#
zlzPz<ZP7aBp&4DeI4gNRemJKgGS!ZdviT3B`rifmM3*E?DWsWHt6T}90qeRDV`n4T
zRdBM{6D>wvj;B3O=wBpV_p@;zCauBiq9KX}0Bl)RA6F`J8E9uN&QiQpD_pIU#?RhY
zWALvtr-MtBs)N@HW&qY`VLsE3_d!_t68HMiMiEb_$qi2h+&ddziNq4Jy#Ad3kKB(c
zkU<i&qPE{#Ij$F1t!*K89)g$ed4BYfe-R~TfNyXX<<gt0?*=6-IwC@4t~25IbHE*m
z4Csi7!JJ%rx`o0|>ffIgXjKY7^gU1sO7%m<MXvBx8i;u4zn1a}{GY<`zZYgV)#M=E
ztVtI`VVyVZtPqqSU<9_YCI{}9vA4Jqt+ZdxnMX}J?8(L0T&QpyJB-!F)UiT$?9X$y
zOrhQWUO(q~qS)DjvHPuc&q<xSmj#f)VNknh;cFUbRuW_>sE;{a6;BJD(6^{NPtFFM
z?~{${bR<=yqxkqm^K*2+zz2&p;wyZ?>I227(KSAa^{y8{J?2OO$9$5c98{;k_B{=l
z&wuZeT%Ew_YrMRFRr+(g8A~OD4z9A<t8@5gUKKBCZk8c{f7=fnTYD93IO-@fhp7aD
z_(XkOgsoqG>uL8(ndtown(*IW%<+(_RD5ns-UQ%VX%&W5ru^chQQ?zQRrnEBtj>GR
z6gVIkmME?m>F9@F&^PZ^G6-{1k%m8L5*lz`^_vB4*9>Eh4MT0fqik%7QH{}!&;TbF
zmB8-69TRAa-uK=F&MAKXzjb*iWuurvPl)ZUs{+zBY*QB{k#NRGuu!GBg1d5KAV+dv
zXjvBg%-}EWgsl<-QdZ+DD_aH6Bh>CnrJcoAns2sbu!BI-V0cI%DV#XR(i4l1kJ9Ku
z%5IDB-?npm5M>{x;ysmmFnE%s^^x$h!3bRV{|ki(D*d$z$0yKKAy;t|fc-q(wtV6H
zqHw}vlc7CtG=1}y$uMLe{HCo-&Y$GTr(bra@yN2lcu5%+SajGWJgkO8GB%tVLkqV~
zF{P&7u*p1nz|c4;NLQSmS(Q?-qU*TAUu3PP;{N;}Y|HS%LS!amS```YsHZL(qG^>M
zKs<X%LC2q?_J@sH6m~dVazHQg7K80{IagkZ<m7dMiYvp7v&i-p$4!0N!X#Vc0gayb
z;7=}>D}9e6348Pg-@lR)>3*1RW(3EE2BMX6O(IuEc<bP8w_;^dFdqju^%@@%4n#EJ
zt!==uL*BA{pe`&g`wTh`5la^i>~s0wjPc*Qm`9Z5$7PZhg^fJcYeSh#&qAF3V9bH`
zyEHZ!1;a|Y@eJyxZQMyu1aI<Wx$Q&;J?m@RrWDxpd+;XdOIM^0%z3Vct9Md`loEO1
zKymv`g6L<-pb#F~9qsS2XJ5BE)*sTy$xM&leMLK3(lW!4ASc!)-nzyX6GelWY|d~&
zK?5Tg*oQ7+aQtSV&U*|u3p1`T5a~O)4n3dzVLx<}d-+Y74Q7@;i>u;RyCze0cH-u|
zkM$Kc796<e86N>%EOh48&7v8%qKNiOmVRi!j4A)I<<*vSCHd^b==MDBDp4%p`^bxV
z3`(PJQXAoY2+v4d9CZzI!w&~>UucAzEb>Yu@l6PYy<_1`C{tN*a#j34@$FxnbJtU`
z%-PWMTA=bCOUxeg;^<;PGCRA*>H90rwgP#p7XisfUGC@=m%RbsMY56ZeWSNePy4m8
z9z!g{QNdPPeRY>SVy%DY{&^QLwu2=E(p_1$=OtOX^z=r`ShGVcNt6Y2bS{{)?oDX4
zF?%$U(~S9cpi#6l*<w}Y$@-Ls`5Lz{konMUy3Y?8W!T1KGq5gM{3OZ=3^yJ95XwLw
zaQh|iAnPH_@~hrwCMgvGF6wKqSgxx+=(TO>i$o2~A1DhY;6$4~&hAW#ATk}FT;o}2
zrv{ssM7~^R@OncX_|XLxi5SPhIhf(2Go4)1Aa^}oI6N%W5vhQ1p8L>TBQj%u21Xd}
z$$YznX`7sM{Xfy~f8yZR@TcGSyH<5KUrgm+TLiEVC8G6e7-{6}pMUG^9akRF)v<Q9
zlN$xtT8RF47C@OgOn~O4L5V+468)tusZAkHr)(SrUdTx|zWNiz*s@C@1AM$iGAph{
zs`~gT4fCHnstcaWKDdF3WTI|>CPIN1XljbT@TkvJTb565YjJ6e7-`LS>AbdXlRArQ
zF1RK&r;gB~s-b8M4i7Q9-#-1p`1Nj@lMQB(5I8Xj$`s>GDf=R4Pu`+K{bK_K2~Cyv
zuT5v0khKY%8i%ci^OQJm18|<&?)RK#fp~GmPFwStm8LRsz=;LVcM`%PVhys(RtbjA
z2PeamHoyE|q48gkBzJQn9n~5>Bfz@y9f8n>(j{P&0C=ykd}iE~6XjCJz^gGC1qwed
zA0PKTE5>mzw(8=dZ%8p^Qcu|0px>zQEekdj!R5ByXe;c(VqZ0A$k|>dFiZ&Vq^GdK
zdn3R2v`{Zxt4zJQK*ydvS!P4rqRw-zVKGZ@w;}SjM7xw;tO}($dni-HUoO(F9Ssy^
zh4cI_$H~)^eS6{RZ8YJpJhYj5vT)x5=BZ!tZ!2%wmDfaSbNC)&wJtMU7in?!2eKrn
zx%1kjIXAGbB@@#q3uz&B?CLkLj<wFGC7m%pGX9Of{qIVZq=@~vIP?*t@Fmo$?Wj&6
zp(i==TTK|IWQ@Nm^CgzoRb$eUuB)w`k`bRU#v;eHW60+%c>aE8c}*{X=#g^MBFrL;
zJg($_i0(!Dnpe(r2Mv{M$F`{SWLDdtLPx5i{2^{z0a@v`QN!+Ff#$OP(=)P&!F>I!
z@vkUm#`l}D&&75JE;aAdB?T1mye(~FxZ0CHmHbs=JYzdT!%QzMx0{PknG_3QVu6nf
zKK}F?kqlOX=(ql`d3kWoN&UJ`NdHqMeMb4AKK>~<{-s9>bzpknx&z>{1L=-=-=`hP
zz`le3H%LyB%S)<9Y+T0m9hJEl<NCfs&mlwoD-Jnd@F9O_EH{ux3_G2Fpd4Hf+rnfU
z!H03ExTC&ek@F1%8{0ua45C5LMyU76H#f4H3mhH&p4EPIcWpZRa~G8c)W057ycilu
z5T591Bqs)P;_0TLdhw6kpGr%(&0)bk>Q=Ur^)CD%agsqZMwylG_9z_c40;Vl_UpCC
zOEkB>R&F;5KlDHR3MoYS4Z}M}(@SK3*t0VbP-mQ9;H{%jcJTL_Q32iV`K%b_Z0B1l
zYid>&Bm!n!a6&i`y&V2OlOz9I2*r}8Ms$+hABDAU$;+ucI?s18gBUh6K{+%$E+emi
zYj|~Ycogmtx<D`aLB3U*bgp$jcxH^2$PjC)RbD_#-Q<E;l!GB*XL%j(^r+;f;zryA
zWDh%EF;FM@WZ*WWzw>x@?V&)m>Z)WWKktC<n|VuC^&n`T?Y_gif)m4MQRI##J`BP0
zB*89(ppI*`PCioZ;ADA6ztgR-`8F<5lqXX~{$U=oHM1fJ5accM@`G6VsLGz`Px?>&
zK8|IW9;A$w_BijFuqkc2)=;17NyfxKtnmL{&Z?G<MA(m#U)PG}0C*^;$!l(pw*1~j
zKw24hl~(L|q}#njjQjNfzMDwM^k2S;0>=oCs|v>1xI29;8vh?#Ul|wW*1c^KM-T-C
zrMm|N>6B*Zj-iz9p<|Fzx*KUEL}D0X1_Wk6Lb?X&7$gT65NSzY{?BvHdpy7AFkkLZ
z-1pvlt!rQFT5Iq1#Kb3_Pg*u8<w%m$v%hTch~Gkg=jqyOruq2G^qEz&ljX&gVA`PR
z;4q5`*O9WHr^{iwzvxMY2cJ0iw3qh&$iE`n9dBe)jthZxk@!nrtQMNCQfasN<!VLW
zQem&0eHzVzk&VAa<gV+v^lk4Ac>KzlA)q4)^vKa!GpW9zAK%#WgtRHMWSkngSM0we
zc-<bFHQt9q+Kvjc`jxx(AOab4WE@}HwD9+e{`bl88l$9O_rD}7Imv2{M-x1ooI+0<
zP;ptm!+)7Kh>$uai~fUlaqlPf)Wu-uBa&|ri$HYz&%)71mpXYAl8@UJ_wu+Y(-&u8
zSs`EDkHSRPB{6<a@rQmUQ&0_tGg@$&%#1Y9KEcIV)nD4<x8?Ym%&A|>om#{<$z@Kz
z`}~7<%73q6BSBN-{SUZ$7HJ0&FRPbCYk}Rlr5RDc4T=ZhLQ>nyBN&%dy<4dsSBfEr
zhB_`3$$rTY*%XL)V8e#qn`o)nF!smr0P*iR6h`A#-ZWTnJBsrr1L^5Bg}Ki5PLZw#
zmC#A%<gPJ62%1qbE})H*JRoPgE4jIvH2j3oQ_UdGpH*Xzx`|g!YrBV|mU8AfDRw)P
z<7D{cckB4S=QxI>z~o*OwCI@XVUeE%%p4(A49S@L*i;$h^S~aPiKrbGny<ka>}D&x
zXRbKc=HA*7`?a?PAs^iauc&w1aayQ6znVTVDp7aZIY)RR;-$FwwokR(%N#PcS{RW=
zTJ5xq?rdVyFXzEMpJeG|F7NbMNidl-EWg&}t9^pIXu<JHx*DD?8c1Y+vzASL`jn$N
z|3+8=Ol9L6uzussy?Zy6&L8?c8n5Ej@X_r>*6FhNkC>Z=Xup^f*(mdN=6UDm|Ipg;
z*Q0jA9xH{#Ii%4YOJ`(e%gl1MM26ixwC<Ao%B#H?s|g{Z$8R^}9tU$~__a>kKITLA
zhdn<L{0A3$##AFtpr;&|e!&%sn$nW5KX8s|z0kkpFz;AhbPR;G8g$&6IyC61<h_ur
zCfmE!0NlgVAK+TLCmM3bZxMYTE$-uDdV#33VVWQV6ETewOGsA=4VDrcuB#;brS0)_
z39rP*Byv<c@BEl0=%%JZ(cxmJ$Q`Lwe#i!&1Tz^tIe86r<UMIzG2DtHvU*m?G_&XU
z=Jg;KsggwJbL~ztlpEi{C%kO2F9?;;!F$Y_ORKeL*WIv$rEa#qiqNE`gg!*$+MO^V
zE1i`B{Z-=6kFK`X-|VdsYBs!DHhTBNT~7ZVr}*7)qnt|-)<peUB^LhU=-GE95lLRp
zx=n==u;>4jTW#++63APC48Cwx1)oc555fEl^-gRpw)Qh8%mEnblh$eI<iT{LyDIZ9
z<>NhTGEbB5k&^nGJ#G!D9JJDv3hhQ*nm_wAphwzCcARZo?QvM!Nn2!qwL$*QYvoW9
zlEUNA4%(4;|BoGR<K`?9d_jZZ+8-@<?5tm})^F%eK5V!yRB3nHGt%-)u#@@B3hjN4
zH=WkUZt`qeui%|T+H}YXw`!H>H<b0(tBPm3fgi&jyWlZVg{$}=pD^-`R+sx;w<Zq1
z`aG@0mO1Ua)s?Iwk`Yy3%f0y=qw+~MF3qTyZ*%Fo_uDLiv3+GV&Cw27PyUwEmY;sh
z`gN(?KYuNWp9!X-!*0M|bB;u9S$%n$tYn>=;$+-%Eg-W0V3&FsNZGg{<OTry)ZTdI
zQhUEg)X(!Ezeek)-D{?m{lWAPie(*PJ5Xe*N;E5N!r)Lwo@y5rQ*GL1@0CGt;<s&R
zpFPyzBH`qDL4M3ygVecdr%REK%tPOEwQ@ruy;5~No`kZH3Q{|wKUfGDqAF{|vorq~
ztwLd~N9a_zKRVxeD3qM^ffRC#gRm|?q0Q350vHo+f<3hhsJ<JkedN>2)qA!c&tY;K
z<4s#B<|BaNJbNcraN7De&H3*W-yKEAD;pfL->CQv{(+`Go03m`%|myk@T%nybS7px
znDx#Q#bmx;@}3E~c99YedCH*yp6~v#?*4&*sGnj(GhD`o8fF2{yOe5(5dtN~rS5Tb
zQ=CfonBKijO)|wWm;2?#2dJNHDuvwR+{W$eR^2x`?!L_9VA8kL+Tp^Bhs$)((U@47
z44RY68zG<8D#R}x33EP@?~4f({Ib4Hs~KlZ&buvqFDRGIYGH3R^M`THMs}uAx|#Wf
zQbA>S`5oCcImD@6_^5O7$c5y8s*nB_cCNYW{zEP6iF5uO^v5W}hoL<n$um;Jy${K=
zGi0Jju?4@PW!ga+Be#9|MD!V*OYiox>bHqxb)R0XaJ3FDf8p02c~im`q1Sb9RrVsm
zVUoS*?d|khJ?>>YYOo5^tNFM#C5i0IL1f+XJ<X7=Js0Xku+o7NRYk`;&`Iowky{1x
z!`l|2wN+2r@6GDoD!%(@rj(qQXE^3<y-;#g$FQ!Ioh%tX%RQE?K-z9hN1V{xej`po
zr6M)>2Iq;sCA*52vBxV3Bj%1TL-#~=M=O_gSY-63JibI$s4IK}H4^K(6zt~wgRG0p
zKX_7JsW_`qeqicB*yc<-(KQ%db+sO#=w!zd^syCnmRH*=A~$aC-mDxIbtnDd%`YoC
z$!^aOzqoynd`jJw9{0hLhCLNsaMC;@=1wKftSQDR6NM}7pPa~_&o9IS_%7>wT*-3J
zK3|Y>o5P=?ZQA=<q@PQWx-ga%g>=diiQk#yNlkkm>fpGTd_#}0gvbg>8!emvEv!$R
zl8Y>N+}kv_VUImv;?uToQ0<vAf8uhMa78a0=EDcep3b_lw#IgAoX{M%qNRiD|DCY-
z{Z|9I^T8wLqtxJ8RZ?Kpg#J!k?m#7w=_Y$cCew8ZAwOn$Vz<{g`FY)oZ-J-KXHh@Z
zx>19}zY<ZxH|wDv?>AJ!-jHc)KhpZfs`0Q`n{PRUK;#wmXZk1+k^=Y7{u;UQF-%?l
zFYd(G7ZI_tvc`0CEOXy)I}5#~xc>3sTF2e9bDS5<bIRBbN_i}5cy5XbqNQ~$Fl#xk
zXms5D4hhhAX&Hnu$2+!-m>8hvEA&UFap`9r{5vj6<t}7_*_pjia-JbR6XTh^u@<=d
z7RDqVCNu(*lw`iY8^ncCT|Z+~xb6grsgyf&eiUmhqA(`!s?ikfNM`L&=<8X1Col5z
z7;D79fPdu~qb}D2WVgvQpsr8KNTsm&hUe;vdd-{m9m1Shdd`InD9Qe;ASj{d@<|?Q
ztS!q0Xs$TcgS#ClH{)(kmxk_?q9nm!$u1Edx8tUc8=|CkLubYCoG$@Wu|aN)hrBlQ
zH*ONVxN+-2$c;PX1uxX85e+qs`T6^h@1-lzL5mXyS|*s`n~bllaZz1L4m{l6<HxR)
zJ!xz+xXJkII&$36I=oag*)^3-OrBgm#|^yP>=0y&eJ8h;BAm~-Bp`_OSs!VT63;w5
zYcpg=U~WTPSpvZ<32YYKJHkPop7#UyZD$MOq>R1UzZi|v>aU1UZwhGlI9>o;j?adM
z1C%;|VyeE*0uQHT`!F>iJR_hM?psFAe9rY?+{PxW74i=y1d8$VXy2VNV7)=iO-K<W
zewZ!KuLRm*b2@qN*=A(qd(>VjuS!k??kY-TQ`mkQKQr*#9R8afvW5Gwwr%29V53X=
z#A+6Ac<X6r3s~hu>9DiOM-xHaSQXH%p?aAXdgIPtlQiu?khZRJ>^nKOdsr%(bQw54
zHz>|X*~fJ*9(Z_;ps0T=4IwesWL%p@F4nTFkIge!+LwmsMfyvi{NvZwC&WnzAMeGl
z`}hP|+vH7Q>@{q#P)Xkc3g0eF^Idn2d}`+<iF>|7vgedEu~<fC+r%s%c}XIdnPj&y
zihUl(p(;D4fV-)!OWQ*)6DOQ&s2iUOdemcAN~v1(AB~5FOHdbwZUF^h2S_87SY(&k
z^7lTr1!07t5kxp^rzPdvC`sX%#RDYW6STMEe#PO-DC^Xq!Z|uev<2NZ3GMDHy322X
zg>M*=3I7Snfw$qF48Pe%WXOp)G%9^QhCK9{suOC_p|~j_K>?gigHr3gO4tFCWRc0&
zDUaOSmQc_fJVFX&pG?1Fa@R?*fM}HA4rVz`Jw&r$Dg_zq!3G}(XWNdm(T-2J6p=W{
ze#v-)v9-pytN8sdqVgSm%{ORZtvwJCCwwws*+mnottxG7QB`t3cutc)!O=b8)Oot*
z6?3ji5%6Vi{D-?5hd;{izDx`dj%-av$~-2d*3_E8pF}P<@cmI~zG)5KNTJ8sm~inj
z0vi<yic8~Ad_^7&(oiHvG+W?cK;hhq2b8?2bOp+HeCOTC?MCLSL*mL{dnM^lPNcOy
zrn6I^Y9S$!`~TlZ=-s}sjEdP+q}TVL7WGxVH-N}|VZ=pygHYorifTw(qDd>qaNLrI
z@5h~Y2{P*(EHlgpLV#>W?UkYHR?QLfcM<Lk-p9RESxWw%L6SX`q~J%IBNd!nzQ}hH
zH`fWvjc1ca()m7Gjahvbqt{d!rtC~1VAI6Nv#R-q<!v|4A4<w7-R`?DpeeQ?0^Osf
zv~zgbNL`<+Ixup0BdNh}>Ia@TiPd>c8WpC+)*-&eOa}`T(7f1ets&8*y7u@##COHe
zx5utR#$>sg_XOzz->PtXJfCYl?0$zbAJ;s7UkDR~gGEXHg9rby`fo8x^w~E^@<=up
z1DUeXyU0@M{s8ZzD30@h=KKM9zJOrr$%Dk~CrP3Xo1g|Ms@S0@^yM<)vq0zu$zFq+
zKxCSzVyx-D5q!`F*_4)fca?=i-fEo8j->!S)@qzjl>C$HOF7mTojY|t-@Q4c=~M))
zPvLVuH_WWf(gV21_q=rZ`h)!88u7SJ<V^eOLfF~5OR@&bLo0DeM*E{YCxr;ZYQcn*
zpFg&(H3OW3w_2V29}r)*>or%$w^JP&aBfE0tE&Kw!MW){&lE@q%q-%SDv6u{ShE&y
z)1x@De%b$G-+#th82)15qC^2Qv$(mlJA>XGI6fFV!R%h4=ix%abx+k0%>Y&L%|_2c
zkSY4&qfNEt`C!h7(m_cE->ZS~v#y*u#2?k!^wgv<sUEAf3FDZlR9S;Jh=!@|3|w?Z
zTfZRVRq3Z~k^L?9+VuUE#__%zQ^rhy)Niw4Ev0Xna#(LmZ)vs6S4{5ZKXP;^M%^rG
ze~={$t5?ZVZ>BNNI}3eAa&>*j_O@!^)=_DopCSo-42zNL#Zl~n04p7-LTI_dNjCFe
z^3qWz!9RzK3skL8SSkCaGLGASTknrZwr7cpo9jpC<(HSu`cI4<1&x=YslZo{(+`&6
zZ6kC3GA^#mF86dubr7d+Kn-|I%*I*v#5!fI*wyTO4I3UfVXZdBsbQRE=pIxxsyocp
zLf}4X#M>DfSTU09w{3@(;BS_8kwg{s@#jC#(8V{jK-h)$5`PpQrku<m^r-x_C#EhH
zD@1ibOPcTI_|)rcsYLuG5H*IT3Sq%JeV3_XzmnkEoAJrX#^b`l!NHQOHu^a03N~4`
z#VM%=at;Kt{?Rf!_hWl#`SS7SV<<(AVRu3w`TJE#q{Iig;3okm4$zT*x-09m)x;FR
zTESJ{mC5MV6LDBN2YSBhh*FTS6zhDvNLr9*INjt4H1hNI^Zc<fi;m&}vd!5wBruSc
zu-u1X?5|v~-I50_lRr(mqg)LI8YgU2ydf)vf(8M^;)+Gn5~6})hNr~5S8$}nK0d~~
zxRv%^nR;IKqHGe*7}~2>fp59PN@+Gu*iVH#!;5o$Y548Y7H{;eg{P9zma?btelGrS
z%-dS8g)#L>#)FRg7U{CIRy4&yy-jb2nqF+adJm%j(sHFZT9&V^S1(jy1XW4!H7)(6
z-6Y+ym*3*MOb6b{t0A<Ci2na374jKL;5Tz0GtYc>DUw~Fa1gI-I?+G3_~rWW!vM8{
z1y^?P___?{LbxaGS0#&<d~np%!4p^<^~f*Yq3Eg~qoidvt@@NEELlZ8>H<BaN~2=G
z;@1t5Uv4(>c3bhC<cQU#qd&EIEcfm2%NL}rU+MB`oF-Ba#k8Pz7SrbIHvL8<uG<Nq
zk-8SoEsf^|B(`1>mz1R<a|D}3ORG-YYNpco(S><RNQM_SKdboi*P4&#CnEzmhDWVA
z30bgnGBArWj$H4jye{MS&&E2rDXB2mJ*s~0v=v7-xn$;IziiY_tub{YYC+A~kr<_1
z{J*XHMks0Mq_j?T_%$*Ysf>{9?5+bW`>!x`6Lz@$>a`)jp&biw^~=&_?QASBsR+9N
zDOGA7Z$MG!@Q73JXV^kusi@A##kiBIfO(OqW#%*=F_#%vw$s+J@qI+o-h=Pvd9+qL
zn%j6Q4fjvYW6`vs*gx2s2&;hO8G8LjOeR!r4@F#bj&76#sYI*sUs%70l#pk#+6;8X
zuc7FfcCI!N7D}RhZpH&)SJ>e`3Z<|Tm_Cx@fr#g|Htn}DweU>!{%Xw0_9u}N$J>$n
zv^In%MtlA_gKr%rIC7;GJv>n`*E*_Je8ryrl;6PVgtq6m?V0`=_!fE>j-guL-W}1-
zBHz<<jAV0jBxQ%>_^6s;=$4OOcjpYqgXfReIkdMSuKFoA1e@Mt7kzm2Ql7|_D7%;{
z=QxrMk%{=2JIo1sZ3lqw!4KL%tRMjrUjOj-d$`7ae_0L--4>c5o#!!k@>->x_RB>(
zfhIK!G&bQW5m+G0+=g;cG(ohFEidtgj`(#({623qKP<?JjO9B6$yP?t11X<xy|<tJ
zvdH9cAGT3F*Kn9bn^2Y9ZxKb&SYXs$=z`GkyxxfMr7y)ZMtfzVih=8wA#p(=6KA6>
z5yBr_n%=Lpl9T*C=xUKWkY5BK&c*$n$^1o!BgFRZB}7B_95vlN&q!h2`qCyekHmjq
zjk#e=<^I!GIt2g|aUN<!Qi^|KzAjKS&-7bgB*V2|@znAU44-Tx)iN6yznG82B(cjB
zvJC5F*$>X*GA|UFUvE>lvigFSA9W|ErL2gtK2?HHH+1U^xs9z4Tm>j&)9@<oMps#n
zXw8ph7#B(UE}~~izfhTVVg!;uqYIQ+eFzpOebVj}1`;^n8T?2OVwV?gLbQpI1N^S<
zyJ7oWB<5@Z;Rp6OpYuRQ2Rg-5@{jR5B+e0tYK#Rr2v<t|n`b{xe4)PVml}L79!!F;
zztXDgOa)>txX%Jxee*4`43MBLAU({C)N?a&aLiS_V2?RcgXf2NbBWEHbYc%0t`A;K
zAUZfT_%RS7RTdugIM_q&Cww^B={j$y726(F>rHcZ{@M&C$>O{GrGh0TZqqaps~#3l
zvodMd`?L4g$$CF}Z|@0eqbN4R+v+HMhuHB;l%6^6-B<|RJA<+cwgS8xASa(UO$sw)
zrDQ(thQIwXX(K)*?n(zS*d}t3<1i4l6`hN;N<--lEJr5{e47xKi%m<piV~WwmsV3D
zl4Ky0+;(DAKXBR+4jbiW%Kn{#3bBP^7K=^7^*C}q9-g}k?9pg?48^9X>>15ypE1=5
z7erT=ubixtXh)=0YpUJ`Cw#yTYyWa$csa1)?<BPjeO+sVlwO`Yp6D)`3Wo6P4z(P(
z2jpe&je!gSw!5EvEvCZ=xH?s`j8W7kmXn??;+i{qRI^NefsenC+KPm;Rbh}m{EK5o
zBNAJmp|AIK&bPg}nag1;`Jk*>;%&ls`xi>?nU*#CP;%JGgBU3;Np@!{FN0KHGI{Dl
zIhlL1=RXiTar`;kol`NAyOH661k;f@fyxRbP+A7P6hn+U<|`~M{O?#J<a5;>NKj+m
z8tCBDaFQ6K%z7VLR{c0B!#4BWl{pNH*aw5d!`KRtqOp16N(WKd5B6uTVeS}*ID+gP
ztQ!DUzT~`}Sg%7sR1ZYJwB^z{`iJrdI)TJ35@X^$tb-e;UeHVQUjE+up7#_5Jw}!Z
zPZGjXQT{5A9o(P6(G8xFQR%EyjUI+^U%#%?fOpo9swsfNyLbm-Q(EXU{7Q<>BnT?U
ztLVG)dnL1)O~LqMR>!8B66G85?>F$G&m>dQ(IlblK9ctjQC}JJk#rG~(s}{?!(vyW
zbbqtU8@GJE+p~Qs^;d97p`mGP11oukf@EKm(~397mPB24qG%qXdafgl%eN?Di^FxR
zhTM~$i&^T9oUd_GCV7h!)pMSiex9E`79blGQfzyX^@88C<D8&MnNC?0*nPyF4a_X%
z&2iAz6Av$%r<n$$inRcjPa8#RK#u1+cXZ=qJDZUbDPlRT7YD^u=v4LQC0yMz&ck<X
z`Hm#9n41p>DK*LA<7SYL<ActyCl$cQqUHhj@}{bF7FI+KK$_lGek8+vd`Y@2hSlpw
z&_H^B5)6CwMnpn)Vb{x^>y>X*7Ti7CH{N+q7hlPMB^E8SG1bNUd-UI8)C&bNYstnp
z&d2E7<Q`gHeRc`%X*du9d%%LRjZ?|~G7cl9_WAsRW!k}MjlmlUikbqv9$3lSTf9Sp
ztMBr6ovXEZbX3oyqqKp@>nrTzC9`u*;Akq|(k6@Y?;x|USju0^Kc9-X@eIkR9_-AD
z?44QneP4Q{UL6^e08*L>r84Uw##9XfBy%0zH>mpRLm>1ZMRbU3;7h-$V`gP1Dx`;?
zzb>VhnABwwl#p$pwn0yWb`|gzc^DF1VzAk6g^Oj@+w|PUueuzp@2x-N!v4;uzmdok
z9x4rFNOvjOfUcfUUTU~tpBXUsUC53sR(<}_Ww`0<2OefTnzKSn@Mcpe?04o=`gu|X
z27)zK<H^KN98cxW9uPh<Giih(F46NS0b0kMt)@r`+hq2XAokO=v7fa4v##{t;{#3y
zTfm1#{XM9mQAte3N*ApL;F(tzIiY^D=yp6E@taw>UU5xnQwUxnkCTnj=F&1D&2DqD
za-B!Fk2#pCC}*NU6Hk*i>8yKV&GGhN!dv^>NM$Vrk_}~Q|Fs>GKVUFW&;!N!ohI#I
zV^_ophZOd&T7ZBOp@x8Slmg^v66pVzkV1bWlnd_~tkg~Vm24cb4HxEfy1r0nX17CR
z$Cc}D-wiG;6;B#2p6%CF%v43rm17dURA0tivjS$0Gc4nlolquK8$Z^^A6o6YtoiWR
zS)Ht(WS?^H)UGI<1h^z@5Ypkao!cg#;KWe1;DtmUGQ^iy;Oyp5j}l+NQ;job&7^VK
z`{paf-;h+Y7SeBuVcHP0K%S}nj4<Umf8pHLhehqWme%4^siXitrMFeg{m4+Qxm?Lc
z1<d5jIh!x4JMCrXa?&@pUjQa_1K9m8t-$oVuV^pbegxIXGjc35tvOwS#LWY0+^GLH
z<r}wRl?w%e9rJ=AZ3h8ujdT9W(U}0J#i}yg38oo4;es{9<W9Tty9{iIZC@CVc&mUF
zQa#2LcXt+(AEo%M&Nk<jHU*DN!!I3rLh}r9$MXA}q)d|T#`uNC_Ow1hn@8b1x}<Im
zFvxQJ_j`GF(+A|o`Vu6?G23&*Y}7Is0aMKg)zl;V6c?&F#?0*-z1|x)tFOPidm`_>
zg_(o+r!poa70T;Ck%VMm^pC=ns+zY5mLTyYZ~S|PdF>^0<s$%8yvAAQ^S%a2?U;|%
za%Z4w@cCDhW;;5|(ncx2H$CU=I%lB_Q%=b*05+hr6#oBH%>L4ajJ$3g`&xk+P0p_+
z!gEA*y}{&pp2Y|;e7;sSQsTYdIa7ecuwHY<vxmt=SUX5QF8%Ay-t792)6T_UOT?90
z>|Jr+g!MeARnsF+0i}imnR2=7?`f(NmTs&o6LdAH77(ghVF&WTq`lkbM1OJbL0nm5
zhPn%}2WQiM$QhzCgYxmQ!W3lPjbgk$Vi+B}c^o2AO%-YWRPqVx$r?46S`n30=E<E|
zi6&f*h4dq&cV?-~u4J!3F`;J@T)@@PYXyg2)}y|haK--($ZVGA+K9@q^Y)%|kvz6V
zU#`cSiTfNLITr-*kvuKPu^J4}aaDHC{VlF^`$GS0cacu@Xy!Ch=@WA!a&gAy{=*}K
zM~Q6gNKs{ngr`IIc6LvN$XKQvu>3-_RIzOBaJM>7j;4sgP?SF3L5cvtSA{uMrH?1s
zbJPWJq{-}!<a>Bj3aG5lt->YMq5oi}(k$PB3_D;y@C)t#f<}%`jb2uoMP)dOtzYbx
zKk<x6y)pGx3%``@%v=j_TYj-u$c<P|*vR$9`Ac-(`pm(s922D;=JTGb>D;SksevJ?
z5(7)bz7vO?3pCdXzu0hiz-^4A0_39$<rT>J$g}&No<w|s{4z82qDlQ%S{>q@hiG7@
zpRj2n5nTFPMBJB*pbx*rTsQ7CFyBH`SFR;ip=^*&=~o+oHI%;`P|DAJrWvj_c6~|w
zz0CFJLOI<rk9J9pF&BCx{w^tR@<?!e*dadDS!9AP?&dbK#>Sks3BO#m@x8)zpIy>;
z1<7E*5byP(Umdo>zO2xk$m=j?B1cL!cAO-9pNkpt=X%lWl!q^lJ%M!=X;f*f8d_{(
zy^%uB&FvFn>P#wc`(qe(U+FY2Nth=)@4J2=$Dj)jEF1YXXR8%b+1@bUACO3K$Vff8
z{8&A}tEqY|>Q<b{r$QHTp0HgMe&QuJ<cFVo8m%H=Mctx>MQGRDndTnCqcqZE$239i
zZ{@_amXPSutnSEnk8)vlcLHM0a8P25i<@=Ef(-_H>Avq!vu0aCJb5IA_v&)JsEV6X
z)1p_?$Qdx^5@_UH_nbKI@mZ+=MeNpYy8JO^sn2+KLSE18p52H=f8YIKszqe26}G8C
zP1RZZ>8qF6F40zPp|PzC)0052OG0$o^W1&KCDo=6>9A5_3bQoC@P?eGz~+4;lot<*
z<5-`gMCzSHHK-iSlgCOPIx1W){6Iyglr>UiD)&a4M`ZJ;H;p98qVhbvH#R@?aUVc3
z#PMk2PLY%}X)H$2kpwRQY2f?FZoq<bJKi?f4}R=9K=R`JTa7cMTN}FjyVh_cR9YZ3
zyRg<Xf5UfUauFIZa>6=XDqWSC@&M@+Als=iZ?dk0v9=glkqCuf-!YIirF0;0-o%z$
z1T{jQ+AzBn8G(9MB<`wu4Gp=+JNT!ia<QJ53Q-*2Ny{sCU2fI+^^@zz^Ob!rn&+IY
z9yFe<De4epx{?3M#ZO3G2@hqG9JBJBXDPQ3RMmO~5u;*$E=}2b9MORC0a+fx6b7~8
zh6%jN)(l}c)eBIG=J;?neT8Jm_9<zZ+Yj2=<^r!vG>ITrHn$ZQKvh~|hlE3%2c)1=
zZt6rMw|jf|?cZn@@_C*0WpG(MYb8da`#ca;X1WOybbs7en&BUvcYZjS?qST8Su|2*
zU*}n7d@eKvKB3?o8nH#?OD&S|Aew4?1G#!Z)-RznEPEeE(t{3Ohvelz7N^!nOGS3(
zCm}b$+tWS@M*%1Bu4e1-R3b*0r-^*@&NK0cF!lYTkoYR7@W-7yZ9?ph!Vzo|j@}JY
zA`#tNW^JquDkR;Y0F}5Re5cm@I0kWhClbZEj10j(wEBa1@jxquYbm_Dg#qzxzZ->$
zWZavWB}x0ous{qoqSrJ97`}0`H8x+z8g*z|cG%KNol5BC;NfBuA=NVsEfR&grb<~@
z7>-nWJZ))A6DEnZPD_vj!x*QMo*<=uY|WeAQmUqlzV1=lL8jqzH3iCyFE`MH(I0f{
zf}PF%&0xY<SClVu&m~KZpe#lH2VVC5*2nqzC3AvBv~k%#vrgXfkm9q5qGvag3+*M_
z(i?Z~X{u}*d7ylvtv0DIM~`T88(hU7sIF8Qs-(Mm?7r8d>H(}z9b1hDBbp-)Tc$9^
zTT7;YQ<0kl&aSu6xh@$^rcQa7RpUlsG1s-sD@oH4@b-Kmi-YV)nd8BRz4?d6`+NL_
z+osGZ{@Td=pZn{E2M^SIE)+UCGb(GHo=yn@rvu{0-X&NU<zZug*01f%w+J_kJvm-|
zRZb@XP8paxP7F&;=YW!JeZ1{7L+kO@rtdvi2z)~!;D?d>=s``4>+HsRM!s2}83fcr
zVrqpZ);g4p736yVvM~0_jLd#)3S+x;Hg6id2_?dOJHdnRXu^1%O^^+UR)&uASENtP
zUOhb0RV_G-lY?Cwu`|3&=IK913B2RjW;eHj5H;BOWP>$Zygr-$x<g~~DEGq}$st<8
zXlo+)W8;B-ARsFT;`v;%CpB2fvq<@cf01nc!R+jF9!YoG)JNRD4sDNxee$t{dGASk
zhQ(2$(0H!w%31$U6uu;#I>zAVXUYN-5;5K+#Sm*?-goA6$8MdF<Y!5q+}sQ0r9^B2
zw}%24X^CI+nxDJb*Jd<dqK715GNcQm&EO*S*)_aLaK!;_Zbn-}rnv>71<l)_=?P2(
zR`R8)aQ>Q$aGTR<sP<MFJMDSWaW&IQ8FqU83Dr2^?-JM0b<6-hVAdSjok1KFH~4!#
z<ucg5kg=#dBALW^ZzDy5c@K(oe3F^%rfpnx3WnV3b{w*b{XIQ3MHIlWuSoBlD!(WE
z>qYL?JulKk-sdR_oWKL;vx)dhBz-XU=NK}`*>kQAWRtu4mA^aAAGI@*GLS4<O;Nnw
z?6voWg7<{r1Ene0ZF9u>8}=727zb<;j`HeGq9H)MQ|Sp<MhIIUKB%L4Oc;szgkVnn
zB$;fD?*!cTClMbIhP+c)+a6+a4<PMr>GKxVG~JA}JJgyY>1V%AKDpQ|BNebn9F9gV
zE%JA;p-XwOnRq0(@}nztT)!n>@_YJJfqxy)Lbb6yr_3*SaB9DujQGrtS+z=QD_%6a
z*ng}e6$lc69~M7m1z^+q)7C@B@VMj{-&>x$MSZHR%`goWmY(2KI`9=YkdOl8O8#P6
z2FjOJUz2qmweH9{+q|U`UJ1@z-9m#*)C6AG)H6*Yf4o7E-cuwr^<dHi5vo@gW}r6n
z?r5)9HsDQhH{!&PxfD5^*?iQ=+05rC44;Zb6Tj+-5!NVb^GXW}Nn1@1{B)SWcYb^D
zDv9fIqU2bvsxgs+<o8uoVAIO(oG3|lX)!e1IXN;_0<!vhbPN*~i7M)8%<AWu0G%QC
zve`Eo&sLgkKMu$r_?RT-b2&a`JYb(w!bn*3gC<e3Y}o^fYF?MgUNOk9scK9BfU<2M
z(?V*WOZ!}5eidhoe$q$F8~T9_6Kzy~8w8^4Ve4@&N)p~ZUcV|H;TaAPfhxioiT8a^
ze^pvkQs~pE(F#Mewhqe=ye9^Vx!G<ywKu9%85AaO{E$lA8jRv;d(Gl{ejQ6Mu<qtg
zP8U1PP??iFS<1$DI(#{LG#jc%>Si8z3V~?N?ykw`ZcWAM<CXXx_{k2%e%-G)db?&z
zmvFEx&f73#{A-l2+y8e${ZsBi6zfLLhmxFi3rQQ*+QxAv?3`%Spi|LGGJUeBBC{{D
zDesEgQ8VpDA=V<JG>`5`rEqM%nq{3~#c|w@D?JgLm%s62>psiq*6P<`4(yk*@iHH3
z{}st>ameM`P`y(STYn+fLO`<H{-?x@aeuaPypY9r>Gepex)a;R<$fx9M5H{F_}Gs_
zwXCd~HgrM<9PjN=lP(`Yu7k$gFqf7mN%}aV!dR=oIZ0GO3&s$ek?Qym8Sm*)4j}l9
zn_(&>605ocX1`-psI*Y%>~80EEZyS%$amBCAj8uU+j#Na!YP%U8X+AqS7(p_XO&MY
z2^Xdqcd^eJ@$aY*YH;)v5VzwVa&Vd&+n2jeMub#vYt4vZ_Ut958x#%}X?vF9?*;@D
zFri!$D2i=g_ULg9j9uzkO|ax%;}cDn+^wUkm#W7=2RA?Ay-}lL8QL#9#37WKv`yNT
zl|D#?2>Wttg$U{cS{(#_nD5(0i9r=%C$FHLn<iV*yYKUHv0W)Pw3kUy{fG;C_!R8u
z`R@uWeGU7aBI&AO@vH17`$5?64|Q0cYUi9NS^^6ULF)!*#YkV5S994nzNPaHeFb5a
zCHIT<uK{;#c+F9YA$xan^}R63PPEC1K45*L^}6x7c22~+9b(!mPcYgMCJj+t7>$b|
z-6p8^0&&ETVs5b1j@^Q@%Bs|A+%y4YgEY%m((!XHs|@+!-Shiy9H{p^vvFpPEr;Lg
zmN|kgX750c>0_()DOb_AYr>oC>`+d9cBNE7A5Ee0OVZ;cJ0NQ6e*ldH!FW)cOEM6%
zi$(AL$~XEk`_Lv89+f+mt1}|162P+g)5(|_aG<aY8tVq#k{KUKE=l&!&m);Tb*!x6
z80vFgoLW^K5JdUsS2va>jJ<PA7vnFe9s-zbImI{WWsajcUzS-rk!wIk{lzmfX*nAn
zmWG1C^eu4%{RAX+b|Q9x8#C`rwhm@p=-d$a<-U27GVe!@mPe+@(W~y&X5tlJrIdGu
zXph>0Zd@-$4GHU<`R>hC$p;d~Gh@7fh$fp{`8O47ru~1GbNnYbeW}Xu47La>ZVJnz
zn?8*c4rU)(1hJ$~N&AfLe6hqLe0Ykj4vuGP52!Vp;e$ggLIFW8=9EL8jz!M-D@_V%
z@>BJfRMBwCNSy$rRKogKAM*te7~D4TbMDNs2$-nrJCAD|N6aHxzDdq-%+Alq@CYZW
zKd)+!PRMkwzguFJEK)SwXfRDB(U5=<I*cmVI0H!mB^og7rC(LrIINnQ{hM<aQx^1Q
z-&J*)F4mw;wpB=8Z#tcS-VKyfj6HNt2BEA%_kV|mX&u7Bl@qMJM{ZU+hG?ooZ>t(Q
zzIXKvdM$tREMK;pCS<OQi;-u+{J9LRhXLT0*e?Ap#gVrxS?xKz0sGxKD<ho6$kRgT
z*JB$XwPFwBE29>J0g*8^RIS!NGv<gXbb_njV<A}{&SxB{lVV@2-Wl+Dx~_o%Kt6%@
z2!P8jtJ+&`xK(tR^z|)I|KL8YwcN}WRdeZm&GFR(uMFLR+uijwXgS^#1D_jPRKQss
zNC?Q^<{Vf+)yKH&IoF_*1sZJ7R2l2XNrS77Cei#n?7s!lH$oMdUIrVwW{D40#v@q3
z2wYm1!4AoW4@N)5Bt?(jQ;WCubH>BHRYZGBM*i+*b5+t_3Tcslsqc=ts3q<P>8<U4
z0N_Lb%Pwk@@6iW&V=oZ^q|Uz+W0{j~CD4FSO7eq;#e}VF9K7!+7d+^WdEjI$c#-np
z2cGthZDS9reYKs#=H}+{MsVhG4$CoUFxepk{|zm?G%`teBfMbe`EIBsOA^~X7qznw
zQ#<3Awgd8ku3$0E&wY0FhmjN}z_<p}%2KsmqcVyAuZ~;`CDpxm7ztmM#-2oeOG(<h
zqj@!$Y7Mz!@m36$I0=h-{J8YAuIt;-l8UEfGA{;cx;1w2srUA39cEr{3Wl4Zw)(ol
zw5QT$GE9c$<}HJt*^2WfcMlu8m`S?S)hgC%j&F8Rh!TRU7bpudyz`yMRv7mmueh`4
zM1U*21ek@s)XlO#Wyi!9f_XF*HzNAnUAhj{--FYXK^ro2w}zevf~4f%_I2msZ$=PP
zjqL{iI``^h$t;Pd5^gZf|A)}?r{+_2^OlJVLVp&5gMOWW1s!>%SDM;z--8OkU70)>
zOIatn%A}-7-=4CViaxjZ#!;Fyru*a%j0V}L#Bj9L>+taU<s3`r7_FB2%ydH2&`18R
zcK!IoeQq&22#L9;?G#$ced*mseB;lhTypc1;fl}t;eAt=*KbM>I%!!v3VUJvJM;b1
z-zVuqolI9K9p+pbX<{FNOXJwG8QFAFHS>c<8I@o>`}`l_qgi&{>0LXgPr*+4><LW-
zWxenGH}zP)m1=MTqO-ko6?OV#zfOt%x;RjpQ9tD(QK@}z*gTeQOB{Ldd$RG*vY_d~
zJ3KAhb^pf-6Ab`B{yu#eWCFh6GpBAkL&lkmze(7n2V-k+UJzsIznVLHmvQEJ6p*FP
z*o)M+5+ZZ}W{e|bW9lNjtgLrz)9?&%AA8Rb-5&=OjMdE@P4wEVg>0JA@GWVRUd#Ng
zH2j5aHSg|t$O1LE`$$#z^WbWGq&gAXbB|nPR+}C-1u@4SrigL9RjIaBCP6d^rr3+-
z^DOCsRM?0|Zy+0+{P}x>KD0IB*aKt~j16_m&D$yakcMBIu=(Q6+xNw{pMh5TD1Nuz
zKV`mHb$Zn@&tXx!@hF_dud`xQ9;4y6Kn$aeMA<8rG_7sp3cHmVQ^|)2K2is=pfVd0
zHW(Vf*kdb#*e)+o&sRrR+=OqMV9w-nX7tEFDGTr+p}7*A`AIY4!9Qe#KY8KjHxE92
zdvk9roWfirc`Z$jmoPm$;G>|V$75&*M~X#$nM1OrIr7ZKyD6bJ?~&+4m@Z+7Bx_z#
z<~XoB6<-f5rEd~sh^yJ~bD*(;uWL=EyVwO$nKk4Yw#-gMM6~~dZ~bN0e77jfywLXg
zx<LU8$8%umglf2+GkJ7sVD#0PcXXTm9=rDIgAT5vIrUByP7z~M&YJ7U$VQhqd4KjY
zwWRvubR#_&4^F^kX2)Aa=$;P9t@s?v_J)No*MB{$n9^s~p{xsU35AmRO)CFuw6iQp
zCvIog*WU2upJZkXD-eo8vw->bb$!CiDj!NF_dPOri`9zl7q?RuM_XC8h+7!d`ZtN#
zXuxTA1*@^k#8ercqdBd0Md(EsL8*P<OAecXKl0OedFdv2Wisk=8964N>oI*5s+RN4
zZVc1J!<-%A0(eya&5_7MK5v#4NX2+y^L(<ELFkn3Gh*I>a(xMhDTbpsc^#kUl|iiB
z^{xx-p*^V<2%ILJ@Ri*}qI{5YPd2Xqy?Kzofy&omdoN_hlJ)JFx(xVf${-6@DjYCJ
z{Zu2_C2hKB8hUqpjir-t34TM9P&VwhXy?C=UZf9}(hP+*VHwV4*{hpGHb}}UI3RgJ
zv)o&=3}b|}@fPw|HmLD$E#=IuszTocwKE-$%mOYOnzO^}H?2`GJWey5#&w2Po2^BN
zH*XIAR>Jt_N^|3dDvS6hbpBEP9&mW<$_eF3#Ti{6`DttD(W_*xS6#0HCmWTta_l{}
z5lO%G(MEJ4Bw*l&m(t|$NkYKh7K;aE92=rYz3G959OSL%Upn}o|NPoXV`U1NbDi%U
z_Csgen4Xs8g)In|E0Axpc;^@FEoYaq6#+6-WL>>9T!49Z)}V&tvSn!#)>J~g*KR6H
z@nz2Pwl|WX%s7JOANi#J!ocJ;i%t=X#*py>jDgKZ`Kdn)UMh4US)9>-RFnJbb6J(@
zl(TuynJzuD`2$f+n09c)FGi!~@HAh5`B(79m>5-Cx+Nel!VNS>a=Ykv{pY`PKN$P@
z!O|+rSQ>w*bCuA&KGp0^7YjW*u%!9vWK}ugseZqkW3r~u<H0}j?H$a$Fj^1t?JK+s
zg}gn?Oh}$;$OVKQ{O@!)U6<C15D(FBx%e|zRh6+r=Tmmx?ANti==Xn)c^#i%(nh4Q
zMV869IL8uX)wWDnmSR6<$*PXx=Ve*=bfMCQRy{Vbz}dY84a4?L8eR2D%^Hnx?+CJo
z;`U2Yp>y|X1F4tvaD=~WvVS5adFG3O4@=3ve$30q_M+j68kS!$YA@ge3#_jPn!T+O
z`SlHb_?m_%emNz6O$}$MR%9cOwoZX;cQ4PjbDJSw$tB2s5!R6}-ZkOREy=x*wz%Ga
z2P}$%Vb^H-a>Ju3W2t2<?eQntad^?^?w%^=y4t+|^YuF16b#%X@q2mkU$bIFe~U5K
z2jftdeBF@O%CbBM*jy|7(NG}$fkUI^fWlLSQlfHgnt_3pV`B@(9wuq)L??7w;-(sV
zw3X%8AIi^w^cX1(3?G<|4d8Ldl<>NDhV^8TS}ExGy7kxAGyYui4Gx))zca@FSY@cj
zEwN5uK(akY9uz~S$rWU$%c%A!<@oVzvfqsQEW)VIY9a23y87kTYRMe4Yd4wtic@;V
z_{`-y=gB0B9M|zMLT>IHE~qqjblJy)4wl!I95&4wlJAgS&-rul;$CR{i;of91Ov^0
zLNm|+kLRiZEJv0#eWLkkbpc$_L^0Hn>X^-kTBm1qxg+LE;)Uf_fSd@E(A3PqbV@b~
z4pg}Y{@A@mGQ|c@=(b~1MCOu0gzi1je{lQ%x&wJ?2tgSY=0^lsfY#jPv~|{4kg{Cn
z)TYyPuv6{hWS*S`y%aUcy_g%ZesM6Xa9yv5PJPJknOJ|U{0~rsjWrQ!@VbgY@Gg&|
za7THm-9O0af3ev}?N+IJr|S1&g%=a@2@AJ+J)el-^|8m0zGf!tbEVSj?|0lmup96)
zI577Vv3Q>rn#tPTPJB}V(5*DC$>@d*Tt-+6rW096MYuU`694NEUclT^3?PJpfO8>)
zR!m(P=uU=tx-BltX0w1TSJAQ$NetdLu5;rgWON#nmrq~S;80a5*!9*SL^iUeQ7AbX
z=t5lx$};9c{+F$Veqqrf)kyKvB?TUkYMOf_kc$E8dQ~6or$pQC000HnBjp!au5WXe
zta-P062}=M?!@sp#T#id?XVh_s>2|-_({<^2R{<vKT1Xaocq`pfX;H3O66DvO;W^z
z+794wZC&Lf%}@M*fx?MDOi~k6_~uw3=4xaeeUDX71%oO#wLMJ7>fu^-HzS>XW+>Vr
zYG^a}j_vn}7GgsB2{OA4hTazP^4Lw^WUzUlVP>ZA>VJsdXW54zZA28fkVTgnj&CaP
zdQ9+y#q9h=&03MULOYA_W$DAr#>iA3;lLS<4_Erq@J-0T=Kert8D>;?-6nH<CL(~t
zgfSPXUQy!SM0?KJMme6plAN4c#a6EBo0c$@&%5T$X>=7QnG1o0*Zr>_ePN{UaKPsI
z((c*-cw~e&8>-tq?=$*rlZs!SYVrFZ-W>rv=E*d~j%P7i_5J({t&S0?cH4(|dgQrY
ziaf>QFZzieYGW|!I*n}kjPHCxHarpRUqgD`C?Vo*wEx4pUha^MKGm3|>g@;Yh<Zh6
zaddJtilvA{<&l7Bxc$CC#zbB9dTp+TCmPekLr6_n*85Unx%&^cdjsOI$M&kCytsZ<
z_xi%(X4RwQrSUPQ->dom+6q~3<}EQ7DaWSS1M_%Nf4P`NVO6$+)SzAP*L59AcESoK
z4E_U$MS<@i*EHf(U^zKFRbVtGGo|a{JE37HO#ZK0fX`#t=G#@L6@Bz3u=p9D>S|cV
zExUpK8w1$uSBqV6{9dW}r)NprDwWKYXH+=XQ(`Prnl-Y-q)6a&Rrm*ZDi0vmAAfQl
zRWHyva_6c%D?-Gu082{MKP~CoP-pPNobkuwicL95&9pPfIvn<B$>oXuWKw^#340bT
zG7T2d6~L?5hN~=vefj%cWSTx;$B{_CJ~=2-LS{WrJb9@kK8t|q+*tJnCSMgbrc!P4
zhTgk@JFjv^!6Xx2z~T*%)cA+c{-2HIvnA=fGPf}vg@Aa505<>XVqXjP951q+z12U8
zOH21yw@UMgpVwKFu!W8xevOTD?HNpRE8=e0r5g%K4s>tZ@E&n5)Zb<bPILne;^S%m
zmP`C|-vSX#Ut^AjRg@okxtxWT<2lLFBQxHL7B(qZl`Z!B5;L2EF;J|=+xVHN;U0ek
z=oZX|(ZS(yR&xe!nqS+1Ty-mAbd~yly~pxFRG4l;Yi?JHORvh9I($eoO?!M<iW{|Q
z<1H#x;QpwwaSi=xdw;)o*Et5z=(O;GyR5vVIQ{q@Ti}ps&$!7JGQJaGmMT2H_RGnW
z#l{+17^J^A%3xbx>P5|%FLAJ8rYUrP#Qh$TnUa9WH9ZPQ{8v5@a$TAaz1SBbE+|vW
zPEYY+B6WiQF?jZ9_ncu*t*=Uzr^&j>w}3fWh}JFVv5jygWnE^f>&K}*Ng=+9fmGwu
z=V4!yUUiH9i+|Gp>7RGG6Ra)04U>?JYr=*RsgHqzbWHh*DXvv-_n3`coJ!uKj0WAt
z(p9vCbd`N0e4X81RtCuU=Na76d&5Dq(pSpPbZ<!jj{o~%fIs7~nqxwvrBwxLmicMt
zqD>pH3l(@orH@P(QC0PNXx4UJF7qmWYd9w&fMSo*q@Ov4KgTxQcBC;t&VS(SP&9cW
zRmh2I^Gl3dwl9ee-M_f}1NNPzlDs#^55>-AE4X${w}li@kG$&Qem=l?d37Z5FipiA
zyYDZjd4j%t?UK^i&k);vlk8P@F6>Xd@mP*L=~8NTq`cHqrMo&!CLO0Jf_U)HRQ-RL
z$V)!L4I(yhf&GX-{Q5628T$gX1s_umhOH$nV0tIbQZyvpH|m5Kdd+k)HGc?YR%8LV
zvLf)FLh0b{3aU8gx2V8km0PNfG}p64@$a+b*HOMM4N915xb67ZIQdS!v64A?3f5=a
z&fw9Is-ik~d90doCCfpWF3>bRB2WGK!5!^bxBjUpok?e(R0^&RhaG9^s0Y7S+5Bg{
zpQXKE&UGAEbZjkV&W-4%>|->sa3IVj_<)2A&AqKq_<-nYvtGRZ>V3+jx8BbaJx(XM
zhIB>ZsXkf8v07$tz$aF;tuhT(4qh_lf+7h1g`}DAgkFQ;F%xt~IXfjY>(Rtavr@{=
zU7QlUAS=e-f97YpDdg*i^@%42Ba4qZ`%hPRJzsO@BK5ezA_~ijh4BjLlxF+RPjMM&
zhZm)n87j7XbYIUkpduB(kJ?ezB7$DD3V+eTzhj1bDlfp4-%sDz^L_x~rLkqI1gM=X
z*Q+j8ZC{_nrPGP2Y?!T5LaGz8f!mk>$w(TsD)#VJ{hDN-^^)HM0CTbiYL7k_60J@9
zKND6Xa>pwoH6E0at57X#DyOG$p#Zc#N*dGXp3G~zR=qws&XJ|d8)#PPs%~xDYR|Uz
zDIC}#6d}YegjKc#i21rC<eB&2WEa9(lpz-ciT^j2!Td5j^@uUq=|ME}RdEC7fC}4X
zptq>WT_{C;pl%-4w+N74v=+kH1X|AXQ_ag1vkBc$V{qx0zhnGxf`1-~N|X437*2gs
zrA$eh+7*Azlw|&$DWxr03y)7izuqtL-kg=l{2KieJ*L`~>5OM?qJnjy#4x2fq9ps>
zQe?HelZHvh)?GaTrLkh|<|ExE{LTn5CXR5o3Sx$Tj}+hzpN6l>Q8XF`Zxr&o<_bX8
z+HfU35;Qy408irAMI~_g!39uNF*V+oJ9oQT4qWVVuhR+n8Q`)^lP7H5X9B(LSm-!L
zw4}#0=>EUZyG&~TSVLD<0Tnms6o~UcU?85Sy-jJy7W*0FeF(`WTblTUdW9E)fbv+*
zql}Itf-?3Ouml2IU8W)W8qx|c6Z%~8llL;K|BHE)H_tPgO{Hc%dQ+dV@IJHwDi8_-
z5;_}t2J-9naGuDpVhl9FQB8@6xAo`p8Yn~4dX75^15vpN+8oc}TLbcw_yKIgbO)aO
zevIPJee@b9?3YStWH?NEJ?~3G3o_ke_){I1Rd{b+UzLd9-80cpRmCaJ7!<=UewCK;
zMeLbuF+V{?@V>DbG9(%Qs9RJDmb=EFp|{lDe{OBRS$>1_E%b+_=84k553^V54YYYL
zSCXN9*Eia7MXNm3IDM@tGGhb^H`z$o|FDGqpq&gierPyj4Tx9Iu)7&a1mvv;zVtKJ
z5PHnLRi!gny3N6#8*#{p{onVHzYSr_l?Yw&zq`W)0^w}PCRVjnQ79d*Sqn}Nw&d5G
zeYMXzIqbyx!kxeEJECSi;G}6fin<(m1C?LN6hWrZX%#LNYZLKqTQsx($j<(ElDO}O
zf+A8Il~STUTyzJt{4uEV?!D?H=y{%mXvPXDtaw2qZAQS$!5n?QO2p<=BVlw4O(rVz
zlcBSpOlvH(l!!TC5ceRbdXlOC|MY~^f7cUObCCx2eM~(EcG|LW<hqmIeq6msme+Fj
z{oY4{s&#6O3Rg5XFBNF*UgtYg@)*B3eF30%>5CAU#)Gys?)PWE2$U3Mjo^tH$VTPA
zd#E7^XTSG9jLC@mmVt;v7PD0QAM`+LG$YX9?aZXozy|!+6WKu(US3zOB$Zla37<qT
zjfu;z^60wjj6d;!O5PZ)hM<-<=pDkgAvZIt<ZF8oZZ-}uBCm*L%ymTd{kt>tx$X03
z!owVmvnEosp6@!BWvqqd(+?C(P{;GE99`Lyu(=>T!VQ+wj!m+?mD4lE5aVX^g^u33
zo?N-0t#p2ZGFs3-D#rg@4DxGfN8y|jh^rduEtpgL=zp&y>N??^%7X)-V@ds150u#_
zQlh$F!`(oq&(6zO8i~ccIj>IGOSU#*m?zU74?58s4rPazKF@bt1`Y#^m3ZyLbP-$}
zf1d{Z%Yu!JZUH)g);jQ#s#Rvt=bx$zb)OwY1M1?^O&cQAxu!EdY@O8AfVQXzp%;r|
ztaPibr988_{U+J#08gj(SGx7xc+M{kQW`IK>XIe-t~Vn{>c2wkXkCd$m~Nlh;s0an
z+vAz;`~R=HI-eA!DCA5|B{`4EDaI5c!&J=qeBPWoh$O_Ya+t!*Sq`&|QG{5?=FBGN
z<`{;U!|&s|@B90^Tvz}0$YY<q_xijJ&%^8O!kmQ*At;WAI_z$gLlNbc--sy8%6OhV
zCxqMYxTeq>?Z*W#MAitMccG*Ai1g~DJv-;$^4s&zIV_s;HNyhBc;T7=<{Wpj_?g+e
zJW|;FS#^Lt4kj&w$6c)O_e57b*lo_j|3Hv`IQ`+=<T}Z;<<sIa^D{1h9>b0T7}XC?
z>3_E{t{e`hAe1K*Qw@A@d`1{|sFD?IPX0cKHl=1H9BNaRpFv*`GL_1X9OENJpe~$5
z!6oKt+h3sSr=Y}4z2on1Ha~r96J46Mh*-Q--~B+^7brWCcTW7fum$XMs?&wqqAbP&
z7udTI4(xzWT+oax;Ph@5E)ppixzDIvvi(H?WfA1Bn+AE49Pv4F#jNyZ3sgR3Gl5#^
z6EQJLEU8pW;TLvgG^bKLfzJuwWeWfAPaUQEkpt4fj?a14o$0Wa5FB<vMtCvc4P->g
z>5Z1Wv_yicnE-gA+_}TcKqj}$lOS2_{S1ZofQ~WkjwFVswBDyY)O)(ZE%QDj0C`Zy
zmc3nZ^kv7p<>?-oi8PJQe`WMNhr;$jucnr3QXXo@KhR?rfy&!Am?UUjGf`zIjzigt
zlkUTw#M-(syp&JKuv)B)M5B8q45G5l_s5|9&g=oCpzxy~s#WQ?EvJ5#7P)YnIg%bm
z?L*1hDlV8j`Tqmbe|ry?O5hZ8lLAn|VYE4&sH~1F;|iAXl_!>O;@^Q88Twfir}y1(
zU%zK>$^~EeI*tmXUlQI?9u*wxH(3}5T#B?Dy3wV3a;F9V<UB#UK%*E1DDuTYI(VE4
zE#?b9@j^(S#r`h#_`lij+OUvRX{4etOSVu?(BPxUvOa~Y@1=oTL#jK0Yf3mjEm}0u
ziOlLQB!l<dW&ifV;f}OeRE5DE16N#v!f^tZhM$b^QE)vkQ6YZ6J-P?~MAG-;w_YZ`
z*~4k}aLd106VBM{`5vVs&BS<ma1wJ3W=Bc*Xr2fHg=J!cgy&Jyu}RcIMVtYpxkx_c
ze#Vdy&X6fYRh3Ovt?Uv=$#4!lenyePyB6~N(M`qWWANYNAs=rKpLXRL!_$kz%HS^Y
zlyAbm&=-keU9Z*!b<arWQtNVkZb&(YKNoc@PXrr_J2>US3N-}E<nui!7fwQ=mfv24
z{;P4g&i2@J*n~qG3yPVs7*)MuyFbbAe1B+pd0{!)SX@H4NF1hFo7=`q_53g(8tJk4
z6|L6yq!4~IacXIbTcAWB<z7@_w-ON+W*p7AOTF-)gcb#UdsoqXm{M9^kfb{%g~)Hl
zLenZlp-IzPq)Fk!h|;f7h-N!Q^QR)Bt+GB&(<cOP2u&hn^AbGa3X4;bH0d>!(U(`X
zamCiPH8}3yoXW-bf9yksp?WT)k>rHP;_Qn3O<zmZ6N;>-%H8Qpr35`${i;k4U0P%G
zd7Z!)<c5r%%~k==EKk!3&Frt){^O^m1B2J-(pBe^X+n+<{eHgMp$!iHhBi1R1dM)Y
zD?hHPh@?DK!;#388Szr*5{qM68O?SO1OzLr);{0+T3FgD-A~pJ=<k*36xCT<Z7zt>
zt&0IqbfkF?ix-z*H<RVw|FER-D`)ptR@7i#H>@1ykOlI>mEQ~sQMzvx>c#cGbj;mA
zpCSw^p*a}|<R8ay7yvgYnOX-aaYkaH`hvr!Bl&3_r>>Cdn`nwHh-a9>9=*#YwqS7P
zE$s#!xanStwbdW@A-zx~wP~{=wqZF5t+u~wGye0+7Fg{i)iqaq<}k?56OfASPAFWD
zI`i(`MniUT##gcVrFTN$K7+WbH@Eh+%)ysOu;YHC(>o|aN-#nGQl7?qgKZCA_lhT!
zQE;Y2$QtRIWmVL}onP1kdn)V;5)%JyJ5Y8=bXG}Iq_2C`R;amBYWW0qP#`KpkvX}(
zUiALbVbLnL_x7P#?BC3%BUheqAF1-;t#kCgjfMOxia+*Wyv#Oii*oWJS7&j#w+l)5
zJ2fkl%nki?EfcB*J(-7O-79Gyc!5rq(qGMaXH56fQL?-=_ro<+_jwVTr*gJ~>qFN=
zfqTJiHx#>mc<wS^{FOl8f7lm(M6}&EU?f*-toLPh5X4Z#NM<v~%_^3VZj8P_cF!&I
z`#Q(yJpbV!HJ>W~tqP)hATl66=3CEfq*BZ4mIeM)<Sir4e^;4%`zH8P%b(}s=_v5Z
z1;ayHht;Hd$^>!~-el4A7_&$sL;;~Ilgr^biVbd+2)sppCuXBpF9Q@<T4(&@yVHjx
z3VY?M6VHwRuW|VQLtm86{TvTUyl(Lr1@?&?Fa<Pb0{MwS<wp!y+_Mor*{DSQHP)8_
zNr39B{BhgU#x*5T0rRc2r?iyp2arC-QcqtT!*%n6mHvI;Bd1Odmy@Nd^s93U@WNOS
zy8M;6>-n)+^4KhXY__<wY%<;zb><;aI?`-j1s;1A73LL=5`7(RC)f8q(?wk7jDGqw
zmz?vl@xaX^b=`aJOr30f3Ro>Nc8P}n+jH?ge#ZsrPSNCrk4Yvad0o1F$(6eZ^xU9k
zK^ALw%Ah|}vlQI&GG=l+DM@4{F&=Y*6f2oa?K2?lZQ{7$M|xoUX>9NdMeAfWzp7?D
zV|wCv%hIx(To`o(B>DW@zkZN!de`k00WRUYcvp|0hZm?Kr0QTiTIqD*C1*$bJK=>E
z3VAot=8lG(w&YP^@4hzy<BRq%qmKACkEt^TQqeD@FStI!PIt0@eM&8zE4ij^6>|*7
z->G=;Umx^7U|+bMB0|bnq5XvH({h<paU8Cmof03NNVoOoN=C$?@9eH-X3M6{SWNi{
z1_Ce~x=lCJ89XH!zzXg>d@aXR5|L}8tSy_0eE$2mvO5K#QwZisL<H*wVk>J*7WpHv
zhhtl|B&#jgB<T+)>rAUwv3lJT-7lfwZ+Bjp?aL90abi5wz#6-5iyXfIK)TbvhjiVk
zKTRENpGDKWzN{yi-t@cs`WLs7y54$j*HEcK0_Uwe!FNC$;61|ix*8n<I8m~ADO3Yp
z)1|EVqVhm5uZ*s2n6ZpO%fE3+PT(p;E(kFZ>%#AzYjyOULm#vi-8mKWa5>D>r_eHD
z=GiPFG4dGh%h#^G%P|&QW3G?x<`ZlWWI_tNxSB=c;A`7NjZ+Yk<}Ur`e_MhJdodo|
zmwfaBr2uNy`*cUjOt_vzu_$uv9#9|E;A8iE!l?yy&DWr7U7=I?3IokxjxwVh-*bjp
zeuZxR!js6RMf*cIQ{wL<6aiP%C4&eQfv6c-A`~Rt)ImLZZS8c|I9xGW6Xg=G7E9>V
zssJAqI~sDjmtsT=LX4jYT+bH?M}F*T>3*ob^!2LF-2$M>nV$Jg89jOL@?JVG1e#hd
z*AzINlB(dvOD6Yy)-T9O{t|A~l)0IgIg<-p7!%%$7!cP@seYLsWDq!bq|7rM_3`vY
zZquWd$0-AYm-tp)tdby^R^-I}`3;n+;)Juc2JoeBo{6O|9#f3q-;`I*s7I|H$-YWy
zXS4-egap6Lkx#F&r+ns^os^SsZQs82mHlZnDIxlrn<30dA<C9=5j0>*_PPXD(0wX&
zPa*?3x^lpPaW$#4RoP{?HT6G9wc@ZQ7bHc{DNdz3{Z`}cD2<NEDcfY&9aC}(B}2a`
zvv_#6tFR1LcMJ!6&#jj*oHgAE_wtK7XwkAd$LeISYV}wgX<vRd+<Ei&v(4=RxoWd9
zO)h=m)pzJZtrNE1aK%0twWp-d(5ql9c&zt_lrJpVwA}9Y-rPN_1*vYDvm2J(dKUvj
zrf*9Z+6&d^CJOu}uUhc#kxGSHYDw&oigA&@?aWh|N(d?(GeZvC-;eeuCGX>i5cG_0
zA;&ATX|nwx@m%h7F>jhQr&ZI<#nO1BjieR$Y23=IVL6$)&cDmk{u`))`vitNCEN;(
zU(IKdUPG;Pg^Ki=uSq3<I>s7i;4YEWh0=;fE{M6}ar08n$FWJ-cs*e&z+sgKhiUPc
zmPTTM0bHs+;kU!ycd6W^LCr#6JSf`993u53Kj~VRQ3R(=e@Va_1MIpNVsmeW<-8^j
zRPp#J!wL@O{+Zg@1`r45VbS6us6F9AkGU}>;HDz}cGfO`)?cLu0CUP+xak63syHJK
zO^t@`iHo3ok7OrjdcF8T=zw>#v%c%L;Cw1?E*$>qmS`kl--o2f@OHeZVbNoc{tNYr
zMN8F7ZHA)3TT2Wb_4PZ-ld0ZRrO7mO8)$W~d=_7nRx#umQBFPXr>`>eUW2$0?Ut}I
zxFpTEWLBwX{K$H{QGv2*xc14UPra%m9ZOmzIvewtF>jt%aMN!}_ZZn19yByKU$g2s
z7a^gn(Z73YC;;u1uXpUmI#oO~{oH98PQR|2M;<6wX?gF&KPQz!E&9SDxQNY>THQ=S
zY&Zc}N~(ts?bv6bdoW)j{Ykt+ysUe!M4`LoVLS-tZjL!{M)ztY*Kp@GxdUg~Y(_qe
z8s5_3+oby}_SDiXo32&#iSPt`9LhR4Q)}HHygGoBuwv*9S4NQ5@r-D9<WlFt(-T4W
zkxMCCC2PrMV^6kOwY3HcRclh&CogP;_h2I~EPj`e<?jF6?j)e!mc0D974P`rVq_TV
zS9DNN^?V1#$mtBksFpU5gju~Cx;;5Rnm`#x+hfb+VnQ=oOC5iy?p>68OY?5N*-4(7
zSyK{W9jP%NVNUhz{aOV2+H+H}^=5U*99t+elesZj`xY#Rz|+^|36S}K0Sij{CL^7A
zR!gyqm0>Et4k-?9eZV-y7J6^i=br%RJ=DG#zzP0Apy=YkA!2!3(iw$^JP`)naifcs
ziKeC-ntk`AJoRY!*PmN8Lz>7H+<0r5-03)#4()-CXUv?%EMv8zPmvvE$DO#+u2r4&
zJye(bY;L0^hyk{S98`0td2_{Gb>yed&rb&p_D6aolZH-0%C2S|*wwY%pFQ;+AUh3R
zVjK$f7qj9gZ)OO43m>EiVg%O4ue>Vt8}&$Q#doF*n+y<||9tzDJgGCy0<KkY(AbyI
zIgLd$UtfF)mo^NiPJAF4txqV_Ce8(JZz_Pt=Rp%7$Du%)cZORSbtdQ3Z$J7uz(w`I
zAoRxJq$lV{9FZ6YU-NP{s^n*jq*cfEtHYtlXQ)I4`l^(XSgDJttX6!^{(B5=I<GN3
zeBuy}lM)PHoS+hFM|l}DWo=%DgYZph#vaxz+K;w8!4OfX^dvS%yQ^MW1+;U@X`T}@
z6tmiOYle5ainwL?YW;kug4LvQk0U!I7CBZ=&1Va|YyD@@TkI)_*|!*6-`^2}-Z}u0
z6*A~DzXdYCdClaGABq${DLV5)*4;e^@!2U@SKO}3^H-P$1w7?+KVww5inDMb-^!V@
z!*;rYyj>t90XO1LbpmyTZV2+N-9z?Y#V{}d-~VL0Rjf9X=$PVKk!!l~lyB=Y3AjL!
z$5m0<8nHB09f{vu2kuium0m8f9&ihs&33-~v~ut1>xx!;l;4Q#a=jn9^;Wpv@lcXj
z2mF@R+69Sss(awUI$Je&Zz5P4jA`hCNj?FgYh`c=A^s2(hiU{a?2Z?wrrplV$Cf#P
z_w3J*EJU?_1rnqWt7WEgl}0fPU8LrsU`tbGSRJ*I;owAU!XoT;Y$ydq-9MS0zO{KZ
z9YP?EOI1yO4^!R~W}J3PcvqwSxIyqcz^Ku*V#`Z-HQHRyDBwZ4zLxTp+UXXk8+h0Y
zThn&g`Z$lNL?u|`E0Tj$z+>Lok8W2}kv0j_7GLPA#8KBlKwg1yk@4OU##(Lpz#~()
z`t9dQlnAw7TPrX0o0r;D)YCjhA{iyI2<CTX#S;BLhCd(LEsCko+zVB7M8CDVkswK}
zuP5K8OzPy9X~UDy-g%S{0a8`E59gz0&^;1eGio$g@YVTYlhS+L8HwC-B{pjm%CA-*
z&eFMF-s{*>VQ~>IGt)=>sS{eESPV5}rOam%G^czQkXLRrCZMScc)!CJQ@h=UPIB!6
z=Psu{qSZTkyVMkBE{)wawnN21D%y<d4BQ*3FRHj0I0NvSX>svrk931uZfA8CgqvNe
zkox3{1y1pZ_ub2pJ`_$#=wi17Mi0F0a$X=Zo1Z^5e5joM#(J&Aj2g^Qt@1xDz#ib8
zpZa!C{ih+rjWq)rigFF_mnJbOJ}Z6pxb3ZRb4EdzLAyVof-0v%RItE1f#eVgxM~?<
zGH!04o))qYWu0ZcwOEiaT1j870QU^cAsN{UBwgZSVsUk)v`YV<({>8A4JMoaOKH9O
zJ)1Uo$LzOCT)VpXUV%fspi}`*V~ZPipYS(JnX>oI!voWEq*FX?weA+*bDI6=Ah;k_
z<v8{zyawCWl5z)r$);I4vMl=5TRDB_dgyt&aa$Dlypm%?XQao}I|~`sDBrfwEWVwF
zJ92_nn;X)Q$Zmduw&GW1c)E7ZZvbl;Iu!<tT`FezN~?oQl!NNbVV|)(^IWrM#)D~0
zI|T#7z!nsB3&;!={ZlOrR1;4+=2w=e;b~I4^^gi_GDncMG)p(_>9tE?cCZCsq|NzN
zVWXspVrd?AIEu=UukHG9Y{(cUePHR;LB3QB^K%o<l|ZZL&!+Fy2%|#Xjb;A)N8=7O
zL#H5sB8?Be^y3(B-y{N77{l(9wH5z*F{xwO1tI5S{x(LpsaU;zn>S&&vosY_PdLde
z5zB9eX*}T(cqi$>brC-!Y6W=+5INHo&|J~}dIo3JT=Ld3HC@lbowOVz^8q>_6S_t&
zAF!r9$eT0dWtI5gRA?mu28I_BAs==c0k!oww(R1d<ywj{W}O+CVSZ%ud*G0t;m{@|
zFzYHr-Dafse5|4>ZLQ5;k4<gt9ix*9aei1<AET1ZM%oT`?6GpEo7CXH0aI=FKxe<-
zKM=kh&X(#S<)8<%HI+5JiCEMwI<>~>UX11EGLO5R2UkSAF@JhBRgbfkm&4Kayu=$V
z4TXIK0SWG7FeRx{y(h<p<)#a-25<5D_mLAtBUFEVXR^tJI`-S8xK4z0ysKj@yDO@a
zwvOxgG@-EV{0I3GVtzF#v<jtewcGHa)DRnoADG@feUH<^n$>c4vc(Hl=O~5Gt+G+t
zvpXP14g~}%cF9JBUw_{R#yDJ(%B3Dw#pnR$)9}yc%1v|b*U$iX#Nz2Psz-899e#&d
zvamIA?XxcWb673`8AQ)N5omy<rVNd6e#sb9Y7f#T4$xK{p;O)5w3EX=gA1ZrqN)qu
zy1{aZ)2$v(d2(VtKTw$0FlJqCI`&1R_oQ&D-C+m1YqBtB+uzsi01p0Rdtu=ys}T8l
zQe64vWUbSENUzvVQ~zaVvcXLAq&B6wrSt|D#I*BR^X*HAB`vHCH}AB(J|tP}#yH8Q
zT$gJvR*~4sIyLJ{2-KJ2E3==(I{H^mTT$EyH3q~kYq~6LCR>50THLSLqa{$D#*p?m
zsIB^WlW-@L^<f(|=NVgtwQ{d<Ca!lCCoR%VhPK-LDfzI?{-3Fq9g=n8_6DH2l2{09
zrfk(AHamTLW|CnswB@I~n3GBE%Rm2m`u-B{ZS}2T@uzS4!re~{Gn?Fu2cBb3?@EC0
zg*kv017ot#uWoWvi%cz$<Zc;6-3Iw;oyhi&e1P^?Olr~c$|=`3;GXh@fV<=N-<=w}
z6~p*tJ1?^0F~#+yEOB!LU6XJE`Hi2JI1>^<qw@F<fo3Zwc^MG@YMU~B#u<oAa37hf
zLRTVH`X?#s@T|3!ufqI&ZPWpnlsby}`I$+Z59$G_nJB{7{02p1c}Q_>A)8FxwgQb+
zv+A$aqn;kH;XqwL1hrZy7Cw`2eR}jC)G46EhZ>2FG>g3Noxzzy=ix_>7Y;35){w<J
zk(Ye}N!SRRN$PqMG2X=~4t(wWIc!iX#gp?1uVkUQv8`fj{=w|&wRMG>xD&xG)Vw#4
zJNwM(sy}WV%znxnaJ?lZ23>;;qr%ZvNn48*q2qHYJ{z9txBPoIR~nqH0*0S4PWaQQ
zpwQ<Y{W~qrFGJoGzrhC)KZ!sC{}8#sfsymw=qg6Sk)4^mSJ04DoCj3GHTmedOS_99
zXEH#^Hd1UI9hru+AQzhmTV*YQ98)wv)DeV=MVg&@I$T$_3fEp@%_p+HhjBrq&bBWn
z$PdM2L7E@wrWM}&;%a;OqFx_FnXG$WdlUKjS<TaKho7}9+C0S>##(0<2@Zjb!w``J
zOBmLSPqedTeIZUqakD2hSPJz0(Vw`f%GH`xy`~GnCdR4r+aC{7%hH#sb4!5~TDwKY
zQC!`;r$>C-)h1JYQU<oVOx{eYvdkIg?WsY=FylW{Z!VpNIAaYo%>N<Udp~~iTb+0d
z`-_Ts2KM_b4Okp3o9cvV<S^`h(>e96Bq3>{tGeyWY$t#yhsF1Zk<3lnLkvi1a56fH
z5zSp)E+>y#bgv3A>d^(T4iLp}YsZrl3KT@fXO3;9;F-~;iZolj@y$muDl0Y&!)>3<
z&NWaSBW+$;mNbTyNzWS{QeR^D<Xg~7#Vf!vBsm(AFklE*T0VlSo|z$AuisowMjV?D
zsJF^)0j*q#g%k%h_*mqfQQkixoZ4-a67KPRw`}Y_S>Rh)gmLWq1u-ph*JraYDKi3$
z1oc?Dt$o>hXx6t^80L!C;z-^RTz>=pRSO)PYiX*g<%{0;%0I?dwE2oe^Wr3ZOP@VI
zp`FKh;HgJm^rJPt_EM2~uuscsZF<d8+I%*ucA=HIX$)~Besd!XNTvO3w!y9V0buC%
z&lhG`Le1=~agWLplS(nQaP2y+Bkl90o;MD%KB&tv9{7y<^n{uiiSfKXrKoZ~cuoQD
z->Go|;i0^7yx3W}*3{uYiMZSDA0v;28o(1r)_+s`G*_7wtRa&Nh%3m?%fwur#~LOZ
zx&+$__Lb3vl<C!3MdcBweM5pNs+FkelE<rluci6+FooXm3L!3!7Z37=Q6)i_YrVY>
zbgn{_gn^6hL~*ep8@)_w`i5M=poMm~U@FGvhcQJ|4Kb*>sT4S+GNf9We?umunVg+;
zWaS9XUUf5<foKngP<`1#eriz8ZY@P|z<V-0pkP<0y<q;`LsFCoptSKjZ2J8NDbDVU
z(t41m5HeQ8Q%IO$Ya`YyHtPmeHqngtKkg|qVyN0=4Ag*U=IloFc;&}ppR}T*xy8mw
zz6sn9ZG}kKClxl{AfT~*@GC-Qsj@vSfp;}bw9?&fDGL${kn<?N+Ra(&;ik}x{CDml
zWDBZ<_3~7tH}V<PJAG+}`PE*vkU@+R*om6tk4A@fm${6?nt)uU^qG^z0sNy&v*xa`
zfN9;<(DkU0L;>`nL}H|DX}Kh-SG%WZcG$KdMl?y_6Gx#^g7$QH@3lvyi_jIfQs0(q
z%i+WQE#u04a)8iz%VRurWhou^lns%?N~)R<ogZ+lnyom0kO~~|Mgk5S%cmla4!2b#
z{nV1tomZOzz8bat_5DX4>-982%fq{#FNZ@+DwpGN24Rt59y4J@o5S0Zz@U*tcKqhs
zYEn}8XI|a+(7{&ll<Gp~kxvqnt}uLM5|!bsE6M%3t)kSKt=S_Pi&ogKgmK=fnJVF9
z-RifARbgX?bnrs#H#R!Um%A+#6r6YgQ@OCx)nd?Jhopjf^7ldR(ML`&Kr3UuEok0J
zSm@j<(Q?k|j1g8}oM$`7lGEgpSbMYP6`k26=dtZ7-RrP$;{>U(=448Zf$&GnzS2+K
z%3{#GNjR7hljHlMM!GJy`)KIk=wGe)PWyf7xqr>5tK;_Oocb-rXYRQyLZ~i**j1R!
zT@COQ40%Gzrj)O<ZrjDwWFqF~?&o@P>UkJ7q1-%pnk0HJ-1daIez!&Ms42I>0~oAr
z!hXY3_to(i{s@F*VTNm>kA8!&ujvoX_kfb#T|JAUW(c*@o$P9KXcmILOS};XY<wts
zHw}Og$l=()jb9uP{n*etRQ8iEEUEEe^jN;VF0BW$h3wznb5OqvF&{ji7^AeFlYL;D
z%2I!YSsI))OoX%H61w9xou~AV?51@s<Q~U+l=5l@X(c@CJeuck>{S`U6p#-NHoSkF
z-5}4X%GXHTIM0zy^pxJI=dia%A>LB?OSZ=4mWEMchPQy}WyLLsE&)T_Q(hY@#sL#~
z;!a<yOx<6t&@z6cc4^i<i>G2J<dp|;rj$&vrmqxJfRR)E%)mlZumJ7Bs(}Fc=vLiP
z8GZi`OPIN}L!x0+{Xa3NU2eh0l{>LUebT&Tagb7`DHVTHxDsAGei%m)nUp%LBK*E1
z<WAhjmUP2IqB5Df+!t=dl%{xHmcK~bgD12nazmkdXPdK=44OfJ(P52F1{`X4h~tI+
z=WDIz-1$~RDP@>7rca@>RX*$H4uHk<mkAi|L?E8dyN8ZCXI{%%>_QDEv?Kb++x(<W
zp84cF7WaS)Dn@O}icu6e$7p0lS#Jnz&T_CB46RQP21kJ}VZ3^Ma^LQ>Q^x+Su6aQI
zmME@M{u?j1gOp7R@)aPoc_`km+-xV=%D$bTkUVKIRS->1d#La!FIc_Y(+idmeb)ja
z`UX<TD^(u=rWJr>5g{Qgi;$zKo60{v9?S-+bq(+obYZJmCo>5cv(wnnK!-H>nu*Db
z^(2#qmx~S9g1_){GyzEmFeswue9%=f4X;VxIMSJ6<@2DqxWC|)JTsEhdb43@a?Ns~
zI}Tkta(7s%@<bS*46pG&jo%$IW$e%CMrTQH+E5Ba7qDta_;5!hF{nJX4F!kpJ>FVJ
zxuSbv9ZFf*2wk|DIjvpSY$x4!>>X4&G0}kc>pOEuhf%dyl(?P*hl8Jansls(Q{~-$
z^5EnaE22-`h^!VkpXfK}*;HPCVgNVo>Q5?PzFPqS`~o4$K<7#^Gz3WnuYs*k$h<B~
zfox5ov*{u|5~+*(V^p@nm|>#4{qzsvz{>M5<NC|*4()1Pe;yRNZDDj)_`RmNZrKdV
zq(4P>rKRGb&h6%fTe6N^whL|SWu0)Fban_fN)z1Y^0qq<F{*jA5LRZ!?XO(l97X89
z0!<j7exK!5<G&Wd;(G<zTJM>(U^uxVDhDE)LhEQ}ot}HNbk$7Yi@`b@qbbDE){$v`
zwvgM(8_yLWsZky`6@A%6Apf7d+({bp62KdHX%@ue`W7T~FRhb9_}8t{mxO0=HFjgR
z1sA8|^kMo?IRm&tA1Kx55vSAP(h5fob8Ycx>o=2qS4*5b!s*vaOrE|rwLbhqYP77U
zGy4@l#u0P|l==cD;J%@&PtKk}WAI%Sxh9-SO(D#B#)QJQ_iE?6I&rg=l32bJ%wi`_
zA;M?$JWVW^Dafb4y^Kdu-x-Ens$(#(ik$nIM4Wi1d1F^Fe`mY?mYJkX5@-==OGwID
z{&Hd9b9Zo}9y_pWvf#9J++)ey0TZ!kRRgiOPVKLEY6*|<Z*DD}(~!^94Kv-U6~#jj
z9OQy5{dmJr4p~YW%2KEucV%est>v)f37CAf@#cu^jiGDBYof!BWru+EP&<%@+Rw*q
zSVHZR)jKhA27_T3>V*8b#ljX=^k3rf{>q{(ZEx-8xH2wly+t`YsOVoy<z>9QCTYL5
z8XB77=C@>_->}u+b0LX$;b(-DZ3?oH3%)zaNTIIlDl#~A0)-f|Qfi+$6zP{PTS(V(
zf*HxVZDPXX4o!mFD;0c~Ry;zKQb)}iN1T^`{et?jiL%9rM(Bx1<q1NS6?}B9r0@nY
zJ@UuWr#=Hd2D`~axK`HnW-eezpIfDb2CbAaK8!+c;V^zs>i$*YG=>5AckPKgowP#r
z@bUaf+fU1rRdlaBV6NG`N2I3B-2+)4aT)w@C2eiHHgXQVy-8-0%i6eutI2IDxHJF(
zDxXitIyKR5y+}dh{A;GaL=sm&ka;upCFjWlLwTa-f9OW22?vj$nhZ=fUup2Bo(Qd<
zP98A36ae_Ham%58s9XWz9YjFx>}8X^|KVr;8=;bNk16rWq}do?#h7a_^3lCoO8l@1
zy9Fj7`CfE(st&M}DrxIkpgFKW@K^)vb`;O!Zi!S$mlRKvy!NQ(kO{Z~!&%$Wqw*!}
zp!jl2B|w~br+kI^)rTKvJUJ?T>#XHZb;ib0JD)3O$Z~#hHGWRHrxMb?qCAkD=HIWh
z*_`fjmDM2ceLO;S<`g5VJx$ItaYMdFp_aj?u#}klFPS#<@G-ywuc|eDjpT*-ddmKe
zg!^X1vSQiHkZtj7vqZZfP{gS}p)2l`J@?i|3wcgEkXQ<ifnq%_XKb-)<Fj_dMhaYz
zvO(#nP&b1xZK;jE_E5|m01V<zs89B_>$M~8SRuEg3}12nLm+!^0MLImgYTD+JM=78
zGz(>B6=vZ|=BuY#%`9X~^aSz=gpAD$?K*LGP2tK>ILL8NmUV=g#Y0iAe8L@4hB!N<
z5_6%Lkgv=IA(2YQ6Sh|fwWt%Szg{s5>{UUaiH=x(Gt$)El=G|KbW|?|uc)i3+}-j{
z-+am9Bu%^!KeX#d1D?%W`0eDTDMs_n4LsHXKU%Q|YkN?FFasbZ`3ViDh1s>p!>S*J
zZ)Dq?Y~ldedG?kA=cJ-gkDSSa6IX7QYnDczwGo9oaX|#q<UC|kCpy4U=1r*dMPM=P
z@}gPDQTkFkFc208(yzMKZZ6j!NDFRLVra=A%#|0yIB+cq^2e<8Z)zUj{Z#iC4tK72
z#D^t|d4I9Hj_A_`C6uR}M4+~1Jbz@px%EnyYu44ts~N1EEbf*voFzd$8?`S%YJSg8
zeRP{x-nEY$W_YITQGA8x2lRM?x?p{7w~EEY!iFhvV9qa);8{g;Blr+Vs}O)T3ntQ+
zixm3*l#E4DAuMy`JZnpQ-{J~^B)r-B=gN@m<Bm(ave_SdkLtY@N!46&SVL_~!EOd=
zj2YWCWT2dxPNf)q(OG!7<Tlmy{X#%~gSM9h5}alwYX<$(Vb~GH*_=TqrBt7IVN|Dj
z((it+tnyJkwhOYUcBE^ZOB)-0l^aQwh~N_QU)8sa*mf18KOV2K11=RIBOTQn<)wP5
zPtjVP#OgNb{4y}3KyFd&p8sgt=xk*cx%H-5lO;_~RZ0d2Uz#A6N<w$^;*Hscduc)u
zrTZ-r9I$q?!l%{aA=qoLl%-{?4BCY2b8+a3)Y893`Gab|-Z2{$YOh&&Y^`0rCMi=N
zIBh{MKk43`lKU?8AD*xKdk*&^YB^=;HMc4vJB;wjO|SDN7s*r#(Kj>Jc_goJF0Pf!
zx)CgtjIGKz*R%i*HwJ4PtL0Y28t1;W-)rw^Y529Ur(_oRc@hVc%-we0bQ?Z(dD8H6
zh3v9+<@~C+zwqW^wm=8M{n?t6qW^f49(}yH7m!4gHe+CI+1OVb7OYn{9_OGkg5UOQ
zQnO!FYo?kvpnO&C1P@zGImzM<v=1!lejkX*?K;ClxPnZRgfGS`(H_XFrHl)e!~?z>
z|B8YodADl0U;q!--$}a4o6M_}c8EG?bE7;xx&~eB>{4bx`~>i=gvwS|O2{h7u;07A
z%7@hFMi$U^-bI4|?BjtwhKlALor~<H@yDjlXmz_g#2O83R8<r}z&TJWDbP8)00t;k
zk0phl14y<YJwS6U>0jpezWYXpEXdrOi|gi|oP!BLfRU98W;Q4bXzk32WAR{0VsX%T
zd6%h$mFJCbUjGix3davZIlY7~NAau_nD<#;5yQRa4BG}slv(6hyzkX())_Y4ToC#2
zTu^GYOBOWTxbOkzd$*U*v&<VGI<|`xf06>ETi?8bBy&@+XvMR;2DzPF|Gwfd^N6UU
zLBeaQpu3Bez#G*F*=ZxifukA#QTm)cHZLVS!g=9|LGAcW({;^0ox=LIt6{KAJ#&bc
zB)bbt2Q}Q;ukl;a2p}S;p7r;N@?i%zqXJmxj|-0+<~M(XrA3@ALuU!fN^GkyikICI
z8(1mvxCB3zIFm*@uREY95z1^37A`y+<k*a<!L*vje|k6Cl_o%*^RZk5{L;w4=Zm`r
zt{oNC;|BiQWRDi9g(Pa^_Q|2QS}{FHE4M>Dk)Q0;`-lZ6sZFHKr0O$Hg(Ko#Dw)%k
zNCuXCM+*;kHl_D!pGed*GVJ8yF2cX0d{U<7!2vmlfzgg1-|f%euRj1(MWWfgXN>7d
zs@TFv<gH$Ga-S{lW<@pB59Lo2^E>4LDw!%Z_6!7kY-CCXKJw1b$`}W(!B^j1SK<kh
zkO57l8aGFAD@<!Yg#u_a=%vb$_T#-?P#8S{rX5awMIYIXBkh>yK0ZA8EmB0DziB{_
zSWawNVqbcD(KB*inP>kQ%kIbb-kerSOuCoZ<qY_cGLGTm-z+6{Fy2=CNYWGy9q@8a
zM#r!v*Gr>c2)#x##;_TTUw~Q;r19?^79Ss;dJmqeE_g@ry9wP2h*ao@mrLK}h>$HV
z5T^;s@A%-2HVR3~Mb@&Z8ROm$C!rD*@`f5yxtT)mef0a~p-T?M=z$;DY^|q)Xka}3
z1{+oVM^ppfrC;=RiwA}Gh75ekQYXPzPIII)Y3BGTvkK7y!(7Dc98nTdJD*<a@xm4m
z5y!c#+%Y(Uh|j5LN}x?UIt<DW0P8PS_>O7*tNfjO{p^u}93xT5@7mq=HT(xbTm}Jj
zsq2)|>s#!{BSGwDz}-3He`E&77rfdjiEusqAsptkoXm2*P-=$n3s^GLt}dR~|8r7t
zcgh9|+I`Q%39_l569H%jWlE;&!IWeyaubt8A0cJ4RS%99o_4n4bQrBzHtZA(R7415
z3%zyn$nXuvFEKscWpa|rWepW|Cwr91jji!S3~#37zdxYl5KtyB!8bKy1USycOP!8e
z`V5H*coBwrUf!*roAe=DGbsd|MtWOx`{0ACsWV39Mj(yww8RG#Px|EIo9G_Dik>U-
zDiY}$Km_rQ{x*W%*EK62?>nm8U!R*q0}SiXTUy{AW+jHBL{|x8dr5es{IdwW{E<Zq
z0Q7%6^)b#T{t<{Fm^N(nUi5Zxf#|bpP^yrc`~A*`-D$UWFxJMkf4_@(@WuXm-6)}j
z6Uuv<ROXt~`|YpELPvT_Vd06KdL2m`E2>p>21Ujwc=xsgn_Ni*>Q=Ux;+m@U?G%vV
z_c3C|(VqJ)o>K7{B=pRLW!y!HM5<S7O#`4a?51b@?M93L$S1GgUpNG)toj`_1Fvcg
za2%&`<Z2r>mAKK2=+S}IK897?YXrhUg0I@rz4gg8zEvq-=*O|pz)t~O5HC!UJVrR`
zm__T`KB7wns?hAu3W4T)GRol)uHWPLAprQf_Q%umnwE}KzHIZMz%;h32Eat^Hao>W
zVb2i-AEl}dLu*0hp+*a`+v3OxbZ6w{MfpU)*B!_&_0;L7UQ^})?dhXnS+boS;$f@o
zeO;O)sj2cehiGuIUrx1!eX$hH%)2!I>m<S^7m?pFgV)Q*)e&nIq~{*PUAXQ@N*8sN
z3xjrdym~Mp)knSUOdc<njCyJ7b9~3nb#C&XH5Rz3@9Fh~VH1?}h>n+pZ&F;VV)EJj
zDHr5ou^zAr6hX$M@OY6eiqMJ3$Vp(B5MS@N>i>Qz57%8n)X<98a^@hllJw&Bdkn&j
zUGM!~N6f4q;<zmDsdXVN;AjfXmIH8!UU<hPg+rZla%)5xNxd;j(kS%DtH+1NUQLyI
zAHQ$$I(Q8rk)M08Gi+}3YWI4<X6|sO(wds9M7SXM2Mxb<;JmNXB?v7Z?tT~Wq*0lD
z8UlTu7=}uM#Enf=hD)iGx0QGhnG`VkS`NjFXsTE?H#7!UNK}hT>Kw25QGkmNC~drB
zdm11{>VL1S12hjpQjS&?B3qwoTH7p~<RyS5A$J@b?v;m0Lvy>&=le-y9>ZBawlDHI
z@G9K(S$ym1#ct`916+wczQq<$J+w@09bYl}Wn0;zF8OM3%rih)Q;m#4{-db?ejex8
zM`s}2XA?}3<E3{-AVT5LRT=Bh|7ig#PA-adv4<@#d<oWs;K~Qx9a3#V%oP*6&uYtx
z*q>lL(prDsx@3FT^<G~zKEwBwGK{2-qDRvzn$KVK0x3<T#d_o|bN@zi83q1m(N`|u
zZ$#W!OiVPU4-5hKjVQ)B98Q(WcRYSdMWUy9Tgu=OI?)OlDxQM9OZH-q%x<s%XQMwP
zmV}Xk3K7-!F5_wUHfN6VMTwN~x#6+nX6{46j3Az<qzAx0l4)l~aK=3&!UwkF0{@od
zcOD7=PZc!n_^2)$qpoQPp*nLLVq8-odx3y=NlIAZ)6g>h>|dSL_H-C7jwluH-~Ms{
zHf?+UDdDV%?TBihE!KF8&aDuP@qY>A1z6^9^FlyMxHEqiI=8RgS)$R!?we#rbNq5x
zykd%xsp)BNgZO3U%okcO@b_2`UZL|ohL`cBP_<<{eJviRXGt)qDEL4#aD2ypdwhV3
zI&oh-p`f5#wH4gf;miDjGs=iPqlGy=J)34!YM3jX79dyR7@*diZMJ-194@@v{f;~x
zoHkP%D4XN-RJ*Crc>D{1gRlO+Cj*`edf=5WC*4bB+H6Ait<Y1XY9ygrx``pYaV#<v
zSdawAOX7_DP=rw9!WyxkIdPb<yleEvg6W@+^bmkuMe?^#{jtbpF$_XZnW~1n_&qZv
zPYejhL&daw@ph0tzZT!jGj@d~U=jxx1W-oVe*s*diPI&{g(JG;3<s->YcceG?W4v~
zq9t+m7{o+QFR%ye?CKo<KfBhQY-YJ*PQ@37RkuKsGPKmN*gyf@v9;(Nwf4<`<%$;)
zfoUZk@xcCyicWnfrz)mv(Wni1H3g|cB^%}WzOq`hpM4ws_!y4610T2%50=)&VUW-r
z0ZXbIz~7tv31X#sQ;N4H%^1)gq8-r0yWN&D+&y&yJ=49Qou{aTD<g!V%JyWfz1bpB
z$Xm!akV5btaI^MEcsX$ATTi2UNfyNHf>bm)eY$7H@jVoJywxR7DwBE~pX&&lyj5L#
zIKXz6`LRRb=y2!Nu^!VtV?)rj*^)_m=G(1WK1_TOz+0XDGpHGCjiIj<3H~3a)?;e(
z{BKvb{AUA#{Lwx0@CPF&m`2Jnx*}+*L~*sS&mFI5xoqFuWYN;{h*Ro<SG1aMj;ISP
z2rYjFCYcu!_KJNi8DE7YQdD16l;AsVJ3sPC?Q}*r_KmJ1P35(mrAaF-z9%7gUdyT`
zyvKS6TMfE`=4TN`?Vptv_{W;6pE~^afi-U@M~-|Jey+0c*|0p6DoLKyyX>QHYU${o
z$rBxL!o4rOP~+;kOP>MUqGi1!`h4*xV_^N5<svui{5AY(sjAZuWnx7H3Lg#ostl9B
z0w0aBsA@U|aVEGwKel_s_z30y4p$uSEs!|52W|%I1NJ5~yoMx|%oYic+(K0K>mR)w
z+)AOSD~WnZV(;3MMjZ7N5q)Z$c3WzD+2K0)V?v|^1N7>32bL)cLZpi&wq8xDbdmcB
z?bmptF1;s=%7<1r`$vL#e`v=6C@?$%Ki1b}UdPW4BBcVI3-g))!xr6vAWvm%rg&`@
zdbybRjW$MS3j3~nhI!gzV=C-O-+d(SOrUBoXCT5{rqBaFZUAz;Tl0m{-trNDRTQeZ
zeOg)(qE%hDhuDoz=1x`+tZl0p$Sx$%iMc`2%)b<hYk&ePg+3<20I>DEKzhSj>(r3t
zX=@xnht%ZKhc+e@7yw=3+aJQ3#^nR(y}{(zO@J<Z#sDH6(nFf_rFpjjkas!FmjJeK
z^&QVv_P*c<%nQ@WJua6F`Tx;Qr=YHrEv9B<uPt!KS7&U`!xfjGC-b{5YZ?_|;)C+i
z2E2l*BaFchtg`o!QHG%9*l26|Df+qccfJ;$iKDr`hqxdhQpHM3o3Y~Nfc+MTG<RGl
zYd+np<-@xknp+j~ON6={2*70_hf|FKl9sfs!3PmdW3Kr$GVEWr^-a35vJMVzZ!x|<
zWlMgvOzf%UCyiRoLjawXAf<*yze)ml1;g!i_jInrwbk|@W!h8{L7xTSF;sxDt!J(f
zYQ(Lohew#hvB9c;0bG|*qaRqbRo!AlmjrI)*C)2n*D*>H!3^uI<)ObQq?)-xckgLt
zs=b;ZZIstP{rNaZhYtlq^g2@>ALM;?qBnG#IWq}T-(-ra^CUJ;s{VTWl#<D}`Ne0h
zauVy$vo_~bhf~An1_Oix{pWfQ(ft>BJXUSuHM6okls|Y?Wr(N8zrAV*1e(n?gaGS0
zyZX;x*W9-&zgY4g0$NBZFj@1a7E1vh5I6K5g4MazH<N8X^<wb3Yp7w6tV1I(E3oNR
zB}~UvC;<z>;%49q%XYBn^Tcww1?75f6RvZTxfX+y<mxbL+`QT)(vJoi9&#FJ^@Ded
zxiX*>KbqM-=fBOu`U7m5&23!JHjA<6;Dv+`e?UpHLqx5RCP9BK9WBw^q3pqIN@Jf!
z7ypm=XQ+h+&oiINggE-Zw)!_$2!;_nD=(O52_LkGO*N}r%|$`<9gSVbg2fEcS$VR0
zsZoGIXVE2imgoGjJEHB((Z6)(o2#sp1z$I0SxWY7#ej71vV=8H=*lplu$v|ISTzmt
zg?v6wb+%qzFW*s|0ceji6QO39WxTcZ!7xabH1|`Gg05wb$IY}@3zT{3rz<af@LA5c
z4z{$n^R3<7wzF)a&3mryh~N_;>vf?qZ7MqimjY?wdB@Y&GXIG8P=~!pdV1RPV6uf!
zx=U)uVtK#3I%#%!Ww_0^yivSoDQUb_LoRytk9P1BQ?po05fS}U_PO3S=*&HzG|S?c
zvhpm*d7Y~8(oTk#Yf|U(iA}t52q1J=RhhlgGJ@Dz!l<+~#(8>gtxe+4q>VEGOkb@-
z+}@m5aQX!-cZ{3!YY*0;{OD^(Y9lAEV$_gYc3bNUv7zxN6n}h=vt1(?ZhI4#3%9+P
zz?RgFc}b5G!F8iL=C_fDQvgCkBq}!)P;+;b)@&qRjfQQ+qocPr$7Mp)Xuld2csEsK
zwyWkt*lw*>wOiwKR5u=s3O_RcWBfzehZb`)KIAs5F-@dSJoMGoWVOXlt2k$CR=>E+
z(V*d@)~RaC?c1`_fnzE|m^uGiRyJT?liX~wS4Z<M|7ePd3I6%#cEVgmJ3TYh9pDsZ
zLq9$SL|_}H{nJH(*)}n1PN~llM+1Ik@}eMH{mqQT;s6A4#)g;VcYrN!_ZVSz4%mk$
zzPJx|^W_1dxlddCqzaw*XM-bpW2wmj$@o7r*PWLkz*qfnt?F&}uWqDj&RQAw<>IXz
z8?4nzAp*<13i`0P2FzHup;b+j{Ha@$p<AM~kt71|wMA#^O)qF|2>RjEp_K~%EP#$o
z6t`d4pkA5hB8w<7eq;`%Y|ZVL(U%GOG=vr9ThHoff+_|NXSHXmZ!e`7SOF5GXm_7X
zAIjubu#<XD?Jx2`jAnOWjIx(dmXo!4$d33_hwC10YfNW!1o%r<iYSi9f6y~%CU8ha
zm^Mvc<qF;oYf=XUx56@*4`2D&5WQm4({Pz!Pvpjsnw!r|3UFq``OQ_n$a0zONnJq%
zwl?HfCLgwnwh41gC#~x7t$$}ZKk)vC$@1giVNLMV;<Jp_+NCQppBe_PTlNTk>KW7n
z3zC9!0?Sf`<Wrv8j$UA&|0U(S7fe1^{Fts)u&?w9ZodfwiqTDI&rs-e{8H%_nG0VH
z2nK~wztLHv=?ZMa2^J+g(w%<)AA4By=&iZ6b_qRP>NslEx&{21*XP?~<C8)nq+^C*
z)E#}$CONXH>bs^QJP!3NW>Xo+uDaI0+GVoOl77wu)F1NUsjbFnboP>rqB_lwFc90a
z`AcVr&t5(9Ka#bv;t)gz=BV_Ci<=FFZdcc5g6D$`i9MisCC?2+==KvP-G&YX+?NQP
z8Q)4?M@c5#+Xwjxh)!OgpEno=Iv3^|eMeJfmDe}6w|+&mj<90YiO>JL8|r_%fsGC&
z$R9_`Yd2ph-6-;<dQ6)jwIE{_1?Q;by@kec3cZO*e{{z`hOUQHI|kSeXR)Vg2|b>)
zA>NTXTMifa5Z7CJQ{TVnxeQyjr1RoTmRoFjq_D3BvTQSTXlsSQ81!!EnSECNpgw#-
zF|X@=6K`PWi<hz6tD)QeMB3~&U!Xm&yZIfSDdP9A>(_-{CH7s;$<c&b+}I;3a`5z-
zrq}1roUu>UdPtAD+9r79oV7`3j^Yy$F^I$I+u@Dcy1eY=4R0R_Wqf?vOIu-e&A}pk
zyRGu`R@7KGt=CnynI!w3qTzg^PJ0v7d8n4P`I1_To-1E!YY1cuT>w)j)wZ88ziOn%
z#UPi?i@MgX<Bcir+JjccRxiNICozFOahk08+99DA;^~<x^T=4;<Jpw^&>zn|kc0fO
z22DXf9aiN}LFNP7t0vFzv@58x-cR~5+>~bLu`)_Q6dlL{xq;ZO%1V{S8cu02Zfwnp
zN>E+h0|(}$PC*c^N>IJpqMG$7pULB1KUmvHCnBIQQ}x|kb`P*oUilDu%W!kLR&PG2
zX@KY)0h-^>kg(p;qhbmbSrKlZJm)8<kd&kc27i9rrDuvtxV{yVoDNG%PaxSg#{=q~
zX|nTA?uhH+b<G^Q{Ysr-C|@adIg~vNOqD2<_PQc~(t`-ET1eo=v<#QAAaQQqE``!R
z7XQH9nU=uF*}f^?&kl%`SpAJhG~*1AbibOFJK<hwhj2AId2}_MwH<VKIUEwDRwv$b
zx&J|viZ3Z>CCm_e5cKnL!xc8=UstRO`P0}%6gB{^&46$1#{%QCOeiAnk)L$VCR-CP
zY7W?x?HhX5zjDAWt#d63AiF^K=a);#fl_N!Va9%$0GPjSn6We_n8_NNt~fi)e4IIi
z#{B%%)apEX7`G8d+++*5*CUT>8-F;dGFxs86a&Jop3Px4Mz2lGbP=Mine%4*Y`Mqc
zK8$E8X04!}(rmp6Re(V1qhQ`C?iknt1)T+u+j$I2Kwxya<8P<=T}1CbgMvl%7b<iJ
z)8CRWb$P@`{wT=ZfC;6!RNQsTACG4CD3prtHDWjHdlq0rPIXyNGsu_FvcZ21jW;sm
z{sL)CDL2SZ8TVmEx-H66-D))L83=Mv!&G0r;F6AFYbk1J9t3RhrX~W-x>auoYqkmp
z+@L$2bTmnC`D4UP&*2O-iP^yD(y6{=`Ld{M3>(Eb53D`Ur{oT;L6AeN7)a%TI8H4?
z#1s|yCpCQ3&*nHasp4ns5FHXg^>6BgUYuQe6ih@Ktv7ob)r+^g^FO0rX$lb|4M)4{
zVSf~IYM1|A?)ouX|6-^+X(HL#D8%DV+t`<4OFmx$uqr&E<Yk2)D?!=w$eOi`N5lDE
za^vElrpW|O>wB*!i+LBEkE&@(uvu~fmT13DRQ0<VJZ60QCg<VHRgu^=ZM%*#A9~~X
z>Pd){XhvbQru_KrZ&v;^yizi@(7(288nzwoGZ@j03r`E4;Bt)M@$)!8p{!9!za3Jj
zx|-_48j#67!K%O7t{01#S$D|XuKqR2uv4fq2TmXs;*OXeP-#Y`|4bT+Qae4i34D3>
zlJVw>QT44z=9Hi{)!+gDGt}jlQ>M7k`6~V%wa}if=y!Ym4hg%}?em)WwEwK-w?q+s
zieqZ@iqTZoWc>EG$C5~qbyl?5QE_5>jJZXc0;Hx%LfB-QoD$0SZhTptV7ENw>*!Vl
z+)OY`<+;b7P`rG~0NbE_^UKxnct3mU{Q7fA!`E>}J(G&v0~5&xfW8LS<Iz_NS9tEy
zVl&QthrIeB6g`oIZ3-M(j`8`phlP`>=*>`>uiY3A&EC<IGNP=NOHxuokd|8@9UIWJ
zQaf0OccG=cDR^E5{|(R~fB;D?(jTq1+G-4$D`I?kXDP;V)ge`$2gB@B7oHY9_v5v%
z-CUWa!^DP##NE~od)jaRWHzh%<XQ2C0?~l)fu)>K{5j0XNZ*vCjn4VcV>EGadfwgI
z9|CXv`rv4$f3Z?&$Sa3EyIOLeacR>c%f7hY;8j{KLvHlV`%@6pLx~$tT9Zn}-C$B#
z{2lro?3oFbYBm8y*mmGrP?2k?UQaoP$0D<X+!Oju`&TJ@U0N(`4;6ZpI(ow}*sslC
zT-iZgzG|-apCZ9knhN7`#59S9s-^?Wv+n8rXNtS`mz9OB6-yMo=APPNHrKy-Hf34R
z7lC{6YJEm@8EY~DcUG%TA8ofEW8u;<(pwD;G}c<A%UZL`qVn`i8TC`Fn(bm>$oilk
zfn=pTFRHGK29!m>|IzhYi}YH<->wtKv3NFKHyL!NrC%Z-XOpGJ4U2(8GKLL}qqjwP
z7C(skP;?dNh|^ZoXJ@VCaw8JqorK!u<q`sB>+f)*2TJ(8Q&*leDMk#}N9gVLcp(s`
z8WA^ugh!~>J{(%IHA(O4Wi64q(_VI2i{BRI&h$Ty8@zLx)~O&RQW_>}F5}Z0W5of%
z9)FpYR1=XvRBO8GR`syqMM9>P+m|0App@<P;%z<m(55Pi_|UHj&Gj$K@KtCM%<ESa
z5!Z$&-e3}9dAApQ`d4x3FO!aj*G_yf16tgm;0JD-(2|isW{F{tz~=XZ>Z#9jgFvy%
zi|865(9FAokmSkJ)u}I56KaFJkib;NXd8ZT5Ok?<qoc)Vu!K)PHu!7iBpyLuvVILw
zWsuW8x5$EFN+VNubuPSVQ=Kko4rI*{+>uQdv3jdC@8UVq(XCBU8dZ7`j4_(*vTR}b
z<E-ZT@ha01_F3wzG6wUr0^f4C5A&efYs}V5oNt`fx-SrOIGY%dbedly8^thW1K4pX
zxqw+I$7O4zFED+gECwH@)@#fB9mnt8cj#7vaa+#4nxHk2_ao0NGSEh%0^+e#*oN`d
zGUNAb7pXU7V0zHPTCs=!kFf8Kr@HU|FD)vS5myv-jN=d*c2;t5jvO2!>u8X1tn5Qb
zk-g42$mZnOBgZ*}gQ8(1IaYRL9YPL~{rl+my&sROuI}spyN5pKGv2TH9L;81AMvuf
z51`x7NwL|v%k}v{b-WU<jyqa1+Pxl8;tOhN$+ErcVVW@qj<Lyjo_O0tAioy|)PNSL
zbqmX#x(jj(wX4I=h^S*}CS2fpfCfS<t{l8H<ll__pixO>_?e^@p=uT8UVO>WfvUyN
z@3c9WOdsByd)~O>q?4OaX5%P;uKRLkK`wqw7F~aBzI~_B8@Oj;)NP4tlkG~s+}B^s
z;|s=XzDC>I$@MmiJcyUR@H9`}IG1pZ$e?I4KfAc0X<AfM_@&Nu_Ha<G=>{E?y5DNM
zGJz)-s>|777~vjnFNIkWX@ddCU76fbJl|~*Y>O}Q3>%_YGk*}lcelP>c_Xs(T<x!2
z$B9p`S-vTuQ}=yVA|iY$UP;DP=B=?wZt1KNhcsskK<5O9H4cqWe{b?5%KI+mTj%#-
zbU~>_fxs9qwpj)J*^_<v5$GoNn5;9>%?(#DQyn#Tg&k3?a^|3M!BlqRXRFjr$=#m-
zXmTEd`20Ns0gI-O8hb{&-sbnTa3EwZ5CucXDc`8Ukqh!Ccw;ZCD|YvQdy8!gh&>p!
z*7Z!<Cj&Nw%-5DjjE9vHMLmcZp@<oQ6jLj#@>w4P3Z4`a3cTD86pN|H&!aes|9(V)
z0+`JH+1E%c-}Q=FBdmta>{)XQZ`y$zzen-XW3mKySzSd+$%lJh&?K~s8l+VGFi*IZ
zK`9SHp7^14wev{1tA=h9;>F2Oazv(2%IB+S*huSL4Ba)Ztn2Nu(Jn8|t(6BSq8sB-
zzg?7hZ=Fq)8yA%@T4e*64d~IvV3%Hj0-p(F7NHl{9pZKSCvLJ=%o_@(tY<U%@a0MY
zpPqqZO2c%nxqD64ib2FJ8t)`aX%n^iYThZiBcCSqkd67Cho4wZJ$8}1GXI-N!DqJ5
zzCChN4P30f>~DP@i!|hN9Tm8f&*gsE3hIgI-ALICs-^Rp?Z-_aOocw-TjL0$eq1-g
zmD$$}X4?@m>lPtt@#~yRBFL6<uPVuf=XiBaHUuTjq2|M(+q_`YUlFS(Y=vH~78xNY
zJSl`x1vw&~-59RVF)H{$Q1pkA6*O+@<K2FL%C)jbZTAu}*kY)v2OB~^OT<}C=6vCe
z3($|@qsDG-LykQ!>GJCAFy}iFXUnr}8CM$Yn(k)=9On=E;*!n%+k8Up;eyGR)L;=J
zf~q!`ze=gr(0`3j_Y)+o7kzZQ;y2&xD8Mq&CcmuY2TCRIz-buBM6pc1h;^x8;_?gB
z{GI&+ykevX=G?4zZtKd*%<o3Eeu*o<aQy`0OFDo?p|9)2>4gjGkAoc!CMF(EG&bV6
zN%E1D(-bt(R*^9%g33|UWpvD=n89K;Uss^=4}92)8}hp<!8ug2g5&|+hF&T6Bm+*S
zdsEKWI^1oCUTFGs&ajS>?dD_)f2Fr^rSBOje|!5Yu?yI;ap|DMZQIc|lMK+EBogwV
zsbOz(^el!`oUDEeW9Lhe|4@vo^+~gta4$$UJ`QUo0_^EGG2lolt4Nqc9JJaA2aa9-
zv~JUP+Anr_Yt06b+0)FMQ{WGBOtn4mOF~!8j0di33X31;V+OYeT4`b}LALHGA`ihW
z*|cLq?DBq~u&*;z`F<H94Nk<YvgsP==8Hk)>3U+i7cl4U4k!2!AcwheO~M!LjkKCQ
z`n*dsHc^J&gE`FMN%(*zZ*{q-r9<xzjmn*-ANX}_{qV%@M{4uRe}TI))9=y#3H4W(
ziH}C(5<_2q_;>?~ddvGRrxVJg^B{7rMrcm*JdabveKh@9@O!-zE6QSJR*W8y1`Vbu
zZ*s!3PUh=%O}Rc7IZ*1`zT5xxg$A0!)4re3-;W2Ukq4T3zqj6dM9)kyG0vM}w=TA$
z8x|Zo$x@i?Ztnvha)+DdrVHyvqoW+cZ$Uku<0C};=y*9@5QRq$Ide~`<@*L3!b5}n
ze^}1{#L<r-z|&m+7(Sq(o8MWYdL#)M8xen@|Au#;ar(w|QR|?&1i$j4Br)FfTy}XC
zT;I^>Quk}q*Js&v4Im!kX4c^OZq0)42H5LNJvgXLdq+=FINy!w31!np?o(HgGxjxo
zo@vJ$WDw-vWb!`3ffG@j-7*In&0b)fezYP$85^Y~#>>Q|JoT_nKh1a$5!E7kU}-t6
z^VX=~zP=L|O6v^lkVZG-kET!@^>4eec5qnv6`h87_{HEy(vLUXm!lo|d#wzFvva^H
zzyIM87lQH`FOo?VOeH;j-l0QrC-=l-n8ZeSp$I5@TXgP%B=kB)QMk^wEm>M#13hzt
znssD0S!L}UA%FkNLb}zgRQEA8m|}cS(FSmO_?BF+{P*|OZ!lBzfDH`V@sWOR{RE|_
z!wDS^OQXTHlWvPQ<a<O*YjWmv?H+}pzeu({%J!60#U`Sme2RZ!Kqa)CEZ3^y3&CV}
zMJ<Iyy6}Vu{GRSq<)VBKQi1k{d4=w7df0B!aEYT|^X659@U!+7`SH3wPI0<%@+J^2
z*rlPEDVNFO)(DqyE~{4+5>)3J(_{;XF3pU*YN%A2m%z=W8Duarv@{@)`u5M!BoGNt
zi{v~xQgH{~{+>f#*2><(5YgnDoG$C!p3<e>gU7c3tDv@}ukpow_yMwpEC%9|{u;Z6
zmqEnLLWSv7m7EI<LF0LVXZwNwQiI*;=;dGW#HxEnrRGnCf>K}WOrPbF#EP^F+v5gi
zc@Sfl6i-=~vKB9OVG&@r@VB9~?VtySW47ro?AIom`3J(d#k)w|#8eeshi2b9JBnq*
zV0>lO3ZEnq!GF|OX&)fb{ne?KwITmQDA(W16yV!m2hOk&zv=yfX^02NdK@8nN2@hE
zF9GM&iHz_`xIveyQsiF{a&(}d8|aCcVLXZ@tRd2oUVeu9GH$bCdA^unTE|~w%}=l<
zixU>TM><j#nn7#`&yqWTT^0$Ppfva9jY_rZ*Kec#_>BbZhD`Y*MBoh`(7zY&$wD-g
zUKHzh^JZ#2I7C*Lhw2-5)S61swQ?^Kl9!{e2jQCd;-na*>6yk-tu>_;6Z&KWd^%U}
zo&R6~dUB=&{brTP-lWWDZIwn6hrt33`4uUSy=!M3zNm}+mW7J<|48qK7Ys`Hz%2|X
z-?{O~gu`O;pwY&S&0;(yLm?{?#bP~oXD(?eywN@M#e1t?8PN2vde%HR0r6OWOJgeH
zw6`eg{h;<e2&aAylXIb;vu2GrqCM(>`JfI=2^xDxTK^?(o+}v5hQ{cql(TETj_}|{
zb;YJp5-obz`#8TFxPdy%1?W<2T5fI@!sf78x^fOE)wH6e2V;NoM#TaWkE7i45zrok
zXF~HIdOj1ETJQq?9RaOn<q!I|peCJ4ej3*#Xy%_s$%*p-D_kjb9@lg1PB)+nPzW0W
zF&x$LoA_$TK55zB8^$q$F*YQ7wLHNTcYlJzz3ocQXrmcPcxz#BUSHSMwKJoJS6cqZ
zlP$p`6Bo$eQxspZH~-b{==~_)@J^mbJc=ic8$#R)oeH471W7*3<)Q;ZNX<{eOk!mm
zib@?AR&mTZS(n5vh09o!EDK%<GMHuK>xn+zaC`8@kzaF=s`}4LA_`z>#cBDdOSYAC
zq2{AV)$7@X7_k^a9ta+{6SlshZssrf{#Gj+!biX3?xy0RlvJ7o_U1JtUD1Rn+aWOw
zFV=ExHV3}d5BwMYtzb#W?Sftv)wi%!x_oA0{3NR+EajZoGAQkJnmVm1`mR8-eaH1-
z9$_{_zXR-@Ofu{&E1Qlu#L-hRP2d!9t<P6Vu<9N_^xP0emor7+tIxgj-B$Wzxp_AA
zt<paIj&EOCK*pJGbhhQ;H8@ZGW$bqj@jJN{K9bh$;W^meFe{vvP;CzOd<rwT%p=7y
zp)h)*v)5HqJGKAL_v{jWn{rsO2(PQ~!)F9@TE_dU&JK8naZ6QKNMpsd{~Z&|()z5>
zd>B6UE0ImwTD)h50KGTxv#;l$xl<D2eTOyLl~zZIdwg7rzQkI0JOOu8B2{iQ!U(DE
zrfI<`0hQ9Y^{)Ge-8LBG-L2se=ex@fo<))L5i8%O{fix1R<X!l*T@;iA7_g$6At{E
zsREUE4`zswg&fd~MVBnthM`*cphr&6$~uUqk-Pn&Du%^EH`?7qdfIQk!Y{-fy_EK5
zvLm0^4ec<Y^%@4@4!t~9&{$(y(Zg|_Pp;H5WokM}u2#OnvbGPUkZB_{xA$B_zIEd4
zzg|4WCH!?nVqiBY*gf+)m(tqFwc~z{(=F=k(BnF|i)8N^v6Ld&ut|jlh(`yLBj4?e
zyc`#oli}8H;?8GMLaT<PByGwBvkB7@pwuUPOZ1H&XHWk#ft_G_(9Sb;-di^xmtK2a
zBu)MX<EW=6N;Nu>Hn|qn6W`x|T?U@NkecmhcsL)=m^z$GQ&YUyRsD^fj2y=|ofWSF
z;r@ae#@owbdb9aKsq0^z1{406{DV4Q*qki@9Mhc1ogXiYz_^`rZbxOaO2@CS7!%my
zPcnvkT_NEO_HB1&Zx)-B3yZKRD_LK;nNO%1G?B94C8RiH;}1G#Ai*67qRuL)48C%)
zS{Mx^;D1fcxm_kz<MM1`X#`bn3yHjORmI+mt#GvTQ&8Z&;G2R3du1XALY&d`=xh13
zmSW%PMh+dLkI=VI2fwnvCo%HaWv0CIJ^<4AXYskG!EW%fUW5xtIqQuO`TfTPCdO$P
zgdM{346yxKD3s5#O_x5VBb`dk%Tl~r+K*wex0)sB6%QtgTR92g-ajMj1safoO+D?N
zcDdNEUCyrrR6kF3F#Q%?_<{E`b4|>Nx7($~Nmb?H_0<yxUV4+jmGRTyt)Lf!mUtZ*
z!IOwd<H9fFZMEvOS;;#Wzt?4V^%=_4$mt%YI61-&LiKeRbq*R*MuOpr=Y&s=*1kJA
zvoEt3P~4uCNE}$aDtAot_g4BW@cm1FF!_d@A){>}r%?sG;?d`@#uaBPLq)`6pA>b?
z8n1FdWuW=qepAw6F6^V&o#JMpE$`YMsM*EwA)A3|9)!`^zG+e2>n0I5ea6lJwH7#p
z^5wD1U$XPRRh}n)wwgB2@JJg0oO-qQDNAwbREIs0@mI#Ker=(urqgE7!y2c<CA7x@
z_IJ4AUZe1YWM*)hr_m+1FAh`R^Ic`E5wEe=O&fa}ns6|#=w%_^g236vtdUB`P!}GX
zcWeLl;X^zW0FonZjH9SMw$CKs91VUX6&XH!zHph;OLh>oj%N*{(wNW%PjIXYB)Stt
z4av4&a;{kBeyu*~6vbDHtR;e3!_(@OR58O{F3A(NmI0D~4B*VU_uC(GA&fR}_E{a!
