From c34a1a493acf07c98b7c85dd0f8dae5bd74b0dd6 Mon Sep 17 00:00:00 2001 
From: greg Date: Tue, 3 Oct 2023 03:37:53 -0800 Subject: [PATCH] Release 0.3.0 (#3) * Release 0.3.0 * Release 0.3.0 * Release 0.3.0 --------- Co-authored-by: Microsoft Open Source --- .github/ISSUE_TEMPLATE/bug_report.md | 27 + .github/ISSUE_TEMPLATE/feature_request.md | 20 + .github/PULL_REQUEST_TEMPLATE.md | 23 + .gitignore | 425 +--- README.md | 31 +- SECURITY.md | 4 +- SUPPORT.md | 52 +- bicepconfig.json | 88 + custom/dashboard/compliance/tiles-sample.json | 51 + custom/dashboard/compliance/tiles.json | 1 + ...t_deploy_slz_confidential_custom.tmpl.json | 18 + ...t_deploy_slz_connectivity_custom.tmpl.json | 18 + ...ssignment_deploy_slz_corp_custom.tmpl.json | 18 + ...deploy_slz_decommissioned_custom.tmpl.json | 18 + ...ignment_deploy_slz_global_custom.tmpl.json | 18 + ...nment_deploy_slz_identity_custom.tmpl.json | 18 + ..._deploy_slz_landing_zones_custom.tmpl.json | 22 + ...ent_deploy_slz_management_custom.tmpl.json | 18 + ...ignment_deploy_slz_online_custom.tmpl.json | 18 + ...nment_deploy_slz_platform_custom.tmpl.json | 18 + ...gnment_deploy_slz_sandbox_custom.tmpl.json | 18 + .../definitions/slzConfidentialCustom.json | 17 + .../definitions/slzConnectivityCustom.json | 17 + .../policies/definitions/slzCorpCustom.json | 17 + .../definitions/slzDecommissionedCustom.json | 17 + .../policies/definitions/slzGlobalCustom.json | 17 + .../definitions/slzIdentityCustom.json | 17 + .../definitions/slzLandingZoneCustom.json | 17 + .../definitions/slzManagementCustom.json | 17 + .../policies/definitions/slzOnlineCustom.json | 17 + .../definitions/slzPlatformCustom.json | 17 + .../definitions/slzSandboxCustom.json | 17 + .../Alz.Tools/Alz.Classes/Alz.Classes.psd1 | 142 ++ .../Alz.Tools/Alz.Classes/Alz.Classes.psm1 | 584 +++++ .../Alz.Tools/Alz.Enums/Alz.Enums.psd1 | 137 ++ .../Alz.Tools/Alz.Enums/Alz.Enums.psm1 | 48 + dependencies/Alz.Tools/Alz.Tools.psd1 | 172 ++ dependencies/Alz.Tools/Alz.Tools.psm1 | 23 + .../Alz.Tools/ProviderApiVersions.zip | Bin 0 -> 117014 bytes 
.../Alz.Tools/functions/Alz.Tools.ps1 | 786 +++++++ .../scripts/Update-ProviderApiVersionsZip.ps1 | 28 + .../infra-as-code/bicep/CRML/README.md | 9 + .../bicep/CRML/containerRegistry/README.md | 62 + .../containerRegistry/containerRegistry.bicep | 43 + .../generateddocs/containerRegistry.bicep.md | 76 + .../media/bicepVisualizer.png | Bin 0 -> 11001 bytes .../containerRegistry.parameters.all.json | 17 + .../CRML/customerUsageAttribution/README.md | 21 + .../cuaIdManagementGroup.bicep | 11 + .../cuaIdResourceGroup.bicep | 11 + .../cuaIdSubscription.bicep | 11 + .../cuaIdTenant.bicep | 11 + .../cuaIdManagementGroup.bicep.md | 16 + .../generateddocs/cuaIdResourceGroup.bicep.md | 16 + .../generateddocs/cuaIdSubscription.bicep.md | 16 + .../generateddocs/cuaIdTenant.bicep.md | 16 + .../bicep/CRML/subscriptionAlias/README.md | 64 + .../generateddocs/subscriptionAlias.bicep.md | 107 + .../media/bicepVisualizer.png | Bin 0 -> 7685 bytes .../media/exampleDeploymentOutput.png | Bin 0 -> 45818 bytes .../subscriptionAlias.parameters.all.json | 29 + .../subscriptionAlias.parameters.min.json | 12 + .../subscriptionAlias/subscriptionAlias.bicep | 56 + .../infra-as-code/bicep/bicepconfig.json | 98 + .../infra-as-code/bicep/modules/README.md | 21 + .../modules/customRoleDefinitions/README.md | 120 + .../customRoleDefinitions.bicep | 53 + .../definitions/cafApplicationOwnerRole.bicep | 41 + .../cafNetworkManagementRole.bicep | 39 + .../cafSecurityOperationsRole.bicep | 47 + .../cafSubscriptionOwnerRole.bicep | 42 + .../mc-cafNetworkManagementRole.bicep.md | 40 + .../mc-cafSecurityOperationsRole.bicep.md | 40 + .../china/mc-cafNetworkManagementRole.bicep | 37 + .../china/mc-cafSecurityOperationsRole.bicep | 45 + .../cafApplicationOwnerRole.bicep.md | 40 + .../cafNetworkManagementRole.bicep.md | 40 + .../cafSecurityOperationsRole.bicep.md | 40 + .../cafSubscriptionOwnerRole.bicep.md | 40 + .../customRoleDefinitions.bicep.md | 57 + .../mc-customRoleDefinitions.bicep.md | 57 + 
.../mc-customRoleDefinitions.bicep | 53 + .../media/bicepVisualizer.png | Bin 0 -> 73601 bytes .../media/exampleDeploymentOutput.png | Bin 0 -> 84887 bytes .../customRoleDefinitions.parameters.all.json | 12 + .../customRoleDefinitions.parameters.min.json | 12 + .../samples/baseline.sample.bicep | 25 + .../generateddocs/baseline.sample.bicep.md | 16 + .../generateddocs/minimum.sample.bicep.md | 16 + .../samples/minimum.sample.bicep | 21 + .../bicep/modules/hubNetworking/README.md | 177 ++ .../modules/hubNetworking/bicepconfig.json | 124 ++ .../generateddocs/hubNetworking.bicep.md | 589 +++++ .../modules/hubNetworking/hubNetworking.bicep | 795 +++++++ .../hubNetworking/media/bicepVisualizer.png | Bin 0 -> 155157 bytes .../media/exampleDeploymentOutput.png | Bin 0 -> 88069 bytes .../media/mc-exampleDeploymentOutput.png | Bin 0 -> 146504 bytes .../hubNetworking.parameters.all.json | 235 ++ .../hubNetworking.parameters.min.json | 117 + .../mc-hubNetworking.parameters.all.json | 197 ++ .../mc-hubNetworking.parameters.min.json | 153 ++ .../samples/baseline.sample.bicep | 137 ++ .../generateddocs/baseline.sample.bicep.md | 34 + .../generateddocs/minimum.sample.bicep.md | 34 + .../samples/minimum.sample.bicep | 29 + .../bicep/modules/logging/README.md | 147 ++ .../logging/generateddocs/logging.bicep.md | 230 ++ .../bicep/modules/logging/logging.bicep | 169 ++ .../modules/logging/media/bicepVisualizer.png | Bin 0 -> 30790 bytes .../parameters/logging.parameters.all.json | 58 + .../parameters/logging.parameters.min.json | 32 + .../parameters/mc-logging.parameters.all.json | 52 + .../parameters/mc-logging.parameters.min.json | 32 + .../logging/samples/baseline.sample.bicep | 44 + .../generateddocs/baseline.sample.bicep.md | 34 + .../generateddocs/minimum.sample.bicep.md | 34 + .../logging/samples/minimum.sample.bicep | 27 + .../bicep/modules/managementGroups/README.md | 200 ++ .../generateddocs/managementGroups.bicep.md | 155 ++ .../managementGroups/managementGroups.bicep | 
223 ++ .../media/bicepVisualizer.png | Bin 0 -> 88792 bytes .../media/exampleDeploymentOutput.png | Bin 0 -> 229300 bytes .../managementGroups.parameters.all.json | 36 + .../managementGroups.parameters.min.json | 9 + .../samples/baseline.sample.bicep | 38 + .../generateddocs/baseline.sample.bicep.md | 16 + .../generateddocs/minimum.sample.bicep.md | 16 + .../samples/minimum.sample.bicep | 33 + .../bicep/modules/mgDiagSettings/README.md | 70 + .../generateddocs/mgDiagSettings.bicep.md | 46 + .../mgDiagSettings/media/bicepVisualizer.png | Bin 0 -> 5863 bytes .../mgDiagSettings/mgDiagSettings.bicep | 37 + .../mgDiagSettings.parameters.all.json | 12 + .../mgDiagSettings.parameters.min.json | 12 + .../modules/policy/assignments/README.md | 156 ++ .../policy/assignments/alzDefaults/README.md | 86 + .../alzDefaultPolicyAssignments.bicep | 1416 ++++++++++++ .../assignments/alzDefaults/bicepconfig.json | 114 + .../alzDefaultPolicyAssignments.bicep.md | 212 ++ .../mc-alzDefaultPolicyAssignments.bicep.md | 138 ++ .../mc-alzDefaultPolicyAssignments.bicep | 724 ++++++ .../alzDefaults/media/bicepVisualizer.png | Bin 0 -> 495304 bytes ...faultPolicyAssignments.parameters.all.json | 51 + ...faultPolicyAssignments.parameters.min.json | 27 + .../policyAssignmentManagementGroup.bicep.md | 204 ++ .../modules/policy/assignments/lib/README.md | 44 + .../_mc_policyAssignmentsBicepInput.txt | 150 ++ ...gnment_es_deny_appgw_without_waf.tmpl.json | 22 + ...ignment_es_deny_http_ingress_aks.tmpl.json | 22 + ...assignment_es_deny_ip_forwarding.tmpl.json | 18 + ...ment_es_deny_priv_containers_aks.tmpl.json | 22 + ...ment_es_deny_priv_escalation_aks.tmpl.json | 22 + ...ignment_es_deny_public_endpoints.tmpl.json | 18 + ...icy_assignment_es_deny_public_ip.tmpl.json | 27 + ...gnment_es_deny_rdp_from_internet.tmpl.json | 22 + ...nment_es_deny_resource_locations.tmpl.json | 25 + ...ssignment_es_deny_resource_types.tmpl.json | 22 + ...assignment_es_deny_rsg_locations.tmpl.json | 25 + 
..._assignment_es_deny_storage_http.tmpl.json | 22 + ...nment_es_deny_subnet_without_nsg.tmpl.json | 22 + ...nment_es_deny_subnet_without_udr.tmpl.json | 22 + ..._assignment_es_deploy_aks_policy.tmpl.json | 22 + ...ignment_es_deploy_asc_monitoring.tmpl.json | 18 + ...signment_es_deploy_log_analytics.tmpl.json | 43 + ...ment_es_deploy_lx_arc_monitoring.tmpl.json | 25 + ...assignment_es_deploy_mdfc_config.tmpl.json | 40 + ...ment_es_deploy_private_dns_zones.tmpl.json | 82 + ...signment_es_deploy_resource_diag.tmpl.json | 22 + ...gnment_es_deploy_sql_db_auditing.tmpl.json | 22 + ...ssignment_es_deploy_sql_security.tmpl.json | 22 + ..._assignment_es_deploy_sql_threat.tmpl.json | 18 + ...y_assignment_es_deploy_vm_backup.tmpl.json | 22 + ...signment_es_deploy_vm_monitoring.tmpl.json | 22 + ...gnment_es_deploy_vmss_monitoring.tmpl.json | 22 + ...ment_es_deploy_ws_arc_monitoring.tmpl.json | 25 + ...y_assignment_es_enable_ddos_vnet.tmpl.json | 25 + ...cy_assignment_es_enforce_tls_ssl.tmpl.json | 18 + ...cy_assignment_es_audit_appgw_waf.tmpl.json | 22 + ...y_assignment_es_audit_pednszones.tmpl.json | 89 + ...ignment_es_audit_unusedresources.tmpl.json | 28 + ...gnment_es_deny_appgw_without_waf.tmpl.json | 22 + ...gnment_es_deny_classic-resources.tmpl.json | 83 + ...ent_es_deny_databricks_public_ip.tmpl.json | 22 + ...ssignment_es_deny_databricks_sku.tmpl.json | 22 + ...signment_es_deny_databricks_vnet.tmpl.json | 22 + ...ignment_es_deny_http_ingress_aks.tmpl.json | 22 + ...ignment_es_deny_hybridnetworking.tmpl.json | 34 + ...assignment_es_deny_ip_forwarding.tmpl.json | 18 + ...nment_es_deny_mgmtports_internet.tmpl.json | 22 + ...ment_es_deny_priv_containers_aks.tmpl.json | 22 + ...ment_es_deny_priv_escalation_aks.tmpl.json | 22 + ...ignment_es_deny_public_endpoints.tmpl.json | 18 + ...icy_assignment_es_deny_public_ip.tmpl.json | 27 + ...ignment_es_deny_public_ip_on_nic.tmpl.json | 18 + ...gnment_es_deny_rdp_from_internet.tmpl.json | 22 + 
...nment_es_deny_resource_locations.tmpl.json | 25 + ...ssignment_es_deny_resource_types.tmpl.json | 22 + ...assignment_es_deny_rsg_locations.tmpl.json | 25 + ..._assignment_es_deny_storage_http.tmpl.json | 22 + ...nment_es_deny_subnet_without_nsg.tmpl.json | 22 + ...nment_es_deny_subnet_without_udr.tmpl.json | 22 + ...assignment_es_deny_unmanageddisk.tmpl.json | 24 + ..._assignment_es_deploy_aks_policy.tmpl.json | 22 + ...ignment_es_deploy_asc_monitoring.tmpl.json | 18 + ...ignment_es_deploy_azactivity_log.tmpl.json | 25 + ...ment_es_deploy_azsql_db_auditing.tmpl.json | 25 + ...signment_es_deploy_log_analytics.tmpl.json | 43 + ...ment_es_deploy_lx_arc_monitoring.tmpl.json | 25 + ...ssignment_es_deploy_mdeendpoints.tmpl.json | 31 + ...assignment_es_deploy_mdfc_config.tmpl.json | 76 + ..._assignment_es_deploy_mdfc_ossdb.tmpl.json | 18 + ...assignment_es_deploy_mdfc_sqlatp.tmpl.json | 18 + ...ment_es_deploy_private_dns_zones.tmpl.json | 178 ++ ...signment_es_deploy_resource_diag.tmpl.json | 22 + ...gnment_es_deploy_sql_db_auditing.tmpl.json | 22 + ...ssignment_es_deploy_sql_security.tmpl.json | 22 + ...icy_assignment_es_deploy_sql_tde.tmpl.json | 18 + ..._assignment_es_deploy_sql_threat.tmpl.json | 18 + ...y_assignment_es_deploy_vm_backup.tmpl.json | 22 + ...signment_es_deploy_vm_monitoring.tmpl.json | 22 + ...gnment_es_deploy_vmss_monitoring.tmpl.json | 22 + ...ment_es_deploy_ws_arc_monitoring.tmpl.json | 25 + ...y_assignment_es_enable_ddos_vnet.tmpl.json | 25 + ...olicy_assignment_es_enforce_acsb.tmpl.json | 18 + ...assignment_es_enforce_alz_decomm.tmpl.json | 35 + ...ssignment_es_enforce_alz_sandbox.tmpl.json | 29 + ...ssignment_es_enforce_gr_keyvault.tmpl.json | 18 + ...cy_assignment_es_enforce_tls_ssl.tmpl.json | 18 + .../assignments/media/bicepVisualizer.png | Bin 0 -> 46565 bytes ...ntManagementGroup.dine.parameters.all.json | 74 + ...ntManagementGroup.dine.parameters.min.json | 49 + ...ntManagementGroup.deny.parameters.all.json | 51 + 
...ntManagementGroup.deny.parameters.min.json | 30 + ...ntManagementGroup.dine.parameters.all.json | 98 + ...ntManagementGroup.dine.parameters.min.json | 73 + .../policyAssignmentManagementGroup.bicep | 137 ++ .../modules/policy/definitions/README.md | 101 + .../definitions/customPolicyDefinitions.bicep | 1954 ++++++++++++++++ .../customPolicyDefinitions.bicep.md | 48 + .../mc-customPolicyDefinitions.bicep.md | 48 + .../_mc_policyDefinitionsBicepInput.txt | 400 ++++ ...ion_es_mc_Append-AppService-httpsonly.json | 59 + ...ion_es_mc_Append-AppService-latestTLS.json | 72 + ...definition_es_mc_Append-KV-SoftDelete.json | 50 + ..._es_mc_Append-Redis-disableNonSslPort.json | 64 + ...ion_es_mc_Append-Redis-sslEnforcement.json | 76 + ...dit-MachineLearning-PrivateEndpointId.json | 64 + ...inition_es_mc_Deny-AA-child-resources.json | 56 + ...definition_es_mc_Deny-AFSPaasPublicIP.json | 52 + ...finition_es_mc_Deny-AppGW-Without-WAF.json | 54 + ...tion_es_mc_Deny-AppServiceApiApp-http.json | 58 + ...es_mc_Deny-AppServiceFunctionApp-http.json | 58 + ...tion_es_mc_Deny-AppServiceWebApp-http.json | 58 + ...tion_es_mc_Deny-Databricks-NoPublicIp.json | 52 + ..._definition_es_mc_Deny-Databricks-Sku.json | 52 + ..._es_mc_Deny-Databricks-VirtualNetwork.json | 64 + ...ition_es_mc_Deny-KeyVaultPaasPublicIP.json | 59 + ...nition_es_mc_Deny-MachineLearning-Aks.json | 64 + ...Deny-MachineLearning-Compute-SubnetId.json | 67 + ...c_Deny-MachineLearning-Compute-VmSize.json | 148 ++ ...teCluster-RemoteLoginPortPublicAccess.json | 64 + ...-MachineLearning-ComputeCluster-Scale.json | 92 + ..._mc_Deny-MachineLearning-HbiWorkspace.json | 60 + ...neLearning-PublicAccessWhenBehindVnet.json | 60 + ...y-MachineLearning-PublicNetworkAccess.json | 52 + ...licy_definition_es_mc_Deny-MySql-http.json | 80 + ...definition_es_mc_Deny-PostgreSql-http.json | 80 + ...finition_es_mc_Deny-Private-DNS-Zones.json | 46 + ...ion_es_mc_Deny-PublicEndpoint-MariaDB.json | 54 + 
...policy_definition_es_mc_Deny-PublicIP.json | 46 + ...finition_es_mc_Deny-RDP-From-Internet.json | 124 ++ ...licy_definition_es_mc_Deny-Redis-http.json | 75 + ...licy_definition_es_mc_Deny-Sql-minTLS.json | 75 + ...cy_definition_es_mc_Deny-SqlMi-minTLS.json | 75 + ..._definition_es_mc_Deny-Storage-minTLS.json | 91 + ...inition_es_mc_Deny-Subnet-Without-Nsg.json | 100 + ...inition_es_mc_Deny-Subnet-Without-Udr.json | 98 + ...nition_es_mc_Deny-VNET-Peer-Cross-Sub.json | 54 + ...ny-VNET-Peering-To-Non-Approved-VNETs.json | 88 + ...cy_definition_es_mc_Deny-VNet-Peering.json | 46 + ...ion_es_mc_Deploy-ASC-SecurityContacts.json | 129 ++ ...c_Deploy-ActivityLogs-to-LA-workspace.json | 158 ++ ...policy_definition_es_mc_Deploy-Budget.json | 238 ++ ...ition_es_mc_Deploy-Custom-Route-Table.json | 213 ++ ...efinition_es_mc_Deploy-DDoSProtection.json | 150 ++ ...y_definition_es_mc_Deploy-Default-Udr.json | 133 ++ ...efinition_es_mc_Deploy-Diagnostics-AA.json | 201 ++ ...finition_es_mc_Deploy-Diagnostics-ACI.json | 162 ++ ...finition_es_mc_Deploy-Diagnostics-ACR.json | 193 ++ ...tion_es_mc_Deploy-Diagnostics-APIMgmt.json | 193 ++ ...mc_Deploy-Diagnostics-AVDScalingPlans.json | 154 ++ ...mc_Deploy-Diagnostics-AnalysisService.json | 193 ++ ...n_es_mc_Deploy-Diagnostics-ApiForFHIR.json | 189 ++ ...Deploy-Diagnostics-ApplicationGateway.json | 197 ++ ...tion_es_mc_Deploy-Diagnostics-Bastion.json | 189 ++ ...es_mc_Deploy-Diagnostics-CDNEndpoints.json | 157 ++ ..._Deploy-Diagnostics-CognitiveServices.json | 197 ++ ...ion_es_mc_Deploy-Diagnostics-CosmosDB.json | 217 ++ ..._es_mc_Deploy-Diagnostics-DLAnalytics.json | 193 ++ ...eploy-Diagnostics-DataExplorerCluster.json | 213 ++ ..._es_mc_Deploy-Diagnostics-DataFactory.json | 221 ++ ...n_es_mc_Deploy-Diagnostics-Databricks.json | 192 ++ ...es_mc_Deploy-Diagnostics-EventGridSub.json | 162 ++ ...ploy-Diagnostics-EventGridSystemTopic.json | 189 ++ ..._mc_Deploy-Diagnostics-EventGridTopic.json | 193 ++ 
...es_mc_Deploy-Diagnostics-ExpressRoute.json | 189 ++ ...ion_es_mc_Deploy-Diagnostics-Firewall.json | 241 ++ ...on_es_mc_Deploy-Diagnostics-FrontDoor.json | 193 ++ ...ion_es_mc_Deploy-Diagnostics-Function.json | 197 ++ ...on_es_mc_Deploy-Diagnostics-HDInsight.json | 162 ++ ...es_mc_Deploy-Diagnostics-LoadBalancer.json | 193 ++ ...es_mc_Deploy-Diagnostics-LogicAppsISE.json | 157 ++ ...tion_es_mc_Deploy-Diagnostics-MariaDB.json | 193 ++ ...es_mc_Deploy-Diagnostics-MediaService.json | 189 ++ ..._es_mc_Deploy-Diagnostics-MlWorkspace.json | 288 +++ ...nition_es_mc_Deploy-Diagnostics-MySQL.json | 193 ++ ...finition_es_mc_Deploy-Diagnostics-NIC.json | 161 ++ ...loy-Diagnostics-NetworkSecurityGroups.json | 161 ++ ...n_es_mc_Deploy-Diagnostics-PostgreSQL.json | 197 ++ ...mc_Deploy-Diagnostics-PowerBIEmbedded.json | 189 ++ ...n_es_mc_Deploy-Diagnostics-RedisCache.json | 162 ++ ...nition_es_mc_Deploy-Diagnostics-Relay.json | 189 ++ ...mc_Deploy-Diagnostics-SQLElasticPools.json | 162 ++ ...nition_es_mc_Deploy-Diagnostics-SQLMI.json | 164 ++ ...tion_es_mc_Deploy-Diagnostics-SignalR.json | 185 ++ ...Deploy-Diagnostics-TimeSeriesInsights.json | 193 ++ ..._mc_Deploy-Diagnostics-TrafficManager.json | 189 ++ ...efinition_es_mc_Deploy-Diagnostics-VM.json | 161 ++ ...inition_es_mc_Deploy-Diagnostics-VMSS.json | 161 ++ ...ition_es_mc_Deploy-Diagnostics-VNetGW.json | 209 ++ ..._mc_Deploy-Diagnostics-VirtualNetwork.json | 188 ++ ..._es_mc_Deploy-Diagnostics-WVDAppGroup.json | 164 ++ ...es_mc_Deploy-Diagnostics-WVDHostPools.json | 184 ++ ...es_mc_Deploy-Diagnostics-WVDWorkspace.json | 168 ++ ...s_mc_Deploy-Diagnostics-WebServerFarm.json | 162 ++ ...tion_es_mc_Deploy-Diagnostics-Website.json | 229 ++ ...ition_es_mc_Deploy-Diagnostics-iotHub.json | 241 ++ ...efinition_es_mc_Deploy-FirewallPolicy.json | 167 ++ ...ion_es_mc_Deploy-MySQL-sslEnforcement.json | 138 ++ ...efinition_es_mc_Deploy-MySQLCMKEffect.json | 62 + ...ition_es_mc_Deploy-Nsg-FlowLogs-to-LA.json | 234 ++ 
..._definition_es_mc_Deploy-Nsg-FlowLogs.json | 196 ++ ...s_mc_Deploy-PostgreSQL-sslEnforcement.json | 139 ++ ...tion_es_mc_Deploy-PostgreSQLCMKEffect.json | 62 + ...mc_Deploy-Private-DNS-Azure-File-Sync.json | 121 + ..._mc_Deploy-Private-DNS-Azure-KeyVault.json | 122 + ...on_es_mc_Deploy-Private-DNS-Azure-Web.json | 120 + ...cy_definition_es_mc_Deploy-SQL-minTLS.json | 125 ++ ...ion_es_mc_Deploy-Sql-AuditingSettings.json | 125 ++ ...s_mc_Deploy-Sql-SecurityAlertPolicies.json | 112 + ...olicy_definition_es_mc_Deploy-Sql-Tde.json | 102 + ...c_Deploy-Sql-vulnerabilityAssessments.json | 141 ++ ..._definition_es_mc_Deploy-SqlMi-minTLS.json | 125 ++ ...n_es_mc_Deploy-Storage-sslEnforcement.json | 138 ++ ...definition_es_mc_Deploy-VNET-HubSpoke.json | 309 +++ ...ition_es_mc_Deploy-Windows-DomainJoin.json | 261 +++ .../_mc_policySetDefinitionsBicepInput.txt | 908 ++++++++ ...nition_es_mc_Deny-PublicPaaSEndpoints.json | 256 +++ ...c_Deny-PublicPaaSEndpoints.parameters.json | 72 + ...es_mc_Deploy-Diagnostics-LogAnalytics.json | 1819 +++++++++++++++ ...y-Diagnostics-LogAnalytics.parameters.json | 818 +++++++ ...t_definition_es_mc_Deploy-MDFC-Config.json | 268 +++ ...n_es_mc_Deploy-MDFC-Config.parameters.json | 57 + ...nition_es_mc_Deploy-Private-DNS-Zones.json | 470 ++++ ...c_Deploy-Private-DNS-Zones.parameters.json | 202 ++ ..._definition_es_mc_Deploy-Sql-Security.json | 134 ++ ..._es_mc_Deploy-Sql-Security.parameters.json | 36 + ...finition_es_mc_Enforce-EncryptTransit.json | 640 ++++++ ..._mc_Enforce-EncryptTransit.parameters.json | 195 ++ ...finition_es_mc_Enforce-Encryption-CMK.json | 365 +++ ..._mc_Enforce-Encryption-CMK.parameters.json | 107 + ...nition_es_Append-AppService-httpsonly.json | 59 + ...nition_es_Append-AppService-latestTLS.json | 72 + ...cy_definition_es_Append-KV-SoftDelete.json | 50 + ...ion_es_Append-Redis-disableNonSslPort.json | 63 + ...nition_es_Append-Redis-sslEnforcement.json | 76 + ...efinition_es_Audit-AzureHybridBenefit.json | 88 + 
...Disks-UnusedResourcesCostOptimization.json | 69 + ...dit-MachineLearning-PrivateEndpointId.json | 64 + ...finition_es_Audit-PrivateLinkDnsZones.json | 126 ++ ...esses-UnusedResourcesCostOptimization.json | 89 + ...Farms-UnusedResourcesCostOptimization.json | 57 + ...definition_es_Deny-AA-child-resources.json | 56 + ..._definition_es_Deny-AppGW-Without-WAF.json | 54 + ...inition_es_Deny-AppServiceApiApp-http.json | 58 + ...on_es_Deny-AppServiceFunctionApp-http.json | 58 + ...inition_es_Deny-AppServiceWebApp-http.json | 58 + ...inition_es_Deny-Databricks-NoPublicIp.json | 52 + ...icy_definition_es_Deny-Databricks-Sku.json | 52 + ...ion_es_Deny-Databricks-VirtualNetwork.json | 64 + ...ion_es_Deny-FileServices-InsecureAuth.json | 66 + ...es_Deny-FileServices-InsecureKerberos.json | 66 + ..._Deny-FileServices-InsecureSmbChannel.json | 67 + ...Deny-FileServices-InsecureSmbVersions.json | 69 + ...efinition_es_Deny-MachineLearning-Aks.json | 64 + ...Deny-MachineLearning-Compute-SubnetId.json | 67 + ...s_Deny-MachineLearning-Compute-VmSize.json | 148 ++ ...teCluster-RemoteLoginPortPublicAccess.json | 64 + ...-MachineLearning-ComputeCluster-Scale.json | 92 + ..._es_Deny-MachineLearning-HbiWorkspace.json | 60 + ...neLearning-PublicAccessWhenBehindVnet.json | 60 + ...y-MachineLearning-PublicNetworkAccess.json | 53 + ...ition_es_Deny-MgmtPorts-From-Internet.json | 254 +++ .../policy_definition_es_Deny-MySql-http.json | 80 + ...cy_definition_es_Deny-PostgreSql-http.json | 80 + ..._definition_es_Deny-Private-DNS-Zones.json | 46 + ...nition_es_Deny-PublicEndpoint-MariaDB.json | 55 + .../policy_definition_es_Deny-PublicIP.json | 47 + ..._definition_es_Deny-RDP-From-Internet.json | 125 ++ .../policy_definition_es_Deny-Redis-http.json | 75 + .../policy_definition_es_Deny-Sql-minTLS.json | 75 + ...olicy_definition_es_Deny-SqlMi-minTLS.json | 75 + ...olicy_definition_es_Deny-Storage-SFTP.json | 54 + ...icy_definition_es_Deny-Storage-minTLS.json | 91 + 
...n_es_Deny-StorageAccount-CustomDomain.json | 62 + ...definition_es_Deny-Subnet-Without-Nsg.json | 100 + ...efinition_es_Deny-Subnet-Without-Penp.json | 101 + ...definition_es_Deny-Subnet-Without-Udr.json | 98 + ...ion_es_Deny-UDR-With-Specific-NextHop.json | 87 + ...efinition_es_Deny-VNET-Peer-Cross-Sub.json | 54 + ...ny-VNET-Peering-To-Non-Approved-VNETs.json | 88 + ...olicy_definition_es_Deny-VNet-Peering.json | 46 + ...nition_es_Deploy-ASC-SecurityContacts.json | 155 ++ .../policy_definition_es_Deploy-Budget.json | 238 ++ ...finition_es_Deploy-Custom-Route-Table.json | 213 ++ ...y_definition_es_Deploy-DDoSProtection.json | 150 ++ ...y_definition_es_Deploy-Diagnostics-AA.json | 201 ++ ..._definition_es_Deploy-Diagnostics-ACI.json | 162 ++ ..._definition_es_Deploy-Diagnostics-ACR.json | 193 ++ ...inition_es_Deploy-Diagnostics-APIMgmt.json | 212 ++ ...es_Deploy-Diagnostics-AVDScalingPlans.json | 154 ++ ...es_Deploy-Diagnostics-AnalysisService.json | 193 ++ ...tion_es_Deploy-Diagnostics-ApiForFHIR.json | 189 ++ ...Deploy-Diagnostics-ApplicationGateway.json | 197 ++ ...inition_es_Deploy-Diagnostics-Bastion.json | 189 ++ ...on_es_Deploy-Diagnostics-CDNEndpoints.json | 157 ++ ..._Deploy-Diagnostics-CognitiveServices.json | 197 ++ ...nition_es_Deploy-Diagnostics-CosmosDB.json | 217 ++ ...ion_es_Deploy-Diagnostics-DLAnalytics.json | 193 ++ ...eploy-Diagnostics-DataExplorerCluster.json | 213 ++ ...ion_es_Deploy-Diagnostics-DataFactory.json | 229 ++ ...tion_es_Deploy-Diagnostics-Databricks.json | 272 +++ ...on_es_Deploy-Diagnostics-EventGridSub.json | 162 ++ ...ploy-Diagnostics-EventGridSystemTopic.json | 189 ++ ..._es_Deploy-Diagnostics-EventGridTopic.json | 197 ++ ...on_es_Deploy-Diagnostics-ExpressRoute.json | 189 ++ ...nition_es_Deploy-Diagnostics-Firewall.json | 264 +++ ...ition_es_Deploy-Diagnostics-FrontDoor.json | 193 ++ ...nition_es_Deploy-Diagnostics-Function.json | 197 ++ ...ition_es_Deploy-Diagnostics-HDInsight.json | 162 ++ 
...on_es_Deploy-Diagnostics-LoadBalancer.json | 193 ++ ...on_es_Deploy-Diagnostics-LogAnalytics.json | 189 ++ ...on_es_Deploy-Diagnostics-LogicAppsISE.json | 157 ++ ...inition_es_Deploy-Diagnostics-MariaDB.json | 193 ++ ...on_es_Deploy-Diagnostics-MediaService.json | 189 ++ ...ion_es_Deploy-Diagnostics-MlWorkspace.json | 288 +++ ...efinition_es_Deploy-Diagnostics-MySQL.json | 193 ++ ..._definition_es_Deploy-Diagnostics-NIC.json | 161 ++ ...loy-Diagnostics-NetworkSecurityGroups.json | 161 ++ ...tion_es_Deploy-Diagnostics-PostgreSQL.json | 240 ++ ...es_Deploy-Diagnostics-PowerBIEmbedded.json | 189 ++ ...tion_es_Deploy-Diagnostics-RedisCache.json | 162 ++ ...efinition_es_Deploy-Diagnostics-Relay.json | 189 ++ ...es_Deploy-Diagnostics-SQLElasticPools.json | 162 ++ ...efinition_es_Deploy-Diagnostics-SQLMI.json | 164 ++ ...inition_es_Deploy-Diagnostics-SignalR.json | 185 ++ ...Deploy-Diagnostics-TimeSeriesInsights.json | 193 ++ ..._es_Deploy-Diagnostics-TrafficManager.json | 189 ++ ...y_definition_es_Deploy-Diagnostics-VM.json | 161 ++ ...definition_es_Deploy-Diagnostics-VMSS.json | 161 ++ ...finition_es_Deploy-Diagnostics-VNetGW.json | 205 ++ ...on_es_Deploy-Diagnostics-VWanS2SVPNGW.json | 201 ++ ..._es_Deploy-Diagnostics-VirtualNetwork.json | 188 ++ ...ion_es_Deploy-Diagnostics-WVDAppGroup.json | 164 ++ ...on_es_Deploy-Diagnostics-WVDHostPools.json | 188 ++ ...on_es_Deploy-Diagnostics-WVDWorkspace.json | 168 ++ ...n_es_Deploy-Diagnostics-WebServerFarm.json | 162 ++ ...inition_es_Deploy-Diagnostics-Website.json | 266 +++ ...finition_es_Deploy-Diagnostics-iotHub.json | 241 ++ ...y_definition_es_Deploy-FirewallPolicy.json | 167 ++ ...nition_es_Deploy-MySQL-sslEnforcement.json | 138 ++ ...finition_es_Deploy-Nsg-FlowLogs-to-LA.json | 234 ++ ...icy_definition_es_Deploy-Nsg-FlowLogs.json | 196 ++ ...n_es_Deploy-PostgreSQL-sslEnforcement.json | 139 ++ ...olicy_definition_es_Deploy-SQL-minTLS.json | 125 ++ ...nition_es_Deploy-Sql-AuditingSettings.json | 125 ++ 
...n_es_Deploy-Sql-SecurityAlertPolicies.json | 123 + .../policy_definition_es_Deploy-Sql-Tde.json | 125 ++ ...s_Deploy-Sql-vulnerabilityAssessments.json | 144 ++ ...Sql-vulnerabilityAssessments_20230706.json | 147 ++ ...icy_definition_es_Deploy-SqlMi-minTLS.json | 125 ++ ...tion_es_Deploy-Storage-sslEnforcement.json | 138 ++ ...cy_definition_es_Deploy-VNET-HubSpoke.json | 309 +++ ..._definition_es_Deploy-Vm-autoShutdown.json | 196 ++ ...finition_es_Deploy-Windows-DomainJoin.json | 261 +++ ...Audit-UnusedResourcesCostOptimization.json | 102 + ...dResourcesCostOptimization.parameters.json | 30 + ...efinition_es_Deny-PublicPaaSEndpoints.json | 483 ++++ ...s_Deny-PublicPaaSEndpoints.parameters.json | 142 ++ ...on_es_Deploy-Diagnostics-LogAnalytics.json | 1970 +++++++++++++++++ ...y-Diagnostics-LogAnalytics.parameters.json | 918 ++++++++ ..._set_definition_es_Deploy-MDFC-Config.json | 441 ++++ ...tion_es_Deploy-MDFC-Config.parameters.json | 143 ++ ...efinition_es_Deploy-Private-DNS-Zones.json | 1182 ++++++++++ ...s_Deploy-Private-DNS-Zones.parameters.json | 536 +++++ ...set_definition_es_Deploy-Sql-Security.json | 134 ++ ...ion_es_Deploy-Sql-Security.parameters.json | 36 + ...policy_set_definition_es_Enforce-ACSB.json | 92 + ...definition_es_Enforce-ACSB.parameters.json | 31 + ..._set_definition_es_Enforce-ALZ-Decomm.json | 51 + ...tion_es_Enforce-ALZ-Decomm.parameters.json | 12 + ...set_definition_es_Enforce-ALZ-Sandbox.json | 84 + ...ion_es_Enforce-ALZ-Sandbox.parameters.json | 19 + ..._definition_es_Enforce-EncryptTransit.json | 618 ++++++ ..._es_Enforce-EncryptTransit.parameters.json | 188 ++ ..._definition_es_Enforce-Encryption-CMK.json | 364 +++ ..._es_Enforce-Encryption-CMK.parameters.json | 107 + ...nition_es_Enforce-Guardrails-KeyVault.json | 257 +++ ...nforce-Guardrails-KeyVault.parameters.json | 70 + .../mc-customPolicyDefinitions.bicep | 1367 ++++++++++++ .../definitions/media/bicepVisualizer.png | Bin 0 -> 30349 bytes .../media/exampleDeploymentOutput.png 
| Bin 0 -> 251847 bytes ...ustomPolicyDefinitions.parameters.all.json | 12 + ...ustomPolicyDefinitions.parameters.min.json | 9 + .../samples/baseline.policy.sample.bicep | 24 + .../policy/samples/baseline.sample.bicep | 37 + .../baseline.policy.sample.bicep.md | 16 + .../generateddocs/baseline.sample.bicep.md | 16 + .../minimum.policy.sample.bicep.md | 16 + .../generateddocs/minimum.sample.bicep.md | 16 + .../samples/minimum.policy.sample.bicep | 20 + .../policy/samples/minimum.sample.bicep | 31 + .../modules/privateDnsZoneLinks/README.md | 62 + .../privateDnsZoneLinks.bicep.md | 42 + .../media/bicepVisualizer.png | Bin 0 -> 36255 bytes .../privateDnsZoneLinks.parameters.all.json | 12 + .../privateDnsZoneLinks.parameters.min.json | 12 + .../privateDnsZoneLinks.bicep | 20 + .../samples/baseline.sample.bicep | 30 + .../generateddocs/baseline.sample.bicep.md | 46 + .../bicep/modules/privateDnsZones/README.md | 174 ++ .../modules/privateDnsZones/bicepconfig.json | 124 ++ .../generateddocs/privateDnsZones.bicep.md | 166 ++ .../privateDnsZones/media/bicepVisualizer.png | Bin 0 -> 69089 bytes .../media/exampleDeploymentOutput.png | Bin 0 -> 164350 bytes .../mc-privateDnsZones.parameters.all.json | 56 + .../mc-privateDnsZones.parameters.min.json | 48 + .../privateDnsZones.parameters.all.json | 94 + .../privateDnsZones.parameters.min.json | 83 + .../privateDnsZones/privateDnsZones.bicep | 194 ++ .../samples/baseline.sample.bicep | 95 + .../generateddocs/baseline.sample.bicep.md | 34 + .../generateddocs/minimum.sample.bicep.md | 34 + .../samples/minimum.sample.bicep | 24 + .../bicep/modules/publicIp/README.md | 27 + .../publicIp/generateddocs/publicIp.bicep.md | 106 + .../publicIp/media/bicepVisualizer.png | Bin 0 -> 58595 bytes .../parameters/publicIp.parameters.all.json | 37 + .../parameters/publicIp.parameters.min.json | 26 + .../bicep/modules/publicIp/publicIp.bicep | 49 + .../publicIp/samples/baseline.sample.bicep | 38 + .../generateddocs/baseline.sample.bicep.md | 34 + 
.../generateddocs/minimum.sample.bicep.md | 34 + .../publicIp/samples/minimum.sample.bicep | 33 + .../bicep/modules/resourceGroup/README.md | 28 + .../generateddocs/resourceGroup.bicep.md | 73 + .../resourceGroup/media/bicepVisualizer.png | Bin 0 -> 11542 bytes .../resourceGroup.parameters.all.json | 20 + .../resourceGroup.parameters.min.json | 15 + .../modules/resourceGroup/resourceGroup.bicep | 33 + .../samples/baseline.sample.bicep | 30 + .../generateddocs/baseline.sample.bicep.md | 16 + .../generateddocs/minimum.sample.bicep.md | 16 + .../samples/minimum.sample.bicep | 29 + .../bicep/modules/roleAssignments/README.md | 185 ++ .../roleAssignmentManagementGroup.bicep.md | 80 + ...roleAssignmentManagementGroupMany.bicep.md | 78 + .../roleAssignmentResourceGroup.bicep.md | 80 + .../roleAssignmentResourceGroupMany.bicep.md | 78 + .../roleAssignmentSubscription.bicep.md | 80 + .../roleAssignmentSubscriptionMany.bicep.md | 78 + .../media/bicepVisualizerMg.png | Bin 0 -> 14280 bytes .../media/bicepVisualizerMgMany.png | Bin 0 -> 21575 bytes .../media/bicepVisualizerSub.png | Bin 0 -> 14280 bytes .../media/bicepVisualizerSubMany.png | Bin 0 -> 24789 bytes ...tGroup.managedIdentity.parameters.all.json | 21 + ...tGroup.managedIdentity.parameters.min.json | 18 + ...entGroup.securityGroup.parameters.all.json | 21 + ...entGroup.securityGroup.parameters.min.json | 18 + ...Group.servicePrincipal.parameters.all.json | 21 + ...Group.servicePrincipal.parameters.min.json | 18 + ...upMany.managedIdentity.parameters.all.json | 24 + ...upMany.managedIdentity.parameters.min.json | 24 + ...roupMany.securityGroup.parameters.all.json | 24 + ...roupMany.securityGroup.parameters.min.json | 24 + ...pMany.servicePrincipal.parameters.all.json | 24 + ...pMany.servicePrincipal.parameters.min.json | 24 + ...eGroup.managedIdentity.parameters.all.json | 21 + ...eGroup.managedIdentity.parameters.min.json | 18 + ...rceGroup.securityGroup.parameters.all.json | 21 + 
...rceGroup.securityGroup.parameters.min.json | 18 + ...Group.servicePrincipal.parameters.all.json | 21 + ...Group.servicePrincipal.parameters.min.json | 18 + ...upMany.managedIdentity.parameters.all.json | 24 + ...upMany.managedIdentity.parameters.min.json | 24 + ...roupMany.securityGroup.parameters.all.json | 24 + ...roupMany.securityGroup.parameters.min.json | 24 + ...pMany.servicePrincipal.parameters.all.json | 24 + ...pMany.servicePrincipal.parameters.min.json | 24 + ...iption.managedIdentity.parameters.all.json | 21 + ...iption.managedIdentity.parameters.min.json | 18 + ...cription.securityGroup.parameters.all.json | 21 + ...cription.securityGroup.parameters.min.json | 18 + ...ption.servicePrincipal.parameters.all.json | 21 + ...ption.servicePrincipal.parameters.min.json | 18 + ...onMany.managedIdentity.parameters.all.json | 24 + ...onMany.managedIdentity.parameters.min.json | 24 + ...tionMany.securityGroup.parameters.all.json | 24 + ...tionMany.securityGroup.parameters.min.json | 24 + ...nMany.servicePrincipal.parameters.all.json | 24 + ...nMany.servicePrincipal.parameters.min.json | 24 + .../roleAssignmentManagementGroup.bicep | 42 + .../roleAssignmentManagementGroupMany.bicep | 35 + .../roleAssignmentResourceGroup.bicep | 40 + .../roleAssignmentResourceGroupMany.bicep | 35 + .../roleAssignmentSubscription.bicep | 41 + .../roleAssignmentSubscriptionMany.bicep | 35 + .../samples/baseline.sample.bicep | 28 + .../generateddocs/baseline.sample.bicep.md | 16 + .../generateddocs/minimum.sample.bicep.md | 16 + .../samples/minimum.sample.bicep | 26 + .../bicep/modules/spokeNetworking/README.md | 160 ++ .../generateddocs/spokeNetworking.bicep.md | 143 ++ .../spokeNetworking/media/bicepVisualizer.png | Bin 0 -> 20766 bytes .../media/exampleDeploymentOutput.png | Bin 0 -> 7157 bytes .../spokeNetworking.parameters.all.json | 38 + .../spokeNetworking.parameters.min.json | 24 + .../samples/baseline.sample.bicep | 41 + .../generateddocs/baseline.sample.bicep.md | 34 + 
.../generateddocs/minimum.sample.bicep.md | 34 + .../samples/minimum.sample.bicep | 34 + .../spokeNetworking/spokeNetworking.bicep | 85 + .../modules/subscriptionPlacement/README.md | 80 + .../subscriptionPlacement.bicep.md | 56 + .../media/bicepVisualizer.png | Bin 0 -> 11321 bytes .../subscriptionPlacement.parameters.all.json | 17 + .../subscriptionPlacement.parameters.min.json | 17 + .../samples/baseline.sample.bicep | 28 + .../generateddocs/baseline.sample.bicep.md | 16 + .../generateddocs/minimum.sample.bicep.md | 16 + .../samples/minimum.sample.bicep | 27 + .../subscriptionPlacement.bicep | 28 + .../bicep/modules/vnetPeering/README.md | 149 ++ .../generateddocs/vnetPeering.bicep.md | 114 + .../vnetPeering/media/bicepVisualizer.png | Bin 0 -> 15193 bytes .../media/exampleDeploymentOutput.png | Bin 0 -> 45121 bytes .../vnetPeering.parameters.all.json | 30 + .../vnetPeering.parameters.min.json | 30 + .../vnetPeering/samples/baseline.sample.bicep | 30 + .../generateddocs/baseline.sample.bicep.md | 16 + .../generateddocs/minimum.sample.bicep.md | 16 + .../vnetPeering/samples/minimum.sample.bicep | 25 + .../modules/vnetPeering/vnetPeering.bicep | 49 + .../bicep/modules/vnetPeeringVwan/README.md | 109 + .../hubVirtualNetworkConnection.bicep.md | 85 + .../generateddocs/vnetPeeringVwan.bicep.md | 97 + .../hubVirtualNetworkConnection.bicep | 36 + .../vnetPeeringVwan/media/bicepVisualizer.png | Bin 0 -> 13951 bytes .../media/exampleDeploymentOutput.png | Bin 0 -> 94947 bytes .../vnetPeeringVwan.parameters.all.json | 24 + .../vnetPeeringVwan.parameters.min.json | 15 + .../samples/baseline.sample.bicep | 25 + .../generateddocs/baseline.sample.bicep.md | 16 + .../generateddocs/minimum.sample.bicep.md | 16 + .../samples/minimum.sample.bicep | 24 + .../vnetPeeringVwan/vnetPeeringVwan.bicep | 55 + .../bicep/modules/vwanConnectivity/README.md | 172 ++ .../modules/vwanConnectivity/bicepconfig.json | 124 ++ .../generateddocs/vwanConnectivity.bicep.md | 409 ++++ 
.../media/bicepVisualizer.png | Bin 0 -> 92614 bytes .../media/exampleDeploymentOutput.png | Bin 0 -> 76075 bytes .../exampleDeploymentOutputConnectivity.png | Bin 0 -> 48397 bytes .../media/mc-exampleDeploymentOutput.png | Bin 0 -> 26778 bytes ...mc-exampleDeploymentOutputConnectivity.png | Bin 0 -> 14414 bytes .../mc-vwanConnectivity.parameters.all.json | 118 + .../mc-vwanConnectivity.parameters.min.json | 89 + .../vwanConnectivity.parameters.all.json | 156 ++ .../vwanConnectivity.parameters.min.json | 53 + .../samples/baseline.sample.bicep | 133 ++ .../generateddocs/baseline.sample.bicep.md | 34 + .../generateddocs/minimum.sample.bicep.md | 34 + .../samples/minimum.sample.bicep | 29 + .../vwanConnectivity/vwanConnectivity.bicep | 372 ++++ .../orchestration/hubPeeredSpoke/README.md | 110 + .../generateddocs/hubPeeredSpoke.bicep.md | 275 +++ .../hubPeeredSpoke/hubPeeredSpoke.bicep | 224 ++ .../hubPeeredSpoke/media/bicepVisualizer.png | Bin 0 -> 85906 bytes .../hubPeeredSpoke.parameters.all.json | 71 + .../hubPeeredSpoke.vwan.parameters.all.json | 68 + .../orchestration/mgDiagSettingsAll/README.md | 138 ++ .../generateddocs/mgDiagSettingsAll.bicep.md | 124 ++ .../media/bicepVisualizer.png | Bin 0 -> 31438 bytes .../mgDiagSettingsAll/mgDiagSettingsAll.bicep | 137 ++ .../mgDiagSettingsAll.parameters.all.json | 33 + .../mgDiagSettingsAll.parameters.min.json | 15 + .../orchestration/subPlacementAll/README.md | 166 ++ .../generateddocs/subPlacementAll.bicep.md | 198 ++ .../subPlacementAll/media/bicepVisualizer.png | Bin 0 -> 199477 bytes .../subPlacementAll.parameters.all.json | 57 + .../subPlacementAll.parameters.min.json | 33 + .../subPlacementAll/subPlacementAll.bicep | 245 ++ .../scripts/Get-AlzBicepResourceTypes.ps1 | 32 + .../scripts/Invoke-GitHubReleaseFetcher.ps1 | 206 ++ .../scripts/Invoke-LibraryUpdate-China.ps1 | 122 + dependencies/scripts/Invoke-LibraryUpdate.ps1 | 123 + .../scripts/Invoke-PolicyToBicep-China.ps1 | 293 +++ 
dependencies/scripts/Invoke-PolicyToBicep.ps1 | 263 +++ .../Set-AlzDefaultPolicyAssignment.ps1 | 33 + .../scripts/Update-ProviderApiVersionsZip.ps1 | 30 + docs/01-Overview.md | 27 + docs/02-Architecture.md | 24 + docs/03-Deployment-Overview.md | 21 + docs/04-Repository-Setup.md | 31 + docs/05-Permissions-Tooling.md | 81 + docs/06-Upgrade-Existing-SLZ-Preview.md | 67 + docs/07-Deployment-Parameters.md | 66 + docs/08-Deploy-SLZ-Preview.md | 22 + docs/09-Customize-Policies.md | 15 + docs/10-Compliance-Dashboard.md | 37 + docs/11-Conclusion.md | 11 + docs/12-FAQ.md | 224 ++ docs/13-Troubleshooting.md | 61 + docs/PREVIEW.md | 3 + docs/images/LightHouseTenantID.png | Bin 0 -> 153554 bytes docs/images/LighthouseSubscriptionID.png | Bin 0 -> 106953 bytes docs/images/Upgrade-ComplianceDetails.png | Bin 0 -> 121404 bytes docs/images/Upgrade-ManagementGroup.png | Bin 0 -> 90281 bytes docs/images/Upgrade-ManagementGroupDetail.png | Bin 0 -> 118234 bytes .../images/Upgrade-PolicyAssignmentDelete.png | Bin 0 -> 133391 bytes .../images/Upgrade-PolicyAssignmentFilter.png | Bin 0 -> 127821 bytes docs/images/Upgrade-PolicyAssignmentScope.png | Bin 0 -> 139713 bytes .../images/Upgrade-PolicyAssignmentsBlade.png | Bin 0 -> 86345 bytes .../images/Upgrade-PolicyDefinitionFilter.png | Bin 0 -> 167918 bytes .../Upgrade-PolicyDefinitionFilterDelete.png | Bin 0 -> 162671 bytes docs/images/Upgrade-PolicyDefinitionList.png | Bin 0 -> 172023 bytes docs/images/ViewDeploymentStep.png | Bin 0 -> 50859 bytes docs/images/ViewErrorFromLog.png | Bin 0 -> 67716 bytes docs/images/access-permissions.png | Bin 0 -> 124752 bytes docs/images/accessmanagementpermissions.png | Bin 0 -> 115296 bytes .../alz-update-initiative-with-builtin-01.png | Bin 0 -> 40974 bytes .../alz-update-initiative-with-builtin-04.png | Bin 0 -> 43624 bytes docs/images/custom-policies-folder.png | Bin 0 -> 54812 bytes docs/images/deployerror-vscode.png | Bin 0 -> 60836 bytes docs/images/downloadzipofrepo.png | Bin 0 -> 196713 bytes 
docs/images/empty-custom-policies.png | Bin 0 -> 156309 bytes docs/images/forkgithubrepo.png | Bin 0 -> 190526 bytes docs/images/github_compliance-dashboard.png | Bin 0 -> 602025 bytes docs/images/parBillingAccountID.png | Bin 0 -> 113096 bytes docs/images/parEnrollmentID.png | Bin 0 -> 90467 bytes docs/images/sovereign-scale-architecture.png | Bin 0 -> 517846 bytes docs/scenarios/Custom-Policies.md | 43 + .../Expanding-SLZ-ManagementGroups.md | 21 + .../Extending-Compliance-Dashboard.md | 21 + docs/scenarios/Landing-Zone-Vending.md | 55 + docs/scenarios/Piloting-SLZ.md | 27 + docs/scenarios/Pipeline-Deployments.md | 59 + docs/scenarios/README.md | 13 + docs/scenarios/Removing-Policy-Assignments.md | 66 + docs/scenarios/Sovereignty-Policy-Baseline.md | 54 + .../scenarios/Using-Existing-Subscriptions.md | 22 + docs/scenarios/Using-Policy-Portfolio.md | 7 + .../.bicep/nested_roleAssignments.bicep | 72 + .../userAssignedIdentities/deploy.bicep | 87 + .../userAssignedIdentities/readme.md | 212 ++ modules/compliance/customCompliance.bicep | 425 ++++ .../customerPolicySetAssignments.bicep | 57 + modules/compliance/defaultCompliance.bicep | 500 +++++ ...deploy_slz_confidential_defaults.tmpl.json | 274 +++ ...deploy_slz_connectivity_defaults.tmpl.json | 18 + ...ignment_deploy_slz_corp_defaults.tmpl.json | 18 + ...ploy_slz_decommissioned_defaults.tmpl.json | 18 + ...ent_deploy_slz_identity_defaults.tmpl.json | 18 + ...eploy_slz_landing_zones_defaults.tmpl.json | 18 + ...t_deploy_slz_management_defaults.tmpl.json | 18 + ...nment_deploy_slz_online_defaults.tmpl.json | 18 + ...ent_deploy_slz_platform_defaults.tmpl.json | 18 + ...ment_deploy_slz_sandbox_defaults.tmpl.json | 18 + ...nmnet_deploy_slz_global_defaults.tmpl.json | 22 + modules/compliance/policyExemptions.bicep | 55 + modules/compliance/policyRemediation.bicep | 42 + .../slzConfidentialDefaults.json | 309 +++ .../slzConnectivityDefaults.json | 17 + .../policySetDefinitions/slzCorpDefaults.json | 17 + 
.../slzDecommissionedDefaults.json | 17 + .../slzGlobalDefaults.json | 151 ++ .../slzIdentityDefaults.json | 17 + .../slzLandingZoneDefaults.json | 17 + .../slzManagementDefaults.json | 17 + .../slzOnlineDefaults.json | 17 + .../slzPlatformDefaults.json | 17 + .../slzSandboxDefaults.json | 17 + .../customRoles/customRoleAssignment.bicep | 37 + .../customRoles/customRoleDefinition.bicep | 42 + modules/dashboard/dashboard.bicep | 942 ++++++++ .../templates/complianceByPolicyGroup.csl | 16 + ...oreForConfidentialComputingPolicyGroup.csl | 13 + .../complianceScoreForStoragePolicyGroup.csl | 13 + ...complianceScoreForTransportPolicyGroup.csl | 13 + .../compliancebyPolicyInitiative.csl | 11 + .../templates/compliancebySubscription.csl | 18 + .../templates/confidentialityScore.csl | 14 + .../templates/dataResidencyScore.csl | 13 + ...fResourcesExemptOfConfidentialPolicies.csl | 15 + .../templates/listofNonCompliantResources.csl | 23 + ...tofResourcesExemptofDataResidentPolicy.csl | 15 + .../listofResourcesOutsideofSafeRegion.csl | 12 + modules/dashboard/templates/markdownPart.md | 18 + .../templates/resourceComplianceScore.csl | 17 + .../resourcesOutsideofSafeRegion.csl | 13 + .../templates/resourcesbyComplianceState.csl | 6 + .../connectivityResourceGroups.bicep | 47 + .../dashboardResourceGroups.bicep | 34 + .../identityResourceGroups.bicep | 36 + .../managementResourceGroups.bicep | 36 + modules/util/Get-FailedDeploymentDetails.ps1 | 69 + modules/util/delete-lock.bicep | 15 + modules/util/deployment-script.bicep | 52 + modules/util/wait-on-arm-subscription.bicep | 15 + modules/util/wait-on-arm.bicep | 13 + modules/util/wait-subscription.bicep | 28 + modules/util/wait.bicep | 25 + orchestration/bootstrap/bootstrap.bicep | 120 + orchestration/const/doNotRetryErrorCodes.json | 29 + .../customCompliance/customCompliance.bicep | 63 + orchestration/dashboard/dashboard.bicep | 144 ++ .../defaultCompliance/defaultCompliance.bicep | 123 + 
.../moveSubscription/moveSubscription.bicep | 64 + .../policyExemption/policyExemption.bicep | 51 + .../alz-DefaultPolicySetDefinitions.txt | 1174 ++++++++++ .../policyInstallation.bicep | 138 ++ .../slz-DefaultandCustomPolicyDefinitions.txt | 446 ++++ ...andCustomSLZGlobalPolicySetDefinitions.txt | 55 + ...efaultandCustomSLZPolicySetDefinitions.txt | 143 ++ .../policyRemediation/policyRemediation.bicep | 39 + ...firm-SovereignLandingZonePrerequisites.ps1 | 220 ++ orchestration/scripts/Invoke-Helper.ps1 | 920 ++++++++ ...nvoke-SlzDefaultandCustomPolicyToBicep.ps1 | 693 ++++++ orchestration/scripts/New-Bootstrap.ps1 | 116 + orchestration/scripts/New-Compliance.ps1 | 619 ++++++ orchestration/scripts/New-Dashboard.ps1 | 115 + orchestration/scripts/New-Platform.ps1 | 164 ++ orchestration/scripts/New-PolicyExemption.ps1 | 120 + .../scripts/New-PolicyRemediation.ps1 | 159 ++ .../scripts/New-SovereignLandingZone.ps1 | 138 ++ .../sovereignLandingZone.parameters.json | 494 +++++ .../sovereignPlatform/sovereignPlatform.bicep | 454 ++++ 856 files changed, 89170 insertions(+), 437 deletions(-) create mode 100644 .github/ISSUE_TEMPLATE/bug_report.md create mode 100644 .github/ISSUE_TEMPLATE/feature_request.md create mode 100644 .github/PULL_REQUEST_TEMPLATE.md create mode 100644 bicepconfig.json create mode 100644 custom/dashboard/compliance/tiles-sample.json create mode 100644 custom/dashboard/compliance/tiles.json create mode 100644 custom/policies/assignments/policy_assignment_deploy_slz_confidential_custom.tmpl.json create mode 100644 custom/policies/assignments/policy_assignment_deploy_slz_connectivity_custom.tmpl.json create mode 100644 custom/policies/assignments/policy_assignment_deploy_slz_corp_custom.tmpl.json create mode 100644 custom/policies/assignments/policy_assignment_deploy_slz_decommissioned_custom.tmpl.json create mode 100644 custom/policies/assignments/policy_assignment_deploy_slz_global_custom.tmpl.json create mode 100644 
custom/policies/assignments/policy_assignment_deploy_slz_identity_custom.tmpl.json create mode 100644 custom/policies/assignments/policy_assignment_deploy_slz_landing_zones_custom.tmpl.json create mode 100644 custom/policies/assignments/policy_assignment_deploy_slz_management_custom.tmpl.json create mode 100644 custom/policies/assignments/policy_assignment_deploy_slz_online_custom.tmpl.json create mode 100644 custom/policies/assignments/policy_assignment_deploy_slz_platform_custom.tmpl.json create mode 100644 custom/policies/assignments/policy_assignment_deploy_slz_sandbox_custom.tmpl.json create mode 100644 custom/policies/definitions/slzConfidentialCustom.json create mode 100644 custom/policies/definitions/slzConnectivityCustom.json create mode 100644 custom/policies/definitions/slzCorpCustom.json create mode 100644 custom/policies/definitions/slzDecommissionedCustom.json create mode 100644 custom/policies/definitions/slzGlobalCustom.json create mode 100644 custom/policies/definitions/slzIdentityCustom.json create mode 100644 custom/policies/definitions/slzLandingZoneCustom.json create mode 100644 custom/policies/definitions/slzManagementCustom.json create mode 100644 custom/policies/definitions/slzOnlineCustom.json create mode 100644 custom/policies/definitions/slzPlatformCustom.json create mode 100644 custom/policies/definitions/slzSandboxCustom.json create mode 100644 dependencies/Alz.Tools/Alz.Classes/Alz.Classes.psd1 create mode 100644 dependencies/Alz.Tools/Alz.Classes/Alz.Classes.psm1 create mode 100644 dependencies/Alz.Tools/Alz.Enums/Alz.Enums.psd1 create mode 100644 dependencies/Alz.Tools/Alz.Enums/Alz.Enums.psm1 create mode 100644 dependencies/Alz.Tools/Alz.Tools.psd1 create mode 100644 dependencies/Alz.Tools/Alz.Tools.psm1 create mode 100644 dependencies/Alz.Tools/ProviderApiVersions.zip create mode 100644 dependencies/Alz.Tools/functions/Alz.Tools.ps1 create mode 100644 dependencies/Alz.Tools/scripts/Update-ProviderApiVersionsZip.ps1 create mode 
100644 dependencies/infra-as-code/bicep/CRML/README.md create mode 100644 dependencies/infra-as-code/bicep/CRML/containerRegistry/README.md create mode 100644 dependencies/infra-as-code/bicep/CRML/containerRegistry/containerRegistry.bicep create mode 100644 dependencies/infra-as-code/bicep/CRML/containerRegistry/generateddocs/containerRegistry.bicep.md create mode 100644 dependencies/infra-as-code/bicep/CRML/containerRegistry/media/bicepVisualizer.png create mode 100644 dependencies/infra-as-code/bicep/CRML/containerRegistry/parameters/containerRegistry.parameters.all.json create mode 100644 dependencies/infra-as-code/bicep/CRML/customerUsageAttribution/README.md create mode 100644 dependencies/infra-as-code/bicep/CRML/customerUsageAttribution/cuaIdManagementGroup.bicep create mode 100644 dependencies/infra-as-code/bicep/CRML/customerUsageAttribution/cuaIdResourceGroup.bicep create mode 100644 dependencies/infra-as-code/bicep/CRML/customerUsageAttribution/cuaIdSubscription.bicep create mode 100644 dependencies/infra-as-code/bicep/CRML/customerUsageAttribution/cuaIdTenant.bicep create mode 100644 dependencies/infra-as-code/bicep/CRML/customerUsageAttribution/generateddocs/cuaIdManagementGroup.bicep.md create mode 100644 dependencies/infra-as-code/bicep/CRML/customerUsageAttribution/generateddocs/cuaIdResourceGroup.bicep.md create mode 100644 dependencies/infra-as-code/bicep/CRML/customerUsageAttribution/generateddocs/cuaIdSubscription.bicep.md create mode 100644 dependencies/infra-as-code/bicep/CRML/customerUsageAttribution/generateddocs/cuaIdTenant.bicep.md create mode 100644 dependencies/infra-as-code/bicep/CRML/subscriptionAlias/README.md create mode 100644 dependencies/infra-as-code/bicep/CRML/subscriptionAlias/generateddocs/subscriptionAlias.bicep.md create mode 100644 dependencies/infra-as-code/bicep/CRML/subscriptionAlias/media/bicepVisualizer.png create mode 100644 dependencies/infra-as-code/bicep/CRML/subscriptionAlias/media/exampleDeploymentOutput.png 
create mode 100644 dependencies/infra-as-code/bicep/CRML/subscriptionAlias/parameters/subscriptionAlias.parameters.all.json create mode 100644 dependencies/infra-as-code/bicep/CRML/subscriptionAlias/parameters/subscriptionAlias.parameters.min.json create mode 100644 dependencies/infra-as-code/bicep/CRML/subscriptionAlias/subscriptionAlias.bicep create mode 100644 dependencies/infra-as-code/bicep/bicepconfig.json create mode 100644 dependencies/infra-as-code/bicep/modules/README.md create mode 100644 dependencies/infra-as-code/bicep/modules/customRoleDefinitions/README.md create mode 100644 dependencies/infra-as-code/bicep/modules/customRoleDefinitions/customRoleDefinitions.bicep create mode 100644 dependencies/infra-as-code/bicep/modules/customRoleDefinitions/definitions/cafApplicationOwnerRole.bicep create mode 100644 dependencies/infra-as-code/bicep/modules/customRoleDefinitions/definitions/cafNetworkManagementRole.bicep create mode 100644 dependencies/infra-as-code/bicep/modules/customRoleDefinitions/definitions/cafSecurityOperationsRole.bicep create mode 100644 dependencies/infra-as-code/bicep/modules/customRoleDefinitions/definitions/cafSubscriptionOwnerRole.bicep create mode 100644 dependencies/infra-as-code/bicep/modules/customRoleDefinitions/definitions/china/generateddocs/mc-cafNetworkManagementRole.bicep.md create mode 100644 dependencies/infra-as-code/bicep/modules/customRoleDefinitions/definitions/china/generateddocs/mc-cafSecurityOperationsRole.bicep.md create mode 100644 dependencies/infra-as-code/bicep/modules/customRoleDefinitions/definitions/china/mc-cafNetworkManagementRole.bicep create mode 100644 dependencies/infra-as-code/bicep/modules/customRoleDefinitions/definitions/china/mc-cafSecurityOperationsRole.bicep create mode 100644 dependencies/infra-as-code/bicep/modules/customRoleDefinitions/definitions/generateddocs/cafApplicationOwnerRole.bicep.md create mode 100644 
dependencies/infra-as-code/bicep/modules/customRoleDefinitions/definitions/generateddocs/cafNetworkManagementRole.bicep.md create mode 100644 dependencies/infra-as-code/bicep/modules/customRoleDefinitions/definitions/generateddocs/cafSecurityOperationsRole.bicep.md create mode 100644 dependencies/infra-as-code/bicep/modules/customRoleDefinitions/definitions/generateddocs/cafSubscriptionOwnerRole.bicep.md create mode 100644 dependencies/infra-as-code/bicep/modules/customRoleDefinitions/generateddocs/customRoleDefinitions.bicep.md create mode 100644 dependencies/infra-as-code/bicep/modules/customRoleDefinitions/generateddocs/mc-customRoleDefinitions.bicep.md create mode 100644 dependencies/infra-as-code/bicep/modules/customRoleDefinitions/mc-customRoleDefinitions.bicep create mode 100644 dependencies/infra-as-code/bicep/modules/customRoleDefinitions/media/bicepVisualizer.png create mode 100644 dependencies/infra-as-code/bicep/modules/customRoleDefinitions/media/exampleDeploymentOutput.png create mode 100644 dependencies/infra-as-code/bicep/modules/customRoleDefinitions/parameters/customRoleDefinitions.parameters.all.json create mode 100644 dependencies/infra-as-code/bicep/modules/customRoleDefinitions/parameters/customRoleDefinitions.parameters.min.json create mode 100644 dependencies/infra-as-code/bicep/modules/customRoleDefinitions/samples/baseline.sample.bicep create mode 100644 dependencies/infra-as-code/bicep/modules/customRoleDefinitions/samples/generateddocs/baseline.sample.bicep.md create mode 100644 dependencies/infra-as-code/bicep/modules/customRoleDefinitions/samples/generateddocs/minimum.sample.bicep.md create mode 100644 dependencies/infra-as-code/bicep/modules/customRoleDefinitions/samples/minimum.sample.bicep create mode 100644 dependencies/infra-as-code/bicep/modules/hubNetworking/README.md create mode 100644 dependencies/infra-as-code/bicep/modules/hubNetworking/bicepconfig.json create mode 100644 
dependencies/infra-as-code/bicep/modules/hubNetworking/generateddocs/hubNetworking.bicep.md create mode 100644 dependencies/infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep create mode 100644 dependencies/infra-as-code/bicep/modules/hubNetworking/media/bicepVisualizer.png create mode 100644 dependencies/infra-as-code/bicep/modules/hubNetworking/media/exampleDeploymentOutput.png create mode 100644 dependencies/infra-as-code/bicep/modules/hubNetworking/media/mc-exampleDeploymentOutput.png create mode 100644 dependencies/infra-as-code/bicep/modules/hubNetworking/parameters/hubNetworking.parameters.all.json create mode 100644 dependencies/infra-as-code/bicep/modules/hubNetworking/parameters/hubNetworking.parameters.min.json create mode 100644 dependencies/infra-as-code/bicep/modules/hubNetworking/parameters/mc-hubNetworking.parameters.all.json create mode 100644 dependencies/infra-as-code/bicep/modules/hubNetworking/parameters/mc-hubNetworking.parameters.min.json create mode 100644 dependencies/infra-as-code/bicep/modules/hubNetworking/samples/baseline.sample.bicep create mode 100644 dependencies/infra-as-code/bicep/modules/hubNetworking/samples/generateddocs/baseline.sample.bicep.md create mode 100644 dependencies/infra-as-code/bicep/modules/hubNetworking/samples/generateddocs/minimum.sample.bicep.md create mode 100644 dependencies/infra-as-code/bicep/modules/hubNetworking/samples/minimum.sample.bicep create mode 100644 dependencies/infra-as-code/bicep/modules/logging/README.md create mode 100644 dependencies/infra-as-code/bicep/modules/logging/generateddocs/logging.bicep.md create mode 100644 dependencies/infra-as-code/bicep/modules/logging/logging.bicep create mode 100644 dependencies/infra-as-code/bicep/modules/logging/media/bicepVisualizer.png create mode 100644 dependencies/infra-as-code/bicep/modules/logging/parameters/logging.parameters.all.json create mode 100644 
dependencies/infra-as-code/bicep/modules/logging/parameters/logging.parameters.min.json create mode 100644 dependencies/infra-as-code/bicep/modules/logging/parameters/mc-logging.parameters.all.json create mode 100644 dependencies/infra-as-code/bicep/modules/logging/parameters/mc-logging.parameters.min.json create mode 100644 dependencies/infra-as-code/bicep/modules/logging/samples/baseline.sample.bicep create mode 100644 dependencies/infra-as-code/bicep/modules/logging/samples/generateddocs/baseline.sample.bicep.md create mode 100644 dependencies/infra-as-code/bicep/modules/logging/samples/generateddocs/minimum.sample.bicep.md create mode 100644 dependencies/infra-as-code/bicep/modules/logging/samples/minimum.sample.bicep create mode 100644 dependencies/infra-as-code/bicep/modules/managementGroups/README.md create mode 100644 dependencies/infra-as-code/bicep/modules/managementGroups/generateddocs/managementGroups.bicep.md create mode 100644 dependencies/infra-as-code/bicep/modules/managementGroups/managementGroups.bicep create mode 100644 dependencies/infra-as-code/bicep/modules/managementGroups/media/bicepVisualizer.png create mode 100644 dependencies/infra-as-code/bicep/modules/managementGroups/media/exampleDeploymentOutput.png create mode 100644 dependencies/infra-as-code/bicep/modules/managementGroups/parameters/managementGroups.parameters.all.json create mode 100644 dependencies/infra-as-code/bicep/modules/managementGroups/parameters/managementGroups.parameters.min.json create mode 100644 dependencies/infra-as-code/bicep/modules/managementGroups/samples/baseline.sample.bicep create mode 100644 dependencies/infra-as-code/bicep/modules/managementGroups/samples/generateddocs/baseline.sample.bicep.md create mode 100644 dependencies/infra-as-code/bicep/modules/managementGroups/samples/generateddocs/minimum.sample.bicep.md create mode 100644 dependencies/infra-as-code/bicep/modules/managementGroups/samples/minimum.sample.bicep create mode 100644 
dependencies/infra-as-code/bicep/modules/mgDiagSettings/README.md create mode 100644 dependencies/infra-as-code/bicep/modules/mgDiagSettings/generateddocs/mgDiagSettings.bicep.md create mode 100644 dependencies/infra-as-code/bicep/modules/mgDiagSettings/media/bicepVisualizer.png create mode 100644 dependencies/infra-as-code/bicep/modules/mgDiagSettings/mgDiagSettings.bicep create mode 100644 dependencies/infra-as-code/bicep/modules/mgDiagSettings/parameters/mgDiagSettings.parameters.all.json create mode 100644 dependencies/infra-as-code/bicep/modules/mgDiagSettings/parameters/mgDiagSettings.parameters.min.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/assignments/README.md create mode 100644 dependencies/infra-as-code/bicep/modules/policy/assignments/alzDefaults/README.md create mode 100644 dependencies/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep create mode 100644 dependencies/infra-as-code/bicep/modules/policy/assignments/alzDefaults/bicepconfig.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md create mode 100644 dependencies/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/mc-alzDefaultPolicyAssignments.bicep.md create mode 100644 dependencies/infra-as-code/bicep/modules/policy/assignments/alzDefaults/mc-alzDefaultPolicyAssignments.bicep create mode 100644 dependencies/infra-as-code/bicep/modules/policy/assignments/alzDefaults/media/bicepVisualizer.png create mode 100644 dependencies/infra-as-code/bicep/modules/policy/assignments/alzDefaults/parameters/alzDefaultPolicyAssignments.parameters.all.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/assignments/alzDefaults/parameters/alzDefaultPolicyAssignments.parameters.min.json create mode 100644 
dependencies/infra-as-code/bicep/modules/policy/assignments/generateddocs/policyAssignmentManagementGroup.bicep.md create mode 100644 dependencies/infra-as-code/bicep/modules/policy/assignments/lib/README.md create mode 100644 dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/_mc_policyAssignmentsBicepInput.txt create mode 100644 dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_appgw_without_waf.tmpl.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_http_ingress_aks.tmpl.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_ip_forwarding.tmpl.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_priv_containers_aks.tmpl.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_priv_escalation_aks.tmpl.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_public_endpoints.tmpl.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_public_ip.tmpl.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_rdp_from_internet.tmpl.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_resource_locations.tmpl.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_resource_types.tmpl.json create mode 100644 
dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_rsg_locations.tmpl.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_storage_http.tmpl.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_subnet_without_nsg.tmpl.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_subnet_without_udr.tmpl.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_aks_policy.tmpl.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_asc_monitoring.tmpl.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_log_analytics.tmpl.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_lx_arc_monitoring.tmpl.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_mdfc_config.tmpl.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_private_dns_zones.tmpl.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_resource_diag.tmpl.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_sql_db_auditing.tmpl.json create mode 100644 
dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_sql_security.tmpl.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_sql_threat.tmpl.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_vm_backup.tmpl.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_vm_monitoring.tmpl.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_vmss_monitoring.tmpl.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_ws_arc_monitoring.tmpl.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_enable_ddos_vnet.tmpl.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_enforce_tls_ssl.tmpl.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_audit_appgw_waf.tmpl.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_audit_pednszones.tmpl.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_audit_unusedresources.tmpl.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_appgw_without_waf.tmpl.json create mode 100644 
dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_classic-resources.tmpl.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_databricks_public_ip.tmpl.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_databricks_sku.tmpl.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_databricks_vnet.tmpl.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_http_ingress_aks.tmpl.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_hybridnetworking.tmpl.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_ip_forwarding.tmpl.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_mgmtports_internet.tmpl.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_priv_containers_aks.tmpl.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_priv_escalation_aks.tmpl.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_public_endpoints.tmpl.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_public_ip.tmpl.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_public_ip_on_nic.tmpl.json 
create mode 100644 dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_rdp_from_internet.tmpl.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_resource_locations.tmpl.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_resource_types.tmpl.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_rsg_locations.tmpl.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_storage_http.tmpl.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_subnet_without_nsg.tmpl.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_subnet_without_udr.tmpl.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_unmanageddisk.tmpl.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_aks_policy.tmpl.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_asc_monitoring.tmpl.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_azactivity_log.tmpl.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_azsql_db_auditing.tmpl.json create mode 100644 
dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_log_analytics.tmpl.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_lx_arc_monitoring.tmpl.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_mdeendpoints.tmpl.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_mdfc_config.tmpl.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_mdfc_ossdb.tmpl.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_mdfc_sqlatp.tmpl.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_private_dns_zones.tmpl.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_resource_diag.tmpl.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_sql_db_auditing.tmpl.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_sql_security.tmpl.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_sql_tde.tmpl.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_sql_threat.tmpl.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vm_backup.tmpl.json create mode 100644 
dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vm_monitoring.tmpl.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vmss_monitoring.tmpl.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_ws_arc_monitoring.tmpl.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_enable_ddos_vnet.tmpl.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_acsb.tmpl.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_alz_decomm.tmpl.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_alz_sandbox.tmpl.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_gr_keyvault.tmpl.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_tls_ssl.tmpl.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/assignments/media/bicepVisualizer.png create mode 100644 dependencies/infra-as-code/bicep/modules/policy/assignments/parameters/mc-policyAssignmentManagementGroup.dine.parameters.all.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/assignments/parameters/mc-policyAssignmentManagementGroup.dine.parameters.min.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/assignments/parameters/policyAssignmentManagementGroup.deny.parameters.all.json create mode 100644 
dependencies/infra-as-code/bicep/modules/policy/assignments/parameters/policyAssignmentManagementGroup.deny.parameters.min.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/assignments/parameters/policyAssignmentManagementGroup.dine.parameters.all.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/assignments/parameters/policyAssignmentManagementGroup.dine.parameters.min.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/assignments/policyAssignmentManagementGroup.bicep create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/README.md create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/customPolicyDefinitions.bicep create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/generateddocs/customPolicyDefinitions.bicep.md create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/generateddocs/mc-customPolicyDefinitions.bicep.md create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/_mc_policyDefinitionsBicepInput.txt create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Append-AppService-httpsonly.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Append-AppService-latestTLS.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Append-KV-SoftDelete.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Append-Redis-disableNonSslPort.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Append-Redis-sslEnforcement.json create mode 100644 
dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Audit-MachineLearning-PrivateEndpointId.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-AA-child-resources.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-AFSPaasPublicIP.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-AppGW-Without-WAF.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-AppServiceApiApp-http.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-AppServiceFunctionApp-http.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-AppServiceWebApp-http.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-Databricks-NoPublicIp.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-Databricks-Sku.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-Databricks-VirtualNetwork.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-KeyVaultPaasPublicIP.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-MachineLearning-Aks.json create mode 100644 
dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-MachineLearning-Compute-SubnetId.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-MachineLearning-Compute-VmSize.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-MachineLearning-ComputeCluster-RemoteLoginPortPublicAccess.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-MachineLearning-ComputeCluster-Scale.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-MachineLearning-HbiWorkspace.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-MachineLearning-PublicAccessWhenBehindVnet.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-MachineLearning-PublicNetworkAccess.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-MySql-http.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-PostgreSql-http.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-Private-DNS-Zones.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-PublicEndpoint-MariaDB.json create mode 100644 
dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-PublicIP.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-RDP-From-Internet.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-Redis-http.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-Sql-minTLS.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-SqlMi-minTLS.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-Storage-minTLS.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-Subnet-Without-Nsg.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-Subnet-Without-Udr.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-VNET-Peer-Cross-Sub.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-VNET-Peering-To-Non-Approved-VNETs.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-VNet-Peering.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-ASC-SecurityContacts.json create mode 100644 
dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-ActivityLogs-to-LA-workspace.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Budget.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Custom-Route-Table.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-DDoSProtection.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Default-Udr.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-AA.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-ACI.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-ACR.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-APIMgmt.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-AVDScalingPlans.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-AnalysisService.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-ApiForFHIR.json create mode 100644 
dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-ApplicationGateway.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-Bastion.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-CDNEndpoints.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-CognitiveServices.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-CosmosDB.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-DLAnalytics.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-DataExplorerCluster.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-DataFactory.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-Databricks.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-EventGridSub.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-EventGridSystemTopic.json create mode 100644 
dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-EventGridTopic.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-ExpressRoute.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-Firewall.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-FrontDoor.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-Function.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-HDInsight.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-LoadBalancer.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-LogicAppsISE.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-MariaDB.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-MediaService.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-MlWorkspace.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-MySQL.json create mode 
100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-NIC.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-NetworkSecurityGroups.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-PostgreSQL.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-PowerBIEmbedded.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-RedisCache.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-Relay.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-SQLElasticPools.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-SQLMI.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-SignalR.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-TimeSeriesInsights.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-TrafficManager.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-VM.json 
create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-VMSS.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-VNetGW.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-VirtualNetwork.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-WVDAppGroup.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-WVDHostPools.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-WVDWorkspace.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-WebServerFarm.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-Website.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-iotHub.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-FirewallPolicy.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-MySQL-sslEnforcement.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-MySQLCMKEffect.json create mode 100644 
dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Nsg-FlowLogs-to-LA.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Nsg-FlowLogs.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-PostgreSQL-sslEnforcement.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-PostgreSQLCMKEffect.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Private-DNS-Azure-File-Sync.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Private-DNS-Azure-KeyVault.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Private-DNS-Azure-Web.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-SQL-minTLS.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Sql-AuditingSettings.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Sql-SecurityAlertPolicies.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Sql-Tde.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Sql-vulnerabilityAssessments.json create mode 100644 
dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-SqlMi-minTLS.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Storage-sslEnforcement.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-VNET-HubSpoke.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Windows-DomainJoin.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/_mc_policySetDefinitionsBicepInput.txt create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/policy_set_definition_es_mc_Deny-PublicPaaSEndpoints.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/policy_set_definition_es_mc_Deny-PublicPaaSEndpoints.parameters.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/policy_set_definition_es_mc_Deploy-Diagnostics-LogAnalytics.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/policy_set_definition_es_mc_Deploy-Diagnostics-LogAnalytics.parameters.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/policy_set_definition_es_mc_Deploy-MDFC-Config.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/policy_set_definition_es_mc_Deploy-MDFC-Config.parameters.json create mode 100644 
dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/policy_set_definition_es_mc_Deploy-Private-DNS-Zones.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/policy_set_definition_es_mc_Deploy-Private-DNS-Zones.parameters.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/policy_set_definition_es_mc_Deploy-Sql-Security.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/policy_set_definition_es_mc_Deploy-Sql-Security.parameters.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/policy_set_definition_es_mc_Enforce-EncryptTransit.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/policy_set_definition_es_mc_Enforce-EncryptTransit.parameters.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/policy_set_definition_es_mc_Enforce-Encryption-CMK.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/policy_set_definition_es_mc_Enforce-Encryption-CMK.parameters.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Append-AppService-httpsonly.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Append-AppService-latestTLS.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Append-KV-SoftDelete.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Append-Redis-disableNonSslPort.json create mode 
100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Append-Redis-sslEnforcement.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Audit-AzureHybridBenefit.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Audit-Disks-UnusedResourcesCostOptimization.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Audit-MachineLearning-PrivateEndpointId.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Audit-PrivateLinkDnsZones.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Audit-PublicIpAddresses-UnusedResourcesCostOptimization.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Audit-ServerFarms-UnusedResourcesCostOptimization.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-AA-child-resources.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-AppGW-Without-WAF.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-AppServiceApiApp-http.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-AppServiceFunctionApp-http.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-AppServiceWebApp-http.json create mode 100644 
dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-Databricks-NoPublicIp.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-Databricks-Sku.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-Databricks-VirtualNetwork.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-FileServices-InsecureAuth.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-FileServices-InsecureKerberos.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-FileServices-InsecureSmbChannel.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-FileServices-InsecureSmbVersions.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-MachineLearning-Aks.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-MachineLearning-Compute-SubnetId.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-MachineLearning-Compute-VmSize.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-MachineLearning-ComputeCluster-RemoteLoginPortPublicAccess.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-MachineLearning-ComputeCluster-Scale.json create mode 100644 
dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-MachineLearning-HbiWorkspace.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-MachineLearning-PublicAccessWhenBehindVnet.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-MachineLearning-PublicNetworkAccess.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-MgmtPorts-From-Internet.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-MySql-http.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-PostgreSql-http.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-Private-DNS-Zones.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-PublicEndpoint-MariaDB.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-PublicIP.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-RDP-From-Internet.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-Redis-http.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-Sql-minTLS.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-SqlMi-minTLS.json create mode 100644 
dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-Storage-SFTP.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-Storage-minTLS.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-StorageAccount-CustomDomain.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-Subnet-Without-Nsg.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-Subnet-Without-Penp.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-Subnet-Without-Udr.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-UDR-With-Specific-NextHop.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-VNET-Peer-Cross-Sub.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-VNET-Peering-To-Non-Approved-VNETs.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-VNet-Peering.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-ASC-SecurityContacts.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Budget.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Custom-Route-Table.json create mode 100644 
dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-DDoSProtection.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-AA.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-ACI.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-ACR.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-APIMgmt.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-AVDScalingPlans.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-AnalysisService.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-ApiForFHIR.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-ApplicationGateway.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-Bastion.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-CDNEndpoints.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-CognitiveServices.json create mode 100644 
dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-CosmosDB.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-DLAnalytics.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-DataExplorerCluster.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-DataFactory.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-Databricks.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-EventGridSub.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-EventGridSystemTopic.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-EventGridTopic.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-ExpressRoute.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-Firewall.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-FrontDoor.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-Function.json create mode 100644 
dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-HDInsight.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-LoadBalancer.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-LogAnalytics.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-LogicAppsISE.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-MariaDB.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-MediaService.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-MlWorkspace.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-MySQL.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-NIC.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-NetworkSecurityGroups.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-PostgreSQL.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-PowerBIEmbedded.json create mode 100644 
dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-RedisCache.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-Relay.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-SQLElasticPools.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-SQLMI.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-SignalR.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-TimeSeriesInsights.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-TrafficManager.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-VM.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-VMSS.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-VNetGW.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-VWanS2SVPNGW.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-VirtualNetwork.json create mode 100644 
dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-WVDAppGroup.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-WVDHostPools.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-WVDWorkspace.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-WebServerFarm.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-Website.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-iotHub.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-FirewallPolicy.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-MySQL-sslEnforcement.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Nsg-FlowLogs-to-LA.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Nsg-FlowLogs.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-PostgreSQL-sslEnforcement.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-SQL-minTLS.json create mode 100644 
dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Sql-AuditingSettings.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Sql-SecurityAlertPolicies.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Sql-Tde.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Sql-vulnerabilityAssessments.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Sql-vulnerabilityAssessments_20230706.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-SqlMi-minTLS.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Storage-sslEnforcement.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-VNET-HubSpoke.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Vm-autoShutdown.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Windows-DomainJoin.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Audit-UnusedResourcesCostOptimization.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Audit-UnusedResourcesCostOptimization.parameters.json create mode 100644 
dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deny-PublicPaaSEndpoints.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deny-PublicPaaSEndpoints.parameters.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-Diagnostics-LogAnalytics.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-Diagnostics-LogAnalytics.parameters.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-MDFC-Config.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-MDFC-Config.parameters.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-Private-DNS-Zones.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-Private-DNS-Zones.parameters.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-Sql-Security.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-Sql-Security.parameters.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-ACSB.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-ACSB.parameters.json create mode 100644 
dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-ALZ-Decomm.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-ALZ-Decomm.parameters.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-ALZ-Sandbox.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-ALZ-Sandbox.parameters.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-EncryptTransit.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-EncryptTransit.parameters.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Encryption-CMK.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Encryption-CMK.parameters.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-KeyVault.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-KeyVault.parameters.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/mc-customPolicyDefinitions.bicep create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/media/bicepVisualizer.png create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/media/exampleDeploymentOutput.png create mode 100644 
dependencies/infra-as-code/bicep/modules/policy/definitions/parameters/customPolicyDefinitions.parameters.all.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/parameters/customPolicyDefinitions.parameters.min.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/samples/baseline.policy.sample.bicep create mode 100644 dependencies/infra-as-code/bicep/modules/policy/samples/baseline.sample.bicep create mode 100644 dependencies/infra-as-code/bicep/modules/policy/samples/generateddocs/baseline.policy.sample.bicep.md create mode 100644 dependencies/infra-as-code/bicep/modules/policy/samples/generateddocs/baseline.sample.bicep.md create mode 100644 dependencies/infra-as-code/bicep/modules/policy/samples/generateddocs/minimum.policy.sample.bicep.md create mode 100644 dependencies/infra-as-code/bicep/modules/policy/samples/generateddocs/minimum.sample.bicep.md create mode 100644 dependencies/infra-as-code/bicep/modules/policy/samples/minimum.policy.sample.bicep create mode 100644 dependencies/infra-as-code/bicep/modules/policy/samples/minimum.sample.bicep create mode 100644 dependencies/infra-as-code/bicep/modules/privateDnsZoneLinks/README.md create mode 100644 dependencies/infra-as-code/bicep/modules/privateDnsZoneLinks/generateddocs/privateDnsZoneLinks.bicep.md create mode 100644 dependencies/infra-as-code/bicep/modules/privateDnsZoneLinks/media/bicepVisualizer.png create mode 100644 dependencies/infra-as-code/bicep/modules/privateDnsZoneLinks/parameters/privateDnsZoneLinks.parameters.all.json create mode 100644 dependencies/infra-as-code/bicep/modules/privateDnsZoneLinks/parameters/privateDnsZoneLinks.parameters.min.json create mode 100644 dependencies/infra-as-code/bicep/modules/privateDnsZoneLinks/privateDnsZoneLinks.bicep create mode 100644 dependencies/infra-as-code/bicep/modules/privateDnsZoneLinks/samples/baseline.sample.bicep create mode 100644 
dependencies/infra-as-code/bicep/modules/privateDnsZoneLinks/samples/generateddocs/baseline.sample.bicep.md create mode 100644 dependencies/infra-as-code/bicep/modules/privateDnsZones/README.md create mode 100644 dependencies/infra-as-code/bicep/modules/privateDnsZones/bicepconfig.json create mode 100644 dependencies/infra-as-code/bicep/modules/privateDnsZones/generateddocs/privateDnsZones.bicep.md create mode 100644 dependencies/infra-as-code/bicep/modules/privateDnsZones/media/bicepVisualizer.png create mode 100644 dependencies/infra-as-code/bicep/modules/privateDnsZones/media/exampleDeploymentOutput.png create mode 100644 dependencies/infra-as-code/bicep/modules/privateDnsZones/parameters/mc-privateDnsZones.parameters.all.json create mode 100644 dependencies/infra-as-code/bicep/modules/privateDnsZones/parameters/mc-privateDnsZones.parameters.min.json create mode 100644 dependencies/infra-as-code/bicep/modules/privateDnsZones/parameters/privateDnsZones.parameters.all.json create mode 100644 dependencies/infra-as-code/bicep/modules/privateDnsZones/parameters/privateDnsZones.parameters.min.json create mode 100644 dependencies/infra-as-code/bicep/modules/privateDnsZones/privateDnsZones.bicep create mode 100644 dependencies/infra-as-code/bicep/modules/privateDnsZones/samples/baseline.sample.bicep create mode 100644 dependencies/infra-as-code/bicep/modules/privateDnsZones/samples/generateddocs/baseline.sample.bicep.md create mode 100644 dependencies/infra-as-code/bicep/modules/privateDnsZones/samples/generateddocs/minimum.sample.bicep.md create mode 100644 dependencies/infra-as-code/bicep/modules/privateDnsZones/samples/minimum.sample.bicep create mode 100644 dependencies/infra-as-code/bicep/modules/publicIp/README.md create mode 100644 dependencies/infra-as-code/bicep/modules/publicIp/generateddocs/publicIp.bicep.md create mode 100644 dependencies/infra-as-code/bicep/modules/publicIp/media/bicepVisualizer.png create mode 100644 
dependencies/infra-as-code/bicep/modules/publicIp/parameters/publicIp.parameters.all.json create mode 100644 dependencies/infra-as-code/bicep/modules/publicIp/parameters/publicIp.parameters.min.json create mode 100644 dependencies/infra-as-code/bicep/modules/publicIp/publicIp.bicep create mode 100644 dependencies/infra-as-code/bicep/modules/publicIp/samples/baseline.sample.bicep create mode 100644 dependencies/infra-as-code/bicep/modules/publicIp/samples/generateddocs/baseline.sample.bicep.md create mode 100644 dependencies/infra-as-code/bicep/modules/publicIp/samples/generateddocs/minimum.sample.bicep.md create mode 100644 dependencies/infra-as-code/bicep/modules/publicIp/samples/minimum.sample.bicep create mode 100644 dependencies/infra-as-code/bicep/modules/resourceGroup/README.md create mode 100644 dependencies/infra-as-code/bicep/modules/resourceGroup/generateddocs/resourceGroup.bicep.md create mode 100644 dependencies/infra-as-code/bicep/modules/resourceGroup/media/bicepVisualizer.png create mode 100644 dependencies/infra-as-code/bicep/modules/resourceGroup/parameters/resourceGroup.parameters.all.json create mode 100644 dependencies/infra-as-code/bicep/modules/resourceGroup/parameters/resourceGroup.parameters.min.json create mode 100644 dependencies/infra-as-code/bicep/modules/resourceGroup/resourceGroup.bicep create mode 100644 dependencies/infra-as-code/bicep/modules/resourceGroup/samples/baseline.sample.bicep create mode 100644 dependencies/infra-as-code/bicep/modules/resourceGroup/samples/generateddocs/baseline.sample.bicep.md create mode 100644 dependencies/infra-as-code/bicep/modules/resourceGroup/samples/generateddocs/minimum.sample.bicep.md create mode 100644 dependencies/infra-as-code/bicep/modules/resourceGroup/samples/minimum.sample.bicep create mode 100644 dependencies/infra-as-code/bicep/modules/roleAssignments/README.md create mode 100644 
dependencies/infra-as-code/bicep/modules/roleAssignments/generateddocs/roleAssignmentManagementGroup.bicep.md create mode 100644 dependencies/infra-as-code/bicep/modules/roleAssignments/generateddocs/roleAssignmentManagementGroupMany.bicep.md create mode 100644 dependencies/infra-as-code/bicep/modules/roleAssignments/generateddocs/roleAssignmentResourceGroup.bicep.md create mode 100644 dependencies/infra-as-code/bicep/modules/roleAssignments/generateddocs/roleAssignmentResourceGroupMany.bicep.md create mode 100644 dependencies/infra-as-code/bicep/modules/roleAssignments/generateddocs/roleAssignmentSubscription.bicep.md create mode 100644 dependencies/infra-as-code/bicep/modules/roleAssignments/generateddocs/roleAssignmentSubscriptionMany.bicep.md create mode 100644 dependencies/infra-as-code/bicep/modules/roleAssignments/media/bicepVisualizerMg.png create mode 100644 dependencies/infra-as-code/bicep/modules/roleAssignments/media/bicepVisualizerMgMany.png create mode 100644 dependencies/infra-as-code/bicep/modules/roleAssignments/media/bicepVisualizerSub.png create mode 100644 dependencies/infra-as-code/bicep/modules/roleAssignments/media/bicepVisualizerSubMany.png create mode 100644 dependencies/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroup.managedIdentity.parameters.all.json create mode 100644 dependencies/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroup.managedIdentity.parameters.min.json create mode 100644 dependencies/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroup.securityGroup.parameters.all.json create mode 100644 dependencies/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroup.securityGroup.parameters.min.json create mode 100644 dependencies/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroup.servicePrincipal.parameters.all.json create mode 100644 
dependencies/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroup.servicePrincipal.parameters.min.json create mode 100644 dependencies/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroupMany.managedIdentity.parameters.all.json create mode 100644 dependencies/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroupMany.managedIdentity.parameters.min.json create mode 100644 dependencies/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroupMany.securityGroup.parameters.all.json create mode 100644 dependencies/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroupMany.securityGroup.parameters.min.json create mode 100644 dependencies/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroupMany.servicePrincipal.parameters.all.json create mode 100644 dependencies/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroupMany.servicePrincipal.parameters.min.json create mode 100644 dependencies/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentResourceGroup.managedIdentity.parameters.all.json create mode 100644 dependencies/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentResourceGroup.managedIdentity.parameters.min.json create mode 100644 dependencies/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentResourceGroup.securityGroup.parameters.all.json create mode 100644 dependencies/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentResourceGroup.securityGroup.parameters.min.json create mode 100644 dependencies/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentResourceGroup.servicePrincipal.parameters.all.json create mode 100644 dependencies/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentResourceGroup.servicePrincipal.parameters.min.json create mode 100644 
dependencies/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentResourceGroupMany.managedIdentity.parameters.all.json create mode 100644 dependencies/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentResourceGroupMany.managedIdentity.parameters.min.json create mode 100644 dependencies/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentResourceGroupMany.securityGroup.parameters.all.json create mode 100644 dependencies/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentResourceGroupMany.securityGroup.parameters.min.json create mode 100644 dependencies/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentResourceGroupMany.servicePrincipal.parameters.all.json create mode 100644 dependencies/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentResourceGroupMany.servicePrincipal.parameters.min.json create mode 100644 dependencies/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscription.managedIdentity.parameters.all.json create mode 100644 dependencies/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscription.managedIdentity.parameters.min.json create mode 100644 dependencies/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscription.securityGroup.parameters.all.json create mode 100644 dependencies/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscription.securityGroup.parameters.min.json create mode 100644 dependencies/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscription.servicePrincipal.parameters.all.json create mode 100644 dependencies/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscription.servicePrincipal.parameters.min.json create mode 100644 dependencies/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscriptionMany.managedIdentity.parameters.all.json create mode 100644 
dependencies/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscriptionMany.managedIdentity.parameters.min.json create mode 100644 dependencies/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscriptionMany.securityGroup.parameters.all.json create mode 100644 dependencies/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscriptionMany.securityGroup.parameters.min.json create mode 100644 dependencies/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscriptionMany.servicePrincipal.parameters.all.json create mode 100644 dependencies/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscriptionMany.servicePrincipal.parameters.min.json create mode 100644 dependencies/infra-as-code/bicep/modules/roleAssignments/roleAssignmentManagementGroup.bicep create mode 100644 dependencies/infra-as-code/bicep/modules/roleAssignments/roleAssignmentManagementGroupMany.bicep create mode 100644 dependencies/infra-as-code/bicep/modules/roleAssignments/roleAssignmentResourceGroup.bicep create mode 100644 dependencies/infra-as-code/bicep/modules/roleAssignments/roleAssignmentResourceGroupMany.bicep create mode 100644 dependencies/infra-as-code/bicep/modules/roleAssignments/roleAssignmentSubscription.bicep create mode 100644 dependencies/infra-as-code/bicep/modules/roleAssignments/roleAssignmentSubscriptionMany.bicep create mode 100644 dependencies/infra-as-code/bicep/modules/roleAssignments/samples/baseline.sample.bicep create mode 100644 dependencies/infra-as-code/bicep/modules/roleAssignments/samples/generateddocs/baseline.sample.bicep.md create mode 100644 dependencies/infra-as-code/bicep/modules/roleAssignments/samples/generateddocs/minimum.sample.bicep.md create mode 100644 dependencies/infra-as-code/bicep/modules/roleAssignments/samples/minimum.sample.bicep create mode 100644 dependencies/infra-as-code/bicep/modules/spokeNetworking/README.md create mode 100644 
dependencies/infra-as-code/bicep/modules/spokeNetworking/generateddocs/spokeNetworking.bicep.md create mode 100644 dependencies/infra-as-code/bicep/modules/spokeNetworking/media/bicepVisualizer.png create mode 100644 dependencies/infra-as-code/bicep/modules/spokeNetworking/media/exampleDeploymentOutput.png create mode 100644 dependencies/infra-as-code/bicep/modules/spokeNetworking/parameters/spokeNetworking.parameters.all.json create mode 100644 dependencies/infra-as-code/bicep/modules/spokeNetworking/parameters/spokeNetworking.parameters.min.json create mode 100644 dependencies/infra-as-code/bicep/modules/spokeNetworking/samples/baseline.sample.bicep create mode 100644 dependencies/infra-as-code/bicep/modules/spokeNetworking/samples/generateddocs/baseline.sample.bicep.md create mode 100644 dependencies/infra-as-code/bicep/modules/spokeNetworking/samples/generateddocs/minimum.sample.bicep.md create mode 100644 dependencies/infra-as-code/bicep/modules/spokeNetworking/samples/minimum.sample.bicep create mode 100644 dependencies/infra-as-code/bicep/modules/spokeNetworking/spokeNetworking.bicep create mode 100644 dependencies/infra-as-code/bicep/modules/subscriptionPlacement/README.md create mode 100644 dependencies/infra-as-code/bicep/modules/subscriptionPlacement/generateddocs/subscriptionPlacement.bicep.md create mode 100644 dependencies/infra-as-code/bicep/modules/subscriptionPlacement/media/bicepVisualizer.png create mode 100644 dependencies/infra-as-code/bicep/modules/subscriptionPlacement/parameters/subscriptionPlacement.parameters.all.json create mode 100644 dependencies/infra-as-code/bicep/modules/subscriptionPlacement/parameters/subscriptionPlacement.parameters.min.json create mode 100644 dependencies/infra-as-code/bicep/modules/subscriptionPlacement/samples/baseline.sample.bicep create mode 100644 dependencies/infra-as-code/bicep/modules/subscriptionPlacement/samples/generateddocs/baseline.sample.bicep.md create mode 100644 
dependencies/infra-as-code/bicep/modules/subscriptionPlacement/samples/generateddocs/minimum.sample.bicep.md create mode 100644 dependencies/infra-as-code/bicep/modules/subscriptionPlacement/samples/minimum.sample.bicep create mode 100644 dependencies/infra-as-code/bicep/modules/subscriptionPlacement/subscriptionPlacement.bicep create mode 100644 dependencies/infra-as-code/bicep/modules/vnetPeering/README.md create mode 100644 dependencies/infra-as-code/bicep/modules/vnetPeering/generateddocs/vnetPeering.bicep.md create mode 100644 dependencies/infra-as-code/bicep/modules/vnetPeering/media/bicepVisualizer.png create mode 100644 dependencies/infra-as-code/bicep/modules/vnetPeering/media/exampleDeploymentOutput.png create mode 100644 dependencies/infra-as-code/bicep/modules/vnetPeering/parameters/vnetPeering.parameters.all.json create mode 100644 dependencies/infra-as-code/bicep/modules/vnetPeering/parameters/vnetPeering.parameters.min.json create mode 100644 dependencies/infra-as-code/bicep/modules/vnetPeering/samples/baseline.sample.bicep create mode 100644 dependencies/infra-as-code/bicep/modules/vnetPeering/samples/generateddocs/baseline.sample.bicep.md create mode 100644 dependencies/infra-as-code/bicep/modules/vnetPeering/samples/generateddocs/minimum.sample.bicep.md create mode 100644 dependencies/infra-as-code/bicep/modules/vnetPeering/samples/minimum.sample.bicep create mode 100644 dependencies/infra-as-code/bicep/modules/vnetPeering/vnetPeering.bicep create mode 100644 dependencies/infra-as-code/bicep/modules/vnetPeeringVwan/README.md create mode 100644 dependencies/infra-as-code/bicep/modules/vnetPeeringVwan/generateddocs/hubVirtualNetworkConnection.bicep.md create mode 100644 dependencies/infra-as-code/bicep/modules/vnetPeeringVwan/generateddocs/vnetPeeringVwan.bicep.md create mode 100644 dependencies/infra-as-code/bicep/modules/vnetPeeringVwan/hubVirtualNetworkConnection.bicep create mode 100644 
dependencies/infra-as-code/bicep/modules/vnetPeeringVwan/media/bicepVisualizer.png create mode 100644 dependencies/infra-as-code/bicep/modules/vnetPeeringVwan/media/exampleDeploymentOutput.png create mode 100644 dependencies/infra-as-code/bicep/modules/vnetPeeringVwan/parameters/vnetPeeringVwan.parameters.all.json create mode 100644 dependencies/infra-as-code/bicep/modules/vnetPeeringVwan/parameters/vnetPeeringVwan.parameters.min.json create mode 100644 dependencies/infra-as-code/bicep/modules/vnetPeeringVwan/samples/baseline.sample.bicep create mode 100644 dependencies/infra-as-code/bicep/modules/vnetPeeringVwan/samples/generateddocs/baseline.sample.bicep.md create mode 100644 dependencies/infra-as-code/bicep/modules/vnetPeeringVwan/samples/generateddocs/minimum.sample.bicep.md create mode 100644 dependencies/infra-as-code/bicep/modules/vnetPeeringVwan/samples/minimum.sample.bicep create mode 100644 dependencies/infra-as-code/bicep/modules/vnetPeeringVwan/vnetPeeringVwan.bicep create mode 100644 dependencies/infra-as-code/bicep/modules/vwanConnectivity/README.md create mode 100644 dependencies/infra-as-code/bicep/modules/vwanConnectivity/bicepconfig.json create mode 100644 dependencies/infra-as-code/bicep/modules/vwanConnectivity/generateddocs/vwanConnectivity.bicep.md create mode 100644 dependencies/infra-as-code/bicep/modules/vwanConnectivity/media/bicepVisualizer.png create mode 100644 dependencies/infra-as-code/bicep/modules/vwanConnectivity/media/exampleDeploymentOutput.png create mode 100644 dependencies/infra-as-code/bicep/modules/vwanConnectivity/media/exampleDeploymentOutputConnectivity.png create mode 100644 dependencies/infra-as-code/bicep/modules/vwanConnectivity/media/mc-exampleDeploymentOutput.png create mode 100644 dependencies/infra-as-code/bicep/modules/vwanConnectivity/media/mc-exampleDeploymentOutputConnectivity.png create mode 100644 dependencies/infra-as-code/bicep/modules/vwanConnectivity/parameters/mc-vwanConnectivity.parameters.all.json 
create mode 100644 dependencies/infra-as-code/bicep/modules/vwanConnectivity/parameters/mc-vwanConnectivity.parameters.min.json create mode 100644 dependencies/infra-as-code/bicep/modules/vwanConnectivity/parameters/vwanConnectivity.parameters.all.json create mode 100644 dependencies/infra-as-code/bicep/modules/vwanConnectivity/parameters/vwanConnectivity.parameters.min.json create mode 100644 dependencies/infra-as-code/bicep/modules/vwanConnectivity/samples/baseline.sample.bicep create mode 100644 dependencies/infra-as-code/bicep/modules/vwanConnectivity/samples/generateddocs/baseline.sample.bicep.md create mode 100644 dependencies/infra-as-code/bicep/modules/vwanConnectivity/samples/generateddocs/minimum.sample.bicep.md create mode 100644 dependencies/infra-as-code/bicep/modules/vwanConnectivity/samples/minimum.sample.bicep create mode 100644 dependencies/infra-as-code/bicep/modules/vwanConnectivity/vwanConnectivity.bicep create mode 100644 dependencies/infra-as-code/bicep/orchestration/hubPeeredSpoke/README.md create mode 100644 dependencies/infra-as-code/bicep/orchestration/hubPeeredSpoke/generateddocs/hubPeeredSpoke.bicep.md create mode 100644 dependencies/infra-as-code/bicep/orchestration/hubPeeredSpoke/hubPeeredSpoke.bicep create mode 100644 dependencies/infra-as-code/bicep/orchestration/hubPeeredSpoke/media/bicepVisualizer.png create mode 100644 dependencies/infra-as-code/bicep/orchestration/hubPeeredSpoke/parameters/hubPeeredSpoke.parameters.all.json create mode 100644 dependencies/infra-as-code/bicep/orchestration/hubPeeredSpoke/parameters/hubPeeredSpoke.vwan.parameters.all.json create mode 100644 dependencies/infra-as-code/bicep/orchestration/mgDiagSettingsAll/README.md create mode 100644 dependencies/infra-as-code/bicep/orchestration/mgDiagSettingsAll/generateddocs/mgDiagSettingsAll.bicep.md create mode 100644 dependencies/infra-as-code/bicep/orchestration/mgDiagSettingsAll/media/bicepVisualizer.png create mode 100644 
dependencies/infra-as-code/bicep/orchestration/mgDiagSettingsAll/mgDiagSettingsAll.bicep create mode 100644 dependencies/infra-as-code/bicep/orchestration/mgDiagSettingsAll/parameters/mgDiagSettingsAll.parameters.all.json create mode 100644 dependencies/infra-as-code/bicep/orchestration/mgDiagSettingsAll/parameters/mgDiagSettingsAll.parameters.min.json create mode 100644 dependencies/infra-as-code/bicep/orchestration/subPlacementAll/README.md create mode 100644 dependencies/infra-as-code/bicep/orchestration/subPlacementAll/generateddocs/subPlacementAll.bicep.md create mode 100644 dependencies/infra-as-code/bicep/orchestration/subPlacementAll/media/bicepVisualizer.png create mode 100644 dependencies/infra-as-code/bicep/orchestration/subPlacementAll/parameters/subPlacementAll.parameters.all.json create mode 100644 dependencies/infra-as-code/bicep/orchestration/subPlacementAll/parameters/subPlacementAll.parameters.min.json create mode 100644 dependencies/infra-as-code/bicep/orchestration/subPlacementAll/subPlacementAll.bicep create mode 100644 dependencies/scripts/Get-AlzBicepResourceTypes.ps1 create mode 100644 dependencies/scripts/Invoke-GitHubReleaseFetcher.ps1 create mode 100644 dependencies/scripts/Invoke-LibraryUpdate-China.ps1 create mode 100644 dependencies/scripts/Invoke-LibraryUpdate.ps1 create mode 100644 dependencies/scripts/Invoke-PolicyToBicep-China.ps1 create mode 100644 dependencies/scripts/Invoke-PolicyToBicep.ps1 create mode 100644 dependencies/scripts/Set-AlzDefaultPolicyAssignment.ps1 create mode 100644 dependencies/scripts/Update-ProviderApiVersionsZip.ps1 create mode 100644 docs/01-Overview.md create mode 100644 docs/02-Architecture.md create mode 100644 docs/03-Deployment-Overview.md create mode 100644 docs/04-Repository-Setup.md create mode 100644 docs/05-Permissions-Tooling.md create mode 100644 docs/06-Upgrade-Existing-SLZ-Preview.md create mode 100644 docs/07-Deployment-Parameters.md create mode 100644 docs/08-Deploy-SLZ-Preview.md create 
mode 100644 docs/09-Customize-Policies.md create mode 100644 docs/10-Compliance-Dashboard.md create mode 100644 docs/11-Conclusion.md create mode 100644 docs/12-FAQ.md create mode 100644 docs/13-Troubleshooting.md create mode 100644 docs/PREVIEW.md create mode 100644 docs/images/LightHouseTenantID.png create mode 100644 docs/images/LighthouseSubscriptionID.png create mode 100644 docs/images/Upgrade-ComplianceDetails.png create mode 100644 docs/images/Upgrade-ManagementGroup.png create mode 100644 docs/images/Upgrade-ManagementGroupDetail.png create mode 100644 docs/images/Upgrade-PolicyAssignmentDelete.png create mode 100644 docs/images/Upgrade-PolicyAssignmentFilter.png create mode 100644 docs/images/Upgrade-PolicyAssignmentScope.png create mode 100644 docs/images/Upgrade-PolicyAssignmentsBlade.png create mode 100644 docs/images/Upgrade-PolicyDefinitionFilter.png create mode 100644 docs/images/Upgrade-PolicyDefinitionFilterDelete.png create mode 100644 docs/images/Upgrade-PolicyDefinitionList.png create mode 100644 docs/images/ViewDeploymentStep.png create mode 100644 docs/images/ViewErrorFromLog.png create mode 100644 docs/images/access-permissions.png create mode 100644 docs/images/accessmanagementpermissions.png create mode 100644 docs/images/alz-update-initiative-with-builtin-01.png create mode 100644 docs/images/alz-update-initiative-with-builtin-04.png create mode 100644 docs/images/custom-policies-folder.png create mode 100644 docs/images/deployerror-vscode.png create mode 100644 docs/images/downloadzipofrepo.png create mode 100644 docs/images/empty-custom-policies.png create mode 100644 docs/images/forkgithubrepo.png create mode 100644 docs/images/github_compliance-dashboard.png create mode 100644 docs/images/parBillingAccountID.png create mode 100644 docs/images/parEnrollmentID.png create mode 100644 docs/images/sovereign-scale-architecture.png create mode 100644 docs/scenarios/Custom-Policies.md create mode 100644 
docs/scenarios/Expanding-SLZ-ManagementGroups.md create mode 100644 docs/scenarios/Extending-Compliance-Dashboard.md create mode 100644 docs/scenarios/Landing-Zone-Vending.md create mode 100644 docs/scenarios/Piloting-SLZ.md create mode 100644 docs/scenarios/Pipeline-Deployments.md create mode 100644 docs/scenarios/README.md create mode 100644 docs/scenarios/Removing-Policy-Assignments.md create mode 100644 docs/scenarios/Sovereignty-Policy-Baseline.md create mode 100644 docs/scenarios/Using-Existing-Subscriptions.md create mode 100644 docs/scenarios/Using-Policy-Portfolio.md create mode 100644 modules/Microsoft.ManagedIdentity/userAssignedIdentities/.bicep/nested_roleAssignments.bicep create mode 100644 modules/Microsoft.ManagedIdentity/userAssignedIdentities/deploy.bicep create mode 100644 modules/Microsoft.ManagedIdentity/userAssignedIdentities/readme.md create mode 100644 modules/compliance/customCompliance.bicep create mode 100644 modules/compliance/customerPolicySetAssignments.bicep create mode 100644 modules/compliance/defaultCompliance.bicep create mode 100644 modules/compliance/policyAssignments/policy_assignment_deploy_slz_confidential_defaults.tmpl.json create mode 100644 modules/compliance/policyAssignments/policy_assignment_deploy_slz_connectivity_defaults.tmpl.json create mode 100644 modules/compliance/policyAssignments/policy_assignment_deploy_slz_corp_defaults.tmpl.json create mode 100644 modules/compliance/policyAssignments/policy_assignment_deploy_slz_decommissioned_defaults.tmpl.json create mode 100644 modules/compliance/policyAssignments/policy_assignment_deploy_slz_identity_defaults.tmpl.json create mode 100644 modules/compliance/policyAssignments/policy_assignment_deploy_slz_landing_zones_defaults.tmpl.json create mode 100644 modules/compliance/policyAssignments/policy_assignment_deploy_slz_management_defaults.tmpl.json create mode 100644 modules/compliance/policyAssignments/policy_assignment_deploy_slz_online_defaults.tmpl.json create mode 
100644 modules/compliance/policyAssignments/policy_assignment_deploy_slz_platform_defaults.tmpl.json create mode 100644 modules/compliance/policyAssignments/policy_assignment_deploy_slz_sandbox_defaults.tmpl.json create mode 100644 modules/compliance/policyAssignments/policy_assignmnet_deploy_slz_global_defaults.tmpl.json create mode 100644 modules/compliance/policyExemptions.bicep create mode 100644 modules/compliance/policyRemediation.bicep create mode 100644 modules/compliance/policySetDefinitions/slzConfidentialDefaults.json create mode 100644 modules/compliance/policySetDefinitions/slzConnectivityDefaults.json create mode 100644 modules/compliance/policySetDefinitions/slzCorpDefaults.json create mode 100644 modules/compliance/policySetDefinitions/slzDecommissionedDefaults.json create mode 100644 modules/compliance/policySetDefinitions/slzGlobalDefaults.json create mode 100644 modules/compliance/policySetDefinitions/slzIdentityDefaults.json create mode 100644 modules/compliance/policySetDefinitions/slzLandingZoneDefaults.json create mode 100644 modules/compliance/policySetDefinitions/slzManagementDefaults.json create mode 100644 modules/compliance/policySetDefinitions/slzOnlineDefaults.json create mode 100644 modules/compliance/policySetDefinitions/slzPlatformDefaults.json create mode 100644 modules/compliance/policySetDefinitions/slzSandboxDefaults.json create mode 100644 modules/customRoles/customRoleAssignment.bicep create mode 100644 modules/customRoles/customRoleDefinition.bicep create mode 100644 modules/dashboard/dashboard.bicep create mode 100644 modules/dashboard/templates/complianceByPolicyGroup.csl create mode 100644 modules/dashboard/templates/complianceScoreForConfidentialComputingPolicyGroup.csl create mode 100644 modules/dashboard/templates/complianceScoreForStoragePolicyGroup.csl create mode 100644 modules/dashboard/templates/complianceScoreForTransportPolicyGroup.csl create mode 100644 
modules/dashboard/templates/compliancebyPolicyInitiative.csl create mode 100644 modules/dashboard/templates/compliancebySubscription.csl create mode 100644 modules/dashboard/templates/confidentialityScore.csl create mode 100644 modules/dashboard/templates/dataResidencyScore.csl create mode 100644 modules/dashboard/templates/listOfResourcesExemptOfConfidentialPolicies.csl create mode 100644 modules/dashboard/templates/listofNonCompliantResources.csl create mode 100644 modules/dashboard/templates/listofResourcesExemptofDataResidentPolicy.csl create mode 100644 modules/dashboard/templates/listofResourcesOutsideofSafeRegion.csl create mode 100644 modules/dashboard/templates/markdownPart.md create mode 100644 modules/dashboard/templates/resourceComplianceScore.csl create mode 100644 modules/dashboard/templates/resourcesOutsideofSafeRegion.csl create mode 100644 modules/dashboard/templates/resourcesbyComplianceState.csl create mode 100644 modules/resourceGroups/connectivityResourceGroups.bicep create mode 100644 modules/resourceGroups/dashboardResourceGroups.bicep create mode 100644 modules/resourceGroups/identityResourceGroups.bicep create mode 100644 modules/resourceGroups/managementResourceGroups.bicep create mode 100644 modules/util/Get-FailedDeploymentDetails.ps1 create mode 100644 modules/util/delete-lock.bicep create mode 100644 modules/util/deployment-script.bicep create mode 100644 modules/util/wait-on-arm-subscription.bicep create mode 100644 modules/util/wait-on-arm.bicep create mode 100644 modules/util/wait-subscription.bicep create mode 100644 modules/util/wait.bicep create mode 100644 orchestration/bootstrap/bootstrap.bicep create mode 100644 orchestration/const/doNotRetryErrorCodes.json create mode 100644 orchestration/customCompliance/customCompliance.bicep create mode 100644 orchestration/dashboard/dashboard.bicep create mode 100644 orchestration/defaultCompliance/defaultCompliance.bicep create mode 100644 
orchestration/moveSubscription/moveSubscription.bicep create mode 100644 orchestration/policyExemption/policyExemption.bicep create mode 100644 orchestration/policyInstallation/alz-DefaultPolicySetDefinitions.txt create mode 100644 orchestration/policyInstallation/policyInstallation.bicep create mode 100644 orchestration/policyInstallation/slz-DefaultandCustomPolicyDefinitions.txt create mode 100644 orchestration/policyInstallation/slz-DefaultandCustomSLZGlobalPolicySetDefinitions.txt create mode 100644 orchestration/policyInstallation/slz-DefaultandCustomSLZPolicySetDefinitions.txt create mode 100644 orchestration/policyRemediation/policyRemediation.bicep create mode 100644 orchestration/scripts/Confirm-SovereignLandingZonePrerequisites.ps1 create mode 100644 orchestration/scripts/Invoke-Helper.ps1 create mode 100644 orchestration/scripts/Invoke-SlzDefaultandCustomPolicyToBicep.ps1 create mode 100644 orchestration/scripts/New-Bootstrap.ps1 create mode 100644 orchestration/scripts/New-Compliance.ps1 create mode 100644 orchestration/scripts/New-Dashboard.ps1 create mode 100644 orchestration/scripts/New-Platform.ps1 create mode 100644 orchestration/scripts/New-PolicyExemption.ps1 create mode 100644 orchestration/scripts/New-PolicyRemediation.ps1 create mode 100644 orchestration/scripts/New-SovereignLandingZone.ps1 create mode 100644 orchestration/scripts/parameters/sovereignLandingZone.parameters.json create mode 100644 orchestration/sovereignPlatform/sovereignPlatform.bicep
diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md
new file mode 100644
index 0000000..23fcbcc
--- /dev/null
+++ b/.github/ISSUE_TEMPLATE/bug_report.md
@@ -0,0 +1,27 @@
+---
+name: Bug report
+about: Create a report to help us improve
+title: "[BUG]"
+labels: ''
+assignees: ''
+
+---
+
+**Describe the bug**
+A clear and concise description of what the bug is.
+
+**To Reproduce**
+Steps to reproduce the behavior:
+1. Go to '...'
+2. Click on '....'
+3. Scroll down to '....'
+4. See error
+
+**Expected behavior**
+A clear and concise description of what you expected to happen.
+
+**Screenshots**
+If applicable, add screenshots to help explain your problem.
+
+**Additional context**
+Add any other context about the problem here.
diff --git a/.github/ISSUE_TEMPLATE/feature_request.md b/.github/ISSUE_TEMPLATE/feature_request.md
new file mode 100644
index 0000000..bbcbbe7
--- /dev/null
+++ b/.github/ISSUE_TEMPLATE/feature_request.md
@@ -0,0 +1,20 @@
+---
+name: Feature request
+about: Suggest an idea for this project
+title: ''
+labels: ''
+assignees: ''
+
+---
+
+**Is your feature request related to a problem? Please describe.**
+A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
+
+**Describe the solution you'd like**
+A clear and concise description of what you want to happen.
+
+**Describe alternatives you've considered**
+A clear and concise description of any alternative solutions or features you've considered.
+
+**Additional context**
+Add any other context or screenshots about the feature request here.
diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md
new file mode 100644
index 0000000..3f3d19f
--- /dev/null
+++ b/.github/PULL_REQUEST_TEMPLATE.md
@@ -0,0 +1,23 @@
+
+# Overview/Summary
+
+Replace this with a brief description of what this Pull Request fixes, changes, etc.
+
+## This PR fixes/adds/changes/removes
+
+1. *Replace me*
+2. *Replace me*
+3. *Replace me*
+
+### Breaking Changes
+
+1. *Replace me*
+2. *Replace me*
+
+## Testing Evidence
+
+Replace this with any testing evidence to show that your Pull Request works/fixes as described and planned (include screenshots, if appropriate).
+
+# Documentation
+
+Related wiki link or design document, if applicable.
diff --git a/.gitignore b/.gitignore
index 8a30d25..24ad4da 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,398 +1,27 @@
-## Ignore Visual Studio temporary files, build results, and
-## files generated by popular Visual Studio add-ons.
-##
-## Get latest from https://github.com/github/gitignore/blob/main/VisualStudio.gitignore
-
-# User-specific files
-*.rsuser
-*.suo
-*.user
-*.userosscache
-*.sln.docstates
-
-# User-specific files (MonoDevelop/Xamarin Studio)
-*.userprefs
-
-# Mono auto generated files
-mono_crash.*
-
-# Build results
-[Dd]ebug/
-[Dd]ebugPublic/
-[Rr]elease/
-[Rr]eleases/
-x64/
-x86/
-[Ww][Ii][Nn]32/
-[Aa][Rr][Mm]/
-[Aa][Rr][Mm]64/
-bld/
-[Bb]in/
-[Oo]bj/
-[Ll]og/
-[Ll]ogs/
-
-# Visual Studio 2015/2017 cache/options directory
-.vs/
-# Uncomment if you have tasks that create the project's static files in wwwroot
-#wwwroot/
-
-# Visual Studio 2017 auto generated files
-Generated\ Files/
-
-# MSTest test Results
-[Tt]est[Rr]esult*/
-[Bb]uild[Ll]og.*
-
-# NUnit
-*.VisualState.xml
-TestResult.xml
-nunit-*.xml
-
-# Build Results of an ATL Project
-[Dd]ebugPS/
-[Rr]eleasePS/
-dlldata.c
-
-# Benchmark Results
-BenchmarkDotNet.Artifacts/
-
-# .NET Core
-project.lock.json
-project.fragment.lock.json
-artifacts/
-
-# ASP.NET Scaffolding
-ScaffoldingReadMe.txt
-
-# StyleCop
-StyleCopReport.xml
-
-# Files built by Visual Studio
-*_i.c
-*_p.c
-*_h.h
-*.ilk
-*.meta
-*.obj
-*.iobj
-*.pch
-*.pdb
-*.ipdb
-*.pgc
-*.pgd
-*.rsp
-*.sbr
-*.tlb
-*.tli
-*.tlh
-*.tmp
-*.tmp_proj
-*_wpftmp.csproj
-*.log
-*.tlog
-*.vspscc
-*.vssscc
-.builds
-*.pidb
-*.svclog
-*.scc
-
-# Chutzpah Test files
-_Chutzpah*
-
-# Visual C++ cache files
-ipch/
-*.aps
-*.ncb
-*.opendb
-*.opensdf
-*.sdf
-*.cachefile
-*.VC.db
-*.VC.VC.opendb
-
-# Visual Studio profiler
-*.psess
-*.vsp
-*.vspx
-*.sap
-
-# Visual Studio Trace Files
-*.e2e
-
-# TFS 2012 Local Workspace
-$tf/
-
-# Guidance Automation Toolkit
-*.gpState
-
-# ReSharper is a .NET coding add-in
-_ReSharper*/
-*.[Rr]e[Ss]harper
-*.DotSettings.user
-
-# TeamCity is a build add-in
-_TeamCity*
-
-# DotCover is a Code Coverage Tool
-*.dotCover
-
-# AxoCover is a Code Coverage Tool
-.axoCover/*
-!.axoCover/settings.json
-
-# Coverlet is a free, cross platform Code Coverage Tool
-coverage*.json
-coverage*.xml
-coverage*.info
-
-# Visual Studio code coverage results
-*.coverage
-*.coveragexml
-
-# NCrunch
-_NCrunch_*
-.*crunch*.local.xml
-nCrunchTemp_*
-
-# MightyMoose
-*.mm.*
-AutoTest.Net/
-
-# Web workbench (sass)
-.sass-cache/
-
-# Installshield output folder
-[Ee]xpress/
-
-# DocProject is a documentation generator add-in
-DocProject/buildhelp/
-DocProject/Help/*.HxT
-DocProject/Help/*.HxC
-DocProject/Help/*.hhc
-DocProject/Help/*.hhk
-DocProject/Help/*.hhp
-DocProject/Help/Html2
-DocProject/Help/html
-
-# Click-Once directory
-publish/
-
-# Publish Web Output
-*.[Pp]ublish.xml
-*.azurePubxml
-# Note: Comment the next line if you want to checkin your web deploy settings,
-# but database connection strings (with potential passwords) will be unencrypted
-*.pubxml
-*.publishproj
-
-# Microsoft Azure Web App publish settings. Comment the next line if you want to
-# checkin your Azure Web App publish settings, but sensitive information contained
-# in these scripts will be unencrypted
-PublishScripts/
-
-# NuGet Packages
-*.nupkg
-# NuGet Symbol Packages
-*.snupkg
-# The packages folder can be ignored because of Package Restore
-**/[Pp]ackages/*
-# except build/, which is used as an MSBuild target.
-!**/[Pp]ackages/build/
-# Uncomment if necessary however generally it will be regenerated when needed
-#!**/[Pp]ackages/repositories.config
-# NuGet v3's project.json files produces more ignorable files
-*.nuget.props
-*.nuget.targets
-
-# Microsoft Azure Build Output
-csx/
-*.build.csdef
-
-# Microsoft Azure Emulator
-ecf/
-rcf/
-
-# Windows Store app package directories and files
-AppPackages/
-BundleArtifacts/
-Package.StoreAssociation.xml
-_pkginfo.txt
-*.appx
-*.appxbundle
-*.appxupload
-
-# Visual Studio cache files
-# files ending in .cache can be ignored
-*.[Cc]ache
-# but keep track of directories ending in .cache
-!?*.[Cc]ache/
-
-# Others
-ClientBin/
-~$*
-*~
-*.dbmdl
-*.dbproj.schemaview
-*.jfm
-*.pfx
-*.publishsettings
-orleans.codegen.cs
-
-# Including strong name files can present a security risk
-# (https://github.com/github/gitignore/pull/2483#issue-259490424)
-#*.snk
-
-# Since there are multiple workflows, uncomment next line to ignore bower_components
-# (https://github.com/github/gitignore/pull/1529#issuecomment-104372622)
-#bower_components/
-
-# RIA/Silverlight projects
-Generated_Code/
-
-# Backup & report files from converting an old project file
-# to a newer Visual Studio version. Backup files are not needed,
-# because we have git ;-)
-_UpgradeReport_Files/
-Backup*/
-UpgradeLog*.XML
-UpgradeLog*.htm
-ServiceFabricBackup/
-*.rptproj.bak
-
-# SQL Server files
-*.mdf
-*.ldf
-*.ndf
-
-# Business Intelligence projects
-*.rdl.data
-*.bim.layout
-*.bim_*.settings
-*.rptproj.rsuser
-*- [Bb]ackup.rdl
-*- [Bb]ackup ([0-9]).rdl
-*- [Bb]ackup ([0-9][0-9]).rdl
-
-# Microsoft Fakes
-FakesAssemblies/
-
-# GhostDoc plugin setting file
-*.GhostDoc.xml
-
-# Node.js Tools for Visual Studio
-.ntvs_analysis.dat
-node_modules/
-
-# Visual Studio 6 build log
-*.plg
-
-# Visual Studio 6 workspace options file
-*.opt
-
-# Visual Studio 6 auto-generated workspace file (contains which files were open etc.)
-*.vbw
-
-# Visual Studio 6 auto-generated project file (contains which files were open etc.)
-*.vbp
-
-# Visual Studio 6 workspace and project file (working project files containing files to include in project)
-*.dsw
-*.dsp
-
-# Visual Studio 6 technical files
-*.ncb
-*.aps
-
-# Visual Studio LightSwitch build output
-**/*.HTMLClient/GeneratedArtifacts
-**/*.DesktopClient/GeneratedArtifacts
-**/*.DesktopClient/ModelManifest.xml
-**/*.Server/GeneratedArtifacts
-**/*.Server/ModelManifest.xml
-_Pvt_Extensions
-
-# Paket dependency manager
-.paket/paket.exe
-paket-files/
-
-# FAKE - F# Make
-.fake/
-
-# CodeRush personal settings
-.cr/personal
-
-# Python Tools for Visual Studio (PTVS)
-__pycache__/
-*.pyc
-
-# Cake - Uncomment if you are using it
-# tools/**
-# !tools/packages.config
-
-# Tabs Studio
-*.tss
-
-# Telerik's JustMock configuration file
-*.jmconfig
-
-# BizTalk build output
-*.btp.cs
-*.btm.cs
-*.odx.cs
-*.xsd.cs
-
-# OpenCover UI analysis results
-OpenCover/
-
-# Azure Stream Analytics local run output
-ASALocalRun/
-
-# MSBuild Binary and Structured Log
-*.binlog
-
-# NVidia Nsight GPU debugger configuration file
-*.nvuser
-
-# MFractors (Xamarin productivity tool) working folder
-.mfractor/
-
-# Local History for Visual Studio
-.localhistory/
-
-# Visual Studio History (VSHistory) files
-.vshistory/
-
-# BeatPulse healthcheck temp database
-healthchecksdb
-
-# Backup folder for Package Reference Convert tool in Visual Studio 2017
-MigrationBackup/
-
-# Ionide (cross platform F# VS Code tools) working folder
-.ionide/
-
-# Fody - auto-generated XML schema
-FodyWeavers.xsd
-
-# VS Code files for those working on multiple tools
-.vscode/*
-!.vscode/settings.json
-!.vscode/tasks.json
-!.vscode/launch.json
-!.vscode/extensions.json
-*.code-workspace
-
-# Local History for Visual Studio Code
-.history/
-
-# Windows Installer files from build outputs
-*.cab
-*.msi
-*.msix
-*.msm
-*.msp
-
-# JetBrains Rider
-*.sln.iml
+# Ignore bicep build output files and keep required json in other locations
+slz-build-log.txt
+
+# Ignore Visual Studio Code user folder
+.vs
+.vscode
+
+# Ignore NuGet packages folder
+packages/*
+
+# Ignore bicep build output json and keep required json in other locations
+modules/**/*.json
+!modules/**/dashboard/templates/*
+!modules/**/parameters/*.parameters.json
+!modules/**/policyAssignments/*
+!modules/**/policySetDefinitions/*
+orchestration/**/*.json
+!orchestration/const/*.json
+!orchestration/**/parameters/*.parameters.json
+orchestration/scripts/outputs/*
+# ignore all files added or modified by Invoke-SlzDefaultandCustomPolicyToBicep.ps1
+dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/_*.txt
+dependencies/infra-as-code/bicep/modules/policy/definitions/alzPolicySetDefinitions.bicep
+dependencies/infra-as-code/bicep/modules/policy/definitions/slz-*.bicep
+dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/_*.txt
+dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/_*.txt
+dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/slz*.json
diff --git a/README.md b/README.md
index 5cd7cec..e23a8ed 100644
--- a/README.md
+++ b/README.md
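Review bot: The rewritten `.gitignore` no longer ignores the credential-bearing file types the old list covered: `*.pfx`, `*.publishsettings` and `*.pubxml` are removed and nothing on the new side replaces them, so a certificate or publish profile left in the working tree would be staged by a broad `git add`. For a repository of deployment scripts I would keep at least `*.pfx` and `*.publishsettings` in the new list. Separately, the exceptions `!modules/**/parameters/*.parameters.json` and `!orchestration/**/parameters/*.parameters.json` keep parameter files tracked. If those files are meant to be edited in place with tenant-specific values (an assumption, as their contents are not in this hunk), a comment above the exceptions such as `# parameter files are tracked: do not commit environment-specific values` would make that explicit. The heading `# Ignore Visual Studio Code user folder` also covers `.vs`, which is the Visual Studio folder; `# Ignore Visual Studio and Visual Studio Code user folders` would match both entries.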
@@ -1,14 +1,8 @@ -# Project +# Sovereign Landing Zone Preview -> This repo has been populated by an initial template to help get you started. Please -> make sure to update the content to build a great experience for community-building. +The Sovereign Landing Zone (SLZ) Preview provides opinionated infrastructure-as-code automation for deploying workloads that help meet certain regulatory compliance requirements for the public sector and government agencies around the world. -As the maintainer of this project, please make a few updates: - -- Improving this README.MD file to provide a great experience -- Updating SUPPORT.MD with content about this project's support experience -- Understanding the security reporting process in SECURITY.MD -- Remove this section from the README +You can begin by navigating to the [Overview](/docs/01-Overview.md) document to begin. The documentation will cover the concepts around SLZ Preview, architecture, and deployment paths. Please reference [FAQ's](/docs/12-FAQ.md) for common questions and [Troubleshooting](/docs/13-Troubleshooting.md) for common issues. ## Contributing 
@@ -24,10 +18,23 @@ This project has adopted the [Microsoft Open Source Code of Conduct](https://ope For more information see the [Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/) or contact [opencode@microsoft.com](mailto:opencode@microsoft.com) with any additional questions or comments. +## Shared responsibility and customer responsibilities + +To ensure your data is secure and your privacy controls are addressed, we recommend that you follow a set of best practices when deploying into Azure: + +- [Azure security best practices and patterns](https://learn.microsoft.com/azure/security/fundamentals/best-practices-and-patterns) +- [Microsoft Services in Cybersecurity](https://learn.microsoft.com/azure/security/fundamentals/cyber-services) + +Protecting your data also requires that all aspects of your security and compliance program include your cloud infrastructure and data. The following guidance can help you to secure your deployment. + ## Trademarks -This project may contain trademarks or logos for projects, products, or services. Authorized use of Microsoft -trademarks or logos is subject to and must follow -[Microsoft's Trademark & Brand Guidelines](https://www.microsoft.com/en-us/legal/intellectualproperty/trademarks/usage/general). +This project may contain trademarks or logos for projects, products, or services. Authorized use of Microsoft +trademarks or logos is subject to and must follow +[Microsoft's Trademark & Brand Guidelines](https://www.microsoft.com/legal/intellectualproperty/trademarks/usage/general). Use of Microsoft trademarks or logos in modified versions of this project must not cause confusion or imply Microsoft sponsorship. Any use of third-party trademarks or logos are subject to those third-party's policies. + +## Preview Notice + +**Preview Terms**. 
The Sovereign Landing Zone Preview (the "PREVIEW") is licensed to you as part of your [Azure subscription](https://azure.microsoft.com/en-us/support/legal/) and subject to terms applicable to "Previews" as detailed in the Universal License Terms for Online Services section of the Microsoft Product Terms and the [Microsoft Products and Services Data Protection Addendum ("DPA")](https://www.microsoft.com/licensing/terms/welcome/welcomepage). AS STATED IN THOSE TERMS, PREVIEWS ARE PROVIDED "AS-IS," "WITH ALL FAULTS," AND "AS AVAILABLE," AND ARE EXCLUDED FROM THE SERVICE LEVEL AGREEMENTS AND LIMITED WARRANTY. Previews may employ lesser or different privacy and security measures than those typically present in Azure Services. Unless otherwise noted, you should not use Previews to process Personal Data or other data that is subject to legal or regulatory compliance requirements. The following terms in the [DPA](https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA) do not apply to Previews: Processing of Personal Data; GDPR, Data Security, and HIPAA Business Associate. We may change or discontinue Previews at any time without notice. We also may choose not to release a Preview into General Availability. diff --git a/SECURITY.md b/SECURITY.md index e138ec5..869fdfe 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -1,8 +1,8 @@ - + ## Security -Microsoft takes the security of our software products and services seriously, which includes all source code repositories managed through our GitHub organizations, which include [Microsoft](https://github.com/microsoft), [Azure](https://github.com/Azure), [DotNet](https://github.com/dotnet), [AspNet](https://github.com/aspnet), [Xamarin](https://github.com/xamarin), and [our GitHub organizations](https://opensource.microsoft.com/). +Microsoft takes the security of our software products and services seriously, which includes all source code repositories managed through our GitHub organizations, which include [Microsoft](https://github.com/Microsoft), [Azure](https://github.com/Azure), [DotNet](https://github.com/dotnet), [AspNet](https://github.com/aspnet), [Xamarin](https://github.com/xamarin), and [our GitHub organizations](https://opensource.microsoft.com/). If you believe you have found a security vulnerability in any Microsoft-owned repository that meets [Microsoft's definition of a security vulnerability](https://aka.ms/opensource/security/definition), please report it to us as described below. diff --git a/SUPPORT.md b/SUPPORT.md index 291d4d4..1769b97 100644 --- a/SUPPORT.md +++ b/SUPPORT.md 
@@ -1,25 +1,27 @@ -# TODO: The maintainer of this repo has not yet edited this file - -**REPO OWNER**: Do you want Customer Service & Support (CSS) support for this product/project? - -- **No CSS support:** Fill out this template with information about how to file issues and get help. -- **Yes CSS support:** Fill out an intake form at [aka.ms/onboardsupport](https://aka.ms/onboardsupport). CSS will work with/help you to determine next steps. -- **Not sure?** Fill out an intake as though the answer were "Yes". CSS will help you decide. - -*Then remove this first heading from this SUPPORT.MD file before publishing your repo.* - -# Support - -## How to file issues and get help - -This project uses GitHub Issues to track bugs and feature requests. Please search the existing -issues before filing new issues to avoid duplicates. For new issues, file your bug or -feature request as a new Issue. - -For help and questions about using this project, please **REPO MAINTAINER: INSERT INSTRUCTIONS HERE -FOR HOW TO ENGAGE REPO OWNERS OR COMMUNITY FOR HELP. COULD BE A STACK OVERFLOW TAG OR OTHER -CHANNEL. WHERE WILL YOU HELP PEOPLE?**. - -## Microsoft Support Policy - -Support for this **PROJECT or PRODUCT** is limited to the resources listed above. +# Support + +## SLZ support scope + +Customers who request support for design guidance or development assistance may be directed to file a GitHub issue. Customers may also have to work with our Microsoft solution architects, Microsoft partners or software vendors directly for scenarios that aren't supported by the Microsoft customer support team. 
Examples include, but aren't limited to: + +* Application development +* Cloud deployment architecture +* Troubleshooting custom applications +* Custom code + +The following are some of the scenarios that the Microsoft support team will assist with: + +* Issues that occur during installation or configuration +* Deployment errors that occur when customers try to deploy applications to the Azure platform and services +* Runtime errors that occur when customers use the Azure platform and services +* Performance issues that affect applications that were built by using the supported open-source technologies on the Azure platform and services + +Any issues that are deemed outside of the above list by Microsoft support and/or requires bugfix in the Template or Code in the repo, Microsoft support will redirect user to file the issue on GitHub or to contact their Microsoft solution architect or representative (when applicable). + +## How to file issues and get help + +If you have questions or need help, [create a support request](https://ms.portal.azure.com/#view/Microsoft_Azure_Support/HelpAndSupportBlade/~/overview), or file a [GitHub issue](https://github.com/Azure/sovereign-landing-zone/issues). + +This project uses GitHub issues to track bugs and feature requests. Please search for the existing issues before filing new issues to avoid duplicates. For new issues, file your bug or feature request as a new Issue. Please provide as much information as possible when filing an issue. Include screenshots or correlations IDs if possible (please redact any sensitive information). For instructions on how to get deployments and correlation ID, please follow this link [here](https://learn.microsoft.com/azure/azure-resource-manager/templates/deployment-history?tabs=azure-portal#get-deployments-and-correlation-id). + +Project maintainers aim to investigate within 1 business day and provide guidance/workarounds within 3 business days of GitHub issue submission. 
\ No newline at end of file
diff --git a/bicepconfig.json b/bicepconfig.json
new file mode 100644
index 0000000..eae0872
--- /dev/null
+++ b/bicepconfig.json
@@ -0,0 +1,88 @@
+{
+ "analyzers": {
+ "core": {
+ "enabled": true,
+ "verbose": false,
+ "rules": {
+ "adminusername-should-not-be-literal": {
+ "level": "warning"
+ },
+ "artifacts-parameters": {
+ "level": "warning"
+ },
+ "explicit-values-for-loc-params": {
+ "level": "warning"
+ },
+ "no-hardcoded-env-urls": {
+ "level": "warning"
+ },
+ "no-hardcoded-location": {
+ "level": "warning"
+ },
+ "no-unnecessary-dependson": {
+ "level": "warning"
+ },
+ "no-loc-expr-outside-params": {
+ "level": "warning"
+ },
+ "no-unused-existing-resources": {
+ "level": "warning"
+ },
+ "no-unused-params": {
+ "level": "warning"
+ },
+ "no-unused-vars": {
+ "level": "warning"
+ },
+ "max-outputs": {
+ "level": "warning"
+ },
+ "max-params": {
+ "level": "warning"
+ },
+ "max-resources": {
+ "level": "warning"
+ },
+ "max-variables": {
+ "level": "warning"
+ },
+ "outputs-should-not-contain-secrets": {
+ "level": "warning"
+ },
+ "prefer-interpolation": {
+ "level": "warning"
+ },
+ "protect-commandtoexecute-secrets": {
+ "level": "warning"
+ },
+ "prefer-unquoted-property-names": {
+ "level": "warning"
+ },
+ "use-stable-vm-image": {
+ "level": "warning"
+ },
+ "use-recent-api-versions": {
+ "level": "warning"
+ },
+ "use-resource-id-functions": {
+ "level": "warning"
+ },
+ "use-stable-resource-identifiers": {
+ "level": "warning"
+ },
+ "secure-parameter-default": {
+ "level": "warning"
+ },
+ "secure-params-in-nested-deploy": {
+ "level": "warning"
+ },
+ "secure-secrets-in-params": {
+ "level": "warning"
+ },
+ "simplify-interpolation": {
+ "level": "warning"
+ }
+ }
+ }
+ }
+}
diff --git a/custom/dashboard/compliance/tiles-sample.json b/custom/dashboard/compliance/tiles-sample.json
new file mode 100644
index 0000000..59ee022
--- /dev/null
+++ b/custom/dashboard/compliance/tiles-sample.json
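Review bot: In bicepconfig.json every linter rule is set to `warning`, including the ones that catch leaked secrets, so a template that exposes a secret through an output or a parameter default still builds cleanly. For `outputs-should-not-contain-secrets`, `secure-parameter-default`, `secure-secrets-in-params`, `secure-params-in-nested-deploy` and `protect-commandtoexecute-secrets` I would use `"level": "error"` so the build fails instead of logging a line that is easy to miss. The style and size rules can stay at `warning`.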
@@ -0,0 +1,51 @@
+[
+ {
+ "position": {
+ "x": 0,
+ "y": 41,
+ "colSpan": 16,
+ "rowSpan": 4
+ },
+ "metadata": {
+ "inputs": [
+ {
+ "name": "isShared",
+ "isOptional": true
+ },
+ {
+ "name": "queryId",
+ "isOptional": true
+ },
+ {
+ "name": "partTitle",
+ "value": "Custom query 1 - compliance percentage by policy group",
+ "isOptional": true
+ },
+ {
+ "name": "query",
+ "value": "PolicyResources| where type == 'microsoft.policyinsights/policystates' and tolower(properties.policyAssignmentScope) has '/providers/Microsoft.Management/managementGroups/mcfs'| extend policyDefinitionId = tolower(properties.policyDefinitionId), policyGroups = properties.policyDefinitionGroupNames, policySetDefinitionName = tolower(properties.policySetDefinitionName)| mv-expand parsed_policy_groups = policyGroups| where parsed_policy_groups hasprefix 'dashboard-'| extend parsed_policy_groups = trim('dashboard-',tostring(parsed_policy_groups))| project properties, policyDefinitionId, parsed_policy_groups| extend complianceState = tostring(properties.complianceState), resourceId = tolower(properties.resourceId), stateWeight = tolong(properties.stateWeight)| summarize max(stateWeight) by resourceId, tostring(parsed_policy_groups)| summarize counts = count() by tostring(parsed_policy_groups), max_stateWeight| summarize nonCompliantCount = sumif(counts, max_stateWeight == 300), compliantCount = sumif(counts, max_stateWeight == 200), conflictCount = sumif(counts, max_stateWeight == 100), exemptCount = sumif(counts, max_stateWeight == 50) by tostring(parsed_policy_groups)| extend totalResources = todouble(nonCompliantCount + compliantCount + conflictCount + exemptCount)| extend totalCompliantResources = todouble(compliantCount + exemptCount)| extend compliancePercentage = iff(totalResources == 0 or (totalCompliantResources == 0 and nonCompliantCount == 0), todouble(100), 100 * totalCompliantResources / totalResources)| project toupper(parsed_policy_groups), compliancePercentageEx =
toint(round(compliancePercentage, 1))| order by compliancePercentageEx asc",
+ "isOptional": true
+ },
+ {
+ "name": "chartType",
+ "value": 1,
+ "isOptional": true
+ },
+ {
+ "name": "queryScope",
+ "value": {
+ "scope": 0,
+ "values": []
+ },
+ "isOptional": true
+ }
+ ],
+ "type": "Extension/HubsExtension/PartType/ArgQueryChartTile",
+ "settings": {},
+ "partHeader": {
+ "title": "Custom Query 1 - per policy group",
+ "subtitle": "Hover over bar to see policy group name and its compliance percentage"
+ }
+ }
+ }
+]
diff --git a/custom/dashboard/compliance/tiles.json b/custom/dashboard/compliance/tiles.json
new file mode 100644
index 0000000..fe51488
--- /dev/null
+++ b/custom/dashboard/compliance/tiles.json
@@ -0,0 +1 @@
+[]
diff --git a/custom/policies/assignments/policy_assignment_deploy_slz_confidential_custom.tmpl.json b/custom/policies/assignments/policy_assignment_deploy_slz_confidential_custom.tmpl.json
new file mode 100644
index 0000000..c059908
--- /dev/null
+++ b/custom/policies/assignments/policy_assignment_deploy_slz_confidential_custom.tmpl.json
@@ -0,0 +1,18 @@
+{
+ "name": "Deploy-Slz-Custom-Conf",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "SLZ Confidential Custom Policies",
+ "displayName": "SLZ Confidential Custom Policies",
+ "notScopes": [],
+ "parameters": {},
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/SlzConfidentialCustomPolicies",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "SystemAssigned"
+ }
+}
diff --git a/custom/policies/assignments/policy_assignment_deploy_slz_connectivity_custom.tmpl.json b/custom/policies/assignments/policy_assignment_deploy_slz_connectivity_custom.tmpl.json
new file mode 100644
index 0000000..14e2204
--- /dev/null
+++ b/custom/policies/assignments/policy_assignment_deploy_slz_connectivity_custom.tmpl.json
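Review bot: The sample query in custom/dashboard/compliance/tiles-sample.json hard-codes the management group name in `has '/providers/Microsoft.Management/managementGroups/mcfs'`, so a tile copied into tiles.json for a deployment with a different root prefix returns no rows. An empty compliance tile is easy to misread as "nothing non-compliant". `mcfs` looks like a default prefix, though the hunk does not say so. JSON cannot carry a comment, so I would state next to the sample, in the customization docs or in the tile's `subtitle`, that the `mcfs` segment must be replaced with the deployment's own root management group name.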
@@ -0,0 +1,18 @@
+{
+ "name": "Deploy-Slz-Custom-Connectivity",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "SLZ Connectivity Custom Policies",
+ "displayName": "SLZ Connectivity Custom Policies",
+ "notScopes": [],
+ "parameters": {},
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/SlzConnectivityCustomPolicies",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "SystemAssigned"
+ }
+}
diff --git a/custom/policies/assignments/policy_assignment_deploy_slz_corp_custom.tmpl.json b/custom/policies/assignments/policy_assignment_deploy_slz_corp_custom.tmpl.json
new file mode 100644
index 0000000..6ca8643
--- /dev/null
+++ b/custom/policies/assignments/policy_assignment_deploy_slz_corp_custom.tmpl.json
@@ -0,0 +1,18 @@
+{
+ "name": "Deploy-Slz-Custom-Corp",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "SLZ Corp Custom Policies",
+ "displayName": "SLZ Corp Custom Policies",
+ "notScopes": [],
+ "parameters": {},
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/SlzCorpCustomPolicies",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "SystemAssigned"
+ }
+}
diff --git a/custom/policies/assignments/policy_assignment_deploy_slz_decommissioned_custom.tmpl.json b/custom/policies/assignments/policy_assignment_deploy_slz_decommissioned_custom.tmpl.json
new file mode 100644
index 0000000..623b08b
--- /dev/null
+++ b/custom/policies/assignments/policy_assignment_deploy_slz_decommissioned_custom.tmpl.json
@@ -0,0 +1,18 @@
+{
+ "name": "Deploy-Slz-Custom-Decom",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "SLZ Decommissioned Custom Policies",
+ "displayName": "SLZ Decommissioned Custom Policies",
+ "notScopes": [],
+ "parameters": {},
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/SlzDecommissionedCustomPolicies",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "SystemAssigned"
+ }
+}
diff --git a/custom/policies/assignments/policy_assignment_deploy_slz_global_custom.tmpl.json b/custom/policies/assignments/policy_assignment_deploy_slz_global_custom.tmpl.json
new file mode 100644
index 0000000..323de10
--- /dev/null
+++ b/custom/policies/assignments/policy_assignment_deploy_slz_global_custom.tmpl.json
@@ -0,0 +1,18 @@
+{
+ "name": "Deploy-Slz-Custom",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "SLZ Global Custom Policies",
+ "displayName": "SLZ Global Custom Policies",
+ "notScopes": [],
+ "parameters": {},
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/SlzGlobalCustomPolicies",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "SystemAssigned"
+ }
+}
diff --git a/custom/policies/assignments/policy_assignment_deploy_slz_identity_custom.tmpl.json b/custom/policies/assignments/policy_assignment_deploy_slz_identity_custom.tmpl.json
new file mode 100644
index 0000000..bf365c9
--- /dev/null
+++ b/custom/policies/assignments/policy_assignment_deploy_slz_identity_custom.tmpl.json
@@ -0,0 +1,18 @@
+{
+ "name": "Deploy-Slz-Custom-Identity",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "SLZ Identity Custom Policies",
+ "displayName": "SLZ Identity Custom Policies",
+ "notScopes": [],
+ "parameters": {},
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/SlzIdentityCustomPolicies",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "SystemAssigned"
+ }
+}
diff --git a/custom/policies/assignments/policy_assignment_deploy_slz_landing_zones_custom.tmpl.json b/custom/policies/assignments/policy_assignment_deploy_slz_landing_zones_custom.tmpl.json
new file mode 100644
index 0000000..bb327fe
--- /dev/null
+++ b/custom/policies/assignments/policy_assignment_deploy_slz_landing_zones_custom.tmpl.json
@@ -0,0 +1,22 @@
+{
+ "name": "Deploy-Slz-Custom-LZs",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "SLZ Landing Zones Custom Policies",
+ "displayName": "SLZ Landing Zones Custom Policies",
+ "notScopes": [],
+ "parameters": {
+ "DdosProtectionPlanId": {
+ "value": ""
+ }
+ },
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/SlzLandingZonesCustomPolicies",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "SystemAssigned"
+ }
+}
diff --git a/custom/policies/assignments/policy_assignment_deploy_slz_management_custom.tmpl.json b/custom/policies/assignments/policy_assignment_deploy_slz_management_custom.tmpl.json
new file mode 100644
index 0000000..97594f1
--- /dev/null
+++ b/custom/policies/assignments/policy_assignment_deploy_slz_management_custom.tmpl.json
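Review bot: In policy_assignment_deploy_slz_landing_zones_custom.tmpl.json the assignment passes `DdosProtectionPlanId` with `"value": ""`, but the policy set it targets, SlzLandingZonesCustomPolicies in slzLandingZoneCustom.json later in this patch, declares `"parameters": {}`. Unless the generation script fills both in, the assignment supplies a parameter the definition does not declare, and the empty string is presumably only a placeholder. Either declare the parameter in the set definition or drop it from the assignment until a policy in the set needs it. The definition's `displayName` also reads "SLZ Landing Zone Custom Policies" while the assignment says "SLZ Landing Zones Custom Policies".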
@@ -0,0 +1,18 @@
+{
+ "name": "Deploy-Slz-Custom-Management",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "SLZ Management Custom Policies",
+ "displayName": "SLZ Management Custom Policies",
+ "notScopes": [],
+ "parameters": {},
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/SlzManagementCustomPolicies",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "SystemAssigned"
+ }
+}
diff --git a/custom/policies/assignments/policy_assignment_deploy_slz_online_custom.tmpl.json b/custom/policies/assignments/policy_assignment_deploy_slz_online_custom.tmpl.json
new file mode 100644
index 0000000..e31e6a9
--- /dev/null
+++ b/custom/policies/assignments/policy_assignment_deploy_slz_online_custom.tmpl.json
@@ -0,0 +1,18 @@
+{
+ "name": "Deploy-Slz-Custom-Online",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "SLZ Online Custom Policies",
+ "displayName": "SLZ Online Custom Policies",
+ "notScopes": [],
+ "parameters": {},
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/SlzOnlineCustomPolicies",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "SystemAssigned"
+ }
+}
diff --git a/custom/policies/assignments/policy_assignment_deploy_slz_platform_custom.tmpl.json b/custom/policies/assignments/policy_assignment_deploy_slz_platform_custom.tmpl.json
new file mode 100644
index 0000000..3a582a3
--- /dev/null
+++ b/custom/policies/assignments/policy_assignment_deploy_slz_platform_custom.tmpl.json
@@ -0,0 +1,18 @@
+{
+ "name": "Deploy-Slz-Custom-Plat",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "SLZ Platform Custom Policies",
+ "displayName": "SLZ Platform Custom Policies",
+ "notScopes": [],
+ "parameters": {},
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/SlzPlatformCustomPolicies",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "SystemAssigned"
+ }
+}
diff --git a/custom/policies/assignments/policy_assignment_deploy_slz_sandbox_custom.tmpl.json b/custom/policies/assignments/policy_assignment_deploy_slz_sandbox_custom.tmpl.json
new file mode 100644
index 0000000..67fea51
--- /dev/null
+++ b/custom/policies/assignments/policy_assignment_deploy_slz_sandbox_custom.tmpl.json
@@ -0,0 +1,18 @@
+{
+ "name": "Deploy-Slz-Custom-Sand",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "SLZ Sandbox Custom Policies",
+ "displayName": "SLZ Sandbox Custom Policies",
+ "notScopes": [],
+ "parameters": {},
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}uthorization/policySetDefinitions/SlzSandboxCustomPolicies",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "SystemAssigned"
+ }
+}
diff --git a/custom/policies/definitions/slzConfidentialCustom.json b/custom/policies/definitions/slzConfidentialCustom.json
new file mode 100644
index 0000000..d69f9ae
--- /dev/null
+++ b/custom/policies/definitions/slzConfidentialCustom.json
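Review bot: The `policyDefinitionId` in policy_assignment_deploy_slz_sandbox_custom.tmpl.json is truncated: it reads `${varTargetManagementGroupResourceId}uthorization/policySetDefinitions/SlzSandboxCustomPolicies`, missing the `/providers/Microsoft.A` segment that every other assignment in this patch carries. As written the sandbox assignment points at a resource id that does not exist, so it would presumably fail to deploy or leave the sandbox management group without its custom policy set. It should be `"policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/SlzSandboxCustomPolicies",`, matching the `id` in slzSandboxCustom.json.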
@@ -0,0 +1,17 @@
+{
+ "properties": {
+ "displayName": "SLZ Confidential Custom Policies",
+ "description": "SLZ Confidential Custom Policies",
+ "policyType": "Custom",
+ "metadata": {
+ "category": "Regulatory Compliance",
+ "version": "0.3.0"
+ },
+ "parameters": {},
+ "policyDefinitions": [],
+ "policyDefinitionGroups": []
+ },
+ "id": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/SlzConfidentialCustomPolicies",
+ "type": "Microsoft.Authorization/policySetDefinitions",
+ "name": "SlzConfidentialCustomPolicies"
+}
diff --git a/custom/policies/definitions/slzConnectivityCustom.json b/custom/policies/definitions/slzConnectivityCustom.json
new file mode 100644
index 0000000..05f8117
--- /dev/null
+++ b/custom/policies/definitions/slzConnectivityCustom.json
@@ -0,0 +1,17 @@
+{
+ "properties": {
+ "displayName": "SLZ Connectivity Custom Policies",
+ "description": "SLZ Connectivity Custom Policies",
+ "policyType": "Custom",
+ "metadata": {
+ "category": "Regulatory Compliance",
+ "version": "0.3.0"
+ },
+ "parameters": {},
+ "policyDefinitions": [],
+ "policyDefinitionGroups": []
+ },
+ "id": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/SlzConnectivityCustomPolicies",
+ "type": "Microsoft.Authorization/policySetDefinitions",
+ "name": "SlzConnectivityCustomPolicies"
+}
diff --git a/custom/policies/definitions/slzCorpCustom.json b/custom/policies/definitions/slzCorpCustom.json
new file mode 100644
index 0000000..099e5bf
--- /dev/null
+++ b/custom/policies/definitions/slzCorpCustom.json
@@ -0,0 +1,17 @@
+{
+ "properties": {
+ "displayName": "SLZ Corp Custom Policies",
+ "description": "SLZ Corp Custom Policies",
+ "policyType": "Custom",
+ "metadata": {
+ "category": "Regulatory Compliance",
+ "version": "0.3.0"
+ },
+ "parameters": {},
+ "policyDefinitions": [],
+ "policyDefinitionGroups": []
+ },
+ "id": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/SlzCorpCustomPolicies",
+ "type": "Microsoft.Authorization/policySetDefinitions",
+ "name": "SlzCorpCustomPolicies"
+}
diff --git a/custom/policies/definitions/slzDecommissionedCustom.json b/custom/policies/definitions/slzDecommissionedCustom.json
new file mode 100644
index 0000000..69a3b1a
--- /dev/null
+++ b/custom/policies/definitions/slzDecommissionedCustom.json
@@ -0,0 +1,17 @@
+{
+ "properties": {
+ "displayName": "SLZ Decommissioned Custom Policies",
+ "description": "SLZ Decommissioned Custom Policies",
+ "policyType": "Custom",
+ "metadata": {
+ "category": "Regulatory Compliance",
+ "version": "0.3.0"
+ },
+ "parameters": {},
+ "policyDefinitions": [],
+ "policyDefinitionGroups": []
+ },
+ "id": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/SlzDecommissionedCustomPolicies",
+ "type": "Microsoft.Authorization/policySetDefinitions",
+ "name": "SlzDecommissionedCustomPolicies"
+}
diff --git a/custom/policies/definitions/slzGlobalCustom.json b/custom/policies/definitions/slzGlobalCustom.json
new file mode 100644
index 0000000..b98b8ac
--- /dev/null
+++ b/custom/policies/definitions/slzGlobalCustom.json
@@ -0,0 +1,17 @@
+{
+ "properties": {
+ "displayName": "SLZ Global Custom Policies",
+ "description": "SLZ Global Custom Policies",
+ "policyType": "Custom",
+ "metadata": {
+ "category": "Regulatory Compliance",
+ "version": "0.3.0"
+ },
+ "parameters": {},
+ "policyDefinitions": [],
+ "policyDefinitionGroups": []
+ },
+ "id": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/SlzGlobalCustomPolicies",
+ "type": "Microsoft.Authorization/policySetDefinitions",
+ "name": "SlzGlobalCustomPolicies"
+}
diff --git a/custom/policies/definitions/slzIdentityCustom.json b/custom/policies/definitions/slzIdentityCustom.json
new file mode 100644
index 0000000..0e2a255
--- /dev/null
+++ b/custom/policies/definitions/slzIdentityCustom.json
@@ -0,0 +1,17 @@
+{
+ "properties": {
+ "displayName": "SLZ Identity Custom Policies",
+ "description": "SLZ Identity Custom Policies",
+ "policyType": "Custom",
+ "metadata": {
+ "category": "Regulatory Compliance",
+ "version": "0.3.0"
+ },
+ "parameters": {},
+ "policyDefinitions": [],
+ "policyDefinitionGroups": []
+ },
+ "id": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/SlzIdentityCustomPolicies",
+ "type": "Microsoft.Authorization/policySetDefinitions",
+ "name": "SlzIdentityCustomPolicies"
+}
diff --git a/custom/policies/definitions/slzLandingZoneCustom.json b/custom/policies/definitions/slzLandingZoneCustom.json
new file mode 100644
index 0000000..df8c51b
--- /dev/null
+++ b/custom/policies/definitions/slzLandingZoneCustom.json
@@ -0,0 +1,17 @@
+{
+ "properties": {
+ "displayName": "SLZ Landing Zone Custom Policies",
+ "description": "SLZ Landing Zone Custom Policies",
+ "policyType": "Custom",
+ "metadata": {
+ "category": "Regulatory Compliance",
+ "version": "0.3.0"
+ },
+ "parameters": {},
+ "policyDefinitions": [],
+ "policyDefinitionGroups": []
+ },
+ "id": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/SlzLandingZonesCustomPolicies",
+ "type": "Microsoft.Authorization/policySetDefinitions",
+ "name": "SlzLandingZonesCustomPolicies"
+}
diff --git a/custom/policies/definitions/slzManagementCustom.json b/custom/policies/definitions/slzManagementCustom.json
new file mode 100644
index 0000000..3993523
--- /dev/null
+++ b/custom/policies/definitions/slzManagementCustom.json
@@ -0,0 +1,17 @@
+{
+ "properties": {
+ "displayName": "SLZ Management Custom Policies",
+ "description": "SLZ Management Custom Policies",
+ "policyType": "Custom",
+ "metadata": {
+ "category": "Regulatory Compliance",
+ "version": "0.3.0"
+ },
+ "parameters": {},
+ "policyDefinitions": [],
+ "policyDefinitionGroups": []
+ },
+ "id": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/SlzManagementCustomPolicies",
+ "type": "Microsoft.Authorization/policySetDefinitions",
+ "name": "SlzManagementCustomPolicies"
+}
diff --git a/custom/policies/definitions/slzOnlineCustom.json b/custom/policies/definitions/slzOnlineCustom.json
new file mode 100644
index 0000000..4d12d86
--- /dev/null
+++ b/custom/policies/definitions/slzOnlineCustom.json
@@ -0,0 +1,17 @@
+{
+ "properties": {
+ "displayName": "SLZ Online Custom Policies",
+ "description": "SLZ Online Custom Policies",
+ "policyType": "Custom",
+ "metadata": {
+ "category": "Regulatory Compliance",
+ "version": "0.3.0"
+ },
+ "parameters": {},
+ "policyDefinitions": [],
+ "policyDefinitionGroups": []
+ },
+ "id": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/SlzOnlineCustomPolicies",
+ "type": "Microsoft.Authorization/policySetDefinitions",
+ "name": "SlzOnlineCustomPolicies"
+}
diff --git a/custom/policies/definitions/slzPlatformCustom.json b/custom/policies/definitions/slzPlatformCustom.json
new file mode 100644
index 0000000..1afe946
--- /dev/null
+++ b/custom/policies/definitions/slzPlatformCustom.json
@@ -0,0 +1,17 @@
+{
+ "properties": {
+ "displayName": "SLZ Platform Custom Policies",
+ "description": "SLZ Platform Custom Policies",
+ "policyType": "Custom",
+ "metadata": {
+ "category": "Regulatory Compliance",
+ "version": "0.3.0"
+ },
+ "parameters": {},
+ "policyDefinitions": [],
+ "policyDefinitionGroups": []
+ },
+ "id": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/SlzPlatformCustomPolicies",
+ "type": "Microsoft.Authorization/policySetDefinitions",
+ "name": "SlzPlatformCustomPolicies"
+}
diff --git a/custom/policies/definitions/slzSandboxCustom.json b/custom/policies/definitions/slzSandboxCustom.json
new file mode 100644
index 0000000..c5bf31a
--- /dev/null
+++ b/custom/policies/definitions/slzSandboxCustom.json
@@ -0,0 +1,17 @@
+{
+ "properties": {
+ "displayName": "SLZ Sandbox Custom Policies",
+ "description": "SLZ Sandbox Custom Policies",
+ "policyType": "Custom",
+ "metadata": {
+ "category": "Regulatory Compliance",
+ "version": "0.3.0"
+ },
+ "parameters": {},
+ "policyDefinitions": [],
+ "policyDefinitionGroups": []
+ },
+ "id": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/SlzSandboxCustomPolicies",
+ "type": "Microsoft.Authorization/policySetDefinitions",
+ "name": "SlzSandboxCustomPolicies"
+}
diff --git a/dependencies/Alz.Tools/Alz.Classes/Alz.Classes.psd1 b/dependencies/Alz.Tools/Alz.Classes/Alz.Classes.psd1
new file mode 100644
index 0000000..64921d4
--- /dev/null
+++ b/dependencies/Alz.Tools/Alz.Classes/Alz.Classes.psd1
@@ -0,0 +1,142 @@ +#!/usr/bin/pwsh + +# +# Module manifest for module 'Alz.Classes' +# +# Generated by: krowlandson +# +# Generated on: 14/07/2022 +# + +@{ + + # Script module or binary module file associated with this manifest. + RootModule = 'Alz.Classes.psm1' + + # Version number of this module. + ModuleVersion = '1.0.0' + + # Supported PSEditions + CompatiblePSEditions = 'Core', 'Desktop' + + # ID used to uniquely identify this module + GUID = '14f47ea8-53df-4b13-b7b4-73ecda225c0a' + + # Author of this module + Author = 'krowlandson' + + # Company or vendor of this module + CompanyName = 'Microsoft Ltd' + + # Copyright statement for this module + Copyright = 'Copyright (c) 2022 Microsoft Ltd. All rights reserved.' + + # Description of the functionality provided by this module + Description = 'This module provides a set of custom classes used for managing the Azure landing zones code base.' + + # Minimum version of the PowerShell engine required by this module + PowerShellVersion = '7.0' + + # Name of the PowerShell host required by this module + # PowerShellHostName = '' + + # Minimum version of the PowerShell host required by this module + # PowerShellHostVersion = '' + + # Minimum version of Microsoft .NET Framework required by this module. This prerequisite is valid for the PowerShell Desktop edition only. + # DotNetFrameworkVersion = '' + + # Minimum version of the common language runtime (CLR) required by this module. This prerequisite is valid for the PowerShell Desktop edition only. 
+ # ClrVersion = '' + + # Processor architecture (None, X86, Amd64) required by this module + # ProcessorArchitecture = '' + + # Modules that must be imported into the global environment prior to importing this module + RequiredModules = @( + @{ + ModuleName = 'Az.Accounts' + ModuleVersion = '2.2.3' + } + ) + + # Assemblies that must be loaded prior to importing this module + # RequiredAssemblies = @() + + # Script files (.ps1) that are run in the caller's environment prior to importing this module. + # ScriptsToProcess = @() + + # Type files (.ps1xml) to be loaded when importing this module + # TypesToProcess = @() + + # Format files (.ps1xml) to be loaded when importing this module + # FormatsToProcess = @() + + # Modules to import as nested modules of the module specified in RootModule/ModuleToProcess + # NestedModules = @() + + # Functions to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no functions to export. + FunctionsToExport = @() + + # Cmdlets to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no cmdlets to export. + CmdletsToExport = @() + + # Variables to export from this module + VariablesToExport = '*' + + # Aliases to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no aliases to export. + AliasesToExport = @() + + # DSC resources to export from this module + # DscResourcesToExport = @() + + # List of all modules packaged with this module + # ModuleList = @() + + # List of all files packaged with this module + FileList = @( + 'Alz.Classes.psd1' + 'Alz.Classes.psm1' + ) + + # Private data to pass to the module specified in RootModule/ModuleToProcess. This may also contain a PSData hashtable with additional module metadata used by PowerShell. + PrivateData = @{ + + PSData = @{ + + # Tags applied to this module. 
These help with module discovery in online galleries. + # Tags = @() + + # A URL to the license for this module. + # LicenseUri = '' + + # A URL to the main website for this project. + # ProjectUri = '' + + # A URL to an icon representing this module. + # IconUri = '' + + # ReleaseNotes of this module + # ReleaseNotes = '' + + # Prerelease string of this module + # Prerelease = '' + + # Flag to indicate whether the module requires explicit user acceptance for install/update/save + # RequireLicenseAcceptance = $false + + # External dependent modules of this module + # ExternalModuleDependencies = @() + + } # End of PSData hashtable + + } # End of PrivateData hashtable + + # HelpInfo URI of this module + # HelpInfoURI = '' + + # Default prefix for commands exported from this module. Override the default prefix using Import-Module -Prefix. + # DefaultCommandPrefix = '' + +} + diff --git a/dependencies/Alz.Tools/Alz.Classes/Alz.Classes.psm1 b/dependencies/Alz.Tools/Alz.Classes/Alz.Classes.psm1 new file mode 100644 index 0000000..d30a62a --- /dev/null +++ b/dependencies/Alz.Tools/Alz.Classes/Alz.Classes.psm1 
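Review bot: `RequiredModules` in this manifest declares `Az.Accounts` with `ModuleVersion = '2.2.3'`, while the parent `Alz.Tools.psd1` manifest added in the same commit requires `2.9.0`; because `ModuleVersion` is a minimum, importing `Alz.Classes` on its own may resolve an older Az.Accounts than the rest of the module was written against. Aligning the two with `ModuleVersion = '2.9.0'` keeps the floor for the authentication dependency consistent. `VariablesToExport = '*'` is also left at the generated default here and in `Alz.Enums.psd1`; `VariablesToExport = @()` would match the explicit empty arrays already used for functions, cmdlets and aliases.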
@@ -0,0 +1,584 @@ +#!/usr/bin/pwsh + +using module "../Alz.Enums/" + +############################# +# ProviderApiVersions Class # +############################# + +# [ProviderApiVersions] class is used to create cache of latest API versions for all Azure Providers. +# This can be used to retrieve the latest or stable API version in string format. +# Can also output the API version as a param string for use within a Rest API request. +# To minimise the number of Rest API requests needed, this class creates a cache and populates. +# it with all results from the request. The cache is then used to return the requested result. +# Need to store and lookup the key in lowercase to avoid case sensitivity issues while providing +# better performance as allows using ContainsKey method to search for key in cache. +# Should be safe to ignore case as Providers are not case sensitive. +class ProviderApiVersions { + + # Public class properties + [String]$Provider + [String]$ResourceType + [String]$Type + [Array]$ApiVersions + + # Static properties + hidden static [String]$ProvidersApiVersion = "2020-06-01" + + # Default empty constructor + ProviderApiVersions() { + } + + # Default constructor using PSCustomObject to populate object + ProviderApiVersions([PSCustomObject]$PSCustomObject) { + $this.Provider = $PSCustomObject.Provider + $this.ResourceType = $PSCustomObject.ResourceType + $this.Type = $PSCustomObject.Type + $this.ApiVersions = $PSCustomObject.ApiVersions + } + + # Static method to get Api Version using Type + static [Array] GetByType([String]$Type) { + if ([ProviderApiVersions]::Cache.Count -lt 1) { + [ProviderApiVersions]::UpdateCache() + } + $private:ProviderApiVersionsFromCache = [ProviderApiVersions]::SearchCache($Type) + return $private:ProviderApiVersionsFromCache.ApiVersions + } + + # Static method to get latest Api Version using Type + static [String] GetLatestByType([String]$Type) { + $private:GetLatestByType = [ProviderApiVersions]::GetByType($Type) | + 
Sort-Object -Descending | + Select-Object -First 1 + return $private:GetLatestByType + } + + # Static method to get latest stable Api Version using Type + # If no stable release, will return latest + static [String] GetLatestStableByType([String]$Type) { + $private:GetByType = [ProviderApiVersions]::GetByType($Type) + $private:GetLatestStableByType = $private:GetByType | + Where-Object { $_ -Match "^[0-9-]{10}$" } | + Sort-Object -Descending | + Select-Object -First 1 + if ($private:GetLatestStableByType) { + return $private:GetLatestStableByType.ToString() + } + else { + return [ProviderApiVersions]::GetLatestByType($Type).ToString() + } + } + + static [String[]] ListTypes() { + if ([ProviderApiVersions]::Cache.Count -lt 1) { + [ProviderApiVersions]::UpdateCache() + } + $private:ShowCacheTypes = [ProviderApiVersions]::ShowCache().Type | Sort-Object + return $private:ShowCacheTypes + } + + # Static property to store cache of ProviderApiVersions using a threadsafe + # dictionary variable to allow caching across parallel jobs + # https://docs.microsoft.com/powershell/module/microsoft.powershell.core/foreach-object#example-14--using-thread-safe-variable-references + static [System.Collections.Concurrent.ConcurrentDictionary[String, ProviderApiVersions]]$Cache + + # Static method to show all entries in Cache + static [ProviderApiVersions[]] ShowCache() { + return ([ProviderApiVersions]::Cache).Values + } + + # Static method to show all entries in Cache matching the specified type using the specified release type + static [ProviderApiVersions[]] SearchCache([String]$Type) { + return [ProviderApiVersions]::Cache[$Type.ToString().ToLower()] + } + + # Static method to return [Boolean] for Resource Type in Cache query using the specified release type + static [Boolean] InCache([String]$Type) { + if ([ProviderApiVersions]::Cache) { + $private:CacheKeyLowercase = $Type.ToString().ToLower() + $private:InCache = 
([ProviderApiVersions]::Cache).ContainsKey($private:CacheKeyLowercase) + if ($private:InCache) { + Write-Verbose "[ProviderApiVersions] Resource Type found in Cache [$Type]" + } + else { + Write-Verbose "[ProviderApiVersions] Resource Type not found in Cache [$Type]" + } + return $private:InCache + } + else { + # The following prevents needing to initialize the cache + # manually if not exist on first attempt to use + [ProviderApiVersions]::InitializeCache() + return $false + } + } + + # Static method to update Cache using current Subscription from context + static [Void] UpdateCache() { + $private:SubscriptionId = (Get-AzContext).Subscription.Id + [ProviderApiVersions]::UpdateCache($private:SubscriptionId) + } + + # Static method to update Cache using specified SubscriptionId + static [Void] UpdateCache([String]$SubscriptionId) { + $private:Method = "GET" + $private:Path = "/subscriptions/$subscriptionId/providers?api-version=$([ProviderApiVersions]::ProvidersApiVersion)" + $private:PSHttpResponse = Invoke-AzRestMethod -Method $private:Method -Path $private:Path + $private:PSHttpResponseContent = $private:PSHttpResponse.Content + $private:Providers = ($private:PSHttpResponseContent | ConvertFrom-Json).value + if ($private:Providers) { + [ProviderApiVersions]::InitializeCache() + } + foreach ($private:Provider in $private:Providers) { + Write-Verbose "[ProviderApiVersions] Processing Provider Namespace [$($private:Provider.namespace)]" + foreach ($private:Type in $private:Provider.resourceTypes) { + # Check for latest ApiVersions and add to cache + [ProviderApiVersions]::AddToCache( + $private:Provider.namespace.ToString(), + $private:Type.resourceType.ToString(), + $private:Type.ApiVersions + ) + } + } + } + + # Static method to add provider instance to Cache + hidden static [Void] AddToCache([String]$Provider, [String]$ResourceType, [Array]$ApiVersions) { + Write-Debug "[ProviderApiVersions] Adding [$($Provider)/$($ResourceType)] to Cache" + 
$private:AzStateProviderObject = [PsCustomObject]@{ + Provider = "$Provider" + ResourceType = "$ResourceType" + Type = "$Provider/$ResourceType" + ApiVersions = $ApiVersions + } + $private:CacheKey = "$Provider/$ResourceType" + $private:CacheKeyLowercase = $private:CacheKey.ToString().ToLower() + $private:CacheValue = [ProviderApiVersions]::new($private:AzStateProviderObject) + $private:TryAdd = ([ProviderApiVersions]::Cache).TryAdd($private:CacheKeyLowercase, $private:CacheValue) + if ($private:TryAdd) { + Write-Verbose "[ProviderApiVersions] Added Resource Type to Cache [$private:CacheKey]" + } + } + + # Static method to initialize Cache + # Will also reset cache if exists + static [Void] InitializeCache() { + Write-Verbose "[ProviderApiVersions] Initializing Cache (Empty)" + [ProviderApiVersions]::Cache = [System.Collections.Concurrent.ConcurrentDictionary[String, ProviderApiVersions]]::new() + } + + # Static method to clear all entries from Cache + static [Void] ClearCache() { + [ProviderApiVersions]::InitializeCache() + } + + # Static method to save all entries from Cache to filesystem + static [Void] SaveCacheToDirectory() { + [ProviderApiVersions]::SaveCacheToDirectory("./") + } + + # Static method to save all entries from Cache to filesystem + static [Void] SaveCacheToDirectory([String]$Directory) { + if ([ProviderApiVersions]::Cache.Count -lt 1) { + [ProviderApiVersions]::UpdateCache() + } + $private:saveCachePath = "$Directory/ProviderApiVersions" + [ProviderApiVersions]::Cache | + ConvertTo-Json -Depth 10 -Compress | + Out-File -FilePath "$($private:saveCachePath).json" ` + -Force + try { + Compress-Archive -Path "$($private:saveCachePath).json" ` + -DestinationPath "$($private:saveCachePath).zip" ` + -Force + } + finally { + Remove-Item -Path "$($private:saveCachePath).json" ` + -Force + } + } + + # Static method to load all entries from filesystem to Cache + static [Void] LoadCacheFromDirectory() { + [ProviderApiVersions]::LoadCacheFromDirectory("./") 
+ } + + # Static method to load all entries from filesystem to Cache + static [Void] LoadCacheFromDirectory([String]$Directory) { + [ProviderApiVersions]::ClearCache() + $private:loadCachePath = "$Directory/ProviderApiVersions" + Expand-Archive -Path "$($private:loadCachePath).zip" ` + -DestinationPath "$Directory" ` + -Force + try { + $private:loadCacheObject = Get-Content ` + -Path "$($private:loadCachePath).json" ` + -Force | + ConvertFrom-Json + foreach ($key in $private:loadCacheObject.psobject.Properties.Name) { + $private:value = $private:loadCacheObject."$key" + ([ProviderApiVersions]::Cache).TryAdd($key, $private:value) + } + } + catch { + Write-Error $_.Exception.Message + } + finally { + Remove-Item -Path "$($private:loadCachePath).json" ` + -Force + } + } + +} + +############### +# ALZ Classes # +############### + +# The ALZ classes are used to create resource objects with consistent +# formatting for all Azure resources handled by the ALZ Tools module. + +class ALZBase : System.Collections.Specialized.OrderedDictionary { + + ALZBase(): base() {} + + [String] ToString() { + if ($this.GetType() -notin "String", "Boolean", "Int") { + return $this | ConvertTo-Json -Depth 1 -WarningAction SilentlyContinue | ConvertFrom-Json + } + else { + return $this + } + } + +} + +class PolicyAssignmentProperties : ALZBase { + [String]$displayName = "" + [Object]$policyDefinitionId = "" + [String]$scope = "" + [String[]]$notScopes = @() + [Object]$parameters = @{} + [String]$description = "" + [Object]$metadata = @{} + [String]$enforcementMode = "Default" + + PolicyAssignmentProperties(): base() {} + + PolicyAssignmentProperties([Object]$that): base() { + $this.displayName = $that.displayName + $this.policyDefinitionId = $that.policyDefinitionId + $this.scope = $that.scope + $this.notScopes = $that.notScopes ?? $this.notScopes + $this.parameters = $that.parameters ?? $this.parameters + $this.description = $that.description ?? 
$that.displayName + $this.metadata = $that.metadata ?? $this.metadata + $this.enforcementMode = ([PolicyAssignmentPropertiesEnforcementMode]($that.enforcementMode ?? $this.enforcementMode)).ToString() + } + +} + +class PolicyAssignmentIdentity : ALZBase { + [String]$type = "None" + + PolicyAssignmentIdentity(): base() {} + + PolicyAssignmentIdentity([Object]$that): base() { + $this.type = ([PolicyAssignmentIdentityType]($that.type ?? $this.type)).ToString() + } + +} + +class PolicyDefinitionProperties : ALZBase { + [String]$policyType = "NotSpecified" + [String]$mode = "" + [String]$displayName = "" + [String]$description = "" + [Object]$metadata = @{} + [Object]$parameters = @{} + [Object]$policyRule = @{} + + PolicyDefinitionProperties(): base() {} + + PolicyDefinitionProperties([Object]$that): base() { + $this.policyType = ([PolicySetDefinitionPropertiesPolicyType]($that.policyType ?? $this.policyType)).ToString() + $this.mode = ([PolicyDefinitionPropertiesMode]($that.mode)).ToString() + $this.displayName = $that.displayName + $this.description = $that.description ?? $that.displayName + $this.metadata = $that.metadata ?? $this.metadata + $this.parameters = $that.parameters ?? $this.parameters + $this.policyRule = $that.policyRule + } + +} + +class PolicySetDefinitionPropertiesPolicyDefinitions : ALZBase { + [String]$policyDefinitionReferenceId = "" + [String]$policyDefinitionId = "" + [Object]$parameters = @{} + [Array]$groupNames = @() + + PolicySetDefinitionPropertiesPolicyDefinitions(): base() {} + + PolicySetDefinitionPropertiesPolicyDefinitions([Object]$that): base() { + $this.policyDefinitionReferenceId = $that.policyDefinitionReferenceId + $this.policyDefinitionId = $that.policyDefinitionId + $this.parameters = $that.parameters ?? $this.parameters + $this.groupNames = $that.groupNames ?? 
$this.groupNames + } + +} + +class PolicySetDefinitionPropertiesPolicyDefinitionGroup : ALZBase { + [String]$name = "" + [String]$displayName = "" + [String]$category = "" + [String]$description = "" + [String]$additionalMetadataId = "" + + PolicySetDefinitionPropertiesPolicyDefinitionGroup(): base() {} + + PolicySetDefinitionPropertiesPolicyDefinitionGroup([Object]$that): base() { + $this.name = $that.name + $this.displayName = $that.displayName + $this.category = $that.category + $this.description = $that.description + $this.additionalMetadataId = $that.additionalMetadataId + } + +} + +class PolicySetDefinitionProperties : ALZBase { + [String]$policyType = "NotSpecified" + [String]$displayName = "" + [String]$description = "" + [Object]$metadata = @{} + [Object]$parameters = @{} + [Array]$policyDefinitions = @() + [Array]$policyDefinitionGroups = $null + + PolicySetDefinitionProperties(): base() {} + + PolicySetDefinitionProperties([Object]$that): base() { + $this.policyType = ([PolicySetDefinitionPropertiesPolicyType]($that.policyType ?? $this.policyType)).ToString() + $this.displayName = $that.displayName ?? "" + $this.description = $that.description ?? $that.displayName + $this.metadata = $that.metadata ?? $this.metadata + $this.parameters = $that.parameters ?? 
$this.parameters + $this.policyDefinitions = foreach ($policyDefinition in $that.policyDefinitions) { + [PolicySetDefinitionPropertiesPolicyDefinitions]::new($policyDefinition) + } + $this.policyDefinitionGroups = foreach ($policyDefinitionGroup in $that.policyDefinitionGroups) { + [PolicySetDefinitionPropertiesPolicyDefinitionGroup]::new($that.policyDefinitionGroups) + } + } + +} + +class RoleAssignmentProperties : ALZBase { + RoleAssignmentProperties(): base() {} +} + +class RoleDefinitionPropertiesPermissions { + [String[]]$actions = @() + [String[]]$notActions = @() + [String[]]$dataActions = @() + [String[]]$notDataActions = @() + + RoleDefinitionPropertiesPermissions(): base() {} + + RoleDefinitionPropertiesPermissions([Object]$that): base() { + $this.actions = $that.actions ?? $this.actions + $this.notActions = $that.notActions ?? $that.notActions + $this.dataActions = $that.dataActions ?? $this.dataActions + $this.notDataActions = $that.notDataActions ?? $this.notDataActions + } + +} + +class RoleDefinitionProperties : ALZBase { + [String]$roleName = "" + [String]$description = "" + [String]$type = "customRole" + [Array]$permissions = @() + [Array]$assignableScopes = @() + + RoleDefinitionProperties(): base() {} + + RoleDefinitionProperties([Object]$that): base() { + $this.roleName = $that.roleName + $this.description = $that.description ?? $that.roleName + $this.type = $that.type ?? $this.type + $this.permissions = @( + [PolicyAssignmentIdentity]::new($that.permissions[0]) + ) + $this.assignableScopes = $that.assignableScopes ?? 
$this.assignableScopes + } + +} + +class ArmTemplateResource : ALZBase { + + # Public class properties + # Need to declare base object properties with default values to set order + [String]$name = "" + [String]$type = "" + [String]$apiVersion = "" + [Object]$scope = $null # Needs to be declared as object to avoid null returning empty string in JSON output + [Object]$properties = @{} + + # Hidden static class properties + hidden static [GetFileNameCaseModifier]$GetFileNameCaseModifier = "ToLower" # Default to make lowercase + hidden static [Regex]$regexReplaceFileNameCharacters = "\W" # Default to replace all non word characters + hidden static [String]$GetFileNameSubstituteCharacter = "_" + hidden static [Regex]$regexExtractProviderId = "\/providers\/(?!.*\/providers\/)[\/\w-.]+" + + ArmTemplateResource(): base() {} + + ArmTemplateResource([PSCustomObject]$that): base() { + $this.name = $that.name + $this.type = $that.ResourceType ?? $that.type + $this.apiVersion = $that.apiVersion + $this.scope = if ($that.scope.Length -gt 0) { $that.scope } else { $null } + $this.properties = $that.properties + } + + # Initialize [ArmTemplateResource] object + [Void] SetApiVersion([String]$ResourceType) { + $this.apiVersion = [ProviderApiVersions]::GetLatestStableByType($ResourceType) + } + + # String modifier for template languages + static [String] ConvertToTemplateVariable([String]$Variable, [ExportFormat]$ExportFormat) { + $TemplateVariable = "$Variable" + Switch ($ExportFormat) { + "Jinja2" { $TemplateVariable = "{{ $Variable }}" } + "Terraform" { $TemplateVariable = "`${$Variable}" } + Default { $TemplateVariable = "$Variable" } + } + return $TemplateVariable + } + + # Update resource values as per requirements for export format + [Object] Format([ExportFormat]$ExportFormat) { + if ($this.type -eq "Microsoft.Authorization/policyAssignments") { + $this.properties.scope = [ArmTemplateResource]::ConvertToTemplateVariable("current_scope_resource_id", $ExportFormat) + 
$this.properties.policyDefinitionId = [ArmTemplateResource]::ConvertToTemplateVariable("root_scope_resource_id", $ExportFormat) + $this.location = [ArmTemplateResource]::ConvertToTemplateVariable("default_location", $ExportFormat) + } + if ($this.type -eq "Microsoft.Authorization/policyDefinitions") { + $this.properties.policyType = "Custom" + } + if ($this.type -eq "Microsoft.Authorization/policySetDefinitions") { + $this.properties.policyType = "Custom" + foreach ($policyDefinition in $this.properties.policyDefinitions) { + $regexMatches = [ArmTemplateResource]::regexExtractProviderId.Matches($policyDefinition.policyDefinitionId) + $policyDefinitionId = switch ($ExportFormat) { + "ArmResource" { "/providers/Microsoft.Management/managementGroups/contoso$($regexMatches.Value)" } + "ArmVariable" { "[concat(variables('scope'), '$($regexMatches.Value)')]" } + "Bicep" { "`${varTargetManagementGroupResourceId}$($regexMatches.Value)" } + "Raw" { "$($policyDefinition.policyDefinitionId)" } + "Jinja2" { "$([ArmTemplateResource]::ConvertToTemplateVariable("root_scope_resource_id", $ExportFormat))$($regexMatches.Value)" } + "Terraform" { "$([ArmTemplateResource]::ConvertToTemplateVariable("root_scope_resource_id", $ExportFormat))$($regexMatches.Value)" } + Default { "$($policyDefinition.policyDefinitionId)" } + } + if ($regexMatches.Index -gt 0) { + $policyDefinition.policyDefinitionId = "$policyDefinitionId" + } + else { + $policyDefinition.policyDefinitionId = $regexMatches.Value + } + } + } + return $this + } + + [String] GetFileName() { + $fileName = $this.GetFileName("", ".json", "Raw") + return $fileName + } + + [String] GetFileName([String]$Prefix, [String]$Suffix, [ExportFormat]$ExportFormat) { + $fileName = "$($this.name)" + if ($ExportFormat -eq "Terraform") { + # Perform character substitution + $fileName = [ArmTemplateResource]::regexReplaceFileNameCharacters.Replace($fileName, [ArmTemplateResource]::GetFileNameSubstituteCharacter) + # Modify case + $fileName = 
$fileName.$([ArmTemplateResource]::GetFileNameCaseModifier)() + } + $fileName = $Prefix + $fileName + $Suffix + return $fileName + } + +} + +class PolicyAssignment : ArmTemplateResource { + + # Need to re-declare base object properties with default values to maintain order + [String]$name = "" + [String]$type = "" + [String]$apiVersion = "" + [String]$scope = "" + [Object]$properties = @{} + [String]$location = "" + [Object]$identity = @{} + + PolicyAssignment(): base() {} + + PolicyAssignment([PSCustomObject]$that): base($that) { + $this.type = "Microsoft.Authorization/policyAssignments" + $this.SetApiVersion($this.type) + $this.location = $that.location + $this.identity = [PolicyAssignmentIdentity]::new($that.identity) + $this.properties = [PolicyAssignmentProperties]::new($this.properties) + } + +} + +class PolicyDefinition : ArmTemplateResource { + + PolicyDefinition(): base() {} + + PolicyDefinition([PSCustomObject]$that): base($that) { + $this.type = "Microsoft.Authorization/policyDefinitions" + $this.SetApiVersion($this.type) + $this.properties = [PolicyDefinitionProperties]::new($this.properties) + } + +} + +class PolicySetDefinition : ArmTemplateResource { + + PolicySetDefinition(): base() {} + + PolicySetDefinition([PSCustomObject]$that): base($that) { + $this.type = "Microsoft.Authorization/policySetDefinitions" + $this.SetApiVersion($this.type) + $this.properties = [PolicySetDefinitionProperties]::new($this.properties) + } + +} + +class RoleAssignment : ArmTemplateResource { + + RoleAssignment(): base() {} + + RoleAssignment([PSCustomObject]$that): base($that) { + $this.type = "Microsoft.Authorization/roleAssignments" + $this.SetApiVersion($this.type) + $this.properties = [RoleAssignmentProperties]::new($this.properties) + } +} + +class RoleDefinition : ArmTemplateResource { + + RoleDefinition(): base() {} + + RoleDefinition([PSCustomObject]$that): base($that) { + $this.type = "Microsoft.Authorization/roleDefinitions" + $this.SetApiVersion($this.type) + 
$this.properties = [RoleDefinitionProperties]::new($this.properties) + } + +} diff --git a/dependencies/Alz.Tools/Alz.Enums/Alz.Enums.psd1 b/dependencies/Alz.Tools/Alz.Enums/Alz.Enums.psd1 new file mode 100644 index 0000000..73ce816 --- /dev/null +++ b/dependencies/Alz.Tools/Alz.Enums/Alz.Enums.psd1 
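Review bot: In the `RoleDefinitionProperties` constructor, `permissions` is built with `[PolicyAssignmentIdentity]::new($that.permissions[0])`, a class that carries only `type`, so the `actions`, `notActions`, `dataActions` and `notDataActions` of a custom role do not appear to survive conversion; it should read `[RoleDefinitionPropertiesPermissions]::new($that.permissions[0])`. Two similar copy slips sit nearby: `RoleDefinitionPropertiesPermissions` falls back to itself and should be `$this.notActions = $that.notActions ?? $this.notActions`, and the `policyDefinitionGroups` loop in `PolicySetDefinitionProperties` passes the whole array where `[PolicySetDefinitionPropertiesPolicyDefinitionGroup]::new($policyDefinitionGroup)` is meant. These classes shape the RBAC and policy artifacts the module exports, so a round-trip test comparing an input role or policy set with its converted object would catch this kind of silent loss. Separately, `LoadCacheFromDirectory` expands the whole archive into `$Directory` with `-Force` before reading a single file; expanding into a temporary directory and reading only `ProviderApiVersions.json` would avoid overwriting unrelated files there.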
@@ -0,0 +1,137 @@ +#!/usr/bin/pwsh + +# +# Module manifest for module 'Alz.Enums' +# +# Generated by: krowlandson +# +# Generated on: 14/07/2022 +# + +@{ + + # Script module or binary module file associated with this manifest. + RootModule = 'Alz.Enums.psm1' + + # Version number of this module. + ModuleVersion = '1.0.0' + + # Supported PSEditions + CompatiblePSEditions = 'Core', 'Desktop' + + # ID used to uniquely identify this module + GUID = 'bccc040b-857d-4ae8-bebf-31dd454e4855' + + # Author of this module + Author = 'krowlandson' + + # Company or vendor of this module + CompanyName = 'Microsoft Ltd' + + # Copyright statement for this module + Copyright = 'Copyright (c) 2022 Microsoft Ltd. All rights reserved.' + + # Description of the functionality provided by this module + Description = 'This module provides a set of custom enums used for managing the Azure landing zones code base.' + + # Minimum version of the PowerShell engine required by this module + PowerShellVersion = '7.0' + + # Name of the PowerShell host required by this module + # PowerShellHostName = '' + + # Minimum version of the PowerShell host required by this module + # PowerShellHostVersion = '' + + # Minimum version of Microsoft .NET Framework required by this module. This prerequisite is valid for the PowerShell Desktop edition only. + # DotNetFrameworkVersion = '' + + # Minimum version of the common language runtime (CLR) required by this module. This prerequisite is valid for the PowerShell Desktop edition only. + # ClrVersion = '' + + # Processor architecture (None, X86, Amd64) required by this module + # ProcessorArchitecture = '' + + # Modules that must be imported into the global environment prior to importing this module + # RequiredModules = @() + + # Assemblies that must be loaded prior to importing this module + # RequiredAssemblies = @() + + # Script files (.ps1) that are run in the caller's environment prior to importing this module. 
+ # ScriptsToProcess = @() + + # Type files (.ps1xml) to be loaded when importing this module + # TypesToProcess = @() + + # Format files (.ps1xml) to be loaded when importing this module + # FormatsToProcess = @() + + # Modules to import as nested modules of the module specified in RootModule/ModuleToProcess + # NestedModules = @() + + # Functions to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no functions to export. + FunctionsToExport = @() + + # Cmdlets to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no cmdlets to export. + CmdletsToExport = @() + + # Variables to export from this module + VariablesToExport = '*' + + # Aliases to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no aliases to export. + AliasesToExport = @() + + # DSC resources to export from this module + # DscResourcesToExport = @() + + # List of all modules packaged with this module + # ModuleList = @() + + # List of all files packaged with this module + FileList = @( + 'Alz.Enums.psd1' + 'Alz.Enums.psm1' + ) + + # Private data to pass to the module specified in RootModule/ModuleToProcess. This may also contain a PSData hashtable with additional module metadata used by PowerShell. + PrivateData = @{ + + PSData = @{ + + # Tags applied to this module. These help with module discovery in online galleries. + # Tags = @() + + # A URL to the license for this module. + # LicenseUri = '' + + # A URL to the main website for this project. + # ProjectUri = '' + + # A URL to an icon representing this module. 
+ # IconUri = '' + + # ReleaseNotes of this module + # ReleaseNotes = '' + + # Prerelease string of this module + # Prerelease = '' + + # Flag to indicate whether the module requires explicit user acceptance for install/update/save + # RequireLicenseAcceptance = $false + + # External dependent modules of this module + # ExternalModuleDependencies = @() + + } # End of PSData hashtable + + } # End of PrivateData hashtable + + # HelpInfo URI of this module + # HelpInfoURI = '' + + # Default prefix for commands exported from this module. Override the default prefix using Import-Module -Prefix. + # DefaultCommandPrefix = '' + +} + diff --git a/dependencies/Alz.Tools/Alz.Enums/Alz.Enums.psm1 b/dependencies/Alz.Tools/Alz.Enums/Alz.Enums.psm1 new file mode 100644 index 0000000..0343b3c --- /dev/null +++ b/dependencies/Alz.Tools/Alz.Enums/Alz.Enums.psm1 @@ -0,0 +1,48 @@ +#!/usr/bin/pwsh + +############################################ +# Custom enum data sets used within module # +############################################ + +enum PolicyDefinitionPropertiesMode { + All + Indexed +} + +enum PolicyAssignmentPropertiesEnforcementMode { + Default + DoNotEnforce +} + +enum PolicyAssignmentIdentityType { + None + SystemAssigned +} + +enum PolicySetDefinitionPropertiesPolicyType { + NotSpecified + BuiltIn + Custom + Static +} + +enum GetFileNameCaseModifier { + ToString + ToLower + ToUpper +} + +enum LineEndingTypes { + Darwin + Unix + Win +} + +enum ExportFormat { + ArmResource + ArmVariable + Raw + Jinja2 + Terraform + Bicep +} diff --git a/dependencies/Alz.Tools/Alz.Tools.psd1 b/dependencies/Alz.Tools/Alz.Tools.psd1 new file mode 100644 index 0000000..b08678b --- /dev/null +++ b/dependencies/Alz.Tools/Alz.Tools.psd1 
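Review bot: `PolicyAssignmentIdentityType` lists only `None` and `SystemAssigned`, and `PolicyDefinitionPropertiesMode` only `All` and `Indexed`, yet the constructors in `Alz.Classes.psm1` cast incoming values to these enums (for example `[PolicyAssignmentIdentityType]($that.type ?? $this.type)`). An assignment that uses a `UserAssigned` identity, or a definition with a resource-provider mode such as `Microsoft.KeyVault.Data`, would presumably fail the cast instead of being exported. If those inputs are in scope, add `UserAssigned` to the identity enum and keep `mode` as a validated string, since enum members cannot contain dots. Otherwise a comment above each enum, such as `# Only these values are supported by the export tooling; other values fail conversion`, would make the restriction explicit.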
@@ -0,0 +1,172 @@
+#!/usr/bin/pwsh
+
+#
+# Module manifest for module 'Alz.Tools'
+#
+# Generated by: krowlandson
+#
+# Generated on: 14/07/2022
+#
+
+@{
+
+ # Script module or binary module file associated with this manifest.
+ RootModule = 'Alz.Tools.psm1'
+
+ # Version number of this module.
+ ModuleVersion = '1.0.0'
+
+ # Supported PSEditions
+ CompatiblePSEditions = 'Core', 'Desktop'
+
+ # ID used to uniquely identify this module
+ GUID = '2c90f23f-c69e-4819-81be-cf67450c2e39'
+
+ # Author of this module
+ Author = 'krowlandson'
+
+ # Company or vendor of this module
+ CompanyName = 'Microsoft Ltd'
+
+ # Copyright statement for this module
+ Copyright = 'Copyright (c) 2022 Microsoft Ltd. All rights reserved.'
+
+ # Description of the functionality provided by this module
+ Description = 'This module provides a set of functions used for managing the Azure landing zones code base.'
+
+ # Minimum version of the PowerShell engine required by this module
+ PowerShellVersion = '7.0'
+
+ # Name of the PowerShell host required by this module
+ # PowerShellHostName = ''
+
+ # Minimum version of the PowerShell host required by this module
+ # PowerShellHostVersion = ''
+
+ # Minimum version of Microsoft .NET Framework required by this module. This prerequisite is valid for the PowerShell Desktop edition only.
+ # DotNetFrameworkVersion = ''
+
+ # Minimum version of the common language runtime (CLR) required by this module. This prerequisite is valid for the PowerShell Desktop edition only.
+ # ClrVersion = ''
+
+ # Processor architecture (None, X86, Amd64) required by this module
+ # ProcessorArchitecture = ''
+
+ # Modules that must be imported into the global environment prior to importing this module
+ RequiredModules = @(
+ @{
+ ModuleName = 'Az.Accounts'
+ ModuleVersion = '2.9.0'
+ }
+ @{
+ ModuleName = 'Az.Resources'
+ ModuleVersion = '5.6.0'
+ }
+ )
+
+ # Assemblies that must be loaded prior to importing this module
+ # RequiredAssemblies = @()
+
+ # Script files (.ps1) that are run in the caller's environment prior to importing this module.
+ # ScriptsToProcess = @()
+
+ # Type files (.ps1xml) to be loaded when importing this module
+ # TypesToProcess = @()
+
+ # Format files (.ps1xml) to be loaded when importing this module
+ # FormatsToProcess = @()
+
+ # Modules to import as nested modules of the module specified in RootModule/ModuleToProcess
+ NestedModules = @(
+ @{ModuleName = 'Alz.Enums/Alz.Enums'; ModuleVersion = '1.0.0'; GUID = 'bccc040b-857d-4ae8-bebf-31dd454e4855' }
+ @{ModuleName = 'Alz.Classes/Alz.Classes'; ModuleVersion = '1.0.0'; GUID = '14f47ea8-53df-4b13-b7b4-73ecda225c0a' }
+ )
+
+ # Functions to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no functions to export.
+ FunctionsToExport = @(
+ 'Add-Escaping'
+ 'ConvertTo-ArmTemplateResource'
+ 'ConvertTo-LibraryArtifact'
+ 'Edit-LineEndings'
+ 'Export-LibraryArtifact'
+ 'Invoke-RemoveDeploymentByPattern'
+ 'Invoke-RemoveMgHierarchy'
+ 'Invoke-RemoveOrphanedRoleAssignment'
+ 'Invoke-RemoveRsgByPattern'
+ 'Invoke-UpdateCacheInModule'
+ 'Invoke-UseCacheFromModule'
+ 'Set-AzureSubscriptionAlias'
+ 'Remove-Escaping'
+ )
+
+ # Cmdlets to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no cmdlets to export.
+ CmdletsToExport = @()
+
+ # Variables to export from this module
+ VariablesToExport = '*'
+
+ # Aliases to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no aliases to export.
+ AliasesToExport = @()
+
+ # DSC resources to export from this module
+ # DscResourcesToExport = @()
+
+ # List of all modules packaged with this module
+ ModuleList = @(
+ 'Alz.Enums'
+ 'Alz.Classes'
+ )
+
+ # List of all files packaged with this module
+ FileList = @(
+ 'Alz.Enums/Alz.Enum.psd1'
+ 'Alz.Enums/Alz.Enum.psm1'
+ 'Alz.Classes/Alz.Classes.psd1'
+ 'Alz.Classes/Alz.Classes.psm1'
+ 'functions/Alz.Tools.ps1'
+ 'scripts/Update-ProviderApiVersionsZip.ps1'
+ 'Alz.Tools.psd1'
+ 'Alz.Tools.psm1'
+ )
+
+ # Private data to pass to the module specified in RootModule/ModuleToProcess. This may also contain a PSData hashtable with additional module metadata used by PowerShell.
+ PrivateData = @{
+
+ PSData = @{
+
+ # Tags applied to this module. These help with module discovery in online galleries.
+ # Tags = @()
+
+ # A URL to the license for this module.
+ # LicenseUri = ''
+
+ # A URL to the main website for this project.
+ # ProjectUri = ''
+
+ # A URL to an icon representing this module.
+ # IconUri = ''
+
+ # ReleaseNotes of this module
+ # ReleaseNotes = ''
+
+ # Prerelease string of this module
+ # Prerelease = ''
+
+ # Flag to indicate whether the module requires explicit user acceptance for install/update/save
+ # RequireLicenseAcceptance = $false
+
+ # External dependent modules of this module
+ # ExternalModuleDependencies = @()
+
+ } # End of PSData hashtable
+
+ } # End of PrivateData hashtable
+
+ # HelpInfo URI of this module
+ # HelpInfoURI = ''
+
+ # Default prefix for commands exported from this module. Override the default prefix using Import-Module -Prefix.
+ # DefaultCommandPrefix = ''
+
+}
+
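Review bot: The `FileList` entries `'Alz.Enums/Alz.Enum.psd1'` and `'Alz.Enums/Alz.Enum.psm1'` do not match the files this commit adds, which are named `Alz.Enums.psd1` and `Alz.Enums.psm1`, and `ProviderApiVersions.zip` is added next to this manifest without being listed. If the list is meant to serve as the inventory of what the module is expected to contain, it should be accurate: `'Alz.Enums/Alz.Enums.psd1'`, `'Alz.Enums/Alz.Enums.psm1'`, plus `'ProviderApiVersions.zip'`. Separately, `VariablesToExport = '*'` is at odds with the no-wildcard advice on the neighbouring export entries; `VariablesToExport = @()` would keep module-scope variables from being exposed if the root module ever exports any.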
diff --git a/dependencies/Alz.Tools/Alz.Tools.psm1 b/dependencies/Alz.Tools/Alz.Tools.psm1
new file mode 100644
index 0000000..8a30180
--- /dev/null
+++ b/dependencies/Alz.Tools/Alz.Tools.psm1
@@ -0,0 +1,23 @@
+#!/usr/bin/pwsh
+
+$ErrorActionPreference = "Stop"
+# Set-StrictMode -Version 3.0
+
+###########################
+# Import module functions #
+###########################
+
+# Dot source all functions located in the module
+# Excludes tests and profiles
+
+$functions = @()
+$functions += Get-ChildItem -Path $PSScriptRoot\functions\*.ps1 -Exclude *.tests.ps1, *profile.ps1 -ErrorAction SilentlyContinue
+$functions.foreach({
+ try {
+ Write-Verbose "Dot sourcing [$($_.FullName)]"
+ . $_.FullName
+ }
+ catch {
+ throw "Unable to dot source [$($_.FullName)]"
+ }
+})
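Review bot: Inside the `catch` block `$_` is the error record rather than the file being loaded, so `"Unable to dot source [$($_.FullName)]"` will most likely print an empty path, and the underlying error is discarded. Capture the item first with `$file = $_` before the `try`, and use `throw "Unable to dot source [$($file.FullName)]: $_"` in the `catch`. The loader also dot-sources every `*.ps1` found under `functions\` while `-ErrorAction SilentlyContinue` hides a missing or unreadable directory, so the module can import with no functions at all, or with a script that is not in the manifest's `FileList`. Loading an explicit list of expected files, or at least failing when none are found, would make the import predictable.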
diff --git a/dependencies/Alz.Tools/ProviderApiVersions.zip b/dependencies/Alz.Tools/ProviderApiVersions.zip new file mode 100644 index 0000000000000000000000000000000000000000..4ed6795425c3e80886a771a91deb8a28bad0506a GIT binary patch literal 117014 zcmV(@K-RxdO9KQH000080KjQ2Rlf;GMuf-#0O1V|02lxO08nyoc4=f~azSuuR%LQ? zX>V?GE^2dcZtT5jbK6MLF8W{k^Xq{~ZPxjw#qL&&Wotx_`^LF(KR^UTVFVIv0Ft1o5SRn3ZB;s5)~^k91M=HU3v!Q{=lEuX9M>o5P` z|NS59j=R2T^F^7dfAjgg*{u35tE;Zp2RVMTGbt9{oWeV|@zlXA2k&#{UI{K4-r`i= zBKwUUOx_%v*#~d!gA@C}kvXytruMId?>%i*bOTecz$ehj@SO%NPJ)vM@&)+sE9`*3w`20zyUkDK`xB4-YrZO~ zZr=RuVZ(1OtD8Caq<`1#-ivnO)BRus&BOI%GP?=*JcHZS<2*R&JOgh|_@f@~B73OX z@@rn#?WShetKVo_cAL5zH!HS2vXO#b{72b1yktijxaf~iFUZ9Xa|<~0`x6eEqK<=C zX(m8E=?{yHe4j_iqbTw|f5_)-NljVg z{NOY?>h;M9K8n7U_tuQlGWDZc5^CS?Fv*qdFbsl6@N zbtMn#YW1|Y+1vnMdrz}d+M9@bJg~nysrK&t~ATn zW)v>kX0z_>GsG+^!M-?P;iHS7Lvt(y9J@;7X&(i{Q;bdjS&H#K;bXRX&ifM3%7Zt; z-rZzseMR9r13I6GaeS8Wy@`))as+&Y{R+?Pu2#Ip!@1YP z%A@~+I-AgxOZNyx@z&rp6a|=u9@=4A26z(g<|1- z!#L*7lY2%CNWrqDPnyR7YFC5WdjxH|k8HK=NGY}6x0AQ!vh3Mpw|Z#vu5UNTX#vsHl;JAdcxMqd2iJ#1tpVB_}GS^*rj zXnJZ*x|SJ?jrzCd;Dk-b)~L|m!cyE*6GsHItn-N@E|o(77;{up}@uyI2r7_weP~-9Sx(JEsU5FFwfWdyy{=FR^9koJ)q7W z#8OACt7Szz#Y+VhK1Gdvi(`L~*pP3>zrqw0NR{L}^I_pXwRd8KCEDtwT(M8NSuM%2 zdan@-{KeTdq(wq7B)PEY`-U-?ffuYJc|2=rd{T3l^6G781sS6l;<_RDqb*& z8!mBm5e_g10$Lg^>C9^kZoshDWBnGM486iDwtFv&=jB(nDnEDY$1-Uvb*Tlv+z7#$ z5F{2sa0UTE;vUV@;Ny@csnFJQfUit?b5O1GI)1;X(qFC5YjVf+(e&dsj4SE3>OJu` zVdLW$4($Upm|@~<>1-8j2vv~#JL}-sJ~*-uoCydRf9(5uD*JVv&r2Cz^2`?F{Jt)m zhX=~ub2G>RQ#p?g(LkRh5Ew+`_8p4gzLtBo|M#~yd~3!7WS$=9Rf-ZV_Hr{W@Z06} zSVh_qP6(<1RTyWq9b!W-^u-0S7ojpaf#)F5Ei$<9^pHV5S$nkXGC-Q7G0~vIKspYf zPmm9gx5xl#%Xz~l^%oOCHmDBw>^*MQ^R`Xif7~fBJe15wziiu-9fuDbTqTSHKBI{- z=)C0K%>W_+DjNE9it2NVkSA^#^A#f=`y)~#wflQ?Qj)6`4jAinkZk=~s zHRqPzO?1>#F=fyTyp>DqWfA|iM)B(Ka zi@90{3_bi&uy?!IV(k|&?-k5@2J@N25IO)R@E6qu?D6XCEX-cOw(wYvfipXB5)ZaK zv-b#Z?S8y4OluUq1#Oo_=}(5qGxb#&ouE@JnpgN0L@Yf=Zw>=zIDdRo@FcyapSq*y 
z&>2#pPZu!_AHpZGp%&`(+`Vu-c9ijtz!^Tk&T|?@V(^pB2nyVNfh9#4{700oWVn3<_sum!th>dtdHZ|Yiwx8b%X z*&b4^p36%M05UjPeYs5|KJkh7K@gVir}E`FXFG%xE$Hv%%NO2utmdQT611IRA{Z5% z9T?maG^PVcId|p=;YRWzNA*dg6`?i;t}o%v%K4_{?$NH#S4G|y)MqW5h7Wy^1;5sy z2V&S@gPm!~c_!k&*>_#P{F}R-@;O^%x^+`m^NLDq<+9;L3$Sw!>{f$8AHi@9gcxFC z#G~}V=wu=YUfITw^w*emEH&*FdH^njpY96Xd%A@TFpB8|@ofl8wSC4MKoK?7YO$$v zG3rbthx+4>P1EPmF*6$w!bjyp{)0nOBWFfjk1q^{9uTI|`+CDh58GIz%$paw@z{y; z0_r6tZrWB#-sJWAG1ptViTE!3JP~nHwo7=YO5xr0JsOzQcV`KVeP7Z>w^{RWxGehB zN_*NrMQi*9pzF3Jvz+)wr&D{?0z-yqe;40c@z6tVeCgJ8-t&lrl+nodNFTJ|tr8qN zGC`1d+#c-FIPnuC>AWDRF0K3R^Mrh)lzbpUCS1S#J<9(;i<)m>l9%{c=5?QxcCK&g zHz6^0#&e|;QkG9`Jq!4zo;LSo%a*jVn>VY6YO#@cS^2FmSM*l@??&{}77cI7!UFR> zK$y&t!i;C0hiK|qft(PK@T>4`_DFo|{IQ%rMWQ+I2v#AD$M{@2z2Jd8ScthiX;frw zy0Vn!vp|jZ_+ESgFVkI)|KaCTaB_B^)|x$lM?MYqdB55Esog4+nM8>`y`Vkxjq9B` z=zkcVL{b!@8=v2$d^M?IiEiM0m%SrDA|y_c1VN}+#>FTiF{n9_Ymyp-n#1`eNEB+0 zpt(P+j1pe#99LInDt$WUeFd}1HY=Dx1FNB*bO$FlB;P%k3!%Q4t!P;(q0PGS*Hu?I8I zLJ{Ep0*u7e`V!4GlW{{qL~OoZyW0onh#QMb!;V9|uJt;ylW<^X9xU{_Jj5&l5RZL{ zrEjJXkHr%+BgA7t%4M2ME6ty|Q!=HFLU0q;w}?P^b~4Dx=!3B7YvjQX7kQu$95zuW zDZyczbGD~Jx}7-~Iz6?oAY`Vq4&K@a4x`(VeK2(DQI|SSEvp|tVehSdaB3getf)Lh z^}rZtOwcGy{pRzL1h#lJ3CQ>duDEBzpLy3c^D1tZR~R=&F#I?XP}o8r;9=JUEjP!c z^$j)%=bNJHc`6I(&`z@g3#>bZm2CR;q+a!0XyE{ddFZLA^QTg{{ke}PmHFWV6FS#I zW0%(eAZBI-lZ~B;;y5YK)1`UYV$obVd@JOl88-bC}1&6Z-&;X+87bGaNOKzI@nV7uRbXMZ!sPI17hI)%0_=M74P>A9A<3FPddut&+yW zb@TaBN&~wX4mZmk3Wu#zw@R6f-0e245N)C3yT`43jq-45CN9L6p(znn5N2wvD zab}*cpj0pE@gW9@G@&r*a9|8@MsJ*HIMf*9UI!$ItZb80LhaBCL!!cgPW^FJLr?DU zJ^btRJ!1M6hSPP^^$Rvu2QB@1N}Eh?rNrzXAJFZ=^AvoQu5@NMMpzoAXLQa|S1p(d z+A3dDLh{N?2;3>x4)J|~TNy_^lzlUIC)MOY@0O&x8U!QsR>BH(h((v)H@#l4 zhCjJ?Nd&0S5$a8kE?xKLHx~=?%A2McE|nZf3!5(-uesQB3 zyqxXfMXuZC+eYxTfT~^4nT~?FG@ae@&Qkb^hJM0(NQeDyu66g>@|cX#yt35u zTzl(6;e(WNqBv@1dwjWXt3qo7&wRffr*-*F2whr2;Ug?5YL^foD^uuQf~R$W zm)Dr*^GD7>S5#E!JZlqP`<)O1Bjq`!{uxn!EoYw-?c$L_L&iPVTIW?PaKka|XbQI` zpi>WT03bI`p>?Ea7FoV%%aWdAu4GfdBr?b%_7Ja!==1b<3`7(MwAmYBT~FHnrJ2{E 
z4Pl~vo!%ny8iiH&*mS++UaiYn*gkMRwW;-WS)GCj_zB+~U$%xE>3Lh`oQ93q&aQ#Dj8Goj z#)3T&#>kY<4h|*aUdOu0iTA1cuDMuQOO8-lh3W>E7{#VFOod` zm$GSiZ?tzvi6uCL(lgAN#@Q~a72BzG8$u0?Wtn?0@l5kT0Hc37aTAHf2DzQP$Nq*{ zoD9V*${63_KS*GdR{Rg1)Xpqp=IMcQN&;9FOLWQcketdAm|A= zNx0qb`TZmm@C2VBU9HnaMg{_3EU>{|aYvi{n@yJ+xl>~&^SW&N{)HmW$A^2xeP{B= znGJf*K|jABJo+>1n&RSkAVgqF{Pzeh=?|=Vctc4<(jWYuNET`6>%>_a{4lyr-$-wu zo0g`mwVZElA?%afcu6h2=LQH=fCprikbG{CuN5*BT!&m8fdOv74skmG6ySjR`VyAu zq<{z15l64(Pyj?46dIQs+a_rB9V)#$WS+8lcFqe#4a0?EYyr#h(qL$b-k8{brEG6N zxRxhXI=U*K&w&hKdQ1qRn06Q78Nv&2=bex4lW?h-ZRM3DM+3vC9HP|hclxrzvjSm2C(f7WG!>` zeb6EU#COPz;yiE5d|jn{DZd#3_U@>`0*wz>I36|Z`IxjBUA%0+=nAw>La7t>b5+(5 zd0-W5XAkbgY$e~~;-aHd%2C5mw}4W#sUbFRy50(T zOfj}G2`bu=&Zu#v6S!ax?77uGu)d~}#rdXxY+9W)**0}q*43ht=C*GBSQez^1+Vndm-sE6E0EmR*t+vDHOlJFp&1lRC|p?ff|NFHpjK)*x1fM8j08h+U+k66N>_ffRWC9|02P-hJ4~?hN%g0|cmFovIc@3lurgdU**+es(LrcI5I{g{$VsF?#dE%z zmqq``1BTf5)~h{K+4tPyvNKVT!v8GrZw>xT0{RxU0 zM50hzLI!)KV3QI=pz9(4!0j**1fXqtYIEPTV<_A&wb0m2N&t|Q{0~-n2yG^A$lGZ= z*Fgt@r{|fQ*zxT$&3$p&Y9xbh^oC281GQsjhT5P`Fbv5XHh*3&lQ{}!^Dj%FG|87Z zL!pq&!iI>0_rR^D`!!z`RX1<`_ORhiGg-A-&V6Njq9nK9R#^#AesE*D5`+;zRLo~d|>-*ixbMd+fS5TfedGKHpKW!dTbv!f%kR{yqjX= z6q?0j?Va#?G>D#vj_1}*>i`LrcVpo3uy@C5>bN_dR3>8Q$CJ>85yy_$*CGlI;9~;J zLvt|Ln4a~R)#!J>N4xcZDjO}>`#sbf?kG#hm%P-C!-qg;OkP60pz&eTaOpS-m=Jx{ z8KfKwLqMQO)F`wgGPP^=$Ni?N3;7f_Yo4C9X>t0Naf#a;{({5LM1y|{_AYJJ5-ER*14n;Lo+4R0ym0#I5ZeFbx z%cdy(*A_}*8|d{ODNaiAII zsc`!SME+B8g3!9?>^*VfNY|6^q>$MOTo#&m5r+r9B5zrnPGq{XIXDWMr)O%B;S**& zZW}ydc|2mF6IN4DH6`L6sO>vjX4!@3Lq<`TlSX}Vp`brA|dKNQfdr*qc_3LR0}gk`#0YqZ*ftCZOHMFRe8}%p0+DG;g#`lljwm!?>X%pn^yGU= zX2g1twC47!X4xBu5w~=$*Q5(E7GN6%j>p|5K!B4tvGfEVX8N3lexm>uF@=4^uOK>O zy&BwKllA|^$@**?u-vRF`CVk?GOubg1<2|Uy6#^7rephA9Raz8D)Ub+j|M`H(`Rg~u}Y2a%Y?#g=XJ9wx@x(u z?SLuucIA(r-3W^x@k4Acx$sONQx8FPb?J1a%tSzV3DHY<{ZUX*|A!a?2a0JOeD^hH zGkVYZ>%?%~hCteenhj7iJv1ux-N>IUk{@;z?4cKIEGj`)n(6& zxI|swqHL=ro3LA%Z{5XdGyh(`eBsE{j4iuTgVYqU&|Upgc6Ck>Z0cTu>mLCc`I`NR zlBAN;!uMr!neAMIS|DCooMhDZo*=u^9Ok;Olhv7s3p+)N`5o>#Vv+f85UYk!Mu92B 
zv1B;&t!)N?b{C;}j4f3nciJuE>dYRySj-r_NQVCCRBrX-auSSaX+S@XU2T^FB4cvh zcPt;0m;^trct~P){JyluA)rYO?ksQFRG-g#9V~^r{I}xA^F`=>y*H-bMT9k|h9U4V0*!SGL#&p`3L&tP>d7k8wp5^&$>@3J-Vh-nM zVY9rg^1@c18J;-L#&cg$n-r-RaQUkXQvVnLKUc^e#m0iKMT=6JL{wXFb+Br=ZrZ;5 z#{auViXjR6PQY%(GZY8-DU(zjm$Q?x0@U)JS8!BCQYr7tYv5ZNS!zTBZC7Yy65(-( zvg_@UP!GDhD2LuCo$8e~&p5<(qsy&Mb`!*I2m=a9OtO9X{PR-_-ivtb3l2 zhwH6M>VuRD$C0eb`H90^gOitskof}Oj6HobeTyxbmK!8rEZTCxE#f-!e_8e|%|~yo2hoHr_7pMUM3U#3*7;QS>pGv8oE)uexif*Odz<^Z zVte1VlV{nPIw#jc0|VS9NBB(Qf(xT}Wif6yH^(gF zhxXEan6P9!3*kV4k(>m9xQ5*rE1pNxFoorz*&)PAf?RWuln5)QIhrvU%kxp+NL{U- zL?z2e3F&Y^gqYzyD##D4lbO>AT;tgpF!(i(g9D$?nLlg*Bb7x+?yZX4{3t^(QZ~}8 zH5L{U*-jhDgeY#NLmp}~fg6SC6uTP;e~&>ddVq zO%@rHz!iXX%uA{7Om!uvR{ta=D${fg)eT=KU|pzZ(! zg{lt<1?+!(vZQ7L6K?Bu&iAPn71$QsUoOy<0V3GGaFMb6UgdMS>KAQQWZesUI7_xe zqxLiJc=KObb6{5^@tum~lt9A<>m`RR>1WZip~|0QrvDh2 zAlV4Y7s5*2^|9T~XV&H-hu(CremMtmiLH)?%u*51_#+^79C1s<^U2MFp1zr2m6~}N z#&cd*Jfvk@(1npgLM*J`f0%%ZKSiZlT`7(Kn|H)&k5)wElII<~s^41Zs?E<*;S3C& zkT#j8@@4;_5)%6F<;yOi5fKoore3&@hMuG`B!*N?>>BdAS!C*8nx*MdHUidqEsYQ~ zUHZMi6w_{U(JB6#=Z|^A3H)S0AxZebTZR{Gi$Z#BfIlJ$h$lc`5e}*Pe((nZ~?LE)3-X<>ZlN6;smz3DNPxuw2#OL|^;`2vmdoqeM>XJ*7 zJEc^js7vTNQrV#blP11q0t!~lOOZyjt$hWZ{)N4hW!2Gp&1CZJ0R7fNA3?|+!2wCS zrvSUG?c=d54up9U_Rd+GfM&(6$81^C2)vSAcR@ezz7(5TDaZZndlan`7Y{3*7=ep_G4!v~LPFl0Pl@hdiiE5C8bd+}*2p~U&D-{;2 zjQt<+#ff2cw9-#ca9z$0_+;;%&74Y2 z;)(5SqK^y%GXC>!z`OJCBH^H<&&_Od^(@K^#e|#bQ7YhrLZ=RA~^cuq$FPpgrtoeoC*z~B~u(e5>ejJ&xcsZ`0qGvL=La?U-dA;L_!{y# zoAEh^A}42Vo0^A(mC>k;8v%loI0#hEjd&?hZ#gOzx#0k2QTeeRc*GAQ^PuvYeOj97 z>3jHOWH;x$8%^4@n|~%55Z!?Tt{1sEshp|->3Iv>t#YFgk``ntdBH)0u7}KEm`cwL zU|aG}P5>Ta&B$uL#Zx~hKr-w(LG6d(Cwv%)iL^r4x@-OBe%?n3#l{>y!#yg$(OZI zcIc|cqe={j{yv-jWd8h}>F;*vZ*0whF~~@^%4iRp_N!@fo@({na951p1*+dU19(wB zRI7^qfRlZ1+EeEBJM;RzWBp!P{f_X;ZQa9n^VcPNIlZ!N-@(&)=PD)x0&{ObdY9J8oo+<8|wIM#(N|U@07>1l6&A3D8k{%v; zO^E5jVUT(Y`0iX10MJhAkToNe%wCNQH_M-JD{IaL$*#^V^f^g2p&zJZJP)6+0U-Dn ze)IZ5RvrBh(Zyry#_2< z2=WnyCr`n7OHRMyzb06Qt+SMC8JT@S40Q5ET1U7bq2~eU91vYRuuDa$ZQ{!HUNz?} 
z)#7b*UOr*f`BOPCFdLPNdu7J0Y_j)x<5GeNH3=kTFc$ zYWX>blLG9BC97RLKFQ%jL4uWb;iiMidubD4kdhrK^M%?4gFI>I5jhxPYBe^lkD(yX zLrrof?W$oV(t{J|B-=k9SO=3+U{0J)foX6WrvFWB{+3~DhjT#+@@g3bYyONn-p@@_ zKnpOxQ6BemsNa~Y{e(RRXKAoLH!ncerS9Qgv_RYGf zn+3H;OJF)xV4nxDB(76PY%gr5godeq67fIL5i~}fEL2+&vqKFkLU+V4zJsC|jEEF{ zF+LO`YGW`4qFf21Uw-rOAl%4XWi35C2v;tpizKBjDV(u+O9!gRjvu~Otpptx4-Dg} z@N?^oL&r@;tr-bm2@;@IlS>yA3|8~6i4q@^E=RfaU}gJ&Ob;Y0gzTvz2&I`}0z0wg zM?(f;BYk|t05RO70Rz!oy}wYrfVKw6#c!K;XUsAxK`ZI?wfO7v@u+J;?51zsEhT#& zUXJ>v4(qSA1GDN5MffuTVo#2%5QACjFf;$WL06XGXOT7 zVFd-)p(dcq+eB!m$qv|VbKlL|YP~0CcYr^0@ON>(`bcQ4T4(#}&q@>Gp=qy^;n?3M zfLlMHOAV6rm1$JMKXsXMRp=J~5L)14GpmrygYY$`4srMjli(gog zm|-|mOIP(}mpwLJ&)q)v)v6%tHiNt^0|pN)y3iO1iwoNNr{i?-Orm=yc%kasI!D?A zwQYS{=VvP|99ZY=Yrw>|tZzG5ai&3Tt~ePgLVSiO3z>Z){<~@lIvz|)AZaJ!^hW^! zD>;^Q<}^lF2Ym%k=0hAI-=p&T@F3vK`aAk|XR_^#wFN%T;YaGtS{NBD0xm$#H+1N) zMu3It%x&gY)OO6Qj_>nGlUSo(VG*o@Xw3OKpUaFFlg!$*JeQ6QntHzB@$C;%7Ul5tf=H{g6~vg+-eMx^AuwgA}Og6LhE|DY*HzHEA5bs0*kr$`-V73Ts>9IER!sP=9Ej%ON%gyPASi zrVY>?ZTlTll~?n!#Y6Q~Oz-LZ-A+INVTbl`FU8ygH2Px~XOF34InRb`L%VTNaf{ z_Tro6hpO(WEi&Rgxf3X61N>g0poCp$`*?K#XKP^_Wbh^2wILo_i;KI`OtDGWb?P13 z^KNRLg@lZ(Y*F@gv*1DDdri*bxF4DY5BMHEEkg)nQ?_`JVZBNGv@dnzvETD0)C=m6 zoI@Y^fEtgUM3ggcS8k^VNMqP@)m0H|0jj}x;I~%%zXbm>fD@|SIG9(D z%Dz1++i`#B!Z}4*mwoB}$_CgXHmbHJ|Ii&@iHEK56!qz?LarSC+PIQCNzvsECG~uqQ)l-2osKdg5S(*FuJ% zV7y+=>H%8q!j}YTkFki7^oVOTfF#8#dl~eXP`d^T51AT&MM!$2e;Y)#88tX#9$F;U z1m3G>yohcq)8Q1)EB`BIjL_Tc@G)Kwc((?RvP5X8EGCJBtK)-1h4R*_9({_!>z1$| zt@gU&u^p_KAJDm$?Ok=`>+mNLE8X;H!0WyF4UUC2KWA=B)K3cfm_TjZ{)&glF;i>= zA@RFsn+Nt;uxZHrMclb=0^Il@4c#}?3+gb%g1Rks9cf4mO{n6eYzHS(uq~aUmsh&u z_#6rbaU~&?iU!^B?a*J)c#jzqE_qMh=VCs2VJltrPcM}%Dm?pLS$M3N5boT`Ose!^m`4BBr4db!Sw+kTNd>?vJX7{CB=q7M2K=F!GqQxWw=A!Gx_xD$%e`yE2@r5G4GG&1HM@e2Mg@{Rk(1_NVlYl^ zn~k^#?Pfm_kL&Q4!G4U!cKJj&%d&fXUdzDGRibJfCBxyMUtG|HaOwBZuplJk0KX%)^;|FwD0{W(Px zn{XZ}TsrnG`N0G%)1GN;{=8gzL3Vw)T=Qfw!Xh^RvRsBw!>yV2*}y=CFpiMn0vHJ# zT9n)(cG;{8^6E)a87&+kj~SZ%XGvlLZ550F1V;ccI!U@@UrozaOKyf&gcDn5 
zOAlC=1}mO64NJxIr{R#~b=!QamR0{EiXJXS028lkJw7(sAl+)DUnLR|q)f>C38IyK z(|9v~VtOr`cLn)yid*Bt$QZ(6@2S(AtiF6k^RUXhwaRsSmYc(qV?FAP5@M?H;)Wb1 zriUu7eGE8|T?c^3YzbtEonX}7f|jtWy3k07o4A!of;AAj1z$W`C|u5ub}qQJKM+Qf zL1W|_z>}b0rl_@Sts(8QOV-UYkz;Tvbq#Nz>qshS=-V8FBv9<-iiNzLbMwMh z6*%O2+Rm?}eFC+Mn7g1#x!GVDEt}}J18HlZ72BB*F{N31aocjiX%m|Eg|7{DB|a_o zffadMbl|V5Vj}z_=ko75x=Ii3j2;j#4dM*AnBmvU@M4A^&#jB0JlWs1TX4D!-IKbC zJCeN0pK!C{kXgQ3H9a_Mg>vB|Mu4bqs*fAd#|P2J4i01xEt;yE5cO&HP0!1( zIcw3aAIsLHCB_rVwD^}BAwCo0sF{XLECZpkP!joiLuVW5IWI*qaQ1yQPwd|X&uYWH z=dv-RWeMqDg*4O{yK>@P!$gzE1o&5^;(086!KVsL`Dvh)-1rSFw(mvgT0s|>$#!@ z+m?CzRQAG>nKcg&W!tkW=p;FQ_sEwGah9E_a~X%huA$2+wySCTYRPX7_p=yiV5`7U zKac3^dMO_y;Fj_3U>j7V0y!K{ZYQvMU;7ZJvSljk+WihMExbrlD=GOM(_6PA1!MYt zTg_9dKyS?nCcB6fd`_hVgTPW5!SwzyVQ-CY7wN6_`>=^h7WXatWFIJp(cVIf zhpzS*TWo_SrvfIJYrD;w&tCY53Yw;kD6$8%a1`mEK0|C)LQA~$P6Ep>FXGL2Et&qq z3?4;gR+kO2UF3DTFPKz#|GoO2oSnLI8YF04Y)33K3kWL9p;@whrD7w_Oy!2)wxqbWqUBXa;&1 z)Zwe4p5_Te2!=rcP*4;dq|8P^7>_u$Ll6Bh=HdGUY#P#MxmIIhyQ1vU`>1~+2ThY= z0`>5qYl=`oQU$p3XQM*R>t@4th^EX4H+E-EcPzd!Q|M%8-i7l?3_XfP{|(K?Q9*03dc%s09d^55jn1 zX|kMR>dhHs;W1f#Dwa5Gf$;VnoCPPrY~qO@@+j2>z_L04oJO3J@GO`Q&V2e26=;0m zpX4o%f|HXs(?eto&3R1%8P6z5TuQb*N-KPGX+*=}GGIlE++0FekW|n{8QQ{kuYYss z>&2NN4^kQB;LK+Io5z38&V&GPT?RhZ6U!?s_5^l@-90T^9-;;Tx* zr0MXf6P99Zj^MsRkxC7>$#vHMg1*Ny7ugTYyiIHJ{^I8ZoqZsQ6 z4{c!>mlg)h=P|Q-bXy|~h{%dBcVNM9XldsJs}5DtnKta4gZ&^2*?+H4^F3#?c(ELz zxSn{yn%=z3{_!Dv6j~P228~!Yv;w(0L$?)7yYR;*U-g@1!c_JT*)qId($l1*B7P>w zTdo~=*ha<4_-~uK99VUt37Zkp0gg8C;!v5I=fPEga^M7llDD9>;<~!&_fs)$KuWJ0 zhswNGj~fnvPt2?V|EhZBGGz-O+q3OJxx=88AM;#5C9&-gLdZnw-9Hw%qORQyoQv5- z^hr8|jM#g!h}jd zGOIbr>uv43i>iAP#-{D|-CX=uh)4F_cEgeTZfwD1zb`8`F%$(EMT4)CE&#ba`b~eB zuOoF;+|NRY#d4O9)x0hf^vogXQi_b+GW+6@Ei=ssWXCkhNQv?r|8H_K3>nNQ5#I^K zlzf<3a5bpx9>W*&KCknqQsh1H)h5pD#Pd}?Fp+aD0&HaonuS1|WP5^b6VBv!OgfPb zp` zNZg@>hqM8~l}-o{!O5)Bb;a~NcDp2tn;S~ht(rgPt3|2v5i=cKDNhsgtN2|f6#|=I zT?Jm@K*QL9$U+Hl`35~fjw_c~(+3j!t$eUJt9?yol0eH#a2?4hC_fDEy%oAQB!%Na 
zd?MMp9Kqc}#rC}mIt*j=Zm|yO;J+QA(Ht!E&>amlP~YfekAy)U22`h2ij4(KM~lYd zz5bN~p7ntfB4Q`>|ID?S?F9wU|KHlTeQIApSP#rPaPrD+HNdI5W_5aE->J7nwfZ@+ z`|&Myr}n{#eUMn8O{u$-=5Ls*#DBYt9dAQbWlK}sRBpQ;nvBYetz+|Up0KOC;q69l zheLI)6zDljg1Oc2@nL zcnV$r-&#xkU;;iENDIZd@E8_@!LnVDxQVvCXZv%i&feCs;iiWR)x!=U;Q-dCNN}2h z+Fm!YF~te>l_MnK)4Fax|qEjHJcH z?91VOd3h?}4Zg96(Rb-?{}~ z-I&$d_7FUGNc`&4ZD5PZW4o7Bx-mZDG z;FHXAY39QrR&^*ks14rKs-|%8dC>>v6gqbX7+mN)%;4I5hzOOk&xGl$c}K>SB8)i` zzkG4WhUBKsWvHpX4l(n^!`7op>qqq8o@i57U0dDl{dP5csHbd z!;y`Lb_ccux#orJE<9irss&&Ly`Bbfu0rF`bS2Vq0hu#=FKLd8H!DO2|y$tubyaIw@h0j1O8WnV#DEBE$*8 zm=LRrm&}pC(WokU7#)Hq_qve`Ho`0oV$~tiDT8@heC6FG_h<)R!?GQO3`EPhunz1ZuJ6Uug2lLNx7$nn- z64)iD3`ovcH(kGAlcYnCue;6bvNfp#$*yjZl5s0>!E}zWqjTPo)=^Rdzq~$xYmY&q z0H;7$zd0h_Q<9X6GV{AyuInTdj$}s^Y1%U(gzkTk4>SOXl~ILjvKzHLGa36tg}y;e z4hOJF)ekQ94(J29!ee+6_Nm|}?q{9k>vg4DXh~D5d$*f*}HuFoD;IBt%_&jY!%dBFWb!ipQMC`LDXi>LF?Fx+{y{avqGo znsJe_vzI5H;KgzVDVSk481WQ?0_wSwJ0!tmxy5cw$q{=m)8bE1oktJCsXL&ooz~mL zZP(XoRWx7OlC?=8`<0E~&Hfp_0GjRB2-0cTatc9d)P#L$UL{q$;Y}~E0Wv7^LbX_w zmH6N-Kvv@=rHcCR#*8Nq`!=6Hl||fsFRRDnHHReJX9-7I?Omh{6$FX8i0UicQ2mh4 zdD)Q6`n#JymP@>7FE=^Amo3AaDuy3t5(Y6^zqk7J1;YFA-AztG(IC%^cG}td3Sui^ zSHF91)?L0SD&fs5d-2b1`CAV9r*(I(&}RxgHJ57(oS%Qwff)Mb4vYKtYF-j~3-i8@ zKpFMJw%}ywS=6|(1j%V*-Hy0 zRy;CnPqE@hbVg@89x*6bo~p;ZEsI6YFM#wZ#y!3g>Q@7m=2U@nQ{MMK4Dz8(G=a)=;;8P2S#5;v|5x1PXP#G?XZUiW+ z2-^c!&t*}yrQ8_bPv`o8q@fevsF1zVvcQ5gonKjC=(q0TWPw=nC!dh1A8yKrilk5# z2YCITSfh@wbBDpGn?~(CCQ;L`cwfkz$}N&M1EeoGwv9IloVd&noy<9y-94IZebT%h zfFvqkudVx5PSbMrT(!-Le`O=eCa>4jYf#Yd2I#c<$cjb9p)C8D5$ZRCz^)G17!Z)aQ*qI#>q$!o)p?#W77}+2K25L`iQ@r)OVU~9N8&Ie# ztmzdMvjpJn(_z)Q`5hsj>Lv{K#e|V_oQrBrsWbLZ#dajzOs;1*(cM@@lV4h?I@D(~i zCMnS)cvzz!qImRX`ZjI*y02~P`0Z-SHdW>9(AuX-Ypa^2CirSvQ4Ta(ursEHreMeQ z(KHlrE+q{S%5W6rQwu>Gcl@{Z}GmywUP<-&TcwSXRbk zH*dt08)1mU$BqC-pQV+*ICFYJ`P;yeWOtHng^9UP!^FEovm8%=;!#rB15O?ro|uW} zn;qWX6e7!+9s~QPX;|!zsw`gK3;KRGlUTcSwlij`RK;r-&@9g&O|rs!7vSA7Je2nN z_u)!t$sdtK+4q_{0sL>#<;bBha{}wXLj?lmN3*UCbY*&~{L3m|cctJ&QqICBUTiQz 
z{w<}#q2a^eB;ZKDBpGn0eIFtR#$Od_Y8=1g> zv_gs$3wr?j=N8+AOKcbJFeqTF&*x8%^U72djRb4)=D%HD0~(-~M+3E#XlAvHCocqs zWi!1wX~d8T0JhRs&X>t;jt^y7+_P(=>X6Z&Cr5d&QQ%5sH-4{Hd(>1GOzDwgi`at* zG+lp+18au3{#IvU2a}|nY&$2V;J_r<$;`P^vp%00^YxK(u>>qy-DW8X+4^#o(>qPm z7TB{ZVVE;3=p$um304#ESwW-Flw6U8Y*k6_Zl3dee)f%f=QCx{sJMOPA>S&VMM0{1 z+cVzP%*{*wirB#I0{WLoeb|P!cYgr~XramcWz~G$LvhLcDk;3n0WXzW36dOL zP>0h)wSA`k?W_4y=yD921B2I<2V(t^o)FWalLZN8oQQChTkj-LT7hpYS4CN9M_V@M zTiNB{W|t(ZCI?A)R?v6)PNC_9C_o7n@E?45yA}9~edH_=2ua5Z9sj}-Wvx=ES;|e= zDOdCMWvy(Ay)gdD5Gx*dZ~TATChQF8w;EjrPjPe;4}#5kTj2cVCck|VGP=vV($SG+F>Nm&MxZlJC^_ycg z9HXTsVC|TkFnkT0Zo4G&03j*v+qC^l?7sdpaoqRis(h&WO<&b2kEq)$mw6jafeEte912HYT!Rg-AD-@D0v%&Z!UjyBNe{ru6I&E}8g{D~*? zC6y??;L_AYD&TlE_gGQl3+Ork!F?t3x{g?fB?qr@r>9iMRqL={IuoZu8v~G5+Lo7p zHTP_)A!}4nHWns+F2y6(6uaSHUI7HR4xV$vPG-$`3DFQbZ9;7AP<~oT|eP%S_lmMQBTIXF~&9h~*s(2_UuARz;;bSn8 zkZS6qCoA4kSq;MS0BwAN(6fQHpijdmu&lmugK^H4tc<;ez7l~D?4fsY0!l7>CuIQz zMS`76Fp_%G!pTrE&^ip}m^#{?!+;IWM^ijXTgSdj19ru}RJIlTwhcq2M7UnxY6K#l z9ccR};HC69#!4QFy;-w`zRav0mZHVQS;mCiKZRWQlmQ@!XUxKY`cA2C0w%)}OA`-} z<+-Y|$V8XjZ>qZJG9CaeBUhLnFfu+?!p%as3k`>a$EFDWFwwDKFpV5*=`8Gg2lQ0F zjPdr2B46kDe=lDW{XG=tI*A1O7qQfMI+rVj@sHOsFRFa8;^EYDtwrxj0O+D>jTd}Q zARizqkCtk}Y6+?ua4*ga=r?Pwbi|7a-YIE%WH30saf5CzK=Q9c34%TYGGNxPl{msc z9<7*|W-9mVCZ-zAU#lltn;Bz*9{!XWMOpM)q|D(1+OHlOS~t=RU;;~#57qp=6jZw)*Fyv z{><0wTDf!_>H7IQP0drBX^~(A!X0spC-#}8f zP@V8eud#~`vRhBFhNlp%JD33rE~*ckm9R3W@C&Qe?Y$BS2OCW=?1?87;Bcacf`X68 z7bQ#}%NN_bjHcBS`*?1ixOoAM9v*C%?+$O|4WfTtFaWsYJt4*m>QX|~DfRDH9(qtZ z3=mOI0IEVM%-=)I8^TBM(Y+#C`cGg526uq3)roefPUP8{*&wQ$oYS4?pnTWH_x zj|!Aq2n!_gcjK{rVpsP3eW)z!_MvT7Jk~%kTg|I=Uhp&#ia0Z2ugLoN!1_?R)9riJ z$F1n&dVOyCNZK!sK>M>zgm`qA@=yz&j9sf%CSpe7$fDAy9e#Ayny^|e+N!V=CQ0~; zJL;c>eX=Sj6-|<|LN{u}GoUpRfjBt3oPoykv_oQ@kXz&cYUz&>(A|h?>dvwjv~VIN z&it-n>w}+=9*UjHM}f>w+*r#-&x@hp8a{jO{M@YbyjY7w8?pf8or19{1fY|X#68c8 z+W{90LUAF3EAtW1h;K`O@WP|@$*3br{lQ&aecnB_8@@KNGeyZ75{B*sr<4bMr=hPD zbdrNA4gy9VI)fhFvcwm9YG*>O^wtK1TTWhLmEH;G~$K!jnV!c&XI_v%}Gw$(g0c9EMZHAuv1WqzGsm?>EtMy 
z03=e>JKIqvo>Iw_oh3Wn^6y4&qVO190YSRUBqmcwmNSldWiX*2T@Nm!q(M!Sa0W;U z-vny~!r@EXC?tt*+%hqi#TTg8v2J?yUgzaw)rn|N!^?1X3yi`4o3VR)m zjRzyS4^YGwXpdtwd{M;Aqi)5V2w1cwvpf=_NaeoCx?_6tCYeLaqM|rMr3kt?(-_wX zS*RnPxvkSmoymjr!e)S8Z!%&N)_i?`V>kDAKp$vfT1#bisD~UIk&{m8DbY!0A;%Jg z+IxsH)5nJS3Fjd8?cX>xj{W{z-r~TipX6L?HvK*O5{ieaEx+bY6s=#s+>n-ku8pZG4fwh#*OOqkm>;GKaSEGVvx=vC*{Zn&5?$t-p=cksp{4TD~&H>sFA} zmb>A{ncc^)b|3Gk8Wwg*=Fw>X{kqMz0t?uK38TQk5^5DpNa6Y*Xi2To2N8ykp?5@P zSHe=#>hAlI4~GNC{B~&nGBF3jV0L(5J?BHLHkley+*xDS5v;l=e(K-Nic$@wET>AR zv;_{v+x+ilh3J6;PKJvias>|H6g$-cC% z29w=k%MInhubZ!BdtW7Nt8aPB3xIi=+*B*6$d+0x$d?cmmf&{7586_BF(hkHG_l(0;UBz*+o1== z6?BCV3i+wkBe1?((6Mp>XE_gE>$q2#ZTGpchB6Qd5nxd?7`GY&Gz|GYTCFkbYM7A( z)%3x(J#Xo4h+}@&@u++YvPb`bhUL48t=s}}fWMMudb>PM&5@W12Y>fimbg25>y%EY zlO3`ZOG`HtsEyPoET^lP-q=I4OV|NoYq1bEVjh zVmE&P2%&JxbeftuVrs1GwMb9FUqz%Arw@0l;GzXLalt=zRn36NZHsKKIDOl=T&{q$ zZCoZ7P1Qyuh_e13Q*uG>b?<>A9Xc$pZrt#@|)$5>=Y@G=1CSP&UPj>!OBm z*Mj+0l0XDAFHrX|jGz%D<7{S1<~vUao4MqeY{p3;Jr84L2tq=B-_Nx!@ zXi>Yahg(5(Y9H9%MysDK>n$eM01+pB7MoN)$GlipE4~cmV~R74Aary(Na1q9869I# zJEb70RLm}4**!YOv?!(VEC&K9a5S9ect&0Yx)qpWHbc*+Uo=am3W$A&PJx>9oV*84 zF|~tdU*dkWaW8G$xPL#6u(Owc_@MN`5ol_*4fOm4>{3{Q%coVAa9aMAOr-Yg9Jt7L zt4ddt&&|5?D;Vt2TFyH7wC?=E16$e6$3Xr3!voH4o7c^zFmZ;wI)`E1*hj%>0Y9_h zuYLHmBGY4m(C}gN7zr!DJ-5EgEgRc=7pX<+AeX>^l2C}w={2R;oG|_QzUsWF@+DFy z-ES6Na8M#0MMelYQT1(0z05j@Wd5Wioa~8;!Uw!c=b@lQzXu6L->j>7|3Vhk#pBe3 z^ye3>X0C}#bK1Sep;^10adBw*dd(;2y5f^tzUi5kCIWu93O!k`FAdhY!J^jJCMgmH z#)Ynt3{07d6#A3E=b;=SL<&9T*DY6UZK!$ZfbZ({Dq-#J-5t8}J+yajkt=wzhkd+b zK$FXl23Cx~B^-pT&4t@HGka*z^k6*hK!ocn&1s4uxyBu+41Y3JB z=7@w8{?PNfRccc9wY*=m#d&j2)Sc%7cS>IgZ~yo5{&sWER(No+aD+3vEgjt-uq=+Z zT>{Po8R{qX#EO0MBWU?$Y~H0%-GnGL@!+)l0ZbAtzcHGnIEr`m3`3UJlBD$7vTgV>Q-x&N7S zB&m+*EtpFj5R`GSewI{2=$;F`3L_W!Cb43SUgiBxiV{RlEcctvj>{5u zgi)0~)hc|k0T!|(U_74cBK6vcpj6rz4C?0LW5sfn!GxpkiCw5BQC5YQ6ZE1hDfq<^ z9IG3FAZf($XW+h7#%~-4y0I`0A_C#wMwr3@4SOOp^+Ob~mlB#Y@|)=0Jt-zs|KzFG zZ6woCHIECVn)DTmyj&rwNcP!7XZM!AE`uP(_Cu5V_P%kAjnI({PCC 
zs!kMP%BZAc2P31=i5R3u;g~qVdDHb4f8(NDapY3+ot6dvxh;8J9byyG^%Q;MuL|-? zLGt!@5)#~z*k~Ck95*633nDdvTP})tB`n*a5#BFV?rH}1lX@q#A#o_s_DB7^srhr0 z0Zc;@61DQ6h1&k8zu0K!78+Twjg$j@K#`DLT^}$ zgO@rlp7|d||Jar}Pf=7vwNc{-_(T-^bpZcaz~35p$|5owu5%PnJjlSO&1l(Tnr+yd zh~Dk3XdB)z7pCszcIbn=QiQ0=i2wux#KO>p$*HI8#tZ7jEJC3)v=8&(K=V(^bwq4E z|J71@A{2*>$@$acyi%@{7wI>__pn@M#$|rH1PBQfh^em^Ze4Bp%x?~cYJh$WVx{u~ z)7i4#mc(=zjYro231R3%)1N&0T$!4I*gZcxlx>H(wle3+d_&ASm#QW3wP{f>1JuVS zxRhnpUC6R7$II~Z1gN!)?e9EfBu7-9G|jXbFFfNe_`}bhIwVKJ@Usr5Mr#W56?mUo zs{q_iagB*a`1Fpq&-fA496Sq*EwA;SQhi*^u{l1z^w?79U(5TftNL<8g3a&cJ@7sU zj7VzD?{1F?Ni~Q5r{q{EZ0p3ab>M9*oe#;fK0s!A*Ou;cSx>Fc$PF&T!_E$^(dWjK zg*wTxEqm-TTUyuXtkF)<>0>v3%^LcCIcg_b8dsF*-BOBWCALF~*jBt1pCsI< zx)H8mbTW1Qq=+$K82aUE-o6OanA-d9Y7~H=Z#DGz3ejmGKYx6^UZVcP=@)pqnV~c; zi(FYmI`M$NN9vi?*|{=n$j)|4LmLD8U5#&cxkst-iXu+h7`?xO>=InmW73fp+f-#w zgL(bxps$W9_pZ!(^Lo>X*wa;0lyqo)q}n?U7%lcriK1npAU`VPD+NwE!937_00IX5 zcpmUI6UIKX*NwZE&|NL*S_<%?iG<#qy7Pl)phl^0*lPXlWsiw*p27JRqqn)`{ce>n zw}&47q!SJ@W>ZSup`$iZ^$zG`M;nXsCZuq1!>)t~1-FO(-*qAok)|Twah2D08S4E+ zm}+FZT=dw;QVau3$RA$)-V(R<0brMunF3qw%4LZE&O31lGkW(8S$Ac?%QTXPq(61z z3*z*8{R`jmrL0xgs5469{6pao6Tr3G^B}Qh=8HZVF6Ef65Kg&R1QzP&2xe^1{S$7D z{Gt`!c&xfjUU&Vbs2W}F5cLb%jlV z1M0{pn-0zuMoJO+02HK?ck!reLUR4zn%fOMFQ+2()i{-T=&L`?8GgRu4Y1L$=KntC z-Qza3RSnQ*1@v1kxHN;izYF{JL|$vI4hIqD1-+D!l*vk$t-2?+N|qf-BaLd)O!{0) z6N{JE4vWi}+AEfc(k2p>?93o{kvh|fdve9H4uG6m*QTTmINO?#jC|B$WVJ+#5<0gB z&U1cH@UY;7nIWO!70DU_jCE&th=%oBc+&Z9FypVY@?%rF^_z9l|7-v{>h5KguREu7 z`ych_x&ab|n&%nnn6d%TRgI|{K(nHc<=WS^)SvUZDn#^r&E|ji*Rrk_RfOYmS3drk ze<4@mLav=(-&q&3J7@nEU4q-zczpX~nb-Z}oNbHqb!CX&c&_kL8zUQH>iNxxv;Kkg z7Q=(wiCCIoVTwvN0zTVt(8}51?OGHH7;S%Bc_LfLP{OI)Nw0+Hob?1LGEB_$* zu*k5HpO1-gSoiG~BS(T#*6E$%CGFFRkvysg)V6^91(ZM!9SK?Z#no!2Ygf%8U>RWlLq@fB<1T?ZXfN$ zxDrgP;e#0I{&C^93BrW@4s;%{E{It^R`a?X%^Et?v6KMeGZ?`j>Vu7B6Qxpp^YuEx zGkm^Y6G{Vg$>$C(!Q&A)lMe0Km+%6~geOrR^m)1+i=s$h5(ri(AED+_$Zh`1aR*R67#Yw1uG9|!#uyF4N5wC^DG%s1=&_0-)>7|lu zIVWb_B$oP*ZhsLb`d6dik7N|o2d`C- 
z_E`mK-Fz+E`^v7yrw#rhUq$>%M3}PQF950mt9YIcTX@e?M|5)_>{R@e#RPHFE0X%& z3d-47To9W6?ub(<@Loe~e*}}5>ED7B`7M*?)6(FLE*hM1zT@wmCC}EFO`VG%X|s|p zo1!Ev#Ir#rd}TfeNZpP1xy7D)(>JST*=)L^d@k!|&G%9~LWO-n%aq-?k-r+`Z5X2vkh0^iTX~}=PQbDuCGa%^5jd&6bxwCS^NlC|K{tR|sA3rvNl6nvm9F-9``K)z3ZXS$sdyUt(u7-EX~V^iQaw6)5r@NX3U4hm|36jw)W zMP$Ul1)@WC9L6AG;-E%k_dmo{G6pxMv(G3~|C*80=l8WCc#kDw%%pJmOcd(5gKEW6 zVo4Y?_o`6&9g5{e>*Ik2JsF_QuR@m;(obwh)7}7lrGWKKLyrkG@{tgK8gpOFb%)#W zd}|$I6S1{t{t<3t9kDfEi9y*(pw=is7yhv1glH9>pfV;+`F1j8hR%L;Frt}^Uh6+; zRw6zfZ%;k|8UD5-bL8oD+<~gA>X>762=J6Q9*TjM)fpgw5#UK@cH{JH=_6v&P9OQ&y01Wb-})&PHOE~>dTUvQ(|L*0BWzmc5IAGjDbOKF^U-!LNQ4@l2OBJQ@P z>K$1-mNgGMl_j*2Q&1w+kbHDmsw;)Q!mX8*jPoa}qy#1j@WsDuw+yck2pW!OS<3`cDYXDx?~p`C&-@056+%5b)1f&wmBu@K^#|-_pyamzs$A;CxQ#)A6Yfuh)G2%(+0X_jSC<(c@e$s3Zn4h&rf zBPZBQZ#Y7DuL!WFHu^-GPH(7d10f;=3Q&nCGoGDD6|nkr;MERV9NNV>;aN4|S)y|# zZE3y;dl-@22JV@mXOm!$AD)r+dLz`OT**HQPEOxUG5eMsDJ}>|d-fDMnKITra;`Q> zOPYy@@ho4oWl3{(lkwsL>~m@tk*M*pU?A<{;9~~ZD%sPia@&+m6Hwmp=A^|MTv061 zw3;-a-3*&(7tJ%LVdCsdk=k_F{5l}q;YH|z-tLmC&4qi3McMFxaO#1BTM0`J*-1Dp zewd9!5?i=O1HMm^@BQ$4Go7bs7TK~{RXjg7Ys&|w7dOF@1d+7&06d zv{R^slQen)wQ#ByA44sUkduShA=JXjm%8shU2U?t)dm}3RdvOX z_*>zC19_?-6N0oBBvk|Er)5RpZcoL4c{^Ftw;Npx7?Q=c)<6k&5`d*@^2es>^CYc_ zsnB$4umt=E2aKsp63f39NHngK2RX#>DuyfQj!vGoRuP-mh=T4VQt~=okDL2=XvjO> z^0y7Jv!_Bsv=kj0;#(cSbpxEa31h{5W1@nFKTT{JOr=l7j$Jf(%+S60&2#`W+9QEw z19mnN3fUuvfr;=E3$V@&2?N~=du7YcqJ2ro5|~M$@EKVsWNN@H>~%bw7rIePud$N6 zM@w;dqT91XkLS;@Gt)*Ew&i(vsOEAlYZqm+X!G@BHGizwt+xE1EvzjHR4z&FuLkrt z3zRUsq=|!8T_@QuC5sQFN)5iT$EL0RExq2NYRF4h_9;5uxh)z#Cy6yH`-n1k4qQPX z6{YtiRvw!rz_s5vn;gfW8kB!C&oHH`r~cSGPFD5U5Z`v(1TbKvZ2IliuiJcB7usf< z?-M=Gxd-C~pufJ)=TDn8Z`er}g5sSg$e$%v3JtadzvSR|0{l*agM`p7Zg7nt3=%9m zFj46u60RSTpG1B5B3`W9tcAImKanjxOcH1|0L2|ms0c`gO{j1~nQ>hgH?Z^60=#w|ke1Si4CL#QO`A^)F$GK^w4hC&-e(p@mmsNDOaEO?+!S#0$N zRpR`W21$B-9r5~nK=P_$Brc8{Of#i|RzmoZj;KA}=iO6+wvtqHTw;x_HLj(=85$&2 zKk^?9vKz4CnO7aJ)lffMxdPEKf^G;L+&hJvMDX_!x-tqO!rMvnnd|59T($isuhpSs 
zQe^!;H0{^CEvnT*EYKyPwW5zgL4UNNuU4FzLP6hYXyR#%0omz+DD~}r(hgpx;)1E6kJi@t1^ZQ1jxcFoGGsVetl zTMq&b|CzzxY4{tru<3<@j}C-%pdVl`*uIGG>V?I~*;DGM;SBAOYHEh2JzftL;A*E- zy!|M5W7WD*V+Kt%rpFA#7Yf$qfitpfOR1|&10T5OBDGwj$y0mGNoqMbQ|5HfO-f6r zI!f6*rnIqTK7VBIHVe+kEJbSW`Xbxk$oAol22Et5Au?aNO*33Logy_HZ@!xY)UMJQ zV0ihi?U`Prbez#exBH&VEoNrXYnQ`9F@I!>+L9!zGLwW}RH&6rBFg-Ca>lvFuExls zVIby(gRBR*S=b5qa?DRiB&qMeaw_NH)Q!&WHk`N+7FRfC=q)~Cy}C+PeT}W%)UjGi zVIQMB)n5IjacJ=khQq`&d2@(pF%Ua}N7wqWS*a{YlpEQ)D}fNBZv`Py9)gbv*E2p) zN|whK`cPN#A~@E^r`~}4(Kk3ms%8t_XC@G-xj}Vt>2#rO2GFwz(8KFR!9Zgakllb$ zei=uR zaODyeDl8Br;>5uMKpex%fxk?Gt_XABC_TV*Ef^`-z~}7NEm4dKW~2~;?}Z@7NZ~a3 zxf017HfOLzXlPjcF;dJ%W~<5(|NT-`HU92-ssqxfB-O!p{Wz~OclXw1Qe|Oxz3Qv} zh0XpsH&iD0wST(=2(1&*NuM_ZPQA($z5$9qDutGm=7@^WkUBh2apV8b%k^Yg-lo=s zes~bHION}WXpwP?w}gf|CiWJ2r>&`d?(%D_)%(O>u6~)o?gWD(Yp>%%pa%I`aNWL~ zNWt~Te8n_sUV^i$c$7RpBBT!WGIboX84Enf1;Gq7>ZZmBv`<}8Lam1fiKS|$m0`vI}4`eWPP&^3to8%IKQ%nz=M*K zSk}(37CMn<0^SEmjSahs!j@3JZO{TV1UTC*(B0%M>VB*oSfR{cy+g56FXbj4?7z22 z|1HA&f5;eruOyM{EFso%h|{aCo=fq8$UmD+&o%-((s^;9cLU}pg_+3Yg-ZXxBwnFA zJ8oG_@Me?I%b_znS`_97^JR~4aFaPL3;u;Zn}QVsqao@TqTY%^!?PWH_|S`kye|(q zxK0=-5;g5v=v;r`ks(?WhR4ZUAPPvD0A+?cS1#CfZHh{e2$p?>%Mc3t!SQAq4~g?h zlKd+L_Sl~S?cCRURU*xEut5~%x^6^;ousf*!UTaJkroJ42Hm{E+Y`riTNI z7-7LELXzW5)sNDLdNS3=^G(+`%c9|qqG&)-L2)4O&>=M4?&)5L?KzPW5b`9yF zu(Mblhl4N~T@KnIxlN=fTJyrh99X}|!j$H~`sEljkgyG9JAafLTD6F#({l;g@U03k zwbCVVa#`1ai-mR|;hdQc1+Y(f9KxxBY^K>ILJPje^$jwnK}6Hc6U)Ab8>J8Z62D|^j$#*1oIMr%e1$IPvipZ((l z@C|FgcLLB{9OmR1urgc}WDgUzoao{h?j$)O!jf$|in8d+RmV5tOr>BQlhujS_O}-H zY{32?v6J_@5tP?;Grn%BkUH8w4ijIvM0=h0k4Wj2-?h+tAr#(-i*gfGSn&Wdw0&}F?dY^awS{}g@7aR5 zWGkXwBqW+W{9cINFfrgQ+BkR`@c@x|65x&~3`un>YVeD7_@gPGp_ zbw%m>n#<{`eEzfsjN}ZD?Yb`mJc1TVLS?w**i;ym?x#bc7HqBjn!j+$tETPQATN_j zy`uq93U8+IuF6=E_mA$C0FwJn64VDK#y+~9bUZ(#v{eT9+Goage>>e7Wy zUvo&1omL@`b*frD^?AFXNLSKWrWnv?1(eDv<%ocWAJ7>Fa53fU%1Vk(*dnmrs1#^= zkKhQ$on5di-ih!7V>zMe(#g62S&2Zuyvt1HIK@y-VP|KiKThtOI51!8DQ5uCujS16 zGX&q_9 
z($&m3ZKK}VUwQlRzFW(Ai#lb0_4*n^gXhF`h6ykb`xU)!;bcdY-J4=LLM-1Fy%A#j z-Yc(>&$VrN=+cerc8-wR-3sN6C)w1su3F0WSL_*;Ia7WGlk`?8LJEF{!k^dmwIZq} zGla$f;kjm%QeJ-Rg@w!yQQ4z9uDdw*Vo$bG#K(dCl~nL;ZG7J9z#nkSl!c%eMz!Qd zR65j)UNYV(=nK#9a5X^3*O4R;P#Lf*-w-u%z(6{19wr`YsuSp$X@mu5i!A$m{cPzP&_Myys?nTP zBZk)n14LLDM@_R%gk`*VKv-R}&YxtOSYORS&fM7Z zd0$%IjDa;||4M@F>|$_W4CElYXa+Rws1j#%$#maRwRWtIHU)FZjroOZloWd|!i=?c zY=qQ;q2QhNa!Uu>xLoA$I$@xQm)!S($7>X8oAz$iiGS57iFJvs_OEHYNTk7!QjxeU zc-eF|EO?M^v6=S|`I4#iWf$cXdB-F_aY@K{BB0(Ys2hSn#GqujP;#(2lr~-Q+HI<^ zNKrm;%R?JY;<;`<;}uOb3YEHJ0c1dXq+rXqm%GNd7CEk>t8WT_EMDt7^XY8BJOP}_jPF-%4sW4n$<;s*VNNu`N~ zY(G$UYh;SNC9DEGg4jjIdA4Oyu>sbXEraXIC>yLX_2H`r91nWOJ9-y%gp#-p9YM>C zxb|HjQ6CnpR0fl5ussZ8PU+$#y!h!->iol>W-BNyB<*H(&vwCFZ7y3$#0~vI5<4hl zz*J&>J9m4%li0rt>|gC(onJ5(i14nq$44BgQ-4{0;;Dy2sDIw~f*pE@J|hB9EVC#_ z0VcpiSjf;i>bh`4>#3PMy?xL06kOnWl)zhS8J`@PgQ-!39b&_vq!5q zK$N!f*{PY3$Q|v1W+@n{%+V$%lcz?jfn`OvM~Y0~$(k@6USPsxaYh8=Aub*>_NL`$ zGg(@h`_|M_j#FbxiSU*>Q5%^ZFa0yDU9w30b`hfNqCD`E=t0_a-yiHwSMgtJf4)VbsYXwvWA%s2d57WXFQQg2o8 z&9;((m`pW@-Wh;9Xd|Bi&5^WlpW#oPGzZ5}3#Syw6yOuoqukdjk(16m3)nZU7RT-Z z_*SeINNr@R1^8wsw&66e@PWHlSmpI;oWtqE;glb2wBlfLrl(e}JD=Fby@7&+CVUqT z2<~^x7j0R_>L(bnPf84!ZwDMYJo6LKGqOQ-*n=R(7`fNsmY&S|+c2=jmsz!2nlULr zff#8(Yi3;!Dh%qtXXt=&g6$l0vcu@;c%>XiltURcSm&`I;S+no3S)=XZPQDW zkWWRckPIIYl4s)SoVB$}J zQ#gG4oA~d#-gKzJ<>Rl{AOD}fiT~by_~(omg~Q!@GI0}&WBw$z_4(@MepA&&QaaG; z<$|{ztMh2Nn7T6w{Poil|8n!9%9r@X`YqGO7KI<>3L**Xob?oEuX6w*RCeC9SS_kP zulujns`ICxbiQy2@|lA~C&eVna0_r-*6?GkeaJZ~ELGvVK@Z(UEGf@fGLh^tfkFaq zl`cVvz9vUlpIWffC+0U{lx*@sOmbzLGR^(2L@uPr*xAk#k578~p1_E?Q{XpmK)L)U`{gX$=;k=6HV*|&GUO9(9C{%EoE96~za z?f+-*%evb(maYHGeZC2-S$>o$JJyP2GooVO^}Rs^B;gn&7yy*5^XtE!(L+^rgQOhA z(K_qIB8l3Kq0wFAF0$m%Em$Rr{Jkz9-|~Jg`d4v27EY3~MIVqaHrA!YigyBmrCyQ< zpIs6mXvjGoa2+SEQ|{{cB2kLqJ?Dc%d=7+QOili>QF&G(|CiZWxGGqo_4oh?pcGPL zrg|jJ%mS_nZA&UY_j&g?xqit=ELI8LkAmv* zlAJdWV2((S2c^L*_&s7zPtAfK$ik%qzSV7D`-TnQ+*Re!7?!AH(IC>N4(Kxq;~GE( z%UnFbjFe9-m!hlVBPAD3U$>prR?HmK@kJEAJYDD-DV^AGLfNZ)l0j5A%e%g87j4<| 
zW{%C0m+q`rJG7Aa2-j?cD?P#+F~UYB(6t}gy6Xr3~!A<`cood z)W;r3=E|T21#~<(G=J!9uc2++DsTHGXK^qIH#}KhHiM*xj%FGtG7Th6`0 zo35#7h5RR~O<@rWDLy0ArkOp?jL?sMaO6UKpnFI7KD2lyY1D=Gfl4OzJ!l`uV8_-D zwBq3SNGtZn)Jy61%H$?W4ySyJbbSRdVv(&^rlT}?!C|*){Uy+Rd?+#L%f+hZRZFXK z-epl%bfV%!Bh6eSvH%5@L6tVxy#wY%5sooBjbG3UsIqqPOSKfb0;&FvOxhP?Tv=mW zSYwP%(T||v3Hjg#!B)-#@NQblh3>H?R;N9aSr(@1ND>U4QKF(*Nj8b@@sjT9O>6Ly z@z-_k7X9IuG8|3JP4GIv zaZvUJ^n9E4h6iPbrV~7Eds%QtCVA$cq#UrCX`tT((5%O=;gdghAQG>X71?FTqmcf{ zMe~pr;!}RjOMZNKU37fUmQ6_DB)an4)N8hTGm|DWe;B?z@ytx;>yfe1&Al1S5}R0H{OV<>Glh_KkwRA|LL4mxv)ACtZ6OYU;+IBgeK zAi1&wIZkA>hIk(AMP7c;NK=JGJs0!l&onel=p3SEG)Ou*GE>|R0Zo7Z0C}W~>U&wV zWnQQ4SeN|pD|z_HEz1^-cO^iQo{4Dcv9Gl3ftn0AaM9QbCjyJ#1cV5Tyn0ClMsura zf@!>cQ)B@l+cV*d#w;9xC^GR^fugkE`nBC1x+92nl4>l`M1vV<~q%(g7X z@XXg=f^ID*b0>Vi!gQVk`vZ9IEoaV=eYmIu^0un^!(!o=K;ygB{PO}(r#`zi%HW2@ zCA08AteTsuA91;7{XCm^NnD(H*2g3(B&bT$i6`8G3ZQ?AZzAftw7_^F+rk*gefxYPK4R){NVNt@TATpaDE`hO1`hg^znd z(ZznT&nyKYZWws6d_k2v7du7ea6%N-yjetJUGI%N8=0o6Z~>vnzJrCIOG-MOQ}4OQ z!&am-mGJ&QR2{qNUB51>CaGis77cGrq)>u7gQUjqzIyI!j$)Op%e-BRHW7gaNvMuO z^n(&jP$3cB5rj!-6&j{U`zgR^9USPpHPgT;c?+_DY4bDm3Hgy%FZb84EcS!#mMNQB zzpKc9P9e>D-+XYC3@3%yQLpWsUGAKF?WkO%H;iO8V8jOE^Oua?}!V?2`R7ZMVKzQcMsLlS_hr zcG!A8wKD}8wZ3BF|1|PVx51xRijP@}_Lt_vGoa=CYn?Cqwd0KC9o$Ja-an)aHDv}6 zV0!#PjEOocyle@zaAJ`rI$VDSAEfvlK)T zOfz0F6^Nj!l!D<+w2(g8NFWzwIJzf;=iG^mn*aSDU}ZURf8O(0n;^PL`Q;#^`8~`x z#yt>xV?840XUCzUN^Pv4b@5GV^R>U$W&7w9!Ej$>xr@eY0{Wv3J?jznP`v3H4ieo8 zFjMmts3T|wIExl`eN$K6J!L(kY;Pb6=yoDTjq(7<3qAm*tJI$lVDpLAo55X?ZG>u} z@HaxYV9{|6+P*&5apkN*cHO<}1w1gTlh{114~Ks7xFWZCWo?mqF{7)A!|w8S`S!dm z`;_E^c&~XMHIk7Kbe<>Wx9CIfL|%h7xr0@|U6))7C$UMcBLTe!jxC5qQ$w2&ti*A2 zJ}>_k$cH-oW&b$%@*vnSW#-gD@MY-ZJAxd4aK~T0PDy)BTj9JH%?8Vq0GYWU#3}_J zj**-l!pjO-9rwT)DU(9DAo*l0hWp+@PvK`vCZ^vBAw6{31Q9)A0#jvox@=sun7OTL z(m9M4iVNv?N}4DQ_l|oh21h(O|K?(F{o&O9V5_(|G0z@qYP-auoALJ~DHGbd4xIKV zbyPI!pH3zP2JmC_Qt46uRKlsDvM9cC6NNO-*;ukjAVB+PRx?$m6Q`+B*2sMM`CR8LSD~ivpMiNvxp) z6CV1a!~9cqn8?eWVCKhPXgY=(yu`Z*o^Ji(MvIp=dbO!Zy!XnP(O?M_Jk9Y)O~~x* 
z&;1~u*a@}jK6TbE0XWZ(OgXNYZ+@UbeQE8``h&0S#;Ngb-If>m4$dz-`m?uhsiu48 z)=H1U@L}NGRv#SQcK9Het9^&V9q%sjP?|R-npHK?BKV7v6IoP&c$U*NMQiQW-0)bKloZvTfcLKEVe2g%t z69JJuFRv)hAfbAXZJcNnXM#{2!k|0gWgd;edfHT^Vf#Gr-F6t=QMG(%#L4$JExGj0+a z?<-IFq9P=A%P~=4vSC79VLird0<$cyIr$B7$E<^a zy;4a-cMBRN%1bsR+k&sGt;v(s(uztjxeXn$?-5gBO!GPa32$O?q1q?hUjs2{{H!3y zI0>Ulel>*SC$$}uu3qTa%s}AZ1oC*;s96fP319oFzFf#0l1(Z=J+KP~Hc?RJc9dwL28BxAxR()yNjc}@y-}Y8#>}{+NMH}6EBaBjr{MNQ3u%51&t=nX({N8iM zsoLRn%!-QrNY}>4I#0b-zz#KIc0K^d+fgMzY+DNytQzr}Apdq2C1+*jx>|g_ov@>4 z^62o6kqjG_WQ1Nrl3Swm4eVu4*%;ViV|N7?8P(i8>s`7^{FVcIULOLoIb_i+@@gq) z)3UB^dKCg!Z5WBC5orx6aX+HC@y3vG1iCF`@wm*HqCYQxZEi%$oYWj~pV+w(_+$%& z*9JMn5aEROFA$##R4X`eU=4)3^3@i!1RHT+4M;N^iR8dSWx&_zmA{0faqh^XY_%0N zt^T4d+5WXL4G+V3zrL9`pzMn)0UBrKiHM`iDR#vUWs{2g=n^k-|lp0SLZcVXW zbv*gh7RWy-IaRz#t^Q6VL3itg?!&%auUZr}v1KhGpIA{J_bfp*l4##GK&jOMv|`yM zzZz%|je(@h_m9JvDU&!zIDzu-{3H?}@a<%LL@Qy2CF730e&6y(v9#26M0tsn!VIXt zNz@AmHChW3mES!pfo1A!R1Af!c*D;>>9U1eN1Jy&vdvStJV$>341Y<1{b<{+dGSzn z4MoN!sHz`H^VEQ#RM(HT1!^7sWR|A!FBDaNw`>G4Q`z@GSyGB`V*r_H5Xz?k9uDfR z;j=w~zI4*nblsQN+PrBw@m`U4_cu-65|O8=I1;$XK@@6b9^eyQMuV3{d}$HLy@q!! z;H`+SO~c}tuZv3DZgtmp*v&vg>j%0~8-p~Em(>tj4O8RKI*_C7A$DUcX7RGy+jY&n z%2WJuBSO`BIBn`o^>AmyaD0*Vva$+07>d z7~U*4A_lgP1^4$*cY{qcptL%f8xAe8HvZc*W=maaO^fZM?d#=a(7)N_R1`nRh6vXF98kYX#CY zba9V;lzonL-ut9;NlmW-KR&QHJGp+RzwC$Ml_#XCvsHIYkHKr=xwi-}xgJv!FOkO8 z#A}&mAyRwtDKd;=g&#I52cT&-BdTNL2;<@Z>- ztd!Wcz`7P#Bcj-j)RTD;EQiU+K53NOB)w6ZY}Ui(X=`QRj(A%zuwjl*mE z1773cERbQ+%L$YTgPG%m8%77iJ$|rxUbBs5uw@g-d(n8fOY}A4&@&5~X7io6=a&SM zM6=-*Ou&yfkxb)n;m_El2zGZg8%6oRIcMtpCS(6krV)iQH2E_=E%x|KsvRw;Gt`lHM`9z zw%+I2CvogpV^7N^`5(k1LsHef$7#NFv{mtq>)^&VOzSt`OGm#w8QkV+)Ss5u?6w>( zJW`XI%m(Vf4`efVg(^l68UxxHXQ;mmha{lBP49#(;I|Ya#YvdSNu)URq=rawqV<9? 
zQk;=oHy|&~p(-tlQHg4vX6>ctIRO7{w&W7kpdT&J|JNjwiBjTY=&FSx%(ehJL2HN- z=6yaSXo)I~w)|^dwZb5bXKCSch$9baRuhhVWg`=*S{L@&(HI*R$LKG^+Dz&dPjL5O z2{dTQN3a0z;jg@F0zP?m8JeU$K729;>faPW!IDGOizq+xWUfu}LPHQTB@{Xw)TM$J z60lw1afetR@Y;AM!wMztAsBg%?7HToUmTOe^M)o^8N(SIxxEgo(}C#Gi?XhxMM&rT zpfUAFwm=Hm47*Bro_UH}3YVUzLxt!2h2+um#53n;umKyOu)E8jDF0kBvtZftZK7Px z+ec9#vBQK5YYZOccx%SkDDz?@+E2O;de77ZT>ew_T=QV&FtK6b!5t=krNyBqVUJ@S z2nMQ%@R~Mqcz*WG2Tp#m$-!bv6qdJpRk_LPXkLSgNr72kzueHfH%vFaVzy0{e!uwD3jgej~mM&hp; zS|>ujU>^hg7lJkWgF`m)>O}LX> zpbV1(I~Tt4XG+95nu$M3rs1{}GYU$bEyZV2oN#ky-hoJ`6kz)?NkiZAWl^yc{q=Uu zT{-?zmL;8aGy(?`3gUX4cddf%3ljNs6q(=%TDyVQ%(#-`Xa$ba3a~lQE0yW~8)GFK zw?r9Of~t&Mn?eA5QL@z=qQnF5QYQ1!+x7CMX})rmI$9M!vSFDV;7ShgMGWv8S|CsN zE~B83WnzEddIhWxj(Y1Tq)*h?jP8*mmY(uEcM@)y8sK5RRhXlD=Xlbf?i0xYplR+f zUQ6{kO46OoXsJF^q}>>oWhjcV866?1L2-slZLx*vl&7SHop}EYAEzR$)W17)T06hV zdeoUWsza2u#gjaF%ZTQ^yq(Dv)-^Juleu{ zy6<{qbY22=oczKvH6wg^sRmC+@^KF<&~0 zO3=fOvv0R~okUYT+@_1>dLjkG8ysP(hCoJ;RU=^~SL27;D-gEdq23B8#FaKf#@9lT3q)#;T}tykUmF1HF6PBD<37YC zXWqs4(gN_G3}Vne>EIIaPQv@=D?5iqTY6LXRfqX++h*ApP17<%B44d))pGr|YRhkVT`P8;b}dUi z$L9hVd}cPB4fyXAzATY1uGX?t6S{vN{WDEPiewe|0e;)D=(2eq0RHL6Wxndby5cB# z%S_5r>n73UGr$?$<})eM5F}54Nphiu775x&rc~Lxf|FKL`8N7M=tiM+-!6JeTa3V| zkd!fSLgNp$W9LP|XDT5%fUEQs zx5*(%&2Gx!5|YdG{W3*r#BvEw6Hh*+2|Soq?6(7ZW%!2)Q&V|v^e&r{S0E+OjWm*8 z=t#$s3%#T$pL*xmeZJP>e&ji_0#aH!uB(-}fC;3MnWYXR9;}05@5{+DUn-b zKO(D#hyO1jU^=xw?2cKf`>S?ifshX%lD+#^{n-iEg^v^@rR6f?j`HOF7?xaHO8~z#+JdtpgG-PTzHw^Q zUKv7_V=K>O@5m+`JXDpfVCvgVxh!w1egx5~%1C>o1UFPpU63>lbq~(ZuoXJ#fP&ji zkDI6{^-J;;o!R528oK}9mefb~hhe-C8m-qlm>)qIA#{J>&q6xh1Xv%pO{ZTXx5C*o z#^#`%Wyn%a5OKIV7&uexnz^Z9d%`dE|F}*_?+|wkXoEAltLHh z&3GzGZ%CsTx8SZTM1KG&#sNX7y$MVny$|WscG)ej)QX0{=@MUFR7C~8{qd-9w~kpP z1f=`2U2GVUz80d9khDH1zTO1Q#6gV%h(!;&h*b-9VE?jbaYyh}Axu;Jy1psfW!WdW zSARDL6B8D?J-Q2X38=9pK8`%k|<=?O7 zJVWlLT+Z)PF8}>%{zV@j-UgcA$Ck}LMc;oSYRM!!H+LnS z;X$4t=IOB*TX+Rtx$5Wl`SPyp%Vkb6wOexGukF6VkXwzy3WO_@z=WPbHbD#4h?UQl7;R^I0DM+M64~m 
zPvuf{1?2^gkCKXpQh<#BFkLyqp9%q7W4zIZW0RAmVOLD#DPrZMPG~sDZv;YH`^S!2 zZB#8_MH~|Ai+sg7)K&S*ecl%3lJ@xGN%jg$mA1Seu&BroB^9X#q2om!A$!I?ciDr1 z+mN2!gNc*12LjKUx}EAaqqfar+2wVWce`q_rC`sO-5G}+-&iXSu=^;14nZZTcWBg! zw#=vD2>+belJVj3eD!9@8`WitM?<<<^<@yg4TXXI*hV|kXcq#FA{?RRz*Qz_;-kNG z{21;%aZFU7QCypwjvE@V$eQ-1>hn4iuI_o8-%@Oq@>sx&UbBb>Tk zZDmB)h}Bi%>V{WSiEA8SJ*9qlsnwIvei{_`3sNl3L$f1Q)I;X{GRY-jA^kuUBVA#o zC~NG5_5=ziX7GQ19LM8?rn@JwElv4w$xKc<8GZ}kr{{8#uArNo*>@W(ueLO`oVv$> ziOqyx*XW-Asd~{^foh_SYnx1Zs--FY(mif$(vhnH6=ltAW>wImR<)*O<~93!XZnyF zMAhi1CGAr?lY@-cj>f|Mq%HR-+X>(W_DhrO{T<%)cgh^xHg(Cjw7VtUf_T^5!B=eD zGi%)4vj>MGjHP={&H#x#1AdQF9QkAKF~7oyFF$e*Lxd;0M@6YBfVsE*KP4yp&HFxQ zN{i_XPWk<11#ft3a4^{4KZ%{g#$B!x6TO*x^KE(WZ{rZNnlvh1whG?z64|8d`Ztd!09xpdV**tTo>*W z54YV;l;84%k0Lhk-6092zAM4RMgGWj>wqAK| z;Ls^^3VQMA<|L>!M%;sO-APb83BF5YdlC{0xsSRfiP#4B4lqrB{;*hN?EgCZm?(1ix_9914hMu{L~nXj-0#*pia-Mcy0J?lJpwj-Ty z3TY~k5*=@z3|PhjBtNk^aNo4mf8~rw)r-$;sqj+TxSD$wj2qKheWDo1JObVE7{yMC z;~wn_6T0|MA%`Tkj5yVYP$?B`GdVQhPOYJ{&(WKn?=l63I)v!6`~;t!tb*JpML8&T zwH8j*IJ;XB2gI$`#W`m}W)q*=D`PY13#PsaNnkZe&!smgBf{&_JUT?KNf%mlrsRU+ z5#QrE^1$Q zJdLI7nQF6PZTp`b;anj^O5D9;U2fc}Ik^CR+YV$wLO83wSL6;f2=43eH7~f|p1pMVn}lQ0l6%t4T_v>Z2_i zUTCan5XMRHYO{xT04sp<{VHHPC$9X-m*M=;uyq`~dAHzzkWnG^-30!6>d1 zU3Q!_t9pv4k^CM(&2oVk?PqPE{4>2Fs>yZcH%LUd&Ss=nz`0Jeqhs?m&nXHJ5Sk`YzB3BG1>cbHS4Gct|2D^ z@=8HM1=|`8I3Hga4X+Y!`4Ra-gZwC4(xHIsGsJ#^P2~9c`Xf6DMb*O7hNV zHpl3v9!pNG4;eaZGN9;VVU;=M=E0u|_<;cY7v<9~l{P!|F4H|4{OTnNu zTv+NFxQzq;V}LQHTs~B76NwF{aK<=5X{<4x2%`ON&kaNHzZkC1#Ej()=sy$liqUQQ zJ#cn7#|$L5XwJ^Qv*S zyGPj*j_;>;ZL?nCH-+pZFNDzbd0F1UySqsT`sR+;XFQaK zC{lQ_i-yxyB<4pc1e_dFK%NW8c%GDpmf^zC?6rb@eh#+B+-$|j4u9D@l^>4DZA%pb zJ53^7<1g)wNf^3ogln!vZ<_;|#Swm3O)*by;#CmU^3Jv`gwj>EBHlPI<4J+N4Z%e4 z5L`!wb0EZ?V{OK3H^a@%mpgS=JTUjo&tv=B26*Eq|dXiPvu+6^BjahW4S~8t4(c&=klI z<%Fh~LWYcNCww%b{XB5{Feoxx8y5nV=a+PC`*i4Z?XGXjd|_CCEHz$~;ja7Dnjj+- z!iKzuvLra#Cy54j40C`oL=H`eqjN#gK#|FD5$|GJY7G%MGNlj#F3JEi1d>QWkRBrz z>M`zjwU6v`%*x>732RUnei$*Mzo-yGl>MR 
z9P#svUGnP^_!sTZQT5zhr-4i9uekMOu2B4vb)GIG7C{A=n>`Tb|Va zEq@$a`(@;R)ACpi7<43_mbz)#SLnSew)Ak^E!^M|G`9>=|!D0|*Yc9Jy;(Z}2 zIj#nYrT-p@ep{Nq;=( zdSh?zp;7#fe%U)l=m^AWqAY7=@#3uB@%2%16gXpl1l%FFZ~bs@Ln`!cWl zdu`$7%Vx<`y>*wbs&!Wq1(0Xwa#MXTq<*PdW(-vRmsRm%KutlS>9zf=i9mac{pBwWj=`V6ZiK6+s%K%O*MuWE&bc7 z$PaY1gynqL0=iY<9>3d6zv|^IOKg!mH3B2A$`y{gPMjPIhfDIn{tzylUf&40ME))ay! z#x_IL7f}sV97fq85{MTrons2Ahmi#$n9+X}m|$S#JK!@;YQ>RBclwTdZ)ns_n{5p8 z+jrNP=iNLn%8c%*F_A|BHYV0dW8&b_?q00WbZ}qQ&GL@D3yYSwjOJe@x6qF87;)fh z27IM~Q#xwTf^&;O{ChndS{<~4l!+&pv`o>=)Uh??3_aH&DNWKXY|H8SBPoxHd-HRyF z=v%@IBNE&JZ&c62FFD6}828H@sT^_1 z?}xG`rG)z>#7BTR2_5ev$)2=#Lgpyw-bxm`SaDZMvv;+=VOHKfrK6zjm0Z04=i?C_ zmZFkBs>xCqJrzo^b~mTDih!c00!sUalUhaS@d=@k(bMn(bwyvtdC%~274V9*>`clc zmk=DayNItYz?O+hMU;38t+ZAE6t~vQ9gC#T@_lYj`NbxizUM8m?n)S7d<{NpR{^dT ztETPC@BF{J;_#H1Zw2Ofw$6z3KT_j$DAXMFmp_|t`Ld|GdGqV-nqOBY|55o7ZMmuy z53R`h&lc4kths#AFzVZ)*PjRx+)w<>1vNvzhJn$aBIa?IfUWd-2sT2xlkwiI{C~6mj=F`*}H8?(AO<{+V zD18*M-?lc;Mp$6r_0TPe!Q8^Yb_v=Q+hGa7@8MS*gyG(s<~zUL)O^1EoG~cP+ zTO(aaBqaR%1{~eUpu4o$hy(WrxDmrDx}*0vLB!YY+lQNLRuh%^x^3AXY9{EstL-|u zC`>iWtfVa5pi7Z{4n1D}S})dh^Xp%!9TonN$Nz!1Q@~9iOLjz$JYfayVHG#pak$#= z9#-)>JJe^$EMZLAbA#x6?u)RysQXQITG|RF_WPfZH(8apauX zADkes^Zq;3NGMN|U+Wbt6MhD+`DZ3ofNBr5g-jpYXN?m&7@I z!h05|v<#y!?}^6~=F98{iWt8I#p5#X+k9UB+T4gzQMo^uqAu^M&&}bV?8AXctmVyx zBBGgfB+9%IOr&`6f{9|3%eJX&eiO}CJFIUw3x_%Lh8b4^F&c2J-c9J%en4IxIq{R?zeqiSn0CNy|R7@*hNOM zrsu^2|ElQkd0ctO4@WxDj@9SFfv&|sLuz=~uQsCPje?9%_7RQr)Y4cM!*@ICsArI` z2IR4=^7)$UDd!B z7BJ$dnncdcg#aBaL?-sbf^)J+YMW}Ys(Dnf5S_CN`DH9@@%fSi2nvds00=MJAj+eN zU`7Czp|W7!BgD!pVk2rM%6q5+GWe4ezh7A*z%?lh=%EGT*>Lpp%q@2)B%|5jhWg)X zysHXpj6Bko!P_ytKLY_Jc1E2t#cC zuvkcDHe&9~KQDl;xRTZloFQBwGrxl`!?At(o3!_f?dlu$^&__Sw1$3E3d8tLergY+ zRtAssah})nbuAWF&VI5f&!d5vwvt2zP?jBP$3P%nzp#gg*|F8$BEs9jYVV+pSnWNz zk*j?Ie)KlbM+`#<-~E5l+3l?$}({ z6EnfB@h3kXor|@XP{? 
z7DQ5_sBMI8WFGyy4ifs_S1KJf!U69?k_{7lB6vy|Tt4t5`&b$ZHx!$tP6Mw# zPc=N=C+wqpo^c?&U6^OcG<7w992yshkD{S3VbX|$aLrkQynVptfh(VRheOM|n-LP` zgUZCtL-W}8eOpJy<*n`8@|j=^vH5D{#_v+f-B+tfST0ig?#U;FDeM&wCR+jbi!e*r zbD;q*o=+W;kSr>kAG~TgE6O?hrqo}I*U$r~YYj!H=adjS)5bVoL|?SUqwRzFS`rCs zqD$H3BiZ*%0AL-?gly&=`efbC<>lpVl@~Wo#8WybMZvy!fh%??qdLW3a?tZPlzyQ{ z5j+7?HA-^Jcr^fU)-gP^DIC=J{I0DE(N1B>1^Q;iHAJ$*`EN`jylew;Eg`U0=D#`P znS+ty&cUbdC{KJbJOXXDAh;AB=_eV6-Ls(y7Gws7-Z+o*9iZd^vt|9xR3MYjG44>1 z83pZ}>&qE?k>$G;=NOPN{&udoD!k`8`>UP_Ad*wS#>hYs)K?PsilY62jL$@TWdA%a z=l5;1)NPbw0cfIGPz0I^IS-wK(m|qagn*7gAzKqCM`f=O=d8#$cdyd$i`(^5`0bf0 zfZq&|wn-w+45E@O-YLYh72Li3i#eO9>=OptKwVkaBd0VIk`ibMa-@NfBc0GRXt3sz zd*WJ(4A~$z76|a}%{*U8ClZ;T5V<=JNc{eIhi}m+ICfLK#Jz@%S_VWPc*dSM9<`C^ zR6ScZo}(A;NXVL**hJ6b4*hFgu1l}&JnfN9BsRr?lX*=kh-cG?imj!qI`6q!nJ{VC zS~pck6PhAoN=?IY#;|6Eer<>!GdKdesc?F6JekL~*2qLjm8zwqy)yV(CTrx8L`j9N zBe+)*eSGnFGR`xJ5C4621NsFbNM-L=bG{nhl*=RznfI&t7k&81SIHKQGvyMe%(tpJ z&vCJ$WKGLmo0$s!)TK;~CMd}yM0g1n<|hwRCMtt_DR4%pG?)VqwW*X}nw}lnVzRn; z=#WM5jXOt%pHJP|bvZ5Vt{{+Z+p0Sxi378UUr*mp+1CQFP*IPbE18w3FVD1N*7VWZ zo#%ZHyp-R{_NFrFa+~z=oN|me7v~y-TJHi-(2MEfQRkGxS>Rc|$O2&&1}Yy&xjBqi zm-Ew+8mZ1V!+p92g2-IE2*%r(qf&nvdMWpbM&aOQowPs0j??fdyryrwyk|9yAqym@H1jakYU&2`f45ZJ%L*ued;V1qM6QK)Ry)Iz4O<>RhYatZi*`8Zw+r$k>A zZ%Fahv!1H;S+6)HR;&k9AV4|C{Eklvqap9ElkY%Wh3^cNiHkS6;MUv11uAjgXq*Jc zXCU!xY6}21j@O{Soij^wGdI(J7`L`a7sGGoH9P(dJ3hRpz53Kpb^kv8Vtf8@`_s~8fe9YptvW@_qsCzc4SMc5h%Qa5>#q&0t zHwu2uv?JT;B6MIVyJSxEv01e_SB|URQfZJX1?GFXh!8SFvL97i%YYM2dIThpoc~xp z2N7yxY38Il?0@au;|O;>XTo_agmAAt z8R!WC;?bUyU-rQr>kwEQ(U(NWvC8l4_pW1BKwokdYXj;j1#!h8rUHUspMnm4A)tD8 z1XO`@a(P!RzyB)!yQ+B@j{jAZtGaoF5@|pFcJcB5eii?ne)tnuCxraDC2!`8Cz=6A zMtHaBDga3NiZ!rJQogzw+OZZ=zJ|kJl&^n}^2OHOe6`BtKSNIl6_ydLXtRf=X0xTs zx@ErV?i+edK3lDTw@Z9~=EF}BczC@&ljk`OD880EO%|Pn{gwR&;|n{&K<-<&&RUL} zx|=NQ&RUKx-$dU*eED{IKZw^Irj}R#(j8`E+AG>x#?w+0d&=yAm2XzYuw4YznLyWI~5#yzL`t z;0_HQqjv4sR*vefrDf=UN>FTU7k zn2LgKKB#FO&~x2!pBnGu)HQAS*ShTR)(|O7T^erIHCGBQjkF6Cd^Rz*E%>|c^JU&F 
z#jD33Ey6HtB{#C;KP|;{2WQx2Krsx;X6~U_D}bN^b#Kq^zk+0xeZJ5Z8ii9Cf(=^F0@DBNWH5Mn^CkH>q>J~8HM3F|fZV|r$d~dqi#wC^Q=DA|45j_d#)haIv?pr6R zLXjGr2Zu9u#-V2e^u_edKok8E$AJ8()``$+>v-HTBrV@grDPWj?aLn0&i5VROTt-SinO~4uY+uWs?U~GUWz)V` z&xt6)!K3ml_UZd&X)woVgL9e*@|}V`)-xIyeXvPn!zp;Yjg+5M7+M81M4BE=5Zf)gtJ@ zT)*_86}-fQ|-QNgqYo=T*%NRS|RFv{%4y z3fRiyIG4azr3&T)i?P!^AOV7Qupq>5VRNYA!MoKUnnpupqi)kHDi~nm4j|G*hGb>Q6s$yknExzW(UVJjCPYB9Ap_imki;2RaqOKehUnh z?`>6+9pu@0QTv^P$EkYXDLhc;u%I$RGM;v1o9pHSSWrSGXy_J~THm(&F(wgPY5=Y1 zQqwHTa_NI%XG17uj@|{7^Z1GSQFG0$XK)J0oZz_AQX+7$nh#EjD!PoPIXj5N(4y?V z_KnHIQ{~1ypd#yQ)M`RUSk5KLX9pyFzz8as2@3#XXElcCGYrbgSj|3|XCj~dLGYrS z=#*&{unmtu3bw3<0=REXdQlGn{T&D??fJej#moIV(DYyXrLd~7>s7D`u_F(IFZX`g z#|$+$fGTdIAaCRgyGS3*c{J!DXAkaM)!!Fw{*7lSZ5m@01I(NO&Vm7WVi7d6F2i$8 zgo-yNLu;uajcfI_%Gm!oBU;SqUmPAh`K@E#EdxQBPKgttYow; zu%FC8wXIGv%2tqbb2 zSuD8?+^%=kJ6wI9g6JdGf(Xu5-Db!7o_5~u3H1H@{Jg)&(6-N+m%96 z%^8o{ZZp!F+(^4RWT(OWhP-aL~&95X=W~20DIlF#C&m=@$8_ z8~U{+hfyx`6>vLUoJjcOG8}o+unEZJ`*?Fn|EMGopVq7%zSW1;vImoNgspY}N^9fhrEt-=36u zgQRx|JB!Ghq~cXR8JC>!NotdvsiPI8%W#Bf%jnl$!Nakilc=s{@IgVn#CgOd@TNpk zhR10m@oeE_)g(w19;K%|&m3WUjY@09jW0{lF5FXKq@QQ;(R^sUa7X`bvy=>JWO>8` zqQ3;ocr^4C2z`dTKP=QN6$G?o6K@@+0H#1$zfU{0EqkVd7wP&1`=UZsnV#kY36=S) z8}iaO;iCd^NNOrXVkazBPXC}VM|!%Xh{ZO6~1^wp${rPexpkw`m z!t(<`(p{jSiXQ5uJ`*UoE`VBV&{Hg!kVFQMx<;c4r0nBT1UHc)`?)Kgu-t;z6sqSw zTXet)P2041V=r}cnw$Ud_`m}-KdHW63g*)Q6KU%O3GA+`m)iq@&3b}GHPZM%3P-yg z=)=e6Bzj*bAYsR-M$ zr!Bw)+EC$^m!bZ&6;AoiN}5I>?ZOx8g-CNl6_${j^dY~&wF`UpdE3{#E9@ZW7GpJwb%<6Gtt+-6zIIK*wvu=zX8Szkc%iWKK|2+1i~If08$XOVP1fiT9v z8DvshuD?@?9zbc&KuZ3h9k4|5HIV}I?d#g1`GJ+QW2@_Psbc4Lb#AZEbDn2HQJqeO z1ob`{2(X7YHePZ)*QuNI3l?ku${^jrd!SE_($^C7$P0qG_DeXzczR<+L(=8Tl=c3t zJbIP`HY2^j50dfPP~oP-U29C0Td#`57{$3b{?AphL7>8xje9k$_Y6#ldqpPcV>xX+ zB3LaS8m_-e<)GvB4s))tvkl@#rckr5+39h9--@UnOip#r%XKK(dY|x1qbY=}Y z9R?kd0k;|a$iz7PW)rXIkleIpI>AD;ynhth0Z)>@ThcL8Jljday%lg`dq1<_sPw0Z zV7z^`<5o1S63jPwy}I`q30HOgc$?p(yh~Gd=(`*U640-a5=-z4p1|F|UO^eBd;7tc 
z2exLAL^qt3-}`d8Av=vr4eVeg6AF7$KQ)7}R?$!G4*|K1>Pz;@C~l@78`!z`S)s}tCKmn^v#z7+mC}TmksZB}S z7`;u=aJBMe#btNP@65K_VCC*nzz`!gy%aFW$fq{2Fj>L=q-r}yl*LDL7wn&B7JRfy z-cMyn1NsMLHt3XHyCsY8I`;Y92C2FM%r%E0Qgktamp-)a12)fcH+^UUc4zKpN=k0w z2XimbSbfR}#xtl~`g6bhv{{QHB~hvnK=8Hlyq)H?F3$d~h*x>R3n@1tdyFt}oz`Wu1&y7HKt-@ZgmR^H5_Y?IOn zq`(IuFm}OqgcHnQN5cWrhW3EK&j=FEqMwgpof=2EdEUva{+4C ztkT(tE&B5;yl|JRPh)-5SkQ+3d6q?`@TRDsrF3GqA8{}E>-wf_*|n9OYa9d}TP_pMcPPKBQjjr1ttX@BO$_EN7_qhmP=EQ8eKD_AihfaNQ7_j0vjE1 zMpIU!=s_~imkDZ>>=QDF{QabIW#r;H7f1L^)?T|-#%$Fjt!r&V+uv{Cz*FK=Ia31I zDNf1Zo>vs$r*`Wlb$&^sUrp@*qd%ftt4JppUv4KIVMef&3^AIgVJMke_}j6QxJXaN zOyX)Oe5YTO3%1tpDp!spUJAtV*>R-oOKq@O0+3t_Y)QY*n=b3~_Ks>RGvP;t4_1r8 zw5}E|(JBcj&Dq1!W(}LBDy(_T)E_(@qi?>JWY|c_s-hPlP8fnw9GX}7IgFW)DCg*g zckkxM+dbcx@F(5e1LhE9hKcJCMi5WhJ9;+qhF zUJHeH=4<)5Lqkns{$4(AWS>Q(Usl9TS43)&Syd};u$Aq4XG@KSyjpLt;CRA+>#{?3 zZO{AsHlH&s{Lz}iY;U+N^L{Nnl54-5-_6Z@C#9+PiNU>-aGwPnlI8ghIuB0}P4A6U z{G%;50{fkUp{~&78Y}#l-(c}^G#`bKI`ctL z8Vc-iB+V0lCLqc8#=B_5&zb1})vmVKh!=7gZ}k2<0(r~LIVh}qnw{FIC0~@?y}eJe z3;C8mrpISw#rGvcA@^+w`za-8Ga!cN^@$F@p8|#Tx~y}gFUexLO-W51%W28EXd^kQ z5jM*Z;c3}yHOHmiJvNSH(8QJ={HUOX!)7@G=*cR*6yG?O3ah9EW7Olx>986PXCcQ@ zVh2eyC&OPvtfXAzgbsxA+Kk> z;+a0{w%(C($@O2*R+*lg^Z6;tnJ!AIKm@mAM{ zgttIpUR#*aO~k-u3DQXRucj~A15{$vIT9Y}7o;aBT|BmN!?|8%meKB2taCNMl^kFj zg(?Z^Csm)e^z$a=RVjOD`;@AQ21?JSvP5>0NQJj4(kYmE%@z;ceQ)%hlGdO|k9Ee! 
z(p~q)Y%pMJq7kU*Zj+G7Z?Q6o6yL(i`HgwPlJfe40j5I=F5wGuLFx;fXzSy>|7~{SjG`UDb{0nsKINHf@{X%O@}$i-~MXOY}G91G_(m=F*SC3X`wp z;{)f})#ku`w;)Qq%g4|B;PA4P^!wQ*T&%4GGxs=DWi?A}y2sZs_rO*_V04#ow3{tR zrXs12TkJ*>NBy3(F<}xfd(_Jw73@*q`|mV!b~^43gC5&g>d=TE+v6O23+bu-;l%!M zY=1~3ZWLeor3!dKf)02ouDn&=mdl=hIW!E}tVRI@=3DRE0XR~&kOuKHN4R#>AlTEo zs=JDr9sRdznbIEQTpoVS4-X$V>0Yr#Q^+a~>;?583~<>*4D5wEFdxY1Ua{1Sn#`iV zEljK9aSnYL0`cl&2mcM!oxDqOg2uHuaVH;u&g@L4?F^vCl6Dq(cYo95ZINb3sDsBF z5WpxYOeElwCYnb(eSFwbsBYYboqQ~SST7&vP>}pEEJYd7fhUPuRcO@pn(}9FM5_9g z>(BysQ#Mr_;mK%JvA)@(qrCC6q$%p_j}aLgnp{EeGQxMk$9JUM2P^T8o4b}XYbV+hElIJHCc!tgi< zywmHJA3rhxG?h}ox|kaMncCwfCP}+y@`?ZWusxx;f4pg{LUw1<>pA@NKd4OU0(0m^i%O za|r~pR4lA9QkrvP$mn!E9iB#yz0b$+OXpbmN1jU(h&6J9vMpD2H6P_|z8XZvtBQ_z zygv^+?Y(2nl2J8%_PbBInbCSe8)1gAJ^`c62m+{|g>!Fk%j~d~hC2sun(t7Qx%;}N zC*qstJEg=Kpcw~3X5$-pY$bv^Q_RB*e4unGobynf4cplvU)v7|TxREMUj1C$qAY8f7r{E>$o&9%_N^mAH@|qC z))Ao*yGU$;`DzAOT?{_)%Him zELOdSZ(J4&gGDQ0F)?uWuytLnZ9$9x04;@o|EW~J(E116m#@tnfl%O7t;*IL@RiLJ^Hi!ANIjFZ-E8uubc@Z;^L zXNhOJacdB89tWl+woJ(O7(7kedeQi)-q!3n;wylZn=v_RB^ZF9mwUhf$0jlY;T_y@ zRXHZKeV7}ncg!Xy1}~~Qf}OToFJvu2D_$jW(nZ-btAgBewODwwt_GZQg#+)sW@J!; zE@cSrj!lpRZ#Y!i!oi-k_Gp{X@#={cZE*3iWltY=;>9}Q+?mz-hS#;N@}gijnyP6= z(`F>Z#q`WT5E(Pj!7s@&uuJ$QS>|U?mf2yoY?MZN^9os?QhM{M*q>M(v}f{|8gYF) z+1}PHJzs9rJW#UdMmC%RcmS5dNeaNaF-I>X1DM#fA+>D!>Q=cS?$ zqlNLFVT8BC#G3?YEK23$Wu!Q$MTL95vveKXOV=TokwY}=%WLs>$;`3^&Y3r+J)cIL z3B+*?`Fz>X4slk~Bjwig@{jViTrh2`u9mlL-u3Nz&N;VJLMm^V=p`4ua72lB0?sOe zVG=?toK(+VTre9;P?oSco>G3u4`ox2cxKQwXtB7vIll6Ox!O>g4l&n95HWo#Z|<9h zXz(_UdC9)J^LW&k)V~tGZax5%gX{XZH`f9PuG`8C(>TYKE&A4V@ zGXaKksX*wQ{N&1@19v6_2G7#R0r!{#*=)hpS&zbfG%SIu*~(V2Vf*dt;C!g0Vz^Lf zY(<>IB0bD7l1F+}FCLm$Iv5dVgih_$<8V!Hhy7&q(-3d>cC_5lJ24zbT~+kV+p^9d zGh;rm{d|5azT;gh`unD>{wr5VlAZaAON7^w3JdDbW6q0c!Z2Fviucs@>BV>1W7j7P zhwe?h=PrPAyEDxHiekx!d?PNAl;dyu2{H=n)q@g^+IdU(^QWnNus+m zGZG%p3eJ86X0*Bja>Q^8;=bWZ%$=jY8LrgZswRsHK+{4Yz6}sL*XcWjh}ay7vd=Na z)`?E|VK8TZa{>~fm)!|6oOq7>Fr~*fs?3KI`-5Y99oZkkG+^!L-?Khg0Fj~;v&L*- 
zxg{(#2!>Xx-=riF1GSEM34QJ$^yxXfn%)$7 zuzCC!Q?>K2Wvi{juO&eZ@uunVY7YkX$MWowgK6XJ_Y&rZ7;rK|3?-??Dp_p%Ame?d zlK3obDL@-(I13p~U>S@XW2^*AQun<$u@hScjTk2oJiNQd-hxf9-a$+@R0$6u*PLJY z?#;4#%^RpJ`^@~sbh4JIA^DtY@}&k|<#Awl zDy>dd3!dT>Yet3Yh)NvqJvDR3fg?<=@6g_|t>xy(+ogeZgj<7N_GZUH)r1Hcg!75cH5Lk#OKrkRw z+<6pr!8GJp+BT@8`@)Di9v=1_HE&El&03^?^6E6GFM%c-(jT=2r9U&1;I7(D6N7O> zC3ZX*3;Of7M-W}D`h5QNeqMR3iG=+q`cHAG_mhk8QTi}w2P=gTjGNr?z<=Ali_41y zjrHv8e58`fB;tB0TAA#mJiF=3fC_$}w*_z3qy6uTMs#&e$$fjTM78t#ve6A;N9DdD zF!9_stMK4dQm6&i=Bto>geNH!&0V%&8#=S?I^iwhPHj3nfr$VnmW}aVU?6D;!HD|k zNX?=DYzZw%QjTa|h4{Rbgdr%c0y#q+*%UTBzcy5uBzv#S2D=YbkG?vFzC7Zc6|9Z+ z1lU{m_krznKkU86RIgJYBnTLMr+S@})?diy$1ewR6T3Sr);s0CP`N}yg>WESD&6TV=yTG2S{ zd5@4~UhklsNkdI#rP3;?tcemz^zkG0S<C8PCZxrIioY;0ODo?UV{mEN)peP9e3|h3z#0X^#UQL4dc%Y7AY_D+>WJA6) zQ3@z_9&T5bY&wt07yaxcw-S1eGo09JKB(am^GDs0vdw_g8`_22kg93*k-lL-;Hzc8f$$%&7OWA5!*8FalIy0NcSk^01q_ai8 zIstw*fPXaLGX<@X&A9)TGI{=oLb$r|lcVMe%V3hl2-EAFC zR3XwgYqI8hbU1N<-8P)~cT^v1!@^^RPjRv<1wTd&Py4=Ll!zY;O{s(KARIg)%1Br0 zYWbF`|F-$1*`mMhm>S$Rb=|Cq38%jVw^@yR1t4E(WQZMb0L>CH5>*rIR)Lc)y!~QF z(N-1G1s-nE3sPDVKBYJ-+b$W{pob7=Tf=VqCd_Ks(%^Iepc$XRMT34Sjz-`q0YDrA znh=tyS=p-T`ny(?Rm=24 zIzD{X&Us`loK#bVW6~HwYukdzAPF>$ZcK#O6o5+&R+jT||59D?aflkwp(Gn(lacjy zlK}{<`gFzyM8L?0!yf0Tfd{`JnxD&fjcb06vWK#C5%gO}+70C+ZUqj`t7WI= zTGw-ApAMaoEuW|HxLePdCq1-P#5X7(3GRBgp4*j;2XC>dKNuq5-< zDwF>V-nM1F>h2rECq@~MXRB3s(M$3DnUAMgzo3hkP+43uZX!BOWgL6a*#>ZX(b*H6 zq*>>KVr5e$L8&iuI^fp?VL=3Sk+)yVepNFSUPq`@qr97S{gqS5s327?{vqrPg99y90(dq6 zPX^$#xw@Tz(Gi?m1R`2+0Z>CwED(9IsFre}Y}y_2aXPpg@o**}yu_X@jWpteXZP{; zwwlYTt5)|}9q(>Oa0t&jDgj2(9F0DOcNf>reNFoikLucK7N*LnEXq3X`f5&7Vvv~@ z7T8+}hSFio;B)ZA!2W7@fsy_Iq+mJijO`C`o0x8GTv)%7cCpju7?b*uEsvY_hMz+w zoTu|X`j&i>#{<@s1eg-9$0v8JDe+zeMRkWZhZv|yh`z_wrIAHkAnz2|l?DTw9a}gVCWaDsfsqTxsE-GP{3Q;wA3^32w-2B*S3oVq zahEwX^skJEOuD{K%uf5-Y#?E7{Whue&}D_0^U)=9lSFyPSuVLYmpu=UiH2&-8hI!SHqYlwH-A*A zi4AeFv=d!&X%6^j0{>j&PX_#$bA1d_-02SQ0}m_q0QyaIXC^rllEj*C9rKc8@>3+4 zMC_N5eM5Zbh9vM1`TuOkO$hSqUS~=qoTYRHohKfvoD-AuVDFdd)!WY(Z@-us^_uJK 
z_LuVJTg^vKZ87*w+)5QQ!n6+N9)>4=+D{oY+O5Y3R1P>{B!^>y;0wlh&(&vbzL?Kt zyQn(4pII^yy81lz#+X`Tj9^AjLK{n!?x^|hRvr}Y@NJG*Ss&Zhzj#Ufv$^Ycl=&He&zyz z!DZu6SsfZ8!z3b$!>C2m$?gCX3(zFH;1zMQp}40d@ZSjc%iyxHG)ss=Wwp}8d^QC% z;ZXy!Y7~IY+6?aa!&u&->1mch3JvAX5Y#Xkl=oYw>>X>Fx+k#;`hMY$hjri|JlMIUZ0V~l1!4l<})dYuu6Kz{3uGvG*fz& zKk`+H-NpN+*n!!s@GceJ2opJwjJmS*?h|&%0X^G3i*8VmI4?O12v6Pm53?=U8IfV} z^YURL1j3u*A;5)*6L2(SeuOD?`*br-nNPZ@8jj_YZlHjxe9}!+?;nuo33_Q!$E=&N zpXiu%k~g4+naG=&oVl0$Zl>hzVQ*(r2Lb>6q}u$Uu~E{mmGB}PXBRu=rBsP9Yk(3; zvI`PNMOo(#f?Gg2bk-e7&mD2kDCwxP#T@sNefB><_L=3jhQE{_=vs$)&Q?LD4;NJ@ zb^$gCx{_c-8PQgRBZt%AiVyWR7z&^=NuoCsqh#BGq8hO?X>g?|NpYqg!cc0`ELP1@ zG~dZr70_TJlmQ$o4v5=WB0478Py(9KPK6oVQ^%W%K%T^*y??=+vQ^V_ji}A*lt{rv zb3Ktqhxdk#xDAp?G?i3(yjwqYVw{-75}O)hs+JE8$&tNrWXT|J5l^x(Kt1Zoc3XFc za_ieg3&b4;7#^J3^ec|OQ8*zP=Vb@nYzGW1tGvpF9vof1EN+_bG~N6eKvfJuz_!)d z1vno1MA4R#a9y5GFcc zl`P5GRqs(X%DEb4qDHxrql|AsIvVfav@k}=g{{^c+Yt*pKxw4Hp2+U=Bq=ZRh+c;y z{K#p&4slO$Vy{DM1@bG*oMrFO4du`FokR$)8HBvjkjUHgjyfMp7)&a4BDzFr z7x*@5<({n=yMLKBEf#Kr%W*q2%&k=XV^J|c$04OetvHU;_7ByXtj>2l6%7i zsTW5esq4gw=H5V~yE2h2*mn;DX&@elP%j65iX0>WbrN@9D!GCP*tdLawDZt|Kg zRh|q7hv)r9OT$UoW)$lRSc;#&dta)4 zskfK656OB#0@*f$OVI#AdTm(nrPdLCn_g-igGi*8ygEMM=;fb++L%9o3miOv?B_Ca;fp}w)z)Sy3lcp~+@JTnIghN9Vg9N`Dz&Oo`o2M_ ztPV(|`< z#{LjnuKa3qc2EFwrZ5xOK}qTGVV*!4Z6{#Qr+HJ9Y-TK7#fo^Ti*hCp53ey+AdjA+H7G)IiQOBvE3VB?yD@ z4u@fh*wIN>e_xdIvhAPF-G5z_6E?suT>d1~i`yUSmUElmwAI{BLtm6Zh zRm+3%0ZTNqjznB(sEZrk&Liz|6E|?YRW7_`<85-KeYYPlS*K-R>wIQiKcIehY$8s) zyXIXYt%jR4N=T*vl`X2C3EUd-BMUEQ$PtZgV3>%yO+>h%=Bp`rg_ym$aIGIN~2~4gFuLG+Vv4-JN2v2n3C>IKaa0Oi0qYlS! 
zNL`@61Y1v|-3Kv^D4`oqerssqqp9ng^bG>=H|!e(BJHkk5HD8e4&}Q?V*({CS8VPt z-wG+*5~3HW5Fv>SazC62VW$9pBcN6mvqEYXj!l=85GcBqKq5O|ME1OFtAJ2bMz);> zlLydJ9a6gTzLcP2!}`rN&<_CtXd|^NHH)&zmwEm8-?B|7bwc)25BE&resW{rNc&Xi z%qWC-^>RX`;g&Up(1n22gVds8rrb-N;5K!FMakcGNxhXoPk1g4m%LWQOa_-3OElWZ z+%1CwdHIOyFgu#`pXMeyZOK+b41k)rGj}X%>IT)xadln#VAw{qrIv2tBr4~Q1iEU( z)bMRJZl1!)yD{ncqUiaC1<$w<9+z`b*pJ?)w+c!t%YY>*us;OYGlnh7@u7R?!)7Tc zpnLw*-s0f2!nR@NeJ>)TEUN%i^wVi|VfI`t_=A@?w|tArk#up#Le+ zHwyM9<2-{%Z)&Shk@mwhS7v?QQh6XFnuH3-KN;jF2|21gXef-+W)j6S(VRf4c7{p_ zv`S|-%?1pJtrIE+R5AtlrL)8Z`MHVJICufhKCU|q5r#e|vQmhMf{-I42~w?LLCU5qH#$Bnkb=x|4tuQi|bX_v}#<3A_z)6bbPR7JXZH`|;^L zwld;=Nn2%qt(!hiaX)Y|?1kao40pY{rEkBVN`G=!adO>n1G3|1J-#?a?X9hi28~>!K3r zozbjQ%DKa^KCQYlg+->Dx@Q1O{qtAZSUKZO-j<7!x2!Ig`9|%FU93xvb*-?H3K;>Z z7bnH@c2cCY15;ddPtf>F@x^V`;)}%i=fCw&p<9LZfa5k@uo^IVgZ-k%OW#ZrU-0x+ z7y4E^@u6e*mGs^y>%}{^O+>%;(EieVII%xCb&EdCZTFy5hkCVp~P=n#NOn)SwE z5dq$@&HY>cIF!?NbrY!~ME4L2_BRP@daTU4`V(GK_%S>$65wTLdEPsVy+)Z2f1mps z>0Is5Pcu_&gBkCVLtp1`HvC6-MEB^Ix%}+rauAE>wmVyeGWP#2OKJsoUOrqip$|D! 
zJ0GCHad`y*jEY9F_py!MDn%7sT8n&H-Lfx)OK+o+Q~`6TVBS?o_|hs(1qC)MQDy4i zys6oJY4D`a6t=gC4MHicDKxVI;8>d3S7du@KYQX%w1Z%OvAOZRoUiFUJDN)Y!zE-^ zV1h5|cU=80%I<65tkk}s+dX&lT!aYfoJ{!za1A8t*A>AuYS#YWl-0eBfvW#Xb>jh~|` zrs#k)-K)jul2SN95W3LufJ<;3Bq(4jKCZ>-=tqd+0}|cnFCCtN%hJmq+nrr()Utw^{N`dbO$&_#z{l+*v^b_Wu@xI$ z7?qZ%EBZCj{*t``_YIv&AOTeMczB;MM2Z7u7C9Tdh-W`ovrnKekD)J*pf3-hFAtzE z2{*SxR<$8L6?DTKLMm)>Jplz(vCP>2W&2p|=D4le@>^cl(YD@TX$kxCi|7}t;od1Y zs=GI@BuNq6rf_610<8kMV?0`FE4Q*PX){e$$wt&xbJS0wqmmv#{lVn0e9ML*W?Z&@wXpg3ObCqGOyP)fmH zAoBOr{8_tF_$ByehgJW3(0T4fy5T6!W}7-))O?$EV;fLOTTJK@?81OiywRi>X5bw< zm+2_Aqb%C{rt4$U=65%wkAgCgs5B_*$ z8PIFbq5v6!Qk6ZOi|czBdAn8q6?N$vKXh#v1@#a zOK<1yXJ1`D@eTrYYLAce#1jLlnoa_-Bejrgu_JF`N1N3$UEENdY}Brn0bCmZx?!z% z=r%2DX@>nJTi|Q{XY>V&a_So>>P7Qe^dTXH^XUM}Lopd$D$k?K*t*WM{41U9-U5`x$dbL0O}k?zb)Pcu&Ko zeH3ksD`8qP1GC86q62?Tc1Zwt+Q3Z=+zc3O_%+3C0SYF=qGZN^g%m1q_j%JLIJ+nO zxbS|E?(T_)jS}X769#qJa_{_VeN$K6J$r9?HRwnm{UH2jhbSOloH6ua|NKNz^Whof zgo5n;Zf+dS;E+b>@8-UtybU0SKP*ep_J_F|o3)wQd0QFq1x;%sgUx&ul?(Sm{aesd zX0s+UmbVl1fO*Ji9lrD{wTqr#N_~`jm+eu2>UR^H(h1XU=N;)pKZ+DXIwJo!^r9mv zMEUF4vB_MTunIfvucqRAV=~bY_XESVOT=TeqH%;Ga^EI(9)QKW2>IoH1y} zl?M-;F^U#v$Z{%V9W(!sS9yjCl^Ue0C~qXFO)1G)g}5QV4Cwlp7d>j1dX$d#S=2Ah zonRyED}p&24fHuUX9kCe@u3obOAlDR>DYcE*8${EY&co?j=$R`ErN>4Z|XJEMJnFa zP5;GIMs>Ye-u4x5IZrr0v{d*EXh6u*k$5gC-2L|ZU^hLJ<=Rl{-yYJ&%ryYBK5y^J zzJDa!CPoZR1#<@xWNQ zoVSnS5>%tF2G7MMqhSNk)Br_7V6ezfl1lgEnQY*U8M{JP>!0Gdty5?Sa`;pZ$k6GZZ5(}6Y}Ty0Qo zF{@j?cvC$RDV3p@{VEMeL|q6E|JOgYFtvf*sYk$RcEeWE^=jU>L!N<593-H`O73F9C+Zn`Q&6z1>0^6#PeQrxEHUA6rFtN8D#UU!-Jt6(Np z^C!yr$hnkR{o-;J`PyG^M2=@0VoCT=1wvZkgUkb6nF|<)_o-=GABQH!;S*h zp|9`^)e@OH0DS;k6bpo@7Ji+E?d0SN-7&T-tJZz$UlVYutFG58K~AjDSmQv2cV^?M zcXpP;i?w?uxMU>9&AE6olMN>)LHS641Y?~0!*?P(oHSr{tzB^JR*l+J<_=4`yb6CQ zuk*)jcuBKw^IP#9wP3TKfrSae0GDNS#8`g_tcDoW4dvY66lME18ds39wBE!+K0JhG_TOvd1x#8 z;L{N^4_Q-GA`>%#nx$%cai1@4NVQ$boEsUy9?~F0^3*vnCgJFH%sg{r!%Y9zWR-=i zpUYIIZM{hnHm^XHocm>K}cwspp`4@ENDtwrQ0OlXyiitU^ylqV#9Ns7aE&Wj_% 
z^Z!8Qf7znhhgcfeanNKO+x7xIJjHZZK7rfyaxUGyWq1FuT6TCB;wZ1hJB1bA77qT| z0uLJpQydrX>~oC6AkAY&r}4^0HQaKtl6Z^qw&HUJb2@dhLCq}y|Agb^vc30TPq zydlX`(cEQ=hCwyNOMNa61RlSZM97*P^k@Re9+3Zzx^y`ea<-~gJpYACofC}3;h7JT zFf-UE2OZh6PJCCW4!{zQg2AZMC91c1Rdd5n?Cv|Hfz|l$6u#JvHzI=_f%M{eaQC2f zf8Vs)sju^0hO9U%hl|*mY>@DYYt$jDZ93#%!TS|>R;WB4j^r2n*Ltz8n_vIR^A0Z- z`9mJ`N1g*N0;n#;5=bZkIk4UOK=SRX>H0f%ozARA_d}-Te19DCB8rsSsT^bW#|P@A zL^rr8A2jjp^u`OXX%sw_beB>$`8L04tGRV*EcLI*OuL@svp81rJ?%_a( zXNn`GJJ~>*j&N)AizC50CNNdV@hXAaE0Ka?9IoB^rkl5w$Zt?zw&h*b^|3lb-0x~b zs-vzPNXq@1Ae`uhweNzzEDQk}`(iWeds!TTzxKnC_UQq>gyBG0;{d+aFj@u)KhG>y z%ip7ORU>qI`4(h)XM`D>IY&J&B0Z}BBVHsx6 z5k4e~?h2p^0-NdyNk{AU&R2!UCKw5b)MO%c@bgO?3i(m;b>A%5gPQm2B{f45$yyBD zwS-INX$b}Y^@iU zd}7%}I_Uv<8H^&rdk3h!OH~{W)wk$HeHx^33Q`64Wq<=N5J1WxL6mb9$l&%8QOpM- z?=o!C=q`}Pm1c4!bjscqy&K&%&Um-9$JNRTL>JFZz+QS74Ik`ZUixu?{kVt?fa`6% zM6zig?f$zexw2G0wdJZIt><_0IO+@9;BnrO{}Gb88ZVL3jV3y>Dx8 z+eo(kFZ=mqAX2g}j}&D)I+1LR=yA@s-yi~#Fd_*CAZ07R{`4Jvsj6;(bnL|1-=0_` zyB4n9UDs8mj=*Ub&i4Mk`Z_$&!vIzA>|)jaF9V!Oz=R+UF6v$~!Qh{%tL7QZ)tr~O zi%gJ3{e|}q8OZOiL1zM#SGNDIKzWBL=*oVF&IuL&VZ4igX?8|B7QFzX!^okw8Xiid zdJdo)ju*&tI5pI^aHFt^ou(Jc>lX7(x0pZ;UovZ1PLdRl<TyNP$u6VOtUUZpQvA(QQk2IE$T^L0Q2bG=|Z!A%W#)$?frLjaHvSVWj=S}&pT_)VP zM!e+&v|CVtZirR7-85ysWUp2{Z9j=w+Tf8n`VhM`D7hboX^`>^GLV81hjye7**KV{ z%j=qk>=#Cq+9s?)Xxg@8*^z$!s7wE`P)8mT`ug=k%~MKmPYHS%puXX*k!R|LkM&Kg zW>z^rly}ZLf#A3F{GC4*ibp~D;KKWJWgo^JoRr4n3uXNP6V)v&acAt$$v$<;L>X*9 z+Ppp`u*oEPMEPqnrJi)4jQow&&BA5MMcKB>QfAPF3}0;6nm9NIS7P2uOIKmeG-fmd zHzJ+rM#ZwWz;Zmo%Z$}c{;@5$Wz>b5TsA4-D0eAVHR%h!7EQ*ACRI+ngkDyX8h)V~Y z?r`QNn0S)b;dfK6^3{fu4cs$BD8hq4C5uU*a|MJ`9$fp!4n)37|6i(VC*Ky8SeVuN z+($Q|W{<|z>wcm#0-PCv@S2wq*OJmw%A7M$Q79VcAN8)1BUq31k8Qmn_$ki$aO%ZU^3XNFM@nJnM*IN2TI2*- zf(}Q)vv=zF9S^&sJ=yAz8v%8i8+A+l8(Zd$#g!5#y}?PG22kFBWKMCyn*>s)RJt49 z8r$EhICB~g4C;^CH>E!_1LdKT^n;0@e_0y*|(mmAON3AGk`r%xTVxWwnx}P<4-*L0Yeu&=VWFziOWb@-u1o zQG$A_DPPw8ouVuzkkwB>@QC6Vo?`;cAQF4Xz%O*5T3QbYH$occg$@}bh75ht5Jtjk zF^Y1Rp#C1~%3=+m(>*}lDN{Y5QJ)Yf{`c|{sr$@Ro607W|3r=7D=`dM9hEq4<6gPP 
zNli|oubtWf)FjbNCjmFFNZWYX*QTJ3cBzhb<@4`~w2PPi`@~?}pLpv)d<*KcT^yb- zcpQBXZU*&vW?@ehb`OsOiGmk&B31bb8vVzpA@k-P4*!4fhvq-;>rx_3FLXVN^bFF{#zYJ|l?>EG`X;uG&ZM8vZ%IF2N z4MBrAeA~LNlMo6JAv*)ARzPVlZmpkEIPe6bBR%$rE+En$yH(CtwsI6@;fLi0_Uch+ z6EBn&Th|D=*JUha8Plw~g4IzZCCk6N?ANSr9)zFwza`abt|QBZc^?I~{Beq5lN`K) z88Qteo-qs8l_ad=Xx#|Cf`15)@LKm_e|Rk|>{nW7Pj0ZsDz=EfLMNC_>rWh-fqg6^*<;Y7CYF$P*@yxmpE8hTG~G5 zjYSwEKGHl)Gd=`ZsXYj!aC8P9k06V7FTk1j?$wmcblW(I7U{0Vw^BB|DgcafDZa(e zA?8X1qfKvYYJ0t+Lq!s>gD}KA02vorP6lhWup{ z(Que5szV@+)jz>0f>NWJ4$Vq+a2*-Ox=Z`#x< zlZlBvZtrZ;B;3ZaWPW8b;T5jP{#w3#wxSzrfzB33(LJ`8$|Fz(lJ7l_!en=BSz0%| z`j|U-quD(ZBN<*Ohq?)&&?#t+4+>!l-;uSwp!ImNevlnu@xnPK>;~keSdAOJZfGWC zCt8-$jyTxA1sGTv;^1Vk7#acrpK!!A!Q=B~+sat|120rs@d%rhWe{~q081^1X=Md~ z7f+v&D;=jDi&HQ@F!f0@6RDV!jvDPo%*cQZ<&g?z=*(8tZAZ(<^Yh9AvNP;Lg=dy`xoZDdNawdh-QImoT)*(0f=#xVwCp^5 z>w^-lj169vA`U9uZ}9dZU3qxjJl)mxlgZf~QimR3kOk?$Xs|49#OYSFmB&7x5H7EI zzFJlf?AG9PP@wmU$z3Zs#1Z9;i2IbhwNdtb>*C?-re;g}Qik^L5jR3054=(lK;QwS zo(nSd91k#UAF-8Yoln3;>9o6+sFP#Jfiaz}_Yn<1jQV zH?YHC1LLc=`S8Z?MMmXRp9Non<>c&)j{Hq=Gz!jL25SPPiZ4ZH!Jc~d%Q%c@2lqpU zU&cqlmu#)Wd;!da*4d!lpFJHT%=|^OLGR3O=^l{|FG~Vn-Q`y;T zou}MOlj<55k>2_%hDKO$KKulLM?Cosa&Vq75VV~GE07b1dP8<>vlITD)-WjzBJEtf z@ZQ+JMw&s|Lo-}1-eAMubJ~qn@2%M{iagQ>bjswYdT&iyQB3fjpDsoQh@jPn3AO>v z6kL>Y-c|KRc%RB=b_x$oRoqvL4f)2G2*Jr^z4_H3y=O@86cXHjOdOq%0i9~0l_^5P zhuuy(veyPrab0pHru-^YnK&E5r5OJ9E38G4bl0{h&2{ZW^8Mg2)i{%Dt}3qCGwN!j z5Uthv{V%8o)Vo-)rpwd;i(snjQZ2&sBlE%fMF!N(2kVzNU_UNpIQDRl!KmrRlJdjf=N;>@A(w|GMAu>r=7QvMCE& z_3|Ie?^^1ekP4qg2QzbE%!BX{GF%|JaYsTTCfSz47%W{YhfGjHbo|o)t?#Hs$LTtO zbF=yQZ(aO&LyH-9rU4STvd1$Z=Zkt<3<`&;1ji`{NSdNlMAQZwmVt8^TKPx6j4|(O z*w4bmUDV4Ft3XQVUtu8CQzQzH!hRLF@M{ujauO-UO<0txmz0=dgpQEIM8b%Z;J68q zL&vuXl4ykq{ikq-m{YeH)GK-An6g@^PfPAd0p`LlJi2x(C(p$J6Wejmf@>KH{WBE{ z;NEay9}jefE7^!I+>H9m`(EbH#``CBIbw=`1`;Ec=v0bA)B5u)^9P~)q41&$KKTF=cPL2$(k>p)eQgOaTthmWic|lM6De>De@SA)24?Gu9cdn63 zYxq^l0{@;%O>L?0Mm+>$B5QsKn#C{>^>=KyT^V;Sk7NBoP7ocJJcXM1iaR~V0TH;#{&cQD+#2;J{Cdr!xA%3k%v#R+f%oZThWd>f8eYIm%0g4V 
z6U)q~bhdsp`NAjJd4m$#I_eePtdPH%e@1SHMuPykG>Nn9=AOROQ#>(cVz6W zCa^B+@RT}<*=IT}T2314gR|c_nk1UC-Jy{w+isRNmEz~-PSTQa8c6)7et%*0Fmg3-34E) zHb3@!(U%5x;KkbjJKcn}x~9kNU8etb6S@TTe#Pyv>Yix|c$7eW`Rf+wC8wcpNoXi? z(4l6jAju7_QgeC;Bj3l%E z*~O`lKgJ4=2c?yX`y3T1_ucyvlibp-fips-zYAY_r_P7LH<-SXTgJhcp@|@veGjpj zVfzf2_FK;Lusu+s+u)rMk9ZF3fnf4UkU9sylcAr$Hk8bVH=zfiEFQ|bDFi#3XIK*T zs7&Z17Xns>$}<4rLR1Zqf#cITKgWPC&`*r#hu{rp+iFucBx_MLKR$p;Ns|YJcIjKE)?=FZFd7kG`GQ&pwG67Kk zqfmi6qye)u`9AcZz?Y%V#`jd%>J?AGJ;pL8yq?+ji}GuwLXu?aT&!2N1|n)Z{2tk% z2&R;tfHyCpf@JMck)(Y=pbp*YNkOUh

fH-+f`Xe*R2g$sF-2RogXqJsyx!ku92dSB*yEhf2=)~Y;?gm@n5 zmnxP5^>Mh<^g`lvzeioCfka;isOe$M{+3T+Bn& zWk-~p)b;`AM2@w70FRTB_Khcxdi(;zQb;|nbmV0-#|(#~^jGl9G=k@6fA+@E!MPVo zN5$L56O=RSZ=%c9aKb%j|V57B$>O8|()1eJZ!2xm?IG5{tI{G_PK0AO{}0&V|HqbGCt&jp^H# zv9FjmkizzNQ9e(FaCkomG?*Z68a<1_Imj@{NU>`FtXDi9@D;D>LHR_C^r!##3GwZ? zN0H+|1C#7 zNN3$(@XiF!Hpr{<(!VNPM6RVsUjyG0kEu*_GZ(9OhI%x-nt5KW z^F_?}54X)wC^sDn-7y0izf-deQ@z|iuD5qgT_Lk8@CxSk@kWUMhGbSuyW=X$ILDJb{`T@Ml6KA;MB z)OpBmrkY~OP-V5`(_lYcuq5K;QckRdJU&$R@0Z9&x!}C0K3yHZFV~zG#J?fS+WWig zc7^|ky7GF=KUqz(*4^v(GX*8+jRx&I3j=XbQ-)r6zaEeCSZ!WJZzrt%MQEVoRRY_XakFANjQXjq7u%senGjWvof%ZhRg)$kX=L+; zoSlAKvS>Ur+KX&X#4`N`WOFKx=~I(C{(~NC%qDN2WNm6uvQdOi+;5rba4!^Y-<1YJ zh(EKS1vA%0$HUi`sflm@gdH@bC2 z{e^cvc&ygDaDXyA{o6-_mqY-HNWQXv!milASqu4qxy*X3c$bOPhL?YAYqs+3quZrI>ecGf$fWhT^gY(jyI{RcemhLFC-ycQWOcudKB3^AxQNN6 ztIH^xWff^P*t-Y2;Yjx_xFCuuD05uaIPA;LmT3JAXjJYWY8l)6$-e3>_EMF^ z11QCo2T(RmzH0CJO3ev1&~??>Wl}TQWNMtK-LQCyC;YR_QE3o-64WD05hqeM#EO^m+GjfYzjKF zl`J+>K*}UQlUrxuu|1L3C2`=A$X-UCPx;d2xpt~=zLrT})I`2j@(q` zpajx5shjAsI@d<9`~GsQIoQ z#5qbf2ox$uhf*m6NA0rQB zDq=OKxS{(orRYsQSfbVxiqT~idsmbEzFo4Xc-?ScaPttR&_p|Sg#c);E@(WJ2 zF71n933~7}p%Qk{ulz~hf+^!$Xrj%6?qU$0Rh>?;~v45Tk$?(Ov=%C=( z3xJY2LdXOFT6I%3C|>615F;X*D%#Va@N+|Z8W(+%L0!+1Q)9KqHV5~1UDTki1_=nS zM%F+h3oZ-Tu_7S77@%hzKo7#{#2o(a19;ngYHCYCu#?vg&6>}St7UwK?;crJdz^k= zuG63in1t~<1&2;SX+i7U*`i+N)k@Hdr1?3N1&(IZO27{xAa2c1opS+2ahqN1IJSyn zg>wA}nxmosUA)O05vC5$8y=(GR8-P*zXXx@>6~m7zxWGuC!E-4;IM^w%)8c=dfT&g9N#(NxGhfX56AWghcDLn zS212eijosZ=ap17JLT>wh_pmqGZ^)(!J4WwGn_XzHIrAbLn=+gR1nU&3fO-kQZN^* z_J0M;^uy%(EwvJ10$^hAF?_jjA}elM9uOd_z&xKn+Eg8RJ5M-yMF246!sJTnpy5mcQ}Qf&YcKucm9RE* zh`!klUBSqIvvGIWeWgsd1t&XfGWic_TN;roF*dx_R|*3*B|Y)18;!j!ht|#T7&!HG zM{P?(qQh)wQD8(SLlMM1O#ZEwr|Ej!kv}R)&$|9nHg{E8pBXmv{4%^Ju?90jETL-L zQM5+CjL!%cf!e@jXhc+{wA;IO-c-WZ+H(I%NpK#JP6UNL>#%1w_Ecd<+ziPm(cKR# zvS#+|My3#EclrEjyOw=nNL}N`$b{E@EtN7t+qp-Yls}t((=ur=({v0bd8v4uuM-og5i* zHUtRFFc|xH)ZC{Nd=J;2U8@RT2J@C|Kdn}!POu-qln_8(OUN0AoFTj%Q|x>I;qT9= 
z0NVMsVeQ)NXghcd&F>9=%0Ix*40%%i_oC2qMOP=F4-vWh-cxaoK|Iw#X#dd1%=yH_ z7Q5lI*B_38;pu)3f@{al7L}E=&*o;QFz-DniD=pfxDtSAT;+OEzi>-aTDMKcmNg<*@xqLkHY#ASO8}6%&Xdjb zP%tP3Wuds)*Ix6I#kMLWM|t;Wtn=(UJ`&+8zc;@TZD%`x3>qJKQo^0^FhK|#h*ZQ*aYn}x;ej~Yw13BD4V)volgB41Cwz6LA6y)S=cO(tkgVl8; zDW#X!(0LI6eNvP0dpuPc`yU?bV84Y6gZMHGa4;^MfY$sa`CE>V)K1ObZ!MgnV* zBS%Ln=K~Ua(0k!V)y{mK16B?lwGqv8A`+Om+Gu@n9JN@Q5}ujlBpW;Lzmq*cY)V$k zFsMI{R@_RHCvtK}-c2ll5hOjNtTf&Y20`pj48Ok-h#l$Q; zgHVdrt@R@5Z}8r-FRCz0RgGC{;(C0&m*W7H*#m$UdgNF{usBeHo!Nfu&uJ{tx-OE+!;XSV@5KFxxL(V&B{@EnD32m^5DK|?x z55g!kuj8q06os)&tht4=FeBOGe(2g!f{4Z3t1I&&)`QE*yf`xWvba@bp#)U6?6kbx zQze6s5ewG5t4)s%m1+28q^*Ei)0PD5EXRHM7(WGaO`@sN9^QlS`$iBzFO_yDdH zx3#R4#8Xnai{zRj$BMd0Psnl~oYs_2kZMuV54H!nslxj=_Be5hQ%^FD=rmw31+ty< zX3isl$qCPsW_}@Qj{4_3E7_zPZ$Cf->Ml@muhn(!5mTZx&EOdt_c(vN2C1 z-B}`%yt=8^ZMj%5J(Pipd)u4wJht|V6jXMc89UBLaU6bCtxuHRH>ov_I4Hq2wU$$N zn*9caoE`KIRh%{mI9HM>ajjO1*6P{I-%R#e^gvS_&vvuLxcK+)wn%L7^T&K8iUac1 zMrjxWcY2BRNg&-Sq}Y}Z%b>1pEZHkY`y;cYx+g_9HtO9x63L_rj)ycI>eEP4W?Sus zOhrV%Jhs$mNzi^VXaBcD|HTRWKj=;b4H(tHAFBgnm@_Zmd!|P`@da&{^mvJMqmhy_ z;RBh(q<5&GPLOmxkJF3lguv%STPV8AtyLR1$z?%7rqIq9z>m9Ntf9}t`o`msA z#bX7J`cUy;fj#}b?B8rY?jg{JBKHXV5g4z5z#RjDP(di*D%`C)6aq{v6@^9jUpE?1 zFY7Os3*%Ekx{`$9cbtt`qh4Pb|Hv%pQ-T9#wEXwsZ1$SD)EkrQz?I8#S+!+buG*Tg z+b-)*c+LY?>;%e8p#V3^0?2^zXv!$P$dh3T+MgDSOQ7B}FAx#+l^KJ;A({zD1cRL? 
z%nHP6KOFv;F!%5jrY1_D9~6v(U|G@Kmg|x1A#Rt;vTgGR_JZ@=PSW=yMbEd8mrG(@ zYph#^g%=Z@cV_@dCDRj!dC6ckYH(}9FHbxz{M26H0df+yUal53Pc~(11aGa$ZNjX5 z%$u@WJ<~x?CVHhsZ#B7pbqO1ZOiZ2CmK}D2eyVLvN$#Wu(F`o z$v?%_Upkr7gS=vpx0K%N| z4Mhty!8gIN*UX1##+O@=OH4zf4D#U8yk-iruuQcN&A&OJAmHd>NK=FK)*w+$>TntG zc7e?=fI1Z(mAK2-8d`_BL}_8yX;Jl6=(O!j{KnH`m`R1d z2t>O@1^K~)oN7q2=VDwK@xkxZUXcvV$@KC^(JV`ZKE<-upMZ^vy|)nvdNp9|--bL5 zt8sKV8f_1k;P*`_b9C4fNuSqDLXwq^Q|NpgVNAQnxLvRm$~~q`4oZ=Xr9@JEYec%F ze(FR%d`L>ktIxJ8rl?55DYE5IoR89=y*Fq{RFt4x(hNHUrke~q9qw=LooO<_?@Lyx zKkSdNFyC$->!$iMHReln+`2$sRrf1 zj-&^8%V}xjZ`Vb>8CH!g&G7#S0O~4}YOrmv0hQO*LkC}=gG3ILq0Mg+THbuWMmM@c z+~f8xQ(l`z8SM(Azx;IzFe4e53DF$JLdYP2^dKP^Xbsm6VTg{6ngA>heh|l2C<4!W ziW>pSgZNV3J+hTm)+PyCZC|+%4)WV)ELcM3L%*Mu_xj8uRKNI(J^`vb%s{<63j=?Vff z)I+KOu&J8UG>L40q(1*DCxiZf?O&+0Hkdw8r{gB>~|6BR2G!5506C0Gp{Bs4*c& z5)7At(ipGZnZ3?owy|tE)|5pRe-X21b}NJej=qs_53*Yu9(`Xrc<4)Red?oIwq%7nL4K#SryYgk&?+YHZAK|(9fCu2FY zKLjlR({?wC&O_TXY#S(BVWp*3pMiW4%Gxky1qJdg;95hxta3b+F$ zZ!GG^PYar84eT%)V4!qsze7jFN!PrP)eqlu)LB~`Uj(2jf8+L|#*r%D5YU&Ck_qjI zQ|Zs%K(s%Iu{nrzq=bxJL94UZ3|)yhEF)LT{xBK1k|}~I9nVZ7X-aEbP2T1uMT3C2 z&=AOepR&J0aQ!mepp0-lml9s(JwG?tT8Y^2`CVcvT~U55n|Lef&wTWy939>{s*|)W zNj8!Oq7CDN;AJ}s%53F68FVXQ-;7UyFWKb96dx>6BQ!4FQBJ50Tj!A`8DmF zzH8N^cPpi{t<6^nO)B2X!83>vjOB6&-hm( z!Hz|4EzoJZ(wQ?j#U|AHj(E0*eV#4yz6TBYlFb18bq_F863ETlo+AC%zU*)X-b*gt@-t_suraToxr= zvT)x^+=<5hJ-@%*;vHr`gl9%0^z0n(m>{SA`(-`^WsgY)4U|u+V*=)bL;mYD0(Sao zIrjTafW2a0(nc-#LE^TXpy?JEnEE`T*DoP$&JK-ax)FGv1DpsrKnj1gTpV?-c zCSSGroZj1$lNS~G3`Fmd<f0dlFF#y+_)cLU9@+>W#3RdgQ!m1jJyL2QWEL-FF`F zDR|zEuvEslEdmE?;69D`KZ4M(>vFSpG8x)oSI)*P=lQCjef_gP7M~q&S@;mH0&Fg{ zoEmI6ob1A82`J$70~5nSSHRfa8i44LAHc<gccxlD#~_%>TT2e7S3?Lb?HTePW&$?RL!>bLKgf{5iS!RY*&t9<5gN;h;-{ zkb?6-Vm!cu;xV4CF?HMx0|t0HfGf%q^Sg7bE7BSB8rm5i+UXK>x0~9nM;;t|o-io4 zcsL;hO$dSW&rv#w>O<{O;IFGLJykA+0saGlqJDj^Q3!7VGXB*!@ah}bi*G=!F(Z4y zaT*O-$MHF4Pwfvl;cQ~*m0praB8*Kw=j0IegJp^Rw!ztqRdT1W{?c`O9ie1}N zP|vY%Yl=Z_Df~3JAn~&A>WVI?fDZ#-ynG$PS%~b~Nq6Zu4wivoomLw0CPy^7!Od12 
z^d0)GcsM(?T*=q#jwE$0T2HgDNUl(v8Fgj>z)Ycr4%Ho+ULA;5^f}Wx7y((AskK0u z?FiAE$r&kAY`bZ>ZOJAOY91r0v;hph5=`OaCaYTeNMZlx$?JPeTmSnctb?s>_TRiF z-=RGXEbHE0l32Vcg*_fg1&I-i-#RF9qH%vb(pV;7>=sdA9Y>d3rJPGtylty_waynQ z9q)hRDB(qcd0PDP!QP- zYfi1D!`s-mH?=vBo~@~a)q%)yvvV*+H`N`J-f+BF791t{*QUho;z+@K4XUfGn(js46i71%0F zyv*^AU>fyf zjh#<~@B>ICz*0g^gN;yqiIARFHO~%hv-`YS@I>SO2l@dRtrcB#z%L!Ql4XngI>v$Jr|sdDAL;E~yW0cL)!{GW zFgko_cw3QPK?ECh=O*vCUoFR%IEm4jc5m_9C3(+eBn>S^oR^L2QC!-QJxBAg))Pd*=d(g6SzI$lhUo6V1=V2uM*sWXpP0@idXF zWk+0;+$gPA4rL`B5-Ff?hzB}jpdVLL7Ziz+0Oy2=N6HCC-U36IhFxPyLCZO$@1ztY z+e+#ouU#X}yd2gw(j`+&>4-}cCq_ErVn>77*sL3L?4?zlU>6IRNJpT8Cwl>J^7&Kt zQ1Vl!`$| zA?#mk!5@cvvttl}+zH1?6Ut?d2O1xv0cl;3o|2=H9*>4l`-G!md4z9kV3^t36i>{D zH`Xxjb90`KOVy$7^oj4`h-E=~33=_)HYqnSAt};Bo;_`2NrGXHWE5lPlu2uQJ$0<_ z$mV&M3;s2_+Y7o!D(PRbPA?zaqx?#Bd3jYO|Kc?Cw0upbw=8S^@bbl+GguO@NphB^ zg*jE2J#sTaX|UsqGSaA)4Ni8~ebq1{Xt5AH4}DU-B3&poE@x?ICus>^Gw{p^grBbN zuNMzAL6ZnXl(*}LCNFUBT1psMW2D87yV0l#1v>q^-@-5bcbzGngW|+9CP=;BN#Wrc za`c#g?JUS|!a}FVcxI5^?bN@@BumlG(5+8F$+X5Mk}LbcJw7ND-xNW&7g%fWOy<7z z%=%`zZ4+g80rv)$_xI&os$tS|D2kEA>e>H>K093x<>5X!_v@`boOV=B_~FEoNZs^Z zfxqK}*}pOZ>mU3DC|*|irpf2!ziL6KtCUm22T>O7_O6{b)f$>H7e@M{Ege4Q4sPba znFojCvYXGp}wBA#cyelJ}I*ckfwlJZ|xWkalAg#>9InXL^RM$kQe~q>#2~3HU z0x6D`L@B(9j|W*f4pfFqrc(K0>&_;Bcqj|yO=D|zyCu5}CND4&_mjk(8r&W$35xJ) z;QR;%j-E!Zb+&&^ovp~g-IVPntCnQ-l}L*H#0G|wR7ryCjS|Yt7%Uz6gs8<=l`}fd z^eB)L?eR@G!wSK_Q4S{%FT)yez5^|3Wpp$PY_W1U1Nfv+Nttj|f zgNL3#ZnZs9llZANPLk0uo)VjCNz|=us`+NSqMA6->`ofwlLU#;I|ajE{XEtNnVLPr z^RUIZ;kh#gA|-Ri8XV7?@yo+2yNj;kVZw{UE3$pAp>YCA!>jA?I4Pxe;AR4H*h4Q! 
z*zt$1%7xbb180o_-yz&toKQ^QdHE%8RAE)MTrWyy!4@JFybxcm$o>_duer2P+h#&Kylw+0 zMt#7VR|H5IEC?psLZt3I5c<$mMOLuIm1q8K>NRCH3p(%jOaQn97Xjk}e-9iD&6@1C zc1L@2d;i*6TrkJNk-q8$cGL~#YoITIg%)RcNrY$Af60gVT9xqcIqh9_hrO!FuQs^7 z2LQf5LqezjP!R!=x)Y_J(;(9hgd&~;hodiT8Z`!y`s7ABdD2m{$`|W;QO#d?dPw0U z+MDR-?!ixes2g#pbABi%%ie@D`@}%oliW#K7CLE(Z8}Q3P~o^YWa<^nJsYJ0b$8gTW> z=az@~>;&~cHZygIo{8Ntu)jRRn{T4|g6B)ri!xLH>KjdUwq#OMIXb*~3dXv-fPrfv zWT61U_6NKi%Vo)qEGaefhX|tc`nqp zUM+Zo9Zoet_)2FV#jx<)r5xlGRU(-lfkeZ{$AG%Qz7#YO&NumD{g^v89#~q_Nt$n@ zq?Y}szVy3$}c8?J?J)0$i=bl@(6z*!UrX*%eU zmr1*Me2C4^Jm>5md21*s@M)Rn07scC3(Z9)mieR5uGSE9NJ1BDUSLFaMI6$|+JFx0 zWo?P0oyM$}KP5N(eo=m{OzrkCiZP8bQy6q^csQDB%?%O4z+OU7n{|B5D96kJ>0>O) zXRdcH@;lVlwl1`M<|^Y=PW4;`?~oCst!(Lo_HC(CJIp5;2i*lyRvkNOP-EXzCsRMZA2uFA>&9`IkMK9qwIt0|3g*xDk^foW-%~qD#E>Kq zqjn@I+qciE38Qrz@bD&11|z9^6Eu3KwoP7&hm6>Zmi1Y?s42@clHwteK3GWc6c0!S zqX&Qjs*c~VXC{c={hX{h=K~N9i_z@ukzj8SwccJy^*Rpq1P2>Inf{Swgg~2%i2dlvkg%VlFFze9(=U5GK=vcN+{G$0E)2t1meo!5P^tFb z_(LuL?$sC=^q3RQp-0-Bn^$?}-WrR#yd$O)sg!|R-|GrhJoDU@V)Mv-9_(~C(h0K1 z7`r~iCvk`ybBI9!_I_ad&ze)(=iRo=x_y@SOxeCqu;0&PPCS)k}N-rJ1{*{e|Jg8x%%fot*g-uSybFU~xOODcOR@?(LfEY59T* z+9jK&w-R$=Fnd{}fOMh(3hn8ATG2`smMf2&CSSFAgbFA*0E6K6h^?Rq$uwsvkrLru zbQ+cD0wwux{e^pq9;-FG6)V2Rl3`CFLiZ_g;Xi8lOA8*_tpemM3FyZxuXd}I!#ZZN zd`j#uJ8+-eD*1R3RX6grj%p8eR6t~CUa|ML-Ly&>j`pM!%K7vXNCV+0O1Y(4w`+h5 z9*<;gizZJ5gJLXSyD9I>rsUQ}EKQ_$%C>>#R`m=?7KvqTLm=NHahn_4zT-<j7A;xxG>@P63ySd}v(KAa{)d-pnUfd(vwe#wJkt{jpgZ0ZBaC)LtsQC-0W#P5` z+-bKv4XVWZsPOtwp!$-@=@dbU(EVb|>;L2VI#WHCa8rOU6>to+1K>EcHjkiQw$8o) zMsdQP^nSw?XYEIL;`yRAuNMnxBtguEp%Ab@GnA=8@dyi%qlV+t%ZQHrJu4-gc~OtXEWej`lkUrR>IhV!5#F99 ziuJ0j?Lk@VHX7?gSoGdIQMPOPu-8;s3wBtttOG!$m=ZN4pg%Y;kEpmyQ_Y|3f{KSy zv&}|lA42tw~UVnL7@2L4u`)BX3DNHZL8K>TXH|vb*i#NtQDWX^zRIFQhct zA=4T6+9tE}ppUE%*6Gk~G6Tl5IoZ!PPIorP+SdkLXLGDuZKO}0PDzuwj%xp8ik>L= zUGvt12}x*3wxx%5qtJ-7Gw>`rIYhDYO%vf^RBwh*=~kzS;PBQQ%n&ml2sPgcSXrv(%i1x6M2L=$Srt~zI+lA6DBDLFzU--^+1m4AWvJC2vJ#Yk6t)GLN+Z#6OIm6-gurC+i9 
zSqE4HihQFC&jGe26MnCSsU{Q7uvd%lud@gpjU=)^mn&vuJdzb(@lDzSN!h8L;XC&8 z{jM#1fv$eEuAy%~vvulqS}#K-aZx^hT=&k}cco*g`{0fDFCEs_4ZD=|7V)&Mc*=yK zoC`0@LLs#GDRfk{)bUoAn{!aJBoMm#+G#)&24MDD zCOfd~wPzWtUjDHOWj?PnqvON)cERk)s4+`}r%+xCz$*Fk<#kUgT|knq5M zpzHce+1yozUOb!UY%#4iRP^D7%bZ_cXc@?tWqY)@Z_{e@s0zJdvhPSPkF+vSg)@Zd>;$5Z69gVWPQf_%^3a|$6vsk5S0cipK;}!h z90^e#Q7`!wCD72nh08lGfF(;NzK=W5GT!5Z*(Cr4R z3AcW;zVw~_Kvs!#q21M+%={H|m7UjsM)9bBB3xqU<|yYFZ-Cg3#z*$^KBX-Z&AROr zIcNEzY<93k-YQV18abOt(6|*65s%v+0Zl!<2JoUK(ZrqC5GD1PrwW$@60iG>^^~`Y zmoS;{Siq#CRh=6RuA1@s@Ty$n&WG@{9pV<1KPc+Oi3XcJZD}_tDfaWYO_9tu%dg*Z z4Zh99KLzIGPsxL`yz(;}6L9h4XGBV)IdbN9LbQfFar6Y4_Eo*PuNu(^rzr2sRhz`8 zds%;ar=%{VR9}Bph!FQ$jYiRQ?RDL3@`a%TC6rn|4p^|XAgIW?*htC(lnvvks6hWG zpS>YLnVqv8K-LA8PL0cRzNiZJCGvZ<68vGLxjOAc>4F!1EJWbaIu^9k!BSZ-)W1U& z%qiexcvrYV98j&Vo;9-BKoe3@*rx0D<;c@R)iys(lk_@6eJDW-5a>7MLl% zN(}Z2;2w<3`rCN&tXAF;5=#{*W_JWIU)t`+SqM#VTUw}DDhRlQoCUjBsLlDYJA0TL zyK^)^CrzlU6u{Jx^;7K~b_Kq3RY%Os12-~7YPw_V+ z8lI`Oo;z5;$^QnOfiIQb9qpjku1l$r+)0z(N8`L6+Crm~Odtme>f+Eif^(V2_I7q+ z70W?k9yN>Ge3f;75)n%|W|jkLaA|&n1DEFK%pHl?IAg5Lhu0A-@~4umXp0wq!q(C* zx(LuE1XoOSqD86wMPVV;0}f1h25_P*;Ql;zQ-P@{rdKA;nO6qah${+~Sb?}2_Vf5j z?6tzEo8K?J3{+l!&@P)&y=QM_TH=))&R(#-Yp5j}Sw!VSK@*~N*L7xWcYm7rCm+K7 zGTXKABk;1phpkG?*%DVaF;L-!b%&Ywhxv~<%+x;2?H0ZP6X?8q03u{bqeIXNwO%gW zpXStZ8mKY}Jn38}cytS7yRLc1A6aS}YxM#rnz&$Z71%A&^#wQwUo36`INUUjcm2fv zfUIO-t4*@H5Hy{n?UY(tm}Eb-(hh=dod*Y=k&zDP--*4V9Fv7fCYfKhBY$q!k4!n# z`;e*FkmV#YUuW~e?3kRZ15|y2M3v3OpJxI!yeld`aIFs`>qRcrVXpOI;0guc2w5^9 z63_8#N9g<}xC>7|%Pg_^PO_Z__uNUh+OQO-zWsOP61fuOsquYjVn+AfmL}kFdY0NA zS&PkKSUv=1799m656Ck4j?ui$*J^%M+$XcrJ#~1eX!FewvU3KkCctF?Y`%eR;_vpk zB|-G1NJsiL~5{$u{)?sJ;ps>)$n08<$RQfOLqFf~OS{YLA?_&?E z`43UPP2oS7N}tRIAY1Atbn~Vd03^ti?BIRjA9EV*+8rZRmuS{4cY9ezNkOSg3Q;vZ z0YL_OL7i17zkhlI-VB{-IZZyOll5i&X)2|YR9B*op+oB5$C?0qK!d+Z?pIIte!CKj zO+ucay6f+h1aV=6N9J94yws?LvoX**1?+ITZ|c>isHv%m`kO3S!rkPIie^B%?j78t z06TeSg6Nlz4-m?@?S61t*7Q-vQ=)-{PRh)$$gig ze>dKc5lGV~Im&~Iw@S_l@>A0-IVTuT_tEy4>wZQ3z!dCN#ns1blRwat@j^<3*JDGV 
zv+x2q9zOlXUZ4d^=LdaovLxljE=rAbbek%X@VYDvyp`J&I3m%*Oq1(qRWDJoYX7WP zrD)^EOAPv}xC-cE)&4IBy3{~~zKe^1!5K&S#V^U&B+IgWd|vNjl5m92>okkR8jIAQ z;JS^Y5vo?Pf(?J2H_UqD??SnnH!mVPB-x6LXsqFJ`1<TJ4-VcJ_QILBADzt|_mz@4m>kvQ<#wq3L>!SZYu=>){ zKCJwJGoQXrR(g!XL~E!24Z}G5A00a8s+%z}hO*r8#EophJ}v5pHgC5LzT5X>wllz2 z^}{T0|I>iGKgnhXLLd~_z_WIq50Iae5YLddnQ6bb*La4+ervFY#WO;bzcii!7fTaC z4ww8A&4eGye~G5FgOV!GOV%BZv|Q z3gUwqb)bI%E_tHL-JVVDz9g3GGMhxR7yd#<-HVgYv+(9B)G3Bac^DaB)(^jZ)naRZ$!UtYiprLqa;ZT1r6zX9gquwY)HhN?@pi z)E8~N*bdcZG?pGQGgy==KuMuZq8-I`FP`c>(jvxO%Y)bvhk^bSF6$t)%jrVP`+U3D zJe7EuJ|5rYB%c!Jw-Sua2SHw6Vt&6+S@I?RRVqDK&hFnkjUSEISkdL_L03B zSywU5Kc;z9L>q2CJiPN19HKPMqUS+mrZ~HFsytUHasWnF$wN2)clfwQ;KwB1bGs#WZk1zu*s<-TacEuN z*uESmp7X{oop|H%!UB#m{z%vsQIubqZqYCA`7;;2l%mkIfv}*IU<(F0gA^ayiOol2 z`CWsAkx>}@5#Nl1ASdS|#hS!)ieXYKRa6g*^-$GnU%X=_v4oiVfTf(GP zjH8@G*4D@=&T&Op$|+z;Lja)~x5WJ;Qfem7eys2*p@ z>(Er<^jK|-1b8W@uA+Wwm(h?~`CvUfLG%9G>DniruI=;$to0^frAlHhZJYu}!?3%28_8_-p!>|6ln;7%;ukXIN#gOZiD65>rl(onlo$f=(DJ+ALda^le_~N#A^ug9IBCEUmVEyt2 zO!(y)r>lBdZ`*qGU#2{XDh&XEfq_8o=>!lfm9ccC{al-FX1qKQPzV(dfcLs55IzllzW8b54Ot z>XYaKVkh1#Ov;TPGDlML<9h~+ksSE}kz=rxW8dU?QNCV1sIECF?owV~t_8xo5pkK? 
z!U=BEkj7EQJRuh`P?16<+-^6IbyNK*&xH5QE*I59B^8F2X?VqUk-*|Ov0=iy!ExVq zxHE-Ik~mI+Gm9XAE+)LsOQtGMC=Cw!`YvvDTJKZdI!v{Z595%W~f}}gdvHf6eouOo1xf8m zm^BaOYMjIyFBBgk@}7zGeXgE(dOil>@l0Ci+BHKhzs*V~v3FhSe3aL92%sm%K6lHSsR~XAi%XkJ-ye|9KkF>sJp93ledNnZL zPMSLh*NRR^$4^nux7<=J?u<35-Um@gjJrOR+{Jl#yEKq`m>&cXJ786tw@*#chR zQ@cjw4K%{3A{he_1c1I3i8Y8X%@Pi>#@WFO>(JOXaAc1_I+I!>pzx5DvI6CzfLTU?Wn^TrwnTT}gaT-w?AOK0FiRlqHHqCK-pC$e z`A|0@l}Jh|xj>k92viz*I5xZ?Z{XcaGZMsKc$@=)tYn;pM?g+5LTeDXA9r+v#uRpY z;H#FNtflKON5M=2ll6$nBtig&WgyDM4?F)udCct(jr;}<|FWs_1>0|0W`!oUpk)G6 zDbQE@cZ3tzsosPqT;%QJU7a^Y_R!?_`3mo1d7(#!XQ@TOP_>Vr+AxUT>%8vv+lGIe zu*}`akv&(rn*g7pX|i=V^Rf`dBf6Kk$j2U>sHyvbi`;7B`qC3N9mFAtn|=C<8y!u@ zPZJ)d(X4dTvgczBn+2U(fcIhKI@cT*n(Op(NUP554|vaQht?y^DLR1| zm$4mzZp@Xh*ZzCK(+t=7<}vA={ZMWu>vi;HeaA3w7-sB+m2mzUA<{cEw{)K|?$1S{ z7k<9KoVAeXqP)#Lp z45EuHyl6O@Lbshmx+M@2@aa!|{&m0|9R@;w%=-?ijBAsJrrRR|R-_Z~_{ z3nf!9C(Jm6r`lw0DH?O0Q5`Mx0-31|(o`bdDkO@F8kYfmo`kK^RjtKpF^N(&qVTe- zPm5Gp{>_Tg{5rHD3i}?psWDA^5GQp%u%CWc=r4n zq@o?ye&&uZecjX>wyCfK?wvSYJD59i^BaAzU8vK0!@j<-V0N-K|F`QkTLGBLOL$a=Z1 zSG@8s`(s-+ewZx9A`Bo%I?8Y`s4^e%&WMyxuBh^dRn7C=qcw{Ww_Jxrl_yS+qf?cL ziYo+9gsZor9alW_MD%Rp-Le4tg~&QFVsyrdT<=b>cO+j3{_v0pG3D*BgsJz!83qN+ zT#8;Nu?I>zLy`;c7WG}!A)1_7$kAqmhZIXI^yFU4*21#2s5?7bRL^C--K@8pgv}_$ z$1M;)3PgHW0vz9%Y{Y4cyT(1<1DIc>r;8k(BHixFj3{PsDy37YrFGM8@7Ui1W{VH3 zbVj9Ber#q6n3y=}5U+E{nL~gAQ`~XRro5^0;?8*12ejC@IA=K590w|q@PHHhYuK3n zxg|E&u%}v%$u* zj5_{~@LH{iLTksmq{7o?6I#n-0Pl>3(MDOW3sxhP}Y}6%mf-akx#n63N~v zwo5lWypwcs#x;B-oZmRHx-U?YgViO(I`Fh$$5#nC&AAWg*nDvEWvRNjFXf$Ran75D z@;_uY9#07$;JvWHxF1C(%<*h)(wjkwft%CVP6G()dH90Hw6iBWNr)=v;p4Bwcw!L( zRS8=*UWssmDBQmB1v9*kq8qZ^Fd%8B5RC$2GX*?SuVy1ug8)+nY2LN|MUd8Oiq}9| zgTNO}Og6d(2+(Gu6+bCjET-l-@{uCWGibT(Q{t1i^Sl^HBP(S|-8G3fR-HrNBpQFK zf$aMiJ1ft1<_GFvcu1d^1fPCkyu^Nl6r}JVIlXgt%opD8Brb!wai)b zSUY6a<(!~YxVV&plya_JAp!}aRL~&d(X|X{lO59<&l{4*-{=;L`T>8WDLM@U0G}Lu ztk?s313Md2nxYzeR-T@ap*+pQdZn79%!GgdLEO$sEmU#5-8-vlEujmGJv^{=B&zU9 zsY^TvXTuQM!zFlJWXX!|MV_zuOI~gG9$Sf^?T-Fs4mRt+QhmyS*f;Yd%jURu^(IAe 
zl^t!*YhYQTy}L#*i-euTn>aSzXZVJCO7_7kzw%6sE%zsIbUng>-pHp<5LO(1TG7}0?!3eh5&j8UPkw{y(`NVQ>y9} zP3#U9({bsywlq>w2aE$>EWmfhwNNj|v1fgVmtBa~hyde$`UFGmGa1SVZF`)TOSbv* z*0}5q7CBIAki74W>^r@UB&a4NC(0vTsw0VvCnY6Ug=Xp;DJfmCH)cG6F?4o;@0OS9 znEuA>F+UMbNsQ0ajD5+zAR00zO;`>yc|iIxLNnJE`01uFtVFc)=jAf90}iBuJez-B z0zIGXPywd;3egN0iSUpfply3{wzG+L#+=KzEE?W^;yIctDun>eRifP5D4?*K6Vi;xk{bD;{>D7g zt`9m&%=Gn>rpel<;-RdY0pIAnr8iy?-rF?! z{e3l88*DQ761v9<&`%On?RzQAOCRiWii)HCbIoh)yyb`X2Rp&ZrF6j?!XEuH#_Ezo z7AF-!vAP%YV9HLMP6~3;L0$>SB!(wk_?7P|%J(E*%3{@~`|Z)0!BCP2Z9a5IO=7SK z$|^weVkeak?2hMjN(KzwTm(2}PLuVw=@O1-Cv<~>WxxB;ZXF(GCcsCxWzf9<+&P_h z4k-5w_c>XP#1`iIX}i{`WmSPXMU?=wCDc#h#dmTY~*+sv&UJu@LjU z!~}H@4-PmZBMtUw=u`_o@4-$Q-+oT|gv;3QzAsphSQ9om)C0>F|75%Uk+ z*??NYdDUjTU&p#y)SDz{u5e&YFM-5DgA;S>YKRPzKq3cWOAbF#M-&1t%Dh?eAgq4d zELXP(?{P91Dt||yTqzWM3c#>nS`UbboY!E!J#f`<=117r-~h_4J0RCw-pk$JTXkD? z{ZV9jl$+Sj3wCzziH-Dm?~Src*LN&0ASLLA=K|2VVqN?{k}0-p%wJNrs6-OETrJq2 z`fKjqE>}e?LraXlwLpL^h5e?-xu{@w6CW_6HYk4R4Xr!Cu;Gez)aHwBi- zIQRtojSGg;k3a(E;%~8|<2lhMj$&ZV#PNwckphLeUe(Kb+ZN?>xv1A%DdX&MJekH; zSqy0y+g3NEpT{6xbci zGkuT=!Ek|+TK36kaxkceGxo%3l*Mp)m+eT+MNde24(#r zv281;EdrF>nX=h7M6Nj+;I^PXI#5)Un-J<9>K+=)4%F+vAh7M^m0Gl9V!39sGTHG= zCz<-lY__HNo}G--Gz@Tiffk_u8#a%vs z+SH4ZDM>HvTINjkSk^_k7*LL(;Xc(@0`5k_T?;s>I3psMnonHSo3KS=#w?IZ2P?8v zSJP$vDWQd?Uv5^QQT4eYZom7$0!jH2=50 zgDyB|6N8E(-4?XbEqoeYQvm%XQIu}|?d10ktWme%rY>BhWStWH=T)#{F_iA%M_SM) zhfe~;9+4A3c5guwgeBgMq@4Iq&U`?cM|-|uI^){&RRVnGp%#Jhn&aNhvE5a}RwZ1O z4s>}U4bX(ga&$(jfjU29UDu0!se&5whGF(s2P4uylS&vCP~O#F6D#n~>#xK!0&Nv3 z6{mP`S^)%s1$teD^9|i~^vp{!1k);b!KH8r@K|E84Lg@O*_L{6cuR~loTeEbg`mwc zv(w%N{6N8Ba$#(?Bf%5}*QeCg6WqO~H7qKMY-0(ETZn2CQaP=l`uFO-F)-9>+pAgk4SHs&5sDt2Ov$24kk$?G82L6u zXt{top>JD=&k$>(B0k|tH%L1aX)3AsQ@DmqJ){l~?=ERUfoDRrne_KSf+Mt}y6QYj zZN1nkjlbTcx|0Ydta_t=oY}|;*-JC)>=H3R-htCl)8T8=swfM6Yf~28w@OBHL50^! 
zM}vL&gs?EzN`qJV)XuazgzVlE`6aPbcPY;K`q88pOJ{LWZrIGn?}NVR_gpr-2^wrF zz%CRR=sL4-GE9u(hm9Ea5k6qf&S1L3iFP49$r+6BObR314B@aJGtbT?J9jwBorVsl z_JRpv~!$=6k@EB0axE_^(D4uH#zYNYGR zX4cS@?l$_#i5)7O*h6R287Z)z7wKpDg?Z7S}^b#Bou$M1tr`@ zyx;sU(P%iJ;f0=7JeD3-q@KaqKi+RK&)ylHpJM$Me(5ZeptN5sjq$Hqzgb`UwkW{c zqf@}xGhJ3~E8N480v$BNtHYqGan6GylBG9E`B^9_{~oCLVZ9n5;HT_9{JnLZEvK#z z1K7d5y)@)PHJjwwFW#0LR3jwrwnU18R{5F6SFe)wV6BQ@7^%LRaEOpdc@0>BQ20-4 zHppeW)o!{3JK@SB1#TLN_QFiSqsLnjIs263g$vg@hn(Tq)6&A*1rtLuMLcJZhnJxZ zF@}F-;vZL{ifvb8*n;Y5467~rFfswMWl`3vyE<+RG_TfQf=#}h#UG@JIK~@chaEdO zsm`DEs%*38Wwj&&F$vu|INJZZXi1$qK)Fb>G{63M1h3tA80G-v-ho7RPX$9~b=4|tRC_x*@r`8CtM{Kd`>3s(4Pm>+Z zQ+>QXKIMdJ(r()8#YI}gb`>s8W~RC;yMg1Tl(f`CBgD6*rnQcRg1eDmzr=8Z zrNg~t-Y%0ONo-u-3HR2+P9ZxX{F2MEeauw8Poh8anu&yGZ7^bf$ZO|_DeW6=V;8$7 zCquWEJ z@4ocfJ&3xx`2{!nnxbOH-e$Yz6c;_G5C(Z6ApfHvkx7&)`~ys*9(|73pFwBFJvBV) zpu4t;@a{)+K0-itY|R+7@=kO2KzEA6 zaak;3f>Y=6Eh*D~n5up3sy61o_1%E77$HSe#HinY)M6MDU1AEMs1hxUAjxt-sHsB>k|N>tCpZg8 z4y8A6)@01<6bTjXFGvXbq9Wlz(AbOw1_gQ1kj|qBn^D(5G>OJs(i_o2i1&OP>i-l8 z60=tFj9*4Ak}&?{iZ|D`mvuqzmDgM_yiS2MageSR66A~Sj*iJ7Wz)E}4id%?Hl>>i z`^UCy!Vpq&@~ak)rn`0n<9?7xt3~$K-PygOVUk@codDX&7f!yW3^9;se$RwPnk#-VuTdP}2XHL? 
zfd1KDojX+}mHJ7VkoY6-+s0F&tFcps-oK|Oh65_YPAnN}6C*f8fO`n!0Ui2$kD7JF z_l5(WFp<+4kisB*Yp8F0@BC}1pL+*Bwmz8OtUYl1vdY(OQeEy$4(;pin1x43Zph;# z$M}XU)PV}fvI19&RL2MZf=)c_;rZZSpxKAG>%$iNVSFEXUMT;n$@{6dCPaXzFibAO z8zmXrXAlmQyfC@QNC`Si!+%NKyhdP#$inscqTUv5wOlVsX3{mAZN5q+Z!>DLt z9?Hn|V2ubv2xv?h?Z%zbpYodMzzwviye7JC2Z@1BE){WYWSovSNQls$^o!1M!2h5u zC}d2|5&io`;@rEwuD_Jc9lM!D#rF5INHFAXxXAhCg%;^))cNAHffuM?lyOro@^(|r zIa7ded+w)=mO|xK|H7Tww~tm-{?)R9EE}y><0;q39+8Xn80-_4vLiU+)cWrYjMo}F zxw8&wkdtESlrlQuj6-WOhrBx2x>~Gs2O&-Ct`wkt$>j(Jl3k9D-e0pKNnqNWwxvWe zwbNNz?Bk{;&>#6RP3e{cDs4`JA_VoN{UPGwGb#54ErPDS3x3_r2!?ZokP>h`g?8HZ+RImN4i zq&fd$`wUT2o=t$SRLnve*DtewUxlxt2Oe75Hwqjz+BvR&jugx{v(rWVs;ydMZN(ao zOq2j#QlSwb8_N^Uy0M^UAzl%iI>6;IV=wrTc}d=I`i6MvQ@*ZtD|O-kiKR_)=#N#( z#O`>NFF567y|5#{>YFGL$V|vj^MmrhzGcTQWpEDjud&EUO2V!^!4^`4HWmd3^R-j}EVzz02lTYGZa_GDHel z=X^U#@^%Hr6?<#^FX=_FBXC&f&4%6c#MTW2gM$K!H*M%B959hMhrK75} z5IG`^Xxvk8spz;7k!7Vok4S?7I(R(s%o+`atN?#Joh}GC6536@-pN@Y0MZ-+YUnp> zo+g~{g1qx_UL`~ngj-w?asE2JB$gG>e3A~_ zQQ$=#jRFs-_-1?pd}$F-Br&w7^$<-ZW{)-!MfljG-9!UMMj$yF8&y?S61b=k1Hx)PqpdQr_^_89$E2fS1VykZCZ#143?4|pREI4Cf_3-r&V zPN&W5gbg)$KGSqSmH z4Uh9HdWQD^U2)tl=6MKd3%*NLrP)sn4i&34Us?_1L(V(8{6kD}c8`lY?m zNBNID%ETNcx?}dn`vJB|%AVzW7%z@oZP>gj%KM7x^Sju#<&5J^CEkUF7qxQ;yb}Z}l zydc1ceb)GPt`X!*+VMs>9X4z|Y(*)zd06G@xoYZ_c!`H6ZGB?EGXac0OXx_wGPuHn zfM?$;ol7SL21}Ocf8#l)MXshwc$b>JNOhForzKg6p|=(UpxtszIWU@W8Ng+@^pDxc z$s%b2J1;@0tx^jal;0{<0pzBqC%OK|I)lVaSL^10tAJmo336|#63}eDy<1fC7|ptr zQO)_nYnC9FIJ>$dpLxT>-4kTbLbaS7G6<4#1n4XPr+h460Wfc>Q%gp0shajS`HQMO zdaMav3%s?Bl)qN;R9hQ=B;5xzt-npg@H4sV)#|wxX{2n`S+#kDzOt|NcS9ehzX=!x z1Y?(k%0rf9-EFHyvB}#f9#1TTQVTn>(5Em*=8l+LRFQ&in^_*_!cG@SyJ5x4*ZOdrmU=CsNV>u~+POHTW1I~U(7YW90a+cj!V zFwx;6bek`A$^1t!$|9?2W!%ALy+)(2YLOtvFEs ziiRPOanC5m8|hFG2xj{s>b=VzFnPe9Ilr+RT)4^#LrwPH%+#zM8Ad;@*7fz1t7TjZ~lg!v__8T@!l?grJmrz4A@ug!~ z0a*vu2+&WCGQk8(8u35_zoZBYE3WV_Tzlk%1-p1BZNT3DI=lCK26 z>c8%{{79M1a}N`de%IsPiE-f_=mgD0dor0lB$+C@clg9g90hm>(^#Y6G*SRAN)08F 
zN=ZTYPI$VEs0`P=HdDIHPKAX2iHa(Knu;qO;hlgIc+vMM(=04qCB@)Z%wS!2Sn;jZupByRn~cHI(tTzI$JOiffwdckxlH|m)6IOa zIsEyibpV^n-MRUlsZZ<=PH!*UqIMb`Tc_hQP5Mt>(AvJ3itcU!xXb5H+x5I@NM`X{ z1%Ow0`-sz~`M(J3xDOVbO(%ofUYwkcQn%4Oq!uIfdU zLZ<;ML^iuz3GVtB6M5&u1UxM65?;) z2qa&xbq=i)Af7Xex4IYXTEq-ouK^`QqP<1YpsClL1tpi>vlLGf^MWg zh6)2H%7UF?$B$XBPEamjfCJW`5x^koC~407WY(=Ok3#=C{Y6GFfV1_q!*>+!%<)GX&L-Pu*xW9z!zJTMKDt*AX?_1ucO zktN!+?qE%RB*gqJ|4lKb+p9P$G%LmaZoXkbhV0Hea-xZBf-aWrTBb{+DgGC_SAm6y9?m1>mS7 zkJ_iF$@rJC&$VYI($@_;bDky9FQNXU5(Boy4u?*x{|Foz+1`Vqc)yfJ6#42VqXV4z zvPu|jIoi*k?|}7j=^K;AFN7Cbg7RES_exkQFS@S+E8h6P`Y;NL>3K_!kRtW)mvKm@ zI{IaN3ap8KJWno^W6MAQxPuP)+Thm(vdbEq8GdT7t36Wb{@9k=Qsk}eDTz)1o(sUf z>2r=~-^4ka&_uUCv%Nv^c8m;TJahzLlE_&eH@-o1>{RD1Uhx)>Z z`VG(-bYhQ)aOs{|sUA{I^q6Awm*!0hh_m&VmW^fw{X*;M#0~LTd9uf1dpj^6oZw$K zQQycJZGSj0A4b-PE~`d;=zcl2KOBa2M4sAzSFXx?*%foiz9^!eCE5fymvFZpT-+Q$ z1=08*vYctwRI5Dq{yD)rgHonCKs0yW2k6)|U0yK%(TP3C4NVnQdBquyaSBg4C;sN7 zpu?2%exn(ug_fIL>oi_)($!Dw4^DlIlM-MD@kh=F$HH@5$asFhvHihG7I2vCou&|I z8o|iNH_H%;YbpM z2AmI4dN#8Aesz1ESZqVhMgIm=L3?dw6c?7{*5RsT;duPoeWk|g14-f=-b}48}whDA(hm{{#?reW|jVF0z*QkRCqq9Fv3jYdk^%NP)}u#Q^?pCR-05Z$I9ac z!tD(oFwQYF!_H-}Ap$Nf2mUoK_$*0BvQ^cwOcDCeZ-kR$`2KYBLRvY7uLF|i!IgRBH3SMka{?$ zEE$X<5%D(JYB=VCD%&Uad=)*nj-Wm=3z0Vsi3$yEx9+M{L25EVuxIc z@o&ZW@D|Wkhby@u{)7OI;t+NV|_TVK3IO|BRDBMXgr||jdr_S<_*P?m(YMh zVa*IyQX>jLs&Dx_*Oj;jH`9M~fqPLNS~j8&6hQ&VK1S|fmnOdalCu%*`jOqV%vBuP>|x8bQkos1%l^I=P%{A) z-dT6+Z?pFt8>dWwVKW*9sp{npEfEG~f(`>ZRsWfV;zYqW{jN-5WD+De8XC`QUq!c@3aqG5^|5h8dtFaY< zt#ZOQIBb=3K-ESy5ui63lv?hR#CK}M1CtW#9hB;cmdH>CC&C`F?Vkc9TWKf1M;w--~2p??(YSpZ97de6koe$|4$7%?pj;`?S-(y{O_<|2A z=1zrqojS==hphTvwM;X~+db9xui6Pm>s`T*$-O@1xYtvcl1GXV(YkTG>~Q8H|F9L| z`h!E+YUi`LS!>~panjQKJB~q)k-`KCL>w&s{-eo!mwQKUi_=zKCW&U zT%RIfP;f8Bz_KafoLRTbMoUVE`PE3U69Alxv?JP;PN)!ec!wR{y;0DHAdx9!WaoVz z9#|i&O)aLVXZy>Xh?RL}3w3Gx6%9Wvvin?jHckFNc*8X1JQ7gIzzYyTc z3!&_XkIhVh12_G5@El_>KW6^}cP+7(0M~nIhcK*+vp3M%^~N3^tyDH2!sZJ~?X}M2 z$a9e5Dl^fz;s3YyZOd&V$+qw3Gv;|buq4}(A8E;MYma2BMYnxozd-~@VFVIvfTXR7 
zIRAd?j=E%K6+pV%?$$(%TO^UIKoF?P%v!n9B20jg(snn>F8t0{ z6gvdO$gUzh5pa8y&4|aL(8nvB0W-_j`HV;BZG%5Fq`0km-d~l~7g8TDQu|0d-BZZMrf>Rjh2Zk5t=q7bt`6 zu-!Y4rRHeP9E&?EJmS^Sk8o1oV9Fto`hufj zhnV3+!zbaBp?!>U)i!m__miS3aj19EV^H#NZ-NmiUATzO7!OxC$&&%vQh&oj5(QwZ z^kHEKeCUrDS~vxHzRHRdbT~D5VPf1%V7QTpqpll-C4W=|g6(2%nsvh+j8VIlmNB&} z=^VD#?qj~n>&LF@01>bO%zFirA_^9wLVL{~AbD13BN}Io_GO(<4Z~0*zK(o}8?#yx z?Z#48YPgM9Y#g*b7%G0NcU`?M$}$NzeB*WHwl$VHH0Y=L;Eo#@`~|jOgFy1B^x2=H z2bMmAPoyKX{=$A?YpXjMYbRZ0jpHv8&hmllv71aLo$}V}1CbIIytPGJ6`5ozvI(1o ze3_)P*{b;HlPS1nzc7UG*_4oy`$!4)2X8nR%e4S>`WAv_pM zMLAQZpdsSwu7k5vHuzM5k4RX-Fv&Tr(D9saSF+d9dd*fqF32;;?bPOz^?EAJ5vLP6 z@Q-pi6Ir4MpoK!;9_4{zSKv<}eyZNQ*0Y-=5v20c)``GaNtetQRHOj6aGeW>(?%kH}6#3nC5Hj6Jn>+S67xStuzvgw_Zfkbc z4pero!QUzHTMj)q=3gsdXmcLL>_p-^|1f~D1{0>tpVXl*LA@HA4l)|Ts9 z&6}C^cSMDcSDxMWM~7eEg8Gc=@p&j2WCU_Oh$VLYP-X1@PV)>UHAGI!HxE_#Ep9xZ zi3J3;5n^N0Cg8V;HAj%m>UvquuH5{-En7Bv%Rl8(Pbwe5f6!5_>m2Z3IrvQvu38cD zUkhD@WFxx)FyIaR3UH?X>3$Zz=|AC*T;pn#9`IC}l1oL(s(_yXwFtylSSW=O9Dec) z^3ntHAI#qK_LQ;>SAUJx-=L&E1vhcvs7jovdmgCa69q7&0K#Foh-Bx^2EEL|4iCBk zD9I3~LTt(ingb|Wht;}!JRyi`-aU#2WVP=eOa2MA8==i^Cq8=f;jMwX z(NOUX2+#=JOabl;vl*kFK2DG5co_jPON`kRQeamMe(J!7k2}3-G!O`_y)pL(`0Eqf zPI+Eb`O>~#%t@0~IKFk3(dS@yHxhgd(bCe&6P+&32iREBsX+8h$%E{#0gJTmU&J z=vGgqo5vxG3+^ixCG@eL$mQ%+UcdpZKvE=L`fo`V7$BwxDKSt@ZWDerteY*J)V&Gt zkz(#M{2ap;kZuvy2(KT9N@@Wa8a;XY2Pyc0=nImP;-~17C=%L~q(}4z4W&j{vI+g4 z5n==-n9zgZw1{hHOo9|~Xk!0Ko|wsZQ;^wv6ge;8Y8#oPr^4}`R#aQ$GQ_V z)bcx7j$s(ZTU#0yb-(aXqMkvoOWHoI`6X61kT3;CDhBA8&n*^+On6vw$l z2vI>GJ*b2)jd)M=m%aAU2Y5|kY1?prDqI1)ezhU526!m_XGl)qFP)j$FR*eoqW}(~ zmdWzue`Yz)ysRiZC=;}rXz1{1}4y+dL-yd){7Ux;pt2z@AeRN8Jh8#sUoImUkO=s zq$!!Fz2rDx6%-ekB)d=_1dLQvS4XO|LXh4%x@F?>qUL@qj z{B*oXxR0dFx$HPqJEa<2^?U5C!h4dAxkH46@Ecmyj>K;Z)qr4Y<0-)XfLA5R?;E}Z zfhfd!gB<^~xEy$K0Ts5hqMY;X_qF+n_fp)}a0Vh(fg3RV&WhYdd$rf_r2|e|DitXg z#-q*KU^G0`)QZaRf6e@@V&={1(#win zpRL&~)H49FS=?;!`cDSN=`ZSl8v_Py7aN?6Fhfc1X%slev3X@*S<`sIOwD8?#$Jwk zbo0etK^k5Mora6f!60)0azKs0hRE=8cArmy(S$qwQWqX+MYb4I1|E+sQ1PG;z2_F6wf&3*R5d9*o%-qk)b%H{&G{ 
zd${5nBHbC6zv(GdRdv6;%XnRY>ULIC9b1WcD|gwES@Jf9)(?pKsP|i-U?z2_l+pq{ zO7i)qR2}FCb(D-3;LL(M0Zx&$;{`xv4Ny}@sWcI9Ns!iE@=BnQO$or(lA+z<`bt8? zfoxr^IV+;18w94X2n^K!V66cGN`Y?_&y*voG2(WVRG1OMF~V9BRKN+s8O0n2Zo2%z zk}lelJ90lh1?fYA_adtDSRBS>e$*5fZ{jAnE27R03jaVTDE2id*!Z#g-QO;T=yOH6 zuA4{hO-etuO{Ya)7*pwzwuI|P(4qsFG|4ER#|Fmq-Y>e{G^=LWY`cOjK6SGe#5S$m zl(2kG48TPXfXheG3n>YfklzB!4?%Vjq!>%pf8d=w*pvMrx{PrknBm^X9@!`KUImd8fm@PL}#?h^15!m zmIYqSVBLDCW|;y3OBO==3_N@<4KtvD)LtTNAWT}5r~?YK$!cHKWLn962Mk7!+(+6*~*iH1bZ8L1!22*QW=PjExS}E5yMw?9mNPRWvm+h6< z{6piqYu`_5&EJ(ClrV^HP^V@I{JrWSse$k^fEkxW8Ech3ebjkW_UL8iE}2*LhVl!I z4E3!-0cJZ7mfsNX6f7ldeT$u!3lK>SoPskP-?pjq2T2g-3iXf*6p=P!=2y&oqRq*~ zQICgg-8fM2nIz|UU%AvDDlEv?>pt>JNaak{>pt=dzcJYkz_E?A0qDCsP~j|#l(%*6 z`J@#uui?QA8^0^XE#tg}d&oT;^;>E%{=wA6|MZCL_)N(&C6I;|;@EmO{08T_X)@9u z7}|%}pYf<1jp+xY{OyBzoy{EDEs)0u?RK@PmP6wKV}&_3l)zITSOFC8dcjllHy#G@9dCnhmvSkip#D#j z$mNId*6XqnR-&%S#NdP%vL9pOk0D!F#pO*V&>5$qA$gUf6L4~|CKa6!KeMi{q8z`( z){jkF=F8qClCRn7MG`uu;wZusa$&$?b_XHz4L~9XsONHG&j+vI`QQ|)`1Iz5(1kJ& z{A+*u2xjEOnS*f6m(`-poqCR8LCUqXC!NyNIOQ5Xmn4nYGn1CiSQ5BaiFtpZNqbnar%3+qW$Rzc42L!fo)o*8u@#U~K!$I~-ke%tdf`%LH90rI2989-L-b zFyEkx?z)aDB7g=MSwH|o9jhnk}Pz9iu%hr5A9eaPSU905D3Vg)yOXLus{O zM)C+zAtMNg5B$zDt4N<9AOs1S0lsco2%zd9G8*y~Ii1K%yxva3@hKR;@TSmb*37E9 zFezr0=^f2y#MfqCd9BBhc}%Ot^wG29e#Q|qQ0PmEHwj;A-Fz+EyUG#$Q@^=zvgD`9 z6p$Nk@a8i74Q#PKh5wGbOXBb(Jz#z8U?ebP0vso)i#jm<56hq?d(-Frm_w5N=Dr&( za;k5e6MJoTl(U>92~q>`((ChpcBOrm*X#S7N`K6nqU0NvocJ_OC8;Q<(mwn>1`8w^ ztZ~{%csmBp8>p7+x>V9wgip>j-KOH$@CzAZLTxbs-G7@EZ(UH=!?%?c$i=GrUjstyEW?N6^Mrnk!kTdYoqpdg zw{`Qc-}AgvTT{$8DyU9ZzeV!Y}vtch#HLtOy+O(mvuC*iGi?i11Bl-&wrr z##u>w2&mFLR$0Jv>S8abcR;O1sOh@A7UiEo%IzgQQi8@H#d#@s@Qep2^q%-Se3CrD zu78@dDE>;hGRe+kfH=UJ1Z@Ap&Sg>Vc>M_TXol6@UX(jtnsSws)HJ$YsK-dIyp?sy z-s3L6zP0|ncy{cn1gR#fwo=S7Aw$-rl^*j0iMSq<8f#Lte!v;)HAJvE^E0$+!V8Zi zG9HkU$FkhCAVd0NWD(BT^Kk<<_5+qfF#6O(swg}3i_WRP9E@bk40-+2UV3697z|kO4+$p4Z zl8UrXXSh@(i-dOw_-D#R0zFBG^OquhNC#1u+}@*qG;2w1Itrz% zHY?i4c1srIilc?16`-S|&G8PwSME3nzvCGAV!2F 
z>Y#WT^NiF5odRPJCCeBqGfv}JHbq$d74#WewbNP*Rkyhlv!a=&Mg#zKY<(%1xI`n;5AWHq@UHi zW`SX}D447v(oho)MO6n+f$@E#rwSn`YiIi|Nx}=3Kf;2WW)@>$MylK`mttbWMXTF! zLrgr?_b!AmWVI^FZ*0-;A9G&6qSYnTYKVTh&m7`XLQpdfgb92@8!mE2DGeJ=0|79R z*7C|i)FyWz6~^8<#u~`AWt~6TqOHz70yUkq!!KqF_%b9I7{I?97Mn|xi3@(Yg7RA{zC1g?HvLcq`^Uu&m8fx zg1jk8pcGb=JTg^ntmO;*OI|jgQsl}c%r7n`@J%ha;EV$6^p@mAxTn1dwbCd~u93z2(D1YVSXKqd3R{~C{mA;=|!+bx56rP7`i1IY(6brf+?f7yu-_%>H8d+w}o3LcE zbsu}g^>!1!Kq)icMj!1CX1Qd~q`cR3->G4%?5zueHlRvgXJNo$D=oj&Z zSBq-(?O)>Gb-g9F;6MCw`QiWmOZR{~@)I%yAZW<^UioRkKd2?HnHUTa3a5%=R# zCte@@Ac5#74N-$8HgjZlr- zk{OfT@xG!)zi6Cf86(RAQ<9E6=2Gg6I|rGQ3ssqhL=|lX0lB&srb-LPCA7ga0`!|LO?mv`$1+@c3&${(J3$YgE>UdNRR`#6}7{4%#y)&^M-WXC!f>-& z#>ALDLSnB7bu7Y)COB8^L&=-aG1pdoL$RK+t23WdmFm~MVfY;s($ql$8CJpQz6~mL z=BjD|vEH&_j#sIZ#ba*8Yk`1fi3f^cIB0`qFtDl`sO4L%uZ7e@?doPTK!_ZcLG_U$ z+T&lK(Iax>KXlQhLn-&^;m#*`I{tu#njXLW09Bi&8Dre7#TzV=KCNk*NIJA=IwQRR z?Qq=@^PM4di%!^*6IwTUp{5)5ano*=RogbLMFzkZz0ZIHtwuO^NBCfmaIHts8~5M} z_<5R*#6nrz=8`$|lhbEM80`sIA+1!_*ZYd|;<~hQNovuwK)*PkY3nFqzE=k(EQe98 zb`5tAb%3jy>u%b7)$tWDma9(AVyJ( zIn>16V1S^rphV)1JQkbHE`xIQLgS^aW)IzHGP^WS`o>*^&z^85$!;5@Tx53nV=K*~ zZtn8BW%2EOiV9D{$|4bOIbuYOC|pTU+rzCKApc2bQ69?2^amh`10`|)T|TCC&;)r< z6arNd1JdU}wma~wsST>Ea{i3Q^$u{FPF`(OeqTAbG5u? 
z!+az!%)qrW035nf2AUHIS0S!CLI3!H?nFF+l&(DCvGD&y848yV1Zq+Qv~KuWwYR|V zjXtRlu`BPZSv^=bRhxg7=HXA8uAu5c4WOIQ-IGky!?sy%il%8h`6t(Z)|;qmZ|r`v zS$Am+U%WG7ILupbnD=~`DC_qFe%?udQK^2H&yQ31oqNft4n^wf&p>Jk(v@sTiZ-!N zSz2BU>0Fj951Wvloi&S9wW)TcsVOxJ3M%=?X6SF!#@D&V#H&pGK|+Ry2a~5-X#q&5#&EkUOa0Ol09N1e0n-Z;jfX<5mh)}EP z9iUR3^Gd&5}XTd}i9seL_s$JZl~;eZXgK$DEqBy#v8Q2ZU8j(}TRSHlo5Oq*;W6gu0g8uSqM2m`3y2X znDQBwn>W|;^qG^WBGd1l=MV2eIa|`6mI@$P9=gJqa5=8Na{TP*3=H^2k#^{BQeKU% z$ULGCpIGDb?r}9UCpat{0YY;btxhc16Ao=MDOi$XD9BUp0?J)z&J|Jm3n;=eAE(7j z!crt)B|@6!t3LL-IjyqVe;F`eVn?ZuTB^>gw!|)Z1-w0Q3`N&W9u4#g@gA|V3^6`tYrnqtL zahR03>6^us@SfW%-?8=JADsfT0nn-=oFZP4jX0!3DgHICRJUPM|B^W~;whnI$q;uE zfxFUhs52Qij0zmMlQ^vS7AT^Fv+W69Kb5c7y<&l^E)#KDocKLiug{I;#8?vRCm3(Q zC{bEC_k7$2Vk+4aDGB6N)UsSnY&?5&CXwFiHrK{1{EpsS2dA@a2!D2@d}{OcKx#`| zO*p8DK<))j4i}p5DyeK4Lgj-%$_3u_#* zY~LFKIP(Z%yz;=iRQa8GxVhRW@$K_FJT8-_&==~hGJO!3=nk9)-G0xkK*SFYu`4(2 zw%gb(Y7Xc>%Mm{D5zegM$YI*ruWGYGwQ98mPOBzs9O1*F>y|C#t=-A?=w}1s`-8A2m<8i548bVil$~u zRMVz9b3$Umwi)Qg1@;jK?l~FV1cBa+b7J=h_0B&`uHPmFd-}*9E8O!nmzQOC&tSD5O>Ou)?T+W246@Ri};%Z%rXTPitzg z7oji0Aqq-kLL9LUg}$~12emxvFwS!O7Dmhu+s!c6`!+riC$zl1q9)?7)9qCxlK!I_ z+`6uVQn*t|Q>X*V0i6jonCt{Fh1#8raxcch{`?Nd_sH#gD_)~QI(C)rw|AZ0x5EDn zU*xO<-*4{##~VRa2Z!sLcMNt`%0Au;OJ9i>_Kb64&np03+BDX132K5Er(P%l>T*8k z%j>Sxj=_%Ip?kOCaF}LtSoK2Yx7xRQ*mG;x0Zls&G(fz?M`A+F=b0uyUkB{q0XOZ4 zcaP*nlKXXz6bOl3Bh|6sjUUV)e^ir5wtld)E8E4Rsg)g8XvZe+)ms68m(C`a+J#`l zw4G1=mc!~sei7V}R1@iDx!kVQY?Za;qT)icY&}kDSaNP#hnJ#%1sfOhL0?5w%PKICTLpZzcwiP{oX!qOFC^ zGEea3f?DEx?j|#6+D(mC6FV>|^~9b*yrS3_0_0n4f=aew5y_Z{+?i;s0R;wRu-Aqt+p8MQw31ERD$xRD5H3rK&O<( znQLf@vYCt>NpYLj>%?|$<8Qn3ldGZs%6{>}nq%ClsFws6@|1y&IbV`hF00~1n3dj1 zu{#`(m?xz*#u+8FPJ_!nKL!BiYU z6SrUVw?LfQLvzOq>(fgBHAX0p+y9X)^MpqAv!-DG?#vk-uwlIiJ+5(m0P@2$u($bC z>~ESBLsF`Yb%a%A9hbty3=5>;Oas-F%Bh1BO+f6oM%Lh+3n1?px&{w4f!JjUy<7E6 zLp?avg1PW1n_t)RNMfl6Z~Oos@l*R;qv#WL6vo!CpB+aUFnF^-O7!DBm_y?r&pZ+l zxdFy2@`lv=2?qDbfFg+r1_X<>S1f9+HI3_?Op5LdM72JA8?b)A{_iT+{w zh>&uCK!FXzV&fykUFRo6q}+Vx-~MeZ0P?qanRL-DfK#`{p5WA5FPyl-nr9qd)2aR9 
zmHoobcesN1{R>~HKBlz9%NFwWn*GRSp(bxp`4?lJB&aQM=!t^9kb40$p;kN|9(7LW9uM9!e96`Q%WwQ&T7m0Q z9Qjrp8Ga{Bc+0lJ^|tKWCLmT38N!Y^JF|Q1iU@MWqh>m&ts{1oswE5R+wHm#l?rnA zw8ojDQ-MqUa&jQ8qN4`7(F6S^2b!3H!2BtA?gJn(?NF>S#a-T(42yHr=WX6?+U;z! zg{9iNNS)Ig26fG$E*+?(d%eSJpAcB^42gOuc{`z(!7Xv%cSloh~Q|02LgH(CAEmdryRgKyd|!i?mp>m8gpuEI%h zIKp*0f#1Yjh$E=epYE)Y?mZmo{(*tR5PVg6yB>$xQ~stC4+RMhymv$IPy4{?O)IkL z>+*E2!JQV)d~y$evv+mG7dm=vd($Vzfj+~%fqeCNx2@_TrL1@L_=X=E-nAs}Ser%Y z#z%oudHhP8>(_i$RNbuk*L=&5&t%ew%Wm_Pji>ZCdAleB|LlvldnfF|vkrkiDIoJL zJPcs$-UNISp}m2G%>SU)p3G=ow&jWnXoj}-ys0FVA@BCuGe7@318zcD{E@}S3i#7L~SJyue87{Dq~F3gjr zZN8T69Xszrl=c=rVIY~ldBcI;TwZ7(%9~B5ar&VC*(K3A{aYmPJ?H{6qENGHHZ$hK zwRxSfKgj~z%jVO$JT$y8>@%zaw>QiBqtf-!Uin|uS?=g0Jd(KHJ6}!B8sVWo&6M%e zByIGIpEx_+J91b))#hn9DOBs5dZ`j?9J1Reo_2M*!W$<$kkS%w`ZRk;Un_5`ytso} za}6omlImF;>*5VHDVy$EiDgn4kA&b^;j9GYzB#vQ@fOm=mk%bnB zqVfs$Rbu;5LMP#Xn^M0>yb(K7#u7~GJncx?r$g^Zac%OZWj|#WuMm05j{V4w1)>X>k4q#1D`^Z{5+-Ld`Sn!GU)zr4Vnv;HFJ zWKbA!1knS^eYP$s#eH_^&M)u`R05%s(+Cn=wK0TF2~D|g353o7gld)N6BS1ZU5Ad_ zJm*E?we+`8sNB!y>LXa2#V8}rf*oL<@v!ApB?e+g|AfRWKlz|Tc$ zj_oV6=T(`fUXeL@HO@RQieTf;*qv80N0H4GnMJ6HbE?j{VfYPhZ6r>8vEAHoo)V*z zHt|9*Cynw7ouFO?Gmq!m@wy;hQ)vl3-v&G0yPqda_AWHg+fkMqk+zj#sJp`VuIJc$bF+E{zfz)oO?CA~X?p7uqhojusHsJjlby91}FI3Lbkf!{eld!?jUF(lPaA zObb<0cI3t)oA!B@{gAEQ)qyw80OOjv$DszdbGM5#(hJ|ovXCT!0&rX+3XHT~QfhE| z&iH-XZ1Sk?8#-+$b6nx=+#P2xEjQOu429kF3n05|gfq16rpzVw-OW3`KG?)$Ser3K zgdOC*o$*_52#Z@BXfq<`I}j|r(G}nlD~LYG4rvgK|@EugedV1dA+6Ty?2 z_JC+zlTnLu*Q`59E|7osoV~1R7ox-Rf7ol$0j7ydt6Y@3k89u_5F^MB&*>2e)fH)< z4Z#{N$RaNIx@qbGKk^Mbe5ku;nZ|z5_+G|yl2)xa3HwqJsM~lb17QsD;7EA;$A0T5 zDd-{oHA}NC1wT~aLm*8+BvkN&wE5`-Kw=^Yvo7J$NKimQ7~`RQ+~sT%v+gxXX28CpB=pjCiY{kxNjJFp7-3C z&RN5Pf;SD`8!I^)=s||b$p*dmP(S9xn*(~?-c!@z?-XX5@IE>BIWPFDx=pp(Rht;g zg!i%G7QpT5K_HuAQ*b;gIhWV#d%um*@7sK}*)B)Nd%sHi@LTk4GS5?gVTF~&O_41i zuii@6PDKhde3fyxmQNJg@2?^57VC+=xYWX%W{%hTL6tWm3#v$x{X04ij?~=1Nmzx} zAEM)0=(|mVvjFXo-}VIXu3QpQvL_ywSxoWA1EIy#&M2d$7D1oLaf2KVnDfGMgK&1( 
z7@x@N0*=sL90A2t(!9fcJPWrkjq@;U(!yPZLWoyk6kwz39DQznxLsg{0;>L%9pk*$w3`JZ10vhxBV{7v+@SHf=s* zegOMT=hdp>@6Ow1`L!!*^ymIk0(7MSll>SM2J;=m{K7GTANmV)MwoS?euhKge@S+S zTjqS5E9S&q=ip8o;jLXexI=1bK>Y=WjRNWq1QO!W0+fX1hA20o*P2^s6qthvC5W3l zvA4KsScukiJ);fpz#~fl9(|KclwM{dS7do49t0jH@WYsgZ01QV-OTWqqMZuyxxjjf4j(6iUCROpsC}5 zo5ulw)zQJRhPCJMwNCu3E=Zz4_afm9%0%s*2G6giYwvuVQ1Ll@`2N~Eeq-42En%s% zw~qO-+Q16$jXlv1ZkGD4e?cbHq-l6f9IP)r7Lr+m&cLw(FB(7yk~H&_4RDxN9@+Bt z(f6Q@Lt7|hwJR(R9kR{sy9mB}j?o*%sbFw=2BMp`D#vNR6&9{JS}!^moUBwR zC*|LGVDFY!@U7_-LHbQ5oCz(KMp!<&(Wz;GQWm*jBkD$A$=6<%{69ug3f4FiG0s$t zlTtz14*{Qf6cMe-fdmHNknjx5G67X8dzGYsiHflP1bf(itYQ=QPSXjHzSEcz9^mW( zO+7eN^D#YG-zw}z4|Zz?8{UX)EbJi?C~?AIQEnnil}T*D9ww10Xd5K*1c6*_x5;M@ zy6!Wn8Ky{9O}QCxE6DoHSQpG5B7-eZ&l!zKC3S~uKk2{wrOh-+TsCYaWv>^Dw&YE| z3bzqeoTD6mYfw&`^g#cV?(~&pfDha|f-hr162OQ%#@1M5?3L6JKw@cWe z5{GKR?#EWsK>8_r+wsZ={CN^~w!^^J*Iy+I0vIXu>MTYX_2p%Qk9N9F9*2eV`5$pjUh zoQL0g-bZOY#b=1)XY7H2mQZ*Oai$G~$ta$B-Qpk;7dXDjJg@3zSGJ;P>QEUx4JvA& zhG*(x=1(pXDM3m>$|Pv zt0m8GWa2-Ya>+AFL@@Z-Y5RV;RJjp9jmh8tWWa#m8p6o}Gvp^eGG)~+*}Uf#za}q0 z(9dqhGYiXjcb9k*JBdX0dI>t$g*J%tg5MzMNYU2&l@C>3VApfQpQlX!VKT5RN`DYn zf1dA}w&E#-W=5;0 zTBuOaZdW{yp09{jY6$`b4CY+JBkE*$lMfnk#3BS;97^%_r+ z4=drZphnd3ggz=rUO%>f6YyR}yy?{ZG`6|{YL9%)uJead5>w3tGq2k6YhKs1)+47z zT`^;Xq#B^zVoHw=PltFAk*JwIxn?gw9i=Sw z8klZ}%uKd$vKZBRW6%Xc^^^swbwuj5d1s#$Z4cH##Py`zD>1LPRneAp{+RWD>hQ9E z$4L3(cm6wm@GU<$yc%=!+0=#>@0|D0z%}Vnvt*DI2JZ1I>%~$3$%|*lcGArX8(stS zdLC_{%I{@S<(c@`Bs6p8inCRgmnRVg?bqBUyoeMOl%$M~AN6=)K9w#v6$de*IpW!X!JV z8WgGxbn!CU9Ly=GZ~^Sk6>lVHNw)NV^4}m|t;(9z7X4_j z$!OKhsg(tN5PDPMwzm(WZgPkiGJ{Uoc{tVb@5`tF=UuK%|CLUD5KoXa`1O<8Sf3$x>|$@b9qWnORYXL(!Z z>&mIV@`Un~>@b-Ies93oWuhy>)~=Y{xrGk=QZ6uXmM~6=Td4g#C3llTPX}ER)zW)U zUr3{*Izs*NNOjz?p9kyz|b*egAmZR)r@dJKwIv9J^zS167gp zUKq!OWZx;Y&k7Bi|81ZQwM#A=b2F!uA^>xn7c#ZhRfgmv-z7G##OD)b1<&{l=3K!* z8&?iO78szy!$kT^N+p`azj*2PaNV@kVnO-kgnnWYE-9**h!9cVf9@_F(E2U&G-I=* zNUml?X7n05k0epEB<@DAKLG}`SeWNLA0g<;VT=#J8%^Rm99v++Es0{ z;?moPYHq5K-}cDETbw3g9KO+MQSN4Jtg_9_Uy2t(Jgw#KTpSr*lMn=YG_^f2=8)Z4 
zqWsNj#4xmD@Of{#PupMw=I84jd=^f0T4pvu$OBcBrG-1Rcq}c{F-9lWD~x3EIr~Az zq0)QkG$t3AHbzf_kiI+CjQjA=W4ZU zcmi7`b!2WgkL007*FCGzrr>CM)ICRV_e)Ykas%sozMht=zlL$drM$t3l;1pI{o zzEgnlOcG)Gv!;=_fUM-0%=32HrC(-HHdZ3N>yaYY_lp@FwfQkUd^e-*P<)+|Jtw)` zr=6jG^yY;lb^FqO;piasgTAm&$M0Z@H}pzOM4279F#B_WbQFa?Bq>GX?4OznBLJ(x zt0ofc69cUK{;O7rWI_}G8~%OBw1HBrWS^<5#iOkczunw7ZS~)h(v6kYD&qj~=O8#( zMbbTxowtYMc2Sk+p1OGr&8^bZAYl}sV{!yuM zqS*jmRtpwvmU&&a8>o07Wz#vtpthW$qft@yT(@1Xn|4zc&4DVc z6#8!heX7wv4z92wapDzLu!5SovgVS;OAK`-1I`-~V7!onEHU(PGSF;flyARjUW9%m zRRNz?oCfZHgglufj~LXxb^-_@X;(Lk|7Oc(Rf#6oymWv)AIyVqR*8~PR}27nKwU&0 z6MS5qN9CcefU`kt6L(7y`VrKsE@9P3cKpXI9x1Uv!Wxnq9z1C{jMi{Cj8cPHTE?V- z@uh@9qm~ZZF1;8xeG)ueg|1nU(4DswuL9a?qsKssTAWtUL7*9BJf+_S3B;!)&Uwgx zO5>Ujr9qj%qvGFf#oKb~cVcaw^>LTVGW^a4isN*fNGqg^_^P!U_MM@j} z%#_0g#H$RQ!osln;}j|h!NeyBCs1mY=WUf2cShKQYvi&&^1HfJZ$(7Ox&6hP@J9py zRrM5@>9DY%bLmYfnekAe1K*X{4cwFXyvL5j=Y#A=%$jav^`0-k@eqJ|(7FxPcK)rh z2cIt6H0zH9DL~Ex6XYF1YB;{c)14z7Hf~smsosoNgL4VxuleJCb>P2fkhBVL>+ru% zx(bS7o@&4Uo??4Nxy!3eI}9u;%vZ%-^NmM3-*yIFP14UoN|y0+Y(gKK z+*;Ky0N=~wSG7%D<{eK<(vy9RId#i$CKgVd6BSxOfds{h>~|r`O=WI#|eSLNKo^dV$HK>x!W$+E?YUqkU#H@!i$r_hPME+AUrBOb4og>Xpb)0KtepHBqJ%V3+gQ3`w6^*Aq_xDIFhj0y6*^m@{RlNic5 zWvfCu(@WoMH_fV9HrtMQ8D-t9`CM+~1c%j6O$^pWkA-Us!r)Nahr&h9k>GuSwN^`6(_@3LT#;c`usqDzDnZFd7X6_8+Yx{C&#k2Z!x z5&d5A!9&vr6Wcp3!_;-O??nU@+q;PcKy@<<4h6RyQunrvBg9sr#frsq)vPNw8@{*8 zug{`st5NKe9&W1O&U-k@A&VHIT}FoZRqK-Pt}L>;T;#Jy^@`9Ykp}=bqp-ix_K*OH zGm>>=VxvKDp~6=nCrbz>alsb##7+jM^;X@MJ<`_HTI0kwkj)DLAS7P+(4ULD`=c{- z1#6|?eVEuZSQd-29k{@sTL4!A09n;jYNSK30cFxs;N`>$$c|0|9t)9D(OM}gYtn%7 zX0eD%fAezYb*_gE~u)LsXPqn zx$a_pQdrPJXTfBc)xd2Yh&ASJK)-}16MtejvE~AIe}$Msp%4?z+O6B>Te##73_Q`S z+l@j`3`Y}iQ0W4A?FvN);>t@0lA)Xr6``E}uo9HMzJ>FvrBh>~LKgy8yU$518DH@t zim>Fn&GQ%X zBVw0Ed`>H0Fsv(%b)m4JeVG6z3$1=k2iuju2wh@)@8>_w9rG9XB+mZg{zFOd=E%Jt zW_xalR97m?C06A3*ppv&1V7xi0OEQMF_94PR-r$hIT)n56AcjD@;@_SZSn=(*DF%> zX9J-vy{^!)(QaOQ*ZAG#o7ue;dAUt9>7r?FN`bGI$Owa^{-an2lluq#TW`rKc2(E3Sz?X%L>>;TRMCp=2|QACXJ0tjx{g-%1f{c= 
zb+cNq=VjTJ8@}JxtnTvJ!{K_KbNEjT{#L`k5%9w^mgzuGDV2Ci#msKD;HP}6YwB$* zX2s^b5N&GEsF{$qi`?=r=||S_`lN#?57eSDIJG$0^OUf+0(PokLAEjGjm81MJrU@x zh7&4KSp-cpmU@4lqc_WWq3R}yK94F6dafJCoO+mq0%4N%U$n(D-@$(lJm0)pH`_vbFMQKVtLJ9BWu!`f@_8Cw5CwYff_~^h@p^rRm!+GdQ;QoY>3jVYugP;K zTiKy3B~urfUL{Z@6*mFKj^*0CDh2m@;?!-M@!=NHI@u^E0p;vVpIFZ{u%LS-rcSzv zY@@Kb} z_%quqZB?J~ihw2Gw%(&_r@t6Opaa%&*!++p>YQjQyQU>}`x<1B9rax0u48J_4Z_Yb%!vH>pet%JaVh%-N-5(H$udl^ZdnNvqEx2|Oc?n)}wp1ap z`O{2GU(37urXkv5OpFZ>qnpnr0UlCV7MuxWi6|uL30VB9I>tH$r1zvxcj7KBy4PV!4BBnM5wD*R}0y2=P0Ks)uaa2eiFaRXZ3T;OY(Dh&1yQ*iw%_M|x ztlRDQ+40$sXhBRZD#fDX*X#W;dkfB^ z#T(?Iw<}!^S~rVomf~Yv@dJnY7gs)dG=czogP*!SxvOmC6+r@PJ;9p7oKE(lZ056; zIpw%CO|rMi(LT=4CE5Tt)3ZZc76+mN#I#MXYMc*xs1;3M4PMQZ6_RK7s;AsE$M;+7 z3g$;_@_O^NTG>^)>6r^@|LLn_Gslass5FIz1)WP|^XaAj$}-2~@b>=7qS3>fU>uFcU})>I-0c@XuY&89{L$JM8Fn zFlW4eb{tU2kAmwV_YaO=1aBTaJ3eu4ny>k)sJdD6ulbf=`Aq%?yg$C^L*I#G!uvtm z`nyM-S>_#;CbAGwt0UQUZE5bcL-FYx$e|26&p3VQ0&lX{(WNWo)kCY4-e3-H89UJq zQ8-<1VN;a63-h6z1qR1kDi8M+aKpd7s{q!T%mr&(_amRx+fFuY?dNG;EEKIbc_(1P zUzEW8ByjPXlXuZG(+KH35x`y>;ZNizYoQwgro}i(TVka)6PGSR_1{RCvCuNqnRf&| zRZaafpz6}xF#c5TA(=4#wapa~w2;A_T{ts1+nF&B*w)2G9@o>w$2eF+7l=_6l$Ci8 zuxug~3t$5SBL5S}g(QrIg!#@EGQk7FZi#+IHaR0_Z-Y(jJ8V-8%EUi|<*)toip^C>?v0Eyrs>7mDHd)G+ zf871oN`U4ay1L_99~NGo3x#yuBOzrS=7bh4u4Z4?Xf0{?CPT|R#1M}$9)vj3c8kFGY&{3FqFcKYFrF9PYkxb7~^ZMH?#=mNc-o{##wwpsWc zLma^Cjf^}*YXA7z@he}jW83mW(iemqX)taZX>P_ibPy4!sZ9Ndi{-Og^&Zf)YR4L!BF%M)Su>xVcML1V7rUx zOygT0z9)_TzAU;~-@8Qskz|QJuV1)jcp)4pJSF0wWUvv)8gdjqh~SCcwE2wh8tZSW z)uKA5&_iTm>S|eSy0-j%%T@mH$4fzmUs{iGgO70~#<&6X1q%ArV?Ym{f5t=5KpOh< zXU8wChsfF`^rU)JZI;sXFxnotXpb_umIsCx#2`TOJ+5(P9UCVA(S60r&Fr2%LUcBq z&ZP*9n-wzjeLt$$Ct!f$e32EJLW1CTB96)X3>_u4DQy4 zdu!l`=Dsn*NIK5XmZeBJ7FCz?30QZrk!md6z}5(f8js{)DP0p_@yDUCf1)a+z9}84 z^Vea7rtZx7b|px7_Czq>B`4O@ef3VEkW@#4C6rbihCD0jR5^5%~vGG!HN(&&IJuv>DJZig8KHRom1x_Y{3eQ7$2xqWhA} zE$xT$H9)!MXG9AIh5UG-dU*@ceU1 zU1h+p!iV^6RUsu_K6;i822SLl z?@P>SBSg>->cJ3_d<;ar9LW;(+W`H&ry0%1V}T+-=W^3-Y&NEbskpTAwWNQBfa5oPRvL{i$2mYLCpsuK+&m`-Y+QUb6!El 
z0&?~Bq(^jL;f-+7j0%9NkN9X%iNs2x{XoSOhf+3%lSVZSuo#U2Tg`P>^b5ShHqKpj z$f)*~s4Lv!EV+rjx1Gh<7TG#-Uf3(M-?koGnVsTnXPE}N4HyaUbVAZwt+Y+VcSMrJ zm?xJ{zp{EnIJcF%kex_0>YNQ+X)}`fkxI z5}QV_BZ-LwbdUo46h+0LeLZsa{e8I3+YOs^k~GPQTT#JWM1;rtyAd`(`lzD6g57XT zSL9O}Hmc2-uA@itY3@kiQIE3H=Bi$o|FsZvI$iuPj&ZkHPa37Nr8F|2UkQU4+axK#~-w9w6@+SatUe z_kR~w>dBg@>vC8l!8jb!Uoge+sqLU4NgSZ These are only plans/aspirations at this stage, but we are sharing with you for clarity 👍 + +These modules are consumed and called by other modules within this repo. For example, the `customerUsageAttribution` module is called in all modules as you can see from each of those modules `.bicep` files. \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/CRML/containerRegistry/README.md b/dependencies/infra-as-code/bicep/CRML/containerRegistry/README.md new file mode 100644 index 0000000..b2746b9 --- /dev/null +++ b/dependencies/infra-as-code/bicep/CRML/containerRegistry/README.md 
@@ -0,0 +1,62 @@
+# Module: Container Registry
+
+This module creates an Azure Container Registry to store private Bicep Modules.
+
+Module deploys the following resources:
+
+- Azure Container Registry
+
+## Parameters
+
+- [Parameters for Azure Commercial Cloud](generateddocs/containerRegistry.bicep.md)
+
+## Outputs
+
+The module will generate the following outputs:
+
+| Output | Type | Example |
+| -------------- | ------ | --------------------------- |
+| outLoginServer | string | acr5cix6w3rcizna.azurecr.io |
+
+## Deployment
+
+In this example, the Azure Container Registry will be deployed to the resource group specified.
+
+We will take the default values and not pass any parameters.
+
+> For the below examples we assume you have downloaded or cloned the Git repo as-is and are in the root of the repository as your selected directory in your terminal of choice.
+
+### Azure CLI
+
+```bash
+dateYMD=$(date +%Y%m%dT%H%M%S%NZ)
+NAME="alz-ContainerRegistry-${dateYMD}"
+RESOURCEGROUP="rg-bicep-acr"
+PARAMETERS="@infra-as-code/bicep/CRML/containerRegistry/parameters/containerRegistry.parameters.all.json"
+TEMPLATEFILE="infra-as-code/bicep/CRML/containerRegistry/containerRegistry.bicep"
+
+az group create --location eastus \
+ --name rg-bicep-acr
+
+az deployment group create --name ${NAME:0:63} --resource-group $RESOURCEGROUP --parameters $PARAMETERS --template-file $TEMPLATEFILE
+```
+
+### PowerShell
+
+```powershell
+New-AzResourceGroup -Name 'rg-bicep-acr' `
+ -Location 'EastUs'
+
+ $inputObject = @{
+ DeploymentName = 'alz-ContainerRegistry-{0}' -f (-join (Get-Date -Format 'yyyyMMddTHHMMssffffZ')[0..63])
+ ResourceGroupName = 'rg-bicep-acr'
+ TemplateParameterFile = 'infra-as-code/bicep/CRML/containerRegistry/parameters/containerRegistry.parameters.all.json'
+ TemplateFile = "infra-as-code/bicep/CRML/containerRegistry/containerRegistry.bicep"
+}
+
+New-AzResourceGroupDeployment @inputObject
+```
+
+## Bicep Visualizer
+
+![Bicep
Visualizer](media/bicepVisualizer.png "Bicep Visualizer")
diff --git a/dependencies/infra-as-code/bicep/CRML/containerRegistry/containerRegistry.bicep b/dependencies/infra-as-code/bicep/CRML/containerRegistry/containerRegistry.bicep
new file mode 100644
index 0000000..11d4134
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/CRML/containerRegistry/containerRegistry.bicep
@@ -0,0 +1,43 @@
+/*
+SUMMARY: Deploys Private Azure Container Registry to store Bicep modules.
+DESCRIPTION:
+ Deploys Private Azure Container Registry to store Bicep modules.
+ * Azure Container Registry
+
+
+AUTHOR/S: aultt
+VERSION: 1.0.0
+*/
+
+metadata name = 'ALZ Bicep CRML - Container Registry Module'
+metadata description = 'Module to create an Azure Container Registry to store private Bicep Modules'
+
+@minLength(5)
+@maxLength(50)
+@sys.description('Provide a globally unique name of your Azure Container Registry')
+param parAcrName string = 'acr${uniqueString(resourceGroup().id)}'
+
+@sys.description('Provide a location for the registry.')
+param parLocation string = resourceGroup().location
+
+@sys.description('Provide a tier of your Azure Container Registry.')
+param parAcrSku string = 'Basic'
+
+@sys.description('Tags to be applied to resource when deployed. Default: None')
+param parTags object ={}
+
+resource resAzureContainerRegistry 'Microsoft.ContainerRegistry/registries@2022-12-01' = {
+ name: parAcrName
+ tags: parTags
+ location: parLocation
+ sku: {
+ name: parAcrSku
+ }
+ properties: {
+ adminUserEnabled: false
+ }
+}
+
+@sys.description('Output the login server property for later use')
+output outLoginServer string = resAzureContainerRegistry.properties.loginServer
+
diff --git a/dependencies/infra-as-code/bicep/CRML/containerRegistry/generateddocs/containerRegistry.bicep.md b/dependencies/infra-as-code/bicep/CRML/containerRegistry/generateddocs/containerRegistry.bicep.md
new file mode 100644
index 0000000..0e3e2df
--- /dev/null
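Review bot: The header comment and the `metadata description` in containerRegistry.bicep call this a "Private" registry, but the resource block sets only `adminUserEnabled: false`, so network exposure is left at the provider default, and the default `parAcrSku` of `Basic` does not support private endpoints or network rules. I would either set `publicNetworkAccess` explicitly under `properties` (and note in the `parAcrSku` description that network isolation needs `Premium`), or reword the summary so that "private" clearly means authenticated access rather than network-private. `parAcrSku` is also a free-form string, so a mistyped tier is only caught when the deployment runs; adding `@allowed(['Basic', 'Standard', 'Premium'])` above the parameter would reject it at validation.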
+++ b/dependencies/infra-as-code/bicep/CRML/containerRegistry/generateddocs/containerRegistry.bicep.md 
@@ -0,0 +1,76 @@ +# ALZ Bicep CRML - Container Registry Module + +Module to create an Azure Container Registry to store private Bicep Modules + +## Parameters + +Parameter name | Required | Description +-------------- | -------- | ----------- +parAcrName | No | Provide a globally unique name of your Azure Container Registry +parLocation | No | Provide a location for the registry. +parAcrSku | No | Provide a tier of your Azure Container Registry. +parTags | No | Tags to be applied to resource when deployed. Default: None + +### parAcrName + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Provide a globally unique name of your Azure Container Registry + +- Default value: `[format('acr{0}', uniqueString(resourceGroup().id))]` + +### parLocation + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Provide a location for the registry. + +- Default value: `[resourceGroup().location]` + +### parAcrSku + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Provide a tier of your Azure Container Registry. + +- Default value: `Basic` + +### parTags + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Tags to be applied to resource when deployed. 
Default: None + +## Outputs + +Name | Type | Description +---- | ---- | ----------- +outLoginServer | string | Output the login server property for later use + +## Snippets + +### Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "template": "infra-as-code/bicep/CRML/containerRegistry/containerRegistry.json" + }, + "parameters": { + "parAcrName": { + "value": "[format('acr{0}', uniqueString(resourceGroup().id))]" + }, + "parLocation": { + "value": "[resourceGroup().location]" + }, + "parAcrSku": { + "value": "Basic" + }, + "parTags": { + "value": {} + } + } +} +``` 
diff --git a/dependencies/infra-as-code/bicep/CRML/containerRegistry/media/bicepVisualizer.png b/dependencies/infra-as-code/bicep/CRML/containerRegistry/media/bicepVisualizer.png new file mode 100644 index 0000000000000000000000000000000000000000..4915330882428e3da33db1994f43ed47fa59efc3 GIT binary patch literal 11001 zcmeHtcT`i|wr>bT5Tr;|I--amMWq=C1nD4EB+@}ZY5?gyh9VZKiYSU8ML-0kcLIun zAT^vU?j1K{B-zPYYwtDtT)#Q*8yRRZ(sR>;Kp;jP zZFLh62uuqCQNier0RLpy3-AvTl)GSG2ogGL>21_qB)oX zyt#ol2t=Jp1)>JNsSf_j1phS(rp=`O>zWF7Fp+H7h5&)Y9CXxGO@pWw2(I2%1B96s z45#Iz>ZgI`k5)X(PddD4%jqJ4j--Cm5fsu0(iTjD+vw}VE=k=QSJKFJyEXnb$4x9n zxBUv|U78PREUeNB_DAjF0v&!pmdczuUwBA7BC@JCm7gv|hg#vB2+4-dQ^M`(VtERZxN0+QRc^m7v0;;_oHEM>-816ZH1-kv|Wh zW7=doyxkr6S*pk=1KtMJKN|raMg1@KC{Y8E$8Qi-toX##PqZ09=*`?P)bf38{yalDR?gam$5hK55Pu-;eK%Jk10{X@j$al5JJs4JX@JQ8AH;f)@n;P?(1kqBx* z)5e@XWY`r>K?SLz8fM`vnkdLuNnURFkCxG8+wV|BXA41sViSntSqWb%jwQghVg zUeP#%znPJ=*SJ#QyLT0hp&O%nyW7^@y$mmIvC+|-kq%n6<1!k;;chrMWJ}mKjX{p8 z3K@+wun8)(*Nc4F2kSq-_~};9E96;&m+#XR14q9+KD&zPeZqoP;t~}XFTc-rHcgY= zti%S1uR?aNvR-T01MIao!&08XAA1iCre+LZ94-}R2(^1m7cC*}+J72*P7p!|?Sfws z=f$nJJ0v$V$m6D4sBei_1A2^Cpcr`+A##Co}n zJZR|E;1~yrHFk;jDB23}1XEWUK^x{)Rvu~Bi*ochb?5|>U})UZaHeWhSv6Z#96S!R zars`0eV+9MOM)buYlFrA~G-SB(+H<>S^;gW#2@p)}?XB#(gw5zKNa>M6A z9NeDXg)Ar=Y4l7s6BlzHe#4@@NNeQKQrjbe-EkU?oIbQ_Scw56(ZbTnCu6tmmpmVKem}cli*lL%YV>=7J!W9eg zL?;T}fd@h)8_6btTg#SSjRS+;Q65}$VL!GC@g5*_60t+WhC5~KYsy-(# zQSoJH;-*$Wgqr~7*GoP^*N^Nd3agPh4NLo5fD*IdksvSnCr_SQbj`aX7sHt?2RO>d z-V{1_m!=iYjNC=ozDIgVl@4adhWe&@9QaQ<6Tn-y-;!$3O?(ybyo)kQEw?ht;{n&0 ziS0Wkpwd^ozlSOx!0lf-LZWwV?Od)GSywGf zzPLSiljq`_4ov?{?e$b!Cx-p){jzj{CU0t)AF{JhEE%A>Tl20?FO5vAGm*MVTDP{ zq(Jb%C1?EDHpaQKeDBk{8e(Kep7Gt<4V9a0Sy+}i8%p}Z=A?w;z=vyRr05k<}yX3;2b2`SJJb>+4MtpinhIY4oFCzkan*7hW1@grfnQ8*N5YFZ8}v5z4)q7@pd$g31^8f&E~49+}Rxd z$gJX_vh~H#W2!y5>h=#!cX#*B#7L(C_J>?jRk8db?a1)C!J>fq;nHE)8P=oqi*<7z z{W&@TQ|-qUgMT^BQ?_cnarwppB-}ZCt*^5(XX3>*Un)%|N-*_|@0xBl++hdvwR&Vj z+0j9&@#36@gyFGj@uh|#Hx&$d1zT++)vhPtj|uk=$?eNc_nqmkyzDzY+@GsgzL?s{ 
z*RV&K8|>|!w5bnRfO;8=TzzH-ByEY7hAs1T{&U^iC(Ym>G>V>ucLy7pK{0~2G|z_$ zROl5y_d4U`6kg+8-Z6SKfZ(w2c`Zv%00G<187Q*4wUAftJDaU3@dOHmb`SKW2720) zKW;tkNt5j?t|N&lhOWOGz~P=jKX~M=rW7b{FLldZEXr<%Q$vd=dyl@ z_reflrb@D}`zu4s_SZ^KNR{o89;?{BW@_f)hTzpPV@!9(J_&&-lb;B~E(Cskb|GMY zcLPrdoIpk$VJsUQGz*>0O`Q+KY^N*U9Mm11uDSig18_rCx4O7_l!D${`+PZb5Gl6T z7koPff~Srn?iQzvU{Dy?*3@G&z{@c!Z)Wb!8luW3cBbV$E5Ch=eW5JxPcp4e7#d%f$`5QuF)P1+K-$sM8MI~~`!y;$EJ@@wkLI$dmi28xAF1Mmz_o_0rtFr{A}`aE$v@wzSS>H)>A~q^LDoj!vb9IQ(|vQS-C*6(Lvv#MpH!&d>dN`a-tPC<=qVJ35d z8~dG-_2;X`^`4%;&9|PNs7zX~y#&SB0MR<6J+-64=cg`0vX=DP*5XZ0Gdv?X9=h9? zt%cW@Crt61lKZp-My9)7Sc7u?H|9rvh+GuwHR{d1qd)VDnODJkvAlXbr0`t6HiQ;o zbvuS(dOUcBj|=Xic$(%4aM++LsPwfOs+tzTt7Lvn$Z)GpTgVv25q;ElTY8+{mf(@% z%)FJb*u)!JKa98MPd9%`b@_Og(X(Q*abw(<2Wz}lIb`E*2wQuicv0o{_vpFJftGXL z`GtkP>5mf}GlIS!4c%U-wr&#ney-g}D|~13cKxpoae|)OyoFXaqp)V2w=nH!GPL zv36!GG~U8x{PS?BgY_hCc$jGAlm|Ch(xHnM0geb34`)=v6*aG$Tbm|OGj4lmuHJre z!dkU=Xja?r(+5gj2;R)p6Gl63HWD{nkyDtqG$=r^$8XJj_>q#W!Rg5#K(88 zkZr&v+6EevnSA%vD^~52wpzx()!0RxWlIzZ6SC$On5O>1?4-)xrb8gdT`vUv9Y1c> zY!JPlW1-z_HD-6Aww5pLaq_uY5)%Ygkb}MCK2+>4455rI66&opMf4z2fYjLmsh19{ z=5*(^nc~}ux~haJ!b%QAyF%rjh2+re;iA4Xah3r~rHp+k$hHo#P>09kNS9#?sWbZA zIKA|`1kW{H!&qj40JRywGA68POR{govk=*vfm8EX0}bDnO~lsEMN!LaiA31?v+y~~ z37@Vc=|;x>&df}sk6LQ@8{5(RNw>BHK1mmB0e}1n7a6s@ z5O#$m7CK|V1+<#=TZjyrR~hpnn`RrX^dPh z>57|$=#OHFkqHeP+Ach4VVk4wCE?#ht+MG0E*}+pI4zLVqpB@65wkaz9#R-JaM@IRYJL0k!)pXRgYu6GV6b18h$M?A;7+^({ zurH(cBKGg`3zhm90f~UBY#=`(pw&f@y)l9RUG>qnfKlAr+j7!rfj;eFoIk{O_jO_>fO+D@+B4nzlXp{_$Y%nhF=1Oi zq2FS-#*CYe`B`Whh-Db4xJ;?y6>Tjl-BR$W$|X6$3>je`qUyV6KL6Si2cjbiUnS^1 zs2uVVnV68dF`%`2yn}Xl^Wn2Z?|GxBaFgnxstV@!)96ND#c2i&fHb}ZWp=_(Lj-3& z8*U5fKb@A7UrYVPvEMp4lgThWMY0mRT&2n5ce-$!$Azf0i$iy0zxHb6l(ZrmXc0|x z(hYiZAJvJe`kr`#GoKr4ilk~>togyj6(oA2&-GZBW$*d@t2+3d@r|Y#(rcXv5^g|f zu7j#^$mx;w&}G|3fAJ~60=*NK?4kg{wZ z3oDxVllpWoE-2YMXvWV5APqFjx2rYsSOzO!l?po<8!e9vcoFu(S4)K!VPASYh)N1$LHEM4CUZYw~E}3&HC8*s(hGV#3cN6=e`d!xwRkcZaK|kEP zoKDtjc|s;@eIcY)e+{_Xu+1tDSr@_w9qoQ%YLiaUZZuVn=OpH4q|_DrHifvetD(Do 
zB&sY*YT#f;{pdARV|Y!nS!SI~&X#0eLD;$A)KwpM6n%+8ZGIH60_Ci65M3n*XEqr zr<=F@V4=UJiyz*c;Nlzg8t7~N6B`XiC z1X!QF9s!8-NpYv_K+Bwqb)M-HlZ^|#T}kY{E;%1lWlmnhr(7eMYEeSO9)i!LNO?}d zGy2*eYF=S?%+b{BuO1juu??BcUA#DW5PnMnyY^V#oA7-SolTYIxxdg>$XRC?wh-c6 zAQ?W!gM9mKQu)O=yER3jYV<*!Qpc9JpX>L!#%*M%aZLKWt6i_+r}=d=-2E+R8SaS8 z^Wr=1r>naWuH}}Nixw5@16B2U~$+Jo2@6{4y41D+=;`}F#oC*(`3G$m4-;A)8h9|&E8Un z@~w1vMPT(iaCFgNFkw=A!?``6e^;mpi0}1{(h+Dn0gJ<*% zxIzSO-)3hw<#n&fc7EWoKWn3KX)rdABWz8G8C?v1X+{+Lu-(LNHIf5vmi#z{- zKkkxGbfuZdy!zZZ9-nt#EM8a;%Be$~Xgz2SPKZ`O5LlLi3tdNPv$J27Oz=!%+qLCx z4A5emqJ7F(as0>U;Ysxuvi#7SXD#vc1-ef-fK}~!0Gij}!AYMYX~fxB5Fd%Y->1Iy zfQYgc<1zJgaLc+(r!O%WMt+tK-5M!+7(VwX_Ta$GA_Zg(OCS4r>D8lX_YT>$xRuJ->m*6~L*lD4*|2hC8tzyBePr zb)ipB^@^d%Y_mxrFYLn+4TOvg-(|O=F67|tbq_gHMI93j;U^3w*KxSTl3xW=s>y36=%*ReF)O zui`bCKI-^)CoYQC*+x8BNt$~Dhir*lK5}s&|a8LL&0c7vGFl=*F<1OI`Z88 zp0(*PgZiUV$yT6=Rfvhk&?Q#C{iCpZ?WumLsuEZ}y0!CQR)D3w ze83^FF1r zidHW5DE%-?7qxFzl$Yoe>XT zL#oF9%qhlqqUC)94n+f9S}qmib<4(ydV{jA3#ZoS(Tsi&)p+-YX5zepLJy{mcIu~Wcfo|Vsl=$vL`!VaI?t~vN{2fcQAU!WHWBn&X za>`$c=G&>}arlW7*v=Z%Xt5f;QW{D33|ea3@ECY|y)W#6&&E9m2s<<;scD~)N3OGDCuS`K@}FSzVx@!Nn~`!?>Ov+@DcyYivAbfirVx}6^a``%h)0H-Ww8%nN+ z60v!P^;&1#KfF#@SD_GvuL-`+4(H1iZ`L*pX(&(l#c|%n5zZ{8n|=z&XdsNhYf%|H4gU>A!$MR6taUd}g5iybb5^%+TcOmAU9CRp zO~M8~g<*f-E+hY#^G`38ky{etspg#z`&?S4*USlCdU}3}Gx=E5Lgmod7@C~k_54zs zUnM$WI^}ab&x}oholrP|L)@&UmZ9!DJdx{_3aZH!51Xy2Y_jQmDp5XUiy|cODL!pt z*jP=IbsxLVIJ@0DOAnZ1^cjFhW}!3Jk$7$ra)E8XEueAxZdb#S{R_DnJu^i);Pus^Q^{d@2!R{)^C53~-ReH-=V+mgq#MaY?)3 zL@gUb{3#+HJDV#31plGu({x0?=D{LMLWqSjH{U=l|x* zeeQx@IoZ^f>ckpk*)b{_N*+Xw=h4vR`r;oIxAg-m`jCAHu> zA2^lzP)-9ZbiF2&gGi$3lJDhU=8^aGTjdH^82u@7(oH$4iX&A9ql#|L(s(%Et+?cu zcR}W)i7&g%km`mSu`aP@q4aQz#(qp?*(kGki?ymdP)0_y7m(Cc%ZGc0=0+XC=V)vU z57=(Y^T^)B)rL(l*Be&jpAt*EkbUZnS7)!vIKPnLp)u+eN zT(OSHy#D|S%hb7>rXqd&yL$cZI-Zbz%%A%T8yEI56csNiI#GRfj`TKa@iYV+;wmGw zd+GKzu{*##Z-d5f?Vf>-YsI~2xGjUUPw&w8c`38WtA3`KwU|5)FPVAN$WW6LLh^=V zRQDyTMZBFB4qfGO!=bBZx5J>sa?vukXVq`%4ms!k9moMK7 z3&bh;5t<?n4&Uc(c8Uef#=xbGPzE 
zRI7;f1@Ss^DbI#++~=0j_4x{io}I4-jrFHX=1Q0>R<%fu0_z5 z43|2HGD%W^oo)5AJ`pyv+vrCCsm(-rfo*M1anl@+*-8Dkdb#UWY=aFuF!%7;>Hv|t zKGwrv`kh8Mi>F+vSTEO4Wy9k%!THsK^HYh_0{YLe(F%;=GpEwy7Y)5#2=s-Pn2v6y z!iw_jwvmCzLx6Bw86nz(+yI2m1aR$0&j_)^ z-*cO}fS*k+SC{|}0jResa1fy(?3nT&&Xof2(y+d0-b1WEl5B!$I@>n^agvr+99 z&#r$tP2&T2;v|MO@Yu{qxpPr&?xz&1jgYed2EI;Xf^jG+DjLBbwbT^U1j6BwSdDZD z;5R+^`1s`fh`rqmK|m(fD3&>K0k~OU!ar&%ncGUR}XAu0#nlE|Ep*iD!X)W`T9Y|+TX#%3=_GT^H+!!>w$ z-de2t_tyJQwNJmRtsQBU`Z{XlM)OMxE_?)tGL=GVcZVr!bI74$>#b`Fx~wlji5^VF zUqbUfR905X9Tw7LtiRWw_V;|*I76M8Js@al8ksF41Q>vj|Ei;rNTd(>N|j$N4{}pv z+K$u>8ImJC>#eWPz8PF1y4`*Bh;<`Ya$nEz=<)U27R>q7Olt_V)h)TrHTs-*j=3PKCg(9uV_Oh*=-Mu@X}V2!;G zC0quSt&{i=RSypJs09%JzZv~ob?N_Ka`rywkjZHHr{LUv8YmlyocwiI)S@#5Bpq50JQLU)T25&|^LN!>@G)?oe-9$j-yJWyhB%3r?gp8M{iAc@Pb0;b z|BIEGqRHBRG!}t>NCScSfpq%6V?zTVz5m>fjZXktMD8%VxxG@h`H#+tKaCWRb?zkp zT|?l;r;>?u6^nn=l8QzN=wta;Z4LQP=j1=@eR=TsOU`UcQS15-rY_j>6;^aT;B4R)LSO+U^37}1#-=hp0;5#NwDx0kg ztx`X?qYOm=kMMV=rEy<9OSrf0FHZ@yIZ6BcN4G2ex8dYJYdHJg&bI%_oo)L9%V!!; Un2v8M2W_W18V2gcSL`DH4^Dk{r~m)} literal 0 HcmV?d00001 diff --git a/dependencies/infra-as-code/bicep/CRML/containerRegistry/parameters/containerRegistry.parameters.all.json b/dependencies/infra-as-code/bicep/CRML/containerRegistry/parameters/containerRegistry.parameters.all.json new file mode 100644 index 0000000..7b5c3de --- /dev/null +++ b/dependencies/infra-as-code/bicep/CRML/containerRegistry/parameters/containerRegistry.parameters.all.json @@ -0,0 +1,17 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "parLocation": { + "value": "eastus" + }, + "parAcrSku": { + "value": "Basic" + }, + "parTags": { + "value": { + "Environment": "Live" + } + } + } +} diff --git a/dependencies/infra-as-code/bicep/CRML/customerUsageAttribution/README.md b/dependencies/infra-as-code/bicep/CRML/customerUsageAttribution/README.md new file mode 100644 index 0000000..4fd12af --- /dev/null 
+++ b/dependencies/infra-as-code/bicep/CRML/customerUsageAttribution/README.md
@@ -0,0 +1,21 @@
+# Module: PID
+
+This module creates a blank deployment which will be called from other modules. The purpose of this deployment is to create a deployment name to be used for Azure [customer usage attribution](https://learn.microsoft.com/azure/marketplace/azure-partner-customer-usage-attribution). To disable this, please see [How to disable Telemetry Tracking Using Customer Usage Attribution (PID)](https://github.com/Azure/ALZ-Bicep/wiki/CustomerUsage)
+
+This module does not deploy any resources
+
+## Parameters
+
+This module does not require any inputs
+
+## Outputs
+
+The module does not generate any outputs
+
+| Output | Type | Example |
+| ------ | ---- | ------- |
+
+## Deployment
+
+This module is intended to be called from other modules as a reusable resource.
+
diff --git a/dependencies/infra-as-code/bicep/CRML/customerUsageAttribution/cuaIdManagementGroup.bicep b/dependencies/infra-as-code/bicep/CRML/customerUsageAttribution/cuaIdManagementGroup.bicep
new file mode 100644
index 0000000..4e6cded
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/CRML/customerUsageAttribution/cuaIdManagementGroup.bicep
@@ -0,0 +1,11 @@
+/*
+SUMMARY: Module to add the customer usage attribution (PID) to Management Group deployments.
+DESCRIPTION: This module will create a deployment at the management group level which will add the unique PID and location as the deployment name
+AUTHOR/S: shaunjacob
+VERSION: 1.0.0
+*/
+
+targetScope = 'managementGroup'
+
+// This is an empty deployment by design
+// Reference: https://docs.microsoft.com/azure/marketplace/azure-partner-customer-usage-attribution
diff --git a/dependencies/infra-as-code/bicep/CRML/customerUsageAttribution/cuaIdResourceGroup.bicep b/dependencies/infra-as-code/bicep/CRML/customerUsageAttribution/cuaIdResourceGroup.bicep
new file mode 100644
index 0000000..b90f9af
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/CRML/customerUsageAttribution/cuaIdResourceGroup.bicep
@@ -0,0 +1,11 @@
+/*
+SUMMARY: Module to add the customer usage attribution (PID) to Resource Group deployments.
+DESCRIPTION: This module will create a deployment at the Resource Group level which will add the unique PID and location as the deployment name
+AUTHOR/S: shaunjacob
+VERSION: 1.0.0
+*/
+
+targetScope = 'resourceGroup'
+
+// This is an empty deployment by design
+// Reference: https://docs.microsoft.com/azure/marketplace/azure-partner-customer-usage-attribution
diff --git a/dependencies/infra-as-code/bicep/CRML/customerUsageAttribution/cuaIdSubscription.bicep b/dependencies/infra-as-code/bicep/CRML/customerUsageAttribution/cuaIdSubscription.bicep
new file mode 100644
index 0000000..e11e553
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/CRML/customerUsageAttribution/cuaIdSubscription.bicep
@@ -0,0 +1,11 @@
+/*
+SUMMARY: Module to add the customer usage attribution (PID) to Subscription deployments.
+DESCRIPTION: This module will create a deployment at the Subscription level which will add the unique PID and location as the deployment name
+AUTHOR/S: shaunjacob
+VERSION: 1.0.0
+*/
+
+targetScope = 'subscription'
+
+// This is an empty deployment by design
+// Reference: https://docs.microsoft.com/azure/marketplace/azure-partner-customer-usage-attribution
diff --git a/dependencies/infra-as-code/bicep/CRML/customerUsageAttribution/cuaIdTenant.bicep b/dependencies/infra-as-code/bicep/CRML/customerUsageAttribution/cuaIdTenant.bicep
new file mode 100644
index 0000000..a53487c
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/CRML/customerUsageAttribution/cuaIdTenant.bicep
@@ -0,0 +1,11 @@ +/* +SUMMARY: Module to add the customer usage attribution (PID) to Tenant deployments. +DESCRIPTION: This module will create a deployment at the Tenant level which will add the unique PID and location as the deployment name +AUTHOR/S: shaunjacob +VERSION: 1.0.0 +*/ + +targetScope = 'tenant' + +// This is an empty deployment by design +// Reference: https://docs.microsoft.com/azure/marketplace/azure-partner-customer-usage-attribution diff --git a/dependencies/infra-as-code/bicep/CRML/customerUsageAttribution/generateddocs/cuaIdManagementGroup.bicep.md b/dependencies/infra-as-code/bicep/CRML/customerUsageAttribution/generateddocs/cuaIdManagementGroup.bicep.md new file mode 100644 index 0000000..f7f5589 --- /dev/null +++ b/dependencies/infra-as-code/bicep/CRML/customerUsageAttribution/generateddocs/cuaIdManagementGroup.bicep.md @@ -0,0 +1,16 @@ +# Azure template + +## Snippets + +### Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "template": "infra-as-code/bicep/CRML/customerUsageAttribution/cuaIdManagementGroup.json" + }, + "parameters": {} +} +``` diff --git a/dependencies/infra-as-code/bicep/CRML/customerUsageAttribution/generateddocs/cuaIdResourceGroup.bicep.md b/dependencies/infra-as-code/bicep/CRML/customerUsageAttribution/generateddocs/cuaIdResourceGroup.bicep.md new file mode 100644 index 0000000..460a655 --- /dev/null +++ b/dependencies/infra-as-code/bicep/CRML/customerUsageAttribution/generateddocs/cuaIdResourceGroup.bicep.md @@ -0,0 +1,16 @@ +# Azure template + +## Snippets + +### Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "template": "infra-as-code/bicep/CRML/customerUsageAttribution/cuaIdResourceGroup.json" + }, + "parameters": {} +} +``` 
diff --git a/dependencies/infra-as-code/bicep/CRML/customerUsageAttribution/generateddocs/cuaIdSubscription.bicep.md b/dependencies/infra-as-code/bicep/CRML/customerUsageAttribution/generateddocs/cuaIdSubscription.bicep.md new file mode 100644 index 0000000..e8ae6f9 --- /dev/null +++ b/dependencies/infra-as-code/bicep/CRML/customerUsageAttribution/generateddocs/cuaIdSubscription.bicep.md @@ -0,0 +1,16 @@ +# Azure template + +## Snippets + +### Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "template": "infra-as-code/bicep/CRML/customerUsageAttribution/cuaIdSubscription.json" + }, + "parameters": {} +} +``` diff --git a/dependencies/infra-as-code/bicep/CRML/customerUsageAttribution/generateddocs/cuaIdTenant.bicep.md b/dependencies/infra-as-code/bicep/CRML/customerUsageAttribution/generateddocs/cuaIdTenant.bicep.md new file mode 100644 index 0000000..58bf694 --- /dev/null +++ b/dependencies/infra-as-code/bicep/CRML/customerUsageAttribution/generateddocs/cuaIdTenant.bicep.md @@ -0,0 +1,16 @@ +# Azure template + +## Snippets + +### Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "template": "infra-as-code/bicep/CRML/customerUsageAttribution/cuaIdTenant.json" + }, + "parameters": {} +} +``` diff --git a/dependencies/infra-as-code/bicep/CRML/subscriptionAlias/README.md b/dependencies/infra-as-code/bicep/CRML/subscriptionAlias/README.md new file mode 100644 index 0000000..5586a80 --- /dev/null +++ b/dependencies/infra-as-code/bicep/CRML/subscriptionAlias/README.md 
@@ -0,0 +1,64 @@
+# Module: Subscription Alias
+
+> **IMPORTANT:** We recommend moving to using the [Bicep Subscription Vending Module](https://aka.ms/sub-vending/bicep) instead of this module!
+
+The Subscription Alias module deploys an Azure Subscription into an existing billing scope that can be from an EA, MCA or MPA as documented in [Create Azure subscriptions programmatically](https://learn.microsoft.com/azure/cost-management-billing/manage/programmatically-create-subscription).
+
+> Please review the [Create Azure subscriptions programmatically](https://learn.microsoft.com/azure/cost-management-billing/manage/programmatically-create-subscription) documentation as well as the documentation here [Assign roles to Azure Enterprise Agreement service principal names](https://learn.microsoft.com/azure/cost-management-billing/manage/assign-roles-azure-service-principals) for information on how this works and how to create and assign permissions to a SPN to allow it to create Subscriptions for you as part of a pipeline etc.
+
+The Subscription will be created and placed under the Tenant Root Group, unless the default Management Group has been changed as per [Setting - Default management group](https://learn.microsoft.com/azure/governance/management-groups/how-to/protect-resource-hierarchy#setting---default-management-group)
+
+## Parameters
+
+- [Parameters for Azure Commercial Cloud](generateddocs/subscriptionAlias.bicep.md)
+
+## Outputs
+
+The module will generate the following outputs:
+
+Output | Type | Example
+------ | ---- | --------
+outSubscriptionName | string | `sub-example-001`
+outSubscriptionId | string | `5583f55f-65b2-4a3a-87c9-e499c1c587c0`
+
+## Deployment
+
+> **Important Note:** There are 2 parameter files examples provided in the `/parameters` folder of this module. One that contains examples of all possible parameters and another that only contains the minimum required parameters. The minimum version is used in the below examples.
+
+In this example, the Subscription is created upon an EA Account through a tenant-scoped deployment.
+
+> For the below examples we assume you have downloaded or cloned the Git repo as-is and are in the root of the repository as your selected directory in your terminal of choice.
+
+### Azure CLI
+```bash
+
+dateYMD=$(date +%Y%m%dT%H%M%S%NZ)
+NAME="alz-SubscriptionAlias-${dateYMD}"
+LOCATION="eastus"
+PARAMETERS="@infra-as-code/bicep/CRML/subscriptionAlias/parameters/subscriptionAlias.parameters.all.json"
+TEMPLATEFILE="infra-as-code/bicep/CRML/subscriptionAlias/subscriptionAlias.bicep"
+
+az deployment tenant create --name ${NAME:0:63} --location $LOCATION --template-file $TEMPLATEFILE --parameters $PARAMETERS
+```
+
+### PowerShell
+
+```powershell
+
+$inputObject = @{
+ DeploymentName = 'alz-SubscriptionAlias-{0}' -f (-join (Get-Date -Format 'yyyyMMddTHHMMssffffZ')[0..63])
+ TemplateParameterFile = 'infra-as-code/bicep/CRML/subscriptionAlias/parameters/subscriptionAlias.parameters.all.json'
+ Location = 'EastUS'
+ TemplateFile = "infra-as-code/bicep/CRML/subscriptionAlias/subscriptionAlias.bicep"
+}
+
+New-AzTenantDeployment @inputObject
+```
+
+### Output Screenshot
+
+![Example Deployment Output](media/exampleDeploymentOutput.png "Example Deployment Output")
+
+## Bicep Visualizer
+
+![Bicep Visualizer](media/bicepVisualizer.png "Bicep Visualizer")
diff --git a/dependencies/infra-as-code/bicep/CRML/subscriptionAlias/generateddocs/subscriptionAlias.bicep.md b/dependencies/infra-as-code/bicep/CRML/subscriptionAlias/generateddocs/subscriptionAlias.bicep.md
new file mode 100644
index 0000000..6510148
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/CRML/subscriptionAlias/generateddocs/subscriptionAlias.bicep.md
@@ -0,0 +1,107 @@ +# ALZ Bicep CRML - Subscription Alias Module + +Module to deploy an Azure Subscription into an existing billing scope that can be from an EA, MCA or MPA + +## Parameters + +Parameter name | Required | Description +-------------- | -------- | ----------- +parSubscriptionName | Yes | Name of the subscription to be created. Will also be used as the alias name. Whilst you can use any name you like we recommend it to be: all lowercase, no spaces, alphanumeric and hyphens only. +parSubscriptionBillingScope | Yes | The full resource ID of billing scope associated to the EA, MCA or MPA account you wish to create the subscription in. +parTags | No | Tags you would like to be applied. +parManagementGroupId | No | The ID of the existing management group where the subscription will be placed. Also known as its parent management group. (Optional) +parSubscriptionOwnerId | No | The object ID of a responsible user, AAD group or service principal. (Optional) +parSubscriptionOfferType | No | The offer type of the EA, MCA or MPA subscription to be created. Defaults to = Production +parTenantId | No | The ID of the tenant. Defaults to = tenant().tenantId + +### parSubscriptionName + +![Parameter Setting](https://img.shields.io/badge/parameter-required-orange?style=flat-square) + +Name of the subscription to be created. Will also be used as the alias name. Whilst you can use any name you like we recommend it to be: all lowercase, no spaces, alphanumeric and hyphens only. + +### parSubscriptionBillingScope + +![Parameter Setting](https://img.shields.io/badge/parameter-required-orange?style=flat-square) + +The full resource ID of billing scope associated to the EA, MCA or MPA account you wish to create the subscription in. + +### parTags + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Tags you would like to be applied. 
+ +### parManagementGroupId + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +The ID of the existing management group where the subscription will be placed. Also known as its parent management group. (Optional) + +### parSubscriptionOwnerId + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +The object ID of a responsible user, AAD group or service principal. (Optional) + +### parSubscriptionOfferType + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +The offer type of the EA, MCA or MPA subscription to be created. Defaults to = Production + +- Default value: `Production` + +- Allowed values: `DevTest`, `Production` + +### parTenantId + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +The ID of the tenant. Defaults to = tenant().tenantId + +- Default value: `[tenant().tenantId]` + +## Outputs + +Name | Type | Description +---- | ---- | ----------- +outSubscriptionName | string | +outSubscriptionId | string | + +## Snippets + +### Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "template": "infra-as-code/bicep/CRML/subscriptionAlias/subscriptionAlias.json" + }, + "parameters": { + "parSubscriptionName": { + "value": "" + }, + "parSubscriptionBillingScope": { + "value": "" + }, + "parTags": { + "value": {} + }, + "parManagementGroupId": { + "value": "" + }, + "parSubscriptionOwnerId": { + "value": "" + }, + "parSubscriptionOfferType": { + "value": "Production" + }, + "parTenantId": { + "value": "[tenant().tenantId]" + } + } +} +``` 
diff --git a/dependencies/infra-as-code/bicep/CRML/subscriptionAlias/media/bicepVisualizer.png b/dependencies/infra-as-code/bicep/CRML/subscriptionAlias/media/bicepVisualizer.png new file mode 100644 index 0000000000000000000000000000000000000000..9d75c536ba3552a41b3b9b6e9da3cbec7dacbf9f GIT binary patch literal 7685 zcmeHMX;f2LwhmZI38nOFMMT6@mjVg`76^zy;#e4&EKtBO1dAau1{p*M1Sp%LElVha zfXphB3<(N^IRr(COo@ODVG77RB@z-s$n;L^)&07A^?Iv&_3QVmf3UbW=bU@?*~7QL zz0bWXc2>I-4=6$)kX?vN7aSlE`3eX`&i%_B;FtCp_Az~uUtsFD}DYa?5<`qhM5tl)O*rIV>| zYDjy`Z-sOZ?;rD=-b{43@oVdszrGhTln_+;ZTnm{En4S|!oK^MBNZ%}RV5g}Ev3@Z z@bK^tRqzXO#Op7XfFsE5iWQ5+g9ZiSv1?qzi!@FTD7`102BZ=hupmGrfDA zAdsJnU&uqQoJ>@K#6LR*j=$IT#&*b)n~GreMMoDo$kD8Sb*kQ-8w98FQm1ky4PBWu zpT&~y=rR4gQCf0xGO|Eb4gyj2`d4@QXXOuir4&Fy+LDm&3xB1pmYuTGm&-JIfczx{ zQon!C|BI&nLVhI=m+}GsvVo;@)XqN|5vYxFcHLHH5@b<9LBZg{MF^zz?c;y9`Tjzv z&rad`={1tz9s<#C|NXzur~X!`&z?H+qw1hP zDa)VK`2OXeeV>DQAM@FIPKyf*&yAx&P=|c0^^ZHcv1zniE49C`4^N}fDv%_d)z#HS zHk;lUv3!7hoMv?Tbk^JZs;1FuIVEJWWr=-0?bD|ayPQ)G6A}`BNl7t{zTO(O*Qx%e z@tE}DLhJAc<@2lOreec|<@9p|AzyXWJIuYG6ua!Ib z1O^_jByS*hLt$eJK5|B2>m9PK7Z(>h-oL++e9#OJHvP_ECsFCXssU|_w_F{**tar4 z9xYT+oGR3`Cc_@|(^tCPcj#fph zieC`Xhk=(3#;eCGb<1TG3DaMW@fLfJW3n#?IO>&H?VH`qEMAEwfJc$~{`ka_7xL?U zBW_)FCdwss!a&x@sjR^{q+#{b1u!o>!e(Ysyc#u4PH)%W8^4_VS}~>&47Uj18ZkDC zjIJ}kU3<07C^3Tf^S!{)P%ZVLU(i$|-83i2zDKVW-5dhK^q67{n)5!kq&k}6jrR`x z#theJhR`F}k}5n*(grU&Hn3A@T4|SWi$)cTRN}W6ypUHN0OCYa!nKsgBXx3hwH&QO z=T@GHC`|n>b1HI)8nd{57_9m!6&cFZXhRg4xFb_)Og6SdLfo&oBq(L+l{2Lyr4>k+ zSr|soo-&e7&2xX)kA|Om<C!)s8+=pcX9>J z>qI#w>ynQz@-%_q}ZD&~Yl$rizYHINj$5Iqar=uZt(0yp5kkr&a{xS7+btG0iC{l^>zFW(}{&^(gm)~X`! 
z2D0*puBG$j{?q}b^nuJ=xoo&OepR^z?(Sl5t2)?|uh#SNtz*9r39k&J;qo%e6+ZYg z)(mtjJNicY`%@{K_bHd~A_<>jZ|Lr68a%dnFP*OYGHjl9{Cd?9u~-ab_-U7Vs8r0K zZ%x?7AY&u(g%k?h-eT>-ci(+S9CVP=zjR}J)ocoFPRKmiU6!_|Up-N0ejFct!&b9l zSqUBH?2EHBwFZRlqU}#s|dO4N{%s9=H-bz zs~Vr1lsq3Swr|YJtr_H;O~@6;%zaUQ)%Sou0e`tD-9|GlQ+vPxp-KASpEfpRnG-AR z&Cvt--W}oJ z=DMCkL)lA9odDkfP?5L1s^1!C>fb>LI-P-$Ds#f5D>(YP_4HW8FUiS+Lm4(~6_6`> zIJ5oCf{u<3fU!+^qd@oO?B?pch%N5o$_Pm}U%Y}|Pc(@6UD9ri&SKl_C4QWs3q`EF zVS>FK(3&{-9xQ;1`{BTv_rvCMBYlM%tBj^djO0@i{6oIE`88M^K~IR1!S=+4mR>+l(I(896_d z1huobr*DU{7Z*$6wP<=?ctphP)1*V4zyn}hW0@r=qAp7JTu(N=A#Qn)06mTHn{Iy~ zm@}nB(Y_4}qsP(2d?t!6J8qjYJO}9YNPps5g2JJ9z^(hh5mra*;ue;Bda}op8e@eU z*2JlEzWL_DX2!9Vu}V{+WiIvy28c4cAlhz1UO!`}?${)&G059j{mg0`*4e5A|LR_t zU1OO&a=xsmp(j}3@#U&!O+Sy5sb=P-1aEQKy$bf@cMtiM6VS6gJw0lN4$Wd^2?HiV(=@+>k5u64x)1&0-s z4>f<>IaTG;#o_kb50yLu=~=K*N6Fo$u-h9XUD(^PmtI!*naNjo0T-xLeKR#RwKDwj zu#nHT2S_5Bv6mFKz)1}aW+0S!^Bx@saNGiDQBjemYi(f11R1-0y^e_!nyHb=SGBf$!=FY2GG4C={;Cj4>n{bjA3*{aGa=XFSAnuTU#3sRq57XhzMQ!P#Tsj zbAZ^>4FCYSJl+8R4>Z=>oF?sv+8iFAKaXV!J<|1D)8V2i@R%e>7k(pWMVXI`flh_}A_;|i@Ep+Gvsw-WutGB=k z9$s1jh6+ndkAZ;U2?3tM1~p0X>e;UqP3tW&HM87z&yJ%^A^>P^OuwILaFy3DG?|}X zSzVb4_scbZnH#l|m{}=695{HeTV_Yrcs5kLV5Mr|E0u_OqeB!4FL1P0PuH1fQSyQ| z0#3%NpH3bFn8iCbCD0^PR~uQU9~ZpqIs@EYpFkk+zBz5qh!w8Zg)w9K19ftMS{4K8 z0EwgYVcMF9PC(JLoQ|b|@_q&*%1+Ilf)gi6UO_(H8vZTBw0=lhU@R47`^?*3N5i0* zmv?BVdQE4v@KWqC%KP^VJp)=7?|BC#y8)JT zYr1{Q=|?arW?G$j3EwQ@bn#N3pEftI27FN@numiVC(may^9!s}itFn5=e6D4SxqkP z{<{!{78W@#U%sqxxwR&Bs@8s%8`n3WO4)pS(BjVfiL0Kk9=~|KD>$$j50!LvR#2k8 zL5VBR&wF4aI-V7lYpRi3FJ3e7y&Z6->)GOHPV;n0HfNYZeAg1GYOr$uaT3Gwxw0kq zN-c)zVc-Y?jhFg!ZSZ&&mersQ4pL^n3(a?@#U9VpkJ5Fjc+U2-#iR40w3IDAodHYo zKmidrQnUDD|G?bboXnt+6H#c{p`zC3MBEa1PfM(D3H?#J29@3td%tAd=hIt$N`m4} zjn-i*^TSCX@c@!S~Pe8BuIKw&DdGAd1y6zof0z6C22y zhKm>Nm-!lIp+{u?I6UlvU)(tZv=9ouaPU;f6G<~lx;12m6W!To;E^N4WJa~Nlxr`& zYH-KV(J?b8$HtJHHU;c^Q9M&wHxaFS_wHRaD71233=~x^g|FpH1^Ke{xZm> z4HqC{9k7z2{N*14^g4p-#?zUSjXEWKgr!Ju7= 
zxYt&h{fLx&|4uLa%I;LU0e$$*fI)e+@QT5V1A8mHD5WPWH{PQ=X5yGXjOw;R@SOJ; z@FXe`Vgbw?rqB{Ov^bg-dG3C!_&z~p@|>(3&seL5J?T9ZHS^Gd_rcLwPr9CesAq$n z^Uj&w___~iZJ4<=7(dN6oqw4>{zyBH^o`fFGo>Qb4`e8;M8cNBDk+j^$x@}Hthejf z#9d|BV=HKEO>bAcdR{6qKCF3-^>Jl0uAH-yR|GX*-t=@lBy6ZsY^8cxLq7eky2!X= z)*gwTSY7%&a@{IVR8)n;OC%CN=l0nBL7sR_Q8(l)w4~+`G_cbPPCjN2E3ZiRg<-wr zE`v{me4jzKe3E_;&aiNFa@Hw_9RD&=rM{5S7w!FI_Hc@&WzEqP@w#mkN6kkiJ`t2R z(8ULls`Kw!HE;i>r+Id1@oBMWeZ5u=^5Vr_r%8^@Kru5kf{4VIdPj|3m5B2C{eo_h zEFk+p>D5i|-fLWm;e#N6>qoWTre*>9o^C83wO0VHdJGoS(FDyUyI8T_8 zAJ}P+t8SJp0KJMMGS9i|EZ;f{N-II8IU-lgGfRxvG7*|o6geX0h#HEzC*V+HK&msd z@?My1>Bs@M4FDDNqa(nbyD3s3rKGZwo#W+Ow_|0rj{S^EC&z(8*?`P-koh9uUfIEo z#}Iu(Lm7a0`E=kl8$huRihizffbt=W$KZ3zd!opYA#w`LlnW64{Sgmgd@ z!v~A`FJJ-@$6~FkJvTg}-`2FKq(qwz69(qRNdz&=uFOtAeTfU3<4uuhz!4he^RR$U zrpwOa<>h4-#qq|i-ABb7Ew8LJ$Tr2$WM>8a8_?KNx&Ty&*6HwuJ+82uyPHawbJO&s zztRMCW$BGB3+zT9K&NWI{$iOL)lGw&pG~U*xC2Kvwa(DD1>G4i9>$sJkmW&{vDXQh zSY3o643=k!-SFlu4e<8Vv{R{JqRq8(fuUURQJIf9rg>KxRvUZHts@<>k5!N|UvK5+ zJ>}-!q^VmSsMhlYCXt;^>|N@NiZzziL*f{gSk)Z2L6ubJOF=1s0NRr^zCf+BH2~3{ z0oLsVJMP;^lpAaPti-uT14=EoTDhy%`RW~+mB%}!TkvxA+7G}n-9No4Y2fEd1&PT( zfAjEg=DT&xxy za7w5SN-W}D=X&ii^5L0wJ-S9T|Jx>$kE|Uen#|A*6Pm zARp}XO>5kzG0s?Xj3N6VhQ_!xkC6}Ifgu$$*az=2#a8XtE?@jF{rsWFfC!mH?+j`C z^toI1+E|u+d#&Tue_~>;>_}80ehZXyy)oRcAVY45Tx6Y53<{OrF37VNuZ`zFO|@OG z3wHlJ1ZwzM@czJK$8W$YGf+3#fbav^cTCo?3t0R3b`ey}ukI?SllOkDsOuIct0w^V z$87cI2Xh@J8)e*$3n=!xhlfD}@$*Nfr>CP9i!%B^%k_b}X;#f^d1UjQTPDF{j{y&A z=Jr{GjE&*qT`I&Ypfd_6(|W0WtPX;+ zR9=}yJa_g_J?eTxfB|7JegnOTK+pqNfB>T5w0&M#kVvH2?o1;D9{6&OCDsJfBJc&A zWpFZ0F6?tdIL-X_ipxZtR19dT??Bl#nXbTV?C2Msd9u&~HN{uEcFn%Iw+A$DKBX!i z{S{m(m{x$Q%Er#lBwDT2Dx^;ZVtU+1g}Cb<=&I+0ZwJ>kHvcErF@Lvp{`W6={3#73PD`7yFfhW`Qv{BHhmcN literal 0 HcmV?d00001 
diff --git a/dependencies/infra-as-code/bicep/CRML/subscriptionAlias/media/exampleDeploymentOutput.png b/dependencies/infra-as-code/bicep/CRML/subscriptionAlias/media/exampleDeploymentOutput.png new file mode 100644 index 0000000000000000000000000000000000000000..d8ca170afc4268a96c8dd0162926a5ceeb0ba965 GIT binary patch literal 45818 zcmbrmXIPWX7d{w7ML@cON)wPG2#APukS-!1BGQS7bVBbXp^8Wo0a2=e^xk`dNUzdM zfY5shJ)~~X_jm1={jmSt4_qWO&&-@T=gd84?lVs!UTUdPQQV;b0030#&y-&Q0GIFp z0EzUqtHhF={4g%!KXT`1hHd}=b^FC1NumHXGqI4&U0qX!Z1pdlr?*l7fV%*7 zWrf$?sXHxx%{=;s>lovjCNFVysm)N6?!?EUUjj*!FRO5Hl3flaPg?Zu4qawZq)oHP zlGu=-rkK`g?_;^~_?IXrQ*5fjlFp?FE~a<|Dh17FToj>^PwGA!^G>VtmSZaI)8y@B z?Pa&$=QI~(9ge z$FEGh<~*hv+<1jrjz?bgmg%Oro3yYb*?Jo05!UmI`=qqcFQ0WNn|R5fJ8{U!kzbS1?;)nc&(yLHvs1pP% z`^#GzIhPad1vT&=6)!N79@`0QD#i6d0`*hX57sjxouJG7%{a=O%S{#QAJ-S6A*e|d zN|QiUCbvp$(&S7fm-%Y;I6~Ux0FJ)}JK9eVlqT$~Be5ARH`fU>gjNXQ{OAD53uc8N z*VD3*5s2nngiVXQC0+!^3$>DA60_{&D{F@F%lNJ$NOaR;4r^Rf1mBPZQ! z9Pe{kjM~^+Ybi_Hhh(;?o81} zDGY}()Qcys1fvQNb1ey=Y>8g+$t`>IrLr1xX0t|TZb#pFz4|TFp^n7i%7Cepb^YbK zvKDe+!MARG0W&gEUM6B_8dZf6F6Wlk2=)az57gBd6elVhM`C%Lw)U)Wct-)@XxcEW-5{%>|%e;*Rdgr@~Bo$a+_?+f(D5G~YL zu}uTHGz3}fLl%lRlZp#w!~$_ugdm`0HBkr>kqM(Fwkwgy$)OY2a*VVyQJ{C*6D8Z` z^#5QjTyUEQ8$`Rvbf7)_ANtLdm$tEQv=ipM5SsrhyHmMGEOSKVZ2Sk7yAph%{~_ah zkmSnztj0gA`Oflx4wL`CaM$6vwM^yu;z@bPKPavIaLc~L)QRh#I2`tr;pqP={=Xpo zv>TS@=IPFKNQx8mHUQbi1a)3IajIXu+CMb3JUs+{vbMgS2V(oDOR}5cD{ffAsS|+_ zh(Aoi?OV$oeV?kZ=-N2(+MNm0_FrPapT(yi-%ItH_tCA1`zzPykO(FICCHHM*+OoL zW82|jWro-Bu-Ywoy4PNKewY0fSge7jZ> z<`1t0)o)})I$w;w%ubNFSRxzQu}h2L?775k@w3wBGU9Gi4k)f!9IXX6jvtMaJrnj# z*@KC6#A@H|BhE z_G(q^&9irfL3UZ5TJV<5sAK!Yt=Yl=VaLVNFR!#d%52{%=v|x4G%$dU zr#HKrW+FCX>do|-B8FKxMe+3DXX==z#r3td#sEJ@N9vR(AlHlmeBJ!MW!gZBIMWW7 zh2)Cko-9#+7nar#YWT^ACRqS_%7qH=HM1kIol2-3-u>U}cr^Z9W4x9WITO%dgw1D# zjzz-xt>6F;F^c&5P5B$(IrigA@}A(&NwK|!uax=u7+ToAavx{;*X@u82vm~FEMXyi zFR+{uj>=W-+a>fQU=88nTtqR7oP~{PrZ{m`pjzm*#b8iC$?l<7r#yjwDgLEdQuiAujfT3ssE@=jM(++dv%a8 
z!(6LzXEDhs#s4>G^xnLah!z*`N%CcTP+hcUooo~x*YCq_{<#;2x-7=+eLq`hL3PcF z9nT1EXlFtZc-PshUXwNq$@i}BV*AB-VEF~k7{BF)NK_1 zX~0H3_R~XW^iN*R#(Ew+*YwXa>V(5FB|ogPTt8oB&7twmX8Sk#cz$6zI}Q-zgVL|2 zRo2%?TknuAQ}ne1O`M^g?j5;ns8FAgpRcrSnWHme<W>y7 z?F9%Qem0a<rQ7OsO3Eda3Q5klI8)(ncQ;9DNLeXW1sxE$=8z7i?%l$kf_8^=~I%wSkwK zX)@Gmb}S=@aryXzDZKYgS1&FVE9bOzapf0&mRB3d`J=%;Oli{=o<|1Mkn zAiUGFMi`9L>b!}7%oZN8_hn;@Ob($=3!ki6!q*{PI@5=K?2>`&&C3F)*#JLWbA~_K zr5?@ATh_P}3*MwN3FssBMsVjXcAuknIraUKLe02+HY6;=zm0MBI9b$XNhf?@PwkrI zH9o42&8)$+dj;f>03}OFL`{`0oVnfUfxiZ)Omv`^_)xDDXi4VsuyD-N-Oe?>OUC#0 zrAY$m3D1vHYOf?;)r4nhZtcAp5fwNoi@@K-)~H5TRZlm+_P6$(y{Fiu_N~ur%6cjD zjc=0`Ch_PP-45fkVJOS$PpFMKV<6~wexiz7wgkPAWhMv5Clqe8I*9J|MwwB!0$0`V z2=xl=0Dpn^QH{qrxai^-J%KX6y#_MlI>!!?E*8;mrG2H4fOrF!S{mU{&v)E$}sd?8iysUpQ_B_x`RS$TZl0{ z+jqW)3Wm4Ef3|&d*0nslk!pf6cF)RrIFlujHuLh+A^KV2^LQy9!IiGjsBlx>LHKkAaq_NX41;<{(*$p2ht@(DLsxU;njd*mYPv*$`w&XZq%6 z!t(4c82yQ6J}kTL3F^=K=>mDzz;ZxR>IVq;EwJK+I$?>|>ButRSR-~pDFYr-1az(R zYBM`(=~@~g><_*RAexM~Q-x3Zd)ZnK0KB}C;Xyypu0z81CphWf(m+9UpMl^v!di5f8i;)9-OI41zCv z$0b%3cKO_~a9#{!TDrny5?I8@SnhYW_pY(#1`gmnaggFNPuJwqY}y{1ihm|D5Y~kV zU*6>$lwOic^}x=^lAaRX`Z7CiiEF9~d5?V+ijFt`)@STQjJSP&Mc5#)Y2K#{G3~+# zZ}vc~zzok9Ot%qLf97J5d)k7hrCv)qDM+s*c@n0y8Y*`1`0_!fe)_NgIw$pv@LS1y zB8CgO0cDgw%|o<9P|)Q+#6=_Ow;!+qFgqXuSFDiSIQ(Q-ST6W4J{{n?7Kv7t5t6cJ zK7Al_p8d**|(y>ZYY zDwi>-k5f}RhqXMv6QtIk;vDZSu}aGXfK2S--}&9^QZ5iYmZmsd&OOu$30A7F#JLL% z>aH@eFWFtIet)7lavk!Y@UW|M=cWn|{i>e-V7iBl0b@6IH4KlNNJ5x~@cTDo;q59<-MuM1*JnDY+@VyLg;Dgy` zX3o_;?%#Uv+S3sL&f{&t?5CoX!;rZ-V22tEC7DVH9j&nJW0djlB}auB6DSB6L+xL> zF>=%y;0>?|CTD0VL6j|A(71NtU_C&*6gxIhzYw9_SrrRR;ke7xj42x4j~twNb7M0W zUQ6EPKm|==lOuIkGI{=Un~K8%8=LCn+=GDz*%J=T<=xkaJ4SZV)d zUn|eoe?rB5t{K$_o5gz^M}JnT^?I{L9oo~L!5FDi0IrV+V_VOF7K|f?Xy5eD6g#N- zuPRN-vku1B6tJy@_&@T!@j~10r{c^0&&;(=QeG!@j5hGAnhd>6euuu{hZ;J_5%*?X z6ua42;##4U<KWCU5cd0+RjTqcZqN)Ak-zM53I_~BGh)wp`wLxq;CUxS*9a8 z4#%oppFiN$93>|Ck8o3)DBFhT(~i5;f%1SAcKqI za$fNdvEG%q1UZbQ!I(=vO4#hso_|tU%nm_Upc0w)Q@SH=^B?Un)S=AfFF?DjX>rd6 
zcLB~s|6jB@H}E6p2p4)J1K{MRjl6fS?{~5HtVgmn|I)dlD4&-RI6m`ld5mW^ySbU zYS&nqW(U`s)S-C9UpC_zRvj^K?OSX3x~une8{xZJn)_jGi932G`(yAcPYq%t?kfRt9>G z1QYSTxNOKszBYl@l{RZgHtguL$l>YC$e+|bL%t3UPN`VmMLFRNwO>!N@rhcA4f#8< zzP*)vm1)IX!(f;U-GHs{aF!9zSLI}$mPhoZ$)TA-mYAH>y(W{%FH|RodY!|}q07yO zGE3ubU7V(D`vO-FH>S!p-O=8LW~v2N>Mbqt0K&m`!?|f>3brzS>ieKZhH6-K+DX=z z7M$-8<$1a8%~~IVoYtGziW>2+ETOYL>uL3SjoSb~5)gbocG$9(Y!3hk2W)D%Y!&2b z2?8G(Q-^u+|D|(^nVPr%BX+1-Ie4++pqbF@Sh+jLy&%n;J``4+!}ir9ebG;*jP z>>3k~smzYEm^2e;{$uheh!g;!emUkhcaljk@e~0^JUdzlp;;oHIgD6;%&`G%af zkAU+`$2REpzXwz*nY`n`JL}*(^=G(Nas-Xrj5dIbEf}{>phV5un@3&I!g+0jIR8C; z`vyK98J6*(fe;(y1F*(QAg7ov0s4Q}x$6V=P~U}EJO0t6lHEU$?0rdK3h#y3paI5* zfK!OzgR02#6v6(=u$JYThgVzg-yr-m$wH6?whL*=i)Q9UN2kDW;Xy4xGBzCV+uN;` zB-8+jKLBf3;?lni5XiG*4a&n!`xQVDhw z+<%9XY;N%Ss0(JB!ljswu`_xjpK`?crW44G10`Fl0qID$A|d>T?Xs@6wnY4yim)#o zc##QDS?f60xYazFoY9Ou9JWP(2gD?nqePvDBh4NkH2&@P{Wm2=6vAytcB;`sAVzZS z+plUG*<)HFb?H2!&a0V+j3G z|1RFjNZNnrGbe_JJlpG zmVgFA7$_A1(o{f(h5WQK*dDdMShD>J1hyYr>0?xda1)a_X9S~4iBPdaT zI_OEAOUF(9g;ck}lcSo2vI}t-_E917t=eW_Nlzl{EspCIUQU`vsy+~s`v{lwV0Of} z3l5iOrAa$=jq3xWVa*3T#Qs?8W?dtJo=1q;s5 z)_1)}Q@~f8eEOWs%@_Goz1t#&U$S4QZJBg3pf#z%ep1K;*8~d@Z?0gzRD=4Xgi3*( z+cy(t>???}X5gkL&DRIv2S0gb8>WQ*`Vw3Z7PWB=0(JUP6MJyMoNJ~i>A$5<{xptQbCntjN-QxtnlX@(3g+#m~_ zY+e%spA!=U?^D6(&8eDgpzp4+kx?6&JnC0|KdZFo0uWaO*`1sN_ltP13J7;hlo(e8 zU_4X3_I&D(n7v91P5-V|YH@1vMVhe=Lcj9gIS7VTV0iKT&O7cZkX{ z0>6{Y)I_vH6J-|rM(A-{n_m4nL)}8H_T1O#W%fvD-h~r&fHE3c^-WyDU?Ufah<7dr zziv({d~1*3OO!mF54WwMyg=RV%s~!rY>)w#KnyfR{f24WwUG@@5MC6`tpz~f+&<~) ztjzd3Mkb~M-bu4<2m&h(2?43GN5^Z+H8jSs&2w5DSw8E(a2(TpU+V-s7yJ1~*rLaU za}>bk!&s%$X>;PtY;L`75I8+7DPmUFb)G+u*rls%vjS)lJ+}UKBi+0mm39)_ULRQf-?2 zNtPToj%HaLygW%VmazyUss~6o0UjwC3K1O%&oiCWyuyuNTOis??4o42ah=e5j`}U{ zPvcmR_f7TPvi-Y0cHwmvMCoz9zR(qn(ojH5-R7)Y*PH}~R31r+n$8Gd#V?L#oQm^n zn3@q=M`ifz+8+dM%LUdouhwOqj66Eg91PG>12+8yMTf^xX;@5z_BFG^EgM^FR zHG-fvNxD00xh=|+lsWGBis?Tru4Qpm3ZSO=8trGUKN@h#yf9owssRK#_5Dk~-FJOP zePZZ!$~;AS)e05_YGOKBiek^0N%8%6599k2maQs!Ih<3FsW?fO<1Qy*0x%%bdWPdh 
zejA;HOZ|&99^Ei6_ola6 zZ#fOVcG}5*U;E`zzw?*-WgFkxr^dgEWzBN9J?AMNACSsDv`8L!+HJ5>`xqyf0bS*e z>N$HSTUOotzVA;n)IZ!I|Hf=U!6T1`(RvSUhg;QG8fTlaBBM&6sxP|_+rOPAzXyI( zy*~l& zRU|-LY4vj{^WMvqvwLmq6RIR}9QO(aORbDEA4W;qM2X17zFwKCU-*QqGYFz)Q*nq* z;Mz@vOIR6!HRgSNAH-7-Y$ep+nS0pBKFBsfxL}?G(_0PVSZXb>veCP*5lkA}+s!A< z)h20QUr>h;`pZp+Y*dhu22La&yAkZAmuwcDxP1|qN=WXIPDyg(JA7ccI@Ex_BBmo zY~HFB-1hF!abZ6(dO@5+E9ucQ1BUSqW%zE`V3j*J&s?~NB)X5A&C+kT{%%o78{~}v zcY6y8_=cShjR~9}C%jR?f|fs^Z?)dxMO#Yz;X!?bF%ez~z10LSBwk*diGVN<2(vYI z)+aU^oK`!iA0^kIgvTvAmgIYj<&&0ZL*F;fhFw)3OACA#cf+gQk?OSLJ!?KWr~O45 zmtyHP3X{fC(fvS;ZPc~5_PymfXB3kMx6b|1_%Z1+3rPxj@`C(rCX*$T9(P!Dj?`Fh z;^r46TElY114Nyf=CL&#VDjia<`RA4$_nCkDdIffiN@xYO#eH=z>g$fp`2bSOLw5w8XI z7O?L4Hm+SS4wlePk!18J>i?tyE3i&Ye8fNSjO#qn4hBM7?tZms3s7rgZ)hDuBttXh#DbVB3nFu&`>)bG z=0-jLT$(M(w13$zIwo9~X%#C}v|^G|o7-n+nbf;mm-!VU+bq&)nD4}tq4+4D67${= z3c4q+cZNbJpSg{H7(8Z>c2t7f^;f)N#H$CqxYg$rr7*fOl$_ZOWah(Ke_&V!v%o$= zm=>MRt_~x>0*rWPrGS1bR5#Q%(6h9O;;lG|XH}mQ^|^D#;i`I3hn1#x)`Z8`g9Fmd zXB0k@N7Y*BSf#w;X*jPhSq<*m0dO~vx5hjQsqZs+ctcHKo_h5djkV13Z`!@Po<2tM zM=9`{Ar1Ni=KT^78t>5*;A`-fT1}(xoeaMQWdn)J94|Ip8Dfgf>vE9oE!_PGiKMEK z^_jNCY!qF>CG=)g%U<VtW;(u~z3@wFgPvcNV7=m#?6<^(5kwkP3t<}K2Yby7>Pvb)&1;rDBe2v0Wi z?${N$R1ZjRI&hY@ut^P~_~P=?XJi>U{Pl*{U|96XO&Uvqv|sh5B{uQfz(YRISFbIl zlEo{-#lB43SffcO>D#jZ&4+l-dUWEjGIb)wr!~b)y6=6vuFjo(c}S`=6xRU+YaVgE zznYMRI~<0!p!B!N6-+KY#o2Ny#jTB{KQ>L0ZvHGlxqT2fHrAuwCqyMq@iWd|wrnW( zvrvgsi9a1~uDS7#kP1d)38oC3Zgk8!c|MBMXH#UquMqb*_8nAb1;%zYQe52!|EIt< zbtBfTC<5=EAN^vIl@o<+s~(t4+Ru$Rq$B&`awJ)8eW8%sob7rm2%3|)MLA3Y$_utj z0&oii1zO#nLxFt?hnkHiWlu+i`skt-?z%tM88~Pw8DILtsg+G_5->F$tUA+>>2pSwW2QX_mt z)s-4h2(y9fr{jpZR&>m){Iv;#$8RDDFWH*jSEeU~T5kcSYE`z;DhOf8cP{t46k#Z> zKH=%iBwIAs)^EDK>IZ_@QOup*G;g6Lj~h)xxsR8C40y41ix=)KCXNl74waf*d3{Dx z!?LegBKDc^i_h~{Ow00m#p&^Lm0Vu92zk2x@Ua-Nm zZ@Blz{quo~gIJlSSs63r5>Z4$;xl53@A+a0mT`@F4I8_Tr4S!#vaS6q?4S(vj?mXq|BUxfkt!Mw^&7Gsn1t1bz7`xcZ4zHVanDYY#_c)tKMu{W=1cG(xGx=OACC z+T;srjSHMjk=!rYL2>N1YLh+%;eTxF(h6UCcDy07wCGq 
zc$VzpdQ86Z4sRSTxvi$Bx+YD+A?=|<$;S?)-%Av4+l2Ak`*sn3?#eyBvnD%ndZVEN zVZG;kk{p>Pba1U5>0dxbgl%4tGIOJaEDrR?bWv$LogzubHpe~Dl5a~`bt9vKO&e2z zkI7j>*>-g~t>-h;=(x;fwcmEGZTqGm?Vg4%_1p*$N`7;`A)Mr9wE0-Q+3{6~H^s8l z*3YOHSgvbcyR_$s0k$uLv*18AW zQxwF2(`4G*uWi|U;SUCLn;~bom@Dtk$+|9IEJdqJmxK(DU`< z_IYbLr+Q)+JN0FU$t41LvI{-IPF*RQxwXq)=p?ukTQD#lpq&?{Y0cf&=h1s#d0|_= zH%7%4&Z~px+lp=f{`DltuR2{Tuipt>ab|3f$Te_$(Z2WZ(l6QZ%_FmB$43W6$aZtu7 z(qm!@)@!yCahRnl$YsETWf~PcJvgs9t*$7KMwG~|Mz*-pI~7xLnxds3!QFk8I?StW zh)6K=)>5BrthuBP~r_8s314!(PdjFYpgJ z&CUB>X-fBvzELo0I0jJ>OO$s07 z03Rt6CAGJj{zsOx)aO(w@v4>{lJigWtZXG-)2;tl6)TmN%k1w@e%JJq+Q`JeW#0F@ z6xI7$uZhMkLt_-fo4VW4h@d4Io(%{_SzhrrPn!NSeKtgylkZ?3zf}DIGC(luu#D;k zUQ|iSjkiCVk$|qUy|h@y68H?+#V-7iPVKk_aQqe$Tt%s#mwL;M@+bQM371BIp%oWf6 zyt@=vKeiZU(61LN--fPntvTXYPNaM^lsD;vS(Z8<+qM~Q8P@wCzNW;H@aDDPmug*| z*-w1-S^GA!dLKLi$(^l0hwh!2-TR-wmbyLUpHF*@YHR~*ci9wQ3dz}pc{iy}+|yDh z32@(<+U(sf`TAYxrN#2)RR+PAJ2v5%dDL|x`{ux|t=;CB9uzU72937wsx12vE7NNfhE#Uy)FFN=*lNfucMu3^KjxC2_Jpu0xVxNyXD6X;C9PG0MB5#~Nt$*-c88dfQ zNgrLZ^}_@J*W*(DuJSr>!v<0hx%<)Rt|#EL;T^_YP8lhmTl%_QhmKJm*}B1`w4LZ8 zdipM&o1L~}todgH?@0ehGUrx&ENxIOGtvHV@~lA}Q(b6!Zy`Gy7kyBX>8zqK&Owix zDR`L}(H>nID*zl+n~;bzZx&nqaQD6HPsO4e+)>$)fLU+fh)}X!W=j0)f~^)2meR>ap-CY@=e-Lp5cX_Y0m8xTm<`8VK9G@^SgWRC*Hq%KEO~xJCDBI9xGDf z6{uwP@_gf&Bd3)65=D&*-q-96)0sABzU?_T$$gK7aC zqvB7RQ0}JJ)rI?oRQG4p%NGwpcCkWGx1xlFq)o+-KlT0dc)^jp}zDA@>`Luve)^Z zGE1BFvj#RPI|Y1CX|uSir}h|TjF6aX&3&zn)G{8fjl)lHZPJw-j-mZA?nZe9H6A?& zg_E+ixv#axgrF_7XUppDayRkUda8gNwqM>|BID2Aa2``v5R%C{(7i%w}nSr1h35h^Ek@VyDM!z|J)6V8PHwILRDdSpDlgoJ1c6J`TkcyuQ z_E){ja^-8O7)K+@`DdYbaMC}^pBF^d)=Xr1sJD|m8`e49yS&UMT)-0aI9QlSk!nhR(m{cgn_wHW;9%mz zB+sf&ccw^_CNXqja70};BQAQgbL+{~ZyISqV{~s38r1Y7Hsv1)TF2oWa_0{-Dv{bp ztlHl0c?slWT=k6-TqC?<`OwkH9jwwVt!`47<_YJMs?C|YN4^Ji2KdMvU}(@oQV zo#4cAFJ{z`AA-zE{TwxWDqg_vRtLX$9SY-Vq}Mf)d9o${rEoM(w7P5?B%e#Aac)O; zm+8!75eTR0-nuw^`tB4&qEj>j6Y~i&e|E@<83=*Wg)5tK(XP}98)}?r+_J1nW*F&2 zp=4+4+(WxIWBQV2K;I8K4hqr+J%dM|SjZ%Tiel7VZZ+rEKDCd6JbwT2&Zfs$^`lxp 
z!c$YMAM-1^qTJ|8!`{Q;r)ScPbF0inz3szZAnn4qrbkPzEu;%~G}hF(`P39yC{*Vq z&Fqh~k`t`vRWK^pKH|GZ$vYM4nb}|JdhdjGJ$~|z+2O2`2QHhKn@IhJQlmXBkg2K1 z-{5RRja_};jDA%`tT%Zkca+nlM2ELpqQvvP@{08^pGjG z@Si3{@XoqekD<{d2K!f`u6)g04CD}7@_HBOHOtpC*RR_ADEl&qq|SaUfa-{g-wnvM5LyNeyI^yR`wC~TI0{K9Grw)k*^N++g&tA{c*ubk~}=75g^)jHf34 zSc!NXPjwAe@J?M%jYJjY!z2OUER$*#n1+*%Q|MH%I(HCdy~8=upfb}-gi@aME4S>2 zr}j2!sQ|`w&`gF<*o$2i8_u^N1!U4?xe*^bL;l`T59MoKN^cKsAj{Fzw~03+O$|33 zsM-+6XQ@2sSHbcUw+#si3ENzRC!QZTgZ7Tb5s4yrb+e_%o3;IAQ!Dy(!K638CZZxMLkUT=9MPWpWT zNNf=S^mJ{zy;0q(C|aDFs#hQ0O1ONu0E{B z?nktApX)rjoiik=`u9sCZMB~s)iac9-K7%3!srf^y6=m9z9_u~P>$#(T1!6Vv z)LnPd{*KOS#p>4&(6L^Vink}0i5mRV5~Z_Hvl=TUpN9MH{-cc8kaMfrv7v1HU(Y*G z_b|7@2s0O^y}o2n$`&h3e9IKS_x-^D%iA=hxGFj16Z@DVf#LUo%w)QAmVU;w@EzimJy)E{$;7ge!*G6q`xL{6JhUp{8ZyRn` zmqN$cb*nhi#NS+}iK)?Q*SU}2=(?*#Nu(e71Yefa7IwbUW3*TO&Ndc?uFvQF2kq}-ONyIEV?uqR2p+3u~{fxIFc z6gbaf>a+r`z*|J&SA)obw%vPC=`>b*{>Lg`9Jdt{f3Vvl+FMKv@97q&be9m6ga)l{ z@mjyL28EBOaLdq-FpVS%LeK%uY@z3fMFn){w)cwE*0Y3MPqOW*O*t3S+X}i-vqiVx zlq691-RD@k@r(r^CNF$NXAF{~40`lgf1d3?mbL~vT14K`2GrbW%vsk6dC28;d5qME zfsDgQUdSakDXph7_wia2KPUAimkP#9dFj@!>ecc|2O0uOu{>2Ek6YuAT<(5F$Ba;il8gqBlkbW+mjC za+RkKalzC1pv1wVnU%q3wuWL|1CSi8j=*?@Ym&F_t3kGHyBC8TbeT=THTQ2SossIw%@5_ zYP+z;OMU}i)m9`dsLim*9`w(@9XL~C#6cAs1SF8y`<90 zCVfin%I9dM(f~A|q5hx=emLdq{cu1eYnES$m}^OR4UTxrbWoO5GuQP~|JuE_GQ@`T z^veu-BWbNKeN)u}1LBZnhwidB;9>G_Urfb#1}xsWz&=&xw#Z#%TB$Ypu!gJ#1OK}V zFnKcqr4(jtna+S47T{ey$e>zE@zoc`)~FC+=BPwvB|HliPo&5D8%;h1T;xoNB1C0s z7(PGttFd4H2s2^*LkEVmcmyk)+HQqt?h3qNh?C!F-!o#aesg}LF1vC!xQUBHS(HK6 zjc6&z%e&7J{d58YjrFbxM((T1)agAiS49k|N z?(yj1>T;;ugT^F}2vps3ti~}=h$NpC{sY6>@?~C__|pPkD$ImyDu*Y_$*Z=y&c6tM z8Chn1Y0olpkvWSv78u^o#+1XyPu@8rqPWywfHHb7k@#m$$vGH1m?1y7h16%KG$)({33K&E>k;mtoK03cC#Fm3w{4^0`1VizxAIKl1xx1J%Tc_kIs8yD(aV z-9zlIZ$cge&W7$uhR4xLt3g@4B=IK+*aXe&N0szRo2$$1d96ArT<=<1DqKKSBSnwm2Gx+>TdUL(uNfZdJQ;7Vk(!vvHYwBV8m-#!|866F5&>?B z85G%hP^9Pt+^%boNbx)dtD!G=7&+gvD}+aH&%(8fa!-)#kkLJsKMtzI$hsHLMI`8A^F 
z>$&*evRyjsTIjL#M+HF&O!)6mjGm_KF#oq>!#kYr?WtP+_C0zL_pLz{kBqa1Z|oJg zc23!BsHhhgyrLM8&_Xrc&yX8q?Le#^c4Y<>Y&xD);{#e;1NJ_ZncbMF_~6t;Ui$6- z;_EHL+UVM7VJNgfDPAbryk?(S|OIrKT_{eFJ` zW|CZ)y=Twdw${3LkIb{)YTmGTqSKm2I9vW)KjIjD!b^#hCviXI-4#w8XnlvNQKs7BU8+hfaXQ<{k7HpxBZcN2*AL3d`x|A>) z<4W2N4;H@ZloO#EKKl0RSEeH-fu!uzF$kGhsma(OMk2`@NIz7sp`#fMgic$pI|hUjfdzEBA6 z9M@`Aet*GwON8Fcr(_(ha0cpPFb2>A2`tkxT_)KGn&av&Re z2)&|uZq_giJFk4M5JB+htSoF*PX{VkZMi;vhsTa5xNg?CU1aSME&Beg%EPVaXG}^< z${9Xf@a&b-4!uu727^TIeICFQvZ)XEnkkwc&rj#Hda8YIp*ija=4Ev&TfC1=d@?iC zum3^m0SId1sLe4ho_-?g+4p469mK)a4|EE$U}aZGkn3-C7;f$V_EF zJ2U1u%%r)W`z{M9S?@AB{D`9__z%|(9t%WE_QGs=fdy@vnm(5B`78T1p|M4mC61B) zqO-a&fd;&%JE zO?U@MmPf08>Fb~KlOM?tGOYc23s?i5it2-4CT0#qEEw!6yG=bFXAw|^n<)4V(Uwv% zjhVzfj?B#|*0h|rI`%@PN&CLY?6%ibuz$q`$8L#9{|toMGyI82yXXQBAnsGx;k{M- z4pvo6rhzsiQEr0vjPMp@_`@~SktC_fNz6Z~pil9xxKGLIA=Pb-Hw@yZ^i+rkEigRF zA^$#bC;QO@rI~uEl(7#DWHcvIYhXsolGw|q(AJG78^Vd_seiW&}6~s9c#rE zLSEF5OAR`k5rT`B`6Rw&;ZBm_d?K4<3CsPhU4oH123pOq z()CfyVA*+>9@_c<+BgeB?^f%)hwMY2bd5a04m)|HrHqn)EKY{O!ID-dsLU(A+=Yll zb92@It#>65zO*0g6#tk=BI?<&jl66h5$Zw$K*`dp1I>SFrC*SpGO^Hz07u9lZi+`4 zvCE{)D_wyUd{*PYLGdzp2n$uF(Aluj1n>{L&{ z-1Rl~AuAY3qns?7diJfh_B=tmPnr26%KQhO>PMAiZ=b6Hzkcm&tH~R#RjU~*`G3(} zYiVA8k@iiF1_%=x@ccF6mZgV!XQ(G1|Ddtp~$k&LSv((7+-g?3<8fGC%|3vDKf^R^F?jxR<45B-4<_TtN!b3Q7qV ztrYS=iSjc{u_}+cBBd(JTWjyHI{Z83f!pcqupD>0pm!?&%_hk&O6fz!+c$@TZ;HRU zU+3y$HP{K5JTddCPENff3lAjw^zQRE_Bol^c$xS*p5{ zfMZWg$y4MPN`mMp#IL|fF>&C!Dm3#Cmn3Vf7NSMD)RfHxNg?3MVM%v~V`taWN_sj1 za732#@!rVZG<6hFl6okj3*tB-pDW zugxak(TdF1&p>u)ULGY2&O8w$c?um%sP5Kh??>6q5eo!H~D5?dDPoY~V`I%tlzK+3=V4x2&2Ym?ZQd* zH=5)mKap?Dyh8zgKizFeekfS%@0*RlGkh5JqvgI%Z)P2=xavcvb7Wf@ zeL$Dy_>MQ(CimeIZvk<}+>}@sh;)2CvSEQ=iHPN172vM7$TuQ@4{PScvLE!GCg!+9 z)Yr!s4Ig4f11D8GRC1D`!zORXalj86=auAd;orXY5RG>SRYi`Yb995)&JWzlZUNz`0LhFF@lpviem_L_ z7U27!ZIrctRxjphT*pK6t8hs>ycQs0&p^8f)QS$@eV;)M!EpR2QPf5Y3Ogs6LWA`o zxK&lHJ|FHDI_3{sd#UNlu=>>h8S4EExJNhCu$I;w(y~0PQJ!*=E-&nb5V%(7#y>1l zF?q2*GRqr-+tpN|A&Skz3XeF!<~8*h-K&O6?c%@V8ma;@`kOj7H(xtnkVn*w$Sm3K 
zG06JAi0>yFFutCmXP9C?xsXZ2?9!B0m|rqWHjmbsrxGV`z_m3F*wVaiXLv}wMAH_}MpkIEn&2C%MS5>}F@^W4 zp;sy*v59}tT&ALMCY;b0b?%u|^XN8umAAOqmIf_`-*VXcRRzKUtqiPlu zQk|nun-KgS@LC`6X|4whxNlAWnCT*`6#-|hKNGlgy>SMR%#LB@)+ARW5EmeB$$HmG zs5Ck*(--IA{GQ^+VW2E7Jos^27x?Hj@%`(HOT{A1iyOL^Zd5m38ea>?jtTKWzToii zFb&Cvl%s(u3Fhc7Kual;wzdxe~-*>2C3RTtRgdp?3-(yH267Sxs*e9r@6< z)`q|vEX%4It3r4ye}y2KR$&=Cm6U+-JInr-zF2d4-4|YL87IAaqRo2N2uIeWsQ1T0 z<4suRiUFs;mxrSao$0v@@aMt*Bt z1>Usn4o%_T6p~!`YK_K@cSVn1`WbQXC-`fJ09p@rPtQ?p1XW7c5$h=F`kyTg@D@YN zvdR*xW%y|gou)V>?3Uq2Hbmo#k6rL$PdNxow5_}G#7f8SQlooqOY zbl8isSW+VcP7DN3EqO zxVIEO@Rlnz7AsrF-%vA1M!=jF(WPJdf~*-{hZKSRZ4?;tW!?+p!T4oOq=jZhUUk6l zGCD?hCLW6Yltan5o!W3F9E2}Qo`Ur68SVt;1=VrhQiWsO(W1*{fIffT+>oK$aIS$< zcO`u@Rnhx^PX$=gBgH%!==};}yR$6KQHCK4ex#@;D{yKNSGrcNV-yXp!+RCQwc`2t zrdkb(S7WF&(e;tisPwgEM~7~fd{5a>f1&nTyitL2iNR7i4rYvv!DsPE3Hf>iH95FV zkhz(%M-m+c+07ZUcR)Q&`yl^gQ=5Bzi}-xD$Fsqa^9h!i*86iNL8I<0E&sejf<{wX z3xx)A;g5{>WMN3S_0HdZS1$9UF@HA|(lr;xwfjWg3xPu*#mx16=93(eGHyXrxLY1%7ii0ii19FW4McUzWYcbGwP-asIv^ zU5#^8kmIyDQ$m8LvBc5qTIZ0S9LY&fso>TRoFqr=?}&H}n;BH`O_JhlAQ(#mc(Pi_ z_?>I20)tNR@{iB46o~=}q3}~C3On=ch>m(SsIPC*`QSAc6-ze#k9x^iuB`ru&? 
zOzv7`O1Pko6KhBQRk)m)@JYz#U?UgjZ?t|Vxw`K)G6n$Udk*|`wzm`O2#j$;^1=9| zoP;lj;IbfNs0_EjO1?yJ!cXZfx!!*=QjHTLuSw!GYAjc%rp zLpS93N5$e63N|_D)1twp(h|ML_2%ObXn93~NJ>(=i^1F;o%azh(o&WR);~Cj*h?cq z&}*~ZMg4&5DsbV|PybW%6}eY=JDG_6}c+ z+`QlWLLq2u)H1Rn(Pb$;kPc_6`n)lXW-l7HJSCuAJ*Pe>8|V={80el^Y)}{??MCED5I2)Q0xmg-ekz{B>ZKkV`Crx zs_Vc?$M;z?ps{TbNyCNA@!mp!oFV#e31g@wM;E%9w(awN@Yk>7>V!S zTGWqEWT>7k7XFNA_$~-_^Tcj4pO}c#Rh2u6(D%;8f%Kdk|mN8#w67K2^w(nHZAc4iaFw(Gn5^X0fra9tsY2KQ(Bu%$-rQ4*2$}yfA zA@RNZr;HCzudB-(?`|2UZ+me)_LMp{i(0oAPJkIeLK>(x13gRYCotP1sKk7Jm-Lp$ z@x}7VPcbnP9h&bVDCPs@pd@$vK=6lRWqaaa8;GC%Mdc5uWUe$Wjw`)I|Mt&$54FnJ zj|QG7Uf419)b>_M(6H3=clC@{)Dib{$kt3*R1=_7e5emhe*(l@s2*8L0eIsxN$YsBOV9&u7TvK>qlUIp zECd*@-t{*0LHecA1FKJ@hW^z(k>ICVL`%+l2%%r*y8UmvL#oSVFZWt@MrPR$&nmH} ze>{F^ev7n)bZv%KMv%2KQY8g^v$HCffN>qAZ}`(rv$)ib4Vqy5uEpgD*V5|)r5{&s zMOU^+5TOS*4*>N0@V(Qa#}>2zPy3+8rfIvlmUr@+nZx`OadXi8ppTH3KG9z2=^*Z` zCywh2`m10#v-r`yl%JQ%nTh9+GKq$YqBw>`=xu3=J(5m_yU2I$oFRm=gT5V-Ihd=q zler}*R3NafvH`3%C-Xb*n8y@v5|NTcKI{A@kHWs2f7{E}|ACCuNp^}$7v}RCK41E- zeoZsqM>6>P+2D6@ofQp>?owxUpA`yAU5^=7x^3(U8@wgci*7J-4l!)+x_#5~ zVUFl#r4}nz>YvYDUZuqh>;UM=!e82GS^7!PE=q(jF0MHo%ywJ3>tSx6bX4zum?;gh z|AM&NV`ILNNuOsvm4g(uho8G%qfcY$BgLA_o6c#OQC6D()98VCl71ADSLNkAd;{8g zrWYhBA8OS+k{gwjyDofC(r%hPSBD;)vT(*K%!Ex%3lVO-X6)REci!sl07paEhxz0e zF=v02n`PXGFf}H4+C>mB%9WYV?eCIf z2me)O`m%jfW8?@gw|XG5&uQL&PS0{5UzA2EeF{(kn&ovP!YzuZvorAw&ctv1Kj=;u zW}~$Calvu@;*Si~_gl)#Z*W{q85P{$l^pbyq&bcCjd2y+YEAIAN2^XoIL&+& zL*38U_UdZ(VAiF+dNd`G!Y27!d~j}7F1YFJct;-C=NVIe4E&szX_oMjyCssyKMgxb zZ@A@I9=ZJj$Da)*_Y>)WU;8Hfk{~YANrLTCwGqALwvpcfuUM^aLG|+|+3PXB<|~Ut zvEZ^F9SM+77?)X-#O7&Xe7)?n$JBG&?dNq_|2b4d-hGXLkKR zb7Tu#m8S5pyqI>TMhIC&>ix?`iZT3eDltZWxk~`J*>ce6m)&=0VvdJeFJznNq$kDP11HIm-L`Oqj`z5-J7g?qq5;{fF zogRMA?|jW#(S*y*9{NELJo<=ihoT-dr|b5{hS;MQ`JxFdj9@{W7~D$!1X+YK7aJQ& zqQfNx^?iHwjL);hWN>x?M@H|V&4_ZoN}e;pCrYQj`o%~e@rS57KZ*Ome_aEkc+bLq z1V-7w4TTOKWpwXE+UmJIQY+q1;3sevpQoH{b_kd*1b2ZOY$nb?+jL#vRWz6-!Z6k5 zn$z3d)xrc*@k?F`7fjl-n*2$#nu{yip*4RmvlY4FY+097to1yYR(&F+U(O39w#SxE 
z{0$NM`&^iCWg8IoHuyt>H+miY{3L=+nxJ$}-ZRGK(;KBOh#T#u@MFW32djwciZk9) zdT0PB`HIYe*RiHyVy#1ThP~Mp)`IZcvDz^BXi;M0hIF7DOj{nP0dW)ipUMDvtbE zw`q;S9cr*wI4KLRlbSzddmk(@bfrTi*)A3`sxGXakc_WN`wEm2H!B7lfk#&YX}6v* z-rNyM>khH@At-|v^=>ulKzjw;gw8UijDt!Bwju>x5DvHj(4S~@OkGuI4d%#QLZ+)Z zw-_MQv??q(l(2JFI9rz-4PO^jyu_l3c~y-x7-(H{1CUfNi<-8rby zU2@2i-hi;%gfYk5)~%pivc*C9^ZDFRosU-{&r!#OlC0vjC4z_L8y#Ci%{|M=& z_@UTcYXI1zGx;AEpa;ajkFc!TF)Ihfz|K6*1HqES`)c1C&V5r|CM7dy2t{5Th@&yc z^rqU0?Avob)Z7bt=kpx`We)|iU3%n;rRuJER-N?C)`5Qr5*F`+!a^&O@S6)tSy@~; zBiTkNNO@!j6ftw-XnCZ`w2y#y-v*Nb2UylBx>+*KWSDe6q%|C%R4;)`IHoqsMI{Zq zW|`OYF9f7O{q)Gz9)$~KS=vyrxtTb^;?jiS8A}lweRdrw_z8&)#*!=6Tk@=L`=MW2 zV~06qc#8K={r>AkfN=C9Ig$GC#yLVzo(;#J0k&hccFmQkU1L|S9~PKCbdpK^=m^0$ zI8RBEZ=Or-u4nzBP=0bPz};{iFvpV-2gz5iM0FPHa-h{L z??~#luV816I8QG@M>+1(V=Mo3f7ElM>OR=QMgzI`g%gsfuimMP8_SZT8zQ({i@6ts zmQiI}-%m(lwZK2M+^@?Kuj8xoiD2!g?-%I}37W{5>rzHA?PE%JDY&`jHGIcE$A}FERK+)hReIhl8s!wZ0;lHt zf8Sb&qzvmPY|^J@;&1lsH!unDUklA*zS!H`kXymd7|TE8pTB}s6}tTcIsaN?R=K^f z;oM%DB;0LM?586IDxgzY$e3>J6{=DX^o7>V$V-+diC#9EM~3+o@>@X^40YmNY*+k@ zi*w@&sXS$T5sGg*<&ogb3V22p5ko_&ci$QBe3ZYBU^hw~OK)3ZI;JhQl|f~ZjS%Ra zitssq?WfdDH8I8mE#vt0OLN362ww&kC;RB{4wr=4Vr9Fby7#Q1fxYcHwrRXuEeujd zzeQlX-fzk2#N1QR^p(ii=n^811RK-RD|?qd0GMPvf|Ni<4|HQKH%hJ|t%o13}{(5SkqbyHqqRNDbj5za`;{qFMf;0^jbzF;OD!yu-y zuO+iXwQVuqJ(9sbie?V1pE;f2BcC0i+~PNz=wG~onN*8(qIC=H>Oi1SL) z`~u#17f{_o+wVVLxts2G=Gr_g!E)-Omz!MkeyAp&@$0i>SY$?zw2e%x1)?5+^ACQ%QuNy3jfy>yzHi*G%clwRZx&(% zkILs3^m1_e$a-2pZ(Iwe^R;)@bvd4jVD@(#`i&i`C2H2Rum~C&^vj!$72uolF_6=k z9daF+581rP*L#Y0Dv#(n{q1e}B7gi)euC@|+)>zGiUJwEA<=I)BoKd-{NY7%W8S7% z;2a2>l&VSUK(Y5nl3$UoA&F)t5qhL&opDcyM){f~bZFQJZ01$;J-6_fvps0i&Ky#F z=8JNAX|(r+HX>!hrMY2;)7zL%?j}nq^2!L8p%MSrusSUs>*!LGBTWrZtnrZ21Hc?p z5i_|&6h&AM5$h<@!!x$L?3fV#0E8FY&(;qHLbVlg0Y@}4n&Emr#p23$i}x`5N3USL zL&n>u;I;$jI%1#uei}pA4Jf%bQVmXf>VmH%cM&Z}`ER1f7uL>jrjihe_BZ)Uzo284 zh*yq9U*N*u_grY61xGB^3T#v)%{btZ1nAxuF;iAu&Qog2=^B z<&H1Mz+ZVsb;`}R?B?oZJ+S?Gq^DqoN45pxI1Aw!!MEXsL7^~5w~}hyI>uq2UQry!Yhd;?mSdzQGBiwVDiI=s4Mz(4d98N|u8e~{ 
z@N+^8XWN!ud_7n_LUe@E*LjyRjv=&lY8@q& zi!(kOudsyqduvI$B*w0oai%Ply4EJy5@@C``l8ppp>#QQ_R4-K^8B*{x05#CKy)CE z2sZiTze|I-EwT3uM-Y~SQ+LI!j`8TaFE=L@VdD#>S=N3vw|p?EnUW%i{S_9Pt0S&^ZP=?#zNB)%EF z`l2ko@Lbjz9-Rl%IBYVzJAVBl$iPFRBUtiNFvz=XJDPj)P%^B;)9SDey{cN>9>zp& zFq6Igd2MtFA&sU67!D@HybY4Re>160U-=iZzW}6cD@E4cuI8S*P70|}fz4)@H||%7 z)=*m-a392VSzbZ}7rW=iso>-Xjc)>ziU+~=G4&1l5EKv8=oTQ-OCx~CQnl5N@Afsa z_k+`3FIHe~p|!uzmf5~bRQ)IY(Y4EpbC4KyC_IM}oX&z4Bhi01_WgXU(gG<^;x^-q zN`1*7RAMMn;-ezm*y;h`74&gH;$lEL`e6*KfDT?mvp-nr6OAItVcaIVRmkR3m0cR%EAlwDnQNgr}MOOPi>H zlfhu(-hfvA8up_!#gK4}gyk>@`V*?_Hyx(bSVb@$qAY-jvJmpa(_Y`Ra;};=2TL4Z|H}mPGWD89lPhA`i*D# zq{PRkN~dAo$EVNDj(&NCB)vqR&>ui|=fg20jW;tj%Qy$>Oi7@*3{KT@G0!A?!T)R9 zf_9+Ky-yrs@USR^XgDO~cp}Ty0shY7O)t+=;y48i`)7Qtfj|(!3Pp_`aI8MEw zQjeArHlgueTg+o+gN^S;&BNH|hMlf_+MS|-GVNEso$;pa>LH}nW!{-_yTJzDi)omd zADW7(jyM)yBQtN0^MpGXeaUa#bxEh7X->ZPQnqc~MNGL#FTJ1vz>kgdR`-qVNwQ++ z>WZ^a&V=ugGnB8RX#HXO$pWrjcLK4TstP7)+rF%;C?V3=@NYo?ut6brt$GVeHa5K3 zZ#&H?Z{*w!Yav1c@rp^K+gB~nU7HX^)ChYxR{5$%>Fbz3P2pay6^&0jUB~vrouWj_ z8e{PfKh?=(;9oI`8F#wu+t;kTg!MtwamR+Z`f7?Y{SE@% z;gCDpjE40N6Cz%Ea4SQ+9fQ%DVX~rnfeLk3V&KaoJG{G9pHTVw^{ZCX?UST8e_}~v zM61mp)K>B1@8-jfqIB|IR9JsOzr6WV)bV`xZn5aV-NmD^XYDuJ2LI*j3lNWF+wJBh z!vguY1`Wf?hS%X#+{s5c@B+Fuq~+X^&!ka-iW!tw#SPcjrA%|E>nDpOX?LRptTbIDKFA+`m zp_nE=c^E1l9W6B`KT_-zAU@z?Gdxqg3ZLIt`qYS~PxvhG8oi4VuwBv*kL-~M5wrMv zRn{O6*CAUE!}9|ZZ%2y-cq@FQqZiO;T65oPo~0{ z-?!zj!UZ^R)b$2hrY$I|@I+~{NrUVI>?`HH87}!TtpF7$Jb!kfqJpjq$Y^nL)IudNSSAGJDkZ2ejX1 zn(#ha;{@3D5OKW<^IJuv?0ENy-G+=>92yMt2UmwV2ZEc60SQ36@`APrs;$xv$(0#z zLGVW)7h1Wi)IE}QXU!bs^ki`Tm1*^ugTg1g@l7(moW?zD4FDW>W6ytZyEN}L`uPBu zsSQ^}*H`cJg34^EOm-~HAQr6J@_d`rG6W1sb1FI$ZB!YbYsNZA)d97!SPTpjKY%EL zY;QL2sJ)6#i?l#)op9}^*URE_%nx^61z*6epkFYKWj!rJyR(;;RRT&|Y(c|P*l?Mk zB7;+CH9L-^XxvHuhgDGdbIr8d5cQSJHcRa9AZnL$31`%bGAwJ^wVI%nogC{-KS_xr^J)sJ#0%>Z7@vcgw=!OH1b~SWFv-w6Z zZ0(#daH-4;Xdvk($!GWEHkUNcoh~6bC{F38j-$$6>V;TP!)G8rF(ZEaurjmGr1}Ft z8^=^wj5WZ6w|f;m=#N3RdEy^A?xUG~30(F;}V4SKMTKSl$Qkvzxb>yzM(^+9io!Sr9OmrlW1LCQl`Dj`<)< 
zN{o)+N#5v@DIWm#%$!4rRVCF8iJIT3ezp`>h4RHE`S5P4@GZ+8G61S?ZpT)J#qe~P zYmcxs8a(u@G05zBy~#wpHfEZze<(j!v(Tz!cb?%8I%`?`UH?F7oJrL3zo<6$cy7WR zr;#$QVCR_;VeQ}N$KW{_lSeFAPUgvphf99?aF6UKJBcc*y`hx+hllI0P<@KeB+#*A z&17?Jt%tn$Kw{wdCi!AJZ{F3j1+|cCR|xM}lx{PU+t;?-UJ2kGuE4$=2RxSC5U!>A zZrjI;bj54R4D`wc)DcC=dh}38t94lAnuNwUGsGK=ZMJ$2)X>3!k#L*1z2Pb<>T9X&!f$f}PkPg(gV(>ZqJ!L#^UVWKZR2C|phs;Mk;pMnJ&v$|sv(iliy`Yt@R03=E7vnt z&9|o5e%f0-q7j=a%MmRs$ai5B>CKTKFWDbuoEOeqyDfPR^6Er8f&8xel_~?;m|Dln1@^`SteNmOiC9kK~wTjtWjC3flb_>KZ?O8ZcuK&$L+PnuTKV5>lvO+xhy7M`^twf zfb&ztI+CvKW19HP44Wd-@k|aD37^bb7j6@_LA%43m$G;tS))iX&7%tFy!mvZisHB| zmK>jj&y|^dr;oh%D`j{D8{*)W&5VwnaR8s$RG$$Gl9|VOUyKs-k9SclGj)>9+kUBS zA)+)^FNq%E&6-gdq{c{mX~U*cFY3a#5RQ%>$Lsd>6LpSr<5cKs=$>otY;V? zo^pxhMMn=G&xC)p{Y~%OUZ~GbPY>zvQcST3eMF67ynFh{^>soiBSEk;b53--cO4;2 z>MUK#XWNauNj_|n0nJ>NT)))b?$PID^~Wcp0DgLhi$RCaM$;3))AHKee2IJf>XF(_ z3wtJNZoRF~WCJ(^tP)i;^1;rs*>uMW8J<~-YJh93qkM4wR`M1(6EO}f^F1F~81Y3T zt=oGAv67G*Wc$f6d98#j1(nMfP7k-eh>3w6Puoc`>iznl#M+N@_46*uP__e#gN@Fo zhM=YXL*ooRWpa4jH_If_yED}abAZqfb!P;JZ_RzPAn3qK+*x>V8x;LEaUT8=i7OxaPMQ8GW04Y} zhOBEjs=a}c+#GXdeT6&+REtH+@v$$6b_`g^h)io^z~?-6L@dvyO*FC+w?(rvX+(wTVLwR{m4JLOm!0_`-g?b7Za*W zTHx8l*4h!eeoZsWg*wy5erV$fN<}K^RrBvdgRI~4Z=4-K{EhW@3uFV5R9LD9ndt-Mv2ym;qytuPeOCz|+5x^8TJCnW?XRS$iG$gE{V6kLK{I)G?Cyq^fKYKBJ@d0}e zH;!-+`;o(h{UYG*U3}_qaaDTrgMcHA2U($HkBa19AbFnHB4UhkwOj|^G2~YyrtJ_{ z3g2e|@4$8(#9ztz3%El;YDPB_F@+1IM$DN%aUK-PP4qk_LNw{@w6F{ya+4S-A0S7h_L39TOnv&cO8`@#YT@o`$gE_zrC{VXWVo_;Snzc7g>z;S z%F2H+T&_7!tfn=V=h;EqTYsFsj_JrAEQ$rb{OmqTA10Duo*Z99R#f}v^P;<8e5AUp zhi-b+!GoqnR-P6h-j42eF_Sk%g6k|79W&2!-7lUZY|C59SHGhZmt1i#Q8j9c zwkM25=1ke=_%stVm#oI+Ys&5Xx9e%jt*JjLO?Lz_KD68aUW_zMQ%z{1U$5`LLJF$= zB#WJo;-mN~ia{UeDNevMM%ajhhr);^tqsD^($U|{u-yW;@B4CuJiG1Y&Hlje-B9=4 zF@|rU=6G}pvQsMOl2Z%pns+qRjGFE5imiv)wr*3=7A&71fAbs;|d1 z^;6V@Aby_sS7LZSL<0cdOn;b+X^py9|7cvc*}Zb`MiQ&@?tb__09P4@Wx$ZGDNKTK zM7Bl^Y{2MHVn1DT*lac;+n|$F5|Rb5&76^Y*M22YDZv(R2M&FyMZ_w4MXO@br>9;k zYl(d0M9a(f|FZZt0ok|`9fyNf?@*BmJYX1=p7<80P$^yxPuP(W1D&eWBzzV#+pen$ 
zQ6ol^Cz&;$i|d!WPB|flHZz5o-sRY3+6H~8#nF0w#$(j?8q8e^L6&623+4-f&tWN4 zrrr1VJlKhDIHQS&?=#2`+{Mmk#}BR%0|{|wdrSH9Fe8~U|C}XJOiVp@utGT~fK?%NpMpxhG!_QxC592uPe8sN`6w*>KO+tVV z>aXv(m!Sw_vu;|OPYYWdp%T%O$2XO*z0Hh@jOO%+%ywvdW7e1o9e<(NzQsTXrR%1j zq)$GHX_m$Sr>wT14aZW$is*j6nz_lm?+Ea5xznZ`6^#cU%U{Xzkk4+7F;w`bCn*Z; z*44Ax|d=r*48g2EDb5gMd-ZbC2rr1|N_n|Xk! zGk1GPzbZ`Qs0pYHZeMsHvTjfed09BdRsV>?RKD~gv)s3Q^jHZC9?~>XfDvTes@>DQ zc?5m@IacJS3Qd~>+a|KS3ygTF)5&~A6|#cFf z%hF#S^zBrKj#R9QXD4n++%nX~cYL%!1X=bne#eZ`r8FM3NG=&`A9)@it!wc z3LEc?Hsat{THILORS_7gr|~(5))?fUB>PZ+aQYIg$^~g?$ff6>ihQsE{TapJ;V`K5 zF1{b~9Js*$@aWDkHMIY?!Y0M*6T&fVgj-zg*y#sf{OYj>(MbwH(towtcygYDtekHD zQ~XP?p|n3e!rjZ}fjyv}yF5P;1Ty zo;5;b?f}cr?CDq9rdcKExmK}N*1jcAM&6|1Joqu*cX=jevNXOWBvQ#a;!0zb=bMC`dh8h4LRlUR-jRi^wM z%1A*Tkpmr~9XxM<&uqcBZ9SIOuRdndRAP)O^)$wsv3t>8iDp+!k#wgtslB!zTj>H`wHyUMbWoYRGv&ZmaOb7WIir9%WS+B za9kP)ut!SfbF}FnUFSKWjVTbW$-YsS3oEDqCZq4i#S6dvw)WL z)Zp{{7z+^csIXSGE~s*3*1}oHO2K$`s2O#BBC4j5R0QXU|bYW+o`?920l! z>k5W|dY+@JC zAR-?CoXEb^#7`LOSgDh|W){Mi$+-1awV~Kzu22^q%dYqNW}3csmB~_wJcy;c6Z(U_ zyKiy$>~#^o4!kz*V|Scvvt7PP#u2t(vtvjM9S#GLc1h*fmoG*i=pg=8{mcg(uayjH z$fJGiXi;e)G@SXMgUusSREJIvO0-sNHImJ`h)9#c$LH~e4#dwLH4Ue0A8rjo%4^!5 zpOPU3VrL<~$HM;#K~iR>uHcV~(DVfox;lz&VaJC9#lKr;fA_m-(3I2`nDc=+W_AFW zCVS=v!_41QjfTBM;jTU1nPj>cW%UN6m}&Zrf)u2y@Sn>5MOLF%6W`h|8-S_r8e<$( zm!B2&Dp=f6#A&ypD@tUHV-b_30!Tb+2r3qe)BqO5KnVrCm12Rdu&cNPOyt`jf9#@C zY1vuDDJ`zN&j}{SKcCyUKNY=MkETR(D7TkmBk0# zo_ooMV#-{K?(~dc6ivLVFw*i^cYFMtBaBPQLu{!%gXXkEw>Ld1?t&`3#(e_CWi0q{ zk@1S`%UoG$0;$Oc#-&1lF_G3+uAkSTfAkwAKcPKc2d`nB55Np0j60%D@%JzE##Ztx-EwlvQA6d)T{T6xtKXha^e? z7otajOE;QDZ)op~Lv*`aCbVfvlboxwQ+LcSCS5DdFe$DE~XbLZI#gziyN`ZyDC5`tRqGlvQ6tI^Z+Ix*J1zG_Xc-_@?E) zi{-_+CCmT&9$R1T^Sp<954^fj)P=~$*kHNC;r0LiuoM-uH5&D10g)^C{lBYAQhxTp zrdnvF5zDx%*h7~Un(;P(X9o_o z4<_40_42u7kB_;n68Fa59M_BQ{fiD%N872-ViIvDMO*JEvJ8elS3vam?UyX(eYxjY zezjzvG+?y&>MoTGL-|m>V-euXBscEmKA+-=7yjY< zzjMP4Gq?wOJ@ch8#e|58T}_IL*|Odzgv_g%ADyVby4{dGdDXe_edFgmsdn|Nn^{@! 
z#_*7yH6lq}KHWK_Do}wX{5=7FEOHIJ;CpBMQaJ$OLm}YT_gx%c)wG^2H{B#K{dT(l z*k`=~!c^C3eLqPeyi6mV;lBlI+6Pn$c0Czm*^9Ks^{;l944(kd@#p~VbK|~#%2^Os zyGp$h=4zaLvGJK}+dXXC%hY*Pvo40Cb?=-AOw0r4ZHUH!Y#;VM^E4}`(2yptq8X%} z-2TY0<2!Y|7P+OhaXif{txEaxr3+&qi+u#3J{spi@9r4)V9$TsNzecfb^3ItCPk}) zPqQOgk_&lT&O|bR{RNn>C`VLw`u?i*CDGUUa|Rdud?d7v`lqKyV#oSonBs572u>hC zJQx`|>MMmMh9P=8s;ndN^2Ao)z9*yj5(qdoKP&47i*7m(n@|f)Dz_j@Kyw72THUb|- z75~q33j(aXzgY#8-5chDCJ5+WQ9K{Ih!kh>mizRRA*|eeJ>kG|5SBWX1Tk2Vngl|R zw6OTDkq4AP`o@K?!{?R(7>``$#Jlrc`1f!Ny@t!G=`$eGvtOmWK!zLx`&11#HUBMA$JA#(@g}S)CS-B>E=uzs9ohRc=}Dv)W9>GLEM|9=ZE52QUX#X7-{7RIg07ao+rim^T|u;v zeGHBbf9Kq;f`OdmJd_`4t(n*S^V=&!)y%8;`-3*7(upC4=GU_M^q4XLHtCxf6{$fH zc9;3nsbH&K8E13fyhB}+)|+;TP-B2op_c!Oy4aRV2)Ye%NB4MfHf?-?KWec@Ccf|D!w#FPh6 z07dLeLNLmvI|gS-vqKnaPOO?uo=&J3BC(TAczw;K5T8g$`|mWicS5-E=ZMv;AtIp& zC(xyI&|(s86=%`_4pReB%E6%YEnnOv3UdnkdXg{$B{h1J*8Zo=uLfv*&x^eL^u+~d zaP3G7Al8Q|S2~F%5RXtgTAhXzsi{X?HkKME+>idL-Z)^%Fha6KzzdF{E$0Ca4aSRi znmTu!mCJAz&LapPrSwO)LS_}`eS8GIGO|;xMy1>JD3F$=Ov}yC=T+b4sC@E8%=;$m zed!N3`*28H@Xa7?cv40MHXoeVZ} z>ii1r7xn!Iy-KDW13OdFUte;CkZ@gZj$Fo!1(V`VBfDs7V2`MwN{GQnIhaAQ4&0pU z+D+G$L5Ejh*I_vc(S=fRG^pSV#72?|-J;^n9z5ZSvwPsc-dOj9VZ@zi|4s&Wvg5mv zI`&Jgjuxu4Pjbsa;%_ovHRI{G8*-m%fey|GN#}-(3ylU*#eqce#bqBm;uGX}FRj`F z`k#I|J);9~{Il|QQLL!a%rAxYbH<@iY$>G~xhV%bqGN6HOXqhw4HfB}C;TOEEKZa< znfe4v?7I2F`2%v3j{_bciCu{a(5<4e8h0XzHP%WdH@%93lAt|OkeVF%8%8wXtNVUVlVML*=k##)^( z3`5_sqrlZ0*oAtec#~l6w|DLobHqeWGW*^7VJcN4UCwg1&wJ`8Vd8Q$`Qw}jeoO$e z?TLs#7u8k5*|#Fl&XF%dKc8OvF+p5xK<_5(F>uB$}w!HX5b}rmFVs zhu_wrgQR=_UE;og1|>vu4Aojfo0h8U5JY#RwvhTsDz&TtPMSnBM2C8zw?ihTAF&{H z@GbC%v$$-P_1z)}5FbURoJ@}qXmqFLu-gg|d+6hwSL-nGSlVEuUC=HgaAO2?HGsHg zUj$uU_U*t|aoE#}bjZH>$#6F7nBoQN-`UMPuk}N01zwK8kgZxppwpo=L^#*w{hYw< zs!Q_~6kiVJM6Bbll;G%o<`ZzxfQ=MXiX3~&70jZq>=6s>2>1lLoV5H2IupAb7XzQzP;^pZt_9uKqu;5)N zLAqRSve?3F2j>gZjUp*gM%)C{tPvw})DJz7m+BcJ#iJ&BRJ;>$^$nA zgnEJQTnVDUjT+IKz^|G?DRVV{G7!hjp!Z@7iEFOzTYDB%eX zPpdy1XHH*`5J#d%-9_{Hh0wlIHgC<0JZ(Na_8gSwT55h%fS{G@GqBX^^WzG 
zV_N9u0QA+%z%7O%2oA63cM*6!ZwB4&I5&3&6P@&}{1M$F3v~@d@}T>CmEr^;`x{c| zew0g1n3_4k^h2hYT+CZpFlt?@&nVHm(i=7qc%b zCJJ0p`s*J03qe;3jw=wP;Bv&j-Um^rBDNqQr!Q4gU?7U%-Jv*A7$``AgOMJj^ zZZn_Euzh!ZOnh@;QAUzLC;T!3rvK9N&-rdNEKxfmx>yw(yk5gz4211XGWulCMZT<& z_{{n4J8Kk9E37_(2a!hFoq7YT#gmo5Cign&TarTAx1Qxv_?>|*qe}6fD}jx-cTJ|f z=VPbeDoZdeWJjhe6t{W+hH~KsfG@888hyu3HuPUZ^xGPZ#i8L4ANx+l4iEeOG?!ew zr@dK(j5Ob7$h}@)k~c%*9R>cIWzdQYs4d_=9r+=1>Lsy~0rFg;1IjBlQ98l@JQ~~a z0^e4Pr@_33UG}5mKme+lQf?MJ)0l|!Ruvio1vab4%n3+mm9uei?)fY{-p{+B9)wNs z2+8G(>~m+3V~y0q_-LrS1eY(ULV>dTqJiz;Bs5Hra{z2Fx*H)U}b$VCx{%^d!ZQZ3R!{A2LBrZ^uqllu=`}-ZqKof zyZVYAu`q;vZYd84gs_Cpq2U47YjLIU_wbu-b*EV6NXa_E97G>r;PQk0vY9<6(SpqF zWsUv=SDj0C$a%C&G4E*mzXD~RN(On@nLR{a_ugxEpuGF3fHq5eg{`Und+%`q$DYX! zYfKCEEX?lV8EeF1r9Y+(z2(T?6NCP)E;C<4;BPUNayqz_Ldn z-fB?diG=H3?D=`+EBi})aGMeu?X%yk;o}cuP|CF0Yk1Bucr_@mVXl4adhMKSA?unp z7*`R=h>nI6hrn?JIV}cJAVL}Zx(mhKc0>2~?zvN+(m|wlsJkJY0$a8cyUUs(F72)^xFC*1h2yS@MS=-L8MI%lJ zNsO4!%U=-l?P;TtYyS@}H zWJL-jB2!HhQ=ogWY4-o%D|E7qfBj4rgPT@fyPQDQKSUuoI1yx%b=4ajI5fNjp0`WQ z`499HcJK*5&>i7UdRb+{;}fqO0?sS5ad#^F|KUMC>N<}+o<3eV0f)H+-F0jB!*F3= zjQgU+-53y<|KdksOMe&9b?TMdK?6YIz0VpoH%#LS5LQ_V*Z(3;Dy#3Jp66D?%7jqv z27-KkoBa>?sV3~%;QH@VlPeOCum67+Q7kwPZU~e7{}88^TsltNf9IgGN~p4ffSp}2 z1J$6SF_A#?|2{dFmm`f+kq4cUDW}Gh z|L7XWCCNrUXbJg?Pf68|92}N+Uhh%`pFN$i)=iUYH9s{=a!);gzDuxBhaRAjA7K^`u_OPvZ6R<~_M5opfl8*98E3qFA2ADlPfq5;Z}&30&lK}4 zVvp`jwj%Z$i&dKG*uf{Y<|T&Kw6+L(Hz|DXHV;ppdxGz!rvEe(MM!Y>4R{d55DNId zMLDED`0=s*UA)k`!^xl|&VtX%HeCaKcz`+g0+si|V|J=jI$aO6}nX48tlQdzm+*sz%)ngAMU<{b4#4f=o+`D_{jG+K-4m%J10*&XtbCBlc z0obv;b+;XwdERSzS+AyZcd}Ba)8?>)IC=^NN=+-l(Zs%eR8#yHe#<3PbVD9>iw08v z$(P|B#rAmYNZ)LLX4aUWBJC)=LqR+ELQI>@zYsBJJLdTmDMCkXpF zt?Z`GT+S&NKF~%=bki4QJL{!&b@j$jUe?!m+cd7`J0OOHo8FmSXldeGS4>lCp0fj` z=H=WVO#QTq$BTac8q;^(nt2K5web$x%et6h_zlzOajt<6zErg?{#N6eF8?)j;) z<&g7B=1CCjMHKASzWd{aJ=ws^lB9Pm5BGB8QFMgSpGgSPhr^5CyuW=-2K2WyGOXa) zx9`gl;&-}l!!sZ-ub%;=5}h&qk+VOtsw~N$&r)W>?FP0Pasr*oQcl*)T4j{MF%RTp zi_MvP8n$fa_}?pC|MQyF`_JP&yQ!R@*1_NxAk&=665T+Lc8{!s#*bpQ-v9^M*m{@t 
zA;;W}z4&U>vM(U9v&j{FAroD@{`KbNzB}uRHwoKc!6v?nXombV2`Qn&E&Bh8p}H#L zga}|{Lig@C59<>c@nAf(#@G(V0;sHnI;?id5`Vs3qhD*Z57?AS*h>i+`ZRyz)V4Db z$XwJi@DW`}X3$>nZtJc%Ikp++}#d z*05#qLhEMk5nanCmPD+-i-QL5eqg^kpHtd%wx_mPZUtXGpYgSb`sR;*@$x#ax^^pN zB>*tEq_sA{B%7XDD{GICBiqDgtSRjI^X+-C0DnhYvspXqJFhLe7TAUrX=if@#R4;n zXAam%ySMOZo)5gy-iS-jbXwbYpg=VE)^<(u*^);G9VGKp364|cVtoBVFf=aID~mac z$jhR~$IzQhfjHG{gs-u&x4cb&X|pmZR%-8~gSqDN+g>($X_`0*>IYeki@&vf?Wl$A z7a8yOdmvQ@-{meud-HKuhIUK!G3@2uy2>?D)$-)Wn1d88smMeYD~f*5$wE&x3_ID* z-)J;2n{7M}IQCy0`@KHf>iTtGb~3_}Vb%Xw6DHl2d0aR_4HXhuy7lM<;GR7uUT0e`QRL^&-}|@JOfCKhnh4Ob8NW6ZQ4~ zAn}P7Tw`x0={hfz5{vwS31Ub&Ol#H(bSHnDJpc~WNt8=&JA9*0ui`UDP?1w5mM8sw zP4-oPPu2$KcVJCYz#on}eVy~@UrKf))6&gH9OM>8uO{WjJf#Wd$u&Ir9mLVLEP8A4 zLsDwi6*5Z!)>m=@1^I;CTiV&`kIn!>t!kLWsh!I;86`ySueQ0deH&(hP(Wei!K=@? zjR(7p;g==U1Q}KW!>O03rsqb@FX?MFu+ElkfzOvAh99f5?PbmUudm%RGU-p#elCu& z8=nncNQ4zrIOL$@`E{lu95Nq{c}kJ+4MAVw{t{;?pNi<~n9d2yf5!8nptwEJQm&g~ zBikA*Nzs>XW7Qx(v#~1@e=U6)4*6#o1WdIFkoeuPi&pUAV80%|;mO!`OSz3i_6|682uVR<#QHrW9&|*9 zakIi_3oLB>*7!Yn&<;87!<%5gT$zNY15<5MhxUiMzyancTs*ok0RTOP>!7K>vtd!y7cGW_4Kk9<{PJ7( zpHi4~3AM|JE4tnpe(q%^fO%1^A(la9%TOLiiA<$*(mM6lk2%sQ2o@yzhbV4;L?rS; zhaf(aOkk$4OC+otLvs{%qzU6Iwt+hKyPfE<+*TfvV`bcEkWrP}O zQ^sk?0S-J*;b008);~zmU?Sr@D&^7dsS?6tMHM7>^WDPmUc4I)y!NRqx#KL3r z@*ul5fZaoEu{30WTM@UUpw)mY9{}$y51U@}QTm7b+#6=xx+r9Q5i<2yo){Gvxl#~t zD)2Ref(<#JXchJ^t8kUxBksa?`*bIPKmdEMEh#SaiX}b$5_PEjPJ?girtX~~U*L8l z&&`i3ZbeZVIpEjXv{XJU9?0R7aN+AjzS6r;vI+@vBNKmn^gTxQF&kxDzOBKqcHbg; zou#0Ju_vSGG%;VvQv@jewpV>$b+8DMNp9q@`h+4~Xfa%chw>=vSel&V*ya`7RZoIY zH{A$;E-5L=yo^Dq$CKzX4AsqneZ{TzQsaNOY{#820lm(@&@s4k1W&qBe5oW;u;$*< z>a~A89qZK;5vYL{m6OIKNcwEI24HtGnY@A78BzfabDg_KES}{n6=x28xiIUKK^z0Z zHHHH4ZLSktQFvR6c7vJ$-rA+;@4Td-v)4(9Xm*~z7lN!>ba|)T@1WrL^hvr=Pr`UI z>gQ-DNrIr;D|~`la#PL1w22C5jf60VlH<7z5D~76VXjN94=37%yfC@8u7ZSs$FdbX z@%231NU!C$24wh?Rvr5!eF@4aF$qP>0oOYVtuo$HgtM0N6#5``j;8381aYB?0~a0B zcR%lxJxz5P=NBgYD;P?`$q|EkFsYuzY1H?A~WNZJYPz?Fl%6mrj7G zh0@Yxe!wfA%5(WBU(>Vo=JQ`0chwm~S@X(RUj5Kcjo+_H@SgI 
zq3t=irhrigX_jdd^k>!=(G~BZbK|g8>*pXo{NrXrd5sZD~ixxIP zf*9`_mU}0xsZDmLe+V)2{cRfm_7h)b4~v{;oFQL{&Q!zK3rD^cNhw%u(!)FVjv9*n zp)$M%i-eQpQ_jGVwWePYAeiP`t#rn)a>8*d$3L`WM00n=`@Vj#xXjVXlOq(#A}a#4 z(d@0Hpf5Hv%$R|;Cv{Tq`1MngABeu};t4HZInJ|&6b`~ROk9_J7+PiaA95Et=2j-X zp4PN5FI!~0%+yqdaZLjGla;YVpF>@eBXNlW=(22XB$FOr0_|3rOK-O_YJ4Xit0g1 z#<9d=WPJH^TBB0t;&!A?y#QokJ7&)an7KR9ng1$?Kg<55vjjgA-!;D*_I1t)cJ zL{#cQGu2548V*)J_j>^(^nw+a)aPoJ7KdXARU9LpaHh!}DCi9{URZRvR6oE+-jd=H zr1OBWy6copF5*>TIemgQeD{y5w=zp=*`rB%NDJ(grq%AN`;&CFoOe{j!AI_J>QHpP zh5j}FPznPBL)>k#Tm$*oqN0~?syon$SqdI)#ZLe`1o5T*Z53H&&m2if;Yml&DRrHv zRpPyzM1EJ=C1W@{;3OTghvi%&rS%Pj1W}FS>c=~{Xr*Zj zsN4nl-mb>p3?oF~b?T*z+Q%`YAd`l0ae}-XdF+IwK#@q1*6t+Vr>;6SK$n5>kRaRR zt;-PJVP}()lLn}{u}016^p7N7!#ugNk#99Q{I!(e;J4~gHd-Is66OO(_a5AQ zaxbG6egKZ_;V+WRz!-*TD|~jM(k@4x8<}=+**le7-2BVdQ&UOA?IY|b$NDE`pAf>@f?|)-AxP6OV*06RG!GE*=@;PI{CENK2npHYGA6ZY+Y^GlWk#*`m%H5NLj zaZ1}dKX(xxkRV8n0*#0G%SGP#97{F(J%MsDXOkgB8ykKCR>mu*kge~KSN+d%BQ@_& z7s^XQ5jX)AUrKYG!EYC}b#9D#?A=~Qei-U2^+yEd31Qnj%nS1&PXas+Lu%Ahpw59G zJ(Z3Co#R|>Cv7CD2FtWdX3|ow_P~%t-SISC=O3gh!93A+QAJ799DI%6=7rY7!Ee6( zOffkyjULY94C^K);J7`hVU7*szM~KMW%=wDJCE*eG=zWGG!!|QlYMz%8+!%@;2U*! z?xvn-A%S`?`t%tsCZs)zx_cgJB|oTFs(fH+&_?Bww!o>nlP~}l+nTdZdY9Hks>X3x z8pC-Pfe!;GY#7{6qBqvhl*SWmoi3xUp%Y0b4}O*;+blwB8dHARNveJN%;Zcrf8#GZ zIX*OJg)1y9)VfYn#D(?#B}I0>`xTGn>%e#w-j_k$!+5%%i6aJ#$#J>~a}j9cNifp{ z;oCIb8qUCRF~X{%g}Td(sPYCiouMotb)sZZNZvmHBqu`9BT(u<-%xMSwy%54;(i#TFImT1L6WAC0Cw*!3}e>%~ei4Zq!XV^8Y1eowgENc2hnKMqH;Mo7K|n7iZa? 
zH|kMdr1`?}5USc|kDRSGzrGbVf{lriZae%o{OS9_hrd);MX#8PAZ?UIUj{*cyubDN z(y8$GbCHaz{dm}t(fd9fZ4QM|(TZC^%FL)e5gJMnzLmZf&En(o&!6U;wX3qyNl}Yz zw)%G@0kj!h`L*LcX`D4b$V#lKYeM(OXTBC?*s2{m-Q8d8Z+Z>R3C@^xY0T;Uz;Be3 zH2_K6`Xo`vMXe~rk{~N^50$m?ExM1^SMH|;Xr*eZ{z-FcScvU3pe?7`JUU~kS#rJh z!#n8a@q7N@XE)DwfGHqetc8o#^}zh72S-B(;*5*ln17BX#Yx_;Ep|1otES;-q4E5f zqrJ0{MqB>XI@}*~E-*?P`J1Lq-lf2j=x@$CVZLj=%#4%Ra& zfel9f8b&?z=7fwXtTqH%{ysUTejI#HZ?RG2mWp|B6=JXX#2@cC3^Qy+6>BZbJP#f3 zWT8maF_J5l^}i~+xVNLf|I$69HgGFRi_$c%EQ zS+1MV26Y6i?kH8-2?9f&77HVmdQ%D95%Ht3}-H$6DF!0?l9I&t;qs zxViG(?$KVTE&|j)H!LBv2 zjR{|>YCkSSZ9rf6T>;%UW5(W^oS8GOj~ z7=0DSV4Dd!{Uj)?9j*4&5Hv5IFD;bKcCzuhI_$?G)5a0^aY38U8bgauU-f|ZhEm=qC{;qt4+x~8` z(82mlRoy*=-PBH6Mt-$AO&$8Cym z$coA9@jK}E!IIkP$UcZhJ43g|S?{r?N}kzee>nBb)XdOj{&1%b-XUN=ZS56zj+Tff z_Bp$R7ou{S!~>b4*^ ze|(Od?u1gy<=X&`{7O8_Hc{WxCvwb40Ou$_mc+2(sutXL4?A6&n>-93++PI($uhNc zK;%XgmP3rU-FLVtYWN1K1YRSD>{M+xE#4>Z)IS-pj9X+vNtX*Q@ArJX#fNYu{UAwX zJWMhZ-3J3CctkXx+U#k8~LZPgy9+HhEh8vgB} zv$K{EiJG}8-~qySyMFh+)=k=BxmRctHiE}mDW9wWDRS@A#}^GiM*AR{l&F88xcj3C zQz5AjxfDLw7e-52whI^RBhnuuk z!mHE1ItnPF8f5`$0h=-g1pD5*QLu*(`J&U>W<@Qhs$ScX8d9>aOS8-~45RdC<{c3j zsa!>afPSWZF7iLF@qA12olhUc=9YdHAMhWIDL&5`7MuirxwY|iapc#OcR-rjm|_z*s+^_vBZPTq&%@*DwgTO@JYWkA_1fk;+hNa%{`8SuYv1|p)xTpEE;wzz7MjfqkKjPWS{w_|2|YT zu(6$--{`HqBOSFug6(X34`2(R|4ge&c~}(29i$EWO2r&`GE(1CmGt-gYou?HZxcn}Czlc8#lbOu--B$i0 z*?=;Wa2}lOgT7o=|7e^bqQH=gC=fO)ItW|DeHAffB^-Ri&861L=3~;C$2t2c zx*brLbFvA5x)Z36dujaHB@mSN3H{}e?|OVD>`)4RQyjin*UBto1J4;-uR z)b@2|w{sKQT#<36_&4KuvWnN2TW|cU?KP(bd%K|o@?r>#cx}k=a`0IN%t%yC{LCyT z{qAGO4gUj<9@r41o|ssP&(x&;XJpH<#)o!;(cc=E3LFnwoKNK@V?00h5QUN5j`Y*0 z?ha?k4tv}%z&6?RSz9eg-%T06zcwbHtVx$|z5ay-UTD2+0Yh^Xn!BLBGV zW(ID^b-OGrV-}SElP|3n#7FRKd}8#O{w;tV;XGPalsiSUraz**-^nml@#wl4R5@*5 z^04$^R{B5xb8L<;6`0)tcTg!+^DpCjNG`;Wgb>P8gj-AQDdt}wBcXEtrg^*1o}Emi z!X`~27xJ~Au1>w&_~eH8q&qg;idPdphCXE>V*U_?`nPUi)#D)tN0t3;D*AlowD;ft zWDt0z(~xF`NS4`*|5W2P`|p4la##8E?yqk?zaTxL`fm>UFb>B>y=S8IJyJB00RPc^ Ms`sQ?_4WJz18(ya@c;k- literal 0 HcmV?d00001 
diff --git a/dependencies/infra-as-code/bicep/CRML/subscriptionAlias/parameters/subscriptionAlias.parameters.all.json b/dependencies/infra-as-code/bicep/CRML/subscriptionAlias/parameters/subscriptionAlias.parameters.all.json
new file mode 100644
index 0000000..bd70c8b
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/CRML/subscriptionAlias/parameters/subscriptionAlias.parameters.all.json
@@ -0,0 +1,29 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "parSubscriptionName": {
+ "value": "sub-example-001"
+ },
+ "parSubscriptionBillingScope": {
+ "value": "/providers/Microsoft.Billing/billingAccounts/XXXXXXX/enrollmentAccounts/XXXXXX"
+ },
+ "parTags": {
+ "value": {
+ "Environment": "Live"
+ }
+ },
+ "parManagementGroupId": {
+ "value": "mg-example-001"
+ },
+ "parSubscriptionOwnerId": {
+ "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx"
+ },
+ "parSubscriptionOfferType": {
+ "value": "Production"
+ },
+ "parTenantId": {
+ "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx"
+ }
+ }
+}
diff --git a/dependencies/infra-as-code/bicep/CRML/subscriptionAlias/parameters/subscriptionAlias.parameters.min.json b/dependencies/infra-as-code/bicep/CRML/subscriptionAlias/parameters/subscriptionAlias.parameters.min.json
new file mode 100644
index 0000000..157aa44
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/CRML/subscriptionAlias/parameters/subscriptionAlias.parameters.min.json
@@ -0,0 +1,12 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "parSubscriptionName": {
+ "value": "sub-example-001"
+ },
+ "parSubscriptionBillingScope": {
+ "value": "/providers/Microsoft.Billing/billingAccounts/XXXXXXX/enrollmentAccounts/XXXXXX"
+ }
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/CRML/subscriptionAlias/subscriptionAlias.bicep b/dependencies/infra-as-code/bicep/CRML/subscriptionAlias/subscriptionAlias.bicep new file mode 100644 index 0000000..9692622 --- /dev/null +++ b/dependencies/infra-as-code/bicep/CRML/subscriptionAlias/subscriptionAlias.bicep 
@@ -0,0 +1,56 @@ +/* +SUMMARY: The Subscription Alias module deploys an EA, MCA or MPA Subscription into the tenants default Management Group +DESCRIPTION: The Subscription Alias module deploys an EA, MCA or MPA Subscription into the tenants default Management Group as per the docs here: https://docs.microsoft.com/azure/cost-management-billing/manage/programmatically-create-subscription +AUTHOR/S: jtracey93, johnlokerse +VERSION: 1.1.0 + - Updated version of the API + - Added additional properties: parTags, parManagementGroupId, parSubscriptionOwnerId and subscriptionTenantId +*/ + +targetScope = 'tenant' + +metadata name = 'ALZ Bicep CRML - Subscription Alias Module' +metadata description = 'Module to deploy an Azure Subscription into an existing billing scope that can be from an EA, MCA or MPA' + +@sys.description('Name of the subscription to be created. Will also be used as the alias name. Whilst you can use any name you like we recommend it to be: all lowercase, no spaces, alphanumeric and hyphens only.') +param parSubscriptionName string + +@sys.description('The full resource ID of billing scope associated to the EA, MCA or MPA account you wish to create the subscription in.') +param parSubscriptionBillingScope string + +@sys.description('Tags you would like to be applied.') +param parTags object = {} + +@sys.description('The ID of the existing management group where the subscription will be placed. Also known as its parent management group. (Optional)') +param parManagementGroupId string = '' + +@sys.description('The object ID of a responsible user, AAD group or service principal. (Optional)') +param parSubscriptionOwnerId string = '' + +@allowed([ + 'DevTest' + 'Production' +]) +@sys.description('The offer type of the EA, MCA or MPA subscription to be created. Defaults to = Production') +param parSubscriptionOfferType string = 'Production' + +@sys.description('The ID of the tenant. 
Defaults to = tenant().tenantId') +param parTenantId string = tenant().tenantId + +resource resSubscription 'Microsoft.Subscription/aliases@2021-10-01' = { + name: parSubscriptionName + properties: { + additionalProperties: { + tags: parTags + managementGroupId: empty(parManagementGroupId) ? null : managementGroup(parManagementGroupId) + subscriptionOwnerId: empty(parSubscriptionOwnerId) ? null : parSubscriptionOwnerId + subscriptionTenantId: parTenantId + } + displayName: parSubscriptionName + billingScope: parSubscriptionBillingScope + workload: parSubscriptionOfferType + } +} + +output outSubscriptionName string = resSubscription.name +output outSubscriptionId string = resSubscription.properties.subscriptionId diff --git a/dependencies/infra-as-code/bicep/bicepconfig.json b/dependencies/infra-as-code/bicep/bicepconfig.json new file mode 100644 index 0000000..d43536e --- /dev/null +++ b/dependencies/infra-as-code/bicep/bicepconfig.json 
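Review bot: In `resSubscription`, `managementGroupId` is set to `managementGroup(parManagementGroupId)`, which looks like the return value of the scope function rather than a management group resource ID string; as far as I can tell the alias API expects the ID in `additionalProperties.managementGroupId`, so this should be confirmed with a test deployment. The role definition modules later in this commit build the same kind of ID with `tenantResourceId`, and that form would fit here too: `managementGroupId: empty(parManagementGroupId) ? null : tenantResourceId('Microsoft.Management/managementGroups', parManagementGroupId)`. If the value were rejected or ignored, the subscription would presumably end up in the tenant's default management group (the placement the header comment describes) and inherit that group's policy and RBAC instead of the intended ones. The header comment also lists the new property as `subscriptionTenantId` while the parameter is named `parTenantId`, which is worth aligning.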
@@ -0,0 +1,98 @@ +{ + "analyzers": { + "core": { + "enabled": true, + "verbose": true, + "rules": { + "adminusername-should-not-be-literal": { + "level": "error" + }, + "artifacts-parameters": { + "level": "error" + }, + "decompiler-cleanup": { + "level": "error" + }, + "max-outputs": { + "level": "error" + }, + "max-params": { + "level": "error" + }, + "max-resources": { + "level": "error" + }, + "max-variables": { + "level": "error" + }, + "no-hardcoded-env-urls": { + "level": "error" + }, + "no-hardcoded-location": { + "level": "error" + }, + "no-loc-expr-outside-params": { + "level": "error" + }, + "no-unnecessary-dependson": { + "level": "error" + }, + "no-unused-existing-resources": { + "level": "error" + }, + "no-unused-params": { + "level": "error" + }, + "no-unused-vars": { + "level": "error" + }, + "outputs-should-not-contain-secrets": { + "level": "error" + }, + "prefer-interpolation": { + "level": "error" + }, + "prefer-unquoted-property-names": { + "level": "error" + }, + "protect-commandtoexecute-secrets": { + "level": "error" + }, + "secure-parameter-default": { + "level": "error" + }, + "secure-params-in-nested-deploy": { + "level": "error" + }, + "secure-secrets-in-params": { + "level": "error" + }, + "simplify-interpolation": { + "level": "error" + }, + "simplify-json-null": { + "level": "error" + }, + "use-parent-property": { + "level": "error" + }, + "use-recent-api-versions": { + "level": "warning", + "maxAllowedAgeInDays": 730 + }, + "use-resource-id-functions": { + "level": "error" + }, + "use-resource-symbol-reference": { + "level": "error" + }, + "use-stable-resource-identifiers": { + "level": "error" + }, + "use-stable-vm-image": { + "level": "error" + } + } + } + } +} diff --git a/dependencies/infra-as-code/bicep/modules/README.md b/dependencies/infra-as-code/bicep/modules/README.md new file mode 100644 index 0000000..d252a94 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/README.md 
@@ -0,0 +1,21 @@ +# ALZ-Bicep Modules + +This directory contains all of the modules required to deploy the [Azure Landing Zone Conceptual Architecture][caf_alz_architecture]. + +Checkout the [Getting Started](#getting-started) section below for details on where to start, pre-requisites and more. + +## Getting Started + +To get started with ALZ Bicep, please refer to the [Deployment Flow wiki page][wiki_deployment_flow] for: + +1. Prerequisites and dependencies for the overall implementation. +2. High-level deployment flow. +3. Links to more detailed instructions on individual modules. + + + [//]: # (************************) + [//]: # (INSERT LINK LABELS BELOW) + [//]: # (************************) + +[caf_alz_architecture]: https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/#azure-landing-zone-conceptual-architecture "CAF - ALZ Accelerator" +[wiki_deployment_flow]: https://github.com/Azure/ALZ-Bicep/wiki/DeploymentFlow "Wiki - Deployment Flow" diff --git a/dependencies/infra-as-code/bicep/modules/customRoleDefinitions/README.md b/dependencies/infra-as-code/bicep/modules/customRoleDefinitions/README.md new file mode 100644 index 0000000..c288fa9 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/customRoleDefinitions/README.md 
@@ -0,0 +1,120 @@ +# Module: Custom Role Definitions + +This module defines custom roles based on the recommendations from the Azure Landing Zone Conceptual Architecture. The role definitions are defined in [Identity and access management](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/identity-and-access-management) recommendations. + +Module supports the following custom roles: + +- [*ManagementGroupId] Subscription owner +- [*ManagementGroupId] Application owners (DevOps/AppOps) +- [*ManagementGroupId] Network management (NetOps) +- [*ManagementGroupId] Security operations (SecOps) + +*The custom role names are prefixed with `[ManagementGroupId]` since custom roles scoped at Management Group level must be unique within the Azure AD tenant. This will alleviate any conflicts if you chose to deploy a [canary environment](https://aka.ms/alz/canary). +For example, if the `ManagementGroupId` = **alz**, then each role will have this prefix **[alz]** like `[alz] Subscription owner`. See the [example output deployment](#example-deployment-output) below. 
+ +## Parameters + +- [Parameters for Azure Commercial Cloud](generateddocs/customRoleDefinitions.bicep.md) +- [Parameters for Azure China Cloud](generateddocs/mc-customRoleDefinitions.bicep.md) + +## Outputs + +The module will generate the following outputs: + +| Output | Type | Example | +| -------------------------------- | ------ | ---------------------------------------------------------------------------- | +| outRolesSubscriptionOwnerRoleId | string | Microsoft.Authorization/roleDefinitions/8736d87d-8d31-53be-b952-a04c8d470f69 | +| outRolesApplicationOwnerRoleId | string | Microsoft.Authorization/roleDefinitions/4308c4e6-07d5-534f-9e18-32769872a3f4 | +| outRolesNetworkManagementRoleId | string | Microsoft.Authorization/roleDefinitions/4a200286-e2a0-5239-aa8f-fe0a90dd2eb5 | +| outRolesSecurityOperationsRoleId | string | Microsoft.Authorization/roleDefinitions/b2960c40-d3db-5190-94c1-5b07c9547956 | + +## Deployment + +There are two different sets of deployment; one for deploying to Azure global regions, and another for deploying specifically to Azure China regions. This is due to the following resource provider which is not returned in the list of providers from Azure Resource Manager in Azure China cloud. + +> Microsoft.Support resource provider is not supported because Azure support in China regions is independently operated and provided by 21Vianet. + + | Azure Cloud | Bicep template | Input parameters file | + | -------------- | ------------------------------ | ------------------------------------------------- | + | Global regions | customRoleDefinitions.bicep | parameters/customRoleDefinitions.parameters.all.json | + | China regions | mc-customRoleDefinitions.bicep | parameters/customRoleDefinitions.parameters.all.json | + +In this example, the custom roles will be deployed to the `alz` management group (the intermediate root management group). 
+ +Input parameter file `parameters/customRoleDefinitions.parameters.all.json` defines the assignable scope for the roles. In this case, it will be the same management group (i.e. `alz`) as the one specified for the deployment operation. There is no change in the input parameter file for different Azure clouds because there is no change to the intermediate root management group. + +> For the examples below we assume you have downloaded or cloned the Git repo as-is and are in the root of the repository as your selected directory in your terminal of choice. + +### Azure CLI + +```bash +# For Azure global regions + +# Management Group ID +MGID="alz" + +# Chosen Azure Region +LOCATION="eastus" + +dateYMD=$(date +%Y%m%dT%H%M%S%NZ) +NAME="alz-CustomRoleDefsDeployment-${dateYMD}" +TEMPLATEFILE="infra-as-code/bicep/modules/customRoleDefinitions/customRoleDefinitions.bicep" +PARAMETERS="@infra-as-code/bicep/modules/customRoleDefinitions/parameters/customRoleDefinitions.parameters.all.json" + +az deployment mg create --name ${NAME:0:63} --location $LOCATION --management-group-id $MGID --template-file $TEMPLATEFILE --parameters $PARAMETERS +``` +OR +```bash +# For Azure China regions + +# Management Group ID +MGID="alz" + +# Chosen Azure Region +LOCATION="chinaeast2" + +dateYMD=$(date +%Y%m%dT%H%M%S%NZ) +NAME="alz-CustomRoleDefsDeployment-${dateYMD}" +TEMPLATEFILE="infra-as-code/bicep/modules/customRoleDefinitions/mc-customRoleDefinitions.bicep" +PARAMETERS="@infra-as-code/bicep/modules/customRoleDefinitions/parameters/customRoleDefinitions.parameters.all.json" + +az deployment mg create --name ${NAME:0:63} --location $LOCATION --management-group-id $MGID --template-file $TEMPLATEFILE --parameters $PARAMETERS +``` + +### PowerShell + +```powershell +# For Azure global regions + +$inputObject = @{ + DeploymentName = 'alz-CustomRoleDefsDeployment-{0}' -f (-join (Get-Date -Format 'yyyyMMddTHHMMssffffZ')[0..63]) + Location = 'eastus' + ManagementGroupId = 'alz' + TemplateFile = 
"infra-as-code/bicep/modules/customRoleDefinitions/customRoleDefinitions.bicep" + TemplateParameterFile = 'infra-as-code/bicep/modules/customRoleDefinitions/parameters/customRoleDefinitions.parameters.all.json' +} + +New-AzManagementGroupDeployment @inputObject +``` +OR +```powershell +# For Azure China regions + +$inputObject = @{ + DeploymentName = 'alz-CustomRoleDefsDeployment-{0}' -f (-join (Get-Date -Format 'yyyyMMddTHHMMssffffZ')[0..63]) + Location = 'chinaeast2' + ManagementGroupId = 'alz' + TemplateFile = "infra-as-code/bicep/modules/customRoleDefinitions/mc-customRoleDefinitions.bicep" + TemplateParameterFile = 'infra-as-code/bicep/modules/customRoleDefinitions/parameters/customRoleDefinitions.parameters.all.json' +} + +New-AzManagementGroupDeployment @inputObject +``` + +#### Example Deployment Output + +![Example Deployment Output](media/exampleDeploymentOutput.png "Example Deployment Output") + +## Bicep Visualizer + +![Bicep Visualizer](media/bicepVisualizer.png "Bicep Visualizer") diff --git a/dependencies/infra-as-code/bicep/modules/customRoleDefinitions/customRoleDefinitions.bicep b/dependencies/infra-as-code/bicep/modules/customRoleDefinitions/customRoleDefinitions.bicep new file mode 100644 index 0000000..7b44457 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/customRoleDefinitions/customRoleDefinitions.bicep 
@@ -0,0 +1,53 @@ +targetScope = 'managementGroup' + +metadata name = 'ALZ Bicep - Custom Role Definitions' +metadata description ='Custom Role Definitions for ALZ Bicep' + +@sys.description('The management group scope to which the role can be assigned. This management group ID will be used for the assignableScopes property in the role definition.') +param parAssignableScopeManagementGroupId string = 'alz' + +@sys.description('Set Parameter to true to Opt-out of deployment telemetry.') +param parTelemetryOptOut bool = false + +// Customer Usage Attribution Id +var varCuaid = '032d0904-3d50-45ef-a6c1-baa9d82e23ff' + +module modRolesSubscriptionOwnerRole 'definitions/cafSubscriptionOwnerRole.bicep' = { + name: 'deploy-subscription-owner-role' + params: { + parAssignableScopeManagementGroupId: parAssignableScopeManagementGroupId + } +} + +module modRolesApplicationOwnerRole 'definitions/cafApplicationOwnerRole.bicep' = { + name: 'deploy-application-owner-role' + params: { + parAssignableScopeManagementGroupId: parAssignableScopeManagementGroupId + } +} + +module modRolesNetworkManagementRole 'definitions/cafNetworkManagementRole.bicep' = { + name: 'deploy-network-management-role' + params: { + parAssignableScopeManagementGroupId: parAssignableScopeManagementGroupId + } +} + +module modRolesSecurityOperationsRole 'definitions/cafSecurityOperationsRole.bicep' = { + name: 'deploy-security-operations-role' + params: { + parAssignableScopeManagementGroupId: parAssignableScopeManagementGroupId + } +} + +// Optional Deployment for Customer Usage Attribution +module modCustomerUsageAttribution '../../CRML/customerUsageAttribution/cuaIdManagementGroup.bicep' = if (!parTelemetryOptOut) { + #disable-next-line no-loc-expr-outside-params //Only to ensure telemetry data is stored in same location as deployment. 
See https://github.com/Azure/ALZ-Bicep/wiki/FAQ#why-are-some-linter-rules-disabled-via-the-disable-next-line-bicep-function for more information + name: 'pid-${varCuaid}-${uniqueString(deployment().location)}' + params: {} +} + +output outRolesSubscriptionOwnerRoleId string = modRolesSubscriptionOwnerRole.outputs.outRoleDefinitionId +output outRolesApplicationOwnerRoleId string = modRolesApplicationOwnerRole.outputs.outRoleDefinitionId +output outRolesNetworkManagementRoleId string = modRolesNetworkManagementRole.outputs.outRoleDefinitionId +output outRolesSecurityOperationsRoleId string = modRolesSecurityOperationsRole.outputs.outRoleDefinitionId diff --git a/dependencies/infra-as-code/bicep/modules/customRoleDefinitions/definitions/cafApplicationOwnerRole.bicep b/dependencies/infra-as-code/bicep/modules/customRoleDefinitions/definitions/cafApplicationOwnerRole.bicep new file mode 100644 index 0000000..554ba43 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/customRoleDefinitions/definitions/cafApplicationOwnerRole.bicep 
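Review bot: `parAssignableScopeManagementGroupId` defaults to the literal `'alz'`, while the four definition modules take the role-name prefix from `managementGroup().name`, i.e. from wherever the deployment is targeted. Deploying to another management group without overriding the parameter would produce a role named for that group whose `assignableScopes` still points at `alz`; whether ARM rejects or accepts that is not visible in this diff, but either outcome is surprising for an RBAC object. Consider defaulting to the deployment scope, `param parAssignableScopeManagementGroupId string = managementGroup().name`, so the role name, the GUID seed and the assignable scope cannot drift apart.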
@@ -0,0 +1,41 @@
+targetScope = 'managementGroup'
+
+metadata name = 'ALZ Bicep - Application Owner Role'
+metadata description = 'Role for Application Owners'
+
+@sys.description('The management group scope to which the role can be assigned. This management group ID will be used for the assignableScopes property in the role definition.')
+param parAssignableScopeManagementGroupId string
+
+var varRole = {
+ name: '[${managementGroup().name}] Application owners (DevOps/AppOps)'
+ description: 'Contributor role granted for application/operations team at resource group level'
+}
+
+resource resRoleDefinition 'Microsoft.Authorization/roleDefinitions@2022-04-01' = {
+ name: guid(varRole.name, parAssignableScopeManagementGroupId)
+ properties: {
+ roleName: varRole.name
+ description: varRole.description
+ type: 'CustomRole'
+ permissions: [
+ {
+ actions: [
+ '*'
+ ]
+ notActions: [
+ 'Microsoft.Authorization/*/write'
+ 'Microsoft.Network/publicIPAddresses/write'
+ 'Microsoft.Network/virtualNetworks/write'
+ 'Microsoft.KeyVault/locations/deletedVaults/purge/action'
+ ]
+ dataActions: []
+ notDataActions: []
+ }
+ ]
+ assignableScopes: [
+ tenantResourceId('Microsoft.Management/managementGroups', parAssignableScopeManagementGroupId)
+ ]
+ }
+}
+
+output outRoleDefinitionId string = resRoleDefinition.id
diff --git a/dependencies/infra-as-code/bicep/modules/customRoleDefinitions/definitions/cafNetworkManagementRole.bicep b/dependencies/infra-as-code/bicep/modules/customRoleDefinitions/definitions/cafNetworkManagementRole.bicep
new file mode 100644
index 0000000..a46964a
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/customRoleDefinitions/definitions/cafNetworkManagementRole.bicep
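Review bot: The `notActions` list in `resRoleDefinition` blocks `Microsoft.Authorization/*/write` but not `Microsoft.Authorization/*/delete`, so with `actions: ['*']` a holder of this role can still remove role assignments, resource locks and policy assignments within scope. The description calls this a Contributor role, and the built-in Contributor role excludes the delete wildcard as well as the write one; adding `'Microsoft.Authorization/*/delete'` (and `'Microsoft.Authorization/elevateAccess/action'` if you want to mirror Contributor fully) to `notActions` would close the gap. `cafSubscriptionOwnerRole.bicep` later in this commit uses the same `'*'` plus `Microsoft.Authorization/*/write` shape and has the same omission.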
@@ -0,0 +1,39 @@
+targetScope = 'managementGroup'
+
+metadata name = 'ALZ Bicep - Network Management Role'
+metadata description = 'Role for Network Management'
+
+@sys.description('The management group scope to which the role can be assigned. This management group ID will be used for the assignableScopes property in the role definition.')
+param parAssignableScopeManagementGroupId string
+
+var varRole = {
+ name: '[${managementGroup().name}] Network management (NetOps)'
+ description: 'Platform-wide global connectivity management: Virtual networks, UDRs, NSGs, NVAs, VPN, Azure ExpressRoute, and others'
+}
+
+resource resRoleDefinition 'Microsoft.Authorization/roleDefinitions@2022-04-01' = {
+ name: guid(varRole.name, parAssignableScopeManagementGroupId)
+ properties: {
+ roleName: varRole.name
+ description: varRole.description
+ type: 'CustomRole'
+ permissions: [
+ {
+ actions: [
+ '*/read'
+ 'Microsoft.Network/*'
+ 'Microsoft.Resources/deployments/*'
+ 'Microsoft.Support/*'
+ ]
+ notActions: []
+ dataActions: []
+ notDataActions: []
+ }
+ ]
+ assignableScopes: [
+ tenantResourceId('Microsoft.Management/managementGroups', parAssignableScopeManagementGroupId)
+ ]
+ }
+}
+
+output outRoleDefinitionId string = resRoleDefinition.id
diff --git a/dependencies/infra-as-code/bicep/modules/customRoleDefinitions/definitions/cafSecurityOperationsRole.bicep b/dependencies/infra-as-code/bicep/modules/customRoleDefinitions/definitions/cafSecurityOperationsRole.bicep
new file mode 100644
index 0000000..58d2b5d
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/customRoleDefinitions/definitions/cafSecurityOperationsRole.bicep
@@ -0,0 +1,47 @@
+targetScope = 'managementGroup'
+
+metadata name = 'ALZ Bicep - Security Operations Role'
+metadata description = 'Role for Security Operations'
+
+@sys.description('The management group scope to which the role can be assigned. This management group ID will be used for the assignableScopes property in the role definition.')
+param parAssignableScopeManagementGroupId string
+
+var varRole = {
+ name: '[${managementGroup().name}] Security operations (SecOps)'
+ description: 'Security administrator role with a horizontal view across the entire Azure estate and the Azure Key Vault purge policy'
+}
+
+resource resRoleDefinition 'Microsoft.Authorization/roleDefinitions@2022-04-01' = {
+ name: guid(varRole.name, parAssignableScopeManagementGroupId)
+ properties: {
+ roleName: varRole.name
+ description: varRole.description
+ type: 'CustomRole'
+ permissions: [
+ {
+ actions: [
+ '*/read'
+ '*/register/action'
+ 'Microsoft.KeyVault/locations/deletedVaults/purge/action'
+ 'Microsoft.PolicyInsights/*'
+ 'Microsoft.Authorization/policyAssignments/*'
+ 'Microsoft.Authorization/policyDefinitions/*'
+ 'Microsoft.Authorization/policyExemptions/*'
+ 'Microsoft.Authorization/policySetDefinitions/*'
+ 'Microsoft.Insights/alertRules/*'
+ 'Microsoft.Resources/deployments/*'
+ 'Microsoft.Security/*'
+ 'Microsoft.Support/*'
+ ]
+ notActions: []
+ dataActions: []
+ notDataActions: []
+ }
+ ]
+ assignableScopes: [
+ tenantResourceId('Microsoft.Management/managementGroups', parAssignableScopeManagementGroupId)
+ ]
+ }
+}
+
+output outRoleDefinitionId string = resRoleDefinition.id
diff --git a/dependencies/infra-as-code/bicep/modules/customRoleDefinitions/definitions/cafSubscriptionOwnerRole.bicep b/dependencies/infra-as-code/bicep/modules/customRoleDefinitions/definitions/cafSubscriptionOwnerRole.bicep
new file mode 100644
index 0000000..797d02d
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/customRoleDefinitions/definitions/cafSubscriptionOwnerRole.bicep
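Review bot: The `actions` list carries no comments, so nothing in the file tells a later reviewer why SecOps holds `Microsoft.KeyVault/locations/deletedVaults/purge/action` or the full `Microsoft.Authorization/policyExemptions/*` wildcard. Both are sensitive: the purge action is the one that `cafApplicationOwnerRole.bicep` explicitly denies in its `notActions`, and exemptions let the holder switch policy enforcement off for a scope. I would add a line above each, for example `// Purge of soft-deleted vaults is reserved to SecOps; denied to Application owners via notActions` and `// Exemptions bypass policy enforcement: review assignments of this role accordingly`.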
@@ -0,0 +1,42 @@
+targetScope = 'managementGroup'
+
+metadata name = 'ALZ Bicep - Subscription Owner Role'
+metadata description = 'Role for Subscription Owners'
+
+@sys.description('The management group scope to which the role can be assigned. This management group ID will be used for the assignableScopes property in the role definition.')
+param parAssignableScopeManagementGroupId string
+
+var varRole = {
+ name: '[${managementGroup().name}] Subscription owner'
+ description: 'Delegated role for subscription owner derived from subscription Owner role'
+}
+
+resource resRoleDefinition 'Microsoft.Authorization/roleDefinitions@2022-04-01' = {
+ name: guid(varRole.name, parAssignableScopeManagementGroupId)
+ properties: {
+ roleName: varRole.name
+ description: varRole.description
+ type: 'CustomRole'
+ permissions: [
+ {
+ actions: [
+ '*'
+ ]
+ notActions: [
+ 'Microsoft.Authorization/*/write'
+ 'Microsoft.Network/vpnGateways/*'
+ 'Microsoft.Network/expressRouteCircuits/*'
+ 'Microsoft.Network/routeTables/write'
+ 'Microsoft.Network/vpnSites/*'
+ ]
+ dataActions: []
+ notDataActions: []
+ }
+ ]
+ assignableScopes: [
+ tenantResourceId('Microsoft.Management/managementGroups', parAssignableScopeManagementGroupId)
+ ]
+ }
+}
+
+output outRoleDefinitionId string = resRoleDefinition.id
diff --git a/dependencies/infra-as-code/bicep/modules/customRoleDefinitions/definitions/china/generateddocs/mc-cafNetworkManagementRole.bicep.md b/dependencies/infra-as-code/bicep/modules/customRoleDefinitions/definitions/china/generateddocs/mc-cafNetworkManagementRole.bicep.md
new file mode 100644
index 0000000..abe0027
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/customRoleDefinitions/definitions/china/generateddocs/mc-cafNetworkManagementRole.bicep.md
@@ -0,0 +1,40 @@ +# ALZ Bicep - Network Management Role + +Role for Network Management + +## Parameters + +Parameter name | Required | Description +-------------- | -------- | ----------- +parAssignableScopeManagementGroupId | Yes | The management group scope to which the role can be assigned. This management group ID will be used for the assignableScopes property in the role definition. + +### parAssignableScopeManagementGroupId + +![Parameter Setting](https://img.shields.io/badge/parameter-required-orange?style=flat-square) + +The management group scope to which the role can be assigned. This management group ID will be used for the assignableScopes property in the role definition. + +## Outputs + +Name | Type | Description +---- | ---- | ----------- +outRoleDefinitionId | string | + +## Snippets + +### Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "template": "infra-as-code/bicep/modules/customRoleDefinitions/definitions/china/mc-cafNetworkManagementRole.json" + }, + "parameters": { + "parAssignableScopeManagementGroupId": { + "value": "" + } + } +} +``` diff --git a/dependencies/infra-as-code/bicep/modules/customRoleDefinitions/definitions/china/generateddocs/mc-cafSecurityOperationsRole.bicep.md b/dependencies/infra-as-code/bicep/modules/customRoleDefinitions/definitions/china/generateddocs/mc-cafSecurityOperationsRole.bicep.md new file mode 100644 index 0000000..12d7aa4 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/customRoleDefinitions/definitions/china/generateddocs/mc-cafSecurityOperationsRole.bicep.md 
@@ -0,0 +1,40 @@ +# ALZ Bicep - Security Operations Role + +Role for Security Operations + +## Parameters + +Parameter name | Required | Description +-------------- | -------- | ----------- +parAssignableScopeManagementGroupId | Yes | The management group scope to which the role can be assigned. This management group ID will be used for the assignableScopes property in the role definition. + +### parAssignableScopeManagementGroupId + +![Parameter Setting](https://img.shields.io/badge/parameter-required-orange?style=flat-square) + +The management group scope to which the role can be assigned. This management group ID will be used for the assignableScopes property in the role definition. + +## Outputs + +Name | Type | Description +---- | ---- | ----------- +outRoleDefinitionId | string | + +## Snippets + +### Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "template": "infra-as-code/bicep/modules/customRoleDefinitions/definitions/china/mc-cafSecurityOperationsRole.json" + }, + "parameters": { + "parAssignableScopeManagementGroupId": { + "value": "" + } + } +} +``` diff --git a/dependencies/infra-as-code/bicep/modules/customRoleDefinitions/definitions/china/mc-cafNetworkManagementRole.bicep b/dependencies/infra-as-code/bicep/modules/customRoleDefinitions/definitions/china/mc-cafNetworkManagementRole.bicep new file mode 100644 index 0000000..65ba11b --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/customRoleDefinitions/definitions/china/mc-cafNetworkManagementRole.bicep 
@@ -0,0 +1,37 @@
+targetScope = 'managementGroup'
+
+metadata name = 'ALZ Bicep - Network Management Role'
+metadata description = 'Role for Network Management'
+
+@sys.description('The management group scope to which the role can be assigned. This management group ID will be used for the assignableScopes property in the role definition.')
+param parAssignableScopeManagementGroupId string
+
+var varRole = {
+ name: '[${managementGroup().name}] Network management (NetOps)'
+ description: 'Platform-wide global connectivity management: Virtual networks, UDRs, NSGs, NVAs, VPN, Azure ExpressRoute, and others'
+}
+
+resource resRoleDefinition 'Microsoft.Authorization/roleDefinitions@2022-04-01' = {
+ name: guid(varRole.name, parAssignableScopeManagementGroupId)
+ properties: {
+ roleName: varRole.name
+ description: varRole.description
+ permissions: [
+ {
+ actions: [
+ '*/read'
+ 'Microsoft.Network/*'
+ 'Microsoft.Resources/deployments/*'
+ ]
+ notActions: []
+ dataActions: []
+ notDataActions: []
+ }
+ ]
+ assignableScopes: [
+ tenantResourceId('Microsoft.Management/managementGroups', parAssignableScopeManagementGroupId)
+ ]
+ }
+}
+
+output outRoleDefinitionId string = resRoleDefinition.id
diff --git a/dependencies/infra-as-code/bicep/modules/customRoleDefinitions/definitions/china/mc-cafSecurityOperationsRole.bicep b/dependencies/infra-as-code/bicep/modules/customRoleDefinitions/definitions/china/mc-cafSecurityOperationsRole.bicep
new file mode 100644
index 0000000..254b760
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/customRoleDefinitions/definitions/china/mc-cafSecurityOperationsRole.bicep
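Review bot: `properties` in this China variant has no `type: 'CustomRole'`, which the global `cafNetworkManagementRole.bicep` in this commit sets explicitly; `mc-cafSecurityOperationsRole.bicep` omits it the same way. The service may default the value, but the diff does not show that, so I would add `type: 'CustomRole'` after `description: varRole.description` in both China files to keep the variants identical apart from the intended difference. That intended difference, the missing `'Microsoft.Support/*'` action, deserves a one-line comment such as `// Microsoft.Support/* omitted: resource provider not available in Azure China` so that a later sync with the global file does not restore it.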
@@ -0,0 +1,45 @@
+targetScope = 'managementGroup'
+
+metadata name = 'ALZ Bicep - Security Operations Role'
+metadata description = 'Role for Security Operations'
+
+@sys.description('The management group scope to which the role can be assigned. This management group ID will be used for the assignableScopes property in the role definition.')
+param parAssignableScopeManagementGroupId string
+
+var varRole = {
+ name: '[${managementGroup().name}] Security operations (SecOps)'
+ description: 'Security administrator role with a horizontal view across the entire Azure estate and the Azure Key Vault purge policy'
+}
+
+resource resRoleDefinition 'Microsoft.Authorization/roleDefinitions@2022-04-01' = {
+ name: guid(varRole.name, parAssignableScopeManagementGroupId)
+ properties: {
+ roleName: varRole.name
+ description: varRole.description
+ permissions: [
+ {
+ actions: [
+ '*/read'
+ '*/register/action'
+ 'Microsoft.KeyVault/locations/deletedVaults/purge/action'
+ 'Microsoft.PolicyInsights/*'
+ 'Microsoft.Authorization/policyAssignments/*'
+ 'Microsoft.Authorization/policyDefinitions/*'
+ 'Microsoft.Authorization/policyExemptions/*'
+ 'Microsoft.Authorization/policySetDefinitions/*'
+ 'Microsoft.Insights/alertRules/*'
+ 'Microsoft.Resources/deployments/*'
+ 'Microsoft.Security/*'
+ ]
+ notActions: []
+ dataActions: []
+ notDataActions: []
+ }
+ ]
+ assignableScopes: [
+ tenantResourceId('Microsoft.Management/managementGroups', parAssignableScopeManagementGroupId)
+ ]
+ }
+}
+
+output outRoleDefinitionId string = resRoleDefinition.id
diff --git a/dependencies/infra-as-code/bicep/modules/customRoleDefinitions/definitions/generateddocs/cafApplicationOwnerRole.bicep.md b/dependencies/infra-as-code/bicep/modules/customRoleDefinitions/definitions/generateddocs/cafApplicationOwnerRole.bicep.md
new file mode 100644
index 0000000..c7cd819
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/customRoleDefinitions/definitions/generateddocs/cafApplicationOwnerRole.bicep.md
@@ -0,0 +1,40 @@ +# ALZ Bicep - Application Owner Role + +Role for Application Owners + +## Parameters + +Parameter name | Required | Description +-------------- | -------- | ----------- +parAssignableScopeManagementGroupId | Yes | The management group scope to which the role can be assigned. This management group ID will be used for the assignableScopes property in the role definition. + +### parAssignableScopeManagementGroupId + +![Parameter Setting](https://img.shields.io/badge/parameter-required-orange?style=flat-square) + +The management group scope to which the role can be assigned. This management group ID will be used for the assignableScopes property in the role definition. + +## Outputs + +Name | Type | Description +---- | ---- | ----------- +outRoleDefinitionId | string | + +## Snippets + +### Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "template": "infra-as-code/bicep/modules/customRoleDefinitions/definitions/cafApplicationOwnerRole.json" + }, + "parameters": { + "parAssignableScopeManagementGroupId": { + "value": "" + } + } +} +``` diff --git a/dependencies/infra-as-code/bicep/modules/customRoleDefinitions/definitions/generateddocs/cafNetworkManagementRole.bicep.md b/dependencies/infra-as-code/bicep/modules/customRoleDefinitions/definitions/generateddocs/cafNetworkManagementRole.bicep.md new file mode 100644 index 0000000..63f8fe8 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/customRoleDefinitions/definitions/generateddocs/cafNetworkManagementRole.bicep.md 
@@ -0,0 +1,40 @@ +# ALZ Bicep - Network Management Role + +Role for Network Management + +## Parameters + +Parameter name | Required | Description +-------------- | -------- | ----------- +parAssignableScopeManagementGroupId | Yes | The management group scope to which the role can be assigned. This management group ID will be used for the assignableScopes property in the role definition. + +### parAssignableScopeManagementGroupId + +![Parameter Setting](https://img.shields.io/badge/parameter-required-orange?style=flat-square) + +The management group scope to which the role can be assigned. This management group ID will be used for the assignableScopes property in the role definition. + +## Outputs + +Name | Type | Description +---- | ---- | ----------- +outRoleDefinitionId | string | + +## Snippets + +### Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "template": "infra-as-code/bicep/modules/customRoleDefinitions/definitions/cafNetworkManagementRole.json" + }, + "parameters": { + "parAssignableScopeManagementGroupId": { + "value": "" + } + } +} +``` diff --git a/dependencies/infra-as-code/bicep/modules/customRoleDefinitions/definitions/generateddocs/cafSecurityOperationsRole.bicep.md b/dependencies/infra-as-code/bicep/modules/customRoleDefinitions/definitions/generateddocs/cafSecurityOperationsRole.bicep.md new file mode 100644 index 0000000..56ce46d --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/customRoleDefinitions/definitions/generateddocs/cafSecurityOperationsRole.bicep.md 
@@ -0,0 +1,40 @@ +# ALZ Bicep - Security Operations Role + +Role for Security Operations + +## Parameters + +Parameter name | Required | Description +-------------- | -------- | ----------- +parAssignableScopeManagementGroupId | Yes | The management group scope to which the role can be assigned. This management group ID will be used for the assignableScopes property in the role definition. + +### parAssignableScopeManagementGroupId + +![Parameter Setting](https://img.shields.io/badge/parameter-required-orange?style=flat-square) + +The management group scope to which the role can be assigned. This management group ID will be used for the assignableScopes property in the role definition. + +## Outputs + +Name | Type | Description +---- | ---- | ----------- +outRoleDefinitionId | string | + +## Snippets + +### Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "template": "infra-as-code/bicep/modules/customRoleDefinitions/definitions/cafSecurityOperationsRole.json" + }, + "parameters": { + "parAssignableScopeManagementGroupId": { + "value": "" + } + } +} +``` diff --git a/dependencies/infra-as-code/bicep/modules/customRoleDefinitions/definitions/generateddocs/cafSubscriptionOwnerRole.bicep.md b/dependencies/infra-as-code/bicep/modules/customRoleDefinitions/definitions/generateddocs/cafSubscriptionOwnerRole.bicep.md new file mode 100644 index 0000000..135e404 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/customRoleDefinitions/definitions/generateddocs/cafSubscriptionOwnerRole.bicep.md 
@@ -0,0 +1,40 @@ +# ALZ Bicep - Subscription Owner Role + +Role for Subscription Owners + +## Parameters + +Parameter name | Required | Description +-------------- | -------- | ----------- +parAssignableScopeManagementGroupId | Yes | The management group scope to which the role can be assigned. This management group ID will be used for the assignableScopes property in the role definition. + +### parAssignableScopeManagementGroupId + +![Parameter Setting](https://img.shields.io/badge/parameter-required-orange?style=flat-square) + +The management group scope to which the role can be assigned. This management group ID will be used for the assignableScopes property in the role definition. + +## Outputs + +Name | Type | Description +---- | ---- | ----------- +outRoleDefinitionId | string | + +## Snippets + +### Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "template": "infra-as-code/bicep/modules/customRoleDefinitions/definitions/cafSubscriptionOwnerRole.json" + }, + "parameters": { + "parAssignableScopeManagementGroupId": { + "value": "" + } + } +} +``` diff --git a/dependencies/infra-as-code/bicep/modules/customRoleDefinitions/generateddocs/customRoleDefinitions.bicep.md b/dependencies/infra-as-code/bicep/modules/customRoleDefinitions/generateddocs/customRoleDefinitions.bicep.md new file mode 100644 index 0000000..1e25021 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/customRoleDefinitions/generateddocs/customRoleDefinitions.bicep.md 
@@ -0,0 +1,57 @@ +# ALZ Bicep - Custom Role Definitions + +Custom Role Definitions for ALZ Bicep + +## Parameters + +Parameter name | Required | Description +-------------- | -------- | ----------- +parAssignableScopeManagementGroupId | No | The management group scope to which the role can be assigned. This management group ID will be used for the assignableScopes property in the role definition. +parTelemetryOptOut | No | Set Parameter to true to Opt-out of deployment telemetry. + +### parAssignableScopeManagementGroupId + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +The management group scope to which the role can be assigned. This management group ID will be used for the assignableScopes property in the role definition. + +- Default value: `alz` + +### parTelemetryOptOut + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Set Parameter to true to Opt-out of deployment telemetry. + +- Default value: `False` + +## Outputs + +Name | Type | Description +---- | ---- | ----------- +outRolesSubscriptionOwnerRoleId | string | +outRolesApplicationOwnerRoleId | string | +outRolesNetworkManagementRoleId | string | +outRolesSecurityOperationsRoleId | string | + +## Snippets + +### Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "template": "infra-as-code/bicep/modules/customRoleDefinitions/customRoleDefinitions.json" + }, + "parameters": { + "parAssignableScopeManagementGroupId": { + "value": "alz" + }, + "parTelemetryOptOut": { + "value": false + } + } +} +``` diff --git a/dependencies/infra-as-code/bicep/modules/customRoleDefinitions/generateddocs/mc-customRoleDefinitions.bicep.md b/dependencies/infra-as-code/bicep/modules/customRoleDefinitions/generateddocs/mc-customRoleDefinitions.bicep.md new file mode 100644 index 0000000..2496911 
--- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/customRoleDefinitions/generateddocs/mc-customRoleDefinitions.bicep.md @@ -0,0 +1,57 @@ +# ALZ Bicep - Custom Role Definitions + +Custom Role Definitions + +## Parameters + +Parameter name | Required | Description +-------------- | -------- | ----------- +parAssignableScopeManagementGroupId | No | The management group scope to which the role can be assigned. This management group ID will be used for the assignableScopes property in the role definition. +parTelemetryOptOut | No | Set Parameter to true to Opt-out of deployment telemetry. + +### parAssignableScopeManagementGroupId + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +The management group scope to which the role can be assigned. This management group ID will be used for the assignableScopes property in the role definition. + +- Default value: `alz` + +### parTelemetryOptOut + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Set Parameter to true to Opt-out of deployment telemetry. + +- Default value: `False` + +## Outputs + +Name | Type | Description +---- | ---- | ----------- +outRolesSubscriptionOwnerRoleId | string | +outRolesApplicationOwnerRoleId | string | +outRolesNetworkManagementRoleId | string | +outRolesSecurityOperationsRoleId | string | + +## Snippets + +### Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "template": "infra-as-code/bicep/modules/customRoleDefinitions/mc-customRoleDefinitions.json" + }, + "parameters": { + "parAssignableScopeManagementGroupId": { + "value": "alz" + }, + "parTelemetryOptOut": { + "value": false + } + } +} +``` 
diff --git a/dependencies/infra-as-code/bicep/modules/customRoleDefinitions/mc-customRoleDefinitions.bicep b/dependencies/infra-as-code/bicep/modules/customRoleDefinitions/mc-customRoleDefinitions.bicep
new file mode 100644
index 0000000..4d752ce
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/customRoleDefinitions/mc-customRoleDefinitions.bicep
@@ -0,0 +1,53 @@
+targetScope = 'managementGroup'
+
+metadata name = 'ALZ Bicep - Custom Role Definitions'
+metadata description ='Custom Role Definitions'
+
+@sys.description('The management group scope to which the role can be assigned. This management group ID will be used for the assignableScopes property in the role definition.')
+param parAssignableScopeManagementGroupId string = 'alz'
+
+@sys.description('Set Parameter to true to Opt-out of deployment telemetry.')
+param parTelemetryOptOut bool = false
+
+// Customer Usage Attribution Id
+var varCuaid = '032d0904-3d50-45ef-a6c1-baa9d82e23ff'
+
+module modRolesSubscriptionOwnerRole 'definitions/cafSubscriptionOwnerRole.bicep' = {
+ name: 'deploy-subscription-owner-role'
+ params: {
+ parAssignableScopeManagementGroupId: parAssignableScopeManagementGroupId
+ }
+}
+
+module modRolesApplicationOwnerRole 'definitions/cafApplicationOwnerRole.bicep' = {
+ name: 'deploy-application-owner-role'
+ params: {
+ parAssignableScopeManagementGroupId: parAssignableScopeManagementGroupId
+ }
+}
+
+module modRolesNetworkManagementRole 'definitions/china/mc-cafNetworkManagementRole.bicep' = {
+ name: 'deploy-network-management-role'
+ params: {
+ parAssignableScopeManagementGroupId: parAssignableScopeManagementGroupId
+ }
+}
+
+module modRolesSecurityOperationsRole 'definitions/china/mc-cafSecurityOperationsRole.bicep' = {
+ name: 'deploy-security-operations-role'
+ params: {
+ parAssignableScopeManagementGroupId: parAssignableScopeManagementGroupId
+ }
+}
+
+// Optional Deployment for Customer Usage Attribution
+module modCustomerUsageAttribution '../../CRML/customerUsageAttribution/cuaIdManagementGroup.bicep' = if (!parTelemetryOptOut) {
+ #disable-next-line no-loc-expr-outside-params //Only to ensure telemetry data is stored in same location as deployment. See https://github.com/Azure/ALZ-Bicep/wiki/FAQ#why-are-some-linter-rules-disabled-via-the-disable-next-line-bicep-function for more information
+ name: 'pid-${varCuaid}-${uniqueString(deployment().location)}'
+ params: {}
+}
+
+output outRolesSubscriptionOwnerRoleId string = modRolesSubscriptionOwnerRole.outputs.outRoleDefinitionId
+output outRolesApplicationOwnerRoleId string = modRolesApplicationOwnerRole.outputs.outRoleDefinitionId
+output outRolesNetworkManagementRoleId string = modRolesNetworkManagementRole.outputs.outRoleDefinitionId
+output outRolesSecurityOperationsRoleId string = modRolesSecurityOperationsRole.outputs.outRoleDefinitionId
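Review bot: `parAssignableScopeManagementGroupId` has no constraint and defaults to `'alz'`, although it is passed unchanged to all four role modules in this new file and, per its own description, becomes each role definition's assignableScopes. If `alz` is the top intermediate management group in the target tenant (likely, but not visible here), all four custom roles, including the Subscription Owner one, become assignable across everything beneath it. I would put `@minLength(1)` above the `param` line so an empty ID fails validation early, and end the description with `Use the narrowest management group that needs these roles.` The four `output` lines also carry no `@sys.description`, which matches the empty Description column in the generated docs for this module; a one-line description on each (for example `@sys.description('Resource ID of the Subscription Owner custom role definition.')`) would fill it.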
diff --git a/dependencies/infra-as-code/bicep/modules/customRoleDefinitions/media/bicepVisualizer.png b/dependencies/infra-as-code/bicep/modules/customRoleDefinitions/media/bicepVisualizer.png new file mode 100644 index 0000000000000000000000000000000000000000..7d5251e88abd12c28d787b260f77d98c066cd05e GIT binary patch literal 73601 zcmeEu2{e@d|8G$!A*o~;luF93EMpl`Bq8~R$(}u9-x(tjEezRZEtQ1qgDhjq#8|Qq zBV(6!7!Ae@b07NtzTfZfckeytf6ux1oO|xM=R9*fGiE-|=ks1(pZELyykF1ryLwt| zM|qDPIBz>y21E0J2=Ycne9MpBy4;(0o zVWn9g2HqcWzXkO=Z~zp!_c|Cevu1bT0R6r84fQ|#EtY;T)A;Yd*$fHJq?5YOI`ATBNvVf37H2HpRt{4LC%agZdlyqY`K2F#d*ki zlNOTI$mJkcMx`$AcCElDtATZv6O}cxUb7v;8N_r&+4WlbCVkg3_Plo7-a+P2LR|QL zn%9k6yYl-~JGd2T`RD0^tS{~M{&%(SWtB`B|2~b|jsl_oJneT_+DiOA-aAzrOwqrF z=J{V5+6lL&;?fn<#RuO0aYlto`!>vLY+(N3|DivQvfaV4Y~NpR}>FpyD< zhweW5FCJ{h2siTgum8o1Y**7%M|J;CN$dZhBK}_;x-S`ob}p*(#lhD*o6DX0nrZ{q zo5q5OAa>=|2KTLr$VlNB<$H1G^N1i{ob|+GMs}8<^ela7u2mBe&|4oo#4KtR(%qYmSPz%lO(YoV9l<6`a^z+qzMR+Y zRa00l?<=Kgu!AYn@y)&Ob(*Cy{9LESADq0Xmwsl@GGwP$`Te658^9McZIHUTl3;}8 zueaP!T`GUbv9^cX@-l}8?9wRK?FpjRX)dTErm&KmIPX5)=2kv8G3~hiO*uTQtav8L zG@`@?6EWYH>mYnFNep^IPlepSM0m=|ZO`NM!)Hjm(|F;SSHXGhd#@DbGBSx<@70&; zsVh(-#DSseq-#_75$l|2xucTs307lvMoX89fu;}|CgfJ!dA38P9N*MORUg0NoW2O= zst!l?yu*O}%u*D+?ETkXTAF?PbL8Gn9VPR>yfMTp7Hcn->K$P2D?z9qzIeOjw!)HD z-uG-;ap#?4IkV^QjM~QQHt8uXpG2x`;M^yli`Z|*&D1;D1?VhW@5z@}(F^7rh?+_+ z?x<5?!A2o*kMavknZ}>7Xve*4{id^6P^RY_b5&Emx7A8P5vF5*d9>=9(Z;@%j`SbcO|ek z%Y!bIGAOy707DkGXQSw@)|7m^zYi^kaz&Koy2!$x2_`UdkNtfE%2C= z&wL=d=zbFV!9R~MGlb`T#Epe~3-YI4W0cQW%@zg_WS4m0oP2`w5TK@s<`==tF;>yMV+qtcayLq zd1)kvEA8!s+kha2D(S9Pe@hXNsFvGRMU>#WL%%GC-;`*umSC_q&LJzf>0%n}-j`Q^ zI5@A+ZUtjskGKd_(nBW7{;$#*c4%}L3CL)v#|X8d?p4P(>+ z+`#(`sKl}7EzEnt*<$^5ui1y$eIp*}=CApbIlq+w_?7~I7iGCZURmX(Y=EP`>w&t} zkxO&Wd8P7mv|Ym5JwhrP0hqPZQIfxqiXCviK6ZKRf4w5=~t2 z=8v+`ie(i3zn_}^b=93;ea-K*<8RA<20TSGhS_Ebg?F7O@6%(&yHuJxNf>%{lmHgJ z?0_`C-|bB!-B4waRoSrP+lvRBj;FMlGtFMz|3-#2QoM9OOgPLmTmFxaVaZ&(5ec)375(vc7yHu&}&R&M|xTJljwuLrXx 
zfWW$>FsFyt(!AOXBv~MV)O8sMb@bo_NB1b#?k}uc;x@V2_-U@{7AY}{zPsGbYFR%) znP~q?KXK7*=Hn4SeKp5Aoc4Vd+{|xki*eIam4Z;`>zdrqAP%=Ze*qpdmrhTTdcX zMA>%^eY%O%M+~soTF%Yn-lZkZJtYKB1Wd?hg&?qqjfVARPS#yxCq+Q7BW(@oN&DKD z?I^kFOPif$^eSV)qWO+uL#VCm*ZrlU-&5(P|KsnPp|%cBU z9p1Teg;;*B-(D!DuGB=52ThB9dG%(?NaYTY6_fM`;DGW0bZ5z|$u*42dqf#VAjlR< z1>k~BGK7NFfe2TG?VC$FzAIQ=y4DExopBw2TTY4E)uz=fIwcG0KIT6aT{dJBTMvxg zoHq9B1A~RlYjeLJ*J@XvN}Aba7UF`4b`?s#n;T1R zy60{GfqaYm+trs>Z31`5Lk>RW>s?Ak@C?0i;ICwUWx)EZ&rQt8o+B3s6xFPJSrURZ zv&oC?n2FT=dN0Yg7fTGfy46!=S6k)lrJF-1p$-|R?7Pxa3&j0u{2L6Zbsto5_Aj|5 z*-c%m?M#5Z_jazECM`ICP9+Gk1E5{JyS%%x=#55WiBDqTEXNa7f=u z7*1mlkwNTg!vcpXjMJFPFADOQtGo`dK^H$odFUd}>Va zl1*w%2yJSZKnnsQfN%|V#q+T89?krYO6ZU8YuMp?gY&yoA_vhQqqMiZC%jv~@-z^H zra{g=$=C^H7QmGtD~@no47bB3J)MeyAQB%p5;50?%(zr(6C4gMkK%RZL~9A!FbLR3 zQ7VuaL`bW^>%%9xhS3xht;?@oHXTlCgGM?G!?(3*pML;~gPQjvDu-Q@EdrfT(OUT3 z<*h_sS*ct*BuF_d-DXNg(0@GCee;K3q%cz9?MmB5Ai4jOreZPvT20}%5jVtoT3O&l zVGv?#LU=(T3+(f#YOR&88Nf?!)n9KoQp2`cM51OpQsdbK-lz>3zJ3KRi2PD%ZdJL!D{1H8d5(rBoqm_`x<=BQ)bA zF?d>7@Q7RRqG?$Mo)-Y;_S!Uqn^s*@1fB;P?Lvg=oOzLtR^D4v&gcA$V)D9pJ+<-XP976g~~4Vh_ z4jAV1&NR3VEumgy_`aD&KR)dK_mV-SbUBv6M3qCZXr;pbfIS|FA%hygs zX;v?lVoSqR+uK-Hxa)r2e9Cx^{g-1+xD5FE5#2*%*D95pHGm{S6Bt{zz~rWbZ3bGP z#EKBtfTmDS#EAV@0;dwQ}jDzp{-g7a%NW zdwE*?sNYzCgZ*FuG^f6)3u$@(>;7)j zrWO1go(MuO!REJY<~qcWo|)IlIB%=N`@f!ntb-vVyQnfzIr;YIgxO=kjtHXtDTyX;`4mw&|*racG~@md<6#Z}$e z7%mFgSu8U(jy122l&ro;AD&pqfrjDMbmq44V;d;3EBBJgpN~&fJtPEgvibe+F_r^m z1l_S=Ul42#&f@ik+HrKWN*P?swSABj6KOwp%@dvSvN9I7mmVSOl~X~8k!@bc*j zVX3(+TeMZ=YMtpTZGPJvPYsacOX1;Z3_QMFbzYf%$bf-E zeIcAn&!k$}T~b&T3m)?QAa~TdBL-Qu7d!DKVrxH2N|d~r`s8cTf6!ra-KS+{w|u!2 z>ttf=n-DIu@NA>ImgjI2YGP-^iKKtX{*Uw6DL2$v6FCm9e2`-M%rAb&)nOouJXk-hHh-G$BT2RaG$_A3KvQ?bQ2Dj9c2W zR1;ArDyaDDQ~u|6JvGec>rPO16pUF$3|#_~T}X4xA7UCNk7holkEdZwzRPXA6k-%zXEEpl$m38=%tLu%TSzZ+tX=fk{hBX4Aogm z$!r0``gbR~g1rYX4At~q-9!gVQ4vp6wZ4K)()vK4%g}Xnj?_8yO z1aP9y_MdeLC*Ww~Cjr$-q4nX(q7d9*xjxEcxo`(?6*)t}du6`^x`JaJmOGIncSo(4 
zSvsW6N`$SLZ>o*MB+rIDzVY+nTpPR6?$34AtT~H!aAc%zzb}0C>BD+jv8^y?00ks_pErgr`kCzFZq?wg0<%-0Vdj95LA zbW`mir6UH!K5;?Nap7sP0>t-^B`c`F`XoW22tIf2O>}V^xI{UrlgICa9a!MksX0(d zd<@9k`)BF;%pH}Pv;2uZ$giZ*;Oc~z%NUudWdPdc-}3;)_3BV zjfgb^g8r9vvuV9(pTPF&(lELF-ct_t{TFnwXC~Iaqu7=#4^h*TWs6d&}F_J;USR;hRf)=okfRk+2 zDHW5-HQtt9Vts4d*)urWZaP<&P>z9prfCVVnHSMuIor>uekf+Fb>_1f^OA>OpLq%q zRKRYO8Zn#iB^bDq@bnZsS6t+Eo0xa@*T^fCaZ1OP8o%AjR{f^l5m{h{D*X99XIa`! zM$s-hK#cGlQ)^@N4vFTWm&yU^njTVMTfC_VEvj-6HKj@P98Bqcl`R{~zHM@PRuD}{cx5N!;v!;G zmU_+JroDAD+9k_Uu>IS{`@&U~=QHCzV{_~MKJ`e=__X=ynW`ukbx=vYtz$bz_WI9{ zG0Wi_YKmLz#m6+C7;5U>h<-Pf?1>>BA>jRMxv|}g30a=&)mwaOrpU$EkV|HDNP_*M z#-pS^<9!SHlPPGKlSZ=L-8=NyBK93!|Ia%??|+3<%1V_PPHLrq4uLM!>Q&h~G{s0N zo%HqZS0Z|B#FV8j-EmejXSqg8Sr6;(dL`8Wy~}V8q;rUM&)!Wm`7=_okb;}lUUT+X z28Z~0xNUA1(&b%fs+zikkP=&as^EP!2VwQdjI(d7w|~tK*Ip7i7)zc~VL#78^7s-M zs@N6N(2@!pxw!t;l_jiJ&ppQH=J8y_k?e3e&HPgMhaAJ`GOWj#P`Ov@YnMj#oA4~3 zxAiF@!+k+E0mDwEVwvym+jnnN@po zT$ASryo?_bx31u zU0ynEN%T0i`$;7wIz9YR#$FE5JX*|N?u_EYONC^oKrT(ysMUFthL!dSOv+i6b1=V! z>$8lM8=^$;NV~GSOCmE9n-VDetMbDmPOz+UW-u#DH9TgW0Ll~ON$FcKLxS4lh1-fM zLgq*gpMd-@EX~Gwb57YT87X3619?q|9L$fQ?Pe5cjJ?F#UVXIWp0obUMaGQ%UHwNx z85ZbS-}at^U$^6RctktCbcZixkSMP zltvo^r3LFP`<3v?^CptW``;G(m0W}*BA0KW-mf?bmxyDQw08`;OhQV=pzHy$X5VP3 z5~vW=Sx_ci(q&)_?QPu}n_G0eTAfM& zkJ0eA)_11EPZ2no(x&lucDJJD6$6?B%c9psI7l-N z8N=**HNp1lij>SXQ}uu|qnt6^cL&$-w}WqW%IxPchD%#t@A?<65`CHMeQlRce(YA5 zjLl$BO2i$!QT0s80i}Kno*w;DSVsMpb)??bS?}X3lR>m%u5nym8JD#~14q!ZH$^A6 z;iqbS!4ghXA8Ix0wGA!LhkS84@(9aoDU$ zu&8Y6V*lWv!$~Z*D|uYg>Y>uA0R6=EhYIZkiE|PB;A2NBm%gw2+~5&qZWI^1G_~(Q z?G_H8pI4FiXBk0=I!cIYbMxV?G&`AvC%$Kf4kn};u=TUyFGD;dA2%*mFe`X~N7xUZ z7xXlBY4!j)y{uS%{KcjoZb>4fRt1~TM@R$B%6UN}`p5M6FMYRAJaa+$E2=A$bFond zs^7$Aowzxv%~+2KzdDO=2Y-+FsD%=qh#BXuNL@}Rd@gZi z$@gAbuhZlY?g|Rmc;c9jBtJWtG_UC1-W`v|jx4*ogfiY9aj6d`nZICeCTsTH+G%P? 
zH*)ZTjVO;S5N2_Woh2TrB~!^mCT=JWkUixfTZ!r;CB)Qj#_~;`hjNFgzTk0Oq^vlo zXss?#Q7ZFBE`pM*_s}AjE86F6bHcLvZua`C&B^y7j`DZl>DPxbjwc<4pY~oYG5;0fJ~YG`>yBcq=ZYD+VE$kL9?oFDH>_<)xA$ z@wZo1#_LLv1fzw&H<>QpqaBt4NArPKq4}zt5~Hk=1H(Zj@|FO(tJIKz5OR!j=>CU~+#&N@^`W9|av7j1kf4GF|n?|m_+hC)FS$yy#9 zInPSDx{e&791u{d#qrE^ljb;o<#7$p#OX*t1ByyZ8~Eq6wz6}?1)~}onH@x-XqYtl(*kP4 z>L{53@(|zVw^1o|Ek2ENA)5YbuhHsZ5N8~i?yk4?@cuuG^ z*^GMfEzAAeOCO*DX8(%`pT2XzDENKh*RZB% zcR@O|6b6W7ZJ~*qkG2wlyq|3Vi!+%mgMfQ4pu+q#$uQ=ANW9x6$6Ki!5j@SHF z1I74KBLedZ(I#%wUY=&P<}AZuE_bN`z>V<;5*?-m{t1;Bme?KpUVS_0{g@5YOG=DO zI&mu+Cs!bg4@a6VL~ZDAbh#N9TXcwINeZ{OXj4agd3pwMOi?Q{@0gb3z(UloF5d$C z-rS}Z855_iz)4P86unj>8Rr7NB#h$*TuW{_p5U2eI4C#IGFy4hQY)ve(;GD?u=rRH zp_jdy)=0FdWhh^wCS*yVQkez(vsdwqBYfCg2}*sd(?beHz@6bN-J->c1;HxnRv(sy zYTUFd$DgOyUp+C4JEw&3%4F@(u)Y>C>r3Zr_Q*gdOFXi)nq^J_Iqqg=JPUmXyZUhS zNU1C`G*!^2>3~uY1OJ=z5ZxO>Hq!?h!?RmCAP4h%yve?1Yd)HXPrSh8ooG7p@er@? zIq$n)WuwPCif#AqRP+3jIvmuytU5)aQRK&~q}Oi<{`zFSMr)})Gh0@UZXSOYCjC-Xu3Q75w8P71t}YX8m{>+3WRyx z3{Ir;kVt)Z?Uec00dKCnXuqW>%`fOu-wW&gmvY%eqonTMp&Z(XH zX?NUHQO!PR-TcMbveUw>lPqUOnES3hVlCjFnN}#K+W@J$y|A7%7hcp{89+r#A z@P|vFoJKASE96Znkm3piwcPs<^HH61HE@h1J}#7@Kz9B8ZX1CHfxcQYH=2WsP$WuL z*2pw!KNL}}kkKP1?;BgjU(Da~>N7mEi#sbfO5iX_89C55e%bH#A49-q)o+E+T_rSF zeqfjpuDj=;ZU7X)|5Om)>R73bfcD<{T@|ce?g(L18dd(&IPuNu=t_gx zh6b-+hn;nvnAF^y@#%&f8hb+51;kcl+UGH3{*n)Pg5{t`xxhq(5U<|@4-xs%3&PUw z9wYcuUwh$3c~b9So)-{rwCoop7wiu zKpiv~@mkZRs$i#bB*MwGc>oHB2!1*e3d6%egL=kSkP2_2DA-(uySDu-v0i7ce}*u6Wo zsGTAGTGW+zre4&vUbe<)SkAToG|O9l?}S3bmQbzX#^`=Y;LeuMMNGZbfHHIf2o>gL zRh}uLd_x2*wU&Nf(D-ifjrM3!m{8sNQ3u?NZD;<_$>HtT&-Bqo=EVB6m#vlN8=0f2 zOS(qq+=>fD<#U4C7-8H@(5Q=kt6=POMJc;ROW>5Occ6iYSeijeMb^zxWP&uxNroHx zJm4-mJ_5<9pr}4~d6Bos=rY!?R!>XBr{P!ns8u!-K8lK$iGA#1P-7lxS~TL)^vqRn zwa@pGlF#j$i^e@~w3*KpVY=rQGxA4C)sXheRJh{947qqH7I7uwPg8p!+U$<@>7><9 z=U#D^H4|6c@oI|l#niu`v;c^>j=o~|Q0ZINflJPOh5cFx#eW%98yJC>0@6v137;8y z42gIq!kOOnbgC4cywbN5nksZ6O9*>mmdtS6VcCeN&M^?&Fpr$Ea|kNdJ<=ThQ$Z&A)zv#1 zu~RZin$;~>%PE>Elv(qMdqgJV-I3caH8Bb-QFxasfX%Xb 
zfavD6WHpPU$p9%__LBEToc_gA>BW%G#?leN4=7}CTKMENLa@Z#j`vP%4aua1V-Rrr7i9t`-4&Bafu)O?0(JbuxHPJ_})8#?OVvkbsDo(UsO0*)BVIu0Gu^bJqAGA4{H zTS!PGV+q1}r?c!HsA^eVC?ExjNh&COTuz_#3Rg^O^Sj&yakbQRD|TTaQ|4I)3a+?_ zgoKO)PJCP<`$I0bo4G07F!Q~EyJ*{wbhREk^honlKPvQJ*cMPX_C;%L2mWz({CR9M zPz-@2fA+AtuO!X_E>Kz*S~@Yd-k253uXH1CXv;kUr^vsU)^)GmAzX2VHQmjyut1}B zNEREtxl@?&dC(oL;^>`yMvJA#cMIXpcYGm^sML2iE9$WXYviaBlJjtf{Gcv0V5@Na zK*EM0QRa@*-978V^YhJ+@)b7}#cYmyi4m`jWQF-WOpqe$fqL@vx}K36cQanK_A6#& z$9o#1*m4c{)N0X}K=roTdMSNLljE#lXkL)(fZB(1>z>p@rOp4cshP@C>qudwx>9H5 zsqd{OOvE`^{;V9Xgl)T>pEvBxod_jjb`+%C$x0EC>m&?=tx9|I+`mlf=b5>hmf9`X zuk4!cC!QkjBef>y^8A>-7OR$@LTMp($E(79reA!6D*~BLbg9P`5PJDrCmEr|yHlTS zk#^8WUrQP7%x`!%x19U4YPKpag5NJ;$D%l6(#vde^Z5{VMDq&y>^1D~PKDDc5c!iv zT9+e!OzgTENFK6ZozlJZkong5yR!2UM^T`h^~o@P7V$OJ``(D2vtLOH8Yx8D!{I}t z{yJgyzK+TPS*Rwxmj~3Uve)AcVwbEgK^9X5GaB{M%XSZ`JmFu|8V)EDlkytO>Mqk; zQidigOrEAeia70mI?gPCLH>t^Xfu}+60`5*3Y>ic9@lyy<8EKS6w1e$fr!!^_oA%w zV6iUes`RC)wK2278Gd60ebR5F|8T~)aIb}H1ZlG(^MpFp zQD3VaQAo}oRsB(VmLrc4H)I_sQ#-EC93Rw#9Cj<-oFtEgTyaU+Tqq1WN$8GzWRYv3 z`2B5qd5C7lDn5xY*w4zW!k_YeFkqY|>p5QLg}&2=#To%DpXb1wq-NYR@> zDT}NdWXHEEAgn`r6Rq~m*S6+sSlALMCK&k*HLlreXTcJWv=F+ka5?0y49e-F@cd&si&>GT)0$R z@nTmRLG^=Oxp?(uNEHK+nHT>sv9DwA9dWriry}xB^vYt(c4^_%+;CSy;wH)EH7OR~ zc88ziJF1ONal(>7#6IheFC{LM8vTws9Wi>wnO=8IE1L_Amp9|O-JfK*WD0_A*9hnK zI(0R-l3e6`Ps`}mzK4$5Q*0R9lO?sTq*fTneL$vI%Kpnlw~`4Q?U=Qj^~-MoOC`5$ zrpJqyTQcQJEhN2KDc2Y|n&UlR(CIhW*E%mXyBSV|?aE!VbID2Ej(u(S=dD252!?fs z$fid}rIk50{TOvNSE3v4_)lX}yRQ4Hh9A@9k@=L+&^|XDaQxV?Hpcyi)eKBVi4(DP zWFR40cBvz5yj?F(j)k2&B^9!nGkHS9H_#*Zrj{N2t@xt8zm@7Cj@_)GBOQmFece3} z6=%ij^$yI)NG7Q(=A|h>By#7jErfn=xp3P%sWc}#*)6o&fKYG+q<2WUJ%xkn5nzW? zH1ut6Xcqn0XJXNUb)4L=3h0-|+A?Pfs=VfS9Bz&hv9khqjgxpmh2duHrz&mgd<}@? 
zk>v(ok;h?rdJGE52Cc8Iz#LGlWPSX&?4j!m$$_6-7`-3M>a(9?`8e7gRjjj`H?#}X zmB@qA?L$t>o8p4APE)We?Ycl6tH%yh3Ds9sg9Ob@@8;iHx{u(^9TVRjl6w z`S#FS{iI2trW&nhKoWso*3$>Q61=3}p-Rz{X#a70rNJHat^)s}R&x%VQ=8|2l3afV zsw%fxNO8HJHsR>tO?$=B*2OQ|f_fQ9L1I^jF9Hs#wd2m;5V!_jF7T~kue7Kj=%9f0 zjKcjC)|x!4BE|40;d3OHq*}~J%MWj0386$@eDa+$ZUzl{ zKs3*#3HO_#wf_@zyIgWP4$pQUdpa=DQjE8+JCV`|SD5PRN>)=dVNkkxo$+h}vX-`! z#v&VTqRDj}xa36mfu^6D?c7=nSGiKu6|DYXTGYO4Ez*LFn(^3(mFoOelAe(IxD|Xn zX&q!kW{_Qu1D&xG%5DkZyb6^#7@;TUix5lWWLa`Na=rq4VZ6-neQ?=S4$Rw~b7PX! zUc9o_p==%RE`Y_N-pZzUmdSo_73FJ8U2d$!G6=niQ|s7_&OnG=QL=iXcMMk1HvkB@ z2(xTa1G>bA9gk9B7VeiMtKZGmy^B!Q33}@l&nRP2W@yMQ|V#$n`7oLAN9GqvJ)dsBwT$h~r=4Q+eR&bAI zmgg^@&2{quUE)}d_PsuA6Kp^zKg%9Fj93$L2SUqZe%ZG&q+dKHPXwJLwqZ73GMBH) z+gaCyb-OowV=-rNu4m^kR@2V$k zS!Qv$TX^HWM+4(}ejx{nRrvF~|FmqsWR^`$tV8v7q(Li%?2^DZIu~cw2Ay5e)PDV?F3ZJ?kuybcf-a7@n0%A{dn$j!7>Rqmg=@linzi-zE$^igJ(`Y&gC4L5vVSjXW8g@{&WPkX-SNx z@NiZbrS(`dt$iUZpzN4xv!^;wioD%rEEn0+YMI&*DHor`OcyNk$sx(7DK(US#Fr{Z z1ma%=d<}faBbKbJr(_?{QC6UfaWOI~iY9@`&E6h$TgR}|UbRSg-LXmwI{?Ch>z6}) z=E|f^lPZQsfG$#+Zt73|xkCptViQClphZY;$H>phCzS7P?Vi{{dDr+6@O4?cGb@#! 
zdx*Ep*!x8|`I3e`{}gzK~Mu1f8DRyxqG`d)L7BNUw!s#u7e z#?9okmGnr3$iH#`I`#TRz2>?)UDX?07`N&Q>#iI0TK&~RM~!4~vALQGfR+!GzETj zXp{t~@n_V#1@@&ieFnNf+k-|KwZ9agW%&_^<4hVP1hLnISVrAK(53{tf$qnwZ{RS?%`Zbwfi}VdlG-)xu(rJ@ zzo_3~L50&_Av)6v7((oK*KYrp0V7j!CDnjoti@@djo^qj)%f zuC|{qk7J72yOX}h^*Z(Mz1RQyKKf{lA@=7P%Gwcq9$X0x0N5*S33WrP|IwEZybZ1X zvkPAbghtW-gO%m|psi#l1(Ndxg!Xu=$>n#iEL2hMi|ZqJXEAM{^xux|yiZe=f074` z!3e{OtWWZTd_HR(COpYrQSkv8vJefI;FXRo1DW#61Go9t0Y1kXPqiRPxq?Koz5wDL@R6OK6sbW;1J$h%qK?2^s*iCMm* z9$MOQaS!RGi=S)ksXIVRv^*=;A;ZV$bhf@KWx5#X8(v*7MuQ6~1|PhqO24hzktkMV^!&^ z^InhtdtMf044&hlezvRE!GS2x>Qg^JMPPo45d+Yyv__u*QiD(v)wzJ zy|t%h?#(&Bqhxu1&VG+w$~xsHQf!cInG$WyQv7GnYA;-fN*S-u+-sXv_?aEnG@IsT z@da(TzE5Q71NQK^z*I$4@P3OS`$wQTRHz0ZpWXHh^H{lNxM2g31LbYP4`o312pTx2 z+>EB*#$@RAdw@NH&UUCGO6B(emohzTz2|!Y-lK@^rpEfgGjZ=MT6UcQvf^+&Ee0SQ z6n{N!ny|9j&%bZ*dyJrW2rHxu$G$BxKHHvt>Ao@S5V_|pH7(goTDO1!8XVC%F{P-1cNXp3KGXH|jC5$0U)p@3^!x@e1G|b)?FQ zqeu0g6;I)k1ZC{SmJq85zT*A)kt+;-j5BgaG zNXYJ1v29yiF|Z9MuF$XUHI4(U$UURkY2{D*-Mw~juf^Y9KYBETzEdap`h1?`olIrL zpv$CEJ8UT$yYWA}=!nmddGn&h=9l7bRcg4$RBItA2Uu|t4+H_Qc&1+078&BMGi<^t~lR&S5OPdv2=W*YLWOH;MfC z7>evC{2HIgqpKbw*Z5Lwauz?d4n_GU{T@dYDBxGqm&5;=h> zcZGf3Cc8 zlN*2Dhnvw0{4Y3o3E)Y;;65?{L@SUQ(`?A=ilMjev_c|FGJ+gA@gaBj%-CvKaj$qc z?SdKgXLmD?A3^XmKU(b0YjB~r0I(*jzt^+`0f>ruAu0dRw@p*I`CPb$MD4kBdY+qo z&N3)5EA;*kWe%(=+-`ISbu{jKh;)A^L&WwBa2!KlIy^VOMWJZ%KGfaiKZ5L)L;OK3;J<(l^&}B?Emv z4_K!6zX0VmFtL9aBGWagZq@Nv_XTsoBgVmVB75@6yLysiZZK zUi@;E;e6?N?F<0?|FT*@{{Mg{$L|d5Q9roDZ9Z3voBevK)ugMx>*sXb^)yG<_(9&> z`o$dUF>6ftk@(6h=BV>|z%DkwzxxBbfq3_aPASaodz%0}0`K-fj19mTL@v~tUM6vD zZfrf#eTO3?Bii#4D>_I00D7`9w<%73RQhDcrkHr-`8?Tw3lhv-p}fV@8K>vLa=3z&wEzULh1=`ZdR4)q{cf12OKpab24_mNU)Hex`dJ3M}D zW49Rlma(bo2-j__nD%Y#-=L1$0MPK>wSUa)WQvG>n!pCs*WUjJMpf`Lbyu<(FxQH! 
zEk+ZqA_zf=-QLY617kwm;q6kAPFycwTz|O|KwORMhyLY++4U?Pz~c+5nFTrZg1SYT z1~}+fM`=@##E8L9YeL9H#8$rh1_pg*LuqHUcqb~OeMl?r>Z5H* z*-X~v68ZXTW~3RdW?lWAH&;LUrlp0@<^Y92Sh0kilGTxB?#SnR_94#}vB#j6ubp6< zNF&hfx0<-?kDr#bFx#$HZy@&UlN2|ryPrl11YUw~))3eP>06lQvyuGwwgd7w|Divn zZvK2_uRVuMjQa~IJ{mL1>hq}n9Mx$G*bG)NqvsH8bB?z+Imy?|w?V?Mpvm4Qf%pvT z)|H^7&$+!yQ&F;|Y8$J~9LeY21(WkF*@%HdHBBWL0lp7+QtyGY{+R6s$j<<2GLpVa zq_ab)!{0;uNi*-W_@aR)K13)HYh~ecN(51JhgE^ao#*=SbF785i&27*dT+#XF|nQ+ zv5BVdObk0@u>m|<%j+~^B!p&dQfjMh^2OV!YI7{8jPYeL|55IO>&J^D>BL$=hb04{IYs-axbNib&$2M_?Rrgp&7^y_iw-w(uTyr2A%bITNIzS2rCrwjAOKSSg_?V5 zmP4uymM)8VZ9|RzTm8ul>z}CtC-o3i=B87Gz{{gFZ@)2m!F}b1sS&LZP9ykgXz@_5 zVe`AZKAlCi9BxM0iP*B$sMlM+av>R%B?m~_(|4Bi?IGy*gIRUJGX{VH6Kc-tLtiKb zDDT{tJ1X>9)}Lrf*fx^8J<%Pq>vcLC>c`G20AFnsEAC2>&hZ`-+2q(9_0mU~hmhj4_PO1rF(ci1!T$imW%gNImo%{cMQO|iw-*eshrNjVuH>Ov z&|D{nmPLS<|IVC1d*)?Y#2)s5sg0fbbZIm4ciD;Q%3!OX2PPV%faj6)f(;fQT3tMY z02s4vzMsNN9RV6|H^QaKorKMsGoL9F>^WNiN z_EP$b`kA%u4)@Nqd48^%d?AK2)G}kj+yWMP=k-<5eB)V-x)Vv5Xuit!xqj7u!Vj=g zAgAjriB7ShM*gk%G{$vbr7jj~Cc;&L%4K<4u_ZK=6)#v$i)vWBj8FG%bs}6|+Ji8CDt8B@=1FRjN zGD8(X|4M0owDIFrXHC48fGT%T*x$3}V_dIV<7#r|fLu)9-3@9Qh@puE1-e5&F8Nie zQY+nmaD*g+q?Y_z1FWe$vO0@8ojlrBtpMFM{zvl5o)e?^g=M#pAm7>ArLvqJmr%vm zK$u*$@F~BP^B|C*_I{DCUyF9B{zJ-@i?Qt9KLf0wR2zIV5PX1uOxx{m=v)8*Y^3oYTilAnUWWJIUth;66SbJ`{_Ux8 z#5#oBxisGpb>b3hOxV%~5&H4Zw2eONc|HP<{Zf5)xj=q7kpH<8>oz0y_KG0V;^fzt zWja~@KN*VFgd+ByLzF1HT&})y%?EI&NH+k6hBZX%*E5K=6Hy}5D>cM=pR87$yKi<7 zdnEJO?mmY`MgbNJW6NM4IXdmCFk1&erM0XAK)ke@6Um}2>yQ*)@Hj1LC&85*x2m?U;})872&_J_Z~n|WnI6w0t%=EVU(OC3qlJ>h8A@|C5r(h zgH2F!&N&zeBRQi3iU>-SAfX8YN;e=uGPI;da%iDxXz05S&KTx-p8LM_)&1)Gs_t7g zGle)E&OZCBy~2O}mVN*MN(XEPF;?sX!owfC&(|(Z()oY6IKhV5Qms%DqN7tbr?_0F zE54D$IICSfs1@exM3{!ommBRU|8A<@a`k0=EB>j6fo?qqI6X|ek}`{smGv91hJueI zizjKC8d`AA8-3fq_^8tmZY zx>?M*HdU~5?Z8Hn_XA0P66B^%s_VF$Wz{VfIt|yE9vuiEF-;^{?_Fa(xuGqixHsa| zn1?(;Tf5$0yzAhb&~JO9QxS(2jXHjcDkgjDonRAa0e-VS_m-jyUpuQ59(47-nVR;2 z34bz1(waDq=LG||*L`w2k@w;&fNO)|yxXYsX0lmiGEk$-h5Gax>rFM*6mK1JmHXZ$ 
zCLk+k$RE|2rKAAp0Ot&fCknlf`LDtEvP;(z%;!TT20ATsgT1BPKixHJJ+8+7_|Tc8 zMuZFd*FNP>m5HU9Af;kZ)!|q&2z!fsD4*6s=euRVlL2Is4*hJL-J~c!U*1j=HOP%N{_mM7N`n<^EZH>}m!dPa*-y;ZBZ@ zz9*UNNC`)>p9kYlo}+K9TtBcq=i0EdAS3~n=&#^wKB7T!BLmemS_J3V^jnOb2y#^9 zxaqer=hWOg&h)DP1jb*Q9hV>3B$n+bq)|KTYmW9Fh&(H4l?b-@q*gkI#M5wf7iRkg z#xU=74$JfywjJWP$q1hnRZgBLIo2ecEHZ;)2|Y3KxC|dA8KO82oF?muKfKE{ znj}BUfk^)IUyq4pNV;DinK7j^fwP3fv!FvYj8@ABK6{zUzBQx^AgKBxh6WCj8+=MH; z;>XuG+?>o$$Nna*YvErvEhgi~`FW2F7Ye5-+I6O?f$!xN55(>%uy1Y%Hvb;G_otLB zZQ26Yj=k)RYiyV|Uhy{px@zRr84W_{BpcY7Tc zG5zR@*MCUBX4R5&h1e#g^O+*f_B5aaM~kA6)Ww7@9ci-Pc!dY|5bkG3U0`vM7RM@$ zA;*+ym;#?sU~l~dP08iwB;6jd+3NX-yoUJ9%P|MFQ@&@(67q8>NsP z67V1bW~{fPfA&YZ_V<4put6P?-vbA5`gbbs;$eY8vMac;?8p{Ve^H~&P}4-<0XU7z zWF7MzBRLK3jjJ_R1yans04^6e_?vrt9|Y5P40&|YOEv|eX78%;Tq;L-d7nI(6v@82 zEjODHpGhO|)rln1blG4~D4y;nf^=3pK!O@gwR@pLM+FfQz846I$2=RS8LvH!*J^6B~n(-;qdnLzd=|J?^p9aBhgn#A2NagHQD z_U#7GW-YuTd+Pwji~}8-;$&7sd*{nV*QmQ@Zsf`9K~C*68VIWK#X;)lL{wd2mEV2I zHgxELBb|P(DETi(soQO{@>nbW?= zpJPmgR7z`sm!u9C@j)8R0@9n1nJ|_ewR$F-!dObxM~F8P2(lqjJ6UbbH%9MJ=qS5-UY0}|N6Zc-dz+)oyUz=gz+>Tgs!Nc$6 zrjxtoWNuOmX8fV_KBTz8z@mxfpqnf~utS1td9ECk8SWem$`fNuV1Cw!TobOMh~FZ- z&@Dbiwccy)~gfIjTy)6M*nvu@LBw9^=IJ;&@8?><1`tW_u$J?e+aUHBQ@%GyIotmkmD@`$!}pWv;#BzD924QonuMwI#iVYY>K zp*XKOgZ3p^n_xLpPowcvt_>YJ-kbB$uVJucz)t#}8u0-RD|B3>XIDhYRe1kMet|AL zuxF`#X%EfrBG=qxcN_DXH?((4q@p~^P{^HLr>}XOvb~Dkb z>oQ0}$BnY+wp$E4xXVj&zD0_o=N30pGe|tMh93RoC8`4BUobQ^*b%?FeSaMlZQJ z5$s#^GhM$V^)9L$)Fpby>h?yIEghH&kjzL7`H-DO{TIDsaIN zlNL^v<>fnI?0KT8A)uo*KPpDKI@@|+*b0y`h-PpEn(+A$Vt&mHf0XSVEs0%Ol046OnT8i5*U`E9B!?JCnc$ZV--E#ME zKQpVbY7C3Hu*Exayi$%|A4_A_4ocTS>;&KRx^H^6;I#yrx|1p5)zfjSK-h7|{hiX+ z@%5z2J0t1pTn6w9%TB0?&kwoT#oy%8$_dp#DlkF+wzpFOfl;mIBhGRhln>u%Z%f0H z)lZ~!(0w|L1y#jYLLz}8auuh?#`ii(AOfcZu%O^9#149Je=CDNKGE)`7huERwrRN+ z^*0grO2=XB;Fq`gYv*z@XI2Ut*p=31i_L^&xxPl{HOtW{u{i`_i=OdRFuvX%?`mGl z_U1#^&(@ev>gaH~I^Ki!>I|^4(|eW_Y$0Tgp-(P;KE)p7)Nq-yi2}zT);fnf_((^M zdjhRov=(MzGW+0t*rQ>=6R}eI!KfuF=7ewwiPJ%4eNmmCB?Q|qo#*>aS1ZJ-UNnrM 
z9V{=D?o=8K@~r|mD5GLldt)B16qU^5X{XvhtP6{f)>z1vPuwzk{7KtDU-e<>(*ZJE zw;EUGSauX@WQ%>Fv()>v)Kd6)1>m0o_PHo`+eb7pg~`0OVtFfl6a6B4xEp}^T>ke} zU!V`EAeLbV1I3_h)Va0_wZ*NO;4s7v(gBcnp8_zgICA6RL_4NBT*3 zTUE7bpdoDyqh>5MYkW`EM5z*N)(}V`9&*^a9|O|T2<_Mo(}31mmg9{(VYuoauDW_Bc_p7US zlp2E>a`>55B;uCZ4^rlwt{ULvy+PFpRHbWNq^^7D$gb6);mu>9htBpLwD|m|IVw9EmMmH8d@%-6+2;JzaUFu0qmihjq?_<8{5-aEz@f zS`b-ZuGFqFcCO5rAWF&MTNZp)F-r9^38^k6nzEmTcZ}edyVs85F1m9d zzdR=nJuF?vUu_eATesUQ-BAKSv>hcSqC|VJ8EGqx359afb%4P)mbgTEYb-NEIeepR zA5=WuJa(AgG^Bpt3I5?w*aIF3sgLVw^RkW6=11-3$JqgV=(qUCu&2=~a`P2HPcg=K z1CaTawwBcP-4aN#lJEPYo_tsUrWQ+*Tin>1y>`pJ<8?uiY{K{u{J+|qMV}(xWO70>57sJ zq$%1No-*&+;i85PM?>*Q5zBwP;WufNyA6*e%wGY0b(5{g~=2)6WDnEEyUpIqa;c&P0Cqo@F62UBy%$Zy_o zXIIl26c4X~`+(!}lV9A;S8Gn#smHASo15?o(A9J6zn#BOzElD>ur_Vlbns#$;S1NU zXA0?!b|uE8S?!HE}B*2XYl z_Hfd5W>-@@g*AB@->09-_lp1!AJ@0@BfAKx9^lif*`RM$kBG)oCfx#%|1-iYdFy|W$$xW^OiQ;gw%CoJO}p*x+0wE%1QOM|6H$D=!T~M^v&o~@SH9^V7;Wl zda)mA+z^Wt>D4f6ZQpsWL>z(5J%ZC(E|bh{2Q~lstwvJ7F87K5kwnWT$8lbaAzYzi zqID&esix7OyKD2ZY8(M+f#9C<@%hg4e=ZXnB%N^lAxqn^G{f#$M;<#gQ>Nwx-r_b5 zTGs?hj8^q239HE{4bzO9jU|k|Y)@{MMv)M(P`sDJMs zgU9x=V^f8xmwZ&UqZ?lHpZi>~_Y zId|s+*!~$?&~hrk)C`;gh~nn07m?H>0n7Qv$7DJhMl&G%I8+##02%fVP=|;993(w} zbQjHS@V&KFAVv`183hGZMgff!9r+?FjSShd`+{&#AM8}UQp}hqs<2#Tc`^+x26-qDKo|Ns0tDuZ#_O3yM0ul3|AMglR8=v_5}*up@}NY?lx9otux7{oXVhn9dT5w>WPy9 zyF#|H#}NO~61_Yv8j#o)(HM!k5-$)AB-04ouz4g$6Hv6@s#jyqqlNJ4H|C4G-L8rM z`oP)&trRbi_dfiwwZ=G8=va@mTZ64tkWDjzjXOW$01D^b4%&O?7KvX1BZW=Dw2@er z6vo3?2x>k7F>zH-Ph$j`UA+gPV8U2J%?67zx{yRNDvL055QJTu;^iW|f3cu5&;Kvm z+T$y_g!R&oY>opB`cZ_auRs_|!3kKMmq*a|fxRHCt~5=H@9{;|A-ynCk(#(?LRX;&(YErRTx zATUms6G5dN--l_=Sgf~2(lWw#?tsRrtp;kcAuw_#K3ckJ`RzjKaZ00;tuwd$Vo*g@ zQcIJM#5=`Qrs~Z;2mcm!rGDg1@`H0n&}c_cn(h))@rCjW9ghg>eG>%SEED#VhEt}J zug50+QL%eDg+OJ5Ysa_7aIl?(G#9*}w1X|JfjR|tj3-@7w3b2D!A=>dHcU6qM|pw@ z_t3MuqrTCRh*fUdtW7k=nS~&Do(pJH3_c@vaj0R?gm5%@Wu~$bB5;TMRUC3h)eYz? 
zCsVp`H-w&_?0trM{sFsSu%KDnoVcmX9rNG33>TYMP>qWsbs9p(OL&%UoWzH8J=nOdKc#{erZL@r{Xv?g~!JcSZt7$VR+U3oA#fznQ=U#4zO z6L1)xawViTXxPkBzo)>K&RNI_aW$sk^#yp7lLiW$;~sa`hg$aI=9fTi{kH`9 zEf1`#{>!jaJ3ip}>z7}EeazU~;(99pv(D-qlUa&hp_}qph(TpqTz+UCN&kMxzP=z# zSWJPp_IL%ArebQcbQ?KON>cGV7H2XJ>uKsi=W(En2|58NdGe54P6tI~es%sm@1luw z%Lx%R+jkN%d@#!oar{HI-XUvE;YZ5`nBSb&w|Ym;dwx=WwcK1)aaDdnMUHxG^j`Ej z{afl3zX)4q&GVVZm{O|YY?RDKrA*CdW*+8O>WPGioXb~pR!|9<<=R9BAUr( z^%+TX;HE0~PmrXG98TN~R1E#eJ1v$meVPhMoOZlv~Fd_fhqCaP>6 zORsJ-bxeszI*`EH7;VdJ+c31os3ps@V~(xc2M#uz@?$(ORm#kwQpI~+;#5#KLoFvt zwx@wT8MRICLr_dkEI}8%etY`p7iW&GWSz_02v#wgDf|OG>lx3g28{!zKoodVb!z+U zg|K3+Kk6nT*h(=MO=3~`H1#%aj^#eRx`*3;=imfg2O|!mZabnQZ4`#G6=&0U&@5I}AhU&IGc8~4%$xXTZsOG9n z4_ZqB4bfMq)9?OxXA@M4N~H>=&=$i@qCE|^%)cJ!WuRcuZAf)75r=4`Mh>lC!u_@m zXIr|FJ&n>mOz~R36=aZ;?VY>Cn$A3pd3=zx@v*&Z@`uB^?9Ot+WRi$jO3Do}?Hu+fGcz_Pxe+iRLqCOUq@*y51)=iMdYl;J zdZ6L{eSI|}1}|`=A^-s?vrqKDw@K8^S_hq{nmr^vX>mzetVx0EsEG(JQnl1Ok88Im zuz42;2}j|_Mlu6bn2`$(=8L(@M;XrYIa>u1)@MY-lOIBZxkP_+@isW-^@gh3uPBu= zhubE-*5qW$6j7EpaIk@kr<7MKjT<%Vd(~DX3*3b@u4<_btaqEu#3rzU%Oz-zlv|kN{Nqru`A~HlmUFs0tH*3}fAwM%B+l*|a{?jN z@&^A8V=i+DYeUrG&XD)5EdJ6Y((DZh$OuEoKB3NCRU3E%Ul(M15s2S=+NR;gj4NJaOw9lqGRd2g)XM>-gjoXxqsc(%a&$Q*@#Pr z4hyDVXWjtRa#)Hzw-_av%S!`a28U&tu8PP}2H^u7Aoe!f8;Tv=XY-7&ccO z-1wN&6o>aaWrTaTq8@5r<0cQoOK+&Wy)BGc1EjfMxZiKYW`Lca>LJ#DXo^rp0I2UZ07&qY%`6rcjXb4B@<3 zbizLz3#+O{3y`V<+yGiw+ud(1VEc_8##|{R^HHF1smb)D!D;&&>#sG0PP9UbP$#{G zJ7(iE_p~F0XN`^vEK0+pGKpPzjhi787Z@hucFc}9Fpo9Vb*yJkm>4OB1>>s=qq(nm z&D52yUVcA`%lIJZB=L}kE6rdWRG5>M6hk8IS8wM$X}wI<`A$!@z0LYHa&LRloVm8m zIt7lWw&Y-0YpiP+^nT~PN~%@8Kh03H?X=9;bWF7LKF@2`C}gO6Fn_Mb^z18`eE z0cG%CJvUEGsL|b9Pr2pXm+v(PB#+aJd9CJGU}Rn~277NdBaiet`f3kuHt;qL3TOC} ztj)fhXb$JQKySYU&4VBt1TkG^X7DViKIm~qoZp(s(ht+>jBB$+HSs22J1)&)pt3rt zA#c5q3dcRl5vuAFix|*X<;-pL^^1@QBF#oAB68R@+TK&ClD~5aGGiJD_I~I7nTIY+ z-DJu|?0Ix=!l8FtCV6ByAR_zY6))Z5=Q!zhFEDB+9JC1ZWyaVyxJ;6(%3d~;?@xYf zMd{ zST50f182XsN~}vw?W`c-u3&TvA|>YI)h*uIwXkv73#Y_ilk=Xgl3_!{E;PI~1yfyy 
zSp1u;GM8UE?6beW6ynV&UnTBqq}*J^vSWHzb9(zWQ6{nK^>BeyR=#CMe3mHA=3iw;{kZThcA zrJ8qkt2aO3+P+@3nGa8h81J@GGt0t%#WZ(j`%Bq*4in6YVy?}D_KyyhFdet@aw0R2 zL-kG?;BMD;UZktyi_xVlhtuDu%11oC--T07)?Ul(LaGJL^oWkf;wF!ESC>TQ4LMOJEXcKZp^ph0rI z_o+Ql$V;}xpq+;JC*2{vLxnQB9 z$fCe6sZQ!w4mjL=*`PSvjS1&i-qIi3T%Bqfv{i^Wn?*>>t@zbe|B^Y>frHa^WKJO> z6|^_R1dNPLv~%rNNKwW1*^uKLw2Ay^;XGu?LOM%xu)$x47Kq&BCCGc;O zcKfc&H1N!7&dBkL?rbGDZNT?jZMiu+fqF*F)LX(X5Zhu-T=WKhOW-*EDwwqR>(li; zX9kMQ$?54ii*;J}_+gHqUmDEZ^iip4#}t8etz625AvQ;g@r2~aGUR&b^ObbaXPUJ; zW*T8DgOt=5C4Gc>>h0P6Zt$b1^(|rOviLibabFn+ax8)C zKhi2}tO+|xFg3>K8Z^D8HP*6Q+m&IDxClkZf!RxKP{gYRQb{VW&cSTgKA4ZjNH(Xe z6(|qgitA(f-WMkdkBXnR47i zdHRLZVhx=0wGR>hj7QFqFW7q=#JFY3yO#%-`&^s1jIm)QBU-2T`{%B?6D5i~76TP{ zZV(CGQ>6=``udA*-lN7>}LI zy@AzXgmuIWK9F~GH6ED|fdCg4%bHqg89X-pw0Ka8&>I6|r;>vxAJd zMVq7eop6coi_XinEFEu zdpcwGR;>}9C>Dj+ZY-enF?W9J#v2ag?t3VN=m({aZ$Is~^GUr2c@wI&;v}`Ku&TPKNs%ys43t)Fyno1kGduJ6{5MAu>LpU#YxG$Sh# z3TRX30NE*5x^M)1+dqZWVck@|fZ-Gnlb4MebGSO^2Kq%Uel$|rJ%&n3KRP}@Ny&le zF%p^YYRcwOznTWy$UR{`N~;ilcB(Bo0AL4x?(hN9WblCfa6~0wGSUw7Utu2W9?w<) zy&(BlU+9-a`2T%<$p5$XUH|W{7mUE=0Fzr6A$kbRV{x#Di{nb1&j$eiXnL&1$pW=w z?DIQzvsF8PG^%63ak)Q|L?H+onz{RA5vXy7Vy_O-#qwRL3-faVAxq>8D%meE$2OjIvM zssU1k#J&E)V!*$!D}R?{=wR^nKd~l0LgTQV2F)YGl>jB-`n~^;Ur3 z@IX%b8}NnP28>-riA5`H^yxu!$EOf3ak*I)K*MH@zcjVJGEj>>Hx%&Nj+FNpWYzaO zg#ltf5IYD`+E8!&3uv@5J4omc8StxWLj9v(AxeistKKf1-1Hw#kWUOU!;wrtuJ&w4 z>D;$Q?KAs$ffT5f3+g)#`co@UE0a}AelFLExYia48VT~hMnZ2R?YTUfOfLE*vEWV#_kJp_s*4Bv^<1a zcV_HQNnKv)Q`~QF16KfUl2wd7*Eg0$RM{11RP(Lz%Ngp}3Xmo3;R2I%-%{f@ruVXp zSSvy8B~nvntWTGL8Wi$D5fNB9zKzqacAzH>irk#~&S*b20vXxO99J+hUcur*T;C^V zo<@G>#mc`&KSu!RVVxU1uYbSIyn@mlw9)fzF#L^sxuFkgK4p;>?0RTC{%onRFBKmGP{IxnDtqh-Ha?cAA3jY%A^L+)ik6_~N>ps-~!6h3L+~scZ6A;;vbkYFpFL)j>tT z($B45YC#+(yYTU>kY~g`p2S*r7NUgYrTz_GI`@u_5wFRs=vdr%cpua>Xp<9N$|VNo zEC=r%+ewEuw|U)0KguOYr5Xe-K#NlVjj4A}ldJIA?`{Pf={le>pum*_f9=2ft3M++ zkf89@0hnmEuPCtg6+;4gn-&CLVhni{YDY7u5az$PEpJ+ z1T^h}pWMKor_JyG{5Hna?Jt)aFfjiU`wcjD0$`wb2vC&)xCu1%9N+_heFF2s^TGIx 
zpGRT;&#(SxasFpd{QIW^;vH&brV0BN_1>mNL(`U@FV>lu{b~Y$b)iB3jVzqsdb9fv zBa+v9HD;-e$nt4vE1L0KT2(v{=9F~1>rLH@_~p3=AjCke8^AOqeKQR`Yw0g{uebbS zkZu)>v}5dIUL|9ETAXGa0q@Cvxcn`n$8A8r2f3HIw1@#wl|4>Lev zycP@{BL9E?mCy4j;96CigKExDgdsFgUgkC5l{i)FjZe3_ zU35vod}<5^(qcddDd;qy{pMCSfK_141n>mGMbO4GksGgdWU4Jz{9j(VKVckr5awWt zwK*7TeP-<2Dn;UbzDoI z{Qi#eO|e{9$dAE5gVQxYys}Vd3KTViKy{@qQw2UUt(hEFMY#kCRHEY`Us4^HavLJs zUAYU|Yy6cytv!N#9Vk4Sn2y(`g?j0m)lJspdZK|dllypr`n{W~i*`AfZW^)gvCC=X z?7#dfAS>#3xf6Ttkszky!Us5{u>hUIO`!Y9^z9n(Z~6vR+3XX>Jd@O?0JAS!R8isT zpGx}|3$mG!1Fjs%&)2G{83n>}V&qTzUOud}9g_l9_Ac#&7vS&?QC(k#@4UQKcY2=} zNl>?ihT@9JbR`a~gS}Rl2QlO$)Jn1sj97NReA8`I6j)w>&H2w6qmL@?1WkluYmmiGnJz~#iQo?TkNr9TgCG{g@DG^F^flM zN>S5Eq6Tr%Y230a;I^29R^TqyLoyy%SKt}PNeSIF_1`E4LW~F~NT~(g-N*KcB49=_ zMC(a+ms;T~~cdfxj98d#J0&*So+=-}_JcE8gM9?${*o1asV zjaq3Q`)lF;kFVDMi#Otb-WnL`|L2?D_B$@KuHnDEBMWp13m(MQ2dtW-9sg;o|LgA~ zL;{;*Ft)wVKV=q=80`H6*!>^>NOLRT-#TS~JyQSpob77jH#ZD=*8jgX5kK$DuZXr4 zfPLnW#`xi2z+Ht5X)$z&kkcu`AOzU=29@+K4Cr4xU#rPxiti5~%& z$pupIe2^jGztZyrXuEoEaUj_os?1Nu*|P5^Br}{YK!7#bnFPJ2^%+$2TwXRf!lmf7 z6qd?GNq>ZDK@4UHz6-`}hyDKOWcUL{!HA6kQ>2u3KI{HD23i?<=N`pin1HP|AF;3O z2$A4PZB;SL0)Y7xK(8GHJk_R?hIYrL$J~00L9d}Y$Vt{g`98bqnIv`a$BZ1GAqus}NvI4}1>a{++JW17hLnF!Kvg3Z>~N zaJCYg8*Tvybd`&=#szL9dGI2+3w*&T}N2c4J1o?1%H0S}M~Bz9R$h?7iA>wmp- zImo=pD~+w~JiJwVs%C|SEn_FkzH-cC2;p+Cute3i8KnPM?@-vtGs+Czi7$pIAeOO8 z(ivWp4~FXQR6E`_7{3PmDags_WFJY(TH4|lb#pLgUGI@! 
zD2yNDjn-uxRp|IQ`pwVmPq9qzjpslfTQLFT*ON&s!YW?ajnczB;0bks0Qyk27^45h zg=2x&+=7}JMnmf%1@b|U=c;2&IfKpu2iz_P;yNo8)o;%~i#`u7Kic_T@Y+;fIon2CG%Ftf&|*w6^7AhiO>7h!V+Y!$>%rz%jX2JzC>rYftedAA zAe9T_8o}p4?l91mL~mSg6Q`^F+#{RiqX=TA#Vk$)n=$yPjtScjXRSNZ&WY^Qh{ooh z`{qBx+WH6dIFQinZ=Y2<$axL0Q9f`nj!&4z?UZp!Ha^4NAlo-nC^TaSZ)|9^tpFi?Q+{4n+Sn6s5K@W%74Co#fp@WfXW3wR z*ki{*h-5*Y?11e#bAT0p#s)b*Ic=e5!T(t4G;Es}zEm;t`d`8o z?^9gCshm5d(cr^#rKr%;V&tyho^Oy9J-P2><&r^JQfNDT`&GK6YZHmKNa4$&iP9X> zGhx9q!~s|UDv<78;a;HnEOZs>`$pG{pD$!|XG7!L7UHZa+xisEK*e|}0fdN~iXGpxG&W$7{2jwZ#+ZB_= zfixp_Yb(!YfaSd__>TpNr$fhL-rV+@tXrV-)~&`DGIG}7Oplrq=J1N*#7(`fqk((v zxTcl*)!NncE;tea_x((mxPORLP@Vz4&=TM#|D4)&T@S7{2%EvsgwG)Tr@VO-Q(Aj= zNw5C>|0`xl3|Z}~iELW&O~;|fE}9d1!M_VLjg>b*drsW-L;v`$uDFLxVQ~L7?};u` zhfdS__1aa>rga&0`T(_c&kx8@&XoO!3PQ{^)5wJF;xX`AfC>=XHL6(xaplB1N}LXr zEKUb(?u|KXzKtS~w+)l*l;z#w_(tpG-CzSBsg!P+BLF524?yj>GLmnlBzzZ3)T*}U z3m{$xn+ae-B?qWNl^|$Jw1Wcv5RcOXw%|8M&We(npHO1YR1BUn@|p!LPpe*k5OfJEkpYFnki43v9b6Gu&}+7%5;pcB%wZozn{(}lRT_AJ{r5{hy`N`Mzk z-AkPSB==*Eep75^?zIGLdb9Uz=Khh;4?1OfY<(MnaXA4s8GKp*JaV?yXtrD1)d`@Y z@TM4$KqD<<i6Yoq!s27 z5f67jK@BR4P)G-sQ8csOfFc4+8c+tS1U_3G{%w`OfbnYfp|j@*=k}n++X{uYn{OOm zao4beriBSm$UB;s<#TsL;iW=d?c>jte_$Howd943e3#xpok)g5%X1BI5Xdz{1whfF zWKE1V^JS+!!Yorg>9cRshd-ed1gPCe51su0dR+EOVwgj$#MO!3kL#_jRq9*33EVu0Becq-W&<7>DrI{*$nDMo%gt)O~o$?}R zK#7NJU%0K|T3m81A5{G_X!{(g{Pk&~efV4AJ3-~gyStBL{rG$XfqBliyQ5Vj^|DuW zQ*Sg!{6lRK%SU2fW%H?auvz)0Ygau zl!uZK3Z=W2klc8zPm-hNjo{KqNp1HaRF&#}?&!Z@Shhl8pINJFcwdef%0)Em*H!Y} z1gG4n1jF=){q7=Qa7CsEw-nB|J|j2Nq&{;NLA@>dyFZ~De&|r8du*m&pHQ44mfxDocs})br5Om762_iSeJToY?-!_g zcG5ngk!kuXg!&zNMSU&WX9fBi@^Zj!y%_+P6?keaNgoQv<=3LK}Y8<~upRQjEN7ZMPi5ywp&2y(xWBiWGiigbF7T=PDHP2#Gj6bI7nE<+T^ zq-@&tk>_x|NCs)hJSSn6Ks~&hki=vVtQB$p6{nNC;ci=}`tYaA^X2Iy+VxYF(ha3Z zZYfiUyJ&`el7@*Qe(iYq=Tv3-LLeUqF|H*b+rJMDuxWEl)_-ey4y38qckR!$xirPm z7Iy;~a<5!ccbe$Eaybva;Sz_jo&eQTui>fZJcu5KggGYxPZx=-M#^LFJ}dlz*_?KM zeJNem*&+!eE8JAV9ymMu>8R>$5?IH0-Zw*W2bqbqPU{q9Rvo9=%gQZs!DsacKx2kJ zY0fzQyV_lvtzTuPS 
z7Y5C*tJLivj=vmijfz4HxiKIY5#l1dcD!Tyqz*Ttha~~W>P`$naS&+C(p|+HyT{9_ zdck)$AvKo}KV7}C_fkHf=FC3gL7`{OP`s_xPHq(Q;6^u;=g<3iHRc&Q>VDmHoO)?z z(M?x76Oi5$hT{jV%TLL@{KT$sEq~w)#zSW_)!`bL(-1vl&BZ`D{l}c#ah)Q@_}bPl zxB4R+S>0}K_PiQM%O|OVTq?=AS5qc@zfsQSOZWJu10M&nBLT?<;?I9hbs7r(3(4^; zG%q#66986&3HL6Vzd3PMabQpB$kLasXu1S$?lqX8SdO`yu*@e){D?)KdZz0KDY`pV zU_na{v`H;`RoT55udNQt(2`WWRX@eC@_r9t-E|-3qu?NhlY`3SzVh8eZ9k(^8IehX(!j5{M&$Y_C!*A2QUoiNo=g=iUMb!f@2WiKP;j2@vkQNJI_1gY(c!$a zdb4hWXHN(1_&Z}n+RZR!BJ? z0ekPc0kzaVpK5e-Q^hGwe}1?^W`Cd1vZA&36y|K=$Hj6GH2UGK7EUfCxbtXWD-UfX ziNg`r@CN+DipJ80ujkX$unqtG5+_ip``$S)$r%WaM#a?;pNFb`QpK|UZ7 zRWf}{f^x@PzU6jD3Ga~1C1F=l%n&r3$WUNMb`t?+YixN-&9iG}S~faT?r1FEkndq< z<8o_RO5Y+quFp2D1Tq$35jKN}C7O1F&Ef%~Pn%Kmtbu0*KW2=$BDkQLb*JW|fW?TJ zf{QQh`~%F`M5&=NTjI>j#5w|f`)paaE%VCJj`upHoH%p21f-pJbpHeUtC>qk(%#Vd zG~z67W?Dh@W>jj@TgzNAO!n{`bM;j@!m)*$j;n`+BrBCCRGR(ZvImP?1-p+tnTdSRLc6gNde)vJ|2!28eAh9_0hU}RU|}u+sta_=bbCY zYu=j$qBXj0;!7DT$5S&a-krHV>FaFTt0Cstw}v7PN|y`Aq{;?N%Ra3bbFcB+g-i*0 zJ@3=iHb-b`nW573onS)2Me}nJV-JnJE^Hery(|7ObkSp-_=52_Dor=3()ee+k2B3i zhX7qv@cOEpe9K+(-%N$DDB5sBG2>L3TkWb0hxg+ByB8^!9_g^d+oaq+f@exAa?Z;? zH<%^tw#RA$f1tRY$0h|k*=g&{#!|1K!zk;3MJZ|ux3rc`J#knYp@dN|qf8Oof^;@1 z(TnbKjYw~3k}pwA@&{BbM6U!#<%#>anfwYxn@8Ryz5LS&hyGA(zxp|MIaRQiHz|5m zbM`J#5jWMt)Bi}zr5)|lDxpgX`!XRvG+)P6$%qoTOfN8pt^;B0t$u|4SZUd3?r22s zl@H|S^|`dT>4T{M3}c^<^=O{OAr4O5mqvM{D*OBN3v06IAI4X|+Vx}UPlvTtq=D&L z{RSDPT*FMb*`3CUoX!_;`UY7lGlR7qb;@&@D}I=*V_^reyf8YmT`dOeR^%;Sk+KHSrewLJ(vDLbdTY54otJEVcf zlH-j4-|1%WGUUOI`x~a;geX^aAv53o*N7dPwv}7im=oR=92`jA4<$qsb^6MrM!aYCZz~2rBNyI`3m)>388b)2&zQE zThgE^QrMw$%dNBDV>sz)&SQDRE+HUZ+_smf$@avOm*oALA-8j=-)`2gO>(1UjdCQ! zuB*b4KRaYeT~MyKb+b##j%_~J(pnxrwI?GMi3qA_JxibcjD~IiJ7*NTfd24gYnR1d ztjPZ8n>HbItOS5XKf>MJ==aP#xq#d+u>Y;m@vAcIvC3h?dpsTZ)YjmsA^gMBfoyPo}ME?Uq@_ZgjD@ z_dg)$4McH%#&HKZrIXK_mvbQPOv(6y6F01sWJqln1@0~+l?~Zx%Nq{S+R=qv&xk-B zvQ%PtE9aX{cS?gz&9{t3cI&>j6qeg5H(9;M!6v>>kk>;t=;6Y}^gAOiAz?lb-BnW! 
z)arTrE-v1&_C4Of60G^Z*n97wrn`1+6dNiah#^j=j67)ns8bfwo&B3)_-NUwo!Mfao6yT93c=KOi)oSDopWBiq@b@z4M*L}fU z@|<;iAVMiPtFq*qj?2pU%W~6-?vQW$J2Gh0>6q|)=_08YTHPBl&F)3j{#q?U`pJ%R z%FM09Zq9~sf5_0C~b%O71#K}@F zB2v^kifwSELa~ZARN|}|XPpP?Kx>+2W_6-+XpHQA?BgLY(dl|8TG*)IjYa0V4+*Z$ z)sC)r_U-qOEnsa;(*@2TkMZVisL=sT8idM%=SKV@P%zW z8#Qa4BD%J{GUCpe7AbLXvuO<4tq-eC~or`u%fBN-j`|j8Q9@y zG`*TLarYd1p{KYBYglXg(rw%`;*N~S8C;=ZqPfp)L^i*M{SK}pLM(Ow6R^Lp=pKG) zgW?zHP@?n1O!`MXK~b7L`{Bfq=VkP6c&vTb(>k>zc8KhOJ~g9@tF51B5Nook zLyEru;*I~wJAyRdLYL9<7rTly&1W0cc$Qq(dK+8qC*l5F)%p5}yKXHx4Xg_1QuO>lBG^3s=WKlK#LGGsOWVHz!rUus-Yvb8nsIq7!-Rq9w0;h$2 zMXHrPU5G0x&K*4^c>GG;^L$>!($4hSp=aPuIA$sqqc~*A+9t@kjb{&U`1xSRdRa;3 z#Z`JuPPp+5O`HzR@R7C4p0v?CtZPrbYy@TVf*z_$rgu!PuHoxno*R4VnT(E*_<3>v zBI3S?U`{60anU;6{9~iDWf99{mg1Eh1F7AgOO!iGW@|V-IjuPRybf$-U?F79t5&?i zu9+Ii8Me@dB0Bi|LknCJf*PB;@uT7B#dz8whiF zaBiQJhbnTi*KOtH;@G;E$TZ8*6^V#fdZ3-XCdJyNkV&3jG54C{V(9a8;$} z{r#AU&>J$Wvz_iv=g2(0KP?6VdDdFHvfQ|lYxnhwL&7^-x0Se;<%^V!H#>HZrq)x)hfF)|CFe_V0GM)Uv9L@9~ML}EYBRk zER4;Alq@btHi9weZPQc7Me4YX-gut<>hhtn>%7Z{w#ed{Hd${O6OJU*j4ijMxi8)@KxQip@G-C@jueSz z%L0S2l%`KQWn&@`x8*`(cg_SAJP zewTxQ^t-cg6IpQe6y4$}=WxBRCq+NKaHer|i8eJt_thh)_h z-^pCm!tOBOF~{CXOm4>PkMCI zfBE7D5J_sch}&0otQICDn}k&=`H$k>hIb+^~e+g#cThr+My+`6Aq?3TewN9iFRRH$wVe0Dg8y~#?Om^5XW8BUJ_pQDZw+P8= zh!4VSie|~2iw{nzFH*V5=~Q(@xX#3|izUBWd_Jfwo*=;K4=iXV@l$?q^0gx`U);Z7 zGJC$WrP+;kfyw!{@$4b~ME^F~QLG52^cPu#h8eYcx0bSlFQc#A4%FZRvP2^)U1Zl zlJp+Bstk!zT;Hl z6FF|=WP6)0PXgnBoEAaTg%>r$qO_NZpX|_@; z6EjH;7bQtuHD$i!TKHI0Fs!30X>Ck+rhfLb!BK5qtN=I0s^yNwP4-#+(&l$Yj?z0Z zuZcU$?xFfA_8us<%pb8=oJD>+^Rncf!i$~`Jo#GYJbbeUb}q&Odq*NAD~6G`qEF21 z@3$OvrO(Zl4=gTNd>)u6&{1J%+)<-8OC>qusu=TJ?QDc(>nA7nrAKd>(wI)r%HPp7 zMy_!Q71du(icWWWt3iGI>aZ}ohCg#hux6*fH{wHh&S2#Xl_NhkK_*jw;m~xUuF~K4Yw#hSB&V z^`p$owA*W7aE96w>VnnY@Mm6=7OUyv1zd%~okfJB!+bSPaIM)IK>AQUej$yI zE&Ah<|9wUDbHx-fIcebH%NF+@=J4H(J<&F7W$k05xXXUc#tGzF%uizps>wH4E+I`? 
z>}$-u^DO0e2(&(XdOK&{8N~Fpg9Eq?7bO48z;>C$=4ZD=(^O5t=2dq-by&0A<7Hxz zbKZH``gP%6VaM0J^*rL!X&hgp!+o>8zfp6+ST(A>-U0zJ%bXa7ABgODe#7rLvnn^+ zx2cz)!3l)bTd3V#GrWwx#MIsnLRH$)#DBW`wXQwubT>yF$gp<^En9w3T$LT}Xny9m ztti@0144d!Uz==?EnFHsj9Y$ONj%zuxot?Wzo#zFBa7}cq{eFN>vAw%m~>{rC*<>#=VQ*fV?Uq!Fz$;;36A9M z9TTxwaFaVK$t@7{f$_pE5f#@T5BLt%B?g%t6h%0VSLYfg`Q`zUNFg2ltv%(TscC)( z3uUI@SSp8@)EDfrbi&e4qsuRDPcKh2L1yunJ0g>BTEw5`GJD5)$L^qqSy4eK<3-WA zv!{gGf?ku?2i!kv_v!KL7x#0oJ`McYBsN}ce>@O~2cdpd=@F+!6>?-^l(PVpo^MBs z)2mXuzYtYCnY6*Z-__k}Nwt99#GDK7nOKw{By>iXmP#!IkFgA&#nTED8(yk$JOR#IQItaq0+eMFPGTK;&=;O7umFd@zF#l%7h zDHwC=6dg7=Sff4Z2d~zw*(v7~_$juFVqTK$d8fL1SlQ&kcD6xfNe?);(jtOz0!Stp zK`YV1H#XMBaJ@a3+7HP!Bub$8VKx#d4tY0*TIJvqE5=^gJPWo|q!Hx#VhFpY*;aqd8+`}UUl zZ3dEfE-Dofn37&`elrYwNyXOrun7{>(y+rL(Q1boD;dwkkn2<2V=@&b-)LnX0<3dy)nXaJ`3O5UFEThy z;ggAh1k}hwRtSRqlq*p7=4(*M#4rm8jnJrmeAZok0YHNM!VH_Fhc#NHC*CZ z-`x011PhJ|pIpQD+D)YHrL$`HN~k$6L&k_vf}uPmQS8*m90nC_L*1Z@h>G%)vaiaDk)OzgVjhh)wNKx$0Ep^JEOAa z_A?G%cPcoH$OXB|99|slj9pzJW+GRYmEcr21RYHlzvt?&co%LAD;j1lGQ2g*{2h&R zS~UwMkCX`JJiTne=3pSnzSWT}5NBT*YWHc`unM7?dlBY0F#j&w&ZbQBZuQjW8ThR= z-4-Ruu;pfto>dO^-f*$VArU*lYVq$mzOTQ)XGF*@*C5+xG^>5slz!?};l!eu?IcQG z7a@&aL7CsTEmLyey!EXPlGQN{+|0eIx?lJNHHJ7@ae6H!Ud~{pbjG71gH|6+uRNx` zHFU9woezg>MGfr~9lNCOBq6rkd%Jo1316g0RFX!-+OwhK`ghK(G_&V^HG@95+$5d0i@-C3-*SfU&2X>kdVTeI<;g`EBv z-jJ;+<`Yk47O_>G!4(Ec(~LQ*_SJM`^=ZJ?XKt2cm&JFcaUq#{y0fG+!rM}^>?f&? zA3sWG##|tyLyc!w3TycCZT9pJ;kykl6g?(Kwaji~459M6BfhJ2! z6MAa)FKi8chzFW9`LbNBmLkV>bGU+=Ad^NM<6mm&r_)u>t**94;OmJ$Z|S7Vm?jHL z<6^s;!x<(#z943$F&A+$u(qur4Y3_#1WpPWVh@ z&@IqFgtZiDEH@iJPKfl`Q4Mu&S{=Mva(# zWg%;mxNm=I&0JE%CdkJtyfQAbYWdcKlSnXG$_d?W-^J^(Q1f z75R$ROoHU!<=Dd2glT+vCFOn9L|(@4(9M17q`S?(#K+96EM#Hvb(ii|JdK6@j*lU? 
z5MBP-?Myx)zwvt(ms-=3`c#uRGZ|d@1GQ63TECt}{9J6m?^qkg&$F1nz zkt!6i4saBn3?Qh)-;mE2kh9BRu>YD0C_k1l=?i5dSqGNZHb?Q&{ z71lcYld!PO2G93vI%T##iW(1HqGOR7Eu6UPleQ#plI`(_^rSwyfIh4>wMuDMCMZs9x4iD{@t23vs;}4b#H};5YQur+?l@!+V8;Z9Z zalT~%NlE_x>!YW#UQu5=d+*+rc3|X{V0L*#rZ)F2508WuW^&+ zB0E8)d+PmZd*_cF$3|RK_ZwO5E{~*eaH(qHcRo0yrfrzr1?KEWxJR^ADYoXixps+9 zZgo78^_Wf>7-rFKFF0)*adYXhw4%G6CExIuyHnkexSKXwaH4BZ(Q^rFFX@5=9__;g z>HGV{x{dT!Fx`zV^ARj{!KS=0;nl#J`k1B%epVmiLa>#+VuliU0UJ`tiSLSZqP zC}rmds#S6L6Wa7q?hcRr7c{@t>2!yEzN7`E@%!Oo{MS_dGTa+O;rU+^$82&+D` z%A*=lKM`)Yzkc)st~WO()XG4XBeyC4OSjiUKE^=B_r}<@M}kQ#ekLM@F_RC<@|e0~ zj=FdE!)ykwSAF5N4z<^Q$*KO;TH1NDo zn7XE&y`;%0U@)(Ae*Q^(1HQ)9%W~iS^#FQ$Jx4A!Lf#O4wmD`g=#GAEUbB3eCKDY& zdLXN>ynk@rN5S6Hh@NZMJ?ps&o!4%@xCu+yQl{@MZ+Wc;Tet0#)^E+Z&PTn-4q8@1IR-3F=Ils^8*Ge3|Q}WY6z|+oBs=Ts*QMR)$#TvOetomm7U9s2uF@ATM zxuT43Pi}g=$I(frKq>=S)bOH)WA3&$zo9nLPAl@uR;zi)dJv=wORv0dN>et7&@RiK z4Yd5OXP;o)hqmee9MBnYXIHoDZl0aeRQOiMxs3{JY7DBm__@uvPN^4*k3pyU&El)$ zls@EreY@idoci>3o;{<4If+MhliKUIqp6A!~ zXph8L^07n}6ykabO=Y^CsZ-N)GTbOSl&qH#nl94F2ahNfm^8j#nMxQbFwvyVG;50G zFa2(!hm6UcZW`#l0k0@0PBvHc?RF9S%lSQD57d+@_%)q1Qfuue4#dH|Mi5e%%@mtQ zb|VYBp-tP>mJ;QaO>9P2Q^+2tolp6aMsJ{fG3&G`zxG!8PZ|8?eH5;4y#I2>0jKOz z#)=h@zM%Myd&+`CKY@PCZl&CA*+O;w)A_^ibDO0F8_wO16os00$uS;$le3>=bho9h zxukAX+#M72RHOGXnhLfrOh~0gsf+=E^*Q{gYud4!u=b=Ti;HmLcD=B>2XQ(AHFcit!~(A*!K$Mm0V zBnjE{l@042CwbFeg4GSJ*21ijH^cYv??t@c7xWXFVh3ubPER`W=S*9DX0i87Z9xTX zdT(BLGvt=`Q79|i)Bj$t3@2`X&fe3$MNNcmU90A7Wapd4D(`zqW0YkD^#*p`Ck8j{ zy;LLJCf4$+aNW~UDZK&f#aXikE5vSMpJ`TMqp8*M=SOx@?)lgMB|5E0YswkPVUtp6 z2daU=jME3TRL???+1ctpHbP3&?rO9OU87oi1Qj|ar$zehA52Y86XrvZCx(@bj=qrn zEq<*rr6<-1hk2^dkJyD}$>9U)x{CF~)8=WSULR!4TB0onK5qZuR*qe}6L;(@o$rwL z$W?D%LU+f3!R=0ggr7d#NV+ddb1Gy%m6`+Nw)xMh?vG*_^2$mZ^P0yT*ccCeaAW8n zhl0bAAx3HR?2-4m(OoO~@Jb=VYBXFz&|l(()WtZjn`X^TJ}w_E=5^A%)~}FlXPU}C z*k{m@m^v&{)g}sh5Zrgh4i75)4r|g0hvIX~{)b8}hd%Y^4{q{TY{zI$Q3snC3sjI8e@JFCegBlzx!?+_z9B^lX6&j0^L z|8H2M>yj(DT=mp@JzEPXuG&h_t8n*C^#B!-~y&YeV6{8aIEq ztiiuO5n>0{l9KhQ 
zr3j1F!U4XRb4F$3VI-}@lGN}XC3~U_$#M!FP2KIw%`m!0G0la%b!j)d)N{vC610fG zCL2P;+}ABx#cbowu!w#or(z-_d%;^(O~olA3o~REYmjk41~kcM7(Lka0F6@E8lS_tlZqAB zcyge6dKt%Dj*&g2G^jvC7}~EV6rwiidxjsGfQD}kDM6i&7j}m&WY*#v21MW-B+G=7 zhA@zIothh5?=@}rjYTpqd(fRF&i-oN=|&H1X^)UuUUoNF z=+0Dv*HOW4rVCt1u<`qKB{k_va=0z=mo;=!t7weil$8lJWA`zi>q_soJFQ&vj*QIm zctW2>*StTowckbgz>gJ4A|!JNWrgzrhu(!Q{pEGqg_Frl8-i)O-TN8NK~8-}Dn+fg zo+f*tnDGsuhBPZ$t|d8B-BgR7`1Q`anWjg`+Cz~j{$CytNdV0UBvPok#WxUUa_BuW zvV;&!T$h7%BxHdnQO2vBG}Tbevr2x0WWe)fNlVu@H#nS5a#AyW0JhCWV971Mzd$wx z!9M5_`L`gI^=kD7ZKdy$`J zO8m87PII7L&X@i9mm{PZk8>w4&BxM^k+nZt{qaqM`yFEmt834nOS?!HrknoWXs3G> z;Fwr;jHD~aPEtSEZ#+gOC&Db@n8mMK)L`D8U`7J1pEEjqC_&mUd=T;k*|Rh3_%M=U zCdyZNY$1^sMF9A7?&QUJM$$90jB30w#+1E?HLo~lc zMV=%o!N?7HQf$$F(U+O*mBR62&cFLXOWK!T`*B zI%N)CjkeAE?_Mat^ErR-1#KI6wM%it|BwE_R$Q?QCmx$=F}X!X76F{ZKN~g;qPni6 zKN4{%E{f3alcp-Mpd-1f?K0$hQx<(>FI=^fjVw+0@6w7fgOzWO_`72geLch0nKTJD zV>{D&l3O9Muno%P!2s5=k92lEUFJ#8b2d0`NUgY&y=c1gN0J85g1ZdK{gsLR*BAFx zF(+d88`Nr+nJZk^aEN&$+r*pDvC=iMN|V;Yn)W6^9c$^`bya1&5JPEDISrGXMWZl3R*i`s@YG9cS@4 z!xZfbC3~^U^;cBEBK=jIhoio3MXIo!BukU|t8yd@`J(CeuU#|a_TF2cr&HcFta82_N1~ep!DPa1 zR8#7Pu^pj0mmq2JlE3Ca3tDV4)==0*=?WPzxo|0sT zjf*TzOzNt)&CV{A#&AmAX0oh%w^%Q`X^fAq#;`M0FT>Qv4?G&)NLK^+eAGROHqRok zH2nzM_ue)Pgov8O1`w8dsTiV1Avad?I8zkeCZFWROm&(F;TIcDCL^ko;R9TVi5#E7 zD}p|+m`XR&9?JfbxlkL};143orpzwHl$>mPHDSBI$a>}XTR2UYz5e|c59n$l4)$|R zZ9ro70xr7OP`D(Yxh}7C)teNFQg3v9vA%i0cfzT&nrPe8lS!x$CysXbEZl?^Z&Wn| ztJW)YR$1kau4S=1E+z2HMK#fo{hShB;a!(^r>p7tuSh;7#K?-Y#!yb6IDOhuD>y3D ztE|_%>0IoIjR)Zlj%92ucZJGI2H!Ck6W*nc+0M$Wyg_+S7=?5vh$RP4?OPa@y{#c; zsuDXKur}jqKlYB1&50I<7-dP4LR?^WF(g;5D!7jqJ{X7%t?0Z5s#&}u4AugxRj73pbN2&!+q}JUOnf5F{!h8a(Y#+ zCQ=KfXXY~IRYsb+ya`61;p~0(potPr=9AMe9sf!y)CbN-(T(OzH=PLi$5f@8pD|B1 zbKP~w9a<@qF=mw7+p^^K&$Zng1B7r6X^1-)Y3lMIV3c|aIzdWF>AoRD>FqzpYjC{_J)dS8 zwJgrQcM&2c`Ny(bV~nv{C#Gfu(V6y@^&K9o=b>wp6(PdI4+Oq%2PV5V%Zsfw6laJZ zRo-It?zlBY*%fWNqdy=9}d=Nw|TI`p|dM7$9JwB(klCW;LSg5}z4 z6!d-y$g0AU0XbH;&cVS}jnbI*IKKTsPZ2~OigF$4pjBd{t=j2v1U#Iod*9T(&k?It 
z%lWK9VE&H>o6j@_!J6uUJgAfD%Kzg`9*Ue;`+2RG@RQTX!h+~lj2i8UYnH|HB!8Kz zJX1Iv%4%0eWMH=f=0HXNG0rP35G5f9O#*;U6S9?Wpn>ZnTXr!Gia5& zbIIN)m=qrU$u37V(cEUBAcA9n(a5u#ME^VIO>ab93V!*2#bSd^a?K$6QE863(`-)p z$NROPZ9AqIiT3L>gmI4%b>LbPDn`Ciw&zei#Lvgxqd! ztj!nN2c1IfRqw91nCvZ8*st$RgYkPI8OjsyETsTf=(*Sd-3@AUSince>6USsFz-Sn zNP^0ViFW1R48g>EOZ;gAC8#Q!Q=9NjoWXN2>99MIu_~l{WdaPFM~|58ZY|q`8Fs~h ziDUSkMrJ;kF^n^4lD|^s1Xywvo)$W1jf|IME3KHhug}qZ3YMeLBkjS zI73_0bW@v1P=;?!H!b%2qtuGjGgahNCD+CzIZwluX4BK5PP-y6b553Irps0%={Mez7kBuw1}y?=E;Cu; zyt<8}W4PiO^X}zgd_jePdwm-J)r0M3S?n{L)4t55a{m%mrRLp?|NGhJ+Ps1yOX9hc zVcg$W9>NjEuq&_VBi#@yYxYA!k+x`svAy?azPor%x@wt9V`iibOJjV;D@jlzeq%B9eO8FwZfNXbT&p~t>-ds^RCkQ1B(ufy{k`~%L1P*Ej~XuBi9^Q#tr9VXUzm#Wdi<{=-G?rdIQd$w3tJ3&cs}1B+}#oZTfQ(WdUq$rXAN& zkoR+cr_+by_=ih(1lK9fdKuMb$?ig1HQrsn06%v!IX~^^CaFbyE{g$@qvg38x*Z7) zfu6jh_bD>662jj-LvfK`Wy=O6(749AU|KHQ{tr(y2In-_ZtYIW?v^#>6jRxFS++H{ zz7vg;EG~eswA}#B@H{1O)?rmOd-u@J1>9>izhULAP+VOzYFm9G=2SpuVHWBd1*f*c z>RW9?D^Lmx#@cwYvP7mZvgD?ODc5Y>A5p8^cl4oXhR#oY_}HKL;Zdh)gna80xm2Hn zoo=TBSLOgyEbHSD7ZfzPz5Kb`ZZ(IzG$X5*4L!}@WB?`uUksYlfnc6ffu)6p|FvAF zW{xx`ThT4Ke`gq}>F#jbjA*#mprq#QTC57)dbc5MR_e@NL=3agqcAGj2q`}*$Nl!x zTt--i$ozG+^K`pA{nO`RKD)iC8EFrH%!OAB=sT&x-3Z7Wb+1yJgriD=2fL!Tkg8tp zD1$P3lTZNQE;uYStb#ziW06)l!aVEi8M?PR?)&Om$Y66PDVRP3qDjo&GsBA3dAdbL zL)VMtoh*4xp1_qWZQX{RoYS;B5n89Tr3p1$1g)60j@M7;b>#ETKM=xu7I4qZ;1>ss+(kT> zN>2ney>FJs>mAXn+)#Os>mGw>1UG?`O$2LSkzEZD0Rk%DG4LxrclR*y6GRAT+ALX-yF7qegEXp4YP8&0&7f@d+5*Z+^5kkU>YG`=uYZp84>yAnpNWCQJeQ+yF6Nz*=mKS zY(#OWd-eGItUak@G!P=O?rCLZ_5N1e)NCq-uPcUmxJa%ujq#kbqA&L zZq^EIBd?n*Q7J0JG;GNdApUc8K~KFtXB%?t6~49 z`53n@G|(Rv;7#9V{!?dq_tbZ1BGxvQv2Al?T@bfC{L@MVVVLKgb24wir%M!BbtpQM&^zoR54N-&4A`y{0-jh5ymcja zn!sM+Fpb(4zIML;5wLTSNbQ_MUSmqZO!T$1k}Clmhgr_uql9}`xEn2(9i+kVR=-() zq=fdq6kUWHsK0h=iMdzLTd3GCQn&4ly;T5qx=MAkO#6O7{5Uws}okV5^qj zQu0PRUoouBH|`B#SeG2Mv7KaYbKi$MQn2@;gqTc+SLK@9dds_}N$srTdmE=_>YQ`G z^kW$Uj_5xqbT0QDv#^iieOKH(~O>YErw`}gT)mXt3y zy}jwzz$x=q=9eDf(h{hlrzhI+=`^~aB&p+gF=D#My$7Q4ecs!W@ophH#6rl1PcOBx 
zxhU*B2Oj0>r6TS7`T5BFE%RN&&*J(SBeUyCeGtCU;maJw)wu?Q5?a3nd0;T9m8IN z!Z(V?zk_tEt|H|lEzmz{=l$YR^(#$9qSivZqV&f?eY0Av@_a#N&*Sb;IHSIQv~Wt{ zn%ss}g$%9sS1a96K+WSJP!1#PX0~1#@dis{SXmJ(qoK`Y(*`*b7?T~>t()weUpQ%I z$xFeGS6P92z6pL*l9*JdT$ZQ)ZEB>gCE#syd5fNs;jgs22w`CVbtK-No^xu(r`MtPs@--4yXWCmNy7VqbAH9TAee?h9XdtC%txj$ z+O;d4Eml8_1-3G(00+_BU53yTUib4qX}rMX{(MlZheXbc0#Y3wGC0;O;0>myYivdL z`T46W)27pP_bPK&U%J-#hi)m3CA>L1L1``9d z*a3$oc+$sB`V=cM!x*(sX~j*~k?_DDV9<0UDN*EEg0l&-A5&?ryIx7$th;YvCqrEC z%`~W{7lnuvA=Iyb5199*6bSA($iwk`Ur1+bG^un}$gcS6hRQ>d7bCcP1zxZuF6Ch^ zg}6wsd9tnj`h68H40an2LoqtnN}W&CCWZe;ePEuX&S107K``#5(i92JM19jhs5!-B zps6%qt>k3cpbN*S38SsIq_86EP<&*~Gp8ljy1)Xjy7DKqEoe|QA_V3v+o&9GgiV~j z1d&hA<7dz+(6^$I-G5FW6goV4>`?oh7O46JBU8@@WvE?FL*1BMwqdN~hhpxoWQ@eX z^D%XJ#$MQW*Qto^Rne<3{wuI+x*L0SW$V<;v%g`cDybH*;PJ~vV#)vP zq$+D0T6KBQKf-?KCD2YyvC0IdoQRoyi$gn=W$&I%!@W-%!H6JUul-`jgqv|2$~!dP zKmFzupy=%959KZ!V7N-~-><~#7r|5lw->8cws=qTCiiP^DOHSKdkEhFuQEVR&Bo+q zlxoY{;%sz2nqtn8d#a1srPL!{pvIfH%cE2JHmF)#Aiom(q_j3)2kYLGyUkMEG3)`x z^Bl*wtU0tng>1Iu4Ah|=4R||{gw<|P&M$t`I|L4O88}o51nxiO_TZO^J_G!hEq~WP zr%`?Dwfpv_V#L;~(kma@|8ZRD2^bYa?=hs;xCE=uFXt8b0THCqlV6)}kO|i%xaTl= zf%rDlpotNTD!eK0De#cbCLA=z&;ju>2ZaC6|ZlWB{ts5S?no+g_}iv!V7392mb!` zGv-wqfOH!JsN0-3LC$wKb|8`ZMDkKaHK!5Q#+LL}&Y8|PLD7#O&^t=7ENcZw0MT;x zs?VCo@sNO6+A6p182aJ+cVhcl3jq1(@koU$rbybhxl{jjT!!L=Y|6tI`{B0TTO@^M z_!Hl@+!sGAxOA$uE0}$3ktm!Bnl9iN)EH!zL*|GKDYgh0(pj2>@GSDb!HNe_keKaBWbhMUv02y9bee0 z19=oU=G2|)8r#)-s{fcpi{cKyrf|O5wHx$ZyYbyyC1E{;vM~;YsF-YFLm%P>3E^PR z8kVsOU=JY}(TAR(;8@iyjG}1nHPmrN7$`p#!dK&6Ekd*7Fs@w=ouV=*k$@_sV6KCW z_HBg%?=c1eO{u1f)t!_naes;bWi+*#3^4){@q76Yuat;?s&?QCrnYV1A_o@PFL=*k19 z*AG3W!Dgv)ve7>#?^Hyg5tB|R~g4+-A z&ZnurFLe$?IQ7KQ2ZvsY&`j68#h?(!h%l6~;IP(4@mXZxBXvTIZ|r7-ua@X(Rd)!U&Rz zL+TdAk6Q_)Qv52yhLua}KGLbB{pu^&+sB=5{0#)K4D5-Xx{%FG94IA$1rqx!V$XyQ zan*?jW^^g;_2y$W-_*PoN*mHpZ^Kd!bG>F$a$#f6kN%1{+c$~X5p zw5uk%w9Z4YDVWC^w`}(HVh-lUb`xSUTjz=zJ1s8$hff8|0nx(0{N+;%;I^eo*8v)udo? 
z2D|pbHSEQslACp)beeH084#9;Q9NLGy5F6bx>1LpJKT-d9UGXQ#Lr=xBRTE46vKnP z(Y*I43b`RO@hQvY`IrnILxiwGK~rvPn9O^DO8fFN0om1tuAFdPqLI-+xiSTNHvyk@ zvYeA8Hs&o{V*YFSxd`p4t~iQ9?R%|VQ@Lo6_vQX@Rhgd~%=#&OZR5Mu^3Id_so~Mx zf_1n2+1MCOSD%gVy|+r1KDg;S>sHMN+lw2f9H0v4J+hY~AFmbXrm{xpPW6~(h)XHQ zwjKplrxb1AxFFcbltdC@A_f`JoN?F-?72r|o`6a-z`hXY+!UI<{eJ-!Zs+((Y<{m0 zE8tJcmHyNS;H1NpVl{7>Dv}+VOa+H(T?)!B0^3!_66l!U4FCiz0N3~r@BrWu$hvO* zl~GlpX0a;MJ(xSrT)JdPZS<$L$+i~0(&E5eWr^esw?1v?>}5IY;$6Tt08jx>#NTM* z8%*yEI3H%A`C|?~Q~nP7P(JN5qh;M{KD!$YXYD!@P|HIu%VW=`>_D9q3wt-e^j!JB z-HUW&{TJEbc4p@5pY+100V|&|$0iqbn}^+g6=zBYVj5cd2k-sa{F^ ziIHgAIJ@nf=u*6aE*~Z(@Alc;<}up-o`_kDRL9BSIm$>0^`qRW)VJ~gx@+|}5CO>n zINJYxNDQDyXKVGJwVo6+pTddlbk_{}?uiZScJ8;Uxw?j_R+{>4RBya5=RC}30~>e$ z@5#3<==&zS@$#Pp?4s{y|JkupBCgJ@qxi5yc+0+YsZ2VG31tNkDrusB%~OnA^HDj? zKM8HH@#yHb7$qhldADe&N7Wv;Z82K(GV*X_bDwCAceI)E7XfIL?7u-V0t8TGqOyNV z^`~Yc!>ydU!pxg%o*@p5+OQ=%YEU6{&n0%&svR%ZmBpI;!&IYUY(j zKRCo)1Tdz5KrshhM_}od8T`?mUPHFdP@ZP)`d~ka>hGhSHTLqUySW?Hhl1D*WJJhC zs31VQL@WL+pwj@b#w-3myE82v$6cyh-oMy}d074FLbS?>;_%Vcml5tu(yWySoY=J# zM$|OMg3b?v{a+;pNS*_1rZiynnqa)aAVX6ueSqUXmj2Dh=J7dTJmhL&)%E@uacP-j<+E)UzHM0fV7O{uc1R0^RlHymIVEq40?4tH= zDuO+8`hy+fQLmLk@khs&1*}RaG|TelzA;7;i2EL5@OoL)fR`Y20B7U#UG%@niyLX* zxc}_i>e)6r9N&;NLJ`Vi)W=Yp4WhnBszR-psT}E*z>V!GN-S6&fJr#^pZkxI0&zaOM)xNidda1B#qnC1Q#k-!^lv3<1+cv|iN99A(HOhZ zX^sh4ZJ~(t(Na_LlVD&MC(M`SFZ=m8%i6L0&rg4wyiMrMRlhv%v4MSUJPNQ~mz2kB z$V*v#u)c2AP#(^Hh87EL2VkZktZlFPIqx>BvabF}#NtO|^Bd>~Ewi`VC#p%G(x$&nX|y%xo(U+*7Z%?sMGNJw0<8 z#sIr1i8=<>p!rJNA)$UMr^?2U z)Nb924Y6$kmX!L150P%+)%>z+x zZ`Sv+c~7kO+eKG!bDchr-}|dstiHb>BYIyJ{%le_jL1CokmgLj)|CB>aY{Es%NUGu z`bo0Xfv!a9shL5NZq}!`x9&>)WW>8GZ8WR4st9!^+-w!7-Zqg01vyyXJB^T7D{?UD zs1%eDzj<%ha}I;K_jbHm`5$ZjPI4PE$j!Pv*ry=A8f_>PedL3<+q0c$2C&D(9rflI zrRE%fb?KsAX|NY5x${PGAqWY#B|(oGiEH{|J`vA1T22@%Kh@FS~kwh@$sK^LR8|bFo0Z@cRFkBS5gj*ac zMu9Wikb%O6x$ewNGjG7>TMXt)wE+ljtm|hJ_9~99xyq~Fua^MW`j_ml{sQg3O*egc z_Kzxon!;YG?x+66$Fsm`XyT2L3KNy{2CUnIW3bK&acwxz>CX@n2J%Us*3fXN4VU?AS9HZ$2%m{WwY 
z3}zaN6oxcqhOEE)tRBNrJ{fR*hk2f9g2auQ_qErT`E z?=5cwV455XL3_FkTmSm4Zt;xj+Rt|nmD(RX_GVYMg(HP6k-a$cwgg5g3Gv}@O^a>jM*DX`#O!sf%Obr9b$=rPzDWxU{tm!=(%@at0;l$+p%zg88#KHz0NQA=?0$OSLJ>nMbo0SIOi6- zW?c9IlYl-t9-3p@VWPnSWyuF6MU2oVH#TI4l436lDu^^A`atz=rfnNI`Ah3IwO_)} z-hi5)wM~z9pVPm&T_C0YWF^tPK>G$ClUtpbC@iiO8jKcahqQU2$d&RI4|Hmi(B%Os z5Ph9`$s4q#8ost2N||TbcA>}AQub-f4Yc*9au%l#ZES^Ufc_MF0x*lbJ}6L_U-uy> zGQJM<(AcV5BgKnHN(LE|3CuMdz2kDLqg$0y(A5F=*q4&_**J;VqRl1)Mk~aYxbPY+ zA+ucOhfk5Mkx0Eq+d0REMh;g`3N{oO!iPI=Ht*&58_r!KZL*M+Ou5Qk;_iftzaRa90jM;ofXFsBF$9`N3 zNJi=rmv z+xYMZt+;D|C8T8P-062BsbhQ;g|%}#il}8fr_ZJz-XNAwyCY?2Ye&xFJUaXf!aG>} z_^uUe5_#{be+G0|7LL2}w?mtu_scth+&^9Q)xSJSx!n#%_DjnHve@psvdE3N``l_2 zp4AsuTxlU;;5)WwHD`nrYPrpVK5oQ*&|`jZq`3;)GIDK8MWK^HT9m>tNJgzbX6J9N ztWY#CBwqt{Bhket=Hj;r1;#J|xgN!^6k~5!*l@w-@kPfn&y>1=r`I-6yUV)5ootZm zZoIdqHHST)(Fac0ch9#S*~Wy^k{h#zEgeP=RNzRv+u-i|?_z=vRoAsC1^K@6ILD@m z#9W;Yt)C(&2kWxzwFa@CWjx_DB5AITgMRQXo8=xj!@LNBmipu@O#0!~^l+UiD@yFK znc=J~6%WY~EId#D&5?uLX_dQh%qWSIjo&@FeNXlvUK=gROjMHg;mK@bam#WV>efq3 zfM~qS)zd31GwFbDCCCMORsn0{{>{~YC=edlTBq$rKbq8&7hn6wjFNAIn7d(gPZTGN zT+?4mt1wRWRt(~vI+x24*8g3T$LjS+I z3yB)@4?S)}+0T$ftA!dZ8;cNRq2Dj5| z^R2RDx1G+s$zxVcKEG@}=f+wE)Upp1H%=Oq*Q5$Hvpe4D#L_l8X-mZ zJRVT76mO<`8B)f~U+o<&bGZ_3En^iBs9Qi=!fLNw8HA*z5u(Ug6i|xy&5--f z2>CP!^yBoEQDf};5$2V-?h^Fy6Y*F5U5^3$e)!OcuMwh^{^Dc?!G$&TxDVzQ8x)J?MU0Qt&MgEl?)&qC}AzuUur}BWIRAcOAmacfB3}p?vlQ6x5 z>Iwonyi^b!Dg0Wq6Tb{x!{SP4vq9+Krt#` zVb%nT-8IwZ+XV{kq-{;vc+SJawg_o@*BPX-P@4LhheFGzeBgsC2$Fe0SW{Rj9;ci9 zEi~eh?SLbacpTFNf*5aaw~z)W!f2MYb0?gdY1;HU^|^#v>$J04MIQvG$cfcYKf3K4 zaxxxx(veu!hqZ&jq+JYjPW-mcVAXbu9(U0gwefYigk3y-b7~=C(rIsHqMb}+9x#i* zT-e$?^H!6uak_-QL;LEZbc<{`X6o==dr)e(D&1vir5u&N$Xjcl@1Qi7>`zs|^;xTj z#_9TIDq6mX(>{&o_Y%!uj+NbsCe^fIX$Q(0V*RylUM^j;ce#ka2Y8<^%DR<6Dnwj? 
zs5xvM@STx}I7+L&Y%i{Sp-M7q!^Nt2IKzraN>E-mtq- zQ|Y&$glyXvXgzyLf)U$dy814uu+6tc$UiqN6kBE#q9HFeI3$1OJ>(~)ChEvtYug_% z-g0(tXUs?m{LS@~=Y&e=G1`?^UF=xEXSk3G475# zVQJ^K^bTn&{b7uABcDS7%*EN^89z)8u9oCV_WoE`CB?!gCsSV&DBh`@q^mHxn#-uyh=N>i) zHPLsRq)2pFZikOVWFq@JM3XU})-!KF-A&n=JLNA|#)&o4bgKF=89~VZeFAjk%t+m z;fvyaZ!dc_jPo;ek^P37&iQaQy>p!MDej}Bx-hv?&WajZaB)vnxBb5hCBgX;R~sP@ z5BFS%OrjP)MsHmgVqZy=-?@zd%)0vC5_Dk5?}XQ#mYX7}1&sTk{TuqzFDahd_6i~% z^sOh;>QOhv(vzH)rP z0ETtBx7Dk4%>|^PPsq%InexF{?hXTi?DzDe@Bb9!=>dK4q(eZWJzm}jb6{-)0T-P! z+?o59jk!HwR%tGOi0Bge)G#fZ)qz#CZ;B;nwiWvORy8_zMjxEiu+?+kGLKCA3*{+x zqcB%dwoL7~I-glj!_YxFd=i9#$b`f$Z$H{_e4mv(t(Hcy9Jc?OE>jL%fq8g-z%C(k)&DdvIE~5)>C?Wh{ ztWw1utkD2PyIbMhKfTs!$gS$JZl6haHsk#k8dF0mQ!1v$UDr@dOL~*$J6nQhILVTS z@riZn9)q=>uj6XTQlI0C3fJ7QPTH+G92S(Ya|UgDmE_bAaQIy4Tmi4(9 ztrUrjkJy|6GnIU0a7M7mI@496)6_KtPIfnk110r+)b&zcPJ?pO*jJ$Goq(+=_0hCN z)ySr5w(!=-f!TD$y=c!vaT+!J6%(N5J9IL-#!0ot#QfLB{(LKCREkHwK(&lbrN7rf zJKY6v&TFzW-H#JXI%$K{sb^XHY!~XQsKRAg20V@7rt%uFw2^tk>~72eCvO5(MThJ9 zV2{YJd-PAUcM?=cMfT@9o1vD61f?9S88UJ7Vo}_mrGN2NviXkrd`3o78KNM1tI5oqpi(AYodkqZZFRHY7U)d;Lzqq;D-wnfxe8| zx>IsiV0WnBDXq0H#hQx?nNwwU&-CbzvrNmJLl+<0&b7}*vl#+?V2gW`gm1M;LXg=O z1ulef@@^Om=$yavrB*~3OSUu@dskzT{Z!|%D}GAFx1|{#sI99XBkbzbFFn&LSiEz% zH+B6>a$?Pz0^YQ_)yIuj_#`W%j3BL;I=`;xwS0$H%eHPtZ);7$_NRA7J(VZsLE>XN zaXtRMqe21ewIeNOmRosj6>RQ*bFobq+(+mh8tXR`tAXmtFf1tE_T$rI(I;M|wygbJ z6qH7`(@*oj%jzKwMCly9(y5P<$1;RFPp=1Xs&KUC0 z$BJWkO2!Rj_o@iIA&cwE{8g!YD|Z%zq}dO6$cGybQs&u+a-8K=Vo zp{U?rDJ(C7YE9H#F?7XTV_D-^p2iNDA@2v!2qN_k1#K;QuF(q1%F3C!sYWHuBsm4uMO9q~ZybdLKmqcdA3pxr1vU!YuPU zp%{5L>x+dUSQfv=4n+5Z_ONm_3u+~LtQ$Y!gmm$nW&upd*(SCir1}0oXe@y!y>m>k zwt_#dogY9(UOI&}9_iFxlixMH0aBCyG-MA1>w8kCy{=oH0*cDE1l-bpEJyM!>CC}r z>Q)HWepT&$FMDr;L<y7@-sMB|*8zwcfflRYNe04TH5A zVW&QLfx^p&psAB17w;3Iz~=DZk^QFer?nN=eAW18V;%>vosIzwSZ099%vXHEf%8#{ zh_XF&gcIn#0R*!DH2@)mlW$K1QOGtvP$nm?85}UMUkXqoo_e3tu0Yle0hM`2*85 zsgOq?EQLTK1;aM1g0=mHwp_fY>PlCkNH~K~Z86Z(l>Q8NVd9>`9qFJXg77S_@V+7t ztK7A)V>K*20gz+%!fEe8ac0lyr(lhO^5PuKX}~{7mV{U#OIQX5K&W_vF1XNqSjxKq 
zwQ+RqO@M*Wfv+jq9b#Ev?Fgx3TZ7-JMiVYSTmq$lCkGc1l|&xR6c8bs8q`e;F@VYIWt2K^e6h@A73b@a9F_#~KRat$GMpjef~S`o6GC=eI7y*NEg_*u zpfRMLTtk$WZ+kzybf?@40HoLo_$QOYRFWGt(~VcFp@cMTA-A)-CS!2v65|j-;=+=q z5n@US=zb>Ga1`%DNXDC@c+@!ju)`DB(!y!r0lXKt*c!)Y*L4Nqkci5S{Fo3tq+lky zv$`it?v2JIfhAkwNJ_v zBw?`BNd)1!SjwamNYt1;c4t-X4}QZ-y~dYuPI~EbHDxVJtRd>(tf7+0SObc&g*s5n zwQ$Q@Lt6ZqnC@W_0PrHFcZ*i{1#?T&h^8T<7G~?Wyx@SNMW!>L2Cs&V#^H>=j^n?m zum2BlXb%CzAWbs_)Dz^Bace(I1&s*+jDxDf3bq%-`C8`(*joBK|7L4_2i5|Rt=W;E z5*hw+CF#>Yf)>h@7tku-{Zpe)=a2W8&(rqN#lw1|fu?mfvC63$bAEsf#O|9v*XIkb zgm;MyE}lsSw1m#IuDxmyH)7~Znp9(&((=EFd|9v&kF{>Ufpv5E9yGS}eKnvUWG{?G zWiR2#KF<9B2b=2ndt(;|bAGkE$=n42U?%?s-2Dpy{C^Ef^hl2GH_Ork*tDk1^&gz2 zXRQY!z|6eT(hGWJXGWjKSj9_eY^~hX1#y>P9`QJ)U5C*epZKBXL?v5~dEf&9goFxv z)jB|Od>;(DW|x7@g$}gK1w^7+anl(|u&=?=xx+oS0zkn!r6en>AKaT}0+qBE*vj*YgxJ_;NLuyN^Ayb12RL!s0Em6(UD&UvFc?3P2ggfL4Zk9Nr z3^zfTCuP9Fc>;DEROUWUzA!MQwJ@kfl9Yy&m}9%w!(gw+6zspm7^i7!z?Be&hK8N? z2H!qPm$Dm`9BogHc<79g0Io9-ea|4;BQ}F)8{LDuv03~AFja9l-B}=X4y_c{rYvDI zi6hMJ(2T9Fm3u8O^)jDzrDG=G3+yaqRFX9z*`2eUYYnFC@c z+=*kZEq}TxL_;sGnBsx|%B->XqCD6|XkFB+Tfs#Uz%H7y_-M56nt^YJuWzaCGsp2enjL6T38Iz&!jYlL8xL^e>Qr z*j15!^5pFr`qs0ze{Xon128pUGE&-#yTDP|-s~VtFw&;S}g zF3l6*GM`R|WN*+*84mze9Ms~r-6ns!LE4PsbFNEQ85-`vxsO8gbCyU5QKTDtzj+!- zwG`a=exA!{#d1csX~?4;Ty1etVC4rE0|&mx(*4hrU4RoZq-Q<(w6F$d@C3Bylb!c`i9e~uqcZ-Lt-Us&LfQ-!c6C7_e+ z5)Tvh_WF#zWHx>WA3*y(j2GT#?EsD~H%YkZ&Roqq^ypU~fqD)Ga|l8g#2XpSHI}K> z1B)Ud`MMkwno-~N(?d+aK<>c-xFND8_$U~ocX>fV&*|Z4AbN$sl_)PS;{K2kL#mE! z#w%;!H^Z)g64}rLYHab2tEohT#{+?&$88+$4i|uCRIuS-_})fBwWuoip+ecf_3ngb>Y`a0gI%m$Wq=}Yuk{r>-adw$dMAFKTP$N%G_ z@yEB)*q2vUF6osX>h~nr-27M5h9+~3R(mfG={2rc&OcyZSNz!3H{E11#|7r>?KW}A zl{W7On(X&KS_KWh2Q{TX7@VKookG*#`?ucznOwL2>ltCmq877mUo3TL1t6 literal 0 HcmV?d00001 
diff --git a/dependencies/infra-as-code/bicep/modules/customRoleDefinitions/media/exampleDeploymentOutput.png b/dependencies/infra-as-code/bicep/modules/customRoleDefinitions/media/exampleDeploymentOutput.png new file mode 100644 index 0000000000000000000000000000000000000000..a664620b0439d1c7a9de15aa207776e4fae8d2d3 GIT binary patch literal 84887 zcmbrl1yEdD*9F+P2e;r5f(7^Bt_d!|-8HzApuq_cAh<(tcXxMp_r~4k^1k=p_t(tS zOwIhKs_E*!ea}6z&)RG6wfQ0cSpo&|Eg}d6LXnabRRn=x=0G4w40u@Jo7JRZW#A3L zPV$Qb2=u1w^#u_}_l5xY63$WTlNj6%5*!vfMR$ctFsaWh>IbBNe8Q0RZr?|L=fe3e@VW?ER zH$YXW%Ai-{_z>U{#}${u+_otllvX*R_c<+$Z&lD|4sd~-!{G(4B`CW%j9%SZJ$N|ZAJk*;mZ*JUe3I~OiqI?b#@YOt@#XZ zWex|bvoFOvn?)+Svf}q{F0k1mp4j|@kIPN@&n=l$(+$+NLwoZT3mm#H&Zw;0i6~PP z?mwCQQi6kjH$hkvF>imtlDy2{^&TX)w_uR40bh|?K!vyaSm%}U|N zCYM$}Kx*iLk37W??qYHnGkR3yneQXpo&I{*AKQ`ZnuPNr8ABJpgE8Qtq2CYP{T6xj zwPRiQu7guWk;^dA6=HhVKK?a#cIfBD&Hl6Gv@WAB3G7s{X4mUtY!9d8fwrGTGHRyG z9>P-TfvedW4N`KTU%_PmozOs`cFL!gm5vo0DTl?(%G$bxo3Gm+_m zlosz#FvXu>eR_(@_^;*3)*@LMCe?<(Z}I2Hy{^Ede9DO1tE zxc&`D{V5Z7=i0gQwmFiPWeh#0u|aUhA_$j*8nCuWW65TPr$BHy~LtRfJe zRNTqx+ePBrrt37vqPOb-!=~p$uo`)e4&_{Ey1L|0L}#jX1iu&ASnIvCV>xHU+_K~~ zLtIdeC>qzucvB7pMBnnIV`mCytHa4;FcgA(R~fIXRAg_>b*CZwx?93q&;kA z%pF2<=^Q}U;YuqIQp|+~1_%P_^BaVL=O8c0m(aX!8B{qHUoJnSTtvECPs2hTiHcr| zHY9qXo@ez_Pnki0h#5X7Fx`HUJQ53EV*P77G7)EB`w3Wl6JiSn4Mrwo;RTW~@b~8O zA+BkbwU`)}P{xB!NVDVk78;XYZgjuZU~yhly{}!aQ`6e@lBrXG$1O+UNbC1|%tQ=< z83loi244hIbD@Eil;8Rdmh*~{JMYX#quDtbWFc6KBpyR76n7;9b|b5H*=mjWAbWfI zX;%^V;9VOrumS@E0~Sv$Irc7x8>dd-jYnsAbK^)zYZ@HFp`L}9o3I)=c!!>NistnL zz0kVD0K77VZ?kDm-RESfb#c03@!oX-h1}r|LQ`AE@SIJvy+o;>hoik)@i1#vdl(T1 zajl~k7T5MJL5^qW6x%lF;x^6mM!nLaa;23twWl%@PE9OzJWJYy5POi|LYH@X3w?I$ z)wv%is7Mx3Q`)N()}y442pW0h;=+=9ltneyRwkciiWg&Yw+PDX;y&0qr}ccUH$gB;gy`Uh;z}g z{FZW3r{>YZk7N?V=~w$oQR03t1F`96a)L{QC}o7Q8{0#8({g&`6PmhUYtkA^SXQ|- zHiTtO9=*@DoK>-N8)MawOG@z|&@<0G>ge5m&t0v^w9l88IU&TvLL%uw-O- z^`pD2wsQMQ>UFW{@7@UvEyg2=*-Z9Ng!6miDmB!zIdgu<9Mu|~+}qIB9NjS#m)it2 zX7#~7H_hm-LJ+GHm*2Hh-XdA25S$-DZ+9uK-#p8U 
z3c$oRJmb)6yfK#6Dqlb9?x4@>x&xRJCBKpe7;d?dZ_ufS$PdJ5gKc=*KCR>QKKhE4hI#hnKd8!8q3(w@=qlyo(DE zP-*rZ@vSU?^ZC?^Er#>)wwC1!;(PU-faTtw^egfFF?YuZPXV$!O7WBF^bFtnMruax zWiQ`N;>54jhMKz?8re!xUXKBv7N4lr-aB>ebjSER=P~37<;>v0%&8oZcRjnKXWct; zcnlja4f`ccy?*Gq7BP*Aj(M5ma}xx102*{Ia}&*0OP^V@Y;oDmaD`!mMb1*TF93lI z$`Z~FW}((TKm5er@_eilN9yqjcqjI5Hg~HII*{Gp$wW#{>t}WMnucc#Lo|mF1f1_` z{41LJJ4+?L9SXJUjMd(Enm~29yt+bxdI2^KKtgn!?eBKs zxOmeu;0ZrNNEv zu=7;|XXbeq4|FkqasQQN^ww?drJHKKQw@%+Z*?*swY2p%S)OAHz*oAgJ$8aKU;g9F3aUHzh^<7wOM7SZO>vXohYdeQg9>o60GAeWS-@e=}~lRsgtCv zOSQ+PVx<0KzQYr}Mey%Bgp4S2(Oj?dDExrR2o$v-dYUPY3+H z0(@?H%TWJAv(fSk_-HpZZmPi9UpbfU4-kCcNh>M?hVm#eMs-bbUO5EcFTit(0LTu| z5%mdZoR}(cC7F&Cno&{TLU_P4OfTWJ$*CbRDW!ff?FFzWs|YztR~aGk3h<%r-R(Hq z15k5?I+wzizN#Jd4(N-Sw!RcvT~}#S*!a{181Lk$844$4NQ@;$Sa;a zO=@0c){ckg`4a>r)G{IgUGZ^4TvHXpHm=xmPQNWBp2DbS|NG3?fhf)*o5ZS@hjD2A{4D(jqU#1}@%p&t005$bt_ba~hy| z7`Hm7+i`$Hdh4o32bh;oOD?p`y@%jZ6MhR{44jGrjSlj!%p5=Z`)a4IKxY2aUmU#! zny3I|ire}ih&x4f)Zmxx-)KGVc6cG9On7Aw-e-Z#-MZ1{IXdS)kC<&6g=Q64JTl7o zE#Bplh`k*fL1-CqmK>z-x!JuqvrxmWa>CRX>j5gr21#-Ha<{HtsFdU}eOo zLDO)H-Hrx4>|yH76UjwevsSs_>VsE4Sl#pCjzeka3+cKT6%cQ1Qn-xw%Y^9*eZK9L zm%Cid_x+PUmHC7*KG{CnNa;)>Bd(k_M!Wd++`>g^WO*LJ!W#XWkVltNFOQy~-9;d+ zqwZN7ee1+rnUx5nrLkAx5U_UCtxT4l5c^dVUi82(HSmFEf*(44aOl&ZyurnWlrTqg z{n1ibqnm4uUs@D;5h@PBb^D|WBB(CAuj?N5J)SXiUbgY(-n_tRH_s+%+}vyftmk?4 zqOhQ*ZYFq<6V2IPHl|VP|AB-c`Z-<&~xNJyJak2QRg;S-itLQgvh`&Gb zWdLpfI6ttL@GJ{y?1tPfSHJpO60;O>Rd{s0Ke{2<%I!tsD~uWfp7#~|4If+rq_zEz zgGS(YwMnc<%niV5;8O1u7=k6H0`P^vFUR4%3vMTFls|Aiy_{5c8Xtv?R?z0>g>x7> zih11NPnKpf9h72{J+-Z6y-r)SEm5giz-Kg=026h$qBOQZtJnDkAU67%MUdM=#oI<1 z6H3|m3|o|PVoO}RVi}R=lt3qi6?T&fpQpvQjf^)wQg8^0va8G#lS%7e(<8Z+E z(lky)*S=GSFQdcZ_1o)oA;|7=1NhQ;Xb*%%r|(sh9jD_pj#^@n6#m;V#ON81m&-@( zqd)KF-!D;%n%ZhxskW|_9!}74v1kV}*VZ@a7n;8nXo ztmi3cy2VAc^w(`n9v+p=ALh$db8(?HDQ(B+-vdGLdDmd_q<&A++hspVsb2WkeVb|W8rUop)BM1~vg`&Ss%?A( zwsl!?)7hKZyD_H`0v%ksxI0Z)Y}dXYnNmvAe$eGn=a|>GaiOCMd(@iQk-O?ZR$bfP z_ePPInxQ*0t@6xEkw5#IgNvO9?Hj!q-oy$*Bg0ay>#FGGR?J-Jn9vT)-S|cD!QvNJ 
zZSCyt8-cVQGt71g2T|u5VR?rEiN&yrKT52QoH|gRO8}wv1dn`{FJM0fs9hUasDmFc z3-O2J#jC^+kh0{|Pmb* zJwA!I-N^a29Cja-QYhRwLo6>q{pwQ4Kn1{Qi*`_BF7Z*z(B%h@m`x6d!3)l2n@S{( z-6TIkN{U|ZO)~=tgt$41suV`WiHhM=)`F}$>DE7+`?TGZVz~;W)eZI!u61qW?K<#B zZ*7pyZ`cs04t#2yKjhx45*2i{EZnhF$mQGFh%DZ1^wk%>5~ZbS&DST*?QDXrSnA#= zr<5xG;On_M3E8sTXZL=F;0MbaEp_$<%j@&y`=)i zVU524JMl>BP|bQ)(!;Ej`U4=c_68=Pk{vVjImOvpf}0R@pJot1cxS(SNf@M4rh^kM~mNLU>4QJI5H^57$D7N z9GxF^m1v>s)9foHWZ*QH1{iU^AA+KOW{KIG<1Y~`Q+2b7;MXCETSI#kYn!tlfb~dj=7| zvy2@03-l~qO$q%E08#!B<`|UJg`+vLv%a|MVCht}F~O1@zuLC9vH($>Z1oy9p7hlA zxNK@79V?6FpmEj~IrF0P@!6QHcAjNh2E$thbsyejY06vjQq%TOigAeFpoo!p29uW-{?>ralfuz8m?rsm)P z0<@I~@V1>&{FN8RiQ14&Wr-R__DS-bC@*cKxX_}7qS=Rq|(Ko5~1eFLX9Ap zz=;Rlqr={=gB~htbcn%>x3TrNBGv2mpIhs)%w1W4{3%`Od1P+ z0{7qm0qH$#0s{<-v04Me;zD{8Li(V41ad4qds7mk7l?09*N1J688def@Z*72Zr#kB zY5kaxv%V!pVe6*!n$K{m&3ggawF|;P2-o)+p1D0+yvP^moO_UY z7tcvQR4AI5Y;}Lh`#r51dYx(HyuI3GWxvv?UBQ~sD{XI~qeV79@z?QgV2ttngs@S9 zyT&arcz_%?)ABXqi<(0fUitR>m6Oc~W}ly#KAI9h*uVMYH}B+v#tK{I;2&Sb-8G!F z9vZ!JYhWbioYGf=56idt4th>4{8Sj1g!wsM+kaca;b80b%by_iUr~NqevRJUImTQi z`Du-zqL;3(c@<0NcY5Gk$y>LYuJqLQx#n76W!L}O#aS!t&~$ksoALF zCfyvZQ11DG1|N*xtelv6Qm3d^Dh|d}|JW+4*CE(f~>iGE!k}X5df|hs=l^Y zFS?MpktsfHQ6D1)k+!<7=0nS*=8E1B)3K~t(ya$B zSQX&jbw8Ncp8LCn5;#V@H@1+6UF%~@9JdS+&Z5Dy_Hu zM(R#-m|h$X)x+_$toNjrWKB<6DEvfbaJpk87vKFs6DL@%RX6NGjPjLA`j>_H*umC^ zjxFWlgRyx1r*v-Yho5ZUYcMv3kT9;i0!8x^k^iO>d)*;hgCSC#j8z5$gIGkv{Z9^d zgq!$Ro;qS|R(7nFdb+zc3|CfJjJJC@+F;<=i_tJ&i$F=QNeu(J zHxNM0;>7s|aB_Az6V7~{q<%IRT=U0J3`L!7`X>=ELfHg{&WXCl z_c9^8;Xn-42{5`M!u0^aC=H}Jms?ABjt9S6-Kq5b(#8IM_=+q`OEv1;9Y`|wwH8rt zkIqAHUMc1tMDZW1nEDXe8J5?~B#RnPA0vls{|=KaGe$0)-Y6wDB!6p&35kwq+pb#q z?oUL7Nhmb@e3?D-qP33zCB)&rlz{l?wvd&LEGb+0!SG(-r7==yl#7f-@H?x+!iGT& zthHtc5G(nu+VJI1@ISkgZIobd#4(u`5rPAviLyJ$^YCv%%a65)GlezufPlVBo3U-U z$pB!duPLIi2h=klRRW-rfBSJt6c>e{`qtDZgV2+o=k`oFpr?i34D?Y2?!j+}uknaK zbhFx!7xB5Fw&EED-T+}g6A3dhR=fdVe4gG#r-=uCoE;`xYy(UoljJKY?esd zi^#5ajZB#LIQk|XOX2;2C;Iqgud-b;1N3d(CXhTTvpNKF!7io}SujMac=H5wEs-Lh 
zTfmHw_g_f?@CsI0+&nw>@d;?Gq!3=L=I}r!aWQS;%V;eld15A>&gV}#JATGYI3MT8 zYAHlySLvaMn?rIc-hH&B0x8o>P5@-EXn{DAhQwM#Q`ZIAn*rL~#0DD3T_xNo3ak@? z8Wt85e>BfK{Q4bjSfSgvF+yIIVjDL>5lE?W>4iN%|C`8V`~1E8v4)4l*JC)-Azeh6 zLD#+ip~gB^apGQ#;p(Nhz*>a95STbd7^yz5hJB-)zc)JL6lF4vX z9!-0E>q;jH_X4dog!b_{qlEjb2s2`!$@_u6v-^nr1Ggs}AaOA9s)qpGbdG+Bze)ja zDnYtA1AqIFA0qvUc+{@Zn-Fw*FyfezJqTd)M%K6DHG1oaDJ}ZkBWX^=G9QjEOk0UM zGWt?=yjC3#7xe3vgCNtTV|y|gKLNLe&Y7NDlhB%M@PHRP6>|FmK16Mju?k~y$T3t+Um8hn`OrYUc45|?0UB1J^QPg+aw zRT`g`*#&0Y>{8yQ)zpbnKb_abLll$%A>wCEt?xkSoX}LSN3X=GbFj$;%W5+qyMe9g)4lR*O{9gshk1|kvN(r@v_SFa(IK|=VD_DjvMB6Fav-ed|BhMovQ8iNUl|h}JsKMi(1HJL6_EcoGyJE&|IJ9+ z{;Qq-e|_i`hF%)YXxDGd0ou|$pZ8q<)B==pXLQNBnRpRaj3Tu(5BCiH~eRF#y1Py3|-O-ZtwEcp!!eecCQalrYn|!%@sc4O~TAFw&iDPbh4N>h3rOK z`%eV{m2)^y3)~xvtJT5}X(c#%eXVrgivtbwd3OdDE0KuF0e+_j#(@C6vXEVWjt*v& z-cr;f7c)wX6FP5e^K?rCJ5U;D z-Ke`40p+{{?AbTe4o&Ax?yZrH<1JSwy13icUsqJY4o(;O4ffa;GUcavR*%JLK?;on zyGy68_brjfTVa3`@;7|zU8>^Ux;|H&qWjNDp5i*7_j@XSF;OYdFG5{_z!qW?z(ohx zv*>(9L@@sBTgE55#r)ih+16zdz_%I?ek2F9FrBn)5a{(sN0!g(E-Y$htvmi0!2AW< zC*DwN&Y-h;)RW(zE^AzQbkJcI4{(4nNg?DF21I6Wv@Xvbd}I1<+0vwZe2c_{-uKG8 z4V9PPZD!pz3P0^HDQ43&}Gp+GCZeC2^86yh)Ewqf34 zg%k^iO}wQQgx9i>+E(Zcq5<^>klPE|&f z#LVc~z{MY{FA__PwB6Im`m@SWu@NZGVp@?FGaxnocE^!vDDnD{7Yef z+3#(?oW*lgfw~?V=sKW;1pd0L_g3B%B$yD1M^9PPr^qLoQG@kr+)FDq!W=iiwG0y{ zYjsR`C#-orI}fTp#sbhDi$Y8#o3Jhly=MkF#f%+tZVw?@OuB?6oc_bw_2&)_VCuoh zj-t|^qx;WLZBC4oQ^kQKWMZ>cfT2X+J0Jsy*uL-!L(}u)9A*SL0iZ!<0QY7zdwbpw z89wdik)#1~yMsp~!e*&CA-mMT7-?A!5xEhD{!7}MYf+gW#R@!~X9uenJ(VRL*Jl|c z;t=LCU165=(D^(bp=ZMB6cM>Nh>J=Ce$7Bh2l|2W7gEjA8V4C&6KYyf3rE?`=e;M# zY7kJFBEDJLUq(u`PB^>GZgfmo%3BH|b@zo^Xk1L<`?cOQJ=&S%rh#Q4L!T-Umohq~ zcigWvv}f+gK%Zjx%AYpV#wW4eek)=n>_z4&IfS8FE0|t{{^R-Hs%GU#m=q8LRRV^w z%g59e-_k4PI=0+|FPrMRMVaZ;(r2ynKP3$5%O6u*Y7?UG|aHqW&5N*O@` zg*g?rQOf0klY@w^oW-7%H}urvJR`EpM!IXv?<0J9{UK z@=WZ5EAZJ$snEeBpP`h@a<{JFBtSxcn0LbT=jg$<#PKEF%?kGi29%X#E zPTF{-amp~`KlH(ZD;!7f<|hYk#YZ~0)*%?D!p(OTLO@2Xrgdpy;~a0tYN?F4y`2c{ 
z?D3-7J&m8>>LJ^cP)^D4IR8(3IRLXm3o$=lhAmB%ahEUx*{g2k#$ilN2Ur7+0l;{* zXVa6AYhbVU#-!gt4-HQ{mRJW?0NFep@KG3wp=Z&Xy&2K8fTC5OUkCctIY7XBd`^;MP)xN)c*k3 zIrE>BN8rKlmZ-6C9EwmRqEX!Mxbdd3YI|;0yVEUaZK~gt9A2T=b=8`FML(eAz|Ss9 z&Pa;QD5zy!(v-oJWMjp8KzaK$pz6x~g$cc&Q>! z$%G^aVMpJCZZ9RfJ*VN8=~Wi%a~S6{8Bw#;>Iugi;VKHJ5aAr#mjI&PvD@6Qx2~#m zaPZbWmK#iI9pQ0+kuf8Xt~n@JP-8PP<4n9S)43-zqO3YeSSSTx4+1A*_zdls$JE_l zRZy=E3#D|NWe#PK?6pJ?q&*)B)I}9m+U;IDcW(1&WSt{b(^Q^5xiAO2KHq7?1r!uj z*5dix#W=*J=j#AC2h`~n}_<#8vr*bj{O=qk2ym?96oA@vaL#6 zdB*4il0?ZJ7&6Or9!iH^gqvjB+eXHti{8)9z! z1FTSRtEPS41R_EC@aAI&!l=B=PhG!l_^o8bmiC?R$bOAo09584q4tdY@`S7V&eYt( zHP5^{QR1EoLJ^FEFq=U3#9eF?G3{vB0TgNg2dhE)F1gdTZ*1g~(beNWCo!{U{BP<% zj`jGc^x->?qign>yON>0V$aWX7o{7(Jd3z9*bozDbM8Ot%55yUCr{t-{(F0#M3!+G zC%Ydks`(MaR6XFleh>S4FYOK14;^ja&%ubLb=66)_)>WM~WWDle(hqExt4H4}F@2s<~B8kJn7b#F~ z&W1PssT}=9X13RI7`ykM*+jouTn8!`_S&%uh>q zhZUiw*=nQ)C!%kk;w>zSR&8+|lbWFRtM@lc`c+ylru)^obCFV$T%uOl|K^_6r;c!Q z)p=;G%cPxmW6p$4)2_=I4eK+khzdgFZIoD*_pqGKE(iX$je?Q{jhK-H$25Jlu|Y(r zM1o70b{Bi*Sq;u;%%N0$J!Zx#5feSGdSj)P~P{KJDRkbBkY z%23MLVYde3w1kduFdu&T8$4IcpYq{^=RDvW{2jPfC|~q|1q~Iu2g@h-;*1D+6C>=c zJqZdVl&N?h49`$o_3aIBvffUZ=B*!A#|&}Gr}Qkq5IEtNR!H5tYEX-!OxIKSUt95R zS&&*7VQqPA&pCV`QZRJ07Wk}q!`LqhEtL6=#Kk{9AKURDKb8b$JDXZSVO}=Mo+Ja=u`!B!?D8K zMI&w<%^HXwjGn%BKd?JV|8wfx2c|q=A0|lR;FC*zhqDFrSocvKpIVdV&Ih0F`HNtb zC3!LO9?CtiGKC!l-k)$sO!XXM@llHMXY8#M1|RHYk)G%jVp=CzZoj4@Jiq%mj|pKdr7dfQx@az5}_o=)(KH1r0gh zMbET}G9bJm>j6!$(Tm{C)NQQz$E`yb!9&ad1;&I02I0K~DR`BWww~rk0kZ$tXEfyj zd)spdRc*QB4IlN_koA)l!e{VsbgZiX?2M`5(4V1uUdLe@qP7T;1`-jtrVx9tK~_yh zYmug$$OX)4sO{$fb*w@{*!xuKb+n$>U*-@x-dj+#xZZk~X`m zq|Jj7wawvI6`XH2cE>KWOX+%jzM~BUwVX|7=Ir1N5i_WiK8B)OOSJI(j>AmX6sg;! 
zuiSCo-V8#J1KTIbyoD`H+MbXnzBv>@F^OA$;2pPW%SD9^_+W8VBRC=ZUe|{0Y0l;yBp&CZ znH61Tx+fb*il#dvSuL-(hpQq?+qry1;78rBRMS3qhKXQ_EJ zUm{y{fA`n$zhFOj+3XFv+FqS4&?|q*6h2^9diWt?v7Hf19o;m0`g^K2j$(dmiLn(t zr0oz|yY84Xa!{H#TeIgK>DC;2wgf}lBBDkGMM?Y4midM6OXIT!*#mAD6{Ha614ZBO z8%w$MH3oV#7KEqopelS{h4nI5Z8Y;6YS}A@iP}E@0yER4dKpm9eLQ z48a~)!aDiG=-0G8(DwEc=#@{bxHLkIOw;IFl(k)Sr}eyog$0 zVMCixjw0=FL4fH!3NFh`!_oY~^!?$~ke`capN85Q=G2>^3?+{%bW!H1Bu>cxmIuVD zO44N>AZ?cBeom@7@-`6R@TVp6I}Iv)%bH5^|^2t;drZBz!Zh9eoxviY0cNN!goaFNI`}j9oE5e3cn)rGM{Dyh^_rOuSeR0 zztEv2DYw{GWAr!vGU(VUjnZo4+g12ByhJDYf) zlO~*Il->)^@sqd$pwoAk7cHTin!h%x1zN+Zr?p=GT3we~!K)!N+20(*>x$SvZ%W(3 z%G1`X8ZuKf_g;rc8|XOkMEp_f=7C@`H`5{ReCKVpRbtqzYSK$;RZZ(JManc`a?#*D zJiX(V9HT zGSkU~{ZT&%gx(VlMx_A>hMYo(d=r6#xU%U=^CDOdC%!`MKDsqb&@flKkt=PpL~=|_ zgqS?2OYW^_EI-#m{SbVIwJDs9U1}Lqem(3$rUr@<(?9FArJxl>G@FdBvv{*(BPTWx z7;t+~Pr}?vJP?XSh9|P}JG?-|owQ8}I@T=O+a2opWI0??HILk65~Ar|4C@cWMJ?1x z%YLXniB0>#HwZI@*a$zmT*Esu>~#K!YL8OAzN!!cEE>%ny>T+_GD$2B?3c$y8F(jj zp(Gb#p6BN`99}o@-^v{ZnQpY0-WT7aZ;C9FDW>!S(U_2I2#&l}SIw>3StQxLLy7QX z?<88**b@%ZIn?8ExITOoG7(7$dJxqV`hBIE~}@bENAZ6%}W61P8OFDV6?Cp`E+pttE-*YWZqyv~^sY||M+gC|YI`@!;t6{#S(7viareYe&)YOjUQfOOS#2BwcOrI`mQN+9O zbc>$8!fl;ZqVtPtY+DaJHC%+0&EMV}6u@Ku9_smiv>BDBKC9|Ptub3OigEO$rYzhSm|b?%<}OXxzTbFhum^kC;P2!{_Wt(MO>cbm{FD~nH43K( zE+JB{cj0aEk;2uv_R{AtX$HNsQCu_be1om_!9{; zkV>F@i{V?EO$=xD&fot~v+LgaR=xLpjjPVffz`sGD9Pu?Y}20?JP~=gcNYRHNexA z#-nQw26$V|`R~08eY9dv5vwHJQ=l85?9xZ6c_*2J;} zrQka)U11Z9mia2^%??kei*Z)a`eaLc>nbY!>aNJQdn*cLJf+ zlckR;50NNd&B!c|Z(O#ZNCv@g0{UbFu^;TgfMEBFUAl#H?KKt$1J9dcBi`q`9R0SY zWK-zO`?~2C`Vzg}1HXovG;w@JZ*w}aoBqi$RE;iTZc5M9{EAZ0shC}(^lrau2x;f+ z`9w5i8z*%-d7aMZw^(``uxcs`F$86o2{@VMFCCnv1kkgC^;bWHUGE~4&os+bA#O(= zr?}LM1x)e^Zf}d_1-;M~-z4^>slgdOht$%2KioD%^trQ!hLGfT%W*cgzI?MRcv?Z( z(|*;kSK6)ISDyp3_Qu7MeEj}OutOrthoJKfe`J2VC_q8_=-slVF}~&Zx3mRd2XlWZ z@X{fyv5|s<{oKhFYB6`)k%#1)#NAi!N*c*PK>;UqK5a<_A6vG_NC zVb66(C>!K;{C34>iZom!Rrd%23iV|DCT1I8)_C0Tgi)ZRGl?5OFrY4CQ3EGzE9nU` 
zT`o9ge9${|^+)}jwJ#}nk=`meLrNRM25xRi;4E~8!m4==ybQ+Jm!=n93-$96M8&## z2n}P}pOO9Ol{PRq!|wQ)J(ulaCzsX}_OnL)u^GW{)oI2k_kBOFZwu&3m(~?Tf7R%7 z1ao?MP9J?*1o=lE=sz)eW-=9d5^oOAjy{KqcdqC*MiBg|#p)}ki1>9Wo30o<_^rb8 z1$H))!wcf)6MEE{aB$G+K(7OWnCqR?B%I{(f)h@KsSAT{NQ%_{7{`>skA-(#C)1Gp zlT1bDCfg-8Fu=9jO0Dzlz^B|7cd_P*>6d^j=A$<^BwegGkTe!LL~-ANt&GFKpk_Hrg+n zzs5@8CTv|_q&dYz_m)iAM8|}^KlEoNhteuQ6~tpOv$*iwHgZZRYM^txd?iszwbifkQn4Z)S^Xfqss|TCX><^C z?a1r=3yyknwmHn^aHu*=WJwA;FoBv90<`}i(0OjC0U{66d}b8An-VeYghE%R9Qz$H z*gN3E+l)og$iV*M?WC}LQ}B-HY;dJJlcW?6&Ql8#Z7mbyz%9wdEijLz+Tev>CwKLo z%`^Nc5_DbXa!2m|>;UWFI26Q6?&6%L7o~Z0lQ-E6ElAM+bPx4Uip;NM+`3!gxd3tz z+{==wuI0`SRPqPdl0BIQ&l@$zhmzkll-n2dTPmKs^lyBY?O+zLxPP@W^nU$8&_N|( z_$-4CpWo|_`R6vJ;ZXAl`@Q4KfNY^rSC>vZm)}>>fux3?wCiNw*om_^tgpW8%(37v z*Gw%Dg0i1h+68o_x*J!myTZ^3$d1{tlvWc071kko@OK!V&aTg;B(=*>l1#$e-p9)$ zC-R~w^{Tr^#MRk{vzy?IEuov>ft6p@T@7clp6t6HTlx!}B3dFT-`H zg)QX`(CG&k#7<+Yf%1yw#FCF4{ChQHvW>?)=mO1ffm6yoxx-AdZz~{Ax@~&fIfD$e z2>c9hhs2e)lR~D;o_U7d`T6}p0+CJG*UX^)oA)``WG_NAkIP8}^ilVF%E7CRof|V}CKmG+F{*3D zX4;7nzWoGD0!`qd2B|YG{U)5t755)Y6j% z^P^nfz466@AZsyUsR)fa%td?nrxw7T27BKlf@1q>jaE)PSoGITA&0fsLs)NA`a$MO zJ9fLaCZ~Vv1(bJ60`lE8ihAQA5LxjA$5l{2ZVpoJnW8Z{Bl!@llB9%fJ!zKNFTd$3 zN%fnXh6vVphQU$u*64baB(1pJCqP>KxG-y7Uv$8Rt5#W#a6Kz8edi95+78czyR5b% zDD8a3=}9L!Zo9#D+v82SB&yhL+uegq%IoeJ?zHr`w4Z+s1dhZzwvku1t_I*4p1Cw- z-zO>T#V+UJGNUTZxN{~MA7z6pIk!Hgc*N5FrQ}m^E)-Hv1aFS|1T#JwDPb))COpH{p6}&7>?NVZGs_vGZ?M0;v(5lZeH-}tRk5&1 zmEpCCEk$$( z8z!xaRur##5+V@Gk?!@zGf<+^ys?o6WSI7M7xxbf1YKCKP6nrQ=?OL3aNCyC^%K}9 z&w+oXI7Jql($pnA_=K(KOy3ndy6t*0Ecm$FE7gO)SYrcEbjL9h2Cz#Ro-(t0(sqqfkn85L}C+tPYTRx)w{7*Pd?d}jV zHSiAQAurWfF(m+D~K@?hT91rz)S zP{$4PRt_qMBI`rP zvuQQK)^Lt^>dzM?Pz~LmEoHU>)1zg|*5b}rSw}X{vvfyPvI!RgjX)U`WuEGf6?DgK=RKR0Nou;!t$2(Ye>Md2~;#!C4bFl8* zTOgHKPRoG`ob8Qj+lnY4Gul5|+g3042qcV9e}&n1MvE2OgE0kOlaM>QU_%wFYM2(w zsE97F?NC4Io-Chj7&H`^t2U(V_OnZpNThG&m(Anq?y|T-2r1kIPn5Lz=d@4gkWuY> z{1v>J(P!8=Plu$6l`8VvITUV#jkkxj`!8wD9+8n1{1-1T;^@%fnT7>{5(%#5wk!pbxYwec01f5njhpf`IX 
zJG(i7oKE(`n2jCho$Ag*Z!$P>NcLy{yY*9deqw$jaOdvx((aIxuER2O{JXj$y;R;4 z7^gidhm-M`(vRB*mzRZ&g)+sq(-tE0kynbXehER_Rts6PFL*nxUfL641=44HY;$!w zqb=M22XXHe*3=fYjbh(!5$trZfOJrLM+Bq^D7_bH(t9VMqM*_w^cqEq5J+gDLl6X{ z_ZkSj28a-n(31QMw|?KbI?uWJpR=yWVy?Mn8Dq?MykpF{bcl31#3LHn_27Bu2D6Za zk8XQzUk>w3jCPnL(L|TUv6b0x3)?!fC`l1zmM7-k3I8^J$Bt3>MqMaPKAi^}f}#bb zI@mozdH0nWIOVZ?F+mQN>IHQZB1sor7C89I_7M zG_xEWJNJ8e)pjzWHxaUIYd$0ElPTsTh~J2w@oG>3s8S0y;D}rssu$Hj%xgEDG7lo+ z{YOS^>fAtw;%YVtNg=QOyZni3GY?XJY=4EQGUhD_5?O`BW{h&`IWTEc1}7pL4je(6SkD}M)tK(U^BMi38FugaBb9FAif z^%))C;0UyM#U#6*l~Zimvw;e~68Dw?=Yu`#sDclYv^AKIA%zUAcsXJ3a8G6m?fI^s z0uJ$^lIZ-=sMJGlg*dOb$N7xr4muqU=9UhdQ4kM<4lZ0zD*suS$0QGC*F=UykAdnP zMqGE59S#c2s|NEf1cACu&tk{UzcH%F-`IVbC($RuORRc6^=yWprD!NBEWMz+y?AHb zJcYgE>+BFdE+TE*@`+6%tQJ%TD?BK(kiRPl34BJ`jdstuadT=rW!Rwb@PXzY&tMUj zWDCC)+ArX+$|_547RLv~eJI!W3kzckRbgUnP+@9`*@dOxLo39NNA9o`4r~95+q;fk zdp@27-K6m8D_5pi5j5U-ZC7)z#?d;d6f6}Vl&y>$Pssa?_%53SqWnlGMc?OB?-QQe z&kzS>8bc|JjlsF5Sn_K4Azf=w{tZLSD$m%PrZET>{dGBNteb5YMPwq)p)JstKk38x zpEp=Y>`paSMLsC<;{*Pmb}?nG{2h(9MK)%^`qj>eSS+(zGvVU zK6WR8%&Tx? z>P_1QcCri4KnQa<9c30>G1%W=CVndezkiP=rmjS3EGjrnPKhWTtPg+AQ%U`c?!k#< zQ)QlC$o}567pUDFvY3lCdjXw6$r^{;OiHNOVX9Qg^~IJiXW?wo4L}4wx3PHp$IPTR}2Zl zU3knHZcb#dlR@R9Z~HRyf9R* z{CS;=8=~s?(0WGJ*~uypI93He4cT%-?1dlZ8%KUEH^VM&tD8ao}ll%x5)%q%PDR%IXD)Z!O+rkuBA)U zVV>Ypd;+QqdO54BfPV%a4#KM)?G$cH%g=8}SH3hz7ucB2bAXPmbr#VrGeb)1*~o}0 znWVuedUCTIbqid>qtl1 zFT2MenD(YbsSRipcAy_pqiy`5V`-wn0%J*1x@dFwkn#-g?^RVy;c7IkR{?b)!jM{s zFtEt?qRl25SM{DzO<{JH$!{z%AgE%3%%avZmod(*b9)t@SBF1@BIDc9MVq{bqW6Bw zT|wSew`vqi|9Rb8fh_}l%Z&~@fS|!HVGkp0rF4B5ztLlhp5UHW={ z@%5MSJQiAu0&EkznzG4wjS(p%i=)M3G|?$vlLu-p%0(OXDqtgMUAm6^-QNcrLFYs4 zWKP{K9`*NT9jV8Km84%2n)q$d*EFYvCpayAl8YHu364{qHvI$pI9bP^St>cmQ>D0{ zJEw@3>2J)qWAKKJl&1Sh>21x9T-NO}Gt#yCafahX&Nb54E8HZD!U|bzaQJ4|v*Z6& z8&z{*!jk;`$LArz##+u*88sc;Yn$fd0=gc?)9}cT3HVJS*_@!*I+GD9wJ@-YrRbE5gDhtkrA`jE0}h00Ydjy! 
zmn?@J8j4}#-U1Jrn1bnVC{>Gx6xAX(o~_0&PVLMonNtwthIyLzv>hLPdJAKPzSo$6 zu!gi40{2en>(%ur#?9YTP9-rI!@NzSs&gQ&xv{@=iPS+rcI~!?GY01SY_AC)Gi+V7 zdGd0r`uatf%|vbw*Lco7-=H15Y>+<^-s1H}2bNk?jKU6?SM&&FNfw)*{jbsoKeSS* z2{)10=)=3i7^K*fB+9Br;``rY29(IW5+T}*4qU47VkI|I-V84|uC6CXd)wlhepcds zdN%G7u9gH8>PpW_76DT5%x*qKBzP*Yb=2;^+Nr46FWbDDp*KT14ZU}Ya~^I^v~%8# zJM-tk+ath(fI_K*Z=nMep5kV~p0VtX3DsFm8ahK4>PPQIqnnHgwBW=Wy6#$!w=xj9 zE)`P|^=yA0_qfKiOBD==+#x1@F+KDkHPiuqWF*{|w8SksY^in~WgB)!qH>zh?#5wf z-#$Y3=dtE>$E9b24*=1TY9d3=xN(k&-Pi2ZL*Zha>I0L-Z5p2wG}XEqh@TCr54|Rs z5OuZ)`C-}hWIGc-Z?ONqn;n|BBy?JM%*#D#r9dS^#VOeOL$Zq#j;5N&aah65pf^Ps zoNfU9fl6*SMHIhC1_$wVjw8)qc4s;jjVU*ehWbi2+Lb08Co)9MjHx*56b z#=Oan$zslGY38or+5 z(Cu257}TXdUDG<>s&m)gh@%(mn`2J6k6q25ajI|IxafCeEP^aj*VorCDoTgvYWgV} zr#&e_C#*C0!x+~kGQ`6h7IWq$FE5WEwn;DFGI~A41Ek(II2K>-} zuba689gVB*G?{nx-cZnfHd{)r7q!&aZ<;%Fvokn5W*R4Wkx!nd)vx%ZZO|i$zZ0BE zA0ZP?QnE^O8r+bL(Fp>J$#*2dC~gmYHz4)87g~$kRE{GDD4%|j)add-T}+M9J)T2ES|<8EF1LUDSeC;?=LM0E zcnivhJ}syYf!kH{4T8asUZ<1_vcyzP2Pb!$R4Ki_&zEi~YAMUcL?2zv1)Rx*T=F^Q z>lObkUWmwXf3OUrqI&gyx+4zywNZ0>u_Lmc_n+@gK%Ek@ZL;AkROh>S`NI;}%^^X3 z4~Vt_6IGzKgD`YTWGyGvmHMl*VZv(_NAbMja`L|(*R%c}9TNu1TH)+VEZZ6-%?)q7QB9 zndZV~($A!zxp#iDqXUJ=Py(=Vf5?Dr>@C#pc+k5TS>s<2r!7y?>+S7j6m?3>f0{N_ z5J=cU71Y($$!W*!uR9MkAioCylSpkgtpOaNOGP#B6H0hDWJos7Qb7)ou^`b+k+>Nd ziz6gaUs8U1tOP?#<4LQ{=IH3y)z@cWZk`2HH;&nBpOc!zC}O~#$LWBm%qfW#Gi>&{ zLLAqtXz@GGwX<3hFZB=YW^_1DPdd;zR8vtkU(Bzqm0YN)tgMvN4xh(2W2byO&pE6Y zqQGCZ#J4wv?F7?vC;Jf_uj!`n^l6*nEh!%?3=Qe_ByW7j&m$;~8s6=@Rc4YoKS*f#ENb(*Bwf${4^1ZA;55^CD$45$DHbW~!RMD^gUS$Rrw7y7ET zk9VGsfkZ^53a2!Hq4>Xfw$+YW5Ok5if_e>J^}^V%E?Fh^rcG)i5gj~L=L=8+_a?owh~U_nw^H`1fBJ(SWc}<{mw+dpXO=?Z~CHo)f4SIHGOQ zPnIncV|IM-W+h%|@*<2@@W|9${a`(qafc+Hv^z|+4TCz@)Q_lS2OB@h#5%yzbtr+$ zMcgsiSxXi_{!+b<$Ta{LhFvy2Uk~&%Xc?6dUOqYu?n~y!Y5>zOHW_ta+5I!9A~|t# zbmb@nAEG~F!%#^+&G~h9bY$(2$?e(W$8Ug1-|OlY#4w#Z*E&;jJp!7qC+y07g6LP~ zw|hQ$zO2nNVtNx{2QBtXD&7HcGQF@L%W2P_-&UISoj}}1D&x){$ZTkwKYUa^G8>GQ zZ6r)NE40EI2`1)2j(a_W7q8!6>yyUrg`t75>XWC0Xl6-?t~6y9u|oYjlZknuBppv+ 
z`Zrz|U&0$@LC1^z`xUEX^hcP^+a)=7^FW_A@_%cEiH<54Op+6po}9BZEq93@2M&hL%#Pq_CaZVP`hYeht&vuMvc|fg$k!TQ6M9W_s!Y>v z>ZdQ0+B_C7WsKhE<|faa(^5x53**_tJV>kZl(Z&X7M8{vuEkCx>#FhGdMC)$-GUG2 zs4sh${r!mb_?u&&t+`A0w7fezJJTQ9w0rn3CXR-z3HSEVk7Eyt4YN5h!=REjR_5D2 z#j4{&>5icKD!aU*>MP_zK9Qf>N5n@$<1wovUlb$vBIS=2)YR0}Rp|pf_I-W<+Hw5d zw-YD3UY5~;0aW4wvz0$kMknwwq2XPiMk6 zs|4AE9{_5<^1y{*bFq)r$~S!{t(?Bg)5I;?j(+mnC|L*?N&~)2XBPmpvmqYhYV;e? zHMDMZ8gRIlLkH!jCt_`DtJQI!tH%In3Y?aX*bL0H3i*zAzj5R2xpD0X!OD|KkK8e9Q*qZm*blHigs|h7Nk90pd#&;4mIcx~X$)hnk_8r}6~fzG5UzVQsB( zZEY>1Y*1w^i*)`Ls+yOdU-RO{i&N!xQSEVTa0+Rbg0B|rgs8dn+&0lKp!U2^ zvDH&%xLog@b4FtQu*dd(`CK?G>ihVmMM=hx5@%7{rtE#>t$$NGS>fdm?kA`L)ju~h zG#s(%@z+XwdVgycIV-;%PAfNH>fSiI7(gvs5TXFGloodA+k->~6E@@7Pb|e+rZDRf zC-_Vjgt%Y7aya5$Ic_TC_=7l`$PO|Kt##WUCCjDgcmcdaY|&^b&(c(8l~L5={7che zpbq%M3~6nKs%&Ck^T8Dvx!u5P%dE~a*zzufK#%aiTyX9x8C^m7LZWW6q=UH*<$Qk1 zj}7YbCSQP5bF0g~?zf?$daxIfcRqOPZ3SLkW1q?dvH_0+Aek=~%msaBfu2@&W<&&O=Z6Ih zG5NW=VaM-No$u{rHY0l0&s-%Z5RtzYk6O#T8~-iH$g7mOX<&G6e98?r(o<49H8hbM z(SAP(+V#woou@=pe(?!gv$P^moN{x zR=~~a+*l>90aonBrSP;NV^N6}qW!vxqMqqqmFD#gsBT{%U&E`Y?PwBd&Y^}8b#TZo zh?(;0w7+CJJgu+0(VK%4a4!)l7!h!Pr@!TOp3qjefKOk9Rx|p_zpJp2w$)Yqy4vl( zw+v)S1wh7EoK!;JGM4nBsD~NGBy-`}ue{gFZpi&wp?w>$+B?HwvQVIPQ(JvGM$_qK zv4OR(=d(sskZF|HFt_(FFa<( z$9mF)MV&^te0_Z#$6@B_Qocp@{n;h%AdIP#yE|=tCi<9!4I2jpUnH2|VjjGOIMKb^ z+?Be2a{+wjnom(y^Yicf`kr%=kj~OF2jNH4WrM2(8h$+{?Zky`mi4`R_wEc0jFvWK zQ=1W{79Z<5>zTP+%ew!@o9yk7q<>$sQYNh4%PH7G@Nxh1#qb|gB(gl$edWRVLoy3VPkXK0v0{uL?D1!y)< z(jX|P&LZ@{jz!v!&ke&wn-VRp0a$DPm#L%@0dt{kKDF2W^wYnfq&l8;ms+;k@^K=g zs=(Hii9?N{%7EEA|5v&otZ-*tks9Wstio=@1KRxFOBt1I$t)sr`!WxY&9CBFnY_@X zXC~M6hMws7mQ`ufPWxwhgRt5kc8THQHEs=-1#gSPZIrWl^7VrIDa}PZvLIICiG#QI7a+Z~wVVNrlb%<$T!4 z6({{~X8s2W*1aZ`Ra{!mY(1glZC)C6zN91Bc4J7Wr5jdc$6BX|({s>L-1oVORVIG> zuIt45FRfLS1u%p>%RQec-raJueo47^OK|55uLCLy)#_s%SC7oDQnQm633;u_Ymg@Y z-W}{~ZIu~V=Wa?YhqUkv$tYHt?JYCD-NyZJ?0P7p_Yb&AqI3q(@Q!gvuAbd!^*7O% zFZ#v&S)&QpfT#(UIwVP45YVv!k;w@B1Kw(hnqEHBGVv>O40MN+!mj;Wj@cHuK@QL_ 
zEE$wjuL6VOE8!eHt?yMaQXT-3ze>UMiwss)Rc#a&WDn_T%jV4yb^b0IIU|vcAb%E*uEX%($PYB*S(Xg3i4C*cql0 zwBu;W&|i4w0?oJ2pC5fyiQD$HV5mTG^zRT6aF8Zg#B)K3gPr{>hAH`e7?+`eH}nt zBn5(@2{~U9a7oJC&xS?T@~m&lHGFO6GUblAZzh_D_HHM>u)rRak6lsKs&uj_!zzS? zy+d~cDg5_P-joksaa*2f4ikO1O9#sDcCblG(3Jy9e$*Z@yaD-wI=kPgMzeCCwfTbV zZNE+nr-aae7nFYi{h*Gs=Ds>SO-RdjS{vDn_Ea}LaF_{N4&0DAd}rZyV2XTWn;cxE z=NnhhprK~`c{*xp3t%c}v#T_R0sxkT!=#-1%Dh?~M+nNb#8q8=TSJ-1&Y_ujXu@!V z-es1HYXIxyv{#?b2>SZ@(diT0%w`y%^63y0L4#si^nxswUu=EGW^Xd<`RADdQk7S`c)OFUr5>^kVDgF`?&R!_d ze-sD!V(=hi*mIIjZzbPlMm_o}E!Q=TTNV2E1G|0|m*_=sn72a;Gw9rOwH&jBTn5$G z_OJzOo!n(9-V+bRWhJELc=cf(fkA48ANTq0wbW%(w~Si3J39}jKC}@D+FLtSJv%vB zi0hY^->ey!U(F7N$x)7RcY43c5~saIy>eHzTQRVDtrJU)AJNrT<})0&biCe|OzPD> zG{4_YUf~3Vy>j9boHvSxN%l+Fik|Jf%d!Zn%QvLs{W>La+mxFHEa_TS)x(81yO-0b zCps1Aefs_0Yt4Z#u{aocRUF7~L^(M>a$%o@}75A!T}xedZZL{$=V8 zGf!1C#sT278)zFEiMMpW^N8LEIKA~++Ppv5#p|OuSN5%LONH!6%bV>AZ6!nO$_*V_ zx)e;!g_$$=j!AP;Ytcj7LHZNr`UXrvtkqq{kQ_7M6jrL+(RXM|#j8R0F~b+^kj`KL zrH`GNyf4aj_;j&7vv66wgCMNeE!%C&Z(7n$Fiz)CF8=VpMBoCYK}x;ewWLApCMV~c z&B1_B#*)LjPmezA`BaQ%^ximb8^-0SzlP8TpXqH9v;b7EwS8yqQh9$UOrLiH2=vc* zDZklNP6$e?fTTn9znHo1z$!SQ!@ow$OO)}tyE2MHyLuA-8O+0ZiR%X3&(#YFA!E@C z^sI6LLZdz8E!Tet;)XnnoqDd0F8_{%%&up^Qb;17mLoQFSv<8pX4b>5ri-I`IbF*b z8R>$@zKm>NZV3!^a>w`8hv+2Cr<}QZI5~K2UZL%gGK_Wx>#|phk$TW-98Ovr{CcuJ z%RdnR)U%Bw8-q>X2{5`;~{INNicev z`aq$uurLVMD^5B^P!+r>=d<<Ko03y54D)0?w>GFj+71vrZ6JTmjurY+NiPx9AYi%@4niE0OeF-|Jh589qJ{0 zQh86~@J_7rubpvK?}ITpcr z22o=!s{cB=1HjQ^f}_J^iEKsf$gwjlXSHXNi%nsw1N?^UKYrQO(e);ErDFC{7#`ZK z@bG?%^;c!F;o#-yE)><4YMgYnU%nMAw`xluMpYLmX}2jxOs%4=D3was)=RB|=b5EJ zX)hZ$3r-1$tD0EE)ve4Ux{Td_?qeqMSmvEth)}cWYDh#~Z>+;Qx~uJJ(;Oc_C=^Kc<4NyRNoLTG!tEzh*;cAl zajQgghjsjnbh~C+?bX?PS4GSdy&iHFsebo`1SCb(ZWKXJ+HoR->gwu4Dr}$|!@=jH zLsnOT*N|G#AvjHQpF!mlpYll@Ye|$qohrad4hODgt!fLMG}*+&i8KZ|Moz-pjDvW^T06*(Y7+e9JK@D6`0f* zKKcbPhEx(PmyOQ{*USa=43(to8RURFKxe?VB}PEp=mZJgG~nmveg46HFF^Z%zFQWD 
zsJ8`p{J@nmGZqeM&@mrB^wXCtAOdB7xp=nu3hvw_hxW7f{R5xniCPO|;VS%3VtIA_>A&=`+O+{<Lc*z*JmfV2!VmgF9HhbJOlGZ?PMRR0Uv%XWfd?Sg=qCr+%dI_-o96 zY+YV9$Gs2+*l@n)FhCaUO*z9Idr}|Poj@|tY(?|H<)o=Ho5)P90=K&L{Lhw`H391) zDJe;=Ize)onVGDu9P7YCmopw_fBN(}O0a2yGSmSN#Y5|UwOqPTiT)B|jA?2Hd3kwF z3xQk%Er;;PDY)r4+ejS>e9ykz9{}|$0cYNysUzgwggy;K7w^)?d3Kr}e&g^6)gTv} z8fq5WAF@^6ay0+CI^`iGW3<6vvwc18so!kaq8gT9@wxvNf$ZwR8@6A zQ+y_u&NAe=dm}zMH#=<|@O?%A-;i!(6<{KNz9`%8zXwoZB#%0BVMDnKZF+sgW=Y;xcEzzZUD&89}lIk+T-LFWM~CbM}=P1NKwP+Pc0tQCzVA*zlZQH(9}C#F>sIst$2xbX zP=?0N@YVbPuppGX9z~siz8seXx7xekDMV{;l*81XK?*C>yHEn?MWE%!#rpeNmw{je zUOsFJ8n)j76H>DNC{dGoA>Tl?lquY8}~7 zYm0(zRu>0i7*=x;eBoL0WGZUCSxYZ}Ct%2)X;f1;j^(AuW$88vEDK%7U>RsHO0h5&Jd(d~ae{09ER=+=4AC>o811LnWe47+6V}O1^<$&*Qt2uvZBBCO1WdK3SCDmtnmb(q z!?s>VZ|M!ra~77S`1z4s?h?XhQ9+MRIje523jXD-lFjrq{`%a zlIa<7twSX+?n=bvBOs|_Ztq60=Of^Czb`EtPukKr7HNYmSJxf4TN3=0)dfoCHaz%if&7Bc{ z(=PtM#mBpC}&{b*%#T)$4t)X=$9_=Jr2{0sE+hFmC65 z@5Du)Zuj>=ExvG8t69pp;NE;B8xO|xV%^%Ci$Rod+L4gvJkLd7u|05TM|%LVqZKKA z15|EO)2pCJ^GmzK%VwxtWk=6-xxXE;ZfjI}`Ykw=NXHLj`r;@&w1vG)Z^q6MNUjE5gEncqGW5S35<*xBhNCREC&&vtH+!pU7TLJ4CSCgwhr1QD;w)nYh{I&SWL2!=8_1s z*toj4`j!`mmTv56Ts@7tv9T5+KwjDpW;pNTy@~ppQ}clDJbyDeXw|Z^5TP8KD>mb| z%n&qBlE)lWk;>Vo3qaRt9jBJu8mGyjo0n3-Jh~HCJJmaPkGm7opv545^rmNupKFqr zkfx3|f=3TlAEK~(!j_zE%)8sm`wQV_;O3c?>57i)MOA*0(Ef7A^LJ1v<*d-gFwoiA z9D}q(sXQ%dzxval)H{^bWYGK@{GX|Nb$#aZxryOE@%8v*${@lr{j+?m6fBZ}EQI#e zKa&T(IAqVEJqG<6i@9)=9_-F_Eo@Fk51NVRR@Y4A^w{oZb%zTI+0!rQWyxo#b3yJO3v?CEx;tsuW;i%fxgh56{B}FyGO*6eX^T&s&usvPU0vlZasO(;y_v0cr`CUhs zn1bcP(kAtKsp9XV6CCabsd_UUYC?`v)Q;1KRozMCg8Diac1=>%F_0&- zUNcr&7ok|oLu;7+L?_ub!{FB2PN?=?pS-zxnp@JfyhNvdhhDDOPakOi43k9sWv9!8 zJ)CBpsAD<%I@@)DXWPoxeeg9=KHdxL9MLiw6c6;dhgB|P=3<3+XMcI=bmCeDYPFI` z0~@p^8A9H9C8JYrd~M+5f|iYiIl9k;@`mXJ{1o|VRCPqKc7Bf;z)f$*S(fXRXPV%0 zb-C4=2r>|Fp^NZ8`3TLOT-&Dz0PV9etSvtZc=B)<4EAl<4`6>6+hY#*hP8bGyB^Bl z0W9s8optr%A*@{8LWV%hlScw7d%}xbFy+%@@-qK)J_B z%vAKtL2Wu>xg{ly0W7t%{X4hsPZ)j-! 
z&oBL}R)6zjZl6EjdG>dZnVM4KvEL5FaPo-x6h{PXV!;) zDeI)nO1VmxopCGp!iN&0kSAXx@a$^;`uy^n64XEp1{U?Kk-o;%@$u2CZKVVpR(nmJ zHS95E=NF6m1WAKr+8HDnS+Bd34CJy$IP0}e-Oyix)Ewoy_n3@K0Ol2F(L`qHsuEyv z`2wdN+GNZ(RcT80nTH=eBih!q<16A;-f21+z1+4dl8|{1#0uw`>Fq`>v0vBXdO~p{Ahj4TdM{Bvrk?+rhVGI`r7N#9gfq~xLPOm zdwbjg#;-SfR9m%gd|AE{)Oml?4ss5`Tv_s_+gNETR^ezGITLIzdA=9fay9cRhX3Bu zKWX=0T3}_`mzhwTWstkD>T37i`B?A%sw`dpQPl2foG*QWtY=qBQl$`j)Jx9eNJhWP~y`O=%{fUtDb z?gaV~(|TMT@ySbXtWAXDj2m%YlSy`%F&}kgWU?13BD(=|`FA^x;=Q(u60Z{%J9lVY z$33ut*37nJM*D;f?9#Z`&CYf-#xbl)ZlX~>5*xq1Tx&QU*kUZ#p5A6fwbjHnZdF)C z&M>iEnlxx~1S-)8pPEG3%+{T}E58vPh6P$Qi$zbc=JSUksWA+PwVsRxQ8iRb5reoxcNOUX#2kh4zo#k6R?fZ0jrrJ(1;XSbb$3vWAeF_H~qi zC%F0lM8LF%m1^6S>yq(1jC4C>x+0*{LQ6F<0W7#}+@tzC;{vk*6qzrp%BdKSI2$h8 z5J6&x$7)=`%z!sf7hYnIc^w1lt%-iW$^a;ymM?G=jl@M;=w@USWGutBv0im*{4TJ! zrw`v%e)B?CXD;A&q7dB~^Y!_4su=2Jho|SpJ`V|(h~}kNz|Bkzln>TJr(P(=yr}Ss z;#gHkVFx0609r9ol*~|q7CVAZ=ti$3rgB{GIfJyNAy|noPlI%+jIP3mf1zhYS20;7 zO%H_%&aK3WgnSDSQkG2%L=`Y?EChvpu$t~u=QS{XX7B!J1T?1TVSG;49#+0#It!OsDsx zfQXL`$yB+v7G=C*UHr9iaWHt#orwM#7VHsM9=4N1hVFZ*ficTGt`qKKIeEnOc3!Yu zdS*#5uWOg2PCaG@6r%I3`<(myLa{I zCj%Ry3j7^E3@0Y&b2?=B^B;NeKd`U_9O=kRitJ^gZ#gCCzd84d!L*Y41qX|iBNqLp zqFpF{n`Lp=N_eX6B1Nof`~c*rl}wF0TTPcdFSSwYe>OJ$8EFdH#-V^fe}#zOISjJA zWc&pC-`pz$>mfBHcf=x`W3YClTu|ayhIOZ|awD-j&@^hJLMMsYk#LxoZlf_+_wu_h z)+<{6Iz)Gi3C-gGs?q_s^mq<%YpPuyb_3wsP(*DzB#X{DoTyO?c#~s=H7b&?R9hp# z6pjMts7hhkqCjj^+8SU(^9%K~4^tlX_bg;;kc^OHRo>rpmf0mDI?>pO0W4WM)4ZkiMWN(PNi2nD#kTuDLf1O{KECu3wVDhC`C`O!QW|P2osgyQ-kRZ>L2%=jsfwVlOi+0G_`nIM+6BUuf&` zY1Mo+?xC?;wKvj@Q;QReU6M#1`akBx zIkmcC2SBSA?{o7!{IUNx7a&iN=?n6(77cP42IAiaf#Ej1MZpbx0jgPPe3;g_jhVE( zI)^sBt>e%tFsEixr6IOKFb$+Y=rdpeCngOE@1@9anCiR<-D@ExiH=PWUUH}o-GDY3 zx{l^3`kI7>6^8z5y)k11>acT?@7eWvd!ir`4dFT9(YAQdr3c z@G>=Cj=)$FkD~O|z7MLc;hCGON=um4Pioz|)}SOmU!!~Sw;yh7G19G@jG;sYx_l)Q zZItWAa$SI|4F~lTicN}RR&L63fPiiUx(`JQF7)L6sPDfiw}<2)&(WHJj2Yo4lu6H4}7#8012FE&a!iBgiI%3YVQ8@;dVfBcqwtr-yBBDvJqx*i0{8Of& zT?o0X%}7uLJid)qEoM5BF%}JA)zZcU-NzbY)Cpyi=|qytdMz6!1@7OSXg3;T!(w7V 
z)@a-_fSMf<*VHmJrQ27!gUtJHC#`Q}B#KrUIEUhMGR?tzA2Q(vg?fT~k^sS#iVm!2zm|2%> zo@ncy}@Jpn5`GbQtWGI%%jo zqx(cL58x>2+i#u~x90iHTlba~8(PP?2y2(x+K1Nh0GqaW_-L~IqoTX}4U9|l!NyUH z(C~3+jmc&3k~#Wm_s}E7w(QMCJ$_MY!J)b*+P?&*f6d#CzyJXM9_54eo5d->_mVsyd@x!QGJxSbf(!6s^l_qcF5v&D?lv&nju>+?AL0Mx* z3#%Mp0vue+5!Xl^Vg19Ri!D8wsc?wA@6&EJ^1JQY<&F)5H#%;m zPS5k%(|oq?WUMU7ueq+ukyMti*u%#Kw*vdb7^`d5#`H(MBFwsjEOc{JPt>I>Q_M8c z|M3mz)Aq$G)ptz*8T%pj=jzA7PLNjd#{d$u(+Ml|v(ovsb%qAoIsV2C+c>`%Va<;o z{81t@HFTgl$^q-9ZI34Ld}f8d5p#gm_#$hHKFqhuWt155uI09{@+30isFJw9erGE1 zUf?X}+<|nnzx?(%Nb_TmHsI4Y7rOpQ^QWSs4}IzTd zZ`u!RCMu>sqH=H`|KKMx@5ismX`lC=zq!Fj*pn=M34XwH5FIvfpdae)r@a0?WL6km zi-~L;pe`@;<|xzgq%c zB}{!jKM_YcFwh2K&-II|hYP(L%j8YX{?$0h;7%;$^2$Q17m&C5hH=~q0b5S?;dhVq z+`hTqWi}1vsKQ?iSa@xaa}Bop(IfA@;Yoe9Rjd24kZw?oy85x3%cZqHG@cyY zNs6xrGNQX!IYtwdIR@m*WoP<}J3deM-v-=3`pT08{omJu=Ey zG`1>sAw&$%M+Bq%M-zE$-p!y4@|e9|)*@xG$c!zMxeWM-KngN0u;^QgSkGl@T7Jt# zqj4g9DNyOD;A$Mh81tPf_`%OuQ_JCSjJVLk0%N3RlQyO$(a|-!Qdn?08mZgm;Oozb@ONY(xWWTrY9lW$-s8|p$lGY_@-l@ zS3Q?9MoI@v)$=N+Kh4ar-OtmC&jcp|kv>GW&I6tJF;RhJV*$iww?S9dnQd5NYS9hE zp69}iyz}R_HPy3p3btIqEob)R~Z zPt2K9=IY`D=c_(#Zj*nVA4q6m8@>h5DQcIU^CZdX>z-ZzU|+@y^Xhkk(kBX&KjSa1 zJLuW-JGtm6+8{*4YuaW0NbGI72)Sl7sR>YZu~M;g-f&BksWJ`e4G4A_n5Kga6iU`~Ug?PTq;>q6W{~h&V7(V=D=YGPb z^04ln+vgB9jKn(VB}V-jyjS0aM1bv9eKM9(xQ5q=c!T1^As@T_@D0Gmn=hBVa{~ie zadthLtX4^;n7Z^16*4|W!E&;LoF?j`+*OF=3iYUD>7Sn1qpcoESWktxmo^C**U$F9y~EG7H%R) z$4JOyL@vVq5R8Cpsc3N5{zq!qzwU@kvpeO zPXv)u<3;Ypz>-T}_aEVPTB7ayB!#_2z(}b>)_c3HUZE|@L5(fGTV}^ui|^Nk?^+fp zFFcSMzXOS~9(PdvP$D46N4%u*?$&|tm&O;l#NxT`i^ph5qj1S5ck9MlD3h<=RCssz zHB^xc`Yr$`DP06UQI=!<-5@1W$(*}|`Ek>Vi?8T}+c)Ln~G3L^Y0ClbAmId$?Lr21*c_unG6n75~?=kzkn$9LhLDEqDBjUGDIg;_Cn5?Jc9? 
zXu7u1!7V^=cY?e70KpPm5(uur-Q5GhCBcF_A-KD{OBmbi3H2xEzQ zIC9oTrthq1Zq}z8QZIE{(BYgXGu3Cde!Jg<1gCL;ii_NfH$x$*{cq`TEZrfzLT$U#9pit9awjac<7#>^`qm43FP0)H9 zS!S6x&S9!ae$!CJzd+HFaMVX#*4Og%b|^uJR#z~`?S;ul=?_wn%hAV8cloXDPIVHS zzGIPFjoQfjM!r2e9o{iV;(kjEP>jAPMOekpQ@GRy+*k1qL9xF@=Jkv0h;D3HE|LW# zE5;hX9y5*Evkd1wM(2!$-V4>SBA(r+TI%haY`I-J@1A;A3uZdxd3?Dm$S_hNerL-f zxgKFyZAgTB+kE7|B8YS4=ox+TQ+m<81s&dP^nUr<(gMw#V(aKRFC|FoYwOR^H@HtjPdwkrlO^U1^sh)EmTQQ|8F;v+g28e3@r_%{BfRL{&PMS zz3r|N1&F1J8%fjrPUELFfv47^z@sZe+wJ)$&yV`YV29W{ZM=Tdl=k0-OM_UUn(olb zj9WR2zHL(#kFeQq!IEW0(OqPe7TX20A3T6_PZ29Qc>C{tLepqPdW8Be1wDbyUW^vH zd|eV+j$r+;Y=*)P9T~5N3zF*2#%A5GU(fkWx{L|l2OBanFb(8Fm^QZwMKDS z_msGSnUS>Mw{`?*hp-?YJfFy_U!5Rp?VfI%hP8 z*Co*kWN;&Ob8z3j4Dz#0xB)_Co2UhjsjYC07FOK<5UntCC7hV|pvFgPTL!~gCK(M$ zbkZAx1dO(fYQF)WOu9BZTz&-_Ynb#|Z$Ty9Zr!+ed3&%w2$61vA3gK9nmun`YI}Y$ zE@QniQkoyLZi$8z8tPp+90f8%ET4Y6%boEI%x_<6s^VU^OgVzDw(qYnOcxeMgZKG; zkL3*q{1?BqTzFpXlkXOb3|%;qd>M`YonF~@y1eh=`?Y1o?NGKgdgYWbZsi;C;mHg_ zOI=S@8T@SGYvH;}@SN<@?f2j5>+agf7apD&u}k5P#;hYFHQR5FUrl(im4-^~Orx)`vsOrw4CA-KTDwuS{j{?y)o$XOu7R(p=n_1n0@iAi%Wj zTlc!s>lW({>xsp8dEROAUBcbzn;%cRn$gbOZ5~6*_sgD_Wo?g|MQcFK5Z;>dX#J<9 zV;_Y0fglVjDe_mZdKw;!eKI!!PJBb?RrB?`LowKr<;*NCQCw9+cRa>TyL;!Ya$kY` z;LShb65E_}r*OjspOd(ITeI2Be}em_-k!Y6s~O!BR`ii+Ruguhl_B?IZsy$=PaVVL zu_hJ8!pbnEBw{Q6!MO0S)SF^%)hhqdQgX-CunSpLBWir5P#P{lX}3I?bO`wf=;=_k zkE)>tCEe&EPi-8pe($H;$Yo_3>PX0@^|bMB7INX?Td&mf){n%!7C%NEW?;P&+HxuU zFTVMeeg<P zHo`1zx~nt=D^d8wP2S>nzpBez*lSsex`Eeruk2A{nbgaYNmqZB$A6c^z{7IgdW_$r zyGGbTsze06UNQ##{Rd9metZ;M}AC6WJucdo_imBOy41eW$3r&;nlsOcMh;)CBN$zHMj4)rAVST z=cNpsnj0{d2+TtrnY5bxBGlBsb=p0)ARXuu?|6PJKL(>=Tx;Wvo2GzL`NB=@1=BN_ zSQP7t&S|v8t_VO$q3Y?$bRzb6`L80r9N+aXxqS?9>XA9<_j%b#ip742(LP-u5D4V)uWrO7DU$++#Yo<<e|AEt&yS$d57WBx5olCC3tcQg~`{=*LE~bm}_M@3H zrH;uCl#s<46KA!H~&cD^V*WYHaUx5Cq;%?pVMSx|3NrW=9Oq+qj_ zfdxqIOCk}oq}vHjT$pNcsZ`aO77YDy{Kg&$h~>qo@_~K+DiCE@EF?@4ko}NvziX~- zKY(zp-lyA58nr?>3&jaG>8tJuPn?FnPCPjd!ZGXb$BJTh=O%z)Dfm z!Kmjw6Tp!MwU9P6Cv!e2GFO9=6z!;EDQZ~aw1C}x0hOXpoBTEXPV6hu9{a7uH`1>( 
z-gbAe?#D0kqpkFEziL~822RVxu*UZ(e%}$1!&0D{ag_PdbOhuBBN_)*$>!x1^g@wM znPbrG-dW6t>2+-dmNS)5Pd$gT3qqCE9CY|aT<}(XkedyHaB@}IRWdM!Y%p8dgeN1- z&(+D7V`y1yUoTGMyoLL8d@l&=#fo+&?5Nav(!j#lKE~zGcaAg7Xu|)Y{F2KLNt^-y zf&#KrLCXQn%44%G^F#z^xL%S(r;~2S=w#X|#Y?VtJRNN+tGN1M_q#L;biJ&-CBnlZ zt=)0U6A;sZ8?vS#~*#2=Oh{Rs1L zyY`3x9~01d%K(uf$=*)~+=r&$3~n7b#=qoaOCso#puJkwrt`$qQb2tXL%Y#|N~W)I zL*iWE(R*^19S2HD{GJ13^4am9$pQ5@flNFGaP#tvLF69k6X)p`K+ux!#+4)xbn#1t zniQ!zGSIpy(b2{R8`ujrp!w-;k5|m0tgQ@XY2Xym`n%S^O*u5%basnqRso!#!%teA z-|tAq!;ec$Dxy}i;D_W%G>-aXwe;Yw*b3Pi)g4BEl(GulM=GeByvq`n^(re4RToik zT}M3Q8ffWICkh~HDV#QCrknanUfK$CI1#ngoB0+sV!J^h_%}-Q33AIK+mdBzMf+W7 z+1LlJ=m;Hnk*Z`Moz}S7n>d9ARK!+#Yf`2NmI|;eszn%y^Nand8Hh4{YPA_e1lXk<&MLM^iRN|7bi@MtBFJUIb1_$fA3FtgEL93{V;l zMMmAl1#qk19zWsYKeXb(PTAg{6q1!U>o7gJw~>`d*2I1O7_PldML~jMfqFKuOUY30 z#Qr^(i+X6D_OaU6!cI@PK?NHT>jBQO`EmXw7HvzShEgqEzsLe4*k%_|-7&|@$uTo~ z0|T=6R?wiBF%BKm&LPe6oeH6n+NPsJn-Z*6DddshgdMe{{jLbPh#+Pq1KV8|59^bs zqZ32EGf(z`Oda)MaE3!*JsRnD_84N$2SnXQsoHQoFNBc=Z@mVRfW{t>qlb*5wC*%!(5eVi-@#@gcE1@4x)=C_ynx(CoK)L0?nq6 z&?_}}n#el3F`_uOUaD+xYfjuPlq{{C<6xZAmPZA;i|Ef#ez9hYK2V4-=W!E?52Q`< zs;|HZJc*R2GL1?fGcayA8`(+t>Qus2U1!g9o_960roN8D22ghL=g+*gNUV1{Zr9+`vUMU4+{Sk**c|pq#U3 zWpf+qC>@u2%{&iPC~nnsx1}^{V;{so1+5M?>~r{#`#rbjE#nVSy^436{GZse9P*rG1p@jK-Baodu63DTlx|-r|^)iO4u$D91EsT(j_o?yuUjs3>Wah2&@A z+K+l_Amidg%P{7*FLeCTAn7uK_nDW`|FwfJ^9yr;4bzc!1${e11p zn+6z#nyBsP@7CSl^l)Ks*l8>Kare6mKAqT;skP#Dook023Qx6_dzDr(_~xIIgt;oF zQAYgsG3nt=Qulx!HO|Mf332WTbh{_OabkQ5D17Y;#fE7~hP1L$NZjrYk>`LwO<2p*K)lIa(6C146Hfr?bd7K6UrmRk9(DQT^ zLD#f&WD?zi^<+1fVs={W9;|Ptj?l31QwSc^YX`F;sbUXLvLrbOwP_SMLL5 zb<>|fp6ui|R1@zLX(L2jr}a!F_Hzgmtkpx*x=)S~K@(c~7bDO;5!ieqL=0+w;*Lp677xpDIKh)lh9Qk^M z${$6U%1-g1j_vYtp;PHQTakRWLb!wu#>sbTzE*Q0T%lt^_T1zY=3l95j~~iPO5qn! 
zYvMqaY=*DOv2j2#kv*g6`#fA^(8zjUr!!u`RtTl$ z@w}IPG#ek*LnXFAvy;;gYaTgQr)sFhz%8SPd9L(A=LIAh*t9otZ`QgTWuFTn#$o|z z%#w2ZMjhzM4rR4}+GVIvi*4=EOrq~QyMvPqXKI)>|7;z;rqWrh5Pqw7>$|OC z*~55hUJejDYk?{0mY+nQAg$9hHkaXimeUvr{JhmTY6>u6Nu)u|3Vp#cTS;=WdERTD zZjv%3(EE}vb3gmcu`Y@<*w=mMsC+tyzOV;6jZ3ep%&VV}iPu@5pNVd2t3yLCSWWbW zlWgbI3`@1b+mK1Gi$~|2V)SvhX)>8saRXz|0SuG`TG$&?QBypt@%pIjKjB8JV}%FR zf;yb{JA~hcgejF8`Qa3l$O!Uc2n->O7!q8YTyP|2toVEH7yrE~fdKE@!}dv}_L4e~ zdXF>A1I+c^qwMT?J2TrN@67h2|CIjCFTO87xI5u-R5-~W7x2^@@qx)I&Jr~a_3B(E1H$b^l)7^JMCj?-?3j`I9gPzr9ugX}4(4-S4j!Kx14p z!f*i5acH4OREj|j^gJs$=Z9Bx)X#8d6^q_7g4W#oTH_Mfb^fhM8cTOTHGAkH*m}Fi zcz+9N>#a7QdPzbO3Fit^zyd>-aVXuufNXEn2Lj#R-r8NC7-+Y6-~^^y{$yY9mK2&t z`Cgu<6)vY!alQ-p4Uij&r4FlVCu&cJ4#I-Qb1F&uGqNPJtvuIO{)>O6-LcWZ#q>qt11 zE2aw(#M3JF0+^(?O=5a_)bl0|nDYNAX!&O(7l!`QzrqtTwM+Z^&Ct+Nb&NL{09^X_ zaLRd}r2nac`TRGV2nXii?@8d5Lf`Lye47sTe^qD=_JjJLUw!$E!2b8ZhK8U0_l`rw z|5t@pWkdj1{UrD zGfex~6!V%5@;`M1p8qO$OBlm8Ege3I7cN0K{{4L7;uT<`1_%c*rQ;3W?PyI)0Pv-i3< zR(3@d!?dff%-TPGgNh))2^O>^A-K$Byjwi6FDd1JzCBchS(t;3J|7fVngz>Il?JiviEy}QSk7!0m8sKTT|G$ zt+K(+1f-`;XeY%dta>sr(*1C&*J#z3$Ea=(Ny5PAWf1y6Hn;sL(b9h8*;33-Iv)oP z%J4+`n#fuxghYI>q`?c}3JdJpXTS&kz#HQG9r-{1uS3L_GZ zY{ljx47;t5L`?!Tbae#=4FR7-5p!F&#zr_{gDEw(uy?k30U=1+$IHe&q={@s>tA@D z>v+ph)ZtHlnh5G|*BhL5vD|ML54DFD`o~CfSB>dNcRKxZZC;copNG*r!9jf>KPUh! zhE%qYr4K!1O-}{H5kyU_O12kA>DN=u9u4*#5iXGi)^FlEX>Gll+p{QNQes5PFV6H8 z0bC!fK%5X!cv_LUm6-@Eb}K^>SQZ`U8Ro+tb=|akN5M@6w^U%|CqOz-qO)_#l=R$t zln*Ye;j%F0U8B{+*e?zG!$^QfF6xVz_R0I`mUH$W6JEo)#5lN$i0t^?<_i_I8Ts9Q zrBk@BNB?$(6|TD|j;4q-o;l=FP)!}p1$bsCE489}t0{g~ca+Svvb>5>A*h5q#ehy_ ziV~weV5AgdZ@`}YZ2jk{%+WyrYKMZwOyJQBU#=vhFs&E8(jQo;@^|5)c9=vOt|(7! z(tB7P#)-&LtCpbk-YGs;bkV?hvXq0^8o;BEA& zSSxGgm`(xwKekEN+$j?9(7APfU4KOG zH7|ZjfF@I6iGRgd1PU9{V! 
zFPzVt_m`sI@&9BC_FQ1AJkknItt)jdfdF|gWWD+FsPB8~yV(_@!BHBu?ajR6c zeR;t7IQ95!{A#N`>IjcFj3IZo;<{V0ru)FtzrZNOfH7-Jte7JLhDVBbP_n&fyU3J8 zdZ10h7~%EGXrh^~n3&)_y8;%T(@ST#{@_(dUa&SpSNut#?fC4@k=p>wrmgkA1s4V0R&m}zK*r@pTrtM zNR5>oX8tiBx#Kvg9{WurKFT1j_4!-^*X!^fKC)>TJZ3Q;XFml$(y*B{;!~naMi!is zJrM_n^hP_B$|^;RDc`~}E#QexXS;&mZ*7wIoz`c;402J^jCQ7^a3^uI`&kRO%1s!U z%cCY(P(hkIp8M@x6hu?HX1`|B4g09CCX{S>heekFUoBM?@t22)?xL%JmGz6{227-) z1~X*SnhY+x5f|^+aD>v3|Jcs51=QSV2Hr zo#k#NfcN}opx#rm4HS_)sO!Y1&fguDqk|sQgH1rBLk2fG76DMfGSVOaSL|X=K@tIH zA`r;wEa#w{!&g*9`t?He@dbr*gysK-(B<8DXlJt%^&YWSn7Pf5JQ*kW!(eAQjMvoH z))2_G&%Je6k$x+gFHsob*fmQg&|NsS6h*nc1ovErSONZfC%lO}zfN{krkU(plaZjV zQ+ak|q3`4Tv2~g`>WODL89do?FvVB-FF5f9&O-*aKf3_6kGR(|hW7MFalqCet}=B` z@qD57?wFdPJjonfuk`JqgIJN%y-@j12t>+Yk6NTI5C+k*$d*I|$`271wn2PjZ-CXV zNhIe4AFlK_TBpW`TW!np&^;3pAfRE1BM$x7H&9%)8NCsfZi^kd|C(IzYJ*PF02c%D zgZd#petFK*Am}9y+^ldS2F}4O0f521L*5t2#7q1W5!Zyzf>NA4$7}{ zPZ(SyEq_W-*Pe@zXYF}q^lpuQ z$1ZPP7(wnfhppLq*$=O~N{R_d%n z`3mjbTAPbq-Ivm);eD}OeaIWS#pho8k2{5`hq##+KGt5by1Yv$vOuYgClA@N*n`y2 z?dd(Abl(?hf@QItH}={n0~aNu0~q@i$P0oC>j^Wx8;j`yk8qiqOns1xFL5Lx2eUnw zqsm?N5NtblmAyI3a`@tMi!!7tuM68VbNzO1L3zFpJl&a>S!m5iFK%m$HgfeS^Bdr! 
zYqrTB;>ipcD^Ii=PJVDE9W3(55@!iw?SHdmdtKz2#28x+Jh1np7l;BGOINZ6Psv2% zJBXz)ejY3z3;nC^9Aa7z{1~romICoq9VfUP12vY-r?)LD&ist}5|!Th5W5d`<7|D9 zp>wSnsif$2XFA)k|H29Uyl+st+FJeOpy0{v!I*X*{R3wEw`BBHt0_XMWO3{uAMC=8tA=OOc0#2V8I>3eWVA2Sq&^rMYtxcNn9c%fz{Jfe?}*sL2SUJWvnV?C^Sy2rzbWa%rc#q;*n z#30g+FYf5%CHJ5dLQQ*@+HIixPe9AB=U5oq#{j+DcU$X?n|T6b@L>IftKnja>$>0` z^>(A@alKxxkj?M3H5+)0C34JG?%sX63%|26#c2wp;_^M_8u9Yku!rEE?I_%Z_V9ki zS-63@)*4|cglY9l3~I+y4FRQ|ieh@IFce;luo8J&2dnbZ<<{WT3d#K}RqYHCC>gg=CCYrNa3G(`u@06h)GO>DWKP|B-$$2Ay<6D( zy_Wh%k-c{;`E(h!d{yT)k-ofq_laFiFaPzQdz=Kj(9YQf!b`1<$?ie$|Y2$NoZ`@?re<|Bkz z3eo50!4=Z1mo4LkWby$XwnTEWP9kL(?z}Ivl4-cz|YeZnpe@{u%AA6eNO9?AH#S#A+SwNFVCU76x z)^t#~9t}j49sy;nM+l1CuS(5X`IgWUfJcN@FV&U!gn4nksYh+)#?gy|jS$l$!wrEa#XG}vV zXsO+Cjw-I?Wp9dLcviC$3)?t$G}Pf(7}&sx5ydLOv%C`6gJk2aER?A6p0+jzb9ace zV`h{v%a-By&wP`Nj`2AdPQR)<&6wrMs2(IkyVeJgQY%aK27;f-0MJ9Cw{n@g?NG#8 z{OUL1g@}lkDF82rp?n=Ij37u3J4X^d>q*wz;@aIm)4Wk>U+UU!w ze?w~gw2$-XUJh*ZDF1))cI>WBe&i2?#5r`IDY}o0F_byZUgv zda1S6)qc1l*s{hN;wEu^+Kt4y^EC=M`ut&Zn!k}=Ks_zJM)b+3uU3Fs7^_t|Vo8iaD^* zj0QX^W6h^x6@NF`W~RpaDc8iM{fe6Es@?QjTf4ft`O_lyK;f>5bLnc82g{40ATB(% zw#cuupqBFnVJw4McVagkx<97vbN2a@45VK&!a8=h5``pXY-#@?tO_0cVcpbWk^ zp#!JPm@<$+v*VN_Q$C>n1HXnUn0-?Q)+;x8ooA0n0=4FXpGaa?%ISK^w=g|Dz89Ob z#2>d}Pdq{tLu2EqbJwIn26+$}?svXGksp*5LAD67Cn)zx&#_$&>Eke6-_*mtrNpe5 zwSTZDy!fW~`p9Mg54_jF#^i}A{px0EYH(XHqm9>|W>Q4tm2S=y-wY_1mceTvD?J?I z?UhBH8{&WM(TL9OivU{R4|zruYzWuJIusQTe~yLx1<-6nQM;U|G{M&CBA zOpk2By=5L&2*tQap41Od-cXFTY9z?!_m=k>w7netB8XHk;XEaJvuO+mE18J7w_nGP zN9Am>8oVvNDrvhImxFZrYv+>1*rqliipd*Ne8KbBdoj|CD#JJ?sp^i4IY^P4a*8vY zm}}ec+@p3Nd9sYo4??T6?F4d>H-aDpzmVfZ)~2DQrNEvE@x7FX-WS84x=bC2zXQaO_fc;r6moVpn zbX!uO@5O?Pw8yTIkR5PyE?e(;AoFDejd`y~s}laU(;~^k)Btytd#s+buOW#;LPmH! 
zjm<-FI7@P$UgKC1^KBX*%I%$c$8<5wyk9OEf^MSp0`=Bl;DP@(|CPebE2H@aY;Bmj9d1gWiid9OvkF$0h`go3Qk@4^vaGo${~?B zq^1w~0((sNCBu|1RZR6Ks7otq_Ir)glFSPL!wz7-vx!FfPZy*_{wMn6>558pYU&&EZNIEZ-or8*av3^w) zc;tvQ&@X%*T3RP4?9$xM;-lrOJaD=Jce4$CXi=c=BVi{-UY#W7DlXmXj*= zu0np{L@gw=_U-}-p+k87mkb_9k8uBwPb^4mtrfm@YcslxKPHtoNuY8imDe}s-3ne$ z=Df$hYP8@wbe69rG)o5ZF+=w_N5gr%otxO&uCNDNe1Gb+r`0MRq()t;?^g{L7|;-? zgZ-~DhW)?uH`U=V8urJ&*&h=dki)8M5Mb9U( z)h5xBGnCADs(mAy6bGVk(@YPJY|TDJ`}LN3^Y~OIoN`(i?~_R<_*;T`EE~O)TkbDp zsGS{z7yN8n z!X|n(tjQFum;9g~((Q62nitM^D z2~PxSbo(kZLaQ^nZYnjsdZ#^;`4)-cUUoWY>P4`6IVAPjX?8|a&3-nURYooikt>$A zGC*@!cKQ($H92Eo{+YBG`IWhH_iysXSF#fcRml9F!QM{Mw}`|FslnW@V!q^jYBhe3 z82OU|>1Y1{hGX*B2Py@*J-!6$!j&KJx`>99Z=-9W8u74c_=4F2Jk1rOn1aLVti6BM zIgK*>7{svjQaW@QRKinjI{3SuIOL6hxyBmYy@ zqWm}W0KdBvy~WG^BwOy^?AHAQMJ|Wih$4!qa1S~Bg+M-0T46;gL6R`TBw15+{P}@A zrrr72=Z6Q3h9<`l6@FQI3%n(H1B;&%z3^dVTLGp z)Mb?1S5YZuAU3_j4!v{jV>F)VV85`O&LUdwi@gmj!t?%xK=JCzT%u|XhBw!1{ z21nz1ji;kzGcOKxkuV)f*E&9^A`g+7F)w)@sP8m&F#F&Hg)jzU#aWtEwXvSTGZ-^X z7Z4-lSj@--wbq9+LxUS)E>|wTu^rHQxhV+fn&?N7^4*I-|+e1$FpJol-1i-sBfN z*ZbuV&kD5t^BS2X>K~&zG$S28WFMJ4kdPF6^#f=Jj^zgdOn>c;-7FAlNE{-dyeFwE22&p63Edx;Q^;Dy{_ygtZ zuyUg;fNT;0H=-cZtw~+7vqAQu-f1pM=7kBki4|eLV)Sdaq;}%tKs04SWl$-FAlpYL z?A~Ysf@z!B1IO6h>5M>=xtD=C^t!Dt8%TrP{y{04`4;^{Kcy+^-U`A)a5Sz64AOGi ziURk=8%dpKRlY6C$Vr#ToL$JGG_owZ@5}W42sW5O+u$H8V%xc;xl9(cMHLw*Y!JZ{ zn-SJ%doem-@tQg3aszc-udL%j>_1QuYknvNCE*d^yWVAC%zOqi>4rI&LW^MrBudFq zd5JpX5hY&#PJLr+I{+-cJ|hwY33i@xz8-?72z~|$!1SCu9@wuQuSVIG@d?CZgfP8X z?z@p}UReS_Lr~J~HrL*HjfT6Z4489gz&4~^zw8gR9gL^i{c<9vA;BCkG*p}$`|5ic z3;Jp?pe|Y*P_)>T$9@@1wj=DiwCcALd|iXzX&LX7(3 zOD(pK)l?L)#!m&`!tXA~I0cZemV8ipBav77+%Fr}wlx3gB|;&fm$E4w7Y#c+r5}m# zShVr?@?T=m6Y|;+xAITft4h3D@DEpqw>u3Zfq`iUh2XC^Ns%K{Nr8-{B@GS= zF)+qjMnrgjmtJr`b1vEA|1X~Au{Gw|GyQY?|Dt#Tv?$+|S3Gdu?@qPBSC>#+EV!9< z9>!YyPwr$^641JO)}siYfqi?*qP)V?e@9<0T@DivJ>D6!hNWMJ*zpGbZ5?1v4JkPS z9>6P4$cgVxHJ0vcR;(S{us-7gD*eBQbsT0l71K|f*Nyp8CGY<0|TdvXG}@n@U_ z%PE?Fc_qS2N=$vS@&)@EUy%A8f}P}jTisSigi^>!N3JCe`4)tB;rd 
zphM$`D1gxG7rzaSUEhsZ+&VAeYyiDb}GgH zckRJ1oN?-)ESY~VBpU=UNSsfpjR=T7%6QE(XM;p$4$5!9+Z;o2s|a znW>XOg*hA-h^jXy^KT>Y8n+2^6<<(9w4CrC9gln-se_NkWdSzugBqR2Rx<;fo zwz8HNRmR}*Cqo+ih)reVh`@jaYKJ%a4-+CL6Ik`K1`vY1(qyRC2(`)$_WJd&QJ9re zat3&d;%7ZV!qq37k1E$U!jhtejlHF;evC+ILW2NA*sNoX2U2MJd=usF!JPdigOhjY zZnU{ZVwQLwxh8TKWHf-dm!hFcc6h+%^*M#UW*o!n>x!R0^_#MAhtlY6)W*Tb_+M>1 zW+*f5T8l}ZQGCRDr+=SeSWu|EgU8nQm!el!PfBz1DdQG0uJ9w==jt#aDQRLyrK8y0 zMS;xko&{-K$rP|Bg6bO$qGyfL1pqlezKD=nMi3JFNevvI-zXau9$Ti=CmV2SABtWn z^gr78@!W=qK1lo)uPNgxr1R6S*UX}pD43R8V^-YzJ+Z6IJGIb=9Bd^(&j(90xv`WY z_0x&#Z;Zbi2a|=|^AM?E4EwN@ED8HLv06S$S;H*>b^*bRxNi~?d_+F{M7<9;g^X06n)0V{yElgE3nzsdx-bdUqv$_KcNS2_481h=6Xb6;z9r9X1hd+ zkLAI3Hp&8|Cuz9JA%6Iv&>5o&10vkL>i)7S`Y$ZGpXZi$sYYZ0_?%8EUx5)R%rb_@ zoTygu?N!=-%Z#5yh5Y9z9*KSB4{d}?;l%q>6AxY?oU~2(nHa%or4K3j90-DceGA5f zQh4RU;iVm(fa%nmq_Ic`lK}gfUkyTsQ6l&%ZIQ=dA@;?Q`dUa{3ltdAh z;rEbaUsquLkGAXNn+ji?e_5lfE8-mjNn|5|Rg!Dk?>{dd6rVf%HY z|EODL@j3_@s%3tZOOyt%m8+S>77{%k!h*DPmYpXQ{__LbN`F>wDFVJrfIZYJ5@sMJ z0IeF&j8Y>IU_YL{U)JIBpOpz#?DTb01YQvH*d)`S99%7(bjy}a<&T$4U_Eo;zjy6k zZ&FAkDnUJED)AUWBUgMZYEoT3sA3v~N?7=**2KV|xVXawG!RHn%}>f6rl>KF0||AB zNA^SQZFc&@X3N68dyg|;Mg1*BHnyIgbnI3A*Ao|ZO{i|veDA+K&x;fVtc_cv8#GrOaV$sOp{b%4KGnq)Zm{hvTCt>pGHXbJHu->SqKezts;q$tq6K z+J@w@j9vBr7NH75&&wKLy*t^;8F}RlwD|1xfrU+K#3rTwB1881YBD1-r|)4RzBMXe ze_wFtPBf%=pEEA~TaS-c3jaKJTOI!^**Ghjahrmj4w*YatUS!$Ys6*&Y-8dCGcC*< z7#a|AYm~P8cQx zWS|;7gL;7V7oUU*kJT(ir_{2VKT&2Hmr!NeiY4<+wk}QkU#j~@N-~R}4a0BD)5v+g zi+0oN1J-(dR8Eb7?gdWYauKIfz-ME<&usDGj*AaA(oSD3CMQZkhnkAR?tS=Xsmwu- z;4ycqsZ@(Ns}i$UtR!ZQbz*@4h_EyLQG1188p8>LFH;1{;ow>Ixa!k5w=XaT+dta3 z6b+VG|Gm>LEI>lSHC&ikh8a*jn3JVSO;yG%!wCZDYS1%*eN%V<3xhln^h*S^=SB_T zLH4(Bq-x}xe7UVr>jFhkG)QmuqGnXImVqAincMbH+Up@lQjy-TXzX7IwQpC6jp`zh z^nvckNN_~q6784}69xC&0`h4*F(mdsV`k^J10;xnDw_fgF*Cd3VpCzapUiY2 zUN?aq#MAcCn~GoQv-F5h zXLB&dFrCqdst!TAyYpa)y?{CSb547>Uk$RJ(r@k!w)aC0Wea;@c6>P#W1((jG(AIY zsi9HQsn?Q0A)0~I50Ov{6xuM)>l#SjO0VnF_`UkiC~fSe|yJ#+`YfZj~PKo=wB?l)8}Dn?+<=%Lllo}AdCmuUYRH0-($AZdXl 
zK7FHaa67|Nnqnu`mWM}B)LC2UN4UXrV!;?2W=o&CHFs~Fs9hl0E$!aJ^&2QqkQCr_ zw>+v#m^#kyveMqQ8l6fcLu(+Mkc!RyiEG7dA;vfvt3fTy#|#(>%$-W6sxHE9>x0X=~+%HXS+&U_a)$zh9CyJ3NS%cqieM z!=5-udwgKoyEY^0GEF`*PB{>Z#_s)@v96JU2dyN;!VbSP^jXAhR|p?Mn}?7O};&jjvB67vurw@yHv6yr_}O!DE=De2MKD);Wqg; zoTrsfWy+Pum_F4H&_3P=$m!`EgEwB5rr@ZnAX<~*hEL+g#*fHkL3!2t9sJX693-}B zq1vd=?LuD1YgKpzz zFTxQ{HdT)^`2(P~zYQh_&Q7#IH{pU0oZ}r)1?~5W+}mSw?9eM&8t&()zHA%p8HA+4;J?$a4I)4}KArWO5FhVKFATY^ z26DS*8~r5F;NN)PT)si6JA1=j%hHJI>1f+!`*h(loWVgjX5IMG!-O`a;;u-I$=!?8 zXS+`iG#b8KP}ZN1RubdA`Zg;5nq zgn-_)5~8PHVV}ICULH)1o-}Gd+M0?z9TZE&S~z{%C6+~MpH_C}eWPzn&*qHWOdHJ~ z0w#u1`E}2!G9CbSgPkN39aPKA>nagpw`*IcA7~sXa&t&@U`scf4WG$T;o&#acVGV- zXYBN1T)t6Q5%C}Z?!@tz9)e$TbcDG32Cv&{daN6DFZaamRCHu7qbEzSHUy!~7eP_v z@wGn3$>v#FVTNh|0aiDy;yp6Kkbl^xz-tyiM^prZi>k*WD*D-M zyqa+wU&_*iHyvqy`c)aoSFKUFUvw6D-RC@2k-KKy-O52$kZx~n31{~kFJpb~Q=mow zXy|Hk`InArOl6m}%_XPwL;&`^ai^O;!^!k=e9{`v{6ojEsU5?4+lkmO^iv)Cw3qe1 zMCj?z3jB3m_(h5&lIP|itbfC5Cmp0a#LML9MM{)XLAeYeWc52?NXWsk*ug9}dQm)- zbmn^ji`&4Jwm{k;ZK&nb7vw{Y&uz)e8(4~3}ii6H});s zrvssUzrm|LD4`vyS!R+o5#4VA^i3%^XDi@{>4N1BwC%#1c(Y}0^f3mx@86@+0#t?l zBTN5HQwSA0N%f!V$Rd=r+xVQh9=CtLo7>E96LKIJSRpN{Zvk%$XxjZQQZrS$X>xoo z;}DS1Rj{P`(let^S9b=*h1E4rZ9wBO3SX2gnqYs>f6Inmm*(kZQ-19#y}2gt)x3vD z*O%GPVb1P9+K$EKPI1dKUWRLI(Rkvh-JqE&yaD_&hIGAUkLXR%uG@_4qv!4gAEX?s zfLagqFCwvo*qKh*`>m;0YHeFFswb7VwRctvzLnoEK!TN(rKO%y_dB<$nOtga+6}+@ns3o43QMpONPa#!xtjQm^!lL*n@|9HHcM` z@YV3)j`%$U=f7d6O4Q2&dDH zyJtD6Y$Rj7@_nUP7458~?Nz8ElcWD$wN3~iXf1jc9y zS0omlh!}B`WGlm|TP);#5_${LtFL3ic7cpfoL=Agb_+G6lJ8T=Ea>{;`@YZ!;!GYK z=(fISdez2dXDaNBUBUjM^_iUhb4*-pr$p$3?e3A6J&rLie=SGNo>B>=4=uP)7#XVR ziCjMjCUIO?N87J$)X*oLq1abW4PzdNQ=|{3vIyPGA|DK5OQm^g>DgNdqz^hpj`&m_ zkSECD(l9JBmwr2oudA@B-ue7*7$$%ucb{&z}R9Rd$jCGKp%xTkT3em zBpT_lLy@LVt+eUW=iN9eFH-qK)f0R_;pj@&{kKmsP;DW`u!0ymz>ZIdmyL}rg+GA$ zV2)YxFhV}}Zku@68xozQdInDI&0PgvNRkb$9?&D}vX9>Tmk??Oitjt6~IqH8^gIqm{z6Zw|!2CVlv?96UD&P>N?0wNK{BRsbu3vjDw| 
z4oYH^eZ32jCYUVy;dQ$w_Va^Bb-f?<*a)BI{s_p%w8}*@q+BwIBHYyH*8XNwzv$I)d3=@&2J~)7i)3-e_BcuD&NXkm*j?1N` ziLglzLPaxq6(KmOG#iI|@~bv_&wwBNYV+ZB&p*A=@a<;mDrN>f^BDAav713rdN16Z z3FW6{-}kbbHfijKdYP`IuP@l9+K=}k0;FA6MAU6G{Au`uWd2793w#*}L7`i9^WPbYj^B7!;Nx^2DA%O7A) zQH%b>876J!otB@DDU`2-nSNBP-fu^3Q43YoA_+%Lls;@56pdiD3M;&k_8C#0g~ms^ z8|EC--<`~>0N^ zS`OZi+-W5j*|rBeHu>KC$NU-6s`orG8(y<2yaMp`T+JG?$V-0qi6Kp?!K zIsXr9Zygj@w?z+P34~xBf?I$DhsIrkCpf`9KyY_$AOV6y2=4Cg?(Xicjl1hy-kbNm z_nSYaYO3Z`QAKxEci(&NIeYK5*53P&=sl9?Eff%p@f9FH*Owe~u?~5aKhIM=6J$Q~(mh|6 z*IK<}#(6~PmJ$E6a&DC>i{2D0qD371cfu;~i_p5{r3d=G`h!+GfGNZOp6=e9?wPxn zUl}pdY*X`xfqRBJ^Pi2ok2O5Jw<6T#uB8F-wIE^ex^FqWx+#V^ET zNrv3F<5TCn*ASz7aDxFnPluLQKv}KP4X*(_zWRKr6@12CL%M3-MUPuX&yV#MI7erw*hKy!s=ViZF~ zY`92S#uqW~nhiG707d-e|50d($DtHJG0Hgl`{UiCO-ZJmj>F}8&E~xeu|PoPz3p%v zG|}y-4w`)5dnE6V9w2e4R{nJN?sdulYrC(*zbu`>S|~T`qQe{66e$_OcRe=&Zx+Yo zym>Y$MRa&EI z(~4%+z{ipz;r)&%s%gmHbZ$z=?|b5B(&lp5@rXwKk@a&YSR7e*)MtZhy1is)>}UHk z#9Wsm%rM?lI0o2S=k_q!%i;9xQ<4o5&kIg|!bdkBAHF8Slk~i6vb|*7Hi6JbB%*!o z&oem>xc3IGc&GR~-U+HBmmO$5fEF>m?WmPYiWDWGgot_IJU`#mhbnkjzsbt9CI>rqU^ZVmf= z5dwo2oR`0DU8unK2>e8xzn_TP4*1VCiroQ@uUxixUmAa zm3z{nSY$+}$)82%3BK{lsiXFy&!ci#E07H4=(l*;+LxS0i(S{Me#QHNP1%J07rpG^Q*xC zop|v~)P4V$eU&y}XJdrV_t6uxGjGP@=gxo)jN=yEv7AR`Nx1C6fKTz=EXwf1YouE< z`86DD#~`gsk;Mr6qN zkcRwYNC)R-KU(3_9B21YJ-QCYe4glluVe8jf7E;>=1xAXcuXl@jjsu631#)d0gQIH zIm&FQx@TPQBO!Ig&2B|&mQhnKlK;vA?4aKEGaSME!50Tlu<+fptw8T@0gP&`2aiSM z4|fX}5#{}6sbuE0o|F;<+9I7g-Wn-y*KsbNN%$k{JR#bp-bwzwgF{iqkJCM6yR<8v zWwO~V%@>OtHqTJQ)7v)6le#K)P1kNe`X|C_oo}ysys*Lqf~;0FW>xAR_EcJ!8wt#= z2tWqM->Cc_OSne&s^LH33=Lc+h3pVmc6PkiJtoYSm({E5Snh8|Gy0pbz{vtwuF}7 z9V4RFWCcFAc;U9|^Nc8-9N4L1(J8OWLbZ8!SXb6EOVsE5ebjw0fTg0Lfn!K)+nIgKWeFiNZOp>G7v%T_?y@u+DMlGwV;!Z{gi9{C=0OvQdf5|iV=L_JfcOL&vO z;;&QhgVj}|=iA7&(0#w!d`o@7OWZk77UbW;9GvsqHXjrR0|O@RUahF8y%|vRxpLgt zO#sT;C1r;SsTf{mkE|*lkTK+mpDwC-6V;>$jx6V#*aGi70l~}t6XOBTvA1sy{dxPp z?L=gtyw)>@Hu19ePa{*gbIShVX&gjEjJvu?!^64r_kl;3trqasM)df~VS3NndGwIe zm80{3y-_Z-X4@J7Rl)UCwZ@;0da(2`E`)*$g_PA{WmH&`(L 
zHJp&}(vAy7a#~6TQq6n#SZ?1KPnS1ds7eX6OawQto39t?7@oe>|9-)=$4qFH z1$?pY^mEHU7JJMA7Ol}ytLNhy(%oLfhM83V0E1rzVhCh9QsGQmxlfeP0$9iD{i!T z27Iu!B3jHJ+c^@@@M8&spj`8whz1v%bUeEkin;d4g~J!EcoGt5L*P>K8wjo!k3~n! zMAc-Cb7u^z=FFW(+?F$Tet2$#aGU@~2I?+xU-lk$l~gtZadSDUlO|H?xm`+|j{C6R zFiG?8>xCee3%mCjXKf=Lr{}=EY55*MB9uZ7YzXIXJ%S;J9*YVPj;BJ4_bm+JmVvVb zcc+K4aPSMJWm^hOR9?)Ap?-0(q~({7?*b0Ig+*9fXf(HC6XUf{Ea*i0Fgs8=7QF=SG6dSMf%ATS z(cXcuL1!@|^;m zSZu3u1tOT`%VMWB^yd?FoR5T((~|e{D;S;d0uM~pP?oa?sBGHq&ld5eGOvdV>$Ocg zt#TgN4;N%vh!Kh5v1vz>i+!<9V3MG4NyYPD1A`5S-DEy@$K(h-<0 z(Mg%O%aKhHldM1|&(ME`hWBq)1c<3hIDaMiNBe9?V^^}?1J%X8iPJiDwx8lP)R75k z{%OOWhK9Ht_A9UZUr><5F3GZB?&(4G2(yJ5+Mq?`SpB$Ga65p=y{1k z;lUcj`F~u!`Wf=`-w9eH#* zzHF;_Q_oa;uj}5qCCrE|7*;?y^lXOft&`g&uDMkUwS#xQ0Nl(ra;kM{0<6emH? z5AY8YiUPc!&QzYE?+a_8YA*(TBY<(K??0Qf0MZ9a? zWr>QGLN55---Dz?I0OH?eRk9pPPk?*YUW@YgXeHdb=kZ$jyq<0Ouc%YY({XB;b1y5 z@@1T1x{h10KEJnmdfj?R@*6sAMRue49-YArwnM-s)zXO?!wqEQ0q^rrm3#7*$Dt+Z z>A4@PRun5ceT##-#d(XZ6Lyv%xsAo!4}>CW^Hjy+4`*F4t(AuB`wW+E1#>#55Zm>7 zQCEe5w#y7o%VBHhowrjLXVX8M)!*2J=0Q?s27;8FfXH|=i052g1Rsr+cGD!7^`$5(&j@xsAcLxfqt2jbwHyICje zW48)q6p#TUt33*&sR?MMASAP2qFMKDh@L*T#51*(^dI(dUulhJHpr~>uz>C6+!0Ld zQiPgP@`z#Cv?VPfn=ApgGeUJ-Y$oAzOKJCOb|q2P;r2a-c;a3q!J7ZMUz2>^<Y>`th^jF$eo<_q^agy6T?-x6q zGuK#dw)+yStt17AAJAcf34c=}>dg%!F$%YjdkXuPAR80MbPj_7-V5O1rJ2`O~_ z+}@ufhd{hz$rZSbc+}0e%onR>2p>pj{P?snd$NalqqwwG3-tiIYSRjtFtm}A0c{@` zHUUQovp-WZ;&Sni?+H&Pco!g|mj*8=68Y7)fG|Q~;%zhPe|$@NCKnz6-0b=M(QoC( z2-J4I;|9GNJJ=KZcZ#9LH+H1N^tgs+P91 zK03aTo}HkJC`lrcTW#FVU&fAK7y2hb^bXayPTiYDo!-rP9?lZBOJ0!-yUv`W+-xDr zM!LUhHUl^q+n2sQfu50P!{6^JSv0ibl%A5N8ulL#OG zM0C}Dz+wmAXl)P{0RpHo$DE+IwW z3rovc-eWYrI%o~ke?X9HVp=-HBANHgtpRZ|X|IlDgDz@KnW|kx{6~=TWhb|tCR*oy zZ#+?5jTme&E`}h-;BdzBqeXNW;2L;G(p6;8K?#yGvx*u3Ghz(V_;qMfqf=|iWh_2( zly%3d{b_MW1WG2epXE;kbeF-SI#%9aQJM*+88*C&JVAQhRAsz0>E9O7Uqne#hEOCK$;tO^ximwGMNf*$meVCiU7+}zxUmWn?qc+!pQ9oQ12AChl#C zD*Iy5jd?~RX+z|G#FG4l8eBe|U8x55qM9Yb>A`V3AQNgoZdZh4$-%)Q+a2^*ts+`{w 
zWfNm6_HS`{Vi{@poH-Me>xlrl)boo)O@4yGhr8coG#cJmzl!LYt1f$eg1Bw$^8EinIfM*+n#zWSGi6N3l!SVo;|~7`2C(6I%pbG#<@l4A{CA|^+6{kz=n1mYj?;#w zj`)3-^3?IFN9$GOSEQcM2;ELgeSf{_5z=3QHql5ONWDP-5?e5y7|28$IaB?CoFT70 z^Lr^s5GA#*^k|4-Y04yVzDDMO)gkvQo>GtWVhvei9&h&Gb=-NCASBn$QhwTm8>*|c z6t#4vxb-zWdH&&DWX%#LyM$YlT{b%^>PVdHWpXwelVp&k;-mvvX1{*-{w@&*Q_-*8 z6*uz!E$RL|%Q_b11Xn&KJa!(O{UmtioD$}xzfd*lMAWnD@?bRrhdeqXJ=}|dT9>5n zgiq%ERll{}?UOm>f~^P1Q2qVKnX7V!_PGyT+G-D@Pu+PYiweOVOVfL@0OS>7iH#D7 zui|4ZaNpXqrrw~= z6iaW=jCyM5y!hHp8qQheq|#m^8643lJ@J^gp7sTYi?4#yF|Ri0_PcACWwYFYq*RJe z&oDHVGS8N;4ta1Qyl)>N}L{Zv53nR&}M4x8TZ3 zm4ekxew&DkFJizHSRUE~XR5Kj@<}*VCTXGGCmPAS9#6Bxk7vc9DKu7w3Sw+FSQBfp z56`=NuNRnmXZoz;x^*;is7IuCkH6gy+q(5{Dcwp!HM4{L1n2iB=L}792Q~I=>7&Wd z>sdsxj3%57I4v0*v=t%K0$>9gCozMLR1|{58tDby?A?OJmRL{bY5fusX~HQUYzpY> z^E<(uV536J;0`P8;-Pkf_asS=PV%kb|JUxirt`71m^8>6iOyc14Mz)QdDqDPc~KZFzZ zYHYV=XV^O^{9?DB_p+s8*Lrp@#H+~GQmUKhS+r0T|Dcdn)szlv!; zl99>4Y}=W`S1ghCNEUt1mMam`$UdvX>BV5bI;QBVoHkF?B}J1MWxTTY<*>n=9s|O5 zo(osg#Ja&uMeVH>_~{qo>(NrJxaqVVy1y)|uaxc*s*B2KJ2tL!#M5}1 zjAgSI@|kOW!?BUeK3t_>jlUkBVhsxcio%;fPyw2hg|tm5?6 zJRLu~qD8S333QgTd-E##lJx`GxbAc^yTK*?(E2UA+B3J=Sn4gEHYJ64k7PzU&st0h z-Ej7@atfxR!-2aUfZ5d_^YjWUH$vu(X7+D&Z-o%O{Ef%nI%ViBe7>uwnf~6!`Kv)( zo^KJoprWQHg+#Qs0TXg&)H99t{hD+AvK#EF;K-jJ8QB(!cb=4-AZTn+^mIkvqa?kg zM&n=|nhc-1`#zdL^tHygy>bbS_x%CNx^=3l-KTEt5O`cc`wE;QGyE|+Phw4tAmt_c z{41QjPHdGNy@20#F!tPxMD*mjS5xWj;Gw#l#9mmS-=_ z`1C+kItShiLK1_I$|a6&p+5cYS3{Vw#?Bd>-O=~wInqVNw3OR^orNID3lf1kYW6$e z-nx42#xTX6cZrCTUk4lJc)zy$)MCvjPdPGp}sb8xnUL>V`fu;f@uuFBUiKH zR3UExUep_hc(wYpPvx2=2K?A}x^%)GcKOhRBOnB66spCS*RR~kXO6veOGpL|ma6do zeULjAVn!&K!paty`R)*}I$Cp>^NBl43JcLE(Y`IZ!h<7oVi5zI4wNu?}Xt)@~r0N&KeyBNj-}%A&QCf zW@tt-+x##}0Z#F_@d=2_Fv^(ZXoe)}pis1<8YEI3t&768LlxdGUsd-`i;~>fA-{uR zi~Qa(Lo9Ajm2-iSYbrYaSZnXkAE>&g)U22@f_E&;Bx-AgAg}3UcoOMz)_E~1+wz+O zPksggKGMJ3SE%QqrXh%A znqNGd%Dzos6*$>R<&$SD4hfl ze%_yCRgbXiQK#d$JMD+o#!(s9dGEStxS_!y&r!hI?=i)>J^ej=M$C*v!!8~+!Z>a{;Lg!g`pI|Yd4W^Po7T=cw% z>gexUP|VS#tml=qD2~v=i~ft({yY(1nN9S$#Ui+sKg6x{7*~gyW}0 
zPO&eoVYC9NH44MCNl%f%k>MnDl8(tSk!{5IT~C;Q#K-~ng`Y9&*=~9FckDe7UAmo4EraUMi$0U^OdCJR*)5f+LI3eg|@2DgdlDZON1;U?ygdGTu# z1^ggk!J#luKt0Jdac9reecFFn8%L{I=e>3Act`k$8q&49{Q>G0ahShfri#&K&F=DP z;f_>+xEkZBaKIt^=F8>EY&b|nVPe`qP21o9J#%Fa{mhi%jInQn*i?w1X>h#;?D4Wr_M+YZE81mr&PK|EhhcJ7Gbga zpjyyzxtkRxj|=$J{zpQTRMPJjtQGVr_5g0{02l6COb)hbqYBVye&e#a7mwT;xOhmH zRakL@kCh7bkRXZ?V?`Qyld!e#zFv~oKxa8p8mb5_`SEZeCYzAmbeFg*Ul@PSrNH$m zWZM~8cVUfQJi_dAv1jmxf#agBf%*}vZpEk}6Q@PNmN%f z*ckV_YKTE(dbg>E>o$$wq>`>m3+P6P@@Q{x^9d~e0mK~N#nsKtAEX@OB5L`$xxI~} z?-bW)dNwC7c+JTlYb&>0q@mVsr=%p+B2M^;!GFVYzz=V3U2%5ldv>ygw&ET-%2$%R z$X&`l#5=(gsd2Cmou{}g(+~0o1J7>9=egdE?$os^wtpr4-P`m!%hx<83@6A6VmNZ4 z4l2_QALY}w+?R*U`(n%h4d+w-D*0^5)G!}eeKU$BZO`{+CpCRR)|sziupH)K)lp-R zt@&Z=6ZgK|8Uw{V4g!PCnx*;af{pQBd;lmeJV$_Y@~?}0eYK{Y1CAEuUj-MFl7qotY|vtT3u>V&2@+PF-ky=Pu|1uR=* z7h+wlYikM+S9W5xHq>RDkFZ*H#dY;T#cBZMzqQyFoqZ0_kLg*Nt1o$vL%wNg`aAoF zFa1w#)jff4HnuboggnCkAJWYWS@X|`^d`XJe(4+jpCJkQ|DwXYop0mEj9D(Zdwx3H z6MFr>1=MB(IJQt64>!C9j|*%Xj}|0p678}-f}}uF+zif&=FW$IQh?RUQ;80YHmo*s zpwC1GH54!}QjeDt&Pw^H;6IIo%YO`W&w3`+{!*}N2@p{AVDYf3n{;{F)@TvkXyNta zu&Togpj9bjK4s|iaATQ2dTOdee*IsqVk|MX0_|#41LvgZT%coWKxNgvhrYJvhCLCo z;m~*{gnL|Yi}VLZn-}s*=WZj)4$H?(vX%gg(u`?tU3KTrKi3KZZJ&I~nP_?ZRIJ?` z*tt~@TaVjwr1Fd>@Nh{$<@gACr-J!KQ+jpgxdiDtvWYgVNn~^bU2lRg;yyiBYj?zfUC8|;wY|t^99CAs}V$N zSqmCg;@GP8R>c@{NGc^s?9ODlH6UzTw&`5+Dv|^Jrwj!kHpiJL$!9yP9+7dtO(6v_ zB_BwiwW6LaoqKFQ7JsznuSa>_3R{lYAST<%BM`kjVO39Bzh-w<=M{q1bG9$}eW$zC zqOTWfU9Gn50PTh^U*z6wr*Wn|unv^}9A17ptnh^PAlF{eeIkEr~&WrRGl z9pt$7Gpo)4b3!%<5bY0K?R?lGc3K?$+4BJL3D;19J$AT<=ISy;N)nIJx*5s2;vzsX zW1q49887sDAn9feGDHgGle7m<#LS^0iA7upSIZR1(&~hD`Z~}Dhd!tm-NCH)UL`-zs=YV;4 z)8X`$eA+t)+-_%N*&SvFX9+jhWKB>nEys?RRC&ZwlD1fsMG|=c>Pi6g}(!; z$)t-4)otCoLp4#oe+x1#XTxx2sr5fUivY^U&f$K~-Q~WW`t!x^gt5t0*?;v|WW!-? 
z+xSYL)pHr}hqdy!G1vm-a9vUh`aQ}Y+{2rI5VJSQLlFhY>eihiLuq6-7e)lyHg2Cx6o{SxD^(XLh{acpGghMbS32hQe0i<(IyI@oXv zXvKYLZ=tWyD8zk$iCz4;!@lOEBX>kq(^k<0@?PjX9$y!3zTjT)67HkcOVqB+z|_#( z+Ihn>>N*-)y!qrb(t5;>T4tCM8V#yUxkO%*U1pT?gCMXW5}Zqb$!HpH{-9&Ia`Y7o z&M0UGoPl=f#n1m-RX1YgUHQo@{3rud2B~%&@lhk@8&dJ<306Rwu)H6E*3ye@_fS&< zuUwYB<&Bd8En%3+)2JoIlCFz|e}P7%QW0>4uS}gbm#@-p?TV^czOFPnl|uRWf^%PF z1`{b{&mx(Km9DzUB#Zgu9{^C&O;~@=!0vqK`}nbji7lk>iM{gbIw!l(rcx@SM7zph zh<{=s;%R)JwqyCVUj;pM*V3Pg0NA=`Lq+c3aezJ^;26E&Vcdk^E$&pHM_9d`BIlPFR1zH+UGyoxH1 z%o$JcW;F}=Y5RATebgRSQ?*e3L~W-x|Eap5g?tTS@J0+5Hh{U&_q|3~;Hnw~7ZDT}pTTh2nJcr}@!A<*Z2%KQQamyC#+GtYU{$0~chD zWc9D-sbT=A z^6^?H472Og$qL2lI(`9lh=ymJo()T%XDl;@CHHT6Y%?((tulto)u{4>s@z~Q_E-Z$ z^ihbMS-C!p&}Oy?^3?BjhBgiECaNL$Jvy>FJG7T$H1_KkxmKp(c5jnf;QMcl9Z>k#@_;7t3sp=0k8+Vz7RcAay@wDKmh zILHoU`MAgZzN;eTm}X|G)l;t@zg<57Y{9~7FF9L$;Zx4tV0+0B8tKq+w*H8I*M8$W zR8eiIu21QAblqA4mfM%jr>^}go34^ZB89FAbIB!xH5pEYmwS+naK9JegeVpX{SDyr zTtTHbiW#;_&|S*r;-X`$jG~A&`IM4!vx-=#*=5<6rcc475Y8;ME;g6BwKT(Uu&rq)_+o7W=ha^vxgbK z4ximy7(aybZnQM5Sg9mu)qjc>@*De1ZmMoNma09SyOhy%S>*(#{=;bcj~P+2oH`=1Wq&GZ9HTk1W-!)*Slp7(Cew4LqJ& zP&hVIS>M?Qssl6cNsp<##L4rJ?|fwygQ$Sij`zqai5h-))oDN`TqjRZR9jZ@z)wt4?j+bJJ5Ajx;+}Vs}#?N-r3PWn5}v~W!KRV@7@&Tg`R6}p`X?g9O@9Ei*hGy znvjNRHTZ1&{TRv9#gx39(NAgUvZk1>0V(Vp$=A;tTnL~$FAX){3*EftzWqj56TRP# zvLK(6XH(znFvIZ3&7+W%p~GHvIW3xrlG4}Gd-=2q}rwu8&X^rjtry^UWH=i%1^<;#N|y#lJS3siEZ0p|F5-@E z>L)Q5esMchRg;3Ej1R0!gL-Tx@^<5v+ zgIlsSsoHhNJ=i1H>PIgcOK1qTloyEN`n_Eegowa48hh10t{lD*GiTS#ow62VPF_kV z&ooZBy<-?MGPpCYwkR#sZqRymW%IkEx0=(`&tLepJAzj-Q^BAkxzZR0 zLdzV?`%l`}R56k~c+d=Znu05atT$!djY(cN@l22hDLM^cDMw|ABl(JBENQ~Kot@X= zxon2=&YbJ7yHPh9_fT~!IF-^m5PwY(9EFNb3g|tln$Q%EBavM~FR0!lsw?b%1k+mI zKkihk1m=zQ}vy+%mS6R%)liY3dGyM>3Dj>a1t(9CyLtHB7{q&mdh@bCCtUiJAxDQOHF z;NTMu@8jPKj#R^L8Ml2j(x@+d5w+~=spJXU;NguqsTvWp0c9+|XK={_9O+gS>xV@y zu?b?2-a|`bw3MA8uXb%={1jc!D`B9NV8v`fxnQ5CIB5}DMAV-9^_*KghBxc8_+Aq? 
zn)9ATo@=VG^GYZ{23qU!@|g}2d?E4_y)$dy{T#xfmOVHwoh&05tOMD;J+UA#Ta}qg z8E4PuFw~TEY1G@mRS0HPl7Na*GwhAz9sZ!g{C(Lx=DK%>i&jZ2m6F3U9fm!k5?7<| zSSUJvA9FF1_Kh!rco)CTICXqebvG%eNFi9&aXNb>Dh{`cZKF>9dtP&y>T*$~l5$iW zVMIG^Rgl8~LjB&~%OVnII>>{C*@4gk1y8lBzIw#P(hx?(j;r0gT?H;oSo zjzPUYl{=_0nYXNNod=-bda{2c2&>POF6oLSsk8&wiC{(-AVp1Cn+Q!S?AbBj>b;~I z$b8O6q-4BmWPb?P2B!-(#e}P(8z^kUd{~{r>oW6(mZ6EDBY=3v-!!N$OO52H`H0p$ z#1ScEFzavKb=4OxjM&ynm%K&Y6CY{@*ohN@O2NWPFl+Gq`+4^0y8xIn`Z(F7NX!ni zzfy(MZ`8EU|D|FT(kYDZI8%E%wu1#we-tehBPn!Wo$~fMhu~q%)9tw~)-FYB+^XM2 zgY9Ab{jr;@Yc5oE|Nf7J6{gAHLiAs);!(dfDA4Oh^wR;8@wLLsg3F!6;KUQXoMw-7 zft*2MXE~~1V|}a1XMlBviOYxBnj22CBNEd9-!lca9u{`*1!@}tCXH%VzPBkEVBG5l z&kQj7IphM7c~W2r{xGbn0ave@rMM-G`kbM8w|(8OP4v%}H=OqPmH$$CsA0cPlKw>= zK+1;zxo(nnAXDu<$WR2sQ~jnaDq;xt;5yP>rnt+eDC3&OFo{{E+q_8zj@BfXY^MN3 zhyw9cjPhRSpswP#Y@pK^&s$?#o$SL{aDog@QkP`^_a3Rej4f`;-9;23GqX!D%oNV= z|68a^WfkU}yx`uf-2H8jHzf8ID}SxWc@Tc24yJzks58^oVwQaxrlAK^at$*Q2AA;o z%DK)0+dxSEIH53R7j7xlW0EjKs?d_Mql|s)MOA?ySswa97lAaF=};w0vK<>2rr5hh z|9Eqbw9taFI(Z^QNsB1Xa)x6s4~?vsC}^Dg`7=41bk)|ROob^sH|#wH!C#v%G6UEE zD47UH;_V}V46_ri97K!{F8$n4Yx=Cdhig&1FZM$s$3tfN9AM-2`$5u4Ihn&`;^o4b z2KW*5-)6-k77o$BD1ciJ9t?q09$~YAF)l^l=8(M=sWT^YLj5$cgB@9heNngaWtzUC zrM1~f|7>_c-udIUgFaYR^AzRm64h+f2?1el0)GL4z&}oucYk%~=EL)474DIoB<vLglf>Agoz}Jy;;q|8tG)tKsy%Py2SWk>DXE@bfBCWBc*u*_q$kAY_%=V??={F~J0xiuSJZD*Q3m}7o zNb1i|*3;>vm0*Xqd<^2Y)CQC={6p=rF{+UEi{2z{J~Qm|f%0vkEJtEDRBDU#{|Huk zBxguMx+J?Y33cDAju_u=(4~{MCf_ZYiYo)FmYy~{Xt*|Z7A5_NIg;#}yXOQ>?y;$~ z-AE?CvFMe*|KTBQ&lW$xLlxjdt;1QTyJUe9%rYH(sDj) zK1l@;t#a;RY=l_-(a4pm0sSxH8U9(noGr9rARC|j)@piZF;};$xv#u&KzG!l;9sI2 zMb(CT8w!zlJC$WwVce3n@y6e0J&Kx_H!>=s^+Ju zx_IFR@~LfVVb)YT;)-~kqRa{*!VO9auTh_TyEmMKSD9k^*XHnO(pz)M)tcK6GSwi{plE40XroJ>$aiss}f%AN9!g1Zm&nu{lRwu zNCo38L)SMm^A*3Mj0`(5)n?5a8Dsu+Rk8f5@q;-#H|Zi)3|Q<;T{bl442 zUcjPb^sX`KR0&y#$Mj`1eTF^rgAcp=SzMhBq$DwG^cp1v~3v)-8 z-m<>XGIH49qNTWvSEW=l%(~^t?u2M>!F)W4J+~8I(yBA=$JMY*Oi?_awwf|guH^2R zZf^bvJR*EHe=TpLsN>w3I%q&TV5h%*M{(^sT3MuLQjcrV^n;rS$jaH~zGNi`{DUWx 
z_IH00rH@)F{u@!94T75z*a>^S7>GE$TBd;-XWJwOu}~;`8fx@|D2L~O0tJe!zOBR! z!O>_lE?dE_-e#Vf<8eo-$}z8D5_^(#uYx;a%C~N4t-#~@)Rz*R(LTzoD~T>vZoUPS zVjeHJD)FrIOo$tSdJRYZS>x#~E41_npH{G{A+uIXWcv|z&Z|9kKJB{6{pgan4p&>) zIv#{?^;+a-k>{KLSQ_rhE=1}MaiuVHuf~7G78#KvoDR!zdFs22pZSKO{ulgaXxrTY zFk2%i#Y{_qwnd5k15#`A(vojqESA(qg2}$RX|Xg8#D>Wols>EMnu}>0%s`h8SeJ`% zt=KR*XZS|m7LAA-WvdsEgjq@{>+wk`w;SOD@A{T;Tz6WPkTZIunmdY|t9>o$>QrMI ze~k0I!ujkiP=>3^zlpM+#gHG-V-^t`jaG@~^r2q*OHbnZpL@r@IMsJn-(v88#xeXj zANrS0pC7aGnlS!bn5Bsb+rt_2x_hR`9f;`wPnE`OsVZHYS zqBHaMPlH9nHmMF0nj=9w_zA<;TeDW+!7oG=_6jpg((-kUTusJ)7fnZXIhn{)xUH#2 zL+@M`TwTW1-nxDNkVJVF6lW6GYr*FL;r)fLi{?0S$3);_PN|?a^JhSpY5`498j^C* zI7+SZiP+wMYv*I(NSkHv!6MbjLcR3Oun;7|jW5@gn9TwQLvpkw}aKvvTpv;E@kQ1hf>dz`s!wjyexWc0WggKP%>VD-~brI^zdKva2 z6ULQeiI3uZR(sYPSO8tz7@q71)xawP!Uv)DL`&^_`I;qb%br$hd9&)dY}&`1@Ot6} z`l&<81~WQ;!{=E$rp)Uxx2^Ml8t;KQoraS`$Zh1!sO}PA;`}pCK8#l?*im7 z%3HpOgp%!}qf8fuO99~HMe6fKL;9~GMjy-N*0&oq@J6%F9ZLmFDd*ruZmF&vyq)2+ zo-|-3ICU5jxMBxr)pI~C*rtwEW+{kKx8S(vM++i5%;$fLi09RA{}r&*5w;IL_NOLWWJ^K`z3a-;e;A0^9CA^et9hKoi#UKruAPDy?5PeCQS7wkVz&x6k zBEj6HAE6KZ=kbYD8V`L%yx&{rvEB$7r@FdcdbqEJWWl$14!Az#p!55%9XI`7#l2-% zTU*yP9H52bP$*CwTD-VxTZ&VlxO;IZ?p`PacemoM#oYtJiaQhu60F6YcXRINoO3_l zpYM8qz57Q&}g9{Umm0$EvR@q+U&hg@%4oQ3)JMVto}O^$Y%D z7gjhF_N5nSrg_+ftnk1E^%zoIL;QtlP}4_shmZ9gos91=o{;$wRmbOK@3jB&Bwz(Z ztK8xKiva;=^6-7}^8;-%f}X8+5w3{2+n{*RvnYd~+F>(g>yl!YA3i{S&Mt;MDq3pq zp$SamOA}wOuTg-d{r9jp>pk`wuqZYHXk6D}zE@_q*A2EgMMck!+#rG=&`=_C51^6% zbJXFDr(TIj@umrn$yO_4(&sO|M@)f1@o(o}ZpVGO+49!*&WwpRd?>y85#2VdBb+V- z-E}}j&12l101iLDUyz)QW4l6*l`g_{&)T7d`bXylxyofi+pMMgvO>mmA^6TohV#y_} zz8e=zqOyM>_1aHt9eH=Pv@_I|^@B2u*CCl4`CX&72fu|9;8;>!JpeIlPgoWFssKp|k0kqo;Mby6^wPMYe_8+W33fBGeb8?RV1~}& zwnlv|No(-wC(qTNH+pdUzc|thvPo+Xd8?POp@J#Tx{m?{0;wM05qsFMidL{7 z&NA)oAv!e{2ncx!>6nf{EX{K!KSR=Wp18=E3vp?f?wtEIzXI;E>Gq*?-jYO8RIyFp z7(W)PHF%`mciOGpL%@J4>6j|{k1)RM&pJ}x<_e&!SLk`a&_3>a{Vyhi9vZK9>=X8| 
zA{*6)VOP`>+Fx1^fMs9t1>a>1_Y}X%C*wiL=1tN@ZE|-<6JMmPpw)8Kr$2%$ofp{z-(OYH0y}^X21y;gj$O=moX8ewDBF%B9kEXxcE2Pn?^Ay$5@f?S$;H`h_GRyzud#-A z_UY-5I$siu*hhYsRCSfM=@OkX>xVT&^S-G#k{4&PA(2@DOX+WHCUtCci~+q5wW_A^ zB%`@--I>b$L$&IxV|v274a}2I^$tkw_l0BYYf<&5hFLOF<|z9 zLOS^DJDF|^;hzyH}(9R~FX(t(q}lqYB%$N<#lYUN;vAI#PSC z`zqeG^z5j_N`g?E>?+4&qEC@^B^mE%r}QYA>FE3-kjnX%K|rUkm~2y$C%Ad?Rf%%$ zHGo1*=P(7HI;jif282sKDUu)u=jz4Y;7B@^O7wv(l2+Q~-BfR+Sx6|3vyB!(I6(XY zJ9DpbKC%6q{#X1;bYxg2T6@6?_>#Xnfv7%I!dEL=YwHkXg|^>m)Ne{|^N6lk?g)U@ zZB>2_TYlu+bMbyZ=zAwmVHUSfm6RNFe|vw~KxH*UM9$8|5y zIpiQiR27DH>J;m?z3(iv^DZVCHoyR-7`?z}3Yp+*m%cVpk}fzKN)bFQB@cD4!qZl;ZY&{Lv#PeWcivuJSoMDkjrXsFIU^Tz_MG})eA z!&DCnIa90>LsVd_H5=kqcvPEHX`4?>nx1nn&l&4@9^NeUv@F1vP zN}XlZjMonEkjqfdJC0c?h#!l$SMpVhr>Sn|qBje*BiT}IYur+lEP|#rlQL}-=ie=h z3L8iFhYBcjwMl|ki^VP~bW!z>e?;5XI#&qji3$`?ioYxsYk03)u352EEZ`#nQ6pRZ z=q_+pe(aV;&U*5DXJ$NcR2t5=m&9xZQPU()I9N{jeeis&;~KJgTP=L;+`M&}E<-AJ zAgRrQF)82Bnv&%jo-|}fTDIjGcarBWoU>eTsi~WkGCL~}cx+DUqUtkHud7zXH8Ip9 z;B26FmY;8DV$MlIE{J~CBCS)ia863P4fGR3k}~OqSJX*nFN5>T8PovkOb^JIOqw_@ z!HKa2xxPtS7d>X3b5MzJtl5=fl6&c_8T>Yng`!}aZ={K#Df4}X&6S33z{d)?*9$z> z*QtG%m&GSKYBsTt9liC#&8A+q#U{YyY#||~(sw)TQ=$_zB3WT%p&o9fAb!Q&vegze zviJ;07Lz}StRU-A3pQ5Hy;`rP6u5ICt>J15KNSi2@Y_4|)O`Dd6dw}E)g#(db(CM|nWf=uGpcBNy>#|6&*Er{Wi2G22z%kvU{mI= zO&($JsHM_MzVFcuns7n`Hn=C#be7z%*ZEcZAIC6R!@U3y@Lf;Wsc}cWN7U_u%$)k} z(M)}R1xC;+tMy`-%LPcH2L$kh>v?LHgp=tUEy&Pv!#3Kt5mX=T%}Ot<3Yr{l+Kzbu zg_`ACk}bLbhXR9G^*V?0SDS8VFiZeN{|$wS<0*KrA0@(H+OIAq>{5ind)-tuJ)8^y zPj!U5itcSz8Ul~HW_swSq5#>FPX`3Y;IByK%+TvO4VncC+5Y!JhYoG`$!ySxU2#DP zc5=L#k?6uWg+r-b3z*x>Z*;3}1+#-X^}~@i4EuxEM7ZIZucp};Rnr0Cc;15RErc#2-$EJX|?8hmmu@h<8w&#zN*C4AiFs^-z=~*3*N+{hl zX%Gb<6s?9F(v{}n?uKOD|l$eY)0(uyz@6$b})uMz; zTk39K!M|u{UVg8_uC`FWURP+WYz)7R`=jF%q1FBqfs$J5w0n7Cqeyy1E8ywIvqN(6 zGdo{3$5%3}Yq1nBPMq^79x$AZ!b+8^t$X-^pgH_6p2dgtXoHXO@PD1&H<9(z?!UtO z6{TP9XXEaQD%f7Bnn>wGE$Zh0urWEsb)aJlxT!#<5B(}@t22WNgjsF zu+)R=f7Dc@OJu2%jtIXVY>#{b7Ws~D{d^NH_1EVx(QnKtbeEaCtuhp``?Crxkv}_2 
z`W;svP!5#BpC*^n7w@9`lfuOdGg2jg7pZ4(T0G~>*b<9Dipx-3Bn;v|V8=xrrGL#r z=PLD%&#GUJyElU+G`t$8Pss=}Gq@9`3u*~l?lVI8ly`YIY%cNZ-aYf~LTF6nX5ZG{ z6UBm$+c#dou*V_O+g%)-6!=VEl;0LRP!zXu9BD03?+_+WmN80r;`siH7or1@^}t!u z00*5pWYxXu;AU^8N{7?u`=kFBfs6ufXyCS>if*s^Sum##^CY#?1%g(u#~ zWn#g4eao=he<(xlO*h)bAOTwq!wHWpXAp1tp4&*;_h-(OTbtd=>fm{N#uQ?D$uShc z?1EMa8Kw~-`W&wmK_`;wB5nRpNm7=UOZ^WI8)qta_NZ#!)3J}a#*2%q0cUCAAgh6k zFd|_gu;JB(k}FPbv(=E{0u$p5FBn8QEx7zXj1158M*hLWF`_J+l{k=&BiIU*^(R$mYG0`=RN6C&n-RnAFu4jl$a z0>T>uz!SmV7Oga%j~SF6<3Qne3h3OY}A+6i_wKArA=O zR+M~qVoPR@*=XMgk-xLGtI&q@g-f)0#LmnoZjK0npH33q5&;8QPy;5td$J#`4BR)e zF~J@iPf4@+>O~!bhr@rIC!3St!Sit=>7p+xsCd^!3B!r~#a}xMPUI_M#yJERyQD-+ z%RMU$9}S>(iO)DcbevldQ4gW9_L`K7m`j>1w`eL5#G6ZzU3kfXX|XT;2EAYoE2U*_9@@&h;6g;<8k zsdR3ePAFC}Sq}=ByD3_ras_M^*);#h(po6~;J^t5_odc{!$7>fX9hYKmno!+xd^{* zksa=$CBXvzVI%`*+n5q>w%88ZK!!B0T-{)72fC&5^-JuE+d8vtD^u7Zh1h0Vzik*w zx7+N^q=z6EFXLyqclG3`BINSg!r-V$4$p>$co&i5xjLdi=m&{GL$YC4mfuHoJ~)aH z+7b&R*BSyzu0Y2D+hmu>IewP>8^J#-@HUcL;*luZY;qq!*z_G4oUV1x%=G?zYELnq z5BIphDS+4M?_;wm&hql?@da=!URQez12Za*)tuabyW3KD`eRye;0-B(81`18_;8S4 z|3ZSNO;sFFH51WmJ5FOqU4h+damEUeE&KU&7=ekXsqy;K+^36DmlDM9Uczu)HzHK1 z=NZm|mC;BvSfgG$px{b_n<>;{L}c=k)ugCXz6m+BUPHC*`3s0rJ_iG%;GSnX6U~d3 z@C%DNR;@!Vv4txeRksSv4}-`CLo44l!9>Bka5uW8}^sQue>d!u5gQAJAg>DIl-^RMkK2?W6YM}*p`LH zsC~!P(BKjkE-HjCFkUKB5siqf0wLtta{DIQtYE?f3jNmaR)jmYsaBR)q}RyT~}J!DAKOG6f)N?K9hIR1pPx`{EQz$=WYY8*-}x zS{*hsa#)JXJsqXsKCjFDy=RZ@*cZGs1dk&21_?MBDyKJRuhco_7SwLF6$5M7ERlGC zTG>7nFB`OpnOVzWLk?-0vLacl6{KOLE0OaIz8EvhTN`f@CSjjA#9xmobT$&(mSGir zf$&?8peK{k>km0E{LE$FACB;PQrKam9m&-Mx6iLHxLNojhl4 z4^nnFF(8cM*ZU2AmXOgs2yL&{grp?QW0ICa!q8X45aN(hqx=bCll53c$+R$!?SE=V zX$nv4q~#qFgvY;qz91!--{olEFpzB|&j?*HJwA`ZXEu znGp^&Vu(wn^1H;=UihU$7)}oPWqjqfnnXb(TQf)G8UnT#Y!IgIE!dN+>u;om-LKY7 z&#MwSRGEHdj2eE$s~iUuxT_xof#hDsE=x+~STEv5tGVvE;(i`E|akoU(#It`|<)K~Zr(G_KeA>ttg zbfV1C1)J$06U(abpL(_}L2CQ+ncF$cVRcu} zHuWc!QBFZc%&g9Ks`cm9qK3ty%rc0x5h>BLZo;_w>d~csSe--tK5^nLg3e66tbphE 
zc2?(-!!z$v37gJ-=!M$;s~(rIdJOBT*4kKBD;rbc1!H#bx2yMWUPdI(Y#w=HmXp}< zjZWW!go)B9f**41BZ*6pR2IFll8hBeFC_9^f-OjZbT=YRB|qf2_Y&YKG}Ssh)BK5; z)|Ka}Wo@CJY_w%v+b{C7N{$Pf_9O*6&Hyp55r|L!%O1lbwaXq~E(eMEj)t)56adh4$PD4pVvaqVkrY&RQXH#RC&MQ>0 z=SJM&26z`gN2Xvm^Vv$pDjriQl+-1V?K1-_L1o|mf>}jxoBFHS?8WMKT{S7AOCh!| z4OB`}Ms5Zug%?v+b~e!&Uyo#d$M6t4aFP$BVz!4ipd8ED{M>hz1rT{4Ht(LXKKKJy ze2+n0sj(tj=?nAUpPX+kTGUMWozfbI0WJf5(whOlTBGDT=cWq}` z4lx!#Z8QMv`2wMUfPmfIwKFNdL+{M-Y^A=Wq-5|n{vnEw7XG7brohR)U|HSAM(3k} z)!WF{RcB@)TbCgpk+;$mmD+%Y2Z@NGyz~a7z4Z`7p=FimHEIC@=n({LR_`MUH`7|efxaR9NeSqoW~F*h?qQFwdD)!f|d!X!<-5bWdpu#!89_&4(qLlZ2M zuT-3Yy42)|l9rZsxsw|OBzkSXr1tRe_}z`pTFa^VH~J6!;(AMMlpC`w@1T(pIj`Sc zC~gOJv%kx2z0tFL@A+3ekA(mF=h?LS_~c~3O>kx>6)3W>eJRrVUtAlvPF!1HZWU;| z>A=rNigkK^J`=9i;kb>(!^87)divYL`LLli!P~B0Uj5z@GTWBB=S+oQ-C>& zio<5l;9-8uCrDk-{VC{|&+eXG$LSfgw&N1>H-(_zYP=tiZ&IY24!fiC;j*xji|?!M zRg5w>13`;X{M7+jUQ2)-=x0>_mnu?_#gkUQwNmj@>Zhj=%Pq>B^A_OeAB;MK_#8ID z2mh@~(;^R8UbFi(5cA6I;qKy3T-NQAi^Jv8laxbUv8F~9v`c$#c#w@m0 z-2FJ{7F7|~u?@W0CoUG55*R$LT@fu-bL;Dh(`|`pTZzU;W^^I&@4TwpeO36Ck`m|H zudD4WNR;obu}+5%88*34=l>Xj*1PjXHz4Q#W8&VmF`@6IT zx6vpfl_(;%I9JL_m&rkiBvJ^hNp#IPJ9@oJu0LN7VBnH*^}*=9IGe6H>)(Ir4_Gt# z;p&j8C0Ni#j!qHGqv6qiGH{MQzLL~a%NzQ6O>w(N3TtwOp>`9E zXe{lqjkrBOnm(7swOW2QuoZY--_Dcu!HUWSs*1gBnOK#);Z`~F%iKao6nLI(kyO+I zZVR4A@}A<0qP;>_n{hzzK6~=Mv(9R^s=Yljjn{Vl8=>AiK2izwB>7gyA<}1%js7^` zFt&`f$NDnVSa$p2ED`CGE4~o0`a-270+K%>;o!{?TdX&;zGfF<^XDpA4Pi?|F@K-R zyw<(r(!bt1ajzsY;1uzB%7kg$SX@zpo=9&aO4J3dJxpFFG8m|S(IWcXG35Ol>nzVV zC_H?k_SWCtjFt%}Ixm!buE_RYMeKv2Yb@ZMUFS9=jomDTqtM}nzWtqyi+d1DTF^$F z$k>r)^#C&!O2(UETMQb&1Nt=*!t=tH9ZS2dVeo>3sIp0&o<)+~UqkzR_5II8+W24^PiO%SS#9gQI7X-=lk%BJ90vE0_526c@#}I7e1>oPiN-3u5o+ zIt98HiQ%;Tb5$Mloi>h(mOxD;cp)3bICRg&N)Q3#&qze#v0(L>R+w1xE#lZ_TPgVS zR6v{*J@f>FfU^Ep4h7H*56A;Y7k_v0G>^WJDRT1NgQ#-V69HC(<6EC{CXZi`C$#6k z+gG9h!=`sWA2!sxwBu=<6^ZyNr{G0WuEPKWwij}xf_nE$`g=_e zvL%XlmFvX~Oe!o^mOWgXrnP&mGzp4&*j}l#{;KY3F4rc7mi6Lj&T)Vr`YnCy%xE{E 
zK3!gm|D$JqOsnjNOz23_`3t_YcEvAo>GC`whHb5uFYr&?Us&MB5~-~`Gb^0h{am&6IruS)|vj!$+cALob$1UZ|lkwLMC7j$)v=`_9tU>$EdnGMFyUs-1Mx;!?2RWO*M)^19N6PX+-(`p1&FiVf^VBNx1&6$J z!sP=F0aI~te$7!?n|qbDKBytT)5L^u;sP7F1dO`GaJb}VRLDB8xk7msp~RL%JYg3< zCS2xZMsDoa8HHaEBWr+L~pXf1sbKoHK)YYrWMCxTCYx zRua+UHmT}z+Tc(evIJ^B)usV7IMmo$`~=zDj3}211-^=IHN%k5m>AOwZg$X7=i}UDQ`eP@h#NySEuAt1^69u zlN0mpkM9|GJyN;&#=%IYiSea z6op471V520_Bgbv2*X}w5NDbVKfbOJ(0A85TVOO-2|3!ATrFp;D z+FeeQ3f2)zH_|NE04YjmWGzfKEhc4e7QvioIyux-ZCAB`-e_r)?~pITiMemqwRSUH zk9M{c>c)WYIp{kg!p%rH1d%;iG|#evqo@j`@V>ZeQA-u@tjAZ~($_0=_vnXooVQMJ zbPy0Tv?QEZj@`le$9tWNvqi?7Mpb{@=}qWG9Ulil^!>NnzMZU;c^3>f-z z(KI2E5}+8KdX)q=XAAO4$vQ-tVoiZTdI58d6KGAkR z@~U@PMm~X0Z=WqPw}{)b=JI2C91!GQt1U`?->0)ET7Dp!uX_w$yNN?ui-D88sW1-M z`au|*3`W(c!q@Bfx6|=?(X=w4Kz6TDMtm~DY&6^fRw3vFcIX!hlS2;b1h^@c{k4vP z-P4yY>n|rS?Sm{*plb(2Yz1CO1I$Jk4Av@{@fY+3EjT#-w{mT`MM|WL@MkC}-G#{2 zPBbW;k5K7MB>@6{bv4@QS?;mtc0VOz0xWzY?!+Uf#`WjoYVLq+lo4@EJ4?3YwE~a7 zG`;AM^Lfr#79`Ro5IpEL!C%?PBG^L|b*7T!oK>oa4FC(AXyV_fV+jdy`SV#I6Ia?r z!bb?RQi!-eB2>1dM;{ug<#YFX`Kp=~PnxYq&dnw6h<<2966t0k!wkIxLLGD%Z6``e z=(`cj8szy^=Q^7$^&4?2Zaeg@4C52|PaG5rk`MWa+2#n3`E!aWe!lFtP*f~@J(CwB zInTX$gM>e@?M6mHbe)n%ZcSW?Exei zpAGSm8vn9P3jGf)Lg2uOwk)5fNR0u{BgU+!T7EBP=~FuN(ZZ>fi_sI2{R)%b>a2-T zA?P4ccS|Jr+n2jf>}qgr6AFL87pH6}-EX+LXsGwzj0f*j$7ICnsk7h(AafGL2xW<` z%Cu%<|7eupm?MtSe-Sq0W8F*Kl#L)&y}F&RzF0yL%3!oDfgOm4SveIkaVr`k-o>I^T3=bmbb-=Ln8mk zXof>^VG637D8Ho*G(MhA1MKoqprwb{Q7dn9CE=M7uhrZ7g#h-rrlcUDP;4oL--3#P zcy+Vp0kyo68S>9|xt9#n!8$KC09cn z?Lrl=E~o>Iw@=lJAC0(n$fqwp%yVyA1U<)tiFnWq18wQp=Dm@%GeBQ*L-uMEO>f#l zeuQj$C+xa+gtWfrS87d3nv4;6J7Y_LP)4=NYIORWG6=RRyZk;Ju?`!#c9(b>6`AaI zi>OJ`yAUnFXkk+Li$sQ!ka4y$VrpCBAW;%8et|pI?^gts zJC~m0*wQEO(sGCmFp8{?S%p&u<-1(RLxvWCg3?34Q*qy!bq9>SJNDs)GA^B0RzzV? 
z-W$xy50n0fBEjVcj!Hhc(mIhB-TM+X#kC)$74Ax36yHVqSoD_XtYx=WyZ#4pCZZ%o zN6Ltn&>%QExrvJzEfZvy?1NGUvCP!gk z#(;9SE7#%IG34Rpz0S}CQp<|*?#RAiGme81MMD(#0POhGRZxmW4QVk0c29)a`{@|^ zHgEjIsGid`3<>{&FZdCY9A;`PJUj#?^**0O*x&~!v=v)^$L6{S$t|f!UofcIjF_M1 zZrIXf_0J+2bnLqfEUE@_c7Vah@BPd7Ca_NKR`4?~oTbRNk50H9)Szxf7SAXwNTy<%?iqeCv;f)c`6E3wZ-ao%un01IU2!9D?^@?_Qglc+g z+tLTzxjfwW;Q%F*X#uaM1UI#bDeRgPz%4Z}i$rOr5;7*d3~Z4062^<5>aqFm3ba#U zkD#&Sx>0iAbwDu)zcNIYH&*ro6nlt<*_BLNrZfm0!Cv{!`OLa|y~Z*!7vT~w=lX*u zA>j+&dR?4b_hH@PpaQ`9mH@f>Kp-m%;aIZ zj1xi?ite=1c!Y*%1ttk-5i~NDJG+4bzE>sMF2Twma^Ylw7*skjWe!x7Ngcv!AonS@woGNTbc~?C^U&iP#OKW2Nq=&OEb?BqDoqUx>OKSmf&9`O3=B~ z!$>AAx{JO%b--0S{6=HCW~4P2G^Kqbb@eJ6SV*3ynaWr%969PWuar5@Y&Z|v@4|sl zY4ArrQTA~0fZy)8XvsI*pnQ zk9LgsT*bCgd`Q?ag2R_#I9vhhK_b80d|P}`xfIe!-04PxmG0++$Y)cHK-2dAlkiM` zu1`p9r3;pkptSJnM$`1n>j|JCOAG$sYI!jD(Y!Sb16L3oxm3yyzx@ zE%-g@g}l_PG=1c^R>=mhiOh?bt0&YU++jCe-^LG~6tqn+HTw;kzc@GtB}%ICs74Yc z1c!P*IW@5MA-xZSK1BhH9FQRk?$YF+`cudVQJV?{1Smqm!)Bj+y`nU=ii8uPvr&7A zVKe--X8|rw34&lLttaw*uv)-8qL!hvTcL8<-&!TA>Y~dfE+4ymbfL=|pPL}I(MyUb zZCO27cejl}&t0^_QQ3})PhwW(r*)o4?|nIpSX9rSPSlVZnJ>^~RKc7SQvTPl{ttG# zh<0eJ!h#lhZFCfzBglP!6lq?}!8dNOZ@bD!6u6YkK%l11*I(|qDEjeFW#`X>kKpq{M4-qL!+M9p{j&#;edpFq zr+taozabdlugwo8Dx=316Ir*{{0dO{$FRH;nPt5kepIpo2k{{4!eLL2% z+F#eg)|~O~wLQY1=#?%1M|FutNp9aL>J&MnMj_$Uz%{<#UyVd6je6Z&N=%!M!43?= zA8Q0AL{h~R`H%I|G8rQn;wkXrd!_+zcaf@m?=vFc*G-#X%zXIwcI9VcrRtYSgB{&w z9rvwku*|CkWxnf-Ra*{cLd132tqKBMEQG&5!J=K`xF&qjD;50#Wa-4N4UT zWelPk#~d6u#2zL{E)R9kC3>=xI1E_i{cMQsvZiAsyGYtFWI#v7Exy92m&n7q*w~KS zi3rAxH2anQ$3R|VQXl)DKEplAEh!*L7+#MVC@lx z)Q105SVsPdO4$-b!wyz_N1VZu86&ttwsUZV&^+BichUgj+vFNGC@H#Rl&{-7>O;gM5cE!_9P z%nP>o@IwFoM$qjNolfL#u%l=89@c>Z^17e&@yfgjn0c)wWyHb`o_qzW0rdvT4-n>> zxJF+HS_#%7 z^j1cPocq7OO>HR!zfI|*Im5%*f)VWj=NVMoNzL4+kG$(KgCfA!0=^5kp*pD~((lq4 zWwGORYHA3S>;j+%wqsH?KZwwF8@c+(5rg~iDGY6%iZ=pA@bAmAsXoHM_cF}(*GZO| z@7v2o-><>0?f$GH2O!D_9o8|kF!y z{!OA;06UGqtAX*C{rhMtd*eZR_N17U6tda2;%4ql0zJtYtNsd2!UU45E%M<=NWj59 zKw}Pz8up_4wZaKxW)u6zzZkhk}6%9g=7% 
z)1g(4|5aTFWZ{l-<9nG!r`-l^V-kG2`ZEWA^jo&Zzf%z_J~0^lU+MY;p0%GAasFdl y0n~=#ztXFL!2`&Tr}}@c`Ttd1>i>t8x_o%5*j>Ggr& **NOTE:** +> - Although there are generated parameter markdowns for Azure Commercial Cloud, this same module can still be used in Azure China. Example parameter are in the [parameters](./parameters/) folder. +> +> - When deploying using the `parameters/hubNetworking.parameters.all.json` you must update the `parPrivateDnsZones` parameter by replacing the `xxxxxx` placeholders with the deployment region or geo code, for Azure Backup. Failure to do so will cause these services to be unreachable over private endpoints. +> +> For example, if deploying to East US the following zone entries: +> - `privatelink.xxxxxx.azmk8s.io` +> - `privatelink.xxxxxx.backup.windowsazure.com` +> - `privatelink.xxxxxx.batch.azure.com` +> +> Will become: +> - `privatelink.eastus.azmk8s.io` +> - `privatelink.eus.backup.windowsazure.com` +> - `privatelink.eastus.batch.azure.com` +> +> See child module, [`privateDnsZones.bicep` docs](https://github.com/Azure/ALZ-Bicep/tree/main/infra-as-code/bicep/modules/privateDnsZones#dns-zones) for more info on how this works + +## Outputs + +The module will generate the following outputs: + +| Output | Type | Example | +| ------------------------- | ------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| outAzFirewallPrivateIp | string | 192.168.100.1 | +| outAzFirewallName | string | MyAzureFirewall | +| outDdosPlanResourceId | string | /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/HUB_Networking_POC/providers/Microsoft.Network/ddosProtectionPlans/alz-ddos-plan | +| outPrivateDnsZones | array | 
`[{"name":"privatelink.azurecr.io","id":"/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/net-lz-spk-eastus-rg/providers/Microsoft.Network/privateDnsZones/privatelink.azurecr.io"},{"name":"privatelink.azurewebsites.net","id":"/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/net-lz-spk-eastus-rg/providers/Microsoft.Network/privateDnsZones/privatelink.azurewebsites.net"}]` | +| outPrivateDnsZonesNames | array | `["privatelink.azurecr.io", "privatelink.azurewebsites.net"]` | +| outHubVirtualNetworkName | array | MyHubVirtualNetworkName | +| outHubVirtualNetworkId | array | /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/HUB_Networking_POC/providers/Microsoft.Network/virtualNetworks/my-hub-vnet | + +## Deployment +> **Note:** `bicepconfig.json` file is included in the module directory. This file allows us to override Bicep Linters. Currently there are two URLs which were removed because of linter warnings. URLs removed are the following: database.windows.net and core.windows.net + +In this example, the hub resources will be deployed to the resource group specified. According to the Azure Landing Zone Conceptual Architecture, the hub resources should be deployed into the Platform connectivity subscription. During the deployment step, we will take the default values and not pass any parameters. + +There are two different sets of input parameters; one for deploying to Azure global regions, and another for deploying specifically to Azure China regions. This is due to different private DNS zone names for Azure services in Azure global regions and Azure China. The recommended private DNS zone names are available [here](https://learn.microsoft.com/azure/private-link/private-endpoint-dns). Other differences in Azure China regions are as follow: +- DDoS Protection feature is not available. parDdosEnabled parameter is set as false. 
+- The SKUs available for an ExpressRoute virtual network gateway are Standard, HighPerformance and UltraPerformance. Sku is set as "Standard" in the example parameters file. + + | Azure Cloud | Bicep template | Input parameters file | + | -------------- | ------------------- | ----------------------------------------------- | + | Global regions | hubNetworking.bicep | parameters/hubNetworking.parameters.all.json | + | China regions | hubNetworking.bicep | parameters/mc-hubNetworking.parameters.all.json | + +> For the examples below we assume you have downloaded or cloned the Git repo as-is and are in the root of the repository as your selected directory in your terminal of choice. + +### Azure CLI +```bash +# For Azure global regions + +# Set Platform connectivity subscription ID as the the current subscription +ConnectivitySubscriptionId="[your platform connectivity subscription ID]" + +az account set --subscription $ConnectivitySubscriptionId + +# Set the top level MG Prefix in accordance to your environment. This example assumes default 'alz'. +TopLevelMGPrefix="alz" + +dateYMD=$(date +%Y%m%dT%H%M%S%NZ) +NAME="alz-HubNetworkingDeploy-${dateYMD}" +GROUP="rg-$TopLevelMGPrefix-hub-networking-001" +TEMPLATEFILE="infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep" +PARAMETERS="@infra-as-code/bicep/modules/hubNetworking/parameters/hubNetworking.parameters.all.json" + +az group create --location eastus \ + --name $GROUP + +az deployment group create --name ${NAME:0:63} --resource-group $GROUP --template-file $TEMPLATEFILE --parameters $PARAMETERS +``` +OR +```bash +# For Azure China regions +# Set Platform connectivity subscription ID as the the current subscription +ConnectivitySubscriptionId="[your platform connectivity subscription ID]" + +az account set --subscription $ConnectivitySubscriptionId + +# Set the top level MG Prefix in accordance to your environment. This example assumes default 'alz'. 
+TopLevelMGPrefix="alz" + +dateYMD=$(date +%Y%m%dT%H%M%S%NZ) +NAME="alz-HubNetworkingDeploy-${dateYMD}" +GROUP="rg-$TopLevelMGPrefix-hub-networking-001" +TEMPLATEFILE="infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep" +PARAMETERS="@infra-as-code/bicep/modules/hubNetworking/parameters/mc-hubNetworking.parameters.all.json" + +az group create --location chinaeast2 \ + --name $GROUP + +az deployment group create --name ${NAME:0:63} --resource-group $GROUP --template-file $TEMPLATEFILE --parameters $PARAMETERS +``` + +### PowerShell + +```powershell +# For Azure global regions +# Set Platform connectivity subscription ID as the the current subscription +$ConnectivitySubscriptionId = "[your platform connectivity subscription ID]" + +Select-AzSubscription -SubscriptionId $ConnectivitySubscriptionId + +# Set Platform management subscription ID as the the current subscription +$ManagementSubscriptionId = "[your platform management subscription ID]" + +# Set the top level MG Prefix in accordance to your environment. This example assumes default 'alz'. 
+$TopLevelMGPrefix = "alz" + +# Parameters necessary for deployment +$inputObject = @{ + DeploymentName = 'alz-HubNetworkingDeploy-{0}' -f (-join (Get-Date -Format 'yyyyMMddTHHMMssffffZ')[0..63]) + ResourceGroupName = "rg-$TopLevelMGPrefix-hub-networking-001" + TemplateFile = "infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep" + TemplateParameterFile = "infra-as-code/bicep/modules/hubNetworking/parameters/hubNetworking.parameters.all.json" +} + +New-AzResourceGroup ` + -Name $inputObject.ResourceGroupName ` + -Location 'eastus' + +New-AzResourceGroupDeployment @inputObject +``` +OR +```powershell +# For Azure China regions +# Set Platform connectivity subscription ID as the the current subscription +$ConnectivitySubscriptionId = "[your platform connectivity subscription ID]" + +Select-AzSubscription -SubscriptionId $ConnectivitySubscriptionId + +# Set the top level MG Prefix in accordance to your environment. This example assumes default 'alz'. +$TopLevelMGPrefix = "alz" + +# Parameters necessary for deployment +$inputObject = @{ + DeploymentName = 'alz-HubNetworkingDeploy-{0}' -f (-join (Get-Date -Format 'yyyyMMddTHHMMssffffZ')[0..63]) + ResourceGroupName = "rg-$TopLevelMGPrefix-hub-networking-001" + TemplateFile = "infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep" + TemplateParameterFile = "infra-as-code/bicep/modules/hubNetworking/parameters/mc-hubNetworking.parameters.all.json" +} + +New-AzResourceGroup ` + -Name $inputObject.ResourceGroupName ` + -Location 'chinaeast2' + +New-AzResourceGroupDeployment @inputObject +``` +## Example Output in Azure global regions + +![Example Deployment Output](media/exampleDeploymentOutput.png "Example Deployment Output in Azure global regions") + +## Example Output in Azure China regions +![Example Deployment Output](media/mc-exampleDeploymentOutput.png "Example Deployment Output in Azure China") + +## Bicep Visualizer + +![Bicep Visualizer](media/bicepVisualizer.png "Bicep Visualizer") 
diff --git a/dependencies/infra-as-code/bicep/modules/hubNetworking/bicepconfig.json b/dependencies/infra-as-code/bicep/modules/hubNetworking/bicepconfig.json
new file mode 100644
index 0000000..ad3802e
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/hubNetworking/bicepconfig.json
@@ -0,0 +1,124 @@
+{
+ "analyzers": {
+ "core": {
+ "enabled": true,
+ "verbose": true,
+ "rules": {
+ "adminusername-should-not-be-literal": {
+ "level": "error"
+ },
+ "artifacts-parameters": {
+ "level": "error"
+ },
+ "decompiler-cleanup": {
+ "level": "error"
+ },
+ "max-outputs": {
+ "level": "error"
+ },
+ "max-params": {
+ "level": "error"
+ },
+ "max-resources": {
+ "level": "error"
+ },
+ "max-variables": {
+ "level": "error"
+ },
+ "no-hardcoded-env-urls": {
+ "level": "error",
+ "disallowedhosts": [
+ "management.core.windows.net",
+ "gallery.azure.com",
+ "management.core.windows.net",
+ "management.azure.com",
+ "login.microsoftonline.com",
+ "graph.windows.net",
+ "trafficmanager.net",
+ "vault.azure.net",
+ "datalake.azure.net",
+ "azuredatalakestore.net",
+ "azuredatalakeanalytics.net",
+ "vault.azure.net",
+ "api.loganalytics.io",
+ "api.loganalytics.iov1",
+ "asazure.windows.net",
+ "region.asazure.windows.net",
+ "api.loganalytics.iov1",
+ "api.loganalytics.io",
+ "asazure.windows.net",
+ "region.asazure.windows.net",
+ "batch.core.windows.net"
+ ],
+ "excludedhosts": [
+ "schema.management.azure.com"
+ ]
+ },
+ "no-hardcoded-location": {
+ "level": "error"
+ },
+ "no-loc-expr-outside-params": {
+ "level": "error"
+ },
+ "no-unnecessary-dependson": {
+ "level": "error"
+ },
+ "no-unused-existing-resources": {
+ "level": "error"
+ },
+ "no-unused-params": {
+ "level": "error"
+ },
+ "no-unused-vars": {
+ "level": "error"
+ },
+ "outputs-should-not-contain-secrets": {
+ "level": "error"
+ },
+ "prefer-interpolation": {
+ "level": "error"
+ },
+ "prefer-unquoted-property-names": {
+ "level": "error"
+ },
+ "protect-commandtoexecute-secrets": {
+ "level": "error"
+ },
+ "secure-parameter-default": {
+ "level": "error"
+ },
+ "secure-params-in-nested-deploy": {
+ "level": "error"
+ },
+ "secure-secrets-in-params": {
+ "level": "error"
+ },
+ "simplify-interpolation": {
+ "level": "error"
+ },
+ "simplify-json-null": {
+ "level": "error"
+ },
+ "use-parent-property": {
+ "level": "error"
+ },
+ "use-recent-api-versions": {
+ "level": "warning",
+ "maxAllowedAgeInDays": 730
+ },
+ "use-resource-id-functions": {
+ "level": "error"
+ },
+ "use-resource-symbol-reference": {
+ "level": "error"
+ },
+ "use-stable-resource-identifiers": {
+ "level": "error"
+ },
+ "use-stable-vm-image": {
+ "level": "error"
+ }
+ }
+ }
+ }
+}
diff --git a/dependencies/infra-as-code/bicep/modules/hubNetworking/generateddocs/hubNetworking.bicep.md b/dependencies/infra-as-code/bicep/modules/hubNetworking/generateddocs/hubNetworking.bicep.md
new file mode 100644
index 0000000..738a4cb
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/hubNetworking/generateddocs/hubNetworking.bicep.md
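Review bot: The `disallowedhosts` array under `no-hardcoded-env-urls` sets the host list for every template in this module directory, and the README added in the same patch says `database.windows.net` and `core.windows.net` were taken out of it to silence linter warnings. With those two gone, a hard-coded storage or SQL endpoint added to this module later would presumably no longer be reported at `error` level. A narrower fix is to keep both hosts in the list and put `#disable-next-line no-hardcoded-env-urls` above the specific .bicep lines that need the literal, so each exception stays visible in review. The array also lists `management.core.windows.net`, `vault.azure.net`, `api.loganalytics.io`, `api.loganalytics.iov1`, `asazure.windows.net` and `region.asazure.windows.net` twice; dropping the repeats makes it easier to see what is and is not covered.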
@@ -0,0 +1,589 @@ +# ALZ Bicep - Hub Networking Module + +ALZ Bicep Module used to set up Hub Networking + +## Parameters + +Parameter name | Required | Description +-------------- | -------- | ----------- +parLocation | No | The Azure Region to deploy the resources into. +parCompanyPrefix | No | Prefix value which will be prepended to all resource names. +parHubNetworkName | No | Name for Hub Network. +parHubNetworkAddressPrefix | No | The IP address range for Hub Network. +parSubnets | No | The name, IP address range, network security group, route table and delegation serviceName for each subnet in the virtual networks. +parDnsServerIps | No | Array of DNS Server IP addresses for VNet. +parPublicIpSku | No | Public IP Address SKU. +parPublicIpPrefix | No | Optional Prefix for Public IPs. Include a succedent dash if required. Example: prefix- +parPublicIpSuffix | No | Optional Suffix for Public IPs. Include a preceding dash if required. Example: -suffix +parAzBastionEnabled | No | Switch to enable/disable Azure Bastion deployment. +parAzBastionName | No | Name Associated with Bastion Service. +parAzBastionSku | No | Azure Bastion SKU. +parAzBastionTunneling | No | Switch to enable/disable Bastion native client support. This is only supported when the Standard SKU is used for Bastion as documented here: https://learn.microsoft.com/azure/bastion/native-client +parAzBastionNsgName | No | Name for Azure Bastion Subnet NSG. +parDdosEnabled | No | Switch to enable/disable DDoS Network Protection deployment. +parDdosPlanName | No | DDoS Plan Name. +parAzFirewallEnabled | No | Switch to enable/disable Azure Firewall deployment. +parAzFirewallName | No | Azure Firewall Name. +parAzFirewallPoliciesName | No | Azure Firewall Policies Name. +parAzFirewallTier | No | Azure Firewall Tier associated with the Firewall to deploy. +parAzFirewallAvailabilityZones | No | Availability Zones to deploy the Azure Firewall across. Region must support Availability Zones to use. 
If it does not then leave empty. +parAzErGatewayAvailabilityZones | No | Availability Zones to deploy the VPN/ER PIP across. Region must support Availability Zones to use. If it does not then leave empty. Ensure that you select a zonal SKU for the ER/VPN Gateway if using Availability Zones for the PIP. +parAzVpnGatewayAvailabilityZones | No | Availability Zones to deploy the VPN/ER PIP across. Region must support Availability Zones to use. If it does not then leave empty. Ensure that you select a zonal SKU for the ER/VPN Gateway if using Availability Zones for the PIP. +parAzFirewallDnsProxyEnabled | No | Switch to enable/disable Azure Firewall DNS Proxy. +parHubRouteTableName | No | Name of Route table to create for the default route of Hub. +parDisableBgpRoutePropagation | No | Switch to enable/disable BGP Propagation on route table. +parPrivateDnsZonesEnabled | No | Switch to enable/disable Private DNS Zones deployment. +parPrivateDnsZonesResourceGroup | No | Resource Group Name for Private DNS Zones. +parPrivateDnsZones | No | Array of DNS Zones to provision in Hub Virtual Network. Default: All known Azure Private DNS Zones +parPrivateDnsZoneAutoMergeAzureBackupZone | No | Set Parameter to false to skip the addition of a Private DNS Zone for Azure Backup. +parVpnGatewayConfig | No | Configuration for VPN virtual network gateway to be deployed. If a VPN virtual network gateway is not desired an empty object should be used as the input parameter in the parameter file, i.e. "parVpnGatewayConfig": { "value": {} } +parExpressRouteGatewayConfig | No | Configuration for ExpressRoute virtual network gateway to be deployed. If a ExpressRoute virtual network gateway is not desired an empty object should be used as the input parameter in the parameter file, i.e. "parExpressRouteGatewayConfig": { "value": {} } +parTags | No | Tags you would like to be applied to all resources in this module. 
+parTelemetryOptOut | No | Set Parameter to true to Opt-out of deployment telemetry. +parBastionOutboundSshRdpPorts | No | Define outbound destination ports or ranges for SSH or RDP that you want to access from Azure Bastion. + +### parLocation + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +The Azure Region to deploy the resources into. + +- Default value: `[resourceGroup().location]` + +### parCompanyPrefix + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Prefix value which will be prepended to all resource names. + +- Default value: `alz` + +### parHubNetworkName + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Name for Hub Network. + +- Default value: `[format('{0}-hub-{1}', parameters('parCompanyPrefix'), parameters('parLocation'))]` + +### parHubNetworkAddressPrefix + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +The IP address range for Hub Network. + +- Default value: `10.10.0.0/16` + +### parSubnets + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +The name, IP address range, network security group, route table and delegation serviceName for each subnet in the virtual networks. + +- Default value: ` ` + +### parDnsServerIps + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Array of DNS Server IP addresses for VNet. + +### parPublicIpSku + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Public IP Address SKU. + +- Default value: `Standard` + +- Allowed values: `Basic`, `Standard` + +### parPublicIpPrefix + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Optional Prefix for Public IPs. Include a succedent dash if required. 
Example: prefix- + +### parPublicIpSuffix + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Optional Suffix for Public IPs. Include a preceding dash if required. Example: -suffix + +- Default value: `-PublicIP` + +### parAzBastionEnabled + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Switch to enable/disable Azure Bastion deployment. + +- Default value: `True` + +### parAzBastionName + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Name Associated with Bastion Service. + +- Default value: `[format('{0}-bastion', parameters('parCompanyPrefix'))]` + +### parAzBastionSku + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Azure Bastion SKU. + +- Default value: `Standard` + +- Allowed values: `Basic`, `Standard` + +### parAzBastionTunneling + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Switch to enable/disable Bastion native client support. This is only supported when the Standard SKU is used for Bastion as documented here: https://learn.microsoft.com/azure/bastion/native-client + +- Default value: `False` + +### parAzBastionNsgName + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Name for Azure Bastion Subnet NSG. + +- Default value: `nsg-AzureBastionSubnet` + +### parDdosEnabled + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Switch to enable/disable DDoS Network Protection deployment. + +- Default value: `True` + +### parDdosPlanName + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +DDoS Plan Name. 
+ +- Default value: `[format('{0}-ddos-plan', parameters('parCompanyPrefix'))]` + +### parAzFirewallEnabled + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Switch to enable/disable Azure Firewall deployment. + +- Default value: `True` + +### parAzFirewallName + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Azure Firewall Name. + +- Default value: `[format('{0}-azfw-{1}', parameters('parCompanyPrefix'), parameters('parLocation'))]` + +### parAzFirewallPoliciesName + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Azure Firewall Policies Name. + +- Default value: `[format('{0}-azfwpolicy-{1}', parameters('parCompanyPrefix'), parameters('parLocation'))]` + +### parAzFirewallTier + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Azure Firewall Tier associated with the Firewall to deploy. + +- Default value: `Standard` + +- Allowed values: `Basic`, `Standard`, `Premium` + +### parAzFirewallAvailabilityZones + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Availability Zones to deploy the Azure Firewall across. Region must support Availability Zones to use. If it does not then leave empty. + +- Allowed values: `1`, `2`, `3` + +### parAzErGatewayAvailabilityZones + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Availability Zones to deploy the VPN/ER PIP across. Region must support Availability Zones to use. If it does not then leave empty. Ensure that you select a zonal SKU for the ER/VPN Gateway if using Availability Zones for the PIP. + +- Allowed values: `1`, `2`, `3` + +### parAzVpnGatewayAvailabilityZones + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Availability Zones to deploy the VPN/ER PIP across. 
Region must support Availability Zones to use. If it does not then leave empty. Ensure that you select a zonal SKU for the ER/VPN Gateway if using Availability Zones for the PIP. + +- Allowed values: `1`, `2`, `3` + +### parAzFirewallDnsProxyEnabled + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Switch to enable/disable Azure Firewall DNS Proxy. + +- Default value: `True` + +### parHubRouteTableName + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Name of Route table to create for the default route of Hub. + +- Default value: `[format('{0}-hub-routetable', parameters('parCompanyPrefix'))]` + +### parDisableBgpRoutePropagation + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Switch to enable/disable BGP Propagation on route table. + +- Default value: `False` + +### parPrivateDnsZonesEnabled + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Switch to enable/disable Private DNS Zones deployment. + +- Default value: `True` + +### parPrivateDnsZonesResourceGroup + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Resource Group Name for Private DNS Zones. + +- Default value: `[resourceGroup().name]` + +### parPrivateDnsZones + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Array of DNS Zones to provision in Hub Virtual Network. 
Default: All known Azure Private DNS Zones + +- Default value: `[format('privatelink.{0}.azmk8s.io', toLower(parameters('parLocation')))] [format('privatelink.{0}.batch.azure.com', toLower(parameters('parLocation')))] [format('privatelink.{0}.kusto.windows.net', toLower(parameters('parLocation')))] privatelink.adf.azure.com privatelink.afs.azure.net privatelink.agentsvc.azure-automation.net privatelink.analysis.windows.net privatelink.api.azureml.ms privatelink.azconfig.io privatelink.azure-api.net privatelink.azure-automation.net privatelink.azurecr.io privatelink.azure-devices.net privatelink.azure-devices-provisioning.net privatelink.azurehdinsight.net privatelink.azurehealthcareapis.com privatelink.azurestaticapps.net privatelink.azuresynapse.net privatelink.azurewebsites.net privatelink.batch.azure.com privatelink.blob.core.windows.net privatelink.cassandra.cosmos.azure.com privatelink.cognitiveservices.azure.com privatelink.database.windows.net privatelink.datafactory.azure.net privatelink.dev.azuresynapse.net privatelink.dfs.core.windows.net privatelink.dicom.azurehealthcareapis.com privatelink.digitaltwins.azure.net privatelink.directline.botframework.com privatelink.documents.azure.com privatelink.eventgrid.azure.net privatelink.file.core.windows.net privatelink.gremlin.cosmos.azure.com privatelink.guestconfiguration.azure.com privatelink.his.arc.azure.com privatelink.kubernetesconfiguration.azure.com privatelink.managedhsm.azure.net privatelink.mariadb.database.azure.com privatelink.media.azure.net privatelink.mongo.cosmos.azure.com privatelink.monitor.azure.com privatelink.mysql.database.azure.com privatelink.notebooks.azure.net privatelink.ods.opinsights.azure.com privatelink.oms.opinsights.azure.com privatelink.pbidedicated.windows.net privatelink.postgres.database.azure.com privatelink.prod.migration.windowsazure.com privatelink.purview.azure.com privatelink.purviewstudio.azure.com privatelink.queue.core.windows.net privatelink.redis.cache.windows.net 
privatelink.redisenterprise.cache.azure.net privatelink.search.windows.net privatelink.service.signalr.net privatelink.servicebus.windows.net privatelink.siterecovery.windowsazure.com privatelink.sql.azuresynapse.net privatelink.table.core.windows.net privatelink.table.cosmos.azure.com privatelink.tip1.powerquery.microsoft.com privatelink.token.botframework.com privatelink.vaultcore.azure.net privatelink.web.core.windows.net privatelink.webpubsub.azure.com` + +### parPrivateDnsZoneAutoMergeAzureBackupZone + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Set Parameter to false to skip the addition of a Private DNS Zone for Azure Backup. + +- Default value: `True` + +### parVpnGatewayConfig + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Configuration for VPN virtual network gateway to be deployed. If a VPN virtual network gateway is not desired an empty object should be used as the input parameter in the parameter file, i.e. +"parVpnGatewayConfig": { + "value": {} +} + +- Default value: `@{name=[format('{0}-Vpn-Gateway', parameters('parCompanyPrefix'))]; gatewayType=Vpn; sku=VpnGw1; vpnType=RouteBased; generation=Generation1; enableBgp=False; activeActive=False; enableBgpRouteTranslationForNat=False; enableDnsForwarding=False; bgpPeeringAddress=; bgpsettings=}` + +### parExpressRouteGatewayConfig + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Configuration for ExpressRoute virtual network gateway to be deployed. If a ExpressRoute virtual network gateway is not desired an empty object should be used as the input parameter in the parameter file, i.e. 
+"parExpressRouteGatewayConfig": { + "value": {} +} + +- Default value: `@{name=[format('{0}-ExpressRoute-Gateway', parameters('parCompanyPrefix'))]; gatewayType=ExpressRoute; sku=ErGw1AZ; vpnType=RouteBased; vpnGatewayGeneration=None; enableBgp=False; activeActive=False; enableBgpRouteTranslationForNat=False; enableDnsForwarding=False; bgpPeeringAddress=; bgpsettings=}` + +### parTags + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Tags you would like to be applied to all resources in this module. + +### parTelemetryOptOut + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Set Parameter to true to Opt-out of deployment telemetry. + +- Default value: `False` + +### parBastionOutboundSshRdpPorts + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Define outbound destination ports or ranges for SSH or RDP that you want to access from Azure Bastion. 
+ +- Default value: `22 3389` + +## Outputs + +Name | Type | Description +---- | ---- | ----------- +outAzFirewallPrivateIp | string | +outAzFirewallName | string | +outPrivateDnsZones | array | +outPrivateDnsZonesNames | array | +outDdosPlanResourceId | string | +outHubVirtualNetworkName | string | +outHubVirtualNetworkId | string | + +## Snippets + +### Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "template": "infra-as-code/bicep/modules/hubNetworking/hubNetworking.json" + }, + "parameters": { + "parLocation": { + "value": "[resourceGroup().location]" + }, + "parCompanyPrefix": { + "value": "alz" + }, + "parHubNetworkName": { + "value": "[format('{0}-hub-{1}', parameters('parCompanyPrefix'), parameters('parLocation'))]" + }, + "parHubNetworkAddressPrefix": { + "value": "10.10.0.0/16" + }, + "parSubnets": { + "value": [ + { + "name": "AzureBastionSubnet", + "ipAddressRange": "10.10.15.0/24", + "networkSecurityGroupId": "", + "routeTableId": "" + }, + { + "name": "GatewaySubnet", + "ipAddressRange": "10.10.252.0/24", + "networkSecurityGroupId": "", + "routeTableId": "" + }, + { + "name": "AzureFirewallSubnet", + "ipAddressRange": "10.10.254.0/24", + "networkSecurityGroupId": "", + "routeTableId": "" + }, + { + "name": "AzureFirewallManagementSubnet", + "ipAddressRange": "10.10.253.0/24", + "networkSecurityGroupId": "", + "routeTableId": "" + } + ] + }, + "parDnsServerIps": { + "value": [] + }, + "parPublicIpSku": { + "value": "Standard" + }, + "parPublicIpPrefix": { + "value": "" + }, + "parPublicIpSuffix": { + "value": "-PublicIP" + }, + "parAzBastionEnabled": { + "value": true + }, + "parAzBastionName": { + "value": "[format('{0}-bastion', parameters('parCompanyPrefix'))]" + }, + "parAzBastionSku": { + "value": "Standard" + }, + "parAzBastionTunneling": { + "value": false + }, + "parAzBastionNsgName": { + "value": 
"nsg-AzureBastionSubnet" + }, + "parDdosEnabled": { + "value": true + }, + "parDdosPlanName": { + "value": "[format('{0}-ddos-plan', parameters('parCompanyPrefix'))]" + }, + "parAzFirewallEnabled": { + "value": true + }, + "parAzFirewallName": { + "value": "[format('{0}-azfw-{1}', parameters('parCompanyPrefix'), parameters('parLocation'))]" + }, + "parAzFirewallPoliciesName": { + "value": "[format('{0}-azfwpolicy-{1}', parameters('parCompanyPrefix'), parameters('parLocation'))]" + }, + "parAzFirewallTier": { + "value": "Standard" + }, + "parAzFirewallAvailabilityZones": { + "value": [] + }, + "parAzErGatewayAvailabilityZones": { + "value": [] + }, + "parAzVpnGatewayAvailabilityZones": { + "value": [] + }, + "parAzFirewallDnsProxyEnabled": { + "value": true + }, + "parHubRouteTableName": { + "value": "[format('{0}-hub-routetable', parameters('parCompanyPrefix'))]" + }, + "parDisableBgpRoutePropagation": { + "value": false + }, + "parPrivateDnsZonesEnabled": { + "value": true + }, + "parPrivateDnsZonesResourceGroup": { + "value": "[resourceGroup().name]" + }, + "parPrivateDnsZones": { + "value": [ + "[format('privatelink.{0}.azmk8s.io', toLower(parameters('parLocation')))]", + "[format('privatelink.{0}.batch.azure.com', toLower(parameters('parLocation')))]", + "[format('privatelink.{0}.kusto.windows.net', toLower(parameters('parLocation')))]", + "privatelink.adf.azure.com", + "privatelink.afs.azure.net", + "privatelink.agentsvc.azure-automation.net", + "privatelink.analysis.windows.net", + "privatelink.api.azureml.ms", + "privatelink.azconfig.io", + "privatelink.azure-api.net", + "privatelink.azure-automation.net", + "privatelink.azurecr.io", + "privatelink.azure-devices.net", + "privatelink.azure-devices-provisioning.net", + "privatelink.azurehdinsight.net", + "privatelink.azurehealthcareapis.com", + "privatelink.azurestaticapps.net", + "privatelink.azuresynapse.net", + "privatelink.azurewebsites.net", + "privatelink.batch.azure.com", + 
"privatelink.blob.core.windows.net", + "privatelink.cassandra.cosmos.azure.com", + "privatelink.cognitiveservices.azure.com", + "privatelink.database.windows.net", + "privatelink.datafactory.azure.net", + "privatelink.dev.azuresynapse.net", + "privatelink.dfs.core.windows.net", + "privatelink.dicom.azurehealthcareapis.com", + "privatelink.digitaltwins.azure.net", + "privatelink.directline.botframework.com", + "privatelink.documents.azure.com", + "privatelink.eventgrid.azure.net", + "privatelink.file.core.windows.net", + "privatelink.gremlin.cosmos.azure.com", + "privatelink.guestconfiguration.azure.com", + "privatelink.his.arc.azure.com", + "privatelink.kubernetesconfiguration.azure.com", + "privatelink.managedhsm.azure.net", + "privatelink.mariadb.database.azure.com", + "privatelink.media.azure.net", + "privatelink.mongo.cosmos.azure.com", + "privatelink.monitor.azure.com", + "privatelink.mysql.database.azure.com", + "privatelink.notebooks.azure.net", + "privatelink.ods.opinsights.azure.com", + "privatelink.oms.opinsights.azure.com", + "privatelink.pbidedicated.windows.net", + "privatelink.postgres.database.azure.com", + "privatelink.prod.migration.windowsazure.com", + "privatelink.purview.azure.com", + "privatelink.purviewstudio.azure.com", + "privatelink.queue.core.windows.net", + "privatelink.redis.cache.windows.net", + "privatelink.redisenterprise.cache.azure.net", + "privatelink.search.windows.net", + "privatelink.service.signalr.net", + "privatelink.servicebus.windows.net", + "privatelink.siterecovery.windowsazure.com", + "privatelink.sql.azuresynapse.net", + "privatelink.table.core.windows.net", + "privatelink.table.cosmos.azure.com", + "privatelink.tip1.powerquery.microsoft.com", + "privatelink.token.botframework.com", + "privatelink.vaultcore.azure.net", + "privatelink.web.core.windows.net", + "privatelink.webpubsub.azure.com" + ] + }, + "parPrivateDnsZoneAutoMergeAzureBackupZone": { + "value": true + }, + "parVpnGatewayConfig": { + "value": { + "name": 
"[format('{0}-Vpn-Gateway', parameters('parCompanyPrefix'))]", + "gatewayType": "Vpn", + "sku": "VpnGw1", + "vpnType": "RouteBased", + "generation": "Generation1", + "enableBgp": false, + "activeActive": false, + "enableBgpRouteTranslationForNat": false, + "enableDnsForwarding": false, + "bgpPeeringAddress": "", + "bgpsettings": { + "asn": 65515, + "bgpPeeringAddress": "", + "peerWeight": 5 + } + } + }, + "parExpressRouteGatewayConfig": { + "value": { + "name": "[format('{0}-ExpressRoute-Gateway', parameters('parCompanyPrefix'))]", + "gatewayType": "ExpressRoute", + "sku": "ErGw1AZ", + "vpnType": "RouteBased", + "vpnGatewayGeneration": "None", + "enableBgp": false, + "activeActive": false, + "enableBgpRouteTranslationForNat": false, + "enableDnsForwarding": false, + "bgpPeeringAddress": "", + "bgpsettings": { + "asn": "65515", + "bgpPeeringAddress": "", + "peerWeight": "5" + } + } + }, + "parTags": { + "value": {} + }, + "parTelemetryOptOut": { + "value": false + }, + "parBastionOutboundSshRdpPorts": { + "value": [ + "22", + "3389" + ] + } + } +} +``` diff --git a/dependencies/infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep b/dependencies/infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep new file mode 100644 index 0000000..4a62a4d --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep 
@@ -0,0 +1,795 @@ +metadata name = 'ALZ Bicep - Hub Networking Module' +metadata description = 'ALZ Bicep Module used to set up Hub Networking' + +@sys.description('The Azure Region to deploy the resources into.') +param parLocation string = resourceGroup().location + +@sys.description('Prefix value which will be prepended to all resource names.') +param parCompanyPrefix string = 'alz' + +@sys.description('Name for Hub Network.') +param parHubNetworkName string = '${parCompanyPrefix}-hub-${parLocation}' + +@sys.description('The IP address range for Hub Network.') +param parHubNetworkAddressPrefix string = '10.10.0.0/16' + +@sys.description('The name, IP address range, network security group, route table and delegation serviceName for each subnet in the virtual networks.') +param parSubnets array = [ + { + name: 'AzureBastionSubnet' + ipAddressRange: '10.10.15.0/24' + networkSecurityGroupId: '' + routeTableId: '' + } + { + name: 'GatewaySubnet' + ipAddressRange: '10.10.252.0/24' + networkSecurityGroupId: '' + routeTableId: '' + } + { + name: 'AzureFirewallSubnet' + ipAddressRange: '10.10.254.0/24' + networkSecurityGroupId: '' + routeTableId: '' + } + { + name: 'AzureFirewallManagementSubnet' + ipAddressRange: '10.10.253.0/24' + networkSecurityGroupId: '' + routeTableId: '' + } +] + +@sys.description('Array of DNS Server IP addresses for VNet.') +param parDnsServerIps array = [] + +@sys.description('Public IP Address SKU.') +@allowed([ + 'Basic' + 'Standard' +]) +param parPublicIpSku string = 'Standard' + +@sys.description('Optional Prefix for Public IPs. Include a succedent dash if required. Example: prefix-') +param parPublicIpPrefix string = '' + +@sys.description('Optional Suffix for Public IPs. Include a preceding dash if required. 
Example: -suffix') +param parPublicIpSuffix string = '-PublicIP' + +@sys.description('Switch to enable/disable Azure Bastion deployment.') +param parAzBastionEnabled bool = true + +@sys.description('Name Associated with Bastion Service.') +param parAzBastionName string = '${parCompanyPrefix}-bastion' + +@sys.description('Azure Bastion SKU.') +@allowed([ + 'Basic' + 'Standard' +]) +param parAzBastionSku string = 'Standard' + +@sys.description('Switch to enable/disable Bastion native client support. This is only supported when the Standard SKU is used for Bastion as documented here: https://learn.microsoft.com/azure/bastion/native-client') +param parAzBastionTunneling bool = false + +@sys.description('Name for Azure Bastion Subnet NSG.') +param parAzBastionNsgName string = 'nsg-AzureBastionSubnet' + +@sys.description('Switch to enable/disable DDoS Network Protection deployment.') +param parDdosEnabled bool = true + +@sys.description('DDoS Plan Name.') +param parDdosPlanName string = '${parCompanyPrefix}-ddos-plan' + +@sys.description('Switch to enable/disable Azure Firewall deployment.') +param parAzFirewallEnabled bool = true + +@sys.description('Azure Firewall Name.') +param parAzFirewallName string = '${parCompanyPrefix}-azfw-${parLocation}' + +@sys.description('Azure Firewall Policies Name.') +param parAzFirewallPoliciesName string = '${parCompanyPrefix}-azfwpolicy-${parLocation}' + +@sys.description('Azure Firewall Tier associated with the Firewall to deploy.') +@allowed([ + 'Basic' + 'Standard' + 'Premium' +]) +param parAzFirewallTier string = 'Standard' + +@allowed([ + '1' + '2' + '3' +]) +@sys.description('Availability Zones to deploy the Azure Firewall across. Region must support Availability Zones to use. If it does not then leave empty.') +param parAzFirewallAvailabilityZones array = [] + +@allowed([ + '1' + '2' + '3' +]) +@sys.description('Availability Zones to deploy the VPN/ER PIP across. Region must support Availability Zones to use. 
If it does not then leave empty. Ensure that you select a zonal SKU for the ER/VPN Gateway if using Availability Zones for the PIP.') +param parAzErGatewayAvailabilityZones array = [] + +@allowed([ + '1' + '2' + '3' +]) +@sys.description('Availability Zones to deploy the VPN/ER PIP across. Region must support Availability Zones to use. If it does not then leave empty. Ensure that you select a zonal SKU for the ER/VPN Gateway if using Availability Zones for the PIP.') +param parAzVpnGatewayAvailabilityZones array = [] + +@sys.description('Switch to enable/disable Azure Firewall DNS Proxy.') +param parAzFirewallDnsProxyEnabled bool = true + +@sys.description('Name of Route table to create for the default route of Hub.') +param parHubRouteTableName string = '${parCompanyPrefix}-hub-routetable' + +@sys.description('Switch to enable/disable BGP Propagation on route table.') +param parDisableBgpRoutePropagation bool = false + +@sys.description('Switch to enable/disable Private DNS Zones deployment.') +param parPrivateDnsZonesEnabled bool = true + +@sys.description('Resource Group Name for Private DNS Zones.') +param parPrivateDnsZonesResourceGroup string = resourceGroup().name + +@sys.description('Array of DNS Zones to provision in Hub Virtual Network. 
Default: All known Azure Private DNS Zones') +param parPrivateDnsZones array = [ + 'privatelink.${toLower(parLocation)}.azmk8s.io' + 'privatelink.${toLower(parLocation)}.batch.azure.com' + 'privatelink.${toLower(parLocation)}.kusto.windows.net' + 'privatelink.adf.azure.com' + 'privatelink.afs.azure.net' + 'privatelink.agentsvc.azure-automation.net' + 'privatelink.analysis.windows.net' + 'privatelink.api.azureml.ms' + 'privatelink.azconfig.io' + 'privatelink.azure-api.net' + 'privatelink.azure-automation.net' + 'privatelink.azurecr.io' + 'privatelink.azure-devices.net' + 'privatelink.azure-devices-provisioning.net' + 'privatelink.azurehdinsight.net' + 'privatelink.azurehealthcareapis.com' + 'privatelink.azurestaticapps.net' + 'privatelink.azuresynapse.net' + 'privatelink.azurewebsites.net' + 'privatelink.batch.azure.com' + 'privatelink.blob.core.windows.net' + 'privatelink.cassandra.cosmos.azure.com' + 'privatelink.cognitiveservices.azure.com' + 'privatelink.database.windows.net' + 'privatelink.datafactory.azure.net' + 'privatelink.dev.azuresynapse.net' + 'privatelink.dfs.core.windows.net' + 'privatelink.dicom.azurehealthcareapis.com' + 'privatelink.digitaltwins.azure.net' + 'privatelink.directline.botframework.com' + 'privatelink.documents.azure.com' + 'privatelink.eventgrid.azure.net' + 'privatelink.file.core.windows.net' + 'privatelink.gremlin.cosmos.azure.com' + 'privatelink.guestconfiguration.azure.com' + 'privatelink.his.arc.azure.com' + 'privatelink.kubernetesconfiguration.azure.com' + 'privatelink.managedhsm.azure.net' + 'privatelink.mariadb.database.azure.com' + 'privatelink.media.azure.net' + 'privatelink.mongo.cosmos.azure.com' + 'privatelink.monitor.azure.com' + 'privatelink.mysql.database.azure.com' + 'privatelink.notebooks.azure.net' + 'privatelink.ods.opinsights.azure.com' + 'privatelink.oms.opinsights.azure.com' + 'privatelink.pbidedicated.windows.net' + 'privatelink.postgres.database.azure.com' + 'privatelink.prod.migration.windowsazure.com' + 
'privatelink.purview.azure.com' + 'privatelink.purviewstudio.azure.com' + 'privatelink.queue.core.windows.net' + 'privatelink.redis.cache.windows.net' + 'privatelink.redisenterprise.cache.azure.net' + 'privatelink.search.windows.net' + 'privatelink.service.signalr.net' + 'privatelink.servicebus.windows.net' + 'privatelink.siterecovery.windowsazure.com' + 'privatelink.sql.azuresynapse.net' + 'privatelink.table.core.windows.net' + 'privatelink.table.cosmos.azure.com' + 'privatelink.tip1.powerquery.microsoft.com' + 'privatelink.token.botframework.com' + 'privatelink.vaultcore.azure.net' + 'privatelink.web.core.windows.net' + 'privatelink.webpubsub.azure.com' +] + +@sys.description('Set Parameter to false to skip the addition of a Private DNS Zone for Azure Backup.') +param parPrivateDnsZoneAutoMergeAzureBackupZone bool = true + +//ASN must be 65515 if deploying VPN & ER for co-existence to work: https://docs.microsoft.com/en-us/azure/expressroute/expressroute-howto-coexist-resource-manager#limits-and-limitations +@sys.description('''Configuration for VPN virtual network gateway to be deployed. If a VPN virtual network gateway is not desired an empty object should be used as the input parameter in the parameter file, i.e. +"parVpnGatewayConfig": { + "value": {} +}''') +param parVpnGatewayConfig object = { + name: '${parCompanyPrefix}-Vpn-Gateway' + gatewayType: 'Vpn' + sku: 'VpnGw1' + vpnType: 'RouteBased' + generation: 'Generation1' + enableBgp: false + activeActive: false + enableBgpRouteTranslationForNat: false + enableDnsForwarding: false + bgpPeeringAddress: '' + bgpsettings: { + asn: 65515 + bgpPeeringAddress: '' + peerWeight: 5 + } +} + +@sys.description('''Configuration for ExpressRoute virtual network gateway to be deployed. If a ExpressRoute virtual network gateway is not desired an empty object should be used as the input parameter in the parameter file, i.e. 
+"parExpressRouteGatewayConfig": {
+ "value": {}
+}''')
+param parExpressRouteGatewayConfig object = {
+ name: '${parCompanyPrefix}-ExpressRoute-Gateway'
+ gatewayType: 'ExpressRoute'
+ sku: 'ErGw1AZ'
+ vpnType: 'RouteBased'
+ vpnGatewayGeneration: 'None'
+ enableBgp: false
+ activeActive: false
+ enableBgpRouteTranslationForNat: false
+ enableDnsForwarding: false
+ bgpPeeringAddress: ''
+ bgpsettings: {
+ asn: '65515'
+ bgpPeeringAddress: ''
+ peerWeight: '5'
+ }
+}
+
+@sys.description('Tags you would like to be applied to all resources in this module.')
+param parTags object = {}
+
+@sys.description('Set Parameter to true to Opt-out of deployment telemetry.')
+param parTelemetryOptOut bool = false
+
+@sys.description('Define outbound destination ports or ranges for SSH or RDP that you want to access from Azure Bastion.')
+param parBastionOutboundSshRdpPorts array = [ '22', '3389' ]
+
+var varSubnetMap = map(range(0, length(parSubnets)), i => {
+ name: parSubnets[i].name
+ ipAddressRange: parSubnets[i].ipAddressRange
+ networkSecurityGroupId: contains(parSubnets[i], 'networkSecurityGroupId') ? parSubnets[i].networkSecurityGroupId : ''
+ routeTableId: contains(parSubnets[i], 'routeTableId') ? parSubnets[i].routeTableId : ''
+ delegation: contains(parSubnets[i], 'delegation') ? parSubnets[i].delegation : ''
+ })
+
+var varSubnetProperties = [for subnet in varSubnetMap: {
+ name: subnet.name
+ properties: {
+ addressPrefix: subnet.ipAddressRange
+
+ delegations: (empty(subnet.delegation)) ? null : [
+ {
+ name: subnet.delegation
+ properties: {
+ serviceName: subnet.delegation
+ }
+ }
+ ]
+
+ networkSecurityGroup: (subnet.name == 'AzureBastionSubnet' && parAzBastionEnabled) ? {
+ id: '${resourceGroup().id}/providers/Microsoft.Network/networkSecurityGroups/${parAzBastionNsgName}'
+ } : (empty(subnet.networkSecurityGroupId)) ? null : {
+ id: subnet.networkSecurityGroupId
+ }
+
+ routeTable: (empty(subnet.routeTableId)) ? null : {
+ id: subnet.routeTableId
+ }
+ }
+}]
+
+var varVpnGwConfig = ((!empty(parVpnGatewayConfig)) ? parVpnGatewayConfig : json('{"name": "noconfigVpn"}'))
+
+var varErGwConfig = ((!empty(parExpressRouteGatewayConfig)) ? parExpressRouteGatewayConfig : json('{"name": "noconfigEr"}'))
+
+var varGwConfig = [
+ varVpnGwConfig
+ varErGwConfig
+]
+
+// Customer Usage Attribution Id Telemetry
+var varCuaid = '2686e846-5fdc-4d4f-b533-16dcb09d6e6c'
+
+// ZTN Telemetry
+var varZtnP1CuaId = '3ab23b1e-c5c5-42d4-b163-1402384ba2db'
+var varZtnP1Trigger = (parDdosEnabled && parAzFirewallEnabled && (parAzFirewallTier == 'Premium')) ? true : false
+
+//DDos Protection plan will only be enabled if parDdosEnabled is true.
+resource resDdosProtectionPlan 'Microsoft.Network/ddosProtectionPlans@2023-02-01' = if (parDdosEnabled) {
+ name: parDdosPlanName
+ location: parLocation
+ tags: parTags
+}
+
+resource resHubVnet 'Microsoft.Network/virtualNetworks@2023-02-01' = {
+ dependsOn: [
+ resBastionNsg
+ ]
+ name: parHubNetworkName
+ location: parLocation
+ tags: parTags
+ properties: {
+ addressSpace: {
+ addressPrefixes: [
+ parHubNetworkAddressPrefix
+ ]
+ }
+ dhcpOptions: {
+ dnsServers: parDnsServerIps
+ }
+ subnets: varSubnetProperties
+ enableDdosProtection: parDdosEnabled
+ ddosProtectionPlan: (parDdosEnabled) ? {
+ id: resDdosProtectionPlan.id
+ } : null
+ }
+}
+
+module modBastionPublicIp '../publicIp/publicIp.bicep' = if (parAzBastionEnabled) {
+ name: 'deploy-Bastion-Public-IP'
+ params: {
+ parLocation: parLocation
+ parPublicIpName: '${parPublicIpPrefix}${parAzBastionName}${parPublicIpSuffix}'
+ parPublicIpSku: {
+ name: parPublicIpSku
+ }
+ parPublicIpProperties: {
+ publicIpAddressVersion: 'IPv4'
+ publicIpAllocationMethod: 'Static'
+ }
+ parTags: parTags
+ parTelemetryOptOut: parTelemetryOptOut
+ }
+}
+
+resource resBastionSubnetRef 'Microsoft.Network/virtualNetworks/subnets@2023-02-01' existing = {
+ parent: resHubVnet
+ name: 'AzureBastionSubnet'
+}
+
+resource resBastionNsg 'Microsoft.Network/networkSecurityGroups@2023-02-01' = if (parAzBastionEnabled) {
+ name: parAzBastionNsgName
+ location: parLocation
+ tags: parTags
+
+ properties: {
+ securityRules: [
+ // Inbound Rules
+ {
+ name: 'AllowHttpsInbound'
+ properties: {
+ access: 'Allow'
+ direction: 'Inbound'
+ priority: 120
+ sourceAddressPrefix: 'Internet'
+ destinationAddressPrefix: '*'
+ protocol: 'Tcp'
+ sourcePortRange: '*'
+ destinationPortRange: '443'
+ }
+ }
+ {
+ name: 'AllowGatewayManagerInbound'
+ properties: {
+ access: 'Allow'
+ direction: 'Inbound'
+ priority: 130
+ sourceAddressPrefix: 'GatewayManager'
+ destinationAddressPrefix: '*'
+ protocol: 'Tcp'
+ sourcePortRange: '*'
+ destinationPortRange: '443'
+ }
+ }
+ {
+ name: 'AllowAzureLoadBalancerInbound'
+ properties: {
+ access: 'Allow'
+ direction: 'Inbound'
+ priority: 140
+ sourceAddressPrefix: 'AzureLoadBalancer'
+ destinationAddressPrefix: '*'
+ protocol: 'Tcp'
+ sourcePortRange: '*'
+ destinationPortRange: '443'
+ }
+ }
+ {
+ name: 'AllowBastionHostCommunication'
+ properties: {
+ access: 'Allow'
+ direction: 'Inbound'
+ priority: 150
+ sourceAddressPrefix: 'VirtualNetwork'
+ destinationAddressPrefix: 'VirtualNetwork'
+ protocol: 'Tcp'
+ sourcePortRange: '*'
+ destinationPortRanges: [
+ '8080'
+ '5701'
+ ]
+ }
+ }
+ {
+ name: 'DenyAllInbound'
+ properties: {
+ access: 'Deny'
+ direction: 'Inbound'
+ priority: 4096
+ sourceAddressPrefix: '*'
+ destinationAddressPrefix: '*'
+ protocol: '*'
+ sourcePortRange: '*'
+ destinationPortRange: '*'
+ }
+ }
+ // Outbound Rules
+ {
+ name: 'AllowSshRdpOutbound'
+ properties: {
+ access: 'Allow'
+ direction: 'Outbound'
+ priority: 100
+ sourceAddressPrefix: '*'
+ destinationAddressPrefix: 'VirtualNetwork'
+ protocol: '*'
+ sourcePortRange: '*'
+ destinationPortRanges: parBastionOutboundSshRdpPorts
+ }
+ }
+ {
+ name: 'AllowAzureCloudOutbound'
+ properties: {
+ access: 'Allow'
+ direction: 'Outbound'
+ priority: 110
+ sourceAddressPrefix: '*'
+ destinationAddressPrefix: 'AzureCloud'
+ protocol: 'Tcp'
+ sourcePortRange: '*'
+ destinationPortRange: '443'
+ }
+ }
+ {
+ name: 'AllowBastionCommunication'
+ properties: {
+ access: 'Allow'
+ direction: 'Outbound'
+ priority: 120
+ sourceAddressPrefix: 'VirtualNetwork'
+ destinationAddressPrefix: 'VirtualNetwork'
+ protocol: '*'
+ sourcePortRange: '*'
+ destinationPortRanges: [
+ '8080'
+ '5701'
+ ]
+ }
+ }
+ {
+ name: 'AllowGetSessionInformation'
+ properties: {
+ access: 'Allow'
+ direction: 'Outbound'
+ priority: 130
+ sourceAddressPrefix: '*'
+ destinationAddressPrefix: 'Internet'
+ protocol: '*'
+ sourcePortRange: '*'
+ destinationPortRange: '80'
+ }
+ }
+ {
+ name: 'DenyAllOutbound'
+ properties: {
+ access: 'Deny'
+ direction: 'Outbound'
+ priority: 4096
+ sourceAddressPrefix: '*'
+ destinationAddressPrefix: '*'
+ protocol: '*'
+ sourcePortRange: '*'
+ destinationPortRange: '*'
+ }
+ }
+ ]
+ }
+}
+
+// AzureBastionSubnet is required to deploy Bastion service. This subnet must exist in the parsubnets array if you enable Bastion Service.
+// There is a minimum subnet requirement of /27 prefix.
+// If you are deploying standard this needs to be larger. https://docs.microsoft.com/en-us/azure/bastion/configuration-settings#subnet
+resource resBastion 'Microsoft.Network/bastionHosts@2023-02-01' = if (parAzBastionEnabled) {
+ location: parLocation
+ name: parAzBastionName
+ tags: parTags
+ sku: {
+ name: parAzBastionSku
+ }
+ properties: {
+ dnsName: uniqueString(resourceGroup().id)
+ enableTunneling: (parAzBastionSku == 'Standard' && parAzBastionTunneling) ? parAzBastionTunneling : false
+ ipConfigurations: [
+ {
+ name: 'IpConf'
+ properties: {
+ subnet: {
+ id: resBastionSubnetRef.id
+ }
+ publicIPAddress: {
+ id: parAzBastionEnabled ? modBastionPublicIp.outputs.outPublicIpId : ''
+ }
+ }
+ }
+ ]
+ }
+}
+
+resource resGatewaySubnetRef 'Microsoft.Network/virtualNetworks/subnets@2023-02-01' existing = {
+ parent: resHubVnet
+ name: 'GatewaySubnet'
+}
+
+module modGatewayPublicIp '../publicIp/publicIp.bicep' = [for (gateway, i) in varGwConfig: if ((gateway.name != 'noconfigVpn') && (gateway.name != 'noconfigEr')) {
+ name: 'deploy-Gateway-Public-IP-${i}'
+ params: {
+ parLocation: parLocation
+ parAvailabilityZones: gateway.gatewayType == 'ExpressRoute' ? parAzErGatewayAvailabilityZones : gateway.gatewayType == 'Vpn' ? parAzVpnGatewayAvailabilityZones : []
+ parPublicIpName: '${parPublicIpPrefix}${gateway.name}${parPublicIpSuffix}'
+ parPublicIpProperties: {
+ publicIpAddressVersion: 'IPv4'
+ publicIpAllocationMethod: 'Static'
+ }
+ parPublicIpSku: {
+ name: parPublicIpSku
+ }
+ parTags: parTags
+ parTelemetryOptOut: parTelemetryOptOut
+ }
+}]
+
+//Minumum subnet size is /27 supporting documentation https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings#gwsub
+resource resGateway 'Microsoft.Network/virtualNetworkGateways@2023-02-01' = [for (gateway, i) in varGwConfig: if ((gateway.name != 'noconfigVpn') && (gateway.name != 'noconfigEr')) {
+ name: gateway.name
+ location: parLocation
+ tags: parTags
+ properties: {
+ activeActive: gateway.activeActive
+ enableBgp: gateway.enableBgp
+ enableBgpRouteTranslationForNat: gateway.enableBgpRouteTranslationForNat
+ enableDnsForwarding: gateway.enableDnsForwarding
+ bgpSettings: (gateway.enableBgp) ? gateway.bgpSettings : null
+ gatewayType: gateway.gatewayType
+ vpnGatewayGeneration: (gateway.gatewayType == 'VPN') ? gateway.generation : 'None'
+ vpnType: gateway.vpnType
+ sku: {
+ name: gateway.sku
+ tier: gateway.sku
+ }
+ ipConfigurations: [
+ {
+ id: resHubVnet.id
+ name: 'vnetGatewayConfig'
+ properties: {
+ publicIPAddress: {
+ id: (((gateway.name != 'noconfigVpn') && (gateway.name != 'noconfigEr')) ? modGatewayPublicIp[i].outputs.outPublicIpId : 'na')
+ }
+ subnet: {
+ id: resGatewaySubnetRef.id
+ }
+ }
+ }
+ ]
+ }
+}]
+
+resource resAzureFirewallSubnetRef 'Microsoft.Network/virtualNetworks/subnets@2023-02-01' existing = {
+ parent: resHubVnet
+ name: 'AzureFirewallSubnet'
+}
+
+resource resAzureFirewallMgmtSubnetRef 'Microsoft.Network/virtualNetworks/subnets@2023-02-01' existing = if (parAzFirewallEnabled && (contains(map(parSubnets, subnets => subnets.name), 'AzureFirewallManagementSubnet'))) {
+ parent: resHubVnet
+ name: 'AzureFirewallManagementSubnet'
+}
+
+module modAzureFirewallPublicIp '../publicIp/publicIp.bicep' = if (parAzFirewallEnabled) {
+ name: 'deploy-Firewall-Public-IP'
+ params: {
+ parLocation: parLocation
+ parAvailabilityZones: parAzFirewallAvailabilityZones
+ parPublicIpName: '${parPublicIpPrefix}${parAzFirewallName}${parPublicIpSuffix}'
+ parPublicIpProperties: {
+ publicIpAddressVersion: 'IPv4'
+ publicIpAllocationMethod: 'Static'
+ }
+ parPublicIpSku: {
+ name: parPublicIpSku
+ }
+ parTags: parTags
+ parTelemetryOptOut: parTelemetryOptOut
+ }
+}
+
+module modAzureFirewallMgmtPublicIp '../publicIp/publicIp.bicep' = if (parAzFirewallEnabled && (contains(map(parSubnets, subnets => subnets.name), 'AzureFirewallManagementSubnet'))) {
+ name: 'deploy-Firewall-mgmt-Public-IP'
+ params: {
+ parLocation: parLocation
+ parAvailabilityZones: parAzFirewallAvailabilityZones
+ parPublicIpName: '${parPublicIpPrefix}${parAzFirewallName}-mgmt${parPublicIpSuffix}'
+ parPublicIpProperties: {
+ publicIpAddressVersion: 'IPv4'
+ publicIpAllocationMethod: 'Static'
+ }
+ parPublicIpSku: {
+ name: 'Standard'
+ }
+ parTags: parTags
+ parTelemetryOptOut: parTelemetryOptOut
+ }
+}
+
+resource resFirewallPolicies 'Microsoft.Network/firewallPolicies@2023-02-01' = if (parAzFirewallEnabled) {
+ dependsOn:[resHubVnet, modAzureFirewallPublicIp, modAzureFirewallMgmtPublicIp]
+ name: parAzFirewallPoliciesName
+ location: parLocation
+ tags: parTags
+ properties: (parAzFirewallTier == 'Basic') ? {
+ sku: {
+ tier: parAzFirewallTier
+ }
+ } : {
+ dnsSettings: {
+ enableProxy: parAzFirewallDnsProxyEnabled
+ }
+ sku: {
+ tier: parAzFirewallTier
+ }
+ }
+}
+
+// AzureFirewallSubnet is required to deploy Azure Firewall . This subnet must exist in the parsubnets array if you deploy.
+// There is a minimum subnet requirement of /26 prefix.
+resource resAzureFirewall 'Microsoft.Network/azureFirewalls@2023-02-01' = if (parAzFirewallEnabled) {
+ dependsOn: [
+ resGateway
+ ]
+ name: parAzFirewallName
+ location: parLocation
+ tags: parTags
+ zones: (!empty(parAzFirewallAvailabilityZones) ? parAzFirewallAvailabilityZones : [])
+ properties: parAzFirewallTier == 'Basic' ? {
+ ipConfigurations: [
+ {
+ name: 'ipconfig1'
+ properties: {
+ subnet: {
+ id: resAzureFirewallSubnetRef.id
+ }
+ publicIPAddress: {
+ id: parAzFirewallEnabled ? modAzureFirewallPublicIp.outputs.outPublicIpId : ''
+ }
+ }
+ }
+ ]
+ managementIpConfiguration: {
+ name: 'mgmtIpConfig'
+ properties: {
+ publicIPAddress: {
+ id: parAzFirewallEnabled ? modAzureFirewallMgmtPublicIp.outputs.outPublicIpId : ''
+ }
+ subnet: {
+ id: resAzureFirewallMgmtSubnetRef.id
+ }
+ }
+ }
+ sku: {
+ name: 'AZFW_VNet'
+ tier: parAzFirewallTier
+ }
+ firewallPolicy: {
+ id: resFirewallPolicies.id
+ }
+ } : {
+ ipConfigurations: [
+ {
+ name: 'ipconfig1'
+ properties: {
+ subnet: {
+ id: resAzureFirewallSubnetRef.id
+ }
+ publicIPAddress: {
+ id: parAzFirewallEnabled ? modAzureFirewallPublicIp.outputs.outPublicIpId : ''
+ }
+ }
+ }
+ ]
+ sku: {
+ name: 'AZFW_VNet'
+ tier: parAzFirewallTier
+ }
+ firewallPolicy: {
+ id: resFirewallPolicies.id
+ }
+ }
+}
+
+//If Azure Firewall is enabled we will deploy a RouteTable to redirect Traffic to the Firewall.
+resource resHubRouteTable 'Microsoft.Network/routeTables@2023-02-01' = if (parAzFirewallEnabled) {
+ name: parHubRouteTableName
+ location: parLocation
+ tags: parTags
+ properties: {
+ routes: [
+ {
+ name: 'udr-default-azfw'
+ properties: {
+ addressPrefix: '0.0.0.0/0'
+ nextHopType: 'VirtualAppliance'
+ nextHopIpAddress: parAzFirewallEnabled ? resAzureFirewall.properties.ipConfigurations[0].properties.privateIPAddress : ''
+ }
+ }
+ ]
+ disableBgpRoutePropagation: parDisableBgpRoutePropagation
+ }
+}
+
+module modPrivateDnsZones '../privateDnsZones/privateDnsZones.bicep' = if (parPrivateDnsZonesEnabled) {
+ name: 'deploy-Private-DNS-Zones'
+ scope: resourceGroup(parPrivateDnsZonesResourceGroup)
+ params: {
+ parLocation: parLocation
+ parTags: parTags
+ parVirtualNetworkIdToLink: resHubVnet.id
+ parPrivateDnsZones: parPrivateDnsZones
+ parPrivateDnsZoneAutoMergeAzureBackupZone: parPrivateDnsZoneAutoMergeAzureBackupZone
+ parTelemetryOptOut: parTelemetryOptOut
+ }
+}
+
+// Optional Deployments for Customer Usage Attribution
+module modCustomerUsageAttribution '../../CRML/customerUsageAttribution/cuaIdResourceGroup.bicep' = if (!parTelemetryOptOut) {
+ #disable-next-line no-loc-expr-outside-params //Only to ensure telemetry data is stored in same location as deployment. See https://github.com/Azure/ALZ-Bicep/wiki/FAQ#why-are-some-linter-rules-disabled-via-the-disable-next-line-bicep-function for more information
+ name: 'pid-${varCuaid}-${uniqueString(resourceGroup().location)}'
+ params: {}
+}
+
+module modCustomerUsageAttributionZtnP1 '../../CRML/customerUsageAttribution/cuaIdResourceGroup.bicep' = if (!parTelemetryOptOut && varZtnP1Trigger) {
+ #disable-next-line no-loc-expr-outside-params //Only to ensure telemetry data is stored in same location as deployment. See https://github.com/Azure/ALZ-Bicep/wiki/FAQ#why-are-some-linter-rules-disabled-via-the-disable-next-line-bicep-function for more information
+ name: 'pid-${varZtnP1CuaId}-${uniqueString(resourceGroup().location)}'
+ params: {}
+}
+
+//If Azure Firewall is enabled we will deploy a RouteTable to redirect Traffic to the Firewall.
+output outAzFirewallPrivateIp string = parAzFirewallEnabled ? resAzureFirewall.properties.ipConfigurations[0].properties.privateIPAddress : ''
+
+//If Azure Firewall is enabled we will deploy a RouteTable to redirect Traffic to the Firewall.
+output outAzFirewallName string = parAzFirewallEnabled ? parAzFirewallName : ''
+
+output outPrivateDnsZones array = (parPrivateDnsZonesEnabled ? modPrivateDnsZones.outputs.outPrivateDnsZones : [])
+output outPrivateDnsZonesNames array = (parPrivateDnsZonesEnabled ? modPrivateDnsZones.outputs.outPrivateDnsZonesNames : [])
+
+output outDdosPlanResourceId string = resDdosProtectionPlan.id
+output outHubVirtualNetworkName string = resHubVnet.name
+output outHubVirtualNetworkId string = resHubVnet.id
diff --git a/dependencies/infra-as-code/bicep/modules/hubNetworking/media/bicepVisualizer.png b/dependencies/infra-as-code/bicep/modules/hubNetworking/media/bicepVisualizer.png new file mode 100644 index 0000000000000000000000000000000000000000..e41ce74db615d6f63cdbb00fd09ce674c1c5fb8f GIT binary patch literal 155157 zcmdpecRZHu|NgDLw?syRgiy#TqeR)8?8@FUql~6XC?na5>`_Ltl~j_wLPkY4*_+>S zq38L0e!uVQ_5J^MzdSw0bzk>&o#**}zmNBE9Ov~wPUig9O;npmB+^##3+EI_qz$V` zq}9b6*5NnfR^R^Me;chXsM(N6+ddHgk@>T1+mBzaw-uKbUH^Lx^@jZ?ckMXaNFp5| ziJv>8bSD(b`*bJ1U!*lO&5x z!f9CU7&<9saEYVKS&&Zg(xnJRT+QECgzEAAT7Q2a{@;C?3-|NStJ0%#!#_WeNW$!A z5C6xHq`VED|M}zCq5nVLY^#2_@YxAnE`zVn${!vMzcEt6_`m*BK|1{31NUsz>eZoQ z6l55n2t!JK+t{xLY0S*bkJ#28f0UAv!py?r$+r6Vqv9*_%F6y zK+}_r_(r(mgvEE>>FMc`A6Bu+$>rVFB$4TvnJ;=Alv?X9?W3ckyL;~*ekw6YGahQq zOKmh03s_6MamVtt7{xpnagUb`7nG2YP>`2@Qq@T!W$#R=W45%k9QgM7wgGW0se9d5 zF$&_Fh}qG}N!7M|=M2*Zwjlh1@xp}*a^~hqVvqJ+wq+s?Ayq9chX|TOhY#zgH7cp7 z7~l_X7R(0^p4sams;#Xp7O*r7T>@0Zos&XTu;M0$+AM7;aoE=$+b=(?KDV{Cbt7^} zr1sqNOY6z4#`@~jCmtRiRrzTmPW9>rJi4!o>dZBAwr-;i3u%M28yrOU*JT-&LF zqqS`1YX)u=wV4#Jb8t>;9?$FI6tPyN6qMZEI`L43(Kv_cJ}j= z!!vD*^KEH2qLwa&RM->vcR5gWvpYIv=6-%2xs_DrN?Xvn_Ipc9=fFTxfVPvk`!>2(lC<1NK2c4VPa(;G~p`nz+=e>+RKR!4z zGNPcS7AWRT%j#bA{PE)*&eNR%(v28u^&I=8XlrAN|M6m%g>Xuep8X}*>hA-P@Ctw)$Na7GzqDx9Me-%M_E`TMec2pcX7!_ zsE$`lviH<$Sen0X^I*@vC@L!2lx8UF!M{8fZoZe#Eq!NL;qp*YH!b{AO8EOX=FMYx zM_g3YxuM)quU)%$pS174C|>O=D;TF=`qa3+@MaK~vCqP6+hT8{VYsq^K{P!RFYiU! 
z)5CZ69=lk{WxLp*IvDptyEEQiZSug(PE_m?5YwH591ROI)D9&{P5wN zd1I>R+O=zm`@|5%$H#Noc318_$<59EWhtbLn%|f^&5t*9_VmQvzrR6QS-GcZyO0uY zKT##&MPy{gmEujv946mhU3U8A$um}~C>xiWs_^5-j~Pt;_*c$~*!+BL)C#lLZBGuL z|I*T;m193pt*YZ(Cth%Dc?`zvA1wucdq1DF5KX(Kz$#%=FW;6b=IS258b{kHlB%j| zquHCilR4Sh@yW?DJ{`Y*9}#C}W2;X{$&Y{ZXp4AtF@?@C_g^v3HxXlH_U*WI2(SDp z`~J#Mht{|v_wA+)$yyH|JTO+TC@K;mCns;pcg}fZ*~S)A6Ngh|_bin7GA3ZO+1S`v zM^uwFS>25KP4ET)ldgO28@o#*G_(!NJ4|)3PpMK$Q3d z2M1%a4~P>vSXkI?FlR^*`QWI4fRqt8>40MiHUw?1~uu%HC$Hh!di}< z{@Ej6So{M6O4bXRVpK1|1t|JlQ7OXT9hD$aI?q1L3{-d^q@q4ZpdgJho;(s|47lSK88Y|U@2 zX0TgDdUVpH_Nf2Ur`5SjF~3fCWw{R&c_u#`wCPt`ta&sS{?u@A=GOASxsC2yuKndr zig z<&@jEZ}$%fAYv9_XU$737O->?%cp5k$vpL*8d=sfIZJGIa!6H7>|TgW3}VBRZS%U( ziHUkq3auy%xcRqNXJle(x_$or_y~<&6~)ze+}%xoet0nRJJ`~;;^oViSP-1qdx&%Krq~7VB%|KuUd8b5 zsY#W;?1IHeF*QsvX&PH(+-Thz2vEE7N-wMHUaI2}Cw)ukb#!#3!%nN+Uboc;B^U+0 zN}nI3&F0Z^4Q?r)8vaF2MHP?o z`Z6YFzt*;-rPscM4V!-`MU) zqM^cEZKD%3BPP{lZutCG8vfdDjx7XI`26_-IR(Xjtxee{kkqhfx6%oIU&cbDt{uw( zmAw`D1{d-9ht)nDn3bK)Ki*UGi8#Z~ozHKt-;R_|Mf}0XXO~)%%F22P5n0CG-P}k) zdYR1tmjZ4@Kje&zVypD`F&{hjsE4zXZG3zj3HC(x7GeMj`8rH&$p%i^8O1FeXHODo zzTr!q=uqG-clG6U3gxvpB7(E7uC8i>n|(rZGI#bG5!4k*tyNBstE&|vC5cmzLPP|j zcOLkbx$y0z?^(8M8m&(jyFU1b*ppk#yfm>XcucRwpL#LC>sWob&_nqv+2PbOHCZhC zmfpJj&+4&fVs5`pZ1R2PmMtn0+1E?a zwtQ*XV%yEu7zr&NXF8DRc`76(%Q;oQt5RgUKopAT{6uDfGSb)kq9SEg)rP?V!}5?g zKAYd&0D20dqQ&A3vjBBtz#GPMQ^PdzmH<&s!^ISKrL37pSy`pM1!s)h-z?XOrH`}q zq^;SogQ_;7a^ZZ%h)|q?;Y_fUPe4j}zuUraNd4jUAs-ZF1zuw1B1fBkxWBV0%f_&V za&&R(lhD|7SGeiBTWe>^EL|d7avV&F4+9JtA8*j0dF6a;->s!E zs*E_}^z#8@ZDr*F@h=q>0pa1{txkQcd6TWzmjGS{&_ z!hC#gw8C^@ZaTX+KEdzFlY>G+LY*BQ-LF56N;=FOFXcxT&GJ}M8@WU;#)<9gcKi5ItZ~2|XqH(>NXI@$3txbE z4?R2-9UZgGxP$5A5)-A6`p~~lGD*i`SL}AFH{C#vZSFw)gUdarFnLGn(5dvDS$4|s7P-{1_sgBuV4E_ z{rq`_z|#V36choR@w;)wT`317Z@UO4M~F0=iEpg^v1*7denU6SAu(^&@9#w)J_oCX=|<6P@58PDCc9t!0}B<_yf$5lCI+w6tvEGe14pZR?a(jXyr3R4;JJ>$lHA zYVSZ@!|`|T+_~U`R*7CbEG%rM{r2{;iDpaF##H?;B_&Uaemrh8ds?DLV9y)Q&HxRp z9>p&JcGQmTt*ftp6I%n$pr%Fv04IP4w8(Ix7V8Y*JEE 
zI?B#2TUAx%Ll2C$bw9V%P{Crpm=|?phAanev3&FHb^bl^;*LJ_X~6|j$>wzJ4z&R# z#zHfW4i=g>7cyMj-bAm7d*`xkaRRM|@rDOk*PdR9)`<=s%6qOg zRPb`9iK@hryXenSk#2`f8EiSVI2#YwPac!|{ z&~oZ{a()ab{!MIEak1#+cN=eF7HMgdg%*ar5v2q^eafa49~2Z6Ex)`w7GZ9%y z6+NPi;>S|*QJo$LNI^nF7r;9`^QU=$2QyT^`dOPh=t{7{tH$QrOR=we@L)8O;H~eW9 z&K9u~G{ZeXH0_V1!UeS~^QWT;LWUH=b3`^Q5&1nKJ3Cu)ayKATcefEBO1k5se&lAm zW_?N@dezcPftshAH7hJi10s`Sd){~??5S0?9(`=Kbs&79_gc~Gq}IgZifyX)@(nyY zzlI5DIDEhA?lRll77yT0Mn?9~%ZpgEH9fUpt(3I2TjOSPF|p$bI`a~!TCv)Wo#aG% z2V(4(yVqz|-KXg%Y-O3oEScj(xR6?8bn6bD^kd9)G;Ue5gO*`>&4s}*pYZTs zF&-(AodflyURv9?r6#z>4ulAOL>oaYY$`6J$H4M-Jud@HkO>A_7hZU3wafOVYd=r&R5$(9wiX>T*dk!3r+}$oJHRp?#C5Z3yors75C)qV zplSW!`}glk$l_B|*OXOMBzyq;4}(wx-z4ipute^(P8Zk<=2CzD`o$pbI^U<$+1neB znUO>Hj%iWU(~G*It4mHtm$LJ)*imL?36vHlCZ-^6^B`ogxW+WYJ_Mu^=%nC`_3PKO zaBwKxy?fWkD{TC~R^60g zdJ+et1&RkZ5qaKQMM~-sI#jTpDf6?Frl5fyBJu(P0>A&JmfYNv*P6D7dZqO?H!M6)uUM=ZG>?%EK7wAMz5SATOSba-%($YG zk{^8!Qkg24D}v5KEQ(iq(VU_e2U-W$R+p+@I_B*;T!gnmYn=0+3IzlKYconio$Q({dl6kG4jmqb;jS{UiFDW zr)vae*oPjiJdqKbUR}Peps2_oPN9A6IWTUA6>qxZr~&G1&#ldDk8^Tzz^QfOm(H{H zU;&vyd(}is`{E-3js2fJJBprC%c$WB&iXwEJePc@(z+oU!BAMLkL+lcO!D|>eD zuF;=ntl7yJy+G&pINk@Gd>Q^h*d51oTH=T5`tCL zb`-_;L4wZNE|WQJ;y$#lb63lPd1S*~X5!egyAKJB*DCr%b%ncXD@IFI#e}=W5C8fk z$?qgrb>(%)@pA>Jw*=oR{p|P|pFKcFrv~4Opn0qdUl?O#IC2DlSN8Jd%S|~BDWLGi z1~S{itod)^6n!7}Tbg|-`15{q2I>K;=3BY#LUXTX#`|JKJ@%H^Ca(TDfXdzAn9GbYct3(ulze)O zZ+`dnb=foHjlV_&PAliNJ28-Vl=k$`SxiPbm+(__=8H7X0Z7-kIJ6}pu@aX{6j2`^ zpFMz;0D~2qwrr{OVUY9#{{)&5OhbI}1YnD_;+nbNJOx#Y^975lIyZ*zqQOZwsygJk z@5I@H#rYuyn$RY_su!X-qmZ!x0^jL(pkYU6Cj;;;^3-Rbbl~zRsUyVoa~W4hMUSWC zj!2;GJx|n0EMVJ4{eYed*M&4(44Q`s+`0(J+bRIP1cZVPF+)eBo<#`F{n(Bf3cD`D z9V{If7&z11wh;YV_fs!A6-$$|Q_~f$t$t7xE-WeSs!38 zS_W&5fr+Kk&zrInVjDDYP=H( z6?D8xeIuLgVq?2&`!YpzMe-E9sHyaRt|s(R8=*M~8d^dV^M>w{V6UFUw$jaQwgBd|NNE}iq3yhp*8F+qU|3_g5w}Xyp##1x>OM+5K3P6=9ghVkMrt=dM*;9S?$L|hH28?G=F&b zT-94T%(9Yh%ab|XPIhtrm(B~foc`qgp8K5P$zJY7-xt%L78F_gNWo?GKi`Ch>(tzI z6bGM)FOUL{YkHIbG3iUp1e;Pq0|S{niVs1;1E&)Dc-4X>hCPM`2ED2UGyYGH 
zsl70*D6Q|dt{y>N(yy;-s;dWi zQS-eB6^V?pFcMG@^2Xq>?RZ~7 z%;MsOzf>y37SOD1S|iuL-6xe*)LQ;ZoS)E^ImsbB`ee1&B0(fq&W4zrbMs|AwHc)! z%0xX9FPnHau$A(~i?LW@C%L$c%0u{kq6p=ux=Lswe{tbDk?VWg3JU0r0XhgBhtRaH z{yYa{(PJny8%S?F)?F1OaQzLfW5-T#2i<^WM0bj)fbbEG^hmVrMExa_aPh~Fz0cig zt5Mk0YkL4vm=vRlv}Yr+ndACjF8~4}OyGLD!;m(rkTEg@@$PloX^)8`Tpy#WE52gf zln-fzAOOB+*%0CoaE%f8Fe1qLyB?g2F{0+Zs1cGZag<3}O9b*s95ajjocH<+e%48& z-NK9yyuBMj_-yu&lQW2C{|++Mdwr1*>gLB&T$M4WGh;n9KfV)5g+kNnCd4<}Kka9L zh%KPIlKge->4fmTWtMCK$}0wE#@)gBWS_ zdayo8!|oG}!%?uosOa+Hg3e=QJZW;p>gFbX|9ppf<6#* zz{!BQ*5?iebY%v=-PzT}0xBI)ju40et;PZh=0s7-2*}MK&Z3%J`$E)1NnZXrF-=$~ z1T#cHk^L5L&m8d;M{7*vLu6Lqu4uz>XBA}M?E+(uArP>#v$HcWGV%x*f~n{GVP+h1 zN`~E%{Fe3Wtn5G~T`uqAG7H`UR zOaoGXP840AbjXTI57#3WTA^dvlGsx2xZEfkpSYoCBdZ-AT^i$OS6(i2a*a{K z&>pk#BP}!4as#D*j8(_B@_dg#`$6;!G;DoRRAg*9{TvJo4A8n$ie~#tqGiKdxr7Ld zLw0LNiEqaBNejR?haQ)+A|hzhk^pA7!Kefso~cXxJsM26NOJ98ogddY5M42sRBvpW z!yPbh+dO!@XOLpOX`lDPfb&t_^+%+GqR3fP_G#U_ywc{@BpXg_R|uzQdn(z@go^yF z^M@^L5P>uI?r^b|^V`Y=n^H4BZH{yBxhfZ3AXMF2ec5e#w5#tfg?9JI{G(;PsH_@u+2 zCMqr@Plc^pw}OOIwX%9e(5ab=gAg_86Y(_w1ZPqQ_*(dgxs`y?mVB-aK7m9X81>5lD@g~ zXC6L{@wHqzKa3pi3Rmda%ZEnMXyX}fM z@<^S0G!!%;4!tq@WnDvNqt*5N1K$U^;ApYy^j9^3uLA&msLCW%hPaN0-rnfk0tBbp zSA(wiL|+1J&1ooaGX3f=v9b_8Mdz8ZD#BDj5X%~Mz_sY7?_(scw#zPeEOREq()sqc%hp1Sm z1q2AK34|u%fe9@i$d!??F*7R4LhycVZ3R8YT#@qLzdws!JJFc7?7?nEW*i11Na!|b zRZQCn=S_FL7hRN)@6Gr8+2QrGYn+%U#OKQt{M1sPMd^tz96U2Jk`bHwR;rF%ImUw+ zV6Yn(DvZ}WR^M9VIA`Y4B|Ax@V_@?7h0NT?8N~lxhVbG@D<=ACeXsbZlE@+R&PHY0ZNyK*Gd>l z|CjRe`qsSb<8WAL`=sBPwuY-I(s?a0Y!w^&v{>cva0!7W6t%rEWC%Lo|1(8_wGq(RdFacB@hFNMAJa zUXa8-EXCN`Sz8idCkGz3W*jw8*oTmz#C-_m>7;2rS4%i}ee~0Nn=`e$khdPwBL@>@ z(NKkmt;%14{8NG`lgcK&?dnrtCU-#vYY?gn{zZLngdZ4KMh z*QT0Lm%+?>)F-maMaE?LvJ9g?ajlx;Ie5;cHD>nX(6NdIOOcGS#P7Q%Ia_J*3Brul z{0!&QDkd3cceg(pm9?M$?zy8KRS~WIQBF=pL@4VZ!Z94=h_a%hO?mH`pr-FCMROH4rngJ7xL6DNNp{8eG1!47tazXBt0nUS2A?Wz!TM+vy zW(u7Fe}L_Xut$TwOxQv~ZNLo?3#PsM-ISu#d|kRsnm%J*i&x@q4p~dWLcn7|2$P4Q z9j#rzz7!&a`*yneh%>k0_lu-CWlxY&AXk)NUvioHu^zC51%MjNJec2}xD&b`3EBm% 
z%;Tcrn!tvgJ9na|G^%-1bZ=`7L~8%Xk0Ve@Cn!8dZ?u zWpYzImGaY$-dguT4R{$I5&8k{8j$y{yE_Z=6oL@Y8{z`N{AofuZb)&RH$~Adf$0bis9I2=`kBqRkpnO`U_MNN zP_6Ckl)>u3NfkU{gDTMr!LA0A$OXd}QSY&aJSf;z&`~pA#_^i)kM@~sB8427>K=l_l^qd8&K@!_wSlzft=@s zW*aN$#nJy0vkN|s2%>@J%mjea22C4J6k^-o`jAcZAIY;cnzaHvx)O zRrBgyw%k8w&A-2ur=+9|otRrHNLJBCOWCN>hBuUvcFr<^DWYcoY8fGVVO`xwqIH5e zb@b4ovpxhVXx_{XS*;h|nJ-_zDnYnL3=#AZ%nL80qnU9S);jJ+0kR2jt86wMMjVMe-4@koE=g$vU94+7NE~Nf^l0qlaJfTgc#rR%}C3{Yi%FChr z=#b#91eeK)ZRQ$EN>S#`Z+Z|UAg%o1JOo|Yd3r)SAteRPbR>bIpiJXZyFtD|>GC5Q zw;w+aif`Ju@d=U+h&2FHVBVT5Likveny2(AFCxe%=*9@FOX&Iu$=MP&Z{DQh(7O*T zWQP$IKfiwioPp7p24y9s&sbE(#>T151I)-nF#JGc1HnbFZ)nH@&nz*G(3E08iiQs; zF6GEVHC>aX^({~u=T(xKpR!tHrnJ^%{`YNC`e9i@GPz*EDM>BucU0d~=<*DQY_3pl$3E`iqWZF;CFJX?Xe|DK>!3?R~18m=8N=n zE^vOytGDm#3hvD{8@MrGDdD*&Q8T3dB47S?XK&MR%3A92@zjBqI3GhgzqII?M<&Av zcr&v^w5W*~OJvN9w~JHnW(ed*FbQ=g%5WV+z(tP(4iBUI9NiP7UQA^vE&vKHCV#~; z@!`Sl@yUWktu(_5i)l?IRnt#iG}#?KlC=e{u7uA5i9{Kx5TS`)>E!hZGnCdZWo6Px z3aoD|&CL8-ECN7*pe(@}hAhRv!@~o{UIyW5IF`FKqLpg@EL?Btt(CMfbY%s~6HFGT zqy{XQW8>qiA<46g!{cPifAOvTfI51x9&n+`uv`Kc(IbVUd16_16H2c?h>4I!W-%G> ztwUtifUZRg9gk#Az#0q&vF@;tu&OhVe6|T*45?t=wh&t}s2wHvD>3^|>v?jjUG;)4BQiV6n7|nHHghNgQn-a2*zw5$JU3 zA#b9`0?mi2MdTFtAYpZ-2T=&IcOIkZkJL%ugMQnOo`IhJ^AFw`?@#CznZ;qks(;F= z0Rwk^?b}}i1FQgqKrly-^>>e^0)pe#316#BjAEP1Y!Z=*(CT5elr%SM0A}LtDv&|! 
z`@cQ!sfh_6wpk)ag$*N?{MN$W@+t#P>6GnyL2aEzx{ZO>5^wH#RV1pYt2fyS@bIYm z_<{ZshbajT)yp;WC_xY$7j zx9YY`wu^}TO=cmDq~7hV-G1}U0~32wCeb)V_o0eQH*j)r&}YmqT#%Ku%x;~_Qvt|% zzYtWQ<0VT6!t;B2Vq#+d9dncsjqh(7&3tOd!V;5`VEX;-h`XbLnwOkE)61QN6jvg?~JM#eiV95hrGjTvx&k0SJG9Sx)a<`XBXx|cLTQrByXQE9|*0Hk`p zgtakP-q8OomMrYYg|%+0-8Hl_5Oh;aNIBNsXV}#XE-mx!)5K+C4WbLdgv0hmhS|-@bOu(;a8egEhA9jih6S@GRRv*qK7vmp0J-TIXZ0*BbW)v z3F11muZqu0Yhme%NLIT-xla;%D(J-t<{=@3P%r>8K;b`u4+6wL%#EEy_C@fX>Qiq% z>oQq3iR^-KMg>4=`ps#wsynfPk?>TmaDV6Fvb^Afw4Osx$Ge{(J$t4L8@qcO4F5-F z-$DJbu%R(hH?} zQEJ_LjyV90u;lX#2%u0LB$j5O4q6aCM64}%iH&V3@4@atv{oHR zBg7v-FcF3S|8Wt*OP_(-y_NR##pL8u_p=i}pBr@E93cmt*k2p^1arcY=nD^e1{6?1Z?^>DYN4#dVD<)hw~q?MzB;1>(f zdrSBl(Vd#0<6)HsW0b3NKpgTglv4%NFX+3TY)hs!E3cI;D9s?cssO_h4vO46ilv0s zW@LEyME0?Lgoa7@_aU=!aBw^un%jp@$CV$2WCp7znv(mdpI?7_Z6$SM$-(clmm;k( z5vE2U6?^&dZe}1bff`I{$+ot8f=G_gGB{fo z9eNXuqd(ijKeX8@1_YI}z6r)^7R3dYyH%QtiWpHpo>HH8BD_@GES z+_y2Vzwgb@5gzpdq=kN7rKbJ9Gvkx5_J<(i+l8gVByx~wY zhZad(!Ni0a>CbiB2%}8M(S*8qgfJ07XebA3=gQ9sP8&x4kJ1R`$^=`OAnoB=fop*t zf5$lhyUAK*M{UJ15!hURYQl1_o`3f`S5pAFzRfa%Ez>FRx5&;U!r8a2U~O zLtz<%eGs-A|kA#>WLr9LuWPj(uY3Is1;$4q+0NvF|r!gaaJ-u#- z-`>dLk5<;v*x8jJt1SNLO~;P00pKEZRoE|1{tW|c8SSQQj2#N&|^=}Xh?_L>HqxEo)z_L!j za#(I=78`ShrjEvsd;bb&Z5#_Dk?m3^ZOl7nM0yf`e*^PFw|3FF2S*Pm-!(lWzf<(w z88Z2l7neketyvFf%Q*?Jc~ZIC$>~B$&g|^rR4U_*>$qEY@|wWh$44+5LX9 zEcjCw#Ou)Eu>b3eMe>H{-+@*2b8{mls<6Nvas|mOcX44>PfzddzXP#J7rET_E&s-) z+l~7U>|cmjL_NQ1$9#z5s~I;w-nb@uD>}f#M~>Xn{p5vVd{Qa_w-safd= zcxhH~9aU=9SiFYT@*ne5_0L$bX`o*#GRfFQO)VuQwFQoit9BAA z(|L#@bQ9U~kancP=J*h&)6R36!`8$(bW?S;d;iXRvE1Lu)Z|8{z+^&3eT1s{+N_ZS z0sJ3Jj^X85((=S+9RnS*H=*teDEny$WxUua`R_bk-S~IbFZkELy{d~L#AXr*;Wt6s z9r&i@S#g&x=| z_9WCjY_aIVGN$L|uCHT41T4Lj)c*#@6Nv&2>=#c_LXxa%IU!N&GYHN>tc=ghSQen3aIEoWiCD-m5?F{2N4Z3jc(< z|5@w>#m$46e}yuHwbu1-q{q|$9rpW@*qC}HLmjLJR{cG&M_K=j`V(g9zxVue7n)Xl zGIn4zzSdojd+F%v%K3MBGt2%x(pns}CQb-L)5i7NX*;0!9%5i9t~35SLYmzFTw}nU zcbDGT&fEO;0u&;eGt{wb@FxsZ?4a@f9fgk6$iLH?)eUFDEhHx+u2k^a_JiMh{=G9c 
zjeo}9j^dWP0pf9Aak9FTV2bhZPXCb8kb+qW4c2^{@W?uo2k5 zF~gLCQ8w&!UpB?;l+ul2)j1D}|1}Z$%V4X}=dv<}g9mTIo~0Ud*#AzI(TCDf4>+{I zGSU8b#%E>_!8Wy`I`O5od!e)bxyX8KK9!M?DHm<=es?KCI+%OSx^>pwmCrr0+2fj! zZOY+|xgaHFi>x(50TKMLfIuj~wQ9_AOj(O^X7iIRh3ykXz|uJ7guTFO_IAt)CD>2e zz;`ZdB~tGDMX$_g92c?){7^+dDhu_kEg&o_rD(U*8UH;{Nn&MApGXv;9}^`h9NFf6 z8KnJI3iE--sy>l{QHt~FPlY)}c z9ni$cM-&|Uwg{KpPVetG1KRT7jGvJ@vKw3b-)3c9=F)CF>9@_j$nlX@+*bomKv)zx zOl?G1A3pvT#<#h7zen*Zt72E3>}n{cXyD*;f&8JeXY=r%>-TLuLG9OrOow-F-8gfV+x%Xo|Xk z_=}2)dK?(|0IW%ZqBT=ai;JjG;>mqmc&WF6FWb0fO9#}qc1Z5YG6`RBo)=&bqhexw z!@|6(jB;OC_9l;wZZ0e<+vr+r5ByfGg)92$q0t|2KK_BNRsu93Y{L z4YuUiX_pwo#Sp8SLW>K;tr**eSmQYW5Rb?}z-G*r8p~wNosa@hi(9cuxdMnM?+x@z)KuVK>02b`g=9 z6+};3e1C?%72)NtiIV}OILWEW)Fr5P0fJ{g_aDV}gec&RWEqh!g+&$N9|dN1?31q` z0Lo|m0|ySc!J~+NODpuDk~QAUWm5aO&RFv*QQ_cuPpEk;!N$nwjvZ+~`}+ENmE!$^ zPMYq5U!AYLGZ#4GwR%#rOyn2&oB}^ld^}oyH8DAiW)m<34O*8Z(dGV#=JE*86u(vEh@d@(*Sdz?-bne-+=NxoUTsHFo z78VcK8&qTDU+&woE?zYy`Rsls-_-QkV0L-7Lx&V@E@u{uOZ*1+qMMD0k}i(V$_&Vx zE(AI{Ic4*&J84n>)@zE`9H}h@Ojzubwnz z+TK#2<23X2Wg^Zg7C9sN)E%O;Ri}ahb2^idR#DXHa-NfJgX-tb#UF4lI&<~vYvKam z|FF80*{l^R=6@xvQ8VBNW_nsAwmf1jzFvz(}*;NklV-=0XG(`{X@G5!Wzf%lCl zq!-mZy17gg0zF7FS0{&m#cT6$_Rm`yS&IlAYZatms;R~8ZXNO`8cGoA43q9oUiS zCve25XPCg^xjL;;3W?H23p*ApvO4#A(Fu9IyL6QN)0Nkia56)h6+tG3NPh9yUR)@j zZTAk~R_C~J_brrX#l+U>xX#ef9c3*Al zTF0)fL}oj5XhfB2r|`LsO@4i<0b?fS7gFl)UCET>oO^x${sqxebDFZIsB;`PHq2ZW zSFi5OnH)NNB#O*lx6w2PTb#ebuJp;F&G{3y(_e$va2lQ9)cj;yprA89@|7XXcOO1{ zcxBTigY7S0Kz!gaMC`Bzq4?Z}y!8ssa5#sE+>5j_)?4R+5gdW*dlcvK2@EU&zQ0j^ z$PL{gyybK5$ZM?-z(5Us@?%omuyw0G$R&&cn5*5SM`DNJrrbWzl<^CNxbTOS-$O9b z59{s9Pz4Y@~_o+SE z6YkyGmD6I~cI&;a(-jZDUtf9POI_eY&EXsIbrB7>T;-FvRR2Z+9;)8}a@*;O*TN@O72KaN!xYPUBWP zUTO@M)zqKMkW|kB#GKh|#8x>|<(^8CDP zq0o*`A1E$QyB<%xX#XH>&rTj$_NHyw?qV&o?KGMSB(((PQ&$RRZ<*6Atk=L}mN@qy z7x8ftCFFC@*`f$_)>!TR{oK4R8+Li0F`$}D3W&f6CN!STU2Yrnf>mD8^I@Sz0NE#MzGlDps$W*uKZVD013+mKSQz>gs6f|KhK z8t(7dGc+|bLo_LY3h7Ct+ zTmW7x-U2$)q&4<`kGX$8M8wLDS~g#vW2>;5#p~0~mn!#ddGP7d>^+aLu={R}KV?EE 
zLc5R8otZNg^>eCVjN-4)8H~K#uz$+2RchCjOvMnLH$72ADq84cF&Dg=}p!)jp;&O&KHmV;a{B5 zA4dx2z{6Sy{sO=W^z9ayKn&UoZ{}jpLT!>p!2SC^>pEewJAPxz3RL|&Y*MJ8oP^Si zg>r>Ec;mKhzp;W0ux;12xAp-#swYpMis4Z{YUxHhi6HE6^o7&2GDSxSt^McnayIgc zA69>AWQCp}9=`^1I$|#>+mwT#RXYj2RtGl2{6Z$~z;iPws3p&JSagKR}5R!$WjCD_h<8mtBbmowN5kFk8rM0zI{;l;DI%Q+EzWI zER4vL#50#rDbB&ukx;{zfN$lLls@3W2`VOzXvL53+hW%Irc5;OfhIM~69AP@u%plS z>C@jn)aYl=!X4E3#(X~>Xk{(F&3b3x*AB;-S9}%1p1&B4y1PW&yoZbv8qK&TsAbz5 zqPS$#b6NBnFlt4^pFZ<}FTmc_Q0xs2gGD11JSsGxKVxHhaPdUFd^rrBVAW$kzYo|W zhu_k3a_)9RlcWO34UP@YI7UH1S~plDTU}<&A)Hj8F@U>idrwc#hvMQVK|vA*21kfq z9_UZ%+3}m8#H&*EB~=nHzJsn#^w+pQ>xtgBY&*EP`4V*sXd|mW!zWw_pCTM_op^Y_ z>PwS@Es5HBLD0N>LPEa6H7?XOl#9^tq7`^pW^kB~FA)3;DXsAa&N~t4T+zzK7@zM~xG&Pqb8J_u> zys*H4x6C5{_K}9kqOzI#w(0ciht*el?im5#B%t-OzC$qXCcc+CGI% z>|}3$+}qz>{cpz7 z(-?41Z7LF}6?}mK>h+nHI*@&2XLk`8=?WK>mi7j@I&W9iP@TI6JwF@Ohd<6pxpI`P zSz6KM;^q;PH;1hHetLwoG_q=C`=P5}^*Ai79MOv2Bcal{HeT5SW$YP1&a3yE$Sm^4 zRbU@lCp0o|0Fg51}tA+squhfz%F~$1<(~Py}_yPkrJGOG?PqW@6uSZC^+T zwKh-$$#7>O6Jf^~b-MNi`L%b>5!O=DhmRk3?cc9qk_TDi6&^~`)dy$%DOc@R?G&uGg6xj80SWOgbE=(F z>mr{-J6lBl`ut#D8AZLG#c?WQo(^sGR(lGeypdzq7afe7q_Ow?;;Tz!fVAt{T^DER z5CjG6N9*CzFGdAX+F(T%KQipf^m9@9OvVwtllfuo<0-nY$e$Vq=Qf!$Z7`QAeDjim zFDDHSDk?k%;t|cMi5CMf3(_J>DH$Cs#Ks3PbTV!}*FQk%^YOL$J+uQ4URy%~@VRj} z(|=*N^88dmZJUtn8=8j=@4{b4eF`vk&M9{Ppe?&I*M;_J`a|>er|IDNfm{6onrPA# zwzn--UASvlgM3_FQ-fuGfSLIrtOw_mKTt*1=|!g{^`Qyu6~{zI_Hz{`6EiM(df7>w;Qa_zB&0 zfT729@s!MMV%9pi#8v5pG0pLde)$}EXsc0gQ9+y zCuzr6IXHY^$oHLWa}9?_EZer{Jz~AwNf)T(yx`m)k?$?+=3y~Y)6=hQdlZQEAJNfv z8=CTN8k(}VSAXq0ab*n@2)OP{;ZAtFA4QQ?GU8JsMcO)UOwHjEez<6cx0Po{^E!c znlAtz2m7(3M~_|ts0PX68x-^f1~TV*a}f~{^yM+HURClng(}h5^T;Zk@;Z1po^E5F z;bR@v-nsphkD_d8WiMY^Q_>*w;&^OpvFun%4$nT+%G0A?ISIyQ*RHbxY+7G(=K&x9 z>Ssj1{*lFs|BX%Dt0bBZZQitr0A6|5CqK5dgktOQuf*n=>FJ$xbVJmk!wT`Qc9OB# zGkC0sKRRy{BaUuMr!G|v4*#g>=iD^w^|axV!>HSfL)3+Fi@XIxeAKSTW^`{h(uiE6 zzo(^98Y<~cEAWiVco+5@^?%Ru#ct`l*hK>Rt{6Vnz~h%!p;0XMpwQ)_5|@(F!_$Wh 
zJt?TEzha}BBlZF|W?Irgb&dqL_fj$dDLIh$>LEhEKuZQaWEA^%PG#EJ*c4f0>K@f*62lpJ?(7pvWi-k~LM#73Qcr|gfx*nww9AnKd`AmgUOvAu4~KDU?{#?2ILdKmRb z`+2+|*<5~o@fuN7#%g3`OUFU~5RY>!pQ<=Lx<&5)ko6wmT(|EV@Ye{H8AUcN4O{lg zZV4$3tEe>W$etOMP)IVPLBmK{naOGxMY6IIksTr9J@20X?>OG$eLH%d<9QO_@Av-P z_jR4ud7amJOZ{p^V=z2FUyjsf8PuroK0u#Z`14Ub7%#x8!I$PKoQIF7EsMJx$_i+# z-rQ**)hx$MU!D45Mqcj6xzpL4{St+@y3)7Nouu;bxMP_eQ?}rNN)QaGAz;6`*Q7S2 z!atkR=s}7VIuA}EbVx%g4E=Fn)#+1kOnP~-H5}&$Q@q`jEhWQ;n3hKS`zs-5x$*k7 z659KguzCm+P$L_R)L&CDYy>u}-Y;Hqwd%AGx)X3iO1LstfRq$DG2w7dQXjYkv_8QO z$X{?9s6k!TfQ2Oshrz4ucqeeNy^Zj1lx40$M%OTVY;wVE1R!f740o=v+p5y`52N%qqL{;%wZ z?+<4}X%ieSv}U2%hjh8qy`SKvAL z^{vKy?GCk-MQPwtS&Sz3V&)H$ZaR=uNxsYO#4-xw0>_c0NGB7TF65XyAZ^Vj&Kb6m zHP}&|B|Bk$V)k|71u818u=O41GLOD@b-UWS&G%==X5VSYxV)cTujOz=AEl>5R&EHr-&)xY5>>fOfw#g zY(Umy_;8F#?9LOnMT>WHlvOS9w;M+?ZgVm#1;3HXi~FAV)^ca{smq&2p72O=aI$7E zZDO3A>i!H1JjE81JItGzr5n)^+Rp zyvDKNR4<03MkbG)Bpo#E2mr#F&>Z>l9P~cv;y?y?b=BGpjYTdO$xuBnGkr~jz&Q-- z68xW?ErI{4M5#0yc2PEdyO>zDr9{t6!$Uah{rU6vK*UBQckXQKCA+3j@3<4bQ!jk;F?2E z`y-5a3*m1@HY2b$S@D78ODosb?1Zr4*1PRHCwBDROZGm-P4P_B`Fi7e!Yay^mA`31 zPabsC38=;H+D&ooRzJXbH>$~olvta$Y{{{#p#J98&qS;bQ4myPWJ}$_K>~GAAG~TF z8m8$`?jG0*&G-TA8me?0{Jne6{oFlGk1!13#CzpvfZTpIn z3Pa>#@XS>q|6ot0rlk16IXMoeHc@g6e|R$_gkJQ-OOk#skAF)<^pv(NCvBNHv~)JE zrNW3yE#`%_j~?9s_tl5!S5RQ(DeX343G&Sijgv&C3zX+4^B;lkVdR!!z`QK69U|hq z#j{(CS=;Y^zqn1&!m}o8i^vbPGwokg+*w*ol=pseVX>NK7J6EDQ2xUht^Enw@Tr*- za@;rZ!<`X%;99^5p=H5nUI(NP-;uEU;8d21b5!5og5JhS`;r!g-&UxyeqwLR#@{4B z4DER!*eZl@5`%#3iZKw2`SD<6iFiCfa{e$iQchw#Qe6QCnC4O4*56CRE+egTM4T-I zAHWOn45leSw~;axKe_?nt^nq54$jVLSV6pc4EjGwZhfoqg4*bs9?QG5kx*3_1xc~% zDykO_h0TjU{PBQ=Yatb?L-Xq{fH%J0Q#hE^kI2~re~Tx^m7R4}rzpZ<1`Q0Vbn>U@ z#Rcp;Rg`N#eh}U?v)MIXCm4Hbf6Z|>@8NI5)@y>Jr9N!&u~w7WvGM4aQ&PPXQ&kTB z3J7kXeKyM2u;NLkz(^T8n}YcD19%N)7(YAm#o-)9kHK@aLZo~a-B7$EHl|@UJ7G8g z2Tusws}Wzhjz!)gS^v~2I7IB&kSAPCa3vgg-Ff-pf?At1$bO0Pc+sX>z?N`_9SQIx?uxEGy z_7(*%SvC0I4S=1%;|84@ho^)hkp`ltfW1*$CxIi_*x4&lG`Jy9Z^Q}#v_X$Ws7Uya z@4*&~Q@UaoY*|e)xO~S;EkbV%e;A|^_?cvyP=YUybnl1~` 
ztwKY)QO!pg1>COVFRsE0rt$R^drW^JkvI>bbUyya8&hbo;hCJCWnf;j<}~~#5j?OB zk3C^>fI1W7!q*WV2u5;39G!+urX#-N+_^}YtbK4Vt*)s->a0W5$DrM5K>lL*9Rf^$ zM%Ey2R!@%s!M_jm>LUaL!jHS`72Q?KMKhr&$es`BXgeXmwN?wYP#EEgT8 zMDn%qg)|+Qa*0}fTzc)FW}1QeDr>1pJcQdwy>M_ObuAn*eq=mO>O<-#(f*lf;cXO( ziC@OlKo~+qNBR*+a3AjNzCmDMISq>hrhi>#Mv^%d}y^1E{ zJHV<0i)e)V_h6OgVbxg$gRx2=eipxvXRYAhRzDvL*H)b(*HMr9CA>Gq!ClL6=^!!9 z|Mrd&lo_AF=n#Qdg(WGvA;i;9QeIt-lO7rtwpmH(Z!ybSsMQYQ^b(Y!p7E{jF-`!8 z%M%4V+sOMUl#C2mW!`zG}W7Xi8*@_87 z09bG%^iYxP2%r!zo}e~xy3{`E3jWp&gNW|nH610;dI2;*_tBJT zrbM2B$uxwECA=V$yyVT~cdw<>bwIQ$R&zG+_y$ID)(y=xW{Kk2VH8M8#{Wq&^U+*2! zDs6icWc&*)7-$zX+}z|bgT}}s`$3`8!N_P`*~+pKISD9EPuJbvqP{o24z`0epdjwb z+4BRF41j~|1y%VNxsg;Qppzjf`uXKK4`f9@P|_)nTt1HkvU%G!c6N4}a&UF~poE;9 zoh5|;%8fgqoWUTiW?(2tY1o&^JHPwht!CRD%u%a&nZ1}7BYK#!Vs{36PMHU^e%$iv zv*uT2n%bgaov=LN#VcN6_X~ct>b>r&M}H1-zXw=T5bbv^NN)%402+MPiI<@y#Q??_ zK@yO5#&^scwRx96#AW1j8bE(N?27hp1br) z?&v{RIdT0wzJ+sa>ONbAMl5!kMEF=4@>lTu2&~-WTFKAh8FIVRc1Mek*M|KU=5^?5 z-@Su2E(lh$YzPFS4m|=5{qcW_tYDfAXJtprvbJVQ=m7b0H9gGKgrcz(8Qy2b$c3 zwD}|`9*c`V>q^wUe@}8OP+%yymTcrO44EO=e7|=wlWLzLU6IEkOD5opJW*^n$6sG1f&IRFsUe|bjvFZ+ zig22J!5ih`^abdlg#L*vjVy2BRN9TvlY&QEj8d$Ry?fj@WcZaC}Zr3@{} z;1c6omo*w$!WkoJ^}>{KO`g^5zpGbOP3d)NzY;hX*}NoqiQmUsws3Vw-OZGPH^fBD zaXv7ZIDmvH_G%ILIc!!|PQZuB!MLQ)!q07ZZs?Vh+MuAmlU#ZyG}Z;Vum2MXuZ{1&cUbQY`$Pr(Mi6i+9=|D; z&_Z;=L>9&CB$*)nIw(kOIWapB`dIE--sxd}C5^Nby#wvb>c7S>?Q-2jBYjtNMLrpt zw@b1-==oaV7(e{hfzU?^9l|J+Lh_puI?YVnGCe>}@Yk2bjSay}JUZw*C#KOraOF>K zDSGL=65ZE#8qW1ZZitYWhVu#8j*ao|?fC)2hMTX%nHtfS3#4tc^O+7f?Y?zUXXqZM z-tesbuMPH6_hu_k$tZYA$6~-q3N9#OyG!WGQF9<4iJ>>YO-3df89Wy{6l5*`+W`fL z`necVClVA8$d#xI{BE1qJicy4a`pW9XR4UNKQq5Ki-?4xJHg7u<<|Ze+E5J9-dN4P zHQGbZ{lbIDGFXWHARrx)^MOg0Ij^eMUHB!vk~63K)DhvJPjC6I;X(V8pT|D+iHRIF z_~2V^xmoE2k1UJty4Py@Ge;UM3;k|Up{32NF zv8$lI3WZ@-&&bGo(xwJjCargTflxc>^hv`j4qNTYp0aIzkO2~M2%UX}(GtXKpld>7 z?%liBQ4FbbX`@vMEQd)Hg&}!3C@7+3K!?S-qVR~!e}O^RwdA1bG<|mbE-qeIWv6h` zzc^82{l2EanLT{OuB!J(MRM2j{s_9Bxr_elhCs=8EseiGlyLDj*vDe1PGuYNeu;I9}04S 
z3TX^)8vTXs#x}$mFo{lRa)8kJ?v({?4u;!sp~5Bz(OZpFZ1kB{b|bE#a)xPpsqaxs@=pjjtzgKU!40$-nGkl#@txlbqaa+I} zC`6r_P;-{BPe{H5P$3_7}?jy7UOOv?Xo@aXl;uaKG=Wv=( zp+(|I5JC@{p=!{WZwMy=9Xesn2>eGJv<}5`GYT1Zv>`x?`LN>$BLsvLpb}^nJW8 z3c>MbC57bHCSnu@Q`m#(8bd$33vELLuqIgJ!-)0hg(Wa#Xs+_4_^R#=NQ{9N zT=#V3*)$P5t)}c#nkXLh_U(h@3FKADXO9!h?5N-n2hamt8_m%S#V{KW&y6M<+>x+# z^XAQ<15aFdjl2ScxL03aRrD;>7#S92s=&nXR)QR;-bmX{SlA>_jen?Pbjx9y==u9T zb+W#T#;2+%aNb*mcxH(XD=Cvf50HXR3d{onXGq(nv#6+^9m@%TiWYI92J`2RVDKSE z$3qzY@_auSX?U$~24e58iExG}6W$;{TeAdkIIW2)1j&IQM*Of`bS?qj0st;i_MoTf z1RV@KncB*H)u8n6gt&>3S3VM(Ur9hU)1oX1bLZ2p+?*Kp34)??s6$3S|S)fkCIKgNF~UUJwFKY&>aiuQrjwB7~cs)w4HpFmz?Hu~04<4^f>kByzh@^ju28(n$-;Jgxcbq;zPHawBvMcJ( zx}viiGMZS7e(`CXjf$tBt_XCx$w-+1eKUz}umqS6!cPE|x)CyaIOFjgt_s+`V+Zc@ zx{E?#5~oE;NzDs>Xt1!3MN%fp1n6$$$VCT;*YhYw$)+aE8bm3|Rzm71$=p#}x`T9t zJq{QAt^^2#g^+}%=gHH|(@2>Bbwo{z0tVA{ilX{ZG2yTe;H3w_1l`B3B!Cl(g2I)w zP{19#?F6*iKeC#}Y=D!8;&u zL#c3(@K!i$pcu$T!8DU|C6ioaR8%DiXE@JjN^Qm{09Xpp`WscfF!@K6vy<%IUiv<`Kw12b^)aNRB~0@O!*F z8M^<$1;REFRtZH5X~W_@L`6kuqIoRu`in~d5O3A;O=CtfXHZ?v!Ilv~m=5ft`q$=} z_VTYg4prKS_dWS|sQ;Gp;_sNStxh4T0VQ_Lah`FDwofR31k~PmSLSmjyoUU6_vY|k zak+QQA^k5~&$a&;e_x;X(IQdwOI%-qXqj}CT5F!~P2W=abM3R^3Z}IN8YufwupJo+ zOnYyJNC$AMG{|~b`_)N@;t}@xR`U=!Y`-rG{oG-!KDKOyb&*ByM-xW#gZ9kq9a`dL zwyHarw$j@|`%J<2Rz+L=difPelO(I(UXm*wohwV7JKq<&m!gBGkT6;-Hd3~2MGLX% zSawhH?z6_L_!KW&0;52VY}&kpa>)o>7rYeeU)$AMx9RVnSAfYbiO(&@krN zb$PUVV#*H2cCz;0{)s5zMyGAs86>BZu%Cb{&A#h;1C7s)OQSs6zdPJ49He0&Mp+88 zZiL@+$vzlIzk!9qcuiMA#j(LXKeyXMe0GFh(IS3>a?q)c_NgsPA@8QVCl3@Rj4JhH z*kZP&0ZEG-yF(*pN8?<^I^z%qTcHX!Bs3qoclEE6Oj_d^k|ahGM&@|GYF}QWJGSd_ zYJW#UQv1d&{qLmF~_80~#F%mWNH>H?)j7KJqM(uDU!UQM0}d)iMwi!o@Ho z;epVJu(pqVyJ|5(b^ zmo~Xa9M~7pave0?_Pk^BiwkBZ5BpflMy`Y0JMbc&mPr>L>S zm*prj%zJacD-ZwsZo%<8hF>d(`{zbDsOr`B>8x^Cu^m<0LGAZh;B4}^%keugF7eZ& zS*d*q=iQI@n+_>Dt#)6y&9M|Y{ji~8H?6IyTm8XKFW#42=6)5X2Yl}E9dI>rO(^Mp zv1L@SrOY=Vy1rjzHbY0}txIFup7Np~OSQiVPG=N?-+S&d*ZUyN_h&$Xv;K;Cl6|7{ z=>Eaa1DhJH9~7?ExM^@JcO%`=wQo8a;&)xI+kNM`2`-h9hw$=JXTdF`>)W?(VHk%N 
zamjhM9s&_q^Py9J$kI{}S^p7gdXN+ASXtE}Zw7O@qvgFM3PA{g6t9f^y7WQyh^WAZ z4LYW#ykIV9X=w?0jnvxq@;o~btu?9-8O$vJNqz=m0E$H2b#~xgjH&17E3||n<4;P- zy-H3N0NB~OX;WpPeN^4mmJ0)@y6gEx5I`StZzfeeI^>YkAqbYY`FWI1Lz27C>SaNH zSEh7xSb6Wy@csz?fM7pLSjj^26;Iv3>aSfZHr3AZ5_w~OLYwdQvFp}$&F?RC%GlM- z*^pl!_r<<7lMjg&GbJNo?xCiPZA_`hV&e48G?{NME^QavW!Z3Tv(Ni?+xoqn;xxE>u2M-kInZLx;I7N;o#>R0_Ws~5tmP=T z6%ReA&Oa=9_Hlv>Pr7nzwsWG@nUCWd4bR`Xjv8ZXr*^%d;5=t%{?=1FR6WJ_Seb7y zzj&uY^iR~tkAsFeqYc!Q@~%s7+~hYz;4$nDu8n!~C7q^fY}wM!vYUF*$D96d_oJ>k zr7LRmbh$SJc$Jt#Xp-Bt0r4pghdK_qHD&QSzV`1ER+?|Q*W>W#ZDj0`TV>&TF)<5m zo?Ii%6^3aWxOQf9l=qfLCkI-!oQpi1H$94JD5&IOAs{1n-%SEEI|HicLJv*^tniez zX?e09Dgk74M*x9bP{W8-hfbds2Kw!V7>;Ooo3kud#53ecgNRfl7!DTMxI+qD1cX11 zfF;B`2!cz(+n^ql#`YoVPIRF@<=LLZd_Tclxag>lux9|&WCEIp=RNS>wd>bYQC6XL z+nCm*2L&jq%Rsn(eXq#!6K$UZ1rs#vh;i-Fo0`4poGAi%MBcJyM^k{NjF zt<;{gkDF>Ik9B^C9*#7w1p{fu!VZO_|99 zseS=mhbA<%zO#NmdpEE!dGHVYzErkVwET3c5MRV8hSgxbNL+ zm1~(7RNXmFmQFKq{Seg{E?eHF5fEVa`ccDZz?qJ-FTJPuuRdB3Q>(x5Dm5=}1DKMZ zU$?j)adFxG;jHuHh!z`}W4ULU;PKJxAfIBCQRlU0BPKmPU0p-t z4U=?HmmP>K!Cku;vD1TFN2)-XkiL7xfYT`uzjLv^^PKn#my6CtgxZK44hz+dYGb~6 zA}G62y|!uoZJg)j(QR`qib`37to}LzJsYUBpWSC!$D#~P==j5Mbbe43q7f)3k@ULf&TR6j+(-^fx3254pN5aCs*3{#c{V zC#LbcuF=$MT8Af2s8F-ug%JSqF`8N(c{^`9=(-_eKiX2d52jeSd6U zn(0UP=vzVxW(=2g?)w$=8HP5LQimlm(54%HXJy^U5xV|blbg?Vs)h$#4zWVi8tRk; zYQJ=@(D(eobM|GF(>nW>#075$H{3|~7T=^gw2ouV#%6XS)|t;H_d`R6e+vcZ2EW+F z_r#gnFz4irFE6r^helEi1g$?>F`OvkmU_6RNL@fDVVR!#x+@j$XPwJT$?t=1Bzp(^ zX+767H}*Wc!$Ve5)8TcKtBk-*gAaRNzEAh_t$t6LdFA~eb?QTKWToxB=sWHp&kDN- z47Sb(SZS$jZEX!iI6yOM zqCf)mO1hA+hguEKlk}`CG9p6?IIvOcQDc^DwJNZSQ(k?W-AWN2KFPgNLWkNjvAbt6n!WQmlT5QAp9hS-~8!qpWs(rPG!FNi*X0Y4&bI9=>(IVX$ z+Aem2^}bw;S-I1XjE^kZ46O``8&rq+X$V#7&1hd8|LYssb((tz(}4sAbuF2zt4Dkp z92dOGJxAR#sc-Q9(Kh`X>{-^vlr{LyZ{J2g$teGox%C`b%4=mz#~#1cq6sbJzggx+ zXQ;N!*UY|EQ^jYUaPrFf;bh-upF={0EyYTz=JX1wdk-yc3m7XDh^!OzP_}XVxv}67 z|LA}(rKzVc@2=s*>sW^i)A4#sO)El<&3tA)&z@$i{$aAhGxkQ@uISLzQ5a%PVw$(& zf~~#I9F#guU%n8F04fR*?L*X4+3P?Q1^y?VS3^*-3L}po4FS!1V5#q*mjA& 
zq0;;1szke|95(e-aR=yLcZGxJ*T^u|V5KGfN)#;<^Iq8`+Eyj~ zPYW>W>ZZ(JyfoW^9(y^|f0z;ogCQ~opWRB#ff-YuKW9REba>q*vh!lM=+N{$=A>8S z-2kW4$i_2${P+=0hXHN_SC4|)ZXTYMKC&i=8m{Odm4+w(M26aAuhV8r6;!9&SRBA| zP*m2YWyjT^ReQwj)mTT?`v)>xMz0AqqHJk3v-!2&|AatKp8|8Ln{++X#PA}4H8 z%l0Hf-9Ss^!_2|#d?ybc!;l{*WJ-TCVqa~d)`nGk+sliKIB7xT%97kyi^l;k@{3e z*Sxh~-ia;k7wpYV_}4KnMfk4Ow)TuFn|7n(Uim}s7qwGvas4((jhPJJguNC#us2YI zlG^I|u~ib+lND)EV$D=}FS>ZU3pB)JHHyrYPO7M<#f%APY!<4p)9znUUR%?&I2+zM z871*+KrSVe`%9XKRM5Kn7nA+Q#$ramGXtmmV9n`L2kK+EFX(~LJs<0@gJ zWebuQ-ql|T`&hqfcM;4|~7vVvhevXUNgi z-rhdxmfR3>=gtP~oH;L5{5v$2A-9dOA;$5Q$%uuSA%+=yCfx+D3j-eMGGVVhdh{s# zuX#y#i!y%%Jwld)JTKxJ{w)#z5x;FNTnMP_RmWYoP%BAzFI=GNo9C7O_2Vecp2r^L5k1Kn-ncA&07cPy1On4xp}jy@H3c{ zYDI7c)ZEB@uK%@IH8hnHDy*7u#cM#-WNdIoW5TV6M|xxFsy}~@H}l-w%)EAOB@y02 z@Vu&Q{-gcGdyD0Dpmc}k{-P<``^~e=>oYqqZx}Qf%!Y<4e^d5cmJWEe{$Sa%xZ947 ztQ00LB{su`6@kV&`BD8kYlfvSWt+b9L})%T*7#juxMI<*)3K~la%cDU?W?;NzT_8e z+)o$xY^`otDBaz6-by($8Lw);&B?iWwyK#a?A+x7d!nCaaSVPtElgIP{q``lun%rq9Ef=<+#Zk0V;gmBv3eQ{!|<=s z0o#PXNN;Xabr-Yhf7Smjdz|F425z@*xNAZZE@~8Yj6U8Gw^)Al_nq|%eUo~M-@b=$ zF!MQy##eugiFpN(j@_}etZ(s|C-a%fjV%+o$xDpgf4}`KGo_io<~0LFJ2kyJjbVU+8;EXnONE2EV~@ARDcRzoRmm)ZLwGhKd; zfb`_WOsmn1r{87n`AiGb#y@O*p^6(^7}l;GF&8VH?UePQzZM!SIKH@^^-Wrq4Aslz zMSFX60JT=SckJ>Ld^0xLd*Eqq+Ftd7F`v|$wH8yn>YwGz#vxb@G|wvgA&WpQfJ<{p z?r?;Q^Wu=Mng;y%l9kmAO+sy5n^z_r<(UO2jo%m>zYTnwUw)l+dwVp4=kIRTm)1u- zRU&vkmMv}X-12x~m$M04^lL#Ht~ zaGIwke;u3Q3TxF z8gyAFAZP0xR9jKNrUcf8#={c*xUP3!jv(Bige%8b9&_w_ml68Ll>2lNN2wm{^!sWq zewPW!&RN2KR;J9#vKR-os3S_Dp0UQ|54of+~=1lDBl{Z2$xd2h@rEzuh+Y* zOfn?Yz=v#j_4dY<#Y2(wA+A3sr5>*99Z3$hYx1U0nnra#zZWle&Uw%vb)^N0G6&42 z@8t^&mN#iSC9|@;CDddqb+F3huFGqSzA>^!O3+DWm423do+di(EVKOE^Y$U?#tW}- zHnzR)QdVy*a=9VM#>TWGRcGyZSQV>EtB-u~a-*Sn31`IHVar*D^gKnSOufQhp-0&^ zb2?iz9fuo5lUIo98Q`z6z5RM|v2v&H$`Y$K8zvhAKAsJ1ve5z_AomABCraAWfSGg9 z`Z!=Heb3|1LgL~q=+f}*#*KE_=&ui5R)lpE3o?Bce*HX&wYa)gcV&I8xeF?;X}_zDsI$F8fbbz?Gl2P zk1~|!fWBnZm)~PZ2=CA4)d}!hYivLep>};{gGx zvY^Vgx5E5zP(b$*@AXz68jEu{d;K(}|9R 
zbX(_CQ7I1n=NoKo%HA}l&?Yg_P+OPZ=^c$|vtA{YHJj^_#zJ~kdiwg+=;P)<`i7g1 zgm&*<|Jrr*4b;H*k%KmDpxeWWv?u{!|(|6zK834=igf>4x^}p z#Rx4LWL2f!qbBF*=;^H>06?ol>-h1FGTcn)ZDwN}iZonWzjLFZfF216#hU==PdwiM zP8l~7aY6!3NBP%l^>Gl&l zG)bi2Ma+Ri*g^+ak5e+-s9`4{gmLX(iIcf2QeyXk!<50Wt6))3s7ITI z%Y1Gwa3&WGT+d618DV|dcYjvVm4|y}P_0+d{XxgZ=zUvCmqzWc@Tw*3zPRC=_a8F| zIIZA#j?0O4(W6W998)OhvRlN>)-_CmJy{F#@wnXlZ>`m3wVK^VIVGe=s753{4?8;qeccB>rqHblWW*QSzGJ&T=tVsPV_Fdce|IlTKrke%%TUPe*;cg0`djif9P9o z@B8;8iqD@H)BZ-_y}@grY;*{Ip#HhqWmki?S7xDwt*t1$YkM5z6{|aNLmtsb>l{4D z1T6%05ZVL4~G<;wz`neI)8ksDv0E z8lgs^g6|v}hpgLd>eF+lslW53eDp%ulc#$r`bGYV;@K6SmR;U-)iFm#ZR9n_`h~NuYq@IFJPEIN=3BI9edxbg8n^>Uxgbj zfIyU@(AY+R9!*emS%VO$fk#g1`Q|xJgya(=7AxEcQn=6n6b3mEkht86jHFPoM8xuf znx^BiQhmG}3+8$%$R!!gU%rsRUxwAIEAT$EaZeq2RL`C(N(_9(i%)NSy6_45p70p*>(SKp)sw@oIoAo&i& z93c&bOx{D;&WY_>0EG=gb|Xq{yy4S;xUh{N?_DseZUPi??rOiy{qlEjKI&e6U?t_( z7_>c9Dvo#T_UF+EwdlYF&gECS2Pslp@dpH2Ac&4rBF#- zN6T+LB0t7vAQh)WC5F~4>a1Xt)`XJA55RCyP51JwoGjI4_J4JyWNG@bx$paGmCe=Z z)Qg>{t}zxYd^uS>_47~E4r#HkrmdY{9Q6+`PQ77|W1RS@s~*bB?EZP+x_Er@DK@L%S>!C=olX;9{v1{SKM>LsKDOS8mreYz23?|D= z!Z@=N7~J7Y+G!t3G7gv`D@fQd@bz6Zm%Z!y*R#5xcZv(z%yWOuvkmwf)D%{qHg7Zc zvy3YBtK^QXZOZ&C@#6lgJsBfWeBM?$Y(yUN8DpcZ%L*hX3}uXq((^DItIG1GFWYZdi* z&2eRLsq9hHhep63I7yq3av<=m09)b@k}*oECEQ!NG{A5s3@r3-;kSzpPhKM2Df6s1@>IT@=ck`tB@sses zs55E@ro!nAKz1N4bjO^3Le4K#DpW7C=*XxV7&MEO1rrEeI7t|vMA5Nv!;Oc!3L(O> zg!GXtJ;tt;Pv5s&;G#C=#Yj=Nc66Sb5;rCDn`>^({OK^W3$z8p*urj*6@wqasNxOu zv--$;Ipj0Ne(d=ueGM^S_539Xs}d%-V!TD3c3k*<9x4ucJ{PnUCNZ=DTeOWZu&1=^ z{#^RLO|1g;>?HI$Lil4y{K>pBnFR(hlc4Or4$7L~16wf(t{Ll$b82ZDG|<)hdWLH- zC+Q&7+!G)v<>k44KY%X1TOENtUySVdOYC>OQ z(1j7V^FRvz7HZ5%Z~&T5TTWyAHL}iHPPvD;-DoAUYf}X@T>1ETdo0UbO6n@tEWiD> z`~|Dn{6cm6D-Ak_-_GukzVKeW@>Ay;3$I<@)+s53ZF3!0{DD0W(HjdSza_oha9bn@ zc*0E?RJR*$IG|9VrqDpf{D;pxCT1}CNS;pfh28qesy6{cI_|1?%APoRl3*eT2(8eB zM)g<&OBKkx+Z~O3Ax1e?=A(jvU78>be>if{!xM-YH6RA#!js0YUqi{bICN%U%ldP> z)Rre%UcP+UgI5BpN?r`aECIUXxUw51E6gS}&z#vp)RVBzrGi|uwzk%0m%jp!B$H`TU`8HCJc4Yd&n*sKWiQqj+-nOIu%-(=3^fiZ1}|kV8c>5>%^}NO^7u 
z485+eiL!3oYfuRvpAhuGl+>|xCr(RJ+fW+p5_E;$i~I z5z}tMYH9*V3*Ad&S9+)C9TqPCUEhS%Bwjivj0=-<&_4~|o~G^@RSyd=GBncXPtRYD z%|vWel?j)DrAL0FygW1`c>8w0fnENX_{+SMnNhXwFV61 z^9;k9zvu*PfZkE{pm5ph!chi7>TP)4daZn-;akLwwK0l1$?=%>!Ia70MVeUitdKfu z4QFTPWK|X>X6dsZ%8@cQxiAVZT*v4lHjUTlh3SfF8yVrvn;*Q-y1~{xCl>JNBdD2V z!PJU@JyD-MKMp?izS8aAca*;LutA$+{0{Y?Q`KBouZDQphB;M^lm$&&jTMYvfBRMo zicgNLl38w3vDV$b`KZouM+caB_|zcGGdbX5!N6WcZ0?b-AN7~|Z|U;yftDpgKtNJ# zV-)|f5X0O-P4|H{f1j#4FZ3+Fvkhpykr$|t?K8Kvn6rL%PGK)MNPHZ2>q<{K(li28 zG^!C)%fXo5;$(zxv|_M@JL=9`@f{^m^D;8$U!C}RDK9=#<%bqUI8~_n@t2ChSq(b% zNU9ejI*T{Tcb}WjDm&;pp!RlTjD`}R(URYL4QabHfa#>xcX6#fenWqq7IQvtOX(aA z)@4;vJ#>?W>FpyW-91mEt*#yoQdz5O)tfmRb=@wDGv=JQ@BxAFf~H`xQR7D!F&n?8 z8#&YNEAEGZc>cEFdM4wK=Wb+=bE=j9JU;FC$5|~z|LN$l{4aYrdTs5rmLig_W<8p! z4#Mk)Zhosn-mi}LFK4&GEPn?V&VG~SF`Z4PGs~Xm{;f@5P8Z{t)z=di=6+FZE)LSV zS+e$!gSa5u{8~d+p*dQH)KHxe&X0ED#TtM6UOg2(`1szlxmfQlbCta8?Zwpm4cmi; zY`bGUW}J_`AJCECCChjtLOXr=ok)vaCLPxkLu_< zZ7K`XhSU_dXB&=v^X3cp?htB!zV4svdy(XS`DHjagw?=0}y$qAD-V;Y81^XKS& zYDS=?3_$&t0qxc_b} zpvyV1!9=)6;-sNZDs9tbPGb#ANG+XWs_KBt%ihi}e++Jwu}H5htvV)pw7GOKpc!s} zp`mset=v>7@~J2&ZAy;Zo;jXOe*X>q&>#Hb{*&&ch{f2lmBsy&f3=&BEH6*1VO)SR zYSKEh6@36?6M*?|4wuB6j$osuKP#T(`c}FyZ|(i%+)`=Q_;^-CV$N7Mvx&=kuYJ3l z^9$_fV^*G0IaJ17GO>HXPpzy<|9vog_UM7zckvp3J(o^8$~FrP)~qnc1+;!?YMuYv zP}W>#p(WQpuC}tcB)omnY%PvI=rb-fGEf*1ivz@0n*0t?m(ARMuwo@1X~=ZC!y;N* zX2LS9ds-H^8+#kX-=GRzh#i{V$LEg^oxa~1^1j7lcqE3D&OEnAnWc+|NB{qg6I$qp zF$6e_D1DC1|NjRI%rX5Pn8!E|nQ+3z4Y>VH{rj>NbxMB$O+WhI^L z`exE!P0lcCfu%Om6;uNR?YXS@Fud0U*XJ~|)kYW}IkK0pVtm4z#wDg<@b$n&F7h50 zjUjZimWsnsWdWc=3sjGV1T=N#ELSBqp8`VrGDUTg8Yl&%o;$f3^@A!_nP=~n5!ag$dqH|NS&1y zjk`>%QEdL~ zreKtC4C`pAF!B>@o;7%lwMYmoJVtawfi)TSh_uW1` zi1$(zfQYc$u-BT;kEZ41upxm)DX!bAci*5K3(`LcbI4w3=}|Zv)l8j)Rs#HP zu>Rvfl&T}96n@oyjBLksN7(~zbUF_1`}!0E$JTh=`uR+5T)*5AEX?opEsEQHC=GBosm z@j@zN6VrK61Sl*CZv*BJEBr9L`P|%J_lp)PXHVxGgYy-`~qznTnlb*AxG2Ba_{B2{o$7e|*w|@b9fKSr60c_fs6pG7#yRp2zOkJoCFi zjT|YP#)AHEB?rizE#+E%mi+a!DZiykMFQ&qB4>Z 
zVC1+&D=3_r$#vl-#bP&y{u|NbF9_oTa`*Lsw*XjsUKI}xY^sqEYnmDZpEA8qn0X;O zdbqnoZTB`xCb377ec=hD2CM)fa~Lvs7%pWqvD?8R9>%h$riqbxABrQRnvG5#3*6N$ zAS`8UaO@f9Z&{~`Owoukt&SD9(1GU$*^m$j;^?GWB*hBY;9#ap2QGOR7-hhkA7Vi5 z*s<|Rx8U#hL`y9;SD2J85!3OQsgSEwq8Es;h_lP9aWE@OZ1+gEdRh(LZo68 zq#rk6Te16TkvBk21FUrSqc9`9yP=6m2nYkx7ckN#U*UcU&sEB0_uaVZk>@s=!%MhR zxWZa$PlhpbM#~v36|zHs-Z5jvBNn?KO$nNNI%yT~p1@>4WK2vD_|%L|hH{Q||L%5~ z7ex~ubKgXOhO0h9uU*>%r*7PO+1x||GTnL*e%Oa%7Nh5K+gN#dJ8LpRMZg0Pl}4c{ z9#2saVFpA+nQ(z&r^TVmYXRxOEMEnR#+spcdKj*yQcieaj5q!vRS5>T5Lsa%$&KCk ze;>-YD0c&;M~jlWOzgnX88R*P+K4-O$lJf8abF!vhnVAlN+6@3mB|L(I}}D_4`b@) z%~p!q|1BFg$G!OY9E@%!sCaHbi%|~b2VNh)WJC}q)gOO$8M$DEC^(}Mq(K!`N1HNo zQ7JU|32KGf0Vjz3_4tBp)Z;OjOG>Z=Rc~(0jQI;P80n^Vl#{K2AC!)XELJ2HfB>JG zCw@qE8CE2Z&5MEn4i1Lc{f?L#T%I)3n$#Z}RrF8(KBbs?ANQ9bUr@2q`s0zw5uF~9 z`D1Rl@8Y_qgBTR$0b@hTKUkJGJEn6w2>-iwg-H?OmaoO`L}7s`nIHr;Jw5_{Ywb5O z2HQPfMQPtgO(6u>4LvPd@JOUVb2iGtw%{|hY62`Ep3kn zCAIXvQAXt5y9|C8sX`Ugj55f#Bq&{B#xXFe5#o*nHHjcgRbn22X`Pg3&khXhHQ)G3 z_+p4L+Oa`z#l)<_SIN$m>^ay z_wI3%+80ZOJ)v6u-)ZGuha`gc69QuW6u9(bMVGg;9DuVpTi4Zp!NGbHrHO(?vXqJw zWS~ZA>3%zEND*psy@Lm}_4S!?pYelmO_?5C3}Fe2Bv8u?sw<1m8T|$Vr~mKiY=`nr z8x2Gm)fK|2YF!AX?TGu}a)3t3 zFtN$Vm7uZ~lMG|<=6oyO@GJ6e*Q!`})C{ zkU%x=9-y&e^Q>mc^w`e&6O{2a`tp2Kvtej$1M(%N!4ZvxOe*v{RZOPgXYa(>F^%Q|4V$Nad7PUmyRcs`DIH?{1K01 z+1D{0gpgMgt^lBu0Eqq2oW$w3QO6-6Ta55D1mhtha^XvFajXqap1gqz4Wq~Fg1PjO zI|1E?Gqm#RZK2rTUJn~8}G=lViLho1%QPOK`P#SsEyw}#685BcnaNWME!+@ z1%5dy%20vP{L>Mt(4krEEWi$7nB19MUT1dy^H12!hU4ys7pwh-cA`BL0c@W3@+Aj4 zv6k%RtfV+5ufG%YE}2^!n(-jqE;hZ9F1G~8d0bM-#>aOP3gu0>)^1pjtPN4jAbZeK zkl2m;WSURHiyd+dyQg$O5+1QSY5q+%NG-utr}ub!mo(oBrMn6v2cjE5d&Njsh+6_a zK>i5lBuM`&QG~9EJY@bCbz~yZ7>4TxJMvrss2~T3T$7p$`rvN`9RLfQ>@UiUSsETb9EhlcXNFw_Iv$&}iLx8@COq4y$n_ug=u5|k2S?%Ks(Q`s`8~v+Fn9K$PN@Dx$6_b!)CGB9; zK9G}tP2W#&7k&+Yz^OOHo`RhhN!VCXXCOJ*-5_kB}GVgOGr%tDzxVvAKQLQuw<0r#(HEFtg|fA{N=c{gxv0t?vX^K{$YA zBPJ`HxvaS8P?_YoP`lKJ4_9H(q6()z+onkvu}7Ee6CcuHMF?K())!VwMOc;K^056S zPqqjl(N3N`S#ts$Jrcp@4D1D9e{hc$IDNOJ;|`GXtf@&8PZ{F=-=_=!drnANB9bS* 
zcG#*|Ww!YsB6>lZ#-B&yh@`It^rGD})S^R4)NkGSDl}LMqeoaUbK7R2DHAZ{I_Nwh ziarR}*jxzs3_+0!u`(nh*Rt1}cK=`cYu4rzHz(p5h-pbu2fs&Nj>!#|CK9(3lCg0g z4<1aDsHxf7#*)Hy10=x+ks<6W{SEUHqBIfDs-Ma@lyZ-d7t8GHK=c?j2G&igc40))4J_YOWlfz7vU{H*@V z*G;x)uH)9KudlC&KhjUU4ktJme`^smMPr0W3_|c9Hr3FQYwWm4mHDFW5;-yV@nPZI z27HXROVaQALgyi@B6L2w+u&IM5;k8$Diqwbi3Zwyv`Beyu}kx29; z&^EbNifu^7`XGdChzz7Tqp&`(DCj?2rBwnmOe=^3i3VtcxOo_CVhOIYDaSS38p{(KRnuoKzU`Bw2m>FTi37`YIicwrQFGLs;{F?EfnsS05 z9bx?x%uN5~Nb*{YdsrirlOu3qQSk2vFswbCVa%oAWSyL7{jy`U@#kf4qj(z$gc(9& zAzVDBYK)YIEC$2|?sefIxUoiP*aR;@s$IyZfGaj3l7~)P@705LK9y0?Q%Ry>&J+Aj2Gm0WjC$&PRBQ5pf0vKQ7Ux2x(`v z;#xO8Adbbh$3iuh5@h3SxUmY8Z4gYO_EM`p)J}l1miM#lY*viQ?LohW;7iC9{yk82 z1d9+;vBB#U;cFXjqA_Bu&U#ff!#=kS6G@;P7apiKS%NRa@DUookn$C7@Czm)NW@*7 z+FoS4e;*hduN=1)I4my``(<|i2n6!)ga7-$EMgX=VW|hF1ey?tMtY6$k#WS~my>;n zhYEsqK==QLuQ!3pd2Qdn?~)RV%8&+8$rOqVWhixvHkoHpWLJhwky*-)1{BGdA!?hp zA(={~5@oJ7Tc#9|jAfG{srPe+=fD2%TJLN9)^9z}e(bvM@AtaS;W&@uIEkbw?HKE0 zXepYAJfCMi{svutGSMihGoQ}`ojO=3&67CVf))K}T60^~;#>lyjdgRA?@Gfd^$?n? 
zEkvcLzp%KVVomo_m}=siN2RsU?R4QdDnI$1r2f6+LMBw49JdAzPL5OvRC96|rAR4m zT+x8s08-GZM~`N_UZ5GyvsTyCyY-~iqqTk9A^T^A{-aJmVt?>8uI!NHi-CECO@c?| z!^0Kdzkkb=zvy)M0zEvTN}8eM2bPs-rm`9uRk}t z`?;)AL^S*{#{yG(DwHOx?L#DxQ7MA8o0__SIX(qxhk6ysH4a(FFaQSNr|b9p_&^LH z`vtZ%4Fr{=^DInk7Ia(T(~d)-p^)a@aMi(Bav6k*I@DPN?N=YJ4zcmS%7kygAtx?= zMF_MuQ>g4R3$m-PGa_k*jR6(?R9YPNohsM|NbRS*Q--afkXn(&6_Gim;r)n{@GAc8 zX_V{%)owB_2P;IpURiZEtm-}|I%?atFnZx4mS|*RcJxn|n|8{P+llSu`}vc`DfPZa zAGZGhQ|Ew>VR+}_s`GI zy6w}vJqL!j^F@g(Lso)-29Admhz6#=eowme5)|VkW6|RR#dWUzJ)5^~)!-y!$mRkT zlS@5Ie*L~MF3;;E5SLs=_ucESn6R9YvMvs5H21a(8@se7$}yWE;nD=W8ifcz%Df-t zEFqI0ZQ%IpH#Zfy!bCZ3nyG<-LGGhRH%{}dxfYV8 z*)^C2eo3Cc<1JMVj@Cth3PqI-Ha7WLbXHyBCJR9rJk*0!iV{%b-H2Fb{!Y|>FpNV; zT0}4{19n9~{egD)z4H9RbGxWDb}_GVfUwNB=Xz%FtK026a3J%gKe1beZ2|0+GR7_M z64p9?7`=esH_rZ1ahlqX1oy^$5e-mNC{e8#H%d~ua{!Flk34j&UaMCFzNa=T>HtxP zg1#(guuZNED`@(EW^Z6*xJrLT4!CnzJ|~MGPd z232nZmWTjBIzq;Al0g@Mrb)>Fq9aa267ZzeE3Q6UCyv8x~D z-pwFl<77eFlKGx?_&N+^(-75qz2FQ5m*nriK_hf3VyGA>*o=DlI`CpsI}?SOIkFGY z8Wtbit&R)K<7WN*)jo}dN+}I27C29ElyhPSn-qgfCzG(aEgZ%Ul#*#;d9%*QRu|}% zMm+kIjswg*Rtf)CrL4n7cvT?A?Bb|XBSH^$xxtu)aDv$cA9_T>4%pg~VA)0B+}z;! 
zui!CALOy_^hC&`QcC%5~VvHy|G4ZI7acNNZ<^w=FJ?qK2IZkj{{$WQUPcMY2ori}< z+6$UJcz1;-iB?gKt;ZE`v+>=$-YLxoJqEj>oG8^FK~gh{a{)x`_)l{oSuHL&ori`(5mQ?ow}fuJ}DMX7lY=967o zlSAcAaw^~!zx}Pw)CzUi&b`t3hJok||KR}sEnuTi5$q{&RHe#@3E z6S@<*vHs3=K2;dqdCZ!%mL6qqd}CLATz*KmPcWR25jwn` z;UA07d%5+bW*t3tZ0%>jfk;PRKa9@+f3yKLxT7WfUJ9g(;C+HD^VK54m8A+P+mtq6 zkGY+d=mcNR%+AgLf-vp_j@hQBDP5Rwh$cg}@LWb;pr>BF7lv~@~2Mh>(_ioOk^Go#b zw$ruKc4ZH2N02p<9v?h7sI-?-&lFsbXn{ycIdo`bu3uQz&slhtn|vyL7*q={UD2aBwu=c5rWW|N53H*VY@VXnJ-ckJV%JqPU1T=mZX>!Qh% zCN)^L?3>GVGu?2HsZ&*W<(Rjz48S9|`t|MY!NGOTr>5rR=ZB)8l_y?(c6&#EyMj$U zRqx%qhg(~=RkQuq^>@u4d8kQNRu*gERvkXvv8G?wwR{ga4UFPkOWP?wyP8I|>e^NJ z)~#E-=5}-c+S6j~&)$9hkdY%dPF(;Hqda`$$=nr@A-Yx(9Idr_G^Mnca|8g%|(aY90gEfat0No5$ zX#4v4;XL8AbZO^aN@J$dq?>u`2<7T*ET+}x%;)=#7c|Nm}|r zUE=?@J-dRD1~v$cwpLR}AURs@_`0xB?Lg&w;+?s(XA8tEm-_eLyFaODyK#6$CriuW zlP3ohR&ZR~F1Q#{;T;&Dp`oD&I(zo(Uw2Gm(zvPwC0UXckRN;G{ll8wAG>VrH^D3O zh4+~|ixw@4E$@5B`_;EmW5(27?Pxu#=3DQFuOHsK$LNt~(*TThdwFI2<;o-WIu)Rf z;t)x}qR)Dd{)-lUUUfItlAdl+X44-CVM#I}zL?S;wF!kTj#AgUwdc1&_x!brx&d` zS8dxN8mIl!S2vC^qJ5=t&csD{(Vv!fzqkOaA|3tRIrgHS1s$GWw-Ywk9J8f+r7Lq) z3k(dzjP?m$r^I8^n5cCT5&R$(e4K#>iZO0$iV1Tz^^h z935fPNep=@l((M<$N=>m;_Au{K&v+Sh8_8sheodfX4o5_+hlyw9OD}|Z!#9@!ujgY zCBheF=IM#0?QEQ>3nkAI0&?^6TKgNt`GHLvAD?TiK9$z` z;IU)QU|vSX#(T#e&bxoVy}ylV+=xR72?LqzFeV)V)uW`uYp>Z&{WAN)kg$ln#^G~o z{vNcf*z^2+WyqrS*VKkOpNtxNc-KEoRlHI*Pf7if=AP`}bxvK8J0?&kX6@I-Uu%X8 zpO916-P?c@0j^o!IJoozO9|9gtXLt##2pHstc}QINC^@HfsiG-GfKMnbNmpdesdt<%fD;#|9RM2CE&_ew+8R6(hA0`nmBZ72ZOcr2f~ScLWImMu9 zgtM#(xR{^c9I+{%P3O=2S4Gb@^{$E@b^OpXjQZ>FHyDzM_7n~)8dV90&=9(nx}9~? 
z-ae#9>$Kw)A3t8gjZ+)HbLoCX=xn?omW?8cT9b;RPhH=!UB?{2f(W=4H~O2t$9C;9 z7Ig_}u@B21kDoq0fDb9_gMrA__4bDLB?uldr{T4(y0d1@B9s@iQ^C>Gv-s4*en;s^ ze%m*)RKHu+iOY7qy68`R7}Q=r7WXm?&YfLcG}#dyw0pNuZ)7LYqJUkHAjXYr&YF|( z5rNt!F#AC^_nbVb2VO96O<{GVAQM z;8l~Vs;c8SZ;hulrgtsfO)JNKuMkql_=*4Bx|e6Q<>{wYPkl_H9W0v_uWmlYVesGv zvX$!mf7d!@4(%#8Q81mh&tk~fV5YLoLq*ZZzN-A7`;Mq6>w}sK#gHLG_KfZzseja{ zQKAcUpd}I3q}C)S1`TYqDy~rp0c3ukX;R&|bLY;op48SOj8aswSaZbu549M$JG;$IYZkX&!S{2#t`%9Hl zWzdvHVM=!s{U@<0QP=ytzoaLMP==vJ&z`MU|lq1Gq z4EhJ*Z6)@@#XZx$YKbtwf5C$O3Hh0Mc{->7{@l8?xiCjptzJEq-MuvVu)7y%()Hdv4UaQ@SSS)y4K zA)`|X+gSR4+xpog`ucOdnzB+^9PcrE_6=u6Od|WEo)i}c6BJYn3JM&7Do-L-5fl1?dnJxBXOQJG1qZj zMl&Nbz)6z~x&Eso&Du3@-kjqdf8c=ky%#m}hxHutdu4*5s`KLI-`$pl)|-3zk!_;Z zqbX;;@!IJ)S7UMAkL8@(Vqz}dz1xgca$*4D$IfyYH23S*ua*Q;{l$~S-``v}b&cn6DU(cekH(6pF&r&CQJ=hxiZ1pFP{6-g z>GI3BZ^elAMs?i|x3$&g-vEECUgjG#f&<6@%4n|9x2kz%{bo-o=>7M5&A#PXHCp!l zn%1w&f|>W|Z8PrNX+jO!%fGZS94Zw`X_y30Nthulkpc;)Clhn2y<{U|ZRxvrA#@~k z4n{^sGJAj_H-6G2i5^feeHSbc9kpnYIN)YjFpeENHon@Z10H%PtdJ)P^k%NB$<-Ud zoK~Pr<}sf>eUb%dc?hb=G89(vsj0?2dh`%$GhSQAg!6w=M({liS5#AZ%O(*Tv26RA zuQ~1KI!;KORu{}GYDe#jJuK&M8gH3J(>Z+NM9z0g1KJ>X2X$#qS$*0V)OTB$(o{MV zAe1clV!q!i7tngRwm9}p1=S8O=_gfzYiVCV9=z~q>1nWTz1^q z+0;Mo+~b#l*=OTb^0ixBVXdBkI zqRE|^r>Cl>#iF=F&U7o*em!50I3l~ALe8GGg=8S;5~~p&y|2WnVCvWZo?BU4_h%vx ztw!rxL>D?>#k=vQY4%BpiSPHs?yY%2h)*kik$|5YO5mj41~2A3J|E6rD?{P`Pg(q= zF3=l#;~V8uJ{BJ8^UF)scHE&lQy0d)2Ymo0fR5yoK7Fz&Vw%Tdz(J zu^usc^eWM*+E?bSFK6$SIEHlYtSx2_LRhPKHKrChJ9qBeo>>u}=HDwQh+rV}E>D|9koR8$l@uD{aBJGGDz9}saXUBgD`2f4(OQEFc##@=P^kth< zr%z{Gx&(MuxAEG`lFSJvG8!Xw)4Nl0U%Yx%lNs#F(H#ab-b+bIkwlCn4SrM;Mq$C! 
zEPL_~?B73)oOk8Mjq{%Wou`-M)qJ_1v%;&FNpk9@BZQ6FfBYeFl&-wRlxRdEp)Hrz z!wVpOcb_!BV)Yf+9A{GJfec_Mu$Uz)@1tX@)JVgN&X0rO!(P2^=eHsNm8lIK!EpE% z6gz#sf4mKm$N?mY(FO98hS%c?k4~`%Hj;DGbIv3EZ)ru=uU@{SvFu3;)%N?ulYh3% zT%V&kyP?!j%qfDIFu){Vjw#KTlAdYd5+SJoX^_-?mstv|1Yt;ohTy~E$wGlS6|@`} zCuEShBSmD&xpSy=wb3iU4ElX^Z024t#Y9$kkj^e%yH-E_ZO*Hl!0P!RC8Dt`|L?!9 zJ7ah4ieO?^^|X1K178hV8^Bo)>$(2~aP5LdcX)nAVPke^bO(h4D8ljnVOc)ZmO?4v zFT+y^{o|2&%v)(jABDk<@T&Wx7u9+&ZbMj@#a0$=z@r$>X{HnKU$~H_Dy&qSkbEz7 zSx=yo-rifMPvKP)6`XfA?pUd8Fsb9ZnT`HS@zUw@>EP2T3c-DMAH?VuZ*1G)@14<%u?$2cE zxM7ev?4jh`5&Mn9m47l9J+{TlwXT|4D^3q*JvwD%!#w4O|Ne7i#Lr{<3EgRibo@bi z$V>j++dDob#egYaXp6? zJ$N?i#_ijBlAO^I-BW92b#(0YrYg=a7pFY?bZ=+TQ5Bz=1XawNix_3n!W-zdZQGV` z$EX!{yiL4RBkkJNgUb{0@2;?t4nK!wc>#>WGMFE+hE1kcGHigwQQP@FgFhG2NfoTS zlmE^cZTq=)@L$z_#Q5=HHI)f9x_0XDtUdisPFeRk(y)PXaMo4U(@sm=c5|RjJawGY zzLCPvWLzlq&}p6(slyD4HtZ-pIB7+f95reQaB=qqO>H|2)n7svSWPqTWp57iNdXvU zqiIM|Qc~`Su#!GKRCC>){OAcjR#a#*x4c7Juyon7pKZa2sNeRn#i%0--DDd9%+i2b zTQ|W=r&1e$iq~Q0Nm*<;<^1?k1~=-UE!=SATJ@gIJ4;Dk<)S0{21$AQf*f_8j9g&~~KLeMU715ysqV2Pky`f1G1S400k z`U{NNuO!L>czDd26Um`qF}L*DCCN-qI3W7ef-;tf2DxV}b#e<;82B1x#%f@+ank9q zQOEDyBU>sv0qm6&_d@I^-7vTgr45yOX4%gHMqK+*G%h*zHR3WOr0PA zMLI>(>_h_P2i?k>c^X>LgsT+e6zpzVLHql5>(-6r<#u*nT{5iPrYL#`IfKNY|AR9* z{~T26xC$>)`~*Z#$RZmBtqh+g&uCws4-MPRPO4#QudnXM7HmPyy;?VoVk$DnBbJsSm215L~<1V6CqDpGCzwqb6bHkD}tE6 z4jJw8f3fmm=*K>zES^!L(kP$D9dql?ndJkM z{=7z4A39R@@}*|c!fyEmyga@bQ%&E%*#=6>W|=uTjo=UNC?|e@`)ZW%vg?I+Nf(r+ zE6H@wsZ}( zo{67?Bs{mIv45}48ST-dwdD-RyT z1e%%A153XtSgLPP5U(rDXXjrd+jGK--oDl1R6$v5AQyB4_@+3I$-)%mN&q=~v4#jf za^#3h>W=!!sYai0zhI)=^HBcY?ZY^LbeGcD(fGDqkme2$J!;hL8NHwE8{MJx=HH-X z*uTt2bl88{vfigAzWvL6tyd3scXz0Su9Y)&C~HA_DB+@)8dq+mjde`OFHC$@C(qww z#tiX*hBGD#CKwf<<1u;n<_xZ#(A{?Cu#+~mPEU-Wmy+IxNh~=v&KAhG2{{o6G6WPb z*U!tG2v-}`gT17889#C2&p_R65kYBhYU<=teVaNQo^-5+_>UPf+wk@lGOx^dGN@mI}~9SieJ(6!C6W|D(!m25AjPPobV~*Y;mKaTPI)>GrOTxD(+fl(*a2t zW17;^Ql=s#!xCT;f|7-zNu;HSWO+wP1RAC|>pL_>Z#HETL` zW;kU!apq?IsvRxJdkhr@6G21}C^Z8#4(bmMhSElZkljB%FP#_OpqXW3yIbpSgGlq` 
z_j=|wg!ZRGY2zH!K8{26;6VrfhB2+78vy96itMjJu(3x1}W) zYbzvaV@W6{*ZdllDi=lL?#ZZ>*OH!*p#oDM&x9t>Ja0~;oOXcI{bM?yo;sxq*=|DZ z055vjzL9(X{=2>);1p79Ff@{bi7yjIF*Kv*c0ac5w#Ia+?Bz&C~!i3EdmWHjO_=fwl2e~$1UlGJcPVr8o zzQ}}Bj5Sf`+V7Uu9bgoCWQ#UHn6kO6Bqw$~(SR;SlAqThdJwm?6~;`qCHbBHk^Gc4 znzLumhKef0QqCbaxt;=$M5k%f)o2@_Z^j)uP*c=A?(+_ex=Rp zU-{eXFP;bdI(1$tl;exQnjXx0{4Gsmey4>IR)D^KJvt|01=vw+DbmM~zAT1Q9D%R> zs2WWb={Oqk)mVZi79jF>Tj=hs!-R%E1!9aQXz~v-Dq#S(sAh6@O!-h!sZly|zuNil zY;p77{dMe@?(rFt@U_>~x-aXFjouWtYX848RUXYzBgHlAb@P!$bZPm;$Z5TDUK>@+ z>b$jG`Qr)sE<*+=Jx}vZiNI3D85STJ_ifMJ6>D~itk zae2^{#Qtwqe?2&($Li&}uGM(nl zz39Khphdrf!k{h~BSBT*9ge2n(wk!AiKk3P&Wcan&VRVo`wP>ZUdLSau$tcFMNVus z#y8#eetn15;Px>0aec3O?i#q@*!YI`deteM?6x-h)7^-rZrVG));vq@`}q4m&->}F zfBef7PYlmw5-_*0pD^bY8)*JvSPw0&01+=gVERGVHZ5zckMnovhMlgV};JKQp0*O<(HA5;Gb`S91g^o+L)y9Gt5ZMa^MWO5?G zq)uAPC)*B%YmY5S9aY^eWYwx7RDhjCEiKOXJT^EAMisA6?EKeVzqVHn8xT-~A zfSWtd+7&}+)G4CfX_^n4ry@V0HH05xz9pHI#?3vjgX&ApXW zm)73mRl0sI_E?IbG^|Y_7wdfe_AQfYn%)NZw;A_rDy6IFmSL5k&yJfB^eZVH*&G!$ zb-b|$E9tmiZnt)Xy&F96TC!`eUtEBJ8USc;#?+Ay_$A!7-l+d_>dYnIw4X8-SFG-9 zb#Uvf(lrkcxPCiI-Zr0AXj(CMDTINeNC&w3fpRt6z`-f%>t9dc6FD zt8nfJMWruaX5hTITHrM%G>chIm>5{I0)o2sj=r!4Ku)tD=qeNsljdflT@42auljhv z{xZCbM5Z<{uT3ySkpl@jBotY&F|kSeg16-waxy%Nr{rWolBgjd7E0bruYh(NgO_ zNyjpPZ5*zYsRlSBH5->7Zo>PVz{ijOZUt+LXhO~9zT#_}3ze@rDw4|fyHm&jNHV5q z$kh%FaDsXxaHq(Uc-xgc-tgYDdQX$Kv1`5R<=5Hk>C1Tb7?(7R$ z3CS#M#l1IhO|owfv;X5@TMRMnYd+Xp_2`ks}@3A@jLqWj(if zof1U|?}v<3bxvDT>_ET>2Cy5N{)RqWS+qt`TPfRIFMuhAX)tp10la(Q7QrvNxiP;X zV&aBi>A$Ikchsb|Z#D-Vy`JAFU&X!A{2N&(^>*RIt}=%Xo1fx?+Mh4Adqw38hBrm{&8~LqoGmtieDR`hg*6xU z)>4lIX?JOnIKJWBxpRB<;?@YELrmuIwi6Qil)&!`WC}$oj|9*G-Fx-7w3=m?EEEcu zQlW6V6#Tllq@?CG?@ek%pD)vZ@0DjleH<}_)H`TBXtx&02#E%$e5F1%;2J3F7A!Y z2mzb_+`PHzii*ST!mgJk1Sq1)NiN!$|3HLw1Q%aH#>s?M#(c`Kz;H;nEi~4@?Q`Tn z5dv04I?dk{6{Q2Tw64wIEn-qSTeVe;^H1)v^5m4cbGt}RpuJ-8Y%|zLtGC~OR;K5w zJSoy>emjzaHk`@JSA4E?%KV%XoLuuQ@0jWylmE`Q%uHLM1~eucegJ7DF`|J4P?o`* zcwKMb-lF<*U`_M%x6i*kpJz+!F%{}5*1~uPo7vjlA3n^onUlFe!4Pj66R=Gg`3X1* 
z?cu^^&$$YFMRMcf0$(x4)bA_sW(C<}^^3s6h?8`GF>phx)R_6Oi3)Gl?j=o02L zhjDW-PlUa`4HqrE-R@=EQk8Wxbp4J%{M=KvW5*5+SA#W5Q)&y@rULCVL>-Btx&pE~ zrkufR*Iqwf!8=pv&s?}*!BkQ!(AZ^g^W${)e$Vf|uE>2oH?2LR7J6t0cXyM&MjqPR zes9f#%$KiUJ9&G**b`z)Duk!1SahL_UVp)3$JO1YZ86jBX-oIQxkFM{n2Fd*$cr zKVgJ-@0_XGfq&p%E1iBy0m4c)RaP!#>$*Ppqxe9R&g6gZb_al!-u_A_)m2^n|MWW* zy{ULKN?>%Ia1RjAUsGqy(1a6%OjP8!B4a^~MB7;o z*wg4*`^~?-XHTUMrZer>h0;@I784IaHdR^wt23(G?&tW$RcQMR()xE_#>+{Bb73A zB>@6LKD>VY`pMI$s^ss?L{dKln&PuBb_er@k}gzqf{lF1D$-{TQ$S~WT6BaB54$yX z-6tmm92n7I*!uMYy}b{B1N-Rze-l|uV^kOtKz#_JR!L_73NXfXsO|2oc>m*5mv)B; zRNE5n)H$1+yoXtsuv?cJ11^$`=3cTN7QDsAEd6A_KkuHJgttr&KegoGLF2DOzW_CG zkYEGU=Ua;q1VBk z0eg`Tir$C-9gpynCF0DS0G858nAGWvPB=52Wjz0U7)) zNPcSsBY+gckeGQcQFj2rpPwBC?gTERnp}|Fb?)On!Yg1yCX$)~GiJ0$9VMJ6;w*TI z+zrS`a_Hf?{xmLU)@Ue!gmMKEjY0tvi0^FjInaLBu3cK+>XC8d_V4!^`Oac=yC$GX z^w8VNALv2ENxyQX9%gFMD~|FG)+NtAxq61l!q9*F&*|e4G&FB~r^8*d!W*11>sN@9 z0mNONDNs661^H~=-fg-2z^C5&i@q=Vn#LM2h>A`Kguq&b>_{BgiB&vtKnRSCiLCf? zJmE}clW@=mPzy09@!&zxz6(6VGZ&f`kS}Obtt~kW6>yXgY6nm~Ns|!y_#gs2F&#mX z;K-BU7)d4qxdYR?yWx52=f_S!v>fyhP{zeemPlIMzI{7CDT~UC%7Q|G&mBs_r9u@& zHn#4tQE7nW>=Ka4G@`&`h=kKCyF%waioV2LA9_pliqM4r5mxLD?+niMSQmbY!$Cpgz@LW3Vipo2|UOych=t;Y@^( z?ewht+HiSeW1GQ(qhX2y08-D`d;F}sNBSf0;n7%B*g=$(7Szx2!&i;#$L9`y8)O!j zP;;mz|Ffwgc*~iVzL7qEFJID*IZb_>_N=;Iajx&6j}=Lk zfdTe0`C9WWZEqXpq^A1#+pD>15;O!`=-G48$ON;fL9!p^^u)gMnDBp7Lt{WK?Ax(k z%siU<@`{Sf_?fi*o}*!!5?K83ijV&P&w$1IyGueLQWM#^3A+ZOtVm5J9=(td(8K%o zkLk*1vPE~{hSaV51l{Ad@=8zZ`$FYcQGmu2cbS*H^YVu7)fI75cQ@CvU67s_Re!Cz zQE{KErw*Y0nKNgFdv}XxAC@%lHf?!9e06%8lF;s3ey`N%p`vi_S^ntvD(yaAKBoF5 zGh()QRep)-RMAFPlk3~|yr##Q^Y%yVmsI@TwMCCPkLvaA-FrFhCuwV2E^L00Zx<(Y z*?q;TwvSPE8{_3=L8)3)R20PC`1Gq+1roIh2JE7R@Zj4y4&46u-M!{+_8Hmgef*a? 
zgg$K4Lv_e9y}Wu3dg)eYLLw8QBBw6T_OBE9(m@$75I^U}l(v{4`gw&)o*I=-1{Z*{ z&LsFre^-UlCe?2iB~MKE+BuJ_8kquCjm$3zhfJWG2o~KK>{@)CaVlvWFzk6^Opi%* z-gM5q5b=52d3~=WMevh3omf5HkC2lzBV0miXp;J&qq5lZ=v{yjo z$AF_d2P#Lc|A|fLXbFCRYEixzr#}Prwg*p6ATkx`kZXtp%pDpS|6ch|oh0uDW&h;{ zez%&fVfAd=iX!W(*RhSYz8VCl?Vl0RQFVx3e2e%x*)P*Sgc@!&ix|_e%D^aI`I#G* z`}pxK3q=ejAS(oBC&-A}3QoXHho2K!QvLLvn?hwGt)`lR~>m@wzk5$<$Yav zcV=geaihGxky_h4?o2Ju{~jG-r?8vj*slOXWk?Q%%Ni|p`j#rIL4ch+XUg$&!xt7-|N=qKslC52I3P^-{2vF$_ ztO>1qi-*{M|F*L5t+j7qxwY#c?IjJ5^juA?gg~|Hn}WCSnQ57JJaFi?YV6^h0&FEmIGs-a!IEfQJ$!Wa{9;DH7v4T&!yMHSFlTxLJ&|mwnfY(R37afJ({Hv2qeJy_S}BiFdv;)Hh@0_ z5Am#Wgw7B1H5-=fh8;V4r|dboL8O#Hxmo}8nxB-oB*7p~KRG@wc(L(AXSH^<}h^VezI|b`+i$IN6 z(x)P^5^kticS5$Oq`X)9r>-kzMyu&A=nm@{uPzaJ8#mqY@V{8p-pbuGP}$9JoLViZ z$JAgS)s2z;3L_#BnNSv5w2nHS78CaF4g^yML7bd)+-MQOg-%WI%`4K(to95JyRf2R z-ySjZL+++6vJnP$)qmGzqk+hf>4NAfVQ69VR*xMSGF%|F@##XDvC7s3;oR_F6DfR! z{vb{9p+oKY`qU$hXpNYr!&e6Lx3oO&SL`f1dn}?wjwTCug&fL2#e+`bvv%*ni8>wz z`U_`IOYfC(eVgIGi7KZxBL3a`;xW6%1K?y|7Su>QcrgY=mM8c$Q}QS}e%vC2whyOH z##W+;kpD_O2L~d9#jmTS1q`D4VG2cyN1WG)DqR>N9*s0NGH%EFD39Vy-XLl2OWyhw z{_cl$8b{m(W_?mx8uk-3FM^iDa1D@sEvevS!=DqPu&h#MLISRG^{}sNATu!7A2$A+ zXe!lKwR7Lw*L^-WHA!jyb^Pa6CdFqI99uyeCAYh~7d{+Ou@o>K!suQO2i2qyj%i5X z)zg?__M}DD7dOx6&-W6+fB?;=41|S2VG!fOc$(bOGO z^QbTp!@VkW;0f?61-8rS_wCJYy-g=~jXk`Ye<|0xq(@&xL4F-)n`d8gKZGoM zYYw6zzITlv#Zw^BVni-xHBYAt-wMhY$!ZdNAi4;}R1Q3Csen3oR)8E~SPlcW`}rR9 zp@hVPI7*@Kklu~U3E@3pUZ8`iEZE|I6x*oJ-UnQoLl6YmhVtu{x^xUfNgK^ysF}@B zX*-#Zv-L!$WlL>8<4I-ob@n{|X4OpZd-UK*yZfGUxhr!;jzH<|;}l=MpI`_Ilp78Fw<&|Zk=ch6LJ+6hGw=Dfj?2lnlY=+`PQ zfPmz{)*l?SpmUwvrZg2xCd52~MA3rFu-byE=0_w;8AjC1qA$mW6JA2gU|& zu{zS)dqG85-s2fIRlSTB&R+BG(S`WHBihEX!52(?tMlF6yY$@kU+h+&6ir;G@oC-p z*fhi?%F7!>T_`*N1ZLMb9 zC}tnLHVK)C=AR?&*&H07N@x>CT8Zn4(WiL$VZ@j2zhj+7*{~?gA`4tSls1n zct~E_=}36>ZQF+V+!BNXP}bQwYtPXxVHW>DPZD9OK#YR$akvKj;x6T>b)?DT`NOXe z-DE9UiRZr(gD2W3-?fT39Y#*5r{*tHn8u6(Ig(ay_wLR}s`rVZEGQKX;Vz=&{QpHs z3t{|3n%GB@x4HZtSc=m|*M4%0SCY@2^F*;FEQl@D_RAKvZ1y~$ETX1ww}#(3*E2P} 
z(P~Zoc79H0`j7C`)iQUC?Q!*X$;Ykzto#0Pd%sJB6l+R=bqfj%U6y}Za*^R{jAJx$Jzh^E$>*4gF^M8rwm19TaTt@y8sxN9{ z1`W+PsA{hO^#C1!yl+JBQYN)_(Tz1!J`*y;#BF3|EcuODoqfia6XYTQ0BOyntxSzPi2;wq#7P4pY9z}P6!*G4){ zA0i_-@l=@_8Qz*!)YMc|2ztiBZyZpZ@mQ7F+s4TZjr$-YK57j)5*yJ@a7bh#3cE0_xN(%$ zFY0lW14RSJA)~ak9aBBoFPjHEsJ+17U*tsaay~qL_6RhJkXm275r?K}u6F$=fIP+;UdKcC$UeH`f!0W$>OLBGRq zxso*=mjK+hsKK}VzfIS$NG`Lgpf;6oP8q}Ax4NJ>v}DZ=+mE7eKVqL$K`m(Ar_b!D zHmXN<*+W5sjJN1~A=@^YJW${9iqHK!Z$m%>0x&dGK(RSz=lc6Mv51~AHbU{avU2(G zxLEfs2g{y67l&{iN^~now?=Cvw(dk{9%a>03XLgTCZ46(pJ&cS^ zSf3E^1%%}5EqXMnmu+*@{%BNAb3P{ThwYIVG&sV?n?e`q_*q-?{ zALmA2oxZv93{t_5iEseL*(%b=_D`gm<85Ni)-nu%mdYE_fJp~Ap$-pJyfdj${D@U~ zeqmQauF~=x`4Fu^4`#GBJUjym^?T?8Ya%g1`{+PZE35=4+~RQ#Nu@cLv;-?nRdlYA zqOyi5+3aX4X^1lR#>=HSR8tJ2L}CIW7p<2t&~G}U>ka0b!NI}$En8lAef8S9bqy&a z=%JbZfHz7b-|*7=8A$}OQzHtxwNf^vsgJs`Wa zsbTgak014Ak1RX}saNS_#g&|FO+kRdZ@@q^(~eXzSpb9>zK7v36CU{?ov6roBJbhD zj&}9$x8N=HV?{V~i9@lS;25j5J)y;a!KfO{^u%JPX0|Pn4RU=+()dMNnu3rrSf{T` zX9}p~gY@<-+dlipCova&EmJZPI=^`{`|z>rzbVg9?@#3|3bP+J{Y9of$`R1B=FIWZ zQ%q12aTNlF{~5g@bySDV!ghyr7lK0(TQexv(pLK0?+TRS`Tn{^oZ;sQh%%-Graw8Mw>C_=;$04^M1 z9Z8ae^@XblnYDiwikq8Bz(*aZ8?`!KE34r|*%KR|KAkpX=+G1ILyelXRozezss-#5 zp_v)4e)EV@1Dik@LIMTn`CW;WjTf>|&Uql~vUaSku3jM#=GL#_*Oj3Vtz}*7M)THW zRUWA%z0ELVNlF;@l9y~=n7jOm&Xg%)X}f0*Kgje}wzlngZ`NpbDaK?}N(~xUyula+ za~4pFh`w-cE?=exW%k#@dvgWezv#CaYtWyH|0{7T&Qm99HJMq9C5O`K#}+^HC1fjt zMydGR0>Gl!9$IIQ2HQyZrQx-e!j;IQtQV&FW;nW%C9Y(UH?`Y$KU zfoODPp^%-n&VAco_}2YHqTGXOLHB>}^sMGo%WZ)qCv3p$j9IXl^Rd*B*if>`+=ZWR zi+?{y0n@TpJh?-JEZJU;iX1-m`qEz0Lt&U5XJL)VnsC|$80BN<_4!qan)deUu|viN z;?M+}QUW8%X8`4B1D-?%gM#BfRxiu1q!jcyMiUEyfydzp|0X9!{TKlyFaO$=e9qPF z-30YAAp}HFcCAzX)c!sxa^z3k5;i`l)A2%M6##1b^uOeww`Po?NN=NhWpBeqjZW$W zm4Ik7LM}d`u$cufm_y%bQA|^i6be`Y*7?b-e60P+zgWO=OQv~vC^QP>(%l$=eRa+Nb*dEI4 zJxhkx?p~cgK@qc=_a}R-8S|8ul{GgGeKUlBP07lhn=q~+AJJ#`)815jwa@DygcqI{ z!8r@t*2a2zX0^YH!w$65S;s+prJjmUXO1%-@0}YsbSoh;L;lA;OnOd#qZ4LKbs%;K zrz#Rw0z)RLIa>a7gyt-C@7FJqae`=FiGQShYR+at7QE_Vwddf$dK3(daVV&+{LP(Z 
zupb&43ZY>AA#9p#Y|>}<;5sjKj?deZCd{#+oC>qYj~|Opj2SgRa<7P0VMnBBtNruA zjkfu5U`>FijwmhJixV!T*kBrV;jZZF=?xgz`a}npjdEA7%ml9@I1Ia#x9$%Pw)95m zp?PN{jCuq*^hI(j!2;xEtNbqlsgT3ONtcmk?KMhp?;^I_eLroCmr%8qa$jLImUPxLJ4S3~hENL^iBz2(C+eS`cyorrzYu}1z{K2B zkHw3}^Su11W@L+|AbXUDZs!)dlFsIN`~u_W`7%3|iaR&Au}FO>%sD5e{b;qH@G#v> zgG$B8bM6Sw=fA8>pbf zJz9C)^#84bLI{;K<@@{heuCzL#0ghYNSnQS_n!1oKlVg+P9y5qPWkyS{TW|gVsL$Q z_s@!&S{pUs{s_h0TRAWCs}3fx!-o4wWI22%P48}6?@0mQ|MjsE)%=UfcV}W^D_$I{ z7X0p>=lZ?);LCbzEXW7Ewy!6jYSE)#*2PNYD0+OTC-snO3VYPjatMzqC6tdzVwTPn zoO>mQq8Y~&VElmUh5>#P6e;fXR2*sN{{2^$wwqpz1(4#0c@c&5Sl&@w`>r^joGfk3 z_1;2!3KsHQ!J@*Z#$+m=DMC*d;UDtlWmD=7P(Br>RE&`z8m2wJK;6STRi&F&-KcXj z^5n^GvdUGY+Z22!kLdxf0@Z;UPq5nc{C_p*SpQ8+a^OnTd>mG@3Ze(}BO;xuRA%V- z5RT=I*e~u1VoAy|+p}-q0M5!(fjTKD#L93-z^>M&*_VGTfKn>`CxQH-r&R)w3)P0w zR*p$$+Cu>n@NOV4OxKByj;2L?#(~r)p_A)-sN_yY%ZyPe%*IWw3jcxRLwVb{$}x+$ zZlN$eL6-i3ipBL#5yAP}hZ-1>A30(Pekgfmk(HfYeNMdyJOP^J)Ne2kk5Ejvc54>& zPS~bMzF{;d2evjm4gQI9Aa?4M8LZmKTiJkt0`b52RK!A>v-bB6omX1lMsb9=3EX1B$#3)pCr5Apsi7>C})26A) z)B|fksJ4t&)hRyn62nR@M4gCb&(?aa&h_lm2h*CR9)Nt~&o8z%R4F|}>&3{CCRco% z?X>Ufv-uAqmUsz&0l5|lU+q)-UybiGR)niX=_;aI!9W*CS-yuWM@$S~Al2lJ2=j8? 
zXb!Ma3v@Ux9Ky=>jpkEcx+Wn*Wrj_iCPkh;rxOzPMV>XnGf;kA-m%aB_?XI*;&}yl>kw6R}#x(tlQ>E^V0H;2yb4!5=%o0U*K|u;?%^WMbilek?hQl!+ixt zvuO9m9=@EO9)vH6b^=`vUw=I0?ZAE(=ltiJrI(iiZ zhR8rtMiy_-65X2cZiVB*;wT9|6F{6yO;0S7_8+Jh&vfkSg9t&MzP`g5k(-)^ijbJc zp`wrk!1yO4JgnZA>EQ}Qi^$Q#=|wytThb|GZhmq<@s_u(mueF+@{lxeGGV8fqHYh7 z7%5WZe)#_|8ILNct)cFxLR`Q&YG?sIT_rnu@hkhQYiNk>n}2HBw{O7Ak&Sf1yK#O+ z>?sEp1s}TQEOQqeK5oWLJX&%>;lGwTfd1e|3EIQFd-tZ`1eb7nDQC9Hdr*G-u|nj- zMH&%nG`G`@a+-zVJ(CgYN&-g=8+LPNfBo`> zQI``Wi3~ zj(Q6_N!EiAYs#71&aRb~{l_C;8)?1?brgBR*hwFYA}r4#MT_T8N=i)I ziR`|!;C0J+XM!XQSjff5z~#IjAjAFS@@pI0nPcV?@IGDF=x1$>+{7+|7`B-f1BVwRBng zX;d>*5hPL)00A;~bK}*s)0xA`YIUM7g3A%LA1!LFEVDYPM~jq9=z=)Py`AQbj0t!4qPZXLm^fSy)^IZ z(fA37X?;cg=U|vbRaDnz6?{e!7|7HZ8L!Xd;t49IroCy&SHmC)kL=&$7#dUZT5Uxx z)kq8*)kH5)tH6S%+F+>i*?9QXVPa>~zCERE+_H`4nu_E;ih`b4sxTJ7Gok3+J8eoH zLAO#;h&sAguuu9!0L546NLoJVN3g-DFZ{=;2dfkp7t_^$+m9z_VPVeUH1Y4gWf>RueJu$8L9z(TNE1c?!SkGUD1({a7DXCMAo71 zy5a9Gv*6LgDl8ISpZ_?anlkVR473+LTWx@4aw2=;z>erwd#sO8_@{|V1|-F%M-QM( zRrdXQFvQ@kIs^u$mG&|pL>(qQyf}5RBTE9kt#_hx5am1K*@=G}y*>#7-0!vCeZ{hx z%3qrSzx{0wmV;#~1-q%WwGK#H?7yRTe69RCm4bY107aJc-V;y1+WieIh$BAl%zO6v zc~7ocVW4tkSK)&k_es@N4@U)1-67Kl{GGV3dUj%U!G!<5Lieouqpt=moOr(a?ePn5 zYxf0Cn`TN>gY0QJrEnuZ4a?o5V`BAwLVH*CbA_j&?UE828m%n#K=+vyr{bQ3Z3T4PJP$T)YA_d?OAg+PoWm zzr8t06S_{09C(iimfTl0)`^<@8~YRK`>7tqR}B2H-~nc<6e90ZF5S}`)@Nm2-UxQu z`D;h(6vT@28Ba~*hu&59K#~Xuw57M|Uv24zs%6t}&+lx$ZnF#|n^Tl^uIvKdCJV(J ziUt9#XtP6Gq0E4rKE)7MUtjpgt-x`kIl6v`x?GYT6h(Uv90+w)Xm=n)anEH9+dZ|S zAX)eX@I+Zjm$uavxZzimu5&;6=e@_s9@;sD$60Q`hmp(+V0MPeOOR=nlg&*^B!%x1 zMM}rc4T_R6nu|i^%uuEFhC9ul4b;21>V38tHvr;#PMhY)EjHazi>9e6t~B|r*An&g z1^v|?{TctHrIA*CU7Zab3zP#zLw=DC6u;(m{4_CqAW7gaNi@FM+k}M}3?o2T+u7C6 zvyqw%&`7Oq>q$* z=f-P&rZ6#CjKb0n4k-vMxj;=pP=UEerIlhvCxb)Gjr+ z@y?Hdd#c^jLMP?c&x?{hd%k=CfY3dJDOk&l>h*B(ney_@n@ci*gj=3jP%s&1f%c$- z_v@#a)j|Z?0Q>a?aRCp%qibqY17lv6%L$tkzEC<1SzPbhL>fFY`D?5H4kbNFn)f2$ zZJB|-=9o`qM#ox+H)H3d$Jh4_vDjfSYxd1zl39Ky=20P%s%xkWA 
z`OV-uXq;~MwQjor$2s@ssQV`UyU=OTaucn%SD$9r2{NfJ4`r-V^EI|6T;#A^*)!LqE+{!HdF*GI za_!omlqvJ)pQKFrfDT+%z(7}8vd{Rwn#)E>zf?}>pH>sQYe&S6^9RxE9zCjsHi_U= zG6CrcSgo^fVT!O`ZL%$RhI>1H6Qfa01nDA@}#K&X9!q(H9E z1V(nu&R9YY;?x!hK5BC9v8WSeYn$0=cAcso)p{1LJ!7BsEc7bNne#3CkFDiu?NXcf zx9{~KZxSdS==Gn3HKr0F;_Y=2xu7hXkybmcx*|bEVUNqBSe!!s6PGuILO@^puUCiR z6WB$eU^rWTbZ$TcpwdwljR*`7{LUjbglCk|JnhQ>Vwo_H#C4I7E=nYO{D#GoSO->7 zMn?bh)s?TeZA)HoErS>)I$4ZCpG+#OY{r0HoFJ+y^V70enY0Fp=hWrPjS|wT?RZtz zph=$}FKdMTt_{_#$Qyr3Yp@;6*qT=LJGe3l^eIxr*X!&9Y2^I9!LUZ%R^cOyr+CAL z4Z|V_OwT9f38XH)H8-CAEV%d|g@11ZQp}&9o=|9;quFKlBbKQQiWt$`3aJuw&k>ef zT%4nnj^{EihXJMqU7Xc=d30LHfSf9=>X$XDi&s0$wQ-tj^Zk3-j+#fyc4SxvM+bg6 zast(Wr|<+9m$wqlb5-@{G+ClNW%>I7jFyVOzKG417a@;_$2=-N0B&$1pb0s9ny+tT z_b(Tl=h7XQ!LpMbh)_D20f*C13iA}~M!{OedK8&VHKo&#HJPI3oQ9GJKv?$qh#cwP zgcVH{Mch2p^u#>*S5~bO!a5Tl5gEnCnoL>pys4~dW2RF0{oSGw@MlfFmktzlHp#pp zpq8x9B8acvvBQv3N1OIUB&2CD(aI|l0*wV1g;CJyeW4iS^u(Aw`~RWpJ>YWg-~Ruz zMKT&T6%yGqBr2mqM#d#%CEI0{tV#nBQDkJK$hrv0UM(v-i3=C0gt8hc?fO5Dv+Mf) z{`dXxxF7fR`%&ll`Mlr9c)ec7>tOSslW7Z4Ofsk9A80+N7-B=3byN+su?@zMCvV)i z{cy|czR6ZNC}CJUd%=R?XnNFYCq|xSfLgM?*y}*i_2p^>ejh2v}-dd1x^n9l}f5TKqMy3Z=R}|p-ay`?foU9ifuC0*HP;`fk znURQP!b!pM)Du+}0Q^7mZI9}T|H7wF#maX6;t@v4@fMZek!7`RcaYQlk%9fQ2Z8r+UhvrnG;$64PYclATx-hylP67N9vMppI9DVJ z0_)9LEkV#UsH5uMgg>+FXN`A{cS{+s=rzjfZ1vlBiq^YSz9cQawbm-6q`Lmv=bf?# zbQ_vBO|#&WW=;sg8U7?V#be7EOYA;+;ezWwma^4~^C#cw_i4ifWvVE!s_xC$ zfsUbJAgZmSxT4C@`7erqvF=(J9_DrMB@1J@FDBHPz}32i^8) z{<&pcEG>K~95-22ezjlo{p{5fIrwG`Vzd`bY!gKb#jrD)-RvJfHX4s8VaPDwyE?b} z9%9NMiFC!4rBYP9?eASx@p8Nh#LoXpiU-~3$l5U4UgOigJKOBjVHkYjYN}?jnpM;) zvu7WLQmV}(My~3@v=8{tBWbVb&p{C&{BrjOtfZN#T28WzD79<9p;wM~!r|rRs#Ma&aV#$3Dd`s++wkEC1 zSs{+U670lupd>%YdmHZ4QeMM-$&>A2YPwNovL$uO_+SQb1RO~G_o%o)!COGI#m%P1 z{8NfVCZnZ=xoWWr`cZ6axrraePJ{$8Z+9h>i;P}JJKxii*~hesFa3J<>a`xaPiB#Y zwIqs(g(2SPjL;%lpvoGEX$JF-`}4D~`1GH5j zf@t(EZfgTNx!zX+!f&4QYd`af!LL2dd+dMOBVk}=?tmrbKh|A+x9VWxev1vQ>rU66 z5YV8uEqpoeuP>aG z*Qak^XIED}&}rhUHR&2*LQkMF$S-lZCT_{#BA^2HsGA_+F!EJX(9iVf(Zh$12qqut 
z)oj25bl*Us2h5)#pZZr2jXf3>EI^TCDrNAjd|6cbJ06h=@?qFPY7{YR zLk%>mM>8t_1HI{_k-&BKmu1GVx69p#y#kOU1CvWxIxkJG=hdL3VMSnA$WpPs7d4O(ZT&hTEF< z9jG>oAZ5@^#dIZ&%oa&PB>e5y-dM-}?POt&`_O74x@#A`W(#T~+ddGc zL^`U7bdX%|)y4wpe^~xwb!&tNyWhT5tL4}ENx$viDiTk56wJReI_`G0*VWWjy?g?? zH_GwdvHkZG%YibeqmTa}lLxjn3w;=nxxNjwaS?zm{0dkw;$+pM$!0&jNSET>U0l4P zQ{z+z?j5xtv$^J(iFUzaG|~B(Ydug!$~VSAQ}&h!9Ui)Eu^*{U5O`R%_rEIFoue6* zF+{Yl9*2)Fd9bRqtjrnqSkxU)pI(03ZW_v&J=0`+(goE@v%+1O`%Dj$8Kxh;7-iP<$d7BB#@hGV~5_^0{v$2@)7C#vTQ>_`YVh;x zTdykLMGbk@PmhC{N+=Q64@bv;Ub-p5^xNDRK!Nq}$-qz#VPqx2{pWN%TEQN!38c5w`$PZtcsF3 z>-d|)M~)mystH*KAQn7hNit;VwKlC%n-c43dY+Wsa|YFFN>PvF(=kb>0pL551DR=Y->>-J$ne^t-z7-HOe|*`w!;YB74pLq$PaOO=7< zkIob%yibt5IWU}%gh+L;BK_r?W_)hS#ae`YWct>uhd^fCrQu%A-r^bj7p&}N8Zfw3 zQM^DVH6lWsV0GI^*^UD4lQk#3 zo@z4K@f|FPh>C^9wms_dEXe-vJ?x<&Tglk`l`Bfpd~K5Rb_HCf!s+rj3lZ3g#&$*Q zq^ga&GaDD4Qw0OrS=+xz9(c96DEO#ug%NU&u2w>|0h?d zeEae>n}_Ie;AD0n4q+$^@|+vtc&w_@3C#3!8AXD^a!RH_$tUY%rj+v^v<-qz*Wfu0 zbQxN_1XYx?lAs(Wwd&DW!a@m*S)-^9JLIYaCkp)bV7AlK-MI5Kq5$mQ-r~J z{IN)-d|l<`;xf^|;bDS&8)SKY{==!is|2YP^@PK^F<|Kj5<~BoMNclCJuRrxs@Zg% z`sus2C@gBJ8Skp|Dl_wqPF!<^PREd=*DG5n4u5m*xYxY1ieiSAhIyfTy=L1rw{7)} z4CuVO{v;mMk$zqmR-JP_(<-5H+y>Xe51AjOZ^ECg8OM?wDQO#tI$AMmi*!`i*t22! 
zDO)r6l!;^wM*B3xIRo#;8kt4Lr5nK02x}YhucTBZxieg$T%-)v2kfBUuU|hA=H6VL zdtYo%fQ`fn8e=d-L&V2J4k_IKnVF4s<=iCtw4(t5)zW#%zDmXw3+~9;`dgQD5s3&kplBVu?G1G%W-Bzr?6uBAA9I7ZX(@2E(G75y!R+LhB>FxP{x)g^~xyVYoduG%n zuil4lqy#+Us()bS-%&Gz1nKGR^&aLQ9h%Fxm#51Av7*rdNcbx<@?d`S7ugvAa2~qt zVb!BavFn-Em|AHzr<%d3SuAm$Fk$wqOi@aryW`)87O1MS{H*)H15-HzvhbD$0~Z3e zvI;rs+CkQDe^NBsG*10htN7dZH{^Z&W_|Uc&$wN6<|)=~==a>pG%x7T)A)^Vw|x(9 z-gE(Da<8`^8CR#rL7f@D%`2vbw&~YgQBYZ_gTOr>$CslNEmYnxw=&fP=TcRXWi=a+ z`|7}X6y;DkC>-hd?oxltoF7Ct;LoVa7sJmwsFlnyUC2Zj1uGX=2468w!;~qLiCmde z;**QZFqAi<0BJyxo}xzyTlE8Da{^)JpEJu_aM^OoLq<_TnZ{+i-8gkz6^x0hB{|L8 zd-M+Lz}rqe2BENKFfjC(jRR^*l6-6PTDnuDHf4%98b?Js#r5d0gaYP1%EC;+l{OnU zH2}-`68PlU<|m6c&M|dFWp=AuzI(LWsYL#L#KXmG z(f!1p3rufMY(KO((b05akn<1Q?v3u(d9Zy~ajLq)^TOVv^yG|P&_~uKx!fvzF_J<@ zcJEMycpd6)yz=g?67>>~F$bLX}(H+O`1IG94yLWy1VW0X9b zfmXfm1^WL;kx$sX`4-L^?{^X`><-3tpjD5YKfgn05mgr!tL{`AfBjm#{gHh)&h|Ul zv-RrRH}<%s{J#0(kGfMvS~%ReG3K4uN@r(>#6HSM74zLvj{3<|FPgU#VmefrmXhPa zZnKkBseA|^@P);3z=|nL!_8MN`gXc1yz<9<#qz|@jbZ0=59}h(>IWH*5GYVqXyCOf z?)Q-C!V{Ys9RyYB+vjY+14p`7Dgje%xTm&gAgIqTmg%XR_Ct^+kQI9XiOjD1VK5SE zK<3kli5c!G6U||oGnX1ZpV49em9*y%dequ(JFQvEgWvr*Th@IeA;15fAaHPK0$oRc zhQ|3q9ru{9@72MtMg*&4bIsT~-#(`mG;kma6q%|)NrMW> zcJ12hK<<562Qg=f5I$n9la|)qtiJBk`zUGzzr9smRnD;do@}#1A1PiLDFhcmkVw(Q_KY*ig z?XGQ09EePUQm&=S86cu`HioUgc(EWJ%$U8Ejb9OY znE_VBllmx%n_W+xbE$t5PCiL$Tk55X14E9)lWtuy@7J#({SI@8o$Sh6bHFVuY!dga zCgQ-4oml$#vul8N*y#2tFaM~m08otHVyl2HQ^XUzPb?|U&-cYk#&`r~0mJO=lU^1# zJ32+Yw@rM+9Ok{jhF6Gn+W@aZJxY`hHgxE^K$8#o4#)QUWx4HCY)Ts7%x_g(7 zl%;__Y|Z?Kkl-(Vg|a(t6SZfTY1ecF7h1Nqf{~{@h@3iBgO2O$Hj{q^4;Q#aAtYMGw@Gm~GF=Fwb!js} zwO0P~TTIYsBE(-cKMMY$gzV({Zc|*YSMkk~$1|%``J0l2Wy=@>XS^2xaTb+oKOcjJ zM3e(cp||@WumKr<0*ru_TC%rgJ0qhExtGfSQOf$kK17UH6W9Cy+M8`i&)>yzljpg; z29)A=ncvCV6XmJF!!7|=_d9p4Td0+{mqU@)?~CE7`Iej?!R8g`fzFs&%>cA(Cw_~{ zwSM>e#rpCLrWm|791(2#^U=x+h9j-4_ShY_`JTFETDM_v-wpK5d_ZO8$*uXkXHrht zz?%o@&j`(F`Bg;Qj~lcteQ4PQ)5hKrb>7FzuV)NJzYw*zmhcq-gSUumkVa~dQxfel z8WD(c^PkpjjV_q{C+{@6aF{SSb+1fp 
zSJN1aOnetka4|n%OCl9hNBk#(sdb}#hvdpx=u&A&b zlHq-^gTdiPb42ioZ{FWvKR_GqF7qy*Dr87)s}dD*r2HeRs{Ej_W(kH2MdwwO=VoHYx8J=2 zBt8$Xd*vr3@aJW=s&2+7gKjQK(DqvX?mc`1v~)ZMg!-|%PLy;QQzeRpmZ>Q+s;9va zEh5=eP)x_n?O2}x*!BOtjvga|^H@wK6ikcl^A?%=TuyA=@NLVBZx{DA(PjT2Lsas{ zVI0zjS(WL=mc5EXouMWMq`t7~o@}H_WV2U2)VjPo@Z2#LUNpcGPe1|@m?^neindVm zS!e&~q;#<>c+y)YLO!g?tY48m%<91DjPKv2ZxnZ*qSrGM@Kaf+$L) zy~s9{n?L8|ycK?R`*)LpB)kxI4!wb~#Y;CI1kVdD|FdwCPQ(5YUtVol@a)Qu1DVA} zkzTc~C3wzlF}b27|*(W1&<2a#x}!=>?$6+U7ede*`Ioe3ITSPEpX z@mQsnzV&qcae!pO(rts;ADR~w+Ei6nCC9A3bPQs1;>6SySEU>G(#!+@f^3id>}Bn2(AWbhU{OcMcBh8>yWhyW0tg#L0) zen(5n3yT`r*^0|w+9^}kKJxW!JXcWO4`#xff2LpcXpqs=)udEuM`xD*^ZLXRZ=AW< zq!1KSEyMb+z8v~ex2m(R@!i-KzA6v9+>hRwr+UAc%6*?hW>dRvnP772*no-Czy6VW zZpHjBgMbBAx zxaNrA2dwlXKfZCfrLbzV&MNDebKCq|Gdp}xxQ7?7jV+%p5=x3;?4-m_CFkH`?07Jw zQYgqz_zP(3%U+#=f&%i8_P{Si?&xIv@7}e>uy~+prdZ(~g;Knr)s{%8yvt5{m&IRO2UI0%1xa?*Tg51b*>vT-!WgVP>?A((?B$WMd0Weh zcE6~Y@wl!HP+RjmG2Ejd-yBOXXe?$Sz>*f9hcyRjuz-{lt#9(U?2b!V*4wUKJF(wE z6e4D2i&XVPAfK))$z`6>aB9{=_YD}VPjHnK)lXaS2R(y zMJ)NLZ|aKAt>^ctX$U;-wW>^Rg@sjJ?djV^Mt|>~jq-=FMrjRZ#cgFxk{1# zhfj|=z4kAsWr;5>B}~sw3bT+%?1RJt4MzM|H?NFx?RxcCfi(**Pcfz|i=`Rh5sILM&#t1Tr`nORwn>v-ue%wHnHDuJ zMRyMii~8gU)P@q-0|Ej_Qk&oXw1rs1L=Yo9e{c{~5<{3uWkinOPPW{D#WE!CJ?Ftp zfeQJ|VYvFP{?Yv8Ruj&5?%MTU6qd~=y{dE9<$6$lWruhfG6aDyNu^)Yl{R?K$`Baf z#)VejF?zhi!;Z^y@jk6pa!~DYSf*u&{h(h#)k$r`gK3ND8zH4N+7Eg^pp}K8HeRBB zR76UxK3r4JK7IVeIlW1M1{(O{R~{r1>{4onJZ4!IWPz9`iIM>^M||ol1sWR>ky2UF z_CsMHr_cyb+Dy$o1d8K(5zvoX&1mCh?2nMCE=`M#Iel{C`|>y7HDTW>(fNoW{d-Kz ziR{(4vuv0q<$#^n@>@R?CX-(H-+^wI%Z)h?_g>LqM83o_fvCq$vYvhW)`|;XH{C6c zqXxq%5Io8P>I5I$SumVtVund_*h@c1N3bQbnODY}al9!Oi;isflZnFvd? 
zw;3$UIaRX$KP|wYf2#Q$jyW9j;>W51CaPU}*6|q@b3;d^XI2(BLM^4YrMKnpq9Tju z(_SYh=RbG9x-88ryQkqi`v1HvkF0N5)%7ZJDm>rJ&iD(?k$4!y4ukYd%)5aaCVX}K z2*MTmWsvoyt2XDUS(yaLJ~1gO{RpQ>o&exRDYD#`N>@(EbBqvpO;bMfP3q)l7iW4R&Ud=4>qG4 zxmHxAO<%cNv0pd-^~Z|mwx!A0yVKK_1mDyyseBWm9=j`j=tlLDgB?5Gn7+D|-EOxE1-a_GP=x?<{_SGl z5h}P^_*ts*$nstgC77XO^{%XNFhlJp!t6vNN3W`+X@AvjT|3XCj@OUvG3A?zT&)Ir zrHAxw-C3_BZu~m`kPqu}yzPrJwC^9=SD;co;ez(fh}_tuR_#k?6{ytzoz&{jQY(GE z4GmTHZmGUl9a|o<2Ma6 z6I-1uQ7ESD^qOqbMQZoBlT zw9@OzvuDl>|3XSQYM3~-py&g#yAQ0)%ApI!eJDgS3Q9>K*NlsXY`^F1d(Sz67K-bt zdD)SbW3nz1saX6m1!PFnq`N(a^MIazT5h%+qZi3c`1EUys$FtnlV!xj$GM5?R{v1* z4^;FWR+$rVSUrBy$BL5U^@j&pA4Y*+UcBA4)j9Kae~tg(-6nc+M)mZzKGnVNbucDV z(Yyr&>bmFj`R4iMeR4;g1*!_4kAK~qpmt18{eU7T`B7zw&Y*i)&ytE<2Q|*voV=m@ zdqH64j-7xy;E}QwP^QN-pEndo2Jy8=QTYDqm-YVs4*i5m8#ngFS2wzlk$a{*+_cr5Cr|2OQcEsbFHOlYpBRtg+gSw~?KOxn&a-9>cALi6-9dh8w68&4+4m@h zio1MG8e%>8UiDk6;pfxU$}IGb4XesopI%gYQ`_F7a$j*}j?t%3?Q5B_@fkb!>N}Vb6LVYt8`bZ>u2$=2b-1K(^w6-IN%^Ji7EDoWwOV2L zVQTZ|8LFpedlj$xZse5j<=9fMfx2c-_OMCwl$)D~QWoi5qVXQPafnM$woBpc+f|DTrI(Rt+GnwU%~ z6rkTDCkBh0pFejl#WFemb}4IX7(@uBmSG?{y zsEx+FnBuN|y&nt?Po-ym0tLIgZQFR#~pIQ4$WmWv_Cfa#c-tLCa)~Zy`A9Jmhy-KyE zT9=ZXF^#U}&MCCY+dLmJzKohm)h$~ucr!t)s&VEC$vmZM(smp%k-sH#`zRJ<{_%U! zM_EU7;^fJE)-;OgA(TG43UosHUNFYy~)=odHVP=!cf|Nq`4u1ixpc)iMw~;g6&AT|u z-Ms}}lBJ)ef7jS7(~nz`}urD(Ba>INtS_F?SAJ!F5ugLPQGKmEg6IW(Mo`5R!H_$<1osOUY5q938T+iAH z6mdSFNph&5+GHjArYO(PohiBK0*2xXhyF~t#Q|oZs}>UBVAQPG}%_p>C?yJDDtn__Yx4!GnvJRSt16)S+MJnd>7L_8%y z)g{{3rgghj^!L=|=7&o7^jYQI4s4Yfq?wi9CMErmSy`Nxm{09+{k1u7h~^uu^4b%# zyN1v{fJ@S*cQ23r;E@|MY(`1J$rEbc`2};6T*4zywkZvX^ZGP_HftdUgKS`sM)Ho|UJ{F_C$Er1#Gx0zT?cP{jf zzk~j6P0S3ssdX7EXzm2(n|#(Gbl}=wrve*7y5X)u)qHZhoxKw>C^7s;>*7*bwo+y? 
z7wq?27HPzRHsI3Yg2cv@xdX_hGJ}Bvt4Y(QAwSJBmM&VPMROtUt;}cg(D);!0YQlk z_cfyS(!Bbvt9dstgXe!PUX00}Eq91XRWPvX2X)U{4}O~Ky}ZvL9jT6?ZADxtECX$e z?@iA=cI}My>d4-ZpJ`R~S4XGj0n-!TW<`)L6te^rJOy+tOTd z$*>X;pGfu8b7V%dtB9@NG@5-JOoJ`)4C|Il&@8!**F%+ zpg%QtRYt2S71o}WAm0z-ZhhqYt$|FWwcF(9ry)Bm0er5p-3=w@M$f>I4Rp6F53>B+qj=WY}UP-s;RhAO|QRX4&cQw*; z?kxgsrJFy@NT|T!LXip{6rVamU;Iw^SV(ni;Y_D(S)$;|yg5HhjaN*g;8IcIa;rS& zrox8|Sph}9+1e-}xAH@7n;N*uySmsrh;6Pi>I!02^3UtoS^@V|HzepxE=^&)K+YL0 zF%u)Vk#U}1`P~5{V-Jw2qH&X*4)9Fixb_=Q9UV|qu&eW2KMyMQ#ogkR(6eNCk zVD#YTnBU!;;IzhRbv~SnNN;rTz7mH^o8+9m<^ny~xecF_|txTw>7)THk zLl2Zo(iv4R{K=%;aO2?3GvW^(IH2{uYx&23?pRsFxeF!=yowXqZH&q)ysQQqYV+eT za8@Ch!CcW!4mZ|A;mX-?Ub?ga@X?0cl%z~#$@w5nM`L0Pyh}s8w}@$-Z1du`)7Y*~ z%eAD40!8xPBpck?B#)hQ_1#;|^BaxhAA#gtZxO%fGNrc)*&EQOUTDbpQ>J;Lv|}Ze zUW7aDe_C-BeK5Dl{qVWh-(@F>40Kaq;enDV5G@x1*Ej;k^VhFyUwvm_7RN22L*(PD zj@IOq^5m7U@tt`WH3IV)-bp8z2IT`gYSIpt?6N9tC>X@*oc9UDPqpthXvG4mf2UQo zT|J1|w6n&W@Ayhdj~~77S4FK28L^f3tP`H) z7N`bvuIy93X0?7?*|*3%_ZTKed+{~%e!p8LzudR(R)jevLZLBME8hTan*^rtVc!tM zcgESPA8rf&(Q+k>D?z9VqOu7^tLPoE!sE7VA`HxSanYrWL`Eem17-F@BvQE0jh&5z zgum{cSKHg??b|8*$XVE=(KYNCZd}4}QUi7`@T;V0kDOWA2`ZYQSa$wNd;uieaeX=Z zsYF|!cAtvNCskDxT6}oT$?2v{x?DUe!#jj!8GD+=5V&|pDP+y{WMEASuUVHJb3LjV zQ2fZ^Nc<&wfJ0S2pM7TP)doO~g0;#bb^(GLY*rHzLFOEwVHJarY|3m=mu}sFj6TL< zXKElk>8$9QW&-*=OwO12P zFoa9|n>YL5@->UwzbNsv6kQaDRvZVCwSp;iEM`0gzEAGOieD)mh5hVWUUxi1Q38U1 zJeDuIPYD`o-@bS6hCrg!m?**aaSKOj;Rn*xAjsdpL$=5l8J?l{Lq{v9Y1?r+*p3fH zi=*El@q(cViV8~8px6}8sf{aURyWA`;BiZ}iN%hJd)_KdzO*X6w2b|kLZEbM^7zpw zBfjFtNpWSbdcTsUfg}SIUE!C+%NYz%$J+|~I{9%ss)b(ryFBj^6RNBZf?Ps|B`}kr zzN6z_i^tQw(qFg?53KsQGwH?mB1EfqP{KKMXsS%4A8Ok^0H&7mg)@EUYs$&+QZph6 z=Gq`zYrZ(TS<$Zo>>x>$l6$d!J0q>3B7(vufw*(_>=K(CyPo?;@%V=kzy}=J@PNoq z!7ZlTh!o;4`G`jVr=~|oCmDtMgAV<$jJc3?B8Z7mv1Lk!56;QfK%2tPj!{E;y{|po z;hb*z;{%EXMHk-vR8F3@b-UKIb?HqjjZd9lYNi*fT}LMs(mZ41J8}sk17;Ym7$qLux6g-sh7hHt%KF`}7WutebPxCxu32Ya zqdZ~sKD*9hXo0yW+oL-Tep*{M`uo<5?h;i5XTq14RXw#fw8t=U+^K;d?T9X&0G>m9C(5Gpy4R`3>#NUta`(b+9!GlksgdyF@lCF?-8YUDY 
zO2lL5a>^&V5@HE&Lo^@yj zA25vDRUZ-$;7}Hba{TCq!Bus;4!D`xfICADsj?h&X&VkD%vs3{jfWV&Kb& zSo2HY$5J7Eu6bUR?ntUzFf$$NIkskd*df+EWZABrL%7_r=;-)qKt z+fjAXFV!Yl_M><*W7DUU|MQa!S#?`0r29;9WLq#L^`MVl%a)IA6%ljwaEXwj66;;D zDA9NK$Bsf&=(LQR8yL_&USmewx{R(J~vmJKut7i+?WYRRfotvJv#cV?hK@4wh&lxRBZ%x6t?Fb&nh2I0P#ZN zOy9nHt%@6V-NgsOcs`vb7`eevU@pn$#3y>yFIzkC<&-1sb#^fV$ZywrTa@KyKCACR zMgpJO`sh%|IYHm#f3)FCw?98b(na5cU3+w7JY`Fu9W2xj!TT*Oz0yuA&RH8p2*8Ax zt+RQpal<>oIl#w@LlIP#EMpY6O&SfBSJ{awMyr>STAxL~LQO>d-0@RM%{={(z|oH% zJ4eSmM+?hJ9^P2fld%Jf<$kKlo($a3I#HV7CRBFHbsw~5V5V)9XIaHCXc#iEh;~@S zMSRAHJP>ygMpZVY_^ltykHN7(XdftIru4b|N-rwojWE>giXxzFoGaWb5uBL*bb4@` z#q;LXqT*%d$CelDG(Nr{$x1uwbxUOd?axC`c45SP?|XuSYNV- zI3CgmFr6vyoL7;BeJ+5`z6s%!R6A=<1WIWp(*TP{P2NO-L$yKCeB|cMsgoNx_UB8Y zo3w_tMMFXEgu8*2_mw52b9#Xo0<>-oWU%wn9D*nHWpr|M2lcMq zy19N+x444IQ@c~MfdcpJxomuS$f2k68XEXI>}2Bzozh^pdS%;~D3Fs&5ss<7Ollxc z^IzXg^kEC`5uat@11vMbefm(jfBfgpGHyES7W|ZCW@owslvN9{zRJ#|@ z5sljh^iCOfHkUf0>{-{bY97*t&STJWGX5gq>rok*x^(Few|ZKt{CBe!E!M->(Z#=9 z)Q7fQR0zVDI%pF5x60Wq97TxP{(pgXF{4V1(8+MUE{qY-P4c)751^B}y-oeP>ZSqZ z&B*bcUt&bI+``bJ38{oO1e=m@(R|^+NQodeX1qC(FDz)Ryj*Ahf-YG6{+cezEgb`m z_*7e2sU}gRNdPW#T6)YzNwT7n7f<7w31Iq)_>AT1?KPIGx1uC-NJ&YN5lQxL1hUym zR)B_do33XNFhl}BigEg2vnA^dJ9h25G!uU4+ z_wL?p4XFus6LC}rj8-O@#bii1e~+Ds171s5fNZ5~AgByp@p}K$d3QjdiL)G2Z4#6p z&xP7c;#y7NK#jB^F|&@TI=|vt>Qd!Z2pi7Vax#yPnW*BK93JMEmYc|Kqi7a8Dn?#a z3mY<$Y^6Y+v24V*)IZhfE$6n4525a1E8-oZhP0(|ctGfBG)Fl0pQ`Hh_r?Y+A>O@P z$}(hYElf=Ls122+?%937M%ewJ^_tY z`RE5|h5VYuA8z&UVUW%Wor<^qVF&JHh|G}cnfY{LEsa6+u|zQ|!~M+%e0xQ&lup2^ z(dW-ALLOi4a`P;Q4%KwXt)+j-bQn%3jkGlQPQWA%g(cnNDta-Zn@qhDk$8ObWA+?^ zcZ-D!gus}sI-`z^l|5WYBIKAe$!a7jhO^_9Y(irJhYyWux_kB$8Y_B1tnNkJYTn@N z5U)6^9&Db5#)Udou2T;QnGF(`$JpStH|J?HgJfvv;#HlUn0}0}qD}QES-{n`7djCh z1hJlYH6MY8#>Kb#t`iJ7R16OEw6J*Ean!7(bTNDch8{f9qaodq>mIIbF#=Jw#o=P^;o(N=N0p zaUI!L7cITYwE+%``ip-)f2zKni%R**?x3=}nV%gxRnsLQSGcyg$i};B%FJo&B424m zzS=6-4In2iNB{o)Y4W*Q2$Ud0!_$JA*DL*()36%&z1-7M^hI<;f1NwW3;+?GkM|?^ zrFWAv-LK%OYNk3}T_@Jl~}#{O+Ras**EBXhN8H@dMNaP+a)%yLa<{hnuvY 
zmQAbAgL}Lby9l1@;F$8HIlX2PHmOfOz3JoFx9`FFc*6pbi%b~1X=DS8Gk^wwAggUx z>D*sb>)8QdeE^JtpG3v{Zc(q+oeR?yt=%1o=Rd0vi3hM0KlP5 z;^FRSyjn6f~+se#FvJsf`8c3Bss-1>oDNXH2Ii~EJCy~*HV z&-=yZ*XPhFZL)q17pxL6tMSYFbsHU^H)T1m>UI^1a%K6em9B;RnN}_7Jt_MCUl(Fe zJ5`Uby4*}Z;%Juuyz6iMdem7~-ck)R?V^&iu0Gg`)!OuEpk5#ot5?&rI}1$D04M-H z|L7)lc54%ptmvFUCqM6EQcUnans3n}KkxFtj!oyl(A{)vGTkBF+7)9exteJ zFzIp|u4$9qc6aXs%SeZTP2g53ozY0XZ@i0JK{f>!#cq+^h-6c`?1Y6|{5wpWj^^!r zC&{C97Lp5R>#AHUzvu}e?PTL4d1i~lo0tIyNMdVOuh4l+`!Hz|qfxV>P*N~ru%_W4 zGxjam@Pe6GlWn46#ZJ=ipsq9;-Ma?}*2AOx^qMxvF`7YfHZj~-ky6Ze^zKHcvaFjz100yEfSTNKR`H4H=XG1J!S)t+t(||W zs7IbVC-NDP?@s1+Z^mOp4$S@jy*|N6|3Zp8mW~6JIsHQN0#n+B$a(fBAI`z{)tH=4 zeUGe6Rl&#S4}@HOG8h-0Kjf)REXM;6(AVFXl-1B6#NYq6Ps-Q3fKp;V!bg%Sh6h+v zY%?0D+dZaGkLfj>9I+>A{AtzAj8!+44T07=UySYe70B%T1NE+miiwh3P@*v>C%A>4 z|AU^AS51r+#RXeVU~H6$y=zO}Am#;BZ^X{YGyvjX%%SV6I(F=V{rhDimQhm1!+^6z z{flO(Rts@y=dVhO5TWxLUbRMq@^3GR7A9i$xP84_Y-eVF12fgh3+5c1voHGHPl{P* z0tWcBjzQbSqD|+8Gh2_}^Nwt@Sqmv^h2vlP;no(|L}g1p%ST2QE_ERXiIs}TVk3?Y z)TO7p?AX=3R&t1|ng0K3_bG=vVuQ-iW|Q{2IzDd(6VX|)cfY?d{}tgjXq=D>g7D+C zFx{<-){0^Wb(jbG3G%r{G;eSl>%}7gU zsnwO;?_NJf;}|sS(j*|egZ*9VWcoM&>G#RDk(&}T<)2gdswgBHFEEwC1ftNBc`Ka8 z`@CAzIFy;zA=|0nFs~*Bi255*HXo;N#Lga6JRIk{HAXT_pxF$IXnfn&Cw&k48NLyn ze)726;{o?re{*_DYBM|B7=#rCT!+Bgokm1lU{iBrrjdpz)bdeSZw>r)m()gW;lq1Y z`kxFf`~#?wicKBaCCO7-V%8=Th$xMHPsl7o@;GkxM*g;#6UlRAQ#YOoI32Y$Z{l}~ zSr=M29=_PNc*V_hGj>#=rYCnt%zi%f)0Z!xKcn5Yoj=ABNTe+pxaw?t_p=F66{#Jz z#)jlW>EmC%+^y{6=PA3kkE9De0L^ff&anU2k$5afpE@95f+5 zJ^irqva6D;^RP!f!k2)_qvA_s+?;&gVelFf&9k&SnL=uuEm{)gXO%thU>48~xW--T0+9W$X-9`fTfu7hvB=3?Q!cusWT&_Bb2e`>%C|Y3uN$=8(#YT|}B=4w<(zf7E;bp+oon*BZ?d zO(&WG5*&CmT`ySvU#Cys1`8*`7ZzU1zDAVTDsT+kB#p6b{DT6=_aia$#n!SPTYZp) z;oSH*dq!KxsV;zd*1T7W>SVF)u$%mro5}QBK6_o_zZY!{Y}gm3Cr{2Q5mPxtM*pTn zGA_CCAy1q*G2~;&A;zHSgrYqT-VWpv$HxzHIz0@#7cc~IMrZs8SiKi$Ci4Ny9l=w& zQaONOV8N%&RpVa+9gL!z5P}sUuwU|mPhmfFu3WpO8S>bVF9*0Y0Yrh4A!B!R<4dry zU>ht#a01BSb?X3&;jdt9Vv>my1&2bMDEu`QN-SXujS8))vK+Z!OmUBPs^0Z!&j$S6 
z;mr2HK(V#}YNJ4Rbn=rLghr<+eaoSnwC{6~iz$>_#ZFIr^Q-m2=XFcI1K-G zUidZylswMi;I=J)OxnR94FPan|KG4tUqgb;VGB~PJ>K2$mWPMIux?dUh!C69Pa7l;xbOeTUz7AXiB=u)2ET3 zGm=>n(f_Q!M`u+5Bv1J6H@r)*l&rzkskz(oPSf+(h%XwU^ESP(Soolt6$6{B0&#+} zc59`~=fQ+}5UC~xvmZhL)O5TY)9f~j`-&TZSaTd7-+W&q`2kz3^%iJSWz+REm3zJZ z31pZgQm_b_1_DC_y}`z0Na*9ww`Dw+C@m9o+qPj0_Bb9XeEascZuL}Uy%ec!^PM)F zNa+VEUJr+Kx(KZj6*CO76^vlFGetI3U`?KF; z<;o*4yEJ+K)*WE)ydD%76r;B?Nf9~GZx;)-MeN$dSt1rGfvPh*j*smCKxgo~=_mI3 z?nF~hrAHPWM442J*p4`$Abq%uQL?-KoO=fgkW^2XTP-*rL%-_9{yVWeLzROONV!L*>QMjAnxBS_BG%vh%nzPXmTyi9qpyk zncC(Wzb@lxzcg#)#{5P6Rl7!SK3j_h4cKA5-n#3e2$?#6$F5y!$HzacdR3BkWfRy6Ehj zf!amh58bw*Z|1IlI9_}<>9U8_S&Ivqih_w5%`v~+ zX3DDAME06ciymJ3QbnqsTO}U@U{qwr=*g39QifOu*`Ub3J88-m|LjvT%PV6OGU0i_ zBMy*b99H!*ukz7v1Pn#PhPVro=tWtJ7eBji;;j-Y)`RVI4WgzKp#_qALbotm$94ez zh~A0Vk0gcK<$P?*8K?eGPBZfCYAi_G8SQ$QSI!ig^u5UCX)IQ+zM4Hb=r|BDJUNOY z@fQPdP*&sa&V5Q$X{g_#euS0>B_&B@;gLq%H5&24Nj_bp(GXZgFd`(Rd(s%$nJ_h1*EL5wvh1^m9# zx+MZeNNZBNc26m~kIUtN+GJC9hc+YG(?rd=c=6&_ zqxo9$sEGw$gXb#)7ESfSzz94K^ewE<47|DQY#Z&pNNL6S4FL^spCRc{><= z8=&8S7xaBxX+e)!t`pX+@XS>p-*+CUZJ(a_v;?IGQ-HXMsI%AxNh^m)kZ2yzziFlJb`q&&H{%|WONKYTo+p@ zhd$@nNE~6pQir_DQS0hUKcHmcALo2XEH4PJ)(2^p-qi=l46p|HJN2y@%U~VWM z5Ovy7f+_RxIIFGCHfuCQnqd&$3{js-lV(;ZW3f8eX^KnzxZ7j!@vg-@su|kG%37r}y#8vmcx^~BZCE0A|^S(Mxii7pTwJzf58BGXO zT51#&Tx(Laru6i*Dnf@aENymZjPQhfLgK27{Bd^)_v_uWfXOZPbL@G%hzO6KKd-~| zi-170$7vGI2H_D#jdt}@=97h=j~_e6P?vI9!|wA&JBN=Y5V3PeX@}6z6{U1OQXe`l zfy^Q@H--v`L~uiZa69?vu+joZ9zS(umD6wpp5r3xoOVrd@M(MVXIo_n6=^83rJhC` zLNlE`?;J*1!U5=oY%O4+j38yKmgDRE%SmK6f4jJ^$bk`-K}`{wDZ=Hmi`=4f=M8DO z+5r#eAAvq?00MAr<@deW9cHydkwMx^q%%k_a<@sW(_hRm5fdplQ`tRui~Ttp-UE1W z@S0nnej?NMQXXadW1J>T>bAWtz zfLS4frn3H*Q_SwTHfDxMu70i(c$2Rug|?rGd;4x7b@@a20cIR818c(zcLTW#lFj<_ z8PBH<7FwPW14<*CVRia5Cd$1bb@)8~tY=_yOw_at>_An_eiQRI5&8&5`V?w!M8?kB zx_{pmRoRxnixE`7qGf?vKn%cv$?o~|$rHLn9T-sxdXXA}#);P4OmdEH4W?=hRblxMz z={k<(hxy*(RVoC!S(~}o4hY1-QJ=I0kZ3q7PdJx+z$>DjLl>iCF!$c|)TJWKp)4|?1o7~)lA{wLu>To#~JC%3)S@-)RyH0J9a2yW@y9nNTiQm 
z&={G;Aj(3N6Wwo|9gomWyjEc7r4~x8Q4BGlL%ovb?QMr_s~;+ z$p3@P`JzFTvH=4g*lT4rOBC?{(;pw9yM@Zn)RakDKoTYPF~mA)ftQyd-$Y;}G?S!K zSs{lCSoT|(n4nHpB|~_&*~OTWFrQF%@XYYL&;m~e_DTa)aUTH5l1)f#s$KVpII~8&_?uK!U4bpp+DBS66FGAwnoWsS}-7f zMRf7=pM~lg*fisT@h+sIDWAV($O8lx90O{^4JZpCI>eet_Ga}VsL<_ws5TqM@akpM0wj~gMl!Htpv> zQ0b%0$$Dcn=KY@7QQBC77ipB3mPy_mL9B5_iZzC&UIph>n2|#Yj zqQ_BJc}%(=Px&gX1M<=2aT_PF5VX@Cz*#m<`tRMJly#@D&{Xzyas5RXNfpJ928H0- zBc%650VrVt6r!*{kA&dIJrYqW4}I3vcK}Zl=b(HfWbwf%+U7P)@5C}tRNK0sZxv>X?u%q0B6+r?u00a^kwNjS>=al*v8 z??DU~cA!*gtP(kjwgdbXkvVPYaMmPauPV|^n6R$qV}{Gx8s25SS{t%EM25knU;@S` z5w8If!Z4X!ifF9dCg^?)y=)u$L)dyH4=~J(X$TNJiNSJlhFY&jq#$PM%%!49qMnm& zCL|njPF3nz^$=sY4(z16(}|IAboTID91Q6av67{wuo-rA;_XG3(SxqvZX7uZs7Gc7 zxfELh^l`Wd_sny*$5JzdU@hl=?i`64UunejpDg;BL7`k|5tN-xU7vI(c zYN#2gMxL55@8Xs~n@9=-miqjtr?&2%uMLYB2ZJI}({} zT4B4AldJ1^x6p}Q+qP8`UVw25_`~?zVp8N4Ws02n7fk{`OV0lLrB}1f2Dc?T(6#H= zx3kvf?nqTZyaP_?*}L}!4u#Ymmo7CzK*Fb}TemKcRz}AB3!&=xU zT?(2x`dR;e{fGHJw@-aOKE?Ozyp|_cJ)U~y_2sEIhn0K(JQDMv=*Emm+vmAw56|jR z-*kkgj^5VctvB}Cn(Oxc&+ z+VG5ZoH|tw-Ey-hk+%N+&)$CcVEBG%KiM)%Q2UXaTM#g$>?XFA+!LL8wKA5QS!X>@ z)7@f?^$~848To6hvyL4P3o{gPZo-Dz5fjG$Bcqx9`qhS|CFO2?Hew;{yC{P6SZxs*Qe!f9&*Gdb!k?ATkn)RG9Km|T3jYooR9a+$Gw03$6}L4E0>-m6?)RgqNlg*XhfjkGXjDe^Y!iec~%D8}MBc>330d-37S1K|0iePrW;*M2?8kim50sh_w8KrK!`rSl` zGjrjhMS{oW@qGki>p$WY8Hjs4dHVFmhlW^p?AEN_ZRW;i&sJmgHNR7~5F3w>x(tN{ zAVo%zyKYdTO_rYS@pka<6#oo50Ez1x8ZvCUe89U^r#)zjU~Z8#wW=&gK1 zVVpWHJjvh>qg`uC@{VNh-i_IoKl+A&9>2E**n|UbYtit?q!5-q_x_wpG^$cdRvCIcogcYD%M82 z$w*Tc-pkA%M8*Z3MQD_iD)Hm+ZaDm4)Kw* zaO~w*OuJBGEkFw(Jr`rftu<}TP1;?iO<-D}cJ10^MNM_p2;fEk;0DUioP-n#+?cs; z-{L>2>mw5ZsN|q}YH_)&yEM6zkx{qGYD8m3OE*QEL;fXI<||0J2cWeG}3x^ z6X$5LBpY%>2k{x-4_-!RyRFU1alrtY;t~!_#Sh{(1_?s|>$5iaUB}K{y4(fC&j0qR z^NhJgThLATl6Pn!!^(>4Y%()ePySB}uxZnBx@sVWble?1>r>Qtsn>i1`YWSm^*+*K zMob8v0g6hqSenpE_t14~BNcij5dGuF+tK$?h6q`K8xBWF3R%+@pZ9dLwmymMEPjEh zxKGmT&j;RC!M{;){3c!wXVod$neD^&u7)|OFcY1C|{}UqyS{&&;02RgO^6xpGdmucvk9v5=x=_x<^IxZ&yHiVsbg* zx?M*DhGr+i$s^6Xg~U)-i~jSoJhXv0Iny?E3>v1DSv7Mm;`-Gra32xha_ 
zu5FI)1^QBYADVv!4#k4f@F&4(?DDR<glYjEXD(zTe$ zFfqFvNs#QY^7EH3&M1q?>zOTI*t5jo{Dlka7npW3_w&!LeJ|66w(Unwjx#Vi1qUYv zVao>N5h7(o!)&xuQ`Ofedzw+iv3Zvrso-S+1S~iI$nwx|`Z_6@L5@iEMD=j_uMUkq zc3gT=pnTa$fFrPXq5HtHKfz%3aq@Y-TsCTgZ5%8%a;YJEfzr}BghG0E@HLr|fYp{2 z2V4-FlgIRf5;xF?NpFebmCB&iUD)Gg%d~UT;x<2=gFjHy=gG+`Tw4aDXjTc@UhyNX z3)>R)VS}hwS-zs%U~|%sF~jW)AVP@pORpZxtshK*Dl2+RG=6jx89a$B%yL~P^LBF^ zVX+U&gW1)Z^518(Lw8f!2u#hJqFmadO!iYGwiwAZ<8TV=U}twaDoUQ1)nucH-Jc3d zo#-g9T-o&V=Mw9q<0O0&28qca^>_Kq%RN22nD6oLaEi~%(>H3Qg;#;-wHzY%oV1?X z1N4SaLqSb|REwTG%1tk$IQKP*a;E$_pSNfgLCAjm{JCY!h~`(9rm8AD3!e5{KXUv~ zTrB?u*`)gOUP|D$Y$$=dS11t%9ShG@nX8W-qXZ|c&RV;6iklY8iR<_cA#8DP-n@AO zRv{~jh&J$;ybK-`k-6k^E#2f+95~W8u;3to{LK7#DL0G;%OsSC$6A{~dZ$jG9x`D< zLx)L|cz>7Zu}Ran*5t20X}hj9LR-oL@{Rh2!IT+MV1^`jQ32T=%~)wj;djy}0EDRd zQcwb>J8JHx*5*5uGH+5-Kd1ge^AS>q2V;CAKve{4;+3-5_;>vwSao#~s zpN^JiOmT&NW%A6Ki4xohtGdS*{;Xd8M9GS3f&MUH$uaUpfT9MU}X;q`ArU=HPkFmJ>)1Ded|E~mw~H;$SacOOe;3I4jr4Wu}oi!8GnulIeN zceuSx=z0`*axDl~Tdaq;v0dYOzI%*}gHE6BhuCtUq1aCwkGPE%iMm9k!fUOMe}@Sh z?}%g>MpuRV59a*l-Mh@BEzQ4_lr*Ey>lPAVGE}qC7Hf%)SFa|953@{W2^95yiOtX2 z(jYPuftX>)ksaBg$5x@60`wiYCQm^SYO0J}dnI!1K7!_(H8}OoI`EacQb|*ja$5u& zCUOno%p+E!q;guZqT!LTnq)M#-2u5#pbbHV0q5x)y-$K|@A(AVi*I`nY{ib;(D2v7 zf9ieAUn9ggmG$=R^@$tFBbrCzk3`!hJf58$qCCD9ejijwFA*LrFZwo-r`F0La-!Rq z7mwIT1N_NEiaOiB*g}|$6R!2b0Of7V4zgclxhBtNSlh7RH3I{IWzi}*OW(mhmgQ8_ zZ_?7(?0JW2Tsk_$tK#4=B3J7@md zVL55rKelw}de6Bha3!yWMhjx{&Z5h%x}Ao?Me^VL?7YGr{~udt0+w_Bz5hx?mSoAA zl#t!n3q>L^qU@pU*-6jP(1uc3ifm&^ie#BImd276McFIsSc}k;P!a9*f1M}a?RWiu zm+SYvW`;b^=ktD_bD#U%=RU)!mv$UHc&Brag{%c*C|0U$D!b*RRDw%!erAi1;0wa| z5+3}L)p@qV+P7DQhtE>Nnj{mH1dD-OKb$=l3H?Uv5l!=(ckirtx_0(sjGGKHGZWb{ z@DT!uAtrJe&G&%7z((+;?OSjEda|$4n87qxVq;@bP|#@fOU-`MBDqx-=a)W$U{CO0 zlK>y(v27C(RS*%Wg|^t*m|oS(%14GJ%Og0z7WGSXsW<35=nKeJIZea=b;rF}AkUB?8N7LEyP2`pmAn87HZC z$R9ETKwYBBuQTdE1A@6nAykO2+gKczA@zB|x*@^#R4xP$iMlSszgbICiLie|=jrN? 
z_ZZ>+>Rw&0gkqC8>fc9OmBvPsskvvH8HnZUPgB@BoI;++&z5Q@vaxPN+k{LVxCJV3 zt~?i?ikVL;Y#M(vGzy%L`+;D8`@_J8j0{}}Ln0W&h1<|Etswy@#t^X50UuKD?IG~# z(dg))`h^CI5#UjQxqbh*N4fjhB#h;u7Q6T8QMe`10Ho+7y$YJ)eD@kGg( z#m`z3EAN}58woTMY<}w0Min+ctQ2Z;+jZ5o!qa?nZti08waSpv_Bm5jYuD8OzIgF0>6b1N8NPvz4!wtPoOJ<^b$uIKQ zX>;g!cfI;zbn4)6yI0D6JENUU7`G%fHm<7)DD*)oBpR^sq2}+G{;0(XLID6@(Kx`$ zD#v(_R5thTzkT;klg^H{wY93S?xUwV7Cx3?!_c-L9`d^p<>E*qT@I+aTIhlHMrO7C zO>WUpAtK4jW;T2o+gNfd=wi{8B;gSGXZ-n45-b1^P&ziKT-&-6-J_IwM zv2(V7#@lKtB1b${#QTo`4)y5k&lhe<(1vRk2wBZPfFUztqY%W8b-36 zh37VD<_Jw#q$SUEj4O%{d8V{eeiRpv%$ctVfTqA8^O8Kb0NHPkCgB3Dz?1+&Zc(P! zi5@sMVO{~y<`rL``-|{FUN_#Xg7Rwtx5kLNgxR5Y78~nrMHUA_7rGk4!FJ4gA{aZ~ z{2<>$f{QrNWM)4Q4I#HHsxPq`Al&Y&s%8K|OOOu9>C5Z5tx-`uRC%|kvno7%;NJ_a zv@)S`iek*DlS~#9IHi~(kS(~nYET0>XZ{RvhFVyfv!DgacF>_Ugda~f>CImP81mt( z02Z|!FdCN-yoS_@8qFflVC$_6=?iHUP8HqO;A3{@oHrEE$`z;apa+Yt}Rnl`EDvs1Zx&sO#EkORnUjqBa#9Ic%HIP8t^hUOEaenOGQv0?4e zV+h^_&QK(?mQX#|SOio!Mo21O7YEND?iyf{46=rDge?^^9Zc*PJyoISA@Q8?TV(w1 z>CM%P3XxYKa*?1V`NlYci~^KLFYR6wqn10m(=O5VXS#oDIKHeFmck8rS#RJ!Lw~zb z2f94OKq``mlQnIW*-Mv>Rg6jDxdSbyIXJxC$M@>;iR=W2Orz%d?c3V05Hbo$#;8Hd zbc^Ah&AW`U%1O!lE;cm(8^%4t*+$KmM(eosM$(PIzHquQosdTyRMJWW4LOLYV`HfJFvA;s2L}4~7rB`!ksJDDNDz#Q#kLMB}=~#(9 zJX`=!+us&`Ej%buFi5|e7Rr5{AkD3**?dhaN?mqMO6i)>1%w7%P9m>hfQscOUXy-k z(Ww5#6@f`LGNMdg^wf>`1qNN#t*>1xW@O}6feh!BO}UTkSmRYdq40qtX|iT4+WoXw zg*Sx{Zycj|b!wh)SD!0%eEHQ`Kn7^}|2eik|ja$za< zyM2vpBoP0ne`4i)H}5;{+jB6eg1S`u577*EqLQQHxE5ixJCJxjV8DP0gj}d*3UAM6 z`!~YC@vj-i01=3q@7RS0NCl|6s9cER&dAq6-^`SSPxQg{#TOCcQzx&G42$!Okc-xW zu;^B#L|Et}IM1j|QZfUeQpJaRLfePPN6fj^Ps*^x2<9UuS}e;FQRRw;~5kybClG%Bs6KVhK<;wvvG5yKqA~Fq|z_dYIw7H_s zgw5*Lx;br=#aT*a-4`!j&{2OyBo5W>CxqG7e)QwPAoeKF0uM zMK7po-4WU9=>=HvH=m7*+fJ_pgwJ^G92UX`8%v0z&HzLYvDxfzKDGu#zbzaDhC%>< zT}Gd>_`FHr(8k)nwAAQ;{{Hzzmo8nqCUIpm`&Rpcd#sLTY;)X!)~%P+65B_0FdOL) zIm+n`gK=xUee={iLa@|ReaHZ+MPXvoLM?Cr*9#fpWdvwpj1tPYDcwIS8)H@O9*)G6 z_&{*`{{Uzees5y81r-Ig0_AoR+%db>Zv>GZ0Qji7A@zHPB{btdPcY&Bmxgtd 
z&USY8JlN1TjCc}ZXnI(}*nlmVNhdzT2$Za>r|Z#=8WvR|Gd&deWH%Wdn_i@j7EAII zqdWx(&$^IMKz^wxiAG@@KSFc?&@jxuE_fFs{;DD?Z#Q(ErlicAm%puDn~ig+cv=t4 zbWg6`iZIqMSrx{_jf0b%O+p8R%^v91~sa=Wm{{y4d zN-Do%2JOe^f%(MTzz^%mny{NtWV0Fug&0MpN|iUn@Izm?3_{m6>`au((Ew**(K$P} zZ*NiVcAbjDCQTZ-;a7Wtp0WWHC0}CmRqX`9(TX}MJX!~FA7H1jq;OtFm!b}wH?b~N z^|GPo=Msn*a)DMSO7X&F=EEjfjEQ)n3^_0qX{5I`;C{z&V=P|I#>R?b5g>+vfv4et zcW|~8x9P862daq4E<#MErlz)9-=NCr3buK4*+f1Nc_@~rMsGYDZz|o8)n9}urOCt_ zn6r4X4V(#ySXXs&FA>Ax;InWjX;qpsbTYIAe;sk_+sST3y7@dKNE1}@ggH^k!!=QD zQt*RdC2!2`{m0JK@+KL6_3CUQKmkdasTM)76eiuv+VF|RO)e-^q)R!+E};IPZG8Ai zog=(OKno4)IVo}DCo}(^pYO*kcJG$WLR?o=m9(;_=@Vc2p$&!mR#j^2t17RX4dh`F z30P^k)ix~Q8V~@V{?BW^mDK^bH9tG8!GA;;5dC&`x@fIXQourq!jbxaTbcJkfAd4Q z@ZWjAk&>6Xf=^i;KiZztP#2#3evE+u**r97L!`5gu1#R63pL!-@h`;ei$7=aSMoz?MC0o z|G|zIpEq;lzkcmQJug-XuU<8z0OWlOW2GvW0&F=4s}%|#>KEyMkZ`~xLRIQjs!`Tp zOX#Ruu%8YMD+QUL?q)Xf63heAh=q?rOX*5WuJ!QHr)Cd#y+4jBfwGl!BcJkGesRrX zbyXpTW}SB3!hvBM(N}m;)1tKizS&X<=hF$>&$KoS6a?`NPy>;ar^z$r$%?5HD-DPp z87HlFYm#aO83v`&GLn8TMSgKho11S|WkFj*W?s#%5)xZ%|5U`U(Ik*GT7ThHX!2y3 z=6pc4HVAFsiHXfw%YgNUOolViR+ztrxX>U;;zF|ltX_zka;JRAM5{q#u|aX+6*pW`a=s%D|oEHGnR? 
zcPek5B#3>q8YMbkRdRLIln#1Z3!R@DpXZO#dPQf=2m)28DRsRhi~@wO?ECi% zGEAM%@RkrM4@WHsW3X-1Q58yS;v=ZN3oV)YBw|qeojXv-75N^-r3IK zh4ulGOZ%1{IXVPHmA(KO;sRtfJrcLLhIVya%tD9?boOPn+`2eXw4JXz%%qtm83GvO zHZswA%Z<6{%a}@PRbKu($cYlcA!-T_8D3?0`^Jf6){&8iE^}+Smxen>Gp;rNZh#KC zqbOOGJ2uudKki1}p16a&#<_;K$;jBL6w=<{U7;KETC|?OR!*ExbB)Fa!bY*c8`2Jz zMR(>HE9V|98%RZjUJnj~vm%z1DBEvtx5SV+~lOLf)40y zNND5tuxy2E5AgP+t)PQ|Ywp{}=wlHXI{Z3u2IZf+)KzUDijzQt@n)@KBL zP&p_dquYjA0zz7eZ@4^yJCLw|E(Bm4KVZ@@_xrjb>x$~aK$VCgGz7t)QBeW+Z!hxm z^OL5YTnk9vwgv`UZO6zIE3L@zzCILiJ~ZYAwbct*eH^-9YzMA-lw&aIsJOrXz@bAp zgQt=cpI1B3R8?lrq{yiF%X$Eo5|?-p72hnX`+72Vg#az!e%Sa)P!VFfdQFrPjyg~X zi$zK+jn)67wSWRCz0u6Bb?}|{sL!u|_|OSWyD$=+7hI5eH97p0N=PmQg` zPogOSfxlPTj8igkt-HI(b~%rj!5MbzCNf_xF+3?hZsd@5Ir}zSb-ADSol$c6v(o-c z%^q_3*B!&!dr#}W86C*HrAxbg4)Um;NqHkdU8=muL)~nGX-zyV>*vi=A}`H`*Id4D zE_X}#Ix-^cV;XnZUumuCr;U^%ap!2wXverFA(oNtdG~T60khKl(GBSWr-i5E!KhlGARLQ2^|QVqe|w6<(Xz$4J~r$`6%p&Nv2Qn643A z`@*~VkNF3}O*T+dqNnS9s~QTUuHn$p#!7|ok}IJNxCc2`3(1P4Xl6Ww$HF;* zkA5BdC2Ag3tK|K!(oM&`d*$n^*Umeqsq_JM+N!!+o5l~-v(1Zv=l7dXy6_~)$3Q7n zX1zZP^pgC>o3=185Y2#;%zRw#5>CM#m}$B;yZ5}qPmIU>2K5f_PTzx5A#0>=&2JL2 z$Bs29r*7>$`By$YA4|zSmY;Q(3tr`ka2P$2pjHw7?w>N^gjJ ziCE^SK8ndm6<)ms12&s*OG*Brss7^Qh`0$0D(;&q)_78lx)RYO{Y9~>C)@#|Xg7$j z6Bkbqbe&CL6J z*U;#)w)8^z_n(xP*m@CX?pZvPWND{LmhWI8sjdpMuGPxuqPWd-;51NGl^hdq-B6hu zYuNx!5wYKJx>}4^Azsbka)XPdxHrAO-=z6vrfn2v(%u9>q0pt-bN_Zr03k&HCu62b zwJw>KcaAKeX~^mi{1nX5_U?VE!3&ZmyF_h;S%~t`M667F@lR_4$}C~%wPdY{P+R>3 zJ9RwE(SI55(FTqQmIS>+I&dB=nc6+KL zIU(rFAAVW<741h&Ue986Sh%b0WFm^th;D9mi4qehOO)89Itl?eJA}ieWO|kZe$Cj* z++W7;q+P>N*j>c+qt#Bu8TK$29)(c{HJe}tJ;j%cuPYU6#^~KvRJ+tSK>T0uegbJh z)MZRx%yiiifEgkO_k_Y))U@JbpemA`yAqB>hKDkL6Td&hH1Z?b)0%*5bK0vIDny1= zf68hXe_zU2Rrt3XQWqGnK_*J|!_>wW+pxZ@2^DVyIzIunA}{a4>E!XJlE&!pGAC#^ zYgR*47*xhY3gj9|`NiLCriB~xpFsJ6vJLC;5-Q^OG*c~@KFTkOZ50u*YmyMQ&z|l7 zk$(e)tyE43JGf|*!4qilFRd?L;Si#&KrAn7hk7|)O~jz3CNgZfqpMHOwOB^!K^#|g z@hzQiVm1bjWhzPpAJVM1w>N3ViU41{8sOB>M@Zd|oyE)qPkkCdNH-xuS6rN-=xLX- 
zB{f?ZN+>*869N8*j~DY1+p#kkT+H++)(0v<0P~`(I(KZy;x=wBZIOuYO`np5U`LvV zxSSF+Hsy378~QFdm>f8KcoddH@s&SbY`b)h9ZCN8+l|+xQ)rJA3SGELoU3f$n>KqBNA2Z{b^C zuAxj?FfVxo;74u7zgKm*O~$FtbiMCIMYB;MpfaG)4|i2=lVX&fyWn(b+&(XK8^Tpj zhVd${zxO{Nn+~(l&Mc4jRyp09Y0p7(fMn#qBk|u1bigj6HM^uJ)PjVdH?S_weEIkY z8LLOi2cBqe_WqGW8ycmbGmoAl5HdlAg6b(Pc8C`GAZr|KBJ%rssgjjemv!YXvs*o=%)ZsR6kV%-> zwW4K$^E6aR-{#W*qp#wU|9a@_%s&hff)kL5GA;^*u}YHNfgentfVPwL*?7G~5a13- zUMS^z_k2;{sVL>$Pk4IBz?mTzrKz@W795sygg)^QK!ct4vB&$8Lyyws;)kem#mR0a zCbI6k01>``<@=?}WULJa88Pq-X@zTLOIIJ0#sQ&GJ!;%UpsB0AOzOH>;WL^wwzZ*Uz`rl4Be z<~F3KS&t|_QH?gz0z6&I`@+>-apXB}Hdl0~a(CKZ;u2IM;3^9;Kit*)AVrDHj-X6- z$8o+UA#YbCNb^*^e!(`KrQI#l`jD(2fIA zGC0CUb_dB^@+co5I=SL6vt+14^l-aBsM50)0f*PRci+B|oZqch zMj}6b_Dsd^sk)cwcLfdeim37kMIt39<1y_ZqeuUeNInouhA>Nr zsL)WOB|m;+-}TU=0B@e};< zsR{`;I4DyLNW)6{osB}yQ*EGUE`D1VI1#;}41yx1Q)RLwu`l5Zs#;C9lM&Fc5~@JO z6o*ET@CUAZeO=VuOdaRApQ9b-j>jBQQNqQL_das(8wwH*zK%==BKdW^2UMb_h=oDY zD1cP(JtMOQ1|xe{Cusg(7>rr8d1$Zfpx2$s+LB7;l|Xc$Qhu8E{?(7j|CPhNExe>O zHmoXXO(n+K21~{Lllw75xwmj^Zm%@_8l}E~r>Z%$=F|B?Ld?*S!GOc4_4X|)-nNFb zGZr6gD5NZgW!*P+-?YHl8MloFJi9hsvT)nxA7yo-Wy+|raS!@H64()%VV$B-{zfd3DhlGSE)5CW8bn$i({Zf zLaN)>cenQ6t)5}Kw2EMo{^A8f>u=80Q;v_ZP!q>U0oNd z-llEF?lywp`w2r-%gMgJs|VQP?R4j|BYgx8b?lJ23Br@E9!$5tt!aM{2;5qDU-M@M z(dw63&^pGkRxr&4%3HBuOelYqFP29#Zf92~cEa@Ox6bteOte#z6!$Ne3rE9+SJ4o+on<>O!zl^b)s+d=T3c@zndKba!={W#i^?wi z7?dcT_&1aBIg`^h>L_}Q>a1N=d=hGk8mWdsFTgFtkks0$DZU9!IEF++v~&I~_xAt6DhCJa(yGeQtq6rvRLC1ShBOK>yU zR{r%I)*W~)@U5GLe0?T-{q*Vk&(#-liuNdC0RSthLGS}HOCOSvc3vAyD#JfDRCVx{ znlR3tCdI3(A*fz8`6D}SFc_0ICu2O6*{2Z?5F+P_D&)2^np+=sjY_5aHG?J+9r6v) z301AbCX80xw{As$RPsGIowZ=AHqZ?853VEOQ4_b(Yt+;EJ`onMF=94Gs`Zx=Aly}N z`zV)HtGr?OMcG_XAcOY^Yd4cDsh8ME0iOr~Z4#>fz8rln1?>;(c(X4f$p#rR$5V@f@_+U8`fc64imKe`kcxe_FODsK=)UXkXZO~v?VA!C|0HF= zkFu=z@rI2@TQ*TzX$5jgps_=N}k2iVVtu;Czw)NbHzhr@I7bI`?h~wL)=LnyWW~sBA5BVK%ka`WN0BX(~=d${>{VVpwXW7zW6dX%S|L z>EltdV(+jKBOCZ~R!GYxC?bJpk1^IV-A*E?(c;MJM;@)`_R1!d*!AkwleYKu>ptl& 
z8n@Y~O+Su?c%4ndm4l)qIOE8Jv=(k0fyEfv8?M=Hws`_QS(mb+#fa(NKyO=$C7RK? zj^ehVeGdK$l7g3ICOpD*u)3YIq$o>!qA#NaYL|ZitzPY44T26VC7msl!Mq_4OB|naAp7 z9r-gs<~aCUm~-o)*gZ9Tf(c6kFzXKjKZRk8rK=m)M{J#H+kvil&Df9o@}%TA-$5BN zb7tG!VqMM&Ol|Q-R?c2Fb8xhE5N2X(RabjRfr**9${s^Vm;BYR~ zN**74RWvtrmM)-P=X-S|Iz**dPtg+&J9;%3M@?CAB4;@Em1SzF zJq|8|)_!S=s;qz=jq_HluvJ;?S*=gPO)$K@8J;aLl=KjN11+`0qE(^*lAf@me6b8e zseeK85THVmWEXxK5OtWfk8HQ9TfaVislDlT0TnAaaEMh!qfDhb<@Ebg+e8q$lYJv} zKAGRv*6%!EcGiDiHGV3;6a_;LBTf(x_)j5BxV)sXzZM%cHxNvXGB2p-SfUaCcIjn5J zr9UfHs2FhYle|fhq#U!JJDnI8;~R;a45k+VH?1`m?nf5)YfU{O3pAI+I4B3Hi%$tU zhFa&NtM=n6B3n}7at#ySb{slXpO_{z5`UXd;I{~Do?XPd7{l?)tKUx;pDdp!dAo$U z;j#ny^yAwetBYWlfKjwb1F1+K}YJM)%pj1M7G|JVB0+Z)9fH8W}lc z4<Lgz&I=zK4jNoLONtSOGO*z~5VM%oTkXj)zK<_4ZJVSlZG` zNvDM&@%oNWTEnLF7bGfy^b( zKL5-ou(>_(H+a`Bv=6PnUcBsN&Av3)&E7+jyNyWvmlj}%`;kte*pO)x{tPWnO5w{! z4Ngb>+<{MEE&%uDl|>U(@lc|eRe6f)U<1TAzxbRI8S2?p(adZ%5k>rEU^qd1s!N-p z`*%zX#$*9t2p}NPi)S_*r8k;Rq8PQF>F$fZxdnaq|0*qMSVjJ-$klP)u#8N$;?e{T z^9jtJN)8fd9$?dk#mmNwAMZD_r%q{%8civlgxKs6uDU1=^?JnI0o19mT8u!{M7gi^ zRe@vL+_^>q$D!vz)N;1DcdTcti*93a6TVb4(Y;U_Abz68s|R|di$~lbnzhG!6RKz7 z`RO=)Mc-v0j_Mp)52PBm6yD9yW0UD0fDn!z;FS`)(c?#qu?m?RVgLK=s)Wh3I9WY5 z#Is_W(!>egy1u{+T$OLyUZzC9hA3BjXsPo7IrYR!*#G8A)d`tRzV*k$vvjCivjc=; zl3-(2h7x9L;-W|3s}-qaVESHiZs~zQc5|?ysoMAG(eTZiH*j@YOWqC8pGCt4Oh|JP zuTmQCb0>a@rUA?cFuSL6< z%KytD=u0rc_o1VKj6|G^DZb$v#TklAIB9)q?ked{VM@jO23FU& zUZtPajG=Rhg_n5N2tF9(DX!BTnH{edR8OanrDW5&70`etlcYePg&&wLEZf}{ahKRR zQ>-zxVWmPpR_fxF6|RQ%S2_ql(oVz;O+vS<+{bEPAX>U_G8J27+@Ldsj}|_@Kt-&)wWt8h8kAbXD`O$m#4II8mdZg?VAbG@ zuE^~E8TQNyG0T&~CB`#ib91>9$wu8fcDzyjc|QsNC3?2)ptl+fukd%T%yU9)n*^Kb z6G*$zs@Wv|B1F&LXoIYb;OLqW`v1ariqOy4n!?H~ocB&T;-#Si*I|8;;@FX~wzetq zld*iC>*h8MygjbFUUso(ezA(?0nbasAppC7Uh0&b=J}&9ynQ`==czPGJo7Gk))z}+ z6>wi8Obv}K!39ji*5H(83eOobL6cz5$R-CwSTY)F%0UW$PQDRqXpL8T2^g*&oSMBM zW6^bnRGPcvVEHIW6_@QTVy86GW8j3k{?p628|lM{dXDBL{p69 zDn1qEK7<((4#!MezYqDcru9gG(Urwx3`;Wa0RJxPDykVtDc}GC5tN5`X~Ku0Uoq>d zuTBs{7b~R^a#%Mvbn-FjXE%;H{n&`aDYKR#A 
zB?E7~$5Q9terrzJA~K4VT}|;J`^Tti)#^TL6R&UsAmX7pXhEYA%sbQ5=JM`_qJ8qR1vSNf${uh}Mm)V9{n*1N%J+H_CjH z{_j$weLYG`jj`+&JL4Q4?*|VPHQ-3sST!*i_-r5q^^Zs{qpx zA8r`PWt|}IVGnbKu%{B@0SXLZOpN1zm9p&b#)e{M&wc4Gxs8!J^2Wssoco9v30+%v z#h*t=uChFe78pJrofU_MN+k$-hEVYd{Avn`3#hCYu(-aII-ft^sF|$ls%R^Fq4?l3 z&n5O7F%G^eNZzc80IqkPDObglug!&K6L6ugVFe6-S+`RnUwbCaV+Y32sK6du%vSL$ zq!N}_kH&`(t@Tx}ukUeYR@hH5I>H|C2tD04V4%tObwl~|07TRoL_1@c74fZNXR_IC zS1KDrhy%8Q?N~I^jO@ZVj(Jtdys)E3;HP961aB2<4|RM>Y5>3v)kb!Un|JSu4*>c} zWMz~Oet$g7wZdhKqi3xzh%D|nT5ayLbe`C4VcbM`8y+$S3UEw(8|$~@W@vYZwRezouQ?O%pHfBhPGKZ=7)476MrT6x+(D2Q%fZ9;_OZsxX0xLQ_&8bcJ#1WcjfA{Wzuk zBdulnn=Fr#rMy)8OdmmkXsTpj-4&C}j_`QkBM|X0FhVV-0V^fs*3sICZADyz;X0Gdc)#ewb{7n-_$Xdv_mw9Sr#S%hD!W?khZ zTo@0ymlF?7{Z~v3C*DkhqbsnG8V5Z|4MxzH;t_4K2oe$9^M*0pt^@L~+0f08OI$YK zTVC(yeJKh_No_4W+p=VVFzi>hel$)o#9(F$3{Esx=UI8=Sy4N2c$1Qo zYbQ+CH{tstk|KC$Egb312?4hQqZqJAcTuZ2^$R;0>Uri>vJsN@nb_ISZUw9t0}N<)Q}*>SXGb`142so7)B`anX1Tx#Rr1IPyNCdrbqc^s&N7yl zvI|f;__yXu6rkdu;;)^#f1K7P@;qu@P%NPVG^O)C=RTAL|KRfJpI<=lupoQnVlL`O zFd3mVQSjlhpBNm{cqf5V-7EJ2_>BRg?>Ec(+pZnZ>dNOe8L_ zN)yF(f-yDiw1OFi{1z+g?F7w#gKqI=;kU9eN9Li7cCv%39c-gS{7cP}gjv(mlSvSa zAd#Pscs6@Qzt(8F7<1L@v+|7BeopJ9nP+zV@kk7AX=n_8szDVkTsCsmBnqJRtw1V5 zMw3@jny@doUhpOfR!4-V&REJ^nP79KO4qe_yn7^B>=8Td`uyb#i#Uvo=KMEJZAd)_ z?2?uO3KQNs1t<0<>2_T-*|@@Z9DhKAs+WlBx8mbIkS(s0s7dIuvIfK_uqc9?2b=B7 z1RSx8cn(X8tJ%gwp-`A02|7a(Fm^QHLCe4%yhlM%?!@7JROexmJll2SWUJMkRQt7orSu8L_L|A(l)w{Qfz zr-Z2f_;E)KQO#e2?jbDOzAlxz@F4gCbK97-6ZCMlVj=P#o;jfreYJ9slL-i39AetE zY1+@4a!ud}F2Hjbk5lGcjERwC1i~L4`j%Dh-VD;R_%RHO!G!+sp)8K}SN@P9+$iSn5l2EAd?pdKn!%h2RseBs0daB3GO2roR7MQm%;&CSdc7(=>akv+9 zUVfJr9WS;`{TDW7Awmr{Ch>RpFKpa#0~!%><9{Nuj3bymiDx7*3}{Nd2<~fUcEA46 zrI*_AxG$)SCm;H-;h~2mWQr^sTMG{O@S(BfRf!f1oLC!pC`?+<=1KeeT$gA(^wfzH z|GctGT{*^PG*=%4TUSRX=Y$ovDZJKghKM0|#oHBuwZH!`lmWypdI`Kf6dZR_(mLE+ zaglXfP2d~o&GLH&HFGLnxqP_<0Z3sL^B$U=rB z;F)B!0zv?}STj96*>4B&K-B>9hj7+2>smX5JI%$D?kG<5_+J|+bJf76qC&4B$1K0B z&jSN+=>2cJJ(8K?b)1I{_c+|C`GeQ58=alDEy%pgM41D9pS^3mx$gYt8eII0IX7g5 
z=X%T@HAt;UH&(6f>u)efp_)v@FB4P2#=BkRnFeYL^Y~fxEPNHLs0j~7Y7pdT345T59kKe) zP7=~Shhmidlb*J=Mi52#_%C{zqIgYg$h|PZcB1o!5kU)%zq$^V0>TJgc=~nO$V4tD z=qKIf@I*vK0EU}gH5M^|P}B4_d?nRAvZYrw&K(chg~sJ_zA&BJp}8+^$bLTsVdxxs#pm9r+^e8y*W zbUd8?3-6Gw9yt*Dtl(DX(5y_f9I8EfFnqk`%!&^K3%9RyuO)4n+qavTbuE2{Lxe0T zk}YzlohrK$=1GeV+!{s_0)cvAM~9?hchX%?tMX+*!7BQaTEERog8S1YZ6YwydViIg zB8&P&r~%HC=?&prOuUoq?d=+!++2iQ9sE2?jEzBBaxU$TpU~s~>!EOll zAWsGAsH(-S@+CBP@7$?QPaLKOew2)l#Wn6u^pZy^-QHOPqhzrFKm@8I|7pE7*Dy%i z8twkRo48_QfaDukOHK41oLkSbhoN=8zodtU2}8D@MTK}9Yj`?Be+kROlEGn7Q?x3s zq85XVfPYcr?WpgF`TAQ&RP;dbD3rOMF{m5*}Smm_n zPtUf<+y&2K^Yxs0GzukMVp7g`Aa01Pa>a_CSMsZN0C$8bi z`W@DoLmDU}VBbXb%>3uI`F-l?`zcMS51~Q*w{9H)hoqK8@5=L8wCE14{4ibrUzELf zFAQNFLD@hE70T{ma&gD4YBcGbZJBK0UemCYHu}7{bNmm2LL(~0F%kC4L2?Vo&U~be z1Fo0@#Q2zEZ=SKJLCJJUJ=3ROqoXh^jVZxoX(+JkLmCRbdTA96k;qu)q{3GLAWhoP z?q#{~&4y)d0aKzph>OP5ku0w_sJVP!-&6l#yHP0r>^o!rODeBvRX2=$SdV>vikZ)k z(v9FrN@s^iY8LV(vBLDgubp6J!CmNWwGZ4tPDQRjRs!KL-1Izi9NBN7F6BD)Y>K*m1yW?O*(xKWJ@0^P%(MzGBR`k0&~ zP3$>yhSxM-6>5Zd{`#My5kdl{bRalC8cTpC`nlW^hQR4EMBk(mV8E1QC+o;wtq>0= zvnONs-&<%ka^!GY+0>1A%`i_Yx-EyOMh+7(QO&G8U;h{ci%eb|4KmkOK1wFwQleo7 zF44v|vhQqXd6XGjRflIR_kpDeD&maiE~{X~%9%P$)y0s*u2k!D@E)TcE%o(p5J-sh z;v7P)!Kr3R0SfvW?%NSZC(dmnx-$X@f`Z^SwM)i*t8`!@I-qH19!U3+x}|W)Fe{5< zo_mLOY!Z;ptO;38^FpCGSivD%-0 z`4#F}miy)DQ~o%0E{Xy0!e**``;!ey2kr|x$48TWf#~B_#(md=(csp1QvBHq<6UtE z0ms6$Nq20oFvaHP<|fXJqJVm}c#!IYh1#HTNgIoY*YF=xFdQ!{8L}VIrruvNz~HZZ zFLixUZR#a@ePBo$^6ODpsAAzG+cVvbPl zY;9dDsNQbaa#ZBta$*}aint6|8A%gQri3HxFTZG+7+r5f8gii5zvt-VVw1If;Oj)Z zv0%)71HbzU3yN(3ixT-x;Gp5F!E6GC4v8B#+>G~t$4oIKWfy9GIyV9al;!Tyj>J!O za(bsms>|G5z(pK%g(g01g-EsG>f6DT<7RdwAtCf)uyQmqA4`%cUo_}ZQGNbYlR#|6 z=|m7iXtS;9TwA)ngb_l=vyf(q0d`>&RAQ|j`%qmh03g0&U-eX6XwkZ5%VCh8K=j%( z9^+(6v$AP{E7Eka&xEY3{b?Khbn4PKVoimmOJ-hYst%Y~!WgoGB+HooAZECLH=|8$Ik%;2olE^I7uZz4ofANHEyahZGh^;i#AO$eU`%&IXzDUtJ)k)I8x?v?*{J_d{EanC0ZgH=MOQdz=zkwRfpcfHbm~U!HEIk|3iGk<+Cu`?BmXbm~k@> zz_2F# 
z$Z%3w9HnOm!4!NWOm8#uzYC~dR9zF8mT-yrBr4j$a(!bxJ^6^=OR7by6+Hv)Q+L6h(mQVkuve;*uK~;WrY(tmZIo3{9MI&^p zK2>jRxUiopad$|~RmjY|hhNmZmRZi*mzdcdCQRQkO zlx03yYyKW}$-t#8RHuF%>>C{{X~=q`KWNYVM(>NB(lE9MbJZ zbzbeNinQvsNFBuWsLjf&(gLrL24*~C{stA&5>{hTbpwu5HNSHkjMdXKj2i?+dwgE% zmLFHFTJs2@DM$q_o)2FDG9FS~NbO&O@&CMvyo9Q5u%>ERGcwEc)Y`Lv7ujdptLI%% zb+Zgk3ayGa233ZHIaypL+Vz(@Y$~@>_^@yWRiyYssDab#1L_G4Vz3eYG~ZUc?xWAk zG>~&j<`J4(G7okdz5Dem`l?mupY!?F@_hD;X@23Ll13X60QHlV%X(n^a?UA_%bv7s zKsLO9=jrJj1}smBSYjn5A>{NpIRG1yh0}1_H70@zWx>>P!#%;8*RNNm^eS`w`b~{a zULw&$7d0q@trXW+D~3A>-o-Mrk+SPn=r$zT;u>DEHKC+FWH5KTdQZFZ@zq7+L(5}e zxrL^I+y#VTfUvf(v)9+oZsngZ7WS(C+N&y1?t_)q?wUQNSXk_2#Xaq3E<``(T$T-x zNATf($x)~)seEfPnMm4%7ID3omL?dL9#2VVb!q64L#=KGh?{hInPn!e=?ywhy1yV})+_^(0xDoQ#wRL?AX za#3b4LGCh^#0)QsJIgG*y_S{f!t1P6VJ0yHJoQP~%1{IJA;pjy=4xEIUmQhrC z4-5-iqSx{)-0Gy3_~l+jzI)DK<`S57MSR z(s5wTPEA=%oO|&AZ)p)4Yv{_#zsF?1yR}Qi95tA#(w35gzSimehK@9`0C315ojBnEy`QD$EU3|MCz#8#Y7`d zidA$rA{&#%lE}P@MITK#HC%v&kBJxh`ej5>74zTBoSG6o^iMEL&h zdRGfm+Q{oNuP7Knx;S$6s(W#EoMSJpA|KR`CWR;kMG$xAJyn-{4SJ{O%?kHKyVsUy zhzD?SQf3Ycjl!b_m37r*B?+Lag}DyZq*}qt9)Ch7B6p;L=XK@_;Hc_jbk)blhnJ}m zUnW8}0G%)EbpU-|Y_+*x&q79jU*_P=6p7iF4Fh`jR%0(1s6z%08Jik))NV(2*!I|N z8pQ7q@52kuKhta_tKQX zB@b2s+EGguIOT~&_q~X(WOY*5QP#l$v6uYfoau?DvZ&A(pUAS z@c(1;Y6rQ;kwe&>q$~|jM30mC7A=OoC@YmYnk=!P0Fsi6+bdl zYIiZssA2@1m62u3FNk47#vD|K4QmuuC^_aVU0R=(=$MG$hHs)zLgZ65U#BVsIqfehlEtLC_8GAv_3yB=iz6Vs-`M_h)AZHnS&GUGY8MNtZ@jjJ!4*eXzyevR^{1Sx# zlqhFk+-GW70pM)xLyf~xRqJMH6_)-UQpVqh(nCbjml`B^Yd>|}nbPgX@=H=P=TauGbQJW}v<5tbgAQ1Qk zCMT({?Oa>z@PJ6MyELfn5hnNswt4V>Kv=S$PUV0vRg)WH9wy`LxEmBGGmd&6BKO1Q z=kIf%zaxksJ2j|y7ArMeFJ4<m{2>7oM;E`4hb{ zN{N){>~f2|pRyQW6`ug166Zx$ZT*-WNvla1kiq#^zdet3<`HDk5ta5KWA9jI74H#z zr~&#I&twdhkd`Zuz{$E5?+i6=+lCI~l|+)MjdM9ODx z)CEFCe*(%e=|K?qaEJf`IW9IZ(Dx)9z&TUa%g&EMW95p_)?4?tk=Qe1s52b)0(Fxt zS8usJ<&}*(;Lg&zA+0%e*bmXr+z+)7^A8B|_9o6c907dUH^Zgw>O8)};RP_NM~~&1 zzro_K`t;9PkL_Q_v#p$*D*m)k2~ST+cqA%<@x|%W{T{0{nRVGpbgY~aHllIHYovJ{ 
z=&gc#RMR+Njo+@mEHl?6M4Iv)`o11-w3AwOwYG-74bTti5AEg}IkuTXr0=w-h`c04 z2q_>q;XSNoI8IG%*Dd2!57K3*lI#s_E^=T%BML+Hp%34$#>@Q(=Yuw&=d5u%7)b#c z(CPnl+7|YSjxhuN1<(7#M_^ziBB!V8+!;v|H%q#eB64gOloNAaBmj2GY%8_!S`0MS zL&hvE%Hptx^-JB&g&(srYCCw%wu_VGpdmQKszbUgv`$Fe@Nc5yqziG#Hs{MRZ-h3S zqOff3h4h~|V}xHxGBQ#Gvi3e~YHAt)eIXWMmBpFGGiEUk#M$)m_5FOh&^=+PI%iAt zUGeepPuE?AGlptW4MBL66~(y9N6ol)jeew7I&>@Qpc^)7MfTuoWC*nIbR@n*tfYefA<5F#(k!yv z#8e0CB-Bcx46B|kNkOND9)tsdq5=X@IxJI8|CSbH;qq3KkRp^0!r`G7@kBmCs(9NX zY4}m$CTG^{k3qWLO7D90>yMx*3c!<*B-9m<7rJJmH{^STeW=k@qkZ@B^P`-SNmP26 zBB)>(hP7!ThI)AflW!m7R_oW7e^KC4slVeqr-(|Is!5&BWSnC{{(-b74X{p_)_w2O zQ?i!}E!v`f2ZmYfM8wTH8bM6~5uwdX`Fg)?_TKTZrHfRB*B(8&LY5Aq4 z%$!JGrIdf|RbAQPskcfVA(YO~|I=<6!3e)UT^VRT7=xDfOL@n-?Z(!>QBnX1_ zlP?Ny#1q8dgeNB|_O$}Xil&$*6^*a_*uyH0!!s(CsfPCaC<>(Yp34XYg4fG`d>%T~ zmTyb+LMVs2st)5phtoRoF~T%So8-`hZH6KP3Qryx`B2bY#!+i@x6fx8QaxbZOZa7EVMO_d&y3aoq-Unq26vTw zZ%{MqEetZB1QBWZsf(ebq$mJcZuaJkDg^m&}BOrvP=zYEIc4&7d$w|7OU2_?XEhVEBoyKRjlUtA(Rn9VN*(* zhpt>}FV?k)L3{)ArV^+n>{3ul*ad=O*je(O+Ugg<3{g?bGrMX0cvu%H!MU6mHKbu5|B$`J@=LYF2ocs9)1pay65oWMnS2y&Od8g za9)Di&1#MqS*JIY4z_|@>^wDcinGUs5n9$o&s(p3pFs$VotGRzX zi0J+9?-8ME>l{qAP1-xD!OCgI;ce^q)Giq}S$oI;jgqMhq9L9rc0al)upI()l>D_9 zJnbg*94T0b&_{-Wt7K4hIC^hrF)7c`qjm58(xY$Lf|WfDG$G26NsfT92OQxEBNNGL ziTH;V_g`=aJrZkG$VN0CobMmH1}5k>Fb|Q9(A1Fm)fVg5wre-pqu8a|bz!GnLk;II zsIR_pgQo7zacgEIzSmni>*SA&ClS+Pdc@^L{XIV4Vg2O`9!r*QeLd#Jt0k}2hMj1+ zX8xXzjYn(D?^qr`ZsCVRIYEht*EIu11Q+LB`EdL0{%_@n^0x)F=$o_NGlA-G+<|^J z6!p(xxolFQ|8h^AKJ$P%{K+$BoF)wPA2={nahJo7=SZ0AeN$^gLqmtZmp!v-lNNpD zV^>!4j>kX#%BOR8NV*Z@%}cGQX+qX5S5s3{R!(cJrrgvz*>B0CqNUCIth(^J=c=21 zmi3u`v$sR&%HT;uKlQnl7ks|zFUvb?yIondePin_6%GSe4PboUJUee{_}V3l7Nv6< zV_dRFdF|6sQ}b>|w|G2-kHh(e+ldpDHOEl8%U2*BvyJL;7)tI*k6bOz5A4@((X(?4 z%&IHC^uT~{Dd>*&{;*@B|S8u8|&oMDGbD+$oS@7`6 zZ+W(6d5MV|YBg`sB64i6I2qqK6&3ZEx@N7zd3~P7k>YS&HRXsQ>S3o^_L~vWA=*AE zYtVKBy{N*4`}>T^ThMZIV3GPw`@Etj$A?Z^_^9{f;<5HO{u5q^zI zTi3d>{_hK4Rw?TE)bDk50>n=6F~n>kYdRzzv)R>ePLj`n7j$#4>^{5Vm6=C%dFH-H 
zWh*O)2NMHLJ&!X9wPx|X1N}R{wCL1nRLaiNePJm2um7>k#_Y|qy3DNXHSXA{)2Smz zhLIhwby>=r8kRYtgIc=vrCQ~Ai6zy02d_S%v262?z5N$`&GNjmYP7}sDFg2;b%<}J zKHuhe$NlHt#dP;I{rs^-+v9&6GwAl`oWMp`tF>xB3H2Okp1v#O*7vR%<-bg};JaQK ziwPSSG{&QR4Rs-31T1fJrRc%f_iJK38mjv>(*IaAsl<5`cwDze2IhZ8$Cr(vxSVKf8%Vn9k~(c~1j1|-R!cyG z4zX)K+Y|={2L5hFS^!D zyAFH$uh_XQv99Uz0k!{W@cX#2xmsQOubjWFr%j+;S=bo;S?hW}T0GI}$cPc;wU@e8 zH?D2EEcMv;r|HM0#+2Tu-WxkR*2z(a@2sX);^5&CwGfAn9v_ru-& zjLHphnm5cj@<#DKSoyLuffh?DN(v(%*KHqj_+~Ykt>2PICVbzscebkqU+}D4$BSB0 zT~!&n7~vGnHmh2F_y}fJyw5w& zERC9%$NBA<_|`sgXD9EY7F+XXJ)bcp+BG}5|8c`#NB-91zz}20%8j+&U3jK=nX@AF zQu?rvZ2**6f|r5{=yiD=Qy4 z#4c~IH+Afo*@`+93^jGhl2e--w0iKq5d3|v``8hi8|-|Vx98Ogi`=Tc3%U#(cyVGX z>fDFUp&p$szK9~JHT~k;ax)r)3%`F`2r+VTe@K?X@!>$AiTJRAnflXEz8PV{7g#sA zwYs-s_x67#9Dh~#=j}gxFYnQ9&%@Wx)mAB{sQKNSFlGAD%~qO=D~{CNzHk2E51$fJ zFHCy)$<8KjY{&0Cx~^Piw_w+dm>%t7{y6?AJKyf>2fz2L*5d3#%{9_OH@frpFs9otY#Yl#F5 z8=H*XT_&<+@FW3)uR4{q#lPJ7YQ@tn&AUCHkC=8T9+O=Ont0+gNLKzm$~&8Hck1lf zjH#&uC)?Yvb}(IW@x{RV{q9YSuiChAqpbmZ|ExeoA?SGcV*YQ5uP@Q?JCP}rLH*cH1 z@X!LA+Wqf6pEWbG&c!Z4i%;FS@b1TfK0R(NURn89-jXk#vb1v zPhEX^W>t3s=P(2@4O{iGnt1%zjN{`D&TltsZ4-W~r?XC@MpbbMTh-G0|G)O$Gc3w< z>k=+=o4Z?W1rbzGB&$e{YAY5l-3HK-AQ>cs1VKPDMkFgaV<1N* z=la$S+ULwS@609mQDm>2}_FjAKwfBvWRgsr3=a@LG>b#)nBYNrnu@y`u zac15IR0XI0yOi){w)a@JhSxk#5lo|;s`{kqH{n}T>b)oMgX40olcrr~eA%jLeS2j% z`@V`c=CSJ(3?0Drp#N20YAG-7L+QeWFlLvrGdFMD>W>bzsCxH+)h9SO5z-MZc)QFN zt2@X<2wW&6)mG{LAzyI}rMGbaCl608VuZxVNH!$@hxbBNjS>ivq%;$g7Fz(~O< z(Ij(`4fX?;I{os8y&GYfQ4dgqLX31Q0{LK3HNxdQbDp+pwXT%NUYO}O$ZWPjW-TE) z`XnT`v2CuiD@~0Be`o>B%l-Lfu>5IQqU2C?EJhQo&}^{k0#`mtYda05!*-ho8qenQ zu%5izvn6;MzC!d`k5Z;<7TD+J9=VHotDXW$XY zMB+%ArcBFF$p5x6GIGX^cept_=Wb#akKJkU{3xzJaxH~jRYfHNZAS!-9ElANcQU%S z5)QEY5DccA+WymLZdkkLMn_49ov$oQg%}l`6;SGS!(qI zA3nxj*m!q?ce81q^ofU>Y}9D((*31|CC@ha`|k1jkp0YE=-}yXE223*y)O!mFFm-y zydmYNW&U*ZP*ykdF5xTEP^#2|5*(jxr|XcSRoJ)jQ2Lw<1g1U)8jMn|x%(AEp496& z$?GI%mX}dz9adRmpYQPXy$?U`h|YQA?~iXTJ|aKZUZ6YLRX)nYaU~aeJ#B|hpX~mm 
z9912iBxp6xp=WPu8;<_AorM6Iq+YW>dF*7PA|Vq}Aw_qlDk~}7x5)0@pGRMqEqV9u zee9WtYvls<7?`7LHZi^DO3wWp`1WVAS=`ggpPE+ZXz>EOfh#^rY(GvdFkW8Bfw0UN zA3f;nLtaM@dV10wqCQ!g<+?%sd(I=p!_N5z4Qhuv_Bv?h#+zC7r*1vYI;N{`6r%?{dg?>8RJB)EM>mjuP-^;Lx<4rB?&_i zB2W-&bbjFjy$#;Xh>edU<4mTOcYD+!zC`B71E25nTRD&M8qG|O+Dpt2`(dO|o<;sM z$FKjf@VX;?ev)jBEG=GLC=udy4Kt2cRs$oRi8vYe{Q2{u`2`5tr%@G&|4i07H~Vw1 zE^K_!|C6uK0oibcKwg&4x<|rtFFcdkCpM?ZQRlg}gS*Z~Bxt0|Gm8ugu4*zjv2sv5 zSIb>ZTYYkMZ|?O^>(*a;rYb?Idep5k?WK zNFeQJ`bC@4pFMlmdo4aGNdYq9P+)L@i?9FUH4p@tfBn}lO&R8avcM#2YEck81Un67 z$(}m(9?nnT^84N8K_V&$UtmhJKmM_vE#38n-VP5Gb~SYpNRNsj;>_5dDBGM6Pv|R^+c^sUJ3A#Jwd#o9=*mAPwfX$UWZy~2_2RSmmS?z)u5 zOH936Q`kfXs@^}k&}iy z`L=CTrg6|#Vzi7OQJOzCsytxuw7w8v}xiJ6?c zcS|RnO{{9QYftPBaZ<2rxq9n2UaeSIjrl=KH&d5Z-zZ=>lrWu^^X2|P+b4Gfo7E?z3!H_m76^F43z0jA7|_zb~7 zc`xyizfi`M<1#_2owGkgCVaKIsm3q(@36#?{iw$4$l_F=l)_dh@JZ zWlimr;Y`VzZ)u6YNPEangso&aS)~5nUOOr^w>-b7;sS@`{Yz<7i{S@roi?P~b}{9- zaVHFBe71@inkp5Ee=@khb&y!z@<)e`LnD%j@?<3KkJ$97ViaMqcy#l%z`GfZJtBWK zEPE6Vx8A=nJ6ylZt|c6Rjn@EOD*76YLTg7WrIPWY$-8xSdykM?4`at6g4!R{^WE@E z4+jbCeKr)QaIk%>ar=C9+1Z@^6zbs(#hrpaYE@y<=dAk8 z3foxfof&s3s1O_I|idlkjM{h3s-FvD9f zT1sH+8wQtr9-H>XzJF>cWtx!475BKk^qM#Ns2S z9iMy|+G!%hUsw!qgW`0oVJCYtQvH%t~fvPspz~|NOHjF|$n>RWu|T1(TvgI|4of zIjY$Jis!lw8)}|tq`^DzQDqer>JS$lF{)rH50%p0EH#$`-^BC0^9uu%zF1WVgaU$B!85!b*We`qf71lVh!*{!c8j`%FlLNUOXWcea3SB+Gq z&;9#hp_u1v9HBT~xMK6=@xEHep72{oux#!zi702b+6Maa=_bJf_Ed-sqi{&6yZzGA z7*i+}%gcVEj2*L8j4&G#-SuQs4WDFEmC9(uR))FpZS(Tr#xyguZpClx>~!2ZWS*Bz z?|DM;#lUl~I!{BGX?V`jG)7zh^I(4CDo#cobG}s5487`xlYS#yR%(|=*RTk$m}6$JBKkqLfus_EAxw z(ezXwRFG&ST$wiTS4mmffK~91(VAL+k0Q-?Y4S+PQ2YZSVa;1RnKU!n!)t`S_TJD` z{Ax6(|F^7;y(aC*=jTtEse(rLE&GNeG}+7_)>J8VpJ&@W_pb6F^>12+%@ zhiCUZzEe}+=B9S`Y(}Y_uqNIA>KL6J;D!V+HqGXly~zC4LrJ8VU{QSpjZ4`$*w}vO z^-Czf>RI3>o?PGWBwtk5R8=LK_ILB3WMcM@+Y>&Yas*qhF_-7|f!6)isYi^JqJY092@3C){!&4$ewnZkYMVJ)NmVgXQo8kpwtR&_ zT18ExV%Qq7hiyPGbtdZ1P#$r3W}yL7_okYS>Vlo!g|U#O1}Y@tsb@)lQAu zn}53Bda$WwL{oDsvye3FYW8A_w9KqdKPKOtft1y@2b10p)=B1QM->H`iG}Fx$e!s- 
z@Cgcfg0w1%)?sqoA|^jWCV-juv3UMzwSl2wAG_4_;z+_Kq5Brp+VQOmDB=T#Q`Ogx z7?!ILHHgE1L4Faa4TAmJi&fhXu(BTK z%NwI%D4vP7ZPuWTcXSOw`dV2EL9_z{DG*;4{Z@6AYUPVs%`lvXxaTtg0FUR`@IuM4{D7 z0H7gOUAq0Zi@PM9&(X*?<2)FuN${=7cH;(m4TQUKz8Wq^Z4h6*&) z0}xC2*F5N3-8(j@uW|MkdlwSuV?gC5$k7o@4p_16=bv|1AHgE&XtpHxVQl4C?vK5&I#ML-ootY(d#;Z3Y)B@uvKlFLEw#J{xX{Lkrx;ALN0E+ge!T9 z*|I%fo96BB&p~yBoT1r(DTjUr%&CNgHnMz!A!361?fEY3iB8QK=E!{e$)T3&Y>o@D zTpweJeOR%2!+QXoIqeb#R2e@8p)}tuMgL~UfmcjIbPc{x^a1Yuz9kCf$Nmc&*;Hm#D&14Vl0+)!ltJk;%8}AUkc4^mOtA*G8XwQeO z7JfOAr{bliYvw43G59QoY3LQSFUfuD7dHH<+AWLd8?D~sMf2vt}06-BjAfl?IZi}8A}J9)cn@XqC#!< z5r!2(aqybOlNm@Klp@!D|cUgm>Ey%em5!JUeoYYUjRm* zkyug3WrXH_GW1o_z)Ul`=a64)@t~S}`To+w9X@f_mn~!5wKY=KOJ+7NdjDNX#XUz~ zn7HhM&8SE_mr&XNfjbHYRZe?bSt`tm^G+>3&(;r*g8(bvJ+f0UK zYqlB~ZgLYaQ`kE&k?24qOifhpfvk=Tzzpm+aWzP5Av0M!v;)eiY;ZDaN=jjXE3p|F zXHhh$Zex=UNYP^0j->{33?lFZav_+e`!!AFkgYz3x{}x-yd1gUTFj;xy(?lkwdTdI zlp@QX%d78Iw;0;wGT_cBbH&@lWDWQi&bQq^;G;Nu^K-uan74kw>U-*q15O5wOovyz z+B)AUW$-)@Sw%CPfVI!7C<1A?X~tz;6~PH=31@??%wPds$0AsIL!5?sYn~3}&suC` z7C%?8FrEzFwBSrDzNbf*vuilva9qiOG7b$P_rOFj72H|4)E5%u7p)+V@i{-vxQ<9D1dm>S8wf}O@d;+ZtvvFpV002Hb z5!oi9&QmG8`BN8HtyyD=)AL9yL>Li}_Ptr%A=Stir(Y`mRbqA^&2ccj{@T}%MN(CCs$Qlxk@`$!tffyp0>lM_KkhfB#-7@9WF;qV`|IhVmxccnjzlqpwnAqf{Ku zJDfq6`%uiQwlSEMYxnOurOM&WiB+uZ1?JJ}Ty-v8JN2!F3-Vb$*1Yvi7AujrE3L2e z_dRPdcZ^okAv%7`3U1uTCkjQ=gw`Pl9Begm(x}vY0zt3wi$7MGSXk7-sE*+nV-7K~ z^GNK($HkpFapERGLkt7I;Q`P<@P&{76j&NBgYSjDvQ+dij}s6H!Sbut{|3z=6?I!R zf3Dp^$Zou#9~uGj!B_<0=wO2{26t?ZZHe=bp8m#tE)3!Uz)MAB$jup7xNk{~R0(O! 
z^mMuqd|@r+xQs8u!I}*HLfVFi@hp9#{;DsV%zq_`Q!*Tv1Lv*H`%?^)n1X4Vj&rY>ZSJ-XcxibOvP$<^a zbNu`_``EA>{XB_Z5mOw$>ETh5$_=T!B2)ll+AAS`_dz%6+pJXFO?|mg`x6q8&5u%cdzQH!>$x= zIV22x*vy-rQEAtD-tTE21*Wq|qoef6WwNyNd@^%Girx)Dvxbk&t^mq{vq>6hZzqF{ z12i)&v;)f`Dz|UjMl~`2ts%`wF-NlcoVBh0-IKB+pR?#sy?jULG9ScmcG<42bV*$T!VK z&$5WwKAD*uP9`lh@)(#4UAdBEMzaN-IklH{5=4;&yTgn&xM9z-HB0rENH znXz812Y4%!G_w~t@f>OsJ(AHHam=Z6#|*lstwH=5s>kt6RF0#6NJYu!p&5#cz5d!w8nVA{e~WouQ>L+e;=A%lo*QTxvgFa)e|rtV4-DN>!&MV`YY8@ zyp?n4#fuj)F5+ZNjWQ!jmob?y|EY9F>yYUJ=c}^>YkC}kN`fOosmC@UBxouA{#5t58hSC5flcK97sUIIDPSe8cY2|!feOnuaPMBzgGyW)6@=!Vd_0@;a&cow{$={KJhur|xntgK*h z>vc2A*fpPX#FKl)l`_eaVLRPdwaJ;woR;V`mK}^9s(0H?Z_96py02Z30Gr=XLBd{b4DY%I` zkaXi_gDEhk&dbv%}LqEa)!Tn zwsLIr|8!RWrfLS4wC`m9AS)lnNx7~_(4RSOpQy&ZQCGg|4>KC!6-N4r@Dh`lvrMt>>jy-QRN@F$w|x^I*0~-uAI+Qr5|6V@?qf4bW|m$!KXi ze|y6ydMy@KcpI=XBuJbG4=NGa3>%TB2}NDPdN!;KNyIG30MNxjZJ%yb$xL#oI0q^Y zjHYWz0uc*R#wdG!;mrAJ(f%q0jq=^9m61vIj`B_j>>PL8CjL%&q2xj>^M?EUWmOI5 zwP>voT_A^lJN-ioppxpKmYq1xMt`)*ceVUTd{$dR;eztp1O*YU)NSnRlOjTB0uzX3y$e19@)DFr=%6en%h!EHPCM)?uim%wl3 zes3>?tO&->o;mXXXrQL5>M^w1yF{;@LR~7JAd*SM@<0i$fI?{f)B9)9+Mj+>f~!G~ zr7`R^E_e`_)9l{pz-Jf&yvpX&Msf*PGDbFu=`tJrx#9Tj!QnGnUHyl16IDLmdhI{r zm}g>aHedMbul0^qZ44Gv+hnbc(cIO_r(V{pPuzMPU{#yhwjoB{)~J8YE~Cz68wKr( zKbg&QR&SHgvRdty!$+1~kKUtS;B@$lQx#m5^CPj)1?+pC5+iF-(LBNN7eOi=eK`&}7{0s@1FGpFIPupcf!$9zb+0C~T%G14try zbi{Vx9HD{gle7tEPKY|mfKxpu_w=tfgPihde1G{G^?c!U`e@;AlO8W} zLEYu=tv?$Uk1)m;uf5ME;M=I`&$_BeGxc;FC;xjt^^`M=GrMr(I%)>Zofav@DPmh~ zy64wTS9IQv7fQF&j(eQpvRj~jw%>qcU?rB{BVS1M{ov^1rp_c5QBeCL<013#JH@oo z8<+~BFQHc5VsY(h&W9uSkB&nY4Eg%O#xxlk;j-`ypew`M`l5sKD)hN-seM$OPU2^v zF*8!i2O1W{fXi$^bR4oDwj-;^-Sr$go&31K{`8?Q3+jTisv51y2fy}*yx596qvMQ~<6#KNJKbd{BzEMr(qxYpa!TLR~hLm34 zTfa?oave#o#Zv#y388U);g`z0fbR+G7S@+rad(#(2}LDTt^%$sWIpn0;}I9nm7%-Z z+PQ-Hg1n&eT-$Y87;EW@Yu8kYn&qio4?@i|c3F$L7GMA3yY;fg)3`USjYHRy;bwFE z4Ncd)dMf4B<~igvm!Z$X5_okWU)be8k`ScrF38Z@=9a5lE+!~P3u0B-Hs3ELN7L*x zi?6Vn37|N0$4y*tXS}m(aKB(ed3pkF2THG*UYFa?y9|p{imftZ$1?3o(p}&5=8IoT 
zi{O7{x}-l3fcPz0+&KOZ?4E?FxRTO(zz61xDi}_3HMhYdIQehM=wTnvVe32Oz#{bz~abv}E8VY6pvuS9nm`sqE_Nn#r;rpY0-}sTt5>VHYDs-|=G4?fF+* z)}0nnKfEFR(y&@@vfJK-thmuN>5W@$n%%g}7M4?KwJniV?QPTd0w^eP7@Hq<(bOgffjZZ~NIx6Z z@OU2Q!rV>)%k%A>jQiySBK2N*^pacwXnzvs67f(IqL-xSpVtwO4!jDP^4Tj_Qs98b zNmPgcJ*O^NH~G`6TU-zkZ@P6HGO6*-Y%N}*O)c@}$d8@{y+_iqxIkslpCFQsfC3~c za6tPik^pVC$dSj}YVnPUU~h~U=B9!Ck=_DOin#{ZL>Oei4cZZhk;P0aCpR|%8W;m8 zmicU^3G*r4{`M|KdNX1fLCdx$K#fG?0G0g$?^>e=kWvu;Lvo9x?U75o^WsQ(8VJ_J z4cOVm^_JGs*z7*-iQ97LVfNz#ngu8lhm;-X#W>=Eab0PjOffy$wJ zXhp}6so)S7*8=$T!@F=ZEf$%pH!?;-7p9Cho^_DdLsk1bbbv(A(e(Uk1Y|r2v}2(} zQbv9O4g{=DlW`uAHup5cH}!-Q3LmKj`=c;#N=Nq%VXW<4;z7HDYJrpeVW1oh{4O{7kRqZ?YcpNx^}Nvkjo}P>P_La^X4> zw$0-8EiK&1^|Lm?zEQ-Ltz3zIn5VvTgdxr&RJ1;rSI;p+31`Aw#9Y&;5 z%2IoiUQO&7Q4o&A^<(uCAvJOwB7sJQ`dsRT)bRP6m^SdxEC41K?#-%QzWv?OXh5Vy~FZ{Hj5=NxkD^xIj53%Dm$f%I60m&HrV3Hsjms=?8e#5{@k@gZo@kLZj zjNPpAVxfS6hI!KNWeS%NeiJoE&b%-r{LpNbpp0!oAI>yv7^ei1q(_l;U&8eDEbDF) zh?g)Z_*j{SIc@x(#9CeVaIWVjYw$C9eB4YVD(_bzK}NFv1*OuPe+GXD1wU}_(o3Mr z!WdJ+*5hggu!+I+y7~Q)riHxxzga=N*5zk{9C~ye5V9e+T2T523-q;dsj13jmm<i3YNr?OESq}ueqVBhi##r0Tf5&`G5VzWly{9{yRUWjNHY70a`U`EbuO;xLcZl zTtu;fpK-tf@2aUfBtLN;7KfBndwUdlX&y6NCFX_w!V;HGp2NfOmwyJ4{MvJZEa-n8 zVcWxh%ocghUFXmL_vT-U{MRvp$73^woi^g6eOJTgNJt@qrNOnxOHRA+7R1o!Y5#~` zA1dZcjpWE#I=H?2uAIfYq{K%2|J%`hjrM=3bK01JcA^yW4hi8U+iTs|M4Y9v1Pb#D z^Ua@yRgNMA@?k@6YxMMq@6+d+*^Shn91ZTin7yE~b8@Ue_a6Z?rg2in)vlLk zc=LCCGugsMGLrlRp8j~ezq143fiFreC?5lfWMENE8jY#UxB16WO)h4mrIYQD;Wh;o zL=rAbldbR%4YG)yCCmE@;T&|$n>S`2~;;=>@&06gypmmx z?mKktJUgSoCuV!rU#Bp<+`s!V_piR8o}QnrWW4Vba{sY@@(&%G*ZjN@`~|y1nsqYcF;&CLI@*7)VGr*6q|CfAD? 
z#DqA8OpeACRfvexIx;*WTV?{9^Zj z7~EaX8C1A}wR?OQP1a9YTcZ8c6O`Yb;@2&svIl!3Y0Qs?3>z=R`Ltb`^Q#s#x8hQKn!D$37iZpJWT>H!p_F{52eN4FCFP(%N@FkSbRRk+6L)6MN&Dxou~2mpevU%!5|h{a{>14cs;k4<6& zDdwFXD>eyVXy#l7EtRpUX(_pxN|zz)>9<1p56Doq`yR6Ct3glO?v0lA#~0@jf=mNo zorfxr)1NT1u&}6jTErZPGp&ZA6PETydJNi?>%>j`Oi4*l5F32ff-E8yV9vNWgaD_r zv=ri09gAK1q?}LmwFx_AR(v}amB1?-r9WOeWR1ExBV;vj%#N5KYovrL&8oA+8J+6N$Yo=}qTfP?obHS=N~c0v5YSJf&7OZnMTPU+ z7naJSYj$}jqrxu>GUCy0R46!nyuQW??Z~^ULl>^)kN6~aKOR2PD${ zkfRa|oh~!Vn0FI&ni!ZX4xOX6(HADWo7)#`p;Qe)Z>T5dp6&$=-fOD4D!d82crb(* zwwa+uFx9>N{iSI9m)Bg02x>MPW!eWJttyB9GeH8VA(xG7Ii>JtE`bcT#8AB#Gg?1pHt0$(`c{AFkRyU7CjJX#Yay|&V9mp zA`zY?BHcl0i9ewQWe}7cQlMli)<{jgXhGtk5yoXxQDvYIAGqjJG;Mp!6H(Qpiy_Th31lm_=uE~v}f9S?47mK27})Xf!Z zASNeA3>5{xgDmkss(~cD5{&6dPbPn8NB5!n_xTKNVyZStjJ=jy9-DCkIF}jg<>D|;!RMW#L=BV?_ z0!w4}NDn(nBl}u!n2UO%rVm>dhzQ-8?>LlC4i3;m%iwFJEbW+;((#emS6m{o;j|p5 z_0!bJVH0%IQMfGECX^c_-+3&lRq0)JRh{2Nf}*5&HtpNE&s=}kv7tU5HlJh4JA!bv zczk7o^K96qbLGw-zHFhFlRIA5B{sL$oTXasn|81paVjsae=C)FQhMLRom|sXX*P|@ zR7rsh+L!Yg%+{Aw_LJfc4b-Di_i|1Chybc-0VKGo~=Xab=e(%c9o1aHZK-#Q7Gavi?`W1UD@Ym zR4twQSlE6eJ!U3zC@ucT)Q!1&D~jW*>RduOBnn)@XxzMpN{a*yfZ|Q~{0r~4(O%ZE zR5mIpEZDlF#(R%>KNQPepJl9~t$fP0QTttinL>7H@yzuOy0-c|kL!s=^Mf;&tR4DI z?Z&oR=?;4~F5U>G*)(>7LQ%5j^oi7ReUZ`87SfTLADMOEj9a~`pq1CH`9VvK|JH|Q zjP?r&3zL&3@=D_5SD@1Gr-RlT#4wjeMe&b(k2>HIiSi-`y$1OUiBz z1FVqSCG&&|UO!?S;b*f@2gHwK70W^-#PEvZ&1kl|_0F66aYjNAPzpn&$%<{VZXZj| z{dj)n=1bFd!IhiDzZSN*&JM;UB$T2jWd-g$GBZ<%n&HCg23mfacmgJ)~7U? 
zew!k8h6#sp6hmQg7$b##Y0+6(4!2y;r@QLIhX-iXAed%YE^Cm}a$}R|f%6$=#TZ{Z z;iR-Qexk4#A!pzWLwaG2^Q^m{fAN&Vt!|Q<`wDd?qF)$bbBT*5{-`QSn4G-K5#H(@F%b zx(IZGB+0r~O+BihK&ptz`t&A|j{D@Q35W|tIwU432`QwBb0kv0coK7Q!-78r4&6NA zH?x-Kht~hb{qBJbvp*74WH&aV<5-$WZ9Lkjc7xd~hmU`V>d|guSD;O*2DTWSCpQNN zMnWl%rmlO%zHRlx&MQ_>>!a0M5;4$Fr}Sr7RhDKYhfj28LAtU=f{wAt z8LT8-uUF?~xb%MPByKQfVsZDlYepj`I{xHJQ32biTi{lmm@O8))ES+k&r1n->~ieA>N9jd+@+hkJO$KSYke@3^(4hsmi|N~=(=$VENuwlEid+j|L` z+c_qp!xhcla68DbSsyRA85XFm|+@5cIn~HsEqDp z$*N92Q5w`@f^9X2pjq-R?QC@nfys>4;*C+|9IP8v+WCKgD-)Ese^ZI;dH>WJXb=JL z;y2FjhL^VAw(jOJ{7Wyo!1u{+X_1;JVPw?95!gN4FCRa#V_+5VWGY%$ns_Y^%~Hs$ za}%q;2>Bdi3yY+Q0|TG-BMNaC?NW2vu=w#4M-euE<;0#LrIRGu@>yno=H{_I_)uA_ zbnKM#gI5<{+OS4I)d`5986c@EvtZu50*ma4PM#?CC*t9_gzDsGKNQc$APQc?bVVAn zk`R>GWi~C<^`v+y=&J=o7uA>!(ouea`<2n1RRt;bQvFKbX;j^D@jcm4*W1 z2D^R*&7(MAA%qQ{{;Biytk%MR#ZoizTArK(!Ej`9G9L;>uBFQ?qqqmyA$T-IK1t*G z6}`o0{4QbPEIs}w+=$W^R0raS>ja6_swbSBoPY>a1`jRG_i=D1N?XvZkw62iDm5IT z_y}pD|Mu^kKC%d6H3tuUv=Ku5{T<9COdMGJkbymL6R~TdwY5L##T=~fDH7cjQP>av zAVSO@reB%UCthNS8FTu}!vuKlIL_$d#|EuD&Dh*r4W{yfSJcwZ{fZ9P=k6oZYT-oO5~l*Dl238TFI-?3AA5hCN<(u0 z9D*Qsi2yiyJPH-;E!5n>Y=t#N;I~o}g8#|$A&Fr1(2@7%F}-Ge-EpilL&Ru+O>q+k z)Km^^MP!%)PgEH44~4S$F5|JD4`my}xsOTu?mS5?tqz@wDE1@q$$ zPH3kurC=w-QR?6@nbRIjbSlffKE}rWjYrcP2+|PUf@_)AP}~QejG4h+O&_YOAF_Ih zr$)Qd|9RcygfqAj@(@Eq`>U09wg}#-pbiMvdqIr!m!=0SUioT&5o^QSZ!Qw1R7Q{Q zN}YyLCoo&W#10hmc>br$bCJr$*SI&G<*12qs;L>f8|158{g-!t08Mt^_zDT*A&tN@ z{mcq3PZOH-ms6z6;W){|HesKPw(q?yo^q!8`V%|rfA0g&N4{1P%RN6qA?EV}8#@BrNMtL4DPu59Rk5>XZspL|7U7M`u-v zV$zbmH_qOx2)N-TYnK&NKEI-|rPklSVA_mvMrg3h4tpm3==Zf)&UrI?Ec0&hp)E!E z9YXY-eYCeTC8b?v9NU!rj=jw|VrV9(zlotSV=z6Go9B{T^Xm=m$8S@h%()g~|M_ol zJp)#xc)zNtDWHhi$;>YeK!z}JAZf?~@*Bl1IDNl`oF{SlL;G}dI;QgP8oNyIEu?F- zJX&)$f2wcUMw^@30p>=zU=+(%ZP&U#Gn2?qm^^eO=}v?4XxGF%cq%`1W8j2Xy{U7Q zG#)4?^f78V=G1m&q7_nifN2sH4fSXpC<-i7bepNxy7u8j<1=FwawLO^pV11+h2igZ zWZ?T57(Ut(Zh& z-5xtF-a&%kkBu;#F{*>cV#&SF(Oa4LML@+;60M?7RswNA9`>RX%EZ|v%T~zC<;TV0 
zqdRk+-aaR_*`Qji-PbK|PX9)RA`}1K0;H(pR2g+grcmUgzQsNqohL*gFA@3l=N2o( z5uNW?y@=x58xbEF0;$=?O31?eI#^kzPhr6GC(@G#?_aH!7wT-#_gV}O(BWkdDdMsQ zxHm-MMQ>kUQ$~9|UKxZ#_(%oIEP2p#NUIR#A_RQKw&jG62|`aJ5tQSNq65Uh{SUwdu&4&mCf8>9Hp?gtJHPvr27^x7 zeNk34RpnD5^sftcC)~H}zgHYSn8%?wJAbq&J>y7pT= z364F5KmSFJe^H=;f5ADL;4$}Qp*g}R&Jq$p6xy%{nXgM29Y7U%Psy2{xgxhY8CnO* z&lM3s&^rEN^?Zl?N-AnB5uF<0?IZ(YRj+N=`Nw+RQ#5kQRlh>HGs(XoqAmXX=FUSl zRF~VKliA!|CXvH9DJBb>Hw|S2NR>$f&QWQnA06C-aMhI7kxZXS9)3!7w9U3nc5SAA-E95s&2}Tq(R8n(TL3w3rdY!$*ax=LoTaXvY@~sdS5_d?JIyVf z&Xa=F4%9HU2zDc@pu*`hLMDPZ6hh9lpd1iA)9q`Avk)brGgUG2u@G-&ik0faN6Vp1otY4zd3z$YzwTk^?%Fz#P2US*f3CE7i3<#%*@Ws-Obrf zWJRZyW5!k$hZps;J9qX~H?=%+JAdvSkJmQa+|AN^vMkHro}Q`=HJb8Zw>1GTHGx2d zBqFJYkwPW}5;YarjjTnKs{qi+f!Bj=BYPjdBvPp%dmWBwRD?k4Igd4H9YpPIwh}1+ zyMOWNBdmaEoDzfp22yxJ1mm8n5JR((bg2#;NC?#2ri9eO7JUr3o^=$DSEHM z7(&F{KUteqR z`}t8h5Sqo((w=yDr*`=?Au9(<*VMLbpk~knV(q$zfZ`E&)>1o#qsnC z=Ka0B4AN?j>xCfs}Vv8EQv$9zsWjtd=dETz$LProX3NMAr7yO=$B~`p# zxcD|x(9m?nN0CZ_Y(vhyzDJ=$Rnjx7 z$-d$^>pGdHMSVJVv44K}a{p~gGfU2RWw6V(J_>M&@HE^;($6QNB+m>NuQ-1GsdD_2Iq68cR|8r z&Vh3Phg%9>lW@@8sO3rJ`P zgIsrjG-xz$*o6;i&SYbc?fhs3OsvE7EhPWpT|XI2N_@G?Zv}9%kGhx>T;jV*Dv>+e z6KHfG$fiys3+<*BBbNgGA9E;RuHiTDHz!v&Vb-YkH+|!Io#~uYfir8`87~}n<5;mv z@zTI;-TW?6Gg?(wCwTe1scAnKv%0#vA2Gz^x^x?$1S@D7@&^_m;I&Xdm6>{(OOaUH z1MpMgL^1%m`TXsD?rhki6{LY)m#OZoX4_W}Ardbloel}Q9|2&-CMG3)wFwW|2$8bzbu;}Sb}gaS9G#p-KW%msMk*OO4hPqa zq$J>zPN=ENK?RRu77h|1PTUgo@&*t;I8+C=dE<0(jQAcL_T)_d1UrSIXbWISEgFYP z^d&^&BA@?a9qAG(5TQ@f7uuQ7X)p`*(W4K%oY`PXHJ)8QvoIY>7eVd$RdSKOzP=;@ z-XJIg_fXO~lF^NVAA8BE7n{M85-47bV=e0lfJABJC8BZeBK}_nXQ~l^Mj-kYX&M|f8}E>s>y#sswMQ5MPJyLvnQIvSrA?Yn0l$G25EiESQ9!X&G+Ha=-1 zc2b#cZ68#qQ8aHZYFyB@v9U|^q6Lw`gkgtTYaI0nn?%^KvnB~;h3SdJh?3m?@O;~_0rK9xLqip4 z)RWl>J-7kb2qMRTfeaKIdd>|w_AdiqUk80ZirtjhV z@o3}HY$k`v(9UlU^Mgtrt*BPj6}r62ef#-eK4zKw$foMaxt-+6llXGBWjdfj3Vsgr z0v!Mt9FoL9uVgvwD+Kqq-z0Kv5TEP@mCIJF=sNQ7G?MJPQ!lrVSkfmf;h&D90=EwF zB3kavE}}iKb}>jxz~L=9qxQ4DI9sriq?vGP1HNX?k3OQC3a-^JC>=x%Yy-8bzTOWj zneay-HTQ{MpE6&Ci z-I5-I%+5w>E2 
zTyr~lEQ?80f|mg=7hGB(@Cj8t!iXMDxw*NK1R>Ma*S|PmMFyZ7Oc9cK`XhfUI`0J$ zKaH~GN#~y9EG28%gYFZi50RY%v0M0gKVcF>NvI$)_zbA8)(0nb@v|dLSIDa**&-4X zA@_zf8(eFia;1t^2CtDUwSx^3ORJPl3nQTQv8pX(6K&Q`B$++U#wT;L6fSF zhYQzxbNP%-m=`xhNtG@r&YSkFp3xZCEW1laHe0gqe?~mOZEQ zsq{D>4xE+a@F^7&pOFPEpQ28CUCsCSp#S1PiLPP8+c%BELp?{#d*8)+-txxhToC#J zE`)emxvH!3Qk(SQLgf<@mS{t~r11T}5uN`%gW5n)9tb*;(0K|JKxB@Ew%-}1U9f&J zC|Ot(NN!!nAYyfCi8T9uS(`+~#7M^1#OsC51+<5NWW@OY_X1JTMZn1-ncEbRaw`xL zOJ>)pPb4$+uWuppE7;mIn@~{#m5`bf(}XmDqR7ZQR%B}fkmWh+1Q(W}@+09z?!58{ zHh2(t9b{6`Op1!L?fd$i3oh%{ftCcvi7iVcZ^Rd*%PgmST=o5))KLLXveB|{+!R{s z(Ih{I8({X_fYVScf(%443D_P=C5uM<7CEdS%7~V78Y2}dFg=T8Wx~{sq z?H1*3hyL|K-Cd^k--&GLjaQL{TzbUr`M1p7e?JX)(f^*BbdLU@W#=!AXFNp6=TlE8 L{GN2|!XN)1TC3fp literal 0 HcmV?d00001 
diff --git a/dependencies/infra-as-code/bicep/modules/hubNetworking/media/exampleDeploymentOutput.png b/dependencies/infra-as-code/bicep/modules/hubNetworking/media/exampleDeploymentOutput.png new file mode 100644 index 0000000000000000000000000000000000000000..b20b5cc8cf762b20f7809ec328086024f72f35e5 GIT binary patch literal 88069 zcmdqJWmsIx)-8;?li=>bNpN=!79cnT8h590cMtAv!JXhvfB?bWNeJ!|^jq2cyf^!t z_gwD(?|GVs?nSXy)vQ^w<{V>GhbbvYp&}6=K|nyD%1Dd9gMfgohJb+lh5!d#u>-w5 z1Aaj|zLOG#s2n5O1wM!yYsi?$%R|ru?-3v%L(Cyyem4Pr2!J052H8n7rmh^=a1OzV zo)NEPrY`L?jl8{TH66Q*h>m7{L4X(w@!U)GHPmCG6+aQ$bB%yom_fa${v|;MiS^8@ zBmsu*gZgkxPyofV?Q(oakDu*StZ*TfFl6gHZ$_dQ&-V+~${SwV7v`B4JvAiKeBv2s zBj=e$z@O+oobw4oQ9bigdWEReRhdAF3@`C)JB*)*BFW6U{Kju$p6eL!O!`P)DM&sl zs)8O~liueZ4fJX~3_>gvoY%|$+zgQUO-cGfU73rGN6S2G6@JVd-@`Dp^XF}%KnU2b z7*&9e=Gpl?5%+~^q~-le`D`n0Yrw|YoEHZv&swDm8+c~cPuAycw_Xnnz-#ea9q3te zKq|sO2^hPlCnqP<{`&Q66^F(7v#&1%BFe>(lH3Xx!}Dt+g9PgP`yg_?UjKlA{_*kg z9aCiujgo%*3o*>49q?jycSV zlRt$Xd6((@{0zvFDcPV~)$1#7HsE_mG}+#sns_j>>&?!RG7iq*G%^$=_mM0yvZc0O zu&q6RCr`01TBt_b;CH{Y7b^Pp4u{WqY00Jq=ezu^5Jv?pgnm390eo!{l)A3`L0MSk z>g+_!rI?6lh55B;vV#wG)EQ8X(6}Ve+0vH<_-|&v&F&J;TD>5Y8h71%+4J6rfmnYYIg5HiGqg)bxFHBcO-(KF`pp~NB>QBId`Z;yNUp^5tOY`P`2QmgmSDjY$*0pOD=S|) zzG7rd*cyx(K^M9w%l5u4UB6M)ygphn{`oDpW!&xjN9JUQ;tbEKQNQ?uK@M4_!F=&EA2+E&1TqSjR2xOmjsG z(NxaNNsOoZOfI`&D0mqg0Ra)0V}|aRCjJpJTgX2a^m;uu0y_GfP_1GHcdkIcsF)Zv z4UMEt^9G#xN=ri|{+odvkkw*+DgWcmR;}>}&aZKwN06-#FxXn#H9;9!**vgyaS!qD zX)DQq`T79eWAi>KADjBp&;wwiC|QuFz_LsR|5)@z7M~8yCDQciNwow|lglEuR2cFVq(5 zxGWgAa7$RJPp7=EfH~O8J-t#Sx9{`*)WiO)VJ4M9cJp*Hx7%3ZLA{Qku<{uLZ-*XY}u(t?CkBfAP3a zlI>QN&San|X8*AkJ(piuWs592Mo-t5ILbnwr^m^BDRe(BO&gm^MfkPPj;4O0UfW+V zLtMyxm+c3M(aitlb|uR&Ni6z$6k_xTrmAf9VE;8KZMKI^#HfAEZmc!gvz^i$YZV2VoqAe<7>&@@)=^F?Q zC`?TY!P-|ESfhVU%xV?9`V6ih6pFGvU8#zT=JF|*T;E|0-*J$+J`{i}@*ABbxbUwRvo&0{L| zwV>Coh&|C=+DqGf-}uDPH+gl*{R|o|wqj<%Uah!o&cRu6w!w$d5w=<^77}i&$4_@E zGVfSG%9ng{W#lY!o;wUddh@|ZO@H=xrO$}MWCNh-lhD;ppH8o8XgHKukE74U8eb29 zkfGFZyT{#buKe!VEtD}A4b1|k7> 
z)ymc*UJqUV$A@LdahX<^!vp8IFgr>`!CwVbw6sejV<~K6G3dMC1VVD<4?nl^he(Ga zSxn|f9R6OoIh%-JkK>=kn`)F-^=jJ!E(a+(j-woBr-P*X{V&+G%9ngS;1Bw7^{1g~ z1W&pNMK!w9I4o%p;@&L=5z4t6mQsk8-K^Iy^qJGFFTPx7NB>08$_2%-sYU2`)mItk zEF3YXy?-^sR+o7$FQ9K5kZ(v`@8WMUJMm_5F-BiFhZ&n>Ni--2p~i&g06th;#>i6} z5vl4hRxb;>K8O?Azbzg0T>U%6=3=N%&Yivc8xp(jUla%7eCJ7W(nh*r<#S{Ej&^hU zGP_5&3zz4FXqz01BF#zuZB~#~XSMX^I$vr3k(bc%K_ax<+uOT~R2FA@YjM>Z4Pk}A zv2@-$9AY*(@4rtK^64ljC@>Sjj{xHkS(DtDlO0&@_H5!(Hn7CqTvDzS@ zG6ecQR!W$LWVPsMgr$=a zA0NNgY=UA1eX+y2ui}=-nbz~~oQaznrtP!qI>}j#&%Id0T*^t`10@H?j38ndEA>*7 z?c7#>Ak`5u7{7Z#o%U=iMrf~EvzgYgMlx`UzDlHPP(>JH%baRGT)5$^ixZ;9F=p=@ znGf}H9)E@PCcU@?SZ7YCW$}ed1gA~XO2hc9afU#{VUTAv_R77d4BkmB4y&`{o@o5d zpb?Lm=3BM`69IGg32ZFPrQzJcZB(HzM?tje=BQ!iluU3B+M*zWrID97+e0mi$FUmU z-H40ZJfoajuld?N%toyiS}(kIokm_DhLrtu^;9#Vw08Ur5lYhZse zhq7-`%obckCKQ@B$o9HQB^yt{EGG3hV8efH6uRtny`t4jBH&*CYSV$wVw&y{7M^^o zamgnBz-nnN0Rvj__9tbjZfm37*ZonhHK!8vs)Kafj)kn?(+`l$q5GtsCw>B%e1G@l zJLR`_57%EueCco?Em5MMVc4{LVzx)b4|kVy*m>z(wzG=+DK1~zw+@@u8ifi25Z{6= z)B|&^5q48xfPKe}5nO-^8kDZ{QYK%?jI6ge*P)+;D;pTBoJHw^@ ztsjLg8ZOD$C^J6OrN?HBmJl_`Q@QwM6%0ri;Ui~D6-|+)GkJrXH0_0t2J!~pPT2Gc zZ>LK-@?}rZRS)$6nF2eE2cuJpn^{>@1lE;h6FyngxX|a1m0UXhJ(e;fBiVDC9GeQH zS^{#lQ&)1rW(gz`GCE3M=vS9Q^!i4?!O7Dx?O9U_qcok?kHb!Es6v`zV%8#dWjgyap-O}xOjn4iqx^lk4AR!@L#503G4YZXb zGr2n+OUuYlJb*Hx1Cw9BpY;eS)lWJE@<|Yed4b~6ZtQvRSGSRG91Sy zC((9wl{-H2|jFCh^-gMSvT-}kEgYOu_&YE6t_w_?UPJZxHFBASt~R&q#WJO zwyKEq*h631j&kfL@F9pm*4LGKX|uas^EX6?L(zTSc6ZPK=IC z>Gkdx(Mx=CX%(U4L$cW%a<&1JEo@vvIGVRY&=YLpZ?R%Cxoeg77z4@etbvGy@FVb^&CJB z$RsRu+J|i@8cr4o&tHOR(Fg8Nl{H}-yk7NCT#v%V#?FU5(QS1>oRrnN8Lr=IlPFh7 zVHoG)e}`5Ve!wfz&f}4g?-PpH-Q8V;@UOjFkgVF_yDa`2lgOncAY2Qtx1SCWUV6bB zp2ks1ZJ&<|B`?&Owpuq8pip{;1O|c`ErvCb$&)y;xNp~<9%-A=uYOL537H3eQ$2xW z8Ip`9di8Ye^HdCL*LR#H=;bb>mZBepsH%-_b)G5~Y2&&spo*7s6r`}gzSW0OOa)r8F1SnLiqdhpvP>b6M^PY`$RMt-0c zCJfkN7Y)?V50yua__U_%K}BgL9KnGS{f!{9TNlAVS(66aTd83&nixyrKh%$y>^t6TQ!`EbsLqBUlpDlUow(__R zrp78Hw%U;wH6A+YuT3oX7Lk)2Xcfb1PpBHT^xmflqo5+i;Dk`ZjmieZqD|T_R?7Em?kDTr{cwS#_f_pzX*g}i 
zt;d2Q+;P8)7LVGO3_7AvBw`^_+yiwsE4(3-G)@Scpnt7NdQ!j1WjxjFIgM)b&fjwB`hE^Hul zcTe}pHy7ikWrv8X*h0Q)ySF_%I@%i-~w;Nl4b-Vj(JUb@ls=078 z*ZN}sn~v*>a|`NuaPurix)zQil(P9(Vic|dRAl`D=9G%_wMD;xfjb_XZ zNi(W-RKIwi6|hPRQqn?&p_XmclKNh8MG`0c57|ne5^-bVgp{wk%;Px5XR7#&KM}NN zw@r3y?y!k*myCn3ur`b%=V#m&1`nto0(z*V-8jq2La(gQ)C_nryz|L~q~0sGyr*7* z*}AFhJ#a4P1FGz#sO%UlgocVLPhAg(xqbWg@S1ylOE%(gv7iALOWKdFud2S|U@cVV z3wVaTLW#o%F*1H}#cLg6F-NX)a7{`yJiG5pl(yYVOd8p6UPIK=V6XXAI4&I(tV><1 z=RsW5S6|w+7ZL!Cd&vV6C@$-Jt8*5y>7K6>MYBTmDHU4rq0gm7lu6vpFIuX@V1O<} ziJ?gF9|hiDsijoB&?Iz3DRF-Lh+S-aJSAvwaaL2L&Ac!6Xu351s!~B#_G5?ForQsx zI-@%wkV{UNsz@o3tWKSL35N)=jSzk z9n_6)j|)A$2t@1NjK=u3!4uL?^RM)_I7E17EVF-Eteg_;elc~cw?5hq-NTmkQ?tP$ zQBMgkYYyQ764L#2v%f`C=MJ5ix8N8an^qwqA>l>pYvXXM)wYGj3NIlhCV7@D@J0}> z#j!a*YQ4v`O;}{)bk<7qb(hL5fJD{Kbx#RmRNHqhc6haJ@9gZ?ng|5{I^S6u;XUqp zv(&dFiHE6vHAw37r9dWL$C#~x0K24-WZn%j_beGJn`;0)fv6#-AAduBMchrJ6}xKm zx*#AtWJSph)T`uboWDU+_I9bcQk`eo(rJ}gOGiP-?0g$RnSu)?;tjzm!Jx*A2@5S% zX8H)Hz+veHZbe)~q$an3buytr90tP8dRo5PQ5VR_V_ww|#F`{)@RfBV8x4Eg>(?C>R~>qHLlwhv{1P$w3;l{RP7&v@xx&#_Pin=fO-GcS z>d34`LwiHfF$F1}JJ#`!=(3rO&<(MfEyjLiM$#G;lJCkSY=@L~8jY{wc^@0NbT(Uc z^F>{jbH?mzj0&k`1H)@{%N9Pj9IC~K$ayCn#=UgaA-E={c3#r|6aof{uIL%vrUzpe zWujb}b!XjoLa;mwlZRQhPJADZhNErt={4BnCI2`dm7NLp&&7tagO%1f@{G`P{B934 zy(#S`8)t1aa*-2|cW*GNR*9WW?=QU0QJ}`n4}uBgWXr2}H}2Am{}C$4@BNA;s0c5L|k3$)(Wk7Ffa__<8RvjaCNj87@E;xThUif zk^|DoC*rSY^5&9^nByKB5o881HR?-`mGU4^=wRrZcE`v4$%~%BLp{7-3#nREl?%-w zSUny&pRiKTjn=ZW=ld-SM69CTL)qA=W?XGDe;uEJYD~o!#|LSf2#`nJEf@E1^B!8U zJ;o+G8&z4U+m}aytr={w+mR#Q^Kw~dEVpDb@Msp8*C70)i`8$@cnE0AYvMD4J3$f^Z%Wc{|#h)x9V&yhd9w6vx*u55W`?8cW zKUP-Y4JD?gkwVdH`g53-8EL-q3v1LL$ajnp>O_lSXgw?{nKpoylfS*4gZr^u&)P$4 zdWn}&>hE2e2LbGO+{KH$T5kDaR*G&kl~~YI0 zi8nf|Fd zZyMt5{fLD%B@PupIn9mj{MJrA%A*$+$|1#qfp#l)(9vZOwr03DAvOy3HQUhoSli*C zu2<3De)V6ep?QP^?XF-c2o%2+^77k7GCj&*qOUD^jZF{DXDw(W^6}AkCdqjFi%WtU z(SPjs&x-F~@4K#HhKWUC@?MKu0c2Z(2oXyJI7$LPxipBN=38FP@V2w{Kp)ee^yg%H>$dg6*Z11~L_8ijzsQ&Tg@o36_;->#Wcaizg%lksPBtC-O9R57vKj=8%qumcI 
zfT#W8?Lx%!+z?dFfoGOo435M<$07T@Nrr$ucynF1_2oHsJ4Y59;ljyfVPPSwHudin z^}jpzKUZE#cCqmCwp90Mnf|{RcqK_F6!LeHcIE#Jx&L#YKSofh`K^Lr)NfSyM`Zpl z%_M;#k03oS#5q(NX$!y`FU}nXNVu3kwUw^zm8S-++aM{g{?U z4}3=R`WI;Sk3s*NNpdW(Pku{T7{_0Uwq2c{#}^b(4ULR2D5@~;!@zR9DAR zG|Gv-rTPcb|Gzx;lT6Ms^VCUOCEY2(7xM6YuM4sN#{dOkhM7K4T1iWQ^|Xbc>h&=< zWXiql{z2gVTSxze{W)OLHTmj(RtU)_f2KEp`RHLhYePZCL6}%r6kfL%m{ttKwRLsI zKvwS0^p73mzdWPM73NdDZ&dRF09CqZaahjQA1AxgGBJ&=_5mBTQ-+NPlrm#9`6b(2a*1G^WTmO0R@)5nA7)3v|ef)YM9g0 zrbu7|4SY#d*LwvpR@IDJ_0q|mkGK1Uz~BAbK3V8{|0;Bm-J2;(2Fd~t{!vJ1xG(cH zpzlET8=I`}y#UfQ`S@2*y$OamGL0hSN`i(*`vL$pax-*9iVyeqRMgaks+Stgx0oML z4)(57&m;fC|7Ar!OclvHoUDu7F}!*uGh3z4VjJlt2GHSh6O%)EC3EGPZ+?@43N-HX z`xE&gI1UwxDZi;vhc&P3p&XF_{^<*5%YjJz+k3K)gsnSS9tS&CV?Kk?#I<%CqE&;| zi}d@A9@j@{D#F6TVe;&@t2%GalFY+UYyawZLcDL;e#z&o%~gk%!xh)HnYmvc$L({6 zN>_(Vw5_hkE?))(tnP14c?lqo!T=n%m^nTpgHe(HG*C=)2O41&==;=zA(ktUOS$_j zH`|X%xV?pPftneH_83lhb%iao!siXyJ^5HkN`1Z#w{Uv-Q0&3o^7NB4S=MYN>0|x& zp)6b0C&5tPSc1GF0&1asBkr^*uQBB)51Dw8sxKSHD%8YD&Q-<2wmvB$*xF##Jr2Hu4&tR2fYS#-8_`E-zOIM6jZg9P9k8pwMTA$POk1dbdA^f)J{`rJ*;_V6!c@vs?i1QrUD6u)Ayjr2^ zuFPRp(_#eZo(d0d7-EH<3Okl=Tz7&}&w1?4;sfxGB-C*J#0ozZNr)Kf-je`Qq55q1 zy;to|01`T~d($0-K~da;!>B<9r14X_Zm z9o$n08ddo(d0awAe;1fUJPrjtE!|!ao6ZUf(HUM>3$>PW%pUsERr;MB5A!o}vU0y;#o+#QyzX4~J-o7VcF(EMBgR5&Szg+; zTkGYWAeFu83Jt^B&jT`65b$Ia`dOa+}$yeJG3TAZk&!&Xm?- z*bQT#VsI<#buB9x{^41Vr}xg_$Dib~%bdnnBh$9+H2BJf@3`%J8z90jheA(!NlC^S z-j|<*(M4XZzlzpadVl=+4CM+4L2*pljb8v7n@Wl2(&=bfGiFXD{bbg1=2IfO)x1*j z<%|6nB%Z{)PO)p=ck)137T{no!`%?AmYe`qxIhv|DiC^kCCkq7P|Ad+ZTUi9SE7LS z0bD0q`{1!13DneOwDP!&e;UM6~+4m zNLjR_Nd)$4MU+;Od|j#ycE^0O$;HxUB# zLEBt4{^7>)C~-XvHKDFyYp@e^6;S*55J4r>>aIt(Y=62t*CV8a<>RLIzHL&g(Z{XI z>d~m#>h>r7ip0HJA#R4_99R=M5sD#4@}OVC=|pR} zQ{-75Zv>P6_$Q=3R*Ilkiw)Wa*9Q%DK@JWzp^ge{Mq3QexSioQhX4yY6`@ZaOeg9{ z#OoxT<@4w!XFb=7VLd?;r~|q=MQ7pcBbV@~GZ~#c^t#;B4=`0kUn>bh<>j2+`*EUeiShxh!NSFZK3k>KoI&eFQ^efW0fz z^}3w7)q>t2m{Tp6`v9{wQ>MPppD^f!I49WVS)<_ZjKb%7G#%3XL#tOoa|FETic=-8 z$@l{yA8Z|JXGy(Y@c 
zX#9K|oym4-)>-a`Ytvf$Ulr(IyZ(1--@$r=AA|h-9}P^((8E{#p#m35fXW1RbqNm_#=!Ex3Yg4pI6c>sBRKfbuYe|Oszy1J z&sW&98x~g@&_v-xlhacwTt{)O{?wUfKB8Pk9%wV@g}d9i{3eDz1R#>1wmL;&{6nL_ zm0*7Fv+bd)M(^8QTJvu?emK=Nm0035{7^AcmwyrZ-jO7Fv7|otHS2G><_$p%ip|n@ zLw0~7Cg&X%9-Coc2Wh!hgRH&^>#LA`6q+}u7f2{e=z=%G`V5#KVdAaf(TQH@SQ<1B z7}mZBwxn3>u^i75;2l-BZAROad07r$W4|Sd&+BCNIX&1nrh$g6c}lwLCFFH@PT8cX z5rN^!t&HETSfBp*kNIe4E4>l>UuPrmG)28HCl7{Q>wQbL-<<|r-(R$aM_8Q~Nobk9 zRWTPlfDW^oAI+^3^YLNi>vZeO!g-h9QQz@h4l%;oT9M)Fc-+j>?kjuKHR?-7y$*qF zfr1gDn=R-Cft^>ow>P|qmCA~bo|66SjeX2E-;R~dza6ttlVx9s3eSf#sZ^HkcwP-bZd1bTzeDLkXL#xWD#3^&i;Hg)4s#9s*Qky*Zbb6(PPnXnY5qyxsA&Yc= z?!;vKdD_CwkDc^33$4bWWkmTjPrYM8f5DGYjY(B$3=MCEq>+P3Dw376_~}FUOsvfGpBD1)G4bBHFw%LtJ5F~ta6rLD4@3{ojAB>d8#HB%rUUydu0yXkNvrIVNo&a~U-7u%XYuDw0 zvB@FogZJj1Y+%`WPM1cLMj?Z4PRB7ykTc8eWLgpr9idOa{Q?6V&`ah`Sq=|Fst#vR z0APA8C}$fS2+D*mcZW@uki>UjM$)XPWF3bvUwjXc!_!giXQ&OwK`M9 zOt=~nY|McST86j0zqyK;7zmnylkMP{>fo+;MZwZ|R?Mp|X!QB^(zwuKNmfiwqc0fv zLf&obw_%p#G(*+4Uv(@=yl)J=nEIy3%+1Z+Uymi6e#eP-26ofWU$X?XBjzz?YB-^2 z^vKJTXHVEi_>Sio{1 zhC6d5{oaN$#41m~ert1fm;X-1+v4KaMyOAgELq}&xAAL);{K*r*-d|?qtyYONw^PPkBL47Ca|+cOM(Q;*MVQP{G)N4v(^mgSJ2( zj|pC%1o|i?J-i_;W-j`SKQ>zXO`=+F+AdxN-E!+D2IWT9k!LydB4^E7lU2SJRsDbx zs$%kzG-+s0x`?E z1w~!-r-p~MZ8MD2Y~n1J{M@GV*&e>bdegOP{i)6>3AXGclj_m#r^>4UEM(m9PLn|v>;X!xUTQmZ!UqMX3(F<{(;my6(C6L!3BgH6qPM|^h{J=Q`mZ$y^{*X!1toU4T}KxP=QW9oFob6 zB>95TQL)KE5CEb5KH$XPF{GGBJRIOVR#u-L)}Gv~u)F|XChNyZn$1LBP$l%Z0A3(2 z*r-?g8_#xd87qD8%Vxq;g2VMV$3P%V;k9zuTz2_EH#Cvr@TLQ@JDhrQ3$YKp-uKOq zR+!_9eM$X0CqMIJ7Sp+aWQc6KmyDI%DxA#{KYjoJ^Mo&{eD@(MRc4c&b0q@3Md>hf zu$LOG%d+X%PH$?0AyCMpKOn4300l#POw*Kog_CgfKMPK9cU3g_`s2`MXcS51jds=I_UycDetY93mB%!_FQ!?kKqn?NN7ds-Z2 zz}78^8?8)n)tT^(OO4i)rXo&0K7RspyEfT5tIWM}a=kx_7HYkr^G8Kp;@~x=c8w-F7$pE?J2K)!d3Cn@ zC+qY>qJS9Zx>pL}MnP}F)dP#*Flnh)u9BH>M~q-ZYzV-|>;P4yxh@gd;2+!ODRe4t1Eom#Gc$w0Tgs@paKR}nWA@73kcPD!1N411DGWy`8mtDo zPUIs?c|pjo3Dc%dA6p64>V&_!mG(=4%N+UPqa?Cr0Ceh}bauNGbdIi^r3fM;9wJ%%oS5xZw0bQ 
zkzjgRT}(sNZ4^-X7n$KJ0GWF~^NOmEjK>K}X|d)mp^M;`UpW++`Qe6Lyj#_rsImijAT%Rp$9`=%-S7{SYJE;=*1}|;fj0))IQoV$hoD< z_*tqVD3<&W=ND6o`=<$1A3%pt{D}cBn9;~2E9_V&;$1S0m#P;iqXE*T{M7ZKWsM;T zH*FdM8#9AN55wVkw7W?rFNRU~Y;(Tkbu!=@&5vEfU)nkqFii$pscb|%eQ~m?D&MTm zO-)bzBoH>r*2pug!ol?r3&1Y2c5mOj31M zHIANxhF%AznohL~YR9tGQ$4<^@LXROPj`OfF)jQ(u@`vpCD)m2qN;E0Lg!ZPcv{S} z&ZhMkHZFPhs%bS}@ll^9t5X?AZE zAPB!gYkj3Oi>unzN5UHQ^?w|+%AkRI_3BlN>3MS#K3tC}UhZr`D%08K=4QQVolL+E z2aHx|<18ya&Dsi%o~;>rmZ#7CX-KPKF(a{kfk6N~dSeW{0nfU;8O-kQLi9DBD^N2L z8%k3Wg`6&P#zTj)q2|K+x18tyFk8|Fa>h*Na2HIpBC5Ni)?*kJ{+1^oJvBSN`HdeP zecmC_eTkg9;R!M{+y*3hv-U0IW|aTO-SC{B=$NoTej59?5VIVR<(C_uBXPw+VCyYj z$J2h?kv6yUgZ{4^Q(5aKrVqiFyv6F{ddzYuumqXC?>^HPtI@GK5Zo??!2bmC?DU}*vtwQHmM_f!RztBpliNjDUk-ndJ!@0+Cj$~XV+i9FF zJ*N~$Y~d54XIZ6WQc&9UYgnefaWa(L)3UC9$4)0fH!Uhm>abFwI&brCQsv~skzh8xfX&A_c~(OzH_TqUrh)ex^)N=2^v&5 zf7=Q(e@UOZhRDP$yIP70JA+cf`tXR$RKh-$l3Tbo({-Rc3|EB2rcTT!M|2nXBqc|Hze)WQYxGKl;U|AZHdO}oSE%eRDAGH zL?o3ptC&Nb@_q|PtH#tj^;F&Vpt;-O8tQxHa&NM(`-gzb**5ZnP(B8`@Aws)>b*z~ zmqG-tY7vE$M2I+6?8vq_3`(N@>Q9ogW&sO-AbUG{1U%&zhKy~qkvWG%OABs{Pxm`Q z#G68tNw51t0Njfk_Y#bvXc&rj;wc%50*HwNXQroBV=lcifddMq>49{huZ$Wd(QGuK zL>PSQH6h=q2CC=t>k#U|r-tn*6m1wA_EFU|)xoHQIOnSDhs}#Uy_gidFb)Xg8q!mE zivj=uSC1EHPu{o>#4smL{)*0rD{bOzoYffCKoLJ*)ZSnB`}$9l_7kJO_E9>1v#Y*@ zP&M|AmWZMl_`L!J^68vElxzt(EDEaFezb%X12Bxd63KED;ZoMu@!{GBJ=e>Ga50bs zyhbRd<;xG&&|sw)V!l~DlsUoB(dt(!Me|b|4^cIS@5U{D+(uVx9Q9cykOBy3B^_ZjhnErG-O@w*yp30%Lf z8b_+JiC$KL)OU>M+c>_73rh!HSq1-uAOC^yvIu&UL%jcGRpUF+99~-E%W)xmE^XQu z?S+RL6z15s47rV|^{t@jt8Jjjh%_E?(GLG@acj#Ix2I#y!-CGo!OJ4D@n_2sl;yW`R9CP!P>oczH)hDHA(f@pQ~S$$*D zsf&=lJWQ7b`#vb9G?ZyYJuJ3-g=b>E z=W%XZz&-{$`SD{k-T4a&LiGvzxe?d0T|m9n!n=^%p8&j5Z?mF> z%O!LsFw^jZJc$kmG9V>_NnA4&AHm!YZ)#Sev;30Yf;1*k>}v=Y_oj+iCUUe=ITeh`H?)#9>Vq{7fA6GbOrFVSet!otXQKU)5* z)%FN%WzNeMZ}D;zJ>hQd*GCcT333&GAD-&<7Z!$6#N)3pK*nMG7NNte+oI}0LNM;= znk(Z({o4Um8K9brDzv`;jD>>$L&3~pFq(wEP9f_JOx2{DN7`NWI8Fq#>`(0mzVp3i-yi|nh zt|QDXwbS>wUU8LwDG(M)YgsM%`xMnKG>Y;6d>4RI3SB~f8dUY}RPk>Gokn)K2%w(} 
zj+NJ71=Ll*`OUevma=M#A>2{PT4t~;LI|BV&q}jfP4!h_$=Gf2M7>xZ9W3IWdY9&4EErd+DP8F>Kqq1>aP8 zv9HKw2EJ$R1EwO#8`96>bU^*W;4BTFW}(b_u@SaK=e%r9<+Ou%=PQ&bQTxdXhsI`?#x`l!HfyN0ACm^sJgu5vLU~vt;$fpFWmS8Kw zyizt5^vyuFsbHSq6yL#`8ai?uLGhHRbek5Lz3I|?Ts`*h{MHrLXB#+Lq3n^q=)!6*4V2)8i6S0ctU|zjI%fQ=i^K5=WpFIeAYU=E=AK$65wq6 z6k+ulKOw#`uDE+|(-P|rO-Ly!wj82P-uU_R=d%eZ(p^IgSB(6Zpuy(#4YYvdJ3#Mw zDcENR7TP50CORP3Tk||0<;}MJ4b3F`evYOnhpWUMW6>eSL_^FCvpejbB5h7uZvj=Z z6`{UeG$6fx8Hg*=OxJfh*x|MbU$6$=LiHl;rs$%JIC-0eV*hAwJ>U*|(lX$TF~?sn zQVp=0#K&t|K9Bdm7JCWicq4J=j56S}Zo3;!fxb21xXy=|er9`%*8+(7;{FozO(&P@ z>@jRceom8cI4WryG~T7HcVr3k@d_X9C7^i2U%~LfWBoLp%F_9?xi4!B9~oO~i;r~S zB0pMRC%+$}K}nBA*Ljq${qVG^Rmd8fJm&D1++aeqxld5wjCJXVF^L9?<=SC>44=SB z2vRGX{^a!|6Zr(e?Pi;CqmGHi$NC>@Z;^Me zwoMMz9(LY1TV<&3HoAIO4F<4Mgs3abtu}F}5*-mlc~~6ptAY5+=0_TZ2GaGdH#7xS;{XgUlCs(Y~bx)J@ZZJh%YQxpMHcw2Py(?gMq8yjF zcaeyn773Xz@A&CZ6YVl;U6PEbZPl{6bg5cazV8ts8!gB&UGzZ=0GhBVhE=5q!_`kA z;jr}Ggz@l?A_lzHb4@Xp<3}HFUwsiE7s!^MbUxu}sm&+sOe`qG)-mQOAU^`n(Q@vN zR~KMVK;|k>K9pMXq9FCu66vwYQxG`C5g;}W`Q4X;Y7hF0S{@cNLu4Xyk9WPmbEJA~ zYGxm@xgjyh2^PEOqF2mKZm1A7-7i7fe@=2F_lG9$hj4S%O(yTSmH|tz-|Vt z>xE6A!RRwi^~&4OC)9BZFlr0dNBJ!bIkI4~q$aLTHu8G1gfAbd(r6w9# zHzhe=LIR;>tkHb(1AwEn^tp5@hc(j*ASjgJO{W*@fN-mv+bPh3U}@V$GnUS;z=K@q zuj1Z_ZH{-S)UjQXby0}Jf7NEz99k+Q6H*U4!m~-6sOiJZg3&u1Shiot$B{sZv8>|% zI6i40h2aiEvb;MiwmMu;;O(#W>NuuBVZt;Nmax}wX)(y-#c!I~>K!&bT1|O`mudJTlg8w^+S`j6+pE~$;3Ts7 z0Iq;N#Q4>=TK1Cr^@%NlAvX=$o=f}t0+KZgm7+vU3AHDCj2NA0*0~byb z$t6EIi?HZ7XeYT;-{7`=m3tk!gz>q(0Z{1>xAZQZ9S!HM2|ZmL#KIh3@i_iywiHD^ zU(Lv0f=dzkt&a-t%9DtY-G;DVitn-}xOupq6k>}(B8vKv=i0`h9$ct7wh z7=51?fOEIr(>aXLCq-z6N9z;teY3Bkf?W9J_S$c9&)VKMkj0v#TQwYSZ52#3$;~cy z%Dt&KG=`oQbwyaP6Ah~v$p5TCp6L7SCDuBvW{7L^@T~cXPL$O*d572U)bQdeqW$v= z-%C4T2leUKzH`-jw{k%5V&J?~qC~VI`$dQ47Y|KnbNZQ}?0{&%#wY!!>NNi#LQL%C zM7Q5MNDUqBA;Gktrx`2uh>;~sm^Ic^0_IU!jCLGo1#U|*t+y`|Z8XAte9x|~kJdgu zWXx>Fg^uXziP0sWxa(5ye6bl4{NXK$|A2>XwKW>$L%9*vBIk037V{)I%qKbff74i% z@c-5*ZN)({e)3ze?Hf655NR98HwXp&IAn~)7ZVmwm?pl=xRDU2A6-;Ln(^sa#W5)u 
z*>HWN{)Im%-?R+KaBh5k>wFIbXcl1pWOx6jk?g{k%vmNEC!-hZ3l3q&p+9XP55~jc zd{qICvKLkrJQ=3!Ai-LCUQ5Ld`@5f@$Vd-IB*9lMf6e`$lI7p!aWj#=iZBNj1ChnR zsTDgUgby2|Vk1Q*;O|R{BDM$qe~{~c(>Ue4#-ejYIT!}NBf|c_4CHSeXIH9X*R@F5 zxF-!i^q;`@pK>t(67rK322^#_HyGS7&$rtI6o0s;JujYb_5Y8%K}FDJzTKTH92tT> zdQKP%*t+W#)jBRQu`U?t4y68no9usGUw;W1jB$#Djr{yQGb{kjp(2O<)$_Ve;BH9s zdIpB%&(DYopkci#r5SttH%I!1Oz!XNZ4|)+I<34lY%pS3#89_pRYRL zEFM8&LC-%^f#dgAFQswcJ-@6@!i96x3uWo1|GT)7I@13iz`(z+vcC~uQ{kl*{K)_f9Ep#}zGc^*+hf8bF6%gg;o$T!CT&gz!p#AHkS z)7Yv6h*c7nTu&bpH=m8^dWJIw9sU9I{Qk9!A6no%7EsX`%6(T32@=~*r<<*I|LO2q%gA45FR$c0=WH&;hW5e!0BQ%}Wfc{`h^ z;jSXe8PY$sY#Qki5fLf2lfrv}Wq~XpZYWjk>~eB)7Xg=a-N0m| zhd@ba5i)j;;8$I1V?ABUtgXQZ{MeZ1rX~p`uh4FZdNE61FdA4=cUsm=vaWF z5;N~7`dq--!;u1wS3q*Qo~V-9XkxT z#Ynti$B}nW3OMEJ46>~&|Md$JbV+idUS{;6iI<3o=}XSYf^%0AL-*V-$n_ zU=>@>*+Hmb{*?#oIeWSNg0LHws*&RvjA?m#3RL9s!9EodERkCqF^^1!c#BN_r)UP zDR7AGhFrYXHa+-;_bhN_W#z}DX-Xl3WgjFm99>Tdh+NsD8D7N6P`Z!kTK-BE2Q*>I z4{%{;zhAPeUSmiNv3eF9BiF!_`cZP{8NFM31w$21+XrN+kt)orEavSoQAWviRJB)# zQ%dO2zT$Jp)XYUCVaUK~g3fu|$gXY1iYaCM$|%>$##qXCQ7TzDMo5b7GPHhOD*oGg z@5>d`vhp(;rjLq4v19kkc{VfAAOrM)ENe^Devf*+0dEN~O zG@A7!=j4S_Tcx`P>A(PlKJI8lTI1;LXdXSW_B-FFZ%2OQKYGH^I+3rN2H#zLUrDx1 zTeuvp^{oP9C4B8u#Y!DG!q*eatR@gVE-T6RNh*ZMm3#<5)7w7b$W%1r;HKKPRmGIN*>nF^Y}NcaufQd<((?9DcXzjG zGb7&t=U_eT*jULj5vm{&K@oE8{OZ`)GuKlq?K)yjbwZA+o?+H(LrA z_{yz-P0p7pnKfImjlVHe{JTg7TRrW16z}^P4=d9w4RQ*Yt$QlwIWg+gAQJSHZ#|Qe+2qrf>|0EhQ?72IMSC>kWWy8yEvS0_X{; z7k~n{Ej9rP$eQAPQ@c=yI{091PrzdD@hXLp@*Oyq=MDszEW>SKKpDaow3OXe+lCts za<%=)c?~|hiVfJ|$HWbZtX0Og5lAulD(tdBWa4~ydhP~-5ot6L5^uSqf@_=v`t4mW z26vxs(0C#4W&EN_b}(wU*7OPFtrV2dg5%d>vft`yMC6>u2f~Z@qCGJ!Mfsk~m(M662=zp`60Cd869;pbIzXz@N;3T~hG@MOYy9qbiQ_h^``lle1}6Sw^-8 z;qnloAySyPtf{6X40cPBlY4kbjeB#}JyYS(A%82Wiy<7u)F8rd$za$Q~@{6}hpFM9i&xUtB0G}DcxXI z&Fne^c5bgCRES^ObkbhuW+&r6e_%OLA|8rs*!`JR(ze8382G-qEw!%L{vk+jdbH5T zO+Ie-T;Cx5KD8WlWuWyADm~{=R%T6ozvlkqrU$1nk6%?(KP{?PKYauI^H!~ikVN*Z zJ{x_D^kGI~xXrVRbq~yznm>smw{Z9%f*IWZXw5O?sND$KygWjwcf;xK5M`-l_bk5F 
z_2r%1VIkQvE{xUL9;fXJX`N@rXVb7zN_~{WE*bN~=@r`V1_m_~PDu}rYd{#M|KRXDhP-X7(=l*8g(Yg}5|;ZXDJtIl~ik&$DTK#H)aaPg8*^Q(e_ z?Dta-i=#}`!kp1Oqkd!LMl}oBqO#N)9=CFDO(rn0{D|Hyr-+G(trCSqD(A1F40&w0 z<3FGSM2!20g=Hd7Pg@pz6NtA+RGi&b`5HSpM z0|q3QDRPH30lb_Yx*g|F?@}Y_PT+o^K8qWr(iDZZ+;LJ8s<^|x3{=T*=c5JkZUeCG zBe4q_LRq?==>RvCVxjBf;i*e(zb88<(>CLC^AlamyHH$YE|)yGACabmtz!{%EIcA& zd~U9jpk5)K%}g3|?SZJ!J!&J`DyH`i!Eo0^q)5`hpU6+1+!aT8hSQJ(CX*w-ZQDr# z&N;3e(6nR`Q*f;oYQ3la^5l)5qMy2``4F82&mVz_)Dh%&o}vyLpCp8}wURxCh^j^s zEchCVIX(pc6xbo-indQKD$goluab$Nhy^ZO+9m_Zg$y{hg`Obic?=_Jb2Gn}mJNN1 zy^|TQ%VgykSNsUs5<`bjcrrArszzur4Q1&zz^$RkthMuza2x%)i?0!755Z1*`qF4# zekr2BY;h`t)B$UB6E+pFWyeT4-MzNy0rN(mQb7GLlY@;C=S*ZZ z_a+l42d$6wvr>~p?YH^gw?jSi zEq58I8x-Rgqn?-*H0oMLXgQ>qPZRyP$=v_(pB6${ zIohdA6rPd&^Sl5^D;gilP4xl{U27n<8e*U%CT4&ub{ZOl4pdtL<11AfPUxj7Lb`rX z8?_{mED3aC0gPVdOFd_De->i!PzfM)Hg@5l7geYfq2<{uZv!Tv&p5+OX@q_b z2%l=}%r&%byPaAmv`5KtO#}RAvx*A8HNT;tt=T-{kC-Nc@70xu@OdCQ-%%Oc+%{Ni zqCKBHXZo70{4TUgsZw0BOOk#MucjJg&y}DZ{Xvvo>Un8mXkC>Q1Rruxwst{3fuY8uO+1)!DYE$5I#0N_T%V7k!;_ zs?oRmKbk6eil=pYlw|V}7pLyHckNecT(;zV9oqCa#~%|CA7kUALbPbc8^`l#xMYKQ z@ceXarNPl3|B@-IvP-VZqvF&nLXuzPH6QeCFu*V-_?n%+!Q<_RFcjpV$B|P+CWgaZ z5|y7r<BP9O#K#Q5iNqJynvcI?M{(O#+^mUS?n3k6ANuYw0ou zsd+u(*1{Q~xfo;>-K-gAtiB8yJo)wLgJ^Ssg!A!(awWTA9Lx)rkl2xkd>&gx*5Yzk zoBbQx(0rQbzu!f3Opu{wJPjWf#qXt!cBtI|MyinrXC@#YiqZ{tV06D{SSl4IlhWt$YF9{QmTj$6IE$C^()Lx8m?CiLa8DXTxOmdhck zQeF!tS@cIWUDr%O2_XnccsfOdAR9*16i{BY|YNjrD4YvMbDTX{=Ty+F7(=h z&avIOs%eC>KWz{lpJ-e)V6#N->P= z-E5QLqi--)y}XIJ*0S4iXL`rkokJWy*1r}51oXrMWZXa`BqyNUI1)h=dY!&=<9X>w7`#-3h55kn<;c0NK5NJ)8kd)ArCk)mX_-%c zhP-=}jD@*JqfIasumOzjNYPzrAektZi8XlfTFo1b2J4JUmTD%1#V5ESp(obCjCO0p9=&%$!_Ug{O~!>Z@KqTvoFHwO{k8&Bx;ysfnM zQMJ$}a3xw0ufKGyQoGF9^{@)etE2?yW3;D7&5<@BEb2taEEBWq7JPRYPN}vkA&2ih zF@a*{#fwnwPRw+UC7AQph@772dS8O+{@AGFShD$~M)R9Sk*(2TB8r}Xsybq(7HPq_*Z#c6$`&?ZJYqU4hn&v8qsdD=r6cse$Q z)Iqo^lf<7*iw@!P5>@au>{aRB42glPdzr_o)IF`+RIvOF1o)_c&;c`Q;Gt^zD`yeMS*zEDYU@w3Q=Qq8stX9G&Z8raBgW$mc_ 
z`K9yLTAxaTO|#D@gUrUw?DJ8A3YU8}huq7THRLv>fnR=)&Or*%dcox>rC5Ux3XCHk zpPrizYPE9WJ{CVj01Hn?;(hHaQrs(ZzF@2litT2h%k9sAVn)7CP(A&1-O6U`|rE%gp0+Vw(v0Q^%IbBlq!_T)9U8?t`P^2TERPiR5tmzu_G@1O~MLvW+ z@44F&hQ{rU)QQPbf9-UW%`E@fI9)4d$fK&dH+dtLb86{d6KT7gwG37s+k_irb%sHi z5UC@hQale!J2hER?=ycyR=OT}Wtcy_O1g{EWNn}~svFqD^I7({fFYz2J@lcVs&wds zG~xs#biEGQKxZ2RgLJr*Fpf=!N&VY4I9o;$GOMC3@kr3Ma7gX|#_8uLYKf1YXn;w< zWqFUX2m_#fEN~<=w=uI3hJNH$|MSl-FL_PrImOmcjks`x)ya`m1k*QzHoI~{u*il zt>165D0b@SU;nYt>JNL?ShKb?6;|f*44udG!ogi*{h^DAVH-i<6PhBd=xET;#C(=4 z6+@)awmZ`vO~wZuMbDSG`o_6Bzt|S_0gK^(o~M zm1aWOMAp7)#O&iiKB|g9Np45&?}Ai(uS5D7QA^3=9F3~ymRPBt%D;W;VAqyDOFj8c=bX_R!LU&*+yeE!q9z)@_lo^92dglJSsnoxqLNIGPQ## zTs+L230zF|5@x0$ONVdo=kTA&qJioSpAM7OEltYmcOE6&r55U%H_1-q=Q_gKYXjoL z<%h48nu&?j-%h4ARe5sxjZqh(CggjlpcCvbT&xK_(wEhfzX~SgSNCm-0E8~S0-?}-j zv5eP0;k2C^GU~f}7dyK$51d*tK0m+W#`)MS(j)B<2i?Z3qn#-kTZFNV+)CAQWEnR$*L@FaFsRM#|-Kko0P&J zAIxqqDj&a~)HF*BBq=n%d8cWsLx4zaS{=0WnJkm{5@L^0Gy0)Z+YFv z`SChqS<%7yY^8A;0q6Zmf`SbnSK6{xw_e6xejxSANPXnw zWfEvvw@Ugm)cFPyi2y6Vz^d5C{+(Nlox3fM2+-qCXAeyg9M z`m|d=mHNTVu4uhVRCzYrdSsbbTB;tzPytd)#UL>TQb9v%!e)bYy0C+@eU-4Sd-x+B zsU(oOD?2@%TTL5CXGB)JE{G{5I8X_yjOO(#PEvc}719;VK8bB?l&%_}%%Vh|H0br1 zWw4s&Wy*K09@(}{5K+SNc3EZNKVJ5xUt4mgQ$-1nxV{cp`L>6D`?()~>f~+X>=a2~ zCRJAy$-M31+k+5GR+3Ba=mrAxx0jO_E(uuf;xx;ho3x7a<=To5C-Y9YbY~h_)D9tE zku}DRce9}mRmUzuauLzCQ1)x<+vSdvVmkBD{F4xVB}9xrC#NqHp_uA4Sce=xO}Q<& z!M4yT^n+W996z~j3%*N4`$6>}tk=%8Z?aZkd%xQ*249>C z8P<)rVVVJE`nx9dnnMx_;K+KX*JZEuWH+vU^Er(lWDYeVD_rEjE_&wL2Aj*w9ek9tANG2 zJw%#4*bj5!cL@tS@p3J`pV%Lj6JkAXNVqSFI)uj}tuS3C8AaAikEdhv+IQFDm~*5} z2!jw>ROI*c33K-`c?W*GhPNu0TOMhgqBU9^myQMq^CSehK^=J;)5=}&)p7x?GW z07)f9_PU+T3r!w9L+kW93bVK+%FPRs*W8_3l{4b0zi5#(UEezFCwGv9zDK-|`b1k2 z5hIZosmLR687Y&Q_%ZV#e+XtorjAENAd8aT_AcKG-;Zdo1@4elmw{E~#r#`HGHK|Et0%vhK9(#rC5><^&F%82uPDuG53UhfQ~Si?N)FHtZlX3R!@ zRZ+52RpqbbE;uH;JxMPQL@3j1^uENd><}B-^wl>DAwUC{?WRe$GYArsmI%==6Ur-~U@ne9Ku|5KbnE)^Glytu6G3 zcT02(3>g0I$G|&d8VO53#maUs;_tc(`~q!!eS~THM^68LY|y}vn7^|HBAlU_9~B 
z5$Cg({)c9bGPfW&!7l6^{$Yf3QW5S<{J+&8A5)a-@<|pR9@VzCwvO4xt>r}k2Smli zJpxyLp34=iKaMT`OUHrta>V*y1JRvG<2PDk}+O69B6p~u5N8j6Y*xPRc??>d{nA^V4iYV#q*vQhh$QIAHtT3s`@oT+Fe z(^bRte_C*;@6$l@ACJ{9J^hFOAHnsNM=i1V;Tp631mjLReY02m%WB)BgV^+|VHy;a z%#&sLzi;dP9134dPM_V-A>k+L&u%z0wy2rb^}rD;TTQ zcoF~nt~S5C$CNX(M$6;>YHjKmW=B_-0ywmu3)rm$?@U!H%(<>V1am4EwyrmZ&I8Ps zNO`SUX6v2V^YeA#0cdc2BE-SLiN7c(0K?~dq@v&U9(~O@2zH8=buepJG|gPxkRD;P z)bT+Phn|B&8Kfcg%jc%2wbpvS(89R|7`V}HiR9+y8te8-wzx001-LbXMBCVWHuN*U zeO8|cp9G?XFXkhkB<=-j{@HISu-b%S#|xb|idv5n*=-jg7ak9ixBhr7q8;N)K@9@@6>a zNXmRd)xB1|r_x;7=V8v3Ja|t*OQ*;&X-|iFu9c%~4Sl+9x|7N)(&{zBh3U_UYI&yy z=cLk!RcB{d+7jikTmuq~&Q#Xs4>h`mcC>^h6#mU9N0(^wvo+DE=&At|ofk@kW^-=kx;HO!rk9d8_It%>?;zf0{zdunNRUX4)J z1&q8hZqvdRPJo3w4UX_Jq>|DUp!u2LK5cirF~~Hl<`|}xiTbk@zU?MH$B55y8@iEWzaRknQlF>5PqvHhxNwoY+|y;eR^`bdSU zx+F)ocwoA&)ooalztQvnS#J8IQlz>iQ25*V=kuk9_gTY&2BLOtv{iQ3clH*6B`!{U zL+Ce*U5obe-QHcH*LS^UZXbRc*2pcp@hC7XOb2;Xhnl``nD8Y)7=1!>n>FHK@A7e+2c#NnhBS5RruE}Fsxfs zM}uT%X39lg@P0giG9wGaYcnNiRVyV4(1T<``4un%;W5-2h~eG?HDp*p(YJAN6vO(0 z0+!ZNV5PU;Npo~vSUoqi9*iaUbmHnL<#wbMy*%0<9k~b?bTiXRhdvo7FDZc}d!A@q z+m)abD}&QZ4mZ--^Y80cW@b6Aif33JJEdL7j(K5DyOrbJ;7V-i*KkHIv&JQ_xoAL3 z+Sz)FOxlEsOI4ItWs|bHcZK~>U;~vmS;)0aTVk1}BqNYc{;5Y-iE@i>i+S%@)ABjr zesaQNUp+;lQ^R`LqWk`tVxLl}>l>-HaY}w1-3$p^Xx)NKo)Mc)DE+#X1UlBOo0Zgc z;jc`4K36C^|JgD@U2!v$`BH%^sx-RaEZT#V*sO5M^+mEp&AYN1UGM8gAK-8o3CsWd z$lED?>oZ}!w5WBHz2kOvS3%65&-i=($3TYp$NxE~x12xnDX8Wcj~EOJYbhPX4VHqE zko-84IRmC5kKr80x9sfg&=tq+u`iPoIp-ft8psS6W_yMe1`LFr3Q=L=L`b&RfEr9O zzyxu_^|)1NE1X6juuG!bEmBDWjz)v&QuugyX_x#L%2PEP-or0=H~S#_#~?v9d@1cT znASjUEC1yUj z_77a(?QGiyaWIwcBQP_z_enjvEa#haq{B#6HV^PxWLT|fH*_}<`Nawea$qDA(zs-q z5;IB^cmwUGCXkeiWn%u)4OVm#Pp#bM1w(dWCMm_D`>}Oz2#YK^9kL{ynx&k)?dr)d zr>i=o2R0wqJ?*T^9=Pgxqkj2j$f2WWX;Fv#sfzJ4Y_=peIc7b!qYb;L>P?XVl&UZE z>gvt6PhoX>xWBkb%aWYgYLqz%#z;b5qeoRPkAoK1r6n1%2cP%%^ zCsBsRVmlYd2%weZ2Nvun-wJ1CFV9o3ZMv&%wYX=rD#?vVRp*=cz~a-}JajSy&x_CN zY+Sw00=XkiGS+kT9n=!~!i!whPCQ*rX6bpA^vvxqo$dprQJRWjSFy 
zAV`@M8JPNPoh=C_kynE4tBs7Go}Ru^yPg~kRH6?OYL2}|Rn&e0cLpP{f%qY?mq9~M z!0g#ZxQjINBN#Xu{>q0NNNoaB?Ya3H+vU(bp8d?QkZ`!vui<3M!bF-}K8A{xeA4sB zjr3Z|Ag;$}@ZvpCRKEeP6L7Q>=Fbo|-5++-DahH42bF2bRLNIe`wTx+Ex^tUBYMEc zEFIPb|2V@aA~DBk9J{xYIr2&?&yY&~q+&n{(dIfAG)C&`(C!SDAf> z_8f*Hi6wkm?Q0KSi;ZjBRJIA0Bv(L;#q7d&BfqV3t)89iJ3uQJQ@iNX6X-MA^6GcL zUA(i*LFzQy+>vBVKMXW-jy zQ0kZVIsv?iZxPtK%i^&zUMUuPWW?yW$JI73f|}`knG^(#XP?PwUgxpB@N4n7tXE}3 zUDwz}i*asn55U&Vc#6>gtR258z7{mM?}|97UljWDsFo^r@4grUQ8CZ}ZZ2^9)q~SO zHUAKEQO&afr8@U0l7>zsBWXC_;`VSWLDiTGsU0nu_OlPF!V(Nr%G;Pt#gdaE^IQIL zCJoe)%GQlAResNligsJPifZuSXpV@Mit<2?LAX3MDRlW3(3r=E!LsWlD|L6g;TNc! zMWmXN;DMLh@i2cP+iVQKaWv^=Ytor(gP80#DY2)^Y~lB*d&?=j8|CR03P? zmaWOPJwn67ub(*i){+yz+>|~o5XFC}XNtg^`BqFt z6;`lyM{myNL;^ju#A#eMvb%fkX?enm3HjJIc5cdxz(%S_+vRWPIpZt)YL^MqHJp)9 zU<#oyqqamL7cW|a=ZoZ@Ua}dtqp2bY1X%)%CUVD+2wA7IT1R8f%<}PU(sUzY9i6_?mTR~JRyx< z6SU@*F-f)!sjqE&+s4T57lOzrXfXedOc-gSe=BS1bR9kseZM~P*?$iTx(W)j%mlzG zJ^2jju-YBKjPq)^BFzv}Kh@!8EPO1;-C%x3cxIQFKZ*C`LlBby#vv)rjGcf_G$9|m(eR>+a`Xk@ zSjLSZPzc9}L8VRji4_Z1S=DZJYlHF~A!=%Ir~SFzoDh+_LCiIuz~ft7*?!g78lJ;F zFBeF~H$h3cEmL%Duk%$uPNlIzK+Dxt48d_-c9x~q2q3R-Cvm=`Ve@M07z_y~jo(r@ zsl3!;JriKn2j4bg(Mv(vFTn94K8V6imQqOr(NZX7aY%uEba|=%F3GIrea06He%Sgl zjSaFw2^!tn_m{-Ow!FLd6;~9R5pafCxSM6MSBO5A>VhJ`bFYr*&AZKhPD1M^i#Z9l zQyxFAd?Soa!8qa7HZT^#^wjg>_170Zr2Z?pp#Yo9|mCS(?(Az zAKkMt*C^mD5u9)Su1tJ@ZnO1{pZK?c?uZZ~a`r)s_(-~RAgA>z&z9E`<>3#PJ>XAG zm1;Q~YDe2?wIF?MwtVs~gPmeUWy+s8tfhL8a?*O@ZkJCe^drxuZRDHqlm6-b9~GC` zU)q}vyP4N2V8}?!Cw*v5F(>+LLi$)FyFY*aT=OU2?fPRM@ttCNa=!OdKsFRJ07Nc$ zm5#y%_nu@IGJFEgDSn+lruINtTP)J2vR+rEbb~`TM`>M6wg2$~m~nI8-YlH1+L}xj zcGG0%$qqw(n)NN_dWLPJR2qSd*jS<7;_hk%Zi93QMP@GalOYdA4E@4|@pYNBz`$6L zqL+5V*D5@O`-FK5jt7_Ggay(qQ)ct|K2Dx18KGO?$bM@8cqGA z^42k97>b!w1tPJ>)rk|Z@*Nd=Hpn_jCcEa`x2*wkz4-dHR3i*kE`1hA z>UnxN{8R6~m5(1w3=6r)G81&(eacHI=v2_>`h|H!^4+@$fZ3DI+>f;10W8 z#4`-HV@j4mn7L6`*8K)*iSu0ZOMr%@@}NtOg^XlJe>QVHAvS>~{i<`cNEikp2VXDQ zj8fcr@fw6+xY7M}a&&aYyuY8{vAc$79E(P}h5C3%UN%=w;blfq<-yL~7=KREvgRNx 
z5`*5a`;0bzaY;$LP;07;WgQ??V2FIvzfhUhc3Ota_5;guU_)J@&muE}EC2fo)Lh#D zj3Z_xB3W8Wg;W<;=_XAJbUU)`(G2`dS!08s=U&glg@r3wmYH<)AllX)P1;hjJKg|6G_Me|qC7b!$;1SCksM~67S;oLxTMs}adKat+?@s?|2AK1E1l%Ff=F+k?o zqXmcgsU0$nUq70p7iK0*#gplwWFtEU33Wqntb!&jEw~H`pL88s!f@q{GS`#&=-i3; zoAAxcJxRE3U{fER-+8Kp(W#Az4!<2O1*N|t8oo!$a8*(yIO1;Yn2w|*^H_a-4#0ENFg!DGKM!K7 z_YK_zvA&n4CbS_|7ss0y4$7Q&NX&BB!r_!(%N8m?p3_=Ta4j;;QYZJlBF7|?WW4t(} zeSl-8&%fRj`b6UR9PHsnw>Q@p*7q-2-g-1I^gj@S60OF4a-CI=rEEQI13}3mbf~BQ zK2eM-Fj0^7f-Z-Wa5+pe%ShJ{pjB2X2O>`ngD3;BN5q03U1!(2NKU^jLR2;#?K0> z+x@8{D?ROQ_t%zY2;%bn((>lY2S0IBjGgr6I|ZP`Wq+kbvz}GlDVf3cN2MTz6^Fq< z+^>T@J%D3-s9p_Hv8VPa+WKyBX{v6-fnqg|8cw8S-@6Rz63W3wKEW-c z3~fx!*ZXoj+fV$D-oTT~{|+?p-6F%|dV04P@gh(V?UVy3GaWOt0b^e5KwX3EYxOjv-}z12Dw`~_ z!l%BlULo>3;8g!@A&0(2$*_chl&`^}8hFHjP9AW$DF~qG>-QYUB zX`Vqxc+m`P!@OvF1Ln5l{O1P>Y&#u-Bb_L*k*j{$rA(bF{t1pMVp z)tAFb$l2x17lokwqBe6vo*d(YUM0O3*0eDLcE_Ae(}`iNtHfD82^SJ3ALdk{SGFo1 zKyODlGX?9*vlE4hYO^LsatPFmqZX>f`NIU|jh_b};vtueCklB=ix#MnZLFFXKaUSp zTCew_Q59aMm}8)5588(XheZ`5Pg8dS!=wmtkk5#jb`HuCzhm|?*t-4L~RD0)liIYUe+@qA!m5w5H_t6}aFx9j1 zXo_A*5=y@etf+adIcr(_om0>_o_zkMGS9G(vtDI^WVfRz#i+|Y4pqXSX?bOIiFi_z z^W^rCD+B%tw0rV`Pw>SoRSvh#r})hN>pMS19iJl^EF&*dzMkxp%h&zBW^x2Y|5S4; zNR_S9w-39uFlOsQ-qLe+{}IKVl=jvuWv2d_FvRvV37RN~e_UO6e|JkTF`SF4+YQ<_ zuc6dAs&Y9)#-L!?+*{42YR8im*lxcIEBiI(pSh~u6R*_Sq!N{OvYP2P zpJr8ruQac(!F9c(i#CY*o$|Nb&nT16b1viu?-Wjf5Vg;zI3ua*?WlbGUGYcB2MZE1 z*CklKxXAZ_f(Pf}x01b}smYwjA5&p~0qr60anmwgUJ}AhRR_Um>|a_o%Vwm$9>^(! 
z%?;H-v|Ko?n8?pSrsEq|?ZaLF9{6iHB8})Vwxk#{#3n>T6^6hiud&#cQXcqx6TAgm zm?8Za6YMf;JWDowfkS&Utxg-$xvv-=DoMP1cxjL!=7{d1I^F^>FB{k|>C-ypH9{8C zuG%Y?B1>W8$B!2aaN;guwFPa6J42nL+pk@5p2prOnm@>(TK~4A;gS86j9U#wUxE&x zAOh+Q?gz-`B3q8-DaLJOI=XJ@7|6w{nPNr5uw>R{BiSqWjJ}0RSfJGR%SzoUwXpf~ zc`cQantY5pY*oaKeLAljh`G=T|A!r?Xvxl5OD7p0x2{XW-UV*e)U1=p`E~i%#e$AL z6YNVOj%*}lxB1?3%NEJQ#K^sfBa&_Gx6xVcrXhHrm1avI5A%Nz5&p1o9Y)0;$%&WL zdHqrv`BJFV{tFEE`!K!J3G-2TM9&=iUgX_);R63Xw1y0#Ds%H)NMdFRv}d^6qpU;Q zBZZ%QOLPCaSD?MoB}H|bGU8Toe9T(lS<XE`mhlXLkYy*$&`(j80f#2{FEYp5r`y9^Oeckt_PX)`~DG8LH1 z9#^Nq0iHR`n!_aD1t)Vv>pQJC;%%LWLvyy{Sh__OhsTb_LMLfr=18&qEz(J3GtUCQ z@{W!|>`|*l9^f$K_Ih2p={;JEXv&ih$|-rmnH!>Iyhc!DX^v$-HmB^Bq4=I@V;_#3 zu;N%fwpeHM#QR01SoZ340y(~Cs;C#%J*f0BB*^(8q0wAkSq3Z4y>}H!LDj`0A6|Z$ zBnfh4wUF^Fh(GUgc+H(b(5E@oDUhg;^tm6@lV{Em*7=lRUXb^z-sW?+=IOiW#QWn# z57L`WlOR7q0HHe~W`97WI|&3V;}R?GY|UUN;WZThLVx#P>6YKS@fkc-Y}4;p4*C2h5BIfKJj0s}ioSjPcNN(Ytvql|NzUo6k&cs=0PUn)Vy*u$ZW#c-?fUwWa zgcAJrD*oSpLR@|2<8j3yB;uAvvdgWsDzlJO3Z>Mdk09{CYBRtSOPy%y>XLz>tHoKY zLaz0_EHYAO?mWF9`lZX$(mbVvWq9EF_Z-Pzdt=Q43R9A=XA^qeIqFB7`TXy^drR_^ zZf{hxjEb+M565a%$BTvpR}lW@-@%u%QTbxB`FJ8;Tf64{{ipgZeDjLWZFTLT3xCG{ z|7yj5+LoGy2Kb3rUIaqee;ot=x)c0+KQF-pWJ{nw*WW*l5%LQ8K}*r&W^@YFKaTGPb&AO}AlGmjkM|94#ozSj~wt!i=M9}$TAfa|g7w(;xw?UM7K zOvs--!2_N){qA?x>#x@Sd%nH>=woV*I#g@FKBQ{@@E?91By|dT=9z>7g_VfSI zi@$XTpiLBlU*m=+{QW#h6@$Uimc}OX-y&iEqiukrL2yD@tReY_X1y*3Xv^q!&)`4J z13x%x^Z!>94mZlgtUo8)|M+L$uk;Xl?h=c!$Fa9&=>k|$cV}fj#_N4T z9<^aUpJbpHw#_%9vyAs-UROx|`Uk%GKPK?MzSFmy`JFgwiT`$W%|&2*Ql4OYWJ|JZGfaDeA!W00C>2Cd8NYEk&f$ z*7tv+tW1>_{O;*jlO5!^T->c?nLS=Q5TKo2y*Cm0U+-~^J~B|4J}NgIhyx&NlG^$e zoVJIbfDBI#4hD}XJ&z-6|6H6+kbdfZm zfK#xp+kEr|6j*b0^aI7&hAPZo9YCSKx^{PW3)cap;-#B}iWB$874!aQpoeYW$M(ox zs9)8t1_CxI%9I10wG9`10)kZ_y5z}+>Tm!tmYlr&P%)^e^XgRY#fw-}3YV6w;%h9V zIZR@U!U-DEQplgY=IEx;BBz?e&cC>pSWG|A9Dz@jO+&@D5t1w z_*33NMkXez=LZI&3UMrvKps4rSsHmAy3b3VUB0%x%?t>dwYNKltKG47%VE42NRw#R zHh^P&`SNAQ?5qwbc58Uz_|*3=@Z}LGmrkstqy$&?Jqg~G4egG;@ALA0gKJ? 
zdCI52p@U>mhm=OW8QLx$R;EgCb7tDQImWPJS6vLdA>-?EE2$(0^I41Dx-43~NRXN! zr%;+2qX%@df^m@YTPemA?+04Y9w72VeKrSxRWa5sOJDZ&ebM~-e`JttiFdBi9h950`66X z!`EZq2m{p?H!UCk=qcj|^fs1oN|o`4_f@1UKfRmG%ai|W!QdN5g4aL;9@biV37m#>biOMu`p+b-RZuZ16n!U~iFt z4uC9zhOSaXRMFEQx>0NXy!r9k@i}KHKwva(n^k#=ul2OvvKT*{V@c54WBuvfC#t6y z)Ft=lNHan(kwq?dxa1TRqDu|CzM6t{i=q)gIdA+((}Bm(FGtZqMBi<=)D<93Oz=Qv z(=1t~#O?LI_x7%>7H_8@VC?uQ9)VJct008t*Yu#>40r|ox>hUH%p?ZkM@PTwjHV3` ziedxnMR^g20MObS5;Xlm&x+l{dk5pX1Ol{J;GcqyG!Czz1g|%Z^}uGTLaw;|aX?_; z);_XF1XX=46B%1a`r?wA6va&NOQvwrJi1g3y%ooih#t1*zM2nPus4OY8%Q0aXWE|q zR59kXQ>pUxDo#HaND7qSft53#GRVX}dCb%s50I#QRLMXAa^|e&I?uMg>(Bzjprju4 z2eYTvv&+zK4Yy{*dv$`dHY5@%Z!4AFRbbqprf}SqH%rB?NRWZek}p`!^CkP-wOv|V z_U^P*ar3>PI=N>-<9p9tKxkh+VgT_!VIpuK>d*DTdoKM@DT8FVxcR0IUe=z<|A4BX zxamS3u2`$T0dqoNB6K>B(gP|Ely9NfFPDkl8D#)QrSHK@;EPnO@G!mD5rRZwWu_3X z+5IqGPgXYAa;8REqkx&vkZBs$Z}`r=H*Ie39Uni zohWM!*Bz1by05yd~=du(4EP~!SQ*D$-u5($WJ8pR_lskQ(DSo~8 zIb{D;>rAJe0JDmza)yLUP~?!q3VHc+jJQneD@j-iixkTFXUE((iEHDH)Q>HQf6URJ zZdi3s@pe~NG#N*_b9vdXCeA6g;ny#0fOV+_# zk!I;`ADk!ztv7xJ3(D;>3>q!Y7aMyXq2lXeV=m%W^uAI>O=wgKEyFl%@BC`<<)?%< zEK6`^z+nMQ}R;Z)gTrS*9}YeZ)Z3Ld{Km?l`!k z#s!@G*zT><8*`;Zh*5T*y1|;|&bmGj4b-dX;8YVSkMs;-XvDURO+TAt`Z2Z0?hrN%_sUbSM?tbkW%)v)0) z>F$xy=72b+uF8Epa~>6B*9%m(BMIWyOZEfun;V`y9Wy%f`{Pl z?gS0)G#cD3xSi2!y?gJq_xJ8~{(OJVsp?8msqUWLbB;NBjOV%U>rO4z5|!x{sjkZR zu)K{(uRe7*p1O9#(|pm?nU*#Vl{izJdE%JZ9W`%-<-{x?HGh@$ByVxgSFo-Z- z@-^S`dh9yz>OBt!VVtNtvu;P8b9_xQR|)0TMq)6@2R{vD+IA=~_pXjKfS(@k!7 z&vb=wOOR8gQICEXFPSh>2@CN;#_Bg={T1C=0k*bd4Ah(b_F1&J#+Y87+=z5{C85*{ z&{M`3b$^&t@t3_)@^kppZ`&cK1(iWOnrYEW&@pw#ouZm;sn{n%0}6A#;ZqW%8h867 zSoj%JnVra*pbK!y>-(fgt7cNj4AO!HkvKUy8S4)CSq0N28av}X+y49xP}pXBJ6(oSC8x@lEH4seqh$G}X1@*W3^#n;+{o6woUN2#q^t)%wyHihw_6-)v_RA?m0|*IKu9O}qb5+RQu3sTAR;A!1@V{WW&6(LDaZqbXQbP_=^n^Sbf^+M$cWzo$(3p>uQ&>%KA&3M^^m9qd@|H*`f`iJmAwVpcp`wC4^EyQPF(N zGQS6xp&!tmF0ZUmf^g3UbRM87&>PaT8{lxA2e@1NGve|ZC3>iH`Xq=-95BF~gTbq^ zfSa1fa7bH;ulbZO=Z^!V1AzA>AMml~@Y<}g5kAn3O>E!b@%_=W=?MT?#=!m}-_2+) 
z78MZ?LKahBY4W>b-%oS0c5LHcs*h%KWDGQMPG^n1MAOtLU@_KFk)@4(p633>WH4D{ zl1AI>0ZQ%Ey4}#ieL}LT&o*D2O}G=JqQLO3(n&B2ALI7IpQM9FGQ55onaPx@dUa?kQ~H$6dD=*kGA<)SI*JIY9vzqRhA+IFWKc7d zaN#W!DUa+xE4n#nmHEfuRYEl%{gySGbGWBZ`1NKvd5`BH-$f7)uE1@dKwQ2|7+LKu z;Y^>20^DwUyuowj639axYns&WzR!CiujZ88F zISJzNt182PR&|9F_Jai%rL%&RR1_>E5(%dnL|!zZ{UPN_7aYK%9Wr$Ud9V;4z1Sl` zsob12Pfaf`<=+kA#FGKb1uNLA)^@lTEul=*eQX*o0L+M9Fjj1xjkgJbW z+jL@E1OwT+*fo`hpbptA(%$R@Z{EOn@_ujL_l>5^oeC2yau9KeS~9t%mWX=_gdrL9 z(9ch;=5I22w>8GoBHXCjT;sU+GW*=sr!E%$=(g;c+cg#7oL!#*nZ}GVVlOYQ=@)3^ z8qR_;Vr{5$_>KUz(F#EN!0C&**Z{Fa2lFiKAn@ZYV}lsX0<(jurY1KU}BK1)GHhl{&W#>iyiK zW3!Q*Xt!c9Y3|g$3tsi`j2zFKQWc=W@-Z`IG`Gvh5c!>noPa<<>HUVw_ zI;PWtOU}~uj|+ZQ)%3~h_4JjIK`$0RO6K2l z)%PE*(fr1;DRk)XDZezBj?4@o_bTCE)#rIUzq$C5{;aMdzWNjerp1EP)XO%C5WZho zITF|mJH2^pR_|FC)s*_-bc4KcjP~{Fq>G>Ov&%)-S+K(`R*G1}`HM%dHQ>3oD@>*x z7aWXyn=Tf6EvWbnC~QW-uAR7)6Mnj~N%!Ij?pqNN5eL%i4gN2L`HzfDR@yq= z*9z|B0^pF-aVL(#E6pFqxTS(c3J)CKVw}-mTrEZ?*u6PcM%#5i6*z0V;hXtZjO^h_ zp@Yu;f%kZknBRGj9qrFJaYZ|DK1g*F+rh zsgK`nB)?)f9{WvqyAo6Rp_+ubc7~cRgG=iTr@P|%g@p30N##Q|S= zaT`=tE51j)u)Gx>o|+i401Ao)P&`GX&Ny7^{zF3n`4;{MbAw^C+7i0m%)-LbMHh4s zLn9XrpgCKD?B&HssCenj*{->!-piM$wOT#(0E?)=(?Q^bxy-vBEyFa@X0H7)h08is z76b&=Hw>`vKV&87)8lqsj-Z4=D#rIwcYjqlEH((cV@pWOr@4JsL@dv2;>#+qCYE~R zvlZH)ZDbf7Wv^JjK2u(JdKM*9e-@1(fu83&MTekeyzRQLW?1YZBSs^`8fp13e@XV( zx4I~NUJ1h&! 
z{K<@>MfA>XZZ8D?Ja0s&7P85`fpFu_d3G4;gw8DnDpptXrOY!~3Ly&M_`^u;J!74?77bz97AAkea`c>OCGvlb)BK+6q$2w!CcDj(C(z z>bpR^ulpiz+b7Xs+>h+&qx}DrI$;eBpA(66&)aew_CO3Z>a|_X7@GK1%!VJX&)Oc| zbdV;#zv$+Z~F?`7dNyEGXWk73lcc(EbS9%BUf1;G+!4l z1^lUD*kGJKFG~X?v-+igpO$lI{s-a2yhH*AXt*Lr!i(}LJX@$AAyZ`~OeLlPbfx^yHr_ zg>*qnOhMpNlSxp8<}v6sH_mpgxBj`NuL9f)6G~(Y?N|m&kW_!?W>!F4EOLp}sBN~k zwbSRkE8;T>nH%4G9N+WKtVvoUh=&U%0<0m39W8oOaHxnqcjZ0H6KC0^{PM&^#V#kn z6@Tx`W7MDm)SWIRv@kJShTB@I`)Xy1Fr?c&j=cQuJz+l?E{QSx3k{0$=q`O2*8TNT zqsq5U)J`+pu7X0njLdswXBiObI-0%>$jzs|dH$`c_78r>mxRPOBN=p+DGHJZM`-4S z(%wXhr==Kq`gU1&Q>EMwfg1W&@#jxb6{q~i-BmM>O#fMg`uCQeVm}1*^uvR~)5XzK zeZ$-LROT@oyDp{`RI1=GoIo*F0)%;2W_*H!qp z&+(y1FpI5}+^?Q1*I;E|_jCvZExSTWK+s`E;i58I+%3fj9IsR}}{zZ)N?|b|D*2u zZ$k~t|BoM+`b+-*RC@4#OAE22(Y9y785$lQ2apXmP9;~)&ISe<-+{+jSlD-f{|}Y> z|DoylpOIOm_2-3P%?VzrN=izCWrcvgt8t)hZBb56j;Mr$jFJ+T-!yu_AJ&%txIF(T zmhU~uweMqREh(UPMze+dVBtUO_`4=PZiHYK!Za=68{)*N$rku9J>oT~!t*w>zqt=` zHDI8islu`4k^j6Q|MHmxEwOT=gI-N4qmq)6)?NGxMLd|8u(h)@{_*LluhU=F75~S5 zmdgX{UWw1|g1S$VW?Ng^y1nu9(Xp`s@@k8jZ#(u$|EM4Qsf75?*T+4}op@m3mI8}j z0QoAWEwyte0MNkdv_EHS-HrAi(|{nHQ%JFHlP2&DF#@N(Mw1=jJ~S5XmAB=^8MeXVvKq| zlV@3M&E_lcUy7!Y`mTy60r`T>Lqu0=>iGoF`!LlY>_v;#Ct0DA%js+m%2HKHN2?+^6(eSCEp#kvpCB9{58s8MH z7;lzljDmd)YlUCIN;0hQVFsioh1zxHqa8t@v1->@N5Du+E6GgHzz_@eB_SmxB_Kp* z6Zb5f><8!<8T{!b2GK!}roAFGOS+t-Rk*ZwuXihkAk_BP=LdT0hs(>$S9Tt@Rc=14qaQlA6)S|fDQ7MdV~EIpvHxdCCR1m zR8gLv0nfplgMKi#v+YFmX$4AJUW_T2{S#ylO%!PX10A5cSqr)K{H35j-b zjwW1THPXL(%HX&MHd0L*U{FV-FUr z?0Nq3B^xj;aSi%#Ut~l3Xz}{&i z$@_HUy#ooa?*J%g!~jo+8r16WwfB;Pu5PNf{fJn(*S)8mo;twd84mJ(Z4Fqe*=S)L z+fOqo?n)5_GMUsRw>_Zu{fg8cLO`!rfH3`hN4)=zQ06Wuw|KF=S3p_+a`?^`;~)z@ zVxR7Uc)T>|LaaJ!Hxrr?fyKM2G>=Qn=OJBAk!+>d_vtSZj6;{0r{>O2fn^K+>6a=i zps#o31oqiSmK^HQ_wHk^r-&?j`|DPB_}nRRbo;uVzcil9wrFbKM|`)sQ9pBcozkf3 zk-yRc009~KZKedjsaKLK?)I4Xg`^x#|B|aDqok{DpfES4S3rShhY~2h9T)0|%nvcV zj9!)KwKPlnw&P(W{>rVgOnI#qA;Ocn!`yO10Wv&d2a>o#bELPo#`9wM7ua|-83n6# zVG&AzNp;RxH2H${0!GmRfzwH=>+71~w(G!{QHRNw`5u&bO&vd$eg_-9dhvo=7Ccq2 
zTrVg&?Mm+QG>_wM?oK>(Q9cr&OYVTK(ln*0*`VX0gvdvjjM3)}q9RT`DEdT4MP&$> zrg%7J8e#V-7HL$7!$L5&zo<0X9_q`$)9`N;`b|w^^!Y5QXm;3uM+QH0}MXO{|%+R-1gH`Ds~( z$Xc}oKUbCO>?CWqW{EnKzCJP^U>~1lieg#z3VT?Ip8do4wNPbwVwDAN( z*&mB!)R=vIgoOS5XR!Fd4_yTnk|;!!XPd17Wru1i=1?V(C4#dac=j%_myqjn>)JSy znh{EKA`V?jN=gSf!tQWK;9%~LQQ*(B&fuyR`%I$YElx%#^o?33UJ~3<;Y`uMwL663 zL-555^vZZ}MmFJ20Bu2AF((;j`xVrHzqo7dFbzMz`7Lpo-A&>q>qUwO)pOgcVl|&+ zNE(vX{@fu}3pi6!eh<;?)xr$jyB2_(&=<}|r3#3RwlXl^OU&dQ^Vg2>J6jSZ9Jv6; z9(lWy`GXu5ogMj&TYIxM^JHz~DYb`^aVoTbs#rpE($<)p&pLkmRy*}lb}aIkEb|ah zTUQFj+xt_+lF#5@aa+%-D|USWkwDp2fpWzTAC@d?%<<(P%zmoySaDX|Z|~?{yep*> zD7kBo&}ZG2;^jH$J7_&Z<~F-t9ma@6VJ#mKR@R8le}Bh9Y+o0XkB4Fyd$aJm@AdbE z>QuS_!_&xbwixaIT4o3$LOv#Oem#nGF`~-EKXA>y2ujFFNEJSus3%{!0tqrxLY9z^ zM`R2)ly_js5%0EN*ImDZKNfLTVKvWlt0)0cSIQwM+1<5Z=}Svykwko!UY(C+q*3-R zUNa>!Ec(akXFp>`3_YZ0xQzp6^cqlgJ2|?<0zvxQ$_-QLz}WEXlWsMC?$SK z7~94wrwD0&wXH!LLjQ!gWMH*+SI~r|yJaD*!d1zqUw!lE2#~%-6h*4uT~v{?sA_*R z3g=VOS6H%Imu;oVfTdHMaCLi-fUx-5g6(V46^fPekXQZ+ee4QvLcZ+o^7<991*Q8I zJ;>)jgcDjXb1>&VLr@`Em7Y0YW9P14C$>}3sUodhop2V^|G%lX;mNHBNTuIbK%SVj z)x&M_2$ey0{vu>sKx2YwXv#zT(#Phj-g%(w(h~ekL+3H>UHMt~F=LUn2GxSl$U2jJ z9+KexpPZH`ruzlD1s|pItsk$11gGDpWLshCsgSxtlSEcmeHIx*C(^P=B8gR7is3cb zUaKPhYRbCYtizsk3~oj?ut*B1-#7`95wZ#_%hg;|$Q9tl(y>zX`6ccuAQw0oD;byA zbR7d-n_f(t*=^YP{iJt@pL{2ksdt=)#3Gz;}M@wx(0qcdSGTH&>3_- zKRk=8mB6OnxDc9QuL!Lp!F@r1;UZ2^zhD#*B(Nbd<&l23J7<1Yky=W!GaMNyGlsP_b({L)l-LHtN6zU2yGuAPDMK!lqd&- zya%yhWvQp@x<#GP-6irgiaHF*kDNAalt3IvKGV9M7w=a=uo_1LnHwfx3f;Z@x*Vkclh|p_fFXWL*G&$_Jlg;^LZc6vVMy?uKq>5N z@sWMbHlmya`Qp_FiT*dpbFDDt_4LjMEGRF1V#|Oku>YUB|`YhA^E0XXlhv8#xJR zlH@MKfpXb{+~VSJ85Z}@w(*=F#U=`MOq`A19JV*P)o|V%CYMrBn8IBN<5#(i2z3CV zh*iyOh(Z>S37Z5IrbdcV-G#tin-#04bK#xh4@|@tEpx$|-|d90A>Z$pT~)t}4~PDc zC5fNmd5N#v7}aRmGp>vm=}AZB-&)Ko9^e-(h&gF8PYR6zUEx;xd6^t(;*PK;#%Npf zACe^FRhpu&nNwnpq^4(WqN$JBvk!DlPJ}fcv;QebO6|hn!jPc}sS{*=``+29rjO}G zs+E0QJ;xiw{}d(h(c5IwnH{I_pVg<7ynQgZ;Xs<;_2i&?V64F?=FM4n;bw$W$#A#7 zKHs(|C9T%;{FKVN6^Ym4U8(L2({BG@0X)5W-MAuYCwt(H3;=V!hv?L}PvHsANAD6J 
z?bz#$XP}#NDId$z?4Jd^LQ({zMvoJ1r6;Pz4{J{^nEQIVy6)NYv#aLQ0N<(Tb5E^J-%928 z+;k4z%l!B{YiFE-rdb8eu4A;2xMzmzGJ|EWuhf61;XBL$jcfKj-;DJSmw&93X%(Ns z_XNwx%TH>w&|>)twgcJ8yN3ew~bDTy+RDBJ>owjE2%--04bi1;%-&yoRfN!R2? za6Q9=t#HW-QZj;6lbktOQxRxbQ>^9ji$4%NM{pvsRPClPN!D*- zYH@r@J`uRRo+!#I;w;{Wp!1V+w4&`kNfsP|;#q6>Fm2I!p&cBN&bsL|-bK4umJBmu z$V%Jj=3*uC)Xzs}Cc=Y>&u5mjmDBg9vl`=MrX)?kv%FS^C{%RCnxKg?NETA=B~;|o z_oA!ot|}ifR{rTxul&a*di#1*#N)?E?V;bxax^3GG>@Fu8%Ubo3D}OsP#G@LrFam{ z?3pA9ZDY6#4n1e`7&YNGK`(JuVn#7Hy~dS*cw%|;HLplK4I5yo3EelmL@_ufjYlG) zFvr6X=oC3td2%&sM(^>h$04XTaAdnK;JnS?f?9 z9fT=AP!xFjz1qk~KTS)wMcI+5QHnF4|9#Ya*QcPz7Fso3B6^?Y&kM_3F2&UOhl{Rf z6rcx$J4umBq{VcHAwm2UF+>>L+Sf*ud%nBdOX~a;*g7PO2~Lt zVWh-??Q8Ggc`>~k!zr&w{B67%(xzdX4e`}hiz_drZ04VJ89@i+8v(bC2Y4zY9!E*S z$W#yz1+hs+y!GQ#u0FGRsSjd*&NMW~OH5JuX7|%4olf5-df)Unoe`sM)*0W0B*|Xi zb33sm)g;XiWRKVu?>BR@Sua@kLRTAkP02p|!f*)gD6JKIc!tI`r!sUeb{HcPqNnglGrY>l|0B93=IYQzjtW`=FBojT@65iDC!e|uS+;yGb zb(fa*iawoCz#`9NHVAh`Z+`4*q^?CZg$p`z_*-tE2y?=F_^HveQeuI{`KYQgH-8{!y%ICvpB7<3xLjL(#8tV4c{TzH)5yDIdI_z2}@?8-zFUuL*!IfG83UeY1nj6gXPVW zHn*jeKJO#zkY6f1@Ppi7y}CiP(5`!$6mBW`w#0uqP!gN7o6wE=8)tx`Wnax9UCA2J zUdCl#@W5F22ewBDp=sM4xP-rKyW+iG7t-%u>YGNzHOg1$?^N4d9xUUP8)1c1q>WH7 zv{URz%Jygeq<$*d=liR0_xm@8Y1fNT$Ao6{?QXoNbHnI|hs zs9%-Qc?aJ?>?JquFx@n6Hlpx>;QEQEbCGL3>KP+nzEAHNe@iDyj5`nIH>xpmoXy5L2pj` zn}WXThc7!buhvK+-}Q;1|Ik`S``SGJQN_ak+;F_hF{A9(!5wugLWsD9gCM0WDIs$(9D{+~v7Z z8c15`!A}#kZA17WrE7(o`=R)K(-}vqd_t-`@RKA929YiY-Dlr^gz`B;PsrU|Ckr+B z^+Iu(CwXA&ea#%fQVE)~-~x&F*;F)TqGW_bXXG#v z>d~~K_%myqi7E&=!UuxJR@_d5)TFn|4|bQ+6BafiEQS|Urh->r@9X}mNcoC3yV;WR zn(#gr@1(A?l0@JCY%%VrctRlW++mMKLb@r!w5ND&F|X#l`TIl{w0@KHv)R*yu~PXq z5ja!-FDLQT+w2E9s`LvE@l7^?yEDIY&aGbb%oI#gCx)CDpH#AJZ|Hne#CP1CuPYSY zQZ}?iAl)VqXJ?WT#Y4gD+^=Hme>0%N>13Vnj51&PqjzBX1;@7)>TjNeGc|T~4SZ_< z3ar%k!jzPf8X22jUN}oG9V!(rnm0{&1tO3rt7yuumpIUTo_#ACqv;?yuaO07OsUq- zz2{(qe?ecpc-A37U;|=jYOfKr(2a03gdns-`!q>ER7KftxPxf%`Xo_3~7h7@et)}XMk2J)>G z)2xih+e?y!U>QI@$aA(QjC9zBzUmt{aD&_rl24CbVloGJfs$4Ef+-oiLfU@0keG(s 
zkp1LIRkQufoB8<`JukhWc^r0E=$lJARMH*T27#^9=KkzF9Vb&m|3!es$=$8osQySW zrJkiN=_7S`Fyl3}S2T-${)R1d$BF>ftm z$l6+_mVJ7qQQ@}|>4-);bJV>ilL!#y}{JB{0E24Rr+6^>iQMiK4|z1q#G zynTu@#Mo>lL9VCUOK!kHOwFg(BqkQTjx0;?rE$|Pt;B*7SxwwIjkoeWjkD47Yu@wX zr;9sz%i-bghmC{BckHYAQ6;aO%D*#QwO1|57HgDrwOX>?a9BF+$*qtcv*5Huvz0KpQ@u3ql$Gg8~e~ zQbz8b!grx64T}ql2BB*Tjp8$)Q=n9UO2YT$S5-i_aUKNy9@Sz+DX104^SXbC;N+yy zL{Evv0gHl2;RSLOsg7&1Od&@LJH<167N~}vlW->!Pcby^Fi;BrWN?OhWWY5kY~E(} z*JPr?LkoQTu@^Libs1QShH}qJKMjlH`R7!G=lWY=E9I2Q%OfwE9pqZOCnXWNWwP_T zeuwT;P%&up=-h@suG(o~7lAm{S$!gL7;w?|dte@Rvx|D3;kqYpTar*+UPCMMY^KLt z;8wxx2mPt@9pGwT=J%__i`C`zB#;#sD zow*+0M9vMcZ+d1FGke@Vi4of;@KvWTPBD)b?I>aJDYVi{oHRD;h#%m>K*eOSeE6jo zM`x07x_D}Vy4`S|H<^>;Or6+n9$CFLmfBXXn*B~roSJBB{Z0H;E{aTCqpVsy&USkj z;u$MummTX*oacWXTc+?m@#5n6{sSNq{Ba@IAr~_10Q?USPYG)cz}q}geNsv*G%aw9 zFyTPb@zEl90n@H58DOpie|l#j@@1#QcyjNkOz;H8iTsq{d==O(61D~UYawIgZ}Hoa zXx;rpo;bC1#a9q%qMFHa)DADRc;(|6(q4>xzlVn4Utoo;lg0JKsJI$gtB z{=lUY%_`}kkRiA<(sF!q`4u~VE=CI>GBTg%@QIVbAmw|TDgkIRCy5fMRAMfI zc{!is!Q9w0hC^9?1k5nFw%3pt{BNivpDjVY^SKsUzptOfZ;*0M@BFz2SSkk^yAU|% zo`Wf{r)ymHS;zr}JH}F~e+a3;o{!s?lGYw_XY-CTgqbm*<{NgS7l${1JSxmPY~nO% zhd7;rqO_*Oq<(}i7~_u$OBJ8lJtpJ7%2mg)QKQqei75054=(uvEUEH%yE}O2Dtho4 zL8nhw+swME-s+IU+t2xat_fS&0d`t(p}}1RF>@sR`NSFwoV#O<>O~#kZ$uI zaM5c{?Ksz8D}K+zz*yI(>`=E8{OI2#o-*0(tc(&G9LvKPc{Z(lZ{7r(fD|N%6<4CR2g{muwr$jy=Vf@;-iKC}-vk$er3#XXXJ2(ndMj{t%HOb{V?B6~ z@xZ5-46A24zt7g*g zG0RyrC~qqEhHbS-ro7r8JO`=6RG# zu(6d@vFulNsZgOg9|`)a2+x_H7Djc3tTK?!k46H&2-=8t$#wN?emr$ehE1Cj3EoYS z@03yZaTb{8NI`2jcT%+WoXBmr%$2##qkF;7g3$SWkb`?kt1iS*>F}t#zN!>{%QV$R zyhY;WqnCZ{sV@{;H%QM-kVkszyF4(@`F;v{2f5)L{X&(U4n{Sf+ZooIi?Jd8;`QLX zt6{&sUt`X2o}1?p#tV<8L(C{4_yq`G9OXe~P@5yUXPZcN<)v5|rp!slepBJ$k@RZi zN{w39Oz*jQ;Qra79tVZl5p(XHyx&jVX>om4A<0jAJ{zO zq{bW|FW%R@^gFU_7VQu8pZI*%!6){cip_>}_vM>-ck&~T;%G`HcNLG+b1OZ%@T>4c z7j!S)<%yKvLrBFW#(KG($-Redp>iOQhP%47H7rTL-3 zDR~y-MJ{2Fuexj`s;j11{nd5MF1Tp5O-Bv)(gv#m0XPqv(&!Z0xFKprEH0DGOP z&Fqxo_RpWPr!v*IqR&`F5sVB(Fi#`MMFO1% 
zONY-&E#n&xWsVZqPYgl~$|aJ@=J0?VJ9B(;i1$cKYjRwF2*^URhN21|{5>IH=l= zFx;Z~pbx{r1;6ghL$R>ODAJFQcbe5ID|bivN!5lg^I1d-&8*z{=+r4M`gXoV zBHV_&7K_THyK7To@F8N=1D~hJ@Fe|E&(kNyF&kcm@SG9PnQu^0&{Bdi(?ZH9q|W+O z^*CISY4+S8Ge3hkT)*Fv~1nPql96~&C!xca7c8kOW z44p=yClD$v^1W(BfI!NxiWXmy@LZy($M5R$YLQlUI`YYd3Q6i6?JLSJY+?|c$AEq5 zACFx%_=}FkMbi6b9^XRqX$xglK{6-#O%;v3_#9%{y8wohQF!0-(^{q?h6os`La!|r zP5I%*?TG>#E4!c|SsEy@FJc2LhWT$O90u$?y~(|iys{8Q_31w%(OrWr0}{{f2_DH3 zH|eiS2Ia~M24jS(4nrzT0BJjkooSJNB8qZYr%`Q@h|Yoh&AIMVs~wUE=~B_#_+Y;B z5_bIac&uk~jKKz9Lo6rhUEH9#=2YfKi^f};SqYYg3<95jG_Gwt|IWU++sDt{7@R3f zW7$jbRXT&UdZ=m|hUbmDkOg*}vPi5%|}-{m(P~KmWF7NTs*Ka|WWe zs*@av1e4Q`Lq%?k*|3>(BeAazXxXVP$zSpM3O~oKQi|QelkYvgydvuk4 zX+MnxORE0gA3mS3b4$I$(TC5ozmbYuZr3#Iz7DaPl%Y4pM+xZUPQ{6jEm4`I_-`+V z#q|3531%TrBXwsfx9IA(w`#K`>WtoC*uVL)E#a-EJ&*ikb)#?4&KCYtTW2O_xf4;|G(~ZHev=1EO?)Kq} z69O>r{qH9g{QnXrmEePG%$wn9=nz_cwIGGWslR6O{`&#J#|a_>vZ$b? zpf0Ar`x1fUTlpaZ?2d{5{qut<9RVD3V)^YlNAy3=(f@Md zTFE8J_!QIJes5xJzKn!bw*KZJ7>9)%5+2T2SUx%P@^7CBQnX{>7)ARYMNItHQ~bx- z&yNRJBY&-b^6xH&H>6L>8{Uz-t&HGrk19BUo$jqu<{%-uBE5JVm+{E?Ma^wDd(Z+|i!M`xOfecF97~avbdyG0~ zek*#aGUxg&`XY}Wg{pkq*MjW&bDMy_drwLIdn_=opg}+9_cS_E2wtlgC`3=Cr|c3t zr*&3s(pm0I#OEHqJU3%YN~SW8d?g(nK}1(&daKa>R<$AW|K+{Yw;w61w-#S9sqW)H z{va;nDU8u;#x3~$ByqGrhnNLX>@YC>WH-A#*Qu{p?2^ zpHo^<^1502$r!yIB9D$wq31Sv*IW91;?2%tO;*>HUj8pTgQUMZmg3$cWt0aEWc4AH z)>ChA428ye)k`O2PJ5|LqYc3;VSCfwJa$HroAsTSRFG zJD>Nps@Y`Mtr$Y`Z1%pEk6JU5{O4WZb1MUyZ?11zJUwRW9SV$0O%E1hNQF&z<{N6X zUDo1Qt>#|M00NNE;tA;2^t)`NJcs3U|4e;-oqoW~3+6(_Cgkx#jkmCrK4^_~0w{~e zZv8q+d5Voq0rbYk`Q7akk>1uS=cTLZ;^aTnR4X4H)f;r`CURP5xL@ANp6_hvc~0G0 z*+896f1TBe|N9sGsE(};BtDN*FnRaPL5Y+VM0(?Me25hl6N{_e2dPGN{j)q5E1rPJ zbqqvA{h&0U^-bQzu@Xcx!zk-Bb#^&`dLj?nxzEAv@s>Qp>;7)d?6|b#1mG%q50^XE z%DPE-sfw#Wg4t-k3cUw0HnGWbFh$KltZJ77u@@1~cpoe>BJt43eo4P2(#AROWejaLs^x@|)u-E^5M)S!gXFirs#yjoOa zpX`B5`YiJFrMUMX$HIgQVt|R6uF0ghh2e46ql)D?)7mbdOHrz7uHkM+qgv7eFaNZc`44tj0rZ=zrSbwqspf|>g^Ct^HTNu=Vdr3u@a zka{D~e?z>y(;Ox>NYp})&jNV3xw)}PNSJ_-!xkt<`+&CX1;~Gh1D-UOar%C7Ake=7 
zW?0*sqwb^@t;aCu>TE(-7^+XL_X?6BOzZ(tBXC`o190;z-Ej5X%NTSU)hiNGo_}RG zi~hs}+eg@OO~K~)^wCG1ot>LbLI7TO%?nw4yyr35e@FyrbB;~m%C_f2J-m?>$d=bvLJjnJ*S-mxTo3;1Z zbH5-m%9}IZ&toWR7|mJ*2yHL;a^WRC2OE} z!>l{a^>S~Xc@mU1o(s7#ZQR}LzK*V2BbCzQ)pEQ$iCEn*;>M8i+ZV|i_g=7mTesq`$O*wKOcR-rORx9q8(1S^d=K%O%&A2 zSfu@BI!!0QZpAbs>>(p$H445t@VduQcM?Q>eLDVj4LHlH#q1M-++2dl#@~%JPzGos z2W&y+7yxa{DMJLGRXy#RNAy$ose*_Gz?6k8p0~}~qQ?oM0w4KXPSL++(>h;y#ad+R6cghocqpsth;MmAjmnL>^~Z3dTw}zG6L=M)}>KR-!xW zbx;oM2Qh|`uT_V2T{_OPfWbG5)2Gl8nXczkNf>Q-!#Q{BFMk|)T9wM9;*Gh$O}`k0M@W=IoNcB_a;boJDK80Bf*4_^|zW#b>F&S zWYm$~&3-kePh3ysqS~fS@I-ZEQ5up$v~<|BoUk*fruqP$+4QM)OLxER(qcC+vaVO8 z+~*dO4;1vz_2{_Wstai6Y&zAjCvxpV*55qyD0Wy6H)r&U2#L8=aE$uya$wHscFSZc z14YrLSIVJtOkcd`n^XnQq1ZLAN}oruli$an&#hDc@VKB5S{r31tYj9 z%Q$uBA-Pc`Fkf>G@n2gsXeE?3PnR2qK3;*P$uelyD&7h;Rg5mVg}(x&LI;h>8s_E; z;bDvmn|n~qj{fo`_ihf8>~j;E&B8+nVr)PVS7WBq8R+oE7L+t=hK?6$slimnDZ%FP z`1N<-y5`Fvv5uz5zEny$O$}6!;7o~e5^B5zw6-dy#&%pr&F>6kif-MOHS^iJi<@Jx zFo?SXye`i!eAD+0J;I`VAQh<|jTg(mY2TnDaI4w_CH@+)9CG$x9E0zHY zi>TF2lJAm{0O6q_Slkm4L40o$o0oi1elJt)7dZ!is>Ap=B)-(p&R-iA9zK!gadYFQ zrLFS&k1!%RBA3;uHP?@u)}2^1cA~&FvK?(rwM3<839(QQCX1P+(vc~4@k0zgZEap# zWwKq%_gc$DVvbTEZ5h3-x9U-1!myBVaq@_(PND6uvtp1V>zp(fP;WQ?ab-bekdDuf zh5dnnpYA-U_N9P?W6_slU;FGb7NN?fO|&$RkNf^hP5V1gqnRY8w3cc49GUs*=dVI* zr=l2jx{ba_jGOH)Y?xCsP>fD{*|Q~1?0FEMO(PM;q?{~7Rj$2t@FEu2ILkG%@{c;z zN^1U{P});Z669`4R=`*9LJDXEYdbH`|82+PodgGg1VfOMp6>DE=^KLtU)S+1M%RAE znjVnzK~ZHs6%TAZ5;O{_3@}lEYb-zL)v=oV#B&N&czqgMEF$XtGUVq*x&Oc!F<^Us zn!r>PxLn0KH4cxAoMPb7dMMJ2g(>#(1wPHGFWINw9>s^kY=O}t&KDqoNqHDXLM4;I zoHD2=BOezo6-(a*5s`D%^zV_NhYDhjJfa#O5mAsYdn&7s00XfXmJ6v()-2K*m>zl8 z_6Bhepb*tUMfAHk0}m;8Ioe|8#5HQ6t~trJpIXro=a!Z~3061WYFk1VWctg&C_4s- zfSnF+7|l=20{InY20+v}9(?$Jh)qT#{`|Pv!TEBH&l(5^X z$bf?GgJ5S}x)~|g7H*q4I58gbzK3`tx?2YNP4cDLsaHl68CVTpD^aIrTU|mxtHIWX zk5LHHT`!^Py}0#t%bf-A)F?bPhTMO6g?)8>IOQ9ggt# zIqie5*oz#3Ad97RDwokdP`wXps77N_rfPIVWOyzE?NzLVxv?9QeH9X;ByTI1GI!Vw z)cp*yRNGmeBs}nCbQIx;|BAeq9Q{hhqY}$2s_Uv`05np=?(j(>U}iU%1V*kCBh 
zU`mUKoJEw4`9e)2cHBP{-mJ1upP$mlnl$rjC{wZnLcy|7QBXd(jHI_$5&n9>WFhON zpZsA$Nu~0EPf5aDmjX<>DJD-Ac4WYr>wVymjAZh>+_CS5^x#}iX8`IKtk4k2C=XfV zo?g)Fzh=VbvD6)ivoF5P&*&;_yl$h`Qb7P4l)OWRzn!8?Zd|B3=AsGv zSfbEj_n_wkhh4(g?m26I=Ta#Kt81C^p>2ylw&VU{Nchh29xxymG}w2dIaEibZ8<6Z z8FYs*n@W6^7VivxYK4q+HyHcOLb7(g#y%UX9H<18TsU+*LP{IPkBnE1ma7WH#i&n> zdn*|q`vk?s6iV~z;hNK%3~~IB((U87KOCWM;<6i~6=ASpGRZcYtXnDv;SJQ}tX-d> zIDqtZstoT(-0(VlV`>M<_rt@(Q<6Q$p?a9bi0=i(Y9A@rx))s6GMr+}Au!$%x6+7p@?@>=4*$r>&PjmfT(el-U#k=#{98JFj%0y7?o>m1Ex(MSx1fln>tdc8V%I$P~ zap#m?$hs>F39sRL@8(*WFX%k2>x%FccXloFR0*N73v94P5WMB32d#ZmJ;YwS?^xY{ z>H;Xie4RI;F1ea!>CmSXOb(5;`i@s30v>^`EOgb^$N9WO3--ZS^+UWXUItG-@>t6q zj@f@6ITI72bLpL`pI*=3%4~Q^M!@*VEAHL=6Kt_V{#AQAAraNLuJ#ihRgc^bGz&Yg z$EC9CHam&2n;o0j6Yq71svmf!5X^B-o6Nkk+RU4~m|gqa%Sku4Qz@_~MO+d;(d07u zGw=|ObRn4B|rDkj$=cosRe!sjV_Ie z55UCx$hu)Q90K2oN#}=36QczmKXjp719>9x--NBm0#UvW%^5^&Xh+<(G9`;f_gPaR z&@dlYFF#hAT$5njUA7*0*XPcM8w3No_(RvvF~V%`@1~c&cw&nZS;0P4@F2jN#xU$l zVX}|Mc|sV(I(%xCdx*1Nx55@j7|C~;KgN@3uP_!qVrTXOzH6J%>|2c0c+ga`Z(05= zEg!$kB~;;;D`oK0C~=Zk+!+cHh{JclyrX4jmNg(h28kSg<9sA6O zv>0`h(lOyvj!o5wso$_)eF5b1+E@E{xs1KU-U$Qm!NWiD4vVq=Cmzz(4yAV&EH6j1 zQd07exXN<~N>}!Y3p7f`=J3B|-W9Vx6E%4&3QcR32m8#d5zOX{-7jdAj)ZQ;=Luhs|pl0t$sxxnO1G#(RrD7gHIPv$prJc8-swqkbT5j); ziW+B&Fd)j<&&jl7!^M{?*zjojbsS{AR@#1YT1z-0nyxRkX_G`VbzVO5-?uH2ER>31 zi~J2jxy{-4Ah43E0exK}aHk-!JGI7GyoLf}wb%!{KY0Vs(?S7PN=q5{oV6<-I|`aF zy9kP5Y2yLy$xg{_B6xJq_o)YbPl15A$Kk9Kdr_bEf@mVYTRtWJ3~hdS2|rS3!a;jlD1L2+LT~_QMFPMQ4hOtoGM(9ugQcnR#QS$4l5#? 
zx?ZLD<%Q91@m5IH(*Kbj#Y4iUjC&F#w%;W6GB!}3%x%G^W;Y=ASvwZSb$M-({~dy9 z&DO~K#;jZ``1|4a7z;HkOUgGk*!xAiAfQjub)u=VW6H@FywNU2^F#NPGFWo-931SP9?TGxFM*<`5z;GRmMzSl$T_x(Ai&SX z*5odd!o5oEk>maOUp)0u)?TczrDq+`uv5hQLEcL8Q`r1e%ejHwuJrgLd*+l)ek@=m9hD zFhkM1P&Y#)gYecNrk!Sses;ZTbxp+Smc5$?>kdk^yOzcqEh-z+a2*{s0~bR!7qBhg z!XSixgnE^hl+Vf_C5u<#mpYd5XeuRTBFZBhOQOSzD4{*A_gIZq+>2q{u-AAyIZb^r zgHrm?L9|%jL=0C#EstNH(`ih%bUPZnGx3NhNIpbucFq^+-J8UoHlHP?%qbk?@Gp0)FAf2QV`YRI=~2G%GVZA!JoE+0KGZ}pPxKeKFP<)Q_qDx(S$PB~HvUu+!VL>N zq`Lz9-bz*obH@B|t%fN&ZS(mmncniCIf)5>6L+CYAF*cbb(aHW5Wfj`38ypV-31Gq zbff+^=>!lRziCPlT{*t$sMGSo*`_T`Q0+)_Z>E?fgtS_f{t2u3nin41;mm!FLyD{<*+wBqvD>8|ILCI!;v*cxwa<;j{a8|#%2PbrDC(@fr`d;a%_S_=uAgjL0np#6?MZ-*_& z)xHI7$PJH2ovP6dEXIRUBVBAX1GrL!M+K&h<>lWs-tOLBhp}2K4qyP1;&?i0-D|ID z$|uWdSU~goDEkJZJRRf(nS0hl?72EE>6cNqB;Q5Q(4@BK(g_N_d74HG|G4nQ%xgvP zR-}H~4_{NGSoaAC=83ed#8JX>q6S2^Orj6>i=}Ug9pf zS6VUFH`JSS9b`MoS;E?OU>}+(jw3p#(CU?=z~30< zNll;rIdi;#`@oEa?x|xp#hNd*5h|sDEuAC3k^E04#e}=Oj@qGu$V9eBfeE>wKqNZ#OFZOiLB-=X81lf zGj$4aS$or_Lsm@%w#zNI0w_&YoR3h_=FZstr>=uBi$`zrW4$SZC>qTh($(V5D@mxq&w!sB^>dcGr*e8aD}^A#3tkOvz;gLOSoUq#x044 zZ<1KLdGLO^G=9t9k?qTBm{z<_-J6Lw<0^YK_LF|5^404y+gz?&xRL@;q)PGWX;_kn%zH4(oy!*Us%*R&YdKmcK zjrtSrUDeUa4yto}q_`@d1)o!(Nx_h4OifMy_%SxuH1+Iqh`2NiFz?$WPfGXJ(!>fJ z=7BYJTR$2KrYRiF#_Co_+=`dGQ=M#IokGw#e{LK{1hP2Ogq%pw?nQ@EmO#eyDY8n<9)6iFWA z!Yv-*!AIuh9%p{$s0~hP;+?TO`10l4qkNR*x%o|y8SRvcthQ!FmzM~(>&DLcrc)XL-`V-zU0%M*w{Q8L zEKC@nI2~$-d~sa5B%vnfp6}E{83UQ$Xs`7utUsAvYovFqqN8UW4~L$i4t$@yn|$8& zmfp%fX8iJ)8MEYbFWFK*4(Hi0r=uO3QI}2K>H5nLG#UJB0(9%5o1$neIA;PKXdOz5 zmU!?+ulN_^w%^nH=lLb!ki+92Kb@qyFc>vEPb8qP9cy~f1$}-Rl*2y}Y-ZZRAme-1 zRxa>Y3E7EHroWL5{EDg?5cu#=DCW%@l<5VsW`x+Zz#fH;R0<}t-75l0GOPZtsRL`M zgjU{l@eDCqS4&9=*5zFUKHU&bBB5ec<*ku@S*sDBd^n5Mby)dsWO`N94kG(gq`k9e z>lPbpZt^i{la#IIs@U&C=&r}G+R1n*vBF_sY?PS0rb!JK^z~0uLmjv+hpz&n2DCKM zyKK}@vYq|WcqkZCD6V)11J4Yj2|tEL5b+^rM0;vMuzZWU-sB;o(c|bD5zIgvLl9pq&T3cW zn;}ptGFO+ZlyAMW_7f8ma||?C2jGcPj-6wh z%6G^!kDP|N>6zL|`gQoA(&;0i_8AYMVa(xA1yvPcjWfo^gACIIGcp;zAwz=Lma3ef 
zglCX#S!Zp5(8JAJ2!IY+diCURh}i5ZZB-uqZUbPXk(=NSh~10nv99Xu-*S zA4PS&uf9w9!O0f z?cfyCGJx_9?*qhoSi4u1(Q(MV7nW|$sNgMOER_9?qbNOzy+Ew_4cMDRyo_!VN>-@s zoh+XFCEK9T^nJ?Dr@>3;EGgH5^PXraqm|cnf7h$VAbOnIj#ieqm#?Ve%!8y!hxZ@- zc=^CA;XX<2!v|E0f3hUx50UVZ0|`)oVK%M%>u1!#D1?%MR#Xy4+tU?6PrlO%gbpFF zOz(FXf2s7R#=R@7Ld{K(>s?B~dTIz`DI)Lmf)>Aj9B8JORjnO{0yqaEj8$;27Y2G* zzD`DDHK{>k&(g&wlgs+c-&eWR(gz$8<~yMAdfV;4r|PKs&b(L`WQ6Cc7Td?Kd<$1} zheKWH+M~57a+RaTxeJ--$du!@ujd3j2sxcH#&uQIeicPEt4ovF4pDG8`h@l;XJ^Na zc~`Kkc(+xnax*@seN@Sndn#Wu81AO$?jXanVdVOtulaM*b6B=}4Uwf#qekHiUQ0Ss zotqy-{^C*|QGW>^06K(vcMoUV+Hn-UP0G{4kP1c5_`&~#7mGQJDoZ%qjgJX=!?smdZS<;p&;YNX&%wa`FY(=^_z-+b?VMv3l(rgXNZh`$rV}C+gyk4=55_ z3qGk(XG_a`nU$onyFs4eQ*HN*nEC~1jKjXzrwshOe#`@&KFW}veoms$cfTHT3US!P zzIfT7Y%9|@wtLM?2D(DZ+QQ>_B@KQuFp3|WZIrcKbR7NL*OCjOJl!ymmJS{6rN_%G z;6L`nN>BRsD(}1B&c`V)csdQVe(mzsW&J1I^!3^twrngOnXKdsH3@Ibx&Qk7{P({d7BPdrM@KnGyd6PW%-M z5Jxg&Y{l8;qBBALV|n}QMv(fOeyje!v;h85|9zfw__E+sro;m*Gk@&+|9lzHkp;M} zj%&JA)c;DKeFR(={Ns6D+0?(E^j{Cv0ZNqP?*sMgY!v_VYyLa}{%5yf+%qvg_=i8H z^Z!Q1|A>%5q4-uRC;J-6_jDYJ3TV3nY|8LA*tC2D|1EU*)Bc%UEuq}?z<5T9t zL_Ci%oKw61?STIMWlkSPaA#K+iH7zTVwj48TUF5Rn)BQDgh_Mg}*VIvcpoulrMq{@Z2#2TzE){Wj2q z=fBMW>VWSI;0&zK%U%Ba+ujmla9D`MS`U8UNxV4OQn0lAy|sjjikbij3Sf70!2g)< zKb-hquE{-nB$~3avJm3B7vWPhG&JQvAqZI770A94-3kp0QvlS(=hD(R+G=Hq+5bvt zg*^_yvM{7O@&w{-uW9v>1ztFYuK;P%Vy?RlyCXIXm*GQ%)5VeOP9&E!+65`H@b(3> zy^M{pwa3E+|DC_h5D!6xKtt7~R;v=pW=gQU680GfKaYO0mve6zT7D)LvF`Z(#fOxK zMqX2S_VP24CYf_f{~erc^`%}Mw>|CHxR>?nMJi;=-2R%H2dr%Q!4D$|H5W>q?WUUc z-^e|@>23Sz2oL^mv*SBvfHjL@_uOfrtaH@C9?8j6*Bb7DpxX`*5GRjacdQ&IbF|<& zf85spXL|9^VZDWntL~SYEPBjUC-ydwJbC)v#b}jsT43|hw1b4xwCBmU`q`^#o!u3t z2Tn^9Nc{wV>DTzTh5q(s>otuE8|t>F=A2RI2L6*c3BBFgn@7_^Q%>bwl@F*AD&>aj z`a`6rk_5Yyg8wX#fb}Z?<5uoH6pxBBzvr$H{FXce(cV4iIo>2uETzbs>#I`(fu&%g zdz0+t2Dj^-g9>53cE#69n<=GDpv1U(JpsIW9zC;ES@kSbxx!Evx+^q*F>2H$h~i6w zUv{d9P%kIB+&xMJ5)?XWaq-1jP$q+;aCXst$H#x55OJ+ba)#Y86o){46RolK))hu& zH!UwaK2b?f&aUn^38|QGV{k|aYM~qTJ^02?83405sla!{_e*(SX-~vguruba40j7M}_iLSG4r 
z>#G&5eh#p3aYe-_U$MnCejy>)N>Y5h>IO!iXSNiaySZgV*^dDDpH*2;yrt?AxJBLS zw#)m0t9?l^O(bJG z)nb(c^(A(R??bZDSoih}wFa52T!x&~Y6cI~=)QlH4fhCD)uI+?sIe9!^z)VAa$`Nx z%tZY0G|G8H0MaBu=D+6wRT7xuc54e0DAxFMZ0tDJfqW0_INUf}VEAY;V%P3Pdo?3Q zZ*v6oY|Ok(@x%JK>07vl26=BML&}}tnU9iT8g`#V-@vF&wWFQ|n#n3D#gMy(@q4^^*u94!)iJlvZ4;}Q?US1GY?#8hXPuPa`4S!%z>E75i}pvkDxN3@M?0sEj* z7%H>A#m)@vM*8*p!pfIwbYCOJ_q>x|)QDEs20bs9nzU!jEWUp82Imp6DK5z$kT*yo zwgMxnA_@^ur1o|_0~Q^zyEj0h)SL3Oiip%6w8fsdE1D ziJgEnh-U`7a~ih#tM#K=e`@Ro0=kbuRjT}%{k(8K;~UccxIVbP?Rb8C22kG&q&fV8 zdLiJxZ&>C0q^PiEWnHZEGmuxkU{Tw>>M4K0$Z(-GozXY z#D*#m2M{@_9^}ZOl)S&Os9isK6H7(Dl1A7H6q-jp+x9G8SZO2o7oP_L9`u#cY;t<= z%mJ_3G*<8GyxvPuNfOa1oonCPI>?6$|LwW5XQ`{geJ^30PXa zo7QY@ix}27m9o6{uF+?=z!6t|q~bG_Nh6tMigltG0q%B=`gK}1?EVO#VW8%FvGMri ze$&R+^u_}8s_3I-a{P`O$TTfJ^R3C%iD1)CHB7!Tz^2l7$-w6%=~fSqdQ&n=93WmJ zYgNslfbU6Z-(~_Pf4v{@rK4Q)1c<8hO|9d~ECL{3#ycxuNPhiP7MpPT$T6?&ZQy+n zGAVVlBoZk{c5wIr7;9A|-x_PZQWE%Kz&VFUK$?-vVZffsMATeb>+22N3IuYV7Cvu9 zR}{TIGs#pZy15r4dSMATc1?o`L0-h8j>FL|9s8y)-3OBmZuVD=G$c#HxAwoK){_G# ze56`AF{eR#EUe)sA0czXW0lc$r_#3RUc5wS~g z<`!Xc>#TZ8V+SIpGaCGDk;_1A_7Sg*1;3jjvGgKdNLHvh3 zbp1T?pn0&FwzHO=nv0v;hhnwaS}A7+6N>+lMmo%xG>UqMDUa6G>?Vj4P7#9Y@qvOu zpJmcw3ln*8AJgO{KKs=*)iS(8Y^1v82L8S9dSAYG_^8q7{_0v!^@4u9$d(_=C_2VE z=*X8Vs)Z98`_?^C4i1(|<@Ho};jHWNJ>^Xv*M-)moYr50D4^;?&`LFfZ%?4q_7H|2 zc7V>;sUMz!ffFs=s?iy$7uJKhafMv7Yap#-irC z(j8-;&TxW2Md9%q&}05uT*`pb_spm!KjLj$s4bcC_U>E*>N3X*RNcK)P7~qsj9bjf z1Js@?OYmPkO?yBX=Fr3&M3J@FTzuR5J;v_g^;I9N@by&MeM1m)Q$D(RzZ)Mtv1@rP_scluQSIJ{uG1bR~keMMlHB@BgWIz&GzM*}q7GwLDA1KvY!RcqlIt8b*Wz@W446zNA4{Q#k0T(3|DMXIHA!#xpMt_B5%jpg)eBNknFk4Yq zCcB5x6^$^kxlp0DDlkt~+@{$jI`%O96g&}?{7*ou*uZZQuCjktwn6 zT3^n<(%I`nJo>M{N2@V+y8BMqlcNTYK0iPG__i~oME;`Q!1NsUV~PZ};cVqMjVK3| za&2KF{|39GHayvOe<9PO<1mJUlmq5V^i7jQ6Z<%lylC#V3!UU<-wzEGh2v3jag;ZD zg;(cmW!043wSUHf$*llv`Ygf9nE5u8nD$nkcFnG3tEW8#ik+=YhEE&kgB|}c(82>b z_oS$1esic(QmBV3CN?$&GzMc7e-sW-G&Y@{7DwZFF#@8jJ`mEBOuOL+6HMtkMVtGX zP;|iJfr(L%ddo_Tkh=4MOHq%s-E3`{xfe`vn^MFxhm?3=)X$VzvM02LIoLUzu}39T 
zHoCO~4c9?>Dyepvb+Ob^n*JdHr&{bmX~J-%=Iu?Z$&*hed)3WtNL9y%@)ye)rniTC6Zz_S^y;;)xHPye(POYvKfDdI{?sVmAWGq`*33sXIAGQ zgqIuY?L?;8WpLLDb0LE->E<8`*>p%1gl7c-Q|p3c91g9W0?Mo!do}oz{f|ns%JCX0 zK}UYMhQ+zH1a;*H-8|8=GW}*i_b}CxirwKzL)ebWh+fw@vm;Vw5^8;_rbVC z^shdTjo4mosM@kLFJL4tZJ#UBG@m9}BjOv6$({_bU4OwQR!i|NI(bCl(!{<)R-U<4 zMfEw?t*<@yvr@c!M)|talY!xiAM$!#r*&$yo6i#FY|Q1CXCIguj9DjQP_oNpoaPE8 z3fi8l_sZ*kvi-gDa-!UdC2xzj^K{qkvS`^QV8aU}u3gG|_TQX*?ss{GO1jpdp*T_Q z@&-G{Y$g|t4)+MQZ{Yh}oTiYaV;)h8OdCxB`3$wbr1l1WO%iW$NI-GZw)WtFZ((;%puxO`BvN$h;CbJ+xO$` zp>3bX#i6!g6dsh5t~15TJl`q-Xb|2;gNp!$CG-Bep&jMJ|{x>`^*>S@d-b z91$KX!n_XmI)VO@ty|rXx8div3#BoVJ4Q&D#?XV^bl$+auoWXJBs}6B%li-^DhDGk zKa>~F!ug$UD9td?=aP%pmZ2fjc8n~+zk5=fvhv)_3J)j9D$xvd(oIOW7EgZ*gG|@y zz)is>h2Dm=Av4}ZicpxxH1@C|iWvUps6ncSAc=27{(lHDrLl(#2&~v69+3_Gxp~1A z)z~YjY{pT>Zo$HDNURC2m+of??%-dS8LSc3n|+`Ye>Lq31!#cy@Q`5Y{5x#b-A$(# zTQmW67@k19r^}S?=Ppaqh~63KKQ0G6~&%UZ-f?YJyx9>>xb*Vv@3!-h(W^M^jXQ)0Ol2C;qF=Y(~}DTG}8AiSqXR_}JZno?Tf z|8&#)xt5eWENES+n+(u3k8vEXaPK^S5U_29(EulRO}!A>Yy8x`<7@LWSBS#?7C>Wz zR`Z*{3#W%(#=5wBNFH~&NVc-G6_%!FWU$UR7x(Cgh3`@96U(>?$4H`tX4jnbR2x^g zQ8WNB+f6T|HD(yr3o5|jxBKH3Ia8@mEi7aK9FCiP==eW$u^}jMdU9XigzRl{;&y$mZa|O zb~YNLO@}b92rS^_aVcolYHr71vGFNWvFH_N(_kX+B~bX)h32=le+nf?@kN{)2AsQDw_dxY#)NFa%!Z{+!;)QSZ8i#U~qN`KnPmz#=W89WHSet3= zqt%r6Jy4Cn!;tgo`T~t0-eQxx^JLBqDzSFw=YE759VgiAuAkYj)i$eyv~$zpV=GV0 z8#W?tlF(%Isnc{G9IChsDn<=1e#x8*&`Wh<1V)}mXP!z$HqD4XuzMT^uZTnrQ((yD}V zmvwvKqy-z^bNwU}%YL%-0tB*E^}zYDI>d!V7S=32`#hAkdMPtz+v!XP;0{5%==bJr z`D==(_&0SLh}Rqo0qA^Mk4^N3_LbB6$Vcl@qyy6F1fZ3aL}pj}oO^~%$lV&|PjQEm z#Gj07_h27QbiWkW5etf66MuEj=<;?CYx9E%)jKQoMIs1T@W}(pXFEXG&^I~?YTcD3 zBF2y(>%@q;`?I8x3Ji8H$8n=3_lZk++J~D?-2y6DS*4z;p?%^sWDB`&9imrRyhdqY ztc*m^a@CX4MVZ ztIu<9f|=?)COep+8{oi6B4t+diWt2WD9nR$tr)fB&A?$ORz5@ANMr;U(4OzbbG4Db zwx^5R`IvWKzG0{$bD2!3qG-DwpyQ8#o1TcQNrh9p^b972$ zZ%-mGTM}P-khL8rK(WU8c%1PV$D%?u(4Qa3?*^yqGt@7H%jie1_$u6Od}fi zUrQOPbs8dT`}Y)gkDLiOtzvXKdx;v@8U{+CTjJyMx?mhcY86#s`7sz?$ddzQsf^#ZO0|-#I%CmgA1+!6ZX=sNm(s 
zFS6AtaWj3T(?9}k6^F`@4T-~r%Zm=qp%G%)9$iVYzgfF)bL}@MeV%wSt6ci{(MwYc zMLK*SSYkCYlZgM@^EON%ck-i0)VD{YLse)FHyASb|q z{F{3;dhwa4Q_OX#8K6q-k-ikf&GXzF-9b8%io}6nOoyCH$Mg2jS&;$@AiFG9uY#Y& zkptWdgRsGmgv&0(oY4P~82m=OAcwk^;mrNMfT?0;$|~{ts&ybO)k3&LnOA?*h|ur& zPL(JHcR=vZyXzJ$rBe+!p%MhnPlhkg9W%R!=RT8tVapPRF~HKL5`Ay;7M8L@O@pr7iS`5ep9T@ z7)LI#4=qI-$fs?$HSoCQZ=J=3kMZf^t8fKEByIkJfAqsUgTo$(IZKtlXEj9Es5nWD+xul5n`P;IDh~CevPb&trtKNR9S>Xvx6&cFX3C_K0fn&WK7> z*Sg5;$G<<^Fy6D6w{=WMX~a}d$Jv&^m~wv;mE!Rx`u9k%<+-oSSBSzu0`$UV;DHNU zTC*noVE80xAj&jOUiGW%)T;6Mwb8s}-JNcZS`$x^={Ce(HDc+}#cyl7HSid@8tXaV z4~$OSm#$ol{84)%v&Vy`sW<0e8}$2fIli3dppTo>?-D%Td=a@DIQ0g(8yM}1_RAV4X`!BYHHBYlyv4h_1&=P$}I(tk}<0g z=9<%a(jX5D)U5Rl{hCyM?ATpWBHMmYW8+$*ByDwBnRv~EBzP_I^pBbqH3m|uw>`*> z2u|OBCv>F{l)qbn!DR!|XSr~KQrA{`y;u==>IK;iXar*>G$fe9C#l7>b>^mOx&{^a%L2kNOwf8?fH;7wp4;|l7>=JJcOd_HuXB)zV9Bok3)jt&Ie;PnIq^V zD^#Fv1Wl;PTob>vUQ=0kZr5H zvsgI}PE7JbWdPpbJPliq-nN0pFFp^iiLGUe9ln2Jgz8_Kb_D0YUEbM|Y9CJ%+*e|( z)kOEg>qZuhT5cUCr+ zGQ_LY={?4--ouXpVWzcf%k$CY4(09v*4-Jc2Eoi*&`thr4!N)O zyXnd1#2fPEJDrN|*gCN$UNOK_8>_r69uu3x*z~x49>upCW6dLT%X4Hnz2z;w3_g5T z3ygRFTsy-HRns-2h--dSi}xpPMf~PFvW2#&a2o1gwA8y^7F*990(Q_*?rWK~@}f!* zxJ%RmzwBj#&(*{5N0p#fW50vB&y@L|_)-+raD$S4J1tM&1r9P&!pI9613HEcP;XG%w6_1FNm-)G1 zO%>Uhi4M)@=8g$Oo$OwNu4;<5vyIPNC02PmnJ#reJ>ehHg%{MVlVxUQm5BnLB|`lU znJC{`?s{>A6rq)WZZbF%z=l)aGa}tt@v&@YzI~| z6_z=#AVgEd*3E$FFCKm_qe1h8L|>~pi}p3|{JX3?7()e2MPUD>VbaZho)%ka zYjs9@=v4I6q=MF<<++n$MnedY*&6dYW+Z-3Q)-uWkdM$xKQb6&H9OOQMNsavWw~)A zgx9}xahfKx=mAZcGm`bew$j}M269mZF$AFQ)u+D_pqHBcc$DqJdXgJ%LfHM=KC_6{ zts(O9BPG;?ddNGl>5Z4ZDvmFeof?sLmjM<#7~k_5WLnVm^zD1iC8RkgX>7!rrLSte zW-HW7K*vqcXSQpJ#Z0}Loe09D5j_%Nn1Ugd@uvkzn4%6rLUt1SQCC%U!xsd_jjZXF zM!m@1D2bgTrG$5>&x_v|nZpS{-u=_g;>?4VUwwTe6yATwBT!(sLNspjlz5l^PEDQ~-joITs!&E1}OE;*I_*4R76hC#6`U5s771k3z zdGaf9a3jGgc*|DXLyd)1UHVxOodHBHfnp<#aDi2cQWiH}Aqw?ju+4CO-0t4=dlMEh z4w#mXca8>igp}WBjWjY$Y$Cpxl~8BEXrexxJ`5XGTUXHdCN97bz|*ato*(*>8CI} zkL_k&vEKcYDMPwJ4|&>evkkgOih80_SU3wRM{(2#Qx8Oj+WtgD`A1L;QI}Y#yOh$n 
zeoTENL@?W^^%CNumm$+yloBysG)z(}t<+$2CL%w{S-i+}B`>}3_W|aruYNxs`(ZvuzH7I4jKd&OY7=oi3YS>kG~)B(m{C z9uf$3gwF^?xo0M6Qu~le_j+|##ZG1XHz*(8N+c*|Q?oE6!?(pCAl(>BO~DlRn_}W~ z!#2#$9F0$+j2pE6e=yNwcuY5K>Qpk(`!KVcrJhoes>8ZVHe1!^3$Tg<4KK6DZ6F@a zT{HLjV;@f)u&HpzcN|=jK{OOPQyJrg@}-Wj0)HP+)awKN=H6O&199&#dNr2B{Sl}6gYZ;* zAml;OX{Xsk4LqCZj+c#HC$Qf6(t8wle3$-}%E)I%A|@&2G`-Wz*Av$@(3M2-G(XIp zVjCaLZ;gYgM{|^L=z;cmNJ45F8$uBVm6mqR+nU@19A%s80#~Nyj2g%dDUK;WQb= z#PJr|PX8JsSem&!{RdwF#74-F_WeUGw$m)KzDc;6n}221t5=`*+7p=uYSTtenM2qC zOn7@RAip8UJ-lO@G{mL*KeB28eY7e@*ztXvvaf4?ZhV~jY!t?x0NIwPCOdePR-2kL zLdr?7bhznH_iNOTx4*nn(P`FWylTGo<*Nw$B*XFuzMjAeuO!w|s#E7W-_TY;?s)Wygsi=gafS}qO*XKyAc@o|cG3v|2lK;nd@;>k?0ZF~_6Z%@{*XAz3i ziyncf%qvyw*j=;~Lle7~N7y%^7>? z3FLgcmATyP1WxDodR`vRu8FRtcvq8?Az@Ja-}w)}TJ`C~?|7A*=ku$e;EUh6`+xq* zd5ekPTCAJRXA$|IJ^=i0n+FM{^z=jQJ7lT<^a0?1fI+#t-FM>QRQ><>FvO+Hf9^~a zXqNwAmHeAy#TU<+MHwrvsKD+kaubyP+jmh*-IWjjjL~iWH>Y$5={Jk`od$284T}G8 zRsZp^;3JTrPuj~!|HHui<64WKW8t^58yI-X{M}*5s`}q?edhoP{hP6&R%r%<(?69m zPw*c{7ksYTeQN(qTJm(7|2RRw=e{oiqjz}n#qIx`9RED5fcvOiYP0Ot70GNmZ-C=P zk$h5lY}ne`8Vm>`LJpRHs3Lyh{_Q#bAd&4K8e(S}e8TLWnVf76M9q?c^x=o%WxMqF zcq0INRs;qj1wtJ|QX~H6EY%eQ)bbQrj_Ml&r)V`*bgyj0p8f5?_R* z@=GS?y8n}~+%M78za8l_GtBpb{#X5i6ftOjHk0$yNf; zAYNb>nX!@d_oL&AL@elER6lJCtH!mN02w%8y_pCgAsNjuPbLt-&#mIlWbP);y1TmkALFrYaJ0m6O^o9YpHR#sNko+q1xw%vV6%Knd_NqgLD zQGcC-IVecn<^!d_`%}VN-oAYc0W2l2H`Jj36lyR%XR5we+blFU?X=unH<&Y~ZBCVB z2lr2QljY2 zq>#*72CQXYuuTn@g6`;XO}dfc&XVSfzLE;-3Fe0L)$~u3(LSI2Pl2D?m9Gnt8!#mD zy#O8Wv3g0T7{RE_uhHPZtQcR^kuk%+q5m~oL4@r>El!LGQ|U0Nveuw9VkTCZT>F>m zxSdGrOon@GQN~#y+s%bli|=5UUZK(OPd1BoqU4l*y?$B(?YsY)bxa?{0VG*uJ@LKT z>L+7?+Lw0#v*`!-n0XKfCFF6YcY@3AY+cXxBH?biRspzlh)IxJL|h&XM^^ckCxJEX zN?=nrNFz^)LX1O9Y=PH)9>QZiUJAzPoMT7l`8z+*H`=z@NPD{ybYgVs%g{a8vXIy2 zo7?sRj`4~N&awQ<;j|6*BRK&rLtFerJbDPaZ2wWwV<#CgKP)UP??pjAzNtq%*1uYg zO;yUjE}paoAYToSAFOmEOm=__r5^C9_N~||X%U@XWi9x8JNYwHROiesOzUEK2YraO z+J>GfINj8?@9Ev)`+Z7Es-aTb1W%OTI`59qD6(^cRXUfyyjeStYsl9xsXD2JE3^#F 
z))ZGwBpSS|_stF2nBXqjk;BuPgNMDD7zmANXIOgh3kE+?xO8N_`la8mC(1Uun&jz= z_(@rTHs@yc*}W#Z-}YyFiEUe|&Z~QrQ#%f(OBPGlVkb9#jONA3b2D7&C#7sfa6I%< zA)H4>RUcfdm?yYw+t$S%&-0thIf!x_2v1E8Uq3T{V*kIh+ZgpYyz;~K;uO`)?IpcB zUbwk-gAw^T6a@DSkBVL$zaj%R#tTV(&Op77VzSCclMHl6-e$*C1ERB6+@a`TwJfc{ ze4#JXe*`6lh#rqf+Jd3~T}^gHuCnh5ng(54@1jG2MR*5d>=GpS!WO#IN1_)kvV6Pj zY7av9jYZ^+!MLaU7Vku4=Pe-{Ek9tnT`b7Rcq`7=wlC0C^|RZ%IP?rXMlT8740tL6 zUOTq!2^JyJ%PngPQ?p8Ale=ekrzWsSC)~`W=x3>i0zEThs$*Jwy1uIyZ3Io~OtHC6 zPYH-(H+VKBYqaRIz@FNBM<7FaHft(e^Mozy*y9@ZKYetB>vEc-W@}!@uvI&G6~8We zyd7nJs%pB5wFGjB_()M8-<1wf-j`q> z$EB;L3=}G^4j5r7)1H}vF6H1Mb>WgYA@~~200{U)02U1v>T1)u4;QcN@S|0qSqx=- z-a^9$y{TI^m0gsQh9_STFs0{d?k~G1Kgr-3)Cj{JJ&Ur_(yW?1PY$Oy0l??e$etPo z?iqSwm6z)PU4w<MsQ;b+~dtU!vdtVyPR@b)e)}l33TU9lc&gQlhEj8U#YbuHm1g$wS)DW{M zIx8I%B{dXPQ^Xj=5K&6aQxL>Zvko>|!_9v4>6b+p0_rk)A z?=YIvy#r=G=ucgQ*^YJBJH_1Y^mDVEI7yTnX%Ba%HqWDXw`>)rCl0yw{#xE@-Xn_t zetH{$SpW+6v>{|#vG0b77uj$RxQydw4#Zx$_+>9X zB5%jC59J!Nct>Wb?Zq`_DP=A!0}QG)#(`85Ug9ePQXSwGP=^9ED=sb?!tWp0GvmTo zx&e_FN0Gr#H@(uu@9_|isqH?tDs_1eEE2;l8W~N;<_2-9+Vt)~)3k3f06X2)zk~>O zW?fe>Io$jZz?C~Is04c}4V?z@BRbY@LG8Y3G~alfDHNF{+6@Rlj=wdan{{c^L0wh` zI zd!qW7RzUQrY@xs0%;V3^zl!$@%yiND2HA;;*u8Dy=d0b`b+xt#azm}2ucHlM)L%S)OsS!_=K1>Y@fv z-=11IJ3122y%73Ua;WJIzkSPSzn8eE5Lnsjki3LlM!vG6f2)Ru6Ty>E`v}S0fTI!6 zZa{s6>f`*h;sxJSK)$Ca?|CF$f|_ohqTp`1y-u4H*>^e6PDAhKioS~&%$?0`noJFx zNqlT8g4q62=F(lyRw!TaAwoasu+7_ryc)pFZ|{1LqlPMwxXtQRZ|Vmq#*anx4??A% zhYzGC!p;ItGCyrid`<2T@RQp5dL^Mj2O1WPvIm!Rd`sMSil?(+sHB1-EI2m{mQL## zsDH-6s4k{uk<(I4y918*elskW>$sWG2a$Y&F1mc`@waow4b%QkIKFx%KdBxY#Y10! 
zKB8L=7Oh88FM-b*Vh*o^3=r)Cn|r9To4>TJRz{_btt9M5eCxi}PBjfBieU8@P3l|e zBy3$zo^vIBpVgAm({)F}VsL(hPr7Q|OJR9QFy#4TE_3Buo~=q&+j!eZv)3VJMm40L z+!kd@?e%1dLDjqR6*z83B4_~ADAotn|d|D~q)o`U*TTCF)ls-}Py?z*@L<7MPgK*4T zNQ9+7xbljXvKZR?c5gjpcYLo( zr1i~p1z6vBX4A<~w=V5eyJmjDdmswF`F zt{hNF>pmMa_vH~4rNPVVLa4K2XU{9u?t=FFIv&;|p3*;1=v>T|M6ZR%0R(}kaz&GH zRJh1;EWKiKZN?u*hg=&@3HWtXnVes;OBaYBK~aKv!?)!UGTNb39y z8{?eUn(_Qj0zNr~A(-cN8H#k;t+Z#j9 zNa9#LI~_TicjayI&@=ob!NkTN-&CCqkF9YXS^k?(-~AWcww2P}iQ!`J_^WZ<6Mc8< z6Z_adc|hcc{bS1mqiy|{3`Mr7?6uTtil9g}Xxx{OnZU4n&o55~544W1^Uso--lf{{Szr0oB*}cl^!{HEZr|kByRU^@jK8LuvTF@A$Uv~$ zS9BwSb_F!m4KBs>nPTk$vtfkg*j7WCwuUchrI$wzi-1+L#DxK*)^GJqW}lC;)Weth z4YcF5jEz#CtKSZPEmC(ZqAduHatsP*s8-dn6mTqVOHl(XP)0^UX~ALO8s_0nMy*%S z60@MSV(H$d%%@Oar*OFcx~GScox9w~?x3jOZQ{wcVT@`McS`p7qsdx6EqCItW+a1t zNo15?-qtfdCb+IMZ%m%X*Yv!mV#Vjge+Fc1iQC z29#kIt4++L(+A(ob`;)O-bbTLs^OcrQ@tSNlg5^fPPM+_(tB>7Qf(B;7jTp|zRt~M zE1^|25MfF4FN)`0f6GiYA}&-d{{;%US+txnZ5&pVJgl%Y&HjL`DJPmt@u^tW{A#k` zce~yYmYfu=l*HU zg^GN;qT<;;K(HS7h>F%=C74pNx07Pbz5*;jqpn+iD+K{`Q|%Plva)2|P%%Ag>E>)u znzn&_l|4DVMFT(8oW;nE7FJg9#-#Q~KhttwbnYfg23r{r3G8ln5iIf$xSP^tN9|ma zcdPWC^>c2)v%J~0KqXSh{E4{R-IWrt)c{2RAy|8WgPrV>&jYH;jBO-l=gynJ%2lD+PLvN$D3i=ru4c8_#-_UK_D_K7mZj&i5jH>WfyF zXIO`fha2Tfc#{HpmBQjK72QBd|$=e2vb zmPL8B>l-Z&mRtx-xTLlpiMvp$&xkX#npzO^ui4dvAsV;{ue-2De5HCcZo&u_RJXiK?kW1t$dmos_s19$6Q7)pmWF8x!OtUVZ`x2EX(bZ& z&GvN2@U^hND@3@q=8*I|HQIhwy)+i(@*S|e;8TPbCnkzIly*1!SkEs*3T7i$zCJI1 zXTreb`D0L&Dq<8$t!=DB=4()UrTu?iv_*r#^{}j3d-e{+Ilo*Ka#cetdx?37Y%Ly_ z#yfk4cMd%nB2f8eO(=nsA3x2S(w1#DrZBr}hYe2ym6P!C?+FctY-1R-?IS@x1aI{w zn*CV0|5wwVJjds=vogtU96v@*BT`!$cKtnHOLP`FHu{R>4|q9Y7M5e=K6=@jj)771 zs>Q7!%6{Tb{CcBWI>-?8`l5GZu~K}qYT_SkZ_5vGd-IPAit?AyFjDYlsT2g@itmY(DO=#Oq&`-fsdS0Ja9aWkVjVn--POj0GXHcuj^2Qv*=m@%+%B zMwd!Tq7vuXXzqwBExP6=u5SlVOGPE4sV0b*Iy2%zna0Fkz+e?#ZLnJxZJDOgcaT`I zjXDT66}Erj73SJB4ywy+|Gq;U7nm~E5RB6{{(kJ&|2k))JLH)kkzrb;pLs>snzQa>k^(pHy=R+*oP) z+GF}EDaF*73#P(YPr&Uqio9(}ya>a7$@%8phmII+naeu&PG9u08`6zXUAj2dm 
zL4EHeX}uEoIk=u&*u?|eBE@$FMt4dV`jD2@!Ow8!h$O+J{S>-lkeQ!L5JpmScY0=S zF9hePJ{j3}9X|&GP=jEb-HCTkgPRjqK9woER^+^S$voJSTRT9an8DGaGh%gztnJ#xpK{-R@tjdk*n9Cb4 zULnFqi(H?%gH@V9A@u6JqkFo2N;%cW$&^8iM~8ENA>9>J^6;=>U*a@o|K1P^pvx`T(Ykl8rT97p^Tv*?gyUOk+i@nN-p5IHLzfI7XZr_Y+HP``DHq4WS1l16KQ_NcF{vU^oy*MN0s@=np(vsFf;thD)NTWQ%n-@jegHF=>G#~JsoOTmg= z??s=a6#c|TY(mwLbFk#3a<;gzlu6=C5A%>miS0py{bd}Xl^?(vGHYdtk?_|+Tno1) z^@8H^aKiMm;>X9oyTkYfV@AwWV{g}3a3w;i`!(cySHxef5mZ=z{!zADkL0#)4BERLcN(eiLYO$7({{2Z8`B5% z8|_3^ZQ>@fMX}6N8fhvPh75@_nOUOxRtduVHykZ-fZpdGs#t^&AuE>Dzq1QO34~0R z+2yg714!?lXjg^KoMrk+EsfsJcOA*fY@UofU7kBO)Qyd%gV4Dc$Rp4PP*$2=&jJi{ zwBVp^?L*gdZ^ZvlFk*!}m_T4GNP_9Y1(%jRRUiQnSw1l^PAe$3coi{VxdUjKuMLZR zzb%%)OL=;0w`7f_!hLc5zvT4Kxa-7GanP^~MjZhre9?ASlzoF;pAo=_5!yqq=`B&^sZx3@xEZNuwGAc;qgCH#*Voq9;BVf zj8tQ6#9mGOg46iu8lRsWOsPD`BG^9v^-l9x5kR>cK%d=xpXxT;40r?kC2|Kze##rC z0#&;Dc+R*|qv-i&4cz&1Nwlj9sKBna7;lzpiT_j^>c1~+me|4`;_~E&2ML?#aaah5 zqqFq4262G(jNlAguxSm55N5V=M`JDk|IuL<0Bg<%1CML8ECmcf+5oqpd1_9l zdTMGhKksMIJP#qu41ApB-BeDNKCH}8jnT*LeG6dng-wbcdC8`DYF9TzlPO$RIt@0I zsT1ob*To}>eeQBi6O|$8us++#&3#I!G90R93&<*D2?mxpcWxyPVDVYxsROXjobV)u z2F^@9guU!K-gMyGYy15?ojq%F>Kzo8$N8%G8ykQRp;196?-{=9%!5Me1dX3H(wHOF~$o~e^bgU>B9PLh8 zG=y~BP^>0l;2e;p*|2RYJw>r+!C(1SwbZAV?WaNGVE4S%m}8bf(L~Tv!Yu zPrH2^*XoK;ji9n$p7V0!TKgJ)#LQ_DNPv_BlWXYdQJx6Ghg$6|etkCjeeA=}&)A=e zWf*C2vCPvq=IsHcl{9p>FmV=`+|GcH#)^Uxf~8pAV)ETN&3a-Wo~E=9ShkFCXXfZ@ z1?C}gL-x1IaXT4D`Uyxor5@>p#r8jUlPV<55c}Vav)or^l z>2COyiXVqV=dzNs;5-J?cT8n;;k)v}9}7Qh09I#=&J$eB`Eauoaj;2p7z8PA6JA^Z z7w(fcv_C#Kladnf%1xlqn7<#}KOX=$=nr(+Wq}BK0xoFHgp8~UsrP#fS^{jbukLAz zf<)UHhJej@-ol&4s;E;{89lXzj%xBj#|pE;{KJhLACUPPy@Mcry*n8An)xNwMnrkr zIzQHyG%8l@9;6K?2M_;k?ydAaVaZ}+B6-4b$uPLjSv=1Jeyz*Cu#g&UQja%|!@m>` zFmjYr;zqPCRMZtEv0gC^osCEij3)$zrEcc$2sC)nOmM3jlo)4~rI9uF_R?+)eA5lq zvwu<#ZG1N`5qkG3O>~1JokrOo5K;?^6MWa5n>qYB;p*yUMKGh&G)zXo=GZy!0?5^P$MY^6BZ@MS52*uReTL}@cHdyEEUs~3^$> zGi6>3#{JS5XSG@SEA!!@tM}I2$JXyAMzoaJV7n5lkq!nWepk5tV-MKDH>_)D13Mq)-`zpxvQ==jPZEisGRyiC~Em& 
zp8RHJc(I&%=`m1{%zgh#@JFRV3vdIwK(^L1=Jc=b>=cQ@G^rXO_Z^R^df<+xjkV;1 z`t7RKy}K$SE-5(?)?_-yKCzdI6&{%DAtR_c3QOg-ID{%w#^Q1Syoopa)?(rJkTmO5 z<3;tv1z<-@i;&z@*5PwTl`N+?`+08UQd6_VMNv#8Epj<~i1aLdSIEAe?3qH@ za^A4s>vK9E9Sq0-y`XnY%=B@n;eNi3U%u2Zokha$=zGytY_-}q*|xgT#Paqy%$a$; za4BKFmLJDN5DzhT!Z{?GFw?ebj;NSg(!hrpE*ltxCD#mH`CjsR4{cC6q)=H_a4_M# z7rygS>d0gj=vM5sd#d*(#f~BxBy4gv=kyl4c~T~ELPk*O*JlE?=jz!KCpL&HSMX;_ z6V}r+O|5`cOp-fX{mf&CGh|+nVv2X3*ieQUR&l!yWcH@bpD6<};+nc0gW=N8=Hz_xe<#{ekREl$sspOr3+X~m{;FRXE4SGorGbPUN4Eq?Q>VZoa zi0&bb6$8E6O-0!coBR%TVenv0oF!O9uQ;@X^Y!lhB{N+4(JFEm*qld){E;c2kr>J zl`T-LEI!%jnkx+XoTb006*}V%hLL9xHlIBnSbn?NG#D}-En{cf7&jI$?|jsTthMHC zJ{*()wppC)i2y>5CLPS?1wOHSv0QE^hRd-|Nj zTn-<-^dqm0bV-pTW&zd?c@>*1QxZ54{3ZN+6zQns|8PY9Y)rpTT6gxu!71+=kdP{C zL~xUj&9%4=BVaKV2yU!?QSlMQjo0);dm6Ej9q{&%+3KK5jz^wcIA`YnHs*gFMpQC8 zo~+xOPO)iJEjAm&IVdYk4Yn-b9U9{AJ|qHKl)Jh|TpBEF8+P-8mnXapYaoo)D3Y1h|sWKan z@E^S$%s8Mwim5683H$$bj{p1Z-bHmL<@cQH|E(AQ(_$+dVA!d&bawn>i<1Be^Zv!} zA;0rg|H%B;EkHIL&DdQO`llA6@71-_ zS(3&87gUER@IR8;o~TzI&2)5j=KE;1?EB`=#`XIl_Is|Vzh?e;T<1hg`~M!UKYeO3 z2gr>(v>xT(3F-fGh{J^@PwnOY@uJswMV~-wYd2#4sT=RofuTP&G5B9s{lP$_g|Hm4 zOF&<(x$wWw{`-)bV!-Xab5r3T8Kq*j0MB!pthfC8(trQ+&-xJuhW`HlABuzV_h=!_O*QE}jaian0zNu-?rRnNZ5Q!>033GDcK`qY literal 0 HcmV?d00001 
diff --git a/dependencies/infra-as-code/bicep/modules/hubNetworking/media/mc-exampleDeploymentOutput.png b/dependencies/infra-as-code/bicep/modules/hubNetworking/media/mc-exampleDeploymentOutput.png new file mode 100644 index 0000000000000000000000000000000000000000..0673133982638ed455ccd1938e2fc917bf48d1b5 GIT binary patch literal 146504 zcmd432UL@7*YAlaqM+C)BF#<*MI}lvf=chbilK!NT7vWrDgr7^M7s1|5=wxG1vE(S zge3GHkQyL_%+2$>&o{o`obQ}<=FFU#do33$5bt_j``Y{e|Lyywj@F~oOqZDG=;%&A zdHhh1j_!mA9o^BhCyoQZndPuQ1N=DRsrN{UuB?-L0r+stK~YnYj;=C}dEb@+_7*x)(>U;{@yrdSa(@WTuuaDPwck=p`Q_nUi zfsGj{^-ZTb<0&8gv`qB$^vaF^C-Bb}u2V-oyo`Ugvl7REEBTKt_{}w&fBQQ35$6B+ zBOTr4=@TY@e5AYb=rjEvpHDoXXaD1)!jE$me|)4<5-ZWpkgF&7{qf7-Hzm&}xuLL(v~ zeC(93fj~pOeSJ{s-d57vw-Ygco^hgX;Zb(hlI|*S`x{0f*4)n#D$(rcYW}$(;HSb3 zqs8Ee{(b{>4UL+bn!Dy`L@5{y_R&|mCLz%aJaUl-4@OW>oPB$e=tkZj|1lVQbIcDf zo*42*`CQ56(L9vsLBOAnJ5e7v^nUJT7L|(7j38W8gGhw+(=bHRSa$yRA?Nv+Kfjx+ zyZG*GniSllyxP9QqdW?mHFk#KX3a9qSpC8J_2^f^A7`$38aF`Asi{yaiH@W|>O0D* zKh7oenoSlf>&I>?)_aDW%SM!v6f~2?O9zhKZqUzWCqvg<)*h z%Z!wl5HrvpNv}3;xO{)b=GyItnTnO}ob615EDe@c+kTDo zu>#wF4?-2Vp&`|z#wk^{Ml;|nTC?G z6nCG?>;O+S-u8J4$u%3w+Q4U$|2pT(UHygn(2dy+3isVO>$%RfQu~e%M#V;=OCuY< zo05TXsFPw?ZiSCL#rc%zzY)XyK|@`=9hO>ZTHR{jl@8UG+x>J8Mi?{C-WO7*xGoP@ zMvNA;L}nk!OH?E_2au>_V(mNXW1q6?)JoIs|$L5&&}!8_=|jbAfDeTM)@1N?7ZioDbkW=TC-xz8%^aSi^rJb zUL!AQ#-irK_Xy|zzWFocjV^iIV5vDirr)VA@2^{{quVJWKi-*pSC=-s}ai;A&~BK-@#Nyz#| zHsB%$+aqmMs;=$Ga|DRuHk~!m=4oOMW)EFLYr!@|=esMewzd-}=vol8YcP>8ECb1Z zjpSQ(vSB7RjCoXTKR+Dye{XJe^^>oJmq#Jxa85R(QZulzB|I_BXEsGLaQ`_hR))z) zhaV+{HI$%FOfK7)@5#Z#({I~Ff(BjIr+7}5FG_6%`H8L% zdImNmt~?Xw3Z>nv{V|ta4$dI_{&joM{o9!&-wBgisEzg2r|Zqv>K~Y{u>Er;bcyP~ zG_VX-dipf`aC9d!?QHgGHx=$!Z`ER`9j&oEO94VIliyyV+^1BdU%&PuMi-T-F^UKT zUj{X(zI}ayk%sh5y->2%kzsD3#s&LVkO@{^YTW3oW)n85Q(UFSO0V2cmG&+xHLvZA zJk4c4WF6Ghks(j)?d^3LsRAPgO&xqZKMa&x6VsnhzT96ZN-pVdj=!lXRHKEj%a99b zNaYogtxT8OUo0*k^TKzFE>6d5qZpXkr&r@0Q?4jS*5#iwF0(Lor0C~qR7Q(84|g!q z(VbPx&j@UQP@dV_k23Q4+gJzg=7Mtl_qIupjG%*h$W*~!(dax*Di=z0N^>q}vz)7+ 
zOJ5Sz9WKmIcV2BGr;A!O4#OKEoK2mnpsv=}oKvG<#?;X?@|b5FL|^FaLrSLY*5bg* z{`~vU9v?kv{SBu;Bxka?wd*Q|){NFV@XT{Myk_fG%t4`keuI0#eM3o`E6q;c(U1ZD z$M)gfjY7rB@hwv#D68+sMGqre0s&;!hS5UudY4wFlXFeu{6J>;=7A{RrUMt-iMNE0 zKxkOH;W|P+T`C^fXP)hneL=6}=TGw9_7eY+J6Wn$tO?P$Cav!5{lV1aJt#j`@Mmn} z#L`oon3NaVv;M|i=|RycB26+m#xo&ThvUUM|X?D&#O+q)SC;otO%2?b~nNU!$EF zi3l7N@$K9r6BCp7Di0r;7#Jj^0-+G(MXqUEF9@q5FG--5yZ4q8X zJxQbz7z*E;hGJ~++$>&SPV(1DVX}?!250(<426qzb0VQQR7c>!t^;VLl?&zt8k6># zA5S;J)qCc1Z8lq?5eQ-cx!&s+Fo&`}N$P26yoQd}{DgnvJAwRe<-evfgu-I69wbpD zlI2tBl(hqJ{OHn+7Dm3BXt9PLsdwT=!DnPQ-)t@PwSgIjoBV1a8%`rYVl+D55@v}A z34_jeXO&ThvQ?PLrj$2t-`ZAIR<3*$Mk`_hsbhCB`RTq`-hfSA?-J*BXHF7^UZlU- zr8_f(SwxqsH%MbrUX>=vk}%qUgbbmY{KyTL-xif&kBfYhT(CE-PfFezKihmW!z;D+ z5nImpdU2Df18;K|5_=NTAqu=Q?D(L0=>4bG!RMbHA=9bs7fd&PdRya98-5m^1fz6&ijsnOesab)~vY{ z4vFMdZ(Pkj0T+f?+ zuvm~Y*5L?#{@cOkM`tHOn@Pwq3*4UMiep0P@HooC^SKt2t$YhpIe@an;KM!0tX1L> zwUkV(y5jq=xKFj#(=mwVOd0yEEtO*sEljinGNu%mR<0jH zUBLT0Yb({q8MwFw(zw#h)7r$FcfN3$!wpA*BMMaU>k_=&lUJ&Ajf(>fzEi{Ssm+5) z+83SfsDh9gye?pQ+5T4hG2*YJAgM1R{J2H0`tBmoFG`M^b?@wJ?{;>cz<|6soT@7# zuXK0zBn}yvUi)yQ;DY~JUCZ{={LN;n3u#c+PUDU_`RhhA3>==jc@PbZ9=8pl6E+9x z4(vFN(~x|bh1s7b|0eg6Dse{-ZFl5OY)s=2iEzy-f{dqR?%@dzc<0YomV}3yuFSvcC-Gid&GP#0x*P+NRI%E_s)&%a07*mU$GdA<6?V^^)D zQrbjD64EnX#ZVnpCso=g*fQWU(sgNnjb_15TaSxs$lny!)9|=MynWElpmJ;_Uuv0) zJE&Tvm4Bq@XHYeqC_A%_7Y`WmM%iQK{jIA`6!($zhMf4E->xA=`n-ABShMNk6|nCz z_0BO}GTrPN^dda%*z224Q-8Kf8#}_TGoh z8q1}iYD=!!dcE@@GuIRFS31c7KgTLt5G9@JT>?xmOeGG?aMj>?(9N#Sd)3g5FE ze}{!$^15Sugz3QS2a}pkgKh5O7V$NK4{EOcOAr#~8h(_H&OjAw#wMa3rUotSVCCSL zqrcle31oUqqfX6^Jy$st%#z?j`eF1(Sm%8Oa28nmD@^QbjKxCC@2gbjpR>A6z|13G zq4IyR4O#h>wy$T7$M)nr^3yLy0Z+EV+qeNd`#gn(WesAImIORo8K(0(`IX;>M6Ex6 zIR_M!iuBS$os}~gr;58>jt82Saep}uEMQ&Y;Ipr>40mPR!y_KGjut&RGrY~#*C@#L zDCC0qY`|iG&{^~16hqip^|ys8yO~q%glat4=|zbVj*Cl5=&kPE%iqe4D19PV^CF>^ zo8U^DMpsZDxvw~jjkp{k9N_O)(3zpBLF2f;~6xKjv-Un#jTbDgfvKZ zbtOf>`9h@urFX7f`&wH230_1((5PgzixE~M6P2nK!Sgut%P10J`SO(w)Htz3Kn=`i 
zaDH+o*%|@00?+Ane^cSGobJ$7AgLlxvxyYu+04S=---yT#`!VSLv`*hUKJ<#~etyh@|`%EH^GB!2H<{eS##aYfl=r;*< zm!6^2oMi+0EX53*C_kjObnmG~rOWX}6S?)s^3u5gr|*#~IYxUZd|PUDa8lvG!6}I3 zygS5m!qRVtvVx(d(M(FV z;*biU7~qTPtyte=UXHw^$=rKzT~c1F@U{rBo+83d7c3D#{1(trOh__Gxis66IyX3%&(&u(%SYRZO7mN(ca>!d zf3vx{xzDu=jJ2$6R4j)23GoD|C-D@l2G4#*z;;R#ncyd8{<-H7AGFjA=`n)p@6=}x z)6sdtlvw%vcMBs4s5ZTC@Fkp7f;QVgjgVa8_0#A5CL%a2DAihNQi!$h95`d^fEjwx zeQ3uk#7v@bgNO4dCW4uxq06rI^;(`%k!xfG+a1w6{2=jm#kWJlqQ#^iungq2e3>~e zwdbN!o4{|FU~OQNACyK1OTvX2MiG%;m$rGFEu+LL29ulZ1cT~2ol$Z>vnS&%8BtXn z2~ky?pICgy5*19S14PR=3c3$~yf$E=76m>Ce;StF+%?urNbRdleS3Rwxg^LWS$fvA zeS-#uH&{JA*+HA97nKO06jU9f=+(9v8c_;7@%l7Oke7M42tC^sKQih|?!8w!bB$Or zf#*5Xw(&Ew_UK(WiT& z1Ra%UZXohSk!i&a_3zGLW3z%U1R=tmx1`Os%Susp1KI?$_3M(-olvvVs!U~Ahnmv`TYBlXZThmZVTYcT`h#Kg}FW~_8iZk?dLPs0Xsc$Pj)LKHFZfs zuW-{4oR3J7cv>hkWDaWr&t(KP-{9vr2a?g{^>%UZ6eJ5uUA(EEL0v#NxpVc!xoaiH zfozG-IY8!4VQg&xkVGSgWbeWM< zCJYd<-yombTSbO(6De2AJA!t9XwlYgNC)g;{FT>+Jd=X#=Sp^DR^dJ^OFcw+SpH64 z#$@U$D{*~gfV{g?D84he>pnr+xg)Y8w`!@|D5l}lPjb&4kUy|*@A!!Tp9fN=k-V59 z=$+P2qg`=cHE9qvi_|_g1u8XJJ5X?#QKus7G|sfk z^PH>sq*x$e^R#o=YP(Mvs>VILpHsW~+^Ft91_?TV;Su*KVGK8qSH{t(fq1_4SxH>; z(*_bAg$0DphAS&CQ0(zzzsOA=rX+3^Oe;sOO0%cEnWQw=)DDk|iZs|?YahNv^e$uS zRT28CTrDpP)jhcd-DuQa9&*sGSRnU%hv8<2;(R>+@+5+>N=J_OmRVZ){H%I^$0645 zd>N3*59T~NQ*4PwF+bJ06((R=?)pMlM-kMP7-QR)ry1can&G=xC}v`dZ-68EG(jW8 zgYDY=U`E}~zykg`D^tSIyw(*CuH1YWB%pSdTg2g`d*srxvEa+ObiYp5x{2eI{f(}s zLLX?EP7QjGyt*1n$1Y-GbCi*##v$FOwTT@4;>B+QL;mLoV1Rr9N9p(+2S+&eWJk33 z8tRtSO){ZpKR_(Hm+j(Y?Lma+c3I0d0y<#x#d@HA?IL&iaGqg0^Ps-o2v1g#dvGOd z_$&{*eL%xOi`a6Ieb$6_z;QE=XP?q0Q}gG$B_sjW`Zt0}&Y@gnf78cj{v~-dt8L37p09v;eX&mAfwt!%+3fN@LBgU4rVdg7EDFlld z4&HMlsfmF#v;)o=<`Uv8$Rk=tcuUCd)s+lW<&W{WaT=&2#}K6%bDDzkB!`CvCE(SL z3Ry)xTJZ(hn-2ykte1hsVw1;t;1U8!!UVyDF?HpaFJ3zVcG7WrIsYw^UBCDxAY&nq zrv=P?a+&)IBhP|eUjWj=wFb+{?NW&m)HDQ$B~_O+{mhYjKKHJutKSecKwYUclrJ91 z!vM2K@PvF~pw7t`;r49}J|5KwTx_Deul~lv)*B5&vZ+Dhh|`8*pMd1B>2GN@v+6mJ zmO*E*i7T^frL_cS<;YWOdDA^HcDW-|Ko)Jh&5-a!G36ZVi*6*uIJtBJD1$cgK8TuD 
zeUrVN&-LR&S$;q3^x4Plj*WVB5K7?I(oijsJ&%g!8ypH+QK6x%tl@$}mcQ59_|W_m z!xgM{+8Bq0TS(JdE0-h~%WAy7=$0cn1PE&usjDA7JKdq8^2nA1#iv0dr-ec>%i&eB z$BwrbeG04MybB%e=h7d?3YXVZ+O@Gu&3XL1kzDuLl)?5>Zmy5r#!mGMU>Fr?DBk4H z@UOx#Cf=q1;k~g^;ADNbTr<83Rra$T@rDGJ`SBCEx$Hu@E88?&fg?wCeB#R=Ub;XK zzWX|Lvod%0Kw$41NV~_jX9b@`GVjC$(jbF-5%xp_jXgiG$dA!9*9l#BU|JfAafMjB zkdg+MfANb-l;wf!Y5neFbu_$KYRle&_{c0#Zaa_r{c@8uK2WuFsH&lvdWt!2GjEzf z_^#}XBC$>YrV;W%lwyisNv_v8g9(!G!ldvbpzl}JSm)n!W!&!t1j_Ba_uq%04jsp3 zC!~#idW^xjy{DIgp0{{Z-znYJoimF+V#kyQ(;W#r6g1&ue6A?5_m0xWv}I}jpM#TQ zL1tU65jnrSNOALl5xMDW1)#jo+idb?My>Y6Jq2jyo#FaDejL}?%Ts4&br2DkPNPRw zYI4QGlro!e>)7Ylkvt{>HcE51w)&$iW)F>dz{{#HkO_08gN;;umkmJ-S$dBELeW^C zGoV6M0YWuFtns%}azm|vEE~vs#e!U81sJr<{_pP=y4hJdbE(CX%nBEx@GgMdsga+?giziGzF@r`70tN+^K{J8y^2qzsmtNA(s(zg zQnOv~<>_zn$43U5chO#pPR#?e<<{l(>dlou$mQM}hR1Tph`*2{fCe8|FTNoHJg02=+In4iJ$l_Dr1k!3e8 z)pdPVOat^{t0ukb@;;DHe%GT2DYVeSQ?ZKk_CA*xG#v51m)yxKcy>S-IF6SI0!j?% z_VNhf<6&%z9KEr4YbgF;ao>p1AAvxD1}rXzrT?Y@quSzR$k(l(`%7i$PWUp!dZ1H3 zzj4%hsx`)QhE3`1fEo#lb47O~p2MNN%iDJ{QTg=Bs)UHYTko zGr}PwU=UoZV_&YoB&kF99Z0GzQR1TcGvr66H@{eL?%%3~jT$`(>&&3{F0KM7k5765 z5WuLIwqi^47vT9t{ZWYTMR=ooV=bxi_?jKNrAbQfPmUgU#KLFKF^U3le?JVGAuk=& ztbi@a434|A7o(=V~bOt7bpHTKWtXbq{CjAXW{!(Fgi-P6+)3)B(t%^w{d?wltO zCGS^Il~Z)sfSP(2i*9QCyY1U3qaq}qOiNP+WuGpYlzAQNmZ45e%J@dTah27tg^Duh4?Oe9G@*>C6lT`Ko zB4mNzmB+{87-hGCX6L6kj#i1>U{oUs;irHo^v5au)?v6SGvd!w5o5r5k&oYDd|nsREi~fIjZ8;>V?At|7$Ze zuOl~DANXE-t0=Xm{2fEm>6d%*@>P}C+S>QX#dGHd^PVs-^=-XZ`pOski}~sNEReLG z)y(`8CyGdrvbiEFi*L&N^ojdjCIeI-$4+bh=K#RZU~FOkjVqH=Q>B2nz>auP%^-mO zlC2Ug0?0L7`fCQ~vy;hk@88c~T(z{VPw{K={vJRw=f82~k6rxGUkql@?N$O3e$gve zu1tq8Ga2aEM*!&sU%w3lMwI|jF-qJdFI4a5}5^pT6=xhmrm7yuklVu!#r?3J&>U ztk>4ojA~si)gM2usHnIFb8(!Woi+3IZ78+I5F{id8Y};~9l*~_2_g9B&`>rrlndv& zLPR!eT?HW5hW?4l6?{|Usd)3@gY(OmFO!mz>>)#C$dVEfn4055RaG-JwO4?WfCGrG zLui1&`p3R?M#BBdDY+77Jp@A89^(2@-!bBU{5jL(@X#36Z&@ddes91iI?1_z{FRO| zum9ipK03A=|GGeJAoKZ$>{3%%c?4ukCBO_J73_fikc% z*5-bFbht18>gNhuRPv9y4}jE_UxG`+pdtOcC~J|Mg_VGFRt(2LkjRE{FhC})%^naB 
z*@P8tAbfuW-PCp|HCU4JY6dLxs{3!Kv9HyuuEBOj8{*8IfSl*KUBH(wB3qjn^EmX7 zDd0i-T>DF%G)$EGIIw2nHC*SOgLa~B<6!2igr=tYGuCO+-Y6h%H3MYC5{IsI!tkrP z)dJ(FV5#HuyZLN9hb#$D6m1U}TaOqTTh4Tx1`^+@#erhnn=8u8sj%kCLl|W{90RSi z@3@pI>xYsBEYZP6A5YlJb!J29MTNxvK_+gmvQFt$8Q4o~7L3>|_Qrd6eP(ya2Y@^z zoq9j1d5bV!IKq6y{@43+?~Vw>6fD9^I@ngt(>mwOpFgbm%RWy*i~J%t+ZSIDk&zg5 zzWZPlaL4`BGaLIC$~%J?9^gw^+Z4WA>|*BMpj zxdlwFchj)Dhl3)xNa*U-FZdd{g-`Lzz@;HE2V3QYgs**F@-&x22?g{#I>}77|BHVR z1>n~@q!7!FXJmc{H*NN+mt6q%aQVGwm+VmU!5)O`o^t|xzPkm<)t~ujoj*)5hyFeGaCvfCn`FZ6L|Q0i_@enCgd&=5b3qhIcaC!*-JXJ8rO*qEdhb z(kSf1f@)-@%N1_@&v0LEw;q1GY4Wss3b==SCVl!ed)p{?)##Gfnn}&e((N6cHGooK zK3FD7Na!xqnEQ*sEn>p68V834-Jb}*unbhcRXoy&I{uYI#YlRqUmqAJ^4jv$8ooAW&@FEKxUJm$LZmU)^-sy~$r2u`1QyvHV_ zngI_A3XHe17|G|q$CXGmhq{B@-uyLORqoT3RX#0JL9f6lFiien$^^Jfzeb)Gm696e z()R^K5_rqWhR(xsCq%$(=)v4ayJ&V%k3O#^%GT1Hs4m=a0dOXciv2##!MkpJ`TeCB zw7H2%9n^f^8dnX^1xa>|3fhs{{4NcDsTHgJSRzX>;Vvji6~Z!sFUi9bIudlyl}EJf0#ced(E51c=D+TlfUHygWx&&a-hvm= z*3uF)qCb+GQ_~SAw^xAoT`Dar^8&yb9?xI52?oH3lQFh%kFfM3A;ogO6d4v<2o~Py zlId%W<6G@``>2I!@te`3dNtL|^vp0&GCbu@%-ptr?LKT6B4E+ZW+K6!s%G_ z&)vQ^1_7*1zwcMxq(V3W3sGg&Vn%{pAox(s5Rqy406NMv;eR;k6>`@P#Rjcy05gD$ zyc5Y}oNO1zc!gZ{0N9?hbigQHKZGqA1g_t_*{)pi4KBMUHs7AKD}NS^|VQZ91~ z07@o}IAkDis3)12nSJ0&61QH_+eIu5cBDdR`?$VLa!Wzy24xik!_W@UxY%uL!H9hA z4A&tG&lu29OD-uXF+F{M2y*~tW*4adD&0Ejps!b_*NPWQn4qsKatxa&Oah!}RCxF? 
zSlK&E|F!Rj@``tCO^NIKt`GOx%PUZ7^y%#VPU4Qk*8Y+w~Q|-{t|Qj6yq%gh2e;m>cj`Uoy@=3&i?(0IS4P z<-mUvapUwnXTk&3Ng9xX6bTR{| z-;Lz8a%(8qK!l$CpzZ%t%*`;!nlcj5FXYY3m3F^3Rrqj~g1C2jHbZGENj)-BWO##x z!J;RRz;BZa=F`-;8lW`7&wUOMUD&CSw~Xra4kHXX2Q|Q(;i%NwuSjcv{%qkZ8I>pH zQ_6O>%{S)nd&!s$iZ@&NElGHVzjic*)V^4NzNl8)tVNFJ9F@>2(&WMp(}MjVxwBkZBTJVBa07fSN5Skv^dA% zIRrB~U`|-6V&ktA^nT;KDiY%<4dnMtMy#@;+W=YFaH+}N-5upQr-iF_h#M%-{i-Fi z_HgK=rS6t5pZ{+~KR{x!l(HsVp@whB)F!6{B4bTfasKlS>~ z*jBf<`j9pJ13V_(XO{CY+Zk)jp3;wME6~lc;8)br(#qP%q@McZnJvK$EEY9Do(d}O z3>oYLSU(6r&4KuVdBMoA4v1RAKssjeXfMQZtgaIB2);5lQdL!DfqsOU+iPlEZKhZ( zysTO;*T6}b##d1Vr+2%R&zJ&)ss(~B$oyeDPy!ACO!9ISGq($1WFY}^xd%xG zFi}L*D7VxcQ?uwOK}1tp3HktOx!-pEz-|*ZrI6W3&p5dhd{FumooRj+s^B|x} zvYVqLz@!n|Lj*i_^&XIL-Q&GAdTBS0;rP*n>-?U{=90s2s=f159bkKx%-6mLtOS@A z*wt>`fSEVhxmEy-coNbt)x2B^G!^S;CmPVE1K5#-F|0(!|IT6_r}NIUT93^ZPraQY9Mu=0WLum*T^XH#=+&pj?PJ+!_*aqT(iK!NAi z-;<``;-Q-zw*mYKSOo&x#m`jA7g?4B^mlmC z0+(cBxImroG4k?AAH(sT1^b5dP=mJSqyT{77>j|6=2!7Dv3C0|_MZ&2o&jVrkGaP! z48$N>6SG)%m6__)*4>GND(iyq7p_&}7IocXO`CefhQ&!}LQ!>T{@JZhIonT$l(hvG z%^=+rps%JrpzrqX(c50sSh+n%@2>|x`7?gW^UB^Uq#DjL%FA|)V1j~%S~5MSX|7J3 zrE`Z&UmDPw!maf;aR_~kNuJ52Q)G}55)P$-j4&a4RD;ZnP{vLG=1sCs1t49ftlS(v?Tyso@^R6s>rA|r#fdew+1YJzgvwg4W(^b z$c*2bBMI&gBrD8f??nsw_+oari+PRw&EkJpNRQOI%)S5kwC~kvHb>Z=nYohGRbBvx|RO_ zk}WJTm(zK=F=aXD`+pZLZ0BWoULo*&@&&K)4vXvWlh?6j!Nl+lLKH|vIPaf z8DTzu%U6u5AXm7)v0%`EVks9EaGpIwj>1-5LVH;}8$GM<{>0%}O_1;hYnIX{kN zS`{TlqHX5O*V`~KoSd(_sl81VCFwek7ne7W0%ewo*HK!cv6Z{_-J*B}?H_`UnKj2x zT^!%Oee1L0+(Hb9;8ys4D?F1{sHp41EK4fj+VpkSNjbk?Gj?dj9nSx;T~W0o^owu0 zrPz*T1}6fXD=z0{N>12 z!fI?hr3RC1sZ(^j%j-&48TlSo;-p13`YQ9IdES8f+Uga z`nV;4s)S>@fY~XWbffSt&@^W;aw=#y;f?Eo@!OV+P7+5!tZL(Mq?b5x;eQurKX%Vdx%=}&Ne1zs3;h$22#(^ zYD&^lMT*SU1En1Y)<(zUXme7#$w4yxvVvA`pT0}oja{=A6S(RoFACVY|208LYq(mX zRjY3K$h|5|;l>g#;{UZ}!zWMRQ4 zMRKb@J0tz6L2zUhR|4y^?EKA8%dU8BxseZ&(8ctme$8E*4M(D(pRaX-%48H@pa7zI z;7DfYDOu!2mxg_S2`kg83B8$cPKk9oi)$O(pV=7~pc~)>G&^wLEtgjZWHrNxK)W!& 
zg}1*(Ou#j$2E&J|sgh97?sM;2ZGd1}^v@jqHTXErn(y0wI9G+y;QQE)*ot@XTht^X0`M_x_e7)};= z!gu+=L zhnIceHY{hEor&qCs{nT18X2qhjP>-1wc>$;yU{NSZOu6XOhw)+vhHM!A7wBr_!uS- zY`Z#`D5j9*8`kOi(O{#=_~vT>{r1+Ld-QFfX7M!ox&B6;@N=aWiQE9JoE_DlTm&sV zDw6>0y)wr&-S)7xQW+>dL;*n#{Z7cQwzNtGW^KAsa`lGp_RE+%R?NPoo2!ToSVkTB zq^56!P0D&v->wXK^#&=Kj7OHAi2B!^8_r5 z3jl`Ve;B1rt?SJmf%_L9wE&GOi%Lu57}Q08Mk~Dkp~^KDGgqbe`v=fIv5l4BI$a&Er>7ft z%aqhsNfg#o2p#2V*{K#TT#l!KPL|hIhMZSeKNe@6M5?@!N+6wJNE5Qz{K72ml~UD@;Ffsy z0>lO+C|M@2!Wz4N`hX9ZA6)G%v3f?>Jg&Qvdln4tUWW&4d}n-6EZDqu16rOf_`Q*y z`O=w-P@v_j9WH?2s{D1{d|6t_$NIm3RyU-@jz;~Dm{k&g6@mOnJLkfq2L8H%wW4IHNursFTB1qK{j0ynLJc%ZuWjYhAYd>;d|HGDC-!J&$yv;zTdyBAJz)72k`7}Cc($TZ zomL!#%H7Z1-`UNGH* zi%Rgn(*$sSYV846Q$t8ef1U5B)x!3fB%2#2_xm4|YOTJ?u4xXr!N!vJIdvYs*zZ1a z#&>hx)*BB`W|k0OmIddFuwJ;SQDN>{{~i2Ar|B6uy*tJQem>#4iGq^T!jqo?rG7y* zjf>Oa-lI-sxni3D(|cVWR|YZ1kDZ0|9Gk}$08-jqz)i8;5+Gp8>`_%-^Or0D z!RJt|u4j4Yir=ZJBQ7hODI#e8ecmagpFdOOK;@#A zKU`uqG|e+oAi|-?)H;az{?fb3Dkqt%BLkvi479YU+2Tm-q%}VtoeJ_k&E+%9886wwP*uY?5-Y z=a<#-yvC-aoKCnlm3GhrRm{*RKQV%?WfLpa4VRirL|M0R-8hr#pL`z&jIvD6bIaTd zV+-6y7l{oCN1j?6s9oEU<2Ys7?6VI*(JpiYTyXCpHAOBV@hq0D|ALA&oXF=spUUHq z=9;nq@J;@DfGf;yosV4oG+U>^!j>g7Ck>fXO{JQEQY9ru^5Tl@y*^ya(HrN`qhBFg?xPF zGDHXOB+uYCzk~K(T}i)hki^K~3Q$%L$~INTw+tP^u@+cyUS13%@EEbg?YR-Xclp_$<; zWfy#xLc3h>XS)0@FzL4)te^BA{Q?pblN9lt6KXf1rGoNJr{Yyj(>gioV*7~l&3Jpc z;Z``Jvk_BI-SgtZRnK_CIwvO=QOLcv)9xv}1~7S(Ct*6epTB*qY+BBb8cn$WYxfb1 zxK`q}vBW)ZaZLJ=lsAPb_Wnhqzz0(Ea*Qm+{PNQsP*lKoujE;I07c-MjCF+E{@LMA zEPha?Z+U}H!k<_ZxZQv&QhcTKbNQV63nl`DGPM{OUOIl56@228v2XAuB)zC#lZGIzV_zpF(sLw~ zD)F#LiH{Ni=Dwc)Ty$@}@8nDVG5s_qkM6#YLKi#^6=2}iEpE?uR)c6uY98O)+R*%a z!k&UTcRKHXg>M%pd;^Ro2hf;XSO8GV5c;W%szwP1R0?|glf=E#K;I)E&!s4VJGVK4 zIbR{Zu^C&~9xCOKayh_E5(`Vfltz6iLUbj{qZQu_d81NdhHVgiQq{#qlmmzC=8oWn zxV+s1-LkvVu*8wlW}jZRU*nn?NZ}!|ZBfrG*yv|A`zcgnW7?~1egec>stc}K_Wpja zQP9?7t4H-gT+Q-E)pOu%k)0`)Tb3f>+ zZ#HIxGtLwcqfoZ9ODOo-b(q@EeeFGt+}`81Z*$8hE<8?Q^pNm2H+UM5Y>%lLNliDN zy?SNqBH7FgoBpP9#W?!!9v$})wl4v5Iw2ylt7sIw=b5)vV#JkZS99XM;~MFPQ&v 
zGRfF911Tix^8?jx7zci9act>d}9tvYXNE0+iL=TKk_j z%=-^p<#v1Tc3fEYcSfHbEg=kxR|daXJ((7#^g1Xno)BA+dbzzvk>mha8bs9OCOQpb^&X6hMIiA zv4=|4c6gb3Q#7;<%LkC}hkZXw=^Ypjbfgf6UNLonkpDFUYgEejQsy=a{vvM@8%bSM!%VQV# z`SF40n5H8Gk3dtI8tV(!#>JC0Q*rVHGRXcX8T=6B2dke+Qc7Dii&J9|s16>KxBYU= zc&NV7YbprvgYr^oKwCNL@Ffm9m#pz62ZtUPnHYot&Hg_3KE~#A@R5jZb8RaYPKoRD zr#%Ovjrg0ZEXDw*(bYowQB8hZg- zRDvNzfRem@1u#&MEfp{zpT8n4Ep9WegE0#J%wMpy)rbXO`yE}1@BNUr`|PE5Fk?>a zR4a8AF>-29JLo6CLRNxi{txcnJ1WZTd-ueEAPA@=5fKxTQBksFkrpNAjAEh063JPT z0Th)eB3W`yMNS4#at=jQBo+loh5~B#i{1UT``$ZuW`66gJ2Ul1_gdYhmCpN~efEBy z&r@@EerS62GJjQg_X?;0oZkzvUC@c2=A_xIlXEep=mHPujAL~Z%5{A^B%aW`oNM{f zT{}UlesKNMYX;3Mj1XH6ZApI|yMer|%M|C@ie$y8=xa+>hin0+i^**p3}NE;cT!Re z>$ks|;e4K9>{eQCt=sxboz>AGZEmQX3#2?V<%|(n^ibYM6u)oS-0IT8TkY}r%E0$>8?rOjEzS|A zW!cW_87^4l;j;NpDjobqBAHtvny(< znxe&ed5H@jY06t%cyrjdwv~st1@dQDSyKnl)kCDbPijwYeB zRAetw9BM0Sr}gvh)f&+BKn#c2|<*^j}X*ofoUUXn*2{jpk`mFnek z)kN1j#!O+$y3zB;m&;eX)Rjw3u9Mw zC;5KKUJn{mtv;5`$J$Dhg01d;G@8&2PR3DY2E8ZDRhY_w-u@uXab=Mb^A=})qVIg) z$FrbgmDKOO9k|ppKk#zytoC}#hKBa$_XqErXm3hZ^oJdKrf6e^&xssusTO-#wbY5s zfvXaI?F;9@IR(yHyCgxn6Jz{*`&BMJ;pa;26idHuI8bU9gu-LLD>fHw6cbCN4mi9k zu3o)atcZB^K83UQVdrC4C$4Tyj|^eau?x|ic)r8ei9K8Oof|~6QYj{sU|+=S^D8%_ z2&^}!JrW6XQ=;p{A&Y1@wD#o_w?;gD?N{ZA=NYQqUg#UQ34Q^;x{H^os_@KzqH|?IeE2@lrz14hW`v#7u}31D0` zhi5&B_Gwde;U&ODRJz&j`ayLM$qYwZ>59`FSz^o4=o|#=aErVQ<2_Ib+Up?!$-`Jl zal^EStP}=qRp!i_CsWl&i+YXh1m10TwZ~hgw2&AI5i2%N&Nyoj`;}|?tG5;d%P~7E zGsg;t5t+1jSo$~#iSUW(Vm+1#*AC<85sM3?JHr_)iE*Fda;ha|I+?9J!Oa~ax>}U8 zSEBHXPWLSS{!-wGDV1<>e>8`X8w{BLZCu*SUo0+7n1j$~0h@Q(l z^*f(Kp-j@s>rdpa=}xpLVr(ZYF%wbsS>qcQN~dwj5|&`n`^I~FE^WrOGP{{I=gKNR zXT!c)`Elbf)%2uutiso|mjz0blv!ZI9q*lMy=81^S?$));ki*Vh;cSBf-d1L@3XE;h9AWnPh5*7oSZx$VJ8vJxvYHr4C< z41Gln`SQP56nR9j4LStO59bdeb~C{i=g*`*4sRs*D{kTHVd;o#n@blk}C;6y)Y^<79jbaZ^rJQ`M6R_CvVUl7^ru&r-QwtEuer zAboER@Lu(HKn+H!wo!a!9o;@J)e6{?KOd)H3%>o`ecte*DDP*>2FBEq=|&}+F{9mz z=ht&mxzZhPJk8`8d8PXy!;8Gu{;xj^|4x6S29pfj3lN%?^~%;(<0&#cf}_Wo^Y=ZL 
zUH%P;_lPSQl+tSI>b#dOwIiBCJhmu2X_n;ldlP@SAKz3`fV+Y6_Pg68!wD=V5;A5)ln(V>7_W&#x{QWvhWY8 zUjrgjO^EaVg;13FvX7B2^;Jxa4a`y5b$3*FYe1q4#o1trZlvYie$H;8Be}{Uq2rJKTaIQ*izNJ9H^5vL9aXcARLn+O1Q%0-utZ%p-`Sm>%6dHZ-g`scVevR|Y z`(&%F)3um3eC*FZ!X^T;R%=k>VL-K94tnTHL{qQX3UcmAtlZx~&6|_|4T5v;6UMy^ z0V-|YJ~S8_=Qb(=rC#5_;x(aapA!LU=l$2GFX+5DC`*IOq=3R3Va=8HsyxjK11tg} za?=)UKgj9$gUVRH_uEaL`2M`%Uv`E^9~=KfXMTPR2X(9uDdp^RN-PGjQEqmuMsRO3 zL%3soeL6S<I+6stBSnDz7S_`~`eFYctv6meU%a)Yup%VlX|_~>|V zsolK{-GXE&z8hUvXQy9?Z#`!b!>G6k^u^gZz_7*TrUtbKVYLX(nj@gbjPZ&FbbvK* z0@Lm5A6`6?dsr&+s76n%vNSn?La%K-x)MzxDt>24jWPA`<+Xk2Lp$0U8D61Cqwck> z0B>6J*S|hf!)Xv%&vd1Y*#uX?SKL$PV2M_knmVwBw6vgVx!HDz;<8y&E~tC^=Z4A+ zN8!qP)iCROg1)lAdZ?`1AygSG)Xae$uK$mS zo3r&*J`AA(r*$U$kd^I6gSMBZOm+WocGtd@_0b{3*G#3a)C_|kF6_&9v@YUZVt4%$ zIZ3Tt#+jWmv*l|OO7JDY7NgO{!>$=_tO{j&M#`PgjKc9G0SOYIN+?D*ko-izkIW#q zR&g1EWtKfACLqwgIyZ#F-uES=;p7?iB+x2gdUx->Cm136!2POfZ6Aii*$+_ZrNXVnM#Y7kl*>wNl5L=UO-V@d*GoJQ4hRgi z%Yg}kV~+Q-#t4`OE-?0i>*Ij-nlLYKb2yLgomL4#CU^JYCU8esZ7xsqMWaXgFI253 zL`hinT?A)Av1lhIBwif^xc)yg)Q z#w3mx8Cn|?jy$(HZYdG=sf{*>Mq)kg=GTmI0S=s>8oMR%y`O3L&Jw*{(nL6JNRIYJjdpbnBv$@KY!j4i-z_GXp zdP1!TSx9uaXjg-L4>&LfZ|E!F+kr__U$jj}p5W1z>$+m$S`&Xk71|zmWAf0B+s~=?deT4$5(o!_Htbuf8WNL}ePjS&olB z93`i_q$!a*M$+1go}W4DS@njNh%u&TZ1_dbba-qQoI1&PZ4ci<#$2d1p~9;5nnvSK zJvQc9e6Al6Cv8vKwvFUEGTMJ4B!7Ec{CZXn*hUzw>h;f$zo{;n20x6>nksh|Zs9Xx zr{tz;2V><%Jr>xULdJIuf>~TX_SzWn(%$-0tlWc|+FQ)Rn}fF?u(3oC-xY)5256sb zPQsl*Wz+J-6^~nrTk^`pa~wN=EePsQAZjuPN~JA`3O`~vlF~G{N1+5LKi-H)d7&Lw zQdpE;PJpkMzU)ZWTA8^xfZv=Fh1l6s+W6sWwp*GmsGA=w?aVJI;00>8BOW_mXWmBG zZpYAF`3cwoJ%A`1ZjT_7a`$W3{4&}zx7&6??F$T&E*iPv1rQuZCNLv52-n=NefGmD0yTrU(?;_?FWj$ z9h}C4$z2*$qj>d3mMqkdKjCbGO%u#L>P{mFpJu!4mpp#$i}l{$%+nk3wDWU z$64$$G$o5}v;HDz(jWv)>~k;`hthv|qHYq=-hXR{fXX5-BCaX+d5Js$#Mn+EzOL(bi;`q9eY4CCVu|0`duhDwu zq7`=hPNgVcDiNSrx~wMW1pRx~O>k?mY&*^DsZRegp0Xm-?xJCk7)|OG`zf)q%N;F`QOOoqEFn}#y`K@vM?bbOn2>~-NY@%Q}Kc+tJ3(M-;}A;DE~Ikw5$}ttZJ&% zF-?7hfaqwgUgQnZRa`Qs`kUvhlEWT7aVEa|lI#-gGM3iC+UIPV!3S$A@qL_s@ZKX= 
zs`oPPMJ<=qp^VA>0kvwq;rCk5)Lxx1U8{w#fUN4ao2@od&Ne;F&r*t@%yRu`Gd#$4 zGwSj%ufF~IN~DAh^GuuZQZp^aavMBs`CxK3d!ba(+2Iu%T)ac3U;b_KiC7+^1A`#fxwEk&Wu@&udU($0iSzliaTEJ_ad_Gx*z zR8vZ%x-FZCCE(cL$Lqe|(P_cz5X9?=d+21K=a@V%T+FxLv?kg9Afx-+p}-p!-+y(! zNOIBjtX}T%bQrIVM&rR3cZcq3)mO*RaVtoZz%-y}8wf$e$Ly96E(u?olyde)tQjq- zOzI~;%q4^vX%&Oa46@7TMCUubRbP4AT(Kl>r@g$_^yZtQKm@gp(7P}T-KBT-9XCG5 zWYUTYtoP`nOGn9wKP|;yO74_U_OwwEO@l=0Uci;Wae-9j{JC=_Ye`?v6Gn zXK|vlKo9*bx4cv7y7F-TrYuf_(1@v`v_TpZHl427&*tP?4YeY;dj ztp=0v)?7^nE~eysrX7ssXk0Lrw@vl7qZn8q3@=K@0S1XrQm2QN=ZySGm-mhD<94Z( z2X=r;iHAy`=0+)5w0=<${ZvNHvl@(*rd*8-XQ;sa_&UFMe;)>oGj|A&$YhTe<}Pnn zW1)rG(&{t%V*;D3J71#YEdG<#=^8Uyrr%GlPN%c;q+=wN;4Yi8HA7s-h^sW$4u3*_ zahQrP#5B2QEs2wyRBP2`NN_$x*r~`~s;|NWtnu zLrsq=I9x6x4XHDAwQWRP%{;eoHlB=Tdvoq#GxQH}e;j6HY zc0wq-)qIQW@xsHmz{CK%gs&Uxu2!&tT%`ad$#^$+E9CY@^z?XGNKrj><(k9pa3~PU zH;R=934Z6rJ=h(HC>{mT>kf;Pcg;#N_cs_l$kjl14S^uRI&#`_(dU$cup|IO^m|$q z8KPAr?=O4-Etl0ma7Aj7R3x;@=Xkjd!u<0$i~#z(K}Ab(krXQmIZlV{{^Xtm7omeEX1Og5ElS?b;-$S4sJ!|+|M1=AZI-ib(@6e($K`ZYO|fo{pvyK<@) zmg(m{!60!KTLC=U3`?@~Ege-veQogIalS&T{o}n(0NrLTwAOFe5S86i#O0N&#z0|k zY*%}?pC?o;_tgGs7LR!zhNq*kl7l!YMz1y>BbxJJdMYN;$i}_$8Qrfc)S3%p3*9?` zi}JuwvMWcD3p96yXUJU!sZif-B4?}pK@d%Q86 z@*O~Z4!Q?HWr_LH_ZAWXP$JjETvbSX-lfQNG%YQJBnnHIX1W0Cs7h zbafo|blt?k?Wgb{?fE|5;=%6<3aLRkYJ`~s88$|YNe=1Z`Fk0!yv)A@w62N0-5a+M( zlI0L0P^(=39%w^k;4_$#c*%6RE{fu`N&F!N3OyB)4?%E8kf3kd>SiCBG}@-NXp?~< z{H$0PjG;`jE_l?d?L3I?w(oE^(Gyot zRJI_1dq~L1_LG$((24I2nx&T$i^n==_% zFe2fbl3LnOpJhmLFdv3yL3v6YfK%~4Cy;ar!lWcoH{RT7<^4#N%{q7BHK=d~FWtQt z;Z8hALNaOsCTNS0t_HS!ENR~Zj&PDKzokVs z0JxkPAGV{kv_l&#m+tsk5;=jSsP#8Vu_%Z|tjx-U;*`oNUl@z}f&2h!y<-yYCESF# zZ4Ieh3~eTluBLpA3{%*N!oyoMe9b8v`+ONfUwkv!&-)t*5rb%zbzeGS%o8mJo?l8^ zT{_ERJ^5C5_#NsngBfQ%bsm!S@gKET<4=~6|5mPbZ#wO+jI+i&+?KYKU+CJgu(aDl zYsv%4G#HFO+USm$c5D9A^}7-Ar&pHc2W_=NbHC^ySOE!o#v@Uq`PTt0vF->1>D^zU z=9?_)RFKHTF?A@>#_G$XY8&3hMU^MS?MrGOVkG4o1SP>-a$Zk-${+&Qi8(K(;(A=E zC^U>ghoE;ftW2fGCuU){*9je}Q_DL5tHXkM&#;tJyqz`R=zg+BrhD(ci4rswzC$EL 
z0kcg>tpst)4xL`=__n2U6YqQ+_rZ9mgHHVgEYU~m8>oXCH%rowuS%WBO${;br_^`|M91%J7c^;flv~3d+kBZx zD~GOFDRXZFMnwa<6x=sd_0knH>8i`5vphICEkAoxd)D-9X65PA( zrQgB9vH)^h3Of$)eyXdRD5lqjGyezj(yH!Se90K zTUPqnEuy2nsm_Y~O?^HYA;Jn>tj#*Wum+5v#*rE5%Butm?VMR@%$BLm=moKOD;lqzrPv`i)d9`^LvICncWMfK9AFRD=egO-7GZD)+AR+FZb<0@ z-xEtt;cwKxC(twa3;VZ+GATD@nk zf=bB)d7c&hB)}`{>){{5N`vJZ|X6 zs5y>x-~MVAy!suxk(bg3y~*Sd+6S)6s}5zYq7_ibKBRd+O3&DLjM#eogxDw4bDixG zc^)^KG~?ZKbWN=T!1c?c%66n3Ji~&ulmn)pT}fK%eqpPdfA?8NMn+eW>s}S_L$2R% z?Kz+jl@V34V|B>eURH|}?O^8tN|udA4#iv>J?^$qI5jR$v<$Q$1d#N}O!m>x5892; zHED@Tyh~B|=8Ac+Th61WHP$VF5KscAC1cwHRB>f*YvGMNd5aab;7+4TbPUJdZeU1i z-4T3?_j+1D{aJ;b zp3b8D05yg1D@eimg!-x0lZChx(GmVT@G9e?pFvLz<1Xi?4eNi>^$sOua=e znhlb%p(rsVd&}^YEP{y^ExKjC_b`}9%`RQK#P_l9zfb8S^V0Hve$tmR%%+Vn`@?L` z!zA)ahsycK3DT62imop64a!O6f?MkWjS?ya4qm{ViFYV9t#V+g`Xsuu;s#g^|0Lp0 zw9wj)z?{&Bqx#DZ^EmsenzBKO)~uYVw(svIhpvvlj(%-sZbvlbtV9=ra-?KsV@;ch z0qVCr6mg?^i=S>>yzb492^-1sk$z9;k7aQkn)Dh~95<`n|F@M|3 z&^rPp;%IEZFt#AnyO-FXu2876*@?KuH z*EaeF#;Ob939Hc0D2B7|V3;2{C8eD*fs;f^$O*)9W{oW^s}nqNQQdHNWiBhblz|Er zm-aqbb};jJl^o~x9GrN^`A>iP{JAu$EGZ3_;nE^WbT5Z0p3+*~cZP=huuSBsEAXNx z_`1?^sO`joNrQH%A;VHzOX}VT5+%yR}f3xrg1YY@2(Mjb2 zSs(&+tI>R8TeT(|+kU+8PZC~(l?DpQ2u#}Sv4>_)C6~g63Prak$5WGg^HG$fTz{+w zQDqm({=kY1zgbi@^M}FC!}&yLuyzn*Jdk(i`OFklOqdUS$e)z z#gl0DS{f+#c|E>rS6NHkFBiJ71dTrcDfL*jjS;Sz@xP6tt_4P^hTH z$>e5|U9yubEYU@Wie$*#2(3Mxa(!qYwdY??g@4E8$Dg}KLdppvf}}gO6cj3{mu%mB zR`#m;;6s1Tz24R5cjTI;8WMcCa{bKNvqQM}(Gf?vUI|q#e>f=F%eEgqtjg_~3-igt zzk|)BNCB-S1IRBo#Tz$7&Ph}Lic?G@Cp4t1AoEX&=_-om^xxhQNz<+ZCoKCE*mMB~ zW`6tj?cq1FpfiN5x4Uo*M1JJ+{&0u?bLh&EAyb5AWmEZ8e((NGk9?7_@V~SWaZMB; zg^(OIA?k(~8) z=M4SgY_@afkccoL!7Bh;-~|w3PmVDfS!uujVk%5wq9)R{6fo30jp> zui@dZFHPf461C1Bii$;_K3%(c^JW1|y7jcQ!iCtbz!k#_^jbKcf%?Z9W7W@({ykqd z)#^iK@3tBfxd>e?MS``(!1s~=D3_4YB)oL3F~xV4{oLyt#U81RYQJ4DkM<#G#ozx! 
zz|lWHU~yX540`=yJmsm za#s;ZTf+>#-Ekb;MG zLVx@@SHyyXzzRl{!+jmx)1rW*k{y%s959!U=RXBg)@QWrC%ZssJuuMmEfMbMJxf(r z){avkf;U{-29yU4=S5F{hQK>Zgtm)>-7yCSL&v0asoSGV0g^uIne|=SJS5d!iQQ!* zMOe@t=R;u2pUI4mV*fwGo(lt*xV$dJwlOeicLrlm3?4m0-^_Y7j^t5-?91{V9V9}q zOy1b^_7fKpDcBaftsH#dgX+CFFRyPe;D#pif!X9$fiEdLcSN;RC2q(xH%039U0%mG|zC!I(4xJ@TT7_h@6PwFBxt+PD< z5(Mf84qRKjucc6`_%}voW=mv_!!iWsvxU0wk#B=R>4%{AdOHfT1jHA=oP{LL^6_x} zS#XA65ElY840%CTPgPb&an5Bnuigss#fAqp^?|MUMlB@_ec$Dav8{7^=jMv5p(RUp z)QKy;ACTZ7$aRA$ScY|^WIMC|Mp~zM%UZORYlCl(=fbtXtnRL;hwEPfDwjpcuB+5z zGf=ffHV{=+7j;xLZ2FfWK3(vC7hDb%Sls0;@(!z-q*|CoFZ{b^LNFgB-+B0KodD?Xi*9#!#ne>i5l;vawqs)AO;}fp%lm846rHncT z(cugXC&3(>E98;2z1Z~=8S#WyE$gGL#tW8xqY$#();F-k^}#$x7fw~0H>dBX`Njxm zUM9 z&r5X=?ecjf#{cL&@^VyocM(5on1dzc7(M&#+qa&4HeD&2Pf(Li@0I=mZU0jwuuOkg z4nv0<(OlTq2653ZfOyGO{b%(I+KUkNf<>%{pwS1>H`YLY=97)6V$@`TZJeTiYe1ea z@Y-FggwHJPb#PC4@XJ>m7AD%~1fy^du8R&c8rqX3@0l|ZQ3SVloXL~jq~pL0>3hPx9YWMDpq1=;*Pw;?uyfyRexAK6;Ksj!=OERF-lb5rc#4D4+bd~(qQHnVKtKDSp)?DzKn0%z z8Ot60!rO7cWH(@zjyy*#So8#$EA)D*oO-${?TaN7m1HXtS?vv4h`p=`Sx*i-{5vZd zSp1(yR;cu2eZz&xlL0q9m``BVGu}!D zs0>KI{@DJZ9Q$|(pE^1OEg zuf*M%M=xqzyWXQ&(EV(#Tx0pI(5zj#zqZQ8W0PNe$43oPLh0Ml15nV+6(vlW=OJ^? 
z?kPy3DF9|F7MKT_kooKge$Fzbsetre3*%mwHX;T3Qg7~ zm3>NRd5Rw>E?*-g+SjCa8k9R)YsbhEvXC@k^yS$VxEL4wz*u|Ct6Mcg?R9oEK$ z;$a_OdG8}DI|b8q;g5zi9>wBB+w)B2DdBLuG;`v<_@C+xXQ0SGa8@~G{GUYDr;u}0?x+Fc6h!S>m-Y$D|AOYXpQFyj1Tz%m4U#Y8I2if1f8re~Q^#^p-VTt}r9l~er@eh()ShBkC ze;4HD(hXfGOQ&vmt%C7`;aQ;n{4r4d03vgvipsz5%NSVVf-w_H;`#{TJo|_xK6~fW zQ8hPxB}cP()KUE(-H*REV?&&tS9yF{X%2~sGSw}|Ot3oj%-IW#NNiv<=cj73_ens+ z>RcKj^Lew43#l5C7=?ebn(_m8*bF%Ct#4xq6}Z7xY@}ILh$#Y1|H?_D6SA}Byu@+> z$rMcAJd)kyT}4LEc|I+zsC+{Gro_yNkxjcnm!Flkkq6=Aol{}T{dvvKi>|9!&>0>ht}Ps>*Vg%of|B zt?m~ODxtYZv>#BPT&EHm9BnrAbQ-jMlChMj^azRabyyU#>T9#k0s8SO*pml_bR_z^ zMB?z{6BAf;^>(=N$va*eU9v6VOzQdKw_ZOs49$M&ZwihQ&3-aJ4)a;`v zVaDkxp~UGp;#QzZRj;3r8)Z}WHTo6abyg_TFS=M z^`)zODU7bZ=}HFwXENn0mGat=WF{B~!I`D`1?8bp4r@RY79jmQ^M=)PWA!hcVg*uJ z?Bnch>}?!QRzoBM+NxUL35#K^J26Bep`IQ|Du7_FI>*d+bBd`Xw~zGX!ln%Z zfM(B3%blXmJnQwJD4{@1G~{oBgPPM$W+u`!%dF9pug?^)X9F)2qkdR7I^iduZ~G=) zi2B~_@rZijSNS!1s_ljTP?u(dv4aZk@nWHQr@<*{xqz21os?&WU|hSgXP+xl85ous zI@IC5V)m83&Qc;sZci)o=}1fO70uoyJ2WR9sDjbukRr}kPH4f{Wt@KPTB7K|Wxsbm z2NW#9%xlBCZ{G>~7)09}5umF~z8QO*F08l>q=wQtDF?zhYn2-jjPPnKajQOhBmriY z)CaTFrAa7sB9YAc?!i)K7)|2#_cI#mTi=`{K!LVeH_=|w)uo|LkubH=Mu5s;SUfMa z<}oE-NzIF1H`F(kfbp6QIbG3R`A$fw6_Y5n_(qz`_6To#RqA_E^S65dW?S=It5(4_ z%pYsLS*cNDHj1A3Pe!bN!xj9?p0tr2AbAENZ!nVc61O*Uy^mS-&{vG}j0s|J-P#3WA(dAUBH&lDeL7AjN9 z9-5AtY(5~;W7I!hIeo9|OOf`>WS`1N{>$!W{U_=lR=GMl)`%7`PY{))^a(+RNtI)w z-)P>qc(IGl-pKwucUGK~SkOtk zo>9G1p0%@jP)NB_(%_zIcc6Uv6My;sfP+q(EkD^e_VDVp&c_}qs2tGJ)sXSH`G%czsp*f5Pm>$?n_gjRp4+{LYu3D71-u%1{gfQRnf}Z zQ=a^yst2ylHxYTJt&aMe^VK@ooGRAbM>TOk11%j5hv@B!ODM*GU*t_GIo0Ey#23TH zUfbPCtD47e55@JUuPUT4JAcHSnc}Pz8aZU7ppo`!r7OzjF7AM{OZ3AA&N)s|hex2^ zZ}hi$!^$IvPT+=BPdW3cSJ9R9{)zjB7OL`6uC7KHW$~h^l$2xiaq+VU*hnMcuQTag z0!b?dk*KGzIjBqYUBx&Jq5XeUr)<8^IFOa!HgA`!WQV%0cEc|} zQ{7ss=u$#rqG9>8imD)`YVK2?>pxVA&lZZKvP)L6mWFOOYFQHHU#=!=S>M&UI5N7) zzw&lXM1ZSTDd)ANt&x;;===)L$mB)z=0?>TpHywgs90bGyK5w!dneJLGwb3=%}i;J z00z{J7v{SOC-%;~>kh&HVwE+J$EEbp@5+yccOs0HdQJ`qj|pf8#B<>1Ar8xSp7!nX 
zm62+LHBaOJqWs7`<;-9LEwig>V-5tsAi1hGQ?|XwE#1bSK=!b6#GX6d@5!izPqDpG zl&lWXK9E4}!6?|gQA|1WG-IeCOqU}^G`h85;foF=&v*=!P1T?eue1EUJ~|ck!j8U? z@F;T&R*J@xB_?_S31@@TK2WXS8!2U(`_t_Vj2f=S1)&`t;jX)-qVC-*H+hDfL84lb zjJxum23iy+OCft`NZl8lveCE`Dhs~+G;~Ram=f&t)m}a0zkI(sK<&|^mWaKlR{^4E zS$tuW+MG3TrXwk^kw2b!A>9E_GedqNv|lzYl%6Ni<4BTW&nDf|c+oE4b~~cjw(5`n z(SO!HtEfWFh?}aAUva+}D0xm$cTJ?FK9qwX&hoRzyd2rWJQj&{;dNC#k-*#U(eDtY zCw~Cd#{i_X&G6H5eC!aLudtKyrl7d1ah-#dpMgaqKY_z*^&)8w*I7RwJNhf}m_JmX z)bsgpi8a{lJeryh$2fog@<6rQbl2hz?V;dOc_4iwpI@-Nh5~gL5_D%k7jWzFPEDZHOqX^f z#V%z`Eym7R12j7Wl`fH4ggMTr6&-E;M4rQB$6l#vC{6H0ue1Kh%9wYvLeK?%1Vo z_>i6p4UY*O>@8c9Z_F5ecq7zXy7$^1dctx0=LwIPy1!|S`qWLo;{qwxD@2Orzn8Ia z5QgR7EzG!YKFO|yNw1Z$$4VIP)O3$EG3mh`5^}a8RgBfw#`Vk*;jqH=*{)h5AnN;J zub<2(J>jw34q`}dM)y=fDLKs2svIKClIj1bB)M&`y(k@ds*8Fhc1h|mZkA!`q_>@4!590Fd-Kk+|k zAROg?7@zy#k!VAsEQ(T%Ox))6&l{M{jA}9u3vqV09K?u&X^K^`>MI+yYaBG%dimxe zD&ou6RSEi(=Lbvs<&?}sf>fDKFjP8}f@-wG;fl6pTR+%|-#V0TYe%$HCxG2mBW~0u z7-VXx&BcZHgcg;*4@;>;S^gYrQ%T`9u#wrZYjB$M2=vXQgbNhzPdqe7Yf z?4M}}kBEw{M~$Ob$|7gy3ndP_DrEDAA8?+Ee`26@z+nORtQ;Z1qF7bPDt#2T(w_T1 zdrH3eDNKG+R`$lKkcTmjk4ju_6Oe1=rv1HfWu2ZBt8G7>kjQ)6R2~|NLE*`Fb_Uad zHMoqH17Vk@`|=VSKY_lkp(p-$4-s-R$@SohcUkz2C&UfLTf&{%h zp9ZT;nrQ{veKTQbJ;eF=)bJrgmLzm9(dSve)i(P>`Ia6lp8S??=p{i zJU^eFvW#xk-)V2YjcLF+H8-s&4jeTLT-%fg&8-Z8_~J0cw#_TVK9H0eyK?_tlwdjr zXRy8TItXLe%!6*>C#Nh3HGQJvUP+B{sJ(}odoo#h(0_b(2ug}UbIOsDlD^!jXe1gA zJ^U^yCHNr3FlH|qM=z=kn|9HzLA8Sg;&KtM`_j>YQrB>~PweG~sM1m-zXug0fH+yt z`L0y+t21Zr&>HkSHEpsz)|9$VzcZfLZsNeFf^?Tub%v_+)v^ZB2p~`q$8b zL!9*3bBjIm86WjEW?;6yS3E2w3PYhquB8`OxP13r%xZ6^ZNo9u$kaohF4dnf<%+!s z7-^?YL#6}vw1)O`KGCLLkLs&pS~RAg92c-~j-^OdmzF;BHrYi%ZJ1q>{%%|fmqTZ@ zVY%aQU%u+7PrhdAN9jp9!T^xH*UsHh71dV0`qR%XU0s^m^{qNerUmJGLG&^;4Pu!v zypau4skLifC_a>Z9n-y%7SMw@L)&W>py9b7>KKeFBi4Kg=s=L$F&fFq&>z7<0*88P zQ~%E1i?Z!OCEo+MXQ4Z2i|?*K>DGjLwOG8OqSHOszI0EBd~vfyu;2)Dla1az$8L)e z;;m2=ugPYjd6icvcXNwA$}s~SV^4b7x$_>rp(xO!(O@b{@PU7Si8UKKB_Z{i3|?un zR0&H@E03MYIhiM}@6No2{nN9{{V{N*bPdb0nSk30;D>);WmM7Pp 
zI{AW^FI|r%a8*(J`cp&ZMxy*id|WUim&cJ?e)F3;I$tG8D1NA@$lL&`krQqN(os#zBq17RkZR4NJ-^n1EaU7>sJfDE zV@77pbEeA`oTwBvMuoMEsBWwlsv$ovZcn$bmY|OVE+B%T`{xwr=Y%cg`xx`i^Y__3 zM>lxE)~Gw@ZvJ-Spkq~`Qdap@FwO;!sK%wxB0aFRs;l;wjg_rzu!Ub8Tsa0lR9%H> z2IkIZ3L&)ajN?9%!xR(>NJydKsTiNllW=!dU@nXs(e+}!UR^22>FcL(kHu;S(*iB3 zK+-)^gXwp*&BKye;tw4~#XI((A`B<6?%+~--I(bgd?a_25G#8lryAc}Jx?@R7{_?4#@(OpHNh_usbno42qIw3EXDdP8pk16LAZi|p z7AmmbNcm{pyXi6<8W7(y{cl0r-oFHGQ(|lX60~_U{PzWI#GD`;gD`A&P5;Bv{#RaB!n7H zE_S>i-UvA#X|uB{eS=w}jJdl*!KN{BGh)b#xIO&lqr8cr4;WABuxN1?k-J}B#R)ZO zUeJqPZ+K{n%PKB&*|x6$WPkn&(D&g)i};oy82xRzW7&Z+h8;_8*!rV0NV7b+E_CN> zsrcm^4Z;rWzp88>ZRD|{>6Ep#EZ(lTmB1o|xRt>q>cqn=_#;fad(9k%pnS4&r@9lh zv}l^6!nN{HGJ8l;$tl#@=5skhUNuOk8PcyuC1ZL>84XO3^diMb{?9>TbHeC`Z?a6; zU5{039w`WsV%WBMw;~6pHO&%P_6;!e7ZzyM+^bUqhFr-W3_A z(R_ST(x%d4WM%&tjF2cvWr5gOqB5XR?PO6rwPvh5%bgf3k+Edx>)8v$K2FA_)VRuz z?J(~en$JqbkE3sL$o7Iw*lK5MW5fIL_-o)oAjvN~BAlWeqf!zZKWKZ0Rg-y1Q_{ub z9R099&^UCkZcb?E40SA$yZJo{e5f{68<1x>(Jb7}) zYgGW$$!x?g4Q>Wd^R~DQH>;oQXEF~LT$9`#13?mweyo>Qw@am%^)p^VD{(v`o@4$} z-8msALjQKlIGARAworNoF!6_m29{G9_;fZF?r;YugVF=ZmQldsCMZzISh9O6;++UcyM>E#&I|#;~tlZRu!X1=3+{En|nYl=(d{} z0DvRr25{v&N<*6O8W|Ojan;}uoz|$VT-QRkXkj+E%?5@}X_Gx#)%1$lYjJ|DQp!QaW6pOZl|2GS2t?h0SRKZXJO0(4U$Kq6!tdT(S+L6f@_nO zh|81KC);||5pIwVotkO0m#FO}i}B+bo$= z^+fb!x7VtAZWEG(lAYyMDS9Al4UR4j%1IU?P#Vc^W@$Ysjak;7EXLmSu3odK=eYk9 zxbP38A3wo`Y&0~y5AwigR7aPU;ahsXrkxXq_gJ;rs;nohvlp0=)3M*ut@m_jT86}whkKElA`MP+G*M!%b8#41l z@kO)mwT8?0rJUM_y8bkyv*E*;1RlG|^8><50{TnMV}LV`7+eOEqXWx?rz^GssMr4q z&gDPxS8y(ZfMWkocI^kw>`-6PMN^CMqRGY&w)rzE&cTrZDWj5mt%tjo3xS}blKnk4cIt9`%=a=4LkZ4^? 
z9lafompQ$);hqmd#L%etLkus-p69(6+#V{^$Tvl@1>8SGGaNB&MtDwQ#dfi*ue_ei zwQ6I~t~2H@e;7-KMIq-n{Y$o?<>7Ml+n$^Fd3Vl0SpYlt9~rt(JoT2!Lz3c~%?Lo% z3c`#BEx|xKzxVN~gA(=fFRjJy!sgKJ22F?Xh#TW`rN%0SJsN|{DE4C8oZbKV>mM5Q zn&s!NX@#S|@ON@dybyk|HsCJ7eB4wZQ2eUshC)&xjCiS z%LVF+{C5{)OvcmC36A+Id;=^yc;BxnAm#IyY;8|mpkMS#~%{8Q!l z{U2H|k|Y0&w0$c4Pwv#Gf3lJOXD=N%)0<=LO+5MA7k28*m*2xtNzU+bUApx8(C?zX zQwjfi%Kv*m;J?0G1C2X(?syYD1HXU&&IA5TL>R@z)xgTkL`q5;9u|hW8P1b8J8R|j z`w!fABuosEF~T}OLZiWP!<%w?dKv+Q|NY3_$L&-j0|jj+lr50yc^d*M^9KhFycF(! z`t(T$csh`N`<4IlWotP8?1X-KX5R5(X0CJO`>J@CMbW&4z>LtvB?a`y=U*`r9{E{> zZU?Nz^CCGN^NwN4*+unZmjC5c;?zt>XiA?3A)>_n9An~S%7BnA18wp4X| zCyTx(F!Px)NF~kxeAI&E@c-J&8o1o~v3!f59D>>miS zFQ)tYajxJ~K~DaZ>rcMxrxl1UXo?YnFHr>WNG2Z-0f9F!Gjk*=QC+eBPhWznrLc@BqB^jn(#H%e3A3I(x0)*Zdo>l8hMj+g=+k z6|T#)C^`S-t^4i$h2kCzA=MAr|9({V?i9Eu{paE4$o|1$cSt1u)1a0u{^f#lP{=xf5*=VKFR4w zyQ!})jeTE>$(h-JQO%hb7k7gOszbw;VjujVI0 z>@P#I#tyBGR9Hc%JJP-usXAyOR84gz>#nD3T!v)Z^I5u46v> zG!*1pPyPVtAIj&0fZ<7$5D3aB2g<|hxCLM(yYWC)pNRsZP;U_$@Zwo+c~e*HE$rD3 zgAamB^8j>ELvwSpIoQL*eG^6gUI9Xj0T3|2uJL!@E%(qc=j30tkybup9kQ>?gy^5y zRf8*yghL{*CTFsTtL{4K3(0CJy1Bqz{iu4fzgiE;>R0}0<^aLa)==?&N%Ki%i!RJr zi`A$Yb60J?__(5ZeMZ4;N|nX3Zpl63gA%*#OlW~#qw_&B z${q{ryJ$oZTSDU9S1xc?GDO;p)ybiyq6?!~d% zkDo_g9PxXx+RETq7CuV0Q&~?dP-6YaO{;ZJ?bma4!tQzEn@Ssw`Y9PzVpaKCRHS~M zQ!a+AeT}-z&~hP-iHyc(5bn>mtWP~)y8>`7v#mQ=ed2?fD+lgB9P^czlMFM?vwxL8 z=NH#p@U|xWADww|e8tJTz!9n*?k{Agwi|}I#;e!|jAOuEVh2u=5$fD-T|W&-R|p^< zy_*``k*z+)ZIG&h6aX&eyfP*I)`k~$AM>W}!cklqyE~BU$VLt1%oE49%I&%1koJ+B zuVNq}UVc|oXJUBtxg+-to@QISN*_n)x%2WyxAT@ZDj7Yk9ZlO>sp^mljrE64T2SrP z1Ms6%@D@v+XGeU`uGu4 z|KY*C+$Fk^{6=2F+uPeRyBTzPi0XbmvqIOg{VS`hZrqMeB^M1T)(63*mf_c<_6WL8 ze2m6n!nu50b{x8R8@PzCgP_oj>^K&f9Jm2@P|?GOf8gS?fVgzRTB#2irMwqq9NoVrbRxcW+0y#4tF!%}G9@l$d{8AMw#g z&rNPJ7Z)Xy?QLxbfRpRKU{5&M4aY!yN_8WKo{hfqb zv41x$l*>R@H38eOa;}kAg7KBY)2|8Gt_dR*7bNf@PRPW?j-QsftVI*SeeH)nBB%qG zKzO1>?7IKQhx?Sge}1{oIx20hl;Hs&GAVG zHq?j9)~8iNVsq~LhH`+(xO>Ach-xaaAbra{Rs~FFknILo{Z!W-;ccq3g?S@m+W@{K 
zjje-|ZEv>GmCgFz#WYSQeX%CYUz<}eoU&Cflu{@5O$E#h>jzaB!4ipK9w_0<4?gc_ z2EVgg19*C$(V|2#LMx1Nqv+Kd0<&?cAxs(UCO^W&P_H3A!r{fh8R3Y0Wn{L5W~s=X zvJ<)Ow=OhYzv~*QI5=fQ4;$TZ6&RxryQmANpRM18AS%f>PVE2%k5qj&ej>56L#%G04)KQGZehhzz? z1RsEZx{`!8zRu!D>ZDp;4BQ;1C40Cr53ZJIvcgP>=3O6G*4oOa6rWoX`FEx|w7I_% z(WQ{^QuBOjGX(L(NZt&oOJB2|g9tA8yAK|2gu7ak)I$<*6W@-H^b3ClYvkBdZC$R6 z`whFCUPzx6N6^nZHD@@&?ghMA@SeH1xL0tIcF4JJWRTSReDw7$&^U zn4;~}a-jP>^H|yfS&UMRQU6_58c;!(0X(?X4#uDe@muS;%`#T%*~Qh%_Oqs}Q!tlt z(@j25f6!bW+{t%*95TQ#N9vRyYsq%bUpk;6oSeJDn@A0jbhM0e*Uzj@KurP zfz~hG6wc-W9DH6sCnp4`7f{16^e2@wf`Cx+6KUl783iv%X%EAfK5>1xvQ$vsv|P4{ zU37(orQe|4dc!um)KQ&+MNAdYVN*~Ah0;Pf#X_Ew)3Y~(yHK3#629G|1nY0#Iyyn z-*NY-q1R`AS8SIX3x=Jph2$XuzSVi;sQb^XDC2zEW5idKOHiw>Uo0Gb8mc?$$1>8k zHecCs*a`h5nYOy?^;H9a6F`4smsT9Z&kj|LS^1jp)-E0kQlNV;#HKyH>^u6IC0WWJy%QfdC@R7uDAZK&MhTq-Wa z`6i{}?ZR2J^wrzuQH17g&4ZakgP>jwcJXWMH^qb%({LT0tiv>@aRba6LoLIrJ2X#H zPnCX6CP_J*N7YFsf=$%#LjgJ^j&yT6Y~v4?3W}Dfaj9WX`4PX9J>OJ29ia0mVwQn$ zn5O1y;sPz2-i2KJOrzP>bRDajKQ$VrJo?}fnj=IA@d)e4qZ_CGD*oHUt9$7_K=J9gD%eKlm&DvchtL7fHHczHA%A0W?KIz4pPgRb2QHp*Bq8-xoLxv@icnl+d zK=07w9=l8vo>hj#{PWP4DTV+bY9Y5+@~>FB=yhyo-vwO}cIwQZ<{x$j4Y0sATuWZ# zTIdbWjMP*HFJa@%4adH2mS_q)V4^m+LIF%Na$}n7!-JxqTm@Rj84{6enTgRTl`k(Z z_XDN^!!OQ1u%v}dubY&Yy6!z4b$#ssGE|hllWDB4Mw=8)Gxpo7wu7>38z`H)I?%I4 z??^LAS63bd8{pCsicfT3R(nKgLgAlKHbMC7$oZJws6d!4{TIqTXiYjq=zxJ|oaA^{ zh9ahr#^HLUidlL_U~U?oCPk`6u9)P+Lk3ZyzVk!<3)Me_hE6mm8n@lb<-9`8%a~1o*iEQ^StNuhGMy6_g52dl8u$)lws#$VRN#^>?Qmk-0+)ah zkr{fQ_H9{6>e>kJ4o6Fao;*5+`{Z|_!0wEUaz2g8;Z2PqV7(2brXdg5g55RyxIw4OS_Yy!*jUQqIH<+v!b%xT z&cnlcOH=aMHd$@Od1DpH^gfT~XSXG1y6Rh#PwQ~4jr|(v7PlJIxb|)>?}B&PE%S?= zLu5f#YUSJbbJ<2YkqZ-%V=fYj-~g(`UiqZTvh6ute*SXOsVrIDv#|K z>>}w zauMecA_)>Og$|6x?9iJV7=w-MImS?-&Ju^3D#Y}vc*m}dCsA)k?1u`~e5kPBHVD}7 zkMeDjV)|BoJ!<_@i&9mhl<+*zJ6TJM1A_5MqlSq1H^BRbd;(NZq_g z{_;C!0~KD!Ct;4g6d;#c28{%NvxM>!)jJYD(h|SyZ3MG$09?NMfd*c-fuG@Xz;Wvp0T4 zELccim0x7}SPLU+9g_tj9Y+_BDVN%IY;}59!mH^7_e$zkdFFKO(}86J;^>oo9@Qs) zw`m&5tKiUAt*xteY2n*DeM23NMt7uzu(s^CNDJ)8H5+)uPHjV}JG=Jm_e^cbeaUm= 
zRW82^Yz=c=+0hLy(br~RE}bHD`Ld~-{>z;vh9wt-umPsg9!s9vKxyVHGL&Jx76iag z;3f8BBn;Aw4lG(RYk?EpsU46CFgNmtpXZ(=NQ~n9syRNTe2c~5uP=Mu@3{;!aI})h zlw3zMVD}#E?Foat&=?d0n|H1!a@X{+-Z~2o00LK9V%|OB;lE(O8v#K8^B6KeV*;Bp zRQwdq8*QNrEJo`&DIeJ|SsmVPM|4xq@^SAkCvm+e`#@;$49Wdzj!{t^#0Q62y&7jx zUc7R%<)ACVguriUq!bO{CJ{TA0I<#?d7o6+OxLBoyG&8_5Y;bgQSR63T zqq07lu<5WH$U~MO-LpBYlIy79uYU%d`-kom@8(wNvCjbcdn!)gk;b%&$R|;f9`9-C zB^c{qkZ|FN8s*V|CbsAd7||SqK&o^~lACHzlP(lbFK)`$&V3KlK}ni~prpK7=_KFxheuB`(OTQaF)Ln0c}2YhJ<%xXO&hpkNRN`PIv0onWxqLn$vR)Cvd zU5rOS{gHpShh+E8mm)9qaKc!JC~;~zrr$4){&An4cGpW}Q?ORzhyLKr_FKU>HtADG z@Rx-Py@~fId6oiRx^Qx2c;wE>&?~*V@h-hoypb5*QMfIvxzDgUa?g>J^0}mK9~MO9 zCGl;t-Oy@=I@WOU10jrdoJDUw>;?<^`%{of3Oq(Ea9GDP;vm1M!Qhb|{KW~~%++NB zv8Cj`A8#M!FH^3#lNM4%;nFN3PDi*JS}Uz#>x)wkn2AvR)QH@- zK~O&?j-Dv5VG9eQ0oyt5M@o|9M+l=9qTGK>uIm0(M@?+pSD;bHn}LVNi4B{Nsv*tn z3^Fynw|*VJj*&0c;D8M!PHjLmRLEjyG;4YVhaKhhwD zdMfAcVXj|u=xxjeOW{UXIX3hV%-#i^GI}{6ytEAs%_Bc|zGG(5{aA7wR#-WG?-- zT_+0lx&>-Tdu9<2afyON+@$4c>`8#z=(pw^O|2va_Jp~6jCt)C7@Sd7woKb&r`@|4 zQ*mA9Z|tcfW@5PBtH4izx(jBT)z+6Yc9fmCyFqpMdi5CNiqB*>7rZJIN9m_9 zsoiybxDz*_)#>c@WXw;6J9ZWK+gcVvLon}gy@bDD3$l4P?+DgPI`!b`=_*Jk76qC$ z+q=?IAbRU5ZL*|75F=L06jT-V6zR<``cen9-`P_T;#oDnaO_J}vJ|3FuZdt| z5=2kzd>A0`mA@cUC(O_g1RCXaFjiAR4D{7avTQjuh zVTZ}Y>%(}swlqI4XcWa4B}b7;q>D~9&^PD%7W2ZM_oHG+&ka5oV7(U2k|TGD>@JpX z^tCQ(j0P@Fu2uXzqDqFeTJ;k1%m+FbE9w-SaOz$@{HD{$Vb-ZnDH2s>qX-(0hoWq} z-N|8+2)nr2#747yClS%|&AJjrP&@fFHcF9sev7rj!P&sbxJ1 z93`+ed_t!wB0;gl&;KZ&=w>NI}_>)AJp~4dPit72&heU2_h%6842*^HZGSu;a z{VHDMyif_t$LRl{d=<716!$&Z16oB*l9e$rNCDR5g~3rvX^mR5!Ve09(ZV@upHRFtSb5m7xc#;^5LgaDomvRxUWM!wR@+6p`qfbw0oM! zV};(TI4@k_e-s}?{t{L|x{xM6c9gnY+Iwu^sres{heSjql+5zq zR7uTl=FWt{&4y$Y%!u&~1Zs>PQR(*BVwd6hRJAbPbmh0at2!(;bj>GR<$Ll1$suultcP$sssyYa1CniIj6b zOQ`ro$h7#=k2&9M13z4bC-vTx_P`Vn7Shf?P0}EdHW*_paQm-ic`? 
zjnr|KDgF_IW&)&I>*c||+jySCRUHOHEzs1LMq25&+A)Y{71Fhlz31pEufR}L2W=_B z|FLL)KF*XxuU#Ou+r8+%CgXWK^*n!LQC!?>`s~%D;*_2X+|yfD!1u@QYMLv)ASUknP1% z4&C%+2LAl=jAH^uh1c@sWxpsa$$$SyVbGO_dTHiq_@LEH6t9f*gX;$#E=|RJ^g4}Q zDd_4_Y?nEhom2e?`>}SyBW&D&p5ONAqBZeMFw%CPgfKqC>kcm2K!lQ-OCEGf+$e4S zbb2V#V?lN_KU_iGBT7fAVWreCQxF4&Wa992c2e3(+pCQ%I!QzGDDUX9{N_w~8B%li zncp{(hFtKt%wKKbFLZHiBi$u1yL*>o! zG{CK0G!~>Uw)T|4WRC7pW=Hg{)LO1&p&GWtTu{HVj(CyAXE?U2f!+E#$>ZP8KI$torVA+Y_|8 zhI3;jXJ1bh+`UTj708ngPAU z^=eZK5a#(ik{ne$PWDAzG_X(-goVrI@!x8D$9@EaNM##98?EqxS#X*V4Q zUfK=AuM!bA?zAoCXp7jLGoZJF0o*8~1sf-r#fKNd{=U;ylANh3A-_D+A8QujU`}~Y z_NzD)|6xoy%3rYeHq~KzM0z;JB4hTIqm&lXXg4(rtnIfNR7oC&6b+K_aL)|!)(7`Z z!9buyn*$`D-v{@O48_XIPL*~$v7sRds}{!^&Akyzl7H!5LlYI#$hmuS_WPX(biV`; zXgk`a^@c&lO@|HlTsi{GaWzoB#f7p;X(C;O9Gt|pF8Tcy2kN&~ z-{So9h`&yGynbRtZ&ilvHGS82ZOROE=hlQycG;c!1C7=fzj$geOnmS&rxg?CS8;}AwP4{WYhbgipucfA&N%wlD?{ahHMriG>)&X$C50G@dgRvEI!hdFm&k+M zd>;JD(eQM|9+QWVVwb)rDCF(kB7-957u$#3MyOeB$3?-RRNX%p46&3LgL!Us{(7S9 zwQ9KEp!}b=(tSq#smO=LU+VG=$D`8l$9l-V4YEkn=wy>UhCPaG{fU03fzS0Zn75-D zrd=C@pV{wx1}X$&8eXfCd6ORD6p=m?I4xuz$y6(KlK;D*ve-TeA+H~h8-q$ilG`u( z*KqkF#_9z1?8{$1kM{Nn4iS0nYD}Q6zQoSQp-k$M?@Zd zdoJe$>72obOx(g*6VaDw^pAr0ii>Z-fSc8c<#rcB7ye)|2x&^|lb@9qaEVIvD2%0n z{^g_S_YUF|d16pUa1BWKmAEq-baSE#9FrHtxmEcIZxfj!(WT-PQ-RBNe;Huh@kR>R zF81Ft81#dAkJdN`*w6wnAQ@Fx%$oxvM{i-wSm0FFn;ZdHbquB?@e)i0lYIHgl^W?R zG>U78DIjTJzYliKMYVX#^mMg!b2;Ro$pQi%}NOA&s{w;gG;S71(g^*d8`@#|{%=R8u90 zE%Nus6Jf0!q=u368hDm zA|WE(n7dm4jAB7?HAX#q6{KtU0XL@w&xnuDfC8hj8S)dM`C2(80GVDnT04QbhiS4! 
zNXy8Mxmw}O{mjqrL!7kIOijcwLQDiRSu+WQ@yuX1c3aITVJjhU`;oEAcAWM?Sft`Y z@M|~A`T_2V5x+iadgMiS#dZhIuA1ipxpSL}^2s$}5kndVTtBA&p7LUGrRQK4@0Z|>kg=Q~t^@lF)}EU?L3W!-%7k8SS{{2fBo zLrCE_X3r1(9_Xv2x2eH zm7?b?rnKuitcV^3`zEkGkvhaY9;$!hy4{n3#IZJni2fvqnj>gt2~iq5B-{YPt2bX zD=BktJ(9V;QWQNXbG_lug~dC+aF>o;db6V_gCULxp{v!;6Y)V%RuKC6`-<*)A?LCG6|Kv@JG*2C^%d zN#l4d%@zBQF_4cpWGnhf`bZ(^&{bgl3wNeHhJ5O`FcevxxNynj6KED$_DMX1Fc*Pl zhMyO@8)|~;kk0bHV?hCQw4~C5o9FasMimtrEt0mP(mK^HHIONiN@rf0Ve`|(J4cUR z2d7U50#DS(o(r0vW3B3gY8FmZJ>e+r)&!B=#m1ib3pGdH7Pwvo&ERbzE-{leZsiJw z)tmv{6wNolRf+Qs`%Wc{vWu%*Q59vsp8fT4pTDpH_>&Mw!==`8a~<*i4uu5$z zmPTgRG)mPz-Xtfv)x~cYg_uMPfA2nMb^hnzEB%;Z(rIJ1%h-aHH%hcPZb`(jRj>J5s_B> zd(1)KbOChGD->SEeHGV^*cbmE{YAp133t0je*ev*$B*pDMS(G|b-q33?`hAn<^ta; z!IuJV9d+d#vr2}n17dVjk=u6!W0+KRzr%JBg~PV(lq|@Wjz#6TF#H2fia~3R>DpGQ8_t?oQ(J_p znWo6dn`;S8YANso(XX3|)W^WAqo(k?1yc1YAY&II!g_pE#<+*cu`k8pTr=$Qs(R=0 z05Gdh-^{s^Jc`~9g%8R(Gv2uZUyJZW7^}Esmv*xh2(NXrc;NroEMMbnNA%!z8+=EDi4Dlo zi1O?j19OV^@1^}VG;diOjlHnXQOZ{jZ`rzNSZJ7ctL6#6g%$R0|9z!H5qEc#RT@6M zz7(8WqBKj^hO$KN9_#k_Ec5QweXdN1g*CbLW0>T`9D(CLteI4$Fgg_KoXqxnCo?h_LtOuayHz zkw5O2=pa3otoRB(4K+jQwN7;Mj6w2A4ZINS}Q0MT1TS}gS#p`t$L#F*VK0onpdR~)ZYXzhC%e-A&9^ws<`e_w}* z;mVfV7fYLVPC!RJIM(3F0gF0uSvTf0+v=NSx;#wvX!$2znJ*$|60KRo^WQzNwD4hN zL^jW{V~bv419C^iFNoDpK6UPj=PfM^89wesq^F&HHLi+z;N0C=J0pG2#5fh8FwQu; z;Hg`bcQ~}&v;pPN&Mbesy9Ot2tjM>#B>71ntvYNQP&ix%?@>HE6l>4g9>&7QN_$JR zrQE=L1KAyiJIQ-PPHLN^{@dvHfKx7Z26m-b{**}sNwJ7VklccVHW;16&@85R4Rh!2 zj@fHF%tQCONalZ_>!XX2xwzncS2F z4O$9F7nCH#6550d@nb+BG|^@*ya?O4hUSD2lYna359CJHxH(e!FBJ+6`NQ^4TL3$F zh^k4sm1OZqAg~<-nvGdL%c-jaV_*_LYA0-H;moU;vbNkJRlBS$6$&Dns%a+f#bxmH z{iItumH93;6~A|)&XDZkR~mZ$U2y8h@{?W)!fNv^l}Wvd%CclkG;;z6#mDV=ge*i3OC253+brC z+>s9kmTotmL8~sX;t>FI}vaL;YgWdO6L#Hs_hne2139xHmJ=!2o76xNY*`GOw zM$@4r5UK4K$EbE5DG0=?k8Wu<1YRm4~x#HvfoHa5>7wJ_G;gqQgd%vKdJVs;PSjs z*=x$y3{i%I`cKG?5-{H=G35bqDmaGjwdg_^|# z0w&ZzDKT38+IQT`-svF&<)dxybLGTA8^A~N8h6_bce^3N=HFqECm{&#QI`S!x!Jd| 
zl|kbr*M9Y1zpA7}#$OPazPHFtS2UW%pET27Y)>a+94l-r$=4wH%qlNLpf!uNhcs?)9i=q&3_;nI)TlhKz9x zgJRtIt~&*$W_C`!z4Kg2C$?l&yo%pMnI}L07o3h3%&=zV`{c0uf?zW_b7H_LZN;8m z%8zxK?#{(kSZN9X{}%p?6@&bTxSg;HS@Cd-0OxF&;T!%~hu1QkElAGX0g9zh0^R$h znV!f#6@4(WdoUn>iw8kUlMTk@7f%_EWy|8KKjJ^ZPQp) z-C*T39R7gk+fit>Ib6c;!|PnUf)H8CWkUIF4VLmrHbw^b0wJG?ywrxG`_`bufN$1+ z^LR=M?NxgcrcWTWZQ~Wuw%(>KdA(yrDH-uKDNqaZm zoMq0XJ8Ezll4?QKa4max9fXVeP!>7?f6cvYyLIl5$Cae>hJK86>VuG|oztt{QRf z(sFA4Z<Z^YhQ0a#!QbK zg8j{5d_1vjydk|eclFAmx#bUc&Wj}znbNqQ1uSdY{1`7zaof5}Y6^1whSL~A(l4Hd zYp-%r5UKztt!fh{GWLo0x3lV@)$~Jo8y}jmgzOb-r-k%{;O5l$Na5?etalm@f$(-l z;=xQ$fAP2}TtuceYtm@+wpPDq#Lg?SQv6xR}DEJY1NWO=uCoO zluI%^+RxTa@bEw`mOf0I`O3se&nn%&I4X6^POY0${5^DbwWT&L$nd42x?`chRRgh| zDx!8(W@;WK&|kCa1bfb+`+Lu0e%D4)J+j{V(cUi{_dtVPIl@1&)OYackzYAKGB+0N zIQu0%UVrMmZ6@F`7RkWKc~j(2*k58{tZ=RlqRTR{?fBE~Wdj}Rj}Q!{Dz^RFiJ`L+ zT^ThGTw7l_xH3k{ajH)ZW(m1?rdqETr0f=@5wb{n$r|i1ZRnSjKi7in>XQ6{d>763 ziEFp@USa@_^{&_-Ikd@y_wA|;(FY^-PA6GYt^=tNetKYcCi_E!+l)shkLFwZ`degL zUDAjOct87PS9RDjnbJPDfCj$S{j_gFksMh*!_ns!bv)7xs1x6`zdE;3wDTTQvt@Mo z$+nN(A$KY6Y5;m>!*|YR*)m6blA1q#s^(|qoIa!dPD6?}LfZ3s=>!iK6C;T7h=$B} z)(%-n_!KbpnsfW+GUI3@z1H>3y1SY6gmWnJ_g9wfX4wucN=g2e^|j~P4?RC-mS3P5W(=;Eg^&jBez^sbjoMWtn--~u!PFP95!sRwUpj5O-mq%KrADHDP z1)S&w_}u}M3c9@qVjrO%2HC1diAp=>0$=ov(W$G<(Un!#j?b2ewE9tddu-(^!J5&x zS1Ye}+_E$$(;+F61MN{G!ba5c30IgZlte_?_7U(%9zp zK?C8@D{nqITM(v8Iis85`aFl%&3HJ?#u~VjghiOUzgPZQL*dyDU5~NM#6yNfOOcB_ zA}jSL0}@JSM6!7#)&?`-Kh{XT3x_hVIK^NQ&*w|)cY|1fUwrX6WS7Ny!=Q7saye|q zdT6%h!IsQF7Y*Z*kMCZ2$F=V%v-!Z2sp^k|T2^;U22Gy?Ccb#u&z}RJ=5Yn`__qza zwS!hWl#zSlxMF!b;A%?+t+?F*+`Z})K>5lo@l#%2UTJA*_8=;d^TG|pMD%|9hD>oq zIjjEicJcZo!#SG-hqP0shQ7}wSjmWl3HjrUU(1Rxfv!07E5K1!S61XMUi`-0 zSt=Alz}$#)XzvsN7zknPO>=j595*xjR^stHFL#2MSug^UEW{gu8)AG?Qc}QpB#%gn z`8}XM>z6D!;nrFG)#7+qMf}Bq7jPSaO3LtT!Yt)O(p3Y~hff=$yfT-NrsTxAc2G5Jhh%=+-V>W=bOXb_!_x#9y5gb*W%Bl$`Ld$Nr)p z&Rp#=7_RoK`R8!(`==+3yS`Ik+ty8wm98iiP=U2<=n=K^C<|$Z?B2;QZlsz-c~l(&u1!0;gQ z-(N8h0Vvm8kUU4u(cIPkZdP&s;UIozkq~{f9Pwn9Qxl;90NUlOV-4{ 
zsTyAhdrc4gvl#yCUTRD%0?(r+{J`)jvy%s0gAx8Z+%D{YeiU<`*8ltq_xJwO+*PU( zZC${v<0#xLLW*0y3N!CUtPohWCecGmV7+n!0W6%e|N1^ZAyri4N69v zmiX7ds`BxOUS9(XIskvS^bsu}4btuFi}Rd!*Z&KQ?WY9rIfKTJ_hKc$|D*CA`1Agk z8(p>j|DfI`t^b?J6kz}ssm2b?*>FJL&E@*V+jqWlx@iBk?3ksW1s?z+C2 z_iiN;fJlLy6RHjn&(w7$zV%xA;DR!=Oz7QJ55@b=tOwk;H7BU(qq#`e=~%n=w3=A* zHWR(=0NQ;?>dbWvND>E@_BP-Gsz7^f^8v=%z_65mCv5*i{({uw7cN|I9jyyo2U({B z0QaGH2?Car6vUVv1ThlsT>r+7EL93se>YQ9KurF39P0nUIqUwW-iE=Pm=?KFZL@Em z>#d{@oIf5g9wGnKzw^}U{r*mhT<%UJ|hv(Z6n1#A3m+PArI43=f5j>ygwb%!)%iXpmOI8{~8U(1wKCC06! zYy6cOm=!#wGX+H@twNnug?BuP!#RPCzv9?=R7n^{t;96M7_Ck7J+@UK8Y*QPD4))Iyz@udclJ@WbWf%szxlX`v z{}tvT`2M|9|DEGx3X-z-a!sx+svIXEq)bI{OvKjBZ(MV}?Fqh(8-g$odKZkAlrb0_ zX$OqS>gF4^Iig}>4ugY(?%h{RPqgk5zG~AHE6ki4t(gaTOzLlamtv~iIQ*`mYf@xcc`f!q^hrPjj*h3?lc+B=@c zL0-6kk|KthSf0lAAiPl7$4O~3#%z8LwsNG(Z?=6OUZ5vw+0BH^)Zwpf$5{8{+S~8#3YX3^01jQa9nm(Ir*op_@D!^`MHh0l zsDHYp_hSjKPX{?8!`WOjwIPC=3$P0%f`Hm)saiKVi>famW%R|H3KOj+uz@dFY=KI7 zpfO^X8#t2wM&2{IVp809ZVDzhoWVay3HV9fXF35>76K?)yG?PHGYT-p;cuZPfhlzq zehF^mRcQlV_t8s28EEmqo*-CzVkuki9Rtb(Axw^IS<7ZNeyQwF)GWI^W7mg7TFK^m}MK* zR5#F`{H0^6n~>p^RxvCinwdPwbH?EO>C#m%fBy>J(T&!z7jCFbU!qdW)oP@Jkl9+( zjdeP-!*$ce!8~js2t7xx%uDCS9EH#3r}^<41#q<`O)GETzU?4sXl#I-5FkeL0AU4q zI-CRmQ39Cfu#Ca7z@G&mTR+g>BR$~<(S!cTI}*Wjsbz+~+^uQQUg4=(yQW@;ER{I8yP19|V9OjkwZ*Ctb+vQFQ+0Hfe;}!lV?ByU)15C)qtx0C^$HQV zhl5Gg?TW8!J)9$Rg{F5mx|M996)#i-tNH#c4?2Ccj{(&_I0gt zHw~_E^q*J~5EU`Mwc5p;8X{FuR7fc1QB)e9@HaQH&h;v=#HOW)=fS`zL06^RV{%x*c?OB_; ze<^8s1#P{5D3Et^Zj7??sCW)ViWALVr=_a$?HJ47b;g&#R9n`datk6Oo!>wkE;c( z+0(CrH-ddS&e;DxAl(TaFU~hnZ#y2X2jN=%)IX)4e#RViMmq%qo;K3bVJb5#`Fcnm3ZJKcmIHH;2k0vtqz98(j3Q zEP-)sGhKY`y`Fal>hiqEF#B_jdjm`f85?5Huvqt6jg5P(TgC0q`bnJ!0M()cxY6b0 z^h=KiTU~5LVGbAs7R>os^!Q>Cte&v$=kB!=(q=gunoT2D_NDcNp^j~l?b`vD0qyb9 z0_;cR*4F*OT|A2PGu)kR*qx#$Ka|#1G#qVhaXs{eJW z#$8UMX-8p5StKqBj6ks81{W8NK*?C$EIs8r(_WYf*NQ z-u$rFKj6wzS)D;Gx*k9jsf_!><2|S-77K`K>-W$<&nVIrE0CpsAbhE+qZc+4eJ?Xk 
zFS3-e1B!)<&)>s$roO|a_9mXpd9a`;N5v}Oyx?e8M(fy9x4(x->rE2YCuOeweu#?W!ZP$VxJb2&+eR7lZ*JKoVS_;ShF&L#vkF39NSw-A-cfs`Ro5$GhJz zzGn?xnR@kupfL2B^q=`F+*tQ4VI)Fjd-k3A)HE2O5V_SLH-7~d@Z^v4A7O`nPECo) z^36L)r#>c4Opn&rGWD0Gl}p<+=v*cg?5AI|!2o|gif6-_f^%z6SMV2^f%SkmI)ABt zKwGwVbfB1On`)Frnj4WiNqSvaXp^<+2CdPfIz)5a;}=eX3v&mjqwIE}10(T{gWyCg ze!=!pyL=g5P(r0ozJATfzv1iQ^$j}^z>>_&q}3#K*S}goMm|U$|0BxHq+gRy z!o+v`-HB&hwtoBEyne_Kw@Wem7m+x^aIqX(3|WMw&J{m#pU{=n&$r-wM!64q-r&UG z-Cqlu3%D(a5o?%;Z^_o#l|b83o`HH^()vDKbQqn#=0VzqndX@y5$nV8^6?sX7>GqX zWGA~DEX);GB`8C*(MZJ-tN2keZH_62U##K0$~6A}qAfq3`@hnb-?p0z{0QJ_9?g*O z#P=729mwV42PzRSEkkoZNm^6f%PjcMQPkj;GL$0N}@QIEUXE9bct zmt28W-kS%8Hc>oEy?SBfUcJCvi_K~U=`X9~`Z`Z`*cdzTiupq29=F;@#IXeCAK$YZ zqL9|x8Mi6#AU?2Xqu+BTnsJX;;@tWMozLP?gCc1O!7$ZH{i5psS=18tJ@$VFwIpnU zA>sROJjT0N50pK@V|0BvCyJ*0((S2_!9Ok>o>uKG-iD@$cvt4O>cRgk&RUlU~XhnC-#4z?n;CsXu~# zVfZG3z}Ci@BD`x`){(FIlwG^R&8eVtRYG=xCfiTQ2H5=;2$a0r!oggCGm3`QP2DwQ zrKuSKtXJ|2gC9W+$C`(3tKAh|N6^+LGd)OgEUtv0F+5zd03-4ivW}kv<@=0eiOUrf z9ds43XHTErY7j52{>~4-#V`L0^Z)^enbv>dSSk4-qAe^}{^r`#P;kin-KYdJNa}{E z`ml3!VHyad$r8pJ^wp4anA~b|%=fP5iI~nY$>6yO$pQ7Pr6#SGJk#ex)^=fg3l+Ip zH1+7P+cg*XaZqR;BLuiz;*vp^YW@zGOj0owf-}sDiX$fqHE!E!?G5`^7|s92C_%wS z1nwq&mE16zFMlSjO^w=uX4X2_GTYS=HH6 zH2++t@A_V_B-6vqCG8q}ygCFUhTo_%J{@uM*!9)L*;}mnbuv&B z3Mm1vw)J5NH@D8SluX)`Ij}FVsGmgW)uf+ah7w&{C%Rf#HExA(P!s;bLtMqrX@Vqd zsdIZp2)^^xKzReEQQ*=niq!9ckF`^Hf{+irfo9i~k<77&XGL8>k)Xa4H8 z(xS0znWQ;px?F*KvZ8uGKzUks$9nBY-lUR@^_Q6n1MjRoJnSmf>psKw@&Wm>IcUUs zK`V^^J5!1OBkBKlrm`^EeCKiCrh(P zVh2J|6i`5#A_5{clt4h#&;wFJ6+#sS1q($)B=jD7OQ;r5dhbO=Y9J^rKq%*VU2E^X z_TJ}=JI=l1jC0=)`oRb!yybc3f6n=H8d|4&6p!C16PD-7KX^{jxqxLpYdDoGwbWz* zGN(VL;@7|OmpKkzTHI_aH!zHH=iQW3P6VV3ebb(b#WO36BKoRApWY-*QRu!m?IE8mO@eCBaJfpyqe{6KnGv0YOl^Pq|`2eg( z-y0~^MGu5Nxy)=Oi}G=!-Cpc|F)KUB7mD(;8~ZwRWFeeXBB*td;f~LdH=QD8MrNEz zbm?t#kvkVxWR}6b%{_XdD;t?}ck~kW2?XSU&~G@#!~42c}ygl z_rx=qkwsU~GbPjf(tsc6a6)Nk9S|SDKj!h4L`2|z$w)aU}%aoz6 zMKO`<*z=vuE2?5` zd$LEc1FJ&)DrVi$rGkVz{$3UlZr$JCxJhK!8HBG9=8bOgAw_LK2%>psU9mi0?}eA9 
zh)Md@{EcqjRelFBR4c4Cm+v%83tf4}!8sZIO?7PTh}oUsK$wBFs@uXX&+e&*@;$Js z)2o+lb5eh?sZCeR*2I!&#fqc`$(iGEY!}Iq*EzAOG zqob5G)2N1ia0};ba;ONj1@9)H9jZ4S+cxf3U~cce-)^<(p&tZV+6+ByF)qTAYF$2X zck!~DIn$Wwkh!!A z&~SgEpNMc4p{i$<%lQ3``hd@sit5Z_+5&q^iM6_i_QD(NXh2s->71$I??Nc0WN+(* zi!c=x!Hdsl_uf^?`;#t|28+v#Hm_Lr8n6sCfoi?%)vrde$waQ9eL-a0Cm9#+y`z3xrzCm1kNxGi-Sr*5Z>GKp-YF9~5$EpsBUavn1=Y4_o6-ZhT zcKrmrUh=;3+YW^b2L5AJRs#sO2IozXWM?%=r z6#=$onxcz=bGiG@A`uW+8o%^;0%_1tWm%6L$X@!@d~H~h__FqN^p`MU0W$4Z-X=+7 z_@zN*{?j98q~^U-Rr`q+b8cx)7Ugc)IX|9ii9Ho;ZZ*LiGvvOJDKjr$hrAh^esbAS zUD@wl&d9r!0md>b$6s7MINmbIQ2jv(P(Z+Ei2)Aq zM?UKhp$;DAcFwe~FOE4@)R*#tb`b&eq<^45lo#PN<}-UV)>ip!Qww2RM4gdIL;|J~ z1u#giMqKD?Lya%php{rT7!|g!z5O`$p2M<2#i4q_2;&>{lN#jQRblpP+dA5>&)4G+ zhmYF}VIn&!`<67k@-B5WT{=w61r?wCGw(7;B!r$)AXV=Dfg(iKaK=}eGWjL|vT!dm zb+V-x2-fj=j6lhTC(XAA2Q`6+>K)C*$?-Y!sSfbj7ANdv+4q4_BfUUwZ@8Uz7Y>>YcUj~nj!=B(cJM;;z^es z?o%>3C5Rjs573QOg{3V|i#ksE7*!CtG!ChvC4zM{t&q7{st=p5sTtcX)~C6{4(q5s zT znVGzYn+piytOk{Q{T1=6yb7lrc*+G{-1ATS7uQu%8BHGzk3do~6FNq4 zJcZs=WA6JY48W*%vjZI*_`=07s^U;pkuFzAgU`Xjl2?hP;?wx=eEpYb<*Ia}mw|UV z?(51GMt>?7dy3-7vrs-rO21Z&Fj#X^6T+D!*K)({cz2Z~OxL%AsB#7gD<0>3Y-ibA zqkaiGeLyWH)+h(Nl{K>u5w-#oCAN$y!{8sx5d^o=uN8d#A0e+q-qirq04bT#jk?1g5WHo4-?OX z%^ua3*A;!B+??Rtz(Z_zz|3}BxxBs7y#QS8&YY*KeVi&0W(*7`)oDTqBQC4`{Z4O5 zB}1KAfxDn+uNaKqhA}L_iGDQ~OcBM`b!ZH|UWrCrIQ1k)(WtBQnJE!2Xa%98!PIL2 zP*$2pJ=Jz)`glL`&6>7J(aK->OdhWH2YKR)oVa<&Z4SPE-&Vea(7Ha|>bUGQ^zs=@ zTILp^$ATg=e!Ei#ot&Jz5pXRpR^({=!%@hZea20`$FAW_rG^U9%;*uyy8OyiE!WXl zu*Ip&_l#w#*{Wg{_uXo$y@8bmn~_Sa8G2LkuE%-BTqFwxf*TAEM$DzTx58oOt+{kp1V?sRNnwI}g9JH@{g8Qtf}@F`e1idvtUo z`<2=2eG)n#-J@FA?}9CPjL!p}OxJ5BG`1Q)|OT0Rzd1_-WtbkhqYL zd^@Sntu=(qg?l!K;=~l_@bu;;q70k`H2ND-)o9}!*Im_on$5Q|K&o>emR8Jfv`r1< z0K2smDbO7ADb1}%y?`|b-hBvZs2XW83Pp|$Rap9c!#{%bUA4$-<$!athhXeNI?5o9 z*A2URe|x*Syj~0cs$@$%_M!Et#O@~)pI-*c`>cKk85yl%osH;J7yS*y^JL4|fE{Be zfhtKo_7871Cc-ezne*cj9d|Oo_Nedx+e+D$#EAXzzf!$t7ICv|!%dr}dOW?p$6rWD zKw^YY0_uBCkvZF|APq{k4x*B;(B2>D^1~R64y+b60)zrDak{_A45z`7RLMi$s8@cY!Jf?b36!IO>w@5z5S4b 
z1jkz>k438Fg_-)=B3vdL1@NGQ2{48_ceT8oRiANC-X^#HHE6p~P8_y>M#hve3bG+3 zJY4z$&D#GNutW|GwaG8v;ucMszb!HjWjk?NY5uTLYazs{L8EW|d!g+x)L+E5x=pwdG;4u6>K)Iu5z$v#4l{UN`q!-a)Ts*7)o! z(efV`ZTMC9HZVC2H3`Kh$#&_L8KL#)Z|`Z*YP))1{*s5E*4Ab`<9RVJlJRHY^72?> zF%vk^ftp9=8iI2eZ#C=h1b;U;pt3Ge*D ze~z>>fY9XZm9lFf#k44^x~sO(m)t=mQ-)+H%wlw*9W7+-Mbh$JvpKey@JdzjDm5Bi z*8I40@+}SR!JPzl=C;62h{?NAA~m|G5sOSZ9j$EO_PXc93E(-JF#mwmbJ79{B8Q2c z?kf(1`#xB-^HBoTuJ^woRzB!YChDSdk~Lgmzl418KtCU;XwoTrR@SI!B~@*23rb%W zK%%**u>2A(Xe}@Ipx~r#=Y)~cduVrz*xeMPlfJ%Ncc+uXY+)B~S}G~KSrP(e(4*R! zqLRBi4O-k7g`0A-JhTK;NORa6xv)mTiecwlpJ7MPeAqr_qe{ZN2a-Dv+og$UM?jo( zQHF2Iz3f?i{NDEHm{80WK|Q=&S=rD5F;SA?+evIoR?qm$mv$dHtXiPc)*q{$$M8Yd zq7H-f3@3RDi9J@zTUzNbtcQOiaS2J3KGnC!mqzF}Jmz~s3K#(WKh=0iwLwVc;U^(J z`12=+H;J3^Ff;OFO4|(j*`StPMQpML4EDt4&6Kbf#?(*bvr?YOYDcYR?0a!Nghl{M zlVK8^IXZl;9CU3G&)iiP$pJq8j?y`U=Rqjf?D*&4uG|TnTmB0l`YrGaq#t47;jUtv z9zTdrBNR4mj0W?Gr{DdRo16!kNLq&DmGecUmBsP#QEd_ZZZP&;04pMizShAQrt_zq z1)SFgt%o5K2h~Wx^DASlvPeb$HD@`{uHNzTatnnLXVotuMZQ}&SjkeQcs6_DV4NTR z5iRYlwR_jY;+$%)B94}?+5)x2y4$pvE4={3MI4NeOLNK~Wp;IzzKhJZbXBbGY-y7@rbW)SMD8H+uIwqL}m1{?rxwRzMdgdiBvjiY6_HINp( z(V7d7^0u|(a{y=72VL%l(p7c$a`?P-o1`X81t;}qSGCbQNBQUN!KTzjY&)LnlLhXL zAcxl0RoL#`xE{-5Xag$$sNU?QZSCW)Cz?ub>zT@kA4i(^+jX?S5V`2fUx4Hl!$uO= zpJqtcy)e0m5H=ViMHBCm-Sx-?JnY#TXo1`}J0U)azcZB!^J7K^V5eI_l$Er8h?&i2 zEh}Yd;HJMbDEnS1(wMkGE2o-$Dj)8@`)Zhc=P2xg&}(JG_U&Gn5WpMsnbwL7_o^z{ z$cVCb9RhhzP*nttXi={dPOiv(-+31tNz!{Bz?2I0M*qsAt(1-T&6UnmNLt3xH47)1 zdqYAJq_)|GZ5y;zVPc#?i`f5RuN;8@~B4FxVKOO@f4Pu+`AkTnODhz!r z6Njo`o@3^7d+zhqoJ;H&aq$lFBba1kAbdRzYc zG>H(ZQnlN?wum0*bpf?g>j23 z)sbc5s!}|ZR(<=6aKW#^jWT(et(99&TQ6DDBx)br3&6G@e7!sErF3>zvyU69&L+%j zSTHc`uBcyEHrNCW&;wdM<$ewm=q>HZ6!-{NXv9zVi|tbnB}e+igsXSgZrXqrX^@2V zCFdX>14F?ApHl?XSerBKW`rkxHwbuL(p+eX*!iwUHdYx55PwG2n>4zvbHc24RUyrh zT*Yy)2*{r!^qHY}wc1dSTTkM6T`)rr9VwKa_l}~xSBk1vW@JYhz4F~b+LeU`A7VCj z&`=wGUfI#ta*Ps*tlcgK<;lE82h7Np2q6D8G3l0niOH8kuE&;G)e8^<(E&%)$;YQ7 z^KOjMwByc!QMwx=Bj~Qh;F|V33TxeR*h3@veVTv2=(ayPqlql4JLVyC)^S;YlnuJ5 
zylP4Is?(xbbZ4UGVRSKAI4@&IK?LOaiKJx)un%eu-gmkp_n6dOvq>MvHW7SoJ6+)n zPHw36XpGSz#Mx@f*jabkmLpXs(jAL1t(%2HHYZ>9pg-)}T});YlBWB7^}Ri|x|b$X zatXe!G3WPiVDT}jRh{bf(qmvFW-=O>9-f4uE=-(0ztE&@XjGFJ~x(KTXh5+$rgg5~Zi#mvO} zry_`Dc7FhN;K4?7AV%D^eYje%2{1jSa@2|s0>#_=TW_4dQ|Et|o);4f;FMki%u{m` zsA!0r2Bb@}*B;q1&=5Daxwb%QDo+LTytW1)fwm>I1+=L?aGXpI7kBYhwoeq%^ff^U zshCJWJ#csF=VY~knx8CZ#E3rU{n(=D`xI!1F9A*t4^honE(Pt5RWR3Nt31e=)FV(@ z*Qc!6`@X5Mm>O6l^ zgtrwaDlQ(q`bSe4SfTuwYW2tmJHsl; zv-qzO$od1VY`jx_X<@zp6?k;!tPINS1zJaBxZlH)^RA)VCdUlEBE_`x zf~gA^*hqvIUBOn_LS8!t^;Pqc{Uh`#W^)j;tVtcX(o>T)BKLM_%WBfV9R5CTbu5~? zURpaUzS9Rt2EN6s!i1z>{L`VWDupLpU-)Rv%NH2`3~MTHJ?uetHT8nY`cPri>sx0^43tkhjzGxp^hRh@P_?1uSQ(lX(-Jh7*4Vll}U98p#eL2w*kq94`eWnB+y<;R*i2RL4(yh#Vu` zLv#hhwKq_civN-hrU=zUu`EV?0r%cTVsG5$I#S@%(X+Q6jIu;wmVSJ3+$Y*6J?s%od)yp*0?)6E z*pcTfOxWf)Ido0zls8*0wpVO-U-MqDc(Aj&3AM~FG&DHc?M>Q<5;x(zSYO#)rEww8 z{$_wMDkD=;IqQv-_+^M2*Bj^z%q*V*fthB&d}a)A<48`OfLQV;H*N{y#sQ9{?r(0~ zLMH^I_H$CDnb%hbOS(Z$QD|72tn{JDrYrRcmrYFofjMBTZGwz5q?rOPw!2UvvCp;CKry9K>8iKfI7%ekH`_Yr5) zq;J$ifIBk$L5J0#uwtd3+f21a?-e0IdI&ZGYW{4qO0MlV)kA?SH

IFI?CyttrO@^FaWP{#Jh!pjG`n&xql6^VO|gHMb-``rO=B zFnM&m2wc1l3$8k6v+uNgSs%9Y{keEoc&quE3CyYnpEg`3Qb>NM*yL@Ym{VX@ zRW$DV@u9tIPc`UDzK1`s2na9$HzoJU+f2%_yJ|?l$uDiZ9qdEJw#v@eC7oQ3iH*>$ z=dYv~R%-l+8ik)4>0R;zGfA=oXZGY|5B?^xcEmCGPE?1!6p=>yaP) zC1pf+W}RazmBrrs05S;3dX+zvS=_=JR}b{HNL($wr)$3?O*fX<{iFM~Z)c)i*-!HB z5ZJcIb^R)ro$pI_%}i>43?q(EN(V+0$u1xRW2>Ji*XI(`{(!R+{#3Uz)I9uZe%$@m zLse}s3n96B??uvq+}BG1Ij@a$uJyCjii*nRAM|F8|JD{=6cC)UINy|&=o#x=bH-=< zLTmmca9(^#Oo2Bp`pSUi-b9SP&h54Lzr+hpM@fnZ=_K8D@!{@xUhN5PG|xra`o;g4 z7HI=N=oeq767)h)k+bO5ufra#Q8)S@k-q4xv0?^|FXG>_EDajQ?Eb==U%BPh*bPeD zb7?>0sGi`X?}nv_(kFT)Bh|V&9(019CDmz-Y0@-Kf3!4zB4PWR6j3xsWxU&DY@7>| z(lK7Mc5b`fmu=LGR@Of;_avsI`GR4bxF582AygT}5t-+**FiZ&sXgch%QG=CSpyPc zCD)Q^GIJAPsXHsfvyZa{?t^S|{BXq2B-zd1z&#-F3|3Y2SZulCg~ z`1CtFdFFZ)?^#bws>9)-X=oC*)H5J_@M=_lk$(Cu=WVr|kQ62c16@K9s|f9bF6K!S z1sI&&;@I6Bua*1snOIl4nsW{*mJ$s-1mI>JHMYkD7tBl{@57i_8_EU|rb_9P^>&X%J%r|f3)o18`^LUzU|3OAI) zYqyrdStLiyO{WluSHOdiU+;{$yS~mW^gJy4~ z09GN93f%8jd_(nkBOGXkwF2dahqyS=-C(~-C9&&#vL5=irUhAE1zhK6Te2|k97Bza?Rd^BkBop5FHX5Y27A1y3@wyPIwyRZU&Xp)NHX(0R znYWzMG{>4VH4H}J75@HBEr=wHENJNqBRv~OP>XA!1bUKQJwOR0ubbAZW?UX8LB0Em`xfk0<=hq$gxT@&$l=4pS zt7P2qht+8-3f;(5`%15r#iceU%V2{3mx=z;j*WQ_Fqt%8!8`Vw!k zN4UD}LBFak{u=J;S=!|t$$zV4lQ<4h17ao;5kc-rwplbcr(z z47pSNL$r67#zRu>3U{`9UFenZ?Xyf6L1b$e`iJO==rcN?mFrZ@Z>MW{O$nLSxwYHP)u+|<_Ms@n3sp# z8Sd?)shbmJeuNwxp1H`d^&zu4IQUSg@z`c>8MJEoSBmM*D;JLgoghzU-$4k#0IW;0 zYPhJ;AmhoK^>7HC0-(apEiEM`#o6z^*X{(Up+@&axba=w%XjJeCazUR0MNS?R>qQK zJJ0MbSh(I#w1&1d2l(iw4T+0GPi5L@J2SKS{{rb1r~?}fM41y4YfVlzXsuZgBCB|N zlQ7oS^n3oTAk%XlFhONZT-x=;(%pRlWeE$-v27*Z*#O(e^7KF7F@vU5DUb zbj-js_8=z#Yd5?X0YpTR>_>oIFh3?z{Jw;H-(fKF`Rnl4ij%_hgm-p0k>-16NYVe_RhTGX051crIMH(3h%yR8vEvsHNo= z$g#xy?K*`>nRe^>rm2pC_f7XA9+zcdH4A>L>VJLfJBCcL1}F`viCJUIB0SL{2*hRlBPbkL>iW$wJP;X~vXJ48oH;r%{ ze8R|#x(*<0jnvSoa@;+!FJ643ez+tGlEb4Pt^%WC9}z8wf6~e1r_&m^x7MSY;dGr@g)gFgvXO{I)Y9Cj(M# zQCzvt6?gW4iU(UB@IjPv{J@qVyVXqn93%4HEr(-2qh_>~Gk>79ONiWlwqLHkSIhbY zCSmRy{cMoS*o-RznCr@%v5!>yZSSa$YCmX}w!sq=Wqw~Pa*x1xekex5!m-q@w@ATv 
zbN!xX2J?4yb@eiQ}EITlG2qATY(s6&V1h!u4qC$2rJm}jm(@A>l%9RRwplTFb(ddOukF*N};RrG^7 zu(JLhIqE0&SA6R(=Ey-Y)3Orq8yQW!D4Fe|I1DIe+;0iX@^|VOxF09uX2(zg^>5Ob zeSg+7(>3R-_8b31S{JDJ6JQQn;eMW<{i@UAwD1d}%>YyrshasuXdd5AXsWxOTzJ+| zr*J>-5x?5v>SyGf6dAVyMJm<71dqRWq3{4PC+f|r-qxAlAI!jx@Ui!x{A9!jH?7lm zO{a8DU+3C0UMU9vTV1PXj>dBV&aeN^HU+u^8FZ$OR`+jhEH8|>wwHo=aNn3WMGPOI z0yoq-Qzp`cc=ZiF%$6_>ROr!!Y0wnVDqz0`ipeTlSeqWcc>Q`t^8EZfcqd8)yA`% zzXPHS0~daa2LYa7zKDggL5+??{O%6*ge?dy`2q&|&VUNg8Hp5N+)P^eikyIAt(1Yn z6sYI8%=6dX@(8FK3L=oE+rN1Wu0^VA!P9>vT+2s58fv8C0Dl{(JWIP$NCV`xOPlFk^^Mx!Y=0v=CbzC|0k936!EZachrTs*C~Zx!t9DrUX+ zo4*XyH!%O!WHuUTLx-|flbJXh{JC4N?*N{;Xjx*wOH9fJNa)VS^txcs9?1$-8Mor} zE-B7FXJptlfD%tEr~#08qGNXf24`D1I%OO?il0$9z23S5d}<@U8tP~8`FqYReky6} zOi=@ft8Mep6ygWB-wZlX9r`Z@T|AWr_2GKpQ|aalL63lSsA8$}LP&~B*VR{3-CHDD z+(qjMGIy63yy;eV6Dd)3br3`n?+&dE-7QdQ9=)6AUj6e^4?+E@lt#`1UgUOj$qWw# zFLKpJnXZ!%^}YsVfKjw&zcR?=1T+}qMAKN4$ef)5knOw!V4ho7nq&SRjMDXjWYrJ0 z`5X&Qi^r@?$rA#_KsDXIB0YO)T?^ReB;Lxh4uju2evo=<$|PuQ8wA_BNu|%sKUi0+ zu2y;#;%ZmaAfTLyL6o8qrzZteC_cvVEyXSPO^m$9u1_a<)!L)acwXid4*z;Q>y`=( zLr`8UZ3FB#eTM{Wq)!hT5&vtAY~HK@0+X>0R~=$%*RcPOY^^YR_C3EM=-B@}NF)TVCRC^{4hoG;^U)GF+P`>28aBvx&b7eJ__ zY%JFA^{l<#<;ttQ|J#Yk@KZZAj1E0Dz!L;ojYES;eA8KPK{5ypp$rWEA24yPxMkt) zAO-u+ZEfxo*&5NbxpB~BJGjc2hs(F99ZTy4jy|xIuqjm(8V5+1QTJYf!U*+iAf}Y( zu{gE{ni0v&yGbR!FzpeyZmqs7{c}eAL)u6~p`1^cShUqHeS9};4f5wYlFV^qOG`^( zO?p8h?14mum7iwQ5vL7YL6LeinEX0?h)VqC4lo-5pwOj+xgU;A_*M!AaJ} zH4ite7?U~Ed>%t7K<~BrS*q9ynGbYIlNib1QEk?Ll#?^J*oQ`q&(o)Q|6c1@pBTM2 z;!7Lt%ePSEUgsU5*#6IgMG!2Pp6lCDZ3WnPW^stmW%rd*{~ho)8aZp81pseUbFBS% z`&^A!MP%>Qu{OsHR^!LR6AyBn+jetH?!aKDwkWR*rDtlNEm)+WOv?k}r(UHj-Yi`< zce1sX@9t^yEQ?bt(;2G4jTW6#82DJdFM!1|h^xxCqsAb1?VJJ@%yAuXFNaO3-ircC z_Aw?kG?ZLnTFzyVSX!Vb296yg2^tBd)kaO$ycWGKp(f47#JEP)T?~e=t zoBCVP=H*8-ptq#5QN7RkXS^ZkZBw*f%}N*;BE8*xa%MsHGw9D5z2M~pB}X;oHcae$ zcVk?lb!|EJcYu`75dHhRI&aQ>Rk3LR|Wa z{2<5y4iEQ#kK4oRx$L1p!2+rZ`eL6;zf}eGaB{M}3F!aKT^?NgodBn5L8IA(Hotb% zaoP97?KfiLtKW-p>t_T=4N^`Tjgih?J42KI1iNv`2I!mC9==|~;cGF%3$OL*@9ak< 
zHu`wouXf3)cB)SD>dOp5N${ppf?)fx+7T_pXY^uBx4h%_*z@@6u4lt90sl7-Jee2C z&lgCKem{Bds4WBEJ2^Dl`}uLA>Hbn#{pL%^6{GaX`!HtEdIp8*P~9?MU5U+r)am;2 zz_ZtVFH(y4U45H(Xl|JXj5f|}Nl>(>FE6wOT8LA|k^v5y$W%@G*w8QptN~5{E8!fy zoHVTesix>e)IoUXHMdohT;>t&tE*A*ipIAGPpmMQv2C@>Ey~O6W@WsaOIKX_e2S`E ziIUC^RGL^3G-vCNexgLtR9AOy{6m9nit_94#x!z{JL@I04Cxls@1Fq{T zm>&EN_gEzPcKEgc>NDCuy&+`Z10h84nq~l;6v{$vb*qBH@*sNKHySj{?+UK2?0<{+ z*zVziN03^Vq`B4;rQ35m+}khb9LAPeqHC}%ZN=z_0ge}W^9RIydJCUXmPS@ST3v|g zBE~58=6+Ci4r%u4PN~AVEh#W->=UyQD3R#JTp$UJnq+;uCU6| z@+27P^4QWf@xEh#uhKq9{9Ys3^S-vVkj+G8sGeAaZ=g&M=9ia?j5P2qIDEh6V**NY zw<=`@c`=7`T?Z?S7W!Xcr7f&qImQfR)q-aCz%4V=D+?DFwx2_Ywr4cbfTV@9X$%*$DXiBaZ&Q+-0YpH$`7)tp zKWKxYDra?lH;h7s%+?c`_Vn~Boo4;xd>wKn)C#Wi;1NkfN3~XDDyYxBS2^!sbco8V zf6%?&wJ08?*(hW~660Pt|9*aIEvUi}_f%dEHwOg(cE@BK-wtczdUed_T(12IE@L|4 z4!~vHdw+qkG-*{t>BMhv8Qkjie}Kz+jU3XmPQ1u~_JNGU2xi9Au-A0|%*+ox6>0t71rMcNmd4y&Gzb)R}RmHIChy$sgIbNzcdxEf~GW9`{iw6D;Ui1l7eSz z`!L5=fxC%g;q0+~EXuG%411BC1llV8mVBw=GgsKbnU*`evHwN9#T1tf)iQC=GAvdIN0{WlI>4wf|@gda^kqXqeWmF&I#mFDDK7If176m^<^`z9ZR>_>Z0G7fF+dhi)M}OTqWj&W4Lg3(eg90+RE%w#-D-0ION8qPN1@~SOTk+SRgEMTetPd;d5`|jO4Dm6f)=r+c#WBUb( zMgM1gS+WCH@|_oi_}srCz38d`iS&|lu2Wg_J?F`NzlP=bO)R=yc5LUdl){<;K6|hw zu^9Vli?vMlUdpi@PiuYE%s}q5eo@Fv3yX>UsD}AxK-u6?BqC6T`TDg39P$LLjp-0* zTmy?D2W+;Wks;#~%{;R@l@xR9iWWvldIpISgrTJw&qgH$O~F@lP2|bAPSL1&dfWY( z$o}el@#bC6Q5>tz%e8wTG+`DKF!19L*U|otL_I%HaSOHWh~DcWmx)ww?cN#Z#U$bK zUayQzO@E==hi~hsy@1$JA%es`c1siJ73Do{c&>LV|FlLArpdU zWPeQ_iuq!`6zhYe9Z`M|%yf$b+};iYrJam5l5=r;WfLj}4OGVA5;ztOnF=sjVzB;m;dN$%hj zK?blAO{ct6Uh!A()UiMzlrfKWzADcEsbJ7rco3kblU?B#Wr^4`oA-Z3p~QP8O7L{0nO* zbY)M?dOO^Q5|$>tJpJ7k<>z&xc}$>egf(SRVhrWCv;J1A**jk|-RZ$Z(47$f-)EJ< zIiwPzfB*`)^Co8V0nU5JsyaUr!#X4|)2{2RK^q6bj+n&wd&{+dRGNg;ibR7vkSQqg zXt4SKwwhkU)amw0^_@-8W^?($T>~>eN6R?jQ!3A9v_`Q8(WDcf%~6|*bq0m+$}RJH zb7SX=boYXF^2PZ=+nck<*UywOg!w&i&(Cj=1DwiU*k?sT_6e0&;;2&dvekH{xy!tZ z7d}GCeQ2q^Ano>s924bx(%@FY-W+6YVfjr~d)Jjcmd)0*W78n8Ty1tElvnEB_8Au2 zw@#L~C$J--^OMeD=WDmI=4XY0_?6DJ=zz6JDf`5-ZN`+JjloMLuR;Q6lG 
z-fbuWTw-(2`R&qT2e9VY%KE)ro`0>dy`m3{WSk9iMFce2-LVSwBc}*8$hdN+QZnjx zxnvwqwnkpJx$i3S7$9w;0eMZF{o3H(sK24H>@dcC1pm-5gZr5+oX?+w*+7rj^^WbJ zKpwX?&Wa=`C-PYGRA!_d?5s_EQc0w#$i=iU@ngNK1luKen0!`?tF3kJb3204>EB)&!oO{bIPJ$gI&B4NJ`a_;R3BpvCYTR zd{|*WL_VJsTGk;k%T7GK_?zfU(*wdIkt~6GmQMfnwI+*{MK6JNlndivxjZ`k;*{E^ z{s}p3UEmL5Tgic-$P%e;X;rn@mXd;pQ#XcRA60mzwALgq6Lq6`pT<6fP5e;VTGEiG z%vLMgal2}R%7;^w-!%+L6G?^_#lPTm!ItEGV&Pr8KFvbu#;yLl-;Y3}$q=mbyTtN( z+_{4Pz*~L()rL|2B`&KXd{k9=Y-(4@?5g#xfqUHrN!Mfd!OTs5SXr+px{JVvqNv6+UNhaUu?>eauc9MHPGa)VBPcB1TpebR7$*%)rne#XsdY3K9u5k$JlI^3_2?odA0Lmu z=u&obVM=1XQCUi8^URQhP2od&3{Gr4zCk3Vj-6;}@VRHGfUJ$6G6kur1``qLzMgSA zVI+tq=zrSgYNirQ%c!3%4b!b77{ml`N@m_XQZkk+1j7j3RObAni3%B{uFJDtWMCK$ zLv2%PR7aI&6&%zu7#J}gU5j)8aIk_x!)MN%0UP+%`P||*m$=k2X^f*@L9pbltcOsP zY#6`?(RG2;{HWCv$46;EzUaZ_;hM$DD;StCpY%M;0e9_YDYF<d;%#?(i4<$zm6D_TK5X zxZ+!UVtdt9%;yUSzHPyDA()E`jc8kvo~jUhS_i;rtUeCBlGZWv2qBHEJzF%nLzu^q zkG~)LVaTg?um_M5ES&6Z?>RX-Ks$tDg^DKFz2Fq0pjFkCj}4=vSuH2-eK&R70cMN7 zHQ=AIdZ=%DVf7w;`ALw&yqMM~VT0=--9O&x;uxDZG%gmPtrmRIW-9=;I8)Zehfs_G z2nHJ(FfpO!o71j}C19)Vu*SSw2E~mb>jo&!2gjX88mM@x_!ozX@({=Q3*7wauGnLk zRj1r-WSWl%@phZsA_oked8F!x*l zgq9<4&klEvkAyq>bi?i;Pl7ZKCtP+Mw9QELDV8eO3-p#3_v!Pd`SdLfy_0k?h(SqY z(+}mTQMN#1hZ>lv-O2a~RDfZSNFS+whFVceW(mxjoJomvkKTqq@?H9JZUKn7!tRP$ z^n#ls;j6&=4`aL)FWtKD&~Y0u!m98QcpMS2HXf4U(+GtNMvvwA?1LdeX&9K;tW0N; zK!9twO>y_3N9`(bu@0ognv*`j;A%~`1quXBFWQ{YtB23+I|*bNVzOCY2eO{1u#2px zcmiC~(9VD1l90EY*uLw@Z7hcAUokeA#Rn(fovR=OcY*5>H_D%DA=U1JFt$zj%a2;l z{3~zmXCw78Zz|u9K+Zm~xVzov3cZ*X9YKx59^2PBYiJ?-#Ux*$e9*4v%*X_4DT-G5 z_YH#%`EazU)ZMa<)esMKK46^gcz@fgiC;Y!t9-gBoM*M|v{Mb804NpvV6p03&P7?U^-U&VV~H{yHge1P(?9B&v|Y$ zP>{51OF2+>2#L23XvLV$?bfgLL8H}_PyxRg$>1b6 zfK(~F(V>zW$eDV>O$-`?A~%WcW&pCD>iCMvHSEa^hHROV<)4yH^SRYzGICW_wX&#JKFO^G?(qD6z8Pn*4*!Kh))C4kXR!&tw7MBNjxx=)Vbng9Ri?Iu(mw(DGR>>5>#z&5x)d$ljaO@sWQHyj( zGi6Fzr`HkA( z;rF^{VK4_F_9UZxb7C$iwp7DsSKiuhhsiAJaLdzHK9qDRa`RnZDWS-3zOc~&uq=ON za8bd$XIa3Am|T;M{HBKls#YE){dzPLJgP&QfnhyE|GCNoCjya00d!pS7g^M&GH$QE 
zb7>M@YeM8#jB8*{4~>B`DcW85AAel3(J7?IL&X`RG7iFIW!%3x#E*$U4)MJ03-ND( zV7&(X=$r`GD_}uk#-15?J}N-8Cx&XR=?a4VmA)O@b*e`1JAY`n|GS(G8H=D@Bok@D#;>5wVovUw%&srhOVIwyUNKmJ3x&`^8egFeGpLfVQ!j9k*%Xg>F#O^eIvA!rYRe z&#y#7L`@bL%B$w|7kTbAGMgaw*?qm)zx{sgtkb9lx4%w5Vi@3YwhPTWy)h#WyLht0 zv2RW88|%BSgYr;Y7U(R+^_vQzJs_&u8v)M*#Ri9KQzvO}2D}KpSW=FUgzPzNM8)u2 z`8*|Z@cQ)Gw0@otlS?W#UYJK6xI*VvJ-kB_t4WBM7^rNhHhHeG5FBHe|A|VixY#`_ z@taEgvz=?`jd}FQ+)0(_Nz-nqtB`-I4Adp2sTekwb}*MofXc5oeroPD(jH|4(wNG#C2p#q=4esLe9R0 z2`!mXjx|f~2gH)M{B`Z|GVKtMCjMPs<{8TZN8BvIizDiY#`cw*w|aVdBOlf}=HZN` zYd)Zg#Ow;?TQ!r|6c9bvE&$9mcsR+Iv*wuw?CVvg6T=wMETHiL6B-C6yX)ul1(Qh3 z9ZuPPiM@9%;*wTOq8E8r=ydRCArV@-ibS#Y@HYno1#z|Mbm@h1D*6%YF)RG`YOEL< zRYgoc*@J{Ka7G4a&oIM|e{K}O&j-r)ihTr$_it1SH^oc99?;(#O}(nArxQqesMF#2 zpf;r+8vJ5ZI-ILPKjO|vNST|W=^LQua*cW*QlerISRM9!DyN6lUePEWRENrvawt8q z?AG!PNn>S$&ML@3{U{_jVmq(DV;1-v@Fw}+@TOosR|HLB`{uQD`%Jr*zEaTRJ1@JI zIffU8vK)QSgaUY&%kp)NzVY#a?3GT)t_hX5LjKzYwZ(52^HvY<7IMBCFRz;a-l?4g zcX5T9Q}QfhPv!O(@RSXA*p8ha^){F3h2|B&JXSm?V15s9{t!I~jplaGiHFU=Up;ra zw3Ijn4wC2heqp6mvz@dhtBcU&J8wZBgp+MX&5t!BdNuu-Yu*=y-69Bl z(v*K1hG+q_nHaKTG)qUvDwin5JT#5$icB%I^yW9YFu5oHsTHX%0$3VmK`JGr?FlK} zc%^%4_hz1nVlPU-FLbrW(*4`k*yifcYM=zDQafcTO+|Y62I~=?G4U8oRbQ%=Nln;H zjtA57v~ulLQCaaXq=Or|4}8-Oj_$4o#s6k2`13`JY;rOXp2B$jwpaTLI0t&w*{oOV zyuhRl&df^=ZlE;p?Zl$Y&m-42x`qVh%fqPD+-u|2U*A-0qV zVNnSzU~ShNEMoKfyiThTY2nPwYH~u>g^raAJy))eoeNY~4jHy@e)vxi3d!ipmoLtv z3bXv__aEivDVrn`E2nt-&-8)Q+^m5a*oAi}zwN@f0nqX}a#eq3J7Ud3nT2Gb?;iej z2T_nlAM66(lRAFMX1pY?YhQFC({&Fk-6v0;Op@$C7xOoB&I46qs&?0#cE z#zOTpH_N~_4ug2TISp6rbfZ6%)1K~2X!mM|9kzKm_NcUP>a$OHlRCvhYQYr{H1``>A=7R#X8E?2-XJGp zN{_tp!9TY%t|@PwKckNw<1R<_IV=i{j0wzVN2#8#`Eez)Nj91_2~>HCK{>P*_>%O{ zkm^xv8*q0FA-WG`)XYSj8u5-!O9tL&luF~ZaLJoCW4PvYvM3*%L-=z$ZX(Sv$O@2S z*4(t_9tsawMSIjh{@><6U6)TWbXG-4N zqcVt-368SCeZfg%*Uubg`Il!FY#h{-|K06b!Mj7@f^9$h2p}c>*b@Wpr#BUTD{0VI z28XFOaIY2>6^+=xI;&Nt-Vyjeb@_>(_@}`&dF#UPqas9VMusU=J^$yD=g+S-Zv%{m 
zf^gK$-`>Ub$IRkjhY`maBWj}Z7aru#*U44DVSl%1G8lyZt85*5iPA^*f@0p?)-06?*CUEp5b$l*J}4)c3=QFIr;hDe|m9HbN}Mt-z}Mf$^Y?^|Np+h|FE!{ zLFA=?UB7VXgpiWz{XQ`vCL+=#aEu2AgT+KgW1yMl{JaB1oB8K4a2OB=l&nXSN*$LG*baMW%rW;2e|6t z0e6O9%*33O5Nw_@w6QGl>u!e1alq?$V&MVq)4!v;w*ZT60 z$JWiyeeYUQ{cX_q?P-kg=o`wK!!BXJ>d!Ti@uKB4kKGG0d~`c^mIqR@VDM^uI3*4+mMSxry>$tiSCIMNyaUc^Pp!Hque>vs zlJ)>k>FIK9E0R0Q!py7-EIx|>_26c5PmQQh50+IvJ-ly3D0V1C-Y5c+8MBWY zLGaFgy9&K&TaIb)xPq8Dc$zNEe!hYeBx>au@ca`u0mK3F@_K;JGl#Z|MeEfXLP)o- zHg$$cNV`irzr)~=oBwzbOdu;kpvDxS?C!(>XeZy7^|Mzt6gY-GdGiY!G(~B6#zRed zS->tEmMxE`Gdx$Qw??TEdI@|D?Z$s-6=(Y(!z*+XCdA>hW+bdHDnX$;LHEj6$H+ZV z{Pya&8jL{P?5*kC4{>;*Bu0R~R_dK8J0< z?H|lDnr3gdz92uLDd;835)$r50$`^Lu&y;r0M}|j%csVAv=clni~GYMSn1`igeu$u z2>-tn8P<)M{IGEwoT#=pKoWz$*4@UY?^Td}(In1rUpHSNz;&qVteFGfuuR zd&1Uz;di!=${S(3gLWR?!1|sZ1+^{Gph>foT`=oeBCd(bR>2)E^_&~_F_k$s^&e6g zv}18E4JmWm0-1k(m=wCL;Q#%$f=bPQ{TAX_->~9p`9!o2+y%p9qyEIzwND3O(Vtsk z*DQs-*heRLf?Z>To;-fx+x*Y2vX?vh=SHbj$47;`Co0e#pUY+aY7VvLM3$gHUs zER2kd*_R$5-t#wC&1^OW>DlfSlhCYFP!zTBOTf9b9e5pNilO-?C!1O?Z}U9(_zJW` z+wY94Y!ZdFk+!g@btrA^uV24T4fyiib_4}am~~#mLWt<>kEb2q!uV|5UX@8w*xy%v z^EE&bro9K}=8O!yh{2_CEen5zt&WX@Gu*1-Mv4rZa%I0Z5I-Gz^%yMe<5%y%790;e zl*04!@{Gw|lWh5D*fO zuG!QE^MJJLZiM}*bWyw$IT*RD1NIM>6z#=E4d!F{8Y1(7gOTJsu*x==ul-cHJe(Y1 zL<4K~J?bC_TA>^ZXTWq#a3DumOLKGqKEFY=!<_yXPGiVk6?;wi)+fSaGhuvC8K=S~ z^@O!MM1-EcEyP0vl}n{OO(F#!g2sp(*aKs7-M@c-6WSFc2`d^n1SFsYz{P1kk-&yO z1WG@ZEog%HEcv2w&yg=K+`87Jy@_Z)yz~VE!eN^MwEcB;av+Jz^K)OCkQ!(yzmXp3 zVwTi8ri1PBZM>CLEgcxug_?InkWyj?LR(8c4~)6!s6X;Q%KNI4yzTR8p`NF`iEiMd z*4s}Zke9X;w%2FyQccNJx7I)d-z0P>6jGNJTsooVE+VDTBmMjQ$_Q#gqEPLaRCpjM zBq_+5dl@6V=CS46b@15qQi9@KF#_M~Joco1hsWA?xqtk{1l>5?#;E$omr*UcG?lT> zj^>SSjel}RuJ_=rk|Q_qI=?vRN78eiZySt4;_lwq1{`oSCo`?p$;RFTEYma)q7oEkeC&@N(gEw(eAOju#qYK0*D$ANn6` zF#Z@!99g;b{q9t(pCPCxmTrFA%C|K6;z3K_(}~yXlYge8K7HAd(bFq*iEP+>cTGLA z^!z%iZCVF%KD$&tacZcG2)4yV*!tboLj<{;IL;e2glvj=IBeCI@g&t7r+tdP;FU~j zAKGZ{AGu7&N>9?#Dt#XLiuJ*UWkxX`V$^a(JDlbwf7CYSuT`@mriw$FD@>=?kKckq6)dVx~kMf!pU;? 
z-4C12+52SFi(IQXu>x%H{;JDNGFkE8=APQ=g${dg9tbLLht&5re3WrV&-{ zP2xIjCIN|hd;#uJuqWHwU{J)~R3aCv_-Y~-jjUB~NXCMoAP^en0+!-ZHM&|%=N$Vrmfy)&Vn0Ebqr4*yL@k5r5 z4)5okR7bWjy=8?KF8dJ5jRFE`JThv7+3u8Onh|BmhId{R1*b!BW9j~{JGJs6b3FBt z_sQ3Hd>7A~WDS&h`S+7ZI&TX{w`E_yu-Ur&@@w|9z2cJ_X=7LfW96v&mPc>Qz2TLY zW`1)j$?byU``H^T`^(9{`bQNuxQx`Q%c8SU&BQxieoE7>cSwJwVpOauMCdrjy)L^b z``ROddxv!LxqkW+je0}4{D)%F1V2l&6qxL{EfHK-f*n4u%MisrrJC*2fNN%OWPs~Z zNT%8!@WQ0H8xLiQaurMip|`)iS|gL3L7dSDnWa@-2$`MNrw^gEz*%8P+b+LQLD@_v z<-QFnp?#UJtz>NYolHKrtr2;N+gaFyP2e+}1Y)O^8p>L0fs=aD{sbsKxKmP6MnLj_ zYJ(xESYaocgV=io4jHj@->t97$~BMn-%q1|Y5|sK`uhRh?PGEZ_Ku^B1i}o~@6crIHg)!T%2e)`SUuM?TQ*P0F;!6bg zslELrF#8d8U*m`ZZQo!A*CMD~Uib#6Xx1mc75v8Hlu`{OQ~qGB(0bZrR6|`d_*Mkk3rIVlRvio z3Udq73VKBdsEla}XQb9nnlp`KXVKF7S!@Q{g)})zU%~o6O46K>?kGe;HB%=zgb1w# z&mGvhMIPB^?ilDlo4jdDtlp*Q$24SR*c%*zSG~2%yU3zqfg&DX>}>6q``ElM^t*6l z>r)+1x~A!BxtjR56HE)092!+dAdA6IpV{X)7!$^>+*sZ0y(KYTq-WHDmau zN5DYl(V%1b`jkZZez0^r#Ht|S{`&9gK?hDF_&kf+wvT$UEq~!C5l*8Eob`Z_FuDOf1U>rn@SEewRiSV8M*^?RGU)g7XO+p?ma3267DEG!LrU=N!{}(DS9x z$3U;5q^dfO)zNKn1Cw3cm@HU z@IJn5u3hA8zq1BpBM(8CrY;(LI`I}*< zaBE#@p?;Ne5buyT3E@0deY`(7i++T(4lJ4)oY^CGRjUFZ)U&+|A4lR@EaoO9foY)r z6akQL#UX7m7j&>-;djEqNmy;jiO3M{jOru48Q99LO=M?ia~66|CO`_7xdkOaeH8cQ z%eNs_^7{VL7SAfoS)r-+ru*euQ&{sq!CU9Hg%u9NwM((noqpnYONJl&|EbvTT?GCM zaWf7LMH=-Gsj21pdsC!DPXi#e-=b0Q9-?!h4;C4x-e35PmV0O#|LYxD9cSxXV~6GH zEw!UVJl-yWXqw}L*z1<2m#G-ii3z~&U`qc>6xnJwvpQA&rak0lbo$TL;kx5$YeY>S zTUAgLTFUJedpO=V#W;-8zea9r19BXFcusu1L>*O^daSGNJ&C5`%6QsR=&r)$ zLZ_rn)74kKmilYinNdkYgIy-|JEW&)KN~*hk?wY@AHi8C6k)}r>-W^uNiRsj|&O?EE;`0A78`9^?L@J9qCA?(#pjqj*TXx`eOK>3dan?4T7#Mj621 zm2Z-9E&mnkrLyC6r4n7Cs7zf}`JEz`J-Q(hP=&Xkm9q)=j`&09HT{`ND*$U_eR5k5 zxN(dsAHRQ(zIX4-!<}DH!u|2arY6DjMJwqicv7WdiFfg*zB^@xtw^_G>_ezXszduo zYi3;{=Vh5{SB4en1oNKQ_$274Cc63pFbu!`mr`Q70~sM5e=2o>0z`=)_b7f^FikOwqcqcWJ0l%V8c58Wew*@77>q`-w*swzTSnWCq z;L_j!z5PtOWu!vq!~89Ab&H+8-@k`X>-AapZ=D>&`*gaWmzs4Eq=-X2GEhn5n(4FRwr%?lXywQVYUUSuvEqU)Y9V>)3#x zStkPT*nE(XpI!4jXC{!OljmbVOs?jGOSKt$J4mUpWyG4(+Gd*%xBgSJs2&BmZq 
zTPL}*=AH)9-@>KxCUJsU67|9Pxb<05o}|VB{ka<%9O<;SHO`ThhGLCAw(iC@5c_r7 zNlm`ej`!RQM2Cy}YpnBaTzzE&fIT1;>p?EDaq;yAifk^=Y@xb+$Lk9&&;M)I+4yOSDdD$chWX^^yOspR{coy(y5A9`-M`3EJ1-s!+1u}*xJ z?h6NUi`Z&%0s=Wh&~BHzZN0o(xj9j?&3$T%rq@3t{^0BYbic4c5Od0#caPWf3uUVK zSrR%ygQmevGJV0F8^^|n>*PwyaS^wR-F(ludLI??`fXN`u(#w8qPfM#5ag9I8 zsMHcM;x~BnqFzfz^e!>aEq0LefG)prfW`=@nyU)@n^bN&tZ_(R?URzz#6{6a zs%$3(lVau`@pOxs4!o;eGOxW+VAMw>-`Be8vU|JilGhcoq-c{ZoJ^A=7W=*RYdquK zsQkXT6Y-aZ>KBq;RH)H(MvU~2I!uauHPAHWDC`hllMOC2-i zEQKcl%6O5>p=~-iad(0nIJMKvVob1!HWyl2FvENSJOavKD{zZrf%dltfQJPXnUvFl z6NWi$_qy>z{xkv9@3ff=o>xmK1H-Z;s`Td`26Zz7QZ$T7L_azXGRkr&8n;EQUiT!h zP4A(dk)V`L4gmj%zVGI*TV+UPN*Yv9Ur?|+T>kF&=@6aqYf&lCjk~n;i0i!w3Nhi9 zX5yYuJLU3jJsnv-34i(0kQqWI$!+_2kE=INzUK$U-fD@Zx8hl|;Ci~?;`&3ryca~b z>vJsjJD%mYF+zPfYov6)lYRvgb}!HwX}wnb1PxlHo-`kLXD6$JMLU1vepHaTyX&G0A7Pue zmvM=z0YMS@@Ymhtr(m1!JwIAm1L%NI-gKaGLA}rqLeOB3L-LCZ zYI?$mnN~r~Iu0iTE&g$aYi%+F1bGUGqSsqWX@>z)W%pY0gbB^Q`-Bmz(45=H`4$Pl zF?RuAa`L?F%Xi>(e(!idBFKT7{WBRaSNLv+^hI@l;F5hs@$RxiQw<>6l$X zhRf}~R`FRdjGpRsk%@-+CRFI5iS=Cn!HS6mc}C7=bO z7)sx{6L`L=3&u*8m2YJ(YQ%i4q0H<2TD<_(N?%97RY_?#eZkt$*NAQnx<$0yjvmd_I8Kapcts03ElNR$w)+4}vXHP~SiHR_ zk)yw?nwy~X1-cAUNJnjed5ytj;iN@0=5LAuDbOw&$-*dv00#%|pgT5r(v+`XuQja6 zEn<`_(g*#zxkmJtSrF|8z}_cHb4XfVKQg-oFrr~m<5QUGiI zN!SC#u0Ay_*<|adWa#>f=jqaz;i;|Ac@Q{pYWxRO<*+EDRZ286c4F^6qg0AE36;Q= zjoIaU7s3^Vrx2Id;k!LG7<^CD=zROF~P8tDj3fCp@zC z4ZQg7eU;syxWh0S<(EYUnoG8Lh-roJ+Gg2fLG;Q^7KhFwk%&#-FJ6}oH?m<7M`5(d zPmRcoOytgJEvOyK%+w>SMI)S=UTbIar= z#sl1U&@JxxkUl^>7>6s1Z`6g}z^+U1d+3akrE;BV=p!-yYU4CsodR5<2bdXFVNmLS zW57m1Mlwy+IA&Js%l6Cyt81+;gQ3TVK&21sxdsLmR@InzfiwiPV)==;Rso^!xF#`S z5!tQWZ~h8 z<$|NP!5wjS=uf*9)pC7i;EIm~lktdhOMw|NG^QADsQHGmD^=||XRxdFps^+V~0V7N7kgec=OeSgS*J9`*{g2#P+CZgd3 zAsDlA!SD1_UJ&&)PBMlmEc_e`#2p23!Fz&={7=Wo5lJikSo8F>5*D|me?CMd*T(VG z+r=H=v!9rSN<0G4*jj6Z=PGEx``8q8ItLbVYk5Judd<@{4`)|+rK*$b$G6wTahuXB zQGbd)o&F58mbS-Kg5-$p_I7j7zZ5aNOg&fdOuR~*I+qFTV(DBSh1CfQy`nZzm5ZhTBqz2(gq^c%=M~; ze#jXIO~AcLNp$i>1_}1dGKaq8gal?l@oU7S8G8@a#z9vyh3Iai3%j~eUQ#?G!qAt? 
zmNZAWw94+$hvO>K)5{0?%$g226sW$`L- z)UC9NE7UEMSy(aN1#fHYy7RglOo#a17vRGu`{(39Xj@a+&b6nu^32E z_zF*}71|y78aZzwETfKE?;}->*XKAVDSo+`;~f*RA|q8O?gj~w3OU=G*%2vw?v6?X zNCv;Ux)e}RQCC}TuS>W$Y$hAuxmqtez3TACAiq+hc+*@ky*~R!iMv!Q{x(4)$^Hv_ zfGm&T!Z;247s6s6HG{HH4@!0@>opg2e})m7XO~RtdG+wZx`BBm)1<$yfDCeWeGiNo zpmgJqsFOO+isC`%O{Xa;5jC^llg*kV_sAmCLX#^+Y|Bp?{6hB?TG&K$_ui@fUix67 ztnuPvlNG`e{4T!nZS{Lkaka}A^ADj9?FB@2wY@57x z_+gg@saXALH&IMpzfeB;G&;kZ8g?P`Bp@oIrDuSLHEAaVZ9{l#gFN?<XN(%`f+| zDA74~ueK#S-zk1kX=!OmXfH*~Ojuu}=Oc6|5)~@84`^o08 z;P&7-fLn&|M1$G0G+>Xoo0PpU4`>a7q>uimvQI-k@TB=;3cH;>S{;a4l(kH;K*Q486IMI=en;{1xM?ke9>a4PfPd7CA6fW9V0F z{OTrFPrB(b8mMfrZ7@>96~}d8^w#$Wt!A_*mF3R5=?YbQ#cJL1(&I$`u7+I zx_DoR78-|g1RlWa@vNo{ravRzqyI|JS_`;?iH>i2YmhFXF_>528f3BZY~X&&+l*7! z{Wh-h)9c<|4C^e$mi|%&<%t-n_dnCyf2cOVP7g};Md$M<%o!{xswlug3*le_9V>oY4R+6|773aLv+nP{@>53zK4&e`XS9P z%d5j9;ogd$L+35!a+Q-#V8W_-ioxF_vwz--jmU#issFwmavuife2`>}e_u8N__|;O z_3tbDS(iV?zyAPyZ{zm=<(D}CYY=X}1%L_v*CmMi_W%9aHps}xI`Q%T=SMS^|LHXn zYW(*_NrOiA@85&(^N0CN|9}6oy5Qj8#7_qWs|N=>z*_MhH8rP$gTwk{rv~7&P*6~~ zEViNm)Q7L@e-`KPQT{Xv9=3K^OpN1+6ovw}p`xOq=@9CF{mhAnoeROM0E7KwY%CFQ z@{0p5w18nCkS9QZ1SP`5B4 zpT!L-f!qz!vuHsW!VlH028>;AFO3LVPGYH*Carw_=iz3wob8`r*E5o)E;7X^t)82l zdnxzAS6ike?GbGN17(8$5V}r@Z<{lmnfC=K5HpCGI0o{#LHlAaOqZP?kwbgp17XZ zt$}#^0d4or{6=%pZ#mi?@J9w7wd`iLd<-I-ebm4ssT9B8Xh_g<9(&)?0tl{wzrm2I zOi4!AKj6YY|Fd~0=#btUdnS7cI&wK&N|rW#6LYSiZoGZ=`{F{BZMMbW&&{RL$VMX@ zJ6DK0y6R18D>!7FJzhZe}u45{YF^VeoWW1p z)k3LkZD*;+$BZ+z?DS}|OE==xgu3&KbIp;>v<1k@0*y{-Sm&PyN2D1rz7#pu!Qg@e z*q8BlY3~D-&A0_1zA-gH;7K1}h$sQVa7TN)Y(0QU2zvmK0#IzC2O>bHegWDQfqWho z7WspA-rboRwSy&NpCfr|KoYEz+gobp77)+`n2H7P`&^$i8|+KrSLtmXcM`*t`uuJ^ zg_1K32;{v#!}sSnK=1OFH;)FB^XbxzYwShw^R~18^@bm$`wRBX6-WC+{XP?wb&yNN zWU6M^Vpz1%-$I<|^5T0rwVX6t z2K|chR*@0GFV=oX^!EdxwFYbslLG@$!=s~+-OJ6-R|F1;xrAf3+u#!?0ZPPg{y{Ob=r7w3_};t+maXbH=PQJm5!6gxTqMLA z&^n+`vY0BjK#r-m=9?NYd1|M|2`?@$mB9e9D!T!wI@c$s+o4AK`l;FpJSNSv)GFgz z$q@gB{d$#oDBMUGgeP_^ESR{sxVW_nKcoK*#M-RDGM{h5VfsPo;(M;|sO2093C(28 
ziG(uw&-b?%+=LMUa$pX_;(m;pBNoBJ>ydRH(v|Yc@EG6%{+~#qERI))Oe*@zy0C;i z)vTcdnp;q~h_yS+{3vq!k;7++bxpJS&}1*HE=4bRB(uk6(DD|Q&5Q5i=w1SnM`T;R zJNN$6n*YO)R0VM$05pB^g3Qs;k%HIMUl=ARMg&+|v4DVOM0R)s+SiZy`H$*$%X{4n zRWpDH5yWD1%n|-*{wxmJmfg+DqIboov2RQY56hQ83Rd-x=78g^u*+%~CU+E-(2EK> z-F5)9tpS)VX>3f>^?Ut0kO0oi&HWhSxtP9F?|6?(qbEms&m%jBdbC?tPx7Go#$R6hZR za4KH!n!n5NNdJ@}zYP#PJ@#kWOrWQUe~qHIdy#nYe@3~GJwT9gs9nOO5O&G!%MhJN zZ^vxI&HwdG{+<0}!{IWtjSB!vjUPAKjI+BIc7t(&fGgT#llQ^F)|eqk8bEPEf})bM z^Ok8;>4y?-PDe~m-gcQ3fc7!lPPjO`x=!?=c4IH%vR}80+#QBfZpIo&4x8V-t9O6e zsrT_le+4vILl)Qeu?6w)}e!vazwT z3z)2>nsHD9mY@W)DmdN`T6k`+EN-qYrWg2(_mE^1U<8;#BIk3v3oRxSM}U3Q z3rMYQBH!9Ts?^uaB8$b!(H9?qf#bFd*qdR_(Y&;yWz8Bn&r;0nhqe!aUq=#hPS6&F zFdO>(^WxuKCkEjRF}Vc=5mku0SS0q4Q?J2_$9!j<-uo?;8gxbQ@N z<&T5oFpG!JKV@+_YY=FsEM8s#S7)~tu1BH?Lf=GvYxd@Vv*z^U`#Z8MRK&#N^BClY zS$?;8xVR@Z*8q(d$QvW@EjermZaF@OL@&^EwZO@`7HlI|njXOFypEP}cYYmI@t-$! zh%W+K?g^ZrchMc_3AhhvwhdH$C-%Oi9~wjg4ymsY2?@!mC-KJjC-6I(Lf}mP;p2f} z@D1JdrC_4L`~%9!Jd^xi=`IZ?wJV+!ywFU1A7*(>F&{!wRk`VoyW2 z8J)>2DX7ti%E*#?ZR%<#AJ_CO9MBfc4~&?Em3G|H9lb=iM6DwUybh=+cxXzl6ff20 zz9NFm_MhyF;zYU6OPZw-^SenjW^<-yx}}}eIaVYQVqaYDb0W6nMT1ej&5==@VpP441y`v_Ye^o8 z-UzFm5|Ne0j2f8mEgnS<;ky#e`X-$F8brh$RwLKDAOAfRcUvfp>Cwg9$Xg+$Q_NH{ zIQ>*AHo!2zGVmQ^ZR$FS&WJV$qifa^;6{W2yninfRT_4e+shpuXfY`r9S@*`e-ZwQ zPumUH?xW{<^=aDF6DLc;Nf5ArR-^a_hHyQ6o=x1Fnwm=e{-ty%$@*Rj?IDHiix<(+ z1st05IeshM-HLl?lsf~1gAu08{^3A=O}z4n7xb1^7>7WO{)6yl z?==GZ^Ct;tz1#k*UN0IVya(63s&*w>bQM?#bIuI{jZsFlPI?WX?T(cH^2bFlC?FIQ z>$<4$1c@=$3*G)YUDsQ{5*Zx>LkWaB7*mn$E&z&G{#F>@+%%yb-H!C7O(kj-?WAZ> zc^!yw63oHMs-h3HFqC%sS!q3*3(O()+YU2tukxlR=#rp7XL^#_c~-cCH$(l{JdBob zUX=fDrfn6SW2;N;!{JbY0j5Cb!d9I0ylvxNLE(vW2N?X_FTOA3-vKeidw0?i-z&!9 zHSN1qVpVwpMWqiBG=^r0?i4`>RV^(o#-90O42;>+?T+~S6rfkC^I>QNu;Af4fIn01@mGdZa?J$G~j2;%!Up~y=QyMu9DPa+~;bi-H z^OlvWYn?lw2%$8w(;T}QP|V~vC)UW~+t+YUbe92Y^2v4b=_VtxK%sfo#L^F7p#eR9 z-~ReAHM#V+I)HbyB4UImD4fjl>|*nRuO}-vU#ho=SE%SDopjw|)2B!G+eMc1+o_Bq zi-MgeJw(#@*vwW?*!>K`(GilQ%{Oh%dD@#l+eK@G&uccn9-!%;5UI8BLLHBAY?(fz 
zbkfa6F$3C)Mptm9q-?#RsM^o^C?Y~0Nw&Th!`Gefuy@1&cm}UKm-ifg7a6spYAmD{ z!AhEp1;8BUM+7>u5ppUdjiI zHa0K+7T^;*l7s*O%z3lG^-(`OP}vO~qPrF@MXp)Ca=8hlQOKb|eH0V=_r=B=;5g#a zFF3L3?tfuq^s4(=z)iaI9)s=@pmi2`l%lf3i8uWtd<@Z$HZ$6sx`@aqj87qdoG~rn zz`fE&9=AGX&8ZO-y+G<0Rl)A<1l5A;7jM-Sg9FEwsK}hS(%+@ET7zH{jm9FX1?8zw z67Z3hk2A$h<1je_o{G(6)ddq$jDJ0^P=zl;>j2RR@jqr+UVvetqa~)1jwn! zCFDa3JlWX$yRhe}?v9)`%~g_cF-Z$4coWUSo+*GF-Cd|xapFnSyI7M4L}=bVwL(&4 zJeDXGr{BRE^DiWtO5K&as_q2H=*`Ni2rmsDvw4qGMG`gdh1PV;BQv3 zmm%DSY)rn>jCnT;Mk7q@>fV$=r{1svx~{Ji;_Ox#|B(GcGT!@&A8fg1f=b-wgk zryqshl|_I+n^WjpUQy`H`Qje=YzgTf4QO#}tM+wYoso*3kWR8Y^^-;s-I@U9BdBB( zeI3>lAQQnaC%jL-YGu*r=ceOomy$IZpg(04Tc$Qr!^7W|BpoZe<4PL~n89UxGb9;q z=YVJ&-)tWq2Bs%Z?XxlIpOOH6!CmgjlTO}?>hSy7D%G@zmR{=2U4d_zd@*p5yQ{*(TodrBKr6nkJRcV;A&|JMTuk zH{I^OnS6qHW|UX8zjy5L@r~KkTeRZjELb%sX-Y$qZ4I?=XWbtH>#r-EfaYvVhT(R! zL^G{Fm?xgDke~nyOxW%-IiJ7i{_!H&ytb%xV^cqdgBA;z4gYLb_P!SM~gJ1 zLp!jk$0={9*&p%pMBgPuBy*Mt8lvp72I9m*QF@msU0{NDiW&MM*IF*tsay+PyC3<} zqiGUlm9K$0da(xGyyEu{xbHO8v&L7EJ?V?GJsy2MMt@Ai4t_L{qYMlyV?jVKTkkP< zNBiqb_wjYZiH&#Ym2c$NaH89%pJdq)*S@#I1#tr${V-n0nO%{;G#P%nj>03R%2@e` z-C#WORIr8RKRK)sdiqp%fyq_cXwetV=pM3VTl1};^Es4mVhsZAvE~%lNAW_Emft|~ zIL1xSdA1`*ly)sboZ#Q8vm1IXP9L}m4kP|+uAh$7j|IjOpvk(?X!UlbI-?7xBrl#y z`>8n7s{5X`q|}Di0dsT8uMJoUT>BPrMkoO!-M(YU9$@S;o1=rjFy(zns8Yocz4iJ5 zi$kO3>`nc?IH1a3fdR=>GA^O6z`)0wItsgw8R3oc` z6;+H>iCy`cC3l6?=&S+FS)UE+bu8p!+F`JsklH)l^wNcJ`V1?vKbq0ou(0T&;_T}C zoWfI?WUMKr9dktEQL0jFVAAD`1Qjb-XW^bsQSUuly3=3M>hB(W@=PmUco|z~a<3&L zcZzt3OIoUTem!CP80ZJM%1P<-bGRv&4YOTZI=+*fTuUy@GOMd2KbD!JLw}Uu;`(v%EYF5M06L@u3RFRLM##c+ zxjmKo4VF%0(MG3GHq^Qr(@v7($aBT}a2y{$8r1+U)br&dW>_xESTi2MU%*ecAC=g9 z`E5^4hit)5(2m;iKuXdS4xM67og)(?T|Xm)X|bc1|L3^Zy#nDd-%||IZX`jX4r|7L zP`g)D?2dx>+fsHP4wdUDDXerVw@6bi9ny4G4s47mF3xU&VbI9$iBcvmdEJSQu-_%g zdQ61~I_ZR=`DoslQB;1GQ<2e;X7%!q>2XJYxR~nv-WHqdtN>TP?N9f;fSyRu?e7_* zB~l6oXs35$9wA$qGc3y?<>4bSEiC;eRQANei0keA{<`A9V_i~B+Amd)%AaK2!&aBT zHgEMpKYNPVpOrq`k9T&gi-;y67IZ)FcTf6?k`jN|5Ksu5K?`uuVZsFhYKn?OkgU`~ 
zk`&5A(Vzw59nTFbr?ZC7pFZWo#h=om8|t={e88BIUB`8+3Fah3^7h!?fbb&ETPZfq zNAU?`c1nYV#_vZr>EjG!<*t70zm_H-rw|GaW>ip)vcI@YF{4s@?O09b) zlYRq{RF>3o&BtD?ClmKyUgtSf&9#QQJuu`>LwU@RWs9o$p6=4NTDV%QGF!588*LA_ zjrc$MiBqUkTEN%2hm*1_UT4h_LZ|sB&xGqB7ZEz9mBQ6GS@&+|{Jj(GY z$l=~7uXK@omu9~EC^DfUbYFzX-2Wo>H!2DVHZNd)B*dQOrMXVk?@7U_E}o?@FkwA@ zOE1;N?r5$ISQy}`Er)9#d{OY7cIYQqqPbrrP0~|4Ku~-mR}#AD!D{;q3$irFJ#;5& zOm*SGnoIZpQO)|p%&b^G+;7XvG(J1->Eo`j~t8mIozgiz(CLZqjq`a689qG;vUt!Umm(oF^0f!#y_xVDJ3A868#@?)i> zLQe0{7X5LK_S~KPVi6$Foj+OqlFVQZe|N4yhu`szzG?O!IuzQ(3o|_Uc2;MOwryXbkt~2Xn+p;#6QWh-*S?K6Gx*NYJ3el$Mk-(e1aKv#$ z4{6s;T|q(hMt$=@4n`t9Fk*`XR$Hn;#OfFCds2}g9ej{@T{>1?PVT+-v@TJjKRsr; zj#~hrqq=`gN%@ZQ<`kucYNlHFfNZ9R`~3o?`R4cH9#}X+u5e;p~P8gC9dS) z!ZXtA@c`ww=w!bL{4_<3PQy>qYn3nOT3*SBB+PliG^HXxkGLE*>038$gi?^Qhj0{x z9Z1^OV6r?_o@!&2qG_kWlu0{ zJ~|QPXx>|8E*j0kQs|EG-^I>P_k^?KaZ2+BRG767z1yXBp0h3x8lkXIB^m*rSFmq=C-aT}gSzHv6%dXw#UFDEZz_}C)Cq&v}2>n6)JN= zu;rv}4K=6f)qe&qVxaTUPqy(r3JeRgA@DmWT6l0}U%lTEZJED#3o_KqK@@W;*BzAb z&3znrQmv%ikbznL)`5txDAG_q1+b)UFcswGtvyXPDeuDDVF&h5S-3UQt8#x~!SA*x z(-LH=yW!3#JEe$GpK?0WBJ-}WhR||JsHqQ<%6nyQT#0HgSyN} z`QEvGVY^Rhgq*ZxqA%&wM~6gkr2XoZl;LnArdFr2Qd$5!@{Uo-=V#p4CAln`&(X9E z-Q-?@?NLwnwIZM*+&9<0Qcy8=2{dP=5b7|#nO3G%SE3z0b}8a5DeP#Z3Y3WW@Np5f zoM@~{1rwt1k|cwcDx~jMx#9{_3PMo*Cu%H?@l5C_$p*Zb!?vB=ehF4pg<17?wy zfPt?VDQxQ1i3FWbl$Gr)(kuLOFqyqVt6|*I^tF3Rml39z=02^?^!|4OaEZpwomaXL4Ip+=921=3aPWCtC4#=cm^CIQ3JU<`(xFEZIY#ho4KB*Z{nzY>? 
z$U@+!Q<=|5sk}-j*=5R7!7XSYVPyP4b+y0PjA4YfB(duix0GnS(Aok(BUBG7zc8XPC^fuy7CPL^v1SH)pl=WWaveT17FuCpJ@A zl_}i+N&0V`uUc8D(qG}LfPO0j6Naa zAQdU@(*?y_#|2422{XFk8h+RcF8i-Cv1*-UT)RqRIXI0jAuK%NBo&j3J_u72CL$;y z(Ofx$0YNhCdjkK9VV~3!NYDN%+0}?{;|R%(G{rD)s|APo8pxGlzw71S(@bck8gYlt z5G{XIdPma^&yVWRGbk)<8>@Z^N$!VG{hQpMc#Rzb1&$>aSLa7-`>aO|qYvP3+^>zg znpW_58nfV?o1amn6R|htzhz&#APql&t70x32QbXjXMGWST}D|>W?*>y6`lB}{L7b` z=FMa(Wk<9nb#?E`CAUh=-)d*P;Lg!C_xz&x!h#RyE>Vd;?sB(rj@<05#YFaZ{qSgR zQh{^SD8FBI6r(omZ zpUn$S+XrzxHO@SYfUfHWzOj#Mt;4FZ;gvU&p1`v9n{imr!7}FY9WK5t+fbIxPL%56UFyRm8l*uQLFp+V9U>u}lkV=$N$hLt^Ze_5*WP>WvDb$+#=1W^=TIEX zxbOSA&htEu-;uZZtk9t&)Y3~@!D~BTMD1w~l}YZXD^wBj#Zr#*+~9jonT*k_tgK6e zCfajNgYw6P z8JQqP&U7)WkeH1*==C{!r^zq}hSHGV=j0rha?k9yLO~M zV4$bwic#`YgeYJnI${lYctvai3HR%aX2QT~4)-$rZ70YV^%-O77d{H7#PU(L_v+)X zLoc}NqudcmQFvCO?|WToia|RDny_DUnWLL&GUvlFrrMHIQs{&4eU>xKVsS>|WYJ6} zi1uCZM&-kJz znOPSgZE_X(WaGQWifp?mHU?Z~^VfwUlfU$AfgYUP_yE#kE|Z z$^+t3I?_zgRGag2(#Dz8iiDmMh?Zk6_#T^c4ah{W+^bI&0d(h%6c1)mC#*d9-7A zoIvxi8qu3n$de(88dFU)M{EwTsmm%BN%e&40RZDtT>o3v1jkb=J-NuaH7Ig z7-1MdE7)CR)^K=VtR!kr+%-Q5wnE}(#fl_=g%%;pw%PV~dHJ~ye4Qmxdqiu1OfX(x zF0BQ|Af>BngU>O{O+p~ePDMEJOQ-BOm+9@5eh?opkFIc-3fRf16zw7y(BNUz-P{D- z%~2b9l_!4UcdT-1%WxQ|j8UqA(Lmu0+b*I3JmCaBnBu4Q#(DYDg#*C9tu=>SLQ~;k zH3dE4s_!aUsZHCu{i@nux*LbKMjjDHnZai$j4EXK+BQoqY(r6Jll8^MN?>XLoR- z2ZPyHB}l!5GdrZbJ3`IW<`*?pB*Nrfj+Mhra6A1f8r?eUflt_RHwWwbp)HUI>Cj}q z@d3TO+EU`OC_uS!y=0#e)X=<#Gamz?I+_D5yH)aRmOI7HIfs--z+y=W!OKkhjlZe$ zF7(3EhIzxiTYYYBQC(*uo~P@gkLc(+e_JD)Yw^rgsLJ*Vh?^@xOstwq=9>mVm6{`P zx?7CluA`H$O;65c_}*xJ3#Mk_2_Pkh1JeX4H*%;vw>k9gt-Qzdbo%9IITHW1WMvXm zGyGBfX5;r7Wn_6G_K?8d0Q9ygnq*FK)5M!u>@N1fbLwL|kYP%p#6*S|0nCY$8q`OmPbJecN!tM|&z?r&7S>#Ro z(uv>{c+TPyJ}mk9A^$%2@ds9rePBf}^m+h;$Vs__*l_}ysVR>A2!8Q-?QOOTmVZovv zSel~h^r6Q1H$MEH>ijE8Iu3iM%dE7}wE#u5`cT9=o@&yf;P}(=cQ6YM12iT*kLiO{ zbzZZpmxP~m;>W-3B}U&f+k_R&8s+vkq&j;?B6DJl5FlYiL+6;-<+&ak?_9hT)A-Er z_*v{&Z#<}^J_66cMx$m&D7Alm+z#ZZ@OH$Lh;TGMVL!*p$1Hc5-gek85MFV;b}dc- 
zrtG+T4SQN_EdBM$Q6v+04kNtZ*QO~jhZ*2tue0~*%>A0m?awX77jmi<2<~jmNKYJL z!D{Or)|kBOSzU3(emAK~qjsi3rOvsax%zbYJIm+_E-vr`MVQ8x1&3o|sO?8=XCh(? z!1z*LT7eluJZKU`aNdbMXA&JS`r%TJ!;ycLu?;(+U#hnD#uI!Q?c6yYOb^HTAiYsy zFNq&b$pZVe-v?uGs1FK4=HR{e@k|C%MCK7854zpXg+ZLc6Glk-2!)<{MptRW zX$s}X%2GGG2;ji6N1=fWYjl5r?a`MH2bf7z-Pu!!o|=>^?~iJHt}ih+qV0W()&19{ zn_q?cR@`*>U6kwdqmL^W5yju@^x*(5Ud*jhtRl;yTsdv6s7zF2N)X`TocRK241sYX z1{;AzxV*oBK_aLXSl~?hv?w7`Am3PIawVXWoDttH{j<`i&5AHQg;!$^*8MyqC&G&` zM}Q)GtDuYGU@%v7=mzHO#$Z#inpUz<7xJ8J9R2E3S&0ZJwDixX!Z96D-ewBNU9h*Gqy*eO*j3vK@@46H?-Q~)_VUC0s9V8ZEK&ggVc~YZ5WJVTP%QZ zpDc2lFtW-2)eLfV0Q3E7s%Ag$)+$|W1~C*i5E%k!b)$ete6pEW8qy=2Li$#0a?UBL zqQR}`LT>pmK|*?i*fxAffVN8?NqA;?*BO1qz$YfMkAXP>**)lmv98@92Ojj4dKo7M~5n8h1U~r)mTVoj%_aMh8hO<&2 zF>`|Bk7FUn9}&ZAyy5(g++`b~^XG7}XhXfek5Ds3{JD_RS|1dF2c{Gw%xG{MgL|-R z3Rj{;jZ=+HquY5Lo5*kDLpXXqKz*B5d!v*5bf@d-;W81g=J}&0zl!%PWo*sOBsK#Udfl zD;Jl2*M1XgiE%7}i-Gibf0MZk^oT+VvVd%KhZ}uT#e!BtvZnFSgeLryraMSTXqItd9z=DyxUmA z*7p`JsK-VTJ}qAy;F;AK-id!_gxAFp#XthBPA_D08cAq5h5cf|w&*1?fqai2 zYJG~7x*137s+t9nZQ55jwt~Eny3gn0$sesJP<>?s+n3?QY$Zdv3wt{oIPcUIMdQ1s0+{I z1cKa;0PZFyD;r`3urUCNWuim_|D1$@xdhbS17k@^Njdlxe%5cM40aT}8K1D?JzXlZWlG=Dwiw6nNN(cGgNErHcZ3ht-P zsDn*u!OEFG?|G}#2O80_EXV-s+H@M|X#Y7B;k|C4Ba{Ay2=BK8{|7y2mVN{Y+47*% zPS3`sEPAysyl07ZPLav84^q-J7+{WAP9Dkl8~B@SRG$W42hOQzz;=d;oFp zN*P*9?#`;JF#w<44ZO`fupe+H1AS*Q&Ue zZQ$fofr5_C=P{3jL=dgD0Mr^Mltlg;P~e~ zPuVw0H)2no^dz?G5Xvs{eaxj6nn;uX`~CcW>?kBfWxh(StUJ8T9Ss?bP0^>86Ocg> zc^dcflEikJJ331zsmW(DEyXCZ^7F&yALmgNC;}DRBhnAGpLO44By>S_NdD7WHSHz!7SY~x6ccpWW;i%F zSk2F&rJ<3yxq;ap{fA3Tb$9?!J8fz=9v#gL@>oKd|B3ni^8u+2H~XOqfkov$FbN*L zZ0+ptPh9CvOw9mjsDEr4{#hsKUp zCpCg_kB^hn$jbLmXR1!ZV89gkER2w6T}4gJ*k)sV(DdhBI25-LU$yn<80#aPF$Gu3 z$_BRpP@3b(rwDNNvF*Xq5z39ysnA zY3$85(EqDF<MM754jlEqHRYzdsNRm3n_S23TYC zcdM7~Id+wAz-=%U72Mv3mlLCLj{W=O>`Mu6GEAlU-n^%6fBi10=9H z$bB40a_OGC0?C{vp#rYMP;h4ZeAqOpY+6Uhi2&WjUh@|{&*NuZOFshQB%#=n*ObO$cEE%Xzx0nfeL6VCR(Vdv zQGSP}Ip^ZTciA(YL|MD(FRPkgS<=|jzE`b@(#*88aF$F|t;QKC%c=V3UN>kqF(rTS 
z?TiWcUX5#a6pknQeQBw_3npyFA#XKj{#kIs{lf+GkW32zbbd}vO_9I! z26mXyd6cv@&Vbr*U8mqq@ zUm0kE>DPp1TE=1k`JIprnjKb;g`__6=;Q9^S{Et`7qE|(JmLje6niUR^9ha-wX8gf zfCq3kEKWD=!-tGc{^Fy76}|nUu%c=2vzf`#ip0dkG%ttI{(5jy7g*GQi1OtG9h<>$ zOwZHp!IE4+ntcLhr95k85}=1%uBsZzN(<+-hc~OInZfQ}fh3H<9_&spJVL_HB*ZC# zE_Wm%829$?{hF-Qot~cN`6h01y`3{821JG4rT+J7PVOs02UH}cZidF_096?9TC*zKSZ;3hK$^m_H<(;+U(daS&r%{&mn`M&ZcYK;`V5Eb*z2MrEtBA2nY{bY zRk(hB2sG~I^mX9)*}?aTITL#Um?TETam}GcB*^0MccljQ-8|wnbaYPxDF$CPgH3kN zmt$MNfLHzn40gTBD{w;}Fc#*L)Y|EBJKxpJY=8CQ;S;i^@>iz3dyg7pD0=P?T=4Cc z3}YP)(K~OQ0c)QA)9+Yx+&5NFy87cNGHx?+A2ajj4;*ane=c2-m5v2G;}HFCeXE)d zL4SP}PF~`uo;Efm7higS?6KsUyw0Op5M*}kAR)Hg`(siZ0pSSlJC$Q_csxKDW=p+! zll}Q{XRI_sKx4FM$FSMcY@q)Lfa6y{+i-Bl;5O!k8{n%u3@h>_JMu7Feg8b*arm$P znWl2eIFhb=ChOrw6K`r}>Rh`)cobtxOUtTm2^=~PB-BmjB!*hT?E2qKBc@%ZtXIhi z1k!^6K(-TZd%1vHVE|3fyzhyJ&z$=j#V4C4Uw#>WjlSne>=ONnmCEV@aCrABxk=eA z5Mjr|{f~WNmRMUdc|bZkSiT&9#X2yT4_t#6i(zcs1LdsyI+tK%o_J%rNQu<6b?)u7 zyeW#=5)Z)m%ncc>f<$bubq)Wf%dab00rdsMdWyFps+rSmrr!PAEG_lNr&6ugVDv4L zdxnF7(jscme2v)EF)AYS>I_dk*-#tA!pbL>L!&%RzUtrAJWm9<1@TEQZQx84R^-on zaMEI@UoehbY28ii>f>469UG+V%h$!->O4-hn?{ZwHoM0UJ}&1!3e^zLeOEzc6t*~kBqf+ z&%nigD8$@n$a)B%+O?&LRcsdYz;#q2U>r2yAkBwM))ZS|U5TS!@T=zT2D>I;Ke7OH z%dj|(6ZW9{_Vm!vyCvrb<6ldiYE4}xYN@8#W^8U=!^`8v)z3%N$kJ<;Vq+UD=yQcj zT^y@h{HuDODESVbIU19cHk%F|^%2zCjsx*c;L-3wC=R?y>G52Xat(J4e{Ce-aNDOl ziZ!Ywz-U)UKw>OdJn2&1i%ur=aHvs1JhC4^8hQ_|0x$iF~kDDUL z!M`Z@d288%MSIo&o!`SjptaU8cP(T+#o0wQ=kG#vrO{m{%Fo0GU*Z7%?{r?G@>R_z zut1fb09Nd*@2&Sv&RBoHGUVGgdNDEmfPjGI-tuyu+!CFM%Y4%QUxAJzLmuui<@Cx2YXi1qTz0L9N&U0|scWSc)%S>OOx)nYmZ zR#sMxd*jNU4ELQ{fm{OzROrL*s%V<FtM;s8qu59&KtazV`M6}KBPdPALi6MoEJsAZ(Paja4z8T7Em(t2>Cg)1(@XI zGW*RwI!GOV;^qYx0GaC!IS{!RdBu%DzKOa9-`o=`AeO+!ES5Tai){URzb$mr^qVhs5b44BS?;?r8RZFjIY}z%Mv#ulT$6}+RJiE-p_c)9F?RHByUQT41Amw{!y5yOEtN2QQ$*Se>o}6RI-{ zvHk)S%_g4)^~3LPN9Dhd6>6|uTpjhFv^Ypftsqos0JsB)onqXf%w}A#BZh?pZ$QCC zv)YrKLvRM{8Y9gJSd^c02fy3s z?^X^ie`0>$Ks4+j^i#0)f3tCrIZAg*luX5J-V2PYDiWy3U7fX6Wp|+U8RKVVK1K&*A#=(omo#qkLkeu*j!J3y32atkKq|Ys=Hr0- 
zV3OhGxXX!tk31SMUoEN_m;>jQ0P}zIVBs}l(-_8UK*i4opAMknBb{MGMS1}hpH4(X zuVVt;PVGz->C9BG)@jh9^ArVad;kL8j!I2~fh>-t>i~G-*gJUj6om{B<9}&qSv3lJ ziMEw$N~1hbNK4$>FoO{(WO}x3SPLr{CzV^-X1qzMAs01ov#s1HHr+%1vjPdvTjTzgt)oMg$+M?ix9vSBf>g5 zAE0P^_oEnJdPo(r&#b zrmG1CdMCqlE7*4X&{37^uaAOMa0Hk(&ZiQIyHlof1zQ!+2Jczx7go$uR?R2)Ba;bv z4;{xGb`o0q`88%~ik;Hv%S`r$LM`?NpdO+-3&PpLoc9wglMz-GXD)#;`qL98D(jbE zX*ra^eOlOZwqEZSPL9DKktq!nJRn<#U)k`}`*n|(P@h%q>O7@zsuEy(`G)#Bckg4- z3{%gY6Hu%1L+dK7prT{I_<3tlPpNxR(idP&+nH1HroT}?<)lfyG~(y8VdE9ra?=Ud zxTf^&hflVe*l)-e_Fhr^^P>B-(85Bw`EZ4evEV@5{o-(iR8}S9>iW7eZx)pDx}@xW zWAOCV;hk(wN|q^*pi35i3h#HKF;UARbW|FDC|*FN=Gli&esPM)Fe&Go&SpI)v+?3l z%xQu%{WnQPy{dO}y#0{7Hgcjwhtzt^Y0N80QJergInqr$NroS~20?y9Qx_pYSS_BWK#K1Ig2kFO~raoYHPSklE zfIl#U1aSP?T6TLUa2)@hqqw+u5VPDU9*8HJG1Z)58^@^*t_X(78}CZ8`!|f~`!;aT z4`LGf8?A^UnS^9++2H&Dl*{O;5gDF4@Pg5raJ4jbMlwOC{=F zpN}2d5N+RwaO@5i;JY^`tt}C@4Pj&V_ihlOC3JeWSIf0S`k#?)u|xBEHuA{D#sdE< zqd!J3QFNu4aIzpywElujpe*~%t^H_xrDxtUWyKB-V=Be7<7!PEKQk~bu8XpJ$BF~* zbf3B}@qF|{WjXoo&8y^qV}-vrPkd+3Cq^JoSgmLG|JJsm9Z&l|u&t;Mg#S0Tm5LPC z|KDvZGS#zzQ=cAw>gXG0<;SIqJ>KeWKdJ6c%h~1bmgqB-J3p><*m`FA;V0@#y6Ziv zV{KdL-dj-GXQqaSyv{i$cJV%o-sX!$UTX{3>lJIS+}o~G*Naen{kyPyswO1cYAdon z11NT%PoI$*3TH|)dFBpR`Wom^4an~;MSXIm4^`_lKY5Qn;f4SL&475UDq9Nmyl$^i zXV>3d%HAs^(f}2OB@>?tX9F)&blCzZJa9!29J;V%25 zpLUM;bwzb$`dVy@A(69}#^(WoQ^A*J+oEsG*qv7I=3ZV&KMYh?oIjh;$`jzE%~E&= z+%0E*)gAk%r%>4E9MlPBgqDXGr2aYHRQ@|Oj&1N1voi&ZUAN;wncgpoWL(UefqKwD zm)G9PvNtbYa7O19!S0 z%>NIaF7nrZJ6&{y?1@D5Jw(x-&pp;FxgB!pd4>uxJ6LkY9I~gMsBZtX!&hYFK9>~tP;Ndn^9>Wv%CSjuBI}-|y<9b;9usRu^~|xyYMiuX)Gp^aLmOX} zbJu>p8rr-0gg=yZh_TWI_{mS;g=KuZr%#eFy_IB7Hu;JEkU5VrR3Sm)_U8}Djo>1k4nBl=?+I1~9JB-Xdyn=v9b z31r6XMUVIhNJk1|sf52d4#efYk&y5c+D@bv<`(-ZS^nlryq|tsEuwXj)+I7B&)iAc zefCDIP%P88m|#9WS+mIDcEu~?PS<`2Bsigw#$+8Iw)lUN>o`i3SM6z-E>bC#!Y&7h z|7!3&tqctQ4h?)QEH3?4x1vg>_WJ!|kpdDHW4`K!o_;iRtWhE8z40xs2ylykqq#H*1OC1+f z5@I_gTou&`KO+>Bo=hqm6jlTBt_S{D<`S2{ArOzH+w1@|V3nuI5zG|)=Fad0T=NSjwg5FVc{7x3m^-`#}V9)UwctMA)5W(I&7PNid?$hidZXSu2 
za<0cB&1h14j>8EgdZN_#QFf(@IlsGB?9!Gr-FWOUV#9)&wa$f&+V46tO5E=+Gr(^5 zbt>~#dh+Avq55*@^3t4E`*DO)qnV|>uk~{w6>3PgT;@o^735^gce_f%c6vH@H2GsL z8>3HYG7HD!8OE$n??V!O->I)Z?Ch;5vC)*qJdo3yQWsV}EckOVEMUJv;Um?4m| zAJJ7Oo=-Z9&ZCk*5Y8_p?NWjfb9$Ttx~O&c8ucU%=$lz=RE_QBr^(SlnI(Fh<3h11 z>&N5l#*bL});L$Yr%V0uUrP+;5uBZt>2K+a>Ln;g3@r3_2+H=|V6UnPVLP$1bUyco z6g#n3slIr_v;>Mp9_kjMib|I|NG;aNLmDVt)Jw>b$cQKyYJQnjk2f!R#&5puc<>qi z_db{R-WsTcabzX5xO$x?*y= z+=^#~hVy%VTj=~JJ``g|_S`;yRfvO4h}w%e5K5en#qwLV;!HJ5<(7VrGrV4W4HGYlviJ}^c;J6NSXb&l^Ev0 zkW0Vrvt%>UE?4wPOLBW-R1z3ixWN3bpJp;veKY=r@5rc?;?f*2itt)L;x;M6w+qjm zXH@Y;@8$mSo0uRi8;9{CjVsQV%S=XPMVvQ!Cx;7=l?p*k){-m~W{dHaeb?NI8BUfde z_Pc*AtefIY;${Oxb|wU~ekGK;sCb#LC@Ci&YPM*NA&mwl*qiS}LG3$z6bP44qeMXz`dB_$}N$OY+t_J`Xz)iWv_E znm|e;aPmk1)7h)cABZaf*E=9Atm>)LJBSC!f2er%IDmX0<^Ie&xK;1BxTNDf9RD#% zp9p|2RqJBub)2=J9ajmV(vzzP3>tXE-o*_Ja#{ZsiFT`dAWQ1R2R}JQI-HmW?#!#P z>HCV=Y!wa*0XJ18_=vYb-+Q-ajXN;Txm0F_2TYoK9aOfDon5rcr+rnH`*QJX3`-9> z=nAin%|0qD|Co80z%tg&X(=L`0I0OrEm0iBMyyA%~iL$|Be;PYpEAHrzlZ0!fN=%Xyi06oXc<_1np zsMcIdL5LWDNISbbF_poIYx2EWg;=?;w$`^+TW(ztzf8nq^av{y*xA(0j15jlpn7Oz z5n&1dgt};du+?vj1X#tKl^~0x4lQ@XPnxdQRzUDok&RG%zh9^yI*`k|&rZd{`|;z) z$|2+lLdGMIV%rJFjm@SUPbq={7%^_#Ip}D;rKSwH1c9CtOT6ZYP2ZqE*XcWCcmYy|UMZ7$0gOVIUcId9F3Z)SbX zw=x-k6N{CmtjyO=C60+o)V(M4f*G}~BtNkciVUKf6q};_0vwI2a0!jw==Bp9RkZdUlY(I$L9k^6D217 z>zq1y^Q+_(d8!!#ZpJ0AN7tuc$$yRKBO-#mk(3wHog%x>qJ4R(<@c0tLw$w6g+rwM z{9R=ga;{hb_);0V8&6ujNHi)3$PCPsjV+`<4FqBvWgI?!x1g3XPh0>y+wO66I_fRd zT4(VUPs7(K0#M_$?vP!gO<^Sx6Hm8mFK;rad(u17KoC@BynR*4ZJy1MRrj8D^+E#S zS&-%6dAKF%+7JOs`qSg;r_*UYf#I|<4Kf>NG_4G4z+(1FpnikQ=tB68jqm$+F8tkp zo8OnGYn``_X}AOKMZYG}dw@V$pN%>R2HG}Po|T7Y+HT{XV|uRfg=!rh1FsM`u?()U zh*(E_K3QVn+<++&v)j3E*OUBCcoHFN1RJF~pe;-tjvGZK8%0u_PGEop!`C)VgNF`3 z-rZ56O3G<6S6ig*ZUdZ=;v;RldUz82U2=Yv?y*5ITc?AAfECK^JOS#HLoi=aTF9Fwb6{Hd$1Uk%E9mFHk_j=Wm@B`JYUc z1YD?F33d%}+5JjVxA*9aJU`aDu)U&C|9-#o)DFb4Y>=nN_A@Ws4NW`&PK^V$rc< zeWP9D^Dg<|A}8vtj;@_>pW`G{TYLxuyqnK&QL9lqCT}2P&P`mdEQuq6oQV&$VLtVoqxsTh4>;9u{ 
zvNF)9IV668Ci9j4oh|MWa!V`dcyL1gt;|@MusL8u>vBbm#zDV>jQ*)VPsf|lFcI=s~3ckKC*Y45@G4~Q1KaVLl+SdoG z`x+~Kp>XPsY25K`=MA6(>9%y)o)-pGpzmYhxqF|WPvB37o=36ZxwL}2u$45^h1l)Y zOPxzHR5Yw(N;%Z`0=B{|U($dkqiCFnu~OTW&s>{p`{ctNIMGOCOzOdAR%w zq{t==iMLLM0NC?yfzNYtbQJPtU^6H@6Y8u8npc~~nFl@g0C#U6P|4 z;}$TX5K}_9bVA6&***-*x=m|b57h1b1o`a?p2sz6>7RvZg4eJ z)dO)YU8}%#{Q8i$I3!YFLw&<}>@84O$!`q6(ocpCdtk>&F`uaC#?1=4Ykop7P6zz% zE!CfVs#m;xKFJ7DDN-FnwqYCYax)N>I$CqC?S-MkR(6BQ*BdUwk~`2Wq$O>|xhl0p zDRJ4pMxGS8AC#PoU=ino1fp?+paOHHa)~zg)7epNdrIFnbdTrbtfw@qakn46n;MPD zzZbJfn_)ukk-*BH))`;`QBSqHy5;-G9Qun=

AO{ElIec%C~KN8urSy*roH!Vr9O zSv|DW!i}N}I{Kx@x+ffcu6rY=o#5glp!!X9-V-*BRd)Sa_#Or2j1Z>vO2_8*Z7Ap?f_&&#mpFf{Ou2{IH$O)*S2N>%9NrpU8^% zCG`PuAZQSMAU!YTeY_CnY@i3?oijzLWl#}L36Qlb7W|LRGQ3Uuysae4+Q4|GR8O)x z3-5!fbSI&|cRIg)_5%WfWXFWy;6qIpz~P+q<<{nZh=4$V%Aix|Fh`=6kXa9(XeHy? z+3b7=g~!;YKq=NXm9|E99S*3I=gP2k(F-1ctXZ5295XCNLAzZQ62BwU-mop)j=-A? z7K{WfFhWb$v25T+D>{QmTBv`~jD)9Py_|fYc{R{0{c;sh>eY)2Kf~3Gp}xlCiYGNxJB_zf zUS`dS9VKn{Mn1CwxjBtcbQBV5t^j>C8T+IC*nn+gf#WrFZ8-|DONvj8w`XI(&3e6x z{}3nK-bcrTnrIQs^}`wh2brF>%t>h8z;U2>uE{vCVObj zq=;nUxBQT(i5;X`QgKTsa$8lOHs51G%0gNI{M&H2CR&`UuLC8k5=&jJxB?9DDd;=~ z6!FKi6HTcQoHYC$KUP}SkZax~fc^{(eOr)V?~7E&J1G=P+c5gCbHI}t*|j+nmJyw+ zZ>4J1RecIFTpkzqr_eRx?Kod!I56}G7HHi)W${!3N_1{B)*v`{uwx!X*Ug)&_0pRc0B&K(KQxsO1j!??p#y)R!jT z=WXPe-VmjxmH3D8L*=Ej$Qpn8_yQMQ(b2$L5DBelJa!ISvdryFnuSMu^z+oF!hss_ zY>)mrT8%M#wYfriK;O{wVY3&J265~hkLT1~W+S$cwV2>E4)WP!=MCp^KyAq%)AaV0 z`D<_d`=MY1KI#aoBED@~ptYM{Z`dV=wz=hPG7y!`XG^Bu%oOOT#yWFaYuo;=-;%cPUMB~@_8;KKR>^b5*u2z zRlIlq80)1WgVW#tm1Uii2A~z-5wX84O@C*-{qu#cyQ%H4(g5N9V;UM7phJ2HX8bS4 zJChM{i*WDXrv+A1#Hw+xxSU{{1IK)K`kKd5}o}^ty|yriD&o+R=L8 zw@Uz=cMr!%9EjuG_&_13_s~r{cd9u?|3#V1Bly4Bk2#VFyV-rXNdM=D^7~nVDtqgHs;+qizn7J< z|2G*MZU3b9|Ctm$9a;Y`V(F(5fV2JAKmYykzuk}Zu`n|i{q)kOhX=?2DE|Ds!EbvG zZ)9vN{;$r?XrQc+1x(+6`k4OuTq9-RNjGJZUS3`~=#2c5^OBO1NP+)(>O~rXp91m7 zpWeND2XI%RboBIchK7JEY!49M^3R`#gAYy?(0aG0Yli>nI{NF=>_~l!&V0N*@$ws! 
z)p%LfU?2fAhW0uD>zit6*0~f5RM|gx<{TT4^!mkv3Dr<39fflJcMs5c?|-kqYu~Sk zcXr&c=x&h1QAE_A+djkh*M;@hL-vv)Jc9%7Z-hszkLBc*pXC&2nf=-kQ^M3fA;RI~ zlZYb5Yn)wNv8m@<^QUd2hx=#R=;>d)NMcLZA^OmNDXi<3QC6MbZe9`0gI4qOR7cNtM58#VhBZYjm-Vh zrXN24#sqdg09no}2|ll>X%#WN(w!1?C;XA5$}m z^&-;|8o(aSg@wsu-ZD<MlUPl_B%+WRkC&Rqi>OwES)mTX)Pk&8qspy&piwCKAPkicBT~ALVRK_GB8d0uiph8p6W2jpL^+Zrr;EEcoNH{^Q<%U z+5*BRq+CBe<79q+`7t`=$U2#zrzQWGAenHwf}JbsfxM$H)qz8+!$VI_$Caq-FAguB z7d*Xy$=#H7`YhzfB#&Ujv zCVL}*^TEw+idX6HTZ>bgJFo{Y13wu&_Ze;({Buo`b^*I5+?OCY@9mu|=G#av>ZPeq z)(T4UN1%#}yM~>0gUG+$@)5Y9J=*({&i?E;W?1{(uT3eE!zPhn`X@sAg2AYrUs!(R z>9}PYQ#^^Yqf*9xI)JD}AUrLPZmhL`RDsHdLR|XzDax-8y;6C}P2a8LdK1KOK6kIS zYH?PZR0EYnbbaGkvW{3}b&Xsd)(sOf`cX{3B4oen|r% z6syytV^!8V@Kg>rcXv6U$Uoj1>rXq}Tl@N)1McOhvYBDb@IFn}_1MT;#qa9{Y3fcj za9W|ZiMcgdw_u=i{l#i(Ee<*kC9|H`>|+2(_-*Tk=ZDKo0W}*l0Hrm+1zBLT@#3=X zQ(Rnb(+U_#6^>=1WE*LH#L;93-(`Kq;-TPG(6rqz@X+D{b#Y_iQSjlRiM7LLEB>@6 zHc5lMirOfb@-STA4SYgsy&uSV*3nH)7ATNu&Vq8hTQZfU!%2S0|zUIa{iVz!}t4UbMNj)r~5G9P^D zMJq(yLCOfQD*#g+DRw^l-bGkpTEzPwMv*LEp&JUIv>8ARky=36e` zW0U1(W{SIPkJA9l0cSpU3D9M0gZSOYaO#b~>iXfyNj!)G5dbLim6I|3M0h9MVKvz- z<)vO&L`3|QOL3)c1s&b-i2fIGVw#y}Mv6w}jHDY$ceY(QrR6^R z&8(Gjcg(%4o5kJTCo&%TCQ~1lo*F7aK+o`%d?+TJ_Z0q<9z~vfZpsQwTc1Uip=&68 z#Lx?V&pGX13bUrI*2>m(0bG1(-|#mxWp|*tS^<8Ok^Vk%0f(odVPQOOC@d_N$P$sxlFz%!6%yq_SL7Ph31sWn7b3jXDUw=`BCD z?PxOkeWP5)z-h+IWd}AmZ_P;P*}6i~<|;TZV{fn4#Ng2%Z|5a_d>X5w0ZL3L59C0u z>aOI0gjfxH;6TzgTzK2qmFBrygHK5K2qcI(oXxmeHX}hTEj^W-U-BE)_sP7unM3OQbHywsb0i%WFBnN`FKy0AK$gMx~@j9 zP+WiFQ?g|}A0|pN?oY)xQX(b>MWs*C-DM^0%S~m)5s*0_zq_ne*h`pQwDxMBH)=e! 
zSa~U^Y%f>tWV6bGtPPX>ZcfGJhzwuW!@+T%CJx@{Y-c}; zl}+ZQdp>rszK`(%`-l^|!%EpM7)d;ZxqmodP4s=;WEcDIwOn<{KK`v6XpBsHH^Yr5 zEH{In5Rk}JXl{UP?^P1|KD7@#4P_T}=!X0IGV^Xh*bp5^33>z)N0+oK%xQ2$j-%l@ zxKxWq6vP9SKY-Vb4c_|hL;pK<%ZZ5$krAQDr0BXl*o2Vnb(a8ou6 zwoTVnlwcnce7rX|N3Mf+O49M+dFeVS5(~Q}k_3+5a}qc@zOfVw##v%@4xTT=g}sT8 zmKw=Sw9i>-9CIKI#smO8IDyn4e=Mj{1f)Y8eXvCAHgr$pi^Hi!uwOC%WCY|5o6XnC zU_H+RcUM5F$LjSNQ7M}H37jv9H-t-PcumFYl3y9mXS_gnsG^&VIf{mZL)ElDodq7` zwZ@2}7q;MI58U~aA_P?*#z5b(?&|t6Wb7w0;Ue91hr&?QgV5B2iE}>xMl@J$ch}4X z=T_9+;)ZdT{JODAqf^wOL&nJc1 zmZd+MgK9g`d!wD#>6*S4+ls4a+(k~7Nv}lI?K0@soux#%TZ=mS+*X4F%#gU##Cmw9 z?;qa^NHd9=@{KPmX&2Ki^Yw? zWL=97Tp@ZTOG&N@-y^L5HP6MGD#H4tc8krzXR&vs)~mU;9Gg505IrV&o&slwGYRav z++dVp@mlt|z zZ*54jRlhV@Xb;jXw1QlOWojc}N@s)GR3(AxfqQ`Lp`UgDm|2k;K5CZ~KN_nU^GO?eMnM?qq3}YPEDb|+5mxK;o|FDyJ7_sZ%ky3Xy zWUngkcrQ|mHS*Zg_Nw^Djdn)_r@8m(b^9EHzGF#fnXYCco(IKgoo_yCa28}wy2eqX zb?=pPOi5KS$-38?ieH{WLof@BPO zGG42JGjN)Z8My*7+v`D0&x-n|%}AG3C9H8mkxziV2FT_79S|ui4MDgMGLo*mygauf ziuU_HIR2+g9SS0cv(kJnH}D@k$US;P(lb@-Y+19CpyQO>)dd3vyLkA<=G%+;-+49b z&ijC!Cb(0(Y@Yt-V%;P5>BmI~^$U9Mmx+KvS`QDGNDYB8OcO1*;;fge*T*7AxDHWqo!=C=jGycO zU(~%-Se0Mf?oD?q-4aT7w{%E%Bi$e^DIh2f5>isq-Q5z>A>ANd(hX}&|IhoZcRlag zSjX{geQvNENc^UL4w)aMS5h1wzR z2B(JB|1h|ZlW--sZnq|r} z|F;LypQDbQZWup0@zKnE3GrRC}KLJeBxFlN}#bwfN zBO;5HMSL3;GedNPU?tWaU&v9tE<&ZONeW?>LQ1M`l`di#YSWC`-P4g_3|sVjIn85ZUR9c zacW?V+jT#~=5>u)C*}yP-iYZ)~dYr2geFpT{$Gbor= z6iv53X&J}!SzhSuqd9OCEb?R5{PH>wEWNM8e>)USL9E{4O|Yr{H9dPp%?H1WAM*?I zjPKF8;LPP$(zUx~=b<~?>7e~?4hmII3zJCtr_PE{PW;32S&C zn63SP7V9F6NL-TTK$A_cP%?rSO}$tuxL=$)^H}=WWcX$3Um}T}9U|cE;k2DrAZIMs zZ=4{}qh(}N05~j4$b>EpaI5AoI{IU&h6`~aWv;54+65&qnXW)r_bt%f+e$&HSLJMy z8Q%f0Y`*ZARB_wvthV)3QGx=%4Npu?x}_z!t%7q@60d02c#k+}}4vLrCB*`2G-A3P%3gRPQS^@N3iInQckKyrWpk82p6d?2QU+YTl(; zd}`?Rz7Z2L&tRfWM4)T`Ac|nx_fPN$xXB}H^pYv=^Z?yxF`(Wv(s_`OhJcE1COw53 zP7Ts?=K}U?vd5D<5?gC)Z!a6``~MYz_*dm@oFY~J(yXio?i%^jHVU$x`CX_+uSomP6wAB*CVT|h zqpVWUW_!6H+^mw+S@GAiqlib3rQ(&+>YY%M>ZRJa(dP_+p)z2;V_@qfL&Tg5#y4l+1$e)MW@Mdwq*WvTn^429%CC_@3n++7`**BA5C=B 
zDaM0(WjRcnM}BP!gPbUXd4uyb&ufIiwKpsMMoR86o-;>rH5$afgaR0p|HGhVCtG-PHX;18i>T5P_i5nTP8kVGum#y=g zHpy#mXKgKVgNapK(}lp?pS|SVJNqZnKL7%8FVxhRwvbl`N`n($X(yz%IwW~Wts7vp zJUH&18JRxz7gfNto?h{~9ld=l6HuG6t)iXzCv}%gSpAWT6{;{$r7$A2zks4Q$V%F( zGMXY7h}R84*Tp8v4ShFqd>D=_J|}LLO&&^jD{F#G49PRVz7fa;+){jPeLaDv)g16G zZs#Gwr#O56aHlx947dz`ph+0St%bViPh~vCXe^&@u3+I?u`c zu1y}$5%xWNKnmrpK$NlO-74(j6qga%PY7f{nYst2FbP$Tmcb$_8UoE%Rj*Dnfm{ zd|j*oa1Y*mziQa(zCH8ti5G;`QEXRG`@ByF`3~%TVb3=$t!cDwS9&9xlG-`gwB|`alFBo&N?4kf1$aoVDvpJbV+-w9HM_ocpep1a7Rd`842Vp5UC|rm zRWA#)48v?M;FIrYP8MW)xjDFm-ZxG^MMbc`mVYd0)3TQI=*pjwzig}B`muL%j`_t` zM2H1Zv&G;j%^dV-+saDx;xIn1Cm^sXP78wjL$trnL_wT9d_y zbC(>xsP3#A?cL>LF}EZ4?*`!e>_s;d7V{;2bfiJ0H=KR5nP`}fHM!#GVQ$Oy*1mo- z28DxMI+OdMf1BAvh^pr~EGB3>*-%S@6dJ5#+E14Yj`K7@7s~Twy;C*O=5QjJG(x)F z0`4CIG(C27VM@~%gClP7IYA6E)LobYPXE0VqbR+l;A)?6 z7JN=|{P4)4|I@>}3E7tkni$$2Pyzg)rb#pewdR+^pB{nZmYg{>Mopa@Mz&=Qr$L?- zA1csr{WXAPxf$uU@!qus?__Qu@55wzDOy)RXKG%MR&5!1C*st@o1WVWp~a`Q<(U2i z07Id;N!}v~EZo$E9R`zg z1qD&X%N})t_`L(m13lk zLWw*J!#f{=k>9h;P(BHp-fIW}mr;w)pMYl6$ta((cUxf>ELCl%S(vs-9I(9y3b>)vlK(6;E^9x|x2 z8cHeQ09i8@;wKnk(;%C(qn`bx<3PE~fHZWegN0{N5`kktls$)Lq+oB(X+j?<|8?SvY)pt|44ZYOfpZonV8;amS|H# zqRCL~wQz^5WZS)5E;vNHfWIVH48ikj!KcQJqHuh|+wLd*wbO9XZvECmrhaX}6-edUAUy{b$?gUCT~WA*Ee0F7+%{ z;LEWooav3?R0g=j?1h(RLbqVMH3N}$r@+C>uKYpQtR3u1_!cs`&6;WReL*ib#F!r0 zvIgMAwT%N7+3DoA7?~!G;n0@9-L)yuqW`JMmfFVgTrk+*)$dBFnyoEfKrZPwDS5VE zm#~?^>9s4n1ofg(*SpZqx*tyN7vh@g)JoQT;b>H{yT6cKT2{ zZB`*#J!8pik0 z@!Gkyki6BmGkOu|jd>pRi%Msh;Hm^O69fVYv3{+h(*?)25hRn3+4%LxP)_8^MaBh|mI5@^Ao%;20xU+Tc=I9e!)#ZDcckdR#NBfdW#RhJLh2~^aa9D~FB zcEIK{${Yr9naj$_6*U`q?_`C3ubMa$@V8yn-DX*ZDp?itcRJo2g+M(st0>{P{XoD8 z1VlCs|7QIWQ4G5w>6{BwMf}dKf$zBKGj8IeH}rBA?}K z&J{Ydd%S6Esn1p@TB=pGR|w#zFaAbPRW8-0vwhRC_P{2TcKUml?cHuC_PZzNO7;ou zX$JYQNONLxcTyV~_A$DTxEgQI)EXy+XL+BD=#ivE&6`Bp*q?FcbDmj>T|FycjFKTO z-cV-y*tThFOV5>=W!Up=n0ASFks?RA(Ca8Q&Sy0jXX)6gR6%0URh_mzR1+`pHz%Ju z@#KLlw{*o1biS!C^ZsYisx{-2^leOI?^~8n?4j-!bPHB5a6g%xj0CUAOFODX78m$k 
zQ4U)jU-Hxo`-CV{9vb8kVK(+s7O-vq!OV!=Tf%DjMHsko*B>+3o{*)*7)RE(R1Ph+ zW--Hh&3tlH*P$nURINdHq$K&6rMHf|D{f%KORz zUB+tQ=o(yXEJ?C|XBP8ke{#4~5vXjtocl=gH^xZeba9!rD>9cccMC-Oq8C(DRCKeV z%TU2=tQ;D(u&{7mu3YGyi_0d2xMO}p49P_*4-blBHy?QZ&`H)wjC5~R1e28oY1%=? zYCwQxG4yr3sEo3O63YxYF;X;O`#b@FW=nv{1vCt8dSK~!zP;b0YoFtV62sm(%A%Vk zw<>!5z4r1qA1$EnA}?;N`ayljktX*Av3nboIWgq{NT^4ZG08{^fdTE)qWCxsk`Yz@T%@Bn1aj9_`c$>Kj=f+;aPR}PCu;$_Rl3!RKX!ksz|y>=mF zv^Dr;1^;JUDYMsE5)R)(uAP^+PT?#a~ z`qWpxwisbZgx@z{@B8Y%=U*qU@^RrAnhDw^RH{1RnX&IBX)~2^mbHwUBPLox3Vl+8 ztuA@iCMx|;6u&2#py%r$--4w}<_a;}`kxjYZDkRo*7Ao(hte~23}ocT)pk1F zVg95g9|VWRLy~-t_X$c*CiB}eby(%<8DlkAzA=g{rPGHW%fw}n@4O@yY0+h9^WAUo zy-c9%)iZYG$q@|Rxr+RDjDfRi^+GK`Mbnh(e+Ot&YA-aV;rVO{0%VBoN@KZvv!^>WOy;?Z>%JFsbK{EcD!=LwNS>wNmY7B|Q(+OTVya3~ z4Ipp8)8~rBS2YxZ8kH(7n^*~m|d52wv<4O$|wx06o0F6p20`Oa=0UZZjyW^n; z5H*J@n=^|M{l(&DE%aTmO9Jdroj`rP%SA9p0XZ4BUL^~7l(iuuX)YNo8INTQ`WeWj z?QdD59+c8-PS9}5z~b0M5O1y2HJhnOHL^9B>1FASHHz1=wV`w(_bMwJGTBx!aA`va z4HBFV+M4YqqM#dgxGtdB{?2D&)@fS1{!j+h=A$riVwNtCfd7_5Cq0@)MMzl`D2y1B}~(e)7H{TemP z%-FaUqa|$|o!%CD;a214c>RoIVeopHt?ev~o!D(M;P|y!$VrcbkJjhtOxSorBzeNJ z=r%a1Jc7+~XA#57ASLc)`ROC0=@C99IgTXRQWZm{Hwa<`{HN7NgKdVie|1Gx$87$O zK5yg&L2@PEUO~<|;t`noTeAl76ifO6C0^dqRS0=+U(|)!sU3>$30DnhQIryhj{N{4 zpM|unOeU#lGA2m3^D!WLI$S1pF>(4KTKKkr5%2-^kB|9!FnwfVI7qA=mG^xjk0x!CvydX$K$+r#Baq}?qbt)E)ocVL#$6V-{%c{3 z1plqf)^KY66+BQ0#se2qgLn|$*aLo3M%M!XcBOA#rF^nwTV4SE4|kC%tSTIn#}HP` zDvPx?^s{v$v<8F?VfZVbwj(ykoL21lKP#l&6tlCPK82nlwNrQ;Xo>Oc?N3Zvlo>b zTubG8dYM%s4m;Mu3~lLa$T%Wzi|W{!4WA-4?cCz4N^o^=LIxVX`hBShM^wkydbn)k z`-phUB0cD#K9L1eNqN3c7RUL+XESwJJEU9M=v=Z_m=fMsVl;?`(fli)`>|%jrM%A7 z7Fy{}kC%M9YiOqb-L$B=pV@rpR`KoFAsjth?6-EaeN}M1?R?A5rV!T)cuD4zwGy`4 zV4}t;{()f|lWx?|JZdR7r>-z}!F0Fa@TxDNT?G+t!XWWE!gGpn4ECXMb_-No2F?rc5C+bKx{3J z^;E&vu)*EXKoq_Su8_0c|AlvyqYqi+%!w4?NkVRp)soNB zy&mct#B9=^UJ}DK6|&-Gk1}14M3K5?-wgayDVG1&=IssPk?JOskdw0@l6hv?3M0{^uA^b>AUT7WciX+HmY1Zw0sx6(BY4 zWQU*Easel8`OHNqu(92Aa56aq9gJ-q9Ndfhvy3OZ=L+lSb2wO>AEr|Zg2iUAcVK=5 
znx26(+yIacl$MVV)KE29?i{#)V5MJV4R~3_w4yU;NN*wO8++yw9ks+W@66I)Q;5p1 zk)h5An6Y(nUFRkl7I`=ZZ?@f^4ibq5c(d!*muA8`B8heg1$aB`GuBLxP(OG{KB;8|sU z;QRHfiDqawCceU076U!*dQ}u%3JJ4DKIViH)qNJ!jg;fP4Z$&@8@{7dfketro2`sy z)}qD|y(90O3HM!@eR~$eqCSS@eIi4YIad2NHozaw!Dx7^a8s{Yq4C>3CN0B=V`Z11 zU}r$uDUeANM@liNW9LXU?j$Il%W8LjDUio{(P-b^)XAsmJK@41(r50zUzWq+auWs1 zq1;7gjQVHE@fMG74{X!U`8K?el}gD!Mx%5xn~o$Iz7(>HniHU~G8x3bA`sA~`n+Kw zb0zEXYk|j=kZmvTg8e#n>azD097Oh*6o>xDli%X{ zYs81xz8O=diKI!VDakK~d3?9KbDV$CetfP)l%V5UJh3tB{ZLo5@}j}k&Bm`M6e}_NmNy3McOTr~A-Y0fvq|w>vsIGT! z5lD)+CsObiRvrrUXqt}4h3nh@M6;X=JSP-SD8y$fSvHaypIbf=bW{OxH69QZMZpsZ1M(^@W8nj%ZfHV|7!_!Xk+i~2 z!dXSTK9Jg$xs5YPX@3rqC2H2;p`Vcw3RVdGJ;h1C{3=8 zX>~r*mXBQ>8V1o>$o4a+t}2;Xoq;Kqh{VL;SrU^T?aMT$Km^X!_r4&hamN+CRKHR6 zn2zlI4&~3Gp^{YmWJ0Jby;G&sHEb@+c1&$2 zhX+}^g~Xq?+3#dg(BoM14bm>5WTP>@U?az_b2_-g!rE0e{-D_p8!($3c{le~aK#2q z#~e3KXK%s|nV`P1L7&~d2~G!pOhaPy6BZ%XGiK*bMf6}KH~#Ooo)wBOb=r>-k0>(h z=4trkpQzYiX$K34XMXk*PZM;Lv#;N3%;ON^Hl;p#7=+W;=%Ny06ou8xTAi{Ee~)=M zOOq=7q|%xEFgciFLfN!JO=xbn(7&%`n>#nw&JrKiHLTjQ>+Q04yI231ZdmVM_{Cx7 zO68b@)M0_XRWU8s0Q$h*{rg zY)MjkSbo`KM!hj;>}8KMr(*ah#H+dz8a4Zv_q)tf+TC~o_8_vpPy2DK{mIzpF^VJq z66p;QBc;LZu9pIdcN^dIGvmsmQq-P=`Zks1DT;)_EqODR6{fwbn(T|STyTO$Cy)_2 z6KQIlW|I-VellCQdYU-S3E{WNIPtC6?Y8~yxpAd?vwVEO_szwgvF~<7T+&DKQObaP zdY|bkiRZiB0?LwK{NOl`{g{{ZN{d(=MuYM@Kd+_j%Z+B2$vz%AH?J&&fHiN_{YhV* zODgMonz)<8ob>?%%aKZXuoDyAwTcBnBN&|KS_mykco;Cz-3=nu#zRmdp zqDEtnp#BKd#IuKF1B+hNi(LZI=<-1fR(=7@BQIsV?p-fK-C zBUJmP0=xwy{B2Z^p(SY|&_# z4f&$16lEI$wv1)@ZDkvP)lz7|_ZrF^Xc5asH{bnSaBOF)wiqsIW}&nRW1^+alcX`f zc2Y80diC9V;%FAbL!v5P!51hoFvmOTDv2^H+6olj4KVbW2p*F^WA-YOqbqk0KT$pC zCD-w+@wym3!gIx3+m(Ckq#t~rSg$rvWc$NGVNz(KfzM->Yrm_j1ct8oRZ=F;=reDV z!P^L1x*B&HD4tq7cR*k zOK}_9YRrhtWJFQi)r(3~eBb8Cy+)l!m3 zzh;RG;n$FpyJkz7m)rX#wl@TBQQy<=3-U$oc}9{Po;i$h9%&=8LuGbh_vIN+Nk_s+ z-yc@j|8dCqz8~x_BXLzpgcTqfyI197Ki4*;T~_WjU;U=PBIf;&!MqI_Zr-x*T~Mu1 ztWdA*W{HE6Y~620Z?!5s!7|+b<@x4^Vk6-tl6_*`Z&$oq4#@Ik*_#u(em}Q*bfa1) 
zPxWy3#Co0k+DvYil`Wq2J!&*X+=RnPc}%j0+hLdsX#PxOIf`3gv`@2QwEzUVpgTccQ52{HGjqEYEs0e(i4jui1*N5AAW_pjq75_s7O8eGf z$-W`XlGJ%P#uwbip1A!YoV&$^p2ka5)4iz8a@DX;pDyhm1K<4fO8 zGU~aMPC-o4LMV;X4T+2W-wNk{f4M8iLu7o8kH2sF?%gRFvTg@|r9(xXxd)QLbpvmE zlM#vs-rzPNUsZLLZZEBrbv>5323H&&;S1a;htbSrTtV^pNlJt6KrZ6$)mbOPB^uRJ zh9a}0EqywdgwMXqt?Ty}1};qh`{n*Vy5rGPP*4b;zzq%wkpteeSvzi*p>H415CHur zp{k1AW$0)PBNBgxQcKo;ehufKLjLLxg)A~^;&qHDU0KOQ1oEoXh_Rc#%kTXSf7dVT1cvry8 z77hGpd}MIGKS@^C(2{eI3A3Z~7)xnZFeDSsO zp-<46*;5f@QK?=Sqn++bj19}ae@hR7;BnMNF6M8-AW z+q*FSmp~hQA8#w|A;gpU&Y#uZ@Fi6C&8c$ij(TCFO#FNY>u731E>4AME}YrpixCZS zSy8VxOTqv4vyg{eUH>E2Y0njU3u4v%@BdWtP5y^R)$RY{QO*CKR@VQwrzK}HyoG`i zWR#T)`;q@oPpc+%{()V)$w{(pVXR_y$rCe&Ss&TQyEQ+p)R!~Tcow_uX( zKa+bt@sq;-r$6)mcTY=)Z2Hqa%OzuD%CZUy@%{ZWm2-Amvm+{cdJH{1JyjqWmyUsf zqYvl5Uo?=bv!DkW6-iS@N$L1p^kWECLj@q6ATa&s8rKchxG~UM{Tvn+*U};g0$t+v z_H545N7kHpsrmSH*4Nj+7Zk{FJ1knYiT~%qkpdPgG-7UGzq|)0v~;o(W3jO=2>5=m z>vVH)xH3J5HY-D&1~Vz;x@|q`i1{dn*E!S!JGEFFX5frE^OYKjfF@CQ`Fj7}qWwSi ztAAe<^D{NP#wOQ))@~aBSlo9}jo(|qrs+KClnq~2qn_<;{T!Uo+aK_VVH_Qv4vMe| zN4j(c1vnn|rN1<_KA8?%;+*d^47s zL;ep_q|5=ZzI%KfO^pXmxafs?$C*B%T#mY&s$*)pWp)Gs&tR>jN}5at$Iubg!}CQAyEs zCVVKHpNZxNM)s{;2L%y6F2lg?jokb1FF^#O)&FH%Kw$Kw6WEb+j=U*$MMjVNytH9% z>fBhu{3>>DUUxVpX1^$IfT$jB?r;l>qB9E0_s4!|F75;eySmYgOey2wQsG9_@swne zj@NG{)hXY!M(%%qx_=*JKj6dSDc}YvO;S?M(miYH`MG}hv8wbJ%?MN~hR}=GX42Ll zUseb5!A%Lhm<)V_xivCi15T+p`RHe#?Ur4Vcj^!X&MSziJFuxk^M3S?^7WivO#A$#FO7L*GkGT?SArIXo)kA=^BMh}6-6LM zf01$h6ncLZ*7_efmSDnY@%0yGKB_g~Q;MI0&#mHYmeJfy>c=)PrJ0cAyPXph&{VMMp&~#IIhL1i2#&6!VB9kh*Q^goLW zI1{mHxu{0tQ)W4rLVQ0`aT>nxCZ*)wkm*MPUf;r!N5oi4u(qxU>-rBIXDGA)xluoXG0zj@^9WG z0H?-~&lESrqRI;#7;eNQ7@;>&J7*0Iyo9_lOTWM#b7&3D(IxlilS=O(85R{LW@g`K z?R1|Nf=rlmUB4gL()|EIKU683aBgHCJ%iCoa7SI^-0JDE*T>K&uDGu#fsK^`c3wY4ew?M z?{r_m7mIN89j&Bc%f`76Y_PAg93SC}G2B(96NZ1UdZng+lNzxt^3`;AG-^ff?@j${ z3@Gt(pi!osK)}lYNO=VjY!cZyIh)|BO9C>c<+LXA5fE4b*^nWeIgpF$75kt|^cmDVd zaL~SjL_uIzt=o^_7#aI7yQ()v*#*SM>Yo46I{-3)8UeDw_gBvvl$t?m8W*gZmsca- 
z%khi_KR{!Nl1VHw43)DntFX{=nwbZ7RZAqS{F6@wdD&q$&bkI-1mZDElNaI@!tW7A zJxA{xOy}VFqb>QC2TQn?#m8XTxqe*=>)RZrKOt(QPE8N=VwT7Dcu@b`8a?Keb}xgn zETE1^W2QvjeTzDaOV`${j%WF^T#1ZU{&=4W%nZMpUO8rchNX7sr&~t~=jj_;F5*1H zzcHUy)_LrIRoapF0NY;w_uy8*cMVMu4#RLDM zay}?0vV~wfzd>RRB_t)SLyFoTFUsEmnCQUMPhF`|A5f$HXl#7wFl71j&F#Zv#&@ey1rKYWrtLEcSDLmN@%D(B-Xm#K!~ zOqf(b4jL6QUT(wQypaALM5zG=OSjl|GOVmg%AnUP%pcwzBagpR)~$f!JNVY=kaQR6 z>`6XHKqkUu=peu^mE=77n^!i{nP?CLtGO~l&eXs}vAJv^oqh4Yzo`wDsXyQjDO*Ck z|I>{*zfQh{Oi=-iyABDl&#{IQ`7xRyV${c^-=J)C7nt~{SMQKeQo`7{S5)i@d}?8f zfca46dGhuFn|!b%pbU3wB%J|b=H4~l`&C%wb!OqaG9VRz0%c2P>)m4V4P+DV^0T2| znt})c2uBh$^pXIGeg6?GksuE(g0GIvj^pxKvf(%voUU;lLLeDbGP@%08l3Mk*>Yb) zp$R~eL3A`O%$R8ma5k$#B$f(E>FG>B>XihNLuM=+E2cxCN1cUL@L0*W`neo6yC={4E1l|?tyWuq2utv1~p`#; z0LjH~08WSpfm5k!Q=w%&PVEg2OZtg0u?oYt?V@%wAnqyuFi*VaHwRI!awv4DenlEtRHO?{HE$wVOkB{FepzqpvQtSslCjs|5$S6F*y5r28uROM&tvS&gfFjqPH~m$9Pl zJ1onW*qQQ)3zLo}Q^XqPDYB@a0qrftgFVhjvLwcBlQpZ?uDjmTw(MKe!~85G3z^~D za-cNXdJd%XB-(f38&Mn4XT}MoA$|E=gBOy~`D~)QqCgKkK%wc0Au*2eJ1tDHe( zn%&ep#pM@1K{BIIRO2A8gNUupq*uy~UuBJXhHvNN>e=ESpDU3kAtuzebCF~FbY_!Z zd|O{{OE#u{T@fYQrP~+{IA9GvVc z*qwEhnTwn#emO(WwU15S?5JhKJ5hU|sG`R12=s$06&LeqXlVx|@eQaUphP~dSVxGk z(%z{CZVvYQyg~6CMhUcreQ%JkG}LP^^HM>|WT3MP+q>nxKA^ryH|BD1Jq@mk<}&f`De`@L}PR!q{Z*DI2H7eNYw zf|DNOgzf9jzq;nH$VsLODMJReKhTAHJdZeOIl^QEjzy%#rTwg@%XL4HF4aFK#nZ4B z6-(rizBsZ;GJ6v2n~l;XUD=M8gM4WhWFK$*6$hbXc|4d&w{OglfY zuY2Yy`OB(CH>zc5C2fW`*iutxm7gcy1_I?r8K3#&m?Tn^H_&qAR(YnDcpWOxtyB*9 z%!t5Qpfw&adGSHi>EK1JzODqgubFjNq6oLx!m zXgu=j5@-LDJxa~*n+=!gO+ccTQ^Mc1PUF7nypC23fYO_oKzIC^_+8P7SJ9Y@$w9@6 zuN|^&awTk3QcBV3?O@Alkkno9z@FcB3#BZg0rQ7gI;qB2r)f_qa-&z_&PUJsxD{RI zrhOfLyyB5X)c@XzeJ!|gz2C^1`0+G)^s5~Hx@nU(iD=TvUKUuR}@mZCmLB`c6@3zS;f z*3>K1)!hGW5sfdK&(~N(^vn+?H$Ym--gkrpID){7nErnklqjZWBLGT0Z~EG&yBysta!|oPujzrx0*^yNudYlzAvc`O|oHOVXhF{Yx~nf zIV4mgzj8}Dm(S2t)PFQFoTW`$k28A^b%+Nft)?SD;{td^I{>Ds0RqofeRD`u03-J7 z3IN$Xj4zYJ@w5O{%6rBNe=S3=+#AI+GT(ER(tA;3sHRI#AggiJdDIo-?z{}CbDfag`bFm5{Z}xnsH>YI{9+Qi?4}tu5Zj5g$L$tU$wHhu9Ta8Z 
z-JzH>4mnOjk^#_Vv2CmT!1=1b;f!8a*3%HRK?XnA4Bo(Sp$8;BTo6FlQ_z3vzAXDW zi=m(M@=eOG9U{fw_D>kvta@Hr$^SOK=3S_(YN{~s(Kzhl9*=dvdfGcTM(iEMKgu@i zh9eTVnE%!ow3V0Jj8%KP8R(3iQVCtH9aL%Ypamb2ti&HP%)AuUpjjkWWqw1I^Lrcd zc3_m_ZcufD?JhsbHICVIbViQTsH-_@Z2D|}rBMQJ<=ZQfWulj0h;Q1aM^66+6$rF& zXH|S@Ig4aM3Tnh_B)REVJREM9Nf=ah(r5@Xmg(h>c6I6_<&WgQL?}5-qdW!2TFQCy zjFM~iq~Z+#!ROzi{=Tw|j?KNg;GUjQ^1In~LjNt=fe3?_qL-wJM|Kq; zah3YL6UD#9-90=I_l0Vo>>is3;Tht7V~_A28ylH_GM}hiJ#*<`)SA5Q2y_(Na^Jrf zku>5oDtX()1!aZyoZ6xLlX)HfXfBokDtdA3PqFW;9z^CmJH+Z)#Aw*v5o(b?Pg@{ z1O?-TMKMKoNcW|b=^u7Rjb+v;`3Gnj+z2`I`%e)lZ||{|umF@AX$`0`W4LUmznVUX zzc+Q|_&`3OBD=`?Z!_#Q^ulSh|GoIinL{Zi1h2&ijP)6MBIotb18E@%JPE5-QzC#X zbNH>39k7oeLB+05zzoYph^`C!*9^P$j~O;KO6XFX4>U7|JyJYCAox#kQiAl&i8uqw zD3#g9zjb^J8RN$p>=LHT`Jh4TR057qX7)dCKt*qRbGyf|;i&mcS7)7s>JBE5r#Fgp zpCbUORD?~W>V@`TZ_A9nOJoVq-b4=qUb3s;0n=YAJl!&3sgGOF6t1KET2>7d zPrj{pk|k%Q^~)1C*bSdMq+j@ha~-_;>%hrtCmZ9ysB?Ah7o#wb4W|(of|#i1W=0k9 z8q)*bg9h)`#Im*sMi0JT2H~2&J4yA5Be71xWR{65Q|VW(u+{m79Qjnt|2QbC*PFOG zI1lFEVS&S2+Oa8NI6tp{)6(5`H>h}o$R&-pF`SJ}ctB*zN2m3**`<8IUrxWAm(UJm z%_*jDdi{Da_$2j&@k^467mVlrEU%c~b>;ss(6NbP`!y|hRK-)vPQsKw{o?}qLf>FA^5&8eX;3#V7XNjKrDsQz?1UVv4exQ+LDQnYiO142DwQi5 zdYclc*i7T~U{PX7q5fEviuh0EUqlhJOa8t;4T-lXW$pX)gV>xPncm$&w*dEIzH2FX zyI{4)RDIqAh)Mf>`s&BNi{XUI>3c-lJ>DzMJwAN75Vq7Fq0Ko^e{S~GRPYaB(W_bN z{bkUM2%O6J86`Qodj?#BJ!A)sC)UV})q>s{2CScYypvUYUry^;xOsgznY%6iUFxY7 zodADVVLE=MYHydy!B}Pp|6cE^krM7Pvlt6b((dWR>*w|P*6sF)w#63DQ~VHo^e(3? 
zqTwFLr=r@HnQ(Jc(&dHd<79}%YjZehI#J2-x=cz(|LJJ+Vgx&iaNu?0$&Hk#_QC2G zU`Q$#GOw!rmoMrP?fZ_jQ5V6OBy^LPXp!-~aVrSDI*jYQRhcL5t*!gFLzd?N2D2S z+ytJwL|9D0in4bdDEgulNXxdEW(}h9Z{Um|aG8|hj<=+?B=Qkg_=~6G(&V!4?sb|W z*Zj-c+ykcFRi9=wxzR~5i}yo)FG!w&xvJ|%B#+I%EwY7bsgBRLNFfec^zvLh{qPgA zqhhHjJLL?^*(SGQNGc6bE`vTp@u2h{G5PXBZL;amJCQ|VoSSMRL`In&#WUo+7#pDr z84L5clL3uH(;yz6c6vSM&>GCaN(VvI&_*k~t7)q{L91^|gz%H@w zX#Gfw5nmC%rn{z50kX~QCY33}4zRFNW}601XT@HA0{Tl75WHA=Pu#^O22UKw|2o2c z9|;NR)za4I%d4${h0HtbRWv-yhW2=WZdtzHaBv1g2YJ%?UlwMXh1S$E_Z=#}8zxc<7f|V{!Q`(m1$0 zZ91#$-21{=E5Y_7&w#(}@ACTs!`ycGg#GI_t6_E_1CGq0P@Dbt^4^zo!~@X;5wVfDr)x%! zSEx7b-fdb`-Vu{k^LU4RBBVP1a>lx3p4L@VC)POwi{r+WZ_=!xZD^$-D>5aK%sdoI)_@o zJMpLAHVCZtdELtxX=vmY#;1ZnoPLRbjo<+&xGyybfuzihzj63h17P=HfH&5;2Un{f z$h)l-r}zQFY!VGadn8*j9C%}S_O+>+#nm?9@BUYN=M@xX_ilM|6bVWcB#UGL$vH_< zkYJO80@BblK{5hO5){djMGz3lL5Y$?g(gadCfLwql$UP4}^@G?tWkpnUic@|2L^^~P1e z#+Ch4D+O6!1D4&1Q1UsC3LIB}z=r%Dh2xq1$}3%3ws; zHnIwl#R&#XwF4Q=)5AJ2ZWb$3b2BO)IscCHTwW2D_u7#k0=7gTAaRSHEX7PVtC^dW zHM~JubIfn_?Mk;@-T6@L9)5TFu=aM3Sq`lS#psyP?=MRH3pfrys%kl!bRI2E>T_qdjs~aXiK+&-UOIh{K&G%Q0#Xw1;HAU%I*#JS> z=8(?hvHFyBQ=+)b1O7^rB`;2v+79EO7zkc-#_XKrr4pjMj}T?!f0@_4XjsU{lvkT1 zc~qyCxA=0mO|@l@^?xI#r?9daveKgQjbmZi=`X5KHa8(l!nfy7#c=rD@Ir1Yi^L#s z90djNdjMcqeipMN#%gA$(EL6+#lAwqT0Ej(0dIi$@sWZn^VR@OW8QrUVShWOv*)H&bH@mRMFXEQ{qV5fTPvok} z9=+Gzc@_-W#pa)aKqBbmV}b|O#3xSo>?MOT4<#{y1lQNDt{gH}vR?4b-^joU7EEqZ z%#(01gtNM~3_pWlzNb56@gmN)BZbJ(_p#}cOVvu9gqPCWvH&KIb&rQw1r2f!_L_!0M@EU|@hgpH!uk=K^BMQlnrb?A_O3{K`<` z^KZ?miolvQ8r&U0HGXuwoZW-1r=`F9>Xem09b+|wl2fBtN8ys=5;7)k7AF-dMb@`p zdx`0aWfLtnkMCum=atlrPH`wecKs4x+?kFNE%HWb*NB9Oq+g9sFy@>o-3`EOU8LRA z_1oEF__Bu~`Eprr!ssZln#|pf{2W8sc(sOxaV6<{6yGQKp&{;s(EkQzeHe{}S>xN; zp0<8MHehMijo^@fXx7I*|C45Qk3c#SvhXoa;ZKmoTfQ&KnM`}C_gOlW+oiMUNtLYq z@)B!4bRKW_-I(%2HN)lM3bfbN$uAb0Mtc-Fp(AjCyd2Dtg6P7ItNjY?>kl37hcI>j z`U!c`?y3rV4)PAyO9kyH$)JJ|*73esRQUk>9_%C{zINu?o!Le?Q~W*+o$5u8T1h2i z8OMSPoqJYawfU#7-FpZ6peRu|w4UnoB{j|Yc?XP)q#4B~hkXl!2^r=Uig4a+I*LFK 
zR9XcSY~!>^{9yDSzL50{8k6*`Gs6uCG{2=hi9;YS$ms+M4^?IO2DazDjf|2YD|xG- zAnys*s^a8STss7d`}NBLxZpj&v>t(rPc*VR_dX9BkAl42}0wJb$cwpdv3NJ+#OSp<=^cpaaHLdLBn$>*#U7z zF_mMPydU;eGs8QSs%KTgtbnToJa*l;^Y#Ki+xO7t0(Q5)*Ro+M#0OpwY-qSq9QHB2 zXhn+HBB5>=AOYHebqEbTeZe>DSLq{uC6pP=WSSVLtIC4;}RwbJiIXvs-n679ViQXW*sr z>AO+(-~3a1MV7KpveylaW)BEd8N%dSZ#_cFnPj7_U;jqmzTMC`j<1^kv737%V@v~j z92zwlI-@wm_5%1m|I`mG@j>O)0Zf9fTtzB##iKp>KyYs?D;=qT!UQx zopCiK{_B(_s!RF#6vc*%z+-MPm)tD(0N8?{S$rP1G@ox-D^B&EUiL}o#|vTfXEjK( z?`Q1bD$v5I6%+(GiL)&yij3{{)&T_Jx5d$Ihg7Ov(^S0)y(q(*SG1 ze_#@9syG)Xr>fyrUMMr|q2^4Sw(AFy0}00=t};yxbt&Ng&7E#E_~lafw%?36c^tYO zXHUr@Gr~OOM^)+$GA(pGJ*$bx1HeKV5Y=HWV$;6!6!7Gi!ML6?gOG`d39q8ULI0|J zUHN?@>C3ZSaVp%YOE8~iY>qgvz&sg4T5%BZd`zYi4+jS`FcgS`y}wH&UILG~23oLU zo`{Q2e$UDN@H$G(&VfNBHwYb3XVvWQ2+B8wC0v{{MHnpQkH{0-B<3?-+Ys8B2fxvk z(W>~?Nwf`W^j4bte|_=TmshI%v+;*0?84$;)nLv-Qjg!SHYG_Xb%2dRvrxn(4KcNm zsLr^E#3aIBxWH%4;L#N-ZlNOAlZ<;Z*0d=gtr*dWvmGYWhJ2MU`a9^_?@Y&zuXX5L zg-~n}Ojk@=L_RRAb_=-w_IM6iJ(Y94%C}3Egwcb}u{}_ZZ5bZyf3Cr6B4%7{sZKNI z^?~4?S8`gA1}ycO`f5u#>JO9Pr};=d_4O?0i#14BrlL-j7?gl`+&L@in?#|&!G~m3 z)b&%m5B@WNeVr>8NKU(W!@a)HVa8k?Z2PCYh{i$f$@~U&Q+WOr$?WydjeW`*0`z5r zBJYH68;={?4cwL-UeL&AElU2jqW$D&iG%ib1fjp&>dMKPu_(S-itEK5o$1B66z|WI zM{$nb?1Vkeg~cJR*ouEuJK_a$7inq)pEos1zC^-o&%b;)dcaqB=bdo*%~U!m5zDy_bR zd*H~b{c|8F-qV~@+8q^I7t9|2_}=6aZDzs<@2*0PSiA7A_56cISOF6es=5ukhs4SZ z2#i&YQ!(-z@HE-h7P{SoS>5|o7(>cPriVO?>v>b&lTDyHCTq;3=_(AbB9EzfWOHUol zIHx8aE|FBq18Z5`W94!%96ugLd&+nkL_ym z+udui!L)|#0J+x(I)K-3sd8voKO+N-4rf475kx+h^& zMm@i}z(dGp!3lX>dgL9!qj~nS28Ex#v5YHJQr?IycQ*fPcrAQ91YjHlsI?Ju*4bxgYN zc&trRSY9iA?hyfzm}|<{ZBPxU8FA@MZq(%?uVd(7htS+(q^Dw~jREcmZkfQ)W2e+u zDdGdnZBmlb?4=6Mlp86cDh05%am6*BgF3loO83R*xtCO$!SgRLZ=H;DVoPj$uVJy* zkKD!HE~%OMmxId(?@0pN90-zosa!KzlQs`JFV8t`(}mXWvHxXZ1M&MR(2N4&$@WZJ zBUE@VLg)O`E4+V$V-v+oOUO7EeLtZMUue&CiQQ%V`p-&?Xt$Q%0iQ?dHcQRCPoNrA zT*anF5^YjNgti!Bu>5}L6Mv|rPz$)c^UYcY5)ju^1#r|00Heo)pq4>ywOLl{3|n(o zYoULR*%M$}s1cP`P_Vixx1|L4i!8;ZFm(*o|AN?Vr(g9@%D?1{ljD$oenL5S@Bd@6 
z{}q$HY7*Q!%Bth%732KN^p-qFsCcCkK1FZN$1%ajz>pYDsPhaO-$qRAbVtSay=7=L zrD^34p@fjDuOyJ%;RGP*=O*10#3C(DJB2x zo$&E6Z*_g?A9MNrNeCFXvHCPo*YUCV?z`BKD0Bb;&o~~};{{K6j78$MswH<$dtA3=EpDzH>)t&m z0{H6)xhKi0jKxsFS1t+GN_klhd*D*jK)EWRjc+e7CWnPrMRp<}s~`_)kPPZNZUtkcePO;&{VcUPC!Hhy zoIUW5Gn(FYyr4YNnjd}3!ZmiAfOs}wwrTdvG-|9LRmw^7Qd4%{nntod$o?)KhyTq( zr9Al5jS+?p=4JZilUK;&eIZv8NUQf09@C7P*9c(W-~i_h(oKx+*ZMP9ha#7&?DNC2 zygLcU`=$O9mQj*IBRgUD8F`5>;V6(cIb^^0CDFH4J*Jzien(Oh{3)&Mp<|oA^>RFM z`MUiQQ(A3!6Ik7x`lW=yt$TXw=EvVbBV~=Xs9@3Y(>;f~!vuKJWYL=~OJ|HdTz_rg z>&-3a2j<7X-6y^;!Z%gtJi&nteLmh0Vnv*Nf_%tR#{?dtd4T(7)N$KZim#XY2t(PB z+Df^+Qo=Z#W6wGU!}i+mi5pPo$>IrI>p^;&nwn;Ov+0cgcms0eG5$ExvGRquO*)BC zrP&FmZCmr<00V!LaEX3gp|h!J!uEUIMj&R z!gVYv4e{Ak-d+98bhC6=YpkL%UzVh>%-fNFI}P`Z{YcCzb}OUdYd&Ieb1t^M`E zWuxve#^wzU6u@0y=-~N zM<%JW{c-bW(dv&T!V-mTqq&&0|G;LYzW{7jF1g3uQS^U-&HkP{l#mSyuo6{hZZ~9< zy?CM}zqHYy{bQv?!ztev+I{Dh?#w8jKY(NNZT1V0JQF}&Y#JO#QFwJc8)&zN67JTz z-V`sG&X-?q1=B#|0}?j^o$TT4;d#Zm$wivc(@JkaltJZ*nC;hf(W4z#PlaAZ;NfXN zRGyy}RIAq$CYR->E5htyC+U|(l6pJeE_tR}E>nYUHRU*S6h1u~Rovub9oMyep78xE z;MtMxQ?w(YJJs6&d2MKV7-mx`Jm$Z*jjU-1oMz-vc>}7oQ-l1cX*#l8W80UjR3w<} ztFdTo$S;RKyP``eSNbIwR#}7A$$)JC+5OL9OT}_=qH~w|h88;AvsK+|k)osW@_18c zcGAxvtEwbhUk4;n)NZ3w_R-f)jbZ<@D1t^YaB6%cXZ1HtZ@=9%P zz`Y%s`+HX2N@(`avnHJ-vuZvt&62L6pO(#^62C|%-KaO_GAz~CZN{ao3*IOwMpyxAI(8V~ge%HSQKGY--K-py*C;zl% zN}==apbj0R{52U?|Zr&5Wx(_OnZoSP^bP|q_ePWC&iTDJBFOM(Em zp>;BJUe(i0yOij5sW9K0%pGlahW^uzaGk6YgYFXalcwv9+ZuE?;a2Cdjf7}b21F*q z<(1gi@iRN#+NNGH<1vm68cdSQR~w&Nnxs8qv!`98*<12^BJ6CM?Jl@T@+twBzNvzC zAJG(44uKp3vNoJ+ZMLf%vb{9{nmSQ;9;EY<|t$t+8o=hU~MK!VK&GUEoV4< zP>~UsOQd-eO4qV-(K@N%d<{>qHt@9YgWhxfnZuf!)rGq6e5<&k6^!|D^(SiWr|}c_ z(eq2!vr=|=Bdr{rJ4`c}ZqmZj`X0rzPv}@DXL1XpV16vjQ#wSJdqoP?$7>4>8$?Vu z4XagZ@A?Ro`sr)c&z|$IHZVb*(vcC`aaumwb0MjJdRWM_Q=>Lsvh?~Yn5!Wy`*kOHEB5~|;@ijVCkmj)esdI-hUW`$wKvxZhbXo$ZdUMc~x zTBo68me8JO&2h`%xJbC!p~xl@7&qojBIQGp*m<-D;hk7}HMSc;HtwP^&E>ADH#-0N z`f9d1jr#;k>DWt_}Q&wK?tG4-`3m{NocAK 
z{6{+GBewFvi@BwnCTF<|LeC8wxp0lnayeu>Z=0`9H$05{Dw!!+J))8+mEyv6<0F$dI>2B4ZH<&|j0ow@tx0fdZ;IK@#_T&t%%+?%LN z?aSS1N24V{ke}3sZAfQ7`8l#k2Rh~fO zy>}}=)%RY3Y=!e-^a&#SZ*5GP1x9Re#Ou!jkjM+I^M2}O(BR|G9CaqoEFV3|e%>gB z3VM7W{mIPW6?npPMZ~vT|Nf-EUl6x?H=W5&&hgzZ?wUXA;kSDX$%+0$Qxrm+Ebanm zmVr`o5^W`8%Ekz$K+p6zh9@z81CI!negxx0P;XOzwg{u;lzQ6hlr<507>h_bP_zhl#o{e6G zg~~W#+e~5GGTZ{1b#U0Lo-`gMEV$und*Nrk%SD+^+Y)Gkm)b9ay7!-d6TpsKI=Q#1 zxVwK+xW&V>ned(vq;(R(%)KKAUc|lLEji71bNCdHmB1;>Ut;h4B*~jxAM%LPF@fDc zfBoP}hUqskHEEV1aRHMmkt?wjse_gr++TCGmt6XiMUB(Pm(l!v)-&QLm4A6AqN=^E zt@^g5G89_)p`hUP&!=J?YmA*XSa|O*=C^ipW5Cy)SG$9RPW_RMqimX}1#+65idc z4^|?ygMdQ&4i`$u)>7>Kgl^>m&7Z;Z+-wY|f;2anZ-?NHBd!3%dz~hC;1RdWe9aUC zZRG~PdwGD~TDqdG$h%N%pD5z$6_fu|o11&CT!Ke;;4?~k-u_PRzEfgklv;r{TrGEm zD8g^LR3JH+g`b;km)^bnL=#Yi^7H?~;T2N<_x{!bz{~y1x4o31_bh#>DmJ121GXseEdT%j literal 0 HcmV?d00001 diff --git a/dependencies/infra-as-code/bicep/modules/hubNetworking/parameters/hubNetworking.parameters.all.json b/dependencies/infra-as-code/bicep/modules/hubNetworking/parameters/hubNetworking.parameters.all.json new file mode 100644 index 0000000..686de4b --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/hubNetworking/parameters/hubNetworking.parameters.all.json 
@@ -0,0 +1,235 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "parLocation": {
+ "value": "eastus"
+ },
+ "parCompanyPrefix": {
+ "value": "alz"
+ },
+ "parHubNetworkName": {
+ "value": "alz-hub-eastus"
+ },
+ "parHubNetworkAddressPrefix": {
+ "value": "10.20.0.0/16"
+ },
+ "parSubnets": {
+ "value": [
+ {
+ "name": "AzureBastionSubnet",
+ "ipAddressRange": "10.20.0.0/24",
+ "networkSecurityGroupId": "",
+ "routeTableId": ""
+ },
+ {
+ "name": "GatewaySubnet",
+ "ipAddressRange": "10.20.254.0/24",
+ "networkSecurityGroupId": "",
+ "routeTableId": ""
+ },
+ {
+ "name": "AzureFirewallSubnet",
+ "ipAddressRange": "10.20.255.0/24",
+ "networkSecurityGroupId": "",
+ "routeTableId": ""
+ },
+ {
+ "name": "AzureFirewallManagementSubnet",
+ "ipAddressRange": "10.20.253.0/24",
+ "networkSecurityGroupId": "",
+ "routeTableId": ""
+ }
+ ]
+ },
+ "parDnsServerIps": {
+ "value": []
+ },
+ "parPublicIpSku": {
+ "value": "Standard"
+ },
+ "parPublicIpPrefix": {
+ "value": ""
+ },
+ "parPublicIpSuffix": {
+ "value": "-PublicIP"
+ },
+ "parAzBastionEnabled": {
+ "value": true
+ },
+ "parAzBastionName": {
+ "value": "alz-bastion"
+ },
+ "parAzBastionSku": {
+ "value": "Standard"
+ },
+ "parAzBastionNsgName": {
+ "value": "nsg-AzureBastionSubnet"
+ },
+ "parDdosEnabled": {
+ "value": true
+ },
+ "parDdosPlanName": {
+ "value": "alz-ddos-plan"
+ },
+ "parAzFirewallEnabled": {
+ "value": true
+ },
+ "parAzFirewallName": {
+ "value": "alz-azfw-eastus"
+ },
+ "parAzFirewallPoliciesName": {
+ "value": "alz-azfwpolicy-eastus"
+ },
+ "parAzFirewallTier": {
+ "value": "Standard"
+ },
+ "parAzFirewallAvailabilityZones": {
+ "value": []
+ },
+ "parAzErGatewayAvailabilityZones": {
+ "value": []
+ },
+ "parAzVpnGatewayAvailabilityZones": {
+ "value": []
+ },
+ "parAzFirewallDnsProxyEnabled": {
+ "value": true
+ },
+ "parHubRouteTableName": {
+ "value": "alz-hub-routetable"
+ },
+ "parDisableBgpRoutePropagation": {
+ "value": false
+ },
+ "parPrivateDnsZonesEnabled": {
+ "value": true
+ },
+ "parPrivateDnsZones": {
+ "value": [
+ "privatelink.xxxxxx.azmk8s.io", // Replace xxxxxx with target region (i.e. eastus)
+ "privatelink.xxxxxx.batch.azure.com", // Replace xxxxxx with target region (i.e. eastus)
+ "privatelink.xxxxxx.kusto.windows.net", // Replace xxxxxx with target region (i.e. eastus)
+ "privatelink.xxxxxx.backup.windowsazure.com", // Replace xxxxxx with target region geo code (i.e. for eastus, the geo code is eus)
+ "privatelink.adf.azure.com",
+ "privatelink.afs.azure.net",
+ "privatelink.agentsvc.azure-automation.net",
+ "privatelink.analysis.windows.net",
+ "privatelink.api.azureml.ms",
+ "privatelink.azconfig.io",
+ "privatelink.azure-api.net",
+ "privatelink.azure-automation.net",
+ "privatelink.azurecr.io",
+ "privatelink.azure-devices.net",
+ "privatelink.azure-devices-provisioning.net",
+ "privatelink.azurehdinsight.net",
+ "privatelink.azurehealthcareapis.com",
+ "privatelink.azurestaticapps.net",
+ "privatelink.azuresynapse.net",
+ "privatelink.azurewebsites.net",
+ "privatelink.batch.azure.com",
+ "privatelink.blob.core.windows.net",
+ "privatelink.cassandra.cosmos.azure.com",
+ "privatelink.cognitiveservices.azure.com",
+ "privatelink.database.windows.net",
+ "privatelink.datafactory.azure.net",
+ "privatelink.dev.azuresynapse.net",
+ "privatelink.dfs.core.windows.net",
+ "privatelink.dicom.azurehealthcareapis.com",
+ "privatelink.digitaltwins.azure.net",
+ "privatelink.directline.botframework.com",
+ "privatelink.documents.azure.com",
+ "privatelink.eventgrid.azure.net",
+ "privatelink.file.core.windows.net",
+ "privatelink.gremlin.cosmos.azure.com",
+ "privatelink.guestconfiguration.azure.com",
+ "privatelink.his.arc.azure.com",
+ "privatelink.kubernetesconfiguration.azure.com",
+ "privatelink.managedhsm.azure.net",
+ "privatelink.mariadb.database.azure.com",
+ "privatelink.media.azure.net",
+ "privatelink.mongo.cosmos.azure.com",
+ "privatelink.monitor.azure.com",
+ "privatelink.mysql.database.azure.com",
+ "privatelink.notebooks.azure.net",
+ "privatelink.ods.opinsights.azure.com",
+ "privatelink.oms.opinsights.azure.com",
+ "privatelink.pbidedicated.windows.net",
+ "privatelink.postgres.database.azure.com",
+ "privatelink.prod.migration.windowsazure.com",
+ "privatelink.purview.azure.com",
+ "privatelink.purviewstudio.azure.com",
+ "privatelink.queue.core.windows.net",
+ "privatelink.redis.cache.windows.net",
+ "privatelink.redisenterprise.cache.azure.net",
+ "privatelink.search.windows.net",
+ "privatelink.service.signalr.net",
+ "privatelink.servicebus.windows.net",
+ "privatelink.siterecovery.windowsazure.com",
+ "privatelink.sql.azuresynapse.net",
+ "privatelink.table.core.windows.net",
+ "privatelink.table.cosmos.azure.com",
+ "privatelink.tip1.powerquery.microsoft.com",
+ "privatelink.token.botframework.com",
+ "privatelink.vaultcore.azure.net",
+ "privatelink.web.core.windows.net",
+ "privatelink.webpubsub.azure.com"
+ ]
+ },
+ "parPrivateDnsZoneAutoMergeAzureBackupZone": {
+ "value": true
+ },
+ "parVpnGatewayConfig": {
+ "value": {
+ "name": "alz-Vpn-Gateway",
+ "gatewayType": "Vpn",
+ "sku": "VpnGw1",
+ "vpnType": "RouteBased",
+ "generation": "Generation1",
+ "enableBgp": false,
+ "activeActive": false,
+ "enableBgpRouteTranslationForNat": false,
+ "enableDnsForwarding": false,
+ "bgpPeeringAddress": "",
+ "bgpsettings": {
+ "asn": "65515",
+ "bgpPeeringAddress": "",
+ "peerWeight": "5"
+ }
+ }
+ },
+ "parExpressRouteGatewayConfig": {
+ "value": {
+ "name": "alz-ExpressRoute-Gateway",
+ "gatewayType": "ExpressRoute",
+ "sku": "Standard",
+ "vpnType": "RouteBased",
+ "generation": "None",
+ "enableBgp": false,
+ "activeActive": false,
+ "enableBgpRouteTranslationForNat": false,
+ "enableDnsForwarding": false,
+ "bgpPeeringAddress": "",
+ "bgpsettings": {
+ "asn": "65515",
+ "bgpPeeringAddress": "",
+ "peerWeight": "5"
+ }
+ }
+ },
+ "parTags": {
+ "value": {
+ "Environment": "Live"
+ }
+ },
+ "parTelemetryOptOut": {
+ "value": false
+ },
+ "parBastionOutboundSshRdpPorts": {
+ "value": [
+ "22",
+ "3389"
+ ]
+ }
+ }
+}
diff --git a/dependencies/infra-as-code/bicep/modules/hubNetworking/parameters/hubNetworking.parameters.min.json b/dependencies/infra-as-code/bicep/modules/hubNetworking/parameters/hubNetworking.parameters.min.json
new file mode 100644
index 0000000..d0ea43f
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/hubNetworking/parameters/hubNetworking.parameters.min.json
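Review bot: In hubNetworking.parameters.all.json the first four `parPrivateDnsZones` entries still carry the literal `xxxxxx` placeholder (`privatelink.xxxxxx.azmk8s.io` and the batch, kusto and backup zones), although `parLocation` in the same file is already `eastus`. Deployed unchanged, the file would presumably create private DNS zones that no private endpoint registers into, so name resolution for those services could silently fall back to the public endpoints without any deployment error. The substitution is requested only in trailing `//` comments, which also means a strict JSON parser will reject the file. Since the comments themselves name the values, the sample could ship them filled in, e.g. `"privatelink.eastus.azmk8s.io",`, or the module documentation could state the required substitution and the pipeline could fail while `xxxxxx` is still present.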
@@ -0,0 +1,117 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "parHubNetworkAddressPrefix": {
+ "value": "10.20.0.0/16"
+ },
+ "parSubnets": {
+ "value": [
+ {
+ "name": "AzureBastionSubnet",
+ "ipAddressRange": "10.20.0.0/24",
+ "networkSecurityGroupId": "",
+ "routeTableId": ""
+ },
+ {
+ "name": "GatewaySubnet",
+ "ipAddressRange": "10.20.254.0/24",
+ "networkSecurityGroupId": "",
+ "routeTableId": ""
+ },
+ {
+ "name": "AzureFirewallSubnet",
+ "ipAddressRange": "10.20.255.0/24",
+ "networkSecurityGroupId": "",
+ "routeTableId": ""
+ },
+ {
+ "name": "AzureFirewallManagementSubnet",
+ "ipAddressRange": "10.20.253.0/24",
+ "networkSecurityGroupId": "",
+ "routeTableId": ""
+ }
+ ]
+ },
+ "parDnsServerIps": {
+ "value": []
+ },
+ "parPublicIpSku": {
+ "value": "Standard"
+ },
+ "parAzBastionEnabled": {
+ "value": true
+ },
+ "parAzBastionSku": {
+ "value": "Standard"
+ },
+ "parDdosEnabled": {
+ "value": true
+ },
+ "parAzFirewallEnabled": {
+ "value": true
+ },
+ "parAzFirewallTier": {
+ "value": "Standard"
+ },
+ "parAzFirewallAvailabilityZones": {
+ "value": []
+ },
+ "parAzErGatewayAvailabilityZones": {
+ "value": []
+ },
+ "parAzVpnGatewayAvailabilityZones": {
+ "value": []
+ },
+ "parAzFirewallDnsProxyEnabled": {
+ "value": true
+ },
+ "parDisableBgpRoutePropagation": {
+ "value": false
+ },
+ "parPrivateDnsZonesEnabled": {
+ "value": true
+ },
+ "parVpnGatewayConfig": {
+ "value": {
+ "name": "alz-Vpn-Gateway",
+ "gatewayType": "Vpn",
+ "sku": "VpnGw1",
+ "vpnType": "RouteBased",
+ "generation": "Generation1",
+ "enableBgp": false,
+ "activeActive": false,
+ "enableBgpRouteTranslationForNat": false,
+ "enableDnsForwarding": false,
+ "bgpPeeringAddress": "",
+ "bgpsettings": {
+ "asn": "65515",
+ "bgpPeeringAddress": "",
+ "peerWeight": "5"
+ }
+ }
+ },
+ "parExpressRouteGatewayConfig": {
+ "value": {
+ "name": "alz-ExpressRoute-Gateway",
+ "gatewayType": "ExpressRoute",
+ "sku": "Standard",
+ "vpnType": "RouteBased",
+ "generation": "None",
+ "enableBgp": false,
+ "activeActive": false,
+ "enableBgpRouteTranslationForNat": false,
+ "enableDnsForwarding": false,
+ "bgpPeeringAddress": "",
+ "bgpsettings": {
+ "asn": "65515",
+ "bgpPeeringAddress": "",
+ "peerWeight": "5"
+ }
+ }
+ },
+ "parTelemetryOptOut": {
+ "value": false
+ }
+ }
+}
diff --git a/dependencies/infra-as-code/bicep/modules/hubNetworking/parameters/mc-hubNetworking.parameters.all.json b/dependencies/infra-as-code/bicep/modules/hubNetworking/parameters/mc-hubNetworking.parameters.all.json
new file mode 100644
index 0000000..dd5b18b
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/hubNetworking/parameters/mc-hubNetworking.parameters.all.json
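Review bot: `parAzFirewallAvailabilityZones`, `parAzErGatewayAvailabilityZones` and `parAzVpnGatewayAvailabilityZones` are all `[]` in hubNetworking.parameters.min.json, so the hub firewall and both gateways would presumably be deployed without zone redundancy; hubNetworking.parameters.all.json carries the same values while tagging the deployment `"Environment": "Live"`. In a hub-and-spoke layout these resources are the shared inspection and connectivity path, so a single-zone outage would take the network controls down with them. If this is a deliberate sample default, the module documentation should say so, and it should note that the gateway `sku` values shown here (`VpnGw1`, `Standard`) would likely have to move to zone-capable SKUs together with the zone lists.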
@@ -0,0 +1,197 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "parLocation": {
+ "value": "chinaeast2"
+ },
+ "parCompanyPrefix": {
+ "value": "alz"
+ },
+ "parHubNetworkName": {
+ "value": "alz-hub-chinaeast2"
+ },
+ "parHubNetworkAddressPrefix": {
+ "value": "10.20.0.0/16"
+ },
+ "parSubnets": {
+ "value": [
+ {
+ "name": "AzureBastionSubnet",
+ "ipAddressRange": "10.20.0.0/24",
+ "networkSecurityGroupId": "",
+ "routeTableId": ""
+ },
+ {
+ "name": "GatewaySubnet",
+ "ipAddressRange": "10.20.254.0/24",
+ "networkSecurityGroupId": "",
+ "routeTableId": ""
+ },
+ {
+ "name": "AzureFirewallSubnet",
+ "ipAddressRange": "10.20.255.0/24",
+ "networkSecurityGroupId": "",
+ "routeTableId": ""
+ },
+ {
+ "name": "AzureFirewallManagementSubnet",
+ "ipAddressRange": "10.20.253.0/24",
+ "networkSecurityGroupId": "",
+ "routeTableId": ""
+ }
+ ]
+ },
+ "parDnsServerIps": {
+ "value": []
+ },
+ "parPublicIpSku": {
+ "value": "Standard"
+ },
+ "parPublicIpPrefix": {
+ "value": ""
+ },
+ "parPublicIpSuffix": {
+ "value": "-PublicIP"
+ },
+ "parAzBastionEnabled": {
+ "value": true
+ },
+ "parAzBastionName": {
+ "value": "alz-bastion"
+ },
+ "parAzBastionSku": {
+ "value": "Standard"
+ },
+ "parAzBastionNsgName": {
+ "value": "nsg-AzureBastionSubnet"
+ },
+ "parDdosEnabled": {
+ "value": false
+ },
+ "parDdosPlanName": {
+ "value": "alz-ddos-plan"
+ },
+ "parAzFirewallEnabled": {
+ "value": true
+ },
+ "parAzFirewallName": {
+ "value": "alz-azfw-chinaeast2"
+ },
+ "parAzFirewallPoliciesName": {
+ "value": "alz-azfwpolicy-chinaeast2"
+ },
+ "parAzFirewallTier": {
+ "value": "Standard"
+ },
+ "parAzFirewallAvailabilityZones": {
+ "value": []
+ },
+ "parAzErGatewayAvailabilityZones": {
+ "value": []
+ },
+ "parAzVpnGatewayAvailabilityZones": {
+ "value": []
+ },
+ "parAzFirewallDnsProxyEnabled": {
+ "value": true
+ },
+ "parHubRouteTableName": {
+ "value": "alz-hub-routetable"
+ },
+ "parDisableBgpRoutePropagation": {
+ "value": false
+ },
+ "parPrivateDnsZonesEnabled": {
+ "value": true
+ },
+ "parPrivateDnsZones": {
+ "value": [
+ "privatelink.azure-automation.cn",
+ "privatelink.database.chinacloudapi.cn",
+ "privatelink.blob.core.chinacloudapi.cn",
+ "privatelink.table.core.chinacloudapi.cn",
+ "privatelink.queue.core.chinacloudapi.cn",
+ "privatelink.file.core.chinacloudapi.cn",
+ "privatelink.web.core.chinacloudapi.cn",
+ "privatelink.dfs.core.chinacloudapi.cn",
+ "privatelink.documents.azure.cn",
+ "privatelink.mongo.cosmos.azure.cn",
+ "privatelink.cassandra.cosmos.azure.cn",
+ "privatelink.gremlin.cosmos.azure.cn",
+ "privatelink.table.cosmos.azure.cn",
+ "privatelink.postgres.database.chinacloudapi.cn",
+ "privatelink.mysql.database.chinacloudapi.cn",
+ "privatelink.mariadb.database.chinacloudapi.cn",
+ "privatelink.vaultcore.azure.cn",
+ "privatelink.servicebus.chinacloudapi.cn",
+ "privatelink.azure-devices.cn",
+ "privatelink.eventgrid.azure.cn",
+ "privatelink.chinacloudsites.cn",
+ "privatelink.api.ml.azure.cn",
+ "privatelink.notebooks.chinacloudapi.cn",
+ "privatelink.signalr.azure.cn",
+ "privatelink.azurehdinsight.cn",
+ "privatelink.afs.azure.cn",
+ "privatelink.datafactory.azure.cn",
+ "privatelink.adf.azure.cn",
+ "privatelink.redis.cache.chinacloudapi.cn"
+ ]
+ },
+ "parPrivateDnsZoneAutoMergeAzureBackupZone": {
+ "value": true
+ },
+ "parVpnGatewayConfig": {
+ "value": {
+ "name": "alz-Vpn-Gateway",
+ "gatewayType": "Vpn",
+ "sku": "VpnGw1",
+ "vpnType": "RouteBased",
+ "generation": "Generation1",
+ "enableBgp": false,
+ "activeActive": false,
+ "enableBgpRouteTranslationForNat": false,
+ "enableDnsForwarding": false,
+ "bgpPeeringAddress": "",
+ "bgpsettings": {
+ "asn": "65515",
+ "bgpPeeringAddress": "",
+ "peerWeight": "5"
+ }
+ }
+ },
+ "parExpressRouteGatewayConfig": {
+ "value": {
+ "name": "alz-ExpressRoute-Gateway",
+ "gatewayType": "ExpressRoute",
+ "sku": "Standard",
+ "vpnType": "RouteBased",
+ "generation": "None",
+ "enableBgp": false,
+ "activeActive": false,
+ "enableBgpRouteTranslationForNat": false,
+ "enableDnsForwarding": false,
+ "bgpPeeringAddress": "",
+ "bgpsettings": {
+ "asn": "65515",
+ "bgpPeeringAddress": "",
+ "peerWeight": "5"
+ }
+ }
+ },
+ "parTags": {
+ "value": {
+ "Environment": "Live"
+ }
+ },
+ "parTelemetryOptOut": {
+ "value": false
+ },
+ "parBastionOutboundSshRdpPorts": {
+ "value": [
+ "22",
+ "3389"
+ ]
+ }
+ }
+}
diff --git a/dependencies/infra-as-code/bicep/modules/hubNetworking/parameters/mc-hubNetworking.parameters.min.json b/dependencies/infra-as-code/bicep/modules/hubNetworking/parameters/mc-hubNetworking.parameters.min.json
new file mode 100644
index 0000000..c16d37a
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/hubNetworking/parameters/mc-hubNetworking.parameters.min.json
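Review bot: `parDdosEnabled` is `false` in mc-hubNetworking.parameters.all.json while `parDdosPlanName` is still set to `alz-ddos-plan`, and the same file turns on Bastion and Azure Firewall, which presumably receive the public IPs named through `parPublicIpSuffix`. The global hubNetworking.parameters.all.json sets the flag to `true`, so the difference is a deliberate downgrade whose reason is not recorded anywhere in the file; mc-hubNetworking.parameters.min.json has the same setting. If the protection plan is simply not offered in this cloud, record that in the module documentation so an operator does not copy `false` into a region where it is available, and consider dropping the unused `parDdosPlanName` entry so the file does not suggest a plan exists.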
@@ -0,0 +1,153 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "parLocation": { + "value": "chinaeast2" + }, + "parHubNetworkAddressPrefix": { + "value": "10.20.0.0/16" + }, + "parSubnets": { + "value": [ + { + "name": "AzureBastionSubnet", + "ipAddressRange": "10.20.0.0/24", + "networkSecurityGroupId": "", + "routeTableId": "" + }, + { + "name": "GatewaySubnet", + "ipAddressRange": "10.20.254.0/24", + "networkSecurityGroupId": "", + "routeTableId": "" + }, + { + "name": "AzureFirewallSubnet", + "ipAddressRange": "10.20.255.0/24", + "networkSecurityGroupId": "", + "routeTableId": "" + }, + { + "name": "AzureFirewallManagementSubnet", + "ipAddressRange": "10.20.253.0/24", + "networkSecurityGroupId": "", + "routeTableId": "" + } + ] + }, + "parDnsServerIps": { + "value": [] + }, + "parPublicIpSku": { + "value": "Standard" + }, + "parAzBastionEnabled": { + "value": true + }, + "parAzBastionSku": { + "value": "Standard" + }, + "parDdosEnabled": { + "value": false + }, + "parAzFirewallEnabled": { + "value": true + }, + "parAzFirewallTier": { + "value": "Standard" + }, + "parAzFirewallAvailabilityZones": { + "value": [] + }, + "parAzErGatewayAvailabilityZones": { + "value": [] + }, + "parAzVpnGatewayAvailabilityZones": { + "value": [] + }, + "parAzFirewallDnsProxyEnabled": { + "value": true + }, + "parDisableBgpRoutePropagation": { + "value": false + }, + "parPrivateDnsZonesEnabled": { + "value": true + }, + "parPrivateDnsZones": { + "value": [ + "privatelink.azure-automation.cn", + "privatelink.database.chinacloudapi.cn", + "privatelink.blob.core.chinacloudapi.cn", + "privatelink.table.core.chinacloudapi.cn", + "privatelink.queue.core.chinacloudapi.cn", + "privatelink.file.core.chinacloudapi.cn", + "privatelink.web.core.chinacloudapi.cn", + "privatelink.dfs.core.chinacloudapi.cn", + "privatelink.documents.azure.cn", + "privatelink.mongo.cosmos.azure.cn", + 
"privatelink.cassandra.cosmos.azure.cn", + "privatelink.gremlin.cosmos.azure.cn", + "privatelink.table.cosmos.azure.cn", + "privatelink.postgres.database.chinacloudapi.cn", + "privatelink.mysql.database.chinacloudapi.cn", + "privatelink.mariadb.database.chinacloudapi.cn", + "privatelink.vaultcore.azure.cn", + "privatelink.servicebus.chinacloudapi.cn", + "privatelink.azure-devices.cn", + "privatelink.eventgrid.azure.cn", + "privatelink.chinacloudsites.cn", + "privatelink.api.ml.azure.cn", + "privatelink.notebooks.chinacloudapi.cn", + "privatelink.signalr.azure.cn", + "privatelink.azurehdinsight.cn", + "privatelink.afs.azure.cn", + "privatelink.datafactory.azure.cn", + "privatelink.adf.azure.cn", + "privatelink.redis.cache.chinacloudapi.cn" + ] + }, + "parVpnGatewayConfig": { + "value": { + "name": "alz-Vpn-Gateway", + "gatewayType": "Vpn", + "sku": "VpnGw1", + "vpnType": "RouteBased", + "generation": "Generation1", + "enableBgp": false, + "activeActive": false, + "enableBgpRouteTranslationForNat": false, + "enableDnsForwarding": false, + "bgpPeeringAddress": "", + "bgpsettings": { + "asn": "65515", + "bgpPeeringAddress": "", + "peerWeight": "5" + } + } + }, + "parExpressRouteGatewayConfig": { + "value": { + "name": "alz-ExpressRoute-Gateway", + "gatewayType": "ExpressRoute", + "sku": "Standard", + "vpnType": "RouteBased", + "generation": "None", + "enableBgp": false, + "activeActive": false, + "enableBgpRouteTranslationForNat": false, + "enableDnsForwarding": false, + "bgpPeeringAddress": "", + "bgpsettings": { + "asn": "65515", + "bgpPeeringAddress": "", + "peerWeight": "5" + } + } + }, + "parTelemetryOptOut": { + "value": false + } + } +} diff --git a/dependencies/infra-as-code/bicep/modules/hubNetworking/samples/baseline.sample.bicep b/dependencies/infra-as-code/bicep/modules/hubNetworking/samples/baseline.sample.bicep new file mode 100644 index 0000000..7babf3d --- /dev/null 
+++ b/dependencies/infra-as-code/bicep/modules/hubNetworking/samples/baseline.sample.bicep 
@@ -0,0 +1,137 @@
+//
+// Baseline deployment sample
+//
+
+// Use this sample to deploy a Well-Architected aligned resource configuration.
+
+targetScope = 'resourceGroup'
+
+// ----------
+// PARAMETERS
+// ----------
+
+@description('The Azure location to deploy to.')
+param location string = resourceGroup().location
+
+// ---------
+// VARIABLES
+// ---------
+
+// Company prefix for unit testing
+var parCompanyPrefix = 'test'
+
+// ---------
+// RESOURCES
+// ---------
+
+@description('Baseline resource configuration')
+module baseline_hub_network '../hubNetworking.bicep' = {
+ name: 'baseline_hub_network'
+ params: {
+ parLocation: location
+ parPublicIpSku: 'Standard'
+ parAzFirewallAvailabilityZones: [
+ '1'
+ '2'
+ '3'
+ ]
+ parAzErGatewayAvailabilityZones: [
+ '1'
+ '2'
+ '3'
+ ]
+ parAzVpnGatewayAvailabilityZones: [
+ '1'
+ '2'
+ '3'
+ ]
+ parVpnGatewayConfig: {}
+ parExpressRouteGatewayConfig: {}
+ }
+}
+
+@description('Baseline resource configuration using ExpressRoute')
+module baseline_hub_network_with_ER '../hubNetworking.bicep' = {
+ name: 'baseline_hub_network_with_ER'
+ params: {
+ parLocation: location
+ parPublicIpSku: 'Standard'
+ parAzFirewallAvailabilityZones: [
+ '1'
+ '2'
+ '3'
+ ]
+ parAzErGatewayAvailabilityZones: [
+ '1'
+ '2'
+ '3'
+ ]
+ parAzVpnGatewayAvailabilityZones: [
+ '1'
+ '2'
+ '3'
+ ]
+ parVpnGatewayConfig: {}
+ parExpressRouteGatewayConfig: {
+ name: '${parCompanyPrefix}-ExpressRoute-Gateway'
+ gatewaytype: 'ExpressRoute'
+ sku: 'ErGw1AZ'
+ vpntype: 'RouteBased'
+ vpnGatewayGeneration: 'None'
+ enableBgp: false
+ activeActive: true
+ enableBgpRouteTranslationForNat: false
+ enableDnsForwarding: false
+ asn: '65515'
+ bgpPeeringAddress: ''
+ bgpsettings: {
+ asn: '65515'
+ bgpPeeringAddress: ''
+ peerWeight: '5'
+ }
+ }
+ }
+}
+
+@description('Baseline resource configuration using a VPN Gateway')
+module baseline_hub_network_with_VPN '../hubNetworking.bicep' = {
+ name: 'baseline_hub_network_with_VPN'
+ params: {
+ parLocation: location
+ parPublicIpSku: 'Standard'
+ parAzFirewallAvailabilityZones: [
+ '1'
+ '2'
+ '3'
+ ]
+ parAzErGatewayAvailabilityZones: [
+ '1'
+ '2'
+ '3'
+ ]
+ parAzVpnGatewayAvailabilityZones: [
+ '1'
+ '2'
+ '3'
+ ]
+ parVpnGatewayConfig: {
+ name: '${parCompanyPrefix}-Vpn-Gateway'
+ gatewaytype: 'Vpn'
+ sku: 'VpnGw1AZ'
+ vpntype: 'RouteBased'
+ generation: 'Generation1'
+ enableBgp: false
+ activeActive: true
+ enableBgpRouteTranslationForNat: false
+ enableDnsForwarding: false
+ asn: 65515
+ bgpPeeringAddress: ''
+ bgpsettings: {
+ asn: 65515
+ bgpPeeringAddress: ''
+ peerWeight: 5
+ }
+ }
+ parExpressRouteGatewayConfig: {}
+ }
+}
diff --git a/dependencies/infra-as-code/bicep/modules/hubNetworking/samples/generateddocs/baseline.sample.bicep.md b/dependencies/infra-as-code/bicep/modules/hubNetworking/samples/generateddocs/baseline.sample.bicep.md
new file mode 100644
index 0000000..7e99d9d
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/hubNetworking/samples/generateddocs/baseline.sample.bicep.md
@@ -0,0 +1,34 @@
+# Azure template
+
+## Parameters
+
+Parameter name | Required | Description
+-------------- | -------- | -----------
+location | No | The Azure location to deploy to.
+
+### location
+
+![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
+
+The Azure location to deploy to.
+
+- Default value: `[resourceGroup().location]`
+
+## Snippets
+
+### Parameter file
+
+```json
+{
+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "template": "infra-as-code/bicep/modules/hubNetworking/samples/baseline.sample.json"
+ },
+ "parameters": {
+ "location": {
+ "value": "[resourceGroup().location]"
+ }
+ }
+}
+```
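Review bot: The two gateway objects in this sample do not use the same keys or value types, so one of them is probably not read the way the author intended. `parExpressRouteGatewayConfig` in `baseline_hub_network_with_ER` sets `vpnGatewayGeneration: 'None'` with string values (`asn: '65515'`, `peerWeight: '5'`), while `parVpnGatewayConfig` in `baseline_hub_network_with_VPN` sets `generation: 'Generation1'` with integers (`asn: 65515`, `peerWeight: 5`); the hubNetworking parameter files in this commit use `generation` and string values. hubNetworking.bicep is not part of this hunk, so the form it actually consumes should be confirmed there and both objects aligned to it, for example `generation: 'None'` in the ExpressRoute block. Both objects also carry a top-level `asn` next to `bgpsettings.asn`, which the parameter files do not have; if the module ignores it, drop it from the sample.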
diff --git a/dependencies/infra-as-code/bicep/modules/hubNetworking/samples/generateddocs/minimum.sample.bicep.md b/dependencies/infra-as-code/bicep/modules/hubNetworking/samples/generateddocs/minimum.sample.bicep.md
new file mode 100644
index 0000000..0f75999
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/hubNetworking/samples/generateddocs/minimum.sample.bicep.md
@@ -0,0 +1,34 @@
+# Azure template
+
+## Parameters
+
+Parameter name | Required | Description
+-------------- | -------- | -----------
+location | No | The Azure location to deploy to.
+
+### location
+
+![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
+
+The Azure location to deploy to.
+
+- Default value: `[resourceGroup().location]`
+
+## Snippets
+
+### Parameter file
+
+```json
+{
+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "template": "infra-as-code/bicep/modules/hubNetworking/samples/minimum.sample.json"
+ },
+ "parameters": {
+ "location": {
+ "value": "[resourceGroup().location]"
+ }
+ }
+}
+```
diff --git a/dependencies/infra-as-code/bicep/modules/hubNetworking/samples/minimum.sample.bicep b/dependencies/infra-as-code/bicep/modules/hubNetworking/samples/minimum.sample.bicep
new file mode 100644
index 0000000..f6e7dd3
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/hubNetworking/samples/minimum.sample.bicep
@@ -0,0 +1,29 @@
+//
+// Minimum deployment sample
+//
+
+// Use this sample to deploy the minimum resource configuration.
+
+targetScope = 'resourceGroup'
+
+// ----------
+// PARAMETERS
+// ----------
+
+@description('The Azure location to deploy to.')
+param location string = resourceGroup().location
+
+// ---------
+// RESOURCES
+// ---------
+
+@description('Minimum resource configuration')
+module minimum_hub_network '../hubNetworking.bicep' = {
+ name: 'minimum_hub_network'
+ params: {
+ parLocation: location
+ parAzFirewallAvailabilityZones: []
+ parAzErGatewayAvailabilityZones: []
+ parAzVpnGatewayAvailabilityZones: []
+ }
+}
diff --git a/dependencies/infra-as-code/bicep/modules/logging/README.md b/dependencies/infra-as-code/bicep/modules/logging/README.md
new file mode 100644
index 0000000..5ba38b7
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/logging/README.md
@@ -0,0 +1,147 @@ +# Module: Logging, Automation & Sentinel + +Deploys Azure Log Analytics Workspace, Automation Account (linked together) & multiple Solutions deploy to the Log Analytics Workspace to an existing Resource Group. + +Automation Account will be linked to Log Analytics Workspace to provide integration for Update Management, Change Tracking and Inventory, and Start/Stop VMs during off-hours for your servers and virtual machines. Only one mapping can exist between Log Analytics Workspace and Automation Account. + +The module will deploy the following Log Analytics Workspace solutions by default. Solutions can be customized as required: + +- AgentHealthAssessment +- AntiMalware +- ChangeTracking +- Security +- SecurityInsights (Azure Sentinel) +- SQLAdvancedThreatProtection +- SQLVulnerabilityAssessment +- SQLAssessment +- Updates +- VMInsights + + > Only certain regions are supported to link Log Analytics Workspace & Automation Account together (linked workspaces). Reference: [Supported regions for linked Log Analytics workspace](https://learn.microsoft.com/azure/automation/how-to/region-mappings) + +## Parameters + +- [Parameters for Azure Commercial Cloud](generateddocs/logging.bicep.md) + +> **NOTE:** Although there are generated parameter markdowns for Azure Commercial Cloud, this same module can still be used in Azure China. Example parameter are in the [parameters](./parameters/) folder. + +## Deployment + +In this example, a Log Analytics Workspace and Automation Account will be deployed to the resource group `alz-logging`. The inputs for this module are defined in `logging.parameters.all.json`. + +There are separate input parameters files depending on which Azure cloud you are deploying because this module deploys resources into an existing resource group under the specified region. There is no change to the Bicep template file. 
+| Azure Cloud | Bicep template | Input parameters file | +| -------------- | -------------- | ----------------------------------------- | +| Global regions | logging.bicep | parameters/logging.parameters.all.json | +| China regions | logging.bicep | parameters/mc-logging.parameters.all.json | + +> For the examples below we assume you have downloaded or cloned the Git repo as-is and are in the root of the repository as your selected directory in your terminal of choice. +> If the deployment failed due an error that your alz-log-analytics/Automation resource of type 'Microsoft.OperationalInsights/workspaces/linkedServices' was not found, please retry the deployment step and it would succeed. + +### Azure CLI + +```bash +# For Azure Global regions +# Set Platform management subscripion ID as the the current subscription +ManagementSubscriptionId="[your platform management subscription ID]" +az account set --subscription $ManagementSubscriptionId + +# Set the top level MG Prefix in accordance to your environment. This example assumes default 'alz'. +TopLevelMGPrefix="alz" + +dateYMD=$(date +%Y%m%dT%H%M%S%NZ) +GROUP="rg-$TopLevelMGPrefix-logging-001" +NAME="alz-loggingDeployment-${dateYMD}" +TEMPLATEFILE="infra-as-code/bicep/modules/logging/logging.bicep" +PARAMETERS="@infra-as-code/bicep/modules/logging/parameters/logging.parameters.all.json" + +# Create Resource Group - optional when using an existing resource group +az group create \ + --name $GROUP \ + --location eastus + +# Deploy Module +az deployment group create --name ${NAME:0:63} --resource-group $GROUP --template-file $TEMPLATEFILE --parameters $PARAMETERS +``` +OR +```bash +# For Azure China regions +# Set Platform management subscripion ID as the the current subscription +ManagementSubscriptionId="[your platform management subscription ID]" +az account set --subscription $ManagementSubscriptionId + +# Set the top level MG Prefix in accordance to your environment. This example assumes default 'alz'. 
+TopLevelMGPrefix="alz" + +dateYMD=$(date +%Y%m%dT%H%M%S%NZ) +GROUP="rg-$TopLevelMGPrefix-logging-001" +NAME="alz-loggingDeployment-${dateYMD}" +TEMPLATEFILE="infra-as-code/bicep/modules/logging/logging.bicep" +PARAMETERS="@infra-as-code/bicep/modules/logging/parameters/mc-logging.parameters.all.json" + +# Create Resource Group - optional when using an existing resource group +az group create \ + --name $GROUP \ + --location chinaeast2 + +# Deploy Module +az deployment group create --name ${NAME:0:63} --resource-group $GROUP --template-file $TEMPLATEFILE --parameters $PARAMETERS +``` + +### PowerShell + +```powershell +# For Azure Global regions +# Set Platform management subscripion ID as the the current subscription +$ManagementSubscriptionId = "[your platform management subscription ID]" + +# Set the top level MG Prefix in accordance to your environment. This example assumes default 'alz'. +$TopLevelMGPrefix = "alz" + +# Parameters necessary for deployment +$inputObject = @{ + DeploymentName = 'alz-LoggingDeploy-{0}' -f (-join (Get-Date -Format 'yyyyMMddTHHMMssffffZ')[0..63]) + ResourceGroupName = "rg-$TopLevelMGPrefix-logging-001" + TemplateFile = "infra-as-code/bicep/modules/logging/logging.bicep" + TemplateParameterFile = "infra-as-code/bicep/modules/logging/parameters/logging.parameters.all.json" +} + +Select-AzSubscription -SubscriptionId $ManagementSubscriptionId + +# Create Resource Group - optional when using an existing resource group +New-AzResourceGroup ` + -Name $inputObject.ResourceGroupName ` + -Location eastus + +New-AzResourceGroupDeployment @inputObject +``` +OR +```powershell +# For Azure China regions +# Set Platform management subscripion ID as the the current subscription +$ManagementSubscriptionId = "[your platform management subscription ID]" + +# Set the top level MG Prefix in accordance to your environment. This example assumes default 'alz'. 
+$TopLevelMGPrefix = "alz" + +# Parameters necessary for deployment +$inputObject = @{ + DeploymentName = 'alz-LoggingDeploy-{0}' -f (-join (Get-Date -Format 'yyyyMMddTHHMMssffffZ')[0..63]) + ResourceGroupName = "rg-$TopLevelMGPrefix-logging-001" + TemplateFile = "infra-as-code/bicep/modules/logging/logging.bicep" + TemplateParameterFile = "infra-as-code/bicep/modules/logging/parameters/logging.parameters.all.json" +} + +Select-AzSubscription -SubscriptionId $ManagementSubscriptionId + +# Create Resource Group - optional when using an existing resource group +New-AzResourceGroup ` + -Name $inputObject.ResourceGroupName ` + -Location chinaeast2 + +New-AzResourceGroupDeployment @inputObject +``` + +## Bicep Visualizer + +![Bicep Visualizer](media/bicepVisualizer.png "Bicep Visualizer") diff --git a/dependencies/infra-as-code/bicep/modules/logging/generateddocs/logging.bicep.md b/dependencies/infra-as-code/bicep/modules/logging/generateddocs/logging.bicep.md new file mode 100644 index 0000000..3f6feef --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/logging/generateddocs/logging.bicep.md 
@@ -0,0 +1,230 @@ +# ALZ Bicep - Logging Module + +ALZ Bicep Module used to set up Logging + +## Parameters + +Parameter name | Required | Description +-------------- | -------- | ----------- +parLogAnalyticsWorkspaceName | No | Log Analytics Workspace name. +parLogAnalyticsWorkspaceLocation | No | Log Analytics region name - Ensure the regions selected is a supported mapping as per: https://docs.microsoft.com/azure/automation/how-to/region-mappings. +parLogAnalyticsWorkspaceSkuName | No | Log Analytics Workspace sku name. +parLogAnalyticsWorkspaceCapacityReservationLevel | No | Log Analytics Workspace Capacity Reservation Level. Only used if parLogAnalyticsWorkspaceSkuName is set to CapacityReservation. +parLogAnalyticsWorkspaceLogRetentionInDays | No | Number of days of log retention for Log Analytics Workspace. +parLogAnalyticsWorkspaceSolutions | No | Solutions that will be added to the Log Analytics Workspace. +parLogAnalyticsWorkspaceLinkAutomationAccount | No | Log Analytics Workspace should be linked with the automation account. +parAutomationAccountName | No | Automation account name. +parAutomationAccountLocation | No | Automation Account region name. - Ensure the regions selected is a supported mapping as per: https://docs.microsoft.com/azure/automation/how-to/region-mappings. +parAutomationAccountUseManagedIdentity | No | Automation Account - use managed identity. +parTags | No | Tags you would like to be applied to all resources in this module. +parAutomationAccountTags | No | Tags you would like to be applied to Automation Account. +parLogAnalyticsWorkspaceTags | No | Tags you would like to be applied to Log Analytics Workspace. +parUseSentinelClassicPricingTiers | No | Set Parameter to true to use Sentinel Classic Pricing Tiers, following changes introduced in July 2023 as documented here: https://learn.microsoft.com/azure/sentinel/enroll-simplified-pricing-tier. 
+parTelemetryOptOut | No | Set Parameter to true to Opt-out of deployment telemetry + +### parLogAnalyticsWorkspaceName + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Log Analytics Workspace name. + +- Default value: `alz-log-analytics` + +### parLogAnalyticsWorkspaceLocation + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Log Analytics region name - Ensure the regions selected is a supported mapping as per: https://docs.microsoft.com/azure/automation/how-to/region-mappings. + +- Default value: `[resourceGroup().location]` + +### parLogAnalyticsWorkspaceSkuName + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Log Analytics Workspace sku name. + +- Default value: `PerGB2018` + +- Allowed values: `CapacityReservation`, `Free`, `LACluster`, `PerGB2018`, `PerNode`, `Premium`, `Standalone`, `Standard` + +### parLogAnalyticsWorkspaceCapacityReservationLevel + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Log Analytics Workspace Capacity Reservation Level. Only used if parLogAnalyticsWorkspaceSkuName is set to CapacityReservation. + +- Default value: `100` + +- Allowed values: `100`, `200`, `300`, `400`, `500`, `1000`, `2000`, `5000` + +### parLogAnalyticsWorkspaceLogRetentionInDays + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Number of days of log retention for Log Analytics Workspace. + +- Default value: `365` + +### parLogAnalyticsWorkspaceSolutions + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Solutions that will be added to the Log Analytics Workspace. 
+ +- Default value: `AgentHealthAssessment AntiMalware ChangeTracking Security SecurityInsights SQLAdvancedThreatProtection SQLVulnerabilityAssessment SQLAssessment Updates VMInsights` + +- Allowed values: `AgentHealthAssessment`, `AntiMalware`, `ChangeTracking`, `Security`, `SecurityInsights`, `ServiceMap`, `SQLAdvancedThreatProtection`, `SQLVulnerabilityAssessment`, `SQLAssessment`, `Updates`, `VMInsights` + +### parLogAnalyticsWorkspaceLinkAutomationAccount + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Log Analytics Workspace should be linked with the automation account. + +- Default value: `True` + +### parAutomationAccountName + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Automation account name. + +- Default value: `alz-automation-account` + +### parAutomationAccountLocation + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Automation Account region name. - Ensure the regions selected is a supported mapping as per: https://docs.microsoft.com/azure/automation/how-to/region-mappings. + +- Default value: `[resourceGroup().location]` + +### parAutomationAccountUseManagedIdentity + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Automation Account - use managed identity. + +- Default value: `True` + +### parTags + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Tags you would like to be applied to all resources in this module. + +### parAutomationAccountTags + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Tags you would like to be applied to Automation Account. 
+ +- Default value: `[parameters('parTags')]` + +### parLogAnalyticsWorkspaceTags + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Tags you would like to be applied to Log Analytics Workspace. + +- Default value: `[parameters('parTags')]` + +### parUseSentinelClassicPricingTiers + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Set Parameter to true to use Sentinel Classic Pricing Tiers, following changes introduced in July 2023 as documented here: https://learn.microsoft.com/azure/sentinel/enroll-simplified-pricing-tier. + +- Default value: `False` + +### parTelemetryOptOut + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Set Parameter to true to Opt-out of deployment telemetry + +- Default value: `False` + +## Outputs + +Name | Type | Description +---- | ---- | ----------- +outLogAnalyticsWorkspaceName | string | +outLogAnalyticsWorkspaceId | string | +outLogAnalyticsCustomerId | string | +outLogAnalyticsSolutions | array | +outAutomationAccountName | string | +outAutomationAccountId | string | + +## Snippets + +### Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "template": "infra-as-code/bicep/modules/logging/logging.json" + }, + "parameters": { + "parLogAnalyticsWorkspaceName": { + "value": "alz-log-analytics" + }, + "parLogAnalyticsWorkspaceLocation": { + "value": "[resourceGroup().location]" + }, + "parLogAnalyticsWorkspaceSkuName": { + "value": "PerGB2018" + }, + "parLogAnalyticsWorkspaceCapacityReservationLevel": { + "value": 100 + }, + "parLogAnalyticsWorkspaceLogRetentionInDays": { + "value": 365 + }, + "parLogAnalyticsWorkspaceSolutions": { + "value": [ + "AgentHealthAssessment", + "AntiMalware", + "ChangeTracking", + "Security", + "SecurityInsights", + 
"SQLAdvancedThreatProtection", + "SQLVulnerabilityAssessment", + "SQLAssessment", + "Updates", + "VMInsights" + ] + }, + "parLogAnalyticsWorkspaceLinkAutomationAccount": { + "value": true + }, + "parAutomationAccountName": { + "value": "alz-automation-account" + }, + "parAutomationAccountLocation": { + "value": "[resourceGroup().location]" + }, + "parAutomationAccountUseManagedIdentity": { + "value": true + }, + "parTags": { + "value": {} + }, + "parAutomationAccountTags": { + "value": "[parameters('parTags')]" + }, + "parLogAnalyticsWorkspaceTags": { + "value": "[parameters('parTags')]" + }, + "parUseSentinelClassicPricingTiers": { + "value": false + }, + "parTelemetryOptOut": { + "value": false + } + } +} +``` diff --git a/dependencies/infra-as-code/bicep/modules/logging/logging.bicep b/dependencies/infra-as-code/bicep/modules/logging/logging.bicep new file mode 100644 index 0000000..9171621 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/logging/logging.bicep 
@@ -0,0 +1,169 @@
+metadata name = 'ALZ Bicep - Logging Module'
+metadata description = 'ALZ Bicep Module used to set up Logging'
+
+@sys.description('Log Analytics Workspace name.')
+param parLogAnalyticsWorkspaceName string = 'alz-log-analytics'
+
+@sys.description('Log Analytics region name - Ensure the regions selected is a supported mapping as per: https://docs.microsoft.com/azure/automation/how-to/region-mappings.')
+param parLogAnalyticsWorkspaceLocation string = resourceGroup().location
+
+@allowed([
+ 'CapacityReservation'
+ 'Free'
+ 'LACluster'
+ 'PerGB2018'
+ 'PerNode'
+ 'Premium'
+ 'Standalone'
+ 'Standard'
+])
+@sys.description('Log Analytics Workspace sku name.')
+param parLogAnalyticsWorkspaceSkuName string = 'PerGB2018'
+
+@allowed([
+ 100
+ 200
+ 300
+ 400
+ 500
+ 1000
+ 2000
+ 5000
+])
+@sys.description('Log Analytics Workspace Capacity Reservation Level. Only used if parLogAnalyticsWorkspaceSkuName is set to CapacityReservation.')
+param parLogAnalyticsWorkspaceCapacityReservationLevel int = 100
+
+@minValue(30)
+@maxValue(730)
+@sys.description('Number of days of log retention for Log Analytics Workspace.')
+param parLogAnalyticsWorkspaceLogRetentionInDays int = 365
+
+@allowed([
+ 'AgentHealthAssessment'
+ 'AntiMalware'
+ 'ChangeTracking'
+ 'Security'
+ 'SecurityInsights'
+ 'ServiceMap'
+ 'SQLAdvancedThreatProtection'
+ 'SQLVulnerabilityAssessment'
+ 'SQLAssessment'
+ 'Updates'
+ 'VMInsights'
+])
+@sys.description('Solutions that will be added to the Log Analytics Workspace.')
+param parLogAnalyticsWorkspaceSolutions array = [
+ 'AgentHealthAssessment'
+ 'AntiMalware'
+ 'ChangeTracking'
+ 'Security'
+ 'SecurityInsights'
+ 'SQLAdvancedThreatProtection'
+ 'SQLVulnerabilityAssessment'
+ 'SQLAssessment'
+ 'Updates'
+ 'VMInsights'
+]
+
+@sys.description('Log Analytics Workspace should be linked with the automation account.')
+param parLogAnalyticsWorkspaceLinkAutomationAccount bool = true
+
+@sys.description('Automation account name.')
+param parAutomationAccountName string = 'alz-automation-account'
+
+@sys.description('Automation Account region name. - Ensure the regions selected is a supported mapping as per: https://docs.microsoft.com/azure/automation/how-to/region-mappings.')
+param parAutomationAccountLocation string = resourceGroup().location
+
+@sys.description('Automation Account - use managed identity.')
+param parAutomationAccountUseManagedIdentity bool = true
+
+@sys.description('Tags you would like to be applied to all resources in this module.')
+param parTags object = {}
+
+@sys.description('Tags you would like to be applied to Automation Account.')
+param parAutomationAccountTags object = parTags
+
+@sys.description('Tags you would like to be applied to Log Analytics Workspace.')
+param parLogAnalyticsWorkspaceTags object = parTags
+
+@sys.description('Set Parameter to true to use Sentinel Classic Pricing Tiers, following changes introduced in July 2023 as documented here: https://learn.microsoft.com/azure/sentinel/enroll-simplified-pricing-tier.')
+param parUseSentinelClassicPricingTiers bool = false
+
+@sys.description('Set Parameter to true to Opt-out of deployment telemetry')
+param parTelemetryOptOut bool = false
+
+// Customer Usage Attribution Id
+var varCuaid = 'f8087c67-cc41-46b2-994d-66e4b661860d'
+
+resource resAutomationAccount 'Microsoft.Automation/automationAccounts@2022-08-08' = {
+ name: parAutomationAccountName
+ location: parAutomationAccountLocation
+ tags: parAutomationAccountTags
+ identity: parAutomationAccountUseManagedIdentity ? {
+ type: 'SystemAssigned'
+ } : null
+ properties: {
+ sku: {
+ name: 'Basic'
+ }
+ encryption: {
+ keySource: 'Microsoft.Automation'
+ }
+ }
+}
+
+resource resLogAnalyticsWorkspace 'Microsoft.OperationalInsights/workspaces@2022-10-01' = {
+ name: parLogAnalyticsWorkspaceName
+ location: parLogAnalyticsWorkspaceLocation
+ tags: parLogAnalyticsWorkspaceTags
+ properties: {
+ sku: {
+ name: parLogAnalyticsWorkspaceSkuName
+ capacityReservationLevel: parLogAnalyticsWorkspaceSkuName == 'CapacityReservation' ? parLogAnalyticsWorkspaceCapacityReservationLevel : null
+ }
+ retentionInDays: parLogAnalyticsWorkspaceLogRetentionInDays
+ }
+}
+
+resource resLogAnalyticsWorkspaceSolutions 'Microsoft.OperationsManagement/solutions@2015-11-01-preview' = [for solution in parLogAnalyticsWorkspaceSolutions: {
+ name: '${solution}(${resLogAnalyticsWorkspace.name})'
+ location: parLogAnalyticsWorkspaceLocation
+ tags: parTags
+ properties: solution == 'SecurityInsights' ? {
+ workspaceResourceId: resLogAnalyticsWorkspace.id
+ sku: parUseSentinelClassicPricingTiers ? null : {
+ name: 'Unified'
+ }
+ } : {
+ workspaceResourceId: resLogAnalyticsWorkspace.id
+ }
+ plan: {
+ name: '${solution}(${resLogAnalyticsWorkspace.name})'
+ product: 'OMSGallery/${solution}'
+ publisher: 'Microsoft'
+ promotionCode: ''
+ }
+}]
+
+resource resLogAnalyticsLinkedServiceForAutomationAccount 'Microsoft.OperationalInsights/workspaces/linkedServices@2020-08-01' = if (parLogAnalyticsWorkspaceLinkAutomationAccount) {
+ parent: resLogAnalyticsWorkspace
+ name: 'Automation'
+ properties: {
+ resourceId: resAutomationAccount.id
+ }
+}
+
+// Optional Deployment for Customer Usage Attribution
+module modCustomerUsageAttribution '../../CRML/customerUsageAttribution/cuaIdResourceGroup.bicep' = if (!parTelemetryOptOut) {
+ #disable-next-line no-loc-expr-outside-params //Only to ensure telemetry data is stored in same location as deployment. See https://github.com/Azure/ALZ-Bicep/wiki/FAQ#why-are-some-linter-rules-disabled-via-the-disable-next-line-bicep-function for more information
+ name: 'pid-${varCuaid}-${uniqueString(resourceGroup().location)}'
+ params: {}
+}
+
+output outLogAnalyticsWorkspaceName string = resLogAnalyticsWorkspace.name
+output outLogAnalyticsWorkspaceId string = resLogAnalyticsWorkspace.id
+output outLogAnalyticsCustomerId string = resLogAnalyticsWorkspace.properties.customerId
+output outLogAnalyticsSolutions array = parLogAnalyticsWorkspaceSolutions
+
+output outAutomationAccountName string = resAutomationAccount.name
+output outAutomationAccountId string = resAutomationAccount.id
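Review bot: `resLogAnalyticsWorkspace` and `resAutomationAccount` are declared with no setting for public network access or key-based (local) authentication, so both stay at the service defaults, and this workspace is the one that receives the `Security` and `SecurityInsights` (Sentinel) data. I would expose these as parameters that default to today's behaviour, for example `param parLogAnalyticsWorkspacePublicNetworkAccessForQuery string = 'Enabled'` wired to `publicNetworkAccessForQuery` (with a matching one for `publicNetworkAccessForIngestion`) on the workspace, and a bool wired to `disableLocalAuth` on the Automation Account. Turning off local auth on the workspace would affect any agent that still authenticates with the workspace key, so that switch should stay opt-in and be described as such in its `@sys.description`. Separately, the six `output` lines carry no `@sys.description`, which is why the Outputs table in the generated docs has empty descriptions.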
diff --git a/dependencies/infra-as-code/bicep/modules/logging/media/bicepVisualizer.png b/dependencies/infra-as-code/bicep/modules/logging/media/bicepVisualizer.png new file mode 100644 index 0000000000000000000000000000000000000000..8de53129959c8acea78b26d6e39ac39d3d684cc4 GIT binary patch literal 30790 zcmeFZWmH_jwk{eZ(73z12ZzQ9PVkT*!6it50KpxC2bTo*1cEm%!L13>Kp<#v2=4B8 zb@tu+?2NnLc<;v>cii{J`H}RZyH>5LS+izM`MwpYsji5HPLBTQ(IYHnCAsI19w9M2 zdW6snLIJ*^U`n$FJ`h}>vG3ga(>_elpGV z;;*|kqc5rc{lS6A+cMI;&q;QP+5hKI{&6>}!Y%fnk^O6sZgjb%#Tf1wAOH0YdW8?pG;IFxdq z0MBsie4F>z-GSyk2mk8(&o7!Jh#wM~O&c`-A<%#R$h+e4*EsP1v-lvUi*0^_1=0(@ zO~@;KpVgSf`L1baOJBA62mI&Hz4JR>zUTKhOU8daFINFs6u!Q8$qh4q3jm*0xuai6 zSz!OaWC9=e8)ZQHD$T#S{+e|%V=gIMWFOUEbC%{pV^w&gJk|1-#DWq5`7n(&%Kp2w z@xL+wO2W03-td=_XeI(G!AS1$_rlfz4=ZLeI{EZZnf>YM8NOz8vfL{6-_!d9Jgn}s z-NN4kQwBtzX!DEiuQ^P>ANI+0*x;{$vBKwzA0zg+&b$I1Hj!B2rSjKWF#+>^mhT+? z_Z(D!hrRkC==k@*7=iiz?-Op&uAY~I~V`?bMEaT z4Fkh^JI?;!+vkm3Zb3tXN40`iM)_aUqy^SB`o9<8|0mk52XS0%OJCRcZ}alcUHjkW z1%6ikU)b*d^URA8(?w%JImp$+BOLsiyUd{B$sH9L85#yLCx}C*%!UIyW?{Ojs_KP& zMM|+Vh|{o<$FRkd7ZVdRq^+&ZX?vphRM@1lueex{OsoYleatg@S`V3ZRT6O&a`RODlAF==+Sb-)n5_yF3B;OG)` zL}gH5W?@01&u%9mAW)8{6!+xGlnU@)*fx7w!;p)WN!8$;`30*C^=xZUF52`)K~b?T zXngfJf*v?N=xO)Porlu}%|@~%lp{tHM19Wf$>)br+UGr|jnRfeA7OjVRKGU+S@JTk zsE7qE5eXGLWV}dYgvnr}oDRXk6l*!%Z4Pe~rGB2N@>#H0LHBJ^$(kjznquHsM`=Yf zdzo>osPADX>T*vcftigBYv`+t3SJ#OL@en*Tl9$Q`}=!Bs=R`4mfsTzsmyvtC-jhO zgJRqy%G6E>Mp1+w1j`gL2pP_D7aqOl^RDtZSb%t){AQHHWgx{%LT2RgK>Vcw@+lOr zFlm=8Z>JYskr48z|2goKLXRu)H$#vH(1(9|q`@Rb&R zGLg6C1AU@=IHgGQjn5#z{@I#Q(*bd|;|+ns@GT)jxtCFq15p+O@z)v!OJ85#*;NVP zVE&r<=z{oy^n&~%6If##B#Mn!dP$Q^xmfn|b_TK0T=*Dno zruM}FnBt9^Kek4b>F2JmN=YV4rHcZ{PYfGzJ=4g81BD>G6~T2jG{C&inusH3 zdpkvIYrQI4mude&BeNR^4;EfN%HIA2YibO|Y=6#7kyCe43bJ&4D{7`7V#d+k^SqfI zlbuRn!%l__w>?jKY16HeIu>sy4}MLbOKSVMbnLyG+4j$RgZ=0onSFGMie^bp{W`0@ za>LP|R3r^1)J4t?5!wwEtpaWw6>K6Nr<$px-*{Gi#WexNlWqm})sFnaJ7D>&09~;C z#PQSe%&_|1OFfduJ?94cx&FF(Rc0921n{|PPB08?w%6_XI4p`kI|D6?Tzj^$95`M 
z_E~XajB{vtuP^RqwD6CdA;qVk#`KVRvN1@WVAA+%&exI7t99NI*#3k3*kjym&+BBcG4%t zEu`w%;v$Z2ZCiyIUApbpKOuk_blrpY^_A$H=gUWRQF;8rYr9?NE)rk#IcP0eH;Rk4 z89CpZ>n?d&+I4v7l$zQdOgLF#L;>H(*i@n~;tKVC69RgqEu98cD>p|Hc9>1JXSbt| zrIsLvWr+!M$%hP1mK${c9?nQIBBi3jvYRYJYro%Vr*1n8<%Sz}7BhYa1vOW|B1AsX zp(=S}`5AlEpsF7RtALoFOcFk(Bd-=hPt0C#{pt8dV1+}-0ZZ3^d5T+Y{#hKNzd)u4 zCCy{;LA>H^-FMfNj!o;I4zmt?Sw!+vjJ<8I2}+!LJ`izq-CZowwB7AFhC`{N;xr^( zm|L#5OJDY1JtubE_g@wEXYl>apM&;rs_~GlaACEQTB;MoZe8oV+IRS|(wAxd+T`KP zglkIVD_=$ZNNmC$QAUF;lJ%vU4G~47>(&p51vIu}srPt&(0by!qN2iS&Y|HkO8EVW z)C0fx-RZb3Bskm<7mtk0whf`4Oz>AQqvm@cJVPcG9?9(ZQMc3mY3Hpn#zcc*fXb3f zxwbB5Oy#1Bn_iW(%CzPo>r&e)H2t?$M|A8_dS$KkNOs32)$9HFZ^EsWg`{+j$61+~ zs$M5oku2G%mA_xMQWmNhy8V2~wrFyHobqyH5z`<%P{_%Bs`{t>k}4ag9)wn20ha-U zhflv&Bz0%&xt5^Vb#oy0*sG9JqCyZbm#czZlJ-cO|MsuVJj6L5cZSZZ>| zUIrYLh5>hHW`m!&5TG*2L4K$>)T&UvSMKv}Q(s{A9=^W3+OD3_d|L6Hot>^jt`B2m zZNJm)x_~K;f2AmRjfzbPs%$xawh7pm7rZiy6Tt~010v2Va^x=!n%=$s;7zDtRMEKd zL0~UpOM4>Ch4lNNmzr+QyBk|>?ezYX+vTp?4H;gUJ6u+$WzWK|yyXaQy-LW(GVCf_ z&kKY!dSiCpt;Pr!ZfS#ZhVHXG7L;GMEQe7fvU)Fvl5|lxwj|W^enf<77&Q4$>}{7; zs>jW}hFxs`EYC;96>b3}zG+%} z9HEGwT0MJWcjh_8U7_=fwwryG`i))^6HE#rd(d3HgNhdZWR5968Ez-DIX@H%?XI$b zB0|k~j$~CmWG8rI2z}%yzEoCni{I?lESEPdJX?36T(_o(!J&_vGWOwGPs2WzLYqhc zlq&WxqiHkL`RVm_#y&`Q{$vJnw@o4AAy9v&Iym_j^V@|KZcdw<{N_wGKc(;KhS}yJ zldSlh_cF5og-3vJ7Hk$>bO7|8K`}Oj+iy!{dCGrp>W2`vsT9L2smo5BL|QZSE}Gj; z8paKoaB{`>1Xrc)*QGp3TJD)s5*NP+{C67sIU;FA_gzo7TKFGt=Y>;0v-98N;TJ^L zdS5_4q#@IPySI4nfG_21C3y@3$Do^?9d_fe6orn(=luv!SRcJBQ}z=QBli3T#>;L#=0%;Uv}yTu~!ag@}?-AV-fka-??J^MDtcxEg{zb;gr z0b^w+Ei4SByLkVLnbUz9T??6F&jzc)CTK&5cRr5rSKA2EqfwE4lC zNL`U%@iFF#yOT5|(-hWmJ$NjPP-0Wgm^hc#py2PQ8>&7w{2MEJ&alkx2FssJ=xcQ zU?EKk@K1+8zq}d~n*gs7jDW5s%yW!o>EzT-x?QzcJr~S#_BqwUDSR{Lfh-0#5Uwwx zWP}BofEVC{b;FOG!c7dJ<4FTYH6%66=VmllgMnDV>~e2OBj`mdNYl32n;qKFe0R$? 
zzF7|1y+O1fQRwb?Uvapf&y?qQE2Bpvwv<84g~_p6SvKN99y=D8RCUX+f!e*iT;lW> zh_Aq)$5&5|?C7~7z@ww{Eoo}ADs($->;poM2^84xx$hmQV>UgA!7o%(ynm-zOCFPn zXxIx#K3)uZ=&Ue5iHybl*{idhp)_r@Yeg+>h8wjh;hu&-vdiKh4#l>ZBGt2?NpMd> zCJzFP7G8x6!Ias%@6{dKp?RJ6PX22$(>(6XWswYGgR73g6QVKlozBe%hG6_&XhPnY z6SHgR5ln?XH~qB*q-Ly8b|?y45)Z#nDq$0uKVLpPhew1;S7Ao#;cBEP{x%QnhK3i& zlUE>S)Rne&MxxJ(OJ*t%oxqcc;nvZ)Wbfp}sL%=y(}HAvoqL^P^a(~Mb6oD|$05Q8 zgU;Zg^=pOssxt-Pf!0*~qZ_q6jzf{K36@b<8YM25f@#W2%?2n|BC2hndku@(lw7ey zbTau4s)`*51P=7vA=o3!BWU$4rXzNRXn7Hk@7i-qgBZ?XjRMN1%zunbny&`C1oNC~ zezlhbWm_-^-5rBM{&Pr=kTK&f8Il0z`4Y>aNW>>pYEN1TIq)$<>K5 zGx}~np(48^C5hkio{Jkl0k7wg)?-RUJ8Grd*U34>GOoFJ+^+RooBV!}Y`W1c535r5 z7TbnJNdvcv8yNyG2}Au_NM|;<>1kOOP6jq=vP5aIr(ps`x71^SH8MQ7D>)@)nT}2E zwQ(c`?jV#xu_J07{awPzrpCp|S zp|8Sgl0ZG;g^A`K}aA>_sn|{+;ad{8%KiizN2q^99$&<`DjOVTR_oXM0? zt8FFf7QGx^lfsMN!iN%kv2sASBgJEoQ`WN!zw6~* zdz!j+{H`7Ojl3!KH|M%H@2`X?gDzFJWRKh|dBUQg3f0#n?tNWC{8*_O$@TN?$S zEefR_nQLO#@F-A%m%3|ent~iORh=)(BomQA-L-9Ncbr$zlSkr1@2qRONSOM&We_nQ zF(s0nG&%v58$D;sr5R@r&cW6M|H!3gW}@6?mN=eJ@?bie=xPK$r7AI{>usd36K52o zesCfI^v9NB$Dxcg?u;oGNV_OiSCvBlCJ17V$J7;U(I00K5rKPW`jpv@8-3~}q+e1> zFiezxBhA)O94qRKKLW|$fiy^-!j@nh)rMbtd`ZDe)lGKj(3SMqEFIw_504^Rx(g?K z&=qB1ZI*UAl{uxTtO}HE!LB?JM1qOyph~qmJ37XroXZL1K<1`9Rt}!lQ%t{}+&BAH zH8<_OONn+9!fl!x*~y6Fd@N9!Npqe^a=sx992es#DwFD!;1yW=!ncLJ<99ViE@{21~XZKHoH`4v*lJaTQt-KrqJyb zV$;851D0r_HT>Gy98adpO0A?we$+{za=#gO&l=4`?f=&RfK7X$+wvmVv7iek5;6O_gGJJ3gJNR7WMpx@(KY=zDSgi3FClJz8 z-u}kJ+uOoN1Rd2#NqRo^iM{K3Vm{}YNbEkw7~~Bkj3#c-YrU_=9>qav6vcT(@gILT z)f49N1fqY#Qi#)Xes%dl9MxgBbpb9}#JI~7L(FcY^*HW~8BX^fSLyo&4srZ=5X*5;ybR`O)5v%^ zYt-U=t^=i_q@1)319X+t>jwsm1SJ%0tk>{0J#~wXloxI6S7GebYv(6;sQ4PeolnQD zh)sVBxnRm*<{eE1+)c5OhiK9*+t1|es2X{hlMLw-AfbZ0GDPXT8?nJQ*_KHJyLy}> zM{-YDDT2C9i0iZ!VZ6$@^nj`PR39{ryz5urK8=SG4H3kAPWJ@ja@+fRed`M-Nb2E4 zN@L7oS3>BcZ7U`+-8+aFW)}}>cM=GXK3TqP#)|$8RxVZAr! 
zBd5tK(B3VbL14eQQIT{PvMT8GiuM?PvzjR@`a^c+2mKq2gd=Yt0-(jlrfdWPr9>tK&o`Cv3>_p`w z|4*;pxv$*VnJ_uJhn3X{q%mI=QX~tB-BtsEii`-YBjf zBt`dPpXRH?A-3`GQPTVzOy>0GW|S;vmniYLp9+0}7@_{QDR$rW#`?KV73lj0Zkn_z zA2*rS`=opeX~IA}e}y)7HEofvD-OLm*4hfrgkQjM&mEqKzh(BKee^rs=D=`Hd`i^Q z9|K6q>-h4j%mga{s~^2(Pe?lu8IM`=O2~%!?EC9$UBnZh`plP8%eBLRm_i*)7O-LV zRVtH;61!9pDziB1m6gk!8c0A|a^%_Y+1`*#z98gpd69R{&KN;q2b)YnUp)#6HWP1Fwr16EN->p$| zoeFU{&dPOQ5(%@+L1GmTB}rLa4~;q{%?Vz~-qjxDC%%mz(92|dUp0Uk_jT88wn%pJlfD^|(lv9aJ0|yYI&APlwpVk*Gvxf= zAQe2iql2)`7(B*#rsMtXee^*c&barMTG8>CCiqOwRbm?WyvjiBz(xTWq*cqCNqu0D zIEY4dA6{u*z54BNKOP|QW;o!Q+)y;1*oxaxPdm`w7>kl6eS}?1>?zymE9R zrlJ`i^;A-_x7>=WezOVUuw3rsMdj7VV#8Aka6lPXu?WZ}V8EovebvJ9^X)}vs|&64 zn#F5EY6?9P{0Drpv`B0=&gue}r<;*>&ze`$6GNkX5?Se9@g+g&h<~s8z!Ui=K)w{b z*u$mqXSg2{fZ<{pTTcdlb_3?vj8kM;p-@1A{Zdh@fSBT6yX zVvr5vTe#YWqJ^E7RdI8p5hDI&Y9Np(BW}xJK**<7S&3rp?_-sT_>laHgs(K;+}{Y} zTlaAVk(pL>BBUd$=&eyiyB42*@EM~)!&@w$i+wC0xuq1fQ`vUCeF)^13U!OGNwQD+ zC>)bT%XZyEIea{RXU#P@ z;_%y=jM@4p2O^_`YSXbeZDykvD}YkiFV}H3cqweTX(OA%XCYnCt_w(1c5jUr$p!=j z0C_Wx#H^d2mHtGrRAM^kzh-uOV$BV%u$cYhBCBWm4nB&X4DkoiXbAv{bfN)l;D;fD z>K^&3m!Uf{#H%0eK1#mQ_(3H9J-_x-h#-@NIC|rUc8x9&c`Ul()&92wlx%CMd2Vl# zZ2r05+{P{7y9hch+-#nDVD24BY}YH5lkC!N16;5>ISL92#b+IqGATKx20H;!@-{ zvv!rk>>3)0fylps9nI$v=8%PyfKzB$1@<$#{l?k0((a{9RaLN1l%B#X3w#RNR8)KC)RqZAAP8$VZ0U; zOhX;3J!gJ*)q7r`7+2`6#XL8iGN+r#qD}IZ<9)OoVW>OZCtStd0)i_4yXzM?3KaZF z-QhSz=U)i!G!VIzaz8rIj;A(GHEmR>Si>@v&qHHxIQ>7E7ct?~;6`$pWFyMT$cWUpGR2T1C}So`2{?yfOV+pYGQuCTv=NF`U9 zb%&io2zH6jR!H&jGJqK{twXKt8HIkrYl(3{knX>m(QHXM{s9&XsaaihqZ5~Er!MA~ zK=-uO>v@%U30_)0sp4;O()#+lGKm)S_S;_lVGn`E=h!=I$&<7-)va3wN+)0NuguL` z{@y5;SQ@EpO4|3!*E^LO8)v7dj4VJnjZ-)RPyAi0u7&ymqQ!D-yRzEuXV7ul2AeK0 znBr1^9g#bL6m6O)M)F9LY7#tootU%;RIA?gtE%K8J#Cvv5!JG$f8t8dno>+u8^<@T zj*5&5JIWApK*y0d)x;NC`=03}O5lsbdh#X3_}O?%MeF%2W5gz|6L!`I^Mp@iSGtJ9 zs<~A5v@*-^EbRsOf-ji1HiNY*MtC80mu!ygFjqEbPrt1KGu{vwtL-RaRiG#BkHK?~ z1uvHMsB*^i_f%%4kHx~v=|4C>++Bndap*9L_4tS2XpnV%T5uVWux%zf|8P=_w6X3t zttf|?_BOa~JL6dsmOb$yuk=^k*SSivDtc=>#UFw4-x 
z@E7%leQ4DxYWL-LiRcKbU1Y1$i{3ls0xaY~K}hnDc<`rURIqU-gG++*rw9TC z;;SJW%7XXNOUpx7L*xVsyA{pbC2OwVqar}-@fSeNCxMbf1{n&op;_OLW(Wt7z@SG- zEQrD0$1AriIlg@B@GN1t+s-5tYMh?*nx^9Hr#Z#!XeGYK(bt;7AsAVR+d;TyTo_sj zz!s6Hi_#j5p%7-Klf6+Akx7)i%t3w?EiE=J-Gku10wldvv%Kt4&)+*t^XC(4NSwWR zHPx33q6)CrR-cx(#|>~9n2Ug!>q26<+i&0DvrLokvT*O>3WeN8{$6-D$fbP9)A%$y z0@t2!o!2vQj}}Q_`l}+1pMVXkNjA z>Sp`h0_19zqWj0|!EWdiYyS-Xr#25u6lQBP(5}rSoY2SuRJ&IQnH0+blynIoN)~k@ zv(5<=1vES?Io8W4P;L#(@HM57MvU3#I6N7J)9OvrS{|{LUylZ8P3VchuX@nEZg;Jv zRAA%@f!(h^AQePTgyYH4lc;)`mJoJ@%3aBEJN=pnihT^r8W9;oSTY>=BB^SZi;2%r zFp*LZiTR4Qw?tX^X3UE&0G6kU9Hop{t_0Ubyq74N5%Hr}&`(uZbY0RYcv>i85VT)6 z5s&OURq=&z#GWAs_jA^>v+UAenOd*~cVgR9oORSEK)9w^b_vgS((NjgH%!O-qd=Hv z^f+=!0RGj+5J->owF+UG)a0!ycIOd5yVHbCa9AAMS?t@-Dj>_p5@uSv(IdL)(XqQ- zKG3dy7mbkRB7d^JMPDXWY^;eEPfAv9`~c?(uhTdX(n?S<0$81rp25o(wy`|w#fzG* zgmQDtJ#-@64qavtaOzVH>X=#dJsD=Bf13RMgf-*1Ukn3Bfy(9c`#TXjd|W~h`F13D z`6a6Y_|x%;mn%6gc?9-skfs^MI$lDa?9(R31^zb!$=t`cKvFnC6w|ioK{>YA`O5X5*Hr5EaegK8Yx$gksQ(29%$MC{v7fYSGG zv94`316keO#z{_jD8Ku;E2-CgG0*J~gW2s*lCGXD0zr<7#OSTB;`{8&*f=mcJTe997f1~PJCv7j@$#b1)5?7ORavmXwDJgHH%APvnxsI< zBe-;u^Wghx=je1?BV3lI;s{=nPAzmDi?lZ8pG$M^oh6V1#b)?1Qu3_?o-xVEb25xFAh=b zqUJjcw)q|>$L-cK2OtKn34p@=PR>L-`J`zZ+Gw6-GP-TsUGM1Q9=zJdsLj)LQiJ7==hq>4YmJ3gVY14aM7pP z_icC4%pZMwsz~G9T@* z_NIzqEe@-*&vfos8UuPv{Y{qMaT|KI7A`U5PVDo{Afnb(_QV<{tBE(0x1VWOf(3-b z4vqECDyW=m&z@_1e)-B$%u3EQz*n3jD$WF`Et646Wdw^_Ybd&uMjnAKy4RcK zN+}sjQk3&ph7LpF3QV#QRl}v48FkXT?BXx@yaLCK4Oa8Q>r1_Ef#h%|s>>8!*^rSi zJX~KIszlPlvDdDer$gQMdR`TyL?LzSDEdu$;dAlsg6i=DBvs=!Z2*SfYj({#u8k*- z*?)BDX1}4~f1JelTrwe&rbGb%j0h%krHxHUbbqohiAi@vB#3rzy*4KWdxI-jyx4Z9 z8>H;NZPi2G%=bZ-WHtD7z7*Y9{$Tm{9Yzc+Mlm~oRv&E7FR$lS1^4;;ptNwbmY9LW{DJqs*YZ%Eh3f> zmjQdC$|Qq6GJL>sCH66ksd-Qv2TvD-hvKQX(T9mZ&%yi$Jp{nymKSus#GYM*u4;%= z!l+{7BK_8zAgi%AU6VVGSSqUp6x=c4e&kR&%pH@6b_+hrsnBR#tVla8RX9c_J)wie zVd-QHWuX+StUGi~*+6xj{(W=@J^g#0<+~RvU$9@+DxuZF(ewt!=hp(>o2>=QroLJJ zCoxVd^}4GCffu1_K9y(^&e)FXTUxCL)M(v6E{8!wg0gSXpG&gDgXiG95{?uqWIC+E 
z@-?E+3oq@zCNhQ(zY3l=*zvBFceq{tn|R3*yYlnRZe*kPw%&3V5OopjeynY*5K@vbVzFE+|d+7cnyengA)V6@ra$OBoQ*hA4s_pXek$hDZ4SMr&ZD z{X?gCOjCOEsb#obVBBg$yZQA#0BZaFEO%y4wq`1zVrt|BuvkBk)8{4i9)3)HlK3Z< z>~C@dIo=;oSee#>)m#Vi`N1L$5El^}0~-#d;>*hnf@RVy5 z-N6*YP%dLs0GP6xOY!z|Er$Px{1M67h9}cICYx6$8*tF+9fvs<<0uL;3MwknUyw%@ zAjNxUC!Rt~PL_tz$}H*e?j4`1s;Yo9Mp-j*dibM@S)fjzQPkz2sqJ7&VQ85#%>#@D z%Y}`+n*KvVSPN%e znAIzor0Y`SrY=^%@&A?ZNWj_qSEp`6DEzwTEZrd-?3+sSv!syTSA9>6zAv#THAScIiAWWaP z`{h#D2hU$;+L@`nN_iv{?~gKG3q05-Yh#wLx8D#=XzMCk)07mHQDN9rt!!Xc$22;P z+}Mzc-P8K}tEq(%hXe2*j@@`VG9>7fAGp)Yuk>dL?2_p!>CI~^$zj>R_^r`V&2;`& ztKsxh%W?o(*4SU~^(0Tw!4y%1zN^*k`gF@_sUwI-T>Mvu;M?{RTco*z^tqKQIHXr< zvRpIK{4-I-3g;Y;sA#&VlFBDew4JF+jjoU~-|b$`An#Xm1g3dbj*gDgjm{R=8KM16 zE*rDiY7B?~kaXo`mHMzMfczWMt@L+0h=_Hm_U|=#$AGI>WiCGrK;iTn-WqN0?y73x zXQRPhGDw3SsZU&>`T;I^Ij|uiHm{T;GcE0D~;Q^!-QEI`I9wc2K z1iHPQwlB1@Mao#-{@EV;A>rC2IPB|F>S5`4p6aNl%Zhl;KL7#4v05+EfT&tn{Y%+* z#klajg98ma+2h;Isw&MX=kGV6j|@-~_z$AA7INd<}EA5Q(;0F90V zTdoj}z}+6yy%@N$Sp+g^9RE(g3OWb4K(-@0Z%hAu8)|w0hUR};(|=I0>_ogW0&H83 z*@nX;juSMz5Z5oR@BZ^={oDn#U+L-~*yrB|O&j!Ywu1u!?M2!j!6mO=v_IUjZ`ixT zEf#qWVC#-569ki`zW{Wb7te-P|L&s%2;yEmE=cjr5Mi&l*v1$V*)C9H|58rb(-nf*%7y%`4&Mr~375#syD4?w`o&n$ff2wV6=??;N zW1u7?g$ReC8X3_n7Rt)X79VmM)cd}OJUTjZTIq?5le__nB=ORv03D=$;A1TnKC9Y4 zXp^UJF96GY#yC1YPH=x2_W%Y6N*ekx02ArZI^f*e%+k_w;O;Hp$TE%&0cYc|?^)S5 zWGjUZ+gJRnYg%wFuw38Ch?GgS{W+W5vlTeibaV~wH~J%#w;@|e1L=DtC2IO0Z+y?| zts*46_>~@^^E9|+sO1BWX$}*kIp!c-fCG)eIJ$)VEC!RD$o3G!`V8>*OMt=Zz)y}` zGl0fQe*Qy`7tL2S*VA(JYd_T9mj&oT66j*b#KK^@4M_Uz`RqA(5#X^>lL@f@kRur> z0qDanz*(KiFT)=%-3^>L0=r+T%<(T7gT(o4UaTb<-U4ayT2!D9A46+{8GmHSdxYR~ zyKh{dq_y!_DaqDa;T&^mF*r|Y{AYdno?OQwnQc+2QDOOQto-e88szPK^C?L|JK)Gb z%zHoZSvRR5;s-vu7y-Q3?xiKu&7B>LBK53i0Y%>E={@90aKcPwRNWhFKskRms>i%i z=~XH)PV*`wd2caQVWb@4>h2yE8yh=OymI&Bi^@h7GqE65(66T6!wmB9M^hGnmmD1% zTlg1WtIe7HjanhRoQkg^`*s3FXzjH!5+9)aEkeVZrLh3$%=GvON>iz9bg?&=axC~z zd?bXJBWO1nBH?q+NGBt(wmVZ}W@>6WuvnMcO!O9D*YY9AeXo8!*agr95Zfu$Le@Hh 
zkd{xk#;@YZ9vqNwcvc70olR>dOeny;y)H?}R?4P@LJ<93SvJhc_Q)gBXOA8Ue}=yc zfG|yEj$?f_J>gi~z?-`u2$b-%R5v_{MI#KLQiTGl`RQ#3wr|&};Yi1HW5Sl8#?vV|FWv?Ii{jiMZpi9QlnL5S}wYxIUG~ojX)v zh>rhW>)lozrl*I8cqJPDWOZFLrLNke*&tb~z)l!>T!3e%)x6nYAYyRvKHH+KlFnjd zQXhUZ&K)#dA%d{awa>dR_$PD#PA^y;gt=S=@Q|CQ>eIQjqhBOh5v=!qrPUZVuWAOg z=_?h&|I!>NnoiG7HISDB&4bO8);n4E;Ke;4zRB!fu$+Qz3(+7VqYI$=inESjzc>q zW|jnjI<==@^l4U>LE)bv<|+dM%UF}qR|6zu1w2Af)~;_I%a1iX==zs0m37sUChUcBs^uj914L3EfLUG=-cb4c#D8v-Y9owDegee_a~ zU39z3=?uB=H{22=C?o!dk*l|GKPz_zKEJ&W`X*>frjkHj@@TmUG??ZEux3M~vp?)s^$XRe=gDfZbJ>Quwx4 zkZB{98lAv`#40lm75);3uOxtxZS6Ox0J`G@x*LA?CA}B z)pe+ZNKQ-0#KT3e$qoADjFI>GyWJTUnTPKe)*o|N;0OCxL7=B{G-3C9xUmrP*vACo z_~rft2D7fZxER0AG9x22*YnfUTV*3V(`7fhzy!laCo`Zdxn0q_XS0JtT=|NsPEC>YU-YZy3*mWJ?aOW5cJfc0 z`iT|L>1jQA2YArixLZ9a(~=?^@NlbUVNh$M)wmif)|JwJyZ&Mk0G3wfdkfEY)>;F0 z3eJT!^Ym;i$qKKtn+gNs_7K@{Y{6GGbM=z59oNR!8IEltzDH3em?YfBm@FFEnGFL& zKNn!N`BO$7MwjJ_*X5&RIh0pGt+mJ@=$KGWhTw7fYYwvGU0ALYHjGi6nYFQAT|jNBiLpuvlLd5v0grlmPvQ z`c0c60t4fI`@{X=o@0QR__?0%=c6?K<)6AHl`M^AMYz4t}C4`50{&T z{*l6J{}Ht~Gee|fzfgjeN!Mubwu#AiLu^r*{tl?>rZ4Neh?S9_yB7-Pp7^bQ)D2sO z#)Ut|xb@pIe+xis$^wpv?$$P*U4hkhl5TGWFc4LyDsT)czAcTF>+Rz*lkEh6RIxO6C5i|K002RRGhaLcJyZ9Kd5F3|fgf;4r|T9e8Wo?ctyz`` z=j3>^0+pzor z6+87=TV069VS9PjA3xS|%T8yYu@X9RAA z`%XZfXNsiwLO7*2AVT$XaHhtE+2%vJ%A|2GE)I3Pj&g*>H~+;Yy~R zi5;{g9cRUk0c=wIRQ#?pivLL=j3VL2W?*0ls-7MZ5T<_t;Azy9A_SbNmLy*kMHrMH zn4IM7H9V}I)CRdU1ksG&o{HHo3QidkxF0M~r7C=vh?-x`9@c&yDQ$WK$(p9j@1}&N zW1+aC7d%Syi*G8jJZ3c&&}I;BZm-Pq;^I+ey*_Toa3u0XzQ z%_J3;cJf+mY~Nw7{>%B;Ti;<|H>MRPCUOVM2>)`Dt=6B`M=9*jsbl~A%z@WkVs2)4 z{JFx*Ta6oSYO8NY|9Fqh0zNWv-{Y+v$7TjYw-M{^^HN8kcF`&;FexsRU%36)Zf7g+Ud{F)>;}MjeK`Jy z!Hi0&?+;M}4p9Ms2NuA$CzEpD)w_h#w&E4%ouvUhI!h0%8%HWrvjNJh$Y1?{eR|c++|a-+$k|v@`%-(Cn77FGPz4*<<^U&x8Q!i(a96^ZND116(sHw4FZEsgkkR2Jup zPuf%D!l-u#eEnUy7-$*qslJmY;GXv6o$0IHAmiVD*uh?!4gTi`G)EJsw2l_%4-HeyP=g8uE9_wjd@ZmHXDDaNYMjw^sCu*djj z8p?agX3r^!C?=G}73Lt4(?@8S^v^d9abrVN`VQ&Ua@HX&#PfY-_V%mjLlBWs;2N zU9WZi;|G9^l>*B&@I0^0r 
zb1Z>%l*Q*H>5ZV!y;>ZoGBTnTG6OPxSG2n(^kieC$TxztGeVS}=j-ac$6^+Y?s-=_ zIX)GkUIMDQxu}9GvZ=gvh#M_PD%)O`%xT426PojIyP^E(c^|j`QB+Tzu@>I8=^J~% zM{Szv*s6F^9}Hs3UxR~%lO%Gxg<>dYSXvJMPM4()GfJ1b`t07`5*a27hxjL0r2p7E~G)i3{>J>?19 zJo&(Q?t>$#OY&Xfwsn};foeXckAet@c$WdMKs+MUuiHA|z_p%KJ@o!P=v|&hL1vS} zxXO{sH)LAijbA=I9RGJ5F$Oahiz`JKPFQ!h#j>wSCJK>aScxD(TKwhW?eOAf(4#Oa z)b~fwtwVExXe|!Wl?W_KMDw5?$*x}!q?G6d?qKz3Dd-PdMOEB)EcEY@%q^qYl=+pz z&A~avAg~GL(un_gjllbelRWk4j=T1Ui-+eDU~I+EBt@kmooJpFrJ}>8~9PVR=QT zuV5un#AtNBkC@Jg7z!+DuR6!uaE*5@^29V&^0Qn8NY@MYA~-@Y3cTb#9#_d}+fbk# z9nT;53mrak(FW5I;3jR3^zTOeyHG`4jHu?ke48ck9Bl!^TNkAc)Ms%G@`I zFX)Lrw2&perMnJtxcjvsnbPz4ph^V3->L8S5AL5xD5PwuO_S%NiwyTHBt978D%>@uftVu-7{+d!l; zX_|0_qO;KK%vl_-1ll3SSn3v9PMP~+B(ZWw&XzU;nUS;JEhmYfuL}1fIFv}-_zGzx zuoxvIDt-L%q|IL|j7~gYkir$5S;oQ=Vk7NDt4iwD70Hv|+fU8l9-U67-k*Za_dW>w z-X8y~z<5ZCxjB%Qp4TXn1jZ{iFtZjXoeP`z=rs^+_}qF{jl$_ovWA4ykQaI-O!`o8+Q!qUkUbjluhdaH@l`L zX#A+J0+*^VDJxVayW&~Tqq*;`gG<;ua+eY~_*quF#>+~Q=U#xBW2hYeSvujr{k;@y z#-NO;#Cs=1BU_u&nX;=$s@FLJnGF7_LCj#^z3}>5C|6IRImHpfw4&Zos-^uCLr6Ez ziXdRju!40VLvDF(p^`DxgbbRzKR*DlKpo3D&c(xEKm#D&!t7%>uZ1_&fu-Zi)UGjHh3BH1dyFsZ{x<| zp~@%C5EOyuC2Kph*wXqv68&<#*ZPZF5yz2$6MuzYP7@+W zX}SwJ4Z7DUTEfQB&*(`>U#?2nSI3(R#OgXzu||om-?eO{7USD{cD5ao0<5(gk%mUK z-W-uIm@=`|m5W(;r~@bnl?Lu!L~?RtzW-+GJini#Iv zj`}>}FZD$hx9-hV3aeQ#y)`vNPcc_`SVOs`eQ}RE9e1P0s8A{;Z)QdcQT-tjMfL~i zQWgZZEcb{Mw_@!lVz$Cw4CKdwFY?Nna#qfdyqG1qFj@^!AD-pT0jy%T!%uI#hVIs5+Z`|!Tr_s+Lu{bpt*Gi%M7`L{)`p_B@~ zWtu5y&XC;*>?RV?Hu{poNH--73bzo{+gTxPy+3k2`-LnmCHt)``8h!hl=*zjf?#N! 
z2ba6Hh6;>gscq8E5+%JDuc<*A1y5wtK|>5q%P)y4M4T1MXZhvZ&1&mph9)}N(_Kbg z@Qpgj57M-<@6U8Stcc$&6!Z>Lx8Y*fu@_;XIc4yf$B6#kq;Pikl>&FlfEA$*Nh0z; zg41v}UR9eD=MZqVcsl#lHLoZPC!@?uec8$@@;#0&Ob0~r;n!;p#+?(nngn^F)_GLP=)Nuui5tElX=Szl15dPlD_Y?kC4WYA57FHE$Zoe$9f_?6a97 zvY*_7sbyY@4L5`=ZVj<(na-55&4PP>ywrsEa)#pga+`fP$tF_OGjqgl87-SGd2_+C z6ev;$B^Jpb8m2RMUdaih8cKA;&vfcs~BdoOqMkz z(>2Uicxn5GBQ`J?nB|3bhb=r5Qy;2i*|-a7dZ#i*l+HYX&4*jhtVnqYT;L^sOW%qI zsaD5UAO}@hs+HLaUYz$dp6PbKDzMneW91Y_XTiKR7-D*N6U$QtAH^Dev8!%0%X5Fk z5T?hcu5st)xS2T5p$@MTNzZtb!u3Q9eSV;a0jt2Kd~RofeS1c=d`I1N_0c`wy^dbH448r<&KSc_Gh6 ze>|VdxmTqxJSV~$upRv)8*yS0VbC7gITqFSUKv0pWEB`?H0>07A=X7h*7w1W4viqQRa7VxiLom7cS1tzmIk&H9G z%f7f?yzLA49%4^4B`&cIF(BMAJ40*6*46wpleRCR98bx$wWPKhHaJmw~BqD)uED&LfXHJ7xx!X+e)v?G1l6CryOptMq^$n+ZDJ9`Ia)%iA6!w~?=|rV)Msd5Se~Br4OK zD6lhDP<&rHb*$LT_}1%2s`~2?2>#Zq4u0eqfL>0elIujfT3gCu-ceW5$(yD6&N2JU zX(^u=mMf$7pr%OeCYiES4*wR#Zo44%W33VEoKjuvk4(W(LBypGne_`6cno*h45z%l zlGl0~dE0PJseHJMdyT$drTl!%=azg(o$pgHI1F=*WgL=U`bxu*O%Lpsjh3j$kS+_Q z6kCVw+n#gDq}eg((PFI~qtc zaJ!M{%QAB$S{*`MeI$$W0^gPCSVO4{V10%)`5bYBZNItrkG%vacBAVIWSyX;xiS>Stj4VrC}&A-0qf%xO!_x zN>6a6%NFJ^Zjo9@VNh?|n!xHUXaFbH@ORQ;xr$;*aNFLtSGtKX(i*>W3^Q6iCD`e@ z%ph~xDBgQP*tj}CmD(+Z}R*1uaqDgu5- zca}sqpKV_XiJM~GwJ#->kKo0`O1oZ}Xs_>5LkCyH}n6OanwxJZpm|?S`Es1xM8R5?eN0`?S<-TSL!g>51|I*Zagc8#gDodFFYW zvC@xaw}#@2&sUJKu%Yc8>YopjZ5!yctb=LyZCj=MzUur+*`TVQK7M9e_dM94pyQuT zJa<(9#d}8O%#AT8i!U)x45Wg3zR9jBovRM0-Se z?0OERV{vZQ!8SM0Lp3vzh~yrMf=Fm{(G{QEA`<-^Jk56_iax%DjkcUI**|0|`){}_ zdB3AwRlaYl+)<|d^TQD=Q_8iaNI&^;vs3YI^mjvg7&s!oCcmwte;zvgi>)nCQeXL> z-aC@RXP;epk9X&S#Oeg29)fOSQlx}bz0wOW87UY2%(+;}$)Bb#&ii0AR!cC(iFP#} znc~6e$a-PU8NP1J2$cMl69qWJPIpXu9pXdt-l#jm<3i8Hy?V{e;&)omD0yF!u|Kz? zeV$^8|M^3%0;l~~fC#ne9KCa>)1JEju%v-oKH9_;boc@K? 
z)VLh+xHQRbMDnR_;L`Y_$8l}R4}hi+y&z_ed6P*LPfI?Mx*8^gAs-kMNLQ;!6>|RY zq}adF*L-K`c8`!kc3mVTs~~w?X$%7N1kNFs704gloxTa{PW$p{uI9vy*b`6(r-`ce z=UhSR#$h;P;)plt9Vu{r5rbs|vNtlhfBJjmLQtcKN1dOpF8mpg^%#f&gQ?$jxNIlF zx^_Di+}#3YJ1*GmgHz=T@!d|px$vZfGPHTc>c=?u+I6G{usT{;t}3Y{o!k4cc_cK` zN7FLv62Q4#7W>7`cCcL1hwnn$iq0Q&)- zs%|>0rhwJwXx&?*9n*O8T6^~+-Y>6U2pjO8I6F;?JLW|DY_@f$?8rF+;6qdZ*9}0i zykz}D06>tx0vTgzS7Z#*uM@r1{U4S-aBG9_Sn~ka(wX?W8QZO{yKEe>G%Yv<6F^zc zi+lj=kX*t)I&lD>pAr--iTQ|Re$Y)V(`d@5U|EglDBcxucQ2C{CZ?6P2xk5m+c5j1 z1fi&yUxZp}4id${ z9aHP(&U{VkwlrsWm#>9ELU8Ys8nHbj@nUQ6Tr& z$sXue%?9|LhqC`SZoR5(dy)K4^=9>c-qE}}5bHkz1TKshssYaDh#wd=K?HNq+|M7! z$RPkyFgTsi312z}C~Buiz)42yD|e@)|A)=4yX~xo#pl(+Bhltuwre&>d4pdypkTCp zIdU}dli61RF{=iJOr=2h-r-??aZz$+nB6oWPxEU~>d&{T^L3v|iAw7`7%?)qa~%3G zdA6UmuyiH_#0i=`2O!F(SKx|1a1cJ-*%XM>txD(YAM9dHu( z=E>z3K-e=NS6qZ!|00icnbV^bi>7dm&h~x5%xBX2v*xIwSS_!Vk>`t`S=rND%a3YB z#LTM|^l{N2ya%on2IuZJ02#IXphdI{0h|S(8#_XnmXW*I-cm<{?+@=lI%gjOn7mB@ z`KU6l>AuN$oeZ+wj;JO4C}082eoUYSdc|%G)-RGg*luh`!dUSq=YZ!CChvG;qya4Q{J{*r>0jm3es+P+kn% zy<$fQN&{j$5Zf;fZf^aYG?um{AmofWs|tw88Y&^$P5X9TgZWQqBC#P&km2DBCUh2C zW=9D8TKOh4n)9=>QyZYObq8N3i<;yY(I$1#`_HyAZ~~g1l`h+}ZpjIP|B;`qkOznp zvEtKAx;qNc$3uuS2aZ#EE;#cybFJ~dB=IRDSuo8=%F3fWIu4nz{k5M3XF#xAislVZ zuRPc^!B7_YCh* z8%fyVY#;yTbVV^;>%{`m zU0ATJKR_yZMG}tt8q3B?lklmaRQz(6fy@dZEJOSEtT<0U9X*;~$kw8&N zlz};>t+19YO*R_4wHij(d+a!2(yeJD>jZIy3`JjWK9EXP&niZOVHzJSi`F?;9Z2E zJ-`8x0k8I2jiQ#kwhAEi!najAxF|F!5Qm$;x)^Yz{(gQ5Ev*QAcAtW*fIdq>hY!4m zUir+8@p{g2ujA06;omadD?RmTl&`lv^S?u}GdG*R?)a{#S zeGVr*4OYVj^t%gsZKqt8u(ewa@(Zs)FUh7&#^+DcY9@29n>hg!&vbq~=3N`_ftx2Ul4eFTisHNdesVE_QZK+{zNcYLaqZhySi%wZE zs@zyZ4a!M|YuJw|RzZl{wVk{JQA~o}hR1x0^c>*FeSLaSrpD67D zvg95XqkjVri9ZAf?td&KyZ_l?YEk(-<^9_;!M@h&Ynx?!-W&2Ua(Wd;ZOYV?73>g(%xS^DurKuX%>F&$6*@nliv zvI6;#CHF{Q_D9md`Q~-AI#XiFHq>Yh3nne`ssl}7cE0^mnJp(QtyjDqjhTavZ_U;@ zGT(TvuH6KZ3d4@EYdvP?Qe@V;-jxzq(sP09370iD4muw~PY-ZOYNP@p@c^xdw3Mq(h= zbe+^E!6SOhoLn0gTi9k7r}$Qb*oWG`C8XQfhrvJOmyjdciPfQTr=6pV8&Vf}72@YK 
zjE+-Eci}%^#n={$6K$9yvNziQlCJ84*p&T6>V6NzscTtrZq)qSCAcP_BQUp@M?*19 z3F%j2(aZ@D(&JP#&0T~}qtMsXR68;ZVemoJA`?O=Ir8016-XMj33ZL$1wo(J?>|_D zLAxV%ACG_>`=z{k$Kq6M!Y(h}5#$&Q0b$BK#IjBlz&eU4>R^D!asnObDf;9&-z z;A^Dg81lyq{pS%IGudqopeMIb^Zt!VfuWAsSJNRhSmn(Z@MD*jgE!BMPGt;Inz=p1 z4y8y0u#7IEK9yMUdnWk)P_^ppa2e{1R;dws`LNG-^0^qSkX;^daNH|wv2v!IdhKK7h-hv~wP zDXGG!v(D#E-k7+nwZ2)t^u}XqM1Bhm!Ni;$_4pj%wh?@irYSFX+mE4sX>eBcXG}}bAE?2*silfJDZd{-K)t*tBm7*KXD+xR?IgZ4v>add1o!GUmr?*s@|ug| zx{6`2=3U_oCq1P`!iosMVjun@2hUf(VCT1a7pkv#$XLlhgi!*=O?DhxiU-h}Y!17y zN-qUWOY^>@++I{MOL(Hge3rhLessJFm>iY9)65_Z)*1<0 z*5SU@ddwi)^aSU%Qk6*G!TWTXH<1-`)}~)$Ou~j~nPpV9v4rYN$DQHq5mMCJ#%M_c zPPxk|HTMK!bDSvl-$4yU;#nPrbegCV=_gWeV|;RjBWcI`oxoYt@N<`fdbiw$Bz699 z8R&=TWxC;VY((K)fbZa-4Rb<3XU?EL{>RHAW5u!TaH=K9W4t$d%1hcbF|j1kHjh*1 z@JED-=!6P<5qpyy0^-(Ci(=!wRP~)f6q|YP;4`xUetydSP52Y^kcl{NxyavQoZQ2{y z%KLpd0PZ`7-CCWDKhj7LqV;Lj?i%HIPE-GJ)HrZ;R71@9=o@RZkWqPdu(TehyfM?L z*QmQb3blbkuj_rz^^EnjzfFV=6_+#}? z^zLzow?3KUbZ_!H(t$Z}O4!aEOguLjF7wFtVoMci3vlA@*R?01=#yDB6^U1NwSCI! zS>WDBDN4%1#S}(5M@%kf)q2TR_7a$%zOr=#pazZslB`6${Wf#sXm!9X*W4B`IS;q$#Y9; z`(Ag0yM%r+h?tV2m11o!@+5($lFa5_!1O((gBj19Q;TAnP?0lzs!9?Lc=DrG7ClFF z>a&Q~&Ej_SWouZ`N@#u32^6F*4>+1sHYmN?Gd2vKrqs*HiV)GtLr&PHpXTqp#|*q! 
z{_M8ciIMb$U-aEtdO7gb!`s7jp?jqk#;)Iyrh#+F6;3o{LvaT{X%)|Kl6z>Lh(R`n zG=&$!d6wc^W1B5V4r=8ditZ(hk6-@g8h@GcsOx;La06E>=k zgm?_q3&IXSu3(-%^u{{+byDI)avVB)zD+8rBd8DZoRr~=!C)k%ro1W(x0W1v;6_(v zncq&}&c?iF8kz;%B&69|6qA)bx7dtxnJSmhcrUyC@jI6A))>fd_;>`x7#?mZo(`J3!Pb<-~xQ*R=vz$7IN zY~-=rv1>Y()ba-#^b^l&6hF-wHu3n36!ZktZCS7d&8|q|^)f~FR(EaYTFX}Si&ld; z&5QcPvM%m%1&bK2Gxu=G58q~$pKadF?+LCs4@ca`HyCGiC!0L85}q3VqX^c2Z$BLX z%yr*AB+aixe!s<0RrUmkUN&Q%4u&e0997MozICFCzYqS@c8ah5P-*Zz2cA-V=(2HF zd>BYBXzC@175lm&jyl$#8YMV`=VskD-2!^oMEhR>K@A+0mch=ZSAR-aL~{keaZzj{ zjiBHTd)OBmcD}2OKXZYABtRYryoX@CX(^Yk&VU2fLepg|8RQgCSpiIQPIn0V=(;a- zW5w?eVl#N-|0Q6zz z-{nvpZf8w2{Q+l%Q%5b)e}XHY0naP;smaIz0JL}#()Vc;`?GE$qXy%*F){u8h8|!b z&&j`IVdaVFx%@Rn%>KP!l;~Dx-CU(4fPr8Lc*y!oQ!YUHI7KOz`aMBR z8vtAWrdCxU0-g*+wA26ng;Kj(fPxi>J|ZA9|1K;9=mLa8X3hV*DD{G%sEqq|ji5pN zcVRNpi(vo5uM-uFZA4fdb3@hp5GMvvmO9mxpxV=jb+b}y8ts8%-it-)!OyKPp(YOk z(%sJ-NLF?9JElZ?8~ZPA-a~ zP%WgXk9dJobZLBLWu?&abdpDt?nag88cxE0W^61?Q8HE8N&VmnoSqji9PGuRH+Nt?Q0A?v`Uy*!Kp-8t z_18Cu$~(#=&yRIC-e)>zUvY8119V|JJz7o==t7&mwGl1vy;F(>Wh2=?N&=A{U3&m( zHSx1tIq<~GKYSiYWty^|xENudr6ukDiZsYpSn00bpKW=y37{9hQY5S%OX3%32f3>< zt9|kgC9LV|f_LSDwQTJBzJAAH8-vbk&dFAQ;=jH+_E%!^D)x$4<(vJEY{|MgZU#5* zee=IKJ3g4M<;CydI@;1J0%i`H-a2+*7lo|pGjX3bf_tZ+<-g^yr<8sD{k6d9d{RuuwIG0DVd7P>HbLSa18Hcalw$XrxT{9eau%xsE4FUL*8J;|2k}bYQ(4Z)D@p;Y#QVkjEd}CtOCBo!?TfhUd6o1%EBfMp^#>^>Kh>v`hH3u&(YJrj z9e?%H`w&qG-)rK(^;{Zpvv&TMslU|>1CD5;|C)0M^;GghBom50%Koj^`w&USA)&t- zCDeT*%!{&LUA^<~0ZRrLXZt&HCkk0odjm A{{R30 literal 0 HcmV?d00001 diff --git a/dependencies/infra-as-code/bicep/modules/logging/parameters/logging.parameters.all.json b/dependencies/infra-as-code/bicep/modules/logging/parameters/logging.parameters.all.json new file mode 100644 index 0000000..51abbf1 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/logging/parameters/logging.parameters.all.json 
@@ -0,0 +1,58 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "parLogAnalyticsWorkspaceName": {
+ "value": "alz-log-analytics"
+ },
+ "parLogAnalyticsWorkspaceLocation": {
+ "value": "eastus"
+ },
+ "parLogAnalyticsWorkspaceSkuName": {
+ "value": "PerGB2018"
+ },
+ "parLogAnalyticsWorkspaceCapacityReservationLevel": {
+ "value": 100
+ },
+ "parLogAnalyticsWorkspaceLogRetentionInDays": {
+ "value": 365
+ },
+ "parLogAnalyticsWorkspaceSolutions": {
+ "value": [
+ "AgentHealthAssessment",
+ "AntiMalware",
+ "ChangeTracking",
+ "Security",
+ "SecurityInsights",
+ "SQLAdvancedThreatProtection",
+ "SQLVulnerabilityAssessment",
+ "SQLAssessment",
+ "Updates",
+ "VMInsights"
+ ]
+ },
+ "parLogAnalyticsWorkspaceLinkAutomationAccount": {
+ "value": true
+ },
+ "parAutomationAccountName": {
+ "value": "alz-automation-account"
+ },
+ "parAutomationAccountLocation": {
+ "value": "eastus2"
+ },
+ "parAutomationAccountUseManagedIdentity": {
+ "value": true
+ },
+ "parTags": {
+ "value": {
+ "Environment": "Live"
+ }
+ },
+ "parUseSentinelClassicPricingTiers": {
+ "value": false
+ },
+ "parTelemetryOptOut": {
+ "value": false
+ }
+ }
+}
diff --git a/dependencies/infra-as-code/bicep/modules/logging/parameters/logging.parameters.min.json b/dependencies/infra-as-code/bicep/modules/logging/parameters/logging.parameters.min.json
new file mode 100644
index 0000000..a962c9a
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/logging/parameters/logging.parameters.min.json
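Review bot: `parLogAnalyticsWorkspaceCapacityReservationLevel` is set to `100` while `parLogAnalyticsWorkspaceSkuName` is `PerGB2018`; in the Log Analytics API a reservation level applies only to the `CapacityReservation` SKU, so in this file the value is presumably ignored by the module (how logging.bicep handles it is outside this hunk). JSON cannot carry a comment, so I would state the dependency in the parameter's description in logging.bicep instead, for example `Only used when parLogAnalyticsWorkspaceSkuName is 'CapacityReservation'.`. That keeps someone who copies this "all" file from assuming capacity has been reserved.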
@@ -0,0 +1,32 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "parLogAnalyticsWorkspaceLogRetentionInDays": {
+ "value": 365
+ },
+ "parLogAnalyticsWorkspaceLocation": {
+ "value": "eastus"
+ },
+ "parLogAnalyticsWorkspaceSolutions": {
+ "value": [
+ "AgentHealthAssessment",
+ "AntiMalware",
+ "ChangeTracking",
+ "Security",
+ "SecurityInsights",
+ "SQLAdvancedThreatProtection",
+ "SQLVulnerabilityAssessment",
+ "SQLAssessment",
+ "Updates",
+ "VMInsights"
+ ]
+ },
+ "parAutomationAccountLocation": {
+ "value": "eastus2"
+ },
+ "parTelemetryOptOut": {
+ "value": false
+ }
+ }
+}
diff --git a/dependencies/infra-as-code/bicep/modules/logging/parameters/mc-logging.parameters.all.json b/dependencies/infra-as-code/bicep/modules/logging/parameters/mc-logging.parameters.all.json
new file mode 100644
index 0000000..5881fbc
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/logging/parameters/mc-logging.parameters.all.json
@@ -0,0 +1,52 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "parLogAnalyticsWorkspaceName": {
+ "value": "alz-log-analytics"
+ },
+ "parLogAnalyticsWorkspaceLocation": {
+ "value": "chinaeast2"
+ },
+ "parLogAnalyticsWorkspaceSkuName": {
+ "value": "PerGB2018"
+ },
+ "parLogAnalyticsWorkspaceLogRetentionInDays": {
+ "value": 365
+ },
+ "parLogAnalyticsWorkspaceSolutions": {
+ "value": [
+ "AgentHealthAssessment",
+ "AntiMalware",
+ "ChangeTracking",
+ "Security",
+ "SecurityInsights",
+ "SQLAdvancedThreatProtection",
+ "SQLVulnerabilityAssessment",
+ "SQLAssessment",
+ "Updates",
+ "VMInsights"
+ ]
+ },
+ "parLogAnalyticsWorkspaceLinkAutomationAccount": {
+ "value": true
+ },
+ "parAutomationAccountName": {
+ "value": "alz-automation-account"
+ },
+ "parAutomationAccountLocation": {
+ "value": "chinaeast2"
+ },
+ "parAutomationAccountUseManagedIdentity": {
+ "value": true
+ },
+ "parTags": {
+ "value": {
+ "Environment": "Live"
+ }
+ },
+ "parTelemetryOptOut": {
+ "value": false
+ }
+ }
+}
diff --git a/dependencies/infra-as-code/bicep/modules/logging/parameters/mc-logging.parameters.min.json b/dependencies/infra-as-code/bicep/modules/logging/parameters/mc-logging.parameters.min.json
new file mode 100644
index 0000000..04d9b40
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/logging/parameters/mc-logging.parameters.min.json
@@ -0,0 +1,32 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "parLogAnalyticsWorkspaceLocation": {
+ "value": "chinaeast2"
+ },
+ "parLogAnalyticsWorkspaceLogRetentionInDays": {
+ "value": 365
+ },
+ "parLogAnalyticsWorkspaceSolutions": {
+ "value": [
+ "AgentHealthAssessment",
+ "AntiMalware",
+ "ChangeTracking",
+ "Security",
+ "SecurityInsights",
+ "SQLAdvancedThreatProtection",
+ "SQLVulnerabilityAssessment",
+ "SQLAssessment",
+ "Updates",
+ "VMInsights"
+ ]
+ },
+ "parAutomationAccountLocation": {
+ "value": "chinaeast2"
+ },
+ "parTelemetryOptOut": {
+ "value": false
+ }
+ }
+}
diff --git a/dependencies/infra-as-code/bicep/modules/logging/samples/baseline.sample.bicep b/dependencies/infra-as-code/bicep/modules/logging/samples/baseline.sample.bicep
new file mode 100644
index 0000000..11612fd
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/logging/samples/baseline.sample.bicep
@@ -0,0 +1,44 @@
+//
+// Baseline deployment sample
+//
+
+// Use this sample to deploy the minimum resource configuration.
+
+targetScope = 'resourceGroup'
+
+@description('The Azure location to deploy to.')
+param location string = resourceGroup().location
+
+// ----------
+// PARAMETERS
+// ----------
+
+// ---------
+// RESOURCES
+// ---------
+
+@description('Baseline resource configuration')
+module baseline_logging '../logging.bicep' = {
+ name: 'baseline_logging'
+ params: {
+ parLogAnalyticsWorkspaceLocation: location
+ parAutomationAccountLocation: location
+ parLogAnalyticsWorkspaceName: 'alz-log-analytics'
+ parLogAnalyticsWorkspaceSkuName: 'PerGB2018'
+ parLogAnalyticsWorkspaceSolutions: [
+ 'AgentHealthAssessment'
+ 'AntiMalware'
+ 'ChangeTracking'
+ 'Security'
+ 'SecurityInsights'
+ 'SQLAdvancedThreatProtection'
+ 'SQLVulnerabilityAssessment'
+ 'SQLAssessment'
+ 'Updates'
+ 'VMInsights'
+ ]
+ parAutomationAccountName: 'alz-automation-account'
+ parAutomationAccountUseManagedIdentity: true
+ parTelemetryOptOut: false
+ }
+}
diff --git a/dependencies/infra-as-code/bicep/modules/logging/samples/generateddocs/baseline.sample.bicep.md b/dependencies/infra-as-code/bicep/modules/logging/samples/generateddocs/baseline.sample.bicep.md
new file mode 100644
index 0000000..8988086
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/logging/samples/generateddocs/baseline.sample.bicep.md
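Review bot: The header comment in baseline.sample.bicep reads `// Use this sample to deploy the minimum resource configuration.`, which is the wording of the minimum sample; here it should be `// Use this sample to deploy the baseline resource configuration.`. The `// PARAMETERS` banner also sits below the only `param` declaration, so `param location` belongs under it (minimum.sample.bicep has the same ordering). Separately, the baseline passes no `parLogAnalyticsWorkspaceLogRetentionInDays`, whereas every parameter file in this commit sets it to 365. Retention therefore falls back to the module default, which is not visible in this hunk, and for a security logging baseline I would either set the value explicitly or add a comment such as `// retention uses the module default; set parLogAnalyticsWorkspaceLogRetentionInDays to match your retention policy`.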
@@ -0,0 +1,34 @@
+# Azure template
+
+## Parameters
+
+Parameter name | Required | Description
+-------------- | -------- | -----------
+location | No | The Azure location to deploy to.
+
+### location
+
+![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
+
+The Azure location to deploy to.
+
+- Default value: `[resourceGroup().location]`
+
+## Snippets
+
+### Parameter file
+
+```json
+{
+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "template": "infra-as-code/bicep/modules/logging/samples/baseline.sample.json"
+ },
+ "parameters": {
+ "location": {
+ "value": "[resourceGroup().location]"
+ }
+ }
+}
+```
diff --git a/dependencies/infra-as-code/bicep/modules/logging/samples/generateddocs/minimum.sample.bicep.md b/dependencies/infra-as-code/bicep/modules/logging/samples/generateddocs/minimum.sample.bicep.md
new file mode 100644
index 0000000..71927f7
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/logging/samples/generateddocs/minimum.sample.bicep.md
@@ -0,0 +1,34 @@
+# Azure template
+
+## Parameters
+
+Parameter name | Required | Description
+-------------- | -------- | -----------
+location | No | The Azure location to deploy to.
+
+### location
+
+![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
+
+The Azure location to deploy to.
+
+- Default value: `[resourceGroup().location]`
+
+## Snippets
+
+### Parameter file
+
+```json
+{
+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "template": "infra-as-code/bicep/modules/logging/samples/minimum.sample.json"
+ },
+ "parameters": {
+ "location": {
+ "value": "[resourceGroup().location]"
+ }
+ }
+}
+```
diff --git a/dependencies/infra-as-code/bicep/modules/logging/samples/minimum.sample.bicep b/dependencies/infra-as-code/bicep/modules/logging/samples/minimum.sample.bicep
new file mode 100644
index 0000000..c7c9f52
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/logging/samples/minimum.sample.bicep
@@ -0,0 +1,27 @@
+//
+// Minimum deployment sample
+//
+
+// Use this sample to deploy the minimum resource configuration.
+
+targetScope = 'resourceGroup'
+
+@description('The Azure location to deploy to.')
+param location string = resourceGroup().location
+
+// ----------
+// PARAMETERS
+// ----------
+
+// ---------
+// RESOURCES
+// ---------
+
+@description('Minimum resource configuration')
+module minimum_logging '../logging.bicep' = {
+ name: 'minimum_logging'
+ params: {
+ parLogAnalyticsWorkspaceLocation: location
+ parAutomationAccountLocation: location
+ }
+}
diff --git a/dependencies/infra-as-code/bicep/modules/managementGroups/README.md b/dependencies/infra-as-code/bicep/modules/managementGroups/README.md
new file mode 100644
index 0000000..0c72103
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/managementGroups/README.md
@@ -0,0 +1,200 @@
+# Module: Management Groups
+
+The Management Groups module deploys a management group hierarchy in a customer's tenant under the `Tenant Root Group`. This is accomplished through a tenant-scoped Azure Resource Manager (ARM) deployment. The hierarchy can be modified by editing `managementGroups.bicep`. The hierarchy created by the deployment is:
+
+- Tenant Root Group
+ - Top Level Management Group (defined by parameter `parTopLevelManagementGroupPrefix`)
+ - Platform
+ - Management
+ - Connectivity
+ - Identity
+ - Landing Zones
+ - Corp
+ - Online
+ - Sandbox
+ - Decommissioned
+
+## Parameters
+
+- [Link to Parameters](generateddocs/managementGroups.bicep.md)
+
+### Child Platform & Landing Zone Management Groups Flexibility
+
+This module allows some flexibility for deploying child Platform & Landing Zone Management Groups, e.g. Management Groups that live beneath the Platform & Landing Zones Management Group. This flexibility is controlled by two/three parameters which are detailed below. All of these parameters can be used together to tailor the child Landing Zone Management Groups.
+
+#### Platform
+- `parPlatformMgAlzDefaultsEnable`
+ - Boolean - defaults to `true`
+ - **Required**
+ - Deploys following child Platform Management groups if set to `true`:
+ - `Management`
+ - `Connectivity`
+ - `Identity`
+ - *These are the default ALZ Management Groups as per the conceptual architecture*
+- `parPlatformMgChildren`
+ - Object - default is an empty object `{}`
+ - **Optional**
+ - Deploys whatever you specify in the object as child Landing Zone Management groups.
+
+These two parameters are then used to collate a single variable that is used to create the child Platform Management Groups. Duplicates are removed if entered. This is done by using the `union()` function in bicep.
+
+> Investigate the variable called `varPlatformMgChildrenUnioned` if you want to see how this works in the module.
+
+#### Landing Zones
+- `parLandingZoneMgAlzDefaultsEnable`
+ - Boolean - defaults to `true`
+ - **Required**
+ - Deploys following child Landing Zone Management groups if set to `true`:
+ - `Corp`
+ - `Online`
+ - *These are the default ALZ Management Groups as per the conceptual architecture*
+- `parLandingZoneMgConfidentialEnable`
+ - Boolean - defaults to `false`
+ - **Required**
+ - Deploys following child Landing Zone Management groups if set to `true`:
+ - `Confidential Corp`
+ - `Confidential Online`
+- `parLandingZoneMgChildren`
+ - Object - default is an empty object `{}`
+ - **Optional**
+ - Deploys whatever you specify in the object as child Landing Zone Management groups.
+
+These three parameters are then used to collate a single variable that is used to create the child Landing Zone Management Groups. Duplicates are removed if entered. This is done by using the `union()` function in bicep.
+
+> Investigate the variable called `varLandingZoneMgChildrenUnioned` if you want to see how this works in the module.
+
+#### `parLandingZoneMgChildren` and `parPlatformMgChildren` Input Examples
+
+Below are some examples of how to use this input parameter in both Bicep & JSON formats.
+
+##### Bicep Example
+
+```bicep
+parLandingZoneMgChildren: {
+ pci: {
+ displayName: 'PCI'
+ }
+ 'another-example': {
+ displayName: 'Another Example'
+ }
+}
+
+parPlatformMgChildren: {
+ security: {
+ displayName: 'Security'
+ }
+ 'yet-another-example': {
+ displayName: 'Yet Another Example'
+ }
+}
+```
+
+##### JSON Parameter File Input Example
+
+```json
+"parLandingZoneMgChildren": {
+ "value": {
+ "pci": {
+ "displayName": "PCI"
+ },
+ "another-example": {
+ "displayName": "Another Example"
+ }
+ }
+},
+"parPlatformMgChildren": {
+ "value": {
+ "security": {
+ "displayName": "Security"
+ },
+ "yet-another-example": {
+ "displayName": "Yet Another Example"
+ }
+ }
+}
+```
+
+## Outputs
+
+The module will generate the following outputs:
+
+| Output | Type | Example |
+| ------------------------------------------ | ------ | ---------------------------------------------------------------------------------------------------------------------------------------------------- |
+| outTopLevelManagementGroupId | string | /providers/Microsoft.Management/managementGroups/alz |
+| outPlatformManagementGroupId | string | /providers/Microsoft.Management/managementGroups/alz-platform |
+| outPlatformChildrenManagementGroupIds | array | `[/providers/Microsoft.Management/managementGroups/alz-platform-management, /providers/Microsoft.Management/managementGroups/alz-platform-connectivity, /providers/Microsoft.Management/managementGroups/alz-platform-identity]` |
+| outLandingZonesManagementGroupId | string | /providers/Microsoft.Management/managementGroups/alz-landingzones |
+| outLandingZoneChildrenManagementGroupIds | array | `[/providers/Microsoft.Management/managementGroups/alz-landingzones-corp, /providers/Microsoft.Management/managementGroups/alz-landingzones-online]` |
+| outSandboxManagementGroupId | string | /providers/Microsoft.Management/managementGroups/alz-sandbox |
+| outDecommissionedManagementGroupId | string | /providers/Microsoft.Management/managementGroups/alz-decommissioned |
+| outTopLevelManagementGroupName | string | Azure Landing Zones |
+| outPlatformManagementGroupName | string | Platform |
+| outPlatformChildrenManagementGroupNames | array | `[Management, Connectivity, Identity]` |
+| outLandingZonesManagementGroupName | string | Landing Zones |
+| outLandingZoneChildrenManagementGroupNames | array | `[Corp, Online]` |
+| outSandboxManagementGroupName | string | Sandbox |
+| outDecommissionedManagementGroupName | string | Decommissioned |
+
+## Deployment
+
+In this example, the management groups are created at the `Tenant Root Group` through a tenant-scoped deployment.
+
+> For the examples below we assume you have downloaded or cloned the Git repo as-is and are in the root of the repository as your selected directory in your terminal of choice.
+
+### Azure CLI
+
+```bash
+# For Azure global regions
+
+dateYMD=$(date +%Y%m%dT%H%M%S%NZ)
+NAME="alz-MGDeployment-${dateYMD}"
+LOCATION="eastus"
+TEMPLATEFILE="infra-as-code/bicep/modules/managementGroups/managementGroups.bicep"
+PARAMETERS="@infra-as-code/bicep/modules/managementGroups/parameters/managementGroups.parameters.all.json"
+
+az deployment tenant create --name ${NAME:0:63} --location $LOCATION --template-file $TEMPLATEFILE --parameters $PARAMETERS
+```
+OR
+```bash
+# For Azure China regions
+
+dateYMD=$(date +%Y%m%dT%H%M%S%NZ)
+NAME="alz-MGDeployment-${dateYMD}"
+LOCATION="chinaeast2"
+TEMPLATEFILE="infra-as-code/bicep/modules/managementGroups/managementGroups.bicep"
+PARAMETERS="@infra-as-code/bicep/modules/managementGroups/parameters/managementGroups.parameters.all.json"
+
+az deployment tenant create --name ${NAME:0:63} --location $LOCATION --template-file $TEMPLATEFILE --parameters $PARAMETERS
+```
+
+### PowerShell
+
+```powershell
+# For Azure global regions
+
+$inputObject = @{
+ DeploymentName = 'alz-MGDeployment-{0}' -f (-join (Get-Date -Format 'yyyyMMddTHHMMssffffZ')[0..63])
+ Location = 'EastUS'
+ TemplateFile = "infra-as-code/bicep/modules/managementGroups/managementGroups.bicep"
+ TemplateParameterFile = 'infra-as-code/bicep/modules/managementGroups/parameters/managementGroups.parameters.all.json'
+}
+New-AzTenantDeployment @inputObject
+```
+OR
+```powershell
+# For Azure China regions
+
+$inputObject = @{
+ DeploymentName = 'alz-MGDeployment-{0}' -f (-join (Get-Date -Format 'yyyyMMddTHHMMssffffZ')[0..63])
+ Location = 'chinaeast2'
+ TemplateFile = "infra-as-code/bicep/modules/managementGroups/managementGroups.bicep"
+ TemplateParameterFile = 'infra-as-code/bicep/modules/managementGroups/parameters/managementGroups.parameters.all.json'
+}
+New-AzTenantDeployment @inputObject
+```
+
+![Example Deployment Output](media/exampleDeploymentOutput.png "Example Deployment Output")
+
+## Bicep Visualizer
+
+![Bicep Visualizer](media/bicepVisualizer.png "Bicep Visualizer")
diff --git a/dependencies/infra-as-code/bicep/modules/managementGroups/generateddocs/managementGroups.bicep.md b/dependencies/infra-as-code/bicep/modules/managementGroups/generateddocs/managementGroups.bicep.md
new file mode 100644
index 0000000..9264a56
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/managementGroups/generateddocs/managementGroups.bicep.md
@@ -0,0 +1,155 @@ +# ALZ Bicep - Management Groups Module + +ALZ Bicep Module to set up Management Group structure + +## Parameters + +Parameter name | Required | Description +-------------- | -------- | ----------- +parTopLevelManagementGroupPrefix | No | Prefix for the management group hierarchy. This management group will be created as part of the deployment. +parTopLevelManagementGroupSuffix | No | Optional suffix for the management group hierarchy. This suffix will be appended to management group names/IDs. Include a preceding dash if required. Example: -suffix +parTopLevelManagementGroupDisplayName | No | Display name for top level management group. This name will be applied to the management group prefix defined in parTopLevelManagementGroupPrefix parameter. +parTopLevelManagementGroupParentId | No | Optional parent for Management Group hierarchy, used as intermediate root Management Group parent, if specified. If empty, default, will deploy beneath Tenant Root Management Group. +parLandingZoneMgAlzDefaultsEnable | No | Deploys Corp & Online Management Groups beneath Landing Zones Management Group if set to true. +parPlatformMgAlzDefaultsEnable | No | Deploys Management, Identity and Connectivity Management Groups beneath Platform Management Group if set to true. +parLandingZoneMgConfidentialEnable | No | Deploys Confidential Corp & Confidential Online Management Groups beneath Landing Zones Management Group if set to true. +parLandingZoneMgChildren | No | Dictionary Object to allow additional or different child Management Groups of Landing Zones Management Group to be deployed. +parPlatformMgChildren | No | Dictionary Object to allow additional or different child Management Groups of Platform Management Group to be deployed. +parTelemetryOptOut | No | Set Parameter to true to Opt-out of deployment telemetry. 
+ +### parTopLevelManagementGroupPrefix + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Prefix for the management group hierarchy. This management group will be created as part of the deployment. + +- Default value: `alz` + +### parTopLevelManagementGroupSuffix + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Optional suffix for the management group hierarchy. This suffix will be appended to management group names/IDs. Include a preceding dash if required. Example: -suffix + +### parTopLevelManagementGroupDisplayName + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Display name for top level management group. This name will be applied to the management group prefix defined in parTopLevelManagementGroupPrefix parameter. + +- Default value: `Azure Landing Zones` + +### parTopLevelManagementGroupParentId + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Optional parent for Management Group hierarchy, used as intermediate root Management Group parent, if specified. If empty, default, will deploy beneath Tenant Root Management Group. + +### parLandingZoneMgAlzDefaultsEnable + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Deploys Corp & Online Management Groups beneath Landing Zones Management Group if set to true. + +- Default value: `True` + +### parPlatformMgAlzDefaultsEnable + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Deploys Management, Identity and Connectivity Management Groups beneath Platform Management Group if set to true. 
+ +- Default value: `True` + +### parLandingZoneMgConfidentialEnable + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Deploys Confidential Corp & Confidential Online Management Groups beneath Landing Zones Management Group if set to true. + +- Default value: `False` + +### parLandingZoneMgChildren + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Dictionary Object to allow additional or different child Management Groups of Landing Zones Management Group to be deployed. + +### parPlatformMgChildren + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Dictionary Object to allow additional or different child Management Groups of Platform Management Group to be deployed. + +### parTelemetryOptOut + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Set Parameter to true to Opt-out of deployment telemetry. 
+ +- Default value: `False` + +## Outputs + +Name | Type | Description +---- | ---- | ----------- +outTopLevelManagementGroupId | string | +outPlatformManagementGroupId | string | +outPlatformChildrenManagementGroupIds | array | +outLandingZonesManagementGroupId | string | +outLandingZoneChildrenManagementGroupIds | array | +outSandboxManagementGroupId | string | +outDecommissionedManagementGroupId | string | +outTopLevelManagementGroupName | string | +outPlatformManagementGroupName | string | +outPlatformChildrenManagementGroupNames | array | +outLandingZonesManagementGroupName | string | +outLandingZoneChildrenManagementGroupNames | array | +outSandboxManagementGroupName | string | +outDecommissionedManagementGroupName | string | + +## Snippets + +### Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "template": "infra-as-code/bicep/modules/managementGroups/managementGroups.json" + }, + "parameters": { + "parTopLevelManagementGroupPrefix": { + "value": "alz" + }, + "parTopLevelManagementGroupSuffix": { + "value": "" + }, + "parTopLevelManagementGroupDisplayName": { + "value": "Azure Landing Zones" + }, + "parTopLevelManagementGroupParentId": { + "value": "" + }, + "parLandingZoneMgAlzDefaultsEnable": { + "value": true + }, + "parPlatformMgAlzDefaultsEnable": { + "value": true + }, + "parLandingZoneMgConfidentialEnable": { + "value": false + }, + "parLandingZoneMgChildren": { + "value": {} + }, + "parPlatformMgChildren": { + "value": {} + }, + "parTelemetryOptOut": { + "value": false + } + } +} +``` diff --git a/dependencies/infra-as-code/bicep/modules/managementGroups/managementGroups.bicep b/dependencies/infra-as-code/bicep/modules/managementGroups/managementGroups.bicep new file mode 100644 index 0000000..97280d5 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/managementGroups/managementGroups.bicep 
@@ -0,0 +1,223 @@
+targetScope = 'tenant'
+
+metadata name = 'ALZ Bicep - Management Groups Module'
+metadata description = 'ALZ Bicep Module to set up Management Group structure'
+
+@sys.description('Prefix for the management group hierarchy. This management group will be created as part of the deployment.')
+@minLength(2)
+@maxLength(10)
+param parTopLevelManagementGroupPrefix string = 'alz'
+
+@sys.description('Optional suffix for the management group hierarchy. This suffix will be appended to management group names/IDs. Include a preceding dash if required. Example: -suffix')
+@maxLength(10)
+param parTopLevelManagementGroupSuffix string = ''
+
+@sys.description('Display name for top level management group. This name will be applied to the management group prefix defined in parTopLevelManagementGroupPrefix parameter.')
+@minLength(2)
+param parTopLevelManagementGroupDisplayName string = 'Azure Landing Zones'
+
+@sys.description('Optional parent for Management Group hierarchy, used as intermediate root Management Group parent, if specified. If empty, default, will deploy beneath Tenant Root Management Group.')
+param parTopLevelManagementGroupParentId string = ''
+
+@sys.description('Deploys Corp & Online Management Groups beneath Landing Zones Management Group if set to true.')
+param parLandingZoneMgAlzDefaultsEnable bool = true
+
+@sys.description('Deploys Management, Identity and Connectivity Management Groups beneath Platform Management Group if set to true.')
+param parPlatformMgAlzDefaultsEnable bool = true
+
+@sys.description('Deploys Confidential Corp & Confidential Online Management Groups beneath Landing Zones Management Group if set to true.')
+param parLandingZoneMgConfidentialEnable bool = false
+
+@sys.description('Dictionary Object to allow additional or different child Management Groups of Landing Zones Management Group to be deployed.')
+param parLandingZoneMgChildren object = {}
+
+@sys.description('Dictionary Object to allow additional or different child Management Groups of Platform Management Group to be deployed.')
+param parPlatformMgChildren object = {}
+
+@sys.description('Set Parameter to true to Opt-out of deployment telemetry.')
+param parTelemetryOptOut bool = false
+
+// Platform and Child Management Groups
+var varPlatformMg = {
+ name: '${parTopLevelManagementGroupPrefix}-platform${parTopLevelManagementGroupSuffix}'
+ displayName: 'Platform'
+}
+
+// Used if parPlatformMgAlzDefaultsEnable == true
+var varPlatformMgChildrenAlzDefault = {
+ connectivity: {
+ displayName: 'Connectivity'
+ }
+ identity: {
+ displayName: 'Identity'
+ }
+ management: {
+ displayName: 'Management'
+ }
+}
+
+// Landing Zones & Child Management Groups
+var varLandingZoneMg = {
+ name: '${parTopLevelManagementGroupPrefix}-landingzones${parTopLevelManagementGroupSuffix}'
+ displayName: 'Landing Zones'
+}
+
+// Used if parLandingZoneMgAlzDefaultsEnable == true
+var varLandingZoneMgChildrenAlzDefault = {
+ corp: {
+ displayName: 'Corp'
+ }
+ online: {
+ displayName: 'Online'
+ }
+}
+
+// Used if parLandingZoneMgConfidentialEnable == true
+var varLandingZoneMgChildrenConfidential = {
+ 'confidential-corp': {
+ displayName: 'Confidential Corp'
+ }
+ 'confidential-online': {
+ displayName: 'Confidential Online'
+ }
+}
+
+// Build final onject based on input parameters for child MGs of LZs
+var varLandingZoneMgChildrenUnioned = (parLandingZoneMgAlzDefaultsEnable && parLandingZoneMgConfidentialEnable && (!empty(parLandingZoneMgChildren))) ? union(varLandingZoneMgChildrenAlzDefault, varLandingZoneMgChildrenConfidential, parLandingZoneMgChildren) : (parLandingZoneMgAlzDefaultsEnable && parLandingZoneMgConfidentialEnable && (empty(parLandingZoneMgChildren))) ? union(varLandingZoneMgChildrenAlzDefault, varLandingZoneMgChildrenConfidential) : (parLandingZoneMgAlzDefaultsEnable && !parLandingZoneMgConfidentialEnable && (!empty(parLandingZoneMgChildren))) ? union(varLandingZoneMgChildrenAlzDefault, parLandingZoneMgChildren) : (parLandingZoneMgAlzDefaultsEnable && !parLandingZoneMgConfidentialEnable && (empty(parLandingZoneMgChildren))) ? varLandingZoneMgChildrenAlzDefault : (!parLandingZoneMgAlzDefaultsEnable && parLandingZoneMgConfidentialEnable && (!empty(parLandingZoneMgChildren))) ? union(varLandingZoneMgChildrenConfidential, parLandingZoneMgChildren) : (!parLandingZoneMgAlzDefaultsEnable && parLandingZoneMgConfidentialEnable && (empty(parLandingZoneMgChildren))) ? varLandingZoneMgChildrenConfidential : (!parLandingZoneMgAlzDefaultsEnable && !parLandingZoneMgConfidentialEnable && (!empty(parLandingZoneMgChildren))) ? parLandingZoneMgChildren : (!parLandingZoneMgAlzDefaultsEnable && !parLandingZoneMgConfidentialEnable && (empty(parLandingZoneMgChildren))) ? {} : {}
+var varPlatformMgChildrenUnioned = (parPlatformMgAlzDefaultsEnable && (!empty(parPlatformMgChildren))) ? union(varPlatformMgChildrenAlzDefault, parPlatformMgChildren) : (parPlatformMgAlzDefaultsEnable && (empty(parPlatformMgChildren))) ? varPlatformMgChildrenAlzDefault : (!parPlatformMgAlzDefaultsEnable && (!empty(parPlatformMgChildren))) ? parPlatformMgChildren : (!parPlatformMgAlzDefaultsEnable && (empty(parPlatformMgChildren))) ? {} : {}
+
+// Sandbox Management Group
+var varSandboxMg = {
+ name: '${parTopLevelManagementGroupPrefix}-sandbox${parTopLevelManagementGroupSuffix}'
+ displayName: 'Sandbox'
+}
+
+// Decomissioned Management Group
+var varDecommissionedMg = {
+ name: '${parTopLevelManagementGroupPrefix}-decommissioned${parTopLevelManagementGroupSuffix}'
+ displayName: 'Decommissioned'
+}
+
+// Customer Usage Attribution Id
+var varCuaid = '9b7965a0-d77c-41d6-85ef-ec3dfea4845b'
+
+// Level 1
+resource resTopLevelMg 'Microsoft.Management/managementGroups@2023-04-01' = {
+ name: '${parTopLevelManagementGroupPrefix}${parTopLevelManagementGroupSuffix}'
+ properties: {
+ displayName: parTopLevelManagementGroupDisplayName
+ details: {
+ parent: {
+ id: empty(parTopLevelManagementGroupParentId) ? '/providers/Microsoft.Management/managementGroups/${tenant().tenantId}' : parTopLevelManagementGroupParentId
+ }
+ }
+ }
+}
+
+// Level 2
+resource resPlatformMg 'Microsoft.Management/managementGroups@2023-04-01' = {
+ name: varPlatformMg.name
+ properties: {
+ displayName: varPlatformMg.displayName
+ details: {
+ parent: {
+ id: resTopLevelMg.id
+ }
+ }
+ }
+}
+
+resource resLandingZonesMg 'Microsoft.Management/managementGroups@2023-04-01' = {
+ name: varLandingZoneMg.name
+ properties: {
+ displayName: varLandingZoneMg.displayName
+ details: {
+ parent: {
+ id: resTopLevelMg.id
+ }
+ }
+ }
+}
+
+resource resSandboxMg 'Microsoft.Management/managementGroups@2023-04-01' = {
+ name: varSandboxMg.name
+ properties: {
+ displayName: varSandboxMg.displayName
+ details: {
+ parent: {
+ id: resTopLevelMg.id
+ }
+ }
+ }
+}
+
+resource resDecommissionedMg 'Microsoft.Management/managementGroups@2023-04-01' = {
+ name: varDecommissionedMg.name
+ properties: {
+ displayName: varDecommissionedMg.displayName
+ details: {
+ parent: {
+ id: resTopLevelMg.id
+ }
+ }
+ }
+}
+
+// Level 3 - Child Management Groups under Landing Zones MG
+resource resLandingZonesChildMgs 'Microsoft.Management/managementGroups@2023-04-01' = [for mg in items(varLandingZoneMgChildrenUnioned): if (!empty(varLandingZoneMgChildrenUnioned)) {
+ name: '${parTopLevelManagementGroupPrefix}-landingzones-${mg.key}${parTopLevelManagementGroupSuffix}'
+ properties: {
+ displayName: mg.value.displayName
+ details: {
+ parent: {
+ id: resLandingZonesMg.id
+ }
+ }
+ }
+}]
+
+//Level 3 - Child Management Groups under Platform MG
+resource resPlatformChildMgs 'Microsoft.Management/managementGroups@2023-04-01' = [for mg in items(varPlatformMgChildrenUnioned): if (!empty(varPlatformMgChildrenUnioned)) {
+ name: '${parTopLevelManagementGroupPrefix}-platform-${mg.key}${parTopLevelManagementGroupSuffix}'
+ properties: {
+ displayName: mg.value.displayName
+ details: {
+ parent: {
+ id: resPlatformMg.id
+ }
+ }
+ }
+}]
+
+// Optional Deployment for Customer Usage Attribution
+module modCustomerUsageAttribution '../../CRML/customerUsageAttribution/cuaIdTenant.bicep' = if (!parTelemetryOptOut) {
+ #disable-next-line no-loc-expr-outside-params //Only to ensure telemetry data is stored in same location as deployment. See https://github.com/Azure/ALZ-Bicep/wiki/FAQ#why-are-some-linter-rules-disabled-via-the-disable-next-line-bicep-function for more information //Only to ensure telemetry data is stored in same location as deployment. See https://github.com/Azure/ALZ-Bicep/wiki/FAQ#why-are-some-linter-rules-disabled-via-the-disable-next-line-bicep-function for more information
+ name: 'pid-${varCuaid}-${uniqueString(deployment().location)}'
+ params: {}
+}
+
+// Output Management Group IDs
+output outTopLevelManagementGroupId string = resTopLevelMg.id
+
+output outPlatformManagementGroupId string = resPlatformMg.id
+output outPlatformChildrenManagementGroupIds array = [for mg in items(varPlatformMgChildrenUnioned): '/providers/Microsoft.Management/managementGroups/${parTopLevelManagementGroupPrefix}-platform-${mg.key}${parTopLevelManagementGroupSuffix}']
+
+output outLandingZonesManagementGroupId string = resLandingZonesMg.id
+output outLandingZoneChildrenManagementGroupIds array = [for mg in items(varLandingZoneMgChildrenUnioned): '/providers/Microsoft.Management/managementGroups/${parTopLevelManagementGroupPrefix}-landingzones-${mg.key}${parTopLevelManagementGroupSuffix}' ]
+
+output outSandboxManagementGroupId string = resSandboxMg.id
+
+output outDecommissionedManagementGroupId string = resDecommissionedMg.id
+
+// Output Management Group Names
+output outTopLevelManagementGroupName string = resTopLevelMg.name
+
+output outPlatformManagementGroupName string = resPlatformMg.name
+output outPlatformChildrenManagementGroupNames array = [for mg in items(varPlatformMgChildrenUnioned): mg.value.displayName]
+
+output outLandingZonesManagementGroupName string = resLandingZonesMg.name
+output outLandingZoneChildrenManagementGroupNames array = [for mg in items(varLandingZoneMgChildrenUnioned): mg.value.displayName]
+
+output outSandboxManagementGroupName string = resSandboxMg.name
+
+output outDecommissionedManagementGroupName string = resDecommissionedMg.name
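Review bot: The `*Name` outputs at the end of this file carry two different meanings. `outTopLevelManagementGroupName`, `outPlatformManagementGroupName`, `outLandingZonesManagementGroupName`, `outSandboxManagementGroupName` and `outDecommissionedManagementGroupName` return `res….name`, which is the ID segment (`alz`, `alz-platform`, … with the default prefix), while `outPlatformChildrenManagementGroupNames` and `outLandingZoneChildrenManagementGroupNames` return `mg.value.displayName`. The module README in this commit lists `Azure Landing Zones` and `Platform` as example values, so the display name looks intended; that would be e.g. `output outPlatformManagementGroupName string = varPlatformMg.displayName`. Whichever is meant, these values are likely to end up in policy and role-assignment scopes downstream, so each output should get a `@sys.description('...')` that says whether it is the ID segment or the display name. The child ID outputs also rebuild the resource ID by interpolation instead of reading it from the resource loop; `[for (mg, i) in items(varLandingZoneMgChildrenUnioned): resLandingZonesChildMgs[i].id]` keeps them tied to the loop's `name` expression.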
diff --git a/dependencies/infra-as-code/bicep/modules/managementGroups/media/bicepVisualizer.png b/dependencies/infra-as-code/bicep/modules/managementGroups/media/bicepVisualizer.png new file mode 100644 index 0000000000000000000000000000000000000000..64572c2215777da8e66a00598e074358d5cfb7e1 GIT binary patch literal 88792 zcmeFZcT`hp`!%e9G--+mNEZc-(nNX_7z;{qASj54fCK^Qy?0Qg*eD?ZWQ0HvDI&du zj?xt=(n6755~Kw}`R)_udEWP(ncuU%^{j7wf4ysE)`*gv-1oW4zV_btd3Ia(Iy2)b z#zTh=F>BrUP5;m#I^3Z{RJZ79!QZ6m=)VL1JM5}|UE@$*C+{5ifyP>0NBz*D!nmV5 z=10KK3{E$UT@M}Ni-i6=95=OMb?DH3rq*xjaIXi8BkO7C-rfCu0*>gNSmR7Z!*HDb zi^G$5Jf5DOavD`-#kYqu#ol~NsQ9*FdU#MHyh2~_%#9lw;U_m&J0@$j5~o_Xmt}sD z#shA7OefoQwlCjzHJ$N(FtZc5PuSnZ32MDM^XE%nN_r>ZUq8G$!%^+iK&bI2Uo+n1 zpdLz-_-|kN6@zBhq!fOmeilaLQdi=C`?~ADlrOil+@Fs>EO3AJNnp)?{hGJK^`vsj z|JMuBcL=N=Fa2LTr4`;uH2L>7zJjkY;m-cAZN1v{fB#YI|84?^kN@vBVV)UB-dN(X z8oA5#UuOY$81qPIj zg&b8K`_(29n3ijw96DpKQ#_PbtRqyk8&hOIR8nBk6ea04+wDXekF?%flDn235Wv&A zG1K-xzuwnu^z#I4F7y+ESjFA`{!PH&g!k=*vM8QI2W-!ok5+k`*M%IBIfXwocq+}X!&E$??1eH`vbC6B%J=? 
z$~Y@FKhNc1g?6O0D3gGyGW^aR1npD(^RpwBo<^S@|IT&k(GB^ZFElTyu``dai2lPi z{`*5ShxdFM9HH9KG*dPid$b3m^SrJ!eiTM$XlQ7@vG^nXZvKODO@Zy((=!^BiV`nN z`F(8T?e&h?yY+-T(@F$wxIWhWMax)SXv3TH2K8UB3#4rQctNR0nH`j31C!DwEBkM+ zanT^c!}PI#Z2SKD`9+GpYx~I!=u)}}vyou^ zxC3s13!ZHznoPAHl);Q&RtF!+)!-N}eXtp?S`#Vt6mG$UGwl4cdcw>i@Zi1r&!l$l zDE!wS_=^#Dq0)odKaz!2Gpn6Rg}mN1e9hLL^3h-eB>vppPwphs-+w>m!_0L;aQ4bgG`(HefNhP*s7Giozy{x{P)5zVhxTt)h!qA^LJLQwvEr@78y#_ zHg(H(2|^V+cZV9jy?0;;71fOyvQl|qYxB3O8j?&^Y_*Ntd$Jm=aD)5~BfHak-IW+r zYQWk1#CK+q<(&6V=H$>lTE1?p^|v>BkVf8lrb*6J#f7)=2PhBkwA&%mJ#|V|!1c$U z?T5MIR&R5u1ZqvIW+qrr_FPMU>k?%FH?{4;@f`8-=HG|I$9Dvjc^!Tj2F{xD2$96P zYWO?1+wW@TAEuU0)3g=;>m9nMxRbZoC$=V_Ad*`#B|YApB7vYCigE7{_H9^nRXgQl z$jZbKA70MywZFI9P+;Dm`f#>8J>9x16&Yuf{h-<>JeZm;qP4ZPoou2HqF#P~XSE@U ze}t??KSUytDZhogZHmUY1vpFQKD_Dq8r<`Kzhy*YyG3)2ICHjHpN`w!QTlb|kY5X* zXIP6sptADT&)4HqiDoQaDx3EQYW#gkZDxDNLx1MB$b4^6-6$lssO?EXIlsD>@Y`qq z{oTz-6NmD%H7&x|W0@qXh#FqRI=TkZ%A{Js?$0l;8}b9z-xC|z^}?_QSiwA%&j((6TQd!oaVjNhJE_vvx}^2|K)xFA%aJ-L z*``hN<>7Mkg}x7kIm#+EY+RHCeg&_gWM#(j9yGDi#4umd;Y&`zxGO$7eQoIjub(K* zq5yg7o%xn~8k44oPTLa`O(|wM!`64#<5*T_x>!N)i0*k~(4pe7I8fj=_pRX3msgSx zYlC*<=6bU9k`!DKMm2ukP%+(67-_K#*eFU1ZxgS45_ntt?B%-kiKge1mh_E1Cnjh< zvy19R8}`x^Dsy&yxjbQ$<{plx`HoF_$dl?>AI7la?Xxyp7+85s_*$c2^4#YwqN9y>Pj4xvtIEX**|>cZdxu z>lyY(c7g2Te z`>hdgCZ;pDYb=^AG zsmgjHplCmaN3Pj_)o5e?oxtunS`z1dC-q^v{BV1QOvkE~X5v;?pepT%z}DyM6AKf? 
ztBT&r!2x$j9iOK5Hv{)M16EP^#zSdCg)URAMpK=Z`)gThO+-}fZWE^&Q{sJ>FXX{{ z*?+CdHZG)*N=Gig$r1C;&b#&HdR1%=KUVJ`u8iDs__2#HBEJ`H2qNqWxv8uUx68`X z99|^^Y*v;ztY`oJ&O%bzvN@XTp_yxkOyOyC(AvxE{0wHh^LH)X<<$vSIZaPAJg#3( z?n&-v!Tk_0{A#u{!D;C(*V}*hfwvW@AGgQxzLuc}w^5wmv|h*Xu{>=i>)ZBnB_UR5 zHMrg}r;K6TTYRw7m0jN;y&9wgsmeOV{Z8(stQfGJ0v5Bn#oH2rTWwq~R{e5^bVz&1 zEW?t2gfDie$yWONyqq zuB&Z-B`KEJ4{g-+zmWTDl}u(2U@e!E+A!c16-l4pd3-}uq-X_R9uz32XR zKd!lT=0q5KG&@`Wu-Ot3bp<7ex}s#S$+7WTPnCO9oz#Id+xwN+P#a9W>FB!fp|m;2 z1;ed&o7CYmq^G>nxaV=)NR2cWD)m`3W513yfbBvxvN`2;GNS{m$cD#$d(m2rN8tL@ zmPEkHb0c+KrJ{Pr2XyHw1nOYb{N1^%wAfNJzm+BddYpIKV_}2bz02xwtei%Qf1xdgB82R?}LF^BD5%BKnFO9AS+NaXo93 zf^glQaP|NLtWK{xzQ%vkQ8N=1v)u*721m?E(V)B$T@70*Q?LeU^4rrpAdx(t^c43$ z;7RqF#~PKJt~x8T_Ri5U;1X&E%;_1~GbS zY$lgZ9e}G>|AsJ02~0Trx^B|ez|rx=6p2W?G=JgYjbSCExre2nAHJq<$H9}!Eik6L zGQQriZ+5i8-Hyo>nSdS|h@H2=kP)W{s{Y$yIXO8_(@5)xYTwOf*wQCZ0XFA*-&=OK z<7~`mTEiCLrdh3yA&+4>Y@?mhV6FiO z9>3iMGr2#9|050mYN!GMIJ=1+$B0b5suP`ozowiF*!!t*8*_IXnsGbQ(d0Sy^aWOa z@E%OCa_6bL3RmE!sPKA3P`$Yl7AWZVJG=I352_!GyzhiWKOoyJ|S;^lr?4eP@~7b`NjkOJ(km1xvs^%KhO)P?0Z24A697 zQ@8+B*z*saYxjPjvE;_%b>D|?Zhb}GL6k|?aH5J;`EE!5m(|{30fMQmUPX+5A#;BC z%-h{6y1Bi--(r(6{1=k-C|He`0(zH(YY_7t^)n;-w~dxIB;%JEdpFhiVMQ9t)HVoG zN-1cq2_E;}o7lJfWq3&{VZyz3)~h~tQf1q(>=&}X{zF$aySV>Pg82Zez!#R%1p}&a zxt=(@a|@q9w(8x5zYZ`WaYP>W4diBHoB7wYJ^l&+AG^0|L_anxZJ+QaefV>5`rmL@ z-}olUAF<3b-mW5afBioF^Hd*UrlCFC+4c9;=@*2&?$nxcHaNw~ye;it@BiTG9n7HbTq>Km zpLiJ0hR~X>J}D*I?^lN;QDUD#C168)_S*|=H#4r6>2KxVgQVi?Nk6m9JYI1xeG|0i z=pXC4T;;1V-TSQjj2xT&21gu79}tp%9jc1!317&$c=r0@u5c%lYqKej!tq}!g-EFM z&HN4iGR9$|Nyo##Chx6CJo|=mnNnDsz}s(?B^C9AFgCy0cM_4ytXA6L4x|x54i1iV zyZ$^vUR&swply26vR@wf`GrvW^*H|Yj~_2Fow|H(ZD~l(p=}BKF}a0Z+*N7F zg=c70dGTFEh2m(}#-f^v0NGNhL_pDPc5kUn&0bTfT!7|>vP9|T;t$t-*CK%u9@!^G z!?ZMb&k^^#Tq-_p!!r=faq2U+ZptAf$Gy{`nVMVwWwepoXa1MMesuw%{tM{%MpQ9Riv1n5**5A~7DqiZT$m0i9Ue1028!eLzgEm8% zi4RVNERND;cmu;(D{X_bsp3uD|(h^@i(A-Cqj~ zCIZhfQV}V1>uzLG;C7bN!f2^<=u*UETT+aa9*!f2P$LJAO?&mDIU-5P)1hoUf~WqI 
zO^*fJUVOgaS-{jNYNsg5&~}G?4QqwUd{0Q=qNTv|bP2V6`z_9O*wgeXiyHP&ut)&IfZG06S4%C@ zDcS#c0Q*IDegkh^NgeqvOKb+_66!7TVT#9!k%ljobxzKY2z&1bR6g}K{9Pqsoitx* zmf`tDeCe`*)M0Zw`^`L#(e{(7sm}$``=M;9w{ZZ{Fs@!cq8vX{Yd(&ZfEh|v=eCpp6OewJAMwojDKaKm`#_mp43Y(%zg8Qc}Qx~;(tK5;8Mg| z?@({I$Ex8EYeANviAo<>b)R;j@CVrXAYRrN=NlMP5R`O%zPJX^T-2J%jLZrh20B zK*I$?BRYnmLKhbz|3J^RG2F#^U~*8lPRskFn>Cz{qHc(^VcpN2-{%(zu}aHN>tq+~ z*l$YjDlS=8xRgv4!fn~R*;9-3s1O*%nSc@=b<(3-Se4+MoBNizQk*d(Oq|(& z(x8g{HC=4*L+7kwsk6ZT%!>9FOUY#Qqe0i4PH&x0;WIP-2!Y`Q3|xYyg8`?q_p{|c z=o#OK2%lz-bpFF{$eG!N;jmtBD7#u!Fii}E^x%VR%H1J~xr z60dnw^rAguh;;};!&$?&uN!kZd8nvF0ueR>ue2Vy`xLz~yfM@C57+opYI&arsVWc! z4-@~u5gtC#IT21+nX#JT|nE67cF1-4J@3ZZR$H8AX>mAN8+^zLJbX#>n05fo4X>z_ues9 zAxJ7d|yA#iD7b9+EFRBT;ov)j#HB9>3JKKo9xTvUZ$Hg$G z=|r5s^xjljI$^3bOg!FnatS$f>qFzeisqj}MAH3w!l??DQ?|1ohW|=;zV;-EP5ryd z{{N|5JW^dtXAKW!Rh9Pxq!r8ls@nc)Fq!%9`p8QKpgq;U5Yp7Z1?)mBy8P4|gZh;g z0Rh0Ka}tz(eHLzLjlZC2Wo3nsKNk;EWu0t^W2L5JY2R7=Khz+Obii6i0QoMw10~l2 zBZMF2jDQGbps=;%^q;+z5C+(LD_Wo@&4Vd6Nzz;cQoyEXu0fL0nSTjY^y>hFM&OG- znBi0*NUEKxtPstsaEYQWrEfxll}%Pk!dCgq|3k1kex1)9K08|Nn`2!q`E~xqIQr4kw zb07^dHb#OQM;vDjl;`zd`Xx-pjB zE%q{-*ALy8y?#jdhg2AhvmxUcMMd+T<0SPL_=XpwT==D*MR zr?DTbPw`-Vyi!-aD?OI#zlf&sQY%wA=2UhmF60*2_U04-j0{P!TweXDIa{R3IEagH zXR2Yxcwwmg_I9?+hs&JJ!5FdPP0Pe3$RX2LVl7EetxV$0aIZm*qJOY(UDQ`PWCo~t z`N?SMiM1KJ?e>GPnK(#?;`C3;#Al+ZT<`BhvI_7|cc3^M959bW&?seZ7j!c6N>yI* zvmdO%0_64zwe(~(5j}Wh2F5;>tKIka76cr7h}!VkX6b~@B6zgUFuz_ zDh*nqDJK$7W^WlCY*5v~2FW@#9=jeE%csqOK4k1)zJ2Y+AAkQ9H<;=?VSWd6%sBQ9}ip}Ds{Xsp=K9Ixiq%mKzS8=>J&4V zz#zlWLobh&%(O_3G63JAkA94?u%3M7@dcsNhXXpsQ2p18ZhTH!m-lBgm*e=XEzm`7 z8GD+$^!<_-&UnU`I95lfOu-prl&zO`AjT3%O-pILL37`b_foK5;}qw!H&t{GmVBTW zVv+RS^u@-{<#mp9Zr5W!CXU6lI#B)G?wb++ZE2{K)c~XYEZ+_gKr1pBBI^9R5BD8- z5j28EIs~DGOliJ=z7kt*zvcN;Z|m@qX?lBobS%7FSy%N!*-5<8PMHQ-x<}MBLn(PT zbzr@*rJ=gqcSLo2_TA*CFYxCdJ>(9HaJ#EM1fQ+pEx0GxQI_zc={dh47Iub7%;*qhr5=nR__{QXqnv=cJ;?qS0D>`ltOc zc3pbS2&QKSKzd=YMec3A&}4ZwR8X@Sa^&cQ&s4EM{2;^^Rm`q@h9X05e@BQ!5_@g2$St}~r6 
zy5zzo7igdH=rQTjs6F1vC)-?suWqzt}lkmv39}NFg-8`-sBv zK-I2beK zj8$7*xe7F3v|_4ECacO?cl(lI5`F2`Fk6_kjA9yJADvmTtznXsre>ad8kf2=oUc$kZS$a!p47Fu+26U|C3{g8u-oJi!1G$rn$)MOcN=VY& zG)>iiVr_|L7ykZuh=BX|-y=rtqm5~eR#BU33jrLgAw;OR^D9-j%^kOn8%wIMJ)T3} zs$%An6#V3fS6y8>$m1 zQ&w}6F_^u#4WP3oLI^v|u=C*K@?D#8Qo|`i?vYOCXI6Cd^$NO$2rqzs?t9|7xhbh(t4t}s z9AYplCAV3&3Q)GQ2qHI5FJdZC>+THx#s*v84fMp`=iIB8(I7ZaHirZIN@KTg>zngZ z@C%V+xB*F}!@YPAOI=lFna^z<5pMyJaxTF!<%6Ww`fx?u~;7g+1 zI!69rxpcO=jp1_F$+cSe_2Wz(Nm9bJ<5_5zn@kb(Rc+2W4`E{lvmGZ|t0dqt{Gb&@ zSRIMQv*P6XLPY4h2Cq#`HVEuFDJM8<3)9aKEC4lTzBE{D{`HTm=8FS`&L<;Xc!q^3 z%hRMJJ62Fi$2(Env>x~#C;*1zOuBfwoZT5fBTDD3ba;eaH71{<3(M4wYj^uX^GG{U zd$xmYF>A`pm0NdWmudd3i<%uzyeLM=x{sE&RFV{FDU{|K8+y@N()N3HSwLBuJ0)gD zDFrqo->5zGG;}9l~)w zz>_8!5EEaj%&5|QX>UkgRc&c^t77}Lq`b5ADm6l)b0eXyAw1=qw3 z;yo7!r0$3niOX<|hRKGNg~Tpv=kq{z91+pl7XLCEo_|&mq0LOkAzLvw(5D!k zGES-+`EJi;wLJ8N5bjiKywu~mT;n1OHeI%cH=SXV#^mlwyY#zoc%wR1*l1PYyK6B~ z1U>?a`pC_GFrA#Fd&s~l-s4^FkDsuS`k+^gkhn4*6r!IS9E@{o&G1-##gP-I_{QG3}U7gyey|lYKzRzA%DFijY0MsU~2=*{(QuE=Plx11~ zzOMuR_;W=**TCOgjm3A!3}y@kNK6%=!JQRXPkcM>mF7K-l#-tV6JhRy&cW-NZ-&Tv zT<)L?Hm|2Ly!Dd6ZX*Usxl1M{<<5gPj!tk0G_lhrdppJ{Oeb+EuB2Xi@eo9cdPc+B!@nmUQ|2RTBS#V9>U`6`q z5$WTf`c|;zOI@h{*^z$WIY+=gQLB`7|D7l-{*BBa8>_N0P`2mf?(TkHAR($2_$|0=FK;o2{%FQ@@-)x4i3#^!twhS>b*-ptkd}Vcg36C6L-m9?%pa*vn6gU4YhEe zzZS>O2f@WSQ>LdDZ)rolI>F$0(&XLf=07=%4_NAd`(ooUnk))u@@87$ZMnT2Zf)8) zodPMak47VqJyREWSeypTBdwM-nKi@D^u9X3hI#c7SY`|BRqcG^C1?}b{6K-OXtKWZ zA~{rD|6;KERnq5|!VQptEL!lw-MnaO?+6yYQ`Su5m1h?YAXf1a2qt7)(%=y2={^3W z3pfXI?-j#zE34fX`nVoQc5I!`LLY~?l=r&N?K{RbG`+rD*4F0iBDa$}y5K&mm7jg0 zTY1tH5M~3PYz%fTBJ72yp5cC{a)`AA+`==1cLoeKAcN%}ht?TDJww{`k;(%~8uvYd zL`?XEkzA5(m6T<38g>zh!Mvsj*9%`UCI}VzOctltQ&m zp(tQNH1BEh!*YSWhy^e~aYCoe<T7~r}o7c#w1b1VGI)m94#jG-{c7I4;U5EM;xs$BsJkjWd>Os9P%>Kj5 zn2JhM6%YDZ(_76*7H38`TAIQ|>d*pGqPjX$x5d2M-YD}yFB5BmW*;p5?=qf?g)I@f zDT+<*71(UySp>`#Gl-b~0Z?Vrx)GL2&gd~;B)`w&`g^j86l#DH$7u|G7JPt*Fk{^g%O*8O0v8y=|>`Rm8Ck>GdRyL<@#q^{r*e|jK5_f(zxf4 
zAN8gq9dGv8-;dl9lm|e)ot$a0na=8e4x*{XKlSJy1(YCDk#$!rwJLpsu>|@DYc~Dn z0E}`^nJ6hjr8%Zk+xlsW<`A62U_|F!Z3PyZdO5~&@j6F78YGu8!;WEZYWK9QRz4g% z9Llo8m!0X%`;dWJmE0-vR=;`WHQ|zmLk&6Uls}-|od*MHxmE%b5+0T?Q?2IuQ%I#Z z6i~zw1Q{O-d(w*aus-j4(&m>TM)F1cTssn$5E~fUS8`Rb;d>7-sXoWC_pKxDJqYBq zwZCXpD-~3{3%2#7rNo+G;O_Izcz;PqqC+n2a{|#=8n%Kp+;nrq-f5 zeH53l%lyDvJqs8BrmCWi^b+-Kooryh=78`c5XVnKEYh`Tu44@+LQhOtf$8K}V4Csf zt*NJ(8o)5Xwhhjk(7kr9LKJ+1Qlo3QQ~xyJT$4g6N5-)2lp9wpsQ6P)emtxj#E~Q* zTO_SJ(MCUX)~7)M1_sUr&op4XbG`>fr@d6BI8K6AI3t(=?o%{+k(%oxzi=@}!qvAQ z=igh&M%5&oF*cYT`_H{z&vcZUeJ?wGNDITNi6T3wqytcyGSEG3wMDd843vq7P90P zx)|DW)!W1BAv_~L#8_1DWTZkSKri38NCeo2g@K!7xXQ4lpX0EC(-q~N zThIt)S%IjbWH7;Fes}i%{`>WC=}viJaDGOFb~JZHCsWek zk%2;Ar6*w^-66|+{Ev@u=V!P-K@__D5nvQ|)dVB=^oG9BxY1>opP#*U%(udF?a#>Y z;u*q5K#<4wq_3u2p|61s1cCA-FBmn~^MMgciHr$K^IPM`oDlhp*tY9CY6W|u*nkv? zFF>`ntxUGGVD&!`#reQ9}iuHxk^SnJYZlBZZe4 z(j;ihq#86%3CcK*R!M@3_ zKLM;sJ9;$)e}3UZ*7|_41hN}tGl%`zBz-wV z0bc`-yaq=NBBW42t`ptF&Wn<0x&r$?Rp`EHg;UH4@qCJT#$@EYLr%5PruX`MZ{bIm zFR#uPR-oqEv82-%tvW_>ce4wKzE*2e%?VWZlPy0aZiv?pPAcq2(B2)4+DfLkA) z!yG%0Wz$=KIb5Un%|#SYFpQu%G6R-`5o&CIwupn%9ah1%4>7ff!G}3z+4Gn`p4X!0 zANFl!NLPZMsU+8+ILz{4M>E^im6bbur{SfG9Y|3+Vh%zLw5fvk4}bq_i-0FegH$*U}U zijDJPih0ac&slLrpx>3rD&d9zyAlQgN~{fYwIM92I0y-o_gJ6(+F%*~y_wYRoLW03 zpP-HessV(felwJx;R4)?rwucuvK@k81@=t0l+Kmk!sUWxYX;2B_xw`o&#@#GA^P0#8$q_#BA$ujAt#y1!}CDqt=jnr|ckj2?tP0Geu= zVlYxd2fO>-RWPFPx`Pyc4|dND)>E!Mrp4C!sTNd{Zk>3!-dbry`+(YRF<*C699~Xn z4ESv(2wot!%qJS3IoE3TZRlekYDFlxPB+R#eh`mmq@#vp{4)6kdX6zBeXSWGb`kBT z@e}A!$#9>(gRU+{IljWdK}7&5)g&W}EjtA$U#2Q-nFX^htbj7N&>~VgLB%9V_AWxh zX($bqV?h5-n)@IFKd71U$7utidE~@t?P%-)YHH=|9m{P~10d1paHpU$LS$SyT&97c zK2B}V>!3;4UZrg1*zbipy(dzdb9;1pB@B`cjIT!i`i?cQye_?2+2?8_Bq+bT)-x#> z38a-sfP|ZFf{RAb!9FbdnA_URK_8<8vOsy?1B}i{)hgifcgTCG}@1Ph74hWv2CP1e{qORxEB58+eD=)9e zNkS^YKrl=J6PxL?Ol)B78h!xd1iY0|^B`V39}V)MzG)`murJfFr3ebDtTtbfy2sq%}({)@Xm~ID-kAA*C|>$_O! 
zd?>nT6vAfuBa|BY{^qzyN{O~{=l7{w2^XLB>S)_^UQUA!GLDP(n1U3{jMNS2lUo7| z*y4co77~gB z5uXajO43t$1jSN{Z94V@BO~U!KF`r#kWr6A#j@@Bn(-%z>t2+y#!1P=FWEON6kVxwVC6Gla(@3Z=^MJ!2v&nEdEI$0L@#URq8`+X zH$hvTfN$nnDS}q&^i4~&Y5i6azwlhGk!r}~#n5LTmlNR?@|zZ8w;(x7;iS5J(fku& z#ZUE>8h9bN15~Kb2b5JjI3J<)>ic7wQSCadq;lxkPgAA$>h!>zB52~>U|29ZqC0C7 z?zv@A(7r{Sd;~_P6+%n5iERadyGC0ofUIo?drDVh&8oCmP{vEu)-GAZD7_qX z1x+xca-kJO9E`a)UqXXR4yWO@updy7`xP6!Z?dbpoB$-;Q5~gq;?;&K`L)OCq;jgtTCX)itQw z9;|3h)h+e7g@IP%o8(YhX2$0y#iIDK!$#pmaiao3CVu6C^D@O|+m#A?q{#-LDp^=7 zjq?UxXs3BND^{G_^qjM$Ye1@n_q8|fj5B}BB?f@96Zm2E$jr#~I%ImJ8?)Ls9OOmpW@}b867$$ zX&UH|?P%gUmsUrEvk%A^$czl;X?>T^LXnNDO0-!kyX~Gb)Tg%gftv$zNu0dUyxR$3 zPB&GWhY4R_>Ym)jsY?K+=N@yOeyGc2Cysy_RW|%olX{ zc-ZL9$Qm#X^Ex*kL&m-QekrLYiTfnzg!-0jF4B)9EL#AIYXIWN#FZA1OfAO#@+Ac^ z)O^s)$#DUSlU923vwX==D%?!8b->i0xnjPw4C&WUGoOD84iffZbKI{mJr!KT*ggTo zbzx7HBfiF&5wY)((bwYE1a~<8!1%*?Y#}KR(VPZ?2ZDl-SR_BmN-b#Jk<8&Z>Gz`U ziSBc8a8Ya$1nA+k09=G5&pY%z#8|$bbGe&qbj)$G=C!Wk`8y#d;~y$M0l9?bh2WZq zm*vR#2_JH)aIskI41@_ne+P+>5g`u_I&Dh$H~5S(MQbmFLc9*`IG>V-n-dBuo_|0F za(#wBG$LPo1hTz3uy_`(zM5;F`wU8qjDQj#4NJ}WZYW6`3czk5JJH2sSdawSf%|)f zr`x+tTIr;{B(0o5y}3k4%xE6lc`1mld!ZeuYF-~Ee^!xNM4_)hnWdm14KM_It2b#4T=I;;=tk)BK||3$l{rd8vA8|@%i{oA(|6$$`tG;hc3l3R z+xvNN1U?0hkIQ=8WZ}MaW;C!{oz80cUGbX+vf1b4p#TKc!)u2SbPq?mAa)v(!Waum zk{*-~}KxSK>E7-(`*lBz!gRODuPtX};-{pk|Ip z|MFTiGAb%cp8oZu{sU>o_-(S;KR>YJe|i8x=3s#0acs$1zcX(#zQqNhbXzWSOo1r2 z%z6Y$n+qyx`^u8U$*JK0jM9{2G*(ws7tN(9gK5t)Kr!~@wtV_D{RzhgnDKZMGB=Hk z@5W*o?LLDj`bD{piR}~e(HIKjd)IQXt8fO07z_|A*YXw|PrP=%z9V=Hh$k>zv5>|ztjViZ|9TnPE~x?6l_l}>eoLHyz)2v|WTBue zMTfWm{|{u?mm&#PwGUdGr&i+MvSl%GDbgKQZj(uQy!R{8U zbYu0$qX<^j{4gEkp--93CAjVb&R?c@H&P(LivrW`jWN|f!t&7~#DPOSnqNiHZJ|#r z^_@%V%XL!1x9=OAjQ_(D{`w@8{B+I82#75Tv~Ev22A!SFO2}YL9HIlnb7(8b^^#sC zc2qqsjS>*nSt%a(m@2RXe>5cTvuFH%B()_d%Ef2@=*y)pXnSW~Bd-{3q6pztm{WOJ z^yt3EBl4N_7xUS^audc)L7kZUNE2wGs1>)oFlqFnU_JGx3GwCYC|gF~1_j>E01-Q7!jU^Nf3pfu7JI4TH0*o3fy^arp@N z5$pC+w5~=38$i6?_;GcwKG|1qI75hiBtM0u{{G-cw{UJ 
zMAi_ByWm`l_3;-`T%mU$jH%WSN?!Z$wO5QsW=@BVwBMO~y$N^O@# zm;Omd&qD}Z|3Z3C?Cp@8Dt29Yp@>+TQFukr{4ylj!IBJg6*2|;m+!2+qefzX0r8M8 zLBfnbiw~e88!maLhgB*714Yr{WiBGsgBrC@v!uR)UzFEdhTMYS00a|GK@D+b7BcY- z`nT}=K0zOT=8F6icb$Yf%{?|D8oRvX9z_X4yf^paRE&t3HbiNZ% z8h5uP-RHl1Da~{+4XzFwLs-ury0Ny0bJN>T#KN(XF~S@p@PSLrVs*kj$W73z(OwhJ z?s&cLl^QyfF1K((MCb?7jWj;oCSt zH1@09lL5A_axA^ING6!Xy;7k^easy!mZpzy5fTBHF~`H-qRw|}v6tsFkqIl1 z3t(C`BjH+>BOrCqRzWu%_e7BPK`iEdJ?%cx8QH}_lAZPEI-_f-L|Lj+I5~Dq$3bTX-6Rw zsx{jAT5j3dpbS@WI{|&WF+xn#IgHXY!3ClcfNbD=C?ZrM<5#`5aM+bx@{;Gv4E?5+ z7*~e`FG1pif`{t7YjpKQZfQgqz!XjZL_IpVb^L3NzihD4lUUrOnO0ZcEKtO8QEz-z^V4tE1~foYouvK=j- zW!AUaN(2%PblSY$bPwVQU;+TRXMDVN`^M7|P|5}rWWnPMxK4j_zP3(pcN7|J^H9U! zNdxca-dvzX6h!P0#~UUu(u@(}u_V4|p?Ene0_c)0b@wiQeOVlHCcXl=UsO7S>VEyk zbnh(v%s#qJ`o;^_fG#A2RVa^Zf!)gG0Rbu6Y;%m^I71nhh^YQak}PX!JR`;xq$4xEUgcnXyZo#@*O~^T+`n=-7Yj{t`!ClJa$-eM4@P!EzC8qE9h?L zzQUc(WSI*>)I=mq9(~{RDj#m<{=Xg>7m;ka7} z(HqncBze>Is!}<(5U2h!Bj$W z%n3aF#921`pvu9XKtc2B%GvACgNh*f=zDkWTq$5zAc-Fm1dMidIONCE4U1sExz+!Y zs{&iYb^q((HaL2C8K0XGVIgJ`D+C;KU~G7`_uTa&Ez9pq;QT}Xap(yL%CRmggadXcCN!i#CA*&>Lc|E$0yzPCu84Drs^absS&;1Mf@=_0KIyZn z-PCpQh<53hi${QEDXIr`%k~mNVZ8EX@I&z>A*~Kq5b~5sLp=)8Z;Ng^cQ*gJd9kSR z)C6EYvy0ZCW_bj%V89DzZ~W2lEcR@OydWCJ_is;So4H#M!q! zZ-Q(gB39$|5O0|f_N=5}G~s5ACeV$}$gs>j2K|x=Opj53va7L5h=F|XK$;C(9;s}x z6z3Q}*w^nK(7qlCfA~TYRlJ@Za`q>NS^yHygyegeJwR5xy?r&@b{Uc+&u?M5?iC?) 
zn5uhx){Ns`W?%%->57G5=74Tu^73clxacAs$oB`;&eR^~4Aj_$`{)%ZI-OPPQh_`(q9O|J$F(*+t z(DR&ddry#=v>`x|exCB1+sWUtvY>?;N!6Y5p_$Ax&at@K%NjolhS-?EA?>T}cok`0 zBjz*MV#yvF!>15s+=2pHfRIlV*8c%Xcu%nnLR4uBt z|1yUl-!Hho!I6c*5!ey9RE|Ab}+l>nhd|!38SRq!$4-brGR-+PHwmj{% zb%J=PY#)BfL^ZAKJYFBZV$`9n{-mM&(E*<;1Nl<1O>7oL;&KZ-JufwTx#RO~D%3E3 zm~X-7_vxEKIpN?@gl$!dKD3A$2Tdsw3NXn2_%2RWai?p4M{j!a3|6LaS#G=)SQq$$ zgtd-@xHdp_To5{~D6tl$NzoQSiLuzL zK)!K$3U;Aj6BwsWHpr4P&k#N$PDv}Lo} zyKm9D`mRApk<+^$v;K?Y9Q}79~tLE%aG}UeR<-6=caszd}JJ!(yyIH z+`)i3yy-jagC2qkcP}nh(D1;!u6s%HG`n#|*5J-;T`IU}i!03M!)Pm*SZF`%cCvmn zzIs`qpM#qKPWFHpNL*aZ2JN)NZz9(rS{_h82|}`djqW3#PVaV|FM&57^S2!DsWJUl zWZ^&JQq&P4Lfe7-E^f>M-GErk#O~5nnTxDfrb8gve3{4@qf1fVSqD3y@fILp_U#4D zb!P;I)%7mf2k4!ILQjK_bc810FGU6TeXKCJ50sTtBffs={omTGJK;jcS<2^bB;6YR z@SxQ>@{hpa?fj}2xI@`V##$NGO%mM65U*{Tb#?tUpouJe#2H0EA+A{lD6pWthy0j8 zr@6cGAGrz8Qv@qBRZ0DFx-}^sk@(cDo0I$jpaC%x5RE=C0k6Gr<3{Jw#|^R6lO^{V z6ATgs`Es_p#$pa3XpCW;1Qi_-nt*CZe#Sy9X8m$+UMSMLY?L=20uloS zHaTC~a04JG{{f`mbc`{54!TBVKOk@{JMw*P#yA^u9_yD=kv0Y@B7I1_%^f(X4GKHr zG%(I$1yFgy!U$Jzk&9%;1ca%=->DWV%&2uKnRBN@?=MgY7%mR);m5DiGsSO};< zXzz&tZripdHUdizeODRiw1m^A7oskdgFdB_|B*{pF^A|c8=!AQO*I02qXLHt`G(rv z6Lf>5!W3_Scl*c~(MPU$}0tKf54)0?72qewwRJ8AiSU;K!MB4K`-vqcM9W$S&5 zmsl4iB%B3`3_yptZ+Dk}?9yb<%K&%)EL+Vo$AZxFGH_prKkk>v@k}7_y=~>77EFvI zc$LrLd$_g;&=Wqpt~i#vu4*K60>yF`FxzZ?Z}sHe1dJ@^C)F#U-bJb$(yz#P)9Zc! zV*QPbGJ0F}$PfcR(0sAsYzwe!D4TM*+a>gwRSi3Lyu^6S0um!9T zr~LLp4H#p=s14#$e13AJrTFWQYpv=zpy^LG=IcRS z_K_#oD1P!4$^zLOQU0Jc8v7BX1r?HI0buu+lGE58wThl)x=RG$N4F`_2 z8AzM;;G**yG?E4tf)J6XzYLM(rZB_kL9qEZlgga`I2FmHvcav3Obtw!4QUz&0()%Wa(40Bg_jyu)ru6ex@cn2K(fR zOZQvj6@erZNd1%Zx8;Am)Gd(C_Ood8v;%!6syJS^$T$IeRve(<*czy!umz>Ag~02! 
ztQKgbukvK-{8W0d-)N180=bYm?!{j}sk#$IKfV2$74#3~7DI==sfzlTl|f5{c=DS4 zS*BJsMzKqP2$N8vANpX6R`d=5LTn!n8R9hXSWP_KSid1DfeS7LAN4a6+7Qt{m@bez z&(A_e4|mDfxD*_STd1SY5|x3kDuZus-64}r(xzJi_jr;HOiw+C+kGXX=z|79kCUXq{6 zmQSp%zeS2?*@cWSZ2gBFedt21Sw4W{)#r0**l~U!5_Y8OJh|fObotKYS4eSbaj+Qn zp+M(m^WN6S9q1p|o{cK|NX9|;o(8leW%qylVBb4Y)l`TLfxxA7B{bXR2U9!boXAk2 z$Qb9r>@rwo5xf@%AjSXf9ewk3EgDPK(5fgCIx2z3>I@5FhgBou$pK&h3 z^Kt?vf_$uh0C>G~^cGsfO(eR6cVe#rK&aIQ)Fd!5rWzRKcxX;joF)vK{Zdhv`S~83 zw>uu+{)Hch5{g}z&^B)4q(RScx2pZ`0ltdN%!Ww7m`@%w@%KpeaT{OD_X8^st>|F} zN-f?fV*R~qc1v>qA3KKiYBWIWIWri7z4QL_*L`^WVjkK(f*n|XCpsVFTI0!{Xd0NW zK!ns+hycoacj$R_x!#R;q;P$J#aG{>@~P_W7gmUB#=}<_n~G039Jn%w$b2t3n#=I- z)38@b%sR^hnfgH*H7C!0!4KoRgHHcNso9o@8c%espsQ%82jX(C`k3=!ANkO~4Ht^g55GHeBvJ&v-Rg4h)Ko_0L6yW z1m5<)D+gLU_o?-_XB#qBgRz@#Wt^rQ*sX9Nx^C22Sou(33!vry{)GSh%k}S&UwB&n z128wq5Dm2n5Z2J0tD|!xz*hka&!cI2PqqZ^aT*G~==$nc{4yIFbn1^gC`ET3y5~Sa zxLGA-bna2Hvs#gu6&R&T&aY|fcJ02{_TX-JnKJl26rm$!tzhtz^x>|JfibvMAOTK3 z|2wiUC_qtcFJEhjk)8MxKApIgv+%;G;MpHG^+rl}<;w$mUI|J~lEo+?FjTst3eAoI zCe`RW3vq{T+%^OTCZ67`W_PF)x@{p|h&SDNzexfJs${C9Yt5? z@-0<%eC8-)#^*RuW~b4vQp`=Rf0LQjn}wSMvnSKUq*kd=*_|=aBTb@W3v5dBQzW=$ z%8t~T@&dab*0y@n$>1=cVp$p4mw`f@LSqiOK^J@ z<3gwGfTioc!_i0`dFBlT@`#28+h?^Us@do>Ab<^dV*dGEjw{SfN9`nvmnseZBuidx z109y#pG&}bo=uxFX|*(7iNHV{>o1Y#X)1_JzwN_Tf7;#H!P)*7u%5;5I0GTMBeWGv z9~y95GB+}frr!oOeAQ^drE}Hi=nLcvWDj;hYiIi-tGSpTp&0;($<`ub2VsN?x^AF{ zPlk$tjwf#6B~479x5{kL$S~HntyiQb2p=Cu&Yt2% z7NLpctG%Mruc84|{_)>kq$glX0&q2@_#Kr&_6*Nhx1$hp{ zxY)i^bPWOJ*gn1c@#SeO=x>TW@^NmU@t6i<eA};AA^0#qvh9-8!r|P|zuzFE zV+Bus<(zl1uth$)#V2K)4s1NTMs6pA{}Jjq zD5y?T+x!mN?tF_cugf8h0kRf@l!Y5=0HRvp-4;Yum-A zE@3qD>`|8PXGp~z#t!Z3FwQt0IX0;2Jxsb4oZy!G&u5VVCI9`%!Hs<>?dST}&;&86 z6IGlH%2ocupCEAJwAu$iGO?r{JA3Iufyw}$fZIYh&aQy~?bfmy!IkRRuyBVIA@*@$l|F$E)42H|Xzp2)!J$*V&6_?6;z)1A_2<6W*A7){fk$&L=0H4)ew)0( zWiI#rAj5~Jcw!;jmV>Igf#BeSZHg6pb11F^IqhiZkv^S0D6}?~1NsQpbAl=9k};;v zhrH6PpI_lz=z{z*O)Enn4h1O;?y=YS$1}r>O&Pk;5j$%^-bg)Ftg*lC8MVi;px;G; zZLP$@gM@pCfOFsH4??|w3GlksY{b<^x!g~@N-Zz4OQ^S7{0nTVkXC! 
z5=C+*Vl@`N(sTapt%yAM6{yQP47!0>f!CKUBHo-tO)FLTdyiifVbrBSGp#`^mkt^V z`dmDF>>rh#bu8F#25%219*F;eg%?7Y5k11#r8#*0&#!BkQ}+wKCCD3kW-@G{HMb03 zJ-edrPBE6d-KdJ4YB?Vc!LKzfmEWFur3zpRZUU^UJ*5;E4Up^ng;P#nPck}pYD9Wh z7+(doGh*-Q;isUn7>NNNNH5j`riK&ifXER#2RcvpWK6|zVrkt=W4KH9K;pOuv!( zuxTsaa^7TasbK=JysZKJ_oP#~N{-wtv(4D52X|4~r;CERftd!^Qh!7sW2$WoWbaJ_5i3kUUKL!3vGjUo2&u;LZLu9wQ}59QlaMof-%2O zl{Zvyx}u$#XxrBb;EV-!B&Tl#tcI59{(8Wx*%B?cPzam(ggI4RP=(XhunnFs*thK~ zrC~=3Pg@;}aQzF(hNfc{cCWfV0|34HO#OEY;7tSFdQj*ATyRb$Z!c;g4?1d@y|-_H z>X(B-1Yl(v8?CBwIS^KS3bZcOSJW~j8U?^~4&*`uImc+uzkJ4L>2j^W$m)9sm(aai zxe?pmFRt6!2{FWQ_*stc&vUg{a0WxlIT`aq*6r`p0sut*wq#7n4 zMF3nsD==vAcrir}uBHdq{}NQBQ;o;f0V1o~!6E(pmJl*)9EPhORrQbRQY3LXp{R$T~a*a=BLo=nmdm{mVQ>FD@ zTvtX3blVPqKXU+=TII*AIN?Jp|B$d5eW8HB@yT3+X66#_$uw#`?PfrWM_$layKbr~ zRe3`7@Pm)qJjrkn67W3(!aZ{#0%C&%6$Mx)BMz*4*xC$aFpJdj*1BZRMi6}*cT3L$ z6c|vlh=S&;XF}mr&?JxRP#)`o1Q8yiWY;tE}@%m2oURjNNWPNhs>2 zzi2C!G!ey~C%U&^O6H!}$^x)e>PoFauhz=B58E=S|9Ky z=kLE}z>&UwL?%_H5GMtfq|DmOB2Bfoe%G-+iU@FUSW}iJ-9j4{zx<(~&tNhLHk2#u z-~5b--Xy&kh*cFu@l~f2lKyx*H^NUNTri-*{?aM}c2QDQlT#SbQ(n2EPIJ=Yh?F$c zED=lqN7n5Ffb2_YYkLS8Hm6WZ@pz0uRR?suzBtcg9vlvn-XjX9_F`UjBk4-la^P?vcO)PBbT z_^b_BFe~ctBuhxf;4Pji(qsV#AafI(z5H*_wUbKz9CTQm;&xcL8P4lDzItOn-Q$nh z=e9RpUW|`B&Dc`y>~31_dj!Krp%@5|%mPEJ zAjo1VgKl~QkQHM0Ie@(i+pKCExJSDCI-A>1gz@_1%{@mm)rIBqSciV6=+ZiVS zNv#Mv0~Q@PF8P3;!Kj+=pQA1rh?K^!q-$5&;7TZ7VCvNk23}SW2s44aeIX-Uw^}gS zI0znCv4SEnVo_ksd=Ywuley?q!3rs4_fL-y>Tsr}lB zE`SIzAdfi%+0H^%x}mFCcvc-sD|;L83sbE1iYJBdQ3)S_fod*5m82UsM%-W`{UgxC zGjPnej{?z1+Rzc>n*}-OS0?xk7LGQ6IS6I12|-}3ijGp52o!Hl1AhsgP?fvm4zfQ%img^lHEgms(r~i^Ixq_#xqA ztO)yi&n;tKRnNPq4JEgb;%e~RUE^nC@KHa)Vpv&VwRXI+d+S^otq-r(Kitf6Sbf#Z z6JwUU>M022l-cru7?q@Gka;4z z4AYu`X!`#g%Ej6-_;XP*$r001(MMj{a?4T&rb$`qD^ntS+E56}oQ7Xr>ZB_y2H%kf zc42e7L6nOCj*VwxGpo+jMcsh&P`BDmCoga(e80`k$aSNXMPzIC zFk#lNoV2&=cAZ*wq-?vttm1cxP22Nt{aIQZHIR_^4dA0&ePmXS|ApwsoYe$SOim0{ zcW$Z*O^s;-CkM*j_pl)`5HS+<6S9cdU)2KfvehXbJ%L2=T*{?B%{q0)O^^K z{W3zJ%`4JfZ!Z&vX=bbv0n{8B81Hsqt#4By8{#v~I5i@Q65PLW>;J5;L&5BVf==#Q 
zIw)#WZfsUSQ`+!B|MtYasD#Zi0jV-uk>IuYta_1RNj@Y`EI6h@HWoyrKB%8@-~GE6 zodr@XR(UV+BC$>EF??A#mN0tup0T8#$@@ozWjiTH920XyB~0CRlY&-6?^%z6NFh!v zwYA;hOJZ~@DH3as%$moS=7!|$NceVXh^I8EVe8c2&Pc!32 zdE?*jB5Av`M#3rr2*#I01!vnV=G(O`WXvZO*CD;sD*9g-3l1p4$BQjLg~PYf#r^1V;Eh z=?hh*yC?ppl42KXb#jLZ*ZVy}CZ1X5Rdr7G7Qm=?CkCU%wclLp2bckOZhX%d~o=q1ALl!kuW7??k*L4s4t~IclWr) zUfrzN%UxiB$a^LYgiP+rO<auA?NSiwV9fW0)JKYE6{=4Wauj2F=GXB7 z_%Omv^!D{qD`|P>%r!9IDNj#v*B=eSy>ln-%&f4UwW_>($(^A*b;#h|E+Fwbh9F}X zinZlKRqCYH?}wG)CFrejJMY#bD=T0+d_)8ZJGu?(OhG*H{39>~vw3(i>-+keHROa| zJ;RNJy`PB$R;E?BW{EX^GM*$;d=3->`!^b$v7L5c-_MF=tX%Awy}E_4eg>5<=RV(# z>t~g#pDMI^k+Cjl;R|iYL1uLE#O>hq4?cV`HvGfGIO~F&OByvF>UVte_MQZ2q!d8K zLa{<7Kl0`|JDyHpC!4W$e=`>PEr!zyhJ_$9V>B<CBICIMz9%6 zoZ1`?;j=s&PHV1w;ZmrW(Qb2TvqLg0#*ISYfII+Rc$N1S?Dw7x^nFUDGW7yG-;fq^ z78Q81pV%~+yE>zkIzqPz?FNKnP$o0#c@}w_3L<58!S6{|rq!Z%JXpW>`;o>>pP1Sd z8<>@6?LiqPD+*EgMq!z{;T(^$x~XU6SRI-eUQ;_7Z`_Jq7-ywdDE^p@9|va+zlK|}_8!P!;(=_`cfyC@t6UAM+e}@S zlKb|W)zuFvJ(H9S8!S7|-tQzR@$Ad3hoG1;bXbcl=(#;{$@MI>S%JbR5{|MiQUepm?bzM)xx6}^7W@A-^!swF2>#C+gH znpszg*>1dFTH*Dj;up#`%2+I`Eflngw4~_oo9eHxqo7&+_7}(5jzcjW2|vcjA&XUF z@uMJuX6^Ta!wh1NZD@&_*tNav#`H@2Z<73W1V*ox3eq`rMugSh9sxJTH7uzvp*O>& zBjazDIWIiyF_p14oHi|jIbA0L5?SPd*9vc+FbLym@|3|8f0gjI zd*mO}zHa)Mc=CSp=0wOevVW;@15A&0$~*u+k8{cU{+-g#CX}9sjQtp+;-T9f?!w%?Jgt@CH!Jbr2_tzI+t3500vat#f3jWnwwf0y_b{KvVdyMJ^Cx2~oNC|#>=^?PCbB7IQwchl?0X|7z##l=qubwhHv zjHfF}+zcvd3fjC3tl2Z=CCf&$AEI2+h!ae&XlrI5lJ62VF?yWk!8iJn+6g3eiIOqP zyWYkk_r=slJ$v353oL`)AVM*TLO#rcrBoXMp>@F`#za-@NB=XJ8;4jD-IQt_IgW{S zU6pG(UgYKY;f5!%GD--l;-&*G1m_mZx_=EW00lLu5YrgZZkaTYUL>BRE#f)6DTG=3 zoq-Qe@Lp&Rv#na4ktek-<#n-(gsYItilf`S^ejCEK%xS4E%Uuc_4}a0Enj!vk=`}q zFlF2YXaD&e9JF>G9Uu5*i~;62@mwQ=tmuqCnjZErnpFNwNQAlCIF1zehX?|U;ATbs zT)TgFE>n88HUU4!=ZW6g*x9t4$ zrI&sSMl8hpg@b!^ob?a|@=j-<%clm(^;5ghpCWwOZ%>1(f3umKwV5+NwKd`Bedzik z{L|`g5jl%=cf=@KEp>IiI@0YW0D1S7qeX*k=#2H`)7YD1$>&tf9a`sAOG#-IujqkE5;KRc%4`|F_wf} zd;2R$AHyM}`094Bi%}FFq_7z*+D-+z`m6u&F~E#<$)N=`_$@(T7tOf(tK%!X6PvC0 
zU!d0D)oAXUW{DsK_}mAPB@glVKP^67)5nRn?oL8B*33MO@pHn8LBXvb7)%+?XU{~9 z`>DbPPG$G_b%xKva-Ry3ZY8;01!CaA-FeqhYmgDv`)FFk^7o*v<#9occiz*xU`sxF zgb*gJyh77vDAuZ;iaTfAvIf~i_}j=}Ch(IVMQABlx_fVQl`xep7cH=P-a}^1X46i@ zcBk9TVTrUE^+!Z&yR}!tg+R_)z0r0@=4J5>Db}KftUce*nUEK&&RDx*QzW2b?mGH2 zqcdbsuLTxU)<5KeNH2<3hX?#J*P^lnZ8jvzU*0^8DB2=*L2Ay!ozk-tT5f*5$IZdS zr=(?T*NC7(oS++y!ptj4M2#7bn!f9S*Ts`8~kaj<5;ohgKEtB$!^GxOtmv z;Zc>y1VY&GbKsIKSH(s!_~sGSI@Dp@UCFS_paKwg<*O(kq08isahs|Sk{#qN`kO^G zUV?O?1B2EC6+G_jTV;=S!#2b4-OICExQMX^VvqN7fCw{!r#!w(b8yi)#Tt^(6>G1@ z;NkDZ7Mk@8DcOU?Zf8pbK(}`6guM@3ic>`Df-n&2YgQHjG7AMa5*P z%Xg)*_`wU}RM=}fx*d3;`o(4pVjR}rsr20~txM7xNsjpH z$M(YQ&apeI^+iHsSYP>t!$}0~k(SExS;Rs+a@cUYe%5!z+6{X_SD;@ZE8IoS!-RCW zPEJT8h`soi>E;h*&uQ(%)+k=3cG723vxfiIeiyR?cB?y*znrqImdyw%3(t?i<-Zoq zR(@3bWhNGjKe|Obv9Arm|FxC`F;-DR z;~-nf+tx>?+PvEwh4r8G?5XjX9z1IqVVRJflQpd}@FP@b1tzAJ`inJZ%Afvb!F)4t zX_Dy9k(Xj)y6G8^q+Z<IeP%Ez6^-1H#U&WhkDhN;s-Z)@@mtHw#zaWr-BiV=ZhfIGm6uu8Qivh7+o9? z)n(tT@@nH&ubh*3EB-983MB49seqg9z7DMlxr%fCpglz0gvqC zyo9m+qnZy(lsR@=IvY`pVD@|Tqqy_@i_uzxb$UC4K1Y^t?GS4D_PZ?H(^A*W)9Hmi#nL+?tQ&_v+?? 
zd={9FZ@1IuH1n^7fF7Le$C}go(c$QapPVQOKDb69r^P@?RP}1A_YACjK#iPQQn)I- zbu)b(1jUi4iiN7UzIbp8>tOAeZn>cu1Z&l5i>_o+)jC03m9OyECBK>nXNmsm--6`a zrb3=06!CfPxSx1d)Racb!f9bleVBSU!{bjN15UdcQJ;&cI)~>$#jXY}Bf>vDCb=(* zubEJ%lp}AG!#&?-hZ>ScD6h!dP!b-l%l9YpC=;%II;bhs`Qy2y@~xc?yi$3>rtEm< zqgx}{^nokdtJ}Y%Nru6i_*ad%G1JjLQS}<4KUUH;X1h^(-ZldBSEE>qoVe8I>!U+F zG#{eoa-Wi|U28O`9Nqn&Y1Q|I2(GIF7mbo57K={O`7Ljh&?KejOv4Xj|DG$Scy8N z#V&N7PJJ=y&a)jK3rrZDym7|mmW!8|r0*CbzWP?!w~5FI$u`Wr`K8w3_XiTnQGu-) zEWa(XrtrYCXN)j09;yByNHdEES>U2F58tNx`n=5q&7frJ* zqt+VD8s)&=Q+3X~4DQPqkNLW3rN0e~zxqQg7%dp?RU(mbJCy$34HYHYGTIUEJp1it zd%cD|vr6@~fq=H-1`Wjl316+xmZ^ubZAtI>-?Lj*98)hsfNm=>NRwy4p;4Ls^p8rM!ul35H;Hrv z_w9J4v0B&4GdBOhz=8)!Snmmz5rdX&r(c1<;Bd+(r{=-p6fdUoB?h?WBgC%UM%k@{|jt-$P{#j91PM|_}2xVTL9C5gGDNMA75#4nZe+DJOndZBs z$L*gQ>- z%6llKJf;LWkg@cYYpA>XgdzGswBFjK3OFq2?yQ)0#kbr}vSiqQ>VQIq*xAN`Uq zTIn->`KlW!QDc_JPA#;K%w@X8c%Lz-E{XWI>X|tz><9g!u$V5`#ETPy$Hm^c>6S&DxB3o=v>kswG|5cw$$Q z@g%rm9%Eola?&5@E`a{m!^Tv&KeH*cVlG}>^(0yP)D@3Ybd9FBL%^!P){PN4pTA>L zMw@u>qZ#p2!{M)`S5!d~nnO0^?~MBUpVr?8%$kp#(5CslL*5B_NBJ?Gw`%Cs3gnGI+HC+nEMRuj^R*I6%? 
z@F8KRo*>R*+|>t$(@Fv-yb^_!+P%_ZCwadqU*_p#O`oa{oba>P=YBv*c%Zrq$%4!E z+{106@jseLLq<`PqxP&kOMw9~sRA2zETvmZW%9qJHS~Z!`QxGG2418JFOh#NP) zEU-0ERu8wV_ZeB8`cE-5dc(J!^ek-XX%)6!)%NeCeVd6{6D`7RFU@~vBRsYWy*@4P z^y9Dj@CO3yUA6Ky-Tcjay&7R`YkNK)jQ0*4Q8{`PU0+ia{@88RFWb!i^iVgHc(&Ud zHJH}sl@^r0m+xPo_IP35EO33`=4LE@&8wH#x?mc9vyrFU%J3RIldtHx>Qa!y|E%lx zJD?TmhzE&i#e=-3X{JJV=!{cp(8sm^)~01_OLrZ`HJ-SkO@q&c;HUGh{*jYJJBUb5yEwVp=@BJxR<6ZaQ|K*kkcn0IMpOZ-Q{J--S2DaZ^ffu_;5qj$QBnFI z70VBo!d7WfzoJ^IoxLZ)srp>Lc{X@lFn1Zfx2t;8s%L2-xsBwvDE_G|D1N58C_|kQ zogpbMG#a=BQbCS|0e)+x?s7=~g6NakYVvNcY+{EC`p&lB1}J!EBhy~YHA)L=F!ct> zxgY?7g*Zty=4lc%+|uy~0!+sA+(ssDh$C7U=xfhS+*tKrEE^^HHqqu#|B09-QcfaHob$>NsX{U$PDH}pAmo8#kH&E^tsB&;bo zx3$N{BCc7tthhd=s60jQ1eS*}XWltKFn0K!>Z{91dFjz^wrL!1&7Mbqv=h^T9^1$E z$gP>mxme;mkZ9c7?$4^{9J~f)@Z{8zQQe}39jZe;-RVYqCoN-PjM)nwBQLj)-v`Ea zF5+Fq1McEs7j5l*H4gu-S0*YuE!>MS9WfP=A{us&byjOH6_~xk0LTS!*(uZO1!2Cj zCiVw*P;!lAy~Yiq)@vcUnYHnn>zDD+i47DMFdEie1BC8j#rK$BEeD<+>(i5tHNF`- zVZY01p#A)sZl4}le^#gikzBAg?nAMDdhOo?HVeYlBBs7POVMewuX)ecONKcpN?$>B zbJlTu_5RqYt@^Fx43Gn4RiwLo%ZNb{C)MhcL}RKQnS8-IP&hoqqA_2XeZlsU~qC2H3=d$VD>;9DkE z**WC^|4>Loa2}5CYwll|w2us?KT^P~R-^X9-N=HE!{VpEdwL1lkfQ_er5i z=k+tYWtJprp;}(A+wSHEbJge+9kdJ=k z@3VtF@DN!jq{$H0wDum{ce=DSrYgHXW)5WaC1(JBbzW!24Xv()1qFE1ezJl%d1YYt4R`E{9ot4ZT_s&CGG5!8Qg!> z!bi!X;uZK`R3n(KsRj`w%D}4|(Lg;>`2IrKH}dzIyGI@75#Y;cu3xEh!P#VBUT=>zl6+q2Y+bQhBlqWFHuuuP;`LZ!@uA9Fp}xA9 z${3t#my~>O%rq|srX3*2t}06&HYKR!n$*k$c8c;P`U;AuA}hTPjWY-bipDew;#6nJ zYQS!XrPs|Tvh#ZE!W(P`39_{dX*{U1g;-n$#-tRXL zPAANXjc-TPmtHps^3;Dd#f*Wvdkp6$-tF{71@myks1Da6m{`Qhd{;sp*MqYqKRDaN zjIK{$J1|JQt6sBqdjQadNoumN$w!D&c+N)LS-I9|4P5rfi21&-=L3MVN%Noetv*Xf zx#fmzYOExWd&L@oY~9Yq;C~W{S9x$T&lvpgh06&)0ec)WbcG8H<(e>|L$LNI40hJ- z9cIDfBQAxWwymZ1C^NMNCBDxIRzhu2wH(M{Ninju$a8-4{ZKWjyC*i(MC-z_CQCCG zvL`RxD(mSN4Z@1o&(36`Hsg^D+dLL{(W(v~kE^*-L*Ly42+=&9zBp(bOcj^EXyY%# z&9_U`&03>&F#!FdhV|$8j^pn5Aq$gI76P|LwlauCI+1rYdf?xDf1uOT6cG3*{MvPI z4^wJJQ_3Ncvh`txokQ@Tel)0S%a(#nj#IqHdl1FPieATJet1rZD%z%K8jyFP<5P>$E;up@^3lS4obkK9uaDyUc{ch;3&}Mxhu&* 
zxcIC$mLrzDT%@z((wMNrd3Gf{C+R}$qk`E_Gf@U8Cj;-}RzW-cbpN8A^ej{B7B;c}Qt zc=(ZBMr|u&No{zhK1i-UVe`di(h~2vZ`4+_W;pXN=4c3UPatcItox^boKE$gO?=hv zXoen{obSzuS^O?-&*ZjOp~4#W$dUKYt)WkR1QnjB_(Z9E$taUrm{kl;3bb_kw5|?8 zZVb)%ayK!3y`lcejPEy}#2465DYcyZA9z6##++ffBxjvaWa}ySM0USZzB-sg+9Wy> zt2ZIN9gYxGsjqk=q$wS!*{VeSt%^~2?xB|UApUn-DvR@ozNnc%psjUc#QX@~R?l>x z>_}^eq^|O&FN*Mx98SK?*$flnBXQ??B$70FFt)OP>yubK6B7iT`ztdK9@1nekE5!3 z!aDdZD>yGyh11I@$UoD)R2CXz$c$d#V%+Nygv@Lud1{V-5yQ%YHXU7U~Bme9U8{c*>tV^fPRDp=LD@lJhbA7UeNu*DK&Uf%Aa$HPbj-!zz(7O#egG9Y$9FA~}Fl^{m1kWg~CW z)Ac6lim;A?62&7BSz~mGsZp5zZ@)Bot=|m8p;cXE{x4IQod#n3oXvkoDz8)C-+)P8qj=Cyp-QZ#Uv{V3SrnO*`mtR9cbFc#`hLC{qaE zIOd7A9?|bu&j#JesE#qi4tsU6L%Phk_OQjc6ge5;`lO{gITLgonBD12DO-arO>f<2 zu{^<5(aUy-$CQ^Ta$D^A?SNzE%bqQ3kwqxdzBPKS19yH_ESfuJ{M?Bo8@I}I% z0~gedB+U`_sN;j03N!vA-N?R>j&F_)Xz+D-VsEgZ@v!B2m39;W!%Z~onT7^o=EP3B z@>rAbU{Cy!`IJ0E{UId}14?${rOCZ{e{Dqko7vTFVkUw)cYY-IVIt3b71lXflsie;Uap#fFm&K=JY+ zo$nh{vWg{?W|RcUmVzajhvlWM^PPNl6_18NiJFCb&^@1WvSFZJZRZ0Ol!`E=TgQ9ZI(BRiqZq?KY zx>oRHCWCu+q`|L`G^(l04l5bN&QFIt>Ly8n*W(SztQdiSliz ztpu~jRW`it$xY!-+S4!&B0ue2*p=qzIR&o!o;#4(Qihi3-^3-QwQgXwMqwd*EV}&^ z^X`2>GwAkZ;I%H z^6PbQ*81mg>L|W*raqk?b;W(V)5`kXx%XciCeL2&jQ0fC0#o*_&UlUt%txA-?n9sw znw9b{{GRF3b!)fOpVFh9o|s+z-G%*XO{sR2iEpwL==ddEO5#y<_hE@IM#@Ozq^ccE2`^leU zzG>JWW!a2S_*v^D_Y+|NA;z;aXg>mYD4=!-4>hqfF>cAX(w1eT~aoNXiY} z+bkdiG+BLoEUDV(_ZEJ#@+ZAzT;J2H(h5TL)gm|9_PdMf8awh3ut88l5(CrWpR+L;bWr}z0fkxM}@xbW>pJ1Qn zo4{QN(;ML5qcrrz@mN37^`yCJD~x-F?(5>?X2FdhfV`l~`>2sDvWzO@ewLcCVxi4* zZ{pg(jO7L?X;t7*Kuw+&7z!B{v3N|JQtQW|csMPpe)H*A`j~d84@}PoxoDJUL>z$E zSYCo=RRcXcb{Y*EXW^VU^v&BrGt@NeX|0p@i*}4(L!w; z&;2cVT+DXYmN70DDb5Op6nb~^ob_H&1McN64ggDqe-@-VEvEuE7KVApvKdq1Fl6KK zd%8R-2mMP(M)-c40&@)B_2j?$pez!4nDk*G?5csYhaEpR67Br6nYc*(93J&uL}zO` zc(R8TJ>QuB=83Dwt{LX^p5dS8zm+G%6U+VL9|!=@wQkJ{IqNT+QsWq|wAt!EhC%cp z>vXj2M;MayM{+QQM8ckXO3gGtJa_V!`j+Om=4~B&jMU@m6J(^+%OEf8(N+(abKf&T z`Qh4}v!*$@SA1?hXzNwjO5Iwft7pna%57({e>TJjA)u{gD*-w+w5bNO!Qea&)3Dw8 
z-Q}>0%VD$&C*Su+>!vvYZMoNfiqiX6C|W+bM?UMT26!>5GzA>0`#rC67mQ*&IlN1u zg@{qOhNZ)R0CoTviFf3EXd|sqd*{(EW{fJDo68EW{bjXnQO*-=2(Z2Bwf^3nTUoVB zU~fGNb}}6cw3kbY2>~R>g|_Y@e7q&fesf~e9-$;jqsN!)i-b$A1qYhFYg}?O0dp(& zAcNu}RQ|{l<~%U^9KF6Ugh|xFZvAosWBipC;Q7`_PYMC!258O+6`V4E7EGWDY#K$I zkEB&g6$_qRl)Ud00@{7}T`pcryN()79b6A7Qbwwf$I+(kR?W;v+!cvK?i-lxboVM? z6iJaI7DkN~pL{wRr1dE_H)A%1`E;RhK_+<2XpyK9xbljorihrD4rEQVoHW!CqW7*R zr1NE=W+Kr^VB}&4H;HrfZ*#BzZ7wQEimtj#?SsFGZh;ycn|-`=_4RO469;y5%c5?1 zSOvJWTfVX1`uW~r3GDrYn_6k(_U0hc2JHQRL@|8)Tu3fY%S-hxUW`LO|CnC|t>=#| zCEC*=Jv4p?=0}~k%v%lPlSV>9et;Lm>AS_^1s^*tYZzp2O&l**O1cIbzR|?czdhzV z7@|Hq{U7s!w1>9PY{@@|NT%(UmXEd7>SOz8fU2xFlUh3OyHbRFj*=Ig^>8fZOm-9R zWj)X8-773?r2Xwekh{;n9I^|rD~)U>x3RQC5}Wtw^K{a8q$YP}RnUC;_K8)%z`>BU zgee)!pI|B44{|Qcch|seU`vt*6&LPe!FcrD?^h%5csl>_*@y;0)oBHklgzcj=MudC zkFD>Hr@DXtuegme(;%xtA{m`q0E%boRb-jy|+>*L^w!DMu=>gNm)m-_sHIR z^Sj>F{rP^szsKkCIDg!KbUWw$eqFC?Jg@6|K2t0vohF`hR$y-`?HO+=ch`y066KqB zx`^%~WX-;_w@!kpYYU^q?~$Bs{qEcE(Bnl;v>TDx(Qo4BY4eL<9NzFfaT#TIJ}cIZ zuGwS8i2d2mxSVs?v=i~5f9|S;5JP8qiQordF=g1LV&CL~0eW8ka3f3x!3)n9p@t;R z60(;rWUMpZS=fBDXW3xK2T+LO_SMX1{|00PwSdr&GEZZ$8|MJg=pHH?3y#zslAo22 zTC(wa(kFSRVh;EH^(^;LJ8`ANH1I5n5c2U~h0^Rdg3z~d+a)A+#d}HZ&dJDS`V;0- zheXMgqfeYbHcciT+h2B!osWj8(-8Na8o`NY(o~<@&1sIi#q<{`!hqoAS3lGx8N}5- zHq6?(=IU~4H2D^$nr<@>Y+Qd0BD_=|DZPv0X>4S1X&IEx$mIH69;Jo)ZN)s4j5zVT zi&DzjZ2vkM2;q-mWQCv=iSM(dip4=c;UB z6zKinxnn60Nc(-;X9C_tcU*Cy$ox5d3W%bp$||@Bb|Cj~&WMAQ^}4lRqgX ztfj;zz`Pkukj+pIwT$m!YMdf67BEb!t@jPSB?<(j>CH$jJbnB7U`o)Ru5awl{WDoI z?X2hFSt<7Ia5+PSnf@E)dA<1$+lKA`v3UmfL^EQVplefA_L3U-MazAMvGrlE%i=rz ztM-g*gGLGK?ayR83^?Q>GaK(?qEEjL{DqJn#;2~mtBdMMbuJt7XC8K9@1f&k*mFmw z(JO^s4f~GX@>1qnL#E~#e^19+vr7cuj$V)SjJ|0Z=VP=2-N7OEhg{O~0L7mPvx-|zI%fLwoy%Mi zcfPbA4DE7>5o7Zc4KW&aYG+iAiyjn}&h@Bze8}>h=eUz2JLL!^Jt8dC^L@9}a!m_> zDHxST#%-V5^nd}b;?L-mt;Y&3eiwxozO=qi^-8)w>i>5=Q-{lO^Kx&lPCU>Xz42hk zL6$;lLO`GtbKH5BLFV85WOBi!P6{`Vx!#vO&!|2il$N=GQ8upFf?(8SGi569 z$cum$devj`UnaDbmo%nlB4;0IX>K&GANm=&%-AhEip~n+8Hmb>?TKoN<@o_`7N)45 
zW(BN23A9QprkqprRB0y8s=GnmYHGWuk|(M$^$7>!0*h{=!b|raF>DKvA_1}+64$s- z#A3;L|Neq92TR+Ueut`GDgDpaL!8E-U7)pV<6s|O>Gdyy3%dnPFOIvbbmEr#_v0pn zugX=;KWr@v`&w4MyA8vaqC1v!;-&9<^*_kDW4Eq~cTBKs@2!`!m#uzyT$A>yJLH1h zpSf0uvKf62GWR;nkL3w-?kE?&VO>ZWmqx#ZDn!?ICO3kol0^%ecwic2g3j-&;o!J6L?{)kPV) zmr${NzSX{)>WU13%lpV`sDAWhSyX<^_WMs`A4x|`J$yeCFh8}MHiZV{Z$&CsG)i^G zHAl`;WOw<`U(Cl1+)`0CzHIT9b<&!&jfcQZ7!woY9*3p)rbZ`z-mi%0e0E!`+xzZgFUhSQ0RZTkuy+2PTaXx zWTQgSF@xz!cY51F2Sp?UFQ3caaM$g{iePNOfUS+tE<3B3Ez1wetK2mEFfbF`8N82Y z?pb8COd;X1sGl{tZ)voPvBcfC94Y%mE8bREKDO4|wAW(M8=pV2_lejlLnhv;TJm!_ zo3+OZMsF}ZA9V)+gq!SqdHvdvHbHgo1rIiP?)y`(M;22*NJO}03%D!CKAbG-VuLyU zLdiU_&+U-Gl?9mBT0pVLPt!?sTM{{wuBqD2wN^S5;l=AkC?a@739fexY=z_)l==kMN zDoG;AMkGDi7S1&JLu)I}k4~~~QGFd+{dVmF}XD_@5S& z!pjo9wZzi0m3v+C-Tpl-?k&>|%*d!`>+OrI?%a~()HE07cWxGLJ@%k2nERednss4^ zZTHIsgU(%#!y3~>n&XoDF8ueOZ)6U-M$aGN{jQB8n6z&8fA224YaMiDL+MGpoyQr3 zu=MxnXpJxTJNk#&lXt!YjJtru59;kPIQQ;5zVF&0mx_7H@@4n#(S@)?`J6;tYQcBicOZ@ao|A{@rjU}mtXcLYhjkKc)%dcv) z1=5ThKg@)!hm1e2tC2So1ap9DaogfEny=I0`PMfWLkME3jrWIq9RUv*{C8%PZ?8V< zOBfDRG0x9Av$3-jHI(}W7dvt&UO`Hch2j0&a4xZdW~V_!-H?8vg^4KSJ;Gc|^X{&3 z4@kq!OWQ9*z2k_Vg%$!c(XR5JlV3*YYfr_65Me;@qhxIqLJ#_wyyrI4SL<-1M6HnQ z!L=Hru80w`;|@DgPOLLNMkmi4s(m)^Ht({i*WD--xYq72jqbPd5XY(x$&a!SD=kX3 zT;GW)TeFOIR-0kJq@zq`hXew+JTn2a)lGVXOCe%dyNzQ8o_eT#ikz~k5)wC(UXCJu5kBdp z;-oV>aE%SADZ(z4<1SLfxNoIcDUx(tXl!W(K;Pl{sim-TKTETGELa*vsCHu5?P!zh z^ROieo!jN_P)rGiqf#pXVeW#DH z{78`*cvu`%roDA!f@3r~ey{HG$bB({yuGb) zq$0mYf??}{JAOjSSaYJ~!z8PzuduHefeL^2>Up`-RZou=;NRYIlzk)nMDexaUAdH# z30C)9LS`wHDc*>EJbU*{hT$o_Lk4W}3)T6AaJSuQy%5%$q@ARSzT-3N$e3pW{lSxG zsAtcTzKylb|Hw-5mco@H75Y9=-2|(^{G5xdHl!=Ib@XVDDYf`OZXePc68?cVy5;0~ zhPIAt>CpEOr*D{1ES*AY5AP33o_2)Ufw8>gV68)9x|n&|ET8r84q3)mYf;?Df@SMM ziQxdwc_PEfpi9ZY@4{Yb$q%)-M0mrzBZy*r1*j&R=jz$&8+!_pnIdg z)!c4*qr_0UqEYo@@m8|l&DCb3v7Hmzs28Ur1|v;n-Oo{+t>D^8P>o?QuHvksui_9t zuC}2xSXC|&94J?H7T%HkLX~>)z*c*~@E%1Lg(+72&2n!yj5b#3+oLyH00ESvzc;cxuk6>~uz-2+49}{}&ec)6@=vpL zR1;GX*?2TTX36A$xF3J-SEGsPMCouTsjU-?oW%TK)pd}LLH!@4+0(Y;kSU1-y 
z?Nel(S#@fW+8bS6E>>mk64)N!ikDgc6luR4_XAg9^oZRp3ISZsFan0F!a|%Q|_x15w=W+AxTVlw*P`d(r`MiXHxex^DL} z+MeB#+kvfB(YPDdIr7&y zE2$DL$i!tFlTy@{s*B2$87bmp8kZN`n=Q#mVVY+@ zmvwg7v0=8v%Xq8$U~)xu)C@jR~Yto+?cGFN%N4cTvTOt3#>*HKxHZE&AR|Fvk2 zjD3zAWBfs5Iik09aWdu&`^#x(HhH~^y9_JB%~}f52X|@B>xnue%f%E8lpmawVGzv< zGh62@J%Jmv`$(HVv^l|`|5YN8^bz@Pb*W`$_2hPv^s7DEt+S5oCaA113&-+_o>9qB zw;{c?`jMQt@(=&6nBUMKAqxzP}xZFTUKOOH@ z8Rl&!7rpCIos?kNDsAOY6t-xdVNU;9r|VYssN= zbN#2tb={?Vj?@wY+e+Mf1ly%(^w7hS71!r=fXG!px~9Ca!7S5A|D14O$x%6+vH;9E zEXwrt>8Bkx?>h#W95`UX6+W^Eh&6y|S2rH0T{G^;9_;R^wo@r%goR)Gv5!2dqC5Q# zcf_4*(-XGB^eA7E+;@+CB=w9%tz|r-lGAl<^VafuJuZG9PZ(UT!37gJPMY`DjuVJ{ zwdaE6cVeWrS;Elg1h4qJEp+|D*N+sv|AlYBAFaS+LdNk;dymL#8D%Z`1=Y|*PbP83 z4e45`wVHn})UpQ)u&A`~F@8!OTMWwo$sgwvUlhA${oHVYK8uGH_4A2sl9%+Sm-Y+y z3S-xUuf%LSx(Bb8p5XU)QZYGMYtda}HiRZxlnR&({As}gw~gxG21)BejCYJeOcSM+ za5q0KKE~h%`bYf5(r#ij^MAEY&ZM91*H&={5*fFn@n|pElrq2jZ-B4+`Ct=!V zi)ABjY>Ti)cNE`LXD9BnZbH(r=}TPEvTAIqa9Wd(KX^vUE&G#?`$1jWT~gnYom=#@ zyC+vP1dVj2;@_}`j-E$W`)l3FGFPL-f@_;YD)}5%va&B0ETV>liSl}6M7j7gG7@f- zq%$j+q(BF6t1afj*geMno>ttw-*_NGdEs3*Ct3C0*sLmleveP5e8i8$e-Ip7>I&Ox z%6L@;(L=zNb=xxgeg=AR=wS%M^(qVH15Co-6pY%}YMzIwSIzI2f8KTvOGK~a?~9g( zeEcqkd-18H4)X0>Uz;nZDHZf{4l)ap-O4A5i8P7Dk37eJq3_YRq5B?1nC>gN`qZGU zTjJ+W)H-dvnFG$**%X`NTs(DOBi2q&7|5dh=V;0k$DGB?$9k>SaC-u-gING9NWJQN z(`UBP*LynFYQ4PbTht{3ItA{nf60w+(bI zROJDWi$iYhy(!y`-FN*y0sa~Vu6#On9ZgpCBUumEm}Zo4RgcNqLyAT+1@*U+6FNK} zgsB#L(?vcN*-^erki}_Q>`cf@pV~e@`PiTxbw)(y^6o+3A<{Z?MUQg{D4$X7#USkw z-+|uvDs!ycGK+6j@AVBOJ=8V_=eW>{P;-7VRc~!RX?wU&?a}L~nCS5{=GZ(1Hgazl zS(B=j%Z~AbvCT!s8;v620@Q&ivnqp18%i&lb|LCN%ohO&V69&NAldYCnYFG``Naf> z!{utw>+sAG;(1zjZLNlCQ=MilN)!P_?o*YQyct+{X;8_f6>y|{zsE}L>(gO2ph0QT z+dF>UeKH_npgUKNsN42Y{g#%X+RGn)1kPkG7skrhc@{tDBa-RkuR({N%9yfz;EU?S z&!%qre2>|Hp{;c^Ka3;PK@iwIDP-?-_xA0KauUoA}H7!qah{JJ+& zCits(pE8Ic1sjow>ONdPS#4Bgt!ZyGCamaPaKasLa;eI~T_uu{gAeN|wriGg{rlcT zbpm^MMU2IyLn6`3E$_H{ZZymGyVCHG^3CtN+C!oqxspSY22%U@h`Zc;+zZ$f==!$| zx(x2i#g0;Y*zfo)9HcK!T~LB7F%&L4_Ltk5+~kk?syZ3|boZV1Sa0o=ZLfUP1iA9Q 
zj|5^o-G&=|)c(pb$0Ixj+pW3;=BW#$cH8+DS{7VdDMIJp~KX61;YHfH<%ICAm;|?Tu0;OW!uMkXB2I7KcUO< zaTMKORupr-pl6l%g}y#y1vAv&`sWd9zVjo8Wxa@R8EK{OuZAV8p~}5L!a~%Wjh$s; zNC9xdNP9opilNkJdPtnl5Rqr1AgHmEj=pi7k+zUS6K7{=ecOHO!=ElS$Bh?74K>b~ zWA&DI_&S;f!o%pIqoxS#x7q3xJh-+8H#>uEtk_45FneS6Yt?3BMUd2Qk^WjyT4b}v zl%wc8JH9XDnX_KyXexUAZi&L|bYD`!W|GNF=qrQS0BP3DqVdOz4+Z@OM%?!wGVYWy z%l-V+m7q1>P4z$>u)${uM~6fUPi!n`FITmsKR!IayUVf2_^N82a(xFwRkS#gK-@`A z&>Ar0i~2B(Aer?318Ki0)*^~gJN?O8j1mT_ub1c6eV=(OrC8lp=ER)?5+`zD zWvYDI_g31m>UqQW>Kn0_fuHI+QSYdT>rA~tb>BWkV!4(4MDC+&6B-`e0y=$QOyft^qi(3Ph zVT9DhcY>W)4+ptz`AdzQ^Y>4vHk-Oc#Y+Qzj}`d#oDoVt(^Q=yhnD763{{L2hOp~5 z?;FGBk=(f8Vz@jYC$;gTSFuZe(p;HUP`6mD6zQw z)Zg2Fu?;v74Zm^iM5Mu#SW++=G*)EG-F2hoRs)jNiu`e!pI>mcW!VG_C}h2RCusb0 zZ6Qvt@1&*s&S*iv0A_$9jLq@P^PQy-*^#8lsF27yWZD^y;&JMA;2i>^o=C?k+H)qJfkM zH4Oy6?m)mK9~9KIrkRO2A`1YjOvB-rAlT}{&zgGTP&&d2v}|S`qQb()Y+6b8S~@!! z$3Tr85iXJ5*Z%#3Y^ckV3IFve?rhJMJeDXwbHIVD(3A;PMp>pkwf{nn=6eP$lz!NM z4;(u4>WOgO;pMK@L9oY_F2~MO0k_;?V30Zt0&+BP)Uw!Cs6>lwLc!!B6V}YW#ntnM~*Yo&s5Wl`Cg(y;iaKCVXBg{Bz7%L z-gZGiJBKq@_lBz3-oXC0$I$!4;KT4gJj<=1tP*|PucL*)j#m9n&Rx@O<)ReifaAo|7bu_xdAI>>^xz_x*@h#dNXFwG*|iVd%YIPfv|s`4_KzBM?I zd1a##xD>kKQ2*yo53FW7)J!KK1fuK`a6g;#kje8HQMXs^TC`|_y~*3aMO zo=exg5!xS2x3N%78+A#;AKlO- zXT)}XUqnSE=&2q3A(jIQm(8uM;hV-hZKtrc%}h7P2hRksgldbbODdy>e8Ik=n?Z@P zVLwIv8RMH=)3!7#5M9B-J!rZAda}_}3K5;JH;RW2IDPHUj9D{k#a;mr$X%bteqRUG zU_WSI)Oy9~Oz}=zhjO;%fNJ(B_jF6^&G-ywgdp|jkSLAhN;7&pW}4mQ!GksuSuSx> zriDsjq1-9IG;$wXL`eZL%gA)%R{YI8Un7Rfb)e548J9-hfISn?2;T+v`BFC9!yXK> ziy5`8(VwEV>N|*6JP{c~5*qaBW#pSLl`$9b-O!9tOf&xMvL2j%+87QfG&GvFoO1uQ z_V-&)LCl2FGyUBUnYx@8a{g45^RD9<)Ua(9 zh?sf--HbAra>!uh^5@;P9)V?{yeCl>_rb1qx1x5HdV=xi$z5)SPSHm?5@6CrXICJ7 zmaC1ItOXJO0V@p+Z*|>>WdU6bYY{}LcI2oNU%(vY+rVI=AP1ZLb4L0|pNGFVaszUw zJkxq)$XSmeeAbxU$zNm9acqg|N6_blP6rroHo;U==WXHlFOt@bUQvk`6aW<%W@j`< zdG+#>iBCV3pN-!rT?4LdU!aQ%0H$uNT}0Yp7~L*C!J-enyZMIX@IyFLk0vYI}x3892}iskWGKgqNFQVd592 zH||jS9;a$zl61C34?p3cD&tD^DI8k`Wd)H`wW;GVXp9!NzH)#yfou>g-?rDfw&t`| 
zZ=rS50WGDGOYbtaazUBVv8cisLmRj+%_+z5UhYy45{~os?i@Y>ChT{k~#5>+5I(M~Bbsqr4u;clTVi|NRhbTNDiT zb~X{lWdq1LbjR)p`z=dq785`kaOXKKh#zFmbmy=+?tG6NCI0znnTwa7~}HX{49~=dC8poNq$?`mVfdkO;>uPPL`fZs3z4>n&(3l=|=vwB* z{WpUEE2){e2sYd<8XK?Oqn>-Se81sgBobW~b0ls97cWb=%e;r)9Zk-2c zMED_seuzXbo{Nm?onrN`RLp>ftZwFzJH)3iT|2J|zuGxOlymWG$-Q@c4}>Mw^^$&Ckb4|NIO zL`39)<#ZtoZ1z?13@w0i?+pH$^~&Yf*>nXr88b~PmqK#Et^9sPC}lONeSwXfqweoTuL1o+PU&p zbu;roRF9L&oVYtzGHQl>G4SOnLp3N6-T9Wi0Tzjf>-FtAJGv1H=$CRIO0Va76Z<1X zBRP>03VALbTxwXDnHD>!$4B+Nw?l*iN~OjSmGnp{)B*T+8x&V5D>^`eK&zIAS_O%9 z4YkMme#o=45=~mn{>h5%q1Z_`NL>#$e8X)#E@1)Mt_a2Y;=R=d3fuyB0jgxbRZWE& zw)ftgDdbF5{QI@?h~&x4M&eIUf_CS3=vS}}jYIA)==y&2A<$?JD8hq=9JEAKUr~N) zjJN1?zR(p)7UpjPrLaSJyY24$+kjoFhlp+myyfezLA_sz5Iq9K@MCbeAb>*)85=Dm zK0|MOXu6HqLpk$6=mFdt=cuo?pzVSM1asYjQ02;u*;c92cuAKvD#%QN70rOTw>nA= zltLKCuj{n<4#wcm$u59T3V`_a&{FTn+JMJCqJGBcih3WCTq#x{2J+393IvWGvWT!8 zCtU3NdT9<(=c6ix<S%lN|IUxm0kc zRu%DVazJ%5%vg9^4$qKs$5R=L3BqI z8$kp|~;bV}((bb%dPp`E_HgTf5{0y>3) zWR*H+xy`okRhf->G=xt04mOZ-Q|RTHYOtW|oOIhqe)D`I7L{66XwTJQ*$WzpI>SQn zMXZY7m)SruqZ0`6IFC~(dI;Rl=c74hZfaWB`z}uKcBqUSL7MHi0k-nWE+CQu#6ze- z?Y;my0@tEqq)H?w57GvPXE^*e(Grq_k0f~Dg9m$c5yU^?k}H556WkN_0KbCj!38%& zt9E0z@k;(Z-Kmn#6i(W0{@Trip4O40gM2R1?mHWWM-R+bBdNgBLT?#tKF;YfT?ys< zbN|xl#2=GGhAd*)%ZLTuQk<}{Mao>YzK?b;wx*Iyhokj?PH56p&HCkBSBIHS`Yh`Q z)Acb9q+aWwN;2Za*&&NFS;&|*W$ln*7qfYYFwshsb5M=5gd{JD&DT3W=S(d_`ULR0 z|FLqbLgZ@TBA-K)?h(5mE8d9`2=@V~~Z-GQQ$WJuGzN#qF?Z3_i##qNJ%i zQ`frx+vZ5!s|!YhE)aE%EwyMJ1%kz=-WTp{B3hfbtoj);>H8DqX~{7+Rb&5J++qFv zCS>^6?(p`?q*_6)-O?3uo{m}_5Wgwa<;T~QZ|VR}%v zL+Hi(T#J3qpjK=K2K9=t0M9)9+R*cAN>b_o*?M+=DkJl9g>9humDe5z5 z5+$*Ykrvquwu(UMjMI=i|9T^@kOrjP$X{2-g1+PtWWNs;LJQJV4HoL|4ZPE!uXPtV zpl1a0@ee|ic7*CtmOpUP;S9($TIfJ1T{2jv#KznYu$GKJli|bv@srXLt&Y zRA^)N-3&e#Kz;p`K>A3Utjo>F&jysXP1|Vpapy_CmrXVkt7Q*MAv^y2_rv69#5nm7 z`It*%;t(;E=WoMPdKA2)*`XpdM^iRk3v#V?1+ym3hI}oXxd~SayVRx zq{z4@7{@E2rhgr%9ZH-?M$5($c~>V}Uk1HUL4qn!D_euQO%R0VIyc2kS~zh8IIJ_0 z&MOqSI45lB2~?#~yNGH0Pi4$SgbcqS7SmDbI$LqzMkZww@0E<^@Jvc6(2B8I`p#Xl 
zQpVYK;LrP-!Zz?~e|EN;xsiy!XvVBTF8;LW1m{7tVwMf{x8F`{9X**8HtcjXeT2>% zZ!v~=bE@KpBB)6GQ1K+y9CG-z+xCbmi&;tv9l`hq6kBZM$IuKqp@H>(URE)EZa|b% zwfQ?(0rN-7b{KRPZys`Qy(3>^=JC@+;^8;Ctljeps!w%qAr0VMVdx z{&bOerY311pHe43W_uuBM$=>pOr5H-$X`5Nv@r_B?LUZUW@;b^HJr`VIp23W1KYiL zA~i_eIdpwFWbnNW)r98Qn?H5x)TIJ2fmjD918T0koWF-XkF!W@;&?yWJplQ`QYa?& zDqYi{7u0<3UOc|9HARHT-7WOB!*@b=m`nB_ph{xWJ)y7Z&&N6Z8T8dD8He?Tq z9T>Blp-FRuQriUoNY13(_Eue>9nF0L)q*NdFLRJW0{n>!p!8r*II4 zhCqJo$@snwJHdENTj(3HfK!9~?@1rRQsQ@SMqH8jeMRmpHWw+#pX+EONVz!^`r`B8 zYwGL~i8+`q{Gy%H@WOb_yxo4vT_-Xcuhw+u!K?S%i`rPLU!eYBMA0;*l3^)m(vk#G zg8QKqh#!mnafz)8Iz2JTv`C7E2>*ab)FEfJy-jE;*fNa)2gw(h{<%1%aLBE&iDqPtKP!ibnXp`HWe0X5`>H zom9B7i0Uj~JaX659H@>OotQzAQyhzn!fRLS;JVTK8y=1{YD}fIIs@*A>h_o!d%Wfkcaq&%GBa<%ueP#9#ihK-H z_)(&WFUBzB=Brt}H7bXYXWm~b#-~@-%VZJC`T6OzLhf0bdNW$4OJ6+m>K68+B%Exh zDz?|bDuU{s?H?Qu*17c5>k~nRA7H)bj6!D-S>vW}kx7=YYl+;K*~?&c*Pwclu05h6DBx&b*FZUTo88mayl#eYIn(=%Cpi_~7p&0qnWKj3Y>Y>s)A zgrI@@0^kLnqAGLQI25KB|J)Q)a_o0OIiG1MX4ei;>`n+so|q4mNy1Iz)-4b+!zhGK zRYEr8KzkSizy_+|&faTnLK9BA@~fHh__KqrkbE0awqtowao|4L3&C&gbULBM(ENm- zA9_zl{*2-=n-4f~``F0~Rv=$fMDK~Gt|g(B5X8fuHa$MX)3G*IVg-?SXd*GBsaLtp z81$eGfDzjOE;!kshIiZ1LY)JV)Nek^P&7H6J5$)v6qywK*C%SSxNi(08fPCF(jE_# zL0T#$G!jGeP@G3Qt>ySZPK8zP<`tv{f?D8tuI8qs8AgM>Nv~xe5pvWuD-N{c7kkwF zCL1=qI@ds#^4=_;8d10!c|YBM{rc=bxq`2c%Z(301dnw}kVK9MfjO)xe}I78Hq%Sa zwtqCMv>}zFx)T!}4F$#O*_E-Kh=XxdD-GS(Hw~_xiFh9mx}j7RM5MH|=>B8{b{PQ4 z$d`jhLR*oEa(GpBSDti1c>u&{*Rze!-$Cdo4A1Kh&vdJ!O4CT! 
zbedIDP;CSrB)8$!C!3igq3oal=!;T0@*E$Dq$C*+N<{c{3Y#^8(^%|+n6{{zkMeO z#N569LYu*st!p!->1KyqAMBMv$n&qieKYiMklA4XoiFQ-y9`!%frWP}OYg3rv%R!; zn^^eS$nITYAVdw+M+$`4y`m#5|1b&`I~Ny&l~fKjg(eT&K~7kT{jGsoj1q~jq_c7m)1q?fB4q~qN?4P)G- z1CVdL20=9RYO7kc7dhKR;MLG6SwI)bZ$9kPB8`yN`>&tai~9%3S+ZT;@yl>^{HX8F z?44TO%{tNdz+Idj!O1Xe+U}vjqZzZs&*uLZ99E~{?wx}`?8}K!DBRcOWcUYl>(Y9u zI}IDk_3`TC8K3dYnUZ*WEYLM!oiMjbqd-2S6yg)tj$!f0~ zFx`k{>+GgUi~1MK`wtZP7m&o&tDNqF2;<0Fk1XB=Lup?3A$K(EM1(YR$BhSI^@M{` z07o`h6w4LW>GAxphh^?Kj7W~NR0u=edB^Z-5j-gCaUt}VtU!cvEdQ83u3qmV-+uohlhJnt@v!>5BzLiTJ<9+26CNrV zp4Gx{qIl|7eTuMFMNJ`fclK_k)hy9MIfFR=CPwU<}0- zvH+)l#D`_W!(nY-Cv_?E+3$C$^&xV=n3zuZZ!cEs^Q(B})8cC_c4f==<|I-J*2}xY zb9ZXlT+C-4ao*5hQ)(A^F#7K~AxAaGFP&RTS+mh3zWFN*RWPXx%HgKk?wQj~OPvJv zlLnj1_gwZb41MDWd5)??7GNGhZY4xI-;meuw*MF3ZoBs{dYF2G-WJb_%``&;aFiC` z^>*0o(W57<-!m>-fp+AmRHtlcQUscPxR}^*7=|5X9<|%2Ss+-P&he-C2nnt0s!ksp zb`b?F)d{K=9Z0`3))9YLx*~(z;NN3S(1PK@4p?^OaOsZ61jlDsB+Xs*toUY|S@13I zLjxmR zM_#l@Bfr1_D^kcgigeN;k?Kp}z=5{60RZts5Y!rbuk!{VI4qJmkPU+3XOLn&)`D9> zm5bgAX|#dn8i(%Duk+kO+YT*B3I-s@o&bYAbHy=x$FX>zF5x= zrJ3r>KNv~c1>3P40(VD&k+w8uN!`Tu9IC`$`5IPDEb)41ICqoZ-6&t}GDK>=gQTfj zc{M=8^fh&Z=O3j@<~BCXnqlX81VSVMDlKic&!9x(KNxx#=|m%s@+KDxXp*&j1svNiiT7L5xLG_XtY359S?GL@r65L2hZnvQA<0q7Uz;!(^Y8-1vAdsOdM<=CQ!O|Zc)795 z{D6aHUWZOf%0tVJ;<++#)!2;RCxWhbq@P$mudGX z5V8cfW4g+H-)KXMf}l-8q~MHQBBP@|Tf-@sFWte!o3-QnY+PAAk&o0jwRL z9+D}x+pDr6Ik^>p!(Wp*qhyRWPAl*hAniY7g(*|&5+G~Y`+M6sOKz^u&Z~hacWoX| z{B(weIy+iR5{mRHq@5wgmwsrW2oZkM>H3x*kyQF8_@tTGmQk@wNi=1QcGm$`tUqS2 z8t1$=!-RCHH9=Mv;*Bkdm4a$l_VdLTXXJ*9emrMFRSgBO#}&o4wjd@u4xovUuI!DE zvDYZ1jO)U)!5N{O9U;%Q&RzunWI@5tBl@RgGQAhVCTaM-P`}dqceB-!V>GC#vdnG! 
zE0MQeKF)FYDL*TZ0`HNC^Vs|`&=#+TS}?3ADBMr`GpJeH=bidYO=606U|^w2d~D{*X2epuQ;)ce9QUav2JzY(5tD@@s^#5tQv z2plSBzM0CgQEJsVpJ&$b75@s+wZvoExV!J^GzBboaVbW8FUiX_SkcFE@%I%}3&dcv!;mfyFbhWu zUEFLM3azCOdF&L%KBGR~j26~KhG!sKqpB=`EiB-0Z#}r91gQM_p-|MHY)9gNG1Rd3wr%^{qR^=(MA zv5(_S&D~H&Di$4T9C(kYo*S&MBBXJ`2XRYj7pbn#0q{pv$#l8$3IX~-U+4&M)6a9- z{q3a)`zVJoD5KBVSJAu2!=Xm?C|s+^K=Q#F<7*F!^+H>jNR>&*X{i1km4N<~2N<5b zklF8xo+8yKGuIZn1gdDUAF$6@y{)&nw{UdX8D(GN5A(7&;JMt%a7WScGhDx`R?0Qaedag{h-|zrahI6!FKE>(JwQFsCEz6+uf!0k?yf^=OtyzF;X@X@gN-wT zCdOfk=M;ae%!@B?DiDZ9#v5Eqp8+UrT5nDPO77=FBYqywoGRQvDh;MLtd9+Tz?b5I z_^R849+P=v$O?1*oIbBagbwF1P8M(sDX|=BVx)t7B;Ol&#Sc*m!>!?b`X;8*^L~LP zH6$r(p-j9ODLjnzP{oKo4wfnOS!vaFjX)DwB^<4EiiQdJrl;xbN>P`%nn(*`xl<+o zT$AJdh~&53@Le`ylSmt{_%@=-j)?%3`KhJ6(496!NYjA%H}>)>d0FmO2A)82 z{GI2q;FcG4IxC6)_HEQ}G>{F7f3wXNs{aL(Hg&zqX~N_zR#$XpJrB4dy%0G;sE<{5 z2bUNDm@xo&90|>FCwWdHZj>ddHt?2?S^q2Y)>t$-*7KhWr;%v`>o-KG=BfeeWh1}O z=&ktgBOUE7IL-;kdekgxU$ydtaJbmdZ{3c z*9*UbfRUA{4GoRm*QX9^=ILh>!G?!Dd)_c)rBF!Hl-j z9}`jifZ3WztRAj;W)#3)-&;IW&e@iN_`u)OHb6APPu;)=-IS!8gUhuUkDF9Z@as%$ zKCSbwjHgUbED6Xj-WyIHJFtd z=Z(4&o%~~ShTgk`rC8nL@A;F}LxAc+@!K_p5`!nSJ|`;w?y#BM!R{bp==KW=s;o>X z>@5~LG$0;U0O=Y-pcz8uiN?7}2MOtLA?>)yNIuGTetXG*;A7R`e@9egts~_kL87N;3j_8w1jh zMJhH4H2?CqOA~ziuL0Ce-DtUqMl8FMCbHsNw{jX8X)vK2wcWn#pwSJ}OhJ@{ReMJ&5|We<#g!7yVs*^lhY^lQx({VIRk_Q`#LJ?f zqymWCh|6n?5v?_5jcq)ukmogmK^+(4J|*e=3H3;Wv0;x5;fG2wQvf2%J#e2shZ;Y1# z2A<~r$H}K1l@U$o1FgAXRoe!}@7>BRaT5*5T^w0@OUlJJKQTzJzhW?l;ik624^dWLGzmROG4V0 z!#6=l`3cDlq|-{ywpcW(D(j9-HvF4qX-wQ66d(AV{r`jL)6YD7QT#?LOV@g=4)(;W zUc6(?D%icgk z(T$#dQBh;YnXZ|Asu8-QXUWG>yM-7C_0|_5!)_wOUExVUcN})ubWaukoA;h-SYU$* zJDs;qFsM2-=tB$WqiU_-6W_sy+iSB1pb-nrI`z@Jx{>%Z!96>@9{alh00o*NI>T%0 zh@%~sG-FP^C%Ey%>y)eINxr*ua#os}hMRjoRiq^|TVBElz~Jzlg9%=<_O0z4s$x>Bx&cYbuU3Xo$)LUz{jts)hS$+ zX)!a|g%732e`aWY&6z-98=e#_7Bx8&lIs2p8mJ#i)5X_<;!1$_4otB4N z0(4Y@U{Wir)sF9C-L2zTPyAEM!Tb1ha@z*A#`-Y#H!B!lBX#mB`5L(nYO`*vS&DzsKW=lA@*Cee;=$paJe)2+G1E#EfkX7T4fS2_iuZ znBvtDg$Bj%k54bilSw(5k2KwT;HMs_L 
z0`X}X_zw|xzk9EH%CPEG8Lm#XSqrMP=c^|F_&Qn|I-dv)kMeWm*gt--jyjfHF_J$B zMGE~GxWno^mv<%$V*vEi@$)p+BEl$or?p1<>mcupZFNk9fF9cku=}j#rj{!H3-=`& z;+UZ#dJQ-n%jNb68<)NDz)sa9@VX|X|?9h1<~)D3p}kk zA3M(m@@3zW=YF33^dkOnfuF0BO2nxTXWr=uO0clXQe`!}s2d+y@?kcHIXMrlgNiS) zW(-punyC4T5&5474e(297#0lomYQpqKmF(t31F4U+wrmay)Y>Cs-+WRBtHvSdBqF& z*DMy&Quo zi2QOJrZb~$tP%iSVV?f^UOgfmTf1z0_5p#E=&_|nd(~bvzmon?I4B#VU%;#ge^KB1 z(>~Lqtgq|Qc}w?eip6WD+*g5gf9)~b4~Q=W>>VUwqy1O#wZ8vFB>wL|9)6*#r}JF4 zc1?B>;3*f)xa*YwoXj;?$iS9vtSu(Pa$7e^^*RN`8RkNM-@^&B>3=7f(aw z4^;Jv%O5xp=@!I&=}W>@8_t)csBW{0H@~oNrMfX+Alf4SzNyQ61z~$nrrxs-lJQw9 zNAR$xX#va*{D$IOfW?!%+e&{v*YET+3a+Vgo^C#vzWfiH7Q12^FiEQa`Rd`9`kma* z5E%I}Wozc)|BYw7oiy)et@7!`#cP+4Ls#v8iWv-@dNNyU;5YmAbvfc<`8>9Y;$a>Z40F*3sG1+vmDk_9 zM6QD=L5}s`3k*4flJxEg*T3=cjfE2kwfKhPQ`5^nvo-kJ=>G#J`4{Z^;WM2D^YlDU z4*B)8@s_FR;(6x)FyJHY3@NS{3mzg-1HKG)1Tqn ze1J6YUYl+lkp|`U4?I%2EC`s`<{98dW!{d~HgWn@-vj?JUA3xRi)dVRaEHIU^D&B9 z_xI=vn-Od2{d(WH6n^2oNMO~0ul|bP{{>$J8BHavY=5+>?mWSFJ7n;YxT~|vPrlnC zNS~jz4+RhtKwT2u9T|1wW3fJFCaog;dWuz0YRULo;MP>%IcPxA@2j9ANJ2Tx{pG&|VF4d$6@cO3^cTG^d~cwW zz(S9L%;wT|xcpc3mA`$(E!o}+GJEd-cK^lGcPEG&A{}7#J_D*t=D!zn%a{fB!PT3lluuV3@_SK9vsM55z2E+0@CXBT`7Mcm zi?kb%6fja{L4C;gZQcigB(6;V1Weq2ssX7Gz;)3Fo3&?PDElu12n-yP|1vn_QU5X? 
znzjD$Bg7*p=oZ`e9Ds8(%8MugKgC+McLR(N;6yb0|NVia;#pisrCm`ufbaP4tX6H_ zv=>Q`2SrU(A@;AQp?nTc~BvKw^Zrg4<7E5DedER zYaztq7}22$k&8>3or$}LJH0I04o@>SrQ^#z(7XVbk>+UpYp!J7l{ytRJhY2UNc1CT z#o=C+ogMM9^t(0>0tDO;R%ep&;_t7Y|1AllJbdu|-%mrB1tcwf-`|T>GcBf_7qN_> zhIvw!^CCmT0wMURm9|txLKf^3%KF3$$WpHBCd*e7uyEx3K3TRzqdxJmawR94u0jhKfhZFP?Z6* zjY+_`DV_u(7jFR=K`1zKsTr5RwcF~pIMw;lqD5?)mK4#s?BTQDNX`sBSvG9Ti_rBR z?rn6ON|ELv(0)eY>dNe}wjq@WinQYdz710Paq9Ps@NHf|RK0tr^_?-`Xfrqk`1UI` z=qWV*ey{91oc%vErT^pk0X9>>M;o2DIq{pjP=mwX;T!S3+ZIfTOxs}dMa}yU7M$Pu ztI*G+`p08?&xq^#_>Iy@N{Jr38`O!t>svFT!DDHJeMx5;j%`4cmC4#~KY>Sx*hQMe zl@P+BE3$GvXwEEY&T4-jtB+Pm&OfUZ0KE|czQxv=VBmMIyBV=NN9>?6g}I7aX&%sI zc9-0pt)9r_TW9_Y-+6F(tvwYJC09V;=3Pm^w$e5Qdaw~u4Lc!es{==)hLD)}q&D&g zWtaKzN>ur?f3GzTYf~RFPxIj?FplMynhWVEelyH(*&qf^hHXdr!+LioXDK#ZyP%2EIz zjuxO#OVa;6+To=K0}~=r9f07;wrq_9C(ff-L|>Sh40RM^BCJ16gxG{vZb(K?kx@)aaO6X3O?xCEYl zcxywSvUmH1{N<}1TmC__D{5o;wm$ab`@i$t8<5+_=%s4G#B7q|ZdlgWgx?=6+L}z* zU!ie5(OX$n#K-bZ=kmWump6l4epS1Z&{aC^_S$4 zh3+fGL$MeHhkJL`aq@g z74H1obz8^uj(vrIQ7!%Q^9zrRMlU|;(Vhccz7YcE^G`4x9UNyECn}-Fjo|V1XPan=4wIITNG=EmEe)4_vaG8!Irs`PD4 zG(U6Go+&Ji0U^Lr#P0;tlPZ(Y@1$8^_hAwW2$CU*SdNF$+dcNv8bU1+ya=ozEk59} zwVRiKNHpHE4=?JY_-fMj6Qk#*->D73o1%McqOf0v8-YOk2>|od$5}-0+-#ssM<6ZR z{$xyfp;$73)%o?2Hm1YY%Q~AfE4%1rFb1|Ue;nS6O;2Le%(4x(rc2!9f~X@&<@3(> zW<$?OI)97*mLx*(gVN?U4VZLtGgnPj^fK*Z{j?a2rQ`1`_Ksjr?Gzc`Y?(??{TTsd zXdKAZp(F^dA`NzQl0Ish6I7|+(92EBuDXA5QO&_&Awc*ac0(#Zy2;`{lwbEdaH!Q5 zxaNml9o>!hNfeik^r)jugC9=9wNx^cd#5A4TZ~@aIlMP-Rd7*$kw={!^R0#iU7xDWO= z%ar#YKJ5dH4a{VnuJX$AOVcwvV8)N;P2#RV1CXs%e&+dU7IHng&f`;~>>HUVK=Sg5 zhy=P8A|`G~LIR9|q^98G$l9{{)B32lsZHyZOm2A}`lUrpzq_uGiP!@aQ~RA84Wuq{ zBnrAqqP}w8gCbZ&E#LIZRAEzK)4)HEyGjVdM0Dbz%=zK2P(I856bF1l zr)21*`7jUwsWF0TUD^h|y@jbTN;8&^3G`}_A#G&1FYw?asI2(=SnZ=n@8Y9pSB_Q{ zD}be2%2CZCsro7Z9z~M&DNUEzu$vHX;7!<|Pn!i_r)|%QAVjfA^F3LpYiV=;6p0dk zxEYXhh^)j!3gZb1l@7Iy+eK{m`E({4Y!r#s2m*7EdYFm?EizG&fpxLrF8@K1|Q%Clq-}_9(&waay-FC6^ojyUjp%BSg)1A(> 
z`~!SqOqKUk6LqWs92?Gi(C7G&bZKsYV`f9$BZ2A>aVS-n34=>ue>XAsQ-=zP0~Q#88gy?lmD6TBi&>yT&KIyW z_+vPhrR%cnlU>=D<6;}a?$ zUe1I7Hv!T%YZt8Ba4)m@glimZy+ zH8;SNf`&msrZYVnCf5!(#&TU5eNcHqiY>WfZ5djyrqc%$`1O+4^ z9~@I-j!3TpZdQR8diD8jY!g-a=u6G*1lgfcm94;e9urUufucds&r*KgEX_%g4`?hIu*_z2~$cW+re4 z2OiA8^tEhZ0d6=%3klA5KKE;F41Cb_1Rr?ox5j%rFU6}I`qz$TPr+1|`x-`Jic>mx%%u}YCl(%5gc?vU^1np1}m z(X~?do;96^%Q#$(tr_ohOFb`LK>aGGYH5D*TXj6pcRaegpqs{4y2jvDK9CyYV2uhz z>%S|GtS7gA_exKRIh8k}wkOf~0DhBYUqB!8m(KW$Vad1->Vcy`Ya&P!cHCw=m#cZ$ z{p+8_K)sKM?JecN&ih%%yp7$~p9#x5CEnKNbBy$3T~0ap#k? zC`GfV)i26~qO8s_%C7F@ts=-w7M512OfD0Mj|rKS4u>sS7NNS)T+zVm+jqfdd7s+b zb-)4BGJT!n(!2g9U-?|zwH5Fmpdq}wEY4vOcR$cjNQWHSsU&4#>j?%tR#Hd`$N9rO zd1?VK!+%^6(K9h|br)1sGkrC-q9=D=z34ETDx4OFCB6RzQ#jIKAZmCf|{@A+@#<6?$+- zi9WwB-EbJX8FOCJ6DVv&L+K!zQ_?KhHLoCj?l>1t*V^_FbCp-X3F^n2(NNIgqL;7J zrQL%CXJDv!>;-CGMrN3gXq=(`eMANQ90a0;3OT)*(nJP+RH&VlzlE{jtgGtgE7Afzwd(Sbi8B9dn8uVjCm_ky%=@TFs+4h? zJ(YbESSp0Od5%h)p>HYmsGh7V5toXTwV{5r|BA0DW!uRk|Jk0`RZ#RpyJZvj_AYHD zU?reh(9-q5`(v;+P0`33;h*5~TmN8v+`pX|pXDtrYO9;n*pK}pVJdp9=UmMojVk4K zP9FR86n#N1)>^d1BqAXooVcqzQ?@}0`)_*kk#lvR?CoC~k{9JP;Es{}i<6F!t2!w)b!*%@JxeX6 zH&3m=#D)VU)DG(QU1D<-N-M(c0I#@2Fp*OYURRxv=^I`I?R3Ua1~C_MSRNZ4U~}<} ze{EH8(L_S4?5=RuxNV*fBZc8AC+bFq+@l6;6TDMQh% z^VD;Y95{8*ROuUf_Sdp_9L4|?sEGZ-* zaA&~LoOq$krYY@6?$wCL%C6RbCIi1#>r0ZS^s89ndQD<53z*)8o6-^by^Vw%-vI{m zhhAM^;)-&Dvc7{^SH?zf0o@{D{;0ukE_P~ zu2bC?V7nV@s&L@a!3ziZ54Nd{R)fEhH%C{9_iW*W;Tdx(adDtMUh<^sJIrk}jY%Bb9Q+mvzDUET^J0MJG8B+Ob2T6KNxV(JwgPLy(F0$w|qccG5QbALX z%Bju$zN@G8@m$#A7CYB=p>XnRQL5pTdC=$azdI$DVM$Q`1;i%I$6#p7k}f`>cHn4@ zyRNqI)g#;`q`6&xaRzD58lhUI|WZpff zaF$@(m&cO#O1xozzW8>)1>#@iVlWEM5!cG76+`Z(cr`YS`V#(!d&OLDsOHA-AJd6n zjC>=Mh<4WT2xGpJkJyh`Ds+O_>cqbr;(!Jw`$N6%5x1?5q;91G_j~BqxGg(am8;qYOm+Afn)&3t@KyUCi{*qU6|9K zVaT++k$LSbtadJ&XAAg>=(Wk_C!*D)jLJkQD&$vJTLN|AZh>z|t&7ewGY6T6C4PElUiW&#-jD2Q4}1>nse-y#&>%L*Cr&eF{ql z%4(ayK{pCKx=48?n=i0qpEiQGzNu6MYFMB407}T_?$^vbaGLYD$OPxB;popwFdqmk 
zcBWDvr-=xl&o%V=fh1H1{*NpnQE-?4*s;9g04$NVHt1GfyyG)j_hEfKQU;`dVzrsa+80{E*Sa(xMfyT0a#t(C-|VFR?yY^Om~d_cSFhcHUs3oGT*3kY zdBxt9LuF6&YDv{rbhO}(MNW=&*Vd8Ic{MYJ!#Uvs#Wo>ouS#KZfIm7#yKI4M@~Ah2 zElU;`nX|?27z$2&%yHUmULMBLo!W=bB?s2w|ixB5!;vqX*=q)|ZK+npoiI2|Y{zQVh3 zUI=ep+64hw^G8oFVWcDAk$4qdqHiJ=iL(tI6)rjni^*?ZWwpmz3j|IBw4*jj^xV{M ztqZne_o#h-323Y3qZ5LwZ+$`VpjCC!-eHHGb?O(7FZg6`l^`>TvOlAwETTLKAsp;? z-;rDH=w#hE@@>^Z=U0ssyPdS@&LAlx^DzGGfv%gz-6mA?GF?flrBE|2Nl8}@DsWys zmU=W0M#??}3xKjeSbV$C2ny0GQ7lb(NiR@G)8EiJ{K`E!aB=wFOP70e%4k6R5}ftG zHPuy98d*2ZEbuiat5noVZc4m56EV}MOp_Cc>mtyDFf-y)60lgEj*zoQ1yG`?JQ4^k zIb3aD$f^1PM++0Ri69{SOya-{2W(-g$<6H`a2 zUVV7g5xqZ7qtpqwO5F(A^FsNNftcJGf_O^ne z3Kxq>SdkZf99^{?>N^cATxEA>ru$c9u)O+mWKzr* zK*#r`yq7S(SF1iV4{g@%orL*4czDM24jAznpO6#@bn5TF-*`qWMqL$3dTQ~NQx@ue zZs6Km_QV%V_3VaUha``wU%9s*(U_JXM>{rC)Y0YKkcOW#FqGJPc-^h**7AiSa;ER= ziBnwgH|l#P#9>3Cr2&~MHUlc%bBl{bFHFk>Ccu5rQ-Xg9T>ca8e!o`Hr8II9W#+j) zR~nm^fr72pfvII_BP<70gS54UsOCd4rQGZRw`{}zjhzl{jfp7tR}_ z4DXgmTYR@bJ!c|H8F+C4Wo-h?!rDUl?F1y}C8Xc=6m0jpIpJ@PhnTjA1pXe#u?^Qn ziRnx&6&B0nM3p)03w#rB&%Nvv+`ab!UMs!RXIe-{WJ!50G+Sp;%Z@w^>bg|Ty2~T< ze_RU5aOdNgi%&AvSGd96=ASP9Biv+4+QOE1&kb_psG4hE9f=qx@>-Ihf&}Ywc-?% zno(*v+F&eyj}AQ7R~PjUdW@RukmRh2k4!JXpHh^m%$eh&kiv?1OHfxHUwj-5lhbn} z@}|w_Jwb=>jhL?dtWV%VMQ(i~0o$os)I$DMo~}n1x_&?hB?95l6E?$iz5OuKrA7ES zmoy_7L?Wj_31;7BJmECj{wDOR2!i@;6w^)-#Ftd0U%2-O0|6XOV754~hB~6ydB2VF z&Zh;jTJJ(N&rJ^Rr0`;oR`8ymDzpnaOD}D^A)xIx6OpvVK`XBCipLJiJoZnO-niY* zBsOBAyeT1P@k_(dWjQa|WhD#)2uF5d^s!8k{(@5@hApH_;qzAKqZX<^^7Vc^^e+&r zJb5v1)r>k7(lx0}&_(d*O2LlWAZlwyz9RY3S|!kpD@)32Nl^aQGBg@wK;Jd3%<0kr z6XcTwk)Edm<(JA%;M6-*qKC5IR9`GsJ!>$e@b*`yk63Bk^ zMTe~Bw-?oqU7BMQ<@Mfr({VXAeNXDxwbd*}zg5|b?%wBzU_;e?1}C{NCT=386{NO< z&p@fyUqH-di6VyB1UeP$EW*8}K)LPTbb<~WN>8-smzRz-uo;b{H{wW^s%e7o zj^q~}AfI^BkvAPD1*Ez8mc*JC!3%mV8?j__rB;tNP2H=w6H%gf7%hK>}j;6S4p8_`B=l8)mIwGBdPO&PUPv#V5eAS1}-G(qzBL^FBfP%bmy!z@(k?vH?3UVl~9h< z%b+B;870!>kfYN22f|C|u6wX@hRyYmD_j*ozRCdAqRDG`89poVVKC$@>Ye)cc!w17 zzU5*8Oq|<){5mj9z9ydm!&`(e{-R1^07OczsXgF8A)xxpUqYv7FoDaop)=8GXB9 
zUcG^Cx@dQ*{uIVb!b3ZgtT}&Qn%DRerl3mFWkw$#HM4y$KOz`xi0gWFauq^nwyWkl z@SQa2i1M4YW8|}!gxd{DuY~=1X{{kJzsj8(DBKK;ip7_k8RbMns(w)bv zuwE|rarHRoINRYwP*OA*HOEsPV>n!J^aNEQjvH-(72w$n1*r7LlTYrwvV7kiaFmVi zJ>A;xr8aG}KIf;WH1F7aWj5N@2N&|0oTB_;yEzDHgh}iHBb&*=ln)oaou^P3ata7C zN%?n#;M zMh*o6dmTFMm-P!Q4VpQKQ^GK^CQ6jEZE&PhC4P<{^}4Rpr(dq!D~}e?TL_iiWCO+= zBPf;F5esW~0pc_`l6l|bvQabjfxMTsy86p*gx{0;561JxxmXQ2E<*y4qq^(+hNQ!^ z6`~j8eLEPKxO@2u*h?!nvL?wGWjsDD?mQNuv_T&YF~a+)mYj`o#m9Jn-@Rj zKV*1V$A`NU^3!6bZ_$0PpIEB8j(hvSqYI$nX zixh(5=QvT2$0sUN#^c~RQz=ns##bI;H!spltA z9)&V+=YLT1t?^i1*(+*oqp2>KFuT-%Kn{?VXiE=@V_!Hcqx4gMg1j@23+-V@XpY&3 zpV1lTL#!B`0FI#=s4A`k0YaZvg5Wc??><+^D&;=ERNQ?)3i!|lf%)`Qd?+c^|8vD^ zXJ$XHg)5&=vo0X>lxd#*z~r5~^c7H{3#<#YUf~*XSu&*dG1CJ0#uX#&%O-eWjVS>^ zXhII@vctC!RrZz!cur{~mNeBH#)BQJIEW0pycBR;FO?k92GvG5ARLq>*=eG5Q%ETP zuH0%8S!B!f(YJ2P^rVhpy@VRFZrXh0V}jG2?@mlTY1-^I)eb+&R`JG2H@1ejeWIaQ zKXcqYFRjX7n4%_{!0^4=aayG$%Vn0HL^%$>NzAJ-IG>xW>MxF01Gb0)OMZDG{jR@* z^Aihtf1Rk3k7CNlkJx14D7mG2J9o30L{r=T=s8#N*YL?W!AJplZr?KrC zC@caVEFZ&TTQn!T++OHhg3q)%i7)R9dRC{g_Vf@e3#I|4dAZ@{wwLe}x;Z?0cN>pA z3{$H*!LX;&Zz^dim6}OtKG3~Z5NgmpqDn7KY2On)&eRiO|JtB055Bw>KK%{cybi=? 
zzLS(R0{+u!%+@S)ay*NiX;C!o9B#7YrmnAM^ER0fANqQwchXSHa zK5d&jr*|DO^*X3g2KqP}NWz_j!IG|%a;AF@dIqf7K9=k5p8VGip`E(j_F^!#8}PLu=3~kWhmpPXNAVi|9@aKa)TYe^`R2`i@y#n# zdzvbz^M3L70?ECfmv%|=j)csZ$oyPrw_iq#YT+lL(pqU(M^b2A(U3w$h!4n633>_6 z`{4HjpOtvfz5uW4;V?cui+$CmNFQK7pu^OztG4g{0c)JrLPhGdjeTP2i5I`bX_gvn zg=bGh^6Jvsm~rCMHdnV>DZ6UDJ4>-eOv&D@^>ai%q)$)`E@T21GCaAJv%UDi@f$lP zo}y2ml)?*_c#m)2u!_JJJAMUqNQ!lkhN%ef-Mz{4%~95e>E2GT0nwW3x#c&Lc$a%>xThfraw*w;@5XG+4 zv(e`DjAAJDHt6FnlfYoNaez9cZ+-bLakH_s~kix6Ym=+qA&OwcQb6{{bAH zB!p)HT$uS&H5Gf_T*9`S%`c@7N5>$Vngov(f|P&}!J+g*5~mwDoz=GXY7P(E?Sk05N9Zrl4pc zldt?NL5kHrtH0(c;qHGxEv@mF9yy>vKT`+rsh9P3CuwF4Gx^c?rA%rjiK9u5^OaIO zQO@ndv!jDI0QNgoQG#o*W_QNwyor3!QwV6pmMV&-YxLQ@tr(Bch3fm0bc_#}nee01 z;!p#PJx301ee;V=J>jZAvXQ8@GFI+e1xAOTB6MUBI5d}3IK~w0?}o1y&!wie1m=~}IcP0sz)J=zn|m>*Oi+{r z4N(bvNz#RCE0MvEcvaqqs)~!&Sg3jDwz;P$X|sNe*}lw$JV*LBn)SV2>v>pakbL5MV5sN9I@d1ai$4xk82e$ zXf|O?0<%sGox~`r{?f0z}&;nXJB|yOtYl{!lD9??%vHv-QvPrymxvN@%w*fKVsUT63o(27nuf;u@U3e*#{SOhfn_by@JyR z<)#?}bkewHimRqpvo^g{@Z0wXu6qwIAH37wFB5vqYF0z+_T<yK~9L%^=F->f*b z>(F@>K8;Q%v4BZqWX1q`jR(<~QkduPTJ?a0U;>GH2v+7Y=B_p9TT;|L7iu6@I}dVY z0QXjyVxa8x{6P<^8uNV!h}O9$T`wQTQQS)}x>L=O=?Qv0x@4>TS0jcpudk0Q;616f zHuL-lQ$=7f;wSvz z-!zZel(Isq9|rCSJ|@pCXa$!!LFdi&@{8@q|F+!k6mTJb`b`~w0%YVTPw)HF8w)q` z*ZfS$b%cn;_^MgUv;>&fS%YR#7>fjPhV4!h&?HtK@pL|=kV$jWR&G{DgaZ^{Nuh8KRt@^gL^2SnwH9lTDX)ykWt| zHKWX9{!eJ;URUYlY}dobdL-3ey?&H^y_W-jNEyBWz)#Ajb4R-VbgjOsQCZIQ8cVpQuP=ua=*beQ zE8~~j>hrjQ)1kS=X}KIZErfA>nm#;zN3vOxdP>n)8!S07%)2S9}AE&``!5#^7ZVZ&ni0dKH%dICz^E-3w> zD7`s4t~51aCIPz)1~2GDEbo15A~-MSrQea&;ZIZ z#Wi3V{W^?E1|?#FfaO}G_T*r<8FAt@p?SFo-_9(cjkQO$dF$U3{J|g(M$PR_oD=UsL$;?X2fe5RN;( zv7iu+=pg829?4@0t9{^U2;+^}S3AJdIHsxAKgI>mQs6P>;x=Xek!UIXYyoO=wa?b2 z$zD7|VG2Eo1A-m9JexT8kWkI+6LJ-07V7 zTP(87y9-qFOLf$z2kP{NJ2x#544aej*lboOyVE9uY{%+JibYd>x2nre{4HnjorJNz zU;2QA{YS8!!v%VxV!DIWRX|4qMlZJ7VR6`O+6C@h=_qXl+Dfz`(;g}u9vmzS zNJUL7NJY0K3^SL#ai7~#zjZ~Gw*+qpcI&U6rnN~KPm^sHnIGgP^8fLsemtX0U$>%4 zDp~j2lqtbZ$K_5}AVu_c?`H2VdiW8$N4f0w#YQvJLLsreJ54|;XZbjiu;sXCJQdvE 
zS|+`+ACK474apG%eb@f~`fK3SBUycjBvTpZ0%o3PB4=_&&j*6dR$|inu1Pk7Y|{Bi zcU?fgRxIPc^ksRq1la7p9nphyy7&ZNQt~p`s!Apj5qh;AvUh%w-k$yYg0Ke1`o&`j znr;cDC(yO`c(r}+{Wva+CV%HHqosX@kNA;D+lH`*m)`l-dipQ>&E&1zeRzeJwMgCk0_0a%MeaOcIN4Db6e`4bw|@0r>GWB5mirYkXYWnf_+Twn_pB`}VBJc#I-Dy}8DhYr z_}1dU3+unhghfIvPyWM=SmL&un54Gs0?t)0mmO~`jFQ&>q1IGT{NKkVUj_`pB=6z% zggX^a!22)nLzt#S5a;`uS!-6tqW|6XMKowV1{=Y}|8fnlAHGAi1w{V4XX3r7Q)d8m zZGSEB6G}-*ArWAVop=^$I}#XX3t;IBnn)IOnkBEHFJ-yHi?}C%u+$UmJZn*J@Wcg- zjXGU;6Q(u^zuaQL)x6?GP}J+kzCmJd10uszF!0Hmq&PizNGRF&_wj-(26zjqbXUl% zi$$F8_RVIUln0N{;nWPRB==s1QUVMS`G(QMCj0lYyH8nC`y9kFgQ3V7dkn$7+v9RYf(yCq^?-e&VB<6Afuz4T@_Y=C>yE>s+wz zy7@9*NP|(%Rox6-eSwK;zWUfG5*1K);#NL2pJ54V?6h+k9AMdT^dq8~4ShiK!};W^ z?i@fx$j9Ea9t%Pg5|<`w^FD z&&Lj9+zOsR5u44+^D}-)E)N4utWKbiD$^EXDt%KR6v~S*${zQ;qn4?Ka96^9%K`b4 z>g^Jr(Iu@vxO2q%-#BCmjNCHL;6}Jd`rEchTC}#x0M}>t=BH_`QVGnkkuM4p`a+Zc zz9P2T^I*f-ig{pAXH%0kHeGUeKcd4-L8mdCxlz4(;JJJ--<`n{TlJGwcNAh90>TNM zKwDFYh5ZMTvtN}R+8?p(q`rC80hx6TpJ@po&MFj(Wtkr--mCi>#o}{wc21%Kssy%z zSfm=@6V=uJ%;EI}k8(~?pTRT$D<^KQj1bPCfcVoaxyoM3q>fwO>d2kQ{LkPpl`g4U{8j`QviRv2! 
zD;r1@f$X=(7bzeWzLJLo&ru@aog42FoX_%U{N{*Vgjd7%LM~FVe)8ZnZJM%9YPf4j zz-hAgH+-TrEf8iuOo%@Eb(bo+#_KrA4(!qq+xK`oA|erQZ9xh6zuEb82vwi?^Z*)G zOB(Zk+MbCEQQgH^BKx8A088$lzx==c_x>yaM@CztEVi>F^#j!zpMkNNE*3zr#p%rm z!rk?%&#!uj&9>a;+?9i73a%IbNY)0gjf>g{S^<5(;55`v9Tq_=5HK=*vv=|Z;(D0$ z`weSLnyP6=YXf6MaUtn&ZC)B(vdC|JwpX=|%Mrjn={Qj_vg9_PX9b5mh!`^0{8sq5 zDyLujAM?21le<4GV5++YK$_n7o3Q0q-|WJy@PfVGTYZgk=Qpp>lz1zIMFSwT|%ZvE^ z(zNrorL8bhb?={hKCNe2E-W^Yq;G(3QLXKI-7eLVr3&P-Gm0`eTwi1+(Zh{qNvLEh zSRdS7LF~#KP=NHD)2Oj^2VqhJu(65pN|8s~EdO;X=?zN@8ye>;x*a5FL!j-60w>Dm?`S%$5r%3SLMLQ`+UDk<+2An_{rq<$WWY zZ4Hf4{rNp9fbouax)PJtgx_Ax5aUHme06)dV+5ZK@h;{sA>3;7f!xYW72f>%UugDoN?R@jvnS32eR2;#XbHnR|>2gFkTlr12Cj zQZy7l^+Nf(#%l3%D3wQEpAYbi=HT6x5p12-{0$#x<3x7Cr6_#TO!2L zq&a%@1SSq15^4~77qw_4{fteNJ9A7a&86JmHF_}Y>VdwX<}igAHMX;CdXym?x;k+L zN$8b|W)XLEXLve!s60KOy^M+@$GOD;)A2eNP96BqCC0ILZW`fW*MQ0CR5i4o*8QZ3 zUiq!9WkAd?iCQS1MiS2FqEoUI8Y;FW=1P-y#-!jphz`{r8x-`@jPHtwYR`xihgsy+ za`8xTIBfr*DC3C0D8z~3TFAZm5(8y73YB0t`PA~K+sZ9Wf+BRB3@NcAS>wsMdxKzZ z*wxq=WnSWu_Sx-5IO>}HJE6(0>c{@d*Wyvvppf644!Ik8!>7EB$NF;@NDPjed)jPx}NN98@TtY2W0;TKvOsLC0+2Pv0%B(q| ziEB~@mU^ip7ql>8d=tdGrDi!br~rIS&4@F#ujD5>`gGjN>lKHH39dD8pzx%%h#Ax8 zbNUG)7AvTM)mH^014{!CAeDGz=%yUXI9(UH#)b|bn7c%r+#j#Hg0od=e8NIB?=R?SR!ZG`> zai!nn)j;4!a`J?4=ly}q)n2+}9_8?yD@LfmZ&`Blkq*5?De4rAlP92DWLUS&Imf!s z?-A+`!z}6zKY46HD+dHo7Ivt6e+99f6r+PWC(_1#^O3oJv7R)2hRc~TyM0P1=<$4a zxey0>7`mILM_|>!4T_t|I;a3*Ucv50+1#4m2%qNU0ed9^TP2)fAI;b#jedhs;iv$K zodV`|0aeRRM9qR{CycQaj1CC3o8G_ms!5o^=^h!)l-ku?}*HNC7z&!;V1 zxhDOBOx^b`vWu|JjmS*LjT4qlV%ARd0abjKH|yw>ygpKR~W6JG%tYH3dlkO zA(P22=TJR-N95H;I5YZv!D`~#DA#7v+89?sP#vx%hY()pOjCcC9N@c-r#&KvwF$k` zO+OVyc^uw7_dtfIr^iJr^{!D2O2HTQ4j<+GRb{`-%l*1Dt^ zGgPh;S+fsDxNwz7l$~--_B~@~5K+mf$dX~~qL6*b63WOjW8aq$gJ>|8VFu5suIqX3 zx$DP%)5+CY!Lxne0{64)E36b+Ii z20O@cFv2?^Jka(yE!JAY2U6lG(7nBUKosJ2I1%ItA(V^;^j+)f6;>(S}8 zIwCz?qcY{A&Wu=0C3%Z!I#b8b=7s)&KOU{)ni&>Bu#X?3cL0@5fN*boOo7*dFJgG* zy$2ZQDS~&FdPGH07w8!8?<|dx`;K<@BZ1Zj-cP+Vw&FcW?V>_W$B%F>o-O6e3r6{N 
zD`IUmS7Y_e;g9C+XWh`3M;{ZQn=j$fplP9sx_CmrTdlLc9$3ZkE(;;kZtABOl~Qh_ z{_yBDPmRLddBE2s2#-GYZlP?hcnNp^*GH=m1+@Mtcx6(xS`zb{d3QTisPVkTx!6|iW#`d5@3>=$8-7zkH<5CCtFYY=Vu6H3bD>8a~LKGwIt3tzXaxv&oD z3evHy6r$%4?klBKK$#S@x{d_}Xi+BdYE@O*?tol*z{@TuaHw#R;(FAT=SMR^xTHymW zb@tf76mIdo&p3El)AgR=l>oXxDqGlur;9yQ8nM2lF4^oO6)HXXnBM85swRdDs88OW z$a2+pGlbb>A4L>l@90Oq-tS`t;zLF7E3x?7MmX8Jo;(~+`Vx@3Ye3GESH|pos-S7*BXwk#17lVzfp?Kr=7oD|QR&EC& z9rR#07kVqXRPycKu*%dcz3_>vcFk^CV16DnL+FysrUae9wtG&rkz#Awd_*P%v4ft3 zb~`Edb5pdZo_`*(t@r8ilbp;2DihlWe2x-b_-O^m1D$XWLnRE z+fCc+mT&w<@@)d64e~fq!!oO$0EeIzRe7*!EZ9Q9CgDddsb4&=1=wfGV z%5~SSSjzqkiOG838l7&K6X|k? zW?i-Y*jPH|{Brlg%KPDuv{Y6GiTC2`i-X%3UAWo2nY)WMK0yhRw!vk zb`?RvIt2SkgS-`B57S{!8Vh8jwZt@w-KdZE3l!=1rtWI-1cUZo2x}2r9V2T0x&}OT z0h?phlXv}Dhg|~ZPj!*SQzZ8Adwoin6F|J3pxBbNqX!e3pZ3-E{j>^*CGc8Bgg(v> zmq$B_6ur~o5rL;DROE6cyHrQ7V1iZ^)P>sA{QSP7_;nOCBf;v99LA#qs)IKs_z4R( zl-}8FmXb}`?@A&f8`( zL92T!%Ft3c7drU^C0^)evs*=}BN)nJ5ka7@Q zeJ4JEVriDA(c?UjILU7|Itd-up^?gu=iii9ocyA21*RKjuTZ$Mqd2g_vnV?S!yn$u zsXtD*DZZH?-*$_0%7-{NsOT_mIu+!z%qHN!6WviW6kiC$OFfcv_^t5zOY#w^og3#% zpDurB6Yl$E&n=MHZS+ODg%m}xsJJ@G8(6dw)I`FiC3preO5#A;dY(>S(Yhs`^n&8& znyZ)NiNr93xAy(A=ngq^V?0|qPtTx|d4ds6#@K5T)NvI5nEAajfZ zv?obj@P*bXc1eDsizqBHo|19%sx}l%E+N)3^}hQKt@oAK75Q%nv8IcTu3%9)_XS4v zt>9Th7%jodZjZJ-VIkP(C0xrTSeuO50@dcEB1~51+ObFWi4}no&umq@ueNyhyqoh$ zjoj^4Y^3zQ&Ms~v*Sf+#_@d!07v*izmg1fd-ca;S8Pmd_o+bM4U6TgMLf`|lU+R_b z81e@>iMheY1GP>dytCpYP=!yFg>G(1cpzFYW{ zs0jR-nl|4?0>?#o)Q~C+xlpB@GN;hG51>KL3H&S1P8Ls7y?A#TDj&d z@l`nFd6-kJ_z_R|0&u(6FTDFxX=Th|;5^M%3G*H`05mzn)=RO=iuEh0-PWzhV*^Q= zv8hUKpbof+S>cP`-HGHSSsWMNUcdp*OI@NLwrQe??0bEuce42%a6ZdmiZJI(l%o7~ z>=e8n;GlL2E$*VNBlWEc64N}XUUy_K(fhbU2asuO3Fbk;k!?< z?ua3C?8>=DsaXwp`Y>)h0kiiv+sP}B8c&Dc3e@I0P8q*u(y4fK>NJTz&?qko8|IGw zP_0B_FOyObIJ-0*5dR^GEJNU<7S2`=38_JWRQcEuxGPCH^w|>^VJ4evX9Z%?1IvUI zRHr@h+iX*C5|8rf(J%_EViu$~cw@S;cJIWNAp}c%PY?9RZy9xshYk_A6ePX`{uXq> zm%n1li(=--wyca%#rn9XHd0D0lu6gh+I{)mQ=5=}F3Lhh(YyC23^C+r!k67ypt?TY 
z|GF2nJzp_$u(TKL7rAfXQkg52CyLv-L7fPyr#IGPDKQah#uHF~_Tlm@Z)1184${j> zMLbD4)zb>$W8ocA(@J_y6bNDsZ|E~zJc)A~;dYq)Ws!T-T`9);4mPq^E*J3*hT~j> zlIYGiED!kPGutY(IgfQWeW7jiT-ArSj%|2P11pS>a_WqhBcFZ)Z&ge2Irh8O`+eg; z@v+QL=elBns1(NlRo`)4v|c!mb2oTR4*;_&7pHFlCsNU8>3U$UTVH zm>xrXcBB2X5*1oj?8B}^Mq#4HOf>CSx&29sJnS;P;i5#e9^`Xe)MRxEY09hXqK)un zc=$!G%3j~Eq)|i3g5w`#Nm`eQ79?9_pyJA z2eX6Gv7#vCNm!sVX5|&hny(GdCI$5Bm*Sq!Fis(ev0wu12g-=0SdQP&qz!#5OuMuB zPH-#85b%ft#z@Aeyr&6O-zn6AVpxi~uYUne@(}LIxE_~)4<+kt zHhZp)DPQQMe=Wb6>#H10Nx>1gsmboxH7R#scPV-tl;bH-akwbDf-`1zqm;dp0(Mx5 zrxHndDVdU47L+fDWz8;G8|kU1w9w3NfPS>|9QNJnrbNUW@(8bMQ2z35qps(m`DZ^9 z{9c-kHgBxa+hJK6|6ao!sDw+)EELIHVZ*?}vvBDPJ*7rXm1+6NqEOh~Jj1}$g@(II zi`>?iaegDeV3R3heG3C%7oT2AuK0zfvk^t=U}+E*2x2MIP>9#(AT0N;h7M|O8&EqB z@$nOjL)Ut>zWBYStt0ix^G<&R@%5=0)nq_{$Y|>>E^YjZc___SeB^8`ZYi163Njjh ztek*WL!-gR_M+J1GBSN`4htwFuXhNp$GQ<~Y};(WchU0D#d zIdly6232AZnJ3*R3$L4(%#e=sZ;}f4|9#w=51m{3$X|nrBSo8@g?z#xzIYC%0!-fZ zT~eB9A6KIZX(;TC(OkTza$4*Ycn5Nrb2hCO8k^Yo$>UPLPh0cq6C}&jnXOVWJUH&Y zO)Grzh*48p;L+L!B~$wc2s~SuYc>lR9ke1p8bXkn;QBse(li;DGCCiUBZxtAr+6%J zLGkmxGt|#cUpFYRyE*%6sRvSu)3-5Bi8fYx1 zhO6$VKqDqrio0Z-(4I6K<1c2numW8d&fc944Dr7H9Pw@Wlj5%={ssE$5s$zE{0d(k z6C0bMobxer#8!d(IK%$ux47&PKD6{9myfv(+&cx6BiZOkQF@VmDMg7iSN2VDKfA8u ziaujtmuoI(2*qrX_pH?NksXM=v3p0(@|BC7igGS&dpR&-@iVgdW_z`aDlbZh+KKRW zWvsogL>k8G7;=oXh7Zs?E8=37g(XN|fS{hANC}bScR4k}l2-_dS^&5sK`H7!$qTfdMAVnO{xO0BEqLGdX>-$;^NpSux(U`>d$ z3ZmJ>=Ly=M?EW(C19=gSmszr(FYXhFzEpA61o%}bf*^(OM(%}ZAxPHI_cCM5{>*mv zcTXJY9?I~zw$ezE+SN(R6$|s`XfGke?97k7S3&^4$XE~bmD6IKdPa1o-rfinwAlY5orF)y zDp&~^bK{RHefKIyK6oOzCRkV*UZPOZ^;}~-4SizCKuD3pkh3~PPXHcV6%8lKq1X&^ zhd4KqXw+mJY7dC7p)@c_?WjtD<5{@-R8tdnJ(Nas;MWwXDk_-!E6Q=Q{f4Qr$UptX z`SC>HwmH1nOjZU8XL6YYCP+D+p!;2i2wW1EOWA2(6SeIiMGa+!Pqr|l!>PM#{t8Cf zv)6~^VF62FF5Ah=y;7BsgE+P9CO3Dsn_2CMCfAo|HG z2EEjw)!|hFl6drp%;JIT!rFPYx&0_IyNip<0-UW*eNx8S3H--JZcMHhKq};P}ya#y|9^# zxmt^NZmu`n&Q}`;qS^;f#*UZJxBst8{>wEVS-PG-Clq=CTYSNJd)lWdTIo)k^WBO* z@KyKCDVjRXsgC<}Nu&8odXmlj(*s{f_|eg)X*nM1L+WAABP>9R?o8)J7ZCJtUQpTg 
z)KP2cbP1RSU5~1(@th{i5Gp5Fm~?*F2)Npnjce+m%oW0(V8bb`H{xdBQOR0_xyNAQ)obh%Mrqi_?O|Di-gTvD*Q+3q`CG2ZwD^8uX(jb;C zzk*tA86!VTEw?OPe0nt(6!reHGU0oI+K~4$ssF-dsH66j4+KSWv2i{V)6>gPlY66uvx>buDjm<$WCDM1_e_-M!U;VGwW7^&y?iXIhF= zQti~9v~#GliF0U(DQfe$!YZQY@JBXgNMbngXdCL>uc%TLnzg`D{8E_dv!gBH9Y;qT zZpoB3`$0qHX_neclsP z+(|LIctJz!NDkyBsBrydx_t^-I>L?b~VoRT8~@8XDvQNrWp|6US9gor*-z4j~&%Af9qMg^{39tNWNsgqyW}N zbM^+G`V$xSHdL)!3vkES1*1Ho%j?p)9xz^zX8iE>x^1Gd&Y>|&-{|m3(c)CEU|A7I zs^!O-8`aHZgI(?DV|M7d{RwaSFbu7_>CdzOUa08jC3F%U` zg7@`b%FaPR{^`*6RAW7$v6NX~;JZ+ubP2n)d?%a}vF>cL))i$<7r=2eyY4&MV@tmE95TqR zTJqble?vdWM;8y6@T%M4e4E5=b4$4&f);$UXC!hkr1C>fS$VirO%s@!n0)G?wiEjn zJhW0;Q(AiwC%c9=z@&>LfREB1oT@(yk~WQM@cf$#d^v845?ETWD(j#swZp2J{CEq& zr?op-)Ewd|!CLo9Ahx{dTn5(z8=|Qzn+2be)BB7WuQk8va@+Ac(N7@g(>Jr5$yt-H zrL3oB2O~b?=#yPOULNtEjSkWfZjT=%tLLlGU5kJQQTRqb6m6G>qNcE=!lmEVF2`E0 zMgY~iZO(qR4rVU(4B>);S~eZ&b-6&9^sVwlPh*gFg4?r+{Vldpo+?iTv| zcS-6KKJ}S!;m*;TzC;nA8@j*7(hwV=7AEbMAOd{B3O_U5v;UN)e-D}4%C}BSxMG0* zTdZjU?6nbypr%K|l;#r7u~UULB(n96Kq`xd8`Wf9#m8g5zcTn|YB)$fKX~b&_4Kcj z>2Jg7daoGS*qZG+j_oECv9pIo+;bItnG9wRKz;;b;ZH~Y$ZfB@QH;(v&IzxjQtGENXI768FJ2)P%>oJ4b-xwk8kZT877 zb>+Pec_Im*GQb-x`uCakGl@vdF~DlXl-?=bOE4&K1SBcXxsJzErbgozfuOVh63D~{ zI}3o^{&&_p^sj7vh4n6t<^ur{(9=opgF8?2e6rgQ=hAC^%ct424YNiM0H6ggj^_1k zz-Ax{067c%|56zIomPLa6HcHxp$d|vuCHqjsLxLt4^%_yNF;J@-!Na6ot@o!`s3qn zfFyoqD*xo(=NIR#0a_)g=r&+E1dExKT`aY_l?fOGAY~t@Lk|%4Hb0-oQt^Nb3!u^u ztzRs1r2jhQv%j}1{VgKDeV-P*FJZM6aKHuEdNsIbq{0K(A|_St)(X4py+~MVKA)yK zEn+Zs!z|mZg_L?o8IVN;+u$~BCmWn@`~=tBJopri2?ua5rLQJNvfqNw z_KOt4bg8-^&RPCe&;hB0+F)McY|0~T`!r=O-vMae*xwixumIQ-D>;y)B>nC8Zg)bl zA7$=9z}GP-+JDX{amw>2&_ocU1n63vfNf0()CCX}kPK}C(8fPt&)>9u(qHpLq((*n zs^F0%5!Hc{x3&$MdbqldN90{h)|j^VwJAfDIQ@AgR=ME;-q5T#;T+uKAUc&o56zVtJdGg zs->!k{+0#>e|F(P!nD($T}gjKBqVbIc-St>CM8a%{K;`7P%KWRg>kgK1Nrd}HT(Y%U)xW@j2L7S6!yV9opRNgx(8`ldD%ezN% z%@V!hA5t(US4!V1;gL*5uj5zz<~%{pk`8M$Kz@~q-;yRon`}ZiwO?DUjK2qj_yfH1 zz{d|iaYwh$>(w8ytF<3jDhnq#^1^=aka_*^n=|((a9kbNu99XQIAl?d;czg5CraDt 
z)y@SOr9AuXCGq{lMq$;uqMGV*$^qKiXG)3TucBr|@BGxHL zX$E*D@?5ae>>yJ-RRaLrh?}8~j5wQ-+PBP~HnvUK#oln7{0T459{?FVm9$sBPygs- zVaqoAz;?v;Y8UgYTTx@O0OJJoe(PC}9DH7GDx`=>oO}EL*;_P;7ZpX!nBszfI(zwX z1@BqvRiTuV#Jmzhc~(Yxfll%kV0{&S-VFVDfI$YC50HpMRUSx-`_5n_u=3QA4NaN= z^1{dMQ9$J?DhlxH-Z?yh2SWj1t^&6S_>(2{d}87+^+1mK1Nj#vUh~JI955exd|Isq zygt?gBD)Ta{GME&^y8I)dzQ!ixaYxxfJ@%Wk6rlJ*42l0Ka^5G{|_MLe-e&<-14fy z)X#C~=hh1r;txsRUt70)e+(RdZDln9Hp$_c46x8 z_$Q*)Pp;N~=lV^-S|u-&# h{7vA#e}}q%`1JD4Ng1J|t%tzRRZYF$3)SyF_+K273d8^a literal 0 HcmV?d00001 
diff --git a/dependencies/infra-as-code/bicep/modules/managementGroups/media/exampleDeploymentOutput.png b/dependencies/infra-as-code/bicep/modules/managementGroups/media/exampleDeploymentOutput.png new file mode 100644 index 0000000000000000000000000000000000000000..cdd9568c34b3df6342909634096fd067fc03e5d7 GIT binary patch literal 229300 zcmeFZcT`hrw>PRA#fGv)L?cZFg-DaoL)%L4(nPuf5h($wp(8drNS6|jzCn5qU6Gd1 zTYw})g%BVRdT)2(`|jdC=N)H^`^O!3eBW^lHLN^qt>>A2{^pznKhRV~cFoCJP8 z^IX}`<=8RSz@xv%BT37!W5*7&RpjsKd6>=bd%x3jYuxm{CMbCE(j_MgclkwGXpdBH zq7pfHbuCp~I(K2ryG|Nc?rn#tt8?2_sH-%F8^1bn@g$y~~Vx$C>m^_(E`ql{)8rh(Xa_VZHUkrz5+Um(M&VIFpQc1g!k# z48-tvvmTzl@%q>M|NTF=u2SUx!&ksP%FFH0sQ+~9>tA*DN;NtED=z8 zZ{@N)c2EO6@#g1u@{{)jaLuPl+uKX{~^ z_*y&QXS(TV_AkoV6N8U7kag-0p1gwuFUUcDdi(2lIuQ$!7mu#3ef?{nrM|x@{>*8%~?g?@$<6#suKUr{=RG+2mQ=fWpMij^2e=S&;L5~sLb_$o|rV+ zcxWoBw(Si~)Db>Sw~-$Y#MIZXR8m{q%>3WvN^2z6kpVcVaDfHDCYgc;Fz9 zRL2k8WOVK)&KNGV_3g2Z?>QeAj#x9@@8XEF0__uz)VncaJ0Ugg@x zmpfSR%4&*jGSLcW^4)LmP)tZ?WYK6Gb147%Kb|9tWq@G6s~58EXnCP#Q+bNe^d>Ym ziQo{>C&@>64}U-#5pTTDQLbYa9vQJ_mvV+RSH*Zdh4R3&_||^i!1guMkv_Ob_1L9M zY#eC8I5M0~!10>_aJDX|K^TguMbLh=Eci*X!T)?hoeQ%LRlavxpKbRpX&x4Qdnv@1 zeAAJ?N_(zuvrm6XJ0MMlGOM361W36Y4?DYi`J)%5 z?&=>mL#ExHh!^?C)ldzAFz&HWOd5%o)un%)J6H(sf#R9y5Bn0dk{1)=uFC*KGBkrYREhfRG zt90p#uZYp3VT!6HPi@lY=UQyx<193+tP=e}%?C4OwGm~kyQ#6J?Tv9D^9p0~pS$E- z7{Yw;H67@8GldGcqGJ`-<6+AAC_C(}(gR3>yhrM(U>VfOwY1WzA)-OtMa{m zri>EpJtftHOqi&G(F}5*``mkq%^=$=+z}Ni&=zmdn-X`bVO3?$(Ag}b>B02^UA2*< zODB1095=90bylBPFwRG&ChCY?{F$xhe7{g;nyMH|WVO0?KZCtzgFaPlOLP}`fu!w9 z@q_-gx=cg3VV}iiLuc~RWr%w+49Rdo0Xnd%Bk(HCnH|>)k5#2WIIGj?QvAlP(60^C zcSY593M6b2*)@l)C1Imk3eMKVS?3s+u!dqojMdU-qr8I3;^bmp^TyG!1a?jQ&6ZU9 zh2Bf)t7eww@qe1KtUkaN>s$a%z5)VdFV-TY)-UI^DoA`)*v-V9inz_OmvsL*V86Q&el8S~!31B`dzlZSrEJ`*Va8y~Ymb))_6FeVVRO&t)=nsIe!UZ`_P@VylL@5ss zz?^X{{g605-;q%)-|z$4+tPwzbS5(oXf?$!Sl$@pHNS32dt{Rr)&TPO@t$2Q-y2_o zZT!WSHFq-lt46y2;wa~4pqYWAmuHNgVFK5mUIA?XFCkkL-WS`60&@(n`l`Zn~m zt~!mCbgSJ0)KDuZzN39_o!L+yp&60Z@Lm4MUUtkT9!WAlEEUf$Mzl<`_EI+H6VXq? 
zCoJ-xfNAJ$qQTwN7-}59A&&3lh_iC2UZDAI%XlxEb%Z1wI8_v>i79JI$f{heoyWn9 zZ?}ZmCHPYLzbJcK*#K&jwR=QCgZ`)&l_^;yGu+;XXHJi>gEvdzej{Tg<6yH{I9|dg zw~IiyDCEB#0R>4~N6|eZ8|Kp82fhC_`VgQcPhC^AjMnQ2tPllO1lJ>KFq0fMPZ>DO z)hW{!OYrJ@`(WlJz;S8wu}>!NWclAPuNEy#z^$9mhsOJNOVl3jPj8X_3NX$d`C8Ji zEs`3cMr}*y^AKhOM}8ti@QpeNsR#jaY&?7`cH3jI zLqdQY&eYbPC&WAGRugn1Z1@2a7w5eOMfJILOaHR$Y9<;9|F=aYMZJKOm{4NDlf0N+ zA!^0Y`}R+9l+-AHIP7tBa)oN8br30{r7#|*ZgH*-#Y;mht-}y(I}&+P`_l(m43hwj z0lx%-3XFc6uSXyFWW&xUGs>R)_NNzbR*L1~jmWSBQII6mq@WgVgoOERzlGer!FdR% ztLAi1A_bpohQWO&I|efaIHv8z>5ZX36W)Vka@rTY7YqiP5YN)Qi{rrxRZV|N-K^)o z6mxH|5^t+`d|3Ns<>?vo+sRj}JhQK&n^EB)8;RtL@|9irjdXB~XcJ3Dq*`{QKF-IO z4Ny=|b&8XXebfA&Y3^8jWvi6H)Q&`YibX2@8nmigfV`JB$eglUsN;rN09_qL$23Vs|oPkG2UpfeUe>H9C<19r_WVB{)hXrNi55o zEE6&heKi&anTtGQSAJVd3kQId1 z@}uwKynYz}Ho*87>7>BEJ_RlN)I5$`?r6r@T8-AIqDWCo?v1NUt|;FvC}`g>)OUNF zDY4X}L2B)L!3;DV4|xtK-V=e!*4PQ#WZ3ttv)hf5_pJ`s8%cJ_Ru-)gRPLecc52;1 zvR7}kw_){wA z^?c*8DoFLlt=J$J<=dTK(XlZdcz?b*V@)B665i&1cwh0GZNzHx)~?8okXoXXK|@$- zm9oPo+hm`m^=Q(EebvpH>_q!C^OSw#8=GtEvR6{Vj0G6TP9U$I<$~3H>-*K!`4Ymi z7|8RPYa{K-Q;n}9hNUM(JHwLndSH7l=@KJ(Qq|deTk5->;Olnr677psp!Ma|k>Ysv zxhi%uUQ4-6X$QY5!Cr5tUYopDMnA_i%dt(?p@ z?rIii-h}v4Yf=k%TvfqsUYgA>fW*#z0c?KYOh==tT4QHOea`8ENb3f(ZdbnTzxGHt6NHz}NB0bdJ@erMk8V#cOrnkQ73Rc}zaTZ#&9SoSi%Tgo3SyJD5 zXy|vgGUUB;emGj_?TP!p$ID_ld1%_1bT7p}%4JE=uDp`{?X%l#{dCcXB9nxOjnFcC z)3q}bjRd)Yrs-(c_inw&goBBNKhl##h(G~7yh%3&fs5^yR{2lZ9ovHW>DvMgZ zs@;hnOLsl^DtfQfTH%T&FI=!?Nq+^3w(gGRC$dqS~LinPUp?ZOovc7uwER%X~XYs_A@&T5MSlNRS z)n7EIJy~TqVCVE8pf@#NpJz(6x^J_g-MSOLFXt(>=SY~?Uu2Ikw*KxR%(;xbKAtO-`tUfm5KxCY)$Bb8P?>BxUaolR{^PMTbeecX& z{#3|wx9~O3&-O}_V49JtjxT4*GhlK=KRmp6QI|gSx(bU$9(JrPIfc%DG?v-m zH#Zh&!GHe!wzHqqo7Uu=qIbau7N$k$=2Y|9#V>UY<4-}7x4jN4#jln-9^f`65(4)( zr7I4~Kf*#5{ko9mAn@&^)oZ982=AVPj`t(QM;q<#$TtbSUwybF;#cGOBle_cq%;zx z2!?IO57ZxBCp4ORCED@Eb~w3UJ~&bA$FF+Uw<22}H~=20SU73g33DCg|GNQ@@63b|IQ`R@dOdB^$MPW1b8$q^R|xmZ=HVqu#jJFD|+d zdivz-*2iA|MsbU$JK%jbp||}ltN8mgiPJDHfC5_*^77|_y(XX1%n&R-7Yeh7lAiq; 
z%D-a)l6YkaKo5laos&VcI_HV+_8rAVkF;bqKA@6wD-#rMn4J>(7KognfbyVkco7o& zeJfL#^+vGT*>UlH@Kup%qx07SjH==2_F81>LsyMkJ0^J?ydN)nV>aD5xG9ug$<2n| zm9MF3!Tg!7thhb-e?|QAI&8}c0f8(DmERcZGRp4q-~_Rqe;2C zjb`@m-lo?!(qfaPDNI_Rtt@+rv)ILf+Tt-JoA-h;#s($mV5(u41p7+SSv5cqeBuIl z?qmBdZ>AN!*N)YNIvQj@wbSidIEp@yKcbHuzk#XP#0p0H@tl=NQ>a z{nLgwjoXPn#3kiUIC73IqDNef}RsD5E(AWJZ0Z9uh?_9#js_chBb+{^30c+#( zti!i6Yp#*Tw>zh|Z|#}<>Q(Q-UOqv7`Q*Tb(Kp4{any?_cutzkYsLaz%`v5&D1p{f zTjJRV`r3=favyx}Aw_6>qsR&i9H1Wb!qx(BQ&Sg>#k$+Ay?WJxogclG$e!zST3K*h z^K{FXsu!7vf8C zgKP7(+?jinXKl#%B;_a7YD`^cG}LsO)wAh*44yGNNo%v(RAa)ulh0t9)48}7Pgh1L zgK8#>V#Do;VmifhQp5ZR1qZc3PRuwVvF#227~;E*_yV<~)CuQpWr{+0;eGWnJfZG^02|KyD16)$7T)f?}By{{^G1X_St z37h_Fg(W@b(C0!MT~+0Ga^Zds&N@%^ctgTgKB}0Ub#PbOO0i>Y)fPf%)*Q3hk6Rp( zKWBb$@jeG>uo-6;Q(7E|ZGibSKTBwouLj-q%HAHPrf+lT@K-1-zS6xJ!BhFhqKa8q z7J|+~yzcsHX&Js9x1+@y%D#=ws(QFnN9r}hNS~|&^dT3mkx3Kcl#FLUF}Y1Dwp4y$ zTzFY^1>EYTNH8hqt@l4el@k@r>@`xdTIb4KEmZO2%~cO!-xiDR6MU}dv>q4s3f(-t ze9e5QvK_x6r?$XhEnwa#?z5Zft3|0HNr9!B9{G8EQt5NKH|11ilyicm9JSiDst$!c zUfqN0Q~jI9AhNMZ$N`?mU!J-+Fvwg{M7K5e+YWm9pF>@h9#0Cx zG*4Gr*RGj6CbRcABRCi9$fr`Y{<8MJeEGMvFK-RIn_mV#dF_w1=1FpbCXj?UheqH( z+GF2<`mwSE_H4{fZZajV|HZ;GQ$Vk)*+P`Ul7&$|l*0;{S@wAku%w1(3;>1B2SG*pG zgoo)#NI!KQ{1O~L`SNV!J(#*be{zCUv%C0rp_ao>v$AVNVTFv~Ig!13sR;~iQcnxX z*Wa|i+&+HHUuQqyg*v8rqO1wt7+mL%=#jKf)B3a6pz{K#3xETGFuckG)4YSgLGq5m z@gtjQRw}kf$&iE==jf#f^+%_J-F0X+*#O&#&rmRh)$vz+$j2u6*UIMSan#UBIjI>( z^3~F|8lRx%ar}~OFS}Fd!lL5|zgv8(Ho`yk8{aRHqYtt;bd0&8R{#u*1?}PZO{fSz z%4^qBym$i(Gp>}B{s<{4w#ujEN`1~Rrehf>X*U>k9pFBf(X@YW3Vkcl^qYB`Mk~l> zDPn6*npW`5P#=6at1OLcQmtr2+r^I5=2nVZw3nJS&SAzhPg+!Cfk>me%c-~W;((uM zxJ7~E2{YVwrvd1ZQgc;m$&HI^nE(%z|-lo;k^GjfLi*W?wGJHcbsd;oUjBI9MCoECB|4}Ym{ z;dz(LmQqsX7Z$Na3A75RMn`dRMN>@0&&T4D^r<{fuT;&q5iVQU6*~v^MomS324S=t zZQdDz7DA7-CABj278>D-WtA6aKsefhEkq%Ao{Z#Ls}w$cAj+~&rc;04Jj=b$Ia`s@^$HNlN;m7_Ms4tS8w^DEl-S~X*|m84pS?2wR&uGPyH zB=qIH2`{|Z%Tj^Hmy3<2!DqjOmlY69A8acT7uq1tyMp?>O!Zm?2E75S$`aSnw(%vR z+1qqup``vaIgbus!u9o}>~#IuVsVUwwPjIZQg=KIP%uU}d-iuE$WetNSKR9Cr^8Ig 
zH@at2tND!dhWcN1I}>zHY&_j{pC!d_`iW1h@{l!_=b~nvjSmfjg`9QOL3Y&LP|}7H zJ~}RWQMw585RKG&bBJ^|?48%Trtq=r?2Ar|k-T?LaQ3U2C+nAdHB$ojPL}t1*F4E2 zqc_(YYf&!v+ld!-nKT;dqu%S7^kACrwYCdybgQhf_%s#oU-cBaK8;;ND3d}iJ68*R zhl`7?7sejvabEKn_`G+7xfs75!f&iVL3Mmp_@wP^%|dxwbWnA7P{dTN&#Z-Y65JL0 z`sBa~vefOT+kv_sdzCogCCq?Nw8; z*uZ(Ebv7VpbTRxM#fD`MKJD^l7x}sDPsvB}Nmcvr08Vd&BE>`M-qEZ1U@elb5 zx&H6UQ))01etIFqZ!)brsQIX>1-?yyl(b2r%h=2hef(XS+g=O@dqcAUYxOTs?AHdW zI!Iq>ZGYWcsQ{B`$EUrFmuh>(My!Q5oR?ENQ^kjku|RJ#2DEG+Hu#Q8u-(xPFd%~f z%hhP0eI-ET2v%UwqumH!8m~R{utGiw?~g7(cs+zYCO)g%b@#xkF_}wj%Ks)Yf?)1E zn=CeR;)?mH;a$aeeQc4M-Krs|^2^F4uweV`dwD||>W0I{^6mqsu&-9PU}6(x9?D%J z48I;e>+pg><>S5E|%irTXn8ZAFcK+peB1(j_a;XVTWjk$TF9t!_HAb^gm7`fp<@ z3KBjYSUo(Z9zO+xy0FtI)u`X{zJU1>0&~s93t6hY{OuR~Y8n$@ z-VNTuOS?C@2qgIIyL_!G^os=RH;Z=M)xG)Uya`Wijjh_gyE$tSm#UgpmrOu=Dz1Lh zWXV>B*$55iNd7CJVJssT4@`b4Dd_f-fVHu36{Q%rXzEH8r-VZyr(>_c2>B&rarZcK zKy4Eo19=`z2Ewn;3ePDh^(R(e!IwU7&QiB?UZ;{K`M#~{M8Ds^P}3VlPC1}hy>+ax zv+EL6ul|~l_NR5UBOeTT-bK9i5@j-fZE&FHrZK3z>9PyPYSUl1gjG(<$lX;+ryukEY} zd~7w##(3oJW>ONhUwVIbd(XXd)nKPy`J#9ddE~9qsfQoudQ{R#?WCs2kBAI^tj$|~ zJKS6CwLgqje1LCebJE2Z?LfX@M-`rpKIxKyAs5l5e3-J)c)8#eLxpqJ%dY~M|6Fr5)ML*wO`#R5_nzI;uKF31|*3~ zoLvy7!U{mor@;+JL6gFs!ed9*DPr!l?~MlH*!-RZwdGZ-_AjD>xAIQivHIeU7(ap< zkxbz0IngsS5%);r!Iqy_2l*+Un_O`jkGK;rAB$-%xMV_`Drp&C-p#Jr^J)Dd0Oh38 zFIu{K!y)dj9!6#6rj8N!x*Fws5YIjP@qqw(lDB9q-cMTemxX${=j0hxsyjGs6zeGF z3fbD+$%97)PZB0qR&M7x=UV$U>auE&NEPL%9iC73Pj+4^nUV3ZY@i|>69Q9kWmkeG zzZ=R>Ca*rn4`{KanHTh)?8kXOvw2CjTgAs}f;?XB(p)`ruA#qO@hN!#&$U_Wl#{)? 
zMHjRVcr$ey=poS`(P&ZivNuYVT1hEGjGdw1WE8?yqhK&ci=I z%!>JuQ8s>N+u1%w6PJrW%7y4gKck8D9(q7z)K$teSM%4e9##vUO7YCk4g1aZ-IgY4I%Qd2b^skX1^E2G2mM+(hy@Lz=Hq zj!>C+R$tiH(eK5|-6K1rFP~#(NBfOq81L!|(3mH{hbPvfZvm>Zf(v2=)u_dLhW7r5 z$s^8{^=`;?8rz0Th#tqSaOM<@yJ;)7b}a%J-QvChzA%fYztkamEH{Hg15?Rw_~40g zk4ANTKygP^l2F<8H(^E=V@yCfBO?MRXV}O5ej2~OtxBtPpqkIX_^f*-km%|0CU?u2 z`Cxq}eU_e28dUD{JUR?I3--=7ANiQ@srNNjBafR&6%iM}p&+|Iydo06J^M7y*lRU* z^d@;e7zPoX5w(>gFP$M^4O1Z>rg>&3QvwYkAI2pK;oHMojW{|k&j68Z-_@+See@Ds zy4-9!=h51Qo+qG<0;>7T)fkPcnm6|yj|)z&B5gsVLicB<#yi{ycBqCAwoO!=)jY+^ zSeF#vCt*r8oJf6kabv?I%+*%X!Ghe}uUjT$%D?R1$&V9tge{L_EI;*}X|rMAhAp=RaK{9-c$qZMou*R{BD z_69!FUeRK%Rw;gs<+RtUlZN2~KDYPeH~}H5Er2uM(meqn6hH+h1M-}^<(jlYcf1e~ z)9lw3eofQ>)!cC(8f(5^ECP-XAg9F9B0$5nhc&(uVwn*hRBw|TVlraj_;%Au{s@9>M zDIO*gE+P%Qb*76RUEGdaJQzre7e-o)w76vVhHNnqR`^699#c@Q0CDKt6yGGGjp?1- zq6V!j`*>s+#w#6XY^msrytQdC)aKAsrEy1Y6IPNN6lZh%u9FTo&7xfdBiPZ){Y@BQ zT4MSd0V_fwrGqBSrHMB$5s6?I#BKsSs?=d@X+vUSb&!(-A0+{-u2jc=GuDc%7Rt{q zynB`J5`fToC4OVwuBa=3=U464gmL}% zzZ@5S1bYBrxA>*@z)hPa>y2$q)OgrURy16oIHo^si;bM#t~;F5XQwsei8kcdf_(+Y zeBKoJ-IbkLH?_AVXzGuE?(_|tKNLiaq{oN4edm|t`zAM`E5G|ox5zf=Wxn~XMN&Er z2<_?)PI+fylR>_E*}9{=>woA+!uy-GX6!qU_J_TdtSn|~`?dYc!I6|d%HoC9>CvXW z(nq~YTHOV#{m~OUJFAen7~P)ARoO#W)2017%|Xw%MV7dSonQWhO*p|c#F8(%1M6W7 z1*Fj@2e5LW_dtT*t`{YwS9a0DGTH((>d$Pz-#PyQ_q#a9`H5Xz^!KHi$@>)4$KN{| zw-gN{Kq8|F%-B{YGviH>-T2OWI+mtF#z`I_E*>4?-K;T$j3iLTIM`XVCP(Rxe15L( zlfB&2786hMAxk7fmTE>P69!~}UPo}}k*LEhekrN)LYX3aVAIVPR{( zG<+`6{rKG{IzXJMqs!sDQ@aa7Z?e%ZlHvQgm`%Kmn8s4PT;?u=si;>|MTMl8j)R-- zYTVjp3a-P8x;$c2U2iK{obG{s-Q!GM@Rb!_$g#$D&VasICTN2m#n=<~PB!wT)skAD zHxk7T8u8LZA)Vhrmxo-=%O@ajHN<>EjL*!+?l?%8sp~BUxDhp3Q-t?InwHLo2t6xfn_rumk-nK2`%72CI61b5J9(TVO?q>=F!H4>E zO8mE-BmThnf>9e?$`e3uOw9d~qDvLhFvUh{ClG3SSuib1P}nX;Ehk6In$JSs7TFo+ za9SYWTb%8#qUXF99TzYe68B^T^6Vk(s}YLh>Ha$&Q=od8S?uGf?B&>SU8HitO_z_x z*kSUs0;q}GJ=To%8^Uii5`B>2G8uAC5T@_AEn4;B8Waz=&OVGC zU3WBddw8v==G^Z*NQg|4Fh0o%fJ;D)m|ByJAxtb2!Z&cy;{+#A%8hzUNPRNUjtpV7 
z5x*w^6>VH!gYJ&H@VALzwm1&1Z1AF+fx35Nt0a2a%|;r3o8D++y)Ch@?CY0XhRg`U z5sLTbNVqw(wNHr7zC(*J!i*`8^jA%z@f~w9X zbV{e*|ET-e$ElRg%w&Te5GoO!Dk zV~@9x6+?X+$mspS&m3(@mI(kME{%z4-Kg5+MY#Zd3w5oK@u%>ZFl3c7)fMxupJecb zc!jk=ulP8z%uBjG+_l!>jmw^HZ53XxkT_$q8a3d}OKEBC1oqUSvPlWJ(?Tw%N zJ?mkQ7nRYou>m4)o9OHhOsSn>IC#8V5|m#u)048EgB>p>N-}_24RXguR2UcCK4McH z)DDX>f8DIG@Ol71L8(lR7q>=i&X2(C`(feHd?$`DLFIuTRTRmpA@IPhbJJf065yb% zw>LB(yRp?Cv$f8q&^mlgCZ(+?*$X5-BYG1@e{00eCLGKbSk}hczk$}bk#s^Qk-cKy6Ddv8m|aZNOkwU?n;dU=p%R7+B~ltg3@ zW^5IF+yVzCax+Q0HQ8;~sf> z+-+9ea-&!cdcT_WX&n{l0gAm3AU@g219yJ8G*B*tXe;QO6nV2E3VtRoAT6YOo8pq9y@A?PsqsGSm?@rlaOOeMM)C%kNT7Z)9wM@>xTH2>Lex|x>mfqy62C@~<;;DHJ zCm=Z}Bkgko(#_6il(cX)Hej{IJ(+aPMdPW?#IRdzdXh*W#nT<|3j1DsR zn`?l?qwEYUlnO*Z*gJMOzBkrQeLJ{=amJ>`7*}+2rL)0I{iy#Zg=mHXW`7V~a@^_r z5N2MNsv5ylR)vN@UCwSStk{cv(1W|CN(j8NWiSu5i3^ZJIlXcGGW}cnZVkHe{1NcV z3P2pQuW#PHksZqf+F#N0^Y!n4vpQg@TW-oW5alOF_H(G^ICteH#Q;MuSG+9N&}bTu zo8Hw~_k$^NnEXe=*{TOXOedm@!&8lDHJMoVA9^a8k2LWh$);7g?O}BGJZnd7AQZhR7^x%x&J7Y&2V)(F&D~o2gYjYP}l*`p8L9dVpD@vlBi!LMba8Z&Y_c zH-E#|=bPqhnM7T1Jia=<-pB9WSv9T;RKyoofZBaa>4c)PHTm)wqQ;cAo9@{`uT9)o zpn!^vt{dttzp%bN}vGWU{iIYjNy#uvUG8L^qR^7zs1Ls6B4f4@Q zo*_*CJ{~&oD>R~N)huQv32<6EYe0W}yyk&hht5$msT-T1$Gr^dg zdx`M&4yr$(@ZWDA&}*!}Gf8}+U% z^ayrVMwBn;YDL@wjk59OCG`h1xF$8NjSmiv`WZs+x09k;+iwo8U7dAZe^q@!LL1uc zy$6g87+B_9{N9^_TEwBe#QN;^MtpE03k-x-0F66y{R}tAoJ~a%YGi$`42<{BsREPyVTrf9~aIdW!MKJd*`bB>6L3 z{X=Q~KKNst=}%bW&s%}-LuCKp#^100@uYX(Bmei+|0MnYNbu9Z zaO21j+w?I43)oOZ1bccv{tMOiu2l|wP?xlV_U=@j0! 
zO<47nq%`Y!N(Qc`dM8Zs@^4ywroE;=J@A18H%&qSm3z1~HXv|5Zh5!3)2a95Oid(_iJ zX~!mfEoY@QL+pjKpMHAAJ63cvEbCo%?F_0g#vAEUWgef6Crk5{w*x)lZbZ5?M|88Y z74GGdn{&%A=w{M?*+T@d2e4iqzn23uY@>cjqRx(BgK%KjWlrgT?RfQ)5th$WhgR`s zYygJ+&Eub5-9ZQY3egMFL2lwj-#ae`$(0piOt1HO8j9ZXiP&|NW(WWKPH)Nf4+a_}EFvO=#xw*&iXq5JG@Kq5`B zM#5V7Ra+wD2E1JheXtFz)`>}0t;0M6MuXS)iD6VC!hDRU;R;KfFS)1|GiA`I=2qIi zQqjeBsWGiVEDe!xx^I9RG3&)~Eo*xGR-U`k3WGJR{xA+yp*=La_~ zq@7T9dn-z}%>I)fs%73~0JkCSp5l92T2Zl<(llk}kNlR+y1)exxprn>2*X*YNNCrv zlHM$>o?kkNIGz^PtF$IFrpt9s6BU|sXVS$*k*OYJHi3HRCYetDP=~i%`kFgIK95Zl zHDs<$+w@A6UAsz@+<(XWyT-Bzm=SZ9?y)_;aYqPH~F7fZfN z*qn2X^i1MD0St@(_2)M))dD&nedvZrhiT4GPXEmeuvG0fwT3otIiAgQVt>rQTbcU2 z+9fl0KF_nH)^y6Kt^kP=gDkL1Wp{NzL=7}CzaXZJxzcep!*$fYeMnvD-ILWm@pF6R zD$CV_rKWaaRXLA~p&xb1IepX@jS$ea#jWoa1-cMeg*P6*CpTlF6cU$?FU`{bu31^_ zGY+cF!BgZgVNv(9ZoBd`rIcJY7pgbSu1g!eQ7$1yKxR$@!&P$Qyr!TU> zeA^D1;PM89(Av$R9&4LCq^FR^{CTh*>o_A0FG?_$UafpV;d8fhK#uXA5ALxXfqiwi z*%J0@{2sYE(FcE&dPS2ZZX%T|f9Q3_{{e^6Kj}KBnoox}^ybznsk79K8A@3Wv!4x{ z8vhksYE#;4UJ*LqOL23?_BBB4mFirRV722g_#5!nLc+3|tKlIe7nTS+qZq#+#s4Y=wt<1< zN+uT2u{5$dAP24w^QDI5MWAb+HW_~}h#BLfx^n2q6vmvABTtSbPS}z1T}9dB4jgU_ zo0;`2xffSrep%cGK$7SJtabN|+!wp1x&;+d{LoE>;^n%0qbw2UVDqSm9YxPR)6Gv> z`|UhCqbNId)0rK|H9UFL%`ugDy+v`x@=LY)%(CU#&j<&rd^pgxuy*_>hH;&zLLIR;u^>MFZsL3h-589jEJsI;qG& z9y0P`vc}l%NZ)=ipBA})ch_>fU_X`UTk@oTEJJ^hm=V++QcV>1Pib+ZF4*4a=bKxfm|6!Z{Iwd_h~+_SZy z8dS)8wFJEyiSp&h6tgSHJT!~*{fPg(Luu4;$m%G>HWa=GK@Xqm5x`2>Ey%f!9Um)m z+MXS}M^7DfvV?G)G$hnLK$O-D$P5gW_b>Tmey7(I^hoGgAo&zSy;N_mn7}Gsu@9Q% zm9Ua&&nq8k#7|MvZzwPl@_gY&b(b}B6qb@d#Orh}d@$KkHMoC2kAAdGe@v7}2uu&O zO3tp}b{2)~INAq@7=11e&$oRB?yqv(e%A{z^#O@bb!pEQ4&LNA^pX!5af9pzfh`py z6C3DK9zDJR(UH-(t6Cb*PZ)TbF_0a;?=H|WKKpGpxTmS(R$kF_?B*3s-P$%SRJ))n zagLx8@ho^P;>AtCnqKp$-$d=+<#gSzi_x3%ITePdh-2rONR*@bvn2GV?GB(@;FZfH z-`H(&S}-eD`;o`0Z+H(WB1=6rrPVB>k8-Z5-eQ#q^oFTg_My16e__t?5np>ZR1>3T<=-Z9OJMaDHznz&nfh!QrG{=`-BrH( z5>=SF+!0##Q4-9)VwzK)hI^JcAX^5v?*8<=Q~2r7C?lrX0Ghq7{84Z5Su|MxRQ6%A 
zH|YXGPnQd5F@JUZjYHgLc&fw~2@r%cCy}G>i`h8?U)T+%^?5&Lhm8sH62-oN;BFg*Ym@yB+@#gw!9uHLP+dAT3V z8}q^S8Q*sW2ch9FRAc_j8R}O&csIp5x}iXWC~gqqt-j?){}DB%sjG4ph2>Z74%uI! zrv{Y@dfF7@ccOO@hp3QPtxK$vC#sR13tp-ff|=iqPO#Q>xW!pmY)Zy4a;9`v8p*gjfi}5OwgW{~J zByCG$`X;}AI;l~%Ab)lftj73rB5>U|Ho*5LhLf9>$puvN09LD~8Uut3^jeUUPgu`O zJhd8?Z*2`tpPY|~m2@p$GwbIaUSAk+qGq_(;!g9*Kh>A%UUKIk%l6MyKe^Y=Uq)cO zR7Z>rpdo$5bK;sxW+2)6v{i9g#menblMt8}5|#`S{F8unsCUK& z*u|qxc5m}hV^64eYGQJ!oN?#_`FNEF&3Vn`xZYLs}h!|`yRiFo5Gd{p^{or_d4oB%?w|5YR#Nx*yTq-T{%8UvkO(Mai_Yy?kN}> zv|QUX+F+G*3HPr?`^)P_^+J|T8cIsnFZ{4nYI2B#0GHlT)Y^gH&BW5?dxf~NU4^th_M3O3FAbzjeLK`5B zZG0;9fcahQe9pDkX)bq#-xUhHVn1+f0cFW@O!5 z4Bq`FFgB;8Rz}oVsyRJGfPH02N!C-VI#0p3ztMfI#p%ULxU3s3OOkPC2))?`GO_%g-1MlQ-1!Bg;ATI;ZYE>sDX#IxkNV5sx%I*s(1fqgK2KE6jfry=rW>s_Hbzr*))bH!3vLxGi-atwmU9B^P zgo$B#*APX{+O(Rx?$RW5R66c_&2N=Ul-O~R1551i%@({JVwCFIYw3q+9suIl#M$E< zw@;y`eQL^hXvkmjS&wMrg@9Sry6{sUUn!l6Fj11Dz~Eie{3`2G2=*M7^{}ff!>HX4 z`1uLNz2&9Y06DVlM$`+J%buwPaZg0g^BsZ`9DjyDXrSrsQIYxCxP&F|FL7Vsd_t zDU?Gt<+%cMj+vu3hUiOqHotE#$v~Ze1>Pi`%EEk5IUDlkdDebrty8o?(CwtLkh_mDKm>mVk7jv|P)=8pRQ zl)FI|o@A}afD1ON<4tBDoZ=E#h?6u6MlvCGCAewY z<1yWqcRuZxbWrhGMzjyFWIt5^OqK&Sm?XY#hGlw?FMSD-vVM@XK&bp4t9Q!mRqFm; z&8?@B6O>1*1gG;llf>g%pb5k2xCZBsswgV}Y!xAm5C- z&bVDsG2(5OSpaYR%FkGQ9roCb6sA`!$=#sjjYb&F`1m%_86iwIJe7p`wZTYSydsLH zqO0T@kvsEZ=h=9Jtje5wJCVU`?fzGF1$1pcV`x(Y3oyB$iK70IJLj0@BjaV)@mdnx zmnP z_Hm(*5?cxW%=^`Ls-Uf)GD;RGEvU{96+ep;w+#R;+^==lX^T9aAaZKq>@`6UA%nN) zJnZpLPn@ygrlC3MqOehz?-G(EM)xDZuwo2wmJs^~D)u2aosMn_otFuD=JksAqhmru z(MPJhn*!9>2)2>Zuwu%W{C2>f;)!58o6(-ajBftvJ$-`@Xlb2EdNFtklj^H-gB?ei zg`yWPX9dZ?Z#ejA<(e?Ca}$)iiV-lPj;`N#Ztob)m@O<`Ot?phz%&XO;NNIJkex!6ct4WrKKop9?}+7V`{D#Qtfd% zDK*9vQ5tHVg&5LF4IyT!A=H=IqM-lY|9mb50=h7BX6Ak^l}vc4AmMIV`16Cqu4!Y# z_thRpyRTQZ*yCNkSGbZ|vSZd?+BtrnJRg8Yqm}(>uLdTQ3uwXpE1L;T>~rOZJ8kVP zTp*Qh8ItF(D>~NG6kqu2Nz|0~K!h=xLB{O$FlF!Hj#SkG3igfYzs`s2QOXZrbZ3=_ zhkHe;b(n;QKASHo@I&coWQ*EcgRE=`jG*{R9P-kR*Eq)eDnXIVlhc(*mdW~`5rKc* 
zY6F8xE+LG{;wbAS16R^o(+4XkSX0s&;X{_7m?dCs&cdbvQMIw*suPdohr~e80Td|e?+W|2s$SI&jo)mn) z92-IO+<)5mO`drU_==m4R*Y)F>eroW+w1cEQ;N zYbN{;jMS6y7N^OQO=+BUTE8(pb#_WDQYGWPzbH2BvJWWbl_ zl?J5vF@%D*WQrbcy6Rrjb|2z{GBc5+yz4>S%!wTD<{JOmxI)`nGik(+-&{uteA<}v zNKKjV(x6=SJX@KL!56j0kHraZ-_ug%K^{?E&c5Yxr$MGUTFOt) zENprjb&pXoldHojySUbe!RF6}xp{c_kqs0R{oJFg9EpUVoprKAN=RqPbjQ-HZYiBd`yccWsl69uv0MJl9_^Jq#xVpl)KA z$#kE;IGMvT=O1RO9In+46devb0$pwLRvON@&@C@^@du|StZorU@CmOuz8?XhiNR>+ z!o9mPlP9ygJ#Nd0h#WfmCMhYYvbf{k1*QS=(tXNM6^Xl|J=5;>j&p(8)#b%;{+U#lV{bi(|Ha%objxT5`^pwCg?zyRLxK=f!1 zQYY!GO`MPESy<%(Y|~luRON27jIsdwK=PBE8Ae^W;_ltM8T(q--YJ)gZ{@7fCDnDh z)v6BExe&!!{YuEaxD1Hxz%UMusS9LG*NGNJnn1R?v&ey()il-jk#iz9cJ<2-YVd;!}qg9kNhk=q8<8; zVsMWV%&^Fh+4)+!S=|xoKuXt`EJi0MJ=Wo__9kF7Rhw>|+5X=%V{q+b+Xv{-_f%Dn zi8kCR+dmY~OYQzvt#p`TMWNoi1%oN^eW)f*FU`a@ctO6)Q#XQk`sfvGe7-97^=!6{ zy~VU*tUc(mVSAu=uY5xfhv+7^a&K35Wxjo4#4|DE z$>J}G-f}%kC~VucSK>`Z>SbOkl;asXv*G{_cPf`==s+e1t1<35M(EU1AqjuuAjY?2 z%ni1c&&s|g%S$-cOd5P@NoTFvTh@lRjOt$QdMftCNJ&@1n)q(9UIpTfD8Ja9Ytmy@ zE#7ZcY#(bnXraGjfO?$2$~fyQ4USF(_agg&67|`so>;foei^N5MAUxntxG}aAqV~I z&0cF~topd@KYztf9>CcDHiLJHC16=b6s=1?*p{!kQb}lrZDd6Vlks=9a2hS_!o%;6 z>n!iio~gE-TRwzUgAYw9?yUm*q~^+)7mi!tr(^yWdl&K!8wZ^B>@c%6dAR4|j}MFJ zSS#*Jtms9rq1*HwZKrr%?kTG8pQ}IoUQv$Z^RACuyn2cWHS^+H{6x-ilPjyLG>Fp% z$A}-8AYVl*Qy!Dslj>VL3fCg5xVAsk(^+FY)zhySFfDrejg(iMjl&|z9xSj0;@0Ro zaSOvZVzrkY`V*q-`A7DJ?qhwUEjA2zX!gXl{9>~@UN zU7w`ta8lZnwJ93Xc#KT39d*7ADYaiJ1sbarvc5&y9IYKba)HV^mFRb;$Ke_&bD~jO zY_2g^w%ZAo-5h$CR`tlEDj`g+THCt8zQZ|TOeg$q#Ce|_HI>k}iY?j(7hzk?=tQ=n9GX;ALm++4!C z#iIFJx9%=j4&s0LJwshL8=|E@S}Vlz(_Xn=ELI5;$%3CY9WMq|`lFMRkd@T(;kc8A z_jX|s$kp&*+*_)Xk40kDM$VI6fp}xUL5dcVhp5BVtpXpR5oqgMnRvA7ti+cXQ!;;`=69~oiNu@dcmk;Wb^Ia{RvfHyy{{Q9DGOJB0G2laq5M)iWRx&g}6hf z^{!6n?*-z@Ui1_47Hq?@(fSKhTQ#I^-67Au&?7RUkLP9-h-sI?%x&j(BkH$x`<4{7 zQ4Ap@jmZJd5#ToK*4l3Uy|4xvsL z99%G7U4%l+sht=UKnk|Zfc5!7QrM02`A*soQrrbjIWf;awdk98Wxe>FUhdk@7h4YM z>_5l=rtFzDtpVvinUx)-t^VNF2;MeR1dsVA`r)in#@zKbDBGoYssfbY-2dDxL&S}R 
z(~WPOr431HEUVUrvdZgj7iKCyl+Ui&c2Jf2w{(FT0_iAq?zlJ0IlJocWpaHEaMTd$ zoT`K_=5ytD25eECIVvmg+o+c=b;hc#-iBLWe=3*-iD?Ilc5cGl80vOgZusS9<$n6L z5_P-1miy1!!ryi_Bn5%=Q(|*QQt{gMoAq?JjTkMd%c0*ZgeQ{h8a-3$w)~gT2|c!N z^^kbfmLO-GV}emUc<`WcS#^22nY)Jv1*_a!vy$!^N>BDo_CL!oL8D%S{cTh8@NGrO z%1lRm&}i^!UmY{Ki0Qa!UV&@{;?-^2$9=E{=`ZUZgYiZ2(V3=j46Rq+7^A(Qc(5e7 z?E{y+_F96g{=Dc+UiSSt)wrml9n5%{v11(i+{nptRHyR8QOg60s2ezROJXKO8E z+d`vjw|>KQx!ei6NS_=c$k>i{Of6;7zqQQ(oL(Mn>6P8NpUGWU_Zi*+Rg2VSR$qb3 z$7o?Yo!Fr>4px}O)!@#q<_2wE1M$JW*W#o5XE{+pV_{@2%Aq*vzYXpZOa8jVH(kT( zL3bXzzEHaNPlK!9G5DL+09Wk8@go(5={w?h$1TcD!=D<&K@D8wvCX>vVGt8Gt|+oj zE942XsNMi~U=~$i<^pYcV8>EHPhMaZ;U)&gO7A|^R1ayg+*Z9{lI7>DnVXj(qqV&{ z*6QiYB#(i@Xgjt3IP6`8OYZxm7VRBy&?^Duu?Pz&=l#|peVK)WIM4jZTL;fi_=4jU z0r?ef$()C3#Z$G0opkzTw*2*^ZQyeDn)v5h@)e}KCufcTLwJ4Di*5uc@?BnDt3$qP z@9&Gd)knVT^1b5=Kri(F`P>@aWxLI>F|<}w-A~5IE1{`G`pwA_sfYZ+7!LE9`C$rH zC6_Zd#=nvj@zfx2|7fVn-CD@|$4TC?9rxGf`XyqLY|a8pH}JR%P057$lwf;q53XyV zvhNMG;Zk*{`|P`%dWVMO0kA@`R>tB98!nXsZ!!&V=1FhZKD6xc5^GwCr!t+DDQ(DS z+df>4VHc8T0Q{RsGCJ>G_BuMW$R(5?xC@wvue-cw_6rYBve(tCPe;PYos&sMxKeLT zvB9t2d*L0G0Q zSuWMGvn(i#lHpDE@UgIHS3ae~ZH;khooMpqg|6$=n78>_tQxsU{LfSg2_@j-4E)yYwI zcPUGVFo&#eJ*ZRhI$Atk0U#k5FzGti{;maMJdPI(&WvT7K`@l4YN@7g{zi)F;yJZ(%!5%!4V z1#jF5l-&~;B=JoxD=W#o%04kFIM(*H%j(RX=@$?INTyYMql#k8+OZG+!rHitvApGX1&A0p`=>ugv^pFUpQ z{D}-(EaM%0p+jI#D@}bC)A849+JuJRWPr88cyldJG5N=_wDLh3N%=>uAN3u4>~v9N zo@Z9J%iQzNvt3sxS=U}oRAaYx_ZOHeH4nDAzA%UlpDo6Cl@;frBG#Zcupe@3nHeym zxe3?ipWTv&)s?z6fmzZce)JeuY*kE!0m z(+GO>y3T(FUm;o_!t@pdtX1OJa-)3N$-}k`HdBUcHxj59b2xEeM|AbF4YcXAKe@Bo z`q1qieG~N0V*F#1^&D?T`0Kh1Nj}d_Sq_5O%5_IV9JRTt=H}JZFSYgy33)#WqIS^@;BO2fiO=+nd_i(G#A;zg8;R4#ovqwCj{VdN?XdKH zuJZqzZ>WBI%@h)q^Vw3{@b=49!yvBbtANXdQDjGIpZ--6E;J!xjh&_*E#t3qmm6dFBHfc_b3Rd@2Qt$B*PyBx!vCMMMy zzEgZ}U6_5Cb8vZtzQ93oz^P@PnwmOta=DdxWNlu4RCCXdO_Cb1u%3-9vBr+-l!|uox9E zAZ+M8r&G^@fq+OB-}*#qGREw_#e%Z1kx#6V{pkO?%xB$#Ya`0@Y2+ z?~}~A#67{|TUqPFa0)iAcdsjwSAl8zWw7iE>q@ziL;l4wVHtmF&b+Q!m?{u01YO8C 
zhV+v9pFC9b?p^=0i^lEar0p3#$7_vQe8UY0VC*xEyvPKB?fxLqr|SwB|H|(Unn4DO z&C;(155@0Rwg+q4A{Szrr#v|8a-c$`JzlC0G7_!D8}kf}YV+03M_^FTN5Y&Wt{ ztX%5#MensZr7}Iu*fAvF@2c}CgO3Kx&(+1=>hZowMQ2joS!drrOzt$Bo+hGPrdr4o z1D(|8xwGX`=0;E#V;w1p+xk1!yp_6r)_a`j4oZXgS;a-v9NYFN`hw4uk#eZKo1b4r z-ECi)uvOC$wewgoLCqQ3+qgthhL*x~cfix|N5^0>`ytN5dhz{kuV24rm<{ekG9uC4vFfQN!&vt4^xewDKn` zLDCeDhq_9txRMeKQHr(ZlWsoOQQa;9=$irhzX&V=YApT(i-kboScUiRQH6auSg74N z1K9YKV8fZs?v$5y|EMeh@f=z|jlmj#re9=oY%Ftra8j|mVcB$>_k#xy!?g%OAupmU ze3mAzd88fx1nH|sPrHawbthWKGP29|{4Asl(7%TX5(v=JqZ+vvTAE}R^L zH?qDu$R~q)AEJ@28TD+Nx>cK?fx&3dt{VN4aYlH1qN56HZPkF>J&}S8ISi>Ad@#;P zM8N-**P##-Y~Pe+XL6}{_(w`(ha2p|acGM72NfIHn>lzZd$0b;dvu4j{V z$0TwN-4l=u7f=tXDV|#>nX&Koqh;-4&!d-NQ2KVXVFMgGTp@-`djiXc^%O|R_haK&vxz#W+W~Q^*KY? zA=RsE{RE{K(hC2L8icZ57K_%u9go}a99Lgnx#o2a$@9Hi(5H^ohI$(|;SXup%lTQJ`Zv>(M7e=~O7+Fea*D009}(b%5Mbj zb_a7)7`QkJ5%AtVL^>C}F<`g6fE&Xb>dk79uM|kD^AV?N0aRXaiyc5}&PLr!R~)YG zeQ@j%ai)XhG^`gh2%udd{gk}oA@<1jgBknLAv#i6B;W(feJ1sS3=$Zf-^!fQsjbc> zQiz+Y-+nSr%E;c_rB|78yiVriA!W2T z60e)8QT&`0>`vK^DpA&+?!q2!5c~Yk?nD#qylDHUiHR#t#UDpwwC+ne)Fco;yfElV zg>jb;k$nDYcIL8Ueo=<$ep(q^&e|(GB@~%6+nZa|dG|2n?Qk*GKRXgm$TaOST1EWO zcAZ^$tUV*}05&KSwX8=Vvb1eL1Wehpvzbm`S7%9nPrZkA^>>o#-?4W;ACEab?3K*z zUSQ6y)KnOIcz8_VyPgQpQ~DLWHtr`}=Rw^j3!gaXAn}u*+wx&E$F2H%nGu)+4y!d`+#zCCJ>u6oi6Y?W2`=o4oOkTBu zsIp2Ca|TbU5B8hP@#wxO;;NSOd4^a9JkE!fJizB-`ig`>{1JyO0ncd`^!+p3uyD0!I^?_T-5DAIG& zpj!ol9-EPlmobJXrRB;5@XmK5O~z6X64t1-5;(6I7kd*#Y?mV)AP{emKyi@wyL`<_ z>NiWGCF{({)yS}~mU1-}6~pd{+K@*_V{ z!CXE_3~=RsqZVDN7JI-7cdB;k=v?r2K(5xz0(SYmC-a<@%XfRn$ro`nmceWo7bJkD ztOy&C0bzFGU?*ra=M@wX|HHEbcy`LJ+B253Sf}L8)$Pt&FSJo9BKw_^{YbCEW(VaW z+BeO|-(c+@E#@h*cvGK!d;k76qNQWsV)(3ha*V`hE_@~drmaP}G@9q3;NUKyVzsrW z$-=^Cm`r>A#a6F6v8DV*xi31Yp&CA>SQ7o`v0r%_I!Jq@CJ7l0-WuHX4BuJ3FSQK- zdEHKZL&H~R?Mp9ZAm%!KBF!j#Kna`_I^Rv3Sy@p@M(E;|mM{Hpz2@We4@tin zGx~XJ6vj-^R4)T0#c!Dh+=Bf8M!dHxBlR|MbL!~vykN@$|8kC)iX`xP91@||)YNpm zFoZFpK_~1NFzGL5-%tFqVTnhqau>$FP0Ri`6uj9F5H6uz#ALMRjbDiSRsESR?*Jor 
zFG#RGS^|aurA3kZ2xJeLu)S(o%}IB(e!E=gp~I{^Cu}eYkkp8;k(cQJy7mN#z0S* zgf$p3ICS@5-=&aW^YkLM^u3w1eeEp-e?cY1zs6G0zF~s&0@~j%2bX5s@+w#M&sNo& z$%F0$84N2vQ{f#mDaP5K>pd7${29IfmGWPYGw!V97@67GDUeHGLAfV_KwdkTigxn> zZD!{OD|&{+H_gsbO^V|-$FPa#Bjs)`H@`}6w4o&f3s5LT^|^zr z1=8zt#EtcpHQx>^gOJ+wSII8tLr58cR6Wye+q(7_S}#TX5+Q)Y;LVW>4=)uv)Xk8} zG{ZM)M8kZZSM3PxEJ2vL5$Z=*?h`o-oiJCZm>U6e5Oa9@z(P+ z)jcV#Gc_*fpDAVdq5c>QW&a%@0TGfsRO}eb_ag#e?>}`Hr16CiPdteq_`XC)x&Q3G zmmfCGN|zD%(vjeWe9@ommFwr2I8F7ojEV)u$or*d>t7B$8q*2iXM3c9%op>^oGX*Uo@NonWOy%+Xb#MK@7(+_Dey4Q zBlw4w?ww7j#|_cpA(sRF)8p2O4vd6H`i)vjcE*@DGhOAEje{KGOonZzh$>#-CxWM( zaP3Tw?MPE=1qgAfTR)`L1i3t!yu2vLkWUHxiBog^_}N_ICNL<3hjk}Jy!y8cOi1W} zX4{9~{tvlS<~P%AdoKMSwUAAKhZh3#xcLJbq(lh+OO_=hbg4|?fyATnPmzp~3EYG3 ztQv0a<^-IO(Bpe%Z7US_Qttj6 zQxLW%eCi!8E-p?29=FaM|4dGpxiDAnGe^|^ zAIl=!>2xdZzgFi%i5>C7b3h|pe!8u-#%FTs#p#SUQksD^ehbBp4f4G?Mt*Id&2x>h z;2ZvJ?T>YV)@7&pw(z;U-2YId94VdfdKHB48&Jjry>;Ri`=NBqZegNZe`5GkwL_;9sI0evyvd@HWFncx^?ZRH2 zl@$yzjI*vWyac@b!}ZI!+-p-Y+U)BYAq)-IhHx&sHC@B+U3T_o2k2Z|q5{c_KdprH zN$Q=(gf8Dm`Rnczu;6uuO+8^8U|K-r0t;N9U22vI;yD6OR2R75Tm6=Ew|8J*X8u(z z1k{>POmJ_RHx`F^Tn?I3jLYRPLB?OB*%1v5FgRtDI(3sACIR(-AIh3W`82n5t%*Zy zrw)|IQ()$E{Z3P3L0XM;a!FA1+q+4)ljwV;j8_>Ues=g0keP`Ex}>(1PMyUsA=+z; zP@@tcM^S=uu+7FXC`Z?SGU`%O4@+nvD*Xrn!|Yt1T`oOTsltK3AaQx6ft+3IxLQwR z-SC&%d}4K(-`b|QZxrZIj^ey2a|fgqiGXJN)rwAnnGe$%EZ3Z?RvXNvjxABz?)(YeB-JJS-tU07_4*&U?SP_$^6E zNy^F3l|S=|kC#=N+{aX zHu5;s1|8d^{!f*~oQYRppm(cXHT4V@W5lfjBq**9%}1=Xw((Z(M8`z43yEpN=jgP+ zBt?hA8f4om1Dv(Ff)Xfw7WAQgO)_jc1PdLXCj`l?U7(+bq=_B5@K#PUgHL4}(n2!c7&bF_Y+NM@~_PJKn6-ct7v4rGx1hgEwkWYhReHRc|(CCjP6w zE%P)GoSoPJl<=_ops5JKc4Mt~uU*xaT0kOD$1b~kFCp-TQovV$PW zHHbb8fw{N(&VMUAhaIbM1sxgR;VObx?gzPB2Lx1^-&v2|Q83-!sm*C0G?9uR8#3*3 z2|PCa+_Z^<>u|M~ao%lsGi;kSV)ecG5Xh&CKia*Buw|@`!YKcYCKU(Kx{d|8KRR&- z(mF?LgSwZC-!zJ_z`3@S@|^quP3XGCsR7bp1m9`Fyumc0(tZB{{lK6KR>e^o#xwS! 
zhtHp3*r%=aNbI%_j)`{^b}T9?B5?;6*hE}T0_T&6(gmXDVEIW#ItimQW)rkL)#`(N zsFj0w{iwv~;O%wQCo^eu)9h?x`g+4^<7`+TEo?JV6bPPw%^5Zl2632sUgnq+1@-(^ zdVT!-d(k6PpCUz!f$4>^M*KQ8u%a*O z#*lPHoANKUQb-AF!zSDFYpB>n@y7vQ>>wYdH3Qqxhqcsrlkaa1TI$bv0Zm%&KWOc+ zAvq^83FQ+x-wIAzIp{OH?Y3C5;ZhwoB40=M71yHWfUYnqxd0q%b5WHAOrp*lJO}8h zjPV(cSAjw*!1%X8B+p2W44YA1t(jX|a|{VzTU#Slcf9YH|BuZiMRZJlGU+TBwHjt^ zmZ4^j0BPaAYOv?rs-otU9Orh_+YYQI$?ONwwX+pvrWq))&gRNC&Rws;hu&iK=o~J7 zD@)(jL5`z0hH=vO27p+0F5v;tjZsIUaiX5pZ?{@QJ`K^hU2DKonBN&N^{9I9VQyh@ zFzATCBsly6c9n+D1dalfi_Y%3apLwb4y!$B!`(-8;b$6WefHcdc4_zuutK`qWt{7l4s~*Nv{~3}&&eS7!rR5CH+#vp zgD&5X-&GLy&if`H z$T%W}HR@Z^v)2m~Jd@J0K;zA}l-ic}o8D_6rv2`nbtSJz)N@z%jM}~?*tT_PE2ZIu zKWEY(#l)t}5VY((UGDH%=bji4F8A&~*L>quuWe@aIpWVwLQ1jAy+xL4JMWv`{q>&7 zS;(F3l#IRSbq3eoKPmo~dq;p;{cE2RZgQ~}kPY`TOOX$@TShBfV=l6$;*~?z=aWru zRh^wxN}HqALi0<#EAV(*sHP@GV?C?Dz_PLOpi2p&#RaJ5BD%wr{Uv#m?#_Vse^Mci_QH8(ZFT#c@Ib@{jLc7`B8u6V z=S)xK4wgAR(`+Ig@sp~u+WNm5qJb#c5iyIcB%LB&AF-!-+sBtj4 zu6|Gn(mO|MR_d+l~&#$~Wc6AC2fYCQ~^IU(3{cC^X2b2;lY3Ke^7i7<>tEy`B zn%y<11nE+GS+~>qM?dc5{^6b78_>w#NHg=kC1KrJ#xTh;MR)l0t`t*YDGO|P=Z;i( zF%BqMG;=l>z;P>55j{^XZnh<@-2z+Ml~CO?2b}yg02>eWw8I#+)Z^J(LI&GDymb#pRr%g)V)-TSCEY%g*CqD_4-_%_tY_+fE~d#%BRWwii9B2V^gZ&bY)W*mYTUa){Q_mSZ3C%TFXT!I16Bl}j0)>w{O) z!xkJM{WI1f#Ce3)9w}&F${~NPA@5Fm1%%G38ke(q@Rv+3 zNz`0Vo^ZS6W+4K2;uzb~zEAIfZe;5nDI@D#4E1~9~N`SDaFeZd^oqOKhAZgEryPHl{=fpDGVNuJe1DunG6@4TeI!N z4^ZE7X&uT8U@6g@+Pj~(1$qAkaq)1oBKP*-GQ_lu5%sI}AohR`8{tF?SMdm-bU<_a z!Hv3o057HwcMbPExI6-jQ#7gyaoS-5SqlF4jTKIWZZTSVOTwM5J9hG2+jdQhR7Qzl8WByi_ z8qQ-;Nwt4r??4{Y*V}`a#?-kXU99CEr$Wx#NN-9pW4PBuXCWbRt!B%T<7s@fV+;r& zA~=%`(g8>iW6EfZB0^>mn**K9+$_aTyHBt*Y~1 z%KBFvG3)P2l0wq-4 z6U=J{COJPRV~Bp8TBk+C&z?!iQvJWooapAc6iNUW$o}iUF1`5o%K!z^|NFJgv-JNa zWb=Id-z}ugPU5GoN5NTGweG1X83m`YpCX|3SR9k)5#6{>^Y~-acdTv!*F$*he6W~j!p2VYyT8zO`omoF5y8LQe9qXdd0XcB(!V@^INUbhdo`b+T5h9&B3wl z!~NTLUVadIe5IExtpeSolom>;t51li`WyS3P^RV&=q5dDW^N|fj%PIM_iQ??XmSFk zqis*g)s|=bsU^>>Cjj^zTBK#s!6P?3jVpkVR7B%V58WEP$XC|Cfjb`!^7EXU_kC{vDbr 
z8fA7_;?GOk&fvyCI+9uil_*(%lMtBy~mm);7I7FrcGjl`WhN{QhO6RJHoF@{elSL(?;@&!+gw=j%y)CtY;= zNVg*S&oki9E@?J?VD6`Lj zpy>NOO;OO9G}uV36V7HfCrJl676eF0f_zDU1|N^tqIh@V!CPI*|KIbsz3s!9gMfUU z>P11&%Q{y|BH0(SBS-bcW#aj6KO5h<+?l*%hXO4q{oWnec$V+f(;eK877@A>Zn{lR zt}b*9U%xb{PU4)|^|9q|xr_ktA_?e=$ZOIF9d__P5NHWG?q{dQ>KIgO5RVUQkOB`s zYA&e5b$LcUHYMzGCt(*j_Liq7*(=LTS$aD4PspmYPRKQ|c+g%TQc;kaovHXoWSLOE zS9&LP?Ed-dL=8tf(<7^E=K2jhYTh%KIchFCwzR*ANOoQ)1-jx%)By1_#yRb2i?_t} zg5Lfi3Km%vQ+rnD5&g}I#MdDGMO3SuiRRc|8ddTzm-CGfKDp6VshG`&_XV`$*>Esd z&x&;9b}u-PJlI$T^7M~c#o*b=_+>Qt6Mb$WIRIGVV}FpQ5K548eD+2xA;MH1%x258 z)Je4QxbCadwwJnb8fF6bL}AUfRgEyjk%7hdbsm1WL}8Kt>Y^>JFqMPm1r8IxI;>*;ftP(6V99^XuG zmUuK;yoUuYEIJO);Ct($H#qHj5~X;H!^5l_8bShJE-M3k;%&fPzwx-gE zJN#N;LF1CfP}Z1M(;bM2unX^i`HTA;^&|ck)+bmdEh{ zjC6)oTc=XwI|3u%%U5&K8h^R@^z>n=JDJY6wvldfBZNuZksnL?i~|Q$z#^ITn~(9g zQx-`iW2(w4P%}|`{`~nG^Vs|he|r;$n&Ud@p)IpAG_ikj3=A6xc^Bt4U}hZAS#TjH zE*qDNE5OB+W_BW9u__#zR(69njg@hrK54LLwtlI9Uuja9CUla}*I!;5J(LA6Tq7Dd zGv-rNmM26yHMN(V}TGi%gRbtd^FIwzwmH#`L$8HRP z;$-gm-f|DBv4M}4ZW$^ZUZfux6hzxh=SK7X2cx70X(~H@#{-^%O zlfJ%cf%*(!l zTwzB?2cxfVR!pqKvB6f5NGEaZ{79g3#H+t8(RUnFUe3;Mp}^aM2WM|ITfnT=Dqes0$Mw_49vN!AC%vpiw>yL))*xUooDUrZvte*;ZZ$c(>(H zgpK@+@wb@``Mpq36QYHc< zo+|(AkUybg<aBFGqpmkME3VDh%}62&H#-{K<>K|kb4AVO<>y$H)DP>^v&2% z&+(@jVS1oeaH3uK4gQ{@u)3NW9{CFOKpGD_mlTn9h1?F*+8H76;|yocT{ZWK_ECCmB7-)Xln$Qfcqd_yZx}#o1Ie29cRz5$I^TH%a_W{D++e=P5z ztA;iqnM|;6s*h&Fte$!|w|6E5n>cH#v!9BKh~I{0+j@W*8s2{A(CyJR6O(ng>;pt` zit@vLjtH7h40a#{cCe1Dy;{H!KeaK_x!v7QJa|cUOkIH#5R_?IhJPP9-2iXFToHfL z!2x$(x#uaNeP8kTCVZKn$Pu;@$wLD3o4?YEc1~Y1zuAxbPSI+Szs5IY^K<<5w~}R& zk7x!)`HikN%-hAEYVFR}cM2bl3>V88TWrt>4<&`azd#F5qn>LEP5~RZpU?kzrFCuL z6dQS80JsEOG)qaCe*FXcz7?@ywriraIQQCwCk?4x6_wZ2g}MUotGqME_5C5pMpe2P zqHb+7ej2^b$!$ioMk_Tw%++->eKgQ6K{~g{rO7Tc>T7{&a4ESvVYNmE>VIpdJ!3kw zd(L8sVed*QVb1&f#{z7H29B4CKQUri!D0Hl1hoMxaG^XokTpZW!sU?6ASCsG3U^<} zRi86}h>3Rm3933YW&CG%q|~z4f+HxW?hJv!`Hiix0 zx}t-%<@$D9$W?MoM5g*$^TM6c^Tw0UBKDty;ZNZ2H}2pPZWG!EelOwkQ7LC4l?L0E 
zSWWgNwJ(FE)(FMhDA6gHB4=_;_$jQ;6qa1sn6&))^J9m6?5Hze?MV*RHcPn_)z}zT z&y#h<$d83sMW3IZdG<<97*&1cAXvl#%*M|>!PAK-H2DO#=t$m%+TS3@*J8s1I^7AC z$H(uCHYXegB70&#hyVY#fA9_8Z;(%@G9M!}u8_`C(`Uu*&56A{WYEP`>vT$3QSOb8 z_NaX=n!ez7Dd<<|`)k>dh@VeZ?lYe@e3S{_#u^)gp3q5+rEGuuOiU{7G-u<+w%tdL z<{BSde;ppw<|~oiJN@@%vleZx82dY6LI8Gyi=+`Jv*=n+Xvi;-I5~&um*jE&QXY>$}lVe!iR1 zN+h`sN$gOCH~Qc3@1W5dpfBOYjmdKVS&);k5@c(28hzMkn%(_-onvo3{P!nV+c~5E z>@c8Iw`Bi>HTXtWz~}>oq*k%*Aa@uRd1gz<7|7w^zsPNy3(0dH!_Zt0*&gkiwkmO4 z*!WAl#D!uw_W6MUAahrz=ePvcF*syBw{7DGR(oAc3OZ#BiOS@7Wi+3my5yXevI>*x z@4UuHC7(Ei_g#^Uit8Tk9wtsx&tZRPTvHaHbs;nJRhRDo&fVX*tE)yoYqGtN|4-}?A73rL6`&M z?RJ?r0H=K6zA-gPq??%))3#S2NbM!#WTlsDB2EoSYpKRF-^%VwsQNljLHl%ajnd>@ zuaG?eLpa+N0&!SB#1F<*q}TqlHq^N)?8LQ5Vn+^SMhMH2YZ<)-vU*>l&bn)RnyjA0 z4kG#5KMD3rV`2?jTBi`6o@Nw%rIkknP&cGWq-)UET4V&JWu!?H?DCN~+EedER!`VQ z=&;%>xdc8%9;GjY0Zl>du=$KN4N?6l#-ZFVA7=y9s}jqfL}KYT;C9TrK=FIeoBU%; zCaf_96tlF~{zZ1Gy$~?|as$3!tj)-Yj?K${C>x{5Vi&F)S?|ji4>AaBukBrVNB-xv zwzU84?=aqkP7z%AY9NDy{Q zs$HPoK%Qw|PfsKT#4oJaK^Hj*{Poo#NgeO>is;5|v?@D0J4qW8n3MllM>P^4#&Y** z13Fi&Cv4;dChOe4H2Erd{3Bbq{2r^kCGe1Cmz3vH81KKDV*cd|Rz{xQwm&q}xjG!=BCNV}5TrPpbG@`m! zv_pR?#4e-^caiNHq}Re;HxiZ_Pv2M#*BEAApKUyCj*z0$aoT%Uc@I`o2b$Bg73&xI zDtE(MG!vHzZ#nNUmuX?vl@Cny7Mn!1PO+2cL7iDF(-~p!YGZ|5B2bJu0yN?~yS zqpOJbi=W$FWm9#j7l-NBV$9|FF)F^SbS$S}QQh?>Mw;n(yF??5z(BS7KrGmUEn=r- z;s}zar!g{e?evJz=+TVP;?ZzL8mnt1j^X#1C2FK2e2$zG?wH9Bx>1R~S<-z|n-5uC zsj@nS$wtib_n$UOr4<&$Ah}*|01q&jC7S+aw4us)uS#!h#F}uAQZ-WXGfaBMQ(q*f zQ%w4Vq_(3B>()oZv0Fg))Ang=BFXnYI+s6UBHoTvTKx*;Jw1!`VcrRAFqiLN%efh@ zuzcTqc0KK|q{~nO4(&Ck+#nOC>nM57zS?{6IC(_u%EoXXXc@4`(UozPg3yb9-l<*F zK9L1?ud>#9)OE>irQvPA(;C3)q;;zj+ms(2RTyxFki{W8BuBGKq|;8mDtOn4k@k!J z+!z)znRFx4M!Wa-a=Ggz4i!V_ef>SYBO0UTxi^y(tnhqtk1#e9)JPwQAnKn>j4=A` zM52F{C54`DJZPTj;k8+LF6=`}*Qj zCh=f{3_`Nn0|qB^YRqQmvwMK92N6uTwIZ#s=yz4V^Vq1%hKzq2rvS%vycX#v&Fuv3 zNRTSawT)xs839N{3kqvVWV^V7V!(`NQ&U3!-38_p(}r? 
zbspq3XE9kW)MzQv%3GUe&V{qsu}j~PTot~t>gAF&-U9n%8m8D8)-%U?fMLpQ_39@SBN}@Nvnw$v`TPlFhZm5jX2O z`Pc4CP51EsG*7uW(9qm{vzNM$>pMgkV?(KwBusGn>0#V$*egS$Tft-B#$W7*~-Qi#_<$Z|}y@R7K_7|0V zwobH!LVhalYFJdGhe{ye9yHfanA`A&N!|5}isr1*I#S@;ViBa4b?j}%2~6Z2K1U&p z@J^?&u;d`mqpgc+&2}_I^-c$9{R+5OdR(d!?mIsH|JZx)x2CqOZP+avREk(=QgvJD zs2~VJY=D4(bO;?pO6XNe5}V0%+S|1}>pB-s)HhXH1=h@C8L|Z+t1=i)7W(B01oVZNaaOZN-IDu!#V8{(pIp} z(MY2#D3CBy$tVbYtVO#`gw4tV9G%BJCkB)`amG`5E+W)r@Ap$qsNIy(uaPDTSKC=p zD{!X)$Sn>kn+tmvWd=35m?A~1_mT!hN%25;?H3myX-f+wQ}}p)+~oO*Ss?Q`X`$=P zlhb&1ho_}loBiiAX}g%ayUqcUftkGYCb?p>=FjxJ37n3sC#b5k3K#x<&dv4Oh zLTcM;Z#64Zq=gwzS&M(3{<*LV&E5tRq<(fzzYF`7`Lm`@QV#eQHL^x*TC%^DD3$+6 z_NoXNCzn4|FLJ4vAm-JYtOLr@MIy0b+n$K${%`yV;?>ae!yEIv7i-Y1kE2Fjil{Zi8}5sVXx068>R12J^Uq-c`tx=0Pch!FtLp6B6h z6S1)8yuE;>d(=bAK1W-{Sk&yfX7=pFbY4^cD|b3pSt_K z1!h((b3anwYY6DuUY1`-JjOmbrBzn$9}RS-nFCnKMVWTWh5cakpdfjV#*Lcjw;o$S zed~`iZ74k5xX7%1(EBoylM6>^1jU8i4IO@CiG6k9!Thaxs-Y6d*ZP4fg!2~nVB_3` zn(Lxy7_*}sR>E95kNE3lXK8-wyPI!5a$Ku`xdK(0Z@9SWH&rR$CfJ-z?M6g_=6BGCPG>_cADlVU zhE&W{$4h#)WecV&r)0HQ=GAcZC z&X3`BP}J}R qY#?G;9;2TkFfR1V=#+Ifn%Iqp|nr%kGe%w3! 
zuj35)#mY|0CX8bU6-eomck}uLn3DMmeH?j+@x^v}qsB2N2y!p?j!7%+x_d~ z-cGndsG>mB>UscCd2AW z7NXkR%BU{yUXGT53Kp!h`&>Ue3AWKr2eZKry#Eo_DRMbC?QlG4rjIJ**0sqkr!|>+ z`uZEunt56#5tGSO%s|LwG;=D%#3n7rLb^P;cJA7Tyl)DH8gJsxnw-7xjO&~2hl6sL zFI{kn`!M}`Uf#iHcP^!TzV_+bp=$xVIg^~8S{qb7eOxQzT+?MN;@SCQglj-4Mie0c zM0u8ZX`8LrT{O$UmC9@dt`^Jmts%7Y;qZ+aRZ#B&0{WUVeo~g-fw~c@6A2&u9cuz^ z(5S_}o5QnR42^FjzU4gxzZ#v6SU8Xh+2NFDJ1#sSgA}dgP8>vsG-W?t(bQUP?&yu6 z&&nqi|4_?bdpLOY4nuocR2yORP*6xfcUiwkyl+bHcp>fLrr_h3;wbGAwcBGq%Rx zjHo2bFKX|hJR_#WXRb!5jN;`38`~C~g6KDHswpb{h%`U_c#hDxa>B^!Ur-YqCB2dD zMZ7hziC&e8$S#nHJS=miVjx8#6kgJvL(mscdy)~{`X*SW*gs9jvlMm*2Vr*xS-vgM zJZo&~`t#n^iTVuL577ht^}E-?yPk#hh#Vw@szH17*UP`hyry1GU9`OinHuMmG5GrA zHBCkgvB|fxqx0~7SMeo|=igXxCI%NEvJKKBI-(hGQTD0=*)|*7Kt*lI8*3S!9PEz| z*hQ-gjh66%T7u)Hin@E=lB9!n?bbJj0LpN>sK0mUQFS1^lc|AvZj{8$Y|()&WsCSgfxAKZRLRe&#HF+5Zo8f|+t%Yxt{0WPRcekpR zFmXQR$qhyZcNCQ#`6)wf>aMJ{YV>K1B=>Bx>tG=ZFiMMOwM$0~mS4ssGlLQw7gx7j z{AvRrNVmCLChTH-UiKZN!?FJ6&g~RD>Gk+{oZl(M6Fkv*3_iCIBO0K&* z#8+9}@oD;os#Q?U*f7-RKDyZrjn_l_dhbL{`nY%GrCP}edtDOIc#f9Ne_?4=;zRb4 z(H{#cd0|%nhZG*X^&ECiRR$8Nv2^Mgsv3Fes<@=F`%I<+qQec39;H85daUhW25Jjd zqK*oJ`etw?=IH}Ept8^u$m$<*-Bjg*$N(+xjg}A;t<*=~$_^|uTe(jhfinHIio0vxFqDJyl+^S@r`;CrR4Z@{# zCv_>9&T0r^<5iCimjStYF6KZ2<^9Ik!T5!@i#U}-eYwld0(rTU=2)Xt3@dLaNsfTE z4BzpZzzeh6bp>Z}31#Ngdi#)U@@o{UbGyrtxOB}|&}Wk<{XyK`bW;$^_~OV><;@Y| zJ0hP|K})ZrwYVX|vh_EbCmSKc18T3Hn(_VRy03MVkqhk|N;hVI*;YdF*xhRD+6{Q! 
zYy&QJbukN6Z}ye9R*1ko#jJ9*1`%HY9U5zjRLo_c+c$8>4P2*#i)|G6TRqkvsQdh- zqCV61BMCNrQq%Kp49$^j2(*#KgC3OY`Kj?Mgd>sEWtqW?`HxV{3HDRRTK$BEkV?ai z1hC$MDWA^rq`$8NY2pmq)~x%(2ZVP(n1ES$jHQGYY|wDSX*5{^S`22##rNfbc!V<( zk_Dk;d^P1teN4G$wB7wCJ-N+{ugUJDZoSIv+e9(?l{XbP+AnZF3Ny}!ylwO_awAFx zEj(4|WF6x!nAItEV_jlyH&AjHqbBIdEhdKUl;g;N3yg<{7%kbRLvQdf;Ri3cPBbh%Kz6HwVrzlE7=id{m#N*Ygd{yWeWM zrLv(VSI2p6vjQ_tKNW-snUBOTzl+dYV0osAWYoh3Hs!4dDplwNxtiHg6=tUHcvRs) zxYa>h{EOuGXUMS2cvDVlis$#{eRo1?aP7axPMqUAW>XeM4vtUzYv4s?Ma^BD+^4*> zwo}^IEzV|wOS%UQEi}kp+!5nDp`_fC1#+KW%Y9UXD<-6$kEtR`TWP)-wlqk?eT=&r zgj8Q@-u#xR^iqH;UdS?0x=-9mxU8(vgm>-J_s?pu$;HQ6s`Rz<mw9h_$JC>8`x4*Oyu1Q4=L4JB^`5$Nx31H{cP#I>FR!?}06eT!@6;o=ne$;b zoIt?vZjt(s8jv#wmh^-v&TYC@p*A>+5LNr}%LUo`XmnBJo zywA3psFX?cr^IYL$OcFiw`C5L_qv3Ag;4#Zy%opDf8@^8{N8znx_;V~VP5&U!sN`V z6LHz*HPvizvDOXrMqv|qstc9yqMGu-Eldl|u6w!un8w#4{Q}h>AQO@O=3{c=BJ)l3 z-gX;tsn;&NO`HTvn?jA;47li@d_7S0phNG(>%?kk>7D^@deO&{wBCxd?^xkRQ&hXP z^)k&l@^i4=7uB2Cz8ckR(>aMAX*I+1V)&SI4j7#E6uYG39BxH>2aj5ggz6b%C$=@EFj?F zY|hRL!B{1`*E=qtI{#I01j8|c`O5#{#R_=2{rJvsMpb&mm+zf6-_KNgPYrBeX}FZz zNd|9^M0r7L?%h-O&QO%%G08MFijM{Aq^G&Y`v`ESJS6jps-rOorR%XT3D_IgoOimM z&peGyW#)!K6kVsQzR4jkDJ5B5FSO#fKMPJjhTJF0<^Yxb8P-16>Z|?zny3sGy~BSQ^S2F>~|M0jpBssuN=kfUNJfP?MTK+La9NV@ZTKW_+YOKK#14ndEcTurg)%mYnuza*n$% z+^5y;Y;#|t6d(P>GmOv3=*4%1Pw=IkQBikLRGYBHY5R=lkPiKoo!8;5AE6@P+Ii-# z{1uX6pE`BRj1&(J8RELtc4Z`a?p_n#_-t=Lh8}@}QCP2Cj~To*-biBuMrfQ)!`E$o zX4)x-XS=WWSIwXm=uj`jdYy+nqoq;&O#Iz^QX-ptCaki~9M>*_9;vajy|R*CcwwLK zx6XFs_c=*`;h|54qz_I`U=+Q3Pgb4De!GG^6sM&Sz9rsR;7zz zw4u}KE-A(pr|M|O7NtAQIY#bC7ZJYYuIhe=t1Ls`?8K4PXW5`m=$~~{UFZhtiM>w0 zJ@#nz#U%9|K|xL6=3om?`$K_X7GO=N^&kY=89s~=&iAlhV^S(HKf6bZ`z*H8P1TT# zboq!DGbLodtribjnzS5$6iRH+3%=)P*BF_c`c`yRADgufz7i*+I;U(Csq&JkPI7L(0 z4)@Flp-!jxO45%_S>3aVeZZZWk9nt7`+ceFvp5d{ZTwn<2Mx0`0$;bC@fBDHkb$}8 zzlI=dRBCX7v--ZS>=l)&BM1GX!A4@X72nEix$Ryn2-jLaFKU0@Y3^M}UhiA5NA>@F zDS7n|XS<5L1ckD%m{~?P>8z;p_m+5JFE`=WU?oN8PwB*>;|=_-2E6CdqG^ZEs>P!q z$oN!+v*Rz4q!P;R8y~khkrjS7zNYuIA?W*{=Rk6p6e6nL%hA!*NX;%Cmkw&?HxRVR 
zvy7~04+xdEdpjUkosZ}~Lw|o)E1^K(cmp;sbfx4N$iL}@V!)(MPtDhJ{s@l~ZX01_DHP@8UY+-E2x)>2tk>DgSz<4k{Y)b@Y}ER4$3_y}xWDv-V6!K0GId#jiFOl6t0_;Xcm1&#p)y+ZcRHFC6_jw$Pg8 zky`hU{VGkIXUYz)^w4wopt{@W5oh=Xk#;L1Og;sa4`_wmRRkEl{J(7YPP(~H51dZG zo5(AyFLX7$OupG8^?P~&Mcz?xNy`vKA5PKf0=p$WJ-8|<*4Fzen3`4qdEZD(k-uJY zGPk)LTfOPk7bfs;OWG@?i6D=3rBq^>aLG*lYMM8@N)H!LF6{|R5{fWR_qb-j{CYpP zSzNL5=4N4yjB*0vv-zl|=NK`FsBS>XMw18?POE)(Xqx4U_&Q2S0B;f+37F5Fbe4ww zydk1C)H&C>M$NIuzKi;}CA4XXh6PN=vju%NjraEk%YT^;%Qm3+xfZ6=4Mdk^i1jeH zpR-;X86hhDCZ3Q6pG@e2ZVoguW8SVi0A-mc6Uz>Aku}i0&Ij#JZgHZ*O9ix2+z@%l4`(oAG!S=nuudHf;Wi@SJk>N8KQvtUq zlmcm<*B)tUAS(x8H?2E!XpXxQQM2&KrU7!nw%-Z<7D2VLF6_bICjIuKog%B&od%k)r%+m5uke8YvH;v zKH0H4#J)N`b~WvrIyuIoLoI8*G!i0Ca6`l&^?UyksUMAkR8ii!bwYBA-WVEa!fN^% z%{QGj&sk!2g2Pd!r!w^)I-kHNk5$FrVdWq<)XXQ<>1d+uw`iU)1 ziQWcyCyV5__r{?P1gIl#W)a;KQ5?kzf!J0GMSL|Vov2sz@j2Oe_Hp~`I_1>S>Wq5S zy)W8&tLqjf?8>^0?dD;><1nR-?0og6rOU-3{INiBXTKyEDz^2};fO6eYkU3LVipi9_3f)3?OKppssHyrP^gGP29l?gYhVO3Q z9=-D$nA^MiFxT6vYh6XM9zZQhy1NZKMmn;w#hDXe*x2;UhpG}NDWT(?6EqLBwpLPr zgiI8A&trngHaH&QxUaxl(beVDk;(A7B9$skrZCvNa0pTe8j!2g?J*KR?EG2)AU19XbHMeil`=8(q>bRFL*z44n`PNi~ zq(dG3gg#lRFan(IX3$i~E)8R9O1>~c7mdFH zIQkbqz5#$$2%Y`92;njIh5Zj$L)LZLIP(fKJ!-@)VAKbNiY|hxbScx~PF~N^br5Tm z9g-K}A!L42CH3jB&k(uid`eGN6*xMNwPn8mA0S*+q9%MbAfB+J8LMLARD(dz>R5L+ zhqPZ66>^kqt4^xl=2{jXcNVk77w`WrM}{)81L`%G66kjGxlz0$Hj69=GG#D}cxM^4 zJEQhK87@W1Z~~7KP+Eg1&g^1HeqSFSo4MV0w{+twA!W2KhPT~MzWUV37HL@#J@l$5 z(q^#PCp({#UDp<-)L(PX@wDuYXoLfhE}ePak^)H%NzYbJO}CFV;nvEZs2pA$w@#Bd z=)ZKb>aT3j;3y-=Hs#*kCcKvg5WoT8gfUWo1c0ek9r64UnspT+0H@#e3~MPK%*A8B zA1<9Ei(*HqQFqDTII!km=ftOvZi(nfU5t6h;Z!pd(Koo986?Zx_i6PnGlfv~1Xm*g zu7vKtL#-nDE5@?t`77G%K0fE`S&oaG9KDF)%%*5BJBQdL`yAx5f7S}17o=r=^}hfd zqPSr0xA7K&5Rb_I4!>IvUamx#F3Rwdm3V1DCIdG&?WaMY-hQ{yzY;YPGwC(DwtAz@6AU6 z`Nz0z(|0PT(7^=h-+kVB9chrHzdBP9L#VHt&;2s5n3W;zI35!@K<{ignteJVd%3VXW8PPNu^0@neuo#9Kk`uwKC23t|m z^-~Be54`0vv3|*yy!7rFj3KrPSq*{mSOYarE%AaQsXB0j7r$~Ko%TxrTv%LvfH33P z*{kf0FNdaguIok*50cBfl4Yb4MM@S2W`FEpfS65|vGV|buapS2oA+GUF6i?GcAr6n 
z#K4Z4HneY3*s?MQGd#dx(~#{BT|GVvwtgY($g@ zkMxxdzXl(VS<2lo3v7g5io!!-O~awr!0yz7;l&nHSvZ-UZFwby)X?ld=caBi+ytn4 z{G!z&KlN5JkH(|cLrqUW`I5Y8KwS6n?+htpt+5)y&C*$!U^MBG3$LUs3Rc~;RtGY0 z$Der95Fkr(Onr__fPEK>$byiB{6|y_i0^_bPARvg*y{bnBNuFKBHJ2l~rG8$QpK$z#-Gz-2z!U zHWc_B@p3Q81HHDr-Y~3wJU!&)mBL+{FYKMMAcy7c=3|>B;(hx&nrWKh6_-HIfY9!h zwFHj|-~NU(@hU^$p^?hY9Hg@iw;E{sp&klytDI+<9*UUS70t4y!E4uX(2Ef38-;I*kT!oU=jJ%dk1DUs%2fm9?-b{T zO$I!|C!bffI$h_r+^VV|M8K{RnW%GtQ2*&XB4*{mSB)TTf>V9EN|n{i2Y$xA;7l{_ z3U2?-1A=8I*#KwmI`K2JC1(4Qvt7)#$6KarURp;~d-1H9;FHjpC-?%nny}X8->N?* z@#qi5Sip_TfB4zm9+C#ZvJlpzZYEpPhJtOK?lz1=eLCweooS68RfgV3+?Z$flFqwJ zg)UO6ijV9yq{R-@wS`ce?6PowJOVX!^c5+ z@)j!Ym6AJ{yF?svk=>HMon|8*mo`IbTHV7j#yt%tOed<_eEeKp2DXg^J;Gi-IaOkw zA_3U5H8so``19jD>A?h05{9#J#D4t+EP>LRt3uTkb(-$gVq}eOe*S4k)Etl08{)%8 z*X3gB*WWo;?weceConX;tjag+!a|$Mdt&8Hz18W{s=t5NvM-}(lFC#)R#D~i=ZN2?E zL`dz3DdSx80w2wIArLz6OF7_npwZI%13G_ zP4h%LZ`8BFHpr0Bwp4Tjy)fMj^v7Wef9ThjC)Se@2~7Qzw&0Yv=CoNkXm5>3e!Xuq zS~Xm|gmO^RX}5j&kK3}mzG`p2XmYdSC64uu>b8O3iv*{ka0#vph6e6#9> z1+fv&0@+QhA{0Ytw#k#WT9D7SQ03IgBmgZ)Z_2Em#s>JFz2Rc^X`PT65PEA0*6mkP zzApMOkMC0bIkl=?H`7x+2V@q({msKu+R>A#+Rc7bnhK% zuG#&zk=)zR#9CG^vq6I2Q^r-41)>*dTC7Omxgzv%jFjo?-RqW>=SfAz@q(DmBNh}N z^#QvgI}@>oj_j^=QUqzqUd}qPD`@y;4LY`noe)h89-_RJ2X7;{6`gkSqeIp{FeP4f z&fe~@OVWDS-@dcU>v4$r;KaH6IL|{|5O{K=XC3)1ueazrz(3To3x{=uwb2BV_Vexg zR{v3@%65?fbOH2)T|I@A0Vfbdctou38MCLkoG+GtDXu$aZSIMDSDz4A_G(a7RmLi? 
zboAOtjs8RAhZn6DrdPWdLyvg`%3o+2yKj`3ZBM(|#-7V~%YDx3P|@`guu;8;xCg*` zfC+ZSc}493h{csy^h;i|x(MVc{tAjzykDJZXTP^NWWaRxi6Uk>b|}?!V}oQBdTlJI zkW>D1WIt-)%k<(!Uwnbo<*0|(Lgp7R&a$p9e6nL3mKyhKx!7YQ2A9D7E4Uba z9EofofOf7;H0e(02?9>HQ*ozYX60c&>ZomUnb1Tm#mqT`!dH9PFUbCF@b!Q|Z-wMw}a7;u8_$4Fj~CSJI&rEj`zxBzR&n zD4u5}x(9>k>>KJ5bsSZ2oi@il#%>MN47na^}VfIZt-tp-RxI)?`s} zNF0^?nsC0`({bShltFl*^^N}|a2?u-VR z8wWJNd+K;qT#EW02zm+TLodOuShg%(H~yL zi-q}#?oO+kM3+MruR;^;>zZaFlTksIw@Jg5;-fz-Dn@^JE2@+|*}Urp+Bf_|SO;Dm zxv{ivxts7fJll`4UsLCs(~l_!;vECx{k(g2TT-amsb#6UDc)7@RyX3iQ}OrI+6q*l zrFAkws3FxM!^tcC^{;@{duaTC^~X}PE=9ay%3#8t_#EEIn2OsT4Y#~*3mUY>E;f}< z&Yr!77+;e^D~~9Tdzqi@vx~Au%9QFC7j9D;2d*S(%^Q+Xt2e5zuYKm-2$OC&l7DQk1G*=7BtF*O;)v~Vr_;iO z|BoAe1$pg04v9!!On3`N5GKYAY6)xW(;jB0>{jkpQe7dPWvx|M4mpzY9=B@ZVWh{ zc}JPJ4hl4ve`(`9atfPM<{O>oX$m5*iSDdgK@M_Jm}aj2tDLdgS!bFEURu=~z8w2x z0J}%1WFOJ5ikmfLT~qYU-xW7WBU(2_lj^0|8>)`wD#?7w=LT?{3C$6GpsazPUSk_} zeD>3amTak{avPYWw&g%|#f;zfP-nZ(oV}v)6NF;V5aD!Lmd7x9aN)vED{vGv&UW zCvbRbE?r@nxY;5u?IY`z*KTl@>reY-tVLfmBncG2&V69fg-b`%>JYP-=$Fazkmq^} zl`0N-vln-Eme&hr1EwjJEkG&!_otev;HJIDOc?Fd4;hEZ8-IPaw1 z<1^c5mmb#ly+$L@?$I^0wTomqdH@fKjxS1c#-hI%J2n#;0ZM=iA-v9}|G7Vxey?^I z(omE|{?fFUdKDPwwKCH9^wG1(Q-mc+$;_&uf}&q8rUNao!KP-;dn9e`oXCI)+6^ zf_hr&?5mhLhhd;tK?8!NxeN5=``oczy--b00La_q(jl!cV$PUUQ}|od57E3scSq`z zQFF7@*qfTvoM`l^>GZh+WtyVsgl3+2XqfRjr?qi10lq4(&#_i#w}|iW2;UKs7dIiE zq4S8<@038|UnL7b50qnXW`$RbUJG^1n_Xoar2fPwB?(1R}iI5oVK~Cf!KLX~)yvnLgJX zwY)i9q_+lxQN?}%+6_a3lQ_ufiR5sH+kK96(#qq~g_HRAhB>txlRroicu|E)N6I;= zkU3u>{iN)Xn3~7!<|{jY-p0Gwo-cR5jW|>e$iH0`c$-c7rcxR3Gk8&&9`biJu za=HW%I%M^3Gt1+`27dByt(RlM4%p}X%BB=7&JpkX2-~Q4WF(-|(g)Cpbo*|#&`%Sa zqCN5wez(~0sfZBLWB5us`KgcMsH(nLqYwg4e~&<;Z;4!K-QEAGNG&1OtPLC@CU$VI zn(5WK(x1}E%>CzhGcE+?rJKti9Vay|ct$YWt#-2tu}n~4%^0I34bB)oMr5TTsqkTE zuBW8!oOs(K-vG=mWI)}f{=w=@OXJ`SDV>*#%P#BdNtH5tF=jn>2CH~R(gUYfZ<(s% zK#*QaAn|s|3K^*&8|kpt=_g(%8~qu7rb_<~IP&YPL7&ccq}sukUnc5;@&hh5X`@5S zop0*cbH?r&^+~9IKf8WwUuKcSU4q`Y@rnw)YzD7q&UII}AR;qa@|(QYZ3z?0}`~Neu;q8!pce 
z+xwTETfI72s+Tw%wa~PXwQ9eu7xX0dC@)tBrv~rFd3$n?R|9NVevs?<@BYpk^4~HT z=bI)1+Qu5DCvp^knA4foFeUjtdCo~aZLeMsBRn_nl`H1e{a;fH%f$Y0!Ngl~KSr=( zGAB}_H$6nU8-NP$mrgV;g^Z7z?#q*=2NKB=zg>sqtAm%qzA;V8(bnq+x!xwLsDQcR z+DqPeozze~IO$Zs5Lmpwop-J#j8dhc-%l|H6WK9|o%?El&ziq3 zCN>fWe4|!p`-tfbDf8pV99Nsq+08*$2x&CFg)OflY%8uLPh_Q9blE z$7_s7Lu8*LL!3C%f|(dok(D*LkddAUG8KjC(@esv4Cl-)W&EFIdU{_IxTBw1=Y zM8@0Kl{7m=D*=}BusglS9|#3?+U-m8mb{zWKX2gXZ~6CXiYH(9xbXYkBO1~(CU4?q z_vjL@LvDzP?dzZa@4@s@Z{a5kx}qlq+$odrrIw15k`*G4M*dj4HFTw=DeM3*Sb*md zVP)&bEDGh{79h3N4AEjV@UJ@2CqT=h-(m8tf4n@-*9j2NTuGpv`p3(w+^#PBu4m#HNB;BWNAx_q&UR&> zk5tfAY7`41a_@VTo=cO49$0GmC%esf^MgZNSO!%?<}aqpm;3uW_B|5Gr%6H?i&}Tc zy8ro^`}zrLMq&>ELiKGztgH}k{7vtrJlaX9=szZP-JYlbl)oJ`LS8z?TXgS&kfD(< zbYZb2;n$P&@6Q7UI0nq;zpe~XU^4%_J{TSa?%hAHGNJ!F|BRg~HG$RuZfx$o3#-Nd zn6sDGK`x66z)c_Q{f8p?BlKexmA~Im@&DfN|I51sR^Z?1Av(7Rg0e&=D&ORJE9}5v zzM#LCxr^^VSM3oxe+<{&oj%-bmao?|gG*rLaqt3f3%wjNd*5AjpDeSIcT30zjEXn@ zwZnhDabKNO4{$b&^-qfCuno4?P-%cfsCxL8g2%TfhmwlagTDRV5IOsFbmo`c=Bg_F zhr`Fk+3thW=W0zs&!x^OgcMhV&^Dc@Q%Ggt#|)>;ezMASpw3U{ zNo*$8m)txi5J@p+2o|%)_k#8nm0!+@{of-5ssd@7_A66SYtf8w=zz0uSRydr^QZY+ ztNpWCF2PAHjGUH9S}&-Ny-MDxS7tI!3x-7?VAn`~q}Ge!lRnBmKq%Kj`$=J4Z(y;} z&m@xfEEV}rDIqT{u&&s{6+Uu{C~d3k!^`L&tWj6o;A>Zx`WLLR^Oq;%MR$~B_L;~v zOva?Lek6SBcJ_-;-*c#ienS7a4}SW5!270ZydP)&7*LIHFQ%|nM4dx(0r^CA?jc~Dz!#|f*B9Uo z1b?l2+r_{Stk7{u_1#Tc%mDTPA!4GgS}9yo9{8qRX89O(rM5S8PpEQ|!o?JQ@+iO1 zpCnGCJkQw{iL+617T1#e<$}(a|6}}KS|)~K50{uo6o)uLs=eIM^j6O}Z0|&HKxLWk z1_cS^yQ-OlzDqyI6;NTnAiWrl6=cw%^!LLjtJ2iUts5r-T1HaV>GqG^6Ml_c($w7#(Tg1* zCOk#*V#PqCwJ%96XMgW<(ag}tq1L*);41huIkQ01sW;2bsN_`r=f*b4Ec@zRCaZ-Rl*hLJ zga2C0;t?4`=*mC>DcxAYE#bL5Xm_oxW#e@sX)or+WU`EP+A~B7th{VzW@`I1hoD*u zlo&=2z@TKLysd|ZHTA9mvynG>;qSa?eT(w+5guX<(I^V{}`ZpDiD%0&JZhFuw`uLdkuQX62 zE_?n|NckTR_IPsYF`iv|=2hzEk0DaOY^@v1{{5xM8kza785#>%=u9pC3XzbJV1I|L zdfP+zY{25lJ^Rr?zd6KvvUFH4Wni7rv+E?`zpPFIKCM~kNhI=uWkq0hXEpC(QHY9~C)ZvqyHPX1x+W0mr(T=}$Q>!N!K1Im6Af-0C95gj(X2R<^-w0UD7I^8s2DswvH!q_uUJ8AQ)SXg(BtXMt 
z@~4**@VE?!vb7|qzNCO+Xi9D0-N@oqU~X%5KFNgNTr(SP4)M+RYz_^F57RB-+^NF% zk|AdA_Pq1he}zl=y14fIx5~jp_{9-+(3h5N|29xXQ1%1p^pq15ikbLumTyu3VHyOb zuEJ0Q!NRV_On#rxd!=*eY8q!_c>w9 zR(%=PkRBo|V(m5B3}W4t0VOG%74Ns&n;dr#GTQbvSQzb6v%krwM?>y{NCSZhu_?ppVd^n<&x*i25z;u^|5Y z`tTYEFK+PvnIfyCa}AhgOvSazt@Fs@f1Nw)Ja2dN!NhV@PD}z7iChh$;{J zHdd>{APs}7i`;+nsSmH%wxfI@WCS+0{@VJH`xNJZF6szo!b&2hz)R?RhX;<=#5|<@eUgdcrW7oo&nE;}zl!ux>q@mLNx+ zt>`794AWI)82LG(yhmZ@E*Um<2D~tBxY~P@$Sm)lO&qn zaA%X_a4FY@Nq$qKRgM+5Vh=y+5AimO%G=@E!RL_^z>)no0?KI#?K?g#9lbI0*QPNa zm;7RjD|l8xcZvFb?*Lnd(T-jGU?3Xrk zR(7UvD9fwIoH6*V36thRxe{rGq%dY1{GIxdz+MNC>;y9=N4gG}I4u&@Ehz2XZwbwr z{;eGiE)r-0q^lDv(q11}wX2t4b;p{mppjL7Ux3SgiwIt*U-NTNu{#SqlhdgEt-zG+ zHDapWCcee`Gl&5VXQ|W{s)AR1q&rEIYzk;ryzbhDLt1o;b@%4y%WVumXB|N7M!EY5Suk*L^8v+{O1-sU~ma3Bzrvzsf}=oGSPrL!U~ zW&N9@K!jC-Jn41U81W)R%+>?&{5#FEffcVRcai=RPE=2fvC27c%5mecB<%8LYtHDnu zumR5g73lN)^VWGIWQG5l%pd$&xfdR4`ur6r^V(|dwjwutee*3h0CH~FU-r%uB>TKG z0r;H94XMR4ri`KJjXx8h?VBTjG^{|QoC0ghJ%tH~Yw3G7c+JGc?Sh}Cc*cBx+PeAR z1_Rg#m*MO%DH5__a)r2>o*57fvCj4?y{Z8C>@?*Euz9W_xn)s5D_i6)=HeP4db&g7 zZ7v^G9gz!kpmd5n!*DRs>?=cPKGxqZC9a4M*Dkt4jcM>1DRV&3<5l+XxBt1?KkJKW zxSQRJFzh)KL3q!3C-~t^8f!N&z*ipYYBp+}JAu{O6p8=@aasZvVx+XPzWgk#r_v|< zdrUd669NC~6jC3cxHW76n`_ymupBxx3ZKN*`}3Zb_bQ)@WFb4Maizdfo?23bUeZ_P zl$#wstG3&_x{$X4 zb{hU-^1PptWmw6AU0}X0-gA)2QVSn9t~$U`$o)^K$-L(eR=Fz6@2jgQ%2^uF|C#Hp zNExvS3si3F?^ATDQwf)plJF7M@NV{DZ+$)=wYAHXK!5t%R~SWqSfjo9tVT`G^k38E zpzfb+1gaW=)C|DEpHp(_O4LZOt!TyTar_q2&5eYC=_LgJw z;$R|X>pJc|R5W+1dEi)fZ^lTuW3dSlf4KaZ-}4AyVF6W# zoFpl0-Sv?j+`RxX9&20c4tLgoS?J`|kooT)%kGNV-k8R7Hf-~QaCz#deJ9Y0>Uxh0 zR02yU{xhilfb;?in7+&>NyL0O!@pVvJaCOOwQn*q7!t;`wg@uPs~oqtRpr)g4yMQ7 zaN*;841<&f1HKkef_Uo~WdM`pwh;~`0oofZW_jhLdx}m5A~~+cN6`i+m&IBDVVChX z-Dp5&VZDO{=q-UNyt195{jS5d0F*WyLKt?I88Kz0n(EL4RG!&ev+YS02=Gxt9d;)e zoe79_1^j8twj36(-j4@por1}EG=RnZ6|E9pp80~AS)fwohbz|%4V=ZNbXOv7;$06$ ztxezH{%szZr|duHspt()wzaLJ)1#fO zay>_R2;l?a;yN+!C_@Xfzo2r!HGVZ!hy0(TIl{9Cy7Crgr=bh70t2qj-j4rm(j44M zY6w6?17tHYmi7H*Uw}@h;gU@PuBKr`4?x?Aq_4aag+UB 
z*%c~#OtO>N5mPfQ988F3Lo`u|OuEot;ZnKOXS~)TY{=1-`WF#|HHQ)>umqqFV&j&$esB8 z%G}+{{9NT~PTZl+fP3+M4}#~&cuuv_9Ed0e>jMStHxbirrO2lLf9$<^IMn<9KU|55 zq*IYd>YOCI%D$H(gu+BsrcPcQZvE=0!I2vLzM&n`#E&sC^OQX(p472-??rOrKX-PhyMM# zU7o9JYHC1og$pm6r0FRefB~PRS>EHQW2eMMmJNbh_g;l*2Oks+V8{b=wBZTl&Bthc zP8My=&!#P|ZBY@oKG<_?N8h^stv63=YDoS6v^ltCtQGCQNmycP5rA;J2xo&Vd1SSFxX zEU3QxSQ$#k5qp<*`%)%H$3Ij5nT#>-^z$G2F%ecLPy|k0(djGH12V|1(8r{?(uO@Alucu79&qYz_?YJPbanw&q?q7(@R1rIEwK z2_W#yOAgQq-VHc$I8!+gMIXg&xo>>wkeaDCNo)$)sArbg@Y)r2EbyPU8k!CS{zvkj z3+90|fOOugNdMIh0?aWC+KP8`xqcwqYtT1z^!?aD%fU*=_AwxdQzsm}?tj|)VFVYs zWP4q{sDa62Yf^W8sT{oK;yGJbJT1Lk<HgbwB%+Z~ckALGv| zwg@QsUzXRpz^U#6`p{Xf4=uZyfz<1tJuh&t9{Hj@c+DdSx4PtT8vNRhCdW@0v$%FlbZCk$==l-MqF3Ud7RUTZ(G7LHlu zlk`hGmniS17!14&04}U_3cvt$&u?C2i|CBy7F+pX7NrbgZ`!bEdGSrq zEiNa8UTeqZy8}{6n%9d!jolsA{exgh|7eJjSa5s8T;RaQZ>C15i-lrY}D3Vplos_`zHs=S7;~L+6SCV8=YxVQa-| z=mz^=ZcR&#tH+r2x783EfaY?y06@_5r5%Dhi$jXVsl%q;X2{E4#Cq8ww08yxK}JU2 zEq~H)wr_NJr?)oszoM^(pF)tmoesxAZ0`Ard&||BfXW7tf`@Jz-$J$_Hi&`oH*&#J z3vAj|!-kWZ!3Ah1ob_o6R-KD6eq>s6lvz-LBIb-jR~ncA+qWm2c}0HN6DHLj;s+bzWVn2Z3XnmT5O(hHjy^a&h=s_ghHI zdBiJ->hW%Z`o9zIDt=T^TN4LvFEVPp#t!{-R1nkUDzQ!2=?ive+@kA`+DtfbqeYPu zFK_hx^TNQ-Q!cXh-yDs13Y2M`IK|%%+pLkG)*bKfu?LhutfN%(Cd@eglmqpp9O|+O zzx)o+Y_KLZcW*tf0-7Drqo#qccnJD0g?Pc;J8M1u{6-D?b@y7ASuE%XNxw_G=(!EP zc`n=n82Zt}X1bbjvCx;9N^rMc)3pCuhE*<2_I7YfA6L(JgL*k#Ah@kv@2+SY1;f|T z&Hf_8Zn#K3PXt~GdEgx%Wjf8%pI_c{jUiqWvJ*73HTb031$5Bk1&17bjDhwLlBG5oJ{PHYI@D(LM9!I1pmCmwh!HaYJ-OjGy8U_vhKdt|G1=g zjestv1|m&{a=n%^8V!!)_hK(Rt2Fk3e&d*qSMOz0DatQO;T1Vn|8dh|Ce^y!TO z7j!>sem(XJX1^aj3&nW6wN0+AxVG;+KV9u^$9BIu?eY*%>+nA=vYgJDr~y(2PqOWN+co25vkA}wsa|)g;x+Wt z7=ymiaHt->D!*eNSLMbaGpkxA;RVx8bOb!g$0d{^Rwm%+nVwaybK0H zlFj%^2jDU|S#&1)l=w4WIt*J6g2hz*rH&JYUrw-5hJU6G!*U-jKRLq5B)->67JB0K`fjD5E7}>Rc+^T?f+dBIjY6RA+}Sw4w|7h$KTAts@-N(gSWP_o~S*>cqLz_ttRflD-l=2d<#Cjz!Fy~ z?e24x;lKPYWd0QrwHm^|t@K*2zs}VvgI<)Fet4fScjOe9B9-8yBf_xUDbvwPL8ru3 zLDzH)EZ-kqGU9hi?iRIZcdIaJxCXRZZ`ebnFLB0ShOa?(SnO?NUrg>YzKa 
z1LD8tbzX~ACf70Sx%n!@eB`o9Xrb6VggQc_A8|jM|~1-2>BYe@>jds^R!cu=VX2J1;L3=bG&qEz`Z}w zvm4k&&0vQB92T<70fQN`MsWA_G;*gNbF!GJ1$DSSF)!kQz#l;K;UseZ0gaR9tlQiv zw#l?6yQ=h#h-5p7w)uKJb>9BRxwCM~kpAS>_po@BBfLA0fo8^%U+D%xt~BnMT1elj zpsMjapi`1?$Q^IF#X7;BbcJ<7q4ZZJm@D1GLxYT@;v8E(S*0xWVMs6X+KKeIjoRJK zuSTTZ!JqtN-R<8=gJXR>9xAgt`sGmE!c=qwo^RO}*Vs}%iVJaj%6}z1Wwa8vJn}6k zE3tuqj2UYMNKEYXipueQJ!E+kq7GSBb*%E)Ur~?v05YwVb@B}_S)Tr*q_qZ`& z9q;Ryo^AIiz7)so9fdzac~?g2h0#=|=(og29VT)+ubI1ru&E(z!rFwnM)R34ZVI7O2hvo&qwv2Do4A)P@3qw5K#0-vm%}&h?NRQd*Uz66<^bE_ zCU5Ol%likui|01F1?jzvn4*+=r_p0G^_fn|R{&P_$4t=_-Zy*`D9a)h=7A?{7I#_J zjjE;)s;~PHscMjRI#2D1J!IVV;{6_N=RYO7r+{KJ;Vzo?CA+ig{Mx znUGSlecbBaQBzmUYKJ~J_7h-Pk|iudfi@!Q#)n?{BQ?TLB1&7=64h4POUFfXv2l9` zPmc{4V3gWuQZbrbB@3L-UD7 z{CRbmI>do^pCed$l(&bpINYo%|KmvSoa=Us;5;S#ZeDJ9jJjtp*W;Z{4SAAbKW^?5 z|8`GWTgI;fV zx@aQ`tK~vM*$VDDUTz2wHN9kr`q^q(A-5f2^jiNKpH=+1p}5mh>l03#bbvqNz&vI= zFY}ujUClZZh5%*E8`>Xr3Lx*He$i)~m)hQMMc|swB^P$1*B>{%y+OAFKGMvFaorWZ zeg!4rCtgWCkDEb`dnr1idgr!5R#3)Cf6t!vff<{u@C@ab9~o~9=^9@3J?q6k9=`+! z8XcBj<r)rPoKN?cFnQgx9cqd zL94vK*8UtIjf|!z_b|^rYT&WyjY$^_+TJApW-^lT`9d5GhgUB4)PlB+B02n#Z*t(+fJ(kwu{x))U4v=&7)CS zXYf<=)uGI+2_^%^6uz3W6|faBTi6P68O@g+bRwG@sCurgmaXaxOTXpg<-g+a@GokO zk15J(j#)+78f5f~UT_CE>+vk2qae&@*EvfFF&w@=n@IV3y_Bfkv0m?Z1^+~QC-Ez+_`<+O5tKwvkn+!EO? 
z_4)o~cL6(A?svrklLcilEq%X>**Jl9@ta&7$plDwW@fTW?PJH4r6v#3S0>0~DefCX zf@XF59bK%^TwOta`gt(wG*+4TA&WyBvv|s^Dmuv>dv2xu1Fj^CWai$XjzWi_Ghmk8 zHq|7?q8KNV)Aou(hWfEP#bgnS1Kk+a-0RD;Rj^@3b;AZjp8}*dbE1c?TFJUKSrT-i z!2m1oi4;D%{Szm8ltqeGPT7nQ^wrFfxLu!fU|;sB-Y;-g5y*vtFOrZaw{D4@)wFNR z74=kx*N-2PL4Lo(y$E0i9h}7T>6uWvnaf(qF@fz`d!fP`ekDEl8V>@kbf-kdgw^4- zC>tcFY^Owe0pvQ7bMqv3)ABCPcp#znW__|APWH9#C}MYn_`2f=S4v_D0Mxp*^-SQ} zr@%NP_cFqaPg}y%ih{vHliy?7saR6z{AH-Nl`kUuuj=W+b1R9h3-YF6dKo zX>d^sb}5*YOQ;WL;LWxsua3zN>W}KpG|kE^?2nGDO^ul@V4O%O^-NN7o=-=`T$%Tx z_hUkYFlU&@U^eXO;4Q5vI5#K?yaps1wGB#fhsi)9lICtJRcsGw34Y~EiR!4^FwJ-q z`8A-sY{&FaPHu3ic-gU=RN<2DiVz=ty?zsQeEh`^{jz&I2?xkHSH8u(_ z4dEn1V)5i;sJ2Ph_QkT8KPghkU1q^J_k=$Dy1Kj-?!gHkn(|oH6$mML+!s9TbD!+m zp1J-uL6sVZXr5HNhAEq5Z_>pQ(M8)L~{ zhEq z_r26yP$$?Pc32n|oA8=nxZl~0fjqo3_vWotgRnf$zI{Ipf_aAph*Jp?4DCSw54M?m zT&hS@&s(d>8$;$i42v-D)4@SaSp3nJP;Gz$RZXniW0#uK2_fm`71p??rih zE(|2N;sTh>6SL-#TD~RFS7baaxnnX#0tv%rtkFHO{b0Jb+)?u74*Hn8OgtDI(S7JD z_=arRBk|>PE-Lz@!kFotSZ~N{+!b#-5BL58BRgwuqLNyxsg+4Y$>eO8@{)JR`u+0v zy+2F71eDgw>lfd|OhVghpf7pXKJmvxLwYcG^~RKr;nh8?Z|ov|ww>Otp}vh}Q+qXh zwLMI2(xquUcvT-e8zacRuD>}F>uG2y4|%rNq~RZ~g?35d(iiEjwl~Gli|uSB%je_+ zJU%!}SW$O%{$B? zu7yRzsR7$3)Whs;^EUEj%CCKwqB@#3l51%3%~y6+Qak4&1-u$ zZxu$?AHzpjTvnnv(h3L2ZsAFLo2zEgq$n3bC<5f+%HU={uf0U0H~ome>!E;M5dR zjn<&2tm=4mz8@zc?@F&4aHp$pS4a<0KRzt6dloX4EIK+sm|?cw0kLwrK9_G;_Br&x zvBcA=%e{}YYQIn}DjhR;y8l@bv0$JJJQe|FH8^&ZgLot(+{z;r(X!Y%UiYj z0Z2s53d)@!XUb&GUWi>c9t+jW$*!9&s8TAp<(o0-kLthjb}+bt;i5THxjYd8R(SGQcqRCsL?{@ZxPfg zQhapTtySYq)77}a_@suvgN6Rcw7%kc3#}wS`3WSYcwhar0HV1~?HZr$^=}H8@K?|% z9+=@`xW4oH!blw|3CNR-mmGTL*pK_Z(qUz7ZH;m#Kj(RXpZM9%B}ach3AmS_SJH%a z!7hcj4l8Z=JwJtcUeHp;-UNUufyNr^q;;F`JTS>|K4iXxyYaMHv9!0*R_A+s{EadU z3~wuOrX9U4#(vN;uEsrF$)}5Pe@g9FX-4f3<3s=HK2TK&{fgh|MX)FFvmF~U8*LO3 z_bzoM%Ah0z_+|E1oGDK7r2HpI%UX#6C|F}UP;FlGQ-^JQM6Q36`|1hJl?RsfuYX4! 
zusLOF9Cg3OXjJrU9(PHbd6b2}O4|6=OomyHXz2)mDmFtRYGZFiUCs(wKSQ$R4!qQ{ zkq=GjkzW6Dy#}GfJ)wn6b;)Y(DYxx4RaM=s^O{mvnea;W%V z?Wmcr%VTC;iv08cn#`sH9 z+>0oQ>T%R5vlM&yRh^E)`m^{smoqiu78mjINtW6sclx$XHnLp{7Nzhn-k~lkdDhVh zgO%t3Yk8+M`KjUR#gh8VcpV`fg7*4b9RSgCG_q5Thc!qqc(mUk_`oKGq9R_YU2~w; z@EIUeu$Sz!ukck6Yi68Dq9sg0d5JaPJ8HWVR4`h(`!Q(fMsn}-iV^toJLRx%qJnGN zp^$ac1SEvuavUwP>W-3L-u*e7h?;qZqV^)ZQ<)naLrBHe_j0h&W2UE2kk5nW-%QDJvc3yC#zWO7?7uN3@9DwBr}9^| zL=Kky^a>ArY-u;Ish#oPx|_gWOlezI(nyt zlGcy7Z%t|P1}mg*Aec>G%Cr7cvV@4Z2lX11O+xQoAGO}0qkmw_X(a1q&7CO<*@5iR zfj5E=wIyr6#MDW+E4F9qSDU|6p4$|cYnHHtejfRVv<1rnxD{ksrrGp4e==84uJ;tS zT%()B>F~J^7PE<49~q& zqe9=z;y!wouI_u?4889x=jBlhM8o3xluYlwn$BwTyATheOyj3(pnZlu$8P1GD)lv% zG*|%C-!7TGQzh^#1sp<4;brc5q8e!Icl}Bb;XPYO_l&Lhi(gb_K6J9NWMS zWfwpcD8rSlxbL?69pdwHzgR-P&r_{S%Hk8u$_`x96LNw^%`h2eQ*VA#obz{Od>JgxvT~;sv;imfB5UuR8#+g8?=z=<6?>g)cngCld;-Z*4f!od1 z4WK<2ie0V-m!3bS8&v6&H!8DeWkV0eM#yB8K5)I@ytVEBW;rt8wX2o{fwUX+l8O-S6hn%wx&`kg$ni}t8;c31%)LXAC1v|#WPTDm3xCvG{7N~-wq|P7sHL_S zULE8XsxPeH7pnU<++?FTjj?hO-E!7xRhOMbyCJO*<(v$!fdOH81E}0J9O9gkX~#$c zXiWn~FVI*QHU0U<mhH4kn*nyR^cX)sv}}YZeoQTfwr|fxRj!U2SrZp!5;) z4ucsA$O*N?dQ!O#*4S3R&L4bC-8Y9GV%v0tAm3aOOLZl=Dn|VKvOG%;_7GpaS5wZ`2d^5`omk{n5z4+NLUxIER{M z+MN;2;WV%MUf7siUK;w+V>0+b6P+2b%^$ZfuYhCEO0k4GDOnv#!Q~n6^`>U!<$0M~3+6|_sJj#-= z5vEFXu(W`3$!TN8n~wrR_dtCpsaffC4b$B>E*)^y{M%K@uWt6btYI6;y#C_y>B@Bh ziC(T$k}CRR{2N@yp=Yg{mk7Ejkw8SBmAze12*t1&{>_$ZYjHdo14}D#`W7n)LmN+y=!JRgR0%W zI`p5uDON#;xry&CTz?bKZ+$wXDQo)e&5jZ$1LZ?)y>-SCCGIpgA$f^m{yr8i)y+*X zi1ge*S=XWB=VViv5D8Kt0duK?yaS6%#@V~@{(N(2a~2PyK0yv`m9w0^{!?+uUr^wzPc@bS^Ng_X9>hc-)|YK z9EQD!u^veEdIx5=8HW<;Nk^>~i|8?_`k?o)cHE=R{u?+E`a(6E)W+xA_1IZ}{*&<2 z_;TF7eHSk<$w4K$Ms5DLBXry&jFLQjkYeTq7FOha_Ln7X-hF#G(0UN7U&*-{>e*af{dY^Bq{j0Ljr=HJllfV^(gWOy7nAvPwS968CCA$;??Cv3GA zmKq>=dHuY2dSI<24cq0OS~M*Hq&BPE8jS>B53e^cFqTAsJoUAX>)$d(Lfz~7peW2; zI+$;qeliIg)yCRhrZn2l`4vJjBABzxW8u-dFeOt)zm9s^m3p}F*NSLM)&nSiJxJNH z{NXAK;)~?#9ly&N6p-OrjXgcqBudKTnISxBUpBJ7{b#`(6?4K9LUK%QCU~uX0f|_8AW-ScW 
z;&OesXP@_+)hT>yCdspX$0Ppk6F0Yw%{jL-nOh!~Ko@;Xx&qV(SPFfFfsgA5>u9kp za}Dh>+r@=BMUf8a*xOO{l-7svQi+A-TU`ln0oDts7BQoV4tM`O)3+Ny(6yxeb)2aJ zw3LG#Drt!kAHvr$Vc=j~Hk=VQ__lJAyY#&{_6B4^A?n8f12o`$z-ZqujPITA=BQV* z&*Z0sPWW}ddzY8Nz`+Mh!Dg``ivD+sZ(z(zs~&uaWNnT#<%$*mQ5UhV5AxnH<#t&KQm{#?Dg>muY^ISDOWfliW>{+w8w0z-tI>T8alo>`@QUx+Xu zgvO&?a=Hr+l+(&mK_iA{<~6^1j^W{Cfz6LO=2mxWwO_5LK5BK~F_%Olv_5{c&~+x# zfvd%1Y_|U0ijBPoJdxtKxck>D_c100ERh6amdU1F?!b_0Z1TOy5|=YA-SL=_qO8#G z-Ni~IE!%k4QMG!;4WAhX7&5peX>)1TG+)ps1I^ayD*<2M{5>D78oHJ0OO~n{5J|QS zH>ZFKF?H}j$&GRy^#cY*f3MAZ=Fa_A%*4|8=~gl2_JoDL;dKWzJIo|;9k9)}g3scM zZnjGV+Mc#-7jJ(nz%lW2#H!;DpHZt+--W0Putn?=ZdXmcc}LQ=`D;v+6mG#t{m$Cv z*Oj-uRqL}qYXuFmwp?yQsR3>kHyO<7yRBeec#37Bdq?5wpMw|5-23ZYtJQmgGl*lf8nDMWe5!mw~s|=KFV%pV-f){0_!<*GGT^W!VruZ*XQv?}Hud z6YhYphlB^%-Oo>#gu_&77I!DF=`k>7n{xSEHdj56S<`bYW_1u{4olC$^?DZ<&E49H zO7xxW^5DVx^1)1n(+>bL-f8_9ZXvb3+}3i+((hR70JWjt%dpe76~O5|zXV4|xTCwu z>^lvCxdXXH;g9VvD(DvNmuQZhm|{OwBNA07gzd# zI*&)xwf;OMJ*XMwY283euEI+}pIR-{%9-vjbA6J<511r)Yx|zEg@}YtdSdGq_j-oa zID*Y{gUEilL5b&NznEplwCW|pt993EV~!EHFrIRTmbQ@D?)0s?B`_2CzZU!LTCNsH z%^AtX8AEkO&8*_({7DE`mQ0h8Zmm^nbl2Nd9Br;VLD^Cg-oNrSZNu90*+~!Pq5E0w zRqrBXUh&!(O3tJ9**rF6gE9tg8+hF>k2{(KGVKC`dtZvxJ-#$y%{ktQmYnQW-F+?c z$}g;+yOc!)<6#<@4|9aebwbL;Fe*uJvSzi1OqcAaLZ)U#KHS;*&_dsJkfD9`O&?)K z=DxGcH9jUYHEjG4a$#_GWgaL@KB550rEOeZyK{2)vv*W4)`+~-ih4~rkal!-1WJ>G zlY}bj-0EvGPy&zKnh(v}bsukyKGta>mGMap2UU}OaPLSPXv>7H@4Cg%o$HRHB8zt! zTTYblHA~7))y4_ZB580Jd6U;%%@$3Hk-}St%Vq(42qVESCc~@AR<+eH?Y|LY66&t8 zAtm1wMHcDo$KS17bWZkA{qeYoJ z8`}#h#;wKMbTvH=OiDcwxVn_vn()3xhn1N6BB#EK1FeUY@C}pJszPq$=#sF<@@U6> z00lH2>_0GsIZ9{-a>J|Y&6Nbz%?}SqQeY|f0m(ST=IqaRKWnU@;OOrAdl4fYl)gYs z@ykBk32qS+K$x$AiF}Q@cgwQe#*miGS(dA~mji%QB~~Xt!*BQZt}XcG<;Fgcz_w)C$H})1&wMR>WwKD6+fzK9!*ko@2og3{ zx4K9Hsu^opfnn<{6G9#J7DB;enum}e7{v&z+f6cMwYrPd66HMo(+V>GTPA`T}>Hh6rm>?06Q?rT? 
znYj~|i36yRK(iD{M4GGlqVeJ=kl6XOwWkr%bDN;*`qFn^O1CacYRbkuHFyb0p99E- zQ15%IeTjM1m-q6^GRp1IOCZ5aU?!NwAGe=HA0f}LnNgKWNFta!1)w9)-|_bfF6`_0 zLuc=l*6|N&?arOw2IZu9)|tGZ(48%3R;oU<3xH##pk`1o->vmX-Jrj^#CYuU zQmFNroI<5D5-e#2qsJObwUFJ1;M~#ML1@WZFa&D?gZ(s0_lXDs!!WE0&sEd|<2?^qUaL&R zY*K5U7au6MzU29gh`9iJ71&IgGMK|%#WmF=GK*O*z8K_)7OXgHsdI9EWs(7MkL`fV zNl=+{U|h^)GWs(oSEIVV7(ztS`3^k*I`ai0P~t=U*>{b`Fi@)Yns)2!@|j z1@?ntywASSX7jj+;K<`+4dW72TVN_2>;c)C3W07nczInyn72^$=`WzX$^NJa!Jr@Z zwiD$s+so>*!OxPE|GpgN4D*A9EV3+ej0&@JXg?+(fllMU@7`V31OT+ROt?pWKV&`HdngjJ zRi1o@GT+yR9~h`*0^y>6!G_=e<-0I^1?xX&G_xy+&(h;g-sy6QeRn-HKn#;j3ZjZTL$_%Tg6;$kn!_!=2~eZYGlt*!Q{{MSE!w4M*t3Bz|* zv%W*SmVgWkPr#0+K@=Dr)^4oU+;!ulc?= z*IvfstbPN~<|uF6u3|El$XZi?;1bn9AtZPLI57om-7lQ+gA0IsOaV0T04{&>bQb`> zZ#QoPwtgU%7#tTu?vy8%KuX5|H^a~IzrJ#fjl?-Nwa~G;AUgPVs%qQ(W-?`;o+^z1 zOHqF&8OnF+%NVZ}<%XFKK( z@C57h?pcyD#w!rONH$te{5R1LpAEPffu25|?-Mq&y^^mwkh>{_I(|Q6x6x{U68zwBh4#+|KHeEG_(uv=7wc@gMXf1A}rAJ?vb2t z_eK*NDCkil2~pK&O{3P24L}Wffl@gOFx4Y6r2S^PI^nn6E4(Le>=pk^P+jDEuwsGl zb5Yh9XNJ;NZuq~{O8kHjhiN8pVk~WRlI6XqCYjz;6OhHV-_kYS{+nvZdad$OV=H4m z1?Rmw)7=4AonX?kfCYjdlLZ>nTY~~j?=%@81#+T&1a!LjWo9`8sSttfWxl0CelPDO z!_*&^4e@>cGEJ6Vb!{1d!hlF;VpUaptBXpJ)(hZt&g5S?$eJRXJ}9NrS5Mv@WPs|K ziQ`zwvFr>1C3sy9-!P4YFNhPoWQF1GNSOiDrw=KBFtfR@JQ^>v3owPiJTwpt1RU#f zV*5j7xqy$tY;Wc0`8dEn-Xqarcgjq&fj0VViZ=ZRQ1yT_qa)|swn~iw6UoWs#bsd^ z8-S3&QzEH%uDx=wDDOk|Y;EceFj`)1kH-W8HTF9yZ23S?6&NY6ZcX9WDWJn5?>_x? 
z41j#=^TVVpakaj{7G^JG2;O;X0 z?e5zO_Po^i2+-gE6JP0n+)0V*(Xxkd=0qc$&>fsa#C8D>r%$-__C@50m zIW^mR8_Pi+Bq(ZwLxiE+=UQTu%5gh{LyutAt=S1J?JTz8L@DRmZGs?A&tN^$s;-aA ztIA{y)Cl3=T-tfap15B*VF1Y_up9@r!)dfAx>kGor<~spYq%$^H+e8(xijeFXH^t_ zYAe3~3*--b=R!8T&yQQSBG>tPNkgTxx@a&am(6V&L5J-qni@wofR0y}p>il?@U<&D z$a0WTs=Eo9GvJ+fn_mGGN*_GUuYAed^9Lr6vd)^uAN2^yw6cSK%m7LhxZ99gc`LKt zP6U&pl0B6zKYsb}**OxBDu~QNLGkG4(|}{eC=ZoYje6F)Tu5_0$DY9#WyLKWpBD28 zu*dD2agkX$fc6Bb%rSi-o8?m4#I9(0ytdo8Da^fHs{^w~-Eszt^M_^`Ars^g5a}k+ z{;5y%YW~X$Xm)d0skSNgTrAzx zUD96D#3;aXl&MXPWoIm0>ppd`4_@|+UwP2%_N^kEeJdL&vZAGr-9830v?RuwwLe={ zm*)Ah2BG9!LZzKkJ-0FANKg24=kg(ix4*JmAkVAT5U}VA=mGxCHdl&g-^R~h5b9XX zx>$4c8RiD3^BgBis%gz(r+WWo?JL>gyW4fInCYB`Q%$P$GCD0i#Iw|IMsjopAzSJb z_ukat0k1;w}@fSs7S04p8YgF&yL zUm*_%p+d(r%K#TEE2L`#g$eLMx#v_me%iD@l}*Hjhojt8EKfsnpX{G_j$lRZbgR6V%VaZP`_HCDb^wurDi2%x7NFe-ZoQe2@D>$n!_Azub{GfOUs+Tx0dRhF8>exjHOk5 zyQhb+2#~r&efja@qgTCObCycKYI&zq=AhAWHGHShYUs<8h*zFtCUZGFkKw-w!r*cV z$T;Tgp1#SHD(uIv#fe~^VZa8ic|sRID=A|2VAUvF5tijzPvBy|ZOPFs#{eY%S2qT7 zC-vG#z>I7r(Jbu&la1DsTEL3vr`?)Ux%m?ko zxnxP}d1i(|X91_v8u6klBX=$D8Ixz$Djb%T6V@j?9W;|U89wZ!J}wf2BG1ncHbj8a zm>CaonEsyuy-}xY_p{I%07rHvTID*apVpkvVA@mbI`to|j>)|PZeO-*i@el>AdUwn ze=nwL75;;we`Wg2*W!P241g*Hx7%P$ta0sMp^i^f2Z49JUdn$G;YIv0#$m~!`5p*n ziQz2a!wkj{zokC!@Njtq_d?Gt_s^c6@Jmd%F!^zxF7H){_kAV?otf=ymCT|wjf)H< z4(Gr2UA;d+^cD~WWat3-g7M*zWw(r8`Qy z0WvzV+@l6w4WqxKxcwQ- zYK-6dWU>Fk!}#5Mi6}+to$>Q#FG*3T<3%OJ=W~#j7WPR*#`ET+=xV z{y;~aH$}WVN=8-RjCwCMaXxpgun*w*leyUvB;ydQA= z-}t#MJ2#XdmOyH>+EM5FNsK41c{K0+rag9;EoMPh%sh+;=@QjHpuyT6x;zo6NtH59ji_`+c~|iPJ1e2@Ej&*lqHCw zA;+CnFTodcmKJ@XMZXFLjjQgrHM;HBR0>TduB9{cnq6tD?o(7pAKAWKB>{bPGS{bq zVZR(EJ&GY?9d)Bs@Riu3qMmoO0#*KJ>?yYKYZBI5A98fL zS?6(zJyk6=xu+m+WdkOTt5rU0UkAo9Zj*!+6JJCwwaPW6-WqaxxLTWwL|P9YwtJMh zT5>PzxoQmFpZdTs&H3Tj>|z#h2Vd_fo9bD4LeAAH%I!}o6z^uXn?un@p~>DV49=`_ zgWcJ@NGD8C@hIRe-S>QQovt~mv0Aa^#uwnBO2U={eH`p?_f7vgs+Sn1tOUyd@?I-+ zc`E~QA*^Ilgf=#isr`g3P}OZv>BKMR|ISuk`BH0k{h(^_o#^(wc*oJYu~o=fOD$x$ 
zjEeO!WK4ot*n?B-nANw_FKRf!ZM>TbYAwSN^4O!>oAS`_H{NemQJgmj(_5X zj798xu5CmKU|M%ivHU@!GlhyMCE_k6AU)mUaAZv`e1h|N22@{P{W*F zefrmHkM+W_al5s!-z`!)hnLN)5EgCg1)iU^63;EBTtodXBsv$}S}zPK`}__V2tNdw zg)V20TYdd+{ZdhhXBEFUIMwx97+I3Llvba8)D_gfws=YB`UQPk`ZbAxe5c)&j*%TL z>`Nd5B`UHQqKLFTORv1Sw#_ah-*D+qo0uprvsi&w!S8e3k+X??zmDu4f779N&Kgq{ z&I-Y5Me>i_g6$tGtS=a@@+v>LgK~eIuasNkY+52{r1~N<1dJFZT<)2yhA|=EjV1uZ zH&W%Ix+ZQ&g|3U=`OsGsys_RtP_4jv5Ht5JM4YXgTDEWH zYx>PZ9W}HjL!9+9?X)GLIc4>G?IqY47}IV)X#OxW%2`Os#UZhP*B_%&IdbZ7OjU2*A^@)!amM_%cEvnxCG(t9v31RXHZ2X9%_4JA#%qj>xiYN zL<-*>qd$P}w&vh+N^CS&ift=`_Ls2Q!_u8z=gNSDKLg~~M|3RZkV8Q4@q4nAZ8B+^ zRyx%;W6|njp2ri6=BiN%F65^OQ;iY7*K>Vw0=glrFZBwh2K+(4gC|utpF6U@C@MkXgWFdjy&BhM-djb|J!|Cx{c&|hJX|Ii{4eS zp0Sq+s-@>81MWb@*y}&V*?9db&_P}>BV|G6%WH9+E#DE81$r1HTdIovBdOwq%X4ob zo8lsTKV;S$Z@1pmEOqs;kg*xN*0>zxV8v_FeTn@*}J5< zT83CKs?>hqfDdmhdgiwYzp3Y80e#8(3{!F2OfvK~wHbD@OSWuiRdh$(G!NSr@2^2RnysY`|!}`HRvZ1a7R0dp6Ccm=FqVTR9eJ@MXK0Y z1<+aJat5vfe+(5&T+%z;FcJTDR?85#FwhwrS@a1JU&4Q!_{1$$tHTM$_lzTU_Q5TA z38)%te5-A^o8l>l9Xd`~Hh{RuCghs-C)%{gDQ>6U1eZThRon)3%yHt@mxo$ZG$H6B z;`~id#Xlu$c9h!MkRM1My%pz~T_fnfnm?h-$wH1ELA)(7t9*hRKZR^a_yZPKYj(6V zQ+0Hs-xsmV*x2$xX8^C)w%zY0j8~#z1BUXCHKQA?D~K(&KeaUHf*D=8f(RG?>T=t= z?$(ot9L{~n>ma&SE-hRxRX8Tr|46qlkOry(M(H#tl!uwa#N7luH6fvCHn0J5ya+NK zJ(OvI@c*Sc{;2QC1#}ra{@#R4%Z&X6)mEk5##KJN;U)ZULaNn$ep0I11Ac}1J^6Ps zttL~nsqdHvlj0=bM}V`=A_wn=JtY^{i-nwY6^T$UZNSsqn&RO@DzZ!Oyb%SBO|qT{ zjCFtJZ@Oav5P{5b$x`QsI%HV9(A*hY-q(Xyisrx%n~lB0{MTP$BAR?;tWtEv4g2_S zFY^AGAk1SEPiYtTXmG2W#5~Sl{KJxxA2eFkhW=f^h(Q4*&;MfYKckx5+AUxh#kLhh zREo4%wvCR`TTleHARtO_5s==iv?O*E1Z)&(5l}z^L|W(xf)D{A0z!b$5kl{wBqaG( zbf0scXN+%*_y0TI^}`YkxwG2U<~8S!3-eyYGq16^>^&p3P*|jTetPf-V#CYI6ffd^ zqO!cimFiJ15%~tQ@qEMZ-#X*m~sxI5+sq32`uUWwz;#+MqAJ_ z=+T`ou)4)&>DmSAiP@r5iSh>Y=RD>tYqm)Egp-nJc+U&O!Y4L08fh6ovps{fWkF&I zAz~;YVvLD1Q5xc!7I^Qk#993rD;v$E!6K%na$!%zKW8C;g%W;S=6$*;QAz~XmP>l* zR_PbkFgAfONoi`16^09%cV93MYRr9KP%QkaQn>u(ZX6KN^g^ftUKZA;RG-K9=KEd& zQOWjfz#P3cF{_}49Zp%Q^q<%nDbt4tpR0x_Xc&67&-PRm3%QM;VU_6%m8KQ%E<=gj 
ze{mEVfK8IPH2>0mC3mb_eDHq2jM|7bh2+nVSemUiNtozd3PGQY3*oVnIG7Mh2iGWj z2pt-6dskj02LiaW5z@)!aTnZE6w^QWz=+3|esG6){uy(8FD_7eWA{he z$6rsmg#)ykZX0}NS3{%pH1q16~olU zo;J)q<(+yGOr~1ey(~QmM3*!TR_%yl3O2fzjs?06zIEFQL6=^m=IXNcHvE&jyING?CE@b2 zf{8PO{HoIBaCuP1K9%k?22zOUDL zEDBalNvYuXKYQax(7_}5Ma6?p_mrr^#Q$s!QEIpB_2ZS@s-MIZ&|q^|^>)vCXFq@{ z+|5?Crj}+=JU!}liM{KrX;o*ds1M=ewZ4vuQ|srR&y_x9)buGnvss+7 z6-&iFeZDxsMlyH#A1etXh$0P#;xa3pFJdD%`Y*cnU#sGX;Pg`F35J!qnS3cOsF)a7 zWAt9-cE9L_aWdL9<<@a(p%OTqT4A6-QgAcd`l6Yok|dxF)(4UXBsofmNGwkcJKdkv z-BT-X{J!pb&6mCRv902L9GtD0tpVjbsirN3Co$Fr&o!@I zkEqOw9t4h=QGxoOyHsoPLRwC^V7X9D*jkP)X}(0gvH1PnUe&A*?gK$TEe&ls<#c`1 zZl${=E@xjyV_r+noe)Sd%~tRz(34ul$@#q>X?B>lZuCfVW26Kd+eB4{j|WWso}ROX zO~3wbdYILOeINxuhwWABir(DE7M-5kBo=r`=^ym~$Gl8_99bo{XCEJrBL$}VW#2Fb!&2U&$5LbUyU~UbYccAzPu26YV`H-^}_QQmU*N!6r zC252GjyIIPs2q8z&)-`AIvp@vaJ;VsB&Df<1d6RA^gRiX`^Eqg)|96Y>q}kQLC^Mp zOih&$`p&NV*mH#sr9Pp=yG+&sfR5!<2vgSD(QqBh5pj>Bn4qZ1C)k0%$ssyfoDOWU1@Pk0y{|GT)M}u=}}&7oWssQ;J>0eZO9Gg z_s#<@hHfOFgDs{!1uVRLcGwSzgvQ|Rbr6HSo;zmTh;}&04H?=G8i)Se;bs4T91g|>lk{sr8> zN_(1n3TE<8TaJuaiLK9rwvY;=Om}wxH!d3N`DoDJ_J^qRe)I9=+XpPEYWb<4fhJ;b z&=)UtVCv#yS8iUe=@BRd_kER%@bI&m#}5_rllO(#>X1HGB@*IxaUbIjww}YXS))N&41^1@ zmv-g1k%AzIyofKWv!$P87unEH;gDx)%xI|!x3F?wGx<8%pJ+H^<~-`xT#!Y9<*T`F ztynF$x-7!ej=xeC0W0#a`1CU8?s)DXt|tzzo;R;{$NDI7=ep}Peo^J;OX*#9m^f}& z95AU*Vv}0E0jl9&X7mlze86G8nZbXElQU2Kzt_XfXb@B!CO0hpSB~N|t8mQMk;MvpM)AIN%7tAH> z>1}<{S04;-Q!Vp}C8H%*U(aPF_>F0vS1AQuKx!3J}EM_sEb%^hOr&}k* zDQsTwhivD~T{OoXagXvkp|Air{(e=P8~u9_K&>D@dFbz^p=-Zuf$Zsef9a>b zJK!Nks=e8}-|YBc4JD%nK3771lxR>2OwS#dyqgUmls|6EoCP}2bC`q6?%Tghv4FnO zcbAgEOU3-EhI%$pxKilyNk~?ix5^zYg|_@=^m4OQf&>hASv{Y&94OzPrpG}92{2v#ZmkIn#YL^HUs*Xj+yRU zN_Eyp$xnsBuIXV&^7(+g>mazN4>jblg$vkNBI&K6ZOxx5 z;p@}+2eZu|v1`=q$^o0cERKCu4%{JZEEIvzmVsUBTM?>YdmO0QKXMT55B{L3{(VGV zQ1GW_8vbT~3Z4zBt6^4q4zX2dmNw8ZWBj{`{%x!oV z``7~nT#Vc)KtGk8=Sv@0B50261Sp55XM=F^cNJDma*8+L4DsX6o*$%6* zut%r>8QT9F?-x9qWtTZN3GqyEfx&hLHxt8@2yhs!1Zs8z6-wLgGrqP+Iz9(nV*|PW 
zLv(oR2k2=E)QcBur(Tf*th@ni0h@c;xkkTHRKbPzg(_T;fb|)un+&sMk@0nGBtO1@ z7BMGPQ3;6Qf6Hh6i(uqP@d4z*xWoELn^X^`0}Fr`h5%vlJe!Bfrqso-$aC$s=tO0) z)6fi1B}%>I98e^|etvnk-oyv2tyjBi4lYeG_pvOHPeR|&=9WB16hX%!-k(v(KFIGG z)}QY@P+KU2(W58Wo_tSF&m`@=U_-r>6C02MuEaqMV*3z2^199!Ht8;}8+*z)IFwr? zucelk_0kjo_n1?EiSy!MV296&cMWnx^EVqE?8z%0G4TsbAk%J)1P~VOY69TG)@yy$ z!RQD;_8aN>1t=ul|Ca^4{`$`@hdVuc*?g0mTNB89H-l23)u|VV<*EfxD-tN(Yyt!U zr8-Tktv=5j>ZSRMsfVA`+_NK~;mN?WN;aS0^fO!lqB3AU+@f6$aUv_T@DV4$K1mv7 z&0>!D-a_(uo(R=qu=g5k>M-ZrIr-Ymimcutwow-bNb%GIKY&x_eLSm{eZ{8(F$Xq> z;K*$|ptY@vf`{>istBq3w-=&pQ;4tc=Sw_b@vS_l)ho3x{pwBJc_YIKZB(V&Ijk?{9 z0Q2eR=_HhdMbURQyx01n^{(E{Wl*Vsb68%vv-csJ{m_@VaROX zQ80~?b_=)45j%`u?w!wjtiF&)-++#NOVqj+I)^gcy=T}{Q_m7 zJ_eA+7(pc-*u~+dVtxg|R)S&|rhJ?TFIGlc*l-oh4TEgvLAMQ%%wekqA!^y$C&4oT zxxZy?dK64&mw_r!2nxx3H#fK)0$KdI9G+bdP$NS?7$iWOZ{YtwKJKR*?ITy}he27t z-e4QR*34#kjn@2nGufv5*WD64~I}4a0M*teo=?d zR(yTGvL3?4jrL!++M3`Tikxe%);+8Paq%9k?Bqc^SA$+hhANmyFv>z6Kahx#^;2)C zcQZK5h#U+StmQi z0S>J;6R_Z;pI3((a+|Ep%)XgiF+P+mK1gOur2~{gWQE%k#HYq3as`n(-`U7RXE!e< z>FKb{D~iC;0*dpmgsUIy&f{+exKo4MxvNCn+D<9ndaGMo>V0@@>bW5Igz2e;WBXe)&T|;fc$GGx; zF>zuaMIwGr9mo0GiL!pSk9OzFnAEicx+!_ugPIsjT zri^#p-*cBzD&faSecG1ya*#6iky#FTY!C}Yxc8n;BY8}bq)7*H!djafp#czI9uhkB z`Co!}N4hE5Aok*5c$?JrLRK}N4R9eV7j-_IR!tfR)jBIwq&1gaaT+aVNuU9H5@=^o z>Q5vt;-UEOK)i4ap^BBtnw_y`V%IrH|NZzTf{@CDs6(x!R3uC-v!#;jR zhVvMfv2B{?iApBh5>|i%_}b@ItWUn!?C=mzBSs#aJVgFyQ%^K)(F~oZ%a@n`)AXLF znSy>oJi9S7%H)|p0I=-kd!JwV^B&G@I_WYHW+84LBwq2YHMwb3h?E%p@~TaERT1?2huQpWOi-pP~SrtbyMyk_y% zHuuCADP*()uFqEPFh{0%ua=gwcTdf=xe?Q)Y{Ye<@&wQYYmc%}$Y9(bOq8*PCVbSC zo>4)^qL+(iLlxj;myO0iDyhWn-PMnh*>Ai0v;|+3L%KXg_=KekmH?9jkR|9~x!HGD zF!-KU@=0PDAC+8ZtV*92a}>p9U%LB^i~!y9xnuEL!M4*|KeqT0y(M3J!kP<9y-9xW zCWLtMOdI*!;PaN<#m5WJcX)sfpv95({9r&A9ZSAfxf~myJJbU!1T?O9z_)&j0l4(; zMC!dw<87oZ=^~PkZox?MWt}U=Gnw0HVMf`ylDD#9t_qkM8!c@mg+CbND@v^P?G(Sx zAbm!H>usMOjlzaQS`sg^h36|%ciAA#TtGswfBn$lg&{u|_`*61RR`ULMdQ}?5Ywh- zl2cNqTMDM*GLrMBi)I&F3i1nzF1TXTU%DUtw#O??QSnZjuB1!3*Dra+2KU6WD~h9c 
zVX;~#Us~?rPkp&pS20=VpZl^gM|Mjc`1{nU$NWdEweEaHuB%nEa@UGF?1te>*O&BB z#$Ta}5v~l>B+w>ZT6!wT?<;RCtl$wfDFegRD)MpEyvaid5o1h+y9iBxa&^~Cie>M zZ|MfYig;9onw7B|rM$i4HNC6Fzjdv7KgV{tV-deCBp`m&ZyvpM=ai2xO1W6kC3PpI zP#v~@p2pWW$Juj=Npzsgk!)`ZSHnYVrDLh)En`aoTgph~qiw32pa5mO_jkpx)QP}e+;JYkZw-808daD4R4Rupy7|5SK?XGsuD7ct z$!T7#jcq2d@S!FA z`w**@tt;CsJJEe{N=hqJ=ZAmx;CDghQGfBIBic%#zCYH4+qcZ;%1Ln-nH_~YQ}PX! z+p*#6XOO8Xn}vv~N$*cAbDuIADm_j~Y-QiyIYheBR0|!`DeTNqZDTen+jgZhf7$(8 zW~8SlN+5j2+H+;RsVU3^ zQJB1Wn-O(%dmLfP71#R3EFgG18Jc)(wMsyWS#%V`z=dx)Gzmf- z-pOktdF5-OV@|ppKjvnB^W@c6Y&d1{3)_J)rO-%#Wpm_S=2x$fL;T--4-S%3I^ zdSq`hCDt?2KfP2Rhd4n>4cPS_w^58~5?d`VwM1k)?ro2=7^cV- zqFaMkOS|LMS8E)}h#ex!b`PdBSxNk~j8(}8#Xa|jbkup8*NoMfdKW6~5B~%HxF@V_ zRcC;9#QjXV5oFFMck)p6O06It(@{)-vkER#(H0B5BZ-` z!B5Q)!^f8dd*{JHKYEIMfZY6qN|Qm9zkXC%3~@w0&OhlR#y>Wr%;Y^Tjg&oV_9pw` z^)QuFutDFD!8M#DF_oB9yOdhKTCyhRy@}WZ)=>7inVn3_D#c}T&eqKFgull8JZh(s zM1gP9uG>a@;z`10n~VhDXQ33&ziAoB7Bp_wCn2PWpg=2-BibO_KT9I}HFDZejT`0h zaH+$uFzHSH(VFJ&A+@WT81cKWCSmD}hA;b4lNo_%|4ZjM-?PG8%nf$w~A$M~@i`fKWJ z@;Pa@GTO|`TB(((QW>b)P#%(F9!ER+PXT6NgcLIi)`DnJC4?w7Kdjpv=un&S4ff$V zKeT0I^byaZ-<2AfZpH2-k|?7e8!Eco*ljcyETF(;wC>8i0%i|w}xcrxfB@I$x- za`P?P>lef9@Xuz?_R!cQsNgfygBRPYo}UE8=qnq~kHxS`BmMFH{zUqvI31BUFNsMz z)g`l`ze1X4ayJJzY2i?I5?C-gzbNVM_FBF!%HKJ*h)^EE_&a*6z_#j=#zvo$&a3xZ zT+#;@zRE4E&Jh z6k{Ms<`c!!by8-C5YhV?gVP&j_@eWDs%jv^T8>6FToq6BKzP!h% z5)PooiY&&$t(dp0m@2KI+(L6PD`pPAjARxmYiA$g%rHpd7D8E1loePD4sEL*>T5}4 zM(_0HF9n^!??Q@Dl2)~q7XJ6$_KSvUtu)Oq#fez;SL~=*GboXTUomjq;_S$FIiHD? 
z+uIge+DJ`LuT5+F#~$b@-`x0g+awRlfK}-vwv;$AV8`6sPYcZHsWL6!i5x1L9W1a= zK&p|`;w>1ejyC(U{Px!55?~{5nLY6^BbF@U`oNaM66{2WW9SPO1gR)f_c?2O`w)j# z;3NKhOsWL_pWHz@WhP>CCv4LD1*|gMym7@p!uc?#F%&x!q=vrahq!&**8`y2Q;bw5 zBbt^`jQL!(+TvE<-D{~C=2G~~80QK)ck51bQMYf{l#+M*@Lh{`fmPuqk?BuKbo0ZD zif?k`ov|L1N?B+NjM0ed%vZq`NKv|in*GB3nmV$le6Y5z7@2P>1%*+(DVM>+l_ay6^xWR3>oQzvP37&( z<3)Ei%lxQOGsx|vy)&%Zot`p}35bVw1n@zaL}{yJ^8!r9KEN5o1-d05OH87UWkqFO zO^6L0e}EG+z`w6Z2*QGG_hDt1`D}dA%@mfC%A-%6sXs-o#nw0f{6rp+eX?^-x|zF| z_?V&;5<47}U{)tLPZVCypG=^B^gU%fLPDhBk2F<%inm9ciF%o@{8{Tf1uY_})R-$+&T7DwdE(T-D$ zBme3CM+CoR_AFH682tjXC<)E2C%Bn8!o=p$Y*?rMG3Azi>MIKAo)rJ$oNhlT!-^ae zy*F6g7$Dq&iJ7pC2|NrI_q{ONc#Wsrc;QJsWK#U1ve#1j&Jk-nXbY(=zli$Ss?^17 zqp*h(wh#@YynxNTa85Y1SAl#!bEk<#(=1C-y7pONcaa$$VTQ?%pQKjYoA$KH? zSzaY5HW6hQdB&Tm9YIRl#gV7z<}j)toFs5+NLQ*E&+4SL`d3Ls+#{z}R|4~8Bk3xu zaPaF>pzeG;Gu8n{_rNGwY`6cs!@LoCcsYnBMcm2pmTjzGV7>@~)iDsLj#s6PzzJ5ix!qM*S0OV#$AP%s@FQ~VIBh| z&IaKVu}b0gOHIt@YvrBcYo4D&85U-lO43CHosDkfdbXogvGFXGGLAqj2usm!!TQhS z{~Qb<7wROWO5&yC0t=aqyuS}`=XCh>3j*id)~oK=>Zt(mVzj5?iq2w5B;$ig=q1>( z>fhE28#DKh04&nPd1N)xpA1v+v&C&BN{H$?e8`t+Ah_lh8|TwrZo1BcI-30_?gc5F zEQJ0Gf>$dk%-UrJpZ6?|VxQrf;e^fYk~zoPo&B&rMqg_E^NWEqo#^NhR`Cm`w!60Cz_BLEjPI zobl9jIn7}=ijsvt8HMU9vY`I9o25Oe*j2@!z7ajb?Ij`f#K{>tt+d;0+)@89l!Po5 zy1$qpBeHpRK1IUir^QkGnh^9Ak(S>N7#xJb7!@(UJ2Hs=>eo=DDpGop@MLF8=Y{f!V`OCLOJvX3OBr~vAU}lTFLte$qbAh_ zg>Ir&ZaId%h@bl#gRA~bN*c{RVq_Z_J!kEoe&OJew+YZUXqryW`5a@J<{lQ!)K)k} zekQ3&AtfJIPE*I&N9OSF8VtB8|24d*+Jmf6N^3X-RbMCr77N<87nzlJWoOmG_E5pB z_Ap9Lv&c0;`)4r&v@SXN!=*Q@ypX-uA@p1GndzRc?M3${;bN$^W`#*h1V4$9_3erX zM)%aTt#kEGRiIV2Q+4Rdcm_j(nUfm*@SxQ^@xX2Zwb%0ANq=e%;R_zf!E=Wl7jYv1x_A98UFT|_iXWt<-$52z8y7l>1Z2?+hp7}x|qn@7VX@;Rf#>mYYYZm)^Z-PhG$sFzzEO7 z0ZXU zP9?rchAt6x=N5p0!QpJ}Ei^ZZhu{}&zx;SZELYB;qA=?{jJ4iesF(&O@5l}mr37UV z3}8||6Ra)z#{_cY90x~`4~TkY?9*}ZIpmEI+ye9?Z#j9DC5QOZYQ;?;ES$w_R9l)4 zn#U4Zgn)gw(XxKE4$&N*H*OyuZ1x71)&2?B25k`Zo)9>z%E0=RDy3NM2?!kV0ToR9 zw)kbE^}-#)VG-*%{!5!BPdATIF7s>DQhm7Xm?(h+1)aH_YZ>Q2c)o}{*-2R 
zwAR##T-30{)(P0Y_^X^$6g;7cVzu&Q#WwH!6iSn^GSFwbv)W(jue82L&1olDj&vLa zRh+d^Ls1eyCE|Os$+{9vbWQh&tme{AyKj!dJPT-Lbk1P8jk)M-sos@zq zBFN#;d){8u(AnjvQe2xqzCV3K?kOk7Sz6ifj7Q2m4F>_G%Ng%=UHg7cgbHQ@3Gh`SUiR#%Sl#KwFgRGPVguA}rUL4}Y=b(oJimSda+{o*Kk< z`#T@$@wG*h^Fg-Cvg3}&c`lKxR_{F_6T&qn#Y%H+#4dxHu*J68a!LxjnRg158B{6TiE zp}y!6m_WnS5rb}f5!51skuWptip5rw5A4R+;|s>ND$_NW79Fkp$!^t_Y>$&Y=Jo&g zt#^LE@cWlLet&G%pI5Y!{*xf&zVzAu1i;wo|0nlP_1pi%^8^8z!T^Zz)d_Yc?67i(rx2_m=4wuCvRr9mfy7p)DyWm-MkDgpdpt71nT zA-Qpz8Q>RQDzvM?0)OrIczO=3$b0lP%kx*&sNO8bhT({)$|aCzkOCUgRf^Qnqx*97 zHD&TUx^)+D^mC-CoK|orz3fn(``!w#*tC!Mc+6P&l;OJoSU3QKc?QlSG`D}fSqEyU zxoqF12lnE;w7ykgcU`%^w6+rOis4Z5WvGZ@5OgMGk;Z8oNu(P2eymv*R%$$Lj8w!WO zJHEX-p9|#8NK*q;YmKL65?6Dfv`(m*Pas@)HnYjj9mr6)qu`pUfNiF0eT4uaJ;g57 z1!K@afEfWDU}y$iBs#)_OQMXS`6b2fzqwd$VDtV1%$yb6OTH4x_Z?U+fGw z5IawZQ<<9Hb*TCpUxy5{Q9$Tv+T#cA7AoJXbDt^*?_C_|^kV7ctpR|hQ6p}n$1yVZ z3h~R2S-B6QhXkZ0#rvDFI(vVGrlDcxJCN=s9J}+(bFn7^4OOS>IiuarD2I@}D{?kRkoe?` z#Up$!Jj@+RSC0iu;ZA}jnVXXk7PR*GucoSF-HUZ3`xz7>)H)ovqo8BV#^bj4o1}Nd z7G+}dNYHK7Uj{JAsn|8y4npu;Z_m_pq0HvB{?D(-7fAhFYRrz^|4WCHy;VV_4Us z(?4wXW$FAM%|sf3NWYiQ^q)UV)FBEZ8S|Kq*WZ6b7?S`Vr8fI*tcj70AzFX~M_@?CQTpbJ zBzoVGAO!U|cp4`)zvE3_R~oT1v^Gt71zQGk3j-o*`Ou2-VriUm84xji3XUT+adP5F zg+KneM<+p)-tHK&I|kAuf@+{ z7SHIm!^WMM>4^{5@m`@m>-S*422KI(?jrW8Ny@v+ULLX05vlqQt`8q8xZRqP6Hb5Rn{RAL%)WLzZUbu-RxzFJ(?kK3cEE!7le!r(|&k_jp+J; zNM>>&76*fdcsWyt*q3c5CGGYN0V(X6DJkE;Jzaoz!7eqML3rtsHSQ%DF<2>_vM<5r zQ+Qe{`6yj}!+ZL!TBFvJ2WPkh=i2Dv);pqWO)9sMnj1~u-(8OJo(_UFPi*oSs}=Tj zi2RBRlv`}BqLloNm9PNbD)hZ$W} z972NH%XgDx{f3*9&qF&BNRW65D#fyfSWZa`3~`2x54O&IUz>C~(iVNv|Ha(jT#-OC zoiCxr2}yu|td;V&p@#C21vWn>=j?mk;Bj8NBq5Ok1=7#dA;DTG*R- z!(n4NNil7ZJSiU#AyZvpZ%HMoB>EfvdSwPS4 zltS+^sB1ugge%zIU3``6M3>KuvG?A0xvobc#sF%A>C{W6G@esAOPku!d4zusJq z@h{%V|179|J5Af^0vRn7VpS~d`*JpGq`y#YGK~^zQU%|RJ?wciF_Yc0z3ueu|0PSq1U&SARDp`E(L_QANz`rPKCGvW30gZ2 z;j=T9SYFJticLUyP6##?i??mE4x}WavO$G5TR|0?-8AC7t$a;zo9$fHZBM0^%hgqU zWTribAK%Or6d>Sj|56b{A{q6ZP1vtn`P2=a`BV`u-{Wr&%h`#%v2@+z2{2jYxxTkc 
zQD!jdnIPC#)y2w*ILASd(!`K(&t|fO{0lCNrM9l=G>s;^epeu^3yD##iLeqREPC1P z>915|5)pERuOss|-Z93qL2EC+nBZf9f0Ui08JZ;MgRM?#BOMG<5#i>}!De z&F3Bx+g+G%o}%MCaRAo5@`;C0acr^R7Q*Wj6h_OhEjaMdeBlw(%N4o1U=n8srw4$qq&(&o#fDg^H0PZto(D!>Eg+RVRz)oIrdNnt?(3_^#X9h}kQ^p2=>! zb4|0q(LKHMf*+YQIdL;sM4KySf^8>F_q;ES zgCsX9Ea%%e?hRhnkMiMqc_uliT4r@QbiRo7@ai|dDjxOGrS6@uwP=S)!Xu`p;ves7 z-Y4X$;8v`C=I{fzD#KSD zlyp~>NMQg}c&!~Z=}|Z7tay;s6n28*YBo8iD?}~F&&4=5)pCmNW2WMV)rLTtIbjo1 z>wCt}obOiK>gt(iTMdVZ0*$BNk}mAAmWdjh)n+|9v9E((itE8h$VgxdJ**f*9S;t0 zDn)Q{^X`t@&W`ppdtdr0S#ke@T4Beqh0j!fOtvcg~b^Ql+~l&60!gtp-8 zsg0iWeoogfrCW&1S=uv_G*pKK!f-D1)A`p3^4l>SlLT~MQu>}9fXoCV#Nv_IKIW>o z?+48Anh$NZZf@Va;{1%m=u9_627y!6{OqYTZ+ceqMhwbeXw!G|I*+;^()$7jmz|lz zs5WlBN#5~mMVDyB$nd)BuQPe;t8Fp@Pz}+x=V6Y+wQ02brZr$sJxG7RrQcaM-bYaR zF|Xc6aVRy{B&}X@8n)C;&>gET04^A_NM=M}mh;|1-T=~sS6!UeOdQbDDx3}WUo_s+ zdHQAV4TM+Am$KRp^D8|+rV$w=7_>G)BqPSz{E4o%y(=6Ivp}Rp%Z5E}oul4UBlkCp z(9qD0Dqmi#9Y}tAPsg3s61>uYTO^45Vr)F)O)#@0ze3yTO;^mqEs6$)#Qh*kHNUSC ztJr+gO;^~IQ}=Yt`E6x_{6bkI)bnF!)yR$cm;;hf#?RY2eQWHbpRy6}>p15gDB{=J zhgtu#o*_QiY8E9-I2~m+=goIlYH6ufX6>`N!(0fq;$0uUs@gAG{D<>)F{U#~y`&a8 zNAGFD9SEyiC|fNFY?=^cQXLwjVGr~2CI9rue9k?wF1wuMW0e9z)}g|M^dL)cQBhb? 
zc3@LNElxl*6=*j@Wp$QMY5t6%-lOeu;Dsx3<7LBLUO=AZUL0(_`~51tGiDGROyF8*ZLLx%wk?Pf9lw z#tyLab;mrux4j5+I$d!j4VOasPlGu-(IByEm0^;WB8d0h{H`7LI z3wY8yO`@*T5%aX&WM_t5&8rJ9{SCE#^8 zAqt?70Toc#>0D%BI&q%ZVHzPOJPb*YFWy=GY`$5}o_!q*&bq*9Yxzu9Yl3gjQ$>EV z-JP!70YvRLOWNN4@;BC7mBM}td>XY7?z)^TPSF)FQm!+ z$k+V3_kM|pnEP?nPp=<|pU?2S%KJ^+;(*ujTYnWkytc3>M7@G{K!tdEn$Dyzfv7n# zsbA7EF=^;RZBG*Y8nRbl6`pBgS^Un0E_3asWWy8QbCMSK+Zpb;m;9L9;4LWY9TchG zsA*8ZJ``t(WDqG7Dj~oz4E`#rJis3tM6!lNDdiM5cLT@Nn!N9%t-qd*QLGu=}Q1`Ww z)<$d5M+a``DOdMzC?37Cb|8&FjXsY`vl1S#^}4rSYUVtuY!B1?WiYcf5kE&&CjUMn zvH7TqGgu{YPKwND5#(U8I{@XD7yr97iC}3U>WJ&K@ek!QG5EoOebb8b`LceImBNtK z=BP=~*{8em;I?U+kXxbV_aUp05a@rdhQO)nt?i8idvs*;?DsrAec^bUWR&Su^d0lu zU1vAc!HF0H#?h!TeoGgHzYA7ndhoE>Shdm8vGgLDw#_F-_7;j{_!C5% z1ct8;R}}8f4BMVWEya@LtyS2ZRrw|37eX_TF2+y9Boz-=dSh9E zZk4l|BAGL6U$Jna4+Za^WtwSr@Mx^x^mbz@s4nGyg-gU;&vp;oJ55_4Qm&UWZuP_~ z^ZVZzmpdtTNXR`HVP07AhQq6B{9fs(_v6)xaP88C!lM*(b!O9Qw!Tjd1wPC)r-XUw zfkn#PG1}1iHdlxooc{_~OuFM)+o=6sYz9IwhTMKM)}tVJWzk6b?D`Y6-VcwKEYo$> zmwi%jL4o1pu{_=DN*)!4OqnT(c1VST#ghl@$kue`IY$%dfsW?6oIP&3=g7WWOxe;m zpTBAi^fSKAc~Tnh0=vJGcAUr;d-XguAo+X-K6}8vj-4v_v||Y_E|Kri6h?k)TKmJR z?;$?El(&rPqA*QtIA|=!Pfh!{=4)V2MkI;GYv)VaKy=^5PCD#C3dq>o za>dBnKEC3F^TddD%ZemX3Ne!Ez?(n4!*6DnUG15WtT`34?WE#dD5jnAeC=dIb}`d( zBRgJm;8LCd*@|V^-7#T`#9n@?_wmO889>HUp%_#n$Xeh%6OB_iXwzJ&OF`7Kq9+OA zFvRxcz>ld_|M*Q0-h+!@L0|owIJJ$`y4~Zkzr?>5i%x0 zjPRctO+F`1(ADXA@MF3b{W`Y}c;F$*y(`GWCA}#0LRzC4;{w#@MuvLT%r;-Qyebsk zOLpf_BnrUn^Qxa7q5QKa%qhi%Y;zVGqErI`X|)ZP1aw>GM&4KZ-WlAtvE{8U?a1v+ zypUPwzTfNEcbh95P)G~Ij8UnT;hr{TgJNov=>y5Vi3RjZ#ifny>?d}BFp=lp1ZPg3 z;~VI@H-&Q?*9vi2oaHI`-*Xje6itcN&3qG{s_1hg+lX<6_s(I`6(fL zFs;1>R&RW27JA2B2TE(d<0LI==KtR6@nAhsHs`H;;eNU-anoVXqcgww z$!eem+Xcj^W5!N3JSbj@f-j((a2Qq<&2otic9FciVFkyNd^Dt8S-%KPTlt^;(S(=g zj$y@vmWXvI4X~^3*v~!3Pt<;Uuu3DOgox$RO4C>F9k$i0m&<9-vZg!{u)SFei(ZLs zNG$ed1HfohPM&pDh?7;-c%YiYfMmWFL2ikdq!_5Bx}i7dYTdGQtZmK~R63g&nE;Xw z?o&jO`vy*Gf3;IJ3Wc=COh#4u0t)k`E|7$@74EWzWlXF(X^EsBc<-Koz1@K;R? 
z)Pk%MB}_ddzTA9if+;$80R{8VAgsjBelepL^@po**Eg$9$jLs{yPzsw>{`s4keg-K z)2DsG@lJ{d`U#d2{=-dccIz|APH{%;YPyA=Dov1nZo^6a@XwK4;4rG(5ot6As4(~K z)!`m;HVluPddCiwd!KsISHHh8?vTV*NG1mNn33%v!z%8#fJew4^%>6KCfNTXLPOMV zjyzLOHs`A#3|2T%i*@-ibZuhfB>A&ML;bdP!Imr(8F~UD-?ZPT5OM4B*R3tBEugz4 zr8ye2y)o>G8P~4as#nmQkLKxj3^kKL3RhIw z*;ayoe~rS(8P`CG6Aydf$(pS5EMJ8C}oy7OLa4=F%aVz;8nb%p#( zQ~BB8wz0}3de5tFi^PyreQQ^A!F?-#P}_OM+IjZpCk=|b=E%5hJ4P5E`7LSR-&`X9 z`c24J(uu;DZpU=qubvbIb2KBVX^wngL-)?5-A?_0EYxCMVk&+iPS!qbq?s8f>)PYl zoR=ZOcrlaJgoqBqYkFB0;~o2S1newNsCrWc|9|YgcT`hZ+c%7g8kLq?L8OSnC=MOz z(o_U22r?3S&nVJ+CkY^eQXL(NR0S#0Lhl3w0R`z&3{^0+&|4rO$-58g-1qam@AJpE z*7xU=HEWh@i6J@X?7gq+*RH;3!&YpT*6-U!%W4@M#HS0ngrTt|CG97mKV&g&llG;z zR%l?fxn**9zS213Cu;vB;97i7_s_a#)Q!&>AlQi->;7eKvE#U>mR5B!Pal+Vis{n^ZL)zyw?^p1!spuh{d6uas*l=+9O)kF@tf z4`M6(862LHUhUG7`A)A(MpM}i4C{}WaKxCv`J)M2nXwdh60r(1>*}l8vJ0GpTw|=1 zQgQy@(he>3u1{15UB~@|@Kq6^jw2j)^*x z$^=%H%uqS6T2^RphU%)Hn8866on}M}lr%^QXI+^R)Zl(5qzdnI+&urM`Ao>M>4e}0$-{wieM~X35%-d$Xw4ytm`z#HCH3}#>*Gl6zzw$8M(PoS5qD}-wA?UU2y1TjfPWAm=55TE>rxD>!|=wT%yx z4|AGn3zpYdtC8PER^uPlKa4q#f>VA!I89Lb?)da7GT<0iC}#v5g#d$!bQDUfT|4`G zu2I|Rm32zgL#qxS`epCsQS;e9>#)A7?~g{H%Z10qTZ)~xX!)=9&SLj2^yp6&^Ear5 zi`$MjY#Fvp6c`Us-@Qb=O0!=GGk8Y$u#Q{XvQnl#C27M0ojj9?ge_TnplBtvkVf6T zyKAPEB1n;I!$Wgx87c1aB!RPn3u*R9|EXfpaZ*b)dw!3D`Y zTCs{#TV!=s&fsX*c3eyRjj0a);$&PI84VWNG#`mHij`Mc^I?lQ5w#pf9Xnk-D$lXo zQ7vhfuZmN;JpD}2uRw0uM(W|`xh+oiHtFakXS7s-PR!4^p4uc(kgj-B)5}&uD*MoK z*u`q)Y44S{QW%m`$4Kc}-|V4)UD?G&2^Yo_ZiF$nC+~KOem95;f9)8%)0n$gnzVM_ zTLkD^_NE?}u7|}%sXYIj+u9aJUkfq{2-IiCb)ur|5P)C+fDP@NSt&f%g;d*9n;q(UfFo>Z?#^*w7rxvG?k3Mx4)hk9szq*BgTI$&o*t% zITPiC$4|*tqWAc`yg22B5bBwUuu2VvauI`(sMn5&3yG$>@-t>2vCHw1drC-<8e=Td zr+VFaa89j7yScG?K|dqh$hUflR^~K!hqH>O2e*xvWELi=pOe2{zcuilpN;qZTn@h; zyM8o5C$-Lz8=|}|Etx$yoa|*7DkIBoU_w=jhfF?0BEcy*AX$&1)<{)I-9BiMJJaltArV^^O!twdxB=dyPVX2QUUoe*7YM+!qNpMKqV3da+bJp;Ff`sfFV@xx9en^x z#`;Wf1x><^{NN3*)`E*wHzaeSFS||bPFgj3H*hR81wadL`giUXA}9bPX*n8T#FEmw zSDfqxJ`f865$P^3r{a@O?Gsr%jH(fuZQV%gOQ076&DIRb|P 
zv2Pi8>`-YoNFulcA`Pz90JfwL;)d!pqr7^8j-G1xE(Ml5d9&lnkI(uX`l$38J2crD z8JDGFMrnmE8vBv1_k$YO@FhH4Dx}f0%or7N4krh~C*!&^Q<`i6m9`D^HvD_s(+~q5 z_idCG8Z_ZMo8mEAJh5nm{(SP=EAvvwNVe>PM}8qrGC2Ao%% zA$TTrpUJK<6Iofv!wO~nXZlWPI@laB3*iQRX%_W9_9lOf(&8-~YL~j{RyH9)9ajBb zxudP!zBG@`Icu`ps%&u9erdjXUwhZw7+2@bK7z>8XMg|2ZAZr7EiWMD%iIVi08=gp z-`K87SAmoa0ws)1S_XkF0p| zw*X9O(cVI|3CeTJjrw}ALa;)3(0i8RgBnCo(uohm zv*{j$sZBm0J@ObBb#cl(hFbsPEDutLJ|+C z`nKSc&4-l?hFJ()-2-MK;Vk8Sz8gv7x#`G$grz_0u5cVx4pZ+9w{y}{_~&~?&s(SH zGFPAUtxYV4WD$KtY=e1{K;~>3rjV0k8mgfAC%LJS=bS;0>kNR)qeDP}>tK*77W}z) zYDInhlOV``rDuvk1e++YJT?8SKH>4k!vm1CW&7)F={)F8vRPI4ie$@bp&4@f z+}n}p+_oRj81#QNhy+zd4eV_?i<>^Djj5kF`h9zX)={@P(Y1&0^X^}U%a8FwG8OXR zEx{}*X+*B`l~lH@$DF_OSPisxvvxOTvw@DcO4cKZ&=H>rEhji*^i>ze$N%0&LKDH- zY$#sNkanM^n2cl{sE#5O6H%aMn+I^WDl;GY1|HhYEl@N4wvZ$OQlTVS&-nu`xL+&OdU^iyr+? zKa;3G_P~@k+{n2GGyM4@iIqN`B5Xg_|F6G}ErrSLk%K7xlqA^!NaA(gT%gUK;M2*2P1#=} zfp2v7-{^a8V{jwL-w`zzo?QTc0I$ZL%KJ@?F}QW~mBn@TdAiqTQ#v&X9?`dkG{`y~ z=TLa}07H@cjhyqKG3`kh>fHZFJ<4DmD51&z%I7C@Ii?RVcyYV|DBPn?;=}#FpF8`Q z>qvBXqr#>lIaOwU?5;`pH&<@@tSgYNHg=u+0)D8#ckJhvK;CO^3^S)a)M2Z-&B90@ z+XYZQ1H+N{d*B+B&3H=fzoSRYHReOJ?G2q}Qb3M%6>bNF!-I8B`_NzDvLw_jciWq9 z$+fn5tT^HS;6BJ8;S&Nr@@pAv(*7lQ?GNpf6Oo2`6f8c?ffsvOVsY-PP1;?|?&-AK z24=nw9AONHuH}FqHr}W?v;RwL+FpkS(VJP##e;D#)5h*`_n9!otbsk%*72tIaGC9W z@;BRT_G_ITV)fFfy|uP-NeLG+_mSw0b#gHh(uXC1jS|6~7*1$$Td8$+bG(TJMEPw^ zKF>cTsVOfn0y1Zt3?!7$As9a2plp4^5A1pPgzeAC3R2Vo8yjYyQg7=hx1gmvd8KA+tU2x`TOe>Orv1X3e+KCj?5J;^S@}W?ctjSLv{L0 z5tgfHt8d{S+4OKLBCVt%V{78+vIC^c_F)gtnRK=!}&luKmOv+3a3Y z;gT&$xmL2i*7lC$V&TaF{R}P_z2B9IpQXZktQjwUrGD>m2yyd%LJJ83W139#W_Uq1 zM46S^O8Y3_<3amPY!3Z#x&+3Y3y=blWl$O2pXNFEY90*6%!zUo3tM#W!Qn9WgZZ}v zQ+%#-DXf22G2l6JY2?+L(67QOH|fN~C&C+7V$k)M>o;i84Ht{%GeqaZ&)E0z#iYj5 zvfXDhC&cn;>foCVzxuho?mwA6o67cm4JzLTQdga;sj4v;88gYHG5p^nBIZtkBL1)e#sbFE0upE5-|`Y4<2izJ?|T~>>kA}>;-*y+D4P4x zO!sc8k>6wxCBl~<#uv1s;l{c1;iUG>iQVm|6$d|jgAOuPUf`#&7?oYHDAW@PWZi7* zIxZt(LeeFFiH+!MpziK%?hp$s1Vv1#R%BIiOnCxrS8jyD5558u2h>D@*Zz9%LIlzO 
z{E$Ai(s4FG&J0(c;y-~mXMY@nMI4Q`YlQDaSy9p|^Aomv4aUU}HWKFBbTHTiw82NK z51@lse3#4>)D~}^ct0t4OuaHRC5KYqBW}aO~UfC`F{WFtB^FL zEMRvXucz2m?W#9vk9^7uHIZmgKgf8c& z64UBlWObQXaN~_b0tJAS#w0E)if@^0abx&C5LYYCC+1;AjQ5o9nI|jP%9EB8H#_ib z41sU%{H)Z#mhdD9<3h~kucEvwjpGx+0Ka2Dm!#7nx^*+X9%N z`#d8s22D2kXy?V+1gsHa+>KK{dis`N>OJ7Z;r`Uo6&snfCBA)sbck^^h&FuYP3VNU zzbf_9obUW+Tj5F-uYn^K^X;#|vrk^@nEz`?b})3&&!ocPmb-a!ic__3K+ROi9lz~w z7fzc!Z#8xI^!x6uh!dNC*wnaq+ZFx6cfB@@FPHhNSWKQBh%&UTSqm+mUu!#ii#WJN z+hS*!yMd1WQ6z@qt^twnj@-do`nRLlY;QRktljDUnLy_L{j@m-EXhPn}^vY^rgU-fmXCCu>K?>;S+%ha& zS!Q0lF(wOyjN}VBD=_g;8d8b^aI6GE#ezj%ko|54%fDDdeU#E9XsxMK{eg?4(g56@@1mylKY&Drf8@U}4iNxz)n-2P0_=U#J zV$(A+LZcdTa=fX_i+w6nm3`H1kq@61CM z6M4s7_CTItJa7oLm-{Mk%R1bo?~FMjeA5El9%2b?RWLv$5a=T*6|u12X3wocV!Pou zkvQ%V@`ug&^7A9X>F~D&_=*HHIPa9Fv$a!FjVPG9u6( zbz$PU+B<@!vyq5+YulPCkYt`hJ!^mVfI5!>t)C$}b{pg82tc#uTkk;c6V7vONru6u5fkTKhddyh9eqeR(0=qVc>Gky!!@pJDLQ8wVGdEeH?W8a%4) z&M7}5e)LW0`Z|PcInH^3vv=AM#5>*wf2J-$SF*0NGgqea_{hvO@B0ZDL%jOHw}eXF z%n7o4W*uwpV0?GyOKl~P({Q-iWXl;y{M9pwKs4?YMmtc3EK+0URvmpov)X%+-ZGK0 z)AgNwUe%0jXIyRNzv^XRSOpL{1MDXwedehT0s z40~-pAj3?|fx=OJg6oOCDi|>D0Xl6Wq8G|K%B4bCN1gcq+{$@9@{3aTaP15S}Qyq(aP>`s~NFX80HEZ|NZ{5aK-QV9Nlb= z>D+^FftU6bS=eK+~kugN}~b7Vvd5hxuN)baj{pMncFMPmDb5m4Tdk*Qmi^lE3x zLNni#&Y5?{AT)Cfwj_JpK~rXyFV)Lf5~KH_&;S6Kq!=iK&@-JjcqOacKl3k11tmck?%gh`4>}dNP zcXKUh|Kc?`5g*%)F{*=7D%;&V+->Z$8UiWF_5~jTBANKNbBmK>52n`pRvhzWfbC56*|>*?!~2z=Tq}xZhQ%HK}H_0}F}gv*^*A-uj$Xx{t~ms1xj9pS4N8BZ)&q z1O`xxyNTF|S;(+*a2ftvS5R^onlfT-Hr+aQFWKUigoMPfmqyMvsJuvvOpQl3&9T0%J1Xnp|`^!LN}Z75u8#ZFLKX z-0uLE)O>uZAch!k;pZx;(p0mxVd~#GVC!l2fb6!j{sbgn2G>YBmbs}<`-tI)UAL6q zbk*&_uCx`cmmxYL*&bbJ zN=#b&uxUMh%X@Tu@N`8x>Y1gjh-!r>`Gs1ys**fim^zKfZt6|BXu8z+}JlzV*OCI&+wUCjtxjQVz z@oL|TdEusF_M`xZhrn8VKJB!eV?7;5r={K>;|>h^E3Nt0#`iHKsF^k^DjbY!i!pmO zK30ajP?y8C=d2-e8&gs)3i=brxyf44dhiB6k1|GW^}|wcaBiMB%9qR`Y79(a!-X#6iy!A(AtDb>gH!r7W`%%2GIkgD$m+2|C)))2=QBbUH$)@uJ@BYRA2j8y`{6Ry{@h zzcn2$mmG;ZO^jLVP4guBHAMRn2-Wj6i@RT~e0VBh4s8MO>!KaR2*)Z{qN_3DxT0qH 
z4A1ei-p#}OmP+2scglVEfvSA>qZt&mb;{2BA{8meyq%CIJ7qc}E*=}=p7 z_y#}u6zWhQ?&)muqx}bwa<>|kj##$Jab?^N-vie9@ z-N)vcP=hYBTo`B4r#IiAo)esTj#dPiuqj9wZdrxqs5B?ecW<&Pe=)!G`W5WqS+6;R z@Fh_Lcwt|>ts0}8K;xMW5tG5XgC38($vi9tD{X}=he(xlz`lZBJt`qU_Qv9M5Q9=Sq*32Ok<{roPhqpc2%A~P+nhddwHt2*F$h_>`(%unJq2z&^( zf%DhvZM02{Lj1D3>{Veqqe*;k>GPw$^HsHRq~C8S4UZca^GDU99lCM$?8l?8+A*>T zyfv~=kooRn&vmj~WA13E#HJNNh4!ORS!GIrx_T?X9}<`w2G+hKFQF z?z-!2pwE0(1pYCSVS1lubJiUYZYtKDFH_NarS=@k!YcFITEO?TlCPjZm#m~<_vM{B zp^Wy_u0$6h8wV@~Nm~!__gMZi2RSnBmUoS6`@3IB2`)8E;A}z2Rm7^7>^-YVjq^m{ zYocwdk_rHI%ZPzU==}8c>X1J9TGj&Yxl+|QzAPQtTuo$IL zU-DHV{^EK){tJi@k8en%`E1rngYYNyt5vT+keHs{NgBW>!hOTi4+DCDyVZQ8lr_U{ zIr+4AfJg(_e$}5!AFM-6tx*O|E}pV#&oRYEYrJXY!8ugmaxU^v3y$~ce*z=~s05o1 zj|k7iDbx4dTP`CN@hBB=2e}Iy#2g(~^A7kNxuiShmy%;x|5^qp4$;%D9`YO{r^qbM8wi<@OPtH(cs=m z@SJo@*Z{G6_G;V_MelVqW5hrV*?S|sM-h|OOsa&xS2775{zp$t*}M?gNodXiNmpSa zNHV0#Tf0B>AW6bFV4Shg0{MQG6@ou(A)Xz;mrGq|)*T>G?oZs_&pO4T_uR-UU49C@u5Be{ zmRn(pA;IwtBwa2~y2*S4eKx)yQ@1&=+1I|*&8~(3Oxv3_%}QL?N4J}oS7!A^ucvQ~ z``S4AEq|RjeSZ8|<=7v37Euy5S{8hEpTBjGZ`T+t>sSQ0`M&Br_;=KGZ0C31Byqw(b9xCfoV*=sdROR>WJ{W{98E>8G+CxX_PKc9P6 zZ2)asj^iDdN!hsIzBaY#&+-;q_jbh%;ZU0hN#5x*_&0%6#dOG|3pRM+{ zrpAmFqyCedQIjiEU^2lfFwSaG1j~C?0USTr$`lRLyYakK+-k@)vl91W70j`T2rp28 z`R-VSWkDhZ6l%DL|DF+FB*2ld_1ng9p(tB`@fxJ6gic`SU+`Z>)ROiQC%`^iDnQB;Ixej##$#?af}l%(~lmI>Kt}e2;#==5yKWS?~~1B0zr){G!)<>5vW7 z(ZSzpvIk%d#}0+THe`tgh+$cwO^wFwxr}I$rirDe5>6u7rnjmP;4$DOKHbRT;TN+9 z`|)$H&wP}luTO$z8%~m>o6Uzhs-z;Hi;p4?Z5~e^|id030%RxiHhr%0YdP;OMCNR&)Qm zYu>1*4ES~;+Z!a6nwpFj8-~SSE?3p- zVB7HXcQPiyQGch;6N%Q1>=4c6a8}ethC`5w96k-v_EvS)SfGHc%R#wN@vaVoSMWBr z<=AnQEo{f~RW&52WRm&9sU@ncjQkKe#m%@V71gR_1Ov&BvHD(=A z!?G3bz}y>drF#qv8NSJKN7GWpfZqX7{kk%WUGq6&rkQ{jH~1}j@DVyt|A^F=dwh)1 z^wJ!LfX@5&{Sy;KRf0@=aznUO8liWfrON3P76Czg#i|00Ty9sT4#r{|wv8q8c?p)Y zA55ITl8tR{74M0JNfXuL3Yy|mHnUT%&RPPbe$u`5WPRQi)_BVcZWncKxyExO)n+9r zKnH##mC~0yMTaCm<{`YjHNO{q=Cg#0MR)l_H&y&QrhslU zZ;lbY!pO0%>i*jU=BA-S_c1wsJXQ;^Q-?h4imo$v1~=B0@@Pj|{`piq 
z_6B<&r#=`@aM7U3@zjy1A{&5sxM9*uoD}iLJb>C})FBo2T7zw?FG5`F#A%Tn=CS2M zMZv8Q%!E;G#T-)c{eT}x^_foK*l=9ZjNLhCJRr-W!C3`Wc9j!oMKctEFdyC_zO-9% zKXwkeDHE+;J>{Y}t1aAlu%WXxwk4h+TMJj2Ae(E4-MApcaE0wZK#us(pctsr-&n?& zPqX5ap0T-nrhCtN%c?FG>K6tGLp(YdKi)r5Xs7%|{la9S;BSu@tfEjgl%t z2Z5$&DRFxeYmXcmvgMSgMO#(>%fm6pIr0$i4LBLXy22 zMJ)IO)$GV(^jY$fb3fz&fH=8uyZ2)vWL4kw?`3o}W!Y;WIw-~YwHkA+yZR)IN8|Ns z*Dde2a&cl1dMTbdiXIVd*~xj!MYn-RM?U{^arRl|_=~|o)U#>O`rg#(O8)C%mruIv zZ|n${3@#_VKg~85ngCPBu8qXQdRl81)Z&&x#0AQftoEYRF;1NRjzCsKI{it%z^`_A zkmtIi%_|_dn_bFbHSSKK{83DmL=X1s41{jS9U2~r+HD#1oER<%b`$`Qk3b+#Grysk z%8WuF*SG#$>SaUFZgrLG11Hp|I}cjsfm?B832eyRv*kfcg$jU&04!DJzFgL4%ee!T z^c>&jAh9j!Rn8YChLrHxm%mQ1%8sT+h$;>7QS}_`!$0qeOrx0>C-;(aP91-s`*j&_ z-}XZtwlA*q4rg#-3_|)_*D{ci=b+2RCVxYHjAz;53k0rgLY1+*0|{`X>_MLZ5FEQk z5-+Stht4gZ>O_~2Th0wjgS=TWSCNcT*&yi+&QZW>RKbli1&2ZnkdOM2QG~$<;22dx<%;v;g30Ql9g-DWBibKwNwG z{yZXxS_fAHJ|4xk0(N`q{m#xC>XU}rdaxr5j~=|f&RpxyCLeJXsTUBnkf&gH=D-*c zTU!A$)X2nZSdSjMkBKd;nOaY!p0#Q>aXM=eBAT(_Y@}z2nv?7I%Zh0v6jW+mx*nw< zV$4^vcxUJG!8Qo7!a6>qje2!-&PT~rV6GLUJb>hTL0xkl0uBCELlxuF%j7ak+8+K( z6j;5c)!Qv!#UbTVHqe&Q>Pda5mn-wfT3dHr0IbE1@a0~Lf6sI%43}!Z^mI!Lz()Lx z$=&fV=Lyf*w`EhEa`yMP2BD2JgL-zoip(+F4dkWT_m`7I7?~OaKXw10?tfecK;<@F z4dL4U`<#T@eU?KOax=L*nIX5RGK%;`2*{pti4%fXVbYp7r1SYcnFR@FsxfbX}Jr$Oa5ty6-5$ z&^WpJOBfIa-o8i^ZufdbiTrUT++7w5U^ip~VvRHZh!Q|I#;~aS-$V%epa0Z<6H5S& zzVWR3f0Z8m`VId@=kVh##cIE&^M6^TWdV~W&^{a0=|>NJUc>*;EO3&+wF*>juP2Qn z7`f5ZM(V-$K=C2?KPW=-1BeBw3yr@-KnS2N`ER0;X`ubcO+I$m{>RT4uW(@hnl3Ln z_hbB+2XuY^dHrwH*N=t{x*-3Xp2qplbHVWcB_Gbqj?rNTn?wW0146 zN%4G01`+sn?m!&%>lFnAK|Ub41(LEZv+qRRZiFO#^WcO!wFDxq^qEeAjI3X;z-?ym zvA}HAc_2U@K6#MV9?yD9M=LE=g|;(|KQ-d`wd8`RVbQrUC95A3IDh`bGAj`82j8g& zgr#3_BmB5|^?Cu`@YlNneNw{_QE2#D)8=kBuO1`liN@;;?2uPT%e5<@6^Qv2tY)|k z2?@IZ{kyrh(ak>aq!fg=W$v>eceN;srQL(Ao3j4fi)Gy^X`)$_f0Dp%wM;+}sF1>- z48*vx_wxW5dzK`!@Rt2h{=2*7V<^&Hv8-nt#E~jjWDOYE72zwuL>;g3Y>^GvNI-_$ zLJ@H3$Jgz#^>JNF)0@^cb3{mU046|X3~m3J7O;NHkGeGk*>*;(RFl1zt6NGIS~e~A z!o*MYn|TsqTP|B;TD$=3Jr3zM6BWIkBn$tNn+TAC5IcY*m_#oEz6=EqpLQLd( 
zgYT_rN0p>?^QYGWv_FtCO5Wuuy=Ntgcyl6p%(x9IeWcwCz%ygc z-Tw-fGh=DX_=i9bm(@si8v4o@pzN{FS3!pRHe*b@s7V});-+xR>PsD(ws8X*C8-o~ zyB^Bm;siraFi)S`Eo1V<<8}v4oHIe9U3TqqU8xNUS}ex*bJMC!H;M@U@ z)I!5S$T7N@@hC$h1uxb8D|XL>EL$8sd|LM#3536$>M$w!^VSt$0oeL%Fdlc01%zGZ zORY4A@uB5Ye436aZ)nI6+-}MR*H1gwyt4^di~%9Q9=$`ubO>1T*#4?|OT2D1z%hEf zO*oF1uBn=F#lx3kZSw2>0g=$?>yRKh$I;=uT&HR~2ae|T9kPBZj%V0Wui6Vt#8Q4U z(T!PtT?Q6|^$xfZUrxS=vUCcu=>Yn)v6I811}t6dPq-1Yq6R$C4W&S566X(6Sy$L* zL_v>j29QW|#7ofK_6SRuG_1^Yr6di;9sFqIi~9$HN*D(qqoXlcfzkmx@Rpqfv8--u zi&m8=*Wwr=$*O*R4U!;p99SsPIN$PhL*#htj;NWuu-y(=Nt{}H+@DnDMlayNMAI}Uc6ziB-PSUfyvZD zMqYR&>6>PNKs|MP1mOCyAkbjIJ;T@~6xlQ7U2NbMATisgz`XW6*_Nv_CU0z?5KzM8Exs#nB1|DC&>zU{p~HFPq@cKfucEWITeNZusI)1 z$1DGRXPELq>~9#zu=slaFF8EW#)uab+^(mrR60K>|C$rc z{eCRr;qVa7_{?Od)i+p+HjXr&Zh?4%f38;93-nocp(5KJnaB+sf-H+?eHtgScQ(tyN+7roOIxd63&W2mVot-|Buq)2p))V z1->hS9y?XSwrqz|g={bi(aA7g{i?d_3MDN1wQAygW+oB$L?w1 zYH^ZAk*DXO-8yG-V$pzmF3l(EH1@A48N)gb;>9&TfB~&&QD{pl^Fc?KvCLx%`uT=` zK{1Kswv}itNOQ)#ga+!TOI=|;F~wj=$S>z311BdCW3#|7KAoI{R*cToGNTBWyC_Tk zU?E6624^fx6f};Eu;qGUoL;j6sD))29laAy-*;!zh{t+l?Y6AO-?JPNH?OP8KIn$3 z1(i%+HwKOFrh~7|LL4k0vcn4Pwhl~1h}9Ii)wtQ0#V}afJQEjdaYxr_$b-nrMc?Rf zFu)Lmxy>8g&)W2J>|L^&93J=SWE&a2JHmz)v}stqPR`~_9o+C+<+k991B-ikKg&^1 z?T%a+bY>(#R`B8OD03`J+zuiF!4QpVC~d)(eISy($VG01b`L;0Yz3@c zcAAz!GyN-h=bgNo`EZK-%g=hoD!t`91 z%`*&Mv0k{vKj@}o;JWlU#s+1?RE`F?uNjNrA+ZEFf_qOMk4749-C?aY2G`?g>E+c# zpaX@h($j4ddfa_U?TwEG%)Q&hbG{D|0EI#j*J$;x1cX41&A1OAd&Bn6I;yd!xE~UP ztEn?icd4$_@egxYIQW8CS^vXGNTwtW_P(h**J@2Tt42P=f8u8h0IK%P%scUep;?gb zc;5il<^oAV4-CF}o7CL+_;;KKM_YdH=`Wn}u4zvxw?HoEx5>v5R2)=@IsuAr`a}%8 zDn^_^1q4I*;quSKB%Qn%DZU&dpqZLHZcJA{f2>vitq;gzhas`8oYAq*8hO z&;&?#knDtJuBd&))qRF7{A|x8r1$&qWS*Om_e_AX7sNU!4&4#&{9Wi3j;gt) z6MhK2U(eqVT{lMXOYU6{WfWoNHbd_uQ`6VM< zfDvRR1$;r9H8ip4N%+XI&6$M{TL;$2zSC80)oW2$R^nH=Z2Fw0BF{#N7uitX)2XGd zIMR*q-R+!o^ehB}lTU7ZPF3~~vu$s0lO*#}W0s!oB7Gbz22kg+Vn9r8-O56DvtMx+ z2)9b?QY4M0QvXFFKzc)H@CEaVKVb=yF(pbOH6(R_29~O$swCQ(rrIFu=`2YF(%St| 
z1P(U1ZZT*QCBnV4E0eZafNdw{0+mbpCJ5=$hVpHjQLnmpVa%F7Rb~WaJfFdo>{+#; z0+XR4=dIZf!q~bOIAFSvT*Y>8Ti6bvoUbcNe_@T8q5BKdz0ZKD1!@gv!J0 zEo{=BGk>TCvUljkwvV!O`4b1(zZJpEQ+!+J)mO`T3HR_TX}(#oj~XsS$RP>Ie~arL zL5(HQK-?{_t}p=xJg)6>EJy#1tB&A64EODL(@JcMUP3rZ1*d_LfyZqMr_N001v|hm zQWn02u|pDe!+C z<6#QJK2Q|{;)L$+rI@4^>PkqhtO#SP_(7vt0F!9l(XaC4X5pQHnClaPd7SV|@x=Iyg+=ilQ{l$A^_Zg_+b{88Y6)Y70 zo)w{w9v!LLl5_&jl+DNp_ky};PJN7dC`dLWZPD0{ER6o_ykPsF+V4V^Gxv-_u*+bq zPv`)5DbMYQ$wBB8l+-Dd2H90mdRJrw!!Q&?`^{+YJDQOlISR>&?ad@tfIS$L7LUX_ zg2r=Bk@r2GPEtRu>}gPm8vDME=Ql9}W~Wozc@q_|2EwYVFOZ*A`#DrVMqLYy9&DY? zb;eDxy2)Vc6cDWUTbLk{Vy(#iiSpX$IaVb1v}SqNoO4KN2NVyK3Q~IUm_tAbfK$&L zA3mzE%4N;hf(u9KH|&91^_^BJuUFwKV_%2EQ#<;PLFDCwr}uFEYR4}25JmJd}h z{AHX=uWTM}C3?^IWhx^~fW)?w<-oSSRlnP6X`SjcPvr4da4Mmrt&AMpL4?q?e9RKQ z9JC9)aqZ{je{}8jErd06yCC z;*k$%1!xG;E|k$@!gnHmpw;1|#m-Z4+YdWrap~_Am(sT9brxJtf)uM&nZEqj6*mYO zb0I0|wSq?l*WWArt=GFV-3R=*Z3Ull z<)vD_Vmx z=wQ71pZdQXm2#h$stXVFiLKMgJ-86n)gY1@ z73cf;?m`iA_16=6yK|{M24G{;rVKvQXp^y*Q7Ln8xD+w{uWK_foXY0N#9-()M~pXA zL=$Q{V(#vT-71{5xcAikvJlgd!DOeK`VPqC?BLoBaP-1-P%=TM^petiHRV@V{=;6V z?jv*XFWtMBgN=IAFE6`yD_5!&$%OSKBJxsX?DdNyVXGR?GaNE#K!rv6zg%YYY&9#cZ?X&uB+i1%H1)KP90hPPJ15zb;A9`kE7rm zR7*G@_>PZ524gUn-2X5u_hI%9H~D-Xkq)cUhe5^pxyFAY3`JQZ=G_b>ni}8-S>SU~ zmd*<2c(|TOQfeIuo(8sM;~IEo9*x*xD9XS8oP`k}e1e@eFGR0_)b%R>TYNpFL$O)f zJnxL5qB}M;Cb$qK%nF}PQX9lkpDE=$Jx&+G*g6KD5(&2LvsNF8wP2G-40S_(?VMS$ z=aioiPduEbmNDJ?$iF0@&N^`p$$@y7fp=hvLHdI9d0T+E0>a<^$JHq_Hpp8$f1L<7 zclMn4j91p=E&$gB5u2qpuG)$F_?&?IuqkQraaPOMuzs|Xydf)&{lA{8*S`fPK#}}< zZ}M4dWsVEQd2-2iR+zHqezIDFBIDtj8Y}k3pCqw$af+$H9Q=doQlC0o_n8Z&)W6cnYX<9kpYdNN;i@$+G zb==Rw!IV&IUb^u{6-CU`CxWPpu<*6cXy@@Z*YVcfk=uF5RG9^n3}j-tzr~4N8drZ? 
zKvd{J2P$tO)T^?fmuhvcOZ3On5O@w$vG-Q9C3*>9gv;L&H7wa*5Lm+$tV zFc0pMP5@$aGz*L-JuV>-I#ZPumrA>BB8rU8szMPOfXc7sOp`f|-SQqu|Kkzk2-mZ; zHmtF;RCVG*D(+H*tK{8X`Ep^ugo zcYRu}Q)2MfVPg7(zuk5CuBCU1CQWm=!Kn?L4W zrfXR-fV@Ahx}$GGaK1u4b1KKslwC=z!)iwVO?3$j-KqpdS?U&7n=?hYA}D#{{I7SQ$n=F| z!a~Qc&ka7Xso$^^zy5TKBHGRUzFA`JqloK?N+Y8h=<+Bn~Wr<>Eyj*St}YnCx5 ztttSzG(a2a&AOY^2Sw$>{*2A*t2mzdB-h0-WB{62V!Z=Kb=z{1lcj95;oCd_@aGLq zS;H`@WCS~Gz5`h_hg{)P{&STLqOAspX>Rl*LIAuI(gp#HmvgE?Z{M_qOS$vqIRXIqAv6_4T|i zLeR2_RKXwuou8X{k#qr?LG1NiT2H51PnyUCWQ&1lz(Al5Sdfd_N?gZxc^dY zVck^tl;Dc{J*nWobv;SJVEQS)p)7sTvYHOiN3 zvW14b@aM<^$Pu5g1Y*#R^8{6cc{*=khq1r~BAA$ zAxu8|W^g}O;;l7Z9q~Emp$Vw=t&>)u)OehsM#$q*fLF+z;MDg8qbmDGc-*i0 zg)0>$Z0~Wl)youU1B;g-A!0pwp(zy!x5l(qvlEpmf~w=^dB&mbH{8~myVNEXI8jRL z3gx#U1Pa(EZHO`VW9#;EDG#7dAkXs&tX!i?hRj9m7&$wONNy{RnJ&&rSz?jI;P{3n zVy0xHA0*#_nyUvBcwdKblt-6>&FPJ{>Fd<$a?o2()jeI?viSJ4!JXks)2^grh3j-H z0MkcuW7>8=->$vPddTy?t}rQNYb3w?nV>w4B@iwBTRmjNQmC*M{5!7MYAfjLDnz;+ zsO99d`VPCHQMC3WA_NtlRxJ)TEH??6tf=s^t$y{765^@{T@k9E(kODz0k)g3eou-d z3KDsUz+1i*B9*O!sdK9@xRJAAqsnXcIf-Ocwxbw_>gbds{Vow-d4Ah7#P0tP_vZ0X z?*IR=63LP}Whq%orO1{ogmy<+5`*j#vJBZ{8e<8kB%NdrAwzaq#yVpO$(DULO7?#F#U9>41kY0O;LHSg>Fe!sTo>-lV>Key@b`rz?N#&i$w zs%!)jIcVX_g8>`U-V3&4fUVr}N!Y52C&SjSIPX*hACNOb7b2enI{YMlV-2f3rLd;+ zB|f{;z~e&FHoLl{#f4h%)5zZ#N~%)eQE7wjf=$5i2*@^psD`CicW6^h_YXg#iPYje zP$L_d87k;koSow7eNBPADV+9>!N}#bV%G;=1kH#~ui9jX2TeUrRPlD|QtxO{O1%|H zb_ZHR?tTf%OviSO9}CVWnU#2^p94(sY}`abWga_+iKmFpna)gQ)* zT;l%e`qbTq@F{g~pQX0oKmx2vYOdwQ6X7GAl{uU0w8x6I0L}$+bzStoOdG#ARG#5C zT#?&MWsF^J>ROUEE6-DW?Rs+Sll3D&P_$;8y6Hs)TyFC~h0Ez`xH{!mLM6YQ7ofXd0A*bQ#0GrK)~$J{jwSG8NDOo1Zq=<$8^So|8n5ct^h1hU_fh7#f~hx%1nGlFDRMb-LrMid0M70c3{exsHd)A z^}AOge8H0-&p8q(fa}CrdT5yfRsiwcq|;A?=RX3g2!#>7JM^Wef-+tlOKGVv z|DRMhzs||@e_ZEpp-N_XL?`uKE*kZ+(|1TQd?ZPoMm!*2vD)^cR@>=i(c{!(bWLT& zkf^4yHNCELT03nIfTLmn{m)GVs`ct}FypA;lG3+!A%dz5ldwr8q(<1 z(|VaWglKTBTu(q@*YAuUKK|X?nG~Z3@*BI?YwY#@EP;^Q+wWnC)*V?(=fodg8%#*I|=`8RET zzRykYl%kZfaAst~5x3U%QpPv<At`I?au1Ey`T~wKU(F5nszJTL>7vqsMh>(=Bu6}} 
zD^yP*Co@b!M3zg}lyIn`Z2p>B@#Sc<*@T2`E52F)kF+vbxeRYr)iY$?hA<45@sK*y z+9y%mtsQEf@fpDUeiMi<-U8^2vve{B2PDLCxdk;JOh_eN>ShAxANkBwEf90OIsU~F zIPR47B#7bHUz2`fIiT?R^~w3`UwjbF#)3Q{KS8C*gHb?%+QO3!gC>OEN!6i)!&No6%z zq`xdydJ$5bhiE*DYj!G;iBO9NG^r8rtGr)<8VxWf7j%+U6n3g>MBMCBHMJ%gYTl@V zLSg_8yRBUUQW|K;DS?d1^+(k=*J$s>QqPsEmTSyJ(AD81rKL8Ftp6S%32207b9oP6 zo&=A0OS2b`-TL(6@}wz1ukR+Qc{+{w>Kp!60Aqm$rQ?=dgvc@j;l*gIKti^kr@lM& zg^P`6YgBjGEgwWCYXeTr~&Ede`Ta!{26%ySEVG zg{tMV^I0h)HdQrh#loUvX2NVQw#^|=R(_iPvavhP{INU4%=K>@XW{Urv5v7!jV^mu z7nO;$3^+-L@88|k$rF?X=h&@LE6E0WiBGWAlo4r8Pl6oK8r3MHgRJW0&grturHcpS zBkSgNXcoLqi+_Wp4zBY3mV(ZUw^Ju|_JkV8>LyX9NE5L)u_^<+~OF@nl z0LOIvsq zDZBj`Pon52RS=%0&<|rEIrrjZD3VN1^yHnom)h(B5r#pU1aNKA=DnJKZ*6cu_O;bO zTkOGd2;+?oZp6TOf+z_F;EOVnzyfn9-y1|pS;_U937&QGbX#4RiJX^q3&><+jzW>g zN4_NQv?D;E$%BV$N!Zr1wB!W9Q#%5aIWLRjWc_x5wli(?KSaFt1PM5nFJ*r|)}H{_IMXJ@p`2j5)qYn^nF{ff=42=d zV=D^$#$Sh55@33B8~PExw&?AaDPb(7-6EYBqi(h*NO(k+ZR`G?pe%GPT2G5Zkz8;= z0BQ?8!MU}xS2gUxUISGSaz)+vLmqt=1Cc`cQ^w(6r?W3104RXRX6VN8QNV6{W~XL< z+sP0wxhVfOiDm>lQt>Ci^LWl-)E~bI7xpD6^+Lo(0#zCIi=CrA=Z22aB*|8UmZ8+I zAa%{#wo_}k*|47ec?Iw^K}G9dhgUMV^+B_ZZK~JAtGJ$7%SRQ5_h4~iY>(@raRoY+ z;~9l;$lgU-m=3I|__I;Rb(;y= z+coX>JWp3w{>@`s)uGG99H&N^81ZTp;OLny?9ySZ{mAob?Adgz4-?GYjY2J$UFYBU zam3l_s!stFt2Mkk$o}FXTtfMnIl#Jnt^>@k=L7*)rp_qP72khwEEyDPizkl7Mq<_0 zzemTUO&Tqlet6^#Iqzz1JGkA$^ld;*)x-d3u401y2xwFBR&a(qUkEW2u{kpA`yU2k z#16C!(`g*MpfR|KBwuhwHU7l4#H%$D##kUKYEmMz3}izuNP>=4{sBJF^x|-ED>A1J z5_~LH>prbRwWEHI)^jp&>2%NbBm z2H$iIND*ZLIs%KoxW1srI;V0~1uUg!+|NWF?g{pdfyg2BGjt_)XF?ppcHWaftf&1@ zOsMSF>sVeehjvIge@E{DC2q9(_7O<_MBAJz^22up-Dz{?9D7vy<0B?SRQd?Jt@zysl# zq6x4TnELJs6lFWsG6|^Fpf+^xmWw;EtTHDUAmlmd1o-|&fdcQ};RVyU{qKM|coZ~W z1E-N~BIbmQ3dr>VvaBl^S#N&St`SJ6RCNF*8996wLPh7BSANJAI@a4C9)t(L?8sw& z9YT2X!W);5r!3+S0 z4i9uG@xIQc)QkivJ&fxjIgkt>s`1bxKN$aF1$6J2!Dp}H=Rqx7NKyT>vh z-dOi3*E3{qqXNQX02`%@kcwY`JbdDQ(CgY;pUQai@BPy|%!PkroLgNA_&68+E#aRE zcx-@f@tXuJ#0h2XSW*rxOHdq7Hx^N>0kRT~5GGFhP}%^nW3iCv^Ebu4k)m%*-F_)j 
z@uNVCF7GOoAOrFR%1;E2j|1BDL7ql5$OtJ;`*aNO93Lg6dfb$iDtCuq0n^PNPKazR z?iD)I44N5T%aTDK5n~nmQ&AW)u;;{?;u`DHYVe-8)r;K}0GKVEEBW`AfP*jbXsd+8 zYcpv}GPe{sFAsK{?3Xl9s$1Om_D00Q2ibGGi`Q-XJ^-F*jUB8T$ZQNaPXMEy3?U&b z`&~sruP=WHtg$!bF`$1`iVp9Qpj^{-=Y=6XY1-Pu@ywx=t_+|7_Y zK}FJ4FnNPUhdbl#fzQ-4uR+z9RYykzk{~f+ZL@-Ab6$Exz)V0(&1?#-|x?$fi_9_9~{c5)V{1|yr`e6vdCd|^B|Lq zAykMgeJTBYt6P|^-);Wo=hqx6+1z4d;=c)HTN1NzFQwv*SYupfX;mw+5rr~rw{#TdNcX=8Jc#^a0;B^cGkib-7{A0 z`|ylyip8%>GjBkb{tR9E=244J`_}n9uW0{$150hQnuG#%kc*KAUQQ_>OC5Qc>}*^p zZ0&mjI%O~6if(pQ{2{9UWuR7M`8%-Q4~QB+M>Q-bd402cV`Zv$t~B3$LF26 zZ>(x0v5f9Z4$&%0h$8JWK~-VEH&zuZh-Cn?ddC3 zsI3;1x!-Xyd2q#hDe+3N-8aqK0dU^aiQz3ZAp+5WHVJ%x0J&hLAS4(W0y$8cOV`@? zBmLcg$KGU}B=Jq{>fKGXYsk@G!T}Jw+fEb)keS&KpJ@?o=x(a8f|+jh5+H<~reW+Q zCk{0u8qy zwE5d*mLVSPdB|cI5PpZu<(b7>{2LonFLWTYnAL=M2GuvR54_2Gst8Eq-$9w>Sn%MA z5CYjW7MJWB{8Ev7>pmO#u`xIgxb@AN`}y9B4U(f+JlDu>JlGz24k zTsD&rR^)0S`=6Af1X;wld4N{r2I)8?Tj2_*V2saH^cO-GAxMSY;jj2?jZ!?xd5&}J z4;h)d&QqLQ35i_V^|O&54thli$`zpoEQ+mu=7PeFtbKPChZ|%*E@c z+%Yn;mo&Y#OuzQ#%-PlZGp%_I1uE;k8ekRnyza2E){%ek>T*obIt^^q4?0sdNb7mf z)B`whD~l&V*D+-CN{`ISg&d6`tbcoJ>&gI_RZMl6ppy}Bp;eXZ2!b#D;Abaf&uf4b zmDJd>w)ERPMXSa>va0ou87wi)*(VHJqJlNt;f$oltCA|z1}OEhlI=sXw(ai?vT9QL zw}ii!F+O}aFK5&6$P@6GjoSJ5NuteRMUzwkw~7hQBj<aV_d}0aiTx zcs33jUH0x zAsgyCQGkYROKt-lMnngjeF1~KKAa4{oWfC~twnhwK_w-M=BjzrQgQX{T)aNsAyZXX zgE*Vy7MoCDQ5C;fP}}U9Ve3u!Qg5kgeD2HzMKv4;pOidi!Xtu6+7472R@h&_5zvw~ zMIq9v&Wek#m1ln|k8m<2om9m>u@D8Bn%b65Rl+EyYw?Km20hc#O3tD44_bi7m%5;t zxj#iGcvrj%JZB!;7v>_Q$|5as{x5ck2<)uG-wn#cgVuNX0h#Aw?qWc#)_qL<@zA2h zso^J4r@77JFXV(0dl@$V+k95>QWhzHj5e30T@8Sl;N4BI|FvI3Cmo^Z>>5; zPs&`oww1k9!H_e(-_$V9?mx|W4iA#od5lAPTW8m}*`dvS@{Y&ZCqe6KZ9svGZ;@|c z%_0(8;=X0mTQtM%n{v^;q127>;DN^A8eQMf@ja3Bj{RAfKEKb{P_d$+z{RjcoWHw8 zSdhje22!Bhd)K%%f?lTXJ{#A1Avt)w8h$|`50{8~yj?u6B4t^6X31n}74^ZHV3l?6 ziavgq_{rQ&rWQC~f9Zsl&tr?iAZFHUmZAz4ZWfeDVNn_mXO7)U`a}|I#M1h_U3+K# z{Icz2sLc8jkPZUN^6ou!nj?ou%kx(y}|vc{n{ZLDshF?74HL(VW!f zB}Sd9$M-)fxcj!bdntI|LdW$lA@=oKo8{+MlHArJke6_qXn~Gsi`?y-o4tRE65rK- 
ze0u2H>FaAY<6Xk8SXzN9(dxPLm7KS4MO^V$S-D@R>Oq4#zk({boeSq5V%TM<3mm)n z=!@Bo!HYwqg;D9Gfy{3VA)ui!i-%+A&syciC$*8>x`lSff z$J7>l;kn)mqExIF4fb*!NC+n~@7+H{Li7zH!wfkB^j@DkbM!iooA+KFcoqp`ly7Pm zm036Ytto=&FiB-&UNrF?_X~%}a@wCww-FV-B+FXB?kb@EkdJnMhQ&Cq)X|HPm84a# zV+t^W;1?Xq1w4^j&^=IoCTi43GFoPtYmgC#Tw1e8Rz+Ki`spM0(4>dcU_1{?I~o^W@_j%d}eza`b84=ddiJBt`EW z3=Fn%a{Mx^t&9QEPG`u;j+T}wT*$6u)xkwBrs16|>ZQcQEBq$%j=j0F96pumTdor| z!%}hg52;fhR=ZDyeHlGG@1w-N>ZA($Cb@pv?IXjc3YHtL?Y^?hO=oMby#n&Vz+Nv6 z2APCi^*PtKh&PJXWM`$Z0B(j0;OPXm_j&W1SedK;c<4N;L5R2pJ+g{E`E{A1-4(7# z6YmM@GoD~Yy0e&?e=%Nc$Qiz=rS-IRxT4#<;$gkn9UZ(t1(-XQ!ta6Z1e~ zgdA(s%WvMDRK>}hd)DRXMNOVA_cSYppx5~$Sp`oEsuzJ|H7Vi8507f8XDAoOCT(U0 ziy#%_nOR%n2uG{EopJ~S#{Sz|c&(hX9|^M>n)G9*7dEzwyiC?DEs~Ty)gx+s{Jls* zl#z8|RRZD$W3iJ_L$&JCQ(J$BB(iQ=WiY+e`D^mO2OB<0e^GsMF;=aL{^~yUIyTzn zL<_@4#YDkmtsbAx&HD7ZFxIVhnzwp_VKb_sb+FuOMR*iNI}VM+ugPl?69_wKLWdpH z@?D2s54?33^w!ff4&|JAE}j~;f*LS5(}yIToPQD&y@C?{&Pe$^JvhB}0~dGay18-k z1?>-{kvI3JRtpWLEg0VJTPTQ5XBd* z-EXg1D9x7xTeo6R{1mvDorQsbNSZ|fGS|t2A32*%66%+}u=lG*x%jTVn^wKsgZT|3 z>~QDGXHsX|1<8V^nC^@21p1CnH*KtuXOaP%JmG3Vz`zGD?59Dijs@wEmMCEd(3HW2 za6ZAv_jnZ=6aqt?>X)Spm(!!qY!iDN^`qIKFPjc+i}T0|E0xsaTU#iCakTVK0P*&{ z<7XRd6o6}%DV`bjy|aycM?IEZM8G%?#OrCkD24su?Qn!eYJ6i0e@M&Zwmc8)CG6B) zj2;o^h9B%86Gso_d^@cwt=U#81(uq3eNJ=0(#5{9*(L4fdDMPyV$WA$Gm~N=v0(+D z#jWErZ|@Igp>3=gtLX|ws72-QcK zUZT;5S$UBn!~x>nYD-i{auO|L^J{oVvDw00V=*3x({yaOPie2(ciacR4`2w3Paq&FD7(d(LVH z0?zG0%zFt|>|(S_Zx$N8K4_g@A%S`S7T4oF+L5T-D+O)Ow=r9(5`Dp>d4t+i$|~b> zx@n)}wV#%-=XGP9W|UA_zh9Zu-SwgSc&$^k{aS~wzz&!!^7tdc{_5gw4QuWXhz`|i z3{FqD0IbRpRr}|al$2^>K;K$Pu16A~W@j}-P}}oXjrom{hDDm8h~PVs2EH?1ZDKla z9>it7>Kr;bte`tfrI8LC-pZIv3=3-e{8=0Fc-p*u^~dexpN(2}Xk_Up$rNSG>W-=p zW+2REGl8MM7M8o~t?XZ(f&nM9#CKKyzU-m!-T)-6S^XtVV`H&guZkWW>$}v~I)QHO z(l~N>>yo*Z%_O|Cawcq%(I$n;*Aq6YgnY(J<3E7?;=pFrk_6P z+EMa*c-9H5flw6B?g15^xYo9|)q#%&EM^q7Ke2!a|E6xvZ99GaKPwqn1d&=qLTuUe zSPu=bs6~hB_omtIKXP$s>6VU0^>ks))+-A%>D}76;Y*D_k^mzP4|>4C7D+*?zYosW zpISqKOnF1U@D%!+u-S*M)z*Syv#bNYL%xCEa93~3WSjTO6lq+_w=Fa+`z*yRE-9&? 
zR^^MKuO01m?sy*|Qe%e@l z<2G;LOf*pIC%|jKeAxYlveGn)c4N(EpbfSi(Z~k~HLuI28vv1bOPtt2v z2cv$M-vpn51c9gfs1-0m?eVf|<@C2f%(hc)_up)P$$gPAd(H{bqEVjRwfbtupj7Rz z9}Jse9>Jjc3b;9`c|9(?Gv6BmX2Z3)zvddN;32fKF{<>2N;E zIuNj4!!qxWTOUX&N1ZOzWP0%X&o%aX>HZ7#a{#SlW=|$8;~whpvJNPY3<#G;zH;R^ zQFNPdVJ=&`S_loI#-m*B4rVF^6RqHMHH@=-w2Hfzi-$F~DT24@MeZo+F~DitPc?Iu z-zjcJYdrzpT|5g1@1q^$_@`^9Z6?W4M=6IY)q%IH zs_?>R+i4gS4KoAcy7kzPx5`t2hS)IN`8PJ*b+t&Wr+bWZ|5|bfU_0&rXjkW0Df;J& z^fiNGZ<{o2l($707HNfHv0O_YoTx=ii8C)&r>smhCqT{>;Epd^%gNn7Kr_F~XERyp zIh#0WwP@RAHj5^ud3bny>%7|UBDl^Gz?ZqQI0kc>Z5AlN*m4S_Hoq%&97k#&u1V7(b7Pc7O z*|)2`vN+4CK9|j}d*$3F%snXnXV|9lYgQC<86>bX+ z3`+1;y;HK=@<u6|qqSdTVN(>bbY6OiSwWv?TQ*-4yw=Ys|%c z4*VulLP|a^a}`@Uw$QYHsmz#VFPlX8GiaOlbx6ZjD7u0f&yEF^5}OY|mAX&eSdC(A zL@6!{@Up#NXO>{gn`Y2)4BzS~?M!OQjl)ChdxIMj2Xd|WQSN+$W4^{Vc>PV9cB=Zg z`U0hjjhTkSusf5mG+p!1QR}%r{NeL35hbU`N2ATMa$4AT(=fg|_%cV0?avhnFAPQl zRy)oM=NyW{fwSgrii90d8jF)@N zt=wh!8(cqM(Z(8cG0*YM)DDHy=X&l6LhfbG=RUl?2wH>n#th zM#7Po_Oox>`7VdxP9Iz|Zc0{Ba}{%08|y|WH+c_7rjuS6pZ*WFM_T!Sp zxvT5kAG+wjvY47wN!Bb(ksg{g#-Cbnyj-piyJw2E;@8N{E0s}AkUfSnV=3&9LK$w(nxtGwuuvE33TZNx=SPq%6@`T5b77u zS~!&$n?Gu0!7Bu|;P>74FPVs3;Abt+0=!7S4jnzio!25nWNr(*53XVgB=mqLcx0A` z?eWQ3USpQPTwxRsAG?ti*hJ80&K)3dGduqX`-^P|oTYABbmzsz>XX5B4_v^$_tw$z zi_F8}N(1}Fv`qVvfw+5L@j_PHp9g>&#WqYwu6dH?L=HyPj8kE#dVzEM_w9l3yTBSA!pGbgN;zHlG&}V@q9J z{H*Hk-=6qQPsiQcHCg0yHq6cd#yU~sS2Dl4kZTWGDJOp08TNmE$iHLV$DI3$WKa@t zcUWB5!9Qw(WXF@`f}5SSJYvS!8ngFF7+|4Q zln@u!*42Fhe8P4+W97l|{nq1E-v7&G5=qf=0gj^vayclY==4LQzYUNslnxYdkbQ9) z29?kS+}b)6l*}1cXuAkrbVdBAA8p6;`{#avT$(x8A=VUnA$qaYDzTtfB1y<1cgy0( z{(K#iLc8A<1xyN&ir4r}E*rC0A}CAV!?10ge*>6yPIYO@>7~rFfgH-QN|&BFe}0+| z9YM*);~6<2@3XUISi&)h+~TMJlop~|JIWO8O&wpSxH00>~5=8lS*e3`$wFdkbV?z#7-erG5r$PlvHh8o5OH<7?v-b#az5A#k6P6jxe}M{TL_^B!P_RBj?;bjdcO7FY=vm zrb-VcFCip@&DX63&0sJ8>mj_X^arxHSUP;QuN|e3EVfnifqsI#G4V~)*2Y@F_|y=L z*@$hZEGPmz2u5GK)d*7QH84#{uHz|XyNt^W)2#V?U?LaJaU$lv95*{v(SMaYF=Q{d z|E=7srBHy8UzBtcB*0yMV~E;o(S^|Ub!_2wCY 
ziI~(+dV%Y2fYfH~si#gyS$QRmMNHEi7^}Gti^>I*J+7Jm@eifU&#_5(Pmw8lKD<^6 z_Jg>Y;%>%0Az`{F?ZSi0Fn*Kz;i5~~v6bTWbiUF^cvg!TdaGfnr1(9RSo+=oKG`o^ z?rmc&=?2oUjv#6Kt^>yE0}=u;{vit|IFIqJc{?3qHR`v5F=|2Zr~`sXiy83~4tMDP z{d~THmHP(el0UD=Fh);hqhtj&@|_Ahu+jylE`TpK08Unejrxr`Ta7p<-nQN>Q%Aa- z@fm1O@JZlc#sheiJ;ubAbKjtBdYo1@3@F;?Et%zg(@R3}p!8m{aVFr3lO z{~~~c1|Tre`K1g{wgNL2Y#k#qZsC8z(k2ow>QHxwF)=aLw60w?R9Bv|B4R&0#2}OZ(R5 zCdOIKXFHM>B^4C+16@wOXppNVkUCoriD}14 z=?xVTK&o9%GwRsNfZ!n}BJK2U|-#*kW2> z{T*#>a!Powj7mWIO4#nxlvjrl012-u5xXGDdC~FPwdw*C!#A2W&KRV`Ti!Z9T9m}Z z|0$|DwDMmY&|9CQ@|@?)_9N|5%+{O**o;0YC6hPeQ;l6$C8EI;!^DLFdZC*FrLZ}L zoU>5+nbj@AX>)TE-NZ~8RcCK3cj;~@1-m@5k7T-3c$xq?HetSHmY46dM3#*w`;NKB zZH82`f88&v*e+#kAiQ1+;F*L9F}=k5z_b}i+gS5m8}Jv@Yw0%$ej%u8F9aVPARD0I z|2^+UoR`78!!hIp*aBSEaPj2E?cs~2!|6gidyKAI!+T9$0Aq>PO}-~V7k`s`dofbU z+%3g_K}!x)zbh7MFPkcXs@$q|8?TS50*jB;VsA@WfW;}ih@dASUbdKcSSSEg)2a(! zz51=tn1>}8^vgY9#w=vXf*ezIYX`lX)g2^5@)oeU#)TiI?g;a#@4uq~Hs@3jKPP}H z)+6V?XY0>jZVN>I#u^KJZ}=yQ-XWBY5dC|qZGJLoRzrsxO3c7MsM-Qaq}cy@9JiH@ zN^+iK-^5ag%rmV=aHYp5eXgQ-5q;AESP* z`9PqQ&pVhO{qf^RJK#Bmn_hf~1NEY{*qvDHpU=IOy061;Vz@8fsZIwEFbz5w2ZoDj z`2!nhiqBLz7s`T)S~7&{H&j4bM5w>|M3LSkwjEJT1o$(@BSY? 
z8Pk_*|HIc~N(6x7|GLhlL)ZU>H2e9-2kB4-EHLkm$HK|T8yVdX)y2Dsdo z(!V|c{oA(#%?`Zv1yEdE38^Rm6q}8UcTrx?i)^dQ!Twe#_V0H)?L5G`Q}=0PBFG9n zP5Www8U=F{bDiF8a#}n7fdAt``2nDg;P;E{Vdv8#20Ozobr3LyadC}Rp>NiM9ed4R z=?#F1guZCO116HGbtr}R>$r4!Cnsxu0!v#`T?M%Ncv;)#lTYA4eAWiCSt;`p(#me^ zST(p}m$GZX##Y5J9sblJ7Btd;cx~U*Q8oY4BPw3mf;+YBUuQk92~GXU-_kA-0ou@I z^wXcB@Kcjo(Weu(wjLL1+V7uEm9;{e-{-A0<{!jTvp*H&KK=IXo}Ay0`>N$%8^c?g ze=4#*Fa;Q#^35pxcC-4g)qj)^nt6e@o@j99Dc=8dz)ff7^R2F=%@CiYu8DRf&xw(k z<&CDg@p3&KE}@GTT=RB@BoO^`AqU>-Z;EJsT((+TY4g!_HBK6?z{nruUDYFfPY9BD z5#RHS1A1ztFs<4C-Pp6^wR$BiDn@dnn%Zah@XddnSifmAVkYML z-VUppivIG{n%eQLJe1|R!;c4t)MoB02Z6hOiTrD{7tV8T^;hhcqlR|a_i-eN3oH3W zt>B~uttQty&Hu-lyGuL7;A|U%B%+KNcP!#ofKcP4o1@_#ZX)(CshH!t5_)eKy)0!XwrgSeyA> z|F|;F-g&i4w9OD#31@GPyvYkcA*zv@o+ZFNQ|eluvvI9jVHNm6N3PDG zL11d%vCu#BGm!=|bl!^tz_AA!bs@Do#0??{PE+@ftjKl#=@1wU=`VGL3~d7U!}Hjf zXJ=*-4~pK1FSczNNd?Am=RSl1w1ZPfeqe20rmJS?$F1J#rnrfzE7dN`Z)L&6VrkLZ z+1npn6b@Jp;+hv{8msb_=q-l}cruWb5xb6pnuhj-)r3m^4d=QdnPqMbm-5lDGC<_o zNG7dq*p^Yx?U>#5>8Haq_!r-=GM~V1 zLR0}a{I0N|p^kdb5|yp+c;g{$b)=BJ<9V9K5IVI?d$BJI?d!|-B3edf;fjgK^;l^} z^O%2IhyC|Y2WPf6S10a(6I=jr6h#T+0(l-Do{8VaCBLWN1=ym^Deu9=y-PT08?53& zt#LeXL3(QuO4ZU6w4DU$jjS$98BCOv461ilbCoy&ymjbi*ZUR0DTmYb8|r|t>iJu- z=bmx|wkImI8L^V3lQd9RBH&O7>;oaigvZ94VdS?OE=rZgz)f)6;4GZBdz8Q>-FPLDBHsPJkyHY|SbWxAOug~TYZm?(god2VgE zyXp9NbX~2|2};a2!}vqkj=p@by~p!e5#V^=JTpwEndzxB}1=XAkuY}rw zyJh;sD#f`)L3-+RZp%&dTr! 
zFXqak=*29MyNo>5E3=IL#_rksg`*p{2?6Kw%x|7km#rZ&~~ zGWHLB|Ve1lY7ISMQw+3N=3EqGjB4 zTO z8J*eptdNEmz#@nfuH_q~eMKx`+s*;3pR(V#Yh$$MU?R6pARH03R^7B%P!1oe_JjuF zQu$)#+aXqDc%Jftq}Ds{1-S=J2i^8Tdw(`YW*NkT?SQ|~_Qs22j$z!wt{$GAwF(Ne zIs5Pw;zWha@pcGgTx3wkmYW}}xLT967A&vP+HwJAFW z(A|SJV+t$ry*y>~iZ|bVgVm58=&_^rw zfsc-;x0;6UC&C|IF}J=4a>8Va2u2U)J6`4-hbeugVVI_IK>#E=clJoUlA9|iK-O5o z0FcB1v_V|;?2S|!g7*~ya0$F=NIN7wAuMQJ1&>8mAGu(CX^fa5>|d0bAY)T=R^ry< zsDi~bb(Pp=C~ddeE~hu@*^3i~rSv)|3O*#}as4o8Un?^w@ zLa1+T6%>4ALRj}dCz@eOQZBe(>CxEo?5c-K>lpX0`fWN*G|J2X=xCP>YVnX?!9EOl zme@4<_vSiu4OPw^^(BrpJ>HzYA|SrsgP}O)e5Whb60uaXHK_cIOzTi;Bdlh-J5_56 zxxzy(*%a>WUVT6KQuT#^SU>YFrU(4MRFG>Uw()}G2^gtu0^#~$HI64(*D;u+$K~JE>yf& z?Tr|C{rV*Cl#j~cYiv+2YhabW@ve!g5j~4mdCtclwt_3++CiJch|QU-kRP=z$ul7e zEj2>#YjISQ1~MjU)R~g3{qPN_gc~uLT(%As8n@tO2ieHEk`7Vsq^se-;myP+b8p*? zmdB8~b`wD+C5Zs;(bEqk{9`$Y4!qLfQ2sQ8gby5S4n5yEds2O$IsA*Yv z5S}%YQn(b88nZPzzuC7+2%c04V^j?`DFB1>zLLTOZEc`~>DxDEGCgveaqMx_^aO@A zZV?$aacd6g>$()R<3TWe3P8Ltj!)(OB!|K)4Spx+y*V^+KEFEP={vC~q^;G?1_|mk<9eFhlmBo=`c*Nyz>& zLd1+a6;v&7dwU=pA(PRE8)5Y;kz_ju)|B0RP8oU}k(#8w>YLP}nJ3?cl9BaM3iHY? 
zEcf#mqo4;JfG(86V4f+a)l5M0LMJHFNIcG7z_Fh@W4Mr=IPYxvhx^L6riq@uQe11a z*eEd=qwZ5bG6L8X&;YJm1nUnjlnfO=TyXo*oqlhNIpe4#MfiuH?pR5oqRX>hm9m<( zvs^v22>?=P$~mse{`}0=K_4}XGsd&|Z|4BL&OO_~Rhj$C*436ly^{eJ-pZk_07xLe zl$f3FMzT~RmfOs}6z9yNFO(0BbgD%i9Rxkp1eI|`Rg;+EP){EF{&CfmPl&bST^tmkJ8}YCfO-J>;7pd(u z9;Gtqe-zw>DhDf({OT7A*oy*u`uD&bht%*n*?HnUBU!mU#JQ4pyIVp1c6**NMZy}a zW3Q8%wn&a^6JMJqYTJdkS1CToWwlrYe!;4MK3}lU-|DRfppzm&t2+>VN!Vt>#Q&4g zUaZfMR0-u;D5iM`xSp^ejnTwy${Fw;u1x*LItK~-?`kEveOsqz-)(j@e~$J1yglYb zb1WI8N#w-6_!u6P)rVbnZN3v4G)`Q5wcZNxU@;xNp~GCOFkXNKM%?I&+s8i++5@+M zOi52qe;!f^yvyRz2WCf9ee&S%H(KK7Wt|s>ifz&K45G`14F46Ybo8v{8_tKX%+?JlWQpaO(eY7rwXm(VFT(-S5)e@})*UU}-DJbqe|YzRKg%=v;WBfDRYdG%f3^1uImU=eVD+?&r52WWn23QXX$l zCvptYdqAXafUci#;o5x*;3x+*l#~X|?rcste?Ba5 zfNZ=cGF^RSBJ}C?w7N<4#)_57fde+yEW+z=-v77@8W9?vu@AB4z7BK8s2desAozUt zcgwcE1_yFX$Fi`w{)rSTMn%q%^`t=vtC z-pyQgzQc#(t4URIrT2S7;b1|U26r<{)zpxd+ zwb(V4Td?`NsS<{vdMzAAOI#j>vZ%UYVb%fV@NR{kvO7&q#+SzgjTz z3{xLQ4)}@(oud*^OR0PuEO?oFn7g%EeNV1k1b_W-B_lM5J6X*wp!Oba6J{6TZ;nXM z8R;YRHgjHdZC9EYw|7`lbquJM$Cpbf({gzSM0Iqe|`r5`NV&CFZG=*C&fydeiYOjoikzISn!2C z=a|Cg4XSVTH-LPXVWz-x$BanPI{{WHRa9r5hWp3I7u_FU;js#RR5m`lIG8w|*^Q|b zKO-UQiLHLA3flp>(FkP{V81@{CWuZr0OaerD% z6#FzaG_n!S$NQb^IVkmLzkZ8%SBU8{5;Il4o*KdNfqJ#rrbiin-`v}#b|8Is)eDZ* z(;SMbHnZQ$^>`op%o1^yuBt@oWVCHWiYDx6-}zcgOH_W;Fcyh0qATryEum+`#FY5# z1_yJYnoslA;;Y@G0hRZC2@VWWG)E)O1P5PFG2u5MCN*YGBvR9)Ng2B<(wCp*EQ@a} z=6KKR<0Nk9T0arr18l}z`6pN8^3nN-br1vsIBO(J5dLvSsse8Xan(> z9^ue5fP0n1Z;y0c^etZJmVEP7GJn8f-MDx?e^64vFY6FqZ%@lzJScbE<77S5X!>EH z#NR5DsmPLBoC(n88BJQnMi{Ony1-kEzQ87fm^86FO zbWmx4F`Io8n6Pxg_#AZ_sN z`R3+qWieSAn>tQPlzOHD>>DGV((a5K!y-iuWd-No zjDUP2K{3aNXT7O*cm0SFX1q85y&$qU1=M$80cBe;aaQbH8`QI7>2FCLO5^ z*hTcmn>F?B1HSwwBxmy>8Cb99F>l`|z(Y%f&;(xoTe6-YumkxLz6UUV`R5#IVJymbl@+k|$a!XO$!E06fRb5p)JW=vMQy{vwznoEW>^>VNz3WGdb#7+rLfA-bbex!h&dPehOs#Fz6ZUn_m?8XV9hWz@W!!bdKK(P_zr# zod3R_7S&|OQ;z?8x1kW)qFyID$C1h}Pby(F!(|qpVQY*pDCQ`*4YWg;Sl+-3K7@D( z{b6P?2xH%$A>9ekEp{OvsaGbt`4$tN1bI7u17He+`xQ#hIk@#e)M<9-`sI5tPF)2b 
zCMGFZ{Uiy{b-Q@t9GnlB00$w;_>B(RLXM<{N8O^0b~RVqZvzy(zC~-V70-}@q$iq$ zk15(tjCo4h8#0v#(0Bn|5-E}k*7~hE;b_1?rISI7#@gE)XIzCjz&YYW=mxB9g zRwOizJ^6xI@x}Y8t{q!Y;WRfiyf0M2P^TSRsC=GI8F}BSqz(F2<|k^C)Mop08$;$V zZ?6K#RT@VA4I&b$;_(jiZU*!exUc_T?7ewB)a~2ifeV)g89M9M5sLBzFyNIQfGz&wOqE`?#pRT+x&>~Xs?AP5}xoms3%Jmvaa$6ObADQp#v zOM--EC-cTCkgMDRAdVhh*t6A0eb?@?=!U}(z(fJ1`JUQL6>zQ>L+!WNtX}4^lj{mv zsj$=%r*a@K)_9~kqWnu*yNeB2=Il%`Wt4-gp)0ksSB_Uz8)wLJrUtRyfEc4&#D_5w{5 zKC?_@Z$tE#=A6qlXSGH-?9nnB4MfViE`4N~FPd zCz^sm*E+NqURdpMHy|CZZoMc9D;=Qyd1KNIm17ei=MAwGB0J3Q-Z)Dcx|Zn#vo=!u zDU9Bj?q_N)2y(YRAAZm-X;Q1Y{;fXa(^6(-F!{1_&=o(PoQ)V&cn89T_5HMHonbQ% z9L6L{hi!d}8~{zPQzta}S#sY(`eCTT_yGwRp9wIewQ}SJ`N6GbTRWD(4k^TIi~8~~ zXl(Vc+Pl>j7^5wZ%`=iDcbF>IW|C~)5>ewxIc(O$H0N6~=kY&1RHjj;ydxl&y z8X@jazO|>T|8yKr@LQKqa87lL&7D|H7uU30*=Jbb0JKffWpIE&E7<3;YgaDlhDZ>A z>MA69gD5z0dwv9eyLG4Tq5G*gIO%q5H|6gK@YlZ~F3&9AJ_t{3%yc&NzI5}MU-0Xb z-+~KHdf9%w!5A)@k@II>vKt`+_{7L*?7%%f5)u=fV$!SR1t~P*OM5cw3L*&nkB|KI zMsYzqVCI&UOg#v)6kzQddqx?rUZGimSgi`7n}y%bwYQL zeb($-6Z{j;;aXp!go4ROs;~;C$q0cMHqe%;ZJiycrhRSBbb?^*b2)f`Q-AF2R6lNY z%6_?EVk)qHf~Cu-prMIRZM8YImj4FUT)YbSO@K(&WU4C9m!6PLRk|I&JiPj~L5PC8 z!hq8X!_qa=*A&{zvJ~f)w{c4YL1k(1)L978X&JWFx@cE{N%AbzDyX&S1Y%l^NoE3aE9oX_Hngi-BXH`EsKs>uxN<^ zF-WL%;$sk_xO2|rMf9-Vo{Y3FGdl1UB+^LeLgURtIoGi1;`)OtnD5^rcm!?|P4j)I zMo`J9=v&xexp7OsY7b-AUW8vp$9Z1^NvqAaHX+Oq5V!k36?503(y|NlSk65S%~(ei zz}p$Oh}a@xRGKu;fVzi;G^<6h42&B`$-CkH0_6>#RdaJT@c|mn7mMk90@QO3$J*$u z9TG})W*gdxe|Fn<1rP{)_Alg{lx@SdW(Zr@E|3pKA~k}T!$UnUm%&CUyw*j}DKq@G zR2^2u^9|xNF&!(IawvFgsGF8jytsKckH(%0wuCVJa0>`yUitTf6T>qbP-6Vt6d9*0 zso7%%GR?oPGs761QXzV?Cva`qyVYzJ5TPCyHB8W2ps}QfvircX)euZsq_@LZS<9!{ z@2uw_R`S($h0VY+he2r76w#Kk3mZ{)T&iL;D*WE~OAx>ogM{PY0x-rzVD4z5>oO0nR& z`Y{fOeEPlLjDc=Sr}IfF@@J}VHa)hu_&ze6pksC$VTEtu4d!rrVME>XnLr29lz$yQWVx6oe8{%UEglDIFDk0{!^3C) z2I{=ZNlNlY-2!9+@ldk=*VTsynJjHSFm_OBizh-jVi@Fgacag8M||SuU&r>J1XZ}W z^z`|BxCM0YHqDV!1X$+R4v2&vc@^Em#o0#4H2&r|51$j1B;SOs-%5 z!hD=fJ%^MAype>qe;b5#Cned727Y*UU?gc)Iq=(9MbU2F3nnF?O#$dS-PjKD>R&h& 
zR|6(3DsM(Y^$8Ey7|3PGt}RIade7irzufwUx)`oHfxX8bMn(`=GxFkl{2xDl-1g$A z$?k>&=-p3Q;|+B{i?lxn2n;f_%G1WJkjtaWlW?@xF9?JY3#>l^E?8yh>QA;_WvTQK>y z_#xotDpGXjVN#ebsQciAXY_z(9T){v|4!AaoagV8vj>Q_sB+laj|w%w%YLZdqOyhO zPgP!?7wic!Rks)U_6DM&hS9dYzY4)%s}T(aW!EG~#RP(dZx28q`RlsN+YP)?p{b>| zWtOX6VN0HyH+t7oR`yss%$!{h0q~k3OL@?2R5=f-f6)R%yvY$2;3&ob)CBOi)H<+b z*3&Y(2+ZPtUHg4NQpJCVgoZuX)NcMNTx8~WLXh1=te*-&37U^T-Mp#dJt%Z4sD#pnp6*kwNn`4_Y}GDzf3o-ZmyRvJKVR7k zn1g+vE)N3olVFfW*Qz1k2B`4mGv2`C2`c0jFQ(R48Pv|5f?xKEh=ky0I=kQM>&50j zD;xmjzkgk?mww_4U%;Kx4w|t7@`dNV_+#Ctz&QD@4Lp3K^7rfUGh9$w?{4dRa1?1@ zobELQK{4(fCs%6$_}{hz4yNYtuZKea=3My+Cj9oZ{~u(6zQJd(7^%}2|2tajZFdi( zmDzO0Y+Fd=xe!XXCOPx(C3D+6GLD;1KM9 z%i>I1%vJF7h=4oj-&o9_#L}i)s<6pabx+%4PiaFH-Vyv(j<9RS{2~*qCIF0sog^ym$u?bDwLO@C3$t3mf{mUw^0a z^ukW=>iyrku)S~}U7@XDldU*~1YO4{aaT_Rs_f~dtt8O!rSZj!7lAsx=C*f6_JoEE zd8GNYd2s$mSlJmpw?3tBNuQG)$48a3JCnLQJBtW3XOXRD(tRLj;A{ZS7Hy!2^a+ju zw?f>151-X^9t$o|!Xla8f7_S~H8nNe{{Ho&zenSPow3m`H|R+Pk#wXQX|2T*ELa;pbar2<1vkA&#tX_ja~)J{{S+J_T0~l#ykgakqLnqR^=b#*9(#N+tMp3*5nwy} zt5rZp^rgDYk*hF(3Cj*$Ge^wD0PRRu%t zCojrthRMxujeYg8fRc1HzWwylf)tW~`44L9r9ea7>yuvW@iLI|=n9nUuu~~Grscx< z(v)A${z|7)oY{<5A_lRYPojVEM0pG@Jn?tWHkqS^eHh$mQ(*m9_^YkSC z|ILef=X{xG9`sKp(Bj+&W-rwo^aXGdWqy^ClwO7qzh@H! 
z-FuLr0Hf4<7cW*CTKjYC{PyvV6#5eObp^#wkGjSqCB}4EsL{g3yF_iDdhgv3vsyO^ zTAo}(ZA?v-7*GFrU=kFBsYI>W`cSNIPLF>7(fb^LpScgLQuRr{Z zcTHcmTKaHkd+5^a4Tfd<>GE|j5rVHw(1Dv$=wkN+3M9j3?~#}zE&G-DwCu2Q7`!Tk zgp*2(40WY-?!1TGr#31NR`j=aqqSK%IbEa-OOR-V46A?;HOukAj;x@P+eOG332@wd zDjvH|es1#wh>4QScIvqN(nHu}aX`wR3RH?WVK10Dqh;2gT3g$JE6`1vYT8+Dz9FC3 z40mP!wpW8{S}&==zUn}>t`1=OZ^1A|tUk>gYwZdV{*X5ACJ8|*Z>QNb!G#7Qh!)iE zlP?7ffg<8P7L!&2&-Z%9 z8YmKbK526ufrFwD zRK7GQkuNBO4x~%?9{@sp&U?g9DoHVvQz^ByrjoGXSS2r$TmppYE4LGairvi_Ei`Ny zX*ZETPqW_V&b6!%#=6R^nUz*dg}HN~fOV^1L}{ZeQe0-H$k>eA@um z0@H<05VC^%{wgd9?9Qk_R#VTmR{2lg1X5Y|RY|~)M%^s~HeCpUsVncM{i^uvZBZWX zm)Gs2PPybw_j;!V6-~a(3V0GZGVwC&>Vu$oTJzv(RbdI|Z){NoY3y2AFRKZ^Wl zW?68O8ilhuSJt}cnrWe`sLLXsK`JDE!wI_c-$J9ZTcj}yAztl*{_{&74Hm+6eHyTo zHvofqzv`osVlq-&rC>mY`Npucj|jbD!5B`L>iWLj@1HKjz%v^3c-@ec}v;!QWX5H z9|Ez|Z*ChCZDpwIj>n$$La2eHZ;+#;K260)N0!6*)>(PGNBxHAU^~8=-msME)6Lvg zn*fY!p53#hRmlXiS8>r*<@FO)bTUCY`k)3?u`CGMabI&zod_WavJ}X+UpA1lxBT_! zJz%GKc6=*$_5o1pl))DO%B0AxHU@o~9NHVLCV`&eLU3K%AUEn5Cc`k}&Nz_-Y6yW|xT1X>&@1tI{-VDS2(Y&o{vAezzj z-v60QKdk61H65x!6dbPMu+NVl^Lt+EuNekhi^r>l@YVS%Ig}Z$tm(GI zgcmPff!yh5WdEX03FY$$NDWDugu_somhIaV075uS7~tc60m=by2k^ksr2<|y3QALh zo3fVX(>qPanlK>S+2TE@!d zfH{5>c^CAF>Y|x7=gu_vGG&&ntWtbBjq;edoM#u3ogb?1FWNgoEMWzzvok8 z>|n1WBG%ffh~J}~;F6MbP!S5?ZViCRXF)XUBqVhZ*H5|G*(ut%-7B}8-zoY;dnetT zcop_?xQrO4(urXPABUngg#eWcHrhNvjg&Rj^*kzBms)@vScHO{yQ~Syf%UA;SPBW> zKR2wpRNx7#u`X%Mq|h|n+;CS^ z_bqgcGEmidUINZ(t$xWx_Dx%XzZugQW-ANsn@6DHsXxd;|JYT2wR;O16GoGH#wPK~ zqMA}e3hxwRQ_GFL%!NLLage-v?_1g3>y6>`2{L@hY9#t@WC$>cu zNFF!QuoC*p+2(v{FYl7BNc|-cH$F=Ps1#1(w6lM@hG!$*B+HmW*2q4YGbP48C6)#7x0Ksu zBf9GHVAR>z$y{6U=a=l3gSUgy7`ggflLIVIa(KlMxoEwbelne54{h$5qQh?NTTHgaGlKh~?+|9c~fTs2rMiKZ48SUNgXMNsb{T&)$ zyXSa#A<&xUJeK$BuY--CUn0bTa`u$eWQo+R9 z0g>eOfqZJgi|p8%yNZ{})lsTE;t-p5p~?JVlF+-75{d5s+$yjKN5 zOdgEwv!lhew?{?V4*P3iM}auY5QGjTG?kGe$L3cD^&4~>Z}kvuxYynF$Ql{^x*8l} z^19gh)CYEhK9uq+*_H0p=4-vgli-{+bG3@`OkAGGjwM2Jo(&Xu%o|Th+BbhJmzWUk zU_bo*3Y#4ln^3{X_qXs?|HC^EZu#yf#dp!BQ(D$w}s7?{q9 z1Nl;W<}vHmuseX 
zdw4YcjNqj5OGA4VEpOqvy&Jd+jZaQX`_nU;=id1Ul7o1u$|gGI3Vlf)2(?-AbGSM1 zC#J^0ge{SaT2sALn2G5N3sueGT4Un={vYfHtg#lUn!ZNtf(HO%{eEr2T6_CSHsjP~ z^oG8C#&)IhN!H|hy#J1{@ujJGUa&)HwUeEnKotKia9(%q`pd3(EGL~SJ5}57q`B>a zb_uY?@O15e|9a^Un9YI5GAv-^R?S}ZRL^?UbjxAP7g%~FI1K@Tq!0cuOy!S)P1p_? zHP1&(^Ui%iZtB;sfq3-v(BbMR#G0`X7SZMaxId(-L&~F{qoblmC@lKR_`E&Lr2F`A zsp4=HVx6;y*~7KTOY_rz)iiv<+jbAo6=TV^t41;!9UlDL>6!uEWZhb~FU8b|o4|KM zQokb!n@(3pkz|QWCSDeCskG(PM=9_7?&PDquD@AHXQRb2+DksQ4v6&d+P^1a7g|(j*j@LJf>CPu|JTVf)rA8R4 zf@*Gkr(^BT*bdU7&$IGr4M)2M)nty|7x!bswZW1u$UfRx>cTksEoD6fl|B4GTOY4r zHlJG?7FN&bDnsSnIW|{m(lkv>kT{ts+%2qFI^6nXM>E=lHmLq|5N^j8{!;&G0;-(( zLg%WwnN5Jrx}y^nx(TnvE=n!U0ArzLGV&$pV1ya8P8Zr6v4<^HZe5C}yx%ipTBv@b zY{0i-lT$IeB10Qf7W8%egOZobJW-V|r|xz^noe(0h%dW0cYB_ud31{|HA!x58hf^Q z7w8i;7J9pwdim!HGE)Igd#L~gU@(bxB*t|+x-9xn1R6}xy6A&2C;Lcmn=?pYNjK87 z*wJWXwXW(*aym)1BmG=DUQ&8g)irM!F4`oQ86kP|Uqh}#9~6K-it{CzPtNK|1!bT; z@rQqd*74q|8+t8=^OCifrw7YF@8PZW8jr}ge_dOJOd;&fmpSfP!6CFkHp}^>PntOoyQPs{qL8{uZ8c_E3oLaT{Y&Z0jXXEx>8O%x!(eY=NVAysw1f5!cS*Q)e8J%m!n}tQLX`IyHlS$$>?K&a) zb5cS!hnO1we}Q%FmEJRf#;~aKK801vR!V1bHBI2jA8S%5QZV5akXOB=^L9o8_>{F5bjIcCrAQ!v*OWSgJqi+294Jf<{;MUaMRQjcNh8=K7 zO>iBa{kw7Zz)_3Y^7aI9@;m~Bk~ihKAU{k02GZ5IaB!MI7GJ8}4`Po6*{f+DvSas5 zGjYgOeY!UeF+2kfkEI|=M8`mi$m-5p@tVFnhMbiKXOC>j1I#WLpnMwANWj_!U$)>& ze{Q2^SmA~&-bS_GL^Mp1sa7)vVTg@3bDL3Gb3zpEZF9M-Gr+!iQ?$ZBmSq z`|&At+|ieY&SKjyMPD!%B{C&--}M@G>tq8i<4w2@I|@4u5s9 zbrNcb_l)oq**~YMxL8J0SgL>F9_f+X2RCbl{b+Q}PD8m;c7a%x{F@{!OWqg5thdhv z(fRE9yf~>194?#WKDiO_d(B|ZT^eC5L>gW)8AHLG$Zg1rsMgYtG+|o265ESYlBpHNXLArWI|P=U%0zl#mf8Okqf4 zMz7xPG0$kI3m#cqn?4mB>b>6|{ui~_gE&1H92v_d2Tif2hX{o47mwA@2<5>DU-+88 zG^UVv_08};-IS*ot{Ra3U15g6R{Iwu=_dWJ{G`?w#*Ijw-CE1ReZf$^y-!C3`xJfM z(mJ%R6frD!V9QY`@@gRPZyvqFFqBb;{Eq0A6U@2(-WLfnVbfSmBVomB>GpT8zp;w+ z^i$Bv_N~w~1@!Su^Yl`{*=bOTdEZ`XI|C3GcY}hmv9N~w%;+lKV4YLMw+{r%Fn{{> zomv2Jmq$7z2VtxjX;H_q`RihC2n!$Tkh6>r=bsEn7+urWK|t@X_VaFu1G#}`(euC~ zZyA&IT-{83j?6p5*hu*hPq;)N3z;yu?pn1FYr9cZ;M>6S3#yM 
zN?v^{E*Zu8%X1qpTr=?E%Z*k34#ckR`|icB^906tF$-07#Ys!_^!M=xhGVS)Qmbzg*@vEaM3;-I&RR_+?1wQ!jFS~n8$QuX?{p0#!FL^-)8pD~w@KRTS8mIq~oOI5qT69qY ztum#&l2y6b>yyXipv5X5e9~*AhVk#GB?&<%={Z-0h2ema@;7?0o6OF9*O7%^5}s`b zE_Tn?Pb$2BCHLZn5XZh4E&MVbMtIpv&Z20{S21>omkNR`vn~H!H!N}5q4`L9ZOT@=OR#tPr(&5N6dXNg_gO8*MFi*vzkgyMFF{PdpLK0f8xe$n+l$(nqj$FEwj2fWcLd| z-MHmM8jsl%LtS%*TYC203zS3&8)QEI`ksw=?M~ z(y6=t!=E5ow<-FOl9!lDclLhg!lPSRz!LLzUv~P?F0bOQytk*(GOG=YP7=LLn&*bL z|CD`WZT%x1_FO|9`W)!RvlnV6@fp5nOBf*FOMu4p{^N=-5xHO}x;ZT|`y8dfKC$=M zz^%7(fg4Rogbm~G+C+|z9V$texl}fPOQ^$AT6G-CZTPZRL8}yjVYgFS*$(NUyMv{2 znM%klAZ(KggpmyvyvG zhA>h0#_PUqm?+>|zL(=m{PWncV-9C;c(?Q}Iau#kmpdjQ%!;8-#llMUt4Z5$0^scxXVcnA=Slml&Nv+gT2*93!l`FTraew zQ_Vs4s3}rCoz~rG<`Sj}e72 zA=n5;Vm(#v2uxHBl05B)WE4vh(_&LeS5vhPWBIYSdel?hUjrCFk49h0rk?H8AM}ei zr7F%1McL@7Q%8YUYx-5iT~mp}0onN^yhwLJwPsvO5r z_-kfoLRJaBdaqWx5*Xi0>f2|fW9>{W)NVX9dl^Pah@;4Qdg5BlOmv4YD~K+(zw;c_ z%n~Em4K97`Xaosj4h7r^&9KR%-57{Q6-cUuRW( z?1qH5TZ=MKHEHf@S${NdoKS0SQC+p00a#E}?|4ae?ehx&N;cG>7ehKLbe2;3M_4Sc zDaJFS(Lx{JiK{?E)0=K?(|Eu=Cise*G_Z%yk!aG1H5N`gzuFu2(~#!pr#n*tK+)L1 z+h%w*FqTx1i>H8+tcR0541!>C1VDq1`4xomu^d_wdQFS{T}>u0y%L4P4ZIrX0p_yq ziE%#PT^d-}#CwX{<4_{ykYU}e9NhcR|Dy%ce+*w~jf2{gK-HGfi zPNgz{H^58t+Br+GvA!e}Enagen@|#vTh1hYEEpv@EJf8Am8LJ7o2AM^iPT@$R&&sC z3@}C81Ze}#$!kNP67wMH)dZk1I+X4IQ_3bBUv7}wutTlML zwX)(e@IV=v@@s)_G8z8_P9CN4_a*7>t6&RWS!tqlP0uJzK~*L4sS-da{0-^w22XcCx)))nL$%4uw6f-M@JBibw1n$f9Ej12?%gM5fH^3t;5(? 
z*>!*9?{)ropd_=R>gGaGF@sX&P)+9`Bw_Y;A~D#;E>9pT{_L5&La^&JWc}uvdAIcj z{(iV|K=JYIr+|;XIG35Ig)r!)f!0$8-?!g^RHbh$A^kS)QN^MI!@Afc=i79}Z@_+1 z)7&9#s77n=SERCHico#Y@8dabw+2L@RoLsQ=lPu(@>Y2)DT}^h)qA2 zFie#!bTDR`d;JjM4%l!*inn9~lT6f1ir`Y!#2QGR(A9Kw`8Ayb{R!s^ABptslx9pbt zaRH>ZO+_tM#cC)yI=0_Vk-gW`Kk1_YE#EF|v?B&qaGvgXz2nh~f(=8ApOdR1Wy56d zjM*jG?X!E*G~pe5y-!bvv>GMrO?HphM-=ZSWy~rng2sV|qwb~xQx;(KSoamQg700l zwD8cYyQFaGDJyTp#0|kJtwR*Bk33vi#}j%Nt%8r7+=_N9Fi}fYYUic4oJ;2qKCO}4 z<)LGd=H)>o1UaDsBqC3FVozbYFdX#z4iH6|sggk+6nEA|(%g`U0h__LaJm8OaxpN< zmrzs$7*-`PEep*@(nPgm?muXH+tH{fw|&+nFIcC-zA`5Ngl}@d{_hp&t!r&mzAp`* zAY5qm^1mwv=i5 zP#|-x0_R3~MMa$BwKJb}vBp4m%HO>4=70V58NH2`*LU-ZK}(E^*YLul534;spDYMy zTw&1)gwEA*vi!t;H_SVu_s@3%LDU>zuB>`}oo=;dMKxXmofPL9EA(>YxDH5K5 z&imJOH%f2Ai0pLb6ArM~m=UEgr{4PiVY}vn$HS|3HFYuN8 z*T;qa^M46Cy&of?6Z-7G^#^^M`FW#+nYVi>D)PU7WTg7W?fCoK{y%$@{{E={&yPmZ z3vfRvBU!%lxG3Z6*KgkLNO3KPvaY{R>JK}9PU=H@{>KKPDhfXrKsWR!ZO@S!3sGX3 z_e8Vm#Uth|T}2Tsc7^ug8~5e!ck*iha)MRz%z)+pjPm}uTKbiHjv{1?QbfgSnYiNs z$g=8_j&^FezwJ#+fT81tht=;?`I*Lz9%Vllrmnhtcl4ebukmwWVY*T7abqfQ4c?xl zY73fJ{Oh_Kb@t~1GYNVYD}$!8j{tpcaBk4Q`RTr_ckkZQK-28!jN8k&!?zjKmUfC} zi#+Ny{H4?7mNbC6H&k4Rm4bsBr(4T!;@eGK&;D7Mk6c?_XpttV-T8XaYFl8>yGt^< zx}&te6ZKY{+n&chZp&DfCxt{7wG^BlF|Wk7(c%;TcP^nXpFlkcI1@NRQLNxN;PJC; zNaf|zR1bej+djsZC-`=ou!&_NDCmfyDO`R2ONQ+=j>Iqz6I6f{Hz z$G{cHn+0-#TgeXi-c~29Z{XU*Qy>CH+W()i*!|OD)HCMQQRJO=U^6N&jf31kJ#E6? 
z(^4z{@xC0pb5>MCEFNk}ayJX}W$irUQ^q}tqAl5tbai9|5jLQ!xR<}yeOAh+IOPn) zqHOpY0__N}8m;lQ4&TRYkWmI&?rzof`56$H3Y9LBJndkw^rE7t-rCMZc;Hs{|I3}9Hz{(z9y-Le5%Rpzq6En0y3gn zTO2-R;#Je|6IurL^r4`c4r9s6Gf}?ahmG}^>flhhYp;t?C9pG-k(F)P4iuTd{iMw* zsn%Z90uD?v)wZO5Lc=h-v7i}oD+!1l41oW=VCVA8%DDklJxDs+pj(x`MP;tG-!;NK zS7YYp{@c)OgdVS5S+~t|S1>PeNvkdMs?HsUZ|i*eufC@_%SvALbHiDN$@*U+un?dS zl;_CD80V9I1?=z|OM#<#l!Lf3Xnn?Tvrgm};MN6}+diPdLVU{AC%0Ds)PbX%1I)&idd(isx0r{Br{F;9ZVDDz-)YOpk zfK(GID^vo3vd4$z<@V%cP=0u&iZLhYTJHp}=x$`vdc6!ttV68cDc%sRD4!s*;^obg zKw~gv$lesOy5^(P28^$2Mjn+$FXcPt5SB7mAdN`U^XJb&fq2kQD1fe_p3fy@Rqk=3 z^Aw|W7}wla=_9)ubP)aHe!@JtsBw`-Quh~J+(_=^9h|Kw3#wg|cq*yfoL17D9R_ty zJzfq9s#DCz<|LmN$knAp&?H>RKL%AZXW5IJr!A2i%X`;WU)m`=4M|h!fRJrX$VBAO z{{cE?it(Nf{ZSYMY&MGS(jdPvNWdrSd~Z(@RKoyXhWByr99;kGi7o-28M=ORdsc76 zb$$FgIhmO3S=DXr*Dq~=Lv%Km_j0^edj3)YV_r9jRscP}bhQGzL>ZPXiU#w0?V5+4 z94DwCwc7Hn)d!Y-&Xa74%w^`3x?k@$28xj84oUzX9X2`V&q1--zTVKBbI4k(iTP4u3CW>CL_TAe2`O?x-P-DIPZDyBT%5rze6v$5w!T|L>{{`k2!MX z$liWmgyr1MYB%lZE2OC;n#8@9{Ev)GM`ZPFLu*lUq5-MGN$f$hPz|L_M}OUW*nci) zKx5DQC25lhv#l1ivQ$z2|*(u@0%;hlCBE<;xp zi(65eUJs5cXj1b(8qEb=#Ic$3x=Ape%#i_TS#t*RpYoH4^XDUR@7(6@K+OgX}-Nkv#VDT2KLXvhq^to5{5n@AT)Z986D3LV7&YArY z1N=qGNKumN2E|l&P(SgnOj?>GsA*wi3cOvAUNO~b)K~uqmOWmZ3r7z7bKFNjMJB7T zuu85-PQ)EGRDeoh&HV}1w>=^zA0ahnzfn5g9wBXG57h?%e(Lno^mYaV2fr*nkBzDcVJejJ0Mt~(=RybM6nx}eUS6A-=+sYVup1uL zQp44xk9ytrGZXa7{%J!nSo_iC&tCXjjv=*@z19+H*H)3f%}@;{aJvDABhJR zgSSD&&zt(z9m=IAr$mc83cZfey*ATv5bXbpGb<6pw#4t<{&4zVL4&G&9F-e7vvF5< zWAO;}Y~*=OfNTNzbp_Pg({ZAYKD0DHDjkrY5kZ{OL=`#-kUFFNfV9F}2p3cBk3OA$ zg7$;o$vw{!yRh1+Twyx_I-sBH+5fDXXQMX+u3L2$bk^*$5*%0roh-EY;35O$mCc*H zj$#Z&16#*^ZZAJ#EUiy(0IxEu_f**HH;{eiBndgZeYx4(K^x8qG(bI%AKQM+F!!Wa zmctmRWT8Vn>2Od==(_J>L~9ZWA)RsZs=e;>diwqq;Tm68{s z>&E>4^J?&+Q@e-k+6{wQE&B$5!-|zPz zS$_4~2JQDVL4W4*H)P-PcmT@FEHc&U^2feqTr&i^jh(~Ik%-}Wi2kaH{pfUL&lIha~87{Ny)z|lLU$%1^OyX<5B(F5)a|1fXRuk`MFTn=S!j*WjT=B@en0$ zBaVWST1E-V2f(-`DYREdMqXrw41V8_*EjpY07?a;SB>p|L4E>mYfv*8!8+dfw9|0; 
z8M(gI#-083u=Yf^>Ksiw;~dyH3G%lwkkr2D*k{r247pBTcf9wB{}>KcnyLxxkwE$t zQ)QJ*y+Y0K;m43^+1@Uv>i7E@c6LjekB{V32J7etV@;o(6V70ga|-V*3FmD%x8L6g z7?Y}k0cdwgTg1L^i>sl_mu{XTFhl0OWM9DwM5WqQJ~2O}%kZXrCC z?6m?tnA5;~)n4?u@lhP=Pka{97PsGenZ11bG?V6uiv+;+N0$6<~q-b#t7l0HlOg1PyoY=Y?6K-I+H7_C;KBJ zE?(@dxM%Ul51{S#@L!pjHO%X25dY4e)E~Fxxyq*bTH|8JR82(vfk0)%v)@;Wy-E-# zb?9!R6Lz@q?^x}$A~s217L@Vr27gS0jMAQc&-@BlCd_h<~xYW7wrkV0T`>9;^NWl-%E{CA`AuODhpg z%f}|dpHC^~NHQM{ae6l#zhxc9`V^Q--x7U9+V$f2;jpot=8~$+XGD;o%`ss)*8MW} zw$8bJ7O1{{A-j6-avL(2lw0K$lW&{b{;@9w7RUsu!&&l;!f4iFZ^aj$Bx#T_HP;0A2$ zHCO|s!xcRLu?rtsp+%D362!Z-nA0jg(hLHax0qXSQ43OqTR!#mnk+fS>k=Vtj> z;I*-Jb_wIC5(UPmaUfO2e7oXF^X>8mfz~(znI;S$uKoUj4ocn;6K&;6-y%QZOxy)p z4O;fCw&~VX4kIv2P)m-}S9TqB%ogX`kk*Z8#k(mR-II&|kF* ziKXCOI_bfJl@k@-M(YPw2;l77r81>63-t$>t6WtG$v)l=V^JqnmW8)FKMvbzr7&a* zvtU-9s|WkRuz^e1G0=ZZdg7%i=+-vRZUsHb0eCB}vV9FW2!83%b^*QB-n7K~rYi>I znZ}2!?wpHg5?4ojOBh(!lzIDQyOuuQsI*`QU0QW@nb__O=G-Q0Ezky|+~>94fCMw) zP>&XKUulG{5)jaR&OF;t_Ysk}_k0`@vD)-RB;<;a>z`drpSXvJ?>&(k{Sd@34X z9K)D@FHf=4usQUWNfkN}RaK!ub?iyFc3UTl`dKMEA(F>zSPhkg@8tbUSk#YH)rC$t zx+wN;eo`MAR(Su_abx&$91cg?C`K}$`_5>MeD6H`BLWh;ba#RJQ#Pb zHZ{}BeTa2Dj~ZjFgpzlr6s?+)3KdyucUn4A)R)a-h|$9~b^)oS1`ebKp#@yf5@;g3 zzVHH{Ry6?C&vA5AXhrX=ZoKH$rGM9(lb)ls z1*FbR4vfE(Mol*Ya!^Om@X&sp#(A4y{m!0V0{fZAl?iTRh|E z&iT_@4@4+@T9I$61AwJ^+G+an=xj|}p1{T!`RUVkNqTsw5hz5(3Ri4}+IaSIy8S6Y z(^tayYy^cVIM9jnPiji9U)6Up{94bICDC97C~2xIe5Q-+TpSifl(7lv3Zd}Q5XXE>nyDCgT_xk|Jph7@ZFd z?T40IU8KSsuZ^ixj5<{tk?eEN;e^!F3i~}JVT*V_)9_)nSqY$WE*o86j)qg%@%jc$ zD`-h~>vXt|6Vdg%pKDm?k9x>I9J!p_=nWZ&!9)68h!an^yOW`Vj9OGwW%)|ca{c%q3-3I^qjz50nKloSIuw$S}bnJpQ;(t;1-ce0$ZNI3B zqSCiY7tpPOq7g(vi?Rh~QQM8z5apdQ~8lPy(nZCDaf|fPi#D=rtka z%!PaJ&-a}3-Eqe`|J=KVLotLf*Icta^Lc)SFgKo2faxR;^}SaOG+R4;do`b|nML9O zT1OF;3<+>4Xkl{%{k~37jatE+hy^DXJX` zV?WrhGv86;i?M1;AYcJ%yZ|UGVz5_ZTxS|GXp=v zDdX2mX1iS5hBkf(Zb^pEkRNM}}>pd=N-wB6q+! 
z6gXkNhqS7w!Ck2Ehqhf0hn32e)n4~QqGO2#2O^rr4cBGc+o+VI?K~okejS%Q!8N%UHlA0 z+yTm2;dXCAl|JwIIR_`xbPO;LqDP3%NA*`aPVdE$4$(zmr>+>Ax!j&2gXPey0+e&!vrL7~SAlyN(%jbzU+$~pCx%tx#9t~tsW>oxh5 z{b7cglv@X~fGfJdxG=w)LGAEGE~3=RShPXQ5&^Oq-^W&WF2vRmGd$rXB-P=lKsITU z?9BfYl8GM79%(|U#h$zz=UrHAN9lPchBNcXY7-D-iE^My+Dwy0ENchMc(e@y3}TFe zrA`;9BeeBZq%3wxkB-L|7#8hOs_;=v+%9eqJq6Mxn*bas#rzo%xZyG~S3TPd3}n9x z7_aY*u0ydEmt0bl%`v3)As@HGWMfyt?p@?1hJ}t|6Vr7MCe3D+^){W<@ta>G^_um7O?ucNsj(S3>v~ z9rts{5JT_X#@4!PqJ<<@SxPfXepjjQa^y~J75Rd^|^o(%L7@xhQo=SX$mqM+t(>w^-Z|9 zmow``dUCcuf%N~J=S~Q~X#OLYiKT)7-7MI+1+&cliV8~hBn0yx^c)8B!PE*RpS0wN z2A(*^eMI@(0oA?1l`MccS%KE0^xCGV@gt~1tM67vN^R;YZ&u(^GwTJolw98O74##g zaiQi0&OT#SwAJb2=!TO1w5!~^={(TdCBy#G4@mhduofWE)WXnoSF#Db5QyS%nR zf>wI!nIID(fT)F6=He;RVl$9@ndgd$I3B+Xe^>!^X<69g5m0D(O{@KBe3>ce{R*jX!Is^@6MeK7>_&+Dg(+2i^?=Utqv?~) zIH0YcFGP8q;PmW}WGc+gXs&XlPXCN3+|_k?>xGu#HnK2&jp~&aVm)3Z?*7@j?6{A% z8^vxv%y(p$I0Z0U#?vHV0Tq(WY$#4)d(=$A2 zh%&_lf|oyek4Q0ptZ79#)fj>!N@x{U^(oRGVpD$PNj$f!f zX1hGY^37+S8}c@mLM}VAE*U@>AGHG2aWiOkz>}NfP$ zKX%a@wt)5_aH;g_10$uorFI~n_G#4ZGl=sqY8I-LTz_vv#Q^s14*LV@wf55NF4&T^ zJ%d$!cZt_1}z&?h`B>UUBG7C{8Rfhau2eu@<_Dpd@$s%NAFA<$RX;GA@P;jt-l!;m{Dnt)73?U zul>s99#NI$rWqKkul<#lm3^!xuF#?;|Z*$iwk2 z-s{)0;GJCE8D*ErWZGS7Gn%3-B7UxZl`%OnPHILS36twDEQGvdj08`X_b_3`PULkv@&z3nUVo?_@x#es+h4 z9~TBz!aAUnd&ri}p2jEiKu}p9N19REz$ZJ2_LUQHzeJgpU<;hs~hd72LZ`|#l>KoSr0xEoH$X4_NH-VCZd&(Y_tWe}1U;?H}$ zzjLSoZ|2;-6ybW5SkeAN&R^0d7^}4$ZhJIVBBcps+b>WVj0{02OP0=FFZBj6SgFB1 z-7(-I1c$;13pwAh4~{ZL=lAsVQ+>Azw+Zg9GRna+ohMGlg(wp?3sf(3%C!FjK$R;{ zcaz_lR^Ed^d(pA&(9CR9laa7WV)7B7icLyQ}FYU@bx7~CoF@Go#AivrHA96 zOwZ}F7^?H%6r5TDA!azfXFp(o?}U%ifX|>y8>C#X$6bY~$vSE?OgD+~W$_Da$&Ory zv&=8|XBRWoE_@k_Tu<{f^m8sav^O7T0bn_pU4A&YP~IzGYUt)_KQ`L6OCJ*OpJ)BP zTOw1Ll(n5>yWd=~_@Xcnl@IlU2R0$@fi6fwR15nRz=1VLWc6s<{DQnszu{#=Z+z*v zU}jkHM$)A&-kak{*bsl9CZE;#5*|?QtDRjiWb3Xfa2Vkf?+-E45-o38zF1UcUD9oA zH90E4nvgPy)HvRRCXhtRTDAa*xlHH|1|n!kG93yThSfv9LEN(5xx*Do2LmW9TKHkTju zuQOBOi-`j-76gnsB+528{hagPq!x(lxLWctuGA+bf&%bV3Cny5!+cP=v$G4e&Y3f% 
zLnzMQIsZ`0pf1SdbsW0SzFSLvZQ(NrWi)|ba5}Sl4I2?6$gcZ>0$alCNzQh<;~O|{ zCx+eK`_|t3jK})-w-pF;$lTyEKHU$f+XE`4{j|;y{JdYt%7zb8^F2N)HYa z(CtIj@Q&9ONSrWgf%Teze^muHkOp%A28Wh9;62clDBOg~)oY0pkO5kMmn%m+pK(Ke zi5qx#SISD;<7|*Bayc?!aL5uk%~pc5QmzgIE&tvdQ^eu$b7|tGdVW*oa*M5Cn>b2?w~{5b?*WkFJzMpBkTEK^AdR079+{uAkLEfP>+Z*&0lY@Awfp;KwtU+=tYlrWVc-5Gq>1pRK*3t zWv*NUhaS;@idi;5wmVSkCG-#e{$Tun!6pq(_wf56d{X1f(QM zTqkrl;+*?(?;;{D@7)z>%HH)ap1jZkDJ}Yd*M;Gys2QT2IP6isOD0CLl{Pr0ef!_x z9EtO|iZ;zu*~^k%#N>XEx*Y}*yueRa!tsc)D*$Ukcr-i+-T%Gbjr{`#t#q?^u+{$` zlD`}xrgrFbMdJEzH@5GAF}Sl)TIWc{J|pk+?Opeb{GlCpw>d&uAE|huewKD;?yN;x zvC?es9h|h1YYTe$M9XR z<-viYrzKB!g`GXviCJ~3>%lpfC_Wgt&Rd_6pL4d3XyIJvOp4LC6cQr6@10TaI}#`% z20g0E%F03)4&)UUt|?YVMSA~^Ku2Z$0+l~}pPPFd+)N+GH%yp^&co=Jy*)i=K|Nsb z_pb18{DoIHA4K|=T(Yb+c5-q`eL2v(@C8h&HvsY~3wXExb=A@R$0LKjaY}pd6aMQx z;H#e}{?Fg`^(<2@IFLR4aQ<#?iUs6fkqXzu`(!T%ew*|zvuIQb(dH28hbJGNxCMqRAHyIiK+c(|ay}5@B z{=H>S^!Dc0?=OYP{(t#xm~orY=MnxZJ3X|PHz9u?t^RHPJ9xlVroz*s(bGHe7pQ;7 zjsJdEWqNOt{`-IEi=X;&(cuydQ%P*43IF?#g9yedXC)-`IK(XHclsp2aJHN6$$AwZ zKl%K(j|%g{+S-g3_QYKA>8)GoYZCb04ByQ!vecomn#5B-^+~7uI2?FS!c}O5thdo# z+&L~Je@4-Eb*g02w{lqc!i66_Lqqe=!6@`H2PoD{#-%D#?Mb#yn0y0t!ay&4aMkI2 zRe5>ee@wNX262($dcO51*!FD{a3)Z1FywE@2d-Iiidnw-`SZ^tY43cnA*qnf;W0;Z zoQ46|Va4)##5}J0HR{20^QWMQ%gAZh{xq{s?k$v+{STTWN>y!lg@Ix5UJ}pp@Y9 z0{~8_zh-U*96TO6e2YzQUK~O|5dZeyw%mQoXQymNFY_)sGE!K!=UeXKxdsdjkoy}d zH|USEi56V&xD}Yu6mfuCeDw118+FqQNV~63Cq1)kaD%uxK#2VOaQxOCb7o^{0r5ewoZIq>Xn z-H=%DHac8t#u*3+1WStEd?B3*G?V-{l5(_;NR18qW+4#$gFVQ-p*N%GGe0oKTUC*j z7J)4^8E;>Z1E#er7I8>G3s`9XeSfI4h>Hr(Fx{f-Jvz_{4*2Kf&fOddA{HTdE_;5w zWKyG_pP!#ywqp#On55dQ9kR-DS_2L`~;pji&HO^xq9wSX*0r=iQMi2XJ#q_xpd}6@RL>H>2_t ztehC>@anjY$oZ@F=1#miDf@^MI!Z?w_9H|4O@XHk{7brlzW!MVQagT;+j%=?Ja4W{)$NlBbPz*uc>Q6p9_G%SuFr~(U=7wu^ZExs`e9>tcKAz#*? 
ziS2e5-Ys$OdI!^bd!y3ddp#)s)2F*58n?x5$BI{hgGJBc%jn5ZY7`A{7LLf3UQ{mrrk9)6$WTo8RrzG-~c>8dx7%Ssbj$$n?x(>l{r|PMONn^ zzkqC)zI*6Yc4sY=;H_SbB^;J??Sg%L#wqfOHw0c6w0yHh0tk5TT^5|+#OQNiBP!f= zU4t6hmarIx3o~^Mc&TXWdD}~sDgy_X5_5~^miWt=K5mePeZBrg}}BBnIu>FZ0r~&ezjV) znwy(@>SRg%iu!kS$AyN{UPR<DokD{E0U2Yq8=A9k@ z3ILTB8Bybq+;_ zS1??RP*{%Tm-sdhc|kq@lAy46yV8C6HU_?G)?&=BoveMf6x=Jl-&UM9Y*?rWxzA0{ z!k%6+u4=XWdi$+{80m!qSxg{FZbY zkn)OgBKqjyXR2|X1WvSUB6Vl@yUX_M%*hK^hbN%;VvQvc6klKI-P0^J5{Po*9DP2d zb^w$@b+o)45E?o@`kMG}KHa3#ovh6z;o2Fq6-rv9+fsE`VcGE8?M?_4d8WD-||Co8SJ031|v z=m1d!Ey?|$D-?Ov?dC_BxD|4q{^SKYbm(Z(1|H|eB%a8yBR)F0GCy*GfjvJ9kvwRRl~%i5tXfu<$r-9ds8>2YUh{RPm4$Wvx8j!~g`zy|BYbbbd>o#Tr!vPx3$jWrPii(C_LLsrwl;C1Ko$0basnanKao`YA{SS~Zuaq5%e zKcy_hL%}kC`l`|AaX-qVZ@`i*#o8U1U2Xe^E-!_Ndu;r;>@Y;S7a6{O4TmwJ=FA$J znc|k+oXPvN={~%ar{e_7(!-%pE@N+T$Imv~lgud#$mWiKat={*wxzJLi#DTRO8{02 zIhrrL0S0=?ba>39jx~U9n4LcM>vn5vYx^U8W-g*)U*PLkuUwi?Nl8iQLhJ4!{DWdW zffZsiA#kC-tsN73wRF)PmV$SRE<2 zd>c}G?=Wh_5j>Uk{u;9+pjqh9vz$D|Iux40-P`qEX?2BOgxZuvR-Pi(hh%jsdGEf1 zWz6<17LPTdEKF#x&OPf8dNNxZP1%UwAE$`p_|R8EHt#AZF4n#kx2u6)_Ez4M0#cga z4!%}6PT&6`zt||Q0Q;_`qS1)2S3Eb-G9?yCmsgWftg+c0Sd5)fbcb1rDPm>tm4_oA zuBXo``DkL_6PHI;LBK|-^--qC6XhkJkd$(Y%~Vk}7Ms1>8|x$|tON6v&0t_v>9R>d z7k5(YXBPsqm7NE%J&J0J;rs*&e-|l0tY&5N7MSc88{uv0nq9sfFS|163-MmDK1ces zA=YEvO@Lyph{>`44pRnumf5q-bGHp=1(T#Dx(^2WE{=%6I{A(sIpEBmu{$KEuE2W= zE${W6`!7Z2cqQ5nTyQ9lRZ{`S=Vxh}JZPkvH*(nDjf~P(&Bc9vmzVd0n>o8>03o94 zRy!s$bqxl}EoE8GHlx6CFUi}<=um^V)2SPkzD8WK9MiqyGs`YpmHGMV>3%`)n1Z); z?ira8+ZjZL>SCtki*O0>y5SWi%=UulS7_q*Sb&M&f}5DIOHvB1*$!zT|7mh%GVB7? zvc)R}-5vWNZOj6u6BWL0)Ocnx=87cs;|{SZb7i=)42-6tQ1a-LZCM0H&1qui5Pv>c z?7y_`Y_Dp;%s1h8z`F40F{_eCD5~rVyKvu}8cm37WXbImiy0(HH9rnVehvv{*=pg8 zdK+7ophO6qCRKK9Y#uwN>1(19rvU%PR7PTbbhr&9@lr*K@Srj-1WADnjwFefE@WQ2 zOHwav(F+J6p`ANtT?OA$=DeLsy~d-M_ouz62yeQmY9&n}r(t!fu+Ct^cQDt8o2-`! 
zuvBa)R;?t~4ApqX;7A+bB%jPD4Wh z`=jXHJ5;KUD&mJoC@0)^2oqT9-Nx~wwbk=h&2;)K@x6_utNc%@410j8{R)DjLl@(C>|-0;NTx7J$>6G7fz?T7Do(t#*Z?W-6{!^2 zw=@USNR&TA0)FYwxrfI*iYGbgV=>!nr;9BcqDt1^7X){FV4oYg1y6I6Za+y10xQDy ztUA}0^|t?oTsP^lkwc6eZ-eW`4pr9HUX@Uro>Q{-<~&<4$<^&yaWET^< zHhKQJ!O!#&P(hWj8t^!<&B{1*OQG=4uTIaWYf^f2qmBLVMn`Ho8#lA(?Ck-5fn%x;_7lsS(1Oy8rM z%H&gbHv>URAgg@sBj}$}PvGO2ZC32ISS;>Qh|bwu1bn5JjgRP)7HWB#HUiHR_F~;& z>iSrIrN(2+=8t!ZutP6T0a5m9UwtRv)Tq4QvV!lrO!$BAityEsiob!CqRGD46`(so|Fk zPMscq&8&(u^8~1Ve1E;jl8nrXQYP^2YNN_JW9KxvjBlDYDCw*#ozW-XvBljrqDxr# z#yC5Bu_I(m>8N%Fr_&Zf0?MTja#9Cj4f1Lk*UWhI`%x>eb*{Rl>qOs2F8EBYe-6Lb zfUa|^VX=slxjj7STt1EQD502qN~ym^HXYO%>BZhszNsBINn#pe=lO_HDe{r_QC4Qj zLN1t8VP$%P4FYu5MrLZ$$r;LE4E$t2NDyJ9m0mGiv#l^JF+B&I)?Od=kGkj{W+0Fp z%TG;2kRTHCQTk2d=99JRDIN*wwMpeW_V!t2Y8QD`FxG`pdfplJtcrFK&GHEURV=#Q zhbN(*WGZj8N%{HA3+DWQd}<|&(@Ju>S85jLWu+KL?_(6a{CKe6!e-PsU8ge>US6*8 zh|s(fI|4=eHD1B;#ltFVT&5d}AMl{AF%D&cjFMxc!Z+ike-y#nCJ^N-VI{$w39=G@ z26}`%?Aj$ul}!$e`C++h?OU;h~J{fv$#7<<3dvNNbI6ziV|pCqM`jJNs~*q2X44n@1x8c!F;Y~J^yw|qM}jmz6!7yd9U+iUhuUxF1c26vqfM5 zkFAvfp?bTt7%y&}U#Bg&{lQ`-#$xl*(Dr=l(c|BuUD;L~)t@GDEFv@M&jU6N+4iB$o7p&uqm9pCzOrVn44U&rE`KGZbuPZLXIwtWP< z#vg1R2)1_Y%)IvVp>2!$!%sA|u35U978yQYDu^qL%oIrDWA?%O=~9Z|xpV6FZSrg3 zA7Z_MvG~`yAly;o601jb@&p~V#Ug_Lx~2PYjnrt}yT+;Mj8N_R9Z#)F?-X!f%XyhL zqdJ@Y-`yS3-w@5z8*n`tI{i0T+U8PqDV-1Gd}K$wzg=Mp+HJboJ8Sd^<=ZJQ2;=cH zhUVY}M?Vh|PHb|slHe8*fsnkd;J0*YmazB-Vc+}RlcL7C%*V=+^HN4u>{nz9#=dnL z6~4Hj_bS5aTTTYOmnAa@EHPx&#}dHXxDT!d9^Maek1DGEM`Fy>`qK^b)XFqczQB8t`Fq@eKMD7<^)Ym^aGWPt%4X z?CiC`ELOGN-d?(<2819G%x-D`36m=imaP59J7hYxvX~BL`j**%a|Zom>I_)M!;I%1 zaQWeiB|I_Ze^xsMJnX_+2=SzvyeA1e9;t5NS2(#SZ_7=O7Il6h5bR+b^7e%YJ`SUh z$(O@w;+r8W#M*iBRfB-{z||lsI9si_kH@t}^R`X8JbAJFDJwx0})o!~R@T)3(e0Lm&my##78FcyaR%l6Gt z>r?*8NMtVa`2f1ev8Jq=1|J)YbzankX73v@hPmP%m-r0PMVkW$B6lX%dLzRlk)KXgGSr7iu5-|5eNHg8(3gDU>$y;;z&K2zM=Uxgm8C|lTv#v0~QVX$;>hpp9O zi3C8p8_wx?)KeT3nH=R2ot+`sXs(zL6&|Xzkh|le8GCeoZXixs{wL+GoAiu=5B%|t zGbY?ESSzJnvkOOP;!l{@b=p+1>5FtF3_N}l`ryhB3+ek&qP-n-T7?80B- 
zOW|}BEiQ8Wdoc|QS0Zg_D(kd9b0#^>=q4qA4~>@2SlEbeeAFy$(=|=jQChCLx`m?N zGdG`q?z787@?SqbxYj#W^8qo*U$?q}pE^l4_0cciM9uvb=rBD)F(6citku0={KMi| zF_8bxB338d>yLGCdW|ZR^nhliJ3BGS+*iyY` zUX&eT%gfDu0ZR{Q^`h@*X$0>}R96E5jxaUY>HUt&_4FODp!8KKBSAOT9f66aZ9g-E zu3g{u*ptTVd%ZuM5dSth?+mswbONsSU{!=PRnXGqv5*iUFX7;*W~~@a?-#0g!AKpQ z?u#h@e2oC*Gzye|yw=*T$flH}q-9cQl$Pqx1y%K=lVpRS`%C3|@h@I?z|I%eV4IUN zVfAh5J0Yfh!&UmdZ4D`V;sDQ0@GZ-nmS&U_tlLvBZIb06%x+70^h>;&z$?LXg2}}w z30V7+ty3Hz^PV6Ni0-^se7=t#S4xaDIJDxjV(9OB-!xj@YSw&s`thK`WXxo=S!~6< zD?TJRB5KM4R@j6B3%tSs-*Y!oEc#C=lSfPQ6oqz>mX6b-YE$eGP?1Yp}&Ce)pA$J9iJCQ)m)n8X6}0GP2Y6pPIZ_!X!2BUVphgwWVkMV@}B%D1G8a z8+KJZM&BQJHFP&fB7_#a*;*e=!7U&|6ayq%A|DG>(dyp?E35|0%2zxqO|UHBZ>|B> z87@Pm*MQlrLm7v=3bG8F>tbxUINL8`)?R(d0zd;_e*Ad0(wl%O?&b+w_Zi1*eh0zj z^vt|a+bkh*Ua`x&hTt0jfPbk_f%D65I=D|uEEX5cR3}4D?*fotVyrk=rcslcq31$E zRg?Ucfc{O8oaOL@%O9(Cv9s{8NfQgo7qFj&8CRXP8C`hCYFo#8@1Z>z#7F+~-Mdp~ z(2_^4?xa;}wSWX%myp~eKUHdFJ**p!{^|5qw*lC|tMG$p<>28Q%{#9^BtVXmScffcfsmpj#590OF~KS; z8|}66B;AV3*n65h3`!6NmX_&jASqEs!YKu7ZrUi8q+8Kt05r5DWdq>4X3M%j2K23~ zDbEgOePCbdNc1@kj>9B;5>}%*3-~Ty#^$y3meBDB_O+LlJhI$OS45^M;=Ct$q*N4w zagt?*!){j2oBkDMWz4i1E9F4tA-Fdl7$mn3#XgFU!)U>?3^2WI(JZ)^iATG1{2kI+rhrR~ADC-um6N^t)AjW?1~YP$ln;5`AR zLs8-THINq`95HT2;r^(qA8BX?Ko1oiu;UJ(JJD#LTQ@i^8CxG{;yDp}V|r#+TC)(; z9v;QcwiI_7f;qxGEv8N=?~l$+W2RHCEc`Oxu%)sUT2(241-P_Wb;k~WSh?bif{S;a z#IbfXcf+|go?-0gsUreqpd#}#CCaSgSuyj)IhtQX!1`RjX#VM@Byw4xx$0YS z!z*Jwy|SPLQrXrtvf-8OU!4ukh)?EOBO69`Kts*Z;nq!AOT)1TK?K6S~Hw!yG3+Js^hghX0zVfvj`pzI0*e5E*``Mz> zElnb#?WSb74R{4y=DYv21L&iu`v0{fJi8hW3HxkIZERdBgP++KwnRtFn42MP? 
z*5I8GxW$)Xr70_HUok8|U+h|Y%D4T}o8Na$l|?-xGqBDDn?SLY9GH$0Puup4(V#}2 z-%DMpFx@y#U%!d3aJ^<>hMUCl#FxoDp!B>t04w;u*3^6r@7>;dRgb$o_!l{)jcx%|Gbym~Qx z{_5~qWxh09^#+g(+80nDk|NUvg6eajTvv_J`iE(q;ZNNEfyKQ0r|&K>1=ZwTKA&4q zQT_9ygzChyVoC%eP7XKnqivXdAR*S|na0W^1kHh{4s%x6i%<>Q%FxNNH9Y;)2YUX| z2O1Tg%}s*J%t|IJOI!N!>C|qOX|&ZFXm=U!9P-9-yJB97d*m*BX(!0RL!6?R+q0h(Q^GF!q zYY7o$q&Fxlg-`NkPqr=3ZK!y(&Dt-FIBoAPsS3WSr5aO+V6oq4&cL&U5zp-(_8q=J zcbMe`fW!Z&2qwS1OwG3$o0@Wfv6^fDuQw#Vv@plu?=fv8_>qEt?zLU`v1_m=e=6wp z&O;gkacc3fToO9LXJG-gP>kxI*eOJiHc7@plums)Gn_v-CWC^FE@=(S)JKsn$7`95 zz|aIT(HEJwls@HFxl#ym@-7jLxF4HH_e%QbQeVtGH)_k&kg<{BR#pbWG+03RQ4ZQf z=9#IJK6O0w+Jh$SY&XC@zfbfrfL54PduG*&+dY{*P}rzTI=BPUKlVU6$rFg#!30Is z{+Ds2#Wf%-Z*;N4=3Z6{(K)MdEOk|{w2924_x_D!-;c(!#?#hqNObxUIx~ayj#pK6 z_sD0blERAUT`MHLC{}talg%-c_kyzPBucVuepbjydE#>(@855sh>i%xc%m`(14U=R zK_EXZieRqibfCq@0y+kI4O?W$@-I2|=H(LumpI!!}K;N;IBE3?I0YK{C>&xL^ZGAp5 zJ*{DCn(RK)pWvqKIq{@SZGK{E3S_>WJJJ-4!2X%`JMdQJ>R!5I-L#aW{amSp@XF1NgFl3a&)Q2JLLd3PXP~c@!H*PP8?F5-)IQ&nY7Nt$7?TUd7>Zq@ z{MC-z7K#9eMDuIHZ94xQtn=;(cKh|)Tvb!npY;m^)zRz#Nb<$&AW%A-(p5nb-PLWFq6Y2l8o?fhndBT_gr zp8zTz_aG=CONi4LtDWA0ChWI~xp!wC_RsvG#;5~sYeC-qhO%=30P=U_$RX!M>%BMp z*I%RR5P(UTI?wTgHbHy!)LTdH%&wq&aQmAK+_&D95ghN4g8;?xA6G1Zov5A3w6-+s zGHPHwcVT=P;g7q#rH%mD-EE8*O;u1Ub>{a03H|h_`mr)`kI8J#$uB!rZAliksV|rE z=XAbj80{i2P?b{mK!OJoF(+g*KV{mOF%Jh2zww5gDPiIhCWKIm%&R;alZN5{Y&rk7 z$9(YqG5TVKD^@Fly9Q=yC1^Mz(nz<$=(DDtcr&Xj5O5wPdH%-a3E8!zxl*C*b*)0CJ5R_L$TqMrY{*Y#KnVwbpbOKaw z%6XRnv0CiTk%Zq@a_GZR@gfd3qYoaaS>cC$Tb4K8714(^d{1ZlG+q)F?M=wx*hO*w z72{!Joi!dAzK6H@y-9238a(u9;o$)e5MsEiRd2FluT>R*#MpFJRuU;A`=jicqLtOv z$yfqG^dD3xH}i=Lx6Q$!8PsPyv1z_<{bfd$c)5WADbOXq!9EDG5M&w8g2cWasu~{09}fVC@@2TiI4foVh1Je*3w8C< z0y;N>)>;9s5a_`Ae})PF`Roo?)xylZ3nl| zX|PRXF0|EfDnME}`^dn`k%0a72=Tp9@u$GTj4QiTCHh{I^ z%kuK-)0;&F1+SsgBFV^VJ)>vyeRTV-wEk6}b}s+*c%vYYF3OVrI_=M78= zxhyI|O4o(1F)vSo4uP+5Vh*Hw%jsFTPQ@oCrm&R;qHW_gWLg+G)&Hjn8`khPGCVG8 zhj!Ner&UruZsn=OoS65t1}JKpmE_RW^!HmSG~_g+IyyQ$x0Y=Dm%l0}dn|xsFkQ`L 
zesN^@v!_od-X9haZ?Oa;a5mQ&gT=N*9v$xp38Bp4fb*CGf|+0Pb}XO5l#3(4Z>ibv zUfEzA1IMi^V-Czj{;Phaq?$D%NLgsInP9V>y`J^u`58Lp52n9)%jKb1Gt%C!c>!!? zw|*Zs;A^%R4N%8R@r1QH&(bcQVk%q*XzI5Mjbj7Vihs~=TqJoFgqtXX6R7iy^tp3` z&pT5upE++=SiZW*+ib~-GjhBwqi>DHf%<$g02oC8Qf5!E*y+Z|aH$jXFi@hMs$K2r zNquPuKo0@b00A!~`hQx9RIq?C0CXw-dUI+1jC}zav2)_29dj09xqM!>UUS4OP}S_a zk;360)^@@1(1 z9V|v!ol@Ah)no$&dLlsNq2g7Pw{3tv=oJ|Hq#jV-@I-t`Pj5>%Qf-7dD!Sc9$) z$Gw$~T)aZLy8UJR9zX=TfD=yD&dj3n?Ch+ojky^RzFT;yTb!=iIjKmS!xYf%9){pa z|6FWVptTDb8#E_Ia(&&DDMS-UEoNm3a#FMAo%1%j_ifzf5vnF54LR;N^TN%ybPNYZ z*I^c}Qy@j)bBhin$Qf}ZRaM4Nac_3>d$Z?U-vyZDTS9$n@y*KU4=q6Ps2LSqRyH}6 zvKx1Gb4XwUVBgUXyyTD3Bb=O_CrOnfS17YJU}q9l1Cr0n%s+9a046RW;j?x!WExT7 zO*DiF{?l6U?-QZRKs`^|@K9u+EA`BNU8Hoh5bbq&gddM!fo)Fha2-TPEO7{>gu15N+1V|o2X>P`~5T7W23J4D-j#r zaUatq^VWAoAt)^vYEMEHeCC&!hj2aGjUdPP&|x!GD@A&{xWxir>F(?B+e#8PA_{i$ zc|EfO5hzozu*#b~vOm%8oRUKTqoj28n@cUIM2YayvlxL1DfswMqeTp(>9+;sCci`u zG#B5^Lp#iAf>9JpypGfIb`@P*ZIKqnc&L zCkUju>G^aj)8xhlPJsN(6E*VeVIZFv57-OuN=d+(v7Ls(++~*PxVNQMG;j6LlqD#{ zl%YQFvMpcMw6=~8t0}fUNy5JM%>@UD6#LJ0O6d#mIwmc5YFclmNzu&sGiafehx|Af zH9Q;+rqr(A)q7v1aG)V!x8WmL=*!L_K-O2vj#5861^rKtkZfA_!7kQ)RFXXx?ElKNI zFb%oENAGXxbq4fYsi^>POQJ$Nxzvf*I+|G@KfcvQt(u0!_0Sv(BwAO{Kgc>y?Maaz z!c3K`2V98Hfi72)a%jB?er>iF->>lt5IzI%u%gW+UdzblxJbUbvK&sQ^*BI!&}^m* zTR9S-w@^F2xxdqLJ&6e1YbQV|LCh-X<-+p=-AC79+9^>(yGVR{&h{+a?^o}dCxNMD znJ8hvVb3B%02oWDF$>;_U`49(*#fW3L5>&zCie%Ca^l$|LDfBnr+~8Ni^B^II!~WH zOS=m`!i&?F%lIPTKn?ahWcKd(>=YD!iFQiIFzBto+WNDHha9wF=L7}m3*+}fR0!~F z3hJyDu0`8+Qh*jarMAlNu3fNO(GbYW5`q;pcJaK2 zCqsA6seN zDsliM%RY(xLrrZ0X6uQ&-uMd<0G*G*Mub4~bbU@*392el9;%>Zk^?*&32%eDy~!%N z$U{4Gi8LF2wmH=YP$!lwFwvD{Se%!zB8W*?60j@Y8LLuD)68&&v_ZaUi(lRhH?DKZ zmh0MBzq=Sf?mP+Yu1^0?pm?d_M__vhc+JlW_VIa)Xamp6IwK7i;7(%xe8E?6I7~rB zKw2k79uq0M7s(jLv$L->QZhB!szB8H5ulyQptRp`9)LhQ>#d$$&Ppp<|FDW#T}_l& zP5sYiNj9OL9NNpNe9GYqbypXCAs}eiwqd&tGSTg?;48jo$|iF%;UAa0tU18qHhK?f zXJcI%kze-;99=mU1F>(SLf2sjP-&U0DTJU^=Hpv?R3iY^f#M872(8H78!*#&cmjY8 z&`{Jr<2K9KS|`8E}%>+^2*bc{r`hKAufI&Xbpg2H6NU2B}51m 
z(%^p!H%F(jx>506SNZ`MVwRNzo1&mnEmWx@H8h2QbP&a|6)aSxigZZmJ%FO3AiV?#Rq25Q zX#qlcpA~Q)&$;K^@7!_kci%DI^@k3HBr9vpHRm&*UpoVi9F$ktH2bFa4~G_TVz+LO zChV)t!m2@B*U9oEvY7mTf&7h$R-=!Op;N&t<!yX5kdfvzm1`l?YS`c z(wBIFDEa+cPzl#@>Zr%=T92w)x}}ml+HtAyrX5ZF)%`aKwP+vjGg-uBAZQvUt#q`* z?ur`250Bk#ac`A-+ZM-&nnx^h>)7*)TabPB$a+kb2qK*TYQY6Ad6i$IFNPH?dLMI; zn@O0)K4Dkkim@4T4t0&vfj**KZY$n?2TiMH)%9$CX@2U}I^&Tu)!_5BU)}0K1IzLv zjmn2~t6|Qne{8LA6U2n4`_Gn}d<9NIEikDMT!@k%>9CZVElCq^A88Aj71GPrO;o*b zavE?(9Tu6nzZ_H(d-} zHRP9S%vQMY?ws4Ln_29u#GA?qxkIJMgwZ#J2FSaay#OIwTcc#`Nuj290)f0-{@cEN z(%1CwZ9lTus9uCGJ=wyQmQ#)ifRS##%<*XH+YUw5D!sJ)eC-}Lx?RpP;qInp!?vbx zh?L8gUfK8d7I>pts*v-&=yQ44OF(bar8SzQxE#(ueOb2LWjJqG1~%3o1-fxG;Ud0 z;;v2~{sz`{qO{5km^Zhzk);ZtD4dLLqAgv~khPv`^?I8YdI1dxmsKBwcZ8EXfjqr|OL~&ZcUdwmpmQpS`h}mbJmPSlAH9>8r>*YGeNzRq# zo|<+lB$n|Dw#sU*U%Faqee_Bsh$r$fTRXD96$b#2Cmrv1^5n@cbB#U=4=5EdlCn)J zD}2OHUOTCBM_%%6lbzIkWEvlVlyam%7HNnOo-FmBy;c7@HGiypY-#r}SSKoS9kuS3Hz>9hd|5Qq?_JZauOK>9Yjf!lZXTWeEJeRa7{ zBxY!7#J@6o`0U7*%&1?EGZaZK9Ktg@_6KY~;yy|Zys>O29?Zc za#~yu^OjD*e_@>!YzsF!H`~t`Tm3T)0Nz$+D&+ zMOgcYu25~B$vo=2UoDkx?5Y#m*=byEk2b64c&8g79KBvQew6^c?B3lQ=cJk) zPe$n%DnTllw|YcLA`F9b%hnh1zXtPWL63&lVf) z9i7b{e$;{zYax)w&`MV*6`4l9AHxsZf7JmK$eXTrH6-&@g!^FO_R-( z_QV#@i}4~|gh}l}GZ-lEUs+XFcwEb0p4f_1D6urgDKouS0ESl#CF5D|7nx(kf?)5w z1o@cshf7&$QhY5dqWXc{fv!sT}XPvr7-z?ruMhw+lr$hH|`i$6b|50+He9 z>upncPOoH6Wnp;<~NV}4FM<-R?uQc`W>+JV899lznIU6~ex*FA70@zCbh#~Sh> z+1V#8Ek;bt(%X2Cf3fy|Nf8k$aR7x#|&_;WXH3TRB?X%TIfAU|_|4+_9AW*qm+t)wkIx;R8V984U$tDHf=D?xHR z-D7a&xR3l;X2dGsy>6q^FK(qCai)E33bmuA%bMeiX^q$(*c4!#Yz8*&3f#a{aX7Y| zZs@a&y+xIEtqDMp)iO1h^R<=zA6}#p!LIH^tFU?DPVkrAYy0@aqShN=)%He^$z-+j z*?g51;NH5c&>mkODmW{Pe>BG!ZF_Yp3&nIxU8y{lr{;)kfi9ccFfFu)JmeI(JceMp z+Re<3Vy>@~IaogbMsp=8ZM?p5d*15!mz+9Q9|o;Beb@Qf(a z1D6oUTc)@d&o_ASb4Q=TWZi4`g_|`pQSlqD8^(8QV1V>_35ztHM+7@3oFS0yNM>@J zf)L8chAHRZ+p`G6vsufzA*cSln;XqD+ut}-M4PMwiyn0U!?WD1t?SNb!p=S-@I9YVQ6nn`V>5T^E1h_1y@qdnt7~nl10LTI zqs2z+Md7@7!#%0>=o(b>RBahYTb`|>4s$U__43?pf@F}C>&olWdAElhxDDOeofW?J 
zmawYCGPD^!`fiuUUUpI^0$(rY2bOn!ZqJBKz2Gf&q$=I%v!Cb&L*E>A^e3SsTZ zjYG~G0!0!a8H(L5X~Tedjebz~9#a!esaA!_d^`3!tJto1CAHHUKtnX84HIN zJ?SYSus%j!egKVhmIDK$>`&H5Oe9shjfUHo94p%Y)d?)Ne52R(x_*HHeystIxu@pu z)*m+2@{@U0s%7*lye+Oy2g(*V(>ZlFvxWXpvy9-!hV;mcIN)}q0VlP2akJyWo77j) z-QF6uj^bCJY9j=xwz?AIK^A+eEt_tE>`DBmyH5zGpfaXLW77qWrmwoJbf#X;2{=cG zKsJ2+&S(*mA~q5pu?L%7tJ>eZfA8CH-Td6W(%B)-DdSbTelOE&W8q6d;%-xK9-RJM zH@QR1g~nh8Vr*;%LUaONei!d$v#2v0b#H3csYd861*?>NKs3p+Z54@uz2Lo)4L(x& zbewSzPpyb)KkOxhta|H8jf&ML{zy+CrdDMN8Wiq_lJhCDzf1qX*+3abALqoidK81a z%}G#&XlP(?2%02z-R|gy)P5@mnvqwK>dO}QKp=Tb#dABQQ2hS7@cbkJeU9gd3D-_Dc#@O|uv<)7hHtm>B%)>i9h83&Cc9!hNoEi8LP%`T%*! z!6#F_@-n|>g8oiHgTd4kwAud?Q&VW2sj0-RY5-g34h@x{xT>kNmX?S*p2i(}ZO7|o zOJHoLf%XmH41Ws}!YQIuBKpDrK5_dltGNjvFE`oe9qdsNCgq-*Pa|h-Fd^&$lbM~J z1)}&c76-6nF~eO6N;2L8+qDQw<1GXV_}@r-PbvT|$*odZ3NGoy8R?L#i8qh8ZGN0S-h zXih(L&|f5oIkPb+n#~PRV$G~Yfcmn*yz_7IF)1dLc>!(+0c+4~V8^!~DZ1r4g>c~*4NSYY=VfW2@>jjD4;98ezYwD|qa2qF`5SuQ z`fvF>XGc;k(5JeUEV@S_&KP_1{mf)zdT4qnDZlt9AvEyhpNN>cvwtIER#yH8BIX^b zZWkquUS=xB>YkKEp}c5lH<6Pie`Z<6X5dr)(;UJ_>nlkw$xvt%8jL2rJ4{V}?!)uK zEShAqdwytOV~0z6o%1eaVS2J&t^OA%n5Xv3K)~m@I zg4&FckkHR}qR2m%I)bcVBFk<|JJNm2Ev|>?PHhEt zBwoFo_w06InRZ^Jxs?*J^Xhiws-a?-`H*PSQvHP1L0Uv zg{SJPy&AB8T5QYZLN+=h7qEGGQ`HS&gRsSX!MtToIv)NPIRt-DvmP8_^`sVHNOy|! 
zb8GPE+W}UC+r<~WrKGBy#oBgO!6zzcbb`N+fzzzk z6i7A(Rk4$+Te^h^Y9DQjm=NkN`5W&Dybc*pcbHC90D4hlm{O%GL7QX0w*inH83?!s z(q)--Rjo*GujY|`2Zv+eM)@XZ7}66?=w(YB9U-;1AFT-!dV$y!Kmz1Z@Pk5*iou8L zC0L^~3#9;~sHsc4p-9Nl8icm=RZRi@a^EW0Am^9V2OpgMFgS74M8~3K(mq#jb^lvyR^*j$D{e zRoxjX#<0s%a6UCj2REUnmVeEhTsu#uFwQkz8bYP*F*H1|i?URG*V*UQGr^dU-=wbT zw?;xGMd@w(ePDS%Uvo!OT{m|-Fj!wk#RqBsLx~OB<{X znR@s1K;jMn^YZpg0+bX6Pj5BQwId_e&slJth{gtE&~|TBT8M?(p8<}gW!lvoOO;8f znPnfZ9zBf0-kP*^+}b{c%i()h(FXj}BZo+QBK4bYpnpr7)!^lNmJ}BGl>6N5tphU| z4_^sqV&9Zr;)&L2`Tb5C<r++VPUfUH zZ$1H3Yu;1p_B8F{iDcIU@kxFObBS=%?$Dy#a-ZH8H9>>Nz`8`ehDUfm;*&%BQ zklpD6Ca$AmhSEQN8~%Qx4P4Tkz8_`_8X9RF0em@1bm~#@G46IF`E}kE9<*hK3$lSXlT6 zn!wtn4y%9&RD|h(5JVrpk9OfRDs+sq?a2P{cWkZij4k?4-v#zzNq;vS7(cuDh%u0U z{=NUFe{DqT|AV>6n8^u`dWBB>3)f1ZJuWaRqo1$Y|G4|-+Jf@)NBnoZME{rG?R^N4 zqx4E|XH8$JPfkgBmY@=LQCmAybmLFoqd}T6+b9?uJ%0Q-*gt#%zO!luJSrW(dbkUE z7@;%8xg)?9uEcX#(|Y{WL0XFLuCrwunaxz&Rz$Hv;$*4g5xM~lgT zgYm#OVC>+*5PyKdK*~(r7f@r(N0Hiq-x2j=5@&pnY!KrqaE}6%=RCrSo^LbUvWo}Q zRNRI&0GWH$JE#y}g4yEu&!5q-#=wl#>Bus>@6gv4>ayJ^$Kr`-$*^r_?q^q7N@tl@ zi74k!UnSOZ?aSk*APS=z%>53d(deVLB{x3*iV&GBl<;whdfUrWLYDbcZ>;`XHir!_ z7!P%5Ya9!#!=>SG+*#Jm<~ z@@IcV2;~(a*MYh@g)G*d6BCe5$>%_rP3&^3q83rIIl6_N3^<3O)@~KXQ@(!Zb8?ie!rK!xMyu6zwFukaf_gc_~j>sLK5nQ{`X}5va78R0LbY`ghmB0@DYEL!CvSRNx$*93~5ZT}u zZbo<#v>S&H95@Y5FvE{GU4t%tk#hX%)Gyt>@Ls+WjV+#+px=8K`o1+S8gf#9$aB7E z{(XCyN1KRbv%-F;s@8Wq4QbAQS-HtYG+qYyn(B#Ka;uCyW9d@$1BBIi#4pP#WBv84 z(=w1MZYgbq+x;0fBVV{yqLB;tJ_y;#@1BJ2NJ#n>R9*5X*x44D>X&WXR9=+WvbGyg zTff0zr8Ein^P%q_qMpw`Pm_@+N7hZ@Uib{ahN2?mjBR}_93$F8lJ2! 
zl_OoZ?$3nWt+h4Sz`m>w{{j(7?fN1qI9#`-V8zago&3tB%Xy2DXWwIlTJYm3$2TFK zVBxrRPq5%$1QLwxM(g+7x1VTI{tK)Ao*Wl<=aW`Gg)#O1?>k4Sl(r2;WzYQDlRafV*~Xgjcv5b%O#?KePrM zyzD4Nb&VJ|p#!J0b9Ut|c^#e?I?>~CbEM(G0w8e~y+DFJZ)RrJz(o*ZNM99I%3XWY zz!b3t49Z$ezA%YMRbNRBmR7e{)YFe zuj9SB9~TxA4#|Y{WDB%@89hOj^1!g&u6@Qa?Ko9rez@*@{Q~smevm}UrnN&=doK;z z!WdR?FfHk_*_{h*%#)6NzWFBUEQ;v#F;v1Lq(pGFJIu}Ub9QpijEhDsa(8jtcLORd zIpp9_dKv+I!Lca_e_EeP9qfNsL1D@<%Hh$W`k{u(q?fo;($Yko>aXh5a8?FHfTfTf zt?{B75WlMkM`&D-UahVkh-ghktGuWageDJpP>5RF+q=wJ4VLYLSdgbkCfyfe6S;+q zt=A*C=OJ_)xEo%z-zPe;<&dB4RPLPNZUm;iID^qhkp2TJaa7dVD->7XqL@`r%2UjA zK_Vtb1b#dZIM|-BK7aATd~s%Uh|W#^^Ty|3W`Vq3PrMm`i&lKOb(1*JHd7P&{-$e4 zdl)oH7htQIg4s^#!b0o`e@^|&JnOCVh@Yen`>TUj%GV$r(w7+dUS~f$8=G57Ggrg} ztD(Pm3tf9Rb(S4QYlL%ewGiCOt}B+FLbqSaf5& zhOASPt*8TgVI1~%NkS^nZu~Xi*X=QA!x$iX$Id#IWI~j;fJdFC)1ya^RCntVUv*8< zes$e)oj{}0s176wYM|4jvAp*n;tNu{;vUpJ9tkPubzhp%?Fz1Tb{VDeHo;cV57%zXj zoPYCWit}CbWs3W!zD#5YitL^xUnqKhrDri{UfcD)pGFKOlqMehxvyURu4lVjV*j14 zU;~po72wtLVYnHQ12)v$+mWlp$4-Iq7Za&0|riDMo?^K47H4W>E37PhDFMx>l+-d zj(tLc6NK(VuLc~$d#8c+Kz=D~>UoVRKL;8g-^a4ReJ9`=02^9bT8SlD0XNaXoR4G! 
zTt>PXCRN@-&N3|v6On)Go{!mJU>pj)nzcjdrqCPz1}O5;ain$46t)NX&ii{9_1}Xl zi;Wpk6RCRxd9DO`r8u8rjnwNrR8S}Ig49&aTsCLO<~2F{cHzTmI$1{+F?=yf70%3~ zpCv1PT2sUpY!MJV2Q9t@2InCFDVY=;h%GHQ&cyR;p9p&&+G}U*`8{Z=Vwn~poUCp6 zt|B3UF99Z^BQs|6O8(aSu1#3LP4AorB?`IM=c0;=If&Pu z%Xk%U6C@V{Rj4ZcgV%{Peju9rbKltzJ;+=Y-InE`p+*5-Sx~i*t zu2>1aZ{Mw7L4)E@lV8rwP}!|7)?c5xw7Ao{`?Fz}WRIeZWzB@UkK>#t#vVcIUcUR< z!SV>V>8eW8FR#nF$o%O)BAx?|X$fz&384VX-rKwx=_4`Y zmfNn`hx##Z`LshZAUwuwFUy=XF09upaLDNF%RQ86Bya(N*lx-j6D`N$+J`3quC!X9 z2a7`UsbL4Bo_wH~rjv1UH5u1x=x4&YDZi@K$zVHRZW<)467Hq;AsscLor}ffv;Ly| zxrT>P2WUjI``-+Q6LvE5mrKG-|2NI%XRwz!IXy$pi21!b-weB9m*{MGaW~$!V3UVn z`4o#kSf16+_q&~&qQ&ogC5fQpD|Snl797orBJC!9j7iuLB9IiPhF)II8CrL#kxnZb zj+FMfbi^SonAfYpedltjJh`yRtdypuN1Ee3bfZR8Mg7x5(YxV*X%1@m+;3Gcru8@# z*tTaH)m_zj<(oN3jL-&F7EY$F!EsAL@}*V z_1K9h=a^OEi(3f;C;Uuc*eo<< zrUzKeQklH{G*GkZ;le$e&Pe~t(o^nJzBKod^Try?StQzt7VF{=EKMB(nG<$YhyUs% z7COKd6yU#Y+}IGh;*BSjNV9qZRloV>!U~-d0zyq7?aKxP2cIx#K{{;B`pb-nkmsQB|8&`5iZX8La9H(>55Q8hHdU)JI%`tVbPo4W#dhIJN2* zh)IB6QYTgCv=*aP+_4(3*1g9FSwNrI?wbv~&bIk$?VPNe@< zC~qjAeqcxzCME}ciYg^^4rqRv97e5<87zL_`*AG(dq48ddW`@T zz|lp|AE6K>&P8tZj!n&VnmjoD$dkE9Y$VOJXQFBhNK-C>E{m=7Z;7;_Jgp4V8xwt* z2ZZM1Bd)k;M@)D%2dXI6=)>6xDs!CSUJeUV?GrsFatTot3;cnwbK71yeDYbQVru8C zpouFpk)7sKpqq8Q$ibu_$F@)_$P3|#qzaX7oiF(lN2?VNh(KFEAaZA-_Ih?h+dcx{ zZ;q0?=FST~wIN_=F1E)wr{a!yeg*reJL3gSzFrpbR*zqA?#`>D~28t~A4?n5D$a zsniJUK{eZ*;945&+zAE$yF8A?7Cb@(1&3U;k8%Sp@7u>fGzq{Qyg^a+1a;rf<}uP; zQa(L0d!EnYbcoXcyd)qZk~FR4zBCuoa(YJ_PQhers_PqX)`fk6zm_M#fPs*&8Vz#-VSvxZMS z($Qk`qu*wy-Ym;_kfFJo)eGOPpEF7{^*W70ewWW6qwdcTQY@9qUEwfBX+xvy-P$#b9BJ(?- z!-ln-+i`7f7wfy?B4TnY6ug=nh?<}#$@6&oVAgzUx&Qtb7l8@e$rnL^pM2EoUif&H zqjz%wk%3ldR2)O$g(-m|cb1c7u4fO!T|t5Rs~Xb}nH%mZV^I}6`0P#@L3V5UzX2p> zFa8T4F)t?}$~Efy?=1O#9X_iPIzVB386=-`iYe{1ZZ}Vwu;ZJ5w02>9Htq)FFSt@n z``0GMun0}R-rHL@rooIt^DfC3NXDp?Ea}JJnq#pu*1z0myEnqn>vb|2vkd>a^3w?RPZ+g@mrhL260Hre|xyjqHTJ2=|^iC4?FW31`0 zB95)pv~wMkU zYbXzgE8qhHmO+dh;~?3=Kgw5|< zTNuaK(G)&*lioywILSvxSW8Qa&+v3DglrpK5j$uo$A8Q@KQ~pf_mEFld4|9z`f2q< 
z7&j%-nE=D0CFRrX=w8xopI1a7rwGAeudwOX_BiR6kvDm-0vNdG%W~4L!0_FaWR&?W z`r|V>wXlg3rb3|_ZU>!&PtN;RfNKgl*6StZQ$A}Q}Fj7?X*Yjry?k2w! zF$)+qQT;o}biG;{(Sod_Uv}rthO&U+Z07)E9f4mOE5rpsmE8&D-d~41W5Q*ckpiIZ zd1&YmXK`Kv36!2+$A6KAQqWYfLLUfB2qI#+>#r9fWdbAVh>6hlZ#t$X(@f8Rc%@>aSEBlg1uV0@) zo`zVR@Bg{Y$(jYu&nNre&foj_&Hnpoe*bsg&0r%$Odu{l!%5MXu3R~&5+)duo_@k| z(@&@KUYarADC|1^?_!DyrE8aahH0YuRdjUE?;rEf9&_V7+XlxZXAF9#@kRuFWb>i- z)2Hn3SzEua+x}Z&Z|e*VXioek_1?)NGXk^2-^AW%B!==QIt9~v=CyCaI^LdDDej0- zk=~5g%lQaqFJdqmmGHRQL8@m2>Zh}EU;pl`p7e==li0DV7u3{H+ew0Y*=HF8}rpi&A0ldn=enQJz*ywm30LqwV~LeE)p_MRYfqcf%)tBz6J~JX8wD%?ojOu zU@BTFRRs@5y_k*pt)_F^xea;Vx3W6g*um4_Bxs*<@*#+%R|8GVH_h zr1&vT_rCauU;F*gjRJ4GW7K-7q@2IffBsWsvhncVy?amEja`k9bP5ptH91L&Sy>+e z{RU%G7GAR&dt5{Spp+O-=d(b&P7?Ud6FNb+68#jQ+!*m%TZ0*@!r7c1=0jw<`A0Hc zzl`Ek#Jt0=wF6Kt?wUiDKbqk-TOad>!u zs$@|ErQ`Yj(Iab`)gRI^S8$%UJ^C!mU-ZU!Y^cqG)W?Of6}S3;7k{5Q1#7-6LrSGk zKQC3Tj?m|2gog_wrFpv+3*yYv9Xf9|bKiz8R^3tPSW(y6KYoCZlB=G0ElvH-F6n4? z?TMq8{LPUzL9as*u2GEj7Iy-C+Ookcc;QF1(L3+;Xd@v~f!zy84U`ZiLBf%prttqb zfcgAC1u&y|m;NlH8F5KDpI;Hao!Q~~-eX%+dpp}HWopeU2UgMHh9+t^Z4CTaraEJc z(Ig~n$!+Rkl{pA-%kW;xqwZxZ?k^CtK%`^15hp?$xn!wbLMh~1Tw#;9Hz3g&4M8vo z8X`~zcNUIi?c$L+DnyvMP9m^@+3AAx^Io@%A7a|NB%&mk2{?Jh%{AZb#!;`)6#6H;^#g!=x3O)5hW`UlRlb1U zeePy6G;7LRRfq5fA>rGQpqGO;?#TSMo>N5090u#$S`oCPB*>A}iWC!jdMzQlrh9`0 z!9o_-!_0Zc3)FR&b#yF;qEm38AXXA}vK?ur#D~0;%CQUdP@_n?2c<_waxrM)f%G1d zM*__o$la&oF3Ly7ufLsCN^&r_|5iCU)_P(|N+@zgGkxmZpV z0T%gEvB9}YFr$QLw)`P4$cf@c`38-vxI+MtFz0z=v)sHz`Abz+hTP?Y!$Omqd1-a0 z44$rv5-Pf`p{ClzT*_)lfuI>OJ(DjP>hcaIr|)(vOACoR(gS8spoCPjiLm_ogkLy& z`YIyuefJm<_-?}%FKlK}giXh@ztV~9+OIGZIP4=O&6Fyr<(+EU{!ckhc_MKtuU{{_ z20KC@X}B&zwnX5nHN-5QdTS1Bb5-{arn~^*<#wllm+^+W=$TZqn*D-TPq&{gbs4BD zq}ZVf*Q_+qcd6VvM%z=#SXo4doH%Y)KPMg znBZq2o9HT^K)XPs?i8Tk^Xgv8$2>4B@ggrz?dToLvo0{F%5H-}&?Pkk8NISesD_eJ z*#>&QD=+M>+?lu4%)U~35w^|vTJCr zB^bH-iW{&=aCtoOep>}rW3xQKb$Vsz?y!VAXFadQoZh2=qZ>Vj{=KUYjSJ=BK`lX9 zjJcrhcJ9wiFjYg@*=V+O*A^bkRZQpU?KYGQrj+t|Q$=at(OqN 
z#he_-@X_ua-vY+C5OrQkhwvoW(uaO|UZL^A5#)LIhuh$Ct^wg728DL>^v<>#**{Y| zQ&(T_nd)yj^%+dHE$${dIaAD3)LFR9ytPMmvViRXqIlEn+%M1T+H%)x_4{(=$z$=C zt8JK>zl30GPs-=$8!eUIy`OsN!JH{JeKr&elQP9r5#M8CQdklDYQ;X~K#kSLxc>Ic zVZ=x4e&v#P`T-L|BG|K$HpU^stG;+jT9qUDB3ofb=1G zQsq(8bdm!N71;(A84}M$c5)rgJ0&3n0hRX%A01B_q#kJ2e5;A46!Z1>@VZC2%R>FK zb>xnnu_b}m-MF-i_Ky2xfvJ8u?S8^(8`Ra3`UOaLkDf$@Dy&Z~2{ zgIzHb=gE^h4bCa3zm1M<LmZ55-^4mSXHXQod&U$czFyL+K|q1C{D zKIFFO4CE55F)1lX?@!})i1Rby`~$UD4x2N4v)9r?h{v;U%&%~G$R);XmwXp zIe>oCb&W#5G3-`S7XbNHhgxQjbKaOOi+;8dS51v{DYvSQZtkH4x)=oJe$*tPKcyS` zVP8qla0^CqQtDmaVDGwjqhm8p+m#Epz-&o4ms^jf<=fIpzaXWN!dkL3(*r~%w~n=6 z#yK2Ywo&ns)7v9?BF*W{gnay3G!Upm7Iy4YOELyqaz?akpQ*JgqqiibSTc+QwZpc1 zHlON4S^R*Vd1#p~`<0WGbsyVR4zU)^3>U{)vP{}3-zBg;KWTpPvS#i4OtY_gV&h%e z5SDAR`dxk+oE0rkUkB{%-o9h|0K~#=F`z>VHtMF*JxFAvqKHtTAUfQPo(5w48sCm<)j@?fcVcT*#H`*+G+>@Sa=# z6$jREm@}D;U9R%a+Su$pU|CymO74Dw=1RAf(D8rg@@1-|T>A}n1Qc3CPM0?OPsJ>T zFuW8TS{+wj&mh`l!=JUu{{Z$wArt>^sFNj1(ocKOyfsDEFSLEkxf|VHUn6B? z@aGZ1!}R1VSonM{e4D_Vp;QieDX*{cgabqLym zuiziPk(VM;N&KTeSU2awB%M(0DXYpF-A|n|%PO6GdfT#%UmHbfPYAEPvMa{br3M z)@RupF+JZ^z1~f(^|)bqX}A|)nf+3WB{3{CWUcDRG$kM=Z5vE$gf^wT+suOXnGjCz zmq$HxuMCL#MXmixN9I>xTXx<_iQ5q$PC7^l>$`?F{tLzQBySCwpaovdYeH=Y1lMzwUS-Bg^J{KEr&r3He!gb6Ia}1U*7%4~)g;=?2 zrJQ|a1M4JRiqVnZX0hH;p46xlMaPPK>l$GfA0A+iK9%-X7Pa7J{Zzw0(EDwLqu*Po zt!o&>M4$%;hlNSU8=6%{_rFWCG17mj7v`OJX0tI70>p>Z!5u>UOG^1ZvWvs*s~wKX zyvjX_nX#-kh`oQT^t<(wXZe_UodU9l++_)I zSRkw@K+|FfyTKdBYo=U;BL4!J16vWLcFtuli`05`!ua%6FYlCk5v0Ch5VDvQSb=?& z9#;i+wAJg}2T5Zm^MBwz9Ar68U>FSm<8#O~)#c>`Yb_Yt8p#H*sG?7h>+G!d8A8C$ zrR6(CVytvTN`!eaHDGlvJ|_X4>7iqTF`@ZMR;i7&XZP!PeWC|ZdBskDEl!-H7sn^} zIJdWYU2$P4vrwzuH~9I(2Maa4_sx^BJ0L`dmoJGviY>yMuYPtK3iqauI*lCOQg>d- zl+J8f?u!c(XHA!rzWp)s;MI8-MWc)&dz$PvSDYhhX5O7gHYS>=g702UYt+rc|pTCA3 z#qF6#oa|^ys5>u>vI|5=5wrm15Y&B}!loeEq`F4oH?Md+z;4OnT4CL1v8%EWhp{29 z*6I%a+0fl$KKnTi0y#)2muNNnUN-BrHkHh-R?!NRG~JM)vyLT)*1n2r{A4@a6?k`W zf}@)o-~ET7BCuE&L{sPvq&D{zM4)_)`QBnq#vd7qqcLibbm2Dvwb?78R(%G-@Ee)P 
z_45-uxpnrjR+Tg76DYP69M&W~jMeU+h{Auz-anS`H>!obWZT8h?RoVb952Cf1MHZe zCW}Ar{H4Pjb!2~9-tgJUO5Fs%)*n$mle|PbHtmuL9(&2qFxi!LF=s&u5m)81<(>cv zKQ;%c20ONHCkbb;+(EOAoAU~3ft8v9t+66u;_}Pj@S{(jOsvLV z{X31hNvyGnW>Au$3)-p>99erS>@DG@^3V}po0hTXfqjCxt91!vujwbI7HS+{vG*@1 zZZ<|&q)elOQ{GytP%Gcv+o3vgwSW%YkuBG$Md`3J($ds4DefDa{Sqmn$idO+Lu;WY z#u333&8n?$d0FOVALfl@7SPvF;UtV|w4C7>ndC!kA*$mWxnDn-h5OwGTf{UZ(rI?g ztE<>trNZMf(ZImq#+@um-z`JKs8V1wJC%kRxi@~f*{oR-T}4nL-P5gHpwLqHj&h8X zGrGg}{Mv&e`E^k1^Y>bFhoX4PfojWod;Ahm!w>Y8Bc7;)kd?hd%P8}qg#^fihWrT2 z;6=z1%IO)@Ym_fQ=J{ic?hr#7t-Bg04Lepj`nc${)6JVV@B0@Sd(DP)DATn5PLi(7 z)*hgj=V4oD`+4jjI+30(9*&{yniX+q9ezpT87Y<@swKEACrilxgErl7w_$vMHCCYb zi2PdM&9@E1U)Ibtp6$GMT^bNfbfH$dl-$n3p~ zK`()n90^~hO<*<#cE(}5+Ox{uDwJ3B{l}ak>2XPfDzf!IQbkx!t6$_X5B-mpyQk_EfYwzvtHGVb#r9KGswn**h337$~5^VrHrf&Eg#(+3$+^R zIlpqYb9+3WoZ@Sdy-Bu#G|yrsD*bpU?GS)gs5@k`eXq})Y>N4+fpvimI5CcTTvZ3nSop4_ag*J0-Kd<=Df9Xi<5^3B zv3u|9UuroN4a>oPrLKbGZks~x-s4bd8$4@^tNKnBOYgTuS!0gsmmCAD#poAdVV1>A zn1;)h9_yNTJ1Mt-?Wf(D{W)A(8sY=br8@e3(Cjj;Pfa~830AhFsi}UKP@Hn$MPi4U z+rH1URfE`2mmy}Gx}ge;LYu86uHL?C&4z`zG$*`sV2?EF*fomqjY8oJBVu~XRVOaa zqpc>%F1m6zzupz)e@ZvHtr)KTMzWvs(A=2rNDc}hd{pM4U;>kfDMV>RX_2yRg?DIt ziBiTFXH;)>Cl@jyk9rBMr=a)DS)T6=tCv~Mb8Q6|@AM*p;L~VOnQ|pb)zYL}+(3dzwhUT^l7yk4+R@)$BluP1@{0S$MycG%n%d(ZQ^7+>uitywcjb z#s~S!KMOnA>6j#J=m%s&W$g7m0s5BJZ|Q?;5l1%dV{JQgITmNgUpOD4m`nVNy-z(( zi|gtEI|YRahJMJQ<9D2`r3pNJbNMm>y z-JX5MvFCAXkQRS3h#lhh*;)4aL-Ovf_?SnulWe>>evazxy?RY=?r_SFrruu`k~vAnT4bfzJ!z_Gw#<)I3ZDbS$^s%+w*M!f!$G- zS{nEL>|70Hjm9V=iu|2XIwdnJ?w9Qq!X+bd0e*J#GzMc7Cuu7IM&Bmp#Me~?^d)4; zjHcW^4@RSm6sqrvtLknL8~xd18`3!+LCkjG*dMwMt?d3UGIt;c6iHdCruBS2Y1$nm z7UFtzcWF*CVmM|eRZWrX=RMUbm>=|o|72B65x?-!re;VhIA9{%v!*!cU`N%v)U{&5 zVUwlhYEq&^C}3nf`n@wOX9qe@ zUitLkAK@F$9_l)<;rUaKGxi2&{(||Xh_;Y8$D9-v1SX&${X@0T~r-{Z+S zzSa+7M-r}x-=Hsl6Tl}eU}(8JswuXT!QPXTi{tG{LAoLLY*eBi3p-ki4>-tW9?2jz zmNio;%lDf`!U~dpF^}?3Iz>^X77gX4+sEV`-XXc~E04Nv;lWy?j^FbICeAFqVt;j< znKvel8>&eRYsEIec6L8GXN z1G?#4C)umYD?b=KlNIEBNG*ElQ-AN~)FnvJ2DtAgAEJRrH$(|f{z)o$lVg1Q_>NI; 
z_qmpthQ*MDPruY|nM+#Ll}JK=@=$EPD^XNz(- zEB{&+f)kO+wNiE|{mLb>+A~awp2p#PnsLmdm9BzntAmqXOMhZGbJV|tIAi6D^_Anc z@>ackz2}zOZBC|G0QU$)NMdNhnYT2Yv|H01I--7`7-xHbA{ak?_O9O!(j1p6^N_t- z602?-hx?O9ndI`W9GT_0h+6B3z~zN;v0siv_q0UHxvo~Xnb?l=RTri~DbI-o<0@XfdNH+6y#AP6(kKv8qb=XO)}~c> z)tNPrzMvz{6~RffSn8)=8W~%x#A-NH4>|u{H!5pZ=2rcK>y(0q zW2PodOvxKeO-8zKUiX{!-Oo^^mK7hU)y?Pc1rQ546f_VTm;!1mvm&-})BK#?wQO8P zFI&lx3E5bF09}xyq7fl5`f?oI#k`A4LYQ~di-nb~!9L?%MN9PyJoO@Dptvr7o#E3t zagn#!%vwLk%Lm5x`il|T1iTo$hp(k9DC!cUjiwRuIKM`|tD#M`Yu00SDik>zD&F5&E5){h;g<<7R#;v;i*RuVqmo!Vw{yE`9hNb* zmN63bGSjN}cRN~t&`tjll$FeoGix3Mnw|zkSEjHP3mpF#c0%tt^^!F3PbN-n;zGO6 zjO3cUz2o_V+ZD@$tOg2CYGdTfug~WvUwCn3P!z*gcWJcioLY>W>;$PmDCP%oqh$wj zVe~DOS+Q zH5=q#i&!sA4KA!(&@gG@8NYex_QGIT^ZSQ;t~fb4l_ku*mi|8f{aZ75%TEieUqc1L z&*^2pQip$b*1%r;nH4t{%xFigzp#ZdoYw!rlzfFzhphioGl{X&S^rn8`p?`#g{U=o z$l4G8CqK~F$ecVR9(?)Yv4sEdNB0T1#<4mnGt7Vf)1Rl_`rkRnAJ>cN|Hq5s`0EMX z%>8PS5+bXV_g41y>bvCTO>C^JJ{A1<^jUS}zN*Ipc>4yD;Sw&zE1A#2*c&{Uw{Q4( z9cNr0JcUEhUu7H$1jYluXMgb&bkXwAkFP-`eo*85QSrK8hL6jyehZS11_gas{aPi& z#5Bg>wzjmxIOAuz`RB`1)|cgST)uLJ)ETzGbUpRMZ9xGLBxEws%f4}eL)1d`!=#S5NzK=3@*tQcFdt+w}jT?mferTD!ep6a|(PWhq7K zQkKg?bpg^rK|w)9Md<+%73m7fcjR3L#+LQ4Wf2oOlK`pH-GQeQp{%* z!2^u0oBmjcxM;sVE`nX0XkRKm+6Jy@4@g*CXvlDMP(2X3 z{`iKoQ5=Ayx|r-On_mK>G~Xj*k>}88`zo5XnB0<7@-u0!G5e&;9o<^;58QFEL7uiC zOgoHf(W+%?S&Stz*=7i|d4(gXNY^rrum)-km~KX$VNg3tXL&iAo~SvDCCcsE_%du~ z%I{hJ)5grY9v;5_6W(5SdOo@5)Lm#kLGb?VdqXo2m{5Te|LgGs#K0#6}fIgMa&SQIU@#T`xeF z`o-AZ_JI5Vd;C+hScT@CPFLxQXZx5tysZe0{t)7|F@?GsM?ENZpr`BJVufv}1Z%G5omJ-6G~X1!3ZfLwu*- z>#-75N4Nt+mucXydf5rIW>Ul&7gltgm#3~eW3nneZnlcWYD@^d#ULhMa_f`UUL4hX zu7I3xp3OpKRHtms;uKX+HTbWQHxl)xQi*XmyAXN!)^n53@RChTm@}~fE;;!XUb7h6 zUgmSQ6_-nQ0d7mvB6^K-;>-afz31pHYLGKf1cb7g)Dw1lz3opt@zZ6kkp^qVGp?rE z-uGT*eyemJ9x86MEu!S6+PT4eGRPgu4QYma(stfqjLpY54A331>%mEIRQ$orO`Br} zm|p{PPt+q8!}sC`1Au4N^#1HM-0V6jxbUFX-HVl&s09*qfcO3=R<62zh8S2hnK)=P zY0Fw`3*`kG>-HYyrQOn$uI71}(?jyvI!s9w)<=HgJAupkCY^t0m}^8+JKd-J2W~LE 
zrKxsR(%4?2@^9v`%C+;A1iAa-YMTx|>sz)<)<`;ICVYgOLwzt7oh$fJo1Ed9=Y!e2 z?5cEXXPTh7{N7yiJ)Di}GtF*9;~P=_iY&r8qm?pO=U2-5Z@fE9!)IPhYY|!I<_mrj zdd-;=dKiB&z=&T7rHb+2Wnjposv zRoPo~Ol}E%`h{ep3P-K)GiH1b?lfpj6wU#Sq*%_Jw;YxzQ z9-SMe4x^ItG1#qx<%etgEqy?g`bI5yG?E)Mx&n^~Ox4$Lw_w@M*UDPFPqN_subtdv9zeXs!Ou(h$-5y5Zxa%Z#3`uvZNB1zh<3>h~`STL_Q^`LT=2mdvc>dWXz zlGyl)n4{Xpt(0LmA)eB*n^w19ha!5D9yj? zBvK{m9OFqVW8;dmYsGDXlWAksv~Db4vz553rF^5ooLSR&Zwm# z%Wipn_N~v|K|q6D{y3skyF)DT2%iM~=C`L`1}#U@jd8yp-Y2o6Z}GIpbo~@@D=(Ir ziheTh#(*a&-S56yeXUESxtrMd^SRt(>!Hr-qvJ@@+629Xr+Rgc*&=XgcAsm4(*0Q* zDK3S6$+5*n4&P%)z$o-$-nS+sF#1>NIatc4WsQUCH&27R4Dz|wmFs(8sI>74sj*2H zNcvF^Lox|I@vRcz==s-00;Rfvb0JuZzua7lef}ykX{-;p=px6E@mD>0bTTXi8|{w@ zeDgM#`=LH`3e=WpNsC)tTJXN_%?GZ>N1ne^VkES9^-^N93WByY+T1eM1sIR$+y zvyF;ygjM1FU0p|)KymimE7jEm$CsMmrhxtQGqp`{XM)l_)z*`T`PLWP6(?+lsps5E z{8_iqBD!0QasKL zhAKfF`X$LbKjcOZE}qy+6?Q=L7GqIzNHC>GVs)lYxgxbfpAQ-u0LTK0Nydr8*Dr z6Ni2t&XACdYu7pmX83OS(d)^ndy_U>D?r$Bn#OL}Q|;&*Z;dTla+$8kUL7>+sUe3Q-7N4V&N6d;ixDOlspRwYnrnL07}IOC=cM_lJ z-Y2FlKRe^9rH!`7J;!|XV6CToWTHy7%o@-yB)N2#&5e^(W-m&Mf0C=GSnv;yG}4GK zqw7A&yAS((0-zMdW;M4VsmL^(P;zpZu7j&fsei&8N7hRcGVlYTe{9li>@X)9?5aqo zk@v93e)!f*bnCQU_RvdznkQxc%Itnp@<){sah&L|aY;or%UB4NS#dwWpMcnj*>8`3 zHn*R$n?v1tq0HVFyE$WV*;M(icINK=Cbdt6&$KN*b#xj-4d`j|8SPWof5*Moe=~a+ ziOp1UI<_-27iM0#`%0DD;PZxn?nhSKqi5*&RKLF!V3g7*gE$}aG&8Vs_8bfxjo2}G z5{yKD?x|7ZFq(CYYA=z0C8Me=@#`U^o{`AZ;);mt%rs37U*m*Y43#z!Rlg{zr<<#CG zwXobYyVoqI3qr&Ii;7Jng@MvPg$#NN2aAcgLLX? 
z>#c*8yni7sWgo12ck9Zjzhz(84-bm{+@y#n&Wa~3z@r|>T(K47QQ+s)tE|@G9cyFd zGS9*Netzsv3LUPa+*}{olr7VkAjhuv?f1OBq@Szg6`v~AsBV8N$Eh&z$+56NUx!%3+UU(fhM<8`WN8&CAoK@V{Xj^>NtA z&gAf{=?{lH25%Sv55l(FlvtF0#V7?#_I=%1PeEu6?|#F(;Nu-HeM!As-6>bYvu?q# z-&>aOUROC?h-4SDTzq$5APFY|5tFm>Vw#4InxMhPDs4aGBZRb|Y zDtr=$1{C@1U+a1ee_m$Uq)sH6^ho+tO(-M%nHlbqt6SsW`Ubb3dLgdFjn?FzL|?nL z`AieD7IAmUXO3=dpJ7&(YHhM$2s2{n1tFc=)d?|x7h9Ld(>*7CBB&t z-|QUsWfsXhZ+(%`Y76UrtKK%=iB~tQ8Mpojce4eT{q3514fb;LBc3(GF0}`kwK zG=WMe%SwLBq2wz7FR{BtGO~9+6BiR(Ebe<)(yFSxJo=E4a;p1Kb@*2L=LK~0Tft+9 z_v%g^$M;6Im3r1sq_`E8p}(Ii0PM8%UCDG_{BM>1s`*1Y$8W?bc^#uNlPzqs{ApCt zH;1&24r_oj>qBhCf{LH$#J#Lm*Ae17nW3fo+z#@ zyE&eC(wU4#*RH3;f>0;Pu;D2p@b+WiI|AQUlT+p-1K0i zmxk=EONKH+A@r1r zcF>}X5NEAXA&*a6sVQ^z!*nTeOIK2}cNImq^o%lbyd*d-&p%+!+hB<6dnG+KfxYQG z5(5RCXGTOz4hYC=_NHVPc7X)4$g=b>Z&=$3pSY$M*)^~NJ;Ho8R|XsO7~hk6hAQT?WKli~ z&2>S}<59mcQe==m7;s4fRzd?nVZeph3}p+r7Rf4N*6!sPzJsB*Tl_mXx+>NdC~C^5 z?$GMP78@peZhC{%HNjIrrzE<+w zerB|wjN$FRWUT7ya)wckwP@hzNb%q*57C^N9uRd~FL0P5+1zx_C|Xg#=C%J^;mET? zx|Q;Tf;r{8el8kbKX;uIUBj%`r)1f~G|t+Fs@P74J+gijX^=aA|8e5}?x4dDdIaBa zai|M-JF7NV2%5*EplonGI9u21*hyqR;r>#mkU?T{a}wwy{Jt6&>-e?wL?6^mq=PI` z>0mSslv-UW53MiFf`YPgkc5Sn$b8&wpEFF|+Wc<%c~dv+$8oFEs>sr|Qkg#_B1xi! 
z2Lyoi-VdZSYR$?i>shg57o0wk1B;1l0R|hdia#uGcxUi5w^drA%AI>Ocj?#ecbjuT zf9K{bc32>iX+oKXY;zMP$)H z&<&fj8K`u((cG#f-&wj9Hp>mFHzKsgES+G#Rl;m-Sl?4nH9B6nrm5RGmp1KL9)^?v z00Fys6bf&=PBxa7o+LiULa9Q8mvibTms^)-?W3NwJlM^vDN*+P7W^C}8kOoaSM{Ck zQrp=GYF&pdhci#`^MMsou!ej-K9KyNt%8qJWCuBkP%r0>$M>I+({C5FOT7H8Tks&q zs3jzoPEJmW#fQ>H<)?(XUVFFmB9n3acU9Y*or*SEQ+A z-QiBF3g$e=NT2~*l1**k!n7RV3j(` z(pB=0V=(ARVOXTWt|)GPv6s=NqTzvCKOFk5AlnK+A99LHQj&*X_Xk!6hB2CLNI6W?R3Q6Xwl=8bf)#)(0FOtZ^VvUz3 z4Enhb`TYT3L+4tx;y5^H2b!De@F3VZ4kr&2f1GH5>=^!0{iZI9t`&x75X5@rParph z5uU*{Eo%=c7C&>2^IO+cw*JMa4;lT4l~pjLA(I=sRlTy(KTjjY(4TmDInjAQ;&NW} zRaLE#RFFDlj|4t4$Am2qF0)&mdrw<9jH=OTlzqJk!5;0=p@zof`enD61y+e-htY7r zZiN$-LVqFb2@V^?yO+Kj4FfUu_M^zSHxzEq5S?N|gC5A$SW;okBAKzFMJ2CY5i&dy zOj97N6Nf5DLR?a;TN9^^1DcyaDe|&B_ld1iJ%k2wXCreadikuG4;17s6T%XvAE|~c z9t4+<4_v-X&{~$Oj9GJ;S*j@O0i}yYP#Oj|7rtE^#ZU8XbTX7Rqx{s$%O7cbhHfSc zkY1=2{V=Mf@@a=NCk03%imzTLRUWq|f8WFDIqahZpJ@;p93aOaE>irEM8A`>P%)BYEOG&alA$`y|}z(<#ka;Y3wF3CUo`*^MWz zWvVHlDrM`d%sRc5SANR|HScriL8BlCt8GAaTH3?I*eSs}bJhH}y__6%zzlQAe}4%H z+CrCCbm3T(?)oz*4*WdX7zdeB%&)Rly#F0+0Q95)4gdlsdv+F#AV*I{pkVZ}_BIe$n!_z|ffLL&duVc6~5vU*RFe;L{y6IqDe(!3q zEK7u~NJ+2{j4}pzy>F}-*r;eGTGEc$y;saa)-s0q(Vv51E@6{%sDcM6auK(WtMb@3YtIc;;3{hK&Ah9C(S68|RyElb_Q z*SjQ5dO{FE@;bGl7XJ_e97EgD!^@aRfONh}TGr*{;=5O6?lAho6$dt=4DSB-dzU?p zY3nx(*z`bVSyf(@%I;qu^$mNT5~Ll?KRslC1^QplK&fNT=R56-2agh=(g`^8u#W|0 zu=R9;EZ>O9EFt_@rtYm9>n~)5bD?Ba%C=la^7mc;yx*Q}y@RLMu*n~&a?ZU4SLa+7 ze}4Z^Q=^d`G+t3&e%tkN#QkYxw18xqpOP^6hU}k+b#@1ks*)$6&i~BtV(cH(GK_9I zM%OzlX!5ndp;2sXsioGh3v)%9een!a6z#LXTy3+HzBbq6!C>1zfx?)g02^}VQFmFM z>UIVtb_TE+WB;7i*{;l{>xG8_LGmgP3x7EEU(U$E*2JZOt$(P>(_Z%<8}|Yc=q`Kh zJlnNeijpc6{fe*lcGNBOuk^rMFN_HOo_O-tyS~wd^yQ}C%I|ijsW>!8^(%SoiZXqP zRa$&?(vdCs{R1_;v17mT!aS&H<%0nud6Scqp(b(k$nh)k;OxpZ<&xl~Qy!q=- z9RL3k>;L)Gzl8AmAN`%4$NsBs543!w6;wnjxi-x${NMij^@;yeK*4|djQ{-c{~W=< zG5V+Fr<-Te)V*)9@K3q{#Ud3t|E0I9>!~NSuR}lECB}@?z&!5)m~LW{W0>$`20VN1 
zMlOoz8yRZ)UqH3K!)W`(91+3nli=uS--%41XuFD56@W3SSx>KcWXPazgt4IDkWqCKdUx)t#)-_@0;{sS6Ux6nM?~;;)cg7N_vb2iJ6^?( z4P&8Qy1{7ftF>X06l`JRT&r~|Sa-C4K6x+a_L2`;n!Ld`A}o~oApcT&3bb(HtAnwW zT5<3X)l2@z|w0x4jZae92#a}t-f#|3Q)vOxmhB~Ss|Y*e&J6XE9`!8mp^t^1Q6i?<_6Jx-!*q6 z{R1C$E2pQ-T{0!spSslOeyKKi9Z@kj&^-W_Gh1D$0P;+MUp=(ieJ7q7NnMs^k@wz7 zs>g%zD?K+XV6PjNTNU3=w5O77Oyj{7%?CaJ?|XDZT>Kjmzhp!PFp&WC)WY`ubp-^M zV(MNub+JD3wR`hW9XVs(OzR?&6qX7Vjj#fpDYVOKs8|K zDrZV@H7q4+eWqlCowy;l9&~`^QxLVM(n)03shYJap{=lSq8P}~RQ@;X>oJjWKK`e; z3!o=Z{op$i&55hzJZ%p5Y7$hOJl)G~ZW5MLajJQAV(&}yh8n$pD{w*ZfQfQH(AHmP zdNizgNrug4>!pNkVdME3vstqC`Otw66XX)+infM!t;^ARa>Psm+|NMMwRfhRej3%^ zC?8V=D#n@=0quo8NvI4(*nV(F1A+8KYV+8d?(oIeV9NU|j@T0y%0TPHv)hoGz{L^h z#@ zNEA4BsyhdprQ?ooid8+}^FvlY4%T^mFBfXzsA<@rFyFC9gE~nX-tt?6CH5|Ep>y*X zhGck`Vxve&{i^jk>qzQtrX4eT6AQRb&5kF``x8Q`PUOe2B_^~!;6T=+7#3!AY89ei zGq>xZxvJAnoum%H9eFSr?)XS=mzsn98g4@M5rbX z-Z-z5RV&yMlMm$!6xB9O`{3zT0h}dEGbvmK(b(ch(2YAntPU5i#tH~b& zbvXaGNcj+%GLOC%MLT>i5F&@kSk#Rc;MomyRb%oE!F%x$4h&3L=A%dx&JOQR?~!Wmb6!h0oNcB*jgZ-iFNKF7 z#~0hnG|q{B9yscFLu#!e?~jxd^&*NL z={T_i39*!TihSnM8Yw9sv&AH1am?lKiS|W0t2RhqXaB}q#omO)B_od2dqVV65Bj|& zx5z!&Kd4}yG``f)2<+vNgN$1Vxpako&{!6`@z_0aLRHHd`}HF^4z<|izp#G1%`t2m z9_yYQ788rR6jc_dDnxG_P<((Cyo&(T0UUk+b4fxbQAqXv*T?=P30NFszv;#HRe8IR z3D*R&4%NL**q8>po{O^`X(yA>bMr{W)i{!2Q_XT#DuT=)XJc4%BJ`5#!~wMjvjEQQ zq#F-5=3pH~T;pTIZ5BNFINq2;*tp!3miq;OTjq$yX>=b_*WAs?u`CSjX;(NGxce8M z&UHV2^A$X=J#WrD{9HoTssHN|lH3Q#tpQ=jlSh$`k_n4`=IaKl3)k!3imCp5jrSHc8as(Qe@~Zj)EaM-45l;Wa5;j*p6-<(JE#x#yNR3g`N-24{z@wMf6u)C!oCG18PYDmaxW z;()tRXg(oh)PIovmtE3HyJ^3JC5_d3Cr^QLl|L+kWGQ0n73QD0pn3d2NlhTSaXq=G z$FXq>P6_kY@#gn#;OT2~9R~u8I~<=(sD-3Ht9>=sef1LONOln_m!` ziD+Q=B&T!h>cc^4V^o58>YNQLX7(EJnrol@Ix^tYLpAs?Hh&UX=$ml$=-+%2UkE&F z{y2j;|MzVsMn#gO_zwQ9E*=+RHf^oHOGhTd zO6r?@y$C@5u6u7`H3T!{8)`<189H z7uFv?T>!jTdsU?xFywRF0D#}X`UXIDa&hMtGTH*QQ@BS-s{2YFi7IZ=&D=^>wWA>t zkeMK<{1*`$rX#4U7@qKGTy>x1yLMC@4vIg#-W_llZLC9_ln0y~P|yD-G=rO4htqWt zpIg+bqwe1}Gha+6Nv*5+Tx^S}2a~ZS!C`Y&F?T7hNsv31{3e5ato)3UivF 
zrZ0k^?`o7?yFnwk_9#q>;Jt)TL@K^^saVG%%0@3_#tA!qIZQWkpJS0MGD~>JKn_2r zh{M+bwZyA4mY`T4q0;=W@4>sbK%&#N4`bwpx(?Srp6f%~cQBgCdf6b6O#@L0gk3^F zQ*p_)QI!Yp1y$x|#cHpOG|DP8*1^ameeI-$P{Y(AH9{aLp#go)($>hCUdcEHY@NyFGlk+D@KB+F@jB-iC#gvy;BM;CEyp`&)W=uR!vD#xW>~W3%QF zVpGndYsm@B9_JjjTuj2?2(=Wmw!(-37k62A`*hLa=Ok|3_gSxU5XT-Bu+SD3B6{9KY?OY+=_Ge%0+ z-{}V~=v{M@#l_)Qx}jw3uM%lyfRe7)RIzXOdp|4DHH3yuPdIb#cZbn{V<2NwZ+PcA z4XTT`-*#cI*hifJWM-xniJ8SEo5SlB<&qQPUV(TcI2r1@_|q4o!>QHV#iRkE#{Gwr zza*dhS#=deZtdHz$+G6}Y4-Oo)Vk`;mF2S$!u6}fhCzBR>coM!KaAgYU&$!LW*p|Q zny#KWfhSW(;t-R*{-%3C$57UbK#vnTP7AieFb4w*2Q-3eP~lq8=UO@BBP{6$F_V7P z3TUAc3WWTH&2O4uEgJ6!$H0-n@F*9|8E^aXP{FVy+^ve(Km2?}1&o*(DIa~4V#%dz z0o_)3pjbhW=U~|O6}HQ74Jxb;0l$QDnTleF{FHJ+E&zrCrDlp>e7es{W|77jP*+awKSf@<-TJ)FdoAtoTcPLhUY z?+z<`^2sYIT2DFfT(CzgRgMSnDH1WS0s^UzK*vsFgTn>?*@8wU%xs3zE%s z-Z^Y(Q5U4OG{3O5k~J|6YjpXhDYCVcY0~quEmMd%pp&*FWJmn0xB|Zo4<@d}mB9(1 zV`ebD(`2uwBFyYa_l2Ml+2OK^Rxw8^k?v_6fF=x0sJ5j^gQ{G*^e}5<9$tTcsI7l< z71Xf#gB)xqfkhPF7W2F#=}8+`8=pH`nFi2;78XKE?Q>&szjJi?uvw6V)1>%=rcPg) zd2EDZ=Wm)mNG=Wcbxmlx9d%abVo(usPnB>i$Cw`uHY|3rSlD<3B#rBUF}y1o!Ho~F z@Bd!yTijZDi>Pk+0imDVsv+BXeCJb8ht~$W@2n_r`ukp$F{0#UdVpSH{i>{bZ!*=h zz@NV&urt~PV^vB#Ct~+1vvygdu+p?N8XZ;@>+wx+Qa)TDmU*q%@xCgGq)`mr=LP7z z4#=*>X09B-Sx@^7^?|9|Z-f=XLmgM`NKG|;dI^8F-9i^D*GvEQFA9CZh`9LF-N{g4 z;F)e9{l~JN$;Y*Z+K+R3_rIV+4ev})W@q>IqYRuy1N+jMJ$fS}FIfPo`QU9f(dDyI z&k#v+@6dm@SAM8lY!9e1E9mE46+~~MT6`b@k@t05WsgyjvDS~~53Rby@IaWbUBc1< zrs0)SZMTLa_IPqgcQTrL+cJw$i74#mxZMWXEd6t-F{G$SU37}KO-?YnqDHm99x6Gk z8$?_z4|AGe{{D8tB;Vuw7SUdMuq3qD#$Wp4R=|(w+2Ad}uFNHhQ>?4s>Ypcx_V>I9 zVGW7PPruyJZk+@xI=T8p>{Mg$F&>Trx#rJ;X$f5(xn4JSZ5`&YloH@e)_?d2gm-sg zmmsv)8T0`#`W?-78EEkeNB@g4xibDQ#zZz+f0{OU+j`U+YXK0#Papd!!Nf$Gu#p_z9Rnv0d3)tWPB{ zid}AzX1$q#pV(PHL7!$FGWhJCThemBmGWj|pmntjqp4gBt33sYLJJw@NTWD$@g67B z&5Qm(o%gi}=r^kawkelugEs+|*ZkEY;5O}2mYRcm>!eVreB1c`S=Oh}fPZ7y!O5h) zGsj-E;cxh8<(=uxDus6G)I6<8k9H^DxmAr}P0&pHtWY-ks!1|9{i7pgd<0?6B&K+F zvBUwZx(`P-I}=Q>F*Mt>Q*)YK;JpYDn=3B>O3WP$if$ZWC3T!rQcXN~ 
zrbiD!cu_2S7BxI&EkSB!m`HXq4qp-fGQ=}RSdQr&)Yv0fw25A;7!12Q;V?Qi6vFyi zVYP4dGuYN~ergSgNqKRb<5?+_RRD6GpttaOOl_Ckq;(dPU~fZy4#&f&pKg{O;|*&G|V$F`Ctgaq|NZz zZR{n+>t=y)QT)7TRK(V%PkwG&8*Z@}h2V*9(~u4vjcn1=db#2CY#2bh$k7K&Wq;f^ zFfeGS2tHO?9UUVTszk*8rMZhv3pYC@#cVriEcEsV&jE{T8OnggS0oKUvHYoiEAr37 z*YThSpp07e$oSCUeOTx8$|E%-!(hw84-AXOGVRw z_WgQ5FVRfull+4Z-R`S{6Owv)8qEcQ#tBUnGZU>XQS!B9v`9EANdZ+_ulw=n3lAPY0;ojjRQ&6z}28)d`v7?)c9~V15%qpvFT-X+?1wc*kEm$34F2BXnZ7i3ynAeVD>0fm3#y>gvT}SC1d`CLZP) zfjEBGV_S^6Yv(I%EqoG$8yx|g#%6D-gk&AAvsq8Gsc^Z0 zoNDH^!B_-mgW7LTZYoP|SgNGm(&iAt0SuvHH-*4iL_LcIjbjf+ua*+96h0dPX-}vF zWa3Aq>2nP!jB`cEGQc$lbsjrn(lpBO@W(g`$dR#64?P@y)L&bcHLiMP+Rxhe&qS|) z=|)qI2|y3TT! z!61FX`;!j;Bp3)|HmKWb^gR(YvKAstWT?8CyYqo zxT&2LLJeRSU><~bSFD208HA`n(E+gx&>&F>NJN>$8y}+gN~h4e;kjSBxZ4st^`B2r z5?0Q7mDN3Tt+;Y)m&g{)H0=2teZlPVcm0^|9j6i{cZ~5!pe%DgxtN)mxf%^X46_aD z4U^h#B+G5mUcZcu8%#6CNTZ%Sz2_F^cM(w6yf!Hx4?LI0^<|I*CFYE0MVQhUB`@`? zlEG_zS!HWFvRT;!QkY8_idjqQ_I1K>`+^y8>q<8(;i<$@ELp8z0yC$K(KcJrcudx2 zfv&v-#=?*s93DEcteE`?Km)HxE3geMS!#&4PN_Wd5Af#mAn)n{U|bQNF-{D~#VLc_ z>_Dd&TB=?%#Pe@myu9uWdC+@7*Dra^GHh)F{j^8Zp_(ll)NS2pYikQNF$TIz`_ATE zSo6mx8l~Zae+lpk%T0N87{{&%`Mqmt8UxV5XGFz>bcwldk^J1d;TxiBU1LGAm2;+h zI^@RSX(t0f+)G=SbgjVFo zM~_Ils7-}>a)qsFfj=Jco8tA`q zgEz)MPel~zK3rK23YE(*vNzOuO$<*jY|yfB$jSSekA5fhsJ_c_7W@?7H3rJQpD!aI z$XRb*01{MYM^mzs1%-X>v$f&r34sG>Sts9opIakc;2AG&EvQ&pl9On4K3TTkt|9tFM6%iS8*Tkvp=VrTJID-CW-S+F6EA z;;!6qG9*I??@9FX0toZHV2}(>pDrhM-r(gd!I$c7mT0Big^4L-A`i(ED@*XG3ZWgn zi%pbnF0-V`(AJ?szft*%?jwT^m(KC5Dk9u3D$3uBb8A#!_OFH!`ScU95RHwKJ2K8M4=+p7yP@nM1;^!1#^x$ww@UgCE^N?Fe zM(t4-K`z8Zuzqfc6xi-ZGcN$(=>-_>mB-rjG=>zw+(QOj(k%G9X2k>0x9DOIY`DS+ zfHUGqV~N2PwV4`u@x_D3GwIke$u?$VgOap6QK-6L!2DHpSWwJDc)IElX?KY67vd6V znQVOR$H@Y)bJ-tW-AAggS15T&C?w=lAWzbq$Qk{1=V&enT{JndKz@$yBIUt7%`q&>mHbfNmerr3>4XoYIm6tV(uT{eb z(CPfVp-PS?6jBbv)hagy*j@rgCfkCcR%T?QMz~?jCu(#`r9!n@ z1IsvO;k&pwKrsWjvKrw&F$-}b9f0hDZb@{c+MMRo-I0#k%~{>BDqCDPU@~t%uQdp@JAq{5nM9u(1zv z@0rt}Tf~530Sd?}(gWEn$FYq5KWO}yco(0Y%Ed>T)b13aS`)f7!`kYO_B2ZlgTDrm 
z;A^l6lFHJ{7BGBv&-}}M`SQ#`WnBq05-DI-;kXhpEcd!vZg_RgabCRPO?rc#M|)eM zh3MKnj0o(ZB3NO(yHIOPgnb5UVZLGm+8^8@5w)%HbNx)(`1;o5{D^20qtt$yRSE}q zFJo551w1|#mZk;17~Z||n!gt)phf7L1hQ5`<&KCdFm!4L8n=-QDS3X}tko*?_nlt= zTeh69`#P+*$}_=j>h@h@QNo}~J+xh7cda(vnw=cFU~p=Hd$ahkmSHh{Xa_OY0| z00rE?^80^zu5kS8UGmZnw)^L1Z-qHRo!!Bd;!u)9j6k@~bf4t3Vu@=9a_83Fwmg5* z_Iq<&d9oc*1OYg^DUxxXrhKz0!rxVh3sDT(M9V&T_GZ&vFKz|4Q`qDmdyx!7T`21y z_?rV<74aXW;p6uA_@A1o96cWudQ@)YnJ%b20YU7+mvDH?bKfzr(YN}A`27pb8s7fy zAQ9a$4BBw>fjdM+;rACu^C1#x@(B)$eO`QM=Z{>9n5OT&{x6o$4#EDJVGq+_n==gU zc5jz`Pz|{<=rX?oGRsLbD#An-^p*X3?P>TnW(CH=1hKszy4F)q?wU zuNt>}18y%DAoq#?Ow)X6S8UAq>vF~`h(wXE5Wzn|B}r$4={c|e6Q=Xe=l;LXE9IY0 z_CN3;Sw3N-*7)|nII2J{D>HW?R;}JRSK9Kw{r79h?BnB~U-o~yfy_Uj^S`|)ZxH`q zt}5Fm3%!s2XRaz7N7;js>aG8$XqMM~=z;EX?F5|ut$kJh4^JU5Kvp*Uw_l&%YaF^O zT@*P0Iwl-c&I1NS<-+pTFM(fCX$n|V7TV!gOZy>K>0b*gLmeu7ES~`Ny+YAy`4gJE zK?z?z8$PbhoGlZ=nL)$rI-UO6b}~e_Uk$_-=^ns)rh`Z~tr1)V6Wg)Q!VeLg@GaC)L~E zo)+z&{}*AZQ|3HKSYF0cu*<{!<%N*JN`hnp@Tke-mJ0mCW*7+R);LHBY0_$yNz%^H z-M~oykeVL)H&>MA{|aickBnfb)gZzy7j&kndW|-Pz9(CQ%4rfF`M1vfmd`4Ts&*}H z7OP)qFe69x*ES8heKYk%tDV@}WLVvbxv{AtKKU|eVSrjQr%e%-Y(KE+l-D*`U=+7# z1-d=iQ~TD-K&%8iTkhh9i^a z6mR_+L#^2+y5=t*;u}$Bm$#(<0%yRZ2&fn6!&pK}sH<^d70nc)v4wdWfCx|&qV%h) z<#fq?U?O44XOqIUvGz!1^yrZrtMCpD>uucV->w2ZF0t{S5In8c#k8TK^TA3;kG&o4 z6#*(+F(z4|vcH@uw%=5-(-I78x$Qp_zA!txFu75>%uK!O_RWcIyX_Scn7@yUdJrT) z98;T6kv5p#$Iq5l37nEPTa^-oehA{$f&$B*Ho!lH8+vJQGVo7HOqxb+<}3I3k#%1n zbZi$auZM=CFn1+;jDmg{$OMCO)bqQ#blY{tozz^2(i2|XTsxlsz5yQoY7+hW1?ZuE ziE%SK4zPdLhMSFrD$pZBld=W@`Wrm{#CZ^T3+`RScEUl;RaNm0M1zx2<<5_n%Q+43 zo_xKP?`|I2cC2>$JWwnZ*pljEi9{}5p=RlXU_ZSzC?kPFnLU?)#M4SoViv9YY7uP# zC2dL$r`NH4{t8VLYSfuJ4nPsdgKqO6qa>;124H9cL)2WC@cBAFHa$$#JgVjC?deg& zm@N07OAGB61QQT02H^diPUS-_hP3w9`Z&@ug-&rx0PO&my(k^>R$XdRg*A?=&ool? 
z8cq^-{%XqXDukG|$H@bhqhsPVWK^Sjbz!qQb-fWz}9O9tHj(#127<%3pZ_gHTS+B{L0vo_Ah{Na+T zG+$Vv(6L&4{anE+uoLpVuJ;h7E4VY!@vM?sA|ul?T$Z;zC7@4!XXQz?Hb=W@v0F9_ z3^n)d2st}k*T$)o29P0V{(&%H&w_=d+xnremF({R%hT}qina!*X?L3{B9-xN?=Jka!xB+yHNt+~qcpCV#Aj}I42R#Sj@&wlZ zE5);X0t#XsBELN3&OZYrVtY(T@TD|gFs|CwVb#wKcu4He>`F8Q`t?~*_pv#C$P!&C=z_*gE6Wlxm$iHtS>I3c>46knO0~U2~LGJGH4f{BR1+0@BevQ(+NE*Cl?Hw z^YbcPaUlP=zK7FdKP(uG(sB|qsKyJyJV~M5H`F!fh2Isqk1E>`%*=GUVvRrrc*etrn`-~g2#1>9BSB*a}` zopQHsSb1!T@kBK0iZfSKE%J+PhLDe2HJmyEHEUNzON6;tvmdfAh`<6J*6|5yd6Gx) zF{AL-1p&61s)~KqUSMMysf$?R^h6M;Cq$i;uy9oY%nS_(u1@nLeJ<6z&VP z;#`Sd&bwS4sbCFi`Bu&)qWinez#=n&R^H{>-;6$0sa&^tyw5A%Xtc^#yZM{o;Y4(6 z?iqr(h<6o=7zZh|pn#mKwC>X|d?i3esQtcUL5vq?!ZaqbqT;m{=6 z2+|~4i~3E!VB#&23UE=UpFF9C5tY}vDzpy&3A{ zeUhQ=wR=R);1?6WHIWB_y9(6j?sQfJ#*W7ucBJ5ZDn(A?W|E zyGdgC4ozK}_HjH_6*8+F2G`ATb<+D(*}_^7Wn&+%2e}kXJPfHqQPKiF8I}Lxlkve&@{(vEsf~X+!>8f(BNNiVgz>{q6E_GoYQVGM>j1KFM4d<$3Skc@iqAUB46ZX42ejw|CJo0?puzAQK_Lu%GrUwU3IDk+Z$jk+cbl zvyDIxv#2wAwD$D{&>G9|tWs8WVtQDBW4}&y8kTAMp=|NxakJ0VCbruRq^Ohu;C(bR z58Uv^(7;(mgb;MkrMFL~tmsHuc#X#9@F)J_l_$?j)Ko0C9tIu)_7{4I_}7bm{eSam z19Y%oXl-tuD+gqWr)h$)fPB;N!@N1dhXxCHb{Ykq+WBq)4h%-RcdH|J7=0_ZMh)}) zp{E&iA0i|rU8Xka0INSWp_~MDP0s+6m}RI$kCsg8KB-=r8hdm0)yW*-s?fUfRrB!K zjfXV*=M4aID{}|US|fvDZwr;YESR3aSOn@b{3r@K>3u9>1u&q)OUr-uJjB}#25Pqf zKfd|P`?DKx;1HgLuLbHgq>b0F$4T1;tkFM&%5a=kgznkt5-hM;fG-8SPa3KE3x2z6 zNFZqmSMjs#V|rsl?hMO&7QOvw=ciDOL6p;S)sKr%Nxmrt@_NlXO`o9-vvxv3JgSFk z{~9Xgj`6pHa}*6)rG7Yz_dperIp#m*1;Vl47E^{pMvGMf36;xw9&jC-fL=XfjmjnG zk=LhYXYEAQ(ZjzA3%wI*Caot+vRH=eOxC5rAV;Dl6Jjrpqz@BoH@S(%Z0A;u@bRHp z=6!G4xVpV$jd4CV$Ef?!uxR%F$@>lcYQc91@UX)B6o6w@R#c?p*3^jjjuDPI(dc`KA*-GlEfhap}8Mx?@O7oW|*?gImbksD4#V+TUl|7z|$!9Au2W^tOXEIM@4pY1V>*$2}OuZERawFEJY9$L?FpHBW3A2B7-!k zi9ifWiLw+y4TKPgbfgzS2qb&%MBKS{_uYB-)4ut@b&)(to^t1Y&VA1R|2qPG56>~I zc;X9i+^6tLH=-AWP^~MGE0PJml9(1s$+Xt5UqkFa4Njpy6CW>5Qh9+jh_uU~tS1-@ zKyp}eX5)&=7h67^c?7tSR0O)(VC%8b@A58-==L7H^pQ8RlipCS_<*i(Hjee;!~ESH z09Ji-otY7J&3#1GxgF)E5D=Lm7f8UbqMV40@WNhoCn9GVehwf)N{^NxP5EjeMYB~& 
zDnW2-l)0lN&y97CYKX*B;9xBPJt<;fm>ioI*BI!e^I(8PGy;2ehgTYD>-bZ;tn+;1Gs~myFcK+|A5&PMlJ;9bxq~CI5p5{#r#! zE~F;8=kK+MnzR8*0#=T}sc|sO=q92h9P2pDq|UV?{zDb~2ls!?zR1O<@HGt#XXl%r ztF|c9cUpFt1?BLjonBaE?{FgK!n?o+I&@|(_xZD8v(>+|Ep#3TMY9g8N<9fK0}cDM zv*nb#_Tfr%A!E;0Qvxq<=TQxZm=o74!k_CNJ;eY!MGX9^PAIPwBz%SC*+lM5g+!-H z2g}=+llL^-dAh5<{|@^c{zd{}Xa9|j_KRNTu~u7+O~Ut!?6$EK+G8pyN5FO zwhsR03-OYrNw*3U01C{sTN{;R-V-51zX^p+ec$Onpvl|6B?g=3&Szb*Et?@8Y~W5z zRISZCaRu!=tAyj&WydYe?$3Qbn`%uk(fWUl#THR;O z{rVA2?lOraNo()k(9Qe~^jeoxh14q{-`B<f{^6(D7|&9$XmEQ&`QJ>@m$) z=?t@1W+bYu6VA+vy@R|Qf*#syOEDL7Itl`b2$FWUkhx5H_wZQsyb7Sdp}RM=>YmW) ztkFyQb6J_Gb+g+J{L!yEQt6ye28C*7Hc$|0xC!}q#h{MkCH?qa^V7Lo5BeW!w;exT z#dvjme_tGlPB+i)1%rE`;*&my@aS}sKSy{vdSB^%3Fzfy;Z7voDcaEfAdtRaC*Pz* z)8w&FyunqHJ(|$B9PCU!h?_Aq#C;ZtF8fMrfxC8?)NtEHg0yD}sunq^5*A)VF;=;bhWWhGdq%d32Wkp5v1Y(k*G= zRp~jjSG8MQqh5xpcT4e$!Jok|Lx#q%Uv-=f&Y%`3i3i`G9@DhgKkf@Gp*$9n_Lt^n zM-gU^Qp!{IUa>(6)Z8mEKe!=#l$EJLu7j>%-AW#YE$-Dl*w}B5`S9ZjoF(#2!ODfC zpn}8+XUlz0mI3y{?g(?z$U}H7=dWJ%eN;Px&)#66Utc(8&qzB&)lB>XrLQ#TX78 zNA+tK)@f+T4=i9P@eNt3e-Fg)bogI^7_`vl!$2vtq^L31IbcXZzTPS>dTS?Y+e)m! 
z^9^M?W;;YBsm(1n4p0jv6b$+BEBGiPxi=qt38p(T;wf7+?$Z}CL3Tt$@W!%?l z-&QC(zwn{b^8eQ|clcX$bNUlZ$ZADTinQ2uuR;P-PmYKgEOgH&z6ZR; zLK0jkwOfFl&O`q+v<4f0fVAsr*9iwA(HIyUh5`6_VjK)6KIEq0v$9 z;kSn4{nR9kb7!WSp!sk%8Mm);ZP@3ldPyKd}Y=TyMLuzK8um94`>x4N>C+P2Bxe||HIYEtyl zT>~^!DYt&^9>#PZfJmL64-p$p{Yo@py~v`H$)qtOYz<3$150k5pZP(xw4^iBr7OWH zN0(;C${Mvhvg$g);kz}4#q3UE{CFMh%!a~cNJA%Td-KH|8&i!AfPF) zI4i>|VQ)^yt7PlF!+76Ja}$$@Yind9@TkWu(gXnFFlVotx^`>GW1>HoS6aM=tWC1I z;UsxKk=&+xxKe_A3xBF=Ebf_D#B|kq(uitCJ9!nmu3jBUY$dQt)O;t(no)>W9+FImFo9 z@2!zdOd51&DJNBZ9H1}Nr6ri`nN9LRg|YcXT(qp0KCXGmN+Rg5>>ANqYWnE{z-@gjW?%d2r0g{AkvD~k$R4lW=X-od+KSzH zg+aA17+!sKd!SXs9+&D!$~bEd`L<;bU8$6Tb^Jf>i?JLP*8yJtH!HX+bbpkF(2W4B ze+3ka?GeD^pWJ*Rt~c;?V@t*f6NQx)R4udpdeDsEQ^i_XjdEb=t%?5^x`wbCDG}0b zqtizTbTb=+$Z}{_5M(pzCMYZEeyp=egRp!ib$>#;;^Pdds7udotj=}rz+lq0W;pj6 z5Nf5ae4S5QN~>-@eSPsxmS5>wevA45#I;9{RYOw9YB#a5p0T{8tem&}-+!m2#qziR z%ZlXki@)7N<7Kv+U@_ufH@-+hgov5#vBBrRLnYmR+Q=IBX^_Jg{(tE6v3%VB{-l)M bX^~)KUB7Ow-jQsC-tvvP< Consider using the `mgDiagSettingsAll` orchestration module instead to simplify configuring the Diagnostic Settings for all your Management Group hierarchy in a single module. [infra-as-code/bicep/orchestration/mgDiagSettingsAll](https://github.com/Azure/ALZ-Bicep/tree/main/infra-as-code/bicep/orchestration/mgDiagSettingsAll) + +## Parameters + +- [Link to Parameters](generateddocs/mgDiagSettings.bicep.md) + +## Outputs + +*The module will not generate any outputs.* + +## Deployment + +The inputs for this module are defined in `parameters/mgDiagSettings.parameters.all.json`. The Diagnostic Settings resource will be named toLa but can be changed in the module if desired. + +> For the examples below we assume you have downloaded or cloned the Git repo as-is and are in the root of the repository as your selected directory in your terminal of choice. 
+ +### Azure CLI + +```bash +# For Azure global regions +az deployment mg create \ + --template-file infra-as-code/bicep/modules/mgDiagSettings/mgDiagSettings.bicep \ + --parameters @infra-as-code/bicep/modules/mgDiagSettings/parameters/mgDiagSettings.parameters.all.json \ + --location eastus \ + --management-group-id alz +``` + +OR + +```bash +# For Azure China regions +az deployment mg create \ + --template-file infra-as-code/bicep/modules/mgDiagSettings/mgDiagSettings.bicep \ + --parameters @infra-as-code/bicep/modules/mgDiagSettings/parameters/mgDiagSettings.parameters.all.json \ + --location chinaeast2 \ + --management-group-id alz +``` + +### PowerShell + +```powershell +# For Azure global regions +New-AzManagementGroupDeployment ` + -TemplateFile infra-as-code/bicep/modules/mgDiagSettings/mgDiagSettings.bicep ` + -TemplateParameterFile @infra-as-code/bicep/modules/mgDiagSettings/parameters/mgDiagSettings.parameters.all.json ` + -Location eastus ` + -ManagementGroupId alz +``` + +OR + +```powershell +# For Azure China regions +New-AzManagementGroupDeployment ` + -TemplateFile infra-as-code/bicep/modules/mgDiagSettings/mgDiagSettings.bicep ` + -TemplateParameterFile @infra-as-code/bicep/modules/mgDiagSettings/parameters/mgDiagSettings.parameters.all.json ` + -Location chinaeast2 ` + -ManagementGroupId alz +``` + +## Validation + +To validate if Diagnostic Settings was correctly enabled for any specific management group, a REST API GET call can be used. Documentation and easy way to try this can be found in this link [(Management Group Diagnostic Settings - Get)](https://learn.microsoft.com/rest/api/monitor/management-group-diagnostic-settings/get?tabs=HTTP&tryIt=true&source=docs#code-try-0). There is currently not a direct way to validate this in the Azure Portal, Azure CLI or PowerShell. + +## Bicep Visualizer + +![Bicep Visualizer](media/bicepVisualizer.png "Bicep Visualizer") 
diff --git a/dependencies/infra-as-code/bicep/modules/mgDiagSettings/generateddocs/mgDiagSettings.bicep.md b/dependencies/infra-as-code/bicep/modules/mgDiagSettings/generateddocs/mgDiagSettings.bicep.md new file mode 100644 index 0000000..4119720 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/mgDiagSettings/generateddocs/mgDiagSettings.bicep.md @@ -0,0 +1,46 @@ +# ALZ Bicep - Management Group Diagnostic Settings + +Module used to set up Diagnostic Settings for Management Groups + +## Parameters + +Parameter name | Required | Description +-------------- | -------- | ----------- +parLogAnalyticsWorkspaceResourceId | Yes | Log Analytics Workspace Resource ID. +parTelemetryOptOut | No | Set Parameter to true to Opt-out of deployment telemetry + +### parLogAnalyticsWorkspaceResourceId + +![Parameter Setting](https://img.shields.io/badge/parameter-required-orange?style=flat-square) + +Log Analytics Workspace Resource ID. + +### parTelemetryOptOut + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Set Parameter to true to Opt-out of deployment telemetry + +- Default value: `False` + +## Snippets + +### Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "template": "infra-as-code/bicep/modules/mgDiagSettings/mgDiagSettings.json" + }, + "parameters": { + "parLogAnalyticsWorkspaceResourceId": { + "value": "" + }, + "parTelemetryOptOut": { + "value": false + } + } +} +``` 
diff --git a/dependencies/infra-as-code/bicep/modules/mgDiagSettings/media/bicepVisualizer.png b/dependencies/infra-as-code/bicep/modules/mgDiagSettings/media/bicepVisualizer.png new file mode 100644 index 0000000000000000000000000000000000000000..cdfbc1e032cd57c6835500243c7545510e51a7b5 GIT binary patch literal 5863 zcmcJTc|4ojy2qoXN*junnpMOk%ng9t zBHRD~0BB^WX9WPT)v_M;g9lhOE@~@xSueH_D}yV5l1?!atHADg+3Yd^P!@k^`vwQA z%oS+p7ys27ybbRt`)Tr68oj#XJH;ZlgWs9XOdwA0q z05Fvz0swh@2mqk(AQ*7h+lUi(Ng^C$lertXCi!%yxd)}r;1znY^JdR%Wpy9R#O6<9 zc5y)Ch5I~!>mrvq0cYbf_5)sC?Pdd*O8@6R|0OdJDI@mt6eUsNrwoJL$*f+TW2`|d zDjd#KjgKDyG>R$gss5Kn_`m2yBf49rg2IiCF?d-jh&p1-nC#s^OH%r8tl2}MX9P!< z;QImBdG^Hpf33(*y(VDdkCp1W9PZy${C$C{3)U?3S=#^t3C1qcv21{|F?-_vV{0-^ z+|HjrpOcZHOI=;f4PP32@7~HUtbM1tLCC*leQ_k$AYLMh%U|El4xNNX8{fWNQ{-G@ zg$6mvX@*nQ=u(9T!4U34hdf5BgRJcAj)<$`*_@ zlC-|QzLk~Lk0t%1e2A-0B($K>hlQnDT3W0uEhnAWWTaJ8tgk*fK6&-(Y)A5x6Q62F zk8s9|l<3jOC7i(*wy%a*c|r+dt9S8mk6yQaN@pu6FxM{lu=T#L7Fb0B9--N{2<(Bd zS}3=&LV|6Ab?1rexg*H|@LwhFEB!z$85366b$v)-c_X4(F&VLE37V#;D;bgY`wT&Z zPDCVR?FfQzAQQsb`t_?v0FM`2Z7OL!ns|~ZRa9FGy$By$zyNYYMw~AEJQM%GySxM) zKc}CV8>eMBZ*G{J4_wgMv;%k{|8kOGbzw9t)F8$@)uV%kZ9Asol624W3C86!Ptxk{ zlu&R}e~gUp#EIQg0N`T=-NJ^Ep9OgitXX~?{1xtso*dsSfp500xOFBfNaK}}bKFH^1Y=v&r2-!k!bbehhs>Hb^q*${B~MG2rpnYjYDSt=w-vwkpzLZZncQR! 
zVF5h|QZA;gnOA24bL5x}!q9=9;;a$bW>d3vPnatvWnQE`Q3cLScHZf>R+3@MkmW-d zemN~rg7Hne?a1AU`-m0O02%;WSDxn^V^i?>V*snz3`l`MC)h&n5=~xMbw$p|cW?|V z=ec|vQ(c4OvuDP_+3xnABz9+{T!u`4h?GQ!EY-V4%!-qpUR%_yi%(aOcWg@{e()yh zP{hW4#!ZxQGUYeFCMHM=f8c;}UycETL)(+e)R+!<+LzrgW!aw?1O1PI>MosIL;I<5 zb@?V?QTO0+g22*vZ3gjKyIZ{0tYkuj&PEgO^aEaPugXEr;q&)-I8zZrwgHBgrB1^^ z*`Hg(C6F%WyE}`CW4WOy(eFp!+7%~STWHZHX6AHuYmN#E8e3W>INzFlv|}k{?;P~V zDNQrH1a3423n$15$eSm5rX$xU$U3xsYb#sZ8OfkqjI=eJkLz7kc5(N{FDlL)`7fOF zDarWC(8F7^s!Dz_E^Ged{AS=w8Xj#&hsxYyoWlvBcvV$%Fi9p^2Zi5e3^uHTegs&g zT^dqmGf=xvIfaR&$!Ji9jRMR|iiy4Dm?tlnwN7u)T^ZD&U{c^P zR~UJ~EI2rLTbie|zJ3(Od;Dx8Y%qTkF^;6y;AvU~>D$xt6sY$X(vbq5NAqs?KhHDR z({9fS)A4y`ufq(lao!IE4nPKt2F(U7xB7P!6%}V**t=+KfbSk-7f->tipojS+Fmqt zrq4M+$9~gaoe2+_ZB2RNJcJpj-&KA4_APDH05CV6HcPCejWm*H4T^>W+Mh z6O|Xe=odH%YdHVyEcx48%%P8sqVW2YPS^l5QV{pOs{0ubam_;(3CXU0&*F^*8R&k+ zUB4F{ubBAy7Xy&0n;-A^&U-s}9Z}VLaCN`u%8wR&u6IQu`FmNmtB=Ft$rj7(tD6J+ zyS_b3QBy9{(MA{u6@R+lcqm#jl1>3>MXn?Ko5&q6&rSWRV11(PAXqF5wuFD5dHrR5 zE#gg)b9pcJVguoYrpNkL`3&zdDc^``hMm&|cZ6X@=DS{FledP)4xf(Nn2ZU~5Ei*L z9M98!U^NW-XujKP8Qe58`x+ib-;d@)c#U$oKF?)RXNoyms56)mq}%GLP2v)DR6e~m ztHbS%$w*G*g@L@L+!roVh>hjZkgm`hdCiG5(z{F^$@xI9y?`^FWNp4;!byxQ&@vc& z*4t}E*QS+$Eefz?`hGDGOZfmLQ+k?!6rX0kYBU+Bwa`ZEAeS?bhR%a*NvTNR5rK{& zpqTo*PKjS@%Z;Vx0EgGz&zwH(jrja@_(o2}2hGjt=LG*;9lmajE5P>aouGqV!%?fR z$NQ6?_bHga)e!&Czo}U)S6SFEy~KGet&n*M2tk?#lzeRyVI4CbE+g`*lTN<-;Is4J ztgHm=416LT-_)yYAvaAzg-(;vi%ugKfu{(E&V8S8QC74o@(T1k3j8>6E~4jbua)K}N*_SI2BrDVs8~Cu}*17Pp+xa6Jx$B*$2zB8)?mK4TK0R{^z{NM#`L!bv zuFKV|Xz*=_@9G2C+(DXllncN_T@vO3wC@8!#_xQt{)s6W@pCH-G#jn zKuKw69epB~Qha^K&nR+|uc7;*mp-CPi(Y-gyLb~+yj_B4_+aTCi;|C}X{_EZSoUNZ ztplI7*Dpj-2RT;Vm&S1T$`T79!S;|4p^KpD;Zvz|y_28xV+A+S==_k#xW$Qm6W7?q z6W@mrPg9|rH0lq#v5CC-cXyG(Dq(s{k(QsbmuIx0J&=Kn(L zTjVy*tpC6qF%aSQROwX#@mUgHb@xFh<(dFOb+Adf?tBCS<3{B)j9)-&ws8S2$dNMo z9{J#|3c%k0={bV_!ghI(r3AgruF$gvF&CpXYQ3_uns0c|e8ib{N%x_w(x@wVE7$d59>eMnQrZ+TM z8(CX7irQsn#+&I$m2&BsZ7IQOM;GDJ_pioFfZEZZRTG1fsg(yg?JrlNjB-$Bjd6us 
z)hTj2ToqLjr8brDB@F-bv9fH@UO#(l(&El%rJ;s#3sJa(qIc|W)I^v{ukuP!(V1{W z!shB+9l1&ua`VGOE=prh#IL1Y+FPb$NIGn&{&qP^560L~=~Qn{)wrZiz7-Z$RpdOh zp}|f&Jg>7o$xHAoW)8Y)kNQe1uI+ZFXoPI@XWjpe=c!#lt^CZpn=fO03n{pWFXuLy zxshl3uqU3RsXE7}@NZ{Y+t|p!aWr%ta6)k*R5+-W5-Pm)2|HcnwDXm@T&E!xP};8N z?SW-B4_VQ=Es!RC-rs_!;?#`4?uHJPd&U<*E89}L5yKVU0YocO%@E@Fa#49_a66;g z-WB=nk-_)X%0e)6toK`0=vg(%eN>rW-t) z>}edsql)tH?=Cdn>c?09(l^&nAy38Ypjl(Je|#(eojFF&N8gPR!pA|eLdxh;6q6j_7<0yem2pdCLtZj8@SC%* zDOTmM>hf5!+lMsNLfPlGcQ=}yy)G>`?mvIM5zyMz6;9^}K`|~Zu6`7-KybRd;36tD zT~pKSDUapT0-MV2YzBu%RkLbav*WerJ54i?^rdlE!7~mg>|Ji>A}FJq*IgM=p|>pe zn?h!&?aCPQRIvDVLq=&aQk(ik`hDQ!6}69!j*cW3>+u*Do!#wKDl2!9aE@AO5hB;; z@hn}e3W!6>0gGSrG((%ZJuaL>aBWUMCQ*Ob&b9q`v?|k@Z7t_N_sZ5P;xo`{B^|qo zp7xr_tl+nVIueCYkhQXiFaV(p(hP|QTRS)q3)3b{*??LomY0`6twfX974{|y3HlQOL?9r;Y2?UM${UhD_&=(dMn#Nk%yHuiNiQy7)?qwgq6yS zUYkqs@gs2djqk|nhWO5O?{txr+UGHLdf4%(I^V$>6(CPB9`V$?nUoUJ8MNwetBUfvFktWEk~VTf z-{OE%0}3e#wzu0_sm*R@(8z=?PK2T5pmofNP@JzaisfvfvqTXm>?dsjBq4g>EB7oh z>oHDAT4@NUB+#Q#7oVaX`s!$k`giOFr39SPZds;{Le!Sx5EC1I$E2cv%vyj`43y3l z3A-u)!KfD%nt4!BSZBqC2J*$z<5AbWN>3LmDtfFgr6-uFx$qA?>uVr}E0d6F4*nU zlLT24v|&(C8C<_V(EaFt!$xYv?Eo_7it2K&+1*ZW<`sR8iSFYdx8-rjZ>i_@% literal 0 HcmV?d00001 diff --git a/dependencies/infra-as-code/bicep/modules/mgDiagSettings/mgDiagSettings.bicep b/dependencies/infra-as-code/bicep/modules/mgDiagSettings/mgDiagSettings.bicep new file mode 100644 index 0000000..0cf1e74 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/mgDiagSettings/mgDiagSettings.bicep 
@@ -0,0 +1,37 @@
+targetScope = 'managementGroup'
+
+metadata name = 'ALZ Bicep - Management Group Diagnostic Settings'
+metadata description = 'Module used to set up Diagnostic Settings for Management Groups'
+
+@sys.description('Log Analytics Workspace Resource ID.')
+param parLogAnalyticsWorkspaceResourceId string
+
+@sys.description('Set Parameter to true to Opt-out of deployment telemetry')
+param parTelemetryOptOut bool = false
+
+// Customer Usage Attribution Id
+var varCuaid = '5d17f1c2-f17b-4426-9712-0cd2652c4435'
+
+resource mgDiagSet 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
+ name: 'toLa'
+ properties: {
+ workspaceId: parLogAnalyticsWorkspaceResourceId
+ logs: [
+ {
+ category: 'Administrative'
+ enabled: true
+ }
+ {
+ category: 'Policy'
+ enabled: true
+ }
+ ]
+ }
+}
+
+// Optional Deployment for Customer Usage Attribution
+module modCustomerUsageAttribution '../../CRML/customerUsageAttribution/cuaIdManagementGroup.bicep' = if (!parTelemetryOptOut) {
+ #disable-next-line no-loc-expr-outside-params //Only to ensure telemetry data is stored in same location as deployment. See https://github.com/Azure/ALZ-Bicep/wiki/FAQ#why-are-some-linter-rules-disabled-via-the-disable-next-line-bicep-function for more information
+ name: 'pid-${varCuaid}-${uniqueString(deployment().location)}'
+ params: {}
+}
diff --git a/dependencies/infra-as-code/bicep/modules/mgDiagSettings/parameters/mgDiagSettings.parameters.all.json b/dependencies/infra-as-code/bicep/modules/mgDiagSettings/parameters/mgDiagSettings.parameters.all.json
new file mode 100644
index 0000000..e20f3a3
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/mgDiagSettings/parameters/mgDiagSettings.parameters.all.json
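Review bot: `parLogAnalyticsWorkspaceResourceId` is declared with no constraint, and both parameter files added alongside this module (`mgDiagSettings.parameters.all.json` and `mgDiagSettings.parameters.min.json`) ship it as `"value": ""`, so a deployment run with the files as committed passes an empty `workspaceId` into `mgDiagSet`. This setting is what routes the management group's `Administrative` and `Policy` logs to the workspace, so an empty destination is better rejected at parameter validation than left to the resource provider, whose handling of an empty ID is not visible here. Adding `@sys.minLength(1)` above `param parLogAnalyticsWorkspaceResourceId string` would do that. As a smaller style point, the setting name `'toLa'` is hard-coded although the README says it can be changed; a parameter defaulting to `'toLa'` would avoid editing the module to rename it.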
@@ -0,0 +1,12 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "parLogAnalyticsWorkspaceResourceId": {
+ "value": ""
+ },
+ "parTelemetryOptOut": {
+ "value": false
+ }
+ }
+}
diff --git a/dependencies/infra-as-code/bicep/modules/mgDiagSettings/parameters/mgDiagSettings.parameters.min.json b/dependencies/infra-as-code/bicep/modules/mgDiagSettings/parameters/mgDiagSettings.parameters.min.json
new file mode 100644
index 0000000..e20f3a3
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/mgDiagSettings/parameters/mgDiagSettings.parameters.min.json
@@ -0,0 +1,12 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "parLogAnalyticsWorkspaceResourceId": {
+ "value": ""
+ },
+ "parTelemetryOptOut": {
+ "value": false
+ }
+ }
+}
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/README.md b/dependencies/infra-as-code/bicep/modules/policy/assignments/README.md
new file mode 100644
index 0000000..55cd4f0
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/README.md
@@ -0,0 +1,156 @@ +# Module: Policy Assignments + +This module deploys Azure Policy Assignments to a specified Management Group and also assigns the relevant RBAC for the system-assigned Managed Identities created for policies that require them (e.g DeployIfNotExist & Modify effect policies). + +> If you are looking for the default ALZ policy assignments check out [`./alzDefaults` directory](alzDefaults/README.md) + +If you wish to add your own additional Azure Policy Assignments please review [How Does ALZ-Bicep Implement Azure Policies?](https://github.com/Azure/ALZ-Bicep/wiki/PolicyDeepDive) and more specifically [Adding Custom Azure Policy Definitions](https://github.com/Azure/ALZ-Bicep/wiki/AddingPolicyDefs) + +## Parameters + +- [Parameters for Azure Commercial Cloud](generateddocs/policyAssignmentManagementGroup.bicep.md) + +> **NOTE:** Although there are generated parameter markdowns for Azure Commercial Cloud, this same module can still be used in Azure China. Example parameter are in the [parameters](./parameters/) folder. + +## Outputs + +The module does not generate any outputs. + +## Deployment + +> For the examples below we assume you have downloaded or cloned the Git repo as-is and are in the root of the repository as your selected directory in your terminal of choice. + +### Deny Effect + +In this example, the `Deny-PublicIP` custom policy definition will be deployed/assigned to the `alz-landingzones` management group. 
+ +#### Azure CLI - Deny + +```bash +# For Azure global regions + +dateYMD=$(date +%Y%m%dT%H%M%S%NZ) +NAME="alz-alz-PolicyDenyAssignmentsDeployment-${dateYMD}" + +PARAMETERS="@infra-as-code/bicep/modules/policy/assignments/parameters/policyAssignmentManagementGroup.deny.parameters.all.json" +LOCATION="eastus" +MGID="alz-landingzones" +TEMPLATEFILE="infra-as-code/bicep/modules/policy/assignments/policyAssignmentManagementGroup.bicep" + +az deployment mg create --name ${NAME:0:63} --location $LOCATION --management-group-id $MGID --template-file $TEMPLATEFILE --parameters $PARAMETERS +``` +OR +```bash +# For Azure China regions + +dateYMD=$(date +%Y%m%dT%H%M%S%NZ) +NAME="alz-alz-PolicyDenyAssignmentsDeployment-${dateYMD}" + +PARAMETERS="@infra-as-code/bicep/modules/policy/assignments/parameters/policyAssignmentManagementGroup.deny.parameters.all.json" +LOCATION="chinaeast2" +MGID="alz-landingzones" +TEMPLATEFILE="infra-as-code/bicep/modules/policy/assignments/policyAssignmentManagementGroup.bicep" + +az deployment mg create --name ${NAME:0:63} --location $LOCATION --management-group-id $MGID --template-file $TEMPLATEFILE --parameters $PARAMETERS +``` + +#### PowerShell - Deny + +```powershell +# For Azure global regions + +$inputObject = @{ + DeploymentName = 'alz-PolicyDenyAssignments-{0}' -f (-join (Get-Date -Format 'yyyyMMddTHHMMssffffZ')[0..63]) + ManagementGroupId = 'alz-landingzones' + Location = 'eastus' + TemplateParameterFile = 'infra-as-code/bicep/modules/policy/assignments/parameters/policyAssignmentManagementGroup.deny.parameters.all.json' + TemplateFile = "infra-as-code/bicep/modules/policy/assignments/policyAssignmentManagementGroup.bicep" +} +New-AzManagementGroupDeployment @inputObject +``` +OR +```powershell +# For Azure China regions + +$inputObject = @{ + DeploymentName = 'alz-PolicyDenyAssignments-{0}' -f (-join (Get-Date -Format 'yyyyMMddTHHMMssffffZ')[0..63]) + ManagementGroupId = 'alz-landingzones' + Location = 'chinaeast2' + 
TemplateParameterFile = 'infra-as-code/bicep/modules/policy/assignments/parameters/policyAssignmentManagementGroup.deny.parameters.all.json' + TemplateFile = "infra-as-code/bicep/modules/policy/assignments/policyAssignmentManagementGroup.bicep" +} +New-AzManagementGroupDeployment @inputObject +``` + +### DeployIfNotExists Effect + +There are two different sets of input parameters files; one for deploying to Azure global regions, and another for deploying specifically to Azure China regions. This is due to a few Microsoft Defender for Cloud built-in policies which are not available in Azure China. + + | Azure Cloud | Bicep template | Input parameters file | + | -------------- | ------------------------------------- | --------------------------------------------------------------- | + | Global regions | policyAssignmentManagementGroup.bicep | parameters/policyAssignmentManagementGroup.dine.parameters.all.json | + | China regions | policyAssignmentManagementGroup.bicep | parameters/mc-policyAssignmentManagementGroup.dine.parameters.all.json | + + +In this example, the `Deploy-MDFC-Config` custom policy definition will be deployed/assigned to the `alz-landingzones` management group (intermediate root management group). 
And the managed identity associated with the policy will also be assigned to the `alz-platform` management group, as defined in the parameter file: `parameters/policyAssignmentManagementGroup.dine.parameters.all.json` or `parameters/mc-policyAssignmentManagementGroup.dine.parameters.all.json`
+#### Azure CLI - DINE
+
+```bash
+# For Azure global regions
+
+dateYMD=$(date +%Y%m%dT%H%M%S%NZ)
+NAME="alz-PolicyDineAssignments-${dateYMD}"
+LOCATION="eastus"
+MGID="alz-landingzones"
+TEMPLATEFILE="infra-as-code/bicep/modules/policy/assignments/policyAssignmentManagementGroup.bicep"
+PARAMETERS="@infra-as-code/bicep/modules/policy/assignments/parameters/policyAssignmentManagementGroup.dine.parameters.all.json"
+
+az deployment mg create --name $NAME --location $LOCATION --management-group-id $MGID --template-file $TEMPLATEFILE --parameters $PARAMETERS
+```
+OR
+```bash
+# For Azure China regions
+
+dateYMD=$(date +%Y%m%dT%H%M%S%NZ)
+NAME="alz-PolicyDineAssignments-${dateYMD}"
+LOCATION="eastus"
+MGID="alz-landingzones"
+TEMPLATEFILE="infra-as-code/bicep/modules/policy/assignments/policyAssignmentManagementGroup.bicep"
+PARAMETERS="@infra-as-code/bicep/modules/policy/assignments/parameters/policyAssignmentManagementGroup.dine.parameters.all.json"
+
+az deployment mg create --name $NAME --location $LOCATION --management-group-id $MGID --template-file $TEMPLATEFILE --parameters $PARAMETERS
+```
+
+#### PowerShell - DINE
+
+```powershell
+# For Azure global regions
+
+$inputObject = @{
+ DeploymentName = 'alz-PolicyDineAssignments-{0}' -f (-join (Get-Date -Format 'yyyyMMddTHHMMssffffZ')[0..63])
+ Location = 'eastus'
+ ManagementGroupId = 'alz-landingzones'
+ TemplateFile = "infra-as-code/bicep/modules/policy/assignments/policyAssignmentManagementGroup.bicep"
+ TemplateParameterFile = '@infra-as-code/bicep/modules/policy/assignments/parameters/policyAssignmentManagementGroup.dine.parameters.all.json'
+}
+
+New-AzManagementGroupDeployment @inputObject
+```
+OR
+```powershell
+# For Azure China regions
+
+$inputObject = @{
+ DeploymentName = 'alz-PolicyDineAssignments-{0}' -f (-join (Get-Date -Format 'yyyyMMddTHHMMssffffZ')[0..63])
+ Location = 'chinaeast2'
+ ManagementGroupId = 'alz-landingzones'
+ TemplateFile = "infra-as-code/bicep/modules/policy/assignments/policyAssignmentManagementGroup.bicep"
+ TemplateParameterFile = 'infra-as-code/bicep/modules/policy/assignments/parameters/mc-policyAssignmentManagementGroup.dine.parameters.all.json'
+}
+
+New-AzManagementGroupDeployment @inputObject
+```
+
+## Bicep Visualizer
+
+![Bicep Visualizer](media/bicepVisualizer.png "Bicep Visualizer")
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/alzDefaults/README.md b/dependencies/infra-as-code/bicep/modules/policy/assignments/alzDefaults/README.md
new file mode 100644
index 0000000..8d81092
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/alzDefaults/README.md
@@ -0,0 +1,86 @@
+# Module: ALZ Default Policy Assignments
+
+This module deploys the default Azure Landing Zone Azure Policy Assignments to the Management Group Hierarchy and also assigns the relevant RBAC for the system-assigned Managed Identities created for policies that require them (e.g DeployIfNotExist & Modify effect policies).
+
+Exclusion of specific ALZ default policies which does not fit your organization is supported, check out [Exclude specific policy assignments from ALZ Default Policy Assignments](https://github.com/Azure/ALZ-Bicep/wiki/AssigningPolicies#what-if-i-want-to-exclude-specific-policy-assignments-from-alz-default-policy-assignments)
+
+If you wish to add your own additional Azure Policy Assignments please review [How Does ALZ-Bicep Implement Azure Policies?](https://github.com/Azure/ALZ-Bicep/wiki/PolicyDeepDive) and more specifically [Adding Custom Azure Policy Definitions](https://github.com/Azure/ALZ-Bicep/wiki/AddingPolicyDefs)
+
+## Parameters
+
+- [Parameters for Azure Commercial Cloud](generateddocs/alzDefaultPolicyAssignments.bicep.md)
+- [Parameters for Azure China Cloud](generateddocs/mc-alzDefaultPolicyAssignments.bicep.md)
+
+## Outputs
+
+The module does not generate any outputs.
+
+## Deployment
+
+> For the examples below we assume you have downloaded or cloned the Git repo as-is and are in the root of the repository as your selected directory in your terminal of choice.
+
+> **Important:** If you decide to not use a DDoS Network Protection plan in your environment and therefore leave the parameter `parDdosProtectionPlanId` as an empty string (`''`) then the policy Enable-DDoS-VNET will not be assigned at connectivity or landing zone Management Groups to avoid VNET deployment issues. For deployment in Azure China, leave the parameter `parDdosProtectionPlanId` as an empty string (`''`) because the DDoS Protection feature is not available in Azure China.
+>
+> However, if you later do decide to deploy an DDoS Network Protection Plan, you will need to remember to come back and update the parameter `parDdosProtectionPlanId` with the resource ID of the DDoS Network Protection Plan to ensure the policy is applied to the relevant Management Groups. You can then use a policy [remediation task](https://docs.microsoft.com/azure/governance/policy/how-to/remediate-resources) to bring all non-compliant VNETs back into compliance, once a [compliance scan](https://docs.microsoft.com/azure/governance/policy/how-to/get-compliance-data#evaluation-triggers) has taken place.
+
+
+### Azure CLI
+```bash
+# For Azure global regions
+
+dateYMD=$(date +%Y%m%dT%H%M%S%NZ)
+NAME="alz-alzPolicyAssignmentDefaults-${dateYMD}"
+LOCATION="eastus"
+MGID="alz"
+TEMPLATEFILE="infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep"
+PARAMETERS="@infra-as-code/bicep/modules/policy/assignments/alzDefaults/parameters/alzDefaultPolicyAssignments.parameters.all.json"
+
+az deployment mg create --name ${NAME:0:63} --location $LOCATION --management-group-id $MGID --template-file $TEMPLATEFILE --parameters $PARAMETERS
+```
+OR
+```bash
+# For Azure China regions
+
+dateYMD=$(date +%Y%m%dT%H%M%S%NZ)
+NAME="alz-alzPolicyAssignmentDefaults-${dateYMD}"
+LOCATION="chinaeast2"
+MGID="alz"
+TEMPLATEFILE="infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep"
+PARAMETERS="@infra-as-code/bicep/modules/policy/assignments/alzDefaults/parameters/alzDefaultPolicyAssignments.parameters.all.json"
+
+az deployment mg create --name ${NAME:0:63} --location $LOCATION --management-group-id $MGID --template-file $TEMPLATEFILE --parameters $PARAMETERS
+```
+
+### PowerShell
+
+```powershell
+# For Azure global regions
+
+$inputObject = @{
+ DeploymentName = 'alz-alzPolicyAssignmentDefaultsDeployment-{0}' -f (-join (Get-Date -Format 'yyyyMMddTHHMMssffffZ')[0..63])
+ Location = 'eastus'
+ ManagementGroupId = 'alz'
+ TemplateFile = "infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep"
+ TemplateParameterFile = 'infra-as-code/bicep/modules/policy/assignments/alzDefaults/parameters/alzDefaultPolicyAssignments.parameters.all.json'
+}
+
+New-AzManagementGroupDeployment @inputObject
+```
+OR
+```powershell
+# For Azure China regions
+
+$inputObject = @{
+ DeploymentName = 'alzPolicyAssignmentDefaultsDeployment-{0}' -f (-join (Get-Date -Format 'yyyyMMddTHHMMssffffZ')[0..63])
+ Location = 'chinaeast2'
+ ManagementGroupId = 'alz'
+ TemplateFile = "infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep"
+ TemplateParameterFile = 'infra-as-code/bicep/modules/policy/assignments/alzDefaults/parameters/mc-alzDefaultPolicyAssignments.parameters.all.json'
+}
+
+New-AzManagementGroupDeployment @inputObject
+```
+
+## Bicep Visualizer
+
+![Bicep Visualizer](media/bicepVisualizer.png "Bicep Visualizer")
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep b/dependencies/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep
new file mode 100644
index 0000000..79c1ff9
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep
@@ -0,0 +1,1416 @@
+metadata name = 'ALZ Bicep - ALZ Default Policy Assignments'
+metadata description = 'This module will assign the ALZ Default Policy Assignments to the ALZ Management Group hierarchy'
+
+@sys.description('Prefix for the management group hierarchy.')
+@minLength(2)
+@maxLength(10)
+param parTopLevelManagementGroupPrefix string = 'alz'
+
+@sys.description('Optional suffix for the management group hierarchy. This suffix will be appended to management group names/IDs. Include a preceding dash if required. Example: -suffix')
+@maxLength(10)
+param parTopLevelManagementGroupSuffix string = ''
+
+@sys.description('Management, Identity and Connectivity Management Groups beneath Platform Management Group have been deployed. If set to false, platform policies are assigned to the Platform Management Group; otherwise policies are assigned to the child management groups.')
+param parPlatformMgAlzDefaultsEnable bool = true
+
+@sys.description('Corp & Online Management Groups beneath Landing Zones Management Groups have been deployed. If set to false, policies will not try to be assigned to corp or onlone Management Groups.')
+param parLandingZoneChildrenMgAlzDefaultsEnable bool = true
+
+@sys.description('The region where the Log Analytics Workspace & Automation Account are deployed.')
+param parLogAnalyticsWorkSpaceAndAutomationAccountLocation string = 'eastus'
+
+@sys.description('Log Analytics Workspace Resource ID.')
+param parLogAnalyticsWorkspaceResourceId string = ''
+
+@sys.description('Number of days of log retention for Log Analytics Workspace.')
+param parLogAnalyticsWorkspaceLogRetentionInDays string = '365'
+
+@sys.description('Automation account name.')
+param parAutomationAccountName string = 'alz-automation-account'
+
+@sys.description('An e-mail address that you want Microsoft Defender for Cloud alerts to be sent to.')
+param parMsDefenderForCloudEmailSecurityContact string = 'security_contact@replace_me.com'
+
+@sys.description('ID of the DdosProtectionPlan which will be applied to the Virtual Networks. If left empty, the policy Enable-DDoS-VNET will not be assigned at connectivity or landing zone Management Groups to avoid VNET deployment issues.')
+param parDdosProtectionPlanId string = ''
+
+@sys.description('Resource ID of the Resource Group that conatin the Private DNS Zones. If left empty, the policy Deploy-Private-DNS-Zones will not be assigned to the corp Management Group.')
+param parPrivateDnsResourceGroupId string = ''
+
+@sys.description('Provide an array/list of Private DNS Zones that you wish to audit if deployed into Subscriptions in the Corp Management Group. NOTE: The policy default values include all the static Private Link Private DNS Zones, e.g. all the DNS Zones that dont have a region or region shortcode in them. If you wish for these to be audited also you must provide a complete array/list to this parameter for ALL Private DNS Zones you wish to audit, including the static Private Link ones, as this parameter performs an overwrite operation. You can get all the Private DNS Zone Names form the `outPrivateDnsZonesNames` output in the Hub Networking or Private DNS Zone modules.')
+param parPrivateDnsZonesNamesToAuditInCorp array = []
+
+@sys.description('Set Enforcement Mode of all default Policies assignments to Do Not Enforce.')
+param parDisableAlzDefaultPolicies bool = false
+
+@sys.description('Name of the tag to use for excluding VMs from the scope of this policy. This should be used along with the Exclusion Tag Value parameter.')
+param parVmBackupExclusionTagName string = ''
+
+@sys.description('Value of the tag to use for excluding VMs from the scope of this policy (in case of multiple values, use a comma-separated list). This should be used along with the Exclusion Tag Name parameter.')
+param parVmBackupExclusionTagValue array = []
+
+@sys.description('Adding assignment definition names to this array will exclude the specific policies from assignment. Find the correct values to this array in the following documentation: https://github.com/Azure/ALZ-Bicep/wiki/AssigningPolicies#what-if-i-want-to-exclude-specific-policy-assignments-from-alz-default-policy-assignments')
+param parExcludedPolicyAssignments array = []
+
+@sys.description('Set Parameter to true to Opt-out of deployment telemetry')
+param parTelemetryOptOut bool = false
+
+var varLogAnalyticsWorkspaceName = split(parLogAnalyticsWorkspaceResourceId, '/')[8]
+
+var varLogAnalyticsWorkspaceResourceGroupName = split(parLogAnalyticsWorkspaceResourceId, '/')[4]
+
+var varLogAnalyticsWorkspaceSubscription = split(parLogAnalyticsWorkspaceResourceId, '/')[2]
+
+// Customer Usage Attribution Id Telemetry
+var varCuaid = '98cef979-5a6b-403b-83c7-10c8f04ac9a2'
+
+// ZTN Telemetry
+var varZtnP1CuaId = '4eaba1fc-d30a-4e63-a57f-9e6c3d86a318'
+var varZtnP1Trigger = ((!contains(parExcludedPolicyAssignments, varPolicyAssignmentDenySubnetWithoutNsg.libDefinition.name)) && (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDenyStoragehttp.libDefinition.name))) ? true : false
+
+// **Variables**
+// Orchestration Module Variables
+var varDeploymentNameWrappers = {
+ basePrefix: 'ALZBicep'
+ #disable-next-line no-loc-expr-outside-params //Policies resources are not deployed to a region, like other resources, but the metadata is stored in a region hence requiring this to keep input parameters reduced. See https://github.com/Azure/ALZ-Bicep/wiki/FAQ#why-are-some-linter-rules-disabled-via-the-disable-next-line-bicep-function for more information
+ baseSuffixTenantAndManagementGroup: '${deployment().location}-${uniqueString(deployment().location, parTopLevelManagementGroupPrefix)}'
+}
+
+var varModuleDeploymentNames = {
+ modPolicyAssignmentIntRootDeployMdfcConfig: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployMDFCConfig-intRoot-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+ modPolicyAssignmentIntRootDeployAzActivityLog: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployAzActivityLog-intRoot-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+ modPolicyAssignmentIntRootDeployAscMonitoring: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployASCMonitoring-intRoot-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+ modPolicyAssignmentIntRootDeployResourceDiag: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployResoruceDiag-intRoot-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+ modPolicyAssignmentIntRootDeployVmMonitoring: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployVMMonitoring-intRoot-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+ modPolicyAssignmentIntRootDeployVmssMonitoring: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployVMSSMonitoring-intRoot-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+ modPolicyAssignmentIntRootDeployMDEnpoints: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployMDEndpoints-intRoot-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+ modPolicyAssignmentIntRootEnforceAcsb: take('${varDeploymentNameWrappers.basePrefix}-polAssi-enforceAcsb-intRoot-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+ modPolicyAssignmentIntRootDeployMdfcOssDb: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployMdfcOssDb-intRoot-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+ modPolicyAssignmentIntRootDeployMdfcSqlAtp: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployMdfcSqlAtp-intRoot-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+ modPolicyAssignmentIntRootAuditUnusedRes: take('${varDeploymentNameWrappers.basePrefix}-polAssi-auditUnusedRes-intRoot-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+ modPolicyAssignmentIntRootDenyClassicRes: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyClassicRes-intRoot-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+ modPolicyAssignmentIntRootDenyUnmanagedDisks: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyUnmanagedDisks-intRoot-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+ modPolicyAssignmentConnEnableDdosVnet: take('${varDeploymentNameWrappers.basePrefix}-polAssi-enableDDoSVNET-conn-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+ modPolicyAssignmentIdentDenyPublicIp: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyPublicIP-ident-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+ modPolicyAssignmentIdentDenyMgmtPortsFromInternet: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyMgmtFromInet-ident-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+ modPolicyAssignmentIdentDenySubnetWithoutNsg: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denySubnetNoNSG-ident-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+ modPolicyAssignmentIdentDeployVmBackup: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployVMBackup-ident-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+ modPolicyAssignmentMgmtDeployLogAnalytics: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployLAW-mgmt-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+ modPolicyAssignmentLzsDenyIpForwarding: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyIPForward-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+ modPolicyAssignmentLzsDenyMgmtPortsFromInternet: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyMgmtFromInet-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+ modPolicyAssignmentLzsDenySubnetWithoutNsg: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denySubnetNoNSG-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+ modPolicyAssignmentLzsDeployVmBackup: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployVMBackup-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+ modPolicyAssignmentLzsEnableDdosVnet: take('${varDeploymentNameWrappers.basePrefix}-polAssi-enableDDoSVNET-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+ modPolicyAssignmentLzsDenyStorageHttp: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyStorageHttp-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+ modPolicyAssignmentLzsDeployAksPolicy: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployAKSPolicy-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+ modPolicyAssignmentLzsDenyPrivEscalationAks: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyPrivEscAKS-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+ modPolicyAssignmentLzsDenyPrivContainersAks: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyPrivConAKS-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+ modPolicyAssignmentLzsEnforceAksHttps: take('${varDeploymentNameWrappers.basePrefix}-polAssi-enforceAKSHTTPS-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+ modPolicyAssignmentLzsEnforceTlsSsl: take('${varDeploymentNameWrappers.basePrefix}-polAssi-enforceTLSSSL-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+ modPolicyAssignmentLzsDeploySqlDbAuditing: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deploySQLDBAudit-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+ modPolicyAssignmentLzsDeployAzSqlDbAuditing: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployAzSQLDBAudit-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+ modPolicyAssignmentLzsDeploySqlThreat: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deploySQLThreat-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+ modPolicyAssignmentLzsDeploySqlTde: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deploySQLTde-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+ modPolicyAssignmentLzsEnforceGrKeyVault: take('${varDeploymentNameWrappers.basePrefix}-polAssi-enforceGrKeyVault-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+ modPolicyAssignmentLzsAuditAppGwWaf: take('${varDeploymentNameWrappers.basePrefix}-polAssi-auditAppGwWaf-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+ modPolicyAssignmentLzsDenyPublicEndpoints: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyPublicEndpoints-corp-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 62)
+ modPolicyAssignmentLzsDeployPrivateDnsZones: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployPrivateDNS-corp-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 62)
+ modPolicyAssignmentLzsCorpDenyPipOnNic: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyPipOnNic-corp-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 62)
+ modPolicyAssignmentLzsCorpDenyHybridNet: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyHybridNet-corp-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 62)
+ modPolicyAssignmentLzsCorpAuditPeDnsZones: take('${varDeploymentNameWrappers.basePrefix}-polAssi-auditPeDnsZones-corp-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 62)
+ modPolicyAssignmentDecommEnforceAlz: take('${varDeploymentNameWrappers.basePrefix}-polAssi-enforceAlz-decomm-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+ modPolicyAssignmentSandboxEnforceAlz: take('${varDeploymentNameWrappers.basePrefix}-polAssi-enforceAlz-sbox-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+}
+
+// Policy Assignments Modules Variables
+
+var varPolicyAssignmentAuditAppGWWAF = {
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/564feb30-bf6a-4854-b4bb-0d2d2d1e6c66'
+ libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_audit_appgw_waf.tmpl.json')
+}
+
+var varPolicyAssignmentAuditPeDnsZones = {
+ definitionId: '${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Audit-PrivateLinkDnsZones'
+ libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_audit_pednszones.tmpl.json')
+}
+
+var varPolicyAssignmentAuditUnusedResources = {
+ definitionId: '${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/Audit-UnusedResourcesCostOptimization'
+ libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_audit_unusedresources.tmpl.json')
+}
+
+var varPolicyAssignmentDenyClassicResources = {
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749'
+ libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_classic-resources.tmpl.json')
+}
+
+var varPolicyAssignmentEnforceAKSHTTPS = {
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d'
+ libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_http_ingress_aks.tmpl.json')
+}
+
+var varPolicyAssignmentDenyHybridNetworking = {
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749'
+ libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_hybridnetworking.tmpl.json')
+}
+
+var varPolicyAssignmentDenyIPForwarding = {
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900'
+ libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_ip_forwarding.tmpl.json')
+}
+
+var varPolicyAssignmentDenyMgmtPortsInternet = {
+ definitionId: '${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-MgmtPorts-From-Internet'
+ libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_mgmtports_internet.tmpl.json')
+}
+
+var varPolicyAssignmentDenyPrivContainersAKS = {
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/95edb821-ddaf-4404-9732-666045e056b4'
+ libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_priv_containers_aks.tmpl.json')
+}
+
+var varPolicyAssignmentDenyPrivEscalationAKS = {
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/1c6e92c9-99f0-4e55-9cf2-0c234dc48f99'
+ libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_priv_escalation_aks.tmpl.json')
+}
+
+var varPolicyAssignmentDenyPublicEndpoints = {
+ definitionId: '${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/Deny-PublicPaaSEndpoints'
+ libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_public_endpoints.tmpl.json')
+}
+
+var varPolicyAssignmentDenyPublicIPOnNIC = {
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/83a86a26-fd1f-447c-b59d-e51f44264114'
+ libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_public_ip_on_nic.tmpl.json')
+}
+
+var varPolicyAssignmentDenyPublicIP = {
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749'
+ libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_public_ip.tmpl.json')
+}
+
+var varPolicyAssignmentDenyStoragehttp = {
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9'
+ libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_storage_http.tmpl.json')
+}
+
+var varPolicyAssignmentDenySubnetWithoutNsg = {
+ definitionId: '${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Nsg'
+ libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_subnet_without_nsg.tmpl.json')
+}
+
+var varPolicyAssignmentDenyUnmanagedDisk = {
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d'
+ libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_unmanageddisk.tmpl.json')
+}
+
+var varPolicyAssignmentDeployAKSPolicy = {
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7'
+ libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_aks_policy.tmpl.json')
+}
+
+var varPolicyAssignmentDeployASCMonitoring = {
+ definitionId: '/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8'
+ libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_asc_monitoring.tmpl.json')
+}
+
+var varPolicyAssignmentDeployAzActivityLog = {
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/2465583e-4e78-4c15-b6be-a36cbc7c8b0f'
+ libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_azactivity_log.tmpl.json')
+}
+
+var varPolicyAssignmentDeployAzSqlDbAuditing = {
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/25da7dfb-0666-4a15-a8f5-402127efd8bb'
+ libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_azsql_db_auditing.tmpl.json')
+}
+
+var varPolicyAssignmentDeployLogAnalytics = {
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/8e3e61b3-0b32-22d5-4edf-55f87fdb5955'
+ libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_log_analytics.tmpl.json')
+}
+
+var varPolicyAssignmentDeployMDEndpoints = {
+ definitionId: '/providers/Microsoft.Authorization/policySetDefinitions/e20d08c5-6d64-656d-6465-ce9e37fd0ebc'
+ libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_mdeendpoints.tmpl.json')
+}
+
+var varPolicyAssignmentDeployMDFCConfig = {
+ definitionId: '${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/Deploy-MDFC-Config'
+ libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_mdfc_config.tmpl.json')
+}
+
+var varPolicyAssignmentDeployMDFCOssDb = {
+ definitionId: '/providers/Microsoft.Authorization/policySetDefinitions/e77fc0b3-f7e9-4c58-bc13-cb753ed8e46e'
+ libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_mdfc_ossdb.tmpl.json')
+}
+
+var varPolicyAssignmentDeployMDFCSqlAtp = {
+ definitionId: '/providers/Microsoft.Authorization/policySetDefinitions/9cb3cc7a-b39b-4b82-bc89-e5a5d9ff7b97'
+ libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_mdfc_sqlatp.tmpl.json')
+}
+
+var varPolicyAssignmentDeployPrivateDNSZones = {
+ definitionId: '${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/Deploy-Private-DNS-Zones'
+ libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_private_dns_zones.tmpl.json')
+}
+
+var varPolicyAssignmentDeployResourceDiag = {
+ definitionId: '${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/Deploy-Diagnostics-LogAnalytics'
+ libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_resource_diag.tmpl.json')
+}
+
+var varPolicyAssignmentDeploySQLTDE = {
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/86a912f6-9a06-4e26-b447-11b16ba8659f'
+ libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_sql_tde.tmpl.json')
+}
+
+var varPolicyAssignmentDeploySQLThreat = {
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/36d49e87-48c4-4f2e-beed-ba4ed02b71f5'
+ libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_sql_threat.tmpl.json')
+}
+
+var varPolicyAssignmentDeployVMBackup = {
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/98d0b9f8-fd90-49c9-88e2-d3baf3b0dd86'
+ libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vm_backup.tmpl.json')
+}
+
+var varPolicyAssignmentDeployVMMonitoring = {
+ definitionId: '/providers/Microsoft.Authorization/policySetDefinitions/55f3eceb-5573-4f18-9695-226972c6d74a'
+ libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vm_monitoring.tmpl.json')
+}
+
+var varPolicyAssignmentDeployVMSSMonitoring = {
+ definitionId: '/providers/Microsoft.Authorization/policySetDefinitions/75714362-cae7-409e-9b99-a8e5075b7fad'
+ libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vmss_monitoring.tmpl.json')
+}
+
+var varPolicyAssignmentEnableDDoSVNET = {
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/94de2ad3-e0c1-4caf-ad78-5d47bbc83d3d'
+ libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_enable_ddos_vnet.tmpl.json')
+}
+
+var varPolicyAssignmentEnforceACSB = {
+ definitionId: '${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/Enforce-ACSB'
+ libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_acsb.tmpl.json')
+}
+
+var varPolicyAssignmentEnforceALZDecomm = {
+ definitionId: '${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/Enforce-ALZ-Decomm'
+ libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_alz_decomm.tmpl.json')
+}
+
+var varPolicyAssignmentEnforceALZSandbox = {
+ definitionId: '${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/Enforce-ALZ-Sandbox'
+ libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_alz_sandbox.tmpl.json')
+}
+
+var varPolicyAssignmentEnforceGRKeyVault = {
+ definitionId: '${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-KeyVault'
+ libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_gr_keyvault.tmpl.json')
+}
+
+var varPolicyAssignmentEnforceTLSSSL = {
+ definitionId: '${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit'
+ libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_tls_ssl.tmpl.json')
+}
+
+// RBAC Role Definitions Variables - Used For Policy Assignments
+var varRbacRoleDefinitionIds = {
+ owner: '8e3af657-a8ff-443c-a75c-2fe8c4bcb635'
+ contributor: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
+ networkContributor: '4d97b98b-1d4f-4787-a291-c67834d212e7'
+ aksContributor: 'ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8'
+ logAnalyticsContributor: '92aaf0da-9dab-42b6-94a3-d43ce8d16293'
+ sqlSecurityManager: '056cd41c-7e88-42e1-933e-88ba6a50c9c3'
+ vmContributor: '9980e02c-c2be-4d73-94e8-173b1dc7cf3c'
+}
+
+// Management Groups Variables - Used For Policy Assignments
+var varManagementGroupIds = {
+ intRoot: '${parTopLevelManagementGroupPrefix}${parTopLevelManagementGroupSuffix}'
+ platform: '${parTopLevelManagementGroupPrefix}-platform${parTopLevelManagementGroupSuffix}'
+ platformManagement: parPlatformMgAlzDefaultsEnable ? '${parTopLevelManagementGroupPrefix}-platform-management${parTopLevelManagementGroupSuffix}' : '${parTopLevelManagementGroupPrefix}-platform${parTopLevelManagementGroupSuffix}'
+ platformConnectivity: parPlatformMgAlzDefaultsEnable ? '${parTopLevelManagementGroupPrefix}-platform-connectivity${parTopLevelManagementGroupSuffix}' : '${parTopLevelManagementGroupPrefix}-platform${parTopLevelManagementGroupSuffix}'
+ platformIdentity: parPlatformMgAlzDefaultsEnable ? '${parTopLevelManagementGroupPrefix}-platform-identity${parTopLevelManagementGroupSuffix}' : '${parTopLevelManagementGroupPrefix}-platform${parTopLevelManagementGroupSuffix}'
+ landingZones: '${parTopLevelManagementGroupPrefix}-landingzones${parTopLevelManagementGroupSuffix}'
+ landingZonesCorp: '${parTopLevelManagementGroupPrefix}-landingzones-corp${parTopLevelManagementGroupSuffix}'
+ landingZonesOnline: '${parTopLevelManagementGroupPrefix}-landingzones-online${parTopLevelManagementGroupSuffix}'
+ landingZonesConfidentialCorp: '${parTopLevelManagementGroupPrefix}-landingzones-confidential-corp${parTopLevelManagementGroupSuffix}'
+ landingZonesConfidentialOnline: '${parTopLevelManagementGroupPrefix}-landingzones-confidential-online${parTopLevelManagementGroupSuffix}'
+ decommissioned: '${parTopLevelManagementGroupPrefix}-decommissioned${parTopLevelManagementGroupSuffix}'
+ sandbox: '${parTopLevelManagementGroupPrefix}-sandbox${parTopLevelManagementGroupSuffix}'
+}
+
+// Corp Management Groups - Used For Policy Assignments Restricting Public IPs
+var varCorpManagementGroupIds = [
+ varManagementGroupIds.landingZonesCorp
+ varManagementGroupIds.landingZonesConfidentialCorp
+]
+
+var varTopLevelManagementGroupResourceId = '/providers/Microsoft.Management/managementGroups/${varManagementGroupIds.intRoot}'
+
+// Deploy-Private-DNS-Zones Variables
+
+var varPrivateDnsZonesResourceGroupSubscriptionId = !empty(parPrivateDnsResourceGroupId) ? split(parPrivateDnsResourceGroupId, '/')[2] : ''
+
+var varPrivateDnsZonesBaseResourceId = '${parPrivateDnsResourceGroupId}/providers/Microsoft.Network/privateDnsZones/'
+
+var varPrivateDnsZonesFinalResourceIds = {
+ azureFilePrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.afs.azure.net'
+ azureAutomationWebhookPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.azure-automation.net'
+ azureAutomationDSCHybridPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.azure-automation.net'
+ azureCosmosSQLPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.documents.azure.com'
+ azureCosmosMongoPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.mongo.cosmos.azure.com'
+ azureCosmosCassandraPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.cassandra.cosmos.azure.com'
+ azureCosmosGremlinPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.gremlin.cosmos.azure.com'
+ azureCosmosTablePrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.table.cosmos.azure.com'
+ azureDataFactoryPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.datafactory.azure.net'
+ azureDataFactoryPortalPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.adf.azure.com'
+ azureHDInsightPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.azurehdinsight.net'
+ azureMigratePrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.prod.migration.windowsazure.com'
+ azureStorageBlobPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.blob.core.windows.net'
+ azureStorageBlobSecPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.blob.core.windows.net'
+ azureStorageQueuePrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.queue.core.windows.net'
+ azureStorageQueueSecPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.queue.core.windows.net'
+ azureStorageFilePrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.file.core.windows.net'
+ azureStorageStaticWebPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.web.core.windows.net'
+ azureStorageStaticWebSecPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.web.core.windows.net'
+ azureStorageDFSPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.dfs.core.windows.net'
+ azureStorageDFSSecPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.dfs.core.windows.net'
+ azureSynapseSQLPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.sql.azuresynapse.net'
+ azureSynapseSQLODPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.sql.azuresynapse.net'
+ azureSynapseDevPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.dev.azuresynapse.net'
+ azureMediaServicesKeyPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.media.azure.net'
+ azureMediaServicesLivePrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.media.azure.net'
+ azureMediaServicesStreamPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.media.azure.net'
+ azureMonitorPrivateDnsZoneId1: '${varPrivateDnsZonesBaseResourceId}privatelink.monitor.azure.com'
+ azureMonitorPrivateDnsZoneId2: '${varPrivateDnsZonesBaseResourceId}privatelink.oms.opinsights.azure.com'
+ azureMonitorPrivateDnsZoneId3: '${varPrivateDnsZonesBaseResourceId}privatelink.ods.opinsights.azure.com'
+ azureMonitorPrivateDnsZoneId4: '${varPrivateDnsZonesBaseResourceId}privatelink.agentsvc.azure-automation.net'
+ azureMonitorPrivateDnsZoneId5: '${varPrivateDnsZonesBaseResourceId}privatelink.blob.core.windows.net'
+ azureWebPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.webpubsub.azure.com'
+ azureBatchPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.batch.azure.com'
+ azureAppPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.azconfig.io'
+ azureAsrPrivateDnsZoneId: 
'${varPrivateDnsZonesBaseResourceId}privatelink.siterecovery.windowsazure.com' + azureIotPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.azure-devices-provisioning.net' + azureKeyVaultPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.vaultcore.azure.net' + azureSignalRPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.service.signalr.net' + azureAppServicesPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.azurewebsites.net' + azureEventGridTopicsPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.eventgrid.azure.net' + azureDiskAccessPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.blob.core.windows.net' + azureCognitiveServicesPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.cognitiveservices.azure.com' + azureIotHubsPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.azure-devices.net' + azureEventGridDomainsPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.eventgrid.azure.net' + azureRedisCachePrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.redis.cache.windows.net' + azureAcrPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.azurecr.io' + azureEventHubNamespacePrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.servicebus.windows.net' + azureMachineLearningWorkspacePrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.api.azureml.ms' + azureServiceBusNamespacePrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.servicebus.windows.net' + azureCognitiveSearchPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.search.windows.net' +} + +// **Scope** +targetScope = 'managementGroup' + +// Optional Deployments for Customer Usage Attribution +module modCustomerUsageAttribution '../../../../CRML/customerUsageAttribution/cuaIdManagementGroup.bicep' = if (!parTelemetryOptOut) { + #disable-next-line no-loc-expr-outside-params //Only to ensure 
telemetry data is stored in same location as deployment. See https://github.com/Azure/ALZ-Bicep/wiki/FAQ#why-are-some-linter-rules-disabled-via-the-disable-next-line-bicep-function for more information + name: 'pid-${varCuaid}-${uniqueString(deployment().location)}' + params: {} +} + +module modCustomerUsageAttributionZtnP1 '../../../../CRML/customerUsageAttribution/cuaIdManagementGroup.bicep' = if (!parTelemetryOptOut && varZtnP1Trigger) { + #disable-next-line no-loc-expr-outside-params //Only to ensure telemetry data is stored in same location as deployment. See https://github.com/Azure/ALZ-Bicep/wiki/FAQ#why-are-some-linter-rules-disabled-via-the-disable-next-line-bicep-function for more information + name: 'pid-${varZtnP1CuaId}-${uniqueString(deployment().location)}' + params: {} +} + +// Modules - Policy Assignments - Intermediate Root Management Group +// Module - Policy Assignment - Deploy-MDFC-Config +module modPolicyAssignmentIntRootDeployMdfcConfig '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDeployMDFCConfig.libDefinition.name)) { + scope: managementGroup(varManagementGroupIds.intRoot) + name: varModuleDeploymentNames.modPolicyAssignmentIntRootDeployMdfcConfig + params: { + parPolicyAssignmentDefinitionId: varPolicyAssignmentDeployMDFCConfig.definitionId + parPolicyAssignmentName: varPolicyAssignmentDeployMDFCConfig.libDefinition.name + parPolicyAssignmentDisplayName: varPolicyAssignmentDeployMDFCConfig.libDefinition.properties.displayName + parPolicyAssignmentDescription: varPolicyAssignmentDeployMDFCConfig.libDefinition.properties.description + parPolicyAssignmentParameters: varPolicyAssignmentDeployMDFCConfig.libDefinition.properties.parameters + parPolicyAssignmentParameterOverrides: { + emailSecurityContact: { + value: parMsDefenderForCloudEmailSecurityContact + } + ascExportResourceGroupLocation: { + value: parLogAnalyticsWorkSpaceAndAutomationAccountLocation + 
} + logAnalytics: { + value: parLogAnalyticsWorkspaceResourceId + } + } + parPolicyAssignmentIdentityType: varPolicyAssignmentDeployMDFCConfig.libDefinition.identity.type + parPolicyAssignmentIdentityRoleDefinitionIds: [ + varRbacRoleDefinitionIds.owner + ] + parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentDeployMDFCConfig.libDefinition.properties.enforcementMode + parTelemetryOptOut: parTelemetryOptOut + } +} + +// Module - Policy Assignment - Deploy-MDEndpoints +module modPolicyAssignmentIntRootDeployMDEnpoints '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDeployMDEndpoints.libDefinition.name)) { + scope: managementGroup(varManagementGroupIds.intRoot) + name: varModuleDeploymentNames.modPolicyAssignmentIntRootDeployMDEnpoints + params: { + parPolicyAssignmentDefinitionId: varPolicyAssignmentDeployMDEndpoints.definitionId + parPolicyAssignmentName: varPolicyAssignmentDeployMDEndpoints.libDefinition.name + parPolicyAssignmentDisplayName: varPolicyAssignmentDeployMDEndpoints.libDefinition.properties.displayName + parPolicyAssignmentDescription: varPolicyAssignmentDeployMDEndpoints.libDefinition.properties.description + parPolicyAssignmentParameters: varPolicyAssignmentDeployMDEndpoints.libDefinition.properties.parameters + parPolicyAssignmentIdentityType: varPolicyAssignmentDeployMDEndpoints.libDefinition.identity.type + parPolicyAssignmentIdentityRoleDefinitionIds: [ + varRbacRoleDefinitionIds.contributor + ] + parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 
'DoNotEnforce' : varPolicyAssignmentDeployMDEndpoints.libDefinition.properties.enforcementMode + parTelemetryOptOut: parTelemetryOptOut + } +} + +// Module - Policy Assignment - Deploy-AzActivity-Log +module modPolicyAssignmentIntRootDeployAzActivityLog '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDeployAzActivityLog.libDefinition.name)) { + scope: managementGroup(varManagementGroupIds.intRoot) + name: varModuleDeploymentNames.modPolicyAssignmentIntRootDeployAzActivityLog + params: { + parPolicyAssignmentDefinitionId: varPolicyAssignmentDeployAzActivityLog.definitionId + parPolicyAssignmentName: varPolicyAssignmentDeployAzActivityLog.libDefinition.name + parPolicyAssignmentDisplayName: varPolicyAssignmentDeployAzActivityLog.libDefinition.properties.displayName + parPolicyAssignmentDescription: varPolicyAssignmentDeployAzActivityLog.libDefinition.properties.description + parPolicyAssignmentParameters: varPolicyAssignmentDeployAzActivityLog.libDefinition.properties.parameters + parPolicyAssignmentParameterOverrides: { + logAnalytics: { + value: parLogAnalyticsWorkspaceResourceId + } + } + parPolicyAssignmentIdentityType: varPolicyAssignmentDeployAzActivityLog.libDefinition.identity.type + parPolicyAssignmentIdentityRoleDefinitionIds: [ + varRbacRoleDefinitionIds.owner + ] + parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 
'DoNotEnforce' : varPolicyAssignmentDeployAzActivityLog.libDefinition.properties.enforcementMode + parTelemetryOptOut: parTelemetryOptOut + } +} + +// Module - Policy Assignment - Deploy-ASC-Monitoring +module modPolicyAssignmentIntRootDeployAscMonitoring '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDeployASCMonitoring.libDefinition.name)) { + scope: managementGroup(varManagementGroupIds.intRoot) + name: varModuleDeploymentNames.modPolicyAssignmentIntRootDeployAscMonitoring + params: { + parPolicyAssignmentDefinitionId: varPolicyAssignmentDeployASCMonitoring.definitionId + parPolicyAssignmentName: varPolicyAssignmentDeployASCMonitoring.libDefinition.name + parPolicyAssignmentDisplayName: varPolicyAssignmentDeployASCMonitoring.libDefinition.properties.displayName + parPolicyAssignmentDescription: varPolicyAssignmentDeployASCMonitoring.libDefinition.properties.description + parPolicyAssignmentParameters: varPolicyAssignmentDeployASCMonitoring.libDefinition.properties.parameters + parPolicyAssignmentIdentityType: varPolicyAssignmentDeployASCMonitoring.libDefinition.identity.type + parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 
'DoNotEnforce' : varPolicyAssignmentDeployASCMonitoring.libDefinition.properties.enforcementMode + parTelemetryOptOut: parTelemetryOptOut + } +} + +// Module - Policy Assignment - Deploy-Resource-Diag +module modPolicyAssignmentIntRootDeployResourceDiag '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDeployResourceDiag.libDefinition.name)) { + scope: managementGroup(varManagementGroupIds.intRoot) + name: varModuleDeploymentNames.modPolicyAssignmentIntRootDeployResourceDiag + params: { + parPolicyAssignmentDefinitionId: varPolicyAssignmentDeployResourceDiag.definitionId + parPolicyAssignmentName: varPolicyAssignmentDeployResourceDiag.libDefinition.name + parPolicyAssignmentDisplayName: varPolicyAssignmentDeployResourceDiag.libDefinition.properties.displayName + parPolicyAssignmentDescription: varPolicyAssignmentDeployResourceDiag.libDefinition.properties.description + parPolicyAssignmentParameters: varPolicyAssignmentDeployResourceDiag.libDefinition.properties.parameters + parPolicyAssignmentParameterOverrides: { + logAnalytics: { + value: parLogAnalyticsWorkspaceResourceId + } + } + parPolicyAssignmentIdentityType: varPolicyAssignmentDeployResourceDiag.libDefinition.identity.type + parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 
'DoNotEnforce' : varPolicyAssignmentDeployResourceDiag.libDefinition.properties.enforcementMode + parPolicyAssignmentIdentityRoleDefinitionIds: [ + varRbacRoleDefinitionIds.owner + ] + parTelemetryOptOut: parTelemetryOptOut + } +} + +// Module - Policy Assignment - Deploy-VM-Monitoring +module modPolicyAssignmentIntRootDeployVmMonitoring '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDeployVMMonitoring.libDefinition.name)) { + scope: managementGroup(varManagementGroupIds.intRoot) + name: varModuleDeploymentNames.modPolicyAssignmentIntRootDeployVmMonitoring + params: { + parPolicyAssignmentDefinitionId: varPolicyAssignmentDeployVMMonitoring.definitionId + parPolicyAssignmentName: varPolicyAssignmentDeployVMMonitoring.libDefinition.name + parPolicyAssignmentDisplayName: varPolicyAssignmentDeployVMMonitoring.libDefinition.properties.displayName + parPolicyAssignmentDescription: varPolicyAssignmentDeployVMMonitoring.libDefinition.properties.description + parPolicyAssignmentParameters: varPolicyAssignmentDeployVMMonitoring.libDefinition.properties.parameters + parPolicyAssignmentParameterOverrides: { + logAnalytics_1: { + value: parLogAnalyticsWorkspaceResourceId + } + } + parPolicyAssignmentIdentityType: varPolicyAssignmentDeployVMMonitoring.libDefinition.identity.type + parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 
'DoNotEnforce' : varPolicyAssignmentDeployVMMonitoring.libDefinition.properties.enforcementMode + parPolicyAssignmentIdentityRoleDefinitionIds: [ + varRbacRoleDefinitionIds.owner + ] + parTelemetryOptOut: parTelemetryOptOut + } +} + +// Module - Policy Assignment - Deploy-VMSS-Monitoring +module modPolicyAssignmentIntRootDeployVmssMonitoring '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDeployVMSSMonitoring.libDefinition.name)) { + scope: managementGroup(varManagementGroupIds.intRoot) + name: varModuleDeploymentNames.modPolicyAssignmentIntRootDeployVmssMonitoring + params: { + parPolicyAssignmentDefinitionId: varPolicyAssignmentDeployVMSSMonitoring.definitionId + parPolicyAssignmentName: varPolicyAssignmentDeployVMSSMonitoring.libDefinition.name + parPolicyAssignmentDisplayName: varPolicyAssignmentDeployVMSSMonitoring.libDefinition.properties.displayName + parPolicyAssignmentDescription: varPolicyAssignmentDeployVMSSMonitoring.libDefinition.properties.description + parPolicyAssignmentParameters: varPolicyAssignmentDeployVMSSMonitoring.libDefinition.properties.parameters + parPolicyAssignmentParameterOverrides: { + logAnalytics_1: { + value: parLogAnalyticsWorkspaceResourceId + } + } + parPolicyAssignmentIdentityType: varPolicyAssignmentDeployVMSSMonitoring.libDefinition.identity.type + parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 
'DoNotEnforce' : varPolicyAssignmentDeployVMSSMonitoring.libDefinition.properties.enforcementMode + parPolicyAssignmentIdentityRoleDefinitionIds: [ + varRbacRoleDefinitionIds.owner + ] + parTelemetryOptOut: parTelemetryOptOut + } +} + +// Module - Policy Assignment - Enforce-ACSB +module modPolicyAssignmentIntRootEnforceAcsb '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentEnforceACSB.libDefinition.name)) { + scope: managementGroup(varManagementGroupIds.intRoot) + name: varModuleDeploymentNames.modPolicyAssignmentIntRootEnforceAcsb + params: { + parPolicyAssignmentDefinitionId: varPolicyAssignmentEnforceACSB.definitionId + parPolicyAssignmentName: varPolicyAssignmentEnforceACSB.libDefinition.name + parPolicyAssignmentDisplayName: varPolicyAssignmentEnforceACSB.libDefinition.properties.displayName + parPolicyAssignmentDescription: varPolicyAssignmentEnforceACSB.libDefinition.properties.description + parPolicyAssignmentParameters: varPolicyAssignmentEnforceACSB.libDefinition.properties.parameters + parPolicyAssignmentIdentityType: varPolicyAssignmentEnforceACSB.libDefinition.identity.type + parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 
'DoNotEnforce' : varPolicyAssignmentEnforceACSB.libDefinition.properties.enforcementMode + parPolicyAssignmentIdentityRoleDefinitionIds: [ + varRbacRoleDefinitionIds.contributor + ] + parTelemetryOptOut: parTelemetryOptOut + } +} + +// Module - Policy Assignment - Deploy-MDFC-OssDb +module modPolicyAssignmentIntRootDeployMdfcOssDb '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDeployMDFCOssDb.libDefinition.name)) { + scope: managementGroup(varManagementGroupIds.intRoot) + name: varModuleDeploymentNames.modPolicyAssignmentIntRootDeployMdfcOssDb + params: { + parPolicyAssignmentDefinitionId: varPolicyAssignmentDeployMDFCOssDb.definitionId + parPolicyAssignmentName: varPolicyAssignmentDeployMDFCOssDb.libDefinition.name + parPolicyAssignmentDisplayName: varPolicyAssignmentDeployMDFCOssDb.libDefinition.properties.displayName + parPolicyAssignmentDescription: varPolicyAssignmentDeployMDFCOssDb.libDefinition.properties.description + parPolicyAssignmentParameters: varPolicyAssignmentDeployMDFCOssDb.libDefinition.properties.parameters + parPolicyAssignmentIdentityType: varPolicyAssignmentDeployMDFCOssDb.libDefinition.identity.type + parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 
'DoNotEnforce' : varPolicyAssignmentDeployMDFCOssDb.libDefinition.properties.enforcementMode + parPolicyAssignmentIdentityRoleDefinitionIds: [ + varRbacRoleDefinitionIds.contributor + ] + parTelemetryOptOut: parTelemetryOptOut + } +} + +// Module - Policy Assignment - Deploy-MDFC-SqlAtp +module modPolicyAssignmentIntRootDeployMdfcSqlAtp '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDeployMDFCSqlAtp.libDefinition.name)) { + scope: managementGroup(varManagementGroupIds.intRoot) + name: varModuleDeploymentNames.modPolicyAssignmentIntRootDeployMdfcSqlAtp + params: { + parPolicyAssignmentDefinitionId: varPolicyAssignmentDeployMDFCSqlAtp.definitionId + parPolicyAssignmentName: varPolicyAssignmentDeployMDFCSqlAtp.libDefinition.name + parPolicyAssignmentDisplayName: varPolicyAssignmentDeployMDFCSqlAtp.libDefinition.properties.displayName + parPolicyAssignmentDescription: varPolicyAssignmentDeployMDFCSqlAtp.libDefinition.properties.description + parPolicyAssignmentParameters: varPolicyAssignmentDeployMDFCSqlAtp.libDefinition.properties.parameters + parPolicyAssignmentIdentityType: varPolicyAssignmentDeployMDFCSqlAtp.libDefinition.identity.type + parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 
'DoNotEnforce' : varPolicyAssignmentDeployMDFCSqlAtp.libDefinition.properties.enforcementMode + parPolicyAssignmentIdentityRoleDefinitionIds: [ + varRbacRoleDefinitionIds.sqlSecurityManager + ] + parTelemetryOptOut: parTelemetryOptOut + } +} + +// Module - Policy Assignment - Audit-UnusedResources +module modPolicyAssignmentIntRootAuditUnusedRes '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentAuditUnusedResources.libDefinition.name)) { + scope: managementGroup(varManagementGroupIds.intRoot) + name: varModuleDeploymentNames.modPolicyAssignmentIntRootAuditUnusedRes + params: { + parPolicyAssignmentDefinitionId: varPolicyAssignmentAuditUnusedResources.definitionId + parPolicyAssignmentName: varPolicyAssignmentAuditUnusedResources.libDefinition.name + parPolicyAssignmentDisplayName: varPolicyAssignmentAuditUnusedResources.libDefinition.properties.displayName + parPolicyAssignmentDescription: varPolicyAssignmentAuditUnusedResources.libDefinition.properties.description + parPolicyAssignmentParameters: varPolicyAssignmentAuditUnusedResources.libDefinition.properties.parameters + parPolicyAssignmentIdentityType: varPolicyAssignmentAuditUnusedResources.libDefinition.identity.type + parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 
'DoNotEnforce' : varPolicyAssignmentAuditUnusedResources.libDefinition.properties.enforcementMode + parTelemetryOptOut: parTelemetryOptOut + } +} + +// Module - Policy Assignment - Deny-UnmanagedDisk +module modPolicyAssignmentIntRootDenyUnmanagedDisks '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDenyUnmanagedDisk.libDefinition.name)) { + scope: managementGroup(varManagementGroupIds.intRoot) + name: varModuleDeploymentNames.modPolicyAssignmentIntRootDenyUnmanagedDisks + params: { + parPolicyAssignmentDefinitionId: varPolicyAssignmentDenyUnmanagedDisk.definitionId + parPolicyAssignmentName: varPolicyAssignmentDenyUnmanagedDisk.libDefinition.name + parPolicyAssignmentDisplayName: varPolicyAssignmentDenyUnmanagedDisk.libDefinition.properties.displayName + parPolicyAssignmentDescription: varPolicyAssignmentDenyUnmanagedDisk.libDefinition.properties.description + parPolicyAssignmentParameters: varPolicyAssignmentDenyUnmanagedDisk.libDefinition.properties.parameters + parPolicyAssignmentIdentityType: varPolicyAssignmentDenyUnmanagedDisk.libDefinition.identity.type + parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 
'DoNotEnforce' : varPolicyAssignmentDenyUnmanagedDisk.libDefinition.properties.enforcementMode + parPolicyAssignmentOverrides: varPolicyAssignmentDenyUnmanagedDisk.libDefinition.properties.overrides + parTelemetryOptOut: parTelemetryOptOut + } +} + +// Module - Policy Assignment - Deny-Classic-Resources +module modPolicyAssignmentIntRootDenyClassicRes '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDenyClassicResources.libDefinition.name)) { + scope: managementGroup(varManagementGroupIds.intRoot) + name: varModuleDeploymentNames.modPolicyAssignmentIntRootDenyClassicRes + params: { + parPolicyAssignmentDefinitionId: varPolicyAssignmentDenyClassicResources.definitionId + parPolicyAssignmentName: varPolicyAssignmentDenyClassicResources.libDefinition.name + parPolicyAssignmentDisplayName: varPolicyAssignmentDenyClassicResources.libDefinition.properties.displayName + parPolicyAssignmentDescription: varPolicyAssignmentDenyClassicResources.libDefinition.properties.description + parPolicyAssignmentParameters: varPolicyAssignmentDenyClassicResources.libDefinition.properties.parameters + parPolicyAssignmentIdentityType: varPolicyAssignmentDenyClassicResources.libDefinition.identity.type + parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 
'DoNotEnforce' : varPolicyAssignmentDenyClassicResources.libDefinition.properties.enforcementMode + parTelemetryOptOut: parTelemetryOptOut + } +} + +// Modules - Policy Assignments - Connectivity Management Group +// Module - Policy Assignment - Enable-DDoS-VNET +module modPolicyAssignmentConnEnableDdosVnet '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if ((!empty(parDdosProtectionPlanId)) && (!contains(parExcludedPolicyAssignments, varPolicyAssignmentEnableDDoSVNET.libDefinition.name))) { + scope: managementGroup(varManagementGroupIds.platformConnectivity) + name: varModuleDeploymentNames.modPolicyAssignmentConnEnableDdosVnet + params: { + parPolicyAssignmentDefinitionId: varPolicyAssignmentEnableDDoSVNET.definitionId + parPolicyAssignmentName: varPolicyAssignmentEnableDDoSVNET.libDefinition.name + parPolicyAssignmentDisplayName: varPolicyAssignmentEnableDDoSVNET.libDefinition.properties.displayName + parPolicyAssignmentDescription: varPolicyAssignmentEnableDDoSVNET.libDefinition.properties.description + parPolicyAssignmentParameters: varPolicyAssignmentEnableDDoSVNET.libDefinition.properties.parameters + parPolicyAssignmentParameterOverrides: { + ddosPlan: { + value: parDdosProtectionPlanId + } + } + parPolicyAssignmentIdentityType: varPolicyAssignmentEnableDDoSVNET.libDefinition.identity.type + parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 
'DoNotEnforce' : varPolicyAssignmentEnableDDoSVNET.libDefinition.properties.enforcementMode + parPolicyAssignmentIdentityRoleDefinitionIds: [ + varRbacRoleDefinitionIds.networkContributor + ] + parTelemetryOptOut: parTelemetryOptOut + } +} + +// Modules - Policy Assignments - Identity Management Group +// Module - Policy Assignment - Deny-Public-IP +module modPolicyAssignmentIdentDenyPublicIp '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDenyPublicIP.libDefinition.name)) { + scope: managementGroup(varManagementGroupIds.platformIdentity) + name: varModuleDeploymentNames.modPolicyAssignmentIdentDenyPublicIp + params: { + parPolicyAssignmentDefinitionId: varPolicyAssignmentDenyPublicIP.definitionId + parPolicyAssignmentName: varPolicyAssignmentDenyPublicIP.libDefinition.name + parPolicyAssignmentDisplayName: varPolicyAssignmentDenyPublicIP.libDefinition.properties.displayName + parPolicyAssignmentDescription: varPolicyAssignmentDenyPublicIP.libDefinition.properties.description + parPolicyAssignmentParameters: varPolicyAssignmentDenyPublicIP.libDefinition.properties.parameters + parPolicyAssignmentIdentityType: varPolicyAssignmentDenyPublicIP.libDefinition.identity.type + parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 
'DoNotEnforce' : varPolicyAssignmentDenyPublicIP.libDefinition.properties.enforcementMode + parTelemetryOptOut: parTelemetryOptOut + } +} + +// Module - Policy Assignment - Deny-MgmtPorts-Internet +module modPolicyAssignmentIdentDenyMgmtFromInternet '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDenyMgmtPortsInternet.libDefinition.name)) { + scope: managementGroup(varManagementGroupIds.platformIdentity) + name: varModuleDeploymentNames.modPolicyAssignmentIdentDenyMgmtPortsFromInternet + params: { + parPolicyAssignmentDefinitionId: varPolicyAssignmentDenyMgmtPortsInternet.definitionId + parPolicyAssignmentName: varPolicyAssignmentDenyMgmtPortsInternet.libDefinition.name + parPolicyAssignmentDisplayName: varPolicyAssignmentDenyMgmtPortsInternet.libDefinition.properties.displayName + parPolicyAssignmentDescription: varPolicyAssignmentDenyMgmtPortsInternet.libDefinition.properties.description + parPolicyAssignmentParameters: varPolicyAssignmentDenyMgmtPortsInternet.libDefinition.properties.parameters + parPolicyAssignmentIdentityType: varPolicyAssignmentDenyMgmtPortsInternet.libDefinition.identity.type + parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 
'DoNotEnforce' : varPolicyAssignmentDenyMgmtPortsInternet.libDefinition.properties.enforcementMode + parTelemetryOptOut: parTelemetryOptOut + } +} + +// Module - Policy Assignment - Deny-Subnet-Without-Nsg +module modPolicyAssignmentIdentDenySubnetWithoutNsg '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDenySubnetWithoutNsg.libDefinition.name)) { + scope: managementGroup(varManagementGroupIds.platformIdentity) + name: varModuleDeploymentNames.modPolicyAssignmentIdentDenySubnetWithoutNsg + params: { + parPolicyAssignmentDefinitionId: varPolicyAssignmentDenySubnetWithoutNsg.definitionId + parPolicyAssignmentName: varPolicyAssignmentDenySubnetWithoutNsg.libDefinition.name + parPolicyAssignmentDisplayName: varPolicyAssignmentDenySubnetWithoutNsg.libDefinition.properties.displayName + parPolicyAssignmentDescription: varPolicyAssignmentDenySubnetWithoutNsg.libDefinition.properties.description + parPolicyAssignmentParameters: varPolicyAssignmentDenySubnetWithoutNsg.libDefinition.properties.parameters + parPolicyAssignmentIdentityType: varPolicyAssignmentDenySubnetWithoutNsg.libDefinition.identity.type + parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 
'DoNotEnforce' : varPolicyAssignmentDenySubnetWithoutNsg.libDefinition.properties.enforcementMode + parTelemetryOptOut: parTelemetryOptOut + } +} + +// Module - Policy Assignment - Deploy-VM-Backup +module modPolicyAssignmentIdentDeployVmBackup '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDeployVMBackup.libDefinition.name)) { + scope: managementGroup(varManagementGroupIds.platformIdentity) + name: varModuleDeploymentNames.modPolicyAssignmentIdentDeployVmBackup + params: { + parPolicyAssignmentDefinitionId: varPolicyAssignmentDeployVMBackup.definitionId + parPolicyAssignmentName: varPolicyAssignmentDeployVMBackup.libDefinition.name + parPolicyAssignmentDisplayName: varPolicyAssignmentDeployVMBackup.libDefinition.properties.displayName + parPolicyAssignmentDescription: varPolicyAssignmentDeployVMBackup.libDefinition.properties.description + parPolicyAssignmentParameters: varPolicyAssignmentDeployVMBackup.libDefinition.properties.parameters + parPolicyAssignmentParameterOverrides: { + exclusionTagName: { + value: parVmBackupExclusionTagName + } + exclusionTagValue: { + value: parVmBackupExclusionTagValue + } + } + parPolicyAssignmentIdentityType: varPolicyAssignmentDeployVMBackup.libDefinition.identity.type + parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 
'DoNotEnforce' : varPolicyAssignmentDeployVMBackup.libDefinition.properties.enforcementMode + parPolicyAssignmentIdentityRoleDefinitionIds: [ + varRbacRoleDefinitionIds.owner + ] + parTelemetryOptOut: parTelemetryOptOut + } +} + +// Modules - Policy Assignments - Management Management Group +// Module - Policy Assignment - Deploy-Log-Analytics +module modPolicyAssignmentMgmtDeployLogAnalytics '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDeployLogAnalytics.libDefinition.name)) { + scope: managementGroup(varManagementGroupIds.platformManagement) + name: varModuleDeploymentNames.modPolicyAssignmentMgmtDeployLogAnalytics + params: { + parPolicyAssignmentDefinitionId: varPolicyAssignmentDeployLogAnalytics.definitionId + parPolicyAssignmentName: varPolicyAssignmentDeployLogAnalytics.libDefinition.name + parPolicyAssignmentDisplayName: varPolicyAssignmentDeployLogAnalytics.libDefinition.properties.displayName + parPolicyAssignmentDescription: varPolicyAssignmentDeployLogAnalytics.libDefinition.properties.description + parPolicyAssignmentParameters: varPolicyAssignmentDeployLogAnalytics.libDefinition.properties.parameters + parPolicyAssignmentParameterOverrides: { + rgName: { + value: varLogAnalyticsWorkspaceResourceGroupName + } + workspaceName: { + value: varLogAnalyticsWorkspaceName + } + workspaceRegion: { + value: parLogAnalyticsWorkSpaceAndAutomationAccountLocation + } + dataRetention: { + value: parLogAnalyticsWorkspaceLogRetentionInDays + } + automationAccountName: { + value: parAutomationAccountName + } + automationRegion: { + value: parLogAnalyticsWorkSpaceAndAutomationAccountLocation + } + } + parPolicyAssignmentIdentityType: varPolicyAssignmentDeployLogAnalytics.libDefinition.identity.type + parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 
'DoNotEnforce' : varPolicyAssignmentDeployLogAnalytics.libDefinition.properties.enforcementMode
+ parPolicyAssignmentIdentityRoleDefinitionIds: [
+ varRbacRoleDefinitionIds.owner
+ ]
+ parTelemetryOptOut: parTelemetryOptOut
+ }
+}
+
+// Modules - Policy Assignments - Landing Zones Management Group
+// Module - Policy Assignment - Deny-IP-Forwarding
+module modPolicyAssignmentLzsDenyIpForwarding '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDenyIPForwarding.libDefinition.name)) {
+ scope: managementGroup(varManagementGroupIds.landingZones)
+ name: varModuleDeploymentNames.modPolicyAssignmentLzsDenyIpForwarding
+ params: {
+ parPolicyAssignmentDefinitionId: varPolicyAssignmentDenyIPForwarding.definitionId
+ parPolicyAssignmentName: varPolicyAssignmentDenyIPForwarding.libDefinition.name
+ parPolicyAssignmentDisplayName: varPolicyAssignmentDenyIPForwarding.libDefinition.properties.displayName
+ parPolicyAssignmentDescription: varPolicyAssignmentDenyIPForwarding.libDefinition.properties.description
+ parPolicyAssignmentParameters: varPolicyAssignmentDenyIPForwarding.libDefinition.properties.parameters
+ parPolicyAssignmentIdentityType: varPolicyAssignmentDenyIPForwarding.libDefinition.identity.type
+ parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 
'DoNotEnforce' : varPolicyAssignmentDenyIPForwarding.libDefinition.properties.enforcementMode
+ parTelemetryOptOut: parTelemetryOptOut
+ }
+}
+
+// Module - Policy Assignment - Deny-MgmtPorts-Internet
+module modPolicyAssignmentLzsDenyMgmtFromInternet '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDenyMgmtPortsInternet.libDefinition.name)) {
+ scope: managementGroup(varManagementGroupIds.landingZones)
+ name: varModuleDeploymentNames.modPolicyAssignmentLzsDenyMgmtPortsFromInternet
+ params: {
+ parPolicyAssignmentDefinitionId: varPolicyAssignmentDenyMgmtPortsInternet.definitionId
+ parPolicyAssignmentName: varPolicyAssignmentDenyMgmtPortsInternet.libDefinition.name
+ parPolicyAssignmentDisplayName: varPolicyAssignmentDenyMgmtPortsInternet.libDefinition.properties.displayName
+ parPolicyAssignmentDescription: varPolicyAssignmentDenyMgmtPortsInternet.libDefinition.properties.description
+ parPolicyAssignmentParameters: varPolicyAssignmentDenyMgmtPortsInternet.libDefinition.properties.parameters
+ parPolicyAssignmentIdentityType: varPolicyAssignmentDenyMgmtPortsInternet.libDefinition.identity.type
+ parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 
'DoNotEnforce' : varPolicyAssignmentDenyMgmtPortsInternet.libDefinition.properties.enforcementMode
+ parTelemetryOptOut: parTelemetryOptOut
+ }
+}
+
+// Module - Policy Assignment - Deny-Subnet-Without-Nsg
+module modPolicyAssignmentLzsDenySubnetWithoutNsg '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDenySubnetWithoutNsg.libDefinition.name)) {
+ scope: managementGroup(varManagementGroupIds.landingZones)
+ name: varModuleDeploymentNames.modPolicyAssignmentLzsDenySubnetWithoutNsg
+ params: {
+ parPolicyAssignmentDefinitionId: varPolicyAssignmentDenySubnetWithoutNsg.definitionId
+ parPolicyAssignmentName: varPolicyAssignmentDenySubnetWithoutNsg.libDefinition.name
+ parPolicyAssignmentDisplayName: varPolicyAssignmentDenySubnetWithoutNsg.libDefinition.properties.displayName
+ parPolicyAssignmentDescription: varPolicyAssignmentDenySubnetWithoutNsg.libDefinition.properties.description
+ parPolicyAssignmentParameters: varPolicyAssignmentDenySubnetWithoutNsg.libDefinition.properties.parameters
+ parPolicyAssignmentIdentityType: varPolicyAssignmentDenySubnetWithoutNsg.libDefinition.identity.type
+ parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 
'DoNotEnforce' : varPolicyAssignmentDenySubnetWithoutNsg.libDefinition.properties.enforcementMode
+ parTelemetryOptOut: parTelemetryOptOut
+ }
+}
+
+// Module - Policy Assignment - Deploy-VM-Backup
+module modPolicyAssignmentLzsDeployVmBackup '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDeployVMBackup.libDefinition.name)) {
+ scope: managementGroup(varManagementGroupIds.landingZones)
+ name: varModuleDeploymentNames.modPolicyAssignmentLzsDeployVmBackup
+ params: {
+ parPolicyAssignmentDefinitionId: varPolicyAssignmentDeployVMBackup.definitionId
+ parPolicyAssignmentName: varPolicyAssignmentDeployVMBackup.libDefinition.name
+ parPolicyAssignmentDisplayName: varPolicyAssignmentDeployVMBackup.libDefinition.properties.displayName
+ parPolicyAssignmentDescription: varPolicyAssignmentDeployVMBackup.libDefinition.properties.description
+ parPolicyAssignmentParameters: varPolicyAssignmentDeployVMBackup.libDefinition.properties.parameters
+ parPolicyAssignmentParameterOverrides: {
+ exclusionTagName: {
+ value: parVmBackupExclusionTagName
+ }
+ exclusionTagValue: {
+ value: parVmBackupExclusionTagValue
+ }
+ }
+ parPolicyAssignmentIdentityType: varPolicyAssignmentDeployVMBackup.libDefinition.identity.type
+ parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 
'DoNotEnforce' : varPolicyAssignmentDeployVMBackup.libDefinition.properties.enforcementMode
+ parPolicyAssignmentIdentityRoleDefinitionIds: [
+ varRbacRoleDefinitionIds.owner
+ ]
+ parTelemetryOptOut: parTelemetryOptOut
+ }
+}
+
+// Module - Policy Assignment - Enable-DDoS-VNET
+module modPolicyAssignmentLzsEnableDdosVnet '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if ((!empty(parDdosProtectionPlanId)) && (!contains(parExcludedPolicyAssignments, varPolicyAssignmentEnableDDoSVNET.libDefinition.name))) {
+ scope: managementGroup(varManagementGroupIds.landingZones)
+ name: varModuleDeploymentNames.modPolicyAssignmentLzsEnableDdosVnet
+ params: {
+ parPolicyAssignmentDefinitionId: varPolicyAssignmentEnableDDoSVNET.definitionId
+ parPolicyAssignmentName: varPolicyAssignmentEnableDDoSVNET.libDefinition.name
+ parPolicyAssignmentDisplayName: varPolicyAssignmentEnableDDoSVNET.libDefinition.properties.displayName
+ parPolicyAssignmentDescription: varPolicyAssignmentEnableDDoSVNET.libDefinition.properties.description
+ parPolicyAssignmentParameters: varPolicyAssignmentEnableDDoSVNET.libDefinition.properties.parameters
+ parPolicyAssignmentParameterOverrides: {
+ ddosPlan: {
+ value: parDdosProtectionPlanId
+ }
+ }
+ parPolicyAssignmentIdentityType: varPolicyAssignmentEnableDDoSVNET.libDefinition.identity.type
+ parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 
'DoNotEnforce' : varPolicyAssignmentEnableDDoSVNET.libDefinition.properties.enforcementMode
+ parPolicyAssignmentIdentityRoleDefinitionIds: [
+ varRbacRoleDefinitionIds.networkContributor
+ ]
+ parTelemetryOptOut: parTelemetryOptOut
+ }
+}
+
+// Module - Policy Assignment - Deny-Storage-http
+module modPolicyAssignmentLzsDenyStorageHttp '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDenyStoragehttp.libDefinition.name)) {
+ scope: managementGroup(varManagementGroupIds.landingZones)
+ name: varModuleDeploymentNames.modPolicyAssignmentLzsDenyStorageHttp
+ params: {
+ parPolicyAssignmentDefinitionId: varPolicyAssignmentDenyStoragehttp.definitionId
+ parPolicyAssignmentName: varPolicyAssignmentDenyStoragehttp.libDefinition.name
+ parPolicyAssignmentDisplayName: varPolicyAssignmentDenyStoragehttp.libDefinition.properties.displayName
+ parPolicyAssignmentDescription: varPolicyAssignmentDenyStoragehttp.libDefinition.properties.description
+ parPolicyAssignmentParameters: varPolicyAssignmentDenyStoragehttp.libDefinition.properties.parameters
+ parPolicyAssignmentIdentityType: varPolicyAssignmentDenyStoragehttp.libDefinition.identity.type
+ parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 
'DoNotEnforce' : varPolicyAssignmentDenyStoragehttp.libDefinition.properties.enforcementMode
+ parTelemetryOptOut: parTelemetryOptOut
+ }
+}
+
+// Module - Policy Assignment - Deploy-AKS-Policy
+module modPolicyAssignmentLzsDeployAksPolicy '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDeployAKSPolicy.libDefinition.name)) {
+ scope: managementGroup(varManagementGroupIds.landingZones)
+ name: varModuleDeploymentNames.modPolicyAssignmentLzsDeployAksPolicy
+ params: {
+ parPolicyAssignmentDefinitionId: varPolicyAssignmentDeployAKSPolicy.definitionId
+ parPolicyAssignmentName: varPolicyAssignmentDeployAKSPolicy.libDefinition.name
+ parPolicyAssignmentDisplayName: varPolicyAssignmentDeployAKSPolicy.libDefinition.properties.displayName
+ parPolicyAssignmentDescription: varPolicyAssignmentDeployAKSPolicy.libDefinition.properties.description
+ parPolicyAssignmentParameters: varPolicyAssignmentDeployAKSPolicy.libDefinition.properties.parameters
+ parPolicyAssignmentIdentityType: varPolicyAssignmentDeployAKSPolicy.libDefinition.identity.type
+ parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 
'DoNotEnforce' : varPolicyAssignmentDeployAKSPolicy.libDefinition.properties.enforcementMode
+ parPolicyAssignmentIdentityRoleDefinitionIds: [
+ varRbacRoleDefinitionIds.aksContributor
+ ]
+ parTelemetryOptOut: parTelemetryOptOut
+ }
+}
+
+// Module - Policy Assignment - Deny-Priv-Escalation-AKS
+module modPolicyAssignmentLzsDenyPrivEscalationAks '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDenyPrivEscalationAKS.libDefinition.name)) {
+ scope: managementGroup(varManagementGroupIds.landingZones)
+ name: varModuleDeploymentNames.modPolicyAssignmentLzsDenyPrivEscalationAks
+ params: {
+ parPolicyAssignmentDefinitionId: varPolicyAssignmentDenyPrivEscalationAKS.definitionId
+ parPolicyAssignmentName: varPolicyAssignmentDenyPrivEscalationAKS.libDefinition.name
+ parPolicyAssignmentDisplayName: varPolicyAssignmentDenyPrivEscalationAKS.libDefinition.properties.displayName
+ parPolicyAssignmentDescription: varPolicyAssignmentDenyPrivEscalationAKS.libDefinition.properties.description
+ parPolicyAssignmentParameters: varPolicyAssignmentDenyPrivEscalationAKS.libDefinition.properties.parameters
+ parPolicyAssignmentIdentityType: varPolicyAssignmentDenyPrivEscalationAKS.libDefinition.identity.type
+ parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 
'DoNotEnforce' : varPolicyAssignmentDenyPrivEscalationAKS.libDefinition.properties.enforcementMode
+ parTelemetryOptOut: parTelemetryOptOut
+ }
+}
+
+// Module - Policy Assignment - Deny-Priv-Containers-AKS
+module modPolicyAssignmentLzsDenyPrivContainersAks '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDenyPrivContainersAKS.libDefinition.name)) {
+ scope: managementGroup(varManagementGroupIds.landingZones)
+ name: varModuleDeploymentNames.modPolicyAssignmentLzsDenyPrivContainersAks
+ params: {
+ parPolicyAssignmentDefinitionId: varPolicyAssignmentDenyPrivContainersAKS.definitionId
+ parPolicyAssignmentName: varPolicyAssignmentDenyPrivContainersAKS.libDefinition.name
+ parPolicyAssignmentDisplayName: varPolicyAssignmentDenyPrivContainersAKS.libDefinition.properties.displayName
+ parPolicyAssignmentDescription: varPolicyAssignmentDenyPrivContainersAKS.libDefinition.properties.description
+ parPolicyAssignmentParameters: varPolicyAssignmentDenyPrivContainersAKS.libDefinition.properties.parameters
+ parPolicyAssignmentIdentityType: varPolicyAssignmentDenyPrivContainersAKS.libDefinition.identity.type
+ parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 
'DoNotEnforce' : varPolicyAssignmentDenyPrivContainersAKS.libDefinition.properties.enforcementMode
+ parTelemetryOptOut: parTelemetryOptOut
+ }
+}
+
+// Module - Policy Assignment - Enforce-AKS-HTTPS
+module modPolicyAssignmentLzsEnforceAksHttps '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentEnforceAKSHTTPS.libDefinition.name)) {
+ scope: managementGroup(varManagementGroupIds.landingZones)
+ name: varModuleDeploymentNames.modPolicyAssignmentLzsEnforceAksHttps
+ params: {
+ parPolicyAssignmentDefinitionId: varPolicyAssignmentEnforceAKSHTTPS.definitionId
+ parPolicyAssignmentName: varPolicyAssignmentEnforceAKSHTTPS.libDefinition.name
+ parPolicyAssignmentDisplayName: varPolicyAssignmentEnforceAKSHTTPS.libDefinition.properties.displayName
+ parPolicyAssignmentDescription: varPolicyAssignmentEnforceAKSHTTPS.libDefinition.properties.description
+ parPolicyAssignmentParameters: varPolicyAssignmentEnforceAKSHTTPS.libDefinition.properties.parameters
+ parPolicyAssignmentIdentityType: varPolicyAssignmentEnforceAKSHTTPS.libDefinition.identity.type
+ parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 
'DoNotEnforce' : varPolicyAssignmentEnforceAKSHTTPS.libDefinition.properties.enforcementMode
+ parTelemetryOptOut: parTelemetryOptOut
+ }
+}
+
+// Module - Policy Assignment - Enforce-TLS-SSL
+module modPolicyAssignmentLzsEnforceTlsSsl '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentEnforceTLSSSL.libDefinition.name)) {
+ scope: managementGroup(varManagementGroupIds.landingZones)
+ name: varModuleDeploymentNames.modPolicyAssignmentLzsEnforceTlsSsl
+ params: {
+ parPolicyAssignmentDefinitionId: varPolicyAssignmentEnforceTLSSSL.definitionId
+ parPolicyAssignmentName: varPolicyAssignmentEnforceTLSSSL.libDefinition.name
+ parPolicyAssignmentDisplayName: varPolicyAssignmentEnforceTLSSSL.libDefinition.properties.displayName
+ parPolicyAssignmentDescription: varPolicyAssignmentEnforceTLSSSL.libDefinition.properties.description
+ parPolicyAssignmentParameters: varPolicyAssignmentEnforceTLSSSL.libDefinition.properties.parameters
+ parPolicyAssignmentIdentityType: varPolicyAssignmentEnforceTLSSSL.libDefinition.identity.type
+ parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 
'DoNotEnforce' : varPolicyAssignmentEnforceTLSSSL.libDefinition.properties.enforcementMode
+ parTelemetryOptOut: parTelemetryOptOut
+ }
+}
+
+// Module - Policy Assignment - Deploy-AzSqlDb-Auditing
+module modPolicyAssignmentLzsDeployAzSqlDbAuditing '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if ((!empty(parLogAnalyticsWorkspaceResourceId)) && (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDeployAzSqlDbAuditing.libDefinition.name))) {
+ scope: managementGroup(varManagementGroupIds.landingZones)
+ name: varModuleDeploymentNames.modPolicyAssignmentLzsDeployAzSqlDbAuditing
+ params: {
+ parPolicyAssignmentDefinitionId: varPolicyAssignmentDeployAzSqlDbAuditing.definitionId
+ parPolicyAssignmentName: varPolicyAssignmentDeployAzSqlDbAuditing.libDefinition.name
+ parPolicyAssignmentDisplayName: varPolicyAssignmentDeployAzSqlDbAuditing.libDefinition.properties.displayName
+ parPolicyAssignmentDescription: varPolicyAssignmentDeployAzSqlDbAuditing.libDefinition.properties.description
+ parPolicyAssignmentParameters: varPolicyAssignmentDeployAzSqlDbAuditing.libDefinition.properties.parameters
+ parPolicyAssignmentParameterOverrides: {
+ logAnalyticsWorkspaceId: {
+ value: parLogAnalyticsWorkspaceResourceId
+ }
+ }
+ parPolicyAssignmentIdentityType: varPolicyAssignmentDeployAzSqlDbAuditing.libDefinition.identity.type
+ parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 
'DoNotEnforce' : varPolicyAssignmentDeployAzSqlDbAuditing.libDefinition.properties.enforcementMode
+ parPolicyAssignmentIdentityRoleDefinitionIds: [
+ varRbacRoleDefinitionIds.logAnalyticsContributor
+ varRbacRoleDefinitionIds.sqlSecurityManager
+ ]
+ parPolicyAssignmentIdentityRoleAssignmentsSubs: [
+ varLogAnalyticsWorkspaceSubscription
+ ]
+ parTelemetryOptOut: parTelemetryOptOut
+ }
+}
+
+// Module - Policy Assignment - Deploy-SQL-Threat
+module modPolicyAssignmentLzsDeploySqlThreat '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDeploySQLThreat.libDefinition.name)) {
+ scope: managementGroup(varManagementGroupIds.landingZones)
+ name: varModuleDeploymentNames.modPolicyAssignmentLzsDeploySqlThreat
+ params: {
+ parPolicyAssignmentDefinitionId: varPolicyAssignmentDeploySQLThreat.definitionId
+ parPolicyAssignmentName: varPolicyAssignmentDeploySQLThreat.libDefinition.name
+ parPolicyAssignmentDisplayName: varPolicyAssignmentDeploySQLThreat.libDefinition.properties.displayName
+ parPolicyAssignmentDescription: varPolicyAssignmentDeploySQLThreat.libDefinition.properties.description
+ parPolicyAssignmentParameters: varPolicyAssignmentDeploySQLThreat.libDefinition.properties.parameters
+ parPolicyAssignmentIdentityType: varPolicyAssignmentDeploySQLThreat.libDefinition.identity.type
+ parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 
'DoNotEnforce' : varPolicyAssignmentDeploySQLThreat.libDefinition.properties.enforcementMode
+ parPolicyAssignmentIdentityRoleDefinitionIds: [
+ varRbacRoleDefinitionIds.owner
+ ]
+ parTelemetryOptOut: parTelemetryOptOut
+ }
+}
+
+// Module - Policy Assignment - Deploy-SQL-TDE
+module modPolicyAssignmentLzsDeploySqlTde '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDeploySQLTDE.libDefinition.name)) {
+ scope: managementGroup(varManagementGroupIds.landingZones)
+ name: varModuleDeploymentNames.modPolicyAssignmentLzsDeploySqlTde
+ params: {
+ parPolicyAssignmentDefinitionId: varPolicyAssignmentDeploySQLTDE.definitionId
+ parPolicyAssignmentName: varPolicyAssignmentDeploySQLTDE.libDefinition.name
+ parPolicyAssignmentDisplayName: varPolicyAssignmentDeploySQLTDE.libDefinition.properties.displayName
+ parPolicyAssignmentDescription: varPolicyAssignmentDeploySQLTDE.libDefinition.properties.description
+ parPolicyAssignmentParameters: varPolicyAssignmentDeploySQLTDE.libDefinition.properties.parameters
+ parPolicyAssignmentIdentityType: varPolicyAssignmentDeploySQLTDE.libDefinition.identity.type
+ parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 
'DoNotEnforce' : varPolicyAssignmentDeploySQLTDE.libDefinition.properties.enforcementMode
+ parPolicyAssignmentIdentityRoleDefinitionIds: [
+ varRbacRoleDefinitionIds.sqlSecurityManager
+ ]
+ parTelemetryOptOut: parTelemetryOptOut
+ }
+}
+
+// Module - Policy Assignment - Enforce-GR-KeyVault
+module modPolicyAssignmentLzsEnforceGrKeyVault '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentEnforceGRKeyVault.libDefinition.name)) {
+ scope: managementGroup(varManagementGroupIds.landingZones)
+ name: varModuleDeploymentNames.modPolicyAssignmentLzsEnforceGrKeyVault
+ params: {
+ parPolicyAssignmentDefinitionId: varPolicyAssignmentEnforceGRKeyVault.definitionId
+ parPolicyAssignmentName: varPolicyAssignmentEnforceGRKeyVault.libDefinition.name
+ parPolicyAssignmentDisplayName: varPolicyAssignmentEnforceGRKeyVault.libDefinition.properties.displayName
+ parPolicyAssignmentDescription: varPolicyAssignmentEnforceGRKeyVault.libDefinition.properties.description
+ parPolicyAssignmentParameters: varPolicyAssignmentEnforceGRKeyVault.libDefinition.properties.parameters
+ parPolicyAssignmentIdentityType: varPolicyAssignmentEnforceGRKeyVault.libDefinition.identity.type
+ parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 
'DoNotEnforce' : varPolicyAssignmentEnforceGRKeyVault.libDefinition.properties.enforcementMode
+ parTelemetryOptOut: parTelemetryOptOut
+ }
+}
+
+// Module - Policy Assignment - Audit-AppGW-WAF
+module modPolicyAssignmentLzsAuditAppGwWaf '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentAuditAppGWWAF.libDefinition.name)) {
+ scope: managementGroup(varManagementGroupIds.landingZones)
+ name: varModuleDeploymentNames.modPolicyAssignmentLzsAuditAppGwWaf
+ params: {
+ parPolicyAssignmentDefinitionId: varPolicyAssignmentAuditAppGWWAF.definitionId
+ parPolicyAssignmentName: varPolicyAssignmentAuditAppGWWAF.libDefinition.name
+ parPolicyAssignmentDisplayName: varPolicyAssignmentAuditAppGWWAF.libDefinition.properties.displayName
+ parPolicyAssignmentDescription: varPolicyAssignmentAuditAppGWWAF.libDefinition.properties.description
+ parPolicyAssignmentParameters: varPolicyAssignmentAuditAppGWWAF.libDefinition.properties.parameters
+ parPolicyAssignmentIdentityType: varPolicyAssignmentAuditAppGWWAF.libDefinition.identity.type
+ parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 
'DoNotEnforce' : varPolicyAssignmentAuditAppGWWAF.libDefinition.properties.enforcementMode
+ parTelemetryOptOut: parTelemetryOptOut
+ }
+}
+
+// Modules - Policy Assignments - Corp Management Group
+// Module - Policy Assignment - Deny-Public-Endpoints
+module modPolicyAssignmentLzsDenyPublicEndpoints '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = [for (mgScope, index) in varCorpManagementGroupIds: if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDenyPublicEndpoints.libDefinition.name) && parLandingZoneChildrenMgAlzDefaultsEnable) {
+ scope: managementGroup(mgScope)
+ name: '${varModuleDeploymentNames.modPolicyAssignmentLzsDenyPublicEndpoints}${index}'
+ params: {
+ parPolicyAssignmentDefinitionId: varPolicyAssignmentDenyPublicEndpoints.definitionId
+ parPolicyAssignmentName: varPolicyAssignmentDenyPublicEndpoints.libDefinition.name
+ parPolicyAssignmentDisplayName: varPolicyAssignmentDenyPublicEndpoints.libDefinition.properties.displayName
+ parPolicyAssignmentDescription: varPolicyAssignmentDenyPublicEndpoints.libDefinition.properties.description
+ parPolicyAssignmentParameters: varPolicyAssignmentDenyPublicEndpoints.libDefinition.properties.parameters
+ parPolicyAssignmentIdentityType: varPolicyAssignmentDenyPublicEndpoints.libDefinition.identity.type
+ parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 
'DoNotEnforce' : varPolicyAssignmentDenyPublicEndpoints.libDefinition.properties.enforcementMode
+ parTelemetryOptOut: parTelemetryOptOut
+ }
+}]
+
+// Module - Policy Assignment - Deploy-Private-DNS-Zones
+module modPolicyAssignmentConnDeployPrivateDnsZones '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = [for (mgScope, index) in varCorpManagementGroupIds: if ((!empty(varPrivateDnsZonesResourceGroupSubscriptionId)) && (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDeployPrivateDNSZones.libDefinition.name)) && parLandingZoneChildrenMgAlzDefaultsEnable) {
+ scope: managementGroup(mgScope)
+ name: '${varModuleDeploymentNames.modPolicyAssignmentLzsDeployPrivateDnsZones}${index}'
+ params: {
+ parPolicyAssignmentDefinitionId: varPolicyAssignmentDeployPrivateDNSZones.definitionId
+ parPolicyAssignmentName: varPolicyAssignmentDeployPrivateDNSZones.libDefinition.name
+ parPolicyAssignmentDisplayName: varPolicyAssignmentDeployPrivateDNSZones.libDefinition.properties.displayName
+ parPolicyAssignmentDescription: varPolicyAssignmentDeployPrivateDNSZones.libDefinition.properties.description
+ parPolicyAssignmentParameters: varPolicyAssignmentDeployPrivateDNSZones.libDefinition.properties.parameters
+ parPolicyAssignmentParameterOverrides: {
+ azureFilePrivateDnsZoneId: {
+ value: varPrivateDnsZonesFinalResourceIds.azureFilePrivateDnsZoneId
+ }
+ azureAutomationWebhookPrivateDnsZoneId: {
+ value: varPrivateDnsZonesFinalResourceIds.azureAutomationWebhookPrivateDnsZoneId
+ }
+ azureAutomationDSCHybridPrivateDnsZoneId: {
+ value: varPrivateDnsZonesFinalResourceIds.azureAutomationDSCHybridPrivateDnsZoneId
+ }
+ azureCosmosSQLPrivateDnsZoneId: {
+ value: varPrivateDnsZonesFinalResourceIds.azureCosmosSQLPrivateDnsZoneId
+ }
+ azureCosmosMongoPrivateDnsZoneId: {
+ value: varPrivateDnsZonesFinalResourceIds.azureCosmosMongoPrivateDnsZoneId
+ }
+ azureCosmosCassandraPrivateDnsZoneId: {
+ value: 
varPrivateDnsZonesFinalResourceIds.azureCosmosCassandraPrivateDnsZoneId
+ }
+ azureCosmosGremlinPrivateDnsZoneId: {
+ value: varPrivateDnsZonesFinalResourceIds.azureCosmosGremlinPrivateDnsZoneId
+ }
+ azureCosmosTablePrivateDnsZoneId: {
+ value: varPrivateDnsZonesFinalResourceIds.azureCosmosTablePrivateDnsZoneId
+ }
+ azureDataFactoryPrivateDnsZoneId: {
+ value: varPrivateDnsZonesFinalResourceIds.azureDataFactoryPrivateDnsZoneId
+ }
+ azureDataFactoryPortalPrivateDnsZoneId: {
+ value: varPrivateDnsZonesFinalResourceIds.azureDataFactoryPortalPrivateDnsZoneId
+ }
+ azureHDInsightPrivateDnsZoneId: {
+ value: varPrivateDnsZonesFinalResourceIds.azureHDInsightPrivateDnsZoneId
+ }
+ azureMigratePrivateDnsZoneId: {
+ value: varPrivateDnsZonesFinalResourceIds.azureMigratePrivateDnsZoneId
+ }
+ azureStorageBlobPrivateDnsZoneId: {
+ value: varPrivateDnsZonesFinalResourceIds.azureStorageBlobPrivateDnsZoneId
+ }
+ azureStorageBlobSecPrivateDnsZoneId: {
+ value: varPrivateDnsZonesFinalResourceIds.azureStorageBlobSecPrivateDnsZoneId
+ }
+ azureStorageQueuePrivateDnsZoneId: {
+ value: varPrivateDnsZonesFinalResourceIds.azureStorageQueuePrivateDnsZoneId
+ }
+ azureStorageQueueSecPrivateDnsZoneId: {
+ value: varPrivateDnsZonesFinalResourceIds.azureStorageQueueSecPrivateDnsZoneId
+ }
+ azureStorageFilePrivateDnsZoneId: {
+ value: varPrivateDnsZonesFinalResourceIds.azureStorageFilePrivateDnsZoneId
+ }
+ azureStorageStaticWebPrivateDnsZoneId: {
+ value: varPrivateDnsZonesFinalResourceIds.azureStorageStaticWebPrivateDnsZoneId
+ }
+ azureStorageStaticWebSecPrivateDnsZoneId: {
+ value: varPrivateDnsZonesFinalResourceIds.azureStorageStaticWebSecPrivateDnsZoneId
+ }
+ azureStorageDFSPrivateDnsZoneId: {
+ value: varPrivateDnsZonesFinalResourceIds.azureStorageDFSPrivateDnsZoneId
+ }
+ azureStorageDFSSecPrivateDnsZoneId: {
+ value: varPrivateDnsZonesFinalResourceIds.azureStorageDFSSecPrivateDnsZoneId
+ }
+ azureSynapseSQLPrivateDnsZoneId: {
+ value: 
varPrivateDnsZonesFinalResourceIds.azureSynapseSQLPrivateDnsZoneId
+ }
+ azureSynapseSQLODPrivateDnsZoneId: {
+ value: varPrivateDnsZonesFinalResourceIds.azureSynapseSQLODPrivateDnsZoneId
+ }
+ azureSynapseDevPrivateDnsZoneId: {
+ value: varPrivateDnsZonesFinalResourceIds.azureSynapseDevPrivateDnsZoneId
+ }
+ azureMediaServicesKeyPrivateDnsZoneId: {
+ value: varPrivateDnsZonesFinalResourceIds.azureMediaServicesKeyPrivateDnsZoneId
+ }
+ azureMediaServicesLivePrivateDnsZoneId: {
+ value: varPrivateDnsZonesFinalResourceIds.azureMediaServicesLivePrivateDnsZoneId
+ }
+ azureMediaServicesStreamPrivateDnsZoneId: {
+ value: varPrivateDnsZonesFinalResourceIds.azureMediaServicesStreamPrivateDnsZoneId
+ }
+ azureMonitorPrivateDnsZoneId1: {
+ value: varPrivateDnsZonesFinalResourceIds.azureMonitorPrivateDnsZoneId1
+ }
+ azureMonitorPrivateDnsZoneId2: {
+ value: varPrivateDnsZonesFinalResourceIds.azureMonitorPrivateDnsZoneId2
+ }
+ azureMonitorPrivateDnsZoneId3: {
+ value: varPrivateDnsZonesFinalResourceIds.azureMonitorPrivateDnsZoneId3
+ }
+ azureMonitorPrivateDnsZoneId4: {
+ value: varPrivateDnsZonesFinalResourceIds.azureMonitorPrivateDnsZoneId4
+ }
+ azureMonitorPrivateDnsZoneId5: {
+ value: varPrivateDnsZonesFinalResourceIds.azureMonitorPrivateDnsZoneId5
+ }
+ azureWebPrivateDnsZoneId: {
+ value: varPrivateDnsZonesFinalResourceIds.azureWebPrivateDnsZoneId
+ }
+ azureBatchPrivateDnsZoneId: {
+ value: varPrivateDnsZonesFinalResourceIds.azureBatchPrivateDnsZoneId
+ }
+ azureAppPrivateDnsZoneId: {
+ value: varPrivateDnsZonesFinalResourceIds.azureAppPrivateDnsZoneId
+ }
+ azureAsrPrivateDnsZoneId: {
+ value: varPrivateDnsZonesFinalResourceIds.azureAsrPrivateDnsZoneId
+ }
+ azureIotPrivateDnsZoneId: {
+ value: varPrivateDnsZonesFinalResourceIds.azureIotPrivateDnsZoneId
+ }
+ azureKeyVaultPrivateDnsZoneId: {
+ value: varPrivateDnsZonesFinalResourceIds.azureKeyVaultPrivateDnsZoneId
+ }
+ azureSignalRPrivateDnsZoneId: {
+ value: 
varPrivateDnsZonesFinalResourceIds.azureSignalRPrivateDnsZoneId
+ }
+ azureAppServicesPrivateDnsZoneId: {
+ value: varPrivateDnsZonesFinalResourceIds.azureAppServicesPrivateDnsZoneId
+ }
+ azureEventGridTopicsPrivateDnsZoneId: {
+ value: varPrivateDnsZonesFinalResourceIds.azureEventGridTopicsPrivateDnsZoneId
+ }
+ azureDiskAccessPrivateDnsZoneId: {
+ value: varPrivateDnsZonesFinalResourceIds.azureDiskAccessPrivateDnsZoneId
+ }
+ azureCognitiveServicesPrivateDnsZoneId: {
+ value: varPrivateDnsZonesFinalResourceIds.azureCognitiveServicesPrivateDnsZoneId
+ }
+ azureIotHubsPrivateDnsZoneId: {
+ value: varPrivateDnsZonesFinalResourceIds.azureIotHubsPrivateDnsZoneId
+ }
+ azureEventGridDomainsPrivateDnsZoneId: {
+ value: varPrivateDnsZonesFinalResourceIds.azureEventGridDomainsPrivateDnsZoneId
+ }
+ azureRedisCachePrivateDnsZoneId: {
+ value: varPrivateDnsZonesFinalResourceIds.azureRedisCachePrivateDnsZoneId
+ }
+ azureAcrPrivateDnsZoneId: {
+ value: varPrivateDnsZonesFinalResourceIds.azureAcrPrivateDnsZoneId
+ }
+ azureEventHubNamespacePrivateDnsZoneId: {
+ value: varPrivateDnsZonesFinalResourceIds.azureEventHubNamespacePrivateDnsZoneId
+ }
+ azureMachineLearningWorkspacePrivateDnsZoneId: {
+ value: varPrivateDnsZonesFinalResourceIds.azureMachineLearningWorkspacePrivateDnsZoneId
+ }
+ azureServiceBusNamespacePrivateDnsZoneId: {
+ value: varPrivateDnsZonesFinalResourceIds.azureServiceBusNamespacePrivateDnsZoneId
+ }
+ azureCognitiveSearchPrivateDnsZoneId: {
+ value: varPrivateDnsZonesFinalResourceIds.azureCognitiveSearchPrivateDnsZoneId
+ }
+ }
+ parPolicyAssignmentIdentityType: varPolicyAssignmentDeployPrivateDNSZones.libDefinition.identity.type
+ parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 
'DoNotEnforce' : varPolicyAssignmentDeployPrivateDNSZones.libDefinition.properties.enforcementMode
+ parPolicyAssignmentIdentityRoleDefinitionIds: [
+ varRbacRoleDefinitionIds.networkContributor
+ ]
+ parPolicyAssignmentIdentityRoleAssignmentsSubs: [
+ varPrivateDnsZonesResourceGroupSubscriptionId
+ ]
+ parTelemetryOptOut: parTelemetryOptOut
+ }
+}]
+
+// Module - Policy Assignment - Deny-Public-IP-On-NIC
+module modPolicyAssignmentLzsCorpDenyPipOnNic '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = [for (mgScope, index) in varCorpManagementGroupIds: if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDenyPublicIPOnNIC.libDefinition.name) && parLandingZoneChildrenMgAlzDefaultsEnable) {
+ scope: managementGroup(mgScope)
+ name: '${varModuleDeploymentNames.modPolicyAssignmentLzsCorpDenyPipOnNic}${index}'
+ params: {
+ parPolicyAssignmentDefinitionId: varPolicyAssignmentDenyPublicIPOnNIC.definitionId
+ parPolicyAssignmentName: varPolicyAssignmentDenyPublicIPOnNIC.libDefinition.name
+ parPolicyAssignmentDisplayName: varPolicyAssignmentDenyPublicIPOnNIC.libDefinition.properties.displayName
+ parPolicyAssignmentDescription: varPolicyAssignmentDenyPublicIPOnNIC.libDefinition.properties.description
+ parPolicyAssignmentParameters: varPolicyAssignmentDenyPublicIPOnNIC.libDefinition.properties.parameters
+ parPolicyAssignmentIdentityType: varPolicyAssignmentDenyPublicIPOnNIC.libDefinition.identity.type
+ parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 
'DoNotEnforce' : varPolicyAssignmentDenyPublicIPOnNIC.libDefinition.properties.enforcementMode
+ parTelemetryOptOut: parTelemetryOptOut
+ }
+}]
+
+// Module - Policy Assignment - Deny-HybridNetworking
+module modPolicyAssignmentLzsCorpDenyHybridNet '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = [for (mgScope, index) in varCorpManagementGroupIds: if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDenyHybridNetworking.libDefinition.name) && parLandingZoneChildrenMgAlzDefaultsEnable) {
+ scope: managementGroup(mgScope)
+ name: '${varModuleDeploymentNames.modPolicyAssignmentLzsCorpDenyHybridNet}${index}'
+ params: {
+ parPolicyAssignmentDefinitionId: varPolicyAssignmentDenyHybridNetworking.definitionId
+ parPolicyAssignmentName: varPolicyAssignmentDenyHybridNetworking.libDefinition.name
+ parPolicyAssignmentDisplayName: varPolicyAssignmentDenyHybridNetworking.libDefinition.properties.displayName
+ parPolicyAssignmentDescription: varPolicyAssignmentDenyHybridNetworking.libDefinition.properties.description
+ parPolicyAssignmentParameters: varPolicyAssignmentDenyHybridNetworking.libDefinition.properties.parameters
+ parPolicyAssignmentIdentityType: varPolicyAssignmentDenyHybridNetworking.libDefinition.identity.type
+ parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 
'DoNotEnforce' : varPolicyAssignmentDenyHybridNetworking.libDefinition.properties.enforcementMode + parTelemetryOptOut: parTelemetryOptOut + } +}] + +// Module - Policy Assignment - Audit-PeDnsZones +module modPolicyAssignmentLzsCorpAuditPeDnsZones '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = [for (mgScope, index) in varCorpManagementGroupIds: if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentAuditPeDnsZones.libDefinition.name) && parLandingZoneChildrenMgAlzDefaultsEnable) { + scope: managementGroup(mgScope) + name: '${varModuleDeploymentNames.modPolicyAssignmentLzsCorpAuditPeDnsZones}${index}' + params: { + parPolicyAssignmentDefinitionId: varPolicyAssignmentAuditPeDnsZones.definitionId + parPolicyAssignmentName: varPolicyAssignmentAuditPeDnsZones.libDefinition.name + parPolicyAssignmentDisplayName: varPolicyAssignmentAuditPeDnsZones.libDefinition.properties.displayName + parPolicyAssignmentDescription: varPolicyAssignmentAuditPeDnsZones.libDefinition.properties.description + parPolicyAssignmentParameters: varPolicyAssignmentAuditPeDnsZones.libDefinition.properties.parameters + parPolicyAssignmentParameterOverrides: empty(parPrivateDnsZonesNamesToAuditInCorp) ? {} : { + privateLinkDnsZones: { + value: parPrivateDnsZonesNamesToAuditInCorp + } + } + parPolicyAssignmentIdentityType: varPolicyAssignmentAuditPeDnsZones.libDefinition.identity.type + parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 
'DoNotEnforce' : varPolicyAssignmentAuditPeDnsZones.libDefinition.properties.enforcementMode + parTelemetryOptOut: parTelemetryOptOut + } +}] + +// Modules - Policy Assignments - Decommissioned Management Group +// Module - Policy Assignment - Enforce-ALZ-Decomm +module modPolicyAssignmentDecommEnforceAlz '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentEnforceALZDecomm.libDefinition.name)) { + scope: managementGroup(varManagementGroupIds.decommissioned) + name: varModuleDeploymentNames.modPolicyAssignmentDecommEnforceAlz + params: { + parPolicyAssignmentDefinitionId: varPolicyAssignmentEnforceALZDecomm.definitionId + parPolicyAssignmentName: varPolicyAssignmentEnforceALZDecomm.libDefinition.name + parPolicyAssignmentDisplayName: varPolicyAssignmentEnforceALZDecomm.libDefinition.properties.displayName + parPolicyAssignmentDescription: varPolicyAssignmentEnforceALZDecomm.libDefinition.properties.description + parPolicyAssignmentParameters: varPolicyAssignmentEnforceALZDecomm.libDefinition.properties.parameters + parPolicyAssignmentIdentityType: varPolicyAssignmentEnforceALZDecomm.libDefinition.identity.type + parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 
'DoNotEnforce' : varPolicyAssignmentEnforceALZDecomm.libDefinition.properties.enforcementMode + parPolicyAssignmentIdentityRoleDefinitionIds: [ + varRbacRoleDefinitionIds.vmContributor + ] + parTelemetryOptOut: parTelemetryOptOut + } +} + +// Modules - Policy Assignments - Sandbox Management Group +// Module - Policy Assignment - Enforce-ALZ-Sandbox +module modPolicyAssignmentSandboxEnforceAlz '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentEnforceALZSandbox.libDefinition.name)) { + scope: managementGroup(varManagementGroupIds.sandbox) + name: varModuleDeploymentNames.modPolicyAssignmentSandboxEnforceAlz + params: { + parPolicyAssignmentDefinitionId: varPolicyAssignmentEnforceALZSandbox.definitionId + parPolicyAssignmentName: varPolicyAssignmentEnforceALZSandbox.libDefinition.name + parPolicyAssignmentDisplayName: varPolicyAssignmentEnforceALZSandbox.libDefinition.properties.displayName + parPolicyAssignmentDescription: varPolicyAssignmentEnforceALZSandbox.libDefinition.properties.description + parPolicyAssignmentParameters: varPolicyAssignmentEnforceALZSandbox.libDefinition.properties.parameters + parPolicyAssignmentIdentityType: varPolicyAssignmentEnforceALZSandbox.libDefinition.identity.type + parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentEnforceALZSandbox.libDefinition.properties.enforcementMode + parTelemetryOptOut: parTelemetryOptOut + } +} diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/alzDefaults/bicepconfig.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/alzDefaults/bicepconfig.json new file mode 100644 index 0000000..03011f7 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/alzDefaults/bicepconfig.json 
@@ -0,0 +1,114 @@
+{
+ "analyzers": {
+ "core": {
+ "enabled": true,
+ "verbose": true,
+ "rules": {
+ "adminusername-should-not-be-literal": {
+ "level": "error"
+ },
+ "no-hardcoded-env-urls": {
+ "level": "error",
+ "disallowedhosts": [
+ "management.core.windows.net",
+ "gallery.azure.com",
+ "management.core.windows.net",
+ "management.azure.com",
+ "login.microsoftonline.com",
+ "graph.windows.net",
+ "trafficmanager.net",
+ "vault.azure.net",
+ "datalake.azure.net",
+ "azuredatalakestore.net",
+ "azuredatalakeanalytics.net",
+ "vault.azure.net",
+ "api.loganalytics.io",
+ "api.loganalytics.iov1",
+ "asazure.windows.net",
+ "region.asazure.windows.net",
+ "api.loganalytics.iov1",
+ "api.loganalytics.io",
+ "asazure.windows.net",
+ "region.asazure.windows.net",
+ "batch.core.windows.net"
+ ],
+ "excludedhosts": [
+ "schema.management.azure.com"
+ ]
+ },
+ "no-unnecessary-dependson": {
+ "level": "error"
+ },
+ "no-unused-params": {
+ "level": "error"
+ },
+ "no-unused-vars": {
+ "level": "error"
+ },
+ "outputs-should-not-contain-secrets": {
+ "level": "error"
+ },
+ "prefer-interpolation": {
+ "level": "error"
+ },
+ "secure-parameter-default": {
+ "level": "error"
+ },
+ "simplify-interpolation": {
+ "level": "error"
+ },
+ "protect-commandtoexecute-secrets": {
+ "level": "error"
+ },
+ "use-stable-vm-image": {
+ "level": "error"
+ },
+ "explicit-values-for-loc-params": {
+ "level": "error"
+ },
+ "no-hardcoded-location": {
+ "level": "error"
+ },
+ "no-loc-expr-outside-params": {
+ "level": "error"
+ },
+ "max-outputs": {
+ "level": "error"
+ },
+ "max-params": {
+ "level": "error"
+ },
+ "max-resources": {
+ "level": "error"
+ },
+ "max-variables": {
+ "level": "error"
+ },
+ "artifacts-parameters":{
+ "level": "error"
+ },
+ "no-unused-existing-resources":{
+ "level": "error"
+ },
+ "prefer-unquoted-property-names":{
+ "level": "error"
+ },
+ "secure-params-in-nested-deploy":{
+ "level": "error"
+ },
+ "secure-secrets-in-params":{
+ "level": "error"
+ },
+ "use-recent-api-versions":{
+ "level": "error"
+ },
+ "use-resource-id-functions":{
+ "level": "error"
+ },
+ "use-stable-resource-identifiers":{
+ "level": "error"
+ }
+ }
+ }
+ }
+}
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md b/dependencies/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md
new file mode 100644
index 0000000..5cae91a
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md
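Review bot: The `disallowedhosts` array under `no-hardcoded-env-urls` lists `management.core.windows.net`, `vault.azure.net`, `api.loganalytics.io`, `asazure.windows.net` and `region.asazure.windows.net` twice each, and carries `api.loganalytics.iov1` twice, which reads like a host and a path fragment run together rather than a hostname. Removing the repeats and checking that entry would make it easier to audit what the rule actually blocks. Every listed host is a public-cloud endpoint, while this directory also holds the `mc-` templates that default to `chinaeast2`, so a hard-coded endpoint of that cloud would presumably pass the linter. If the rule is meant to cover those templates too, the equivalent hosts for that environment should be added to the list.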
@@ -0,0 +1,212 @@ +# ALZ Bicep - ALZ Default Policy Assignments + +This module will assign the ALZ Default Policy Assignments to the ALZ Management Group hierarchy + +## Parameters + +Parameter name | Required | Description +-------------- | -------- | ----------- +parTopLevelManagementGroupPrefix | No | Prefix for the management group hierarchy. +parTopLevelManagementGroupSuffix | No | Optional suffix for the management group hierarchy. This suffix will be appended to management group names/IDs. Include a preceding dash if required. Example: -suffix +parPlatformMgAlzDefaultsEnable | No | Management, Identity and Connectivity Management Groups beneath Platform Management Group have been deployed. If set to false, platform policies are assigned to the Platform Management Group; otherwise policies are assigned to the child management groups. +parLandingZoneChildrenMgAlzDefaultsEnable | No | Corp & Online Management Groups beneath Landing Zones Management Groups have been deployed. If set to false, policies will not try to be assigned to corp or onlone Management Groups. +parLogAnalyticsWorkSpaceAndAutomationAccountLocation | No | The region where the Log Analytics Workspace & Automation Account are deployed. +parLogAnalyticsWorkspaceResourceId | No | Log Analytics Workspace Resource ID. +parLogAnalyticsWorkspaceLogRetentionInDays | No | Number of days of log retention for Log Analytics Workspace. +parAutomationAccountName | No | Automation account name. +parMsDefenderForCloudEmailSecurityContact | No | An e-mail address that you want Microsoft Defender for Cloud alerts to be sent to. +parDdosProtectionPlanId | No | ID of the DdosProtectionPlan which will be applied to the Virtual Networks. If left empty, the policy Enable-DDoS-VNET will not be assigned at connectivity or landing zone Management Groups to avoid VNET deployment issues. +parPrivateDnsResourceGroupId | No | Resource ID of the Resource Group that conatin the Private DNS Zones. 
If left empty, the policy Deploy-Private-DNS-Zones will not be assigned to the corp Management Group. +parPrivateDnsZonesNamesToAuditInCorp | No | Provide an array/list of Private DNS Zones that you wish to audit if deployed into Subscriptions in the Corp Management Group. NOTE: The policy default values include all the static Private Link Private DNS Zones, e.g. all the DNS Zones that dont have a region or region shortcode in them. If you wish for these to be audited also you must provide a complete array/list to this parameter for ALL Private DNS Zones you wish to audit, including the static Private Link ones, as this parameter performs an overwrite operation. You can get all the Private DNS Zone Names form the `outPrivateDnsZonesNames` output in the Hub Networking or Private DNS Zone modules. +parDisableAlzDefaultPolicies | No | Set Enforcement Mode of all default Policies assignments to Do Not Enforce. +parVmBackupExclusionTagName | No | Name of the tag to use for excluding VMs from the scope of this policy. This should be used along with the Exclusion Tag Value parameter. +parVmBackupExclusionTagValue | No | Value of the tag to use for excluding VMs from the scope of this policy (in case of multiple values, use a comma-separated list). This should be used along with the Exclusion Tag Name parameter. +parExcludedPolicyAssignments | No | Adding assignment definition names to this array will exclude the specific policies from assignment. Find the correct values to this array in the following documentation: https://github.com/Azure/ALZ-Bicep/wiki/AssigningPolicies#what-if-i-want-to-exclude-specific-policy-assignments-from-alz-default-policy-assignments +parTelemetryOptOut | No | Set Parameter to true to Opt-out of deployment telemetry + +### parTopLevelManagementGroupPrefix + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Prefix for the management group hierarchy. 
+ +- Default value: `alz` + +### parTopLevelManagementGroupSuffix + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Optional suffix for the management group hierarchy. This suffix will be appended to management group names/IDs. Include a preceding dash if required. Example: -suffix + +### parPlatformMgAlzDefaultsEnable + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Management, Identity and Connectivity Management Groups beneath Platform Management Group have been deployed. If set to false, platform policies are assigned to the Platform Management Group; otherwise policies are assigned to the child management groups. + +- Default value: `True` + +### parLandingZoneChildrenMgAlzDefaultsEnable + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Corp & Online Management Groups beneath Landing Zones Management Groups have been deployed. If set to false, policies will not try to be assigned to corp or onlone Management Groups. + +- Default value: `True` + +### parLogAnalyticsWorkSpaceAndAutomationAccountLocation + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +The region where the Log Analytics Workspace & Automation Account are deployed. + +- Default value: `eastus` + +### parLogAnalyticsWorkspaceResourceId + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Log Analytics Workspace Resource ID. + +### parLogAnalyticsWorkspaceLogRetentionInDays + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Number of days of log retention for Log Analytics Workspace. + +- Default value: `365` + +### parAutomationAccountName + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Automation account name. 
+ +- Default value: `alz-automation-account` + +### parMsDefenderForCloudEmailSecurityContact + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +An e-mail address that you want Microsoft Defender for Cloud alerts to be sent to. + +- Default value: `security_contact@replace_me.com` + +### parDdosProtectionPlanId + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +ID of the DdosProtectionPlan which will be applied to the Virtual Networks. If left empty, the policy Enable-DDoS-VNET will not be assigned at connectivity or landing zone Management Groups to avoid VNET deployment issues. + +### parPrivateDnsResourceGroupId + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Resource ID of the Resource Group that conatin the Private DNS Zones. If left empty, the policy Deploy-Private-DNS-Zones will not be assigned to the corp Management Group. + +### parPrivateDnsZonesNamesToAuditInCorp + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Provide an array/list of Private DNS Zones that you wish to audit if deployed into Subscriptions in the Corp Management Group. NOTE: The policy default values include all the static Private Link Private DNS Zones, e.g. all the DNS Zones that dont have a region or region shortcode in them. If you wish for these to be audited also you must provide a complete array/list to this parameter for ALL Private DNS Zones you wish to audit, including the static Private Link ones, as this parameter performs an overwrite operation. You can get all the Private DNS Zone Names form the `outPrivateDnsZonesNames` output in the Hub Networking or Private DNS Zone modules. 
+ +### parDisableAlzDefaultPolicies + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Set Enforcement Mode of all default Policies assignments to Do Not Enforce. + +- Default value: `False` + +### parVmBackupExclusionTagName + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Name of the tag to use for excluding VMs from the scope of this policy. This should be used along with the Exclusion Tag Value parameter. + +### parVmBackupExclusionTagValue + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Value of the tag to use for excluding VMs from the scope of this policy (in case of multiple values, use a comma-separated list). This should be used along with the Exclusion Tag Name parameter. + +### parExcludedPolicyAssignments + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Adding assignment definition names to this array will exclude the specific policies from assignment. 
Find the correct values to this array in the following documentation: https://github.com/Azure/ALZ-Bicep/wiki/AssigningPolicies#what-if-i-want-to-exclude-specific-policy-assignments-from-alz-default-policy-assignments + +### parTelemetryOptOut + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Set Parameter to true to Opt-out of deployment telemetry + +- Default value: `False` + +## Snippets + +### Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "template": "infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.json" + }, + "parameters": { + "parTopLevelManagementGroupPrefix": { + "value": "alz" + }, + "parTopLevelManagementGroupSuffix": { + "value": "" + }, + "parPlatformMgAlzDefaultsEnable": { + "value": true + }, + "parLandingZoneChildrenMgAlzDefaultsEnable": { + "value": true + }, + "parLogAnalyticsWorkSpaceAndAutomationAccountLocation": { + "value": "eastus" + }, + "parLogAnalyticsWorkspaceResourceId": { + "value": "" + }, + "parLogAnalyticsWorkspaceLogRetentionInDays": { + "value": "365" + }, + "parAutomationAccountName": { + "value": "alz-automation-account" + }, + "parMsDefenderForCloudEmailSecurityContact": { + "value": "security_contact@replace_me.com" + }, + "parDdosProtectionPlanId": { + "value": "" + }, + "parPrivateDnsResourceGroupId": { + "value": "" + }, + "parPrivateDnsZonesNamesToAuditInCorp": { + "value": [] + }, + "parDisableAlzDefaultPolicies": { + "value": false + }, + "parVmBackupExclusionTagName": { + "value": "" + }, + "parVmBackupExclusionTagValue": { + "value": [] + }, + "parExcludedPolicyAssignments": { + "value": [] + }, + "parTelemetryOptOut": { + "value": false + } + } +} +``` 
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/mc-alzDefaultPolicyAssignments.bicep.md b/dependencies/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/mc-alzDefaultPolicyAssignments.bicep.md
new file mode 100644
index 0000000..4787208
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/mc-alzDefaultPolicyAssignments.bicep.md
@@ -0,0 +1,138 @@ +# ALZ Bicep - ALZ Default Policy Assignments + +This policy assignment will assign the ALZ Default Policy to management groups + +## Parameters + +Parameter name | Required | Description +-------------- | -------- | ----------- +parTopLevelManagementGroupPrefix | No | Prefix for the management group hierarchy. +parTopLevelManagementGroupSuffix | No | Optional suffix for the management group hierarchy. This suffix will be appended to management group names/IDs. Include a preceding dash if required. Example: -suffix +parLogAnalyticsWorkSpaceAndAutomationAccountLocation | No | The region where the Log Analytics Workspace & Automation Account are deployed. +parLogAnalyticsWorkspaceResourceID | No | Log Analytics Workspace Resource ID. +parLogAnalyticsWorkspaceLogRetentionInDays | No | Number of days of log retention for Log Analytics Workspace. +parAutomationAccountName | No | Automation account name. +parMsDefenderForCloudEmailSecurityContact | No | An e-mail address that you want Microsoft Defender for Cloud alerts to be sent to. +parDdosProtectionPlanId | No | ID of the DdosProtectionPlan which will be applied to the Virtual Networks. If left empty, the policy Enable-DDoS-VNET will not be assigned at connectivity or landing zone Management Groups to avoid VNET deployment issues. +parDisableAlzDefaultPolicies | No | Set Enforcement Mode of all default Policies assignments to Do Not Enforce. +parTelemetryOptOut | No | Set Parameter to true to Opt-out of deployment telemetry + +### parTopLevelManagementGroupPrefix + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Prefix for the management group hierarchy. + +- Default value: `alz` + +### parTopLevelManagementGroupSuffix + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Optional suffix for the management group hierarchy. This suffix will be appended to management group names/IDs. 
Include a preceding dash if required. Example: -suffix + +### parLogAnalyticsWorkSpaceAndAutomationAccountLocation + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +The region where the Log Analytics Workspace & Automation Account are deployed. + +- Default value: `chinaeast2` + +### parLogAnalyticsWorkspaceResourceID + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Log Analytics Workspace Resource ID. + +### parLogAnalyticsWorkspaceLogRetentionInDays + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Number of days of log retention for Log Analytics Workspace. + +- Default value: `365` + +### parAutomationAccountName + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Automation account name. + +- Default value: `alz-automation-account` + +### parMsDefenderForCloudEmailSecurityContact + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +An e-mail address that you want Microsoft Defender for Cloud alerts to be sent to. + +- Default value: `security_contact@replace_me.com` + +### parDdosProtectionPlanId + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +ID of the DdosProtectionPlan which will be applied to the Virtual Networks. If left empty, the policy Enable-DDoS-VNET will not be assigned at connectivity or landing zone Management Groups to avoid VNET deployment issues. + +### parDisableAlzDefaultPolicies + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Set Enforcement Mode of all default Policies assignments to Do Not Enforce. 
+ +- Default value: `False` + +### parTelemetryOptOut + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Set Parameter to true to Opt-out of deployment telemetry + +- Default value: `False` + +## Snippets + +### Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "template": "infra-as-code/bicep/modules/policy/assignments/alzDefaults/mc-alzDefaultPolicyAssignments.json" + }, + "parameters": { + "parTopLevelManagementGroupPrefix": { + "value": "alz" + }, + "parTopLevelManagementGroupSuffix": { + "value": "" + }, + "parLogAnalyticsWorkSpaceAndAutomationAccountLocation": { + "value": "chinaeast2" + }, + "parLogAnalyticsWorkspaceResourceID": { + "value": "" + }, + "parLogAnalyticsWorkspaceLogRetentionInDays": { + "value": "365" + }, + "parAutomationAccountName": { + "value": "alz-automation-account" + }, + "parMsDefenderForCloudEmailSecurityContact": { + "value": "security_contact@replace_me.com" + }, + "parDdosProtectionPlanId": { + "value": "" + }, + "parDisableAlzDefaultPolicies": { + "value": false + }, + "parTelemetryOptOut": { + "value": false + } + } +} +``` diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/alzDefaults/mc-alzDefaultPolicyAssignments.bicep b/dependencies/infra-as-code/bicep/modules/policy/assignments/alzDefaults/mc-alzDefaultPolicyAssignments.bicep new file mode 100644 index 0000000..41404cf --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/alzDefaults/mc-alzDefaultPolicyAssignments.bicep 
@@ -0,0 +1,724 @@ +metadata name = 'ALZ Bicep - ALZ Default Policy Assignments' +metadata description = 'This policy assignment will assign the ALZ Default Policy to management groups' + +@sys.description('Prefix for the management group hierarchy.') +@minLength(2) +@maxLength(10) +param parTopLevelManagementGroupPrefix string = 'alz' + +@sys.description('Optional suffix for the management group hierarchy. This suffix will be appended to management group names/IDs. Include a preceding dash if required. Example: -suffix') +@maxLength(10) +param parTopLevelManagementGroupSuffix string = '' + +@sys.description('The region where the Log Analytics Workspace & Automation Account are deployed.') +param parLogAnalyticsWorkSpaceAndAutomationAccountLocation string = 'chinaeast2' + +@sys.description('Log Analytics Workspace Resource ID.') +param parLogAnalyticsWorkspaceResourceID string = '' + +@sys.description('Number of days of log retention for Log Analytics Workspace.') +param parLogAnalyticsWorkspaceLogRetentionInDays string = '365' + +@sys.description('Automation account name.') +param parAutomationAccountName string = 'alz-automation-account' + +@sys.description('An e-mail address that you want Microsoft Defender for Cloud alerts to be sent to.') +param parMsDefenderForCloudEmailSecurityContact string = 'security_contact@replace_me.com' + +@sys.description('ID of the DdosProtectionPlan which will be applied to the Virtual Networks. 
If left empty, the policy Enable-DDoS-VNET will not be assigned at connectivity or landing zone Management Groups to avoid VNET deployment issues.') +param parDdosProtectionPlanId string = '' + +@sys.description('Set Enforcement Mode of all default Policies assignments to Do Not Enforce.') +param parDisableAlzDefaultPolicies bool = false + +@sys.description('Set Parameter to true to Opt-out of deployment telemetry') +param parTelemetryOptOut bool = false + +var varLogAnalyticsWorkspaceName = split(parLogAnalyticsWorkspaceResourceID, '/')[8] + +var varLogAnalyticsWorkspaceResourceGroupName = split(parLogAnalyticsWorkspaceResourceID, '/')[4] + +// Customer Usage Attribution Id +var varCuaid = '98cef979-5a6b-403b-83c7-10c8f04ac9a2' + +// **Variables** +// Orchestration Module Variables +var varDeploymentNameWrappers = { + basePrefix: 'ALZBicep' + #disable-next-line no-loc-expr-outside-params //Policies resources are not deployed to a region, like other resources, but the metadata is stored in a region hence requiring this to keep input parameters reduced. 
See https://github.com/Azure/ALZ-Bicep/wiki/FAQ#why-are-some-linter-rules-disabled-via-the-disable-next-line-bicep-function for more information + baseSuffixTenantAndManagementGroup: '${deployment().location}-${uniqueString(deployment().location, parTopLevelManagementGroupPrefix)}' +} + +var varModuleDeploymentNames = { + modPolicyAssignmentIntRootDeployMDFCConfig: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployMDFCConfig-intRoot-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) + modPolicyAssignmentIntRootDeployAzActivityLog: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployAzActivityLog-intRoot-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) + modPolicyAssignmentIntRootDeployASCMonitoring: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployASCMonitoring-intRoot-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) + modPolicyAssignmentIntRootDeployResourceDiag: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployResourceDiag-intRoot-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) + modPolicyAssignmentIntRootDeployVMMonitoring: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployVMMonitoring-intRoot-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) + modPolicyAssignmentIntRootDeployVMSSMonitoring: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployVMSSMonitoring-intRoot-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) + modPolicyAssignmentConnEnableDdosVnet: take('${varDeploymentNameWrappers.basePrefix}-polAssi-enableDDoSVNET-conn-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) + modPolicyAssignmentIdentDenyPublicIP: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyPublicIP-ident-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64) + modPolicyAssignmentIdentDenyRDPFromInternet: 
take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyRDPFromInet-ident-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+ modPolicyAssignmentIdentDenySubnetWithoutNSG: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denySubnetNoNSG-ident-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+ modPolicyAssignmentIdentDeployVMBackup: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployVMBackup-ident-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+ modPolicyAssignmentMgmtDeployLogAnalytics: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployLAW-mgmt-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+ modPolicyAssignmentLZsDenyIPForwarding: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyIPForward-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+ modPolicyAssignmentLZsDenyRDPFromInternet: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyRDPFromInet-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+ modPolicyAssignmentLZsDenySubnetWithoutNSG: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denySubnetNoNSG-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+ modPolicyAssignmentLZsDeployVMBackup: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployVMBackup-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+ modPolicyAssignmentLZsEnableDDoSVNET: take('${varDeploymentNameWrappers.basePrefix}-polAssi-enableDDoSVNET-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+ modPolicyAssignmentLZsDenyStorageHttp: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyStorageHttp-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+ modPolicyAssignmentLZsDeployAKSPolicy: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployAKSPolicy-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+ modPolicyAssignmentLZsDenyPrivEscalationAKS: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyPrivEscAKS-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+ modPolicyAssignmentLZsDenyPrivContainersAKS: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyPrivConAKS-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+ modPolicyAssignmentLZsEnforceAKSHTTPS: take('${varDeploymentNameWrappers.basePrefix}-polAssi-enforceAKSHTTPS-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+ modPolicyAssignmentLZsEnforceTLSSSL: take('${varDeploymentNameWrappers.basePrefix}-polAssi-enforceTLSSSL-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+ modPolicyAssignmentLZsDeploySQLDBAuditing: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deploySQLDBAudit-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+ modPolicyAssignmentLZsDeploySQLThreat: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deploySQLThreat-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+ modPolicyAssignmentLZsDenyPublicEndpoints: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyPublicEndpoints-corp-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+ modPolicyAssignmentLZsDeployPrivateDNSZones: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployPrivateDNS-corp-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+ modPolicyAssignmentLZsDenyDataBPip: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyDataBPip-corp-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+ modPolicyAssignmentLZsDenyDataBSku: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyDataBSku-corp-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+ modPolicyAssignmentLZsDenyDataBVnet: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyDataBVnet-corp-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+}
+
+// Policy Assignments Modules Variables
+
+var varPolicyAssignmentEnforceAKSHTTPS = {
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d'
+ libDefinition: loadJsonContent(('../../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_http_ingress_aks.tmpl.json'))
+}
+
+var varPolicyAssignmentDenyIPForwarding = {
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900'
+ libDefinition: loadJsonContent(('../../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_ip_forwarding.tmpl.json'))
+}
+
+var varPolicyAssignmentDenyPrivContainersAKS = {
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/95edb821-ddaf-4404-9732-666045e056b4'
+ libDefinition: loadJsonContent(('../../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_priv_containers_aks.tmpl.json'))
+}
+
+var varPolicyAssignmentDenyPrivEscalationAKS = {
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/1c6e92c9-99f0-4e55-9cf2-0c234dc48f99'
+ libDefinition: loadJsonContent(('../../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_priv_escalation_aks.tmpl.json'))
+}
+
+var varPolicyAssignmentDenyPublicEndpoints = {
+ definitionId: '${varTopLevelManagementGroupResourceID}/providers/Microsoft.Authorization/policySetDefinitions/Deny-PublicPaaSEndpoints'
+ libDefinition: loadJsonContent(('../../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_public_endpoints.tmpl.json'))
+}
+
+var varPolicyAssignmentDenyPublicIP = {
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749'
+ libDefinition: 
loadJsonContent(('../../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_public_ip.tmpl.json'))
+}
+
+var varPolicyAssignmentDenyRDPFromInternet = {
+ definitionId: '${varTopLevelManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deny-RDP-From-Internet'
+ libDefinition: loadJsonContent(('../../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_rdp_from_internet.tmpl.json'))
+}
+
+var varPolicyAssignmentDenyStoragehttp = {
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9'
+ libDefinition: loadJsonContent(('../../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_storage_http.tmpl.json'))
+}
+
+var varPolicyAssignmentDenySubnetWithoutNsg = {
+ definitionId: '${varTopLevelManagementGroupResourceID}/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Nsg'
+ libDefinition: loadJsonContent(('../../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_subnet_without_nsg.tmpl.json'))
+}
+
+var varPolicyAssignmentDeployAKSPolicy = {
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7'
+ libDefinition: loadJsonContent(('../../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_aks_policy.tmpl.json'))
+}
+
+var varPolicyAssignmentDeployASCMonitoring = {
+ definitionId: '/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8'
+ libDefinition: loadJsonContent(('../../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_asc_monitoring.tmpl.json'))
+}
+
+var varPolicyAssignmentDeployLogAnalytics = {
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/8e3e61b3-0b32-22d5-4edf-55f87fdb5955'
+ libDefinition: loadJsonContent(('../../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_log_analytics.tmpl.json'))
+}
+
+var varPolicyAssignmentDeployMDFCConfig = {
+ definitionId: '${varTopLevelManagementGroupResourceID}/providers/Microsoft.Authorization/policySetDefinitions/Deploy-MDFC-Config'
+ libDefinition: loadJsonContent(('../../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_mdfc_config.tmpl.json'))
+}
+
+var varPolicyAssignmentDeployResourceDiag = {
+ definitionId: '${varTopLevelManagementGroupResourceID}/providers/Microsoft.Authorization/policySetDefinitions/Deploy-Diagnostics-LogAnalytics'
+ libDefinition: loadJsonContent(('../../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_resource_diag.tmpl.json'))
+}
+
+var varPolicyAssignmentDeploySQLDBAuditing = {
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9'
+ libDefinition: loadJsonContent(('../../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_sql_db_auditing.tmpl.json'))
+}
+var varPolicyAssignmentDeploySQLThreat = {
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/36d49e87-48c4-4f2e-beed-ba4ed02b71f5'
+ libDefinition: loadJsonContent(('../../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_sql_threat.tmpl.json'))
+}
+
+var varPolicyAssignmentDeployVMBackup = {
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/98d0b9f8-fd90-49c9-88e2-d3baf3b0dd86'
+ libDefinition: loadJsonContent(('../../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_vm_backup.tmpl.json'))
+}
+
+var varPolicyAssignmentDeployVMMonitoring = {
+ definitionId: '/providers/Microsoft.Authorization/policySetDefinitions/55f3eceb-5573-4f18-9695-226972c6d74a'
+ libDefinition: loadJsonContent(('../../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_vm_monitoring.tmpl.json'))
+}
+
+var varPolicyAssignmentDeployVMSSMonitoring = {
+ definitionId: '/providers/Microsoft.Authorization/policySetDefinitions/75714362-cae7-409e-9b99-a8e5075b7fad'
+ libDefinition: loadJsonContent(('../../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_vmss_monitoring.tmpl.json'))
+}
+
+var varPolicyAssignmentEnableDDoSVNET = {
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/94de2ad3-e0c1-4caf-ad78-5d47bbc83d3d'
+ libDefinition: loadJsonContent(('../../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_enable_ddos_vnet.tmpl.json'))
+}
+
+var varPolicyAssignmentEnforceTLSSSL = {
+ definitionId: '${varTopLevelManagementGroupResourceID}/providers/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit'
+ libDefinition: loadJsonContent(('../../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_enforce_tls_ssl.tmpl.json'))
+}
+
+// RBAC Role Definitions Variables - Used For Policy Assignments
+var varRBACRoleDefinitionIDs = {
+ owner: '8e3af657-a8ff-443c-a75c-2fe8c4bcb635'
+ contributor: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
+ networkContributor: '4d97b98b-1d4f-4787-a291-c67834d212e7'
+ aksContributor: 'ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8'
+}
+
+// Management Groups Variables - Used For Policy Assignments
+var varManagementGroupIDs = {
+ intRoot: '${parTopLevelManagementGroupPrefix}${parTopLevelManagementGroupSuffix}'
+ platform: '${parTopLevelManagementGroupPrefix}-platform${parTopLevelManagementGroupSuffix}'
+ platformManagement: '${parTopLevelManagementGroupPrefix}-platform-management${parTopLevelManagementGroupSuffix}'
+ platformConnectivity: '${parTopLevelManagementGroupPrefix}-platform-connectivity${parTopLevelManagementGroupSuffix}'
+ platformIdentity: 
'${parTopLevelManagementGroupPrefix}-platform-identity${parTopLevelManagementGroupSuffix}'
+ landingZones: '${parTopLevelManagementGroupPrefix}-landingzones${parTopLevelManagementGroupSuffix}'
+ landingZonesCorp: '${parTopLevelManagementGroupPrefix}-landingzones-corp${parTopLevelManagementGroupSuffix}'
+ landingZonesOnline: '${parTopLevelManagementGroupPrefix}-landingzones-online${parTopLevelManagementGroupSuffix}'
+ decommissioned: '${parTopLevelManagementGroupPrefix}-decommissioned${parTopLevelManagementGroupSuffix}'
+ sandbox: '${parTopLevelManagementGroupPrefix}-sandbox${parTopLevelManagementGroupSuffix}'
+}
+
+var varTopLevelManagementGroupResourceID = '/providers/Microsoft.Management/managementGroups/${varManagementGroupIDs.intRoot}'
+
+// **Scope**
+targetScope = 'managementGroup'
+
+// Optional Deployment for Customer Usage Attribution
+module modCustomerUsageAttribution '../../../../CRML/customerUsageAttribution/cuaIdManagementGroup.bicep' = if (!parTelemetryOptOut) {
+ #disable-next-line no-loc-expr-outside-params //Only to ensure telemetry data is stored in same location as deployment. See https://github.com/Azure/ALZ-Bicep/wiki/FAQ#why-are-some-linter-rules-disabled-via-the-disable-next-line-bicep-function for more information
+ name: 'pid-${varCuaid}-${uniqueString(deployment().location)}'
+ params: {}
+}
+
+// Modules - Policy Assignments - Intermediate Root Management Group
+// Module - Policy Assignment - Deploy-MDFC-Config
+module modPolicyAssignmentIntRootDeployMDFCConfig '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = {
+ scope: managementGroup(varManagementGroupIDs.intRoot)
+ name: varModuleDeploymentNames.modPolicyAssignmentIntRootDeployMDFCConfig
+ params: {
+ parPolicyAssignmentDefinitionId: varPolicyAssignmentDeployMDFCConfig.definitionId
+ parPolicyAssignmentName: varPolicyAssignmentDeployMDFCConfig.libDefinition.name
+ parPolicyAssignmentDisplayName: varPolicyAssignmentDeployMDFCConfig.libDefinition.properties.displayName
+ parPolicyAssignmentDescription: varPolicyAssignmentDeployMDFCConfig.libDefinition.properties.description
+ parPolicyAssignmentParameters: varPolicyAssignmentDeployMDFCConfig.libDefinition.properties.parameters
+ parPolicyAssignmentParameterOverrides: {
+ emailSecurityContact: {
+ value: parMsDefenderForCloudEmailSecurityContact
+ }
+ ascExportResourceGroupLocation: {
+ value: parLogAnalyticsWorkSpaceAndAutomationAccountLocation
+ }
+ logAnalytics: {
+ value: parLogAnalyticsWorkspaceResourceID
+ }
+ }
+ parPolicyAssignmentIdentityType: varPolicyAssignmentDeployMDFCConfig.libDefinition.identity.type
+ parPolicyAssignmentIdentityRoleDefinitionIds: [
+ varRBACRoleDefinitionIDs.owner
+ ]
+ parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 
'DoNotEnforce' : varPolicyAssignmentDeployMDFCConfig.libDefinition.properties.enforcementMode
+ parTelemetryOptOut: parTelemetryOptOut
+ }
+}
+
+// Module - Policy Assignment - Deploy-ASC-Monitoring
+module modPolicyAssignmentIntRootDeployASCMonitoring '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = {
+ // dependsOn: [
+ // modCustomPolicyDefinitions
+ // ]
+ scope: managementGroup(varManagementGroupIDs.intRoot)
+ name: varModuleDeploymentNames.modPolicyAssignmentIntRootDeployASCMonitoring
+ params: {
+ parPolicyAssignmentDefinitionId: varPolicyAssignmentDeployASCMonitoring.definitionId
+ parPolicyAssignmentName: varPolicyAssignmentDeployASCMonitoring.libDefinition.name
+ parPolicyAssignmentDisplayName: varPolicyAssignmentDeployASCMonitoring.libDefinition.properties.displayName
+ parPolicyAssignmentDescription: varPolicyAssignmentDeployASCMonitoring.libDefinition.properties.description
+ parPolicyAssignmentParameters: varPolicyAssignmentDeployASCMonitoring.libDefinition.properties.parameters
+ parPolicyAssignmentIdentityType: varPolicyAssignmentDeployASCMonitoring.libDefinition.identity.type
+ parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentDeployASCMonitoring.libDefinition.properties.enforcementMode
+ parTelemetryOptOut: parTelemetryOptOut
+ }
+}
+
+// Module - Policy Assignment - Deploy-Resource-Diag
+module modPolicyAssignmentIntRootDeployResourceDiag '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = {
+ scope: managementGroup(varManagementGroupIDs.intRoot)
+ name: varModuleDeploymentNames.modPolicyAssignmentIntRootDeployResourceDiag
+ params: {
+ parPolicyAssignmentDefinitionId: varPolicyAssignmentDeployResourceDiag.definitionId
+ parPolicyAssignmentName: varPolicyAssignmentDeployResourceDiag.libDefinition.name
+ parPolicyAssignmentDisplayName: varPolicyAssignmentDeployResourceDiag.libDefinition.properties.displayName
+ parPolicyAssignmentDescription: varPolicyAssignmentDeployResourceDiag.libDefinition.properties.description
+ parPolicyAssignmentParameters: varPolicyAssignmentDeployResourceDiag.libDefinition.properties.parameters
+ parPolicyAssignmentParameterOverrides: {
+ logAnalytics: {
+ value: parLogAnalyticsWorkspaceResourceID
+ }
+ }
+ parPolicyAssignmentIdentityType: varPolicyAssignmentDeployResourceDiag.libDefinition.identity.type
+ parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentDeployResourceDiag.libDefinition.properties.enforcementMode
+ parPolicyAssignmentIdentityRoleDefinitionIds: [
+ varRBACRoleDefinitionIDs.owner
+ ]
+ parTelemetryOptOut: parTelemetryOptOut
+ }
+}
+
+// Module - Policy Assignment - Deploy-VM-Monitoring
+module modPolicyAssignmentIntRootDeployVMMonitoring '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = {
+ scope: managementGroup(varManagementGroupIDs.intRoot)
+ name: varModuleDeploymentNames.modPolicyAssignmentIntRootDeployVMMonitoring
+ params: {
+ parPolicyAssignmentDefinitionId: varPolicyAssignmentDeployVMMonitoring.definitionId
+ parPolicyAssignmentName: varPolicyAssignmentDeployVMMonitoring.libDefinition.name
+ parPolicyAssignmentDisplayName: varPolicyAssignmentDeployVMMonitoring.libDefinition.properties.displayName
+ parPolicyAssignmentDescription: varPolicyAssignmentDeployVMMonitoring.libDefinition.properties.description
+ parPolicyAssignmentParameters: varPolicyAssignmentDeployVMMonitoring.libDefinition.properties.parameters
+ parPolicyAssignmentParameterOverrides: {
+ logAnalytics_1: {
+ value: parLogAnalyticsWorkspaceResourceID
+ }
+ }
+ parPolicyAssignmentIdentityType: varPolicyAssignmentDeployVMMonitoring.libDefinition.identity.type
+ parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentDeployVMMonitoring.libDefinition.properties.enforcementMode
+ parPolicyAssignmentIdentityRoleDefinitionIds: [
+ varRBACRoleDefinitionIDs.owner
+ ]
+ parTelemetryOptOut: parTelemetryOptOut
+ }
+}
+
+// Module - Policy Assignment - Deploy-VMSS-Monitoring
+module modPolicyAssignmentIntRootDeployVMSSMonitoring '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = {
+ scope: managementGroup(varManagementGroupIDs.intRoot)
+ name: varModuleDeploymentNames.modPolicyAssignmentIntRootDeployVMSSMonitoring
+ params: {
+ parPolicyAssignmentDefinitionId: varPolicyAssignmentDeployVMSSMonitoring.definitionId
+ parPolicyAssignmentName: varPolicyAssignmentDeployVMSSMonitoring.libDefinition.name
+ parPolicyAssignmentDisplayName: varPolicyAssignmentDeployVMSSMonitoring.libDefinition.properties.displayName
+ parPolicyAssignmentDescription: varPolicyAssignmentDeployVMSSMonitoring.libDefinition.properties.description
+ parPolicyAssignmentParameters: varPolicyAssignmentDeployVMSSMonitoring.libDefinition.properties.parameters
+ parPolicyAssignmentParameterOverrides: {
+ logAnalytics_1: {
+ value: parLogAnalyticsWorkspaceResourceID
+ }
+ }
+ parPolicyAssignmentIdentityType: varPolicyAssignmentDeployVMSSMonitoring.libDefinition.identity.type
+ parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentDeployVMSSMonitoring.libDefinition.properties.enforcementMode
+ parPolicyAssignmentIdentityRoleDefinitionIds: [
+ varRBACRoleDefinitionIDs.owner
+ ]
+ parTelemetryOptOut: parTelemetryOptOut
+ }
+}
+
+// Modules - Policy Assignments - Connectivity Management Group
+// Module - Policy Assignment - Enable-DDoS-VNET
+module modPolicyAssignmentConnEnableDDoSVNET '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!empty(parDdosProtectionPlanId)) {
+ scope: managementGroup(varManagementGroupIDs.platformConnectivity)
+ name: varModuleDeploymentNames.modPolicyAssignmentConnEnableDdosVnet
+ params: {
+ parPolicyAssignmentDefinitionId: varPolicyAssignmentEnableDDoSVNET.definitionId
+ parPolicyAssignmentName: varPolicyAssignmentEnableDDoSVNET.libDefinition.name
+ parPolicyAssignmentDisplayName: varPolicyAssignmentEnableDDoSVNET.libDefinition.properties.displayName
+ parPolicyAssignmentDescription: varPolicyAssignmentEnableDDoSVNET.libDefinition.properties.description
+ parPolicyAssignmentParameters: varPolicyAssignmentEnableDDoSVNET.libDefinition.properties.parameters
+ parPolicyAssignmentParameterOverrides: {
+ ddosPlan: {
+ value: parDdosProtectionPlanId
+ }
+ }
+ parPolicyAssignmentIdentityType: varPolicyAssignmentEnableDDoSVNET.libDefinition.identity.type
+ parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 
'DoNotEnforce' : varPolicyAssignmentEnableDDoSVNET.libDefinition.properties.enforcementMode
+ parPolicyAssignmentIdentityRoleDefinitionIds: [
+ varRBACRoleDefinitionIDs.networkContributor
+ ]
+ parTelemetryOptOut: parTelemetryOptOut
+ }
+}
+
+// Modules - Policy Assignments - Identity Management Group
+// Module - Policy Assignment - Deny-Public-IP
+module modPolicyAssignmentIdentDenyPublicIP '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = {
+ scope: managementGroup(varManagementGroupIDs.platformIdentity)
+ name: varModuleDeploymentNames.modPolicyAssignmentIdentDenyPublicIP
+ params: {
+ parPolicyAssignmentDefinitionId: varPolicyAssignmentDenyPublicIP.definitionId
+ parPolicyAssignmentName: varPolicyAssignmentDenyPublicIP.libDefinition.name
+ parPolicyAssignmentDisplayName: varPolicyAssignmentDenyPublicIP.libDefinition.properties.displayName
+ parPolicyAssignmentDescription: varPolicyAssignmentDenyPublicIP.libDefinition.properties.description
+ parPolicyAssignmentParameters: varPolicyAssignmentDenyPublicIP.libDefinition.properties.parameters
+ parPolicyAssignmentIdentityType: varPolicyAssignmentDenyPublicIP.libDefinition.identity.type
+ parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentDenyPublicIP.libDefinition.properties.enforcementMode
+ parTelemetryOptOut: parTelemetryOptOut
+ }
+}
+
+// Module - Policy Assignment - Deny-RDP-From-Internet
+module modPolicyAssignmentIdentDenyRDPFromInternet '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = {
+ scope: managementGroup(varManagementGroupIDs.platformIdentity)
+ name: varModuleDeploymentNames.modPolicyAssignmentIdentDenyRDPFromInternet
+ params: {
+ parPolicyAssignmentDefinitionId: varPolicyAssignmentDenyRDPFromInternet.definitionId
+ parPolicyAssignmentName: varPolicyAssignmentDenyRDPFromInternet.libDefinition.name
+ parPolicyAssignmentDisplayName: varPolicyAssignmentDenyRDPFromInternet.libDefinition.properties.displayName
+ parPolicyAssignmentDescription: varPolicyAssignmentDenyRDPFromInternet.libDefinition.properties.description
+ parPolicyAssignmentParameters: varPolicyAssignmentDenyRDPFromInternet.libDefinition.properties.parameters
+ parPolicyAssignmentIdentityType: varPolicyAssignmentDenyRDPFromInternet.libDefinition.identity.type
+ parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentDenyRDPFromInternet.libDefinition.properties.enforcementMode
+ parTelemetryOptOut: parTelemetryOptOut
+ }
+}
+
+// Module - Policy Assignment - Deny-Subnet-Without-Nsg
+module modPolicyAssignmentIdentDenySubnetWithoutNSG '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = {
+ scope: managementGroup(varManagementGroupIDs.platformIdentity)
+ name: varModuleDeploymentNames.modPolicyAssignmentIdentDenySubnetWithoutNSG
+ params: {
+ parPolicyAssignmentDefinitionId: varPolicyAssignmentDenySubnetWithoutNsg.definitionId
+ parPolicyAssignmentName: varPolicyAssignmentDenySubnetWithoutNsg.libDefinition.name
+ parPolicyAssignmentDisplayName: varPolicyAssignmentDenySubnetWithoutNsg.libDefinition.properties.displayName
+ parPolicyAssignmentDescription: varPolicyAssignmentDenySubnetWithoutNsg.libDefinition.properties.description
+ parPolicyAssignmentParameters: varPolicyAssignmentDenySubnetWithoutNsg.libDefinition.properties.parameters
+ parPolicyAssignmentIdentityType: varPolicyAssignmentDenySubnetWithoutNsg.libDefinition.identity.type
+ parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentDenySubnetWithoutNsg.libDefinition.properties.enforcementMode
+ parTelemetryOptOut: parTelemetryOptOut
+ }
+}
+
+// Module - Policy Assignment - Deploy-VM-Backup
+module modPolicyAssignmentIdentDeployVMBackup '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = {
+ scope: managementGroup(varManagementGroupIDs.platformIdentity)
+ name: varModuleDeploymentNames.modPolicyAssignmentIdentDeployVMBackup
+ params: {
+ parPolicyAssignmentDefinitionId: varPolicyAssignmentDeployVMBackup.definitionId
+ parPolicyAssignmentName: varPolicyAssignmentDeployVMBackup.libDefinition.name
+ parPolicyAssignmentDisplayName: varPolicyAssignmentDeployVMBackup.libDefinition.properties.displayName
+ parPolicyAssignmentDescription: varPolicyAssignmentDeployVMBackup.libDefinition.properties.description
+ parPolicyAssignmentParameters: varPolicyAssignmentDeployVMBackup.libDefinition.properties.parameters
+ parPolicyAssignmentIdentityType: varPolicyAssignmentDeployVMBackup.libDefinition.identity.type
+ parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentDeployVMBackup.libDefinition.properties.enforcementMode
+ parPolicyAssignmentIdentityRoleDefinitionIds: [
+ varRBACRoleDefinitionIDs.owner
+ ]
+ parTelemetryOptOut: parTelemetryOptOut
+ }
+}
+
+// Modules - Policy Assignments - Management Management Group
+// Module - Policy Assignment - Deploy-Log-Analytics
+module modPolicyAssignmentMgmtDeployLogAnalytics '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = {
+ scope: managementGroup(varManagementGroupIDs.platformManagement)
+ name: varModuleDeploymentNames.modPolicyAssignmentMgmtDeployLogAnalytics
+ params: {
+ parPolicyAssignmentDefinitionId: varPolicyAssignmentDeployLogAnalytics.definitionId
+ parPolicyAssignmentName: varPolicyAssignmentDeployLogAnalytics.libDefinition.name
+ parPolicyAssignmentDisplayName: varPolicyAssignmentDeployLogAnalytics.libDefinition.properties.displayName
+ parPolicyAssignmentDescription: varPolicyAssignmentDeployLogAnalytics.libDefinition.properties.description
+ parPolicyAssignmentParameters: varPolicyAssignmentDeployLogAnalytics.libDefinition.properties.parameters
+ parPolicyAssignmentParameterOverrides: {
+ rgName: {
+ value: varLogAnalyticsWorkspaceResourceGroupName
+ }
+ workspaceName: {
+ value: varLogAnalyticsWorkspaceName
+ }
+ workspaceRegion: {
+ value: parLogAnalyticsWorkSpaceAndAutomationAccountLocation
+ }
+ dataRetention: {
+ value: parLogAnalyticsWorkspaceLogRetentionInDays
+ }
+ automationAccountName: {
+ value: parAutomationAccountName
+ }
+ automationRegion: {
+ value: parLogAnalyticsWorkSpaceAndAutomationAccountLocation
+ }
+ }
+ parPolicyAssignmentIdentityType: varPolicyAssignmentDeployLogAnalytics.libDefinition.identity.type
+ parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 
'DoNotEnforce' : varPolicyAssignmentDeployLogAnalytics.libDefinition.properties.enforcementMode
+ parPolicyAssignmentIdentityRoleDefinitionIds: [
+ varRBACRoleDefinitionIDs.owner
+ ]
+ parTelemetryOptOut: parTelemetryOptOut
+ }
+}
+
+// Modules - Policy Assignments - Landing Zones Management Group
+// Module - Policy Assignment - Deny-IP-Forwarding
+module modPolicyAssignmentLZsDenyIPForwarding '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = {
+ scope: managementGroup(varManagementGroupIDs.landingZones)
+ name: varModuleDeploymentNames.modPolicyAssignmentLZsDenyIPForwarding
+ params: {
+ parPolicyAssignmentDefinitionId: varPolicyAssignmentDenyIPForwarding.definitionId
+ parPolicyAssignmentName: varPolicyAssignmentDenyIPForwarding.libDefinition.name
+ parPolicyAssignmentDisplayName: varPolicyAssignmentDenyIPForwarding.libDefinition.properties.displayName
+ parPolicyAssignmentDescription: varPolicyAssignmentDenyIPForwarding.libDefinition.properties.description
+ parPolicyAssignmentParameters: varPolicyAssignmentDenyIPForwarding.libDefinition.properties.parameters
+ parPolicyAssignmentIdentityType: varPolicyAssignmentDenyIPForwarding.libDefinition.identity.type
+ parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentDenyIPForwarding.libDefinition.properties.enforcementMode
+ parTelemetryOptOut: parTelemetryOptOut
+ }
+}
+
+// Module - Policy Assignment - Deny-RDP-From-Internet
+module modPolicyAssignmentLZstDenyRDPFromInternet '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = {
+ scope: managementGroup(varManagementGroupIDs.landingZones)
+ name: varModuleDeploymentNames.modPolicyAssignmentLZsDenyRDPFromInternet
+ params: {
+ parPolicyAssignmentDefinitionId: varPolicyAssignmentDenyRDPFromInternet.definitionId
+ parPolicyAssignmentName: varPolicyAssignmentDenyRDPFromInternet.libDefinition.name
+ parPolicyAssignmentDisplayName: varPolicyAssignmentDenyRDPFromInternet.libDefinition.properties.displayName
+ parPolicyAssignmentDescription: varPolicyAssignmentDenyRDPFromInternet.libDefinition.properties.description
+ parPolicyAssignmentParameters: varPolicyAssignmentDenyRDPFromInternet.libDefinition.properties.parameters
+ parPolicyAssignmentIdentityType: varPolicyAssignmentDenyRDPFromInternet.libDefinition.identity.type
+ parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentDenyRDPFromInternet.libDefinition.properties.enforcementMode
+ parTelemetryOptOut: parTelemetryOptOut
+ }
+}
+
+// Module - Policy Assignment - Deny-Subnet-Without-Nsg
+module modPolicyAssignmentLZsDenySubnetWithoutNSG '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = {
+ scope: managementGroup(varManagementGroupIDs.landingZones)
+ name: varModuleDeploymentNames.modPolicyAssignmentLZsDenySubnetWithoutNSG
+ params: {
+ parPolicyAssignmentDefinitionId: varPolicyAssignmentDenySubnetWithoutNsg.definitionId
+ parPolicyAssignmentName: varPolicyAssignmentDenySubnetWithoutNsg.libDefinition.name
+ parPolicyAssignmentDisplayName: varPolicyAssignmentDenySubnetWithoutNsg.libDefinition.properties.displayName
+ parPolicyAssignmentDescription: varPolicyAssignmentDenySubnetWithoutNsg.libDefinition.properties.description
+ parPolicyAssignmentParameters: varPolicyAssignmentDenySubnetWithoutNsg.libDefinition.properties.parameters
+ parPolicyAssignmentIdentityType: varPolicyAssignmentDenySubnetWithoutNsg.libDefinition.identity.type
+ parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentDenySubnetWithoutNsg.libDefinition.properties.enforcementMode
+ parTelemetryOptOut: parTelemetryOptOut
+ }
+}
+
+// Module - Policy Assignment - Deploy-VM-Backup
+module modPolicyAssignmentLZsDeployVMBackup '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = {
+ scope: managementGroup(varManagementGroupIDs.landingZones)
+ name: varModuleDeploymentNames.modPolicyAssignmentLZsDeployVMBackup
+ params: {
+ parPolicyAssignmentDefinitionId: varPolicyAssignmentDeployVMBackup.definitionId
+ parPolicyAssignmentName: varPolicyAssignmentDeployVMBackup.libDefinition.name
+ parPolicyAssignmentDisplayName: varPolicyAssignmentDeployVMBackup.libDefinition.properties.displayName
+ parPolicyAssignmentDescription: varPolicyAssignmentDeployVMBackup.libDefinition.properties.description
+ parPolicyAssignmentParameters: varPolicyAssignmentDeployVMBackup.libDefinition.properties.parameters
+ parPolicyAssignmentIdentityType: varPolicyAssignmentDeployVMBackup.libDefinition.identity.type
+ parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentDeployVMBackup.libDefinition.properties.enforcementMode
+ parPolicyAssignmentIdentityRoleDefinitionIds: [
+ varRBACRoleDefinitionIDs.owner
+ ]
+ parTelemetryOptOut: parTelemetryOptOut
+ }
+}
+
+// Module - Policy Assignment - Enable-DDoS-VNET
+module modPolicyAssignmentLZsEnableDDoSVNET '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!empty(parDdosProtectionPlanId)) {
+ scope: managementGroup(varManagementGroupIDs.landingZones)
+ name: varModuleDeploymentNames.modPolicyAssignmentLZsEnableDDoSVNET
+ params: {
+ parPolicyAssignmentDefinitionId: varPolicyAssignmentEnableDDoSVNET.definitionId
+ parPolicyAssignmentName: varPolicyAssignmentEnableDDoSVNET.libDefinition.name
+ parPolicyAssignmentDisplayName: varPolicyAssignmentEnableDDoSVNET.libDefinition.properties.displayName
+ parPolicyAssignmentDescription: varPolicyAssignmentEnableDDoSVNET.libDefinition.properties.description
+ parPolicyAssignmentParameters: varPolicyAssignmentEnableDDoSVNET.libDefinition.properties.parameters
+ parPolicyAssignmentParameterOverrides: {
+ ddosPlan: {
+ value: parDdosProtectionPlanId
+ }
+ }
+ parPolicyAssignmentIdentityType: varPolicyAssignmentEnableDDoSVNET.libDefinition.identity.type
+ parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 
'DoNotEnforce' : varPolicyAssignmentEnableDDoSVNET.libDefinition.properties.enforcementMode
+ parPolicyAssignmentIdentityRoleDefinitionIds: [
+ varRBACRoleDefinitionIDs.networkContributor
+ ]
+ parTelemetryOptOut: parTelemetryOptOut
+ }
+}
+
+// Module - Policy Assignment - Deny-Storage-http
+module modPolicyAssignmentLZsDenyStorageHttp '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = {
+ scope: managementGroup(varManagementGroupIDs.landingZones)
+ name: varModuleDeploymentNames.modPolicyAssignmentLZsDenyStorageHttp
+ params: {
+ parPolicyAssignmentDefinitionId: varPolicyAssignmentDenyStoragehttp.definitionId
+ parPolicyAssignmentName: varPolicyAssignmentDenyStoragehttp.libDefinition.name
+ parPolicyAssignmentDisplayName: varPolicyAssignmentDenyStoragehttp.libDefinition.properties.displayName
+ parPolicyAssignmentDescription: varPolicyAssignmentDenyStoragehttp.libDefinition.properties.description
+ parPolicyAssignmentParameters: varPolicyAssignmentDenyStoragehttp.libDefinition.properties.parameters
+ parPolicyAssignmentIdentityType: varPolicyAssignmentDenyStoragehttp.libDefinition.identity.type
+ parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentDenyStoragehttp.libDefinition.properties.enforcementMode
+ parTelemetryOptOut: parTelemetryOptOut
+ }
+}
+
+// Module - Policy Assignment - Deploy-AKS-Policy
+module modPolicyAssignmentLZsDeployAKSPolicy '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = {
+ scope: managementGroup(varManagementGroupIDs.landingZones)
+ name: varModuleDeploymentNames.modPolicyAssignmentLZsDeployAKSPolicy
+ params: {
+ parPolicyAssignmentDefinitionId: varPolicyAssignmentDeployAKSPolicy.definitionId
+ parPolicyAssignmentName: varPolicyAssignmentDeployAKSPolicy.libDefinition.name
+ parPolicyAssignmentDisplayName: varPolicyAssignmentDeployAKSPolicy.libDefinition.properties.displayName
+ parPolicyAssignmentDescription: varPolicyAssignmentDeployAKSPolicy.libDefinition.properties.description
+ parPolicyAssignmentParameters: varPolicyAssignmentDeployAKSPolicy.libDefinition.properties.parameters
+ parPolicyAssignmentIdentityType: varPolicyAssignmentDeployAKSPolicy.libDefinition.identity.type
+ parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentDeployAKSPolicy.libDefinition.properties.enforcementMode
+ parPolicyAssignmentIdentityRoleDefinitionIds: [
+ varRBACRoleDefinitionIDs.aksContributor
+ ]
+ parTelemetryOptOut: parTelemetryOptOut
+ }
+}
+
+// Module - Policy Assignment - Deny-Priv-Escalation-AKS
+module modPolicyAssignmentLZsDenyPrivEscalationAKS '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = {
+ scope: managementGroup(varManagementGroupIDs.landingZones)
+ name: varModuleDeploymentNames.modPolicyAssignmentLZsDenyPrivEscalationAKS
+ params: {
+ parPolicyAssignmentDefinitionId: varPolicyAssignmentDenyPrivEscalationAKS.definitionId
+ parPolicyAssignmentName: varPolicyAssignmentDenyPrivEscalationAKS.libDefinition.name
+ parPolicyAssignmentDisplayName: varPolicyAssignmentDenyPrivEscalationAKS.libDefinition.properties.displayName
+ parPolicyAssignmentDescription: varPolicyAssignmentDenyPrivEscalationAKS.libDefinition.properties.description
+ parPolicyAssignmentParameters: varPolicyAssignmentDenyPrivEscalationAKS.libDefinition.properties.parameters
+ parPolicyAssignmentIdentityType: varPolicyAssignmentDenyPrivEscalationAKS.libDefinition.identity.type
+ parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentDenyPrivEscalationAKS.libDefinition.properties.enforcementMode
+ parTelemetryOptOut: parTelemetryOptOut
+ }
+}
+
+// Module - Policy Assignment - Deny-Priv-Containers-AKS
+module modPolicyAssignmentLZsDenyPrivContainersAKS '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = {
+ scope: managementGroup(varManagementGroupIDs.landingZones)
+ name: varModuleDeploymentNames.modPolicyAssignmentLZsDenyPrivContainersAKS
+ params: {
+ parPolicyAssignmentDefinitionId: varPolicyAssignmentDenyPrivContainersAKS.definitionId
+ parPolicyAssignmentName: varPolicyAssignmentDenyPrivContainersAKS.libDefinition.name
+ parPolicyAssignmentDisplayName: varPolicyAssignmentDenyPrivContainersAKS.libDefinition.properties.displayName
+ parPolicyAssignmentDescription: varPolicyAssignmentDenyPrivContainersAKS.libDefinition.properties.description
+ parPolicyAssignmentParameters: varPolicyAssignmentDenyPrivContainersAKS.libDefinition.properties.parameters
+ parPolicyAssignmentIdentityType: varPolicyAssignmentDenyPrivContainersAKS.libDefinition.identity.type
+ parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentDenyPrivContainersAKS.libDefinition.properties.enforcementMode
+ parTelemetryOptOut: parTelemetryOptOut
+ }
+}
+
+// Module - Policy Assignment - Enforce-AKS-HTTPS
+module modPolicyAssignmentLZsEnforceAKSHTTPS '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = {
+ scope: managementGroup(varManagementGroupIDs.landingZones)
+ name: varModuleDeploymentNames.modPolicyAssignmentLZsEnforceAKSHTTPS
+ params: {
+ parPolicyAssignmentDefinitionId: varPolicyAssignmentEnforceAKSHTTPS.definitionId
+ parPolicyAssignmentName: varPolicyAssignmentEnforceAKSHTTPS.libDefinition.name
+ parPolicyAssignmentDisplayName: varPolicyAssignmentEnforceAKSHTTPS.libDefinition.properties.displayName
+ parPolicyAssignmentDescription: varPolicyAssignmentEnforceAKSHTTPS.libDefinition.properties.description
+ parPolicyAssignmentParameters: varPolicyAssignmentEnforceAKSHTTPS.libDefinition.properties.parameters
+ parPolicyAssignmentIdentityType: varPolicyAssignmentEnforceAKSHTTPS.libDefinition.identity.type
+ parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 
'DoNotEnforce' : varPolicyAssignmentEnforceAKSHTTPS.libDefinition.properties.enforcementMode + parTelemetryOptOut: parTelemetryOptOut + } +} + +// Module - Policy Assignment - Enforce-TLS-SSL +module modPolicyAssignmentLZsEnforceTLSSSL '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = { + scope: managementGroup(varManagementGroupIDs.landingZones) + name: varModuleDeploymentNames.modPolicyAssignmentLZsEnforceTLSSSL + params: { + parPolicyAssignmentDefinitionId: varPolicyAssignmentEnforceTLSSSL.definitionId + parPolicyAssignmentName: varPolicyAssignmentEnforceTLSSSL.libDefinition.name + parPolicyAssignmentDisplayName: varPolicyAssignmentEnforceTLSSSL.libDefinition.properties.displayName + parPolicyAssignmentDescription: varPolicyAssignmentEnforceTLSSSL.libDefinition.properties.description + parPolicyAssignmentParameters: varPolicyAssignmentEnforceTLSSSL.libDefinition.properties.parameters + parPolicyAssignmentIdentityType: varPolicyAssignmentEnforceTLSSSL.libDefinition.identity.type + parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 
'DoNotEnforce' : varPolicyAssignmentEnforceTLSSSL.libDefinition.properties.enforcementMode + parTelemetryOptOut: parTelemetryOptOut + } +} + +// Module - Policy Assignment - Deploy-SQL-DB-Auditing +module modPolicyAssignmentLZsDeploySQLDBAuditing '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = { + scope: managementGroup(varManagementGroupIDs.landingZones) + name: varModuleDeploymentNames.modPolicyAssignmentLZsDeploySQLDBAuditing + params: { + parPolicyAssignmentDefinitionId: varPolicyAssignmentDeploySQLDBAuditing.definitionId + parPolicyAssignmentName: varPolicyAssignmentDeploySQLDBAuditing.libDefinition.name + parPolicyAssignmentDisplayName: varPolicyAssignmentDeploySQLDBAuditing.libDefinition.properties.displayName + parPolicyAssignmentDescription: varPolicyAssignmentDeploySQLDBAuditing.libDefinition.properties.description + parPolicyAssignmentParameters: varPolicyAssignmentDeploySQLDBAuditing.libDefinition.properties.parameters + parPolicyAssignmentIdentityType: varPolicyAssignmentDeploySQLDBAuditing.libDefinition.identity.type + parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 
'DoNotEnforce' : varPolicyAssignmentDeploySQLDBAuditing.libDefinition.properties.enforcementMode + parPolicyAssignmentIdentityRoleDefinitionIds: [ + varRBACRoleDefinitionIDs.owner + ] + parTelemetryOptOut: parTelemetryOptOut + } +} + +// Module - Policy Assignment - Deploy-SQL-Threat +module modPolicyAssignmentLZsDeploySQLThreat '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = { + scope: managementGroup(varManagementGroupIDs.landingZones) + name: varModuleDeploymentNames.modPolicyAssignmentLZsDeploySQLThreat + params: { + parPolicyAssignmentDefinitionId: varPolicyAssignmentDeploySQLThreat.definitionId + parPolicyAssignmentName: varPolicyAssignmentDeploySQLThreat.libDefinition.name + parPolicyAssignmentDisplayName: varPolicyAssignmentDeploySQLThreat.libDefinition.properties.displayName + parPolicyAssignmentDescription: varPolicyAssignmentDeploySQLThreat.libDefinition.properties.description + parPolicyAssignmentParameters: varPolicyAssignmentDeploySQLThreat.libDefinition.properties.parameters + parPolicyAssignmentIdentityType: varPolicyAssignmentDeploySQLThreat.libDefinition.identity.type + parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 
'DoNotEnforce' : varPolicyAssignmentDeploySQLThreat.libDefinition.properties.enforcementMode + parPolicyAssignmentIdentityRoleDefinitionIds: [ + varRBACRoleDefinitionIDs.owner + ] + parTelemetryOptOut: parTelemetryOptOut + } +} + +// Modules - Policy Assignments - Corp Management Group +// Module - Policy Assignment - Deny-Public-Endpoints +module modPolicyAssignmentLZsDenyPublicEndpoints '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = { + scope: managementGroup(varManagementGroupIDs.landingZonesCorp) + name: varModuleDeploymentNames.modPolicyAssignmentLZsDenyPublicEndpoints + params: { + parPolicyAssignmentDefinitionId: varPolicyAssignmentDenyPublicEndpoints.definitionId + parPolicyAssignmentName: varPolicyAssignmentDenyPublicEndpoints.libDefinition.name + parPolicyAssignmentDisplayName: varPolicyAssignmentDenyPublicEndpoints.libDefinition.properties.displayName + parPolicyAssignmentDescription: varPolicyAssignmentDenyPublicEndpoints.libDefinition.properties.description + parPolicyAssignmentParameters: varPolicyAssignmentDenyPublicEndpoints.libDefinition.properties.parameters + parPolicyAssignmentIdentityType: varPolicyAssignmentDenyPublicEndpoints.libDefinition.identity.type + parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentDenyPublicEndpoints.libDefinition.properties.enforcementMode + parTelemetryOptOut: parTelemetryOptOut + } +} 
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/alzDefaults/media/bicepVisualizer.png b/dependencies/infra-as-code/bicep/modules/policy/assignments/alzDefaults/media/bicepVisualizer.png new file mode 100644 index 0000000000000000000000000000000000000000..83520f855a47a5190acbfcbef9ce80c988aeecbc GIT binary patch literal 495304 zcmeFZXIN9+);6kQL3#%P!O#i4BTXeVX<`Ufnh-hyMtW6&C_R9o7m-8^Rf2$YX%av{ zx{;zZk=}bd3!mrN`#nF--tUj|2_w zg|;^vzW=@y9~Nhy^Q1ncr!4-_KF8sNYge+9{U{x8f<>YZf<&(8i+)em6S=1vJvVbg zb6o-?u8ZHM7SB3qywXe2pgLK&P;e0P1eMZde+?8)qe}W8{zC=c1|8q~PbJRk z!wUylaodie`;u1BNe&z3iiiKlJk__h*W@bx+W=;)5&&(?i~I*o{LvFir0K^X*MHSn z1o!`<$4M=b|EPMP!)g40(*I9dQnwOK!B)ZVp?c>mMNO2l1(?Xe zXzg@ug8Pk}Ufd8X?zR^BQ&3ow4If%GIa=HP356M$vBEqHTigwo)kz|CJ|7Weg*Dc> zq-uV<%yjF@QJU9V141FJ`{uVOY@$YSrFpRfYvPAQ)n}2^&LXo2;_5EHVaFTK_cDcw zqJ^&tWXazUWSuX7M4lpfiZ3H6E?($RtAiyAGIaZMnc`wtpd`1_owfS4(^L0o@YkB2 z-eSG?s*4w^DyUZ@r#*|;D8`$n+9wS|!Ay*uzt}&7yJ_5D(Q2J;3%WzZBu&gh?;1() zl)LpqJuw{_ug;p7G!USRW{T!DN~)QL;$DumL+_-kX^{)0bRnuOz%>1=&6A!ytRjr$ z-8G~67T``s?Tl^>2%V~r;#WIqc0qJB!v6_fvMugiIH=e-dI+q?g^>}D;i-*NEqezA ze_vj%4-W3fqIebRlX4wwRMeAVcq zENLF+Yx_Y~-DO1>`&V7F#I&?T3kTQoH)8H@K!)=$CDy9ZBFpjdewb=HCFNc7?y)0_ zT+TAt0Zf5>elCHP3Hk2!k1)| znV9M4G2O#`UXagI5@Gss^6~;evzK0JV;z*q6H$kdTmu5UJlE!{&DZP72v~Z}O?F&G zzNbP8$+NXwZcU6NC>%BVaeT!f8#DK1XY7-3vW;|=Cs+QbyX0dJ0PC`x;gg|gPy2$Y46wBgT&i+Z$h1KP}v!V%} z@=IPfsW@CZ(5ydAtrixSXID+=RS5xa^WSP9Uwj`O#cuF<@=RrOWp%7OkA>6VL20_5 zC;E69(_>Y0VXo4q;V`~%l%=`?8t?mIL9TQL5n-%zwv2^{UT^bSL>bd5DR2V|i0Y!h z%JF5CS5=83U%6g{{5sR*5?GR0)HV$IQ%){5)t+9}M{pk2XWwO*UT~uAOzjJMZ<`txO9j1y9x^C04+JrHhM@z;wWo;n)kn9D&`8btDr| zWEm|9=7CYRWv|~I9Cso_p`_Wg*8M!Hq{Px!QR)$I7Ow1W_Cfc8*Ln4-Gpu z@H&F%)gzI42R10yI7OQmcbgPc8-=LGzzQ&`5zyZ;a6%9)-HZC2%mOq4$rHY$-HFBH z7nFFM@Sq45yZ|Gx3ViR2;$R{%pj_+h7eEQ9Hg8%1S^@*jRpk>q`)+byxa*ZmEbQIa z8Q}-mH#dOUcx7Am&fT5@2Nm=a$pD0)r65jiqJZrVoK(0Afrhjhq_21IC|-(K+~dBe;P-92MMrG?v+6E5WK~OY0oTw^xNg zOEA|J4b;B+1)18)oRo@)3%$|c@zUUijci7dapBn%jkg>fW%jvAq^XEwzMqQ$7O!$ce+&<5 
z$$fplw2Js(yWBFIre7gBIr&3C81d*Ch>^bW-JtiJ-9YD*-lO)%kEfJdQFrq0I965Z z*aLH-ET5bLGY@_+dL_QxDCW4X|Eu-OUO}>vm2uRhfmZ22W!1ph!hc~$%!L+?7L;HJ znxV$_?4mp=4AnZj?gT9X%z(>xMf2?z3s-^9jw@v8r^6@T~!EnYuY`7dg zTLZ?<$YnclwJu4kRm3=2oA;4GPVa8dsD~grN|(=7HiMa&c}&PX);vp>hbw`w_wD!0 zo}U6*CGc0hf%xFakI?pbeZa0={mm?+ko8XTwRXcO?npU|4r$T1NN*kiDKz~|j{Nc< z)I2l)a}muT@|f`q&u+u{dKSI^s=-TM3i;6UwV$_T|^!_0D<`>^Ec* zzsw;_x7x_(Ofp3)H0;JOCkEnsCqyaM*qY@Xk5-c|!(4-8ZQi~T!tb^GtXsPw+h4*_ z%19fnfdo|jm6-5U?Y#XPQwu%EO14@_ z&SoBju|SHnyZH~(4(+s37do-gI??38$0SqF3(9}FsI5LUishp}8JgeL&u>}X&V6}L z%u2p$vg)>IM)xm-xQIh)dS{Wk|!laA8pG_ z1!&%XcT>rs9(4?I8=Us>_40x#(r;SVcs;aP6Lnk$>u5#VW<%Nt5UYwLR7C3a-6jKJ?BR#F>2ynp}812{nLqV9JxMlIA@2SkN(N?`8as*hly zE0TcACJ8c-P1{v1Nb@*oFx1SViYh@SEjsyjHNc3ZWe_}KF zaQM=#sdbhM;4CXKG@$ESw<(+l^<;RFU+ksccLz&h2uS{`1M^$JUa=IISzcatm0SJ5KJ z5rOH+VBsA1fz()t3STdq+US4d+7@9Tm7pcht}_cI&aK--PI;#-w3Aj{>cr{* zE3(Pv1`WlOPX3SJs&3o6d`T&yRxsB=(jU|uO7b!i3B9u=77g$UBJBWMjK-FEifCrL zTCsi=eoED7I!`WwUI4MbzuW6lkzSZ0Mt(EVf@AAYQ_~~2DkGD{+BCJjCMJFYn6L8k z0gW(;1YIln-3E(Xc23Ui0HxpG8;`p^SYr8vr`GwiKS6u4Z(hI0Ll!YrA(T@1G|)0F4D?f z2ae)02TZc$ego)qH~`|H6IM9qj#9cU-!qFf5T_x#G>d4fE_b{U3j<%8d?y3e+W7P= ztb71i#V6mLO)hkIRzMX29lCiI*+aF zs@##>5Bp*hoVLb&Cp4^b4Fos?ry?K7dHmi!D0@&P9yVGbDIxK8$SExMhKhHsi3SzB z8f6EJEb(mb+{k@gt>&LD!t~oW#AkSMn?XlC!eV0N*3-0vr+v?WWj-7;=+XcxwNib_ zNCp@=&+Seu<49DSOT90o($}kG;=pI~z`HeR122r$pTiTi1f=DaV!RCn7=n+F9m@S} z5$rP22_h#}7yaHXf8KUQ{Q|~ZwlOe}BsDP5=hQlBI=r}5ZJ}@R;oT3C7gW*DW~Zj= z+Ls>-i%oLBq>Vy4fS^VDliZpGy}GojJLmemxhr%NLPvEWR@H7*ql*$eNUA$z zMp)=XYrLm5ysfMsX$kaAdfm8?nUyA+svEDe^Ra!Jmd{xI=@Tg_gLg#uj(@$J$ArMl z#*h7Bx!RgQvWO$JP|B$AqZKrxT4gjj`ACUXhy4@%ImCmEOHw91bl;Lwl4+C!>L*H1 zyGM$Q7pIQuI^4|7O4qtK^jvtg%Ke3de^xwvJ zyHj6jDVE|{+YegYTzS@X2Qy)NF0J?14UMgfRqo?!{&nEk8UtY-TM1Hw{DC(5NZYcP z;*33++39%mMsXfk!R2<<8KdF;zpRF|1Bnr7NajMe%>RTZa#*F~4$1LB;`;81~WnSkULJwIk| z?Po3|BBjX13uyzZ6`*q0O6%lal7Le`@TM;c_zMK-of8h4{SIW~4Q7`N|8Zgq=fO+_ips3CTX?l!5Rp9bwqbt#<6h*?jWiUey^^YkZ&!T&J 
zdeYKxYQk}A9$UZkiaG*U8=|$t7e~A+T^A-x@QdC*BR7wIV<(@0u-UsVtWkwKlk>PU3-d8%DN@R@(N<0oy>D}%l zQGTmjC(=b2)!fztFVb5frlL&Y8F6ddTJlQDGFTX{r*4;{Zq7@7&;{KU+341^x;eL5 zy*N_Z)Sn_|^)z<6?4w^k&9HW{F?XVxa&=I40S}zIJOne0lz^ALv%HQQGNrf*F&FOh z^cq6Fx6d_Id&fle!r?97Y6j>ygj4lSYZ49?5aPpnb9-jS51i19D7C7u3$Wy4ij5j6 zZHrbh<(&CxeVS2vHDPXWFskdS<3yc5fScGT=fCBvb)CWn$Jx{7QOr$@hd?Rrko&%t%-kZU(W?q(c3D|*>rEb3LWSGA!c#s>Bc z5{J4z3^^h6*&=mK8oH;n4_9K+aqQP`N1T4Lk*D*Y>1+Sx=om2| zvF^u38@jVk4ZwQs8;Ax}JaXN?b#XIy4ssuBoKqV#KD$$uwk6MWKa__~LsL;n@_EUJ z!rBK|*v>9>Pj`0>dt6V6X#POoP+!DNkw;8k3$u8NO~68?rOn^W4}IuN#2D@FY!`n- zT|n2?)~xec6D|d*B=vn*GS#SfcKbFC_NBXbal0lzC&a2nZhbuoj{M|Xe9)HN@ArT~=-Zv}A9ZsFtf7$m$fr*>Ww7RSVG&WTj`hR3 zNYk;2iMZ?umx_jiUupBzZFw&=TPZ)t!9^;|anEDk34b8}*XqlnE|Hy763-DC5s z;pAkYU1v?ch;k7JJl(-1j@?=!9jHZHt;wZIJxLy0Ej8^c@$AJTD1H9Kr1CjYJ^k*G z8SY;0x8H@4MeV52<5&;N#*pb}hWxhcrY0s;AGN2a^Z4~M5%Sk@a7ncGf>%w|k06pV z3r$Ua6`8c|=U97twaOQ9?3PwmYEO52(l+}{%?p!noleHz;EU0m=GV^-|NUA|2KEjX zQ0Feps&j`o&C9&l81%k1pP$q3oXpR>dEDIy=;L2wSS{)OZ+6ta-rkWy}(?l*r*^PV&6|%R$ls*E?>K*N0W!Ct@p*f z3F4+?glI+_q*|l=Zi#{Eqe|fT)W3Jn*V{MZ!kyajmB)cUC*yj0boqi82E&q)=HhO5noqCT1#h-kk?VrAWo|~wGZnsQ9CxW$E}V8Gf1mvwc*f?=L>z_Z*{D@KU4~FLK|xzM{v5i}{29Dz z%$4|u%7BrdiT@;))xotBxV7Fs5jgh<3q^N0sB!LiS89W?oUzp94W+dhZeNRMuz90LQvAb#)qG zKaRUSrTg5gKB4s6@xTH=Kp<4q)bSHFyhylr_KSGCH!IR}H(%sQ9Ks~`C| ze4pEN{-E%3{dd{4R@s#+FMvB$V#h@_^Uv0zDUg`u>&v3~^fI4H2~+Lu8hP`0KkI?% zdqDy}cOMa>{yni@0vvv6ATO@~D)Xbb_R`)$NGQTBAeh2`@Av&Ve4hT<5=?Va%IM{J z2)=*EU@Ve8-@(xlzh>2jio@EQTGrW@h1wY88Wi26-v2hudGP&5-I8Zbx5oG;=LzA< z7no>Dtft-Nu=Qgp$9|l2!<%7J=C}9n@fv$YrIbUOP~+~_W{-2}2}FQ^0(mS@7iH@+Pg~g-uiycZaQ2hI5LB%OgJy z#DMT2DMdBUnEI1Z6iHZ^)PN!B=!D;4%s@5%mlBUHp(8R9NwL4Y+PJ-<=+RSs1Ug<*>9fOY{vobTX6i>u0G_O`E4v`)8f{WySn zuC#J4>VD@X>!!fzDt9uZa55kNXVk*&>+ve8!O0HLel0U6gQRRXG)$L(3D3CFm?h6ophSYadWhJ zF&{e>=we3 zrs++07s9B&vPG4P)^A!<;bAOR{R@dQ6WOIK{YJhEYRWWh8;^^^#@$y}Id9MMCHc3_ zva_(LQ37a=9x`xJp|2{{OiAa4lAF45dPZ84b(FSt+Z*j-1;p0N_If&s%aUojWu~gh z$|?#j;IZsJHUMW)$|&nUw}i5W{uoUyBIq*ES};&NC3$%UEs@oWz-9* z>r8FmhKLm(#n@I|IzTVCd0 
zj*on5_e^d#HurX2jBvc|o*GZDy2JN|aWNXSe))51TKZOvGAm=^Z_0AF`G-QT6xF|! zW|Dyrlv48D{8Foi@FA9Kv?YcdN`3~p#=Si~H`HLRxsb^jQ0up$@p_G(=xB1%3$utz zh#BnuyurDOwzh)zCokeTZX&i!H67;;9RbKeZ;HC|FrxAqz6~ zrHGV!0~#-3EN{b$D^7bUh+nt8x&MhI!IMP-Q_ujM7i`cH<4{iyD4{I4K}#Ob+8D`! zY!3)HT+`ogF*08Zu7Dx7DOzlHsJ8^@(VSHtQSZBJi_P&e7hAmMK@-`;*;%XN34%S z__6>uHTV~C?$*xwJs$eU>&+j2&cMiI7Pl0>yoKV_CBBa;8jx(b&rHjCShXLyuDH^f z#L(d5pHj2Mfa-;MoCNCbQrx60jU%Ffunn!B-%2#- z__8HU=OYZu>-!Wn`I`E?xQmKB!e(0^R68EW`!-RqyhGQB4!=rMEbtjsn81_i&p(7L z%Caww1VM6NLvv#^xFUkwkNve;QL(I&wDCBZbQj2*muVv`(2s;SLl56*6uYl3J)P3f zpo)?ywMx13TfnN}4y7-$6oH0O5MGf&Clh9BNF zEj=6m{d?c!UHiFE*}zjAMXl+_Dh|b(jZ%wj*e#QQH6!QjK<<=os|Lh8EZCq%AR*j`gUU)-+}II|Bxb~Ubab@}1URM@=F0@ad7Q;$N%REk?rEza zXy)Xnsn5H?g~|dU!R}ZPcP>i5ke0Jku%8U#&eEvPoj@d}wdd@iVD6O7*Q;=FVY=Yo z37VL*ef4}`{*{o?&`5d)+rPp!f@ohfNUrdiF%LZFC*r2PWJJY+w)PV{f}ijklu%8L z%3cR906JbQD3H{V8G3pgA3Q}5tya}3oi;#+FFi6gHU>iZ#S7Y{u9YtAyq~AMLmkzkYrW0Z8cu^a1w6&V`65nS1qo%O{p^#QvBp9`1PRle zo?x!$cns9LMrSQJvpLoKiB6SJ55NY-Pt0xsRsNoqMNJo(6ac!Zl<1o9?CXwFdO|E( z3(}md0U`tOXK2z{>BSQkL<@GX{CDx=oO_vcsw>q0R5O1_pq!S&OzaJqUmu*^+;@|8 zm1e!BOo!h!1v;rdlPj8{+Klo87w9k?=qA1EAi;c_1>s8e95!N&CwkhJzXo3=jsgXT zEM(bn-XlWXwQVRaQ#Hx7!FjJ@`Ift+#FoLE(8Vy$J#IMp>nAm?r{O9wBmJbHL)3LA zt(jYOcT;Ha^iEkIP)%T?Su%}kWx`vwMA{o5c<)y)$Z#(*+TD2Os*apjMIw#raCz?A zVb4|Mn5Q6{z8l%@KCo`!rO^1dtc*R#_0fZbtHrmAjWcxlG~&ZiZ{PnTJ4Subj!-N} zx>?!?FQ066xMM`8nob^s_($4{!#gG4ff#6UQ-b+_p%u{}N&&9Ke`6?(39;kU{~O(D zmrTNU0x(d% zXe<)cg-x``{mK?Y)@F>9cyZx;IT2oAj+F!*GO{A%@EVUc+~K1g??x@gMc7P7bvh^~Hp zH!`~9gVQC1*ymi6d?>vV!O}nJ>9p+$FK$%NHE{8+5pf_kz3zKm4zL1%uF+AT1bbKP zMmArT{^E83?tRANo7cg`J#Ml(v#|*+s0Us6mRyuo{v(fkP)7(qQ|zzJ{a{;yE??fj za)c9c)(bc2QjXOFdxTq*e08dLAO+`P=y#S`zJ48=hC0?(V(OYj9JZo}x|biKVc)uo zK3X8qowj9Kv$4bgifhqoFtEL&V?K-z-k7M(*FR5TM;MO?Y~xK55~(!zoqp9N*@^=A z6JR-2C8qlXMoUY}Kh1*Ebn^`lXSDT1Ga{rh&F-J4AE$Imx^~w-*2caucKntOvip}o z2wyUR;$RBsF@EHixlJHw3tsXjYkO|x@y*uZt%O|*$OHKG$AG? 
z_6xsnTMd_9iU_>7sx65gV++NNEcVS)DvZDN4Sc18)fIgaQdZR%N={O8#zJdC>5%WM zmcama3i|DeGqeM~9JuRC&QZ!-TeOpQ;Kj!+loA*auoU})>@%>I;gV_Cwg`(7128k? zAvX}&gdQj-q#e|$6mvW;@@^O35wq=BSt({o1gLU%$jwbn1!l;3&4};$S9%(S(sXMo zjeN*MLT?xM4RRPhyHyDj-QL;xzD)T;xC?0f6Dm47dSA5!Ca@ekwpp^27D%`d(g-ca z1!MV=x{{-@B`Yg&pI^|Qjkemt-Q8U@rMIhdHW*>#)f)p@JG`J>f!|3Yr-5{K;(JO~ z;(Cyj9YC`Hw`LxP3sSL8?%E3E+N~1`{3SYSb3?#Tz~vV8rSng!EmoGCR^5&q%mBvS zMPz1LdN>dm#D|2!iKH1-KGrAt+zb@Svxp?z@TLJi&F!x7^Bc7_Y#g3#K;xtmGh1FN z(LOw*{ANBXDFCMkf>gyKh;Aj@O0RTfABd&^7o3{fTI^kKfC+L|{EL@Lju3iRC)rYf zp>ih(HU84G>Ymwf-^11A#T33FN+7bP3Cs-2SV}>mpx^1rl`B|DqH@v4%z&i%lHC?8 z-PO|3fm`yPRs6}tXN<%&7S0qwGz8KDO}&#J;_nGC;F}(@B6cTzYGoA0 zEqfsjP{G|!Z4Zz5;wA|bzz7j$TK&v&S!+gRIPfIv0b|;+J0*=08Qt(qD$RTM?&XD5 zoC)925ov3tA}Ps*?pSG>TL;6mr!7Og4U&5uvh+3cZ`=y`gn{ildoX-Q_ zdpXiLm9sAAagnyUN?s`BSn$OQ=eOK{Ro0Hpl0p=iQ@$&*aTJ|Rmad*YgU(A3^<8`X zoB&gF^k%tF;NhoFPk|N|*l}3Y2|sXx%5f!lmcf3B7uUx&!TYamt((HY^r{Oa9sUib zKmWXS8oUSLlB}h~2OPHBwDIlH5lSzdmmhguhGcXz z*;Cxr3ge-R3=-{qXdcK`tnXN5mY47nFua2=oV2J^zm2}DFpqAdb4=FL3j2hrwunQH zjlP3{A2>P+)24KWqYh{&(t4i&-DngW`+9k|+1|zJlH%fl-Ppk>uj}eT0`b}PX@7J7 z1Wyj4Owh(|s8VzQJzc{>i34&dtyXim))|`=6%eWMh74c;qUxjTTe4&LF&97>6|Twm zPz}gRu(0d{aK~b3xU_~eyRiZ4@F{S4c8eN0C3TMR6yT}n4rDDSX5P&Q=uH?E8-ipQ zA^3L25HO>EHIkr}X5zAQo+(2)r$_ses#b988(J)smys}W3D_7JNo2q%v|8=R9Eg7! 
zRu%1fOd2i?9P6*j`<6&3_?}3l96O&4HHIj{WqiVCC#_#+_yaOtS?W|e&cjNn%er;L=?kCCIP2(`uPR4`(fas-;1DK+hs6x7!O0ozzTc=J0G-JmIJcf?X*< zUjj&U8+#ejJfLv5mr5tHly^x%Y;Uw0_^;vDtOG7wIcvg9Jx$?^Mn^yj7|so|(TM>) z4ga~x;JpKo_R3e_%G{D+W}-^TSYe7{#*^aswtfGc_RWjLo?;XAeF|tk1ypGL!U`x>EDZqpVE^|vq;UM=a(fjW)wnVb!N#- znUYy3E)N$0r0u6spjmND2e@Xvl7G?8_u9s;Rhe6>G zU@rP$i5>7SPmSQws=II1?5J~Oo#|JHrAFRvP||pff3Uj)A5(MTDNk2y;UiHN|$wmUv9VUo&4xXEY#m6NSHO2NvF+CmRY0SIJvv$ zi;aGuX8X)HmH@@A*HtCf(Vw~Ida|4He+Tzw`-^313%w!>;?3!u_fjaj4Mx{_PY2xd z`0-^64o+(Z$Hh&+3T1xB1Y3zMn1GE;-}N~`1sHy3q%bi_n-~9>tM}eSc2C5~pA(Al zXq&oU-}g~oE?V90xYW9O2~nfpxM{rl>8V9YYBtMmQPI1>^s>H;cf&w@Oa5HwODK+^ zs-==XzI~82R@>VblC0eZSL&OX_@=e%1;!4!v_8@&s9Y@Qm?OWOcNa{KJW_6orLjZv zXV_}VJ3e%GcXmFHbdCUxjw)(+SXf(F-2VJ#XkkGDu9OyT^RwRa5h1{q0L8s}+5SEf zg9ye92*zrZ|Jr?hm3RvSP#W8v3S{AhwuDF0n7}q8VYF(~rvS);SGt;#glqu$fQMCW z6y?VFYF$jl&|<9O4^*U|1=e_)7cHkL4i_Ho>q`Ym%}XBvB;jBkg{&U?CrB`4A?(x| zEnM4fOVFTnF8lrpJT$g7s4oXZQMQYukTIHh*R!&q)heETPJ`h3ldvT5@Fk(I7Xij; z2Rym65E;%E?cIg~E}S&vy0#U>Qp<*qNt9{2d}TD|8=^IczDlN2-&cwYdm=1VYmS6=uKQUKFtOHRX5Ce!Pf*(l49Gp5AJu{F(x2GC; z_rdh|-rMwA*a0?{jfPf~uMDPR?3b6Yb&V$ndgjuCB*wg0pNFncqj&&yJm^UaM6|Al=iBSi8&_Skxn>QM@pL|6renwH2MX*RFbr3r33unVx>>zs?fTM?? 
zW>`z?+L-NZtop&cit?7GQ%1}PTo|^+$=_7**=Tz4btpD|LLp%4RriFIaEim*d}){B z-o=w|{3`RNR;?z9k$V99V$!ZXp5xYvPqmUe^OSSrkCE|lWqIk}>wZyfw({&$`^O|< zkOWUmRbyjq6+g`yb!-f~QjpeBl>Tnha&~<%N%WKQ{h$fk3IT>FQy%=3m-+W1Q>-ee z@x%M4yl)D79LqiG4(fM0>kV^l)&N{Crl6HkpN~HE_vU`9datgo&30Ute8|!u&O)~Q z!-uZ}qa)*^ixyT)h28Le;3AfJ%NHOB85=*N!JpEMliq8ND$I66f+jO}c6Qo1P7R_d z=63@UP+Qa#8r+iyl#yGJfMFig=>oQ%1RUTUtY%fA$*>xE0P~;d=HvX>%H!*gj{%pE zN5T4Z z@+Z9^dwESZ?>QisNlr|K4|4N!(sHt}fGMV<1W-F03S0^q;d&AjT zn^5|1?LB6}hkByUNY@N2b`<_55U#Gu@5}idL0?}8l)FPdzezC48}=Zqmpw48*W?TY zZW!Ti+R=6dfNsVvk!|OE7Y7}3CeY{W^G-7R(;=!TE|itlN-yH&22lz9VG@&|HX3B|E1BYPxs zdgFi82*#9^yzX-ncjRGjW=>ka7{wYpTrmYupk#hWKUrF$IQ3ugNN4q{?hlW;*APzr5VcP+@%7lCxhlQl8i~ z+noEg`6v^x=O(5P{I{AH-i#I*>&C0+rP5!&IsE9c^TWp>R(S(aL$-IwH_Pv->@zfz zGh787CQ$1WrN>dvpVV>eDzi$??D9^pQ&I|=kb)s}&_>XZr6Ev$dmu40OkqZtEkm50)*|9? zI|+=wbYw?O9_6)Y4U~#qO_4=GJ1UhbPhT%?`t1BpaFR#9qHwM>RUdyi^_4*2j#oAY zoG~}8pk(d0U9%gOl#ywZ%0c&W#ud#d)AMEKXG?IF1woDskD!Ze-D)+hhB3%oS{;(* z*IJ-aWcyihi0st&N&C58~VAw;;^uEQ#g`yuQfRt-m&zO?*_e#(bAlO#iOlH>O zdy<80&5(^|w7yT6c>|&^ONHissH|e6(5UYdza<9&?q4fcfSB~2?{#S&+622>cRe~* z9M8!2kO4`6;;m)4z8^I2R+5(o0Z>+Cq!{7rdQ)EEX(ya_JogJB^j%O$>FqxH>Ad>- zVA;T0>3MhQ1IDe=ky1NgkbJ7C9ax!r`h@(IS?ggi|wA~^hi06Y|p zKT@=@iZv>v6|3SikDLfuk>p6}^sR#cinQG#`FIXxQS>6<9jC@J`+c{fw%;(Aya`{CZ@5HQT-g<(|L!ZT&OFHL6Ro0rlPPfP1qfrJ8G_ zl>Gahf@R@@y+`UkaS}5npO$@Gy=nq_AVA1yq`!YXiT_Nt=VxsF(!hJP`1afMFI(S? 
zD+fdUV?oy-D{kRz8`9=^eFA8?e3-DPm`JAlV{Pz=raVLc;)msBX&z#JxN5E^Pyaw| zB*+5-S{vj;ELxxi?A`3BD=)g4fu77q>Cav88xqQ7DHj#ZZU z4IgB{N;<~AFi;4lm@JRf(#ESZAk#cPQ}{#^eL=COk!rLxz4z-*vjb< z>v89a1pEe#09xmlY&1~4`OB9`!+cgrxG<{`p=;czN`VFtt_5Y~vHElkV#>wVj?#Ah zMaa>K2n<7xiT-lT=k$AB#v;j1m7>!&nG3?zT|G-9`U&JFns)+-Yw_hM(HVqG@tUHD zcmHn_fM_0&q8#eNc808o*aIlBF$5w@3%HCJ>=_d4;zZzU2K?s_uK>u_oRX5LcII#= z;{iChFc*|T3c!y2&@(EWj5M77%xeAB2@>hX1voHTI%fd$(AX7-`$O7VhJUyEx->|o zw9g5HxGsHwKDIk^QUBH7@*8jNig0UoZopxYdbZ29Ov`p0rH%bgonLts6i5whNLAS| zU{9gC&%6P+)S0tGr1&4NKT;#dnz;b~k^fw0$$4H9uWq~KKB70!2wAK#lCbYYd43B#U%Y>R{8qnO_b= z1Fbtf0WR+c7KqO6pg#mDy>j5^63soi{q zL*O%ev3J}61CRF&i2&uBFF{!K0)my1UjmIYHRCx_I=5-bF6(OKbvq=TS&0iFp>OtPX&=U^4 zfxyS)f_59gjc*3XBY-~<4guBc zk51?V4uG}*1DPh5a=r9SN$VeID~~7)7##~yv7Vmnpr1etiZj7LD}U(2rYZ-qRE>+2 zo@>0m9zf^7Kq8$57KmH}ZQBqcs?!YfIbH!{{2yp?4sER3g zlB&}L|GwtFZ091Yep6Veb0+r7He0Kl($dh|;3P}+|8HwiH}q`DWJ(+}GO8#pfbN*E z5Aiv8c7-(>)H3N=4P)nEP3+A01Z1g^{n>wR{upB*f8%mcwOfcBnH*aG+QLUE@B9QY zhA(`1ZMH+>9DYDyz!ZqY4}uxU&d2kc2(Ns8EuExas_np>&^xEgS3cx0Fz+?>*G@lc z56GFV9pASt`#?^arp-@zQ2QgTW`Hnjqm|b^(ctpezCSC6gKZqv6LqOPSQQ@D&=cVO z+wixFv2J{J?&YSBn2sOuo`HrU_Fdc+JP?OXtnK5GYjg#D6I3lev_!YzK?l6KTcP&M zAN!N6>0(4Ne=i>jT=8-ZvBTi~vuX?!hsD)~1IEsH74LmH&Fj0V#Ei>V!XGsT zUc*HQD{@3nb(cuNb5TFM7b#HoY})~aLoStWvrO(lYu;zr%ZFFRv1bY=f3jI^d)^wh zTxmFZBTK({0$C9aXsSaEkLumt-hEKq{O#Od53mqj<*LNYm>bRl$O%{hAjRRbBBJnx6I;3drFRBP_*%E}>LTOv!_T0XNZ}bg;1pwQ{$3ZrFmNz{ z10u@QRT<|~ty(hn2ndMa7c5-~wxV{czZaPPp!^>a0sW{x$;i$Ir@)yqjIhwQo2_rS?_zNnyU zUiWQcf~Q*ghwJZPovOJ4jFn+PYURK@6}!^M6L*t;CMS7dp1?>}f5f=Ge1m}uOIOCN z88@l?S9h||u31y0$>EiKwx-eBJnV5A&F%3yp923?cXU?QUNZPkUDjA6$uq!Z6k_;$ z13$trsit@-jNkH0Ny^4B^3dIHZ1+8Cz56F9^Jlte5yhDPj`OSt#h2}GRN{AMaE9W4 z4;1Km*{5x~qiOOXPIra715Vemy*}Lz(8K;E*|OK?#K_zP5@_0(Wi8MN&5@0bCddmfh3o%n zeQx*4(Fs6ey=#x)>~JU-q5=?dXK1h|CfTz$$UQQ8Iz;q;lZJ>G21^qxw-_sDJ(V7 zgt*h|Y(5!Ru9wY-{b#YuNXgi*{uUp6{4o2&bL@UZ$%<(0c+WorOixSy@NKkv+cK43 zuf6Oesj`ok&tI0wmAk?r|E=({Pf{9kj3ZMg`sJd6g2G>RrXs${;N-C3A<`IPHS(ba{88UKg_Wc7ACIG3-{&F#FOLZs?F|J!r{ 
zO_ocQYm|3%X56m4TGiz&%~BH>@UQNkJSh*Dl)X7|5wGlLDWnkAke@H{xWXMXT(WOw zRob36n9(bJHEWPpQ` z>@#Zgg*Hw=0?7lend#H?|P@D>I0s|Cz`laQp1VgE&(VxzC|FplZ>}?(2Y9^3g8Ry7f@m5VJk3c zqnI`noM;U2F|fYjs4UHDm{p)48d;YkFr&B-La+q55f-9VRlWk~B^w?93-Z0^tHg8` zV9AQI05#gNs|J05ESGn^Wt0p3GPPIKy~((a?X-C1a6?ZWYy9IeH79VL%zX+f%&XmV zs_nc40c(aLk#*FhAsEnAB2M5H%?yzJDSQ>le(K-V&+kMqZedA8WyNTV2tdJ4_ug5m zP(up%LeqdMpHR1f#A+WFr)*bSfFLKfJy;4T?>y^SaT~(ITyCr8BkW@qsMO)8^i1&W zyy35?@Fi0)NY{uw0u(KG3DR>M_jskv2;xHjBN>nni^v78gI9^Ux8n=`)GppH6vy~X z=9sWSIZq0tNu0q8+UX)d?zbX^bg!aq>e}IOGcOBt^?>?w8a3XH6|esHD2n7TyrKHy zn8RCrsNH83qoK7#8SVlXMyxJASVX^jiy>HM17YxuB1?hH9d74r(TJ8-ef8bW?Ued5@A}E ztYqoR0vLYayR&5P4OLRco9O_ofSmod`Ab^&q4(ZX?vs4ImAG+lV#LnjO`T1W9 z;w*C2kqlnJ^K?KRXR_y@yvAq~$K5S}s(0O<(6>0UUJ5G#f-|a>mnm@3r>iePiV7OL z8WhzNsB?u36c+&}LkmKR)IHK^MfogNh%QzbL0G3k`MU2XS;7fUJkKMvf!u2x2@5pm zz~m+9(Ie(UN?cbRxcff+neXv}mLlz>>LsZ7t(4`?na%+x#zqVB>okm|-^H)i40%zU zM}_Xk07~)Ntd3YcPyIOYr)QaYG4vTsfJvv!^h13;1WaBve91e2L{o>ppDVG0M}aG> z=>~9}rCEDWB)h+yGt`gieZaW-ZV)lKUuj>h`%(2@E14ARr~u4I(8yfJk>qcXxl=_x+vkJJ&ha_5H~(v7i0yXYIA`b>H`T+Z)<& zHgfbj+>?gS_))#X$x!Q$mz-(P`a}ihSHzOEBA&=}72`ikZO;ldsR>Vkc;SggUN;rj zXAXPqBDtJcwvQnG-mmPOa^E-~rWozI$eG<*+v+fq;1dY9)nGkpJ$?LXY-D8FSu_|@ zwoHZAlM|=odk_Vx9*#q>9$IDbiD1>-&+l3O`9%QWU+qbuX3Nty^Vtsyj}Ff6+!E*^2X%kYdJ+FLbfbU!!bTUA9;t0W@F;%wyaZgC#@dEx`c=7>rn7OXDhr!}V;D zSs8I;W~W0dds9E1JOD@MdA7ouzTr$R>g6iy-zb^fyp`OjQ?tx|q?J{IdJ%CedWL?AOwfvg^p0GW)3qg;Q3MwmP%>^!QM&4 zxLtdfV=cV&gKps)Z|+27^BAm9^Ze`ozq(NN3XxH`7S#^!nSK;JNhzK-*Vdh z6`LaXtClFX1OZ#fh)EQDZfmbUIiCRk^vXlPTr~ct*HJ{jb)DChtvv!Lc3M9jG?P|O z0xk{_>ZK;3&TL#`KZ)!Au0p7c@d93sA9j*7Yl_1Vpdo2H@)yLw*~kP1%_Y<5>z(}C z)^J1L&AriPPS{aJn0h~kwvs36^N2~*7@&r%hj6!4bD0F)Qh1oE#0kgy?w#lh2A$a; z%N#-GQWE&D3;_Tr(vh{pd@9`aa5z{Ar?E}u!Bg&K@E&_g-*s(W-o#09wxSCgWI>5; z;Q#^ZWxRz&VO7xuMH_o995KK9Yx5g67l5LyFwapHNPsrUF@))Tr7azsf;t~DwxX>s zK#6bK5CMqnAoG}FE2^IH^jm?JIeV9s_5s1WIdfcWe79z|0THo?VD_QARe8k^VR2pt z3go@RcR->Ij@fZt*2qCMO}z`jR6i7ZAFrFJLGrl%<0%Vcix;mRFJ=$8(@id^;&DRc 
z8Em7fYHLef%oTC!Lk8DMCO5Hz{L^+4R4p21n@R5O9b{<@D2H;O|aI(>HjApE7d3q`cDO>ucH2sK&!Nd3rs4ZDIHM#mh}sqZ?__ zxaemK_4V~c$J4Bu4qcH^~~hAb;POi6+lqWR0z;oQw<40!)P^0?W+Y0BhXo;i*m6 zIc2jKiko#RHw4 zh!sqKCa49<1il@&%j5a34Nl{kgSIvpRzzNHtxtCDddCS9ZvqE(ITXG4BUdgf{$Z8&H>EVom61L6_uC^DKD3XUkkklX=A?wV?U09c8At zlxYcYNyeC&z^38yNgxKxN72-~VaX4Ns}T#+zUU^1oV3Qo5sM3pNeqt<)8d|%FxO*U zK^~CazRV_AA)*%M`q{e$%(!uo+_^Ht~sQ-BR78%dyvXwXv`x~n7BQ! zghcWC1Td`LKyH&G#PI4R{d z@+4v!SWIb8J5Fb4EQ}`2|%;zT(N6_HU<3g5V2eJ_hxE z`9dCok5G2G@W>DbULxPTQR-pXumL2oh2&GOjX+Y0Et1$&Fn@Uc=tn%vUgE?vKB8?Y zJA{ly>G{$*Zm5iRN>%$fb@0g;k#opz%gU{TPhn?1l zk6wkGM`O#gzEi<9iaIaril10uJV{OP{T+k)h-=G z6Psbp@}Fl%9F%i-CmoRN6Lx~2T$k37ukxhy!vIcl5J#i1n9qJ74#38Y305m$cJ6=x z3P&CKP&hwpLtlt>7u}65wI+m=1sF>wRVn^L8&>NTk1hzO!!4ZQ-6QL+QPE4-vAE5_ zNROZ#MM_Jnt&|kZPV2lSk9pRqtLNX1dGQ_rCP6Rm)ndZsmxVl8tI|$S4_x>@H&%hH zOw3Wg@favvdwX8a4x^C+SCYNEyMbE*=D$|>lHY4WN%xW!Gy*YLHgtf$!`)|j!oOJCL2T2DF5le0z1Q+$b-So5?sKUTlaZ!r~+7wwngfb?T zO4T8?B^h8-CAa1OXH!=0;ck2p+16u;!()d?_?2N=zqR!K#>quVisBK3F)=yu9ek--GB3fC{oQHF>jNnTOqri{ zXxX#_m)%KxlD&|5u6}ffX`8c`F$;8HW5mV=Gl`m7H_$HC{=IR~Bmy40Wvb-@&D!hZ zd+z}4K@@T}B`>*dsPoj*>uMripSd;;f*0Ch*54G16&4jLPc);9KwaLhH+=25gM0T* zwsYA$>-N*E;VtWq#G)n6zF|3#up$Gq?lo3mhct^D(vr+N|+)G zbvad2=ZP5jR9t#vg0M>_zNk4{g9v|cy26T4z~ zDM~`3Uc%2$41*4QtC??e*gSQ)d5A^KPl-VN52Zcf7#yr?Khp}UzHVFNPkfIwSoccZ zPQ{60i|Z@^EE4`Cj;X$JcH`e|AtL7Tn%y|WUuJrZgIdY((t2O>C-yA2r(*YiiPa4( zKF%`CJFJQ?(pvZGrfX?@=`rPWMeJBWIXOQsUPcr&Zr-<+*&Orgll|7#_)B+VYik>S zP7>w6j45(d`1jmIIaI&;!eb=qYMMZPESDKB$GAnC5{upypO$I(+-;E&Ypv`^FRCs( zFmTjpoz-Ki_^6*x4p=`pO~IlpI|kFSMm z{5SN9bZ@LdVDZm`+@+%*0=90-%ES=7U?^{jp;Ik|f<~s4M87`3?0kOKmM&N$LE;y? 
z>sjZW*+1|Vo(xXaKnygD?juppRLNCn`=FT*GLla(mQ=Vu_GA%+m|7`oU7=`1-T*uR z@B&82x&=Z~_*A<$_N>*rwo{269#8e+qR7kas`Ycnnzs}b&Apt`%ku{v$_LTXK;!Y6 z8#XZkyO6kCem^u}OQ>Uy5qtrtktcw(B$y&tRjENu8pzYIk1C(Lj7T{d#-xR{^W6k?0t>5FZl}Q_xc>2@w!= z0XP2K!Qvd#gvF;8#~k+{V6uwZdFA~OJ~mdijQ>~Xu6xPA|IesN?vEueXEilWfR?hE zRZ&vpV9k3PEU{?R-D*fpM*phq7vBGjcY+D^9+L_ozA6+}CWGK@jEnuu=;zK5E7Syh z!g&MJ`FE65D`4T+Ba$Y61J94+Xm_3Glu>f8sRtZ(!dOh(WSo2;H7;_taGWQLE?8Jt zVQ?E{6MDShwZ%QhDxrTdaoE^Hz38i#I?OGT#~i%Vo)jTx-dg}ut?NEs<(X4xIvg_B zVHURt5Q3Glv)#M89W?&&`8TnjV%2SEF{><1VVXY{0|*2#3JkQy#K%+6jMPJ_a+l}b zYYBDzv^=PK{ckxn+HG+bfa%X;L=_C8UCIZ~^ogFnVvYZ^av(O2&S=32l^<9G))_z2 zP*Y%iql2>I!sq5dm08*@oGykXq4&gL!|Vtc^JwO`M`yxs9}@rsa+1UG@;~2dYY1W# z(ic#|KQqZ3}TYTymm@_AlzL{QT-9GLp2#x1B|C zP^j#EKbAXGA76}d(R|a0nq25K=Z%sqC6&PlxC4dHKbY+>4s# zngnm+Hotr{mvaB8sQtTh%$ZRiy3iP`3>m`l(aBoxl%QMYLk9;0fQ^G(+ImP64EGVi zO;3{kMIYV<^CQ;*cSfTF-JEORjxMwSAKUi3Ph#93SR0!=k*=`~03l+W)iC z7JGw@OI7!0jimh%2ZcYfyNSU{(&(A?Vbm@ZP5MevOzi9Cs{WhRHxm% z4f?0&DaF*DOPOZbzWPZ~Qyw3k? zP)5;)$<)w`5y6~&UhP|+M5*LekE8P&aTPQJ*~q*6MxFZ5laZ=V5k>c$x~gU^@{I{= zh+rS40>~%*#MX%JqNa}T1CIVJsIy)#u_FQh;&BMmsSO5_4)63st<;VH znu)eG(m5?1E+m^fvE1{{9bV5^9Y|Mwb-8;LikdR?%(g^SO`|t!1kLGZzQ`dQxbW}k z&12hLtm#;eZv?VgBg;58|BPsJb}ER_JXP>(obZ+P%{}zv4f**ovX$k=-v9bW!}UtZ zW+~0#a{nq&U3vOrw*_!nauwaPbavjKs&VmeG&2LHq+df5 z*#?;V|95qod39-WhvKLG-0a4P=o{+2c>VKkRn9CG%%&f2{eA(%A^l?D?BuS-{*8Pt z>gSV$ZeZxR5# zFSnwJwy4qf|NAQt7<~BnT*R|!0ghL)<29(tU3Jpm>=^}Yz22$6*k&vCwX(A-(C2)i z(QOWtN)FXx$vwUsdR#YcX*XxTfB#N)YzTk$^5x6AqY=Gg|C@^hE(7nIs}r@{q1v6g zppb^k{qFC(H|LGlM@CmmM*dr`japoD8Dw;o%a{(9E!v2qjevNM^vQonEO3JlUjN~= z;6exfq2Cxeb7Rbxf`8yNMzrkFI6gqI;ncBg-TMEb^56aUXL2l8_m}_vIkk$xOJxeK z2s02>&Ht{+0U$KET>gi&jLAU!*Mr=Qxp0wi&Q$!*D=;@49yy?(2mEI?V^(h*JDl4Dx` zRpn{6s^7LtTEOOB$HJbrXi76MWU#H21l}yf;-|*B>dmSdrBKR={{C2{97X2A82__w z`Dhxa+G*8iwK2|5=(#M#sp~J71}2Q4jFY$%vPJCF%H4)U-3|2d_0$O=k#%wJ(VtW~ zDM&Y_9yb6cT8K3!ykaw%0?|O05P}abn7?ce2^m|Zbl(A=C@8q{z)%vIwO})cekvh|bG@|G9^HS?H2^ 
zngREq%z#_*mKDpJ7q^*9g?0M=`=xK6;F0``L^Aw~c5=tnCgU4C&8eWwQ2G=GX^nWhqtYFizStjC2 zSG`IG=tE%tRy;nsdBiaJE1zv|a^7czE-{bO~x&xwy4}duH+$0sqyqs%f(p5NFrq~}PumS8J)P(bg+e|yx zTmeVTw^W-wLSs%s8WQ45m!Cdt%f?n2`DBSKR_|tDujlEkj})or%}Q&+NlLG1quZOM zT9$>uMk6F=SJxvOhcd;lPqP%tLJImuQ(tuPTIjrD*2Ca=e2B6%kIg8k@QMRElSF6u z1KKMo+F6?2`inMJM8oRkF+9N-b0dq`zWcY)^?B9j_YhSKlqnhERr!+aNEn!vskOg1G1 zTVw3y`I$bRTDGCXSV~{ec)`~iQa^>9 zPCb^<4ce8hAD8+L-4D?~oX=ck9Eiyq6w|~+-_S{ZgICk`qocoY`yUnQfmjC^lhD~IA*6;3qe*z?9uL<7Z-*fEYhDFcL^#8F zZdSOnRtl9h9_-8O&x&k&FKN4O8UY()WLtJ(=kaZXC>zR`i}S&N0nefaSY;!xI3H2{ zyLtY-$x`YT82V?o*3SQwVpeZrV-)+*Vu5x`3D~pY-AWxHK8z-^%7(%mUXR*XHb@3U zyE>N|bD{fW^w9mo1cTx)Z~RuQ7e`*4je!(`45L99ev6c=A3gK#jqbj4gz^Yu))}UI zX}UiT7@LR6%e9^?$z&~F8dxkgMzle`pOx$0J43IhKgv~^TOZEvh@mIO4g%&NOU`pw z^Ya;_8t(Kbo<8fNxK6-} z;Ns%AcP9|A(_^u49A@hFTFL15J;g;+h}5zu>f`JLYbz=|4_A3|+2a%ym38d5PT8_R zo=<~I2q6yNc~OI0T)v@8yRx0!o7IG2w}zi#I9%Ja^^v)%<1vk2cl-@Gsr)nTBrJ|@ zhitu2O_x;2CUwuy=j@gYKeY6>+%Hh_uhQASeAB_;dmtZ5=_n`Yx@)sh4`JR%OcdH;^=Six z<^Gr0=NE;7$-*SfO|PP2b{ha8EVDmsaAD6=m}Yxp11PZPKWZ)cqyP?M082_os;+%aKT1wDm|B+y=>Oqzp8gdPQn7_-o9cbPxLj+9EQDT zwy~WC!qaI318_WbJYLWX}D8XDSmlI_dy zykXRy6EN$$DWooEV=5{7N&k97RWK|w`|8x{aGE}rO^|P~r1>}#Ojh4{U)x^@(chYy z8g*6?etvy3`~0WnA;u<{mQZ3xON?H%129d&Sn~s(t@O#t8{rF}hTV5ZE9MB=4GFKC zV9t6V<9G<$yNINZfChdzq+Y7NxkFzv-Gg402NBQFamSLnaqSfA_GZ#?v=YEx{TsRB z6@Y~D#nL(OKwhP$u~okwQ|Nz#EWQVW0ll@Qi%6xWm37JOJO2UDYsaUS-@&7p>l^40 z%MxsVGUa2yC;y{ucRI2*QvS6g_C{=oD;2vp6jZq_zVt`K6jS$xW!zg-y^Jv)7$*R|a_S!{{Hv=g z)j&mFLS&s@%5>0pdxdIgfT|0;zCXC)xP@M$F$RUa^c|CQ?JMIQ^C zil>6*9I?|KVs5@^)WLjRzlNFBO3pSGpifia@GJbh*Ga((9q2pQ>w$=TExGxu{+*a# zv=t7db&8HACbz>U`}$NMXn|e36?U`BWAMDJg z|JDHnCq4^&PEB21n~Z>)#g=Gh=9-UBo>9As0m5`;ySc*@dYhuQXT-8}er#~n_2|pv zAUXXPFFKS{|M4>Mv7@k4rW^LWUj5Z^q7`wL^)=%Bma))CMSC&&4bk|$3Q54)Y8Ce) zK;yUPT?E~Q31WxX-T~tua@CP7We z5gikQs9{z!%Xw;yNgS`41B5CsF`$sGm!J-oKxgDQ(~+WHI+|mSBjBM`=E%DT<>lpx zFJU_FM>;Ar*{4XtBTyGcQg`L04%n6y2c@fcC!$}<;y27Jz4P*`i~D!A 
z`LpD*Wi*kX>=9wdS*)I~xGV^sY|m-B{9)5d-THrw*FqM|6NSI^wgFbSjHw~Fx%V^f#eQYjxxaSN*lEd={B!c- zG&H_j5R^B$he1bAS2sc~Gbku%_{;!u=`S^J%RgY&5pD0zq^zVwNJuDXi&PgA5fE{f z7VRzJ_?iwMj>p&d`_-skHEsffKAzNZpZr890*t^Fa!3$WS}FGo1kB~-JJuhhyNX6t zR0DIdrn$L;3m)C01o?E_B=*6h;g$K-P(^P8KUICN-m)p#MUx{62r4cG~TPM4ou?d$cs+L&+5 zPM2>iMR#3blbPVUoq1{w6WTr!pepFkf=h4IlBvtIOm3d%stDl{_KkS^_#`AG#PSjo z5vs3v2uL3U>+ZQh{rM0|ii*caN6FNL`%YhCqGCX;Q=8QhCsyTtN{IURJ2+Ri{{*G> z6bJ^?R1$n;WhJgt7Hop@D>zn9!F?`r7nrTNLCHqU?RooL2(Aj--VcBHGR*ZvkkX6u z_n!$dvDjHq7m`+u3wt)Kuyovk#`kj4ON#`)a`!@XZ3OkQa^1*w&j5v&0(JOLZ7=bZ zh_HrR$OX7Uf@*?kY?wl}EGtv|=$y8psMmb(sUfsm^ePQ88qmSNKM1=BZ4Gbx$XIhK zMeszv4NcE?7$DcLj%bePG%qVI?wxz{*Vr&_cKBAm8FL&-`DV}g`P!O|Y>qv|-9)9S zuwM^{_&E!GRmgg6NnX>_oqBuBA~TA-+^+i*VNFR18p%{5mKT!)*fXuhod5P6e{)~5tMf{duZUIzyZUC32Vmdx}+w}_4f%;OX#D`6TLO!b@r z=LQMniD54A?kq3oOGz>Kgza%(G?QA$kw$cCEJ~y25p*|Zs(~OM){l< zY|Rn6iEb}Y`uh5<+p8N}TLq$)vIvHXc9L3eIo#WIy({IDTTzC%le~Jh1O%};qbsiu zw@1!GMDmA=996Dm2p`1cE;=8=_?dox>RlnZoiqs(G{?~QZB!l~6D>aZSJi=0T3RZ7 z5gkVVkBV&qP)!@+UN4@CY8!yJ@y2^7}Wt;f3()PTqqSh4itO*^ODn!`uUB#{- zv#d<7|9Vh09fW_H761Up(`(`ZF`LTcVA;Ru?p z|M7#LdkElXPEgXCGiftJ16_Uo%0%k=;Rp3dak@5?P}2MH-|p7~7eqW+Z@S|YY)bj3 zZXy1akk+hsXGYJ)*Kp{p*-^5jx||fDJMJo56S2C{vl^%!ldKU&4^Sq^-i(OVEnT}| z(pooPwS3lvOX!U6)j7h(r_23dP-sT)S&v%Yf)xnU(o1G$W*LJJ?|R+LrvqXooQJXn zb!BDF01sF%AH&tz-2un?v-wD_qE}K?2jHYtMjO+?CoDW>jon}-ZyQ2T7XE%$rQP$@ z>RTZMTY{Tb`)i1ed6(R|Veqxl&G{(3&nC}ZY5McNxOtn`OiT$}M(vc_o13z9W!|s- zS>t7hqr&HRChQ^F#6HJExj&0+cXnfS!*t*IJ0{fE=j2>8Obe97HN^(Wt?!);3x8Pu zp;(oaBCg6Nct#IMDlxyU3vG}`nR#RhSu%dc)L>I#Y(hND9A0}UO{2R}?1R_kTm!b& zJU+BBH*RIaUORQ#&E*QPNw?u64Bv$nVu>hchHi}fA>mH|&Lhw8%l1SGa{=*k4jY2E z=C?pS>$zDf?s)nhRV_6>Nw<^qZYlDKTO>gJ<_WP+b z#>zW}%2u_7wfTBet`{_*bIVs_WMNT%xv>~v_`A-}+V`XLaMW3ffe=`_T8xJ$unHx7 zSCRP6UBt%zV<>4X_BX9sPICOYjpF*_3981^wxfSfjBF(8*~R%eOhVsd6UhN}W?&OH zVsRHjM3`NhAT@$emm}R=Qv0in4%I7bIcbK9_MG}ZO48vZ2!=es<+!qCh{ZkL3@2k* z@2n<4Z-Oblot86gyS25J4!@nm;+{CUqGscUjWA1)cHc)9u8uW+Vyomm+q#^uf)`5g 
zs@Wr0mA@-Ze*pQLy|9P~-ffxpKs0qn7Fq)vEP98z&BK(@v_43Z0dKsy+6h>DVWjJl z041!cs0iN0hT}7I$`Oy!im9^cf+CldA4)tcK8oJ~;}~!;86&=rE4po!>Qyy?_5>is zk*qv(+*3lY7?do8d$H84qvRy}d2-OTLukwp{<)uEc};Qg9Ku2Q-SPv%5KVEzc+JTY zxW_KC5L1}2h+p{9DHOgG2CubX*0V>@X{Es8!H5YRY;ExagZqu8<2sx|%t*&84)^T) zoK29jLBmuFCQ^2BJAOMpQs?2iYX_vzfyQnpo^pM%@$7W5cudU|>Tq9b8J5QY->KD3r#;VbR%I0g4= zV8U{J$6na}A4wC}49Gg=%!zyj|Fs1$?Y6<?6@s_ z+>WyLt9KWrG!-_2PSW>BDxZJf8WDXi1^)RYA?muJ!P_)dBE}f=#y8AO8WhzRhZ+d?uHRdg5HDFb zTN&1&o~fxXgKL}X>s^+-a&gboRle3E)26ZUQiPQ&@km|){=NCQ(fL5a$b0^`a9Sdq z)-X+dKQrqT`zYqRGf5RrOk-(dH#YE~>^uwH0BeO-v;}BWc z-B^_l=SV3NY(;m$P~rum0#7K`E&cuJ_ULr!Rc+!r0j~+|@*E76gDO@|US7Tu?-_z& z`K+0$p`;y+d&dOHFZzAJvV3^(wnk8+r&aV&#H^rs);D;(29J3r%6B13sN`zJ1QX-$ zDqtE47l5VD6$>$)7x;**Fwb-dh>PpTM7m!iIb^TBqrBf3f9+TDQoe)8h{Z>#f8S7_ zViohw8fh~cA4AiE7AoH@Fo--gHLxvGQc;nV5<-aD$?(b_u*MY|is;@;e`t!VrL8%| zspgo&bR3Qv1zfqLT}*i+O#PW0#^jM$)B;RniHw!TnB0Qhny2bo~%8@QDTRu!BVF)BE)_l90^tW!l-yuQ-{P!be@Z^0C#LjJsz2DF~O# zIyw0&I?0=R`QwFr@M?1p=)*L^eXlkGd=8dDn}uRUMJ3Ssk5q}SJY(T zr);xck4VFfgT6=wY)=g5k8S<~_D@^y!Zw?mn-6-WjK*bOjEN<1;U)8{dnH+>e^@Sb z;D32|arO9mYxc5dYz!)BBTVyC{WjmiAPAbZxJH&%D>DH%?DMRL#lWd@d4B$m`+UHK zqY(wY!TWHKIRs(h5Eax&mcm!FN{ONj^Y1rk)Kswl4`aKkE3wOa&!?WU9Pezgeu}p& zLFF+yrf3D&GhKIIH)~XX|m~{^kt^Ah_ zbRj{wq$ValsCV1g952UJL8l!a9i?ZdiTF)y?HQ+YXLT&d9Tb=#Tc@n+^gKOP$(~T| zZ$QqDez2>i!DCx~GaZb}_ycD~P!aKHxY|+?-aPQ?O_K^(8?bO?SdD4#=t%$Pg9;@T z!^~;7&yYaE{b}m41z%LcNe0e*CCMAFs{b)JH|1;|NQjoETXpa=*KXlZGUuGY0m9}eAmVK$G!AoXZt*+%q#AgBIbCFQE~rg8Bnncc;@ zUEZeJTi-bRc*z2~Z^#+8{pc3WLTc8XC7z!37V$=h`%(0q5)?bbs0d&N)V$es3NU z+5-F}&>ImbS#8|5ryi$64%Lm9J&p|PZ;F5PclCwczpDVMO4c7jWYSHMEQH}R_Wis~B!&g7NkDOo5kHHXao^hP-_+65Ycpe{Zr!KT^j<%zsBL9&b7NZJbAKfSx@$CYUC8 zaqmeGecf#Y=m!esnx0{q@S)1V#q4DhF$xvB?scDlFx<_0$gR1$goj!@kpYO923CUz zKQ0YmcF~%XV;U{>_%h_$MDr0Hq(9ps;Y|1_S;=hG{Jjs7V<2xV9XluaTM7Ep>^eda z%w%}ASI1Axn$V8xiz|fR=DiWH9S3B6#zk}-{2l1)lAZ#mLcx{42z#x~KMQ8FeoMQx zWvz%SazFp!6NK?Cgv{GjkNa<$(a2k|!T}pg3H{&xR`6N%0wMD667O|fDnniCkVvFhbq_%hHd=%_&tY3HocknG^vx04R1- 
zOhPe0KptAOSC>?RY&@BY=;;??01_xQ*N?r%6_3khnrXb;2MvmT@CZow9dABhztior z5H(sVL=tAo_0>xDJ~bg~#&ZF}o^k%O%`$7yhK4n2ra#(osZ0d%&-41_G76IWm|*4k z&eEsY`e0+^=Nx^Rx>vo%L$)8ng>@@5a}bxgve5=<@P&TsBenI7+o7Ryg?W2FC?B5( z{jUEK*Jgq#$3Dl_O6RV5>g!%cU( zby3#Qk-p5a6}{4%(vlOVcYbkEY*fqq?HCv%1zdIn+(jrUDKdB!SYTAfZ0miJ?P+WD zM|`a^iO4NxBf8(6MFlA2!+cX8cP^`WF=Zn}hm-OFz&MvYdx@PRMgPm9y&DOHdw)VuXqHm%b81H`Ms8o9{`buQS~Pj*?E>EKji zBD=pX)UbDyEaV7o3?8b$`uJ$nsAVSD(ge9#8BgKC4hs>yIQNd_3L74|HPW_cXS*ve zxflOZaB{Ue7#?lul8O2lkI#r`@rIS%Nn&LWZQ&w~7W6L0V-RxXzvW1-pdpdt9?K{9 z&&o-02Yd29jjCINPd+GX)zcmK(G$pWh=SixqG+gVUDxIhE6`_v$9*_a z`P#AZs>;mk0Z$9?$Omz>v7#dETd3k~1Socxs!4lrFAnExxr$zaSZgmE4v6}jiF~3d zly?dQnHcaZgztu8?ho5S7+Q*oirU&9^`os}*V59w=8xXkS5Mwta$VCLm=)SWNmE`u zgqBRKpW75u#`c(x=-0i4HhlfAVj72h~_iS$$c`MPIc(ADD%5_}g zf;POcE8yTFJ61F9^;z)=IVv1!yjVM+}s{mJY3Th+rAk6`=s3Sg}Rb9q7cx%p>%Q-9}LLLH}m+(rOf z5gq#~(29xiiJrE$^v0lVC8&P~0TXzaX7p&WQP5$-MHd@iIUla4F)~UHf+$KA58ZpS z%f-ow3vORalem~rXrqPAb8aS>f5!e`7j7VWBRp54;!^6mBf!Y1#$o!W055M@BD{a# z%D>TG4-!sWz1;r8_|>t3%yRzaM@_W{}Bh9!K_WK;)Y<;KVe-Z-Fh= zUFzAD1BsI<7oyOXofCsP&%LgAwpCZOiW&V=m0^_ZITj*=!uQ5!mOAaTv=AV2^rnjV z9CcCrj#&%1sw{>FNqe4M*SG-UTdC*euvR0NA?hMi>YOq7a7=A1h}+zX<#=*BjzlM#Y&yKhj0hF+CPoc(v9}?CXKG?j8k??ZHFUz45Oy#RTCH zzn_8mZ4_4b@%N4NG4-a1g=YOwc`U8T&18o%#2V}myB}xVV{~9D3%>-Y52l_cmsyXQjhki5?i*b%y=4-!Rb?XqF?)AiI0}z%K&;F3) zb?#70%@2gb@h6vwV{3@jXG0#5vUW8jqrF(AwEeUY%#PH~#$*U@iBxMQ=e>bv!FxEw zbgjotmK}zGRIMy^#b3oS^D9lOSl@nU_1C9X$#=FTqsFgFNojtrCYOjA`fLeoE&&Ek z{*bM!IX6@DGgs|^Bdvh&D_%*#X#e|SLpl*YhwWUs;T%9wm>s}SmUyj*-3sEkrz!D0>3EDdz0B|-b~fKG(cV4$ipK- zf{*(1MS{Q$ZlO8lPk8$dG?=Hm`vqr$i=7=gwZ-_HbfvYo^(JWlNEq5;Jz?#wjs855 z8Hga_W|CpFPM7Oo5`Sx~2l46vy!+;7<0qtL@uH?kUsfouL71iUmFUt0Su6#@dukhC ze&R5L&h!=#T`sngs~u!;!+xgu?mz!dY_l9f@D6V8E=Fn#!Z>NN$1r*|wItWcwSMn> zW2`w$u2OV5aS*g)sE;U6$n3xFy*ZOAsV${1#WlylrD{B>-!bu^CTzdCp1l#1@iwPy zGu=BHH7uVfn06CCAaY`Nx6br1!K)Er=*6y&xTTjvmTJTd<{sT0Mc9uf&482Od;3Y6 zWm?6kJrRD&1?AQF6u(g?A^p3InwN=)_;+@u zzv0iG{i%+%N)ZciaJO`KJskP__wUf+VzSg}(|q%t^TXWS&XZXwF|kNXRT*Dgkjunh 
zo{MTi$APnj^e?=Nkd|1`WKQ}sXn>T@(rbdO&<{0xU=KL}>iE$vd?KX^hcPHh)+~mF z6f>(54<_EJ9;6nu-O(=+IEMv6(q1LxX{O=wl>X=PzC+eyAAu(>78?SKsz2{{E}vH_ zRGMNTOxfBNKER3TMc%PrfX+j>xc!CV$72f)F*u(PyTsEv?3#zNDi6qU5bF*`C}|Qs zI>(ZjzfC8z0rb>2pl7K;t+xObJdb zC`zM5b4$B?)X;Bu%5pn*;klPE9YZYW;PLx8%5GCHjOKpz_l+0ZnoqgjLCfS^CbfR4 zBjen3IY=qZf>z{=FkM3Wr(+7zb zHb=908P<+#J?p@xZ}VA6tkG4IP3{}wy8Q_;&*vdN(wyC|-JX{#dRlHJCCmhCGWAqF z*>EQl9il%^r>BF_`JX3Rl_jzt(&AzVoLl*~8}l=KS7e$uI_uJ+^FK9t8TzvA@qK%2 z8Q`;C`gu1D*OgdV;_7fgS$uCuO}WtP9it4TEX69ejV2`=tX*Qv`~e3VXo`vmZXj;R_>+vv~d=-VaRzDYXGw<=!^DJv=|eI*E3jFl%D z__wWa)$NX-D5W*HZ^4e26Zx#r2EdXnCg5`6GtPtVIAuwJzP~{(>sdM%8|Q_1by>~J zKeWDls;WY9J=nJC`_f;uw878_$#oH%jsG9hq`;`?G-hgW9P`}|^fL*zStQDl5bt7LUwhBnis7LV}IOhX~SF7uEx_Cco3df zdoclbP~vP~1ju|JZ&Q_$f^)ku#$(p+B{CcU((eHEUL&=Ki9=zA%*T&qJASd)%1V>p!20-CDqUl4a zd8iqlvyq^#^@gV)@Plk_5AdA!!^YsrU*;8|Q7 z%#k`d>opUEQe2#1Vl$=o;-tdyK^t7qJuvL={U^Vu8g|<}W_@-5V+cv}Cq;}NKco+S z-A8$)olKB||bd`LV8q4|< zCuvw|BNs>Kc&%X5&JXn^roB;c#ZbXK>$!$8fia(q5$MtwZGls@yE>-LMB~5T$x{3C zCv$tp&1uYywMAQq#D0H_{~=%6+3&N1l|2p~Q+;|wst71JAMkP2z5O8(uRtg2dfE{% z&vO5xDG7@*m;#tgC8*?3-A5SKJKsae+BX>knoJW~x3H+bo_4%RB`Ah+lDFq5UHyCW z!!O;18@kt$Pr0)c9?h=XsBRY6AI*73z!ZJW5J@08H)jQ1t4pU4#1iizA=rT2zRM?d zz&9-+K@^JhYCZ;x65;nIMJb009MYfJh3~Q~3W|wc{00>U(Ypx$H*|*lSu*fYxN?g3 zL-lZAy^z7mgK8E3ZZ1$Mk9-1iwzk%;b05BcG8noM2=84s&mkxa<~LC@#i=h8{CQBVJNcnG!aPUU~iDdM9nqLiMW*9cDBI9Jxe7tk#Wa9{1_F6l5 z*wSY`H>XrAOCedI{8;PCiGUFAnZi9)o-Dcg>pO?-Lyak~2ifV1r2H4lGIZ-};5+BL zU)=0Tp_epA1;RBe)(_{1DaZ!xWUC>&H$PN+WqO-pgRpfgg5c zCs#h9RlXjWJk#4bliz|qrA{ynZ%lRRZ6DmY3R5oiG6DXlH6dpqZEeq5(YG6K!aLGd zH#U-!zFf9QU1EJFtX();NehJ+8`Pp4n?lF@K*s-QObv8Zy*TZVx}IN=WPv$*n%_m$ zc^xoY3cGI#H($%s`w{Xi);1rIaWUqGI{Hb{yPxDpUD*UR0nY_ggX50}Qh}2NTfSUd zFEWSUJbW#{4LS;I*eym|o|Whv4Y^!mEG#NT0iF-BG`Zhwpgju9>>ulp+6%{__r0&f zT_(t13UFO0>6W#Z*8`O7r>o8K-exl(bLRWYme0eq8L_6Orq(Nd!0vjI&XOkXdx|_- zeeH|iHv_&xS@L|$EDWCc3R)KYl_Va_nv4sDrkW4?EAGWeE>Nq1vOUxoQU?zoR#VC0 zw&0t=voD*|@9ehly4?Ocy0(%9@a?2V+h3aBI)o8RT<*@#4_r>w0Zi?c_QqZZ{m#x# 
zT53`rbRbapa@;DUyDwu~mVVx-6#Jo4jptr-sMLNem+u?_ZogVC|G;|j7fb5lS6&4yFFU9E;CN zVTycKE&s=fM1wd zBl!_u<9mE%d(@6{-|L4TKH@{(rMNB0wMZS+rCM%zRB%+X{>=T)!v}$!?ZrqPkC}xM z(O2oRhk@1Ic+DquQ69$m@G*4%h0%E|alk2~b%{cDm-d5M0M&UHKzYMAeJm~I_!mJ= z;&r%Mx{jkAiIVL*Ed_qEx#xNCIlWC1-=)^hIO{g7y56c z;#%4O{i{hki+gK3GCNhhu%4OLO6;#@vT=?c4)MF+B?SExLB%-+G`;NY`E%V*e^tE% zF8F9Hk9%=3Ygf!>?9UkEFp4}SeCk2UXw2nmOau@VZ9FRutw*^@NBGSzhU3tA{&fLi zTx_R-P29xYYwi4KgEN63zVUQEQZt_-c0F!md%>2nXTs>HgM-zg@Kx*uS(I*Josa7y zl^gdW#d6;t|BI=w4r}uJ!&W*rN@6qvq`ReI#1sVuq(pLrfS@2DDK#2~NQtPx5D<}& z6zQ7M(w$0o_j~;QuJ?N1|F>P|IXllepL2iinA^!Qk{Q74_{@V2k{n(mJ~3tG#6(uT zPO4}N<{1MM59fEVh-267Xaa3z1S*$YX;qjE#U_ z2SsqQe~E{SKaj$jnBUs~ihoC31e>p8V4%fk#~W{l>fb)3guKjsZP$S%&CpLtR{9Cb z2*Gzkt|(+R#Z*eiLgw3dW@hw|sE<2|5$swnAY$)`H)yv*j9W(9H@7$Nux)J2)Zb1L zVNvUK(67yY(JvY_W>aA=u>!=fqcnAtf3-Ky8}ai>7{Z*#^7L8&$0r8VVb91^ym?@t z<5wun1QOnp1?q^w%e9po05_T!E0VTisM=RVee*Z*duIrY6Qe$!q!vb4MO_)u&C&h9 z$`)SDSIlWn*M_E8^3k>)l?X42)bo0)jf=)L$Xq8XRu*L4KFe|mH-F##H%zT-r+Uhj zk^oQngDmaqz;te^?G76NT!2+3`tKsSj1_0S_%gGlZ5gv^&}DHy!~Co2Ra}}$u0GxF ziIv!^Z1pTE5Q)H3u~iUemPG$ z)AA(=W{hW5#|<)a$9>}JWv)Nfkm9bSdj;?J$ogprVSGiJ*pd_Vvd)6!MpW1+k+rV> znjpB|Sh$D_9g_B9&oKG=|Y)907dIP=x5OS-k z1|INpzc6NcBs17Y7(wQzaeo+;bj%GW8DfhFN|pV?M{X}CUGr(s{yS~G*0q|PVyJTY zK`m;9Y#W>u4c%R}d!x=(&;k=@+(b{SHeh{&e(KWYips^~jPA-F40CMiXdIuR_q~}T zR|eq z#~ZGbILsY?h8;*s2>-DSH%)s8m29+w7dLR*NGl_TFy_PDy*v;^`YR);ipBDHr9a-N z7F}o7h=mi{1zhemoIGkc00I~#a5ioIIEx=xp@p7=i~3VfeCEU{K%zDw=r0<(V%TSr z%w9zRQpOWUYh28CeH_OCCZyQn)_Kp?3oozeBXTlHLr7GB0KK<@)S@r#9Xo`ITkSxB zj73iIJyk)f3{q7cwX={-4Mg_yw(JKnZ6T5U8(uk)hnzfZK;mtAt`M}e_2Y8fSyEDR z2n`8W2WR~^O+_vy8flK*0vT+zIe*2>1salqav(2D?*`%Yga+xdDT*_ehuR*@%rsVy ztS2ZapmoPJy-{d?UnDRYoZeZw!J!SQ>5%FCyu%dm6mJ~o)S?z+B8?K^ z&6II*cGfXs`)Hzo|HkA+92U* zA!FC7aNf4RHB8l;prt2(ekVf8Wj5mG4wHD(b8a=ZH)R)uO@RaFN~>qvpbU%@IvWFI zl+~5I-uFti)zv=dt)#GB?V$b6WT+sl?DP}g^JA9N0s({o0^WofC1h^JR4HiRU0+)Z zgtPJTf^U0nag z@nP`SuV?@|aOsFqHq()8qz3&-wMOpLRNCxwGSO`8RKg#o-DqxAr@Com=1c;hDPvpY 
zAozOO_*up6#u!m=+=1E`$yo`b+*>9!`%A{JW0du;sKB^v|v;Y zZB^o*($STz<34vceunRe$|!uYl39=M{^k-cHd?FhrY9P9PI)z_!o_tbSHSQm!Gg!QWe+WEXSyDMa4<}!8u(ywAQ#kBwI2TmexuFup zNT8y%33!2=E<@7jFt+Q;&0ZE${hWnM@awPF7?jWE-L4K*6n(a5nZWh5w0fecpAYCJ z)$k1qUV>=`;B@MBcNbkD~=s~niF1Sy&51KFy$2txBK;Rb_9}oJi zU8Mcim2r>)0eT%04uslIj7hX3QV4ibjxS7$Eo$6`?KPysXWV@(E%u3=f%^%zs_JL} z+{B76PK#SG>=&aQB9FgI-4cHe%0A2UHp|n352q`DO)iEycuCrinXjSviAf$v9*s&C zVn!R(ZYa|znql}GZA^*0D37~Qtt3{(AHT3Jg7M&^o4Ig;)a|o7~IU#_1EVdCe zmBmoGStl2u)=j%&0566W4m6#mjvPaq!YH$@KDSacXNDGL}dr(CCVze+*#U;h$;G`BJ^TyaNA*_g=QUo&Nj(kHfB(Y$Cvy6bC@P8#5JR06{&$aX6rzRj3;xAI5s|O#&uu?;+&*)0 z@*(Kr0CYwgM3^LClcN~Nq7b-F2wYsxuCy87pcMxEd|=h;{quRXwEdWc3}%V9KkL`F z0|KTO8VcdHwJHE4yI2Kn@AEmmfYtE>=jA90Hu?Rd%W2W`$=-{{E_~~Furm48c6+@% zLIfvA1WY{F2FK^c*{mZK4#EZMfkZq49&|Ahv@lp;0Jg}7e(e~6cFbDi&PT(o)9!5l zmE2Tp)tb*@)51UO?<4;KNB+s|(jA?2_r-gfyT8l~+z#>P8}N2tPi8Nl2^YLz=6e_` zT{!VlxTQ*{DRBItuW7>Tr>KO{c7A;eVa)NsKSHHwpod5|Y-NO?Ymr%jmv z9Ke|t<7cKscu=Jyf5sl^KUb1AD0!XzsQ-Wxt4>&5T~)r?|uT!vQi12 zq$l5qvp>4;|5*!SKeVXykoGR(rA}bpKb09g~r{r%Y)5cjwIkwu z#VEb_-ZIxm<^tamEZ;ntmEHC<*uZ9JjEjku4@wtgCY;x(tG;a)*_2+oMUkwQjJJ{- zD@|qkL=8C49=$yC^IJPX9MX+m7Tnc(+;MAQb%Q0L|~nniq65EirA}>gXb-V9|I8Vxa$&K`dL<`@d=;{(98ZjG68yh=GtMCdOO$CouUe zhk^5@5zc;JbXzxs=vF_O;EGM_G;SZ7-RZL}buSj)l?gZh1h~7|R=9N^KHuRR6adHa z*gz8xGwMTxODxIgKsKTEzU9Dxves9Ri8i`cW*QW5yIUbx4`L!W1phfO(sS$n9z4Czzi6+FnAa^Cp(&uH zAT03D7{Ac{k7=W8B!!BDxmU2Ue2?;Rk-q$r^g=!ypRU6rZlU8a7(P%Y2jN$odTHy# ztZ#4d;_8!O{xyKW9qFKjl8K0j`i4K{<@Iw~A%%SH>z(o%&zm|$5~@PF{)@x_Gcv5~UdB=)j<9@>O?O3z}ef8rXsLHi&eV@&8C zCtcrA`;DJ-b4^Uj=9CaXxe-uR&Q~B|1k(UEumxxxn`=IYzvqC^T*Sm3vK))wQiWV0--ZDY&AyXT?Cs2l{_e z{psoL%_{wP&$^R?zkS4dkXa0sV1;a5MdpH5dT<)b-JJ$_x+_3Th3LZ`nB@L$3MHm0 z0C!O4j=adk`@++<_Tm*CzpR4dVq+VFr6E!Bh`AEGiiOd4_9xE*lp_5`koZ8!YnD<3 zlQ4X(DFC1)VK(_uJT<@^8rban4F6EM#$LHRyd~vAAf81JCH1yW^78Vu3FX4;XuvR= zb2GV1cebDUD7vnH5KI;2vh%7nmRG2yU{{WnQ(=j+vdkGl7)K^hffYucJllwH;{&w; zd#!Rtr!}R`S&R%C-Y@*NySWORJi+osX3|2h+!R`$-1)cU(5E4ta^%K82F^Wbjj6&z 
z+%LJxT)cu;8|*sV)P+EKhvb=0uHO9k^P>T0$JYf#Zi+k~sqy}rroe*InNnXSX^O#n zdd;f+ayGf@w;sjU6(B8NN3Yeyz=fkXXF!Z$pOZkGt{8Xy_{0c+ZPGbz+;TsDCZFUb z_wKm1?-#~A20iE`mG;tA*GHa%i5fCCFctbKLPZ03%YT1aSeJwNu|gmB)dpwN$j(Pg zPGU7EFw{J6Q_6we15>X>|0p|c9MPYCS4)a}zgkPJkObT?wHz$Ek4c}H zl?nL?3hShX8zg3xSs`EE1kyoMkr=dpFYE4<%wm$v1s8qhe9w)8QP$D4W_x~mpoj{E z&%NN3;lE^M0nWXVVnE>v zmODX4&)hRrODc}HbmLr*f?-FDM|W4(Jf+q7{`{Vd99JzgLydUR3-K zl0)WDIdGa;n41eNlH(*MfW*w?Wvi`z79P-un;jcVpiF<28ABQGIPeOh_wBLTgG$x|Do#WEBaeS+?8iTi zQ5l#sp&$q$SrlNdWF2nK8?_NbQKQYNASXZsO#>xOIJpQ!DW-}%R-Xym^78a#SM+hT z@mFM_-kehK-RG0xH)2M!Fflc=br|0dgFnDO?f4l*>JsG7;Mxi~W{A-$NB>&8l^49l zW5ACy6qxyGKVd3{;`ugKHOy5h8a8|!TFQzoIDm`NJx{w$sDIs0m?o}B7PS$`n|#-) zqIsnW#R=l&q%tg*3%>Hwka-%3bc|2}MhK`uojVl9b1Aw68_2h{-C4z#2lU}p7Z{^^AFsz#Mf{_LGiaFd_ z_C#^mS`uNSc0ah=KJ`~z$(WZbZMb>$byWdFWU}2BHe7H#8{R^P2*iL;BgQ7o)>neM zCqFR>ri6&k;J}qv@t?qqidMN!sXNNb@x5zkqrU<6y6)a?P22tsHb01E(_eL21`>i2 z_C&iJinZ%&T0Kv+})S@x_d9yFNHRf;uwmo}8N0vLTA6v?C7qvVlr zL0Rh6Rnoe?VVa*<*wf*L%u)?GcS(dRz1zp4IZ7=s#ark>-5AY`IP{NDfF_gZI2}Jz z0@i&@ic{?()6D zGN^d8zkKf~@};}$%WFd)t8znJvC=|MPgJI0$`!F5m!k<#t_IK^TLge(_*x0^bJ`~R zG_@ZVGAb${TTjw`_S*Mv|8bE4eKcyU#NhSqLDBu#<>XkN8!{CzDWIvc*0UyBzXRsJ zCYkxA^g)<~oRv-KvAy3@$vy&oT(=;4vMXYZGy<5mKI^;lM`7$sW(s*YWzT97nWM9u z;){&Q;1Wi_`Oi@f+{d)VivDtL#SDdk>_VD|Lc{udaTo79$yCH10wOOGTj=a*nfj~L zo33C$|A~?`)HJ1n-&aP4dz?fn{O_xB^4pBQ1TdN+;9s%0$Hm3PnoPe`Fv&JHHYR?H z6p_+@O(RW3XQN#`fO!r&-{RC0H^N$) zi`y(3yjT_Nyu64!;voPv?{0bLdi1NnAWw`kTW$Yr6gL_Q+!D??52X)xkJGG>UDpsc zge45mkQ|BHk4%Dwy_LkAgy@|M&on+%XNFI*Bszpz0Q#GJ=Ci)}fQ{*xi^;@ zH3SH+CKnQZK#sv<=L}2B(471o@F)6N1#1z6q5$?g;UmZ&R&z5kv*<-Au4nJ0doaSz=88ssGpmw6jKl+oM) zCk8pWDmj{Y5RWb&!VCt&f`{|sqyg;pe{OVZsrtVQc+01tNO~E;ggN% z4Rv9?yLUObte^!QkLVEUzBEzQ>9$Pywa?_-F>uQ99@A+|w{NnuX4BgWdAL10XHj%GrzVcVFF~mLoyNzvFJRM}cFxyV?ERdbU&Oi* z<@#4wpRl*qUx^wkzN?!M7G+CRtZ!p5DJf0!m?pxXH`CB5FeHOo6b@wHiOIF5>anB_SZmlA z-V*Jc?;;QE5XBi+1itwGSiR{LlB3gJw&l4q_XCfu(krp4gT2rq&BdaSkHq58iHudY 
zfPL}(zH?^EYY8Jj9sj7VZ!*TMH1%-z&tDS@nS|K*7&FEl7t`-&qZJXg;&_Hg!8JS=t1)k1cwzbW{ol@R>ix3{vwNY42(<>vrkk>s zzh3IpUK!C|-uPNg83)i5p_*nzg|jcAs$SkB%DDE;4bG%H!%|Mh7TbP-YQ8~;zcMZ2 z%+9#g|2LWJbGr!($usE zD@m5STafqO_anNsfi9-w`}ao%R4iZBr^#5tp+6n{1Y3^C=Ip#n_NYoYMr1Q3;Kh(B`2|IM|2-_^S$u*by8^8-R^P zI|f&_5WLTZxa`5s8EfxT?yJ%qUfCUvo2K7A1h;y{`-u6OXpNjHVXe?6D-QZN?+Vy> zQIYTwwA=+5^--?teGgo~>TKe%#nTuDc0Y4nghSp}#Fl#vicC|o1HO0i!`9Ew-ZfrS zmRNFDBR5}V%(7|Yh57dvQDDe9nrA^BWlMx8WEzX+n-3&bvVvFC0WaMRfQYX|D z={Fp<3JjYJsLqeBtG!|jYQjgji(>^+Cu|ZBL=s~*$(&bhVRIwe@~a(i7Ov5zYN1C$ zDgHn}3+5X%HG-{5s){Q(pbcUyar=kTe!t$?20X3E3;LLTU41B${3J2ai|yU5@UWJ- zr?rTYdFeH_)JMfzeQO77RXRdRveoT{c#^x%{5-t8-iyit-*ZEOMd^<7!soXzHK_?t z>E{X0t~6PWEst%KB4F+&?w%2%@9e0)7JvB~8>hGX$BPOYQ5~Zr;6omA1+%gcG=voN zELDvPO*D*PuBLpJ++tUADM3)fEEyzSmprU_>Al}(Fp~sLlutl?{pGNEge8nD;?YHl zXFyS5RRVMPgkrO~mrJb5XT4|O;@_P)WdvQ>^C>sG=aAR5b{NTR<9P#r<4*4Hlp*=5 zlE%~wE*6NuqQpWI?=H*XRC?zhkF_>KYX*(LEMqooAJXPKffp#` zS?bG&+jIm$FjSAD@hdp=3tal-+)J*K?e_6Njm=Pn$d%)lJz4F8-S5u0c^_lst@UL zfbAbJUOd94D_R;CqsQAM2(L2qIv;Jd&_rqv{b$HYAs6cv>Wjev#|KARiU?y<#3#v> z;((1c%2AAV4H>z3Y{%NugVo`IZuU7ieGKJIynO}K@EQKcNKlN z(&(CA-^nu`Hach@7Qs@UUbxqMDQt7Ll>OpNPF~c8$-19!C=|<9X`s}|vu_m)jb0B+ zNAPYYC6nqL(m)8jDyz1&#Apo*9#TX+E*uzhkwHyK)O5MXkZW>=_G9jHt7nx=Y~0Bk zSmqdWm@l^bHs&bw{l|~ko9C;MWJ4AARfYz24qE*`hEHWy2f5$0Z+wx>J=&Ej^wUM` zk*E0*_I{yZP7W97lYaZ=LAk%kuJ(@XbAXA;kV&bpjj}3Q@qrcYnlr9Q{du}Hx4>N3 zgMuNk#Xl>Zz+o4KoIf{6oU1p8qjTo*eYQ1mrQ@9KL&e?Rki5WZ*Dnf{>?^0yS=p%ymbh7JujJP%5=f_9a^0p;}6gh8$%& zy)luT!*3nM0c-Y1dAb-u}v+wXz|BqqH-Kd|Z6=z!~` z_@TQPx_`ba7DgKi0K+X_US2@<(n53hs0=B8`S9;26XAOFFbNaXCSLs`zI20{xBq@J zM0~NYwY8NC*bS(Pa&Sc&s8vv|{Wn|`E-AMiGcCgiXnKzRHuI$&Y`h4Xr4LT*!+O$p zzNBwopC<^0BQ*c&b|0!!qxVsV5Oq05TC%pjzS+^y(S-yRH8i&f0p0)iaZvOI1Ltt> zEmoYb1n$pnQ&UrEe?K@vqru}C_v}(1+D|@Kd2TtT<7PP{*&BG95A|NmUdk(L$J^U` zF6mK5hK~1^IsyGR#-zIen2NA3PMC8NP*4ouy*@mHZUeipAV=@|} zx=rDfu&&l#LyIx*ojdPn!Lf0l+eb@aS^FstdwRLq?i^BI9*5ixu?Nt8vU7h11#trS_y=X!UcF7A`LE&u8DyX?;7dhF(m$!An@_*?`>s 
zVki~~J}Q6uU17o=N%Yv`=r>oSq+T3N`p9R_yw+b3#kB&$QEp4Et7~~5vRPh6$ zTTc*W3sg8vYxwn)i3Kf*MgDNf#cwoCV$R5?q9CwpH7R9_-HQd!78f5+e0I$wM2_y+ zp+YwN#FL8m8e~k6R*{Q3b{oAevF~{s`&4{!8@J5I__`W4SiN%%G3~*{SoUw7s8K2=d#MFDzqI&#Bz)M4t0CSRmq?CU`a6v~U@N9JV| zoUTirXG@&;Z+LvqkAI8B?7S?#nj8+gv2l6N&2Idpu&0PUnpGuJ*KeAi?)SNN)Hl2Z z)w@q6xjznj^YvLq+}|c~MtWAj6+8n_I0JRT{|Xd%D@(RmcaXavkHfCplJ{D zOExj!MpQEQU`AR)B0A9;GTbyVQkn9t7^b>-$V(!yU705Sr(Qoy8$A(`Itr#lCwD^fh?=@VHT#WnmnxIWn z4$a>;P(K#^M#eG*v=mD*oLrjx0ao4#ZKKTg{en0ae&tjQzk;AykmEsj(27a_eqb0H zRp5!k6ycpTVPae$1xpapr_q`MnV-C0s5^V2I9v5Tegn+9o@9(FXAr$KvyoNQ9t z*9MYhWW|-9+u11mmABe67cmyyCj*wsYX|Oo>38itJVG-fCU-Pl-_NQ#e7->@5=EF0 zMOb%sP-GL;+BY&J-Ip_%|8^??MBM!SYcI$0b>%)#+UI=;)c-~Wa>j@aQOLf3G0!$}qOxD7vmsrH1Lh^RZ>NEMwL2ky*hYBS-t+k06@s2p8-1<&+ z%}c}Oc63|@FJicb(LGuk^}+Fj<82{&Ni>T~H|8hG-PRVLE^)@sh7x^#{!MQU3N$Lm z>K-2t`zd$B$q@xE#!cP-snaasCr02&u%1J#nbC zEi$4-?cVEB^9p=sy&udqQA+U!9a-pDEl$_en2cWgZ!#Il|3-m7_oNfOKGTZkd89yA)Y%;p< zvPW^h^>^pJhA_KYXhQoJzA^i2JSg=J-d_yNQJEHJ6d*6G#jw3gg$0{VEEEdTKhJ>m z@0#2orql$|uOOSC_qDj#V-JP%l|$%8!w?iKC|vzl*LIB4Fy5VtP?BQesO#d`U&o_CUt#(R2QyLFasS_&SKCWTYgYl{r@lonL4#laCZumT zyPr=2&*j-*V&{s>PfUrkEfD9UkSR=1nY7In>H%sfV?qaYoyXqs;y6>#arhahtlqOm zZzi~hvlh&KdlpvamrsdyxnwL7!+Hj=Lb+4BcVkTY>Rp4LlLsqV+NS@}bAv=)d(pxWm*zGbl+lSq;@Bw52Lo0L#*lyFBOfU@Bmrjh zI4S%eHJ|R_&^F;DJdZ#m0t#D#Z{jiQG`Oqgv3nah?wtAMldSbj9!jB^kDaSyooCx_FZ5*=IT=-JjwgyK-eh4`#d?e1zM5yj9Ma7qB*%~tcdrD!s z`B;LSvCK4D40VUk=!L~agE8Z-cbkMQ{Lk*p@!0XNEorI6r-4fMLN{0(Zk55OT)lyS zFC2wLM_;4Nbb>?`#3P_l_SF>?Kf!a_Oa3?0dKGYO&5+YPLl95MhUle&6j(!R^x_6X z@5TN1uwhKyP312bgyTiOv2qC#>_|`rsu8D z!aT<%P)#5L4`19Mjo4D+H07iD{_h$_d&`=50$ z#fRyB|3pR9hl8 zn>(K{Cg0!b7U?>OXVkG#deLR-GLRgThtIdS6B+&4dkK_JJv|h|uc~y9R~(kzI7H7C z>;30Bz8mr<1HVquZ>T#V$xZd6LHLx(tWg6Y>B4>oN}i?}5U)N?VnTYJ56JP#{s z=?9}MWN0DHJqi;O7R3=840S}I@L5VR*L!*2YFOTEypU_o!rbN2;htCi@S#R`YH7ex zYE;e@HvWeuN<$_CDw+SGyBqo=#;l$4RdXrZ`l@m%hcIzzqh^pEH1vptX#uC(9?6sQL0iv(B%pxFPz*7 z5C@L&f&3wfbQVed^t+t5&e?_O$)ikI8ZZF-5l9Eg2mmV)9SNqKT*Hx(sx3pUcSUS} 
z*yl^5QXOY4cil=kervX<;s1|J>-R$b9aB+?ICdn)J4?-k_CvX8k)!MJH5m#gXvWbZ zG%A)P_^s=f$ctv$-5OuSSNpUu>@9@AADSHx)-oMWbl8Dvjd8w-7RW3G^{-K0;=!K{CK)w$(^qAlbi$VqGPZ4nc1a(wEWP$`HHrHftD@ncWoB z*3cFrfM{tF)izt!FaVd!EEE}fKMOnTm?8|Wt}rs2vj}xSG#nXe<)o(nwJ0&j2CCW#N753{K$VD7@*?+%&AosrmaG1L$DcUpX};D5xhhWmDzFU%g-I{(?b z6-G8X9y!YDrI4+bc%P(`u{Ji#ie%`GZk`E(=cC$-M}UE(a7+DOE4NSheBYbxmoS=& z`nrm6-*9|c8JBnPQqkF@d<8@K0Xlis`|}xYKc=(RR4e8azOy5;D=Jsz|2`T`^UN}| zg&|hu&7j_G>cL-KxZ5#bjlX40++Gqqf-oKvplPG;$Ro6bPmZk+mm~VaysPIg|1EYl zXUUvR4%LR4UYNeX&@dy-(9({N6CNd!?qr<7(!aDA4lctFo`d?5@WZy76tNL=4DVtz zK3%yeD1d=a;tB1c>fLi@;ue?$Q+Nwl`XKn$C6@?&w{?LCabkMa_JV&OaGqntEhG(B zs0|+EGe9q$FNNuQFw28!A48;p|A31)R*bJ;(1}1&xtQ{T)fq>1snw3LDIHnR>QE?FgnWP@j%eKdC0Xy`K>KQOM+ z4iQa|8^7C>uCJWvUY7!$ZgmDJ0nP61nD#Gbr?qz3r<`Zq84((MenBqaEvYd9zXeEg-s6;OBwkO2G zL%+Z;#JEo*|JaegP43-VTkZ>Qp+1juc6N4DL!OpA?DGMMy4n%-P&5R+f9l@RPf<2@ z_on5-D|iuO(<@c6A0rseVN9tL;?7O73Vj}Gm7=7c&vw$xl+0tmRx%p5w2MoglXrQB zotP3s$;DbkNpg=Tjx4C%n|oZ&>W_J1>MH95ZC-?!^3ku?)~1!rmPDKeCG2G+v8bZOOCsm!Z z`1vHQDbi?-tv!$z5}S}P!c3!7pbkRRYinyC{o6}u;(k(6{5~X1WWLmV#h7UFyGtb+ zB1Jar6s0 z^(HGaX&B@q_P&5A;L`XC)ctagg@n@5}K>)r2YnIrB|!Wj(9U2yDQ+Z z1JY+Qwzw}JEjeHXvZ&`Oh&ye1PPraV{I4A^q4euWoiA{Ynjg%Wn1LuIl%HQ=Z632i z+Q8i1Pp>f!V;JTASx2s8lh=}1{h!Rg7uq{mbUQYCz|x9_lecjmI%%*b@38E(BGFO48q?ljr$+RZD@*`?Z}aZbeHLcKAsIoAA2jMIB|^&? zQV;^aspoi;+^L}2b#1E7kC<5|quaVufkk(HFN2vG1V%a<y!JK~b9HZnpQ3(X)=D442`877v^KH+!;_DfL? z8`Rt6iE!W8HXnq*qWfSmQb=phB^92CeZgc_>oV&z=0QgfM51xA*H{+=(LxWI^}AsD zgb3wNi6TxEGAN!Hl_YXX8JFSd>1nVqUvS^JZ4zJGO#E6y^P@#yQ)x}5frv5c8)Mj8 z*96{-pR=A0e$39QdvnnA-kfM~9;Hbte1Y$fTl(+h1=Iy}Wzpr94e=OV&yLr!J$Pbk zTe5dEF{8>6cORU>g=TSZofH2*`O3D)ty;#Jxbmeb0fdF<-%;4_`-3<)X$e%b(CR7l z-&x2AJi$C}rA)+O?+VcjvFk2DqN4Ma(XW)QADlH2v#&cN7iULljn?FMyNwDduj`A^ z>X-Wxs&m4Dr|Aw#B6#%2PnZNPq!A;$!kKYch-eOo z9pd`*I~aWz@w&EF41425TAf--k9#WeX0?6zMgmNNEg?sQ>S6X~2|;p9)%_`6H{`3w zxIQDqW(`@)Ow-z%pLV@h! 
zVo@erNR$QhQz*Li@W>a2$c{{-Iv|<)N$0-4_l#ABdYl$WBnzxYUcIzYV|# z9dK8nWCE3om4ttuS1TlHTP^=}h=O=7vyF;f+YX!bo*ukX6;G99IvLC{>_Yw6%1d84 zRYLgAEP!;@EbPNZOpw<{_(GNDR6`qBupmQp$f-?6n=(8)QlptOE8kueFTWxHO6pO6 zb$OPQlq5|TW)usfVV@o?@$~Y_mR+22q!?tH&jvfhg{43;A0vV%i+;cJoEbV-wx04L zcnY7rxWTDhU5-|LyODuPDSU=Ob4KAayy5^oSu#eY`ZtZ7$P0!b!dvcZnWM6yDbR=} zJ2(pev!B6i?DH9Bo`7}wAZq- zg7OziqN>L+G=Jr=<^pw}5*4wDw>8h0B{F*&pL9LBlk4tjms{MxUP{ao8U2c;-`e`j zPsue4X>QYN>M)vD zkd>EJX;9K|F|2CNk13Fy+p9Ts753<1633C6YREFRwWN#!grAn=!0(8&k&))1(Nm-k zUB%&M?N&2JnxfTSyCPf3)zy`)33L2ig-R|2KGqUi6tG4D0_2Hg-d&btuDZkza+-XU zltK>xzi4)bu+c=bkCPcPDs*iXTooTzDk_Gi>+3UF35vVMl*=DEGW9>@On+4d`~t^S zIIT2@kdOPi0GuEr^QB4k*^3vna8bPZtgNgX)5^=2{rH)cAhcAgJ@bc~wWcRkgEUq9Z={T#JV|t<;rXV6Z#(~JiN=fz(WQ&?>gae|d!eW$Y9N;EFqo<= zN2+yTZIIQ+htG{wkD_MAW(~XR#b%s(kwqAe(;MkH0b|r+w3G_J2U&&c6ui%iOvC27 zyj507b#It&O02OZ0&Q0Ne4!m!8UJl3`b=sKmAKuir^9nY-JvV!d`H{a8Ml|ddE?>9 zsBOZ*(GizVv)|kCSH2@ATH5&0KweboQ_+swa@0ngcNG7rV~3Z*sWctU zEe(zIyWj8gfsEzcTJN+yy;7I}EBhs@+1Wh4;vXj{Q{>(ew;D=?w49O8h)#K8`Nd5b1WPW>hjjIzS4i9XZZ(P)7XoCB4xZUnvpzP;`=Chr-R9&(F^jzlNq z*a9(}fVie)GmUvG5AwQiwX)$Rlw4&GRqd%l0%SX<`$*JkEoS%=kuFBgA|JFZ(P+}5 zxm4Bn1uvN3b)|*mHP>v`ZL%WY;a1!^#}9la9rJE|xtXe+QeNK5C=vbe7OO7IeWX4H zb4?HkN!?0hWr&_a=Pt$=3+O~NEnkxwuR=_1Y>=VX)|5vvZLfVwPMIXm=l+o-wa`7z zG1eZ>o{^x#I1x=8sDqz*ALbtyrzXJJ1NQryn$*rWB1yB}CMchl6c(Oc9L*qdT2iU+ z#>d7QvHw2sts7-5LEq<#ZEUp?<3MZB{%XT))t`OM`X-rp*QSP$l^eoHkyCsQY-Pft z(XF$&p^&HjOMI!bnKNQ_%IR^M~YBSCNWD9PT73F*$o8(>z+mo zu&;IuP;N+wLrflL=Cexa0axBvoqseGZ<)(hZ>o97YdbYzxb88RJrX(&%vZoKYz2Oo(M!P0jU35@;z2fYE2) zTuiKCG0MgWDq2wfuJVU}=tkxAlR#G7Ypfo?h$NB2+nPm2F%W76MCb$YxTb_AH#tEN zY<-f?aav|*^;H`C`8MJ(Dz>4gIJ!t0^^0VwPafkSp4ie?@+9gxH%lb;_*<{?0EWTZe}|am?(qQ>)fr-@y~xxc;`fzB1W4 z+?aUx4~m%aJ9-?TO$-^clWNA8J0%1G>yJ~@)}(EHe8l_0M6;|aji}zVlYfhsPLmZ} zc%DTHtgmdeK~AMnlgsOUq@3ldN&9E#$9w&!_nntT@7K83;1wm;WltrrG_CD$tg{y| zn;(6=mC02hhlpNqq$g;-yh>oYcot=jR?$#4l6?5e@$E58zayz@>bV@Lkl%V#pNYj z&J>oK|AO1~ltQTte;wjja<2D;dXaVXL+>x7uo~Pbx}H;5ctaXhc^g6BHkJK#X3@A! 
zCg>PiroI%O&jyr@I1!26u_`sPgoaVhosOHzFcEyfcYg zOa*Vez=lNe#U(LrV8vWB8Vt+}<>lq0T`5)(dl4#rety7kj8%iR*6S>eQW-b_Z7f%( z-kh@?y_u4lo>9-`s-gWvCPP4c@!)8t5(aY{-y3WQtFvk3zPR?9H+F-ka=AM)&3Oy?^)bci;cq{Z+(y zU)THnzOL)_dOcr{=P#?(kozS3FzfBhh+(cW_VPs*zC#x*ac8bD=bLc-q;;FOLs2`D)Wmf6MEJ5?+qhC?=o2p7EfE>joW~O!}`a)SoCHo9}LVbZ3r7F zfhl_y#ZMhNL?-VCt(ebgUXVM8#rrqsHc<2gHrxH-N^?7C?{YI=gwN4JFdQ{gceg9_ zp6POLG8E)FPo5p+SW$-Hc^j(2X&tMROW4?g$vyEUaG0%f2wTWl!e+=5-2x=6>E7!CXl<^f zVCf1Kt>f7;kq03-5kz9E-`3r#LlrRR;W}pyiil<#jVVRK&1bF;8u7=VwJF>0?yzCc zqMwCogf*yg#g?Idax6NylTi81625CR*Ch{a)k|U^XakMx{hh<~LSLws1A2+6BBeDl z)a2MqeyaU=bEiq}c;&7rK7-hL({lm}c!EBO!?QVg4o z{M63&X6wV%IK_KEeNKCsyvRF3KTANr^sInp=2V|mx|YtZP99P9jQNlHd&vrWpLNqk zwXxSZ>)0M%ry8CKh`vZLPwV3&BavmUCprJ~ck;W7H&F&je6uDvy!sIfKhEq>=8%x& z+drdFHGYzb$mT&dE$!2iyW`~b|7_m)pe}Zl0vZ!5ZQ2@`@6ysTcCR>TV@n2T!M?7) zezB_!#RezxeHRe^T;{HgI^_JKiqbZuIkmF8^g`AG!bU7C*Jutw#=^ z4`>9aVnswm_FW37BOUDROF($AAK$*&%Ik49DKyoF$AA|EG>-eK^IH24s|bd3i#tMJ zZW_LS?^!HyKyVZ?^V*&irEv@}j8_h#$y0iIGZMAHVh8hwY=B3v8+0wT$e=%Ut>FK~ zPxW4%h*ecmxes5ae2Zxx!8&f-zMI#TppCdL&>Vg=v*t8@J-%HlS*%#7K>qtzRVNe7 z{|=OI`Co{l)01_$fT-{Zm`JuC&p1B5S=AkZ&|@WS5)N?om#-Xnc)8hlF{W8uT7jeC zx$JE!!kgq=OC1uH4g!zvv!d_=>35^(jVuO7yPDffP?z>^3U)$#e3eyYVJcjVp$%vZ z`GlwSdw|c3p@GH)-pY6?c<(ovP*6mZwZYSwceXbCpbfJL-#Q9XmAHVzr!n2#4SA0k zMR&(4m*l4l0gR7}i<_N|&6$_vFgxUq-lD-Jsv|ECtarNyVAeD|i_hOkAzayN%@zUVm7AeYK)R(UJ+Z;vetB;X zZi$f-_p9LFfOy`|hI}!6O!;fdZJ{c;BDYN&tW%@+R&2_*eh=Suf;oDyb1ZJ-oj zdYR|UAJbr6ndY!VM##_A19TU1um;~P=@a@gZSDq_C9|dRh^3_^I4sQ1m=tABT-+FK z*tfVy_46?jLM+EFE0j^R&o>;>V-cYHPLm-s%A^gQ1&%b!bg$Ev2mumG2UK=ob%3M% zOBvEZPu|GIrVRLm)Po8R*4Dr&eyRF0tXCp=Jqo^Ui8Rw1GmB<_Zgzqv7ag)d_AGOB znn&a>t2vHXwLQ%3{_ruc?M#!Nl@0;xz&n$R)8iBG^U7j0^a-p0nl?n3I!qvl&p^H_ z-b#P4=8{>54b0k3MPg^$x^_2 zhx4zJ+YGZG>cG9VwG~Kmf&aJEr@&7D_MMi+7?Rk>&M(8>W5E*!#r2O+PZ542IQHFb9UG8$y-I0bkcLc5O|6~c zqrEal)iOQ^z|@6@AF!#?mLD@A>3LgNZMPft%TioV>UgPXglMvqv_+uWh! 
z&y%(3i9Cjku^Bcpo7LS|;>2ULk~wFeLz zVq$a%+jkkl`|mebpKILvLpc)2OnN9WGXtV2tg&eVT1Q5mUkZCR2!w2CG#`qx0gYYe z4M>a3Voxrtuts)Hh#_x`pXwWTA&f?kUG5#~H#$R&fTN`MVn>d-`Wx}o2EBrX&&K3$ zXmp2wH>A2lVZ4wz*Vi%NdkpTy@d6EJTmdvr(b<0-|2HjvqN&O$E9Gn7*7K*Fm$pOwOSe2aG!*dLpUS)ytw%ZuQikDB zVE%1gR4-%894beeq+cf<$)@RFY^>$?cdwI<+yoL9H_Y5AKmUGXQ1H(uvJG56iW#zR zSCEN}F%T#U6hM{M$NJStXK9qWN6bJ8=r8eA(M(hoiX@{GB#$zgGE`o7KgYWla)ZrH z^Iga{zgd(bgq9Nov1S@kIMF4j%X=wSR#FImAUrG)h?bH5VG8LmjE=&PMq(_=o08$? z;9RJD25^v>g&BNoyC@c&Rz8%uN`$RIq)Pq}TS?c8Hqisem>XwC$-hArS>R*hZ!0gn$ALkhwx)4<94>Ddix&TAGu$?#HPkMb?SJ_+C#Jm}XTg?rgEys3zeud_W zXSZq@dx8K-a!vIMW6nU955AOX?f82xwh}b{*1JMdjp)xOnVaipg9&vJ*8V&Fu8$FA z!M+ILq*qxZRmr`PL=1mgw;g>?Hgc>S&ZzB>G96ZM$kw_sLrF-U^On;+#Rj?iL+t3{_02X$vU%*0Z zaV|a;F*kVY_&C`tt2-#Ft%ygEaX99k8FrbhJprOj=L7-N^`uOq9K-Z=Y;lTD5VEh& zF1M#D@bUh3@hzt&>97*C&il``Xv(p)v@tAU$`J7Ek?*5c)3zcSp}Di0`%UQF zw_bNqa?ed(6G)|A95{g&i_cTF)>6oStsKi6f#7LEGx_`WL+P7Q)4V-Vt%)z3tO%GZ zJSUnWcw1%L(3R7xZKzKkMbhL-qRvck7+Zt3AgY2?#BuGdnpi&*8{sg`ERzYOWBOZm zMR9R{^;5Pu;~r!WEy8sjI5Tze@JI70&mUrjC(`W6IDv@U&22jbI`Bo52rs%la@OLV zH&a>X%3%rhNBEOuE&1GmyExd{9~>zc3P2WrVBYwA(}eO6)IgO#D zq0n!rjko+9`~0<{e`dC-;P18GX9VhGl~_OZe$&2T_8$f(Dy4*PYc$j#1w#!2TQ3j1 zl>MWlm8UG85T(7u^K)Fv{bv#v^Ws0PeO&J2%JMy4`6=--9Kl0=q=*Z)>Ka%G)n~`gR%}GqZxwb7d7C9z(yO`y3qmkDNC`Y}Z!T_QguG>+4xIWn!NmJP{BR zlah)K>ZY<-T0&~5wJ5HxuI_8?*Jrt~dS9M-izs1#wkuyt)Ri>Zl7HdDaACLI;+;v> z^wCCB<5>9-&s9U4+|v-@vY$T%fkSJpGq|XC?}$=3-`4?xW(`}Ld@LO;Z9@fGs%6Qc z3#_d^IGGBUR=*0A=sa*!J{J}bwG^{_U~ z`^vs%Sn6eX7NDGmRzh`Zp}rMaM@~$OMJQDFN*S-$@mnk4T)|;Zxt?8eh=?9P$Q3$U z_%jmhf#~gl#@C7qU@tYI(ae@eP=+9sWtSb2e!I;=yS}~sn&?TG+d$8P8D~@N`l{Lt z!55vBU#?motkJ|7*1f#~eIKg_b#y#iCUF;f z^eBT2dM6PWNLT2Bs3m4OiwFIJ6_QU&PKet-){~Sbb+MJ8CIborWPd)DPcwr9FJ6%+*fEAs1*(beP_J|6xH z_7J*~sjOIk=)esT0IKU=R4y}Fq zl8KJ)X05<~izQD$;R*iJ;(R};^{)|2y;lLhPB;aMA0_80LlFFh5HEoA%ZLS{V#To%5a*sCGCNqagYT0`H)XHEpYet@lYp#Qqg$su!A2@81RaopN1YufUa_`GpXD8ukNoA!U zD}E^aB+T1Q>%-aMrTEMI&pfzu?4^p`H^Faq4cJ8Yn_Of`n7(ZW 
zGO#t8elKIBhTs=+>e+DUnlXmXD?jTwN<8IeLL1TKZRib0h>jU%ZiDlxme`>}j#C1I zZe^=#E%v@*0KC{0y5B{?e9JgyNX~#WW8uL&SkvVs2@PoV}du=)V{~l z1o^5SR4j0Rpt_n&2|^MLa(#>=VZi#3^TY`!?F@Xf=I#SMqDlHMYZD&dG?Ap<@}KlT zLz*p^MuOFj5rfmzJlx%PHnxs{`rsI7pZg%Y0!>S9u7LwN??;dT|HY%-vk6ccS!l{d zw}I`6#rHCFAtr`_Wm=6h(ZM-4{Ku4WLc$?t4gtax%I)?GVzVyX` zU0OvYQ|di{x0I#~D1bc6?Yf|-f_ErLYL%t6Lj!uI04i{AH9j&oknJsUCzKDqT>ppj zsw`Dxx$Y4e9W{N^SpELnu$u!uiWS6~jk1n26br~8tpi=Xw z$XbjsasT(Tm}#C3p2ghq<71Z=63my-ByM#)FsWSw>}R1sQNW7}I>#`iMR2p$IR4_l9%oKU|-if!RYu?u~G?$d|2 zudS}`nW32)&;TLWyf&aqHn_JrdDnVdU*hG%vnbA!H((m?d!-+A_6okk)YVBk^Odk% ztK*>ep!9dIXM&ll!g6u_$9-FY&OW@RMyUP_vi-HD+0+pGd|vZq10?#_9+kP} z0jBXDryOpnmb{JMMb1qa&uGup+FNmu_ zDpH}5ShhdYzn=yAQd-FzG;Id`4T3_I17pUAG4tApUTBUP?gTTK#HLi&$<(~o+q;eE zB}bX4NN8pFDOca{U|iTgb*;;|W(XYtUfp@29rVxAFX5%Oj=UnCRVv43+sg9F^L4Xm zpjs&yl!D*7CmR96XQIfv^5)h2c@Uy7q2)8s_SvMgr38+O5zt~d$~@>vASGUXgQ1g@!k{F#VLsmYUaRV`mRcMzF zF!n*aE$yy=U^;l#Pi&y3#zy8j^u+UY#_j9YtF4e*`B#0BN`9ODFvJ3!jqW!YM@znT zw--bgm1%;+`5N*l<{)b>5DHB09k>_1JgN9juZ>8}va}AGrI4567Avt>oW|6a2|Q;Y z_h59j2_cJ92QM|uiP7;reaB2o3l8KBoHh}di3H#A<{PxJ$^1n-==t}*38d3OP?tze z3&8#s zlK;9Sa2aitGM)JT8@1DGBm`BXm;Y4x@;?0wO4l**mtCf%(!jy+7tGD$p?GLFeGH7A z{$xCu#bSp!=r>uDTzGSI@S}mTW;DUSy_tt35=XsLb^`Y$VdQcjM(|Hd$h8TKf}xuLiu+2Qm|WLKJHX zJ8>x!phA?W%kG&<`;rf)OXzANC_RcE!sHETmyll3)3YXra^NA@o-YwS!AH0*J{&&) z@~ZhK-r%Lq6*dnMg5`?8yoZ5lbBNgW2>{FMG5N$P&uPr_|K^ZhuGX^%0+_GkTW5M|xWv^= z8MvQZwkL&hA@3L${U4FxEMnU;NrH{Op2?H{3sr1}QQhTwR&?F*=#*95SvBdD7QO{? 
zu(W^8OjF%s`7z+WQ4x`*gIpXf`NKf@3OCo1DPt)Q;O-KW#C|>P=7yVFet4+-NKQ55 zR6gdki?|>$$`r{-oJ7n(k;<6%x#43NbifN;&WB1)Rk)}+0d5|&KzL5%A1O?KKq>h$ z92+Hw#GxRxIMibJ==m-Fo5p23m^_!Ti|k0qhHGWr;mj_SS7ANmT_km&F*!6C_86X27w~`rF$}1BJhk>x0lkK`?2On`# z0#387|3XGP(n>9@zbX!hv?l7EwrD4wsS0Lt4&OX_=KRpwAiff!7Xj;)qhn)Gi5)J7 z-!TF(f8|~@oOw~CVyY((;&KK2#cI#n7_8LJZi(`HyfVh?Y05P$CVAMnYD(OCaRmSf zA<%uE*(O2&c2+yKe~>WA0Kr?Pzp*a7eo^ozed|{Fs?!+1 zy%j1l&VAA3l`p|we(Ari)HLn-a>nLS(?{n% zA{h8MVI%uDrfUT(LVVRT*Fc`c8Y6A9>@2#c`Iu25;k@zq6a-Xc$eFq;`QW0Zl!`f2 zRD420Odu<(!e^jDH!Iav%OUVGP`Us9{W28=1qJA!I+GTSmEkV0EZv`2OJjF#>uV_D z=jZo-6e0P$il!KEH#I3nHv)8|LIS*FAuGY@t8=+wj0y2*YEQE!?#7+452Cu3l zGV(djG;_4)n>WB?$n9jubJvsz4m))}5}9>pPwSHjkW3@-eE_*rt_u+FcP%W}#BHPB zym=7YlNk>+-x5w##``rrJ9`cE4>8|}A;eYsy#oV$%d$u%;*SvP?dgbN^04dzXz|FG zz4W{`bgi#yuBk1R*QktuI1na2UY1?GRq;ZX&-~7dl?p%!f4Vb;wlczFKV-zN)5rhS z2W*Bo$&@(m=ctUM(T9ojdANwlD09qYj4nJIxM_^zF&!TrJvKqE9^m3vaUt!1`SR=6 z9`D`>C3Wb7^KNlFwiCYyV#IpCP|R(o0gaxTva1~#o4Si=3S(lb8Z+{&)!>?~bfVd5 zHEg6K{}yCz3_Jzg+%{}Qds-sL?NqaUPcKmi%@;_ox8{U78pny5?67MKTc7h zJxC9TyH$9cMIzPmp2y&e|N6tGtw}PXO1Et4FH(*sf#LmRuzA-? zi?vm?m$@N3sm!$G@AVCI}no01n{i3DL$1TcDX=H7E)=u8hlFv+lZX>_5LvjJz zIsXbn?_;4DBLa>A$}2ZqtPnv5L~;d1=lHZO#UC$wO{Jglu#& z^d>J5OB%!c>A;w1%>ul)oFF)3$HiACJ%8YqPZk%jB|P2HUX z5FIJ?u5DKmVqy;RJA&HL?E&4BORm1)u$#+8J7{eH03MAj7yTpoG4`}N!tty`GVy;~ zfy>eISEU3)-|dl|RKsrR9Im*7xCEn^&TQcJ0>KN=mU8MJT+lW&>|H4X-7S=V7sK^B zE?$p)C3YxN`-`nrt0LKvSaPR$kj!u8S~6 zO;@=Hkf}DHGmJ^kfq%%Z?6AJIR5$Hl)IEa3{sm@dHG(-YP^AZ;-G4De55##<;yvJn z%a&~niKukZ01&S{KG0`^N|br9B)YsC~U;+uL$Vq#aR6~ri_eGv}xS9cZ! 
zl50NL&+e}$K=%rVwRF*eH%7Jq+SdihAR!%PBX|Gz+9`1Py_Y}7BbyqeuDQ)@rF8kS zBMD(L9*~{mHZ$ms6};KP*`F>PM1(uN9P4*rPAyAhpLo(r}z`0dOClfgXNN1p?mU-aT^cH}t9WB&7 zv%vnF`P_V>e@UkOUGE6;(JcD#zX6G4{}rbtPX0x@+@BVrV-9&heW#9%_p0v2 zV<0DFz{#}=O+odxt>N5AqRd(DhKJvOi}@j>{_sIa9aMSFVl~aa?py+74RrL2&-&sW#x6Eh9>zZNt4W${BRpg!3GhSt;ZD;(qam0CA}UWKYPeqAL#S%;0TBnIH|+I4Uz}NSkK*B{8kyt@q3p( zbALJ&VNHxb<+iT&?<-?P`3k0}uusTwNJ>gZeTY@sj`7YC0Kl5oF|sWt%Bi&I7+qOd z{0$Y-%@RMQMTREFP+2{1cxQ+B>1cUxm{X5@TIG(bV{0&_|D8nSbk$rRDRZ$%oJz&}j7plhPIHF)y2sqS zNlz8p2j1+jaFlS*cyCQMOROBKwl0?$pQeR=+;wQRkRg)YlYJp`D6p7Uzetn%8ohjh zFnJZe21_RPv{Q{%$ZCyH&yx8+`HZ&P{G;h}#UuPAIg4E`I9HN#%wB%RGOX3rZ&?_b zR{{JjR#A8;*Xdqk%1`5mdioj!-+HT|-ab;_+s5IqzqhX)a>V8pQLEl9EaE1CME`v6 ztOq4KPB^?YwSHc5!7CRkQfc~Q4@F6>F-N8P?~{>x{QkL@ZM{*Jn3~MRqJwCpfkL6? z+6U;!7rZ4Lpl^6mF(fH5Guaqp+)(@?pMeo~@1kbO%kqf-O=3gNl)dK|(ZV_Z_7 zmc;wD;OmU<1I3y)s-z&1?DX`@Z)XSjmrXyESxN1GOH5K1>jXn%THN8NU>?eVb?v(N9^ zOf1&u!@Xz0Zb2QYP^}k%7tkopO}}exYNq+)*RN@j{xax2|HZv|RuLmbyLi`sah%s| zS~f(q>iaeBtMBUE;~P&Zs%s{x+a=!r|G^Wj?91i=J8|;jlN}aHzhY9Mz3tplETld2 z$~!n%0=}%SYurO^x#FLAXo~@kvIKZwURVpC_2V=RAnjNVVQZ^8Mta*DELI1Ly@ZRh zKIVZ^k6(6feRB1EN_nAIG)^xoV|X25eu53I>P~R;lxuKN>)TNYo(jXcM*Y!M*U;Ao zcw_FbIH?K6rjmaAI0QYdvW@BLP&@nXxmNvWUd*U<7IuO$ElsVqw);0%hC&3aSY_Xa zXFqwQ9Rz*tPZxxIUqnO~Dpw6W}qEJz|*fq7WM zYyZkaTjWoniuNHXd-wJi&mTv?q0@Sj;^VL+&HRjNhI1w(+bDHm0lr?A>meEZg?uG}nX zjoDejZD%$y*?O%p_`{sYXv-^Y__8COiTVCV<&t#L&fZFBv?CR@DQ)!F)Sr<;h9u$I z*>szI*%f_$KJQRf3B@NyZ%*ez+5QFncP(E&>g%k9TPB+GS6Y|D@7wei%? 
z8F5o3F)EZ*)=7#<&3%Ms#e^WW|45vv2mgm5eCx0wKMz#3&&%CSM)nsE-*dE)NWH=V zfCL<+#Kmk4dwGvuqC~~7paveSpj%D&5M(VxSgd>UfqIKR<=2R(wB_PJCttq0r1ta` zw!@k4T3F$21mV+rB=7cHe<*XM80zSaFz8jsyzJji=z1L)e0TJRiGiNB)uS6==vPyd zBhW>)w-B9!12l#zU)4DGRzS;RP}fR*W(J8w!1ePB^e(;#I z%BK*>{`mgZt$#<) z%wMvIP;BgT3!#o%^CE3Z41_!*eJ9UNss93w@(O`?5JC~;a(aGH8Y+LIby9=ZkY{1y zucs5BdBS%VeZZHs5r!|rdQVvc1@6#&WSu00JZYytctJ&X@actvfzr$4ijbGhiFA3b z(@Z5Ax<-04Gc!7sv7RBn7vdLGH`C4tzV-k;8$%T8u{dmR@#V8J2Lml*a&p!1oD|$+Adx=p z^XJsmosA8$P~=A(hugV3YKh8O{0^<1P1s>))H0+k9zkSg<)pmAi9-M)nV?|;0dmG}s~Snubu~MHS_StLxg$>WibY-5kwGjSsyOlCm zTk1q*o*2b5tQUA(F-ot!7L*%~vQ|Pjyz?zS^LWgKZs$~vi7Ik?Wf0e_9KSak;M4*x zU$zxVNp_d=nYRHWs>QTaHe>$oJ6UcH#3&nC_*e1=Mvo~Po+VQ~G%e_!clozb2iZ70 z&x|3^Qid(^B*Z4Q>$S37zsh_~I&HZNXXew?~aUN}S#im#&ODLoHjK>s&SotsZZHzx4D$EBd0g(Z2%A zPx>+CVi?#-7fPHC-NPXsg3H?~_f?^6F~6@+;(8m)p{()9UhPioLENI=Zq_C;}Q7Gwmgs0@UXV zs~za4-?npLD)--sWGkzn3go$|D^BSH;{CcGKhy-tvBu5oA#XZ|+4mW`XJhv2D!_faun;01^Cu{L~frDR8uz_7YB-nVntypHIS{R=NNE z7sJQ0Em4)`SK5WQ|DO>k+)%S36>1H6Mbf%fK#=r5W5}B-@E;1*{kpI=87K?jvX73-#aV$Q5mNSIeKf`LoGI`BU zSJzLRJ`LJOG7F#yJ(_>OdSx$=^TqSZ>XlJf&wP1fi?<_ho<=9AeVp!j)Y?`|EtGgl zq=M?-{_hkOfO44yV{r7Gwi?g|(ktN6J-3T}2C_svbzQ~bR$rXCf*7NDNx9+XTye{H z-?62#B1ZjDX+8V3=eUBfHR+wRa(vWJ0O$hUo~EPoD}q?T!;SHnySf)b(?eC?SS#PJFvU%ktr%RYca?1$AWV!ISV~Y8%wqr}>@* zegPR+9IV@E2|~-gDk}=NK)HO{vVga zs_0yq+-M9Z&7~bQFvHBuFy#b@0CpMhA6COJ_F^bNSY+L<=d7ga4B|t?X{Q0Dbeh_!bF91^cqk7YR{2@xtB9deYds}i|zq+sgq`5q|6*0r8S+M~5 zEuCg`cLuT-J+3)5HB|!z0+M9#-Xhq`LzZ9(eNZ|%)#e0V@gUhomc5Eo4w3h@k~j{7 zR8p_9hc*E1$@#Q5pSSib!S`g&=Sa)9qu$}mo9TMZzw>`XJuAXYOMinF<+3t;E-Jg( zOUByGrz}3d%c>4Q>I|GWfGvT6o`HeRuN(Sy&-0^V(4{=E3o@M*bMG&*NbE4?Wkg9m z=DL~A6|W9j*-V-E&2eeTGg9>jR+C6tO-tc)WrU;X7l(s`AT~Xt0he(7m-jltcS*3h zawk1BcA<{q)D|Q^0mW9jyCDoCEqS@u_Gj`BO@%S0=j+#dw2p~<<~U7((B0Wu5Hq`Y ztZjpqlTf*`(n`M|bBtyqUNCgO6AXTwa=h4lTi9GYh9G#urbnV|!saofa8kUX_xacQ zvqP5aiL~pnmuH`rBsBEh`dhry8#Uzfw4KMd0WKYi7Yj#qMi^gRZaqC-;Wyq63) zbSlpH&#CB`1z-6|G;TX4#_y~idbpF*ogQ!Q>Wz)r&D2zunlzKs4%!GqK_s!0Der`m 
zgNM?R4{+4g*VaZJB||2-$V+iD9@CWp)QEE><#yean`kUCO4b}hSgGI3LQqgx1U|J3 zzWi^u{*r8v<+^t0&i5jPP@$KtAX)4w)9!uB14%>_MN0337Tq7Zg%!3wz2F07#qX$Q zQpjLMQAg$iumpZUquZXwM4YMnK6B*9rd)eV?vk>fNjxNeW6$ zk6Yf9H2$PX8}kg7K>w~Pt17QO25f_IVH**tf72E}bhs^O$rD}Rlwg4@fIbR=vd3Tm zF@(&|toWv|(19+@)Zi3n7P*=4%IfNTo6`X215zx5pjWtVRMZEGJSbqpe(@Nm*HK8b zAoVv1qu>Iz=l;djmR}2m{7+9|kK3HjTPHJYzU&@rgI}M)a|Pa{fSTrQM<|Pt;V*Dp z0>;9$2LYSAhzLxC=UU1`++lg)gqLrAIwl^CXc}2gJ!;U8^wz4lf>Fe0aUFV>ZUTv$5c-%2&!= za_#iuNCMbM5b^j?gc1I&f0+93VO>bd4-LZL=G*mi<0CGcqdk_X9w$SplFanX6D1Sb z{0}~&_e=LvQr=w}M=B(Rv`a9b#;Qt0Uek7j4p@1eC>gnqZ;PfB%>5ZnU?v@D-OcY-1>xn!C@Uje#b^3Y<3Q<-d4^r zB_;j)2K$SuXXI~hfV3oM18#GbPB%8uwfl|uW=j;K$3l6^ctlaE$~Nz8pJkKBDW)iM z=&P*#F!~FMifwwJn=#R{KJcDyO3_6NuxdD;_NiBJOZPv)oro*#${qRhIdSUYa{r)`)U;%u3_Z_ZA2E?GHO%kL@9kv(oT%5nTxNAeG_c(O79)b(af*O{hLQ7c zy!NrJ`}8y3rv4FOeH+zj#sWOdepbCR!HN|GOUks+6Dq zkbe|S5gW_Ez`zfDx-{76oF6k9T^~4EtSXj$t{eLBd1%}5%}-sMA_`&i|59tZSAK+( zG_-@pf^6$9VkwSsWr>IT@a!(zdhwwzP(AZzmM>uB~6O_d?&GDzwGq`5eS!#@vsgRpLE^w0Oh%eGP-yIo2D z$CQNWq?CSiH2wllS2$Zvjggsgc~vQ|=i|0fs4VZz?X*Gm94_XcE~*0FUFg}R&vF2D z_zI}?di|?)v$U{Gc+|yT$;}+Cs-iMkpjoNU6Z^1iYod-<>Xa&W!&aOcc!HQ{0FzSA z+?<@#K%&rXJ2#JV{G3vd*?dBjl2S!n+qLo$YW`;NvAJZLn~hyxch5d}cmV<}4lCvf zC{-u*%nP*2rkWy0(U~?p4`aKktKNgCI8ZUZaFF%+aP8kgRWe1;gAaKkK0MXcZiDYP zBX;9iLIfaY+W#f(q}|&Rk`Vfs=m?0@;nyRTj+0{f#`=}8i~fGJ$Fac2;NnAEY7StK zvPc7KC4KbgrocYWJhX6rG}X`WK$BHP8VucjF#KWd+diS+?*5lRRb zm19<^AM^*NMJcF8H|v?fnSf9PR6r+Be|Bcb0>R%N9MDZC_*K`tktp;%S-AX$Gj$Ty z^VRa3T973ql-tuPw>Wu(Sq@GM32OGfDx@2%sv8}d!aoN?CS5HvGs~Lxdhm|--DMHy z-q`>6@tpr&j)^|Uy32t0+yAtnxY(%n?;bz^oPzS8J*y=qPig3F{zJvDirg`jgdV{& z*V9_5^`581p!s+wFDGr^qn17r4|;ls;bUdbT(50D>c~S}xA5DKp?MciIr387{FS-K zw1E?Pnw!&2SVp$QEl|QrNHv8~5jIM$7ijm5H->}kLS-{J6Z)QgEh}%@@LoIxuepB@(=gxP&;b2&H<*kg(36DX4blH6r6}3fXPNvp z(wF^!#cQ{|4W*$UC;mR1w?tY9l-p;4L4vlnwjAUflNCKvd4;>!=FY|^^rXD1%3m|W zkhuuhTHLh!%tp4G5iq5JcA+g5uJZ2{6~#=b=~0(ou8;iYHb<<7-_s5*ktxFL#entE zeDUnh!oEIUu>6Ifnt^3jb#)T&SR->VgsrRXSM9td&KWI#IITL0`y!BJY*@{Oikj{t 
z$g<_Aagk}%Tz4ulM?WpzWn^YxVx;{8crV=#=KptMl9dJQDnZWH);E4cuO;p=K+bdi z=f+9i_vmh+(KappoDhi(s%k)gP+b3Sc1cy-V{`QRS6Pq^;o#uV8q?e_LK_s%)Lj5M zdo2-&`j8}PUI%&hoPk8+V{U^0thltv!0>+QW_?L(&)3XHU;gznw0RI&louXkvzZS! zR}#^SkZ%UOs>X9k4ip6Uu(Ck2@R@--BJ-YwlTN7|io1Fn#cdSy^?5uC%!SY7Pf$K4FCiUmXjv1UG#Vw?%zdBEVw4~VlI~of6k>maN=!&#r42J#N=E)> z&zO;mC?hb)Ze}+NXl@R+n1ExO_FhA;aTH^1?B2a`){XnSw_Nl^SzOfVoF9x2H=Mzj z_2io6e{LQ>mxp64ZwV{y;d=?iubmstz|zpy{_2VsG%Kn~o@;;A;P}{4IskC~S%@^= z<&GFHY_y00_LGW~bhpwM?C2AB2729f$QB&)N zLlIW5TbtG~1V)m#=<{5PtS*p`(0yx8mC4%NTn2y$e=hrio19t+>#Mp4{Z4sWk40GP zM*@c-?4pF@@^a1gie#8gZ3vDmR20%O-63}wIc5axz;(qFr6W?i%<+SR@$gA%rhfrM z%ILpJ&I3uUf-K#o@d?EjYvCut-}s_+Xyn zi!x*3BUO?@E}^{1lC+4jZ;PM|U2{J9@KB4nGkXwjj)%g*CqY_GAq!i+H2me2UkFgJ z781;s*6#OJ^;&87%7a*9oJGHCjxngyL@Ib7z6}M*8s=<*Oo4^USuW9kA52)lrkZ{) z)$uVRHItS!Rza~Sz1(F0CrFQv==F0Tw_uw%G>xHV$!!bX^qU=n_-vmWgz)sW=Jwa)o`fOgiW2=M@pHN0_vsooMD zNHOcRRGyfaXd}E$R-d!yb!y)x(fjWD z8EWtaQ%RDG4N+0H7+^BqKtA!5r=lG_{&m0g7wtho^e|R3w3Yl>seQ)on6|L_vpkIy zazv(lvUFd0c_p8?xIfbe-ZcJBKJynD#_xHy3NdBiOu0sgdr>5j7$U-4HqslTyZKL- zvY_Wv7o#br=C4i%dwDw?=>4NV?4w^F0*}n_AbNzwK&IFZoqC`_l>th86Y!5F(59CZ zmzj6(Ootdydj0`9A`ufz#=c_vA2Y^_uff9AMq9fmV$fj+ZM83spBryq9q(mZc_@b2STA~U2pwK&yy zNt^WSYJ^2aQ6Y10DxR9Xpe<`e7rI6bmt8Z&{OhYUWda}W@ao_!72x3}fdkwE&_A`( zeT;;fAWN0GdK#lAlIwm@?4}YUQWs)$KZHULpV;UDCxZQdFUb-7<&JDxCfhc4E~h74 zNx#!GAHj88M_&D3jJq@_g!q@|@B zL`qt^LAv40wHA9n&-=aSJHNC4lD+PG-gAyQ=7?*K(6m6aue&4;kcyI+bN)>=+wq4r zpkp>L#HQRSEAC+Co%h}FA^slNu1DuXdGB;ARkP#!r_tSy!cejD3VEnGI}QqJA@V(F zo7}{>v?7C4u*;EHQa()Q-x>p;~b) ztQu#Zic3RU%u5m!Vj;z=gu|7sFiuq{uS;@Bly*xn4Jn4N^L(Ht;~})+9Oqcl+~4G} z-s*z~5du-4cwISGH-7r|!z@Q-3REG?e;eo(3LIMTA3Q3Lgub7dlQ&OrVpWBH|MrZ9 z!q-8F6#Hto=$xTph4IasBmu%3pfkeY)*Gs-8|Vk(72{m0`D!v~H(Ai5@e6-HZpt`h zi`o(JUS)K`ma=+45U0uMIe+Tq|LhON`MAgeLCWo4c`+H2CK&^teca-SN?NgHKKq3z zOu!?78a0B$#+}?1Rfhx_)=tUwdApMX5lbPD^l`taZlAv#_B&2G&nN}u;PP~@FghnT zYp`pC5)?KBDAR4J$}wa`|8g15VQbjLW}F&6Kbo1v{AVF8#>F`Hx^DcWSAQ!n+2AXw zpu~q(4GI=(_888TPi%&{8_nE6w1}XYl-yz&|_vs 
zpaz<8>^8RSnqj%K88F%>3wt-yVKuj(36e{rgh>eCM{Xi#^3GE9ucG0(Q{it0$>D&{ z%gZPK8N*~ZlVsGbqS9}Z#~1prF9F3iUB!U>IMSmHX5efjCn{gK!Xz;EYS~MSYwE>D)4;u2`}Ej$9gS0pvF^UIG8y*GrxRh#n?vp!3$Il(;|ZX1dBrjBIR)(eZ@gJDATCNhzI(Lv0QZ( z?a23o&grP_c8f&pfr005f?UC4ydbLfwbWRdmc6$FnGlO0=oNKIa{h}06QqpsTe_lFo zSN`4jU|=L;)}ekv#7?CfHwB6{p<*J|1w%LLP-71}DRmKv@tF;^85R=H0fz<+9}qM7 z`J~b^@O`3Xs9F6GQ)7soD?CIGxfyt?XIMCJW94fF7(}zLU506g;&PT^x76i)2j}WA z!g6uV$U2^ASbW{Ghpn*PL`&;qn&p9NEU}*V<`mb&$o|j;xq9XS=TdS(ZcVNz!O;Qvue-;!sg0MHFV220xcdKKPEe9h;*Hj>OEE6~EL9NKx$rTn%LKP`7LIO) zX--;j>RqiYMNDz=PYw<6Z!oOl^pFt*va#u)eys)mGmg5zg`|)pm1S!eRWf zkZ1aW9#7GCJxPCkn?eS#Zla>RMd}zpW(rP71FiL~vehOAAV&Ab1aYJO4heHsy`qlp zbY~A!ddCuPIk`=3#O7?}$Y}URNpT(c{Tw&uvUXMrl(o8!!v^F(k>Ds;M_)MT=d8BF>;C-e$}O;tj%drhnwW z2WcL(_UkHnN6rklugFjEU*tBtBE6@L!%7$~gYHyC+SEZTp4tlka(=#-k)xx51AU4a zR+aOS-OZ4m<)1&)zCx1v8*bickn;Kj!LiDHESi^D<#a-D7hoUC4wb_;sS<*BtbI;{ zJ9sto(eqnwHsHPNwXX%e0g|S^X>Cu|lR?{et4NJI za-#JMeJo!(2Bj3}aXn_lU)i$Z`c#P_opBIi1NQkLdQ~!?;K#RgL64(0{yY>KUPr$h zIK`yLf+;RXZA7>`RPmzTTg^f!-11v$1a_TzZg&=FCTX^lo`3%97Vm{$yh2+GY<~VB zRWp?qp<}ZvsQs2PU?H6L5So1##HPC6vQ^Ae7ccNWVLf&oA08W%4Vk=U-O*9vQq#$s z90)>dbKXE6euZ?inHU#^h&QG#*`;dcxouoMj#}x^piI7Wea&ehgmOYDllx*!VW~?G zvB%*Z9mF8xh%vs`&Tiap=JfF$@g>I$N31dL%SRX?F;>H(Yzv~BWikCESk6~nLSVTe zVi+&2F#t(_4t^-(QsXhb#5fN&S zJ zOyBb2@pl@TehQA%3oV?cFG_(AQd|Vdy%q-Ak1Law$}V0N)%j4}kMNma?~hbgSi(Hn z?CoW-^NC;-i0_5S{N(nz84Ts&FJow7`h~xpr_o`i?en&yiY~4H?Eh%%9f5=M4np!{ zax+8imzy&u`Q4#$mts`W`)4=jzZQHIJlKeD%hmS68hCOSeRSjee6)V2w{ul1Os(2b zXL*JaEdYLlT2oPdcpR-P{^2~s>4tF!UmHx{<1!y~*|nkp@f-u}GG9RBQVPG_Jm3vK z1<&}$aV&t8(Q}Q4LiK!*!Fj@i7C@Ppqe9Q9(-SFt*y7aR@Pmb)z@mISVT_M(H(&p% zS}Ok)=$VN+z@M#ZY3gw>D@~Dwcoq7uj5>va-kSn5SHk+j1fMw*SGze_YX6qo zd#_KVoGRt_wl#>}M;*YxFJ0^!ww^g_oLTH%z8Nd$vbwvttbaVt({N!M*!T@J=0uy5 z`C7=xA`A)}MhdmY_urPw-UTW18hY-AX0u;Z3&zGN;Xy5UjAnzAbFpb>t@?9dq+l^N zE|=9RFw~)2gZT!#ovmFNr*kOf+Jh2hcgj9=M6+|_e4KO0+q317-hN4=o#A|(y+x;Y zqw9*MB?Z{JdWbIM#%F*34S?M@*(4Suj}*aEx74W#4IMPx-dr89DEs)_iW8%Cwz8>r 
zk)1r3MD_`QYv56?puKvcgb+YlUZ~&+o_A1rpCr%ic|>=rX*lux&Hq+iBFHNEYpu@a z5$$XR-l1Z#~LEjDWFI>HX12pm7RVjz7t0UxhNU)B%tX$0L zri3CsFK%s4RC#Zq9gXto9Q)L}KOUHx0CyR;LN+Lf?GF4qkuj(sbi)7HkJ&?ugMue$ zA)JKa{3(5#&Rs9%Bp)g}`~M%!y#2SxrH4wKkCgbMeK(5fj(7QJ2(el+b_(&uYs$+P z>-|BKg$H<{ckhBG;Q8HTei;JnP^- zvGvoX0zbxZvKCX;1t9yP-C#wDsaNY1hJA$ji1E& z1Z4wR9!ey{KEmAC0U$M)xf~)ib7F3`Q89n`=T!JP=qfJ#Bq@QgVP+yOjRP5l`2zMI z(33rKcxu_>HrEeWQpLduFvllJ2OKmXKXBVVs{ddR-K2e#i6folp>&Y-2ON?-^LqiW%$F*|MMg1cZJ96Xa!n`AhLT zKEBzicC4-^7neqPpNF{)ex&st9E_cu#9%cj9K;AP!e&v@|psy)BACUGVCi^nF`8QfyE^ zuBXzSKfyvFpQ?uWrcsy#v+bs;V1R|dfQ7TItxJSahjDN~HV8I*ogW!X_qO68v{gNh zsX)&`ob%2JwTN^~luVW*kqc=H5fxFSjzW$)%Q!7DmF4S=bx9O9ll*2rw2aLx)hE%G zmi}NUNwG#%vd2-HN?P2nM}XDv7P6{)xbryndE6^ZBbkI4BbmAPQN3op^75s71yf)e z?_-QQ_&+l0z`Ga|f?IbJDJ)s7!`EVTw(ActK-;>xp6B#<_r+D?d}={=yay?m;=h1- zPq{^a86C%1=E-B7aYN=%brnl!?^}p2b5gJQ$xYGZ2fw5JpzPJ(mo;T`Ra=dsz_B>- zW{w6T-yEyd($d#3Jt4H}L2tBDZYPXu;epPwqqje0A6iGr@)E&n)M~ptgJcM(^xdCb zN>u;szBwv~amR_79fvZfGHo<79tJ$RXnAkd`5nvs7NQ$khl>eBwoa7^bcxi_eK3eM zJ)VKgJ4hJEosx~PPI)r20wLv(77F|+G~y$`>Jf)8)NJop%YuoyIh{UjM4$p~VAcmP z#ov@#{MfR|Tyeciv$KY`gnpfCc4n>enlQB*JxNj8yB)wwMcGYGNSYy?NWn5@6M>~A zUaYB*-B$~-%mRUrN5ReYNeZ;g11|_7V=vPol@nkqPuLr=2Qj2GgKviGQT5>}fhr5o zSE&iJ-7Rdh2WOxnq(0?uQM4$BvS;&NVI08|ix{B+rB2RCZN_aBXc8IE0k6|t{U-d- zW_I5ky{LWu=wv1RYr7IJ=?y@HdqfzaP)V@V(xCoj7cap*OlPVIV_MR%rYP{MJsO6% zDw=FE6DVUmXqelsP9YGb$%uzBV0*yu1J-yS1h!K5;WipLn0qCaY#7s}%Af{_vYP}O z6%#%N8x`)rTUJ%fCT(sNktD$$JRORq<Y|3juJiLIfM@CpkGj`QtIa^lIO zcVbbjxKMC&`%2n8U*{L%_S=F}yN8~OIC$>wUAF~CqR2rXOV30g+;D-;sEn zvh|Zhn=7k*mD81|Ts!4fh?;exN7-}ccqf6)!NG!X5v)7s#N~;09nxxhBP8|;iu%N4 zWb@t2#Gp{V+4z5}wyN?083|1WXLh!%08m_*cCOQ%--T10_`Ot$(y}Z6B15*AhkM*T zcp`6 z->%#1``OX4us{v=;uCsMX4G{34e-pmb-vKWE%t=>fS`i-OiNC0AyJP$K!P7X7fg6h zgUer+?jl}&aEe{0xBa@Ng}q9r;LNLF+DBpz)yoNfL1`C~}U zy1lHQ9z^lsVILh-n#ru6YHQf1=`t^O_dbYheOL9hKF~;J8Wv{4j;rkKTwx=V)}A?R z#V>GAuTq-&L4LXRWq2SklfhM^E;Q2`uJ4#LllUJFdxLwG>C|aV$I$@?LPN3dl?`bu zJncEapxKi01qKFH)Z0fTT3sbK%sWgN9!0c9f<)EP{Nc|BAm@xKMkdkY4J%farA}I! 
z{bpB(1utXNTacoB!Y+!2O5yw0KRw@i$!OAr^M5Hj5PsO7CE%=Gwt{&{`2;jzd(M!6 zEk)%iuCdORrBR>`IXO6~z3HzqIC(3`7F@Gsfe6xW#rx0@NwMe3$~gM8X#Rgd1l-EO zDSYM@oNNDE^*!8iha|236oqNCQ)4A4Y1IXsMWvAqCZ1OGpd%F*ss zF}A{LA$uO->TcACFAITspI-|!>kq^2cNX{hWFv-d=Ba&wb^l5L%~Z#{XDzh2;iCb0 zZ_S+qydL|#f1fIW^>=2ObYy5Ub}j8%g&(5P)dJvbfH_&IeQLt3{vc)h@Ab0@Y7Agj z)-vfTngF7cW=BjAD1g(sk>#1ot)r7&k7a6UD}QH(*naaTAqyZwmVk3Slkfw8!ZvSO zcAKa9?oMrAfjb%`(Q`k%g~Vc*awjbkypqurf43Vp9+(UIk1pHBa> zYcB-TNoy88a_DiyZ3O+ig|Bv@A|6X)Ec(eWn&?38H7`DV()cj{`s2Yg!IPmEQ&R+s zLGAx}2h(IMQs`1b8A=u3$NZl+nDsnXTSJS4evQt(%r%dHNS-H2iV5amK>)IGcVk1z zi3tf8x|dV_`-i&2uBP)Q1L&w)$}1&z05URy`DVPTJvp@=0foe;(8!ArbTc z1Ap+Xu|L>6;P8PMt`HX=yZUmSu?MK4x~N72Ddc?f%Xbz-A1nl3AOZNo{(NP1-=6g!)1n1@ZZ~3MVPs^8 zl>^=ms%T8{$B%@n+3Duq@DCYrv-I}#S(R)5^P3_lqsgBV!2*7~Z`wmUc-#`CH`5sp zKK_>7tklxPdB^~+vA~zGN;VqPMU6EGfP@R6>_So+MACUD0C<2tkg*2ScLSboV-2=E zfKt0{)mf@}HX(rz`K6ujuY}X=U42uLU#ewvPLcxO@H`hz>z@6j;{%`ELo8HRP-sA^ z0?g$gNG!d#H~hrIbAb{NjwwpUy}23~!rY%&Ig!j&bGIz3ezw?Qy9k~q3?z)M5Ebw}%PvME3=bG94ILIMEd9Hma$ z1##f50ZwpWDBq5J(<)%kb2f2~L5{@DW8+RnLb3b~{(NvjL9bCUuQ1y+)j`dSF$FWn zU0fucf4jN;THViHwM5SMH7{wg=Em+K(esZ5cTe7EB=( zIJc8G^aFcj)n6MG;A(JwVNzj;W!zwLJw~iLge%Jf&Q9=s{ldyod72aL2dC!`K@})@ zm)w2SVhZ4TG+x60pAj1q6C;qFVDEgsvEmG65PqOUGot8`&$$ikZTO=-#`y$G!D0~P z^uI+G=z-imK+m`8p8%RKTJ~mjYpUM=hOrwD@(GYmRam%{no5pbQSrxKsm$Wa$}}XY zfcvCfP~m6r2KguGqQptO`R5NM@?8*?-TCNU`s{=2ceM&s|0kKnq8x0zlacR&gcE4% z+;Iyv^4$#^`(?+f&b%k!T?r_HVG?OTy5LvMC9_pSG_crm>bciY;Ne8siAe$GkmpZf zPf`SSdA>bZy*AjDl2!$t5*ol%bn)G6*R;rp@D{cg#gfGt0z&6=rW%7*kNn;qB2!A+ zK*nTj4^sn4_1nfBlGWr0>d|-8zC8^5a^)%E2m!;A_ILu2fEJ?(N|L08DfU7wZm)YQkSZ9Ag)WrrCnWeX@KVFyV$Hf8 zk_@umT71Aw7#rg)l`T{@g^7aD%OJVS4T;>tOU@ID|38Oa^f6vif3C&+|i)CMhkLNUC%%q zWm3K1^&T_la^M3;5(rN~zB$*bfW|+hLKTT%9Bd@nmsizi{vrEBxkE7dhBBNVSqVYZ z+a6MbJixl+=2}63Pai`4_AD5onRt7`ZI(2Aa{$fW)ET?HzLQJ<3lXruV8{IW4-`6*hTUgs5tEVT9h#g zsTSV1+9W2W#mi;GiIFJ=-yz;0(^3$VUQ=20&mmT49^#)#Snu9`Z*Z zCQB1~hK6X6`&T^S77g$vgqUpc`Du|gLUHxio^2=i?9IsFM`PXoe0#lR%%etVQ5`gl 
zW%6!WYFl#bL6&M>9Qo&iPkzez$rT5adfII*1Y5VjWm|-`(5Ogt82rgxTal~-&YY8j zA29sr)lU++((rF-CEr3qgdaG!Ybl`g(FF+OhTw~kL*$jpmgOC6k( zZ*0phLhUcNb8Y={4md+}ltCudH=dHk_=>)rOY(XL3er)}j?i#E+jUV>GWb95eYaSD zf`{=IlH^C&6nH6A;5a_wG+ryZZixj3D@z4wIyT%+TCPHLS6;+U;5XgP^)in@u*ks* zieH|@PHF2}?2r(Xl8qO;UJPJWFdPymy-_FK1K;sObHqJj@yG4;;^Fp7udV2LZTJ*( zZG}F6O>*n;o)xB~;9j~}*xr)dZFi{9i+-LO$7{RJXFL4~Oy2u9A-IT3QgkXk(`TEG zn;CpFSdlt!rJvhNf>@+}c>9e34)}=;8Y^@5Fq6t3+(B?qPf4pFn@e7%ct3K}X-h4Q z994_pz`rOQK*hO-L-HPu)gr7H#an^m;Ii@Gb1B4#lxV=>0RQDy#v_lY`v2lF5S;ce zk7cX!aRRUaJ>a`YP_}AV8cm-t0(#E`*O%QOKNl7yo6DrNiP8L;P|%-njQ5JjhJ zxqDs5Zi$D9vo1CMp6Q&)YyOQoAtB;$d=9yAsdSZHdr}4F_#NJ<_?%o2Q;vG!Tc9o; zpQTR1^NG zTKPLR9E7Mw2=nC>2j2Zd9edwxFA-Sh;&}!%d}bL+hdWj017Hq=j>~kzHPi9ipa3AT z3xCSQYD|6%#^S6NH`Z#&1WSLJ8E7K=Nu5F9-ko}dWH+!nlA^j0!jc5LqsRBL?idZY zYd|%I3JREx?!h1vA?=Ht&aP|x`^@q3IVzk^r0i+^0u`0!potDx->nca@b~{imcv9w80}IxU`^F-H{(0X~ebIo$u_Qr~0V^R!=-H_bN0y6EL4KvO zk~G73(EqG-pv?qgcw^+Uneq=lNq3S-@Di$Zm~#F-n*&AI_0BsZ8-RaimGnE0`Q|KZ zQ;>tbp9r`R`4=pINC*87HZDiq>wLtzkYigne78cn*)U9Ea%!qKK5P#g>!eFwxGni3o)0zYWTs#%FP%>|?Id-O5h8T)Df&oiL_F z4ELj+_rnjiM;JnD3>kAL(9+UbB0MorkmGL$+C8|}gfMf8ML_Z>xKOtGQr?b%@R~>u zr%c#iukM;6&-rV9vH^>IcEtI`&K)GezHPp&?PYNXC@9Gv>pS3@X$(~72il)Wuc&?V zbw5kl;ZH0u9q6+k+iv_DPJ0DH?%|YZb8r?1(MroY-kdb>cR}SKTUylcCkk#_IA=~04iA5!iq#MOQKgmfa>ZvYSi z*wIM06qJNSzWueR@Qd17BiLW0Fw`D3aXbM%1FvBFWaf;@kfCJ@Wvk^NJqbl6IEyn4_-y;S7?G6gUQ2@SbLK_|J z{;ATxqMs@=^G={YQr?4mR*>ycoDaRWXLGVaC+@ASYcE1HZtAwkA*dVyEK9A5j|V9! 
zJ{K3rm6ukRWDHteo42UX&3s&5W~+iYv1>vMSJOs!hlU_1QLb5_{x5}jg%Pfk7h13w z$i>{-;}nEjXmK*swT7>9?*b|T2No&?uDMrVvw_tfApHK?XKd7f2nfGlJA*L^ypih6 zV9K3v{g4Rm<%{)Pw4PXERh2`-HAJA~e0703JMz{~l z+-1U!q>Lf9Eej((9>za(ieFkL0B8Yn-zmGLu=0LcAT8HBYzx4fP|sgPnx&;dc*n4RB>mGB>%m;2tmdqjvURG^mGlHxqQylT8W;lH+Hz?pZB z96OW>*s=ebwMw}h#Mq#+9#ZLpbOj95Kp@Yq`Oh>VHwgwO+U(H@s2Cs=6APz}0qeJ# z8hL~*PltzLYirBIsEc%~6Oe=sg@6+Y2ra3hq4A^}aQ0_9@<^Q?TK;&&`#9JD0=wTL z#F&#EEVpdcaRnw4n5-?(8x z$iKcb>Hrmvuv@T_Oj-UVvuIo$Ys2;FMSYHd05Y@@5CAC;T$rGx9+Y!c{kLhG|B@j# z;(Y{ite&M1MQYs0@JJ-v^^A;|6>EZ8sz{$EA!Tz@mzjr;s}*^)52sR``4RUZ2YX^xvPi%F*Wh5vI98$MPONGy&;>Dd(w`d`!^UxW;#|EY0kS!HpW+ zUjUrZAVYTrKcP3YxRDqN0d05A-7_$OjnLLIPUUt4C7YXsD-v12p4@-=F1=C623~??I zR4xrOk_q4?Le7NIjN_X5N>`adJ9vz1oUV!dJJLrq*4F-Sk3W#m(au-zp99!f{q(vB6zI| z$E&`72gsUfX+r9rJW!u3@;Nk~eJsGrsb?(Zfy^VdZw}3pR0R_G45*6QWPD`=e-_8A z1%^;G8=+$+8BPdH*@$~88v%I(j4uh4SN#{l`xplpbs5y>0sJ&~1C9sH%^7hgd1@jx zgV~r3sFJd^x`|XO38ql3+)*4XETmNFSzG%8F3OR1V}11(^}J9iscV&DrW4<}NM#}e zYzKZD?j%sV27b{Bm`oyJ6ON`RDmX|Y(3HbN^?H?$iT^=U?BHlhBAlTG-4TqUGPgsB zIKxKzz}o7RK)`ap?-DwW8RblH!dVdbRz31=NR&IEs1x%sJ`O-|fH!m1 z7?_fJOZS`*Jn^~7L<|6VhrmV#2#Td;9O7gH1jRC}&-7sn`r!W`SfR{E2v|S>uL6hp zo$ZwnSMuopC$ezo=?RP9?u?n4IcO@5^|)N=1mK`wC4;rN5u%mE0Z zdl((h&%f_og-*V*&36;H?F-FqV0coEy0nUmlYpXj8|}o8$wTWnoD1kzsp0@tfB=8K ztl(~}i!S`1eT4UPNOJtOj`l_xH}8%IlRxZPabj`qnd zIv!pMg#r{qT-XM{CO8c1OJp4S-*Mom2hTdN)j%`NTeoiM7H>A>hU`_RA~6;CukGt6 znIb3YO1UK9;)#GP?8UKL$``QMGk)7?-lBEB!c!|jY#B|4*yAz&??o4dcnYTmJ=biiQmQT@pyEA~u`N|?&92Qcp7lZSppuo%QN5OIP=6IiP8cV8-^U>B! 
z2F^Pkb&a^Q(2%5=p;*^0;$Kny<_~wq2}_6~x{aA5S<+a_y8BT=)SkTj9WvSbMEhOy zjsF2p(4?92XyPCN3Qp4wxw?OXBOJPQg2y$Cl^lg;9ga6Er;jgjF6{!%k=~BYX%gt#WjY3;k;o$fftMOvU3yK%4oK&>8}UD;CVnO?c`3-8n_jvX z(TX1_N$$5X3uHVfYyyu8oD@E4vRB!@j+r?Bo!X{yW~JaY`Y21i-RiRs7dVp3 zMSkaN?^X}DFQ&ISd1(i+2y6vFtrHdA$}|9QLbmJ@z?~OP<}W28@oL=@Z*I_D z*1o*uwa3@Zc2E%tbWn7xd}H$j`>t=1M*j2ltE-I*b7$k#1Uh#;_w5^={b*9CovfDG zWhGCdRpq{XP#adwll$^zYjulnaB!-$)ZE;yug|J)KY?%0FxShq-d5SZ=8I~q+{+KY zNV0hz5G5F*!%*vjkEV^&Fl$ZNE$)9WLpi>Bss0uRP46*b3q`-z>ol(?kUG66wdyLh zqGB?+j@FYg{-WHnlWlUSM3!n;uUY;yGhV8GIoYx+xU_-xUmcS4`{uW4N$)sKKOqi7 z6-&3m(YiXd_O+X~DP=g4=^*ZZAt#eIky6A0i7YG<*tvkUip_5PHIP>Bzf}6Less!7 ze6Y}?%1-39vin`V$UN<{rSFI=dX)$7WDfDw){dqGBW`7Rd2uzZV1t#w*rtkD{eIJ4 zzxTy@k~vvxe{RK^YpU;tXi@*@@YIXCVkJ!Io>ZpROOL>3Dp%s@vQJyQnMt6nzZFR$ zm~q^!-d@1uUP|K}z+8e!#!j8EPi`^9HrW*4x#_Q3l{HAh;8qpcIyQ!BY)qkBBTF$_ zMZu0A{!Vi7a0=Vy$6kJg)I{GNOT+4SulcmgXg?Fq#NUc%j^n<4prqRRf$QOZ$*J#` z3n~3v$^6kgu7H`)>>#Y;+A5n7HZJkSorPJYGRLf!+)o)IIMQT`HPz_x$fkr&g~l7k ziv-f2Jxhn_6ddWF+il_yESa^nyRAa3(L$RSRf`*niVjIt3S^lq`1^=*2Tb_>WZ@^@ z*{;8ERo0&Y{cQ8og@x0$-$ZL4fR+q}i>(6#&)4m?zf;h8F7oY+hAD6h2noHyl^;Lk zZK(t)wgjexrkb10weB4};Lm%xn4CJ^o`s(VdkQ7!)Bi@c;oW?9 z6b(J0cQJ<^!uMRKeapUnMCB@LB5X52Q2;L(cy5<9ItwYks|hsK?MfR&I^`26*6H4_L8!n0VKi>kamYxR^}m8!=N*#crzMJrLN zvz2BX3nm9c=l8=Z6rLEQ4yyUSu|c{-d`>xi#vdY-0;v~<7SsxL*EVon-7)w&vhefQ zUl^-mCU&=v7OuIRVj9cH7zQa>z3lDn+b~vrn$+t#q7iy}m%oO;>YRkWx<FJ= zh70)fB%%5ZGty)`H|WZ(?sMkd4&P|YO_QPi^%O_&ht+3gMtp%kfOzzfxQmCn2AUjht#S6IFQ?v5}8M0ZWc&_#)|Ui~e`>X@+FMHVyCo`Xx+TzI&2v z?o*eWUs_p7fG&&9H}5PJomcNK3VK|ur45a*QATTjoxVj|u8jd$hFo4AbFXwy-(!hL zU3@CSRyALf(Q|Z^yw*|nWjiE2S3)=~Ek(a0Uf#3r+jDvaD}TzTPoHuOzJPaN)4Jy( z&?n1uG~Ttiv*U^F&QF68+%(xFR-y8fBq&_WP!$sulo2i$*wDW^<+*;i|8(s*81qbk z$51{aC|O@uVcGFc=Jm+T@#`R1e#ZS!3qBPm)$Y;?Zr9mKJ@aY);CHQaO-)9RleiL5 zX{l+;pP|Wh2vpj6@9Fdx6R)`@M{Dbio}QGNe|us5B2O(*U-LciNc|rK$uiwth`ddyKrsdem4`-2blE&OR3ZX{-cRd40vQG~o?Cn%choN6lyo^O zt{*g=SrOS8l;nyC4^l{EYKpkioQ02ui-jtD{-+KM`zq`Q$L;3VN>(RRTmF~R+=5fw 
zfAh-A@ZPmDsvBmid>pzdDh9vts5{%JOnZ1beFKcD{$qV}eanX6xKPD9GiX1QirZgW z2TrgsiO2RATj9&~d#@6H9AW?Ar7I8c)pzsK$^G%j$67~QdpEdAEV9C?OqOY5;wG<4 z4r#P8?=3B3s3eupt5+Do-=>5L!tsC62BtoZ)x77xNek-TK%1t2znLE$n}#@tx?4xf zWlPoF$Q^u>x%4TBR2*k)W!#24xytydoJ@4%k60MYp^SF(;rt4OL@%i~;Q3VnHEvj^ zNecr>1aU!$bbAymyw8Z+aLDf|h<+{p7zJ|}B8>=pO>NT5LHu5(qktaLOUt3bSVH{A zLSZ~Fl(hY$dLYNz0qy%!d(nns_0r&{8KFU$tqm`nb{@Bt5hv^AN{ZRh;D*_#TUWgy z$Bn=TACYcn%^ChvMjT7DTvSUylZAE$nSDFJ;I%PF^WKt+H(NKNwA6NRWJHgd%LgZH zN(Uvkdnl{fg5AYntD<<(i7!|+!i}=x0TfuJhkQ*B9F>&UU8=y3* z50I5CY!tCx{uHb79O*wEMt_ch|4hBWJ@iafqU7cuw4UDHu1D`u^{7oUqq~2K+ezP} z#>I^onw(5lVA$NIFyP{3NKkkeG%3Y6M=<^sh4-dBCg#5R)gOcMpb(l|4fed4M=GK_ z^o{+f5x;)@G6L`wIk_2lDJ-T5#nJ&s+gLtp1u~0P@b&9L$=K{{>DLe`8eAyb(~|Jd zyG@N4Z>YXilzD+{%lJ2D-%$1k}Ldz+qvDzG5Pg%r1BR+joPU(Ra9gV!ZX zGkb5QP*HMaXj5E&lNs|W8qd$;#EA)S2N`$#L0c>tlWlLIXC@fLYQd#maE*xo;v+M< zf0+zh0Jr1`C5G#qAN6tZk0?Nb2y_AF&%>lGZv!@u$#Iv({i$9s$LG?Ltw53j2)7?@ z2JlrkwQvgPY$svs>e!UMzQcO{T zF5@s4netP->A}3l*l(OMEQfc8ufqP`!6(g@Jwu)Dw!`?1Q}u90l-p0t$QH%n-Omye z6BCJ|(Nba*6mH&)L;rM0W@n2P3d-+iLMHlt4d7~o3kAjIqcg9kr)Q5DX8sKngTRZe zsl!889UT(*U$+WM3b-+3sHstYxR!NsCn}JoqqZ1nB4vMyz?a9kheQ{D+5!pC<=lp%{cZ@Ya@<@p6Yelqvhfex{G| zJJ*7sS8u!Hu?BtFL8VKYDHhrv|;y9fH zTTon35GwB{1zMp_eHBdfu>cqh8NF0o*H0V7g z`1Ft2KW?^9W98JvsI4xIM%5~h-Xi>6zbCL1#aOGGs zT)o@M0zC$nD##PN)C6CQ121h~8pZHqhz=$$?jIFi+6~ZX!?P}R_$MyVQyzBgy}|H> z{P{Lt2gjHD+{s``!rKW!4U>E-sKPILiA>o*5vOkVqv z3zTfm(pU^ilnVsmMeDaMx3}f5) zZuuxCG`%ZvA+YQDgCum>_2_(byBp}}lq!n>+A9zp)J1(RNM2}i*WcX7KsVV_F9_n| zKBH_8x+RXr6u8UcZ7=qV$^WKExn%wZAE5NJ;cj)P#A9`Fj?8l?UX{SA7cRTzAG@sM z^bsw@&o2QhaH&1qwWER1@!)8Qe@KqIM)*!3>R${-Z&s-Bl#zU1maBE07DHW`4l+_b0 zm#OEkZ*2j&%%Sb_(`wkqi z^Ah!@Kj;qiE#q-~Z}rG%bSHIwB?yvixY)GUy7BX`nYmdEgQ>DTMSgn1V)vv84TMaf zkG~=TMnQ929OOf7lCI*u*UO{tdy*X-eB1SfBt2fW%R22-2FEH=8W3M^aDX2JYq&gX zFu(n*IVmkEy3+()&wULs149g#M%YTGX?N~$Tv5;-4~$&UEPw`8lIVOQBJFlxK!Ix> zJMXS{7;D_Gm^B`gnAgEK*_afC`&yn2S>Brmruj{?G*aPlDDU# z8-8z-qn|+a&jTKz+_MKsGylY926I0rVgRRGs 
ze-K_Dw-@u>pAC(H4GzB8$a$wgyEhw3@hu~OSTb^gEKEYP?l#SW{?&ng>CI2G1$*0k zZAj4qh8e^13m28^_*sXp^(m;wDJ|!?e@g&Tq*o`0&d0?CW(4Aqw;Qg=pE7(wC&CWZ zf{(=FcOtKj!dcrzez0HzAUX!nhwCx96=# z^}J_qhc-6?A}x4>rkI+~McF#&Oz2zIm{wl+g&vipd$`wa8L;y5!v&U^x0snV4fO%c zp6;0J!$)$K*oP7jLwdNF?A0Fr`< zIjw(>V5n))NIQV8zm9Zqlzji4&Sdq38Pp`q&+ziq`adfOdWd zb#*q}Bw>@KNo~tVb(d}HdPVWWIx^HBiu^9tzy4-9-LkLUx$_hy0;`~!4EvJW1T1-} z*NH{)q+HryJ4hk+7}};HHm$U?jfSDB*a2G08MUoWo=)pA$76-W`HFKvMDnN?^e!MY3u19z9BpZF3M=TH$3gq< zsouL!a-Gc9y}V*z=|6>pKtzZ4#R0fg8AXg)2@;jnH#8VxJx>v@2Za# zG)kir%@&R-bU24KxF00Fz8tF1@<*4=2TGB}dluSfX>QT&TgzGuC<-mCjT7fr zehTv55|}Y;^&Oz{08|I##T>spl%zI!`gggCfa;t``JC&a6oY@&|XtT`y!>gt~_WhgR(@(8jGz-Jjeqx`A(W^epKirL`o>9j5(7jkI zJfl&+8@p<0PI=#;Qau8)cP8>wmOUXWNLN$yHy5PgY-+m%%njmqkl$c>`^WP+FPV){ z8(<=^NNxjUAU3Er_0LTCgCN{r%X>bn^7@IXiHD$;?nsw^sgC>yrQ9cw<>h5p#g64v zuLv-)g!69wxw01yq@?G!%YTYj1Q_^>knd(vFBc@htogQ52;G<(DM+56rNMl!2KA4d z_V@85X=;F!0)useodZ=k-4r|Q$&Tx6sZsQu9k-_3oM6EwLl zlWG$t^0Z6f^(6*Hm=DduLuEl(p@osm#wT}t>bMj!pS0}*|PkQYUOT3z6 zxeRzzAi2Ajc9rad*2_YO#qiQfcaOND+Uuxdz<`*P*ocet8K_u*2em3s96mrtJ-?GF zOO4M;1QH?@JnN(~4P9EbQ_m`&7wXPQkY4HAt{SbnQb#{o=(ni23j)K=x*N`+GQ8{} zB1cO}_Vs6d0^n+rrD3O{b91wBkp?wx-N91QsL16qa(A@lU4%#g7hj;%T|8g`X6rTN|S=~pgwr(O9muz2QI8NYi>OC76{>lX+bj`PF9Y8nkz z+QLcjtN}3Q3z*o}+S=>VBMyegb#-=iX%7@O``89(3?|_=tsqmN?sj%qprP+`(6>3U zzqYrQU*rw&15HkRG}LLYtGelFy>Vf$$=KN-2?iPsH0UQ2K_wO|jN9@Zo}PdjF>l)$ z@t@|egN)ymyBVr^z>0l?tD2{tA_RRnMt;*XWNFuC8Eo$;pWD30SXA~0eXc8?SsA#Yw@4k&ypHW)@$6hfe5bl*lUgy zCIx42qT#~S+(SBCF|ey8{VVG=r9AZWg=l4Z+^6V#;^=wmd2|~OV_={c zVOAjsYShn=;v@|V5(jnFeR3-++ifntMrBHqD^ov`GkhR{p7({?({S8 z8N5tgB(v4(E)FL^$8sHg{aige7Z)x(tbr-J=~|DIUDGv)<#Snd*>pKFs$g>4zlQ}n zAkXo};wI45Jo_|o+wBXw>=Pi7Sw)mFz2ydyc;+V)Q5%`iZ?- z2j+|nbW7zeJG&SeBUhzPeD(fbvE{hu%1jD(f3nz;CY)>u-x50hbwxQmaTG6>$@5@~&M zx~ACC>CT( zzV9o}^Ei*=IH~G4CxYGCm*-u?sv@9~VhZ_k8`r@W57q#!hoWLj^b7vl&572#UPz3T z!ZldF;oOts{eEB7RC&ZylDPY5Ay4SZexdJ!`}cPf#t!%Qw^Z5K8RXLEd=JKs#}tEu zd+wT`>YW`Bt&o9q*ZAH9jt3sc=}z_2hp-BXYqDH1 
zI2_gDpe2<@(ZjL*@|s*2&!0h8Uc5PIcjVKsK*lsj71@d=h^NP(mz7Z-`zO`DJ1d8h zWBdDqdN0;;ZG(Q?GV&U4OR5Hf1Z=k^A0LmJZrw(kxK^QI#;<#~Z)@x8r=UpHBcB~7 z*QdFC>WOsuy|}}r7rvg8-Kyum{sHa5S>e1*zH7nt^o)|yO$x@A72>m!(fAg{md&SN z_v|n9{Z&}Z4dJ9#{5vy~eYomJC8WFb!sp0Fw?V_B`=^obk?UZzogzykagd*$CLW(- zib?(BPQ^x}0A%QeE1}6K4pSTOf-yN4AOre|ZF9)F*U!nJ~%p zf+kPA(hi(d_~pnfM6oXk-(6&TKk6=4F=HrZ;NFh!G4Z5tW~*{!d7kTFaiE01?lI(5 zg2|7`wX4^!W03UM-nnzar1mXc?d&WqE$!`rMS;Z0;YKw67QbOyUa)MsZa%iKU*kE5 zZgkDW7q@ptJuA}FCtsXw$CkF%pB&WZvcdg%S>gF(2zwE`nfbEZ!rJYRCB;mU$6Shv z!Tj}y>z*rh@`aauPuzXwDcuVD<&Q>f3hVm-N>a|6$pyLd^s@fXbqHsyh94Tz&Th(p zfP;;~&Tc6$TU9s;q!UA7k6&MEtbg-C!RQn&cQ~_2i^}K*JHWjwxq{Ie-=M|%93NVV z46{fOY*5ck_*c;gd}W{NV1&%Ay+kmIj7c9ahekwDqsc=RFS;>3Gh5p`J3!6%q4lr( znD-6~n%w(T_g%N{XEl!F?TY$T9EnwdgEmNpS$AJ&)}_?6&TR=`m{w1Ymc>^vnd-vW zu)V#ftgt0oQZzo7JGb;%R@rs{llShR%^`JFDHlHhUFwZS>2~Vz#26jTzW@$W%Hg5V z_1=ENeE5{b147F*a{Lp9m**`9Y})BgnOlx#q>q#9Hhx?UUsqW@w^;_{SB;MEWBfp=PAKbCgPb>lL?QPijuT84HwU{Z&84=L-* zR<25VAe`}0hP*mHycpEzz#(%Do-ua!MU6^6TYmAJ+6I2`=ADNvVXU*d;T3%fXM%Ogb$7KxV^-{;JYE>i*VctYgt17ped}` zM{8+WczRNJb`Zt`o^ikhVcj{=N^DQpAaPvIX0qNCluxw=-a;dN5VOmh=Rs2D*WkaW zE$9Xc7CP4`@XsNy+V67g+zge;ei6}I@p(w|mstga9hAeVK4fDuZ$b(66+u**Pjpa!}@djin2giJ_zWWK%8Fk(-tN#em;w zSs>P|0(edF9caX<)}(4-Yu5DNjCk-{?=ZbweFD~1?qv_NV3~Aby`gEvSRwjr`Anmp zI}D*%MTVa#;s_?$}5B9}GVL+W4HmFkNt`7T{sIySsK; zFnMpP$0-?d-JD$8oo>;p+o>H(ZwIv$3dWbKEk=7mC>}u3ZI?XAf8jNmuxayZZ9=wc zi1fU;zJAP7kWC{8gqla2SyBLns0QLXKPpL4QBgAEgD=!6W213#cL2aCq$V$}^GA}; zsX!psxMJyT7Z1K|c=Zw|3^-C%yHZ-0+X)Z(Q6Z*wD1dF>MFUZ2>eCKzQ!cvsHr_`d zwoAh)Wpq;^4)3#)T9)|0ilbdSIK)2e}WWpdw?=MU8_J}0Y0G-r2!~2 zY$b65aXwlnQ(01ahK2=fQ>&{ETMy3P^Os?MfIvKY7lkjofF|dhbGKuG?T9vAS0pD$ zqESZhYDFY8xEDEh>*_ltISs(86}?xkoezRcVEADlyU;4)o7HLE758hJTT9rJ{89oi zDCQ_-6W`O<&&|yh6twy8z1r6$poN5m`?|Z8iQc>8^3iCp>7=KpKL?xcSRo^~Qs7Rn zMRG(FzIj81-5)NL&}&$LVJ{*iXvznK)jys%XAp>=aXOiXOQ(RaOjYsjtC=Mt-lfgk{>6{n7HWT)Z+xc$?bqZv>NsH1 zsW(QD2sj}cUs!(}F9%HXN=mP0;x;MHO*;i*Iv2L$dCjfQaW-dWvgHH-Gq<$D41jXBNqqg%Z7xD&n3V 
z9yx&-K9O}(;U~MQApOlyjOBpI%iZ_8CeHypW^VN$sRp1wnC&ya81RBHU{oB&$;=6R zu_s-~<9QS}(mn&|hD@(EJ5hokyXP%k?_IrQ72!EI!CEyk=~ll#4~VW}vF*fqhc{4x z+gH?8LH9n6&m7BesKRLjICc(QEo{vBH)j;dlE;fGRESN7ts7_2<3B_qdi;O>qFktVAkgvQti?jhd{N}$P>JaPzQfw;|=!?dZGoDjoTE5nuDy(49H z<$re$G`XgK@BaSsxW38MYc@6Dqc|gIbF;b{x8i$3(W}nA&wBV%q&`P8$5O-SxGVNF zO$Q`&#PKdopsC5vN8O{Noqc_D!3}MRh=VBN;RA2ptwgXQDjm)~{Oy2qsvL&%>5Twz zZw4e_Qw+YlgqwxzWe0j({SL zhkpW=mJa_pYc^8Semb8L_9t%D%Yaz^{%VhgYWGhI3v*7!A#t(nrF)VO59NI~X?y~v ze*d0siCvqxF8@)D;~79jED5!0b1%ygvxFFejc8o zVdby?725Uev&$MY5idEGTUhf=UZ-++s9zou*VZA|938~hUuF0L-!fGyTDK*$jTwHggUXrN1I((=_#D62if4U)fB#7X zzfZ(B2Ya`$x)<^m?5tCN{&a+&%(BP1#MA9Y<4c7LC7-=cSL2~$a0Ba8_WdLKRPstd z9t+Hw=FR2&;{M2LkpwQneo-S+yJ-o?9N)IB>?~~VgFRQBe`aS7G_4l`*tLBRD+s-v z66ot~g-hz{RJbj#JVm!G^cQwpSOqTW8iB|elyevv`xacOBvv19<=;V*larG{|12uY z15I$mdjhbkbKV7zbegh~({PJ(b4Sfubx432i@XqsvnpZ=#N`wnc7~sD5cxwA#pNNd zAYg(-&t}v+4OjzED+Q;p!)l`7t}3z>O6%PN ztgl^wQc%Qjh9+|VOZm1N8a2O<;)^xV)9bY^yW$V#giU{e`X(?5DC>P%E`yEy9>V#O~7Z)G4d+|mn@%(Dn7y>CAKF+~<^Gmmi0Zu)gjuPiNrh5raR?dgKAUA->3leA*~Fb;U0 z)s(ty{8hG@c8xaFAF{REya@oOTXU`=bisd}07*cJJ8E>aZf=eGRz{IUvxfJE$FN znQGcvo|XP^Y1pIJDOqM4_^0pb0=7nkq`e(>uwVI{=CF zsn_P%uNeg=R$agpO=SA}lBXWzETWGG3v6SPcZ7gT1iV-soeW%!&(ZVwqmN^6>%591 z@tev!%P>|@Ct_H-#cz=IBj&x7A_}cL|D4;MLKNy2;O%02H7m@9H5%U|EyjhIYQrf_ zt#3cuOmaP8KeluV$H9AXwl+2ki;ExGNa+0Xp{3MkpDGGh4#rNNtX}D)cMk7vcFQn78GBo0A6k`Y!46H}9)MyT5!&4r_B>z%VzA;mxeL&2hMQ z#LHtz1ZZ`Zp#~loHY;6lDK zcfXITNg8oDn-SZ`dV3KMA3l_-PwBLLF;=HMu2WebQl*9-0h4IDZK2eb4W8iw_Q&a# z9wqxF(EZ^a;&rq4*)ZJq2VaT#c}_hnrSGQXkX7!AWK%w=J0Z2zjGzDJC*i$hbO8qC zvt}}VM(1d%2QCz9Ff!u1O5w{vKxtvI*%>5U&zwuN?%@$9Ok9k~cX7?62n7K?;OJ@0 zmz5b+DY41Kq$JRjVmmN!zD@edRU$WdISHauE6Ys1@gm#Z#jwsR&Z9FQVJaD$ zb*aqB=rzle+(pA<2}z;>14H~sA8y#~n}j56g9ldV!BSL9Q|#nn8t4x#uD0z_cIHFG!f zpK~Of%kRAmk4pW_Go)>>H6E~%NJ)La??NiKYHjB=YYkPW>(0o(#SSEmjBIwb|69Z^ z)oMdjJ%nlO9cprHk5-+qsESrKS}iD)1(beh9WfXIq>pGksF!*uv9M0<_^zJ!M^=9N zbORE=344lWoxbTE*lV8Qw&qMcksy41_F7B&H|P zrV@1Nn4-y);dW?bZH7-qMa4=9BL<#!Vf*DU;o#go(DQv1`xT5ShZj=06rD!E@hE9Q 
z*UzhpVz^;@M|ks+xV|2sy0K_We4zKMyKSzl?5XYs2-ba#GBEA!tv~>ZMr9z?mC0zT zfxSw3rVQ3qaGHNN&g~Ttk(&9C2%e5uQqOxZyU&mgelO9KMp*0YwGnehkt4Q4KcC2h zu8*5vw2?s#rH&QV7ilp66R!`aQ%4i3sMp8>@Fi z*dnyQnA!@&-Jjcv_bkj~;CC#{+#NW-&u{pbnefOe<9%-VVWo+q*uDC>a50vq*5@qA zrP+;}L$Mb&BQyIKLgmu2xfxm-85r5ZSeFCfwNhpYVl3;jE{kiI{8VxYK(jH^*4gM% z-DI1oWwXD~9ShVRVId)#TRU2@_e!%}e;;)~Rw_yFvVM4-wr)%OHII)|oML%hB#kJq+p*NQ2 zr8s{!>FeXlAK;j7V7|hE)r6ym7dVd*^{qH1EVOtZN5UmS8ei%&}YxhYFm;5o~qc{@3?F*Z9(nvDiq%hVb=Hg zEbBOd!=bR1crPw5D*&{n3w#-3$gOQabP}iWCM3kYnrO<>zD6O}-k~q4 zs;ZCe4^TzbzA1kHFShQ@`dL^VSr_rwi9p?#kC-w?w#iM1czYr38Sk!r(D82igir-W z8s=0Af$~LiW?(^fEX>ZPSf+8X^nAI)1$hNvf~xZkEaNnojLg-=6{eJ-gZ=%vmN^?w zpz*A#;_$yjamkJ#7Y&VUMyBFh&H42|KUP2uku*ud1jzz6I5C_D#!AZrs3dK1$0T00 z$%^~{rL68X8B8iI-IHkiM>LXc!Vwf$PKs0)LsiMzA&gX@exQ)W=^KG>{kF36C@Tx} z>;i`NNKsKxKPY}w)`7cvsZ{JMg!6ARty*3-D(3T8Mx_!fjK+*le-3u@E+lS-M!>O~ zDJ~2y93HxxsN*`2GQ7Q_T2B=%L8}Z#!iN7AB#`R+ETuL*y^DMOqe87Nenb{Sx1>{QuG)xwYM>oJ2d4<-geu6{eqTz z7gwsw2?KI}Z=0%&eeXHR&9mO=`N7!zy~bS}?QdZJ7_GbcG*AYKv{?k$K4a(=@5w~Q zWPP>_^AEipzmcga-X?E7P^k;zzbO$H1qSl4o~kzPMyb#6$@6b%iuKd}n8?Z&|EeYY z9XsLHf))=-+bfeRQDA@6(1Wg1N6iO4;j9y328F@XBLH}+Lz+aKXtA^=E=)O^9x+f% zRysLt`r#4ptlR##P>|8mUk0Me9yu=B_2W99d1yXXuPlRyE~rNu^AqbATkiY<89!TZ zjl{fvN)svE=9{*@>LRw(hXdeFr?x)qlY$}}w3Hgj^q#dVX+>sP#=udKzGwhf>!^Yt zzM5(Tgb56(-5Ig7ov*9E}_>t4B(9#`5y)(>Dp5?6P#S zcZhh4Hcbx{4XYd=?Nq0WYgnKlIi1-p)2%qo&7CdvOPHMoXfc_6YM{g-SDZa3fOJTr zvZUNRvl}8vKc``0t;`Lv%7()cuS0P)Spg(v*|Z0#kT^6OXO-1KlMDt<*Z(T03B@7P zdY^k<8lp3z3g}_B5e~b3t#?&1$SYp<-wZhzIa&PK;D~-r`p`eV{w5L3IB)$YBa?vd zz_4VE#A*$!gLC3>?&9Mg)L}0ejTF~*Q`A{UiW2-It!lZ4Hc&|ari z#`-j-yL^BG_MkGYJpo6m4}G`%3mQ2#qXwjOnR?lX^u)ZyU#1Wpt|DAsoubN+RqiIf zH^YShLYUUB3V>seG^)LNxp~$M&U)9gg9ny=AH!BL$8;Wt!bUl zH4=_W-J(D0)xH+W3-sA1yU*ug3j=HCwovfSO>3YFo4)%K6{KJn^T8378)F_2C@_7kc@Qm#@STV9+wIn;CY%KamU=z z0EKS&6%^zW=PC8wA279y%wiwKeaLmwjK(W={!Aa>E0h(yn;~Z=T#4uD-HUUqr^7sUL|WoKUTl3<-C^V&EClf?0qhASWUpE@TV*vhN( z({*VPm$!HY-ke-%(2t?3IbC#z_rG6MJZ#Jhs1bq1K5t5p)HP%OrW1po^q6L0BX||! 
zG&jz(^)d=XHEnNWklUJ`sAiEkOF^ za930Kd-qCup!O4-rUi~}YS&UwAF2Hg=r~M#sFEJ&%U49NQZZJ0Jcu%LZM7D?Pi&8E z`&(XnZ?wNBI=#?Wjc3Y0o7n&GcegUXdR~FU&CkBnf7bN`^z6(KW{YYvv zU#Si2^A#~UGTv!QYsDoA z`;RkvySO5}Oza087A*S=s zjnM(hwd>Y4WTZMjI!JtIWlwJT+>S3~bs`{2eii0KhQQ#S%3JL>p4=sM@Q_x(!)Q>Ps zQrEtqj*RE7UPSQ4BJ(kQj;}AWl05B}hF=*2;@3qXE<%%6yC<~c)2R1BesbM0FxJL? ze*?gdmpsO`6=l_hadA0eeBjKUM%RvvRaLhoQkU~zv%{AEzI_(IUqvrHxP0N< zi<)B(wuB=9l=>bY?nx_b)9k^MJBfUHfIM3Fg05=t+_nym$1<w@l(EeA2S5y=XNHILn2sEp(z7I)3|7ccPS4aQ$&2r3Z`m_ktKeW(6>9+RP1iQX` zjfE`^^Dc{bE3aZh`}$8nN0Sv4S>=Jn5Q_Y(7P8kZIVnYdKL^f^2mKHa{ck0=&#Y@P zzI^88rSEh*D-i{UmQYg41%JA{?&(b*8c$d6Qy=bQKDhrA_17XP8voYq`j6+-MW~vk z+q{DhI-a>- z@o5^V+lyPg;k@K8kzX9k38UPBPcd!LA2+2a@IJyFD`%Su>S5RW%Ax&VH%7Ol)o= zzaijWX(vLv7M2z(XRbvb=o;#F&ATGo-HFOS+KAN_OitP4qe5eQb3kqnu2hkPeOL5C z(p9icF>T*IZg~=g^*9Ik2BycyE5`+DJRxCW29-{-v*Rh%XbXXEu+PeBN6}rmKzpUK zmy1X1U&)^T7Jl5}vp(1M*bBMI3&#)6{JH(By}kM7l@P14a%eqMj8tsCJbW#XwbB#I z%AN-xCV8p-HR8!0k*V(k-4|Fqk(gz83}E4U0-sp~dMXQL1FAgOcy`-RDGQT3QtSO{o9#A!{^BWszF3 zn4rii_`ZC5o9Sq`(Rbg%S6D#6i9`DGnE*>WSE1Ne6D80#f(G;55tOk4!4EfPB^AlVWY!2FO{BFTy(G+czng;5>&EGYR(8}; zVWE`bspkb_!L=UosnO+cAWY9QECZ)d-_wEsJ1BnzF!}7N{VdhJv@Lq3GzIW!K79C6 zO!8NE%at8||KZ?mh|MiWfy!Tl1LjNiTG`PPQKHW;Jf=y#Ef=+j{s5H%1h}@h+F{YB-%Pm< zFiXupLft8Wnlw(?k@%5`d`ONQ^4xGgX+$z;r&uo*{L&AAydcXoDb^YE5YyB}qwaNG zabUWRM&%Xj-6G=e5%H>8G#KVgTq$7B&rdr1c}d1%mC0ux>_mqwlDZeHN3BGcMlcwleU&<-Nt-B3F5Yho1S2k4#MI39xS+6_rxdHNuK@*TlmzT0kpW)vSigl_6hRb zqOp$;mQQOF2Gi3Ng7F7eQbJX}+E3C%()Gs_2tU8Og$JCKuUEnpLF+c9cQ@}cM_fL= zufxL{&Hre_O6kzDXtE+y5=K}Qj=^JrLgsu>SI|4q=Y2!s&QHmSHp+BL`{uJN8lVUWXcfv}_K=rJTt zB`X3i|8dm!_8CjMwU=HV)>pKOY!#roQSUz&0Ud)Jb#0HmJb#5)`qyFO-h@!ho(08+ zUf==^kW-znj={`*5dg)2Q;yQ`sL%f_6}-^F;h50B_bLch_o!wYI-dAp2iD zc;ksGE-y!qaB`oazr^dX8w>-*%ph$f8XzZ2G59oVq}$+CY?OXZc1ZvLt)E|PWW3<^bHK2Ad%1GOP>=);C%D1a=lo$PLO%erSR&Tkb-KnB~)o7bAcSyznEZF8oX_o;FCfY`>&v%HzU0 zAHPnS!uNRvpq2#?RlvaOz3DG7)4JA(zazU-Gts4JlJcuTc&EF=A_MA=Nqx$h{GfTC zKr|3Y4LYU+l2{c%`Zz~13v+W@;i2Z{_5J<$p(Siik72ktedxT)Ac(@@#FmkoHLD`c 
zs~65ipr*Q2B^^D7DL0&hDTDbcS{Bv-@7cA#%EsEd%T(CcYe|Y3FW^W)aJmu_2-K&xk zVAop_+w1TW^MA3KO<)iOl1YS$XS)bj%p;>PDde}8EAghDNX&|!0xA@}_tekD;a?)J z`>0QXDk{0#9O!*r)R9&CXhQSC7J$6{zOFX0_d5?P=Ie=2HoP5M32!uUp;RO{G;Ec* z632F$T+w9LE7G~GZcBr`GR(`LRDZR#b{P$ff1-GMR(Hm-Of0pK(^CQ1;Ax@@ZqPkx zdYQ=h8u=AkoXl9P$;CSHAXxUdt9bWZv_79yUhH{MW_SCs`PtdohCti!GYDzty_&zH zf2#N;VOy6{V>x60i;O%El!%cG{@tvMD7()ee;cZjtk4wNhz21O*`Tqv&(S16wrAS%fp~FaFEVfn$UVTh=H%n(Xbha`>01Dg zR!LpK7%3U*0i3m-Of6)wZo&>(s=Zfm|1$5F$ z8UebJD>cQAY)P4ivPj|2)$aBc1B3e%4$MQ}h`eQI5rJ(=O}=IJS(VI)9s z5@pMd+Vt>_j_NP)k#X14)&@m>9m6mgW)S?#Rf^4hSe#v~+3%DGjRoA?%ss5*`{n=# z{45Y5e8i-t6jUca7g`QxR1l=ox@_AO8F*pqCrF6Q(+CH2f`lx&|jbN>P3XT zJLqxc8WL#gWNj^wq@r$4x4suHdH8w^gsoE(>s=;-bQuR7PM%KI#U&-d9;kV)nVG+{ zip=AnOb%+;t^{bH2N@)@r#h#fI5tzRI8Bb-5x;*C(3SCY_HcP`Jr=S5GAA}kOA#*KHP@?U7}k)s zLAlYha!2_mD2o^NOWVORbVO-gs)4KSNY8_xG!R`O_9%t$Mh!j!a2W6gxuU?l%# zvEGfKiVFI%yqp{^xqtumWz1>a_j16uO|&usZpL3LIO|gNU6GuP{38&fimKFCfW+m& z|6dkvKw0SoSfW^|1=2UPB;POgC`eWNd~@?=kEW_>I|$=%uO5Jy;GSFKU#^6{KeYWGwa04E zNbG*9gLV$xX=%i%GDNpplS{!jSj-dUk&%L<-TdS{aCL+UGVte~TeT(|!u?nxcYIZi zO4|GV|4XU$r~lawkUQzPlHmkA4y+YDq>my0-E`a0I6QwnZFmD6-7Svc?5~qFT{C*R z`e_t*0_Cy;7MB*P!PGAeO9r8WeH0YK9C7Na!dQ_t__(bdWb#(0cOk&r3+g{P0hGm@Ng~xdB#0D~&`qWo;GvQupoQ&m|D@(h;GH$@ zE~FSa`ZOBzmPJ5l?vG3wpeyFR`yTb*uws!w(bhf($Tv$za|Se+e2m1$D1)BGNN^jQ z7#>D2_{8}5E^8s$*FHqzJ~Bs%E?6!n0Qi@r{{Yh5X#dSDK!I5G+DWRI(@@+rqoi~$ zaUQV!n@%N_R#w^lXhcH+rTekEuRq80sz0)qF|yeyPCSpXSdHVt+pj>eYPOT|sc=x9 z3M9{;od#a69N38Wit%kr9Z!gCGI3u&GnBJ*qhe!zWz?eKY|ZYV`2YOn`|`;Rj~s@Y ze-1Ur<~ zcWSdP+C4gU5cQhbUV3)_`ubj7)n2K(ou#>9n1W4<2ECs^~x+s81(6UTEFBdMs9zVyHhxt za-!{cCUo2LrFDfgw}XIBz2bGop~)PLT>F_%$wp5vL3YAI|;pLh=NTxNJSDqds=t|F~L_qkMvl~Y`ofk$QbU47`5edpIg5PctVi9 zF9eFNxKd0G2`Awk11D!(W{rvyB)~5_5{^`T9|C%$ zy$BH>0Xj&%oa&SZN`Ngq*es)SD{W(#qrE4iq))WT-|1DF+-9|0K<=i$YegSEySAtY zUgAIA!79IwassP0jgW4NiYImnhq-cl<**CLSFBoOJG=5xP@WFEuB*=;)pVEWgQmpi zC{P^DxQO-l_Z1KD`0EKrW#BgVYNFEs6DgD6${YcP(5~(SC>?rwLmeHTP&{c*_kR2s zaezm*-(vLHHMZuYpr8Qs*N1U}c7EQI&t34u4J`TlV7$F}CkN})qBp;uw{3WqN`6(+ 
zcMqSZ>d0fDP}2va3sO8$PB>g(+bd6R{b(wnqvt8_?yd?LJ%In?LG;O-00`x4?7(?Hzf<>VN%MyR z)yaKnav zOrH$09hB?TwFo3YF+9tQ^Y$-Rz)c3?zSFw*bHdJ_o!Kn?ZtO0WwTJtqfn2vBe`GV| zxLxydFA|#@x^Vzw%H*dGlv!ek#`|I7dS*68D!qd-(NNIDi@TI73sj1IU!RKRx> zy5GwaJu_u&cdd>=mrq%2amT=H#YHCEVocXnoMKK-&}5nF+VJ-+R+6&*aiMM3O8m{B z5oqMM{OYVm^OCKtE!o|qfW7cS1Ii1BJqWQyFC-s7?=K|v(&8_Hxy4|ru%BW;;Lzh$s6YyGW zm?*Q+;)GdPSS)S_S|jP!5634;`!aDP)mMn*wcywgIT}K2p#;9w41gW-7V^Hn_4=tP z$3TUeFs}Aqti5P$%|WzBweyjvj8U>mR#;VlZK*^af&#vH<}Mg%m=vLNA^{MjfAZ4DCl&O4dUoH% z#YI!~>R!pI;96^q60J~U*90yApE4_hAIU^|$}7m-c{!m5vncd(o@g<)w}uAA0n zz|jcEajO!rxlcI=)@4D4)&>hUn?ZNO8$OQR`tw71aOu|1pV!R{ndp^)_%~&;u3*Nt z7(vqo=Q~k*dd!qRA>Zo>C!s*c6B2YTOGGj$DPc$naJ^8({Ye06W=S1%PfxQRf8-3j zFaiyfDHSuQ)byBHs<6C>96;UCRz@|;`M-r?o(sf-eW|gBp&_o`VirVVd>3mkR7waDqWCV_Jk0_T1eK>mrjv+>|G3EiqnU~333~RH8n<{=}o9fnG9*Bon-Ebb$ARMy??>dIQ3>P^O ztqX`oFArBP{o81$ARd2-B|qn6RbJ}2@nnj~$H%AE4MIEja12#WFJ_|lV0*|gJm4H2 zfTTqHVejFtP+5Gtyd;eCA6G9gE&?X*v`cFEzy-StDKMba1TIc-O1~A(rgEzN=9C@Q z&|TKMRNx(sBMrGQFN-%%)EB=ecD*Nf-eXiZFjF0_6&GqX(g=>s&&>_)8#D==qVQb} zIO&x-u-Mpe1{LHuCCtXHP&py`P$fQJ5a1Z_-D-HA5n!5Y3rd%mgkR?S;pNhIbRa0S z`g9j2gIXEhA&vA)dAjZ2`C$LZLZ}qqiaRWSvydH!AH&j}Smf?fdcxs3n|RE=U0h;3 z2}h!f0Cb{cEK~i?5!2y@?;8Ki-@hDv!0sVfE*HeOm4KA}^>ZA)lwm)ms+o;|>sedV z4s30>Xf4yyBm;8rq8C>k(lXf?CMSW*4{uI9Ue&sC<@O$K*yqXol`3WKiMkvR*?KE* zW0xZE^JpaYk`_a$SSD_9c^N1&Fgc6jV+RN{d0^m9^G{Q*rWI631IKc9sMku8`$sM6 zybJIlswQ6&wo?vF5_>oanWJt4bc(r{Tr4=qF;Wz2IqR>fgbCBwhXM&i0*PT@eXOsf*pw0cbq5kj%s6mH$kTrv( z{<8lxx=Z{P4lVXDLjrDkOe-TG2_z_a@#_YX(MYaR-I2p#9<%3MagV7W*S^`;dmewg zxX)__9kD)tV1D%Uz&@vJ*#Jsi@@q*o ztFj)tPpXT&#C8vZZKq+W;L=X`vb<4Viifx$pDJ_%6^x(WjBUU21dn+kRjKZ+the$%1_oN9Ok z?BG*mV|KU#Yt#atR*|--^WVIVQYjwbtv)i@d*@%sXut%l8pc?~R4nJy9V0UhWL1A( zThgrv3&rXiOqg}BST3kvF7=GV8s%uYbC6weeK%MX(!O0=-_UGtdBcmzN->+(DEwyLIra#FrM@*Nw)+%U6{dM&Wk@Eu$VmyYSmB{o?Fc0!Ic?x*=4L{!p zHVrsw7y)Bk^bhQ=CM)cP&*Z?168h_U|92H$ZPAB%uJ-+U<(oG?*u}??N5tuqbR3Tw zlCC+JfRg|jeJ6_oS@7uXv{PkjDlFAE_B-^ysk_T-$NXD&SAV0m5`sg5u13tOp%S9P 
zfZVXZ6<&Wd?5=$+fcM|Rd)?0RR|DR*);K$1-7#QlI<4G1ldxGC@hLh6{_Ahb6% zx93zo=pAP_Ws7pmFSKwT`1%!=@uj}S7&yZekHUH0o|7c1<-*efuq-p-#%rWwymmuES(x`m}8rVfW|2F!29b2TXK z|60Al?Un*m#M{Gi$Tm8(vsn>%|6^F^Tj3lqg92OOhxhMmw-0@lhee=%@$uZ|1zeSt zEh|B5-NXGO$@$i@Ee1bHsRa^%Ei{7~nN1=-|9qh9Q2h4ImjI@ko&1@)VCQ)T>i@RH z-u}rXU^ony2*k$kOAmRkx$lA3p3sT`X}J0R0fowZ$^wvxB_;sHIm{QFbsu>99{;1p z73<=0{y;`KxTFNB>c|)@*O2B^{Y9GL&u@^f0nK+Tc7WaWzFbQ%fX`}^5T12!igTwk zSo00D`i6ZSE1n8di~BC$<8~vzfRpOK+yn%C4Y~y`$X;H&=VR|(NLvWMb8-bGcrSfzD&U9Il40U&#FV?^uzMnW#sLG$9wA01 z7fS^_jJ+SX5~FN28?0Cp;4*7W|q?x)uragTEBd#ngNaZ}>eSQ9;{*2Zt zp(FKl)dDM92)KJ=D00Ab z2GM#CClU03*C&QhFYHmSwX4SW*e``~{af}YmaJ3-a8)29aGbPOVV{mpTbC~GB3ibb z4D(2Wub|0*hTdxGiKCi6C-`3B;K#1)CO+#e=7)QDFRlkL-rt0tUOFF*G)K9+?`@}hFm*ZzCN;pa(L&LzpfL$o_qQm1uv)snU2br$)YDmNE zO?<3o;*)PpGQ%0xR8~-?h7WX2W+k9$NlD4Vzn6XwTy-X7?}a$hlVykZ(4Zo16}=95 zrHzQGXTOv^NKshJT`Y1u{k$4HIhTzTuZqffe>W<|M^k~E ze!H6)FqEJSOG{uVy#irVM2a(EOuUMD!gt$N9Y6ji4X0Z#D~c^QUg{*?l?l%Yw|);i z5IYO|W`Eyy8-5%W?;`rk+&SP&)Mcbb3A$2VaQK$%a5$J&pLKa2#a9S(z<^E|G&4N? 
z?5SU;OH~`6F*`Lb(|iC$_62lEcA*Ia{zxB(XgoHT0ELR%rzo_FW|fHU>`Y?n*4l{%}Gz>PxQNdBOK(y#!EbF*n8aI$XKU0pqr?0Nf4!kTeTH zlM!%RK&OBc)Z@u}cO+Kq%X~&uE=SY4OY%)HED;H%?&qH5Nph3WB@Fbg+M1=(gqsZL>m?BW6Ujn=W#MH(seYFLbG|j~VxM_eAT(Vf& z_H4Xvk(z_jZ%07TvwR2>j{slhh;6xk>NuM1y03{&r^N!Xsd^(me4 z8k*dOM!Eqi!}d@1snd1UW{z}Y0Y3`Qed(0Uq6Uydbaftd3)on0%OR#_Z-W7*;%p1y zroc%?p+oA<89_wA^NGVf^~Auvo^O0mGxR_ct*RP6@V|aubYB4y#=*fs?Q2(}eh48~;b@SkZ4SPI`c{csnujekDM@13ivuGTsIdT}6dvrL)$FSAGp zFa~8{K0aABsY?1FrN{5X^N$h-t+s(414E+%Ii(@+rRCz25C1V44Wk(-r>hIaEyTi07|7c1Q<*5cdWGrLcy3gg>F0!4m^tevpdsC5GY=DkAs%1d_lfO0(_2k>6fAHSl zB!z{6YG3CX?~{-S62lLZd*+mHL4FOSNT)$u2UJG%oh=1qn#IlP&11KNA0X+68l}}=pIYidJ1Hr+&&*GP=G+YR*`3zl@@FBHQNVBx z^{M%iF+deIX5`CIM`az3Fp>F(qU<@dUHHL*Csk;E5Qqea1F8Lq(Siep( z_>(4qw2;bc4e6Rej8I(B(8~3zSL2n~fCnl5PwnFWpzBS*p=|%R@o9fh)DR_0BU`c* zl3k5`jlp1SWeXwuP7CrNjBMHWG}*EYAtc#D_AQisO=Zje|BRmJ`+a}!`~P)3$MKlC z@B5nTy6$WHEa!PL%IqAHQcb~IJ~v=_xb-9C57lJT&CF$HOvsS(DW6 z6^mex^gtvN$jwRFu-8k16D#=03%q32Af`$*h$q z>bdo@u;ut6Z^@LgWfB4CZI(D0w4JmR-kCnf=Jdtc4KIWIpUS}RmZQl2yobN=Fc*J0 zHxhZ2Ea33{h5K|3Z+wejpQ}2-aKV-I&VN6B6W?enJDAaO9s|9s4 z4RrbGP!d^1Lj%zE_L>#xttt=GkO!FYHwV8AP~>?uEd)$_+T8l#N_mvBEJg+4z3&}@ zWIoJLaYl1NyK5!yGS^3c*4JRA-EgnUMfkcseC~UZJUYG?;gZS(Yc>uecxJ<0JQqPq zomsF8M+f;IJ;bmc)Twb2Rg$X9B1;ye8DX35Z=i3i^C|*=@sa6=$4o_R^_o@%jUoPD zqMFUHeTGVqWPot7SNW3VPZMMxJ%No>${w*>#iuk|6f3u0;X0N7?C9YE#`VrZSiJfo zTP&=i4Y{Iqedgh)nw4dqMJvJj*ZZ1S2~qaw7Tr^MERk*H5_YVUFTEve-n@O)Ij?(4 zJy0<)2|LJt9toX5eynU*o10e8XC5-31~-p|QtI>{Jp@#XIP=!C7G~B<1Y!W|r9ydFdFEFoL!K5@ zzczFGr_OkyUaDVA?Y0Vi``xw9UNrlN0=YTXMY{9Vj=?^PuO=RoIeFnDy0?b@`xt+l593@!n|VBfx*VIh*n9vb2F#& zYsGM=DL@t{93<9O>GV#?bAR37c&@1Lbpiss0JZ79vdZ|EB&zDW3GY4r^O|iBt>gSs znPG`gec8P)kI~U|7iScox>e5o>viRfLa-T*DNl8_fR;&l` z`3Cjce?+I<5s!IOO0fWZe=kKV)+6zU3bOI7ET}osX`7k=#*6k7>aPDK1^R>98AkHs z*R8V#ZSG!AECJ$~sjMkJ-_6$CrgkM?G0Edk%6Tt=;>AVivj4AKaueL4S_QWtHM#2Ls5QRE@V$ObuMXfI!y zsov?mrwiQ!Gv-o6nA%-3ksD&Bw#({&i3evHa2?|!vy!9IQ*3hQ8W|j^4EJC4suE4= zGvnVDH!9Rh?;P0|9&s#xCwSuqm%Wnsf76p^bGi9CJ_*-sed;F_eqbk!4mQtkasSs& 
z@<{+!M8c1W$gnWb?5qP_$)z#n*npqh0hM4(B z@Zk2(fVcu+3213&LgfS`h%h0P&|3n8%=%~k+!#zfb#wdZE~{A+vpRvsBINq%zoJ^$ zl1AT4YIKh;E(R1{yES&@K*_`PaiHk?PLK%$FV5a^;QzsB3u-Cmx za1n*|g3j1|Z!Wv$PJ@O|;}mfDe|>WYv)~MVD!!^8!;LBKEy1SPuvX9xsJ&a8**B-f z8*3H4J3Av44qvzZ`!!*$OPNo6=SSVr(g(_rKp&Fmf-pDKiD=}rS+A_av^bAk_Ye4= z-%o|a@&Qb}m_BUazvVP66o3<8sM{-LBKg~!|Fi&C?gfvR)-LallCenPoBKPeH3vgTd}eV1SU*z2!vQCS7mYKg@Zpu7}iV4 zu}2W^pI#2EGZ8XXp@3WG<`k_d`D>Uc2 z4_oqrT!N)in!2UAhX+{fagzvynx6veySHzyvi~qhKp?VjL8J<(hh(Y95O1W#nNpJD zk)A>(h)3NQqZL$!me2*3hY;Ep z7C1>D2DA%xod-DJPfO8*Uyj@&c@=#q}Q!IPG&5^OKoEdRwd!mPk?^Bp2@I07=1OxzhnJJ-FGpnWRX04kViU#w9?_ z)5$d+l;dsm;Qex=tllAn>#uDerUEw`29Ba*hymVnf8`eBO%y>j!~)Q1(NpHRMQ~5B z%!d#P3LqkXlw?vk@aY+Kjt%@d{`2>0PtPnT9C$ZLN7l`OD|9_3$DldatWw^GT|hiC z6j@x?c(-{1@#aFMDVzx58&wRIh!8I_=%5-5l-mRK*C3<+fK*@4gYST|o792WLAojO zV}Ck8@|uujK8X(#debsmLef_w4+{+c@h8}ci1<&r-QcyZ@bc6nU7nt{m~=D;o1XM! z-G9?+p-#Fu-Bc-{nSad&A8_Bmd< zBQV&?4U#jN92vyyV8jAPz)!$$AP|pu*ss9Nr2eWkJ_$7Hh&Kr>To*|H51BX5fp>$@ z|IsKNHjzXR{U*#nZ90oO6i-WPbWok$^1||sgtmivL{fU`xP{kSAN;QU0Eg(17+~`c zYL7G5zsx*5e9$)#N05sw2Xw%};G1)vU)##hw>xOEUbbdlpYz6Q5oz#(enrz%a5W@2 zlP2TlrUyZ$YfS1r=@q>xd2@06EvPDBkK8P-&7{5A{kPmDP=R^d&WCuf2Fgbw5)w}} z7ZHd>yaMDMOf81HYu#Z(nGjv=$TKrD?DO<3a81J8s+WFZ=CsM7nqj)3Nz;vz_dqB>O6p+veqDPD zT)W2-=Pw}coG?Dd`|23tjV7pO7Zglrjgh9)lUm58JD5)7fpx$YM|zzIS5gN$6(6iD zkXH0E`(;Ce!?mM`M@z^cVBWZPun_&zfm|0-2Ycgtw!&+EpW1B0=TTX_v0;@Sghwt;Iq)+Jw{*!v}8b=_~06f1pfydec&TlrSl_)i9z9J>=9x}?;I zH+v%&mNv@EODF6H8hMSP6j*adhkuGEZxQER@qxtaL$0&T3vWvO#B;x8!aXX_!b3rh z3j08q&{#}olU*v;ddenS2m<1v#YvX~O&7D#NfA5xyA#420z zx<5_k-r3O~?doFLrKX}hRZJgGzB~NwyeBAj@Bm%CNJ{G|suU0|I4drFo7Q)a=YV^@ zIq^J+d;Z_=I;I@!O$s3q7W50qB_w{Hl(?nP6w}CI#_G7Y1J)nmBI-6RvS`Xf!meg4 zycK)n@;`-j=sYHUs`mRRusV4WrEm0S{5`>`l9PE9(et2WS0DWg4Q)=x=74qlI60F~ zd_SR)$?HR3UxVEfYV<;#v(O(iV~)_A|D6eB>a2y0Kx?`zH~yYvO@P1 z2P+MEgDKhl$~R1oeRDPoi&3W0KIpy}y5S+wlX4luOEFiX*A@feK)%r0IwK#zNId@^ zqkti{-^jybal9S~h_H2JX@78$r`Ivp#RN>P?n_g7VES~hHrS9_v-STskaBVHRhvC$ zCWecfmUYr$dt{*?sm4AnyDYrd9u2%JHIM1LKEMIY2SZ(!(w@Bo?rA 
z+UP|}_xVsbz^A;hr}?sQ9};VBD*#V;w6&XomKn$YgD3>*VS9s7-vu{6zdGTC*`N?P zmdEM}mQ>|$u0FUL*E7G(_x&s9+kTx>$200p*0y~ZIJ)N77OAhdb%qTyZ%Va`dXE2}2lwe2;&H$HuzE&@V;l5q_~XU(^nV>yntHDG;0|d1 zIk>KW7R(Sfr>i}F5XZyE`;%x-H0aXSMO?k|)t!x+ zOe0A1Zlm5pe4?{%9yo%UEVA&emm>axi&;pre1ngNym@T8zP-`qKG$t+#1+65%=F72 z0$Jo9i^BKsc56n8Rvj|MwJ8%cHg|oo?|*`F{Gh=t%|-{)&zTm9-MA!5($x%1fb=1_ znhwbBZmv_vBJ(zqLKFZ2uk!_9nEpx+6hA-b43va@0$vDJYhODx_Q<;`IUa62+EM!ATd@PP| z@>n7BFEgM5AZ|4}i9^$|KRoEvAU-X(-6|l1A6MCN;dHxItWcE0BkJ0uh zsT&G)6B81$?(|$x^_Eo1TBNp*;zV_OqvcdBl<#FNHC`v;x`4>gd-K=XM3<6-cLc(v zzP>TkL2I6VVC0~gsDSWGRF%(KE-61pejtQi1Yj|DF*#XxFga`9-fOSrva@DjRgqbG zfC7S`BK=wSh% zTeVPZGi|FvlPQLqri4Cp^v)M?G-D(#Z>E7G1yoR2&HM(&GHJmJCz-+#*&ZXpJshr> zrh9ePS+q){=I2vpQn_unrOqnK08t^(1sv2v9Sw2}GNNrLRJihGS`}5h@hw!iPO}B2WpgcvQ`)RA_PC#VokfgvjRMYz6g&sF9>Pd`}YFH29t- z&jkLSSG%g#XCzS)$tvucoM(Y-s`6|Yvg#Z`+d8B3)tGzsad_a~czcox?@H696x07a z;FGKcOk6A$dg1bg>grY{?0$DwlIT@n1P0b6|6MP&F#x_~N+46OAk_y*7&xIjSJVygtyk`e@SGA+;|2pGH<(Mny*9j}d4%3Zy8ryl-Xos#6he z6xBVrO6c``navIxAN6fXaNQkrb`;*XM(TXXRImr@38^?SSH-~+vhe2XTHzGhWy<220+K}rDbm_vcZe%5+E;$fZN$=$lvXc zZjbqX7YRB#V{Y}=c5=@Xxkrk5wAADQqd-^i;NeUqzrpvn*A~4n6!eGSMX3lPJ%HS{ zdNXeZjPyz}wVrAYV(J+fN%bEm3U!P>U^boy&9GZ6pN6wsgfvrG(%ryWVmC4Jv5 zQlZF`c=cqegUF&=V?*OLe=xJVdooS6zV2N|JktCic{iI0dEkan75(l1@dYiIGk;#<^1P*KuaGo8Qp2dGY-Op*3F_}z!vyglUk$4=0$e6-Y zYA!BT+ynQ;#l1;2WAJ|PW@^7 zzj+Yv?HH&JY?YZeVQf|>{?|CmE+{x?@xX`f{{~y&bwXSPuyaLRLVDG( z_y>+$3#PCJUzWvTIM~7DXqHJXp$5ro*F?kIpzf}XlTOX+yXpXa+>6mh`Dp|O?7G5flUtHWf*)8 zhsnTq1Cr+;i+WCN?G(5t07)6=U=j^~Y96@7KCqo2nd)rFNLP?_B-yc|Nu{7Ah(J`r zr z95OTg*R@jz2JZiG?SL>F$tVFw4udy3%!-IRaAE}djPC?c{Qo(}K&>(GX<(?_fn4MN z(TOFr8s!ES07Z3b7Y=1_l^it)hf}Y+c(h9JN2IH!GRPX5I9v+5JncBR2@=nNKEaGx zN_RhBc+%+0r zWSm=W9N#xiUjAtS8F=IRV!pymPfs}oovy>VmaKGKM(2f9QAXsiRCMi~KjbiA#1=I2 zL|hT1Kb5nA<)YPzq2n{SlOrODx|D{_*X5+mDO(KoR47-mvk78)-dBuNyp&vK*B~O{ z7`C<^_{8WGQIuz0nkiVFlO{|?R5Svw+WZd*%WWW@h8RbgN7t?v%bAm!=;`~sMdfBJ zfKAb#IKA1R+7vejYN*KOG)65v-z1Tq*lbhly;v)2nRhn0#Lcw``mBQ#%2*RW!$}Hc 
z+~5mORLk}|^blqIs*0IET1DZb30R%;7BL+&7gjzcI|&H*)kz1w7!5En%IKsIm0QK1 zpbM2boOar?iG6BgTUaeK??K?sPHrR+9{TdK0c#9TG$-nQRaJr-$43U_FUz*}c5r$# zjhnVk6@ls{5(9Z8U`$M}ZGwvloCs`xLKD^byZ#|N5zVH(B$7B(3ZKqfW2!i%;PRru zFXYlP?4oz6l5`j6Z_YP0#ubLOsW17eB}NvuV}VSIe#?+Cs{qxhne zgBNC2au#*DW1CkuHqM9U+3$?~=V75FBVAl(!Y6Eqfre8wV@R_(zoGJ{A`Bf*w9t5F zUs~%-QG}&nO6%JC`U^b%gr8#G%hDRfJR70PcSX8fjutt3>^Uy>_e3L32g&Aj1_~}R zd`L3|(DRzJ+c$oS6aIhh=fRl+Xg*e%t+)*%h7uqgwXM01EV?^$nv$`GnLoM7ta~KM zP#C}bZ~J8>CdWS<=Ae!HG(B_#J!ght<+>1RfxRKHrGJGcQ0P=|)2qPD85g0*xy8kj zL7PSF038IDm_VhsV(|f{RYW4Mb6!Qax2#0{>I+4-8wF>MZvR{JfB=syoMuP4(|E)y zTtj0V{?qF_uThasi!tk3^BMi zT@oaVu2r}6er9+Nxqc!Nr)v8!5~r-J4DQyUz6Qy{GG~4i5`{{@Jd00xwEtn?_ne6N zz6Q)9(#+`l^$VlNYF99^RIc?TrN=t-zIBq&Pj~UJD?kZ^LQx%##AP>js#?0E zyjevk+98G@ElR+rF~QG%5N>~Tn>1nc{ty39T+9j;imbT8ji zEpfe=-&p0Xew4k1 zOD!ryHb@3n6>$q)%2}ute5IFJohA8wL`(LeeHDVZ-mKqJHj6Y|i&MdJrv{4Sft|?X zYxg6Nm;m{H29gVB6WdC;UiDR8^JrN@|wk$DLb}-W+=4 z-#x@GkPW7PENKC1L=`~o!0sxl&V?O&c{w_G^~>EdB&qQ6zkeQSwJ5eq+}(FR?ZmRT z8-EGRsP3?$7jM$j-|p$muQsk4@6}zIpL+00r&@nE+=o7%c2~O9oFDtXdUoyjnJ_KM zW8;PXn2eWHvwD{zz6cQ5e(iK=y_MZpl-x{gUQ29V@tc3R*!>yghn{XQX`DI?99RnZv+i25->zXs;mGaK$Jbj-=G{3;K1w&s-)lH3BJWZoWy9v({nX zi{{@fsA#wM9OUqvJJGv8kiFbkRn7EcbJS;{Ensu7ZSw=j>gvrnUp@CKMjJeG=T3H= z2-1C4{n~TlCCIRI(qLm^0NCmC-fqOC>)Nf9^atM(HLH)O}0`{s65C+_Et;yWxZ zMf@n0r?|;&A+X!xA*lY${d(oDWXq?}8VLV>0{#3?d2I+Nebkmc?bwuZ;p5GMr{b$nm~ew8gv9XPa30U<815s?iJf!533BgGmwwB0(MYdZ*{4#<~O z19|!vQQv+81|mY{iNB3)wEt>Ct_z5He)UgGNeY#_)JtWl*?ZyGE%Xz0xkyFU==@x6 z0MSHs%v|en&$cLI!o*b9eb=A{wxe@vcqGBu#UY~ibNV~G*iOqk^;PThC@Kk5^ALRv z4yb2}Q<*SIIg9lkSm_YQ%KkQsm3*ha^t}{{r`OY1Sw~E2ygdrV|&?bXg@ zq(_C6S1(|Mi@Uqoi`kO@4h;+C`_$eQY8uOXduS<0#`}&XzM3VWjWhZ+aIHnwLnf}k zU}Bram9rs$J{qa20*SKPN4L46ql2@ivI0h{4*_7CuTJ`2JAfuyX4f&z3l3DLQnF4} z7%oi27U<@c8VH#d4!sWlwx(k&;6Vw=|2_FJ$th!kDfS8j`T8kJAP9<6 zf$YeW$9=!BfGpEOnOsJatI9LuckixB$=`_2?Q`ZjfAVNYc$n(oveCO=Ux!+h2nLA> zadY427MK~D%!@)OR$`gl?X7%yBU_E$Ig22JfbS*4VdG5L@v?U%?iQ8`Mk1|Zi~8cU z`Z&F`u^$-1tNw+-yw4}SnZnU|8d%UqKh 
zw_mN{8_G6mp%yF?(zoW$`nvBG5oa68ZYD23GopXPiXy`PZ@b(G{G}P*&$J3x*d|-L zKD>XQN($L7Qm{?_Y6;f;I7Ok*#6Gd+9z_J2=5{(xlmJb*zg_c`BM|iX_#NpL!+Rm0 zKex*O{Re*fteIG~?BRHP)P=O0_~(B?Aj&`gX zwWlE)9PO07)+^=QFkv*N(v)4jb9P=iBjU$3R@N*BaazL{DcLuxuZoU(l9iWMbanS; zk#b+RF^Wycl$wA9wbyz8-tA%E8X5M2UA0pw`0~VhYrs2a0#n1Mj<(fPlsZz%*6VnO zas#C}r$o?786HkCc(^#nr(WF~2TajP8Iw2SJ|%!A9a5?3dp<7@^4FbNw>u8LX*bD& zv|WqIwvLztX&J7#@FX=)I(p;`_H_2jnuBLLE{^G(sOB#Bpae>!Gu>9=Oz7oF{;Hoh z$;wOKf}qJQRQc5#IXBKh@?cQH4JMz(pwT_wl*aC|Lg}v!9R2mkpK--AlI|Nz9TIyV z6P@VE^b+pd5{rw$F@AGZ?9H3E>YwOjkr7xwW($Ed4l$0G?KOQhIQGc)DJR+7zJ zqrMWrrC$t4S?t|#f)`cftnH~FiQ?cm(J{)05{Z!iwSpg) zXNh>^Z(wYg^(@`COS)zH*D&(=I4^C8tFy}k)ux}VR9aMdX~)+Zh&l2Rc-y5NPz_M=cpqSI$ zI`u0oKmXB~GG86U!*VoYm8X6x$8vlhjrlvvGec5(A=5eDD9uN*pr4rEyFd|;Zj>F) zVPYMM<&E_G!sN^6T`r@1cJ-S zZa(Yisr@qcwr9yt%f<2N6SK-p-m?+Fq!Of{LN&1PlS`Ytro)&wI@eann!P>w{M_RA zz17I@xytU9K&B;d#}%vH_B;B}Zh-R&$I z`arB_x|(bdQ1=cqYWn*6SJ+tDiIfrj3lOqMXlrRH!e!+AERa(^9wCF?d@IsMY|ZQ& z+6Wy7#`8{TAVj!EAYMmJ6j~Ddw{|Fx!yb zUp%Km!Fo{o*h1SyD1B@G_4B>~;>KGIs&Y1zTU^gjW#E^@o}ufgBu!2JxG2)7tibAA zF5t}EI&tDY&~@oTB3Ongot0mNy5$%sYk6B(`L-|pd==FqeY*+hve--1D_SIS)dfxC{nMsWH2!#6n6-$V=1mEAXF(frKyqPMc5Ebxmt zCI?H^%uWmwKsjxCbH!z*=18F~x0H@Dlj#M(D*|)oIT@=N0QxF9W1XLl@Hwj!^GJ`~ zUuJT2!Yn)@188eT?42_Zqjq*-Hv_J8pCGlIG4ZF*n2zkmyryX}A*d+M>KV(U`<{}@ z3k5QPb09bTcEm11*94H=J<=^xDM@GU#46@Vcq)YNJUrPlnAz9T;>eqjR&f1XThEhu z7f)8R39yV%!Ll9-P1EB)-^wPw@D#@`zvM=0cz%h*53>{3XMq+?T1kkYeGfhVOs)zm zuUAr0^eKq#V1+=E%}{LS0qovZ@DnqRn)2A?B7lm{9W%LW7sK>p?SB7|*pQkA+61%k z14LUDgrE7_@ER4A8Sq|sR%u+4a>k+L=BP@OAv@7}6;CciU=u_U^p&$BY20}5z)OAK z*LAv(BL&1pdgZ&gA;0u*OEx4WP*k3F@sDEK9zO5#S0rx#CtXdN)WfZeW$jjL|yT_g0ntM4{jSX+dgphoOcSBx>c3bxI`Nw z?AJ_lD$sU`ag~56JRKzSj9rr}B3SNHt-ENFg5=&nT{q>n=Iw{qqE$YZwNE=4mFZ`6 zPx0#oX{l_)DzL7;2c9^9?!@ZEO!CXJCwZ?7D^{Sub}IQ z5GWz$`8`g>q+N~US@l#Y+t{G`y({U-)Bj3))spDRI3h(u-nAe>q*sdeG;vhR>6Tg> zknZJK9^Te@@HwTiJZUHrcaUbaxm5755cmB;sV4k49AS6wuCLMktCs$sh&5}Yz3$w< zi1#4+iHqZYIL0|79C&oFskwf%BcDJNKqa*ws~Q~YHy>1KN*=9_&SER*zr=}ppsEt9 
z9I%%h*5<#+%<#$7;Ng{s=8jbt4fIRRX6pj&COTOYHFb3L%BVceGdj8BZtM6Fi7Gfu z)}srP{oi@+KGo$uFLA>lBQTc(HRe4d5t5fz&??6!;U1)wu6@62&Y3rbE(#xt57gH# z6Zm{r@+(v%n^cjc->%?}(Z=P;wT2bt&1{lZyHSbBQpG%LDiE>Y$`VDAX->b$>r)XG z@SXcr3bb-gnsi%Pd=kVsVDkGi;izbanMapn2+97Cm$PiVt;LF5bHUx9F4CH2slCZ- zoZ6`W5S{OSc-69Uh`Vwfp8zrd*W#44Zwz-1Lf2mqpmMX5pZ!nAe062{_F1Q9r^jdd z^mp0L5?hS2&}JLclHp#4p=Xm9OePL9VZFD@BxofZ{Au)}lvfX3PfsATDjv)qdwYpi zQD{RNW0X~VzEJla@t{9EXMBQmmBQ~8FcszHEv@Gztp51$4d2^Ws)H7Sa$x+p`}RIv z>gl5y)-%+L;nI4Ne`D`^V1M1A<^GzV*Rf;Sf$#2N?%zk}zx8n>q?Zk25BmARND?xr zbytEBS_E>UzX>!^`1_-HFPF`foydnOBkUu(9b8`h{su-4p!U5t+D|FgKx&)ljHFIBVd%X2T97Kx!OF zeXk}@kdX6j64e=Ot7OLfpKsQr^9Nn>@5D|UiyOUYXUvC5X(WyH4vrFOtc z67t#g_amxw#6=g`{ zZUxzBx*ODv_o?(AqWcD@E_0&FmI4_V7?iTR!0zmA>nk|3^(pV)0rhlg(b@@sWlqA8xD;=Kj(~vpRNG4!6?OoqOE~!oFftj<*8| zdwgjRu3fiUUR)d+dLsDY${4n>hEc_u@o1^0zNXELJv)*1;T>*6b6K_vIn2D2K2TJZ zdCpc!Hj&z~f9bDN+79=O-_z$?43#Ln+I^HR*77ujL3;Z%tAg-`%yUQd@b;bUV?nWA`;p z?ZBmckX;(LL^?k+No2}ztfW3ywbp)c#(L#vPgtd)?e6pKy{dVYrn9h9`nQ!xOZ{@80FA6R3m<+J33GG#_uRV%@v!j>OEC37>-5e<%^Xk<>F}HIs=w1qbTfQ9j&|@|5E(j!(3! 
zYzj?=<$YKv^4RB|QdR3-Q_@`o_wkF7xCA_&0}YG7%@8<`P6+=z#6h%H;GkZ+ZQc9G zU;NB}+ou93P%xcz4dI;elqjzW;IadjcRJ z5&zr2M}Cki@V{L|yuWo9L-D^}{hE3es{OzHvsX`dEdM0wKRuJ^K(9(m#I?!fX$zYQh|PqRo0gdfi1=7EssYb^kECh`OSHGR@8 z_3&G_E9wL4t7{Ko`)R`E<~E6I=i?PvgX>KM*je+EWmwK!iT`+r+R??q;g01^f(-h@ zW#YTHuYi;icc>%PTd4AFNspMi4w{`5TT1I*&>Q(gHu#KU$!{HhMfr%&?kwtC4*)u_ zuX>&&-`f1gee!qj_4*7z4CnV>&;_amqZ2AkfO=2P=WX+KGd(O=*&A(6Kxd70O^oQI zsRMX_?gE2_i)xTA7~AwG<*-f${Ac)R5*($>((tiL=DC*06Su+bk?&K}dF1mVRtF2v z!_nV*Pe$lm9tj9^ACbNX!-<7nvuSzIm!FAGa7OI6gkbuTE$L9uePdX)9 z?n{7R3=tF{7wpU)X`1`^gid^vD~{`R`AY5R==j6N5J=tGWzxNnkWqpW=zB({xU1VO zVWZ@NGhePGb1o;14@UhzSri9b zh`Gl5_OOHvZ*UDyxI%iGAD-JqA*dwEr zSRLcu73VlHlLY}dZ7K|=AhK)bXC}WD?rAEI2vfNVjyr-gy2Uj_m1oCRT*bQfvKs*9 zdb~Xi@|{HuGnp`hz}VIGtT=a7fG$Lai}<>&uR7fA&^5xb>@NUd>n!eFSj*HTm;g)f zw7&U`xy+bX2H00oOSX*L3JU)g7wzxNVbYA$!3qtFUC-3zR$y(r5%@kjm@B%$8hl$i z`7lWn9UDamvK`pi`#eeQ>d?#Es5w5~2nF3v*56D;A8VM1MB?&<0{_2duG)Zrafd~B zJ%%txsl%o!LeOrCU6C!vl-E4I^6yQcBGfj;pM}v;yCSnuvrFU~4T7HDw}i;AvaTM36%^%B^_-LnJi#NQKK zw9}h)5@Mo*s`dtb{n*y}@gH%;=~t#wHjFwQ|#h9>|VTURg<$>FVvS zlRVK_KjAp#H2Am{mF6|`pHf<<2G3_Juq@5VQh9vYF?t{x$3Rmpe+F=lEsQgneP6yX z=8Dy48cNh; z+-^T07yuj&0<_1eLq1d3lbPZ;p6nOK&ZS%gP@d)0p7&8AkZR45Ugc->LPmp?^=3wJ z<3u?cG6p%)GjeiN$j*lX%!>Y`gv3fc3l!;}S7pc=A@f=Kupk%Ce5M%il1YE*!%X6y z9^*dp=qb1)y5a;$H`be+QO@cFA&k^p01vU@^1GHteOD+U%hBT`8QJGo<3HWmBkN!E z1zpwWCO^w&_M{i_`3|O8hAZLV%Xk%XBFocD4Ts|4WOhetJm{@Trx_jf12&dI!DyAD z!w7m6mbj=Z@r#)9JQ-oSmD{*t_l&JOYOuWfQsqD77ukjRJ*$kk>Z%1E9cPPZ5gbN3{@e#_WlKl- z`<(rU>w8DUyB6A)y~kQaF5OENNU(X{cF{seajNrZ=;Q*~eW`VsHXrYe^7RS9``cmf zs@L<~`i+(+elD&JP}9hDDO?JQdiB1i{6f+rJ3+@>28337`S<-i(N}VpXhsj;M1*en zynLyh{ej|*qW3}~I*H5mjJHh*J>%|`J4X=0cg!3?ZR4IFfBlYB7W#GK{_%h>M?90% zxEii#At*V^wUneXZPeMze4_a>x5v`(UN^J*m08_`Pkwzgo)Xw|ejruFZdYdty~oEn z$@JNhh$J&gJ8XXwIQx^<)3i&yzZt8edXx80L8=o~=^Ue)-)N5Grxr?^=>%t>riqd_84(F}X+Qh^40 zP};S?qX=DD1sBd?)zp6qi}^hB3ASrJ;a8u!R1oA$)sS?B70n2r;xJ%w=}}K{6lf z*?e73XNtKM_ooj=(5ORq%1YL-H4f5WU zLFmKpd2w;l7MtkjzZfu|vReJ}B)9@T&8*mE`-L7t`0K$n$_)l&z|lvxcbuA%SLa1o 
z$;l8m2N;Sl3S3|8KB4B&!P-;e@LhO*w1}BC-3(rz76Lpr89IV|dA>oX((s5km7mxz z7&m>NG-@aHnfs(d^;T~|QSpyiilc`~vK^6yg^1OgNXmdy?9>-1s6*t~kU?mInQ54S z?EVoQq{A^!f101I$gq6@!&$Y3eb=eut9TJ1$Bqfdr%xWMb7pp5`2K}Kg&m1Y+8h16 zBqRQ^(-P<;>eBA;#xhs9Xx{tGx8)u4aysH$nn@vNjKWKfMs4fs9LSMMCw<snk4sNp-o9nyn5q$o9b;ZiSH}S z?;e1PspD4g#Kv-`)L}zqB<}AJzHuWu{l7G0ZJa3U>oOna$29r>TFOxMtmc zJV5-FQ-V6yn5|k88@39m~7mw|W~+!Rs~nI2D5W=U%-gOJN(q z^H~@gBs~pJ#_#jV2DJ@`X$bglZ)!P9@HDhsW-LtEr@6GbTw0!%yz{@5?|Llb{x-M9TrRx_% zc<8azlm&H8OPY0YvvNE#0DV3i?U-oogJMpWo~8(XyT`0$ce6o$d6;(EN@Llj@>R2R z*#lpOfF5g?Zt96%nw7G#*Z8QdZMQ)Fxs$R)R}^rV{7u~{wdYI6uirFv(uMZ|e-SI#XD(hdzGfcw}7YeR$nSvYNLqMa&Ad#=VFpwy4&J(-bYXG?+B4PBv$4 zK_pR-`6HUPyeqGE0Th7jEIez-<2uYweMpwb2adj44a_UnoQL)AvM>aizkY|JDdHkx z!c$b($?MZATVm38WDq2>DSfG?>9Q>SoYwF? z{Nz|UPr4*%tV~-Sk5i-Yw#(#V3I)#LikNeVK(gI;-IKO!eCnki=^Q-<&CX~kY?adl z{YJmUG#f}3VDAr{W$s{bY(;lbd2vO6XX*n5xO_)9_cn0DLnWen_5R`3D5r8~QFElw zN%_eWjXqEUj7g~NM%^WRG z*7uD-Y}B3E{kFG2{bwBRjq)!RUY*V2)vw|;GIwY1UXD|7-B`atEIGcj7ce*&87{#a zp=5d1Ve#YT$YyjnTWtHo7YeN2MjclQQkan?#vI)a6tO4F`F+EV-l> zv)K;s!r2YJZqu2ck=f(Ut1{_T#jR5%-DqV3X8jZcQEw)@u~Ee$q|V~{Y-oVVEtUud zF%P9Qt*#BH-4^pgh1~8ro4$Yfeb1$RH)eA z`Et_d!qU>x1zI5b)&4Ga&662!WF*i!t}#6C7&y|Y;7|J+mlT7o6wr)h)N0Rv7-^ef6~aw<#TPimEFh2EyjwIc!YB-h#>N#3rAmF>10GRv0^C zh<1~QJuUq6qC>|FUaLu|AlY|aB%T55X-;g{p#W8!If_ovktxTIrq`g`))`%`Yk9vh z+qGu59J!j5CKbZsx

6z{83Y-i+ zJn5L6XmWFXuRw(l#>&QQ32mLGuXVY7=X(43<4*dNd-IlEl~Shqp%yq|XNYh9?KYo& zsddURqf=octJTLST$dXXxtu*%X@Ki>d`!q|>Wb$VyNqV<>AB))6dYQ(JaS75f33D< z=qX%=J-9NbOHP!rNyJRY?e-K7P=6(O%v?OW>kEJE#8?|0yzDKlU%IvvjpBhP1ErO+ z_}{#Hw}kH6yd)pKaf%^r%T~8(-p6Zei`3&0N*CrzJSi1t`p@W)6V!ck19CH86eKEX zSK^~&Do*(bH2;5`eFa!lQQPfUs34%El8z!Vlp@mQDAF~IfV7kdNO!6@A|NodbPmJN zjkHLEbV*A$NH^R)`hVXa_kRC>@8$9FVVHCF*=L`9cC2@;^%@zp!P9!#4#mKvp00E+ zsGkokEq168&`4k=)A}5EK|`oQxUhmO<^rH@aOAKwHm)7YSO)K*PNq%4KYRQ+YmIb> zG&KA3wu1}x0fL*z{N)p8}vlSN?XTkBguB2;lP^s-cAA#xpKhV`X z!p6q)Mujhy-xp)`l(h_kubj98USL9Joi7vXj3@BdLs^uhWcml7Y&5eyE_le^BfLu7 zYFV67q#2;r)Odb|=T>I>z!*z9=Y}Z~r@XLzD4AQzI`x_PVa0jWs8+rPZ;b3lO<$Hz z-OJ_W#RfVunusxwc(RYT$m5=InLT4u+_-r%2oQ|IA z{-VwG=;miRF}-RH-WU5$AF?H&dk7H*C6=i%{2ZAKcXYJx+hMx)?d6oc0Km9B`+L2$ z02>XY-t)L1HS{$NP`%JwO?tYztuwY%a^!z*q~+-y2LJ8dfjz>DL2X0hNZnVV8BkypLZJ@3Z9JkmH_w@b90Tow+MP2jpzVJPs z7PnbG*4|F#ofL>)S%DZig&d~!^0TW*fZsGp1b zs$0i)>?ozaV5iOc=?xE&_?94>W)R$rYhrvwP4Bp9AI(4!NQcWsi{)ZlEObw3I3YhJ zla$ku9NU&V?8ucqA>^(Nc0deJ47U^V3yyEh6Q36@hLpTybTV5_Y2;vXG&|R4{^tY1 zpAQywVrzZFQp6h4D}CpGe)Jf{6$jB2pnu{nDVP5Jkca<}M||{E)tvE>J~UsINT2r4 zHO#)j4X~?BLw6vMvu&BDkC9a0_*SMBvpxDgq3RVm-yW{wKZM;K%972V6W7apppT{c zc8yhtEZ2DRlk{lVdZT*81x}AkAV*fpEm%tEeKFROn429 z4|%r$J!-&|=2Z+8M5HHA^_nwKwpl|7K%0lI^9pUhNdDXpwh8K=BRucX?G{5X3&e#J}>U7cdf(nx{&R(Tw-r^&A(L4_lOAKk;^m&t%o2!RG}3-E~d#247k(`2=Ou56-vs`>F#ty zQrF^+zpj-^{jFs^C?euclK!1{a4I9R7jjyeEj>(RzCSVV8w|QFVEz4Lb&cNz=t`>N zb$>vUUJk7~qGT29L_jqo+uA!jcXmnhY!vdPk+?A6il5M_#bGm|0o_Dh^I=1?GPOfv zv_^hVwUrS5{|~lHx}bulI7JV@DLuN$3S&}-QKfGleK=*PC$llvs&LV=YjzfiSFEo< ziMnY^qE=QG(wAj!g3)ZzTGp7yLsW?rq-h7K;H%%IfEE=Yd)|C74YWkYwu1f`Umd6h z4mmZC&Nt3#YljT?)vVibok(^rDe&@YYsK%&;7Fg z?JUCk;9>vPc{167{r!btLzbUk(~Lx*WZ^$d3j>)&{ePFh2^VjuOv)gV4D%K9JH%MeN>cFL< zsW9L<-#;!SiMqzYZARfY-4v99-sZO|)LgYx0+Z|x)j!Kg&YjguhPUF-ejm>QV3Z+q z$BvPi>(XO?CX7EfqknAgR9%{auHAX#s ziUKp~O3yP%RFN>9qfgjexJCt^cZqk@48(UWBM4vly{Mb3Zp z0yCY!+ly;`8Aq$4kP^;Y{!R`h^umsG-1+x_eRzH^mQmcLXWp^EACma)oj(7QTe*AW?F!7% 
z0xx5zlHl=)aIxJlBa`~n=Oix3F&j{&Y~-s3y(B-M1ZNPpnF2GrliZeJTMJld9Xh60dr0hK< z@g3fh*Ee8BdR}Kyy}Um4z|ZR)n5S3b5cypL!;J*W13f(m*xJY|*Yn?MRhnmqhn1Us zii&vc8boLz5*ONxAJVVVTR@Dnv$N^u(2#F7L&%K6lX(}A6O+M!np=d9w_@Tv_m({7~g(;AE%k;m!#d-NI8Gx- z4F1)?p6B$`;CQd(T(Cwx{#bH<m%pS}}^9R5b6Ok;NSOmsBR-+6M6`j6#UwWj^|}4*1@6mB{!1XFHuUSh zUUT!)V)Pwf9?KKWg>iAx(Zi~rqh0`QNPKDhe=bvh_B+nc$$_+)J_Z@`In3sB1;B!1vBr$-kZ?qHPUFPqVwK&e*J% z*}I3%7(r(tW~YuzgQrF2suQuPX-w^|e|UC!-};C>e@L8-vS%d?0wHFmj+rGYvp0SY zjUf-L;iBFoHF)Ut8G!hc-rx-pm%S%6E7zdyy5VlIR`Xm@W?r~K9?f8Bm$V#$Im;Jt zD7k;o*N8>c)R7=bed-?Y@*+8?tj5ZB#@0QZJS_ut^1}}f4l111Pk;M}1GH}?*+Fdo zmq+d(=%)~2#FSq+TsMP?XLA4L19DbMp0ch)qXR}NY`iXQZ6a(gy+$!21g^8=6p(!m~F+F1+dI`cq|-1xwSaUPD;3V z{P;nYHq69!l9udDJmW?4guWE+GUdu#dkj)KS_T2KzM1@_)B@>Hkj+lxF4$*KZf${e zdm-Qjq5sM>TmkiiL(ffFx@k|1&_! z={IJHO+Q_b68C$S0`8GZulgy!;RRp=37gx8A6g-aZk2kKqIF@Eg=N3r_?{&UfC$RO zoUB95cMurSsqu^>6y)LAtXlW5GBfkj$)}8_LqNTbrx^!XXZkbMO*2~X%~h9MAcvCw zrB;l-dgMfilY|+G@i1+iZAGJwy{sE93ZwP?{r%N*busY3z`)b?33n@7gZH4Y$Tmro z``(z7IfbqD@5Ark&(i{H%j@k>Ih4ik4sZBywT|?`KK!H4y;Je57tJ*dly_DH-g9zt z>QuXf`x6sWM8)1@e5G#DFugGfILa*I2QmV5Ce+z>TXO**(Xx;LEpQJ3j29G#$@@A| z!q+F6@E)!BC*$G!XU6StPv5r7Ki^%{($%eY-nb)aVQU*gD9Fdx2pVm083RAv#)=aY zc!Nd*k69F$6@adn^GlrkquEUc92Iy|oKwmH-G=`>gz-1ed4EJZ--6w_SoVAwSSE2*DKcU0IIV_LcNGGc9$gfZ^OJF}Xug5fY$w$E~#cWL8geTi1CvoD+r z0@VK2vz~j~`Hlk9mjeoVNTiyu^Y6Zpt;wRg^ z0M1M3?0o|(#kMUf3C(p~Kg(*TwW{py?tUDZ#m02S- zM-f5=I0E}}dWQvYTq@CGbwBO(XjTMta7A`?aZ%81*Fq>xSKKGnWW2)3%HDoETwNCv z^S5+ATPU>}<)#T6bp{0@`|2RfXmc~VD$9NB10^Wb{uGoM0#b%Pw4YcazM?<@#;jr! 
zb(jJP4sE~JkIG7f2ZmK`_q6f$r^;pM6}gLmCtrfCY*if2K>Z-F46}Ux&^Q7V=Q!wM$s!W%b zf``m^l<}5K{WKEfX;b=Ja#2_{7#WX`-DmSC0S@0OvUQC-O-tuT7R(Sel!szi>vZL3hj14cHiV ziX8z1xbZx+{WtT$oH)U)nU+wnNQa~=Jay3jzko2le~5_e5Zhs*?eb3C^5Q%=m97UG zZcHq)vBQd)dnrt8(!jew{A^2naM}L!tzKrgNkJ61*Fl?;<;08KBV)v3uadZE&3&by zuPsKh%%MAbd!h$3ssKv|FQ?xWSf}r;jjgV)d+jx?mz0$BJOK%d7J6SLc%B|8Nn?6i zYgw3?7dG}g;zpQ5K|qQ@*pUN>ZSUp-zm^dTMQmYJm1t;7<>9dT-MzI-?;nEK=eN87`>(0vXSA-JCpa-VI{@I0LONW*;)AZRy#@G z@GU{%eQ}@{;-%rFC6Ykd3(@O{R^fpWIu-Li&Fq0yN4Zo4NH&slo%!p6+uTa8g)+=2 z?o6xYNc@emv`iU#IadR7dkHPF(WUk-*JG6%7tq$$Mw87P*?!VWUE}QJ{1wp*toM4> z@_gWvNEo;q_87u+G!mPso{NAsH9iv-5)yYl^H{nmxp}&<5cN>0^7nWDu-?|%*GX_M z6{mF)+G~v6(GMR!^nGezG!w6Dl?dP6 z*#(Jon;3)@ny_#X&WYCYt2c<|SNt5bg$k2RaM>MlnmE}Aes{N8a)P@0w?FTrY&x?l zEvL0Ut!7guM6-!-dHGL`o7nzg{w^#s8Qqn*qLwKu_mGVqfOc(0S$tYf35oE=6tFJ_ zF?;H&@#IerqkpUrzKjrAQxe(ZpjD35Im6AI`iyWIRm|92W--Xr-^{l1@UJdyz}yRX zro&1hc6QLIBrnf(=#Ge5*=SkyVhV#nW#{W`TMOOhUw;_@*|*i4HmHr+}$7mJYAloCH$v7-t2 zxaM$r?9v)t_cF4LvhK+fL{w2tu9uNfYHrQhXxShoq4Df5UX^PE-m0phVYL=~BLlGoWia$U#K*UHGF1{&9gn^I`mxZ%hyDE4VFBiTQptpZUhbOt zCIE0Wo}Li1Xf!UYKHQYEkU(u8zi2rS23^>HrjM1yayNid)~a#? 
zNZ{=SQ7SXw@~xed~SEZTph`h}D(4;V5KblFTDGfAQJFn;Z|JfPq` z{%hCSb4T4P+)`Vx&()isV5Iz#Xq!s7JkwOZw3U@duEg)J`x9j;=&n50^ZzMCrQ+$| z9TAfMRpSm{l)UGeEpzB2tIeaK_Mh|f9aXz9T4iXJ9=qV__%4x)?Uzu|{Yy>4>yFB0F`ZlA7_SJ}HFb2&hoISlq!RY?G7R*(vDQq@k;*SJn zLOWBW0uj&=VW8Mw&R$Y=q|hpFKR%At=IWf^G$|bFF?wxg)@ovhl&+c3Yo6EA)Cyt{ zl|3U|SXPVJ1%tI}&X{FqWcBtvS=CwPWgW)K@o`nXWdzQMgJLav>yf5zWN2DJxhtMn zBIClv#5b_DeOs^D*Y|Xj`3EP4%qAME0tMD*JaHwwZw`-!h_g9U*R}2)Sy`5%+oz`a zCH*e@?r#Kn$rn~gP9)1_gH+Y{!SmaC>5v5(ZhIm4F3OP>{~b%g>4l`7Oh$U|K{@>xn+ z6A{dal|r_DTC}QaY;3G(Do5l%M(zl=`1%l=c;vY#rxKH$(Q0p1hc+7ZzO-4wUXH{Uah~`%b9=kvDr~4JIJiimX5CCd&FdO-BNS-S) z#gKx~MYBp7suVATft`)p*u3_wUg%DdVn-d1&WlO0Cp=1cc?FUe9`dy4HPl?(rcO&; zI$r~ha-R)XXAt%%$5yb!w0CfG91rK79Y(PvXwMNvoqY#$`DR;g7w2GQ?Iq)E;P|x>*$?=xvu$u^}M=LwzTLjb87zgmsbDt)L-E5yAAPDTDv#mA5z{QS6?PlR7 z;zvWBRlCE>eS*z5&VbFX%M7bvV@;=j`!m#W zJrOrx6YVd8mteGvzg5XbOyF<{?r87Ga7zI0CAPIv$fBqW9b*0f12ut)AG9cegmhFx<;Kgwc#0W1y@X5sN!mLM7I5n@ejE2^`n78h(E z3r~_T&Y?i$4)#8Vk*jMCH%;4k*Z!W~mKJ<-SuqD7J%B z+S}cU6LRt6P90Oscb)B5$DzT*vk4ZPE=ec9I%dT-u^^%bGtzPsrVLSQU!HgY!cN>Z z$E~l#_dttB5VZ`3M~rud5xp3S(AU8~L0r@}<%H`pC)nyO75Bo$KF`_aR&Fl65<41- zj~{PR5|3{)Ilx}@IvIRTsLo|{2zLEd2Xk60AbA+k(7*uS{reIq_XzG8L;RaEORUd* z@}1i~Nn6@8T)|Gd9PM}bbFnuIsG`85bI45)mdbRi80#Q82f6(tC%54B`Wm(kx{0FO!qz(dooky0xKC57&8Kh*oq`4lOG!(^I(xhWJ; zl0Mq9@YJCk0&xK9r%9}Wa&897!ptlg4whMkL$PhMmZLX;Afi6G zw8_(!K7B${tSMBJ_d5~&PU5Ym6spp7$4rEw#&w5~GK7nRF|d09kJg6@T-dW=9#?nNT`nQPkQozXhDnV`F3c z7VT$U?&?X)GF}QGlzC-ptUxr=eYAJMQ#?DeN|!XdE~R@RoLxOV!Lz2u_IPq~@@P-0 z&x|sBf4r)KoSb|cwXoR`4)1X-VJV^ZHrW=-ULV>*pH{+ zQ@{lW2m5YZJ@m5|qzs{v(<>@3!j2n&(2#J!pUWgZdtP2|;BYEpj3#`+LA5qo_E3!P z8M$;c|M=HhYFkUk0fT&H==_{XXbV&OA*-vLzdztU5Xx-*P-eAX?70VH%8q6SJGvfT z1O}nv^IAqsOzfH7r!H7bpv0>TIXBq{_*?qNwX(Tp02&HbBdp%Y=A@*_{QL)gw3iBb zd}8C`z>>4t^W<=4<=Rew$wyuvZD8F*<bL=Qew)0(F&*ejyI>J z_sOo(XCtJ2HRSo7m8CU@M^<@N!=+QTYHpGM>doH{vV)3^k4}b1$Vx_^cGDq}l)Gk2 zEyrhw1RwT-mt4Tv!^D+2SURH*=Eu-Z0Ma^ehFVROOZuBfU*Aj^uh}d~+LL-_TCB*4 zf%lNbkVsR5_9u*zW?Jw^*s{yH!I(T)>}6&H!E2y}e+}B76Un?3IqQ}Jk5<7QDhHkc 
zEiF9;UQ%4rbNqX$Kl5R4FFidyvUw5rdWp9E8VhqH`?}Y>W5wENbya1h`{enAia)nF z&WJf+(UZp6o7vi0ScGw5w*18y>ECsz6UxZB;n6EIg}o06e2*nHRi&fnx>JL>Zh;?q z`tTMbkp3BT&1ATul9H2y1HkPA=Aztz8)hr6X*KN#0rmN~#=*%IFMigY0k;jSudS_> zg)XjzX_qUjap8A0!fKJb1Xa4QaKKo~YkZ<5IjQoO9y4IInhh9!BUD*q4xR-iBeNkb zvqIkQ0#H{ux#K*RWcXN3h}OhI_RrM$v~%Y!sOk2xd2A-}f7&^4-3{GtH^9vw}(2M?^2KJ4nad7d{@E zn!58m2LU?_tp>i`E!2plM2&{2eEE;usTq|Gykx#zIxz07DW{hzqw>tHX-_!@Xs=Od zlt-+MkB(NBqc@zhl=XrB#Maj+S;~py za#y}5FY0knQTo=~PuoJ}aL8!FvdYS*K?3Zk&+6mO@?f&RC97AA-j;ZBc_<6L&Dp;n zX}jDJ=L$G2UeK7;g(U;Sm$7Q*6A}psUpU;mKr0)Tt(MXcBrs+2K=|pf2dFF}G|yoa zMLF8ruKssAOnC~~KfKudD!wsVXdw}92N1fR8YAzW5>^1;eD)?6b-rbeK~uP!Q74fh zicK{&d?}4HK#v-zu?GoOxWWZIABJn|vN3tZILESgk}lp36D#*nRqfr}X*|&x| z6y3+Z#Gs3ixfbxmE&DVuFh;@X-@$b%(EL_o7K@`(cjpEZzr0e#<*Xg9&07CFbaj2; z^Wmd$=?Eq4(Mc@mF1%yW2?@)qjQZ2j2EpkFw!vj$v4m2MDfziW!m5h zC*&ed1!=QNC7~lsNoy8GRopxfq4x`s%UqF#zAlmBPi&LCqlldrKTHH``iPw5^S$z$kD-)=n%PYT z4}{L^Y(AjiiI8Ega9gT~Y+GDdTIlL4tcM85$C6Yalad($efO>B%>2BG>tPV!VQrX# zl|Rk3#(N3edK}RlRF0_oy4VwtDpUW$VNd+oZJpyLi@b3vJhUSA2U=k>rr>X-IU!dG zP6tNnJ)=Q{GEsK`J`l^SQgn(LQHHX8;XO$Gs#4p7Lk1JRzCS~B$dTWH%0j$`w}4|YRYxz)#Hco^X< zvTyIqq zL<+3sELyB*L~DZmx(L@RH#cEGQwGF#UnayM5O$qgc;#+pn|!wLfG>ybmcRc!1I-^j zt-PTv(QUc9lpSK?PHV;LLvOifyn+u;&w&nO3{@hw+q_)!>&nIRye?^3Dx;=3(pAY@ zpy6l3aAr`PVUqGEu)AUIUutNOgfZ!SX-Bl~!+R!Vm_xZ{h>8#-7t_(l>&C4p`B^(b z7?Wh$W(ZUbs5@zVy9~+iMOM2SzgF7A^mqK{5Nu?2QrJY(|-?`NP>JLr?60D(PyU z>(lPL{D6>6{KuhXX5i3k>_#y&Kb{B|Gw9&?(EJSfahhw7})rW+iI<2HN z5QxuBuz<{qTBQ!5hd_Q=YsLvrVq10m0O9D{%O=}WF7HQ*AY#aS1+0qnpOD(_Szj>m%Gu!eFD6^t^p6`r3fN^Y!x(>#xu4N}0hKD_ljbjc{5BgDAM|qYS1grSK+| z-B&wBlju`z!3%(sv%wzlhQikP3iuV!y&#V)D$q!E$lE%w;1mnVTx$Ar(Yz&?n;YsW z6W~vdl%xBJ1}VuPzwT?b+{IUU9PoCl??S#oOE$L9w9Gc`dA53vHz9AOt^hU8Y0_oI zQ=6h=<<^8;k*u89{if;gCiPR~Ej0#gTV!7@y0ghJzx4oE_+`rHfjib_ zY}VE)vuZ3hRzxpg;lD+gAavTuvVNK4eIjtg(>wiJllT9gW$8f1&t>$;mr)8@7rq67 zTqb!A{rGBN`Hbp~JdC*a0jI&8qa)H;#5!@rAEew1(+0nO}?Mfeu7d1GUv)df6qlH~q| z%;OiLs#Runs;|BGpqZ7QN}fRrhqC%jvSYcaZL@3{06)ol;qivrN!j5K6KsINGv7=d 
zY1riV@9wk5K-e3Hg(LLwmpdsH@~%*qZl$NqeWKpp+5Wskm6L_}=N6zPLqJMSfAtf) zov3z2TFQ_{$6=R2u46huq!lBop@Mm{|X;7&I9Y5sN zJ9^szCols%oJSG!5Xh0f!-m>fnK9I#*2~~W1lXZ?DmV8R&QEJMx}fPU||Az(tHcqdr@r9JYn=i(}bRkeJ(_?*J+^#}rQdt@n3dVQWEC+#= zU~6alZ84qY4Oc7{>+0$%nJjujH;KT_?6~x6iqaB=%3v3BG_wOchz|CiKR(Md36;4M zUa(O&?y)}gqjGh>Ta0gL0@B^W#nlsrj*(=Ge5^AVe*<48I+BUX z2hQtjzeOl{t{08G0qM$BG9NK|{;uv_{6)kT4hTncwk}wZzYZV52Z3|IxFWg0KN&&i_8iRLO~@0{+EFWPC`4(+EdV%@L@hc`N%Eblf?t0udXP z6vzYPJ-9wrAuP@>W!EeV_I3TJEk?nWKxJ0x(Dd0^j0K+@>a(Qb-Me>T;btzcL2ScT zk8p9m|C2tDMJLkaVE=gCF$D^^s@`AFC zSjinKdi`S0shon)^}9y++eKq%tkaz-2Y`Q0MLbOG&`40xoPPTycYfRPEt6q zo&-+Fytf$2oFY$s-@p4dL(vYc*h@lNmOised|fN0@KXRL5B`x#<2&Zt6`DohU_2j$VcASPVwc==Lvr zK`TJ*d-2tF)~~(%`ZZL&fz17z(pXi7AYrNigxum|l-h)9D6h|GC!A1<{1=?-6)QDj ze+%7h`ZTxqO-cQ?zts$?w@D8Eq|uuD9z<{1y`4<+UA7mzaXQ39@@jV`6FgJ#LTd!B zAH=J-5}bK^#`+rwDCV0J1rE>ADi3G;t?3le&<3f%hBphGjb^^n3kjpN8(JyORDbqt z4J5$1c;Rv6h{Mq?XEZ;FZjG3@IODZTz~G<6C!{5{X*%io?pQ?~5AO5n5;F_SE(X0# zZ?^M3e)e{F&8xx|G*E66B<*Er=tv*C_kW!3+x^7ALgVXae(L9P;+}%15%z)&nT-O# zt=*61)U7VUC&%M2myzG0Nvp6gJg3(jGu7;7Au*PDDx=n5U8m~X`$_opZK&zb)izY6 z_37PcviU7kraG58;jJqdUne^+4{!!cyW`1uLxR!wdtEfG8mF)34w45otdWqah%a8F zEC9L74qF1hs+;ELj-@)ph_21pZVR9v&@lcuHqShE_f^zAV>IzV7xMTsgv#GuV%dWVwN&%R{Rsf2cnO*_7_z_F!l2|m6T^IL0?tBm!$(} z+})$t?b=*eIvQkBYM!;jkU7n6Vvg?Kb%&muYyFk2#lJ`bMuhmds7dioz4`{zwVVE& zT!*ZmpFDYjY28^4qf1Xw6vZcj(ucQiAe-AFxl9Uf0VwR%+5}@%)FiOPZ~?@( z7pxSoABl>J(i0LaHiGmiWWHRSoQ;MXNy4RzA@(p)u?OShT!~9YVL)IUJ<6;Yz=SgBgP>e7pE>& z1LD)E#9L;+qG|xE+PC!0fCyf)8%yX_O;c`8P8ApqjWJ-0X;Frb3=gNqR3;uytExlU zy*d@BRAEuPF_%R75tKnqeX!>k^xuJ&xM@gPC@xI~+pV8oMS3LxEb+|RtLOW%4nf7{ zN~FMkqvdJxW_^9AlIRDMQJ|Epg@B28&3iG4;~ROu$4MwZ~&N{)P$E} zI3gl-U0cj_1a^KJ=2m$s!a|LK*VYRayi&8PYqfP`qG#i{t!@8U4o2~31Q)hE` zidE%7g#4*KAU0Oo9ho?g-1-d^%GUbI;R8sU9h~O(c12QlYMw@FM17pdj)t7p2ndV4 z&@^5yDp%L@=wIHrw!K$#Fu*cvK@!ygUKYgSKsN0Im=Tv$)7Ir{(OyAM5Q6re90vUwIySqUR#3k*dG4PGU<=mr_ zHXR)ud^l~E@DgPRlF((k(V-eWMCb76=9Pc^{${oeD?P9D2wi zVvQ1T1AqNW?8?SXE%h!j7a;pzKA9f0c6?8*`js5QoyNE 
zadgSUKtB8rT3fC#{>JrT(k!M>NwkHa!J_t1ifpfDzH{(w{F93ecKaR+Z5BupyZsFy z+}o}v-;YNDgAcH&9ie)OJB<%J#oUetI0K$#_bx8hILGuKwr1vnXrjS8r>PkkkY}z$ zWB2q8%|X?5C!d(%r6VKXe-lLZlSW>z|0@|E+SPdUA+PdO-==tCm4E%E>> z_~_&m3B#$GuQ-kXLRyu>vKsJyv4|IS15Dme1DxCK{`W#q2dGG0Pas0vSYP?lmLT8) zQh!Iwr&W28^F$|)GSHY==2oCl?$vhvT3DjVKWOTflGQoh)W2Zr4FIMV3}rdg4i_%r z>lmIu*S!dm1Ne~3EODkz%zLaw6Ag=M24)cRZ&Vwo)Y6Yx+ zr2%NFu`{p;7swu{ekX<@Lwz7HF4cS;lFH_lm@n~PKvSVA&+cVTKY@4aH*||Jdq30NJgA=Im}3rTy|Qm!U-&bQ6mA#k6UoaTOn9#{O_9N9m474L3q z;0|&s;rfoXC_CCa#P*I^K&ITm!&YEs8!x?@?~^w3{Ue1e(TE3{tY3RhKAlCam7rF zeCeXf%H#Sd7O;y-CG$l{2K4>tkjL}4PT$sO03)QuX%@wv(H{N#B0{Lo#vv_h@rP@Y zTT3~CBnp3JlZ$zBlo{n>o1*_F(I+~T&vxczj+7%Nm?l%`_iN~1zrpok@U_<>iu&i< z>Y{0J**9lj#7pDgC9?4eGpXj02bQHVLM^#j7fwT2l*Y>JwBW_sQ|5yF!Yow&6tWn_ z%$WFiJaqv8a#V9Tqa{FG0QR1M!gLy7(eh6c7?`JeeVt45UIk^QqvPo59Yn8Qu>K-I zuZWXR%bj0*EL;EM2Xf+@3fRFg_yYaKMr33p;H@|G)aP9P2MG)S%4Z?Nr=Z!~Q0|T& zLQC^D2m#OQR_cn+lS#v-AX4J7VA)iE|7z8sxRMuuHEN4`PY9S$8-2a6K-YsNC^3aL z1toO#{%}hm6m&Ms%dV()qE`Gr$XBU$9s}#>Wj3RHja2PzM#^oMD=iw@95-U*nQOcR z0c;rq^qwA`Yoq451%Qlqz=Bv7|Ap^uoFT713N#GsS$9o9vcn!m$#YQA-xS~x5drxC z-Nm@uS%6VQlE#c)zabysTgJL<%Cuf94x2MXN_*?(_Ah?$T07w?7jv$v!d4Gp{Q}@dL0ji!IY!52;_k4+Jv&qH~?VZ`-rvh<`W!e!O%d4wZZjooB zo(Y3;#M`c-!1;tZl>ZTbP*4C!e?q=!4@+nRyne$brLHHh zz0I3{mQiWxWLJn8@2nsY;03-8`N)hDXr_6XEM{Y)`)-pW0M}cb;Y_fo_J~cQ!qE0? 
zbLz6!+6OXivOy?UG@l|f?NUO4%z>J zE~*UUp0`qpdU5TZu+a|SZZAi~y2KDO7#H#2%?+wHq*s9|R>X^K7>#?$MHUdKq{NQ5w;Qu#Bh47H*_m`zKDg z_r~|=OdtQ{YDiN}r!Q%ps@Y%IF*{BZ)vzwBJ-gSJsi!i)EOs&&J9Gay&+rdgS>$L& zNmavbb0W-_uBsx7I%Z~hl>d){Q;JnH^R@%)55x-}$NBZBZ5ZlJ8|}RLAn*m)CFom; zXbKk-wuuJ|oQhj0W0Q*{-8VZ0Brns7xBmOrrwMW^XYYxZkYRlOipMzV7ZbTK5@x)h zmM%{<^M`_k0yoT|R?0!Pop10|uya1*_3&eCfSOYtV&l(%9v8V{Lfm-mZ4c6)e$(rWO(oF;Og>682_{@{`SL2{X+na9cv3!$~l-> zlA`$gILxtXY>YSVVSgrqN|$Rld+cAy((wWMXt(KZd^eDiY>@#CDkF~)srB8PyrAm{ ze1h;G^PdyR@3DXrXMvoTZXJg|%g6g$oTkqt^^f1CWWF=mv8UuC!t{X(AjfmejTWr| zd!_xWU`14?z+|P1kA*)eR3HL~?42lMe5kq=C30<~2m;|_3W*v7hvKxQMf^!1J`vI; zn&4=b;JJ;u{J$sQZ2rp$H2AV*QeCF3Eqc#Gexju_^!}W(>-*1BEdQQT{|X8DmU6kq z5J=Jf#m`SR@Ld1JcOWM>`1XC(-C)_Df*O){YW0X9w=dC#`fUuJhp^5x;uWk06t;H} zxY)Q0ZwWraEv4@S7uW$IZ@q@10-+L(2QAQf>-_%ej}S}2Bi zGWQbX3bPz-$Q01v23!R0i0jhzAqM%)1bJ|d@2wXh0{IlE(YH_E`w~KaD@`Y(mwoH+ zIFbNAM)2oPPd@{5#oui*K)8!1R3N2ANXu^A8aKNRF)d&U1_#UJy(5O~w}jB4v`I59 zAh!{>=78S!6W;TY!q)I-8)27np6Q1wRaUCI!B=P{UO*Fq?o9zPB5@Xy11M zNE!f~(ONRlKM_sJPC=OO{FxY%80_0Hsr)IOSC`n3%;}i>R>Qdn2Wp*QdeXaO|VSsLhuo(TFjxJpv zeZXIw_W(F#Vi2>|6(KE5wEQBlncu(BWw-34A-}@RitA<-6VdGZ@bM~hOJLLTR(084 zk)QAYLb*9!<;INHzfU7I~i+rXaD#6@&8`e`rrbR%sDgWm}5N8egAGM3M~+pT_EMAa#}Ud%XfTHs8~jdG)JUD zBmsD8m|kP*>il9<8k>m7EpOj8$q>|h_gVjey@;LhtDhTNz^{ND8oxSMiRA9tZ}O2# zGy?DGdtZp+w8{4+g4-ZxUB&I^&wSy8Hq8607b4Ii!#(|tfCKrPMJyqjB%c6YihtT~ zxv)&F+X9slT`pIz{q#XY8YcyysUXe>i_Dn{Fl><5F@ow&OCZX2<$J-x=>o{;vm|un zS-?H;?bYVy256bc+Z`%+bZrwR32Fi(2MBem@P7b0`m5y`-JD^^SPKxOHVcbG3W&+o z`x2*D=zcCb(bATbX53-a(RN&r$`Mlotlld1&f1w?UZw&-$<_73F^4(^i`=_1dP zVZ0Z7!eR%f?eE?lRlpvhI8ia&=wx;WcqnU_q~~+8968urc_X$7va=_*qvp#p4@7A+ zIH=oA!u2v*X8{P3X?7{9Q@FgG@hOLU?k!M@Gf`0d?(KkUTW}W@H9YyaD&XWjF(9w} zDI~v@tINR3D($@Z8<0Jpa>}Pi4%w6Zb~ISNq_TXuq8-P m~W-%sO=M;E_E-IdxH zG~uNYtbCc7Icl9(4FXY#xh+<4ZBvA=$+f7Vny^9ZBM(l&`rGf7cf}4Z(%qIBdBPv2 z6H-D4^Kn4E4w*YKJmBmb-i_xHSN|eNefzrd>5=inU(Apn9=7iaL01U~l5LosZxEWQ zB20VWFy|pWgc&IgKyyh;c#M<(qqk+ceAL4>c72{QvE@{m}e{ 
zW|ca?sg6Je*I25nTejvs5T-2dJt3f}wiGz$KOC2QF!|}V;b9%Lf6ga=zIEacrWC~& zr^4|n$xG7Rzlc;1CqKD=Jdph0WZOW%TTLzw_}sBJ_px`5{kPCkFM@=b1}0zpB25vP zQq|&8!LtZa5B+eLzkAoopFie4d}3l;e0yb~>9#b*O#Cl8)c|~AcjJ{^&t@lEIZ8V? z2+0r4m99%7gg^YNpTaMyCB%fpOW*#_!PbU^V^@bg~WfXy0Qe!9b_h}2@H+um?De; zMyME+^#|t8^>Zd^j7gEzog=^&+8a^3c6gew#|~?q)(&|0W@>#p6hdd;7e1){Uv}v4 zAWh{j!XtuDYY&=kYACB>p<$^1U*cVLh zPSl)xmp*)bowDfFI|`$-Oz8kQd|TV2EK&T9;wu4BSYPBZUaj=UlZ4O?3~*0cs94re z>n?pq!Bpk|f5TjMNCA*Sf*@i+tXg>d48vL0#3YMf;6SmL&F`d239oDLN*dj%6tk9H z0lMMb?O%+;ZLzuAQ2HR z{uMkCj;@e`LcNO@PV?^%8yGcXio;%bw$(byG0UMEn?)qRd7uBXoC=r1F=s}$-V+l$w^$j0EE*mivA=ZY2kCFtnk?bj`pEbWHz{er zru_?e>)SDv?7l1Yhb<91r1R@u2_2R-3S?jJQ2nK{_%FvKp&IpfXxAPhV%+lRP6E=)7oVk zZTWS@czKR~+s#F7pl$pIcUk7!=N+50CHlOUQ1k~hhKisKjW%zDCZa+x=;`0?u%F$P zS|WjA`Ny3%c!{%hc75GNP-I3KNczRR*i$o$44 z$eC|U)U%3=fpdEYg%haMNA}NuPmyc-zqmnf>q%2`w`Kuz@UYq*y4>Hrm5G%9L1W}E zTu+|y+}7ZOjAjBXlNUvZ75gu)ryG4FGTn#3cWx3%yg1 z`Pq~?z*3GH{+hoSne$;a-`Cq~I!r?s$9 z1Cl%FM0aK@dlD{w-IA0xfefvcBBEbtWdK|j=nBLuH+fe{sB;LCw$clny7y+pIa9@O zb^>alfABcLG@GB%017rXDtDWVboB9nE7`;B5j<`?JC>7wY`lH4^*EAMKBP+<8<({y zAab#=-=D!!-5l-ybH5Ih%y?Icv!SkiOuc4T;19lOwk$h`0@gLT$l#CNJpe{a=3UP- zW-#=ttdohr`^;ROQm z8cZ42MW8@!Bt>WE=xFC?Cx=kBpzvJVUcL9W8+G)-ak_AYVW1Lx`BL1*vBwmtH`M&> z@m~8cQfRR?t{^kBmKig39ey0n44C#8XvUnc*<`sR~H%lI|09$93m<@xHa=Eh=o=gXn{nB$YE>h87$>w zYS5Glq4dprI@FA!^0=uIp}c#jKd7Xt$^)fwPjE-R#mGGzh~1GvfBUGzMFVAV?5$gs zwFP11FHS;}BjoFvGeJvw`7EvWdGv)N48Qw*y}k0Jk?N8Rk0o=>>?xvCa0nw0^Z|fK z#QBcN`2yA1F_+(o03Lc3F&IU#U+z&mXiLq$PN5;xpUJot5Q9+uCibk zCS4kq@hy^(==YSM5v&^O&Md%BZ^zUk;Ak00O+Fs`%Tx64{`GGxyH98pf8d*~^a&^nnGZm*{Oc=_@QdAh% z8p42s;25aTk3{l0ZAFcEYdIhq4(aa6G}N+AE9iVi!kN)K^ET2)emTSUBYE#!TNoR@ z9YC8*owUt5do@mlMoM;I1DA$Ve__<3oFJ$0CSJ%?$uM^JViP%MB>~}1&Tl%A)rLvZ zSnrnmQaYk|$$>EZxZo|f{Q?t_^u4f*T`P)Jq8}m$T&P~!hoT}I3h|pLT&YouAqfgY zfMjN%yP%yiBA)<3=2p-6r_>3b2W-govvt@>?mFx;Q+=}A#V&R@U+eocXuC@69d4BF zSJ9G`@YR*e36}|90?ck=r%KrU1UGiImfa&wgLF+!U-9q78l1{rbZPy zK!;ue$f=(U;Nk`sQpsuv`7E|_q{;DD2$x?P8Wl_C$@i|21vOQ>#?%`zy=AwA!?sR6 
zBe-l~EPkffZJA!Pvn^_>oXbOJsg5Xx?B0wnwQ{e=7VGmdzjSac{{rR&I}Z6QhRkME8B7AkT;>AGgC$3Z z-m;j%cf^`mo`t2hIq+=3pFAw&lH{FAh+FtD>E!Nk6?nc60)j}-wz$xz?+FRi}Ud}pBI^R34Hh=|r;5)pk2 zskoF>O+yR`ZLdQ`=@Fs_L_Uc1k)_}2`%{m;LHMWao@;WPShLT^f|+k}2kp0>IBp(5 zOR!Zq!HXx{!MME0ac$vu`4diJOn-d7Gqh|C6m^J1_n`DKMfBneutzH4Y86)ww%1179f@kH|-~cDGVuR#AqUofTrIO6sL6D3 zfjK!-x$bnJeph;$xxg)r3J8G7vi=8a)8&}Gv8}r1<2+mepnkW1McNpqH@;x1r4{Fl zFeaSCU4^?D*hy;YS=pT@gdz7ibGqICN5D$yyO81@ zErZBXIFpLt;NZC`j}tj$%)npoOSL~q^okaVlkKkO)16koCL)iic@u!v(9rPP=n2wo z={GE$TdNp9Krp^M!^+CY!eSP1oy$%~M<=4?%huO?c$3N1uj0f>kuf?`b!1Y#|agncIi-b4BHi_DIqbjxv6Px8`yYe#n0=^E}qigz|VPu3M*@PH*Vh{Tr#nhuAS%X&ha@^ z*{8J0poR!Fj`htV|AL~TZfl_u$Ep&e)jtg<-%LC8dTrh8dDYmML=x4ga-+kJFr3W1 z{HL+x!LR(e$0uYMYGHZGPFUo-mch5o#&7r-xOONZ>mm}FdLltZ3p<_0?mN{Z5FqQ7st#_43UFtRdc zJhA~;MN4KVJ**-CPZ6J*o!B_By4}%Hrq3JEW=mY3;M__2E>PC1&H-ern=ROea9V&DX0HBx$ZeDH%kTRcuCjqi7 zk~KV5#%cjS&k7_27F!_(iI&DtdTw6;fr3V@66h@o1Qtys3g>?h39QY)(JoTY!vo*? z@oUPk+=J1oml(6Q0EpcHPyy_`KD!ezTzd`{JU2wA39BZz(r=fhcZT z(kcnEv*bZx92vSH;4@FRppk8e;(?aKd0GLcEMacOL72Z7G!eiRQ2xLTNqv}$!TK-r zO9RN;O4uEw8pvZRRvo2-c<-gyb1P$_9W+~dU>^8E7uu+T$h|K#l!0DjeS9hum_xk| zrSTn>whXk93CbjyAChH!z3iXz;|vP2=8R!hoZLohE9K_6mYNHQOG{rhO+7HnwHLa9 zL-!_O9i(JrUe}Z@I#)t-bNj<@#Fg4Dy2z`lKz-@0xRSppS>ec!;_LBBGT2XE@d=`+ zd;QA}1EH8DLnk|9Hy`gT(*_5I9lt=Re9dtt&;<};KpsR=krIc!PYL3s*G|{uvRP7Y z)$TWLvA$u&$p~T%PJulUzH86&_un6ZUE|kTY_Kzec7eb-Rv;VG4kiVl5-~ER@7t@P zyI}9H8@|*0tU5_!r}^aeK0#^xoK##wLloQxEVrt zh&jr?z2h}$Jl~Y_V+pcW+2r)T{&Iq2-FlTPcEGgd*4rOHx)%XQ`cnQqf1wSq^hXnQJxfcdCzltWy*Whp>M4Y(;!p4_gH zQBgT}>ctSVdSWg%y1bbMzE2R2YhR(RC!_D`J8hkyD4Li!Nv2GVMzZmZ%|B4caPso1 z0;~O5V~tWhz-tL-Wr9N4aD%T(+F_?XElJN$N3L`rEiKI=!49?SQaQ3!e<-T1-f6im z=Rb_9P|c?o3MxuR&$!$SAjm#7m8|deDCru_7CoQmls@%?5kn_%fsa)-UX3Q?D)Jbd zmbKW(a9`(f3!sFY^pNDv!G3c_Ob&(3Vxyv{qva(g?@7?l%+B9_zp$#`j=_1}x^^ub zz&Np)Fq89}bIG^=03v5Ii}%xkFJQ!XfOAWbqa$s6_Kc!x2-qros(te(3tq0{nbc{x zUkMfS()X%{^SUxsT~KFslVE1XX={WxGlw>EW$!UL`#nrIK(Te6kITWz?!BW_vy5u& z)y1dqSSJ@2l)AZc8CWxhL43%=y6X^jq6hw)emsvQ5;tCNFJSoj4aZI~P4LySbD1+A 
z%ksv=%?arTOBMkoV6JN?y}8?%-H&dvrr?6OxOQ`s)bN4I zjRIg9c6AkMa>=hN*iO27Dju0m=6G1v#&Y&-+Q*)%=cJza-b{OxA_k|-K^u9{VGh>! zq_BhBO|N|j1nH!eX7Q6el019CzFb>87fYd-iDlWTxO}4MWyz-3F?hjadV2bG{2s6c z?_Qjwy(r}YTAaeK(R+lY1LtBY6GuT;CD_sywt;oTF0lLs8E+YsW)N4z- zg$o zh9S*n8~qDjM8t4o`6{w&<$h26(nIxe??;uRV5PkV+eCOO(*JF=f}trw?%~_Zzz%^q zW42_ZldYcEt{tsF>RPIe+mpiC8Y8$pG=c(-nsDR5z*oKm*=bTKFWQ7fMLDUJy%t}P zu#|_=^?dS7_^lVY3*sp_6=~YF@8$WqH0olK^Nx`Y3NV4F8PxajM(a%r9mycUby{Yg zoLMJMknVjMLuym3zdTy2nwH_*dtFGqf4&URY@^c-l~|f?pR^xQsWqw(ZSUT-7|~5JV~fk9w~OT`+$&{veq_Kp13*{g6coL8_@wK48^*f*e+tq{&*bP1U@#n^jkcvd zpC0O2lzo45e}00%U$lD)t3sV{X-koKX7}CCpY`9ezED*6`k1K*@l02&z@A+I*BKo? zSGJgz8T#&){wsqecQ7w<_b{3HrEsuQM^OV>2+Xst2k$+-tW%#S;ezZFs6TeI`5udj zTZf3SU{cQvBPE0*Rbt09>OPv4S78!QPUaa$s%-a^5>|CiV5+}M{=QxRe_Vg)423<`JclN;dvbT+bOObk2 z3?}m*`&;AS8rH2D8oG(Z^-bs16fJFR2+^)JP|CQ9G3mDJWNVa{m-k3TE!WkQLAEe3 zlJHxann*AUxA7-F&m`k9)Ss_uHBUd@yN4}I&*<@qtoyA~Ha8>=Wl{xem}gUp6jjPQ6yo(?^BK%`Dz zWK^kEDrR8OoPH^x9@FqGTxJhDsUkF;;jV?SIevz_zG!J=1cCt|Xd<0hpnnBux1*!d zF1iizX8{guViC^I$CulWtYYUYv?)+0hbYYHL4}VYiT>B)+o#h>vX$6Cak#<096px) zw)Zx_ag7p&2~_9<*1#qP(I`kc&oR-inZ#BnOm17PzK-OXD%wWNroEmP;bLQt&>Iq} z_FkFQZQ+@`a|e80f&Rwane*@Q>v(kCTI@C579fn)^;127f6Z>Z4e%>IqFwO&{S_EsaJ0fWFLUwqJPYF8Q_o1nQ>IZdWH-&??uL+xzd7SIOiSSaStJELrz2aZ z2n1KV8%1OF{)aPRj6yCM*Y5&R&l&H0KK=!oV!RgCev$tnh5UK28 ze%AM&I2-u&oId2)G^}vQ>(8_1Rd~opPX!gzQ-La?@snip{3KlF#rIq;?H#+p^?dZ! 
z4f+^}na%38slx*C&?tiR?8!CBJ?ho%ex4g9q=?xw*-D z0-XAX+mqqpapNf|h3PM}5Xlsr%z>yhw04j>htBy3+^t^nDQEmf$H~m_tmw$Kg?{c9 zkH^bmOkI>?v$Bn$@4ch=aS{-BtV<1t230tS-Y`&&7PETD*x|CyUiiv=SPow{8+ez*@-r-SzTHJ&of_{3ykhA{rRjdcH^)K1Gr zs@8}MMGJwm(n@hE?8W+fxz~KZd-!i{0Xw0MGHP!D`BHBID4xh0Ex@kZ1bA+5Cmr3( zOse|D(}3$zHOTpRLnyHmfViX>*cN=m7Z#!d-hCV$1qCmJ8XG#+Zl3V}aR|v&eYQdn z@v!l`I%U;HvXC&zm!}j&m#?bDka=F{?(FBC(ml5(x;_?hS*VR)RYboLxc;!JEYR2* zap^u>UfCau7qqI|&aY2U$%Ycf=J5tjllzxwNT;2}Ba}YSYom&2A}Kb(sfm}YU#|u( zD#XBW)31Hmd%vg3UyIY_c05T@w>=ShzWBa_gTr-%cRpruX+ei8#s{IE1&q2cJ`ee) zDqS3XrYR2|e96(u-`&}bajjmf{w5+SyTM@&kQSV3QvTb~4wq74GI8doK1D_?N+R{& zN~MH?Uec_^TcrT56+aaPK_fuC?fCR5+N9|41E=(S9qwyCT_p)qB<;A*Lg)BF z^0>J3R7<(tAo%5TurBK^uHJ0~lqTSez5%Wff6`wl%10zd-e)yJ+laokh;zmuqHOOj|}cFww5= z?%Ie{zn#UEz2y}dNIfy#S&M65IWLmiH*Y=9oI&h`QlwTyvZ>DkCl?Pdg2Mw_-bo4y zJyLN=Nnp@+Yu%Wqf+|8*somaak+5<=Hx zuIA5JrFcGuH+l<8fn>eik@ap)Dp*_8X}&<`efkdHR3rh+J6yj%oUM^u<+3hZivJbcJ%7w(evt9&d{!NQaETkw;-!Q@N z7x`e`tClvml}3PA{Mk_N+Q(s`qeP#u+}#Mr*~;7mOcLeQL$5Bu#qdA@fH0hk5DHpM zN86TPOA?pMw^W%Z@>vaS)OK=pjYj#*3|aNf3zdfgK9^Ws^-k3djwo@M{T%myI;Q&V ztpe+`C(z}`PI>M;z_(cYz`4}{1hW=o!~!EToFgt8ewbNjmFQvy312Hf)5nu};KMR|%n~3#9dS?XFepgZ= zturCJSv#X&=3tw;%r?tn6VUklebalx&@4~&j6KBF`N$-;7ogZI);C>>4hP^U;o^$} z7S-7nB9bHu%2V%81kc3I3|Bbl%x&)*XKdwTa3eiOla{NiuwDTV>m)i6CypPt=88~} zT@9x9TiNnIgcLwpm8*Ev@mzUyzCA470^1?>cdXSVN|?-sytz(tmSs)xQCZvA?}t+6 zo)pSj>DSl66u+%nzt?`g*m`PAI^^?EX*bOpv4M_N$xS3%=UmPm*CKNP0*3i;zy8pW z;Bp1d1hr5QQ;p1}ORJynWJ9+PxF7qys{A@gMFj;t+LF{Skn^pfjo^MQj>Ks+)A!oX z+!)$p(nd#p9^b7U_XmD8jWe;jBosJ|pIjFq`d#sAhjWruKHAx+l`h!Vam>X^oJz^6 zGK?d_tQeP(5#Z&vHpOiqT)(&0Zo1uQ3S}dYprBkV&0FnasP-rWpS8A5APBO(it2uT zAK&%%KOC}3Wjgv5O zN)o*675VwY_98m6^CA%U1Fz4onNvc=L4Csu`sVGJ5017(m$?Yo-XPKu`A+ng3&r*E z>mw!G9F+6VYq8)*Vg6$Z`Cqc7P^L^+E8(wmI5D zn|8=51wT5zFTGPWjs9uSVR@Q|fPW$<2SxiKZF>=0V#m7UE;H|H1JbL^P$SFl&DXlG zBu&ovy~o$=`3#spJ0aN^7I`v?RbK^7K z|FAXnqf?9uyRk#Dka5-h`3y?gq{PIGppN==kAvl+{hgw|D$KLD^~Qm%1W;^Iv#MyU z3VT_OzKIDmD-PPKUR@4<3A>{rRnuriyVFp_JyBJ&)*}=U5CGKb>U>89s}JW_%k6Ho 
zkMk2fI2VJ~n8sJ^Q@rHC$;NwGy>od-onx$&8_kc?%ZN{oPpboE){6h3qYq%iBO|Y> zKH}e-;ICW%Ib3GH9d)>73e{LZ8l!t9zO_xav-)kngAlC()*Nj8!9u-*Ks+JI?3#v# zK|(?fmZc)m0qp(|I|BhpGmu*(?CZ0|g`HOD^{g^N-LU@j9d5eX-Q{pRV~hC)=jemN z%wgk7=lDbSBSe9aZY9xOzf|FGj5yZ15&kk|ec2fiDoo0qsbEw71z%YSF>aD{p}s4Q z2Ow3MYlkk#)U5wEdcPn0D}ASPvGJ}31$uqaMdjs7Z81EoesAeZva_p=TE?v%9J1bo zU3&^9RnwaLt@EzXZ)#&SW+5epJgCY3D7ie=&0;SSUvcEr$B)bszxy7>pdp#wwGZ~T zYvU-Q2Nz@D$@7Ls+`-cr5s5vI{3SWqSttgRH9(9h<=PtV})qG!nMTqwl>UOhn4JZvZKFYuC6xN zJPeV2q4zwA_xR@b~^erSPN+*;^^qfVT#z?q%>jO z!*~132n+WE>oH!A1(rQD~;yQ+Dnnb?>j!+1G8 z2BkRN8A4eSGUJg~-{HvccJ2B0AWwLKf}uwLCRDtuq7WP5I^)|sv5WG5V~Mb#Rqam~ z0%(rk_D@QvzS(4|k(p<->T^#e!ZLJl9RIA*ERB#3q{2?T)Dn>)>Y$16SHRdiI2^DZ z1dZ>7jce>I7yDnBM1!QI ziTB_Wf1H3G8&Z+X+#C4BvKn={a4RBUGcz`fM)Y%Y3hNinb~`Lk^L`4 zTIc=OA+Bqsc55tIvO?H^90pXOkAy_ckbRe>pg&|j`E4y5BX3)bwfK)-pPiS??La_1 zC>MxUW!g$TDu`7tr3c43(+mGMopIrwrQmzapQ&TfS3^fq<=-UQh_DHq9^{^>x|;Nu z=W6dzyr#VX(=~b)DLVhG>$~C43=*dHE{u$=}0A8*5o_vAUdJ*~_LAji^r$_ppnBKQL$v1(# z&Ft!Oy}}ziO8OGHj?HMYv%u6m8oL84 z%qGOy+d8MRcKHwa^Um`0t5sI3m)g0%lHPec>|Bo{&wvKG)3ShUAmu=YAf68X*d3>l z4XyelC2dEidZFY`8)UDMq8n^nc=%HR<@B z{m)Lzc)h_cO{2fd8}TM5lQlO56vISaXQp*nI;qaw<_pch#7ypuhzpAD3%=EkV^u@F zLk-8@fA}Ni-FUqA|C{={vJQ=^GUk^$WMYhF4;dM}GqS5J!lv6Ia%r$yy9KXg&-+6Y zVJeh=@Z-Kqw(U4+e5ZvmY6~Kz3=J8pU9DbUZ_($7UtG>zF+pW#a0QVnn0wF|oaI1!*xO&Li0PPi(a6p(Dk_2nrg4>^sKc1`64i#(z3Tvb z;G7tJpCVnDj&^r<{j|w;^6l*jSFucictVmB8Rq>zhInWLR=`MPA)mkg!*PpTs;#9n zTa&*rQnj{$wh*c(3KJO*_0MehBE?jhg!cGPP}d zd^TE&sR^f^aw=HGvXuSQ?`%}9GXpy^mmP0g?i7f26<;|^yS5~@l^jGi#QSXriRqYu zh}~&x`|F5n*3*aUclZ>ya(ol%x}Sq*f_bj*T4gAMu2V3ft&H3qidvw{W<-@ z58|XrlnzBuZEkLGtkq)g{=fD;zN%#@RK&Q_y}?k? zbJ4FkoO|s>{r+HrOk5Zc<$RVb)vk_91LNygc2`a{=K_E7ZpE`w!}YMVh}GiOn$jHk4jiH7GH;Z6JnJ*4Fn{SE~>|f`edjIHpe*f}-!hqL5 zI*s9m3~C)0`&ap->|HuvXF`)wO)Z)oP+ADqng{m&T8L~8&e>V|Pqv$ISOs@0yqlgeJNM-lvn=NFFE1y! 
zHZuZ@s@xOF-EUR+X;gSH<)sxF!33g>DB{OZ>LP&B3YHV75jJbJEM57p*ZjBB^Od1- zCIc$=#!x$E;?_m?yO(Ob5(f^_(Oq2~9i5#j7A2!!zMB?}?s&^sA2Lsf{c@C+O@10X zp=(FrpXh|XxnNdk`oTg>>s`)Ze3&-=peC)$>yP**F^}c2$>#9T#_gda4{8-KOkDH= zoxy9z1IEmvnctvOB%Rg>3OMg;>=QeUK5T;QD63EKJ=EbjXxAWq2$WfiwNSG8K;Ns$ zJ#|ns{n;x9U3aik*_VAS0|FqnqL~uqW>kz~`EklwV)rmUus0{j^1Pv>6@#|ikdW&; z!aKEK)s+NIj9V+*!1*{oBg$re(hG^(1NqVjqa)NayuNcovEe5RZApbx5DuMXLt%5N zHO6)5A!O_#U-P@-B z&O`n0mC1pW^t19{yhX6d2W9cD6#i$i9~#Xr#kDpy6w9;e)t%Ui*ISa6u(gR~jSQ0B zIl)vVIr2$wTvA*9e>iO?UcB5O`uX{kNaRePv*ZQk8 zh!x3wF?%v!-+g3E2*{T@U=S-5T!&*#x1(sW+KRuV^Ais$8_oo#1}8kOE0ZU5In zm8`eH?bY+#2qk>xsj7@=oxV^%e!lb1AccSu^N8L2Gh2Pm2ol;7|4eL(kJEj~o%oQY z)EkoMu%4v6$*&>gmQT@^h+7=_cTr*g(uf@B^k)J>bf(Hk#hsCGYWvUHC>-1}j&)+X zu!v0gy*UK3yM&R4)4?+)o8P#nzJ|Sf?Qo^rS@&OBm~o40>KYrY(oIdm?01}sqgg@$`5+NKZp z%v^OsQ|df-d%BzXkQ9~r7dGDy7W%gAcb`KUC^=q~e=NySQAprpOQq)J>-Za&NBw*y zzv`tO5qiJ1zC0f!`vCQVG0buQ0JC%5W<-(abQsLR;^k_Wh&Ysa=`7A9E4I&E5l5uT zjK0Z3A{P2d+uKOu+bwOGW+^+kL~~pO5R6poiL^7RdeOJPUPUKN3EBl$G`geLIuoSY zQNc@5d-XFyhy96yaf=zwzdu-CU`N=MqY)m;qpu_6g7xh!n^xTIhL0V&Wd_P(t;iY~ z^28I|k5Z&OUGd-DEJm&uXj|L_E0k5~kZrk$plJTci>|SO8UFn=NA3U-m6q|mi}g+h z=&avX^&}C7K2f$Ur2W`OKF$RT6n*|bzbwYgYbZUNbdK+sZvR3h5dY+ak4(WXtWZ<{ zzfFZHzu_Agasl&J=~Z#Z39p&E(vx;8X5L^CjW3`Z_qpZZrnP^h^?pjYf=y&ri@Csw z6DN|5KT<3$+E*CxSr8Fje9wiD{Uo?@=FDL`Nh=G-RNJH0bOd5Jv6x0ETp}J@T`j4k zM0AEMnPKfypwLaevC6kEV*~9)5?Al5oxKQ2BdVF&$>Efgp#3`!lRdBgu<%s%QlM1T z%CY=A>U5IJ&w)9(f4p5q|NPM0$3ETX{C~Tzg6`Ux)uR(;HwUSZ8i*FL zY8;rK%|Ssww*rLD-T>^=g_k;Vb^Z!yFH2t+9x}`RpnV5U^NCm1Qo;ziw0(t)w39?c z3i{cP_uihXIG+@W6_iP^NGxE0OQpu7U@ZLSSu5G;8H}>vv@7bi(Wic6=#629b!^#Z=Un+4ZF9qI7AdokbY*-l zd6)Xxq_tA}-qd8cT$*Nq0i-B3S1}L~?K~^#Y7-c|&N1~p(yGZyfWbOvI-?eXV?~zH7Yyy@hB8WsejvHYk9#~f#g*EkA^}NW%$;NktgoG$yAQw?I z_uTa2MHgf0UUT7Y9ds97onz7_%Kq{B!es2GJ9^-Ywc99A*` zzSA;l?`UkL(eiS#lwGa78>>lYF80;6GtFjRw4jh3H!our575i8@>)up9!^mAHREYZc^EFTYj zyfpq%FjPXJ$jBop2}`%W_&weKc9VG);jHaX#3dOg2dc4AInR_+m*{h8qGLm@in9*y 
ze*Z{ZKkg`!7|zZ%ioc3(8~=Qh!I&#fWh0q#d3<}GIFh1{=Hj#JStffI()Ja#)*UoHIPz8bUC%?F!ykm8Sr$NX> zf~w*rm&%DXFTAQkY$Z(Qh@$Dds~*m~owEC!htKPlmzEco7e9t1On%>586Exdh30C6 zUS7PKmyOMQM(RPJB`-igsDc+47xj5#ugT!W;+15)ci5s@K@1<%U!3Z<<|IVrS%)84 z*gRNX*%L9&3hwOVyk^#OhA(iSv%0#v-@whmK_gqz&M@kD*?|TdwMfuwmuS(c3pvUZ zK{{vi;)4XH=t^K&~`WBrT9PCIsa++cH!6xW^nft z=9=cl*KBGSBel zd>dlYi^@}hLUyW3S5AEq##IH{3(f6Yh$QAlo9TCw+|1XFr88AgLcX_O3Y@yeWE z{(f^NPp%N*2(bfOW&5m$c*l@PCE}^EWmKk_Bw|I%|G?-}qd~dK^!VQU_sz1qTnwSw zABneqK6>|}-!`KontE-hZ{yv&{oSoiFO`;XZrO^83MP$NkNREjwEbJ<2EN-ruAEPK z;rOx)#w~AGce~^~GTc|D_`Z<~T7)6;oR~0&d9LP<`_jjcQBh^lsAo)(cH@3NFOtUv z^3sg3z&&>H3>P9dI#R#MEYrU4g#n76pAQ)zB90g?UDTl#@H~$w5>p#ryJ;fHhd9h0 z-{I4uv0hdq8L)qSKP5W>n;vdCRBjMs+fs@5Owdt$|IHqy>M=Y{X}~)G-$&0C+U_ zeAynAF%KoA#!ngWNRO-OQ}&uF@AW%iQeA^&0N$MnFFtU%m-9Ja=P zWem2DIVmp(?c!a%+#QxnugRv}6zuOX95y8IxlZLFC@CmXWHJNQw9;}!&&c4nt(?)z z%i5T|2G)aH-geck5G7I@rN%KY6N6-*G7*6+hFuH?8^2JZLl_CSqlS}&usUJEmaG5i zY#FCHYT@Tjw9^frfNW2$t0(%g>1;Re(l|2csx-z-TUdPL;AHD8VHZb)FF9Q%i5H8- zK6M>(*twdzNuEFEdLH4w<>8mumY2M=^wk8LSEr|XfBWkJm}`l(zJfnv=a!|rp3Dp7 zi~6V-QPEUzUqtnAahmUZ9qP-bc>v0*bW;3exNMgAw#mKl$f;)8g8=n}Y_bB76J%?* z>VAJf6*)7y!RM={l&~#nlxMpw7mY38SkbH4+&%?^$0%37*Jkg@%}AWR$fQ;xmR!yo zFXTuo-;;F-p^AC`<$H*Lb;ixt<;mCrY7*tsKD>zeR+Exe68wM-2_7W$ESSehkoiL! 
z_UN28TE=frpXLjR=e@6#zk!ryeYDnCMLgt#lF<3tZ{0FLap+EwQD%#BwaUZV#MV|+ zGoD=5k;eBZ%KGk1k?e;!_^uMGH*mA%-lxF))M=fXfI1D80E3%#N0nu%GWFeX#dVh7 zHQ3nHiUDJ2yZ0o1>>yt4%fdR(WZ~T1*6;cWMuWCAR~`*8lsxY)C@O&UYKVA(Sv!ex zw|u3BlP%ievvurU-(hzZwBOz*;C|Z}l@UcsRw=IyY}S~rwl?|v`tHg| zU3qP-anWGzYg}c4Ms_xXKvb)g_fMgSC$eB-9z4K3rla~YZgq2%Gu3BryXQjH54=@s zk9pE}HDroS3d^+*aj~&nw_=)QSleu~4Gjm%tu5X&Wj@^okZf93v zR%d8k>G!P3yA$_dyl+Lw5Z!-rLZQ*Jit-PXB&Gyg6@j2 zxk!}f&Z3PJi~r6B$<;NhR6jJvT8t@uykiztIbRQaRo-8d-47hN002Dg!oUl+^LAq6 z;`jv+iR#btz5A~p1RAqKe+`vY4Vsx7kHJ(N5#&i5R{sUmG{41Q)PhI5VQ zKv+D(hMZsv_RYz6h~aRz0(APd$igk zE-Mo*z93RKs`WRF8XH>laoi0(RM}(uemmjRYj@CkZ6f)!BqSHl2^nXm_pRrJYwmuu zJ^E4bLVJych2Pk_8cT~s8ebUjhm^W**qOn~d1 z6*V%c8rchMQ*GbdZlk|2J%f<=_HXx$>U@Y{jVX8MR{UT;yE*I>4^C%~c^N=J^75dm ze?W*r5O4b&~hZeRC&GE%Ll)Z zRI0RhSd`Lay9U9}p%86S|@^noxGMByJCrc>0#_i?g%i zjO4!Djjna=4hti1Yt=wU{%kl(bdr>P3ND)ZiS@@ZPVVYT{*s8pm!WvK>@oK*L;Kuk z#=Um$swh>ocM9)v%;EEh9;>cnTCeV+Y1dxLqCl;cZ_`%q>fAkp+}lYDaD8GjhmaB(I}oI z{eJ0d-<5=R$*EjTyom$q1Jr9eya#NxhsT@*``a#aIoesqkxh({{1LDZP|L6Q`n9H! 
zmg=|P$B1I0JN(a|3V|T$m#=(uUO+Ys-2AKMa)RM?&j^%l?3n5}U@=nk?0aTuGxxGF1D0ARM3$R| zHXH0E<}aD27l2D~di3h;2qLWsdyTZtiwRUwnAr$XOf*VeT!2C;xW#IsWPq)A#HI1F{i#;5!EB9VP=WNR z)G4wQ!63T2vJxAo1&Fn?tUfcoWCU1uKg0IQf-rXilTkZbv`cJoSY5X0&bXkmyi8y# zhL|?Hf$(b{oEFrdk&_Ajp~qSel$Uthx<$ltJQzRDNQozZkD-!ZzGnMntLtg&WiNp~ ziaT-_Uyy_u)H~aFd%t#b3&K{H7KA2!0n_rEBaVZtKFnQvJ#GquX%-QL0)C|pwp4Xq z6bja)FOHr0j4ImA8%h94>NUewsEdqPGJ7E>Qybve1#!c4$F$|p%7M_kt1l2scqSC9 z6AT;Y^a4|W(9_HI7bFjhefA764tSaGe71koKEE=a+p#&}=*k|pczp7a>FLvM?G$Y; zBv(Q*S$IyOGF8J#|8(~+Q^g?J%6N(}$eu#s#S2noP&iGkTTicyA+LP1i8LW6S<>JPhMAGa;NwOh0vp#R$ zJWm@KDN%})NKqO%5JDTiDg82rET6V^_XTp+1ceo~d5)*FLFQd=U!yo}tHxx%Aj&^o>)6QL4ar;x7UsQ46tu|472T$Cxk5J~tX~#G<-P zjLpoBpT+!6QcSc{xvK_K8`qhlKV9R0`dKPtEVHCfGs@J-yIGV3XZUu2Hwv(Z9%H+8 zi-T=`P*X}1EoF#~jpnJ>#*x6OBQ692Bc*Rg^u}Eg08FmCfw~*2tmjZ zrQrGZ5^!uyql3Yw-BOmCWlu~Hsu+!;s|{!v=Y|50q<4$i%jQLP60!{$L!c(D9FG*O zpQQ}%flOLgfr7elk@Uo5)HWFhD5=fM!}@qyltPj?CN2=Wu zF(Z^IC$h~NkkbKu(u6do1K28ya>+JZo0qsK zcd8@J0?a16`cq$XdBhM#np%3>aFA`|NmD=KB?(nb&9gK+OK;fro0%V2E@O=gAt=*h z)nzu5jSLT?yHBl=+9mOQ<`T$QxNPz)x%YtBW9CIx_Cq0~AyVIaLP9Fat|vMj0Ul|uredCF-ulu`|M*6`DF8!r z)Oiwc)H5h(qF7Yb-9rC}2g$6hHXU=D{^5}8R1k!&8@_-pvh3LkLO+A$+w`f&$P5c~ z5sJTv55bTsPtfImo-s9MoOlFtt8Q zo*r{}1}gh~jr!wzl=IU2pX8COidSj^ZKIZ4ANnj&Jsm834s z!25-87T^0|)klf6A(Vha9@52GPu^Nh$T38)+aS~F^4T62gE;Y1$g_-9JotTg{;j~W z^Ek2+rX&3!ePVryqxk4#>SDW?#E|_l5M&{1r{OCun)^mn4qE;TO*jq8oK;=s&0A=PbS7Iwm&=!mm(%6 zMxod%Gl%F44UsL31UN{S8T}zWbp0vA<7o)PU^v4I6CU~SRs7qo z1|kV0ET3a#%eOSkN#hf0JN=5ru>EIfou;MmXpKt~NSk#R`HgPSNeNLtp_N^h)fBYY z|GU(c)uUAcwok|y#$~^O)x5PYnpT_+<=wa&TQ)YA!&IlS9IiSqpuV_fo09*A`QxVe zRdjJL>5>W6o#Q~|)~g=LU}U-DBT;+WbWtyp z`m~DmmN9pi8BMdEQO&02uGD#oC^u6vK4B1APduiS03pWjaM<0ODGV6Q5egN3P^+-A zZ)yWcQ2236ByHTQ0_znm|4WJ2+Zt3EnQ*JjP`fsE09e#Uz2UX{r!eT5N$ztbjM3f|UYzgdFpcpkA?DokmJB z$_{Zi5>??0wlqFp8_M?G&m8@`E5!pr;;aRdc_lQSTqp1<9aw7Nn;)`u$Af%kx|(bv z%qP8+JEgMrzy?l4!?>h*FE>M3@s98-5Nm%6nx%P<)}(;;g-I2I3vxEjF=U%;KShjg z>HF{BNp?-#wvZqt7OcMZYIq^oL8Q0MpkJ=%4(C_C;?DMUn=g2(0=xWmuUS-7^y+we 
zSI-ER2~vmi{p)BBfTa574hOP#sNv?*n9Pgz#S-qH`1sh`?xeWPH-7Vz`1dD}J^-U_ zK(oZmG=ZX0gKgZ4M$H3v*$a^N*w~>%`FGgK7pL>b#2^V7enp(J2J55PUw=367&Rfs z`0t@mLIZ%r+x+DI?KzJtU++r&BP@{7to3D63W6dUHR%kabIpPGOcX<#c{=?LF&9*x ze->P6X+RfCp}LjOH!7O34*g6?ID4$)<3(4@460vBQ5=-$_%&~sHycyPBoUWRZ#N%X z&3j)Q@v;^`ZeYF2QGyjG#rt&iHCVpE5m+%Sz3Zf;SPZR*{!7@@X@U7nWs{8Ro9N<5bf|2Z-m^+0MRye7T`3}U=b%g6gsQ(fr%EX~n45eMPr@+~={8x9K+s=BVU~oPYo;z>J-O9c$Id zD4}FB{>mcYBFexkZshDHmI73+v*c&|)!TpzIJoC~-~)R9RO-C?tTn%UdkqT<{)u4U zt1ubmGiCk?WFsS&%=nucgTXiZ=`(Hq77FrZg{7-_c66UFlO7M8Mu1dXY#Az^)7|Ge zSZBMZxVDM*x3IoF0G+K9-%Mh3RsGK`)=5{uHqZy>>y`JnUoVZ~^s(Nvslu9UUtfMq zyLbQ&iRZh|O`>|2Sl0#%OUYaU+&B3;;_{Xl%z$q?AbNmh-tvMQ{4aL>r|XUKfBuO* zV(@=SDE-!8ZS>>9OWodXTE6ebRg7_1M!^Zabjt+fAdywHJQjPKg4rl4@9Qs+QH{?~TO>u>Faz)u>>*gW zBxaL&-qsXwn zF`qe(AvLa#4*d5n%rX_i!@ zL7WZDC6bUa;?EKhC}|B@+;VFyBWpZq8UipL(yFgC3x0~<#3HF5d5q_eLP?JyE0MTh zbV5hAAyBBH6h!BGz*=h>n=UTAzy*)o8`avtKz?&Q|8ViE$xj&>W?>g7!N&BB=(Q@H zQe+=mF?_;q#J(HEr2pG?%(j|CGtZ!e8##vg7CQU7W5N07al*r6SjM**!2Q)M*2vSQ zXOH9)ZB7pzgKXa`(W^7zu<~GjA5>ahzxlR)+c}U!^8*0~0feojm|?NF+ds3<)`5?_ zR9nH0y+)XF`L0uqdkTR)-7gmbav2$^NV2|_IRo~uUkAlu*y!=$;Ybe67Y)tTO--)> z(hmIn$?54z!P#h|ZtXj%tG*sBW1p|1@wM97CvhX|3UrG&g%gP=+^|Be?sCo>fwN&F z_-e3y^h*ESWpBd@S(!RBwor3TLs95h&~4w%xN#OR)fMtp*eyWCYrH%T&5TKl+b1Vl z;~KOkIqGHceM)g4Z{{cF#l6$$r=yl{kH~0Ep1tCxA&8`oTut(5@tU7$&{^!Q)??i} zI^FLs01rz(XK1J|jthZ<(mV-ho`SvTQtUo6hyU)~rzp@#1nr$x(9+CXsLT1+CMdyv z!@oJh0=_pT=xjrDY)6qyg}{d+gRrr&PW_AbKts+Ej|S0s(!xPxrL#+wCNC>+N*Hs> zx=h~I3*YN9ktb^OZnpOo;L2iq^1#8nd1U>SG}A&-pAp!f(M8$E2*k+w7iwyb+6apP zV_Z@5#qv4MH<}>7=XbM)a!e1N^*L8prIr}hWro%l5XqZGHJm%1rVm-4UfclVlqh7# zxUzclMqCd=1$$2{AqNq*2LSca2y}FamDSYot54F;A3OkNB_1(k5k2-)2mz4G+SP$n zTfN!>aKRWRfyVyLBQuV5Dc_Sjpy6YM{?=x!zg%i(sjI}hAzgvrRjWnQonir;+>QC3 z*zQ$9Fw{9SlML^c_ed8tliwN@Jo!F>hVhC`@;~=2wvIDY1MX zvpP&0`$(o{L|VmgpEbP0VzkQRHsBt-!vE(Ee8rlD+P$&kjxVw$u7cFcY59aH(SoQ) zz?nNV`XN~PY37e%VPapdrb9t^AoYuE8tx>Pyy=nF0I`2R;{E_HfUgx(O`k)T$%Yr~ zt!6)jro$hk-+MlnFG&W9io(jRN200V%Kg%+NXW<5bq=eU|8hj4kn*k#D94Nan`_q; 
zctz2uOrvr^mMLBw;9&jhA_g?sszfw2Cgl@k1i;@BCIRglw&p1Wtl&^TAuU|sx4nPl zr-ZiTI!!?gK3N;Rxz@7gf)q3S=P|NCO&G5a|8$sl9`WHF&@=Ar{~r!Cx}Co@I?Ql& z@4w~d{Lhc?4Km;l{`2F1`|Vf5|7jKcp9{_Kv4LLyZ`b?JkI7oqO6caRaPN>y249D7 z_H~rcr+GO23zu2uhsvbMw_->1n+;0lFXzJ7(>VCXN-1*`&5F!j>Hag|_g(c^~6^g|>{;}*J^yXxs#PQ-~t{q6k)5dVXtED9JuVro8PlOab`R^w+rsj*?Rp9bgulOn7^?c ze1WPS&2RW;q4@Q!_I2RrY%nH2F-nD09$!WUfujeZ}O)~`^Jw<)vT^1$NHF;I9jDDMl|ody~Rii38(N4Y8|^w zc$nV2XDI)FxNecK%E@GmfdoEk?Hhh4C*u>mMVf^icjGxgz5wUEBmxD}!fywjZ`o?< zN{d758K3+Y5KX2tM2(U7PO71vfoA)L#K)E+`Ay;nAj+stPf{U3?tD!i7_{d4cy`9L z3Cx@tqfW0`UQdi1jYRC8t5-KJyWX;WP{{;{;(*Zb!k^324KgIKx)~~+)|INC^FlQ& zc#;6e%j#(yh_)^pcNv2^SUV;hP`S{FK)(i(W&2vyLUa*Q9;761XsEH6;Aq2&rva(v zjH-Zc(zFOxI5ssqiI}Y^0#-Y^n=Yzl`4|I!r2jUOfLmx_pn9&0|mhD5S6V z@2u_C2P`-vWq3&B(vjs)A$r;2s2Aa^hK*pP3N#9snE(-`yei2wVf_4$Z(`H(=T+pfz(Wt2o|gSXCw}Zf)OU zPX(5;@ol}($3b;)VbAjQeb?*9BLS$*?+DbB+(~OUPZ2;Qd>%lc_7KsH6%b~}ldKeX z{k)5N?xbS>oRzg;UmtUQR`_&l#cj~=4sO2cC)3ayQqduEsgc<@Mr)voCpXQvPW!r9 z0)qYDZ$HX+5r_88Yx{GB^m zyyG#~7As=TFh%45q<2!Fqm8(!R)Ne%WSD;z=wJuYdw$;e*70o__8M=?Sz|F67_EOI z06T+kvqR0Y9?i@f>S)EFV$`~fc?73B?lZ^8<(q`kO@5^RX}u;ybyrTtEi0a8h`Bz{ ztMmK9#nBk|D8N$zLv<24;>es~R$dFpb5-wT0i4Pj%S;^ALu+><3$WvUQ$M<0A6xL) zy`7gV^2hy;>>x4d{oB!28vg>vT}zFSlHZ}elLhO1gJ?}F7jrA8#WDcqt1%`i1SmZ* z1yt0w%#Y8cvvb{q4~x1E08sxFU`0n~7u}Tw|A5oK+dk$$hDhT`Wy$vtGcw9l{oh>i zvU5ZZ(dTvvM#~?uxdQ>|<|%&JF;iQ;3P#SFwVIW#TxDOszW4LXfBacWr%`O~jwUyw zOsc3y-Mi%i@D!TGYln6H#9xDjdX%{QW1nFwvFM6qn4>k}L^NX7{k?c67SfoYHAAGRGY1Lo46R7$aNwZL;L+KdQE4f*~5I^WUB8rsIA7um}FfmXWNo)Mk^dV$C*U>F=%k1_sV5 zebl0^p-ieoqZ@Z={_&x!>Iy;!-YcPlIC_=PVG5_OEGoaoZNDA0;%;nt7(djYUw`A(PhW8uo^(B1SO!^H^*>1Cs|>gm87`=b*nav zheDfqShp9sIpFP~*J#U?sAv1+SZza*i=b361wpv~ECr$G-d0eNrN=s1q)GnLSfMQ| z0)uhmbk_;=2ca}ZZnESYWe*+)r+y0#H4$p42Vsa*k#k-yMPE{%8ApPinwEGh6K&z7 zaclHzp)L=Z-hqT(VpE)3n)&LWI7_2J`Q+(AtmP_@f}dElFzPobxhm?on68 z)Hp(WNex_Cwwg(k)KH4aytkPtpQO#r&A{G&2?f}$^8W6h%cssbw||2GW=Lem;w#uO zO~j|9UM|S^ANvXf+LgMhp=igI-X4}nj&L`Xj-?N7q}YAyNxL}o%II!mkvJT!Dc@$C 
zvRE{JSrkL2=Q~yk>Xk1@z>cY76xKeQDN-dvK0XYQh@BX9I@9W=-28w=U~hq}1mFT1QF?6Isvcq|$Gmu;1~b-LH=rSu1(|myhPT=7qb+F4%5pcp zWQ`#wO}G@>nLWs?Iwg8{k6v@`50284_m~#YoE^z3M%e*&*1P(Yc+(S_7`ak`#@xjW z6%{{NMx~PmM5jc{iCK`eL;o+$37T#UCBREirUgjovTr`hMpjVG=)zrod=bzZk&SeqPK4%t4d~5=<0Vnd zUM?0+W|OHY-&jAn7hPx+jne>Us%cK^HvtYnm&uPur zJfAjLeSyI@{}FB=AWkUIMR5d($+a)~8@KGdC0pm6%bUYT?CyK|mQ2jrDjS(e)e@`A z)BPr{*SCV@s^zx<%HfPgBZ5;`;Ue+Vcht2FX32tE@qtn-tZC)^$tz8CCWT!Nm5Dv; zi3v&Y;yYvX&_14eFelwo!#j+7N)oLdfe}jNI4s;=GFE&|1rs9B(T?YR)6PqjuTCA; zH%*R*pgrP*>ar9g-tp->$jEHt5kR8)3f5T$kvv)Z22};84{H#!CLG!?sG)gpsmkJK zdg_3sTack8n1s!lmFqB%U((SS7EWy)*JAE0BUCU1iF`KlvJZ) zPeQ5mI1!zR5D2xUv@Tc&EIvzMB(kR~Zmb*e&+D@+r|+OOTDTZEa3P=b7E}URJZWyk-)S>^0W{3Nm-5`&TX@| zp}!V@NM%w15YBZ{`evHR)FOYl*TM)tVD8XlnsE znd(ehy=Di$ISACs^;nrcWsYZcZCTr(4K=mI?QtodTW-Wq=#0dp^0Rx^e?YxDv^-*2 z9^3QRw|QcwxR((mq`upui~tL3`L)cXmAB2g^5_Y+f3j`$xQO3dz9M@n4ic+{i(l>S zw2nwzu^csse`_HVQ^1Y$DqS?OB1c>taqrswVS36C1O=WVx-A+tq-|m~AANrY4H?fP_NyCuQp&flZh3yVV zZVTI{f*p(bN~Fe)X`7PFBEvQE$npl8{Wf{W_BKeugT^&Z0vv+9p8%30G?yHtkC2IH zCRXGI#usP%o(7#sC0KXAEo646GZPr-Y5%~sy-yGI_3$_d3Axx95|E3`cBSDE>Q^hbzmL_ykEsM&TfC3c{MH#SRMld zeT(0=5g=D`QA_$d%d_C$$15xC%S_!hOvRe!PDLaB+!NYz?Z%uRzL{*%2>+&s0)Dyq zirKx2e0Jiww3HMF#UBZ>0SqZ3MkJb>{FPOyqRo!~xKk}-mKd4NmodRFJiXH%K=@s` zxTmLP5>wJj1@A_q7T(XV?qOnHegO$oC1gk4mC${w1FZU*F(|#1H#(5Yi+BMUT4CFd z-`{L)@9gvfG05Uz?{g{BJk4+~&FEd8dI}o^s4KHvrc>W1@QH`Tn4Kh)7~Z4;=oeUT zXrp?%%;`v9f$Bnj6$q9#V^z{ySfN0}_dE^xmK~BmvB_d4UwR!WD~;|VCt=x#=)}A; zRD~t7j00B-i#@e$vM6Drp``-1oY|^$`aw=4$6YKErdmBQk^U2-FmefqW##liZSudq zwQe`!!u?_sPcUrj0yey+I9TkO`?aBy*5osfQmpZwfNj$ImobWY(;b>m)nNj9{l>MK zK)Lnne)u%}8?%S?(NE+U!R-{=y8bGBtn|nqGF#6G)jG;R90U}WDWwjIG!X67^a(a9 zjU#NoiKWMvYBqT))?el%P?`rv-U469q7HqNO*h{$Gh&hGX41dl zP}S!xw(rnSBzMe>&?HLpCz^$00LS&^*|}`)`*9_!g3V!=gH;8t8E|qwkytq1H&V_tIB>+tIJ(_UMmyol{f;x7}Qg_;U)xixg@8} z7R2xZ_EN>$EVpMbbg{5VDxx5k)2G$+P~m$%J%@ju0=`qvrPH$6XNv{8ELBo0FpS^` 
zugkn8zut4v(@4}l^E4j{P6h~_Qw$KyVK^M-?r^2wOfYN>c8uS&fs!w_VvR<7FR~u&8q%xmszhdO^WHsl|fmnrnVCg@5-ZC&&j_t|t;Fn>TBVFC4h4oHo2j>BZq^Yr~V| zp0e}vD8uN_&+rk$!@77D;?{_?wHQCmkfxsHJ^DBCdTp>4kKcBW?`Ejwvom`*j*-w` zk@7>^rfto;k)N~=_nS4dTKKR0?8A%c1?bf%XKGEk66nS0DH#rV(nK;!oC6oNVIn@q zKNj8A{d4OjTVJ~<+a17IrMr3$k_%H@yDQm3q@Ekg|2-d329!4;;(DKxDjzc`FVnBh z)c~{*dw5r00bn$zcR(FaXO&!_36hUK?yf1M8+aOew;(wBWoV3A>6&vrH~LiuFJO%r zllDZAaj0M%z>>dk;7v<|%bO-bVF9xh@u+HSlwGD@o-3stTn63uW7&RkJFK6ZBHBKa z-Z?cq@!sc-Ox#pZq9(djDl4d9P~|Nf!Bm=|9+?E~q^yi0L`pQ`yj}IAFbc@}oBq(6`4PyoT$txhP$gD_6GhCZF_%fa5LmZ#7EhHeUT&G)!$idl~asT9G+qOpwnCfp%;PDQj#ykmmI`ra;$P zU=rtUsuMhU0K|A*aM*@LN@nQmqG)-^ypf>CGY?0R_Atu6FA1lH>7Y|Y*Og&BNs-Tl zeD?j+dX}B>>7mOcwp?;K1dYpfK9}pQ_f8Hbd%q8Jw7oIESv;}6*5x?7PjUoOQq$1{ zVYU|2C>jsm0}@=yTslJwef2>tx$sNip4JCQz`_dc^OxT8?d{{V7RG&I76_gr=*U}u~T2SglJ<474FP=`$Dq(=A>&UvoWBOVQ)P(T=1IzZOn(@#5>I5|+z|&^XSk5gJ+)h_ z-92J}GCaqi&6TCU1_*JB;){xAhGv?o1rLujxtuv?#Dh8jfobt0!T^~NW0dqMT%AF> z7a-8x>_xfNSi%R^bc;tA06MAv9NCXRy(vHxYujixc#3};+l*EPcS`GW@4kA%58Z6u zJk~soLJ2kV|MC-ZM6Q9VgCGO+3#B|xpo^(@m|osfQCCYIUYu(>a-*iqdzNX1S1m>N zyY$UKunJ|YykyfP7YUBJ*T$@LB|_1dro7$vvQSy(RCr|Lrd{bv4YcMO+Hq_4_Ts1E zvX(KgjkzjzF7gi5p><1MVW**LB^Hl$JCabG3#+(2<`I!GQ#e9!Ycx|dTCm#I|JYY2 z7-K!YcgVJfq_=-KYh)xnv(LDaZgKCeYuaUERs_4&sy(J?WIeO8sLP`4XVGrc zNt0*cyw7606_BHpA(*)!Zl_Co``sJ99xnN04{3u~2Zt?U$iv&3&gz>R-(lp;G3eMo zzb=K{2h9q{YVn2Bbkls4ni&%Z98(7{AR1TqDsOx+d22Lr;fjeLs>oL503^ru-}hfr z-K1SwymzuVBqI{nw|bxycXqs*HeR3+IO25Gk4ENLR|~GJJi$}TSIhWwxc9uf6_#OC zs%?3B@N0)cPN^=pvHF7qXRH!zn1I~5qp{wlmzaqqnDSs}Ti4NxhA8(;<@eBp1z&WJ znSCv@meqsW#*}SJf=C$PvdBi`@$L~}*M9yiFQ}W8;Ona(FoLYy(9_Qw z2^2p=n{6@~o=ugKWUt14>Hur3ynOEPJ2Nw$w4NdELwdZtC}R8g;zM%E+2+k7SC^_P z`bsdn01d%vEOE?u?CFtR(}k^%@1DwwYwBAb>|bL9p3%Cp_whuWZgrZFdrfn-JmH1} zvz%R*V6}*7eSoKogNa-lD@1lgR!*p~MFzeKX?1-dS)H zwUt3mM}GZiprJE!&F)9K0G4y~?u8LK#7jw&)hp2D4fK z>NxG96_>fQ_lsoVRKn>mw(xIL3cJ3VH)T(#;z`TH9~No8T4=0S_nb;8R-glsMsb%c zY0Qq@)xZP!p2LIF1`)-xmtXvpSk`W)AjBQy@-(lIGW<|GFR=$~aXp7-*~Vqz5ZMQL ztFKHcS+01mxgl)c3(<=aCdkIeF3C{Y?@qN2C}C 
zzLO=w1u9Pw;%bAF*3Q8#$4bR@zjkctiLx>JhR9AC?WUOV?B=5+E@^K`u>J|@A1swN zSnhST-V20a{7UJ1lM&E@49=rM1QY&|P2Ak`DCnI~N_Ng+MK*9dqHjvtiJ8T^y^+|wK8xNcg- zPzGpE36N}t28y?+bBMVJ#-a`z>jiZk&D|vuIp8?X#v5;ADdy($iXPnY#R)quhUc>}x6 z?%VFGga_!=0l;C_4JCFcpL}>Hg4lKU_(`RG+k$;t);^mAhCAh!KxO&^fGYGcq#(ww z>XT6gRx*qTN>R^O84LCvlrxQ9#<9ZR{DgX`F;R*4P6n`nMJ>6Q8GtKlvuKI_?bb>Y zaZ{)yowrbVCnGsA4GgvVoS^>h@o8||$DZ}6DNm(=;9xcPnqILfBQ6oI^Y{X|$Jrm& zs~)=xy1o{xBllH!Qh%UekZWkF29>BTK+vzpCrB*fqZ0a2b{V|T=geKLYsxsLL^1y& z=Cy^*@yBQPD>Q2yG2L4;H_@>mK5-1D#~|bCP-`Hsq0jSQX^$kZQ*=X6n2TX(v1wXEXOKwG;rd*tvTkW~js7{9Z$eElvW6;#C)xNw}b zM&wO2UashNNi>w7n=n_EHAMET1p5ok2Br?Itdy5{Uu+&B&<6@wMvM>dZ_A}h)pWg)WV;nj0)adePFef3E= zyFsn@n~UMQIi!k47GYwq&;AZ&d5V}j@ZDBTubbwZq?X(BSBH69&L?n^ueIYBrcB_$>8R@@#WK#q~Ie4wiaG5_uT!N??*)D@l- z!3U8tkB~2Q*N4)o^0W^ggg88SuwTlgM;YjACN@2tG{CujtGo-QOqU{(zWJc`9NY;$ zt2`hSCF??bcD_znr&hu_m?`k!-h0SN0hyXEtjS9VS~6P`@u`h|6k49J1#EEs zXsFb87B@n4sIAxO-@WcrsSFiueZ#y=E-zHDWUFVnWo3^b(;!E9`!nI#G21+I829UZ z6`4GlvIFg;fwacx;*YNe&~v}A{XH#2WpeBoBfdCP=EOWkY`vhmAey|-uCIiK8isvP zD|N+mYXri>D#43XN4r$N`+^X18p{gNVST)gS9d&qI7hJmm3fJ8#{x#CxH6kUfglr} z>Fu@VBRa3OyQHQ~9YcCto|AfI(a5?tLLYtBt975X;4tM}SIhsqFwsN_%nG|6!XTsT zsDGtA_Zd(ds+rgWJIoIToB`@$ME?5GDUg)lD?06de#)C~oDF^a zE!wZv`gpZzPZ9Gl@966)xt;&J%75Q{z!X_VxCsD0Kdsvn^F=a6d}Sy7~e#+2v z#CA?VOUY88TC)0}cI@Z~)8-E(%V0BAC)(GvJ|ud&M>T5Yl=#)>>cktk%TB2TSPFC* z`n<>a0oi^EbW7VPUzyH1tInL5ei{MrlJIb9_AI|Sd!|~qV=Y`hwY~W?ZhvyCak_d9 zBIDGgs(rj{Y(8s# zbF>nP1BEn)w0n)%)tO?%F;J9;O%uV7HSw4v--kj=2Qb+JvWRZSf7)g&|)&Fzn zCMex;<{{?u>N4Hd#wJS>eaFmPE=LU@0*`snn*3pl7`mPf&kv-6EF)%l{RBU%zDP;YAqC{NQjDOT~N|UhKfP?Ao@vVU!6;QTOD3p-e~9v*85dcPuNj z+uObpfZ4dayL~;DLER@-ymqnJcNk}m+?RVrqeX$GlN9?oJ856rsD5&_Uvj?D-Hm(! 
zb*N1qLw@df6U`s_4B$T5daUL4SPW|)4JbD)@ZP-C)zTWLUtXgU&g@vt+R7yNXu@nA zD2o^v&a)@=QHIC;R<%Pt`E~4C&CA>9?RJL8vb0gT31()tTfdcE)AGLSv3Scxqi|H4 zg3Gb1aDwlxy2#(IqBYa}f1vtyRfvy*(}&voa7#mRPy}^zi0OvWetr>D}tdLmPINIF4Xu*r@y1l$mPvuE+|MuFY_1T|SoaGMdj;F&p zJuN9IXD+)uZkHA~!xRd1Z)(-uE)Rozq~^pwI#Px(wr8zRxt;f!4~U#kP54|sX^QD1 zXD%rsI}8B3F%WmXogukwwK{#nh%p%F8wEIIDN>)&ZUf*$!kTw)!09OM#W!lh2(!D3ZP1V~_v< zgDC2Vi0ED6MAVo)ZIY4;cDW}j@ZO`tCx++bCzg*TzMtU*IyiYHQrn6KgQF~T~_H^e_M+eqFh(z!0Ub~G~klS z7u7YW1>TyALg0V8@T94Jm>4?o8*TogwEigRb35zfqND+lvn_ZrbRw9`E36~aAGXjk zD_F0qyJ=A9Fdhlvvik?mUv5n2O)$6Ruor8CDeaWE?~8>1E@a zO2bmC&RDCTY8F*3xYQS!QuF4^hRuBKq_v3GA&OuCS-!Kg!?ocg2T*xib}}Fghl$G6 z>Sa2bl5}kz3HzM>Kvv4KDLub|6(y_Gd1({qd8uxSJ1Gu3))cQ3+G&+_TxHna-R|q{ zOPjg3?pxw{5f$z|JQ@CFNW}jL%xRF2-^a0sMpz76xlX6~3#Ovy+{Ms}`-g zEfb(B7f3j0*R^BNN>MJ=PS5WV+-)ie1qIjh0Xw!5v&Ce1QMb^xL+14;ToR3UPw@*- zE&MAKX{t}^0`!0(eK10pDb5>OGCXuq5#nvte2Y9S0X5SuQ+g18!GWFu{k3$77{xd>pyuGfg0E_*;eVWXyQV~m!5L*8tPB0 zwCj%*Xhd~cw65E>!?_3y3=r)^M)!yFiRO`*u-=c#XsCx$C$g5g%5M_$nudnOO|-_G zC+SICY)qm1W4yq>cU_i2LPsITAc^lLr4|KyiG5}kqF*?mg^%TAd>dysAG~=%3}Its zHon7qd;L%>Yx0naUtHbCsuRd~|9q}>!!+EW$byUGSuC0ucAiDV_d2uK-4J_t>|8a$ zqwZBD`ES9^Jqr`SH6BU3cSx5cJ5k%dpc*9uE`mU}JIuh&dKoDe<57&F5tvD3pZx`` zW+}-c4v|1#6FKw2=@g}ZIJww6J6{w*a*)q=lL#UFvGh=oFhVf!?8Ap{Q%>%%&1AQd ztQ1uDvbgXI8ZDsL0se}lsZhKh`7-h=@4b8?kaXYu!Kcic#@gCxNK#aqe<&8{|OYJG4{rejm3!^ zXq4ltxm+lMwdDP4ZAH5qa-G1da)t%%=C*J=0s!UxeA#h#^mJ`R@bD znX@Svmgpg+%WeE$mUKShVvGwup%f~gqzD`cB#8W7ct%H1hwo2g+CP*oIItT?-D||* z6gxgJUry6_HjXQ|pIZGF1y57PPeD}g2+DX0#E6S!a{Ldb5b?&%HMrEt;H8EYP&gH;ig;*GKRCWDf#Q31^5 z1{!WfG`B1Lnt#?QmhkOlKLA{EcSE!`&g_+(k(P3uT1`87&Pd>NzY(1P3osesfjhyZo9y_4tyx@7NJZUC z3+{hXov;41nN`U1#t*x}P0;)sJ}n^;GXKJFBPI|I)flKFc==YHS$@J0fSj z{?J6pd2Z@9e+jMM7|!=UU$-TSb*O+_rTYX5$A4WWcSce)8C=Zbxgqn$KUoK=r=bp$ zef};ghtiF(U3ymgChTuVSy>i%4D18>ZPYH?Y0lALJ~#I6NfuBu2=pWz30!y7Ykuc1 zyFCD-8k^rnfnGZD5?p#cuGqWjR0NmrJCj!g!_jaCW=mGW(~)v=G~mY_H1V0;|1YQD zS_o##RlG%P4P7``@MqF{g7mLx=6Muy>jOJN#@bbEC0dmT_p5DQaKABA!R%b1mg%8F 
z2Q(+|0NAh-SFzpwx~os?DIym)(!89f7xpPd(!{I-g-G3(Mww)Ndn1u znwjf5uivR5YIm~R1tGz;4{x%#Ms6{(Ebq13iAXWNhRQE-!Bqd&l3wIgXT0};%>Oa$ z_iE(9;*we0uGq<{$;MNp3%4jl^RX+-?G^mRjldQ#!bh|YXHZcvB&f&|30HXislol-dnsAg z@GcVe)DPX6lbjdmN}#a3UOPQf+a*5e^681xgrr9LvLt8F7Sv*A*zMaPyNwa8b^ipE z>$7rR2;*>jC)w?=9Jg(C8o{vCoNe4a_x)0Wib&~QE&g6 zv0GxdTaYtteiofkB$lTmyE_YsDj@g16@CnGkHqU!5neZc=p{CerI2WdYge z?nAKRx1a^*4NEPbdg&0qip}<1N$^+EihaW^n<&(zo$Rdv0R-5L5^|Dnfo{?T2DBV~ z*o(Qhu3wRya@1HHz73)xq(5jxn9k9*Yvv<5-wug8PHMLc!og((vjv3C=aus+uh}V4 zyUvq+u`&}Khi<7 zWJ-_}4YtxLiOrY&ccbDKhgV9$ALm7>!qA--1IW3jPEJRD=L&WRDjx`LplFuMr14E8 zhhtL+nla?h)&H!nhXQ?c7yjvYHGaXZc8c5PuScNXg7x)WjUKPZdV7?iSo?=VrZ>6| z=np13T~RL?N@WU0upU)aGR&n9+7=!E+>xLhCp50?E5UwL*{ZLtlX!n8?tgBw%oT-I zf)ID%p`Du>e|r9jfZ8%zJ0jjA^ndP=^^Xc@ND|+%v0v4?ynA%q^~)iZ*p*;*>jAsn zqrKJtT>rfWl-n9BDWHa1iI?|QO>O+del40@NJk2OPmNNRC=Xa)iF(d-kBVQr4~!K6 zJ%X{71JPV|H7B6Kt&V;585Eh*-fs>y_#k59mt)PV3o2gLa`8r@MkZOjo$OqvCo`jD~Z;qsg$_jhif{D@zG zpAQNR1uE-YET~CCV6R6j1BGya&Az^9-Xu2IbYx3`2zuo{Z27(t4g>_(|I?lV`}aF( zgq6$`Uu%jdBDbNR$=P6yp9qM@j*gF=cjP3l{M)35g7Q;?OO08j@D7iHM8ZonBS$<2 z6t-k`^L^=|Eb+Yj8f25~z_L_~;BL#glh&#!V0VCCb3;k?cS{*?Lc13%xH1dGxkQNrM;jdLLE;rP#WZZKS zqR*gAVu_M%1(EN8;fDn@oz_F3OlmPruZ`OOU8P!-H-4dDig2EE9Kz5;e$^_hUdYFY$Q6xN2+} zBfSL_wjaRCmFlxPd^;YKZ_)HoJinx3O&M1*y1M4ErYNQfOT;7j_zQG8UMyFsTp06pu{OmE%Rb+#cVM72!Y4=**QvP4+7*RW?Rfjq zT#s~)H$(1QnugP;R@eW0Ga9BU)2F4Xps9{e@5z%anO#3p?eeAqwYwl8H!`161d(JdASzvO}g@EVhne&3h35w)ls4NZXF&Vfm0Ov%|& zA`GnOFVzS67P^0%a8nJgy7bu182`7oN(uxujq4BVmJ6XAHV3cN zYKQH_>PM;c1Xl|~+-kvE&++dAgbbbX)=#5EL6N!XJla9@QLiBk#uJb_hcrPVN)QzP z-abH18y54j3a#n+A%yQ_AVI~(fL%@f2o(S+Niyy;k3;&ggqy^Hg~Lqv43(5qV;lY1 zmGOuY*Yx_;XDL|ow+ZKZe$mk4NB=XU)Ol&RlDcw4?n5N?Gmugl)7I4jjYVaPu>bX# zVvS(20ttzR20k0P!4a|DHuT>0UwEo=64mk@j&2E3|GZR*zn%5ZFv4QsAg0R4&kFsl zB^P(Y`0a1gsyq|kx5CRWW=iol&i!*IurTG@dX~I6{xtRE>yarA?5uaTPak*vB5wmF zTzz%2rZ`zcFy$%0lvfpD$oA~t9p@-%QSwuwDON}e$cMB!njY?+r6-4#{4zeV?c4|X1$~aUL zHx1rpv7hG39QdW1-=n9B!ER5lXt+pjhG*XpAm6Z7gUcR#D0TRMdk_JT@hOKFFL{)v 
zYVRTWXd;eer`xQb65AR8`B}24Ws=-ifp~5HM@_)U_cHaD1($)!JZ(-+OA_tSxf%qv z<{3RivJ;5eC+4^k!@KB6hQZF^$@(B$?k-@`DL|_m>RzJL%{7yJ*##fA^WMCh3j)L3*OLql``?OwoOJXwx2ZDW z;sHNW<$9Z6SxvbDB#a#$w%{zaX!|3=+b@wKOG6q;_JD`SZYb3}9wWR%cF`g9uYP!J zo<(*|dEIL<97MUexou$qfraxZEpU@)7ijbL@bTto*asRvt;%0WP`Cz>d<4o*1;bbN z>P&4xVQcOAm&R|L_Bk263 z6AFQV-!ydM*KZO)I?b)Eu;S*!N?9nrJTLrh`75a*s2R;tz#-mBR<#9QSkb82H;xB( zB1Mts?gp#nx4b8(?2_49VjHQb12~ww5g=An{*EH*U0g2;UoKUJY`>TL_VWJh1-kpd zMhfNY-Kw$8k~Y|U?=1O?XM(-??f1Onl_ZsS=*SJayH#!hXrRM(CimzEtG}O6g_p>X zP(+djZG8<5fOkOHRP~g>a}*Iw)nEs?CGI76J0xj;yHcb;rUsC=XS?y{4y}T++rqnS zc>}*(Sb3;i6qYG`V6YeLdI}5}%+SlXUz4pb*jb3A?5=fhrXF)-psjKORBB1t1MiiJ ze}7L&g6x0zD)jqIN)>qr3WJ?d)^#KfM*^P85)B~r;q#q8?;`9~rgsn=;kt62y)BE6p@azYNui|}1y!sJk zR(F!r5k|F#`mtMHVi~9N1@hA~6A7>dnC5|FK#V%OTAPLKR~`POC6-5piQT)8GI*|n zjncipEn)=wcHHjO?q7U82g(F;$?z!A%I48pM6tHuuV1JBM@5llSt`6VS85#$fL_1h z7RS7UG<0zs@`Rxc4Fi~8N5FOdTRII?yXn>%kbyg~b4O9AN@6FExrv-6^MVnOO@ya% zExJn95ykz_uKnEHZ4Ak~KJIsP9o*BLre?=;z}rv&!miIki!Ic#%)1-3W&pW*w-K0A zttHP+LR(@{qjE{5+r^-&H@$*z{AWExcc5WM!NIm`Lq{3`_2J9`b(fqaw2` z9QanF+`8cm-j9a!e(5KL1hNGenqzpt<@huM8vb{gWLbP!BjtW`t$S=@_efr zK%X}iBTM=ff1f{x4CeS=#&U9cAj^F9kydaEkm+Uci%+RVxJx|h^!l>lJh-!Y%*+qM zn*}q;VC89lw6Ifq*F41ZB7il{*!7vk65~LuKH5GkB zs|sX>hjp#q{iSsV#gYK};HONXnnbpLrn^Y_7i7$vlJ@oU+deP#nsl#tuR}VA%mTgK z!q1`fx~zi+;AipAng=El-~I##-mGep{J(-<2+8G!0H2lXL031Y^5rjdsdh#66liH` zbdVYb9Km1L1B3Ug&v>B~%NNve7ELeEYxIVt5jj>*oV>mAEudP(!Wo*a1K1^6&M+z} zL@_V`FKBN0$euUtV6X>zDUzn)BO1*yUyOp|AgacCixO!)r(Nj0+D?$6Cb}PW&gWjb zpbAgw-fK8P8_PZ{9wl((P0aP=4drkaspmnzNoZ=H_yKwIXds47Yta3{Uym?uHO z)!-2X1b-594NvyO{@b#5W>w6;A_sm@s)c4n_)waOD)UaCx*+T-`a^#@0 zK8+!dw2?&FHPgwhtHXr`6A;Pw46�jhP}E8$w=iqbnAPc5Hb+sxH) zz@}1|#rptLG&=jZ4oGB9pY&S-x#vL znI53yVKLTU)$)bD1K|>1(^w@kVMf(6AMtU)Wyr~tzW5dgtWP=y!$3fZhQ*K`sH(*| zmGkCqyNB*%MRH%?-kmmVAGe1enX28CRGoaYzS#FW0pk~R_R%w7bak&SXCOii9uw2_ zYnM80YGkZIG7y3dGf}L=1Af%t?(HML=ho!8FXtqbV`WstUT0hZK_)ut^W7p?cK^fG zZoaPgZ%L&l?h;IaoNJqx7JtzGprNtLmll?;Z>Ur7d=;WdPz&DJk1{(psGLHnv!+^l 
z`8Rn^`wP%Vb5K7^9dp@}!d){9*jZ2P4@V#L7(5WEY;Gt|?XhCyKUlCI9bCSE44&~i zaZfGmuVy^?VEOzpS9$X&N{or$d!ksgH23z4ku4zY)C=@v4&2Zx?j$N-UK1oUdQZMh z8$RDytQh<9j|2>VMdSTK4@*YqTfCfXBT@bJTqI~9zB6yRw(<8z!<<=X+p-ill(+l( zK5gazcf-kb67wT%g(@J-AJ&8~*!|74sM;Yu<6Ujk@tO5n<8+n~kX|(ql}-=IRZ=h5 zE-t#JINYXrWMqUhIJzQagjz5-JCgA1&jQU)X9Fx9L{uhZQvEJPKH z;7^n`9{yINOI<$j4Xmt!ntH<+@G>bcG{6;twDH&VZS5zhDkK13CZO;;=1^rSMNl6=kl6uRs#9ZV^z2r}xFC)`!8wd$QAM3098X z0Y$Zr(HTE`>!&@l&R{3=?Rq?hT2FCMRvKW=8W^Xqn%24WScx?YL2ValZpR1$y58#{ zBgGKKkD9SE-aoUViG_2e(={o5ivrxhyH?37;Ou7eFP!slfIe*b3Y4cGlI;eYG z505&1M?VOUlkDpJbSK(x4p+TS>B|uz^)O$HJ@1}Ve>{dX=;iloV9L=dyHjB0pwh;9 z>`?zxl42GIh47qy?-u3UDl}}%=*!$*{pZchvI;V+;VT_-w|WwbxqT% z@Kk^Cv~6zz5QTA`+(J8?-JD>Er6H)oeL@V16W(ay4E(JXTud^U$v`JRKY0heYR?B= zHJ{OWFTNlCxX2EBq$OHVUQIfTYlxyQ z*x$8%Uz=GMNmv(Y-E&oBiV&eY1lCV-ssBDc}=)@{+u=W$|p;m;?~Dye$yi^f4@I0lIutCa+ugv~vx=s}fnFK%o~`%EAK zuBvX7sW%tFRX~Y|c(DDkRZ3F}-Wgl>8qFvfY*I2tHOU+;w84FSa;nC!%^Z~a-6&cp z|4L=E7=syyfg1TXiwc06?QV;0vj8X?kd}Un#IeVPwJm_?hN_A02y;3uReAK4V3`>Q z?@1K(_8>^+H~K}ACM@+Se!JZB9@=z%>aRG>riuTPm~S~xg-H7+34f_7<2`~mMMF8M zuJ%H@N~39Xdrr3s)nNTWsd1`S{Jl%44jp}Nni|s0twPNXylAfKbg3p=iK+eY3Mhc? 
zq8pZk=Nkn*cFq(X?Yfa+8Vc6#tdE4&*^cd0Kestb+g$MEC6 z#3D>}1@{h@s=nRS#yxPQ(iF#weV(5MQW06zQI_VJdHoSBJJeZxql{iGxVDcb>^u(_2zwfiSL7nxGjmE)BbKgg+K|3O`W74$;u zj-OynbzM_-q>iFyi5+KUU0o3u6htELWH!2hn&*%KOy44#j?u#tm$|Q45QEgIsuG)W z-27(4E+_(WjigaIS%i7fr9XXM0{3ubQRpXKp`P!QHXC3+U|N7Co&e2qZg2L~$YRbpRdG0(=JbvMh z0;&TB5ttPVF-#mBcu%?X=A>ggI0;e(FF>FF_vdftfbfomQf`b*?$!uU>dXn-eJv$Z z&YZGYWN^18$-3BGjvRf3Y|al2C0Sxko0_)!*=0^b?vpW)^;nCRj`g}(>RUFY)#_W& zSqtNJJw>tjk0kG7tww&a2R?g=Mu*wr$5t2%K>0KkJstVSC)jU3QLO6Vq5lBf>dw>Qs&znzh@GI`{M&uvHd0^!T1v3X0d$HEk9zl6WM&*g9w3K=A8DnZm_4uqqTj z75r-nGC`?xmUwD5a;bk5$eGv;z#)cy8PpdCz&c1Gk!?`?N&%$xX?Rp)U34P;$iYy| zBq6*h@auqo*VeM)Mk?F8Aym=@au5jm$tS9hvs`K;d(GXx>fgYAoXRL3E#bL9JQ2de zx%;XqRTg$6eQW{p4|%e@N4hY+Gt0opdPjRSlcmxLOJiPC|>MRzs0&hWBP>1ZgcD5VM> z(YZ+W=f%{n#-C)lhoTm$srFsy(oeJoVw=kIH~xZI36$5GfENH=lvIf5{_+|><4hLX ziY^QVhs`^80L^Ki057pDH(23byi(Ew0{`-C|Md7cTVvu=i`~Tm)HYxz(FdX0Zfo?0 z`{ZIXFv{RwVyF?ZbgH|*j{$o}dw6v(X!qmbV7O378G`rvU#c!x`{UOk`-USUz&aLZ z@YH!PCB@j9yyyn!ZL*8GV=^y@(1!@iF-jGjLARAq#DnfGy7nvjTs=13>pFyAOkr!K zyroaZ*_8vBWemw~LGig)$}xRuyf(@hb^jy1U@8RFUm=fWO`}^K4NHRWeV5=*P~+z- z1;jL-e2X%!%E=YVyYv*nNl8iM$k%D6rGy%vr#3VYtZ|th=Z`0ePp#;y%rd2`s}xlj_i zbGSCnZIHzZCTMsd=jG$Umchy6VlrP4=D(E+93QMx;dVz~ZYZmTT`5F>Jd`DOX1AJD z<9MUPf+o&Bb-z5nnUbmX*9ll3kU#w@5ZG51#b&$0lPT)>RHf3AY*AZ758tv0SIF+C`YXYAEF{QxHK}s1e58oLK9k&LS|xi8iSx_86|T?>?%uO_ z%xcR^Hre_r#Yt}*c6d<8$M`b>Yh)*Kk@(%#k9dOnQ&4%uJ@f7TRbwY4F40edG@DS` z=&(G65=wcJ7=>nJC^3y@qw3~aQlxtTxOQ>B|JHk&9FE>MG%$!n+W48^M!v07z&qZ! 
z5t)aHP3$n--(|o1`@yu5VK7rF81dpxP>Ukn)Tv&UqoU*!5U>Z6o2TCgCl&pO$>(;s z1rSB!Q%|H$nHuRxgZ}(#g6~Gz@rE$Cs3$zg_sQ5Pnz+fqK*`6?k4oLrIR|Vy7eN5E zaS4`pOXN2J`>#Ba`^{o&Oh*?tNSm0+Fq)c}4(?*lC1BbV94-A7>05(~42ng%DgQdp zU9b*-yma^56rge4Jp$kSE?aWN$^EUrXQR6|4ty z>0|XQwj}m3bh?KoC5=fqpwyb`HY|CvqF89qg=3FamPe0d-jsX9+>$mG?M5;FvNRd=;n)FQWz z^qF?}87Or|o~+0?aag%qUu2p882|ldR7PW?XyteHmw&*9in5zTOJPH;Y%rA4j(ANEUUwa4*CTEo95c_-#Lu0+xb4%4Rd(J2tj( zpbt1&{#^akrp9XcZY7|rpP-rK3`Ag2&~6sMm(S5 zPnww9V`85Ns>4nh8C9TmD;sSD>GFnVBHH(6#)6v^-sAQqw_0Cj0L_oT(gvU|A+!bL z3_UV3wdo)#{KT;6+F>mxbe%G3X7lX0mz7~~)xB2}XIOGc-vc#!LLlBKr@*2NkPsft zs_2&-^*$_(dL+w!Ss{t<0&8q&C}q-+CVVkc-rP$^5d{XSar1c}i_x#P%rkBJ;=9pa zAn~aLTCB5!2J!`?C;L>rgg!d@68tcr;&k zb-tkn3H1Ln@ReiBx=T!~DkN zHB2>CZjdP^v)BMp7uiy$UuvDeQR14=vlT6;R$#Q{LQrEXjvL(0VsiMmngv#_k2N z_|H4nZJkPyfrn8eu=q}sPjmvhfR=%8;Sxa(qeSYl)ecDK?Kp%tfN4=oAXg6RlXu;w zE%~trG@|Znn+1!SIDY@TspddqYSvpThQIKkFig1>3)%`aR}O)(J&64_0Gd&(MGU+QF?^H!^K_f+@y+L_ zm%k@rpKs6n%+xvv2<--WbD9WX#`3PAkA)=ioe?k1YXrquykb$adpX-iqjxAii-TEvlBV&E|918v-#>3h9eFa{_$p|Mr(zMtv zc@{P5QsZOkX&d_d@Sg?}q`po}%rZ_mpVG!f`*pfEnns_EWH`k?)pY|H9_wUxDc`Dp^3AA(nhr#U_<<#xp2^>BCzqY z@JF>iJyt?bqzXn(r+e}C;vyL~$HT6ubLv<3K-Y?lc$HhS7x3;HwnKqUSqbC!guK_0 z9MC=>6jW^lJtfT3(u!u@AvG6Dch|&i6h=N_VfDKJk@UkOCFviSG`RqoEF(}D*5Y_X zL3?i(iA{&}O5zO+M*)Ca&l{mo@(!mA%g@Ghq#XTP1c=Tm6#;B|qrQ&4s|Q+Ksc4SSvZ zVv^wq0GfU#tPVIQ7u^f(CIAs32XPpD@O9-m>p?Ov!k&#t;_GsS*lU`_o8J#FI3NXY zF@A1S%*H=R0&yi^`he=ix~mg~hB_~ZJ%4SHy|i1`|JEIPEG!&fnBt&Jf8oO`u6b9F z`U@JDXRpgkX{-;N2hbB@X@9k;Ed4?T6_;6VY;_TA`4B#1UO(Gx9TqgCyD}L zD|8)H46p`wdN|3B)Qy~edBAC05ko5EZrvv7|RHjyNpGS!GO?I zY1`Jy=g=z`oWPXT<&s3l9PAWo{uWE?u@kYB2Jq%CS~8o68xU{k(kQ6+*bW9M`4`vX zdTg+f_tHj!-y8AjeW2Y2J7Q;2z(ZE2d|mpGH#yOSk*O6}C(wf?b3dlw8N*4ABCL&@ z2DFLv=U=3@c+1wF;DKdhO3;&{U+hj|xgiaL?@U#!8;Fc)MJKH_=4UT=eH3#|4T;}a zT7RODHqv$ns2Yg8>ph>TNQUk2OHm=De~{Tk&M5-`VrO*PefI_ldKaQBtTHx5>w9ef+@VDtuZO8r_^S%n>`{;w%*5|)nm^35yt_Z zr}Q-f@zQtA#-389^#HlA`KM&w#3ah0|`KAV*+fE3DaeyoXO*@EzTUja}XG~0rrdtR<6P1J>oXQYCh>wQDU+7p@ 
zOTTviEuDJ?Vau~T698oA51Ilba@ccp`n#lf<_8@=1KH~ha>e{j zq$;iF$H`d?zLD=*G0!w>nI&wI?Z$@(pO-BJG7s&SRI#cj z`fBjBQ`-mo0sWdC&4J)de=8p2a8%k2={&XTJn}q3C{lsM1J)HBWk@X5`ZnK>o!w;1 zGyXLlJ0}i4j5TD3O&Qyp4p5~Y^YjA5{$DRn2N%w6s=;-40=&TiuaG$0f;78r&3qhI zbD6mzAZpOAeOe!nX+LrTFm>YJPCyQ27az(HtIe2yl~V3-IeM<_>tk|2ZmR>SNSAWq zwLcMvtQ8&2j_sL8yJt%F6spP~SF!bLV}wSwPUtz&xvBAv=<_%#gxT?g0F_ImeMbdV zY!isRTPpqUl>JoMoHxncW)a{P0%FPI<4<=E8wfVS4H6mowWm5C_AMi#?o8PAj5HOU zBv2bjEN0q8FZ2vWvrI;-upXKuHf1~>69AO4We>2?4L#Ukh$KA%)#q>2*inRWVmjPW zi#w%qZ2e$!a{JeDf{VAOZ};lXz>0T((@ElNv8Im$C(Giw0CEoABm|UuL3e&6 zp_6u-CSvbr{F0i&`0qGOMw$bqbnpZxN8ZrF+lQ>#nAT;rcFR_ExKGP2S#HAhM;N;0 zuQ8*2h>nHx!om#H<@XNSpSeCp4Lp1?_+okuknSw9&8v{FIjrhK^rizAHGzRE3huKh zUl(v-K|M%&dCkEQ;G>9A0~HP^1!-fCO(_AD17nijJ~H-s0Qcd`Af7~I`V5P10EZji zhvWsE0Ly3dAE4qihZDdu0aNhKLnYP8nJL}Oe-o<*UHDbE>N}bpK0R5Z zL)1T3-0%Gz&E$Q;8|>G+d9}X?cw&6mp-_!aXAo~8Q72dHaH(B$0qzHgGCRRekZR_A ze|Cd_Y1M)od`6f)l?@mvbOm{A-B`@^NU21;G^1NKTR69UhXr(V=MY44;ui1gI7{K5 zqR%DM?b2}WC1RB42CiP7M>o7;*cOCF`Ly=#(<~&w?mXObsT2b z*Fz$m(a;GJ*u_wugmw_Sn7uGqlfqzbp}l=Q{C@RBZX|&#LCq(3)=L3}g>soX2Ap!W zU7OmPZS-BC1~JO1X8&$05l|7E)eKRU{CT__r+53~${4ayZV=K*SRP$-mb%GUAP0RA z95^~R(ERnny(k(stK$4U;?fEQGWl=&K46hwK&TdsvdA_D^g&dC+T8#bzwYsQ@>l_y z2}*?lH|QATVOpQc`QFY%zqD52gHACE^eil^7NxJhVY$e95)POEWR+doj}&PdOiSO= zIpI@r?3*JJz<7hs1?)(7nGM@l;=8R=-!W03Rf#h2Num}&LB6enJr5SXi#}8ia@zjf zJMEenD`V_DbhQMSd~jG%Lm;{l+t8#wUlDezd_;C0LoQlIy#j^XpJVaUvR3feZ+EMc z1y!y=dfO2I#F*K#>|*MrfDjB1ysKqIU#wW+5ItJV1zldur}zKBLX0RH9Z?(dqpn>E zHO_eR<7SuF($bS5bm$66T<5S|zu$6;HWcpUVC{TONp-MHNhKj=bkVS+@s^$zZA385 zjL5?;CXFQ~zSqco6d%}e1x4H~jW8|9#m9i(p(m4Yjio+mV%UI}+tS^`(-UhdZ_;B_ z5n%h~jAxrWY5Ips6V0d6#iZvIu9?cY&kjatD_i1V&us0x?Sz_spN0aY5=LqH$EuSO zYqm>SO?CZmVxc6@Uetpm&+2M`J7Wzq4Y*r63bN`h`2f9yHn0cju=r#LF%5YaJmR5| zkzJKnoq7LicS0-yC7wF(UNo^jH8J(}Hz={pW~)grX?-YQR;#@ERx4nC02GT{5Ej0= zG2^?~cmUeBu~`&K2}0&~iKiK);W6C<2P4IzJ|T|Lp&Rnm?>nA}7I81pPal4dI1Ijs zWao<->93YM+wCH(3RhHQWO`-|VlUKB{W$myC@L}5`WqkL{~ItF@2)c8UIJU^G5Pp( 
zOdF`-PwQbXc|HK)3d;!GQ~(C%*E*NT*{K^vy708|MX-~5S%+zCwOTxsp7O~m`Oh1%sh%D2&!L-k!7YM>4h0)$z5-1zqmIlva~ zVvuI(XViKsMwWm9T&Vf2R#fev!*+%14s9CnD_&fr{Xt6$UUIG}U`b}|Bb}Ot>>8QdeniuGMkZo2%z?w?33IIY^PEP3;#>s9IZKfzrfrUpd2D6l3d4}SyUo1lwGe3YAS;mEZ z9Ul)lLZ@eB$VLW6n6?cGpXA7>Pv5uDGM*Gzc4#p{sF5o%(a@u+dXoPDsOI&DNi!Thp37x+ zKkIqhC2A>A^PsKbZQof@f=h9y0RNlXYs#7(2rSXD9Nw|dAqr?zURxCoK92x}sB!sA zvbCoi_Ay;t+xNXADZ?T|oL){N%<8K{1=G{>@@&vh1Q7)zmZs5W8E;t08IILdP;U8c zg8Q*|$z^P9a`Jc{X2q}4Oygq!0%gsplY?Vv*yT|poI%mT zm7X6`p`_Z5bW%PXgO(3y4{Y+}C9lB4;X$2C%}WfxE)CR}JhO>QssD*%$&JA%$Bh;E z_vn|79<*i?2=3PJG)1WH81t#fE64&(Biclc4a)V9^9yZaBImn7Y|w$+aX5H7DH)qq zmf4t9CxyYeE|&Y{fS6!oG{wmQyU5!1ak53>PG+e%1Gnv1%*jdAo_lVcV!Q|7gTI-h z>C*(9MMKqmE1?vxH!2EUkS8L8EJZHs7qdBZxoMWCp0=ABWsEnCiqZmL+QGh|m>6(( z-?Gzl5@M27e({#LMq$l!w=JK}A*2$7QhKW8&)iP7ZyY_=WY24zRb#ioN88tXi`5UY$CSlHa_0gY070c^?B1Z$>W4$mv7qDL0%<#wC2Nry1rfyEY|^JwGmzUZ>jT^bz_>R-D_&6l+S`cwDz@pty0#a8!WH(j92br_G&N#*PUO zDI`-Ns#@)KV)<06xdVdb5Uxt3$YFj z`M%)NX(xh5(xzY>eA(RxAgbPXuRY1Cef?)7a)&X${#pkvk&Q%4!nL(^9L~NN8n>cS7HQI;aOQq+)7DKoWpR5bkKB_*6~Db2!W^3Mik61iTPb(c0(PB(g-kUp9o_v614`+40_ z3{axA**LD`bg!qTq)bfvOc#!>^Cz`gWoH5(tf4N#f=6iU@6CpTk0-vKj2@S8>wYiC zEbeI8YgdeQ?UaZQ}zC!Kt?3s6f{I7&kfB$#XE+8^oIDXk2H>=^v*Rit-sEIIww9rB&M1`;YAuEM2XADCLX# zEoTuZEiKJKknd)|FTy%b!=Ru*i2;jt5Lpqyi$DCLxVps*ri_mwrGUV)Mp-M=O_~~f)+Qfp zQ4xcx=;=$ir`bz+T@Ok z@}O8I`|FL|bERsUh(op79CqlFCmD@*qHL%iX+cs{3)ociIJ{?x{yN%COH^9tiO98xb-{eblU6Yj^MYEU(?();n1qRy)f$ z-1eL=vGYFPf5>fSX5Re9?96t(p8U#ZFjK~-d-v^~8oXKy##uy~yY*`&wd&7zgBe_ElnZouQeOS`lk0+8 zldq%wc9*vBH^Hk~Z=$a{?eF+I{VcAvj8}q3MK)IZGd1~!F|A<1N5*5WN7MSc<>@Fw z4u8%Dt%{o&w$r|(a&dIrUwZyi8>^>~?T`B{1s;;U({eYO(Sm~Oib4~nAhpW^|ITjG z(917Mv%o-z`M^i^WrSSK9y}ZE2hh7fl&alM3r&H4>HVvc`L|^`a2U>*ngTm*a25hH zOez(l_zqei0#$jdO9t^qRE#zF9`I|R;XB8pS9n$Scn>YEqIUW_1qiz0FT3>Du42$5iA&#SHwYy zc~zg$`zQasj&5*W+y|^pT%^GH{T8V(s_o?pTSL)}U;-$k9mXh%fDsYt_K;%Qu?_et z8_WrH0*vbRhnt*p5qBY6n~z^KzJLAA`*dqg#jtcnuYCm!3z_Kr-vB8*OgG9rq8!x9 zK5QAu9@kG5|MB9TCAZY?mJG>}%BpqAx*1}V&8d}VguL}q7}M^a^tRz|&!yDuwScTi 
zOY<)_M~d$oPNshkRa_W@V-1SA<^9u{fncrcp0)Emw|A6L?>^H}kgC?ypx3N`sDHWm z(P=n3-3yOwi@2I%%FdAokK2iWsZuc*N8jlZoo{R4FN78t;7!^=f0VOB;+3v}7AmQ! zL}BFmSfiQ`bNW&2YVdnC-x$i-D*HQpB0rk{&2N{e!Cw?Iyu1e>SJqGcedLaBask=; zW^;$GNc1hWj*+%TYH761&;r7pv26Js#QP=wMC!kt2AJ8ybeMKtQ`b>TL56;UJ$_><7LMTbT zzFSMX@Q%49+MMPZ(WKZY#ZoAQYWw_bT&k|l6P!uit*=MV1}}2JP#st_S|;JNXAgAQ6Ci_QlXE;-A9W3haNb1*KCT+!P9EOh}M(r;ag)_reZqTCQJQP$MC^rKXUW z63wmt$0A;-JOd-oD=d!_1i^2T57)4*XkOvkL>D#^5=;>L&QxqVMxIO9_|IqYm>GMH z`RHzSQsPfns%!IW{&ZaU<@la)6EF)2Ep%Li%}1+!IR{kP-!7|luxQI9rm!T=YXMjK zZ`xICPUt-J@kwmMBJiTvO@5`xht;1x+&nnDB(@ukn+^EBa!htYy?E-Be7jll;nW!m ztSozynm_)Np!Lf`rtnvMy|6(S$*!Y!;f&wK%+ZvXTp>=sl- zfdeWJJQ%njwG)~hwv0nST1FnOH+6Of>da*37f8n?x3B5WFsU0|TU2_2=2qnhK=ehud>ft;8$e(j2lZ zppT<0Ax|jJgaf=+&)6WMuzAj`(JXGE%xY?(F{_o^6pM;S$_qrT=Nd^x zDw-Z8thReeLtDYC)67!hTIt^(vYfH<60Fe1wt}<#ue|@XxLHXpG@{u7k2`!GQ~NMZ zVD83wI*jsB+z{0u)oH<-?{Ur0ZSOz5d=dN8Q5wqHU?Q%Z=EBp$1hNIUM9a<6V=-sI zB<7LV@u-qqD4OviIP*%1vcY;vxu8!$s#T~!gesR7OWScmS$Zk%1u&6H}K`iBq6?&QTL1vDoVi#y&v zl1oW8)e{N!%h$TC>%#gUSc))68x9IIBXP`)HvK@G!^>=Df&?bM*U5s_`9c1zFp@Af zHMMu~JWa%X`eN2_i=ep`Lbz#Z@#qQ&-@Kf@7U&$q(UGMh4yrOkL5Lt(^prtW%H6zr z;`n(0yZ^0n0M17^E}=YqclJhSthkEwc!+WuacSw|NUh78o6V<3_FZ?W)FuL?0}cdg z9Z%U-2TR>c>=UXZv`&>PDpjwpHtlnm7@qMK%g-$mB#l-dc3A`CvYSyM6YC?XpmxWm zLUm?i=Wq$HUE*&nmge438dHVN)yf~^ z5J}-=;5P(B*jQI<4rsKgu-&e64BYLBHMmV6eE+`#Q14bwuU{P~E&NDWB>*n@ZJ-RO zl;&jig?BixKdmtGJH0CwcMUeM?7}1Nc4Kn7X=~hGDkFrIEI#6XV$6>piwRp0aOAk@ z)R0XMD{I)9S=>0jI2zS#_vkb?V->m3_!!(*OuBdM&uq6iYk*l0KER zN-1XhUTt>qx8D7zG!Wp|i-kR#T|-aKO!)8g2o$s@Of@Gp?rlnzo_J5JG>_LR7lvGk zKHIU`3QNZrp57SUJDW;@bp9Wj-Z~)4=ldR4LUsXRSyFmo=@bE_VV77yx2nAvL^Q|9GuT%i270~b;Oy=VVOxBTQ{W18yw2*amC*nVQ$b1ow^6H`k)`9w6 zbbh5^ka$|i$)kK*zFYhHqz#F;f{mGTt&{b?^l0DYuw}nwp-cu)V)hM(=J)?C&nIYH zDd34|HwgeCa#XSCx<5PCrS-|w0_jg_qMkjgy)^#X@qBLUD{^mt*SN)HrR=?ZVM&6r zg|fcBvHB0T9s3Wh$0K3`etQfz_qFE?2T@j+-h76Aj1S@%Q$B9Bk2rdGSi4w%Oqmg+ zf$vsuS31AG97y{82i~t?C?b9>xv+S>b1nHbTi4N5ctka8Gb4R?b|@7mOd2Y(e&SQ8 
zO7a+s5mYrZtld`eqfj+R{lRGQ{rSzE&Zm;Qk>9s5+IaV2HJ8sf;!+kCsc+BC*FhkI zpLce)y$txWawp}^-~?_ML5sU?9A-LxN%4pcekQvb*aQyCAb~|T{u^*FZEL$%?{$GX zz3z8ASd^)#(v?)|Gdt@g)KyCP<#g1nh-fx0`YDJAK)Z3pV{G^q4{f1N)-DxI1&Lhi zY#t{yIo15@#Zx>3iElY!4321Y2pRZBQmVmOtd1EJ#%+|7Fc2YZu0boDuFqapQtUXr z+kwLITAc6W$aJZ=ZO=Ki!RSa_zFtE z-6DVgYWk@xXyz>FC-XfwB`hNPSpe1pB7Y|kUjo~DBdAZk`k&DJLJDfS)!VzI! zb|ppcY;TKsS)Cs2xY*19=5eZN#0cJM^w3p`Ow}Qoa$l|r2~?Gyj)I`i8Nsxy95X7|osyCE&i4KKz-9mXDYY;XmH9G9+IKkdnADDgHX!H(jC(CH7|mwE6pOPb`v^fn z@ArUttLn>_-Yfy;RrU$HJOxtZ;F)EIeVY z$zQ)bSErv=RM81gpU{O6e+;TWs@02x4USx;bl^YzNNsSoLIM?*BquTegO$V9isn^b zpohUyX79Yp>dUL%5+1B`Z&0MC;SUZ!_Gqm`Wvz2egOZz^O$*@5ZR>=BeG+Szv9O50^ zFyz`+Vt1=D>F@h8xf?0G-e-#5y$x-MOVXR@{oW!8BmZw3o?)Y9Kf|=<1z}6=Q!R_Y zBF+CHgn4>K)4r1Muct#Kxt^fT1R2oA*5K6Br-5r0PP8>1wPM{4G%uOWDXlXIVT+&b3R8r0ubbQ*F&oLCU{*$wnC zHHz3$rfedZ#&PnYvHDGo6Nf4(H`6t@13AGaY3>nXUTyHg5hu>zsV z_``NbYJv{+y=WBjA;cUIf6OYQ-jXK>^dv$)_Qu1QH)hmG*QBF0R_oCmlfIsM@-X!0 zRO20sl_fJXC7*bdYeDn)C*3&+@C3F2H8FUKi>t#uKa8Imdp1Tg~NYMu-^Y%{ zxVQ!*rS;ii8f;b#CmvNThiDv_Vv>sL1lbPYYTkHw72GM0w^9Em>Fe)R-n5uSybPkh zOURiRo5Md#f5e#Ucd!@8Lld!|jAuZBTAxu+HWp~}%=F_NqJ?r&XO zT-@E801rnK$WTc|iD-)BJV9pZoV~(*TDY4R{_Wmei>s;k>118R!5DHHpnAO&mXccd z`BT&8bZoFxKB6O1c>VgdShsrtP`}mE@0M&x*O{C$;Vy^-0h_)>r8^K**C7yqtN27H5(a?Iu5>VEpoH zlZZ~#il0iluVi2V`DDG79YzvX+*=IrsuxrC7uxQ7_LiyQCZ3VNeeZJp85m5zoX89Gs#a8}^3I^yVO*S? zzs0VSI0es%7>d_U-7J>Ow2;`Mud{%f6Knb_9b+ag4CcSlmY-+mlM4KM10|6IYw5

iH_arP)2 z9vc4nhw%2+7Q}Cs#{KP^=!sm{Uk_o)PEe>eI^9ypFP7?+Wyq6{(>;gKWWypG+aI} zG*1u#XrIRP1}=K9CF=d;)%t>#mE+;zffbST{QsjxXAs0XfoD?kae$xktI_`eQb(1*uge(X*G#^~jU=omq+8+oiH!OBz1cA>96OZe+G7{OXf9ToI7@YXXUZzBOS zjgSm{;&O-LX&a?EyQZeu8XV+uLjYlr+sK3w288qSkq-}IVt5N!(1iS94jNAnF(RN; z2m|Dk^RwK}=)cTbG*6z0c%E?&!IulZ8GnRZhLV*~cO!o$duTp5`@7}@bCWtPRx7~e z=zQXc#|94X%x0`;dVchKgtnO60xZ%(0+TC6mvLlZT=!>5K)6c|t6dCt4snn{@bET1qD;}iUzhI?;pTR!b+I3 zIGjAZbM_*dzWCFA>05BBnFL%J<%Y5)LVS%NT6ohP)I$JW>gecrljUx0ZVsa*vKgF1}QRAu{=b%A=n+f3mhu{#tCz?27=s|<8^1uo(% zr7DVXV}7pXP*xlo{q1Clm~AxTF(Kh+0hzvmfdMNWEd*9dP!>p;TsYu6;roQqAe-sO z{{;-Fy^pE)tM_tpxN4}nR;H~mCnA~VB|GKKdN$I|KCVe<$#TuK6hST-a)p|6Si#*n73r5HYZYo^8ZGi!I-DN zj$Bo|8$ZQk_rs__5q*Y`8VED?25`0J{e&KNNAR^KL-H$9~qigO1>5ux)&ka19+vzKRB?FPkTa)~+#WVrE5=aJnI z$H6j}4BIA+`@4(9+=yVJcU>UItsD$z(lo%NufkH9D%h=+xSmv_NkC968S!m0wNUir z!kTc;*4?cqe`S1pyt4dC=Q85```rLtu@^6F1kyVU%5}w_KCSq*x#Ynd>)?6q&#Vyr z`J)gOVG-n8#7;wH1EpNc@b4LSQ#iB>hfT|(aw_7oscA-<5s>?P8pBIVPnmgmbK|Av z3aD(wDi-KWPEJo8j6sr0!y`V-HNUPkTwh-=DSi7}Ozi<4p@PmCRbf57sm#g8Eg?K2 zamRlZ*{K#Ejxs&f%_3n9O+q-9u{L#@tYoj#%`Hiv=F;$Ta3~T{fohp2G-PQuDJb83DKuZ}l~*_< zsT>V4S^qtpZgVS_X>VbX`|TSo*ZJ8QV40rdSZUl8PzF`xD002MIu+-uZGX-*`I4?V zGp5hG1Iu6h!^^mYt|fL&c6`xzoS@t9Uy~@P$nK6npliYs1Up3ky|A4BZNsm5h6GfUH9hY z-i?fmOiWDto4!9J0E{f8%11r*|dWd_6quEG%j& zD(u~;&>3&29^M_q_?!TCiNE@`5AbJme#xk4A}m7GpimW{?)xWn7jN7pkC~Yp)<5TJ zKigQ*MML2BHrF^0@C&yg+X3@Of6kq>drBR3K{1q^2xve~2!9{nb)od=ep1v+ugR`Q zry62xl5k^rtPO;BTRW^>cLd_U6F6q|luIY*RDJrMWz~8Ke+Zs}ewn0KvsCw&i<650 zZUuU~-l#ve=A2KPi31ap^H<(Pa}Q)=7FND?my~XI08E$eix(_#v)5zW43b`rSO`wC z_CFUFR0lmCeJEvR;2o9N?B-=oq zXaG7IW{>_B7Zr_dJEJlD75F{3*XQLFgA*r$ky=EE&S*ROmG1i$f>&>53=tkHL*9@$ zZ$gAU;s*x|Sv_`zM)UN3f8GPF`TpG})UD6`w|Kg#$7Vrl>XSwfMBmJl9dXq{QcpS- ztD{vVL29|-Jfa!lpE0@YGPEOxWjfL8{wgc`WpTjs{u+oBhG?Tmz87NN7P5m;#OZC7veAQ_s&hcF&1lsELg4WjFUee=)y#z~HTDUAM zl!~6-M1QRLRRvyVCa6CxElm*7nO7Cq{^?MEcBzWl$K1_t`1^Osh*W(gD~EOgm0fZ< zIpXH#Ay!fg3iMF*J@Z5EN}ykLief-v&!ma<5LjpIAz4N~MCY3TjEvQcX3h&5*n8c# 
zfTEp8xYf+3Pt09iACJ+P2UEv<-}s+DrwNlaK#b%P%~;A9fWp!g=mIKi*2c#*R&l3^ zB(VxZD89Mua*B4~mQ&E`CYM+O{dag5^6!>LGQ}>K>gYse%D!lqRDF2YXxVF_v3eau z?8R-dDYkihvw{F|q04SnZ(9_WNsRyZ?M_fBK$7~1#~s)= zJgBJnLLJmPG^VS7aV}Un@`nY;N}rmF9#Yd*`QgcKu68V+5VfscjK>c(Ljx1}<(LU4 zHqxJi^R01QRYyIk6%X8LOL?Ra)JRADW2G>4?jZ!~Vt0%a_SWvLg1r2{fB)38`R6J5 zOfs^wv7^6y`Lb^PM#GkoUNT5tk;N*~+k%jjHdToKg}4A#gNV2wI;L@scL!*THI{iE z^0mF8{o-NUt5>fW;U%~8tu5BIL9~}vDQ~AL$;mk|ra(sDf-E1|cFN7)7#~D@{OCMj zaZ`*7{YgwbGu;mC+g#ufJ>}&o#{XvW#Ec9dM=25i*|?jy8gW=8)tr_LIuhM==*Hc< zHsR93b87OyQ7wDyT=x;oQtn++CLXLU5onjZyOZo5*_fvC!$u?}7LTVBo&be*KITcR z8fg?73{o5o4#0pYxMlb)RQMe%EU%c?%47 zSP{>XpUsjFCxC?o1%Ap-P0gapE-I;zS3`Tqzj@#AcQo7g(Ua%@3cq~u6DxlCsMGJm z0S0bsC}B;6$o;1gg2EY#=ul)bpr?hS(GRT8xW>_Dc$xTw|St= zAijYE>#*XM72u7J@9Lq^#2tQLZ!q~fC{w1ZB8blN89D)VBrb!|Zr^@yS5!IFMZAxf z;}{`=pnfic(#}!Ri7X1a?Ei(d55~lTJWO_`jYW`sU$->(a3ROyWFEftNf?=E;8k4n z7<{QlwUjr=;?J>rbF(qc&H|?moq5NKHa0};zpGA(O>+d+MW$_~H-?gf4D=ilH@|1) zVP|LULScgYbnW=k{6-TT#wgeAE^ZHj>iQesBru-0wF@t4e~O5>=$f<(c%AmgGDM*{ zs;cMwA8Y=2qxK~gWsKx^v-Ehqw;KK!2^s5&Y(CiIoJKxqai3~m3q|ddADIv*i`?8? 
zC$D#eXxU|eBt4oX(ITxHUyaU4PekQ2!a#}=R@5+mG3Vzt0w*#Xk?O6B^zX#&?tT_1 zJ4CWC8<}xbv$DVqt4d30ZdZ182-6m~CQAWvkCGBQWXV|IgV(rFsBglrH9&-%`#IZr zSaK)XY;Hu20N@ zm@!yW;4Aad*CDYo3{pN=^0-ff%w)OE_%h9LsU$acaKPK!GN`>#;&vZ}JU<>MQ3y1p z2RcoN<^hGN2YCm5WYiZ6BH1LOz^UD&j0=$MhQ!fOicW%h;pOCq1H1a4}I1u zW8JMrFPu^sVg=^FSVNA0=i`?|@(GcxB$M#KshJrAC(iCQQTL;Sj?W4zHRufNu`y&$ ziad&2<_%gjBO?R-LAKUHY;pBwHlu4(+Q_u|q$AD|9GRJ#8WbzNmY0s4k80oC-Ie?3 zmm!c!i|&q_*lzqy3JUY79eYa%g3*nL;~`mt=#|)^6*d)Z$#8k*aTJx9u-*t}(jqv08Gm}Wl^HQQ`a1j_ zn)^-u(JYz_pVLQ=(LYiqFl@KIza3aFjUR}%cTRxBd7yUm*id4@dl3`Pm`wK%)ataN`juX5Tb1C-(-3+6oSB&`) zEct91ng1negUZU&heaXXszO2{;7THfXp_z9YRjTYH*sMRMNrr+taO4?F8ye?W2|z(iV5*KKJ-S`RLl{?3+HKWP*i-Af3sIiC*C#7@6Y$&sgWV zT;!^X`0wh{N60%tpfeQu9pqJiujPaGvMXTuWe`NteYEtA4PLN$V2hu*k%7rW*b*_F zi>Ik+_CqvTgp6<*zm!_-4rqCMwLcyR+E0Td;)(v5>g)T(14@Fgi0S=`9zTu&g$0G$ ztd30I%b@&7Qsh2aJj%w(h|Nj173^*_EElYQ^LP|zX?=|GZi}{eDV9*zo(o9+p85rF z!$OXj;o_^BFZPHO23W8R9>Hebxq|y~#aCCm(am*aiQ>=10)zdq_cvZx2&enWrXUxI zw)09lQh|5K_`|{?%{ofPnO}3Sw6w5KU@Kq$zUzxwgpEJ5sBJGx@D}A&Mmeo<(n_j} zJbfDdyUF7e-^}RM?FMHMt)YRz@73pJPdRR2E(#s%uIj|oQ~yPQm5MG?fJjQtDN~?n zo^3ETl1%2|!$TI{Yav2JY)xMCE+sbr1U_QSt7La5T&_pfQFgv;?=FBgG>7+RjBQrX zKQl0WqCkeJ3+&M>#<8uMv&I{|!g~~572_=J;Wu)$*b#^luA+U#*t$cX3U1bPF4|yy z#XAL9$_@+)O$rIs3)S}2NN_Q)354c8BkQs=2^mn^@MzU*8k{#H;+_~NGeU5GmcC56)DR&nv> zeAfKlp1pJP%1S-~&c73nTcZ!HU}f}o-8_!c4>nXZ4800tEX-WeEn_^=`iK!7LP8tC zw6A9_>2vng`k381h8JTC3kt{bUVuzoV2_MgZY3SnMw|CFMVeyaFCihJj@!K6^78WG zB?8yvDjG|?fB4_@Imp8$R%M{jFs`U5XDnFHHvNXajyyk;EnYFEA@KWW3Z~q`2Ffa^ zG8{z@iQL`AgGfrcY%o6vjcFfXTv9mU;j8q+%)NS*fHAW&NM%jLOfzZ{DWT9*8NBFK z9JDM^Ah922nhYc&E*{C(lct;g-qA6qyj+DlY4LB<<6USFbZGY**!D5b{J7E8?j7oD zh&dn@$nQ}5>{+{|tLxOs$;tEvl~C-X*1ODxg-0-Cj+sF!b$Q?o4nvM2p%5qB)O-6k3BDu)kH-Dr^eR3c_qON%vh| zUhY-wW$oERoSdz2JO$o~mz|33LlB+FlF5R{kE0w?E2u0xvf5GW)&FK49*%=6 zmFl~$#N_g&I#v~pp)rZeB#AiSWCUcwLgg(@Dv7f&Q0P#`l-;QZb|=nEQnt8})Wgpj z2&OjcXD>)+%|589#bKmvNbB{Xh+jePx!sC*5$9)(!2j!EI5AINOSs?78c^6aeiSQ`(pq^ z#dE(kLX_|kc0mElMw|7UH>6=WEbyxS_ZEqmt}dj_LLei&nJaym;h>?RJ_>lns|c2A 
zGs)F=AzjW-+K~a6^S!wqlZS|}U%y%;x64bTy!PiC^QGC%l<>c0IFAxY?9&g_JPEUT zg-`aKV;OAvND?N|YKJ8|$pPzeuaf^0MUjSSYIOssO20ZE;g-w9BG!oiYx> zB{-!5WrB9bLGEw!WD0*^r-2m~76S0*SfR6vO8~|pjNffzTZWVB;(XpShQ+EXKff`j z+A*50BPfeK3S-8)Vf!S3bLWl&Dx7UzHGqw>U^UH83;3h=^{d;p0xGBqWp z?F zTEP5goKvs+dG9I$wAaN!jSX&c5Vg_xVUsuUE``De*H~FKO z=y7+Ou=sRCg_ca1^2cI-$cvI7>|fZhg zJBe#+03$^MK}1N{XXRu@nmJgY%=SvZ}J9(pYd z0@`o8R^c)fFIZZbzu&amv|LE)LPt)}EN1jU34D|CAPj z^K4xD;+=Tx3x@;7e;UU`A+1dXxL-;CLA+@_p2I;07yvT2Q4*AOJ;y$yk5HZ#_!?{< z&5|$A&TV$H6s-d%lW!X$cdOQ9PYie|xMLWW(#yR1C+$HjB#fLq5m4u72SHqk@$epU z@#Ck`b>`R9KuxghyH^ewwNzQ))7HZ2^1&fGN-Qk!<>!+~rbi@++%R)lqa`B@%t8#( zM@SrYI+OB=F}6E7AY4D1zp|uE7PTjjkhB6T?tN&8y@~D9$vX}1-yKbQz4Ae!0XJZ- z$-AYp?Sq#EmJXamd5qR3uT-xx*J25_=Je!6Ff~$VMazay6qyLO;-;2xSo8~P^^F>~ z?ox2xdH-z;#^f!n)rnl@0>S#%lIK3N2;;hjcRzgG9gRB{D(l&Se1zqr&8@fCgMY|1 zi`2V5_@nWMIav{e^AtXgkhzkLd~2pc#0tfm5Ajzs}xB<=Vs zfqlrT*B-JD1`i7kW~K!wa;1R62~mMDe=`@lO&nuJ`1GGog2Br&F_a-D^ql*zNw#U~ z$7|%F+i#cH0V^94!C}hp7d=w9>-RSk#afkKXSE+c))uW_U0sd(oP9LC=%gHH*T?&$ z{44Hs)j96(hhNtNpTBDCI*2bhP|4{yJ{2JKBAAy;j-*?h^4XngJ8#`@`1&<5Dam3` zKOm`7JT3U|EN?Q^nYkJ*`VS(O&QdLfQy2WOHW4j*T7{lq{JkpR9*5yf#22>$8x*KR z5Lgz9Qv?GVh;Z3lshi&okFNUPgCPncAOqb;h&V184%lG_95%zUs;TNl%K>45&(B4n zaZ057JT&U!UdfuuspU zw}X}6j-|GXSwE?O4(xnS&Zv2uS`4Mv|yqvKKA0QA4-ctL@k z5~^+jh}`OMc@_s;ld|cGXAXj*%c%ttlq62+s8n$S;`$KJkR^SvtUjbXT7F0JI< z>Z{e!(BNyk8AxusAr}lcR1t??QSMpJtXh27$vnZN;1Q3v=7jn{jK&gdF&ynke7W38 zpVO)D*K_-yoSn-&P$Ij7XVD>K$Mgb7td98?{0jB;2Et!^p*2|1L99*u;h{1(xaqGI z%+}kVHb&@2&ITs=JW60Dii2ogwB6n9pA!?lR8wRAQpA?O4VROEe-9e2$#V+|Sp^kq z!Z@pi?2Hc`ZyrFP-$6!y6VX;6*uGrKWd?f3wEEV|#hn@*`J=JmElVthkQ$5d{zB~z zhyG~L^fG+@b9P!rS#kO8Nud;WLNyw$`hgkItj*~Za7F?kmh>cXYy77e{iDQ6uT!yw z%f0cuUUuL-i~QB}>_rB|)M@=YMNL2L_6)@s?ZV6%VcluDMeHOo%uT9LXbv8NDOwuk zKqwsO6Al%ij`GLcZ=CylFf%iAa*BiS(ZCFd4T7{KM||+J*8ucAoX65t1qzkhf*lrI zNVLRaa&T(N*yx>v*=F@>s`S6h|0X^#D`QggR<;{ep08Xs_bwU+*wh_khg;|NG7OEzGl6l;-g&$w5<9VH_aJz z5gO5Bi-wE1khRHPwB79O2Vh7^Ng3xw>Eo7OA`n&&Tu1qlap8>ZBBI$16xe^OS;P8C|8f8Qt&C8rpzg 
zHmD=|Y^W_uln!u|g6$pjl-Z%j=%ECg6;F;`dT_4MHb9jL6>wrTEQZs^)qkvVNWi!y zfAX-HCVqZ>pvJC<;=cL!;r^^EgqWl$H1AZxiiMF-nCa0&;I>>)mVm$hAW)A7TQc&~ z^4hOph8sShcS>bhbyh_XrS4V^bE~{)_5UOe2Zbp~H=Ks4c^zE?llr(m;=Mw%z@Pq- znVI{RZAO@CT9U-edaxHQ;{s$!?83T%a z<`AbpFZLe5rcNpv|^V@x?poJlvL5*tG zeJh6pYc-s1sJbL+Kc6a()2D4Ve7}pKh)2lPVB$)j&B6Pf?A!6$QOR^TT(|3H{t$EH z*!S*_(Wjc8Uf4tAGE6x%54#NL-r=ED?h}BwIk!29X3qBd1vpR%cJ;R1MSXaws!9}F z$V7^;)&)rQ-?21?=Ifd1!!XYX(EV@0VLT6VoJ0;Wz>$HRVqBSrtiFokH**;F8dVPu3PsX8r&bGFVy|rCB}QCp8DS$+wML^W9lqELVm6v4_N)o z4?%yxAvVZ}H=j>Ca{9ypvkGnXpC|>UVzh9TM`_~rFlqz}xaZAiq2WGZY*x*X;MrM| zFn!04v&lw5fL#(PkV{SV{(s< z6wr~qmZ|7`)A0N_mi!DlaouVfaF`S!`WvM=s}s~|XzOA;!F)&+oGLegq)1Nqk1yhT z-m>7i*R<|)?dpRkq3vtRkmS2#$$$&f_#|!fT8EsI9}jlxlP${$qmPrL)yJd%xxD~_ z2|1LYF&jtUO!g_ku=^QhzE-rn0_m7)JiR%^PFQ++Ug?67;57Aa!84(6E(vE?LNChy zhEZ_;DO56mmEy$_F-YD_`JU=|WbR3Oic#F{ypf`#dtz&AD+92SJ@;={*(x6s6X%h7 zU+*>mMIM>0?AsGIIVX3dw?rAh54dmeJ$}v_56<4&-L0Q_Cy+|$;JcpL(9+Vv$yI6= zu;6pOyR<~|6G;#hK|pZf;$`dYeY+pl9+tt+2Wv0$PoKzLtWieJ%|1Iq#MJ3NgxaX29SW%)5~vd7nh@u*V42{k0D3< z_jmhcx?H-*A||*2g5p1V`T71rWl0G_y$wi{0|Swae){mAJiJVVhXupK!xx&h{pb%J zYMsQE51Wj@PgMCWHNJ@bnEnZHL2Wa$7*sZ|j~L;1UfObMYQ&(h`Sn0z-kgfDKr@(K zWCqJ*!ooLqg8!}n9Cdji{xK;bp-X^6HD<;Su-(a(N3z9y*UxsJ&%1TK6E;szz&v0q z3XS@_TLqb67XCXnc5rvS|Ek61F&#s={$nmbOdpDp!eu6N%6<3kdpa24@Erz=EA&OQ$*nAOiF;!=t0O ztMyZhFyE6r27e3}7uPg5=yJYgfBu_$UP<_@@8Liq7xpc-Qh}xt_({x)a(uD3&g%lD zdPjRJU?Uxp1w9Uc0N z`pFY|8k*~twp*ik+qFPq$@aKkg`+3Vu0Rzs4h|QGE1Jv~tOGgN{eZB4#)$SEk;+McRB zKR*q`gsL!-XvD;@X?d0*E#vRt|F_7Wm#q@SsXF2q>+(CDAWq|Jx0{jGgBc7kosyg! 
z8E4H7vx7|6d4J`~qB7aZC7ubj_bR)sEv_qyAy|J+*6Ky>f?&ou^RjU*I zT2;4}kMe60X?l4lu)v-mh-leX00XM22KJXF3y;e@Qr=(F-(3GTx1rGu;T-buo zwu%=%s}?(1JMwOMT}lCdH@9&6-q*LS!|d~-_kHU*CTD5_f|zf1FRg5dk*|}fRG3&< z>7V%ie+I93FGZFYuG8rdFwRAs2gDlt%^xEz1&!@o8gt1A7%8B-K`ihvz9w32QJ0-*;`<}MB^nYw zM)*%&Mv~tZ_4TL!qG%YcT=k~L^AsT70GGn2ZGX;nzN0txHS@qC%=CVZFG_x8;bwTj z4SQaRsu&9wmd4e{uVtSow3uZv&VH#q2< z$x5G~pxzid8U`9{7@%*yG4sR?1@z7rsHoY7eQ9&vgkHa(HUhe3oERa~&(N!MR=T@F zZ(0k`vd-#n{ZS7A0%ri`^KvY+LV^p+G(KT4GM(!ekniGNjIq z{uEa%@vTU+f5z~Jeot>t*dOyu!=tyn(c{`Hj;*YM%k?nUkIVi4!u==AoOP zm|IiYA8KtnJHmZHLtNbL-~ns4@n>U0C9ufz=VJV0_s7|{ga&7PzLx~tvVp2pI!YjPg!u{(?AnKH2Uwl4{fDHk;K%ecS0~Qy#WF% zk`eyGB>|%8e!8W@Se=`@41{mjy;+~#dIqVD9dYj~LC~dx*@LGM-w3OLk1)+BzTk1J z;&)hiw*|zxRhKhvSVVP%=#Jdb}LQY7#XdjMm-0?h%FQAC}EfME}cUy&HR)7}wJlk0tOqRM> z#P*`-fdkhJ&^HkVzb7;CR1=5Q62PRviYr7I92l^t?~nE}#d@RZ<(!Ry3m-LMBdG6l zzV`}Jb9{FTJm*_ae;eI;-!iTy4kpL?`eP2l0ge?TTfj+()QvI(ngk^YuL5+T{{Yt= zR2L5|8~%75iTu!SLwIp}VVI(6=Ki^@t++ZC;n_gy6x}LzETG(HW#o^MkJ*p9ED#&K zgldXO#f=Mk3I!-cVYWWZV@1NFgy+Wvh;@-1|3uS?#N7|zydHdu~rM>{)LMaZ0} z4;{Q=`g@veu)o-&)9HdMg$hKOQ!{X*#k#eX+Y%Wtg6p-iXEZHuAE; zMLydp6v=6}74$OGFSd8Z+SIIb@3(v4hGSF1lYb5AlWkMRtdtTmrl1e#m&|1NBcpHs zG>3zG-e|ft{4mte0e0-^eGmCD<#mKbfX8?i za7DB%E#-X04rz4q`Sa&)`|@LNT6+2>l+!5kl9&i+4GzUdmyrsba>IChAU|t2!1>Ul zhO~+MM!9mgxY2Fty#@=wpe!Xd^={~miBB&2_TO>ko8&>;>S?>}?WUs= zP4|>y_uUM`a*lx&;niYCYVZXyoy{A{<7KpN%fjSGe%r32_+dK@%->e+>9XJYOeV&f zX~cT<&z{jK#4v5H4a_9`-lIQaJd!>7=bmafF#=FNGPvN&PrFP*%kGna6^zDw%GHwp z`fdC4U}@1G*#v5;7ay7>Y90ZazAD=B(KidULqKaD3pb1g=cNXd{UI*vZWitb#<(M@ z^2+B)cRtFgTZ)pE%n(pJQoeI3tUpZ8sVh2Y@hMx;nZoa7Dtk0659}TxHsQ4c1&1TBOYp2sw z@atG~X#EV}lr?55#H_X)Now$uQKwT)X;(xrvezzD&y)#-0pRn1c|%ZV?9ZEMq>sa< zle^q*h^bpJ*E+1SmoDaq-L_qmKhQsG1Qaa^mw0tw~D8_G8t zjg}T{T}2sDX0^7H3zzmTZ4Ja70??tce=S?yC#_3f* z!&h4+7Bvh;#tl^~LW}=6Cemw(z!ZbZTCA0k?n|9%`j@0z@vUU`^ks~Ru%P{pxYlj3 zNdvoH3FBF&*V;$1m}9hYsRKa96aG@{A=~G5^g3jil>)!i&W_f_lOL*4IypCH@e;AzV5H7Q!{_}OzfGr^<&t*YwTrA6XI?eWWXc(bU3tzR%`Cl*8kU_ 
z`Oe3Kmi|k){raq<)#ckGp*Ia{RrQ5+nGct?wisDbAJO1kWuXK}$^(gC)@rY=LRQl>% z&ab_e)T<;{_&;g>ijQ9($y~!HBz<+oXYtDw*lEBE^@5$b!i;j)9tgqoB1v!c77XdF z?R#y;TxlhT$n~3+hkQQ?+;RYQXf#j>NkvamrntEM`wcy+73x{ApR&nUO9OaOPQWf5 zG`$-DL`1kLXlNMTz87l;_@Ims{V^V1>h~$5_b>8gDw8StpQ+{ii`Gh>bh?^QtZ0uQ zH{4wsQ+Gd26Ldk&`Hqnip-tQ`NqIwe>( zX;f0cZJ_r6mVBS?wq|4u^L0d*LFs6$;6XY)Bid>oMq~3z*{ZU{iJt{=^X-NviH+R& zzIy2jEC&Z{38oB!1^!YU%@|}*YO3ygQ=+pVqHb~s2ZMz>k$|7)_wV!nLB7ChtQ=nS zZJ>;<(*lVN5)DT?%*@Pva;k+So{yHZ1j@h@N4Asrv;Q{a57<7<7V!?}Ig1Y||SfLge0cEA38dHmO%)@fKrzf8LCe#t^~3R;uK zV#N_(1rYf@T_dX%&^NM)N1k{CrB-SuJ7AD)aQx2R-c{7X#UEfvm}04@>Fq`v@wr?j zNQs+1zqgyY5a`ivGY1IP7LK-GyG%u_o|k8cc?SRA9Cr6B%e<|A9`z^7^yv$RuTHHv zxqHpm9C4@G{&OL0maD4xT&geA_xAZ-Nx1UVU*8|{^1LQq=-G_{)9_^9nE#!2^3G^g zf3Fo@pLK#mpA$Fp&7Ug={5sBJy~M&_Oe`O`FAteEr;2f?VPV5cr@3j+b=L-n=9>=S zfYfPT-UhA-sij~jB5=t(4n7~hHN9>=0WS=mE_L}U?&4b?Rjxa*3yMi)yZf-Y-qqLC z41v&>5CI`o9s>=eP z^N_BGs4Q{!a5i{lD_<6-MIjc)(hO`H+TBe1eWpGTk`)a|g6nPr*|j_3=+CtWEkbg4 zV|E`4RvaQIztUIpX7;aiA3IC_u*<)pCs~+pXW!`~{=*&%OY%dE!+*47&fA`+nH#Dp z!~#;~@c+FINn6DOC@V8_;a5i)ZV3B$X%sVXGJo$Ls5Jd1M7W8DLlL6ox__HKuK(Y^ z)T?ti<#{S@4fJmT0Qfmxz4q^hP{z(-(C z!tg?l0G#Ony;{#F>zI6>po9`-@}JTo0W}Rlop904mp^3s5@bMX3e`3fYfNabvzZ8S znES3b3-H4yp%`)cY@jMdo`m`5miu>;;p3HNh^+)&kHu4^z6i=}&!1g&ZimY~Tslqi zcHYO^m6CVTPd7eh-}S8!w+9JNtJXZ1lTtE?C*@(Ktf1JuI$`#do77pGowc+n{qt6$ z77gymmy)y*GFx=S1nGn z=&%$DB~(-zMDu6@=z($iHuy2o5p%nJhe&8@s14sEv`rkm_Rbhn`HvWybl6A=EgpTZ<=w3pT~zu4`9U z%m=r)vfBe_o;0_{DTa3jes13Bd}ikRQ*MzIN=tYsy9!a_2w8czQR~`>rk5}CZJzNC ze)kF5vK)%`uV`I9O#%0Ri`l*C2kia@te(g&IcArF%T0&RL0%A=tk24N3Wo}g@7C#* z9sF0ah$fFyqTR#atp1Ywd1Y$S{N4BT{;%WLIw%cy<{kcmcUe*+PBGhE>9*P9IsqMG zU^W4MSrL3Ddn!A z7fUdL0f|%kNEsjdT{GvFV)en=fm=3N2|w+a{?6|O{>t0RkGjzvlxJk}C54 zRRRX9*@FdynVXr4P|$s3V`13O?pj^!tthH!rY(`_U<;1(IxqEEU2pAX zHXVjFCkKh~9)wZbr`4+~uIHY9n+L!6bi^Oh75MLe4nb&sdqWMU`<~89E=;=EFHq8D z9+%68M9yM$#hv_Lj)55aE;gBuEB`KjfXVL)4Cm#lgoahE!-Pm75%#BMU&Pp0`nUJ9 z60|xOx@~d@B3E7<1%DM+VuhH(i~j_mogT7+Jn&2cv7;}#}B8pBUU9I2Ftm8wQc(ub8Gb) 
ze{mrHuARHJ$=49!H`LOwGAtVN`8y*!tgph4f>V|lk7oP?X*eBZy{S=X%%yc}5(=tC ztpfdDz81N@q2W|W!ktvTXaWn_M)AWXCDcWz3`a<5F}@0+f4tJfD2=}c?{^n1=8c{q z$jGgGEzChb{^pHeTxVSNr;XzjtkU^A4;TW zY?DP@z6;`j>Z_mH^SN{-xUdE2@s!SPe;TPlNC72lWOso`GbRkQC4B$ib>Kac5pPSc z{=LD?cyM^H?;_9oK~_@TB=UMBZE+a|5oXw#NJEnxe~x1oajh6>M5O_?^?Q$Hsn!-)b0U zlDaWi(%6H9*6087YGcQ8|0V}vX6imwO8~;f*aKcPW($sxn(g?dQAskQrU%{{3h8Zw zN8?RKUz3uO0=RDD0@B{7h5NfuV@;d64k{BKpV|}D`dtzn+^-@k1aFbKcM z$R{G}V$VdcwBE~1&`>4z=*(~ZJxL&ZK9h)6VQ#uxZ~Lpk|KtWgYKB&lzd|3GVGh1p z0l^V9FcXO6|L^|9X=oPK74Mbvw?+*Z2V)sSP`6kyI%RoziFq5LR*c|DYjUB04s*%- ziiKNTB@lskyce%~O^utr*>*f~L&obz4s!ot0m3-q;3GfWD)OwG8V9Vy7rBFI|7eHD zGa|WH;BAfn@A2Z1QeoJQIy0G+z;_P{QwTGY|Gi_Rc)mRXY9p8n_nJE$m}GH;y33O4 zQ=;OcFCH6!-=_Mkp`nN6U`843LWZLibrx1Ss|OD=_pdl&1oND0YRvE|RX14HED{e0 zs7t3h?lbwa-=ImE@6|&smKbIESA$oy$_2sM!7zbna;_QC)LvX(R&<@=>QzvpCjExq|?5cJu+o=f#&8Q0qCBVH2~R1b_HMCu|mXsm5@H{|w;)$zc@V%zTNhtQi4434M2xc{triA2{!b3j`)CgZaWNjWb+aa#L1Fc$$DhCcxyP1f zDb@4vaUcq!x&7m%5O`rKpZ@pstohL8w70Ru`FA3ONlj}pL!vG4mBlNza6#20SA04A z!oy$RY>}T`(2z;#Eo`-_wasN&HK>?k(dop@eq?fjZ`}}9K0K$5F<1Wk1EcLZ_rbmE zJ73txYx8~>l#7SiS{B&vD%G2k?D|daGMO|@>9bCiPX}%NwuW@XSeu7k{5sxCc7cA7 zVBeWM2fZjARjg%GQ&Z=Q7YGcT)_io~C)SaRm z9IkPpT@k;I&vAzr+Ppj#G}}y@M0qN00>kn8`Z_3Lk3MS@M9d8QJYkl77|3(ynlN5L zrxQGpVfo3RE$Ul?$c(6Tik!iiJ#F67;b$>%-~&^M!l8AESDU1CvEc*(7voHVfX3@) zC%-6#`1O(E5h{eS9RM_{p|FK-wk-_CqDbc*DK30Vv>pIu8zdsiBL>8ggi z^60-?JAE}Y6dxaN^c57%L;n8xalSdfiV{1Cl8M$%L>`>)KGC2DD|t9xV4Zi#XqE5A zmfj4$OShs0^S)`ucYe)^uQV5dOa@dOOU7CNQ;|V8x&#JhYoZK^GWfaeTdKs*vZzu$ zE7NzD)pghV)u@|m@rj>cTRw%PL?5S@^f>g_L8MfV?766Ox`w-C%Rh=vJvtonM@DqA z38g}lDm>_|oeW$+TLw;DTm^obbmR9D4aWKyf+A+#d<<77?%w10zLgMfdMRi(5#}(K9crJJ-B_NS>L7-`%%!SW* zQF5p&C5az+_TQ~J@zPtd!L*Bc;|K=8Nx@wD?u`j%^{%)07W6)t=Jwd_TOVm^$ib}f z@bln0W|1R9Xg!mlVXQsFautBdv@u@-9S{v6$S8+RhUtF^jA6 zpAk~%zHs!02_t;L_2k;Cp_@}+iYhkY{w$l`io_2b9tPaF!7Uf~_bdV-6>`_@X^*Ci zD?7v(#Iyd-dw&GO-|q-u~4Yq(n4B#!kpy41XylbieR zukOELor7Z5EPUv|jK$VF`}^3;0nV};8PVG4a{WU)`C1mJbj(eroC(is899i60$8p=*H_bf@>E0RajeBJesai2U`lx=@DM 
zgwTr#lUQJV;*ho^tB*+$m8ez2o`cZr?7AN!e~Bepg`fYydmN8!jC%QZF%1^-?UvCv z?Lr1Z>gT-;^tx7?J~N6fxvoy!^aMDpREX>Ea;u7Q$?7QE+;@F_WH2~Gt~O9vvoq5L z{n+Ik5NQqgD9jR+8L3UhpZ-u5%x%xW@<%f6KdLN5~kZH%!5b04BPS}jq*tbqFbI)0x(*>Em+%8cT*RRKW;93?2Mp-7N}Yj{Lo~ev zsa^koWhA4f%hbez#wX?sXkInE{F2Ny;P?&lyPzrFRtBUTB>2d^SZ<%@I9OPl3XiC; z@al-69hO8`L>S;=vVA@mq-yLLOXHKOe@r70E z{(YzQI%jM2?*xCI;P7x!)|3^ybW2(v8Va%pp024L&x;>Fc46nd;O*_nm^8S=T98P> z-aKzyKI!x6>-C9m5@tDml;$W>ZLCZ1ty%`v_m9@#SFS$)julQ{&NV(AntscUm;Amr z7WS=+iI%GOx?h`gnA7-IUjgL$o0hMfCo zr0^v)y^f1-TgK${B_|U{cJ?%={?%pZF}X zhVJqg2*>f1(&B1H zHHkqVLll^)CB!b+8JsVMgT09=ks^<3n8JF%Ly|0uwV97SrLX`=jf;4x)O+2-D}ciH z5>QVmU5?W%^%PiTwjsw%E{cnb21nR;D#*&-Y_ul)jcWG`nVg$TDA$|%__0DrLP8v2 zt_^)yY17r24dA#a%#69iB$!#f$+OoSO;h){V099EdUGi8F?ypD+6zkJ>m5T#iL;tV zB!P#AQ@=Tc%;1pY#mTT6tyJTtA#lbaosf1Pf1(`0p3ez`zt}pGkHf&hDvnVOp0F}E zH#a`0J&>chP+G`?hPR?g0ilB;;yjl(%m>!nkVZ>-JG-Cw&Fe z`;VbG_3HVZV+=T^+(5CGJm{mHKs^|4yW%(E*=k{G&Wa@>W?tEkWl695$?wJcQ%*nl z{(K@r0RHk&sM`FazU1H*E}-MvQdeAPV8>DdvpO9+mo(VcDy(OFs2}1n>4-_@r1W%v z$vI)Z8R-)2VFMUmENvpHXxX-EXN{-SG*g=hWK2xI z#5$u#^06enCuQ%eisAuTP5e{e#`dZ~gS zB&+vDL<|^!Z7i@|iX^8XF-~u9es+}-N(82zmoJqzPnNH2jtiQejGgpW`R1n~$mXUJ zX?`<5j;+Dk3qsE6J{o?l_;V$xHe~lcTVtr?Ff-m*Y;?oV#iepfV5L$e@`3%N*gk=$ zbg}lju(pM(OkIuWIWpBp??MmOho#-$s5@UOq@{Z8Fu`l2QJr4X>k>IJ55)I%854FQ4diB@}8U?S#}|ldgX`id)x{}e4VDQd|Fu6QDBLjQ=S>tz|N4}jsb8Xn8Krv z-vD0F@01CRKKr?P1jpM}wYTSqIGBCrEc)e!4Bav@uk9K|9w;O)8)-xnTJOA9|LS-? zKR=i6>RnMPl8h;U&a2doRS4r5^JHOE0>$QA5F)=Ap__9WGt-cfG zS=*|rTz@6E-e|J1W}ESCt}3w^bmf~E4{EP`j51Q!gI?&}f>lwzo1k9i+JjxZKufVN zjHK@9;8J%sav_Dupx^lLN-~_(fWuKRJeKhCB`o{&G^Ajh2IHhJhixA0EVNVkuCJF2 z_I66|zcfkhFdVuwgY@9U@Y;aeLybiwA#)2c@GUH{j|-BY2OV06hE}u*3J&m@p+JRiABW0Gs9okoMn`2@hH_B8d%?u3 z!Y8>$Ft|=hiKua1Qeh1>#c!u{7=oUPOw!;0G}z@ij}HzKk0Q0rJr4wLI! 
z%__<7%*&7N{HA8Cw3#k~_sFF!lJoFbBD@`}McGNAbd-XfLBMSvli+RD+1OykOHzuW z4@T1|^^((8YCmPU4luI8s3E!^r@w=~qQE_n|)klx>NT6t|ySei3 z+L_Uqf5aR6DPJ!^z+|3S;)uA4?3vKH#a62i?4CO zSig2#6Na{+UP{EJDk%WetN7>slW4$$fQ& zSi+j+1yl70MW=)?l*o`fw_-2?9$#I3%fU9?-e@h6IoQVsp?vNZ>eW7DdzB1nt($Hy z2)~UZi#9In)05#EpHf5d&UlQ_pwMS^;D{EAmDMMf-86x3ePM2|`~OxJQK)+m#?5J> zvAxvk%lR?&Wq_X_nH`&(NA}C6&KR91x%rN8?fdr%#V|z(cCe+%%TwPz`4hcTRP+i6 z6pyLr?gC2kLFf{I23Pm16^k6X^Oib`L9S#QdVoMV)+G8*lUL7+Vm(isL_btXC16N9 zNo}Eh!Ye+Cl1GnwpuZE(7`Ot8&tGI`&(wCMNuqHs;Z0C?3GsQjmqKh>VQ6&8wx!4Z z=k!lyIC;0t%6NbCU^#><;DbaorRW3&KTtu{%2v16G)Q~ENPlbqhhj-L|WG#i*BR&ru zc(Y?2JSYcp-n)_S?^QU`fQ*f_n0SgL6{Di-I2KhSFKUk6FZ?MsCMHRmGL5*>S1eRi zmr}W7W$n@k9+w}?*H~Ul8553Tyry3!OixAbQxpe|pd zu>gAmj6}r9(|18|X!}fv*Vt#&iZ|fT&BvZZq#h1Vr5f*CL-*UQ0Kq1!V`NzBB8^{YCs!$ypZ}w=Z(^ATX$V*X+A;@Z zFAd^ZHrzf>Bq+VNv+P5@O;V<}yBH`om8e}m%ZH@Rwy-b@`p|7*Y)!V^_a~JsE}tU1 zrA7s_I_}$U8^>-jjmM(IGYL?4ce&fqLo*bs{|9%)S-ve?G9zYYU5$8I>&S6$?=$ZW z0Cl}wtWbiZn3=fH$mIt&;L=?HA@R_@5Li|oVbPCsb4j^50~Msm@alQm#NlD>8MOsU zGUzed3Gt}!&BWCEl<6o?e^Q6T*An%jxhkU@Z=@0C4ibk;1^386hbd2FeMvX{`!@?X=K(@y!0ZH&Kq%w zZ1$3ZG&z+q0H~?{ydUC#aN~W#V{taQdnYoLVdw-u;ie6w37X%T&RDXy>Np||v%P063B{!6@V9_ia0we#pjMC}CT@*9k<&-Z-oAOVW zizdIrs*$_ET31FE!S!MYQJo4(kINlnbwKQ8gmAL6V<6E(3svFN9~&4NYJ+~s$>~XI)j5OqloVFqlZT0>jXv|!6l@Qo_35CYT2RtCf93pxA#CyEc23LD{ch0es zaUm6AP5IRvP_@;ywPMdi?uB3Yhx5?_Qk$-c86gWtMu2U4{ls-q3MRxTDS(g9Y#GMo z2G!sD{I#`Vt?$<mG<9r~hRWdBP^Q)S@uvbfT!odC(^XroyLZR(7h6}T3FmyfOMDz# zg$~zn1Os=^Xf26!#XjlJAtxeLQR6lik6sgzMi%GSy3pzOrQzC&rHWUe3yw!WUWhfK z49{PA^Z?iaOYTn|E!V3>S=MHwq4dH@a#;;kULFGA38y8FzF5toJ*OVS&8k97ZqCmt~zy0Y{lg)fv z)k0J*{f9Fri6#uFxhdq(VHReP#-a`el`x3Gg?Ihmq0n0314FF9y@FUP7k6ey!K9ZD62xzi$N)3>z((J=xhg87Urk zwpcds_nrIo!oC%TadN-@)YNmxf(99xQyxCn8&5~s$=gn&)E#R#K*zyI6*PQ=Ki z>W9?|E1~zqpg)h}YaC14;JH`<^zW<5#l3|UI0~hSdyE));-@4KYg#{Bbb9@-ecHLm zZ+&qzg{&vTUAHupc$OL{CBFj1L<4t^-2s8~F&C&m@unvltd{ zB5|ES9gCy5Ho5c=P&eD)p0?J)zy;*2$U5p9ELlx(tsWhrMxop9xE!)j?wWQ6CQ!?* zc9z6(F 
zsd`A=rpwBJ*4FT{;V&y=QvdRV5c@$62`A>OL9OJ)CwHDAyDL~93nCL|suf8KB`6kD zEWP1MHXKQSKha@p@XR>96ZV*L$l0ig-5x?imQ1y3*Y2|b{9@XXW7+}(haw;h{JaxR z@ojYdU|~W2g}h4Jvr9v2>%I*w|Q^>w4u`d3o$77b)m5cYJ*rKWwh_tGb-c*4YPc9X zvvXlH!!cuG6R&PNZQq;Mcq=)BCU*l1lxeo}pGYMre53a)S26loJ`#>*?#1F2u+{F<*c-w5vt*k!% z0JVRfQH>K4U!ek?)4#dRpBp00%r5WE1ul~mXCz9?m>%Z5{f21lryZ zlBkHkm6VvMf}OtFmf5@37Je#qm0x29B~eB8Nd+qts`!KiNf+vucz$%avsc9;9)GvZ z7JzV1-sa9*z3x|gWr;zZbFrA`)>*SZGtqn$Ll7{`chdSoZN0bv7$w5=dRC+*!maVPdI??C}!4ygAo3=-&U``emfF8x|-)X=pf@qFOa~|{& z?Go^6Iq&B!SR)t`VlPra!*R=#g33sEGmh5RO7`}hl=9z)xy`WbL=ZC&&(Qk3Wh5za z8QMBgV;e2s;0Fz~JoNfmTh8s8N)HkE{M1xRomTa`K0eS%p@{7TB%Nn`I|Y*t4$+!U zgEw0UG`aJ-xh&L_GedbLCC=WhzW^>VlaQ-GsT72T!%fLTOGlmwx9Iwnl$(yq%* zhHD|;H}nIlPDH~ZeLo7Ogq<2*xJ~UJ{N>OyR3dg}W(L4%{6CL3b4g_<2weZ{rOT)8 z)Hu7HO95HMk}}|_qJi~Y5qdxdr47R&!#nCkejRMfawi5oY#vss!&J>Bbyhi#niSk| zx=W{p4e$YnP|1Yf)`ExzIDnfkB=EY#2#HKRR`!3j2F+4%?{0c{-Zm4=oK_oI_ak{; z)fUIutpgK6P^*{|se^Et9=}Us7>W7r)6on3_Br*%r zvX5AVWM5u4EHgI3q^6~jdjM}%*O1zqTNy_)iEcAqX&0{Knyc9P-2wKi(EQYJ6`r1) zz68Ijm*z?N>u>TG9fTvJLTEFVZ3i%%;}#jv zVmaiGEc>|P(LY8V;BEI5(Kj7L;HS&I8 zDtvBL8}#jih7=4lRUP~z$+*a3B6G5QkAUr6KR|WP0sx1NP1wec)f}^|T8>uh4U9A5C<^DQa@+R49(gNXLyJalmV)c3zuAxQmiTFW){37 z4ICnXvZ2xEsGgY6at}u+x{Ono4f=9er2|>oRK9@uTmzcG=L@cYIzG8^hcTd;6|aBi_5_0qd-7*7mJpiIY^lt?-6<1 z1!qZ3^$ZMT?Y*p|M5&kH$%~u`n}sX%ncook*uh8LC{~c&iiT5yk*&-$jCP`yi3{uK{sspVpHLiK}_) zC(mI?KV@NM#)3y+ic{vQ8{{xfuE);s(s2R9C)9B0#dLdA57rgyZwqhMY3#%&Lz&+;0`WD6&vwp=QC27 z9=bjMHd`dVG~;Cp2YVa{oN}X@|M5vTM{$YV@$C<40s=2<&3%zncSRArGO@jgiFn0) z6yS?Ye+>l2P?s6Nzr+Ii8A!d`hI+A#p@S$VcgD>BZ)fd7p$2eD(fcaKYbqbeoWjMx6Y|zQOCS|d}RU#PpISj zB_9l>7F6ExFwMz2H3vJqO0z})gwtWY#v-jdxlru=NevjUpVfc6G zhiKc@UZIW2+kM;L%*kEI$jAYsS)mmSYKlnoHQA;^QWyKo^M?PmbGRg+th z_{u5WgBhN;NQcRwA_Lv!6$FGPOYzA-WQ60&=lS^fJe*{>k?m^&1~XS=JY+uA#G`qi zMUNc=)#yzOc838bf1v+M4T;x%5UmA7WY2ss$H&KgYM^dFta98V=mQrh!)?#!mK&cx zH=>dF;@c}?`;%bDWf~01ss<<8 z?czK;K633H?R$yHVd?(~8kq&1%HLqq7Q&3WR2bkxe&XjHT)Kn_B1{`JIO|qwG 
zs#lM>MF1Sdd~5&;n8%6fB}Dm#JU#I{-rkz$mZqm&n&+R~I|~7cg7p(OKVLg;Oyjld zrDCjIdOky4`+W9E)u;AW*5qM$7)gX({tQwI5@nRFYxB>*@u5!`{wBU4Ct=Z{Bz3uK z=1Pgr@xu^xOchu`=!X)@MVF>6yS>!K1_p;*-+PWv$4u<$Kqh<;lU}7j9N`duiDx~B z8DF0TGZ=|0`)3$a1q;Lc{rj4GjLBXeULfR1mBY*eBxvPY(EKy|ao3lG*9h=vI5T2o zWs3$8?7`=LWnl#|kBu=i(S)5W1dg!me9MLja-jr}u|4tUY3t039|L0huJE!2jY_vX zd||l!QZ$jae1*{@5+{1zyyBY4_V3g0E7;P;M&A(6EnwFI%|-6Bz4*rZVlh$H?Iek= z1Y0sQiUyuc73?yz(7Bsjr^7{R@e|p^n=06ctT;9T@phil-*}LHKnl$#y&u-Ul*VzD z3?QtWaFSijVU%+C`mmL_^MphmKM<3lypK0ry|_RB`h6A{+X|qOhJ^%)u{~h=P*Gn! zbssRhXOKs{ zc=wJxqDM%VsQLWpX(LA$WydPGtwv?Y#g6k9&;yRbp+y)p*$%A1+c&oXbq?0H73-VO zVt1rhOS0C6N~A6QZxBtvMce|7cW{IS;LSqva==ljs`{5&YV_DmUOcTK@m|BDQyN6;D63!9J%!mCJ15THM2m9j{R165L7u5@3 zYt+)s&pLk>F+{*d85gW;S#h{qgYHJ_&s)sHzUEq|Dqud>wm9e+1V8GkGq8fSZRCO^ zpUp{xdK5Y)3G7s~{p9D6>a1)DuZq3aVe^qB5Y;c$rk%t@{d3c6Foo9!;5!>&G}bGZ z+lIE%x7MXw5|R57g2-+wVL7q$PiFmJq zkY|may?aClAfxf2M4eSg73*g&n=ZFB8U2dyoc7J_X$Sd7uDo*KRE_!943)*M1sx zyr-w0|4JW>-5Xf(Del{sRuMZC+62ig0S|9y%1YAVGMjOFgY@R)@G-Zk@8jJhA68@O z&P=P3)?HfiBPDGm+y=`t$F6_3r-@JOKj?&q$ zZ?UT0GUD$2d}NH1<655kO^EgS9YD`^K%)S+;F~5KKcTkhiMYN;aB!y6CAKffBAQxQ zM0iYph(Xc?Rg_QzvnW)}hfCRI(;|YgR3VNFA^$q?V&06sd7>1=HPOF2z}Q4(C21Y2 zn8y}2y0o+dR=Eb}!t=2qf+ABgvIvZ9R<1Sl%3q&(SKF00Usj8_va;eXVNcP8P?3}!6B7fxtAAP-P6KyA zj{A3UfO5V?VmXmr`C0In2MxvK>MB_i3F1zqH~pmq0`B4fZL8;T1F~jzBoTgw&?x;Z zp0nK(9VlvuCR*9c$X6y9iiwJ&TH+TeWa+5>3@M-af{dJTx7|9^Iql6XX&n4uOk zAZ!X&IAW=;f71Y_pnmRhWs@WzsETHD1c)jnOw2-^p!+}lzpBdRSyKyM?C{@(_UFgP zGc)Ej$>BFUVA{vkoX2`%3CN}lKJ-(?tpClBA{uz0H+q~-Gpa(oi}H1I`?+-L?f~0o z;c+3q`pR+$ym<&(u{f500b?6IHpDGC;DPe9l8wR#Mo(?ZVc=HL?;L~)QiZC$nzEzb zuSUEU>|@5A4144&-|1fwTy98uQpJbG0co*al~?K12Ed%l1njSB>`|LhZ6eH`5HIR&aIJ^+MG^L#VQSAr?c4O5EwIaXLqaGo zMni|^esiUrcTD(H8F&&nz`Mct6re<~U-!l4sQUny`DOtYy(bo6;@LO!V*#xC7Un=t z#W#<=(fIQVtpXo~u;U-_5*lHOp^5jI*%?#f9vlPbF$|4x|CopB>b-shjfaKS!Nfq9 zc~Pi!Ol`Nv{ibRrVOkBNjo~k-;&Vq9qziNnBaNFuBxXeg40@C|A|l))BFrmFX>V{dd%yOPbW%#*e<^AE_`t-lN-`~`-Dwe4hzFykh#!_>T~xB|NWrgcj?eJ 
zWr@SOeeg=0gQSaVK}Djuic+irRV-;O2y1>?T@6@7_YX;*kzyuUEmOQNko~#-(gzP< z9sXWSHzt>sTw1IN>rY2V8dR?{+UDox|Ct+7zCX>SK*F)1rTo(8XFo+3izjto)uD=0uVkX)p1^2qc7^YpoMvjTpd2$k87UQphNs-HmR}9(;e^u*S4lF#8fbM9;D0pDY~DmKIQ z+AmRdmLdvo9v97_SIU3349Q(3hm{Msej^cluG5Le1rHID|`FC4CkTLl5hRo zaV!o(lm5PsG})aR5zX#W*Z%(ge!^qC;~<&9Nq&`I7@?X-Pk*X#`~aw7OOH1LNQ{#P ze@~`G(&7f>J#K+%G45jn*!Z~KD{yt#P|p+l^uLc8OuB_ov3#ziKV|~Y+x&|5 zr&J-B90d|AMW!-))taKzACVK#qu!pk`)$w>&K($Ue?udMy+N4`nS&3hm)iLyMW8ch-n0TLbp z`Ls{ZD4pXCrK*LoG3{r3N{!q6fY0+r+(4dXRD$OBr@Fe^+-U@a9?e_9IzmD5;;~+> z+*%t%{a(ADxBNHE>hbZw!}RoYke|A2(Q5_O7(D<8*Mig6?om>|qc>~!#NU3A`3FKN zc66kllmYv#g8ckJzcQ(Og3psm!2p$Ur5_yDtdg|x{T`uy?1ISNnTg(Bi;}MuDLu!JfQ_%sBdE zR2Qv3jCI{MftOukGe6J9+6rS{^e!RZ>&`8{e>be(EQVW(9-jumFg335EjIH!oo{ZAA&@(q$6fZck4-3m>XSK3z^_qynO{P7>I4 zb#^KtGhxwlJj~RT+0O7#D^bUfI3iDOj9-Hob6B#207&RW!ijc))-HNg53N!qCn?(Q zzaEwR%!j`wCZOb9g(a-1ULs%xW9BnPTq?sC5FTXD80~v)U)rYys_sVfmA+i}Bjm|4 znGazs7whWIHS_^CTd&_jlO^^dyU5g6qKnHTL8Nr8@nnhv=dKpBcxbI!DtWpUWm<8^O&4k2?*6X_3TY9F<0aAtS^dZTcX1iHNGZ+SW+e?BOv9G#x6vm26aWS4Kt&COjY zay;w>(>0g?+JNZIbMPO+IC*d_u)m8#Ih?KPP0IFcqn}Nfg8Z3Dg#qt*jDNlRE?#U- znzw}_lVG;BIqEO`H>S`9Bq@@C^hAwLN{rLxpW^SYwk8n}JMZZ^sx&m<^P)k!G~AJI9V7+KMqa(L#Q}RdMlW9}Y?l$#8y6;WaRbyK zZrAC*(Rqj+INQBY^~rt7g0i<)A1UQr%GyBng7kgi1N#bv(8EgA`fk5dDM=V6H8qu% z_R!{ab}Fw{R1Sb_(b3Tr|C~&J-wwx!b6tH)iYXRrNXO%SpY0ghht+l#uL9bbLB#`G zHw$Aa5IHBMm@HFXvX(IK(&hi-&B0qgCWT0rLLa$&fJT|vo~>i4Hto6Gb@)10dRZVa z_9)Qe*}{hlRdHq-JT9NucRyXrx@Ujg@5$oy(|^MGhdNkMQ{iSNBu%5Tb#vjhK$?~& zUagx((UHR01Xrh5%n|Cusnr4Q9GWMiu>`WB!p25CA9~izi2ZsKBSu)2$S5gx|%$~BN zGF3L3BVM$S#(9l?^XTY^%sh(iY<>Gm-L>!&#GRtIb#@))Q(~YkaPsoU2Nr7hzqKBT zmxJNw05yudVoIZ(%g@}I9w(El&&kPYUVQ{Aw7ReO5J=0wxv$t@22Oe0d-7K-UsJy( zr=)|# zEYNjBJXlp#lgCR18%@%o1lZLYdF7jo5MxB;y_zUKvLZxv8NxU^1Ven{?IQEJpe>5e zgI~0_1I5VB{!IX`tqi-(0tLOt*5W?5OHQ;}Vcagn`+&^%6Q$|Xkpn4*IK6Wq)P`b@ z0AdoAl$6S|vSQ=u2aAn>ox&K+Jhkf;(hW>T?}ti2O@57r}^9T?3arA}QXuHlvXK&rQ^)cl0 z?P-RdBodIh2=E%&$?Hjv#SutuP-VcSOFz=%sz0Bg85&22GIjKb{sg9pwV}e|nMJ!F zb67D=T1>W5jJ>MKsk;@XoLdnc0&!BrR`+N-%B?= 
zTcZQ`SY$D6OqgP0wju%eRBk1+zWgaOH1hR!%7SwQ8wf;_x{nHu9c(EbWLZ&iS4_fr4{^RxmS(oq=J24Opl|bj7@+QjGx2A#7owpiV!#; zt+{&l3v+g%mB{fB7#3S$L{2&QM6|zKsctnV^C(eR%41ya^`{Bo)G2D8Ea6~~Ym*G- zEpb8of1gb*?pYIv$kqw3(A#TNgyB0G_WPVtY%@}y0}B zNK#wX$VkMjCX17BA)oI7irX^VPi2a^%Nec=1I0Ko%X2s{FRyk$jpX2jdCIUWas2>- z0h^E4|Nh*r{}mqD@jg|l*I^=!mSOv_9i+KX{fF(xk{N5L@jN|jL71f5&IknD^m{VLW3LUv9&R&(}^ASn4 z>sv;ab=5e@ZJwAgDLAJ@Qg>aDVg$NzKOXmo9HdHKmc3k+sUthem4M@odadxSlN>WM zdj;s1#E|$HKP=N@gL6^=C;fo1;fY)lCcd|^E6sz$%lMkoqQGkniZ z5gE0hIBj}Y7!otDwnP~~=x7wgrHjoDlT!bf!c0oKhCU_tEA!CpwTjOL0C z*TZ07uk2*N3ezS=yR@Q1DeTWdreqS!eLrM%m68zOl$lvbcp!eamwcF%Ia_72&i zQmXUcEbFr6pDY$q@gx z4{z(xyver|gp0PZEmCns`UM0q&(L3^J)_erQ4a-brbY@b+N33 z@A>es!9bb2^Yqn4ApiaS>&Na&EKlis$19KYuhe}cfo_C-9coCD{45IPto&mEE-WlK zHJ-fh2%2C34dCL%N00L9;`>1?j^zbUg$)KSd5X2r!_7-cgJdPdG_cb>)ZmgF8)Gfj z$T#3&t__M_Fd?YcE4-cT1?drqL(ZTPUHkRii-SO-V~gzNE530@EZUOqBg+*K*F+2z z>k)1dexIH&%CjLl>y!uiH=y-k^NyG0vY$v?xd8KR%G8v3;oGa2&36l%;V3U1wl0Z) zKMAbOg6=jN8d`$_uU_)>KY~5pZo7_juapUwfdsPR=G9F(5Ipb&Sveh632YI1wo!79+I zV=@lD9`2VXvg3C8=d3FC!d(r=&xu~c0)|<`N&iLRb=e2LSyU7Fk;e8NKN*MZt zl*E5IntH17_4oeTP#amjnNql1@bW|;68V2Pd+V^Mx2_F%L_tzuCG8C6cq-Lk`fRQke2Q)l}1vUp}Uc8{r1c`&-=XZb$#DI-}&R5!~AORwb$Nzt+m&> zZv#tPIXo@xm$YUjX@KxGEr!u>dJ7?0xN%f}5foA6o-g81(`}Y-&k|k`rfct- zovzfc72`ZSa+YM?fuaVIkh7#Mt8truG2q^f=VM`A5YmYK0JRINad9W3uQ-AMv@XPT z{DJsGxmR8#Bml>u9|h#*IPIL(v$S9MNpo`(54N14siB{*{g>~a4w;j1B+Y_HvgF7; z{wuubrIuk6a{H%UO#6Ayi%XNq@B=%TI(Xx@=vfNv_zL9d^9l=HChP&f-2k3G`Kl%1 z{Y{p2T%3R4+|)`k4GQWKH^5Q3E2d$==H8z8NLdO(Ux$lE#4C!e@DY&Sg^o{x1sP9CEM_A|MGGw({kl+Ps@bcbi5WO2x=vfiRvr*}~bNddN+n<58V@ZaE z`g(W5AHDtZ0GB8cKy@{@N>?BL-Yy?-HwE<(sWO|UF#|=2?F5{IS9i7EpPK}|;VA!0QT!?I`k74S)L@sDxBELpC9>?% z_{a!Iz<1LEaMlwZI@7X=i8F0mJ>&7aw=mve&X}mF8Q0aJ;m{660+T-ev=My0 z3DbIi+aySwWb%(EXbl1OB&}HX8g7G*RaLNr#LDPaPMHqoV_Xt>cl)BB3)l#_x5eZ| zU?4y@d_lLgh2i&7;BFy6c~B!+S{uln!;aKKqo5(ZG4ON@58i9uc^B3CY&DNeOoZmaz5CX-b7%7s`TpO({kVdg+8WoL$9$)ak;QA0emiU;=6XS@C4(>x5~tAl zOQO}Q-d`Pxv-vz1AB-4Y(U|z}(u{8fMf!@&vF}?Y>QfY7(tb5u+qJg-Wlf=r)Wxfh 
z5&j3`>{u;4q-+QTQve-E!RF?!kjJZ0e7oR-MqE4uH4c|n<9@)ewpJCIEJFHl*fR(`ltrVKmh(Vy2I!##BsmY{%-lKU#K>te6YB!`dIEM@&;G*|@E zM}00Y*=+F|rf?DA&ogEGL^%^W*EoJUet!F`M&|Z}(~3wN^w)UpA4W4%1_p{pVn4~e zit-y8w$`hmTm!cFChT;Nyq9igg(RE`(WM6y0t7u)ySEYoq)91hkB+YTdwRGShyZNU z&z^%o>CQsvlhzgzoj;%1%x!>K5UR-G9B5FSIy>7_|D*Wu_FaYrr`MabzeN7Q9K)l} zn%nafvI{1(eLbE<42SLaV*A$qEx4ij<2eqBS4qsvchsQ)FIaOFU);4wIb%{F5=GNfg^yYm<1lT%p^uLJ=T!?fclhiyC+vMdm-S4+2cGCXdNLfhkUFA&KUE zd)W9AfR7r09vuGrBx}fb7@1lw48KBA`yF6Lj$|e}up>Tf!u?*54IqU+sXmce8_xMZ zm+|Gg9wmgHT+t$Ca$#7p>hdX|Lt^_y-QeZ8$|44BuUg>0H2|QG@(cVN|0jZ?{>Eb= zjtYj2d_>}^VdK>=DixHjmaE?J?dp%G{ni0;un+Wt@9JkeKl&Te5(JRhIG_M%D8CbM zHIz{qHdf1khI|F+Y14cFTI~4KB2Jxa99EM*6Z*+E)WusHgKS2N$d42yMa1Ay);|KU zM~1>rQJ0{NfM&w>vYo_bjWxyBTj}aJ3Vbm7e?G_z?xYHNkcYyft%A=b5|v6jjis$O zxbbogMgG3#d}P>oQqKo7JK(6F$_zo>-FWhjWj{tnJ~_tG8Jy3dM7~%x-tH>{+Ow|< zuzbPa?Y5%(h-K6}kK0IMfLt5LNRbP5_N@<>KiAwk#MOYq7Is#ca0?S4m06w9G+8q2&Y6!W&Zpr z=axF2(@w%wK>8fHL&qpWH_QkPF;h*As#`w2+~K22iEKBKlaoTfcCT3R-14^ zHY;HvOH1T%ITZQhV`wuEjYWT9BHxRyr?f_LbXh}IUk)4jI099>`}Sp{;bncJ^s$GX z!NZKCp&n|%sX<~wY5Jc8D=em9bOG<)j@o1&0<7gPx!{>1da0W=4Mic>a6?DH#@=CUqL7+~t^Mn`wZd z6$GaXo0MOBCX@1kd3h;c22`krks@DnCZC?@XjIPZsFubI%B>i?$a20Y?oddEnF&zy zCCj^|GA`4jK49OVGnL4y>2R1x`G+!~aEigwCPvNWg$q!HXq;(2TvZtKNm1dTH}IOA z-}N6(Ri1J4>SRyva`PVSG*4Su+8{x$XpZ_(_Q7L8#srua!|*E3y$C5S%@XKsItubi zw^WJ}(YzTURW_)^S1FVwgBftc!66xt%S@x_BHI`D2R&-!j5A)_SPUd-W|0_t(tj|l z%Lv6u8vy7rWsbBK(TI66VVsoC2Cw!8wwyRGkq;~1jg$*ga@o$V{VFDV_f(RVVc|Xz zC>p2Iia-pcLKm%4mmA%0iSM*p6J)aO22A+FO!bf5ud8~3qwWO1_BKz10`sJAK%5@X zDK4CTRd~;Arim$ml__-hn0RK5YTk)FoIlNc(y$l3jEByr?nouZ2_o2*Q7UwmwoV&>2%*z)!^yHZ!D z`lr*V$>meux;lGkqbR@qIZN-SnVbNDKs zXp9rU_J(_L&hFcZqtenaU_Ly4oU<&{ z{ZK*&2WQuqCN4m$WW3_5uVhzVUbi~@z;}cRe0XyO_2JWVRO{bhaTHWvQwD&^&;YwR zo*c6U%f*jQ&nE{pd8VIo5l7xlcwu2L;EM9{zY(wG+cUCEP~+}hBm8p}C-LFCr$qSM zAxlv@x!|kE+?BFjgY^KAnVg(ri~-gnZ4ckqCgtr0Tb>OvQX&R2f4YW`iGkeS!P8{j zU*Gakb4gjgxCj55)Mw%3A_~8__AAm%hAp3+2{3{~w&cE!J(b3jPm<#S~R?gL)^X>&F(ubrbWuMsAawU24hdw$7eu{L~ 
zCq9#wVNQx%w<)-G(AR!gc$vFRuek2~0Mx3LusnD`m7Mgs_RSt={9SyX9e)omFPU^@ z{U(>m6&I7exbEfH*w_hgz|YI0nR3_B&MxWm=TFHg_BJ*@{MzmJ^RQ=HW)`9-1S)6t z4qs$LuT=b69?=nX9avd)8P|YvW(rcS1!bbGwOVdAKk?~Q+3ZDz=uo0x#-6^SNO_qW zJaNotJvDd$qGL2aWjv`br~3)KtG@o?6$UdY?#1;xkX8vwu&EV;^$h_N9l+QQm1bB; z8l7QUwWQX69M z9UWRa32iC}sDa0gb;W94G?|rffy0EhJrX)Ihd#Q7RZGxBGSh^m6RscwL#y$ytwA2# zAw%mZZ`JwqJ_X(U;d!W>EHLLWY|Ne?z;W({A=rAfJd?d>7iyV~M5o#5Mt=l3R)h&m z+E@E}?tP4l>+9_ekBpdY0nj_&zO}apE~L{vzC{Bn<1*r5s@;G<9@~0w%hEEZvqQ>u zYtxAK`)GW8e6B*5)rds}x)d1<-^KMGFZ$@Uq7;5<8FkP73q-h7hGArGRu&>sl2tNe zc)_V|I%&DM`TioHkXod(=i9jw2`9l8#D!~Wt-03lnY}Pft1*Jte^yP@r{~!2wir?_ zEiaE@YYV{XbWg8&Q-NStV1PmY3fDO1jhX`#d62Drx;G=Cv3^wF-rl~jV7#2ARq{i^ zgd7CrCCCVBR2LRCu;~m|$jGKMcB00&!k&Z7 z|5$*LhOBfwBo8yUaiK;?-c0watr@4l4%yAgs(cKuH{g5{Gm3$84+pb=hM4Q4(=3sX z?}LD-Ib#avA7b8HV|~AVsXli0^1{AXGif$f1}7GL2nu3wq(FXEkq1o)*nPD-0lYze zKI_g<8Zl$yhM};L+)VYy?h1=Z(H}h3TwS)0v>nm zmvKYVl_q`nw228{RQ4h8Z(*c6y%!hzOge>Wy*j=9xz8q>ro2!;b|7;3zU&-dL@E%oB0cRNHL`0}(6B^lOAyy>CdZFWFA!x!31?CbuaRr&=ellq)(UO=(1 z%p8g20JVsiVwX?WPe;c_oB}1;7aAFlrjgWiAZcaJoWdD{uEekoAJk2+zWdXhT3j4Q zHoUl)G5h5K4NZro!%U-b4RW5|_|-i3(*7-?`Y$ODD5)hK{m*X@mAg~@TVrU$c5+gV z<0aE8nK9HTnnm))`q>+!kKq~wH{a?DN=zh;S^&SClr9TN(4bmZgjg>5Axk3NwPD>b zBgQKx#>eHq%OLIY5!^7Wlg}9yMMFqWKhXN}1?H>S`YGMwZ*3&~NcibYAGBN`A__pU zA=+L>h-H)jE|pwgb92TQU6S;Emt!2sfK6G51joXihR#khUGx&h@yI z0D*{)Pl(%ku>Ob;fWngZ zl9IurHU)*c3JKK`+Zx)2e^?8%wBb{hxt4?83JOs-qu(b{3wx+SFjbX6c;MEDyYIdz z!!MdS9@38Z`wfFk4K0El#zE?|_8(r@+lFSvR0nu9~>Ql7x!Y6QL ztY^vjQp7MD%E2JL+ru%F5Zayrj)?AJUtrugs;Vh|`F!(zl%U6=x`gRcP$qTsfZonY z(v%R`xd8GN4;fkDNkf^@{8L}56eWa0NZlS@kvLNzyeal=h-_qN+P#&~!YEz#dl9@< zRb5g-LPEPB0K706cJul=E-vn!(H9xR<$a%zxY<8AASvC$9n-gUum^vDf$cLoZ z1u>TP+@#pIwBaV>Y#7wF*_W!cS+w5``Rr@>`G6I7<3`$ek!rpd{FleG{MF-&kL~$X zAW-cRB?rRS`ORg{tv|cwmpI7v>|cul44K0z!7AO@HM)Q-`Wt`KZ|=B>5m&=j|4Le& z>#0uMqGP<>PLWef&t`TXD>J>iTC-#vzy|#8-$BkBIyx$8n43So8}rk=>#Ih-N${|W zs%m|u84R(#2WkM?0nYBDPklMsJU;7AooY-V2#}VPsG>#c0UNQXVp(=k@DA*=iC|px 
zHiQ+WByI@!RDKCyrvaqDu>9CH7#Au2ttcqPcL`R~q4nlwgNqOJuoI7x&LVh=hI$(b zbO&nUXkMgQP-0Mru}-(Clqxi%JXgBV{(`0kX~s3m$K$ecRf#65Fs2692kxavFyZ|S z5JVLf`ghe}N)Wq>-rX(k3GHzbfW>wH zPKf^)KV?__OZE8R*Dr1g&Z7WOYwPU1-@cYwGufr!MEGFWtLKz_|2Br&@NgjXmqQgG zAPfzabqVP95=jeii~8Ro&&-PIdw|;9Bbnen5%xXg9O1|J%us(xdU?gK!kbjd)d^8u z3iE%5SY)$th52gSUb2FE>ZAjzaZaSYN0tGzVp?&DW7iYKWZX2}Cq*Np6f#}Ui}Gtp zs|Em=$G063pJnV6CCQZi^EY%{*MzDpSNPA>r(w;t-^jG-6y1Fc+}(NK&VjlT@4vHh zAc;Ak|2A11S+tBKYjnM+!x61!7#WtYx%b9)-67$FJ8z@DW&ptOH75c1_xXhn3`&Vn zD6Ae6eYHAH|8iWBgcq>5IE_0E9HbwXz2E)(akZT;aUb)3v-Bqb;yU%w6>1GX`aalW z&J`zHwMU)yKlXfL>{FfkO?e8l?B_3#Tf!--C zz6fl(AwveM=7+Bg6LF-}5@5hCPA?mD4%cJb?sZ7GDa<{^Sid*$MFkG9aPv2(sK$%6 zdo4zKH!9Wu8$5sG;Mm$RC7*=MeK>tuftT8f^Mn$Ocn6tD^QV)!_wj%666bK?{_azl z_J9a%nzncJ>6-`G-hjv=G!$2|SR00Q^CufCKql(x;b9u?>5k2nk_zh9!OA}P5oq~Z zYy@!|(Q66$O^*A=!^*6(vHmH1Y6pG;0Mcx^P25Z`6%r?``_^ExfL*Vp zba3hy{X?@?2H*DZZU?vvV&991aD8w2UOygmfdb%>x%-RG8^v`9>Nnivp(*WYigp%^9AKOTf306)}@+Xcom z_XCG|bB^QH^WH$3N{Fwj2N(rGruqc8%x&WLYeWCz$mddhs;YR8;&#ODtDT#DQY&d;Wj!lwsJWAo;lZu*2r@L zpqsLuUc2WnQ{I&Ay6EW8<1fBPfE6O?vU?R+A9O+B=mxzLXtB1ItcQCTRhk$6RGWnk zMVWyjg^{Pvx%Q;LdD)fLM^vuqHq-^UUkr-t>U2O2j{x#sh z2@jm?oa&nDx`puo4zjOTzCtU%Yamtl_Ja>1*G|%4vxAKcBlUE~0q!!%x4SsO(F{&2 zSO1NMN1F9{oDCWm_u6V%*ML)PfOI~$6(^H@d3E;&(tkO7@L9Z)j940B)1#OU<@Ihu zx_2K94b@?Bc9u->5~Tt3>5nNR8RQ2!fkSZ-Cl{g6x9|1CXwa5t<#&l77VO)S15&1F zQhZg)#$1JobI`Mx6UI>WAtdeoLTCXT0bkawFE3wN0p(FP2l#W3Rb1u5Jp5>`%iwvE zT&u@EQ%J&zooa0!CTIvND_fbR_%#j1)DA<{7iE^^)AKeH68;>NrCV4B}(`MbFy_cq`uJJ%)wFqr2-CbD5w|BPx4syX6oKw3jm2-2$eX=!UH zIYGsjPUAj))5I0P<|YC%u)mTC(AF z7P;i+^cI<1d-U&S<}BLi_lzTy(2(h0J0!{wc#m0Ec^Y6#0N~DKm}0|Ac_9pD>~|a^ zQ}NvW*&E8sWnpoEfwd*dgkiwYvG<$DhmoX93i{!{0A>gPRa@*I+IEz~3lK*X6ck{c z1azE<@@zxcI$$dY_};V(2zK0H28WskKqFx``2?1S;nlT6zwGcJ4^ssm3NumXt+9F; zIw8&U;SFPUHq!SX68GIx?1yndX}@JSUa5%C=nVweH)z9gm&)#fynB2sjPYXqv5yIv z5#d-2-zFgNVsSHDVQHJbzqSrpn&dZv9?HOE8O&nO&UsCB=wxNK$+{ByEY$4nQ>@Jy zDZ>K&pQ--<@VE~pINy#=b86Y@CAS(!b}mj(_I^^Pogjys?9GeYO1Hw2YyORvqIvwhSxjbHJv9&^I)cnj^-? 
z8j@aj3qwS?c(c=Z3Z`%r6)iVcJG(@1}}So*VO@ zdV8uo-oI&9i8yyNU0W5t3MOiBo2mpxplKrLJl@Nx7X1S^OL` zncNShGgkIj#J?)xB`mLPOio`Mz)POI?=&6fd`a*5Oqq-d(D-K5UvyC4go4Qze*(6s zza3=5RX6BNGq6;!=-vstC9OXh3TQP4^o5zkA^;oHeY;VeKE0uMc)`lX!K1+-MBqFa zP!-+M!mEc`$RYk|*ZN0MhZ-4q?2tRbdi8%LZ-jilk;dBObChbX# z(NndYg&tvfYed^LSP{Oxi&<0+7*d8M#JWyy5z5fgxFDr$uJxkd-Or1AP6aJDJi1CM zD)6#mT@2h&_cE1hijlUSq5Ero@C?}#V?!K z$zRN~;rj&0a~2gyB+Zo4^i_Lj#s7I!tBO*kly$U{U+u`8uD2>qJ9ygLbI8fK6cZex z2z~Wnst>m_W-J0qPJBequn+XTWWK32-$x+MqIDZnqdfLyI1Dd!2rqqa1NQCPb65A> ztfw>XKZ5;Q7gyiz7R(}&!=iWBv6gskx*AmkREF&ENjyJhadM^h*Tv`ef8^}B2F?_U zJ_aX#eq)0m_VTB>HD zjPSYnR%dSFqadv@$OC$^Z!~@JVbD2|jr?nEp~A$$qq-jsV>Ea3+HJ*c&8)tb)Lf4H zEp72w&ye9_b(3|OQ@Z?c!QqNwZ_w8G?EdtJN5qK9VtVbdLHg3oV(l-B<(kGnTNc5| zzOPXhdC7HQ+0X)r#gtrKjPo@<-0mmF-Z=FBIa#p^paR)x3Gz+I@Xb*DvCSeUA?&o@ z!`s<&X~!T-sKVC!!>cvXH+7St%4^3`Aw1&5&9muZrDS)az>b>?Cpd+Z86Rs^A;&ym z_P5nj4D34cV(z3uxPd{1t>PNpdK4x0aTE_svpGa~+98(}{rW{iwmgL2a#cdzZ8fZA|CbTQ6Xwx+QcRf)r_%lMDtoZ?q()tVso$Up=%5QK)P%)@&w-wUm*?JDeJEu1(~76Z zOx1JRLp|9mu^r&-cj{Q)5#i zhL_hoh$}_deO*hXt9T8D9S+?`4ZiAg`smxIdjM5_MzF7E9rUX!*zeR?rk*b* zG`nq2IG1#~9$t)sN)dU*aNj0FhlpIjGza>m3(Pla!Fo>-7~S%@W%KXN1f|a+3x^lj zbS3(!cOTs3sN+p-_JSV(4b;%rf3HNFs8p7?}Z zSse4aKqn^@$LSloT`fP{q+^VkQR>Ri=U(f7y^Hr!zE(;ObUa%{w~FQ!Aix8SiAETfRqh5C$NM@q#5zL9Ef`JfN&>$o@DA)u^eW z7#SF|QW|Fo?aj)phQ9)4=8Sa9mg0W{L06se6 z(u58drNw&UP7wf!C-x>(-(h@5kH3x|#Xwg;wBcUAl&k1>w3IgA;|s5HH|rXs(7FwK z8nw|4B%$| zbSu5FAe<&-1XCc4Dr)|4rooks9J$R=gUbGh%pTq%bf-Qau{4~#sWr)@VUR*y?#@Mo zJ>BBT3=MJG0}Tq(n*GJWNh9`ZS?y5^ee`z9;lA0^A9aT>&lVFDKhxiY?#{JP;Re>8 zqWSY2H^|+0ZWA_N^{l}f{!*4_t-nPKyotVFPIkwAwuMm9<=FbhshT-7~luFnOhP~I2#*xtKW+(R;z6^G3OHLv+;RzUU;2?=T?;RHtza2`r~ zM@N9Out2`UF?0jx(VG)j{X|rz%R#(iE?#f|$i%X-vswN3YRkc7lN-Ska5?ouI9Ai# zp0L-Mlc_05jg@1_9T^B+AY7~+a6)St>*{jV&+LK{p&(JfOh~)HUGmC-P{chRyje*H zY_E#J*Ih%V#{>k^8BN)nln3~UN-bBDO*}pRs5_)BV!Lh1s0BR$^SrSVO&)+j5_8?1 zwiG)Im1kNaM-PJ^SF!>~oiOcG8W|bg=@$8TN9L@Tt)y$&#eo>K&ufJ_dDMpI?gtv- z4|Z-!tLaDgxYE2=DqOsYYu=;#7dztsAaH1e{Tj>brJ5-W$nTdQ=M6L#Dznr+2T47P 
zacQ3wgFXB{5S5qbf3+g4F9i5i!nuVB#metf2lpl`t8Iim9~_x3;wHyv_r5HQ=Zscni7T!P9-i;I z#Z>(JF5o?!t{<;pKDG1{uB%$`=;)M+q!Is4Ha4zyDe7%gPt&`JG%i$clr-%}JyLHGax>0K)ZCh74Y`F8QaNAo zb1Al>=_Z5z!jrbc$2FjtMCEp2Y^A4vIIRk*)c|c9PND|aB$j0YUeVey&l6G465F@n zJ04ShU5?B(se>LJQina|+{XyNft)H0r1z^9x|LvrIY?C6{=F1sbtGCReu(TYBBmgDzBmg=ZrywK0l}$^C|GE)j-zGiI)C%9Haq%yKtGY$=QgX5{jMDPU8d(ChPwWyHU0hIz^*WGYXFbX z{}vAP%PG@cd<^`w#AvaKeD(Yuu5$Ac)t@!GHWl0rmIHsvR;g1&D^9irD?r`m=I+Mq ziK-lHqO6*ZP8=USHv<=aD+Wd7<6F<7Xd6$zHB+1sb<^IH*T*8j785sDdG+i!)C@v6 zyEl6|^JoC~t*MEhL$OA|&eoPC?{+X;ED|xD^YN$oWGlkS?D@l4QrgN4)xEVC5zFf7#SwT6tO`_^eRb{h2J&o8zT4>z~cWJ)b| z%446VCi<7@Kko!r8;p;@xacIlf1fpMYTo~wUxgP0ufW55eN&>aSYdEaEAJzgMDE<) z07aO+eHG*Kuf>sj(IBlYUbfv32D6J9ShN0k{UhwrCIOa*+7i&yt=Z#dzi6DgZL6Vb z>!f5IgJhY&_CeSfvs2D`hN!>7ub?upK0Jex3tt^x!YytYG1Vz>^7Ca#GGr! zMO?7dVLD{eJctZd3!KNxR^901H*7iBt~kOsNZ0^gte7>6#6m$x3jSXwPHemYhJaMvu z20tYv7K?4?4Ruub@@z#A7s@=;n|$lOQBlbNVoJ|*?@nZBGKtK077pi`rY6(^-#sGG zW9Td-EiFZAqRA)6NHXbGPl$sPd9i^M7xdkoesNbnYxrUAjGzE(aqxca3|Dq}RrSqV zgeq_kkIK^p8^A{?JYren7^cuABhVWcIwB#}x**9~wDt8Noxz>8^@*=vH6E(wnXwW- zAQfzT8+2OXIm<_>z`T&32`Aie!;g61aPV_;Gan!+k$78VMn&z^&(0dE=*KxkqVp zRnu?BRAE*_7&c8<-Q3*qBFk4sMnaE`U@|I-(3~q#srcmsQAUR`9!yitHQ<22=nY;PaPv=i{Nlo z$(#xuO7hJHNoJUZ&3EE@&pn4SWiWnR;9g^JuN1vLo%rDR_y__)3gwFJ<6!5w=i}4P zgudIy>8~MQa?{nwaG`@$u%McpSKW&1&Fdxw8-;YI#e^xgxbn&A>0kco4O)4m&W04< z=GG$;Wz{wT`dGC0X5M)w2=roS+bFt~L<>{R5RmS-gBamH@$?bweg z!xziv^!bvj`up6EkHZvXdPn>jc*OZBeqW~gEGjS?eM6*fvTx}Vcd9lTz8?KA%K!1G5n^7ONF$njsl!f9g6xbOM-6*o94 ztJ@HxUSC;RIq&Ri=(9rh@9T2}6eSU{+ds)x%>Wr%7wca*Qmgy#{uVx~ticCBLs%q>qjKAEN zW*pW@g>l}Yd+Ek{yh`Qx>Y8fK%ASm$VB-_I@rm+TP-g`-HNIq1{uG(GYk&|_O@$BU z6{@!}eP*+-4v$M-t=RH5KYHMa5{xqZ7mHq|b-$V76-zRdE5UYr>of}8ZN`M3O~)Nu zkD3l_q@`~+Em7uIcN;+`qIoTyv+2(?!96zQeqX>00rQ z;QbalxCM)-;hkUt1y`x_z2swF;nc5f+m!PBZ##TXcggVr!xA_v>WA(FD3=Kel%}kF zzxD-uy$5Pa|NG}EA~4CnsW_L^{@OU|PRzlCC^vwhgf_c}OOEvo$VmUvzGUk{EVlw4 z;q|J^)Xo zD|aoFQblkVVnN>K%fRej>b9{^L5v!-dFmgFJMyFl-+F6G2qx3rd5(DN?b;iViI7nf 
zzCK#I8xRkpl_3cX$aXltp8P}=0i=|qpxuNgQIbO+2jT?({euMwvssXZye09k`J^Bf z`_+6B0#U>UD-1V-%@7^<9e&q5Sw16v1OgGD^P08eNdo_96F|V(aTNDRL*RK`Jh{C% zdFO4&goU&5vusU5qYX>QTYEb>Iov=KE3Z$Z5Qy?hDH0@=cCE7%+<<)P*>EEbYac3m zqInbYG|tvrFzsiA(q|K12t>V3OMk=7$HXND^-xuPJvc^FOiM*y@)k+85)k1H47|Pp zsXp)-$M`;fFEbk4*Llyv=9$6I6_+3Wx=e+Kc#u*Jv9uapZ}zX4kW#=+RSxnC>~shq z5O8M4)5Dk4Urq^u@DW2@utZ^yZ+EOdibkmLLB1&>OeeJ`9zcwkHNz$m=wAwdl#i~X zMEEV4qr>_r3NlCwlxs7o{lLh~tP&hvp;~EPrHyrQTS({#H8!k218$4Hetprei0T{J zfS!YA=@<@NP7dT`qVG2?Va9}BeE zKpgkF}0)J4z#DiibqIX+_BAH7Xm@H zE$!C{77$a=-GoelM2~?3a?o}NGJDwCur`W=a~K;^O2(KKSMy08)w}ARe?*76M{niO zyCAL;{gyacMm9%2V{srPzW+*Y{;XA=t@+1QRYs2mA{cLj9!*Y6{JwlGrH{ae7*Wl2 zU=dU*SUMAPLEaYme}9YI>G<&nv=uYpS%U2(0&fxnVn;#{oZ=zuBLjK6lQFb@^`ns( z&*ldBIkIzYwNQ#7z6c94!HSmT5c8+j2O;{u zNmU0@OMr3Fm=`Fu4xqmYf5Dkhffh=m`IMD93n{vL6;ABFQbn5R3tnLWCogYQ0exZN zmCP`xr9(fy-)L@QQ=gq32vmpQ26xpLnn}Ab**F_3tM_RAtC$2i=UrX@PA#Xw&gh{s zSsVz2ur5BKqHg-E?G{=Ao65n~z{I487WwpUoTP}Dw@)bQ4OP{vA?+r)xu}-w6_pfW z27I?>7X(Vu*U=F)x5mBLa}30F#>Y1{J}z%rRw@qRp#<`;S7Rads_^!q6n20>s#(dy zDn!I1R!kre4-;a};rDTa=(VTJju-N+pWWi{9tG7%B~#ulFkwa#R09R1k3ZYnRNb{=65$FESb@Iw8mjzjvjEG)V=NP?af^a zULfPXJ{>)GaAq%tnkl1KSFZp@20+wDJz?YQ*PNGUZS)^;ajh$CJ#RW{;P+F$9;v$$@^Qjai1-?M|JO1R{ zT-0)Gr@>0@%uWTFckU&xAkMUdyiMsnApg8`6B2<7hPYYVJFJ@rkoACt7NSwn=ssm- zXKnqDI*=cZBy#H(#iNGqdFFQ6J~+r0LN7Ot=?H2Np0h*=LXNi_-rwI}yz79LSz(;x=*Gpx1^D8iHfnY03Ib-rxf7ipm=t_` zja#$snK%g(U~6HWKlRm|u|!|72iYLD-jnbDnMHSkw>_xHC4hv$f%78{&Utt>(42OY zvbxF14QrIlHTS*nQB!N11-R?%7UAV!wq_zegXsdU@^GT2waG%C*DxkzLdE+TN9?~- zXrDaH*+S}nrcj{NBuJD%3BbJS_i)F(Y+2w_gXQv|amdWZ#sYo2q{$6B&_aV~bjdzAOOiV+1dEhI64d`rplI*m_{?aA|1?eJ?8F zVA0X3gq}f~Gi)Jdiz6Gu=u4570NF=TK>>Y9ghok#w5=R84{7h!4 zCq{Rhq1!0u{jo@y1vR|yJ(BZ|AN*O|+Yr|jdB;C@9`(nxo#dN`hi74pL@QLn(h_iy z7VrzkbXJ7>kY3wuUk*I}S+LS$bwv zS5#JhQO^qs3es-sjuuHZ7(sdrTJ9FB)JXhYCpdrA;o$*rfS0)@fB%+A5lIaOZvvm- z-SjxwnroU(9RTm7ap<(J8SacOD?8}R_`l7%0(mgLB5bLU11C>rCt<~0(X@fc$jAyG zt>E8Yl6f^dBYF--!VSqOHLouw4S*1Rd}&OC8%V0|qm;x9r6fMF4BjFQUu$;044~w( 
z7CW%ZgO*n`as?2t=7QYV*v>=cCi~mowGBYZe%HP`B z+pE1s0XBFy)^9vf}WgXG+i&o50?ECSqOv(<+Bz*TuOYci-=m-$S;C+Um?q!?g*5 z*+{XwvVRq)rYb-F)V~7wMnJSq|KDhor8@z1Ut26;=1{1^sZqO^5V(fJ1Nz3i*pJ@T z`aZ(hP_^bkE%HvaEO)b^#ksls)VMiZItKQl%jK1d;Y=hUc1$ymT=;pZ)kGXa zI!y-jz2ir}Ip?YOZ0OQZQX0G4PqVT0Fu6wrD;v+LJeHNy_jGiGk;woEyw#&28;(V;ju@ zohVk%qT!;v!>np;AguuS83h1$EwB~~Y@=iu)k4m`bkSi^s~x(!-e}pYqcAk%Rris} zHMNqQhF2976mZow7FEx@EZt+F!#fut@H35;VJCJRr$UXp2Z!2Nh)`J7=cthH&zx@` z%zx7Tlm zasmEYiFd=XU|2eF$3Q@0_4Is9ltzCO|uJq&jpHbXZBw-q0%5-8NURu1fVm*zm@32_5qJQ$h$Ziz%gbiAY~($_ zqz|ppmg?xR(O;r~%uAMO)8G>jdV&xy*um0`L2QI^{J=#lfhtV^y(hY$J<_&i7}^v9 z3H9V*DPp4NO9x&eLrz{OHyeC+<+vEr|2wx71NuIRdEQ0z-hKAE**)@h!Uak)caK0W zpL{afObmq66C?ZP4r1d>{D|56axWugyW8*$rwg(S{E2x1?g_nM`?s0kc0ML8$;BX3#=0te(nJ zXZ^?7(70<}FlqyA79Jt+H3shg|IQTbA7|<tdr0P70* z2-kw@+&_zRs*eoXBUM0oq!uJ-mm&zNT03&us{=aojS2XsCLdA$Ii)!j$}}`${!wPf zzD;rvdP^OZHvSBqP*!MrPqtvX`rY!tJWX*;fdV5dhj|>m5uBkyg6JLX=sqb#D zKSo;t?1VH&N5>n&|CoOwjvL$C^yu#Bq>g*8H#GR7yX{(`X>Y6N`0@d|Z^nMb+0T)4 za|0;5N>^W7nLqC~Rxo;ys|1D0$_%*Kz?usUYE^8wk2VxJ zDI@v^1{hF2W?1KvtE(mhCmaiGUtBa4oMyrSD1(L-n9W{zQo#O4s=#%c5>{%THrrB91>uH0?|as$Up>~Q9&L^(}p5d#D5IIvQN1Y+_G`#QELY?D)z<9 z2-=CxKz!!wv*MvdS-Ek6HJ=4d|HqWJINTUk)3s+qb-AZUPpY#M>GqE)J&-IdC51$t z2LbzAGtAt{s5G~VA=-|fN@AuAOG$;p zLF22MtI6@PawDYBSJ2*6>vQ1#R3F;gc{Ldh>!62M1900n%%F@nJ8*cPkfIoigR<>3 z7nHlKYfS6zf|Uk1r2vr?c%C5S!_LQV%S(y!t3FEtH3(J!_5pJgFsTv1xj>l$z>^~1 zo&qzL*wOnfO32ZrrGG0`{Cjw3;APs-30sRM94^7jW;b z)cJYQe;{an{p*T2#h}zYzy16?Cnx7!IvrZ1ebrxq9fn#JkP~)%iSm40Ts>&5@eo*F z>RQ*%1|~^xd_qdyE5BDJXrq0_P^a61i-aT>txpc8vh*}*BLA#Ox_XC_rog8MgZ#E= zY<%oTIuUxN^lu$sycR3mxdCA&2QpviUU3m|d}2%{2O>?lff$Z_rrH?jXb*5|tl24U zf=N^HpGjjx#%TtQ48i(CUg153K>weJ62kh8`8+`Ju;d`4|M}z-mRaCV}xS zBnX6Sy{xpk1b9Z$$N%-*vrFDQb^Lcuk-KW$L(i1>HGodqP~U)-XT|@+*n5XH)pg&Z z>T3%KXs9BB!O)u`y=rKoLqK{_1nIqZl>pL1mo6PdKtQ^HfOG-r9YlJUE`)@;;`@Ei zxxahPbMO6A-R`Wt_S$RBIp!E+YBd%&G?bP`5q2%$sy_$J3kh$)?*EX3!U*{gAqQoS zjrboqr~n}cRk;T?H_);Kok&IP5ONo+0h6-v>CKP-Ik4!X`t{1*Q-Kr#RT%eg28xEp 
zcp(k)ZhlV1LPv$|XfkA~XSe+;QzxNv?TFa1Ol6nP1+pVI!JYML;i zaz^-4_`2!uNREu={oTRU$%F+2N`@-`18&pUU-(`AY@YwDotQ%$}rC7wq5y~Z-%v*I9F82(iMVSmYF`P z_rFjf2)1>;6Fx)2A`ja8beRBbxP9G!se}L-?Et5$c+USZu_CqyRkZ(ZLzQY|o?4k| ze<1}A1!U}h&vi3!Fbol}qi3Q;fs&7GZ7c`=UQ-a9D&j0#B!js0RX!N3xt}%yDF)1U z=;{9^`@(nKPKCro^a!8?IB?VZS2{X6{?0UaB1cMBcvQx}u&H5*Cc7(WQTF$P{9EW& z{k!e%dWc0ktbXVFo0D6$ZX9BL%)|eFTLP?%4Mz79!U%KlH=oy0Bfjto2~r2FX1H0R zB4d0d;Vk+2a20a2e5cg7cF)FKo4Oui1-dZfnxCoKGZa~aa=yrotCf1a>&cX1Z4s4~ z1`>C|+Q*gUo@8QHoIJJY0(~Ura_rV`(~M8q_+_|f*Xm}EZQvRsvZS*{s>*pbyQ_rk z`TE}Kalxrb6qyFOzvR)j5Q^5rkFf8U@--Ha(c@n&w~V0gnyv{(c#4BHKkmp8f$^( zhjjew(a{FD>HkM@+*Ilhpbmx|g{q`Bj*65>luIJi%cM#uryy z88}7t`jv668d&^+Z(b`2jA>2zA@hALotzYgL!EbZKELBRILh3xxV-ZPN51g=`>Rg3 zRWvwNi|G5m{=5l>|4UCxu=*xpeqy{jm6-2Fq#n?t3QDAGyfZ26;94 z)%BrzN$=pRxBdx0B5y%=|C@|>3w7Uv=kzD4Fhw3ANe+4I4BE)!-HBwH1)>RH4t@leFJ6cxu|a++6py!|ThluRjIod5T{X66O(H0qMx?DX!0ipPm7znGu~^Sr*bwfdtX z<=gvb-_0s;|NQf@q&KwnA+G>C=&atrNk^2L{_W{_BojC_0?Zytz7O{}P2%_%G)V{Q z%m&=l2lg(jE~k-^+2T*0u+N9e9i{hBgk33hzpu@HTSTTm6=0ky*>~`|zc*k6(aolo)n;|KIy_DRioR%^#|wz2OBn z4e{!Xh;ZSa8@d0Vivjkt8gckH4;)?w_0BT1%>be`w=r2uh{2^SZahn6@`!x>Rg zrT{2&7Nue&Y@MC+pBS@JOccw#hQ?glTUEi_{9)X>v(LnvM8A6ykfe7n!Pc^?;g{FR zNa?44ACr|FanZj*Z)Rdbmy;1j46uWAmBXVDQOa;|4!i|y@4KYfBI6Uc zVgzbrWagH;o2X zO(7lM(vgor&}&sTrBrP$z10Y*9oe~!>;fnuYH|_S_(oOS5-^|El?95i%P~G?=qNjiD+SLc$%$%^a zJ{{hX=c}gG+oo7--|S1P2HcSQLC|bshJWY?|F~lwm636MQ7f=d4Md5Y5eQbBYu)cD zS@w4fuu8?fxOVVg0x#jK5|)9d4jf(x&vEt?rcQSkeR2G)K6rufw62v*L!l zx8d-%j!kg7C793lFrFq&Z2Xg5_Y#k3rQ(?mpeQz!3w?*H036N*pL z>nXZ;`sE0RiApJ~#BT6GZwM5{gMJxEBuc*1Y)s(+bdADOw?VaJ?t30@sqelun8yvp zW2sRg4dT+$nUPkvS+9k|{PbE>?JG{aME%s4G?t`7Gk4F`{TXaRZ&vgt1?Dsw1~~+j zz!2JTs>jVcn2*^(YH_~i_KzxOPu9HaNO2rIp+a_z|GpaSjH&3Q1!``i$<{V^dXXgm zl}U3e+ik%k0Syi+QVsx1L0~YMwD>U$8qG;zz`@b@>{HQ7*uJ{;ZJse+4Qs3$xN>9W zxU|w@N@a2*%dNvqRMHpAveK8aQ|uW*be6_JF9_DcuJ+cWN`WSog@J-_j`ZYrj}clw zSf}jVXKS2y+Nj$MReivFve)mS%agV%Q+bMAcbp5)ty z4}Jc5^YisFi_LG5DMagHaSCR@S3)AuOzFmW`F9gEeI`t14U)3-8eW};ss2{XS-BAo#Q%Y$yCE! 
z@dmR)GZE@;GEA`Gt5^4Q;c&W-u2I$&9)INXESq6!on|;+Ut}jy0wy5f%4RV7pO;Hq z|NQe$rRva|`7FS1hjo z<+$>NYXK`&qS5WPTMee^}$XwWZ3dOicQu48uT6 zo6{cB@_NSQ4FtlL7!?uuOGkk2^GU66v6eoTk4p$ztCZ}8gfB|PVPa#+i+e#TF|J)- zTv$o0Zf(`v^%-=g+iyQ4Fl~_g;sw6S#l1&Wd0GOuC4JW^INozog>g-8Zl#o%>4)i! z4o}+ITU*I9p*AVSN6#eY4pk-nwx;IVAlu%*YxpbOw6V#0DQ3_CwvTtP1=5TUn?8-t zj`Xfi+8Aqu`99aK{8(7omOeK8=JeK$(^5Z|!>PFwZc@&zCuYjUvlpW|+QnWf7tiEo zMXx>5`1q>al-(>XWoXAMw|(o4Uz0*EAB{+cgK{y?(}iR`wSGkAkKmoAvDbr@+AXyn>x!iD>YJ0y{312nu~p{!PxPi{-N6rNP9f;lod)b9 zTC=bjuB$mm{9qfLO4b8@Et}yXlxhjRFLzRUgOtb0i)Fa1t!%5S`78HoZHzNkDPO$z z`(`qb(TF>8Z^SAhJHQ z{soG6$V&Vz|s=UI+OCQ*>fRAsFc zONZuj)7?w2R=NXH{vy15?mO0UN+^_+79@BBXiL3ARpwS5r)#_qHS#Zf`w(9KkZ{oe zr!7nLul`Hdx=kLc-cf#sRy)se+JsEJE?7IhU;>Jbp#DH=%1ihg3V$jgBwu&BK<~3; zEnKX^4^CSqx`O5>vO-7z=_V()^A(>4(>uvQ!^`LIf$F}K6LjeFI)huy7V?eMnFHpf zr=O|KjsN`Bb(X=_i_Q8xbl3kkkP@_Geb`JuTK>g&3%lh1!c6PyR$}xiViA=9<*w4( z_W&I7;oBe0K+!OMte)!n)jpbtznM14>oJRORv7@Dyy62u-VT=|P6D98{vVk4FZxDF z0Lg;~gj&JRuoCcrn*ep`dq%)o{^781ZV@qz#rC)l$O zV%67n^ssHdMGS$@(BD^iTv=_!7<+uJ9 z366LJ9gGA&z)Qe`|D9?JiYwsm94n8w0VB$@J7MJK-KP0BrmM zWj_F_lgmy-1e8B8T%_s|hchjzGNzJ4AfH$Q5l?8$Uevz33QqXkJ-^Q57t{K;o(o)J zg7ZQje?%32)AtB3za!5Cv%S4-FExEF4)c88Kp#Bg>~F0w$E%PDA$sP;xxiYo7t<-v z=lA)b&}XV2zj)GSZ(c>nzhfivz0U+c#Mq;2nG`x1!9VfC0#t)#k8g=pPsj` zf&NzHB%q-k1$iOwA4v(^gu!~Whp>+Cu&mrZ29FV!HYo{nRH4V2uc~UPuMdhg1|L`r z=CRo{$Cd_vQfI9jJTuS4nu}M^!b2C-L^TU^gWPqVTt7CRx9 z!KyO({l)V?)GUYZ>If8>r>zF!bPw?ig(v|pL^@0T=;zmGazL5j@ZBu5Wg2hoxE*^r zk&`7ylIQYr@8y*zh)Zv!vp3TlB?x?z`FA~WX!KbPs7E;=uI?dDbm<_Fd$j%fb=^8( zpjB{#Cp)nB9hmEpJQ>p zvIY}@c8a+ai^%!dcp)3i(nmQ<2KK=6eFUY%g`*3AQ7H+` zW~-;fZTZS+BOiGw=05CNfo#hn#-kfNuktw=U3$MACYng?D7A3EtgCJNIj33x~x&Mz=94Ih)8G&BoTJ{Lz zI!Bxc$AxtxK3YQ^oyQ1)tKAKiP6(qYVvSn@#;0hg6O3!~XCwA9r1tY?X-MstO;f^c zj(6tFWo|2WTEvZ{{796jcMJdz6E(ZK^0HWGyy>CZcJWHh6lDJAoYPS>xfL6X`Vj&# zD^C=AE=cy(T3X(sVghU(Du5*$Zr9|#!_D!bW&T0KNx2ERLZ`l2byoR|YfsEQex7AHgk}wuJr+Udiea zIIG)2*%gp2p~|dxc4iy&S#2cVURG-=pWp=Jr$Hc=d&ErQ5p 
zg?35ci9zYkzp#hYmY1VcI+@%wZqMK+%rnZeLW9OL!BYTZnpNMVkqaFc!EWGJ{;s$E zb~dP~^3&-@zxkw*GV4hFs70pHUHbT8KH7JBG|oZYL4CE?$xI94hkX$pWhN37f55`!Lk3hX5?TaL)>!k4^da! z!3*-3?H6nr);;;?Kr?B;41J!NoxOl>kb}nTS=reoP@1`@Ds*zyd$6;@ypQg~=Dc?d zwJy-*I3fC2pR#MUmdUIg>mtTQr65TjK8WO@7GF-b=e1nwtjAQ;)ULL5fJkgR%cH?b zRjdW-@gPicuWpd^D2Z)6*Vb03^awh3&sV{4Ceb= z@B#yacmh~t-;x{u?jRfc}bMh;AqYdYfHGLqNk)Ofj~7s9!ia_V2~)`f-!8e!M5B)8o!G99$ZrfR8U3Pkk)XKb?Ox5ih{GQ1sLN#Aq_4Oub@t(qof&uvaX8&o zTC*tS)W4*y$YSXyLQM%?ow^F09pBMe=+Ak9kKSxEF-)0DL}D;1`3kvp{^yNzJLc6| zEXH8DK?hA9?xbSU(m-W}(i;IesmK5fSGucztEZm{h<7B{I%Fro8>!H_xWTd2SE;QhT z&?;wj2^yBt(}+?=DyY*2_|sCCT>o7ovF`|WMQcx8?!;ZH*_Hh={T_%X_GmQhv0=T} z;cSDqC`*pf`6A>5kKF-_;%68BK=nM%mt7VPjYj4u3q8Fq;8^<6V{D8^^6*B{Jj8Tx z&6Is4YoxqRAXBYCKKquaMoC=1yNej_yBicW3>`woS~{ZE?gy@3$CdeenJ#Vx^2~Ep zcb0hYXZ_+uMe`1;Lx6MtXR;%onT4%!K~g=1Tg%V*ay(lPnz%LNu)Im%SEf968jiu{ zEM@=T>`#Zk|M7Mj5>5vR20kL^d8MWP`UO@QVJ1|p(P3)US}?Q zv=n-h+L#?cY1Vw{*ei9a(_xJk8q@xuPgCMuAL$1(r?t_+*%54u@ zr@e!E$@7ymQFqpMwtgTVw($G?N|t)8)cE|*B!5%CATKYkpkTgM5%?hU<1h;gq<~Gw}ilZIZ{R2$B`C=>jMoz^)R!Jto=rf*eN_S4$2EPE_-wQyqac+R@ zoI(|H(uJgoy7$>ssd0ELoE}<_m8dTWiU_={-0SV-0-BoqQQeKzRUI+<{N+!8*fUHH zZJJXx{1wdL^JBK8-WR(M>I9PbhfIs+!#;ywkBo6e{%d+}wc6TicAzPy?>X+64Yo7a zq|KgCaF-Igw-Dv+?R|b^k6)g}dB-KiVf=B~O?moW0?L-1OZx}8;&34K8?s1_?J_OX z%t|#k9v_(n(D9KTe6b8+KLM2FwJXNY_{A>LF13+64gjNOj;B_jcftDP;v>s$R;{=| zqG^4{J`HCCcm5upf+%FPXSh%UWbxZuqSb6S3xvhIk3LS=Dp=@WnH5BD7D;_jGuD-cWBZ=2RBE5L>&^hBd(R+)FaFV1R zh_EWxLDPxg`9`^O()LZ#K#82^C&3KkTciL%YrGjIQ<$3*{P4%z`IzMCK)|)*LhIb% zU2T7y_7eK+SIfl{MDxlqKYv)*drfw>#IAxU<$P2iqO6@QY+g;Rl-ix*QA)4cPivWN z^y}=ULoZNB2L0z`v|7pEqr=-w;)p($kW@-J<-QuJ>@piPjAAye`Pz{7b6R(voy9mA zQ^>fYuq23@@Qc^1)Igx*65n>%tC5}TR_>OSkxBgd2?7?Lc!goOs;a8~_m>JRwD*m1 ztJx%_?j9Cz-;{y#b1UNvEpeNcRw@6HbA>ZscOLqS>jpDPs-S=mu!0LXp38sEoJ$um zeU9Hb2a+&wmgk~ySpV~#gtP-A+x+GI0J7Qq@SOfa!|!I!2jqppIpKF{X-|uq&J_0p zu(KrgoV3`Urc*_$d*0sI@c?dy^y%LrDo7&PLg~TjK}5!4SR1W3P(lt5z_wXma;Jc{ z5_()J=8`HtjS;}cpW4Vre%Rxpn>5es)mebU73=~)W5VSFcA(non7*e@K=UCW#G)Iz`Uj 
z#V`1uMXBUFTRJ|BRcXS`dIMdYY4ya;Y<*(a50bTRR&P_6gC_h~)B7V=TU&AZFx-+c zehiquHa7Ylz3<6a_7D`{V+<~%2tSy%w;aeDVp~U8Z^D4MwbmdLlivg>nisnM2S*jQ zbV6<9(c0nX?qdyRy~jHq@T{T&WEaz=emiUQ%C%ge?u!2oVHP&D(7M^)Nb zBk*m;XTp^Zg)X7c%?0Z*)(e(=z8m}c2gE3&f%jA0`=Bb7F;^$kRohr4@ZiB?$i&nT zc3IyZb*k0luM{%o-yCHQuagN(T~NGa#vTk8NRp$bW<>T6@EiwDnXzrHX0M z7{6pZnUKKx5N-H&tmN?Uc&H<#+Rm(}y}cbsdDhyes_p&%G+(o(Cu@sqGoh!W14WH7 zHduXqePNpSI}Bf5-Zy>Y{DZy5;bql!F?CPl@>a8HmDrJ@{aN0X199v^>?&e1HJvXzo*wQo3NwjHv{MaK=Oex9=7dy~*(Dv4X0%JA9S{q+We zIXG&ThZCYJS~FD@75vKiLB>a|*(E0?@~)qF_V!C;qvIC34^_j15}MVJEWE(CR4DM(I9jQF z0p}Y9H~rGtknwZbdIR*w>5Jv6i%qi2m9F4|fn(?VrJY-3Q1$SF`tkV4h%0VLm95v} zyFM$`wX0VP=dv4jx6?!!zMSLPnN00@m_SpGZ&ChdFT&cg#x{UAT$^Ev3bGT#O~DL) zNGY49x%2J*Ku7^FI5|DaI3s`+-UGV9%dg=_1lXDu^D<&lh#bG;CA8?TrH?Z=McAE{Esailc?!sl!SvHtn~p!v;(p^Q%{( z+Ft7*RvBvm{2L0={@z}h`vdvhk}|Cq>SyqhXa48jQu&#HbaH%fHoJ4~caH`D_g$tj z?Kdv^KN}TMY<)zVVerKzWH#UOae3Xku&DE>DK8)$ar8?}&CGy^?$SknRn`7d{CX+i znG9J3&jvM}^x6;pe%E*~UD4kFTc6$Y z@UmK;u66#beDwArX^;bK>XEG0S4UZOcgYT4&7TN<_@V-z3PhMeep4uvjfxmd;X#n9 z&;|z`6dHrr*<0#qZEfXaKFPp$oP$EKtVU3uibAIY9P~baj)cey%St6Xupazu2JWmj z0u{2b4S-Dudmq{GCV4D(KjI6|q{;Cfe6=#>w>2gzaxh$ee00=sRBR8#dLE39OWpBf zpoO(mssCSQFvX>R7V0A7>d`87!pyMaL4GT`&mzk?q!NfP)KQS;;-NV&Nn zYmsf|ePsf7R4Cl*h)DTe`weQL*Ds?(E-ul>Tv{K@RRrDJdsJ4=&v@`G0Z({hyIi)m z05D()2)Su08VI}V`S8AL0nPR9J17JdQ5#^aR#x)I4!F#>1bT=a4G*av9+PQ;Mh;^d zz%{^aFlu9M4L4fdRIJIqu={67Ra{xz6!0q6i;RImc(vqtssNG|R#kqv7IX}Bax8FX`~7UNwI{XO zTA<%%#Ly6M;K@OMaXA_M@#7vzm#;*I${2p53ExmsVz&;n{BxGJppafN$9G&F~xj-P!s5`}dQ5>hb$mg=n;9ZKTO2ZnCa_ zM9_e4;I=2i+ZE!GKBOqB&INy3237-4E#2r%e|4V?#bBsx-kkNzz^CB5h)5`d4?$*CWusarCTPTuuO2Qgobga-d2MYHH0J8e5_m9tpoJ_A8@A z$WaS154shW-32#~GAd6B1!YnuZ>2agnMVb&0OLuT%57D63{T?$G-9gw3qNfbHy1a^Wp59CuXSEw z#o=3<&fViQgZtUhFF5gWSB&bF+V?#6$T35aTyX#_M;*jdM{b-vc-3U zm2YgjvuZK4#tO^u-ahI6=c5?xe8ji&1X z@ezWFzRgOJGj$P4ve{QX!P%z>s7sTmZmw3jHN32>?0mTiHy6};3+R>` zW=cv**n33rro0nhzkcN?Z9G-QuSwe4*;VOTK5pjW{0=&0owe}z*!n%k18Dg`#dCkz z{D4ZOl_oM)I{TqlaNhB=)1xi&ZyeP~_~88fe5v1I(ZN+o*VE4k?oxvXs)#1T%zH}Q 
z*MuH~?eF&{FTc)|dpX})M#beMNS}eJMMOjQq>kI~^xS!ENFD<%t*^)CQX8Lc&7GtH zpF9cYrS67$_cbn87n{wDb9;OWQV21S$jy?2$bA3s>J@FEz$KByFJ_#P+ge*Q!PfA1 zB<8dm_u>QF0`H8KrYJqCwx4qoqFX{!aPxdtL}+mv%HN@u>?G^K%DE%tB-(qybtOm=#{`*}7&-hE#)EI2 z!`mu!uB7|pLC18hB3BR7#SDCfKYfHWD7!pLy1@i@O#!63jg4&d*@EOr?9q{%0wOEa(t`*pDAh{ zL$CQZ>RzgfHj~@5^!WVq&5XA0e-;%GgBox5LJy9PfD2&H`Jbrs@%LleP$xIH1TSQ$ zZm@<Cf-g)XJ|jQB7&en9dx8>~t&P`P!&2T)6S+zmR;dmnAqp457V z_9`HNnhF>r@ybg&dLsnlqvVHXPP;+6k87BFl%y1Ogh3*Obb5OFd@>(MNc33=;n^W4 z?^z8fnfmRph!UL}IfG+bg825vZRM>P428@dX#>7?CH=g2?zA^Q-D`cM)W^(i)a$q} zt+}~b^0dRBE~;(D&Rrq{Ova}VtLy82YfFjv-(=^vNUA+&5%LyGToQBbkNU+HboamP z4`qO6zi6q}VQcqs-weHwnf$&d@pC6LbK(HbF{omK-Cx39qPu?FtsoGa^zNN0 zKb`-sAvv$HN@tX|pr5I+@f;T{5Qo{idl!MgFWaNO`EFSor(~qm<4#rp3Fmw@3eTE^ z9E{D6!MOOt7?@&!$~w`=>x2ydlkD2nYlYr9fRX=l9mZqqXEn0{_)3zQfL!V_+vMMr zjOhx7)cVSo1w*<>3(vQA(nY=9oXNW4Ymk>AkZTse+f30Y<#9_qMcC$GTcNos*8D8@0CiXn#Buf0AT~m}p z713?%wU#?~j+3OhO`i^$nx~{xfM!VozzAiP?9ZGB?$CLqPh*A9!DFvl6FR6N{K7mD z5PrA)%6yPGaPp^kcRC@0dI;a;!C81aun+*|Y8}Q|-+U7mwy6U*WVha7nl(=~qIP&} ztXMwZUpu(jov4V2UX2c6L305~usb)qKAV3nK}FxXlBeRkhUe&@*I4h?}0^x1FOqRTI~{hP)rltpKjQzlw(N52#PhH z*DdP$`XGo-SQD#JpnJkzD+3-3Px2g)W~N?N`|fqI@Gaxg=5XTcbE%})wAs}WRK!f$4hkU3wLlgtABN^pX9(*@z>8ijly z84d@&0lN4uL4^>< zql=>1m<*Okiq+UpV%8>}9Sj{}s=e&Kod_H<8ODNibH54G`w~E^W+=7@j;sNsyZdoV zOIGtU8alchK_olSwyZrL($9AH^))fc0*AGn=>r!pv2-P7VE(bTbrMKz^d3gk&{k4X z#}7`A*RPTA4?~qCq@?OMBch_N1zZH2Y&khOOO4OEUVJPJT8*8OHUe}&Q4>|Wd&@V3 zfbcVkJ<}Symm)ueOG#-H7ZYNS!({mQYz=Ct4mk(RTvla{m1l`%EADiCAvJ%qK|Z8` z!r)=Xkh{yLEY7FDN^)y|ERYXobbr5kKf_CkEb1)HR>RnCP8fzgJ+=6vE{_ZqrG2?d za;kuEQ|CK4P^;lD905CEfL8#>ctJ4cDb`Y09fz5j5$995edkX8b;o+`HDLiEK51n= zed`U-tS5q-RXflp2d$JVCo5-JaiFm(S6x+wx{6X7-~vV`2hn!BUSluHgl1mT$6zpl zmweMz@>wN8wN*U#pXT=fh+v8(s!g5ES&fBiqYA6ii^{Sc9w4Qdqd_lqZ;E0Lv(9ZbKWpcF76+`)466zp}`Ap;{k? 
zLv8Eb-4pwB*a~&jWg#b)$@|ngh^zFOK}*y0^%r+ zyc~qz?=I!=PS5`K(*HaOHi+o?=iQ+u(WiAr{p(gDv4uC1jJ@QM$U;pm73AUX&g&p> zP-~Tv;?pUC!_7?DP3q_|9O3Y z6?+yK*6X1$#d46GtCjCMR8vYdfRt9@aRtkuC#RlXxzi=2K6+W8d#EC737w-V$YOdg zEs0px-sA709{2z_#i*XD#_zg_?j^sb43mgoz?f@nR;AYn1Y@!MQNeygm6es5%}-#J zL|0C!j@PZ2W3||x^4;`5SxRJKZa3qt?O0G}e+m%Fd53pz-g+Se5i0-u?)K|6jbVZ> zJ>bu>6}gL(n*kYFW!|tY>Y1I*k7tq!?(aKBCq`r>!~7UY-mFR-jC8+XcEJXzx)8X9 zOi(Y%A1o&(W$pBU8?Uax#SU|x;B1JpsQl&D^7U37zN->gK!=H!Ux|;1T9wl)NswhYBB-C_v$VUjaui@#U@F*5Vclj zc#eu7KqxOFnq}_Za}A19iSu(&t@|f;=;u$&lydgwXOs+N;$*L+DF<=u`k%tx?4Sr}%$qRTZVE@fKe;}jWmx8B)^q;K$ar+lDiEg*T0TF1W^PV> zh*=;fS72gVOuiXHPX3v#vMxk+Ng=*`5QUNkG27&&h{i&hoCvjih1-bYmrO9W`h&Y( z8T~8=n1+U>hO`;J?vl-u9MV|&8{R*b?#gW#mFCGzi%ML%kMk{1eQ#4L4g;&CUWJ9+ z8T3zr@@7zb-y@6sak!C@9G<5YjqUyEhz6XIDFIjh%C|DvK+*Gb>gRT*3-5qFy{m*Y zR zcI0GLNC;$XkCz|BsJ;yi2rEh=;2pOeAMe7f{KAT8WRKMwk&7xREgjPF{xw{Pgag_e zM~9iLtZZTKjmvLBJib(ysuqn5%C3?jL*z0v0M#YK1VeuVN70l4MF~BVp3u1+PTb6z z`hjC624D^ww9zjZiDXZ;*1;EKAYtrGb~~@>9~nMie$c!)mup610j4A`)Ld$JJ>eJ@6K0wwuAp1Azk1%oc^Ga@wshA$e z1k8)x?iE(pk|-R+ni(-rUYZ=8?3^rg&ZwPf9JD;?YRj;c$lb`2?d_-4DU4x1b|fU2 z`4ZM#^k4^=mhb1Fo=Op7v{R?aF3K+~?@wpN!}fB-YUIa{2e@CL3P&Fk)E^f*{B}_2 za||YDP%1%{as4A4J`>@mkQ-}5{U+Lvt0X3i44^N`GLa#yG>UDEIJXHU=9C_R5jQJ2 zO&ZS6|5`K%f0>Sq?zfv3@?HMEoc;PYyda7w2q6*;VN+U;Lw;j6<)z=*nM%gE^G-Vn z!xmDY<>d_JF&N^^KfMvZThVj_tQlk0dR0uORX*)Pxw>GzRRTn<65t^-cN^LZg+EVi zQE1s!r#O|TVy<*cX*0nniL68kA*)6{vxUyqp;zHV3SjObU<|kEGbL<+AC}+lvj>kE z)}|~$ZkO{d`<5W?qXL=kZ7u8s%oPR;Y=~Z(iARN?8|#<=oD)I&QUa)V#y}qIuJL_hV9DG5>j!Tr`W^g6IGAMcKsK z!P1gx{1+L&;V&J}U75hz1uC@wE7;Pwp{4z*XTwy=mmi({$~*Xz2Ah$jwY1N|-mNp` z^;~F=&}5h2$pbF=xz$!jfh>>h=fm9URn9v@?i+Wn%vjis{=inxRjX6vg^nCtwfXC^ zBAsS-hv2coR!RLa=+tdzdjJjt#g`=aDm)`JgXcYi3`P%WL zr0+}l=`Z=k%5?bF552svT?LlFX2DWZCDvBZM9hTr=E359Y8WY1&AIkl{qa-`-54{d z@I@kK>BG5X3WC2=3NS5_U7N(4e)h#SrbvMxRTBS4PbBRj&5f1*jJXUDS}jvkfmQZD z^qBnHzHXdcDrvWpFas8an$u3hRO<;7XZPZf6241BMf1Sttju-C%ebi%ZQ%CVVv3KE zCpJ1XD8E1TIf3_Z&how2uI}+xD|(ok=;)aXTk`cB2KmmN!)knNS>$Lo5>!&$x7J6L 
z1cnAO^U)OEL^F|tNjD^|w^k{rpZpK~ruG7aTLn9~xENRP2>z?g;-T@X@4>sv!^OJk zQSDiOomzf>0|ufWIvzb>wM(0#94oJ@mDx1og${gL8$jQntT~tXp2VQsIqHOPqw0a& zmj46(V7xYj-!F?42z;A(;>QM9ZN7hCt}!BMpluwniF@nz+p3q#Cz0HaklRF;7g3hl zs;aCsN-IwM^rY^>HVfpjS&`>Vzsh{Lr^Z<9SZ>h8>vAxV250zgdjeK~;5Gd-XvPN2@aK&)y}tw?|rW|d83u{u^7x>Z*%un zEHJn(qfOTlNpqS^3jn^0B@ushr6#4fZXVeh2>C}+nhh`>o8Ov`VI`9<5;wIkOvOZ_ zcLvaBUfMn9+i{KitmM3^6NKIl%eWdn$1h5<;zL z=1TIvESj@TD!5AOw2i$^D8UON|7)YO7(GPMH2fc%X5l;VRl_Ei-Af$ZCNkT`GHBu` zaFXh-!PsDTn^%8Tq0g+$_s{WhjfzYr1vQ{zG3S4dL%>S41P$w4ER6vn$#dgqtIx<$ znU={EmXY6V&j}4-`n6TrOYZR3)p<*Ti^bH$L2ddqNU{V{dbgY!&en?v@2A%^Ve@GI zmZSLM=_xHsbf_|N?sRe}kzRO8(r6K{9EW9XQvkGcddL_LoA9MLjH9tg3Wr}bhUZT5 zIp|6zz7AfIN!fc%RvyDf&ZEa83)5d*iz@72QC4RDt8o3*Xx%nXbNdb@SR|&re+90* zogIU>Qh#40VWuOUvK7c4_-17x9T@YeCq<%!T48?zaSz+cSDc-TDh!uhSn5g4&(A*w zdaADyq0+1{YG95*5>ft8Z*h;QPk(W_T&C#(dto9dL+7A#9s(k3BhdMe%MDn#*tv~b zBtPfp%R-#Izqhm~`x;vQ7*cyeF_jJcaxJeruMINA4!lL9y?{TYdGXmncD^Mdpb!qA z@jGpU1|_TBE{q!kz%WWScI{W2B6F;zG4O!h%r@nVufLL~ao;wg0R>;znuCWSyW{PoIcX00!yEP~vA zukKb-V-yAP#GlnVV|k+~pD_@e!))45FcA?@UZX`PCT`a7a>c_040G(-v@qz`j#0B$ z$OXjN)Q2h+w6p_&5=N;o>f^|jHYKLKLHMc73Fj3agYm?Wj~A{1_rjm@x?EHX-*vC_ z+1XeaLbqjv1r=Vy5-saVf@Zk`%Z-+$yG+aNo{+iOO5Ocssl#jgEw-Xe9npAir9CHA znt8-+jih1ba6er~xzld5=Cuf)^^$VlZMf-+jW~z?o?6FsnAso|aA~*8{a^$IXlyz9 zTjZSrNkVK>4t$vT|IB+lMAobt;y+$0o_DMh~bo4@JFp4V4Y~9&GvdhhG#xK z-Z?+VpfCo5n^ACW_)ZJje8;1wORf1XZQkdwPZHvvm}Iw$hYA^qz^CJ#5GZ=f8=%tq zp-vw8292&WtK0)}Wf4Q=uoqt+K9%q6vO>6#926w4TNwF*O2|Da9K0U#Ug9@Z&yU{@ zz+1T}^H!x|jd?djHwKw}aF~oKE=D2?1c6})!BnKc^5mXSo(pu_QrJBi8nZC$b(bke zPeaa}M-y6334t62SHA;FU65+)l0+0Jw}>;XBNSp(mF_9DyttSIT&UWO zm;9RU0nBpwyiWN>hpm;$_e8fnZ@bI)@h8p=tp3wb&2O1fAB@#I+yYiyN7Z$}K%{3$ zN4@bBnW^?n2G|xo&$vkEk3a;qn&&wtwYO`^cRDYjZKAL5BD*1lYxLW;k2d`gFL{wj z3%WZ-rTr_SFQgFy%(SLe3N;l==wUmRPAcUwhq;SPAgH9g&@tV9)hvfP(UKqoPK|a< zTxww4zN-~WM&4Uff zc0kJw1fmsKg>T1G4&9&{wo-~m^L3-iJ6!;8jfKfH5ibvo`2~CyBe?!<4M5gH$z&Ra zPT@YrY^6X^x$5quM?i<-MjZmQIlpw=va`@O2@d8t2(k&-Erq=Yu&H`B7$q<)$nb~5 
zEZ_HrvcutgF$A+6(J-^3J0q=VA6ae#zV&D{-KyP=Kxe!O`Cb@O8Vm}UFleO%%iM@i zM)mvic{wd@YB#_yPUNry7H`=cNY!Dm%;u*?au>W!E8jW(E`<$vTNa`3#5yLLO~2B7 zhxrt!$vos*HB@i!tRH3oGxu(Ek5|YA{wli7jw-<~9CyRYOENDeBmlXEXH<8Q9z4)ujhUY5KuV2rlhOhbYX;LmhFD=yjov% z=awR}@P`zsys&Wn2{Ecr6WIx9YPMVAi!Ci;9726dPGEf-m0|4=z#es&4S4k0@(zRr zj{IN+@!{_UKpMyf+WmO)@~gn3*_jM*`O9CBu?fHc1-j(cg~KkZrHDt5cqfjY(9qe( zVYr}nIjNWf#}2d&CAZZS2R!Ff-+7{7bQ~t-SPFFeX$$1JRAHhDx&0V{@Gbwnyk?ng z07QEiJAlrK0FmdYIIW;JEjDOPA-b*i^pVIE+Ysux+Yibx>BN27zDWZQsk2J9$Q z4});vtbwr|$A#aCbsD~Jw=09FsvaGeLPbt&324RfbRr?OOk_B`I2wRf{r3278xwyIQgq`kQ|0BcD zLwdDP)a=S*@v=RtSWBRg@&H2GKY!41*C7*={9mEv2^GFo2bhhGjW~=x^Vzja7kACE zXbeUzqr0Qr9QZtc43Y(!@D8ZcuZNI{EbA?bAt})4J9r_CesJTEo14=n=_BR!%Ycka z1A%meZmOOis7~aYNHg9Fkq-4cKzX$5KNl9mQ3X$j>U3%#Fv-|u%n z?{|EE>|^iEx?;|G)tqCT zwQrbS2Z>*!k)8W)l(dgRj#uLj%UiK?z9{<{>GM0uIZ(-<2_#W8@dS;51i=w>s@l$z$yV?jr}tN1uIx8=7hE_$_5D0+tEZxw?n-x1ZZm`o6%pos^KDO;5oG{ zzVoY3*}MXC$Q^=zi>;v!IOjIzE1GGh7+0`i^2%F3M-yHPMn4NlNsM^D5(5jSxf4T2 z(v!~$3ftN!=}fTRWn3k3H<(3#QCw~@w%`A->=^tiSV>;8mMO~L^*L2|T}0XIY#%Tf zj|>IX;Vj8m)BK2rt`qr1pj=RZj33;LU%5j;g9g)egmOe~H^-VhYHsuWuVbxrT9b&P zK2ucR_fs;G`z9F4=KVQGzLUQ{X0(Av=7FEM+xmSSN0fM-bd=UIz1N;hMM+5niAkSm zfpK{$Avg6168UR{NGan(S1Qj$DwMyt(<9+7XboVDY3pg$ydAN}#g%~HwD9$HXy`i6 z7%fFeH(mVmJ}d7_=g)AXpKkRm@F#a(K$Ih?)Aej$$H%7?`aZwsj@xKdBuyYy>yfRJ z{%pR6+PFsH$DWsL`xMnnGJ|p%@eq)SkenBDvOWM@>djwDN_Ts2_(U}Y(BwBK-g(@t zro-|bk41Q!BlqDEzHFrOpJF8Dkok5j>H|9s!Q&KTJJ}x9IOnDKv4xAD7WScc!dGDf%-suY(rzm{= zUqs3&SE53OOe!(Twq9Z^O@$%NH?;0adx`ink$R2q zNZQ-C^VE_ESuXvMpt>wAiP72yFH;3N6}jeZ)m?@ljW)#McAmQ<-x$ax#&}7ChF6?h z8$mc4L&PSXKj*z23R@-J+RC5qB2zk<_A6i7~ zkJBTCYn|Ao5Q{{F;l-BL?V`8tyU!_TDN#zwegi}E3`)TbgPWIv(QSw!$D?swBrn?k zFgp~gZ4*PZbicV3-_m2CNfqTQij*)Bo*89wswMX4D3;4&CkvVzAA_X<*FYOYnM3!# zNTW(iEdZkZOGuw8Orw~&A+-qJuHvciavHX8`%N=5JX|3@6D;(f0ZAKM+bd3rDV{{1SSalWkPFtRFP<xtg?0DL2h8;>y4}$45=Yi)4L$q#i0lNba9#5>^k@Zp zP{k)#Dm|%Y!|eOhrmY_#cACT``9Xise!jo1FORh!IsN-y%v|n% z=1P{trOxjRUg=zdG3~ynd+zlg_PZr6Y{~HpmsM3Q+m|ok!*}2z!(eOc_wNkVQ9VCI 
zQ&hyMF1tVJFSS^-*(#Mj6@n^SSkK${tbr<=9&#=(xf{6F(rMj5IUEdNB)%9>?R)Lx ziIl9=C~kS9d->vhOq1UEb7-p=JK^P?!{_%(j8GMAFD_XO(Ua3JEKEZ=7u{)af9i-L zK_bUiNyr?!jyCfu=#he!6h5fSLFfH;wcay#m^`|3^;LtB56TXn(-#RqHXVj}Bt?d_ z)Gm-B)gn75@NiGTT8C&$Wd_V%7nyQXo++Sy2SitDXroG7KCHQL{z}zL8!oksS9nAh zCDps=h!t}%5uZn)Iy#jlS@?4i<=^%6(;SI^+rq5YCX6w1-SrD-IQ9_`=Tef=*3j1{ zI1LaXJArP-fItGs+c0$l(N&`)e2or525t_ae^}xbQ5xZFARe=LfOLi#mP7?ST-}U^c7m8D%JJ ze99u+e!^xlDTf)Uot~l3&f%4-oHj%cid{b)r2K8dNO*%GH=#uJ_u=R$R`T8_dj3Rt zg*30!H7RTjvm~XDt<-ILWWTIMbm+P(SIoA}JG73LRw}&p)B7GOp>k9hz6En=9yZ45rHpi}aQ%{5{Je zyD5iQe9Y6w;KW3h(b*;%^*swiXsj+??H9Z|h+N_UqkwL2B?8xGCLS$nDT+&Xp*4 z;3^y5(D$85;-mATxjQK(@n zCS}Pe~f_|41Z?`HllPFU)yr+y$WnyWZ7YRfu9*IUf z+@wbi4xn>G5b9C(puQ|?HZF!3k7T(FPj?vZU>!|-@1jWPu+$Nl+i}<4S<}^LCB6U? zR)}nw4|Ivsv0n%&=sNQlok!YsEzPd>cB9BI1*s3}oTC@WhNinV!mF{M3RX3X;F4{L?1N(_8A@F6nWJfGc?{z!fH zl8p3+w_Xfa&-cvN6(#NQ77oUD&ePG7*tg(%E?FZ+873WH=`~sb+=Z%D0 zLi=0n>fS%eYwgy?b;;zw`&CCs-uBBD^ZAS(LvIn=ddK;sBt5ZMNY50mne}j}tF@;d zn8n3cdbmqxPzfTSe05Jph%9Kz>&kaD*5oK@yhEb!+4&%d*_9=P>K_!NtLUx}Zk)C5 z@%Axp^3Khc%D3*X&|#651Ve#{7RWeF^knzVw#onc=2vSszj_0v$$NZ(DGD!Z#4?m1 z<;qwA3>fm`7QoiR@z>tUFsT9MRs`CAaQ5A>EwlI|S8Sy1KgX z;%E#Z45xyiqRbq?u!MgGQI1zQ<$_S*Af|nmYVvWmO6o$%>-MM!Gx}4ESbepau>;00 zomqiEQ}ahGpVV%^1q8y$#M?$Lw|@uAF(NxhV_cTtQR8zU&Nx_Pi6S%cIdb6NjkoSe z0TpC{?EJbb)WXjOuoAMxx5de@bF|jDZI&1oNeUWsfzCL+6V^<0$VF{5dKoG-Y68cD zq279_lKAdUEc9 zD-UQUwZ>v)s0mXb1W>AkQW}v$NL|yAYPP>H)ID0~F3J0#S#DoRU;n5WY*n^R%*_?E zmGCZ7A<4Vy(T4*uG&76#sNc@a))E8AW7YB0a(TWgt}1q;zlpSqd8#kHevejxU4 z<|7R>0qas;B=}5AH@7zY#}6a>YMyxEcN z!fudJMbOI0DnKEGLuEoJir^YE<*Us5v+Z+H8w@_UqO{h}Qlq#~y2cLz)g&c@)0lx1 zr%rO7H>mgqKL3MetLR?_Pj7+$AqYqp%rem8P#p6K21TyH2H_^Hby)k}p*AZbC_9~B zPV0^5QrD7~_tEGw6YZs1JJ4dTS571RZ=_=gXe2E1K1){t2%yV#d!s<_8 zU$RJK0WU(#Fc?fY8?%wwkzd4hj|Y#55y*Fir1+uvCLQ_S;$5Yre8kBSDvc8A{o+-! 
z{eaLOeAAkK)yQ$JzecMtM7dWZFP;0+(b40~fS`|P`JiNOX8iMD;^>6!?Bb3eBDQlL zFEO!dXiCRfDYa);3C=|a-diJ>;Q?4;YQLcfuaO>ETU{+0iEc$)>rC}SSJ0*;Jq0K% z8z-L9!w`YoNpwosjyzZ)@K5~8kiK146Ns+=ZSXEjeH1~*6`!9r+FDY<<>P2!==q9d zBt0O3x1Bk&+%b&Ne$=q$gGP8Oj~pxgZ|4V#d!(0hT?b$8mn+cCth+WgipR%mf6ey` z9Iv~w;+$9$(T`bo;|A)Xd-eF*2%R)_9}P@||9IqfJr3;Wd?{A18sh9Ho3-@T?%JxKefG@EXCsN%i-eEl>@JwID9bkc zKsHe_;OJe(*3=1VYK-+PTIa^KYvy1^tWBWK77Nybeb+vVDSTY(ecOM7gK+cULPlyS zCUd*>M&L1J_U@pe|NofjzGdG!bo*-zW_}Mv@#;^mS1c*D?5~;b6g=)P6O$5*8@OUE zK!7ZD3d*eZEKt8+ME5YBjR>85?CR7n$icznY`y*~{J*Aj|KI#s<7(+FW$-g=9IRar zN^?KS4S>kfRo%6vE3u(%!KBvlndPzl7%8!O;BUV(gcP<=L%S-GJ-vPcBdu{|`cLxq zj6yR4YRGK799e<-%)GnCJGy)klaKOmBu-J$UHXwr8~|J-g*%}wbHf%R1dH!kW#!}$ z9*35sA!31hC|k-osex=qJ`fIpoc@ZI6Q48Da_(P3Eq+l27h{2m6Z`h|6xqRj4l8$0 zlqo$DRuBO+>CE~G%(UrpN{0^}7A>LsU<hpvJGUh44Q{56fPjcM(5IQQ+tnlN z$>=eAuVr_zYMAm(v)5=)ye*2yGOi>OEea^NV9&6^+cUcy8TwX&q3Co{caw(xkr5Xa z`8)2u6WrQcbtKvM-xx$ne@IFie@yqf)z}HM9omL}@cA>nB2ZbWi(@&eUw{Hp25O2G zcfhd{of}LMs=_eq$V`CeA3rzwZ{+RgHU1~7OpK*aJ|}zO)QU8UZ&U1n)K?Qw=q<(d za1-1?s=K?pZ|$eKJqN3?|Bno9h9TreTkdluu8N`t7~Sz}_x30B-FDn`oVK3+0prry z$N3$nX!EId$9%lVuXH3EHE`__a>q=5k%|s&+eoJ@ew&o`Mau2--x0b=|8m4Jk-^`K>wyxTY)r<`>7D%N*lyH;dXOI|G z(ful2edVf3-L^=l)DA;zQufl|@LMDBHEqmz5M$TheG2ey|1~4aQfwH1vZ+0*{A@qk zaXxT22eFr!*;A%%5^zcqWcuY*RWhPh7Pp4-{Z{AlwG+Kg<-NuGL*u=)tILSr)C}BU zbb2i?t#}08;;^e(uH}7#C+oXgl#EFqvDULkMNp6 zp7*7>7WLJOT3-k*;?^t5_EK^1ZS48bTuScpo}KjmRXI4aS*}>NxpuUvkDe~4P0m!c ztyQnKp8v7=m_G_#sUz2%Vu9L`d@y0b@LQOl=ImWrc+IDrC0KQFTnHIsy0SFdlh1Fe zCU62vu6n{>HN?itOTUBgd>rz~mduI&pubE-0j0-8JM&KZs+~IF1}1arsQ%`0s|fu^ zYh4PfbzM|?-&?%be=rt&w1hxPjmuMuJ^S{;iO4P@gq^4F)o$ ztE=%QQ(T&tzz7z0#YkZJB$0u7lvlc$%SMHnIvqV-k)BbQ8+gS1V&-P1d6=t!_k4$S zzM9ATO`Q5Lx`SoJvJu5`Ep~}LJ*;m7j}rClFZI5cWQ(nGIB*Vpe0R-=iy$;vyTU8vQ3H_(#cILt zG9$MiZ?X#ImpSrZcnEm(z8x7VtjR#JOv+fSl3S1d%tRmNRQ!C>|DeVT2ad!LRq<<& zIVf}SE!a1j)&A}%*({Y8u53G|fYnD--N=pNc2p8sjSltObG7Kk9?g5&&X}-6L$2B1 z0!0QLjU?Kr%s&v84K!wp?X(?J$?ccml(m#Ni1ItYB+3g__Wl{SsCo0#@7>}Cx`mQf 
zu-7um4^t~=ep4`iu4bq)QOTj5?O}1Wo|e0q>Y;M=jQa4-lQ_~A(-N?I$W&nnejG>Y zPaD2mLi-~afeV@o-<6F#P^^25?cZ)9`$ zUygB^a4ck?mlr?HN`2Ef|I>5*@!K*=b$|YQe6ypuvuMwP*n{bT9$SnQA3j!>%&+IY z7gZx<&PIx*sy zq1j9%#yYKMF_~n3xu8%2u~%swzIy6`WWL%#D`O!(9v(0SH2fPtjT|*_nt(0FRlURpjmMWYv0WyVk@sg!!eJZIdIU^FfW*{O{kVBsv!L4Gb5^Lr{jLVVcf& z;4D2M;=uFSxVPPs-N+5D#DX-bG{AacCwBMqkK$;lkr6F3hf}E?H(8#a^iCGfU+p44 z>HQ={rLT10ebS3R;yebX6rEfRYN|=;F+ssRU-yk}Kgx?2F9yrYyd%RGVItdhudY5d zB`2!s%=3PwBJ;K#B3AaZoV;A|R9iyi|Dv-iaGloBO5nT2hD_^L%KjRN&U-Le;N92T z>ya}zNW6THiBx;HVAo$j(bnx>Y_$rmY%|yWFW1yOV~N5;7iD~tG0u(wfp0`U7AnyJ zCl~ceGcDDUT5U2d6BSH!nw}I}79T6%Dmo*xsE<=!bE=d`+HxsddWzKfOA~d>O zXSHT1b&WJO^wS%ay6$s~|2HOEF!`XcwY7D`VPV5&5U09tTA35hSf-hkP(PmX^XM=Q~s5w z>Cd65jsF+b**~cVEx>?NYEhvQqO*T_!f$#Yzq3zz`%Af&zVf@X;9}@_G3aG{XL&^h zLqyw%#mKL1g|15P#i=uYt|Y9k2UbQBtEb{Pu*To=FD5jo2_JkO+2+iTTlfdj?VgTG zF3VVr6I2W*2tEM^PMqS{FX3ZCOdIbHk9lq+@u4-_m@HOZ4$Lx{#bX_hGVnbfBhE78A3}MWbpSlpJTV&JF-ikf#tLe3XJ;skvoQW z(Gln2pn*@ZwC>j(h7XU3j{o1_&Nt`EqIXBw!@8neFF!k%q2yooqnD92OZkwIUv2sxs0DChpmMiaP=1fuNAGJ!XWrGEjanyz5YcWj%h z`DM;LO|g$}1_$TIB_If#1E3d!5hurKpOdwPi#dKB^mj%!0(UXFyWC95e=Nr4Ttjm7j z9$~gn&FbT26ViI+yd5Bg?gHD>ZODS!IIYDvEL58$puzPb9RAkzwxoL~t~jgPf#}ia z;zLEQuV8eGHs;JhsU*i0Q*SrIZ1$NrB+c)%-7zfLxV~j}L$aAUpuv!X!sN`ynmQoE zs=6iWA9HL|6w}#;@YZl|O9?|ROkiorKF<%#Z%H>7v+1oZ8Nq=V>02BSy8EVW@JdYWqCChjrwY#7Tt3!+k|gThK>rg!_F z)3`4To~HrT%*{HcPOP&bFok`^6`4o|Lqp?1OI4|Jo~FR$0#z4XWm)Y+*HDXv88JtN zp0Pu zigd)S;B^AvtM5c1ggrJcbShw}FCw|aC1^A>8!lCnx{IX1LD8k z{L43Gw7D+%%hB)C8`5$aYnGTGpL+Y)^nA=VTHhv1gRX~NAWVj#kIY&-UWLJiCHLR- zQ(SAw+Gp-jlEmB#Z+3Un% z&HSubaK1zxs!;LlX7@MZ1`nKM`O(qGv zPpy*;hN1nB`<{RL)=wb(bHJr0SAp)U?Bh@{uNquhxpCFl$r?b`)|Ca>=JJRZJ8Nsn z=G6NP)agnY=9ec#aesM7Nt@qs-2e64v*_!98hFC~TP(jUh8hS0*BdaM^gbAwP@Vc5 zCwlq6;ETBSbXerlxPqZ{j7FJu|G9Bws1g#XY#*gHl1VfsihIc5lUh;&=|>$?ENQG{5*K zN@8)ON=4B&U+m?@b5)=9ZN}cB{P^L3i?`G*d&(=zvj6zHV+}JSLt8Y^j3gsk+VVd) zUPPf~(!<$&Dx$=P4EOm^pXj0<3kp_GD%^=``EIdi_?Q)QhRq^D82{hZ=x?)2{slN% z!mT!#@ch*@@pH}+yz?jDr2nTHz3=c{1s8aHQTW?uoWy=3`X11N1V{QtP_fu;W9sXf 
zw&274f5KV~Steut&1$_)=J{);eGu>{`b{uf@#})}BGFq$KnVCFGtadKb1)RDF;yo; zByCw{?sG`75BiJr%=vxxRpkGbbo7Vf`fbL3h}-*c8UQSuGDJMrhh$7!Y$z!%4~jxv zmK|X>h@ptj7fHTmoEy;^0lzQd?`NgidM{*TjAl&folJRn&W-N!xR=RR*(Epk z)1PGWiI%?mQSRVv$;!wSli`1T*wIH-mjU{Cf0gHG&v0N7!4}h&>Xnrh@`;Ta>!AQp zVn!h}8Avl0kZnfa4U6d1>2^XxUuQcRdhM@sR;O%k^%3VzKD`0kJxAxgrKa`?k*SIK zbD;gKOuyf4a$ZiLFm{b`5yQl?V2fX6C? zs*l^DlJz&v*}O3!Qjujegl+9u`7d6g)n^FZ0Fr8Jox%D->==SL%gqA{&MB~>&*U- zZ!fE#n~!Q;_%%m;M5|7RK3Z8M*5)bFVNvIb|HP4xD{e&CdX}1+kZ{M~*uns~3(pWI z{3)Ow3?MogC=_Z%AgSMs$ro&mE+RDd3c>jy3^W5{`@>qmQimg`Q5YLVLj2;Ls9HAU zd{?UU3Mb}a;)W}Z&>Y|MMc+p~Hxrt`^-1sMsJAfVf%-4c(eSIZE5g*&%lAI6={pt5 zk%I_;34sYAzAOp81w9fVa%DNTG7pk$Zd8?%Jk!=fbeJ3(YEMo5k_g}Lx-&T>mG88Q z2b`e>AJox$Q09|Oj$Nrq=r?S9cN!*fYU6A{4-q&Y<(R6DY3#vyq!;8ufE9RI9^tPH zFjQy5S-W&V;692{3T@W+p->0CZQx-b!2#O@DGnQA=!3-W0%0d+8y|gR;7@rI zRz4vl7f%B@`$H%*&PV4Ih33h3@sE+(KpKTv!&vFdKltcC@p;onSPJV$X9yy*u1XPFlI-ZbS_ z0;<@y+2cOtHW((vD$*VEFc=;VmbRp;V*V>v0*UUhGCduj_xkHn^=&D-A)X_%ONn@-F=J=0g~;JNbR_R0VfWQ zz+GrXV!65wNV^T~!?D|9Dk{hV8|0Fcj)&F_DhhZ6I604p7BHM%fZAxV`RT6c+#H81- zS^<1@enCN_VNq|^AI2@1D3aj=9_sk+s~YF56@J`khTU$N2wIYFU#{bJkNFr|t16T{ z-Hv5(8k_~Y#Mbyu8KWk6gw()dtd%RS1IrBM0*89s96;=mhTHi&L2 z0x)@^rrYsKlBmP)vp0ZrPhp?pD2NUJMPtClQ%a%*u|!{rkh^jAXtJNqe_9~_g>5TAB1SJ+?BPpW1uTD3lp7c&a+Q{h``q7QrQX@ z@d%E4d)+zyKEt(ZH%zd-rG(x}+^>6>HD<#xNyrap04Ztt9`9c;v;akNe2HB0C&P2_ z3uLk&l$Y@77?>=b)eFd8Y-d*Jkoi^Dj$cMBF>O&-`cT;AGYnhVh5%{bNt~~MLWTFh zODyI$-X66f-g}JK#;%`S(G7-4Tz@_LsUjrp%P%s1>oQ@Z_eXo-<%GNymn=axb%F z^R&NS(xOT@$>RmKY!1TWB1HnX{jEr~5wN?rVTqEQvDGMU=%UnoI;xn|@55ZVI?hB}EHhD$y9}4Dhq@HN|M){<&zrMq*SE znc-gv+>Ft7#iM5SGN$8=A2iKfT;yvKArwLu#Kcm_{dG+hBJ1VO zzqo#>@9E@(p7DCtI&V0}-r4gc&-Em&8~>1uT=rqOX7ItbtI*+3Q&FMhB{zP(HLaVM zUURLQl)rxADj*NJpb}n!vIwb+ZpoJFyy!S-5h1 z%j>nJ=J{>9S`5A&xqMI&%4oa}L4f$>!6o96p~RuO3C>Q)qunHMaZwrZ7f;)~u-RyR z!Qw{$wA*#7dAoEaO@^?%vQZx1krrw~>GD@3obiceUi(A3Y68#p-6+&J#+_jeHJadL zBG_Y4t1gyi^T?t0o}e*X^xJ>;iQ3Svd@2k|RA9_ETOPTPZS3iEj!1o;E&+4Kk{F*~ 
z|LB&5K~GEE-yt{6c17KeDoM54eFEyv!Ocgtb0;41SB`k`e^{pSd{*|lC}6f|zaDg0Rk4M$-zfW-Mb%?oiJ~Y@NJ}2{7+U5QU`XIs zjjGvC@4H``^aitjN0P9`5+K|b0JXvuFOzN4WA;_H>oHT6$uJK*kTn-^U+AQ~^hNo2 zJ{vpjM-|iZ)tW26G$TI^Tz~MI47tc3$tYznL>Ro0bG%xia^AIcVwAwGI=XXyNcJ(1p>*XWECa>;&{jI6fwAI4()}?y zT$jI-(op}}%+D{NLK0{S#p~KJKQP{iHoe|vqoFo#$Pot^0kwKNqdQmQ;`;6-7b<-8 zZWe{%I^T?SKCJTas#wcyHd|(h&60 zb)1cpGe}u4q|mwgUjD!b-8RW)QD~d`7>mWX?4U>7Cj@+Gt%UFsck2f0{M<+VS#hXg?x{7UPga;yViodu85zhxz+5C@xH|7>)(;C`W^jGFL8 zrEDlfS{NSTKRR0es3lLee#TH+Hrn-uS?#xaIcHvS}}#pAqjZbEYQg z;mZCMsp0B~w<8DhN%M{&j-5%)PV5!c-AT?ICG5BCn^U;Qth9A&7`)W>Wn67fQhdP@DIQ#W()hc%YIj?>clr$j^ZCd6XYKQ2Ujld-mjaq$MhI2lEn86sH=78SG`p$ z4n;A9eN$1Dr@UaybAo)ycsnB5-3K$Nk`dk_a z9;SINVTSfs#ngDNv#2suS8ot*thVl5I8VeD3pEA69wB;BVNTXo?wGLRuM zJiL(cj-8#Ux(=806;=s2eVhLX-6*ODhIFLkl1+7zQ{Q;@cG|cN$Z> zb&BX5Z;k-j*gwtME=6+-@F69%285TE@aY@ zIY`lGB5YBYOiQSc@~0&(x0vUtY3mC=Xm(|aYrm4WVbR>ajmge7hl+$pY(Abg3VY@j zX0JP!s@*pCmy!=oTGnT`nwF4j$KQfL05dF8&Yd~sf4VY}?sT$##jqHJxC&XmQULQ;J|>5qSM$xtuhZisx@&n`Kmg{5pDczN$l3U z4J0lH)76W5<%hrLYk$%}S84h}$(L>!5kdQ)s_ccX0L7K@mVzmdG`W*mYU--0@%?l5 zl?|Wl8Nwt@dbs@ZcoF>C@sUnIn}-X+jAXB`5143v;p_AK)9$#(e4ze*ajJYl-7Tf& z`L%-lpkVp}B%_L`@AIOoG{&l`_wd{Z7f3|q-}hTMcnAc@(FT+P!0UD+2@Q4U=DNnr z=oc7$_A~4l5e1f*qgCyR!-XcH)sKfA16@C4m=%jOR0iL12}pC05eu8O4ZqIrcU}{WxUQl zLL^e2kj5CJHFnTJi9Isq?{6MgI`prTeVX6VLe;ZlATSZ(_|6x?4Lh4@l%7xK4t*|D z8v}4OGx{9DEgb(gz=|=+$%hLPM9L9Ht-=F{kmKE;mS$pJ{#!RMPirG~-`?ayGfz)L zE1mVeo36zFN0Zx=e;b>*8rxe0z{AM-x4&nJlrDei`_AF2`P{(Uru4~U&=3s!%4PMM zaX2pc5Q)fhN+;}aadXcXJhbMShA#RiS=1%Dn@L=7aKO(x1smfMZcrnUBjZz3RSgym z)aX)pexxLuOTi}%l3$^r)~BEc3)wb5+l6_ER#{kGTwILe)J8;5Nz^IN@8b;(sI3(& zR8&Ar!ulqR6JhZROx{7!F4Jp4&aohhO1kQv17-WRJ)xf z#PNoEdu}dx$6erPb%tJq_#OY*XOB0qpYP6{kFfubW`j(%tP8j&ClwY5YYflge0!=u z2d&M4#csAhUe7pyS3ziN<7c5TTTqh1`8W>b#)%*Nh3x*P`kC z>bEx+a2~(i8!8Wsp_t|g{yPLifgysK{T7h)1C--|oUoV+2WPYdgHffM$;>o8z8XVgLvwpy zw#pr_yY9MHSGE{$fL}e%H=NqeDuqmUBp z(TEU!)s_6%wd1!pX4J*i7$0mL!XILu!CbVS{oHb+I5^i0y`4$x32~l^BJ_;|xsTu= 
z%H$?#zNc|`PD2lm$MN-WasO45Q`l`+@x_O5aQt$Z-)>)RvO8{97u`Y6bciJf*#N8+ zJs<^R7Mb6>i0uFc#1Ovga4^|b=urIomdI@%7@X+D4ozpzRBA@nBLjob~CY0ZMyEinw!rZk14P;wen3J9bX-98HB;)NON-C{dBx#W208KN?byM@$ogX zw9Hj#1}wz!2$Ymyq9)mU0f`IaA>giq(K5Lb^>uW3s*enNTNig12A+Q5W1p>+{Z4lU z)`{jAtpPI{^+KKU$CJ-ntV~xjXN!4r$1I98?#@=Y`MU~S58Bx#c*m7MKdJDp&Q4H} zbRhbDMX}>z&-7G`uHv0Ws!79g9aSkBhucvzJQ!WKlVxuJ6Wrh5K$btV-_OWC&-yxq z73n6l^q7w+dVD~DDghik1c(E+2n?f}V?i;~)-N5B5rd)0FU(7*bydtKtAD9pSrb~k55X9c6%KmDkJc&Yj-B`(VcEykC8W zbVixF9%@{d_sKIFYH$i^Ks{^RHQZE)RjJ6y;aRZ`17doNUMIAzaeIjR!=~19hRoko~v?_iU5BHYk`*6VV zT*SwtG)hU5$;f`1{_;MGD+E99cuw=$-19cgf6iShU08y_{-I4O+3(A`XORe}F+VkY z+Qp3+Z_liZl;Q55O=#Ms&U)+nUc(CiEMc+Rzh^X)GE$Ax*Cy+2iwW&5y^K5!tA2ai zP*HT6l#r-`V2{7z9!uM<+rGvD({!)-^txB-+*J@lh+dqAS`hwjBkO8=U+oEYvHnEUZVvbsR>bDAetVNP_p$C?eL3P|+zwVC+C*o)tVON4=ri+@( zugR1MM94X2s(~G?cJ%{^J{zNuPhIr&2cR)Tvd1iZ&}NC@?Eenx|B%_QLRBNNca)c8 zEUhw0X=Vl*O<9sTU(2{xtDsExE;eO*c#KS{4is-*3f5)2%o@e0<3ngab5;1?J3;zh zJATNjv~t8C)bjyT{G@75PQSAiC61ujjYueJ%T~!Os)JshnmB#J<6-7N?7&wUW+alE z+Z@8kSGU7yMM^wNm6*#~td7(Yvz?Z~U&qIHC}U%x`Q4Y!D|L#;ZF9{W7-$r~-9{dC zd$C18GpSImm8&ulZmwwTE(>C^XG(IkZrr$5tTi%e>k{ytk}4O)V15VL~-LI@+ARNAVy;Zlg~}D2A0} zvx%pDgLvK3*TQtb%u;11GVl!9BLX}mGTtXv>yZ}Bum-rfHa#0hExRo;gm9Fb=O6ey zZ|}x0{L?bFSQ+|c*66nS7pL$a@qa1i7lVvVCQOk4a=;!j*=`!4Hb`?<8Irv-C5K?c zBOvB^+la&IKAsdplZm)B!%+X|Y10_~go(rd^r>-QizS9V*2Aoe8Fox0EH-&$af3f6 z`hw=9=sB+>As6j0qC#+*e%?FExxEPsGWm%s)_mviZb=Wvbo^Bi~NW9QiT!R=KN%h8m*uDMgvytYYlp&U$@-~D5|s>*9gl#%O2udVpflvGEi zi3k&KU%hC`o(+caMgQ3D*KcD!UIBsD0v;`{di5NWtg4dvE~SNqSUDOX>NO8{U4q0| zFIjvx$s4rHZ9nl@YU50;Y@T65*?c)71g^5Vbn^qkSXfS^NV7&K8f5+lDQZn zAb@lb&}Sh@v@U`f2)qSb%(kYCV!ku3qfY(3f7R%SUo}kCvspBIa?$2x`^Z})-MdSO z(5=`4qjZ=$z{qncGhV&;d8#O^+waM6RwxLu-#2Ah@ykNE?u;jJa8LhZ!|UgvCio#Q zw$P-w>TI%!@C&#%o7aS&OnUlx4t~G&9D4^Cv16zv6{rbsPGm%tQ<&9{bvk05AN}X(Y_~F}p4Q8+cqz;veqNTiky@0N) zdxitY5m>)}F`{rdseVOGwcOxN^Dxd$c_uQaDa(zK#QI5vY^Y6v8R$)U4#J|z2XBTG z+f9{o`%l0mj5t6%74__db$(fydT#$|Pa!ymTWYt4JZp_bdAlYPDMpRFk&av>#f;kY 
zQ%rXme@R15w%6|QJduKSUy#m1E(7LVr-s$bHJDDQ-6=9*ONbvmOCQfna{V~l4eDU>XMH*^<`PA4l? zVqS9OD#fYMuUxJrOwhH>fto@am>cUehD*c9+5krwWEHUkdkzDkO205GeJ%H;jg<+z{QZ`MaP@N`Ga$;c~DA^+W)_+>?udyYC9?Rj)dvf0@%?;)I0 zJgwV2EObTw=hoNi-Vha$)qJFCk;~Yu3muYEJ!xs~~9@6aZA zRPFwLRS_MQcaIMFz*YfeG4UkT@*o+Oc(_5u?SiIoMY_x$1SvW{dZRF7At4$R_uICU zQgEk$@#qv1DeOvy7?OMYoMT$R*ugBaJ$qeFR^n|?zE6)L&-S4KiqGMR1R}d~pNg;`IFV=BL~@yk!8~Go|bf5mtByt za2Mz@j~)!rBP9F_BSC^?bF!J%KSAFh@C4>Jri)6?LDA zMej|)=fr@nX&p_i3imy)ff_$=-6D*6b#gNontzc*?ZSbqh=zxuLj+H8M95X^+yg+egYCgFui_NG~fJ>>67cyN4>}tsNZc9dTH2Q8OFD2!9ZQemKhn;Anz19w*Rt72 zMv}~|_Y9e1N%ihc7Q3M9S=W`AXNgYs|W97@49)2p)FobUhwC!p!W8t`|?NX>01dAG(q4xUo(v zM2sf^tLkLWIZZxE8yg5fzRKv$P6<=wbIeedimxw#fY#pgw%MG>Hi&Rg$WMIx@nd+5 z$+fICt^O!24TY1l$s3}B*kbpSu{o4I{dBF(j+XHIqUgKjIu2A+aZDUKLKKxDz z5m?-H&mIX35tcjaT2kI*ff=BvyEZ*CwBsruNP59iR1{{g9do9tw-yBBj|lnHI0&=t zuUDfr5AJ9tbEAkO{E9?DK1r8EjM^_pj&su6o%{e+5(+_}}8 zl@Ikijs&S^?ryBEx{lghAS~wfzYomrKs__9py8fCw7>(yZjB7ByStLrr#JSlH$1Ot zyTiwpHvq`_`MFgYxnv{t2eih6h246U^(h=k`oPq%A0NLdFjA+F^h$UvoTxlFQ0)%@ zKj@yM9Gjfa76g;8)(@)WDsPy`M<}(-49uCvPNT_+%VJi1N}j?5He2!vLgkD}k9kD* z9X>9Wj-4#@_2h(tCzEBycza7x7DJ1Vxk5vUzgWl_vBhiAA}J5L{MJS*vimLgsgb9I zlE>t>3!g{ad3=dxX0FjUZaPPc847?>h~Iq56DyW%Hr>2R5;~Lu!Zp$@-Ej>{cZ-AqN{4jLpbVfOFtjvCIi!GqFocRo zi8M%e3^2sd{VlxXeeUOb@0UOPIeTWuT6^!c&UKu}c^vDE47YFE*z@xIh zH&5}?5cu}bP`Tqb;!s-sGgY3HZUEo3d-6iB$nOUY4is`;ri|;?cj>iqNJWueyCg$X zIT3|&Bmo_{=vQm19#n2=n^>Rk`Zupo4NpD3vWE=Yvt?*k~{!ivGUyg1X?`Y z!9dz8wm;hm&(Se_J@vajqGwtoX>%c$*~#4X};zdM_YIVeU7p zK&2NLc>3C>I0N0?u-WU#SL1p-gkxjbtw!wgnYq>;|8yn0O?oSmD5ZU6hOBXBPk zU7y?dM=+{zC0C3(>OUGcdr0taSo&#^Wg#FfshH!e7Tq#nMIQE5n5sQj$ipY!;tqKj zq4uP|TQ;eS5Zv6n>fj)q>3h}^4f>gF?)i$ByVYrZ&*9?Ycg6G1K?nDKqCEudL{l*= zmQJ>>?x~F0i+HSF2k?<$vq90XpB;%R>|BGYHJi{ZotBwLNt#Ohac5^=j$WEPQEiji zNTG)!M@mMip%q{8UF{!_7K-)Tjm|BgjZgc=&r8$TgIM+vi=yIU_*P zQn~(Q5}L{z1V(g`YZ`4n(u!8>9p$4e#@C>PTY0)FmF*zBhn_~fLq-Z$^UtHvHjbUS zaXW;K^+Z+W5))>Y`OosF3RcB)OVSMC_Yb ztUs^nsDdh zl3wQQQb`t=5YB`5uY~ju!GYgU1Ir&1bXAIUHvGvf9Ts>yZ8&b%k?FInQG7qj@3+Oc 
zt}xvyM%waFk(%K56rhA2x{6UBIMJm)!mDgDk>$o*vhPsBbZ@+{%(qBsBCgh*WfMQ- zmV@ozIImndH70|_Aa+`9v@rc`n2gd5q zW&$@kk`COb6r`#!F4_Hi{}d&yt+4391OkryYm`8RCV>zcYrXfg#J*~@gII-DT~Tl9 z^RxnGpM51Ds_Szd_C^QRJ3(W+t#^+2g8v{Mq4JyQX|gXdG~#83b^lV#aa1h`W64z< zbExz?T4x8G=jxq3;Hz^DtnZW1=wtgfKfrVU$v!Ipe0{oDXQ@0jSXrp0&CDkBJ9{sK zflW7ynsC*R#luR=;=G)N#WS{Zk*&Z6m^lnBe$Qi<_1L2noERK@fRr5y4IO}1c&(Mj z52kJ2S-E%*x(M;4eZ-hN)JK!!>b)A-X zaMXK5mScQ-DoNT=qXf&XW_Gl0E$v)xf)l6Ox%MNGQK3eFFuJgJ(r;a~gW zfN$B<_^7M@5zVuW`lF+zmKJ)TpP-NI&t?UJbdxFyZUSq>@Jrhn@Nl)>1;#ME>X*|Ta_PM#Ly7H%2($TV*zGPc1c3uu zQPxzZHl;B$BzEsZUHwiE>Ww0^M~Pw1^IAJd2e2I)q~1LAmCXTBS8?b!a7FDezdRPT z(DqAoJWny1k;8Q|5+V`tXaVL&daFNJt!3E*!UDZ(w1pYf+g^P6a{sREy?e^XAYv=O z=zmof*;J!CmbNnyU>b5*#$=-KT?0ISpgU`IcxX6P2!{a}o&Z7YQ!t9ul$1=~VPF_F zwMfzgGLLZoWtA*tyHwQ0MauUlReQN+p|`qBC)nF;_{P^3zPGnW9{mQa7{b_cTkIpR1os*{23Wp?W6H{qyXzBv z@X!&yq~YuE z?#b^*DduHNw-_w35TUB9xjWtJCA$_M4Eg&-09vvncHa3urfa}b%!vw0(0>eW(xozgZFAp2*K03Im0x3o}IuD!CTo?89WW;D9s5;$t}#Zj9b zlm%cT>bzTtWFY(g@880aeMv_~VMAyE%2W*NWW^KZHoX_g;2uWVfRu#wkp;f%JIDux z`2GpFp8sp#s8SfEjAMSHPiH9LLRT>zC98pCHCdIr*~a)d<&q? 
z$HXdh2h>g!LRAn(&I=S;(>*^?((_?@oeq|R(E~U0XA8n^+6Sm7Sjv{+S9FEjjeE_O zN4RMs$ao$MPyRkm`Hz7<0@Jc?jj&DOQ2cZNn z{On~B>&ZR8eEAU{QlYAU_d};TZ#!Kdg6BUsc|K8MIyT48zM!kHl}bzonh^i&f~Wb0 zys##JTe9|~wN^pB>;GyGxQ^KOu*#=P;6MNFcyLe_`!4Xq|L^_)hl7e(m##=A z`u_Ppj+>}Y=Bo&e72f0?WqfA;hqUemK(5j?a8xOGPIP(_S%!G%xSnU54_w5-=YZ3M zq`j^I-IbF4(%$YQb6YPy!K0X=0J&N960s?)W>VAUXy@$D(AVdPo^G9<=#P3hCCmIF zoihIL*+6hv) z|NPo3^hifoujuS(R7_6|E*d8xu6O;Axy17btR@@$9~^L9t8a{YiO5aIAprM9rM?lg zDi%F=STyY7P2bg)ne)+2uItCY&UN>6z{Z}_FA$%KsTyv4?k$@N@??hW^IAfh`AooM zZ}TWN6p>ryD5vprz;D^N4GyRUGvL-*^=TGm=KQOXQVORWDHsFf#bH>p(cMgGVL>M` zLz1VjgsS)~G7CC=0`FWsRhH^M1yw__KEHqV0!knxtP)vK5SBPf#Ij%|40WhLBHuc#oK+6pon1jb1vow|IQ zR-JPa=q(c^AqV?EKE60gF)8K^-bpbz7Ou~y`FQE@Vrw4Q*Ak!8ZmM_Pq+bVY@%ZzB zgZ-dLZ9YvJ^=yiX7Zv~s5d3}1f1HggDO}Tt*&>vrpfp*e3Nk7msKGmws030xfpkC% z-sHu}#a7)o2mA89Uh7iK)e_u$utgH}PNZrj1)St3$#V@}TFqGbf>>icwU=NsSQZ#v zT;OK~k>8gEM$7-&>K>jSfI{-${%nVmlQ9ORn2f)Hkhz(p)G~&TCSnb9EhsSz@QZfz zL1+oFxwb$GC4B4Ai==~2lm30dC<374FFgtfFCei3(h=ML*rC7qnU)OXqcqFB%DYze z-#>~r{{V_zyw_l>9pC~H_30)!f{R)l@iN2&n+{wpPUR%|I5fM#|ta_TokeQj8 z`Znc>6YB}W;w}v>#bd|ek-wG9qok}Hk}!j&33|z04S|7->6)#39gF`)!!CQ=D)TOQ zr#t581>nQ4PEVYj1N>5|Sf2{nsV4Ycx_0^OzO*4%dOMKMC8AI$P*(TU)9U{GS^hFH zZen8V(*z9*iw9Tc@S{>gC$DP`o${OlV%|1xM+^>X9r;2Y6xiThraup?%HI|i7N)gR zl2Ao6V0{d=3*8NJzWka3fzw2nSI6SMZ@QO%*zvQQwty?MCiRWw*Q%|a?KmHotp&%)!A zX)$m2$=celf%tmV4}EUxu*wYdnX$AvCcX#|Hg)pe%rOeH)6yqdWt}DC37Tjz`7^H=DMeEJ$et5 zs2a`MAdr&MMJiSsRR>KuRP79D#X>w%v^m;rwlzaU=4Ve%rkCFv7Cpu1EL7H7!ZzG0 zQKVM_hznsMLDK#pvM%~Lo6D|Q(ub=%Iy&l-k#S6NoRQCJwXEir&>-v4{AVaa;m}$6 z@sqf?;JX+d1sY&$7Xt24z~p^F&VY_R(x?i%w;Ce1u>oGLbeaWt!p`n4hgO^RXBW}r zct-g@Mip5YG;KIw4yrJ2I$xSK9GvgIn4 z;8vNy@F_L(__M9>r}cD}KbD1im02>>eU6BXA7vygJnfdx)GV;U=it@ah z5S#{~Kk!0*&kQm3^0C%0L;7Go(*B;0+mlTmr9MjbaC>Y`1zw(Ss2?_h%~n>b za<&l{v%IETexkPxcZNCzIR*1?KBF)L;7hf&y$4h`{{>JBy6nmh2K-@coO(V0mFuV* zHM3P>TshL!0W`>Un#KFCv&e2Zv(V5pFo5~+gR;0Xv4pg^wXV4N_kSN@RfBCVFz_;X zhG>Yx;$Dk`w9_-8F;FwndVB7%RTHfq=)#sfja1mjs{2U;;a?-2(1NS_+E1cZ`E`-wY;t>^>9v>U) 
z^lA_OXIl+>HYk*s8KYYPALk*EA!CfDAS35G9Vh?y99(r|qV@XzOD*1W0d)Z zMP|<4<)-9e!H%?$k8gqGkt*x={QMX+ySjRtpb^HeVOdexsOVoA(qa8Ambu;G_Oe` zqbyT~+TFz&CW!Q|EW!RTF#x>cFa?Di=C}Et1l#xtCt*dvXtXte!xfnom~$?+u4xvu zJAN$)gg~Nnin<4YMB57A)9aF71XciAupsma!69$MkreJHBTN6>o~NO@?gReR|%wc83N_}E4Dhdj)o{$ zUo=HnCNY258jLs^Hrp-mERaOMY{v1-q|*f%CUid?wAcIz5831pXHW*^OLGH9E+qzJ z6BIubrbW-IhW43+C*>9d-N9=ic*JK`^-@b2^6|ZWmA%jABgfiwxolJ}8L{uBy4@o; zYMUBx-m1b;xun5!T1$ALwl25MlyMR+4f=DlPMDc@LcDvt`yz{%}6lm0_t~_p@8K3k^{zV@cTjdltU?a zB2#^h@phzPgv*_)wh!TCc7QHRSEZl4ap|V{pGUzW2fuhX~Bi-rPejFgC%NS1~tD1 zDJp9l8A*tyPDkh`CnoF@0+FQn9sh>er=zv?pR{>sTJnK=`+eq{L+G$0P8ve-^D9Sr zMV%mri}*ac-*ZPTuW!A2{G0;<>1|Ul>^`Ll$#qBPIIaz`bFyRgqeWqz3vQQv4LGP) znr5{@L&eP*m&n3fWrrWJKU4r+KCQkf?m~RAhQDYk{LF*%xrSYGFeQT(F=F1){e|i+L~Kc>&Kxcdb8m^7Y9mutN7*TRJ6lB%UGP zf1|DoVWp8+F*3-zoFMCT820sN3Scjb4H*K8f{S;-uziEqf?#I*TYnz0GPCwvJ+`=! z{$Zx*2fGtQqY6ftPxg7H56w;A>vI8^-0sQG$HIl;>x+Zjz;WznNvg-gqCrLGn{|FOz6&l=9YJW&2alBi*_h)Yuk9(#{9 zSHTdT7=AU1@~Hb+2uk?vn>7;Ewt=Qe5UE8v$igs{8g*)Sd-I0%zTwrB{mN~G0wmKD zGl6M%sLR>z`66yrXnzL?E#zEC3%J)71Fs<`-(|TWM?v5gWtFGLsmc~SgK%xXNpclW z&hDVhMUA4U)m495IbvCED>zjK^M{@XCl+1*$zr<+{U(y}9aXHJ$ zS`epOTOsyoKI_$oQ9M8wFKGj(%xY~8ZNU%R@xy3vDX!*k)5(ZV2JoMIHWes!rzSLB z7Yy1hZH!AyqIjs)b|My?r}P~>7gRBMloh6nLUv*G?#!P03cB)KGQ^jAL;*n#V`^xk z5Zat=UKFV(cM@>|Qk-{LT=|l6!aE1t@4UOJ?3TRlTR&XGya5@o0TdsrhtzOb*tge@1CWjv}b~%Xac? 
zu!}(FP4W;P!y*$!c;9rXE}tIx{C2G)AA9JV_lI;9c~GF$(%;;(irpBmpL|KIvTHAy z;2{noQVN+ozrduv{sD*+bLVzdfAGGVl*HYc4}hGDfa_jb+CFp?^*4rB+mflo%ubAC zJ9wJaT_p2X0G|8Q+q;@ml#`f(Ew>r>E(6y%!Xqc=A6DV92W(sOYC15QaeDrGobWd1@(2#}HOe73-n`^C2Y`R-*u)ZfTyeef71-Irc>t9|&0F=NTogbWIu zzR5Wx`+iOTfas5puPSTu6AO(E62uK+$bas*cQ42+Z%RmrXtW-<<<-}Jay^^1qALlF zYV2R)`{fv=i`iM!Lfmf+4eI7LZz&M+&=yYBn4G|u?Cz@8){BcNwWd19mFx5Agn1N` zg(+b4-9U+p@Ptqtj){SA=!KizT>jLLCk}&G);RYGq#oTY>smO#ZPV^lMGF>BnwdX( zc$Rnfjas@!37d+On-}kG%Q%(;Lr1PP~D(yiSJUJv8g&l<@N%H>ZlgWRc|A5w%lIp z$;nAzxv=FE&v+T1jRmv9G)mi2<|Q2=o0xNPP$>fu8m=HvHZ*JmYR!nlaI`wqz>_IK zGY_m9T_vf8(Dd}HmJD4}jgeqV5H0u+TFgG*G5f9)&q#NhFX<_(wPb?z#2s(Aq!}OG z2jo1?Mgbvb76E>1)o)AoP)oV)OBDs5OKFMD8iTrWQ+Mhs_G(cv_#d#w`(OeJl#=o& z0aP6Ev>kE&rfsjhy8)r(km)}(hS46uhH7mKExusZVF(^7g*9NudX?Xn?)rLz>m)rW zL%RCxhJ<7>B|f|g-6ZOGM&;e;LiL;C2t7x>J0+`@Fz7P`Eiy$xG{qp)Cj=VXH_wc>pbqmAnVehii;wyoO z$~8)^anfoW&^mA3zw)tl8NuF{}25T&8{@PspEGd;9jK(&kR(*q^l?@QhUR! zr$qrGtI@QtbQKxs#SF$w7jMsnQblHNm{2n5Q>%M7#P?9@1+np{&dvzQ^r+GY@JpY| z?LLA>j0GRCGO`q^*eZzIX+$yHp^s>_)RNs^+hz*n1ey8AAfTUd!|bd@FeOwLUx9d} z1&dhIvsmNJE}|6SqAG_rocj_dti@rK7`L}0bGYVS#NFxFaP}Au-D(8xqUx;Bcyv7C zp{&|5h&Ho+WQ(wzN>3X@`>1O6s@X!_v~&zvvS*A&;%-pkD<~$FoQHSEFNAG z2cpzOM$$ZhgclnY9XZ2vLX_UG0$D%sSd89{>Tq&)dTt-t^~}oY_C>MP$@sScQio2U z0aH<1-|va68ad0m?(s{nw>iK0hK$#Ytv;`<;@!9@n;IWst_3$9#)!~n4-_NgZ7ct= z^bfAj1RpH?>CpKPI+DN9Ussno%r`V2(_qIzK+1 z-i~uG=H*QN*(0+?uEYXuxAsX|I`bQk!j^d&RBJVcvfK=JkWE!(;gjCGH8u!_T2o=F zj5OUuG$M1@u4dl^6e;yQ`JEVgE>6Y5l6}DoqS2(3Q~w7eyBRFy`fg9+Kwkb4yM;n5 zxq916G&*|=!wIJU>Fp7`VUfWXm0LkxP|^eU!*^EQxW6S9ZERZe^XFNAleN=+8uO&6 z=9w{4U@wWxw|6XUX9pquOh!hm{{L7Et{&;99TgH%8`HaW)Vjku@6%|?C26(}tW00A zkDmsvkqn^O0RjF>;3V$$!zIO)OTU>rM&jQfw)DUjvm1D=Rx(6vZv&@haJQ?X6T26~ zK}85&lWn%w_(#9o=Tdnx--_^-cT-pyA@>(m3&g((IcDv4_MipCA$`&t9#c#w9p(Q4 zzFbwEwidh{d0+bSF%&8?Pn?a~!8>M3mGQvr9y|XZ%w=+)D4YSj6oHo&b}6RRI6$bt zv$3@U1O${19>dqmVBCf4pMQ{fMJVN8rUWb(-Fq z9G1z{t@xkR7a0epk_DLyuVqPtA z2GM2gI0;1-<9t@xn zS$`CW>#b5zt7JdEN4F55{YeHSZsad(KF=TGT=@+2pm>9b(g1R=H}K-3>J&mI-U5#J 
zp3(u}&zH2=uGzvtF6{en|A&&9ZOYf(-L0YC^`TmN#+4(rQ_75QC^7O38~fUa zD_NaAE+O=cJ~~7(N5_DBp#vimq?!kh{({>RPt&Y2+4?3e8>h*xmt$pB%p2`uGd8!i zW6X2$V%ATlhpReOjy!xs6kZ%sTf2p`8%m7t%9V&Zs(HXX<0$IlEipn3irUmzp+LM9 zL|yRm26oMy#bul8fGarTTF6;S-9ZSDW=y}8Y3<}&kCkGq83X3UnhO_c<-&`V-EEGF z#eZ-Pom56VLf4;oivt!ETQgSL*(<~m4#GQq#r*#C479x_e#a+GUx7=j&6JOpEQGxv zo;7!B$#WFnV94zNAm+?&BOW6L@~gxu9I#gQ0twAO$?Qf*Eij4cC&(AmfpN|cp;CHRYDqx@yDp+uV}Pn@kiOn(~lw{9=!_Tt zw*P?!r>U}Kc2QsVO&UvA|CUq!wg4Gq21`YwlhyCiby@e_$v_*Fs2DewmN_ zzegu-`V&50KJutHZ5V43py+;y)m1S0jpE&m7m83&cK@#T&&>55x>#U@90RW?|IdMn z?%)lLyg#VBC98i?QD6T{>>dkx}?JWfTs1!oo*ZhCfNQa1(t8!7H7vvvw1SMW5GPTt(%yk7c0aN_wXl!rhhPy~J&iGoeC zOSU(4g{schx|{x%L(Uah(4_ivreJpQ8{o4Aav_h+#(tu{QeIB(DtqGl498uT4eXY}P>mKW@W?OYg0KB|sGI#k>#7|+w8myKhtcF#V7g!2y8 zviDWK$?e;WoJJukf3nAgT_awqW+H8m`(bmF)%qS4NocbIbJ&&io##qt>Lm@x{r{E4 zjOu6(=BNT$MZAByC@6zpTT+Nlk5;-{Xz%M`o%

F?Oz_+_EH-NHb-v|Hm9=5S{&4 zSWsM=tBIWUj)SSfV|@dz$Ty^&e%P&; zLC#3j9Y!$#0qG!hiIBNb1-WMPqyy=M6EF?wMUQ7IVK zQ|}}>z3XNCcFRg8oqPTB>Lp=ONl$+c#4fWZsLu;xw#tbmh!2-n>Mjlt-E#5;t#EkF z3CwX{ZfPYwWxUp|^RIMjdNu;IsBoD6B7tjLx}J~=l+nMpg4k^L7)t0}n91f~$)hCb z$T1ee=C(fZ-|+A~`Y4F#oLs6+PBuv@>;AuXP{2anmtWg4tu~;}?Llvf2Af^H2CIXC zflRryw5y7)43kAs^ktJ3e+;+yZc}2^`?HL8He>5TbDR&wW=J+&j%#V6Rgx4@ueVgz=;c2%tWlHB=tYR;YN~f zxmEw;>5z~R_*=yK^U_nT8xW5Vs>DU;=FgzYLU)N6*d8^~X`p z1ZDp7oK{~xS9VL|y(B2u=C>BR8`H1Vgt5(o{)5A#BGXe-NDl*lpP4N{DRxSY7?=IZ z;}?_NnY71P5}Itk(j{(6ix;NU-L0N9T7-l#0;dEK&eVFtXxT*8l@Q4%qi^l zufuH_AkI%F;?j7y`0DFY6Uc}A(U}MkWsw2Gk0({QCCH;cXV`U#Q2a_(j9HkP@LjtE z#F;W1x4!?n$-T$$;4H<&U!)R5Z}jiWFfF5k+HlokOqEu%gZ=CGq1mW!+#Z=k_H8*s z1F>vK4c?&Yfq9U?4-`&zu)ouSZFoRD0i2vKQRQD_s^-TgMgwO19t@z5>v#7aDa>_LT;%T8ynav9uK`!!qG<-8{*upIn$hL4 zMhQMLl0wGorpUbPM*a5B&%drXv@rv!RYS@{a9pwhKp1fH1$?B@f*Fyj`;S&vnGh#X zs9UD@lz$oW{s^{D3G|c(XdT1}1I}-JY%4fCAW1Ta)-tVo+#+?AqAuVtaKDEG9JLga z=h5;OH1X2%4Zvk6ba2z)J>-BfHTjtLwu(r7xyBSQO~>$z%om)xbHU!a^8|+6xWnLWZrebA)pxC1avWyQFo0J$Iw<5RPaE` z-iiC=pu5QzYH(=7@5dyNp1nSdu&kv&S`ol05Y;voS$QwCVkA&ucpuw-#l9`rBP9&k zcpEZm&UIS}&X^k`aQO=Oa2M#6pbR6o!Ll~IHAkGn7wiL)9Vpbd`$NH-c1)1JfD9A} zj;_Xigg~Zm+ICY=w;$fkB+qSOXMsSNu8Ln;1bXqkcS*=|zDr+$+)x~O52JX|M+bRD z#KbN`8dh@-kv|}am%MXv#NVI;LG{4o#|Pl_-*FEi@6*HX!x>Qpj z9tNWbsV#;;3dngD*+4YzkZwb@D8X+)_t{fNlxO!sW5Fo(KnZ( zLTWE5NYGC`PB!vy%uexWIqs*`Ao%ZT=V}>v;ghSO-lkzt^~3oZq{o*lZ|5Id$Utj6 zDhltz^M`TvzjtR&MmvBk7I?|+IomHR*jo={=$!KeM zDG=q)iZf6<0Y?Kx2JH*>d7r@vAe*l|ff7!@eE2zg=IhB5o0FenExZj|OWFHKq0Ro` zcSh#|8^?@9?2w*vl3sc^eDdG|y&XB}p4mrAZT5F7mYp$A9(x0nYT3BuzzGH`JCBng zK1`bFY|<-&ox_@roh~l1*fIbp4!Gfw-g2;-Gp>L`Z%!Dq(b=o1!$)b;L_tvo$~*_i z6IB$^z%FY1Y<2UR#r2b&!L|gsA8P@XCO^wlFF`!sTDs{dw{auu*|s1ac?;ttkyO z_Uq;g)Jd}m*`WwxwTvrI7|RKf597=?Jdr!|I5?deNkzwSBUxDH7pA%#PaovHwHCVy zS-#gYV5ZvEv!Z`>Z8PS$iUt+;wis$@WVFEWjA^q5xm){PK;oy2j^Rr6xb0 zHB50hofsvQlo?bb&NsV`%k-bN%q0RJqSYb50Kf2Qtjs)hw6aP!+qws|VSIfL2@9P- zOcgKr*v{^`jZK&&P-h8ZV~9m_kyW8kJEu-|b4dPVw1rWE#jB-RdkgsRdMtEMue`uZPOnd3^-~PFjCpQCqF$iUmMx(9 
zeH>Cr+sK+vhgvL@1dI3KFHFQpw6FT$M?pnm+3@kuBe_RrW(f}oI`_hfRa#iaJRuAC z#YG|jRzI4|}&Ly{t#ZIx=mZ(a^?(Qnhfoj5Eu!iX zr;-o2$2>o;uai^fNVxE0mCF z;2u$h<(4P*-CZ%LyAi1vf-*Jcpm`d&>&}-%NeN0Gm=e$)gMG2%ZC4>diSV$@pYl2A z<=p{76J^bh(R0(;8r<~Qs%~ZTg&-QPYK;ArNM)(n)qIb6_9N3^c-B>&5%Pj znn=w5sj6ft`E7kodUNsJh$G{zTUpEwvPc(UPl`LCVxpozKnDo1-XXu%`h1N9Jk~n! z@6JP%f(?62swY4)Lo=cM6IVKVFnqSQ7}P|Sm2Eh>=z&M=m09^UGTy|*#N}tjX3T8X z_ip7f{wkFLI$1V0HaH^90$@}MX$^%6B90O8(la~GN)=+e=h|eoY{_V(2`_g>r|O}i zoucT_Fegl6M!y%a;Fb)Hb#5LNVT-eKbp>k}P=D`*|NFV$@gDx{Oco4R3`O<=0$`-t zI8))Q)V$5il51y{eqynA)hdt@s(WZ^sH#kNb69q*%5Qz#H&XGy?L{D0LI;5$IPs>+ z0dT=tty!QF!Z1v8s+fzPbRb_6{lz5~n5grutF$34RLgX}?}+Qmt8!yD_qKMemCd8w z)%A-xjv>=tpejHPW^`8Y?k(EOAlg?i?#N;vTx<@VuE9>ZtTnjPtGj$WJZVzirD_FI zTrfqLI23`a5Tug%qbApBIIC6=Vk&`cUf{Z2CYVha?dR-?hT0neSM1h2_7Y2 ziB2bYi*&Ni*ZtYEd@T0(J<8PF{8=QO08CHh+6MH`D|{A>jx|z8$Hx>hHN=pfx4O@^ zzo1O>QNj-mXgZ_Vwv&!umNyPUb=UWQ4(pKBmY3fo4=b~1l9iFM5~c%{Sag>Be6si2 zvw=`7G?qk}i+Q9}hQn>je?um%nwrZmK2Kn|g{xtpu%v)}WX6>$q9q|AA#&IA$R89{r^z8@q2v~g z0ks7MOF2xZ%l;cp7Mw{9vKvfiGfXNcI=1@#VuIi42%ER*Sn?EG<0m?6D)C!Be)i`x zkUMRw6PWiv1u-4)Jd^hRM~Z+!>2&N}jH_sB4K{6!#8=dC13{SMFDGKn-Qe$7ZSqrw z+v`i7f@-O}jKiS*spwZO$m2&d+HYsu7Cdy|jYlg*?e_^KHIssLk==6V0gdP;Fh+K7 z$D{d@R&fQH>v(*g|LJC!+)0~~EL`FG)s%>_s1#DLdrt8OHf^UjT_<{J zUY2wT4JGtvB0?I5%w5P9DDwCx@5jvA35O2V5vw7_3LX&3~TG>b1?9YatK_LyK&?((dcy z2L}M;%}vqfG2QqvsZ!84CN*}x%yepnJ#A|?yiBYT4WlE`(&SVFxzyEzWA`-9#SmzJsKc-Ri0D?%KN&XYZ-&kqEqlfTPKHf$GMyrB|)p|O0VUVBcq{Or& zG+wifWNA8oa+)-{yjpelbOYJFw2Sxip5PN>o$usFRv2?=gG${an@sd`bRErv~$BhR1w_Y z|4a~hSZn_SX1#o7+PJLkdzsW2 zs`)GsQziFc+lK)h)0r8DUVCrtl~V_~fD%4l<3Keh;DurgASHkOI^MSY$>jT^V~GrY zKypt?eR=n$)~Dm+U(^JipIwb-D>lXo%56>DQ>XAbVu`IgKX(`$u0PzLE9nB7S27uZ z%}^fQkgHR~2@|2~66%(=x<_Zb$<3DA^(+rX6+BxYcZzF?pyhN0ru6-|oui}Cyoe;{ z@%ksCsmK{xM0QOQnR4^Y<^gC= zq(WmYlL~Zb3EVH+@_v$j5+>f_210zM2pE8~y><%j<*>V%;kGV^i`oYZfnp+3BjPLm#alkk) zYba8-JOfT)E4TtXbuc@*fH+@vXU`+c zP9>Vh+)ad{U9l|8Gjn6(ELA}Un#tXKi>(;;O!d6jfz-F?M~@!yHy*qje5U8l074^t 
zCSoyJnWf&(TZAqGfp=(Hl05q03060$1(_oA|0SF0JWUqAu+Y-@0_LYvxz|eq?1ei0 zr31e{qMuo$B!uNH7*VJwdpgDQrlSkZop-uxCx;(C%6kWm`5JC75k00re7Mu!t^Gnt zge9asPD|#&9}jM-&e?VdN8~LXE?L~5B!Czo`R&`RoaVK)JCP=pA3nLxoP>;wJk;zu zT`5CUAv&U>{`@FJLpj-%jq<>bcS|4hh?w!!Y^r&CW3B|^=9o5cxL&)ec=P~_y7aZR zrQLJRj92ID8wicNFpM?clT+$_FJubakS7dl{t^U6>{g&Mc_;LDid9G4`q4x4J<=T< zM*?I1|IDw>k7S}_n359B?WAE!XUsOIP=_M@ji&R-uO}~uTcLz@_Dqjock~q&w|(oz z<$AP|IAKnr{#wz=-={6D8;;kp06g^Y`1E|v&$|W`S?rzEZiBxC)x%)~et6ZTELWG4 ziw7_yKh<*cDEr$65ptuone;Sa>oBDa$AZJx;zV%XhB#=p+a${n?yAGl|ppOg-# zb}cp%5-bivEDl-<<=<}cOcv>42KMwjb9E07)R+pM{OHU)nUB+wHOS1by0$;k-Kg0* z2NqsR7JfH8ysJ!3x4`g>vq4eh>9{*1G7y}*HzHc?Yby075$m-s)sE)b7`0XO=Y{jZPi=BQrx82ITPBrMB#9%GmUj?d#Wf)GQ8v zfO-ht#L3KKLiZ^cBnXWgYkxp|I6zc#K>L-^Pyw;G3%su!nnXoq&&Dgebt2i>=DU## z+*mlAU~%x37V|YXEvEuhzZ-Jt!wt;?wjKz;LMRNzQ}Z8u8*@!tNidS#rf=FxjR*3Y zrPW#-f6HwVI>94b+&q)T`0Z-~qlz%iDy}?WCc+}OXL3JX1_GhTGX$x>qflt9eVdU5 zB}x5EObo4sPYhUAKV67EJBSAN2=N*kyL32gan6w7?x9vlv+L)@)s*OVsXR1bCWKa& zFdqk>mDzR-Org2yqR=$opLw>kaq@FR_o|Bh@j82MKQ0$#YH9*xV(fvSg6?-+9zFQa z?(WJc2xK0RE`bxWaCP1#m&dM~bNqqQnVn_h4afdX=f_P)gJsSeYoK^w*!*~n|C~_P z!^?Sne+W(Guv6(pS3x*&2Y2Lft+IQt!0z?3=+1Ur=E=Zt`c)hdpR&M{WTL=ELtLrsjzP05V-Z|6MXcn0-kUhmsopepDtga#t7qoQA ze7!w)y%GD~=aWK zcly+j2VuzjIga7V&tGYvQnqWCfEFJoj5E>B_FS#$q%$7P7MDzP)^t>4(GYknij{)| zNspJau?(X1r%(4>&Z8z~e0GJ(7PmvHc6Tk#{gKffZRzRh`dqt&PJTU!f?nJ37F}=e z8Xx`+v2c+i&Zvq^KLV!!EE9PaawN=qb0Tz3A1p1D97I^!Cy%qV6P&e(N969w%M_QE z^!A(;HSIY7!y;SZ-p`p(!cfVhVp<5qcc5^7hS)AX27L`!KJWCkB3Ek=WA>GSdzEE+ zWVMZrXPr$1?sy|hIAYC;UkAS8Q3ucdBnEq6Np=`Rp(jtW1mlG5BPwHk=#N-GTBrkU z`F+-Td0x=!mh3>lac3qw;e@%2fBGVM34&hwMM(ga`L_nqGBlk_a_1rN#t)6vKmMn%3m5MF37Ubt^Gnq4Rchc6N4h^7QoF-Pz&c;Tdnhf+aH#O=m|(c=uAyOa}-z zPJ#1bcUM<$wlHIK|7W&zO@3b9(B_%@cmFm6T8h9;^B7y_u@eF0J!)z~L`Ll7CW5}h zKgLNGSg3kuD@e&eC8lnWLR>!u*0Lj|;4(1Ix9V*DvtKXeWsX?CdvPsqWN(PZ%%Rd` zX=$ki$VHTNc6I{S8f^~g!+|)XQqx-ZCGrUw#%L!;M=((ctaIFRNRJ?{RTL;PbT{W$ zQ;syzU}jo*!52XcSndwQ7=Uic&+RQ_oZ$c5MX^}I0Z|YK2RG%f8gT3hXW9!OYs^tp 
zRk@=fpmB31I^f`YB>k+vXFNJJl|J4-BH}BpaQKCQ$pU_51z;JjBisQ7y!c^T;r9FQ zM9(c)X-eZ8h=N~0V>{GF0if{ece_%=Tjh&kAO`aG_F4wKRUjHZIXa#z>@NBLvG<-~ zQDy7eZlNs*ir59Bf`TO(5tW?5LJ39A851Bm=crPEfIyK!aww22NdyE`BnXlPB&&dA zkemd*x3s(0>b3V;d!OsO&aZR)B~&qMj5%kGF~>We=YEm^OLi9>#GC07Yu@}LKx_>a z)C6m7)qDUdR9!ogA<$B*C28+n7q%#qVOd3PkcG`e3E~%Pv6;zisB&FEOs10V+AHll z^Y9%D9*2Svo<2G>N;etfNa0x;8l?0<6wWakhZ7c#vN?Ul@TJG*VsD-n z+W;#n=UZlXI9Cjk3mN#aN}a^_dX;EM3ENHIH=O{Xuhj3Gag4$Z=#sOYSeU6T$7W&( z)xVIzSdW#8446H6GvD0ShUdatx3a537suCkSTD1&OG`;B-sPaJ}B}N8wmHm)KhGq2F zQZ_Tw#JhLz&dJGq@s)_eK~NG%?fsAuxza64E%oKRDAdd$CmCKw@|RlX zyo|l^;kH;INSSo>z{r4pm+xz5a>RfomkN0x?9>TR^4vPu=^wbsgbe)cJngh=J#3%8 zrvn7k28qdGajNt8F!+*XoJMvgo{? zTY>45GSXssy@NwTbI#S0Z&GWkJ?!lxoV&xL{ZBIRewD6utm3SaKiGDBl1Y1?%dDbR zLE2d8Opi^oaVbG>+acG%;$&ShbeUQ%M?I5ab8G7iuNiB4&#ZqyKtuG&`8Dwq0Zro| zQ~!8)-SR5UjEN%_AWhl36i)Osr{gKMHD%a-T30%Km@Qf(6`5zkKh7Z^C`LjW8vB>T zBNnZaMW#c(W3jeTs>QE++XIycmC-cvQn3DB)^_xCjN-*&Uu7x!B=AzDV-`%-58=jPgyx)#h2)o3~iRfUB)?`6qEF-}$m6STCna?Fw2o}nedoIO_Z%o(kd?UVNEB#Mgi$~Drw zs8eQZw`Nzj&6)5)LfKX7%}uH*Kx2;#0&cG`4-X@wQBGNfKaZnJKeGFVF`eJWGK*18 z)TEoc3@9{(lDKH5(~51*9Gd2taja4;P`v?aK|-oq)>mA4m=s=4gK16ai!v*9bZE)F z@bB-o1T4UmCzrHCY{AONm^scbn3Pby$&}e9Rj*5SiN@HXY!H@+?f@@RiH?)`h*Zrh zU^03T(K%^9xq1XFJN-fB7tbH6A}6jJyCRknh($IdC4l3?_B)>tKN%@ z^LO<_KO|0r;^f7&&W{tn5!$Vnv~wjtOur#+@+zP`Td`Q2XU6LvKz}0yDk5e z4hc8?PZSoA2dp43u=AK+zT3pH0LdCnT9)zER5ZEH@5ngf%x(SAj~N`m-v7Kd!AR(X zbkYuOA3Wa3>=ro~NalN8LFJ$?o~TahPI$|X3{+m}kXKTB3G4Rv`~m_H$`~!rSR#l* zSxliMc{VcNWxRb-5-v3mW%5>-Ym$o`m-9MHCJjqP7~`p)M5QZE?P1qmj;PzJ8un5~ z_;2ta`4bdsYBb$Ncv@m)WQtt+KRHa42c%;^WUBFW6TD%ZBRkgYaXPfA_1`_Sp8dFN zLUT$tUlVhtPmIR+=p;DP*v_%uF=cEm#Ic+^uBfyiE90%1^uyw34~Db^_x3iurkB;; zNSQG+X4YS)C@CtsLKCR`vhBkMZH^i=+ME?dk`wy+*g0rxlrOq+23eKx$eA*t|w0It-(m32l7LQaC zS1+*)odIrH3Wg+%&^b`V2K*#=;j?qVrXDk8kxg>ygm?X&+@uK>My9KNk}o#yoPmKT z?e=XG^B@?A64h7^f_SNNbE^c0t~l)M-g9>U5p~;xGU6>eENJ4C8N0zJteQ%GB3aml zGyL)WQgtHpcS^gRUeB2GH8lWuI4hZZ)34~{BzChYhh$dSGq0*5R%$@w8p_Nl=?c|! 
ztSVZSDwtF@!=sAh!~zR5ivlyu8YmTwE8#e?l#Wi=>4;p519uWl+_9x~g0sCW1Z@2C zOeX`eZKBke!+l~;w-gHpEIFxGbZQ5%`76g}CvKJaqcsW>O7}1Ji?$7JA|py3A8MPi z?L0!3r!Arw7I(3@-@I+Igi4>vbgCmoi4j?Ojw#dKRa-{p3#TGWNYjjA6wWz-AvR+N zmmvn|Z-YydqlXqcs#e5P0znojAs2O>vcsJvCX)asPTPdNb!B5xGm2z9~<39ESXD+4B z8yYfz(M(k?I^-M3$pkUP;1pRVkw>&d=&n!)N8$JqqLXQ>6mIz(_#Hd_4x4#xrL$9+ zm1?nX4!(N^at(|jp))0MDO8RheGQ9%cV^*~^?gr`1C^wB4b_mg_wgf@Xx>^y>Wv6R zKnSGr$343QB#IrScjKJ>dlf5_pWO_zdqImq_dA9*_gx~{*o6nwZ&aR_1Y<0JIx}v( zqrVZ*y}ex-m~-~0X0+?~(HT|Evo-|<-e2)y#r_zLmHoQ1eV=9;5?MO`mP9>=W&d1@ z2LS$uWTzsViT!}E$KWw&09+Lz~=&Wiov+t_8f&S=zgwklxc%i|jto21hjq;DfUS*7m%Q}U4ueH-GCl44L~>X{^Os*p zjkilj!2ltaQlw2Sw(xFnMHwBcq}UoCfNT5y6YbiV9`5K5g-fQ1+3v5GQg#SK+xC6k zC7Y7Q>k$;$Zv|gE*x33vK{kcQ!OCuO+Ah6+WX1(XBU8@~y(9L(d9NNZFK18SKi0|j zh{y-18>}Lt0^-8Le7sCoP~0F6{^Hnp7eHwXE3Sm%c1K6eM!c4`FOutfovF(K(a$cF zIrNB6$Saj>=s0h$>{|N~Q2CNX2Ww>|$ftzzxw)3WVd_+?pJMFKj_kssFP~rK=MpN6 zSw36x2b1G`SQF(kwz@9N0M+qzcz&+P+n<*e<$I9lJk_r=o(h`0k1hhM4*6a&2LBI> z*Yx{mOa5NG_BOU*x-wk3TG>(CLW4%{-(P6g(ivBl4lwd7wTm2^a9^xja&R`Nac=9% zo{#6C4)$K!`0(Kf;m$m|rv1U$Z|o|Ztv|_PzGL`?hBx8A3$C90n`oQJxM*%$xI+A3 zpr3HM)?x=2Zrurylx50{PT0ECzG4Q+FNL@2tXGE*?w%GTSnr0W+Aqn;(8MJuFyl#- zAH4XTG=SFiu(6w4vCVCn>>gm`kiF&b`BTqbN~&|>pxk8cG&Eh6bf7ilK(K#T$Rfp< z-)3~4P$7-RFfDDwbOV_7uvEtNnfW6RUR?jF=Vm=u0(edWeYGmUC(TV1)ia}h;mo-+ zuMYea?9a(GAEXcLkXf9=2%)4881C;P;g}URW3$E81chu=s~+v#X--2>^}YS_{QB6W zrYqtIBHlGQtm)zuRqb`e<@9^h68Rrr?5sq2@Gs|P@Kq5ZBs}t(M&1FwS^6LQyZtulSN2Awf$yZf$e5uVVL(>$LwN@T}>I z5^oaU^Qxxzm$pQ}X3U2wuL13`S$LTk(K-4qf9Uj+b@+e)%f#HEhkS^#B6s3Ng@&4; zJrR+Ygayq=pk2k4GjoKWEe|6Q0?g;R)qW!1W7eXLR_3V+VTdOVo$3ehlVYDM`l|>dqD=VO;%vCiEQB8T7KUSu&La?Imtnp0%jwd2Na$WxjP1J`m#9;m;;z~S^o|W#u8bz) zW)utNH$a|p1qyfioRW(oc{YSbpEj`s2mJ|*DDzkmkVmRVVVHyM{tfmfD1^m;(z%R6+DvyK_M+bSv# zblQYt8Bi&5teM9uiJ*@8dE(LM;reFJCGwUpT79)s7bwA4uMhQvZ(SAXh;23Q6L?Ul ztE)Tg;3oS@UV025@b|7F%3|EVE`(eURQS-iQ**-A6wS#ws?>wvX=-UT(Ed8sGAna( zqQc8!fflhJNl#&*NfPEj&8!U4K-o$66C2~i!p`LSdbw(jOl*T7DWU(DLs*Qgge4kT 
zJzjXb-Mg2e%-U&u4Gj1ZuBQ+Za?kFM)G~^g|7ttKo+3H^>o7?360EGPRj+m%!>v$u z@!Fi}P%Kv3>TL)f9wBka>(bBzpMxGTSjB(spC$OEg!Bo*SQ}y2agr{T)y8!TN7fLj zjMyu62Ynr*o|{P(X6H(tKmQI}OIB7^-rwI$UIH0d22d3`reNpyi><4b)4FeKEbQ$2 zK70+^Fa*V+rrj{9+iD{@*=tu3O{He2?KIqk2p&GZLRef+`nEbA{<^yT4pen|yPsEf zg@uRiqVL+mNeF5yLte`7@Q56>o=27s0UTCQ&5vG+TRcICcFk^*TD~&zx9w5@u0`$IY-o|6U-C7 zpj}@Y&eFY>q*#je)RSqRG)AGcmPR4slGyJH6yru9m`3@mER+WlW5;~Laxqo%q=8OH ziBkRM$wg-tZYPRC;bTBp{gMe+ye_)-CZQQg(b2}3W{`d8RamQ>v9^Lo5EV4Bmsn98 z4t9#@G@?NPgS21bA320bEb&TXDLyaXOwtNPlI_aM-rj1Rg8jX) zi?!MrRq{&6S|{^+Wr%48_IFfXvGx;WL|sKP#HX_fpK(VH)tfilSH8L`u0$%!U`$|s zTth95oT&9z} zdxmEY9Nvz+I+AoU&3ODxOx@jLZ8@2ih6?MkbgVvJ4(fhU;Z*(!v~xU*p*Jp8R||t| z)4^f2W^>d)$54?e5*|s_gPcHDo0NGEgx)T!Bh_7ZoR*ju2Rs&hBLd$I4$?H`kolpt zw6t>6>FDSNJ`KxctHI(9^a;J@urU-dE{8?;?O_-tYG_5AQV&^CQduIU$Jjh0vaUFI|fpDvY= zlbZ|DC9v2pYkRu7ep=d$4Qg0kCM}nOv!7#XM7sTr)*>%2&@~ZUSUl7rK{Z5hAJjnW zC}BqX*}4muSGs7;R#+3_HP{R5ihLX_xT!;)JbCilp@(RcxY)JAt`cnKU>sTJm=Ij@S1s|Udand3o-&CTwF9{M;t1LKW)WH z<&pcbqK@z&eWn&FU`WexghUKI!VtygL1{Dgf}gIzlFDbX#yL!0NTJ@SN}^KwnWkg) z2wcLn+qMwDXU~-|Dc#iQBxJx!mHvo3{3LRv#$_x^#hC|rIaY2+Pp?bn#ymOVbJT*u zE8m2;hwBQ%rJI8!APa44gHGlFV=1C@#@@}V_V#OWK0d{UJIqOG&ptXisfg;xHG`Yu zs)B`6^hzXq$HIaY&4XaV*{XGib3Z%4YW?%v%REC>@a6F~+%3+_YhAS60(M0QznBGjwOW=GM!x@=fD*Rm;(N^p7JCW>!v+ zzlYR4gz4G!cfv0NLFxBS)T7AjWXgL>8>>JYqbYkqXhXS<1322#vEot#?^D@JtFk}ht3RN(E$!oLv zD~Y)d>?)a*Zbx^#!Y~;Za3da2Utqo?dTP_!19<8S*ZC3_j@|kZq1X@HBrNdF-3vfX znmpyRR!^TRST26jbv#?VZE7VNvtB*6t;l%MQ~$%lMyC~U^ra$aqLu0{5;MchdNR_M z@JLv5$JLh7rZk|}WOsO~?gFz>McR-l&-w-#sqDR3`n~TYy}9h?VB+~^FIfH*{8`BF5d-HQClmsS@71vqddxxq4zlPrPz@q_;q6mH#!70B!w3PdyT~BB3Y(#X022OXJ`d%FtwDb_3&qRt&A0Kxpicg}ZoR^1ZgY3q5X!Is0GgyKpg-7R zk&=?K7~?yF=sfg}k!su;1_@}Wqc4dLM@+}79UAWQr6Ojj7xF#_wf#Wuz74ml!7BuGF3xL-(0+P^uHYLZ|-G`H^X8D4q9CbVpp9 zs5&PZsTrRN(wxUUL~3_r$(tow5l}}d(AFClt;=-}HWJ1@0V~Ht@Z1Ruz%Nwtx;*DI z=o8}NBnaQ63x)1$A|v9vt2Uh-V_UPa4c`nC{!)~7|HY*Rtu=F&$-5*jzn{X=d@u8Z zKQXc&3&TswU+e_NiZ#-(YYglj^jiK<>k~L9O1c^P=4V{fq 
zkEQjHC&i6j8)6-vuv3^N)kNoARO2Z;L>D&IwprLSdF9nc$;;9^U+d`C9H`b97Swl^ z-Cfv$8E$faL3Gr8iDu7p#xMJw$@#zWAo^`CPgj%2nn;xnyc(G_(rPX(cHfMo_X*@x z&y83TH|syJ=o1(YC)MeCS;QqrbQul_o_Vz1&E4< zyEz6K$A7s+sb{3M^@?=M2hK}Re!2da)^fuayp^Rh$46iQx^XdF-rvP-qTK?yJG0Q| zIXkKJ*hA+1W=i?o!6}P#iWgA^!{cLLk5j@@8=icSf>jr?Pn@2#uQX*9fv+kGf3Wx$ zUBZj!Rc&S(z1iiVu#TxqF_$oPAANr!KgVB!53}@at?Fgr^X=L^5$)gG8BDzCdOQBC zQ7EH#4lvalP5E{L@3EfqHUi^c-gv)w<+JV8L9lwMokVh#QDQoc1)Hv`yq+o@D$tzU zkG$&YB`Yc3-L5SD=7D(Z6`={Q9O;_TxRj*x2~Q(dYqj_yb2QmcWOGvoXQ`TLS$&(5 zbSSrW^Ik0Pc=Z-)E)VOv3inYzyO=cGQ1|&mSm_@Hi?gJan{MrYr&rAV-SqksW^OA) zAt=gvZU65~(OWg%)kCJws*7MWl;KQ($c z#)mF~qrHP7G}IhYZAb5o&GGz;^IT&1K>4n?yT*(|ikHT)WXqen-r+qOi*wdWXr#3b zda&}CPoqxqy@k^G*>a1a^5v35A$@fY>b=p0`1rkw*!}8&pL#fJA6V7?`tSkoKZ_i< zJj#AyGrCOagbX<+SW(BKUcWcuq6u^*2Gw82PW+$RIGCBo`tpCAfX}^!?mj5R{3nQidj?d@$&8GSL{SY7PKF`_fyA&l$@4`O0 z($~1-7aR*#MlkaJ;->Pijr9DwdxbLTe@VH{+MJwcxJDuK`x=8nRZ1xEjTbx(c=whV zD-M?TC)oz~n|892_xafi@=47Qi2LD<%d>k35l>+*ROO6My%Spk3o*jh-}GG3FvaWo ziVRBo*)e;oYrXUk98S}ey-4!;OTrEGKCNO{`7uPQmD&82F?b*Ud+faChLfX^)?;`LeliyB991jX0}Bcs(Wviq53p)mY5{e}1ZLxhMCm|iy} zBNFy~?6ZRN84wR%WW1>TE`gvck!3d0^E99Wq~piFDf*+YC13n%kSP5fC=Vcbr2o#J zj<6Yfs(T@#@|XLvx2H4c8p28fxX>A_1`w3^%twz0Y3;3W`Q-VktQa0ZPcQU-AUH%* zYqO{=S})XO^@))~RDtd-ozdzn>c=!P|Gn|mnD8m)t_lS|kv3C*V@u1`dRdr1l==3{ zRvYsNH#qzc%ybJry=OACX}ql{=SaF_|4&oxzp=C)b6K1>P&;-*tH{9N+{TdwBp7Pt zp8gBj+9}Fw4)x#}SYV?H&p3cV7;zrm^;Fl1;18xpt|)`&bubTnw)%xqnoo#K4?`}4 zta4daOdQ~0a<_TQB^;-p>UK{Q<&^(3{rVByHUHj)`8gao`Ty3V`M{)nM*cEWE3fm3 z6H3Pr%8LwSi0@yf^$>`IHQ5{2)e#b;gy4EM{Mq^hq)#`v~G{qR63SYQ%*^ z8Wr24B9{;n-wij?Y(FEwUJ4uSWKc6f=&E_Nf8;tt-fJGs`#E`W(b}05Arv>-8G;pQ z?zFlci%9i7`$URy;yOGrTp*@IuAGztama&o#1x7mW2w7T4$SILz~b6NaMoTxg{3aN zWu-;f(yiDMQp?k@`ReTXM4Qv=@aGa}y24;{nGbj1AxUFFP%Svm9+qajss3c)t{30X zz<~r5DZ?7H51WJAR^>3_8JDKTU72Q*G=PqVOJx91FQ14Pj&suNhnZQIS0K0F&2yQ$<5$5{E=l= zRKI5b@fbtE>z*(v9^k78$8D+*ykNBM?%K4_ls42>FH+K1*;UxpzIpk-2{Gd>GQ+ z!$Z$EI*&*~M&>lq{tBkKVBxZp)@h5w5+syJ`+E%0ilxp?d762`!orD!`r=*k%1~^6 
z26h;a{b;HKIq-_4{hy)++6pc!78DOy=3kbq)K58pg@nL>ecWXOo0yE6{w zng*p?O|~%Q^Ns?*G!?2B9wBEm5=y|twK3q~839}aW#IdrTGGf0- zn;n7%7o71K^PXb#WLw$U(Mh6NG~FiUg9~JeZxLmYx39*volaCV&L%lc{Y^@$Y4Z4* z{m(>Yf}>yQ9p&P_81xj4CbPN5$ngy2$8ZC$&7R}ro(n22WBLd%1pUvRf#}tXZTB4- z(4&*iER@Tp9N%W>Z)-Kj$YyiB&m1tC-l9=;JrvXsA=PjEJ5sf&5SOjZu~Rd|&3ziY zV73=J?_C>;PRt@UWeHbiZCh2WD0#Eg{q^hT=EsR@cl^#V89hV_#LELiwgVvc@$HP1 z%o$fbN_&7T$`%uBZgpD231cCHkr`{>s9bG9Mi759iIkloqDr;8@%9VxsDzH8;XLh` z?io76#y`>N1jo#<4BCV{Uj3puSDZkh?&209L72V##X~FGis1nrobYbIN<%MFl zrH}<)e{@j0&UP8J3s6@g-{Guydzcl`{0;y;e-d&CqZ!Y}SnrGJfzQ9?v(W_Y)6Bosz?ZMhCG+2Z2Px)5wYmocyUo1>$PK%BKdkIm+TqkN{&r&~)x_mmg)4 zJUrgA(PMii;zcP(KGF8Qlf{!zY(3Z+E~NG`#G(LQVi);%G>92<&5D^W_JSyL#v~iuIhb6cVcF5>P|`PaH26;{OW<*ngfm z|8K|$a1H+LocuooR{Xz*Jp0ex{WA>4D!&VB<8wehsGUK|zr@kmNTVPj-W{5kGQLxt zK~G@t6n&=)D~y`qF_yr8hCrNB>V*- z$HlzJWsQN{jTKU0V09Ndx87@B`4GZX2J0l@_Yj9t=naq=n_)wVLX2s-cj(;GsQE#1 zR~Qd0yI&ffF4%B~niMVoXi4y!f?mTVIP8it92pW>&iBvd_1YhXe3^2efIk|rcTS6L z^r^v(|8lf~-W|b0H;JE^o&WS;m8zo;BjM@jPs4*>Khh+$H4bt`wNCz%e8JekExWa0 z(6(etUI@|&LPLsQh}0%of$jKS@pBMu{8cIdK3mXf$YjjU)`7_=@|(cy7&*wEP6aMYLw*UN{ z{r}hy_5XMGuN&omLi7CR2`DFC*JopDEH#Ap>30H+?A9IheF&p9 zVLgE1o!N$_rKZbIruD=iNx(n-}-kB&0JQNKHhpVa8 zz041kJI!5}$KHfWVpDI2-Q<^$p<~S&qy>E)c6%dw3uD}W4&~{8AKc3a=gz|i(P3cP zfP;*?dzI^2r_!5215W;G08C9S^?Iej|Mh6)y5dc|6i4@DA{R*@PU^3-_pkrq35KQ6 zd^++U_2&PUU_h%#og$kZnbTE#4S>GCeE%HOgtfuHLj(Wa_b;HM0|J^1N^nD84s&s7 z8h6&i;W~3X4Q(n3)m-2T|2rUXQyYw#km^N{jYXAU*9b}BHT~wsKyMsh-42=zs!zLs zA|<%cd7A9N$7|_dq~59+09%ro+^>3IO@96e3MDzNrUpy4UzOIppBY|^XTDFZ+zfcz z#Z;qGiuYb;qjVWml0utkSk6uqoU*m6ROrWSznhy!5rgOn7xPBRD*SRY2dC(sR#L#_$<rFxbM9&0&9n|mqJjG%sMU!hGd4d!&i4=0wA;*JFq1pE8Z5|qZ z&R2EB=YxK6ebuP-|EYMG$6_Ru1O}$VzLJDF>A#|Uw|+bHI^)ehJ?{VK=MAgsEKR&V zY_(UO>&WJgmfEKb3(zgd)l|>k+?}b27395NE(lQui8f202zN6)l=pv3muSya8<6+! 
zNHj1F0F$3Apw+IURR#Mk%2mkOrrwVo z`>O@m3GTCGvNZQy+|jw}RADtQqzHkdznX_MZ+3jzky$ceS*d={ z%;x#W@$D<+dl~$U_~a%{rCE$LG|F|Ys1po|e6}!DySM+*3m)~;iZ{P0LU8y6LEckk z`ED!kuw~j-dSCYJmL$+Xx*d8`N2I9u>{eyaWDA42+x^(RAQ{DTz zP`zS56i>v!}z|zoh(bb0%wiYf;<_^>3#4ohy{#<^sM`M<4o2?hl)6rRf z&cIti$m>U>eRY#L|CuM2MIwJLxNd5wahxmD;ZTQ!7&a8a*0b?qz?_>Vn(5aX3f6U` zyhei*-dbz#0FNURNj#Q*F%0v9!rf$3DT<(+&+aCL3nFf49*B*;BvPgi*L~o7w^I+gw^xbAIERiP&OcGY z&-WQ(WaQBoz%pM~x759T?0QP<0stXnWbu~Nt)M?9lwLO0-8d7)Pov365#?sbYechV zX3XGk%CYm+wu_#h!k}=c9`9JyZI?XA zo(d~AfFfLXPG*{%$MV}FjEr9d+GiY9$>XKK%(sw4Q={lH^OcD}Vy7~1cHs8pGPE*f z0}H1BCoK0b{T>DhU|41%hw2J1Ba`Lo94&t|SA46R0yA)rFDCEbL>QKVugYzduauj>~U6KkhYzQ-32 zsy@WBhYK?cGgL)cQRQ5k??4zjwYn&O0YwiRI=ts{We};@;iRXDcgde!qd88)ODH$i zjwH>17Va?k;1pNC14a<>Io!NMwOqI0E)&+b>iOFJS*mD`C>bPKzzBuSdH-byv6}COo6CA#Dym%*UVN=vVzV|@jOQ3 zUnl*)etux$v?E`Ti;3pUYgrQqaNq@K;vdZNG}9021bBG>VT=0QP5EXdoTtx-ASpU1 zbJ(8w+Z#32Z^F-r#K)n@IX9(;@rkoFPiBdWf?_@?f?fVDx;90{KpGAs@)&6^m|dkW z*L)NXb~{Y}W;vSINY^Pu%MS!X2oGiSD4vF^po(zWU6pIobqkm#%Ac@fvA=B{ly1_$ z4xiZe{uHk>>XG`n>$}zcs;0#cdcqbao8hWgZ`5vXu_hfqo6W!$6cKuTRJQ4})ijlA zV%=^1#NeL5T{`^cR$p6Hyi=*La4ENFq3A1qzm-v=nAQ)w#u|LYBM7p1Q$z^bOWe1i zPdsn-7AeoHUY(E0J~xqbj?4%1o1-TPRy$Yu^*d;9-Me3Tje%Kt66ktlt9A@1f;ixT zfjP2t|G7Uw8}piNx)Ul>_1N4GOTjBFizdD5s-5S;PCZRTEvPpUrdQ7cG!#6p;J+4CMT-$G1rL&|?-@$m z>?5u;1pBJ#{ptY`A~haI&reyx!7^b0*Fi!uy>U1b%kiFMP!(OPh3gP)At)}-Z2!h; zPd*^iTq#BFMu3-f;&NMgC#0F&ge8!`Ovf0R)n@X1qNE%1k68zg2p;`>nQu*xTcX zRBjctx4O}2dn@oUrRL;zFjjPIs9j($~ zb`+Fc3|BWI0MdXo{?vrS zEbK#QogspAkraen;cI#Y=ux?9q#Tzco5xGdF6AkpW-zoEPk-9S3Y=uwdS|$TdU#+-1z0rox#BmAIiEv z`3br0_Sc0VC+C9Hq=inCqz{O3%Xq4ah}(7E3(C_Q1$vl!r)RM-fX9QQR%So-nqpbr7_2HS#?x;aCJRsEdZ|+o2(nUYyI)sMqr`Yik7< zWm8Fy7%D_$pM?Q%a$;}LgOW?*zPDZ!C0Dj6N*1(>*dNPbK2eIF)77V zqmU=)!HpNTxj3pZD1DQZ?P%CM?IDC|T0Cw}<6E}Q_QhUcVfSiNu}0yRsN!9MSKbvc zz{AzK7|IoCaSU^0OS%+#e^#qb9xv7^j|{nSVo*&|a^8#N^V5&!gb}S&=3v3bN3SyH zCTHwDoupoKjY0NK7R<%)?>j#*dgnvOXPw@dR9v!hvXB4Z_XUOTlAymn#Jl}{z>iB! 
zD`p`~%!<;#2wY_XThj2s<#65hwP zne4p8r^NP+neuc?&y?qB)rZTZ;rjVst@kCgk;JxoUJU1mZC!Uya;LtTR#DNhV8;@f zBhM@ucKT+ZSi|bJzEJcF?Si$gQEkK2(*;qjQju)okF!n|Iu;bQ8+F?5jO*u zD_c4Jp)`c3e6z2wulMtOs2VPYbVk~HdoQ*`=TTXQU_Yv$_kWxg&(;R-ZiZ!Mz_N(a zVN#6D&gjt4I8aEY9EBvW$)s?66!cI+9l4pE+nf@%9K@O474wFoihi=gyrkEzy_Spih~z>vcPmSH=Ukwzhr~&5OsW zJ2c+C#(n_Lea}qf_?3@$ugEhewSAjrqGL9C@jK4Vof@yqjhboP*w|1+?*rv6U2)jD zqNJN#TDI9eX-XhPNe^`PM-qB5X$6GKWBiC!cFkX7a8?;uq6z7eX7o=mrvt-xudI5O zYxW4Wv}Z;9>QD+^Igd+gK9s>)=C`UN11()8y}WJx8&S(i4_Q?R=p{mbMxMi zZn@N^DzXK_3{}vamoFQ>a%DpXb{?MQ)Lq#af>E0x3I~|5cw8GzgxHCvqywzVE=Vp( z1^3I5{^{O$d$WQ%*C%zk`PPC8>Ag8h)}RBAblc>Of( zuPfi!;h%08e0YE3?c}oZ3)Tf+mA8){N%*#4@E>AZPh_iAN+ubJh+W%vMKja&;XGT% zS7*X!szlO)`yL>>%aqV9&cH_!39_rY&L$l`=~x9j`31VXPvwP4D_^{D{_^(d&9eZO|M+S+Tp<&ijjZWJH|xxsmaWHSe;`nCUIr6e&N8AN>aOu_w z)gSMz+2fG~rwY1@eD*Ho_U5E&XjY-l1%5g==pFe{qZqfjOFuKEte<1Vmr!P%MJ&Mo z%-r0P?xVn#0<(d2#SS*}x2$)m6M`{V`M&rt0TX|%aNHx2v^-}3L7&u9l!?LX7RKYs zBHm}}OSaS-(iW8a#>ByeVFy}YNJvOpT3X|E;gx6c$Q2k<_htua$ZKfd$WRQ)Hm@vV zGw+69j3O>@Od#urt8*rk#4`pLVleBNq0Q0lnrQfyziyk{=~HiSxkrK&BeIwd1w6v0 zhz(_)tJ(Co=15pyS1w;gmDe0GWu3LHdX}X+NRr{=Qez0g%f04)Q?L{#4M}1{WxH() z>0Smz0&Jn4+E8jXnUQ%fDSMOOR3m{@cKMUYkH&H59-#y_6c{gDdOE5rD+k8JB`T{T zarDDKZW|j%BO{)+VJ)d6KS}};r(@|7wcOfVi%9~hj^!eqef7x4Ug!x|LUOOX413p1 z_}W!jsLBh0ZLD0Jx_*~uH6G?iHT>zLC$JpnEzqiuy5gQ9pY%nhN3cuPjVV=t^x-LK zPLCft4JN4;PIt0BQ^)=`3LDPLt<^Skaxyy&e8}z&I}EzdoOiY$9!D1zfGkmVjl(sh zk9;wuyQVnTqaASZ)JqyYcV~zE&US;oTVC)OU{2h6*3K>o6#?X*1Dy9VG(DG zW~FX17E84wAxiu`iAyc-;C_ej%(P-oGLq%MD$9h{w?f6_l^ps&wEqd@QN8cA1PRV7vAv@~jv z#yR}syX4M|gXwyT)$QT0Z!Z?S-`m}sN%;&c*eZwJ7ada`s|EZEeB0&EPG}n%E&_|D zW8|9!fL&b}^6XaY#Lq4E8zG55K)-Oa@w_jY-u zrgW8rHYrKJ@^W4kBnwNnH6PO6!XeT-sI9G_u&{8+XUPL7cv8OMJK5NCzzcXo>}5V& z=L13`FE1;1_rdYy!u<*R`PxN(6O_znJ>-PtbX1}#1yt(}yh_W41$D-2L0v$FN z&u90ne@hUr_LvGC8h4v(<6i(VI62J)mC^1?#J-|!PS&vJ^`NKAnY%m}xk}gZs)Jj~ ziL^56lEVE;(u6JxcM-zKS5c{NSkzMkBeHsfik*l!|7p?yGpn3YptFbHFuQyAD*&q5 zP%!#YQ4I~DTJi`EhA7~mI$9qpr!S!d{tb# 
zxVr1%;gK*m48jORw(n@>0z?uDiODaW7I?SORCE+%F1rU3-a-8dEoXjS^LYLD2)6~g1mOooxey~syT-7~(=gUhebff6cqiJ>nNax`Km zP#ZS%kf6;xfl01T;0zf$z7GKiyJH7p(HK?ZEr8W!3hskD?1Ueh>Zqe0-2vB!>FHxxU~LOYcd z7_4{R^!N9(g=lHUtXBSLO7Y|p5ZKx%8p}f3-SJK?36}cGv$zk>|2OO~>pzC-_IdXj zS;3Bp^h1%q&iSUUSw#d&5Ji$2k|B$%mwq>4CETC2kgj&>hRj?c?BQ;2O{ zpi}B(jR>lkA?ZjeG3BbH0rm3ZpN>=v?Ge7XV9!&H zYW(Qf-wa4Lt0=F~Y z{)kZHZ;5$VF0v_`D`3s-98a$#6C_5%tG2JaEEP@Hv(c!rYHKP(oMnTIA!hr_1ko=s% zOo{-oVVbLMuI;ri44vlG-`du*(Xi;<_S@Di*m>VXPjURjKCq=ZK(zvP*(i> zlYwMq{_1bZj~`zw`~)F{pB>9aOVFtEt`uXANkf4M!G){ z8J2U#p_z1hJbotrZkoj8*iNInL;u43hvRYvQ@k-pu4)9TTTa>QV0QVvwz#h-enpTi9+ zYDqmV1*RpQ9E{996m*C;87B(#QdG$V=QrpNCYrdpxj_XPao@`-gzMqkgEzh;LNWO6 zP>fiv_q{Gw@@K~y4r#bV;aV@Xs(%(t;>3tUs74?4kxw2=HPUsIvjpU(oj@X>iKLd{ ztA=bePeMYvI%}`Rq-1o24uLI|W$a*olcxG(JcalUPW9QmpcnfzDK3TSKUtxZZlFUpnnq#>U9@}YSu%~I~t zc*_{HrIk~!DVGYXiuR17rH_wzwCA~w9s_mR?l6grcKVuS;8XJ@*j0;0p?HwlnfUBi zyVYYeYeGR+XySVAUk8endqhdGGOMMPAL}{Fz~7>Cc)aQ9>9ZAYsHD?GRMj|awogxg za;e+Zg5m7sjqqH}j4moNtM>sX@spHN6y%~2xH2x-C$T+oJ4;hf*ps_uTY{dKDNqL) zw|l6R?b_Ri^rEVn&3nvIuHsJzSy$G~YEFAa7*yIfOxkb1sNQud}P4TK(oA zNE4}jIR+Lh4CFicdp}OscJ}t(TskQmQIvjFkas=0-!LO=0-U{IXIWog2fot&KG9Ct z)A4aiaHI0Hr#YpD8SdEb4Nr+l%T1r!+kfrQA-=S_4I!}4v!`~}Y1j6mwG4CA&929b z>DR3X_?(%ZEz#y!dtO`Xor{3)Dl<#=(@Vz@oit1r`(>Iv4wZIsp)!~jD~19$8FJPy zN;_4SxSqx|1JJtKIJv)Wd#8DNdVQ{c&$~{fPAfYj&Yan(Ryh@$$(r%zloJ4~nVDG( zcUvqD`}#sL1iu_8viy0!rna{B;lnqcoJtv?U%uR##Tq{9E)T~Q9Y4{+ZJ)DB+aWr& zy30o4J2C<}Dbq6xUfYwgIa6F6YG=Gx^~TaC!KMeKW%_exGP_P3x$?7;74%$3vamwF zSv%0@zVPy{jCsN9;1#}5oc+vF19_BpPwJTc>O&+k~eRoQs`-E>Cc{hZ&C`B z?+8ymqFfXk_e>>(gf@muO*27ENO}}9q6&|-?88MBkNx;o!OE>*(gU1GX{D|?NA*}m zMMb{8(}>Tu#(_H2aU|e(wi84}F5OhkbIV0VtZ&uB^fZq;D@V|6_h2Fy^i6% z99^O=sR$b>L=u-V&8Kovb04Zcv7;!@9aP({)Y#fH-4ZetW+cB2Tw%?jxiMESd-GZF z;*1!KP+3zctXN{D(999CnC3TWC`|J=Ru4752b@najRj}%^amzJ) zZT9;;s1s^C6yF4rkt=Xl;&USmyT+HrJobb{BO)TDhNEzMhYw$QwRN{#6HgPt6=Ni*VxTw0de;5lL5l}$T zp&S^xlrBLBfng*hq+1$9x_H z*FSJ(&(5{?UTa;~^^JBVguI)lSWweZ@NoSD$IYLEY-&}$!9X;s&x-uA4-IK(GYiaI 
zRt_dL0VlC-`(9YHH#Tx`@Z*P7jcrdO=oF7U&U(WX3skCX3}UL}GM!13Ty_W5mRWWJ ztt*a4O_SEv*E7&NhaSU)Q+Mv%@i;rAV1~KYQC)MWJ?nf$L`1|-vW1To2=2Lxk4yYP z*^+oI$`mCE%4A#MY8fu+g;?$7&Va>8~8PeWp2xW{t|E`~WUB7kR6FLyZ0zHJ1&4vd6@EU;zH6?C9_ z4$PbZ%$`9t;2MKuR2b=&&zHPF+0$vX?B@KGzw(Bka!_So-8d{;EPZv4MsPP(|VuW!qNr@ zwTp@i3fdgD&8y5Rjm&c^Kn{VhY`@NcL!~yD!~zfP9hbm{loSJ2iYtoKu8H5L3%$1; zp*dO|$uvf@#E)zaS}cjk0J1%|a$phLqp78Ogfb8zVc`Yh z%MQY)0(ED>K;J=ebZC6|SObCDVlX${6l8!ufA8@E=XJsY!@WeDx;3SxrDPvodLPXA z%V$~|8Wwj%XRiR38;Uh5eUYD}`0Qs87vFxlU_zJWaN_dv8V7lhb#z>@t;@m1w<*jr zWc8fU)s;_cV=;h50{}NbHP7KW4+|0A>jCFM%$7zHF=mF1_DPmsBxyJuQlpB1VXmcx znE^g=awJeEKR7WkprWUzS7n<5Ub}?|pz;WQk~B`#{+OX8(I`<^yEiu9t_B=s${WYS zkOvE$#8gDha|1>oFGN%D&^{O?=O#Q4OvJo_@N%5=ubvmcR{;g8r|G32I1k(e&n&h& z%ih27FnCxmQ#Ad87>CE+=xS7Pe8ueS3;f2Jh@Zf?jn{E#BvH&wnU06)e$qhfPGYD^ zf$A}H_)({m9g7<4&}HLgnw`q0znnw}@fH>qmv|fv41B~;hup8q)up7Q^*olbxY5@0 z(OKyEksgS;js}c0Ol)k-EbZ+*JvpM}DTDohe!rTY+j7$*wPB$B5BRPGZ!Z$6L5KZW zdKNhe)lk@<#9qHozq``TuPt{*PxeyT_1O7OB+8h6_&^StJY+*5xM9{`aY8qV02VjDI`Ne5&hwV+6ULf zGy@qPP(z4Fa;cs4K3(*t0XAG&=}d%#t)}mjZ^&l$G zt}DLl*sOH4LuEXb+R@p5z4U26TVFe0+N-M!a1Izw53Q4flk;Q8LV|xUp;Wlo*+JTZ z?*+U8Gsd|$Up!RCnPBZ@M@%52OAdtTh28k0Ux6u&$0pDpe-131aLOw7 z)f16gC`3V?(Hwf9cBijB60-%NW`Qj(7FYggM0W^CjfU98o=@)Ai9CELR|s^PwmF6DC$76`DG8i3JPo1(I!pnk1t)!+x5;{u9*LZ34)MGMp>=q3= z-8X(zPPkmdd(A2WakZ~U=MB9T*-Sv^u|3^SCZhv27#ZH{1**BLl$3Uat*x1#X~3v6 z)3iV7>1<>3yZiiCH#r4)jV{;x(DXDW9_Y#d;r~{Gon#6FgN$k;AQ}sQ(#>^{xZqT7DU(G8-UD7%BV8S`YOGPf4yCE7i9{`x!B;|}yZ-mr&NzYWm~?b} zLaaF){?z9#kv~N=Ii;y+SfcltE2<@+71H(qnv==1JUGagbKl+$feNOc2V*^ukyo>d z!tiUADVeWt4T)13_aF71Pt<$AnyUPahj(njIHv?E;qG747_aSSGB*x}a$EAR71aH^E>a1tf5CQ5q4WEy9r5Z8wb^?famnhGjCuR!vX`YUQ!St9-cT^MvynizS(I~+zDoYmf}aflt~_Rv_<`NF!M+b z89D~|uFT;N?U9;jRR01?3c$4d(hn`a;PApeVsN=ux3Evu=eikdgLHFQ!W*Eh@OvJW z{B(TKL_kfgZs%<`Td-g8x0ASw+fp*-B$wK6ti;-Wc)+uDn^It_X`g=iN5LifL`SW& zrltY{{ zz`E;+)Z*?@Wcl?-1i&QGugHIDiw;ydSH763ER$GxP*tikVCQLk$fkGlrq3)3*|8tE zH4L(47pQqsEaC7*tNEaM;>?n2r(+%4*m}<*%K>Ypu}ts^Dk8?#_GYX0+OGLo})c4YYQqS_cM=)*fi@5DWGWD%`H4kpfR 
zA1i08WPfwKQl=B?{?dH2jLTcboEK=%D;k~IsUcQq8Pl=7>1YqG@X6X%lQ#3SLN3Q( z@mh3x&hgplv1;z_&!(WZR3>{gP;hNueqv{(t%Z=HpLyNAxaSfH=n(-===dJ*9P{CD zQdD=99j{x|eG3S``THvOvP#jnD^+C-b8TNwfPFzAxO7y90;;2)lUWV{8J$8REz>G> zm}@EJjhz_a#-JX%A#lJe&ekVr_OnM)r+Q!fZJ@F6& z@LL1=8(&;WLM7XyKI+XbG>k4U6U@%8kQBoMQpIn!81=nH6tUe=S$}3~>$I?2=q+c? zI{;rWWmpiYCJi?@+Ub~UM879{T0bt2b!M2m61Q1jOA_zq29bF#FbE2OxauG7@V(Ns zPL{GQ06O_jvP}02#sXQ`+%M=tluX(*Yg?y82w3ie`qtJaW-d=Mf07Lthmfw6J(^YW zsrp= zwwkMsDO_TJdnRjFJIR@g$0~>&3ib$O@eX9G=58Wg43!4U!>9q)an|mb7g+yv1wWzd z+WhGJpu4+kkC<3lF};*nb*8<{0-IYclGL8T6RZC!$=5xl#kp#?yN#psZ#qXR|7AB)wU0{gj z*XP9z2FyKt_b5MM0DkNl8jyU6L;m_t6zpCioBn}hh>#xfDgG=t)i0pWOXGz$C{tqD z*1kWY%si(o(+Sks9-ih8)7}N~(^<%iv-vb!fiOL-S9bGcT&vY+zQnTiK=$Z-yKI`L zV4-e3^M#wHSlpNGZt=p>qz*7uo6s2(8(>aq)QZz2<-Qv_YBf~A`O=#PZxMgcanyq| z%eJMw^z)rxs}G>Wg`g}3k_z8`Zq}V$m?v^1H#G(7S=_|1N%(DP6Pcl&sML&#I-ec(f5ktdHwwDqbT zG{y^3jkwME;;Q((UIT<78NsNm1!|V)q9A>wa;j5u)wjIi*zt>`6irj;h*#Ditm${F zg3BBU065I6n$1QB;fLI*YoFEeUNcEUDq;64E;BL))=$WvIPes?e;n$UgdEmxc`kbQ=Sx57snE;V{f z(Ss@eq*uygpEo}uSGOT8TiRwgRUe)fBGt2?9>0c{_l5qb(wqTfRY300~`P?!{wkYZk znsC`Hg6-{QKA^Vn=pm}*-IpH)JX)zckJ-1?*m@`WOA`T$SnqsAEfNC~gWaOr?~BRs zrc04GNU_l3FpR)#Y`u2CF91IR4t{3~YZWXokT3BDrcK5yKrOPqD8OLUZ_Voa)T2)IrwP}IhiSyaQ)Ct&n_LbMFmWBK&0oXc=+cKnBGC(G& zR&j6YfYRGHr=@;x_*@udhU94(j7t2{(H(+RPQZRnx%&P23uf4PzW4DI5cl2y5EwyE z5eN$(z`r^{Wq}P(w%bXX_z`^$9491s zZny<cJyZ zd$ByAne7KiyG_5q0z5Fp@#A>K^o=phue{!;pSxfT&6kj&CHw6V~DZwf%HlGR2I))!o7@G8m9sLxB9_B(jA7 zMQ9#w*`oi&2e+&u0z)tSy;ubHP`(z2z{6w04%QWHoHSAHV0jb2D0puYd9nmE+3Yt^ zf&bIEi#j4hDktwm^ki;y<*_H|n%a*&obb{EOoiNpNcL+8;e^zUPLpgE6jscVziGAz z$ldXdH58pBw%VRnrzH*bC|H{21M$+yR4(l1W$TFqp$}d(5)dI*8-$y$9is1%q=s9J z6e8nF%A}PYl{7@7kgYT037r=JOMTw@{rPO7dkipj%n46RowPTCX5Er##=7MZA)+5J z!U<6%#p8=ubg3D#MV7IaG(fa_L$1Y$Tahz5>U+PFcD?DGf#p&r-%dZE1Sy2}07(OM zNM$b)*<64&0<(!if0DjD_J^|cFdhIn9!*EfGDf(QaLcquNx36v%Kf}FCB*ZohmTj) z?V^DG&^g*DpGeDIBz-go1}hou2Bkd7w#Eb#(&tgUN2<`ZX?3sexx7>A)IS&f7v(77 z*uJ^1`^EbkJVUa`TG2Gedi1Zp7|f_e*_f3oYg8?c*xhZ1pi!ft8LmIpIChs3&reAj 
z3R(5E)!yirI0iG7!3W*TvAv$8#qGmcFpjpq#&@YBNTjj!4F)5+Fc)?hPpm_>iV{>| z-1amv%pbQkX!7P=v4;q8;1f`1&6sZKj3~})0#8EX>!u7C%)athSAhj9NU}Ji+8CjJ z6hV^M-bBp*YRY^p`Y_QX;TJ~+!Ea`CT`gsK9d;IG5TU0B~S4A!4kL74f0a|gl zs#r)QL4N9Jr~hZ#?9F;{eeUdsRu$&91~8HUWy z`N8bZk1Xk75+cXv#iQ&v)jLc6xEkH0(Y(Fn(u}Bitc_qEFA%Yynb*M>>-Mz|2bzar z_?Z}t3Nza?7rtKGb@K$}S|-?bf~?OztVQyG57C{1=?#4?!)#U z(xy!&XQF>Wmv$X;6dMNne-6lyo@A_h z|2~BlQ+gxKvjos5Nu~8B1gHZb&5I(FlGb@UOSzVOP|MHn$4x`y^yv3ry_b4jZ-h?mey0?7sMg+@1>zoIVYhr6Vo;1N zQEX~!M909j+8%`Zz5W8r6yyE~WSu9E5<9q(xL6Z{CGXlK<;ozBjIOXlTRmr>qGpHuR zy89lF$4lr^@&WeBp%NF@K>Q`>(zbDM!z-xwm9ep50TAp2i5_b)`|gHZX1J){rsI`J zkpT@ojk7k2`ea@x5V&pcm^dZjW__0w7}}itHY`!#x_5WlHgMEVIyq=|st)#wccFU# zB(3?im|^A~2*|R7P;~T%!l}=;pcHCZw(@0KA5M}I8TYa3U|V2n=jt3f@=3P#!tw*! z$(rop)lQS`lHo$|Pq|IE-fI@PWG%0+bCO*LzEFu~Me23Go4CvqzT04kt-X3gcvHcZ z330~Bg@(LmdFl9dJVoERf&cTM>@hEyaSP>TLD>EHh24b>8P}n*RO!ZO`6^iS?NH_>(5BSBIB;q!59?;#_Gn zjaYmD6pIXW-4|kkgF)~UU6+}rQ1PQrxgzSUw^>BjoT_`xPWqzjx5!AtRrwN-A;FeU zTg>28zYmuxQg8^RD5-x5KI5L1Bt&!Brou0u_{a)BXSemSehH~8zJFdeT$hRqet^S$ z1rZV$X3%PxnWUTE_&T+}KDbm+mi*B9PAK##5V+~x}L%`$HC5% z^eY;(DTNR#&kZKo3e-LD*G=$N07&TQ`g9aVsv$D4*3*;ha*KQWoWpV*F!b@&dWyIHGr`LZ1in~R(g5+h*#@%FXH+Ef?wh`u+9PY3t z9iXBvJ~q$g5fI?v6-`}e@#SuY>}n?GiU5bp;>z_&8W1=wm}b=P1{bmg<6r-R1vC`% zB(y9qNqAt#L#D~j#aDeU zt^qh@E?wZ%TDr7*WcK;=*x8$DqY{A1qJbm3{V_kijFbNh4@0`>b^sWu+X8^1x?_4)Gi`BLS5Qd{8LkO( z^>Qlrc8SU1!g_wXu2=A!O=n`_P@6xY^|Jdh=ow<&e@_zwY#Z| zL|ZxHFuRo>VRcG-?4aXL0{mCKv{<6e=bko<3{wAE2RH(dgjF#E-gq6|-O4{-<`uTO zR}|_dB*mqnTx@KX7LGT@shv>B6wU#Q!R#Q4jfvW)<}yVxw@m`rURqlLnONGI?eVE+ zgh1;yOBRdH8(b}{KkJ+Y9FkWPTl;3mazhqnW-gX?TjAi@yBj2=LzMKPa{zBqhBb`Y zPCHp^d^-AjB2Z{{yA4n@vJegIWgxc*xThnT4`7+JCo`*|a5(m-Mbu&PXK%zL$*43Z z*$A@bLHSwIvBLzopju~dwV#4d>0zfn1(TDBNI_Z2-H{O&J#SjcpG!;X%%zgI7s@QV zWxGX_KYl7KJdX$!D;=>C{*XVsN+v=Y5dlyXJujo%C2yNxH8p^|`N?Aa@4Z5ANk^93 zv8nLNczMjdCz|ssq9AL?2)?T83 zX17m+PvvMO0R`uiG!-=|V0e90d+fZN2~=dOJy(?@TJ!o>nQ2+>G=FbiG%;Onc5nx( z7nk1LE66YK*bLGGpe^smp_%$*l9e^-hPztc2g4z3KuNrIb-iydMJg9MIX3VS)9M1) 
zgiem;$J=-S^;*!rVE;H+q8yl5=<9{{x*Q~qCZO5L35r~53cVkJPP=Jzbh!TPIiTuD zMY&cm(-I$!$j3U+!=hI4#f%JN9+#gfcpk&&`~_Z_aGRq5X*hHkxMh`6U+;}M`ua93 zWd_z(3kup6N>;k{n?Dl9llJy@mG8Qquj}B{V^;y0N?5q+)2C+(t}7`Og`vj43Z-4| ztS{R8Y$#4eqEF&-ihPU!M4rE#G`M>&f#rF$tHLATm2&0dCJr$=a1x@uC;nc zTWY{95)^n%c|Yb1wvCN_l+T=Xv34~Nm?RD&Aka+;{m}E`2EH$IATOr+?1w!Cmkxhi zC-9sHmw4;(OgWS65U?VlwH#C3>3TBBW|ZnoM1 zb?%~Dk^~$kK}BI0Z~~h@>_NdB%-=VE1c&u1YBDp;?XId7K5V?tP6#6OzhD#M9zO4T zd{56_dpx<)1;2pDB-_oc#%_lo%0{+8d=F@azMX%q_eLlkdCm~%r9Vn@>oyF-%{UXb zJ}Kq1b9O|d>=>5qs?7pM4KwIU!Z7AJutM!x6htOlkY7xmK=0I7+-2ct*EG@dgYi6? zmn35OD3}u1Apl%eFnXt7Ckur6>C1N)!rvbH1>NQ6QN0a0q!s?={d0IDAwyEsdLO)l zuAnUUHHfQEuu3W0%F60lBo1A6C;T$b@<8eBv}2c&H<>@Sb2!n} z$-@v44$py6LR=FDm%ol1)at&v4^0AZ%fYvUo}PQb#iu@axctQhh6zc6?W&+k8+C-H zy7`ZLXU9aFNmq8Ppi)iOR+##av7;TfnVW~0<{4pSQIR$8$1FzPSUK{bsCB^pQ;y~o zcb*kWYvpy^q#N{i*kCKHLm3>L5ODQ;U63>}n`vr~PI6rsO-xK=i^NP!lwRh8sw3SG2BMEUHdT_w-V<==0jh>Tm1G~E26M}Ba;O_ygGOVP_x~z{20XC6tFt*4HO&1N?-(?e6 ztv2Wj42Dkxqn`k}d8Yozw-ZN4i0fmnvjClgS5^B8NdLx7@MJIVxSJR+QjOBC#>h(L4oX2ZS{9p`7NCVIrPnmE2 zVV`AeT2xlbE`0rs>2rC9&m>WnI9?z;nhJEM3lxCW)_;9=G`H{2EuiHWL z-d~;=9^KnH@+dWILf|y{S9gz2&mO5I7gm5M;k+qYccI-F45UdJG=C;{Z0 z=4>phr5@+2=BwtE`k}NE48;@%A;F(!uG)0`)e-YbozkxUow5$~bBu~&1l)n58F(oRJ}>C>~HiU=Y?V(G78 zvi!3S!dLO}mpC((<&j5MgsJ3nn3kQ?k}dUZdf-g(iDmZNPgSz}Owk+5j7GIx_VGh( zlw^NMV&WNnK$%8m=3RLD?uj~>8NO1q%_=39!Ulb7IgNI$)66xeHa1mi?G0<@Dr90x zmzO~X?)Qm7T5qgk3zZSVqo(=7jXn?-r9tV&ZU97VMUFE2r^jP1@hW+N*BpXKkm?4A zHe1Gs*40fSBEqH@y#RaHDs=xoNQf~77cM`L&-7i9(VP@z`P^z0x!t>*t|xtdy-n54*Y~#!9yAw2hxaF3G_Fe`~;V|M2_BkVTQw z2{d$h>7Ro{NS~J3Se64yqJM`dOP( zt?hQTvKE4obTgpHle1hF8293s>+iuR5189N{*c3({O1UzcL8r=+83BFUGiDzf}&a; zdw&7Im0E;Cn#~AA0N@tHn2aG%IRN7FQo;vx7slon^l+B9et!7D_(HH{(iA1me$s5B zH2JKX&vlPm0d$N%Q_DO{0#K94momZ0{vmMf#>h7i^f(C?sPxwb3B@8mLz&`~0gdRo z9NFbI(!;!|d2Y#fpw8Fo;$c|d-a8KXTfB3Vca7~yBp@;s=4D5YeQNoAQ%=QPRPmTp zW?>c>!-Ke1C4MJIM|V-0N#lX?(?^gE_9j@JP*@Nsuya@_$`~6^(naDv~7Ai zx#nuz_YoqdL5H(keQ#kcGpz?`}nN|HOpc6eUDx 
zY12h~zb)6zcXFWRYUK&fN9HAF(UMpP*}9Oxc#NIc*nI7Xig}f`wSOZgQ@WZw()Y1K zXy!_;W`5O#9pWg23q~LIZuc7Ss!~qKD;-Sn5y~$aB7XMTe%1hC;ZBgQB;((YUC8m} z{hT{I|M2S{N)`tU4C+$fCq8rjl1FR>qsgEEHH&N!H;1QhCWDlW=7Xv*c`OU1Z$onP z8d1x!27dO5`~0BVe2G6aIMQy5xjGhe=~AT?Kj16E!Cil>DAQ<}1Dg-*wN4`@VwLvy z^IMLd-E?EtvD}3=F+Ti4dyPsB(RW>)*DDJsA8iS(K{No@ap%Dw_U@qLJnHTD06=?% znhVDh)t>!kQ`N2FyIR|$2s=u~8sK>Ng@!xqL>7!d%Lpe74p^z=6dodfG_R+@7?44JE4upl4 zQ~vJL20>9-NOqd3Mjm+z=QFHDk>({837USNw?*n5R#C&+=DGJ|NQ|q8Ry(Gz-GF(#&OeZBI`{6!2bK0z@3lfr}<4QjCna{8n~L z@j$&m0&2^nX&Ae9$>kq-j1h&$M&&tnh>TTPm7C(X9j#SqB5EuQxMI|2WdLnJ!8{UR z6@IL5t9aOK`%b1b6N^~~FMhV-e<)ns?e~fNKk{nn<~Uc$jt<`<$a9L{^Fa)5e%%{D zT^UOmF+ylrKm4pDuPo~r^Nr-uvE*9GN?V~&+jL@yI>1p&B8?1fa zPB@He{FT~cf?lNH^mZj*B0b*p4@`Fr!#ho41;F6C8~2Qd*ysP6^4e4Oh{3c_Vllvowu8|ju4ITC%v@SjJTH(DI>RUusUaz2#RbU4cBMz?kNLM z{9BoU7{H3nf4^g#yK^Xo_!uez0~3>k@rvxgI)}q8W!aWcv7=8~FA$(s^MqaaLCVY3 z2ZI>h(B@2Ae0G4R32i<^@!jkxceVKku;Nbfe@hviKEr8{fFm(NA?6kX7(KxvbPeF8 z-MbcvQLtV8@$cyz(FfTU<1HcTyuWNKJ)!=0@D`=$ZY{cWR>v%wnjZW66Z$oV!g7Dl zYnJs5P9$_2_s7b9s!#y2b>&s!v)^%3&!ERMS$Y~L;D7Og%pee z10U1e$<9uN?km2w4D<~F5^l{GN^cyrjG6!(FFOpA&-K#tawG<1Wo)RN=T`f zN8^g;dqNH!>2D8HuOl9vNX6@0C6sUfOf`<<#L-V0p}?SNR5%$w~klGu{Gu)qdjp9mfv7+TVJK4hVT! 
z?aCuwCZN-kWt4{I1yVPJ)$tfLAj7dyPGzr$@L>cE#*= zfX5?rXQR?FT7ew~+`|fWtM|zM?B)qX$i$>>$w=1>KF0tK;+lRQtL5C}aT0M8Ne`1Q ze27zW=6?hcvM{Ne*4HiNA%AGE$aV6nrq6qNNT)1b1rhT88A9xsEYth~-WQFY6rQqo ziN>OC3%5nK6{<(hbDny)=7|I-{9ycG{7{#xfS3qx4bcr^Ga>MM)d+}l>#cfwZ9p=D zl!R2{LbA>?s;b?Nc77q)xugJy%BOic(H_0uPbe-3!3xzK_DJQBp%i~s1Q4++l-o%H zBwH&1OzBraxqa=;&mOF4V#R~=&taHhcHw3j#&p2@mNmNadap;eWihYA8>-I?OA=Z} zJ5=LrH^#1v3zkeevTY|F%%eSqa1u?=z-~cQ;X09%wg5>1@MmV&pEV_TU`a*X=hKlS zN`MrNm#myHA}x1(-@LM%9`BL#V*oXv`Ua|-c!GEga5|s^rH2z6@ddOJJR)#60m}e) zE%)#N%HYcdT=C4t0%&;uQ?%+oKTOLcbjNBkmdI3Isg98~nJ33{xDTJJ>i|2|zmo=m zR1$+7-Hf=a`03Awk}Kdt$!O{iAg|_!{z0)ffQR?sMPw~)$*nlk3wV%9@wC<~+>a*Z zbg+E`UV!F!{b0r{>2&%YGv4dW^>|&tJiGGvnRTPYn`dg)7alQ1z~OVcyKZuoSMU5lQnRd)-#*Y{xi4DWDD3>=Xy zp6`J9!|NO1WI@4E3$LfuVI;biIEC{*JFXx*Z7!I^Q#*hbG%1a zOGLC&fCSK^OE?aj8qN=bN*+E37_a?zfw{$(&oz@hLm&EH6h44{7>a;a(o-8ATgmBr?I%ST0Ng3=i+K-&OcB@v*j>*Y z!DUr&K^Aa02+j3ReAegZjjSC#EKz$=yxvMg*9`Cn4Q z`iDGcp8GG7EFqKnNcc~F6fyz=kpXPRAGPj4DSp^uo_hm_G8NugocS~!hUqB^eEa6x zebwCZ>C}O(!%L_%tlRTCvBW`>S=Tz%+)?T=3#4!F&Cq5mlagDI(MJ&1{mI((NwNIs zCxyeSqRodMV>s;ENS?}9EnFPWLLQU~AGP|319z!Vu>ysNWx5A;=f;VJLl&CSqbe+| z5c8rta=dM-N~teoA~9tvweG|o4KxwoaWmxQ!59qIu;>mXa>cd{3R+SsBjN{VW(Tz5y+ z$%Rh7^m~zkSL&-?(u*vyke4*&Y<6Fo{xSVoN$!|)!H8~V%f*2edMF0Kv{q* znp!>+L{Vh#!;mo~;dM|*?+i?)ULMsVl-X?A_jw zm^cfKyIL0Ilx@^E@06>6L`|cxU$<+9fTSh+402>F3pW3H>43Xfx3IgbbM!}I8r(>X z_L`Yo3*GJ9zeZ+%NcI{B2E{-vAFW%c2I4x|wBqI&8TS_GB8yI+S!6sV{h0JP(pt~1c@yt2BR_+Rv{fuP+ZG$ z01zfaZWt_XsY0m!lUcDy2Q>6c7@Q@#6U2Z(@<=d*2fBkqz9v<&q{^b|!HuNX_RN$` z1o#Cs5++x7Szq2>YJBD7Wa8kVWS$!#%eX`;)`QLGW;9Oh&QNxW3l^(i_LbHc^MN0h zMEHeSdrx1ZMQdlPcTo6oX+IlVd4kYt(0^uGcG<=n-3SZoH3uH=8~y+1s=E0ZUV%#6 zs7jkfQO}*sMpC87Zx*%dn@43dfzmD^?I!(c^e;dH>bDc~$ix}~fye|(uy5ezAFC7q zjC@<)$`EB<@r~l?&W)t0Bor3KP{5Y;a{NMeWP7X%@YTRcdRmrMjXOvFFFf;*O9;r( z(USxWTvlA2S&qcezaX_(fc<8Wk3_!~$H-&`GH~|f3&C=uP>czsF&u`?OzHPt{UF!Y zO&XfWN@ry2+eV~cAD8U*l`jsfMsp&AW?gBk_$RKBn-JA2yFBY<`>^VhJ zZW^Ar_bPl4fMhDA4@gxh9G*j~2!y!^9P#;8@RtDx?S+^8xkIA_|3LJPq;Y)yKu+Q7 
z`A}+hrk}<6Um?ANmmen=CAMY_FFWpPN;9QDqkv0skN?_QuHpqq%)fBD|5DOglfH-d z8cNk{%#+O$EOKr7y1$nQvK)fsI41RFQ|}CNDgvNU zEBK~FT$v!`3J`9fY8Xw*zS4XV@WVr_Wt63&MN-r`zH#p`~Ug+AD={7zw%6~yp)^`Cp^rWG#u_@SJYiR$mzKBbdE-1Gd z0$vy1`z3q(@Bg4D6M(UXCC$wv^L$6~&l%+ZaU=fc>z4>a1{o!5i=v{+)|DMFxPYY1 zwXeT^bu1mE|0%-aNHV!k%^R10{)K^>c>@-ci~&TEeDqTQ-iWaggmViQ4ri7=Pi9Vx zi@h5g^K6V`6HC{wbUx|8+PZyPPwi3VC3%X!Xemarp!b_3x>8-OgG4T=gxRQL;Dz0V zU}JQAtm}RL2iQ`rpZ}H<`K7x4y8k(6bbr9y$Y+p6l=^xhse5gc83>}220XENv$PMS zD-jSOZvKYiygsozdOx4YTsycF>yV@V^Wp>&R0RM3cDvxP*(xMOOW)At`OPX4ZV$mc zS)q>^Gb=!BQQ;dF!Ip-U1DZ%q9j)g>^;}|=Gnlo`xhO-_VUFqt>aWZn|KOWJwm-cO?=_F#EGi3@l}v!Q^6O4A#CIXU>^yOB#rWO{;Z@0KtY8~D$@F_b(N*w;OQJO4AzAAoGl+b;m;opi0#=9Sz$9gqpm;XlRoaXbn{Tx% z5MBpC+pOb|sf9*|Ns8Z+w*@F{wi+qo)&cl&hR5b#vS(c;4a@%Q6d;=I2omw@R7zt& z_-`87You!3(ElZ>-GoPK6!+b%ugDF1Av1)_-oyiWA^y2ZnqqS??&4!-Kc!rn?&za@ zFHB9cmCX{}j(>@SWcocw_qy%n(S|#OC?fj&BXO)sW05dFO)xl^PNl=x#x@Ag z1YdZFC3Pi-O3|YzLDJdiOVApwshU^$mUfHokZdg@8A)`-Es(Ey+SWFqav4Y$Ezl34 z7)VvVgBywGVwmTUZdqxKOCi^)wP)$xM30Wf_HN2x^EFu$fby&`wIwg~rIUX#nY>c1 z?(G%B*hOtl=kqVGi&a1_7?AUXbvUtvJqBNAFfB_px`cdelAAv|I$FM=`>X@FZfkrv ziY66|Xhm04?BKsai!$uG>5#1$*IAW~`uY1uVRPPANHnZlQvj98=Wr@=cB{#CNBxm zfrmA*JSiSED{gApJB7Tz%M6qL&ZvHSSYY~TJTt`S`)0yhZEH*SxWpItp%_f2#Ldex zSrkthD%wZIlZ9X}!rpZ+Zo1f*U2({AVb?4eIMLAouj0Qk-tI90@boy*%VkG=sb)c) z7*{XolgG)5P64yjPRG+dia6eyFSUP9(a%jmy=;6aBxCaLd87BiXj(fJ(}1NPATRd#kOT-et6hXzwj7R* zp3NBe29`*x9oXe-F0XtbEq=y~F6STpjxCF~#_gsPJ@+}aaRy2?5RYk9?^w1wD76AI zehNwfPr_y|PCUlucl~=`7YEU1Cl{#TzavExUtMIrT6(Pvdb*&)*?g;9g3(YBnrL~7 zcSTS@snw|H3D84yS>gD*+w<3JD$vZ1bOp1)lyU6`^>w!m;fjU*Lbf5({Yr(Zz-*7` z`1kKC#$gtJA*=ZK!vTHL0Z@w<-#i3h--N%RRc5MVSKZ+NMJ+Y@hPjx1^(*sn>A+Ib zYqrsZ0w4PK#St>OqXYSym&ou`QdK%kl$0ZKh!W8y8HAjq%ln6njEr-a!r_X|+y}zJ zTz-6UHyR~;rDHO#;AOV1?#j#RK0zdIMUNU~JZQa@VSeF@xt+V{i&;`J@7KoZ&67?B^L@=GAhc;>w#_r6#?E#78n!bB^|FcpUKam z_0gM-bb7)=hDAI3`?Llh$?@VDqucq!gl_*@;f4~1)`x968tU=qy6V5XsI)zE3(w{w zP?>(#Zdim^g{sBQTpEoBpWT z<76Ypv1F6!D#u|a0;VtypZjYv$V;iUl?jA@nCmJNj1hq$g?gPASh~KvIy~@($oV7q 
zTkdOV@z`Ia6Z{=-;44dROjrPa*Kj+Wk>CE`yZsXIm9K1UjI?v0STld;f_DCMU^8LY z+;I6ZP}!roORYR+<0VOdtG?UPSuk>MRKk1DB4pr#;71oxR&L?yi7*t_Vud99jIn~B z|Ejc9lW{vm(P_aNIH*>0TH%gki-7L?^aez3b*8s#FoU?<#tpsgAiW@Gnr(?utexec&p zu{k+@@VGci-$oA07F3h|eO`+e*3&EQ7|a?AO;8n(4l#ARb}xV~*V31*LP7*|nNb!K z%T53SfXdI{hYb&3<$PayFkPUyoHeYx_87tfNgeiY#k>Ui!6Lu*c`yg{=7ZN5y8M z?+xr8HD-Rpqq;y?P-!Uui8Ckm6HQx9{f4)b1cH%?L@N$0wRY=NwqdJ zVoZsf#u>;Sl_Y>#{0g{8c`5#g)|NCY-NNA_w};qRJL#t>`N2LZsyt;YgE>g=s@;zb zM&(-hoB|dtY2jdzY)wFK;1Q;X*eGC9w4O@f-{ZS-># z;z0biWCLy#2Z(h4dHbfH7~o{We#+)o9v%kg_k25unaFm!RC@0kAY{_d&Y~#03YYer z)b33Sjt@)V2@0hEZcER?TLTob%->a!jEjTw{d;iJv}4o46r9z*tTx3$$CY@gh%R50 z$MqCoWY(Qhr=_7$Ou`u1dRZG;A3ZkFzG6$N{rjr0ii=2T zd6AGHZ{D)HJ*tHuZPs7@UY=@ufXk27ZNsZdae>nF+bN%MPEI77BR{v=zI=Ht-TuhM z+`!Al=vNPVj&0t7Zf4i5>eHp{hYW@fGW&gk;XOrJ-?cO~S5|3%AMt7LS-9GI*|_ZV zK+sW|Zzm1KgkZjHbY^S;>I3sOZZ-|HODfAMb_TW&M#dNSuSQC;vU70&!U47L!;CQ` zGPHS|`U&CahdF59%x^kait;@7-8!XSx0z0C(_5d083`^5V9T4Dax=L2s=r^9WRL2< zz9G~^JY~sOaA^d^nC!u!5EssFj}(30I|B-!(_NxEwEBR5=OZI5%d})pWs{}#n}5u}CbpXKLuExl z0Ysm;q}A&FT_K|5;=i*G$^F!h8LDEY1>!)Cs!-!0E61vqaOZ7hS1-vm5H6Y(B{lhQYPw~~XYlkr~M)|fKFYo+@ zFTK|&Pvw3a{_Ap;Y*mL2ShSiaiBw6E_G1A4`$Qbn6u6!8j~JP1llf|9zj4`Eq?E7M zjCc{ldB>-%?ilQON6gtdZ@mLHG_o3)Gx+r{1K|%;S_9>g-kz%0P2@?%hkS1ft`p); zF6BezdF$XCQV~ra2a-M)@Vf3*H*UHhtk39CEd>MT%jzV3W*O*jqnGiLIY!rrg4V(m z%S}(c0i<(J?<4>Dp)DK^ib#*N>;$R!<8;hu0P&nrb>9M~jgXG^2vWWUR= zoh13v*LtCSwR_^3=o{o`^$XZ~_Ztx4ek{lI|FHGdVNrE`yC@b2sC47V(A^ylNOw0% zH%LpWl=RTuB{3i^AfO=4&^44wH_}pi*7!W{`+etJXD zHnkEOQq4NQX@ww>e>$t7gv!;GBhvs?}tkDKT`NMzJ^r-0Pa+TRVul}%tKSSlLH>&2OUOQ~O$v5xuy>PuKVrEB=4WP{i>V-b70RdJ%wlDMG!?&AT z^ph9#4CiKN0sAM`@hd}J*`&g1^=h@8g_Gyh@(KM?byt&6%lOlBX)zM)bHg0J_^2Mu z@L-9D-aB_uPajNfo+uPt6Wzbvg0$*T!r##9lg^x^@MMS=IiLYeL7hhHZbV>D*QaH( zz#bP0x;YxA*ypM4%&RARIq*@rk0w>@Y=fFG14M&sTGjMc;xorM_=LQ84oK}sfv2X@ zCazCH->264t}S<-v;D~U4cDfmFn%?IwHp2P%Hb5ZQ2h7+3M(koy-bVy%ZG~bbCmCV z*45oaxWoA}fHYRd!S^}m*Y<)PCg1@@2k%?4m?nUPEd#KpwgVM;vgqzstR_K;^-~{e 
z5jArspY;CcKATw-buJ7lrFfqL&)A3E@WQg}cGfg&P&=(6UhcvT2Ic&kyu{ICRqPo^ zHNh%Gr30dB+)nhPS0kLG?mf?(T&Y$aFS=#|D)V&73u67ACBM~aA>Ii zgQ!1whwp%B`zP^!nxfVLb1ePRMEiQX;}v_kBrK+grK`cHNh`;f78EB9P1P!xyIRb) zoTN{FI6ft0;$&hw3i-6Km%Ee@fSDNF9odp0NHw~%uf&Ep796Af(A_&A5N`V`8 z1{5cjb?xgH==wEP<+j%M5Qe~=jlMRVT4{S~o_q7udkT1ATo_Rg?*!fL(om0wk_Ti5 z!K!apYHYXBh9;r;9;(&P~N=I;2~|M zlx-k7FPB^0G_b2qK&VX)pu4dlM0NMeAjlk7uS1@WL3mPIzuiE~$gJkNpq=YkLvO1p|NWvQUVwR)sh=FuHc*3sUHSNJK zOa+SB{%Yg|_PsxMBeU{2UhQX3=s~%NUb$IBu0Yb0+enL3|t4Bg%<3j%X)TV2@ zcs(6EIJ!%K!T9*0T#;s%-wTgds2{FH8ce{gui7AGZCz8Id=i~kL%Ar*%XKo6Ol+Ml z-b~sVr{)NxAuXA2dj~i=PUen>@e6duajyQ}I#duPcWiqi2BwGEJ@>KkO_Rv3!wl2w z4y*b!3PZByw@Q+LaYA=LM>14{rwZ5ij}>-lJkrZjFHWg z4WiAWf*+iSt?2cf^^f?bOYEkt4Gqot)0-OtKaMUDI*QJLro8ydU-S9H{C(YcQjj_< zNs~!L7bx4LD669$nnepT&;8Iteo$~8`EfclLC$&gZ6&x4=$=}>cy3L7lWwKeu#tJv z6_Qf$Iqz3`PDUKTn3HL0PJya^#=?)2bDLugX5uMb-3tC!9Jv4*nPQxpVXj9{9PU(E zmBG3eU4N1wCl?p@1ab~X0fcOW9>{>75PLNnhkIvEH9a2Itl=0$HqSeS4KUHT+BLAU z4MyfOzFS(FuTUu=k$z(a&FCYIk};6#pV8xmZOc^6U3t{=p`*`6uj1r*ca6(8px(1~9Fa zn0J9k$4FAFM{ZP14^ykH*ya}?W^`zaLt08!q9t{4)mFLpeSU`(aT?@%_Fkdz?dcZJ zu%K~e{c4g`1o7c*1H+5keX^<(AuQ9`d6maL*FSsTeR25}il}`6B9qSDtkQZ-ss6c2 z8hQ(3&VBLz)8DNkMP}hU98VMJ^n~Aju>os={cAhTxs8 z&8)2K;t~6p#1I*6`4BT6hV8c>>Z|u$TMp0t=o9vKw@poriyR7jWIG>`JB7gv(WJ*s z5*gW+=9Xys<u%ZjQo-C#txyS6z zsW}kiKi!aV^VcYa5;^m(l$e3M%bLeFc3LWE&7f6g^`+YfhuXP|iwm1VhlW%y?gUrg zmrmI_+3^X$aHD8<7vASkHeEI<7i=>7oV)Glw93|@trpkK@|94=keY-}3tLKGMPSvm8V{73f=`%SB9|`K{Vf9SG$o+M6`8`J%R;2ko)`DX zCme|OIPfdR9^AeX?cpOBTYahd>27ng?Zz_{DOSh^|H(rg?|^=~UZAQM9H4Yo?~YbEXH=ut2bJtk>#?Ej;B=2TbmzDIo1e2x!IF zU94guI#I$=&k6|hCJF@+QyXE{gH}8PHFJ50byL4MY9Wu8TfejBnv|>bTte{HoR&CVtVju2A&*cR=JM^E;T0Tdg)MM!9&L$wwhFn3d@MF-F77 z&$IFjg(g)rlw^6j&Y>o5g-Wr0YZo5OSLs4cO$`PlU22TdXJf`Pz>p<+(<0u){$+sp zqewnedx0`o$AKx8yJUSUrJ3Nv5+Pb!6h zkv(z%=2BE0+s^Fg*7etnK4M}l?e9?zi$e-_Vl_be%%II@oB0v;r=Kth^4sG zGF2E_BSszavr9YIVlgq+6Z(TK^nr956K#W3Mw(W{5*;}n-4a);$@Dh~L0;E9y+PSd z;Fu6^zD1yc{}tpy5m{M+Pu!PhfD$e{C6JVuqi)Z^AKUcwZC%uZj(w7p{!kJ&6@6j* 
z=^pJnGv=f+t^T^3^#;)a*gm5`H{3FF2j_<6x zTOxy5SKNGB+q4*`$|h-{(1j1P6&~uO&7AY18vqVERZgf6Jn>HMKA;9VO3k|BzZD77 z%i|I`IQ1IzSSfW4Oiis<3%C>U!erS;(s`G80qM%w3vk5mUV*Y28^<_pK^$X{egAC(c zVBf`V+{!Hf1mU^dj6j$EsCS_&Lua%=)cI$KPb)Q^BbP>jnlCS8fHG&mg2S}sbjNLY zJiayot|h54j;XP+AUN zL5*q~-i(Y+J9T^}jM9~PJwrF&*2BmxcVs0q0yHDwhrarh1GJ4zgjpYB)G*F9qhEL zrh$kbz*g7Tcb?Ens}HUpH7RvFaGf2WGAYK!`dN||RF}wRCw~C8N1$iMP{Pi<8@6YFIVri;ELdMGYEiCf97GZ31O)y0%LPmjzS2oMpnoyE_%W|;&h(#(Ur9sc zQ_M_?`);-ID${dk`nW>%Vl|DSgK`}EP^f-p4h5NJk}=A`0RQU(mi&~C?#fw~V$<6% zCJgEDToX~^laJxt86>&mgTu&h*12!(B9OCE$T>*bybWxD8cxTCV9R#uM9_*W$_F9L zD_T)U0SfLw(8ODe8r=n)JY0e`=}=JG73VvABag2V5(uN=CGJZmUJH}$o&cb}97J+? zC#_s>L*l!xOqHDl1Fd@G1=$9#CN6TRB|1`u@`<5;t4~JH#ktJycdE$+NSM zu27V2(!$OpnkL)m39*MzCN&K>+{EmbYaGi1T>ElJN(%Ai-O!0lp-MHzpGLM8?$Wjb znQAcVx&n)DGg|FES0nXeJ^w8ls!RV&QgB-=_EC(yj~Uc?5mxfn4isI8Yfy^1mCTMd zEFdS`IhE8+K@;FgEo#s>irLVje~1Ax1?sjm7610n)MrO@;tzn4;ckb{eRSoLIb-;? zZyi-?>wnY_C1Lw%YI*NZJNe~r=&SJt z7(Uf-_)tnlG(%?TGgWKU!aB*EEJBCi*{Fkf+`0N?LYyVNh;<8a5}QIgov| z?`3U%q!yljf-2j+Z8@5NoX|*sAE(;Y+tnK+omLBv0#xkw`sQ1M|AgAUhkqIyL+7*L zD_GWcROGVgM^F9l{_MYzYjC=!Ec{8X*$KC{gFxm0((3P#z&D50!G0ZS26DZg0BH3$ z^V86j691uuNKou`Yashs+KCQVeXZ?EOCdQf#ZycSD^IISU1QJl?0sYYza5MJryh&< zji^MUb$@@__fJ6UK27hpq^iIVJj#)B@n8Gr+GFLarfHg&;oYJPyvmU~EjOuJuA2d6 z)uXc=a)zPT9CRgOg_Hc_LDKj z?US>v37r>!Jcv+E@*R9&Jm*%S#X5O=XW-6=OvyMFBb%^fwVq!*k_jU#+)j@2))*Ex zz_IVTM{6bnU`KmI*G+V3*i_Yhrkwsx&{OLXOK!3v+;u|#r75~TyILkk47E3w`mKv_ zg`!0MOw)Kq6adhZtCOY4(GpvM&8+F{IQJXk+y+^9>EvwpRwivI4U19m5I~Z>n zQ&o0up)l5y`fU1Mh*;cxxb+qV{F+C)pYzk>%Yh%f*H+zo!UF2yi2sc_^A&I&C0Y3C zEsE0O&JkO(K(stq+fcL>y#X}x5{@+y$ zBhSVjxBu&`!L|pJ%zo@C+Oup68QFnb`)3PaPsjjibt6OLm%>bs!J;rJ_@6VM)!$zK zxOM}m{~4ThD#RDg&ljB6{rRr?N2a!EE{rD7fmi?H?j3Lkka~YQScb>X^jMQs=%m9( zw@;!)_)-n^^7d1TyVH@hXvxDS8u^E0$sWQ~AeNe#zux~1{pT7=#)jtyF|$VJ$LC7w zylkBsvdL*|`DqeV=y*19I`2hQYQxr!nvlp3+Zv}t7EJsT^rtMk>IH_2meg|k5>@3tI#`akV;!kekioE)$3&|nb zst4{lMgABodiEvrv5Z(1U)5H>QCjYYoav&+5dW6-tCx93<+ymp04KOx2~3NWxYH89 
zHV-|wnQv-0%TueGy11Yr>!R&3@ZGw8moM#6IIv1hnrJWgsU58gS??jiqNwNxgduY@ z@=iVi6=OPlb$K7Z#A{N8-jfrLl7X-*p{O=8@pIm*SOHJOE z>mg!M4Uc^Wh|W6S>_jX|waR{8y>9kjZGrR{h>Ql1^A)bV^u4%)hZ3#%&#xPDjOaUc znVqVDC0#2FG}&aPrug-;0xW)g#$a7@D}udnaD~~@d>(-6jnte7qEUOR56< zYNmMn!{68XwUZJ5+!6f4knI%zM7X~zjM>X3_@5o%ZH6s>bfD+s6Pg5-A~R|@J$On} z*B{ud?CNuEi>FMI6jp%?)%PfZTW@~r*e9K1oPzh0NfGD09mSoTBFV+}t|CJBElEmt(sX#e^ zPGy$DxDuju0|AYA(wdQYN-a8^r1LXATcc*++Oq_XJ)f&KQKMS1(^VH)d$$ce#N|__LB5HwwVLd`HG$E|T{D|Z>THked z107&6Cn-&pB>@%VmK(26kN*Bfg|6Jsatj}0y) z#gMDjfz$zPjNSFW`^iwS(kvx0@sUS2U}HgqfA{28JoWuX z%GoW94GVOK7ZlOH?$gcvm#v5y;S>$_KmN4>XyMfKCOy1uEBhg3|weQYsSr7g4S z%l?^&F+0FKfjCKWY|~vlW3_+v2u{unG$llStr$8&LE#E(Fka`9vfR^_b z>{zg8u;{)I-Fc_p@HpJ(R1|6f{bY=o#so00R+_S851H0s3Kv@%OLK6m^8{dRYQT4S zjtl@cv3-oox8oWjfl~n@7E(a2;mr9_%%t&DogeHNuJy!(F`1dSpV)T9^LJK;x+g2~ zkAca`=jG(_mij@9-w&whAi%)xHFSxq^6OC&w`Ew(hLMN>R$o#?k^yqfg>e@UPScg> zBV=Pwv5di;z}USHE)THu(BN{_`{0cLmGql}1)wA^n(gAd;90Wm=WryJ`1qdB^(#S` znYqU^YtD0nAu0GRNRs@KQE64x@Q(>kQZjIMg&KW&tb3kKluiQpHLajMr^vefpl-H# zL8%wpbPMnFBQG@+4dLHZVkXCH0e6=G3uVPGz;6@0=u=D#2yZE?*df$q5I&V>Xn4OC z_oMKxR`Hz9AK*Pp*+n1>TBjx#%InT(!_DZk*psmVl~$!hQ@;!k9D8JrfjDx;m^$VD z9Ar+(n?(yT-C{6g=?JxmUq64Y8auwKlUx=A4xZ+~|EX#9r;l71w2<*$vs)Z|^e4Y* zrTg6nrI6Y*tx~GBXw9Plu_usa;2NGr=nb+IQ&mQ&BM>qPq- zn6ea-BSJ=BI`Uwn@e4++CZ>9Nz*~w_pA}#wXfo{WpA2|<)C-4JFeRwC7LA3BaskE_ zI#f>}a1CgyYX4?d%M_XG?@&>th(ovX8d7l}}4rN%i$+ail+U1?u808@r28J=R>EMH(;PACoV z&|5!6tE@dzi#_&U`QLc@KJp0+UouFc31m2&%G>j9zM^j*KZe}kElnOcrW&ss5=)sg zPEnMDLSNsZ?BNooLhp*bQ8%&Br?s-~hU9Gpx$rpj55a3hC=Irv2a20_OwhYWQQ^r* z1KR38A4)XeB=cE5qo^kanPK`1SAo^4{^Xi_Lm|zKjExwQRPsJoKkq?TUeUdiZ8~NF z1X1Zx2N_%x88qBdf0ZBO{bTO z-_tU0f2xgOrUF#l`z-5ZGAYYV@!R?FvJG$i@M=1;7*u~v-3zoBM{3jW zdrfS6Jbl>E2qb2i7u1r)wb)Zg*4H=g=rRNOMt%~z`sxOL|1)-f-Ps4DENe9=cjh9% zC8oyq6x(q9{S4r>gdh~AKzO}xe#gB?BQHhIMDP8iUB3n!NO*F!RnG<&$;Yf>n7nB2 zfNNgYqlM5^K^)gUx}Lq5V1Py^@@(=hfTdHiMKGK^Uc=^vCoy`Ba{2~XfBlSJG;6uR zMkYqytZvypu(8O+-@nWOiTM3AmEMe@)L07G2@spmB_`STyQm%uxCegv@26$6{d(7# zMWFtkqx1I3oswTs_-M+1^!@k6 
zmV$Urq(j&z@o&f1zSVMHw~vOEReQ|Uw~)(6z@|!z`{4VYamgG}q)e6y$v_Qga2RG# zfau2nVWq(o1TsE)5|T9sPgzKgX=;Y0o~P4=xGwXvhDMtCR;ghi$o1*EPu3~6M5au; zwhP80`5^U`OI1sWm*uPK!2|Y`OJEq6F<89X6@rMy4f@iX6mg7?>`{y-jFh?c^t;gB z?_ERBmh0aOa}$`IUefMgDI-A9lc?pRPgsd2IP$f_SlS^<2pwyWW^bq&Z#rO6yv2`y z!3fcwghvPC*eJ=V5C%&={;MC;b+71F$m=nk6gXkf+5S8`F?M1?BE|h$o=bX*qQPNt z_%eIWz_=oielL~I)L=>Jdjg4N%^AST-*EBczhwhSQTA;G5osr?)H|DC3ziGsI;t|A za-ztt1QogdCv8RzsGTr+fVl$QaCx8vY;*jjl|Wt&K#srZz0etU6|E8nionj?aSxx3 zj?EDJ5EHrrsg5#oOVA&Roh}FHQBl(>ZA{|@1&Z8GH5hTk?Uc)}1T_YwWXjzm-D@a$ zxq`mT0m}-0dvL)ND)aJQXr$8>R0i&?#YzJRsa|7UpszQwTWKCp6`AsDl3bgZak=NKG!X){`zgjy6CuoFid^EBAPrkE$289|Y&XaN{L ziJ?u-%hlF|m}xIBE&(+{@-lZ2(4YA|eC=X#O{zv2=UTS`<~!H;r>JSAmR3wnY;GJJ zc;8@rHUTwRqczNcodG9B0BDxXct1`uFhPCIF79e$C7wb-k>esr^_H=ss_M3{Pf%;C z;?WV%i^Y@*I(|K}CR3_c80P<5(G<_IPd6iPYHF=`dc7rJxyeS5GCEk<$}J6;$6Y1a z4^M?$OszGe?64dwfSqqqynNVz7(bAN`YI;=t&2r>X_Qf{>yv%0tE%&#sSD;wBwmV9 z%Jy;d$s|#w*48df?|LmVCATLs|JN7a{Vlz$@l9ZI=D#^9Ay*Vn!eKf|acopAtqQs? z$P|;*jG{^3wF}&fQ5+df?zCKwmV*w(JS5Vpu}|9Jxy`TfSP7-Cli8P)7()~t{;7R?PU+#vnL`9%KaYWLO7aT`DaX!H`L>uWKkoGAkno+uzm;hCQw z3WQM;pBa?`W%Wk>1@;F?#h|Yc3|O1Ye7YY;K6a;E1V=sV^uNCDv$z7iM5G7C>lnA2 zXaTQbw+xDHYi7ui{yFRgSR+QhTL8m2x&BOd=9B*QcFB_!dFaa8tQ~&>bxt#*>X8N- zwMFzlGa?$^Dw#2Z`q6mQ+C=N}AWKDjv%b#)Oh_|&h8}`halNPgW87?%q~vX41u39VZ}NOvHx$^2eujmM@_nK8S~oMk_Rp z`6;v-C^IDV=|!;+w+2Y`ybO}+JpMkJWSP*F&qJEp-S^vL<%i-3Qn&qQ7ceFoUf-&p z-Rj35_yAJp1Gxzs{?Q;@AOE8wU!O~xll-_3Dm~csBoEk-v7bxvc?+WV{~# z;EXH(?M%=Brg5uD%p^j@2aWEWjrzz!wS>Ps+| zD`2A_7xYE)0O(}AE|KxTEft4k=oivMR_}*xsq#afsoPY37=6zMk@xnUTRstUTW+!< zzz`n7nt)sLKycB|Y3r+9uhrU!*fU zJk$Mt9rVZ~6oIxYU_DiX`~_uHDKb+~N7gOzCqjPSEH%toPp3`a(pNJ@Tsv8mEaL5X zQ`+L9c6yaO^-vA3vOw_8l-LMNd{MN9XR$ zR6E<+vkI{OX>ZhSDZ|QIclxN!*0!!TtA`5AsS*KN4U-0uCdDo6zp}Jk{fgIMIp#6sK}~fVJD_Eitv##IgsG@hKZre5 zqx~n{EM-FTnj*Sjtkm1vDXOCjbE~z@%u7}fWUNUm@H7Y7}J4dAd|7r2U6;HzugcN@XmhV7lo0rIuXb;dVfbp6C?Z?lb9{@*gmf1qH&w=@*Ly-fNc3++JRjDzHDkK5tcL0TbD<&a^Uq4(cCVyjTQkcvEKf% zny)pjtz`{PGyvMpN{-NG(XIT>Xt<#UdIMR!&=oENQ~k1z&6^!iHM&3de`&A 
z$@2dm6%OyQ@pnWRl%JK0{Q3oIFZc(7!$g(FzB=f@0U&c!$ng(J9UUrknI{80q+Wxa zfC#0?=ybLgaBBa1nEt}?B)iG=BbMD{^u;}jwiw^kHSyQ}TR>1_)M9>#DaCMdBW1v< zN#ms-kR?DD7UaA|GKL@E#xm|MCl6aHK0~it;@r?Izf&@h!6=f)_$@?R>dWJUo?Ud0KMtamtnSAR*khH=ROewnBA=Dj1X3-?d;^}hYNy0ER2~vzP)?+ zhmwb{v{YOYm0P#fP22ywwW5hkV*W_TFGDZ_T#(s-Nkmrh3 zSL{j4qHfX^s&tYS17KvBS{21H`4H!A>;6aOfmPFnrCMD2_c5MxWOVA3Pp-DQGrSI^ zgCW*FpwNrDVKr(uU-HH)4J`fg>0QsTu{#(xEGl7|KsPKAD*t}k!L$6|Ked`52#WkG zfLW4t3sr#whK(Y?ezD(UNP*WIOgc59hj9b!;91ZPs7cku0yjxdkS}0jX6 zbdpYAE(;B9f^05( zr#SF$gSz0II*Rj(g??o=etrS-@IuB2{+3P~-gLg~wtE-`1M99$FmciyZP26}O9M`O zn;yaiqX3zY6RK02Ha)G=-A$h;qv(;R18TMkNiU!!$e37@4PaU#o`FPji5vl9lThKd zP6-bgt4~my2YRx?i;XI4!T}0_kFo1rwFz&RbUp&}R0%UNcA7i=3}AuhApp?!iRoCa zPu8Lhr-o#MLT~iRWLzAVPL~JZ*4eI@FzG_&>*gF6-T>W^*La%D#0jMq&fi{-g*L<^ zEe_A$s#H=lK~~>s?aip#xcNVK(W{cU8jMVY$3v6OxoIOjGZ5tzAi#`R{-`H9^-bbE zIOGbLyxX30_VN{G#&_#rHMKU4N(dH;Lx7lY6tKN`yYLi!s7^N{UgB*UP%kO+6Hn<| z#fg4$I703!QaAdoiVp1{iLDbUM7pEChq1xA>MDefb@l*<$kX96pclu5!F7hLm{Pxvz=KXyDq5-*TrB`NZdA{hjMZAe_DlynS8f#V?Lrgh_gZDZ%RH%{>Jp`A z*u=?Q#%oZf(~r!z5J~r$)h7>pQY+s! zq_?nfYXwU5lj;ri%;nP}6^C8K!3Ie1RA6CCLhRWJrzcM!a~kY9B+_5Zs)78UL6Qtg zW;NzIxRKxY@^Uh&#y$}^P>nm0JS){&RXPOBsII z+ne&R(nRQ(>rZXEZ|Nno5MSK=xqbsXpnUTs5DNjjd*4G4q=Zsl`$O>NDhLa)@3N(ibhm`TO`R{zv39I7%sRv?v% z86^0_-w>=Js|L!eFL5&LSGK(07O-#5&&izns{wQFpyDeK1EV8}J`yKN9Up8zkPZ+-?LB_UCY)_%s6` z#ib-;22~bW7=8=N0$MLSI%-1!nTGq))42UMD5$ASBn(cJO>b*S0s7z^g1UguxkZb? zmjM4i-{q5YXDQUM&Uv1sKECJJX!&|aS?(`GN|jp^a9m|x;n1cb5h|U5cd%f_Rn7zC zW6ycdF>e$_gPIV-4meZbduIvNY@vf9nu@=ykyQ(zE6m@e#Q-osT9iHFEtmmj9rOJO zK&ARtbIeC;GIW{mpHIvk@c*HF+TjTWx`a`i2^;Q>ljBLN9`ngEZDopA!|yaodo>S`Yf2KV@Yvjs0PSqcNyn=5L2GpN*`hBCDWV7p>MuC%|Oa1 zqD%kMRIiG4xYOjIW4dy^BW&HlSXZ_#WyQk*-`l~Sf8 zg+w@OCl21}9HlD^K!HDpqZ=w(%t`NhN*}+_FWzm~tlv~ZXjJ!(JvOY`-luUFq^v{N zE>$K#hiCK``=iLwIp7b6Yi);>$g5D`--{(rmkZE1bL)0dHGl67`m}&U^0Oy6iZ}XF z5r+Yj{A0yD^@1wYmg5n3eJ?VwO0hu2@!z{diTk(uD4S8*m7-uzVQ;)3h6n1}w@TTuy%B?R^` zM-}2RBqu@+YQ*$XGbJ4>96by+Y_d? 
z>@XTcpnK%WoCVaIWHX9A{;>*V7^%KK#>L^pPe58Fo!*GC_g_4}?pZ(lSE^PJ4zPbr^~!S=PGsma_%c}0XANt5Y2i4nT9pY`;=k+#J<(+YnhRNpl>a~hwhwgK zQ!H`s@Bt{vwtqx`r~B<7;W(rO(AJs0sQc}uyZ>LTgTXfvpv7m+yOUMyVYIJ#JPy;< zoj%;^o@@6twUv0Yd~qpMxg7VmhYmW||LE%c(|7&Ht?w`P;J<&~9t@b>U)sTNftx}0 z55FsTsYXNPfoYyC#%HpGVXG{>ma*643|!}*)(RYMe0L|T5h@waA+lB|7MH2FQ@JD%}ry!Yz-;qH2IjkU#Gj#50 zl&-Fes88h%&*lzKlIZ3RC#?gU8;V-vtNgF^+mfq}nJW12?pD^7FJwu(S_ux4J;r$Q zP>9!cJ+o!&cX|1UL!peoz5GXuVJDqcD%vNTR$0QsuT-_Om=Rx|e=r!VkdDvDV5pSq zoB64Bnb&FdL`>AFMC%C~J3I0Ct?FTyrcB~UL`6PKsif!E*HjbJ_oH?p7V~gpjWp)x z`&g@@ilKgEGZn-L17jP;8hr#;4AS^yE1NHkl+4!FK0$%UyXJMzYCNZrylrVJ{X75A zo?R0oBi8Z?{P9gLKCU>!+-VzXG7XYu2F;b=%eSRc~ zrczW)U7eMUTw})a3^zBl+VsF%6nK-b5|NR++QCvXs*sQFULA$vEXFapNez8@y#^&a zlsB){*TxPR)!X?n2m2ux;Ij^4=#kAxH?ZJNOI5+F>OsnwTdrD~r9VC;GpX|ObgHZ= zGXPgvXRDA^fN2JLCv2w4rT1Z#qZpcBwSE_WO!Vd!bl`8&GB7gO`Y;z1CnsFBccVDG zI<%X<$%wsp{PX&WH0_VW!$FmfhhMY5te*@ybi?VBbTY1-0<+FJR>;j~cz#&l?}e+9 zzf)&^p`bXBiRb&6aH@nvN<}$JfSr>3{xJbL4s1J^GscjF>tJ`NugvEwBjJuRQd+$K%xX1#{}3{EyERI)40|`1*BY zWTbVjabEF3b$3T)OiPF8JLxB#K@W6se$~x6gzt_+$)mf?xVWnEesTFPEc{|APWi0r zDwOq01AV->JMlj=9e#g13_T8v#*qhqz`>v=DlslMI7O^Y2RI&p!lUS1&_vWJ#}Epdp<&Q zZzDdtDHRVdOsZg#KKr}`+lXb%L}wdn$3`2+jT4A%@V5PF19R%-Q3rpVTwzs-uanj6 zi^d(!;m^g8c*oQXeqH3p!hpv;MrY9sWEPx-E}=0^Kmr388)7$V^4@30@u1L z9zziyP7&`#J8Xr^R57;Y`nWO6p?Ch1Uqx1S`q=6k+aS`Z1ac5m-8mxnBGgh z+%D78H*WOaa`-0iy)f8}@Oky#t?DXCqSv@%eqi@0a@8EpUX+bRj&sy4AhL;xYt7_nfV5)6U>)4DYz-I1KodLcNbeZG(_T( z{T#65zWVYmnVJgp{JjQ}XywFZa%xb);-_wVe*rcFov{H0tHhjw|MX_?_ z(KwDK{rSG?lhFAQ_(N_#KG9#Cg!f`%WA_N8U{M<3P}!1Br9{i|D2TC&?29}It&~j1 zi{xm!_Fr!wpAx;lxrZdv$dd!B00lR-R6pSyxfDH4DZEcsHuMKejCttYyZE8Ucdx(@ z!q?S4je?BoPHnn^A}cSkB2Vai6!1OJV@*%_VQcqxhUc@WN(zgF1cJnu-lb)MJH)RD zvdmSe6sLoO)#^UqbernM++Aa1aMAeDo?i2s%!K|Ad>W?UKRXLxlvU1o2bMzaw6*2(SW`FUR19cYlhP5qqWK!2CJPgHa?5it=R`=Gr;peFfwyo*kT z?31ThT=?B&{@v;av@i4-37Z4=oy;|Pda8ld6?W0mOn8ESs~F`#J+(tlTK3^bqh)h* z2Gy)npH`0(T=2d*HAeoJxhWN=MDI4^09V~}Pa7&cobQP729XmI)LdaYo@jsHYKTr622D_Eex7TRQop`3WL* 
zqj8)nT*hy4XX-1JnOv(%N(%u_IOe1+gVbTDRtNlcNV8FvMp_dXcadE>I_eOxTKJhM zRdGz%)Wf))dL^QU72?G?F`LmJ1)qMy}LOLd$5 z63W2pYP{vgho?o!@J`!P8i(xO$4oq}Mh6P+0k)Lqy?&$`C3Dg^n=e~PNJs{l%fGt& zC@Cwg5O46MTSz%67fV@j#N~rwU@i<7#ph@J3OSakc)g)phFfBrBlw= zUvs{>a8r;=cx)^^53=BtsEd*bl}6>=t1%&{b&}gLB;^+1aF+cF=PVq+l7K^A^ok}b zIxSk^Y#y+(vM1_V*z}fS89RwLC&Lcq!B$YEkRWB|AAwK`bN_&E*iuho0I3;KTB`UB z-qlrPb#$}M$BSajN}GvL#=N@I>3#_9`DRvFCMAudon7AsHTQqx2OpxDVK5)wy&pLi}1^fE6zY_jlACJqxG=yPc&j=RnsCO z0=oLzY~Y#A@)iw!ArU9PWzzUM;DWdZzDYW^e)Qd*g}GctHuUJ|@GKniNPVDaY-vm* zY=JsT`uL*GDV|?B3gVs2A-2v!rf7n zZnZy&YTg##l2XZ_4+;o;lh^B1o0OQiM~k&b@yA)IKPY$DvWdoho5LX1&1>H+P|Mf}l-; zd$;J7H76(Q&4k6Qic6BnJr3z6qRiwz7UkxCsK~!rQ^T4bo8u?!FGU`ycw0a?>lCO< zx9LWhvcIq@QGV|%f`UIRNHkaIpW3~u>|6PzH~t1Qykw>@XnGmz!r$ZM1VnlNGpU)G z))>m#o%@StbeS=7lSX$(?WxQqd^M{M3Ax>};Ka&=?Ax;U%)|?uTV-Wo>8y?$Jz6+} zf)&Nns+;5|MP$SznThvIdYr*jI}`2|Bv2zm;tSOu3W+bfD?@^10gMi`nF~&KPG7Em zjy&#hxwyKLgZ9^Ol^P9o&wRQPEvUAz@CHlA%F1eKl3mL}u}=B%MaQQrzXaREjf0Zr z7GVz|;n+ECJ*^#AA+yo<3Po69LF^^>|J)AI0GPC35$I30i>tSNeJ^7yqv_}<8N$1s z=w;-Xem}d!qZW?pyrYrMmF9ZnDjOP#9f^Z8(EgQ!5QmVE%+JKssSFOos{&~@xwiGTO;SDl(cHuo-^}h*L_c%APsSc%UWm5-DnKFtGa$VB9S!>v z_Jyj?@W{wWos9Za0SkW9CpV<>(-RXD35kj0!3)>aBosRxNvogrgYGketTc%e8i?Aj z#u4Hd24p!8;jC{oAdm!)>TPGaogL;4nvRlP-jyM;Qlfjm9!U`s6B81V^?}zH<^^s;o0Pp`;wOPbjsQ8fWlD^0R{pBP*jche$!o_$l-ggoK2Rzr6aRbjiS)z304> z0FFFYAx6JtfYZ>XXMqtn|4MSygwIV7N%Yo4xayVns#)-JRPsZGU&qOj-j%!vW#y;> z9<|;V$2=`_a1pCQ9ZphS4tBzgllM`CQZ=jtJ#d}K>i2>Sz6kAjx-;Y6!6b_Z z=l*GYm6e?xd3qIoYaZm9;-0=qyP7kMOEWF&aSy@ur22w8AShXz=Y#(v5# zA$if(-~^%F_e42Tr@{B`U1o1aBcdJ=+wu zw!I-usQCD$Pseys{%?_1wR&tsNofnX4SclqjG^-;p5Xb^zJkaWuo(vi`M;aqrlO`6 zf7njOXvjK<1Z$%0VnD0vYY5WH&C(+}RRw(s&$w1jYuse)(nv_$c(=xI_O0gTKEtIt zrIe8fGhqtW!C?|I>{{=)K6l@;pMvngLpcll5IssB?Uy+F;`DW!;gxhc)tB*YmEr6Y zEw=7t#u@0;>LWCgldL_deVvz&{tsc_8P??1ZMzkeV(2YM4Fp6%2)znoD3LA#(t8sS zq=?d`1wsuXO+=)NbdcVggf1ci(xms^`(5sH&Uf~A&VBCvMIIpUyRx$0wdNdij4_Xy zr5PO@d$VDHr*`AUesJ)0e$|gZ#Td)V%7kAeO$antv6oY#$0wmKsW<;Df>QmSJHe%O 
z0g&U+Dj2~#1G2DX2h*r23k|tLD16$b8c4^Vp%0-Bqo})Kuu6)Xx$^&&MuL2@BxUXA zE%{(%^VOP1PsJrtcxfZUFg$74?y^(Oq7<~;AMJe!N=3zqFXlbF+5!Eo!wA6xh)mhu zaM7i(bNDT^Qr30FsMHY|QS3U`RbM|dv$RCknI_=o6Hfv>RB>4DZ+1chJmrSnkfbg6 zsfxxa5qQ^idV$(k^~`uiXcIL@N6@yJf=chfofzxG@(@XK5=c^3ynQ|N4Wt^_i%1Fm z@Vf@iyLDrc*5`j->lcU^%u{w<29XPCLaL{>s*GC7hA{XDOZfYF=$lCS-JS2AN_`iw zTeoh}_V#(8nz;EH_%pRQ2bW#IR(05aw?dLQXHX4oc*V|Kh?15{kL_mo!r~y!7b{DC zH2#BcRp?I5U23*I z#Z$Y}``f=+{c6%%MHO=AVx)j4c9)iNNP6A&C@te6g!=-$mr7Cj${Yo!e5Mu!lnjGy z2Q3fbqY^9b0xll$hZwDZif~9ZwP3>`5Iq@>{6aiMVMg>jlWjL>}X%`@bq z?tiXL@Q#Z6e24!y?f>nz|KsoSKzX;KCCduIKx>q2}aDY(A=3o1F;DI%?!(YLULa&L|%JDdH)p$Yn^>)e3191DR zBN;vGRWPrs5ea_-BKQytbVp$v`ysIk3$FMVX&cs98okE(=c+se=sI@j_kJ0gVDKl@ z?+E^v_1=87-Tl$F93X=7#V@~XuCz1GpgUkR$4Ebn|S zw^|hW@ad!}McLi|l8tX%I4lXFClc7D@Xh?$;b?uQ=i4rhaOPoi$wg9X{xcj|Dp`*a z`JewqSgMa>Tb0pubJmM^&dTKF9>D2A8N&%kH`#3BHWIy;2@kK zqDX8k&W0_@c=yTdR#Z`x;1N2jIE`bGvevMcy{{zVYG`=qt%uL2XC%+*;e$ zLmlvt2kix7P*F=0Y$^-MKsW`s5~Yxd(No+ZfQ5eN_wOA-6f0{ssaqHaSsEpF5stVE zR#$P~AvE~(>QUJJpAu-P+2k|n4u!VAFDD&glF~fY&gFz^!?wzDDgl`3pI<*46`Zj$ zX)x?DXRO>EZZ0nJ!Lh!cFS+Ge@`;Nhp*BbTO!qD)xAsitwJ!6E5tf@@rcUY17V&x( z%P&4$d}C3vx@k6~1b@>TsoPo@i)v#Er8hH^a5$oX+3?4R@Gz{dt`^zbQV)(cnU(7d zYlUOxiy>v?)*C0sban;V3hh!ERxXz20*@&}oOgT;Twx>Q8xunR0X^2GYpUdgbT5DT zwVq`)52E0&U%wKEhXHS=L^XyetKRS%AjOz<4-YT(*MyNN{*;iexS_=sr(~r6D0gsK z#2Kqg+bb@v9|-6NiFz2gsHnPO%$t(wv;$;FyPW5%akX4IeE_>=KQVjvUg}k`s>*Zz zL!603&Be26%w=xgsg;@D$bd!dp@Eqq-NLT^Mft@Ri_9Zrz}{ibRt)u+Qz7x}V>0Hw zAEF`{a8Ok0+u7N*wYiw$+6i5UJ9LLXUm3cy(8Da8*}s_l;Y04H&j8(>b`ifzYoI3| z49>D`41axtM#fOs@)v&)g3+cA6pxi}lH}?n#5;Y*isZ@X>CoK_bI`GmuyEboX{WjU zFZj3^`!Dp^xcx`lD=)9w#NWF8O9|_TewDwE{Q3(nNx;~LoN7<|TMyKF7DX=Anqw~O z7D3HO!hOR&rm7kD2Im4;BqFqB`aCfx+`Jnmy!46_&Q>VA-#7HI zRG7ocs@lUNSq$YMlBbl0xEapmZotLZslF*SH+N+F_;I*OeDlEOe$}XLetw;bN|CvP z<3)Nt6)X%?Y5HXlvR?53rOfZHn^2Nh!peE(~Hxa6MyzjbMa%~C#u1xc*tK4 z6&l}CC!m_V3GL<%>Ax#jq|sWRmAbh_Y)~P+oC!+d%F0acUIN#C{`kwmrIGs-gaXgyJ-0zbi(Q`C69zIgP 
z5q&uY2Ft|6)LWpOV^h|Awx%*DG2wld`s|T3`n^dvmc|*mupy6BV2c4=k#-1d%ymedGF7$Cn}&I3{!4o6?=SvolpjIC+Lv%iH*Pai)X&T>0vJ==blS zP7YGo7}&YAi5PXh?xoQF*6-gKs*ZO23ej_%%WlHXuZxt6-E{}WvWDZHy)T*>YP*zn0zBQn3TT6BN7t=du?`UyWrwdwC$YqF zC10pr#@b}B@+*m7PjLgE^uHEtj!!-xg)A+*|xN_)Y8&2-5SCo^~zL) zkJ&+Tq;AiP5+vECh)BrBBQw5!_9Z+_>Y;hD>>C(KTm(-XEV|2JGZgd1ePe4{blETL2y+P6XLkz=i!cVcpB6SzAiESN|2^e}ZNYx7f~^XQ!bz8- zrO&=C9-2j`NFBSC!nWxMm_fV_W0QcEe*WBLD@3d;;{Q$Z{-^l9`dLZ8OdS9Sk3AC} zvP3Zp`5`igmU(#Z#&rt{&5<(aTGj8W!*>iZQf8?5XxJcs<_xxu1l{vVb0;0Cc={vv zv5$|BD{x>^RVASMYHY5G1j@hKi70iSmB*?2&dDw<;Nd>Bv-_55qa)eW$C!JK+jADp z`0yzzD`*p}{%TEycMpYwVKNP`2G*UQynQ0&vjUJ)(D$;Px847Vfk84Dc1>DZT31&W z^}V+woj5EQFs&!AV{Q58^s5uJ0&ob1Ielmv5g*?R z?#Kg`BoGW6n=cTh$0(@)HONR{V4zLkd;e8y8=K^J@0i=aD1#U>SYFYl z5FlLCTtMJENy?HNe0jqhw^J&BA7hDP6pW>!x}h^>4XF-Pv`Z?w>`_80+%x21LRNGo z^YZWX6n1CWOiWCi&xG@lLLe&Y$v0ORNLj?$3JtCnB7F?aaL32T0MT>XGX^s5p@hfI z`7L?RogO`UZn!{V2t%2_#9pqY!15fu$D zmrm_pcKbQ>Q~G@GHm~nPz@OFUp~c7vi1V9ugfK;oRXTRg?STEctw21nv%8z&=1mZ3 z9#v`GY3~E=z;NEq&f6O)l0cF5`E$*uPdK|06?JvcT-uom!Rd{SEbSoTG~zvs<9-6Uj+A)v>xfR< zL#o?)BTSx%U!Hj7n+o>u zk9Mc$(rRq7y);iU+sw*n65fVl_6S3cl2u)QUV8B6lvRm2vxw8Zn4B@B`zc~cpP}*; zamD3Md1o+KCk@99Xxt#igJiP&h30y zJAr2LSUq?qhMk&L?qGg{Babu6cqEx(YYS&4<1_a5b~c*^QNWg+wy+b*n*#FNKYnN> zEe%%GQD$r0(?6V3^&rsBSc8l7VHfe0M!$9+LBw1jt84$C*;hq&RgKi3_dJo)TP-bb zU^zKyvQQUm>xJ0VGp#4XKCdD~Ge;o=<}~gO+S=MKWdTf4+P3456r4%=ENCD^xet_V z`m`TJj?jvZWXGJ%$U{P>srZOi1VVzj*`#-5d#w+Ms3{lXX6 zzoTz;wkS|xG{R3%`=8ljaqNiO&6??jp>JcxG*#ZH6=T{)TJ1FLO{QJc+r_z!ct&k7OgjQ3VGF zUWuHI<4%AXvs%|kgX-0Km$H+t#Z|2<-pcO+VN@R<={)_Bbo2XS0PL6{223eG#E#{i z?U!PGBWwOTQ&fRS$L3)fV@QQANcljCe6rhU3QPD!>CMddPpiDE-Y=ga;{}vdm5?r= zkHpKQOv#?F9Ub}cis+zE10J%$0Wjw^SWse$JfBzJ4I7WTvy_y6DfYO|kEK;I>z^Kf zs@BPCpFJ3F@R6hq-%Ok-nY1S+C{-nw&?H_%_kz$7R; zMAL`DUO+HP&$xb_k@t2G@Ee;=m)34SU>qbser4II_lM2$Ii^H22$;ZP3Z9~(Z&6Z^ zR8xa;rd;^`FZ-ewFJIg zx#`7Rj%O0EK}k#~DdUKuXY;5W3v`&)gi;cG4SVgO`uwjErl_+$$A{{#(M|ti4A{7d zQf}2432SRx31Nk!zAd+232f!L)mp~r|JsB%HqDIW`qdI>ctcnf8;4rRgz2lyP&dL5 
zBx84$Sm$iVs>f&k4(xQ%{4fy3(BM~*Ow&+skr%=d2~efGu)JQW^`Y!nwpv}kB+Vy0&YhYP~X}45I(E# z+S}L1+7d*WRvysOB52dsHQViMIl~wAEMGpd^_OI&69H0o&xG>Qr>6-7udy!TPN?Z9 zcgCboA3k}4>o`7pcDDq^}A>eWM+&FfThXFU5u10S+!bp^25W3tnPd< z=Zq!VB|^^3`uNn7-+V9_94rriWSo(afymUl(+VLrI#PgAO317GA@e>`$fX*YU`J_$ zw5}X3Kyo#HhhUcXwyGy+tg>hG8?SEBJ&+J>qx_b#Zs^JAy_Zzw$25*y?VVdynXl ziePZ@WJkJ$!ZJc(;?@&T7ig_0?IG;fRX6^ictXYQ^w9{-rS(-B$W#90k^~L!BWegH zC7uyUjBc|jX)Ot1q5r(T(at&{}tBI$z$- zCwOP-{YVy#Zu6gZtKQiaTuq)`?4;i5AzA*+b+;ftzvt7N4eeqojr^N&c7mW=^K&7~ zn;tW-kcKho#zoi7bcHCJ{qJT2g!f;F-~or%v}JsdS=^nm+BO~A< zc519h5FZ^Ksn@g6oxm52kdbaEE@rj&p*R_?i^*F%gc~HyZ!h2DN2AqD8 zXYGsC?C#~Y<&BHqfj4B%m(@!|9mlImiV^*#`R(Si^v-9x!o{{_V=UkVk3RC2UNdW) z;+y-c7@uWr-RJdsaa~4+g}M2gM$G7Hz2|<|#Kw}(mZ`0+t(^-cgWF`|)bQA8bMWqF z-L6R3#Y}tn$l7$PZ1fn@JYN$J_vl2pPTs>s_vv#yJ2zin=8o(J#FJp-3*@$85;tZl*%krSDA1S%&DrkK z?w)QoI+f_ANs0;3hKC)01yd!Oq@v3VL4T}`nKt_|f4_+g85I$gJ}H|^=IMz&o~V7f zo%LtOTw58+OVhCR_P)wOC-{rwmEOYp)MeFHY!f{(h>eZQPFmMKYfg91U)Rq9uBnDq z&!^Wbr#`%YU*~)-p--O(dJ>OUw~`(IKCh~>tsKQiruPP%o65roUJFn{Fuei(f4K|% z5S0>I+x7(NX0*%Z^72>3Z(?kDQGIIEhrv~#P1jdGqnf#04}$B=GuTj*^htKKR-Trp zz?{oBOO#HY*>Jj6l}^p0#4dWP1$5nuRS~%PwbFMfNwV`Rn=JPu z!{u5&aXzmk)q#Q)t!SSnSW}+d)T6t@yv=wq{~cDYwM2Rfghc5Zg8WKZl+EXF&gD1L|z5}ZY^85!!{ z&j?gc6GLAQF-6TqqjU4}yxbhz92^+$8rdikuz5pwCSFd-x_TV%SW$1chTu6P3)h&| zjJ1^HCGhSX(43L#t+I}1aZ&fhIZ|^%HS4=V@^a=ueeyl&5@B3kQ4v|`gZu!s4d6$g zi6L)U-4AM|i0%llxm||_DRW%J;qR~CHcz(#$#@oC@iEZcuE}R^4kOfO9ns(ll?YWQ zAtOuMyzbf(_W(jf^fBsI%>f}Fg*5E9tl#rtdP@GekSp1@TDFQ>MhRbvolV#6mJZQH z6x^XfSG%vjYh7ksViEJZ7?<3JQlj6d%v+$6d(pP!W4Z-8YkncE(n4Z{X66LM_iSMV ztWe7KuwGM~L8ViMebdYL_n7yXJ~o^lZgwzqJOZAljb*N;ruPx>oobi)JJL}cVujOhthojaDjmU@ z43T2IpJaZ^qB|-os! 
z=fL*hZOjM3{Q39+saDczV^~`kY2)X{LSE-3!fJ0!s$H&uGyL~>wd-cXZr{@}_n_acsjkB$i|G&GN`F}gp11M5fnd;(S~^L3!E?N`)}4*Z64?Sm zCBbMIh4@F#^mnZBfn*f>X;UOf^XoJOQF7O0p9hd8Ol{^B7Scj)OFe()`3oOo)Zq5i zSyssMOsO|x^ZxVD-voB;L7tH-A|fJadMKs%);{me_R8P28Xm!g_auHDZcHHG6P>q= znJd)dLw8(WFRS!pFHmzk0lTg8MWQum7@tW)5K}PXV!Zlr%IA>DEvU$_A>sg!Q!X6s zPBPY(x+u&YN?prB+1l4uNagaEE>tFIJo?XGc(NQi32Zb>akYmVEm+%#BVSQJ^?}KO7vr>r6Fa-n{bhG)TIUFkRC0kf)Zv!-{iHJ$K#q0 z<#=s$)Xyy9D07O3lXYNmN@PO9036cR(Vm~5-@c`8RA|u=4Io;=$|uYcZl6j^L9IZM zE#|oxk2jE%Le;5RF2@&ToGM2HWiM7tAAQegpu$=1fEe!GJN*k66QO|qnIfgE2Ng%O z@@F0gzKtv<`Wm`WjKc2Dj)A^GcXxLzpVc}s9AaUUWEQ_1#(!hHCYmkw`S|OhWB<1H#?%1wXa4pV)u-^*BfEa)$3*Q%`R+_i;{u|Htm-p3ctZ&$AusK*$S%=!y!F zkXD$l!(A|fm6cV}iptqQN=#;E<{mDF-MEO3LtDo)E$P*9*+urW?J}7gqy+=;iHpOzZ^k|C6 z6vt`YQa+#yc{eY1QS(+aHz*cl>GQZ>e9j@LiZceAt;gm{W3@qLxF8&i^d! zJd+DBV*RmShP)Tgq*nQ58eixCB4YxFs?PG(bgS)~SIGFdjOX@t_5-AS{r#us{(mBE z*VI!0JUtx8J_EoVSMJI^OH{7h1HifXobRArK2eY2FnEg6iUo*hS2y?GwQB=he#w%S z!Aoq8I9zie!6O!D4cX96bOb>VzxUbW)C(cV^6v4>CYey7^jW5+-s8uD@CZgMOghq* zIxT}7nSRxr!JDq(3(huzL4a&P*~)6DFdXI|Yo#!Qey{u#7a}rztqrS_a06|aXZTi0 zTXh_J>x1VCo$oZ=z}r8$T)?Zfl`2@C+6Qm_0-fQXKS82epFvBzkoP(7_kF15oj7QC zxEZSLtk~-5)2Axyp)*V(zk(`Be-Zx5N!$fCcoWBb=6kb z6kFf&^CqRNsl}{68m+Kr_vnV{J^OJi4dL_*T8`EKb68-Qm7W&&w#8YktT_TMeeu)4 zDeV^+~$Y7j79Qi#)dNp z)cC`IZfKX&l@3DxAhzVXt=KE%!W^TF@7bc?G+l8<-}`$EkqWPncIDdIaXD)D0J>;r zZ$I{n)HC*LQK7Z7Ges{81XQ0*L9#@MOfR8==sh+HG>R<05gv|MFYDhyw;fy$ys|+v zSx7EAmodD)VF%ZIxHI^T=(PfpZ4Ai|FWcvb-?x&@dcE)9E@^qqr@bGE2L1Q&ku4TP zNb?VymL0l3-igX=6KNS}@%~_M7>-CSeg6tF8dL-do5vkj?gx&jAmCcBIWUDjVvGv% zj*d@dC)6iA#{HXEdE@CL`BNTQi)6t<)(c&;+fQi|sQ!GF-vU1F<_#?{-t%0e^Sz)W z|8ehh+||~ceA-_4X3$iQdMX-bZ)b`VaZ4&8YgaF9aS)lEU9##Rxh?;mj3u40nD~@M zoV7&`1c=40{nDr7i_(YUvKSnFBxe|N3Sr>%z^eO8;U%kB*pq-(b3S^P6sYDIAE#y2 z!WUv`bOb|bX66rFtstl-0$yW`uoPo_>IiNK)6{Cd&&uk{a}gh11xp&9deu7poR!e9 zAN$E1$MQx+1Wud&ZWpbUTMQp4r-O|C=sE04*{=M!##Ssk{@xas^cKzNT-C3dBzc!t zk*idvoABwRL%D z-zu}A)VnUovJr9QCrUk=#70J{s`g^z26Q8!-#4D$*C~JTA^=wMxv-FQ2!D(dLX^V+ 
zIbN|ZlC>hdI*aCs>3-5+&%_Ux*g@Q#;xnm5Q4B&a zbKPBrktH>Jw~cZKY(D=;6+`cJPFCYr&7)=r1!-t#{Pq+4#HEC^jI?P;LmKxBoF?jB zb22mK3Un^FLS)VsL>mWQTsElXoHidePEAa#yGii*?xhXc4cQ4LvfR9RlFaAlVP-Zx zHg%zM)|q=YTcam((As!;3Npa?#l_omVc>ORt;cM(3TL<++fn>|*4KQ%X3g*XiJ!2f zU~EFdt+9DJ`wT`4tE3ICK`IMoBfiK$BZuv4zG5O?76WEPX!cc^Am&p!-h@Tla*#7Q zPBn1EDHR#lT2~};Xkv8ojXQTP_d#oe%*WGJF(AOJJ;);No7uXyw_I&2(!`prLT3L+iUQqy0 z;H}Kb0GX3vV-ztoQUQFoIE_b-C?Mj(;vju&94iu(r~mp@;GQ#5+7r)|am^gM!}8U- zh);~iUkH*EJ2*W2a`mTb@B`=lm7(@_d7cnhclR-cj)c)h^c6O99UlHGy zo0^(TF4|2JRk9B!z37yG=^OC9m$?jNIb$_Lu{uBy38?tExMpm9eZ6fRW!CE{gruaP zgajM>r6lETqb2=FOLh7kqSq2^KL~q%3=g+red_BGaQH!`-|0lMsAH39=!Wmvtl#Ss za?P8N>yv;{K^ijqJu5m*4*Gp{zX@w{`D>V5(|4A^L>-i?;E>~H0y=!;#ZiY$gZutX zNN4F9aO3G;ZBJlRIL~W5$=fdB$B*@D#ge6;C0^3Z;ys7zpZl{!_Zt}$C*w^EPlDi=5c4f{52!F&$ z2z%ev3xhE*Fi`lry?inB<42qM0L$6$Q&3>z#=my$Q-t?(DB11C%lge1Zd*>tAZrpZ zXV`1@k)8r6#1yvEp*O|AyCa% z2*q^!{>D18msO_%4-$-!EQ3*7*Vw}cT5==?>WKJoBy)jglS z`tI)Aw;J9b%gSa!^x(HU&u3xrmM&gMRM@E6``Byhl=*>dL*g(Zvnn&Y=42&~8}Og< z5%4ZLw44W#vb%8ia-c{hb`BY! 
zOL7pc!M^nbF_$t{3FP|XQSx^KzkN&NzI)qaalO(EVU4FLn*bU+@0~g$0rCJ5w3Hc+<+4?#sjv>F{dsq>50**M;B1-bN0hde^)T&gEHgx0Lc(+Qy5FyZ?^()au4NmP0rd)#;bhm3oB?%0?Frh zvXmuKNS$YE!S@#Fphmw{3~Y!e|Q%@|k$B_F$)y}iAJ#74g4`lPbk&BRwoQhf5j$>UVD!H`3n_AIH%1mn55w>YAAN z86h(g`>vDbmDgnJtF)DTO_V7W9DI1oe~2<$_N$f>^mfN_OALX|A~J{1HnO#pZF%+M4~4HC``0rP)yTTj z#cwIvgDzCGg4{843kw)-O#u<9AHGY)i72w@vDOX}slqvx( z`FDF~60!PD^jVzUxlG=Wed=7KY5)wZf%b3~pPkrLCBxg^ltq|z zc}bkMR_O8`G!;6ydP7*h0I(%dO;bNcSUE$*d>j32E#*wU6bAfk`*&fUaRaDLQL(e% zefEsrX!fwmkP^*(`!3C3ULv5MIXTf$F)}2d%UH(CP{!tsHeu&W+0O{i?%jX#A)$Z<~;M@{Q*&dB{s}+yBYcPcc+_Ml;CQ2%?-!>Pz*2j4K zCGSWedYqC{y{LnhNc7?6OJ-Z&Jx1($M_uu^;<`rbX#UIIPDohM;Q|FfUxEzk|{i7+f&L}C}5#X;6 zD~XxTP>c>EV%#dbl()W^YHza>L0IOleZyz(UHj472RI95xg5zMC;v&1lw(wkIBrZ) zF?j=vQ|8ZnZ*dlbd)+&Tf8J;Oq{`~{!{ z2bCqnX(!2l7|g!?B8n8OnXT%SbxYhlcuFQOE?Q=KAj`$0bDB?`pXRnYk}0rx)*Azz z_h6eY(jwOIL$k8iKLmnHxUCXPWZyZ)Vf&JuQ>V-yrfj+18o^WG`dRWl!1We>W(}5& zn)J+#f>~sqUlkN{&ok42>sRj<2Tsyo$#7VzXW>wudsG z)HFB}C<--+9_#BbxQ*bY6-(DcUF^*3O1AGSp!ZI_r!|Vr&j)|B1_s_zW2B>kP^Fwc z2FZOGX2`)77w8jFhf>+J-k7W(_C$c`Uh8pFb}dT`oi$IAaTQ4ECeh=zuro#NZJLtR z)^=3%U{iT|&xc8ZgS&1$Ma9pP(1-tt`7TCN&&A`EI0|1~{cUhUaI(50Slhu$PN?!O z`*R*BIQ6Tja|^Es@uhJ-*So72ZRvjZMSq~?>dG?z+x)ReBdX9xUHlwYNj`Qi-ucT- zSL8W+zx;>(@L{w(`#<5Y5UJ+yZ)3zA2nX+$o|T8X<&$k$Qpc(e!m?5Hp#o%j)_16n zP5Ta-N*u^r4ou5N3k|EimuI6vB$c{^xEnA+0T)UvHs5)Roqk6p!dekS{-+N2ojS~0 z%zoARRmBt**debBakKawP5a}is_z{D$c+NN>bU<_w{{_jB=i|RnlVBEk4KOx%2&*0 zwbVn!699*vRn7s}e z{r(+L@(-kmNI1j!`HAv=rYtG-R$N7r0$wX!r1AT*sj`|_0+<7tTEgl=K{5*#hVgmu zAh6S1MJ1hRIQ8#wV+7851X(b~?<=QDESs^s39CBe*n)y*>TZd&|IkAKZG?Jgy@2M8 zOb<4O$20jaXV}|B-msgkWS&Wuk89HB^baqrWUBAXBkVN|4bL#@b^FKQfiu-%8B-u1 zlPld2c~8j@&XOhxub_dJ>U1@dT|ry!AB)$)Do?Gb6*9Ja0WJ~D=es@N6+&q4#J<8C zd3#!6o81!kOddQ1!jRiBUw3v*aS@YoB^=cBkxq5n3v`V~?Q@5u6m668rJ1!t*+C5L z7)W(N6INLB;^`E^QY$qfHsKl);BbJk_5!*CP{SFvfRQo68Ut9XaE>CVoe0cTr0WS} zDzjnO&_S^IF-KJ3^w6+zAS`yOM}gccK4?P+)D>=*IGeLoP(Vxd5pecM%T8=?aBxxG z&I(<_QTuEMOa04G)&t(?!EV|z)`}2IBoG(7)xiW`P5p}3(9qc0=>{s#TWasg=_vlG 
zFu^a$LkT}vNS-<+;^g0k)_F|}{P~&L6=HFeZ1q^h(3{fwO~Q>^wTHyv*2!W(Jf`hY zpwNtn1C-sbLfz2%pcoX#&6J9dRmH`bsH~w-hINJtI~kMOAQ>`|7-M8hT4UD}dxRA|3B=(7va7 zi$%N@Y)hJx*kfh%4>|^7WyngsBd*|AzrlR#{>tqRw0Aa3p#^RVQ$^6eejvfvp_lIt zM(+?u#!@*xh=Bz+o{nJ+wADou)JtJhAkotM3%RgX3l(7c@P+J2Yl+!qkNQucOcJ!) zGg+&tRtO|&vUZA_lR2>9&Y>buJF(SD8-kOIcba6B&4Snzg^`QR7-G0_L&*$PP&FWJ zop-Q1+jf_cVY|PfEDGi)IkQGr$zH)L?JXwdetzKdXCfthaaiZ~ywQJ8-94ko2(vB# z_(5(%Dbv`UaBtW?X^z`Y6>Fb**w2zgMP6T+G-<_F`nJ1oR<=eF00W`uf}Lrd`M?ML zYeyb)_2t>;W;oSi?R}vXZ&Td&ENCfK6uyhY*4+EAX?d}Fn~tQ%ulPGw^cwOaytrO@ z+=1n{TXlPNhv^NUqpJA}oR__7E=jc$yjpwT&GncNEd>?LltpCfWGsRfqz82{(GIG^ zX}c<2AnZ9okAIJ~@QS)<9_ZV+D@IWQ-jcVWnC`8KJkCV#JS3Tqz1ek3_^rAfSLzQ9 z>D;vc{f7e^X|MSd{WB&?(>tt{XJ=)p{>#}QCuQ)$qm2WZQXCjyf zyv*C2q5IP#rZ~?rph8kTHaIT0R7lji))5#^cQ3=ws^LU$vrSaoeYAnY{YvKw)xx%@ zhZ4_2hp*}_^0NHV5kSDa00-=2OB@L7oq{4XGDq(V4$0uT(3eg@6#Gbf!hqLII6GvX02~i-Xx@=L9x?OpFTL zVMAtLV;~*fXvVI*p<|&hU2?;Dw@aQ3hd+^?r#~g8cR7r4Xbd8Y&1u`Q8eAX&3R$4Q z3GxuIlvslIP|y$ZnhatkkVyl@ddL%RX)sSE^J_glVTC{&?d+>x98+A-DsxU|H(N%8 z{2Xb6jJKa0;Nvqs7h-!TFt@=z>Py7Jsg9ZN&hBNP)G#!fI9GI$0FTG9iJgpY^9zd$l)Hn2gDp}e%)eeistaMtk@8mU#8x}+ zBBx27R(d_5r<5;aD-MF?Mtt|5H8)eN^gB`PYMCWM+9{ck>N&B4Tb$N;E%oEDwb7QR z9Nvji9Pxa~_(;cv`ut+Ht8r~-J&>UWl5eQQRzzmRZ9PX+u1YoqMDIfhkcrNs_jtU% zUV&h?e1k>Ia7jt@{IdCEPN+q^N$d$S8lrcgKjJCsh~ujXxp@2UQoS{NIAaH}Cqh^W zJj^T&2)N2$zuu$L;&z7l>#xhbhjOx7$@&KRZTJjfs^|U=(~X!;l9;xBH@=j?sIEJ6 zx1M}Rj#6M(%K-*3CcGvdy~b?QFW+^~1D>PLN^VXu911b6_nhA!o@(0B-~yi3#5Zn~ zBo&`mGy@OnhKm}s0)Gk#qmKOx)$+tpi%9;<_P$TL*~alB^HMymdkUjZ9Y=MWZQ(1W zBYq7U+v=b9?MAzpxES+VE;>|%Zq~b={w(Xims&^c2b@pK?VqHIyH;do;&%tH2WxY? zpn3>*kCIUVx;zH}rkeCzjm1Pek^YCth4G`?*@La~Zu;v7-%DLU@&mL5!SeE;_oGUV zA`jHo;S=4$Xz}3aX~;&}rQ&Da7*t%#176x0Hqxj_T%3w?x!h+B6x^O{XU@eqf#oO{ zByVqLo0|SQcy3@YCb?N>QLb<7yF7n_zV7@&2?T=S-;)v(kACDxgSOmlS>4B7Pc9Y! 
z7y}{wBktiUkJ)yvZ{`9cDz)wF901T;UVD!cyt>*0NR9rd4a9@M>xG;Z)-24RB#d;n~~ z9hEh9PYpVC@mp5i$08Oa#qN1o+1UypDQ-`^Trr(15r&M?S*dn|SX6F0m~VxqQ7^VA zu3+5%h-}8`fjv+6WR>swF`coBad4x1^7^lGd-YTaZ5bx3nmtwGi#X zw@Gq+^d|Q{fXQB43?XBgaqx0h~iA3wKXQ!n;%h6U&TpmplL zJC6Zfb@PxcGGZzGr}npZ|78#NK#*y61h_^y%PVmzDCqzCB_M$QH+7%bK~CcDkt*1w zu8Jcesr!$>ETlB&-GqDfJHN!cx*aQ5_fPgAnAV1(qRqYKzh}5+Z~Kv zLFE+oV_sfu$?asc+@RhQ18$I|TlA!gX|yMz=h1RRfG5Zep_hj&A2~Fv`Q;8Q;zSYf zDwpH$;e7QGNo{w|UW}{{7nw-<&dABjbHv{myOBr9LXGMRGf8=iFLu2z#fxQHab`9d z??tcBv(KLlY4x2#|I^Q|rzh_*6;<^$&qz)|B--c0LRKp}($mQ2GROY+<(tnDl%twF zUFcB+gg(AA>5V>6y~V&~N~S5^FNk~W5&+k|Z{Gn=R1D0qwBN>jn|?S^FRhj#r~23Web{YzOSNZ*a_Sq_|Nh6?+EXCb&<&{i1I7b>pqB!t!6~_C z`gr4%$H!`I6-zweP}ZvHr}`KAj75!;(&}ac1CS-ha+A=z>aC}C#hvf!`)t&p+aRfO zvfkd?83`sH!cS=~NkGQ%HF7m1nlU$GRi2B_EUsAZs##p3Zd@Dx^XV3kAQrG$L}_q| zNr)I5mE}*5kh^Kp($aNt3kc2q2;vnrNseXD9%TRRUQr$vLPED+ef=V@Y%@CRGaJTX zSsP0a-N~;zX6KJ#M$CQtM*b@XB<8+b%>;vk*$Kwp%lAD=e4ad^n~9ByiTNWqTczIt zg@}W^q6Q$o3QW_uZ1sO&VVzn!ntvy_#g@l?;nKqxX)RqxW%x2`&u4e085 zBqbWRkKhnsr8YG?obZ*7`tfm!;1fu$G=GP&#Kw1hxM`Ewtv2!Thl2=%T#iP5-R9#@ zipAzOHXWm7{pLgq1Kqx}k)kEQlV@#h&B3k{ST-zJlkqs6Gx0B6ItyHIxdQU}X~tR` zG4NJ$44)-QnX9zBu|s3eAaI3v22g-r?UxVp^W{@YEx1US;VJ^xANZMo*&JG7e3Oum znt>hxQs9HuTi)KTP5*c7fV3vr{!nzdbnXwi~gr#$VTzm_5 zMQ|rR9IVP>FEdo-n9ocbCR+N$*3NFFozB?S&XM*>PG(L{$R;TniO+Vp2`E!eolZ_Q z9L<0#`f8V@szwahCT@fa3TC!i$0}#FXJswn@YyMXbpIvf)FH6Az2$Ll0994zJrRq@ zU~lbsLn3~Dt2D`v`=9fPQ-koAS}kflvZD>ZcG^Um?tm<}sQ#d) zn6bm%*w|R%a;hL5FmS71EblppB&Mc3)t@|()LZCJiI8j&DiD~v|CY(b5ha3#e%}t$ z*%^Cra<#onB6NbguU%Hw`}y?Qs#6`t!z}JMe`WWJ-31b@k{Su=cQjqfy5$lfa~#}n z5OazwK3qcHEnsUU#r&-m{la?>zU5Ib2*kn2%m`6Q#=2f6!u2lPq;LYWi1afqxetN&%g1o@W@ z(>*D%S2JzS{LP4gq|4i>7e@RgFtL$GWbvdPlh_VVdifX-L@LGn!VcK(eT`(`YrvUs zz6R}FYQs>>-N2Er_T^?dGd0$C++$L9+lPiF<|loheT zvQ(7Uzs4MRpB3@+-RHu-d?#tadj&r}4b}y{YqBb5yvJs&EdS(};GWGv;Z*FM8yq`X zlb+YnQXEd5M^+l(E4MB?1~S1Xg@*JD3_b^IWd+Zk3h$ktpYtXt|KWGfk@+1R=BUd& z)=L_#$LA_9{J@NSXdQFwZ~IKh>`>=+Nj4q!tly%^7S4w!ocjpz~#&7{Bz- 
zi6Lzb4TPwS-=(jOkhp)E|i|T9JzYW?Ur9oh5>5`CAh8O{rE|D09?i3I~YG@dc6cA~U z1`&{wlA*gnq*FQt^j&=K`+4sB_j}*t{dbOG*n91@*WT;8&hvA2;Og#`IQp7dSkTsc zBR!WNKNs^T8?yi{Wnx?$pvR^62NXs9URq)drx0{5H@`tvCL96N%BmIS}p;ozlWeTc0sFI|toqDo< z4%4~C_Ol!folJzX4R!GQSY}?%+8pq8;^5#YD~Geh za{gJu7?$WP)o*)Tj1}o>bB)EaC{?7K<;LQLQ{dt^-C{aCE`4EAGPj^+D_l=U{P#IX za2vDPmtAEg^Qi|_ccRo1@itSk1vQdpDa)&C+mfZTGa{L$N1_ZqHz9v)A6l+&7?WIE z4e?sItV^R$??5!UUiANZA!cb|@f5gh^9oBZ(#sdYN@8UsBKh(e+}gu~oi-{nl!Jqv zN%2jS?@)thv+x~&8xAKRAOui=k3_|_jyPGG&XDMh2ZS324si2XbQyWUrdH(`3aAa5 zWW*%vYs&>5icXL4QV-KcDdI57Z0`m_e~A{^oBA?b$m-@-P1!TVT!4J6|^ra#0tDvageT365s_e z6SVGXrmPBQp(YD3Fok1TpQR_`;whASAd$43fL*B7YiVLeSKYi z2C+h>CMH6fRZvH5uO~somhaWW&#p&+zOvmL1XcGE47Asv5u)wjpHG7heOk0Er%zfn zqXKvb%$?Y`$wt`Gf0q~P(+)q4zImcGk196B%$vt4@|#(Hc>Py8N|AfE%jEUIXGXIjcCt?Rc#W z$*vyUltCfSsa>7|Hz-XdyY3;v|C2K>%y((aIPeDa$@b<>DPM|~MTLPGcx6;G=7)4~ zyLdPdL7Ag{l4gD#d&~Se1BqEMI$RneAbA#$5E6oPMn^|}M6S4C6VNs(jI6py3_X2R z8>)eV4&C`FzS{pQ)vL}ciQl+;U?N*6yqN{IcW21B=lS)$LJ~T$);9@Syc)Uv>kh0W zgxFEv!5+acf4sV2Y1)k1Woj-BOh*%jATQ z0SP6d@y&%OGkW>klTg5DY|lp%chhPQw-8U(`_q2yMK6@6i7hij!sg$#qKEW)5!F^M zLUcp^f3pnP1KR@qAMt$uG$Kj7;WkN#V!reQ$cF`|P_sJnE838`L@DtoSEHn_GL&OA zP+-4&r*p}zc(6W7=&^dS+gLPS@J41gYHMO=uC6U4MpF}y)f8jJ>hfz^TT6>t=tr{= z1S>!slE zq}JKZjr`YK`&m0UAafT92>yI)h?Q%seJlE<6=>YmzjACtC&@G=C&d`KScI#5qZ{5C z+!B7>K+AJe7C9}Zl*$*vBqV}lCFglY9T%Z!H^CC!V@q3Ei&D=MWu<#*4^MWMh9M-B zyY0T1Knb#{tB-S&jK~o1g&YJBKi@QkkCq{M@dS~e+1iReOALaNy2^zqMKdVO8w%v? 
z<&p?lXwZ@Qqo?93pio8nM2Uy@EXw(Z0oRv>k4FTFgkLu6{bPwc%8$#y{#NIp{E{(z za|ZnYaxU3B+~$14V-+Y0fHIsBJd=-q%++hIo3){ZN7kc*TQh-fsJCCWEeNlJ^fG&P z|Fx>-yGgPOti(qU{THd&u&kaKr)^7+XNUW{s-e}bLb z0{us8>n-mVU>DfG+j_ZlNW%K@)%e9Dk>%cPh#PA}Cs_e0qwn5hadO3ZefD=O-ax~$ zI=N2mr|2~u6qnGQvu^(U>C+#(>u!_3KpD>J0$@8y<2~G8DKMM55e!N;oehPElk27# zKV`g>E9(2ikJ%=m{q**=D@uz~Z6DBng982I+9kO8Xur%yPRb?<__M;iy^+Kd|0c0vJ&iux#{igbKnG~CcDYt=D!(Oo$SA50w*5??w3&;3P{Qz zEhG$%k18%Gcnhrn{ziX+oRN(n_5EC>7dUiXHdvNs49!Aku_ZiyI%}%9&q+(5 zJ@nG;>#T{uTTYQaY8PQtr2ODPp7>$lrrL)io*U!tN}CN#;CZ1#S9w{J++N;z#^U?K z>mpygw{-yn-X0zTx&0Q3gmfQ2fROyAw|%IHp#v2c>1=4L`@?$z*G`0Z0yddwlghk2 zj|)NxNl8n?zmJ1v-gf@tQ=T;=!Obl-o6iN6N_dq*PK_IM@{uZ2^O&O%`FrnoC-e8yi z7(lr8}i}(nWPX_^W8ox;G>g&^XjW%3QnmNIg-FD z4+S~D%FR_-E3VaRcjiW1SlPpL^35>jmdCnuaY+;q8iE$I9y2wWpQWWGkop+=o||Ja z0Bt8F4iFOmbldw5^TFd~{fzPg;+O4%1D6)G6H8@>u}??31YK@4j=2 zek}pG>%6+U+M%XCtFrRTmuI;;uNyyf1Y?W#FD_=u zGp|rT%kR0*$43;>hVZzcs}Ay#NRmiz)8eFAndTr<2+y76w%K`gC)v^!c~JeOcVdgX z=u_5E!H|`mgG0rXymJy%o@_; z$s4n=wXum;HaFK^u`O#ht8RutCZ2kX7iP0A?i zJUMf_;eSp{vnG+-)F8p)2gtp^>2PXwU(wny#n)>8JCuuMSuHGA_?L3#dSO zYIkSzD{wA(IfMMW81L7Ny#oU&s+!tkW1NUE`7E8Hi;Iif{@*$xs2YuSPyd`a0$jD_ z`HQ)H5RI1XnAX(Pw7J!MwK9XvhH9zQ3RK?tS-?ZHd(qdq#Z zylKzz&5cvf zwL^mr)Yh%l^J7R##sHlVCASbccm_%n!*sN@I|=JT5dp$O;VHn0)7-$ggp#Mr*Z9Q6 z#bxy7*Mo=-NHv43^CG5V$tKF%;(O4n2?lsE@>Ub$$fzqB+(jKQ1$%TSQe^D!vuBiH z!1gu+WLRE*XC=fp^JUNRnF)u`6J^=mK9~EQK;oR7nyPT9Wn@&!&-oUruByfe0j4%K zykCyZ7ccDw=v-(~%Xg%2$`im)a)1}p0^~^m_G8%8E6d@6LWS*;>0#)GPcUe!4in7T)rxvz1l=$)oK6Eo2AN<0C&23X?5A<8%*5G?7h|Cjj$lzC+v zU!CrpyRHGt>7SG5e&N#hsSmy%Zxu*7F(EK1G#ERar*TfVnYj!c9r?K?z#_?1vFp1g z2?}licLR$40Hliwx)O+K=9H(dlw|N|MX&XzSIzu7duY@HY-#k-{C?*>gF?QFmlp5e zv=Qv)%9aGgK)Jbx&`-=O!Hb91gw`Qgr(Hfv0J77~=CYj6pPMpCDL8%-w-a{hG9Ho3 z!)&}@SugLp%&Zl#_PRb?jf^gw9z>JvC_K2}KknsznBu|K2P`gJ-E;& z@o=uUH_`--l~`hLzi;FreQTl?%F^mMiOV#6QtXs1U_XwQt$Ve*1C-RI#?2@FGmc8F zrblJiFu4e)pMkj2YK*OL7%8z#KpqK79``AF@>SE-uhNUtC6q{}zB~=S#BH}yfEB@p z8P$8ZyCJdW!58n;GmUvdy#8EzA>-Dk+Y*hhHg(amU)mdzhkS3;+k@GarbEH~UgBu= 
z^E7>-7V4{}=8KEpbdEsYucdFS%NRQUd2Vtrlv;=!(u$UQ>(8uc9>iRcGNh-9B7X}V zSPeyK<%{H)cA?AGy5oy7P`AKPjgO92(&O5;piew+fcyel1+97Cbpc0=0Hmu8GL<>6kG5#lQo6pYt%?AXx$lPk4%e*1jw{-CRv%M|yrA2Ab*2-Q|4+Kvf zRW4`;gg%NETaKb@{TB1#11{d# z5O!NBB|}=y#1`pN3tG(a$7h3*`9I?|JFh<^kqay&Yy@!89nssu?(oO&S0#GTO*^Gkdb1r<) zt!OT>l!@imEHT3Xh~gwYA~J8)BI%uMA0Kcwd{&KwwsGF+U)ulpuq#J{lXT{1nNu## zNs(hg$iA|&vXS?>c~VdC&Pn0Oz~^elQ7X#b{xCr#Xlnw2azuoRjm=gfq|Ofk*U8rJ zL_dfmtJf6xXVk6*CuV6p-Kk%fyaSkHOE~SJrD6#9J8K)@)G_t3w!Uve@_Txn zr49XRXBM^Cblm57y}f6N_Vpk8%7Y4G@ZW34#mc>OTA8U)J06^CVkDN_-v=6fJnT32 zg|?1HhL__tO=I)(F?$qW$c3kgO=?QijNgxZLMTK5%OdEawV>_o?T?R-%Nl;uBH$Fp z&9toxBwvA9O(c^mxQ%onO#N&WbTuWuj20A4$xy##;}+hJ zaFM_~zM-l5fgf}Q*f$TorPbIRfw}iAg!)IrO_0g+RL*>Iz^dE?uEi+-7Wnt(4gpT; zs8SNBGKz5Xo$0ws@DK`6)H0#h()UMxvN^PPSOBdeDJkg%J4ou`XGW>I{mNY2^*xom zefu^jO@7hiL4d^i|8QH|`B+yrzQ4rsvv}J2e0wuY|95J#4qK9@nwr!0q;sQ@v7upF zQqsiiY?d15w80E$<&N1rhzkzBgaraUJ|QYAE{@D@e%xbkd&)9~UOH=n3iyRV^RbY; ztbWSTw+sa zz*n=j)&~V4Rlav{)-$BOz83(*sqi;mZdU=_&GBSyLsmmwZgBIj;=;P7CMY>U*0!2r zU0q#N6fPidL2zypRDAmMd&)8cILPE*ym(=KKVx*m4I}%fhD}VYisR&$g4at^)F>*8@3g6z)%vV$FjJ^ju#t)W@g)f8G2!2kU&yw`?oeiL)us^}wRUzeU zPb|ztxx~opae3yPplr^`CD)ahAnpCz7;FleF(5!0}2KPON2HbgdkWkBi2~ zDwni6tT7t##eVtnnUaF0B0~Wtb5Xo^^5Nhh{2fOIJB6SwfZ*&a8=&qI$&QY)qpdOdT)`{L1QJcS@kvQ$fk{Tb*eLlelm<8V8lk=( z9!&IshzJf0TBvHEuI^tAza`?6o0|)qIRMrX;u1p__k7c>j+dABYZ^T=IVowX>eNH{ zg&mxn<`xRvRrE40@I)UC{#tK?%nVG7z%wDzY&)IApm-Z z5Qm)5;E`z{@_MTT@Q92=p!1_}5sE{Ek`Ki2BdLAvzgOs`qM&F&i@OA=U@mSoS&5p% zeMtP0Zi{8*eRH3DcQ)hs5nqzVolr*p35Y=nfU-sAR9BDTJ*JINzbFSZroW@AFfaXc zO(ceuso^2pVMDZ+a!))L^^^h1N0b3D<@>lcHVLuR%(b}Kd~$pGqUb6cbE_#jB|f2q z{@~ouiV8n)N#0wjg#rR>(8J&ua#{jndMmj>Y6v!|)<=q-fi*&}kNY>msr{|Yfsc#_ z0f(v;78fsL&kTPWTNOD(%`R^tJfOu|UlRZ`;4vhuc5x8uTaL@RdU^rn*1Fe%4uuXq z>mcl!$LIConnFKMmkLuQaV-VAK^fLa)kW0uZNN7@KewX6hA}fDqxgeGNekur1z2fE zt{zOw-iEP1J!2Z@!>!*h%zwuGS%7*kpJWVAl14qNVzNMs6RK(!OR6wAJPl%%0>rDz zKa#kUXdkRsn4vB8t?xs^exxMNHQ`>==yY|W1&~t!TwH|o6V5n~@_EAjx0KrXoIuT# 
zoIpXvR>jDHVRN7byp8D1q6u5?2&m_CadW8|fhX#wemgk8Nt~}RF`AXui@ishoYX*j z4tap5@=;SHwBVK6Vv4ZkkkFSe_vGioxJ4KRS?9|f?dOjE85lPeGk9>o1XcJAL0P$4 zHSz6ZZ)nkQrBF!QP1nYw;T}$G;9wO+8UiigbD1lVTk1#KBq2;^on)q|SmIoZrZ$@5 zWRKbP0-E;^&3qtXL`;=W-G1Fg$*0y1dU2&({DYZ<>S3uXmxFjSus z+y7Ko3#oWqGb5-}_}!|@&CUBl=}xJS|ME3G&e_cZfR6@VNEvSif^KZu+0W1RMgf|n}^6L)rR&#f^o3u24p%r(d(~ZIYCwbDbX{-P*}LO$k!5RYp_p?H?Mw)AUN7C_!5rY=pC* zcL+#pK2j_ZT8p%%o$&y88P>G?f?SDSu*vOXqBx(`6k)mR>!i*$t<)~cl}lzE=(QlW z?WIPOGyIc4j9_FHLNhVZ^#z!!jV7Z=;^!9L7OQDon_$nu>99o{V7KNcLb|fbpJm7p z!VWm3r>99av+pq3y}RM@hL+617Pi`2U`8#(!4V>cd`ig0?{fF+NkQ7=E!4GdTG@|L znizZK7NJ8w`mCNlzN0Jud1l??ce+~0;*ugwu7rX}z`%A%p@*73amME|d%^A3O7NO4 z+RnyC=3@I0JSmidA5c=UkUtKQ>vfpFy#RKI=SRO$J`Wu*e((7u;)l@%_X?gCSS5Et zHt%_O+P{?kbX%D$SOY}qX}&z{E-FiZbD~eK3epZIZ#>AI)Qe0c8e(#UD+UBR!^WY+ z@mkv2Z1JAIQ!Jx1JPFbP=S5|o7c94Gp{U;ND7|_bY8P%Z`1)4iI}Tz7JEf1I?{9_Z z+lyj8ef>%s5UyypZk}BN>-wHh`w)dBf!U1Gl8?ke_azf=*2}d549zkN#uF08^0;V> zK#&y-&7r5%nTFdhQq?RZDJ-jF)_4F0{co|jE4((R^F!`Hd>3nMccrH~(qejadYGBL zmfBX5qxz4UYAM#=$6W_i4n1+jm5K&`l@JKAw*R--OHU!vv_a5E&Nn z2M4YnPD9nLGWkVzWt@n0b}u)O1$7!y@+6ayD(qir({V?|8y^cYQrHsLi0{1gw%xr;W{5W5!q2fByUd z+;5+HObB{o>=Y2RPAG|T8f0h zbX2y0f@#~riCo%qP;-8gHLuEl&Ze-iko0bmiF&1=1xV#$>N!%FvTi|3#OY9Imd8Rb zetXZ%5Ql|n^YHK_1I8XxHB_B&#sp(;Hw*lbM@Om(+6lnSl+Kj1~yQ zj!&OL9S0t4M!_}boCp~>dTU3gDw=RIBxtehhRm| z#^$DjU3VUI$ZfpD6?3x%t@#8c;vA<)!wCCQnA{o#nY#G6Hn_loKu`!QFSbgF!ku&G zn&)Zou%^G9M&pix1lz(am$^ajr&125{}%^7g+^%mP=x=UsNraT|D|Ng7Pp*`W>y^S z`N9)0!1eQ2JE@LM_%P<5b+1o%EM*Q;Vr2j52`q!YGT+Ol;*pI(JJ2Ed7^cMki2dEf z#F#`{Gyv0DzuU0%+gWp%YXFLt=nV0j+@hik0L1kZSoP_ssX6)hfG0;;*?|Sc^OG=4 z-1Vd1TQl*DiHX_aMJI8W&(r&1_?)!Hgs`k%;_jQH;NE%zcD7n?8mXnqzA@rGDxskp z2H{cKC{HIk^Qp_rBjA!8CTmubSIxgkM0_m?69f47$xK*GEB?5zy3L<2$$Hnr33zUS zn|0i8ZxV^rgooLg80lH*ZI+ebpg@EYU___oJpTU1fWul>DA=|s@^AgP3g`zKC0)vBREHVEh<#K4NU}uQI{m%a%Vm)f9;I@P1iz3fSCv^_ViwmJO zV|=huD1TZB$#0iWbM(8IxdtPjor#}#OWOw)tybg?RX 
z!h2o|>PoQrTyg0;==E8+V_fUH_Dq}{12?R)B-*EP-tw}V72V|(a5zW_PS_y8x_<-OWXd_3%fUAI-p2NQp`ej8z5;D`Hqs&XYLn>7NPK2|Sx~FLJ4?|xmA=uq8k*{=uU(X(6 zULH>HM=D32FYlEwAawm7*nBQ5*!x8kq+Hc6K7BdIU5FATm4k%P(NxygZ>zq1S`nAo9;_tOu7rnPmdr~6Yc^MLh8{6pNw`W9v; zJ`R?zThW4Il83wI{jyYXDP##+UBs!^1MGX4n(=!ypPhpP)C_-nzc%(d9^0BIYeVC$ z4H5!SS)yV#5jL!YjZHZhFu`tSJ>s8PIws(s27e>-rn!oR8j>#Vj6k^D%3R$W+;bg} z1(<^<2jC$6aF8xpvxHh^ydfwdNJgnHB6W%bHH6!Bq(UcHFM{yb%D% z{El_~2vP0P2D?s#A#IIUSHT@AG{dG}aw3c=?s88JqF08$$|7@8(r169xVgEB)bOQ$=)*az5`Mb%>d+L<2%%XZ z+=vmpt?m) zCVcEr&O96Jv}5x60xW^?%GeNnqzEDq^sigcGR=MnL@PqHd4Dx^T@vf^CiSq0^h*s5 zDH+jdRT9XzM8LVtybrPF6e*{lnVv@Jkfpqq1~rd0v!V5@smslxvPBha7-%hAUb*i6 z?Jm2tada$G%(ixLp!8dJ*_-D)Bc{Ybt=1oQKKvia1nmqYBSq8< z^is}?waJghTz|yzT~`0I2JpNa|D&Y%g^FR%?R2McJWwUXTQoU6#X)}!eVg+(V3-Ir z-ZV-e&fXU1D2b*!fYYMn8P7eHuL~v!Fhk|ZH$CbGdlcW0Q%QRbZfyNq+I3s&@X3gl zySv4k!;}r{T*dTNwoxp;qLua7T-!oBCeaIAp^J>rE=ZU%7gz*3?$ z#=RGG($rg^MdM#Y<&On!gOTCt9@`i!OYHK3;RN_s3<(zX{qE*2BRV?uYLuZSdtBY3 zCjP+O`_K8>?vF-IZS5!kcauj2V`B@jdXIzHG`!}aCJ_-)7kXUo>FpCLV;|BPyq6c* zozZXhT7vzKVti@9Nj13N_cXexTvC+ZsaEMA=JAwC@qTA~@v+q?xoULGgN{zD@C}iF zsl^=9-xd6KW#=MDT2SMT6Df)?;xL6d_E%JdA0WynK8iHG89GmTt&}cM_ z>nB82=<#&C5!H)mE_7_i4>=E%&r~b+W!QXYb{aMM{#?4y_A1uk{wckz#@1kEtU;z4 zo}?kCCVxplk+D=2qOcC znQ<3{aQ+}9EYxz8*)k+#*pLDAIb`@QEhm>QmpBrY>P)b0=Hiai(pTTM3u6u5MhMx# z(+1)j5twvY4V4@2Oy7jWe0nKlUu$(VewtZA%_gu^r)|ZID%-=s%fYdn1b2~x8VS3d(51ehVAe9u7CfRCsCIeaQ*=Cq{!TjgmIB)I(b$@ z1!J0v2*cO{h{3iU*N4><{+1t@t}b!vRP)rhMue7s00cXVd=ik_v9Mr2P6VmmY(pQM zetl+8YmQn*R%+F7S#+T59dpKeL24X0o#}7ru>+PKMH^mWqzD&=K$ugR97`E#OBlu< z&WO)V7&dUr2kY?c$$A4zN-O%cUC#ItjYc>8TukWKO^-7;FL?KOb=4bUbn-F$weYJR zNZ4;?tfKeT9BDKQF00>OW3ngLU`r6X(k8%MFPE5iD_ zgTCe%lp`k41^|`3-*y5L^@MW10X{z4+iX$5Qo`n+`Ly^0&;Zg`?<)OSq9dF6*kqRv zRrh-}1useY%T!e+t6{4`80O`xJqya+6lZt@q;#FB!baZ7`u1?1c8mLv`}FveH_q=U zKJ~dTb7voD9=^=0uv8Bo2->No4UqppubVp>CwRGR@5LJ23V=#p_Db;26fer8a6iDX z(n<4%b5ORCHtnbfh2QY_2vs-z=O4?Wr^Xoz6I=%NS*oLX=&l1GS1Y)&hS-n*>RN=w zO;CDwRhN#8k?ITSEfu>jt>{UdI*`T(+)7F8kd#Tg2bi1)kf8Nn_tCbUP;Hs55{vpC 
zG1<)QXI%%T8D0!EyKc7+bJBS>qHAEeXShN7R`IJs#T&MojyK|+zZ{O9lm@9tRBSzO z#pwY-bggyPm)b>RljoebN^~Mtk~_(w6a$-G>I^fr5DX>^GbZ2}h?}t}rcG1E^KeuyT2S161NEiW~iHZ;_jSCe>#6*{^2>BWEoMSikK0?i^v#Qqq_|MPbqvSbjd(ry^ zWKCqFNdibiv@JCmW6MDhxCe^KP*|;^t(P_+rlGqwu_6(Y(jpJy3b9~K1h7Q7?-PFR zX=Rv$Q%07WIR;IK2G-#b0&e!}K_bP%PR;c6#3k@YMn0;Vok(5B>kkDDQGSL^laUG857{Xbtd3OFf&puhBbWOa|h{(wsHUSiwT0+*$=r8PQ#0T4{mYJnl3!^^m(7tPixHBLbHv#O{% zl9BzAbwO$8jarwEC;wHL7^`;5FPOmc9cS1dMgL-Il&a%t{*L^eF*ViV+n>VJo^*&* zu;bH|N|XQ>HLG2DS`gHqsQ{_J;3#J`$>hZ_bHh{-fYm~^;fsN-7J6}KKXwX_3cv(k>5s8ib#$k$)+Fiuf}`#-$lBNejY6$Xnd+ z=OMvxUvmA=M@dM=(hoYJf`a=+1*-T6TPE0!8rDQ^a$HHW)W1JcLqlJ&2W)AmcIl{o z2+{^A_Si^Fx=JOn?(^$U&a}1iuqqyaFLD0Qm;U+azYeTj^f5~{$gCss`(!|tK_>j< zZoLTGKm~%i? zO+FF0=3#{%>n*g6jj%|6PvHE+2IA@}Wc4!JDgNt&|N7rE-46E(bJaN8B^F7^a+UA* zTj1Blb(^z+B>K8~BHd@=+UY*i-fh+!s;7B7m4sNgjLLMAV>+@t>YpZah(-n2EE;eo za5?j-Uf{ z!h7#2+t}mlg*?L zidJ64eIiKyNL_6$Q!j2{CQx+bo|`Ndi^Y=Ccg8|>nPTBtLp*eGQE^b+)_qj3OC1u2 zCyC@IO0$wK*qUO&3EUFurZ4#>S_7=$c2c6E?7i=xVuYJe5SAM2lxT|(p=5)V-YPlw z6=S7O&T0knySj5PQyH?b$mnQ-LnP*DTLn3+^f4oI{WH7-9SQipQ-?%9zF7OZGO%R8lQ^3x$3q zrx@QoeLkRi=MYaE7Z*3!i&{wVdjbZp9j)KYRdE|Xq|y#9s?0l~d`2xa!>eoY&4pVe z89^rcY@Kw3%L#601%KDY3eNq%x!|E9v2Qk1jL9s8TUK12uxdmpvgFmIKVl+@3IZX< z$?S_siI$dY;gQ!)%59HS<-(jAZPuk@Pt_6Oo6U|E(;^S0(o*v^Z9gx5J;uil{PXBh zQYtra8ZJ0leKx3*s2_316$3EW z*w*3e*Nn4YL38og7C0Ozi*obxFIM|f6B4w6bEyW9Cg=F5qEkUI2ffrt-o}1K1+Mg5 zLP7!{jNQGv^x#1?S(tpU^NUCJm6G%}_8=pUxOpI7i|e{&zPrR4C&C@jX2H#OpY-kq zDG_!B%*AE=%B#ghfQ%i+cia4-u%wv?WyFTvPp60E1i=Q4MGUHELHp-Ec~3N%$kPO$ zwxFle=tr5H=Y9vtJ#LmorzU}*x7!!SCF987&z_0W3X)TT{ZWRq59j`IXcwWrDLm}4 z!M^0;CvgC$=w1PFSm(EIUx@*No9{0!M|i{v0PW*dH8cc>E&I%(l~)D_nf^R`p3456 z<7<6=H#Zjp5d_S=(eZKnDkw{AXrIHtDEelzF*GSVwiVLp^y%os;Kt_}(n;hIBP2v_ z@?r1|n6rzpo$0A4=g7u}wVAU;)X?~%NBy!84UG^@#)O#pdm>c8NM2#Zg6UBM(-Uwa z9|<0n)OnqQ>Yw4WeC6zZ5U~cY#h8%XwR`L8!+PuvoVfbd@W#&v#t}t};_3Y=jK;kn zJcofch|v@i8w+>~H8oVEfc81{s`>EOd7VVfOjL%nlvFPe-@H#t+ur$VY@j15g@sdP zg0UL4sIu=z8`wwB?^;Um^@W#9z!0z2N*ysytn>s}7<3n~)V<4#8`c1`j07K^8^`m( 
zcgp|c_{XM@R;boxY%DZNIpLk+Jg)SuvVqhJ=*wrh%IO<)Ygw5e1)W_`gf7t$8jks3 zY9*k0jZNVNfS}B{;Z|psojp*Yp^(s?)5p?M-&AmacJSy#uya%y*)aW73VPe`C_ob0q37;R(Xvra2T{zfS7l7cIH@t>rC)sH21JXJs!+k z>O%vtT8B|8M>FxjV2W}ri%KYnbAL?kkJktn*to#*Zg|n6XX6i`d_-sWv^=ZzULk-; zNJ#}zSNeTqe6y3qyfhDb?5SO^S% zgApTLM4q^R1My>X8b(H?jb7E~*-5+!UBeO%>e#cX!Z~uW8wr(80%{r!Zol70IQ6S& z?Ai;~LFs77uKMm!^=B{PZvd#=2CzS_i>LOjh7jYL^t1-ZT_-Bw{MF|~AP{8iX$s!n zdD%-0%tiOzYF>W@nM^fPXr3Ov_kGilGPjS#`@*CGxPdq2Gyfe5K^CE)Ne@4}0+D^P zZA+Gpf$5@x5=I6(d?54sJ+DX;=p6;L{5+dX2C%Rp(r2wXuCoVAvM)<7eHy`1AVa2! z5q^Ng?DF%zeE6nMK>`=zr2<^H?VOhsgef(xXuQmUjMv85V@zrdJ{x97#b9+E>S3Vw z@w}RT(Ae}7cm6NKNo40zBAktVguK%k6#qQFEd6+ScGu|F&d#(iY|)a3htI}6CA~9{ zdY@ak@pj9G6Ey?}YXI?(aIhm(kr^9XKV+DA)()6>%(PoQAuCtDf2q!%Vn20^K^ zzf;Yu_1R~kF8~3TPDq6F$RCisXv2RBa9=A$S87+VJ zdv0@8iZ%?4=Sa!!7CrBh5hS&o2KVfHAOTGY|J&$s+&z;245ZwMh=>HiOzY ztnyVgDJT*^;ggrQ1O(8f5!E+++&f=0PEMvi^=<$S=DNNl)dr(o%vtRZ^i(ZK!}wnm zS-5P+JxJI8I?ZqYey5yspNRF+H)+m+=l-~j2ok>SZzb~Z%&EMh@cszF%4Azp*j#Q&xI9Tm0{}XU(WR)rKN|f2sA)cpQ6X5DUb~au4P5l z(%)wm=byl}97V-XV4gn>1-0|4D$pkq0PYY&kO>1hzr4f$qwWpREP-Z`olYuHMuU)1 zM+F7!KRpf5-8lu#qKPd)_NC8KuJ8MERH!*)k9l+>y)u%}y25Id3l=+MQ>~~k+V`TC zUGd-1uTku^c5h&BaxR2`FIIgynv)zV43gfYgl0!aAs0X~0)jTK03D##>(Jt*{k={n0el0(pa_uV zvu^%^XEiS`ufP9UyNSSZN|hxQC1o*X573y|RsF~LobCNT@vx-Lna;icn+~g@c#8It zb`YiI<~BZkM1XZ`5b(o;=2Qfcv*_5^h1mDMQN?t_yT^&~yPUFnVf#+;)M~6)m3W5()Y>izQ zioNuahJ;zX%++W->$Y84p)>Z||6dQV1=rn}Hs9K-kKhFlardwKm%V(1%L5u(vdpD6 z|39~%KDCmL2#-9KlmtMs>LOd4pI8x7S>pwyZqh#DHvk09+(-|AJm_QF^_iXU+-XF8#1Tbo$fJ9rku}Q7Z26ME{Xn?MuBkaQbMXyf1m2uv-8Vn? 
z`~ndu5?8$`_6)Vr1Y=_(X7D8+xDZKpyqWUwIt#0?gv_|x&qs>SEB60o%Qb4a?f;() zAFxfWe4%7>Goy3KNqm&nU4WXL>X*u-o+@)fxnL=15haYxuwa1=+r+Q&)%9C9n`_s* zzAgUkb*Y5RGgjMwG(-yNi%^1|wiYM(p=%XmnyjwzJT(Lt*5YKY&6b!?jYjvy8kjY6 zR2PGi8g|cf4<&8fmFHzXj8rz9TJhDo4_sfy7KtTO_;KIC7jhjUpu(FNkHthCD;{U0b}7q#pe%)1AJ1kuy=KGjvNmZX3Z!Pd?42PAZzE3p}D)e2${l>mOoQv zC0ECcc-2FVt-staF2m8Y$rRVCbB4aC#+@KJC|)OxpA;@+YIayiMuw6A<>NaKny0(3 zJZ!3`8!mmC=Q$t}p>#swcnv^gGnMbfF+N`TuLE3jo7Co_c+cTH)D$H9JRrRz^YQ%| ze1Mls119YnX%r+RVWaW4%LS?T)B+q!2%vx|BhCX|cawCr%6US*r;8ye5Eyqy(e71v zNyU5;Z|U__1|l1JqUr{~zcP-P2C1NN%EQGGAO4x3 zAO7-OE5@S9Y_Oe^Sc4n9(QOW$6;uSl>g9{WS0PsLL~cIbz8&5#w?N3}FSo^HC2k%* zZ$uERCEX5Qs6`nTj*@pfS_pQv>KIHsZ)oaPKC0r@giKu@(EeYh7iX@}Izev8{h~xL zScw#SLh@A8OZRzrsOjiz9UN$AKrP`c7$7uvb^@TTprctq)4H1f>_b|5dYFP426Qoy z39Fv@CFV6Tqqi>K`qgU}sxdQJ)?K~sk#vNk%*^bZpIGN{eEfhF`gdsP2LlWM`>P*b zM76%ZzL?o72?^J^*MZQXzj5#!hB90fPg#MgAd)+krTY8dY&&1jnBdm4#&Dgdfb#z% zRx*Ev1=!I;&{ur_!Tj2lL z17jg}z)jichjns~QSFbzrPYu;{z>h*Q!wh{+%c;!ZD6DKu+7zB2Ia&+R-vY^fDH-b zI&3*V1P7b0w4Ox|MJi~ALtjkM7e4qC0@x;`@8~Lr(Fq5_po)L9U|_`sn&baB+lufT0rM@|*X7`xtd-yv1ncQExbLVjKHQpECZdwuY@)dd>pmE)lP_)xH6roja1IP6qFJ zdI#>uD+gv`et7`kA){~Xu{ z(K%p`e3$V@H7`4^GStgiojHLzs)GSwsjy=G-!?Y{yjtD_iv(RE#i8@zeB87j7prbX zEL8iraiO}P*K$%Cen>m*F>tr z;VsNIRxyZ2qrcD1zoul`5;HQATv$-7=lbYY^HWhp8$mnt%d^ta->2Zm=x8f-#^X-J zC-3z#P!}p}TduBI?9MhFFRJiw-67~ukYuRuqr}4^5j;4#Ju>1DL-%q!{Gfa6Hd&>p zMg(C+#QZyhCVqC^%1o#&lGm8>e@~C6w=Xm4%}L!Fp@PC<);(gIsLrjDPoGY_rCl4C zEe)UPVncvJlN<0ZqDB{)w_8sq{5IEp1zDp;ng44#Or8(Ic@asZVe$`mX2Gr~^xXI_ zNAvyIVwtJ0wtBQ^fvVs4gr;ZBd(;1{yi;9{wSDP*7S%=(@= z-8gLiz4h0#v&miHUK}o~mX;3Cip0l?EZ6u4K7ZGg2%s=qSm3C$$}*XrOCqlaTP!CcY_eSo<)jfMpD|Gz3kcw()>pm>PW5fiC+V@G5W#q+7mv7q=9L9kpXlu_yt zWaF_eRZ)YC<9C#sL;{z);wu(^D^4pBc7{vn!tU)CxlJPZ(q{6kx03ZckgDM zD(Zi0Ol#0|qWTuK_@P*Oq7d=Ko+A$%ge+4+HwfPDKqx}Iw%ax9r_p%irkJn4y?>w= z_Sz@c13xgtOzJvVb37`^tXN0K}4D6`L7ME>a_m zRVlwsHQszA5|q-EOf#X`ED~fyRdzfhGlgMSH;8i7#H|FglkUlQU&`m{vU!kaLAN%G zii+AY_uAX_p6e!cZaofBDbc7GvxEoV@&JTmQX(8>2I=%DNLO3s_O;)*obHZbR$1}L 
z3V3e)cNyo^F%$hF{>|5q*h8Uh3wyEIokG%UU$Wmq301CJ-2zC!T7IEf1u7GrHQ@~v4Ysza2`t};vNm%@DvbFV>jVuUILui2B z7FU*t+IvU%zZx_bX)k@;QzmOXrGSPjhEdu>Rdv_*;NW1Ih{5OhSj@=hoFYo`@MHc( z>-ni!MRM(XCOl?)DF?@k1r}g{GXP(9IXp0!A!<69-r{dOFo@>MKYhF#?7FLzt?vBb zF^T;2^^^7l_FVdnjV|$sGP{^qO>XrsfUEU8AJcWOtGjyh29SdI>4_qWK>dCA`_^&w z=X*ZCM}=wTJgVLeZMgOE@|HE6(6XkaCdrBm?EQJYixc?x-#+3C12BBF-BJCZFXj|`uZV8x2^<<~EK^KV4L?W0Qz>sHt}501qS4i7?b z7@IEopTCjG_}7WeGQ4^TTS}=K*r9;|#|ZBGR8x$Y%zmO#86yp?_gcOz*x)VN{MQQs zcpB({?po+el$SFIE&p6y!zl6fm7)zBrf&t8wc+<~I^g1{vD`tk;2~xNV6m$mfxkkg zi5W?$enHP};`3g<4FV{|X3J6s&_}bMEFQ0$qQNooaT|cZ7PF+~XVKtysf@k#OP+1L zVF9gld_%sqvq`+8Q0v{7J(!^|*cT(OTP*ll}MNlKrQcNwxo5kEM+L z?Y$4^tG!WYDn|_*S6gppz#lz<$94-|GTmMO=>K-bWS{>H1`ff>cBgHS4tZ z$|83m!~ELPlPC7$n^U4?n`gPRqfJ||GE6WbfFb={ly+Xi5yUaT}=g*V-&0Mv+p zM|Io5-55^!9+He)T=SH)DeJ~?hrkDrQeA0qH~8V9Z=Nj)U%Z%jr?bd$pc4qPkp`n9 z+O5kjRfRu0s@>ULjS%2#yrsC6L80dfH)}=C?_a7y2OXXw85wCjUHI_c84y@ixa1g+ ziUGoUng8tm-c_4msOhV7rvvH3rNN!g5ih&eu2P&Xl%Mb(B79fj4y9Wa-ZbFlDM>FM za~advyWa)|{H)gM2K^JBk%2AZ&5g+ijF$^iIy*o=JZ>jksAzof?rv;5K)DsHhJ&?c z8VkttetDsy??Kw#tOhvv{fEQgRBDd)e`I%D5{cKiSyH=KlVSp+2(PcY%4G)re_|#o zUMxk~-`F^!TgSkFld~)O*0ET4tJaM3iWUp=-9om{g@apP0UGI*-h*TZ!O;N$6_Yz5 z3xfEXi+6*An@w^yDtr!ClSPxk`Lpzv$8YPDja5|iw3sv1i^%F&ZkDpAH1DR~a}o>v zcxM`TtL`IU6;3O&Uni*yDDdnIcA6Dy#Zz$`vWilB7s$wGXJ%t!wO=kEiZ;B}K5FiX zLK*Uz+lqQ|xNiY(#&%7#UEJNTQuD0l{fh{FYU2@rIOe;4ow~=ynVloYtz}L2WA8>Q zuiX#C*RRX8*SSx)J$(E)E4BQALV;xFfu|TfdAMPnuQ5Ql7FiKY_ff;m?7a>n=g|Dn z_JRG8XC`WI%~OFub+~|Fwu_e?7Z8{Wz85bHb$37F5 zt%|I8WcsK@sftHYO#RYV*JeRPwYIIv)@#jdB7DlJgB9%JlbFECH@H2%)=)!_E3-G# z-=P>+MIc+>^*5^TQ0D&++xdThK6e~_mHzCQC|E`M!>n%SRSHF9t3sRtEIaq@+j|OG z4+IrAvjvPOBNG5{bjMid+{|3E-&#_c#Cogpf{QR1ljZ!wDdG_XYfxKQ=XvjVmzeWO z|K_G9(pMqhZCrg6&kCaYTi077dtlEE7`cWylYgBecXky*I`x8shakWnB`0=t&%zae zg;B;fUFNz-EB2ioG4SPoqroDy=6DF@LRfJEjh>^OIRe7PLX~(Y(X5MrPq#OqXHOD} zh%VXJ#>JL3sg}j#YyAzlvKmb}a&&~|8Ha*$uK!!v!zks-_V-7)Gr#G5{roZu7)JZV z4MMGCQpRVYY?LA2!Nq@1gs=YXQZ0O!yQin08Jp=<^eM#YZ=nxEw^)7QIh3rcF40T;;40>$j-9Iws`+?l4|d=&6N 
z98@Z2+}!h>=__H!%IPGC59H%bb$2=jj7#LOSz&|S`R6zH7LtNQ-H!rN-!DJMu@Ex<|GJ%b zre7VZ+@=qzN$N@{5IqgTLZtWwQX^7P^>?pEq43(Pa zTXb}-3z5km3S!BthI1Sx<*JWN9%`1@>@AGC?6;FAC~{$`Vq?Hinjqc{EHz${&FyR^ zdWI3P?SO(`)yeYO_A~PvZtd%d;()#T+k>Xc-N%kvdAbt$GItefz-;>%t$o#dp@2V* z=a19Sv$eC!e?y$;87HqKC11Z}kQLW1<6d%68+4uFoUVc2bG0~CTJjrG*=V*~w7`)N#{=khB^A;(hu3jBkVXHNV6d;TWqO>^v zuUY=|PL^JJ*{TJ#=*mZ8t|CeF?xPqsW2?GmpEoxmlt(dY{x@{AbW6Zl z%w6H7(C>1J`#_aqsb7rH1K@4xJirT=Ko6{b%}QaB>uk=;I+eSm%WmihJqzshFiD-q zz=jqZG2d*+QS!eK*|NQEzsaYWahJp2ZCpBNs&gk$Q_5Sd(qp%`E?+=hG zcbtMkR((9d@$xk=c~wTxY0~`c)S(;S0!U=F>;=Eyf+t1jBNK;(9v6Dl@c3 z$TTx@w!~A)KAovyx$m)t$6uVNZ{L*>7kx@~`nb-t_A^O9(A)ZyImm