z(Y_ZS#g4s5z8hv9{QVp;-dEpP-`6;E!gOfnpb}UTU2JruMJK<Ug9h>B3YB)FIA)M6
zfK<F!!uc9{t84Nm)^I)9B4wT%7#MJmtuW^<-lTE-7Q?RpOiYjSfM4!YMz`s)?s{~K
zx~y2sr2Fj?GqLC7KpmArULF#CL&fN@<eFa1H+2Myq2V3sY+8M)XqN9A`g;qJh`a9M
z><ET3#H09K)gX`o|9e><<<e5?lW!|zXW)7SD49rVK1U@#f?F8&Y*4kgM|fI#;oGlk
zjGwA6xf?J6^-KDB(gJ2uynmQ$?Tce5)mZeK<EX8?H8jCE17iQhQMkb_Rpr(ni?-d)
zI#8q`f1#5OI)0~>8(J<2<!DQCuT<Wzc=blh3dzs611XdtuzEb&g?85d$oEWNJNF7*
zF)ZA*wXmKO>JZO3I%f`yBZeGnqFwC&ds+5@1HoZO%Hq`99>SeB748;9wB1+l(7I-1
zw*?=;S7Qa2K;_G)!KYn=3|PY-w(YF2>F{yNzPFdCsa}&zF|q-ImDi^?Gpog_*e)v4
zHo5N5sMNS^dws~iJ;qhMLc8pz4uXT2c<#83S$(qt3ygxh2v5IftB@*Nny^ge3K%=c
z1B0i160;bG@5iO%nNt!RqX<t4(Ed85Dq?Wlu(@-|rRelR<JYYv7VXCY!K2RaG7nDl
z{P*xun1OKKXX-9<WBkl(NE0(kDz5m;co<(=b&kyd=qa@ugMhZ{^cWm|Uq*NLNlh+F
z&hD~PUB4KRev9-HZFZXYoPNgy#UH1Kt?+Rg7T8ihJ%L_}e;08qblKWX>i<9Ke;@ql
z!_(TT+25VrG0hT~e|03M>`jBV<FZ`;?V}dO@z<;PXO$gBggOM>7=-7`zG*Hb67=}E
zjzbfu_~KH-o3GhuHMpj*Ns=J1Rm774onqpgU8lU&&|rD`9{!-zUy0s(n7#nxyB;~k
zIfEHE-)n72v8phvTVA(G^~E>1w*8%MQJ|E`c&TvY%yLDaR7HY#6d{?A46o4b<J3KY
zNpZf`PQI~pI2^4#4MjF@sRLDv=l?2t*$}4HH`fH}eIfRju-`!y(Ks?rnV^8s51`;H
zn$kj#mwAvpe48IEWj_Um1;}k-hzCzXU0?XAwIOXvp`(Y6TKD?$eDA7v&P8~<7>o4K
zao~|!IR1}W8j2OHOHfBNwutENr>iDnMHr9l$cd+_?<nQ8sV?={3#5L1(ZQ4ZHVzm)
z-TK-leag^`%-v_@##Ag{_&r}J$q^lu;>eq%QR4(u_MTb8PmVVz2$=q7PVs*@faz;M
zl<~8D<ERa7tbNHv&xfj-1ah{i*<j-5!w6xD=f<rIp?$Z7u*67`NVi0c(#g^BtK}fk
zong@@aE*^<FZi?vq$J;qg?o}hvZTATk3fcG|NF`RPrJs0NZ*7UcuqciZdQeQy}VA}
z2$j)4s%~<d(nZy}hq<b5a15p?2R(=CXfUgk!79tx7u>M2ljjTrIbXL39(ocB*dTbh
z-2~<aA@{#X{MMAQ{T#H)P<aq>hAjecKY>|c#nMcr2)|3__!c9^$>FEPoc53MdSZ%M
zZp=Efj~X66fV;Yp-QBnSx<IF|q^hd9ROYDme5Gzdp-Fwe0_d6uN7>sLV4NI>{$Fow
z?q2C++zL;BjCzt$PrxU_sD3r74ZUpQVRzIdhV>I*7X{x+S)PK*vAi$=#Zp-kxJH|c
zka40z!=`HJO^5M>c!aCch)w6J2+y!jSIgYLm3&>hZN56)<5C2&Sm4ablWo;TVs@$B
zC`;ky6x@oCK38(WeFd$ioXNIgiyF@~D&)i*$l;UW2-IivmW(SbMY`4m6@+sVBf;96
zleLE4mgBhy!&X2AIA8H!#y`6iARq^V*?)!#;!}$`U(%>>XjYYs4x=r;zQK9m!=Smb
zfmwf~_U+nGlG7W7Q|%cyg*ig31X5kE9Z?<m%92h4Y3F+g(X-FZ<O!TAB$t`S($^AR
z<5(SWjZmOO)BFqA3jCv#dFaBkdK90I%sms<#3hcWzP})Li|qVuQ$ySpzFw}Dr*Y2p
ztZ5FEh*PiVBWW0E!7NcOy2gz#FTL=;W(*peB?g^B6E*)LcGEdkoY~TKBC~O|BO1;o
zW+5&GXGSY#nREYTnC1{<V0cWVfF&(W-9PL)qveO~{Ts<q;0(ol0Y7gy`z*px$P|>S
z{8gz#p^-TkBk#p~*w^<=BG)MEAofGT2Dw8=zsba^U$JkTrKIUK9kbiB82)?PFj#>{
zf}=sz154~eJ9-5Z*%qP4n!=cDOpPsFFB0?eX%DEG1Pou3hMZl>J?@)_dC?Ymy&+Me
z1;kEznL|tZT&tJ}-;nbG!+8J+*OMk*2^4MroD``t@2+{uGlLCALeELwE#f3v1>-#a
zB7tV_5tKJhgffLuUp~Wzva@i*a+^KO8k@~t7v;MX^B`s?v~$}{OgNi~2~nYHV^(g2
z(DT4Yb9&^3_<t>%ROcWb7_yc+tXSYauRiNc^2^0_$*O4OJMVMe+ub%yF;=e@E@f<1
z12t#0I)hm1ElTW;r;QTsla-bx&wpIL{hZJ|+sMb~2gJ=Uo9F&@z?R5o<M-rP0wgRy
zd2o?b{}sLwD(qVd4zusLnXcNo)xSY$Pcp0VoKraR5qDMpsd0v*1XLt!Ic^&m*C#!m
z(;P9tB8SZ#eQP{}3^L9{4*>JzKTq@aZq(KbCRtg{9;4a{E}quU=hwYpcbkI+MDI<p
z3A?UiOKB=X@-ID#c3{m_lyBE#J&70&s%-+dQ~P42bfqYJmiP{Qx>TwNM$WulyQU!*
z_0N^j&mNwb+ZCq!QJ28sOqjrJo^BSM6>|Tk&ADIdttc8<Xg!SLGS%_aA$CnzQj=lB
zOwxJEdy2-{va;s}4S&R61}mkjU!7Q`!WVpW^g~l3bC1UzJ9SO&d*A4bIRIxl9QGbq
zY1Xv*P5ibL*u&Jw@_!ph|M;I9$g`q6C25bq_r`&Hm=+Nk5^fPKk5;e2ZkB)8j}Fry
zZL6<ygb>j717%io!{*QYr=V7SJP0Do_daD^;pVMNw`=6~+Llgvt|xDvS5@4b<Cs$G
zB=Ca#g5;(O{G9JE=E6^k(RM)z3F2l675(;w_Z5i0Z+%ik0t-v)6pGEOE;*LH;j&v}
zOr(ee-%mILm9v}5w2qQHVs^M`egEuv>Q}K@@Yl!PZ%uC3a!cNU0lUK@JuHf{(;?s?
zohrq72EsXUtS5J-QiNF6m&eVUHf~Wmak<|E`lf_jh1+*dl?`#t%XhtQSJu)3fI8W2
z%vI`MS)eY-rTsn?57fcGEVxlf6G}A4CP-K$??NYZ@C|aU(cw=9K69SZX+4E$KjL2I
z|Ef9!B42*4v9(4sW;R{~yGH)_?U7s2GU-eAdiScXbulamcMK=mjpjkNLYVHLFJb(A
z^ZiMC`Su^jvp!x@k54f0*(bt-x?<|sTUtF+;699*@`ws^wZE(J`&^Q5Z<td{ujh#0
z>aNVwKKp}AD7XcG*<FD^E76|vuAH0jq}dd;+;<Ff?Qz8Gs8Fx6i3q|=e%Y5I><F&d
zqdl5(-JoRCb$}IF8OU{AFb=-b&c_U_kOJ7}dWBl(MwQh!`aOCrV8v)nP3_;(@0q~!
zDH1O}KXM=P=w%y{q9uI{6h_&b6b^(UKah1HIwnWJbBg3y+qqWWT)faEMG|UdGBS4H
zVjJ+a$Vk0EauVHVAnDVLGtwu=>Ew6PUGztMP{Vg>3%*ergIw(U=2m2;G6MXo87*Qp
zyska~M#(X;V$fCla9E{4w$Lv<)blX5rV+E!s>x*cHz$qV?cCQW0J1t~_fI$k$}Y5i
zN6xJ8ulFXvuCQ!8tiTSIQA!-ElaFQ6dB0md_9qxBTv2gOMOtEwj87u^P5Uwco&Yg+
za25t0ih0S=v~D>RGWaFxOBC_lH!H*aJfl+E{A6{7sFBM`f0r8uaF;LW9GOm?FMLlE
zyC~rV<XLS?NOo<+T%~h(x*j7te!j3f%ezb9T*8LrVX$O%z7VTK|2pzm_FvBv?g}_6
zJ>v=!DdnL$6&}aV^8>wrz}CQcG9uB^AG1ER;NKhkD1ml*WA($C-v;we3i}yeUFOMF
zfM7CAJK=oRz0M{x-jl5Djozn>(s3fz5p;BgFxDcR^-0IwD9Tst!<j2j=Fo6gIuD}y
zi-=&6jJLL^g`JwuH4k?KLBXQ<&U*;|4_lvBYxj*22lb_>6<^GMqlE10hohKQeCwmm
zWBcL#*0wf;eYOO=Ed7~bklB@^^mh^I;p(5xU(pMvG1eVn?^1pS;@T7W@m=7tJZt^*
zc#bT==S4;Ad$VN)?Jrw*Oil{3UB2Xm4#GJ+kGuvL0M66?!Sy-&T#iK@7}Fdr6`9q(
za%l0e+BM&>CW`GjVldVN(*KP7G5S)YYkd#Jd#OZ;_@O72<~D<zf$OVz-uHtV;x%ln
zaZ!2L4MOvP{J<bwsbu&Ca`C<{9H=m(FF5|T!v~6IK*s~<@ZywFXCp0$+_hHa1r93G
zhX_R6mPtfW0z(Q_CFsmL{8WEW?4Tu2fM`QAlU<Ubd#Yjwr-|}F2smOKB}O$(SDb<x
zLqYGIPB+-y_rG-k{o5Hj@lf^1Uf$910~6}X0-~p~2L`sO3OZ{__b=#w*1@BCNgBEr
z;;EsvlTrGnzTndACpa$g4y$J$%lgM0cv26Pwmoe+$Fe|!_=|g_+G9dIC5#G8Zgsg7
z%t`eABFgh~5gd`Iiboo|a>rc@vzIe@r~hoCTgyI9RVbqqmdPp<s>qU4+B<2Z6g`EW
zgaSTHcMc%Li6x~U!?-#~r_!59hX{E4+;=@+>|B6eitlp&Z_of>Ma0FwSCUvF#Qc^+
z6=edN6;f2wFBZ~e|9<isYQ#vfPd<J;LFZ5xF(OAXA{rp0$DO~|R0bjT*kPp6%XnF@
z_Q7sKwpEm?B!CAfar;f?1Gs}*_fLESI-LEHU`IHgnqUHV)0gf*th{%isvm8Z>Z4!1
zpp{DL387(iN*%FC?%*4CP1mwx<Kg|U;|r2}-;spl8A|$}lFZA6pL52=Z>Y(MM;~Xt
z$MWlv95}^)sbv}hX5#3A$&>D6Jm;uH_xqLo`uKw0YSh9uhR?S4LXvlULeu%#+mkH0
zJxw`WqX1s;Fo3Yxd*kpB$*~Aleh_i~_DGX3J&^}d{4UY+w*$MYu%HP{Si8XCd6R1D
z@73Ma;l*Ccz1sYKmUfYKU9~<v)yKt~*VPqt!ip*A-V(8HJ5iI$o&zR<<4_rld@v0$
zwXgqUxktd}-Q)p>@@7Lt$i2Bths+^4^dw^ecsui#=Kk<O$2??}VmnUQcN0!`OBZCQ
z#~pjRD1t$~Ug9=7N@32Tm3V)t0BYMh+o5U+H8{!wp2lr$h?OdS_byyG(Cm^|wR4}j
zWTbY<#LBu4-ZNL$jQ=3UvQ>PDYqYC+fczUXZZ||IGwBE6UOf50=D_S(=BgQS$^?V2
zGlJ_!(B`Q{5{ul$*|l2YSDbZCyZ0x(h?mfD*^;zS7{<F`H9)2gxiSTL6(Tj>e)UI(
zk@d|y6zp||jFF^rOm44@&S2M7)5?+~w_7E5H|1>}|2S4J$Aor~O}^N#M;NWGb);7c
z>DhK+T%<txp8I4xA5Zl@6kVV_<I}cBY;58|IWWWng*O;!_F>aW-|EECQu5x3^;IC%
z6B0v2cu`{B#Ks9L33a*eN(ab)2!(u19R@RsVW49I8~ajR!B`EW`2%g<hU9M@dlgaN
zqQ49Kb<%--AXJs^(c?)QR%v#^;j5d{`wpx`d6MR8!#+KD1&p+xOF0fMZ_ee+=)@2z
zLC=6C^PKJdGrx|RcO^!=S-eL!1Xu(>Z%cX#9}7A<YTOV^BabhFlF55!1(GMbO<jfc
z4i9%Ag!-+Ww=7t}Rj&}k9J1n?BJ9fP4;cH6AcOBYZV6o=Uc1vf)~C5UGf0*B!zT*M
zG-}M}lzaBrm~cr|yw50Z_T$yd#cT!?i*J*sSxQQjaiaVAnlJUv0qw8n=YDmwY@Pi>
z(zk+x@#`JJ&!xbA#e$!*Re+WueNX=%?0b&y6-$M8K+_FkS4~r)u+N{8wW=&7UutX|
zcP>eIAg=XpMSo*xw%$apdEENGbjrjTf%XQwR|d0Yn(`RktcdsNI!S<$;P4A<5eTqd
zf1q{2;2$4>swESV2hp+bEtRBLp^OC+;BHGZVkY!1aD?{T@EI9Q^xGwYVq~jNrUbEs
zlR&(Uw-@i0=?Xua<YIWDb;bDb0!=rw+{ON!jZsctl&V~}XTt0s9+dXka2HzO1^qTb
zF-JHyH^CI_3R4VgYcbVoD7N$TJjNbBv6$55!XP{~J*<s6Qh|Mk?gW*7oz#dkiYxAv
z(U+09<i-T6Y*oP_D`Pd2>;4(JWhM4*)s94*rAahIIFRbHxGsEYNvf)Xt*1`iAz*;~
z!f|b_7AcclhjJAmYDrX;&Z6J*Ab1L*%}Gb%(I|JEj5kU&ZB8s)k9}I<5K>bO!)DAA
z2_)LisEv^J>3`l+u;2+|SC~MPM3!Kf`}4^6orej?HGU<;%2|;A@>Bh9*NaEEob;1X
zcGu$&3KJiDa+Bftg{Ph;g!Kf)#w!r>gv4{;Z2ECe3z|jHD^emRhk!EMGtKu8LFq9t
zYDc|IDE?v<9Lo%zJ?m~MQ`q7Lz7(B+FuK+EGA)5Q7wMRnw;2~TLtE<JYVNmyB?zRB
zYozc`2S>5WOZ0?8>ArCfXnVdkD6(14nP)^%)FPR4&t3WO3(oQ<cqj19)wA&Y@>k;Q
zuMFhpw+sG*1z?9s2XX+>!p5eGp+OvE&Eko_PSQ6VQ+Mx5&=DXrAO&qom7a6`VJ<wE
z>=yXMO7<tnxB&#-^BD&?wo2Y4acQQ16aAhw1(1Sn=05WO=Uwvh17q-Jg@bda;K(K%
zLi|7@F~CB~+?P`+BcVw+#vQM8Z=<{+zr94~fi{44!MEfbiWI~dUx)Ym#P>?S7ty6X
z{yHJvuP29|pvt4=69za&yQXe-{J|jZ1v5}0*-J+jxr-jCAvY0_2aTnSq~6hv*~$`X
zLsu?}Z_VVLm&~)Bfp~c80c7+JEulR|g7m@HNYOOPLsY*dgj&dXkn7CBEoGo$@zc9t
z_Rmwr&qO4QqOxO-dB<hc_S0mTb9C_r5b4r!Rf31+E7ksuPYm^Pb$JheE#wR}x_GF-
z@hP`{ws?BoNULsFFWSz9D0QWVOT59}jm!(oX66+BT&oy1HfvvALiXAB-ROq_6T~x5
zzd!|9vmA*At<;dn%ZsWq#1H+&${jkx>gNS@RVmqX7$$gocgw|rTyR$rxyA3M7>qU7
zB$|8mw<;a@7G#{5fSFh#@?K{<`2lG@`-YL-B^hYjisj)F2;0i07Uxy#iJN%Ssb;ZR
zTL4dSFJ9YJ7~?|WY*EpSfA67Uw8x}uoP{J}+Ir<EQL5oV6mxFW#^b=gf0jh|&fSW5
z5@B;<jSx`zMLkZdC+3rsqAXJM(5oV|9rH@$w`i}0*zcNlo^jK(yS8gwN*HHkBaCaD
z<>@(&RpC2<fD8RjKWkUjBO}qiDxWHBh0b;@Uh-6wW>9BQP5ahAPi|DAsy1tGLVxGj
zY4V6I+hy9Y^37twbn?=)c2Dc2@`+%F{rEH2vJLG%;F!VU9@zqt6YtGJZHDc2Gh4UR
z0YJ{RqFB;xhvA$SMaR9RS|}(je3uK9xbn|Sy}9=CFnCUm?EHLKJt9S<Mf0^@vzcu`
z+yImSfjbw*MGqnj!?jwAOta(DIt|_NKwV1gq;#2tbI~W{`xoJBaXkKp5zVbCU1R4D
zTb8?(lUM<uNcEqa4d7+x;KTN}yt*KhrZXck(Os!7hw-yLt{?svk7*-p;X3CK&}xNB
zi?=G;aK>LwUXIT|P6Z=aPhL0u++{BuPsk*9pwluE1M>FLqq-lpelW4TCMQ08ob}$X
zzDT=c^E|fD@F%_m;R0vQs#xrRNLwMX4(Vu7yoDYm0;*{jtLtrReTH#B8_T41{APqd
zgKHEjjmb3I6Cb1}6&=}){My3QU2o8sZyjR$2hXn5{mZNVXDD}PRW<v}XdiM$?0AUD
zv?>eE<-4;EtM^Y2JCT=dE`Ov(N{PLuHWimV!JT<d{?xy?I38Q~4k3y)Au<b!;S~S!
zVI?x>W7FRIolUjB^5Ks)&<Us<RLIYYm|kgH#TAELR?I(ivg+upy8ZYwDTPugeVA7F
zq+=&*E-01yrc2nVRP*IC=7PK(q)PGIi%i|QC{6$+sJmzGpBX74<e{<Dpf-3(F<6U`
z=a-`g*I5$5T)j$bKd+`8GjU)abfMex(&6)>%EXeM{5sSn-~KvE_7t>3hsVWH5xuF{
zEa*s$!U2RKKg3?gKm7j@4-@+g*%3XOP4;H<W%|$re3V8qx3rXOuh}gq0Y=r#H;e<n
zF!ibg7W?eBky>DJw`CA{umjrojHTE0P;C|Ztfzw*fB_zU3)or5u>Y|jR)r7|R}Pg5
z#w18%4^Ls9Y^ECnLOJz@?RLyV$bh&#g<)khMJp;~lv9V${)nIjLcdX$F}Y}Mt-pNp
zs#0!(PWgeNqCA@4G`b7GA8ha%4^VRfG0sjGq;}%4^3bGAW#0>7KaPyHVD4>A)AD;d
z{kKET(0a_AJvc1ITYs&Xx%TZXwSDm-9P9k8UwyAqkGw5LNX1O|&a)JTcXgXy1&TBN
zBwAcwm*h{^JyJQZWFa+(@Z{Qil11nUt<cJeXaLDRf9*N4<%n~HXoGg0HD4zh$nPHo
z9()<`nxpjQT$yw29aB#j9z8~{Yh6e~Z8H*cd<VDYWw*1P$1Z<zT=mV}sU8bo&e!!<
zoU0tElU?j4{i-!~>*9%zYzU!@*j{$1d>^_8?fptBIm(k4m2D{H$zNB^SFvmyZbhTP
z=DYnhN(OikAOc`kR7Zg6KIa^@(#hBp-#pE_7;c5Bir~Ty??;a>1EAUutGl`Ehm*M@
z#ibt&_!!BUIV&Z7o}r*S3o^D8EtbnOJQf_Qx{UyTngA)_Mz&;2po6dPJ$9)Ma};U)
zJG0=W&cla^NE>TC!3Sg!hIzQ>@${!<KOB60hs3T}P03hk7YUSYzYc#fh+^`lY88E0
z!UK#3D*dvZSl0M3cDjt$zAdX)Q=D3CHvWWQ%A+Cpw&)cA3T!WN-u-dwfV9HA#)V?j
z?-9%40;n{^#<tzixFpI$zxs{1Q`vp-abYRmpiUjz%O;2aKAds_?Wg8;VIJjAN-Hjo
zg(aIp2+W1tK^)ELNPg7Ek00gZqg8+4tLyX;o+l)i;lpSMR|zz3%j7LdxC3pR95Vl|
zJXBpyd|o$(YZPz%BW1)qZoca4@X#II?J3FJiPqko_vi;q0I(p5Ch+&`p1r^uC_?<;
zc5v(rqdrdaV|hoPnP-AfGslo@!e8N}76NCD?I03w06eikXa|fa9{D=j;gOE>Qcwan
z&*X$=%L8<;A}(*?`=rBhfD%x?H9Gv%tMYKJ;yX=##t-+&<L%d-y|>VvZpVCAy2!?*
zC|t>lF<E&-iJ{wcT8_{}S$R{xQ_TR;Y-GLXjW0vKZW+)mpG<K~ck-$k$Z3-uq1r`W
z<lXv76bAggI%;B9O9A!T<pHtM>otH7#Zt~vh|1<UKxe@?XJEv?d7P)g?!CpcU-b)a
z9c3Z{t(4eJug{opWyf*<<}s2-Dz%H6FfBZbDzX&~%T3shNEZRXcu1}Kk?Jst%SE$y
z`9#Zs+*+_tgLz>rX$;mL$AbV=uI^XR1yYY;8gR5zfGz=QwZC4s-FN;ry?VApJ41fd
zjUE9`{}d*I0aQHZXxkeLDZ`#!DV<zq4i_okHkT<s2~92yQ^J%i*T?3OoAT`#Pag&@
z{S(ovWj0r(_CoE7N2#t&x*wu?a;6Zxph9ofy{<_en;60k`q$atQ23k`GhO2M1&`~@
z7@;GUZmBGpgb)|}7dGhDlJbhR)4`HYy|%I?1B7Zf<2AF1+6md6bvr}N-%}Ak%D%+t
zjwpP;LT|`GeX6bBRBr9O#<%<uQSAuW5*YYdL%g=vb`qkuK5uj`1O(hz|EA(ExXbt|
zX(QIJPh`&}A`~HhbZs!PGyqVq_Wfy=^D0JBL}@lDB<Ika?;dEQ><1O@dw<^@1nMO0
za*ppAbu*b=dX2oG13~6ZYAc#Zxpz7!<%?+LK^35<T!A7Z5W6#nLl~3%JR6wQ)JlrV
zB3>qP%|q{EC>ikE4(qC)zFph}zK!ti)ESK~4~%Tf46XY6deNpV>s*o5?S2WlxtrYv
zo%tgsk~SnOz+=c$hZ_hB?)1`tq1x5Yhm<b(F*x4k0!jjtxM1ZkA8m-GX^ih-R#m<8
zHMtqv?*gu8zc(9kHS~Ggxsy}l-vju5J?8go8Xpef^S-rvcGD4C^YxxfP0;s}KPvfi
zQ-;3Yv&%T7_=4kRfbTdPT}V>-!Qrof3r%{$(1!Am@0EG-U4^B{@07gdS%|KmslxYx
zT+h`>WyWl8A}X10u}M?6r+kXfH+#ox$b$}6*}m_k6p`DW@r|B8U9^wSQ_pJ)60kPD
zOm9#9NNHW7_SPm4+c!JGoq(%d`A^N1GuvZ{2#bvg$$+F?jw7UWG1aXdDmU~afam?M
z?0&ud?wMi6V2CW`k#K$Qm?**b`@zsIlK(U4$~1=TPykLIS9Yc%4_k`YN*0ZFUFyiw
zDQqjJq{8hy*?u4kQ1iOuMj87+vn_rc0QwsC;{Jjo8^VM-KAmyiilH6;Bw+i9<#o#+
zv@kj`q+SG=Li>95GE9E*3!5JEcW#x;Ds8Rz)+1Ky+Sfh7{)<cW?bZ4btHqs_g`IR1
z=5-vMKYHsHHwAB5s?3n4|A+|y&27XU%8lXQDMR#(8%Gzdzl(VwWgUm_++fT;y&J9V
z?A@8tDG{(eWxxhs>(^9XFI!Ho-x$G_A=YN<v#nb_Gd4?R4g3}W9(B#&#0Q8QW?F!+
z4=O!}saNU@iMis5UGW?Z-iag0wLU_RY^~^IY>&SK`-Qo*IB&jDT1ZOY8Em9I<HP6y
zHhs>0lxBxxfIU!6Mh0g3GHn*MQ4c=wNf)prqIG60zK2<6tdGCz1X$a?U-(XF{5JWC
zrH%XUL|>Vgi;t(}eu#?(JnHrf@ZNrWYx!U|lO3V0i|!5VxI9+abZH|1Mgike6KZ<X
zm@FcB60zzSjB}LCcO6b;_$rW#WfqW@#1rzMRIY`o7%s#H|MP(AVmMn3V5X^saTXFf
zU&<&4KM+-#4m@5Y@#Fba?ODHxR!i7|&(uJt<xaOj^@=<R5|MnG)ngkoWwhb_`P#~C
zQ2WNnYWi|ESUKwxs<p`Z!B!zXJz$X=w*m@ubvK9x`2f-^IMl{!?~%NiGdp4K<0Ey#
z;x)Y__m<|J!6C1=r&P2;6t}~M+Eo-*zmfrAp$wj#R5zpR*~xVhcg1TP&(Kbd?95Z~
z4YIXs;`Dv|iaFZn04=7v1jb0Ezu&i~cRP7U+znT`8uESAZT}C1^0N!y%RH#Mp8!yh
z<Uc{^GT1lPz_!z=HfX+e1y>qBjx%?Tdekyk?9G_D(hLlUj1<0Ut~UW`X5PO-I`v*(
zyOWxHftJS@k;>9Ec;4rZ1&j%5=N@+--6xntl8yt=^sXSML0^hX_&uya!^)sr%<_zJ
z9YLE_td_yAClR!@E2(51x3tNvC|SD_uw~)Zx&SB?kY|T_BQjGfRw4nRaK|NZ0K4aE
zLS>y&?ZTF(SDczNW{H=^w_59b-vPFGWfLlSJzzCipr&HC*jxVWx4IzM3y#^b^?5CD
zeBK{bHC7~XQnLOSAdX=7MqZ3|Wq7-1Sr$-xn6JGXy`|^V$UB1P^J===d68eS|BP|a
zCvfzRt-`mL`>JI?si+kiHz4=1Sb$ko+J*%r?baCp1KiupX9jrJ)Y+;FYf9U9l<w}%
zZYp2>I=gxKeLsOP8YjX?4FcoVtB)+Q_2HV@Wey-tx18VTHI~94gs=$H3V@Xt=QnH6
z3X|;75QSDnORM_qttw7L+g__Dmo1fa6H3k>0hWL@QeW3^7+b_k)Ne8nUE@+DBe5EQ
zOe%FeFW7)fLY|>fKkpJkq(^&EpAA@UKmP#)t?S^7&2Gfkan8#dKJ#wJw1E&kqC2cS
zBkrudpt8OXH{xd4v9&sQS!t9dCM6u+!s>eQ+cmzOY#1x?eE3TBNID&mh;i}R{BkUb
zTM3|iTO!(hw~t)Oav!d;@zN#v4h)RM4KEF^g4tA&voH{a@t5yht@54Oo$Y}bF!W`H
z-zT?Dm7UgR`boer&!=0=a<pUwEdVHEz>|6{<}1vM0}41H70b~9JyE^Ja%rCZoBf7u
zhXSAcy}7+PzMrw$Wi~Wpv}-}SyHSJf8ViCfJKjqB0px?j@w7<CZxJV@D0M{}O?T<Z
zy~QJm&*T%3Gm2}5DW!axkAlhCakFmd-XfDk{#6uKyF5I%X$EM0Fs?*qaFs+vs5;(h
zipZkjYR?qHgE+!~xO70diGW3xyWYsPV8FWd`*%!3zEmJL_1iau+=OwoTJ<VvsOI?U
zrd72Ub;)9A!$@vomC+x)@iC;c+42feELyxYm6nK>+m)8Uts0f0(&~P^;pkNHo9U##
zFaMBC&3INayiwwn{rI?l*SL~+J7S&2P4ipu%^+{oE(}C14jI(P0|q7~I8)uKyj9=f
ztq&59L^Y9THm4u&M%8;XWB-DoU11HM2{BXxYArmm=CAav!KvJU?G_bXD<dbt2FPmK
zyN{)tx4qw;@thf6AGA?P<NNXO(2K2k*WMa0<l#}N=^t*tU|$uOv=b$CYQB<=NNIp>
z38caUMKM~X8aOIHkzn$UO{Z3RPCWT8E6lJIHZoP5h1cg|DchaYo-|A;GGA@T2Q?e8
z>kNDIY1KCCtH&R^+Ih~7xMFbc{!sODM1<sg4&dlHTYr5iIqKya;Lch?WweywfYwGC
zFsbxR3tDuTb`T(z$gQM#R-t=!_(!ulzbLOQ#t`=bl4tg!$i`+4MD-{UaGygc&|B$q
z3lF@&Cc_))Uc~wb4BVi#^%~$II+cBVt1+a;N3RM&>r+wm!}26L`*gEu=IB0PWK=&I
zJft!cXK^Oyd}AG^rP(4Q(cBeQ-OjhV;J>{FRna+g`o}kkORX(u@`;A<`~l~kkR0=`
zn?GXwep2;4{Stx<>Lef@)fMq5hv8MADo!6V^9$}QvI*Syd&~U%DFET9=rwoK0U9{5
z>Yb4c%K@hv$9~{Gxt2&W$yMmlai|!q+FUUC>-XemB2l*mQXII9o^Um1D67`KOnVUU
z6q-<)wAX&=sd1y7trRZOj2&Ra`Mq6iXx$%l#<+1+rpkTjiXhPBx>>b43Xvcoj{u2;
z61&3U3Z7E8++4tu(z1TF7RWZGrB~fMf_J<`MeP7mpj{tBsk(`f?1F{Bvi1EzL%Ay7
zo5zxOb|tFj09Q^g$L$F*FmYqhW-WW`c)OyQ(qvhTwmj2JW{AppzxgFgEg<lw(6U05
z{b(B5?MvytH@WSs(Fzk!Ms|Rx$fCR6I-kDePX>vbFmest);nU1azgmY%GEQ2ZXW<A
zq{cJV8R!OB_!AqJm8jCKR>iQV*8PC8+LIE=pw35pehPm}=`UC~UaZd)cK%HyM55cp
zUVPvSF$;=lNbvv;wwpsNLc9>I)nXx-${4ioyLD-&zy-^L&>u$4u3+|I7%<@lVjsQC
zH0l;4vWUy$WN`Harl}U-4JhrM@T|JmiJ404l{T$#=zG+fqxeB@G&{l!orT-cKy3r=
za=HPNK~8|1x^>u6zHWeU?WD71n&+q6AuN#(+V28}Xg_-{NuSXpw4L>u`ni$`JVjIS
zYZm=tjIy_AIIJ~uSBk-cCxc2lVNv&P3+$1>*ib=XoYp&4hMZ`V<ry0fd=|A)GHVtw
z5a-FAOQeOp$LG@Rf0oc^yuKdl1e^v_<{5x6h*rQ-<h2^`^sclFjazvm31%rh>i&O~
zvsSNijPH1%rL>7zf_I4Wth`0GvH!W$w`(<ozrlC{b#ST)2r=W5uUz#T^EC#Yc5m<M
z`M}fSB{6vkMUW&ccUu=IwCDuwOOJX?hya|pG?};%14;vRRb<R>BRjrj`Sx5IH8r)!
zKMu@?KCSu0>C5bwShuhOdeLjTua^DThwz=#o&YrFzC!WxB}2IhC(BJzVs3l-w<@O~
zbB9eQuL0?_+B;CNookRj7uZw|R&C}~zgw644t{Z>hwp4VDtzx+xGvZ#i;$NeT1sEN
z{!^1hX};39*K2<EHlTf2F+8bDlb=dW@n?MD_gYYy`K(FYS<1RQReXV)rTtCA(rnft
zzNgCmo0>WOo7=0##G2tbKHMt7upvTn+uG;#Grl3H{e=8Dc-cD30}yz0U!4>oO8U<S
zErSDG{Vp~nyR@uM_!yRYPq10=%U6r8`U03Duh|wh6!+HV)EQuY!^!}^Jo~roBzv2w
z(5QHZHXG`i?1!sm2A|2qYKFen_aD)&>Rk1HB|*$QQ%ew$%Y&LyVj&0k`!2zV+si)V
zbr^^T?P><T()MGr6t)^3msVISnR0K+{0OFVDT<Ie?s68uLD<%|0pP6a&}Y1&)sS|r
zBVb68MFxGH3)n&HEMOKkXqquQud{!6ab4D|U1X)JNLFQwoi2G6vi&VYC3|NnhF>Q`
zc{E5uL92eH-?wx*LAJIGXT(@v)b+;>?*!hZ83QtX`4v^3fHc}p%5np@Vt^<E#<MlX
z&7He3N7;t?@o#@DGYEb|Y>PM+09)VWu9Lel(rmW6J3ceMJd-k_?7=SWkytY<G`I2j
zP;R5;azlPo{)3&yV?KtaYtQ28)2sEeN{cKp$Mx^gm)8KPMo_71<72?8$h}M786Fd`
ziL0(g62X0xdA45$g3lowu_C#fx1LS3mP)=UgIqpU?YRML+~(;i-PTig4kUP4ylrC=
zt0(wUnG1U;zHx{(l;mHz_>;n4!d%Mzb5iP~To}S8SY5t7VJI3$>;Wxb$Gzg$eKTr}
zj}RZ|I1rv>L$S3bSH01lnXr7cQpJR4Zic^)*TdCe--QE^6UraXZ=qZl7o-b~y`Udz
zRY1PR5(?WuODjCIIa#T->&4RlV5zN<4ltmFE$+W@ro|g?m&{sfa*B^9JB(nWQk*N+
z6q}`5PcwG*pa5i=T{Ctdx407Z$;YDnJ<j)+Z1LBB0DsZgpMXCA?Eur1G)dHR<94-(
z$o{HLuKDN}%G+^Vsq=%HVoPkiX$)cGIo%g^3n67AIic4N5RxDnr5+c1en4XxH%;M~
zmyS1+rM+<n-nZ%G*fiFTU+`9IDS^f0ZU_T(qSe+p1R&g1@=AH5DCWcH-)9Ivp%>-5
zv?7PiaVN1<hs>+Xcm;8L0=Zi8i3bO&AekHgY~hSpFrw!xk=9H>3P0`DP%+V6Xc8nk
zr8+Wv7aN`v++XB3x3%dUzA>??on;wkhi4V-c4G85DFU3LDXVY)!kPjI)QVLgr#r}8
zt!@|Ea6|YRUg&t6Ie^tO4{tdbZ?4f5(Dvr0*By(<x!#ui{Lu3NgOA8roiNw6uVs9H
z(9lEXyr=|HzOQGb?cLh@jv`6i%EGgP0AcXm|3Los6pjiOYumZYhzN(9W9#7hdSg<{
z`+DH|TID5!vsVsti9(G{yq---pB$Acv}LdQa_XW|9wJ|?`*oR}yMBu~nWcw}S?UaF
zx^fz5czhyzN80~|KAdIP2r1CF3O0nvnA|qNN`ca;{hdUuT=p>RY(9)+f?QJ=HN0fz
zS1E~Ar^Q4`h<;yiRExO3bQFlS*1<R}2qps<<APs0|M4O}>2;aGxV92e`F(S;n`2|M
zfXmG+TCVS9s@8bdc&uDR&$c3xcwSP{zA(6A*4Y6*RHTm(Z)nD;h>t-;%_pFjFd=Hr
z*PFR!JOS*=>0%$=AcHhE@!!^{%e$fk%H**MBRP|#y9T463_Vva%rcT}SZ5sWJey(N
zgA%00cAI5cZS*chu9re>0XYd~@Q{A9XZ*qCJqh*~``i_jO7<jxhcMEqR#cH(q;~GP
zkFNFVa;)+VOADj_hMulpJsx&i)Y`_*xdWS?vq3s_hq7FkC8fx6GG2momlG{#H!6j8
z$5p=25}hb>zgRSls_9F&V#s{V8HVi`<xH$n25EDQcHmM<q|VhpGWmYO-@O64m2c<+
zwTRTRtI~ePA3=q1zaBUwJ{!kvF=1WVhSR6yc74yU5@cx1vt<cBwr9yMHGv3ijRy$1
z>&Td`3Pn^@VJY7#F()P`t1GFg+5r4w`_zv)08af+X_Z}~n`%C=b9l5_YIO^Pc;(BK
z#u@~vifDRvGXpdR_r)n+DiBPkPM0LGYg9x<UYsI!H9vYA3ZS+dpeaJ132mYFs?Z*B
zc4HJL{s17mFm?RYe+BmM-kDcu(Dn2vu&eNx^|cO{S<Pk9@nmpGcEHf^!5>G@-4Upu
z@)-I!3YAUdoSXqh=I0Fkgy(_{p{`mXIN0s;&gY$9iD%sc6@wlM3FHU!0;?&6>LAyD
zz2YZka48oh5dj{~lD_%&2)09P5q{WY)Sw{AkU%K!C42^@j2fjlL)P;H@vpA^2Mci5
zAlzj}xMus5f2~(%3pj8*EYoy~C;~}~wz;hy;auiPI|vvOrTq^&0To}31X{$))ts>>
z)zk3>ZT%YTm^l4wZ*V8gDQ7d1-9?M7ft}lQjtO$c!3sB5PgyXnyCq1X>dE%m?j1V?
z7i-bVFWiEV|5evWW)$dfuIM1YP#<#5vV+=hKMNbLGgXgGxKVsZOHmUt)K*eAd6&?2
z)j1OTBe@lL0}oG;94XH)AHTW3>oFJfGDZD7bc_D@^8}n7AiN2_|5w7BnxT~W>TvQ^
z;sh3)xBgyE6x^jL5&u>!ELY@lQTt|YkO6F)>~4DG4GE~Y&F$j46rzXa#BuI<NyY{R
zp0^yVxY&R(JJPxF(CvRY-2h+*kP+eot@q&!#q(YC{pLhm3nYU9xZUD4VjUWtl!)y0
zBA_<%{Bhs}`z&+PebOhao+vCY??=LuY2sesM&5>Lh5Z|G4*;A@CM2@nXnDy{d>oJL
zc(0^6*6q$X{GiviYf~Gh-aU?;eX?vYL+%QTG<DqTsszkT&Q8b>!CiFLMJ{f~=X{ME
zH+V?k=VWgXkl)_5{+Yh>|0PG5!KYsJ_;XpFU5MyyI%Q7m?;e(}IXuvNeyl)4#5B=U
zp@)sGY&N5>0|41_3S~@mrA%&TZ=B!-r`%asRYk{j@!a8Ztdo^JqF4z~(LJVslN|f^
zI{Rk|b=?2s_=aPueX%_og81<CLNd2sm!Pc-ptDn_*23Q1!(kC)uLj$wV?&^%J{fwN
zi~s<cJ8(_5W;Ln2ye9@a3Q#@9hUa4s=2YW>W(@@xKcJVSiTN*jN&m;~0wf1ajc(w#
zC&Qj98c0g(mcGOxWzr-nEkzbNp-S;IIviAdv(YZpoHQ^;?1Az6wec3-Yh@^%B6D5u
z_z|bam?UiMlEVM281yr%d}aZsDR5&B@tS|Z97@Vh)VDT17cH>EyY`n@CUp;g3<4J2
zCtsnifC*GwdhkA38r_5GLCBs4r7Lzwoivq}<z{++H<6G6zkN&ShftvP@h8iV|2;@e
z_qX+!jmJ?%1QxmeA7Nh}4)xyte{x!Aw?rtFeK3^l*^0rK42CQtbnIi#KGqf~gcw5@
z6b56>GGs3zYr-IeCi`C2BK+Pu=l49%iF3aHbah=_edhCdFZcbrm)Gl-smS8SyK!q#
zGQ6I|D+|ER9J`Qu0Qb=};l3lwB0V6JCE6ywD787#UF1XFsyYePJPG^U%JG}u#gys?
zhhTMf6<r=@fy!C1-v6NYoxh@i?piipx6Bwqe22T#15wK&JW6ZSS2j~=VaL8eBg%(P
zejP1Kj=`Q_wTnVoAA0IOpiXl0&XMoXF=^D(P{EI)m}t`LPt{_2a4)v}_axr_wM8X1
zFWs5@1smJTHFOgo&1r>2B@B)7H#Pc=zKbi<^i@|5r_L6~Uo4u52Z7l^$(fRFi|{r&
zN&?T)m&1NWuXT?g1YsAa#QT}#%Oax74K-`mH~x*HtqgJRVV#_X+&<me(DG8iG71}K
z&=VSM@&0KcJYuHXX_3G5u>znKLetw<vEorF8%vy=b`x|NnddYW``jnLNL1V%y4%6b
z0P4Z}-#F~~OF!>aj&sPUHe3;QRXq3dDOFC0dt`FKaiue=Gg2jql1^7jSo$akz-tK4
z$s|ElEKsDEdb#a3`y_-k>P`X;kJq8mg-dI;8e{Tc&_bf)zY~k|05q<Aa4bI9RxQ>-
zBQ&k!GyF%82cKV8|8lbfoNK`obIvjr)+<+Q9EdXs?9J3n<k1{e_EQ1!A%B>Bg|d4y
z6T7htaQi=W&6~$TO6eb|(tquko>aFeNp^}8)#%E}Q;<3^fKmVq?X4n2lcV{hAcLm%
z!Kb-rEqg_fP0cSzY)JCDnjee#g~>*4zcxk{&Qx`6WD;#??Q8q_w1X*<H=OwCk$#@C
zjsUlL2~GWd?D!o;-k%~*cL9U$W+31JN4otM>V8P#GaSK+F%pDY<of_KheoTwl-0MC
z=OG8yqB*m#IRWpO^}q;w<m<sj)Thb^1_<U;izVzClIZ*4oXN%ZoeD<OnEXhT<o}_L
zf(D5Ig!q*C<*XD26)3V^<!mrtfr&XYgNMJ8zh`gM10Bds`^hvpY-(6CURgBUdNAij
zJYRMX4!OG7f8oiD_BOCk6$;xsif-m`&0nsV=ucwkaa)MHceGxd#r@mGo?onT?If|U
zFAu%+(?4e!sPX;un7(>mnx#B0gK{j`N&xyUJCbSa_i|o)$Gju@OQ;#Nq?a6@sWPlX
zvqVmuu+H&EjohBJw?Fmi4nPUEob@fA;u$0k9D06M6*I1Vc8-6{f%$NWJdWiFQ@3+g
z*cB4hV&4PFJfmJ1;|f*-CLum#s-9s7l%oB~wR+m?$wSJ3iIx~Xu((&q@)I6@U_+X?
zMdkgW>q2K@r9WeDWGmYpXfR_?l9<bKDmX)aQxniWBumn&x(_}|NoY_X>~dZ1oJ?_(
zZ~xeYPO%ZN1ud)<b27E0f00Ve57J?3qVRF@M@%26RjySJiJIB4KbN#{`r3tN7xv2`
zSqM^B3JH>t&p>4w6R@RCk}J}3-(areU-NlURoCgF1;Q>Dw~67pe~CygsFMVx=@!sT
zgStzspDloR^A9+*IqN}CY@WV%K2PF1Mw`L-G#f8&A6uHN;%ANh8VzVo_pBohGbx!|
zeMhf&Fuk_e=&&QRTjkSJDJ~ZON4O;c7;S_1^>O{KjQy7;>E#s6e!ra-<Q|$F=RTG+
z6P%L3`J8*^L~kW%@pLC@3D`{r39GA~9+MYUqra;C!GK9XPr!_aJ(a~#=ZiYMfgT!6
zYoGtN?6;>J&tK|~DL{1~`l|&hw=!b&)T)1(6^}0F0T2D?-~>z*Q+5Lgzp6n!=Kv>}
z{bjpE$aRJ(t~KvZ#jlIZDIvO8GNDpl_KvsX>dBu(QtOG4l0ARxCv9-mCjiQ*?t85*
z)eGXRou)Idb7=fS=JOaz2?IVeC$gH)g=^?TiAO2R*l0Qh-w8B-$#daAE3sdl*^LRW
zdpSI*m|-7}YmY<mnHB{`fNlH!4{U1{>^wblCT02Z9A}O~K~e8j`J$8j2Zp`wHRIKR
z^2Hx+P%3X85#VyS#XmYSkBKMPdO(NIbvqaGwhf%t6zKENOTvzTB}}^W?@~9)z=>M=
zD;G{0Msr4@bv~)zl^6fRGFW+@D4_x!X=S|bF>4msC1k_`f39}C@0b8gsxLD$MplVl
zi@2_7qL4;ub2*$>6T2r8{K;?*b?)R+o-!xKYXB=pugD{90j!W0`hcD(+GJFR6mjvB
zngS7th^uA{=~tby9oon>@Ar|@wy2MBOwDg<AKKTvutQHLemwqfG02>XI?qG<E6_Mj
zKKi!G1*s7RHDmP6QFKtact$cxvRGaxbgJ_}HT0W2Zp~I2c1sMf>N4IIUvTn13Rr8i
z$bX4&CKVYI3iSlSbLCVK=O3>!cpM;8N>N!uC)pxDg-pw=XpGH_8Zje>MmfJzRMqh*
z3B`2F`=f!upP%9dP2{?i2nR0q?6-w8tF_dVNTu-kA3i{`<DUY>Al%BS$Zx^w+tF58
z3k7+wBOLh)m%66Zqnbj!ZAl9hX;ve#$_TB+S9s>!3r$rfqqs)S{70pw7omyhX=yBA
zR=jLp_~{z{S<=o1t8TnXTh>#oAJGIf1NiL~HN<={)^bfxCOHM0bCztHm;}3B7C*LE
zJ}xHP^^7W4ISMCfFTGkBL~Dw{wZAx8oXSmu=|VmV^=tVBK)5y1^x8%*{G_^b{NpAW
zP?-*tKa%VidOnJ>k47<_C0fS(AoxA<bC8gX-Fo>>1C>n^{Nqtl0QAn=b>{Z$$>7#d
z=fzt$tU1I^k}M>Z2C9x0FpZ5ms6lSzGkNq(I5!gDB=+)+t~HPq-_0rh%hi*kWd!YH
zJ2+D^$IqtN@Ce3Rg}G!|=40uRJ%?Zbs7rIUS$w{;4*Dl0FcpKKhyRq;I)?+rqSm`3
z^1^bzGWLP?WURgc0Yvdzcm5eHfqJkWC;rU+)<!`p*8<G&<~m1W3CjUWYvFq16eT5L
zoY>OVRyOs(+p!H+w-Le%#aF)1MFn^>rph4oQ24`!u+Ld~Is)yHw4jxGab@kFY0`kk
z)|A?K&MWeoc6!XWFjTs}25s>0BTgc^i84NjI(-wtFZsfH7LY~0YM0++sus7bbMgOt
zZd(e{YAN|L25mhf+js11?W<WIKxZF8J3jnp9mf=^=smo^_f7uHhNTNhz5;DSDs1p%
z^t~{$x27X35=p!y*GFlqa8fsJskJ>&qTZXjWz;#6vMkqLPHxPUWkF4&Jt~JlAaAXF
z<d^<-KfssIK9T#<0a8oq*0#B%+q}5gydM)cdZ1@gx|OZZVk4wsX<8Cy2C*mx{sJDn
z^c>?#KKB08#vRJ$YNUb3;~y2V8<_)5XB>_}fYw34t36HkUv5IZ7CtRysQ(GZX_&7S
zZ`@R)Jmu)O?!;q0_LL(v|5l;-yKHLl$xe8nW*Y^oXseBY`g#90arcAPmu3|uV0<Dl
zWoP$<B|mdJAYdO2^<Z0ETDOya$+KNieWxTAE`CaO>8(O~S(`*carfOz+TKRGXq(K|
zkRR72w}N0~+I;k8dY+(B9jU}Y>47eHxP`3I45^!QdZY4vv2PXmcyw{sp+^9EGIsoX
ze3J+=;?t+$CrWs6?hHKi=3GHJre8&iQW~>*@V#e{IR1h2U6pRtC?<;TF+LGhP4=pu
z15+MJHc@YXU>R}JUO`$dkP{)yFwq5cMO5%klXKAQ`VXIfQ_2AC>m|hzXQ2X{=JnTe
zgNkDeKO=I6Pn#2ymV!AmE6FgIW|?Qf+;&hllOi*ZudJx>)16UjrIB=M75ueuRX!MJ
zi(}G|&;r`xSXBwo61|<H^LekV;7|2Ueo!2AKOFh+J@Sp<TI!(MmSJJln+$^s7RHER
z<<Pgm+|eveH$t2jX+nV9fwq4VUQzEfKCidLG$#?vo!;!H^LdWZRyXFTVX7KkfgaR0
z-O-=KIrP#a|6RE^Qa*|6y&QJR%_Tz83`#`i`It4gaIhDyGjHqIGFmp2&5-GlY?Du#
z27GdsBWFzVQigI+9M6{NVG@1fUV82QGSE!7ZJ^bA`!GOi4>^BTN`09GVsAp%GcLlL
zV>Y*STe7n7i(k3%EKs29e_KzgCbl3gY68WJ<WZHvT-7;JmSr4q%PUf?NLg(P*4M}<
zcj)ZZQ!pKv!{P?`4cE#&Ez@6Ob|6D1Qqdf8DqrYHZ@Q-P6OYS7&9ZRu<9DY_)Lp}E
zuV9y+3b4tKD;x1>%{*0-xG7<0)=Nn}oO)7Rkn+gccJTSX3Cixsls=hdoO5`Civ>9=
z9A1pr7kkgQff=biZWzjK*Q^fCfv_SPv>n`23w`!n8)=ef!PJlreJ)4a(SQH}#_g>q
z|Cl!g-S3q#P{2Iqi?!OBZYMTBo#C@&p`-B>wnz$fW;p5nRIh+it|jvE`j8!zKztiw
ztAr`D2q^gs&%ctjq^xc{b3ArnPyg^!HLC}Bhe!)%rBN+z3?~aCOuOwG=i+(oenO%v
zlMS~kpj$14sI-Y<1>NjTiNzI7`z6y}V_o<~op?IHFi+_ANvhZkok4)YKZ?hG2?<hV
z)s2+IXehN@ZijeFJZdPXOOVg#`qp6JH+;0<VhCJ10sAgPSM1~O(uh&q!Qwuv1RlFd
zx5oHK&wn^MW(V|w<Z!I|^IIh+z8gE)CW%1Y&Cgf@i^ue<`ZMTC0_mv{!a;Uwn%`YM
zEBkWeE#peqs4zM(+MP2g!^ZG7oY(MSr~Wg1=L}#;0@e=yej#+L&}aA>E4XEC^p8W_
zv7G8P*7Z@PTOX5XGh#+={vT;XlMd&6M>lR<j@_4(NcC`~K)hG*nSEneM)nno=L&Qv
zgX!f+?u8KFX4e@!N>W+W@B%k`<XrM`E=DbH9lK7F(H-wa!ZH=64!gB1$H5N-f4OE$
z!3eyribo|oLK*{?O@0YF&tD{f$vi+pV{AvypE;kp-(Ee@{TOu0+S^U!>^m#3zEwRG
z4C3|~6_hWbQP}pTy_jO3h3D#Q<@M(aagMiK9IE1|WWGz(7`EtC5$!%ocwn;uIm-)F
zL!{{h^>WmDO?(_c>wqCp%*bt+ivCr0-acjj&ak0km$ByJdS;`vv6fh;6s8744<;&8
za5@mDPSl3b@JAv0|A<!B!>ou8qe47FKqrBUV;MN*_Ho0Z*7fU;t${G<Nz2q6-7JTk
zVpX8mk@#{B#$p@|CU|ugZ>|nxBzg{E3CLYr3?}JxXWiHtxd{KOr>BKi{SShr4<PIV
zoiqi?o3Pdw^~PQfa%JN0vhpL`LVC0g&tu~12u#PEFtWuO(Rvfax~9|OM+^{=MeJi^
zGSinh>4Tiv%4fRPjNQ9$OjRzun;GJ6#+*t2MGV<Kem{3PB;S8+&{K1#Q7fI!EbWF5
z#Jy~WdEu7M7}{1Gj=kWtPR<mN%a4p1{umZxI@Dg0ij*?6yTO(lf$!Qp8hpKZ4g3#c
zSZTrtU5<?~$3<Hy@#HF7rC^ux?p#OE8Rf2zn#p?eOCO`+t$4*44VIhESIa>=%p*s(
zDd!K0IMgv-)=oyH$UxEoikF`XLa_VZ^!-%sl6B@o5e;)U#BO?uW_vMUxKR)RZeyVA
zTaRN#44K*WT#C{H3}flSm6HF+UIa;3foAg(gpp$z&x1EJlfR5;0b9Pf)@PSjwo?*5
zWz1&mztiuH0o_dl%E6B-X8DQ2hiwYvl{OxsJZ{Xrw$W}*nvg%pXizHr&{4xtgh&^Y
z7N4Y3oCoG(#Q$I|JTDj}=9|Dsl59(;l=MfGn}lMEHydRE>#=ZV%!j)Z^CM}B{_lL`
zSAf;wp3pEjf(pd35K<1{lHibawROmWg%92uouzyQXj)2x?FvNvIdfaR1}T)+a`+tE
zSoFCOzP0g>unI$&EE1Eq9wMxWMzB9kO=1ivtwZ0w3`n@yHMQ6xqFJ*sxKOV3{&|4n
zrt0|dUyxd8sN&YUcm&SAs7(TtyLl+~Y}gIZXbZ@RdPgxGx{FLn!%wO?HB+jBJa{@h
zCz+d=h+UZ1W8G!pJ*>ec@QyE0*VzzaSnF%g#_hb%IBdJH8|exPEaq+mpI3QUcR$pb
z?Yl_a{4Zrlzz<`m-zQQF9}Q1RZ~L$~iiEtcmpMF8IwAk&_R;!o2CdODMor<B#5y3>
zFqh+`>Njvi%`ce+lLk#bFh`C^lC_3KKhEB0T<DW00Z~Y6%!yqB1O~GE)#;Hkx9S;H
zw7H+SpLJw<U+#_>3<{DttvYY~==w9YDD2o15HCy{i&Ziu-ME4z$7>7)8H`w8Q10#`
z-&(Z59kWaYL&eu#?k2aroTC2{sAFQOTSL;_Q2TMe+Vn`8P>dUUJ2pBcs?z`AtQusg
zrTLP`iww(FxVkZ7<hes7Kc~|^;#MjenIv_1>CnV@y6pk{@rdQCJ0nvj<bT<hlXqS<
zXeu7zV;|*o$*e#3m_BmUGP%zmLC#}|@`y&APN&Z^uF&Ir$!u?8ViRK^-9FwI?B&rO
zYTubI5@IlI^ePneM0yBKp8oq$1JrltRK^#zO-IZMgkOj78!C?qpjix?1=y8r$nWax
zdOd%DbNnE0gsJ;x2(u8Z-2Sz*U<~k2Ll^kzE+*iDf##=_i^$(7GCOU_w?=qR((!$z
z>$%!!YipL3|BPgL56mN?U9r)Kd9WqNmcfYBZq&2m?|TAM7LT?!CF_>=psy1fdHuXB
zd@&K=a#VcWgXDK+zZ>MN5qIV2k<oY)%h13@*@wscgQu0l;KjOv%{`x1$8ToOiSZEL
zXkk+@tuXAToC_3Jj7D-%5R_*0>ev49Eub+y{;rE<j~C|r)a@)lcOLpY$Ml6st({TU
zYm2vu4|Jh&A}*J;+cK-ksk{((iRLDx(7nMzuc}9xRk7o|5eJr2o>qSUK%<97!)744
zS9SoW<wMLK?@rjCl0oUVh@7~T@*B$xhuhS72w&O&B@oDWamUTdk?l*--p08m-5+;K
zF0d)94vW!E`6C^E!D<Ydti}FK>D{w&iKX+Yu%~4E^ZzV-0%Y=yN6)5wI+gzp1#k7D
z*XWBg(CjP>kFN{9iDY_jK4I)C=HXi!qyz66JsuRo%bv%>PEY*OBt?Y5{LqY;*V6@v
zLkB?N(qM0~5YXOH`RPnmN>8-d9G@&_e}T<5wJEdUk#~nixl=o?(OvTyc8K>niQSG~
zTfrpBeE5>wfZk;f6Sb%I)iD^(G{8;te6T0)6^M6?meI_dvBxAgN_&aEWeB<FWB;nv
zz`|~1>h`*dr2Fim&NL_dau27y0y$+6{Udt((+byIRbxh!-{W!RjxP^n4lEzpb?;w(
zr31N$ZsEd(0q<_d==P5vxe+<MskSsWkCx-`jt=kYAB#Z=j{IN6xXVepUI;`w|JfJO
z)%rAQfDQZ>_qU$VKRfQ(MfS1Vd=BOjY0e}zXd@CD>kT5P-4D@fS>k=V>^=gu7%(|a
zJOG=+{B@MInm?j2#?1OHrDjG3#U@Zo@(A3+ei&5lH1E%;aR%Iy3&CH5YQweVi0s#-
zVA?mx<kH6cW3>?L?zR(4Y)dbdr|gNB?C%O0-TdMGI{HYQsmKfT;o#U&Tq|TvNqz8X
z#+~XttSie75Av8>)8*AOu;khy=pr14iIgddS`Ng8jc4I6huB_k1G>{z#!ReC$L#Ah
zhYz3|I~Klc-{E;>0{SGxPn`{E)B;5$Pu0ClD`7t<9~EX<xRc{MI3B1;1TVecN{x6E
z@~Bi<7*BH_y=8BC|Nr*_bR9-q83Ge;sYYP65`0@OwJ2_Xd#m6<a_?bowi>-H`<1DQ
zcQC?Ozez>qs2a(x58l5+AO4Hw@Yi3N`R)SeC`DIM$bXnWt4|ka@L6=R=Cfi@8io8a
zK1vXCTY!g^DE$CXucQ2U<(41y$!O9@*W}knmxR#sJDIC9cODj*ij6LRUeV<D%d>%!
zOjxoa2=m)Ns>k@|#<*J!!r<o(w=W5bi)1z!X^vj26)QWYIap-3G=AlVSf#{;E0Gs|
zD_;J}8Eemk8lL2BZ)lR0J2FA$BRV#|bJ;_3=PNxwSO7B;FJ@LQva(}NonA+D=-QL8
z!hz+Fl`F-RR3PvyGH8E+c?6w*EGS3QAu~osOHXV{WAT$0y;d4!P%Gok?cJL!DSKB<
z$}r<3{xkiB%h{(FMcabjPvV~I31m<RGS(?c7Vp5+Cne_2wInp!D0xf$#z?A7F6#8h
z{UKS92Y_nJRs8pnIy=80Bus;r>SMd!!#Ig2e|sR$t$r<AQ^BtvwAp(LC!!K$DNuc?
zN$<r*fDw+ZwNla|oNehkrelnQpG3VE8`SfEw;eOBc!6Nm@8}o=yv^S^EA|v{aH5*L
zNzM|NTbAfL%v_D~?VmWDvwVgrEqJf^_6Y`zbwSq(Esqidp!nH_W1tdGc@+;`J`8$e
z9W!ySq;~Hedy*nIA;&9(0JjTEj}g7rgPFYamH`QcczVwfqf~gDy67_aYbSy}Se<xz
z;0)`lOitgVQkHIu<a_!R3Z@efcgZ)9TSs@h-!P?TK%-k{wvv`F@|ySs-6L77*+Dvj
z^_fhO9s&|-nZ*rQGxZ~UQ^i(;>mM#UJ=gmYE%ZmI{o>JQb6rOc;mWX|;d!90;;oB0
zw97^r`0lsw_>yTKp|3pP&7|4r)!DElz~j{M(6+6QqKxC~3u=4;`m5A`FFj0>KcA!3
znV{3+U>~d{a5eZk(drJ^yM(>>PNoQ+@izGP$bN*!4WfMk|BOJ$$*4=RQ@Wvq5StUH
zG$X$WfRSLXPZ^M9ccIgO9HJDiuj|`#<Vw*}u{N?ie=>fp+V2Ea%!04%(64t8NQcpS
zi4#(2xj}C%ZNp(sC~kREyQJqdMZJ(zpX?>tCc_m`Pw|l^B6EyMcRcr7(mn#ZY~*0=
zaC3~g5ofH$kVz&%{>+Z9Nb8=uBCkNqUzT$ALG0DB19e{6B}pmu1xLf|ZJ(PUvWwom
zS^VN(Is(R_WB~cFGRs20{tuH}aW+T3V2?aam^mEibKrIAmh6j;*UxRdk`sy0Uk@LU
zzM_92PFS8zy`IzKRt_>i>XsFkZ2HS6hm(9<XN~JH7ns?aQqa}UTZ!Uk0-`wL{d>;n
zM`trMcOQ<1tFQb)qjjkIBB_Ky^FymE$4t+djH;uSM(%b&zEMEbMlu584si*~2XLyv
zN5!ruzBc2~<1C_QsHa535hKBs=NnBxsz$Qkql<p`i>7kjvXjET79d_H73d5z7na~&
zMbP-B+&SYEM$XJYO5r(unHRYYu1toVx|$iB@lk*7$)lT5C3<&uu>TP(%_RG-&2t`M
z0EiWWYsN{;48p8gd4<ikvRr(%dK>))pFrGs3YfYR771|71duHwrx%1_&!nhjL_xD}
z+!txeVKabcpG2C^i}~#q=a3MlF*%ljK8W|a5B|t0W<EAb&w9nBIlO~mOgAB*W1tbp
zIvI4_GvdUppE+mLZ9IHMR|b~gcqB$u`f2U&REjkpX15nNxVc04Hq@k^>geI9m%+=+
z*N57(ab~V-t)cdhZSfoBXl|FyeM+I4D_?Uc>9aD<j5B#`-Ol-*hol>yOb$#ci^iS@
z6=%ras!0hbzD53u-@h`G#fm1&dsUTHN)yG)N%eh{!kYD$j7}O=c2X;G%ctKWBzjj*
zjp^8)Crac}Z_{R6@`#lG#i;EBGe6x^Vu1%|?tv1rTIVJV1y|Ky;TdleK`Vi(MsD_k
ztjh)*q-ZU&D1U@{*(Pd5r?9YIn=0iEtCaRubht8j5a@q}?ydiYmKy7eO^dp@5ZL^2
zorY?%o~ZgfhL^9`I?S=qE|ZS0%!ENhTwx@yH=F9F6wE6aZc!&ji2opPYBGeAAa>p9
zdX>M=7v|yQ<Ck|^WX1EG?@?lvqmYIW+Cp=o<#6m>Rc*GxCuM=+gdn$`wWLd-5d%*y
zI~<o|oH%ua<$Kz5E>H*(*jvmZm&#;$6?1`Gp+(@K@^6@HC9+TE0_@`>xtBPK(+8%p
zx?ClI;nXa5#z(tj)GAVw=Q-0Dce5;KDxY5zP;KJ7v!`kkaB|(gSE28T?l+P?*;aYl
zR7CyGCTM2&MQ1ulILl-B<X2twM8R%*(6AhZ1&q5Z4STA1Xo02+Vj{lzhXJQ{)3Zh+
zA?^-6eY4)=3EfcpC@iS?=XcAZ8|%GONS5>^VaK)^PK$c7r|SuFBGm`4&CB@hR^M{G
zNs|jE{OCU=YrW)4F8<hL9;PiT8)c#`@l+#uiGY}?%mV7EfoSjkCtM6Lu_goYDT*1R
zJG<Ollo!EXct_0%zqguGm@~t<lieZVvVjgF*|DqIfjX4D8?(h);hn4Y=ub~mvcX)f
zqk7P)+=JO3Rr@VL>^@_kbRb7kt3O(zy9n!X8DRymn~U4tafzE1j>U4+5`{H+&i!an
zd`>#&;c1;^gFnWx^iIBhrqE83Wky}J%)<DCN6wuIqgNZ*Ki?H$t&b^|K9Tk~AI1tM
zuf2V=r`Xx6Y@n`S2GijVw%5b+B~{Xl@OWx-u^#y5WoR2YOv){gc-X&Ut8Q#jYXv&|
z{k-4Lr659Id~Q0Nlc}PUn`kc!l-{}C?74lwAokhkqevHK&VU9T?WXgCHOQKT2R3be
zUQ6MHHJnb2ZB8i8rgREyCEUu;M&tC@jK}XVnQmJt_?7mfDkZ{ES|(3{faG(JB>(?y
z<o^?(NXqZvWshSZBAvS&M7g<mv(Z3#UFGVOTkQqAf~6#7DMK~#x`z3__nXSnfkOsl
zPUE5UwPO!kKt+YwEMtmsm%V*)`y?oCM6vewBR`+9GQP@9K;Lt+V!aaLT$loB7O-RW
z$+Gd93qq^u&29Cs$k&pH`I(J3NK&z<9Du}6<haakuke+@2Eyi;8qjd^T9SFeLKr<}
zbndYvlIg=`H*3%V_8>-mNV&=;t6-eEuPdmt1x8uA3R<PnA9v%A58vp#Y9a0AdPjX@
zCX?Clmy~tdvXxgd8qmGE>c%F{4%fu_mGWXa6Kt0tr;e3A$C&IBTKH|sBaL#bPka7<
z<wE|1ctXc%R)H2)Pvp~%xnk8Xdd4A-LTpj(>iIzYu0GD@YmcY=PbOz6GVV(I=gsZa
zcbo92RH+|D*RILXRr8(nJ}vj+(!LV9gcrHA54X3^U2OQ!@Zs){S03L^PCj^IFIOfv
zCz<7Gm&eOjB$}OFZtcBrnSQ_LmF^pc$<u=a-}x^O+#4)6u&A6ZTK-@jp}~;jajXBe
zVVnlXdsI2GfHtF%bZHMIR1F%mrOw<R=6cCoc5D4NyFQG{2n%1IC}7gamDMVLGDOah
zGc_?W!CG35T{CIW=3qZN;lNqX`yeV>#ZcXl^*WCfU56bv5}xRJt#Wt%>4WgTI4aYW
zQ?v*B6gGNXAQ86i16|_3*0BUl|0KX0Vc{@Fg>Ggwe>m<fg}sVhP<>@!p3|D{(&qbY
zEZvUzonS0Z@=>&<h13dxzjwFz*1P08vs7;5Yg31t2SLjd2iIVb3K2GIpqrbO=Tga=
zkTcZps_BFtd42zoPE~)DC>&jossx`I{%{rIrw&PT5PNGpGp0K)vN#cSfXCg{NhI&@
zN;*4Ej-YT?w2m|`BIYT|siWq73_;t3sx~RK#3b@{7bY|v<+M8|c5JP)u!lisY~MqP
z+d5194$myvjYgSx+#?xp9o>C|6ZVfz_#@tUy}MB8(^m1A8BVMyFzXb}vluh9P#|CG
zt(`*O5Vw?ujYgB5p><7J_-I!cs?9=^4>M~km%O+yl1lLjy)C!v!JmBTDBe<-?pvt`
zI$pEE4m^#Ya$Bl~FQwCC!#uht(l~S^SyU@SMF_&YW5w~#SqI%15s-()=xa{LvA-K=
z=60<b*Yed(`3CTxWZm`fXFv_C>q`>3cz;6Dckg`sW>TlG9?amoiJLJwEsxI!B9cRl
zA2i5?B-m~r{!seG>TzfJ(e!A<7=fH45U3L^Ke8J!3~*@)k_2&v-k1Hu8`aL4{qRE`
zP3qN_Yb47;+}gTL6g8Z%eK*YRXG<J&s+vPzPALAK+nSEnuu9?!d!ClJLOH$1i95dU
zdvy7kvRRBSBT_GbFYKOPB)%a`xH~)XPIn!~;;2qg7x|5?NOpqH#&x^FrxjH<vY*N#
zWV=ySqsKUP>TNfmmQ1WjSIxMY-7h?$sdzX8{aIZ@$ncs#z~GD_bo0^b8gsl}OqaH)
zKz%#6HYK6M{RuU?9v8ETb1<T-woJ`6Kj$-BP&JtCAX<+OhxUF=Lg|N;_$D&xSV)nR
z&W!A~!vhzzR-K!*RSOf+&cWrcu1BLJEIlv0ecUS0`7ubAPOt*vlRSiLSvqGS1#4*q
zb4R`N@Cm}OXln*C`|EWy9V<8=*?XUl#&l{QoeiC2{FxA4)3(7)!j^{RkDl_RZOCx4
z;G6WLd=8w5qu8*F@oSX4BGFje&+vo{p=3b^qMj9>P76PY9h=g+i*|KVN`wYnk(d`L
z(g&dCnIHeqP;0|Wi{DEsjT}nl?LZ@^8w;Z42$j#!%!_I7Gq3aIr@s&{g1k*MJWudO
zCfe;@feDRgyo5C60*}vS!6r0NGl6N3;@d8XNq%!aQpC2k{ip6utmvY%6{4-Ui8df%
zgp9tlJ0^Bue8S^Sb}5RyrqUvYE|kre<;ngm7#3VC5<>V^ot7tbg&pswd*l{{&DB1k
zL?2NSNo6VvJH0!L`GNOt|Ac>^5@hZL&p_tG#*bSXWN~N{u_<%Nk3*Iy9Q6lN+r1FQ
zxhAja;JPR~mv_sa@j<G{sJ-5af&T$+_N|!ch??thZIQzLhS_Pznfr3qo0~e*o%J!!
z(~(y!wNeY?(UQ|Ew>yu^<==I-CAN9(4!%5Sm6K3>u;`D2{P0xmnKrRP<Tb(U7IRe#
z{j(NQW5K=r`2#H(+1VE5S)OLO_IY|nHgUE6@;uIgT^{~wCn38pIR2G<-4wakLtnB<
z3KNb_PF?m#tm<T*)uO6;tADRdyO5iMG-nPeqZw#*E~Hte5pj5m?+}yeYP$D{n2!J4
z)a-IiitL{)%CQ>;oTVvzsFNF4`VoKqUQ<ez=UU-yEFwnd&4A4{M8n6zbb%ZWSubZI
zF$imE<4QeyHYk?L<ZFsUngr=cM8$KrT(@D9UrQ@HzU#@(Tl<@%%FpDkyeM#yj69lw
zzR^R^%2kIs*X3Bc@p;;|IVY<s$3#0`Yr4&>)3;fEsHLSP`jW?&LJJ*-6zS3@hnf;D
zyS&64$EF&PFqX2kd=c^syD@Hw<}Jq{9quMe;l!cY6m$%3LfN}_=txF1mFW~*G}r$4
zOOqxhV;!8fNpK=>IzK6t!TQXu^}Xe@zxZfIaj05Mmr35uo7aJ0r&riheMT)kuH~4V
zjQ9`zYtEh1$9Xc<&feNTkM4wXR0gIKOPbh2qRJbCMfY^w;EToIpiGn`1lt!|7?hJL
zf*W}azlxjHbb%STK?aCn0lQGXxhG=ghV$&y;$`DkKXzY}E_(jUgcu=Q=&Uozo>#+)
zn2&F3B9n~@6Gyjnsl`id?yCF{bM-RZSbHm}T%-s!lGdG?md7s6xI07nF6Is%@EPLB
z_lHBDaX(;ViO|b1bik>o<u`pVwvY;&q`DpMV8RGHTFL+?=4E~P%&r}Mae)RMq~pPY
zh8YZ@--thcb@AG77|lGKe?yCh?O;pwLmljMy^3C)t#sloEYW`PH*y$Ery?go(MP~o
z;^}ubQ3Bct(y+%KDm}X{R)9W^-NeZ%P^(Nk*^K*RCj9vmQST`3IM>16G*m^&QdePC
zczlpgTODHLhS3m$+R5fs>M-G4?Cym&cP<O(sp;f6iImHzCGTFxC0;Eb^~6|ew1<Su
zWt-r~ypY6Ew!#Cb(Kk02aO%_Qic{^WmkG_%EgCBp8e`I_G1@IISu3}jZ*vkjOIgi#
zJDUOSXO>cynhekcyQW)<{DwmofsbqlV_EE^lh0(wQ1JIT+sIt|&Om){Uz#ZF>y4HS
zK48Fp-#I>vaAdbdwbp#b2UJk+VFoL61iC~cIX^ee^rgXb8!LPKukpA~nF%g6B4P`f
zdz$-mw&1xBBS&)Yl33x;@Wr63Qf<=odAsqh{rx+wz)b-uP&6|xmO5IM+*_=yEeLNP
zj$ZJI%66ZVs{yx-l$NLG!Yes{K>o_p2SrK6)!LoY@JZT?GB6`%k45A=f0<AjBa2wb
z<m=*RGs=~`;db2VBW#+=%_1OzMhQd3OUYB2&H@fr7#X>zdmzp`uS#eEtnYt|q2#Gb
zUg-VYDM}g_JDxvhI7j97Va3p7=`*iL9E~_*!EM<#t&Jbo1g*E6X{>vieKdS<l0$>}
zf~F|!hsqJZGLbpzZRirl{6ruwW*?<O5nH9dAms@?QQ4!U9*V$e?tE75o}YD#E`zCT
zf?Z|qU9(iDvM%C!$My6W=~N%R2e=sOsHGU`Y?Fwv2YT)~KD;MkC2e1nouN6y#kup7
zRHiEY={<rMj=Nyab)n#w(JuZ!M#R5_=jh<B6E{vrR^4!gS-}$n(L<s=fstWGDEKvp
zGFYzrL?drsd&tp@7~CzP-L}bSzdF?dyTAR)<BtXUU|2xRs+bI<U1ix3g?j=DP+~?I
zP=T5CV$oukCB09Dt+@xDS~HW&a&od{^}$4y6}r=`$Xvd<J>8TIE7HV{qpU)W1}R7n
zy=484aaN2~%sQ#(TQ(~)J`iL4N@hPK#k+Z`^8SiwqU}N4(TpL+3Gdw=?>j>#o&sxr
zC(B2jyV-J$P1@STRL>2zI$m$Gq(aT0G`->s^)|Q2&rB+mamrn;jv3RP(T4@;1PbhR
zxp<!8DPx1nA<49O(Sgj;%C?yr<A#xy(2zGK>_sd{lR5`hT}_p!qc#>LxI=FSGQ@nN
zDOhFfx!nfKn8qZiEB*=&X+}roInaw5b62f}w|p}^JRhGzvK<V`m}(N@59~r^v{&vv
z@Lh~A0=wcP4H<0csL`w9g_p|er!v#twcNCYw=W*IuIcISo}W%1ZL6>%twB3fPGk@t
zUEW=J{<OT`md71ZPE6B;_%F(Qx6|ud4CM~J*O*pgSRRNBBCa|MNXCm86h6esDr$Nk
z=tI_VCXSI!P|^njb&kxH6vW2HRzxUld98r~KlAg$H8mTbLq+;|Z;Ac=sN6L|ekyp&
zF(CK#4P(U>&-vLT?0DSZNQ8oai)ZE5DkqOS0?s!BckA&sIn%-YJdzdJ6QAxZVA;mM
zkNb5rE3zVVbSkf_9NoKg2k}*RsJbvPJgVHix=i8Qr~88s&-uT6XO{EJeDY5*Ctv!k
z&CmB)Cs*-QNJlt;^VF~Ow%CSCp0g04@f+UZ(dyUMM(55XWUP6}8-=%B*Ez-)7du-U
zqU2(l?~FG;7YbNhL2W4?PqBO)OVw?0{0vezY3AlS%v}`=)fF4FMeSxR7Z3lsug7U+
zS139aI}J3kg~?tkjPFGWVzDQiWI|{OqGoe+?(rfRdS!Z3t^{2B^UUBJ(YtD=kYjhs
zc(a*vBx_<&<82e}H+pB&Vg_|Nj@Dw{LG^3Kfntz~MA+Nr$A3Equeems!!uY+eZSHV
ztcVVTMN^<fi`1MXU)!l+u{K|K{Q6P3n`x8DbJEfD8{!XeB`;eKve7HXE5+AoFWI`b
z_-UggqdfeCn<snB+tmO5=s7+`?BLVO^BA`I8#fH;n;B%l4Gd>mj0$RAn`jkT)0tUw
zu$F=|dR(57mm1k@yxnVip{4xI?~E*QA5M=Di@VbpHR`UsVu?*ZNOh|IKK``n>49HY
zikC*D=7(t5n=1<kMCzJc54*;c#(SvxsKR>0#=64VSuYUMrH(4-&QYT!KjB}&B&NeU
zj=#9sTT#8{mmSMkONyOcSs`8ZYIgp-E3z1&O*{A*(iPn6OOxarui!d>FHCa`Ke;GM
z$lH9sQrAD;I$W5l)%7KY&Zwb>&5_)C+1tKPXcK7u1*A{atmHa{nT$uqFXWaE_4{po
zpNOC&_5EV}?h@%_zmMW7Vokg;Q<jb^KQfq*Xv|<Ir_I#&r8WizBoG34Z1^VK&~qA9
zMHqit;d=~-hqmLvk(}#foc8*)6!1!lW(w|}58CHm(w%!9CqymgK8#pz{mNoVpyzXC
zW<^3Ki7ov(s>g(}FXBH$h2<?$!E7>u^439)%j`wJA}U2*MHq6p>SUAi^r@@pz{0zp
zh7R4Osq5XT><^8yANWYYg!=f;rzQunV9G7UkE=?BN#6+UIvw8n%Oz4|00XlI8OcX8
zI#NhN&k@?aTk@qDIK0;7*r>7lwwjp;yFN`)MQ|FCkjLx`&9<3OubRnG85MPJvpt>E
zaDgD(T(Cxuyo7xG%OKzP>c3Gb>a)(3VAVR+a}TXNN>c0BnNexUbLr(Wdso|<_1M)%
z3ZB~I`S_u}&ovue>10neJrA9A8BG$q>t|3(I1~5Ffx5#DN_!Q2Di%`Mp{pwVmlGB@
zlDx8Vb!OTuc=o{>v8SARHu9W1CC<{Rv8S%ssgKy2H4PXbgy^{-Z=X;p*FJE7cB{Hb
z!(RXuU^or^Zkf`AYO6$)nyuJI$*0^fgOMILJF3rg6Et2v#7TE_-w;*l@Y7K0;u*>&
zM&LYY$!m6FZV;6~oG0p^zW>hA3_Y`lBUS0tBv%_lV>>3{qWB&g4taH%V_?ek$*O{(
zyJR3AV9b5&|Mvno<;JX8V!?Ri2T5{(+Z4q0>$X4H5Bf#clylSaoW>vO+ie!Kl##2o
zQ+wVm860a?&Bsj~v6O<-a^3s7E=d$u&z8(e))8AhbFLPmo+A$kM7tjdxUN-)dYF-D
zj}Eq42tI*$uSi@plQ+W^i=ASA3FYw-nu@0B0w!|^b;7zRJ}848Yz&1SX)Yyt<nIn(
zUtre<pYxq{nAwotqV6|c3^Rsy!sH(KgD#6oVc}I5xIDd+MV<4BXE#1SbY5(%A5xX7
zm%8+eaa9!Dr#_7iJ{!I!3b3AHM>m&dBzsj1^FZd7#!xjM)xz?djp-Wi<I077XX3QS
za*6Q#MYcelQRU4`w0z0*T)*sW>xDbc@k(=4@g(PFE-wG)%)xkFbDm)#o*?zFV>?F%
zy>Zx5s_B3V-Sfp4ql7|)53^Ea8`@m#$xv@Ir96pzZUs;$Bi7Hp+WH%AzDuM9#j{2<
zkGqK}v5Y2b{EDrimR|)0@y&bUdhf%)E)J`5#pnw1{@b@*{YKfc4ZHbCco^RLV6Kpe
zD1kF$GUBS#_s6IA{k`yg>o{1$Gqxx4J46ZN&D_u^wTknQ=N9+EC&X;`TSUxu;w%EV
z))Kb1>RC)@*&in?nHm#K;L`(btVrT{Hpl}PH*~rVlrd|eq`bP^;|XmBeW2%+f4TE|
z@IkdH99K?oYGhOkqn6(rGyMgSM0q>HBgoS>u(fc??v&BAv#yx91Ln2+t<^VMT|@Lp
zSLE6^w!Iz-_zJ5WU%aKlPF^i^LiOJjN@gzz=Zoiki~6d7<HBU3vvYf+sm01FIA%gj
z2NV1%yHAU8J7~UD0{Sz59n6<u`%&eqe969r6_u4A{l2%D4(;HHuI-%O&5gA+C%M%R
z<`p79L^$Dflz%dOBhf#u;^hb8H|$@w)|(DobJh2ZNWUUepncwN>w<~)5@=ao<nUHs
zLQ8|vy68;i(Q&kxhH>KT(aat^3}S>W>(PYd20*FH{jXSC5@Mqt0wbaH-`n>Rx?g_#
z$I@Vx&zi?MzvT|@gwdIuS%+0$YL9ena|HbOdcQPaIrZEe$WvVOn=6}08UT`q!vjZS
zmKUfAPSw)&8$LB_J{1bz?kjw_KD+<$&rP2|0PE-}fjFG;$cByQDF^E1s^sd-`-R4g
zQOj+H=V-)n+h*tH(6A`^qz=SP_i<~I)JbIIK$gQ%z^i3R-8qdPt!U2qf1}QaNe+EL
zr1qQWq<49OUe>|E3eUB=5+TCYOwE?v+KlNo8`Ukr$$9l4_~B3ccMQn;UM3`2?QLkr
zOm|GHZKwKyHQ@=62ZuW(juPFkw%?^pv&SCRyK+;M(C{9NlB6~Y?LdbT<flQ;;la&~
zn(d9(64mS7`SUv%k0dtVrKylum;?k)hv(j=iB|NQ2Ari9uhjAR|3vBrkAJHrop8{Q
zf?l|5v5<adlfjN06=~_^YH?%8R6hu(cj7~NoY>I4Ec~}Hf@xl^xTvaB+Xep}Z+cYK
zYA3jSVM#;s?9lXI#2L@OUZ&`1YK%F<C7OD-H;1?9ww4sOUDv+8J-6V$y%rF#1_X{>
z6}a&uW5ZWbC(^jnN)|cmFoJwA!q0Dj?JT<qNRCL0X1ejlTL@&Aj6XVS*K4=xSg1ao
zp1)Jj2oun-lm5Io<w|Tr1mvAncgpG4;7o{)Jrw3_D}BR9=zre}&bc{jtuWw3J*4pM
zu0X=#o#lnw&5zcBT(LjpEhhWSNu-gS^yi(rvh&c+(oZk~w!Gk^zFib1{6nYJIq?Xd
z+T!m-U(tl1mZ%b2<DpiSA+$<lv?f{UEdCFC&x<rh04hp>5W|1h!cy8;AbBIZW<48L
ziu2c0BVr+`0xS2_<Fs72>u%Vhl3ISCta?6T$7wUP?L-bIH2t()pVD@I{~MG_5p)Po
zxP5L_r&CtBJwEAeaHXkCTy&zzM&jE=WlZ=~6{U{UbE9(M!)&&lrQ60Q;k@J!eaDxo
zqOhU_kZjum)_){UbVmmMZZ7?|Ij4Y%jqmLN)h9OEw|}&Idd`2u45>`-!;jwZCT3I;
zGpg|U%N4aE0pD8&ccj<vH;lq%s(viC{KQpjk^xJS8;GcH>NG-CKxQv-FyIH!(hl(d
zTF>H{U$xpl4-Q+++RRvJlHY0{X0GR(T`gvcoN(23-%syj9|X?ULT2UB3=X<zF5D1I
z&jT}*>ZJcQ+s-e+)<<)}5<)DC$5}}c=X#s_R92ir%;h=YK{_X@9`*u~p|b_^&Ji`@
z{Q_c$xvi~*ZU34Fx&mv73%(g;H|K}9=7v2M024zjf|ua`HPm!=$bZ9uv0JkGYuM%r
zMhimdbe~#ZRv$stWa=KytU@(Vk~jO3#aEtW(Pa>OhZd`pW`BZiExsM#q9jYD$W(MI
z!DYfh_TWqt5e_vp)XNqVJged62fYgka2N)u^26PSB}IpdEG%Wo8todG{Cc$@ozeXR
z4d)5{UYFPa!hYqz^QD2^X?7@Jd-MJrPl4;&{2(d03tYk~MA$34{CMYb&xIl3O_7>T
z#xF?$Ti+q~A#$7Zy)|1a9h4a7=HGSbjHAq_w!v-LUQ^T~3S}z%s8cw4PG46FTHqn2
zcJOC0?bY~>iwn0ec5d#77F7|nZW)oKqm)*xcXw75=Yhh=m6J%+Y_YJIOQjXH^GE;P
zu$%htU_o7{%m0JiUiHwW$*YlagysC+dGo-RKf1PSu&VSkP6|=ou-LMVftt;M&0-Qo
zSdN<aBSHrxe%Wp^A|Wvf-*F0ku^)+FNpFPlGerF;3(|M&ayKVICI4(#<n5m;`a%v&
zBdEU24j~9x-_EOr;Bb9<a;!+~J3qMb_m&T6xkOGwB<f!7DWijd&eIzWZTbL9|Fzwv
zcNN!5Wi8o=Nw8$!MYua6ABeUJZ|1jp7Y26igqj<%0pDXW)s*}xk*&`n$Cb6eJNZn1
zjRx|R%RB#40UXrg`3CM5|Mjlq`I^<<fX!Yi?`LQ&X1TwVI`qehpKth#aR*qlB0zTM
zMy_`0V;KSLx`&USd#+R0qwig34%L$MtY4a56#ts^U03FWRg6ibi;T3#{*!ag^hmD8
zd5`}tqXX9$;Bb&~QBiN;W47pV9oxlCaP53*+!0b$-^UX+0-S7#j-=xG<gKaXo7CvS
zY?FY^6|T`K(rpExR=R4cX<mF?Xf7wE786W%8mOxC{|S>mUDyX0M}rqpQe$exhn~SF
zoFm_8nob_lKgTmk8{iu4H<qIyS$&@aX&H!ER*r93n7nu}Sh&n|PNmWOB&dQde3AJN
z4)|2U_%dL7OIWT=c(WpMi(pE!hvM^zu{?z4{EUniVk`d~eth$5L_lRgOSAKOe{Xfk
z#)!h!NGhar;h4e?>WMW|Q!pyAVAY|<^TW9v)1n%;bF-JB)HG?j+zw9%_wQom^scLO
ztKX*4=Q7lK@I8#a>;3l+oj4vCuU9JReHkk+=sY*&w)mv;jO*yr()5plz;J?L3;%!D
zBM#rC%uFq8%`dDDXoQvN^q@4P@KyL~Fct#2nNY0XoVETi;M*a6DWVEBU|BW5je%PH
zraz*&s!o2#e#(aIn9mG(nL2njM+<$kP#T)%`f%QlZ1HxK$*D*U@{LtcCO!}@f#v33
zxP3>j>x)a3_9mg(%W{^MZ<{ylv7!`=|F0^$It}TZ&U8z($xbl1Todo?4UA0sY{s(s
zvC{2j&28NS=y1gEIY%>i(lm?H9D~Va6@Tv7>Q1nhIHyMCZs~EcD0C{}_23jHI%T}A
zO6c^BIiIlV0u5a?5AUfdk8h?S>c<HK7)1~z6u<q_)^vWl&o?bF?{G@$=({K+ZAKEK
zpBFf?|8*-<!(VnnSJY|;$l90;HiNW7!A6s&f1ybB#yijIA|L7lmaJO1m9XFT#_;eC
z9=estR0lRuVZQUjk84s6-}5*<etLYhouyj4sv#8?rKs0uXga#7FM|I=d`|KRAEtM4
zSk;og`=U))W^?+d#eN<bNDyvH=1BZri($=c-9bmU5c~a?5{75DR!q0uy<KiL>v_+Y
zO@t@?7Q2e`79w7M79AXIIu-1yDYv3~Ly9PgyDpIIy9VY4c*Yh!=+v2yvRJPd@xLU_
zCt^yQ0Ud<B`4e)n?HqT%OPqD^7W+<t3KhDX>a(V%xhsxQ{=8!=X+tCASUujStE3nT
zMl+bbAkO9Zi9$UTUr~aXl9VJ;kOP2n2D!@rMo}L`?<Q~mn9x!BvWRE9J6z^!z4nGt
z^Lov)FUTjTnp-IFW@EhKC0G2{r!)h+-#gzFMbrw)VT5Y{CaBJS^ykn;hMzBW@tRZ<
zt!<oA(ut{oFhBCRZVXzm%_o`~?a&itsN8XkWa+O%>0P;R$sD~pF)2d^jdt`*o*Qp<
zBjUpTjAn0z?neb_H{V?UbpJ#xHDF_4cnFZ`5Qj$WY9Yt2vmzBX`r41Dp_0y9!ig%M
zAdH8pO!5c+vh;B~mg?+#H7XP4a2|QN<A>^SUU+_qXyj<!NFKR`Qq?p+n6{s9LLV``
zI7)su%_YG>_C`DLWmBBo=m7QN4IJDutv_99>3u~3jL-JwT1He^bR@SaWM)dx^m{XR
zd}s1lHWM=biTa4n3D6t-_FRCh<rU)5EHP_={2j2r33}d>(lz>!kUB^WaI<ryS>Y;F
z)9_mLT2<;w*8<z0RstBdUQbgnR!Hfgj>NIpI3q;<*~3q+{^=9oJ3hhO=$e!vgX)I2
z>GGU@MEGlUS{YlmBqd`3^G2nDQg6(y$fmR&X66P5(qkbIy_*%RK}eyu&6s`~oiIfK
z2gEi0&4B5mXwfGz>ymOs8k*Gz%~uGK8H{s8zw`^!pC|l-#Lm8b4`V=@_;6}2E8|?o
z=k)}aih8b_YHsfn+4LW;cc|C#Qy(NRl_67Q#t`WVQ2J1O^-j3M{-1E?j$)!>bCUN&
zqGx*gsHXh)(T-2cp+H)GNnt^LeKK{bYKM)v)-0HR=hUB>wHKJ3FC3XUg+vqaJeZgm
zb#Vr=OO5<JmERW+o#40$Z{cA<rxd@tFLXJF^X#zB$5i!c7hl?pp@I2z@BbL<-)P)v
zoGQOI=&Hw>m~Qm<rXNk`PU@_gAw8t*Ahbd2WWSQ+(H%gGE;(fV^Ly{SirIk!$ZUNn
z%<=jxHo?u1XjBp(d`7v!tCK`{JKfD>_?E!|`wmhE7rw}u%Fl2U>fR#igw8=cO7~R+
zFYWZvSNuQL=C`{t`{v+YJ*R-e_L?U^D+m56I^SB_F&(N;74mt*$r&x!Y_DKZboO~^
z>o-KN+tCX~bjqph53+qkE)$R)rKE#hw#-QmH;-62<wV=F%GWk=vG|;$GL5|9|M}9B
zd{5XO)Bp!rF}$@}s;ZfVXsfH)30qKg^V@6NTc+D)t$((+os{~0XJM5l+nhTYtSo#|
z9@#hNnLD<paU4eEl(jn-c9yGHTv@S~F}0(6Ubu#0yONbAoDbr}+uqTXu;+iqN9W(G
zpO=dimZK99=dE#_Kz_rx<j!3DtK{vh4t_v>-4#@aq%GuTbM#d7RpezVNCY3`_o18n
zVx(sif)E8<2{y?o*q1$x6^~P8ueWfl4ti98Y*6f{l@(AT{VNXppBxAG&MB0;q$)Lb
z$`TTXXJW)7{jPL?tNWr@R7(2(xMj*E4q86M7qyFaO<=GyvcHb!Gw6wMBCbpQ&uRF1
zd44X$P6+>$i(o<Xc$^Q--PPHrK^_`(#dx2x@}XMbbBGVfIVolP$R_%NQ(f21W_}EL
z1>#isSLJIV4Z+&~eaz3pir$IELH_T@87j9vWxwt!Byvj)aU?^OS;P*bE5vd_SR_C1
zaZ#MIj`!MUvtg27un?yMHaAUkhS_w6I@(v#2n}`)(OP_ap5UwU`0sR=^A{fi{ea`-
zhrPvz`SO)>B?m}OlJ(vC`W2%-#mvfvip1?<YcryPr;vX%6Tq5S9->B)sog#N{i#!$
z^ycGu3fb8vQgaMoRp#bZgT2<`ue@k(EeV8)>>d3Km}B)DDUKB~{iBr*JtK!o@$)c{
zw`O^7`vc9Ae8r^Yroc#HXLlj7$imQ0mKJ3G*1h(6?$0#IQ$YfXNpHjfdY3n%G$n$2
z{PBnHbx-phL;8<r_jBmQYJAt8k4kS9xJ*ztOkF|RHZizxmBVKiZCRn8s#x{VzWr#>
zv<F`YI82^P<(Jg(Qzejil%{Z)bb<0Q{+27KnhvSwRumUz<@6{gB}dK}6+$B_yuN&T
zjVI_1j56GNd!M*+J4)q6&kRPnm6mTI+H8S~U`9CoOV0fn9w0LO2kJL4idu#)S58}b
z(Z<X=cQ)N+A{Vr7*sm0eBBqPeQI^4jv~fBWJe5)9lXH{=`~&BZsJsZJe?Gq*0)$0d
zbWjAI$yMO_D9@D53G12E?_Z{?oI}zaq0l(A<k(pYjd)luIJ$74X7I%9XVmsT=gk3F
z4F@n#=#jIGH_br3yHjes+jOYyP&b;O7i^0DqnP$`LeRt<Wu4dX$;9(a(;I@M?51>=
zo*^%g$wbB+{pVaWXKfSuwfD0=o5-#rCBt!jy?iJn@wobQ^D)pb#gHO~l}jki%e6EH
zu`xf%=(9!t1W*^gJaYI?tN9;-4?Vd3v^+kK`3Pe9T8tW4BHAkQu~qRi7j|z`Szl4(
zb5$eROZ`?S_#9q~`$%Eg!>y$7hvYK2pB&{|;QsgR@Y0lO>dWQr^LZVuKIbTmN~YDX
z9A+sCAT!&Q3v}v1j5l^#J}vL}w|stq7y*^!aZt47nz*`J+And9O<r&=n+e{}xYn;H
zcP7kv`uW<I{v8xp{q1w;CETT7bG)?I|6g5K9uL+2_iv?JO39K!A!}mD7Ru6M9n6Gm
zqa<rg7$z|zT%}~sj2VnUVT^4EGg-1_XDr!9WQi=<GqxmpPWO54?^l<{U-OUiI_G;n
z=d-=v@6U$?bIf<O*WzX86(N92J|+%wQ%}lcgWu;d)!IApzUv2FG<AS$wPjX~DxL^n
z{1w@SY;nh9i!;{)j;tB~i9P>U7bpGzv5(d=4QrV@1{s!Y7!I7J6hBA_+(z9ypZ1G$
z`}?Pm*2iXvl)<05%*z6{E>?ibi6Zq~9y~`{4#uu;6PIV35ljYP<KWR7kPJsImvEd=
zg)MAk-K0FXu#6hjiYAys;wG;Ed^&>0b}hT+p#PV*2kgb||7}9Y;t#3;fZv-pK8sh=
z9$z+6=^Zzj7RXJ8pbSO#W!oRtjbr>IP&&Y9meg1oP@d<ZRRlAcNBKmU<0AFx1nP(s
zUj9#mM>K~E6B|FPqxCOkz~c}7YydjR|J}v<zfkkHCkqO#rps29`+Z+(1Wpp*U+7~&
zj%R6Fyu3^pF9dcx@xIJymGw9QbyB+&5_?{k<xX2CXE-%9Z48)qa%mLE4CRw{08E!P
zgJSz*<%zzl9CwdHNFL7<3}WgCm3LQj9LJ1AYhBVmVjP1dTSP{=l{~wif%X`Niv=3d
z9~HJtP6BuB4G37EYXA;840KwY?Ij#9{L6-;PX>{b(XQ(N{HtO2#>VLl$7njP)rInK
za?OK}rjSF0e&fu!nKyX{W=|9&N@pTBMSCBu6%rK_<J~?v^vK8@EvqkX07j}*kY+x0
zV`ql_*KehFTjsX@Y)t-F(WrKn1#=G#q|m^E-K7}`TULpjKvSDei~)hln_zU~gQro1
zwrKY$0)yZ;I^KJHEi6&>N?$9X6>*OJrh*SL@tFt_4TV%CGs_%H<fZ=Z68&>^#2eP@
zI?CG*MR*}ys+nRA%B-@VMDC?5og&1C$P?4Q>IW9fhY!fD+&0GENsd`D*Hu9UPgbSy
zg#u09#y3#St@}PdwzqDz1nh((*;&)2GbECI?R=)%lZF&J)UG}LvfurvBvCQ?1#PCF
z!R1UIZdBCYsQ;*B#R=5aTT*ru@*0&fF)?B0R(LmG6fk2-P|H%xQ)}}OZ>gN-M=$Gv
z5z*>b@_tz!@_#XqC>z9JBbQ_4H^jn|3HLC~@@b)#TRDz3*CmsINro1f1Tk;?*BDMR
z%g`aIt`vO*!~ns(%@$hwg?h9mYxM^2Zp_#qJ$ABmY-%W|@U}^Qc~)nx*dJEVPHX~H
zo$M%nsF_Wot;B`V?piq{<=bNPb6N7HdF#acQj#}NNPdXgou>&DPuixEm~xx<(*sTM
zhR#v3n4>y5pI!aEl7WrlWYl$&DUuI>6q$&5GjwvVb+^pAdP$G`!MJ#k{Fzdx@~ct&
z{RXSo4r&?92=`wlC=x_4I>ywN=|VkzS`;@D3ts|0&hTOfwMaIbcE@@SxrbgdQVNGh
zspG8j%D>sb&#&+!^(UvrOt+UW6mHVUJYg_TWjNi%Xr4IH-9;n!MMll*sc7@-==Wpy
z@mrZFI~VcQapwJ5^7<$M)=MIe?6{sSKTA30Vw+D7c$V?ro8tBy7mEAD%>JNLKN34C
zI{S5vIXUn-BFtq?jW(c{liP01HagBR=D+g+AF%ow)lw?;Vzv$8_-+)tX%Si#<n2`y
zjI}WF$(ELonmrd@0GE9r-Qc<;OvIP1#-I2%<Sv9j?*-LJ`t8pTp67mZu{fR(Z2G5@
z(pwmRW?W~wl^#^1SzU<8&@f}{<g@4MR>S#hX8mGKV0mHWPRfbZRWR*9NpnO7&HnIV
z38RJBx2}n&Vy4GQDX7T&mI!f>fUHh%_dv1e?7zY8KUf$d&!2SX<X4v6rkeLVu6neb
zh+8b4t63K8dfRj;FZ(0_+|aY|@#qFfjiiZBJkL^t{)U3``J5nJ@4N3GbxO)Ez6ysW
z+%l4H2KM(Np)s@n4h?_o1vuAqM7BCbW=wZH&)UI6N=}xpzxF9gBMb5-F9PK3W3^NU
z&AJqCsHOvj%s3vVU8R45A26NG%VRxHvG#*ChMgW&T<<B_l|1V36pJ$y@xLmWJe~qd
zDWLi?IiCn8JNAU0J}BYw2?kCOPk*|9D*d6A5QSN#dX;TdaYiv=rzjK=zye(9{sH+9
zl62C_4?=L)gOjTufzzO6*DOv=S)Ro$1iJ)WIN#~r;TP*$&u(_PM|Ej1zNwu7yx6nZ
z-%!WD-Q<+P3jn+^Dbri+&GMOM%{rALQLQs)k4J>*C7&83=BDB!QC1MVWmsMikayYb
zN;Y+cW`(a@%BFp@!aR)&6*Jg3bwMGeC`9sgk7D_RU9n4S_f(c6Wxz6DMy`w7K#C)l
z*BXElBpTFyNxA;_XV9{Ut<n)_42)ft{>D<oG*dJ~KSLhUfy>pdItRo60M9>K=JXyv
z5bs^B^pd-+9BA@+ySDDsGpeWu0e$YUu9-e6{(fQ0mZD(Vsy8h0J`$k$I`h6(beTBQ
zBR$B;pCpo;`?xs)=wFFJ!c=!To+~dNf^VfixsF%0+5evJ4VJUj@4a=D<hkb5Pt=MF
zfYjO7O5**#eypB}Z}a2zmdSEMiD1)?X;09Ouli#-t0kb*U{dvdWZ>mEObCtd&_+1-
z45Bh8RP-pkb(r2H08#Qg9+b5IIuy|f7g^F0wJJ?kQwcU*QQV!ECtoY6n=jU7SSf^K
z9JjuyK+h5<c<Gr(lea3*Ek$dT;^@W6|8N1Ucp+BjtopCe8oxAW4APEhn-sf-z#Wx)
zTT>zqj4FP^+wU?HW#bq?Y?qX$!!3{2ET0(O1Sz^k*3#csB%9h84sY7D0`#+iGOtH>
z2h756F!xGN;CaGhZ!_frK>%~=2#}}~kL^Z?6MZF{<+s}Fzt%+zJ4e4A@q$w_Em0&9
zO~MRX_fKX5H9z(e=_d1=MC4!6Q(wS;h&Y)XDr5?AKn#d{$X%p4k1s3MN^b54&2)}6
z2!9Hdn08AKhJ}CSCeMxb6qOi);Cp(C+-L95VTM+A7VW@@Mt}L%ojgYs!M%kpz7(VD
zQE1THbmOj5PZ<~Qy49FGRbrJmlG(2}D|~z^X~ba7`<zIR;hCE0@9oc@?ermO2k+K2
zCvM(+Vj8x2gQ>q3;mQdSLr_w%IMo{pUc+bB%JTsOUk0X($M&pVpMve;v=7Dtq&{~H
z=M?v)BJec0(G$#yPl)xWB|b5wc$VPR)4id$)3SVzl&!CnF`a~Kr@2SKxvak>JwM}{
zWyt0JT74wz@V*`fkGi@3Eq(ZWJUANjNhJV0R9_z(VCIL4EQ7BG8w|_H%jD#g16+GH
zr?BHdkPDUDHONufBq-8tt_tI-v8r#1Fg~ugN5Yf&^SNRmF>*HFokW)Px)Db2Vj0j6
zH@0C$lXtJ6_+u8WNx+?pU_x<yKa=KzyNXbRQcO<77?}&xIhpzx>X^Z&)U8CFXX3NL
zNH(XZSXzl#3V8a4yS#9+&d^h(51&IN=WV<CjzQ8OA*h{iU`qEgfX^MI2=pFM58Hd(
zPW=rI?lPA3onSU0mLDDkkK8&tnu#C1A!ST|q~i{0$>6XuWQeDE$J)3g;g@3jfP!n-
zE@Ee%bT8zx0YJ^~tmjlS7Iq3HoW<qn%hBT^+V5r84-6`*2?x4%HP3z(Q2*<5389o8
zf}QF@L(dRX(|LE=+IxXL{fcVyLWKQ_CLgu99;90&h?M9wP?ElK+ouD(b5H2&cbvty
zj+js~y5xi8fuP7qZulE<{_S~#mW2Qkv&ju}*>t_lm!t<Iu`hRx>J09P|H$3)cPMvM
zYpc=6LTUNEExoC0?&FhirXj3##Rp)Bt|aUl>0wW?5w6n_FHF2pT3}vr^#(p8x?^qz
z5#EMq;U5W4ci48Xe9v4_X1Aqpnu{#ME-(VNb8;jD5|&~|bX90X7W<tp^n>vA3rA!f
z!Fc82+HS^s%DTfv12xK-7I0Oe)Hg#VXBEH-ql0_u>sQ1;ZFG!U8atiGL{jF~g$baV
zPJ=$)`0bJZH)vfG>QXG{nb*rQ&0#45&*V9F(?;GATR-QLC8H9xbNtI3pPEtyjJcpO
z5viSy_lMu2<$9&>07RjSDS~^o{zX{>zLk?kF93@`3d$etfKuz+O0jw#lCnn^x9}><
zmPTr33Ph?<Ih%yhm-Ih`qgNA)Bo_&=Pha3?EIO*M0y+KeR9zAR<9MIub+IE_E7a2J
zDibZ4SO{-+uLWlo$P@9$ppLDhn2XTCrXzSvGhH}L;A)!y<1&gfmq)P1Wnmg|dS?Ln
z&I%wkTQ!ns6*Gh0Fb#c<E9M`d(_X?7juf)EG)~N$<BgK;++8MM>)(+M*x~rt;@HF>
z_~}7Y&$NfP!?{MsV<vaa61DtPdb6vU3nDh!7+2s`_ZjpVw_lQo>XbOyj_BH(@2HNd
z!0Ncy?Ncotxe>-Os>n=_KfE(jv|#}-Cj7RM!D5qCT#jmdr<ixAG})>q>(4H!+Xj8E
z-XR8pQO^7{ZiV1(7`f)+&hX!T4B);xh<0kl4WIU9hZPkP%D<vNox2tFz39R^HyH@U
ziU&OuNWNk1rFANFy-Awd27nQBl52MTHeRTcWVFpS9Ok%Vz#BK5cyL{fEw(TbCwf*Z
z4}{`RRJ+!<?=9EuiNQja>jKZkn}6ypYIoIJ09RVz=CEGSnq3mD!tYOz_QBp>?2qHQ
zP3iG?@DzKTYNl*C@V5Ml?3>I3T9vP9f!GMvQN=Ot_<cK1Dfy?4=$XN*2c4K>3L(Mb
zKIpL|uE#5?UQs5#Po7}K-N)-}u-OdxH;mS^iwOAX3Cerm#)^e@6Qw3zrldpYCt-HV
zu&Y4s@Of<Ph311W$uYMU&rbiIK|`}gpw3!J%!EUb0lzzk5#AxJDc=j!?<>{k3QSWk
z7W%aF+xj2^xD<y=$*^cq*(Fjspt8XBP`8be;gX*sS^&|3V||=DUG(+jAqkiI@-8K#
z1!@baRA}5AQ~&_##?Ase1KI}1E3^vj85w^|8-2#5GX1BMU1y134{#GSx!Zh_6c6Ww
zB%kR%D&l;|#atHC%*|`hD#m*AQKZ8aU|Mjc+sU2j-Fu!rl0;#4Fueax4_vFkrPqq4
zGphbba<P-%T3DC_)F>>OabqOjSA^KG+<y56jGg&DB)~tv)vz;tc&&XI&X@e)qu5Yu
zKS>PNl5Y(Pblt+VSPEmB`ME;7nV0<bTp*{*3@A%_l;HIhr~aC}Y070Z5UIsZR*fy)
zMJ)x|3)4@Ma9|AHNq8G82A!6JId*5huh1~9RUoE2bX~}ERE!)z(ACUk$zDeR711+!
zo*icL3bfb!X?K>-nWAJygf6`VGYcm@BysVbBNpmm*4iF(W|^)`KC8@kwC>H*R?%*j
z-&u43oCXqtIl$7JY+1}`r;$5Jv^ZBUn-3PW6?cgKEw_RJu8-hu-1c0k_~KU6o!5WF
z*>`^j`ihPX|1>!M+hTgHZ#&H<k>gC&q0e+Xh;^J&=Uo`H^8$(3C`qKvPiL;*07lf7
zep>Z7N5WWioVbN#$@GdUOozf7%o?5`_>59^_2SjDqYmmz0imaTlSR+P>#V)#vI~nH
zyfs)A_`?+f6$AO^JoejIy)T4+))LZd_e1!=O}ZD8k03%64&GfwLjn%?K$a>8J;ah%
zJK-xQv_}fs&1q<!lEvNe4qzUfx5-b(Ye17n6OjgfUeav|01amH-2~rGqrGqt5D}10
z@tF~vLKC08Yqkf6q;6S>3}Gk6#rC@F1(zl68&$kIr-c^RR!G*VOVdA(I!2S02=2ZR
zaQT?n4&M!MF=cDBbO&Q=^m1gDVH}Qo@Y^HHAeuBe{DvFPU-qbzAgn&}(t)E+_q!2C
z9_{y~UN3y#I|HJuGy4{Y-Y6SwQat>n5Q=O&#Zf=;?Q{g+nfS>$%^AH^Ku~OVHb1Lg
zMBxQBBGdn=>3w^Xv!~zZr1F<J4VMS#^F`oG(05!P93Aa3!0lQPR?`uDr%^dg&9i>I
zkhHOtZ|+mxYSUCbb_pp8IKZDfqDd|JB^3=ZHaYQ<esY(iW3{YlUOs3r$AI(YH4A{E
zl<fNItTvQPRaTvNToSuyj#uns@|mIfbVrKi3y(pJA4Tl!9o&nq9^i%WosqIW8;NV9
z_dVA~4GruYZ7C^Sl%#Jxbyl$&%V2@+E1jfB2Bp&+0lQU#2Ge%Bvsq4+1AtCYpwzGJ
zrC#7m4r>!bZ9)=zAULVGnV|u($-u2wMl_<YCgb#<AYkkKNxeI-0q3+dP|-#!<ABY7
z1gZn!pk@bIYozaC%L;8Jw(Rb;vr-?ukmg)Dg+v+R=zVXT39zbyhyPmlm-=_|ayv}n
z<2Xwp0zFUbTbqD)&Iv(V=9DeI9$6(Mu2%>^3M1UIyxydpJfdmpb}Bj8)a9K{(*1c!
zZ`2XhjGLFFN$xU-1PkB4i1P%(Ugo7oyQaUkH=bfA#9H#<_T`4+l2xhl(%_326lwnD
zq+1UgxpYhit2Z&JR$#iXlOKDb*yr+wzdR5N&h8ou&VyA}(UG(|)4GBlQ7fgK>9Mgp
zc*}MK*j6}P$K$kQe3!S44|0S1P0W(7r**?IAjSB!Yl@M3hA4kp_Hc_UY8=<q_Ht46
zgu%r&P6%>u#LaHZkVCJO4kJOK!NBO6O54j8rJb39+c8U16)P>p6Lz?Q3DsPI0k}#2
z8WBLWbpD)BV$a`?8+%8Hh>n1^lW^}z`JJ^c`ZKLZcGN^FpdcjB?uZc2*M66EcQSrm
zU)MwhC22+pvKAW0&cmi|c|GJ+;Ds1qoZNRBwhJrqF#^oeQb)u*vq<oUq1i3sG^WS4
zw>B+|H@bz>TvMl;&_jy2E<jYxn0u1z=m>OOvb=U3p8%Xk`Pvne3;LRv&yhU9>JLfD
zx9OL%SG@>hx3bgQ-{2IRX&E<}V{`yJOHJRs{8xHn8XP4}rjJQ@%@gdY5xFL@Mm5a}
zZmJ&z&ZH;2Qp;bxUp8R>75q%yv$^)U6=VegTYlgO+WBB*EINlIWZ`;r2iFalaCdjD
zOP+H9Uwoecr;jJ<$96B^>Myp5)wL-u8#NQfeI8g?Y_3yQa=krhwY^P<i(>waos*8F
z4Q%5PWlQ|#RHZ2sETq5h)FqsLiJ^>hXrHkcrcg5{*F7w^6_Kq^&fK5lR=Czw3CNX+
z*Je3f)JX23*7)6;G1q`g%D*1p;5HgCtjW+Dj!Do`Ur9A{KcGQ+ZiGKYmpiRaa(8%u
zE%szJ0>31jS)LSF4Tu8RxyD+%x6<%D5L9E=8$Ax3nCS!2ff48xS(x})`wyC=yn002
zknOpADXt3UNE@LFUbeY%K4HI-auj~{7z9M!H7N<A1!J}AfqX2?NpVSURolV>JCbEy
z2-=D*gB^;;PgA*@N|%L+lbBBzcfN!TF3W2w+TWDLObCO`>I5|5Nr&naJv)q<jEes)
zV4f>oN#f&uBgz`$$M9-(sR7#?fI7q`#<jCk+8$Lc`2^eQjzMIA^Aqo-ejn}{%hFbK
zaSYm2iEBq>59!l5OGzY)6+p$KtuME0;s8G=5gCR*oxX|!_c6eI?Lj32(cnYm%+H}w
zQpy4}gcDRk?2`-R6et9k8t}5-a_8f`J}3?Bm*Tw!C>HrdDNd8a`-XDYm;2U%7FcW+
zwbS@f<LpQ*oLk|h6#qFs=zXG^VQ@EJu`+yT?g6=0%>_w@ei`nN5!(u!z98L+mF#Kh
z)rkpP!54l5H>anjRgu{wI$)6ldaM?QNM4Z)a;NrDp9MfbjcoSZwUF`!XhugJ#7)-(
zl$7OthB8H5VvJzYN^y!67Wf|R$AmX7s3hD(`sv`~AG+j3h&o9ZmUrG*dvrBlO_umQ
zrXT*W{-UlmcVznPAyRmF)*(nkoZ~<}pfSjYDTL{`Urx+X^e0Ch0fg}`3Yt43!hIIT
zF-UT`D(=S2OZVoCtv+jD$<Dbnz1deX6PR3!x%p3u2Sfpag3_+q=*#&C*Hux%?5l60
zpewJGhEHA7BH)$;l#blCQy3u9?w`+pSwi%X$!)UXfN+2#c4iRwus<&`<gKLw>ipp1
zP9(4yAg%PT7AX*6`&Jt0%u*%(c)tP?Aj|rH{=K@ZCQD3TCoIEs#T`Sw%Su*jXR4U8
zlhr==Y+)SY9#G;;twhc$7uQiD5wJ(+cJ1L+9~|XIy-Q#$pXGRNGEEdSr4*n_<ESBz
z$vq@x>(&pM)@j_gOwJ|=Cwl=jJY#a}uH9pR`9_-q<5Ouj-%MJ{0+T=NA}@U&6?Kb!
z9b<Y>sBNt|viHS$UBpjE=(MXNbghvb<AN0>f>Vqa?mIY{g4~UKt=K(t%o0%k82}}d
zEJLOjN^Mp3`nnETFQAozyCpM=#CN<>+tYguoK$)X6BL_^+M_;LbY^#gqeYyFYyJRJ
zd2uv7A%~fI_oA8K=e6U*T(iQjjlsG2um8VaF|N^{^|<lv;IwQx+e@XhjKZSA>s^>f
z<2H25BE3s9qtu3{u5io9TIlf;HPbi7t#&qdUa18c*EEMy@pbl&$56<;rGRvY>kXdI
zN4eW<!koBQ-C-9vHO-m@YqHiwOLxxIKvc4zpJ1m<$2ZN{NysMO>?9N3+j%<JA1Qew
zffVViORGz9{YC>RP!7SGY3?4YT?TX=4YC<c*UrLqScNLlG@!G`P8Nl6JDGMPIt(XB
zeJ$?iinG04`U;cqVMl-=(hWNi^}niBIX@qVC<)$iR8F$KfL;Ca8kV1NA8(ct3yhWE
zyilQxwE!329|ZVmT;sc{x`F?WNow|@-ft__mne<S^eAXB0!ZE_ZH6?NlSj^a33)}d
zJ~;QO&0aS@8bLss+}uT~|7TEVO%}e_0TqXgg?7$KZ+t1Pux}Cbo^ZRKqjU;%zx+do
zpX*T9k`S?+Yj;d;<sex)Ot{y|TF3#%=(USuTMGmTXlpz(V|FP6Vu?NmwKSgd-SM|>
z8lG7Rlb8jFb})(7U797UKZlCV@VjnBQMY?$7gx~r&-!A<Tp+n8vO=&<<EfXYq%W=$
zOw~$(K(S8U9hFiWRrEOkd;J`DMA0YG)P{^oW5N$Wv*<zSEL*sT-kK}S^ywJ@-gDa(
z-m{e)y|G}c)$k6jb=0Eplp!chs_oSY$h2$>HQVdvqLZoIV5NPjyj8&ML+67{Wl_7J
z&zFTbfUq~8mv?pBp28K1#to=Ye)#bIcxyT%zR$b6YMOfj4zlfQsS&Qtnz*rh)D;WH
z_C4G@l>#Ow5&9lAqXU@+r7pfV&TE6-a~4}DHpIZ4M^^ya<6PwmNj8#5DBYRjA5%FK
z1TY@w0sxH|grof1OiqzVXQ4ke<du<dhVS(cbNeky-bs<9uDt{Q35;ZL%E)CkfB&JA
z6OVwIJgQh_Sijj^UtF~D9epyCbjb%&;Km644_W6w$*k?3y(s{DcL7*O(f_xu{ihW8
z>mloAhitdO7RI4<MA(`K;aZh+x6~baelakk>J%~$1(08T1Odjt!cUc$Iv^cGW_;XP
zu>Qf){`@k=NdKbxa;w6d{J^c*aGkRi2IGsWLi9Lk-dAyh_VrcKs&PHIEBFMhfxfuG
zcY~$0WQYK<3HEbi!2^$~tu@6JKnggh4ye&%=(|iO`m36k>+3ic`e3ngb76aVJFe>c
z#KPSU)ilW&y&h&s_=;t52zw$nQ0DD?&J+d_=D;%%p0>x8EIP|gsp<$NOUUr%L`XTS
zk^~?lUmKL4Lxx5k8UDA&@XuROIUN++yOKEa-6;+Yl#I$K4WJV<zJW1p$rehyR><%H
zbAdsddY%BAC2vs6=5l~ryAHlYN5j}7REbIasjrE3inEz^G8B6NkYGh4>*9jj2mkXD
z{$Yj$U15=tmG#LAlXSd5VyI5z&`RVwjB!4)9TB!*%w;?c%i(J$tdB97%yVU*n>?+h
zKhP5(BC6+i4!8ef?=08nwtFyPI|>n$UxXunnE%v^R?)u;3rrWQZcjqC8Im2YX#y17
z=CBNM-_pO7%|A~7fc(3<Kbz!d<UgE{>i!Y!JMYIcw4&OAbQk;3e2z7C6M&^5pM3w$
z#`A)`ym8EQfvDAOjph5UP79ZXP_y)P=Z0>-gx2>11{Y<who5weqx0=6V;^-6K;8Td
zG>i+LcIVJ<ZJuohCDYbB(7zss9t-1JMTuh)zF<H=I3=#jdtz$F$f3$NWu&5`<Lx?B
z9Q|l%z6$BluviZ%OG)yW)$Txj**LX=023rV^0?0e1G!ccofo3t$|p}J>Q|3=m7_HE
z7jViJ+naUeB^&MPbZK<MfWISadh%wge150OzW@<67z<h>uvP5%G_FWB%i--=hX(2*
z+<pzQ(%bto`t0_?#$To1{ql?2WjXVwE}`v_`T0#^tIPL4q0+aKazn6#<&2o2{r5BW
zxrd+P3oTyLs-Z#>vYkmH_@#(%jn#>beu1JQlfNIjz^%O#fzPTQ$gyL&#z%BDvhLCA
zD25r@MSt=9A+E_jf?rlrAWDnG9T}I@cn1ITi%@dS^W^Ng?DBOr`{@PUjXg!x6%{kF
zN=xJV67z|#_{!ss`XUQ_WOWzBJfhBy8!v11S;Gh2hWcRNE&l=WgCaQ(Zfle^EL^RM
zrkwV$RhM;N+-fzaYpG^eo;(JHb%g6<MIF1YZUh)zq<D_B-b!n*{V{CR5K+1ge$qWy
z!c&p=9@_r#9R1VyR3LBo`u3Oijty2ZZsrZQUmpf<_S4T#J<MPu4=R4|u~KznPp?*<
zLwq^SmDgWgF4Afy)BEkh#1lu@-HpfnTu`sv2a9OUaY~@C;`z=};p@6>#}g#v#W@vz
z#cS~*$2OAOdg6`WSV|=~T^wFq?Nrr?fN!w(4xo##C`Ohw3NQE6C9T;2lh30H+5_og
zI4q)zPlLXFMR(*_YSr}>e(Hn24m_%fucE#@uoY!qu8_N;ChO+WzCF(Vj)Q2S<^3u)
zj?-0NB0Q+E#;@whW97K-joMM`d9wCP4d}&?wc}s&l_yZX$fKdn)}mjxRqHv~67KxR
zc5RjRPA-Dqj<8!CUU53J=<{ZHeImehnU)JY%i%vkE>|k!#(FS{t{B((qU^lBuN&KX
z!=aM{6ELJ^it>_NrKYr|arkYiIQmvDwF775c_CoLGR4|@EM>vq(?hZVWTH*YSpk{9
z#A1}Z-qUY^T$2bq8LKHY*;-r=SNzjUP}e2*ZN%#|k3aTZA3xw9Nm-8u&zAZwqZW(v
z8hwAQhz8B~lD`f0TPrgIwjXBtf0P}O(&U13&b&@`bGS{q7apNWmSdErm_~@$sWu@n
z%0>7M2mg2Lm09RVk#(M7C8>UV96vA*(>6b!KB2##+Hlvqf`bFaU$W};`}CT7G1d6M
zxIWB9*M3pPh89-w^@B>7ICKSBBtBZfky!G_ABWrZwXWQN(0-_Hs+i>tlqKsX6jd=#
zv7=RzW|gV<{YXei51)ZnEVaFqwnVTrF+J?~sW4Gz1~%Z*{PD)RS4Ww8pZomx(BBeF
zIG5$@`n(?Q$=a2wwb5;3E))DItIcHIQX5nyUh$3FBhT9=K2avR;3x8q?({AvdO`HJ
zr`_Ww1nc3D0d_dOCiyX9X0(W*`Iow!*KfoLcm5#bsu1g%v&-lDI=4?Xi#Mkvw6J9}
zkxaKs{2RQ`0H?vO02*5{s9sZokw)%`{N|L%74aYv*v4x$aMzqk{B+ved{_-nS#9}T
zE;xwa8s=NZFIM0ShD*O_{Fb!8lHOx*e!^_Rne+iaEgzR>c(FhArqqP(n9$<>d4Uqp
zl%}JKOQJ>``>ahu?;!trPhZmE5mV%sfNIwSAKDK-1phdf{PfKQ@Yt`^@@l!D;gLSa
z2N>L|7m@UoAwe9nKh+lFoF;Z%?a-9+{3g&l!Xm)=rI877k4RR-<#=kaLH&6zn}lWs
zuLVl0qoab=nEr4gs2>v3^~Mx2yLDiOTkiLIqaAmdazuAyqhLz&n{HspdIK)SnCbjQ
zx1c9`)uyX3xV+;z1um^V{Out+kuK6vnZ9sJ+j2J2(ja<n<7FRTBcs7!56tOOvtT<c
zo75MVtF4Fnfk^i)mmA*f3}h2o)@smN42eN%_c{DR{;9UyJN5O_(6e}9q*g=3*IVUl
zf{mcg8v%KpkngW!&1u7J%;j4s4GJ>Ju3W4sS5$C*IoHR7Xm^_eU-+p^=)P#II_!Ed
zsnPdH+C+%YtkZ0$=QwSceNTUg>-a$N9T@}BX20xmS>bgp(Ze#|qB}l&GD;(FO2}I{
zv=Y|em(~|e4qN>LK?b>ToLu#zKSSxXavYao77-q}#`p@`3&XV=eSIu=p`Z)03p~>|
z4(;C%q|-Yt*~}Gh`OhPh8mzp&XpmDLB_1ypPtE<RHsTfLZ>6aTjHZ<RXzD!Lv`Xi1
z-+ZbmHrF&jcH$59q{uPYS#qM|)Ha{lo?G|I_G^T#-&o4^uFU<lOb9|soCjZUOc2$4
zM(-#z7MMB<O)co)C5xTBXH;Y5yp>6uSgA;7B_ms!It>>~4G07k$-s}XBfe9WWK~U3
zbY7M}7kH1Ey^jp%)XlNas$6-$ZjGo;gS=Q1j3zl?3MIEH@cL#>RpX_v#jSLP1Wi=5
z<q0~JiaIs($;9vIN?rW3J8i1Vm4L?X&-;fY$NH;~7<<rxv-GB1K?n%x?wRXTDRyEu
zv4D7u{?vN8Qd`<>Nk-J^zkVy|1H`s@q+2O;oE7^)m`7(sxzN=yyv8W3w)HHt-$$`S
zY^wWQl!MF1`iY6HX*Ngk&f4m(YjZOA2-Bp^mwI5HucOb?j@-Oi(njcG)9~VQGsA$I
zjlHm(`WYe&QPb_w3bS^DZTpgO-rqTuI$U1@l-Gtmq8qor^Gg;V_CHv)!Io&3<A2mO
z+JDnR59QoUXqs9u?R>Ye2gP6(%`g;7q!~cfQZzTJ8i<ISFxwD<dLtt(ecB?397{5C
zArJB<F2;CVU##qv&zM|r{H}Q)DKh$73r-Eq0$JMhrIbU=sZA{G8-hJFu1n5Yg$<`)
z)8@pXibIU$o=Wz$b)Wv)tXL(6HoW;c0r9G+fKf7U5BF8>=2<)TVY)0Wce4g#K>ixy
zd`md@cN%hp(D|vN$L5eYyR3kNz|am?PrnpN-MNiZlkc*vz)!7#T@n66YYG}oi0sod
zu+*&b(F*w-uQ{UNQFtKo*3DCK2k;|mHVN+smXf>C1A%8U{r5SeU{TGRRx>tBldHp;
z62o=B@*0AWLLYINkr8stO|+J9Q-|=zB6C?!l<qRV-R><DS-Uz_m6Nu1(HaXao^Pdf
z^eMeXd;TqK(OrEs{n6W=zamJ42P&1&vP_pgAz3SZu=A@<Bo>n%Q583ud9nkQ+~hwd
zx4PZ=W!OWN9D`g<HW0-(4W}+^jh$BN%R~vwDf|~0T{-q8z+-7RI`8z)9D}(znko19
z_Zg9kYRUJ5Yu8%{NN8f+&0@8_MhS>)1v^+681kMrpg$bgx-radZbh0<b%hr{G<WZ>
z%`8BTjIv2=ybZV^gq)HT!#>#8p5)U!D?D;CcAyt}*(s<u;04^idyYB0)Us3__z=C2
zFu*PbAHJ*B>1p$QSZ#Q7`1{5dke>yzhBegxmlTX}-769Zof)DxS*9X;9XbY8MMIj@
z2nRbcY`H9<&-9wB=xfQ{Jb7^`6O+&4knhQ{;S*Dd%;hOODQ#`bc;UmhZ6I`aRm$at
z`Wein>Oi>8D;bp3h4c+4T7Jke*Epg2YS{9%Zv{?LeBI=Y1=SzEZk#{fFMQkX*VZ}E
z;drL^!q~Hq!Q2)p5U)#DE7;aJw+(7HMIN!nDZs7<uc?k;+^nvnHlx4A(iRVI@cN~U
zj{E!G2CJ>^eHPnI*?64&T5vJr-8b%4W@%&}yijJ|bTj0|+UmhXWT}sE!M~<^s)(Nd
zwvK{pY+SK+QkduvBX-E`k+g6SZdH}<7PSWjk;UWNJp-9YDo+}|-|RSq)}u*bo9?mA
zWoDZ;PEceGO2*mK@U8qFln>tnC=TryD0x!un_#)=V#w;RR3KabldIWw?ejkNQ1NE=
zQRcp4Tr+0FlJ%gCU5#5st!u&^mkuSFsRqMMHV?-Jl;4K|R9|Iu8=J)8N7B|8Lj*Z(
zBtNRwWezEJdT{16zGJx84f|4%?dz`F2QF``o46J;)C(CGD{_BtT^Vq_A6smo{dff`
zvdlG1`aD%l+DP#VNa(%aVmX=XCKlQwpYZy5DbC7wB+&+A81O?+1tmCB@nq^0g9xYA
zcD2m5>ob}Jr3cvgK%3LVwewTCI=AgTsqLEKXXmS4`Hr0J^eFi(&@r(o!6*AWeijtM
zLLHf!a6XjNbGCzd_OL|wZB%s9B|(q^y=4;nsB6>aVq=A_MlH<#XfW0+)rs^cS`s7B
z`gzmlTvF`bm>W%>2MnT?P0n!`ZLQD%O%x*&F%uok`%jJhzp4+U`1MU&iesLZW(P?<
zF2$fd;cZtzul!%>&oAk2*ew;L+iPsfr%8Fq-g8_`ju<#BAzP%sZ`NqouSn+%-0I3i
z+W>!K(=6$atbPxaNS@eNoduui(%hmrregie{t1i=Nd3XIzprKqjB)$hW}z6*Z|n(M
zDHiIFlN5iQcN(=59sJh)v!xCF!fTA-$LlEhMpLY-jl5C#b8D|33}<`UQr*f$K!c<M
z**tbT;JL@f3x1qFfg@JFxlEG2PenK3`a+swGOEJ_6RTPG9J*E<C%&3%NWKe<su*5t
z@Lkjmu+8Po{~n}j5~jV@@?XsP9oV*R(V7BZ+m0HqpR36CcY0?R*2<Lt?@^1P=>%*q
zjpg}2XJ}wuQ=A<+8#Dc;FSMoU^OshEJY!QjTsL#XT6zZm^4<nP#L(=h5s3-4n2rp0
zb}}>3fc~cotKJ6(13tTX9qB+@9CLE8&Tu}lvE?=I#^Vd<G&dI_4wG3B<q+Stb)anB
z@65O8g{C524y0(Z@oWS^;@3**a%453DlP&BuT$$(E%#*lyOk^JY6yA|*8?_C^l#s#
zG(B265+<DAnFutM3id8$w>E-Vo(tE0n+rS?5aVYSfR}QNC?`|>NP~Tx!Y=I{@{%3p
eMcr%Pf9!DxJ<9{q^+o>y{OM~$wDPXnKKdUW*}`-H

literal 0
HcmV?d00001

diff --git a/modules/cloud-config-container/bindplane/main.tf b/modules/cloud-config-container/bindplane/main.tf
new file mode 100644
index 0000000000..a2a11f8654
--- /dev/null
+++ b/modules/cloud-config-container/bindplane/main.tf
@@ -0,0 +1,48 @@
+/**
+ * Copyright 2022 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+locals {
+  cloud_config = templatefile(local.template, merge(var.config_variables, {
+    bindplane_prometheus_image      = var.bindplane_config.bindplane_prometheus_image
+    bindplane_server_image          = var.bindplane_config.bindplane_server_image
+    bindplane_transform_agent_image = var.bindplane_config.bindplane_transform_agent_image
+    files                           = local.files
+    password                        = var.password
+    remote_url                      = var.bindplane_config.remote_url
+    runcmd_pre                      = var.runcmd_pre
+    runcmd_post                     = var.runcmd_post
+    users                           = var.users
+    uuid                            = random_uuid.uuid_secret.result
+  }))
+  files = {
+    for path, attrs in var.files : path => {
+      content = attrs.content,
+      owner   = attrs.owner == null ? var.file_defaults.owner : attrs.owner,
+      permissions = (
+        attrs.permissions == null
+        ? var.file_defaults.permissions
+        : attrs.permissions
+      )
+    }
+  }
+  template = (
+    var.cloud_config == null
+    ? "${path.module}/cloud-config.yaml"
+    : var.cloud_config
+  )
+}
+
+resource "random_uuid" "uuid_secret" {}
diff --git a/modules/cloud-config-container/bindplane/outputs.tf b/modules/cloud-config-container/bindplane/outputs.tf
new file mode 100644
index 0000000000..56e0824296
--- /dev/null
+++ b/modules/cloud-config-container/bindplane/outputs.tf
@@ -0,0 +1,20 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+output "cloud_config" {
+  description = "Rendered cloud-config file to be passed as user-data instance metadata."
+  value       = local.cloud_config
+}
diff --git a/modules/cloud-config-container/bindplane/variables.tf b/modules/cloud-config-container/bindplane/variables.tf
new file mode 100644
index 0000000000..39856f4585
--- /dev/null
+++ b/modules/cloud-config-container/bindplane/variables.tf
@@ -0,0 +1,88 @@
+/**
+ * Copyright 2022 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "bindplane_config" {
+  description = "Bindplane configurations."
+  type = object({
+    remote_url                      = optional(string, "localhost")
+    bindplane_server_image          = optional(string, "us-central1-docker.pkg.dev/observiq-containers/bindplane/bindplane-ee:latest")
+    bindplane_transform_agent_image = optional(string, "us-central1-docker.pkg.dev/observiq-containers/bindplane/bindplane-transform-agent:latest")
+    bindplane_prometheus_image      = optional(string, "us-central1-docker.pkg.dev/observiq-containers/bindplane/bindplane-prometheus:1.56.0")
+  })
+  default  = {}
+  nullable = false
+}
+
+variable "cloud_config" {
+  description = "Cloud config template path. If null default will be used."
+  type        = string
+  default     = null
+}
+
+variable "config_variables" {
+  description = "Additional variables used to render the cloud-config and Nginx templates."
+  type        = map(any)
+  default     = {}
+}
+
+variable "file_defaults" {
+  description = "Default owner and permissions for files."
+  type = object({
+    owner       = string
+    permissions = string
+  })
+  default = {
+    owner       = "root"
+    permissions = "0644"
+  }
+}
+
+variable "files" {
+  description = "Map of extra files to create on the instance, path as key. Owner and permissions will use defaults if null."
+  type = map(object({
+    content     = string
+    owner       = string
+    permissions = string
+  }))
+  default = {}
+}
+
+variable "password" {
+  description = "Default admin user password."
+  type        = string
+}
+
+variable "runcmd_post" {
+  description = "Extra commands to run after starting nginx."
+  type        = list(string)
+  default     = []
+}
+
+variable "runcmd_pre" {
+  description = "Extra commands to run before starting nginx."
+  type        = list(string)
+  default     = []
+}
+
+variable "users" {
+  description = "List of additional usernames to be created."
+  type = list(object({
+    username = string,
+    uid      = number,
+  }))
+  default = [
+  ]
+}
diff --git a/modules/cloud-config-container/bindplane/versions.tf b/modules/cloud-config-container/bindplane/versions.tf
new file mode 100644
index 0000000000..bc9986b3c7
--- /dev/null
+++ b/modules/cloud-config-container/bindplane/versions.tf
@@ -0,0 +1,27 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+terraform {
+  required_version = ">= 1.7.4"
+  required_providers {
+    google = {
+      source  = "hashicorp/google"
+      version = ">= 5.26.0, < 6.0.0" # tftest
+    }
+    google-beta = {
+      source  = "hashicorp/google-beta"
+      version = ">= 5.26.0, < 6.0.0" # tftest
+    }
+  }
+}

From a14ed9add2777769d6b1657ff1b6c44637d2e86f Mon Sep 17 00:00:00 2001
From: luigi-bitonti <93377317+luigi-bitonti@users.noreply.github.com>
Date: Tue, 14 May 2024 14:56:10 +0200
Subject: [PATCH 28/31] Cloud function CMEK key support (#2270)

* Added support to kms key

* Updated doc

* Fix variable description.

* Updated README

* Cloud function v2 integration with kms

* Fix variables description

---------

Co-authored-by: Ludovico Magnocavallo <ludomagno@google.com>
---
 modules/cloud-function-v1/README.md    | 47 ++++++++++++++++++++------
 modules/cloud-function-v1/main.tf      | 14 ++++----
 modules/cloud-function-v1/variables.tf | 17 ++++++++++
 modules/cloud-function-v2/README.md    | 23 +++++++------
 modules/cloud-function-v2/main.tf      | 11 +++---
 modules/cloud-function-v2/variables.tf |  6 ++++
 6 files changed, 85 insertions(+), 33 deletions(-)

diff --git a/modules/cloud-function-v1/README.md b/modules/cloud-function-v1/README.md
index 7099946e2d..ebcf0dd0aa 100644
--- a/modules/cloud-function-v1/README.md
+++ b/modules/cloud-function-v1/README.md
@@ -16,6 +16,7 @@ The GCS object used for deployment uses a hash of the bundle zip contents in its
   - [Private Cloud Build Pool](#private-cloud-build-pool)
   - [Multiple Cloud Functions within project](#multiple-cloud-functions-within-project)
   - [Mounting secrets from Secret Manager](#mounting-secrets-from-secret-manager)
+  - [Using CMEK to encrypt function resources](#using-cmek-to-encrypt-function-resources)
 - [Variables](#variables)
 - [Outputs](#outputs)
 <!-- END TOC -->
@@ -258,6 +259,28 @@ module "cf-http" {
 }
 # tftest modules=1 resources=2  inventory=secrets.yaml
 ```
+
+### Using CMEK to encrypt function resources
+This encrypt bucket _gcf-sources-*_ with the provided kms key. The repository has to be encrypted with the same kms key.
+
+```hcl
+module "cf-http" {
+  source      = "./fabric/modules/cloud-function-v1"
+  project_id  = "my-project"
+  region      = "europe-west1"
+  name        = "test-cf-http"
+  bucket_name = "test-cf-bundles"
+  bundle_config = {
+    source_dir  = "fabric/assets"
+    output_path = "bundle.zip"
+  }
+  kms_key = "projects/my-project/locations/europe-west1/keyRings/mykeyring/cryptoKeys/mykey"
+  repository_settings = {
+    repository = "projects/my-project/locations/europe-west1/repositories/myrepo"
+  }
+}
+# tftest modules=1 resources=2
+```
 <!-- BEGIN TFDOC -->
 ## Variables
 
@@ -265,9 +288,9 @@ module "cf-http" {
 |---|---|:---:|:---:|:---:|
 | [bucket_name](variables.tf#L26) | Name of the bucket that will be used for the function code. It will be created with prefix prepended if bucket_config is not null. | <code>string</code> | ✓ |  |
 | [bundle_config](variables.tf#L44) | Cloud function source folder and generated zip bundle paths. Output path defaults to '/tmp/bundle.zip' if null. | <code title="object&#40;&#123;&#10;  source_dir  &#61; string&#10;  output_path &#61; optional&#40;string&#41;&#10;  excludes    &#61; optional&#40;list&#40;string&#41;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | ✓ |  |
-| [name](variables.tf#L109) | Name used for cloud function and associated resources. | <code>string</code> | ✓ |  |
-| [project_id](variables.tf#L124) | Project id used for all resources. | <code>string</code> | ✓ |  |
-| [region](variables.tf#L129) | Region used for all resources. | <code>string</code> | ✓ |  |
+| [name](variables.tf#L115) | Name used for cloud function and associated resources. | <code>string</code> | ✓ |  |
+| [project_id](variables.tf#L130) | Project id used for all resources. | <code>string</code> | ✓ |  |
+| [region](variables.tf#L135) | Region used for all resources. | <code>string</code> | ✓ |  |
 | [bucket_config](variables.tf#L17) | Enable and configure auto-created bucket. Set fields to null to use defaults. | <code title="object&#40;&#123;&#10;  location                  &#61; optional&#40;string&#41;&#10;  lifecycle_delete_age_days &#61; optional&#40;number&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |
 | [build_environment_variables](variables.tf#L32) | A set of key/value environment variable pairs available during build time. | <code>map&#40;string&#41;</code> |  | <code>&#123;&#125;</code> |
 | [build_worker_pool](variables.tf#L38) | Build worker pool, in projects/<PROJECT-ID>/locations/<REGION>/workerPools/<POOL_NAME> format. | <code>string</code> |  | <code>null</code> |
@@ -277,14 +300,16 @@ module "cf-http" {
 | [https_security_level](variables.tf#L85) | The security level for the function: Allowed values are SECURE_ALWAYS, SECURE_OPTIONAL. | <code>string</code> |  | <code>null</code> |
 | [iam](variables.tf#L91) | IAM bindings for topic in {ROLE => [MEMBERS]} format. | <code>map&#40;list&#40;string&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
 | [ingress_settings](variables.tf#L97) | Control traffic that reaches the cloud function. Allowed values are ALLOW_ALL, ALLOW_INTERNAL_AND_GCLB and ALLOW_INTERNAL_ONLY . | <code>string</code> |  | <code>null</code> |
-| [labels](variables.tf#L103) | Resource labels. | <code>map&#40;string&#41;</code> |  | <code>&#123;&#125;</code> |
-| [prefix](variables.tf#L114) | Optional prefix used for resource names. | <code>string</code> |  | <code>null</code> |
-| [secrets](variables.tf#L134) | Secret Manager secrets. Key is the variable name or mountpoint, volume versions are in version:path format. | <code title="map&#40;object&#40;&#123;&#10;  is_volume  &#61; bool&#10;  project_id &#61; number&#10;  secret     &#61; string&#10;  versions   &#61; list&#40;string&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
-| [service_account](variables.tf#L146) | Service account email. Unused if service account is auto-created. | <code>string</code> |  | <code>null</code> |
-| [service_account_create](variables.tf#L152) | Auto-create service account. | <code>bool</code> |  | <code>false</code> |
-| [trigger_config](variables.tf#L158) | Function trigger configuration. Leave null for HTTP trigger. | <code title="object&#40;&#123;&#10;  event    &#61; string&#10;  resource &#61; string&#10;  retry    &#61; optional&#40;bool&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |
-| [vpc_connector](variables.tf#L168) | VPC connector configuration. Set create to 'true' if a new connector needs to be created. | <code title="object&#40;&#123;&#10;  create          &#61; bool&#10;  name            &#61; string&#10;  egress_settings &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |
-| [vpc_connector_config](variables.tf#L178) | VPC connector network configuration. Must be provided if new VPC connector is being created. | <code title="object&#40;&#123;&#10;  ip_cidr_range &#61; string&#10;  network       &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |
+| [kms_key](variables.tf#L103) | Resource name of a KMS crypto key (managed by the user) used to encrypt/decrypt function resources in key id format. If specified, you must also provide an artifact registry repository using the docker_repository field that was created with the same KMS crypto key. | <code>string</code> |  | <code>null</code> |
+| [labels](variables.tf#L109) | Resource labels. | <code>map&#40;string&#41;</code> |  | <code>&#123;&#125;</code> |
+| [prefix](variables.tf#L120) | Optional prefix used for resource names. | <code>string</code> |  | <code>null</code> |
+| [repository_settings](variables.tf#L140) | Docker Registry to use for storing the function's Docker images and specific repository. If kms_key is provided, the repository must have already been encrypted with the key. | <code title="object&#40;&#123;&#10;  registry   &#61; optional&#40;string&#41;&#10;  repository &#61; optional&#40;string&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code title="&#123;&#10;  registry &#61; &#34;ARTIFACT_REGISTRY&#34;&#10;&#125;">&#123;&#8230;&#125;</code> |
+| [secrets](variables.tf#L151) | Secret Manager secrets. Key is the variable name or mountpoint, volume versions are in version:path format. | <code title="map&#40;object&#40;&#123;&#10;  is_volume  &#61; bool&#10;  project_id &#61; number&#10;  secret     &#61; string&#10;  versions   &#61; list&#40;string&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
+| [service_account](variables.tf#L163) | Service account email. Unused if service account is auto-created. | <code>string</code> |  | <code>null</code> |
+| [service_account_create](variables.tf#L169) | Auto-create service account. | <code>bool</code> |  | <code>false</code> |
+| [trigger_config](variables.tf#L175) | Function trigger configuration. Leave null for HTTP trigger. | <code title="object&#40;&#123;&#10;  event    &#61; string&#10;  resource &#61; string&#10;  retry    &#61; optional&#40;bool&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |
+| [vpc_connector](variables.tf#L185) | VPC connector configuration. Set create to 'true' if a new connector needs to be created. | <code title="object&#40;&#123;&#10;  create          &#61; bool&#10;  name            &#61; string&#10;  egress_settings &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |
+| [vpc_connector_config](variables.tf#L195) | VPC connector network configuration. Must be provided if new VPC connector is being created. | <code title="object&#40;&#123;&#10;  ip_cidr_range &#61; string&#10;  network       &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |
 
 ## Outputs
 
diff --git a/modules/cloud-function-v1/main.tf b/modules/cloud-function-v1/main.tf
index b57d8431cb..7a7fdc9152 100644
--- a/modules/cloud-function-v1/main.tf
+++ b/modules/cloud-function-v1/main.tf
@@ -41,6 +41,7 @@ locals {
   )
 }
 
+
 resource "google_vpc_access_connector" "connector" {
   count         = try(var.vpc_connector.create, false) == false ? 0 : 1
   project       = var.project_id
@@ -67,12 +68,13 @@ resource "google_cloudfunctions_function" "function" {
   labels                       = var.labels
   trigger_http                 = var.trigger_config == null ? true : null
   https_trigger_security_level = var.https_security_level == null ? "SECURE_ALWAYS" : var.https_security_level
-
-  ingress_settings            = var.ingress_settings
-  build_worker_pool           = var.build_worker_pool
-  build_environment_variables = var.build_environment_variables
-
-  vpc_connector = local.vpc_connector
+  ingress_settings             = var.ingress_settings
+  build_worker_pool            = var.build_worker_pool
+  build_environment_variables  = var.build_environment_variables
+  kms_key_name                 = var.kms_key
+  docker_registry              = try(var.repository_settings.registry, "ARTIFACT_REGISTRY")
+  docker_repository            = try(var.repository_settings.repository, null)
+  vpc_connector                = local.vpc_connector
   vpc_connector_egress_settings = try(
     var.vpc_connector.egress_settings, null
   )
diff --git a/modules/cloud-function-v1/variables.tf b/modules/cloud-function-v1/variables.tf
index 73964d0b18..8dc592addd 100644
--- a/modules/cloud-function-v1/variables.tf
+++ b/modules/cloud-function-v1/variables.tf
@@ -100,6 +100,12 @@ variable "ingress_settings" {
   default     = null
 }
 
+variable "kms_key" {
+  description = "Resource name of a KMS crypto key (managed by the user) used to encrypt/decrypt function resources in key id format. If specified, you must also provide an artifact registry repository using the docker_repository field that was created with the same KMS crypto key."
+  type        = string
+  default     = null
+}
+
 variable "labels" {
   description = "Resource labels."
   type        = map(string)
@@ -131,6 +137,17 @@ variable "region" {
   type        = string
 }
 
+variable "repository_settings" {
+  description = "Docker Registry to use for storing the function's Docker images and specific repository. If kms_key is provided, the repository must have already been encrypted with the key."
+  type = object({
+    registry   = optional(string)
+    repository = optional(string)
+  })
+  default = {
+    registry = "ARTIFACT_REGISTRY"
+  }
+}
+
 variable "secrets" {
   description = "Secret Manager secrets. Key is the variable name or mountpoint, volume versions are in version:path format."
   type = map(object({
diff --git a/modules/cloud-function-v2/README.md b/modules/cloud-function-v2/README.md
index a5bad718e0..f54dd50aec 100644
--- a/modules/cloud-function-v2/README.md
+++ b/modules/cloud-function-v2/README.md
@@ -281,9 +281,9 @@ module "cf-http" {
 |---|---|:---:|:---:|:---:|
 | [bucket_name](variables.tf#L26) | Name of the bucket that will be used for the function code. It will be created with prefix prepended if bucket_config is not null. | <code>string</code> | ✓ |  |
 | [bundle_config](variables.tf#L38) | Cloud function source folder and generated zip bundle paths. Output path defaults to '/tmp/bundle.zip' if null. | <code title="object&#40;&#123;&#10;  source_dir  &#61; string&#10;  output_path &#61; optional&#40;string&#41;&#10;  excludes    &#61; optional&#40;list&#40;string&#41;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | ✓ |  |
-| [name](variables.tf#L103) | Name used for cloud function and associated resources. | <code>string</code> | ✓ |  |
-| [project_id](variables.tf#L118) | Project id used for all resources. | <code>string</code> | ✓ |  |
-| [region](variables.tf#L123) | Region used for all resources. | <code>string</code> | ✓ |  |
+| [name](variables.tf#L109) | Name used for cloud function and associated resources. | <code>string</code> | ✓ |  |
+| [project_id](variables.tf#L124) | Project id used for all resources. | <code>string</code> | ✓ |  |
+| [region](variables.tf#L129) | Region used for all resources. | <code>string</code> | ✓ |  |
 | [bucket_config](variables.tf#L17) | Enable and configure auto-created bucket. Set fields to null to use defaults. | <code title="object&#40;&#123;&#10;  location                  &#61; optional&#40;string&#41;&#10;  lifecycle_delete_age_days &#61; optional&#40;number&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |
 | [build_worker_pool](variables.tf#L32) | Build worker pool, in projects/<PROJECT-ID>/locations/<REGION>/workerPools/<POOL_NAME> format. | <code>string</code> |  | <code>null</code> |
 | [description](variables.tf#L47) | Optional description. | <code>string</code> |  | <code>&#34;Terraform managed.&#34;</code> |
@@ -292,14 +292,15 @@ module "cf-http" {
 | [function_config](variables.tf#L65) | Cloud function configuration. Defaults to using main as entrypoint, 1 instance with 256MiB of memory, and 180 second timeout. | <code title="object&#40;&#123;&#10;  entry_point     &#61; optional&#40;string, &#34;main&#34;&#41;&#10;  instance_count  &#61; optional&#40;number, 1&#41;&#10;  memory_mb       &#61; optional&#40;number, 256&#41; &#35; Memory in MB&#10;  cpu             &#61; optional&#40;string, &#34;0.166&#34;&#41;&#10;  runtime         &#61; optional&#40;string, &#34;python310&#34;&#41;&#10;  timeout_seconds &#61; optional&#40;number, 180&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code title="&#123;&#10;  entry_point     &#61; &#34;main&#34;&#10;  instance_count  &#61; 1&#10;  memory_mb       &#61; 256&#10;  cpu             &#61; &#34;0.166&#34;&#10;  runtime         &#61; &#34;python310&#34;&#10;  timeout_seconds &#61; 180&#10;&#125;">&#123;&#8230;&#125;</code> |
 | [iam](variables.tf#L85) | IAM bindings for topic in {ROLE => [MEMBERS]} format. | <code>map&#40;list&#40;string&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
 | [ingress_settings](variables.tf#L91) | Control traffic that reaches the cloud function. Allowed values are ALLOW_ALL, ALLOW_INTERNAL_AND_GCLB and ALLOW_INTERNAL_ONLY . | <code>string</code> |  | <code>null</code> |
-| [labels](variables.tf#L97) | Resource labels. | <code>map&#40;string&#41;</code> |  | <code>&#123;&#125;</code> |
-| [prefix](variables.tf#L108) | Optional prefix used for resource names. | <code>string</code> |  | <code>null</code> |
-| [secrets](variables.tf#L128) | Secret Manager secrets. Key is the variable name or mountpoint, volume versions are in version:path format. | <code title="map&#40;object&#40;&#123;&#10;  is_volume  &#61; bool&#10;  project_id &#61; number&#10;  secret     &#61; string&#10;  versions   &#61; list&#40;string&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
-| [service_account](variables.tf#L140) | Service account email. Unused if service account is auto-created. | <code>string</code> |  | <code>null</code> |
-| [service_account_create](variables.tf#L146) | Auto-create service account. | <code>bool</code> |  | <code>false</code> |
-| [trigger_config](variables.tf#L152) | Function trigger configuration. Leave null for HTTP trigger. | <code title="object&#40;&#123;&#10;  event_type   &#61; string&#10;  pubsub_topic &#61; optional&#40;string&#41;&#10;  region       &#61; optional&#40;string&#41;&#10;  event_filters &#61; optional&#40;list&#40;object&#40;&#123;&#10;    attribute &#61; string&#10;    value     &#61; string&#10;    operator  &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;, &#91;&#93;&#41;&#10;  service_account_email  &#61; optional&#40;string&#41;&#10;  service_account_create &#61; optional&#40;bool, false&#41;&#10;  retry_policy           &#61; optional&#40;string&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |
-| [vpc_connector](variables.tf#L170) | VPC connector configuration. Set create to 'true' if a new connector needs to be created. | <code title="object&#40;&#123;&#10;  create          &#61; bool&#10;  name            &#61; string&#10;  egress_settings &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |
-| [vpc_connector_config](variables.tf#L180) | VPC connector network configuration. Must be provided if new VPC connector is being created. | <code title="object&#40;&#123;&#10;  ip_cidr_range &#61; string&#10;  network       &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |
+| [kms_key](variables.tf#L97) | Resource name of a KMS crypto key (managed by the user) used to encrypt/decrypt function resources in key id format. If specified, you must also provide an artifact registry repository using the docker_repository_id field that was created with the same KMS crypto key. | <code>string</code> |  | <code>null</code> |
+| [labels](variables.tf#L103) | Resource labels. | <code>map&#40;string&#41;</code> |  | <code>&#123;&#125;</code> |
+| [prefix](variables.tf#L114) | Optional prefix used for resource names. | <code>string</code> |  | <code>null</code> |
+| [secrets](variables.tf#L134) | Secret Manager secrets. Key is the variable name or mountpoint, volume versions are in version:path format. | <code title="map&#40;object&#40;&#123;&#10;  is_volume  &#61; bool&#10;  project_id &#61; number&#10;  secret     &#61; string&#10;  versions   &#61; list&#40;string&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
+| [service_account](variables.tf#L146) | Service account email. Unused if service account is auto-created. | <code>string</code> |  | <code>null</code> |
+| [service_account_create](variables.tf#L152) | Auto-create service account. | <code>bool</code> |  | <code>false</code> |
+| [trigger_config](variables.tf#L158) | Function trigger configuration. Leave null for HTTP trigger. | <code title="object&#40;&#123;&#10;  event_type   &#61; string&#10;  pubsub_topic &#61; optional&#40;string&#41;&#10;  region       &#61; optional&#40;string&#41;&#10;  event_filters &#61; optional&#40;list&#40;object&#40;&#123;&#10;    attribute &#61; string&#10;    value     &#61; string&#10;    operator  &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;, &#91;&#93;&#41;&#10;  service_account_email  &#61; optional&#40;string&#41;&#10;  service_account_create &#61; optional&#40;bool, false&#41;&#10;  retry_policy           &#61; optional&#40;string&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |
+| [vpc_connector](variables.tf#L176) | VPC connector configuration. Set create to 'true' if a new connector needs to be created. | <code title="object&#40;&#123;&#10;  create          &#61; bool&#10;  name            &#61; string&#10;  egress_settings &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |
+| [vpc_connector_config](variables.tf#L186) | VPC connector network configuration. Must be provided if new VPC connector is being created. | <code title="object&#40;&#123;&#10;  ip_cidr_range &#61; string&#10;  network       &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |
 
 ## Outputs
 
diff --git a/modules/cloud-function-v2/main.tf b/modules/cloud-function-v2/main.tf
index c38f863950..24046eada2 100644
--- a/modules/cloud-function-v2/main.tf
+++ b/modules/cloud-function-v2/main.tf
@@ -59,11 +59,12 @@ resource "google_vpc_access_connector" "connector" {
 }
 
 resource "google_cloudfunctions2_function" "function" {
-  provider    = google-beta
-  project     = var.project_id
-  location    = var.region
-  name        = "${local.prefix}${var.name}"
-  description = var.description
+  provider     = google-beta
+  project      = var.project_id
+  location     = var.region
+  name         = "${local.prefix}${var.name}"
+  description  = var.description
+  kms_key_name = var.kms_key
   build_config {
     worker_pool           = var.build_worker_pool
     runtime               = var.function_config.runtime
diff --git a/modules/cloud-function-v2/variables.tf b/modules/cloud-function-v2/variables.tf
index af97650fc3..428ba8dba2 100644
--- a/modules/cloud-function-v2/variables.tf
+++ b/modules/cloud-function-v2/variables.tf
@@ -94,6 +94,12 @@ variable "ingress_settings" {
   default     = null
 }
 
+variable "kms_key" {
+  description = "Resource name of a KMS crypto key (managed by the user) used to encrypt/decrypt function resources in key id format. If specified, you must also provide an artifact registry repository using the docker_repository_id field that was created with the same KMS crypto key."
+  type        = string
+  default     = null
+}
+
 variable "labels" {
   description = "Resource labels."
   type        = map(string)

From c854057bef191748c6fd66329dc9392c2152405e Mon Sep 17 00:00:00 2001
From: Ludo <ludomagno@google.com>
Date: Tue, 14 May 2024 15:01:43 +0200
Subject: [PATCH 29/31] update changelog

---
 CHANGELOG.md | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 6c2177cdbc..8a34721182 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -32,6 +32,8 @@ All notable changes to this project will be documented in this file.
 
 ### FAST
 
+- [[#2267](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2267)] Fix 0-bootstrap iam_by_principals not taking into account all principals ([wiktorn](https://github.com/wiktorn)) <!-- 2024-05-12 19:02:04+00:00 -->
+- [[#2263](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2263)] Update docs - gcp-network-admins -> gcp-vpc-network-admins ([wiktorn](https://github.com/wiktorn)) <!-- 2024-05-10 08:04:25+00:00 -->
 - [[#2260](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2260)] Remove data source from folder module ([ludoo](https://github.com/ludoo)) <!-- 2024-05-09 13:09:54+00:00 -->
 - [[#2253](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2253)] Misc FAST fixes ([juliocc](https://github.com/juliocc)) <!-- 2024-05-02 06:56:26+00:00 -->
 - [[#2235](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2235)] Update FAST logging ([juliocc](https://github.com/juliocc)) <!-- 2024-04-25 06:31:52+00:00 -->
@@ -53,6 +55,13 @@ All notable changes to this project will be documented in this file.
 
 ### MODULES
 
+- [[#2270](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2270)] Cloud function CMEK key support ([luigi-bitonti](https://github.com/luigi-bitonti)) <!-- 2024-05-14 12:56:10+00:00 -->
+- [[#2272](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2272)] New Bindplane cloud-config-container setup ([simonebruzzechesse](https://github.com/simonebruzzechesse)) <!-- 2024-05-14 12:45:40+00:00 -->
+- [[#2269](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2269)] Implement the full IAM interface for tags ([ludoo](https://github.com/ludoo)) <!-- 2024-05-13 18:18:52+00:00 -->
+- [[#2268](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2268)] Add logging settings to folder module ([ludoo](https://github.com/ludoo)) <!-- 2024-05-13 07:24:17+00:00 -->
+- [[#2242](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2242)] CloudSQL PSC Endpoints support ([wiktorn](https://github.com/wiktorn)) <!-- 2024-05-12 10:00:40+00:00 -->
+- [[#2265](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2265)] Fix failing E2E net-vpc test ([wiktorn](https://github.com/wiktorn)) <!-- 2024-05-11 15:29:35+00:00 -->
+- [[#2264](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2264)] Fix bug from output typo in new project-factory module ([JanCVanB](https://github.com/JanCVanB)) <!-- 2024-05-10 22:19:36+00:00 -->
 - [[#2262](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2262)] Make Simple NVA route IAP traffic through NIC 0 ([juliocc](https://github.com/juliocc)) <!-- 2024-05-09 16:29:25+00:00 -->
 - [[#2261](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2261)] Add Hybrid NAT support ([juliocc](https://github.com/juliocc)) <!-- 2024-05-09 13:24:41+00:00 -->
 - [[#2260](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2260)] Remove data source from folder module ([ludoo](https://github.com/ludoo)) <!-- 2024-05-09 13:09:54+00:00 -->

From ff6f6bb32af76c73a9df4c68fb021bcd6bff8f95 Mon Sep 17 00:00:00 2001
From: apichick <mirene@google.com>
Date: Tue, 14 May 2024 16:53:38 +0200
Subject: [PATCH 30/31] Added apigee-x-foundations blueprint (#2274)

---
 blueprints/README.md                          |    2 +-
 blueprints/apigee/README.md                   |    8 +-
 .../apigee/apigee-x-foundations/README.md     |  481 +++
 .../apigee/apigee-x-foundations/apigee.tf     |   37 +
 .../apigee/apigee-x-foundations/diagram1.png  |  Bin 0 -> 37153 bytes
 .../apigee/apigee-x-foundations/diagram2.png  |  Bin 0 -> 52665 bytes
 .../apigee/apigee-x-foundations/diagram3.png  |  Bin 0 -> 33258 bytes
 .../apigee/apigee-x-foundations/diagram4.png  |  Bin 0 -> 33815 bytes
 .../apigee/apigee-x-foundations/diagram5.png  |  Bin 0 -> 30537 bytes
 blueprints/apigee/apigee-x-foundations/dns.tf |   56 +
 .../functions/instance-monitor/index.js       |  138 +
 .../instance-monitor/package-lock.json        | 3271 +++++++++++++++++
 .../functions/instance-monitor/package.json   |   20 +
 blueprints/apigee/apigee-x-foundations/kms.tf |   64 +
 .../apigee/apigee-x-foundations/main.tf       |  108 +
 .../apigee/apigee-x-foundations/monitoring.tf |   52 +
 .../apigee/apigee-x-foundations/northbound.tf |  248 ++
 .../apigee/apigee-x-foundations/outputs.tf    |   46 +
 .../apigee/apigee-x-foundations/variables.tf  |  360 ++
 modules/net-lb-app-int-cross-region/README.md |    2 +-
 20 files changed, 4890 insertions(+), 3 deletions(-)
 create mode 100644 blueprints/apigee/apigee-x-foundations/README.md
 create mode 100644 blueprints/apigee/apigee-x-foundations/apigee.tf
 create mode 100644 blueprints/apigee/apigee-x-foundations/diagram1.png
 create mode 100644 blueprints/apigee/apigee-x-foundations/diagram2.png
 create mode 100644 blueprints/apigee/apigee-x-foundations/diagram3.png
 create mode 100644 blueprints/apigee/apigee-x-foundations/diagram4.png
 create mode 100644 blueprints/apigee/apigee-x-foundations/diagram5.png
 create mode 100644 blueprints/apigee/apigee-x-foundations/dns.tf
 create mode 100644 blueprints/apigee/apigee-x-foundations/functions/instance-monitor/index.js
 create mode 100644 blueprints/apigee/apigee-x-foundations/functions/instance-monitor/package-lock.json
 create mode 100644 blueprints/apigee/apigee-x-foundations/functions/instance-monitor/package.json
 create mode 100644 blueprints/apigee/apigee-x-foundations/kms.tf
 create mode 100644 blueprints/apigee/apigee-x-foundations/main.tf
 create mode 100644 blueprints/apigee/apigee-x-foundations/monitoring.tf
 create mode 100644 blueprints/apigee/apigee-x-foundations/northbound.tf
 create mode 100644 blueprints/apigee/apigee-x-foundations/outputs.tf
 create mode 100644 blueprints/apigee/apigee-x-foundations/variables.tf

diff --git a/blueprints/README.md b/blueprints/README.md
index ea91caa78b..3fbe689817 100644
--- a/blueprints/README.md
+++ b/blueprints/README.md
@@ -4,7 +4,7 @@ This section provides **[networking blueprints](./networking/)** that implement
 
 Currently available blueprints:
 
-- **apigee** - [Apigee Hybrid on GKE](./apigee/hybrid-gke/), [Apigee X analytics in BigQuery](./apigee/bigquery-analytics), [Apigee network patterns](./apigee/network-patterns/)
+- **apigee** - [Apigee X foundations](./apigee/apigee-x-foundations/). [Apigee Hybrid on GKE](./apigee/hybrid-gke/), [Apigee X analytics in BigQuery](./apigee/bigquery-analytics), [Apigee network patterns](./apigee/network-patterns/)
 - **cloud operations** - [Active Directory Federation Services](./cloud-operations/adfs), [Cloud Asset Inventory feeds for resource change tracking and remediation](./cloud-operations/asset-inventory-feed-remediation), [Fine-grained Cloud DNS IAM via Service Directory](./cloud-operations/dns-fine-grained-iam), [Cloud DNS & Shared VPC design](./cloud-operations/dns-shared-vpc), [Delegated Role Grants](./cloud-operations/iam-delegated-role-grants), [Network Quota Monitoring](./cloud-operations/network-quota-monitoring), [Managing on-prem service account keys by uploading public keys](./cloud-operations/onprem-sa-key-management), [Compute Image builder with Hashicorp Packer](./cloud-operations/packer-image-builder), [Packer example](./cloud-operations/packer-image-builder/packer), [Compute Engine quota monitoring](./cloud-operations/compute-quota-monitoring), [Scheduled Cloud Asset Inventory Export to Bigquery](./cloud-operations/scheduled-asset-inventory-export-bq), [Configuring workload identity federation with Terraform Cloud/Enterprise workflows](./cloud-operations/terraform-cloud-dynamic-credentials), [TCP healthcheck and restart for unmanaged GCE instances](./cloud-operations/unmanaged-instances-healthcheck), [Migrate for Compute Engine (v5) blueprints](./cloud-operations/vm-migration), [Configuring workload identity federation to access Google Cloud resources from apps running on Azure](./cloud-operations/workload-identity-federation)
 - **data solutions** - [GCE and GCS CMEK via centralized Cloud KMS](./data-solutions/cmek-via-centralized-kms), [Cloud Composer version 2 private instance, supporting Shared VPC and external CMEK key](./data-solutions/composer-2), [Cloud SQL instance with multi-region read replicas](./data-solutions/cloudsql-multiregion), [Data Platform](./data-solutions/data-platform-foundations), [Minimal Data Platform](./data-solutions/data-platform-minimal), [Spinning up a foundation data pipeline on Google Cloud using Cloud Storage, Dataflow and BigQuery](./data-solutions/gcs-to-bq-with-least-privileges), [#SQL Server Always On Groups blueprint](./data-solutions/sqlserver-alwayson), [Data Playground](./data-solutions/data-playground), [MLOps with Vertex AI](./data-solutions/vertex-mlops), [Shielded Folder](./data-solutions/shielded-folder), [BigQuery ML and Vertex AI Pipeline](./data-solutions/bq-ml)
 - **factories** - [Fabric resource factories](./factories)
diff --git a/blueprints/apigee/README.md b/blueprints/apigee/README.md
index 5f77147df3..6d0a9f5203 100644
--- a/blueprints/apigee/README.md
+++ b/blueprints/apigee/README.md
@@ -4,9 +4,15 @@ The blueprints in this folder contain a variety of deployment scenarios for Apig
 
 ## Blueprints
 
+### Apigee X foundations
+
+<a href="./apigee-x-foundations/" title="Apigee X foundations"><img src="./apigee-x-foundations/diagram1.png" align="left" width="280px"></a> This [blueprint](./apigee-x-foundations/) creates all the resources necessary to set up Apigee X on Google Cloud.
+
+<br clear="left">
+
 ### Apigee Hybrid on GKE
 
-<a href="./hybrid-gke/" title="Apigee Hybrid on GKE"><img src="./hybrid-gke/diagram.png" align="left" width="280px"></a> This [blueprint](./hybrid-gke/) shows how to do a non-prod deployment of Apigee Hybrid on GKE(../factories/net-vpc-firewall-yaml/).
+<a href="./hybrid-gke/" title="Apigee Hybrid on GKE"><img src="./hybrid-gke/diagram.png" align="left" width="280px"></a> This [blueprint](./hybrid-gke/) shows how to do a non-prod deployment of Apigee Hybrid on GKE.
 
 <br clear="left">
 
diff --git a/blueprints/apigee/apigee-x-foundations/README.md b/blueprints/apigee/apigee-x-foundations/README.md
new file mode 100644
index 0000000000..3c336b8ed5
--- /dev/null
+++ b/blueprints/apigee/apigee-x-foundations/README.md
@@ -0,0 +1,481 @@
+# Apigee X Foundations
+
+This  blueprint creates all the resources necessary to set up Apigee X on Google Cloud.
+
+Apigee can be exposed to clients using Regional Internal Application Load Balancer, Global External Application Load Balancer or both. When using the Regional Internal Application Load Balancer, used self-managed certificates (incuding self-signed certificates generated in this same module). When using the Global External Application Load Balancer Google-managed certificates or self-managed certificates (including self-signed certificates generated in this same module). When using Cross-region Internal Application Load Balancer a certificate manager needs to be used and it needs to be created in the same project as Apigee.
+
+Find below a few examples of different Apigee architectures that can be created using this module.
+
+## Examples
+
+* [Examples](#examples)
+  * [Apigee X in service project with shared VPC peered and exposed with Global External Application LB and Regional Internal Application LB](#apigee-x-in-service-project-with-shared-vpc-peered-and-exposed-with-global-external-application-lb-and-regional-internal-application-lb)
+  * [Apigee X in service project with local VPC peered and exposed using Global LB and Internal Cross-region Application LB](#apigee-x-in-service-project-with-local-vpc-peered-and-exposed-using-global-lb-and-internal-cross-region-application-lb)
+  * [Apigee X in service project with peering disabled and exposed using Global LB](#apigee-x-in-service-project-with-peering-disabled-and-exposed-using-global-lb)
+  * [Apigee X in standalone project with peering enabled and exposed with Regional Internal LB](#apigee-x-in-standalone-project-with-peering-enabled-and-exposed-with-regional-internal-lb)
+  * [Apigee X in standalone project with peering disabled and exposed using Global External Application LB](#apigee-x-in-standalone-project-with-peering-disabled-and-exposed-using-global-external-application-lb)
+* [Variables](#files)
+* [Variables](#variables)
+* [Outputs](#outputs)
+
+### Apigee X in service project with shared VPC peered and exposed with Global External Application LB and Regional Internal Application LB
+
+![Diagram](./diagram1.png)
+
+```hcl
+module "apigee-x-foundations" {
+  source = "./fabric/blueprints/apigee/apigee-x-foundations"
+  project_config = {
+    billing_account_id = var.billing_account_id
+    parent             = var.folder_id
+    name               = var.project_id
+    iam = {
+      "roles/apigee.admin" = ["group:apigee-admins@myorg.com"]
+    }
+    shared_vpc_service_config = {
+      host_project = "my-host-project"
+    }
+  }
+  apigee_config = {
+    addons_config = {
+      api_security = true
+    }
+    organization = {
+      analytics_region = "europe-west1"
+    }
+    envgroups = {
+      apis = [
+        "apis.external.myorg.com",
+        "apis.internal.myorg.com"
+      ]
+    }
+    environments = {
+      apis = {
+        envgroups = ["apis"]
+      }
+    }
+    instances = {
+      europe-west1 = {
+        external                      = true
+        runtime_ip_cidr_range         = "10.0.0.0/22"
+        troubleshooting_ip_cidr_range = "192.168.0.0/18"
+        environments                  = ["apis"]
+      }
+    }
+    endpoint_attachments = {
+      endpoint-backend-ew1 = {
+        region             = "europe-west1"
+        service_attachment = "projects/a58971796302e0142p-tp/regions/europe-west4/serviceAttachments/my-service-attachment-ew1"
+      }
+    }
+  }
+  network_config = {
+    shared_vpc = {
+      name = "my-shared-vpc"
+      subnets = {
+        europe-west1 = "projects/my-host-project/regions/europe-west4/subnetworks/my-subnet-ew1"
+      }
+      subnets_psc = {
+        europe-west1 = "projects/my-host-project/regions/europe-west4/subnetworks/my-subnet-psc-ew1"
+      }
+    }
+  }
+  ext_lb_config = {
+    ssl_certificates = {
+      create_configs = {
+        default = {
+          certificate = "PEM-Encoded certificate string"
+          private_key = "PEM-Encoded private key string"
+        }
+      }
+    }
+  }
+  int_lb_config = {
+    ssl_certificates = {
+      create_configs = {
+        default = {
+          certificate = "PEM-Encoded certificate string"
+          private_key = "PEM-Encoded private key string"
+        }
+      }
+    }
+  }
+}
+# tftest modules=7 resources=42
+```
+
+### Apigee X in service project with local VPC peered and exposed using Global LB and Internal Cross-region Application LB
+
+![Diagram](./diagram2.png)
+
+```hcl
+module "apigee-x-foundations" {
+  source = "./fabric/blueprints/apigee/apigee-x-foundations"
+  project_config = {
+    billing_account_id = "1234-5678-0000"
+    parent             = "folders/123456789"
+    name               = "my-project"
+    iam = {
+      "roles/apigee.admin" = ["group:apigee-admins@myorg.com"]
+    }
+    shared_vpc_service_config = {
+      host_project = "my-host-project"
+    }
+  }
+  apigee_config = {
+    addons_config = {
+      api_security = true
+    }
+    organization = {
+      analytics_region = "europe-west1"
+      billing_type     = "PAYG"
+    }
+    envgroups = {
+      apis = [
+        "apis.external.myorg.com",
+        "apis.internal.myorg.com"
+      ]
+    }
+    environments = {
+      apis = {
+        envgroups = ["apis"]
+        type      = "COMPREHENSIVE"
+      }
+    }
+    instances = {
+      europe-west1 = {
+        runtime_ip_cidr_range         = "10.0.0.0/22"
+        troubleshooting_ip_cidr_range = "192.168.0.0/28"
+        environments                  = ["apis"]
+      }
+      europe-west4 = {
+        runtime_ip_cidr_range         = "10.0.4.0/22"
+        troubleshooting_ip_cidr_range = "192.168.0.16/28"
+        environments                  = ["apis"]
+      }
+    }
+    endpoint_attachments = {
+      endpoint-backend-ew1 = {
+        region             = "europe-west1"
+        service_attachment = "projects/a58971796302e0142p-tp/regions/europe-west1/serviceAttachments/my-service-attachment-ew1"
+        dns_names = [
+          "backend.myorg.com"
+        ]
+      }
+      endpoint-backend-ew4 = {
+        region             = "europe-west1"
+        service_attachment = "projects/a58971796302e0142p-tp/regions/europe-west4/serviceAttachments/my-service-attachment-ew4"
+        dns_names = [
+          "backend.myorg.com"
+        ]
+      }
+    }
+  }
+  network_config = {
+    shared_vpc = {
+      name = "my-shared-vpc"
+      subnets = {
+        europe-west1 = "projects/my-host-project/regions/europe-west4/subnetworks/my-subnet-eu1"
+        europe-west4 = "projects/my-host-project/regions/europe-west4/subnetworks/my-subnet-eu4"
+      }
+      subnets_psc = {
+        europe-west1 = "projects/my-host-project/regions/europe-west4/subnetworks/my-subnet-psc-eu1"
+        europe-west4 = "projects/my-host-project/regions/europe-west4/subnetworks/my-subnet-psc-eu4"
+      }
+    }
+    apigee_vpc = {
+      auto_create = true
+    }
+  }
+  ext_lb_config = {
+    ssl_certificates = {
+      create_configs = {
+        default = {
+          certificate = "PEM-Encoded certificate string"
+          private_key = "PEM-Encoded private key string"
+        }
+      }
+    }
+  }
+  int_cross_region_lb_config = {
+    certificate_manager_certificates = [
+      "projects/myprj/locations/global/certificates/certificate"
+    ]
+  }
+}
+# tftest modules=10 resources=62
+```
+
+### Apigee X in service project with peering disabled and exposed using Global LB
+
+![Diagram](./diagram3.png)
+
+```hcl
+module "apigee-x-foundations" {
+  source = "./fabric/blueprints/apigee/apigee-x-foundations"
+  project_config = {
+    billing_account_id = "1234-5678-0000"
+    parent             = "folders/123456789"
+    name               = "my-project"
+    iam = {
+      "roles/apigee.admin" = ["group:apigee-admins@myorg.com"]
+    }
+    shared_vpc_service_config = {
+      host_project = "my-host-project"
+    }
+  }
+  apigee_config = {
+    addons_config = {
+      api_security = true
+    }
+    organization = {
+      analytics_region    = "europe-west1"
+      disable_vpc_peering = true
+    }
+    envgroups = {
+      apis = [
+        "apis.external.myorg.com"
+      ]
+    }
+    environments = {
+      apis = {
+        envgroups = ["apis"]
+      }
+    }
+    instances = {
+      europe-west1 = {
+        runtime_ip_cidr_range         = "10.0.0.0/22"
+        troubleshooting_ip_cidr_range = "192.168.0.0/18"
+        environments                  = ["apis"]
+      }
+    }
+    endpoint_attachments = {
+      endpoint-backend-ew1 = {
+        region             = "europe-west1"
+        service_attachment = "projects/a58971796302e0142p-tp/regions/europe-west4/serviceAttachments/my-service-attachment-ew1"
+      }
+    }
+    disable_vpc_peering = true
+  }
+  network_config = {
+    shared_vpc = {
+      name = "my-shared-vpc"
+      subnets = {
+        europe-west1 = "projects/my-host-project/regions/europe-west4/subnetworks/my-subnet-ew1"
+      }
+      subnets_psc = {
+        europe-west1 = "projects/my-host-project/regions/europe-west4/subnetworks/my-subnet-psc-ew1"
+      }
+    }
+  }
+  ext_lb_config = {
+    ssl_certificates = {
+      create_configs = {
+        default = {
+          certificate = "PEM-Encoded certificate string"
+          private_key = "PEM-Encoded private key string"
+        }
+      }
+    }
+  }
+}
+# tftest modules=6 resources=36
+```
+
+### Apigee X in standalone project with peering enabled and exposed with Regional Internal LB
+
+![Diagram](./diagram4.png)
+
+```hcl
+module "apigee-x-foundations" {
+  source = "./fabric/blueprints/apigee/apigee-x-foundations"
+  project_config = {
+    billing_account_id = "1234-5678-0000"
+    parent             = "folders/123456789"
+    name               = "my-project"
+    iam = {
+      "roles/apigee.admin" = ["group:apigee-admins@myorg.com"]
+    }
+  }
+  apigee_config = {
+    addons_config = {
+      api_security = true
+    }
+    organization = {
+      analytics_region = "europe-west1"
+    }
+    envgroups = {
+      apis = [
+        "apis.internal.myorg.com"
+      ]
+    }
+    environments = {
+      apis = {
+        envgroups = ["apis"]
+      }
+    }
+    instances = {
+      europe-west1 = {
+        runtime_ip_cidr_range         = "172.16.0.0/22"
+        troubleshooting_ip_cidr_range = "192.168.0.0/18"
+        environments                  = ["apis"]
+      }
+    }
+    endpoint_attachments = {
+      endpoint-backend-ew1 = {
+        region             = "europe-west1"
+        service_attachment = "projects/a58971796302e0142p-tp/regions/europe-west4/serviceAttachments/my-service-attachment-ew1"
+        dns_names = [
+          "backend.myorg.com"
+        ]
+      }
+    }
+  }
+  network_config = {
+    apigee_vpc = {
+      subnets = {
+        europe-west1 = {
+          ip_cidr_range = "10.0.0.0/29"
+        }
+      }
+      subnets_proxy_only = {
+        europe-west1 = {
+          ip_cidr_range = "10.1.0.0/26"
+        }
+      }
+      subnets_psc = {
+        europe-west1 = {
+          ip_cidr_range = "10.0.1.0/29"
+        }
+      }
+    }
+  }
+  int_lb_config = {
+    ssl_certificates = {
+      create_configs = {
+        default = {
+          certificate = "PEM-Encoded certificate string"
+          private_key = "PEM-Encoded private key string"
+        }
+      }
+    }
+  }
+}
+# tftest modules=8 resources=48
+```
+
+### Apigee X in standalone project with peering disabled and exposed using Global External Application LB
+
+![Diagram](./diagram5.png)
+
+```hcl
+module "apigee-x-foundations" {
+  source = "./fabric/blueprints/apigee/apigee-x-foundations"
+  project_config = {
+    billing_account_id = "1234-5678-0000"
+    parent             = "folders/123456789"
+    name               = "my-project"
+    iam = {
+      "roles/apigee.admin" = ["group:apigee-admins@myorg.com"]
+    }
+  }
+  apigee_config = {
+    addons_config = {
+      api_security = true
+    }
+    organization = {
+      analytics_region    = "europe-west1"
+      disable_vpc_peering = true
+    }
+    envgroups = {
+      apis = [
+        "apis.external.myorg.com",
+        "apis.internal.myorg.com"
+      ]
+    }
+    environments = {
+      apis = {
+        envgroups = ["apis"]
+      }
+    }
+    instances = {
+      europe-west1 = {
+        environments = ["apis"]
+      }
+    }
+    endpoint_attachments = {
+      endpoint-backend-ew1 = {
+        region             = "europe-west1"
+        service_attachment = "projects/a58971796302e0142p-tp/regions/europe-west4/serviceAttachments/my-service-attachment-ew1"
+      }
+    }
+    disable_vpc_peering = true
+  }
+  network_config = {
+    apigee_vpc = {
+      auto_create = true
+      subnets = {
+        europe-west1 = {
+          ip_cidr_range = "10.0.0.0/29"
+        }
+      }
+      subnets_psc = {
+        europe-west1 = {
+          ip_cidr_range = "10.0.1.0/29"
+        }
+      }
+    }
+  }
+  ext_lb_config = {
+    ssl_certificates = {
+      create_configs = {
+        default = {
+          certificate = "PEM-Encoded certificate string"
+          private_key = "PEM-Encoded private key string"
+        }
+      }
+    }
+  }
+  enable_monitoring = true
+}
+# tftest modules=8 resources=55
+```
+
+<!-- TFDOC OPTS files:1 show_extra:1 -->
+<!-- BEGIN TFDOC -->
+## Files
+
+| name | description | modules | resources |
+|---|---|---|---|
+| [apigee.tf](./apigee.tf) | None | <code>apigee</code> |  |
+| [dns.tf](./dns.tf) | None |  |  |
+| [kms.tf](./kms.tf) | None | <code>kms</code> | <code>random_id</code> |
+| [main.tf](./main.tf) | Module-level locals and resources. | <code>net-vpc</code> · <code>project</code> |  |
+| [monitoring.tf](./monitoring.tf) | None | <code>cloud-function-v2</code> |  |
+| [northbound.tf](./northbound.tf) | None | <code>net-lb-app-ext</code> · <code>net-lb-app-int</code> · <code>net-lb-app-int-cross-region</code> | <code>google_compute_region_network_endpoint_group</code> · <code>google_compute_security_policy</code> |
+| [outputs.tf](./outputs.tf) | Module outputs. |  |  |
+| [variables.tf](./variables.tf) | Module variables. |  |  |
+
+## Variables
+
+| name | description | type | required | default | producer |
+|---|---|:---:|:---:|:---:|:---:|
+| [apigee_config](variables.tf#L17) | Apigee configuration. | <code title="object&#40;&#123;&#10;  addons_config &#61; optional&#40;object&#40;&#123;&#10;    advanced_api_ops    &#61; optional&#40;bool, false&#41;&#10;    api_security        &#61; optional&#40;bool, false&#41;&#10;    connectors_platform &#61; optional&#40;bool, false&#41;&#10;    integration         &#61; optional&#40;bool, false&#41;&#10;    monetization        &#61; optional&#40;bool, false&#41;&#10;  &#125;&#41;&#41;&#10;  organization &#61; object&#40;&#123;&#10;    display_name            &#61; optional&#40;string&#41;&#10;    description             &#61; optional&#40;string, &#34;Terraform-managed&#34;&#41;&#10;    billing_type            &#61; optional&#40;string&#41;&#10;    database_encryption_key &#61; optional&#40;string&#41;&#10;    analytics_region        &#61; optional&#40;string, &#34;europe-west1&#34;&#41;&#10;    retention               &#61; optional&#40;string&#41;&#10;    disable_vpc_peering     &#61; optional&#40;bool, false&#41;&#10;  &#125;&#41;&#10;  envgroups &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;  environments &#61; optional&#40;map&#40;object&#40;&#123;&#10;    description  &#61; optional&#40;string&#41;&#10;    display_name &#61; optional&#40;string&#41;&#10;    envgroups    &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10;    iam          &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;    iam_bindings &#61; optional&#40;map&#40;object&#40;&#123;&#10;      role    &#61; string&#10;      members &#61; list&#40;string&#41;&#10;      condition &#61; optional&#40;object&#40;&#123;&#10;        expression  &#61; string&#10;        title       &#61; string&#10;        description &#61; optional&#40;string&#41;&#10;      &#125;&#41;&#41;&#10;    &#125;&#41;&#41;, &#123;&#125;&#41;&#10;    iam_bindings_additive &#61; optional&#40;map&#40;object&#40;&#123;&#10;      role   &#61; string&#10;      member &#61; string&#10;      condition &#61; optional&#40;object&#40;&#123;&#10;        expression  &#61; string&#10;        title       &#61; string&#10;        description &#61; optional&#40;string&#41;&#10;      &#125;&#41;&#41;&#10;    &#125;&#41;&#41;, &#123;&#125;&#41;&#10;    node_config &#61; optional&#40;object&#40;&#123;&#10;      min_node_count &#61; optional&#40;number&#41;&#10;      max_node_count &#61; optional&#40;number&#41;&#10;    &#125;&#41;, &#123;&#125;&#41;&#10;    type &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;, &#123;&#125;&#41;&#10;  instances &#61; optional&#40;map&#40;object&#40;&#123;&#10;    disk_encryption_key           &#61; optional&#40;string&#41;&#10;    environments                  &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10;    external                      &#61; optional&#40;bool, true&#41;&#10;    runtime_ip_cidr_range         &#61; optional&#40;string&#41;&#10;    troubleshooting_ip_cidr_range &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;, &#123;&#125;&#41;&#10;  endpoint_attachments &#61; optional&#40;map&#40;object&#40;&#123;&#10;    region             &#61; string&#10;    service_attachment &#61; string&#10;    dns_names          &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10;  &#125;&#41;&#41;, &#123;&#125;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | ✓ |  |  |
+| [project_config](variables.tf#L271) | Project configuration. | <code title="object&#40;&#123;&#10;  billing_account_id      &#61; optional&#40;string&#41;&#10;  compute_metadata        &#61; optional&#40;map&#40;string&#41;, &#123;&#125;&#41;&#10;  contacts                &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;  custom_roles            &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;  default_service_account &#61; optional&#40;string, &#34;keep&#34;&#41;&#10;  descriptive_name        &#61; optional&#40;string&#41;&#10;  iam                     &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;  group_iam               &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;  iam_bindings &#61; optional&#40;map&#40;object&#40;&#123;&#10;    role    &#61; string&#10;    members &#61; list&#40;string&#41;&#10;    condition &#61; optional&#40;object&#40;&#123;&#10;      expression  &#61; string&#10;      title       &#61; string&#10;      description &#61; optional&#40;string&#41;&#10;    &#125;&#41;&#41;&#10;  &#125;&#41;&#41;, &#123;&#125;&#41;&#10;  iam_bindings_additive &#61; optional&#40;map&#40;object&#40;&#123;&#10;    role   &#61; string&#10;    member &#61; string&#10;    condition &#61; optional&#40;object&#40;&#123;&#10;      expression  &#61; string&#10;      title       &#61; string&#10;      description &#61; optional&#40;string&#41;&#10;    &#125;&#41;&#41;&#10;  &#125;&#41;&#41;, &#123;&#125;&#41;&#10;  labels              &#61; optional&#40;map&#40;string&#41;, &#123;&#125;&#41;&#10;  lien_reason         &#61; optional&#40;string&#41;&#10;  logging_data_access &#61; optional&#40;map&#40;map&#40;list&#40;string&#41;&#41;&#41;, &#123;&#125;&#41;&#10;  log_exclusions      &#61; optional&#40;map&#40;string&#41;, &#123;&#125;&#41;&#10;  logging_sinks &#61; optional&#40;map&#40;object&#40;&#123;&#10;    bq_partitioned_table &#61; optional&#40;bool&#41;&#10;    description          &#61; optional&#40;string&#41;&#10;    destination          &#61; string&#10;    disabled             &#61; optional&#40;bool, false&#41;&#10;    exclusions           &#61; optional&#40;map&#40;string&#41;, &#123;&#125;&#41;&#10;    filter               &#61; string&#10;    iam                  &#61; optional&#40;bool, true&#41;&#10;    type                 &#61; string&#10;    unique_writer        &#61; optional&#40;bool, true&#41;&#10;  &#125;&#41;&#41;, &#123;&#125;&#41;&#10;  metric_scopes &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10;  name          &#61; string&#10;  org_policies &#61; optional&#40;map&#40;object&#40;&#123;&#10;    inherit_from_parent &#61; optional&#40;bool&#41; &#35; for list policies only.&#10;    reset               &#61; optional&#40;bool&#41;&#10;    rules &#61; optional&#40;list&#40;object&#40;&#123;&#10;      allow &#61; optional&#40;object&#40;&#123;&#10;        all    &#61; optional&#40;bool&#41;&#10;        values &#61; optional&#40;list&#40;string&#41;&#41;&#10;      &#125;&#41;&#41;&#10;      deny &#61; optional&#40;object&#40;&#123;&#10;        all    &#61; optional&#40;bool&#41;&#10;        values &#61; optional&#40;list&#40;string&#41;&#41;&#10;      &#125;&#41;&#41;&#10;      enforce &#61; optional&#40;bool&#41; &#35; for boolean policies only.&#10;      condition &#61; optional&#40;object&#40;&#123;&#10;        description &#61; optional&#40;string&#41;&#10;        expression  &#61; optional&#40;string&#41;&#10;        location    &#61; optional&#40;string&#41;&#10;        title       &#61; optional&#40;string&#41;&#10;      &#125;&#41;, &#123;&#125;&#41;&#10;    &#125;&#41;&#41;, &#91;&#93;&#41;&#10;  &#125;&#41;&#41;, &#123;&#125;&#41;&#10;  parent         &#61; optional&#40;string&#41;&#10;  prefix         &#61; optional&#40;string&#41;&#10;  project_create &#61; optional&#40;bool, true&#41;&#10;  vpc_sc &#61; optional&#40;object&#40;&#123;&#10;    perimeter_name    &#61; string&#10;    perimeter_bridges &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10;    is_dry_run        &#61; optional&#40;bool, false&#41;&#10;  &#125;&#41;&#41;&#10;  services &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10;  shared_vpc_host_config &#61; optional&#40;object&#40;&#123;&#10;    enabled          &#61; bool&#10;    service_projects &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10;  &#125;&#41;&#41;&#10;  shared_vpc_service_config &#61; optional&#40;object&#40;&#123;&#10;    host_project         &#61; string&#10;    service_identity_iam &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;    service_iam_grants   &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10;  &#125;&#41;&#41;&#10;  skip_delete  &#61; optional&#40;bool, false&#41;&#10;  tag_bindings &#61; optional&#40;map&#40;string&#41;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | ✓ |  |  |
+| [enable_monitoring](variables.tf#L87) | Boolean flag indicating whether an custom metric to monitor instances should be created in Cloud monitoring. | <code>bool</code> |  | <code>false</code> |  |
+| [ext_lb_config](variables.tf#L93) | External application load balancer configuration. | <code title="object&#40;&#123;&#10;  log_sample_rate &#61; optional&#40;number&#41;&#10;  outlier_detection &#61; optional&#40;object&#40;&#123;&#10;    consecutive_errors                    &#61; optional&#40;number&#41;&#10;    consecutive_gateway_failure           &#61; optional&#40;number&#41;&#10;    enforcing_consecutive_errors          &#61; optional&#40;number&#41;&#10;    enforcing_consecutive_gateway_failure &#61; optional&#40;number&#41;&#10;    enforcing_success_rate                &#61; optional&#40;number&#41;&#10;    max_ejection_percent                  &#61; optional&#40;number&#41;&#10;    success_rate_minimum_hosts            &#61; optional&#40;number&#41;&#10;    success_rate_request_volume           &#61; optional&#40;number&#41;&#10;    success_rate_stdev_factor             &#61; optional&#40;number&#41;&#10;    base_ejection_time &#61; optional&#40;object&#40;&#123;&#10;      seconds &#61; number&#10;      nanos   &#61; optional&#40;number&#41;&#10;    &#125;&#41;&#41;&#10;    interval &#61; optional&#40;object&#40;&#123;&#10;      seconds &#61; number&#10;      nanos   &#61; optional&#40;number&#41;&#10;    &#125;&#41;&#41;&#10;  &#125;&#41;&#41;&#10;  security_policy &#61; optional&#40;object&#40;&#123;&#10;    advanced_options_config &#61; optional&#40;object&#40;&#123;&#10;      json_parsing &#61; optional&#40;object&#40;&#123;&#10;        enable        &#61; optional&#40;bool, false&#41;&#10;        content_types &#61; optional&#40;list&#40;string&#41;&#41;&#10;      &#125;&#41;&#41;&#10;      log_level &#61; optional&#40;string&#41;&#10;    &#125;&#41;&#41;&#10;    adaptive_protection_config &#61; optional&#40;object&#40;&#123;&#10;      layer_7_ddos_defense_config &#61; optional&#40;object&#40;&#123;&#10;        enable          &#61; optional&#40;bool, false&#41;&#10;        rule_visibility &#61; optional&#40;string&#41;&#10;      &#125;&#41;&#41;&#10;      auto_deploy_config &#61; optional&#40;object&#40;&#123;&#10;        load_threshold              &#61; optional&#40;number&#41;&#10;        confidence_threshold        &#61; optional&#40;number&#41;&#10;        impacted_baseline_threshold &#61; optional&#40;number&#41;&#10;        expiration_sec              &#61; optional&#40;number&#41;&#10;      &#125;&#41;&#41;&#10;    &#125;&#41;&#41;&#10;    rate_limit_threshold &#61; optional&#40;object&#40;&#123;&#10;      count        &#61; number&#10;      interval_sec &#61; number&#10;    &#125;&#41;&#41;&#10;    forbidden_src_ip_ranges &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10;    forbidden_regions       &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10;    preconfigured_waf_rules &#61; optional&#40;map&#40;object&#40;&#123;&#10;      sensitivity      &#61; optional&#40;number&#41;&#10;      opt_in_rule_ids  &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10;      opt_out_rule_ids &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10;    &#125;&#41;&#41;&#41;&#10;  &#125;&#41;&#41;&#10;  ssl_certificates &#61; object&#40;&#123;&#10;    certificate_ids &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10;    create_configs &#61; optional&#40;map&#40;object&#40;&#123;&#10;      certificate &#61; string&#10;      private_key &#61; string&#10;    &#125;&#41;&#41;, &#123;&#125;&#41;&#10;    managed_configs &#61; optional&#40;map&#40;object&#40;&#123;&#10;      domains     &#61; list&#40;string&#41;&#10;      description &#61; optional&#40;string&#41;&#10;    &#125;&#41;&#41;, &#123;&#125;&#41;&#10;    self_signed_configs &#61; optional&#40;list&#40;string&#41;, null&#41;&#10;  &#125;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |  |
+| [int_cross_region_lb_config](variables.tf#L164) | Internal application load balancer configuration. | <code title="object&#40;&#123;&#10;  log_sample_rate &#61; optional&#40;number&#41;&#10;  outlier_detection &#61; optional&#40;object&#40;&#123;&#10;    consecutive_errors                    &#61; optional&#40;number&#41;&#10;    consecutive_gateway_failure           &#61; optional&#40;number&#41;&#10;    enforcing_consecutive_errors          &#61; optional&#40;number&#41;&#10;    enforcing_consecutive_gateway_failure &#61; optional&#40;number&#41;&#10;    enforcing_success_rate                &#61; optional&#40;number&#41;&#10;    max_ejection_percent                  &#61; optional&#40;number&#41;&#10;    success_rate_minimum_hosts            &#61; optional&#40;number&#41;&#10;    success_rate_request_volume           &#61; optional&#40;number&#41;&#10;    success_rate_stdev_factor             &#61; optional&#40;number&#41;&#10;    base_ejection_time &#61; optional&#40;object&#40;&#123;&#10;      seconds &#61; number&#10;      nanos   &#61; optional&#40;number&#41;&#10;    &#125;&#41;&#41;&#10;    interval &#61; optional&#40;object&#40;&#123;&#10;      seconds &#61; number&#10;      nanos   &#61; optional&#40;number&#41;&#10;    &#125;&#41;&#41;&#10;  &#125;&#41;&#41;&#10;  certificate_manager_certificates &#61; optional&#40;list&#40;string&#41;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |  |
+| [int_lb_config](variables.tf#L192) | Internal application load balancer configuration. | <code title="object&#40;&#123;&#10;  log_sample_rate &#61; optional&#40;number&#41;&#10;  outlier_detection &#61; optional&#40;object&#40;&#123;&#10;    consecutive_errors                    &#61; optional&#40;number&#41;&#10;    consecutive_gateway_failure           &#61; optional&#40;number&#41;&#10;    enforcing_consecutive_errors          &#61; optional&#40;number&#41;&#10;    enforcing_consecutive_gateway_failure &#61; optional&#40;number&#41;&#10;    enforcing_success_rate                &#61; optional&#40;number&#41;&#10;    max_ejection_percent                  &#61; optional&#40;number&#41;&#10;    success_rate_minimum_hosts            &#61; optional&#40;number&#41;&#10;    success_rate_request_volume           &#61; optional&#40;number&#41;&#10;    success_rate_stdev_factor             &#61; optional&#40;number&#41;&#10;    base_ejection_time &#61; optional&#40;object&#40;&#123;&#10;      seconds &#61; number&#10;      nanos   &#61; optional&#40;number&#41;&#10;    &#125;&#41;&#41;&#10;    interval &#61; optional&#40;object&#40;&#123;&#10;      seconds &#61; number&#10;      nanos   &#61; optional&#40;number&#41;&#10;    &#125;&#41;&#41;&#10;  &#125;&#41;&#41;&#10;  ssl_certificates &#61; object&#40;&#123;&#10;    certificate_ids &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10;    create_configs &#61; optional&#40;map&#40;object&#40;&#123;&#10;      certificate &#61; string&#10;      private_key &#61; string&#10;    &#125;&#41;&#41;, &#123;&#125;&#41;&#10;    self_signed_configs &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10;  &#125;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |  |
+| [network_config](variables.tf#L228) | Network configuration. | <code title="object&#40;&#123;&#10;  shared_vpc &#61; optional&#40;object&#40;&#123;&#10;    name        &#61; string&#10;    subnets     &#61; map&#40;string&#41;&#10;    subnets_psc &#61; map&#40;string&#41;&#10;  &#125;&#41;&#41;&#10;  apigee_vpc &#61; optional&#40;object&#40;&#123;&#10;    name        &#61; optional&#40;string&#41;&#10;    auto_create &#61; optional&#40;bool, true&#41;&#10;    subnets &#61; optional&#40;map&#40;object&#40;&#123;&#10;      id            &#61; optional&#40;string&#41;&#10;      name          &#61; optional&#40;string&#41;&#10;      ip_cidr_range &#61; optional&#40;string&#41;&#10;    &#125;&#41;&#41;, &#123;&#125;&#41;&#10;    subnets_proxy_only &#61; optional&#40;map&#40;object&#40;&#123;&#10;      name          &#61; optional&#40;string&#41;&#10;      ip_cidr_range &#61; string&#10;    &#125;&#41;&#41;, &#123;&#125;&#41;&#10;    subnets_psc &#61; optional&#40;map&#40;object&#40;&#123;&#10;      id            &#61; optional&#40;string&#41;&#10;      name          &#61; optional&#40;string&#41;&#10;      ip_cidr_range &#61; optional&#40;string&#41;&#10;    &#125;&#41;&#41;, &#123;&#125;&#41;&#10;  &#125;&#41;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |  |
+
+## Outputs
+
+| name | description | sensitive | consumers |
+|---|---|:---:|---|
+| [endpoint_attachment_hosts](outputs.tf#L17) | Endpoint attachment hosts. |  |  |
+| [ext_lb_ip_address](outputs.tf#L22) | External IP address. |  |  |
+| [instance_service_attachments](outputs.tf#L27) | Instance service attachments. |  |  |
+| [int_cross_region_lb_ip_addresses](outputs.tf#L32) | Internal IP addresses. |  |  |
+| [int_lb_ip_addresses](outputs.tf#L37) | Internal IP addresses. |  |  |
+| [project_id](outputs.tf#L42) | Project. |  |  |
+<!-- END TFDOC -->
diff --git a/blueprints/apigee/apigee-x-foundations/apigee.tf b/blueprints/apigee/apigee-x-foundations/apigee.tf
new file mode 100644
index 0000000000..86c738b859
--- /dev/null
+++ b/blueprints/apigee/apigee-x-foundations/apigee.tf
@@ -0,0 +1,37 @@
+/**
+ * Copyright 2023 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+module "apigee" {
+  source     = "../../../modules/apigee"
+  project_id = module.project.project_id
+  organization = merge(var.apigee_config.organization, var.network_config.apigee_vpc != null && !var.apigee_config.organization.disable_vpc_peering ? {
+    authorized_network = module.apigee_vpc[0].id
+    } : var.network_config.shared_vpc != null && !var.apigee_config.organization.disable_vpc_peering ? {
+    authorized_network = module.shared_vpc[0].id
+    } : {},
+    var.apigee_config.organization.database_encryption_key == null ? {} : {
+      database_encryption_key = module.database_kms[0].keys["database-key"].id
+      }, {
+      runtime_type = "CLOUD"
+  })
+  envgroups    = var.apigee_config.envgroups
+  environments = var.apigee_config.environments
+  instances = { for k, v in var.apigee_config.instances : k => merge(v, v.disk_encryption_key == null ? {
+    disk_encryption_key = module.disks_kms[k].key_ids["disk-key"]
+  } : {}) }
+  endpoint_attachments = var.apigee_config.endpoint_attachments
+  addons_config        = var.apigee_config.addons_config
+}
diff --git a/blueprints/apigee/apigee-x-foundations/diagram1.png b/blueprints/apigee/apigee-x-foundations/diagram1.png
new file mode 100644
index 0000000000000000000000000000000000000000..e8b33532323d4b7cf3cdf9b73be24648ad56284c
GIT binary patch
literal 37153
zcmc$`Wn7eP*FLI4N(j=8NGdHz$Iwy&1|0$dBaL)B(ybyPIe;iA-3^i|HFURhcf&qM
zz3<28egAv!-~P1u<UKR@T-SA;>s;$Nj&-aFQGcL-k3)rX<;oR&#rv`kuUtWExN-$T
zgAD<%lu4>{T)Fb{ilVI4V>iRKS}eygUB8dQ^)^<n7N5+&n13nz=vn3I;qt}&Q}yEM
z38vAh$d6d-`KRBNVmWlazctetQPM1nag2>A&Pg)ExbwnjS3kpD5$ccq7V+&cyZkX0
z_`4Fabp`U>*MiBPP#T-TKWkx1NAuUe2&LbpL5WeX5x&4@L;ikS9}R~eyZ~MudI?cQ
zy(j(c9^(J+kKKJ28(ViG<?33VB@2()(0u>q4Fl$YpW-_YQ)YIZW&9X_!gN}k5<H=P
zUCkTi&5^F5tQx2XgZV=^{b+UNo!|m0sAn0Hfycs8k41->Uw)0@I(Qo`s+bOMN?*E$
zc#@LAUx*Ngzw+y_ag$gG(QLB)6ze~)ILMcn5=jSRHF&2I&O+IccZVH}qL*ILTF8pB
zF!;M&5i1~;roqP0#S|G-{rdmq`b`6EBYk~+etu{gbu~5PBO}MVZf%Y(E-qeP);h{-
zvnzsH1?A-yI{SXa#IdE<F{lS-X41?!8Dyzz_@uENZjvln@rj6>EOb(92vFep`1ttJ
zaW|cvd8w&IndMrtu(DE9Q*&D7vfa5;l(Xa1KU{zzpqBo6sQzL<Us+i>mQiKedu?^K
zILDdI%E~G;Gc&eS(`{x<HJHqL;}ona9nM~<2GP>juU}VIRw5$svvmv%CU$mqzJ8T@
z@Zf>9bxvtCK0dzp@eanL5WN&eMn>=~StQXJhAKt1wc>(;7W|b4GBPq27K`)qnLSP!
zB*jacn{79nHx8$K+wPt{$4rR?YnT{4P5MAl@q1?{sb5o5Q^my%J7&ynS7+xZB<dlD
z7@O~U_IyKPV`C2v4t94P@#yI31qB7c+Xnjj_r>Ru!C%W`6UMKe;(UC4V`E`=PqOp#
z+q5&54N#v<xY$Jw4i1ivhC(o-A|pRY6h3yV)`%5h_1BN+1luXy529jb<urkiWq7ON
znp-&G(%ZL0+IR78^YGX^IubujOiIFII5<2s($iz-=Jq{5xhFQ9{$;G(PEbIgaX3Z7
z8|PYNNQk1EnnHQw%=91w0|PEDE^@Z9Q951+24nO3GK@}wzuOod8XBsktej?YxH%QH
zqSMh>TsRjFb9`G+z@xv5j)8H_CL%nXgN?0WKO`!udt<{^RTY2oZcR*GU7Z{EWUXgV
z#MMs28n>$>xt~A(`0?Y_w7jfrgKgoHr@Gk|)_A0(q_3@=0?N5XMXCE{J6kkKXlWzr
zm(UXl^Ag^^eT$Uf;=107H}gPMwPgYBO5X=o#Dq~tU%z=w{N6og=Lgu8310}-Kq}w_
z!L7fpO}O;(<;#b}ueBJEQS_2zhg36l1#I64n{n?td3b~>!MN~-)9JT<ekay=DZ<Uo
zJ(pi0c#V%t?W;-S__#g;l9-rSJqujp<3|>3!8O%ylnc1YcQ-pdD^8N%&aXtX{k+G^
zdjms1J@}LDmPBaVxTM$76*)2pzP*P3kNth;`&%n3cLe-2i3#Y$;**mDd^5&-dtc$p
ztelM$TS)(ys`C!BL4$}32$=Kd1{@KfO}6>_qcb4womALQYFszz@-qCN_`%^<Gqma^
zKne>^gn})$<c#+AZ)$5(=x=z>RQfqDFA!&QV`G$LDURDH0hj+wJ6@1~b)wo;8le%`
zaV_K3SO|4eQLQ_H)>r}U^a~6-n5-;19)(>{j|zhQ&K)NB#o4i=jZN-$5LCu@TRyD(
zV{I+1-hDT>3JQMTAJRmyjuw5y-0ZBTrlxv>(RLPrKIItNXxM{>jt&(|%g_BWJ?vAq
zAWJo?BB1S0gP@;2eG=s7x3;wn3=HJr;sW8`SPlX{JtKphj4UuHsAqa<X-SQiGQxFZ
z98Mus@8#{?-QCR$59ErAiLtS>%fKuqhIqTV1-qvS?hyp}4M^?Wv<F9nl9Dohr6)sy
z>qv=^0Micc#@KvwQmH0|5GKSsiR<g@TO%rsFfQj=C@n3msuE%2E}^jN+}q=)>K_`S
zr>8fy2T8@*nN%;JU(%mqGF%|O{o<mI2?>jii3!MM=Hnwy#)a2aR6tL+w;ejD_*yVX
zF?pxHfB#O-Z5TXRaOL5m|LZRfNBaT{&53EycKdw?G6>T}kS)J=$Lj84w|rlDVoY3|
z%(KiW-zS=y(g`j2_lMPNZMpbIa}qa?j*h%e_O6YhbGANJPzZ8+fwuG5z#!s#OSnIj
zT9tsJp=z?;m*7#`&7ah>7&<|1)Sb3I(d-qoodKT{rg#D;X1(FirjTvJy~9Il)zmZM
zD7~kIF>Z0hL`2~q^?HPbh22~~bW^3DZA^&vE7MB5CnhBD#2k&My?)M%GZ}ueuwV|7
z2$`DIv_Y$9M7g$DI^#)4dpj|`a0>+Co9!t5Z9w1K0t8qd28OO${~0-*5=cpS8pSkH
zc_qfod7eZubTd3yS{z%t6bFfdcFm;ks6HqN<y{%lef`|YR`?ZRdc-O!&%VGQfr)GE
zMl^zK4Nmf4lrLe1fkpG`gWkbGmQ!{CkWl95=LavJRJ;ld#N4$jjm8*K2HAShXjmG%
z=bQ7Pw={Mo1XMtm@gb(Fr)`uyk&2+oT|u2_ENM{mBAp)<%q7n%zC)FEDzFbvgJN$O
zAn;N3zj<FBVTP*l!9ibFZKQ+Iz}pRTIap1CafF-xuJYKZLaA!Y<1$>(mMVLCdMfG8
zH9J;utq?70>hKyv-tRY)Zmh@uH0Ko;x6zrGayuBk@o9GZRDz*727GzJTpddfhG<u?
zi^_}QE$f!OwNl0h0az}-uQk0LInO)1{lNW9vA>wKuXrdDfDTpopVIwx&Sv<!m>#dV
z=Q=3i<0K$GsUyC3w*3C25UHWvpUO*TAx;tH>nQ%~qrs1Q&b#i*%eQ`^zmIi`MEkpv
zV1DyQcFYiA5}2xWvVIr+-3Q-$d*)j*=W%V}CDC6NV<uTOEapZ+mq)A=l0r95>o#zq
z!QS?LF#(X=ka<((byFIOrU2BZX+2A6qsKXZ-xIiy_f+}Zt5ibQmx*~CBrwW;J9ZM-
zr$C4eR!VMsO07$Cc9tYS2f?b~&a+%Oa7rG{;lU4%qO&a6KU(C|GWfqvgaF{MuPYCC
zv9!i1X#?rTt<1y&EMa$G8~Y2HnUCza-~%`%iOnCO#8&@a*8tL=s)OyoUa|ZGY_Zh2
zLo8&yUq}WqP+uuX(ygh|Z74eX*eUMH1o=zC)9GJdLJaP#^&@o5xQWj9rh0xnIeBYS
zbbD=vWRbIdWs&Ex^QrW+)9Ib@!PQNVesFJOOLd#8byxg{u>=it*pLYbsOUWbjM2#2
z(MUyGvK7+Zqkf@Ej~-rUmWQHV2W9h2*%wj$zQSXYWl6HG|9rui!&kLn(FRp5G7z9E
z<)mN*WZ-3J`=Q6{M@8N{H3h4WnU?#$*Cx&RDhU%Q9(xrP+O5V}>qnlHGB!i@L6~3{
zUPG-=q#RhGBnBj%FVU0ycoLYjSjhSLIY0#My5d5jqNfMzi2xa;fU^iz)1?&J?IW6R
zyLvn4^X7Y<#;4wgPvss3IrGK5pA=VA=`PAT8$UFAW~26wwLHp7<b+52q!J?=W=U^2
z87psGfGDzsJ#VkFD34HuAGlGYZr9z-ghsm}i}vDTOJ44BxqUP`sIpDMy-f|b{!`Ye
z_2L#4#M{GT6d<6{(W-)io0b5@)p;G8Oq$!;<_$D2EoFUu%0r(?v~Q&lT<x&GjdKE!
z1<j2cH^|A$D=J{Zx)?%^-sdL+MVbT)i;G6}J~ld5xHXXH&z}QOHjVA*V7xjGrTH<C
zm^TFW`>O_omNGT|(aDWT8Va%=As*eG>|<}8Oz?nk^wSe8-N)v>Y;h+XcGk*2yoOH9
zR-QlQL9fbMD2|#c-dN6mB#K%8^5(Fknevcny~X*i)nIb9g*6U;p?s}LO0toyPqqGd
z74&4GOGX+0LN4(0*W$eQj?c``8|^=9A_xcw&d<(XI6AJbu7Vv{U0G2V789c(B{iGm
z;O5?J2_px&Nk>Nqg>;M)qn`Nv+Q|v#=@mX@X=!O+Ur8L0=+sgrNMl%8Spo1|IE>*9
zo=~Ndoy*9`0KhThJv22rIgRo{sk32YV`F=pcLjh94Q(SM1*!0pgLUeY8)n)ZEX~>-
zy8Xe~AIu2*W?xb6lHQ|`&1B1<^D8bcUVucj$kdkH*Y?quw6n2E3%Awa=K549*2{Y}
zjEU;Lc(8_cO+y28`A%|0;1@xI`~Z+{PUhAIAm^v&SbUzJ*!H@(WHK0#g^JlXc(=Fn
z`&i4aYY=4PM@9PWOGgI9l^5eE8!|ENcjlJhsijj=MdfUy>&QLww3j7m)y3UI_LBY7
ze%EB!To%<SjmRL5mQ&S{VgK0Z#fPgTtNO%B(4%;%*#;y6&C7*J^|ePGl@Yl05SjZS
zGpl9d+#ZUGic(T=wmC7Zpw>!tO@x)Dr7WmcmASc{UO7~2dZN<dwl}Y8aa=iw!y=%&
z?>8Kx&L=2HPD7KFni^G~1^1Kiy*N8RJv25puC1+w9UQEWfl|7+w+B!wwJ-MG!GVjL
zo6teq>({RV^T_V5cHJ~LH)mmC0hp4BnK?5a>iy&iDW-#Jm=6yHIr-tvymH4pfL;Y-
zZ{FNkYmt+aTf#r7E-CrBx*Arf{Q)4vbSZ0Vj=UsZvR=H1*2fgow6r!{$fc{r4ZXA9
zu5h=_KrnL1HF1d32}wx&V*+Rt<mJ=PKdGhK3&ZJnjPPc;S=w&q)p~k(*spWa+5}rw
znDp(NgM?F|iwLunkn~we)idN2qqs#)nJQH6i<!)sbAhh$p#65d;DlVDqN|#(_tCKH
zQ)AkQnday*g$T3^^_jH%M70!*rv=aL$8`}mDx5dhehjw?cHsKGg=Ww%xw)HCFFYLS
zH4{%eZTmMPX2-XEYOT#^Pi~UDd$vF8kixL!XKZ~e{aF?*Mlj8&#tlxKE0>uAB_}7h
zv$dUlb_@V;Qg~<EXQ}zo8zvDOrx&ESSA<*X;Eg*wFS4)oLnB*q2fMl+u$fv}vG)`E
zDJUp_s1Kk~7W_;v?(yu50f`&|1%1s7hDS_Fp!!u+?s98K)O90R;U=A=k2Sxzc0eI)
zb8gO*|60i~FYn>Nz(8r~JqqF0*5+moE-rHmi^KhWV{1o8K6EODr}u?h)9>E9M;c>h
zW=3J<fJN1IwM6P_bkobir?az^=Hop*aEM2%R{&JzM<Ek9fbr<cY_`H-KFupZfq@A|
z6olmVEgx4q)e-j`N}-GytET}^_Ic(O(ylGvhz$K0SuU5k`%x4bvaEA8?S{G~HvgW-
z<X+a^xkA*O(Wf@%Pig8CgVAsF`17~0+iI4-N8~iVogEEK>W$iEf!Cc*Gq5Nqtt6_W
z!Rw@4lRHfxA=Zb#pddrqLtcegE~V2hoN6_>UTQVFdhxo`4WW!>+0PuCl8M@d`*iUQ
zw^cjHEj%1fBt=D|NnuILjJIwf=`55)>HIV+UHr8(PV0R4F)nL851*EAwE!R*%t*s~
z^Cnb`ikFWs`t93?hKAQk$s*F?3&w_rwRzcoYGXT@nB02CKOyVuThD|95VyBv;gOU(
z-`%?_tE+`q<fEZ72^vsIo@Kxy;+>qGo$ufOc6KIa&X7chi3ca!H!-{iR+^NwF`P36
z-s*6L%$9#*-PYRL9}DnOW5O=Z16U4=rY82@<mBY~Sh-y46$9fpAM(Nh&a3d~+t)>b
zfho;A!lgF@6Xh*t>3G+CVzvjR5ez@BJ%3MeHaz~E3#sa7YHyUC+U;%hcJf&_J1+mq
zIpozV#`I<d%uf0lLb!3g&#B?NnUP>;)(uLW656cC9R%W^kn^m^ZE2Z-n`)Be)V5}{
zO=)PM^#r#-p*nmK`6cMFcNRS>iocWCx3(-_E~fgnQfg=-G8Ke&c6S-j7fc5bFV?XO
z<<H>;<Tt}OIXUI~R85SGjD&90XpV0L%mGq&9UuRz5HGfJ>yxGB<=bM^T4^AQ*I!;#
z11dDP^JL8ol!e(582l~N)NpBKYip}3SyY}K9$2BKstWM2e^5|&XJ?w@_BE`EyXYtF
zaon@Pq35*4fi@QA<|c#~xNtK1Fxkc70A_gWi%>tPni>HM2_#~m?NtbKTTY?1_Rb?>
zH!1ZHW+`O=!S`N)%<a)uC5>3T&UMRV_EFI;2(uK7pus~t9c-tzqw%><7Z@?lYJSoW
zr{<L*;-~B5l1v<@GVTwS+XRp4%@4bq9dD}J>%ir2j;FopNw?-ig8UCRz7cO~D2MNH
zR8(X-;pf>(30YrY)mYDZtb)z|q0)TG%V(EpIYm6`%#BFPu~+g?K~?8+r1+N1J~CAz
z=mUD!#;m*2*Zlem%SQ+Yq5v6G75q`k__GymfcYxe0P{sS?GM;VgTAyh<O3f&yRz3=
zUPXmaYxBy==bk-+R3sAl^XE^HmZ?+;?jz_V@Vi_6d7e7LeYR%<*bu%NgakBAqkevV
zAhsJD8zUnl3-D$g!piNY(goKXfCACe)3Zc4)VgKOK|pq;77(j+%6C+LSxJCPpEmlX
zO8Q2I!9jJt<TZ_kX3%xYG7nx4wBh$2zERv%qTO#dRj1euHI-jNk9qRs2}N^@ut&q)
zX(DNr>p`&+R~3T|0j5{aH`Br{xxf0&>50`La;Ve2PyG2d=Zg$0Proqg-6=`^ik<VY
zMNL;v^H`Shs2QZm9X9S2$wP0rimAQV?v<_x#p&_EV(4^pdeiZy;D@N@@`d+UWY_)j
zH|d)7b68!+hDl&i<;J1~*(j76&1b5(sdGO&&208;>nD+)V<LHoGwb)%2Oo#HBh|Ro
zx+5q^^-Z9~Xnxz{gVb>1G@+JR>pK#eP7V%N;XZpyZ`{(+rk`<m<6=G70-6FLkv*q%
z9xa1ySW}difq}v780U0F>|7Gs0yxze?g6*Ld_}UQJpAV@Z*B;MYY!3$Hq0dESpXH`
zD;&}Z3sHr$3=Ti;Kx>-c8+F$>d_IkZ_My_^;8bwXx!bVjv*a~y!JlQRc)sFB!(#b#
zBDm~)vfljs5vevlkDQAwTwKaZOP`DfH%<dxt%8z5-^hsEjDzXHS!~~zhK11^>HZr;
zh>MPNBK?fkwl;9K0QS*~bi59#$E>oz2Vdswt6E(G^i@K_!e6U`xpx>h0-FR4x?lc+
zFdP`8*$#owFTRd;YyzZ?Hk-4%-*kKymy2&TNoLZR@h9_#r^M`CY%BZMo6~*G75!Lu
zDLu0r73ixd9(v|>xAdbD!r*0RDWmMQ31;Xa#?5AlU;JVa9ei)$Z6t~W(qmiSVZlgn
zW3Adet>V7IaPajPwr62OJ^*OB%rw8u^lf5*YRd;G@uuvd_f#aVkM#Ie+o~c|*wp8$
zBa*2=wgT&yYZtdQ_XFNnkwBd4g(h3+xKd+##PR8zKj(~TtLe~gk|JI*pGr*ixsZF3
z-Tmi6$zup;G<DPonka++FiP9?XiEo-q>B(1B^fgMSfy!XzV%|h_n>9?huqXz%h^Ip
zYk7OjgtGQdTt2x>7<s#B+!)prwMw4hUZ?k^r~Nv;m;;#rif>{&Tt!hgE6U$bNoUvO
zGX0wiic!<$f5Q*>&F$EbwnT{#)tv1=99GWtn!2w!Lv!wLdWE^)rt_QM{epFWF||DH
zm&twYnT&xB&u{Xae)h3E_^dhv^bo68fU|)}7quRqBS8O$Fap-a&e^bC*>keg#*_EG
zGBhff-KNU$I)?5)1g=nPjQ4wI<3A*L;?O%2_d*7TKf~yOb+SdokHow<plV8;mq`Q4
z#D@ImVUj{m(5l1IpnM|o5l~{l=>Ee<UB;rbGX8M$$!i!1J-j5aYM=xl4BLP2>n|4c
zhgOcT(dM%u!y`2qkxIWW1&6G&fbeLh`ippG^5LSs#}ZxldEfpE)Wsyb9)iucz%Drv
zJPe%uwZMzeuC6W+=ABk#0B9Z_YH4Y;sUqwhw(UeIM%7eQIyySywJa^bpPgNIktQo3
zw3!$P@C1Ni3j#8)&xxdN^VDk-?HJIJoGkZQmIWM|R$y%#3-bF`uwJ;kA8*YxRaOe~
zVoTOJuMPrPM_yhY27`Hcct}e(`e6|OAQiz<?z8h#5pcGL4<ACI4M1jh*V2VOf4;o5
zRFE@p4YkDob=})Ya?ikft>!NHR+`)s^r*A3Ht-*T!;u4UAa{57bTJ;DEua*V+(dSE
zcBU5<7Xyqz6fiwK4WP8f@x}QmP@6R{$HvA)MMdZ4=73t>+xgt@D{^XzdqjA6cz9`j
zePUvQ)D)<IfELEZ#igw+U5$D4=n-h{czb(;T5IxlcXt<5^!|*9c;pBwcnr24At-4x
z<Pk9f2HZiYykG-l3~>@z+n+_(zF7*=e|^o_1>d!Nqk3B#n|l{J2v!yr2pSq-cXkt1
z%&MjJ^#t27m|s4BrW5ygtgcQ-OG`^kY|1Ylv%R<6m!5v>o2$FKu%(EI2;g)QUPmuu
zK}Vrr(a86lbR8i1>Dic=7}zdoH2|%*u%hA!pa6DucI`VVkqP7D<DQ2b_XGr#9G&P^
z2-dg)A)QMU_aLgzP!Ts-$c7x9GlBmKNzgC2{3&f|Y02>=>Dpk|i-3^3Gcz*<Kcl0G
zVP62DPC%!Eegq6OMa&)IXkcV?xV>GNw1Y(m)6U;+<72S5VgvM#(=swD3RJa-6Hrn^
zv69mkMn*;mVL<%kt*iu8)BAE@+I4f%_#+=5Uw4W)u}x7?kv=2RHjE0MG9pT=Gf|qS
z^?v2Ra8=2mSF}1@duXg<dN$CRIRh-|zlUTrLk=N6890#&=n$$8B}HKaf*DA?S#Qv(
z09sEscXcJlJp1&$<0UjMHa7HyzW(^umc5D!p3~V^0uXo?^F|kPR3PB}p+NxwA&Nj^
zUjCFSs|wJmx3~Dg_)xx4SOSm?xNpER=VDahd9W2XDiWeg5nA8sPxZQj1@EyW)N<IJ
z6{XA!q@L8W4Y?A?v$BNktd;LhZA!+EOH`eoPP{~7qqC1m2(Tv{pJ25zf10ry`uWN^
zH9R&8e5>kEJJ<jy+{LT}o4*IN)I=S<yzsIEjsU_4rP@^xVnUjOuFSjbz(!c6#sXx0
zaZylGGBq~Ve6s2I_?Wx?>=mWrJxg>C0ItQv^!tN7d(+oY8dN4<`v63|(%b8@XD*u-
z?ME{4F88A;1dpq|#uVS<o_>k4ZB>3h?KmIXH+vqi=eU02e9ABZI~HW84Doz~P4DAx
zM+;JY({2Vs4Q&fu?`!);yL?ChbW<socvY=ce%NTs8?3RV<s@2laUMODm9xAgV+Ug)
zyN3UH%tKe<V@u~wT_q|1Mxq`mU!y+K@xii!BBH11TtUKQK;qCl#69K}gkLv&J=x$I
zHh$YJaj&(o09n=5xNPJ%7;mh@<9_Ut-jA#EsQTrblnJ$p3d7JnPgL#)E9D5%#Rt~3
z2pq^nUmu!qV2h@f7U*W!+t{d5F{i-6$?9xx$Hm5mN;*0^!u%e9NG2jC?)jLN#U>(B
z1+sy-IH2eT5l|z2eKGHol7a%ldBD=E<q^)POa}<CULb1*v60^6kIxqCd`|0f(gubk
z2`@(Zg~%ulYKk&(eW_0r5Q(q50NMJ`;cAaOriU0j-WBE&#vffLCq(BZHTW8`IbLn_
zaEb(k%Ew3nMZ2QD7dSVY)zJLXYA7q^C}i99$~SAiU%uATAf_OLOO<qU=5rnQhrc)B
z`BK0naGUhJ;pNN^<kEC-*5^T6r(Vf=%<}6vQOyw3!MD&vO(ue3!rHHCi=F5mfP(kA
zgm=revW8M|^lt5x@pI0-R!6J{LUOO+lpMfrfJzsS1!)6i$?<6u=o0l#_xHc6q*n&#
zL-X<D{(%7<FB?AeDg<I0GzaWgQGL<Mswx~#`T3rnH(8Vv6l|QFv@|rbl%1eWA}jvP
z<N5Pz7{R4kaNqo#oM7`Mnw6y3SQd%tC2Oat!x*w@OL!om43`F5&SwJbh?gH488;<&
zz8XC?|4AArSSH8HBBQ;iTAr1bsNUP}dQ3rMFvdr|q@Z>--IkfE2S`L?Sy~M?y6*VN
zdV(&V=M7Q2yF<vVc=x`}O^^+=?~arEA*~AUr<ae|Evg&txh!soYY5kRzLJ*KWkDB_
zU`A_yS*ZO~=rGKmX<IDtn32ZhBT$nH+&L1p8Nq3y!fH(jVrib`eSm{8YWquHwTdG9
zji887J%R4lvm4h@1?>IXw|7NEMu&!6FE6~epSX6(A9@=tzq+)9qhgvUyg_{?TUt;~
z6>u5?=ZKje2X9CAbl&muoV0x#hmo2X=%vr4)b~&3_c<ZTbo%2^Ciq6m1x{SDptn9Z
z|6LE4%eCiE?Va`1o>-L=!j^>zHG(~kKUb8cJ-1gG=ZoFb#pV~IbKzPD&_P&ia|8uI
z841lw6n%}@Ff&Dww}5(h!C;(@m)3^y@>pBm^RLr_LVKk_5bumMsHXs^S!DIFCAQeO
zI9wc@7cX8kb6S!kE*dsW^2lIJKaX*Rc-JV)PL8rAEuWU8p4Nrutb-gS9blZ9KUJ4H
z$~(>d<8>EnH{@wIeWGY5h6spo2o7IhV<>CXqH2`=HynPE!)<Soni>P`b49UYV+Q1F
zH*L?khNbTMvrs7~h$#Ko(E>OT@YZmmzT$!ob$kAH&U}=LG%OPSK&6ausU|eR$ftII
zub2sw6P@ZBo@eBPf(D)!4i?D{Py4a?-=I`N6y`)FfKeN@bU_kem!JZrKYFaqULngu
z$%V^_@*d-tYI`#wtGR~Zn&p|N6qZi2R^PJR2-828Qk(KV0SX}|--|F=Nj5}kZ#U<|
zMHywimQsAShL~N+!SpNFx;XQt(`pLWtI380L&loYiL;R>W_JW`gN>xb?Acv9@p-r)
zdY|tnbw&Y&x_bwEb%nM0CduFh%O#pe6Oq7P)P2WP!3h@fZtXB__MM}Jt5i?d3nFLx
zBEr#t>`sl+;7dDf;gjNq>(m?2z&6kF>#@1i+Rt{!dXLs#JJ({#hC%xRor55%!AkEU
zwFEFus^A6EGNP@E)5#+rErj)77X@l+d+s8e0kNL-6pp99aSxJPvg`p`E0p>-k%^~9
zzNhP&J{n!s;~lJZ61(iggEk$-1p>!~ADgQt(bDA*Ase8Dqbdc!vq-U!KH^PT&wC&i
z?X(Iw$c$pVAD7_D`P_Y>J}H^+cHd&0=fCiy<&C8_HM)?UprW&)A0{Ls9*GZo4eyl=
zhI&vqjwTMN+BlyxCL0NUOdMN1RAEVuz7*gSwXt=l@yoJawN+76d;77<!J!aEk3y)}
zkUu{ns?pgvU-F?R7(f04C}HGF5w$JkyxnPC;(j)T+!<*t4%c`m&~i)h>5b|_lMQLU
zPR;h#6fVP$n&T(to?JG3s+C#yGo7eYOSSgVlV<j!>O4z1Zp_WK_<7ND3os@g0`$lL
z&_Tlid`Srx3O9Gc`+eMzw~&`7ef5F<7!%dLg5^Ba_p&L!UsH5AmJ{9%DHJ}|VIzn*
zMAX$~D-kVa2XGhI^fayZYk3=qsE24!sCXpvh)r6FGamj|%6Rbz={==YHT~%~$p6C|
zF!#qo$>3zJh_rg+8w{Q-@Idx%&M3w&V~&Kg@SeO{N!-1?*>Ag9_B~DQT7}?Y79gDd
zr>*li@CVO@I$>g@-1l%Um8apskB=Q6Cpu?ZD{G2m6G3bYZjZf<$>}e@D`e4C^{_0H
zD~8v3$~VB@SfAz}G<P8%-~yK?ik=&*qV^0L^OJ#iVvg;Ey+Cy38sN`#%kT!*14Y&W
zrfqN2)D{>!+HmtSIfJyD3}!J7*YtIk?Qal80w<3v0JML{Z{TT}lMmT^K<W3%G#8RO
zl|3?_Z!s&z1DW(;JE4;?TBP~5-CqkdD(kAZ3O}Mt;bUst#sQ(xu2($B_u>*1qR|2n
zh1WDfdbdM=gU`QWSOD$4&+(nIh21ubt7;Z;tvS?gD!&mCf935ZuB%EGWPod#{*~x_
zlblnajC@84W1dv?wkmp2J0B{vQLQ*xd=ePg69dRQvX`jq;FL@Nfi=wl;Tolt%U*j&
z7k%_P^#Z)1@Yj(5S^fD{6thZ$j^P8kr;ARtl9ceKrbO6O{73FBpF%Td&+E#ocoRb)
zuuybEIuH1?en%Gh83|0j?LROM;iCt_?_MhV=hgPyRcEyaKCwrtv7f7oUN%_F>K(kU
zYE`m0OA^93k(Yt92x5Rn8@UXK&2TC>%P*$BsjZ7H!t>2{^(kdQK6Rh)vE9_XIhS2$
zy1e%O#<r!I&2q|j6OF#fzKX(f?IQ-k_0H8d-zEAF@m=}Lhd!AzDL)kDpY$sv9iabk
z+H57do0@2)9v@FlX0!*dkKS#HS5}lW_Avi(v_^P`T$8ofk*^SM%e-UhO?OjxPJgGJ
za?@NbSWjm7q=dc?+16uSABC0{$a)!T4>b-(0%3&u{|E@f(WGnFa8L50+P+AAy$ZIP
zwpLZ6r+dhi{0yyL`HuC#&?YaA>*l%PZl#H>yBNzw%cqZ)Y@3gK>yKkXYSLZv9~r4~
zM>aRh4G2C-BP62ouP1a+%<idFpX^vG`9^+&ttQz0x^ke)kk^HffcW%b2YGrpGbP3P
z3LQ+<Be|eR9LqE?85g(Biy1DTq7cBH^FTW%to8pT&`kOKxQ$xUuguq8P8<4YTz_$T
zU^fU^-#t3r%w40&4TkKb)gY?sXdn~)n&lQJcVO{O%Wb!YIYr<!ZOqMx*GX@O`G#ZP
z9$1>#QoK!$r{UH)-K?Mb`V+R>JY?bYnZ7F`;JIx+xob1Si1r;`Zd|xe%vtY@Bt_nT
zCt=iD{>>KWawZ_+yUzR~0z?5I@i3%G&63x=iKvxx=pNQZ&>xGD^htZIQn53`H^9?(
ztH7ZdhE66IUz=ki)sR;Fw${0F#fKPn8rRHH4XB7C7&>vSqS@X(AyanEjzJeWFe`Ce
zX@dW+G<@Y>)xoOK7T~rp(a!3&FJBqp_fjRx4*BcaJIDDb9ravIH5BtU`&doXRo*7O
z4OZgc^<1c~xrfUd*mZ#K>K};Zx?c_r?y1Wt&;Fd3la{HO&~viUXmoiJ*OTp&b*v_N
z$uBfmYvGa3czT|=dHAU>`X=%!ynA{!*nYnG=h4c^3yQOp7^uufi-9GUd>E=*E=DK>
z4m>#eC}HNmZ&Tjz6U&1R{LS+t=Z&|a(hiGmFMKL0_z7HaBU%xA?UVK!qk&QMKX98L
zeIr~d`Z3!ZC8uuL^VGxPr;Lt|_ajo>gzo!$euzxBB1&Isz12{qo#yqQG3&xk0cP5~
z=XZoYR90~K?v4@tK-vyh#(OQSvW<_{SOkG0J%$p2t^wP}pBwu>kbb!^D0hx(ofoMU
zL-h)yc;igMQ(+_KdXlMY>%-~@JAPDZQulr83bdYInd279Xs{odDTjEoJ(BjMPt{1&
zWIG46Q|qdEL<Z~(^2NExVCCW=lj^`Q3fz_d<TI2SOofp!(#L`<F`fXn(sZKCInw_Y
zf7B5Ml$;P%ryy{KRa8{M6NMxs1oFki#YxRbfc_%q4mvU5N?*RLE-l@+!~=X-mi4Kp
z=a|<!B}`0AE^cm4t9|G%$nd|Sl><Z9Q=bF5GNqpmY!YKTKyxSsf&*xP0_tpIW0Sta
z?R%_jXqdv5pO+`$b4C#W{(=bT(;bYB87$Sgop+Y|J|Pf@-rio|UZbZ^Jvs4s{!Xd4
zuTSm41CHO9)xCns_&`dNfdeg6*Rup0s7xJbaMLtsH76m=q4;=d345cuu+W(Q+8$^`
zHAh$|A{g30i^$}2YpeWHQU5jc6W}gOuc@s)-|dzR8~bi*Y6>JF(Ec`g_w^~v&TeyU
zjU-PD2++6fo<IM3^A0!QM4FmF76VETFUt2BZ|UPxmz@n90pBBON3Q>3IDZutDfl2A
zC&Z@B(58*)Cl1gm!<djaB_-?g^15I|OLcV;;NO67Dk7?@s(@`#1lThrDjW0>_1>ok
z`Ijg8gfI#hAmzx&G-W760g%oc*U-=a%$}gbfJCbEfBW_g+TGI9($>~iZaeWxJ|p$?
za8v8alUm<P2{Ey8*uyQ*i$+Lra;|?$^*QO&Pxb>YnqFtfe}@6+dI5Du242^rj+h{G
zgtw0E%`{<UC?e8|mzS5BnVH`LXBSrO>(_+9d`6Lb%-G(`NE1)<HX@tn7&OvmrYQ74
zH%eU{csc{G%bfxpt))c{yJQa;%!I70tfY`#EU?dbu4Zj#M}ANHanCTyeN#>GyITJr
z0es1r2^aFU*7i{m;Sw;Pf@c7I^7{}@Z9P3)0s=u_B;_nMCFRKIC}3Z#DG`Q7MwdX9
zx#gp-qjRm+=V&YKF=)MG!8cY`h{W$h479b`Ed9Am<$(=k;hy0y0rY=pM9-V5WZ*7(
zOmGPyp_kK2-O#YMcMQ!yej<e=Cnbpq2(WwvB7u^sYK#c4ufNRAlpj14cx*r(&^I&`
z5EN974i@dRL_gVI9h&9ZKR&LE1LDO0#4v2gyl^r&%dZPHm)rkbSZI8!r>7^E2_oY5
zZAI)o;6`zKR{7xr`e*UGcW*hHa3Zg8wnVH12M5p07=PO<w&+IYeExighllX|%MH-x
zTLyX^(DRs?n4V^T=t>R(9SSG&KSJ`q7!##_AN&XQl*^sa!5qr9Kfj}M01;AhM7IQt
z2VvZvlOrQ<>MWa*va@gBKkn^)O98UL`tq_A!7Q}^kWYHj`iUH6C1=ShdP?xp3u<b@
zAAm#Pd%mxwG51SM`dfzu{8Hhs99<ao=FJ<hfp9qd=g()WiQ`?+|B0zcVCyJY{x5o3
zGY3BAl9G}yU)t|UKFK<*%Xj*!_8SOkjyl!S{Nq|W_^*tqg}XO9L)iqw^KbU(BLYIW
z>@Ry0Z5Ys5|4x!Wap03eqs0>DcRQSmO^3CG-nznmVL(*Q{Cz9`NtpwrkXozZ67b=0
z+G7tV%UXEn7vjHVxn~$6)!e7t!k5=>(_hT>$*~1fo!(h(Q>Kf%Ah_{v;&X5QnQvL=
zV2Bb)`U-tWg`!!v^loA#><v7B%2(t%;-=+I<X}t@XR?8Cp@4t69=e%e_8GrMpcawN
z`1>0%;M)$f$Hlap(nAqz5;0b%%4{^rbiqm_JZvTkW>yx(DB!;zGbFv-@gfsyr%lgC
z*%}ED&L7<nabbdb`XUIY$?o+Mj}OsPpUOtRbO-0<lf>S<BN$^Qo&RIL7Q<@(tr*@f
z>d-q9LyUv-#m>yuu88V%sJuvZqwzcK9S57+o}JH)%%G#*t4brWE9~v_Ttn+$IyTzN
zBrqQ$C=~)A>-PVuC7Qn3j9)<>o?)Z`bPnuZ$(0(k&Wf8Pu%N$EHOjO1njN%{5?`UR
z5{4v3f`b&u;s3~be+d=fBY(OiT*2TB{lUUus{mlBURT@;l!mj&GLpbrG18!-zoMfw
z96YuzdV)ZXC~&1cPIszFhw`ER=YQgd1f~Um1Tm<LsO$eZI)8s)C93%M1^x#y6~*0K
zIY@HO^fWhHZRPmP_4|sT(}oh8*9(m4uxUVw87KKw3L0$T8*5g1RyndBm}5C@x}QGh
zSs%I$R2klWKk^)Ky21U8=v=?~g#!<b2cEkg*5=46d`6(e34u1spJVjDAjKFbGHvE7
zK4&RF(|`+0zMIz*EVyr_<>#FF@TAV^S-r2RLB8i_$tO>9H5y{j4B@H1$2$Fhdj&`m
zl-hO&{}mlRdZ6D$@HgE6&j84kdc5ut5!sDb(g4{xS^ot56QD&3jxQX6j{xNB_@>k{
z{pDxe5rBAMjbZVNjg{3WddQnx44A}RHeL6VS(#c?JMc4J{`mP$w#3dlx9O>+{LVr-
zGYN8Ww989F(a_vwG_m|SkR^C=I+0^tJwKKnOHwtgr78rdaYrJ&FYjBZ=#yB=mfyO)
ztO%<q5)XRLD<n3l_e87Ay8_QOD#G`TUVMa7j<U%^F|z!!8AhrjED3y^>lE+T^rj3N
zhJ&K$?$@S`4DY?<{}vBY(SO=%s8l#{z~mu=0z@}BArr`lV}j#XzjEIB9sq0P0J_U*
zol`?v+FKKQ`y6VFl0)}1SogEmb@2!`rrHOvjibj?j{_1W<_6w|HUilAa8b?6yLp#R
zeG=Zob)U0?bmyF7dbxG-)(YU%yx11GdE9N&)ioRy+&G)Kld)Q)rrEcQWD!A;lOMB|
z7Liu<7Io@|-<<AizvhqI>mU*0?KnD|+C-EC?gNWzIZ`)#S$O+-zQ}0;Lm!Y)wyZmF
zzxWjnq~7^J*MUJrj<=9Ov8#@t1x?6bUR4y-P^BKE1p?R|4H3iVH<kcRDiO?Qyw${m
zO?`2`v5D+M7Cc?z?x;W<iLYptEp}j>ya9CI9c=SpwG+Remnq>}9N!ob1%h;YKzo*m
zD;*aFR7Q0X^(uRzQVwXIPM;;gE<++Ph{YQmjK9~PyD0DZK^{|MbX;#&*H6Hj2$Es!
z&S(^@=WJ<~Gv<Q5lnYSIXetPPJ(Qi_j5eZ$&F{gcxy=^l3eMg?HOh{7X`-of!jH4I
z$gyDG`BGmXC@`##xHT6IUY7T)fAMUscc(x)$?w-81!ZFPM&xTG0)XL^uVp{qHA_aW
zw0*IEwEYvaW>6mioVg!22eWcG&(&k|nUHlpQF1fe(F%?6E%?g~H+{DUXqNi)5gDe8
zEpx>2b{^(9=(=JtaChTKKz|!|GJRwP4(p{O8IbW99>F2Lg%%$D=+VlYAiQ~8fMoR`
z%DGY+Q9lJ2n7D3{1J267%{*Yv#@^c~&&`ct3@qd(gsmzq=vID^u0{tf`{!3naGj>&
zHoKJpe}u{dS`An`8A<)rS=nCy)TV(U*<Qasuo(g6B}{qu3@z1XB3_dSrox<JkY{rg
ze1OzElS^F^;}w?R6J3up^5rFmaiA?c)Q^p_O>5_w#v<7CW#evm+~_(-WO8#5C{@y{
znPO2mZ5#(GIM+WZ7(Xi_P>vKf$z)jwWdAJL+*<#VCSws~oz_9!ii*9PrIk?D+6NTL
zD}tLzZ~o*Sw^z_j(62lN={ltym#T#Qms$d{8C@bBVd|m`W?K~l@*C1Eis{XkX)uTU
zSJgum`X1ta$M(6}rganDlJ`dMhxsP5<ZJugyPqZ=;n71>6(oDTVNTd`t>fhcaSTPX
zO<uig&F9azvD=0_5XV~WQl*7>WJZ}mU2@&=r=wjpS^6UhG6b_3uY-AB?8d}MYzFU>
zVsK#UkJnhViv3ec61I1K$=T~vsFv2H%_t{Q3(JN2_}1)`op!|Z%Q|k_L40c#M)rXX
z>Z*lqXf=y&>>xD|JpbJ}(1z`FbN>Z^UGPzj&sIeUXHkKGdoH~iF9D1GWCG|kMg#F<
zR?#Z1<xKR5Vijc2-?U8d4iJXof`0XJx!bZKojkXG-53~Y>*Tou7LN|6Bo5((n*;&X
zPxs%ZJ77!lW`C|&rTnt@J-CIx-~ZK=r{pF8oCcsqlqid$I&-gnpLJk3Xl?)f-B$mI
zSpTW5|8qe=aV7`M^q<4FKZb+h;o{X&^>#bu&%*W74;$e9uD!p}_z5*B9XFC%8LM&=
zr%8r!&Xkxna50x!%zdr;Vn5Nj);e~vtS!(yQ_6{sh6HqcqPp5|>z-Cc{TTh+`Yo8e
zyD38?;Z(Lbv{#qo%IKbpSK&r<5AX%7gN6eTr2nnaB(U3NEl);t+}XmfcO6M=7u()M
z_i!-pt079amN;@gh|<AxieheNRo>@W2qN&RBPTmVEN>R=1f8%nNvCGeMIVW~i}2Oy
z?{4$4NOi6q;ZP|X@Y)isLneBWIyxG2+0X5k%M8uJ)DgAlnR?T@=v5ijnN<fFpFY-B
zfA@&Vr|$L%5vfYd)zT68duuY^k@%=6e;?NtfmYUAIXND0^)$7aykmnROf!rm2%<tG
zLz{-*eb~!d?BSj>{92~9;5uD>!}tx)^faPixsW;B!~W9P+qrm2ifD;58j%s5HW`9=
zNjNh#*W?&4CdU7;YIkBlpn|8=w$MMku7?ZR<Tn?48iU0v%xhNrgA8z2Opr5{J3x%G
zvb1qj@7`=>sngEiapvO{wj9aF;*}6Ksr^v|65$`82N*LLoWr1sOiYeB9A3P}?_q1=
zyc#5^jDcNJ!Hx&tSfznO1$|eVr&qO}PuTc@O|@dDE>pQ>X!y|78|$Qe%67=>?5r?{
zi-}F8r1|DgQ7)FNcO#_Uac)@f*^=Vy4FFb%^(&3BA(hk-Hq!9H8#pB_VulF0!Fr!B
z`L<+H_S(25ZkSXl6Y4{l@IXOR9>#qey+@nv6<TWNXDxnRPv-ZPAm`a1&Ai;Yydv$l
z!FHOr#-X9T`qUOHJKwn1Iy#%;&L@AUj>r#$tV^KeTp-G8zJk~g<CH`Kadu`KLQ6}^
zD$#*8QhRz@8<7bdB6K!f^m$xs=>=v)OUK{uk)#AEcrT}dmQhkU25Dv~MN+D+QOX$I
z8l_sW@>>x>z}r52SYl+kF%Nd`+#qAK7&mOEy-X!l$p5QMcIOyh6=;gxBY_>F&fCcp
z3x+OekE#O8!N1E~HoFZG7cQcp+@3w<{Mmq9302E-kBb3~I_TqPD);S=Vig^YT5F|M
zM^^<+tc@12aomOF3~c<2EXt8LZ*kn^*gHPjqM;dG?1|nX7)amU&!3WIeK<&VXvq8_
zSaeX`K3>Ff)|8m{@HL_!%FKCC`P&lppXL9p1piu)p+8Np-=`GM(U}dY1=M1JG$^|i
zybMfbC;(f}pA3U~gGi~o;r6eMo2B{-{RV1K{%32KJEVWF_RxReH>#`7X9%WE|8MsH
zcjo(d#XyECAtHe#sw15JQJrP}x%o7x5kAJKH!4S6lq>$P3!v~lD#@JyH`IpTZ+wq>
zgb*wAgm1sbXCiR^{h9<|F3a`DMfX^pF7iC6vD_*#KeBe)K5N+eRA^Mry&Bm4V)Oy7
zh}!8w*J0GW>j3cH&|KrR@_n6<;NgB-GR=hzDT121`kj~SsBrk-s8?a+RYQTC#KOcR
ztDsO`UalAUXaVR!KurO2y)7dU@miNRBVMyc))j{rM?PH+_e0VOR-K#=Pw7IO9;61v
zQeAlV_Dr?XU3j1MaN9*rl_ha)ep}1s<>kG4^(q)1d>HZd>1)Fz;BpCR{Qf<pg}to4
z-nRuo^`D^n&;68~qWWIRI(wwBtd#uxP2fWu8KIQ5_d1I@-=3XSGcoffaJH~exT6<d
z8b4^8bO$Ml6?Z#T&9+`VGW)LAk}&78c-WcS4$si*36H80?;Zj7>zNmA{uu~@z?|4V
z|Iuh)5AQuABRVpti$rGJva&K0Q&V960Tw4-AxX)oAwFSYN?#yDsqX>@{n`1>d|1}u
z?ru|9IJwxJJ9mKV_|`3mW&}B~N&!RrJ{TxjxMfTH{~RxSq$v5OEsB0~eLW3`Z1~Yl
zM&I-wKI{bs<FrOF1^K!rDJcnzK@1E$;g>o8@k8n9Q!qCefReTzsHliZN(M=!^XjJ8
z&L`zXJ;JCmo5c&I(el1q<mB*_hmL})O^eHLAob{{x7LagU)1H4R@-vKr#>t4AlBAS
zyExKwi%X-Op3M;jvh#N_F;dCf>0iAgSl|!t--ll1zO6rUB!iHVmKG2YP`|IH76c_H
zCA~J2mzM`D;~iaHbW~K0(?F2)cliP$4{%Gs$Nm$o0E?DfIl<wlprgBvgA*DSMooLZ
zk?{Wg`}Eg|iK09_SKxFsG|f-d)YO0<>jP>M$4?qj_z;Mx6gm0%<Og^${0S+RK+ob!
z3=tQ4f|x2zzIf~2FXrQOHW$e4()@iO%t9{klE(3fzKMX?Qcct4!e(<^qympa;7sN$
z75xNgfHO@&7#JA9(gvnaN5;pS!?sTLt$4|_SX${J>vMCAcfd?8F1&R$kesJc77RQ5
zqz>f7+!nc9niL>`(f%?z{sKNANx0DeMo%kT$XCF7CY=FnXVYzIX=&06{!m~MPXn>|
z9$7s)syjyjZ#CLo^w^xNWoJPLLy!+^y}|t#>(=2qZLS?JAJg9(zA?ty?W-htamWyK
z>G@5{?Y*(f+*FFZuvn#R=Tr;r#nQAW&{>i5s>BukY`1U2q2Rz#t46t?V_~5tVSvj7
zSn4$HKX?F|qhS0q{3G>%+f}f1EfI^!$+UuA{xbiV7g54xcwE~)q_(Q+q@lSfh``ju
z#J)~2A!W{McOfD*H5D8<clSzI2(h-lK26e<7%&^Pkc?0T7BK$cqNTQ>AuXrt;2=bN
zOkp5YQzaoM*OR>F@v91)!zWsn*pWtcUWzIzBxc6WK;xZtcm<4qV7yHc5%Dpx&)#ag
zCWvt9!v`h@tg4I*)923>J=CvyrpC+SJ|JB>;a;q_pkFLWwx#!)$}J>!QAwWibUkw|
z47wCQUaDuNX^b)b@?c>a87IG%4y>@{MUlSlyPwpql97<ySBsb%2o4Q>1#OBq{to<a
zK<||De)f#%;(?l42BrejG9`@07%3ql;^FO0%e@>%&dn37<bZ3$ocG_@6s%1|bctIL
zVS@+CZ0AVu;0#QG3E`)tq|EyF4-UFGIKa&t6CJqfT{lyXCExAt>|7kDUh14^-DZKy
zBewd~Bxg9-?(rpzQ%#1yS~>=svtSA!0E<A67NT&71k6DP1bp2kA|fg{2lF>zC^~F&
z{-sPJF8_hh<Io~Pm_9Py!OKhR-S*lV-d$i53V-fERXdpcSO;XVFV%59F@bHzfuGZg
zCz_OvyMh1N;$A9$MDmcYa9H-)1@L08^o{I?70&M#JZzGz6H~G)DSWs9@J2s99o=k&
ze_T6*7CD%*1sK5$I8eiX^gkZ*>X%pEy;mpPeq;g16rzrZj0C-mxOeY@6Xxg5l3IXy
zdj|bsF&KkimVeX3gyfk6nmIiU4MhwFmGl;911QrK)YWm>KK=sy7EJGK;j8S(jqpbp
zCp*1D1@<>I&9~UaeEOU`L|2dMn`wNOgvUfrd}OFjf9`adZDBP@Hq!^jQk~)8UB=s!
zX!zVMwQLe}NaH#u?nnY!IGAgnRcA~Yw<iJn^sl$ioFcAeLljw{m$hqGe_jSEQEBP^
z+DI{&*9Iae_7oT;7xcZ~1i^L!V?;VS?_s7~$lJGXFSFP;%9I1|d_mHY$RCjQtCBZ<
zgbwvT)-!yg*E88;KC(&B#T7omX90#yE(H#@rh;fLnAc$@^NnY>bJI8a>Z2r22#m2V
zEsms~7J|{L*|j#bKHFDT|I(G;bVS~CjSvRQJ9_uf#3bEG`DkZ{NFo{h00i*yf}aPt
z2l4jtxxP+EM<+lI!;4Hj0`qNPR37wuB0d^H8`hB8USjvfY1e6E7agT(+DKiNu9lRR
z>*j5x!l8Pp{T%5|SffXCkNhr^P7K~$4k7$}RV5S7cJUW_CyRZ9CC><qgM6tS<F!4D
z3Xad+Vdby>&B?#+3plsX!La<SF`oLvhi_9;CBY;R2?^6Z;3($tJ(0#P0Y6vq1ltt`
z%UWZk0i$A|Tk_WDzBLTCR0Zi21@PlnLa#x~^#}iDna+e9UiC2V+BB!XEcee?oDaNw
z?{Vhp5EO%E5ya}tKYZqLTr>M~b2btZhJRx|ko7n)N#NM%RzJYSD6}dCH>Zej2!?*j
z%$#3X07p&Qccuc2F@Usoad80}Ocd1x1@?y<2D{y5$`CN*5qXh%v7E{TH#9UPGg4yq
zf#rh96JFkJFsO5OR#Q_W1{wq_DBHpxaQd+wok~>t$&(m<w)1z0V>_HXaB=CABLrEb
zs`lWW>BsOu9LX-xi+t{=yHxd74oyqP`S06Yrzmkm)T+(9##p+eCA}{Rjoq@1P3BF!
z=5J+R{B)?BnQM4&rcm`4N<>Wt^EbgdoH0C1O&P_-C(?I*{zU&sO-Q%}qLYALB6!ml
z<ih~%)1#vrw{4RbFM4av7rRqix?fVN8s%SIBr|Hkkb7O%BEZbt0`s{0p{z_mNQgq*
z!ptm9t=QHYRd`VBGaU6eUD2#+A1()iH(4<&ZpGAX49|v9WlAX`Vth*VvJG!W<mTsJ
z?kz_jXR+IVhQ=KvpR4W}KMOE6J3QrbbFsCi5k0-PyF^cX-S>ykNnHQtlm)pVrl*9Y
z=w;nelTo*yGX4!x-;>xB5UZeBMZ=Yzo^C&3E1?tuns6D*OV7M%iqZap)+DgNp7>Rq
zz0Ow<Rco*$;FnxLIRq#O%$-r>WMv)A#~FcX+b>_ffF{TgnDU`gHQG&j_s-vZHVzxW
zs+oWS8GRdR1ehuGk7mqc8XK$kb?gG*(%}toOvb-?v%NFl4mxVvszUK((G6uSaT*QW
zJ$UDc-Q#0-{jl`R3d7QnM;KHqXTEZD0ujlnXBD6Df@~?oFBjisTyh>wUt)`6a~=C^
zQXX)$(ouxxOQw$dUVa)|1lOLenms$CSp@;);O53A(H0KjTH7uHy}OL}M>}hvgw})~
zh2e&upL=I~{{Vh}Wnp1K-7gl@^4?M`E@$ft3Se{jLn2zu(x8ui^JkE-vK+w(Dhd9@
z9ZQZ4sLW~e=BEbRv>HN*Z5a<R3}A1BT@r5(0)>SI6C)S_W~P$#%5A0Sd;FGwbKXeo
z!wnJ=^m}{T+c*4XU2`WEukVFLv0mQZDY$5VKhq{CYAQ)%RC&a?dL$W0dlom`lvLK&
zX?N*j<PFB(pPYX`r*Vg4R=lR5p!f!U?}6LY!NI}K&JGwDp-?F38FPt&aoK{6`tt)l
z&@DYVsXEI32pVKFE6gAjaB~~F)b!7~+JNx_<TOZ1T9N__|HXz1Dc7g2a8_&_LZ>)T
zbmW)V=n#Q&eS@4E6B`TM^!B#4T`*?k6&yC2>tQ$%0+)2u%QvnEJIl)Y$18=ux)lZy
zk!9_T`}uNx-R3zL_>mZJ-ZvPLnckl+g->|4z}V_C&2<|gzDQ0Z*>}_z3>V+>r%%Zx
zPszP6BVtNxm7A95Cwt81hK29+G}I7d?}2CmElcpr7&q%Gh6~7+LPK%pqHrnZqT&pQ
zU^N`+Ur=MIp53!bXx#ZnV)9^o_##wbu;Q-~gE<b2gzZtU{xfR-TQz8^a2I@(+ytqB
zB3d>vLN_h^8$oHL&P7LAcFAD;=i@iYo>ZYlXn>yY9gI=fUFq%k(xX~&T=>N^>Hgv7
zY)Ea1<BZ<Zqk1D6Ofu>n(XJhl2j08*zIG=g@3!Z|x|SU)ii~C)G}~|US0Q#uB)laT
zhi7H{31Kx<ZVq6Wv8DT+E>H>ts(`&Zz9az3UK<WFF_F=I0<h+Qx}u~lD;c;Z+8^3T
z)_{R(-wqERv<b?~1k+3UczJk$AJ4g!LiP>(-VP0zNSBkBm&Qu#k$z+B)2#}oLbJ)2
zz%T*=adQuE*N;~Zd#|Gd4`-IrDiNSmZdD^w^1ZKHmrQgZd(2EV(_BRT%ozS0{eHiF
z7niYD)b--?MKkN=(ZSf9=t$eumNvPGPwb+;JE~yZ7L5GnkY9k`fC=TkR8&?5Gp`PQ
zBOjq)P8a+%43+8-A6e=*ejo+@p$hrn5dD>~anVl#XCK4KI_&h{9i%W1rGD^{$flJT
z8@?>JBZkXxTO0V$iL<YX$R$pW?A9{28#r58eL*0g@APzan`1EZWI(=p_~_A09hfl8
zY90oID%&&dYiri}x@&7|)1O;mCzd4tS9M<=59QnaKVwNKN~I{Il7zHa$~vV|d{D`r
zEo2Z<_HBleWUGWi8p)DEWDA)VONd5UGWM-72Fa4Kea}5Z%jbEXe}4b{{?aSA>%NwA
zo#p*L=iK{V{v-=+O^El8efQkr8&rhzc3wIk{)Zi>yUWdx_zfu;v-B)qKy*MDoaF!Z
z8X1pBBP|{f4CHs{EK5I|*b}?jnNsO+1H|gfl|&F8RX}~X9RX9!y##7zK!w`Q-;NGp
z;h={9g%XH9Wd1v(1kU`g*&#`ws6XBh86F_YrwEOZ;J*~DoFPOJFs)_3Q(ftOK7I+%
zQWlNKE|M%<WCjOBJPo#aX$HZtu-|yrD$w}ZP_hdts7H?s@*ey*{DVa5jO8;BjXG#7
zvNZHBY!%3M>E66V%u^`6`Y#|B{ng<-1JT#(s&DdZYkF%GOzt+m#>Bv`St0e5+O8Ru
z*PjrZKXRO+Tk3djj>q>|`twW|(+1+v--tK)pgI9&N(X-z3Z5Jz@VRqxg*HWvtdabc
z_4{ip+|D8pG7`+3A}EOoiY<}iPG{k~Kt{=@8K|r_q`P}V*CR-U-2_E&3cJ^1r4A$8
zK#uIW{cF@+q*ay&)?*R2myWkXHQ8UkZxFH(qn{x)4RVVZPStws(%4W~SL@-hixdv8
zl39ZIrXB-2%LZs7<LH0=*#uFOBUiM1JL|G^(Q{M~>0ms<K#RQ3D4rn%!$I&hbf$s(
zZwjf@Nk{yrps+1rJxA^|6o)Py8?p<g0iPr<{XOcE%>J4Y<dFXTR-`&^d7J3CERqVk
zH1@JY3PAgmWgwn<61J0@0TwLnE(6ZR#lb$@RO9%I-Tpl?1K*o^>;VOu^cuilf{N@l
zRJkaLt;dc+10H79Sc{8{U7(}de~*fUK()XUEYAoL(!buy0QDH#v}6pR_A@p-A(~9%
zk4a81sxJEEIXFapZff1~n{5D<%n&066OpTPKz^Uq%uVk#>vYyNJ(Ymr-T|EOmYKzC
z6l-Z?uU&c3iJIY%@cx3+w?6af^a(dELw!>Lg`E~wbV@HX?%ljj%{vZfE<{f(%8HS+
zKw17pQrr|>ncLAK^UUy-3$D!EzA_*BvQ_Rl%DXbxdV{cIDC77QAWjDk_dhDs2EwjF
zro1ZB83!JqPmWPDi7@oG?*Iqf*=IyAm;BdzIda9}iC}Qyt7?xd<+UM&v45lu{FxO{
z1;{AlK?MAS4mtqdBiRQ#6)^;NZn=E9smWSe(P7!*xa;#7PjjRTEKEFIE3RL7CeEk8
zgm9agaZU=N(Loz}wjl5eq|p4Hu>IS0EU}%;wO=;)apxwz9bGcrL?Tpv{(G|^_ZHEN
z^iy9_deH1h63OcSuXh6(0JIL|Yalo=qO_3<paFQO7QHle+n;pEuiw+JEOJ3~dYSx9
z!6>)2<vz>n=_~vGaFbiuZ-QxA2_h<_nV!p!f(l-sE5Op<{P_lQi~0wI?%utdR)0M-
zG_<|lBt#ubE6HTL(@%gcTMC~L75z)g&^N}2h4$tu+t;h$rb1yRWDx!ow}Tp0=zSG(
z^X66({Dk%yN=iy;>n#CwJFOxu?czD(D}<DADJZCJ{s$7AAV;#Lx%u1ZC@$~;Ak&DC
z3+<DZwFculXsW{kK?tA{lW2S1#)j=GcoTr@K}$ubA%v!C_>+}oWzsS-Gc;OHEp=c3
z&jF1Op?6BpC^+s01_n_72`yf{yySPPDbd7s?ZPBN5D2-95Gi1h=6qEzvqF9w&Ht*_
z6l7qr5I+y@R99CI-Ra-a*(tYh%3^LqgmQ@5!L20dJGSYZvGKdK?Ck8&&{g%?jM~^8
zBmlS4plWMmaIgh>F5b9t>#K(eV9ks)sDEqxRG{FE72gW8yFif_B!Qhcu`>4yxVPA=
z(a-y!UFAOE^?Xzjf5A<gZlyfJbe^M2OYH%<Y_dV8GD+!z5=WJ%@$+mKbCZuAK7Wf4
zB=JnFWIL#&l(z<(b_tp$4gua5h!GVLfnF15b#*P)8!3BFt-?Y5EEKnfU5L1Jk8|S9
z8~;uALchHQP~J>VT&q@Q?#|LasjjV2mFw6wTjoTilmY{}^ZK_Rog0mt56D5D>@Pt<
z%n>4KfOKt$xP%926dF8&-`1ddTex(^Rbjxo0p#XaQc&RZ*OI*rxpT3a|NK+pGqZpD
zc2&he|0i7B+<<_WRkC?|d+*!80WK6I*nRz>8}Y}9snmIuV2B_0TvG}ekINmd?SBVk
z&iPYNObnz`7S9>rKKFhhfBAf>d5WfMWau1)oqCzS!4fz(y|3=(-P(e)`7)D6A8)*L
zW|-N(?nv_yuWRq3mN=A%jRW;>?pG>nk9Tg=4wtwYtHv!9w{a`URaf&-%W#?c5Jk>b
z?7mKtnQFkhpxKmI6?c&`ky`D{^70+8<Ba)>lD1j$+Q>r9i=M6Rz?^|z?~^xV!>k;D
ze*eCk&i66ULeus9`L{VuRlnYiwX*h0E$Y!B;Kqud%}E~e2b#~y=BsQ&-eH1*F>T+y
z`wN+Q*`hPLc1L_Jj}*WCG7xjfiSxRbsA<KkoP@w)YnLyLY=`ytE6dxys&)f?v+NSk
zZM#nIe*Y%cKj;HuhDQmeSx@$Zc4p%9mp&ffrba1dL@{<3FFW4QmLmi+qWaSeyLkTj
zn?4WPA7P4_*JIt`xMdi*q@a}4f$4;<sh9Wv;mZO?`BYr_*zpoPN6dP^RqPz9VT&(b
z7p1541dMl%wv`h)BU6D<R%y&tobt@sPqY*!wNq97(Qh0yUpaM_jE?d@*kb52C2bD8
zrPpyFLvv#pdNu|uqFts433QIi{6yr>m0Q<zehz&L$+^&s<zZ~~cev>_>6916#h|S0
z4WEK1%ZR9J546eY>YZaf#_JwyQxO9#TO1eK@~mkMUFIJ>Y)>b9oZydEl*_)!w7dSy
zKU_1sdSTK{1=DVR*$E-WP%pldA?+e`2V6m>nP;G<rw0fWNM}wunF7sT0WXJiP3Un6
zJ#&ECg3yFEJ1blW;raPH_4TJcWRLS{GKE!8sZ_{dKK@x7mlO#zuC3Kv{{hGB17YCR
zw{-~m9`R%^b!O(!SHTS%^78X{8kvUuz5?K~LH>ozA7b<Xd={-RFMsHlyK2>{w$9Ft
z#Ebi(`xOt*86zWk8JWOX2w$L&SXo&aB<&6j*{u&vaUwu?j&!1hxOFEH2Qba$0U&;o
z27~kgSW)q%O?17v3hM3N_uk3~iw<~@G!Y%m`(b2kY_Et2>nj;KIm_X?I<BubW^Ota
zzW5^&q2rZG`~RLI1QX;Zr=>_hNI~1KT^O5Xj-j(9{{DTjQVUBc2KMnO0pt}rb8fme
z{x&WwWtIeJ@uu}A!8V7sl6q1(PDAlOMi{|2<{a$pRaH)XOGpr$3w&mI(aVbl4LYmS
z*3KhDB_js>UsHfqVvq|9UFIMa9@-HcKja@C7Ulrp`7G_{&rO<44joq~RzY;Ef?GJJ
zSc3GT%g^WCvITmQblNdNuPhrYtA8{#PZOLt=#J*UUo-C%2^}ob)(=3XE|k-sh8%Nf
zNmbt2&~Uc97K-duRXb-rCkE;l7CSrc<Bo-mhD=HMQs&2+iYOiKv+?euRONQ61lO**
zb#>dM>uwU5_Ol246Y$UeD#ed4wjL;-JyCS!V3bb{X7|b4!>^_;CznR4tIx-h+1Hl(
zIoR6HPzyTyy8CNlL_DFQe#bM|X2}&3K=|bey*#6<3#Yb`mjpp<aBwi$&F_W+IwQ6S
z9fX&CLpvu-@D)Ql9AlC<;vtQg&%Yko&yt&Dv}yo2IS`q73uou=kR#nU9JW~w+Ahq}
zXjX@}8SFRW?HiZ|I5I3O3>MeW&_HR<vVZU(AtCeCIpg<rbxjLbEVQ)3r#d;H!u9dJ
z=B6f7qMzh<$=<|MX^$Ttoi*$PfagwgP77odKvU}>r=3hAEYkOmVB*Z@kFcVt8thnc
z9#Z`sJl8?Sbd)&IRAH7}b{3b{B7}?+7&Q$h`K@Vt{MV7f)iL&Dc5GwAYIyX|-;)It
zBT$W^oM>tqOK!>oyq;z|UKM%4K@H6887A^g7MI)|g!VT-R-Sr=W+I<v$7(Xk53M2P
zZzcHJUc++*%Esuae&)o<A0qCPepP>9A(dGtF-ip|uRDAMQyI&WtKcDsPM5=gVn=73
z#Ha}{k$G8irNY*bD4XNnecs$JK#48Su-D$LpVgm*P4O`hhzptAw2fe?$;6mivn)GS
zO@tsrWy!T0TCs(R%tE;mh@VPc%j9J(*|4wZdybdxkJB?l*%SS^;)1l9+0V%d&YWu7
zwS^gDJOdQ>I^OLplhJ1_%vCX1eUsGLHKfwJ`21~X0ZH}&Snlt+u`tPZ9bY-nI9coe
zB<xYNOg6!G(s`!Z|C>gTsYE4lVI;4lzx%#W<ta<cUg)r3otTqz+1J-ZDCRIVsF;J9
znR(IY4R6jknXEGUd;y5+(wx2f_vbjYpIAf6-ia1ib2jGnzn8;!<0<SFi$l_iFNED9
zoD?$*<|7`L%emUG_NAPsj8*hZ3n@%8YdutMZ)_Cd1hxJdd{t%e8$HLm4nOGzrW*Lg
zp!pr?#CfU{Sv#=tiy%oYLJ(Zh_I$@3D+dfB@osD%w__%&j?mX?D@xGSk?UGR+G(It
z$3rTWK7w(w@w5FgQ<=BuYMJf)`t4fm=Cw@n!or7*Gcz(?xlv;m8d8J_t|=)gS_z7L
z%IVkf;WF%4_c2ALvrc&W?ndIn<ymqiS7Oc5IR^5=YBQWnrc-?*6B|A?F8W@{E`d#o
zkMI0R`?y0^^aw_S155z4$<|N;ZhKJMA)T29o+yZWcaq&7^Ifr$e)jAGX{wmk066t@
zyx<}~9QeEnmmLVpq1)MWxDg4{8nb$~hi5Z+^X9s|538*lc!*m7RXQ`$UJO_)mAW`C
z`wz3xaV|l{!ugH?p+5vO%Yo-#ccbYWTp|r!bh~nnUsubg(o~I@%X(!$T53Q5=I`cs
z3{B?9UfyHhj}zQuQaAs`m$a72h!~heBrXorC((4`ZsP06+b-_i&qI1hG3p@iRFUfZ
zsTNdx3r>K-<`yGN5XgI$zDr>-%KPhu>k$WS4JW;Oom$Q+pjW3L=RrJm7&H56C0bzm
zve*+3>r3)G+`<D*&t_1)i_X<&XNF00JI22^D2-nih##R+l|04>a59D%C{-GPMi8L3
zXS=wAn>JuWqd^G>6XvZz!8q^b-9bp=LOU>_1uli51vq>cxk$BFDc`eVbTssBN&}<y
zRds$O7OZ{>Yiyiy{2+N<uUS>~Kq7E{X7>|}R!Tk{O$U*h9%<L;cm$e>7^u1;ITYfC
z0-`z-4R)DUz5mR)bMdjUMZN;!e~NnN!D8v5nq{qm!LXgP#AqmSYX#jjZr;=HLmWL+
zY>{DeJ}J>jY5wz2eN0V3h#p5=a|Q9bvRh{7?zx2riJ#N;iyKu=Tf4dG72A74vCFs=
z=ve5jQCL#4Wh(u7lw3inQ?7H~pU0}r%S4u=$^0$l4Vy@uHHk$Xley`Qaie+*)Q+Cp
zxyjXalfyI_s_5E<&e@P}IWesTen%|qTB>nvW^<!#8XF$)a%q@i{!(SL75B^Q+s-k`
z?_%gdF?5)tI;QyQx3vT>W|my1yZE}A8kz9Q02Y@9VS)o3=ou#d_Pa}WFb_1FT%FJ6
zs!2=C(-cQIB+ci_`fzXTRt=O#ouZJu4u2;9NFOct>20t6wlMiAf3je;eF2BQR;kfK
z?>qI*zKY_nc^_zb>-cJHUg+`DB)3GD;2HPvxu3Z^A7kln)+4HN<8H>llVP<l%Si+0
z(r|W3&gQQyT`a#EW9RIlt5MPwi3aJydWE${1`DMDq3<~)RX2a`JfC}$ehm@J;uLSX
zsjlYZf#n5hZY3~h?jy{zpatxCNa(|^?D6=iFdotj>rBOW1CrMAs^GCbzjuaa1xB>D
zVeXa`vyqG|Ge~2=WUmC>h`H!2>H5uJRN#?Ir9w{Kr|5==e(71Hi^R}Wt^_sw&}z`!
z&X@ht@ZuzYe|$c}2>$we#8z|;G%t&rxo;+2(I1x+0SiX+Z?|5F?c9Z)A2IQFR^-iH
zM>6L?X2H1u43Y?;UK4D=I$?rMv}hQcL#Ux>DHjjvjXz%2AJ0`tp8{QdZ)chK*;DeJ
z5Vnu<vkha>t<YQeO-o9164$y{>$$T1veWSEj~Mfg6gh(F?Z~;}l}&j5{-9uu(Jx!v
z6!BvD^}qD#RG0}5>DXvkZ?**bmHkSr@gK`rGQ@IjTE5!}SDDccoJ`~x9@0R{lBq>B
zTIp#fTKnwzUJnU-kzaS<q4@9jEX#@8KYM=eC;TBQMtWx+L_QeRuhDoKMzo$d1;z>9
zeH+iU9&sC_w-x;|Vx3?19a<dm4R%(H&f_7aKiPa~C3f9P>`|9x!;Sb9n?(qmAu5|H
zEe*w&H|7n^IU0ZbXdF0FU7jpy9VmFJRkW18)o`9+H)N5+T3#g&$v*%&=HLJA>ktXj
z=FofPm`E~+Ta)^-xX~}s(Og7QnjlyD#R<%8xf}Zcw>3QF)_CL(+kXSA1M7Nkws_)k
z1W((6{IJ@Q47{M(*RB`dzt$kX^=K(eDeqgQ(TU-6wubke6=h8de7b@aU70x%MH+S^
z^CbPso6kqGPVIsmAizGlle~peGU+}BoT~ITGULv_{vn6bQpK=wAimGv{|haobWWdM
zt6Vf~F%)|Qv2nk)#$b`WbNKWeKj|M69hla$j~kfy*E%42W|CRq^~gPNBcDB6CB*u0
z*&n3u5qb`d7TER2GA^;VO@mMFJNI*+kIU%02AM!aqK_YKW_WccPM&<37r3Bhb$GJ{
zN$BdhetbfLqjl{onO#IF2bO$r1qmM$K(%gvqzU%E(0ZnNCA>R69_sx#=<ohDWen!(
z=QV#Fmp^_*sxX0>742~3xnsA%R>E4PD_$=9j;a&~FqUxdURq`**RLf6ax)ploA5t0
zjvuRTDG&CaS*-)k<z~ulpIbE2!A&i+q7}VcAL(D7;d?E20&^vScMGgDfS1%EU#xiH
zXVUEF{;)BXvAqY+qEVR8y~@gUsb?;2C4jnWZ_vUpqYSR)pqJ(oFo{F4<ocR$VJWzm
zs4mfGW_;)`0ssX;Dnxfu7wk7&xv9K$q~bIS<)i2T_Qk0;wmS$=efv)BO)6dMQ|(0w
z?%#t8Lt;>P?ygSdgS7(#yU+s2l%AQv=2A5<%y>=%mFLXETukz(5Zmq~!9*_I!zL~C
z2!-lmfshy&d&b+=J+rwl#6)W?`_K>{q@`UOrkQz9UhYNC-py5|nHIfUdpa&hj<QhQ
z`%31U%m%)Vt)e;Yg{ewP)>g-QyR1Qu>5}*fbZx}=@d-V@=$i^_&|T6HPfkuwF26v?
zh8??fJF-HL3Q!)3Jzv@k&Skj@LQ}gl-)KUwBz{OSRGU_gNB<?07Uf=r_LtTXS4gk>
zLbooW#>?VNVVg=*#j#w2+|Z8?Re~Z$eDA%c`!k?*=n_ArB$%&I$j*?>U$V^n6F$7*
zUr|vpR{x6I29Ny38q$pcBy2!d;I|sP7sT}sm0><#eWD?I;XadhEaa<zJ34lH4DK7a
zos6{!uE-54ULp709&=>{7PNcFRu&ht$}g!mKT<V)D^knUxDz(BSvEC&Y-c@GUg3O{
z8&NjzZibam;QCfc0^soW;en)Q&;BvxQKoGNjP7la#MaT>J}VneU;s@;7Pd{h>oxt#
zS=CIVO-wp24Otzbg?tFvm|5a=-{D;M>jl+{!%>rs8TYfsLwhsDh!1An7x#v5_u9qK
zOs7RJ;~<(#IOx0$T-3RlAAkw2#*tq`K@+4qyj8=MLHgvoAc-*m8H6qXXzL4&;eKMb
z4pJx#g&#2avS$`w>aOsz<neLdo!5DJvO2bGzE@MbyFu^*QS2U>1Iu@^DDsm*voJU0
zky}Ah!5Iw>@jS`(#HY6|%o`XrH}7-nB~#Z`_NwU0UZ;wPz8G`(s$iJ$BvYsL#;&W8
z?>fhGLachp-nSg`{YIi$4PR#Gn>5|-@9wbmOmkB2NWA9vsa-|6Ik)OvY=owD`NK1J
z1TS3Zt8U80N1Nr@^efd|{t|cC#gK_SebmvNec;(M3B#3vM<AIkhSgS&??YA9{d@OF
zO;4UYxg7-1OB{}M0^*tc7Rc{}9f*bxlw7>%Gdq=$k)at4k+Bu4r<<3T(W4S5X7|Q$
zuU_ry=2pF8Qu6&%4o*%0Y9YJAssy}J%2())?Wvzb`toI$(`642k1G^kK%8pqEREX=
zomJ(HP1BrIp3_wn64QV8#b}rbDs2%BBzMXPbF+D;JjSQy%j;HHcgH+j6gClmP=xDz
zQ@_w69>XJ)tZeTzq~J4fWBrxGj=?)Tyss<{>ewXfLFeQ)b^f9IT&*=9RTj4epVQSN
zj!w_#^lNO)R6gPP=@V&wd?rq1MCDG#0~PPnJm-dHT;});3*GuFzI5rgB)QDZ23&4Q
zDt)p!*!}Tvf1a~iM2(*{=SHb>w<X_ijx@odC0V6JnRCXeaVHx$Jbc%&>QN2&Txv##
zL`079$Zp@>3y{$MJF&65StYhZtTTR!_OmKd6t*r^>%kqDXnaC^Jmfz;$^~d^2qG*1
zZss5t*K-C+;i2EKk-oktH#GR&bJDk`EEs46C{gc@G4rdR-nF^pa(^`>1@18^I%{ay
z(%3i&%|ZY&(QtsL&gJji=lkQUrlF2tW>!{>!rg)$PF;Ofk!M<gkdQJhxfS&N`}aEy
z<6o_tKaJ3)m^C0D2Kqhz9Ow`o=QB44mv<|nptV&wc46C(_uWZ{?gv)jo1D6DUCx;Q
zBJp7NciMb+UTat$l_!gb^ihzg=>GLc6UFDG0sHyhJriLk_;8uFk@$sAU$%2cls~wo
zR2`5z*={^-EleGJ+KFpzZa$=(=jwXyypbCuU3yX~Ug><dslKT~ZFR@Ap1p8<ByM60
z`@memXn!|lqJXE#2&2t~i!2oyjJw?#AhEfV`w`-uta-6^tEX3Q#p=OkC=rKDTE5#7
z(eATfYvXWpy+V-8bSHz{-xnOrK6sXW0KO<hO}J1c<GCwKQcUdjmneLbGV!>Y8Z@m-
zcI?-8kZR4sXkcoztP_iiXQ8(x4+%bcGk&VtILFvnEq|v%BNOez{R7YyF(>A!eio=9
zLFl4ctPCG5$}cRu2XsJKrjz3P6POy$V?THOq$}S_!%nu`v!mF>XA&nI7kXpNg1k~9
zgcJ^0^OAz~oz!O?xv`#5hR|O!{78Gl!}5{*ZlM(u{UObL{azT2XZHG~{edTqr}uOc
zV|I%d$W7N=cF=v{a%C>~bE}*PIzz_!xRKu1rzJQ*$Z#ui6@BKqj;Vio*U(qlY8EmO
z3<}zSxSz*$8!ly_;L=JsZTJKQG_r8Cw(jrid;B<^Wg^?Ma>tX&$>e(gRy<BjKEIit
z-?5{lCI1+FZA_4KC%-w<1pceYcQ$`&_h)=`SETPCT5?opo2ju{y2*JHPOM?HfUWoK
z0{6c6x8Y-AzV<A+;d2|-ATD`+;3zY#>Rqlv!JQpA5lr%RYpcc5t9M@5YC}ULN!<tc
zZyV2L_JCmZUj1Q#Ho2$2J1c$W%fwhjDp-M>OWkeBbxm)cznYu-Aq8eYBrq!Hc5ouA
z62ZErz-gy%`b9<8{fU|B$wfUs$~pC8DaAZm4<priMPkepYrm8}d8{Dz@!?~fL`Gym
z^JnEp90U0&9k|75T=U2^u)atrvufadF(S^Z!a_ng1CQK!uc@gCrWm(4+X=`clqo=C
z*W_SpA0MA{#cV}sX#)Txe=6i@F)@ZT?;zIP+^n*Ki-zNJ!@S{uM4u$oWC1ebg@G?P
z)zH8mocR>9$Ammb;SHB_>VP(oXPaX5qVaxH!-l4&9q`?!`v+`NQd6xBD+)yY%)u0@
zDKoE<03+!mMA9)X&{p)GJHzCD(OgSVT}b1FdSY~GR&)?(@!W)_9D_5)#e+xE-3i`j
zaGvEsMuyRSwLVe$v)P9(Ze*JhN|(rJl-qXyX{V@((OD6xW_5kp#?P|bICCy9HkoVz
zv9r@pa!n@w0P~?kE^Nr3TK&^V#a%;s+BNj#4Q+>4>!_ydkA4K3D}1?JUcJvm<9TVz
zqvy|0jk{c-=!HRkrp6kLcJ&6Rb9k>4A*eJoJlxhc<uGh@ipl7R-jLolZvX*IGxO@;
zb7_!bDgi9*droT|$O)qfiVzSvyK2q(iNf=SheFmtdgJzgqL4MW8)0hXg_M0xXliDF
z$vMnd_3>j&t-6$><Gj$(mb*KOOXpvIYHyzhWEk8K?LPJ`28a{)@FJ@)!Q_%!C#SZ~
zkwXWzPk#!0T9N99ZH`I2JIigBN|aF!94JLDg35EX2L=@GdEW5%@UaX*d6!*2>l=RA
z8DT=w`FE*O6>r|FV>b4!-%Lyl+8{zuS?}9N<USt?QHmgUYx~{AL}Brbq2jxDLx<eA
zYKJw!=0gh(P?(io>scXiprfAj*Z{TgItwCi8~i?|-+>78T9npj0GT^F1eH0I|Ci6i
zPj^HCx?NkJf`p5kNP;8$ZI3NOez{-2e`k=5{H`nuUCSa%AFqmcISQlsD-Dr^(20;L
zH*4Cie3ktoJ&u046eV=_S`=T6`(ypc+obU-SbKYDy~`ogK6{Don=J=Xs;iFU=gPGu
zg0Az{i#ACYH2MxohgTAMYlOoUWD#`4FJ5G6#&n%?_MuqK=D6$JTy5|4Wc;2uQ1*vc
zrf5*Q*YUWqAmQ**loW){Aj_bs2d4EfQbt_ZMm}?ZS^$h;L^7vzpK+$SX<}wSL_9R6
zkc%PKeliKbK^Fu4whCDa!~pCUbUix{7|w_EiY9WtW3R_WbxiBEC0c;Kk)x;c6yQZ7
z1Pa+Zv^N`=f^~l$m_NYP_k~mnAkx;g!6S^qa{MK{Vmlsw7qz-}Qs7m^_b&}zOHu0Y
z=#ip-{89MO0b~dsk}Hdg`PScS7~4zGE#67+{aShbE3Hl$W@e|f^on00^I_fWJp}qb
zh*RQx_(<vOTaZ8<q<bw1iG#@k0FWnzr>i_;ajBd*-`W?j@Z8!Z-`g?I89Vgj^|f6!
zt<4hlL$}PrHXnB1K@aA@|6D%lBs+I;v`IbLmo_Kj@Y2R_zS(zH<aU2^S#ecQ{kre0
zx|8D#t)J2hBU8^LB-gy3ExOR_Mq(8o;@@0EgB|~mohnzygs?@F<%QQ)9XajrIm&q2
z>M&E0yM-!m=|3NYZYp#r6%;L!Zr9zn=Cd6Tin%W9$YMguLTAV`ucGrBbbx}&wQm!e
zmznmRGMw9X#PCE(+%prCCg!4i8-vR;I?Y`zHO-+?M`JS5=G#b0=362(GuW0$72rG=
z((&BSddE<jvW~<GmtIms)q!tC-}Jb*D5tx=V3`QMcBSXZm5t)W37?A;CER4u_rQT1
z78e2>O!rlMf-(O?lY8T&`+-m1WKmN5j5`cWf~|BcpE~c&k@{@P$F}y>We3;obI+OT
zx-2kH-5mB2%CB+8e7@X~tf<i}IHXUIF|PRfI3uq=d{D$!#-(LE_WDPqs|?|IT8Bb_
zGfowj+~&GH5qt{+3obKiwuv-@o3HnnGNF`Tzr)R@n;3HsJiBvqac(e`oM1t<Fu;W9
zJGOg|e|0b!9cT~I)=9A0RDj<@$H{(+d%hHUHEIt-+=B!t==MV|<`fmoaD~2xFTPQX
zycTA?BND7}KQ}cs4a8bMgs(HK;;Xa-0osXBDgc^0n8h%Y-*KNtt=yUZE_@PSp=9B?
z8ZEFDkv70C$fa&fMw8hrs5P@|NXjpUbxbTr9~QKfl{PWQMi?Oo$4aamMBFG8Z}6Ly
z00gF(G4ubkeEq4E%NXOu8dj8w1rh<C7I0gMeQ0Q8(%K+*9!`)Q3;G6h7ZQ}~3Tdnz
z8&h46QY@qI#yXPn=PdNAkO=Zt3<9v^X93IQD{;(xqZAq?)YVP&ZOoKpnW%VOAk!uu
zt=pVC!M(XsDSNTC$U=TTqzTYUe+F6^DG7^Ukwz8bCz-vGDQshNSu6;<-_PE=Z=GdR
zL}S0wRceKE))u34vUTDn|6^yg`tX83^Bon<&r28^>NY7fSZtZDzFqEA;hC)QTdyoF
z1cl1x2F)V=wAwr9`~ZhbF4O<mD;Af|=iFJpwa4GsMzDPPJ1%4#<><9^{|O)&GvGHt
zZty{XMsx`aF0|@XV?oLEM<qiyL|8?r9%i&BNp>ad>y1sM#KB~--fI<mQ=>10;#^`?
zR$&_}&#<_C=Ru93fBh|l>y0c3V$9y8oxhDu8sM)Lc&r6og9ZWdXG2Hx7<{TgV=#US
zIi-N$q35cgU2|@7GbfqAi+2zN==KIkSAj`T;xq#$)D2(cxJ^%!RfgV)lYANgmWTsP
z{szngg$gM%XDRc*Oh>qWkO&8?k@US~p?=V`x3DHU3b$#~kM0e>Q3SWMqD*9(*&ftS
zc7|qsZYfF-{T5{USY@qQsaI2*sr@<O4-55EC66xl7FNFr&U_jiV<lCQdcJb1BV~N(
zyx}dc(mNiu=N(@chC`IVKqskbOB<p%w}utP{e7&n)UFxC{f_gZzptyNkc!ORN&yve
z!_?L5(S;W;KHV4ov?Ru7Rzv@)bK8|(?FXA$ioV2q{HPAp_?FpT_$W-j>8_$S?&7&l
zO^q7$6_sF|O!+eK9p!2cYv}4<VThX<?$UaHlM)t`4?bvdO1C(l4=6u@`sf24inzE%
zFFT8aV*PdHHQz>ew#OT8;k!Q+RjTOT{bABr|3@b=ir;VSprKyo&$E}Od;-!;ila_x
zdEUBv>FeDR_0FGtbEM$N%G~~(^yzO>2~m^A3Y6JOdB^sbd#>Jj9xRtt{dVx$Px0nG
z)hYZ&Ppt(Eb&BgGCB5Yao9<sp%`zoQ7{{6L`;PY{mIysDotJn1NQ&ue@Xk4PYEG|%
zD52;Tz1!QCVtZG{TBqEab-%%x1uZ|FobR;g^o@hs3k!=2enS%{`5rFFN{Ca?l0@ry
z?lSRt{=W<tu-VL*TmZ2nK(NDW@lBZ+4Qs(*g|?Q?`1_IH<!6%>C#9(tr)@iWzj5d8
zjvDa!A^Yk{h9247Cx3D5HmoAjjICdnr{xY&*EKmOwk&gfM!qxq=QwvB;>Is$N3+*C
z-%0n~PUUGCf4cr<D7U7YhJ4LiXjm_?PtsQ+F6!_T1HRD#`#Za0rnicp$op1WBatD|
zFm4iUW?f3cZLHL;sP!dA`{?o*@@iEG#Yn!-nopwU=y(S4bh2@c#F$wh_1k!*H4|e$
zs>6-_K5^f}lbfbGJ%371QM$u&%d|T1?8{p7^n;aHZk40xt@qNn6l9s9Cj!n_|IQVW
z?`KRcqC-!Ns}HLmRgY4)H!bx_d{uC=qTf)75Z7w&)K;3}&|UW`Zc<X0hxDm<e2kXy
z^ivX9Cr>kqoY!6SHR8_u98HH86?kQjf!A$Kt3Q+9z09!x_-O)oOaAI_`6JIx__{29
ze{ojqV#|%PYzY-FTF~(Pj~MNfV(xJ2PMxoWxvfXX1$Pi|v{r4hAh&=rNuh10ab&-D
zRY5VE@waU&CX&U!6|XRw2pTEgKr-d^xd%xK2n>o45lIW+y9jB3ev5$P8!@=$p~U0v
zVP|0=pO>3+$&u1=y(Rgym=^WZc<WrV7u@Z94ZNN4tv)Ir?L0rpK`Cq;9>NViP<lvM
zUA@Q3jNL}7*1`8`I2A3aT@^5VHd=%vQY=Eqd-ZL7iD%SIkFK7Pp5t}JyRLmy+s*51
zo`#4#(Wvf>(tV|U&|AG2`)cvEGF3&Y`a*JQp0Q@%yuEkm8q)aPg3gen$GILJZ-ev+
zGieOuJbW!~(~^<8p^o|J(Ej4~{YYUMpW&lzAZ$B4jpc_*U1YW>UmknYYh|d(jWsls
zH|{amug}|;Xp6C*K8>w$k94fAo?a}R{b`uqmlayWDP{KRxf0>n$-a=7j~aQR9VNS;
zp2XC&-jcgAFy`<7UF&4WI?)IvpF5Wat7nF2`{&*F?UNfTATB!i<eS|z<h`C++H3>j
zP?lSwC%Y@I$ZP)c<)K$`1?%z_w|ji+sP&$9vdu14A|%)J7i2lLtb^OcV7?IkElrCh
zcanGxHMXt^!G#+wDzz{gho>T3u{Gp83x~sY2D4^f<MxYK?`BMhi%oryqNjSz=a-|M
zpE6YwK1B!ZEY8z-o3oWN&>C~j5u4Ez4Q-qIL};b*vvJnFWWmX4@K=j#jx>O@+uLpD
z=^yV1)xVKPy=Zo?m8N|&Cr7X9(M7jeCq1IJYV>4Wf<`rGZb+NpZnV;VzJ<*|Kp|Jb
zI8-X=<B8Dd`OYKui3r4h_Fp!>m3=^nmi)APc;;G-zSOywZq6G!>kQvcgU}ayB&I;3
zvV!{Y&XNZMGZDUG3uAs?B7Qjp$F^}lxYVmQS@LAzZ!b!LpEMP9y(tS_S*XMLuGJ}H
zs=DXSquWoEdkgiCixYI$9Yhi+F6HFue<>#pEoovlw?+%m3TA%y-3+Arp160Q$(*L=
zPhk$!o1?B@fCEionHZ2p3#^A54!>n>tmHvqh7k)mUB0jit8Ax9N5{}8pW~~J137je
zq+?@v?ZoEFSNn|^IRa%}&eN9N11Qv*wv$H>pXGhT3LM6pvUlR!8CITs0CO1gPVhJw
z2sENPUaKn36=cz401-l^&Ei~XbGCUdlh;O}yu*0>b*0cDOEIQm4|dc~6!#+aDLp89
z`^dc%Y&^r7U(Ru*NKLGhT48w!^4pGiV+A~eqa+W!-+Fana|3VNx9CSI!)z171ywD9
zVxem}LpUl^kB9b-94y$RtON-h!UQx5wdH8zh%B?0o5f{2tF@Mu?yP~^=MPjkyT{*;
z-A-t~hF^g~jiFl6O4iSIO`IaG$Q@d>7q%CLLJ4AEYXSn?ljdK*<1Tv$z*h33P_GZ4
z-8cqLff!mzcCXDAcQqz5u)FX)+v)Zr>hLFXb4+G`48wH<!&VkB7jRl-MXnta+m@v<
z=z-l_$z1lEEEs(U0aArvCYRPU>O-E+!;=VShrEoL@h0ViPVlC0Oh&FNHbE2xZ{r3>
z^+Lxqev08_F#eWR(TTaJz}MyS&p78T?vOs$QFe>roJpfl_^WA-!miQ;k#Inh4&tVI
zqBMdfSGQMe2nX!0;ef*yIoDjA?8WUiJarFms%&q?jqlZ*9TXnrtd@!|-T_!mQ&Uy#
z?z<bx0MrX>op^{iUG&fv+2pcFe6)w=Nv~a;)Y^GA?k%#W7n_)hh*x}OA&HZC@e05?
z#@P8b-<h5~s`mU8WpteKrK@>j<9)GdAwS#UU=?R0L9S`7n&{Rz+T+wLlb6EVeIN9W
zub|0S<P+Os)Bz}!+Em$I|8gl(W=5e7-bh#3vU(u?!`oK5$lS%xQ!i5-&SMc4gsejj
zu*#JF4j5Y9gO^)BrtDNvhV_Qo7jO$GO7KYv_y7<Gxc82b;@0a@CWX7p<6}%7JDG7}
zvtPK5ot@)jA1F+!%v*@|iXM-Sk#2OgqcrHrOy`DO#CexW%Za)N;JH?TKaOl^DbolR
zqp?l}pe?(f9aJl^t|!DIL$h1>5!*$<yfalo8k8Lb&L8Ui-9pnsQ5$gTxZC&VQ_Ste
z%dA^GSZTz?S=@MMDK2hiPxr*38QtSI$7>!ZTIUs|^Ll#pc=)Wzly{O76|MA0?u4`_
zNaBIbR(xHLZ@L@0N9<XHWB1+_xo+GOA*p<TC-RW`MP$auzF*xqey6x#L`Z3i`|gF%
zdy~7hH;~{MiPBRSg`A!_#I)zhO+GkzP%7)wiah&It@=Nb|2#`%_|n@R-&E@>pJZHL
zm@n|PWWF*xEpWFVWR={$v2*mS<48;(kQ0=2qqj`7{vUFKQu|Z$9k22x-_acPZ>p`5
znCo5G?l41++N^6mIX<2mVXEaY?_Oc)Ec!UHAZt`Zgb;Q$bMPDzH86H@PuC%Sk`i@0
z&<}@vhlZa-vXg5!0jPTNy{RH@rtiDX_!xj-;5OA4IJU)+i@1RP+RDjOx<SZJjdtPj
zy^lNMwGaAczAV+C%>w$GWqN_q8lmFsH9PXSCUWF)e7MSXN=?Ag7olw>e)>~>yBGes
zaNO}r>y^q_?YzKI4wC~?QXdZv#P=uT{0i1V9>MP$J%q(1eW~x@TL>E2&cB(Qzj)yR
z=O1!^4L=1=)4?p447PvWZUsrSL%e<wORnaUcJO75$GaKPAErl*3>CBV7({!2UhN0b
zcqEde(Dg1n$n~fQuZH=LArXc1Uj|?kCcL_{G(bk|YXE-e>OmK`hNPu|+59bP4+0c1
zbeS1il(6(RByL2GgKhb-Ou(fcpds~fNfV`p>0v&8_~0{7lkt(>24C~)R;{nd!>@oC
zny&v$UT-HnX!65kWn`EXy8#_BSP`}v=!V2oyL?u&j^7ze#HwPvIU(Ffb!|;IKEaMn
z%@ZO4W%Q|*d|6$+8oGr^Kp6>iDfm!ZTXh*&aee(}V1n%I?eiM@fC*|WDv~#h?gHjV
zYWMC>d(53KUOcO>54{VdBqeRdTi@jUG2g>0v01r7B%V^W@GZ!P)p~j!$=->K`~e?1
ztLlNedKl!PvM&u-tWPBUEK}%d4D}<C&W2QYcANs8g#j(M>i_xE!_d&^Ty^oIM?KY1
z;;qv;3g_Vb5%a{5T-sGQ)LHbam#%VG+}x&sdw}-bece!(1GH03O^wI{Z*TAZW}sTD
zJm4#p(9Hng;R_eOel<h;4v>VYnGw(u0=i(p_sH^mLZHQU3vs39?@h|WuOn&Ms}P`;
zr?R3#w!pEX@KW~?clT*%iUD1>Q(T`*XA6>m6N0`N|7d9?+`IRsjh94Av630QKn;8g
z-|1Xv7}-jA6^Mwy7>bE(OJ#Gpa^;1~59pH(pYH_xAJVx+ZbJ!?$OFhF5eb;Y^Y%S~
z++_P2BaDU@LSsJd>Fu@7yLRmwjYb2O4GQ~*ioeKYvi@Z%6*A`WypYH)sOT~F^LuY*
z<{r;o_3^+TWk`rgaKm0q+E+n}b52hFxwB_?5cfz*T3cDYuYt{xD;P=Bf(JA;sl%af
zH(!zb+t8+lsbeaEL@1yeWw;1|klVtzMsVkTS!*z}-XioHw+x&xq-<d;h-4mqkGQxo
zd|g+_brTcW_|FSTHeqvtbX9Hbk6)X(`G=u9Ixyn!4e7jxGT0#K!9?{wVGNg?_tzcB
z6C}a00xbfiG%#zRks)oHK^c_z&bomZ18E1f2f(~oSag5*5IS`SQuICHE0`}|ZXiLC
z!T2f2uO5F3U)+U?BEx(4?%i^pZ*_dn0ga1*Vu>^EwDK}H$0S5)R=tCE62nk*1)t$G
z{t;BjOG-cR8c<@eeIDSS<u)<XddfpUsO~(6j9{qy)>K#bf)+n_C!iA?NFgsT@8eX+
z;D>MT0l~V5qQR1yk|HZ31Fg}4(9ys^Jwa|_VmGk;<cQ&>gs7mLC%}SRR)(Lno1U0>
zAHL)E#|H|cgLK+<*GK3G_FgAv;r4d5T$X|W`+sSsj7dC*b~GLu;5YlZbpe$K`I1(`
zqN1sg(!jeTBssx4uoJiF>*_iQY%Td?59E+Wbs<#MR_Fy14UrfMN&xCJcWIbv2*HQR
z#^4BY)>ct~!Dk<UOm|ON1qHZ+=ON#{;fW5-m<HMAe@g@f?K{$TNbD={qPmz)B92&C
z=;7i5IsHjIB;cnZgN9Z!i7#~-`~;u!5+w0dlOyzQJ4WNRprA}!yV>uqyP4TTL8MM9
ztpDF?M3BVBwPh1OfBLg$Z3Rvb6+cv0SJ%`;p7Mig4Y<qDr0d9$fXA2M!sF(fagtI}
zL}0!N1aqi>cpJzGdW@I3C_P<$=exGH_~A4nQAL7a?GBB!qHPL@*(;HQrGw*iB|6DQ
zKU!!9pd=!a41G>iR8-b;oaED(4G#@HQCA&Mmg%PA;^^pj@?;gXyeE@m&t~}rU0-k*
zejEy#5Dq(U(f$jGM3|RSePT0s(eT#w=#psa#fukD7;EI!n5(H(LP^fori{k7`O_QN
z|8*UVDCk!k!F>GI7wp*Hl20J?f6E?AuCwW&5jTQwExVqeTj<Y<Ks!W4Mi1T?;)OhZ
z#((}fz`>PhYSi)o|5l}c*+;HNG>(I?9rTBJNWjS;?hmAW|L6S&Z~d1gM9^Eh=kJP+
zSblcd<o-V?ko>}~UP|s3;%;Iwl?d4-%kBYU(kpgBX51>eO+&LtA3yysCw<>d`He`>
z%g{!g9>^oV2S5zC<$BjWOXLZCE1CFBNdIzkFRqwqD+nH}cdEGc)?EI8f-0t%eQCrj
zeCuj#*$qf0r*AqahOlt{j6VbzA_$iTEGt4ZFb;)D5FP=)VR=r79Y&t`OP3~z{)#l|
z?#B=}6Td(d-fcMqLfnRWsL5c&Sa2lA)xbGm&;-a*VJqbAa+&@*iQ{S_2*S#c7s<!B
znTv4FmTsPH2FGsj3YebTPj`42j0)Yh4(}n9zbS9LU4E?0WYf!pSvSb`{NtWfax?SS
zANqZ+h^T}K(kU`{1=u=%C7`wbnvz%A<lo*(z3T73M-0nx?tckt*gp6Z206DBa;(H6
z*Z{**Lfn5XOj6JvqWSj-9<MpjVI4264*jxe+s?g?Gh7`exxI)wp}uRqGM|MF!?3-T
zeEd8$_|l3^Rt)nbOt8>?hcKY@{h~2XN&jQM<Y;w^cOfZs5U+!jqh4>RLoNLi<%VL2
z#ktqaV?qoM<r1gZu<b!+>7{{~`2QFvQN{d^cg%}-<y@jjZL+$QwJPQDV{FZH0mSN|
zQ0CwfB0o_Icw{yx)E78j<mYRyt@J4@y%&Xg4$_AF0xy6;qz#1{hGRf}{(m#X>qR#2
Xz_sq(O+FWpd7nI{bu{ycdBFbxPVQDZ

literal 0
HcmV?d00001

diff --git a/blueprints/apigee/apigee-x-foundations/diagram2.png b/blueprints/apigee/apigee-x-foundations/diagram2.png
new file mode 100644
index 0000000000000000000000000000000000000000..94f4b1af57c608eca925d6e0a7a15d084bb2949c
GIT binary patch
literal 52665
zcmb@uby$>Z*FHQmbR*p%Ap+8!qbO<6AySgk-7$!WgrtC!i~@qv4T5w?kAQUN(B1Xj
zAiJLZyubH&kK_AqZ=8GPzOJ>dwa)WgYhA(0kLB>NsjxvH5T1hkeN_+$r49sw&|pG<
zzm!QUbAmuHkiz}D>hAih--De-e|%UJ_0w%_S#MdlK4|HD+}gCe`}m+~wW+iE!}@`~
z#`l9|jml@H@dQVaoH|7&ZQr<83f50*>{e>*mg8Ius+prtNc&pS?t)OkL=Tl~?Yw0k
zvl0a}Z^|rSv@xIMOE41!-@h3p&rGCHdLAnh@cX}kKedH|694!g?0cw)KR%~QcoW8Y
z`T5JoUJ`-@t{)F3d4&mAxc*c+!+p@Bt8WGV6^#*M@yCzc#=HTIxqevwE|LS*-QDeb
z@_>nniIW(seNIA6C%Q_R)l`)=HQ{s2TowFbJFeB|qOaN6XKqnBL43E>oEEe|cdVHn
z#2|~J<;|ifH#GUn5=<=7a7F9hiiF<BF15gt+YS9jMAXK~H#=_GA{6s57sg0l018ew
zKt-@>)@9nWE-T727yk%z%cdNC$X5z^{j3hc9PRs)2%lKVl>TE8MezNQica_P#KJCS
zH4eicH##G65n3Qx9yWz%3iErP@?PEN3;pBYL+^z*1z^G-aemXkUVBR@Xr$>=rv25D
z?|-U~GJ#p(Iq!yYaRi%?C2ZLW8Yd}y)~t(68-_-MKN(EF@m0~fcQfIES+#E0kXiH>
zQl2>o8AH_W<=0>zl62qK!}{lgINGrLz1&=J_98U+4rB^}>iaj?L!;!=-*kkzS=9-R
zT9<WnC^^_Nbai)!6gO~Jjn`CHb9QTxyftV6RuhP7Mu_zW!yzv$JUo1Vf4`}6`%^(M
z<jWb+^w5yDl@*85EfyA?+=2XZzl?<iGl#fOR8&-Bw&fxRp^u+D33~mysgk*QWu8M&
zPr=fXy}MXsF#F4wFZQVyF)=YkMSKo<sRM(9q%*JXhd{nm>UzXDCXJ4aAik53lP@kT
zgp}WAmy*&?CiSJIr^i_v8yl<kyYSW2Bzs+5Q&W?V<2$go=c1$(Dl#b7*ViX5E<W=t
zTIzOCa*=)8`DT#xR8fuZ8I>W^#A@2=>S|-746urp)>hzi&6V3<^Yh8gkC0PShR)9F
z$x1U1N5IFYr!+p#6%??DepuVt^>lP3rKF%)Gm24DQ|nA8Bv9^hV-5rcqE+YQ<@sKm
zOS*0>FW-|6%>BS!ced1*+0f81GV(OO!^OoVFflYF1g5z$@m+?ytgNhsof%8DLjUdy
zQ`7lYdcP*)Fgw<&oXEZ<k`E1m4=*0kZ7>NsdYAddS#VFc>ArslA;WpGYg^;;>E2wy
zZkk*~e-B0^U@x45jZkuK?Qd08Co?k*X2r2_ai8p@#l-HhwxHpnQb-}Nrq<7=NLNBB
zpglc3X?1mVFy&h<_+htUNtKnAr>CbOA=s;-Q7<(@C(OLOsMARIm)F)Fc!bgZ$p8Aa
z;m6BvjGpBNM#P@c(7izUjg1Yaw<F$QDsj(h+Wwuzo`e1U<>h6bS07WdP?MmdSux<<
z{(cfy6GU-gp^CDyvYJ{k@M4Esvs(H3SSb{@XBtZDNVnW?*+R+XcMlF`d->VqC}1-7
zJ~!BL;aixf%6G?ZS`!*md?hS-qiu~Q;8o3w+i;f+8}!zj>=PzWbxuyseTgakx<+RF
zCha#y1ax@?!Cj1epI=7GKYZxDIR(DC>6E7Mj2#muD;GKcEA@Q$79kHdQ$L|T;9rMH
z2?@b@sAr*zD+wsCZoEX7?C#5aVrOgXdwyizG&wiNys}ro{Y^!a&aV)Qmc>(Y_dX_V
zlkiKd8?S5c1v20D{LtVNSo~I(iu}#@CKOdi$L%CxyT|}9x<)!%muF+IUZIZts#vE`
zl9({UjbEMbh_|*yH!UCym~V}s4@@+E{=B!hcN0!eP98*s084soqkepe4`Bg()BzLs
z-W#y``j)E+azy$4-hHH|{hOhop${ME!rs)LjBgP7-kS#^gOgDhNY=f&;H42{_2q<_
zk539C<b0+@t_L<@?Cwrs9U_GndA5>Y>sieN!G??910%3xQTt&uyVPW%XtNMZ6w;S3
z;^N~mFfa;9t6x4wuLuZ-%;JbqYKk5gwzRYa2V+6+;J=cQ@IE9=Bf|Gr!76#h`Z4Jq
z6L`J`loB2NvgSq_(Q9^QK0ZEWx~2e>k3<4=cu*V%3ukAMo7gn;^l2UU<}HYzU%!08
zaykA$91T{bpb4Zz%0<vk_rk*b*?zQE1c=lNq6IO~qtM(VPovJe{RvaWfAOZo{pn?6
z;t#FL1Q1+5Ud-omVVV#qQ)j{KuV19-BKMomP7b2zsHpByss|R58ifrtveJ;?A(6<s
zG;)a7BnRTghhzIU`6G{Jo>&e-PkNv@?>c8dKJ;ADUNhuifh058>QClINtRYt<mBX%
z6CPI1mOt*R7rvKed2?@)3KQ<4I9=pfy;F~ri>!;;>g|ng_3{}G;HGPG=;4QbNJ)7h
z{qi9$DaZnsfWqH?{HM><N6c~XtleC3eFPThEiV?91Tqah%m!*w-SnpU^E)2a=@5RH
ztVZqWc4!AjfAChYATGC#);)eidRF}QczY(vNZ2Sna%n4^fx*l^bED2*1!N5F9UUEI
zVPP>;-d7;WdPxesfcc`&LZD<4Au8xSi%4FCD4YZI#=TkwH;D;#n1qxRTsqwPfo|g+
zArke)u0&f~TNXH|u4a`GIgjXpJCZbV<rsZpp<zQOYPkDT{3GwGvD@?=SmjT@PmQQ-
z(t!7AOtbCm>{#o^1cStAR53+a1BanT=v1@#d9*|1Q2~tTX#_lj@sc2f-{~y<a3(gz
z)DY@T3sg`Sp9%%a&3oNDdqnsk0bPZNiU%pyo|t!kplccmJjXhD-ghwR7a?{dj)KyM
z;1S3M`^y<Az8|cGMb5y<(=){OMp(xJt-mIW{dIp1j~KTz)ZMa`6_pDos;y07fcRrt
zJriw5lbX0LrK7z)j0^V&`S3=RJZw(eh8a&4sVFg_FbSL|W0MAv)&(~QpW%2$`)&Vj
zAbMCdN$J<2HDolAUYu?CUCe~?aQU9Bm2-B9;jn@PsBiE-oPi?m4w>s)5UnWky#HwY
z9Q5`Bvb^>zS9x)HnVs4b4S*G&^xNGyQdMpF#rDt6e3<JfE57_JPdfmKG0>-AVWI?}
zeM<yR<?cPG(R38uEaZ^-T^NMHdU_%r)dE*0i#RJWKK>TOVn3LYy;Y`agOTFS^byTC
zZ7<x&Su-ba71}_A&kBau>khq2G^p`zGlQ$3wD6S>AA$JF%uwd<svspYKYxCuD9;$>
z_``z)2NQ(XTlb)KO5^EM?E4=3tCSFs|0|BF!a}ej7`m~(ep4PMmXMHud2iLKP#Xx#
z@ku^4BR_vm;~>~zkFtnW>RXyVeq=0D$9ke;%@^e(|59EynJK7?h4JlAS0A76)zxE}
zznJMV$lx~w8r(kJ?R|s$%*_6dCr24R?u`I}B+dJ9Oq{u4MF#8VDQ`B<?lB{t6xwC-
z!epIqV$co@4^tk?Ni1T8b{2@w1h2^xk!;>hR`|%_&w~!f5Zzs_55Pc*^U%RhHr?Z0
zA3l7@1Ji%@%tR#gBLsygWW3hzVx+2oAdTrm8l9B)8;)ju>{t}|u%etZ<!YY>IwCeU
zHj50aKVs7m^cMcjZG%pi@vS0HdZB`?dg%5KR3tHAE8S~bQQxkkr@$GTuoExfCi&EO
z;H@JTHjPp)>PcE~y8?Xnda=XMpN{F)Eetf6NY1?}oMW)F)M|_y?n7N&T`Maq5mdVE
zdbX?tpVeRiPtq_&YhvBDWiQOt&~uD&oDidYAnCk*jlM7XwN;#2QbgoOFP+^WM%F!u
z9&u!7F24zAZ7baKM}1w;!J8JtPDqY1$Ns(2euqHKcE&{&PMAFLLNxF4w5g5`WgcxF
z`4CD|m{kzw-7E$o!aTNsNMoFLg;)VhbZ;pl3kV<JGSM@(lL>oOgWl4V38}KZu7f(y
z`|7au6kzNzWTvO1Vl?m^pPzZrpq1l7h@#roZxEHMR=tube#JuLc)YtrywV|GulO-y
zGxi?uSRqt*n#I;`Y?OkauH9YMJey#c9e?Z;>F`0yC*%=#^(6N4#)jYa9F`||SKK{#
z(XP6wxMDMGZVTcpD~sM<JWrpMD*4(7wIM(XdzKB!`AQJc*w~o!ct4E>Sq54eN|CfM
zLOhRAU{)<roVK0U{Ajtez0LOxQ<<CRUiF>(MEEzpJ`n^zSq%`6j>4vJoQ6^E5yjd6
zz<S^PS|$2R#=g?4#K0hTL^J@@+}{u^4-zZ9RM*cptRgbP3d#o|R*gJ8JrjL6<lh2|
zYj2PtNor<{TCaHdUDrbybF{j+7-gGK6ZBf<qh!<ASaKp)ILXsMp1FpP0HjOmV(s4h
zd3=0aU+*sxZz2>(3s;y{d!MKE-~k$)*Zl;p`0VOx2`;Yn@hZ1fFMmsQZSAbF2>0sZ
zpAq!ZbaZrNb_~DS$&4z1_sJHYOkd%0N^U9|1$4GmE4ac9ay`v|(gV3-e`b{QeJv6B
z1yUCl=4c(0ma1Q2HmnIx!7^NiU?PRuT}a9J{BU7qdF~vc*CgGc5*IkNAt8%{F{<+>
z|3t2tHGf+_uuou|NcrOoH>}n#ea4lJF^xuxYx(RP3jd8&yns;>-PT?@BVq(QAJVYH
zKL0^0+Dnh>xYqlA%)urq9O=a&-skM(j?B?fH(?8dAFr4cpEk1Q^hAJ9CqoZRn0P;=
z8WVox0)>6P<Qz?zG^hv@+M1sj2mz63T*6%cg+Va*X@<J~z}D8*eiq@xo5Sx>VH*8S
zs_)YYKe2CU<}nYOK`e^sI8aJVejF(p2@yuUsA7yk(d9+A%Q(;y!Gt$1DuYYzY0YHE
z#*#Y3iINK1HC2C7f^!D$q;1>ID@NO}!dO=d`JhU#lk?}W2@4~CdG&mz2t-9lh%-Pj
zys^!rR}}B7QuKFaWO*<xkm^B9Zzt2ox^ZYlTl0ejbRrs25zw0##!+pKnz%Ag8|n*D
zASKV}8Kc{uV+VYzB>C?@_ZSuzKnbyMR0f_oCSq*GCxv#nu-v?jyS$*<UwvaIgv-B(
zq&uR$Dwac`ECH05)7lQYL+NM<5L5j25F>d|SD_3Vf<1#LD@jRZN4AsW8*2MEoW-Eu
zpUl-kMa;o-XkJgFA&0;B?Y^9u>l`bKP;;jwrrt1Mg%kJjsYGlNEp0F0$I(445g-WH
zD05}`-l3@2lee@gvv8b|ot}5}NcOSHBb45A(!^%K20LmM>7UG$BNBz5>;Gg?9?%n!
z223S6fQ4`jU;+z>vT+0%xer1EeB?CC2DohXnVBDL(4fF?2@|voxD5|{$(14GA+lN=
z+`%B1QKIH_a`%WKeShLCRb2uQ?8E6k^DN@vcR3RMFh~|zPO`o-<ij}vfo;rju374G
zvTnhJfoc(}>Y<bN*DJ&|9I1GeJF>J10U>!$n-b0<)2-!L?0>a(iq}Txq~R~yM{+*#
zf&DIa8zUYF;`PiDpP0o_pU6&_EiU?I-J^u=r*4dMf3aGpNCM-LtM@YyGoK-cJ9>}f
zq`fc9Z$OQ$Mt?9<9B=Jthm!Y!5%TIK&M)8lFL7kzS3i>~jL6+MDsSiff7(uz0s6$+
z+cVzaoxU=SI`?;X=fLl$JB@1}AK=Kc#pSInw@x+m&UexBSKab3)v$N4nQfS6;oAyF
z{8*iF{Q2X7rkyD)4p-Emjg$e#iecK!gUb(Xw4u+OQR`JL+8*H6v&O<eR2G$5?RDz>
znuyU;-MYz$1xiuT4teBYH}OgO!IRx7h0dUsvd{i1p_4@T?v^KPOL}A!RJ3Fqgh}tV
zS($DLW`dBXR-HI%`D27Mgm4t8K>oJ>(HC_n;Xg0ZVp7K>-j7NXd#+YKSp+Pa19B{g
z_38Z~bca^g{GdmfL291Xu^`xIldV7aYh1WZolbhDTeyn;P`pNHE(OEqGJFT;GAtP^
zz6U{@(qbVlPq+*XpL2&=B`tfsj-)7GP2)w`v06f78Orc-JU4yL$KE7<4@Ft#;WNl+
zAWaSyyiG!z7q_wc6;th}*DTQTMkQ)oc+#=7W{I;IX{>+l&!{7afO3_eE$JD)C;dCH
zCDV?J<?9P4iR0TOW=9RU0#2%)LhL2(i@0^jPqdHbV4ypLa&OX$-Z#K)xgK;;^X4Oo
z*p#MEv#NC~qfL@x!Bl77o_Beb0(AVpA~$3Boql=^y6&MkrMBLBepolzoW_BRTBvY)
zV>=Y|85gbsLXo>`x|Ths?*B2h`b`HHS1SUv_)hbD`|!3lnJM3-9~2*xq7mEzPmT_W
z&!2>QH;g)4H|u8+2SF)mW_}ivTj1gcrKJsx9JyH9GA4%PLZHTDcfp}<utv5P(8!El
z=$rAV085=Vqm6I(i_lk4EkxflUVFz*JZ49dIILE5;)R*BM-2!s?c!cU@VOEQS(9M;
z4pp}{KQHyf`TWp>bN_7T`^h=z?PE>%3UcsnQ_HRXgp-fU!`Xvsx<Qw_0))+HS~sKr
z+>-_eEG}+tB}K)e;$qTsdTUc!8X6N14FJg$4>u+G^#A(h;_J)RjhFIg-~ybbign@V
z1Ewt@ar$=><$f&#vxNlgy02S?J+by3G78uu>bXGQJnV6i&&Gd-KB}8ZchlLEl(F_c
zs`!=?9UFuSCu8cUFs;q=A~eLydY~ZW)Ts#ZRzXpwcw29AlLo^5li3;~aPaU>Q3FL1
zD(rRPV8ir$Uwl4vG;1*^)mN5!W}@1LI>8!A%VlLvtQcJiyb+7c<F}abw!1oj2jL>f
zHZsln#9Pmg$Tn`-x|@)j=6w(yHn)%CHsIQw<b@AsdYvCFIA(#KW{{w}INi3Kc;i7D
zt`r#^T~t~+?^@N@+q-{o0ImoM3W6`MtgJLQKgj;o9%5r>x3RifAP}O%N%rw|X=y0|
zy%Ynlm{>cJxw-idXD@LDhCM*O`1LEcZ%IN*%C*wgPP)IWygaC>s|!!a#@aeLIT@4G
zQd6Xxz)lq%`DKks2+w-Uw?(AXh3!<9Se^>hMN#tQViq{p=K1=?QTIR=bD0Zdu1~rf
z8&vT$8;6e9N0TAUeAr4s@xtKJGpB6O)@cY8NB|iZ+XM|5ksWlsbVC*qRNX=U&h9N8
z1Wz_i0Ev*!DTrz>ot(tjAe6jm7*~K_|C0@;p0>uVxtM?=KByJhb)X*tC*}-aCk1u<
zWz8V3Sw!jf(g03X-pAOa{b5}<?lI2Qi8o4e_t+;fZ+oj&plW8CdrS%z`=C6rWpK>n
zkec{r*)LknPAzRXM$WBYAV5gAOG8esrLK;e{#affxxW5bQBh1p1i8Enp#&g%O?kPS
znHj6Nc-806pTB+$Sz`n3HZ(xmVa0%Q2WWKLJ3DKxCx9>nkl9oTkC(ZC#$<^6{F(I~
zH#fK4ix+pN4SbK#_R>JuICy=mfjh*4s^}IXndvtLGvVoZlufvp=xnte+z?M+3ky>v
zkx2LB?O&@CFZ2!=7^>i(7V2Xt&=E?lLQs1hH7`}qvI4jc5!`O@g?fJzYlaDV{0U@t
zq#4iB%Ruj9CqH6Tmeq&AAKQ3_$lh5!93{hKo{?VH2TWypK3`sYQt{1Z3&kSzAPN-t
z6Evy!<F3vvXa`=nC5Wo$X+yvMdJwyW>9qeckbWI(h`pZ5JY!_Htz}-;<9!nT{CAR#
z*%M)aX1{Ci`0A)EU2X5i{Y?1b#5eDzqp$T_K2dn*8J(KEGbHihuheU9s2--<V?E9r
zOW6^wGp%q&9Obl}_lRm9CVA^>#>+fA4z;zleQs>*<1{lnE2&SCmz(?Gxr0MtUY@Om
z1sey4m8a+N%nU?yYIbYO0nRgu20Gj6kv2Cm0koRU?d_tR9NfU{?Cg!n+6X;BYE?!r
z#RA=-xzP%N0*VI{p5^5Dxam=1hP|))MD8<%qAoCaWajMaB%-&)peDQAg^lwY%E#~=
z>q1jfwNbgcnZmvA@xg5?@p(XA$pP(?)<7(_xE_@qdfQgoy9W!fV=R1ne<1!+Xn%z=
zhgrYq5&Y()Oo3u`>|`%dIOeOT65pQJ7BIT6<4AmD`Sgf~iu>RvhtAtr@Ke4yZx&(d
zEOhwRP=Gl*GdlUeq}ig|lkQ@SkKu)s64iyx8E*<lEsnNtV~ak`rFcDkL5g2w7K9C-
z|3(xAoP2||)XJpHWYfm-?iGjAXJ#k)OPYrUjyWFRQ4#67x1YV7Rnl7N6bwymkXmfS
z77tCGG|^ETH3d_J1P2>+umgMo5MC*u0l^#`98rd-VW)ujcIC)l0kWTda&mIFEeG8Q
z{kSVhSWZrE$idzH5WxX%0(>UO-U}_73`FG@$a3><`)CP7Bs)>oOok=BxJ^IIS7S1v
zWUiP6MHiYyTbk$=ZIL^%&%lBp$-=EAAoVq$Fv?DL7J(4%#}Ki>16(Ytv0*=xyMRBv
zW&{hg;$tE%3Bla;T7AT-(BSPi%$whk!=;DLz2f%#Omu2*7m)4)K+87c%AIJ72V?0|
zFh4f<wgxz!*cIhoyt6se`yg1XblVpYwPT{A+uPfF`}*$o;==EiyX)xde~65<cXaFp
zV%{2Qg$JO%3ksHIWo6~%h5upz?E+#waJ(xhy)@L-VZkbly;+Mt)8rsflzjebKo@3#
zX-1kP$zUSp#F3Z~fl~>o8x^N>4`_NpNUvInrbZ2K#ixT!-Ws~XC(;pZZuI~}RuU0$
zg~H-inC`3UJTy{1h#g-V7I(3st%~2b4M9(??I{*~tWS_X5tcitjUOAZ#sP$B@bfwu
z*DBh>1}UhyrLApudpo3wlbicw^`qt=aZH%2Cve=ybN<|UA&<KD{9-~UNYhp*;@N2H
zdRhl)D?qujqJnVIvlhqQX~*MiH&%<&rg)gS<0RzHCg_bWCm9Jk7d;IPrY<dhkg_i3
zUkBq4FwK)j1kWDvnwTdqOl2Z5gC_tPv?#PgN9^WBCc&^gU@)KHNaMdeQz2z^EF)m>
z;+^TJ2yVZ!G#&u~N=nrGl$1NSZ-dXOy^mCf5+ft0oW<(7o}@~hbx3_BU8QCWd}hhz
z|7+Sdx#Ij}E_?4uyU)8D5NLTx2?+@aAdiQZ2j0bAl$#%Kk7XWx2zoSNe1$><Rk45|
zIN*1jdLdEjW3q*U+*2CNp6fr|UM?R#YVdok5UzRcQKUe8YJhjYQikl(B>U|j`*W0!
zZY4b&oojg;>EXRpgVk@%CM-O7kfePMlH}*-=jDw`PUbZEs#Pa^54)V18$7evK0Pez
zz?<*m7>h4<!PqQTeJqMGA@1@en7&wP`}BSSki<Q6a1n_aMDROO21I(IE{A>!&dxSk
zY|zU<2{?8w;Mj?&4J@Sg%H`tY^n<plPiZ^zlU5HDS1;}~Qt6tL^WmH%n`_QTR%w`-
zE!5Z7A0LYmMe`%{^z_!&)?U1LvFc@f_x2PuBU<)_`2KP}ot~MWPFfhMKA)0V&DXJu
zj&1{!TGxmieQC~eerdMyi;swXg9)9DSl@1cg8|WSu4ZxB)b)FBh%O1rRg_-_Cq67g
zMMF69W->sKn*cqyjN?@H%C(LaR;~H9+-2r&;z~iu8z(8;E31>FLyk4o-WnT+U;2IF
zGk*3~78VqAbg~d{AXhFDARaH?iOa~$#HqdeSsx4}T5bQ}W}T4eYE+@jOsDhXlbgED
zKU@~a9<A)Um}Tw&A%9-(mVQ~+*qpO?O;`C^ilUp&svBHQO)c=E-New4ft8gN2v9(c
z>o5Xk3(3OSsI9M`w~x&$#LHXH=Mgz~WTg84U|hQ#G&JJs0G5t@lg^XH&kOTaS<xPI
zNzoYxr6d-v$i?o*o{h$*cH736oU2=&IOowgmKP0MD<~*rWMshU>jXf@RU0+N7hT({
ztDGP)CMJ~K<dl@I^Y{ul$>!V0m$5uuIjYg|Fz{}E?0$wMd2gns+v3<BL37!!C*|Bd
zHXkOMR}8`5GBaCe&j!A1UU;2AO5k&ICV2FwubxCN1}XffKmWz5m|+V;V6fPfnn=uV
z%)4HBb~;|{Fvm_`>8rV7k@~%i=9_TD*srw5AOZb6`mu8^xwBV0=NP)9tAf2VXBp0(
zp4ic3i_3A_)Qpr27fOb16I_YrPo9}Jb}!{pSKqHYRrNh_Y&j|NSdPmC?CT^>^pP72
zVU2zaggN}60Mla>0lGHmP>tw~_=}?(>3>NRykLO@4B%AVnVte(@o8QJp@J!I;N9`r
zv!jWRu`8$gKmgW#_?8yQU+uY5Lk}|XQZ;St0AN`3-Nhc$eFKiwHK(GBTg6~iUnXXh
zIX|p!8@eU}$bwPeS*EJ)(WXru34sV*+^8>SVQhp*kft8}>turVH9t=~6!TEmgC8J)
zB!62Q8{j;cCY)bZV~D~R1thnnrC(mB^gkn)%(XaSaC2@5(0VHK?lTA8r4<u#bLlbw
zyn5ZQ0PGNgkvzU5yy|!JG_UTd1adX8_BOH#4LLbK{8f$x^n>Si?Tu*kC4&YBOP2#K
z{Y4M@x|%x$q`P99(PvLy)pnJV?a$7y^@PmM+ZE-w6A`biW1%9Z%;IiCkZ<4O?bE~U
zSuS>%<p0yqf<V>(l009U8F;f;K+cgwMY!o6*WS;fhY$Oe_DxK5543A(Y0a{6cE$ZH
zevX5K!%6HYmJ$#U0APCqjVAxoo+rD(|Dms-B2L8^pjN)v@$a_bzMk`R#bf<pdYL6+
zL`gJVYJ+Jj!Y;FecDid@Z^IXsRtoo$UI(v~+l0rvxWdca{ZKMaW#y^T>EYaK>j}A|
z1`|IvTt1hHj+o_b75OZP)%GNe%~&LT_Zb#-JK1)LNwZ>%R)XP1UK|BW0R@BWfO4($
zl%OXXTuUUe7%r`)i<=Fl4#>n&SAUnXa6P&B^)9CB>V%2ybLmd<RD;L1W2^0_kuP~K
zeFCqS0CAbsx_sQHC&V0e@a>4nT{k+62ao-6f}K`uFsJ92Z&l-}Aa~gR+uj<qb)f_C
zEuiQ*MQ^^n{pvqy<FwrIAT-ANpLy<2fO4&XK`g>)|2N^`N(2L3jV_1cb;+v$V_>nB
zQuml+oB!lx58|OZ|4dpbpgS1+*K*J<%e`<~b^s6jCFY&JiL-yD`Oimw=ed8o%a!_f
zDt{4=sZjG@gtosNLA@V$8BpX7Z-AXGT*$i#E+s-2NXgig{N?FrH<Guyk~=kT$Hog<
zqVEBk;^`ZZSc$5L^uN_iTcJo$BF#I}#z^15fWPJZOCE|T{Yen<G4{V|U})F;77H#4
zKp=de4TJf2O#VwO{O9ihxXz;hupbfrr6J~zF{9MU)c$A56Ic&TC*ift<1s~D0e+mv
zaYMmKSvdaF!rRR>HvI-(5fQd-?AkxIfd5^@JX9$#xCs<<?Sz8?D&4FzP2L@G`0hc<
zA9?=4^#+2v@&So;A=6%g5+wQd?c13g9wZkcxE`AfzQ;B+Y?}gsh8D|z1e$yPhn>fZ
z7kqeAoA*l?ss&TT{4_V~QKjxLrJ}COKz8k#W7Z5;RQEOG88*hXI@=N|tj+l4T~u*{
z8x8#5k30kaH*dar$bk)F;Xrn9Ef`<RS1+)DFUCYT`n-~752a+7Fbr(^7?!-Yzeyf*
zI+nZ4@>|#bySS6ieZ%qh@p@kE9zYtcNQql28&dv$ZqZhQ`)?}fpZdn7{j)%c^jqj0
z%&~m#I)PE2-s8snPy4wkA8gp1&PN2t`>^);kIxaq=h5Y^7KShL6y<8?6<<{37!lQn
zD3~%ssXaIe{CL}X#=q+SQ%E;M0hW2Gu`Fo;IQ+^#c=fC6u@y4Hl1Xc3L0$iT1pC^f
zh@eiZFc9r!O)rn*>Y-qn8-PhG;!To(FZBfQ=)!*j{7%s28u3l%tjmLH|FIze>Z-@R
zw&h>QdA6B4CsMuLFiTLix|vzpE!*?|A+w*pxiWlx2YVPvv&nlvgTKVX1DwCNrEwFo
zyYNd;XP8<u{=&ofH{@huc}W`6E)NrOFH3sP_YjCDD}{jOPfc^RE26lK73jwZS4XqS
zTO23-=P!1aTP{|0)IlZxx4msV;-G0QWAf8yKJn^U-j()>LtJWhe|U!|hj%MDF||tL
z``<zQKR{1i;vb;r>LH?_n=mqShihkg4@&F|AZ_GHRszZ>8c+G59eX!!e&IBO0nSGh
z#OGKx+Gy}_+o}BPwPA7qXEA*JJ7V!98{A}uX)f8L{OyJQcXzd~0ROM<O6y^TZqfB*
zI_eJ}lo)-)OUe3QQli-Q04`7@nJ#**fXcxd8wIkNE0j3>x4mnklkk{-BZPE=>8ZMD
zbO5|Gx&J;kj+%$zC<6cKA~n$*&_8Q2{(>mZm#uk!JcR!Mbf<gf`b1pgHzSfe(;_0H
z$?vK6dm?gzTD{Kr9{_Lne>nbOWAT{u(no@KB<H(E2Ynh-&UMkAbVuNNuWt7oxVh@L
zEM%HqcsEuT2nm);gf}5~p^8s?f83|<U6Xv&Znw#KdWp;_xPd^Eu8J;`8#Qz1Ux81J
z>30lk`~lwWGmqFhX!?c|E&JTV`17Z4ufWKGdPNPrVPt<@=M3_=yP<u7lMh3#Dyp)u
z_SJ4{+xhzW!0R~6)ox4OXQ{phi4jfH&8|L98gfr|zSs~{ZP4X15p#OE*9b~X=nkp}
z$1{v9A3M?nYWy1cg%}urv%ShTRO01bMIP38N9VH+-l2G{Sfx)z2rY+|V(Vv&sA8uQ
zO`VgE+4=KR*8Kd7<5gkr&WM#Z481%w94>y`IY=8h94yQc5)Gn;AKkDkxTktMAYOyw
zc1Rn~f1<V<C>HkoQ|{ibZ2P}Lzt6gyqOsj#{to#l<wwcSEBx%~c})Q`0nbRk{vba>
zQ#rY+Kxpsg{_xNF?z7a5w_Uh#@5o*E%L+z7U4{nCumZ!GmH{e?D*l^(lm|3y-WTzy
zvY8koUWo;>r|qbG^^*s_$3~96sGD!MK~`l-s_iR17G4F>A7Z~1mhX;Ep5ss@9CJ~6
zhtd8dn&RUKuASFlfjgCed3?M}18BhqxbW$BCCn{bj)1QKRQ7+1D@<kRRCCz(TMVXd
zBX{D1q%$)zCA_vs!f@Wp`X@B2fZ=xw;Wj2@B=aDB{{r&~ooT=Xn$+(pXu_IO{SN8&
zm@`>FrDMYD2jpuXc{MJ4DBj_Nt>&;>qtOHe6BErAh)?-W8IvcLn<PAb_!vYvD4<^A
zCY+JZnrqWjEK{xM9!x{%t*Qt~1m|olTfJDyF<;w4v!Jo?Fn*oEl1mBKP;4~Ci^0@<
z$j$^F`C;sF7^>jAuDN%e82{AiuAowg5k;lJw4sv7@oVw=FNQN=t0nv!A#c=1^*eWN
z9f}L_vw@sFG}>C*d`aZxJ<(40Fp%FqE0*;i9(BBL47FLU@v6rE`r$pbRN?x|4m21S
z7l+}bAS!r+HosNE>*em@s<M%Tt&ZsyLYqL}mOc-Ajq^B?p8O(O<7K0d*tns01S-6;
zG~1u{`<GlY(D;~2>;ADNx|kr=hEf({^8XYeC`4i1cYc@z=ZrZsa1)B&kz|qN*qgGB
zd9+gV$ZMxYfPg}Bv(W0I3DSTbJRq!PL|(U^;1=?&sy0@Gua-|`sw+8}Ug7bhhYCs%
z7Vf+!x0qW@7fq+Mtqb|ESLt$R+1Nl_tsSZKV{#}&F~rcJsTbDw__Y-lhBJ6yFVVAy
z3|X$0t;?3+O$_OxLen%vZt7;^6_u}Yeej^ieU*xeHA#hpJ(+&!s2997gQqD^69Rgg
z-26w%fLQPmXyP{hxHGNHgXv;q^R<9E-@IVlFFU!u#>=4QG;_k5PuzQ*(t?=HpgZvo
zdWzBnq*oCDDvi^fKac)f2KqZ9k2)dx_)>U3-jbSQ$P#-GT{5Bz_jr*b>8x7zkdt#x
z8OQ|ys=P)GxUZiwHS7K(+u$Oi88c<C;r%nnuAbBXkI6$K&%eg%|C~L-#`5hW(SQg9
z$i~+Y<A=_)I6mTUi0-;mArEv7O27gb!0%k^uU8L=kbp}>LcOjL$zPlY1;~59IS(!&
z5a4E%WxHLy{&|G{6Pf>?_7D{z<_*X)o*wCw;)~(AJJf!<Yh0N!ZKm|>XZ#*QhRxD3
zok{t$GjhULk#zzjcG-{ccPu0Wu~?Imk`f;&js8VlFq5jVfDj%u;4J|%@20gd*!eeh
z0-Qkj!J|LvP-zlKOq&>*)O_PN9w&ecIyc<-15;dDd6A=X7<!Gak4f=qSz-7Cs0gz{
zO!(U?FnLFKbBD7{NC~nV{>#-woG~WhAV=%`ZUdkWUOf!Cb`oHL4?(m*{kZG-4Jh^P
zYfxUy45c4=d?v2Cog&CkFD?K6Pk<hTPYlJdf>;!byab>F04+gcBv-LY6yAt|aOC+*
z@aQ*!APs?*Lozvgtf2ZCJODNOez=10j!?jAZIORuR$zzzczp-d+WQs-?kLEt8-Odo
z1yM@O01OjQ<VZmTwE{M)fE6Yb%7lqP?{OuD1}Ok*fZ@|aJ07V3Z0+(>y;K%!*E`{W
z`a7JWSm34DH~sy0cVhoeW&XAxEBJ;8P<A?%xFSAtFu(`@bFYAA0P@T`O2tX%M|a-p
zohN|5e=8`KC^yv^A$MHJ9EiMK-BhSt=O^d;@N(gsm(4cKI%C)02Xxgq**5c}v(ShE
zW=Pm@RGf$>Ux-~WttGed+~ORlt*#C7Y{l@D4U9kVJ^fNqfLqG){jum+rQ%~n4vsI~
zUF=ON1%i@-*$nyV4CNGlXW27NfX%N~I&4b-c4oWk{BeW^5&VTZBWvzwHMWD!RvKF|
zM&soLewF5PtvZ+N(t0d@xTAE^^IV^d^qoH}-b~p1mZnlDd+&r9?6r!arS<LkE^+1U
z;~D*i?DWHmrmkNyn$t0@J=!xij>j{d=*t+g#m9@RS}G``*y(1i^N6cAiMOZVoB%zw
zom$k1wpl=h6ZDjy@-wXj6hFG?ta{P)&xV~`;JwECcu#lRoM3#I?w;17(wUeE2}_ls
zeR1zIxrH?Gp*;%uYUo}qksfm?aTAkbt)I`jir4q+j}r&VK7WXN{rF=8M(wFsuk`T9
z(An-5|GOql5_E67eA-!UQhLj?(K>(~b<JS<1|tl&&=D$3c%bo#K6L=ie5>&`bsF%?
zp87t!H}Mhw!rQNhGyId##pxS&U(@H$Z7G63?|=LG1$+T<LjWPX_)0wx#l?b`>Vn|}
zW!%G^Tgn@UF><^BIf%1o0K@V)vt`7187bAz#>@TOlalevg%3hN$BU`HFY-1hkd))4
z$sl<7Ksdfz-tjl7PtnsgSdn5JuZ;^6Uf^FH62eQ43HWY|0BARK$Q)`8TbR97OQ&zm
zWWH#z)?e0I<|{TXQn-H8zjj3&htp}ru(|y8_^iuhyxl~NSruGpb-hZVKsnb=Lj-vq
z{J<T+iOaQVKkAOtI%wmhL`F^eI<s}1bSjtR`vug~Gcw=3BmdyR;djQW?{45WJdI*e
zdE4?&Qky%D4Z>?d6At(|Emte0qc;Sm5AZaQiZJF!IK^ZWGwpo2O<4o_{@wMIb76j@
zfvdgqagJ-r?k|mUOc!h=5yOt{Tkpnnq{}$hnEd>9aD#Mp$C~{=v}Qduq`mRq!dfX<
zz!(8w)w<!{?So3R1bMqvZkN4MhN!5NeZF;3BqbIhyW>Rs0)R;y^beC#;-lVef6FNT
z@C%)+bzS};cNj#wkAJevMR*^#M9^)F3@Uke(sxF$rW&KXt<j*Q9{WBS^j?;#KeU#O
zU|Y6pLum(AoAY!IPC-OKfA%uYdB3bq1X&eELSyRs!rH!s+J!Zfbsyga{+OhZ32cRq
zVo`yVky1RaIk@)Wf3hQl5gP2Z{|~@%hZBzEr%Zhwap=!*M}8|UtST$IEu2lblrh{@
z_)&)hX}yMF1gP@!0Nk951%($1GTrg=afr|udNw(&d(n@4-cm)QUL*pD>}Smc{SmbO
zKhNJz|32e`&`Ae?EgyQsnIx5hcSlQvd3#ddX~n|S{Csu|tvw5h_GR?c=6B+G;d5%E
zbVRstanHo0k(B~1W2;9ShT=R2eM>F-)9jXprC<{)D)vZuMFo&>8hbxC#G?OoZ5OQz
zz=_N!Jf5$To-Cu`JA0SztTwB?>uKw0s)6m*Oh4v1L-vE%?^DA%*isXAY&YCf1WB3k
z-pF~?b%n0<bx`v+;O-6&g7BtfjR1fz3_#nf=Ci+qHy5BEt?m3Of**1KO^q|0>p)nx
z0pTf{C1X?hp3Z40-^P8~%v!c^7lZ`hSqnT@4^JNDGKRQD48*7r>)0?6`;h)(F`qbE
z^^efY!obAox3$ccJb@rqxg9;xM|-L{C&nk+K~(5alpLH;CmsGWd`)|cDMx^EDO&c9
zZM%CejJi?U^#IMKIk**+gwmqYkX3a34)E^U4U7@(W3D8C-&X?SVw^pa=dW~g2`Vt*
zGK_6PR_I86?!lLuYLhHlgYo2Xb6xolL9#d@j_vHBXfSk+0Oz|sKZYgs4=|8jPddVE
zy@JGgd(}X#StcIF=wAM?+LLu%S2+I$k-15k^FZ3yGh&=x0FT;Nv?unaqzRflS98@z
z*Ja1cx9Pc9I+4D)RU;6=>-jUtyN<V)VQ>2@QMw8W(a_n8PUHO)c>`ECN2lufr#V`O
zL(o%vvulZSN$J&9PJe`lkfaUR6YNr%`Vh`|;daXr^&jDR0E7UU3UyT%mID(yo@Ndt
zKfD%9$13L?s=asi1sRe|>5^^2yKsx_Ft~CaeUzX88vLJTZQ6`b@0&_>tk2AyVlqvQ
zZrsj${7FLmCP%O$!11(=K)Wpy(FL*zv}hJw>Nwmwwh=Eiv5vBov)&47{J>~0mMPef
zqBB@aPiHwAa5cYjlD}zlF7E-{lSBp2WF>3*Y4^D6;hn=;@hGN4mU{us)KIy%0-%zY
za+&D8{F9$+l+2Jhy;EjoxMFMorF*q^i;qgz%HlXdhyTx}97b>nfD<m^3SE;Zlo}94
zK(wrZWbihXrA=_j7>VE&-V9>Q^&hak0xMksA{bW!=-&Ys_zze9vyT#}>RqEIk4SWw
z(3KogGFI19d?hO3TU_P2zsn)HKu2tSA}A5#1;~QwZ%PP;08q(tx~gO$e#52TZ(v>p
z)M7pY<$VBmfoY}w(HZ;k8iCQJgW-6W6oC3)nB`9j@F%*vde2L>6To3<vQ(gNe(BjC
zGla0m#K)#D*43#_j<qagXDyF`-TpV|stEx3I5+?e7#5{Z18J(peLX#wPk@5tLwBr{
z)YPhH<)_Q8Rl}dt($Zw|m8m%bXfoAib9fg20Jy+=l9QP?m%dl)!%4j$Cc|r~nOW}q
z64+c<J9N3Wq)z}a!Z4lZNf$(n02a#GV1Q<3W&+JJ@$cR-Gc&`&fFZ@mo$1D)urS=s
zt;0iiM@L5w509r$sRGQ{1O;PNXbCC37#)CNKFfS%I!-!z`UpK$RaKyS!aE{EH5sKO
zs&#u413@J={pJdZjXVT({egr31)|-E;SmuLQ4|yuK%bSOq9R0g))Z)68y+48I;kjy
z4|aF0ZEOnlKnS39V0?6x7<AkmN`5c!&Ye3zU5t)fpXttAcKpAbA{S87JFohc|K%3n
zCOVhbC<*0ivB7X@-_weMg3X1lBw*y?*RNl|+}YQ!Ux9WmppUMiLSzeHA112+FK(PR
z1f887OqzR?78k2&YgbfOdH^$xVt2?w-OWjtS7-@qg+HJIvSpyo3^9pH+aHkja^ZhT
z#m<+9ZE&)U61lLj08DF+kLxiyIXLjLvMy|ItG<7V{sd<w35;+bo|u>z8bV5==xJ(}
zm6W`KWbF(Wo8PPPeDU62NcA!{TA=?X0VP1&G5>$a^UIfUv?dAE6=%=W+|u&WXWZ6J
zRke3|+6b808yJY|n1=`e-5&*fK$j@1l+*-0TuW1P=;e!~u7#w0eJaq%l^_kA*6ZW-
z*G^id<07cFguTi-d`8iZ9(xRW&eP*|UUq_C9k*kAh_jZ~AkbX1NrZT&t^GbeURXk6
zb?aPK4shnjkGuQ(-zfu58?aVXTRS;67KYkh%t8ayblpWoMH5m|0N1W9EM#2GxO|Bz
zmp0iDVOTiT4X72+;$93i{>AY@>4&<{s1<5(CTbiHTLS_?V&0eJ!;KIwO7f@o-v?d2
zu^9NNZHO2lH1$Y0+MB%Exb&nofQ1bf7b<!=>GTW8I~Wf52wA$0MtZ0f@)Z-;W%1(r
zr>@%Yuc`;p_+Y5jWfkW;7W}`2p1=0yx0l5UfJ=V<=0g(lD1XsAe(;s00Mhi<851Nn
z)q3+BkmIw3!2$#`Gys8I+b4tu-HWyf$Akhso19!+Ur!CzRkV{yZw6w)dvZVQ>zF^S
zVk+(WDd6H`c_vXYn;N6!rc%4J$afOp=+*pVud?fo=yp$cH}-{5OunY3CNM$VTzO2Q
z^E;3grOSX2;DBCWe%oY^6}E8qKdo#n0d;e6Atfc<+ug19+-sk<e<OVI!Vucw_cmR2
z8iYJkb5qQoP4ZrG3oN5ow4NjzdA_nbS}yIjR7g|dn`Ct&?4aeBYJGN)pC5TxIOOWi
z$h&)smDSALym<HM=xBbP<)l8fuTO1XI(>$PPlrlOOpNG*Y~<2Oz&$Xj=4EsFWp!LB
z5j0|PojxvOt-hvF`Xx1u+5)A-#x{Re**ch+dG6^+B^nqQ2(1H}SAhxM_4W0#G9i+>
zNnkqXvcq+JWF#>uNf($IBLQ5htFx1njjdpG?NfVzstD+t?+g_(xo@q2=39CAxDEfH
zpSNA;7YAIf$y2AYy^G*-%?N!vns1u>dRutmwZ0CqgG|22<`?xI@=u<WKh1SN>U$y$
z1Pb6-<>ln;?(ahs;^X3oh=}ajFQ;fD4!l1}yr-UbXql+>Be<unr$?&6ky!w_;?yhv
z=_tX12LLJX(&pFPBMbux1e=l)fw1SHp`l#yI2M?!bhNZ+wAdFaKUW6xB`1QlPv1sF
z$g#emd_gigIcZ)643jy#xcF$eL}Ft=TYrtxYkYczBO~T*<aWS4e#+IepQ@VUM{Q@5
zQd8+Twoo<pA%Ootx~BA;wU6~Hm;gOh%7==YdS!KW*L_mz+}6&HDHZJO>MHcOVXbgx
z#@_7t^XI_mP-O5U0y+ukw~rse1k9f-=Py0!Ds3o<p@Qy^J7NFbeI??8q+tUHEV*aV
zHbQjp;R_CD2M6$Zu{P(y#$^7!rI8UBWK%p2F$Fp}>gu469=&Z<itOm<_+eBvy0-6i
zuwJOQu(;^Mj{g*JwN{ONEj-u3_^s397Rjpl<Er%Ri}|hjTBU++n~V9^52EaFR)?79
zppP>z6V&R3vFF}$>>|$PxtUvB!~yv@I|DOZ0`gP@)HwPnA3jL=p1#j;b93{_)=<{|
zqX`obcjJJA_!PKzpl#X461Hwjos(;cUA|&Tb;>WZvc7-!3cdZE0=&hrP~PtB?5wZ9
z`~3OMb6{flB|b2Zzo`YZJ^Sr+30n(Mp}r`6>L1+N+6qjvdU<&<bgZq}7=D@)UhC(e
z0i}#ByDQs{N`I$C*gg9&FFClelXKBp+)*3;{a8BH;7qEg%y;wX!??85S*!5C26j!N
zKQQ$B{37Bu>hl)SqpenYVCH^ne~Y9ZL}hmh^l1KQ3V1cT)}kOI#?8GkH-}oT07O|}
zoPKw=#I6(@o8x+z2nj|8mVPN*sz3VGM!b@Dp;<rltw?kwbz=iy;(+oFFz`d5?fd8j
zW$-}W>%A1T3&>9!h(+2ZE&u>+%ljBLl6r$_hU=OfH30%Y2qg^gZM>UJ9mU1Pz;NIk
za0`L=>EYJ#aUv;kjrb2D2D4R2_r81Wtyb3?*j8%5x$|3EAP6k$<XWt+^l~^@hzKkL
znp2Z9^KJ=0>rxZGVCvhi(tYhpZ{X>Br~IO;BRg&>f1+W2K4bIqs{Zs5_z6CMPdG8m
z3GC>f+;IP97}IBHAt8@xKqIlctmNZQ>H|7spEd<}7f>1kxI8wlkA2xN|Ij+H%GK(y
zwMGq~CKZ;ZHQ+0<b8iP=Y-r7u^7Q)FnE)sz54Q~h!BKoUX8>MS<mq%TNFoVX@?8LB
zmW|4QXt5Q_hTUNca)4{baJY31t&wBQQqfE<=wA3VX!JCcc6n4GhnF{TIVVq7$h9Wt
zMtyG=UnFU1d3=BTj$CW2bjXd(XAigw;pNMhIXRqrlO*cOCSZU&I74<b`|y}2Osn<A
z6Hi2jQ{z5F$0qr@*OUTv4f(JRzf?W#<SMTceI2!s=Ky2rEml=($I<zQlsR7!-ZJJ7
z$SDI1SpLE;66!&s<P$IPokvVmx>vm4{~?J~%}86P$HBtd%G>V`)L-(M#x@VBKhsp!
zjwZhlbG4ji(vQ=MH8IKjC7@nl8NuZ?bmMNLxSUlMF)2VirnQ$6?8@;q5su9E6-Tkb
zfIv_yaq8jv0v8bx50rwc8*=8~*2Qxt(m-JN6z_f~vRlqSij$HOSC0C=hv_(w1(R6f
z;qC@wP&j>cgX^A7sN<Z3Wba_ZtNj+*mz_^X53?^M7q;mq_4P(B_$mxU$Nb_=&L%(T
zgVTtqX)zYLj7pu;Nr1dCI}7W@LICQ4QNebw%fWDHW@g#<n(6M(Wltk{dC1*qcTTYw
zNDU>0BoAu@Hac-C0KPh92o(~-im93{mce~<H=92+4K(>GUF(cVZ?8+^2P!?&;#Q2o
zmYYQm#;MQ31M|&;m2|Bv4Es|+_JC3IynST&oRA0qTbX2pCq8!>K=t7n#dJL1E2L=2
z{X);>Nl50^2YivsR^yWT^oK)%LdJ3fbOtcnHB02G&5iG8NTF*4um{Xe{#I9)MU(u)
zsea;?2z7Kp4JIqh%WQq)txjt7$5gi`YYXXojxx+~x6L&VYJFUA1}^4P_KYgW9VzBP
zxjJHCPoUiK=^LuIhke=6IDHKYTjTeDHSXuBg?v2*Ej%#W6<ZTr>;`mV6!<~-U?I73
zQtYY7uz|h{4g&Ptx|s{EdjpCR6@?Bj7GwlXE`)y@)R$^eBJ`Gf!q1Q-h(h|w$k3sL
z&|*Tozn-;BWxLf&x_}Sw&Mym;vQLy#j-oKxQkY#_4HKXtj9d|_5zcT1=;Rg)jY^t5
z3eYh9S%f1J0JFdyG)<L8$|4|7)5$%V!Zqp4r%LE4I(p%?k1E=c_Q|7CeNLM3#Of)1
z^T_vA=W0=RKK?9pqbk(Uei(&zDTJkf&X$}}o>A|tViA%dyiZCS5=Qe$7v{_%?^?}+
zK1g|Wf;?@!q<BS*jQwtl3f{0@CP1)7ChXt`FCT9MCAR|W9_Z+9gN3Z?Nc+O-_f%g(
zkY^j;TSaBk{RdPaNxq-LVv>>3aj&AWf*q1l<LXyhwZwDGXx5YLd?UyfNX_bh+->{$
z#lLxP35b+{$3t!G_p8FnM}xA5QgW5H(2(tks{I>&=%0odK^B$o)vh5SAaz3iNp_6T
zEP@)hx`ZczxoHL;Cnq%(75}EgLy?nXcyfD3$MBQ!7l`xonq&GPd<>|$o9H>$(%0ur
zSkKUD7M;Z})Y^Y>o9++3bv-@vi^&}x?@q&s?^;@V|NY$OL+SRc7QrVGrB(7{F>&!>
zg6JP@^NxD@6B7a7zkinx70%ZDGreVDz{S0EL8bDbL~t6&6lUh*M9K%KI(7ATQuYe-
z^<mNAKJ)T;$9F&3dtt_ecPPrUH@KCUK>3+vk`#x!nmV1nRcV!JHAVX<=O47)Myryv
z+kz{N)SCyMpulyjsO&8WEA8La|FoU_Ty`+Fj#-02mg-SEsNJXRZ&`?APx&Y}i)&c)
zY2#<0D%}r5oxrb1Ui<JanqlgY*5Qw=d#S<p^$a~wbVQNviMDpq27jxqt<BB7!_7^w
z1l+2V>U)fJfA4s21pr4?<N82bq_(!UrsnHhvQQRDNl9_>lc^~XC?zQ=G#)^Hz(|vh
zjt&4dDJdy|9(s42ur}>d(4%w}1)zZ%U_Zd%$lbg3zwd0Rv3*n007d|P&3^G#;(NY=
zh<V42)bVbyi@nfnzq8Zrd;@(m7tvQ2RVTgc=&I6r$IH@cO)rAqzLk`aNKQ;_pxhj9
za`y4*sz~sOMa-TJ<CV27ITt;;b?X+$A<o0sH}6!J1@MF4^AD1sT*FNVSAAJUOI0_&
z><dj%ls7Ah>}NZ%cQ~gpW481SFHZjq8ds9OUtqv>^^-;u_W1E*^zRwz>A+1z%ykt%
zR*}f}@88>3jXOCx0b2sx>jJF<u3jmaU0PbIs{?_6A&-%H$L7{nW8zu)x=)dnwY8}+
zF#!+jfV*mdYY1?M9K5}0)V~)N`j0>8iUczAv2a3}G|5n&^z6#ole;~(mFGg!%YHtd
zN0WRx94CI1NIkBeM(mRa7K2Cpv&;n-fl*PrGcz~o_&14q2%yvEJs(KP$!DJdHzm#3
z08q=_$tmXS{dml+Cy@bqeEj?z?CknA-oc%~5LB}8Gqk{4A>wEVpysb%Ms|~J!_zz}
zV0(Xh`HM}Dw6yvFBAw0tAMB_^hvx5jSkxQjV{gCNDt*q&!Lc%E;J3E10o-t+|2ZQ=
zP)Mkyxf#3x3Ty}mu9-kbSVO22fZGi?i4Wg=A5z7r6JU~`60r;wfdXCf7cwC(CVQ{X
z{Kj?V^5R|g{mA`D)z%JKC*wwEB}8h!o8Rp*UdfwW)Fn=8=0~iiO9EHIY-ph(+y~`>
z>k!m6G_ZibuHoGB?`oeNo0*<FKRfa9@zKyfqHERy!kOrMEP80nqcuX1a~*sac)?5Z
z2t*35X&&wBKX^5b6f7?*3v}U8tqd3x=~$^>?GFCBvb6NV&JN?kKNCQ#sgho0z?{Dc
zDmid%6v|5!V4QUOSGE=~n<FD5Bb3xd4lge+2N0OU{mHl=w`oA*Vm@aFc6mT<=~{K3
zI}oFPH+;d>mN+r3J?;i{RbMDuc#SS((YeIoi_&Y1)N+*gJUijjS&QXCNda6Wrl6#x
z>72j`9kH4+BcZOTsR+3oZbMn$-Q5MK32==~;l(g@1f>)PFyVgb+?UnFqI4|y+x@n!
zFVY^7q?Z-A$!C7Q>?o>p8ssm_KWUp_XFI$6la2}@9v*uqr@qNag7;O`)j40j6h6(R
zm-cNkZJrDWK!F)6DJjXxweIbeZgS8J;WPs?022CAQlg?p2_LvGco}E;;{p_c%X=J}
zfEgX@vtDeLKoocc_c+kmZntA|aX4^n(3=BH)6{Ob(YX&wrar4&xs_-9)#gCaM*7{5
z{s7R=oS#o)Fx~)x($mw=enCNmWrhPui{9^41r;Ik)_tFlb?OXEg%%PLQa7ogp|PqU
zs|u{L>o+SEBPydq9_(j0?KI5W1@*0cQ`tTodgaI3(~`9S)R((`r5UY&KE!LelK_6C
zB?5Yyxd{UOf2@58G?nf5ws{O0GGvNMW)+bkj=7Yn!8|14m_lX}GF7H}Wlj!KN<x&G
z%t|;R^N{(-oO%BCF;wsS|GnS;_pSA<^{&;sT2JS>pZnhTzOQ}lYwugbd>o?Q;wsb1
z(NQiWqveu;uf>5Sc2@{iP$%nedMBuzU=x3opPzqSUC1q}qqleSa*01DIr{dMRtVKE
z05Bc7p(g9fijp4?NN?GmEN?t0Apgx?xANGYwC|_RpW=p$1`|Bw&~8AzCy74Jis#dI
z1P{4MDTb}?|Ihl-KlwSxQ{TJ*DWh-yuFAu*B=BG7c^Ka{yx2?<)S~|XBFuXa(pzka
zAyx*d+suK3@sS+|y#4o4m1|f(cl)iz*`Z8!lnSpPIj!3a&e8clsVjDVn+bL1;t53J
zGuA|wgvSkILpj3nD^_bjD7^U>(NY_<Y%s^F0M7m(zzq43ZyPt9h_84V9kj)86}*t1
z;3%C_H168MPt5S})w1QVsiImnZ{w%N`a*KwM+k$x%@q#l%rzZzL=MQjz7B%b&_APK
zE}xyB-z%HPYSa65gIG~#FoO6Zo7#Qlh0nH5$VHsJw;j36N{lS<O|-xYE%bnWj@=U=
zY5U-;H3ESxw3q$YAwVnr7RBuFPLPa8OH6`D)s)(Mm(tonXUyW=Qye~&0mr)E;G&e3
zh`Uqd@Q?Ox&8VejXXY24Oe-kReR{}hV266%QxJGru)6%l^0?r3%a5}V1&i&czs}%@
zbe=pqxhWi)XTC?)l;!}BRKJG_>2Y&+gsFBotia=pcA67och27)0ob^=Kd2G&lWFkL
zkp09+PGo^L^9#>?sA=fiIsE>IhTxg4%Wm_5-?RAp=|2N>Am~1H?gse(oV>I5$|_`k
z$stEO3DAE*&xm?Q{c9tO8KJ$9rcYK~6<6FEi7Y8|?lb7eb^Wk3W7k(vGnkwD?hU07
zmFwHt+qMo2LDqKDi!v;o{U*d1ANJrCXz=)^kAoOf=I&0~$4PAVRAgJ2=QdUc@rOF#
z8S5gp1OO7gv(qiLP39-GWOG4^prCIo6};GA-9Ixgb1CFY&cf)A0Z4Bj-HbRg+QE?d
zp)Ksjv(lJEJ?k_}zB;~69r2I#pTfz%FHU~Bv;De`6RZiJD7B0PH4=i!%(S$%{!#9A
zyzBXZiHHQtZJ#YZQwzQn`LmW=7MF+re((Szozp<MBU>84#~9XsN-<8<iCTL6?65wb
zl32Sdi<j(}r_9!q$5ES*YVH}fQdKksL4w!=yBy(L<#}l+e(_Uh#+}K~t6S<awbfi%
zWWEQvYnl=Bp(E<*Y%=nr1C8GnI&PcVGN-do&#*1pQR&{qLzV*lpMOo7Qf)bxYM|zz
z?d8>zWLwj>*cY0_GIyEPu)+B+*o+g&?lR_75Tj>@YY7i5&pA9GZ<*lq33Fe=^9IR8
zj_^D#+Rzr?rlo68Fw5<^_vsTkIJrmSe7EL;5+9P+(?ILB&N?R6ICs`<BBAK951&<D
zuNO+M<@xek><*+%`c83SmgBG&W3^X+C((HE<TAaKvh>4GmzoGo!YLXCJE_%UA>nQp
z(Gp&a4v{=q<7m}W@7BZX_I5F|=Q)-@g&aqDPA>u4ga%inDa->)j)5))Kft0!`_aez
z@N!n1-mC3*7YI?E#!t$1s2HzL246a`aNYVto4Z37Cms@7jTy!D5=0+$s3*!M<)+fR
z9`FAO`R-mN<!)6TQvB%W2-+*u7#vKvUrVaup*n)&`cX>`l`PW+14|!Ujy+RI|9mT(
zX1RH*ZMA8c{kzG6yr!A$HQ@#Xu@kbq@%Hy0#)X~Y1tn&0?WE$B2c18ruMe`wmd1w(
z_2SoyNi&x<k4LU!F0a1b;18%Arv~;MD@(@B4OBZjxFauW5|!L#kj(MHOGJ&Re;@5@
zd|db=YN7SbtFP5n{x?Iu_j|1q+iVUrE&H_A&DcyW6Jq?P>c>uHpPQ0DLh#+$-BQ&|
zmvuc1MS_B5&?qhQq$B+4_|T;-JW<*`Y)ytvJF-}484P3?yZ{k3;-ZK36w(H{ROfkR
zb8U7GgANfw<OFH<91}{c#YJ^G9&7F($7x_wdRZGqio%!h&x%B2+`4}tpBCTMxMdet
zC|zt{_U3)?=Z%6ouFurNMdL;fGMv}CEQYjy=;ps-j_&=z2jBX5Cs%aVzx`^c8;CIW
zd~cjZJnLTm94t?{&!H?O)h^%e9`#Aa>sb~yE;knIirnxSaoF9*l5lI!Uw<O=Q}7uP
z(WScv*DVK>ML)LL7?(5i5u;`w`|>Q^_MBoA3ShE6v&$<!)LM3-TrD#zCqUoP#YHWP
zHNn>YXnOqCOOW||3t*j{Lo{K+Wi|+Wh%V=eI1Rp{4v#Oz3GL<*6vbUuhef@W5moc{
zUNOzm`kAjLw}2C9Uo0LK76fiLtg{KnYv?D`Qf9w0`$6ws_9-tl_v|1u%L(mi$8^c;
zPjhJ%Mv^W?7kqkGS=(iv>&P4sk1r{D?t1nOrPyhUJj1D+cJ=hhrq@%PK1#lC1Z%0P
zMY9$ky0#TK&C=`WCP00)!{XA<fkzx~VA?Jx6~5qA#K|zm)>-Vk(G5?l8?twllFwfZ
z&Z9bZn^F=%yrEMCsfOEqx-vxPT=S^j84r9k<<w!KdgAt=%<YqORk`rU+8`T^%_`l8
z<PMFQvlso6EGcsD$rI`y(W@yxGG6m(qOqU}$8d2ju6#N|WxXwXqRc|4ydk(q5H-KD
z*3kTnJg<HGOKG*i*8?J3eM0YzyLz`d#;xpEiALI~3=lVaLXX_0MkE>)Y)?o|MD|i>
zu`Rsay#9V*rnQFR5v%3FB~0ApyGN)6?LMgEeN~h&?DP1#cxh}bD<wxu-MB?~Hi$;?
zFdFBv^*B<JKd^iq=*ldPJ)|@FeNN`#P}np~7LT+h(2CWqB<9#2Kt<@Y*r=>jK61Ri
zIx5>a#s9v3YIUo`*1Uc(tzxV2>s;cM3^pDgB9ZnGL+x-QKOfE8?){4&7MBjn^9>$n
z!NI(|mUjmFzztfq&djxSo^;skHqgKHo|R3XiV3lvc;WHUv-q~4*863(dhzRllJR;!
zDyIUK9MtO0oopW3o>thA(P2~4gTge5oIauv*t7$T)?kCHzfIbc!sk{(>DJiOCY)Yr
z$AoVqS;qbECST5XyAL)T)gJ3{c8L})EkBhvB{$m7W#IlC$K&SWsLU}#UDjI%?M)I}
zrWfvLUoX1dBe;QsNYw51e3>|-iX*bZNXk;^_OZZoa4XzST7Gq{T;PRqzgypXNq*ua
zUp+je@s1u04{7_%h><o?#nH;dp=P`H!5aW>!8m$Y`+@WSG^8#^=}{awx4zX{qiw72
z&qD;hvLw*gxboprzZ!?SUEd2y^Gx3gs1Jp5!L8VJ+w_#5DYUVoV*=}B*Kmu@_4Utv
z)H+r;nyJb7pxUrK-dwq*b+P%G^$_~ZtyQU%5cy^Po)-yX&z3hEH;hiC`+g%msEm)Z
zZ2Y>NuMu}GOlaW#e#Q|>Ww03!`ozcFm;G_Eco2l9T6WKH*QW0~`iQQ?{UrML4EG$<
z15QOo)R{e~B6T09OZ!*scWF06`8zu;AbnKx7#>nMc1MId4{+U>8Zoh>KE;At_-hs}
zpD4$_#l|~Xq?wh&f7k+`$35+BaMO7@o(gQk<xQwq)0%mNztCU2vY}snbFt>ayi5eA
zGN|9^?EwAmh*tkhe8T5r|Mdf$u1nZNCI>O{b_}Gjn?b1xo8BC1(*W9GCxr$#H+E0S
z3M|+Ht8oQ2fWKd`8pO5O&w5VsPk^_U8DiMp$o%g~*S&p)jauG$V8v?$=*NHk&usKg
z#`W(r_s>V;a6OR7w5D|Eh%+aeNl#DDPmgVk4Bd`_s~I%N0IZ7UAi!i~WB^+i5)uN<
zE$2jK3Jl)9e$DG}EA0?$_Lc1W0J1*)*pm$YeZtS+FAUX&GZf<y2j{te>+BSlmKKE8
zdytas?2P4xjsjPnq+H%%1UO*Is53y_P*_}?Fj?2oP?DdY)oB9?2Iv)27YhkXUEOj&
z7EUsu_O><+n%MK$FqLU$cJ`oUQE%8wX`dDC#UC2}xDwYj)^<?m9$3bzEO!YsY>FAg
zQqaeSWW24d4L%40cSz0@^Yin6sjEZa;y~8WSxt=+^RlRjIi8n~52yo88XRbu^uD;*
z;M%pw#Kc5sbBhOTn#|V9P*s(`Mvh0op}k&3)fNirUEST(S8>diXsFMeITL`u6Djjp
zgm$-<US0|3ypD5mNhGLk5Gt9rKvot~m*qWneZ{iKB$~k9HANg-uDw783c8+OAwYM*
z#`j(s2;$Ea6%(_zvVv6cV^X8e{{E(hhDEnmhj9$AUd`QUZ-k{m^73j$Rn^tS+|P)K
z5qE(&!oI+Ol$5lCj-7pb(V><14RGaHcb6;=Ys)Tu2ZtCG4jZdY-b#~@t95a4Av+Zj
z7xz&0KDR$Dj>qlW?=mtdR<+U(t@e9wpL2N-9Bdl<=NLh1?Nu9XuK-~5J*b=38xi=Z
z=;-KkMjM9u`lj{jo!H*5`AkB%g3ze|R3qp83V^@>IhtdRS3ud}{bVV2$$7cC?LFsC
zLmz=tQBR)uFF<dl(*ZF|EG!C#lj?9hoSh>BlB;isOG(|?Tzj8YZ~Wt1((aCdP;nu4
zswH+2QI;o^5YHg!E&23TyDEv4wCF%06E(iphVUmAy*r7_X_8yV<$g)7ZNd3h9L7NA
z(b&gDBH_CABL@`~GJK>BD>L&&HMJTpx|qborY~Qr!v4Yu_3Bh<yZ$F#5ZrWMD>N)@
z@EGu^!hhYeu_3sS!((C6TMPo2CTASvlLa?z+9avwI$%{zin82VGGVYpy_P<dkMrKB
zZRZe6%8QV4?^SqJB~712%<q@xVJDKjtOA#$uct>!Mn;)SzYe&_p8o!_4<B5doB;c*
z9iXJ_vJtf@%+CigkdCpj^5J1G50Apa!q1}FUfCC>EzUjJA1rjD+x0;UhPmeZ)x|q?
zWmQSP72sGSyQZR3L4AuF;fTaTivK%dQ8)xO(fcL1T`aeJL@(jvdo3PoZ0#04QmVG&
z$8O4`LA@oGv#@p(B#ZbV4kd^W{wRI5c5KCQ(y`dtF-Rgf(<->O`{}6iNKiA$l@#cm
z63)lmT$SMJZ7Io6K=Dy+c`x-<7KPf#&TRCXFRx6lg`6vzcz^C$0;^}qgt&!k4O{no
zUwnJ7M{h=y!h_fw2YE)1U4G6zdg<Zw7{^AYFQi|@r<Hqdi5xzpk;dtRH|sU#iVD`x
zyJd)ANHab}{&D)PV}=!U2U}lTdun~|U^rRsv<506ky>oX$-P9y$=kc$Z%SL(&dx5u
z+Asi*H3UPC>{T8pB{K_fh&@u~fAqSXZ(EQ)UP4q9S7{y7C-7UKTguO`YiioIP4B;H
zYnzdlR#%|qn7e&4$&OIZa_qdX%Uvaro51=N6?s}%jD7!p<kYEb=;?BAePh*ePE`mR
zeYkxHm`OIXusA{4%w~gk&XW8ybUKJ}!wgSO+8~j2g8k5#2)xkp^0E#jv{Rw$7G%>+
zO^+TsMlfQm42@Rkk*VS@X~=RNoXB%)Fe`S88r*y#^#rRyBn|Uc-`F}&T|q4-8DeE+
z;N#$h(0(iFw9LkAWweknly!S=%qg#YhLPPA<KY4C#oG24^g4@-yr!*99PYlkb|#mZ
z%gNQ1m{3SikdlI869(?#A<>mWbJuT)hlj_W>&?9kR8L0-Njr2U?u4H5^BTj0n!Zs9
zx5G3gn0IEtfKb_Nr9bGDvVsB&8yg7Yz{`=>f;Q#esHljDlatf;v;!ASO-%=?G%Q%^
zHn*0`YW>R<^z`)BW(VYLZ3W^?w%~Swho7Ni6SSx&afSXQ#>U2X?nr@p-0kd!<muBi
z`c7;Q(^qs*&c|X14{x&*69?6Fc9r$?lttaXeaG?cPlDX{P8a#S@NO#VUAS~VIFCY|
zs}5GE)^4;eEEX?=Y6_3S!Pg#P0SAx+!!&tBAfLP|n@#_PypodM)>dG-2}#+QnLV>M
zvj_>W5`%J=8V^@jF$syat*yK6?z&Gu1!7P%ul=1(<Uo!C-BSjwCwn#x4}pzMK5-1W
zj8B$3FPzK~BWm9R)6T}if^e^Hat)4!227WYjKVJ58#;CVBpp*^j6cxW$+%o6UZlln
z=QAHVWR_XgQ#r>RA_WIm>02H0K(D)Zw<bt(1MsHQXQN4aQv=HsFeg^ve|gZ2*ItBA
z#_*um(1PepqY@Q$b#;)JgoNCAL?Y6&Tpuk2GQrt+xK$yznzQYlaRo<dliCUy@7F#f
z(rYxvJQU7>%n$4yyg<lMo?RjEFg3-m)uZ|_5%3%@)bA9_Ygrc#G?>rXtMaKUybij)
zfg;^}CZ7iV0^8f$eUG38xA{3K2;-1JcvC_v8YsVw!^l+Dve=`N=483jB4i8D@&2WH
zqJlW|UT!0geHIhr6YL)pq@U3Sgzwj{nk%XoE_~Y9xC7#w4K7hptzbloe8(3w8ojcT
zAAwL-RFsXGtkie_+v<WjH@dOuemWxHl<m8B?`Dn5N=hIX6;cE)<m_!fVk$~X=yz3_
zmDCP<CPqBwc7E`?d;>OfDN)ft-D83wO2VGUxoEc7PuZ2--IO?enp2R1#`;@(du0Ku
zQW6hrr|5{whsi{~QWAC<&n6)}#m#B|_9Y@uv>8d?6%~<BfB@64L8_ya4fi7KE;wv8
zW8&jscKq8Q0R^Dv;0^AxJ?HN{C6COv&h%$1k2oU2eO>X*@j|aGFH(F30~_sgY=@AY
zJTH&aA;&C^`N;V$o!~}K!ygRX=#X*^*teRf2KIeF^%#eYuqzRTC?ek-8S(0I7F=4G
zU2Zg<A6|yj!#KRDjSvEjJN#%BM>Y7(WLC1=vhVV~ls~Dcf4I>ux!<h4<l9C}sD~0n
zzq`_SO2q;njHc;4PIWC_#?ig!5xz^;p15q7hwWGr3PIjVsOR!oT<H}qVb>}XDM|yi
zNlKPm1b+~c<z^=54v9JL|1A7d0y^aJX9$$xmaf7db4a{;2CX7_S6JEQ3mwu+14T%*
zzl=NYp1OTmMc$XID+#eqE=`9Ns<pw(`15ynhO2fFyX@z2u!f&TzEJb?uBqWfyO3eG
zb*)<P=ZER3Q(kJG7yBpk74^3LcSa{-dUE$|Kkzanf6s6$p#&%Y>mskLf~2Dyf)@(U
zcNvkjP1&$MYV*9Ge6QK}nS<pfEp`p=aHD1Kk}7}n2me5p`w@lUOGti!kd!%!OUF*0
z+x+wjDWTqjXd$^Mi#!cR<~aP3>hS3mj-rpJ^ESDT@$+rU>mY~i`>(36YxH!x^31eE
zL^OXzCA~O)N}B0Qh>)^!^^LDJKTAuR-XEWcZy!K1F|mcNZS*9&&drqF9e>TAQOSF9
zu{t)ix#^l$!cpTNU56+1G;?xXn%mFl8GhyV06J7Y5ow^`>0iVsucSx0W)Rm)hsVks
z;p4GD`kd<X5jv!Ic@Q4!Fgs`K9M|OhuA?K%MHr&YUOqK_(nxd}4!_4Z55o!dl)2F=
zm%{ifjQf>p!>Jmm7S-rS8B%DH57bh4(Prm4d??H(*0;4A=i_-@#d&sascSBsA#)%f
zjd}fUt?)J1iC{zBj?i$`+%Bo27e6n0sI;|WI4?;^{LJXMp;Z%<5h))d_L1wM%r&R?
z6mpMEW_40?oR2Je5w)^}W`AD#@pVEwiMw4}Ozc}8xo=}*oxCZdXy6Gi4I->T&>@W#
zfBWg*!#|8Yx_7sP1~umWalYqFg!Mg3^$Z-9URMa+%gA!`{qgSw;}I0TF2;3DD%P2(
zok^^8!sXY}LM46RcFLoY3**4n6I~RJ$7tDH#W>%PQ&BUQChO3;eOW?;^=(i8nTOI}
zueaPj(#79&>%rrX&zP;t$b8vYV|?Yyg1u+*dtcrIU#EfcI`rGo6|Q&3#g!7^l=$^F
zD~}NncGYX3BHi$OT~;lqExFO}5IX(Elrt+`{cSz8tgG~4%uH;(Ez%2{iFbWk1B>tA
zn+Wi{_Ro<ZTUhEkb*nqxGpX^Bp_{Fd8b{$fS90I2>28@t=dh0tObX>t)rAQe_y>*O
z-1{cu#sBGiJv9+K{b60BpXncx%Y!EIL~7jLlo^ChaijCsE0<-GYvu-|4(*#nJA!X&
zrGW*D4IW&SI)PR>EsupNc-;H$FPFypV%umSWele6GsiUL(xvaWjN7@VD}0DOPke9l
zWVV>KbWl~at35d_7d@58>aQ-=_FlpWUqEmGX*tO<o>*hZ{qAf+i2hgc&pHfzHzqbe
z6hVO!+O^i#<QSN;LY}=xPela~*fl|;+M}-a%U(C)FiW5QlLz1u{3-zMO6}r31C(Ux
zQd|37(yJbYt)))Bc(#JAgk7{9LIdc!v5KFQAySqlWbE(AACjr0E~?{!mqa0iiNLd9
zf1!|e7?1Uf2C5-onXs#W_eGdJRL3Pa_jGr66AQ30?Bc0k2LLf3Dd%F+b*XozFA%iR
z017*K#u!s`eCaT#>Y;yeoK?pQf4NNwWD+8t{D1gNem->f*okJb%QU%@Ml32P9{Av?
zKBEsO&#jjUKL6Vt!WfD6fQqgbs{BVM1;@QZpBA!A!LV)y;<4ts8K4Z+RKU0tz{z2E
z{M1N{Dk^f<g+~&^9TZ3-2N2RiL*|5*^A%;FL%QzntD5WF=qeJdb0i{M`@Zu1qldx<
zWk=W7)vyJbRyh5-HBi0aZFf&|nlK+y!Z^nA9WN-#jXtK~j_0ct=g6Ccpq;|HTXr(1
zN8a}}YU8t-uxGx=se6TpdNuJ{?gWbG2wGh@6rBC>RCDEb4!6>W&0+mt9<vI=Ps;B3
zBiPUn`00>#V2KQHZvE{Xsv@C74yyhy2g?ltI0cUh(;+$QX-RVHFYx>UM@m?7NOS-B
z&ZvLB(fmLlo@xjjH-#|&?=(;)6og%d+~}=)RD=?BLIWf*@DHdDkmWY>Sdoc59w8;r
zvuu2||5e!IVv9qL)viK%2Zdp$RzPxuCB;ef5uWNzn65VJJy?N4tn>al4{s1S@1kWZ
z#NS>D_N%SgH5V_wV|Pd4)nf1)dyZs(tyzcv+{)Oo{q+S-$F|kgfsrsLV|BcEzxv*9
zIn3jCvht6k1y7`k{DuWfx4&@xK9=`}p_eR(_CK2>LBWG2+JhQ<n@CB60oe<you`o)
zNQd0~SL1+9f_<czs0(MTDCniukPVA*25Y~Hcv*2#sRv$7?ThD;(zx$9Gmdc$%Wm3M
zMv(pqPq?tJ+23HuLHgG%kNPW2@Y)(PQ=8cG?<Pn1sMsCv3-7!caLNQ6!mkkL0rhX3
z5|<zFL*zLk9;X*?>L<5>!gxm2`l<LgC%Fy~b`^YH*fl#}Jk>8gKSYL)vv48u5PT)d
zXBAC_g{o}cRm7Z>y-ShnZj{lrXUMX?T7NN-i8zpdv#g_{j>A!h(_jC=vZ<)931d#f
zh52H=_dCdDe+uP%xo+*uAlJthJlkh6s#=VJj?MBgcSm6>Ld^L<KTTbpEO!R$mclE%
z4t*vYI=u%qR70-A#&!t<d#C@=@(AuQV(Z1rI3=;Ae~xbFF)*=zzHm3t+Ii=y01Nh|
z84Fs2o7nf#LYUJfm8muLKlhq`ni`CO6fJ-j46jgp(x+0)p7V*!v;xl6^h@kJM*}rD
zhy(DL5v%}2m(8C3S42eT<-Tz7g^<#M<;9PEdwp)#JQ)G_#qL-~Lg2HFg9Fpm(6Q_R
zZBTR(pG97?Mbl5G--D{LacutQn6P^hJ0f-P9CcSnbKP%XXSeYJRlx5Zc`Hd8%yP6k
z6)_=AwtQ_j%-zAj;B8=$y2LN<PA!!YzUqO&%cwI-wchDLa=Io4Ty-)E$Y<K=OIQ@N
zv&DY_;3|QuFOyD`1^6)zzar54Wh<8+k^gA}d(P|(3Txd7umNa?E~5<D0)n|qBHd)n
zBM#O0Cm|%YW2JxXRwj6?*uSzWpAMP2O!5+GGa9hBBALFTP3hM>v9Os-=_EieIDL0l
zk3)`j{_1}>QDnIf+<ARP)nPFXREm!$VO<k!0asWuf!3Ev#DpFr8!nq0f2E}?2>a7h
z;AO0H_h=`*IVngx9Bof<3G4a+g=0Aic(pXeIX8;j#oNYfm7WTpe{_Z}bmkxrB16B<
z_5VoH&|-|n?$Nm4tG#ogIEFNLB6hb0=9Aq(M_HDN+2iw?5~Q1de8T@915`Jvko9f5
zf6G_PBi#OBjk(eNT?YU`<{z73&;4Va20DVB^Etx0>W{7Pf3rH+2eY||_!F>>fdfw$
zH1-e1y<Lbm<q76Lonmhs@U9~N(j#E^Phxj77=3EOQ9|%HYa+vE(51?G2<worZ7r(Z
z$Gq>O|7qsCuzSbS?~(^$U&{B(en@ZsX&3u$kO(^l@Pc@@*ezI}Vo#l#M>A8q<EJ2~
z;ceM-J+N=^;k(%dp{Z5>6D<|pe*H=2=|^qrQKL&9mZ`LWN5;=p@EneJ=h(4U(x29U
zde5DcV{Z@kd)=Rnx7&{SE9%K3I_>4u%Z06t7$@%;jiOv5GLP<adXa6Op>wh21D}jE
zpBcxl6qRjD(w$sc8?~}DRhAM!?|W#IFQO;@>7XqEMPS|YLIR?Ul$<)C-Ogyh1(|$8
zK)4{i?9fPTYWA0>xq(qXe80Z!9GUx6kW?9*@nh}uRW+dyl<XCKLrXJFBiRqVF(=H4
zgX_t{ZN`!u=Y=&tJiB#$@qI7hRnfd}Gc0dg#jcq|`pq{yjQa~({MZl%A1-UV!~02y
zcQxPjo#2Oiisb1L$=#`omW;*7!0z(7>BuSZH!;s5Ijzt%DZCjgxdmk`%hOZc`Dqjr
zG;0?wg?Z2YD8L-!61`0K<o{wPXbU`wGM2+LzGNqkRm(b>4y7c0n7PuIVbf5aq3t?4
z5uZLUGvcx!l7h1w&?OgrG^G+`>UTHBiAB=aFZ1xze|%8A$c&+A>lW_N(pqFnS8t$7
zp|O^|BX3k@&=>RSH6L8gF@8Vo<ayD;iZ*LzKJ?Z_Yk?2%ysnpDSIE;}ujjG6FwaK|
zw*<;0>q5^btpni)s?Vc(A8qCPGp5bAhbiSdTU(?sQh7{Fu0J$Sju>uL7?@M}4=m@d
zSCUl5Ztg`(OpZ0m+imNd|Dns|+S9C7+v6jSX;wCJU%)1=UaERL_57V7s^xTq$(OV*
zLSJHy7<~_>^vE=m+R>NDS}4C*(^#4A%)=0K8eKNR97Devzrbz!b*+z+tdsrp^_pb9
z5ZuLaT^`1dLnjAQiiq`sRiqnrYfOeyBNa7nu1H*EbP*JN{D_YHA{)zu+NH3jh9-Y2
za$lp)I0_2SP*Z#<&g@0(8rO{vNG9w5KY09^(g1mbic?aZ<YoSmrJn4rH;bIyW^SJ2
z9}Hb|O0mdl5JX45Po3&j4Pwx@w@!O~6=jl#d?2^beST%GZ|-m*uOOfQ_i2{5*Y#a|
z1=IQOv9Le2dr12!Q_g5I(bj2E=Evy|c$!Mg9HsaE`l;T*ExO4iLZDAwS^4AOTEnK<
zLZG6mt+P&R+ajU7VP8zSFYd}#kcArw2A9fq{o~+DN5X&a8qltI6pM6(jJ$7h3o@k7
zY;M*j8(=2UZsBLy4Q5v>t0upHcN4o)n01yaa*)$<ph5Ve=~5Ge;9FJMs&E^!XHl^S
zw3STEtm)H-8AhLI(aRQ9FCOZk|8UPEd%9j*W@Ok5ieoAqvPtxz-xbYa0fY=AGub0k
zot4L`J*QeHshBXdW=@f@5k#>y&Hm5NI=tAJ!`1SVe&-c%-bOB@L`?U;aa*p@_Gucr
z`ed4c&nd&4FGlk|)_zn{eClY1w(`?2ODxXDyoS<b0E8CU2IxW?iVyA}6#}4@M%~|A
z?ZNFmQfcQrpOIEbtLXbALEzDNTF~(My+x<Wxn}av`<aWgEJMP6%_=AUOFt!&iXdiw
zMvt7wBEyqUBiP7xLl);CJk=gKufvy7Ug5WV+q~$e(|6Cwi)Zn;=#V?HNUkG9K3FVl
zUQ8s>0YK|;%23%i`Q1a9om1pD2-tV_5LE7Xd$enRh3ur89xCz|EF&oR6K?Gtz`!f-
zz|!-+qPT^GT_c+L_xF+MB}TGb$H?(r2#ZG;7lRAv_2St}KL7n8`Uu8|3*Wwf;G8s%
zkN9K0cfuPe$cA}vhIvr+c?nPxi?a`mJr4p5{P%#NKSdwq%pS1L`{YoK*}aWF;>jr%
zo*m4>k?Fg14vr~Pr;R)h?%l`a{r~yGy?6@y&Y$}5IWOT{+sF6+D`rFK|5uoe0DR)V
zVYWA%Xt!E@nX+RyHzz;eb~%y2L0`EWcJ3V0Fl8UhA1r?KxcQWIqI#(>^2v~2dW-xS
zBG20Ak(c?&nVVG-adaPR(abw|dB5B$r9OKqexHotBVA~#ezj2Ygg{`HVEkBiKFuCE
zyaxb$HaCw>jEaAy+{t3pO@*e*coV2V5Qj^9+_$gfY*cCVU#OAU8`=^V_}>!jLqQHg
zJ(<0jUz+Y0<DobEXqWNW3)cSj%=W>gFfo(F9b}PA==Db!yEp9z5dR@aS0G;_*r$s3
zLNI0@yeUCoC4BLw(z$;zPV@k;zU+n-ID51RmOU`W|Hb-p?F{eJfnBUH97IB~_d;N^
z{~osP4ez%Z?mvm}-HGONQR=AQdv$S-T-YJScXw(sAr&wK*nl2;*40^~{`Sl-;@pPK
z7mmJYt+lA6xo0I2&X!&WlhuC{sr!fyx0TSt#G~X$=8B_itl6z@%dbGiS$al4p}Pi*
zYV_T=aq$M#y`2vtf#@AnKa?KqnO`K5vpQ~iK~wgX*<Izrw-<mM_=EJ+O+<_hn-zPq
zM?Z~Q$;S9Oy<(jhSJM2XY+3T;#fQSi(#&R$Oy8sr&R*0b0F^pcFuQO@>ayj~5rxEE
z3g&mzf}ck2q=P)h;%en|N=oFjrKW;T>-5?<mWL*yDb8~+7c%7`Q(c@2eQ!KvYgFQP
zPUgL+w8-|_HOz|<oV;LRW>deMubSCFx@XE)WMzDMTwOPdeAy67{CCD?k<{t(?TXKB
z{A8A~pWwWa4B|U<=6FUzIG%@nsqS*>yVMdB`!~#HJ;^k-*PByXHo1oY1ipN}LA%h}
zXJQ~1!VO(4Befaqri3!51TP7NC7ZjwbDg<a;{BZVuab9X#7a)yds|~cRGnNp5cckM
zQ#@2vNES(L735yGx~t<vNX5oDC1-N;wcRq(xuq~faovLXedwV@)oYB*2;8In(plGM
zg^bSCp8d)eX(uON#WeTjsfbOhbR!C)%`YK4tN@Wc58BHxg<EIzgGtHY8%HI*#>xES
z3#tlQYsB~ME}B{ZuU}U$<}MzPmfNK!{PLxFtwMDu<(I0OW5uCi3@2i6>2&F6h9XRw
zb*%I4R2KUC&qXEbAB#$sAL!@u->21nCCPg6D5wIn0t3s8`t>iJe^_aFf3iKSM*aBe
z$*VDZcjyMmg#*cys}=Y&)S*sS^$X<-i`1*%A}f+2F4HL3=@6(Z;-)i1A5v?iIL=ku
zeXQtUBmhqnT1-aCOQw6ww9F5d-ozzW;ozt`T~Ls{iu5@xVY8u!9~2fE-j^k)SQctv
z5MMzbpzfFFpqWqMzWMHbPIf^F+qvOkGpEHoxt45>H~NOgq9T1)08l^|RiXz+agknD
z9yG^{NJPR2j!ZXO9O=M%ls~sD@Ms77!`Y=PJ%GqgAdujkoO=qqw!=*~kvj~{Aw}qs
z(2>nCnNrNm;SBzCAzp503H;3|v8KKgFMNC6glol%rKlstJdluf*fcoK>eq?g8Gp|Y
zz0pSj{O5RMuhFv!H~kVv2Pjpl0IsHL6w_p4W8x(!Ovxiu@w!>`JU{mx2_7H{zak`$
z2Xi8me?_v7+F)Nv^;CS;!4tmpp(Y(Sg0u8>&gxY(R)0WM%aq&+i_5w%rqP%DS9qFl
zgDX|;jjK$ZuW;^e45`bYRBu~x^1GWjpO!vFPem|P&iUl)HMz_Dltj|>Bgqk!!2&jE
z$uFwrvWZXZ_{9CF=Q)BIp@?daUeb>*)a=le^rcllAVf0ZOou566{bU#nN@$wXJ(Hl
z8KcLe0B!tJg08znT~;|`jcvGeA3!8oO5%%pdEDZmBHCg7+YxiWo%{onAMi+g`Z@7!
zW-)yH!Xg`sTb+T6PWWfgEfC_IU5G~?<UqHOAANN7&9&uJ8ZF*K$XxaMOG>zhDLyIT
z>e=L3albc2)tVEbK5$=ci^95+?h2PvI5vt;Ym`h6Tv#}8=<d?XnNe-7ERvc#HziMm
z%05&@ggFG4SJfy(6X6^3gUPlBsSgF#-k+O4kc&t}Oi*GS_Zo0;6UvIHq%6CXq56wf
zpM$Nh*D%+wXBr2zX^C!*cP<aogh9sb%>q?qs&g0~#Z=?@2EnbXnvb-lI)uOWO2;rJ
z7Js;T$V-Auq*#iVlPFz28ggiw5eK9F56Lh*F*CdKD6IAv!Cwg14~u8KEXi;RCD&5J
z8?iYrEXA=v>U3fCgxinD4UjLvPccNR;shJ&B=|oV1&4Zfo=jR#=c$FYF^P9Tbwv)J
zl}eT6&_)HzSLQonyj*yMX#$rH>lqjt2S&k8GQ0T_LWI2cWj1yPiWIdWa`}!y#zw}6
zH7tfZ-OzOC9Ma1A+&33jVv#G0OA*&S5pJVxnxcQ;(3zb2Aq>mNv+@r|<6i|sGfo@2
zXx$X=`q80peX?Oez&FvI*_|uk57soPk?9Rd%EabAXW5HIa>Scu&Pis!EAbE!e|NuV
zNPa#oh+U}B26ggGA@^HDHs&~aU8mEnk_DFH2hCa~m%?i>Xb^dS7xZwkF%`wTfT~q8
ze`<VSEA~M)(|F2!65@|cM%xKA?}5<ekE%s$`Ykz^pI?kbBHfFh=;~#LZPHLuWxqRj
zqA`K?Kb`!rs}&#*y~B2`itMr2>VoLD77B;d(`3!5yiQcPDtzCljnNz#-n>LgMN(a5
z>`8lPC6?shB_45iGTovkkk!2=9lA@+&qt7pke>f1I#6ZIA^oq=0ja6ze~AuA0SCOj
z@r)D5aDX@1?C=iTikHE@gGct>xXbbgxSdBus%b)|49nUY;s5QKKQkU*?@9lbz3j8G
zyCk}Yy?s`4ax&cEW@$<4n)&u^TwENqRsunb{qpqmTPV_f_wKf-X=Ul>j~_qw^*z(+
z>g^4c1BqgQ0BC>mi}LgD-`3Y>KHSmX%!Y;a>M6VV@i*!yPvXL--s810<I{H0(h{Lg
zOJ0#KnD7OvrSt3wwEqIgFrbDE2q45jC##>Jxwv&}x}$?}T1ipS(7*r^ea8JzA8TVX
z`St5#9q8TxVn(6>XaSXH*Pndw@Zmy>`cI!8RNuI8{yfy^O~HNXJUk9PQ8ifJ_|D<I
zRHzpoR3%UMJoYxfVXm--5jib-?t4#yx4FwLl{L&$AW?-=Bq-cTgLbVT5HT||lY;K;
z1x*l{>Gaf8Nm-f9xpO521*B9|3=Pn~M=^&u9>G9Imz$T@4f%V{!RReEm5UcG%<r;&
z`uzD}iIFG3U@UFFpX1Skm&*BmV5I*|OK%)Z!oIFqqhEuTdmQOq99PkcK+W;ifBp<w
z)O#Y84<>&6fK`IEIf5R%lyl_>8l+Y_xkW{M1Z(kjrJr)mKzAi0;|<M$2zx;5WpAV_
zFCkf&z^;EXH9Pz3D$|_hFXcqD@=I#6-0Day02A2b#p#gvAdF%1vp^|A#}tJDxN;gq
zBOnZ=c2!nVnv9l}M`eHR>e7>wySH!vYO1}AjT5;g+pNPo8xg|3@N)}aE&cIq9ggqh
zr*_%!HQ3g|>YQj$9YMz;=pUu2sR`;#xP=4izipvcSavp)Mkj|JMAAXUeE>qnd#ku5
z3T}!ASy^3O9f)HC0|TL|+_R|*yL)~fX9<DWEeb4210@g$vDKgc3Hz=!0uM*W`O(pu
zY;%|gwgaB@u41C1pjc(?Mk)1F3mi`IArk)ZCNneGqZMvy>o0Q4t_MNK)CdsB0up`x
zUOS4k)NnNroCNdjZx|#4CNihHBv^i;8kghx*x-2yQh{5fxnUZp3-*AsRUw#t^-F8A
zH#!J$c7!RuhN!&8rssYf<zIlgc4B*t&1=9)mqWS-k}mtC{6+QzC2ll5naG@k5`@Z$
ziqDe}5#IrcC1H7lU+K8<lok@gt{XZ#*;UmiCwcd>W;9PVP)zCy`%(k}FQ>yv2z>+6
z-PEdxCTIb!?YuM2<m#^p+>OE%Kro|?ojW=t)$yG?;)((aWO#6MYZcWU389FKARTo4
zMq5pb=jG)oljpphG{pOS<L9+bv)l9EJ~mISej5_p`ngtWH^)`{^XJUz#_h6&VD!WE
zw*}ofd}C~n$n>9Dv$H`-Ftn<BY8_e~w5tZ%8U3yl2s`?7PmcT!?4+qNKY#vw{Fs^!
zG*s99xnaTB+1Qfpp=SQho#LXR;0iz0_m4q2`($Q%nx26H+G#1A&>8vu{bS$DQa3r2
zfT!#1sLY+>`>#qo`kfY&7k;|BGfWBR1z9ZTZ^l>UY{%T$svN7g2#EGhuwR;?ZSolN
zo)3+!gWDC81qS(qJUu)>;Ac<g;N=zi@&<UtMKD%SQiBB}ufNxud*b3MvxU8o^%`9L
z=H*q=!r<__%JGj#6uUAKz%rDR!YTuGuC<#gU3!3R-Ze5jj99Pgg--)7yW{KvK!=^1
zoBQe0C+HBszqT?r1l`|O%#xo!e-7pNbJnOq0$aFo4z7<kZJMs3#WQU6+%$F+v{JSc
zv}2o|W{+~6Nw$8w<vFb=+rDUAow#i{TK%!PcX6t6u~)vbqrtc)p@e^PwR>bLHZIO8
zi;%E~f|OL(&=9^V;COgw=)eV^%g`Q6?gjMVl&o{Qbm`01mh>~FTu^vdJD!%74y#e?
z<*nZPK)7>T^$7~$d5FyEWJ_mT`$Focme%(6i+qVu(_weVQ&N8CkEN-R1b-2ms$IBH
zP+GbLjgi2k!1bTO4<CXLyCZyH9fKh$3^`5UVP_{KDakxCG-TSkz0jhrlM06q3ia`o
zMcyE(FJ*f1M)u0j!O<}<i7nmtecREK!P`6w3qqVtMD#PayxqSg&(?-VLs?Nz>01&?
z4l7&gGCkff_F0AM>S|J7L4JM%eSLW|Cnu3-p>}1P^tCi@Z;x~e85JYMj~<nmGSq{G
zy6dmGpS|{X3yX_8Y?;ac`no@~Vel<!1HHXNtx$o$!o);MLD8E79h_PP(cr8OmV?hE
zj+d3Abyyx?@O3d5$@3~=P$zLx_%;&U99(ZKh{`W?$HWzFwr5*xPd0Rx-9MYbR3Kj9
zmTNUUx-_t!T)#cB*~E}~|7l`kZB^BM_EXjPwY~T6-;a;S_B(`jX(YZ|KS%06ejI9(
zmy?^lq@<)YNUvVq*~uhwSe<%$@RP%&)^UhGj>pa=AprNP@OcH31`W%HknM>L4mMHy
z1NPiY+Jhy66!C_TmXQ&qtp5}!49A9thet=%R8>0(K{mS8ZC4h+C$n*zjDAhWz~Jel
zM>uEvbwF#LVt%IweO`(Ktyt1tR$s)ZR~W!9pHeh-Ynyj#PH$}cFRwZF{>1I>{2aZr
z3nTbOMW%e=(F#FNHb<}cL;o}Y49OuW<UJJR<j`<JMOC%8zu#C#=VOkmyZeKn@Ub63
z>~|5uQl!u#1lm}_U21Mi_RoC*2Nav;@q!KpdtiO#Mps6ZC?02r97_<F$McJ<mdIC8
zS}L8=SwIG>On4EpwbxzkUl>H{nmu;1v<JByFJLGTp@byXoWR?>zW#<;O6SgbO7WbL
z@+A&AhueBj6lIaQ+#S)$CFLzmRL`g}hbDT}k4N`27=~r`Iyd!i#pk{B-f%PNEUFB4
zUdKr1{`~3fy^cYr@VRb_&kx$sG_6M)6hEw<^D_m@1>d2htV~Nwn?OH)e+;-T5i*h7
zcds&TS$eJYuIGOpzuP*=^0uR?T~A$X(kz!cV6mhcqB2ja{D}^et(QFk-#(?())tNA
z)-`T*Hub)p5<KhjzM#xTNK)W0vzeQ$rGlR^Eu{r@7<<i*F5@lW=10C&bB~Q$bg|1l
z0uE~DYwuxYu0Uiy$Ry}GHs_D%?>qO!rq4^;ZO-_e(AKpt<B36udP{eE%VrY$w%JL?
zwoeZ(^n>d#>(QMb&e*&`m3m1{O+vfe!@>f9hLBK#j8EE8FtF4stzCqLu4$|RpSzkf
zSwp!ipF^0h;X@o0SQ6;EHIR7Mdm%V-P|%H;;S5|y(W1dd%N(oyXj6J5p`;R%_gMME
zJQ_Kljgi;7wf4eU{FL~XgZ{Nd;@ZNm?sAuV&~EDHYF$C$x=5nTfT85{kjd88g=4vp
zx}nxDFHG(R3dwI?wZmQh;+Y-^0bzF!lVgG$T<7>wr!S6tUSiRz<z>9&>DrRl@72<|
ze8}2lg7Nu5qzyHGR=9A?Dc(KlshpIuyqCP{qmd?~1PSd^vJr2mDaX7*ykF!L^{!@H
zswr!yJGy?jZgJOTQA5;zUM47ED?C$u+j%lJh0}Dr-@<4kr~T!&)CT|1#Nt3_Q@i~7
z$!E04=(ovEq8derAmzZC5>IlbUP)c5V7C^?HQDE7omDqz_x*e{9#LtK)XrU*kyK`X
zW#HA4a4812Em+R$%C+(_DtoOrMa8Fvj-e+!gVQcu@N^m(uhvA0urM%J8@ipmv!;q9
zX%paG)zQ3iPyf6y+0iRrmP|9U)?*Ad46l28w1h-Y6-kBR!nGJ5Ur!Cm24U!x@#Ik1
zipac8Ut(dU9UY}V0h_cGeuLeB{oB)CH*3ELqp?shRT!-;Ms;pJZ(DR}GP6IyPbU0q
zd}n@9&eVWIk%Qav%wW^D>SQN7x#0F(rDE;m)T*7J?~*J?^LBI!6uIOgbhPFyhiH9^
zl1xB(nbrJibs$`koy(k9leAL$o$fd+&BmdT$P96e5J90Q>KZ>y3F}ikC53<_4MXFl
zf?S+UoFbQQLJvo8cL!TuKC#WZ(Lu<&+4uN<73>LB4+*$j`JlQm%gBcfRi{IJI3Xe$
z*SYVUUUl!%G*>QD!gRm5fvg|cqyKZAb+_+>7e0|PZUk#LWgoi!IylD*AX7SEH5534
zef4n35i|raVGO5aIs|>R%9c<mDW>M;H3eGwRm+-Z+j*;K@y?atDoU?=Uv3;|ptW}O
z-khE+Gfxz<>1R#s&z$bxyn1IfdTwm0C2xXw`SG{#vh3403Y@1aisoE>m6Ec~W~P_D
zFMUO3q<>AjYvn!B5(_gs#l<b4fm~sC$mwh1a|9Ns5FRF>4l=2HUY6Td;Yua+q0c{1
zB=>4i@m)&>WUlXIo2b^u7|2l`L1SoHYmQglS7fY&tuc7ps+_%S^=0bf_|{{!b<)wQ
zVYdT}RJiA^FRqRL$al31w|V(xD)B*XqHm4HMCsKoPjYkYF|e!LJ2w0Ga}81``IG6|
zncvY=qMl**@1K>H-dbC<R#j~PwA0Yg0JnB;))Kn9xPW8RK-$<qk;Dfbevs9JfL(`h
zv8br%<jm@-`y8`pnz5c9R0O$YdFAy&5Vm4<(<$cZ(>H>cC4gip)`HvDzI0+fr_h_$
zN@s6jTD;jDmS!Rvx6Ot-x9J_*q#ZqN*P}3tn?*8Sh4=03*?z=}*+E|-xEp%XxR!%i
zib{@XcA+a#o)r!_zE2@az8`EFA5Mh0hHH)S4=I1RQUR&6tiF<n#qsK|kf}${wx=;@
zE3-VcyTQ{Y=WgbymX@V+EG><P>DlDDcV3JR_QlM3${*B;!_=0A?7rAc2{j3Zr_g$8
z^XZ2hmODtUmsa>?ykuTdR7+f?g;T5gePW{R0i5*7#B*=&HF7lEaBel_OQv9BwP6bg
znY>y{#X|&}tZU@?6Oieh|2}|Kw(n&XJoQlVadDF}eD^D$ua$+lIb1)_ao@hQs;UY?
zoR}C!Mtf)#WMpInwIeA4I)oE)oCD~lXXmT|c~Vfo8XStmP((rNM!4>fN;wE3sOXfY
zoo=chW@qg=1_g&meYe)X1aCieHtA0t>VLIZw0&l6(wjtlbAC1_EVjScYKZx5>H31(
zf$xk`Pl>x<Eo5b#l#-ac=H<3D%fGm^6c!o^B{f5xl{pKQR5IW1->|no7(}lla`L2x
zzJBmg3K7JJ-&7v@>l>&z*_t}u?52hSnRXPC4tWUm;Zfr<&rDT7<6+;%QHIg;6W?Ch
zy}n0waUzk-sqbqGe+HErH`)leYrI2bpn88skAb3!_4ReQ@f+g8Amh@<6t{>Q6ipl*
zbKbrc<mI(;aiI^c%InI=%&c7XKa)&@CvZ1BD=Eq3=1qmG72zh>{=?9Q7$VT*Zr~;$
zCWhKfD58XVqr>VX3o<towqHJ(uQ%S3^Q+ChRk9xceBPVw?h;k!*t~w(7R|t7gS^|f
zk;I2j3H3HE9e9Q-WiNGk&N|o)>E`419Po*~+1!;rh)ki$HdIR3TT6vLvSfMmJr>$r
zQ}<_w`jN3@fB#NE%%-NFUF!(+ObuZi0i3v*fFgY#?rSmKu3~#N%gM=ow?8QrGhJy%
zc-WkUmDS6|MGMMxe8a-S87wX&J$Q!~`Wfm=G)Z0Iu%(w#a&vd*DGYFrmqlHP&)k9&
zrfmLjW@FKM&`84i_UsnR8M95XvZk^X`K{{VwIRDV2K~~lp?w>9R1D+B2{MW+FJ(4g
zB_|KA&X0jXUG`P#w0b|dT7}PWVkiI+tO#vMp_7wBQdZVMGpB$t836$bSMMB(AgGAh
z<&bFLl-L!G?iui}4AZ2hZ(~zakbLlMpk5&Exq0*0F*i#~9$;VS8L6q~;EiH-eIXFp
zhlG$cL9bd@9&~=daZ_x45@SvZ!jvy-32J-SPhJH;-*+~DyE}It?)hGjDV5pI6ld7x
z9Go;(dg|KLEB7MWWx7-#e`Wnm@K|+pzgOXgw{T+_Pcd8#efLoC#k0T&puV1!J6MZf
zP*8B$mtN+1GABAsL6{}BL#CD|6yO#%?jE-}LKw$wa&<@7d;YuZZ_j^@7Y(p-=_jl$
z?5yhQfR%>__zSZMZ@5}Qh21?v@Gd<S@$5E<l635xPOs^_l5q?_wD<J&b$K^xEDW7~
zb`Vokw4RZ&?i#8MA;(7MV3QG@v6@|9=klz6(6TtIHlRkSb*IO@cT21`7avl3R`FOI
zgI0M|Otl<P@al6MV%EW!f%2uKPit!)bkL0*dT6~)Pj6~!s^%og%hyXOC}1)RuKp`3
zD$w~_827JZ7DUv$v3djol+XJqOV6uNg`-ZA+YdWzgCqq+rA?g88Yogyshtv$e<huc
z??wiyC&?Ge=eD+{vmIPqg<M<&Q(2}A+4R4~u<2uUTE=~mS~SUZTi=?>>}uT3{ey@Y
zRM~L@K%3IgA<J$~ZRo8{`dVwBz;)j6K6Rkdje`!k%UHmJ*gPkMjq6zLIUKQ-F`|2-
z(mk@`07y6+AHy>cI`7f~Ly+jkiu^vGEL8#ZHk#cy1FK)$qe`^@XSgjIwv%u7H@OsZ
zgaPS&=ly5UQ~t???9{sLupwBbe6;caC#b;={HZG4qkcXStj#*j%(kj*gwGp}Z@<89
zjFd;>fq1qozjPjqH3zUVwavM2yx20bUHa=3lsBDDQARbnrW!9?*zlXWGPbR1wjYFb
zo!u2I1e$!I{}01!p<%`II`6w={NeqU5W6O7lTMvnr1E4)wERBjwM*HQ6B2givaqn}
z<*A3}<aw1Ad2yI|j}0Osr`{j6JkC*5Fpr+TD8D0Pcp&XNJwAh6xy*nAxiS@CnIzUr
zRV44+{_(>)HB$Xz6XNB<SMdQ3Uo8nmRbNWMVxFDJFXu;Z@YvC$t<1hG_S=y6-=oGR
zXpw_wtgNh_NA@Z2WpA+pdSZq?IwULbh%|10D>(TyXZ=e&PASNZezAK9{85-CDh?KM
z{U%8MPr*+_d(%JueRx{$mkIEoxlUy5)?}3ji2dgy_6kZh%y_?&z+To@RDcdilLn-i
zACxz+ltHa51oKc`(DFAgt$|WiyAF28V+98Xl=^J6c1^Fny0Y2)WpubMIk!Xt5<(bT
zOP3a-ocFiy$3Ys*!PRq0$Hh^B$PR?|*dnXAM;|NyQO9I^dqWSqFR*e-=>kL(lv62I
z(Ty@F2P#8?<gDNiOLktqw^467tFv{@EDi72+>kYLa6`7*_qTR@w{g1q2Gf7K4F9My
zu4}d?NntMEPi9yZESq#}_HWw!h@tk~J<$676Jg=IH>KH2d}JEkkGIBu4#xE^wm<?i
z?z7NAWSTwH41Ly$KkhBa@0}P!)YR8~7HXv~U2J6ekzix{V{0^i#(v!~DAgHmE6Kj+
z4B4yqc?$#6n2%qoX7MEG;=&Ha|L9H~;wXcn7CmmX^cXNN-}S2mW}jb3yZ}XkzY8Y1
zhBZ*BevcImQSDK09PIjKgNZ%4?8PK_T|B4U%<i5z#X*Rd@Hoovvw!}vj@kG}S*x$k
zTm|hxr5B%ym1~<?GUpBS5l;TkeH;XbDb|XV98b@ij71ep#iX5$S?KuAAC*iy&Ul~m
zm#t(FgdLtsR`G~_h_C!oF)Wk*5Y)SA(YG2E9;-9EXuLbXfB3<!VS*0;AiqSA=UzAQ
zU_IR1D-FuO!LAUPwYMK+v-=ZSbiXvL#YA6Wgd(WGgG_7`p)NE?q^rDY{rT<OlH0d#
zADRmCIKhD)ynzWF@w%#_EO*y$-!3z%p!n?6*F5cT`-Otig_Ufat7_o_1K$F)>pRda
zMuus=oI_^lu2z99LBCXP^-#fEdX)A!dRH|b9=04)KtLHr1i8~A<$Wf1-<G1J3J_ys
z^zTJn^lYOHw7(J9)s(VL^ASi0h|>lSn$l)RyV7A^tSy0TBfq;{{9bn!`n+e*(#5j`
z<F7j94w20VYi<{y4(Mn1zZX0D6YM^?5HWP-%H^v((ibJs!jy-UaFw6JL_@{kkM#KY
z+cJ^St>4f1v|qEB!13?4TGywtLcb~V48fa%Vs0S5nS_Ar$J)8`*eAlnlF0M6pVw=H
zBVF6oq2<%%ev9k1hF4Yz-yR_T*jrPmH6fHp=T9Rd<}_*h^xBhFxv=gyPYu!&a4{GI
zt6VhewpEFxxDQ{7_nWZyS)?&}n}t?`cx1VjnheM<&PWF+P>h*Y!xIQo_<95qt%dwX
zq>l%_LJ62%nR}o%d7OzrYp^zh=HM#=k8d8)y)Fr8`!j{NgNs_2U7>gLsXD)wb>Gxl
z#pXA<GiakH;f*sndYOcwLt<sNEAe+U4XxDIzf6r>G5&h}HbC}W-Ax2-2bQH?`$X6!
zgqdKnS!<?CTX0&q$o{j*?FuS#^r;Gz%YEmjtxZYZ_^DV2g_N>Jr#?R*<vECfiSH10
z5*Otv*F=F8RLFa~So?Tvg(@YSpvF{B70C=6ey8W%C|<dJW9n`0cA@KlSYb%&s|M|`
zGfPfQ{ZUjKHkEvyuKjn48I4K_bw=_iyd&($1)ru5(`Y%k+rQYNagpR=z?@i>S?tIB
zs+(2S?r%45dYP0|Uhw0U@W~E7FDEq&?S8FFIS)Fg#j#Oc0mtn2<lIo?PxuHZc*;<?
z)mB@zGQ84J_3*DQD1<!k_+vdp=G;0P-sY&Yo063a2ym{?_@^L(WhRP)z1f$SdWY+7
zcrSNAP2>hk5}7)uzUH@RM}3*~!MW;l{?|yH`Uj`N6NQYQ7>KI(eGJ?dU6gwF<LAr2
z>f^hi!}$5m;|2xpgEbdWm3%@|=TbI%H|1rQok!3O)r;~shORYjOyyLNw{Fj+<RFyW
zrL?rD`irgah%5$XGwb9ZM84T7ocw7vo;f4}HW<5?WQ3aGhK>cF`JC~@*o64Mq$N%)
zV6z@OC%w~mz)8_*<RWu;Fw%Z{1C~UY(o22b1!Nid8>jCcC0K*B0Qx-tN-b6R*h^@*
z<RL)+UbR0gqwf}LU!_C;6JrU|h3#0kFg2W;%ckv%t!pWlQ*>)51v~;dE6bV$XUZOv
zh=>w<)t*N)y4DlDHR(QxoESgX!+N?`dY*eh&3gR4Au8gv_a+VENowR$I*-Pz-pDqM
zGuP*Gre9T=x3FoSg$U^0aPJodT@|#^d4)uzxWIaPj9ir7b(-ez+ethDUT?dik4JMB
zHBlVp?~jUQst7rDXHJX|bj=+QndUlURAOE1Vd%nS=;-d@z8z$|wozKAi>g*+wZ}Yq
zSIZ{7yv2_$s$JgZ87aQC;80}zQp8X^<C%=`G85)V_^;HY7-YUoc4~^8zE|_(?Ug@E
z4__cy!)$DojTsF)8!;>!ZeQ6_9O`JYKna%`c}*6+Wh{R1y3`-B-On=yi59Tl4#|S;
zpvmB^>h6W8^s#CyywDBXAMRr?dGvRmw%iSsmT@u&7Dh+Pmyu;7?LC)gmt)5cj%-JH
zauBS2pJdyj@NK;1Y0%zh1Vtm}VSgLmPGSyNd&**{?E_nAa;NcCf;0$M+jQaRt?Cm?
zsJg-AFo=Rp>IIDC8QQ5P)?M*~^V(W!p{_IQtDDI>rNCFC1xNRJ44RTvhJU6n>F3Je
z-J$PeqDP~;s}m$!Q>1cMtxea1C|$$YC2Ivdl<YKg57=EFZ`(3thnh|E;)7(l*oD)^
zrspvqq2^r(FwE1JG#C^}aOdQ>(S?wI!$Mln?(NKDhR7IX-ngV;*FkPkSb4t`aqnk-
z)#9<boeD-wkPybLz$?JfHn9B7Qua_U<X~9c;Ehm6pE%F(xa{uO;jbjmM8<{3p{n<H
zVcrA))+B@s4;@l~@z8I0^+z<svp>+kp!yVF$eenw!2pLZ@jrhEGP~G9S8lW~R6rVI
zaTI*&Dad`^aw2yc6?&DP?r3EGe_Ffpc&fLr%`wmOm?2F>rp)unSP4nyIX8ri$1Fp}
z5)Fn@W`zimDPs|CghP>xnQ{namhoNZpx?dsci;D~_x^M5=X1|F_IH2xUVH6lJ<qe+
z(CCYfj`<!1D%sEnB0D>o9}2uF4&u$&oAU3O!d_t7St*H3q^hv>@&*e<dHF#oWw5eJ
z%gQzkK|$s1+qVX$FATn~u1e0QrleSR!JQLI{~H^!t@Z&>1FWdv?QJr#XQQV-l2~;J
zh!NO{E`4jI2yPf<rKM(;)jRsa7oL=rNlf+U#2O!HA@^>Ar~|?5cl8P+R3$t55Ht~d
z^+CIVPEMzAt{Gevv||$!e|&<$LtO;g$J|x}L;%16xO0w=j{_F~jLk)!f(r_(*Oe=o
zGJA4b?4`5+th2MT>%H=_vT)yoq@-&_rBao(wPg?Q+nB0;DNeHa;`8Ciza?`+7-r1p
zB1`Xn#P@JM8Y-%c#kqkB@I7kY`q_4zgBJ7Ui}7GMH`HZSQn;P$Uc4$PnMEi_t>u~-
zeGbe&3h*;dmI!*BqflxKT>1t!-yNZIcbTT9rl9#(TW6>6$&-MZfDH=Ui>lmQduTs0
zHimemc_9Zd6zHFI0oxu#_pUzr!)x!_y_JQ{pZ_8shu2&>ew-r~0U$<Va`K%;uv4MM
zBqgy8f)7!IRJ0mY_R#F)rHtgI*dmB)IuTEE7`P9e6clVSBd4KJl9oPu?ws#Stz(y0
z`;TNZP!ETBWMzZBQ+bTOh#}BUlKnq3y#j6Q0Z#e1WEVR>U`}$Ih7Nir0q4pYxB|(k
zsbJN?M<{#pBv}>KzF!S$v|uX_ep3KTmLRCC^9l;K+Y?K%HD|2$_UPNuUVxoK=lUsG
zU7>V)=1j<XRtuP<n3z1ak5D;%L3zFSkv3m6g^cS!UtiR?c=7pkvi<tmy*EH;JGgYi
z@d=D^iRM7E$eeK*>?H@nk>msLu)$z3fMRi=-iCr#3fRVwkdS~Uw~n^<EP|@I`3wuW
zayqn~@o;yC#!9Zyq2e3~)=V5-+u4o;*h!Dn*xamcY5p=)+xO*lynCs)uamxwpOdc1
zxhS{!Pu`Z4<A5{`0regz88F9Kqo7VQtZ0+!+r|dFh9!7gjm>v;bwT$Vz&8NEZElXp
zt%27oElsQ0^x7_Wb!==5ikQA^oBWx@3s53@T(;ym{feZ}JcaPn4aN=;%JHs?>7L`)
zLRL+x{JC`W&+8dle*U!8q;2C7&6u-XnUtNKt^0bJGRBKav0F@BTI7?Xo$FJV00*PQ
z;`jHvGR~dU8>bLsi0)5HvoKB_KzDQxHb-0?5%l`3lT5Yv9JpE7_(psBKbAmOS(|wm
zS`72CmL64PtZ)-0fSxd~Ju3P86phj<QqRfA$a&vcshFObanEx*@8z}n*zCkZ0}W>G
zBq&Uprk09TOY`X4d4_OdIOo5!b!&UuS^Aqk^pfqbdR!-7t!8dsyY%+9;E=gO$F3AU
zBdjn8t1<9|y$g{<5!M0p`#14|LluO6K0bXr<2S)*XKYIFQ;^(G=m(*oFa)+qpI{6R
zkaC$n=&AR1T20u|pKt^@z^<6R#eEGVs;m*Brd#`Hfb$?dxKU4pg@pmqnU!^vk(ihm
z7A^pSUf$liGO$h+6$4#91_PD}E#$y?oClq2X<-rga@%aMx7PqdT~7~_0ZYQ4@FUC1
z;^eT5#v;jzk5s8mjpehNL0qS=Ie~s8^2o5Gj0+pz{tKOmSn&Nl7%0%7R>A)cN*=I8
zFNFZn>la}BQ2qzb5F?xB=sQtSQTty*-Xj3tscL9|@eN?pVBn5gT%6SGyPNyYgo=u4
zWo1RH90&=S+XEFY+iExt%ACQh5*uF~+BGn+E-$b3+Wm2JjtEaLFIl06w@=o6m0Qww
z63q>___A$kn;)s|djT{r;FN_Tls4t-<N5kn-<2WY*eou(vx=3fZxy;*Sa1<S9eqef
zS~@p3myeGRZ1}dJ`i;Tx@q=#=+`Q<i7jAgbVj$!IXJA2vHIqK^j%Qa8*e((JIXQh8
zE?6DW-!B(uARQ@V?>~6(00<YZt`hR{TeDxp<fkeRv9aBfF@RdFkx^8VtB+4*P0gKi
zH`Sy~La~lMK++(^^>Py37I_GGz3$1t5)uYV1_>ddd3Yzljsh$X`5NL(Ss9ZlozlX%
z0Z8m)a)=&Vvo^P7Ait|;AxB0=BE!S=`xc>TVRSTfA!w#X6xP(%QiaTy6D8am2fB%I
z2vpq541qmxTQ3442B>oYsc@vs{@C4p2_6-NS`M9{T!u9QE0KD@bt~dp=(Sa=&5Sdo
zC{xoXwKssP5jr=J4qen#C*dD(^Rs^c$d=X_64S6AvD2r0h&QAzrb~eO4D>BxfXRWz
ze#o8?^Zxz01-+YR;edncF0@~O&Ksd~QdQPs0E$BVe3=Z#U!TZR83BQOAYy>7n<<2O
z1)@2o<y?A~im`Fh4OV_^AqK0DVJD!0CTnKq=AQBnB@`$#GY-P4@^a=*u^Qd2?8Djj
zD#IFwEr3lQr#A@QK>U9#K7+2MDC&^r4~$9;V`~U(Zbbh9al^++;UyQFU5j6Ft@rWC
z^{+F_KgnL6aylzOraQW$y?sOFgpu{`OyFI!p)>`H#T>EUge}i3tQ8SNLTuuX)%}(>
zi;If~Y%G&$*pH5m(v*9=hnxaff(r`^upcurGF-24<amOs8ztq$<m8#krKKfv^5xJu
zo1)6-RA7v85V1#F)CXQKHsS!=CCG|6$!tTu>G;MW)mn6X1<3ShZ>E$ky~>i=2Sm>=
zfrtb$(LG9C3m<4296K8t8ag^+*Wd6xWm~<|02Wiz(<kG-fyV<pC5N(1cMlJS6)2*?
zaWLjiy<i?W#+-mfrm<F0FrG}Q!P`1)w=G2n`}^rXAAZgBJL&2tWyFw7{sPen8BxD-
zNZ=*7@zlSARQ)&d%ZFA^M=J4kg75+IwS5T?=1sIQ;qUqsKx8-R4tPlhk7)pX15O=|
zwFZ1}SqN>b@YQ1%GmwYgMj=Tq#D60o>W6d_SaH3akkVprR(my7Nd(cx8DGVV>E?Ts
zMj!}4q6dHLcPU}-Z}sl^{1{)`|0qsCwC`1d`#AXgKz$lcX;!)ePpfD9Pq_y)+r$Gy
zmp~YxX3%v(HK`OV0BBnGr#>99{q$mbnbqY3e<xfD``4-3r_JFq?CRur0Lc>`r5L?$
zJ9+AZutm~{n@Rk#kbb{KYxbm-<K#t?A2JU7^=AcYbv#rw?7jz=rutCPkfCgT{9K$)
zfyNfaAD%pvjWdlj*Ne`Suc{i5s_&OQt>4v+ACXw0dSd|dq2>1D`RU`+GpUVHzcp0t
z`)>r7#)B+qFNvQ)fG3laua_g}UQWyR<8&{8Ms9S2?&U#kbs&E$ATx7iHjFcQkLv=b
z-Ob#r{f35}Y<z?4=KgRQcXG3BEatYa;42cEFAy~5Gz@Zj`E%VO*mKUbrF^#iTTZX)
zTSekc^Gz?#GfF;(Gw<Aw3KSvse<o}H%?A}y&H74zK7>ISYKRd(cE*3~qUEK9%s<IF
z-e+?3{6-^W8KEBK?yjx)hwSP3p@((%%e$u0m_F#gl-FDMiH1m}?TOp_=@f>gZZ7#S
zx)AC|e7I+n-7uLs<cJ7P-Jzb&@=(UH?)MheC!!6{vqqMmb9-#lRBGeGe>L&t)aXS1
z0E3~pl>024OasG%1H;`UJsoY^g!$?O;%%+#!D?9qVwExeo74{+%BHU=n_UWY)<sR2
z`pn!NQPR0^Hi^r$Vd!Sf7{G+<&c5fg)J<ZISP&bEqEz`-3|Hh?8)-&%qqs!!0O*)_
zx}3e?MM-Sh*}k#f60|{lh~DOnl}JS2Bf{m6MxWW4*>ABsHB94QVS2GX)8xo;%&O0b
zg)>lyPgAE|eRq4v#;D>&WfdT;#1SMV;;(LrrVA8r%vKVG?%p%MmzaF3x-%%?eq0ha
z7rR8C7@(L}IVi2Rn2wieKRJ<#W$s-x9zcsRraiDOPGJpXV^6*Jn2qkqOO$)`KvUND
z?&cysq*vT&kEzv88~V5|>7r8lxsQwFx-`l1ay){LuGbh8NaG@qowF&K!G%_xMMpEc
z1n0G#xRyH#&PGn~>~9Axj)i^w9Ek<oHukD1#|>E46a&{OV<L{ok%@moJIIZahra7>
z?Uo%>W2;-wu^W;41jn+blA%m$6esuNNXtyTYZj?P^a^h-b~QUxFCzpqUb$+OzB`fE
zI+Kyd*Qh7ZHdDM(*Fl$C-bb6*Ybcc!_aO5;C0+suD#DTD%;d4`ZClz`0!~Zf6O{LN
zJeE_G^>4TOK`0rvquXb$6n@?GI!ju*3L~0;{N-->H!k@L@`c42GUCnBq9&xW{ZDiL
zXxDxb#pK@~IZIPhm0A2cgCO(nQQ90W1|3+d)G@K)JI!@EPlgpjkQ8DaJC|>l(Ax7!
zI7B2$@t~Vl+RN2G3J-^^beJ@ZG-quIDIAL71k&Z;*kWSFt*u3eXsz^-6VDpjiUpmT
z0t5ToAm;3w<0L?&do2A|{T%LI4E2pRgg<jmV8!RyAio{=r$Huv=F{3|q{=z+0v!4C
zbKWBHV0gK*h2_?AUcDpZ2dzS^G(<1Cn#oWriYvVwoTV-XQ#GP^9)ofVpu(5>@x@&q
zmd&iE3<lWjc@~T+s&CLf39e@j%EQdDmdk=IqLkzbe2MRxo4Emum@0$fL`+L;?puTO
z1`OM_N;>v?S<EbjH98lfVP_y>*xi(e>ioRahr!>B+?b8~ga)&k%gX@iTA!~z)Z;b`
z3}X+H%Qb7>0Kh!;Zfi}cHmtucHcF__(T@>R!vBfIpeJbh5FNy#)6I)~Xj58yQa8WA
z`<3axzW+SN9<|ulpK4Pf;$C_BouAW?gPSygAZd)BTt$%3#w=@^2m6C55m;(_K6=>W
zP>ZAMfFE>IFP&tA_z8iOf_ZD&qfF!zW~Pw9%kOjh79X&)@*krYT0e2@MOEg)fJ^Ev
zO=(4z_-A#U!Rs)4rx+59CRM!fXJIjUHXY}{h@9Xr%wD8;EZFW$K4fNE(x8{|#5&`C
zpQ?$wt+AVgGY>jVF%kJ?$s<~XSoBymvO?VJ1n)DI7x}F-cFhmFn23Ms1g&Rn)5k8y
zpIVM%O&k0on|=gczdOW@CcDE%El9|oAd~cqRcXV;852y%!W0i$pwSQ;I^qb8>y|eH
z?76Znj1BH;5H==~i_eeoMC;AIYXfAS*LH&PRACmLZiLE!&}dY!Y&|7a<RW=UgvCRt
z3cDcwaO9fsi}3mw7q-WL{xYj`^<kpt>gkh9HoyE0(}EC3YU+B?W3qR;D$bqMBCx?&
zIt|HPOy`cD!Y)JrTDaalIXK)Cf*F->@<y<{GY304C@6@t@H-`q(4`5N_6tqW-gerR
zPN|$%j<<dWt1^?aRy{JacsnmbtL?2-XV`iPwG*9?oLuphA9n5&ZVanEbKJ~f@3Njr
zi{6nuysY(Z{7v9AvkDV8pX%<I-mUKMeCahmT^8unmz{ReJY0)|6L~8Sb=0p2_`Eb2
zc-E6SOx@e?wW)<cZFlU;%b;!2%N83lXUB+A&C>nt1nU#04Eoh`UMVI>E>qqTYe7#=
zeypAzVlZ+yw+m`+>0};Yas1@9tmVv^Nhw(PgZ*BD)hT67U3Dc*-ilaFl82HG{r)Xd
ztIq`ds39?13;<PzhWs&{8x5{Xx#t#DPpq7l`Z#5AXCbT@^;{P0)t)AtzicQTxb+j%
zLJd<lOG?HZt|<WiD}>fYX$b}vI=bhby1w-|IgUH-(JU$@V#HeYpw76r@!fr%YwTCG
zL%|pA8W~>52~}nt3Y3+NYI=_cI8@)bF=sRkx&6REV?iwy2p8JCy`6VyZi7RzX@S9%
z$y$~;cW-Cm3l@?v((;ZJ;a2)RV<p_r0j(dvuj_=JWXr(a0WWX9mgZ(?%f9=wkp?sp
zz*q(nkn2d1WxegytAJ!dlXoEgY<XSR3W<jX>(ZaAxI0L20)DKeCa2l&a>Vb{X+>%j
z?ypf%q>Skuw{G3yi>f{gIp_SmGZ?H_%87`)eD&&RYnl=i15aJh)Knoj>*eb!bIjk~
zo;2Fe-@o{Zr>8_K5fKr9MR2<U?y=Dt+#D;TnTqWJ%aM>Md-_zh6m@&{kqmd#fvpu5
z_>!&snT-Q3u|Uan!lPK1%nFjn6fM`Cog<En&quQeLo-BEQ&a11uylt+yhEVx*e2Zh
zz(ZF-0lLKj#RosZ9@_>Fz$N!<*Pb_BA)}yBfeY)a_;^MqL_>_45m9?)R+jGF^Mjr<
zTW734B-8x%F~cIFW>D9n*kj`y1p<zB7082D1;pXf4Ys}@0&#=ZdXm687Kix>UA(;r
z*H|@tE;Btnpz6k5YlDvRI!fEeurD+-$vhnZraRT3Q-Kc~5luEWs(?6y`Wqc4Ybj-W
zPETM#WpzzEc~>ey6hs(%_Og3VewSPvq1n;a#&C7>IL8s!5$OB}_j|YS(p*X!nvwo~
zc1}(~KEB}VHbZbB2?@a$4`l;Ccby9t-aOGKlob_q1Jo!WAQ_=m6N>ZpQb1_kBmiE=
zo)0O|_iiFTd(k9(k|M&3QBcvQX~(6PoMJLEWIW819Ua;&YCsSJgaP_Tn;07x8v++u
zN<sqOr1i;pYHI3+r#$U^03>DsrzJ2bXariBS#8qt3~m4!-}LQJaj~e+>gXs>Ko#Iv
za&iO11z@7(<*i6N7KO8!!s>;N9}v2PNl|MPH6AP=<NHFC6KSiOu0RJ*UG;Hr5UztU
zobRBK{L<<0N;z&)H&yck4hTpG#K|u6q5EwDLlk9Y-3#57Fo1G=dTk&x-$A0xAquWj
zIk_i+?vjPO8}66B9Xme)B)%v8$9)d!gTKw#GJ(L4wXnlx{U-jY1_zsZD1|0W8f@eC
zn5uuH&=e>z+J6zP#*Pi{6E$~!mtSyOY3@EbO8H|?TCFV8A7vKNwtV)_-^E&*oE+#*
zPFTe~&^xdj#7c^>G^0I}L-?YO0J>~QMXgLr`{_iW(`p60b2%j^nGi|$-$sd7VJ_)$
zwt4^>o;VLqegLEs^20X?KH|HV_*z?Ii+Dt`R+*<^Xt%16-(y3OX_{-(#~y*>@BZAC
z07`JTHQ?~O<HT4U6li1(JDt~rs0$$K1gAvXOdl%+Prbd=PZ<Fgu}(FI(fb$X{0}6`
zW(RX(M=*!biekQ;!&4vLh_}a@xH?Ys`)Zg(6IKbY4##Ksn?MqKH*AYQ2p;+(iu*x$
z7F#6vUeHs6kPJ(<O{5|+ku0$>!2ZI)Tw&dn_8b$i<pUE*3)+LLUcxVAlqSw5?=N~}
zkeXocdDyYzGaP(k-$jgvs2`7IKx3-9*;uL8Lg96syXTD{@BHSU=%~^MwByqC9TKW)
zj{uZm#eES~OSa99y_@c-DZ#rgbszd1QY7Q!=G-ly9CyAPb_-FUu(R%v!1)R{xqo#@
z{JX11n02ZMf5QZ4NZsq#NyS&8Wn%Hp*RNk;85gU2!+8JuN3g;f>~CP*NSs5wd>Mr@
zmkk<3bXb|JFVSOmo|&E;@{mf~EEF>>dMd6nEbTpd5BkM|%QQgwAcv}{k@v4{y7HyJ
z-`zeJOf$ax8EcGNN_*y7_a3@F0#Ctx6B^d$vzNopolDo;EOJzLX5Zai?I?SG>lD=+
zCAZxsr=EFjt+}SWg8nbR#Fwnqz0_^d*7`_BVLsU_AlA)gWFeX?If5wpDp+YosCw>0
z%<TQ)_vOW%{u@u9pxfnj6x71Cc_k<2zMacs;9b0Re=vM>*Vp0jW`#$R&f{*TopPBW
zpQEO}EJBx&6{V%p4?($@n3xF4MeSs1QAtTjh$>xO#bsp)=bvqCZYotKQ4yB%rVgC?
zK#<uLj9(DVhF~vXY`G^zr~W2|8t^c}!>VCc-9)I*_VdGL*3Qp;Y>sfBN6Hl;Eo*#=
z3kv3de3+Novj}GTF?a8RzzQHNfFKq9S6?h9);&LiY;kj08ML+LqK#?ApObM9Je=Nj
z-i?wBLt6O}pXwq3?zgWT^R|=Rwa;*!J0p#6ZfS{CctZQjI(_^bJ6pfHh4BlR^IQn#
zPfL(u6hcL4qSPmY3)x|u@h$g)hi~LlWAf6%3BqD&FDN4|**eYr?|o-)_Z%Ks9o`Jy
zsX4k7+4~`<;95l*r;gOnX+qR5#@KER`~o3BsldKIpW-gJl2DOtlMpfLL>yGXSUEV%
zOibJpq0x!cb?#wkGy*+Gb^CYjLvsLIyWQOZgEo?KV<RIzVaAK~jW0V`Sia$R*}n<y
z-F7<$&*n=hL*lnqAe(;UQd1+jRW$8|s^GwQ{>#!EPtopjYhP|HPrn_U?5Y`<FW%br
zz4q{I&d02*tVtKk`alI4ndd?uIy>cb0rxI2(Nmj(EX7wsz=0NBRja>EIztw`am&Qi
z6sl&Q9^BYmJsx+?b9A&Z(y-9%+_OtcJL_2+)}6^RdUXtCH90vN+h1E^Ije(q>o%zs
zKyT)0QD4#E@g&?ADb7z)I`!x4u3Gl9$gG4h*2R+?bgnrBU<-p!O2_jEg<o6#T7UFo
z!j<uuSze8gjUG*QZQSbt&nioKxZAyw*$GRXUG(wilDo}MF~jou6kb%nv$6T3-qP6E
z4dG{NtFG^!anWaOerRkg(?g)l%-pm;&~0OR`Xlr&0FtUkEC(pzF6Bd$lKdxT^?~LJ
zUoNisuKyf`?!!G_KuZh=x$fr^^kkj`(BK#}c=}WGQ@qad6~>Q9RI}WX{;|o2hR6xU
zO-{!0;B(^VQ`?WfawYk_QkT*76ilmHEGB-hf)tZ})$#f-+dliu`}A&cKE5s~rhC=y
zPHxdiz)}qPq)H^U)`bhX7Y#J$2Vd)1S{C^kHWk0hHYx01>wcy=a${`>RDb6ufMM^M
z5BBjV;@$%-K5xgsu-0$od_i_E=pyGqpFBP7rtK%=`W5*rZ+O_kbGKv2;Op!52KmG6
z$J0g0Z`(lES-O`q!M&VE`G3A<N77=~{Bo23>oo2Of9}a@b(MA2YIfT2U?E2G&9xuG
z*GWn@{8naqvNZ1IT?~YIYi?G*CYPlzDpzr-4QdgvB9mS81=dzps3<9c^?RKD76prt
zwB1?AD}Z8LGeM4d{`}-hLF>Y0e$UleV^8A(b)-!@B`dn>5f5(n`7&4&4o<^>&f_Vo
zlAbU}<~wuwU-DVV^I5VcO>594z^%9*84{E5qSmWZPPV-1(M@B9mN%X$|LV%pz`nrL
z)Oif%V#4fTUI2Nd%IT!b*SEjEB`9kEv6yUdE>@WU=(Z<*fnP01+o6>~!3zre&g;yu
zRdPAdsYj<s_QFhXY_J?B8cza=9R;ttd+6PzIAL<7$OTa^NYFZhCbuWvGps;0)<yrv
zH+LCNnS}GTf!qDYg^(|TrM}+ub0HUJ=Z+5_r1RMz*nD?Y47Wj{O1IogW~{*Yd9h^a
zBnN*<kL-LWt8QD{cez|{FKC@1)6!^c+2bMk#8a`_=IYg}Zf;$_JfFLycw6U%^QVAL
zQopYH$9eU=<z`5QA7jvJa~AodPM-wT)7gNptbrZv+LnOfXu?8(spWi;-RaiO&KqAx
z<WA=hKl|Y6{u0iP*RPEwMrf3_&>+`9qwjT2)o-s3s2=I+?afX+B`C-#@AI>_z!bKq
z9;Y!ZJ?6Zk1n((`Ld!z#@X}WD_3HIkp1i2hzKacb1jMEDcaP!*@}~^C+NB47E{>ne
z0M8V+mf|L_gwt3u((roJySzumeA~>Sa3--O|40#GekAUFE~9qNN5diuPi=F|^mI~k
zGHS!e+WJh{*U7erAdR@J6SUC8;;>CXLJhTcSv#6T{~fiRQANb`X!~c<5dq{H|5!Sq
zaRXP1OV|DK7yMQ~+Dx|yM>o+FdB*ErolVZUf8j(*=Y7n~44gmihz<CIP!`QAfHHt#
zx$oxc9Gt9BErrI=+ch;Np~11^!!vsuCxM{fV`30v@cXnd@<bj=3zx%CAIIZ4LKr8M
zKE)jEY`3ddBW1XCP1<|jd9_(J(95mu#@tqS?^qQ|T(7$Ep=Dsw*<+WF<e!G?SEbLw
z6-e%jjZh@Z8yi&{tFXg)by5SCzQuU_LT9LS?9TA2ApOVwx^XMxa$KKEzKTwg;@do3
z`)i@7qYE~XjVh6%Apz-4Y-HcDF>Ri!`<N7js;?GFmQzZW>q^^fdrniht!G;Gt9<!H
z!`<gTyU9<0K{0i+_50%0qyKi=y7G>wM&VNlK#ooyOiOq391D7C-gd}~ax$>$q2`^5
zD)r$Y1*!O=O0S=88H+*=(VfB0+;S_`V)bq{@^1acTIN4rU7Rc67G5?JdrZ+rx)f}G
z84ktWTsqu4BSeM4Z{s@zV@F(=e(_X+i*vg$Q-W~sa2f%pL;x}Bo?-eLB{pCs5L7vk
z+LvD9QbEX8u@h9y*p1?493_nF431SKEDZ{S!-HKU-7|=T4Ev!*PI(e`0tZU_w95-G
z5q(Dp8Sv-Qq~{Cv(g|IebOnu$nE4(gZm+xYDuojeup58}4DKEN+h?7L4#L9A=3q%h
z3UBm&h(h!$xeb~s>>UAw;_7GIC}qNrHn78?btm`Dlmp%w+MCxp2~nNx1Du9&OgjPI
zrDIda(>2H7nW+92_^?y4Kh5xk<v!G8bbBf>8Rj3ura3rYtQ*PggV_(mqiqYQ{v#r2
z7}_8Ww@+~#Muk}&Ne>FgPQ17k^81c7cC*MwBolC&$NXof9!cM3XsPY_U(aC47r#UD
z-=6oMN1k;I{`COn`E<E>ys#+R3-DgXDl7b)Utt3Unf;xcW32Av8etL;GFWv(I(zVL
z9wz))R-Kjd`GNnN@7y=8q~s8y&LzWHices|BDVLSE=TUXv?c;J1A_Jlq28Cn_?)<r
zCXrBP{ykp9r^Jy|haa`VoGB121)qukw<V(@k^r;+fq+=-f13`{?2<DG*;xPlDM>LJ
zR@J|+m3um)QUB*~)GH7W3~xhJ)-ba9Ph?O&__J}r&3t^ZJUOna@V~#u(lM=@Q5_~F
z)H6m@y_2^Rfp98hi(Tg&D#NO**jJ28AO3Aj|5yk}kpwDwv_J7T{7^nP4QO%inGl7N
zAl^F~BCYr}kq;k{P}=@2BgAf|eqMd~7kK5l1nv2=z2vqP!`}pgWOi=hVjiJ5u`acJ
z=Y5YXe~Ej+>H<xo6ME7|oQ&`b;3XqJMg8MLrXje`P;#Ju+<rDS-5Nw6x_R2hXX3nK
z>RybbmB1|tG5nY_$8b3a>pCNKpBkzqiael@7_VBJW6hxRdWQ=g+Nf5o*i0VwsgP~r
zu>Ouplx*7d+j^{9T467v*8^%$k@R>`?6CJd2WnCU1pg?%bWN3_=Y!LuVYT!_GDp9R
zZL(x2?P$;mT=rOR7LO!E-5Fg#;NjurD!_j}-!PWO!+T>9t`vKbK$^twM`I&7EenjS
z+3g8WFRMnZAwdQ);Wi_6lp@D@yfI~twO(mwv3Km_f3g|kky7Jx+T7`E;FONXdlwGd
z({0c;N}~C`SRo!QhxTZcsN!8Zh{M6=ys`d{92IO=V%#R8*mCh}ZizI*!2kBGI~=O`
z2-)VJKKL-SPpLGBDj;5Mz0)>dpAvp4QbLhJp^lQW<DoESeH&ifxRhhXL*b3e2%g$F
s^@nvOg)ajSd<`#{h*13h_usoj8ne?(-w`*LvA=sxO<T24+3M#10GnC?{r~^~

literal 0
HcmV?d00001

diff --git a/blueprints/apigee/apigee-x-foundations/diagram3.png b/blueprints/apigee/apigee-x-foundations/diagram3.png
new file mode 100644
index 0000000000000000000000000000000000000000..c58293ff052631fa4ce77797a6f6a98c9a178bc9
GIT binary patch
literal 33258
zcmcG$cRbZ^_&=`W*x8}%5Fu2K9gc{UQItI@$;#fllO&ZLLO8Os_a-SqIQAZ89eW*n
z{q95c?ma%A&-b5SfAqjPuh;9oulpL$>v>(*%m0>&0x2;)F%Aw6sp54xH5?q=k2p9G
zMnVYqOR@B=3phAWa1`Za?zkAtS8Z!D3`VDDd+ToM4C{yQ%WljzWj1|ioo)S=?Y^rq
zV!!szT|TI<zP|pE@adEF_(tPI3=9|VeZ+r^kNc=NYTA`5OlA$mGSFb_z+p`}kbu&7
zHeyoss>rATNr<_I_P=#~$5{$I7W{i+exPqd@bhPKDE;vt37^1mkA9*!L1B9QAsY^a
z^ynuz6plP`^wSF*LfG+#lsE|dqn}tItf=EZ$>IF}b+hJ)IzMue8n~rHbbdi$;hQ47
zF+S>8G)#sI2j?^$SklhbdWs=D>@wJK5fMb$pE)347f(MXkmKBQU`1U<=$wP-=*cu!
z;(X>4#hk!-O$OEBbfG!%UB(wj{plxsoYPE%g-XjjkWW6uCsLrkq&OGFDNLirNO$Dm
z%>^gha8l%&Re%Uquv_$OXRBR437*ADhJfQD1$2(LZA%F5Sz7&;5D1G9;wOdkq#Xfo
zhMI>Hn%d&=twAVC#!v*u_kHF{v*K1IAtBMkT9nRp&jV&F9_v&gSxWc$#C;yQ`_|S1
zrE?^HetyhBT%{r(kS<Sf%!wIraDJQti~LmiQj{?;DT%{)`I9e+aLhtUyP*$fT2>b6
z;@w&l3YDiR-WX<XZvNCA(fTZ%q8@|6)a(z|+%AF!Evp+E)>Kw94l&%7^4jYg9%dTa
zb=Tw9ynFYqjllJLfqai~a9-F0aS<hET|vaf##)-1vRXdaPg2M+tYKzhNp-TfUyBkn
z0b1C1KBxDlUFYcNXjhkmi_3LMA0HpsI2wJv2rS!7jDdln%fQgkB)X`kM)l_0+?>(P
zzJY=FGCG7sqgC$Cs}qXC0xw=%Y+KD^oI7J|Z2aZRm)O|Y$HA?>X{XWJMv=)}oSahL
z2TB2rjf%7HVq$c)w3fHyO+V0nI3e8I+S(c;V*NBukN&2r<T?u@V{UC!)EN!4cqz~K
zUK&?oVq$LIyxE0p)X~vNtM8j192|sweVLk=IR4q6nw_1!>66UUMB`Lo2rf7frqp0~
znEh+-?_KHY9H=Dr{{DUrHcX_FFXLoWIPZjHSy|bH2re$}M1K>FLS*xLWX+y$*N42k
zOF}~7Zfa_3%u*iL>F=nkuZ`8>Mo)Gm-{gQ#h;Vckdg##eMaYLdURYf0(27o}tbF(I
z6?62nxOA!)FO1HKp8PK9^YU4odj9us-;{dR>d2*0Vci1*ZU=j=K@Il18<yhZ@9lZq
z9yMmAtHeorXJ2XO7=@i{QSrgZjg~v!EQ?SwF&y<+Q+9Wkpdk-PX68xQ-CXJ<((?3_
zZ29`qk8x*zce6{@;%eA!Jhc_ng+e9zW^?~^vDg7VetsScGN8Ms=?NX)U6o(m-yGHS
zMtpuznVOqxV`UXsANqBq)YizvWctUKR}U}F)1TFDF0$x-a}LN!wLrM@!cH^4QM{yk
z&w|tLUT?UCg+&y6b7LbkQoSNQom*0Je_^mB$DnF;+j>MxTRTrDD^kEvgO;o-@fxyD
z)<i+TusR7p>QV)>QriWFYmyE;U!c({h`ujV)zwl|ruh@^-Z8qppV@9{YGU)_KYt!6
zBc7$E5f0UH#eMeeZEMPPq;}M8>2O-1>p5n$oT#K$j+H_R@%3`Ib)J9+&eZ)2P94rX
zk9h7BW4+Wz;I@pZrgna4T7UoA+{_-CTw7EmWXBqB7_F%BHAX=}p^gwHri_Hgi`hS4
z4?~2+3L;X3`D*IgfEh7JH+8V0KB2i#XU?3#Bqb#$-%h`yp|JyjM!$R8n*SCa86KXe
zEASTHsjcqiCFTCUKlTdH;>Wkjn%Qn4XCA*)={|)>`Eftq<Q!#c@+HLL>@1tH3CS5o
zMh<T4$B!Qt?CyOziNHrZ69ew($=N6HW{%f7o_CRop4Xojmz2yb4VG9dI)8n(v9WPI
zE;=U0?CIKcTiE#m?d!;z-9?G~^P#B|6A$AL#bMOw3g@K`jIOROM-K@J36mG1SnC4j
zd`3n_XJ_ZbYhA2Nsb;24CT($Iu_~bj7Y(;?Tug0!FRocxS%r!h2un)b;bRV(Zea1|
zFf!27d)VtA1rM8{rJ-q8cU>BhR2vBhApJnFBOxdVZYN6}=G$4I>UjC$#gDYtU+yiG
zjPeTzs46SpzKcS#p}<)buqCG`r1}C$Mkh6*E3Le|;@r|?Iy+%^@`6~TohpWthR-u2
zDW-rc#CeVb;S0N%!#2VAFuUoVg$1wsXk}JbR#H+@RaNY|v!i4CScYa!AK#gPfPf}F
zn56cp0Jib72?@-0R>c&nSj~!vh{$gXxP;i)mQJ`%t$F9p#ojXv4D8+685u_QA;LmJ
zLV3PEeH1BI(T&k>-`>Jcr$TE>c<#U?l`)xlx}G~bJAIL7)wm=JCi3Sq?p%L0!+2rY
zKSf4d`2maY`ZiuP?X^cr_IV<bY0GJkJq%y^eOT;FRfT<p4s0g7pwITP=l@9H?$;}X
z%m=dKc-$ueKKkSd5CzJsUqVMdQ9j?_-zOkv4ray+!m))X(Yzn}L`itY#@KjrYs*Dm
z9zWfF8J$DvLZWb*jEwB-r<r+v7bwns|H9l8IIJUBjrhiZ88}OzHWET!x4OEDm4)$D
zB!N!c<aJ5*W&Kxhd3kwr3kwqy6CVW|<d5%sJQQkcJ3DTB!Nf04@kxMq_!$?3LCiTd
zA~I+kHiCaXi~arDtD{(t4PVXBUOMU%AcD&L4o>hasuO(KNMi$>AGC}+I5_eI5I*Y4
zmrs_FSD$dp+{gVZcq*n5pE-TnR9L{gnu^QzdK!qMZ>g|x6yK8#IjOC3zU^&X9NFS!
z%Bhj^>+SjKI5_Yt05-r43$NQ;b$wn&(>bII)W9GAIH;nCeE;~94kwYL=cW4yc*f_U
zmu8DuuTK45Oxj&G<QJO4Zx*88vfg6vUHdD}*JcnBs$RYO;^;nf+(dW#aB$QihzS3W
z883RLb@N=O$wOR-B$-CWOt{Sn@4T?RRPrF&eU9y10*J5oZh+87>Ebgov*Ihx$R>hG
zdL}cbt#SQ)+r{H=UHgRr2JXR;;}^f<>AZq+y)k*Kd#R<$5eFyO6pkdthl-OW#>2Tz
zO=&3ETQlL{aL@xFL8xc=4Bl{`6?MDz=VlPHEZ{h3u%D&TfNQ7?kVU0WBV0-Sey$yh
zAaGvr9xaIm0WSVTQb-Hs`CNMZxRB6WSd?-OdxOfC*yT{5(~t(2B$-F6TPjTUg>>Vq
zcqK-XEy<frV%ic%MMz%0_nM<ZJmYzc^Mo55yxbV68=(UuXC<8EN;5Ih<e6ETwU1Lw
zIyTPAWm>cNvFEIre678d58n+go{YODK3l?1iTZVf!lx<FqDn4^9=6(}3+<;-gBK?}
zde$uL=;seL9_`BJg(rKV*87>ABaz)$DLmOCfLLB+McJO-hl(fM%6WSPGVPAmvGXGj
zB3WjcWigj>%Lji+GJ{^Pk1$rrc!VtQZj~!tpWtr4GKnVs?sSj1f=M~oREF*V_tNwF
zN1OVOyHdMjqk96Mw~j<fnxI2lP7ylX0XKKoux?1Im`QxKYWLBxsNU;G$ilq(;I@f^
z8H2MfQ*FUB0I`-phy<7epo2`4TGcUFU0od$6BF!AR#F4?#`Y8v2<yb3hjiBk!D*&)
zqZ(70zOF4RC}et(w<g!!?ySR&aM$jY?^a)4AzMiz)ps9hYDtu!Rn#}({hc2eN|r+5
zky6=}Z`}eIqnR=DzOU}KSZ>Dm>M1G5NGw0&AA%7HppKB~bJ?l~;(8<9`fcwg&&P%>
zE-ek(F)&#-=t&A%HO*%CPLjp>Htg-~HHLA`&CUX|SA8dX>Cz>cSOJ5|v=1MM-^~NS
zlAN5}-QB&ty`7$(Zeaacv$We<pN-W9jf?Z76avf`p&7Ca85R={iwJ8N5Xxeb3?l)k
zCwHc7o5oSOORUI9z;pE-e!t_SNL5{sVKv*Pac8Pw%}QEI+`~w<gGx^JoUy6l)msQo
z87`xgdQA3sq<X4iq*?GI6Qcr>m!?8!>%nE{95=uB`$-;`J+4Z)g$(lQ>sN0dc<HU~
zttrp>kWI%4xxAsjEGS5TkFVu!W0RYd^tpl3)Og)%dopr;ef?veImMuO!QZs|86CR6
z&5Fu2bgDkv%Uqqjh^6N7+kX4Fino^wOSN|wJr^qY)ka>W_u^0WHpUf@Sdj`?hA2)C
zT}aU;Ze~V7AJ(~kNq#t3!gA*sF=nf$Hp-qZtsT|xK6k)wejcLyO5AZ{XgPlpQ${k+
z94bc$73WF2^9{Gcxp#J0Y)?pEebJk{Frw0tU&m{1sNh2t;eLzAXy3vHvNea;!O(ED
zr>6%1hMCUP*wz;{Q?ipi=Lr9BJPercc+r#leUIC#{A5aO^aLt_{ADFMK7W~1ZGES@
zxCOfgY2m*XMqpST9p{`eVW-1cw6^r7ih(|Udg#-orOnmsm9lRPA{AUy)B6z5ADI4E
z>1O?S*ZB71)BH}xT#;~)SO3e1d1wmkoAxVvx996}xIM<VmP#_|;s;qA4tlhu(K@5*
zj*(wj4!0C~(sFWgva_ws%vNlnI{@jKnVC(u#=2wBx5v(hrwx@uW&ZMY&*)4;ds7xq
z^i<pK@)!9)%S-ocfyC)KG|5h(2g!NjdTN+;hLT=edZjduc$|)&CV>U;oiB4f=r9&O
z?LtC866G-Wk<g;E!!$2}<dQPhj}d{`a4Y?-Yd~PlNJ+@0R1KENJ;B}hn^|1U{c0b)
z7Pe;)3tiN^U+wx#CP_xUb{D>XKP!}yk|Hi4(H1YgG)`EU?*>%d$jAs`)Qz;8!vb0e
zVPP$y0BR!LL_p7DV^-PNs2LozRMsMt2(#ZbTlu3yL1=ySaI15$_VzWTw30xqSiF*z
zzShQ*&zt*w^JTBNyZII(vs1k9B2A<#%!ptT3@2$!-EM8z*1NZT$WAgjx9Ue&MCfoe
zLG6+vvN3LVT5?U-;KuH=-7e}upxEfu97*R9@ixs5H0V#CK21$M>M_vPzRiw`ii+~|
z^!(dGm7v)I&*{*vhjg}GC7ZYUm`+s*Hir!gn`2tCQRk`pQx*}x0)0pr*expRnrTBH
z3$qs~J{^=+$*+xT^o_KZ0M5{bE~v3AyyBf1y^anF%A#3pMg(-?n`PS?1^T>g=7Vxc
zsfuRJ<pJB|0jZ+JgyP{DCfyaiv_i?lF}?m3Q9Xl-=H1K&*A?F?lPPrbeBge4*}}pC
z0AC=L(A3m4toGOjIxSTLPfbp~>s|ZZCfE8q@?fqvCp9T)jM+4Rka5Ssw`Y2a?v0}?
zm-u*P7}<?X(j**2L}Sa>?pZB_{Db&qNEYJ~6m>c0yQsz`XYwG2?L`TN4#C|jr|GSi
zF|cyaPo4|O?9<`n*K+K=nt@TE=y(=NbQnGD<JyYHm!3J5>4AhzUtb@j8JQ;FzbiN;
zgH^e?9|zXf)*z$zr`7WuiF~nHJ_U4xy$ry8wp;r@L(@~Z@99V*8vEKGSxh!}9mHyC
zyfGC%>#_>cNvnHxIW=-yvSmd^pVp_s=FEcDKzLxW)?F$VyX*DlB0gh<Bhj_1G{QLI
zi2dvQ*bsY18pLQ^L?Cek4<~d0_F4BnSC_8jM;Ov-5(_Wj>$1my0N{leB5kN}BN}Rm
zC4J%iDYxKT67)E%JU^iUHq2KFH^i8roAO?km5*DVaqK1)7trii)$AJ$ER*0I3aHDj
zSb8_FyRb7g1j2x(Z0o#cpdigg6M1%48-=OO6&)uv9QXqW;wT8e_JYLTV$67};b(2x
zTT!`i#=v2-&An%{l3};HTYu@>b7#}qecQ$Y&#~bl>F9e8`#Ytlqe@&Bvd4VC{^-lX
zrK(jSetrF_{(XO0EYe8x0+0Y7!bI~ESW${%W^Pnwk>i+ueDzB2_cwsQv2eBQ0q6P)
z8DY^QA!Ik?@83Cc{(oRG^xsbDByhAp!3>qPZ|p7Wb)3#8<>4d%KtsC85rK8U@gPjJ
z&yHM?)%>|003y*cR~Jlio}}Rb0er`E8+_DXki#x++)!QSf+pTC@uM^4%V}AeI#d3@
z>I-bM=S=LfMEaKp+}zxXs;b^AKYZ)H6EbH#Eih@rcUJt-5+l;m($aJfP!Rs{AVp$g
zWZV<hCj^8Dzy-BcH4RoJEX>UKn~-~ItSEf;Ot|~iSaN?Wjm(~4?}|Vm`s4M>bA3~p
zU3UYKSX4;p+5&J?e&j6pfjgGvxjqO86D;a!2aBi-`tyC}Yc2PJ;aum=fm|%I8HDQa
z$jDTs6xf@Mk&(EDwYd;}hrG=8&Q5iGeI`+2^o>6crf>+3T(A2LALFy1X~%<jKQyG*
z1JWvcd;6}_%*@qxlTGV$y-ULt3Om>BqT=EVZruuwh$t>7kd*|m0MHwSONJFrEt}Vn
zbaZrPkkzi$RXgMDE=8kPuU@si6FcHDR))&#tE#GCvjA%pD(PG`G-M%-lkzN2OM8LO
z%fn;344@N+LQG5y$O$GYE`CE;snf93=Kg~RKgPzM)YH<^b{P8A<&~AW0zN}WG|MRs
zzPm@|u{zNRoOisa?Ng1=rtmuwE#$GnC}?3?czAeSovfRjxrwoH|H4LA7M~6aeUeJC
zV`F1uA!pMnB75x1wO>}KV+DnZf3sN2GmYxC`Kdi@Hs~<CnR{kt+(M5`OeDm`cXoF@
zy_O1fvbsv`r(3^%{hFu{^mdi(<jJ8L@AyY&JCkLmBC7=;u^}NcY&S{mOmzlISyo#a
zM67ZrQ&UpZe6ECZvL+gjC=~=l)qT1m9!Bo;ci<Bc=w~Og5VNhN)I6+z{C(mF2MVlw
zcz775rK>wQGNRI?GAHi?AdC!Te`7&+fPa8ufSAg3^|9LvkO#h^6UgU90X3|ss8B*0
zR=TuzcYlfK?CFu8CTEfMN|MomSdwJJ8&2acD5OBKP;J%^-W>4cCxZHEMEE@OWo2Sc
z*0@BAAnCtu(D<P7a(^GtH;@Rwd-raA-7$Xjt)QTwqL!krSuhNC3+a8ZZQ`UH$r_ur
zAq(-G>){)vv)<UYE^BRSdXImG&wtB@fV`u#Gu-z)sZJDtmkmJxAB+b{9j==R7iVU^
zhDOVWY~?r1&d*nR?TdHLp>##x!VBE*Tt@<yXLil{g1=}?N>b9Z`pbwEu0=qAJ<fyC
zWpP>N=femcUSC3aJv_>)fMfYnf8V(9&R?`%FCAVKG-;impWoVJ2{l^1G14f-r?4m?
zEG(bW9Dy1fyjd+FCDob@4=cbYhLv%z&3{xKUxB(=TL-n=+&82#)gcIK7`H3?+H4lg
z`RJt*xiVybqLF&_5&acWQ5#W4au%tFn#jia8aEOGSxWRrUQ`z{{60kg_HCJw`Q3c2
zNn#kE$D>Ejq0z&tkO#7F%keG&M&h^Rv3b#7j^x_Qh}f&-pO#E9L&+&AK+ifyi;IQh
z51G-;kpj~b6T$qudn~!lK-qvt`SvYISdptjJ8HOge)oMPFiw~zf@N~>iVH-UBtgba
z?y{y+t;BUCAZfzF!e(T=cV@U^TI73F!rCvuBB0SH-)i_Xzc{dZ{1|mvK)+m$SBc~f
zJ4))XXx75352J)MgBa&IT!x!K0B#f6L-l`|o#lyroLixXb5WAQ)aL{ug5d;$>~MfF
z&SmYS{&AA~Ixr#@cFN9h!yzazaHPzh%cW2%_(j;K4%x8PP=11-9wjfYgMk4Z8vz`m
zlTd7mJIPrOT-?c%Ct(f2fb$*Wm%ML{^x5Jlmq>3IcLgM_hK7cW41$?|_bw+Fm%W``
zenEk*j?U8tvy`Hu@Q6&00HznzRI|i48GpsdNqi6$XJ==hR=_hU{vBHmN~zE-RbPCI
z{83*1{Y6>It==aWf;6B|oo0)I2v->wRumNoNhbia@5Mm}m<H$vLoK9c$@Jxd&Q~u<
zZY&KOXvLh2g)6RAJogv7OXgNlXzFUgSt$J|O83lYpFXmFYkqm(FZmUNdKW)$O+hZR
z6>gCn99hJA>nt3k(*DTY6DYFZNa7PjStZKw?ahF6U)8d0vCL`DC0$NrQt$A-rQprP
zn=zd)!vmEzyid>f6=f}GX>v_VZ+Oqr$1vZay`DHrpOJQ7Oe?`Pl};f|Qdm%~Q=MG7
zrdU$J+pk{g)?vd+^+<vWeUWGBRbKd7hhgzMRcg<DmWnrD@)b1sIXVrajk_-^WZamO
zmxL9s)#*mR7PqDyHg#DGWzK%TdSAt$XMXjxE+m%YJjrV-R#eIf2w#W`@8imD+}DJ&
z8pqDE#tFe3OJ8ccCa(QxWBqktoW`ok<*u%b$e2-~hm%R2hM~9f4X8R-6`UD#&8;J8
zLkbS|npLwFlzThWqmmZ41u&P*Qj)6{OyBzkwUKpFeJyTu08)0tA5iBvoS${q99;g<
z-nm=&v0`)Sf_2L~anDd%N1+8`<-;9I&+YNc(a8MSOS%`b)QoNpkD0b@PuRm;Bn2$&
ztuINg(JKn_d02S+AB5(pllNbtHWfBf)XvMdI-_kS6T^~4NLcu>Ad|v6?mj0ta%|K;
z;RM5hCjk`ooEC8~`MGVP2;=<a^6qN)+Rz@O-K0HT=+5)eFw#y~Qo&1js<Ga1QPypf
zM@~Bf8+rz{j^>)ZcfC%}-y^B?VvqUk21I)mIQQnBE@^Tq)7b=W#ftv-Uo8}oW;e{k
zv^qPkCpKo8Iho(lkW47M{&Z%k?&a<#^P6C{u<Fh?un1+@2g>i2TK8=$gJ@T`w8bpu
z_YIIUl;Na7AT|L_wXbx29tFy2czhDvIINctaE6n7kQU&@csIRg%^#<GuB^@sHEn(C
zI6v950HMDY`w}iFozmK65!vfJC5smgbM|t4Ft@fE-gQcctdZB%NyUnD9c6?^44X@;
z56|G{K;ikic3GKOc&wLm?z+{ZyKq{VU37(&Z|SLtiXDbrDXq$g>WP?mo5ho*cG!^Z
zTSTP85*@;YdU)8>@jm7>2@FL}2)p$WAV0$F+^={?F0Yp##T%hb)!9;YO>JT@`Pvs}
zD>W{nxt8|~nw{AoNq%tShwiO6n!Q@r2IzTEq}B#bm_oJjYsz>tc2-`kpNAS!ddf53
zVLs_@BOsEZ1G2BmZP(n4ZZZ*J8r8Y3J2l#B^4ZsoSHUE+@EZ&BKVZ%a7&5iEEMBFm
zV2R#~>$#Z2YGUC%)3Xrcyf^|v?6tg#8%~)S?k6CYVp{h_T<0hW3(cOuZ_16KQh8U3
zrEt<t2=E`#N5~ytJaLcmosp2#P#+#Thal2)K5aWw@2&GCHfXxbyCVs$sDm`Dkyi>^
zMA1D1Y$hc_HvR&cUbQ~g)6Xz>mH0shy_X56O{Fg%v1xZ|R3O9cojQ7IeH}fg#d(yT
z*GoaY1pK0dop@PxJJ}uRk#nnfP#qEo4df1RY%gvT?-uZWTcMS4_!hn3;v?MT^-$v&
zD#t?UZ-bg0cHtZ&#4(#1ZN=;^CJMoQ55F(FAf~$cUXcDwF0imh=Qw$|NDUm3X+JmS
zNlBs%k`kLi!hu2mbm~)8!WjS&*D1k~2#7V8FPuFef(Y~m=oA;iCvu6_6v;wiiu^dJ
zcoy{{GmX+z?|#THKpnyGhYTy%5#ZAI^2n7RY{#CI1zZn-w76Sp`26K+6;D6{z7j*l
z53o!fa_20{j-3^yLy<;-1VpdgYqdTKQ#r8N74n~;{ns;&w+pJvAv8jemJD4AhM&np
z;n08BwzY!K@nR4le>mF6@j_&OS<;BghZ1<(VugI~=GEQgXFbn)xC&W9s0bbQaItxi
zX_<c>9CsgUb0aElneY;_*Lp4GD(R0O6EV3z-g%_ikuyrT5J{y&t;5perKP`VW%{m2
zp~q>>D*Pm$m4T9SV$$@Kbe6ZI^H{=drudW&yH$|y-&RFKDEWZ+OF#V~A_~(^kmJ7i
zn4qfZG6&K*f~nrNcdE?8eeuK2#&oBI95(U~X7n4r#R=Lptz`Lptj%j_%cMMyf|0bG
z7CqDaY|>_<Acj6{uts7F$`{si*2XFNtyuPD+p&A7d36aVw-<1P*RbGQT?fCS_$oK`
zjlvJkkHmxo{rI9h%0HAXbk34l9xQjzw#0-RYK@LimwLz<brHf0^d^4CSa~?oHK)ZK
zAO}KlENp;C<^~K}g8)NZmvH{Z*B$0<n9vOt%}`SVrK*h|>w~U`=VsTqH9PFr6fY^l
z{37{GTJ^tH+O9n?AE+|9`x35M<r*0s5^KkoSe~q}EycIj(Ovj1=1UE5_yrg#A(c4A
z*?3)c-(<g11DD;QFQ@3|<KCto%s<slDp2}Ca$~W*?wn!SKwr124+dUHcE%M?dJiK=
zTI~I<(m^Pexdc5TOV6<)8S4<Ig5$L}`3#hiK5(hT-<MYzyj+@_KnU}t1x#IHQ+<SA
zw_~P>scnJ1gS@uAocrI@?gXL-Wc)bcaOAlMZ$6O$9;m5kX{2q}H}rFf(Zh0Yt8fmN
z5dmasYh27waY$F-){-6Pc&5c1zbhv5Ls<a+Ob#3Baef(Y+qbx|DYi47BCsC8GB{*^
zzMCO>OXjX6Aah+0zucSME6rC9ax4rMSz_+)3WFO0HS^IQx1Xpj*v$qU8U5bHD!Ct0
z)sApCWs=ljHg)MnSjEcD4L4dzS|Z5`dS(0^LRfO?-ldr>aEL@O(olHko5Cnn!>WWL
z@JyAtwqm??b_z70%YOn<Qb0F=O@R!##XSQss?wR+8EF>Ln<TKAsg{b#9Cv)hH~oDU
z{bduK;6z&R6`dM=?5$`Ec#AkXU&1>_t!s99E9%~^I@!FI?=Ex-=Izvjt#t16&LggC
z&B!zeOLu-ES&9f_8TB@hg(#0)S#s8!J$t*Am%qxur2?D{m4%L|^0%JvpJxg%n-w))
zIag>Eh3DQK?n|OhUEa#vyGrHY#H~+>X3sDv{<bUdQN8aoP~*w!Qye_NbSlg7@&GpZ
zC#HS`$Y@GF318-Ar^023@`kI_B=PPPv7IRu`k<@`Fu8q252-q5^cB=rlY@8%VKN7?
zm!nhW&AQi8H0U#dS(idAC0#lFhlN`faqoX8a#*O?oPP>azQxRj0<2m3nSR*y6cub$
zA<?(Z%SpYDk8zqm1=u=I&@~_M#cc;9ylpq<Zs$&cdk(Jk_j_mSRI2U5hjlzR8|^&;
zFP8tWPM1^wwRSMqM8}^R>XxF{jHZu|*))u(b`T2aD#*@qAMvicqzpF#njc~jn7Pz`
z-YE=51mnKoFQlx|IbaKD(OHv6nHS#iC6y<~4qsULFpe9wncB@1{WikY0k1qix+`M1
zMd@aug4mAeJu4}`_{?bfHLo@)dnqx%zgH}IBWnXg%yiDVWdbXFxM1z(ry5@YZ&faU
z&hA!@u3ATom{^L7e66@kCF(R{y-~;+*?HOQ4r-c{G62+(q>n?%Zx}GPkkmlzkaR|S
z@Z4x}eXO6VVf6xl&_R_<j1qR6MZ-xGHxrCPwqDaC>S<_yQEaAV2zU%WhyYMB&+<>Y
zERs-hQ1dXCcLF5$eDlnM;15&9&1O-(`Suc0%D#cueh8XF>3;|8<0w+u`$)+2uYi2&
zJwJ-@{pCMZ|7Z651Z0p@mu}pb1;Oxm14n$E&L6mUL>HtzavH!9=2*!*2Bp*Au?o_b
zfAu(u+ypH=2?Ui)q#&Zbq(|Tb^uTZuWTk|Ju%#kxQjqBZtt36=BEgM~TK^eZh!OG+
zuLZ!ziGOop*rZk&_t?wof6w|E@B--Q{*n|Wh3SYz0e#^&l24#F2^%<w{}nX<?!BJ>
z4(dmY-0x?sX!KQ<xUn7wc7x%keIO7WQIC_r<>SQ}`+{Uo5afO@u$iih1pRUJB?Xb;
zC`SHV$d4AmZ%`=x`DLe$i;yZCwDuK;voGqOMf5~MeBccd|5lGH2+p$pVoP6U77C6I
zt;Z4xc=hHNN*QH8{?GbQ4X?OLPDaQUtiLO7irBW8cR|$uMIio`xy}^ccf=8><HC!B
z3tUBpoX3M${^AgipaLj)Lel^rLYa6<7)sv`mN))8&|#BFpc?)qpQft1aS`&EK-&LD
zP*nxmQT}JF0gf3%1|29p;%s%S9$Y}drCCvML`m3HBqjDzTi-wUsN?Jliz&00dk7!_
zXeK_$|APW7!I1%fA+vuefE%cn{w0W?N_MOO&+v9yDl~IOd(`Vq{A3&OjqR=T%CgQD
zvM4??r8ND&^&&bK4k#XSkZlf>M+@j(Q4K&5K?>Gg%PMO4e%^!?K*CyJM!*8s3}U)}
zCSq6#5R+iqYW6<UD`z<d#f_xazlv1NnKm9Sb8oiG&G#%-Q`2}C67IAl)0ojK)T}Ew
z8MN2|GwSr|wSK7Xt)R+Fs?iI2&ott~!@NLl-djw&bN&Sp(9fR$_fN0%37a!*k~tbw
z+ofA?c~1M4d^zXab@)EzeeriZ#kJvGXVcsd8~r{F#%meWW@j`NL&93)^|fM#1`Kah
zJH*jXw7@PYM}$QRT^V7(KIQ%Yc5Vt<*tVL%mrZ`!Vl$XX{AQM6$ry*7rtUW&v;3OW
z_!@L##edeJMEkBQMn7pe7;CI5-n2Ho?6j+(z0EW<e!mBZzOwXZGUW$f%eNTplk6Li
z%tc3cd(L%KOPtrJXqXwB8ecXwO>F{xkBEf|jZ%^Gys|iMIOYn9DM_psQ1i5bMGIo9
zQ(61TsckGmuwE}QwJgcZ($Rqtxdo8GUqgyG(V0FFR+hPMaG1(Z=)ea3OHE(`5)~2=
zcX^+tog{KF<$5nwp}R3w7iJE8v>NI>%KgAyIIha2GFQrV@oEP+w>4rrkTxmvd9Z0_
zr+K(+H=VnNH2bkjev`y{QaZCVG9+9+jufHt><>kqGBz<0!3Z(SxFFyb-xgE&ww9CV
zv6?TpPaBw!N1mCt?z-J6H+tL1JAG+<H!8VZ^6(mZ=1WLzdz@yD#n)Uu0$!jEkKN2s
zmGkUA6a5y0_FYJSO+E$E&mQe;e}fBa5QID%F;vH>5Rd^_w0%|J0_wZ$)pu?ScDHS7
zliy4vx6Gi3f<ODy{&MCp0SZ%&_i&_;{400^!zEfY_UT7#5=Z-QC7Z&71jwBtEUbqk
zDdpS?2^}h{!ooo7#!>Ca)PNOrT@GySH7$Y`5LCq0p1|LZV3$TM{X2>I^Eo8o<ZymF
zjKAOHB$QsJ@DD@&eO<j0BtTb`Li_*RGWoGr`x&fYpx4yRV$#ORL#UADk}WHW9yp_M
zQbHIT?~z}`x_N_7B$!W_N4EDHi@IJ9mMrqO=sc~@7FdjxaF=r6H~3m?!sSK17*ZS6
z%&o~SrtO+zP@T6GQ2C?X-mP@#-CldbnOSYa0RaJb4<Vs_`Nfv>_GFYX+a=I2Ys3ly
zw4@GHd}O3i5%x2mg9&`c6PM0G>)X=_jlc?TOPF4uMz>7*O!hB)JP0ovCFPmYUwfZ0
zwauGcle4StWpy^@31fLySw;5L`mn@gm*9cz;<uRsK-AAIzA`E5LN76w*&I9=dqBzE
z&W~bRa+|eaXrUh{M=6v2btK@>oUIjP)nm0g+dJvY8$(i>fn#WmD@ll9qz7D!#0u_j
z)VXH&8a_=c+*5SR=YngRvq!1-<t4Whq=95D4^5^*;oh6WhK-(K0(x#cXuS1!=}0}B
zaoT{UZ(sAaaxNK`dGLvF#ZS1GTK{-pN31M{5^SQ)1^_;xczeaiq^Mi@i|;v%R+r$`
z{nzw0dmaxgCWDnbcgoexKx(azY>?-Cx~WPnqf1xbhyX{8&BRP8(djekV_%|PsE+%9
z<(j3WaQZ}Au*q{izbYaI`y;%$g3gdNbq0~OS7EJj?9!b2WHe}ME*0%PH_z42Gey4o
zROm8)p;@s=hx?9RT>Cmxeao3&1b$46CTJoR(-l$aYx7YYI--2jx3>!fQ`<($9G#sW
zIC`2Lb~OqnSomHC<+m#orYz8Ca_Ej02x7l7jx{O+r1o`RmZ6OErMA3xkm2sgoRpNd
z*EzxP&d)Fx?(Nkd-)LuqDw?CNmVcv0JGba7RcK#N)HQStl~*56W%1V7QB1eR(*Z!`
zyW)97&p0g^Atnz2UoxZqTX4eekIPG}>|)XVmC-j!DoWm+ImSAB&K!b(;G3pSDw|hZ
zsqdI(MW|FnU+R)j@lj8_3F~kEP(Rz`X8avdVv{@cwW`0z&Vhtmd2da%2K8X(yPLS*
zg#(N4^X4LKA{6LlG!Ith`rnBpq0t0jmk&S`KaMn0=PKdeF47*8t3pmhWhHatJx%u?
zxou3|On=x0&XfZc$#0MnmsBu4Yi`hq=}J*CpLjUQ*P<iu_ehQ3;A}ujZFrew=u8-w
zigO8hu5ahPnb=(fxrku3U7?3t>CN=Vh=(KTnjL9=2VToDuwRQ=0o`Gskk|lx(J@Vr
zT?YI0TR>6>_%18T1AImWs>~(Mc2uNC^fn8mg#=3PfBuin0Fe1>Gymn2>Jl^H$3AK5
z1VW0IuyE!VbyEpPhP;3v$jG4s1c)iz|Nc<*DiO@;`-@ZH$UXxe!I9(vK(|Nr*q?sW
z!Nq~b^a$)cV}`WgLOd^AqA>l57k;{I@hj!T4wWYmf!MnM=mH)HstK-uaH7P6FfkJr
zl0#a!@F7*z)0QzdRg5-O2NThH>!nv}0#@BT)h*(prF!?Bre7IM_kC!XIViX4>Fp&a
zBg5a^=^q{S-rKUZvBtariNK(Q7-${*9~Rf6P!4x?aG02w7y|9gZf@c(j07cv`WhOv
zLkyN+2SL3emFPxmyLVZ+hg&G8A0d1T$@|^8%~PUkCXs`^qVwYWeFs4zWQS7I%ZKIn
z_w$A{B*w&Z2^dnFC(B({*!FR8CBUN4hMx!GrM({ofC^^xR*C<fTUKF}fj|q*MKu~A
zml1!K-xOao7*wFT4UW3~E)oxf<X~PDsQrKja}FnWcX!Zz!`^7L&#e0Ki&o7D9vKyw
z4!9v<li3?|ISo%A&&{|uM#pkDrAue%M;eP=)z;XJ?83uU^w&`7!AeJ;>_e~SouKWW
zA^Zj(6%&=JacTXMgHC0O>4_YjO!)LQ(02W;t!;E@D5-X8Y6>)xf*Ng{nEfMHS69$>
zD<LsBU2`KgG*s=@t>v{g=}vEVD=U6U$yofGH*T2DfBp<5?GXD0YN$^mSitH1mqKyr
zB0)cO<MKNdt|G;)c_)cRJ<xuyqM~y5E{$X8UBeo$s^sKJFtG5jo1>u%)aEde^&6X;
zVFEnVHQt9(f`Va>meA;}{qYyb40tb@=%GV{&T3Ct<$`Ug2S<w!NgQwYh9R@gtLWIn
zJ1$Ah0=xQi70elR73Je)y;EC*uj_d4ZXhR7#bM&089o0HhsZ%z7FP(=Y!w5e;GH#_
zn3>M`ch5dYL!%w~ALOA}qeS)x8?*W+O?H+nt*s9iPkcJI$)n8j_elZw6*#CXYEa{)
z90B%IUR*5i6Undtpf^EXU0vGyz++=xTX<`0#VCIP)T%+vKNNBqp>pE}TU1ItsF9mp
z=IpmBiJ{%9XrQ>NiD)&m*$bkYn;5XB8;~?$5yKpo8lAg+u$fLE;1*=ncZ)wIXWr!?
z8MSkGYR}C#P9}dB+nledDeb;74@MVYjs-0AMR|ELRxQwIPEcsPSAeQ{ao{d}xMx2=
z2adHG^o1LP?&5RHXFpNn{w)*wy`y8@EB{38HUn8$8+Bd*Ek2;784OW)thI=|{ALN7
z!r=vGKs~;ODkg%?Vj#Uy(0R^FqHSnMeoAJN^WJ?28uV-NhMEYiUMFwC>m?1E(&&SV
z`MN`~$uVzb$;#c<GLwB}<ff&Rle*t!$(7Z~=I76!^GTmOcMc=X;hvq7v$@?I)CvQw
z^EE%dMG2~;hPCpm#9dK56xlhvARw^27pEK~!^H<nZab7dsds?&LqBu1V_%p@hhAJ<
zr1lC84So6YWuIphCeq-G!1fH7GErAiQc42l@T8>kIg`Yo;Q<V;XyCWSN|=-kYHDco
zg`NRD8q3>;OZ}mWsUtx12HCn2G5}Uw;YNXO4A5tu89P<8r>Ig{Qlj89&y0Hw>Hqrm
zYcQk{e;8&zPYlZ-HSg-`%5CnRx3_z25C8&<YK6XcxuxZ4C-*%v#f_nh^E;7O=SHU)
z4^|@9YbKZvWEbzd`ptb!n1R+!yNfIysEYZS@OWtk-`Q)@9|tY<4o)%<&xHY@0iU<j
z*4EaeW%hpc#YIK!-kC_`m>-K5(!2e~k00F`nltf=66tl{k*;PY-<q1rJ$Ic@1f+F<
z|Na?Du(0+`9|;Bw4)pi3yIhIu>CxCw5%<3hhD3y}zy9jk+tY(~jHL%PXQ@N|+%B>`
zR9`r+=E2^yG%sD<!D?hp-(z97Mw8YgctP;RJb~qb;o)T83l}axRctO$n8rUw6zgR9
z`uaY!o3N*$p^@^I%nhmt`IeWe6;)bY9rtXIjunNO58KwS@rqqnkJ7L9h{9mit4Z$@
z5R)K7Tmg;Kjm^TrnGK<nWd~)bopDcH$M_7RPs*1)^EwVjSF<J;T8Cw=moj(#>;|PL
zbYi5K?X~sGeA!>Dtk~|DFf%ej4GMZy0B-p^0L5Z{m@urzEU|z+zq$M+Xf|1DKAchY
zwiAy9W(m409>!v>Ru>hm&vs|Pza%(~Me+p0!5mU#VN4aGg&GY8SEAL<yo-x_B%jT!
zkEesJF;%XI@S;{;XG0e3b_eQ*Q<(?(uarp7*zI>J&yAX}c)hhP$a%W4L%M6Yq;+T!
zSF{{3zUy9m=&_%R$?9C)K0Q9aNj)^TwvNF(1hX_#Qz}YwPB$3iP6M*(Gx=vgoq^i*
z&){zREC(L8Dl8&Wz>DH&!J4zJ?FtG-VgCa({e$LGq$>@WOfZf!Sn7wp!~$05bB4J(
zS)lXe+O=!7f(lQwA$*_%227?j<Uxk}`Y1f=&s+t5W7)1|%w{`U8VLLA4od;~Vd_l+
z>F~k%ni}^X@`>Z4hLT&OIZS&kMRhSbObqVrJ5Q_AP8_MzUtVyWkPxFPz5iM2%UvCv
zCaEYn(O8w$;mpj;uC6=g8I-24zFd7ZFfyV6-2nqs<Aye6dXkcoN=V>1X1=Su6Rnk!
zN{(v{+^ns}WlPA2vGC(Wf>U3{KV$~UZ=%C37fmEl>Y%3d#LnQix<kJ8C(xbGvN7YE
zBBsHxL%$3^Z~KL@nh7Qi2d3d>+e+*Df5Ms53UH*47h9`UNsZh3jWgfAeVd<~voJL!
z+-rOee8cdtzHu-SObCRcY{Qz?3SS>L;56RUPPfG?@Suns@#srz<eKs{k=@U@Q2aql
zEvbpSafiCqMd$#ZQ`;<d<kI{HJ5g63xDM`GMlCGmldsV)L>ly|N*7nr+c81CNedqW
zNcktnjYU8Y7#AQ5>uzmvlDh}{?&hGq<(-tLo10s-!*-;h*L~?>rNpm3xTEhhpwZ%;
z9UTYDe$p2aDUE$1PL%TmF9k1OHmLTPu`4ru3fgf%c3^zg9Cd^kfY;u6O9b1OeY13L
z#pTL;hA^6&?27Y`cCbx#b?PAovEAL>*&1UIYT|S@_r6DjS8f~E%%Q%!x6kb~F!(9b
zY}5y3BV0EtE@`@D?bl2(jab<}o_EKel1%U3=%gtg={J&+J8kp_N(MgVvuFr0W^9ag
z_iP~?3?_lmI^a$f9%b&y4T07(E33tH^;970HxiPkCnqPt$C*{t)hc8Q4&oxh!hNx4
zUzeAQ#~-T9DFiX=m)e{?cP_cST&IfR5{M!$vgPp30&n2_dQ#N6H#(U$GS)$~XoAUz
zZ1eaiA!V&kXjE68v$=z6d$J3uSIbL3{6MRZS3Z%o=3VAtlhZPT;mxa?l(a*8%pL0A
z+h2@ZKjahNQTo0Rk*G@QR;f^v*Kuj);5#BKcN?u~bPD~B12nC*9M%QQ&zXL*cX1Jw
zl2QpsNJtQ|9)Si0G9E!2zzH9v>Gl41kO6qm0XkkpTy%7~^Ac$0JrgV1e((PM??KWB
zeH|TFO*BTm4?ThC%b2vsz}#D7>dfm`Z%Rr_MWv+=fv-ub<UlzD%Gt+Cx;xq0+Ja7_
z)&|q3Alyp3EF+OfR&H+pGaP(85)v^}Yzjlb+Y*`9HC`SBbAWDcARtCXMmBgA?`Q!@
zu{2vAexI!kofPrm@bfyT-S&RSydT^&swZ*5W1&xKYoYL7@2s+$Ir$DVdSk=M>3&@C
z3*i>4l1|Qo0^h1CN%4@ay=}o*j}GZz6`}OQ@rEFbYKp(v4RJ@?iecD^{gVD1ay9m4
zzdOSF=Y0&%feujXrHSLo70~&5gdWC$rA^-s_*wU4KvcVL@{3_UfBp=Bj;CP-#4=Co
zt!~(fFfH<vCvz(%fd2twpNdG}edpIkmt~u-Lt3Py#X&olmyR(Q3d2NWurri=5zk`q
z6=VDBl2cQ6f6NeLRLSQ#P@Qu%`WLt&=VKfX^;^%b9~vFpZ%!Lr+-VW$b*g&UX2R>`
zOkK!^;%IP?mwDtd*+jF^$x~QWxD6nNgZRqcw!QcYYjTRWl(Kv(Eyg-CE6Z3~1vAkY
zR#;e=nR!8+Cc(ddY2b?c#_Lu~^f$TfsF)m(bxp-?A$~LJ*kpw#ai0NsCd7-pFz?s^
z)j-xUxUf-ku%2_*tNQT3J+<=;4+<C^fYBV50Ld$RL26R3l@XMK?)v=vP-t`tX4@Ld
zW}Q+$FhJj;^7LRlNIE~p!!-D0sH>pZx!tDaElRY+fvzaAfrRiz6@O6M;wtI4GH+MY
zUFiZcL31W97SIkqKP<TDIoKXPvw&;p7(Z9xUi?X<2KX{)bSuTz(3$u~uN$0qko}Sj
z^Uz0TX8z&HY^bEKu+qv(rNc|+x$y@n(@$w{E&y!vktLr9@arHkKdLKW)m+Ya7Iuh#
z7IYpGv?XGhyi>sX!5qxy;;_-Ew3dd3{6-34VaubNii#`S(q2u~S;>p&x$pD@1OzNs
zT*lT$ufr4X5Ep)VkdU0`emaeb2UTJ<933Bjm~YSkki6=SwA@xnlwTPsS?G9!e)dw+
z<HJjHx#$2R`_bK<#JO+Ox~ul?lLVUMxpVhZ*QWi7)q{Mb<*q~a0jRz_3~-mz0}3A0
zd}8_L(rBu;R~nr6unNqGjz&7;o8IP9d3VpSwDq9v%AfQF@W6NQAz9C#QJMOe*nq)J
zZjs*5jF9)PSK>f62!;mL$hif?F8N<x58i0kqURv0wx1>wTLD9^v~+ZLiD5!tKLK<P
zTJ{*|>969Imz8aU`G|QEc;Gcngp<1mANyiFbKk+5<J_n*%YkR>_js$p#X`{yvY@@u
znT?{?<(Fp}CtAF#tan!s3+6>tGe*n3ecUBBs6)hXQ)q0gvd+9yMObL)RlI2V$?56c
zKx$L*jD-Fy4c@G#zCNunc6`czV|P#&1H(1H*bGn5o`(d#RVP}LtOVw`FxNOwiHO}8
z5g*_h5>8d!?n5@r#b~W}k(cq5#}?schZqOdtq*F|FE87em~dH0yRJTa=HlS+CRRH5
z3_$)}y}bqGgu=qY{1+~i>hZ760{|ToLTQHvow!cp4PXKlxGc{Da`t@p7PCf&MHz9G
zu>B2}vwz3s*hUw6tW(E@Fmbz)6cRmw$ADxJR1vT-5qly4^nk>l;D|9mySQ_4wf`#A
z0cL_S98CJjX#PdIf-}W(A^)~YT!e<tZ^VOTb^hb<|9TW?*8o+wqbk{vO@pgt|5u75
z?Icu(w4C@S<xGyivM3P%wgr>?W-)k<m%wBVN3!FA?HoPhh<gQGaT6Tbjf2>bL2kp5
zLI34R|8|!D3z;Kl%!>LM`PG0BpTJqb3NU~0)PH}}zYP2Rxqr~7QBa*AUD0x>!d{Uo
zn1#5Tj;x4S$LB4>JDVSb3)O4V_UO$1UOqY!7&RY4Wf>GVjwv65S8(<f+JO~WiDU&Z
zMGC5%VB!%QAF!3%G&wBoPJsp^RP=Jk6{MeM&jk81D2={&{5!7vx(-lQ4!$K)6sCgU
zTYo2TkJX1M{CE+kSW%CNkMI8*LId4%0IgW^uW1NjFOHiZkE7Pn-9I0Z?Nn!{{=q+D
zT|6M$Zv3t<kRycEzj6Jh2m$y3${@}Im|HAyM+rgTw*x7IDaN1rssQ@MK5Jcy|2Gx&
z>$)TM5uEXW68P4d${zf8ZTj~ubU@!1iVKghFzWdJ$GsANlN%m{^!=|=A(n+Zy8ERt
z_&9B#+>32!v}Osb@IUk-k%|wS6m-(Wp=6OQr`Cx6p}*K&V<|dpbw|eGs1kl04#0>i
z5tROt29U$bhKkC2P)`2Sc>a>s9LPMe()uR{iB;R%pd<sTC!l%EGUfRG#|8P{o5sow
z0rx@wD&_t(&A=PqI8dd&?353r{!U*+4*O&=HOGzg7i#sEFv|3g+A_}D2})N{4WwW8
z9Ii`<eNm5^Gd1O+GJEWo{j=tUB{>KSvuAct2BVnEkJ8=mG7O{}9;-bJyt4z;>ab^N
zSMZ?d`QBg^nD#|%4rD$DHFSG8glPzmieW^B7||o7t{zr<XiL3f_TZvJm@L@!pS4O{
zLKxvwY+cxq6zZlL^RLzb9H@@?FD20Fg(Ei$iT;OPtuY|!z~klseO$zd51aw}whwHQ
zh;7Tu!b1?B0K9QT;B8_CNR|aF%ALX#`>vDY!|C6zEUGHYaV{3lVqn-n&Rh0x@|8b)
z?7~?{-F_NdXXNN$T$J!3SN(vU=pkOp0-ibhKPdVB`b{|d?9(M+6;8sRYY2d9rt)4%
z@Pp6M6Jp|o|E#n9I_E$UR+Jj#*Mk3Y_eUlV8cqQ1|DVoY;oOntV>4~UuiO8Zv;U=W
zplRYCa>24ezbqdH=wt$fFbI>sbJss?KM4w{N>%<BoBcN{1vLVlUP2N~M~B)vosO=q
zj{-q3h=M~jpAHVZ03fi*dGz<h=-1W2H|X4WhF1=FmC8zw=C;;Wm1Q(eYn&v*5Y5x(
zNgXXM!o~G%12FM1ILI)RLH}o#aU?`wZ|$e~Ao~Ef8rwKJ3W<o6<mN7eL?|pwq4}|y
zS((#<j-p~C7{)Qn1!)67u!4eX?THF77x3a0>gnleIvN@<Hv`_&K!0-|3<SVP_LKV?
z8X5%jO5v6|rK@mCfGGZ6Q)mVg*9W%Q$>~Nv#y!w!pk7C?$#Zp=QXL@wpMLhJnIX%f
zkPzcf&DF7Yl9Uv@I|LvDx2lnunHk*@D=;e+yj!lv59Sua+A%OEOUnRGR=*T89v&WX
zaq+YoFajX=?$maD00V5RQ&l=dS0c6*ytXEuGW#E%5Hu$~ADH^~`dxi_1jZt&i;TV^
z53@ZVm4qsDF|(L4^Bg`i5OkXDIKCX0HhP3W8FHBzM&xk+{#l`~p=+zFU?RgBjK0g~
z>55)QHhxIIt*+kL-yancaz9V257V1ts0r068}$)lMX`di*RhsFE`u4Mh;_4j(eyV9
zBDlzTr@4BgP6)I<t}-)aM@TuYDt$?u2IZhcS-~zt!?ov}rBQ}T*^gHY-+QfO7Uzy_
z__ZeZ2dzcT^qXl4N^Pk6N>NZ9BH-A#AZO%2g$DEG7QNZ+$lf_g&z-_H0c@_&b)K91
z3=`A2DrN?T#9HvreRI*5(sV?Z+WZ(X9Y?jBE(ovQA;-n}?Z~?UpbQARz8Dh|X1y}n
z8xj>F3jrg@-ZM+g+sj^CnDhc&UcW{<{t(&DK2RWR?^Bp;<KZ=bRIkbZu0~WWe+$$8
z%5O71yLIWARPc~P<wAOf8O&lpr$Saln-xeE#K)F34&V?#prhm0JHN69*m71xiagLI
z8JXHF-I6{@6bGQDCYm&J49;bML|9Q#(RFM2JD?AXi;KZbOHe47F{`Z1ykaHy&#Doq
zaH&sm_QXkhMmcQg*&De73=d$rfnp53J{!UyZaAfums^uAMc6cZH6KhLU8!(bvD3A8
z)^C~n(B$$a*Pp1Cjzf0Y%;kzh7#?VK{xe+n2z`QBmJIf5VrNrrDu(AF1r6i(Ngueo
z56(CMj(De950T>E7}u{A*?i3h#$FWOA1;8oMgRD0CKLA`Wh+qeRE*U&a(le3*Wn9F
z<L@%BH1|TIPr2TA6TF24O3@Z8soJXiKv`S2&li641cXWR7!+U)UtH~tJJN{g2%BNS
z5Kt=5-JW5Il0~Ny@*!@1-YQRTW2@Z>|4t@r_g5r0-@*^)Y7U|bOQ*Iox_HfCp22W+
zZz~n47B9gX7qgy@p}x3yO_)SA{SMp?08Q#+XanPX1mW{N{m*WNPb4s3OyrffNv@#u
zjPJJ#Tttogvz_$RHGLLex358FkKN}8^3Ba}P4E0*j;Wf}X4)NN4RBjuZPBcuR0SP$
z=6{M5#Pl8^3bdr<KM<H*CY<Z)-@c3W#?*p{YTNPWEu03~500vQze{nJ0LzmA<OC2F
zJ^KZeYP=M17MSgt-m;1c2^R-Kkc0s)xweWjzow?Gnn@Md%bzG+mlZXOUDgp8kiF4G
zf&nAR)<dNsAbT3Qa{02|;!qi2<w0TsUV#%j0B9$FfB(wLN<c^fCI^K9Z=ZtMdU<)>
zy&Dc}4$O7})@MGoa>g1=2rBE{x&`M~A&u@BUlEOM4GpE5O{#%y&35yeqtZaW=~s7K
zPj3&rkSTXE<1GH)TGz1v3BWM@-}q*RSQUL1RW4rz4=WCBXJ%$LD0gVwEaF80y9Wuf
zLCz*9Z@{i!mXwxO4FG1Im6H<&FUYY6Z?>u&w&J2;W@1W~Q8O2I2b9wM{9`aAe)A>?
zDHy6!liv5--w`5}^4JPy<|oVf185iGL9+ONLv2&;+XC2heWDalAHXQ9bBHiszY@lb
z4O-XSh3Uuu@|=$k6u5$*Znm}|_)9}&f?z;30L*-<ne*UMIYe`wJLmf*7Fu3Y6JM{P
zso9wb;2OnI3m^cRe;#9^8d8#(+*QyluXE-O)a~BAkJEJM>}-B>4lXVUMl$nv;*Kv<
zl$4c?r4z2kf#K0CHROzd;3HsnB>vw2h&~{Xfgm*KfMSE5EKmx?c8~)1bDJ9_=j7yc
z`}S=EgAovPOmhKq#m;VIX_-}05}6e7cnbtQaFnpx%~5Y}8=H%lFJC3wU;ZvT>rgSw
zgXacbP6p-=L1_ZSr{?Bn8Hh5o_r`obV9-ai&cy$ldH?$&K#ny>zm6qt`vt5C4!#yQ
zPd*^suo%P^D}mddCn&cRj`{N7KK0V#Vm`|Xr#mP40pQePG|htT3w%*pZmd00SFSwN
zEK0v$GMFwyo4t2u>$v#+pJtJ0fD9n~dp;MD3t3okA)g;v@G&gNThcCcc_iZ1vJ=<q
z>d?&z&|1UYp9TTI-@w06KlW;y?UbG?Okq|Lfak5SY#ov(xak;gKRvcJUZe-!y+ZRx
zPVf`2{*}QMp38)@h<j8OESgBFL=0vHh6P!ApD)gzsI<#msNY?o|HJA1LZ3f#Uckzi
z!;y(pAPc;7<URh$9%Ao3_^vvSMs@AQtB#8kJZ|<JD8;sU?z;-En31ye?X7V~1qHvh
zLx0DObD6~8@R+<nb*`qWib-^Kc{$jV=FL@SXOWn<GB-&W8Sn`m^uQ~OerJqWSlG$=
zuSDdg7Q)H3vO;62DbR1#tTAk@$#%!TY9-OaW<)uvf4MKHx|Ev{*l3XV9=i}Ic(%q$
z(20IXNH`1l*vDJjYtz#E7;0tYYaQ@XtQt=wlF$K+`5GSXXc896fVL}a2_LI6gcxS%
zz}G+0FK`e{Uz-9&KtBP-XmDt1rNPv989Q`ZJD?hO<*e*od0*nftKbDRRqmTl-2qE5
z&Vz*uzhwG5-O}BHSlaJgAQ;JNt9kUW-#)p?Yc<5urZ&;Rip3=>aO?~&XrKYk4ZQe^
znwlDvG~%P8Zp-^pqIos50p*Fex%z*p3~e<$D90^sL$q1Kt0jxJp^e-Uyu7Dsd#a@M
zrPcJuN-mdH91vjE-@JKq>eQ)VT7nULP%T?oSphGBAlQ5kdO5IR@K=Y;uk_|Gq6F+<
ze<y4%QlZ$sZC-nwtf?qc0kXgEscXKTBMDwh;_Y_Ny=R;_PVfnMQN+-vc2G~y&`5dx
zgUCTer4@}fwXxQ^j`Z76n1yxrp-%7Q$g=%^)qQC^)Lr<u8H$p!l#n$vw`>(<jVWa<
zx~XI-$~M`T?AvH_S3;IiCYcsVL>T*4DQlP_GPdl>zVH06F_gOR|MPiXJa3*?K7KQE
ze&<~0+Rpb{&RzC^|2l7EUf<Ez)jJjK*YG(r>HzUuwS)7s2Kl+(=A?Mf_r8xmFD0Rx
z={KF(JOL92C-GI#+)K2iq$CQ3qIc!hA||5+DTm%q94lv>-#ul}RbvMOraXMz;<LU#
z6^*NyvM$ST7$-k$J$|Rx9xv4!X?Ep<i|MqyabcmHyY=0I{Nfz%vc;3b=zyiECI_v;
zeM(Ba9*m{ny+`425jpAvT9l=JO!;etg|>fovM~2$-(Ht#nEO02>*?bJ3Cjfk9nDW|
z<h>~v4IEaZ-8<;lC*s)6Mx(>|bW*&n=gvdyCP;oh&q;=9>SMN6t2_Y4al_n)YbD0M
zH^drCAL_pG%C9UVxA?H5gPq+clc>s!9oVXn1AU_lL#ozUO+5PsKfSNZ0a25F0NK>5
zN&=#Z<P!;riHw60a8z_!mqH|N!iK4|a%jp<eA1+WTnxNq;}_o9azF8T%?H0*Ba-f~
zrpY|ME^0-m?l<+#EZZAN7Q7A-Q%lN(gghR7a0p8N0B=AGt6t)eqGTPZU%#*O=OGPj
zkl_Bc%s+~`wY)w1^Xv|I0!*jxd}5Y=b<4zP*?q~=WWFNzFo~?-oY?7HXhxNAaEgp*
z=u4ZQL^TvoR|Atgu`I2Vr{j`Sq9ih6SNs}&&|Xv+i`Z?09K150xvjv)yY&In@W>Ny
zze-B;jIYXbyMss1)Rd)JS(N5EC`6mu_hYUmOg?=}xbc1y>>{k{KS2|t!aXFYEBGZT
z{~H=44q@z@RB;kP17!0%k_Be}?)!cJ0h@rYq`t*$Pe6${_bq0CdDhoIP{{LZ)Ri>2
z6(DMz(q9?&KPmC^h5vzX{kAC%z8=T|)02JIUL9eJMHZN~Z4rO{luJ+GUkaI$$aawm
zwry4nc%F35Zdc~w$tK=Q5uxZnw~FeevB!eM+#Ugv>RJ^(pkSGhw8pXL?FO#>#_9wW
zh0a6k3PjdEhHP4%@8aD5u$cV;8vzEny1<`623`bUz+dTVE5om33;zjQKEIOb|02Z>
z4oXIFP~wD&5a~-vz@MFiF%OSHt>sEd69uLVJqN%4X^j38zFhkXBnltWg99k=+s{N{
z2G&XnHu@*V$DbPXfDXdbLPseW+qx>M-(QKE2prm1YV_W8KMw8iHDu?yrBNqVx(muT
z26)>78278J5K!t$&qm+Xf>8>Ba^%tjIu?v6mpb8E-WKgYbD?2&tJv@Rra79!`(n|Z
z?{(HAtXJP3Siy1Vv8w;Iuz*zTA26S~*ebVTL5^KTVT*pkxJNE=QazMN4>m6-tX#iQ
zYpa26g0{o}hpwd*s*BMEY%F>AAJFpJ)K&_H(c6HIvZLYaaa5r3ita@aSbmo_Y4|BK
z##HRzE4r^iaAH*3ZK@QY+EPKSoQ7oo^;{s_dY!i~V4aQ{7#g}>SR%;qL~kl{;B6qP
z7#W~VM;)2cEzmd#?`1XlCU>ThZF^vCzmtng%77mRb(Q1r1&5JO<=GK9+}@oZ5}d{v
z`=s^acauuBFK27>175s}4T_$%DJyEx($VCw@91EsDN=)0JXlr74J!!z3A(z?RQ!<A
zFOd=546RaV(SpnvW;n$_ufrXn*jKBpX#Vj(^_72W4X*um28wQEpi3X|+PjUZ^lJ#T
z1Hj4M)M}#*9vk-w8@g?#c~9NqwHhOFR_K?!(x7JzE_Y@#qcn?V-mykcM_(3XRb{nR
zWw3?Lu&rTIzfmw@U|4pmTh8}>-mQbjn4gx;HFElR=t8)88_nIHb0Q1D@tS8LLgwoG
zeR*7d6-Fy-T^kkJHwRGQasE`uyXRnB+fqt*L<+u4WfUm!qGIVX$fK)|sm@&P(SDb4
z#){m>wdOHGq{lHPF`u(z_;G8Nfx;318e_j+6J3$t)vyOVwPeK@ztLLVQH$M<bvJ)!
zi0(Z@<=QkS#7Lu=D#8pD=!rW6lp_ee5N_3dx|KDF@G`v=po#!&0W`~#HJ;jtWD44_
z7VNkU`L-(p%L&%96`}L{E8&c;<MVKtBqyz$!z*v?WSN-u1Ug^X*N$dR7tgno{OE2O
ztSDa~=>2nqR22$3Pl;s!{Pv?_E-9$ryj)~w%9V`8<-wLfeYRQho6(}_g6ZZw@8o2Q
z<Hzo`Za?<-u_J$rP3$>|_WE1?v$xvqD|BzC@8#etS$j}I4^A8yUwqi>xF@{ayqTxR
zhi!LeY_|Iq(?bV#m(2d{rT6#P<G8|N&w>WkC4P$!XR7--OKdu|(X_2r?bw?l3>ak<
zbpKs>g2ToQI$I<w-l1zeRK0pgy$Ls?b(~$E`9Dw2J%f}N6WTrQIy7DvH2T)lz{L2}
z-+GM`(%qhFHnGhM2ht7h8|{@*b`J*J<woG~4{aLU12KwA+iT4#S?kH##OWLhR9Md4
z3_BOL#IXFakw;S(4NM~R_w16?cIdL)k#TU^dRVwJ;EVrE-&g!V`<FXO6GVMyTj%uL
zCr7rPo8ni?SkOo7N7Q4~M7Ko*@+ouN-0zjNos=J7MNcQKcn5nZoKfEnY3NXg5TD(}
z&LzT`yDwvp48ET%tZH$jV{)`Oo;6{4w&unZt|rpLRrhn+Qbl)SSp50ejmh+M6;;G|
z$<5;xLjKo~4x0Zcd(Wlu#~*8oG`l(fd^y`ggICw^G$#wMxQ)c3)9m?nZ-ZFJ>B5QR
zDM!!bmt%9NkXVZ%@lZenYg-rmMh7MXr|*)Jah4E_&ljf`2}Er(xPKw)g8%G7m1)iU
zyKnd}+lUj!)9whrjS9KItA3BVnC4BGof5t`I|QG(nYLr6G93QG^AoDN-krf?>vy@L
zD<@p<YF^uD%(zh3+{sM}4slf9uf=IHKc4HRXB2wCZ}GtVN!82=o8Ho;tQ2RV44na!
zqjK^G&KfO^Tfd2VaB?s;jbA2XQukw6T^j!pZeDg__j2cvSIoDZMS2=XcO>{c$o)~D
zeLs(^5;ml4Z!;7*2zyykML*4}@ze$(F3jVsVB0r-+SqpC*0qZqPfKI4Ztb6~{`xS=
z&CR`q+u+<eSw%%f&#dr5K~%$%rkPnMWL}kL6s6_n=4NELI*VU9Crj9Y+83mP#+Tm+
ze*|kfj@F9ru_~&?H5n<Ds<vHD81@*OX&k$Z5Wg{qY3nXR&W**1zG8~u+m&Z-S#q|T
zm86w!RE-ed7BLc;xBK1GINx5BKW{p>5jlJ(Yen#Rriq}+Bi5C-Hfe+n#BU@v2i>}@
z<vsUq)|8{9FI5Ar^%$Z6sgTy$T^ZHh-VU9hP+2p1FDcW#J&<2iwA@8Dx$NM;$H^&|
zGc}BhiUL?$J2^ub$@S>?x;a;>hgia9FZhN%oZ2I3bZJ`EG*o)Dm|nyXy}Z;k{ACBz
z203B(&LQ#TFIB-etaMDC#}~}iHHVM=<$BRtT)DRe<OiyHI&}o*^BvnSnb{d#aC3Us
zGGFSx+exgZ^>o8?U*xevp=K}sdUbCq(i;`Hb9vN%Ih0=BP51^6EBBsVWda-8Hs7Ob
zV8k@`z=3$W`TdVk!HXP{L6JzqQ8vd-ec!&B+Q|tETR1wNVkeWyX=!N?P|287QBi>g
zWK2v<&?7z=yEM{X46T5cmI|9A?iTsXK6wR}5{EaO85$gngcIkE9p#UB5aKmoA=U8g
zSsWgpS6G;QShId&a<Y7CxUHz><Hx$zWZX4qa)!GBec}xuLpf#eqNyo5SdDjgjl^ZY
z&XT(jj2V<r5G1r4&=DVO*S9-NM{IpTYsf`ROVUouc-#}-m5@Z)_W8YPVNjK%k34N}
z9lQ4tkI6l6o5bi0dTYk9(CN60w1TND8Vh`q%&hLm(%7T+s;ci#NBB6lmUm33Uj93-
zQ{YVZBx7wq`RbHNaA?y-@>MfnmuEe3br~n3I_s3W7g7_9>eWwdn>r!Jw`gAo-DG(E
z`HMZQs1j#+?_q&+_wDzo5jMug%|k=UU6;MQ<{%Jt^yt-R<FNeGr|SUQgv8#sD;Zea
zvHI3&U+Ao6XE*ru>sQD-gF1v~7B<$_T|LnHt-BR4P<7!-Ui+5ZZU#)_I53+99y-Q)
zsu~E&SkwTx62f~pEHES_M5|US2D-py5sB*2l?ZiRD|2&9&5m8W6qJ=EWrP!i^M+ds
z@}P^`K#jQ``&Nwd+|4vrB)Nu}<n?qbM)Komh~q=wJvZ48e3mkKUgTQXA646O$OCmK
zz=Wad{(&JnBA*l86=>dg<;nzPFo!&KCopc_{7etf**mvycO@o8Wa4Ziy>Pi--su}>
zJ3jvQ&-V1@T^t-QUPakKX~4CsR}1}@mpX^}+C#Cpt}i%RBy#JvZ5e7B{x*%`nwpwj
z9z-lOACDUB77^-)N{YC$jECgLM$iMHul+{81x)>gPj^HYZ>J;13J@ksCa@Ro8`ieQ
zDmAF1_4TD6dd$xT2_jA&ma@D{VcU(ZupIEU00fnhk<l84G<B^|4SB5(ninby!rsB8
zSxLI7VPt3%oHhn9Bf0I!cHOU~w9t%fxc-&V4=nDI5-%w@a3?!El&gTcQk$Hcv>6n!
zw6ugQUSbVSo#0?^&q~_5YAQNjz6t~lR7)Fu(e@zFiZMz_MMUZ7UIY&_Grt|VzJ5=E
z!r{Y^*BKri4T;!1tgO2F`lu={&<%$UO#xh8swN9avCzFZ6AP_dEda^@BHp<nX#-#<
z+VFvcL(28BQ7mo%(x#JMyinKF3_BRC7WeE~L{wDe+p^-gZyDG}v9VG3&;4O_V|;Fx
zE*%{^AB=)m)|cHYbE-H*<{kL>4l!uccIwa(G+x8$OFbB9CPdY~R&IAB`G!{P<L#yC
zMMZ5RJH=JvuEpVn&7lAUy62hSm9~MXQM^v9x#v(>$kU>)sEozMdH2S1T!u|)1qJ7u
z>>wff?LFYg#>l#HGCA5UitdWB@k7OzMB){1@A;XhU8c`I#o;rG!d`43imAVc@TNwi
z&9If$;mT22USZCbPoEx(H$AvPYv_b5mIb*smi@j7Qy@U#EWw+FW2Xu``PxsNGd2zi
z32|?aYHMUiFxBj)*f9;AwH1hNAnGjA`MA4JLu~`9LH<EZ%wS)iY-Q0Pl4<SRD^?E~
zeKB8-x;<}Bf(#TsK5+y+&k0tZ0dsS-C!39goi>mqT-;2R3l+3fkW8s2qH33i8ya1l
z&VZ51as0A}FnJSe$>9*JfEauiS98kedfiqrZc^bClLZ@P`q|cOBrobuS8bY!0x!qg
zcZjM@wlMGsiH8%QwwOs<I;#W-?IsKu4|aszo}JoWYtuL<LYUo@&BII@5u<$FIAe_*
z;9%uBey43VZ^!oRs#q0;pK~$EELy(bsARt2D@2IVpPNY<j#b>%u0Zw0s9Oz$nq$hB
z%&XpMRI;p!Bzwk%)C_E0{`_nhDEh3>I`%d&@j4=@Bq$%%L>rkc>?c@d)@=W|#yb5$
zJ(fQfIXTKqs^?&&C(hB`JhDQm&uerD#9A)c{O3BqC?imWSNm6`Xzr!&-Zdh?UPu_v
zoj3+>2jVVGGFfm^MgP}&889|MH)y$@^Ai@gAYRGPNf&##fCu+OW&}RjLf!cP!=l#h
z+5i1|(vJd9?CkB|iJbGV{VF4$n;9>@?bQHri}r+n<BP!`QM0lK4rh*@&$ICvCp>n~
zF0{hf`nGwZf*z}^F%X3;<E~bt{XJ=)q_PSR7c4Elw;kpk@Rc%8OCNive;`Qm<MiUS
z@Thnx7m7zTsq?0Wm2@jauM*#s(cOG|o6dm)-91&Lk%@r?wHhh=o7b7d?1Ft3*|~Wi
zjE&im@!UCD@=cz~K~Af$Oh_Te!~VuJ4%)>p4+MHwggUk_r_n|oKNqIZw!PIIhfV%I
zkcW>*5)V}U;K%&{hxJ?N$jI!mu)o+kADt97%{lvl%(clz%~7hA6E@i2SH)l>V$g~K
z<5GG9>xR0TBZhpgpoI=`;9c-sEFo2B4>wzr22UAuGGKB<mo92vE-rl^K_n;p^_Cu>
zj37;wI&$-<Gn#e;IVt)josM{d+|=9wi39FC41|YK!N|FexXLWSC&f=XA6a#4siG9U
zbZa%x_(SV?h1@JaKuqU2ewT`v!%qYuT9lOdcw#*icE5CR^6mJlKnm8VsjiVo{EQnH
zwGmZzlN-Li-~Nw%7eRW3VGsFPX6ej&EC0Z{^?vTDHbcaAQ$+hmr<@tO^7=8=QlaJs
zTnuflm0R~*m8pRwn`5WtaP!M?UXIR^cZgR?0T-F6l6@PCd(hUnkd|J;ai~AMX?fB0
zbg3E-X~?mC3&JNhCFUy(>5b0XqV2;K^9h${h1)f+s$<J9YO)h&UYIzexcp_deLb%v
z(njyMV8DDc_8EMCcKJo`0HSJUY*jP-NSsPw!0>UqqVq=l8v`nLi<QSXY#tT_fdbvO
z4EBA?iXKyvg=JB9Y4x-FSFux4bi{4JP6(zqjCCoeH~k?nQ*Q+b0WMA}>?b3Fu)CY;
zh@L0QM4V(MS?Zc(=p0ASe|teoj?uy^glzD^QOsRJNN*J4a6y4gdO_vPj5=B&Wg_NY
zdf9B9ycs%C$CTqb<wS*AToOPGx}^I**Lo;wEUQA()@y^xob#wd94;#8USRBm4AxDU
z-bkf`<4t%}wFHtJ#X_=l9(>mJb$Qe^WHj>LGEa%qAkgw5g_eAiFKE3kdKc$h=iuXR
z+lG;g0&RB`?3?eGn+LPU{U7`%O}O^q6j(l5u<YZZE)1LsX;U$GBo}t)3zGy^&|*{<
zePtA8(wj|%Zr}C%!zmvC_ow)(G}3{>o;<Uw{#$iiRZJ;Tsj@-B_eZAymGG0Bwp;@;
zbvz5?vSJV`Z_u`-sz&Odx59a?9}2t{GEqqVqWpvMlb;ODWaHSod|*v1)z)i1%KUcU
zuiR}a&$q4b?I>?=WT70bSxdEO!6Ddc*v^eX-EjJ*$kG{iWNvcKUO8cnJqp8BA3whs
z--voX;oIJKC3f7apuF5)ul7`XervNq>%*AyytTNUXHgY<@2Eaks&rQAr=K1EmS5n0
z6MNGN=pL3hRa_*S{4I(2wSq{Lwrf1-m1iL=D*pPjn&Rog3Re`Nt;c+OekErt&x@Dh
zj9YWQ=fAymk7P`~?{vZc$BF7~C8$=X3l4J=TZo5G6iPA<7F4CWKe=Y#(l=o9Wk^#!
zUvT;0L%xn1znF`L#z;z<AZnwP(XG6c{g;Wd>p@l3z`&a=OQ)8{V>-uvbiCPx7@h7o
zdh}Y+&_`wO(JPMmy_MwCmvoPwK5^`Xaa~=<NY_HBn3ibUmaWzc=Q_W7`Z>9sIsZUR
z%rEA|iQ7?jL&_)4HAYued)L<23iXfQPBT>ak=S2hp&T}x*yIutD^zaD^7qB!@B(MO
zt%B`KE&TxvKpyk?!uG9=x@Xy=x_Oob)tM`=CYhXzxo^T5)f<MFG*J#eU#?zS=_S&c
zowwgPG@Mbzy~8Yd$@BO;ZH1!O!W$Nn^P8L-4}xR7T|oQ%VB^>bdW$CW`Or2QT6y8g
zPxH}XsLSOC!pdaqH)`@}^=QgezKd;0mazL+R;4U)KEgW=8+XZtv6Vftr=l3&WF4*-
zR$@8l&{8Nez4hdTI$qxG(F7#=oXVRL8{3{XBHw?*+{R1QTFX18*(Y-LNnxB}hiqq+
zOOC-Aqdi|l85f_PXDwtUMWq;rr8slwCttu7hyD|FA&Ti)X56(>EBa?G!i{ld-7k>I
zCgCwQe8r&>QOZ$n*Drt9F}L_JzCA}|SBUnsTx&pmj|X}><Vr>CC#NWxz!jc>4b)qv
zYhJ`A&x{NizKPZ9udOvvU4kpiiUn0Ho~a4@n{_-Pil@+DaG{&HrZ(+G?_c;m@3p+Z
zcQFKyH_FgnvqkmT4LLVne@X3m+f*_2u?nT`{=6}tUaW-J?1N6pHpLW&<j=gK?GoR`
zSW;Rd9^s6a8j6<Vc<@P4XK`-+QymFi8QkWU)rmUi?`o9aN^_BWm;Xd;maQCjv0We}
zRxx4*7Ze<{HL9xX0~YSJ!G;uV9O+rnsBm}QdHapTDVE@c4rq`pQ;ARi95Z&N{$omz
z7T&r=OeV#+V1S`7DC_%~3}t1!K#S+_k^Bp2t!Vd2|A-rPy&|q^7Geq!Vz@w?$6~48
ziiEgVuxAzT-Zz`7V_w^e&<o0Rd&cz$U+p#(YRoWmQM?l*l)^qYddpoX!@|21-<Xy^
z<C<2GWw6!AUP(hM+2-YGIwJRLy6MpvZ#xR#=wtUWAed;d5+QU%Ts$<bjT>ex7Cagr
z#+LCuf~m{$lI}Z)qU9cjzVDKPk1u8cmk7DgmwHbi4X2WP&w2W|@ym8Sx0Rf(n9@xI
zPOC^3x)VZA>~b}~lC79Ba5nQE7Ke(=jZ`bYn8dSK&77lkC>zf#IxYW5op)*ALv6-W
z6V|Y?39F?F8!YhoEsfDnsrOj>K~~1lax`)S<+G0)yZ39j3?6(#Zlle8A)VE6O-{gu
z3JB6*UnR7?aX}GuVm_pVhn11jp2eTeNOJOtez!mD0~ufIl}=RRVcXgLRW;M3ac;JC
ziu|`|&En#D^U@O%TP`~U*ucp#rPROZ(e*;xZwoK<)Rwl79V4d=^v<L-geu?blqfBG
zT!BzXnXX>lOjDa5A)#K1gb<wzf1kZ#Yi@qU0~B1Zx4&F$E*E2Kw`_`XC9s#CLW+$2
zW-VtUg&#2u-d5}A{Q4jpEqU=%tM=5L{nMw!e-~W7ZI~Xwo+yU`%F_Ii+Musjd|b)~
zA<0~3?bx$L$m`$=)6iUDS+N}yzlWB__T=J5Ua&mi{2S0o)4Zv#;}Z~GH65a8u#+2U
zzH%Y#0zoTM?I!#movYl;)Hf(;A``_~t449$FQ=z_j428b7U6_L^ZFn-i7i|DzQj#-
z=h&4@+{3zExLlu<oFW^$myYO9Q8uJ*OLU5uo$NGQ=i+Drb}6@~{QvFze)`-L#kRCb
z_SXt&a;cuW;o@fI6~#w7PPJ|OHc;oj%VW<*=yEgHRkpKtGKldPRh5rgW6<utT-m$a
zB^AZ?PHN<KjotDFcu(0Uv}56~0?t0pSWY9S=A>8FTN&?0+zJkQwKpZ|Ae#!~Hr8;#
zcTa~uD0A@Kk33lHTRZB`YJmsv(LkY|vXiT#MA_mwFZ8#WZ~0>81?4qfF)}i#@(N4o
zSc@aN=NK{H4b{jMCF9{Hab7&$_j!$QV)g8-Y+)}&x!B{E=Yx)WTI3iUC$}DT2%L7k
ztEB0rtN&#;<YIcoy|fURIs4DCd@=QlZAH_hRHOd8aKiOP7V}fLeDNX%-InW_mzsH!
zo&9<Jv#`qBiOvTYyDcpYTAK9bKshgEi!q7gBa0GolK?YsNazAA^|FphS=H^&T;EL%
z!XHg(R?O5SBKH67WOz@Kj}h}AUZlo?)-z(@tmr`M+nl$LZk7GRVRubZ3V$&2Bx-Ao
z<}bSXBkeKhkck>a^%I4>%=Z^F(X91y1mWPQkk<2C^ZiuVB}{VDr1ON?9K}x+UMTQ7
zx!WV#!EkDyOzPZBdu_<cmf#pIwA%6ah2>>_kD{HV{_=41vG5z~ubjwA8?7y^dDg%)
zpH=)*sg`V*=$I(!8hIk7-k>>eSy1h=6;o<OSkC9-H%VFaJfA1RsQa;Kc`DDAP*v9#
z=7Lt%(4PPL^~-FkiFbp+d~<q)yT(O}6Q_;+r|)<2U<^d?a=bPL6!|bgyrU45CO3!?
zqXGT%fiTH`&4x}*d;rK?@=*Z}KPxv(#0KA<nboimX?aa5>n@@v`Y>g)%O2W?Vl<q8
zuBd5eH{d(~x9G?cH*L;uY&f`=Q6)Cse&Yr$X_IXX+yf6n4?>Uu*eArnHWl7U@fImU
z>+p?pC+UFemsc$9pWH98nFDlYS*pKV@KVR6&f$_4(K3<m_I$VR<cOa4R**fdW!`ws
zn~*t@kfX-VI@DUDUSq5@m$A!Puj5>k>XU`@?em>Fs7bIMy<t^Eo+-B=^{17!<v~nK
zwoWNk@ga7R!{F*cdQi3KUHnb**<R%|P&SPGD_+DBL&9T(T`wmWm(pw-`Dm`f>Da(g
z+n>aFQ_q0WyNR7T{hK;rz+AhD-9uR9T2mjJ);*voFoFQ#@Q$B?^6SYjp`{}pQ9-kj
z{O(dTR`i_Uvy}(ldkJ4sXy81=MPq71M-)*(Q=XvqZ8^H4`&#(^_!;Wk`UmKp2s;up
z>CtA)<f<-QdEy~N09X|A)gdojr}eS4jEuW;WW1*o1*)OEXXVU)tz;3~+Sqt2IJg>8
zKXr6;G&SWF74_^ZEa9RG<(&Fj227>kD#hSTL(1kO0iFrXRO)c)X=zX{C>#t$u5fb(
zr1qFwoIH6FhH!UxhrH8F13+itP7gO1fBzyVcs_LD!UY_@t<X0S()Y#1Tbi5e4!H%&
z(EikLnW|{~fg$<{xW4bysZ$09jTIHQGxtbI>0R}JOh+N1E=YmRa%iirsWCZsPF-C+
z^ciL1|NIkLg`}nJ2JqMV`0*Q=qmWMy^|){aYEx5FXGce{@*SIe&fok;*e54tf<L$K
z?Wa(g4H1*WhZjdiMgY>({kUPn1{wS2`_a*1*rlmKylp*T&=)R9n8e-pU)Vu{9Qp<~
zxVbAmGt+If<HJ?KwAWc#?gJXeN6<#R>zD$F3Yn4Vr_(aI0ZUd=@|zv&4k%JLQa~CO
zmVEed*lR-l=xm@K8m_@iN>0{vQQ(Dpz((479d{t?JXd5BSPcdl0@4Nt^TPd`5Z~Fn
zIZRetOAD?af$GwliVAXDn>*b^$kT1MaHoffQ9V*#PA&&-v~qSnAT52x!9jBG-j@jp
zmn|*#$jCH|ZkHIh{K?)F>p~fy9n$8YMF_OCV6Ac<2l_$>5J)dAE>?EGpr<EjLllpX
zj~C9!uo#qN(KLd~CA+%2#l^(Rs^FTWw6p^Wz2i%|`Fj6iDM7>_nE2oL<~R1FnCc4Z
zla+HH#Q~nC2k!C^C%_d))6>&B$p<;8qyVi!!Mm8aqG(rQSkAiaP+P(6FL_EpOw1O*
z(k`+KVBR7U5=uE|`PPxIX8-|Z_!pq@fv#>ETp1!S&&9%W@8QGd#zsyyw(y7uVs`cn
zgbrT5eEH<b6X58wDG16yjj*%cye}6k3A#7{GZ@-sLDvk3w^Ttg{jFP@?2dRp2?#*s
z$jQpiboRM-O-@g1NkjOctO`PH&{aq?Pa#;d3Xgc@w}Ampv@|q*y9rFu>GTtD$%v4h
zFwmO~>cZn5#o0jB3bn{KD>D;V3LhPPGceGhC0Do!K7rdb)UCDTfj`O`-n~1zsRN6}
z!u`UKh6uvb2oaudaOH+@6g&dC^YZrYzEx6M3U`4)KA*)lXBQ0SFL`+{V6LZ6RotMp
zkjvP&D;|FcK7~G+nP&|QL=1d7OPF#*W}ASFjNn%`6+>JO)(p#sVh9K+0_%NNn#j-2
z&MqhzoMBLdV9eZHE*)`dc&C!**s-~D>_Sh4Q{eL9y*B2ku<wwF%}N3eaZX9PY-blq
zUs22xIH5&H>}COa80q<6kH8+nRP&Oc?Eu_u1^p7d5aQ*cHs;r`SQ>FchQG1}FoA<Z
z4GZbhr%#_df+4U_zf`b8oB$z?#FsCL{uM@Uu8MHIrjOk3YSX0zi{meJ8ze*Y&A<S9
zuY^2(64?#CA!hehLNh5A78X_#sHkP=_X0eYo}M1}3fgp7EJ6&9lh$zlpE5|l1RY}Q
zNV&UHs14fXEV((({abqgz;y@04Uli2oSY1?4L-HlzEH}Q%b;~YoERAy)5I7d$mi<n
z3aP1(2M@Qf>b@aM_B$?c<$-!DAA);R8m~1+DAixh&dW2JZwegSKK7!dL^Z)p!}`{D
zJ~jXJQ}cZ;wSe5<SbvuT;3cB+Zi09S7?A%(@vlf01>c}p7$(IPv$P3Qq)PRpS#<xj
zQ?Cyq$q`h`weFPt$IsXt*FPXYtRKUG(E)6H2mgwd`uXHHhaJok9noaH0r|HgAZBFf
z8|a&zPaNlK-2aFPL&bttbwZVg&o7$|4)U-6!6BC7<*V7aeg>9`N-)5>rALp>Fq7EP
zKUWU_dmLKNG}4{j6tlmAwf#IZd`YQf#BXu&DYTbR_<0zhIOy4Ui2hh{BgsXpqRlxR
zRQa2%uRLJVqkL?nR}`Rz2KaaN>r~FS%$Je?ynmHyws*0XJ{OI*{<&ztiI=Iie-Q{D
zJqqWur5n^8ukx^>eE*lFr#|>?(Q98{@i2-Q`eIJ@vR>lYsah@Efc#}|d$iHZNe^E+
zNHyhc>8!W)g<h2MM!(U*kCU{;4EC@vh{{ahcSxJnul^6*S9SlO)t2Apvhra4T=qi{
z!{it1Menz%=J@F$0p~@JR)IKuxjmXpLxYIZICkXp`psa#lq3ldd^vyF)}Q}_clG;V
z*yK0|RQk<}`BE+lR-1ouLH=SfUuE0YD2|f;bZ^Ho+v~$CE?|k8dV53NFRx2_feZB-
zvT)#J`iXDE=HVNNk-)L6MCVO=12}_}9i>^it&d%KOoMfye!9zpruq(rI9z-JH%vNr
z5U3-tkbaGz>i;Ii35lo5V<+lc+Q^7xl6hQF(g`iCT3q`{ioK_CgsABMAAgp&)h(X9
V92K}5pdT6<jpN$Kl8>5R{U5JU_~-xt

literal 0
HcmV?d00001

diff --git a/blueprints/apigee/apigee-x-foundations/diagram4.png b/blueprints/apigee/apigee-x-foundations/diagram4.png
new file mode 100644
index 0000000000000000000000000000000000000000..613b762441005eac0aaad8ae69675c3a0d0a9252
GIT binary patch
literal 33815
zcmeFZc{tVK_cmJFkg1TOjG?GZ5y`wOl7uAlRH9@o^Q@f;AxQ`sO30jfwkydj^E{V%
zW}Bz8wvF_CzrXif=Q@9!_m9&baoPJbJkPV9weEGVdp({v<)sgj(30%ix9_0LHOX81
z_Thcqw+}&2gn++fN!;Yzx9`b58Ockx?R3Tqy)=)EgbxY1c8rUP6c(nZcZtFO3RB|w
z=L;QcMl9Qfm1DUBUkXwXNKyQ_rATq)5(T~@a{r}Vk0%Hg3#C77g3P(6Wh`XgtOuJb
zhbLC`pJIJl_6##;U*vmq=IReRncF{j#3_#lFHc?A4^Q8BLVrX14j%TmeI^GH2eCiz
z?8B$U{`|U+h#&j&$$kn$?9Y98Cu+BT5+WnFt|fbd+`97EJ`^GLgLC`-{~P>&JqN8X
z-oJleiJo3twro0$$6udQNoUZa9Q7rAYwbEtupDm1|3Y)8C6gGt$am<zP_#xZnO!Tc
zd5T?26Fh3fzKs*LgLR@7lB_;(IXkVr_~CtD@xc_n22~n_-`MA2<kV7yyPq!id#x+a
z4iY#X;eKO^KwTi8KeDfvbU!Idj3hr<4sLTd7JuK;<;dP*#^>5CY!rrbUz8AEb=+<1
zFF$)q?s(+Y<4|N|^%XIKCxwTsIVHbP?3+G-yUT(w5#|t|sAy+T4>~W8_98R>d-)-^
z1LO!zR>><@imR%;X&3B7*L7aJc%h=A;v#nM#Jzj>P;&beNx%fB2c9CQi1dOb)-g(E
zW@ZKk22M_E?&M5}q1IQ+%gcZM{Q25U^mw8@({`#m?yldUIeLAeyU@{gveVPcYc6w>
z?bNALX=f0cuGPOweGeQsfT#KGLQdNQs;xO7WpAOVGyfbO9$r;-qvw&cb0Jw(b#*{s
z;7cWLZtjZVpFdyZ+;ef+2o*GMe4mt*WN&XjF)@*%i(Vkks2n)U!^6YPt)r&4l)G46
zT~}8}!=uw#<gAJB?BJ01`Sa)acq3<LZMONvMcD{zYwLP+!-&(uc<_x`E^z^YQ|G-l
zxVgCEf^Nh0(|yH1e_qY*;7aSLtv%r-yJ^$}16`czLEFuIL?f9*Y;GL%TDq^VUq<>`
zl{?|J3`|gcA539m^}}U6!NMS_dbE`YA0JE9tgx|>k$x6jDogI^>8YBc6M$BoC$=e;
zO2e*UU5nDbeIB$J>RZ~{+M1eUJuJd>G&Jls9O4X2OgvF~ua6!*N<~Gb_nIX!MW^t(
zjEr9$ouFCS$p~a@baeSi^>b&=l(%RqDJj7S-z6BX1fPE(>1AnYDb>Jm$h|B%!%Nev
zzy*f0I)$c@IqF(nUQX#JW;^-*VzQdGib^1cHAT|N`Ocl*u@tn9wsxW8Vsg&Z($bPA
z6?<S%5X>ug6yIiDl(ef-<bXk$Lw<g~FOvkfYYUhN=jpl1QEu(LljlDRm3)`N3@G?F
zc{WrsolcQ!wwV1R!)vGRg^3zx`u@bFg`i>ATx)68;^X6`eHqJ<E-o&YFJHcN>051W
zZ2*UA<843L)T&~4@`O@44Gj%RUW4!;9^H!1!)XeUQiAB!$$Up0$>&l|Qc)%9B^OKT
z3<d`W?+2g6>;DE871}LQ8yy{;W}>L*M}%3P8xmY+B%*BM=HXFoUmt0RRf?653p&})
zf#Bki2@E(?V&&-Q=u0p3QRnVgR{GV23I8DGJRa(encvcshW6k1WD3+J)vMWRxM+y4
zM;fT<gj#X@<P7IBR-7v%eU#tTzcS07Kuv_VqD^zd4H^2NBkUH*=Oaa5n{{84oN7Ax
z#acQpDam<##rn=ziXW}8xHw}g$v$1e0)J|jm8U#s--m@Iz33^hXZ<cLD*E2f?}J8t
zLjyY-o1}siuVCTgV=1E&RuK^qL07I?Sy|bSp`%wEpN8mi^-~S6E>4+mu+*}$vexHb
zODcGB2c@H_Nu@~b9(Y_bvZSWOP}yA^6=?ZPBPdY=vnWW=ZhJtZkIK+q8O$i2myPWw
zd+lscg=mqPv+5zff})~VNcZD7KM|D@ds$vy-ozwvg){vv`I)=iL9$|G*&~I#kw!21
zxj8u#?G*j*KX?#59d|ca`s#Ym#2c1VgIv)!g>Q4+;)p&1Gi~l5Q8D3|bt6yN=V@^t
z(WDZggM&kTeSPEa$NQ$EQ%xE0o_AmV#L0f@R8v!vCm;2ZBOaC4y;?`TXn0_~4^vS^
zx4xXZo?mrh;@0K?LPGfn@vfE@_V9^KB55O|_!K7HO-*7<Z*Szg)Yf>zj4GxRwHES}
z_5pExXPB8UwGT*L;OEcC%9`xRR;Zzc-3q?Jyr(F@b>PNHo~VqB+v5wp-`qYBWxTKX
zL(k6cS5a|YsK<0;mZ%i0-mJSIE-%3Hb)q)+u|GTk5?akHN(O~|y*=z-!|_lTe2c=b
z*ZDo2pB<>ox1Fl^e8g`Gy(!MYA^S4y_UVUy`+0jmd|-~d*w)te`0-;OAD>%wpB%2&
z30aReVlWw;r=-qFNa$X5*5Euf`xS*(A8>?K`4%~Y@JXrkgap~b9`@(s{Uu(vilXml
zW@dVxuDsne^y9~~V_AtBD{n)@`S@lV6eMKK6(Ypv9VcKSpCG4>7#kaZ%++&eU|=Ys
zOTP6HTuh@6*~25jfoYu9YFx7`^J53d8AY9zZpxFS<#>$5ENXvaR|xlbQ&Us3A{^9!
z(zrf~UWvcxUi?A)BYS|Z!_A&Zc9r&yjs#&vbBR~4URBT<#D89kSv*x<#Zp`9%M@h!
ztl*@ObeVDB`MQ|J2ABRxcvY7CBEf407p!AD-QRmRu7!5DC@Cs3v-4P|cgD6`xL~X~
z{Qn$bb@j^&J1JJlvccqs-|BUu)`mIY_SvY83Gv7M&yJiq6Up~wgzJ>WV;<}4#2D}b
zgoK2jw3|-Eg_e|*+!7oc8}oYk^3#DhXTGz_YF*Z?80tjJp&C;M*-uuPBhFJdR8HbS
z>`}=M2A>xle-;H1iCQ~QUNS{0Dw^YrUugID_U>+Raq(pFwf*~aPY_vsdVQTcQ?=#@
zF)=Yq4$6PxLu4fKSy5tQ)uPkFAr|(xt*xzJRXq4tLY?o>;<t1E@ck7b5fK)){@Yi=
z#@5ygxhh`BJYezgp$xIrty^#MGPRVIPa&L#YQoYV{JQT*>0V?%7n74ldvsmdYqk4R
z2S(h8&4zo^%wfuP>1B{wT29VkLtb<BpwUlRSqlpj9i#pnB>1$wvM>CNJz7&g+`oVS
zljf#KwM}|a(Z*;~LU*^0wXf5Ik>TO#E-m*iJeu+gC}gO#l0s~3Y>C^0!fTloWn~m7
zaR<!jM$XuVIPo`$_!>vl3)59@-#&@x>g-Gmccdx~Y(HD1siKlK;@oIrW+rdVjR<@9
zE@#A<iHn=ttRbP!=nYYZgD$6-nDe7YH;FSauD^f!$W0YD&wkhEidTsHASWm1@9z%*
z-(Q1%-#!;APW*+_<9S<elCIR;*a*9B<*L%HTaq^9^cP=;g>g+Lc&k&>$Wn7rH&H)7
z8lmFrH!v^|CgG|>W@lnz0x_66x7WbP==wYxg6pRfV1;MTo`r`qKAc&1Y3j%}H_(oY
ziyLLX8-Vo6q@kvciH??uC@wBG%hnV-$>s4aB`K*qK0?%fcFve!-;)#k1Wb1Xi<6D1
zh%)TSCf;uNK3baFSa+ParvI4Eypb2T$x82VT~@ZEqXSQK|2~&XbMmxHQ9Mgy;c`Kt
zufP0cXuo%n{`b~kbQSQ_)YWtC=kDK0SmY(M_EmTO!gEC5PsDZ-KZ~%gsVN{lyk@as
z{}aM1*5k5Q?=j1cg|f<%Gxz;Ej2=2B1PIJ<^vu4m;rmcoHJIy>%@l{j%Zg}nL@wuG
zF@2F1h2hwZTtw!J*VB><g<rdPiOd$-@V6k<_i_PAemW8qo8R@*i0W-<(1?WwZ2Z(u
zk^a{RP_ItF_*&1veJEhW@J$i~!==5TPf}@`((rKHGnU%z;V3EW-?xC@m`YKnMud=K
z3Al+*YXUgZHzpjhZ=4uj=0xquTbCkPiMCOl=7H_!SBnF3G}Uh_%>8neh`FyUcK)Vo
zdkd3%GV{l_n?(Gcw=Yu~;xH-P%WSse_OsVt9+<SH=TWM8nUwsVc^edzuf?q^>+HOa
z!C(?pQzq9hKX?#p9-lD;@NjVO5E<DLZ4ztON=nHge(JO&q^&|#m%W;%N=L2W+!?#k
ztT@*;_DaHR>61g})0~Qxt9b}%RGJ?BYW(hB6P}zJ?C2YMGQcOPkV$+)^r6GdWRyc2
zf{&t;IrT8U@KY?P8h<Olcz^npJQ1@E`<lc=Xn1%xY=sv=fq_LEE5<V;1qB69pFZ8#
zaG7cU@k7$jB)Gk{_R$Jv<lDDzEh)N8;!bu47##HU^qibTA(q!2aVkXGzPiCA&bT-|
zGB>+&|M+l(Hc7ZNllp=~U03gd#~)-BWzTf<xE7^>fKxig<*t2zH(SgnPox(&lQ{LN
zgN4pvOU{K2|Jd1~QhG77$-_@gj_$rHsWA~h^GSp~x?r8SiD_Nr;fHAm2N@as0$RGd
z5y8P{@K|aAt;RpLvce44Me%)c-P~wvQ*UamufL_H_W8wgK+E9Vwa_lwqocL8uZ_kh
zCyM~4T4jFuav};gjpW+*=cEDx0*t=Wv{T)MnzwH^f|qM*ik?Ic4Gm>yWmVi-ob2jo
zU2+oCX%6@E^Yiy-U9Z$|GUk67(>q2We16JC>WUXFHQHp-nH{g5<)eL{kxj~C%=p~5
z#c~?%Q_<Rn!=pipsa12w)gRnyn41ig7^9mdwpy>$dH7bQC^Y{~THepKw3q%5-lUUG
zdc;<Io$rXQ7ti_PFrkt<DtR?Dujfdh#9QUE{_Fi-OwHk9oBr3PLvs!0-{`l|l^6)h
zPL>;%PTwAl=6KM+lT~;;K+*oLXL+2eIknT~@BKaT5k)Q>VxRBkUKkG6cr9^LC0;`^
zZXi>}eKy6&Pe6QRe1=Otk^KlN%f-9c{OOkWq%^#IO;Yc6qyXea%`GihY#AMW>bSV$
zLgJg-t|%8s3Nk9mdR$hMdMwZ%v$8ITi@P{EX~{3}bpUK|b=@rYXNP|!zW#6C=!bW9
zcD{M@COG)`V?$o+U`(vUdR%U<Jpl5wv|HZlgUi{jtAcf7<V@o4#hvq_qV8E+&$~0Z
z7@C{ILOKKBN<8(bggGjeq7dn&clN-%)cd8|w<>B&ty9YzhHA)pOn=aOISZ{^Do`hs
zd?jTh8_!fp)}IfX;w{oEoKYfp`hJb_YJb4H?38TMU?GFdgI6Lt*$?~wP>&Y$yI+S1
zX_lYwm99_-qSHO-q3Lx{HiAz<(LipfEaP2am6n>0@}td5Ev?>(8aFgVHE*j03NyN1
z*Qrl<Tw0f7H?r2-7saQr_@lF>XRTz@T*!&j=4;<u(tXQUt`?{g0W@w~YLH3ONquBp
zjU2yr8gXztJZ(+zVHXrN0IM@sMI<C#d%y1Y9hxJhK)v$xq?|d*^~%eOj*iYhu0IVW
zyYcjMQduf3z)xz@U*+XzxVa}6XNM#<)!(ipq!f)#P6pNioY5+<Q^eO0R`puKcjzf{
zj*rgB$beKLB}JiAJM)^k3ciM$PNYANmP7mb(|CG?EKzztSrVfK6dD_u$V)sb+1O&^
z>k<S>jUsG4zsKi)Z!r&A!Pg-Cp%?8BcFQa6D=WdLRaeV`NLrzpP+7Ds@s9S-p5sVc
zDlrz+9~=!lL}_Tvv2sbN!>6C`c+T7xm6&+VmNb%6MQ)@CX$vj>b3JPVnj^ZiLn-Ko
zjv|5Y-o)s9fY5VzBt0=%QRP$kz-w0n>j;{vsyK&cZZ4KumVphg*9>G^PFxciNz6<s
zBZ<G#m2cZ02YXeVcma)<qz2$V-#Wj`$jZh>WxQFiNjFmJ6=VhjJ>K4AJ?xa=&^G3E
zH=6|8!M)K812z?RTKWQ@az&BL@35ib4c_|#PGdUJ9x1JsF6z&{i!`-FC@gaxILx$q
z`Wq3}RmZ0E{EU!yn0HaRYDpsNgwO^<I&JX?3$&~2SFbmec)Jm34BpO8jdrCRE@eoO
zijj7q9NuU<WzD1!y;xk@s^n?3RC>jIy@fkPX<V0^tTC2&ovH7pUjTKWYTRA*l!9}c
zaX<7RUQ}0$e?cHjNwL0;h4*Z&h_!{717_HdRXQdnrqS>V60!#~HC^457nT+lXV0E>
z@|QFPOlN=;v*JB}UP(uXJM42D%W!D7a)I-z3Zc03%E|K(>fkGo6X~j}`voQ@a&jP&
z+HN|aT+U}Zt?54<HkomgF8!?_U^Ty3?Ie8IvA?ERqi&$%XcKF9N>*6~&*2u)fVX@F
z86Ox8sGBxsZh9+3mSjaU@tTjEO~DkUY$oC7B__{ca_9IqH{9IM(rO^^SC)HM-`z`1
zv*G>Ck(>R=lJ`F4dZmzHfUs=#alu*eUhyei7eieXMMZ{eM$i+hXM4%t292Iyy@Lvr
zP~j#gsbs2XADBmn=@P5GSCcu7C}gE6ryxU^GRlcbVQs)u5!HR>#|wop;Q_jJIaGK=
zgu?V;Iy%RZ`smC|fu56!nlrx}8yl~<A391yBkQF$m1{W!nUg}es5&4%E;lzfUS3{4
zU(W814!W1fN~F4a+c&oZ(M&UrFgI8iBl|);xdlC*WHtic@+KGFp;*Jm9UZ&^XX`m9
zHCwv5EMM78-4I+X@>d-AA=cofeeZm{w(!H@QU7J<Fk3Q(_#v@&cebWjJQ3-brXcNW
z>}gBjDiRjc(~PWDJ6beLryHZPg6g^X)^nYWE(tGoZ;B^41Rj;~%FE>BNgP#o91E=r
z+_>8lulz}{r{`1{ntq+)oEzq5L;IN&{b7HRJBL$`?MB8eTk(90bg%jT{b|Dpnc;2U
zM>$%_KtZfz1JSecYkbBIQqrat<7XaLOCt^JBSNgKQ7})BEXoW?HnI?={2${XBBgY5
zUJQ84Qco{h{7Twel=l=DgtWDhlYWD}$IB*hTX4?M<~n`|#bLi=M-8h*9`^m%JU$#Y
z0D&_&I5>z~TiAIeV^hpL3U2#~6yvc-Z4EwiGi>mjWV2zval8yZ)l1~mn|q=wK)FT5
z#qL;nh%mMM;Ly;6`}Yx=wjSl><$ivY^YbTS>eM_K5OUW}6H7&Y!!mb<qYqCb#B#pG
zFN<1SQQdq}e7uuUZ{@ytQ<2>Oopby7R$fu%%{0~ZveAYXb7y~@0=gjTV4<pPVL&+g
zz9g7%!d*b9NhB3nITpHU+M}wuo;>0fbD^h{@5Z05{`N%)#+ytVujxI->I5!WURc+g
z4CAXC@M<ypOs=9TfcB6GyIoiN=CRn6MNM_D3lXy;2a(m%rAV1ihhHL%%@$BcDGaeU
zr>Y6hw@yi0`o<~{qNMiG#YWkAs2~F%+(BmxU9|RDpXUS00!d-@I;;K4x7rDUmC93(
zeYsJns71XtGFaI%$0+VBKD!*%Mg>9YYC+GHM&WZGV;F@k#wXUUSEZ^&e2ZPP63U^v
zT-N<k5jFUSmL=rib3nkSj-Uov+HjLKl7(2ez_@u#0ZQn}Zg8CoG6#E%ATQeN`})n+
z%a|pfr`yNts@DN8j!Lw>ZKc$6g>acb#fNBhi<I2OFe^UHV=>s_D}0KZWsQGGgWxr^
zbyZp}_OsXiT6uBk2R*emxPu$h#;niAyTBlbD1Dyqf@M?2YWdtGq*o)jIBTEklWehP
z<L1}J<1eOqq#Yh^lvS0qiB@zzP-Hh(m$O8wnr<*UVmVY2T7ovXO)XPsC1A%Tt*77-
zmEbB}fZ+0qxOOA&ZCJ;GjfvgE->XdI_&icXZTXiXO)ul%{E1phe8BAYV;e~`-WgZb
z{m!+mIN6^D&PI9-UzoekYVpVW!^05x=Xo5lzPUbxU42>VW7nwH80n<MYepBwFdZ@-
zMHh9c`#N{q2W|+AZW6gy^xaEMVIOiHQ|{?gfX9J94zaEO$|Uzq8n@h*-W~W`PN|6$
z^ZQkc-cKXDVgFSC0}$+1i&iY}+BYRR2C)A+>1$`8imx%gyj1=yE$`|w{LU#fsAi&W
zT09iXXGEvtBl6?Pl$cqbO+rpus(_soUoq3h^a1rS+Jn@?@q;vA0*$34Qkia!C!UQb
z!A#3B;JM;59$0TeEP)NX$pJM<8#>dq7$C~zw0Ylb8PIlW$IBOif|lG(OExYBb`PU+
z7rVgHQ-?&zjin2E6xin)Gi?(L9Ajx<D>P}3_Ea^5U+P(Guvf+8T5e{L%Ykpycp7x-
z*?8`W+CFUFgUhBgYe_NYKNpGIT{TwRsr;2vXu8B~`ahv9!5qyAQHLb9v!9)4#)hBg
zsK=f2_{XYSa&_TUcTEbu0?V`4PhcefJzEN)FuY8Z${2+>$ow&t0zX9ZERhxdB^YJf
znJvup6xs1Crk8amF~i!LCz9$i%i$<Ql0EyuHONJ<7kwb&FU{HFj~kV+UTfo%n8y0z
zjO<yVdE<Ec@_jzdbP8Rxhs<tUvcRo&y-e~bJRXoQ=1|7q)qT&fSs^YD$$GN&5Pab^
zteM021q4^Wk`QHZov3~G+T+J(q@~3{%IX)Fx2?m^1e<L0&+}WM7_IY4gH(x_Kj>HG
zGCEOEZvMCJa{MDwflGu&HHMh^!;st9z3C5<PXEQk$)qBs!{|skn4Ydbq4@Y~bs)1B
z@8xH>Avok-U);37y9xcomO~)*e8EzCuV((v`4i7fLT3zI+FUCCCkq09yg-0z#@}8+
zieVy{Xaqve!}(IAz@^Aya$J6_VVO>z_~h>=urHtnBbokz0+(28o!s6Q5UW#ph%(r&
z63||jyvK~SimiKwN~bHa)IMva!PlU|Z)f`_QO5<C)u%{fZ00fb2_+Ho)OXvl9m^)h
zZx;=5c!{La)1@$!^CroNd4-aoCEa$vZhzMrdxNJ)ccxw2F}*8|pXWNPEN$zhZ((-P
z&ghXtj}4*V;ltRm5yv8ZU%l#{n+5I@n>1boI&o>{UXN&3R~LW<zFv#mipt9L^mHJa
zC7f6OgkJibkf5~QiFVap!9*M(0on!lOjOccd>l8Bl-qVd1;_z-rtrLzg-T7p$2Xdf
zXG)Ff7zuw-Py{!m@>6!oUwaFa4OXKmlzTxy0C;&Qxd;jhGKo1@-MNFLEirIi%<r+b
zvifXKLPBB$^^xB3w)BrR{iPo(`O-Tk7Uo%_fbLXYAMZiy5<2-`z6-3CP+pSZg(J9i
zYOj#uGsO7@kyEwKZafBe^evF|8iX&{SLR5Pd$`LZ)am`}l8c6d+m2iNC^z|X7-Xd7
znS2vC6&IgSR$!AGU3iJM$J<IUvvGi?o1#!fmNKoyZEIzcP9Vat{Jiwlt9tkD2^J!t
z5QEKLVjFTt*lS%^8X|6cJzAX9b}yc><k3Nezk7GH82D^poB5_EyYe|yldo+;J%(>|
z#_mS}k5<kjNV(_dt!Jjz*48R2DrRRbf|a^Z+-J@_G&hH8QvXCpwyKKCCj%Rsh4xHi
zY<=jshNh;oF+b|(Wvtol27pd=RB}8Q+G^nGy@xCdKW4%O88Q!&r`*>Le?-RcQmD17
zN2lecHKz4$@Wiy=6}?}!lhlJfHO`Agg3DU<b3qCbSz><CgfH^vNX$DEIEi&gnH{;o
zgdtDp<8fW~svJ119B@_f4^%kiBv3`xV=9*~e+O#5xw+ZN>+~9dM&My7U>YF7m>wQB
zR8<Wk11e9{Zu$h!;Lnx@t3z2T>dU8GHyuapotz4ilH>}>Mx-0n2Xn1P-gx9>cr<v~
zcs-5%^yvsS^-4<PX`JnE(^~u@1M<WfIp$hxGru2~igS9~6qpG)tX)$qPwF_ee1M$6
z&_&0Ubt<Il!qEF^8bg6}@0Vh_`7X-%8crHlHAQHf)}D>epQsJNxr&a%Cu*@tftJ>7
zL}5{p%Xn)lkc$yWQmALul$9-QtWE)Y*sp2Sz)=Lm$&KsR539;6DA)>z0ZaL@a$N_Q
zAITJha40X$zbl1O7?f68n)){oNoFRM#$}b2p~1mIcGHm|(#;-7|6$qF2-AUM2M%s|
zM5|c*JoD-3i>Zc~X-PCxq9Se?Ao+v^PF#NP%xcMdEmA5cwtz|aNO6(N94$ibBhHCv
zD3xZF=tgRDw+Qw)rKhHTz;|d^CHwi|ihDAY;1FEmg<rlz4!)0w*qqFt`eEk0zSM(K
z@fe59DPDn^#K`aCM-~Avngkj{`@1Z)zkmORGK3N17#8twM~hZmIPbcI(!s<}mv~#1
z*8fOtjZz3P3egyy?BrVea_;QU&emJ14pUiZr0VUi!Vv4+^`>+s;+d}X3Gi=4Fujs6
z5uuQA1$<b67aaSB-3*eELxY1qo<Ju0scyo?OU>8EXL*H~dicSw@aWiBN70DQK&Xu@
z3vzKKMMp~!s;H`#cweD33?Aw*M;~48#)w;+Dn<(Y1y`gZEVVp&Ax(w)o_2F<vw!|{
zP8U|ZnRSnjcYc%@`zi5DbRqMG{(J8Wnc^zvy&iepO)$@-3#PXdtL4UvYB2v1>(+9)
zESwaPB=e3yBV!3O(x8_Nr35G>grcbp{kq=0J2p=wZD~0NnP;OV?S5`L&RV@c>gwvL
zsi}Of_wUDegDF&+00CWpnvDUQLP14*V|{htXvHn;G(gT70<{4G{B~*^$;f&2M{?2H
z7Z)Q3yGy(=FXQvSou@dQ1b!DHN1te}gJ?K7-PF;q#F}3+GLB69)b*Esi@4M{4RyxY
zhBNCPJ+So&<u5$Fe}x$rcayYEx)E-L0$M^;pp)7$=k^6jvB67aK~xY@q7V#Se+CA$
za~}19uYkG?P4J=jCiwpWPLDI9*#1<KA(Ds@3}45`$AJ^voXUE4<v#$W<ZcYp*rLSG
zENz3E?SkM|7K4qN;K+?fk1YX1^{+AQ1i|er;VDv@0%ipe#yCtrJlkbEYVOR}_9u|y
z{&!S=1{aUBuj@#6GnucaoE_*|-Uc)GEQ?6D!ORw6y^V`-v9cTWf?^vN?FCcVw}59g
z7x)uy7?OzNB1g!*PFxDH{V?o8g$TnJIJX1b9tLagFt)sK*7LB#!_R#Wm0}Jv>)sip
z8G7nVbQBxuh1X0@)kam)y$Z-(4p6_$d0)?7$nF3gvD_|>8h?xY#Zx817DT*^I6tLE
zCeCtuE6np_1rH{llkgq%+Kv`19@b;AI7MCH=JSlL_8+iu48L8=n}q+F2R10^*-{K^
z69GQo0*89ML>Yi$FMPl*V5$fah8veKVAmISS;k-(|FkrA`SolQ|3!{ofIUn0tZyp=
z$6gYTlMr=*W(yVmm^@LNzrDVD|El&6wL=ZnaIe4XOO=05Dl+$4)?aXgeb-%txN}d@
zkg&rjwjX*FhL$_1aL*8rUqHERj5n?4E1N3l5-PmWDtL4%hxdnfVQ5ma6Q@1qOP}`U
zGo$e-#=s^q`^L4tb@rzEu9*dwk>a0u&A~I#z4Ao73|rH;GY{3on5up?z)OF+R=a!S
zz6FOf9S^1_GGo`hyk~kErin7%jg?@$2VX3B%c@HeM1MO^FKl-)=W&7uwQ6U=j8D<1
zo#nV;B9Ya=x^(F)`k=a?U#tDU<;9X*9}g`Qra!o)AHLH5z>`?U$G5}6(yW|=c+#Ju
z;h!0|M071CkKL^L1~5uBox3E$n=0Z^c&UV#xo|jt6MnWo53|Z{+2)0GWJ8U%p}9R5
zUc)`F{vuZMn5h8KM|S3nLDWH&UpJUss`4DfMyzJ%2Dy)Oap!2-#NK+V`hIEd)|A9x
z*J;r(yM?;q7v0IW><TC8C8!tI+BlkWkIm)&nKN2?T&)zW6nNBHg=@f|DJ|#N!f>y*
z(ejz~v;wjoW7h4pDfWGc5)ZObIru;)zjLiXhmba+Y4E7llwB7~@m!_<BGcRMvw3Ze
zw^}4Hqt(|Iy^`-gWTKtoI9;TEOXZ?~AZL_v=74FKT-t5N#q{3H*TY1JLO{5t%%TXc
z1*eOH*K{T)!h@#hyN5V#y=l<zHJx(wyMKIXPSrKA?_1Ff-ho4&Q{gWa5>uSnLg*}q
z%l?!Va4z+_Ot>#bNX8w=laA+LT3u`HW3Od3mjEk~8l-n#W#+yh{`;1Su~KZvQ0e-C
zr@BX(MGk{CPz+DsQ;d}0^bYs%4X6uY4`@l&WuPAuvLAi6rg__fgI!RzQT^&zL^FS;
zICXHiI=u+BBgViy^s~+P5&ty1anIlVZH49{<cz{!dP7KbC_SI<*$I7=hVF~qmfF@0
z<y6E5wrAZ4+82qWE7}^1RIdQ@`;E_mjaNN!Whpg>bcjd0=$$>LjCbUuTBPfe3;IUD
z?aqYYut)I=L)F?e4d?4?v|sm4p;wuE=PA;ZaK?kn#`w5ubzRpV`1PXK214WWNFEA>
zTClBNjj@{xPWJ@J+pqA`=U0*c0zfEnl-WabiUbw0li}h5!s}P@HN-X^pJjHbcT@<G
z)CHs8Ei4za*0!V!#Q9G86o&c;S?TxA8(P#0xkn(GL@A;My?sRlX739lBMllCN02gK
zkgJS+H_z}SOirvgC1_e)9P~)!Usxhm4>I!WwtMC_eh0QRcvuP+T2fxF+R;N+SLUJ;
z-*fPt=+<hv87;1U`ab97HJAI3W?B$k?RBT$BsowN2OeJ|aQM!9q=4lx!KFxBW-P7}
zF|Y%yCwNLo?#H5@!&MivI?SrCUe(b>BmLXNm?CFgnf#LjCh^5%IU9)eoWX~Bm)~%5
zD@k{|7@8SMII=~f9o4KEIct;T!r1%eRk~eozqXa8ejE6}XX4`^d8ILrZq<=ca+l}N
z-W@`i0w|U<Bq@?Y={%D2Bq1lWRh3A-fqu8(5Gj^2{c~E<b!7cx)wnl}cJ;?Haa8#F
z(#G%%D_Aw(T-)38Uft3cDTY6jZy7c=tB3h~gPQbfkN-LOD%;5Fvuj#%-iX|<cSe-N
zfgYz59E<r9i(KSmUYb@SdlEi`xX%}@)+&tYF1=uv9&Czg+MwKYnf;ublv}wNZOw<?
zBt4-Y3pFh8vD<O2NC*`kLZ`w+^43Fav0&siDsbTi_>v?BA1|HMWEZW+DQS}YdCT_e
zWq+Q8Jg{1+?pl>Ps%#q|SovvrKqfO0atS-BlO%e3(`va$V$Wu%qi$8m$ku?Y6hd`h
z7^M@6H>&h4Wl+-1xm45&=KkehzYa`FDH|%#YF>=SC*11JFI@**n8I@Y*uX#vkYJq3
z@bc|MqKv`&Oltd4Sp+~{Y=@v7hQYHdmF553*rz9E$~Do{lvx)Nd(iZoYntm;%)<Ib
zm-dBEF<HVd8yXibE~Q*JGQynGVfb<!@0+Xjqkjgh_A3;XjS^8gQrFeQw8p*)qD-17
zMD>;epdtf_9(AN_RkdPvy)&(Adb$qnxzgdbIob=;y<2i;sr>;{+sk?x2hOf|V9`rA
z3BH3S#c(0%4lWqG6zR5&PjF1c|K=Ne*d+%JieXb?H{>n_C>7}mxz#u6XCyd0)yO+7
z4U`8)<wR}AVZvRK4zLF!zVMRA%^gOi@F)=`>qM<1%@!!s6C<*kru?u&UhF(&hgU}a
z`;Z-gXik7A<ho1of85X|-I4iSlV4-PSjqOlrT=A&<J5*Nc|-F{SHGoadgnEDaE*yg
z30}Cc7L#mGyV6;Hl%sSiQOhNxeZ6}<wDd*kZ=pxMNLN?aUVI)gF)?LjWmJ;L0YsrK
zgvk9Uwq`fv0Vc|`kg@~d_Dn=V1tcamHbTtt0yA@8Q-UhWKf8B*bx}%63NG_WLKJ=}
zP+xJHaCd4c8mrv2ab8XsOTO|vxj$<@U|vp$@V<n7O<>B}m6vno3Owr*!O@$`RrQ;G
zlbm*0lf=T}4vvlnc=rtq;_9Gk0m3%O=j0$U8iu69;5K0(q<fEnxUsTo%)SHC4hx&q
z>B-5-<YaDzX_Aa*U;?}R;XkH|+vG13k&rI}GgSVha^R(>r=kxY9-euR3-^hSwk%E{
zZdB4~Y=o>aSly?B%-Pww{v%s%ml@@yI%5GNN=<^55xT|f+)C+}TE2NL-8W4659TOz
zX)bgBQeHAKbuwd}>8@}U&&QZ1C#3eQ8<|8!+E1Y0TW**?tQnd@M3k0QRngPYiC7L+
z&CaHI>*U*Tv9kV#f_@rr$p_s6yT_n~0C5{ABt}O^K_!xtb1|4pLIVBi)2D)hHPB=k
z#R0h>D+@|9<fg;-6MKEtKN|&-618jk1bLt=5D;i$FAdcR=HTF<D$WN18xTRNy3PSX
zL4p@AzI*-pgp#|vy8&U{*!%bN$6=aj=BRi$xw)x><z-|j<qE7u>KkGeoEbuXs-TLr
z@*N_-Hq}nqB-wY;g$HC-XE)H52XN?ifm*tF-nP7kRf=P3NHk%L&w4J(IDNciWz){+
zOi|-Nk7vV(sP*VuGEoQ2wNLg9`ST#lX2%0*2}lKRBDxwHqAs+otmM7Jz`&tsxLQar
zY-MO>HVL8=BMb-^H`dKbx2zGzR`0cTENLyR68RkHD`5LPiC$8BRWV4oXqCUe7EXi#
z3Z>EH`0?W)tT}z=3?;*DgcvXH<G$|%0+~fcMcLV^D}DqZ&-(RVXs+exyAl<Y_+#4v
z{kDqnSoGwy@nm%n>*VIp>}=0T?)9FaKzDJw3ogN@@ur3@Y>2ll_nd!Uv`pYPn3Iz;
zK5mkG|0c~b@ht_1md0t+<oNh)g@V&49W5<yPfz<5QmjsUm`(t51h=ntMsk(F;o-xF
z&6R6wPRRWC<XXwPUABHyU#F+1+uK82qfU6O#-lqXRJ6;5)aDakD+;(ZjL_55zjbx?
zatFkq1a$3oip9!-73b<%^PK}VUGG;Eh|r^?eY@vaHrS<&ffoyz8>kEl2ndjokpcO`
z^~iyxqqZ39ruKG+70koTagfA2PsF4uM^aU&^vi0WXL9ZC8<0>U4gcZDvB`UPq^Fc;
zokyl7B3@P7SVCc*Bx6Y8l+fn8^<|-hOf1z!PlJJ=6Bp-3bb)F;^cpwUpX*nMGpbl$
za%N(QS3>>!b!KgiX#)e_uUsEUy;lkZlD;uGq?JW9*30fm{IMkpXOIDc9J{hjQJ&a>
zFyK6jU)*jQc{cw&tHB!ww_EaLP#VQb+LN{5f5k-&r?ozE*Uw2w%Eh1-lzv6;w_oU#
z)8_i347#?fi^~VdwKVDxb>X<=<b|n|M<@(Kcku;mlNHdcj=o!;?sKCbv{2?eFxc7o
zo-89XbD1>5u6yQpDJdzbff{j!ma5kwkQ$57zw-9>2FXpZIxW!FC$lEd)RwJhYqLXI
zihfxt7irl#ig(QYc{+qy4?rvEthk;JbS)TIF%Jscd^cKfJ3WTp!M@2~F@HtSv!<#v
zp@{KMzb^MtrzmhXv#MUmN;YBFje;Y;<fi8Op}&Cd#3pDE%h!w?E1Cl@pRGv}&k^F~
zWj?C>-Z8;^uJz?PBK~cD4I3-pQ4GI$K`6jk;W*hTBt(hTBX^w(wEP3q9xE5@woxUX
z&~9_XTTC7^%!u_a+nzXuuvO9whmBwE?{EJ(nPhfH_E*}quclL`;P;^{<-)>IYw-k(
zraU0&*fjX1n8oR}k=O{V_Wr;UY*;jFg>uH{?wCcJ%$4B}L=jb-l@&8ZBZabD)Wc&H
zELkL0zm~3Ql~>gD2b30${kEigFqyJunYT34KJEQL&n3!S@Au`Vc8O>%uPeVq!~{cC
zHY<gOrp^bk4`vA=oj^|cd&Uj~lm-n=jg6go)*N@@kK%9!0J~I1kkmi8$@|;K=b&N-
z`2VKUuQ<4XJ+shI=CV)$_n}fuLOBe2e@`cKBZ9nw0xfy=qB>yYdSfqPfVCiil8oQc
z;V$na#DqqN(?$)0W?I^2;282-g#<WlyGnu8ks;~Y3!<S{&eLs%WUeiqsbQMc-h4Z{
zwwcUn>$^Vc_0iQIB+ESo4CgLhRMXPZ0wR?0UE3LO&3~CEJuxWNK??{PjgF2U_*3pb
zx?bAX*Z1Sc53q2r+4#~(h4&ZxRv8=aNJdIM2m1{T30Wh+%8!J5rJQSGA|oSXV(vGr
zR%NW@ys2aV5K0@NjBsk>7ic-ac&zUE8Vco_eu+Qy+Ksl{yyYC*_058uHL$JC_Ze2H
z_nUOtX@bOL1~@j0%cD2nO)txW&ZH$feQ27BaJQ(9t<7QIQdmq(+u7oCc6N(vJqBY1
zO%hsK?@NDE;xW?GV<JX<4-dn(gE;R+ZEk%a52Dh?k9rNO*6C?K-@SYHM8J&HHq!KE
zoyb<s)prP^(&}))p*US=aB0o?*Ji`Rp`LJ?jo9-w=NDDi(EILv8xhjTm}QdZUcWaw
z<Su9?kdie1r|@^!epGipPDzPfV=Bai<FhNg{QRH9&wZj`-<a;ZqN5W&74#6eUniz>
zw@#x1Q4lo1HbF9zo_=0Ps7){=Bm^soz!6i9mm{NT*9QHGv-A>>3N?<m&Z=%M&ecRo
zC8sUSZ@Sno>+%JPNV{wd<~7Y%|8!XdW89n^wQ!Em99)CA-k6uwVRo5y3rph2qUL+r
zk*cbyz6>JJq14>dqpPC>Z7z4SJH*bPx18?1^teAcIr-D4lk=b4$s>>nj!ohyamzvP
zDNT9M?HP=MYR1CSvLqB%*=21;dcOQqEo?T>8*FD)F0J^&yu5Xbo3e+lST~)OwmOaO
z<!Y%PUA5%ArK(EPnjw%yg6X0e+f*LUwKJG5{wW<4oBUwiHaJ;ATeE0Ee_m&`eL&jy
zV~uOU;OMc9HCYa~hKMO;*9bIc)JE7+(YlgRl<R6%*;A3(b5_Uj_p*|SrJs>#r)3L$
z{gaW84GabVnOICFCMO5JOrd2sBn^Loijmu|eCQ}zbgsA$D(Wy!X=&*u)#9_zuXUkN
z*YgygHfVuJCO0_@nW4;i1i*dVy<Xp+m%p>tTD(2Q&JN;na|hQ<&2^6q{)!LIGyPKY
z)j|-QU%Rb905bA>{+z(?zV&bQmq=-8cPt+c+N@imf`aT(5I!w97crR6JVi(T9M%w4
zJdinCDQMpPnJ4D;trM!1qtf56e1rIXD`U2Yn@7TRDDdULj0ty=lg+Sex!T6++g}Qz
zoA=`9eAO!%u1s2|9IHhCa_@Al(y95pKGxDo47a)=BU4^e^UBwkd`WWNobTMZ$cjOD
zE9Fxe*N*KnVb~1Fn*`I1KxLf)G)(M^q@kg)wYJ7;%zvmBEHo!+@^Nx=(4?|7f6Rh%
z9u2pap`oFNkB_x*nBGqaSM&4pvs2JzL4;{be;~E`ic##WJZH;K=n5FMUAm>DWPkx5
z0nxys+<CC-`0;?Nb;h}zzMh`o*@SE-wTz7uGO(e|)YKHkV@7InbXY<^x2WQAHP?DU
zF^7BdsK#o({*dd%+>>Tq3zH8VRg_|B#B{Z78F-eLZ6lAc)Q<jKo1LA70?&oQp6?&n
z;`X;8pwtRoI%x+7;#t8)Sy``eUv6aOwJ71cc=2>cY+RhoMr>J06|@;NiV@{H*h5oS
zRtL$}HpN!&_hfs*YXHDY$|b!9dH|=xW8|iWC?-2|S@8-B3!z0Xv^#=;vV3f6N<mhZ
zDmCzG^b6=~qba9Csq`40Vd1`Y`emYvx(s3Cfu|AT&Km0KXEq@CoC@>s@H$iRev~~i
znqwYCGOwoU0RdOH=h6D)=xk^lTD-B~%XoR5?s`XqtZPJnXHfdu@cdAZnxcu_h5XVB
z8}BBBoi|m{<)c)Fxd=a54>`2N&4cvNNOvK}<iPO&E>2AzK|$Ncj}^J^K-*AAXy|~$
zl?|G*XfLhL*D4{sk&2Nj1zFtuXcNaWx_9+qe9uWJacq~PAw7CC8bA7VN}um?WqROO
z29B3dq~6sJ9VJ9jqgDq)%^Rn@8Aa`Cf6w5PS{WOULBENxuy9R;#3s})q2qA#0h!Y;
zWYF8UWunkV<=PbcQYx(ENJ2tF)6@iUJ<HfpgHFuG@SBzWeqF4!LB^_^+-<?Pa`^^Z
z)znwlexGTfYu-rls@x38by_T0N!4qq(+j$YdD`$>Yo6?e*-6#JwV8Gc`=OMgR2_Vc
z<QtMt4HDvGRh|-PbSZ+p>uPHs6#^&r!5eg`J{4Jcj*F8qi$$4hu6~;|X~zdbB(ok|
zzh1#(yn66IvJT0U7jt+qj}B~S-`j*6<nY*Z#?DUd;DZMb7NG`hZGH5}5fca3>o=Wc
z<RO1?bX={ke{*f&>(?jmQdcrrc|{+RD@H<3Cd9v%=4Sds?kf++_MxahkgXS6g2Ss+
zTolYrcD*>XwlHYnG*Usnoa|ckWli~2f@$q~U1po`u((U<{5=%MMBk`_0LP52>cRkL
zthko7(^}L1kCVts0vSEM{wzdcT3T8FGCL#VZ9ssjL(lQoTx{v(n@8pumP4kxdL$zk
z`L;N}QwTYFq6}*M_843cu_4VMdhhV+GBX=j-k_B*)Yfa;+w=1B96%iT^XE@MgEQlR
z3SYh?36>7T&K|S@4(J{a6zV~{@_0e5T~A;C6J#5mW({LK*Au0}q=F2PpKdx7In2jf
zot}*i?}t)9O>sBI#ZEqEMaP>_lK@cSoL-r8mfipasLe6^p{eA&8s%iGL*|LO5)w1x
z8Xe>Gj~|Gui)j5>5$`#w*?-nVoo<C<>6A^8^hJHQvgQs9ZMq55OfPWPpA}tEfz|IK
zB6#o|P~l-=psQd21$1>nRtHciSegVE+797s0Ee?Dr<kA~F7$$Yp4H0QIxgiDrIE35
ziMRWU7eC^iZHEV*e*3*{9k>GcdEPpxQW=_8C%Z)ICP8lQ!ICg_($9;^`Vt?sx9Sy+
z6xNhiR&sE0tz$;~&8@$Im)MokfI~$gjkjaqF2ghKf_ilk5`(`)-vLAt0nX=Mip)l!
zx~cIUrf^c4-K7FK)fUtA5B};$MrOh)LaAwo=fhqd2*`Ptd8Rb{`=$SZ(%N}CmY@|!
z>>-%`hnb@sPC`azpCUt4^P1rlOGi*_f9H2cVzcuqe?dGRsu>$Ow<=$nDCBnDi)CT9
zuZHr08*+!8+EIfM@jpIMtAR^wgmPbaV5_>=t7Rd=d+BeB+4g>kSrV&t+qw-Arkh|(
z=O-EIS)7IxY|QNBus@a*=h}F9n<L!P6ZK>u1v8sfZuj`~moXh%Q>D9(f1$2;6~$!}
z6PL-olyd0MF7piY`GvDq*A7R)Z|nO6xoY)ku8!I~y7vQ0bN?>CCYT-fRRRzrd}Z<h
zy<^?mVXA+Y-jr*r(g+Lu3brH#%a%S2>}Ko2ttxQTnL748s2dg(%;hh=Ndgy2Mj$PB
z^kZAA(GD}VQzW<)8Fhw;AB1V!wao*F?PqRPH?8;ypwzpgmiv42U1gkb$YJOISnHj;
z?-Y5rUf{2s>LP_9Sba4%3nALMJ#Lw|F5HraG01s}qnbO%@i<P@VnglrOF<cPTjOWN
ze`;mV3WFqxG~)hHOc1@k`CvNofWRAy^P7*kan$IxbN*+bxk?DR1uL5e%&(q8&VqAx
z@HPgv&8GMcG}x9Etg1}^aW-}TX`+9N+6;1SVb&cl_p-I+{bpQ06e+gk0^7ikV%V@^
zGO^=tC2`N)whHyQ&$mj)SWcdEviUMS6kl-CxSePG<!bjn0!Lh9S9ZK6&-9;iuYXCG
zhDQ|it?laM{^vmvBTT8VnjmQ<n+IK2cgj8x0;p|`ar1%`_uzDZb#J@Wvy=WQW$(W8
zo{Ij?J8f&Mq2|APw=LP{*5^LRDX6JK3&!73ZSDK*XY46e?0v+xE^udJ_wH}?&ZOrT
zNpLzp+z$VDP@r|ftd$Ct{^4tj^1DpmdF^u5+IOcNavZ1sTo`!R;h#4Rrvfmv>a$my
zDm;Z60ImWLzRsc)-{G#f8fTdfOxr0-ORvA|{EpheR99!dkf^g0o15ZF5PKD)+h)I~
z^4|^upR;=n<ez;#0a^+;_5n9fo_MG%h|1U!svEKcq>d$j_2IzdZ+{AEg)MEvY5eV5
z@0}v>li*;nWh^X93fmn-k4N{|`tHMVp8kLO7@XCPbR`4Sj>>zg_aKY?e=$fRU*s?O
zi^h!2J!Lg11)Iags|w%FpJY2pAo%7B#J}wVGK@Y5L;?*X(5Odla*z}v<xVK*qZ}5=
zo*K~aq90~F!=2+eV4*Ti=6;CrkXh$h>n1q@d)ucSo+Bq}RdBPgQ}5`Y8ABA}5RIb_
zQ1E!{j*zO>fZ*;<0u$gjV8J%H7=0fkbdyp3r4B|P+TpLvmQ?-BQ*mEZv2vbBughk_
z3J!)>nWb%1lF7z5`%1k=j$><|s^Wo)!Dof+SuRyy;1y*TgF$%;dOc@<FX}vAHWT>s
zRqs(sP+=s2h6JioIF)jHks6I*P^C36wmrkppIiF#C*boi`B-m&trCt4oY3BmpNB@f
z8XA7i%vA332@ejohjvP6ekVgaF3PV^-V1Egck!Er_H&@qM=Dy<g?1}dpjKkE6QgzQ
zZ(MGSczcz6!6!oIM&N$l5v3VVzUhhV9w<bI(FaRdO;0b?YSoYYX^xS9NE6Lyf8Kdr
zLr2@%-&^ORYg|;OyGX4FBYyk!t%4j*J-?d9ir|V_ZL9>*B{Y}W+vgHl0iWI3sdfGO
zOT)*PFF$>kYG(sos*qnA)C2cxWHbur3-G^`@w)3J16gtl2s@jbfhJddi=_kl9^ohd
zI<Xt6$$XIs1t0;L`5s^#EckS*#_!NxqB;Q$o92!^m4??XG+Y<Ilx2TT&m&&{qj(-s
z_<MI|cVkw2(YOcFYh=Mu9q>PjS_n>F0V*02OX#`|MT>rCPEMQ@gM<*~`Nm1j7tsBM
z6)#d5W_J|k<k(HL3mku4_ryB*#2%2t4|<C3HJ37GtV~2=QsNwx?EC&aJkG%Q?iRwi
zx75w3W+_MM%DVr4M3}_|<v*HNn+{M=4l|I0Gr{R|c4YV+K@60Jo6;B82=V|p$7k?U
zQ&XQs>402LQ&TBBnn~2|%ZT%ex~Pa+B+$qUFOl1k6|0>&o$@YKE#=)zm&nm{s+!i{
z>}EPV*W_eWw>VE-5Iu~<CP+l<2G;FEnVH)=uc>L>-3U`+S0F!lqsXb7J&GYo>>CHm
z;8Ua~I63YucroE+jiP1;qx-cm3yR_X{(k5M0*&71wa|b7>$$<|xuIVQH*Uaup7x?f
zyR2)ll~4Q73F>D-x(_)AXz~2aX9hu9+y$q?I8YO~&W|ehu8@Ie)5i9;_#$Q5qz9#(
zqz^o39LBVM^p+?4<x>zGsJN`kCgYWpNgH-t*TODh=B90!fqb3eh$I)cN|M<_e+H}<
z-hoD0Jk12cRzRCR^FOy+=YIZ$n7^%hcky>(W)@H1kzo+nLMrf8B@|n9{of#?3E7JT
z!Yu!03fmxM+uRS!V~+!|%+*3AU2xkP6RxXik0b1sf&L0;AJ5{6!IH5BXteG@;B(5*
zp#KH}0v$5aQsA_l21M=`0sTe|Zz%8%?h&W|g+99$LSu>bSRo({4hYB`S*QF4n`v=j
z0S+K|F9FqyM;F6tnwwR6$RAfeS$TYk((p_>-x{>%H+6#oy}KJuTq%uJh=3(EcR)8>
z33OgvNFpOABm2xGV3n)I7n>->GmMt`hxplxHz&M=P}Fgz#>V+J6YX%+2(+66Unb=W
zyk4?S;R+o50%P3R*ub8dgXVhx)Y4c>%K7u>r6NJ1-9%1xogHMKaPm%WZZ6cP>VZMc
z84=U@5imD5R}yaE2VJN97cO8ADv_zwfU_A8x)nCN7404Txdj#$O5P(u-0U&f4NaI(
z^5HwH!MO>nba$?$G+{Sbo0gW-Nc}0rQP78b=*z+!F**A_`aG4cBr6j&DoGnAKSVCE
z24^QYZ>%jteGzI9X>iB~9AJb=DmlF;uxzCd+p+U+)SyBD@97^HxX|eJ4l~GOBy!;b
zTQ?^j6m942MER8Q^CBbf=;>Xig=%pYv@UT}rtuY|rZS%&Kf235j{-V^91gNHtnLGc
zTRLc{5ZF_RR+sKPd^pnBc>C_%yUNM|4I`kLre$CVs7p*tgp3=GN^&oLJWvq;)9itS
z#lIjZSb2-@tPA#N2e~Q#+WxkptHE-EK{6msX6dPq#k%3-sz;Ew)9{d?HMVj{9LW7&
z0{;zgw~#6BlF@&W!>+J%3mtI$-{Af%P+Gq{x<{?BeIu+Wg~AY;DiU_}jsGqz0ZIh~
zDSs;oJD=`IHb`JEZQXjeJMF(tB)$d#svD9j?BN8vYX}L~7U;!-sQ>cuUzLwI4k7(N
z9Hj0mq@dWtBrl^;V@<%16mEN6>0d;*WPzVICS~5s#H5{(y@0>j#7wvs;`}GTiz37q
zhGQeJveBJfenM8sxXUeM_EF62U8zS=&VCZ-AQgS}k8v@8$Q!z>uo)(<XU2+OYAX)~
zPX)Mg%Toy(AtPCjVxgsBXf1R)35PsIUh&wTG^@rZNNJEiVD+QB4MAHu>fgHM-tX*q
zC~2jS3OikvXArxuv7N8tvQ1K=-7B{f14vW<<~#po$Xl829*ORrui(gwofH|wYp3=+
z6$fY;<SxM$`_EDTEhAG78(zl{??LPueKRJ><|fJcVrLV^pz4qQSqOh|9hZh~+3m&H
z(P(ca!GC4U&yAbrY>cAJzbDo6<!nS6Cw-h7@)r8>0gtB5bbCeqV=6Mf&y-uHI8VrT
z{E|u5T2@+^o#JzqzlU}-;CkfOMTlU4o)ien(1Nt}sJ|R6&{*GmPX54okR1YKYlZem
zmq<$A#D26)!YmJYAS060+JGl69gk?>@3l!Xb)A-`-W|_>nZ~3?$qp-Q7j)3JvPQc3
z=)w`<#XFffrW0nXLu9{967#c#mf$EP=qb`a0acEoqHfoEUx|$zIA;O)H>mZ2Ghb22
zb6H>UXII!N_R63s=;$C=j0#R&*qIFM3T>z$)?MtKnGL5-<%{MkMLy7Ca<lzHi7)(d
z#~9B|T$ywg9pao))79zPc(V9`#?ZZ(84m&noF=BJtGg&iLSg7SJ2%(S-j2}BCPcjg
z!8exX*d}6nu1882SnJrRrn$3Ni{$Wrf1FG>rSWfLA2fk5*lgG{Bf?hHBf~f%(1kTL
zV$39%ttOF~7IRGN^+*uXK=EQ!Vkm2Odu<aqhWH`lx!1ZN<H+1?00bw`MRvo~>Q#=2
zOL<sUCeXL<m+g`a9(A>}iWK$LyS%!|Qwv29kSFLm&j)N!9%2GHOhSA-iAfXa`?0%k
zdw=ZmKi}i{TA0!TU8iW~2k17U+|5$Fg{(@^I+0Bb!%$&`iFaDTlnags5;(xY7tn@Q
zSy{P%!eNw2B8gwtTG@J<nic%bw#vNjZN+D*-6V<#6QdgG+oS%F!3s^=@%na=m8<i;
z+}^eouMZKLw-^%{^V9JVTqoJsum{Spt;Zk%ug4{m-5of@4@bdl3Ffy`P#iI|d#(<2
zuW-~tJyw=O!gs+tA6==LJY~5W-d6Td&4+^$)hy;W&QqIh-ZQ!QQA-^^51N^-mUz1^
z^&JSR9MHUupZDd<&1%kTl@RxC+^B-H@XW)3mD+M#I~x6ALpUoDs&Ck+=F*3l(3&rZ
z=*YR5POX~P&i_SxuI_x{Fbs?7jLm>xN+x;kP#B#*DV=?_ap`2@?ZOo}Ov`u-txW)x
z5a{bMh)hl8U8VWq8!hFe;RDF33XbvOfolApQ1vQJ4K{Z6XwH>iR4j116+Ce#s7NbO
zK;!Zjt2|3eGyH*^Zn3?^EIV<c^6@%vM-zXqOXCE$^Tu)z(W17lxZ1FTz#!DEILtIV
zT*u~k;ydk&ioR(6TEX3PZz$U0!*)^ON(pI(w3Rx(#`+`ME9m@{CI?T|$Y_I2t`;a4
zxCM>rplsH~EptCxJ9p<gAN3&md%ta(d5b;UIhly17V6E|u7xdfVP^=?RDvI(2FE1e
z(tv+h#-c|kYC4zmnRS9A$&)q`P6LdVCS=uiglvN0<fhju{lypEOMGmZI@kRtOA9C6
zwI_=_eFD%MhZZLhyL%Ex=FlggHfhSbtGf>ywk;xTOHbtNbS|tsC(S5LAL(9t-(>x(
zBJaWPxzEy9TRIsZ`kB~CJD*Q9H!;)2W5LIH#%=V(a>~r5`h5QNkIXFK74y%hwU|D8
zlw)k8jXeefIyaV|lUnhkcJ>sO-=vUxxB9)Iiwt+VCl)8{2Bp6t?+QQVKNROHT8d#f
z9SWPQW63^p>e=TM&VMzD!=Lx#MtLc6KXkTYgDFs$(g$};<=~y?K=SUe7XLgD$j$FB
zRxW#p?}doF;S(Fh@ky62BmYYr!$ofoXtde3zr(1#uesgF?7;?cc@G1vhzIirxv<2;
zF}tPD+!}KjsRz>$CfHMY$kt}mJ;<~+2xy~H6!C>~W(0>iulU?KfGrc{v*Ds^#VaCA
z<;J(Kn^B6AJ)z%vC61#Azg)(2Z9zVubhqCCDi*YNN^#Lw6N`LCWQ-@G+E2@`M+Nqx
zL!N=KH49$C7!su=#7>Zw7X>IqrKbeS*fvTyju%wFxRGUxL)SL6!|c859P~^>1F(Z8
z^oK#4?|vr~&R5!F`=7j+QOQOlpA+Lq<<;%&wQtw9wH;S8u(^gEWG^ZHHocu|=?0JE
zeSx2sJ7n5>>6kXzp^cwOR(swY4vfKW6DEAx6QaAW_!(@G314Sir#Q$qi8oN$J!?&Z
zw2M|zL{^V}o7d#3((W8sJ2*2D^$lKi`<jEy7QveHx`cJM2SRYC$>REzy)H$rgKv8^
z_=;GP3dnujxo^-h{{slajaGJOklw!r{P<R{KK8AF$#VsjH=wV-^EcVK{UCA#!(&K4
zKYD`E*=R#W#1sy(b@(PEA~@&wn&%uT69bOPL`D`9(~Xic1FgRGGMcStP;Afe51>?F
zZ7lz<+P*uU>i+#-GE*|jN{Q^*LiQ1|l8o%purebf4o65CNhP~DvXT|qvy7~=M+jw)
z4%wUEbq=Zf{(OFq@AseY{n!1_d9T;&dR_B*Jueq-*>_I`9&DGFp7XR~=^k3#cJnNl
z7hirEdG1`}<DrLSfoPI!Qg0ScZ?ttbNx(^#1KC_GwJfPW#j<Nr<q1s-AFGr^`y5HW
ztV=S@YXXc!SjW+bJM=!nM;ctRd#;1h*w#2$9O#Qa#}7oPeao0>fI(ztW)^qpeSnYk
zxz1ceK)?W*gXo$DG_I2leqO#Yhpkk{$H!y)egQoP|7{|H&j!@^QkM>am!xCK=ZO0u
zcVZCd9C4Js_$sw=RRUfa76ThM4nzxQyg-SC7LP_gmA9(qi=IC25lpfG07R`T3JTDc
z4UR=GRPzCp_?%455~F5yPE2gQ+-I`}PH5fH>r#!o)f#}?KcXrJD|LIwe(I9xx|we8
zCF!>9=hw>lGd4W!GTlav=~KHiHz~$TO2l1TZ7eKSfZY&SWaON&G=IPv378rn+&Kh>
zMZmCVp>Gy-GZuj?4EC~z^p8>TJ&4gIPnTR(Q#&IhG-@;z2+TYAU80XqmY+(`$SCUa
z#{a!CpATVM`ev2Uf%-xWYk8yLE|O2IkEbD^xEyf$nwHkq>R2qW+p;w0+xE3CSz?1&
zY6ga)scg2}OYl^01e2(d?aD>iAs~u%ad81i^u2op>$Zo_o;{0N@tg!q0?8@o=}Smt
zaZ@}PN^t(ZSp~DfLd?iunOS#Q{ISp16EbqLLq+!59=~wi3)oC~xwrs_2=qGP43t<_
zRV$>RS6BsX9u9hODpx3JHO`v3*{f<@SczZ_`nvU2A>jm&&A`Awz+XXz4tOEMl~U@y
zd{F^X-ZSslA!FRws3h%th@8CN5f+9$T0Jr}6j*vVF7XGgudOAx&-6=7=xX2S2G}ph
zDV4PscliVa8r0NJ(9w-!Fe=V*hoT{&1(^s8#)dv?jW8`U6YBO2Nh^aZD+LGJ-@QAH
zajan+Bh6WkBTL$WgjbcVur(8AurVH;5mvU*uZWwK@ybX|rKS!D3hEnZC0HUo|6YS=
z))q_<FjP|ehHg)Jd*i3vwzQ<0?d$GtL3wcV@PK#M<5c=_0Wf8)+2HCp2R(TL-~a#<
z1?*E*RSm2~f#5YsZ5!z6JvS~j(I77ba=D++XPtrM*P}f*C&%xV@-`&cT6-%hDpE9(
zhdD(IdX(+d%kKQ}_RD?@XdBX171a!B@*^$bAAzMvQ(vDa`sS*`>{++mkxTzNbSP5C
zh7V!plSRTBsa>k0X>5}EO=-P%l(jbd-yU9mQdWaTWM*V+tq*LY=0}5Gh>42IzFlIv
z$+!+8H`sTvN*eMyz_xSg(xr;Z%4%b|C{uC2o`9|ZHV#%+KZ+?#;#QSEwXd(QdYBAq
z9g}ZCTfViHO7||0!~}`dKX}j7l#QEPNz8JaikxzMaPTIVf{Kn#1j$0KRhP4&3>!f6
ztnN;Arh9qqQ$YjaWrDtloPvVig`408ZfVO=SRDT?`8zrRMY>SGcKGb+(&JhSnC*m&
zlFbsqd8Zn__r@+^U485JGBKvY!sXG4G>0th?7He%>Wla~y1D|X6s0vkEhrC@EW{0&
zell5JXJZt${YJ;g2-H{3#smHDj(8pgC;{*nb~7?Dg=aD2_kH~etyFxFvaYsT%=kv&
z2H=*B)%hO&l;tB96MRBKTC^4uQvCc^tWNbQjYT0E=m9mG&_OoXcJ^lC$u4#qc=bKW
z`a+H8Wu!Bz>Kbw@YIT*cDVBr}wq<!G&pc{9KSMih`(<I+wer~nk2XG4DQjm`xAV;S
z)ht!CtAhlEEV{CyLP<#pvaQfXU*(p_+e8T>?YXs@yfMwX?E?UD&=EAZX>N3MB9x_H
z-g9yi<m2OmXbs5n$X%!{xJ*Fk&CGx_X?txdbDdCc2?$0N^3^*D-MZLnf=@^QT}4~c
zYe6p>jd0sU58z-`c)!8V;g)XLw6RfQP;O0r`0)1fl*p$GyFov}MRfS6S&cTS$iv9!
zt;tpDxM~3})EuhqT%t{Mq|-4DrnF6zCnl3|`DL9xkM-PoWrcOMq}P%I)BYhyZ#foI
zT<hSej)s~Cs6&XhOf<x=F<5vOIRGJ`#*Nzo)2V`C+aor#EXC?zE>4B&Njuju0|q=>
zd&(f85C=Imw$_1+m~bw=X?kfpc=$yGdPoUbei?qmw!&Otp-A@&o-U!p((3#o(fz*#
z2&X!$8DAi11?}1$ZJmQ`%cn(ZRezA2#!AJ=Lr>0e<qIXJz5sa1^PQ(oe>Z%ukIlF!
zG>>Cjuz5$(1Vsg=LzuDj#Ew_N#uVdB_Yucfzm};DR;>+Z(bCY;uJUlBeu#UK=fzFY
z;p(5HSrI-|;}xSp$xK4g>-k2Gwk*vtr^QSuc!wkYc}%gtYt0MF&I_7zIc7Q|l#rH~
z;52XB7lYUi%XMbymGB(P7!f{B``-*D_S(3}<4q+@{Q>;zOWUp5WYIzc3$}%cv-4Wp
zFY;A?L_ijF^Dx*>JyT%mR#fy~sxz$s9Sy3PhnpL4r9hRDpmkyZ$}&bq8KqMV0u<vi
zH4TqRFOZIro|nN<;bVQUaCp-3VC$KmPd?kqhq|vf_2nL})Xy#)qMRAW=M&zCp>~IG
z9gZ;r0|RJ_L?g?KGBRL}5*g{~b+xrQ1b4E+pxUr`)UG%TwMC4<zNI1YznmR%CG;b+
zyuMbc+|8wVGqXN7hYmNJF0JkMC;C1=x-mdc#ULsu=rsB{5^e@`)SEy)0d#J$?!wRk
z0hm0)a0D<WC`vPm^6*#zwljYK6(R$f<^Y3&#nI#I1U(HN2fx#K?|LSYg;>u7yMo8A
zP1zRemZE_46UhT)^+D|n%S0(1ES-{_2s=>Tj~-chW+L6(L|Iv7QwJc=J`!&1Y>1!k
zv0@7tPM|rcT>zDywpnQQ0|1cgqVtFFJ;v`9{_xpzPIh|pL^!>k@UM@C71S>lJ8d5w
z|MoCwrQWHDs7Z2#VjQ>yplFs3ndDjEm$!=L61s4Kj)o?0in%#^8T4$=z(Uy4T5RQM
z61e%VAW?RZQF<(IaPP$r1V!=bGu<JyDt0{*E{e}XTE%&Mgl3|pLXS!<rg7AqBW7zh
zywz(v!PvL1(VywIG?!$TIuwZXna;xayV`m8c62OedTyq|`Kqe!>FEJjBnu162`LmK
z6;*3XOBTF>`qMDrGM&4(IyW*sZJRGydMg%j4y0LthGk&(%kjadeh8%23I8|0&N_ZP
z0FgwA_$<LCbZTr_K#+fUO-}TLh;Fd>v6mtqjqlY%A8M!j1}jNS?GF=nN_UwtL3V}=
zMfy-#sOGsihj%(Bl~0>GyP7vdb8kmfSIc2$gsiM>r&Y9JZ|fwm>@`;BE?jt%9$=)W
z*ScLY5A|FPjW);}NJ-Fxt|9Vy!z)|X7oR%4O*TA!iJ<5GoPvqjW{uSP+c+{BNVN``
zUM0GOwqqZlnRrq0`KyxFs85Smq4y)UY>_i1zc}+14kTZB<$6a-YDv$aZE87twcuA>
zNb6YFEvotxQXyX^T1;;X95A}Jnw@`_mHVvd@Hf}=%1uha@SjeDQDgl4oU~2+^#ak1
zy5FY6*|%=H2DNL0g16gZ_5F!-wXqXZ4&+W0Zx>53d>$58mhxF_d4vMPn`zk}7Oq)c
z&2DBc@glH=V9nIY$NBXqZJSKvyaL06B9dScf>}UW#Ydg#?wR$-=aA==*G9`9-TSJ$
za0)B9>!YI$e@#?=NNdm%kT-Z%5$@Ifu9<{uV{6_2NnTl5hQQ6%A(?rWk1S~{WwaOh
z$(L393C6}~0t+u0`vXc@Fo-2P#{AipA~B+oBc8G1Y&Ay34EkCdnwmN$`3diC&NZmt
zbkBbCj`QBV@ey-XBa@_o*tNOEg_QSmoMmOk=n<Wko0z$T%95Afy(#pqydr0=8R$}5
zJezq?aI96QN-v{+-mUfwDSj!_IzbeNHV~MT2hQ){kelMja%3MbxthL;u=)|NuIkkp
ze#b8^z$Or}?0B%wY-2H@ad}hiSqn>waEP6835A}TUOJUUDYb~wV=Y!416`q}SBEH(
zF-|H+2MV2BIt4}elK8_}M;7#5<ore+$4Uj&caKz<Xv|F7f27X3LpeT~oN1!Lx(@qO
z_F%}p*7w;~q%v)#xWGfkSRlNC<u3hJ^MQmUr}B@wAbpH5A83fCGkWUn_tV%jhH)~w
zi1CDAu_{_MRx~yDv42^A-<fgt=GPU6GWFJr$`n2kjkzCK2z>+4^&&*zcXH2|u!~>b
zyA@KU>)YE;=+@6f6;Tb^)-t<Eox8>Jx@(Segm`&AmD}<fKHp-U;_V*pBM#P(&?kma
zM^o6Hpy!5t3?lU*Kg2$Hz8^>yhAKEfC}SjCu>=YF!ZUu+F%s13M(Uw4VJQMXC^-1t
zH5n*rxR8AWYuCQ?);4I%-3XyluZq)W5PQuMFSywkYrH*g1#EWq(uHPY@P_*ux>LE0
zp<w??S<2y1tLMG1BNHtny5VKvsO=Pn<(bj`LZ|%fG(B;o<Mk_S%@RzHJl7^TFucQG
zA!t7gYUxdx8m!o$xR=%;!*>8gA@icNP}D}2lQ`b3B(}MWMjDi8aZBYa)h3B6#b|f>
zr`M0xxWwiz9=%xyVyP!h9=_D`<8`~6Zc}92m}t*hLP*xf8PR7s`Hl@g_Dc*Q$1JBh
z7!+<{9A9_Icxc#`3YJ-hWRxBJtfZUf@wEe8j<kN`;*j8Zsok|RmtRh^AA@lC2K8u;
zbD7`O<Z|_6gz{YbbvBM#m?a;4oelgOH>A-Yu}t7tZFL#FpQ2onOf``1SD#pS3fDwT
zvHK+g34S59=t%Y&5t0SeFxf)Mqm9#B2hP*UnnEZ2o@mg&xI$%tshrrTUl@15ekt>#
za{B4$!Ajv;Ui?joontGFK28H(q2;(YxVH0*)Ick972XXOZ*~Cs54&uC#r@-(kPa}K
zzIC18uh;y%8~T?r5v(<<_5BJWaqJo%49p8&Gc#OIev(x<8FrXWV3Mtgp_i!4_I7c?
z+0^g$w=q_w4+$<n9M{oI2uBW!x&xY%1r!*1`Ng2KEX}dBo!g>LMV|ID^*#-~9ICMs
zk%s;S3>rpVI_nwpjXoO%FZ8o{GSklTv#BhIp36MF+9=V4Qo#FbqajSD845>epU*ie
zneKe&&r(6iq^9df=@sTjp<U`BJRF6hQ4aGaSy=zUWivBi-WZ_MF!Z4{NsBt<#b7rn
zDT2ZR44lmg0afwcTT)BxE;tckQCYlpwAq!q+PAi=r-!M=i<YLBo&f;n3vC5Uk$IR5
zzpv{F1$@TeULP)Oz@<MeqOX35pgUqwR~Q&4@t()L$+*2!I1o|8n#kH$Ul6`saQ9}M
zi|yj&TEeDyh5O)>?8@&6=%|NkW^`aV{+EzcxyNLVS|5k1a>OP?f^)uXDqqNXDd|#X
z<zQc%Yqr)p!r62Jw<dq>qQ%`=?Hx_>iLl7SWGy)sWx2H>*Sm0J{B8bBRrLEnrTCje
z^E{~%$dmhkI-Uq;pGJXzbdSKrsZyA~`MI#+rdwf(%gTI3k-kr(KOq!M#Dm$q{O1Yu
z1RX!_fJd>}Cmi7d977c8dD1QL5U$D4^6s+pRYSF9FcW9BL!ov`PPY5F5r1p~3d<J*
z@A~m1HyKt^|37QEqp)`$iOa!ZVXm-2su^Hfu>!u+y!U6_Fe8#gmws_I10!gSwsxJG
zKS_?c>FKI5kHcQ%0O@co`7P5sZ*IFHN$B>YH)o8FUHTZMMN|FBx?lDE1Mf8D*qV3j
zHx^L3w>TiaCz~~5ZbcB-c<Z9&j)@aToCy7`Blq|ajJ?d9>;Ls()WA~cx4R@h(wcxA
z7ULy3Plsju36}<z$UP#Us5AdOxjPBT9s^J#F$R3t%l=9g0mG9JttTPY(R_UWuRBH_
z+vR2eyc=o9Ato<potGTHKj;UVz|G#t4TbW0dW&uq(*n(OV1tZc+a63F^WAyC?$Nz-
z9bbiHmINQe25XKxTJZnxPBvc$WhQPEb8m+g3iq#A9VN}*JX0J+R8u4|<#YO+vHa9A
zEAgrQ|2!a2Zx6?!WTVbxaW;<$Jd`!^FQ7p#8Z8|^qtHaOelGX)%NNhT>t+VLxvQ?U
zu`yXNmQktFTk~nQP@3!V=R;bWq2C%6Iws#cob7iiTeN1X-IKa#kSnZ?L;CL=AKn8C
zb>-Ww2bP&kXu?O7rQP$9-+c<QwWLZf%%zljm`yaS{QO?gQx!hZw7tm{F)>5`v$;Oo
z%Gvd@5Xab~B^MOWW)fp+=pzm!@g=E=kxfF^7j3sC0$aec%LeirhtDe=rsnVNU_mb1
z)pyi~DoFDqQp4kO0>kA?Q%m1pUa+7&`DKv$*1-Al7q{jQWXquid=1-sYH1zVMAc_D
zuKw1)z-04CJ5StGoP=5OTv7J)>VCPL6&{=}egMHja))W*>atvT^+_i2`UAiT!AvtD
zPU~>#o9LX9teIBP8(>j+aGpP%Ga#rqEG9DSsiWaR>}rZ|i_P>$zE2i>6{@i5t2~yQ
z{l-;Y$=$(nu(E=&TO2w4SS$1B#m3kmWk1)|A|)1%`uaM*A~)C3DT}(0i-nJWek*RZ
zk#|X5$vEFz9P!34FE~i=@Lir;aX*l2`q$Q3B`1oGKo+5RZFD&^(<tzH#<1v!Qh+j3
zUAJ9Q-_xkDC1KcH>{dO{KjGvRR!jSO`}rNt-v;pWH#$m-x}QBIW2z*~Rm!8~Uk+wk
zBe%{|0!m%wjqM5z;o9<mr*iQt7BhN#k;{&SbFQ}=E7Lw^+0Lr940;ci1iYoX-T757
znJni*DqVWsX_+TSnL@)dqb+F-l}{!lcD}cGBNWZU&5MD(Q_N3pdP()liQ2;6(Pq&v
zB1g#erS{X!4O3r|9D`uzCH)Cu>?XA-a@h46v3>Ikk-t5kQf^pZNnI*z%Pw1E@C@}j
z!yv}+1ob@4SlFkop-iWxylR8su*#A4OoP;y8tNgEOF5QZ-`Shz^u27y9#QQXUj5UY
z%`!Z_)TumeR)G&FPDSdhi<V@M%-)sVf}Rm}%>m9p{LQX9sp_*<lQ99&^`k!W%W{ZB
zUP{-a=Q<x0tZrHvqDR!M^~E;Se)vRbt0qQ{r&$NMTd|jp>z%ddTbg`r#kRoY`LcQK
zg<qfBft<YNiwk<Gv>pQPFFEixbCTR!a;;A>PppNQ2g_6nSiU+EF4;<`$Iy^5+%9YH
zQAlTVLa&T}^RYw0S9jYj56ZRHfY)-F_^<3|@-~#vc0`hYtoU^upg12sIrLkj>m0H0
zAbk`uo7^;GHI<s<((Z4+bkNzad~~=^-;q9@znP_&d8|pvXSKt=`-Pd*5erIF8+%`&
zTj_il3yg)1qkp!h(wCGrPl0J_iwPAI?F0UGkeOs@e%+GIg#t#yWX!Fh#g)=UIt{YQ
zSEV*Rx~!)(JXppZeAQRh+w0&|sMFt-&_jw{Ur!#5%#0Uqv#pJPsd;yyUB8a0NI$2t
zk3dxN%+kC<avA-~KNJ=u?Tv9!Th(jCK*8#OY6nG&yXFdF;k?*P%vW>kZ@K+(<j=kj
zw^yZhy_V&veqJp&(_bDh7*;<X!P9dvi^Nubx&J{%?bMcP)>G6cGvb8iwYVQjjtS#-
zt8F*CU)22ayK190_gdK;@?5mxG6}sEHHS?#2=s*Hl1A*^o$X2;)Fw`K^F%xBThq-s
zkwfjjX=Qi0oyM+Ko4H@$wSb-g?MY&-u50!EYo8dNA=5_|1{K`QqB?_f4w988l+XME
z6}MCCpa(D#GgjmEKCt`*UxRD{Rc04u%wN<Wx%|_2;AU4(%hPDjf%pB_7uXp0HOz+}
zWiR{e6SQZ<u@+U~U9~ZkAUdGceBtNZ*Z2xz?M%6&N5&%8FN|f^v$T0CjEqdZeHbR;
zarm-X*%Pzk&QwNQFecZrJvqOx$0poPK}R9$uRjMI4A)Z`Y-hmRW0GJr_SAH5MQc*9
zJ~#7&ug|h_nWX&RBG89kuU%rs#b&>~3+w5h<j8}zK({Owcx*cV)C@M2^$#~<)8E_!
z=`z{df1mxqQ#=#*FLp?xp*O&#<E*pm(-E=ZeK;d6cx%^Y?wGVusHJ{?QwiP`g~g+4
z*PUW3u@}+(c=F{l*Z^_YO{x5R2#?W;!omlX5u`6sH&Cb<Cei?G+JT6d%-CF9-tWX+
z{B(w*>y$7q^81Q6;+X7WP&Q{XS!&z+p;Xp;Ech5*`gfmIJQo>R-9G<z#PRMAk^S3_
ziqGQVF;f5S5*+rS!uuY9{<kY&0;wgLDH)9e!rNX-+$jlj7T3H*{(J^Zsf^hBe3)1I
zeSe3h#NR6qKUn#mG^he5_)pM;`{7?JyAKb~9sMU*IS*4#4{MSs!h}-@nL>=i#HZLG
z?IXWtE<TlRGTG3T^|5eMFyvHV{QiNC3xB+R7<$SMR2bC;nKi7eRec3iPM9A)7n_I_
zNx7JM+$5$v>COysBsMK~y%cp~KRZ}I;>U9%jxs%nDUn@l>c&E7#Mg+Gsuh#0rO2#M
zh&5}w6X(q4Y`PbIc4DJaEK+&*3C5bGWk?Qvo*JXTW0S9}?It>Tmt?G(7RIwl7N)}a
znqo@Er|DkQd&SH)#a<eDlO&AkQ9HGH?%L5@hZipfI?Kg8CavZ5WBbcVa&&T!tQFVr
z8<B)=2^b!1a~>HvQsUOKP?9~}h(YS9INW^OK3*d#h;!Rutm`kYNvAu&Xw&w{>#n(s
z?6d07+^BhG+ME%_xbO;j;!#;N^`Nb0*tJ**>ehMtf}A(%2X%x59?ARjANGtPCkvwR
zqFL<}UmrI16fU!DTkj%tdt;|`g;hd%TU9A`O8J6qU&*OW3)2)w{hl9xyd3N%A{MXk
z>J#d<_MN#mwj`0&JNNu;Hxp@2-h=qGmD_5lNRpf*kZf47|3NJ>>}+{yKH8a!l_TlO
zK>>pcp0_>6)~Lu^rq_DRQdZBNUWWu!<8#zhhR%9WRdi45lOgIo;{_|s^oF-e%WHaq
zj$x~$>$-!<nc;7%{f(5N2<>a_qmal!gclJMz0N5rKpR-vvJaq^hJA-^Hj9}K<OuCg
zH!ZMxJ2v!AD{OyaQ?W}nWanBfWvd__|0(tD8BS5`NEZ$83P93|gCi+`bJ->Ml?3(K
zcHyHQY@>!6U1O^899K5tNOSz=R+>xN^UpgMkUIAEHbQ!#h6o$8GZ^Rk^TdjHTroa$
z77~Ysm`z%N2TM*K&&Y4x8l19<hQW&Ma%seFpG?E^T17vkq}uXwr5)6%SK=1u!89~X
ze%dtV#rJrC8{F%T)>E)dMJPkApxRiqDAHYjLq|x?7q&5BpeXv);vEN*tdaz!1YHwt
z{X*ujG(KHhx3;aMjB5vSn+9t8A1|cE^(%INZbH5c*Fd|Vwr!_Tv0*u7n-NjZ`IGO#
z+Gw>cta;pYcW_YGyIc8alW%`mjB4rhfFp6s>W^YY53$|o3cD<dz(3`Um^y>gw75S|
zSQPsprhpg>hR(qZV&b=5A1QHvg5T`KD!8-j#zBK`<3eE}G5Xit4rA3z?{NY>DB^44
z&W_|&T?l-!zaw$H>V?3GRqj)mv?NB7^Ot7B`@l+)(<hByjKCGBu@Bz;!^vi8LhMvy
zP%~5C_kOdZWkGTzua;7i{pa0?vGE>;96z1di<}!bJsCs{5=>&mEX~lX4f%QjqY@n*
zojU``Nm*I;NMvv65<(gs%#WS8jMGH$&A=Z4B^iLcS3lI((}T(-RGj+sIVr}R@9zd<
za6C_g?QuyXTL9#<rsfN+>B&h3dV0#l#-^s=z(C~YTCOI5_rrkAN5$2374TvSNzl7<
z<3`-OcXyzQWn+T@;$T429XfO<+X{XGWn`cpV3I<8bD;_$K;S^B@R=bn6tSiVL3Z;4
zum!=}16Of2)JYd$+9Z(A0AL-m$iS)u#czMkKtwr=znMJ6!jjMp?agxN_u1J{5lJ{J
zDQUz20CY!~QD_dm!S&43=5y2pYvbNK+p;Kn0X~IX7VSGRF#*%6$Y`-eaDy^;5g0ZE
zTm!5HadFZFZqO{=1K_d%CKqRCNz}%@WhSpM8K_+?qOQEW@a)In!bBUe#=Dh@;Gg_Y
zd4Yu*Yl?-@OsSz{2M$b5O=TJuvrDE6Hxugl1qVYZIW{8V>!v&!iepemb2e0#2Ao0T
zE3y26WIigq-2}#-Ex|4c%=0xab1wu8e^HU>`SXrY7lZ*xP(wT#a^>=6pnCZx&<ta7
zpMTQRrH0wSpMVVoM#csxDr*D95*HU2bWAy<IfY#Mv-da=h90Y_wUbYPA!KQ3siWgs
zI<RQGO-Z>8dHQ;&j`SdjePJ8w>J-z(fqvp>g0!-7Lw$Wf9#<Y;G)r4g642kogN?_@
z?L~Eho@quu1To(}irs7#)~f6XXwAz#GxHx3YeX!M#$16qNJ)viyZg7&PP6~ErkBYa
zp;FKgE|B;OWa;f&?&ZD{3CYP*GYmNwFJFF)42{Ag*-g;xs9Nkf_(bUD;4lYh5m*8k
z5ej$|H8nNBV!}s(gvG_h0V9TSIjYoU#t41~^ZA?&nZBr9y-Gn#n>>+Ag5{inv1Ciy
zn$Y>QJX}ZJ4c#?ZimJ`EMWEQi+?_HiNAWE}hxxajo=FVG1E{N@4$D{uC0r2O*zFDZ
z6XoUS*+>>z2(h!ve|gmdz`OXC0h&p|?fjWDS$TQR*wR-QhbYirPZvQomjg9BSPeZ9
zx#jK9)x?Q1fI*^*fU{5+AmU|*IqguDI|oH<b#-+E174(Dy<D-2q37WesHr6<%M<yW
z52;Knt<B*qj>yT$Oi6iW#>~vTUCeHLvRR&XSJC+<fPOi{-+Z%FL_`F7J)rJCH62W#
zm!Qk4@3`8YqS1N*hP(lrij;wI1#=N^81Kbzt*zNpddCcnjRkx`umQB9qzz<O&)&1L
zvep8mBFeWxclc@F_upB{-F<&z@6|aPnuw0_q8Y%z?6L~zK$1nbwYCxw6Pw;ep^V7S
zb2h(jm|JNQSq{5PQ24iqz_lRQN7NeY>Q(_813gtRlogsLp!6vhm3xhzkdP2o1t|VJ
zH)d;q*Sj5<UjogI3mxR5=#PxUawv!M11_}IKfx;*(O|?iQ+`_DuSLLVd)Noid~#7R
za2U#ja_Gb)m`QizhV%iD3YIeHFN1y<IOMMzKtw{<CMIsL0?BWBO-&6fK*C80prUE~
z{F#@JuWt0`&$Q0#{k}&4Atm=}gts`ul(`jgpjC&wrKdr63#n2@@|P|JSLc<^&K}4=
z`!7NZCWAoq&8`i_I*&j&4J?;v{2dXpWaj!$lccy~&;EA?u2CpA9uIGStD>y5=6@=$
z|6^l!+uFi)DXk~PRb!xJJ5UZCOtEW>GJQ@p598f>^vCGzEYx|C4_}%8eoa`CD8}m)
z<EO9_L&0KV{q12q9|RNgt_h@h&hoE2f%#G)KkbZTCxdIQQ~mP}U~{zy-E1svZS7HE
zPfK}u8(qn%{$=uKsvsVDKo>0XZ}rT2{f`%cwa1Ddyb;7l|FW=D@4(#enQ~BwiXU!X
z`OD<}eFK~u^3Mx)Y(M)xXz<#}Z0~*a-xvOGo;=Id{C;3mT*Z&V^W3(L**(+VyZ0y5
za9Lm6qQt@=uIupf&}6pf5>c_L?S)%d54PVQMo^vfSK3WZ<2)Uxr<^AReye@Jf%;p?
zQL##+_X8#9Z_^M(ps2YQ;bGk#xZ(}2dbs0VsCcuIINpbN5*snO9cT1nm!|ri4949Q
zduDLg>_oM@&Mr)ZJqdmLz^=Tb^i7cFE?;F#Nl4w<J1NHR@7Vkg4HsJ%F?}N{7s*BR
zrIyU?WM}~a46hE}|32(1!b=kGY}mcyj88ZZV)2;R7x^HT_1&+cIhS;2L3BtM)#$KQ
zd+b-^k$IgufP+}T<xKCM9{F<}9^M8Xb|qjf0L6k`$`W#N`6CZAb^<L);N2{lxY$L>
zWg)1kPX9UdtYa?21qigUSKvwE9{ulIz)cSSk3ZOwazk0>m8>VvVQ-`;cSSbi;&t!;
E2dS&=LjV8(

literal 0
HcmV?d00001

diff --git a/blueprints/apigee/apigee-x-foundations/diagram5.png b/blueprints/apigee/apigee-x-foundations/diagram5.png
new file mode 100644
index 0000000000000000000000000000000000000000..402a759bbe867906f0f0991108f351e8f71d4f88
GIT binary patch
literal 30537
zcmeGEXIxX=_5}))&_#-ZpcGLN5NRq+dISaOND-x4=pE@bQAAV}9;JsC6oQI?bm;;j
z(nD|3r1xG!xhtWF&pGG+etCcQ)AbW3JA1Fa)?9OrIp&z_g}SOd<q^gs1Ox<>3OBE7
z5D*Z4BOrh>lR?2JInwGp1O%=$3fHe`xfxCs`Rg!s$Bv4_yFD`vS0_aTk_(cO%uMT)
z1SDsR#dERIIoRvnR}qvXQOwq_C`p)nONXq#A*xC_qM{vz?}apPe)j&H%oeHA%4c`t
zVsYH^-Dr)ET1VtRZI~CF-{PhQ4+Q^Umv=7OlkEQ8??i*y{p$k(gcAQ3;>iDhKl-hu
zqa(dhR^U3@p^W^dT>D+Q_GoydySw|;dGNg9GpLGqZ?%3f3uN41SO^ISAT*fY_bLeq
z$XvY$o4^$zz6g5K-Lct2uE7F)-!S3EiJ%~ZG7=E*@tq_C{{ufFAh35RjW;JCI70x{
zWq$RGfS`<pND$l>0e&xjngI6IclzXC|Ai~;J?;z&g1aT(88UMR!N6Y;%II%*`xuj3
zC!E9xM{&ypmhKFSUB=IQ@W<<Kc}8yAo9jtxanMm8&91I44o*(O(e2p5!NJFmAAidu
zKm<Jg@fiH%YXtbs+pw^($VgEU5&34-B*zC29(Z{brlmDlW;aErr(Z7UQKfD9T2xe2
zQ&ZF3-R-o{-;XLN@VtNjaf-34Yq)Ca=g(`mt<vwHlal1+<SuxzP?6T1I(-^#byrW%
zv7qPu`}bMGVI#@O$xaT)t72mBLci$AOifK;swygO<ZC-SJ2y5qE-o$>FB1~*QC+12
z3rqxq1(dVq#Z##&DBRW6t*)tgA8eYr-jt}s!oqUm#EFj|KMIa+Z(%DdE9nZdPNuxP
zn3I|52!~4x3x_?42#fFU?dp10@gbC!meyNAWgR;hB)zh<M0euE@X!z@+Q?@;F)J$s
zx-nc6&d$!hwY8Ncod2V%OZTPqC$pUTSFeuhwvLQ&#3YcrWF#jCq&`XgIhzB<c7zP9
z8w~-3mkM4fJFoa!iT3j4%eRw5AFa&v6ij{A%e8G}rpM4#Pfkt>W~QgVf#%1@KSq8n
zD2RG;Ra&~FurPYNsj93@23gLh3W*5|lcTlG#ZI&)3zkyRIppadJ9f-EvbtJP(UBg*
z%gcNB?%k~8mae+)+S=MiMsbzmJSyI5?Xi)OReZz*U(M%oAA;2@J_4+$KG45uWuz|3
z!NFmEe!k_afq}s`L`A_S{mva2Cp-J}?5t-oQC3>Si^#~xCr_UI{{6tE2~LD0&Z>;6
zcQW8Xf%QrhjWRMa>T7H)g(9~{Mn*D1l~q)3J*TFo&a5B<_Q`N+yCeaa-`YiBd{-eV
z(=}A7XFddd4CO+>x7SB~eSP!t^2Wx@8^UF;ez4_21_cJ5mT-eXBqb$P6ucijlCeTr
zxcnkEaPji`C5=imDp3t*VPbmkCut;yA{P@C6Z3F$yQ!0&n_CG*^8HM;^6}X&_ooKS
zr&S9kxZcLrwzs!eRarT!)7pB^0Z`-K{HF>WUXtc2*-LowLJS)l8~4SFvC{D3ygUVg
z$%zRb`hfBQl%oX)v55H4Lwoy6A|kn;KfkI^4EFZ+cFOql>81A)W{`5sb9E*(BxGoG
zG_%o4(cXn#dm&jTZDC=dW0d$VteHq#DCH@ijKz%J=wy4E0Utwwn~n~H9@v%OU%xMc
z>e#lw{hGk#%Z*)KV&dXTqZ+43W4DAhsR#ODTU$%x&0tZ!34lu}qH!CJAn7sq36($C
z7HsyZtHE%vvA`Yx+vD+Q%#$kP2XW9L0TGc=riUa1h_o_M+<y3G0US{2PnDCGB_w`X
znr}*<Jc4+Hb0&B%GUZlAR=%V0YGC%vKSVjeEdG4Dnuz~!n|*Infzh%Z?F)Za;tK}y
zZ5;w^S<V*x8h;)5$leDA^QCw^fNh#{rMU?u1WOKX#;8xW`y<%#gYD`2ChAhzoVUfA
zINABf2;iu9JtD2#$zpy=IO*f_huq|!59jzT_J&8~bn^aMvEU{P5qNApH8877kM^$v
zPem*e9)9e;`|OvwxBH{F-wrv^r^l+XP17qKQ!{lzd~u82sp;CIW7T%2qk6Jx-DTHV
zh`zD@@v*U&WZaE3m|3I0_PrAK8gc2c)w%P&nz#0&b5ipOH?E#rKBSO2((cQ9Tir$C
z{?mnGCr=4+`I!tzL4#*@oAgM;&OcjGvP!D{0&^Pq?>DKS{nUR=amXq=&g~Nrc;Ujt
z5XUR^)^LAQ*VWI#cSVeMmJ^3v{De}f!e*TBcPDPrP~~>_w6y^T92p)iA|Oz1Dl8<F
zlA5}~FE={kVPS55DN=dcjO%(UeyR}kG?;!F)F*xx)du<Cs7}%8O=>Q5^=hCWOZ!5v
zS)K3+*0VepFM2EtRsHz!V`yloHCcy&p5EM4QL%b#?8D9j_~sz1#pChu@wac^uC2N4
zWYWEx053rJXRV)NGhFM}8PYkYHP5j!XX&Pd^Bd)KT2BrA{Q2|SH^gWN!X;12s1(E&
zK7;%rc$m!7*)w1J`_(}h!+S@ZMfrJ;yLbvy_i$tR;+EM0;Y@a)JZA57VHaytWOJ2D
zFD*?>OiXv@5{||m$Hc_M^z`(cI(14&NC@|$11v;m2>x2I`$l5XGiEU>LnO%!A0E~0
zY+;;|ry3l8nz5|VPIeL(Wo6N^u&B`b`}@xuGBPqsB#}Dl>2(iQ1{oE)4S)gC^<E=@
zesejx8(Dl=)K12K;h$D*sMDxPyV3T<R$QQ{aix;kabi-sAy3!3=&q%tU<?aJUS3{$
zd+q(KnU05t2k-|HNkoF;Pkq;h!;Mx}SGO9ppOlG{!3fsE_um{U_Da1YoCh`AdS_KC
zFVa9DP+C%`B*tlmc}o~L@RSRv7vH~s&$a8z7;kH96Cm8^@9zge4Qli~evS%C@Eyf4
z`<{QT*BL`(`d~yfu4+ZRKMDYg%2j6KQC4<u3+Jz{fd&q(Z5@`A)v-0k&a9C=v-C0H
zMt2x1nUk@6x`=$y<W`sD+Ku~l3e9Gx$-SMNLZYLYLC~b7m4$caw%>y7tPKX~6#go3
zZ5X69cUb^o1Ni92R<{su#mNY0MvloT!`z-ErJl!GnZ2oz#*sAEuVP6oqIT2Lba$Gf
ztTXlMR|D$X-v@qpWThM`l-rXt-`FEE%QKd~qi?SIDR-qooa-Z@&XUlSOTlcx)$<M`
zEJXdu_s+o1exRX2_Y3in6A6B$iS7)i!({5EW<We|rNwOh?k^xVD}P?Ts`OOnB~M68
ztM5t^1e>_oK+!@auI0^{rBz?(OW<|FDPBhXECB%=x2rrE<-lFY%<V5<gAo!S2!IFq
zGDyx=Kcxg75OGhO1d(2PFAls1z-hF&OQ%kb&D@o*%wl_A71n4S)$Kybm*-&`V=~K3
zjkIYHvySqg*>>mTUHsY_)@#gk$G$WA@nmCw!0Z_UBVutKzy8P2`$u$d90$*tOE}6F
zvXt05BYM?gHtuWqij-AGK6RZfGShj?u-7qdy5O_Rs(kaPC^vQ{(Lij~(It*H<kvL<
z#HEgY-%G@51`0TLj<~+>0bxe!XU`~?YU+TS+n>GUWyH8m1y%U>ob5YSjNg%Kegp)Y
zIFvbUv44-ZFc@4Gz&HTHDtv^hjIRg@3KG?~z6cBq?CCKOo^~lnD&pbe(@kmX<3CA;
zP1h#igYHe)zHjdc^rroAg;m1spSU=H23T2GiZU~4zka{#wYdh6&Sm>lRSEA6CxH7@
zGzE9&%BfphTTM(%fH|+!?OYrl9$r!>s^5~dv9ake^gDiZMF9%J3(kKI<hFx|13TW4
zck$^COhsAQ*vt%z22j%CH-M7w-aSDsjEy~4&DZC%tSl=l>+HOnV+@DGuU#tz`@^4_
z)e8c!jHQ*8l9CcYByhcg%FK+61%Ur_(hP5*?Ck8qLqY_Fg~gbu#H>6#kZqk^U5b+;
zk;)*lI)%;t*3;9=x->jnRYhK)P*G6<(8tWwl#^HtT>;n_P7b=#1rwh>eL^CU;87c-
zODTG}9fCGy85tR4BpBYLWK`yD9UTilN=iy=d*lqN66^A$O)c5L&=4K$BpwwNWs#np
zEu<@}um3BUQ*CTJ!x`F%(grb+o>Z-RKSUym=S0?2R8#=2+jhKQX4hA&;;bYI9<Rdr
z@eDvJ!otEI&T!qS{P6>L<*}i~(S~szBUlm|-E`Nf6nN>ruKfJ`rsn34`drPkeI;sl
zqvPV#B8y8()Y6p}Kc;XQy1KadY>abuF{+o03=iM>3E;lwpoaD+z`Gt}Vd`lOwYB>B
zPF1Fv+P80OU{ll5`tlqrt%apMS6-<$Er{6lZd$^c>rj&{tgJz=UL|0&3ksAN5{Abo
zt_TQNKyuD&U-gsf5y}^{^vL&h>K@YtIl_njab0uC&)e6?`lX#8UjoLoMtHnme=n-T
zjMh#xb#$za)G;A1@bJ8P{hIgUMO}S;oGpom|9*RMabtOMYVKKav6P~+uBox{Q&kN<
zEEM@@v62=3c}0dxc|hruN}Xbb!fREE)ukoOUBPQC`i6!x^MNoOEiH_RlA_`TRC804
zgb(Rcb<6g)wv4H50JeGxTsu|X%_SnxQP;y0PiTy*s;c&Wb@1&eL&#n&#?FZ6p9;Zh
z4d5~djFay;&xGj_lbn-6B1H=KAS%sH-R9X^wJn`ayw<1kA*xBix^XjCq6lROc0N)(
zz4kXWIx?U`mS}Hl%NG?J6O(w)0OTpv)ejuODv1aSUr^(^EZOUz|5A72=fJ@IhFQXm
zp`oXbg1yay?$u-ltU>e9=pT#hsPOP`i($HKC&DL$UADQJ7c^y?p>!CnQLQX%zhcDp
z+yG$#U%q8^Um8i49T9SX!W^G4S({$J{*)gz9@})KxOJmf6q8jx0E79TEd0R^uowe$
z7tj4eR6_BX+Q&~_{6}SFZcdKI75Wn=Zq+m~e`;Nw?OR=52Akp5HI3OOFI~ilW=nl-
zEeH#CmX<HYx_4*-Lqh2KJiI2Qc~RqjY9`9ril<a+NQnfq`75|%l*}rA{AlvZe*-KS
zq)&a`t1QG$AWs21_SY}wt?WBIP68J%Ui@I2W?1y;JPKq3@7}%R;NX~;oLmH9)QD=}
zLu#te{BL5tlum23Rg%b2C$;gw=4?!!Q<306i7G)E6;amJ&1tTyI{RLa2Ge&0B%+Z@
z&Q}EmhnVaWCqPnwe!k=;tt)?7g)1*Ty_9cZpxpo2vuEvTMw&TI6<o>|9L@k^*l{VW
zuB>=*_x1LghQGURYIGvEq@+RWorsv2qSd`Vl)Sc>sA$z~8SYg#Y44luH%B$9Jqtx%
z(4!H7U?+S}iW0nZ36|^b;Ltd@mBpIvsiZ_vF$2I)hj#M=>x5sVt)hCpgGG`6!vi2=
z{pDA9R~CFJC9Hm8W(Mu~y_hkmO_^bS=lOYp0Wy%X;KBMHEYEr9acvyHK7~4v3@JTk
za?4?U`SRt3vE)ymyeiG$vLvLW@87+HjzWtLMY8<~`QoVk{1vGsNWgDTN;mN^`Ilb?
zUPM&XeI!?i;u3C-^hrlavtHsNV86mCxuew7xzEDTXuuj=Azu@@P4F$3n8^!-<d59s
zV6v}}oJZWB^Ddwz_(p(|fko_M0D_wk2xS@cDA9$dMrWyVD}O(|lpq$$^31pWE4c68
zw>}I|*61Um4sKy8wq&xi<US3zq`^b&bCL+opsw9PAlmA4gf3Z~Ir@6(7loJD6Lp+#
z6hHk9e{1W?tV|Q~T1GNiHpx|JT;R2PU(|3h_RAoInFe!)=Uct@*=W)u5Xxl@1=#yN
zzp9A)E#ghT_1rOxI{z_@*b@Z3zrYy?NL2{fN<Y#N3AQK^Wd#Dp<R2)M@hS01GIg>f
z85(eHD3PGyAc&QOXNZXe$tbQGkZlfV0gh%O@hyS`d>&BV84E=qNbW<Ry5eN!9{|8$
z!3A0t>VEvEIS;$8!DNfHj$=+v1rvew+zzZ9SYZ~I@ON>$mWZH=C6CwQt^Y>Z7<q5>
z6HPs#AL5zE$MdN56ew^X0p;!*8j@*9!nm<H83hQ71g%Wx=}tls`TnSHo&9mAFoR5_
zCTV(~bj8pv(!_C|=xH`hr_TQM{D`p7!6@4)cWJo!!)97Ne>;CpIUU#J?);w{_1jf3
zgMIZ~QlGq<Rf7mrh|*{*k3mw{z!Y93Jf1~O;q$JX0%Ri-zw_6pST52aG|z4#P8;?X
zpLWMOuNHKzoJL0Uijx~Y<2P8jt6(zcWl(tBp<E;;GD<DJ7Hy=}Lf0<bRP{AM>xg;v
z@MP{gDQlneY_>OA3#ZWqtPTPiQ@lhHD)_lhw0{o5+&NS{U+TxB=JhawIe*-<>iOKX
z+Z!v<ANf5w7|frHsGFNgRK+Y&RToDYDb@abrB*j~G6o&26=`u-bXBv7;-Zyj61_L1
zN9u}#z&KA|Ki}QfuDf@%862fA=YDu47RnJ@^a-`T=%16suhgkHX57AJ?J#YXe<c5E
zz*<u~FS!Nvg(qgzwNo68CUN1ni!P+0gJqTUxFUmSn^>u8Q!xtp_Z?nvsTtC3Elr;2
z({_bNychan;bC_v-T9{LKdB*g@d@Z|IqrlKYbt}m?g8??ig=fOt5E`G2P}@El|(R!
z;<0q}kpWUcb`C4`xR&p(gTeGcELy><Z=1tZ^^fJgle_KmA<E*(?}&Ffg&$wjqk3(o
z+#8_C1;HyEE-T-f7JOb+cjxB3nkxJh7FeNHFYYkk@;OWRrD^rj$o74ge)%R}`Iv_S
zEp1xmS*p6|gkpC$_o(VvdcIT}o=+Ah4SEuj(Qnc9Xgajg4Y|I=D8Za!_@awo%I3s!
zR95ZUkJ7}No!@Yy)V`O<PLW0?f_%1`URN?6)ObeY>hE!nk7b>nBo}1aA(S|z;-4vb
z111Z0%?%=_u>n%22XdyX-z8Mkmo;8#oYMSqTd>4rblZdXiLNl;Wxp7&g?Ar@doHl^
zFrDyO`BcV$5xjOniCdwj`o-5%3X}2U`GHbL%yWFIZH0@KOq97JvF3>Z(q0?U^tKaB
z?+~W4jg$t24NA%8@1~q7VrrhHj$gd9R?pfs)+KH2Q@F`5joGMz7dyG%vlZgw3hj~E
zk-d6T*G$`r)8LqRnD2H|t9S7|7sH3MXX@e+=nJbQWSh^<p`3{T)-<d1MLYwWHh^pl
zQ%-HJsC>~>cq=16wk&)i@5`q^RX*m<wCnnD9a8zuoX>b+d7WGL`8EtUJGxHC)N=E!
z5<AskFDnl9FUQei_%B-CL2I5OB^BhYdX{dnMTfDGWxaq7FCki5>Lq9LH&vZsmhXA}
zu(`yrU<N+zB>r)G{51qC7{7CtSvkMycbA;7O1qLs?T-G3TkMd!Q&WVxc;_;I26Yx}
z#&=zaA9%<1k`<FlI`T8(PIYI~Gm$rquHte@NiNbo&+|1`^8FsIYa29YtS0k5I->MJ
zX!ZvuZ_L+@_}Y-J62pKwV!>A76#wd|+uG{42K9C<AO@{n?);*!!*+%zvhxFr5eOfV
z5_$*jm#Hz;YYy8=x}qlp{I=g0GVsJ$WZ!L|P%_H>lGbzcCj4eh%<8A#am84veyS#w
z<xp>XSaVEbE@?$}+IZLaN`rS6i9WOCEd`jPF0na|G8$EQu{+O}gp3!SW|oeU3g)>@
znX^V(PcR`n#EczHS5!hO2pyBB&fgHowwvs~%9}UE5;+s8j|%?$f-@%wIIm7GU4_aq
zI^J2mbxae7c<)1dhhT3pdtl_=oy34|lgcTU&dHJ2sguk0wqnxl@({Qrv&e;(Zs-$B
z2=%Niq3uA9zci;}(nT}1b%=LJ7c_|!4HZ~&q|~{Vm=CjYi$f?dj7Y5ico>h*Ba&!h
zp_hoZV<65&LqGz09VTmV9j5d|^Q;+3mM)j}Y*K=>`z<FCsTc1=-5%TVop9IJuyiR+
z9`l^1t1G4Ww#Wt5m8ZdIz;-uDHds(Hf^GYYLs6tl8LrPgoSfU?38F+zLPxw*gj&FY
zzsASML)VYX^iwCv7!wITRRpmEhKq1lyEWM%l3%|zb}UM{NoArkZr2Pvm>p>cgZAd+
z?#oiMW(^fCtm02TXVvZ5Q9aHdvwUHe7|Yn$zYM#N^Fqfk@u1|ee0<N_i=SqPY|V`?
z8l@SSv7RE&u^E${QyvC(iY>M__m~}Ow>qZ8$+v-ZaeMdBX=1#l>9ZMeO>e_pO*PGG
zGX^?RFDFJzItZonF$jytUZ^ztLXBT=vr0!(7_bAM?Fa7{EQQG=bBg2U&x=S2`I=_L
zJu>NI7R<<?1rD0;^6<6#%o%FOfVgPjVJkS!Yp#J!S5^DVOKg4Y?zOr2M_IxvST${4
z7WZBwmqdhVQT>CiohYeMYMZ<pCJ-xxE^cYGm@v3haS?VF6>oTv+*~!8fEQ%U0}@;f
zN5_!4J$~BGEtMcvgclh})1C4T&v!Am5cqw&Wg*<iQ_*AY!|+x|#%lL+6xN>`*{9*y
ztgxYUS6{37Td}NQL4WJyj4MRvnuTh%3N3Kj&%$!TiXe4zC=hro{D95Ubwa|Q^eN(;
zVK#)4uB@}44UA&n!@z#mA_9xU)zxol_OvZGr|J9<p}K(b=2eO;*knhg8J1N2c;$FR
z=>ke1WAXP}4T0Dp4Hr!~r>SvM;@J5*9?zcR_9x;>PVU^MOW9QY<=uyj3)LD4*S__<
zfwilb|FfnZss0fk?%maW+mA;k?7OztPrCH8x;{nxvR1>;do$vYGCGX)1!R6$q5#&D
zlP}hr%iHDJW#Xmg@I+@8@0wof9pEdjI4*WJyo+@?<J`7b_H@aASjA>4VU~u9LuKdD
za@W*jlTPgPjpDwyetp+>-*?ZhiFV=EAdaocqFaM(eNM>ulpU<1HXC#O*Q*4?_CQh`
zc*_U0Zv(8DfKPPN?8ChNATAi!6%O^Vwh2-lIT2pTp6CLPVAB8f)m?m}Gx=q~yuwx{
zcd1T`K;B#ud{e$})q{j+DPz@4=l#r&VGz?xQhWzXtq^561o4T|T$KR|zk1@yE`EB9
zL$Lr*ZX#kk#FnV<&Yopvn*Vr8Fix>cBzRkO+K17ghsCg0)jOm|@^Z-(%e$Ev-RMq{
z^okCJ74cM~&=gL$F3yxsaMQ?4k_#Nb0iT14EuA^Eu9fA~WB0a#9<SsM_n6mieaCW*
zpXzik?aPETWbQ>25L<9iPSn>MMuFSD;-`UqyyiUY&G%sH|MHXa06AWVP2$pkdIS-a
z5%;F&Q0#{RYa(Lbvmym(2>xKxA6ELnXK)=vj}fP{ICzCasESa=n>eP$%=6_z^uvwy
z#h$}sq27OzEcgotbVrV^K=2!C%8dp?1GfAv8`#6ca8)z~ngt4y{)-7(Co#z!qxqdj
zD7lE8=9EA5XgAOL1fC}OAdGq}bCt>K0BKhY9KCsgeC$N#BqqbrxaZlk5U7|N$0kQ=
z<a8<jg`d0L_5e^TT~mOiA(=}}2q@X0y0Md{R&x|bt^inNc7|ZBd>6p~<wdh3j$xP&
zVAmc5-*=-phh9SqsoVEldkI12Ah?bQ|I0mB2~r405-g5F|84IgL1z9O5ylBczTXeV
z|9$z~&!I$tJ)&spNmviLTSBlNyT1o-a6I}5ZcMw23+jXiHy$}kMDWLq=NZF6&hXdw
z|7{%^=^;ghqM7iFV-h>e`JP$%8InvAI}!o-(X##9a^Fj$sFj(5G6kx_+4*~eR*3j%
z&Mcc4JT#fxY}W6NQLDMxi_JRi6;|9ti8b#vZl=wY<z-2;crfe6E5zpR2<LKJcjN|(
zKxQ5YaMOQU`7}hu!gIMRH1YK~wSezs*V&_i%Ow1?UpA)}+`uDht2`w{MVKXwTxTmP
zGfGElD^FQaYrNH@?bwW`_FnhPE3JvsJBC@f4s-n9e!WBiW>n(vT1BTlJQ&N#r1t2F
zW^-^8E4nE!3ahkA`}_FY88c&atBCe3$x*2Wv|j;fuZHiBo)Rp&=&|a^@Tjr0_w`dq
z<Qp&Z&IjBQmu#;0yfAK#DdNpKo=<jSVx;tV%JfgqpVt+2&#8R>QGqeh6KC}2+!&;t
zZM5XJQnK)I*Pbu`?38~d&+)5_6*@mL08^HAJZB`kXT7pBQn0bB^CzFS*2V)b4|~h|
zA@uL9ytdFIi+L=s!TtHSWMf{ZID<j~Vb8Om5fxp|9xfwTun3#o+DzFx1B6$NNKpR2
zMv^F^B{k`-o5y~2XebR_&0UC3O@C{0VJmSd;iO5WwYpxoP7xBx8b9+(+_1nw;0d1+
zMDayoh9tKCmhLRpMfcT&i-*Ij6faW?iRo)cRIK6pfrZ`y^t~NMg)A(2#ksHw<;9OL
z#?Py4Zq}&j^`1euHs!UX(G{?ol2E*iO^5Mw!4-0oGSimbOEtwh+d8j{yh?Soc!<0x
zAvPkMBEcpQ%6DV*$FCyUX;rudME69GOg<#bG+(TG=H-Nrybl}37zX3ysBE_M=4{9#
zGskU{e><}|N<y(k2NH^5PSGIS8$GXz7#umpJ{5k7c;x=TW$dST@g&9AN596FSH?Nd
zk{V(Qna0rwQ-4c|`g-OVkIH(+xYNcD%LV7lsdr>1&vP~V5{mua7`<g*t?%+Sq1MJn
zPYu$uIO7;z!a7}5<*BcK+kWeZkS=+}d?tgMQP@!PhQHKOkz1rZg|Vs05HOobMR<fF
z!}<(%wnIomteJ^$0=xFz(@A`skJ*6`$v5LkZNGg3?@53|bR>ZyK!&&HYTRBc0UzsU
zcN{ZC6PV)5ex$DFz4j-Ki#kZKO&#ua{p7Emp0bG#R<T(wMt~(q_-ShOyZ|1)u#^lb
z`YKfsh`G}h5g3?PXWFE_CKE|{lhvDiENG<8>X=Taj*EoHCIT4&%}*|Qtty<;5~fYx
zE~4FNB<613*(GlHkXvG5#Cd31FNNiG$U;lo)Jn4$7p7CFX~F3(((q1{v3#gK6gkt_
zHB&e{Bzj<Rb-S2z56b<6BP;4xmY7JE-mFHve!CFf66pHw{i8TDP5D4I>iRTQ^*fsM
znywpABt2is1x4jRwYr-=^H+jYeS}b4dLM&2=f4wIG+4Ncg(D+Wd)1!54^TJ6k_vWq
z=rXv@^0hAF_YbdfVpMpXZ0=)^@F!PS43$-T2f++``?3^!UaRvSUyyG0Bv72I3FlAW
zw3)R<TPD?TB%a4?PW|H1HS6-F%MWszS$vY@G|khtMTlex`K`COzk@(x`p3fp$%DKn
zEN-Ofhah%F)Us{3?v$biNcJ)&9T)Fec-x&_%h(2!h*fNdyT5#x|B|p-r<m0PJD6c-
z9l=tTo-Z)EbHj~WFHT8p?MbQ6w&7?>-)-lit*`O3B<dI7%dpY<-Z12|m;LLbxBrj$
zu>kEF-JH1o;L+yR)2~^iTu`IYLU_iT$k6yNuD;7Gge;6AD-5iXKK)pqu`e|Hj^K4n
zvdmR#y1hu8bp!*&ElltgB1npX<(U2Y?W>BTbDu`ph_aM-L!LUBnQzdccn*2-h0Oed
z_Wr>BMv1r#Wj|K_f3b8Q6YcsYJp9>3)41^8cM(M$w7QzBcJHbpj*GjvI@ow^j{C_A
z#K?05m1Gj}(#y_lJIOWk9$)qMOs0-=wAOd;9>x#g2GXZ}e)S2K+b=o7Nb8<fZ+(T+
zZN9v>3mB&KPn5Z%R4K+NGuhWVDdG`Jsyu7tIiGn@f8Z6!c8Id%j$t1B0T?C$2q}MD
zwsZ6*4(;i_Co{i%470n+)$|Z=s%x-a8jA4-Ea0OsN|X@tjaAhTfLZJ8J#zE!@AoOr
z>f1^%LR{r>z*_AXfPE>qh_WJfBYwsWSe)!1P}Ft-s;j)a;W{nJ&Fk;6?iy(zNH>pR
z_MV&Ws7*HdSOzAGyW~%Xc5vrCZUA83&U2^+fK+jOBn}zv-aYF)9^CIeS%d5@tYnfU
z`J*-S*lBX90I!Jot8Qo+9flR;ME6gTG;w;gNJs7XJbQkAuAPTVn^d~!psb_Ni8OIN
ztZTd46P-tIZosVQAiU@<fNt@S>l{6%Kt5S^(0iz?%XluY)E2I9*c(kAOU?g87s{CC
z0A?bQ28lpF@{WjYZN3~48mXzFb*%7Pc5=I~SuBT%gMoAA>`(`0DkbU`9cEd`&bH@y
zLNMDb`kh_hv@P6d<&)Te&vD-7-X<mnroK+$f8ti(+A7S6@n?{kzdnbm0AMGYj|h+i
z*LhG$^m1u8^m)19>*qNIKy+Ppn!B>CT1!<lZArB^pgjoBh(xHW)SsNf!f3mb<y(qt
zGP_%cDY3n!gD;zOk!!=FMvk!(0VUyUsb(RnVf5O!Lt8Z$G-%<)EnN<!i@!Y`$n6YW
zl>_;{|9bJd&>3qmds0vIgyW+Jj8V2$GidhljF5V3RU2(ugXklkCO+YH?*D8*w|zF7
zb8XiQ&!J?4>|vZq9ACz#l7c*XvzxD**(qIX%mh$QaI3NKZnOG)#?TENqsgV;9a9Ty
z*v8YylCM$#8@((1<TiQl1ulG19d&I?B&qcDO(SNMC0Y{QrRHeCTzeFsc6fhgr}g{K
zvf|aXmkHmskP%V(@6FLK;M?1A79Kv9Th*afEd{Rc2fOq<xE$G1dph*DZ!%bau;{#t
zy{;fBQ2a})Z)9@Ny98kv+wC4P9}%V>*`3F7A|^DlxlgDzY<)SLyEOO6m0dG^0roK?
zp~tBGu&NVXjJ1#6&QfRadh3gb0@pD+h4q@kO=d+ivCiI}U#)#|my0~JJh&%Dehv{N
zx=a<F%y(;vxj8Xal{b*wp31D7^CXRo5ypF%%X`X!S}l6mkfLI6+4Vtk^@J~Bmn)gP
zhD>!!$2nrb8<%1VS;KE?v$#*X$mx!}_wN+3`}HoAh;*qzdP`>Xt#fOgCliP8jzPm%
z`O@c>p`*y{@ya+tTk0i{x#4zTHe@$egxJH3@|POuN_Q6c!<qCZ%~fTZwtkIvw$uS+
zjO?0t_s}+NmKU?BGYm?GGfY#cPdM!1>T2Q{21T-LJBSE-G>dakzD^25jQoi=f{?8#
z3kY_sccRSjdp45*>+R!%!K+))jfqgQ9OI?w0$_R&hzh579MyUJi;-sLe6o17w5TrP
zF8Q0pz(Q+?C7(~&zwMdq)y;#=M{;Dqdd`m!`5NZBR0u$sGHpv8fGtzOep)~1zFQS6
z%9l`&ZO5y=w9X;9Xs!EA8U<pcFK%Y{4Fz^i5Ta5P6%wI1fW0J{e5u6Pb2{Q>UTS`%
zY6fC^reM}WDl+7sj9DA~9R#rHz<}3D0nK?ej^dImzT~UH=*sYpYG1<q605cP>4*)a
z$PHo>r)$XOZqb_-+xa=ejpf##*8BC`_WT70K6h(8iSZBPRUC*+oJZ$uEct)LW8^q~
z8)coA5aUtPBG&2n>np@dz4KjlKbZ*24YKUP60iXlg3P>p*I(m&35VH_a6LxxO8=3L
zs*3TtHgsy|3vFTla}f#ZrU1v*75fC%Cw8G<d`zzxX`e237@JvHEgr8M4w}MP!atVu
z6_1}9JGJa>!NNNWCq$_oM25Xu$^%G|^Ox^ZbT>65)oQ64ulL=P2R6JNU(aTDM<lyd
zyFFY}Zne<Ls5kn4&1dU|+if8&Lbo$)(V0?6kxr9UHQ_xA-XkZ0%Pq$xez*X0kXaw2
z7!xq*``Or`!Q_sm$CgpL-EaNFSK<<FoR{SQIq1zJ=8v2vSWK2iq$bwi?FX%0Mqxj+
zu<@hL8vnl(LGZ|DFO=?07=TH7yob5i{ZM<rEoJ<Vm%~NVW0+AI9AS*(Pb{g&9v7FQ
z(e&@TdM?v=g>Qk_i*qhzkRHjooV>)UZ!VNs#C=xUO^i=;tj>>%(s-r$f_q1oN}-4k
z-J~-z?;B^><CCm0RK+#hyHR47>Le#!>S)1!b3R3p?_0X68~OwO98Kyw>-<F*ifq2P
z%Q&e4R`NP*5dZ)U8yKOVz3>{@SThV3M-CP9!c`Yf{evf{S&6dF?;(Z_K^lzN69kpf
zK6#D%?hwtgWN`-7aGvP!90~4SvRmM~28$zsZYYD=>0z=3H-zJOniz;#rD%zq)^G*b
zUA_hXdpzIb%}6#TKz{8oWWvS&5nn`D!XL`z;Htli3sPj}3J0JFf6X<RKmQ*TfxFB3
zJ>msFL>kNh#U8h^_k;uPMT(MWDe~zV)B*j{(bA!n_PV&Y7`GTO{B%0z)8L7xC5w}6
zs2EkV{?B&upf3D}S?j7GbNYi0!NmW=f}!`vmggsbXpe2R^lTlCxZ{|o?=#xf!=hRL
zUChcja=DSIdkwjmoJN`3?LAx_3PhLR1PYavm4R4^q<+ig462;rz&IEnEW6MV7lVr-
zIO$$&Z0tY(&@eHH3k%b`t#Ex#NdYotAhBw@NjWB)ne;nmYgDGjwV`%rsdjTqpeFl)
z(m0}gVh&?<Z#GywzHK8{0bP>sx}dYFwjG4!+!5{3YMHbrEs_G_pm9iTRn>h?5fKrf
zjqvdF%+1XmADW-P9Fy=OIG7fhmz|xRk@35re{SxQmCL6&AYpE7yyZG~!v5du`N4o_
zZ(0B)xQhv!L{LD74FpT(We?J?U%&n(Qb0h!(J@ZsOo%I;7ic2TGwjF<2nfi!B(6XK
zbmooBE@92%2{Z|Xrkq0Ogir-$G15a(b|H6qUv-=1>Kh2u7qqsqQt(t1tt=Dj=w~nY
zu}5$IV>ce{5}1<z(qn2zs&k1|LuHm88dUkSzTVKlpa{NG41^`YYH?C^)zu!@6<*1R
z77P$hrG5UK)jfUd)-9mLx^d$MkglOCj!;m5F<Dtz#YwoA@o8&n$~rDAE)upia1uf4
zEKcn1Urta$w>(&)J;OBWL(EK0Dk&(;SEN@mIRXKUmKzYn-A-P{&X(|BxDXK+7xemd
zqGNbim^q|+vanD>EHXA$by(iuj;^la<(QC=>yZ(Wk)1s~(|YljGzd3t1xzcxNqpF4
zkzNqPm)klM+3mvKrdI;D&0G4l(Eb9=#NL)om|J&k)FY5L_S0(M&h(6elV1g#og;W0
z^dJb%1GUvl)1cKxy*qbMFM!1K*)tM)43N=J4LrKatkonOH4XX=nhjG83S8{%?H5N>
zTo$TBxwj{!_xG^Cna7A{T{mE)CFde=grK<s0I+=s4xlC0(A4B2;tJpzImgC!xAxZ1
zEf~;{`SXT_hGu7GY8o1<ivEOpJbcK;#^xK--P<cADhi6h6jW4Hy(RFS2Awl6TM)&X
z7Oy{M%y@4s()P|Qz2Xty>60HRc_qFMzfu<<ZrdI%VDVu3+p@?D^iG(`0<W67U|+Gf
zxQIx2ufP|PlK|XIPbcQm^PqsxxAPc34^CKg?%cWjk}vuBiUQu8+AI~14}9J9C(5zl
z;9yC9R%xH35o%b%fMM4`zAQp8^%>pM+XCeIU+pGmoy0mnnX}fm)uMu}A;DFG($Z>h
zZw4JIsP0=!!aWN9c`=}43zfCyX@O)>CsiMGX5_gqnr1UhNPA?<$;)T5gSHnSZ34YD
zpgVxV++#~aeB*X&Umtw7SJI_3Cr7x?>wW@>lXa+2ep!a+W;bo@Hc*NNCg*J5n5x=2
z?!90)s6vgjrpMZidJuMP+5J|5S8sVmKcjwW+D9TFDG9n2Vxal&-}|0E=V5hiR`3q2
z`AW#oEZ&&N$ar$yh>WPymL5anuSsn#+V$jvoqHq5#mp>eXX9_rj+>CthB%`VpO}@v
zEG3lWg=ungQ(0L;n@$T>1+#QGDuG4T#l-~(8G&+|?cBMJI{`t`+w(y{v}o<&=(zaf
zHIv}Af~Rpl8(iBI;AI6fb8^B`{o0hdEi5e;j9wh4!My#G_4FZpR;EsQ)&Z?0rY5@g
zL^H)=e?NkQgoI?15Glrg<x0lauMud_UxBr(zLwcpSW*%PED6XCDVl4+zP)9GH3~Qh
z_Jm2$RuWWc>v{S3wtfT9=z0pZl_*H8&)yv|GSc0iWNYqAjJOgt{W-o)*!6b6H2<J-
zr;TtQ<5-<^k@j3nG!psFQw5?zeM?uD(MCeDcd&w#l+@zMHV{HJElkZP$VUk$wEUX#
zjbdVA%DRy_A~oGDp~?mdV1ING(?^J$<mE}D&_gP!s%Vx0*FNt`l2;b2?&}LC$mXuD
zYN_Sl^FFe)SlBD-BV(-a%{Sf?pv$Fm9xi2`BqMGij8L&c2M`_g1c6%jEy%dv+rgSC
z3PJlxZ>I(%Ej87nkiUVH`n0jBX%oe-0sA$Pb43B@mPI%J<W6~Nt~K-f`8-9vlD)Sq
zKf(Gw2?7tv*=CSilOm#&ViO#=OxV7~I0;uslFH$q&KHr&M+@tpdc9JjCZs6~7tAwq
z>fH9u7~g3SwquT-ht9K<4Fq*hr+)Z=@=wjnTL&#rkWotrgryiq4B*h4dI3NjD=4iW
zeBl92E+7ikCHzPf<>KPX(lc>1Ps21fm!nV7VeEPf<JVT~3G;ysxNsH+1Fd|iyzkr|
zFj%4-TYS}m$mx)rrH{Tf+-78`n@V?gN4RroQmLjlsgLTKW1eI{LF&$%hucx-n;ZPX
zO4KfI!Gr1slS{Dg#?r0`3NEz{AlBE{o0^)!!suPT)#jc9?)b2dBHo1<nxBwh?BS80
zmd4M)@oWn_*wmx}%y)URoy)!RKE`$C*SvR-#U(mSNZE@QFYtX)TU)DrM)PG-W|~@B
zEx&$E&7T&ilS)lkxjB|v-}^1jkf{GjV{7y2wX#d}PNamhnTl7bkA-GbjaWoEZN^d8
z!B3fOxXyD@N7-zPx*NMxw(IV+M+BEV-`ZryXmtl>PKYi6pz#;MgEJow4>9ZzW@sp3
z=PvLeetv!+^0*ZAXng~HZ`-3A<xme-*VS+%pLiZA8>0Ne!ot+l`oXRIyZJw!KYxy}
zlAwJBK*}_kAf5|62C#=1bo!C!?Nw=b-{Ou>!;;Rb^3F){xX<g>9g0g-Dl<{+ZEzOH
z1y`;(>Rz|bhq*pA>4SEJdoXd`>=-E9rNUrXs)2hz6P`hR^zw%nKtX)u$Pup+Wlwwi
zek|gcFR`GCppX!Vk}>p{^73*pfyKeV49LbD&*5<wc>n^PQmPZA{15Q#y_;h|{J&Kx
z*j#s9sTDO?B6(#;Hq6~^J=ZQZQ&b|RxgHqg&cKU2?`j35?K}6l#&hFxubJbKV;Ior
zS?YMgx~+3S4;_f2Dr#y#&uduX(=+ZgGc#jY<PnN=b8-@tl8R*+A1G(QSby$fz~D5j
z-ZkU6PQ9q;Xq+G#r17oGlW8RxY8+go5MG4?oyK`%2nz$lD0b%tzwAnCs9~d`Pia)I
zQs!(!<4q9w`#(3oVZ?;avh2K=$ZHWR85GO;s>jI;|CzHnsJYmjn=^3@`(DIFaa39|
z`zWvXc4FxIbi>0|=@ZEDgdIh%zHNnWxt(=08HP;`Qdz*=9pKCl2H6lv;OPnrnJ+b4
zW*2*7!&YJd^vJ3(6Ifkc1&xA6MII*#`%*rBocFFawXzDB=Fz!*yF;h^3OxgZWN+H{
zcM*JCT=7J!J0}DI#mA20`|y0;O>-#H&;+arz?7$F(_AuH-=HIxntayg&SFQRV`5l5
zZn3hmW(F{yKCK~``Pi(B>?kE=W7YJuP0%VE&ILL>a&`_itifS}0Df{03Kj1A{FZIu
znVFeW0bJ&qu-UNApr_o|EMa{Y(zn~?M_egXyB_5A#L`ZVKHK)^S?oLSE%keSRzn$H
zeVLk9jHUMyx&-v1z^jGKvNzYQrk*qK8=hxpA08P25t7vF-9~b4ZS9vjQ$0PV?&Fpq
z<v8qML1dZ(<rM|MIg+cu09*oH3+TkeTWcEa#a`=g(H~95Re1b_5~t_p?B(RZ4du18
zLaL14T?q^bu(GpDDgn-$4ns~(9^wt8><Jv`)gS5U=~J$28X6j7#>&dIEiH6K!^Q9&
zshEVwkoKh<iF4=P<>iTrispf^GqSnVtVT#k_*i6yE`el;)sd%f^e&aEk7rrtGh62D
z9p`uBMwQX(del6dw;QH@O|z}8Ht@U|F4>}@^MxWQYoqE$tlCrE3;W7S>mSfAk@4{I
zg3gG>hc{=%K+_Pek3fY?{QR@t^xB4o=E3IH)*CyTV|B`QcKl4fC|7>ak07;}F0+^2
zh@S>~lMgDkcA^wiOs~WIV}Y7g=#<Ijt?9|h<dl?UH)((M+qdOt0k#2t<n(OA6ZIjm
zVL-2d#+_#6uxG%Y>D=isQ%t;E-?@%(z3JrVZY09O>|I@5y}c!ujZ{^sQl830E4~Rc
zmcFl&{DAetJ%4Ae>y|Jh58L%}+Qq51IBH8N!Ggsu8@TiAklkD5zTwC|ueD7k?xW$|
z0>u*>nyJHvb+bOftqhnYs;9j&Zksb_qP{v$(o6O)UBxJPJRNVWX=soJoxUQMfPI1f
zq9q^SZ3c`UgU5RrKwrAcTvieFS)J(ty~P_P{aA}nX~&=ZElN-?ARFt~Ap$l118D+~
zf}jxvUh7w|F^!--Grwo1A2BmK3*TIu$6(ZTb-SjftX*7kb}o|?KSTjQZ*j^9)@-!$
z@qwb*#R@c<W5v^xs4jjo(Rj%X?(|{{@pGMgOrAHVL{*TzRZnNt;5K%YRn5Ka{!Ynh
z<c@q!-a^sf?T^EzAN?3NFhjzfzXYOEzl%-A#Uicz;j6Eg=`c(6PtQf1)^=%8w1;IL
z8wTC4QFU?-n;XkkV&fF%E^kjKgJ#|!*I&r(63h;T$H{R?a>-Z)1qGwjY3~1s5$908
zM#q%@REmKYVU_awnw9k(?da$T78e+Oz{{5sy>Z8ljot>w#Ytbi>IV91-$)7w$ePsp
zOg}#oG{Sv!3`ETD->(<+fYy)(pDwX8D6R{ka5q&;SkULI{G)o?AOe?DI6C<)gUk_L
zbqOA4b}GX4w4TJ)V*Sr6pcyW#r9FqVu5C<l($#$=q&;VAu&)T#K_*yq_C-K|xBx2U
z_M`=*r@dWATYGqZyM{pWLDtDFwflW<8rFNgsi9)g2Ry{|!7BmE;p&NV;wY~E4hOoU
z7cHuVf~!K_ylL#~v&-xR{Uze!;=njRW`d?3&=qKYDqjmEQ2?%OC0gh{vaxy1w+&i-
zKzmVDm4c;sP;SZHJDOsee9c5R&Zewa1#@P}yp(pKo88zDJCRd~9S{|3cYU~alhQo1
zZp)`JQr&C|cq_P~z}CPE_Pk!P!l4XtY1Vn`bkAquF`ahP?Mgh-Cv@Lc^HzATRK$Ga
zPhVsyyGBhW>2ccba`T`pi`Q`V36~~m)cAcK9-ahpAK2{lG>D0yKeMU4=5#KgUvR7h
z5az_Y9K)2Rk#XSlB>Oc8aggDEglwstWMMHeQj*Ea%2GeY&&Q{sjg=c4r}XW{PV!7o
zPgD7qKS-xzVBqKBQFoc0no>WPIeR`{gma3rs;!OQFS`;em4rfpMycP;NovK(6dZ>M
zn?Lgm!rgw!H_2g}P}lV@*5)s#a+(Ow{1E+x`}Viou8ao9>;wbf^G5>+q#=JYLr~rU
zO>y?8FYMk4IQ0KJS7wF$2Z{5CIskGRBAh<|51WL?1c&qOeM%2ccqss8X19U^<Wh&n
zglzWPErzKPLcBRZ(di7Xw;_6(>u~lC2o`GSA!ck>3v_riRFb>I8h8#;po0{zg~GF2
zhbMc#kc+<)&Ve0p>&GFK*#QVDpBtABS8(wx)IQ~dQ=zul%3B#ZuUozE+D7xQ@nHiH
z^t2FOa#cSvQYRg_l7VL8<3#b3UTNAN%Vn4HIqU<K3pVs{lpug$Ktl#(L}WnKO0RjK
zRX9dv?naf8mPQ@>5rFtVGo=0(#d{6Lq%cS<xF-kziqCi)Yl@$guAAq8tZTmzh`&26
zp5~Kla{C*6pKUo@p`e3y-DKqd8}@#{l@||+fJ_QR0KD!C-(+wFvVBPy+Y1B<kXhi0
zmiUnXa%F$9&Dksp5r3p_d(S+ua@?p6!3g{l@dZucw`4%CwNI_>J<b0#QPvwl!@uds
z{TbYszX`wnL2;;>S)vVN_30Atkm~fG`@KHDc4jv$gDe+zHkwijy!QTtk(@8qhRKro
z-oOQIoU)kA{P2tI$=CKv^7w)5$t!^buX;Do?Q@X$Zx5AfabNFlN;zO!bO&7P1)Q`9
zU#G>d=wCZk9jE8|vq^W~{4mA3e*sRwEe}lMuk~^NBj(9^a~*KapjZmF+TL#tq>1=d
zKR~-=!=Q8ySioI`O15hg`^rsVthldnmGy&}0nIizJ$wkz;O(l~UMI}|Ys2ARala7u
zA7%!m)Z85Hk4>c4oS|oj)*AB*EFY1Spw56Tu}hEduK|u5S3i!Sky)#|v9~(zF4ToK
zl)M0qKh8965||TSGbG(B<$yP(!AbNF2;{I)95?UZeFwvGw79+0lH45MX@_%CG9Ll}
zQMB)Nz$==9Z~u55@HO5daXP~ndxd>`jYP%(U^`%uz%Z2mDk_2rd76K~rOM#tNG+g}
za2tZ}AaK_>w|Bv={t|zKgW4GsLU|T6aqJe?|2z}7cK>=KFrJU>e=-%azcjbFUxIHB
ztsPFN3cMyxCCCBYU_LNGvOT%@!ci4ilro2Z`LU}a=W*!fk4hG3-tiqXE~!TbB-DXW
z%#s=)C2-uq-D#6YkFLyF^Mi2D&CUJTam(DsMp8mzDQ?iEKus^|BJf22`?a%4vnn1`
z{rm|yo~S521B2=D@yn6QPLI63ivXGZ<;y=%(6sO2;E)aw{%g6}nHd*XSI{clyi`^O
zP4RyjN&kMBs~QlAxL(}kg_OHT_o^6p29yQ}gm*=qHH%S1f}ys#44IwL;o&-ZdP<O(
zxH!1I{Xc-cy~_;x_Dqyxdcf%<ZEbR9-k`aao!!L8C)QL$LG!+*LQ+x^XuQnH%F+UD
zw;Gid72q%yQo}gKgJQ+*ydU^Gcb{Mcx+!MmL1yO#6jxx6t*fQw#J6uS9i8yenzPI;
z)z(v@moI~JQo_$gp~2t*JvvEYp49B_<g~Oju8BkiL)zJ4hoj@}vhS-*ara-5ep)V#
z;^gE6>8FLMgTrMC^W;{`-0sdVPO`GTm7Yri&Mx+_0{v9`|7yrdD+n|P$j|DRo4UL8
zbag$vyp%zic-&4^wLXA>AMiDx4G|1JgbOtNtijA0mq0hO#by8UTiV*$xw-Q5Dm|Oy
z%}JnjyAjD%3Ob&lX=?0bV{^p&4LrEH$BDCtKT4uP2gRSVh5Y}pr)O7CSS;3nPp4nM
z>fgYc45w}0^9AnULg#&|3$Lzun!k@c7LJ<0x~E+NDvn>(xw1PN&>*;LxCc&K!VgDx
zxqudP6*XmLOdm+W5)%{qc$Ylo<m7bq^aw{UJ~If=1!lV|7d*Jbel4v=lLuuZtOx8;
zRW+~@%l72Wn>XMlpmo&3!UDVlNASmzlD<{hUxKAR`u{-li;H8?fC=f?1ofBF(o(>=
z0y<=Q**R!cTyiV}BnE;2{+Ii-U>>An-a7Ga!genHg?SFVPtqNjCeURZ1^xR=Lqo=%
zp5lNnTgXjLo&*3oPRjctC|1PA`fP8CZY8pV<O!_YKQS>XkeIh`%X}jKxqbY^2_Z2t
zWLzBJXm1D%{{Ah|+fI@F=>Gk)tpWxK@$vD1H~8@3xgs*v#MM<~4joOr$2H*{JZ_qC
zZr}YSv6F_zaT8l-=jA97yRq{it2MZLmy4VG{R?n@5HOwET4lwF${<!v<L27I!H0ck
znWwN*9f{@~dgOJ2k;>9Ln~t`&wz|5yDk_x3f(C82xnQIiS6<71m!)?1)vg4K2D3m%
zHU^FuX=!P(<=1M8<+msR1%n=CTEH0C=0?>gBKR&|?CR)1MS>Fp%t!>YuNZ`(0hP~7
z!}m9;Eu-n~5NY|<WND0j_5=X219(%Tc?Jdcf)^|6=MNt`y1Fj%@!48igAs#;1Fp^K
z3fOMk+{ySus&?iFD;wgZlMu1d(Np8&@k)&f6N8|i*rQNhM$-&y+VmhxA||`ISan`y
zG67NF(2zt7lBB*89dD~+_!{SK^8gsj*1%$=$5G|J@A`8^RP=c02(}Fua4x&kkAqbA
zpWlE99IE*41)M((N+%zH2y`fQ077j6ASC+(5Ak=v7j$t_W?H-gZ7*^kO~-`;{AS$^
ze1A#B_8)!V_|Kst|5eR?x-jJ-vbmvRg~(o}OnG+C&F!ka@9!HL2U`~WWEbu3zO;<H
zYHclP@zBxlo15*kEKpq|oQmx4K=*Huf{R(`utP8shc|%c|Dc5efE_TdL#1B)9sYaR
z{sYDK=IQ?gT@nDWGa;>HEw(1}`y&?;aA+Pc3pgCi_lAR4&K$$YWq=bA+|V<JHFJB&
zX*WmOgMfJKfrDxP8!rF*J#k=qzsDJXh!C^qgdQLwZcqR|4Kj*U=0LJu(xf08`$7n@
z0RjRTUbBbeqn<7tb%244pZ)xKa7-Qp1A|fCqr}|Y_MKlTDJe)K<BljJD9*D0TnC=;
zcXLVgViv+ja^eEhmvB#BY>|Ud8@yUz=PZ`HH#wa+b!=4~hCL2W*;~gQg9ZqJl8lTi
zfY<<B@8!$a;NXyk&MV;155Vpf2PCt9-_t|=2Mh!%$_r|$FrC6ok=LS(^3#H6*-#%}
z!PkcwkYByl9|3pa>4^od<<X;zI@9;-RQ|s8FN1=T>Q{_>FUm0g7buT|<iWHUaBz_t
z{pxmlz-u{pG7zTQhlGY2l=u{7XSagGa{?-4Xn9Z;=R`zYjg5!a)~;T;vargnP72-d
zDgzxXf8*w8L@G;0gIxhyB-**W?-9`kIH~}6q=ye5dU|?Va}WzM*#UhKaLwSj3h;@6
zLCj7?>+#=zASgaD`GY#$A3>42dA|+%=b5?)#nv7^DTRO|UO@RT^q+sel$5Z3`GR}1
zT>&BySkBiBhXfo?7bJL5Ny7T?x$Ez7q0;E@zMZh~lU#Yb4eREJdCa{bd4v#oftU9+
zm?QFno>(Mu!YMX=Bn{|D#Az`9N<kW$p<Uw(SBp8E7vahRCziXw!AHC+Fq=4mh|1V-
zL?j4OwyUEC;hol?E^i{Brm6~XSm#nlM}*ydZIBIvgC71fDI0dzg{j$mmAhU1JJ}H1
z;Me9Ul(Wg_c`J_XTNw4Z!S4%X4hIcO|H{~a{uFO>0y7^Nvq<%X@0IA8<b~L+&qNMm
z&jd5oUnLRy{`Bfz^V0qr?TKweMlB#)9xb;7h9bHjsn~qAEa}O$e|nN=Y5l3@S)d0-
zb~>EYl9`M4lp^$Kf5f~=q$dZP1Sjy}GV$Rm^0AF$m8CB{Co!#a)5WCt$Lxu7qv<h2
zpQ_SrbILBg1#MC2dZcx!8ZY|oUrvb=#ogE4rz)n)A*FT(75Z(L%ee}nELS};)*m@~
z`>$s03t-|mrV}!KzBgW)Fh992K{uUg{mmh_dO`E?@Mw5joRKcnYwgGBujdT*_U3My
zy`OV|SM|R4Xx3-r<&B~h_|Ge5xm|L%^)vMzr%o3@b(TDlQBlbyUw{T=-e+|&)2!iT
zKmaur)z}bV=r9<X80_ZyA~?R$1)RkA5tOR{)43ARSN(r^0T;MRa=C%<y&b6rjrp0y
zfkxY0&Tj(o?_y$O0gYSYwZ5>jvhwTKuevCaaXY{Vf)h^aOee?3*THF9;OG!gH}=_D
z)(OguefZ!3IOhnQ*aM;>Vf)Yj+bw`u^0?nERCH{t|6L}abQPjfHe&|2evk5xk=?mx
zvNI+5PtCC6&6{JBlkdmzbvHiYIAJI_(2x#8OiXM|bwill85G5D02$#bI86;#`}KKr
z<Lp_gy@s$qo)V{SCc{~-Sx(1;<P?aMbq;VIE4Rx0>vBAW9#cq6N?>K5hK7bV#7aJF
z2FINh8=Xq91?BN2>M>TIwbBRa=Q%mSfjw(fo9fF^y<}sH<Ty_3FMl6Pj{zGM(AETT
z&K-&yJ``hxRGzmn(9qe2HQrfjR;lYZZgftUc(;84^OKd;GRP7J4lx0W1#+q}aPH%T
zsjwL+GO1iR|9!uOdCxig0jxORAR?Wwvq~7#=|ssV+Q;kT;<300VS-Rtv&PJyE#n3f
zh!P*k-WqVUN}Z{rwY4?Cv%q6>kM|>_q@;=+N2z#&BO>l-X)P7B#@u-RCp*Ta_kV@i
zB;u^|Kp?VGeD6wRM=dy~>XWgsO|~v@5?&P8K(`emInn<Wj{Hv&Idwcn;CKIDs3U%l
zYS~2{*qm>mBI-q%hCq)R_BUT9`%9_5$GhP31HRnR_dP{szH<M79Xhfe66?%I%<o#S
z$*|i24Fjn){?<TQ2lLaXxqu=x^AmNOPy}@=9M0eCZv#g>_ETRRdUEeDZxxc1PMDvP
zob(}{z2jMLe82y>JAl&Q(<0lw@Ni59S9(~RO0Ds6Gk_CLK%?T}D2y)%5u%6zd-uO!
zNB`seGbjJW#O-k?_+Dm0HgG@?VB7Y@g1Zb-)_L`_3`DyG5Z;&V@i@570<E9KrEZ7x
zffpKn6vw}PM*n^zU#+pdH3kUo<rpr0*EuUVKSmK@Q5Z>wDHSNmH$GWMbOm?ffx9K1
zuXv6ifl>Tmdc60pINAr76@U-_V(Rc@$|5)<QXjVW>L3)CErN%T5Uly`k30`_0^x{<
zg9!rk`z~n${O!R{|9t5G4uU(B7sp~%47~b(s=M-VsMoh|a4>a5sUv%~6rv(amYI{H
znxb=Blq^X^cCt>GqMXW*B}AB#6rq^x%Rw2;V9JqgkSxhI*|Us!??J`+UGE?7AMf>E
z?_V`v-}QO!=UzVdeSaR>fBS6UcLk_-d3aU=7Z#kwjNtnF7f4vLfH&xXkkoc&)qmXs
zP1xlxG5aFvcopSkB8$#tA{}#!Oo1{l&rR3P1B&`BF}Zx@VbO1r8x4-(!gqJ_s3sNy
z(G1Hs2dHKxMNK%M!~?+NPy5aq2w}5l{Msi3Ie&n)MTOF=n3S)1Bh?MKZ?1;}kIm9I
z4SS0^HKb{}khmm+vQxb1X&)U(Z2344gt5*gHl1%;;#UT&NT01Vw*~E1HF<bl<grS5
z{T8->5JBp~8AJsPOnKxcAQ$HGPIdi#<+kP1n^{Mm-CGYh*A5r}Ha0;)paSCD;`aM)
zbMz8?3CxG4roc#7&f&p27RYSv^vgdKp0a)`GuVr+0g0VUQKC_bLdZLJ5VAsO{$F?e
z&h^X2Q*P2ixA6oX_8E~uLo=nm?kKZU>YM5GS@Fcd$AyItMiPAHuijRYByf<5_Op@1
z%xoLG7uPcZNC3XI`I$jQWo2h)CM|2{n+7R@B|y{~i<KN7^Lx6if-iz5vNk?)q=rhR
zE;^sDwuI6JxI#uo<{D$pgK3@siV=c#29}8`>neNs@?`-1c5ewzmp0=MX#Mpblr~$a
z)?$zE4&7_tT&4z3w?Yvg%DtZg1f34xEJL-<sE&i9V_nNju1P53_|V*37w>jU*`hR7
zy)V>F%^po&#N(OsO<mcJ+LN6*HSW8cGa#i;3G|xQP68rLD9RgUe7N0Lf_r+}^Z=SW
zR8W@fAwPFn<8BU<2vsSmi{LN;Q?0CQ%Cl!X6cjLXrz`gF*)s+#k&x-%RIZN((|Fm&
zrncNDQ9GPhv$UkdtYQXu&mb2Jxy3MXod|cpUykl4CwBSI*Zn#GWLV%vgU_C%gY~>{
z;ewBkrlR7p(N7bzGB=e?^Y2ARpRuq|HUQGNItu0RezG1};2vX~AL99{2|(8%aRo(B
zkY*pE)4L{A5>9ZcI!F;XyuOwhA=naKU2Yym0}O@vjodsqc%@a^Z+K=tCH3UVlPPDw
zZwE)#nhAma6W6}O$bHGyeOr%M-X6x|@v*U6Tczc~rBm+X84=Z8Wy~qB-h&1Pbl!pS
zakticIY*K)XmYumyPe$^T7kP((NI^mL1G|Cz02jxpX;5r0ib4DdabqETC<_0Wvc=e
zI{MW%QrTSGUh!XOEZ=f56OGA*B3H~Fs65nFQOQY5li$17&CTu4+|T{}lpa|^Wkm&)
zeOjNNo676*S5bOoXk-+FQ~T4~-X1DfuXuRu+qttQzqu2mA#;u1S)w4~cFolEAty1a
zkR~cD91$r(f@~eeTm+F2AFtr0E`G@ET<K`Z?l_#9k1}DFnU4WYqEWD6^g!%}Mef(?
z1PJ$)%K<$>>FO$BWlqZy$hEalAM5F9On}nC5R|?5NZV_u&BI7xc8J(h{_LD*H!<9S
zTpVdvZ{^|R>k^@Ys72$iU%!6i2D=J@;a^7cvp2qamH3dxGoa-)O3ck29bS~@^WpKa
zwK`-vI0yxNo2WpiTJ^w4gZ_&uOVA7#OWent`?a(^vm+CRwe_{KObag3-jq`UoKQ0R
z6gw2pDQ>Yh^`UiiK&ea&08`+XP0T*Ax7OOV>-gdW3@=dCK{czRg9Fs5DJd$ds;iSb
z`l<^H_s=?cdQR6np)K-VephR2ZwCkMQmUxc;yW~QASj5l2AusCs8qRse~XpQc_=B8
z1$RzX_BD|>yx_-6j3R1BYX@oL0RRF%x=AxPWgp?j#ztVn24r?$y-UPK>Pv84**?bZ
zQSPQjjCW$EcsBIIiv3n1!LAR~pDvWinHeZ#rgz!@aq=X<X;uqPS}olrxKi(rO$Iz$
zL2u!>$lh|Gz~Wg9-m1^;2>`9caTdd@@TqDfoY`L~5W}KVw&kbF1<kMvgXTf7Q7;J5
z0Zs(<0*ddeAPgg&0Rzba)SGXyh`J_&|2PX*h1fFgXn)xwa;*9=`n;ET-MRTvX394`
z?&7Q6Ed7bQm3AOE*Q@G7E^4p25Yl$2URujjIF8R~>Ar+V>jvoUS|46mhSEi|aOSNv
z=8c2YrT2OkJ;q}j#=G(b><7_Uhhjl$+KfMNZgH_~Lvs>IRaitu;T+EfSO;vjYtL6b
zwdDX@!DHJ3sT?-Kqcnc@HmjZz+!;S__TZ%<;TaIv+qvF0KM3xI)_Wad@bh&3Z7V02
z%me~O6c9aU3sB9HRSq?iDe<z__r>&j-l{v1WS>^|ZoYpt%rAlwc-LZmX2-E(4U}r-
z;RmKK6N8Zz-pYj2#uDYgeFQA^O?wj)aN=ei>$F7Psn5*zILR^>NkUzp>Bt&8eW*zP
z^&lxJ5>L7NmM_l4y60{CV#~yl4->n8-@3fa;q&C*7^2BhXFAibcyAYZt!!>ycuq;g
z22Ea=zZ&aoJu&$pr+>_2m)M8MwHMi-F$$PHWPLaN>GbZ~VMPeDX~Jk{q~N(<V%+Xz
zP1gB^hT!u$!;#~x*Of^8d--*P5xWGEqU67bCb)Fw??jl*KW4mbFOBijEzm56Hs*C#
zhl(VJgkraa{E(azyLwvr2CzovK?bB~l!L0%Xh~4z)}0Q?@m-+}3HXrQ#Oufk{$;t|
zhMwl|br~anQR${%W>nRMEIjrryQ1eiXL__S$m61ketYo7mAjivb@DCEFK4wsT7`6x
zB?9STAA!LGB<qS$7;d^{<)&!8(~=+)x4w&c+B!*sjvCBxQ?T5U$e;spx{@FQw^*u*
zP4yJnd)4WP_gs_1%}qD6FcjA%DLqlQ(42BxS>%J@eN9jHpRaLPgi0PtS{TY%Igh_S
zRXKg-B#)_$qEf771cR}WDjuIKNKML6mUrhF;9ov`ng=oRN^*I9u@(jhIDQ6h-i=(o
zZX3a<8s?#U(~8W9|2!Ry`+oBG0r?BQ{a-S+>im`4e_uba9zN|RpbYs!45z~CHkg!6
zRfhLuXz|4s@zok^*F8HU@%+I=7`gdo)AOOcOvQkNSK|DXF>`dfuJ-k%B_OQy%VgQ&
zl)a^^zyI%s$4rUN*$uvbcg_;EJx8jnhy0t0{o6g$i~lJ^^-c^N!52H;!=sAgRI=ZH
z61a$G;E(eS3DeJq@%69%yu?b}B4aWjgxBt<v}bTt=jo23#?IM_maf)`?D5f&Q9dyp
zM%HJP(NWhqFF|_=os5$6CoL7tW~RMLMFw7!G6QDzZr`WlbERBP#LYl6;JDvwnS7eV
z?8F0C+^ctO?_{1c(uzE0hbTGyx6-hA!K5zoqQ6B$d#P~~U#$gEM=ew$UZ{AUu;62#
zJj*|REF@KRkGi6fo*I`v7GI>Ehq|A7DQNs*K=I;OV4Hzgs-S+~^X(7s7M=7s=~*if
z9oSbF=$f0N+?XxacF1;RopKJmWS^VMP~aO(gJFHBC84YtADJX;rqCfOC?RbZZxQRB
zGWouDp?dZWr>2IM^2v+Dk*0}fv4^eB?N?AwPS4X((>0lE(s=YFL+I%_O+n$rCS9LD
z0wh&VJ0<d>tcKOqDx~Xa@@0$uFViP&YDQ{B#GFkYTP5on^3ej$$|9AF^h;~~QUwkA
zYO1|3nOo>)a%vIA;7@&dNK-7lI#x*)sTmcqHcrXtE1FOcC=kpMPSkO@Vt4GQCOv)_
zV|YA@5c49Y=kjj`b)W6DPbZh@?PDz=EJ}l=NBOq}Bm4&cQT`mcN#>IKxQbx&)3nhJ
zCB^!Hg<``yx!=a$isWSpkxSlFfjeuKB%LfBQq)!KmyyDF&Pjart0D>GDbghzFBJ9l
zJ}=Uu=Bj2YrHnbzHNN8mPVF~8riOrx!{G!>9R`i^H5uwM>y9SG+^VlW8W~B;cz(F(
zp44qcqtjC6z9x6hRm@zp9DPH3S&X<BS*<A>-gm*L!i?V5S3|D8HI_g7izc0G(Ij*F
zJiEz;$V=+ZTmk=591WIe5d~_X1QtJ9e9|N5#V225=OW7Awsd@Ux;{U6WvwY;Hm*l6
zV=UtleiMezg{bedkL>(xZROy(d#^lABbD+#<_iaVTZ=`rH`ClP1^!Ng!Ib&yE@oXw
zWVLwDVIjML_wlkZS-<TAL6TF3Hl3F!LkzbFH%5w_nCF+(+j{iIJm0UjKJ6DgJrA!^
zTbfb0Y5J|?CoV?Jp&)nH_l=v9-@kcZx6|&3o)!HlOle7wUTuB~<I8+`X7#{dU*5ix
z;3BHJo;vpAl~@wL!hA}#LK?Z(=3wu+FUCGRJ@4vprDtOmz9<I2tui179z}oNaw*Jk
zN^o=EK5gtk{BWeeG_My%2xafIJ0NKGKC~q_qxz7PfW(EV=95((P2&!IuX>fLUe~)F
zsJU3<)U&gOul=9*J9g6ZIEf3k<5qF%fv6=9nWgtm|5b_eKVj_X5K^~6O^tEiDM3eB
z*=%R=`IC~C^6IjuW%XtCoTJR{Z`v0cKA@PMZ|<9O@Xz+L`69)Tp<A+!c%7=vF`Fmn
zeJ@$Tq9$3C_!l_$W(3Sc{JL{|j>LDVx4-fhRv!XM<E}DkzRL@)Xr!&r37^eA5mktY
z4mZ+x+WD%-*_vUA|0upNob?L8-x|~U@>}!MUi0z5tpS;?4mMx=N9>!O&BB#t=$ZNC
z$Oq=%hGeQFTvY3&Q}-!pA-mUD!5H?rk3tE9F<c|wjS&yyc33*<eEb;hP^VD6;aiMJ
zY>W%1qs#~FoW=PWZg-F`7vzdnYG{HP%=``I`=^y6l6$usDTz^JO!+c1#W^8(5k}Sl
zJ4Gu*RqLTE!HWkT_X08Mv3n$NW_;<~OU}s;Z|8r-)Jd(_#UG106~UNl{6t&lepR2n
ztx&}_he*6Ou-3H_<(eFiDY*GXneuMQJQC_Y(Jr&k<+FC^focE0v}-IskF~n_jF#O3
z{b%gH*DfvE>0u^vLX8BHGP*KKx-@9&b{)>{g%(pKSFj3=U0PR$A0(U&C;5&)^Qp-D
zT86D+91m+x+?Q*JS2Ah%SOTW6Qg+E*PP5iF<}mrBv0r|=JCL-++Do7zm12}JqP0y<
zp)A#&>PwOcedGG>Eg3r#bTi?3mXFky#E2-*tno(=nWon+dK|(J-@X$fBo-SU5-oS)
z^dh=cWXndKFB8x`^W7WD<eF@}6>Tr8j(2?C5*C<~muXBno>^O`m6v8iVr-&XtIJQg
z-<8R>zKnH`aX2h%QD(Bez+pI?UR&;#_31{$$+CwL6S1Emock@e@1sgU(EMDg)#IKJ
z=Y1$fPV$IjU&1_J+7Mo6(^x}Nu_}G2iDlS3=a*blkUn9mK<Ukv*l%PYImnw4#!5*)
z4%r*ch%7yXv_*az3!i=R=AY0HPPaQkCLIczQz{g~hAfKd;^B;w$#?Ud&va(INDw+7
zdMBh6>#ssc$!U<2snIt#?7m4<L|R*wy~&%U%3b=m`fb8RKZrMV#J+ow@E|5JZV&3U
z4X<s_rqHUwr{mdIkOSOa5;b*&+(u7gQ!?OFl=`=%rdr#WSI=6aG3rT}!}5jRt;NwM
zhTc=-ygmdNv-gc+j?NhkwUsNYijDX5&3s`heyX9!VoInzqJUmx@C0|6#8@AV%Pg25
zFmI~#L+rvjnPqLA+byZ0Hu)tOQ8Lr8z1FHmTDaYf)HaXb)Hfr~RNv8OgLQB2EW*02
z3MPy>3WpkIHr3)ij{jNp$HsRN^|J-gT6v~3D{Y>HTD0RNhMaQ#*2?p|*AJod9<@bi
z;}r2x%BSfP(v)(4>W2zL=DT-oj)?&l=&&#f#u6NKq_v(eqlYR7P(Y1cA2PNqPCB;n
z1MLsvc7CGI+4IgFUpk4ZjDne959yzNI{qF!C@a9k?TnQ7Tu%foD$6ZrYIZ1BFyVbE
z3<s)M%+CAUvC>+vdEaY$v-eQv{}?w`)91E%Qr73)<M3y%o54gchy-mWUdN^?I$k`l
z2I<GqSS5bDUoI>zX<x3e(Y9|YRP}tOL}73-U8n_Ge>bjDb0at#9^0Y2wW93%gIGQ_
zsI4L$PU6%d>(B(;nIFNE6rn?$y>0ICUXmd?JyZ9_vOfvyioI<_lJFl6@-#n{<xg{7
z<ynsF<b!aY*yZPFAu{H^axTYv{M1Ln-|zZ!ss8(xJp71}l^d@1;{RHG%e5h7UNA1V
z^ch8xpvQ_cm!pbyJ@k2tQ~mr@$)C~W2-s=J;xs_%2!#TBd(oIWuc4fy?zqV9K{Wpw
zr(SPgJ%=wKEZev1m%=^-sVOP5*Gd@%JD@p&-sRD9ga7B4hQW(H<R*5}VM~H2TxYA}
z#e$s{04@QCJn*FF=H;zlzaF3hfNXk)Dk^S>Mu&$>lB$6Q7P<}qaBy>h>Mxq8kkAn*
zO`=d<q@}en52M0xx}`tnr=G*)s)q;Q4t<|L^YQZ596w@dl?+wdSy@KxCZ)A?P`d?$
z^3YOAB&rtJab5+W1Dd#KFS4?d;^OuPEEa>0eQaruvbOmh2%ZD0G|5J)Q^O-pq9x#w
ztWO0Bey9OS9rm3WP2gmuKSf_cbx&fVk`R=o5GTCQ<mQZwT@x~8i*xC&277dL97p+%
z!N{!*qnyGfaHE5R@;i6#$ps7vz!qpA<L2V>^voK)r=iB-d)dp?q^&K#)2eITRSbp<
zJrNELFJ65u&d;}{y+yLmeft@EO>6Mk9_fXStCS~Co}{LdnW2zphfZx6ImmngEj<*j
zU^xo&@&H?DZczg}a*bBZWnw7X2b)AF&)mmqGR4F=C&v!`z!XMY#i<78{yp8_*TCvf
zbFB=qAchs;ALb+umPjlGfJ@TKDN1E^NtOBUQv>95I-va%AfeODhzgE{f0Tnaz<~d2
z4IwoMfDywr*08}=PiF~szRc0}EJAGK##aF`!U(@>tJcvlH?g>;z@_`fSd0VYoB)<$
zZInPH!g#!?s)BYQ|4Wx-cJ0a_5YUUww9Za*Q`0DCkd({T)_(KT$JzJ8jB07k14Idr
zgm$!;99FxNzCN@>*W^7;PKHJ%5Fp5$g22MQ9=*`uWe+t7v?wRYsi$RTE<$RvcW6;A
z6^)j#ShlYar+0|YBRU!zVFx)$k?!tpEtJW1adB~TbMt6?NJt34WFqQL)n=ZaOfEW<
ziXaEP=$#|Oi)Qk=Ng%VI&N`hrb4K{{bKnXP4VWEIam}r-ufKC=ou+=NFrTrpai06+
znV&k7mwo>!D-<Cm5Z>_U(W8b5`(IBaFRkSI`e+W=iv`+bLqgQ(PUaP^08w7QjzF>y
zW%@!#UG~_wu^#v{;OT%=_hgM{K7SsLQ!6|terPn?eeyeqwiNw4g)wl^nG9&-fJvm6
zF-vpi)tyBUyO`}ltZGWso;{KxkVxJ{?O%5l8X>=aeOZTtVzdI+o6vV&1@eyYgDNH1
zy@{o&VAi6XOifK~Y@TuwpNzD$oV|4ElCv|NLJ2uI!a|#$$Yz6902ERtyw0BB?&by{
zy(8CTfB#dOEcBWHoVg)~i+BxF|8nNG*fyRuo@SBGG{>CAy8o1`|Hry{`PEq~t5RSo
zawR~X{>pbF!n=%oE+K|%)jbPVY+p9JADis#=G^IgL;7np97QrzWUXt=W82RkjMLR$
zMwI||R0-DLoZQ2LO_y-TIL$Y%t86wedmOSNf0Y>x!`W<b<r%PI0g>C#8#vmG&??v}
z{3-+LCQKd5AuFuMDBS&3I;VKQ*T0<ehuo@_qPsaKf#B!+GhID+2BhzPH(;tggP{3V
z0bw==_SSQ(V7^P@8j`MumN>VBbxIM0j7dIgJ~|}5M|%yJDUPVi-~T^+U{dJ|6ELDJ
z$e);ND#Y1YNrI(HdyZXDS+uSMA0ZgGfdxV0*z7psENLQO@mB>!Dw3jbV6DC09;Am3
zUd97ifZBijw31uB_Tw~fz=2f&TV0UL3OonO7k;eO#w!N~rI&^1kx7*_;Q{{!gxG-}
zx@*nP*3Q-k3)v|9t=oB2a&sAu_RRI~kN$x7PW(c&bdR^Zp>w`{-Xa+KrdY^u^cdSP
zYu?zr1-^sr-i_tP5|S5|9--LN9V<mJTau>VZ+?vZlrpr84$5<qHcKQf!`F}|ehJC*
zCD5O3nq}|Uif_;OFQN7Dzx1$Wuzd_l&h7@N#7wr-)F+os01ZafaZx4KTd;kD<{bFv
zs{l)i**?m#Ab7UFp(uy7F<}y9N8u-`JAm!@g}+eu>t%c3C)<%jh6ghbT)6RHv{AD1

literal 0
HcmV?d00001

diff --git a/blueprints/apigee/apigee-x-foundations/dns.tf b/blueprints/apigee/apigee-x-foundations/dns.tf
new file mode 100644
index 0000000000..20b0170856
--- /dev/null
+++ b/blueprints/apigee/apigee-x-foundations/dns.tf
@@ -0,0 +1,56 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+locals {
+  dns_names = [for v1 in flatten([for k2, v2 in var.apigee_config.endpoint_attachments :
+    [for v3 in coalesce(v2.dns_names, []) : {
+      endpoint_attachment = k2
+      dns_name            = split(".", v3)
+      }
+    if v3 != null]]) : {
+    endpoint_attachment = v1.endpoint_attachment
+    domain              = length(v1.dns_name) == 1 ? "." : "${join(".", slice(v1.dns_name, 1, length(v1.dns_name)))}."
+    name                = length(v1.dns_name) == 1 ? "*." : v1.dns_name[0]
+  }]
+  peered_domains = distinct([for v in local.dns_names : v.domain])
+  private_dns_zones = { for k1, v1 in { for v2 in local.peered_domains :
+    v2 => distinct([for v3 in local.dns_names : v3.name if v3.domain == v2]) } : k1 =>
+    { for v4 in v1 : "A ${v4}" => {
+      geo_routing = [for v5 in local.dns_names :
+        {
+          location = var.apigee_config.endpoint_attachments[v5.endpoint_attachment].region
+          records  = [module.apigee.endpoint_attachment_hosts[v5.endpoint_attachment]]
+        }
+      if v5.domain == k1 && v5.name == v4] }
+    }
+  }
+}
+
+module "private_dns_zones" {
+  for_each = (var.network_config.apigee_vpc == null || var.apigee_config.organization.disable_vpc_peering
+    ? {} :
+  local.private_dns_zones)
+  source     = "../../../modules/dns"
+  project_id = module.project.project_id
+  name       = trimsuffix(replace(each.key, ".", "-"), "-")
+  zone_config = {
+    domain = each.key
+    private = {
+      client_networks = [module.apigee_vpc[0].self_link]
+    }
+  }
+  recordsets = each.value
+}
diff --git a/blueprints/apigee/apigee-x-foundations/functions/instance-monitor/index.js b/blueprints/apigee/apigee-x-foundations/functions/instance-monitor/index.js
new file mode 100644
index 0000000000..56dc61fed6
--- /dev/null
+++ b/blueprints/apigee/apigee-x-foundations/functions/instance-monitor/index.js
@@ -0,0 +1,138 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the 'License');
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an 'AS IS' BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+const functions = require("@google-cloud/functions-framework");
+const monitoring = require("@google-cloud/monitoring");
+const logging = require("@google-cloud/logging");
+const { LoggingBunyan } = require("@google-cloud/logging-bunyan");
+const bunyan = require("bunyan");
+
+const loggingBunyan = new LoggingBunyan();
+const logger = bunyan.createLogger({
+  name: "instance-monitor",
+  streams: [{ stream: process.stdout, level: "info" }, loggingBunyan.stream("info")],
+});
+
+const SEVERITY_THRESHOLD = logging.Severity.warning;
+
+const METRIC_DESCRIPTION = "Apigee instance health.";
+const METRIC_DISPLAY_NAME = "Apigee instance health.";
+const METRIC_TYPE = "custom.googleapis.com/apigee/instance_health";
+const METRIC_KIND = "GAUGE";
+const METRIC_VALUE_TYPE = "BOOL";
+const METRIC_UNIT = "1";
+const METRIC_LABELS = [
+  {
+    key: "org",
+    valueType: "STRING",
+    description: "The name of the apigee organization.",
+  },
+  {
+    key: "instance_id",
+    valueType: "STRING",
+    description: "The ID of the apigee instance.",
+  }
+];
+const RESOURCE_TYPE = "global";
+const METRIC_DESCRIPTOR = {
+  description: METRIC_DESCRIPTION,
+  displayName: METRIC_DISPLAY_NAME,
+  type: METRIC_TYPE,
+  metricKind: METRIC_KIND,
+  valueType: METRIC_VALUE_TYPE,
+  unit: METRIC_UNIT,
+  labels: METRIC_LABELS,
+};
+
+const client = new monitoring.MetricServiceClient();
+
+async function createMetricDescriptor(projectId, metricDescriptor) {
+  const request = {
+    name: client.projectPath(projectId),
+    metricDescriptor: metricDescriptor,
+  };
+  return await client.createMetricDescriptor(request);
+}
+
+async function getMetricDescriptor(projectId, metricType) {
+  const request = {
+    name: client.projectMetricDescriptorPath(projectId, metricType),
+  };
+  return await client.getMetricDescriptor(request);
+}
+
+async function writeTimeSeriesData(projectId, metricType, resourceType, value, metricLabels) {
+  const dataPoint = {
+    interval: {
+      endTime: {
+        seconds: Date.now() / 1000,
+      },
+    },
+    value: {
+      boolValue: value,
+    },
+  };
+
+  const timeSeriesData = {
+    metric: {
+      type: metricType,
+      labels: metricLabels,
+    },
+    resource: {
+      type: resourceType,
+      labels: {
+        project_id: projectId,
+      },
+    },
+    points: [dataPoint],
+  };
+
+  const request = {
+    name: client.projectPath(projectId),
+    timeSeries: [timeSeriesData],
+  };
+
+  return await client.createTimeSeries(request);
+}
+
+async function processEvent(cloudEvent) {
+  const [, projectId, instanceId] = /^organizations\/(.+)\/instances\/(.+)$/g.exec(cloudEvent.resourcename);
+  const severity = logging.Severity[cloudEvent.data.severity.toLowerCase()];
+  const value = severity >= SEVERITY_THRESHOLD;
+  if (!value) {
+    logger.error(`Instance ${instanceId} in ${organization} is down`);
+  }
+  try {
+    logger.debug("Checking if metric exists...");
+    const result = await getMetricDescriptor(projectId, METRIC_TYPE);
+    logger.debug("Metric already exists", result);
+  } catch (error) {
+    logger.debug("Metric does not exist. Creating it...");
+    const result = await createMetricDescriptor(projectId, METRIC_DESCRIPTOR);
+    logger.debug("Metric created", result);
+  }
+  logger.debug("Writing data point...");
+  await writeTimeSeriesData(projectId, METRIC_TYPE, RESOURCE_TYPE, value, {
+    org: projectId,
+    instance_id: instanceId,
+  });
+}
+
+functions.cloudEvent("writeMetric", async cloudEvent => {
+  logger.debug("Notification received. Let's process it...");
+  processEvent(cloudEvent);
+  logger.debug("Notification processed.");
+});
diff --git a/blueprints/apigee/apigee-x-foundations/functions/instance-monitor/package-lock.json b/blueprints/apigee/apigee-x-foundations/functions/instance-monitor/package-lock.json
new file mode 100644
index 0000000000..7fff997d3e
--- /dev/null
+++ b/blueprints/apigee/apigee-x-foundations/functions/instance-monitor/package-lock.json
@@ -0,0 +1,3271 @@
+{
+  "name": "instance-checker",
+  "version": "1.0.0",
+  "lockfileVersion": 3,
+  "requires": true,
+  "packages": {
+    "": {
+      "name": "instance-checker",
+      "version": "1.0.0",
+      "license": "ISC",
+      "dependencies": {
+        "@google-cloud/functions-framework": "^3.3.0",
+        "@google-cloud/logging": "^10.5.0",
+        "@google-cloud/logging-bunyan": "^5.0.0",
+        "@google-cloud/monitoring": "^3.0.5",
+        "bunyan": "^1.8.15"
+      }
+    },
+    "node_modules/@babel/code-frame": {
+      "version": "7.22.5",
+      "resolved": "https://registry.npmjs.org/@babel/code-frame/-/code-frame-7.22.5.tgz",
+      "integrity": "sha512-Xmwn266vad+6DAqEB2A6V/CcZVp62BbwVmcOJc2RPuwih1kw02TjQvWVWlcKGbBPd+8/0V5DEkOcizRGYsspYQ==",
+      "dependencies": {
+        "@babel/highlight": "^7.22.5"
+      },
+      "engines": {
+        "node": ">=6.9.0"
+      }
+    },
+    "node_modules/@babel/helper-validator-identifier": {
+      "version": "7.22.5",
+      "resolved": "https://registry.npmjs.org/@babel/helper-validator-identifier/-/helper-validator-identifier-7.22.5.tgz",
+      "integrity": "sha512-aJXu+6lErq8ltp+JhkJUfk1MTGyuA4v7f3pA+BJ5HLfNC6nAQ0Cpi9uOquUj8Hehg0aUiHzWQbOVJGao6ztBAQ==",
+      "engines": {
+        "node": ">=6.9.0"
+      }
+    },
+    "node_modules/@babel/highlight": {
+      "version": "7.22.5",
+      "resolved": "https://registry.npmjs.org/@babel/highlight/-/highlight-7.22.5.tgz",
+      "integrity": "sha512-BSKlD1hgnedS5XRnGOljZawtag7H1yPfQp0tdNJCHoH6AZ+Pcm9VvkrK59/Yy593Ypg0zMxH2BxD1VPYUQ7UIw==",
+      "dependencies": {
+        "@babel/helper-validator-identifier": "^7.22.5",
+        "chalk": "^2.0.0",
+        "js-tokens": "^4.0.0"
+      },
+      "engines": {
+        "node": ">=6.9.0"
+      }
+    },
+    "node_modules/@babel/parser": {
+      "version": "7.22.7",
+      "resolved": "https://registry.npmjs.org/@babel/parser/-/parser-7.22.7.tgz",
+      "integrity": "sha512-7NF8pOkHP5o2vpmGgNGcfAeCvOYhGLyA3Z4eBQkT1RJlWu47n63bCs93QfJ2hIAFCil7L5P2IWhs1oToVgrL0Q==",
+      "bin": {
+        "parser": "bin/babel-parser.js"
+      },
+      "engines": {
+        "node": ">=6.0.0"
+      }
+    },
+    "node_modules/@google-cloud/common": {
+      "version": "4.0.3",
+      "resolved": "https://registry.npmjs.org/@google-cloud/common/-/common-4.0.3.tgz",
+      "integrity": "sha512-fUoMo5b8iAKbrYpneIRV3z95AlxVJPrjpevxs4SKoclngWZvTXBSGpNisF5+x5m+oNGve7jfB1e6vNBZBUs7Fw==",
+      "dependencies": {
+        "@google-cloud/projectify": "^3.0.0",
+        "@google-cloud/promisify": "^3.0.0",
+        "arrify": "^2.0.1",
+        "duplexify": "^4.1.1",
+        "ent": "^2.2.0",
+        "extend": "^3.0.2",
+        "google-auth-library": "^8.0.2",
+        "retry-request": "^5.0.0",
+        "teeny-request": "^8.0.0"
+      },
+      "engines": {
+        "node": ">=12.0.0"
+      }
+    },
+    "node_modules/@google-cloud/functions-framework": {
+      "version": "3.3.0",
+      "resolved": "https://registry.npmjs.org/@google-cloud/functions-framework/-/functions-framework-3.3.0.tgz",
+      "integrity": "sha512-+4O1dX5VNRK1W1NyAia7zy5jLf88ytuz39/1kVUUaNiOf76YbMZKV0YjZwfk7uEwRrC6l2wynK1G+q8Gb5DeVw==",
+      "dependencies": {
+        "@types/express": "4.17.17",
+        "body-parser": "^1.18.3",
+        "cloudevents": "^7.0.0",
+        "express": "^4.16.4",
+        "minimist": "^1.2.7",
+        "on-finished": "^2.3.0",
+        "read-pkg-up": "^7.0.1",
+        "semver": "^7.3.5"
+      },
+      "bin": {
+        "functions-framework": "build/src/main.js",
+        "functions-framework-nodejs": "build/src/main.js"
+      },
+      "engines": {
+        "node": ">=10.0.0"
+      }
+    },
+    "node_modules/@google-cloud/logging": {
+      "version": "10.5.0",
+      "resolved": "https://registry.npmjs.org/@google-cloud/logging/-/logging-10.5.0.tgz",
+      "integrity": "sha512-XmlNs6B8lDZvFwFB5M55g9ch873AA2rXSuFOczQ3FOAzuyd/qksf18suFJfcrLMu8lYSr3SQhTE45FlXz4p9pg==",
+      "dependencies": {
+        "@google-cloud/common": "^4.0.0",
+        "@google-cloud/paginator": "^4.0.0",
+        "@google-cloud/projectify": "^3.0.0",
+        "@google-cloud/promisify": "^3.0.0",
+        "arrify": "^2.0.1",
+        "dot-prop": "^6.0.0",
+        "eventid": "^2.0.0",
+        "extend": "^3.0.2",
+        "gcp-metadata": "^4.0.0",
+        "google-auth-library": "^8.0.2",
+        "google-gax": "^3.5.8",
+        "on-finished": "^2.3.0",
+        "pumpify": "^2.0.1",
+        "stream-events": "^1.0.5",
+        "uuid": "^9.0.0"
+      },
+      "engines": {
+        "node": ">=12.0.0"
+      }
+    },
+    "node_modules/@google-cloud/logging-bunyan": {
+      "version": "5.0.0",
+      "resolved": "https://registry.npmjs.org/@google-cloud/logging-bunyan/-/logging-bunyan-5.0.0.tgz",
+      "integrity": "sha512-Ila0PB6JZ/Qv18wx3x4/NoPLoSfTTDCvEIeaxCyKouv97kEWOP+HYvwimdJCYlvePyClZH+y3ktW17XlJAE4gA==",
+      "dependencies": {
+        "@google-cloud/logging": "^10.2.2",
+        "google-auth-library": "^9.0.0"
+      },
+      "engines": {
+        "node": ">=14.0.0"
+      },
+      "peerDependencies": {
+        "bunyan": "*"
+      }
+    },
+    "node_modules/@google-cloud/logging-bunyan/node_modules/agent-base": {
+      "version": "7.1.0",
+      "resolved": "https://registry.npmjs.org/agent-base/-/agent-base-7.1.0.tgz",
+      "integrity": "sha512-o/zjMZRhJxny7OyEF+Op8X+efiELC7k7yOjMzgfzVqOzXqkBkWI79YoTdOtsuWd5BWhAGAuOY/Xa6xpiaWXiNg==",
+      "dependencies": {
+        "debug": "^4.3.4"
+      },
+      "engines": {
+        "node": ">= 14"
+      }
+    },
+    "node_modules/@google-cloud/logging-bunyan/node_modules/debug": {
+      "version": "4.3.4",
+      "resolved": "https://registry.npmjs.org/debug/-/debug-4.3.4.tgz",
+      "integrity": "sha512-PRWFHuSU3eDtQJPvnNY7Jcket1j0t5OuOsFzPPzsekD52Zl8qUfFIPEiswXqIvHWGVHOgX+7G/vCNNhehwxfkQ==",
+      "dependencies": {
+        "ms": "2.1.2"
+      },
+      "engines": {
+        "node": ">=6.0"
+      },
+      "peerDependenciesMeta": {
+        "supports-color": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/@google-cloud/logging-bunyan/node_modules/gaxios": {
+      "version": "6.1.1",
+      "resolved": "https://registry.npmjs.org/gaxios/-/gaxios-6.1.1.tgz",
+      "integrity": "sha512-bw8smrX+XlAoo9o1JAksBwX+hi/RG15J+NTSxmNPIclKC3ZVK6C2afwY8OSdRvOK0+ZLecUJYtj2MmjOt3Dm0w==",
+      "dependencies": {
+        "extend": "^3.0.2",
+        "https-proxy-agent": "^7.0.1",
+        "is-stream": "^2.0.0",
+        "node-fetch": "^2.6.9"
+      },
+      "engines": {
+        "node": ">=14"
+      }
+    },
+    "node_modules/@google-cloud/logging-bunyan/node_modules/gcp-metadata": {
+      "version": "6.0.0",
+      "resolved": "https://registry.npmjs.org/gcp-metadata/-/gcp-metadata-6.0.0.tgz",
+      "integrity": "sha512-Ozxyi23/1Ar51wjUT2RDklK+3HxqDr8TLBNK8rBBFQ7T85iIGnXnVusauj06QyqCXRFZig8LZC+TUddWbndlpQ==",
+      "dependencies": {
+        "gaxios": "^6.0.0",
+        "json-bigint": "^1.0.0"
+      },
+      "engines": {
+        "node": ">=14"
+      }
+    },
+    "node_modules/@google-cloud/logging-bunyan/node_modules/google-auth-library": {
+      "version": "9.1.0",
+      "resolved": "https://registry.npmjs.org/google-auth-library/-/google-auth-library-9.1.0.tgz",
+      "integrity": "sha512-1M9HdOcQNPV5BwSXqwwT238MTKodJFBxZ/V2JP397ieOLv4FjQdfYb9SooR7Mb+oUT2IJ92mLJQf804dyx0MJA==",
+      "dependencies": {
+        "base64-js": "^1.3.0",
+        "ecdsa-sig-formatter": "^1.0.11",
+        "gaxios": "^6.0.0",
+        "gcp-metadata": "^6.0.0",
+        "gtoken": "^7.0.0",
+        "jws": "^4.0.0",
+        "lru-cache": "^6.0.0"
+      },
+      "engines": {
+        "node": ">=14"
+      }
+    },
+    "node_modules/@google-cloud/logging-bunyan/node_modules/gtoken": {
+      "version": "7.0.1",
+      "resolved": "https://registry.npmjs.org/gtoken/-/gtoken-7.0.1.tgz",
+      "integrity": "sha512-KcFVtoP1CVFtQu0aSk3AyAt2og66PFhZAlkUOuWKwzMLoulHXG5W5wE5xAnHb+yl3/wEFoqGW7/cDGMU8igDZQ==",
+      "dependencies": {
+        "gaxios": "^6.0.0",
+        "jws": "^4.0.0"
+      },
+      "engines": {
+        "node": ">=14.0.0"
+      }
+    },
+    "node_modules/@google-cloud/logging-bunyan/node_modules/https-proxy-agent": {
+      "version": "7.0.2",
+      "resolved": "https://registry.npmjs.org/https-proxy-agent/-/https-proxy-agent-7.0.2.tgz",
+      "integrity": "sha512-NmLNjm6ucYwtcUmL7JQC1ZQ57LmHP4lT15FQ8D61nak1rO6DH+fz5qNK2Ap5UN4ZapYICE3/0KodcLYSPsPbaA==",
+      "dependencies": {
+        "agent-base": "^7.0.2",
+        "debug": "4"
+      },
+      "engines": {
+        "node": ">= 14"
+      }
+    },
+    "node_modules/@google-cloud/logging-bunyan/node_modules/ms": {
+      "version": "2.1.2",
+      "resolved": "https://registry.npmjs.org/ms/-/ms-2.1.2.tgz",
+      "integrity": "sha512-sGkPx+VjMtmA6MX27oA4FBFELFCZZ4S4XqeGOXCv68tT+jb3vk/RyaKWP0PTKyWtmLSM0b+adUTEvbs1PEaH2w=="
+    },
+    "node_modules/@google-cloud/logging/node_modules/gaxios": {
+      "version": "4.3.3",
+      "resolved": "https://registry.npmjs.org/gaxios/-/gaxios-4.3.3.tgz",
+      "integrity": "sha512-gSaYYIO1Y3wUtdfHmjDUZ8LWaxJQpiavzbF5Kq53akSzvmVg0RfyOcFDbO1KJ/KCGRFz2qG+lS81F0nkr7cRJA==",
+      "dependencies": {
+        "abort-controller": "^3.0.0",
+        "extend": "^3.0.2",
+        "https-proxy-agent": "^5.0.0",
+        "is-stream": "^2.0.0",
+        "node-fetch": "^2.6.7"
+      },
+      "engines": {
+        "node": ">=10"
+      }
+    },
+    "node_modules/@google-cloud/logging/node_modules/gcp-metadata": {
+      "version": "4.3.1",
+      "resolved": "https://registry.npmjs.org/gcp-metadata/-/gcp-metadata-4.3.1.tgz",
+      "integrity": "sha512-x850LS5N7V1F3UcV7PoupzGsyD6iVwTVvsh3tbXfkctZnBnjW5yu5z1/3k3SehF7TyoTIe78rJs02GMMy+LF+A==",
+      "dependencies": {
+        "gaxios": "^4.0.0",
+        "json-bigint": "^1.0.0"
+      },
+      "engines": {
+        "node": ">=10"
+      }
+    },
+    "node_modules/@google-cloud/logging/node_modules/uuid": {
+      "version": "9.0.0",
+      "resolved": "https://registry.npmjs.org/uuid/-/uuid-9.0.0.tgz",
+      "integrity": "sha512-MXcSTerfPa4uqyzStbRoTgt5XIe3x5+42+q1sDuy3R5MDk66URdLMOZe5aPX/SQd+kuYAh0FdP/pO28IkQyTeg==",
+      "bin": {
+        "uuid": "dist/bin/uuid"
+      }
+    },
+    "node_modules/@google-cloud/monitoring": {
+      "version": "3.0.5",
+      "resolved": "https://registry.npmjs.org/@google-cloud/monitoring/-/monitoring-3.0.5.tgz",
+      "integrity": "sha512-txZPpmE+HGkx1wo5SO975Y7M1lhnIUMI79+7SDTHvVU7lNvQB6i6rNqOSkJZYHj5I/JFFqHIarUtSoIWU0ZCSw==",
+      "dependencies": {
+        "google-gax": "^3.5.8"
+      },
+      "engines": {
+        "node": ">=12.0.0"
+      }
+    },
+    "node_modules/@google-cloud/paginator": {
+      "version": "4.0.1",
+      "resolved": "https://registry.npmjs.org/@google-cloud/paginator/-/paginator-4.0.1.tgz",
+      "integrity": "sha512-6G1ui6bWhNyHjmbYwavdN7mpVPRBtyDg/bfqBTAlwr413On2TnFNfDxc9UhTJctkgoCDgQXEKiRPLPR9USlkbQ==",
+      "dependencies": {
+        "arrify": "^2.0.0",
+        "extend": "^3.0.2"
+      },
+      "engines": {
+        "node": ">=12.0.0"
+      }
+    },
+    "node_modules/@google-cloud/projectify": {
+      "version": "3.0.0",
+      "resolved": "https://registry.npmjs.org/@google-cloud/projectify/-/projectify-3.0.0.tgz",
+      "integrity": "sha512-HRkZsNmjScY6Li8/kb70wjGlDDyLkVk3KvoEo9uIoxSjYLJasGiCch9+PqRVDOCGUFvEIqyogl+BeqILL4OJHA==",
+      "engines": {
+        "node": ">=12.0.0"
+      }
+    },
+    "node_modules/@google-cloud/promisify": {
+      "version": "3.0.1",
+      "resolved": "https://registry.npmjs.org/@google-cloud/promisify/-/promisify-3.0.1.tgz",
+      "integrity": "sha512-z1CjRjtQyBOYL+5Qr9DdYIfrdLBe746jRTYfaYU6MeXkqp7UfYs/jX16lFFVzZ7PGEJvqZNqYUEtb1mvDww4pA==",
+      "engines": {
+        "node": ">=12"
+      }
+    },
+    "node_modules/@grpc/grpc-js": {
+      "version": "1.8.19",
+      "resolved": "https://registry.npmjs.org/@grpc/grpc-js/-/grpc-js-1.8.19.tgz",
+      "integrity": "sha512-yCkvhtstJvUL3DEQAF5Uq5KoqQL27MTdfxVYvGsGduoGxiJcRCvJ29t5OmLfLhRuRpjAQ1OlhJD/IPOfX+8jNw==",
+      "dependencies": {
+        "@grpc/proto-loader": "^0.7.0",
+        "@types/node": ">=12.12.47"
+      },
+      "engines": {
+        "node": "^8.13.0 || >=10.10.0"
+      }
+    },
+    "node_modules/@grpc/proto-loader": {
+      "version": "0.7.8",
+      "resolved": "https://registry.npmjs.org/@grpc/proto-loader/-/proto-loader-0.7.8.tgz",
+      "integrity": "sha512-GU12e2c8dmdXb7XUlOgYWZ2o2i+z9/VeACkxTA/zzAe2IjclC5PnVL0lpgjhrqfpDYHzM8B1TF6pqWegMYAzlA==",
+      "dependencies": {
+        "@types/long": "^4.0.1",
+        "lodash.camelcase": "^4.3.0",
+        "long": "^4.0.0",
+        "protobufjs": "^7.2.4",
+        "yargs": "^17.7.2"
+      },
+      "bin": {
+        "proto-loader-gen-types": "build/bin/proto-loader-gen-types.js"
+      },
+      "engines": {
+        "node": ">=6"
+      }
+    },
+    "node_modules/@jsdoc/salty": {
+      "version": "0.2.5",
+      "resolved": "https://registry.npmjs.org/@jsdoc/salty/-/salty-0.2.5.tgz",
+      "integrity": "sha512-TfRP53RqunNe2HBobVBJ0VLhK1HbfvBYeTC1ahnN64PWvyYyGebmMiPkuwvD9fpw2ZbkoPb8Q7mwy0aR8Z9rvw==",
+      "dependencies": {
+        "lodash": "^4.17.21"
+      },
+      "engines": {
+        "node": ">=v12.0.0"
+      }
+    },
+    "node_modules/@protobufjs/aspromise": {
+      "version": "1.1.2",
+      "resolved": "https://registry.npmjs.org/@protobufjs/aspromise/-/aspromise-1.1.2.tgz",
+      "integrity": "sha512-j+gKExEuLmKwvz3OgROXtrJ2UG2x8Ch2YZUxahh+s1F2HZ+wAceUNLkvy6zKCPVRkU++ZWQrdxsUeQXmcg4uoQ=="
+    },
+    "node_modules/@protobufjs/base64": {
+      "version": "1.1.2",
+      "resolved": "https://registry.npmjs.org/@protobufjs/base64/-/base64-1.1.2.tgz",
+      "integrity": "sha512-AZkcAA5vnN/v4PDqKyMR5lx7hZttPDgClv83E//FMNhR2TMcLUhfRUBHCmSl0oi9zMgDDqRUJkSxO3wm85+XLg=="
+    },
+    "node_modules/@protobufjs/codegen": {
+      "version": "2.0.4",
+      "resolved": "https://registry.npmjs.org/@protobufjs/codegen/-/codegen-2.0.4.tgz",
+      "integrity": "sha512-YyFaikqM5sH0ziFZCN3xDC7zeGaB/d0IUb9CATugHWbd1FRFwWwt4ld4OYMPWu5a3Xe01mGAULCdqhMlPl29Jg=="
+    },
+    "node_modules/@protobufjs/eventemitter": {
+      "version": "1.1.0",
+      "resolved": "https://registry.npmjs.org/@protobufjs/eventemitter/-/eventemitter-1.1.0.tgz",
+      "integrity": "sha512-j9ednRT81vYJ9OfVuXG6ERSTdEL1xVsNgqpkxMsbIabzSo3goCjDIveeGv5d03om39ML71RdmrGNjG5SReBP/Q=="
+    },
+    "node_modules/@protobufjs/fetch": {
+      "version": "1.1.0",
+      "resolved": "https://registry.npmjs.org/@protobufjs/fetch/-/fetch-1.1.0.tgz",
+      "integrity": "sha512-lljVXpqXebpsijW71PZaCYeIcE5on1w5DlQy5WH6GLbFryLUrBD4932W/E2BSpfRJWseIL4v/KPgBFxDOIdKpQ==",
+      "dependencies": {
+        "@protobufjs/aspromise": "^1.1.1",
+        "@protobufjs/inquire": "^1.1.0"
+      }
+    },
+    "node_modules/@protobufjs/float": {
+      "version": "1.0.2",
+      "resolved": "https://registry.npmjs.org/@protobufjs/float/-/float-1.0.2.tgz",
+      "integrity": "sha512-Ddb+kVXlXst9d+R9PfTIxh1EdNkgoRe5tOX6t01f1lYWOvJnSPDBlG241QLzcyPdoNTsblLUdujGSE4RzrTZGQ=="
+    },
+    "node_modules/@protobufjs/inquire": {
+      "version": "1.1.0",
+      "resolved": "https://registry.npmjs.org/@protobufjs/inquire/-/inquire-1.1.0.tgz",
+      "integrity": "sha512-kdSefcPdruJiFMVSbn801t4vFK7KB/5gd2fYvrxhuJYg8ILrmn9SKSX2tZdV6V+ksulWqS7aXjBcRXl3wHoD9Q=="
+    },
+    "node_modules/@protobufjs/path": {
+      "version": "1.1.2",
+      "resolved": "https://registry.npmjs.org/@protobufjs/path/-/path-1.1.2.tgz",
+      "integrity": "sha512-6JOcJ5Tm08dOHAbdR3GrvP+yUUfkjG5ePsHYczMFLq3ZmMkAD98cDgcT2iA1lJ9NVwFd4tH/iSSoe44YWkltEA=="
+    },
+    "node_modules/@protobufjs/pool": {
+      "version": "1.1.0",
+      "resolved": "https://registry.npmjs.org/@protobufjs/pool/-/pool-1.1.0.tgz",
+      "integrity": "sha512-0kELaGSIDBKvcgS4zkjz1PeddatrjYcmMWOlAuAPwAeccUrPHdUqo/J6LiymHHEiJT5NrF1UVwxY14f+fy4WQw=="
+    },
+    "node_modules/@protobufjs/utf8": {
+      "version": "1.1.0",
+      "resolved": "https://registry.npmjs.org/@protobufjs/utf8/-/utf8-1.1.0.tgz",
+      "integrity": "sha512-Vvn3zZrhQZkkBE8LSuW3em98c0FwgO4nxzv6OdSxPKJIEKY2bGbHn+mhGIPerzI4twdxaP8/0+06HBpwf345Lw=="
+    },
+    "node_modules/@tootallnate/once": {
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/@tootallnate/once/-/once-2.0.0.tgz",
+      "integrity": "sha512-XCuKFP5PS55gnMVu3dty8KPatLqUoy/ZYzDzAGCQ8JNFCkLXzmI7vNHCR+XpbZaMWQK/vQubr7PkYq8g470J/A==",
+      "engines": {
+        "node": ">= 10"
+      }
+    },
+    "node_modules/@types/body-parser": {
+      "version": "1.19.2",
+      "resolved": "https://registry.npmjs.org/@types/body-parser/-/body-parser-1.19.2.tgz",
+      "integrity": "sha512-ALYone6pm6QmwZoAgeyNksccT9Q4AWZQ6PvfwR37GT6r6FWUPguq6sUmNGSMV2Wr761oQoBxwGGa6DR5o1DC9g==",
+      "dependencies": {
+        "@types/connect": "*",
+        "@types/node": "*"
+      }
+    },
+    "node_modules/@types/connect": {
+      "version": "3.4.35",
+      "resolved": "https://registry.npmjs.org/@types/connect/-/connect-3.4.35.tgz",
+      "integrity": "sha512-cdeYyv4KWoEgpBISTxWvqYsVy444DOqehiF3fM3ne10AmJ62RSyNkUnxMJXHQWRQQX2eR94m5y1IZyDwBjV9FQ==",
+      "dependencies": {
+        "@types/node": "*"
+      }
+    },
+    "node_modules/@types/express": {
+      "version": "4.17.17",
+      "resolved": "https://registry.npmjs.org/@types/express/-/express-4.17.17.tgz",
+      "integrity": "sha512-Q4FmmuLGBG58btUnfS1c1r/NQdlp3DMfGDGig8WhfpA2YRUtEkxAjkZb0yvplJGYdF1fsQ81iMDcH24sSCNC/Q==",
+      "dependencies": {
+        "@types/body-parser": "*",
+        "@types/express-serve-static-core": "^4.17.33",
+        "@types/qs": "*",
+        "@types/serve-static": "*"
+      }
+    },
+    "node_modules/@types/express-serve-static-core": {
+      "version": "4.17.35",
+      "resolved": "https://registry.npmjs.org/@types/express-serve-static-core/-/express-serve-static-core-4.17.35.tgz",
+      "integrity": "sha512-wALWQwrgiB2AWTT91CB62b6Yt0sNHpznUXeZEcnPU3DRdlDIz74x8Qg1UUYKSVFi+va5vKOLYRBI1bRKiLLKIg==",
+      "dependencies": {
+        "@types/node": "*",
+        "@types/qs": "*",
+        "@types/range-parser": "*",
+        "@types/send": "*"
+      }
+    },
+    "node_modules/@types/glob": {
+      "version": "8.1.0",
+      "resolved": "https://registry.npmjs.org/@types/glob/-/glob-8.1.0.tgz",
+      "integrity": "sha512-IO+MJPVhoqz+28h1qLAcBEH2+xHMK6MTyHJc7MTnnYb6wsoLR29POVGJ7LycmVXIqyy/4/2ShP5sUwTXuOwb/w==",
+      "dependencies": {
+        "@types/minimatch": "^5.1.2",
+        "@types/node": "*"
+      }
+    },
+    "node_modules/@types/http-errors": {
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/@types/http-errors/-/http-errors-2.0.1.tgz",
+      "integrity": "sha512-/K3ds8TRAfBvi5vfjuz8y6+GiAYBZ0x4tXv1Av6CWBWn0IlADc+ZX9pMq7oU0fNQPnBwIZl3rmeLp6SBApbxSQ=="
+    },
+    "node_modules/@types/linkify-it": {
+      "version": "3.0.2",
+      "resolved": "https://registry.npmjs.org/@types/linkify-it/-/linkify-it-3.0.2.tgz",
+      "integrity": "sha512-HZQYqbiFVWufzCwexrvh694SOim8z2d+xJl5UNamcvQFejLY/2YUtzXHYi3cHdI7PMlS8ejH2slRAOJQ32aNbA=="
+    },
+    "node_modules/@types/long": {
+      "version": "4.0.2",
+      "resolved": "https://registry.npmjs.org/@types/long/-/long-4.0.2.tgz",
+      "integrity": "sha512-MqTGEo5bj5t157U6fA/BiDynNkn0YknVdh48CMPkTSpFTVmvao5UQmm7uEF6xBEo7qIMAlY/JSleYaE6VOdpaA=="
+    },
+    "node_modules/@types/markdown-it": {
+      "version": "12.2.3",
+      "resolved": "https://registry.npmjs.org/@types/markdown-it/-/markdown-it-12.2.3.tgz",
+      "integrity": "sha512-GKMHFfv3458yYy+v/N8gjufHO6MSZKCOXpZc5GXIWWy8uldwfmPn98vp81gZ5f9SVw8YYBctgfJ22a2d7AOMeQ==",
+      "dependencies": {
+        "@types/linkify-it": "*",
+        "@types/mdurl": "*"
+      }
+    },
+    "node_modules/@types/mdurl": {
+      "version": "1.0.2",
+      "resolved": "https://registry.npmjs.org/@types/mdurl/-/mdurl-1.0.2.tgz",
+      "integrity": "sha512-eC4U9MlIcu2q0KQmXszyn5Akca/0jrQmwDRgpAMJai7qBWq4amIQhZyNau4VYGtCeALvW1/NtjzJJ567aZxfKA=="
+    },
+    "node_modules/@types/mime": {
+      "version": "1.3.2",
+      "resolved": "https://registry.npmjs.org/@types/mime/-/mime-1.3.2.tgz",
+      "integrity": "sha512-YATxVxgRqNH6nHEIsvg6k2Boc1JHI9ZbH5iWFFv/MTkchz3b1ieGDa5T0a9RznNdI0KhVbdbWSN+KWWrQZRxTw=="
+    },
+    "node_modules/@types/minimatch": {
+      "version": "5.1.2",
+      "resolved": "https://registry.npmjs.org/@types/minimatch/-/minimatch-5.1.2.tgz",
+      "integrity": "sha512-K0VQKziLUWkVKiRVrx4a40iPaxTUefQmjtkQofBkYRcoaaL/8rhwDWww9qWbrgicNOgnpIsMxyNIUM4+n6dUIA=="
+    },
+    "node_modules/@types/node": {
+      "version": "20.4.4",
+      "resolved": "https://registry.npmjs.org/@types/node/-/node-20.4.4.tgz",
+      "integrity": "sha512-CukZhumInROvLq3+b5gLev+vgpsIqC2D0deQr/yS1WnxvmYLlJXZpaQrQiseMY+6xusl79E04UjWoqyr+t1/Ew=="
+    },
+    "node_modules/@types/normalize-package-data": {
+      "version": "2.4.1",
+      "resolved": "https://registry.npmjs.org/@types/normalize-package-data/-/normalize-package-data-2.4.1.tgz",
+      "integrity": "sha512-Gj7cI7z+98M282Tqmp2K5EIsoouUEzbBJhQQzDE3jSIRk6r9gsz0oUokqIUR4u1R3dMHo0pDHM7sNOHyhulypw=="
+    },
+    "node_modules/@types/qs": {
+      "version": "6.9.7",
+      "resolved": "https://registry.npmjs.org/@types/qs/-/qs-6.9.7.tgz",
+      "integrity": "sha512-FGa1F62FT09qcrueBA6qYTrJPVDzah9a+493+o2PCXsesWHIn27G98TsSMs3WPNbZIEj4+VJf6saSFpvD+3Zsw=="
+    },
+    "node_modules/@types/range-parser": {
+      "version": "1.2.4",
+      "resolved": "https://registry.npmjs.org/@types/range-parser/-/range-parser-1.2.4.tgz",
+      "integrity": "sha512-EEhsLsD6UsDM1yFhAvy0Cjr6VwmpMWqFBCb9w07wVugF7w9nfajxLuVmngTIpgS6svCnm6Vaw+MZhoDCKnOfsw=="
+    },
+    "node_modules/@types/rimraf": {
+      "version": "3.0.2",
+      "resolved": "https://registry.npmjs.org/@types/rimraf/-/rimraf-3.0.2.tgz",
+      "integrity": "sha512-F3OznnSLAUxFrCEu/L5PY8+ny8DtcFRjx7fZZ9bycvXRi3KPTRS9HOitGZwvPg0juRhXFWIeKX58cnX5YqLohQ==",
+      "dependencies": {
+        "@types/glob": "*",
+        "@types/node": "*"
+      }
+    },
+    "node_modules/@types/send": {
+      "version": "0.17.1",
+      "resolved": "https://registry.npmjs.org/@types/send/-/send-0.17.1.tgz",
+      "integrity": "sha512-Cwo8LE/0rnvX7kIIa3QHCkcuF21c05Ayb0ZfxPiv0W8VRiZiNW/WuRupHKpqqGVGf7SUA44QSOUKaEd9lIrd/Q==",
+      "dependencies": {
+        "@types/mime": "^1",
+        "@types/node": "*"
+      }
+    },
+    "node_modules/@types/serve-static": {
+      "version": "1.15.2",
+      "resolved": "https://registry.npmjs.org/@types/serve-static/-/serve-static-1.15.2.tgz",
+      "integrity": "sha512-J2LqtvFYCzaj8pVYKw8klQXrLLk7TBZmQ4ShlcdkELFKGwGMfevMLneMMRkMgZxotOD9wg497LpC7O8PcvAmfw==",
+      "dependencies": {
+        "@types/http-errors": "*",
+        "@types/mime": "*",
+        "@types/node": "*"
+      }
+    },
+    "node_modules/abort-controller": {
+      "version": "3.0.0",
+      "resolved": "https://registry.npmjs.org/abort-controller/-/abort-controller-3.0.0.tgz",
+      "integrity": "sha512-h8lQ8tacZYnR3vNQTgibj+tODHI5/+l06Au2Pcriv/Gmet0eaj4TwWH41sO9wnHDiQsEj19q0drzdWdeAHtweg==",
+      "dependencies": {
+        "event-target-shim": "^5.0.0"
+      },
+      "engines": {
+        "node": ">=6.5"
+      }
+    },
+    "node_modules/accepts": {
+      "version": "1.3.8",
+      "resolved": "https://registry.npmjs.org/accepts/-/accepts-1.3.8.tgz",
+      "integrity": "sha512-PYAthTa2m2VKxuvSD3DPC/Gy+U+sOA1LAuT8mkmRuvw+NACSaeXEQ+NHcVF7rONl6qcaxV3Uuemwawk+7+SJLw==",
+      "dependencies": {
+        "mime-types": "~2.1.34",
+        "negotiator": "0.6.3"
+      },
+      "engines": {
+        "node": ">= 0.6"
+      }
+    },
+    "node_modules/acorn": {
+      "version": "8.10.0",
+      "resolved": "https://registry.npmjs.org/acorn/-/acorn-8.10.0.tgz",
+      "integrity": "sha512-F0SAmZ8iUtS//m8DmCTA0jlh6TDKkHQyK6xc6V4KDTyZKA9dnvX9/3sRTVQrWm79glUAZbnmmNcdYwUIHWVybw==",
+      "bin": {
+        "acorn": "bin/acorn"
+      },
+      "engines": {
+        "node": ">=0.4.0"
+      }
+    },
+    "node_modules/acorn-jsx": {
+      "version": "5.3.2",
+      "resolved": "https://registry.npmjs.org/acorn-jsx/-/acorn-jsx-5.3.2.tgz",
+      "integrity": "sha512-rq9s+JNhf0IChjtDXxllJ7g41oZk5SlXtp0LHwyA5cejwn7vKmKp4pPri6YEePv2PU65sAsegbXtIinmDFDXgQ==",
+      "peerDependencies": {
+        "acorn": "^6.0.0 || ^7.0.0 || ^8.0.0"
+      }
+    },
+    "node_modules/agent-base": {
+      "version": "6.0.2",
+      "resolved": "https://registry.npmjs.org/agent-base/-/agent-base-6.0.2.tgz",
+      "integrity": "sha512-RZNwNclF7+MS/8bDg70amg32dyeZGZxiDuQmZxKLAlQjr3jGyLx+4Kkk58UO7D2QdgFIQCovuSuZESne6RG6XQ==",
+      "dependencies": {
+        "debug": "4"
+      },
+      "engines": {
+        "node": ">= 6.0.0"
+      }
+    },
+    "node_modules/agent-base/node_modules/debug": {
+      "version": "4.3.4",
+      "resolved": "https://registry.npmjs.org/debug/-/debug-4.3.4.tgz",
+      "integrity": "sha512-PRWFHuSU3eDtQJPvnNY7Jcket1j0t5OuOsFzPPzsekD52Zl8qUfFIPEiswXqIvHWGVHOgX+7G/vCNNhehwxfkQ==",
+      "dependencies": {
+        "ms": "2.1.2"
+      },
+      "engines": {
+        "node": ">=6.0"
+      },
+      "peerDependenciesMeta": {
+        "supports-color": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/agent-base/node_modules/ms": {
+      "version": "2.1.2",
+      "resolved": "https://registry.npmjs.org/ms/-/ms-2.1.2.tgz",
+      "integrity": "sha512-sGkPx+VjMtmA6MX27oA4FBFELFCZZ4S4XqeGOXCv68tT+jb3vk/RyaKWP0PTKyWtmLSM0b+adUTEvbs1PEaH2w=="
+    },
+    "node_modules/ajv": {
+      "version": "8.12.0",
+      "resolved": "https://registry.npmjs.org/ajv/-/ajv-8.12.0.tgz",
+      "integrity": "sha512-sRu1kpcO9yLtYxBKvqfTeh9KzZEwO3STyX1HT+4CaDzC6HpTGYhIhPIzj9XuKU7KYDwnaeh5hcOwjy1QuJzBPA==",
+      "dependencies": {
+        "fast-deep-equal": "^3.1.1",
+        "json-schema-traverse": "^1.0.0",
+        "require-from-string": "^2.0.2",
+        "uri-js": "^4.2.2"
+      },
+      "funding": {
+        "type": "github",
+        "url": "https://github.com/sponsors/epoberezkin"
+      }
+    },
+    "node_modules/ajv-formats": {
+      "version": "2.1.1",
+      "resolved": "https://registry.npmjs.org/ajv-formats/-/ajv-formats-2.1.1.tgz",
+      "integrity": "sha512-Wx0Kx52hxE7C18hkMEggYlEifqWZtYaRgouJor+WMdPnQyEK13vgEWyVNup7SoeeoLMsr4kf5h6dOW11I15MUA==",
+      "dependencies": {
+        "ajv": "^8.0.0"
+      },
+      "peerDependencies": {
+        "ajv": "^8.0.0"
+      },
+      "peerDependenciesMeta": {
+        "ajv": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/ansi-regex": {
+      "version": "5.0.1",
+      "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-5.0.1.tgz",
+      "integrity": "sha512-quJQXlTSUGL2LH9SUXo8VwsY4soanhgo6LNSm84E1LBcE8s3O0wpdiRzyR9z/ZZJMlMWv37qOOb9pdJlMUEKFQ==",
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/ansi-styles": {
+      "version": "3.2.1",
+      "resolved": "https://registry.npmjs.org/ansi-styles/-/ansi-styles-3.2.1.tgz",
+      "integrity": "sha512-VT0ZI6kZRdTh8YyJw3SMbYm/u+NqfsAxEpWO0Pf9sq8/e94WxxOpPKx9FR1FlyCtOVDNOQ+8ntlqFxiRc+r5qA==",
+      "dependencies": {
+        "color-convert": "^1.9.0"
+      },
+      "engines": {
+        "node": ">=4"
+      }
+    },
+    "node_modules/argparse": {
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/argparse/-/argparse-2.0.1.tgz",
+      "integrity": "sha512-8+9WqebbFzpX9OR+Wa6O29asIogeRMzcGtAINdpMHHyAg10f05aSFVBbcEqGf/PXw1EjAZ+q2/bEBg3DvurK3Q=="
+    },
+    "node_modules/array-flatten": {
+      "version": "1.1.1",
+      "resolved": "https://registry.npmjs.org/array-flatten/-/array-flatten-1.1.1.tgz",
+      "integrity": "sha512-PCVAQswWemu6UdxsDFFX/+gVeYqKAod3D3UVm91jHwynguOwAvYPhx8nNlM++NqRcK6CxxpUafjmhIdKiHibqg=="
+    },
+    "node_modules/arrify": {
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/arrify/-/arrify-2.0.1.tgz",
+      "integrity": "sha512-3duEwti880xqi4eAMN8AyR4a0ByT90zoYdLlevfrvU43vb0YZwZVfxOgxWrLXXXpyugL0hNZc9G6BiB5B3nUug==",
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/available-typed-arrays": {
+      "version": "1.0.5",
+      "resolved": "https://registry.npmjs.org/available-typed-arrays/-/available-typed-arrays-1.0.5.tgz",
+      "integrity": "sha512-DMD0KiN46eipeziST1LPP/STfDU0sufISXmjSgvVsoU2tqxctQeASejWcfNtxYKqETM1UxQ8sp2OrSBWpHY6sw==",
+      "engines": {
+        "node": ">= 0.4"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/balanced-match": {
+      "version": "1.0.2",
+      "resolved": "https://registry.npmjs.org/balanced-match/-/balanced-match-1.0.2.tgz",
+      "integrity": "sha512-3oSeUO0TMV67hN1AmbXsK4yaqU7tjiHlbxRDZOpH0KW9+CeX4bRAaX0Anxt0tx2MrpRpWwQaPwIlISEJhYU5Pw=="
+    },
+    "node_modules/base64-js": {
+      "version": "1.5.1",
+      "resolved": "https://registry.npmjs.org/base64-js/-/base64-js-1.5.1.tgz",
+      "integrity": "sha512-AKpaYlHn8t4SVbOHCy+b5+KKgvR4vrsD8vbvrbiQJps7fKDTkjkDry6ji0rUJjC0kzbNePLwzxq8iypo41qeWA==",
+      "funding": [
+        {
+          "type": "github",
+          "url": "https://github.com/sponsors/feross"
+        },
+        {
+          "type": "patreon",
+          "url": "https://www.patreon.com/feross"
+        },
+        {
+          "type": "consulting",
+          "url": "https://feross.org/support"
+        }
+      ]
+    },
+    "node_modules/bignumber.js": {
+      "version": "9.1.1",
+      "resolved": "https://registry.npmjs.org/bignumber.js/-/bignumber.js-9.1.1.tgz",
+      "integrity": "sha512-pHm4LsMJ6lzgNGVfZHjMoO8sdoRhOzOH4MLmY65Jg70bpxCKu5iOHNJyfF6OyvYw7t8Fpf35RuzUyqnQsj8Vig==",
+      "engines": {
+        "node": "*"
+      }
+    },
+    "node_modules/bluebird": {
+      "version": "3.7.2",
+      "resolved": "https://registry.npmjs.org/bluebird/-/bluebird-3.7.2.tgz",
+      "integrity": "sha512-XpNj6GDQzdfW+r2Wnn7xiSAd7TM3jzkxGXBGTtWKuSXv1xUV+azxAm8jdWZN06QTQk+2N2XB9jRDkvbmQmcRtg=="
+    },
+    "node_modules/body-parser": {
+      "version": "1.20.2",
+      "resolved": "https://registry.npmjs.org/body-parser/-/body-parser-1.20.2.tgz",
+      "integrity": "sha512-ml9pReCu3M61kGlqoTm2umSXTlRTuGTx0bfYj+uIUKKYycG5NtSbeetV3faSU6R7ajOPw0g/J1PvK4qNy7s5bA==",
+      "dependencies": {
+        "bytes": "3.1.2",
+        "content-type": "~1.0.5",
+        "debug": "2.6.9",
+        "depd": "2.0.0",
+        "destroy": "1.2.0",
+        "http-errors": "2.0.0",
+        "iconv-lite": "0.4.24",
+        "on-finished": "2.4.1",
+        "qs": "6.11.0",
+        "raw-body": "2.5.2",
+        "type-is": "~1.6.18",
+        "unpipe": "1.0.0"
+      },
+      "engines": {
+        "node": ">= 0.8",
+        "npm": "1.2.8000 || >= 1.4.16"
+      }
+    },
+    "node_modules/brace-expansion": {
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.0.1.tgz",
+      "integrity": "sha512-XnAIvQ8eM+kC6aULx6wuQiwVsnzsi9d3WxzV3FpWTGA19F621kwdbsAcFKXgKUHZWsy+mY6iL1sHTxWEFCytDA==",
+      "dependencies": {
+        "balanced-match": "^1.0.0"
+      }
+    },
+    "node_modules/buffer-equal-constant-time": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/buffer-equal-constant-time/-/buffer-equal-constant-time-1.0.1.tgz",
+      "integrity": "sha512-zRpUiDwd/xk6ADqPMATG8vc9VPrkck7T07OIx0gnjmJAnHnTVXNQG3vfvWNuiZIkwu9KrKdA1iJKfsfTVxE6NA=="
+    },
+    "node_modules/bunyan": {
+      "version": "1.8.15",
+      "resolved": "https://registry.npmjs.org/bunyan/-/bunyan-1.8.15.tgz",
+      "integrity": "sha512-0tECWShh6wUysgucJcBAoYegf3JJoZWibxdqhTm7OHPeT42qdjkZ29QCMcKwbgU1kiH+auSIasNRXMLWXafXig==",
+      "engines": [
+        "node >=0.10.0"
+      ],
+      "bin": {
+        "bunyan": "bin/bunyan"
+      },
+      "optionalDependencies": {
+        "dtrace-provider": "~0.8",
+        "moment": "^2.19.3",
+        "mv": "~2",
+        "safe-json-stringify": "~1"
+      }
+    },
+    "node_modules/bytes": {
+      "version": "3.1.2",
+      "resolved": "https://registry.npmjs.org/bytes/-/bytes-3.1.2.tgz",
+      "integrity": "sha512-/Nf7TyzTx6S3yRJObOAV7956r8cr2+Oj8AC5dt8wSP3BQAoeX58NoHyCU8P8zGkNXStjTSi6fzO6F0pBdcYbEg==",
+      "engines": {
+        "node": ">= 0.8"
+      }
+    },
+    "node_modules/call-bind": {
+      "version": "1.0.2",
+      "resolved": "https://registry.npmjs.org/call-bind/-/call-bind-1.0.2.tgz",
+      "integrity": "sha512-7O+FbCihrB5WGbFYesctwmTKae6rOiIzmz1icreWJ+0aA7LJfuqhEso2T9ncpcFtzMQtzXf2QGGueWJGTYsqrA==",
+      "dependencies": {
+        "function-bind": "^1.1.1",
+        "get-intrinsic": "^1.0.2"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/catharsis": {
+      "version": "0.9.0",
+      "resolved": "https://registry.npmjs.org/catharsis/-/catharsis-0.9.0.tgz",
+      "integrity": "sha512-prMTQVpcns/tzFgFVkVp6ak6RykZyWb3gu8ckUpd6YkTlacOd3DXGJjIpD4Q6zJirizvaiAjSSHlOsA+6sNh2A==",
+      "dependencies": {
+        "lodash": "^4.17.15"
+      },
+      "engines": {
+        "node": ">= 10"
+      }
+    },
+    "node_modules/chalk": {
+      "version": "2.4.2",
+      "resolved": "https://registry.npmjs.org/chalk/-/chalk-2.4.2.tgz",
+      "integrity": "sha512-Mti+f9lpJNcwF4tWV8/OrTTtF1gZi+f8FqlyAdouralcFWFQWF2+NgCHShjkCb+IFBLq9buZwE1xckQU4peSuQ==",
+      "dependencies": {
+        "ansi-styles": "^3.2.1",
+        "escape-string-regexp": "^1.0.5",
+        "supports-color": "^5.3.0"
+      },
+      "engines": {
+        "node": ">=4"
+      }
+    },
+    "node_modules/cliui": {
+      "version": "8.0.1",
+      "resolved": "https://registry.npmjs.org/cliui/-/cliui-8.0.1.tgz",
+      "integrity": "sha512-BSeNnyus75C4//NQ9gQt1/csTXyo/8Sb+afLAkzAptFuMsod9HFokGNudZpi/oQV73hnVK+sR+5PVRMd+Dr7YQ==",
+      "dependencies": {
+        "string-width": "^4.2.0",
+        "strip-ansi": "^6.0.1",
+        "wrap-ansi": "^7.0.0"
+      },
+      "engines": {
+        "node": ">=12"
+      }
+    },
+    "node_modules/cloudevents": {
+      "version": "7.0.2",
+      "resolved": "https://registry.npmjs.org/cloudevents/-/cloudevents-7.0.2.tgz",
+      "integrity": "sha512-WiOqWsNkMZmMMZ6xa3kzx/MA+8+V+c5eGkStZIcik+Px2xCobmzcacw1EOGyfhODaQKkIv8TxXOOLzV69oXFqA==",
+      "dependencies": {
+        "ajv": "^8.11.0",
+        "ajv-formats": "^2.1.1",
+        "json-bigint": "^1.0.0",
+        "process": "^0.11.10",
+        "util": "^0.12.4",
+        "uuid": "^8.3.2"
+      },
+      "engines": {
+        "node": ">=16 <=20"
+      }
+    },
+    "node_modules/color-convert": {
+      "version": "1.9.3",
+      "resolved": "https://registry.npmjs.org/color-convert/-/color-convert-1.9.3.tgz",
+      "integrity": "sha512-QfAUtd+vFdAtFQcC8CCyYt1fYWxSqAiK2cSD6zDB8N3cpsEBAvRxp9zOGg6G/SHHJYAT88/az/IuDGALsNVbGg==",
+      "dependencies": {
+        "color-name": "1.1.3"
+      }
+    },
+    "node_modules/color-name": {
+      "version": "1.1.3",
+      "resolved": "https://registry.npmjs.org/color-name/-/color-name-1.1.3.tgz",
+      "integrity": "sha512-72fSenhMw2HZMTVHeCA9KCmpEIbzWiQsjN+BHcBbS9vr1mtt+vJjPdksIBNUmKAW8TFUDPJK5SUU3QhE9NEXDw=="
+    },
+    "node_modules/concat-map": {
+      "version": "0.0.1",
+      "resolved": "https://registry.npmjs.org/concat-map/-/concat-map-0.0.1.tgz",
+      "integrity": "sha512-/Srv4dswyQNBfohGpz9o6Yb3Gz3SrUDqBH5rTuhGR7ahtlbYKnVxw2bCFMRljaA7EXHaXZ8wsHdodFvbkhKmqg=="
+    },
+    "node_modules/content-disposition": {
+      "version": "0.5.4",
+      "resolved": "https://registry.npmjs.org/content-disposition/-/content-disposition-0.5.4.tgz",
+      "integrity": "sha512-FveZTNuGw04cxlAiWbzi6zTAL/lhehaWbTtgluJh4/E95DqMwTmha3KZN1aAWA8cFIhHzMZUvLevkw5Rqk+tSQ==",
+      "dependencies": {
+        "safe-buffer": "5.2.1"
+      },
+      "engines": {
+        "node": ">= 0.6"
+      }
+    },
+    "node_modules/content-type": {
+      "version": "1.0.5",
+      "resolved": "https://registry.npmjs.org/content-type/-/content-type-1.0.5.tgz",
+      "integrity": "sha512-nTjqfcBFEipKdXCv4YDQWCfmcLZKm81ldF0pAopTvyrFGVbcR6P/VAAd5G7N+0tTr8QqiU0tFadD6FK4NtJwOA==",
+      "engines": {
+        "node": ">= 0.6"
+      }
+    },
+    "node_modules/cookie": {
+      "version": "0.5.0",
+      "resolved": "https://registry.npmjs.org/cookie/-/cookie-0.5.0.tgz",
+      "integrity": "sha512-YZ3GUyn/o8gfKJlnlX7g7xq4gyO6OSuhGPKaaGssGB2qgDUS0gPgtTvoyZLTt9Ab6dC4hfc9dV5arkvc/OCmrw==",
+      "engines": {
+        "node": ">= 0.6"
+      }
+    },
+    "node_modules/cookie-signature": {
+      "version": "1.0.6",
+      "resolved": "https://registry.npmjs.org/cookie-signature/-/cookie-signature-1.0.6.tgz",
+      "integrity": "sha512-QADzlaHc8icV8I7vbaJXJwod9HWYp8uCqf1xa4OfNu1T7JVxQIrUgOWtHdNDtPiywmFbiS12VjotIXLrKM3orQ=="
+    },
+    "node_modules/debug": {
+      "version": "2.6.9",
+      "resolved": "https://registry.npmjs.org/debug/-/debug-2.6.9.tgz",
+      "integrity": "sha512-bC7ElrdJaJnPbAP+1EotYvqZsb3ecl5wi6Bfi6BJTUcNowp6cvspg0jXznRTKDjm/E7AdgFBVeAPVMNcKGsHMA==",
+      "dependencies": {
+        "ms": "2.0.0"
+      }
+    },
+    "node_modules/deep-is": {
+      "version": "0.1.4",
+      "resolved": "https://registry.npmjs.org/deep-is/-/deep-is-0.1.4.tgz",
+      "integrity": "sha512-oIPzksmTg4/MriiaYGO+okXDT7ztn/w3Eptv/+gSIdMdKsJo0u4CfYNFJPy+4SKMuCqGw2wxnA+URMg3t8a/bQ=="
+    },
+    "node_modules/depd": {
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/depd/-/depd-2.0.0.tgz",
+      "integrity": "sha512-g7nH6P6dyDioJogAAGprGpCtVImJhpPk/roCzdb3fIh61/s/nPsfR6onyMwkCAR/OlC3yBC0lESvUoQEAssIrw==",
+      "engines": {
+        "node": ">= 0.8"
+      }
+    },
+    "node_modules/destroy": {
+      "version": "1.2.0",
+      "resolved": "https://registry.npmjs.org/destroy/-/destroy-1.2.0.tgz",
+      "integrity": "sha512-2sJGJTaXIIaR1w4iJSNoN0hnMY7Gpc/n8D4qSCJw8QqFWXf7cuAgnEHxBpweaVcPevC2l3KpjYCx3NypQQgaJg==",
+      "engines": {
+        "node": ">= 0.8",
+        "npm": "1.2.8000 || >= 1.4.16"
+      }
+    },
+    "node_modules/dot-prop": {
+      "version": "6.0.1",
+      "resolved": "https://registry.npmjs.org/dot-prop/-/dot-prop-6.0.1.tgz",
+      "integrity": "sha512-tE7ztYzXHIeyvc7N+hR3oi7FIbf/NIjVP9hmAt3yMXzrQ072/fpjGLx2GxNxGxUl5V73MEqYzioOMoVhGMJ5cA==",
+      "dependencies": {
+        "is-obj": "^2.0.0"
+      },
+      "engines": {
+        "node": ">=10"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
+    "node_modules/dtrace-provider": {
+      "version": "0.8.8",
+      "resolved": "https://registry.npmjs.org/dtrace-provider/-/dtrace-provider-0.8.8.tgz",
+      "integrity": "sha512-b7Z7cNtHPhH9EJhNNbbeqTcXB8LGFFZhq1PGgEvpeHlzd36bhbdTWoE/Ba/YguqpBSlAPKnARWhVlhunCMwfxg==",
+      "hasInstallScript": true,
+      "optional": true,
+      "dependencies": {
+        "nan": "^2.14.0"
+      },
+      "engines": {
+        "node": ">=0.10"
+      }
+    },
+    "node_modules/duplexify": {
+      "version": "4.1.2",
+      "resolved": "https://registry.npmjs.org/duplexify/-/duplexify-4.1.2.tgz",
+      "integrity": "sha512-fz3OjcNCHmRP12MJoZMPglx8m4rrFP8rovnk4vT8Fs+aonZoCwGg10dSsQsfP/E62eZcPTMSMP6686fu9Qlqtw==",
+      "dependencies": {
+        "end-of-stream": "^1.4.1",
+        "inherits": "^2.0.3",
+        "readable-stream": "^3.1.1",
+        "stream-shift": "^1.0.0"
+      }
+    },
+    "node_modules/ecdsa-sig-formatter": {
+      "version": "1.0.11",
+      "resolved": "https://registry.npmjs.org/ecdsa-sig-formatter/-/ecdsa-sig-formatter-1.0.11.tgz",
+      "integrity": "sha512-nagl3RYrbNv6kQkeJIpt6NJZy8twLB/2vtz6yN9Z4vRKHN4/QZJIEbqohALSgwKdnksuY3k5Addp5lg8sVoVcQ==",
+      "dependencies": {
+        "safe-buffer": "^5.0.1"
+      }
+    },
+    "node_modules/ee-first": {
+      "version": "1.1.1",
+      "resolved": "https://registry.npmjs.org/ee-first/-/ee-first-1.1.1.tgz",
+      "integrity": "sha512-WMwm9LhRUo+WUaRN+vRuETqG89IgZphVSNkdFgeb6sS/E4OrDIN7t48CAewSHXc6C8lefD8KKfr5vY61brQlow=="
+    },
+    "node_modules/emoji-regex": {
+      "version": "8.0.0",
+      "resolved": "https://registry.npmjs.org/emoji-regex/-/emoji-regex-8.0.0.tgz",
+      "integrity": "sha512-MSjYzcWNOA0ewAHpz0MxpYFvwg6yjy1NG3xteoqz644VCo/RPgnr1/GGt+ic3iJTzQ8Eu3TdM14SawnVUmGE6A=="
+    },
+    "node_modules/encodeurl": {
+      "version": "1.0.2",
+      "resolved": "https://registry.npmjs.org/encodeurl/-/encodeurl-1.0.2.tgz",
+      "integrity": "sha512-TPJXq8JqFaVYm2CWmPvnP2Iyo4ZSM7/QKcSmuMLDObfpH5fi7RUGmd/rTDf+rut/saiDiQEeVTNgAmJEdAOx0w==",
+      "engines": {
+        "node": ">= 0.8"
+      }
+    },
+    "node_modules/end-of-stream": {
+      "version": "1.4.4",
+      "resolved": "https://registry.npmjs.org/end-of-stream/-/end-of-stream-1.4.4.tgz",
+      "integrity": "sha512-+uw1inIHVPQoaVuHzRyXd21icM+cnt4CzD5rW+NC1wjOUSTOs+Te7FOv7AhN7vS9x/oIyhLP5PR1H+phQAHu5Q==",
+      "dependencies": {
+        "once": "^1.4.0"
+      }
+    },
+    "node_modules/ent": {
+      "version": "2.2.0",
+      "resolved": "https://registry.npmjs.org/ent/-/ent-2.2.0.tgz",
+      "integrity": "sha512-GHrMyVZQWvTIdDtpiEXdHZnFQKzeO09apj8Cbl4pKWy4i0Oprcq17usfDt5aO63swf0JOeMWjWQE/LzgSRuWpA=="
+    },
+    "node_modules/entities": {
+      "version": "2.1.0",
+      "resolved": "https://registry.npmjs.org/entities/-/entities-2.1.0.tgz",
+      "integrity": "sha512-hCx1oky9PFrJ611mf0ifBLBRW8lUUVRlFolb5gWRfIELabBlbp9xZvrqZLZAs+NxFnbfQoeGd8wDkygjg7U85w==",
+      "funding": {
+        "url": "https://github.com/fb55/entities?sponsor=1"
+      }
+    },
+    "node_modules/error-ex": {
+      "version": "1.3.2",
+      "resolved": "https://registry.npmjs.org/error-ex/-/error-ex-1.3.2.tgz",
+      "integrity": "sha512-7dFHNmqeFSEt2ZBsCriorKnn3Z2pj+fd9kmI6QoWw4//DL+icEBfc0U7qJCisqrTsKTjw4fNFy2pW9OqStD84g==",
+      "dependencies": {
+        "is-arrayish": "^0.2.1"
+      }
+    },
+    "node_modules/escalade": {
+      "version": "3.1.1",
+      "resolved": "https://registry.npmjs.org/escalade/-/escalade-3.1.1.tgz",
+      "integrity": "sha512-k0er2gUkLf8O0zKJiAhmkTnJlTvINGv7ygDNPbeIsX/TJjGJZHuh9B2UxbsaEkmlEo9MfhrSzmhIlhRlI2GXnw==",
+      "engines": {
+        "node": ">=6"
+      }
+    },
+    "node_modules/escape-html": {
+      "version": "1.0.3",
+      "resolved": "https://registry.npmjs.org/escape-html/-/escape-html-1.0.3.tgz",
+      "integrity": "sha512-NiSupZ4OeuGwr68lGIeym/ksIZMJodUGOSCZ/FSnTxcrekbvqrgdUxlJOMpijaKZVjAJrWrGs/6Jy8OMuyj9ow=="
+    },
+    "node_modules/escape-string-regexp": {
+      "version": "1.0.5",
+      "resolved": "https://registry.npmjs.org/escape-string-regexp/-/escape-string-regexp-1.0.5.tgz",
+      "integrity": "sha512-vbRorB5FUQWvla16U8R/qgaFIya2qGzwDrNmCZuYKrbdSUMG6I1ZCGQRefkRVhuOkIGVne7BQ35DSfo1qvJqFg==",
+      "engines": {
+        "node": ">=0.8.0"
+      }
+    },
+    "node_modules/escodegen": {
+      "version": "1.14.3",
+      "resolved": "https://registry.npmjs.org/escodegen/-/escodegen-1.14.3.tgz",
+      "integrity": "sha512-qFcX0XJkdg+PB3xjZZG/wKSuT1PnQWx57+TVSjIMmILd2yC/6ByYElPwJnslDsuWuSAp4AwJGumarAAmJch5Kw==",
+      "dependencies": {
+        "esprima": "^4.0.1",
+        "estraverse": "^4.2.0",
+        "esutils": "^2.0.2",
+        "optionator": "^0.8.1"
+      },
+      "bin": {
+        "escodegen": "bin/escodegen.js",
+        "esgenerate": "bin/esgenerate.js"
+      },
+      "engines": {
+        "node": ">=4.0"
+      },
+      "optionalDependencies": {
+        "source-map": "~0.6.1"
+      }
+    },
+    "node_modules/escodegen/node_modules/estraverse": {
+      "version": "4.3.0",
+      "resolved": "https://registry.npmjs.org/estraverse/-/estraverse-4.3.0.tgz",
+      "integrity": "sha512-39nnKffWz8xN1BU/2c79n9nB9HDzo0niYUqx6xyqUnyoAnQyyWpOTdZEeiCch8BBu515t4wp9ZmgVfVhn9EBpw==",
+      "engines": {
+        "node": ">=4.0"
+      }
+    },
+    "node_modules/eslint-visitor-keys": {
+      "version": "3.4.1",
+      "resolved": "https://registry.npmjs.org/eslint-visitor-keys/-/eslint-visitor-keys-3.4.1.tgz",
+      "integrity": "sha512-pZnmmLwYzf+kWaM/Qgrvpen51upAktaaiI01nsJD/Yr3lMOdNtq0cxkrrg16w64VtisN6okbs7Q8AfGqj4c9fA==",
+      "engines": {
+        "node": "^12.22.0 || ^14.17.0 || >=16.0.0"
+      },
+      "funding": {
+        "url": "https://opencollective.com/eslint"
+      }
+    },
+    "node_modules/espree": {
+      "version": "9.6.1",
+      "resolved": "https://registry.npmjs.org/espree/-/espree-9.6.1.tgz",
+      "integrity": "sha512-oruZaFkjorTpF32kDSI5/75ViwGeZginGGy2NoOSg3Q9bnwlnmDm4HLnkl0RE3n+njDXR037aY1+x58Z/zFdwQ==",
+      "dependencies": {
+        "acorn": "^8.9.0",
+        "acorn-jsx": "^5.3.2",
+        "eslint-visitor-keys": "^3.4.1"
+      },
+      "engines": {
+        "node": "^12.22.0 || ^14.17.0 || >=16.0.0"
+      },
+      "funding": {
+        "url": "https://opencollective.com/eslint"
+      }
+    },
+    "node_modules/esprima": {
+      "version": "4.0.1",
+      "resolved": "https://registry.npmjs.org/esprima/-/esprima-4.0.1.tgz",
+      "integrity": "sha512-eGuFFw7Upda+g4p+QHvnW0RyTX/SVeJBDM/gCtMARO0cLuT2HcEKnTPvhjV6aGeqrCB/sbNop0Kszm0jsaWU4A==",
+      "bin": {
+        "esparse": "bin/esparse.js",
+        "esvalidate": "bin/esvalidate.js"
+      },
+      "engines": {
+        "node": ">=4"
+      }
+    },
+    "node_modules/estraverse": {
+      "version": "5.3.0",
+      "resolved": "https://registry.npmjs.org/estraverse/-/estraverse-5.3.0.tgz",
+      "integrity": "sha512-MMdARuVEQziNTeJD8DgMqmhwR11BRQ/cBP+pLtYdSTnf3MIO8fFeiINEbX36ZdNlfU/7A9f3gUw49B3oQsvwBA==",
+      "engines": {
+        "node": ">=4.0"
+      }
+    },
+    "node_modules/esutils": {
+      "version": "2.0.3",
+      "resolved": "https://registry.npmjs.org/esutils/-/esutils-2.0.3.tgz",
+      "integrity": "sha512-kVscqXk4OCp68SZ0dkgEKVi6/8ij300KBWTJq32P/dYeWTSwK41WyTxalN1eRmA5Z9UU/LX9D7FWSmV9SAYx6g==",
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/etag": {
+      "version": "1.8.1",
+      "resolved": "https://registry.npmjs.org/etag/-/etag-1.8.1.tgz",
+      "integrity": "sha512-aIL5Fx7mawVa300al2BnEE4iNvo1qETxLrPI/o05L7z6go7fCw1J6EQmbK4FmJ2AS7kgVF/KEZWufBfdClMcPg==",
+      "engines": {
+        "node": ">= 0.6"
+      }
+    },
+    "node_modules/event-target-shim": {
+      "version": "5.0.1",
+      "resolved": "https://registry.npmjs.org/event-target-shim/-/event-target-shim-5.0.1.tgz",
+      "integrity": "sha512-i/2XbnSz/uxRCU6+NdVJgKWDTM427+MqYbkQzD321DuCQJUqOuJKIA0IM2+W2xtYHdKOmZ4dR6fExsd4SXL+WQ==",
+      "engines": {
+        "node": ">=6"
+      }
+    },
+    "node_modules/eventid": {
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/eventid/-/eventid-2.0.1.tgz",
+      "integrity": "sha512-sPNTqiMokAvV048P2c9+foqVJzk49o6d4e0D/sq5jog3pw+4kBgyR0gaM1FM7Mx6Kzd9dztesh9oYz1LWWOpzw==",
+      "dependencies": {
+        "uuid": "^8.0.0"
+      },
+      "engines": {
+        "node": ">=10"
+      }
+    },
+    "node_modules/express": {
+      "version": "4.18.2",
+      "resolved": "https://registry.npmjs.org/express/-/express-4.18.2.tgz",
+      "integrity": "sha512-5/PsL6iGPdfQ/lKM1UuielYgv3BUoJfz1aUwU9vHZ+J7gyvwdQXFEBIEIaxeGf0GIcreATNyBExtalisDbuMqQ==",
+      "dependencies": {
+        "accepts": "~1.3.8",
+        "array-flatten": "1.1.1",
+        "body-parser": "1.20.1",
+        "content-disposition": "0.5.4",
+        "content-type": "~1.0.4",
+        "cookie": "0.5.0",
+        "cookie-signature": "1.0.6",
+        "debug": "2.6.9",
+        "depd": "2.0.0",
+        "encodeurl": "~1.0.2",
+        "escape-html": "~1.0.3",
+        "etag": "~1.8.1",
+        "finalhandler": "1.2.0",
+        "fresh": "0.5.2",
+        "http-errors": "2.0.0",
+        "merge-descriptors": "1.0.1",
+        "methods": "~1.1.2",
+        "on-finished": "2.4.1",
+        "parseurl": "~1.3.3",
+        "path-to-regexp": "0.1.7",
+        "proxy-addr": "~2.0.7",
+        "qs": "6.11.0",
+        "range-parser": "~1.2.1",
+        "safe-buffer": "5.2.1",
+        "send": "0.18.0",
+        "serve-static": "1.15.0",
+        "setprototypeof": "1.2.0",
+        "statuses": "2.0.1",
+        "type-is": "~1.6.18",
+        "utils-merge": "1.0.1",
+        "vary": "~1.1.2"
+      },
+      "engines": {
+        "node": ">= 0.10.0"
+      }
+    },
+    "node_modules/express/node_modules/body-parser": {
+      "version": "1.20.1",
+      "resolved": "https://registry.npmjs.org/body-parser/-/body-parser-1.20.1.tgz",
+      "integrity": "sha512-jWi7abTbYwajOytWCQc37VulmWiRae5RyTpaCyDcS5/lMdtwSz5lOpDE67srw/HYe35f1z3fDQw+3txg7gNtWw==",
+      "dependencies": {
+        "bytes": "3.1.2",
+        "content-type": "~1.0.4",
+        "debug": "2.6.9",
+        "depd": "2.0.0",
+        "destroy": "1.2.0",
+        "http-errors": "2.0.0",
+        "iconv-lite": "0.4.24",
+        "on-finished": "2.4.1",
+        "qs": "6.11.0",
+        "raw-body": "2.5.1",
+        "type-is": "~1.6.18",
+        "unpipe": "1.0.0"
+      },
+      "engines": {
+        "node": ">= 0.8",
+        "npm": "1.2.8000 || >= 1.4.16"
+      }
+    },
+    "node_modules/express/node_modules/raw-body": {
+      "version": "2.5.1",
+      "resolved": "https://registry.npmjs.org/raw-body/-/raw-body-2.5.1.tgz",
+      "integrity": "sha512-qqJBtEyVgS0ZmPGdCFPWJ3FreoqvG4MVQln/kCgF7Olq95IbOp0/BWyMwbdtn4VTvkM8Y7khCQ2Xgk/tcrCXig==",
+      "dependencies": {
+        "bytes": "3.1.2",
+        "http-errors": "2.0.0",
+        "iconv-lite": "0.4.24",
+        "unpipe": "1.0.0"
+      },
+      "engines": {
+        "node": ">= 0.8"
+      }
+    },
+    "node_modules/extend": {
+      "version": "3.0.2",
+      "resolved": "https://registry.npmjs.org/extend/-/extend-3.0.2.tgz",
+      "integrity": "sha512-fjquC59cD7CyW6urNXK0FBufkZcoiGG80wTuPujX590cB5Ttln20E2UB4S/WARVqhXffZl2LNgS+gQdPIIim/g=="
+    },
+    "node_modules/fast-deep-equal": {
+      "version": "3.1.3",
+      "resolved": "https://registry.npmjs.org/fast-deep-equal/-/fast-deep-equal-3.1.3.tgz",
+      "integrity": "sha512-f3qQ9oQy9j2AhBe/H9VC91wLmKBCCU/gDOnKNAYG5hswO7BLKj09Hc5HYNz9cGI++xlpDCIgDaitVs03ATR84Q=="
+    },
+    "node_modules/fast-levenshtein": {
+      "version": "2.0.6",
+      "resolved": "https://registry.npmjs.org/fast-levenshtein/-/fast-levenshtein-2.0.6.tgz",
+      "integrity": "sha512-DCXu6Ifhqcks7TZKY3Hxp3y6qphY5SJZmrWMDrKcERSOXWQdMhU9Ig/PYrzyw/ul9jOIyh0N4M0tbC5hodg8dw=="
+    },
+    "node_modules/fast-text-encoding": {
+      "version": "1.0.6",
+      "resolved": "https://registry.npmjs.org/fast-text-encoding/-/fast-text-encoding-1.0.6.tgz",
+      "integrity": "sha512-VhXlQgj9ioXCqGstD37E/HBeqEGV/qOD/kmbVG8h5xKBYvM1L3lR1Zn4555cQ8GkYbJa8aJSipLPndE1k6zK2w=="
+    },
+    "node_modules/finalhandler": {
+      "version": "1.2.0",
+      "resolved": "https://registry.npmjs.org/finalhandler/-/finalhandler-1.2.0.tgz",
+      "integrity": "sha512-5uXcUVftlQMFnWC9qu/svkWv3GTd2PfUhK/3PLkYNAe7FbqJMt3515HaxE6eRL74GdsriiwujiawdaB1BpEISg==",
+      "dependencies": {
+        "debug": "2.6.9",
+        "encodeurl": "~1.0.2",
+        "escape-html": "~1.0.3",
+        "on-finished": "2.4.1",
+        "parseurl": "~1.3.3",
+        "statuses": "2.0.1",
+        "unpipe": "~1.0.0"
+      },
+      "engines": {
+        "node": ">= 0.8"
+      }
+    },
+    "node_modules/find-up": {
+      "version": "4.1.0",
+      "resolved": "https://registry.npmjs.org/find-up/-/find-up-4.1.0.tgz",
+      "integrity": "sha512-PpOwAdQ/YlXQ2vj8a3h8IipDuYRi3wceVQQGYWxNINccq40Anw7BlsEXCMbt1Zt+OLA6Fq9suIpIWD0OsnISlw==",
+      "dependencies": {
+        "locate-path": "^5.0.0",
+        "path-exists": "^4.0.0"
+      },
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/for-each": {
+      "version": "0.3.3",
+      "resolved": "https://registry.npmjs.org/for-each/-/for-each-0.3.3.tgz",
+      "integrity": "sha512-jqYfLp7mo9vIyQf8ykW2v7A+2N4QjeCeI5+Dz9XraiO1ign81wjiH7Fb9vSOWvQfNtmSa4H2RoQTrrXivdUZmw==",
+      "dependencies": {
+        "is-callable": "^1.1.3"
+      }
+    },
+    "node_modules/forwarded": {
+      "version": "0.2.0",
+      "resolved": "https://registry.npmjs.org/forwarded/-/forwarded-0.2.0.tgz",
+      "integrity": "sha512-buRG0fpBtRHSTCOASe6hD258tEubFoRLb4ZNA6NxMVHNw2gOcwHo9wyablzMzOA5z9xA9L1KNjk/Nt6MT9aYow==",
+      "engines": {
+        "node": ">= 0.6"
+      }
+    },
+    "node_modules/fresh": {
+      "version": "0.5.2",
+      "resolved": "https://registry.npmjs.org/fresh/-/fresh-0.5.2.tgz",
+      "integrity": "sha512-zJ2mQYM18rEFOudeV4GShTGIQ7RbzA7ozbU9I/XBpm7kqgMywgmylMwXHxZJmkVoYkna9d2pVXVXPdYTP9ej8Q==",
+      "engines": {
+        "node": ">= 0.6"
+      }
+    },
+    "node_modules/fs.realpath": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/fs.realpath/-/fs.realpath-1.0.0.tgz",
+      "integrity": "sha512-OO0pH2lK6a0hZnAdau5ItzHPI6pUlvI7jMVnxUQRtw4owF2wk8lOSabtGDCTP4Ggrg2MbGnWO9X8K1t4+fGMDw=="
+    },
+    "node_modules/function-bind": {
+      "version": "1.1.1",
+      "resolved": "https://registry.npmjs.org/function-bind/-/function-bind-1.1.1.tgz",
+      "integrity": "sha512-yIovAzMX49sF8Yl58fSCWJ5svSLuaibPxXQJFLmBObTuCr0Mf1KiPopGM9NiFjiYBCbfaa2Fh6breQ6ANVTI0A=="
+    },
+    "node_modules/gaxios": {
+      "version": "5.1.3",
+      "resolved": "https://registry.npmjs.org/gaxios/-/gaxios-5.1.3.tgz",
+      "integrity": "sha512-95hVgBRgEIRQQQHIbnxBXeHbW4TqFk4ZDJW7wmVtvYar72FdhRIo1UGOLS2eRAKCPEdPBWu+M7+A33D9CdX9rA==",
+      "dependencies": {
+        "extend": "^3.0.2",
+        "https-proxy-agent": "^5.0.0",
+        "is-stream": "^2.0.0",
+        "node-fetch": "^2.6.9"
+      },
+      "engines": {
+        "node": ">=12"
+      }
+    },
+    "node_modules/gcp-metadata": {
+      "version": "5.3.0",
+      "resolved": "https://registry.npmjs.org/gcp-metadata/-/gcp-metadata-5.3.0.tgz",
+      "integrity": "sha512-FNTkdNEnBdlqF2oatizolQqNANMrcqJt6AAYt99B3y1aLLC8Hc5IOBb+ZnnzllodEEf6xMBp6wRcBbc16fa65w==",
+      "dependencies": {
+        "gaxios": "^5.0.0",
+        "json-bigint": "^1.0.0"
+      },
+      "engines": {
+        "node": ">=12"
+      }
+    },
+    "node_modules/get-caller-file": {
+      "version": "2.0.5",
+      "resolved": "https://registry.npmjs.org/get-caller-file/-/get-caller-file-2.0.5.tgz",
+      "integrity": "sha512-DyFP3BM/3YHTQOCUL/w0OZHR0lpKeGrxotcHWcqNEdnltqFwXVfhEBQ94eIo34AfQpo0rGki4cyIiftY06h2Fg==",
+      "engines": {
+        "node": "6.* || 8.* || >= 10.*"
+      }
+    },
+    "node_modules/get-intrinsic": {
+      "version": "1.2.1",
+      "resolved": "https://registry.npmjs.org/get-intrinsic/-/get-intrinsic-1.2.1.tgz",
+      "integrity": "sha512-2DcsyfABl+gVHEfCOaTrWgyt+tb6MSEGmKq+kI5HwLbIYgjgmMcV8KQ41uaKz1xxUcn9tJtgFbQUEVcEbd0FYw==",
+      "dependencies": {
+        "function-bind": "^1.1.1",
+        "has": "^1.0.3",
+        "has-proto": "^1.0.1",
+        "has-symbols": "^1.0.3"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/glob": {
+      "version": "8.1.0",
+      "resolved": "https://registry.npmjs.org/glob/-/glob-8.1.0.tgz",
+      "integrity": "sha512-r8hpEjiQEYlF2QU0df3dS+nxxSIreXQS1qRhMJM0Q5NDdR386C7jb7Hwwod8Fgiuex+k0GFjgft18yvxm5XoCQ==",
+      "dependencies": {
+        "fs.realpath": "^1.0.0",
+        "inflight": "^1.0.4",
+        "inherits": "2",
+        "minimatch": "^5.0.1",
+        "once": "^1.3.0"
+      },
+      "engines": {
+        "node": ">=12"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/isaacs"
+      }
+    },
+    "node_modules/google-auth-library": {
+      "version": "8.9.0",
+      "resolved": "https://registry.npmjs.org/google-auth-library/-/google-auth-library-8.9.0.tgz",
+      "integrity": "sha512-f7aQCJODJFmYWN6PeNKzgvy9LI2tYmXnzpNDHEjG5sDNPgGb2FXQyTBnXeSH+PAtpKESFD+LmHw3Ox3mN7e1Fg==",
+      "dependencies": {
+        "arrify": "^2.0.0",
+        "base64-js": "^1.3.0",
+        "ecdsa-sig-formatter": "^1.0.11",
+        "fast-text-encoding": "^1.0.0",
+        "gaxios": "^5.0.0",
+        "gcp-metadata": "^5.3.0",
+        "gtoken": "^6.1.0",
+        "jws": "^4.0.0",
+        "lru-cache": "^6.0.0"
+      },
+      "engines": {
+        "node": ">=12"
+      }
+    },
+    "node_modules/google-gax": {
+      "version": "3.6.1",
+      "resolved": "https://registry.npmjs.org/google-gax/-/google-gax-3.6.1.tgz",
+      "integrity": "sha512-g/lcUjGcB6DSw2HxgEmCDOrI/CByOwqRvsuUvNalHUK2iPPPlmAIpbMbl62u0YufGMr8zgE3JL7th6dCb1Ry+w==",
+      "dependencies": {
+        "@grpc/grpc-js": "~1.8.0",
+        "@grpc/proto-loader": "^0.7.0",
+        "@types/long": "^4.0.0",
+        "@types/rimraf": "^3.0.2",
+        "abort-controller": "^3.0.0",
+        "duplexify": "^4.0.0",
+        "fast-text-encoding": "^1.0.3",
+        "google-auth-library": "^8.0.2",
+        "is-stream-ended": "^0.1.4",
+        "node-fetch": "^2.6.1",
+        "object-hash": "^3.0.0",
+        "proto3-json-serializer": "^1.0.0",
+        "protobufjs": "7.2.4",
+        "protobufjs-cli": "1.1.1",
+        "retry-request": "^5.0.0"
+      },
+      "bin": {
+        "compileProtos": "build/tools/compileProtos.js",
+        "minifyProtoJson": "build/tools/minify.js"
+      },
+      "engines": {
+        "node": ">=12"
+      }
+    },
+    "node_modules/google-p12-pem": {
+      "version": "4.0.1",
+      "resolved": "https://registry.npmjs.org/google-p12-pem/-/google-p12-pem-4.0.1.tgz",
+      "integrity": "sha512-WPkN4yGtz05WZ5EhtlxNDWPhC4JIic6G8ePitwUWy4l+XPVYec+a0j0Ts47PDtW59y3RwAhUd9/h9ZZ63px6RQ==",
+      "dependencies": {
+        "node-forge": "^1.3.1"
+      },
+      "bin": {
+        "gp12-pem": "build/src/bin/gp12-pem.js"
+      },
+      "engines": {
+        "node": ">=12.0.0"
+      }
+    },
+    "node_modules/gopd": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/gopd/-/gopd-1.0.1.tgz",
+      "integrity": "sha512-d65bNlIadxvpb/A2abVdlqKqV563juRnZ1Wtk6s1sIR8uNsXR70xqIzVqxVf1eTqDunwT2MkczEeaezCKTZhwA==",
+      "dependencies": {
+        "get-intrinsic": "^1.1.3"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/graceful-fs": {
+      "version": "4.2.11",
+      "resolved": "https://registry.npmjs.org/graceful-fs/-/graceful-fs-4.2.11.tgz",
+      "integrity": "sha512-RbJ5/jmFcNNCcDV5o9eTnBLJ/HszWV0P73bc+Ff4nS/rJj+YaS6IGyiOL0VoBYX+l1Wrl3k63h/KrH+nhJ0XvQ=="
+    },
+    "node_modules/gtoken": {
+      "version": "6.1.2",
+      "resolved": "https://registry.npmjs.org/gtoken/-/gtoken-6.1.2.tgz",
+      "integrity": "sha512-4ccGpzz7YAr7lxrT2neugmXQ3hP9ho2gcaityLVkiUecAiwiy60Ii8gRbZeOsXV19fYaRjgBSshs8kXw+NKCPQ==",
+      "dependencies": {
+        "gaxios": "^5.0.1",
+        "google-p12-pem": "^4.0.0",
+        "jws": "^4.0.0"
+      },
+      "engines": {
+        "node": ">=12.0.0"
+      }
+    },
+    "node_modules/has": {
+      "version": "1.0.3",
+      "resolved": "https://registry.npmjs.org/has/-/has-1.0.3.tgz",
+      "integrity": "sha512-f2dvO0VU6Oej7RkWJGrehjbzMAjFp5/VKPp5tTpWIV4JHHZK1/BxbFRtf/siA2SWTe09caDmVtYYzWEIbBS4zw==",
+      "dependencies": {
+        "function-bind": "^1.1.1"
+      },
+      "engines": {
+        "node": ">= 0.4.0"
+      }
+    },
+    "node_modules/has-flag": {
+      "version": "3.0.0",
+      "resolved": "https://registry.npmjs.org/has-flag/-/has-flag-3.0.0.tgz",
+      "integrity": "sha512-sKJf1+ceQBr4SMkvQnBDNDtf4TXpVhVGateu0t918bl30FnbE2m4vNLX+VWe/dpjlb+HugGYzW7uQXH98HPEYw==",
+      "engines": {
+        "node": ">=4"
+      }
+    },
+    "node_modules/has-proto": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/has-proto/-/has-proto-1.0.1.tgz",
+      "integrity": "sha512-7qE+iP+O+bgF9clE5+UoBFzE65mlBiVj3tKCrlNQ0Ogwm0BjpT/gK4SlLYDMybDh5I3TCTKnPPa0oMG7JDYrhg==",
+      "engines": {
+        "node": ">= 0.4"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/has-symbols": {
+      "version": "1.0.3",
+      "resolved": "https://registry.npmjs.org/has-symbols/-/has-symbols-1.0.3.tgz",
+      "integrity": "sha512-l3LCuF6MgDNwTDKkdYGEihYjt5pRPbEg46rtlmnSPlUbgmB8LOIrKJbYYFBSbnPaJexMKtiPO8hmeRjRz2Td+A==",
+      "engines": {
+        "node": ">= 0.4"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/has-tostringtag": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/has-tostringtag/-/has-tostringtag-1.0.0.tgz",
+      "integrity": "sha512-kFjcSNhnlGV1kyoGk7OXKSawH5JOb/LzUc5w9B02hOTO0dfFRjbHQKvg1d6cf3HbeUmtU9VbbV3qzZ2Teh97WQ==",
+      "dependencies": {
+        "has-symbols": "^1.0.2"
+      },
+      "engines": {
+        "node": ">= 0.4"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/hosted-git-info": {
+      "version": "2.8.9",
+      "resolved": "https://registry.npmjs.org/hosted-git-info/-/hosted-git-info-2.8.9.tgz",
+      "integrity": "sha512-mxIDAb9Lsm6DoOJ7xH+5+X4y1LU/4Hi50L9C5sIswK3JzULS4bwk1FvjdBgvYR4bzT4tuUQiC15FE2f5HbLvYw=="
+    },
+    "node_modules/http-errors": {
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/http-errors/-/http-errors-2.0.0.tgz",
+      "integrity": "sha512-FtwrG/euBzaEjYeRqOgly7G0qviiXoJWnvEH2Z1plBdXgbyjv34pHTSb9zoeHMyDy33+DWy5Wt9Wo+TURtOYSQ==",
+      "dependencies": {
+        "depd": "2.0.0",
+        "inherits": "2.0.4",
+        "setprototypeof": "1.2.0",
+        "statuses": "2.0.1",
+        "toidentifier": "1.0.1"
+      },
+      "engines": {
+        "node": ">= 0.8"
+      }
+    },
+    "node_modules/http-proxy-agent": {
+      "version": "5.0.0",
+      "resolved": "https://registry.npmjs.org/http-proxy-agent/-/http-proxy-agent-5.0.0.tgz",
+      "integrity": "sha512-n2hY8YdoRE1i7r6M0w9DIw5GgZN0G25P8zLCRQ8rjXtTU3vsNFBI/vWK/UIeE6g5MUUz6avwAPXmL6Fy9D/90w==",
+      "dependencies": {
+        "@tootallnate/once": "2",
+        "agent-base": "6",
+        "debug": "4"
+      },
+      "engines": {
+        "node": ">= 6"
+      }
+    },
+    "node_modules/http-proxy-agent/node_modules/debug": {
+      "version": "4.3.4",
+      "resolved": "https://registry.npmjs.org/debug/-/debug-4.3.4.tgz",
+      "integrity": "sha512-PRWFHuSU3eDtQJPvnNY7Jcket1j0t5OuOsFzPPzsekD52Zl8qUfFIPEiswXqIvHWGVHOgX+7G/vCNNhehwxfkQ==",
+      "dependencies": {
+        "ms": "2.1.2"
+      },
+      "engines": {
+        "node": ">=6.0"
+      },
+      "peerDependenciesMeta": {
+        "supports-color": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/http-proxy-agent/node_modules/ms": {
+      "version": "2.1.2",
+      "resolved": "https://registry.npmjs.org/ms/-/ms-2.1.2.tgz",
+      "integrity": "sha512-sGkPx+VjMtmA6MX27oA4FBFELFCZZ4S4XqeGOXCv68tT+jb3vk/RyaKWP0PTKyWtmLSM0b+adUTEvbs1PEaH2w=="
+    },
+    "node_modules/https-proxy-agent": {
+      "version": "5.0.1",
+      "resolved": "https://registry.npmjs.org/https-proxy-agent/-/https-proxy-agent-5.0.1.tgz",
+      "integrity": "sha512-dFcAjpTQFgoLMzC2VwU+C/CbS7uRL0lWmxDITmqm7C+7F0Odmj6s9l6alZc6AELXhrnggM2CeWSXHGOdX2YtwA==",
+      "dependencies": {
+        "agent-base": "6",
+        "debug": "4"
+      },
+      "engines": {
+        "node": ">= 6"
+      }
+    },
+    "node_modules/https-proxy-agent/node_modules/debug": {
+      "version": "4.3.4",
+      "resolved": "https://registry.npmjs.org/debug/-/debug-4.3.4.tgz",
+      "integrity": "sha512-PRWFHuSU3eDtQJPvnNY7Jcket1j0t5OuOsFzPPzsekD52Zl8qUfFIPEiswXqIvHWGVHOgX+7G/vCNNhehwxfkQ==",
+      "dependencies": {
+        "ms": "2.1.2"
+      },
+      "engines": {
+        "node": ">=6.0"
+      },
+      "peerDependenciesMeta": {
+        "supports-color": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/https-proxy-agent/node_modules/ms": {
+      "version": "2.1.2",
+      "resolved": "https://registry.npmjs.org/ms/-/ms-2.1.2.tgz",
+      "integrity": "sha512-sGkPx+VjMtmA6MX27oA4FBFELFCZZ4S4XqeGOXCv68tT+jb3vk/RyaKWP0PTKyWtmLSM0b+adUTEvbs1PEaH2w=="
+    },
+    "node_modules/iconv-lite": {
+      "version": "0.4.24",
+      "resolved": "https://registry.npmjs.org/iconv-lite/-/iconv-lite-0.4.24.tgz",
+      "integrity": "sha512-v3MXnZAcvnywkTUEZomIActle7RXXeedOR31wwl7VlyoXO4Qi9arvSenNQWne1TcRwhCL1HwLI21bEqdpj8/rA==",
+      "dependencies": {
+        "safer-buffer": ">= 2.1.2 < 3"
+      },
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/inflight": {
+      "version": "1.0.6",
+      "resolved": "https://registry.npmjs.org/inflight/-/inflight-1.0.6.tgz",
+      "integrity": "sha512-k92I/b08q4wvFscXCLvqfsHCrjrF7yiXsQuIVvVE7N82W3+aqpzuUdBbfhWcy/FZR3/4IgflMgKLOsvPDrGCJA==",
+      "dependencies": {
+        "once": "^1.3.0",
+        "wrappy": "1"
+      }
+    },
+    "node_modules/inherits": {
+      "version": "2.0.4",
+      "resolved": "https://registry.npmjs.org/inherits/-/inherits-2.0.4.tgz",
+      "integrity": "sha512-k/vGaX4/Yla3WzyMCvTQOXYeIHvqOKtnqBduzTHpzpQZzAskKMhZ2K+EnBiSM9zGSoIFeMpXKxa4dYeZIQqewQ=="
+    },
+    "node_modules/ipaddr.js": {
+      "version": "1.9.1",
+      "resolved": "https://registry.npmjs.org/ipaddr.js/-/ipaddr.js-1.9.1.tgz",
+      "integrity": "sha512-0KI/607xoxSToH7GjN1FfSbLoU0+btTicjsQSWQlh/hZykN8KpmMf7uYwPW3R+akZ6R/w18ZlXSHBYXiYUPO3g==",
+      "engines": {
+        "node": ">= 0.10"
+      }
+    },
+    "node_modules/is-arguments": {
+      "version": "1.1.1",
+      "resolved": "https://registry.npmjs.org/is-arguments/-/is-arguments-1.1.1.tgz",
+      "integrity": "sha512-8Q7EARjzEnKpt/PCD7e1cgUS0a6X8u5tdSiMqXhojOdoV9TsMsiO+9VLC5vAmO8N7/GmXn7yjR8qnA6bVAEzfA==",
+      "dependencies": {
+        "call-bind": "^1.0.2",
+        "has-tostringtag": "^1.0.0"
+      },
+      "engines": {
+        "node": ">= 0.4"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/is-arrayish": {
+      "version": "0.2.1",
+      "resolved": "https://registry.npmjs.org/is-arrayish/-/is-arrayish-0.2.1.tgz",
+      "integrity": "sha512-zz06S8t0ozoDXMG+ube26zeCTNXcKIPJZJi8hBrF4idCLms4CG9QtK7qBl1boi5ODzFpjswb5JPmHCbMpjaYzg=="
+    },
+    "node_modules/is-callable": {
+      "version": "1.2.7",
+      "resolved": "https://registry.npmjs.org/is-callable/-/is-callable-1.2.7.tgz",
+      "integrity": "sha512-1BC0BVFhS/p0qtw6enp8e+8OD0UrK0oFLztSjNzhcKA3WDuJxxAPXzPuPtKkjEY9UUoEWlX/8fgKeu2S8i9JTA==",
+      "engines": {
+        "node": ">= 0.4"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/is-core-module": {
+      "version": "2.12.1",
+      "resolved": "https://registry.npmjs.org/is-core-module/-/is-core-module-2.12.1.tgz",
+      "integrity": "sha512-Q4ZuBAe2FUsKtyQJoQHlvP8OvBERxO3jEmy1I7hcRXcJBGGHFh/aJBswbXuS9sgrDH2QUO8ilkwNPHvHMd8clg==",
+      "dependencies": {
+        "has": "^1.0.3"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/is-fullwidth-code-point": {
+      "version": "3.0.0",
+      "resolved": "https://registry.npmjs.org/is-fullwidth-code-point/-/is-fullwidth-code-point-3.0.0.tgz",
+      "integrity": "sha512-zymm5+u+sCsSWyD9qNaejV3DFvhCKclKdizYaJUuHA83RLjb7nSuGnddCHGv0hk+KY7BMAlsWeK4Ueg6EV6XQg==",
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/is-generator-function": {
+      "version": "1.0.10",
+      "resolved": "https://registry.npmjs.org/is-generator-function/-/is-generator-function-1.0.10.tgz",
+      "integrity": "sha512-jsEjy9l3yiXEQ+PsXdmBwEPcOxaXWLspKdplFUVI9vq1iZgIekeC0L167qeu86czQaxed3q/Uzuw0swL0irL8A==",
+      "dependencies": {
+        "has-tostringtag": "^1.0.0"
+      },
+      "engines": {
+        "node": ">= 0.4"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/is-obj": {
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/is-obj/-/is-obj-2.0.0.tgz",
+      "integrity": "sha512-drqDG3cbczxxEJRoOXcOjtdp1J/lyp1mNn0xaznRs8+muBhgQcrnbspox5X5fOw0HnMnbfDzvnEMEtqDEJEo8w==",
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/is-stream": {
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/is-stream/-/is-stream-2.0.1.tgz",
+      "integrity": "sha512-hFoiJiTl63nn+kstHGBtewWSKnQLpyb155KHheA1l39uvtO9nWIop1p3udqPcUd/xbF1VLMO4n7OI6p7RbngDg==",
+      "engines": {
+        "node": ">=8"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
+    "node_modules/is-stream-ended": {
+      "version": "0.1.4",
+      "resolved": "https://registry.npmjs.org/is-stream-ended/-/is-stream-ended-0.1.4.tgz",
+      "integrity": "sha512-xj0XPvmr7bQFTvirqnFr50o0hQIh6ZItDqloxt5aJrR4NQsYeSsyFQERYGCAzfindAcnKjINnwEEgLx4IqVzQw=="
+    },
+    "node_modules/is-typed-array": {
+      "version": "1.1.12",
+      "resolved": "https://registry.npmjs.org/is-typed-array/-/is-typed-array-1.1.12.tgz",
+      "integrity": "sha512-Z14TF2JNG8Lss5/HMqt0//T9JeHXttXy5pH/DBU4vi98ozO2btxzq9MwYDZYnKwU8nRsz/+GVFVRDq3DkVuSPg==",
+      "dependencies": {
+        "which-typed-array": "^1.1.11"
+      },
+      "engines": {
+        "node": ">= 0.4"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/js-tokens": {
+      "version": "4.0.0",
+      "resolved": "https://registry.npmjs.org/js-tokens/-/js-tokens-4.0.0.tgz",
+      "integrity": "sha512-RdJUflcE3cUzKiMqQgsCu06FPu9UdIJO0beYbPhHN4k6apgJtifcoCtT9bcxOpYBtpD2kCM6Sbzg4CausW/PKQ=="
+    },
+    "node_modules/js2xmlparser": {
+      "version": "4.0.2",
+      "resolved": "https://registry.npmjs.org/js2xmlparser/-/js2xmlparser-4.0.2.tgz",
+      "integrity": "sha512-6n4D8gLlLf1n5mNLQPRfViYzu9RATblzPEtm1SthMX1Pjao0r9YI9nw7ZIfRxQMERS87mcswrg+r/OYrPRX6jA==",
+      "dependencies": {
+        "xmlcreate": "^2.0.4"
+      }
+    },
+    "node_modules/jsdoc": {
+      "version": "4.0.2",
+      "resolved": "https://registry.npmjs.org/jsdoc/-/jsdoc-4.0.2.tgz",
+      "integrity": "sha512-e8cIg2z62InH7azBBi3EsSEqrKx+nUtAS5bBcYTSpZFA+vhNPyhv8PTFZ0WsjOPDj04/dOLlm08EDcQJDqaGQg==",
+      "dependencies": {
+        "@babel/parser": "^7.20.15",
+        "@jsdoc/salty": "^0.2.1",
+        "@types/markdown-it": "^12.2.3",
+        "bluebird": "^3.7.2",
+        "catharsis": "^0.9.0",
+        "escape-string-regexp": "^2.0.0",
+        "js2xmlparser": "^4.0.2",
+        "klaw": "^3.0.0",
+        "markdown-it": "^12.3.2",
+        "markdown-it-anchor": "^8.4.1",
+        "marked": "^4.0.10",
+        "mkdirp": "^1.0.4",
+        "requizzle": "^0.2.3",
+        "strip-json-comments": "^3.1.0",
+        "underscore": "~1.13.2"
+      },
+      "bin": {
+        "jsdoc": "jsdoc.js"
+      },
+      "engines": {
+        "node": ">=12.0.0"
+      }
+    },
+    "node_modules/jsdoc/node_modules/escape-string-regexp": {
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/escape-string-regexp/-/escape-string-regexp-2.0.0.tgz",
+      "integrity": "sha512-UpzcLCXolUWcNu5HtVMHYdXJjArjsF9C0aNnquZYY4uW/Vu0miy5YoWvbV345HauVvcAUnpRuhMMcqTcGOY2+w==",
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/json-bigint": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/json-bigint/-/json-bigint-1.0.0.tgz",
+      "integrity": "sha512-SiPv/8VpZuWbvLSMtTDU8hEfrZWg/mH/nV/b4o0CYbSxu1UIQPLdwKOCIyLQX+VIPO5vrLX3i8qtqFyhdPSUSQ==",
+      "dependencies": {
+        "bignumber.js": "^9.0.0"
+      }
+    },
+    "node_modules/json-parse-even-better-errors": {
+      "version": "2.3.1",
+      "resolved": "https://registry.npmjs.org/json-parse-even-better-errors/-/json-parse-even-better-errors-2.3.1.tgz",
+      "integrity": "sha512-xyFwyhro/JEof6Ghe2iz2NcXoj2sloNsWr/XsERDK/oiPCfaNhl5ONfp+jQdAZRQQ0IJWNzH9zIZF7li91kh2w=="
+    },
+    "node_modules/json-schema-traverse": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/json-schema-traverse/-/json-schema-traverse-1.0.0.tgz",
+      "integrity": "sha512-NM8/P9n3XjXhIZn1lLhkFaACTOURQXjWhV4BA/RnOv8xvgqtqpAX9IO4mRQxSx1Rlo4tqzeqb0sOlruaOy3dug=="
+    },
+    "node_modules/jwa": {
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/jwa/-/jwa-2.0.0.tgz",
+      "integrity": "sha512-jrZ2Qx916EA+fq9cEAeCROWPTfCwi1IVHqT2tapuqLEVVDKFDENFw1oL+MwrTvH6msKxsd1YTDVw6uKEcsrLEA==",
+      "dependencies": {
+        "buffer-equal-constant-time": "1.0.1",
+        "ecdsa-sig-formatter": "1.0.11",
+        "safe-buffer": "^5.0.1"
+      }
+    },
+    "node_modules/jws": {
+      "version": "4.0.0",
+      "resolved": "https://registry.npmjs.org/jws/-/jws-4.0.0.tgz",
+      "integrity": "sha512-KDncfTmOZoOMTFG4mBlG0qUIOlc03fmzH+ru6RgYVZhPkyiy/92Owlt/8UEN+a4TXR1FQetfIpJE8ApdvdVxTg==",
+      "dependencies": {
+        "jwa": "^2.0.0",
+        "safe-buffer": "^5.0.1"
+      }
+    },
+    "node_modules/klaw": {
+      "version": "3.0.0",
+      "resolved": "https://registry.npmjs.org/klaw/-/klaw-3.0.0.tgz",
+      "integrity": "sha512-0Fo5oir+O9jnXu5EefYbVK+mHMBeEVEy2cmctR1O1NECcCkPRreJKrS6Qt/j3KC2C148Dfo9i3pCmCMsdqGr0g==",
+      "dependencies": {
+        "graceful-fs": "^4.1.9"
+      }
+    },
+    "node_modules/levn": {
+      "version": "0.3.0",
+      "resolved": "https://registry.npmjs.org/levn/-/levn-0.3.0.tgz",
+      "integrity": "sha512-0OO4y2iOHix2W6ujICbKIaEQXvFQHue65vUG3pb5EUomzPI90z9hsA1VsO/dbIIpC53J8gxM9Q4Oho0jrCM/yA==",
+      "dependencies": {
+        "prelude-ls": "~1.1.2",
+        "type-check": "~0.3.2"
+      },
+      "engines": {
+        "node": ">= 0.8.0"
+      }
+    },
+    "node_modules/lines-and-columns": {
+      "version": "1.2.4",
+      "resolved": "https://registry.npmjs.org/lines-and-columns/-/lines-and-columns-1.2.4.tgz",
+      "integrity": "sha512-7ylylesZQ/PV29jhEDl3Ufjo6ZX7gCqJr5F7PKrqc93v7fzSymt1BpwEU8nAUXs8qzzvqhbjhK5QZg6Mt/HkBg=="
+    },
+    "node_modules/linkify-it": {
+      "version": "3.0.3",
+      "resolved": "https://registry.npmjs.org/linkify-it/-/linkify-it-3.0.3.tgz",
+      "integrity": "sha512-ynTsyrFSdE5oZ/O9GEf00kPngmOfVwazR5GKDq6EYfhlpFug3J2zybX56a2PRRpc9P+FuSoGNAwjlbDs9jJBPQ==",
+      "dependencies": {
+        "uc.micro": "^1.0.1"
+      }
+    },
+    "node_modules/locate-path": {
+      "version": "5.0.0",
+      "resolved": "https://registry.npmjs.org/locate-path/-/locate-path-5.0.0.tgz",
+      "integrity": "sha512-t7hw9pI+WvuwNJXwk5zVHpyhIqzg2qTlklJOf0mVxGSbe3Fp2VieZcduNYjaLDoy6p9uGpQEGWG87WpMKlNq8g==",
+      "dependencies": {
+        "p-locate": "^4.1.0"
+      },
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/lodash": {
+      "version": "4.17.21",
+      "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
+      "integrity": "sha512-v2kDEe57lecTulaDIuNTPy3Ry4gLGJ6Z1O3vE1krgXZNrsQ+LFTGHVxVjcXPs17LhbZVGedAJv8XZ1tvj5FvSg=="
+    },
+    "node_modules/lodash.camelcase": {
+      "version": "4.3.0",
+      "resolved": "https://registry.npmjs.org/lodash.camelcase/-/lodash.camelcase-4.3.0.tgz",
+      "integrity": "sha512-TwuEnCnxbc3rAvhf/LbG7tJUDzhqXyFnv3dtzLOPgCG/hODL7WFnsbwktkD7yUV0RrreP/l1PALq/YSg6VvjlA=="
+    },
+    "node_modules/long": {
+      "version": "4.0.0",
+      "resolved": "https://registry.npmjs.org/long/-/long-4.0.0.tgz",
+      "integrity": "sha512-XsP+KhQif4bjX1kbuSiySJFNAehNxgLb6hPRGJ9QsUr8ajHkuXGdrHmFUTUUXhDwVX2R5bY4JNZEwbUiMhV+MA=="
+    },
+    "node_modules/lru-cache": {
+      "version": "6.0.0",
+      "resolved": "https://registry.npmjs.org/lru-cache/-/lru-cache-6.0.0.tgz",
+      "integrity": "sha512-Jo6dJ04CmSjuznwJSS3pUeWmd/H0ffTlkXXgwZi+eq1UCmqQwCh+eLsYOYCwY991i2Fah4h1BEMCx4qThGbsiA==",
+      "dependencies": {
+        "yallist": "^4.0.0"
+      },
+      "engines": {
+        "node": ">=10"
+      }
+    },
+    "node_modules/markdown-it": {
+      "version": "12.3.2",
+      "resolved": "https://registry.npmjs.org/markdown-it/-/markdown-it-12.3.2.tgz",
+      "integrity": "sha512-TchMembfxfNVpHkbtriWltGWc+m3xszaRD0CZup7GFFhzIgQqxIfn3eGj1yZpfuflzPvfkt611B2Q/Bsk1YnGg==",
+      "dependencies": {
+        "argparse": "^2.0.1",
+        "entities": "~2.1.0",
+        "linkify-it": "^3.0.1",
+        "mdurl": "^1.0.1",
+        "uc.micro": "^1.0.5"
+      },
+      "bin": {
+        "markdown-it": "bin/markdown-it.js"
+      }
+    },
+    "node_modules/markdown-it-anchor": {
+      "version": "8.6.7",
+      "resolved": "https://registry.npmjs.org/markdown-it-anchor/-/markdown-it-anchor-8.6.7.tgz",
+      "integrity": "sha512-FlCHFwNnutLgVTflOYHPW2pPcl2AACqVzExlkGQNsi4CJgqOHN7YTgDd4LuhgN1BFO3TS0vLAruV1Td6dwWPJA==",
+      "peerDependencies": {
+        "@types/markdown-it": "*",
+        "markdown-it": "*"
+      }
+    },
+    "node_modules/marked": {
+      "version": "4.3.0",
+      "resolved": "https://registry.npmjs.org/marked/-/marked-4.3.0.tgz",
+      "integrity": "sha512-PRsaiG84bK+AMvxziE/lCFss8juXjNaWzVbN5tXAm4XjeaS9NAHhop+PjQxz2A9h8Q4M/xGmzP8vqNwy6JeK0A==",
+      "bin": {
+        "marked": "bin/marked.js"
+      },
+      "engines": {
+        "node": ">= 12"
+      }
+    },
+    "node_modules/mdurl": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/mdurl/-/mdurl-1.0.1.tgz",
+      "integrity": "sha512-/sKlQJCBYVY9Ers9hqzKou4H6V5UWc/M59TH2dvkt+84itfnq7uFOMLpOiOS4ujvHP4etln18fmIxA5R5fll0g=="
+    },
+    "node_modules/media-typer": {
+      "version": "0.3.0",
+      "resolved": "https://registry.npmjs.org/media-typer/-/media-typer-0.3.0.tgz",
+      "integrity": "sha512-dq+qelQ9akHpcOl/gUVRTxVIOkAJ1wR3QAvb4RsVjS8oVoFjDGTc679wJYmUmknUF5HwMLOgb5O+a3KxfWapPQ==",
+      "engines": {
+        "node": ">= 0.6"
+      }
+    },
+    "node_modules/merge-descriptors": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/merge-descriptors/-/merge-descriptors-1.0.1.tgz",
+      "integrity": "sha512-cCi6g3/Zr1iqQi6ySbseM1Xvooa98N0w31jzUYrXPX2xqObmFGHJ0tQ5u74H3mVh7wLouTseZyYIq39g8cNp1w=="
+    },
+    "node_modules/methods": {
+      "version": "1.1.2",
+      "resolved": "https://registry.npmjs.org/methods/-/methods-1.1.2.tgz",
+      "integrity": "sha512-iclAHeNqNm68zFtnZ0e+1L2yUIdvzNoauKU4WBA3VvH/vPFieF7qfRlwUZU+DA9P9bPXIS90ulxoUoCH23sV2w==",
+      "engines": {
+        "node": ">= 0.6"
+      }
+    },
+    "node_modules/mime": {
+      "version": "1.6.0",
+      "resolved": "https://registry.npmjs.org/mime/-/mime-1.6.0.tgz",
+      "integrity": "sha512-x0Vn8spI+wuJ1O6S7gnbaQg8Pxh4NNHb7KSINmEWKiPE4RKOplvijn+NkmYmmRgP68mc70j2EbeTFRsrswaQeg==",
+      "bin": {
+        "mime": "cli.js"
+      },
+      "engines": {
+        "node": ">=4"
+      }
+    },
+    "node_modules/mime-db": {
+      "version": "1.52.0",
+      "resolved": "https://registry.npmjs.org/mime-db/-/mime-db-1.52.0.tgz",
+      "integrity": "sha512-sPU4uV7dYlvtWJxwwxHD0PuihVNiE7TyAbQ5SWxDCB9mUYvOgroQOwYQQOKPJ8CIbE+1ETVlOoK1UC2nU3gYvg==",
+      "engines": {
+        "node": ">= 0.6"
+      }
+    },
+    "node_modules/mime-types": {
+      "version": "2.1.35",
+      "resolved": "https://registry.npmjs.org/mime-types/-/mime-types-2.1.35.tgz",
+      "integrity": "sha512-ZDY+bPm5zTTF+YpCrAU9nK0UgICYPT0QtT1NZWFv4s++TNkcgVaT0g6+4R2uI4MjQjzysHB1zxuWL50hzaeXiw==",
+      "dependencies": {
+        "mime-db": "1.52.0"
+      },
+      "engines": {
+        "node": ">= 0.6"
+      }
+    },
+    "node_modules/minimatch": {
+      "version": "5.1.6",
+      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-5.1.6.tgz",
+      "integrity": "sha512-lKwV/1brpG6mBUFHtb7NUmtABCb2WZZmm2wNiOA5hAb8VdCS4B3dtMWyvcoViccwAW/COERjXLt0zP1zXUN26g==",
+      "dependencies": {
+        "brace-expansion": "^2.0.1"
+      },
+      "engines": {
+        "node": ">=10"
+      }
+    },
+    "node_modules/minimist": {
+      "version": "1.2.8",
+      "resolved": "https://registry.npmjs.org/minimist/-/minimist-1.2.8.tgz",
+      "integrity": "sha512-2yyAR8qBkN3YuheJanUpWC5U3bb5osDywNB8RzDVlDwDHbocAJveqqj1u8+SVD7jkWT4yvsHCpWqqWqAxb0zCA==",
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/mkdirp": {
+      "version": "1.0.4",
+      "resolved": "https://registry.npmjs.org/mkdirp/-/mkdirp-1.0.4.tgz",
+      "integrity": "sha512-vVqVZQyf3WLx2Shd0qJ9xuvqgAyKPLAiqITEtqW0oIUjzo3PePDd6fW9iFz30ef7Ysp/oiWqbhszeGWW2T6Gzw==",
+      "bin": {
+        "mkdirp": "bin/cmd.js"
+      },
+      "engines": {
+        "node": ">=10"
+      }
+    },
+    "node_modules/moment": {
+      "version": "2.29.4",
+      "resolved": "https://registry.npmjs.org/moment/-/moment-2.29.4.tgz",
+      "integrity": "sha512-5LC9SOxjSc2HF6vO2CyuTDNivEdoz2IvyJJGj6X8DJ0eFyfszE0QiEd+iXmBvUP3WHxSjFH/vIsA0EN00cgr8w==",
+      "optional": true,
+      "engines": {
+        "node": "*"
+      }
+    },
+    "node_modules/ms": {
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/ms/-/ms-2.0.0.tgz",
+      "integrity": "sha512-Tpp60P6IUJDTuOq/5Z8cdskzJujfwqfOTkrwIwj7IRISpnkJnT6SyJ4PCPnGMoFjC9ddhal5KVIYtAt97ix05A=="
+    },
+    "node_modules/mv": {
+      "version": "2.1.1",
+      "resolved": "https://registry.npmjs.org/mv/-/mv-2.1.1.tgz",
+      "integrity": "sha512-at/ZndSy3xEGJ8i0ygALh8ru9qy7gWW1cmkaqBN29JmMlIvM//MEO9y1sk/avxuwnPcfhkejkLsuPxH81BrkSg==",
+      "optional": true,
+      "dependencies": {
+        "mkdirp": "~0.5.1",
+        "ncp": "~2.0.0",
+        "rimraf": "~2.4.0"
+      },
+      "engines": {
+        "node": ">=0.8.0"
+      }
+    },
+    "node_modules/mv/node_modules/brace-expansion": {
+      "version": "1.1.11",
+      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.11.tgz",
+      "integrity": "sha512-iCuPHDFgrHX7H2vEI/5xpz07zSHB00TpugqhmYtVmMO6518mCuRMoOYFldEBl0g187ufozdaHgWKcYFb61qGiA==",
+      "optional": true,
+      "dependencies": {
+        "balanced-match": "^1.0.0",
+        "concat-map": "0.0.1"
+      }
+    },
+    "node_modules/mv/node_modules/glob": {
+      "version": "6.0.4",
+      "resolved": "https://registry.npmjs.org/glob/-/glob-6.0.4.tgz",
+      "integrity": "sha512-MKZeRNyYZAVVVG1oZeLaWie1uweH40m9AZwIwxyPbTSX4hHrVYSzLg0Ro5Z5R7XKkIX+Cc6oD1rqeDJnwsB8/A==",
+      "optional": true,
+      "dependencies": {
+        "inflight": "^1.0.4",
+        "inherits": "2",
+        "minimatch": "2 || 3",
+        "once": "^1.3.0",
+        "path-is-absolute": "^1.0.0"
+      },
+      "engines": {
+        "node": "*"
+      }
+    },
+    "node_modules/mv/node_modules/minimatch": {
+      "version": "3.1.2",
+      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.1.2.tgz",
+      "integrity": "sha512-J7p63hRiAjw1NDEww1W7i37+ByIrOWO5XQQAzZ3VOcL0PNybwpfmV/N05zFAzwQ9USyEcX6t3UO+K5aqBQOIHw==",
+      "optional": true,
+      "dependencies": {
+        "brace-expansion": "^1.1.7"
+      },
+      "engines": {
+        "node": "*"
+      }
+    },
+    "node_modules/mv/node_modules/mkdirp": {
+      "version": "0.5.6",
+      "resolved": "https://registry.npmjs.org/mkdirp/-/mkdirp-0.5.6.tgz",
+      "integrity": "sha512-FP+p8RB8OWpF3YZBCrP5gtADmtXApB5AMLn+vdyA+PyxCjrCs00mjyUozssO33cwDeT3wNGdLxJ5M//YqtHAJw==",
+      "optional": true,
+      "dependencies": {
+        "minimist": "^1.2.6"
+      },
+      "bin": {
+        "mkdirp": "bin/cmd.js"
+      }
+    },
+    "node_modules/mv/node_modules/rimraf": {
+      "version": "2.4.5",
+      "resolved": "https://registry.npmjs.org/rimraf/-/rimraf-2.4.5.tgz",
+      "integrity": "sha512-J5xnxTyqaiw06JjMftq7L9ouA448dw/E7dKghkP9WpKNuwmARNNg+Gk8/u5ryb9N/Yo2+z3MCwuqFK/+qPOPfQ==",
+      "optional": true,
+      "dependencies": {
+        "glob": "^6.0.1"
+      },
+      "bin": {
+        "rimraf": "bin.js"
+      }
+    },
+    "node_modules/nan": {
+      "version": "2.18.0",
+      "resolved": "https://registry.npmjs.org/nan/-/nan-2.18.0.tgz",
+      "integrity": "sha512-W7tfG7vMOGtD30sHoZSSc/JVYiyDPEyQVso/Zz+/uQd0B0L46gtC+pHha5FFMRpil6fm/AoEcRWyOVi4+E/f8w==",
+      "optional": true
+    },
+    "node_modules/ncp": {
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/ncp/-/ncp-2.0.0.tgz",
+      "integrity": "sha512-zIdGUrPRFTUELUvr3Gmc7KZ2Sw/h1PiVM0Af/oHB6zgnV1ikqSfRk+TOufi79aHYCW3NiOXmr1BP5nWbzojLaA==",
+      "optional": true,
+      "bin": {
+        "ncp": "bin/ncp"
+      }
+    },
+    "node_modules/negotiator": {
+      "version": "0.6.3",
+      "resolved": "https://registry.npmjs.org/negotiator/-/negotiator-0.6.3.tgz",
+      "integrity": "sha512-+EUsqGPLsM+j/zdChZjsnX51g4XrHFOIXwfnCVPGlQk/k5giakcKsuxCObBRu6DSm9opw/O6slWbJdghQM4bBg==",
+      "engines": {
+        "node": ">= 0.6"
+      }
+    },
+    "node_modules/node-fetch": {
+      "version": "2.6.12",
+      "resolved": "https://registry.npmjs.org/node-fetch/-/node-fetch-2.6.12.tgz",
+      "integrity": "sha512-C/fGU2E8ToujUivIO0H+tpQ6HWo4eEmchoPIoXtxCrVghxdKq+QOHqEZW7tuP3KlV3bC8FRMO5nMCC7Zm1VP6g==",
+      "dependencies": {
+        "whatwg-url": "^5.0.0"
+      },
+      "engines": {
+        "node": "4.x || >=6.0.0"
+      },
+      "peerDependencies": {
+        "encoding": "^0.1.0"
+      },
+      "peerDependenciesMeta": {
+        "encoding": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/node-forge": {
+      "version": "1.3.1",
+      "resolved": "https://registry.npmjs.org/node-forge/-/node-forge-1.3.1.tgz",
+      "integrity": "sha512-dPEtOeMvF9VMcYV/1Wb8CPoVAXtp6MKMlcbAt4ddqmGqUJ6fQZFXkNZNkNlfevtNkGtaSoXf/vNNNSvgrdXwtA==",
+      "engines": {
+        "node": ">= 6.13.0"
+      }
+    },
+    "node_modules/normalize-package-data": {
+      "version": "2.5.0",
+      "resolved": "https://registry.npmjs.org/normalize-package-data/-/normalize-package-data-2.5.0.tgz",
+      "integrity": "sha512-/5CMN3T0R4XTj4DcGaexo+roZSdSFW/0AOOTROrjxzCG1wrWXEsGbRKevjlIL+ZDE4sZlJr5ED4YW0yqmkK+eA==",
+      "dependencies": {
+        "hosted-git-info": "^2.1.4",
+        "resolve": "^1.10.0",
+        "semver": "2 || 3 || 4 || 5",
+        "validate-npm-package-license": "^3.0.1"
+      }
+    },
+    "node_modules/normalize-package-data/node_modules/semver": {
+      "version": "5.7.2",
+      "resolved": "https://registry.npmjs.org/semver/-/semver-5.7.2.tgz",
+      "integrity": "sha512-cBznnQ9KjJqU67B52RMC65CMarK2600WFnbkcaiwWq3xy/5haFJlshgnpjovMVJ+Hff49d8GEn0b87C5pDQ10g==",
+      "bin": {
+        "semver": "bin/semver"
+      }
+    },
+    "node_modules/object-hash": {
+      "version": "3.0.0",
+      "resolved": "https://registry.npmjs.org/object-hash/-/object-hash-3.0.0.tgz",
+      "integrity": "sha512-RSn9F68PjH9HqtltsSnqYC1XXoWe9Bju5+213R98cNGttag9q9yAOTzdbsqvIa7aNm5WffBZFpWYr2aWrklWAw==",
+      "engines": {
+        "node": ">= 6"
+      }
+    },
+    "node_modules/object-inspect": {
+      "version": "1.12.3",
+      "resolved": "https://registry.npmjs.org/object-inspect/-/object-inspect-1.12.3.tgz",
+      "integrity": "sha512-geUvdk7c+eizMNUDkRpW1wJwgfOiOeHbxBR/hLXK1aT6zmVSO0jsQcs7fj6MGw89jC/cjGfLcNOrtMYtGqm81g==",
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/on-finished": {
+      "version": "2.4.1",
+      "resolved": "https://registry.npmjs.org/on-finished/-/on-finished-2.4.1.tgz",
+      "integrity": "sha512-oVlzkg3ENAhCk2zdv7IJwd/QUD4z2RxRwpkcGY8psCVcCYZNq4wYnVWALHM+brtuJjePWiYF/ClmuDr8Ch5+kg==",
+      "dependencies": {
+        "ee-first": "1.1.1"
+      },
+      "engines": {
+        "node": ">= 0.8"
+      }
+    },
+    "node_modules/once": {
+      "version": "1.4.0",
+      "resolved": "https://registry.npmjs.org/once/-/once-1.4.0.tgz",
+      "integrity": "sha512-lNaJgI+2Q5URQBkccEKHTQOPaXdUxnZZElQTZY0MFUAuaEqe1E+Nyvgdz/aIyNi6Z9MzO5dv1H8n58/GELp3+w==",
+      "dependencies": {
+        "wrappy": "1"
+      }
+    },
+    "node_modules/optionator": {
+      "version": "0.8.3",
+      "resolved": "https://registry.npmjs.org/optionator/-/optionator-0.8.3.tgz",
+      "integrity": "sha512-+IW9pACdk3XWmmTXG8m3upGUJst5XRGzxMRjXzAuJ1XnIFNvfhjjIuYkDvysnPQ7qzqVzLt78BCruntqRhWQbA==",
+      "dependencies": {
+        "deep-is": "~0.1.3",
+        "fast-levenshtein": "~2.0.6",
+        "levn": "~0.3.0",
+        "prelude-ls": "~1.1.2",
+        "type-check": "~0.3.2",
+        "word-wrap": "~1.2.3"
+      },
+      "engines": {
+        "node": ">= 0.8.0"
+      }
+    },
+    "node_modules/p-limit": {
+      "version": "2.3.0",
+      "resolved": "https://registry.npmjs.org/p-limit/-/p-limit-2.3.0.tgz",
+      "integrity": "sha512-//88mFWSJx8lxCzwdAABTJL2MyWB12+eIY7MDL2SqLmAkeKU9qxRvWuSyTjm3FUmpBEMuFfckAIqEaVGUDxb6w==",
+      "dependencies": {
+        "p-try": "^2.0.0"
+      },
+      "engines": {
+        "node": ">=6"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
+    "node_modules/p-locate": {
+      "version": "4.1.0",
+      "resolved": "https://registry.npmjs.org/p-locate/-/p-locate-4.1.0.tgz",
+      "integrity": "sha512-R79ZZ/0wAxKGu3oYMlz8jy/kbhsNrS7SKZ7PxEHBgJ5+F2mtFW2fK2cOtBh1cHYkQsbzFV7I+EoRKe6Yt0oK7A==",
+      "dependencies": {
+        "p-limit": "^2.2.0"
+      },
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/p-try": {
+      "version": "2.2.0",
+      "resolved": "https://registry.npmjs.org/p-try/-/p-try-2.2.0.tgz",
+      "integrity": "sha512-R4nPAVTAU0B9D35/Gk3uJf/7XYbQcyohSKdvAxIRSNghFl4e71hVoGnBNQz9cWaXxO2I10KTC+3jMdvvoKw6dQ==",
+      "engines": {
+        "node": ">=6"
+      }
+    },
+    "node_modules/parse-json": {
+      "version": "5.2.0",
+      "resolved": "https://registry.npmjs.org/parse-json/-/parse-json-5.2.0.tgz",
+      "integrity": "sha512-ayCKvm/phCGxOkYRSCM82iDwct8/EonSEgCSxWxD7ve6jHggsFl4fZVQBPRNgQoKiuV/odhFrGzQXZwbifC8Rg==",
+      "dependencies": {
+        "@babel/code-frame": "^7.0.0",
+        "error-ex": "^1.3.1",
+        "json-parse-even-better-errors": "^2.3.0",
+        "lines-and-columns": "^1.1.6"
+      },
+      "engines": {
+        "node": ">=8"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
+    "node_modules/parseurl": {
+      "version": "1.3.3",
+      "resolved": "https://registry.npmjs.org/parseurl/-/parseurl-1.3.3.tgz",
+      "integrity": "sha512-CiyeOxFT/JZyN5m0z9PfXw4SCBJ6Sygz1Dpl0wqjlhDEGGBP1GnsUVEL0p63hoG1fcj3fHynXi9NYO4nWOL+qQ==",
+      "engines": {
+        "node": ">= 0.8"
+      }
+    },
+    "node_modules/path-exists": {
+      "version": "4.0.0",
+      "resolved": "https://registry.npmjs.org/path-exists/-/path-exists-4.0.0.tgz",
+      "integrity": "sha512-ak9Qy5Q7jYb2Wwcey5Fpvg2KoAc/ZIhLSLOSBmRmygPsGwkVVt0fZa0qrtMz+m6tJTAHfZQ8FnmB4MG4LWy7/w==",
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/path-is-absolute": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/path-is-absolute/-/path-is-absolute-1.0.1.tgz",
+      "integrity": "sha512-AVbw3UJ2e9bq64vSaS9Am0fje1Pa8pbGqTTsmXfaIiMpnr5DlDhfJOuLj9Sf95ZPVDAUerDfEk88MPmPe7UCQg==",
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/path-parse": {
+      "version": "1.0.7",
+      "resolved": "https://registry.npmjs.org/path-parse/-/path-parse-1.0.7.tgz",
+      "integrity": "sha512-LDJzPVEEEPR+y48z93A0Ed0yXb8pAByGWo/k5YYdYgpY2/2EsOsksJrq7lOHxryrVOn1ejG6oAp8ahvOIQD8sw=="
+    },
+    "node_modules/path-to-regexp": {
+      "version": "0.1.7",
+      "resolved": "https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-0.1.7.tgz",
+      "integrity": "sha512-5DFkuoqlv1uYQKxy8omFBeJPQcdoE07Kv2sferDCrAq1ohOU+MSDswDIbnx3YAM60qIOnYa53wBhXW0EbMonrQ=="
+    },
+    "node_modules/prelude-ls": {
+      "version": "1.1.2",
+      "resolved": "https://registry.npmjs.org/prelude-ls/-/prelude-ls-1.1.2.tgz",
+      "integrity": "sha512-ESF23V4SKG6lVSGZgYNpbsiaAkdab6ZgOxe52p7+Kid3W3u3bxR4Vfd/o21dmN7jSt0IwgZ4v5MUd26FEtXE9w==",
+      "engines": {
+        "node": ">= 0.8.0"
+      }
+    },
+    "node_modules/process": {
+      "version": "0.11.10",
+      "resolved": "https://registry.npmjs.org/process/-/process-0.11.10.tgz",
+      "integrity": "sha512-cdGef/drWFoydD1JsMzuFf8100nZl+GT+yacc2bEced5f9Rjk4z+WtFUTBu9PhOi9j/jfmBPu0mMEY4wIdAF8A==",
+      "engines": {
+        "node": ">= 0.6.0"
+      }
+    },
+    "node_modules/proto3-json-serializer": {
+      "version": "1.1.1",
+      "resolved": "https://registry.npmjs.org/proto3-json-serializer/-/proto3-json-serializer-1.1.1.tgz",
+      "integrity": "sha512-AwAuY4g9nxx0u52DnSMkqqgyLHaW/XaPLtaAo3y/ZCfeaQB/g4YDH4kb8Wc/mWzWvu0YjOznVnfn373MVZZrgw==",
+      "dependencies": {
+        "protobufjs": "^7.0.0"
+      },
+      "engines": {
+        "node": ">=12.0.0"
+      }
+    },
+    "node_modules/protobufjs": {
+      "version": "7.2.4",
+      "resolved": "https://registry.npmjs.org/protobufjs/-/protobufjs-7.2.4.tgz",
+      "integrity": "sha512-AT+RJgD2sH8phPmCf7OUZR8xGdcJRga4+1cOaXJ64hvcSkVhNcRHOwIxUatPH15+nj59WAGTDv3LSGZPEQbJaQ==",
+      "hasInstallScript": true,
+      "dependencies": {
+        "@protobufjs/aspromise": "^1.1.2",
+        "@protobufjs/base64": "^1.1.2",
+        "@protobufjs/codegen": "^2.0.4",
+        "@protobufjs/eventemitter": "^1.1.0",
+        "@protobufjs/fetch": "^1.1.0",
+        "@protobufjs/float": "^1.0.2",
+        "@protobufjs/inquire": "^1.1.0",
+        "@protobufjs/path": "^1.1.2",
+        "@protobufjs/pool": "^1.1.0",
+        "@protobufjs/utf8": "^1.1.0",
+        "@types/node": ">=13.7.0",
+        "long": "^5.0.0"
+      },
+      "engines": {
+        "node": ">=12.0.0"
+      }
+    },
+    "node_modules/protobufjs-cli": {
+      "version": "1.1.1",
+      "resolved": "https://registry.npmjs.org/protobufjs-cli/-/protobufjs-cli-1.1.1.tgz",
+      "integrity": "sha512-VPWMgIcRNyQwWUv8OLPyGQ/0lQY/QTQAVN5fh+XzfDwsVw1FZ2L3DM/bcBf8WPiRz2tNpaov9lPZfNcmNo6LXA==",
+      "dependencies": {
+        "chalk": "^4.0.0",
+        "escodegen": "^1.13.0",
+        "espree": "^9.0.0",
+        "estraverse": "^5.1.0",
+        "glob": "^8.0.0",
+        "jsdoc": "^4.0.0",
+        "minimist": "^1.2.0",
+        "semver": "^7.1.2",
+        "tmp": "^0.2.1",
+        "uglify-js": "^3.7.7"
+      },
+      "bin": {
+        "pbjs": "bin/pbjs",
+        "pbts": "bin/pbts"
+      },
+      "engines": {
+        "node": ">=12.0.0"
+      },
+      "peerDependencies": {
+        "protobufjs": "^7.0.0"
+      }
+    },
+    "node_modules/protobufjs-cli/node_modules/ansi-styles": {
+      "version": "4.3.0",
+      "resolved": "https://registry.npmjs.org/ansi-styles/-/ansi-styles-4.3.0.tgz",
+      "integrity": "sha512-zbB9rCJAT1rbjiVDb2hqKFHNYLxgtk8NURxZ3IZwD3F6NtxbXZQCnnSi1Lkx+IDohdPlFp222wVALIheZJQSEg==",
+      "dependencies": {
+        "color-convert": "^2.0.1"
+      },
+      "engines": {
+        "node": ">=8"
+      },
+      "funding": {
+        "url": "https://github.com/chalk/ansi-styles?sponsor=1"
+      }
+    },
+    "node_modules/protobufjs-cli/node_modules/chalk": {
+      "version": "4.1.2",
+      "resolved": "https://registry.npmjs.org/chalk/-/chalk-4.1.2.tgz",
+      "integrity": "sha512-oKnbhFyRIXpUuez8iBMmyEa4nbj4IOQyuhc/wy9kY7/WVPcwIO9VA668Pu8RkO7+0G76SLROeyw9CpQ061i4mA==",
+      "dependencies": {
+        "ansi-styles": "^4.1.0",
+        "supports-color": "^7.1.0"
+      },
+      "engines": {
+        "node": ">=10"
+      },
+      "funding": {
+        "url": "https://github.com/chalk/chalk?sponsor=1"
+      }
+    },
+    "node_modules/protobufjs-cli/node_modules/color-convert": {
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/color-convert/-/color-convert-2.0.1.tgz",
+      "integrity": "sha512-RRECPsj7iu/xb5oKYcsFHSppFNnsj/52OVTRKb4zP5onXwVF3zVmmToNcOfGC+CRDpfK/U584fMg38ZHCaElKQ==",
+      "dependencies": {
+        "color-name": "~1.1.4"
+      },
+      "engines": {
+        "node": ">=7.0.0"
+      }
+    },
+    "node_modules/protobufjs-cli/node_modules/color-name": {
+      "version": "1.1.4",
+      "resolved": "https://registry.npmjs.org/color-name/-/color-name-1.1.4.tgz",
+      "integrity": "sha512-dOy+3AuW3a2wNbZHIuMZpTcgjGuLU/uBL/ubcZF9OXbDo8ff4O8yVp5Bf0efS8uEoYo5q4Fx7dY9OgQGXgAsQA=="
+    },
+    "node_modules/protobufjs-cli/node_modules/has-flag": {
+      "version": "4.0.0",
+      "resolved": "https://registry.npmjs.org/has-flag/-/has-flag-4.0.0.tgz",
+      "integrity": "sha512-EykJT/Q1KjTWctppgIAgfSO0tKVuZUjhgMr17kqTumMl6Afv3EISleU7qZUzoXDFTAHTDC4NOoG/ZxU3EvlMPQ==",
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/protobufjs-cli/node_modules/supports-color": {
+      "version": "7.2.0",
+      "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-7.2.0.tgz",
+      "integrity": "sha512-qpCAvRl9stuOHveKsn7HncJRvv501qIacKzQlO/+Lwxc9+0q2wLyv4Dfvt80/DPn2pqOBsJdDiogXGR9+OvwRw==",
+      "dependencies": {
+        "has-flag": "^4.0.0"
+      },
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/protobufjs/node_modules/long": {
+      "version": "5.2.3",
+      "resolved": "https://registry.npmjs.org/long/-/long-5.2.3.tgz",
+      "integrity": "sha512-lcHwpNoggQTObv5apGNCTdJrO69eHOZMi4BNC+rTLER8iHAqGrUVeLh/irVIM7zTw2bOXA8T6uNPeujwOLg/2Q=="
+    },
+    "node_modules/proxy-addr": {
+      "version": "2.0.7",
+      "resolved": "https://registry.npmjs.org/proxy-addr/-/proxy-addr-2.0.7.tgz",
+      "integrity": "sha512-llQsMLSUDUPT44jdrU/O37qlnifitDP+ZwrmmZcoSKyLKvtZxpyV0n2/bD/N4tBAAZ/gJEdZU7KMraoK1+XYAg==",
+      "dependencies": {
+        "forwarded": "0.2.0",
+        "ipaddr.js": "1.9.1"
+      },
+      "engines": {
+        "node": ">= 0.10"
+      }
+    },
+    "node_modules/pump": {
+      "version": "3.0.0",
+      "resolved": "https://registry.npmjs.org/pump/-/pump-3.0.0.tgz",
+      "integrity": "sha512-LwZy+p3SFs1Pytd/jYct4wpv49HiYCqd9Rlc5ZVdk0V+8Yzv6jR5Blk3TRmPL1ft69TxP0IMZGJ+WPFU2BFhww==",
+      "dependencies": {
+        "end-of-stream": "^1.1.0",
+        "once": "^1.3.1"
+      }
+    },
+    "node_modules/pumpify": {
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/pumpify/-/pumpify-2.0.1.tgz",
+      "integrity": "sha512-m7KOje7jZxrmutanlkS1daj1dS6z6BgslzOXmcSEpIlCxM3VJH7lG5QLeck/6hgF6F4crFf01UtQmNsJfweTAw==",
+      "dependencies": {
+        "duplexify": "^4.1.1",
+        "inherits": "^2.0.3",
+        "pump": "^3.0.0"
+      }
+    },
+    "node_modules/punycode": {
+      "version": "2.3.0",
+      "resolved": "https://registry.npmjs.org/punycode/-/punycode-2.3.0.tgz",
+      "integrity": "sha512-rRV+zQD8tVFys26lAGR9WUuS4iUAngJScM+ZRSKtvl5tKeZ2t5bvdNFdNHBW9FWR4guGHlgmsZ1G7BSm2wTbuA==",
+      "engines": {
+        "node": ">=6"
+      }
+    },
+    "node_modules/qs": {
+      "version": "6.11.0",
+      "resolved": "https://registry.npmjs.org/qs/-/qs-6.11.0.tgz",
+      "integrity": "sha512-MvjoMCJwEarSbUYk5O+nmoSzSutSsTwF85zcHPQ9OrlFoZOYIjaqBAJIqIXjptyD5vThxGq52Xu/MaJzRkIk4Q==",
+      "dependencies": {
+        "side-channel": "^1.0.4"
+      },
+      "engines": {
+        "node": ">=0.6"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/range-parser": {
+      "version": "1.2.1",
+      "resolved": "https://registry.npmjs.org/range-parser/-/range-parser-1.2.1.tgz",
+      "integrity": "sha512-Hrgsx+orqoygnmhFbKaHE6c296J+HTAQXoxEF6gNupROmmGJRoyzfG3ccAveqCBrwr/2yxQ5BVd/GTl5agOwSg==",
+      "engines": {
+        "node": ">= 0.6"
+      }
+    },
+    "node_modules/raw-body": {
+      "version": "2.5.2",
+      "resolved": "https://registry.npmjs.org/raw-body/-/raw-body-2.5.2.tgz",
+      "integrity": "sha512-8zGqypfENjCIqGhgXToC8aB2r7YrBX+AQAfIPs/Mlk+BtPTztOvTS01NRW/3Eh60J+a48lt8qsCzirQ6loCVfA==",
+      "dependencies": {
+        "bytes": "3.1.2",
+        "http-errors": "2.0.0",
+        "iconv-lite": "0.4.24",
+        "unpipe": "1.0.0"
+      },
+      "engines": {
+        "node": ">= 0.8"
+      }
+    },
+    "node_modules/read-pkg": {
+      "version": "5.2.0",
+      "resolved": "https://registry.npmjs.org/read-pkg/-/read-pkg-5.2.0.tgz",
+      "integrity": "sha512-Ug69mNOpfvKDAc2Q8DRpMjjzdtrnv9HcSMX+4VsZxD1aZ6ZzrIE7rlzXBtWTyhULSMKg076AW6WR5iZpD0JiOg==",
+      "dependencies": {
+        "@types/normalize-package-data": "^2.4.0",
+        "normalize-package-data": "^2.5.0",
+        "parse-json": "^5.0.0",
+        "type-fest": "^0.6.0"
+      },
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/read-pkg-up": {
+      "version": "7.0.1",
+      "resolved": "https://registry.npmjs.org/read-pkg-up/-/read-pkg-up-7.0.1.tgz",
+      "integrity": "sha512-zK0TB7Xd6JpCLmlLmufqykGE+/TlOePD6qKClNW7hHDKFh/J7/7gCWGR7joEQEW1bKq3a3yUZSObOoWLFQ4ohg==",
+      "dependencies": {
+        "find-up": "^4.1.0",
+        "read-pkg": "^5.2.0",
+        "type-fest": "^0.8.1"
+      },
+      "engines": {
+        "node": ">=8"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
+    "node_modules/read-pkg/node_modules/type-fest": {
+      "version": "0.6.0",
+      "resolved": "https://registry.npmjs.org/type-fest/-/type-fest-0.6.0.tgz",
+      "integrity": "sha512-q+MB8nYR1KDLrgr4G5yemftpMC7/QLqVndBmEEdqzmNj5dcFOO4Oo8qlwZE3ULT3+Zim1F8Kq4cBnikNhlCMlg==",
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/readable-stream": {
+      "version": "3.6.2",
+      "resolved": "https://registry.npmjs.org/readable-stream/-/readable-stream-3.6.2.tgz",
+      "integrity": "sha512-9u/sniCrY3D5WdsERHzHE4G2YCXqoG5FTHUiCC4SIbr6XcLZBY05ya9EKjYek9O5xOAwjGq+1JdGBAS7Q9ScoA==",
+      "dependencies": {
+        "inherits": "^2.0.3",
+        "string_decoder": "^1.1.1",
+        "util-deprecate": "^1.0.1"
+      },
+      "engines": {
+        "node": ">= 6"
+      }
+    },
+    "node_modules/require-directory": {
+      "version": "2.1.1",
+      "resolved": "https://registry.npmjs.org/require-directory/-/require-directory-2.1.1.tgz",
+      "integrity": "sha512-fGxEI7+wsG9xrvdjsrlmL22OMTTiHRwAMroiEeMgq8gzoLC/PQr7RsRDSTLUg/bZAZtF+TVIkHc6/4RIKrui+Q==",
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/require-from-string": {
+      "version": "2.0.2",
+      "resolved": "https://registry.npmjs.org/require-from-string/-/require-from-string-2.0.2.tgz",
+      "integrity": "sha512-Xf0nWe6RseziFMu+Ap9biiUbmplq6S9/p+7w7YXP/JBHhrUDDUhwa+vANyubuqfZWTveU//DYVGsDG7RKL/vEw==",
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/requizzle": {
+      "version": "0.2.4",
+      "resolved": "https://registry.npmjs.org/requizzle/-/requizzle-0.2.4.tgz",
+      "integrity": "sha512-JRrFk1D4OQ4SqovXOgdav+K8EAhSB/LJZqCz8tbX0KObcdeM15Ss59ozWMBWmmINMagCwmqn4ZNryUGpBsl6Jw==",
+      "dependencies": {
+        "lodash": "^4.17.21"
+      }
+    },
+    "node_modules/resolve": {
+      "version": "1.22.2",
+      "resolved": "https://registry.npmjs.org/resolve/-/resolve-1.22.2.tgz",
+      "integrity": "sha512-Sb+mjNHOULsBv818T40qSPeRiuWLyaGMa5ewydRLFimneixmVy2zdivRl+AF6jaYPC8ERxGDmFSiqui6SfPd+g==",
+      "dependencies": {
+        "is-core-module": "^2.11.0",
+        "path-parse": "^1.0.7",
+        "supports-preserve-symlinks-flag": "^1.0.0"
+      },
+      "bin": {
+        "resolve": "bin/resolve"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/retry-request": {
+      "version": "5.0.2",
+      "resolved": "https://registry.npmjs.org/retry-request/-/retry-request-5.0.2.tgz",
+      "integrity": "sha512-wfI3pk7EE80lCIXprqh7ym48IHYdwmAAzESdbU8Q9l7pnRCk9LEhpbOTNKjz6FARLm/Bl5m+4F0ABxOkYUujSQ==",
+      "dependencies": {
+        "debug": "^4.1.1",
+        "extend": "^3.0.2"
+      },
+      "engines": {
+        "node": ">=12"
+      }
+    },
+    "node_modules/retry-request/node_modules/debug": {
+      "version": "4.3.4",
+      "resolved": "https://registry.npmjs.org/debug/-/debug-4.3.4.tgz",
+      "integrity": "sha512-PRWFHuSU3eDtQJPvnNY7Jcket1j0t5OuOsFzPPzsekD52Zl8qUfFIPEiswXqIvHWGVHOgX+7G/vCNNhehwxfkQ==",
+      "dependencies": {
+        "ms": "2.1.2"
+      },
+      "engines": {
+        "node": ">=6.0"
+      },
+      "peerDependenciesMeta": {
+        "supports-color": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/retry-request/node_modules/ms": {
+      "version": "2.1.2",
+      "resolved": "https://registry.npmjs.org/ms/-/ms-2.1.2.tgz",
+      "integrity": "sha512-sGkPx+VjMtmA6MX27oA4FBFELFCZZ4S4XqeGOXCv68tT+jb3vk/RyaKWP0PTKyWtmLSM0b+adUTEvbs1PEaH2w=="
+    },
+    "node_modules/rimraf": {
+      "version": "3.0.2",
+      "resolved": "https://registry.npmjs.org/rimraf/-/rimraf-3.0.2.tgz",
+      "integrity": "sha512-JZkJMZkAGFFPP2YqXZXPbMlMBgsxzE8ILs4lMIX/2o0L9UBw9O/Y3o6wFw/i9YLapcUJWwqbi3kdxIPdC62TIA==",
+      "dependencies": {
+        "glob": "^7.1.3"
+      },
+      "bin": {
+        "rimraf": "bin.js"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/isaacs"
+      }
+    },
+    "node_modules/rimraf/node_modules/brace-expansion": {
+      "version": "1.1.11",
+      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.11.tgz",
+      "integrity": "sha512-iCuPHDFgrHX7H2vEI/5xpz07zSHB00TpugqhmYtVmMO6518mCuRMoOYFldEBl0g187ufozdaHgWKcYFb61qGiA==",
+      "dependencies": {
+        "balanced-match": "^1.0.0",
+        "concat-map": "0.0.1"
+      }
+    },
+    "node_modules/rimraf/node_modules/glob": {
+      "version": "7.2.3",
+      "resolved": "https://registry.npmjs.org/glob/-/glob-7.2.3.tgz",
+      "integrity": "sha512-nFR0zLpU2YCaRxwoCJvL6UvCH2JFyFVIvwTLsIf21AuHlMskA1hhTdk+LlYJtOlYt9v6dvszD2BGRqBL+iQK9Q==",
+      "dependencies": {
+        "fs.realpath": "^1.0.0",
+        "inflight": "^1.0.4",
+        "inherits": "2",
+        "minimatch": "^3.1.1",
+        "once": "^1.3.0",
+        "path-is-absolute": "^1.0.0"
+      },
+      "engines": {
+        "node": "*"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/isaacs"
+      }
+    },
+    "node_modules/rimraf/node_modules/minimatch": {
+      "version": "3.1.2",
+      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.1.2.tgz",
+      "integrity": "sha512-J7p63hRiAjw1NDEww1W7i37+ByIrOWO5XQQAzZ3VOcL0PNybwpfmV/N05zFAzwQ9USyEcX6t3UO+K5aqBQOIHw==",
+      "dependencies": {
+        "brace-expansion": "^1.1.7"
+      },
+      "engines": {
+        "node": "*"
+      }
+    },
+    "node_modules/safe-buffer": {
+      "version": "5.2.1",
+      "resolved": "https://registry.npmjs.org/safe-buffer/-/safe-buffer-5.2.1.tgz",
+      "integrity": "sha512-rp3So07KcdmmKbGvgaNxQSJr7bGVSVk5S9Eq1F+ppbRo70+YeaDxkw5Dd8NPN+GD6bjnYm2VuPuCXmpuYvmCXQ==",
+      "funding": [
+        {
+          "type": "github",
+          "url": "https://github.com/sponsors/feross"
+        },
+        {
+          "type": "patreon",
+          "url": "https://www.patreon.com/feross"
+        },
+        {
+          "type": "consulting",
+          "url": "https://feross.org/support"
+        }
+      ]
+    },
+    "node_modules/safe-json-stringify": {
+      "version": "1.2.0",
+      "resolved": "https://registry.npmjs.org/safe-json-stringify/-/safe-json-stringify-1.2.0.tgz",
+      "integrity": "sha512-gH8eh2nZudPQO6TytOvbxnuhYBOvDBBLW52tz5q6X58lJcd/tkmqFR+5Z9adS8aJtURSXWThWy/xJtJwixErvg==",
+      "optional": true
+    },
+    "node_modules/safer-buffer": {
+      "version": "2.1.2",
+      "resolved": "https://registry.npmjs.org/safer-buffer/-/safer-buffer-2.1.2.tgz",
+      "integrity": "sha512-YZo3K82SD7Riyi0E1EQPojLz7kpepnSQI9IyPbHHg1XXXevb5dJI7tpyN2ADxGcQbHG7vcyRHk0cbwqcQriUtg=="
+    },
+    "node_modules/semver": {
+      "version": "7.5.4",
+      "resolved": "https://registry.npmjs.org/semver/-/semver-7.5.4.tgz",
+      "integrity": "sha512-1bCSESV6Pv+i21Hvpxp3Dx+pSD8lIPt8uVjRrxAUt/nbswYc+tK6Y2btiULjd4+fnq15PX+nqQDC7Oft7WkwcA==",
+      "dependencies": {
+        "lru-cache": "^6.0.0"
+      },
+      "bin": {
+        "semver": "bin/semver.js"
+      },
+      "engines": {
+        "node": ">=10"
+      }
+    },
+    "node_modules/send": {
+      "version": "0.18.0",
+      "resolved": "https://registry.npmjs.org/send/-/send-0.18.0.tgz",
+      "integrity": "sha512-qqWzuOjSFOuqPjFe4NOsMLafToQQwBSOEpS+FwEt3A2V3vKubTquT3vmLTQpFgMXp8AlFWFuP1qKaJZOtPpVXg==",
+      "dependencies": {
+        "debug": "2.6.9",
+        "depd": "2.0.0",
+        "destroy": "1.2.0",
+        "encodeurl": "~1.0.2",
+        "escape-html": "~1.0.3",
+        "etag": "~1.8.1",
+        "fresh": "0.5.2",
+        "http-errors": "2.0.0",
+        "mime": "1.6.0",
+        "ms": "2.1.3",
+        "on-finished": "2.4.1",
+        "range-parser": "~1.2.1",
+        "statuses": "2.0.1"
+      },
+      "engines": {
+        "node": ">= 0.8.0"
+      }
+    },
+    "node_modules/send/node_modules/ms": {
+      "version": "2.1.3",
+      "resolved": "https://registry.npmjs.org/ms/-/ms-2.1.3.tgz",
+      "integrity": "sha512-6FlzubTLZG3J2a/NVCAleEhjzq5oxgHyaCU9yYXvcLsvoVaHJq/s5xXI6/XXP6tz7R9xAOtHnSO/tXtF3WRTlA=="
+    },
+    "node_modules/serve-static": {
+      "version": "1.15.0",
+      "resolved": "https://registry.npmjs.org/serve-static/-/serve-static-1.15.0.tgz",
+      "integrity": "sha512-XGuRDNjXUijsUL0vl6nSD7cwURuzEgglbOaFuZM9g3kwDXOWVTck0jLzjPzGD+TazWbboZYu52/9/XPdUgne9g==",
+      "dependencies": {
+        "encodeurl": "~1.0.2",
+        "escape-html": "~1.0.3",
+        "parseurl": "~1.3.3",
+        "send": "0.18.0"
+      },
+      "engines": {
+        "node": ">= 0.8.0"
+      }
+    },
+    "node_modules/setprototypeof": {
+      "version": "1.2.0",
+      "resolved": "https://registry.npmjs.org/setprototypeof/-/setprototypeof-1.2.0.tgz",
+      "integrity": "sha512-E5LDX7Wrp85Kil5bhZv46j8jOeboKq5JMmYM3gVGdGH8xFpPWXUMsNrlODCrkoxMEeNi/XZIwuRvY4XNwYMJpw=="
+    },
+    "node_modules/side-channel": {
+      "version": "1.0.4",
+      "resolved": "https://registry.npmjs.org/side-channel/-/side-channel-1.0.4.tgz",
+      "integrity": "sha512-q5XPytqFEIKHkGdiMIrY10mvLRvnQh42/+GoBlFW3b2LXLE2xxJpZFdm94we0BaoV3RwJyGqg5wS7epxTv0Zvw==",
+      "dependencies": {
+        "call-bind": "^1.0.0",
+        "get-intrinsic": "^1.0.2",
+        "object-inspect": "^1.9.0"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/source-map": {
+      "version": "0.6.1",
+      "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.6.1.tgz",
+      "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g==",
+      "optional": true,
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/spdx-correct": {
+      "version": "3.2.0",
+      "resolved": "https://registry.npmjs.org/spdx-correct/-/spdx-correct-3.2.0.tgz",
+      "integrity": "sha512-kN9dJbvnySHULIluDHy32WHRUu3Og7B9sbY7tsFLctQkIqnMh3hErYgdMjTYuqmcXX+lK5T1lnUt3G7zNswmZA==",
+      "dependencies": {
+        "spdx-expression-parse": "^3.0.0",
+        "spdx-license-ids": "^3.0.0"
+      }
+    },
+    "node_modules/spdx-exceptions": {
+      "version": "2.3.0",
+      "resolved": "https://registry.npmjs.org/spdx-exceptions/-/spdx-exceptions-2.3.0.tgz",
+      "integrity": "sha512-/tTrYOC7PPI1nUAgx34hUpqXuyJG+DTHJTnIULG4rDygi4xu/tfgmq1e1cIRwRzwZgo4NLySi+ricLkZkw4i5A=="
+    },
+    "node_modules/spdx-expression-parse": {
+      "version": "3.0.1",
+      "resolved": "https://registry.npmjs.org/spdx-expression-parse/-/spdx-expression-parse-3.0.1.tgz",
+      "integrity": "sha512-cbqHunsQWnJNE6KhVSMsMeH5H/L9EpymbzqTQ3uLwNCLZ1Q481oWaofqH7nO6V07xlXwY6PhQdQ2IedWx/ZK4Q==",
+      "dependencies": {
+        "spdx-exceptions": "^2.1.0",
+        "spdx-license-ids": "^3.0.0"
+      }
+    },
+    "node_modules/spdx-license-ids": {
+      "version": "3.0.13",
+      "resolved": "https://registry.npmjs.org/spdx-license-ids/-/spdx-license-ids-3.0.13.tgz",
+      "integrity": "sha512-XkD+zwiqXHikFZm4AX/7JSCXA98U5Db4AFd5XUg/+9UNtnH75+Z9KxtpYiJZx36mUDVOwH83pl7yvCer6ewM3w=="
+    },
+    "node_modules/statuses": {
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/statuses/-/statuses-2.0.1.tgz",
+      "integrity": "sha512-RwNA9Z/7PrK06rYLIzFMlaF+l73iwpzsqRIFgbMLbTcLD6cOao82TaWefPXQvB2fOC4AjuYSEndS7N/mTCbkdQ==",
+      "engines": {
+        "node": ">= 0.8"
+      }
+    },
+    "node_modules/stream-events": {
+      "version": "1.0.5",
+      "resolved": "https://registry.npmjs.org/stream-events/-/stream-events-1.0.5.tgz",
+      "integrity": "sha512-E1GUzBSgvct8Jsb3v2X15pjzN1tYebtbLaMg+eBOUOAxgbLoSbT2NS91ckc5lJD1KfLjId+jXJRgo0qnV5Nerg==",
+      "dependencies": {
+        "stubs": "^3.0.0"
+      }
+    },
+    "node_modules/stream-shift": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/stream-shift/-/stream-shift-1.0.1.tgz",
+      "integrity": "sha512-AiisoFqQ0vbGcZgQPY1cdP2I76glaVA/RauYR4G4thNFgkTqr90yXTo4LYX60Jl+sIlPNHHdGSwo01AvbKUSVQ=="
+    },
+    "node_modules/string_decoder": {
+      "version": "1.3.0",
+      "resolved": "https://registry.npmjs.org/string_decoder/-/string_decoder-1.3.0.tgz",
+      "integrity": "sha512-hkRX8U1WjJFd8LsDJ2yQ/wWWxaopEsABU1XfkM8A+j0+85JAGppt16cr1Whg6KIbb4okU6Mql6BOj+uup/wKeA==",
+      "dependencies": {
+        "safe-buffer": "~5.2.0"
+      }
+    },
+    "node_modules/string-width": {
+      "version": "4.2.3",
+      "resolved": "https://registry.npmjs.org/string-width/-/string-width-4.2.3.tgz",
+      "integrity": "sha512-wKyQRQpjJ0sIp62ErSZdGsjMJWsap5oRNihHhu6G7JVO/9jIB6UyevL+tXuOqrng8j/cxKTWyWUwvSTriiZz/g==",
+      "dependencies": {
+        "emoji-regex": "^8.0.0",
+        "is-fullwidth-code-point": "^3.0.0",
+        "strip-ansi": "^6.0.1"
+      },
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/strip-ansi": {
+      "version": "6.0.1",
+      "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-6.0.1.tgz",
+      "integrity": "sha512-Y38VPSHcqkFrCpFnQ9vuSXmquuv5oXOKpGeT6aGrr3o3Gc9AlVa6JBfUSOCnbxGGZF+/0ooI7KrPuUSztUdU5A==",
+      "dependencies": {
+        "ansi-regex": "^5.0.1"
+      },
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/strip-json-comments": {
+      "version": "3.1.1",
+      "resolved": "https://registry.npmjs.org/strip-json-comments/-/strip-json-comments-3.1.1.tgz",
+      "integrity": "sha512-6fPc+R4ihwqP6N/aIv2f1gMH8lOVtWQHoqC4yK6oSDVVocumAsfCqjkXnqiYMhmMwS/mEHLp7Vehlt3ql6lEig==",
+      "engines": {
+        "node": ">=8"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
+    "node_modules/stubs": {
+      "version": "3.0.0",
+      "resolved": "https://registry.npmjs.org/stubs/-/stubs-3.0.0.tgz",
+      "integrity": "sha512-PdHt7hHUJKxvTCgbKX9C1V/ftOcjJQgz8BZwNfV5c4B6dcGqlpelTbJ999jBGZ2jYiPAwcX5dP6oBwVlBlUbxw=="
+    },
+    "node_modules/supports-color": {
+      "version": "5.5.0",
+      "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-5.5.0.tgz",
+      "integrity": "sha512-QjVjwdXIt408MIiAqCX4oUKsgU2EqAGzs2Ppkm4aQYbjm+ZEWEcW4SfFNTr4uMNZma0ey4f5lgLrkB0aX0QMow==",
+      "dependencies": {
+        "has-flag": "^3.0.0"
+      },
+      "engines": {
+        "node": ">=4"
+      }
+    },
+    "node_modules/supports-preserve-symlinks-flag": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/supports-preserve-symlinks-flag/-/supports-preserve-symlinks-flag-1.0.0.tgz",
+      "integrity": "sha512-ot0WnXS9fgdkgIcePe6RHNk1WA8+muPa6cSjeR3V8K27q9BB1rTE3R1p7Hv0z1ZyAc8s6Vvv8DIyWf681MAt0w==",
+      "engines": {
+        "node": ">= 0.4"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/teeny-request": {
+      "version": "8.0.3",
+      "resolved": "https://registry.npmjs.org/teeny-request/-/teeny-request-8.0.3.tgz",
+      "integrity": "sha512-jJZpA5He2y52yUhA7pyAGZlgQpcB+xLjcN0eUFxr9c8hP/H7uOXbBNVo/O0C/xVfJLJs680jvkFgVJEEvk9+ww==",
+      "dependencies": {
+        "http-proxy-agent": "^5.0.0",
+        "https-proxy-agent": "^5.0.0",
+        "node-fetch": "^2.6.1",
+        "stream-events": "^1.0.5",
+        "uuid": "^9.0.0"
+      },
+      "engines": {
+        "node": ">=12"
+      }
+    },
+    "node_modules/teeny-request/node_modules/uuid": {
+      "version": "9.0.0",
+      "resolved": "https://registry.npmjs.org/uuid/-/uuid-9.0.0.tgz",
+      "integrity": "sha512-MXcSTerfPa4uqyzStbRoTgt5XIe3x5+42+q1sDuy3R5MDk66URdLMOZe5aPX/SQd+kuYAh0FdP/pO28IkQyTeg==",
+      "bin": {
+        "uuid": "dist/bin/uuid"
+      }
+    },
+    "node_modules/tmp": {
+      "version": "0.2.1",
+      "resolved": "https://registry.npmjs.org/tmp/-/tmp-0.2.1.tgz",
+      "integrity": "sha512-76SUhtfqR2Ijn+xllcI5P1oyannHNHByD80W1q447gU3mp9G9PSpGdWmjUOHRDPiHYacIk66W7ubDTuPF3BEtQ==",
+      "dependencies": {
+        "rimraf": "^3.0.0"
+      },
+      "engines": {
+        "node": ">=8.17.0"
+      }
+    },
+    "node_modules/toidentifier": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/toidentifier/-/toidentifier-1.0.1.tgz",
+      "integrity": "sha512-o5sSPKEkg/DIQNmH43V0/uerLrpzVedkUh8tGNvaeXpfpuwjKenlSox/2O/BTlZUtEe+JG7s5YhEz608PlAHRA==",
+      "engines": {
+        "node": ">=0.6"
+      }
+    },
+    "node_modules/tr46": {
+      "version": "0.0.3",
+      "resolved": "https://registry.npmjs.org/tr46/-/tr46-0.0.3.tgz",
+      "integrity": "sha512-N3WMsuqV66lT30CrXNbEjx4GEwlow3v6rr4mCcv6prnfwhS01rkgyFdjPNBYd9br7LpXV1+Emh01fHnq2Gdgrw=="
+    },
+    "node_modules/type-check": {
+      "version": "0.3.2",
+      "resolved": "https://registry.npmjs.org/type-check/-/type-check-0.3.2.tgz",
+      "integrity": "sha512-ZCmOJdvOWDBYJlzAoFkC+Q0+bUyEOS1ltgp1MGU03fqHG+dbi9tBFU2Rd9QKiDZFAYrhPh2JUf7rZRIuHRKtOg==",
+      "dependencies": {
+        "prelude-ls": "~1.1.2"
+      },
+      "engines": {
+        "node": ">= 0.8.0"
+      }
+    },
+    "node_modules/type-fest": {
+      "version": "0.8.1",
+      "resolved": "https://registry.npmjs.org/type-fest/-/type-fest-0.8.1.tgz",
+      "integrity": "sha512-4dbzIzqvjtgiM5rw1k5rEHtBANKmdudhGyBEajN01fEyhaAIhsoKNy6y7+IN93IfpFtwY9iqi7kD+xwKhQsNJA==",
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/type-is": {
+      "version": "1.6.18",
+      "resolved": "https://registry.npmjs.org/type-is/-/type-is-1.6.18.tgz",
+      "integrity": "sha512-TkRKr9sUTxEH8MdfuCSP7VizJyzRNMjj2J2do2Jr3Kym598JVdEksuzPQCnlFPW4ky9Q+iA+ma9BGm06XQBy8g==",
+      "dependencies": {
+        "media-typer": "0.3.0",
+        "mime-types": "~2.1.24"
+      },
+      "engines": {
+        "node": ">= 0.6"
+      }
+    },
+    "node_modules/uc.micro": {
+      "version": "1.0.6",
+      "resolved": "https://registry.npmjs.org/uc.micro/-/uc.micro-1.0.6.tgz",
+      "integrity": "sha512-8Y75pvTYkLJW2hWQHXxoqRgV7qb9B+9vFEtidML+7koHUFapnVJAZ6cKs+Qjz5Aw3aZWHMC6u0wJE3At+nSGwA=="
+    },
+    "node_modules/uglify-js": {
+      "version": "3.17.4",
+      "resolved": "https://registry.npmjs.org/uglify-js/-/uglify-js-3.17.4.tgz",
+      "integrity": "sha512-T9q82TJI9e/C1TAxYvfb16xO120tMVFZrGA3f9/P4424DNu6ypK103y0GPFVa17yotwSyZW5iYXgjYHkGrJW/g==",
+      "bin": {
+        "uglifyjs": "bin/uglifyjs"
+      },
+      "engines": {
+        "node": ">=0.8.0"
+      }
+    },
+    "node_modules/underscore": {
+      "version": "1.13.6",
+      "resolved": "https://registry.npmjs.org/underscore/-/underscore-1.13.6.tgz",
+      "integrity": "sha512-+A5Sja4HP1M08MaXya7p5LvjuM7K6q/2EaC0+iovj/wOcMsTzMvDFbasi/oSapiwOlt252IqsKqPjCl7huKS0A=="
+    },
+    "node_modules/unpipe": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/unpipe/-/unpipe-1.0.0.tgz",
+      "integrity": "sha512-pjy2bYhSsufwWlKwPc+l3cN7+wuJlK6uz0YdJEOlQDbl6jo/YlPi4mb8agUkVC8BF7V8NuzeyPNqRksA3hztKQ==",
+      "engines": {
+        "node": ">= 0.8"
+      }
+    },
+    "node_modules/uri-js": {
+      "version": "4.4.1",
+      "resolved": "https://registry.npmjs.org/uri-js/-/uri-js-4.4.1.tgz",
+      "integrity": "sha512-7rKUyy33Q1yc98pQ1DAmLtwX109F7TIfWlW1Ydo8Wl1ii1SeHieeh0HHfPeL2fMXK6z0s8ecKs9frCuLJvndBg==",
+      "dependencies": {
+        "punycode": "^2.1.0"
+      }
+    },
+    "node_modules/util": {
+      "version": "0.12.5",
+      "resolved": "https://registry.npmjs.org/util/-/util-0.12.5.tgz",
+      "integrity": "sha512-kZf/K6hEIrWHI6XqOFUiiMa+79wE/D8Q+NCNAWclkyg3b4d2k7s0QGepNjiABc+aR3N1PAyHL7p6UcLY6LmrnA==",
+      "dependencies": {
+        "inherits": "^2.0.3",
+        "is-arguments": "^1.0.4",
+        "is-generator-function": "^1.0.7",
+        "is-typed-array": "^1.1.3",
+        "which-typed-array": "^1.1.2"
+      }
+    },
+    "node_modules/util-deprecate": {
+      "version": "1.0.2",
+      "resolved": "https://registry.npmjs.org/util-deprecate/-/util-deprecate-1.0.2.tgz",
+      "integrity": "sha512-EPD5q1uXyFxJpCrLnCc1nHnq3gOa6DZBocAIiI2TaSCA7VCJ1UJDMagCzIkXNsUYfD1daK//LTEQ8xiIbrHtcw=="
+    },
+    "node_modules/utils-merge": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/utils-merge/-/utils-merge-1.0.1.tgz",
+      "integrity": "sha512-pMZTvIkT1d+TFGvDOqodOclx0QWkkgi6Tdoa8gC8ffGAAqz9pzPTZWAybbsHHoED/ztMtkv/VoYTYyShUn81hA==",
+      "engines": {
+        "node": ">= 0.4.0"
+      }
+    },
+    "node_modules/uuid": {
+      "version": "8.3.2",
+      "resolved": "https://registry.npmjs.org/uuid/-/uuid-8.3.2.tgz",
+      "integrity": "sha512-+NYs2QeMWy+GWFOEm9xnn6HCDp0l7QBD7ml8zLUmJ+93Q5NF0NocErnwkTkXVFNiX3/fpC6afS8Dhb/gz7R7eg==",
+      "bin": {
+        "uuid": "dist/bin/uuid"
+      }
+    },
+    "node_modules/validate-npm-package-license": {
+      "version": "3.0.4",
+      "resolved": "https://registry.npmjs.org/validate-npm-package-license/-/validate-npm-package-license-3.0.4.tgz",
+      "integrity": "sha512-DpKm2Ui/xN7/HQKCtpZxoRWBhZ9Z0kqtygG8XCgNQ8ZlDnxuQmWhj566j8fN4Cu3/JmbhsDo7fcAJq4s9h27Ew==",
+      "dependencies": {
+        "spdx-correct": "^3.0.0",
+        "spdx-expression-parse": "^3.0.0"
+      }
+    },
+    "node_modules/vary": {
+      "version": "1.1.2",
+      "resolved": "https://registry.npmjs.org/vary/-/vary-1.1.2.tgz",
+      "integrity": "sha512-BNGbWLfd0eUPabhkXUVm0j8uuvREyTh5ovRa/dyow/BqAbZJyC+5fU+IzQOzmAKzYqYRAISoRhdQr3eIZ/PXqg==",
+      "engines": {
+        "node": ">= 0.8"
+      }
+    },
+    "node_modules/webidl-conversions": {
+      "version": "3.0.1",
+      "resolved": "https://registry.npmjs.org/webidl-conversions/-/webidl-conversions-3.0.1.tgz",
+      "integrity": "sha512-2JAn3z8AR6rjK8Sm8orRC0h/bcl/DqL7tRPdGZ4I1CjdF+EaMLmYxBHyXuKL849eucPFhvBoxMsflfOb8kxaeQ=="
+    },
+    "node_modules/whatwg-url": {
+      "version": "5.0.0",
+      "resolved": "https://registry.npmjs.org/whatwg-url/-/whatwg-url-5.0.0.tgz",
+      "integrity": "sha512-saE57nupxk6v3HY35+jzBwYa0rKSy0XR8JSxZPwgLr7ys0IBzhGviA1/TUGJLmSVqs8pb9AnvICXEuOHLprYTw==",
+      "dependencies": {
+        "tr46": "~0.0.3",
+        "webidl-conversions": "^3.0.0"
+      }
+    },
+    "node_modules/which-typed-array": {
+      "version": "1.1.11",
+      "resolved": "https://registry.npmjs.org/which-typed-array/-/which-typed-array-1.1.11.tgz",
+      "integrity": "sha512-qe9UWWpkeG5yzZ0tNYxDmd7vo58HDBc39mZ0xWWpolAGADdFOzkfamWLDxkOWcvHQKVmdTyQdLD4NOfjLWTKew==",
+      "dependencies": {
+        "available-typed-arrays": "^1.0.5",
+        "call-bind": "^1.0.2",
+        "for-each": "^0.3.3",
+        "gopd": "^1.0.1",
+        "has-tostringtag": "^1.0.0"
+      },
+      "engines": {
+        "node": ">= 0.4"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/word-wrap": {
+      "version": "1.2.5",
+      "resolved": "https://registry.npmjs.org/word-wrap/-/word-wrap-1.2.5.tgz",
+      "integrity": "sha512-BN22B5eaMMI9UMtjrGd5g5eCYPpCPDUy0FJXbYsaT5zYxjFOckS53SQDE3pWkVoWpHXVb3BrYcEN4Twa55B5cA==",
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/wrap-ansi": {
+      "version": "7.0.0",
+      "resolved": "https://registry.npmjs.org/wrap-ansi/-/wrap-ansi-7.0.0.tgz",
+      "integrity": "sha512-YVGIj2kamLSTxw6NsZjoBxfSwsn0ycdesmc4p+Q21c5zPuZ1pl+NfxVdxPtdHvmNVOQ6XSYG4AUtyt/Fi7D16Q==",
+      "dependencies": {
+        "ansi-styles": "^4.0.0",
+        "string-width": "^4.1.0",
+        "strip-ansi": "^6.0.0"
+      },
+      "engines": {
+        "node": ">=10"
+      },
+      "funding": {
+        "url": "https://github.com/chalk/wrap-ansi?sponsor=1"
+      }
+    },
+    "node_modules/wrap-ansi/node_modules/ansi-styles": {
+      "version": "4.3.0",
+      "resolved": "https://registry.npmjs.org/ansi-styles/-/ansi-styles-4.3.0.tgz",
+      "integrity": "sha512-zbB9rCJAT1rbjiVDb2hqKFHNYLxgtk8NURxZ3IZwD3F6NtxbXZQCnnSi1Lkx+IDohdPlFp222wVALIheZJQSEg==",
+      "dependencies": {
+        "color-convert": "^2.0.1"
+      },
+      "engines": {
+        "node": ">=8"
+      },
+      "funding": {
+        "url": "https://github.com/chalk/ansi-styles?sponsor=1"
+      }
+    },
+    "node_modules/wrap-ansi/node_modules/color-convert": {
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/color-convert/-/color-convert-2.0.1.tgz",
+      "integrity": "sha512-RRECPsj7iu/xb5oKYcsFHSppFNnsj/52OVTRKb4zP5onXwVF3zVmmToNcOfGC+CRDpfK/U584fMg38ZHCaElKQ==",
+      "dependencies": {
+        "color-name": "~1.1.4"
+      },
+      "engines": {
+        "node": ">=7.0.0"
+      }
+    },
+    "node_modules/wrap-ansi/node_modules/color-name": {
+      "version": "1.1.4",
+      "resolved": "https://registry.npmjs.org/color-name/-/color-name-1.1.4.tgz",
+      "integrity": "sha512-dOy+3AuW3a2wNbZHIuMZpTcgjGuLU/uBL/ubcZF9OXbDo8ff4O8yVp5Bf0efS8uEoYo5q4Fx7dY9OgQGXgAsQA=="
+    },
+    "node_modules/wrappy": {
+      "version": "1.0.2",
+      "resolved": "https://registry.npmjs.org/wrappy/-/wrappy-1.0.2.tgz",
+      "integrity": "sha512-l4Sp/DRseor9wL6EvV2+TuQn63dMkPjZ/sp9XkghTEbV9KlPS1xUsZ3u7/IQO4wxtcFB4bgpQPRcR3QCvezPcQ=="
+    },
+    "node_modules/xmlcreate": {
+      "version": "2.0.4",
+      "resolved": "https://registry.npmjs.org/xmlcreate/-/xmlcreate-2.0.4.tgz",
+      "integrity": "sha512-nquOebG4sngPmGPICTS5EnxqhKbCmz5Ox5hsszI2T6U5qdrJizBc+0ilYSEjTSzU0yZcmvppztXe/5Al5fUwdg=="
+    },
+    "node_modules/y18n": {
+      "version": "5.0.8",
+      "resolved": "https://registry.npmjs.org/y18n/-/y18n-5.0.8.tgz",
+      "integrity": "sha512-0pfFzegeDWJHJIAmTLRP2DwHjdF5s7jo9tuztdQxAhINCdvS+3nGINqPd00AphqJR/0LhANUS6/+7SCb98YOfA==",
+      "engines": {
+        "node": ">=10"
+      }
+    },
+    "node_modules/yallist": {
+      "version": "4.0.0",
+      "resolved": "https://registry.npmjs.org/yallist/-/yallist-4.0.0.tgz",
+      "integrity": "sha512-3wdGidZyq5PB084XLES5TpOSRA3wjXAlIWMhum2kRcv/41Sn2emQ0dycQW4uZXLejwKvg6EsvbdlVL+FYEct7A=="
+    },
+    "node_modules/yargs": {
+      "version": "17.7.2",
+      "resolved": "https://registry.npmjs.org/yargs/-/yargs-17.7.2.tgz",
+      "integrity": "sha512-7dSzzRQ++CKnNI/krKnYRV7JKKPUXMEh61soaHKg9mrWEhzFWhFnxPxGl+69cD1Ou63C13NUPCnmIcrvqCuM6w==",
+      "dependencies": {
+        "cliui": "^8.0.1",
+        "escalade": "^3.1.1",
+        "get-caller-file": "^2.0.5",
+        "require-directory": "^2.1.1",
+        "string-width": "^4.2.3",
+        "y18n": "^5.0.5",
+        "yargs-parser": "^21.1.1"
+      },
+      "engines": {
+        "node": ">=12"
+      }
+    },
+    "node_modules/yargs-parser": {
+      "version": "21.1.1",
+      "resolved": "https://registry.npmjs.org/yargs-parser/-/yargs-parser-21.1.1.tgz",
+      "integrity": "sha512-tVpsJW7DdjecAiFpbIB1e3qxIQsE6NoPc5/eTdrbbIC4h0LVsWhnoa3g+m2HclBIujHzsxZ4VJVA+GUuc2/LBw==",
+      "engines": {
+        "node": ">=12"
+      }
+    }
+  }
+}
diff --git a/blueprints/apigee/apigee-x-foundations/functions/instance-monitor/package.json b/blueprints/apigee/apigee-x-foundations/functions/instance-monitor/package.json
new file mode 100644
index 0000000000..c1004d3ccc
--- /dev/null
+++ b/blueprints/apigee/apigee-x-foundations/functions/instance-monitor/package.json
@@ -0,0 +1,20 @@
+{
+  "name": "instance-checker",
+  "version": "1.0.0",
+  "description": "",
+  "main": "index.js",
+  "engines": {
+    "node": ">=18.0.0"
+  },
+  "scripts": {
+    "test": "echo \"Error: no test specified\" && exit 1"
+  },
+  "author": "",
+  "license": "ISC",
+  "dependencies": {
+    "@google-cloud/functions-framework": "^3.3.0",
+    "@google-cloud/logging-bunyan": "^5.0.0",
+    "bunyan": "^1.8.15",
+    "@google-cloud/monitoring": "^3.0.5"
+  }
+}
diff --git a/blueprints/apigee/apigee-x-foundations/kms.tf b/blueprints/apigee/apigee-x-foundations/kms.tf
new file mode 100644
index 0000000000..120a118ca3
--- /dev/null
+++ b/blueprints/apigee/apigee-x-foundations/kms.tf
@@ -0,0 +1,64 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+resource "random_id" "database_kms" {
+  byte_length = 4
+}
+
+resource "random_id" "disks_kms" {
+  for_each    = var.apigee_config.instances
+  byte_length = 4
+}
+
+module "database_kms" {
+  count      = try(var.apigee_config.organization.database_encryption_key, null) == null ? 1 : 0
+  source     = "../../../modules/kms"
+  project_id = module.project.project_id
+  keyring = {
+    location = "global"
+    name     = "apigee-${random_id.database_kms.hex}"
+  }
+  keys = {
+    database-key = {
+      purpose         = "ENCRYPT_DECRYPT"
+      rotation_period = "2592000s"
+      labels          = null
+      iam = {
+        "roles/cloudkms.cryptoKeyEncrypterDecrypter" = ["serviceAccount:${module.project.service_accounts.robots.apigee}"]
+      }
+    }
+  }
+}
+
+module "disks_kms" {
+  for_each   = var.apigee_config.instances
+  source     = "../../../modules/kms"
+  project_id = module.project.project_id
+  keyring = {
+    location = each.key
+    name     = "apigee-${each.key}-${random_id.disks_kms[each.key].hex}"
+  }
+  keys = {
+    disk-key = {
+      purpose         = "ENCRYPT_DECRYPT"
+      rotation_period = "2592000s"
+      labels          = null
+      iam = {
+        "roles/cloudkms.cryptoKeyEncrypterDecrypter" = ["serviceAccount:${module.project.service_accounts.robots.apigee}"]
+      }
+    }
+  }
+}
diff --git a/blueprints/apigee/apigee-x-foundations/main.tf b/blueprints/apigee/apigee-x-foundations/main.tf
new file mode 100644
index 0000000000..d25c1c11b3
--- /dev/null
+++ b/blueprints/apigee/apigee-x-foundations/main.tf
@@ -0,0 +1,108 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+module "project" {
+  source                  = "../../../modules/project"
+  billing_account         = var.project_config.billing_account_id
+  compute_metadata        = var.project_config.compute_metadata
+  custom_roles            = var.project_config.custom_roles
+  default_service_account = var.project_config.default_service_account
+  iam                     = var.project_config.iam
+  iam_bindings            = var.project_config.iam_bindings
+  iam_bindings_additive   = var.project_config.iam_bindings_additive
+  labels                  = var.project_config.labels
+  lien_reason             = var.project_config.lien_reason
+  logging_data_access     = var.project_config.logging_data_access
+  logging_exclusions      = var.project_config.log_exclusions
+  logging_sinks           = var.project_config.logging_sinks
+  metric_scopes           = var.project_config.metric_scopes
+  name                    = var.project_config.name
+  org_policies            = var.project_config.org_policies
+  parent                  = var.project_config.parent
+  prefix                  = var.project_config.prefix
+  services = distinct(concat(var.project_config.services, [
+    "apigee.googleapis.com",
+    "cloudkms.googleapis.com",
+    "compute.googleapis.com",
+    "eventarc.googleapis.com",
+    "dns.googleapis.com",
+    "iam.googleapis.com",
+    "servicenetworking.googleapis.com",
+    ], var.enable_monitoring ? [
+    "cloudbuild.googleapis.com",
+    "cloudfunctions.googleapis.com",
+    "logging.googleapis.com",
+    "monitoring.googleapis.com",
+    "pubsub.googleapis.com",
+    "run.googleapis.com"
+  ] : []))
+
+  shared_vpc_service_config = var.project_config.shared_vpc_service_config
+  skip_delete               = var.project_config.skip_delete
+  tag_bindings              = var.project_config.tag_bindings
+}
+
+module "shared_vpc" {
+  count      = var.network_config.shared_vpc == null ? 0 : 1
+  source     = "../../../modules/net-vpc"
+  project_id = var.project_config.shared_vpc_service_config.host_project
+  name       = var.network_config.shared_vpc.name
+  vpc_create = false
+}
+
+module "apigee_vpc" {
+  count      = var.network_config.apigee_vpc == null ? 0 : 1
+  source     = "../../../modules/net-vpc"
+  project_id = module.project.project_id
+  name       = coalesce(var.network_config.apigee_vpc.name, "apigee-vpc")
+  vpc_create = var.network_config.apigee_vpc.auto_create
+  psa_configs = [{
+    ranges = merge(flatten([for k, v in var.apigee_config.instances : merge(
+      v.runtime_ip_cidr_range == null ? {} : { "apigee-22-${k}" = v.runtime_ip_cidr_range },
+      v.troubleshooting_ip_cidr_range == null ? {} : { "apigee-28-${k}" = v.troubleshooting_ip_cidr_range }
+    )])...)
+    export_routes  = true
+    import_routes  = false
+    peered_domains = local.peered_domains
+  }]
+  subnets = [for k, v in var.network_config.apigee_vpc.subnets :
+    {
+      name          = coalesce(v.name, "subnet-${k}")
+      region        = k
+      ip_cidr_range = v.ip_cidr_range
+      description   = "Subnet in ${k} region"
+    }
+  if v.ip_cidr_range != null && (var.int_cross_region_lb_config != null || nonsensitive(var.int_lb_config != null))]
+  subnets_proxy_only = [for k, v in var.network_config.apigee_vpc.subnets_proxy_only :
+    {
+      name          = coalesce(v.name, "subnet-proxy-only-${k}")
+      region        = k
+      ip_cidr_range = v.ip_cidr_range
+      description   = "Proxy-only subnet in ${k} region"
+      global        = var.int_cross_region_lb_config != null
+    }
+  if v.ip_cidr_range != null && (var.int_cross_region_lb_config != null || nonsensitive(var.int_lb_config != null))]
+  subnets_psc = [for k, v in var.network_config.apigee_vpc.subnets_psc :
+    {
+      name          = coalesce(v.name, "subnet-psc-${k}")
+      region        = k
+      ip_cidr_range = v.ip_cidr_range
+      description   = "PSC Subnet in ${k} region"
+      global        = var.int_cross_region_lb_config != null
+    }
+  if v.ip_cidr_range != null]
+}
+
diff --git a/blueprints/apigee/apigee-x-foundations/monitoring.tf b/blueprints/apigee/apigee-x-foundations/monitoring.tf
new file mode 100644
index 0000000000..70d3a2195d
--- /dev/null
+++ b/blueprints/apigee/apigee-x-foundations/monitoring.tf
@@ -0,0 +1,52 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+module "instance_monitor_function" {
+  count       = var.enable_monitoring && length(var.apigee_config.instances) > 0 ? 1 : 0
+  source      = "../../../modules/cloud-function-v2"
+  project_id  = module.project.project_id
+  name        = "instance-monitor"
+  bucket_name = module.project.project_id
+  bucket_config = {
+  }
+  bundle_config = {
+    source_dir  = "${path.module}/functions/instance-monitor"
+    output_path = "bundle.zip"
+  }
+  function_config = {
+    entry_point = "writeMetric"
+    runtime     = "nodejs20"
+    timeout     = 180
+  }
+  trigger_config = {
+    event_type = "google.cloud.audit.log.v1.written"
+    region     = "global"
+    event_filters = [
+      {
+        attribute = "serviceName"
+        value     = "apigee.googleapis.com"
+      },
+      {
+        attribute = "methodName"
+        value     = "google.cloud.apigee.v1.RuntimeService.ReportInstanceStatus"
+      },
+    ]
+    service_account_create = true
+    retry_policy           = "RETRY_POLICY_DO_NOT_RETRY"
+  }
+  region                 = var.apigee_config.organization.analytics_region
+  service_account_create = true
+}
diff --git a/blueprints/apigee/apigee-x-foundations/northbound.tf b/blueprints/apigee/apigee-x-foundations/northbound.tf
new file mode 100644
index 0000000000..caae13bf07
--- /dev/null
+++ b/blueprints/apigee/apigee-x-foundations/northbound.tf
@@ -0,0 +1,248 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+
+locals {
+  preconfigured_waf_rules = { for k, v in try(var.ext_lb_config.security_policy.preconfigured_waf_rules, {}) : k =>
+    merge(v.sensitivity == null ? {} : {
+      sensitivity = v.sensitivity
+      },
+      length(v.opt_in_rule_ids) > 0 ? {
+        opt_in_rule_ids = v.opt_in_rule_ids
+      } : {},
+      length(v.opt_out_rule_ids) > 0 ? {
+        opt_out_rule_ids = v.opt_out_rule_ids
+    } : {})
+  }
+  network = try(module.shared_vpc[0].id, module.apigee_vpc[0].id)
+  neg_subnets = (var.network_config.shared_vpc == null ?
+    (try(var.network_config.apigee_vpc.auto_create, false) ?
+      { for k, v in module.apigee_vpc[0].subnets_psc : v.region => v.id } :
+    { for k, v in var.network_config.apigee_vpc.subnets_psc : v => v.id }) :
+    var.network_config.shared_vpc.subnets_psc
+  )
+  ilb_subnets = (var.network_config.shared_vpc == null ?
+    (try(var.network_config.apigee_vpc.auto_create, false) ?
+      { for k, v in module.apigee_vpc[0].subnets : v.region => v.id } :
+    { for k, v in var.network_config.apigee_vpc.subnets : v => v.id }) :
+    var.network_config.shared_vpc.subnets
+  )
+  ext_instances              = var.ext_lb_config == null ? {} : { for k, v in local.neg_subnets : k => module.apigee.instances[k] }
+  int_instances              = var.int_lb_config == null ? {} : { for k, v in local.ilb_subnets : k => module.apigee.instances[k] }
+  int_cross_region_instances = var.int_cross_region_lb_config == null ? {} : { for k, v in local.ilb_subnets : k => module.apigee.instances[k] }
+}
+
+resource "google_compute_region_network_endpoint_group" "psc_negs" {
+  for_each              = local.neg_subnets
+  project               = module.project.project_id
+  region                = each.key
+  name                  = "apigee-${each.key}"
+  network_endpoint_type = "PRIVATE_SERVICE_CONNECT"
+  psc_target_service    = module.apigee.instances[each.key].service_attachment
+  network               = local.network
+  subnetwork            = each.value
+}
+
+module "ext_lb" {
+  count               = length(local.ext_instances) > 0 ? 1 : 0
+  source              = "../../../modules/net-lb-app-ext"
+  name                = "ext-lb"
+  project_id          = module.project.project_id
+  protocol            = "HTTPS"
+  use_classic_version = false
+  backend_service_configs = {
+    default = {
+      backends          = [for k, v in local.ext_instances : { backend = google_compute_region_network_endpoint_group.psc_negs[k].id }]
+      protocol          = "HTTPS"
+      health_checks     = []
+      outlier_detection = var.ext_lb_config.outlier_detection
+      security_policy   = try(google_compute_security_policy.policy[0].name, null)
+      log_sample_rate   = var.ext_lb_config.log_sample_rate
+    }
+  }
+  health_check_configs = {
+    default = {
+      https = { port_specification = "USE_SERVING_PORT" }
+    }
+  }
+  ssl_certificates = var.ext_lb_config.ssl_certificates
+}
+
+module "int_lb" {
+  for_each   = local.int_instances
+  source     = "../../../modules/net-lb-app-int"
+  name       = "${each.key}-int-lb"
+  project_id = module.project.project_id
+  region     = each.key
+  protocol   = "HTTPS"
+  backend_service_configs = {
+    default = {
+      backends = [{
+        group = google_compute_region_network_endpoint_group.psc_negs[each.key].id
+      }]
+      outlier_detection = var.int_lb_config.outlier_detection
+      health_checks     = []
+      log_sample_rate   = var.int_lb_config.log_sample_rate
+    }
+  }
+  ssl_certificates = var.int_lb_config.ssl_certificates
+  vpc_config = {
+    network    = local.network
+    subnetwork = local.ilb_subnets[each.key]
+  }
+}
+
+module "int_cross_region_lb" {
+  count      = length(local.int_cross_region_instances) > 0 ? 1 : 0
+  source     = "../../../modules/net-lb-app-int-cross-region"
+  name       = "int-cross-region-lb"
+  project_id = module.project.project_id
+  protocol   = "HTTPS"
+  backend_service_configs = {
+    default = {
+      backends = [for k, v in google_compute_region_network_endpoint_group.psc_negs : {
+        group = v.id
+      }]
+      outlier_detection = var.int_cross_region_lb_config.outlier_detection
+      health_checks     = []
+      log_sample_rate   = var.int_cross_region_lb_config.log_sample_rate
+    }
+  }
+  https_proxy_config = {
+    certificate_manager_certificates = var.int_cross_region_lb_config.certificate_manager_certificates
+  }
+  vpc_config = {
+    network     = local.network
+    subnetworks = local.ilb_subnets
+  }
+}
+
+resource "google_compute_security_policy" "policy" {
+  provider    = google-beta
+  count       = try(var.ext_lb_config.security_policy, null) == null ? 0 : 1
+  name        = "cloud-armor-security-policy"
+  description = "Cloud Armor Security Policy"
+  project     = module.project.project_id
+  dynamic "advanced_options_config" {
+    for_each = try(var.ext_lb_config, null) == null ? [] : [""]
+    content {
+      json_parsing = try(var.ext_lb_config.security_policy.adaptive_protection_config.json_parsing.enable, false) ? "DISABLED" : "STANDARD"
+      dynamic "json_custom_config" {
+        for_each = try(var.ext_lb_config.security_policy.adaptive_protection_config.json_parsing.content_types, null) == null ? [] : [""]
+        content {
+          content_types = var.ext_lb_config.security_policy.adaptive_protection_config.json_parsing.content_types
+        }
+      }
+      log_level = var.ext_lb_config.security_policy.advanced_options_config.log_level
+    }
+  }
+  dynamic "adaptive_protection_config" {
+    for_each = try(var.ext_lb_config.security_policy.adaptive_protection_config, null) == null ? [] : [""]
+    content {
+      dynamic "layer_7_ddos_defense_config" {
+        for_each = try(var.ext_lb_config.security_policy.adaptive_protection_config.layer_7_ddos_defense_config, null) == null ? [] : [""]
+        content {
+          enable          = var.ext_lb_config.security_policy.adaptive_protection_config.layer_7_ddos_defense_config.enable
+          rule_visibility = var.ext_lb_config.security_policy.adaptive_protection_config.layer_7_ddos_defense_config.rule_visibility
+        }
+      }
+      dynamic "auto_deploy_config" {
+        for_each = try(var.int_lb_config.security_policy.adaptive_protection_config.auto_deploy_config, null) == null ? [] : [""]
+        content {
+          load_threshold              = var.ext_lb_config.security_policy.adaptive_protection_config.auto_deploy_config.load_threshold
+          confidence_threshold        = var.ext_lb_config.security_policy.adaptive_protection_config.auto_deploy_config.confidence_threshold
+          impacted_baseline_threshold = var.ext_lb_config.security_policy.adaptive_protection_config.auto_deploy_config.impacted_baseline_threshold
+          expiration_sec              = var.ext_lb_config.security_policy.adaptive_protection_config.auto_deploy_config.expiration_sec
+        }
+      }
+    }
+  }
+  type = "CLOUD_ARMOR"
+  dynamic "rule" {
+    for_each = try(var.ext_lb_config.security_policy.rate_limit_threshold, null) == null ? [] : [""]
+    content {
+      action   = "throttle"
+      priority = 3000
+      rate_limit_options {
+        enforce_on_key = "ALL"
+        conform_action = "allow"
+        exceed_action  = "deny(429)"
+        rate_limit_threshold {
+          count        = var.ext_lb_config.security_policy.rate_limit_threshold.count
+          interval_sec = var.ext_lb_config.security_policy.rate_limit_threshold.interval_sec
+        }
+      }
+      match {
+        versioned_expr = "SRC_IPS_V1"
+        config {
+          src_ip_ranges = ["*"]
+        }
+      }
+      description = "Rate limit all user IPs"
+    }
+  }
+  dynamic "rule" {
+    for_each = try(length(var.ext_lb_config.security_policy.forbidden_src_ip_ranges), 0) > 0 ? [""] : []
+    content {
+      action   = "deny(403)"
+      priority = 5000
+      match {
+        versioned_expr = "SRC_IPS_V1"
+        config {
+          src_ip_ranges = var.ext_lb_config.security_policy.forbidden_src_ip_ranges
+        }
+      }
+      description = "Deny access to IPs in specific ranges"
+    }
+  }
+  dynamic "rule" {
+    for_each = try(length(var.ext_lb_config.security_policy.forbidden_regions), 0) > 0 ? [""] : []
+    content {
+      action   = "deny(403)"
+      priority = 7000
+      match {
+        expr {
+          expression = "origin.region_code.matches(\"^${join("|", var.ext_lb_config.security_policy.forbidden_regions)}$\")"
+        }
+      }
+      description = "Block users from forbidden regions"
+    }
+  }
+  dynamic "rule" {
+    for_each = local.preconfigured_waf_rules
+    content {
+      action   = "deny(403)"
+      priority = 10000 + index(keys(var.ext_lb_config.security_policy.preconfigured_waf_rules), rule.key) * 1000
+      match {
+        expr {
+          expression = "evaluatePreconfiguredWaf(\"${rule.key}\"${length(rule.value) > 0 ? join("", [",", jsonencode(rule.value)]) : ""})"
+        }
+      }
+      description = "Preconfigured WAF rule (${rule.key})"
+    }
+  }
+  rule {
+    action   = "allow"
+    priority = 2147483647
+    match {
+      versioned_expr = "SRC_IPS_V1"
+      config {
+        src_ip_ranges = ["*"]
+      }
+    }
+    description = "default rule"
+  }
+}
diff --git a/blueprints/apigee/apigee-x-foundations/outputs.tf b/blueprints/apigee/apigee-x-foundations/outputs.tf
new file mode 100644
index 0000000000..3ce7b959c7
--- /dev/null
+++ b/blueprints/apigee/apigee-x-foundations/outputs.tf
@@ -0,0 +1,46 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+output "endpoint_attachment_hosts" {
+  description = "Endpoint attachment hosts."
+  value       = module.apigee.endpoint_attachment_hosts
+}
+
+output "ext_lb_ip_address" {
+  description = "External IP address."
+  value       = var.ext_lb_config != null && length(local.ext_instances) > 0 ? module.ext_lb[0].address : null
+}
+
+output "instance_service_attachments" {
+  description = "Instance service attachments."
+  value       = { for k, v in module.apigee.instances : k => v.service_attachment }
+}
+
+output "int_cross_region_lb_ip_addresses" {
+  description = "Internal IP addresses."
+  value       = var.int_cross_region_lb_config != null && length(local.int_cross_region_instances) > 0 ? module.int_cross_region_lb[0].addresses : null
+}
+
+output "int_lb_ip_addresses" {
+  description = "Internal IP addresses."
+  value       = var.int_lb_config != null && length(local.int_instances) > 0 ? { for k, v in module.int_lb : k => v.address } : null
+}
+
+output "project_id" {
+  description = "Project."
+  value       = module.project.project_id
+}
+
diff --git a/blueprints/apigee/apigee-x-foundations/variables.tf b/blueprints/apigee/apigee-x-foundations/variables.tf
new file mode 100644
index 0000000000..a874de822a
--- /dev/null
+++ b/blueprints/apigee/apigee-x-foundations/variables.tf
@@ -0,0 +1,360 @@
+/**
+ * Copyright 2023 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "apigee_config" {
+  description = "Apigee configuration."
+  type = object({
+    addons_config = optional(object({
+      advanced_api_ops    = optional(bool, false)
+      api_security        = optional(bool, false)
+      connectors_platform = optional(bool, false)
+      integration         = optional(bool, false)
+      monetization        = optional(bool, false)
+    }))
+    organization = object({
+      display_name            = optional(string)
+      description             = optional(string, "Terraform-managed")
+      billing_type            = optional(string)
+      database_encryption_key = optional(string)
+      analytics_region        = optional(string, "europe-west1")
+      retention               = optional(string)
+      disable_vpc_peering     = optional(bool, false)
+    })
+    envgroups = optional(map(list(string)), {})
+    environments = optional(map(object({
+      description  = optional(string)
+      display_name = optional(string)
+      envgroups    = optional(list(string), [])
+      iam          = optional(map(list(string)), {})
+      iam_bindings = optional(map(object({
+        role    = string
+        members = list(string)
+        condition = optional(object({
+          expression  = string
+          title       = string
+          description = optional(string)
+        }))
+      })), {})
+      iam_bindings_additive = optional(map(object({
+        role   = string
+        member = string
+        condition = optional(object({
+          expression  = string
+          title       = string
+          description = optional(string)
+        }))
+      })), {})
+      node_config = optional(object({
+        min_node_count = optional(number)
+        max_node_count = optional(number)
+      }), {})
+      type = optional(string)
+    })), {})
+    instances = optional(map(object({
+      disk_encryption_key           = optional(string)
+      environments                  = optional(list(string), [])
+      external                      = optional(bool, true)
+      runtime_ip_cidr_range         = optional(string)
+      troubleshooting_ip_cidr_range = optional(string)
+    })), {})
+    endpoint_attachments = optional(map(object({
+      region             = string
+      service_attachment = string
+      dns_names          = optional(list(string), [])
+    })), {})
+  })
+  validation {
+    condition = (!var.apigee_config.organization.disable_vpc_peering ||
+    alltrue([for k, v in var.apigee_config.endpoint_attachments : length(v.dns_names) == 0]))
+    error_message = "If disable_vpc_peering is true for the organization, DNS names cannot be used for endpoint attachments."
+  }
+  nullable = false
+}
+
+variable "enable_monitoring" {
+  description = "Boolean flag indicating whether an custom metric to monitor instances should be created in Cloud monitoring."
+  type        = bool
+  default     = false
+}
+
+variable "ext_lb_config" {
+  description = "External application load balancer configuration."
+  type = object({
+    log_sample_rate = optional(number)
+    outlier_detection = optional(object({
+      consecutive_errors                    = optional(number)
+      consecutive_gateway_failure           = optional(number)
+      enforcing_consecutive_errors          = optional(number)
+      enforcing_consecutive_gateway_failure = optional(number)
+      enforcing_success_rate                = optional(number)
+      max_ejection_percent                  = optional(number)
+      success_rate_minimum_hosts            = optional(number)
+      success_rate_request_volume           = optional(number)
+      success_rate_stdev_factor             = optional(number)
+      base_ejection_time = optional(object({
+        seconds = number
+        nanos   = optional(number)
+      }))
+      interval = optional(object({
+        seconds = number
+        nanos   = optional(number)
+      }))
+    }))
+    security_policy = optional(object({
+      advanced_options_config = optional(object({
+        json_parsing = optional(object({
+          enable        = optional(bool, false)
+          content_types = optional(list(string))
+        }))
+        log_level = optional(string)
+      }))
+      adaptive_protection_config = optional(object({
+        layer_7_ddos_defense_config = optional(object({
+          enable          = optional(bool, false)
+          rule_visibility = optional(string)
+        }))
+        auto_deploy_config = optional(object({
+          load_threshold              = optional(number)
+          confidence_threshold        = optional(number)
+          impacted_baseline_threshold = optional(number)
+          expiration_sec              = optional(number)
+        }))
+      }))
+      rate_limit_threshold = optional(object({
+        count        = number
+        interval_sec = number
+      }))
+      forbidden_src_ip_ranges = optional(list(string), [])
+      forbidden_regions       = optional(list(string), [])
+      preconfigured_waf_rules = optional(map(object({
+        sensitivity      = optional(number)
+        opt_in_rule_ids  = optional(list(string), [])
+        opt_out_rule_ids = optional(list(string), [])
+      })))
+    }))
+    ssl_certificates = object({
+      certificate_ids = optional(list(string), [])
+      create_configs = optional(map(object({
+        certificate = string
+        private_key = string
+      })), {})
+      managed_configs = optional(map(object({
+        domains     = list(string)
+        description = optional(string)
+      })), {})
+      self_signed_configs = optional(list(string), null)
+    })
+  })
+  default = null
+}
+
+variable "int_cross_region_lb_config" {
+  description = "Internal application load balancer configuration."
+  type = object({
+    log_sample_rate = optional(number)
+    outlier_detection = optional(object({
+      consecutive_errors                    = optional(number)
+      consecutive_gateway_failure           = optional(number)
+      enforcing_consecutive_errors          = optional(number)
+      enforcing_consecutive_gateway_failure = optional(number)
+      enforcing_success_rate                = optional(number)
+      max_ejection_percent                  = optional(number)
+      success_rate_minimum_hosts            = optional(number)
+      success_rate_request_volume           = optional(number)
+      success_rate_stdev_factor             = optional(number)
+      base_ejection_time = optional(object({
+        seconds = number
+        nanos   = optional(number)
+      }))
+      interval = optional(object({
+        seconds = number
+        nanos   = optional(number)
+      }))
+    }))
+    certificate_manager_certificates = optional(list(string))
+  })
+  default = null
+}
+
+variable "int_lb_config" {
+  description = "Internal application load balancer configuration."
+  type = object({
+    log_sample_rate = optional(number)
+    outlier_detection = optional(object({
+      consecutive_errors                    = optional(number)
+      consecutive_gateway_failure           = optional(number)
+      enforcing_consecutive_errors          = optional(number)
+      enforcing_consecutive_gateway_failure = optional(number)
+      enforcing_success_rate                = optional(number)
+      max_ejection_percent                  = optional(number)
+      success_rate_minimum_hosts            = optional(number)
+      success_rate_request_volume           = optional(number)
+      success_rate_stdev_factor             = optional(number)
+      base_ejection_time = optional(object({
+        seconds = number
+        nanos   = optional(number)
+      }))
+      interval = optional(object({
+        seconds = number
+        nanos   = optional(number)
+      }))
+    }))
+    ssl_certificates = object({
+      certificate_ids = optional(list(string), [])
+      create_configs = optional(map(object({
+        certificate = string
+        private_key = string
+      })), {})
+      self_signed_configs = optional(list(string), [])
+    })
+  })
+  default = null
+}
+
+
+variable "network_config" {
+  description = "Network configuration."
+  type = object({
+    shared_vpc = optional(object({
+      name        = string
+      subnets     = map(string)
+      subnets_psc = map(string)
+    }))
+    apigee_vpc = optional(object({
+      name        = optional(string)
+      auto_create = optional(bool, true)
+      subnets = optional(map(object({
+        id            = optional(string)
+        name          = optional(string)
+        ip_cidr_range = optional(string)
+      })), {})
+      subnets_proxy_only = optional(map(object({
+        name          = optional(string)
+        ip_cidr_range = string
+      })), {})
+      subnets_psc = optional(map(object({
+        id            = optional(string)
+        name          = optional(string)
+        ip_cidr_range = optional(string)
+      })), {})
+    }))
+  })
+  nullable = false
+  default  = {}
+  validation {
+    condition     = var.network_config.shared_vpc != null || var.network_config.apigee_vpc != null
+    error_message = "Shared VPC and/or local VPC details need to be provided."
+  }
+  validation {
+    condition     = alltrue([for k, v in try(var.network_config.apigee_vpc.subnets, {}) : (v.id != null || v.ip_cidr_range != null) && !(v.id != null && v.ip_cidr_range != null)])
+    error_message = "An IP CIDR range and id cannot be specified at the same time for a subnet."
+  }
+  validation {
+    condition     = alltrue([for k, v in try(var.network_config.apigee_vpc.subnets_psc, {}) : (v.id != null || v.ip_cidr_range != null) && !(v.id != null && v.ip_cidr_range != null)])
+    error_message = "An IP CIDR range and id cannot be specified at the same time for a PSC subnet."
+  }
+}
+
+variable "project_config" {
+  description = "Project configuration."
+  type = object({
+    billing_account_id      = optional(string)
+    compute_metadata        = optional(map(string), {})
+    contacts                = optional(map(list(string)), {})
+    custom_roles            = optional(map(list(string)), {})
+    default_service_account = optional(string, "keep")
+    descriptive_name        = optional(string)
+    iam                     = optional(map(list(string)), {})
+    group_iam               = optional(map(list(string)), {})
+    iam_bindings = optional(map(object({
+      role    = string
+      members = list(string)
+      condition = optional(object({
+        expression  = string
+        title       = string
+        description = optional(string)
+      }))
+    })), {})
+    iam_bindings_additive = optional(map(object({
+      role   = string
+      member = string
+      condition = optional(object({
+        expression  = string
+        title       = string
+        description = optional(string)
+      }))
+    })), {})
+    labels              = optional(map(string), {})
+    lien_reason         = optional(string)
+    logging_data_access = optional(map(map(list(string))), {})
+    log_exclusions      = optional(map(string), {})
+    logging_sinks = optional(map(object({
+      bq_partitioned_table = optional(bool)
+      description          = optional(string)
+      destination          = string
+      disabled             = optional(bool, false)
+      exclusions           = optional(map(string), {})
+      filter               = string
+      iam                  = optional(bool, true)
+      type                 = string
+      unique_writer        = optional(bool, true)
+    })), {})
+    metric_scopes = optional(list(string), [])
+    name          = string
+    org_policies = optional(map(object({
+      inherit_from_parent = optional(bool) # for list policies only.
+      reset               = optional(bool)
+      rules = optional(list(object({
+        allow = optional(object({
+          all    = optional(bool)
+          values = optional(list(string))
+        }))
+        deny = optional(object({
+          all    = optional(bool)
+          values = optional(list(string))
+        }))
+        enforce = optional(bool) # for boolean policies only.
+        condition = optional(object({
+          description = optional(string)
+          expression  = optional(string)
+          location    = optional(string)
+          title       = optional(string)
+        }), {})
+      })), [])
+    })), {})
+    parent         = optional(string)
+    prefix         = optional(string)
+    project_create = optional(bool, true)
+    vpc_sc = optional(object({
+      perimeter_name    = string
+      perimeter_bridges = optional(list(string), [])
+      is_dry_run        = optional(bool, false)
+    }))
+    services = optional(list(string), [])
+    shared_vpc_host_config = optional(object({
+      enabled          = bool
+      service_projects = optional(list(string), [])
+    }))
+    shared_vpc_service_config = optional(object({
+      host_project         = string
+      service_identity_iam = optional(map(list(string)), {})
+      service_iam_grants   = optional(list(string), [])
+    }))
+    skip_delete  = optional(bool, false)
+    tag_bindings = optional(map(string))
+  })
+}
+
diff --git a/modules/net-lb-app-int-cross-region/README.md b/modules/net-lb-app-int-cross-region/README.md
index 4bbaf4cc8c..4e6155c4ff 100644
--- a/modules/net-lb-app-int-cross-region/README.md
+++ b/modules/net-lb-app-int-cross-region/README.md
@@ -1,4 +1,4 @@
-# Internal Application Load Balancer Module
+# Cross-region Internal Application Load Balancer Module
 
 This module allows managing Cross-regional Internal HTTP/HTTPS Load Balancers (L7 ILBs). It's designed to expose the full configuration of the underlying resources, and to facilitate common usage patterns by providing sensible defaults, and optionally managing prerequisite resources like health checks, instance groups, etc.
 

From 95d0cccff4f9ae933eab0610492c478d5a3730e1 Mon Sep 17 00:00:00 2001
From: Ludo <ludomagno@google.com>
Date: Tue, 14 May 2024 16:54:51 +0200
Subject: [PATCH 31/31] update changelog

---
 CHANGELOG.md | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 8a34721182..0f76361713 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -8,6 +8,7 @@ All notable changes to this project will be documented in this file.
 
 ### BLUEPRINTS
 
+- [[#2274](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2274)] Added apigee-x-foundations blueprint ([apichick](https://github.com/apichick)) <!-- 2024-05-14 14:53:38+00:00 -->
 - [[#2243](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2243)] Added new attributes Apigee organization and bumped up providers version ([apichick](https://github.com/apichick)) <!-- 2024-04-28 15:31:42+00:00 -->
 - [[#2239](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2239)] Update README.md ([vicenteg](https://github.com/vicenteg)) <!-- 2024-04-25 23:14:32+00:00 -->
 - [[#2230](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2230)] docs: :memo: fix error in phpIPAM terraform config by updating VPC pe… ([PapaPeskwo](https://github.com/PapaPeskwo)) <!-- 2024-04-22 10:55:03+00:00 -->
@@ -55,6 +56,7 @@ All notable changes to this project will be documented in this file.
 
 ### MODULES
 
+- [[#2274](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2274)] Added apigee-x-foundations blueprint ([apichick](https://github.com/apichick)) <!-- 2024-05-14 14:53:38+00:00 -->
 - [[#2270](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2270)] Cloud function CMEK key support ([luigi-bitonti](https://github.com/luigi-bitonti)) <!-- 2024-05-14 12:56:10+00:00 -->
 - [[#2272](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2272)] New Bindplane cloud-config-container setup ([simonebruzzechesse](https://github.com/simonebruzzechesse)) <!-- 2024-05-14 12:45:40+00:00 -->
 - [[#2269](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2269)] Implement the full IAM interface for tags ([ludoo](https://github.com/ludoo)) <!-- 2024-05-13 18:18:52+00:00 -->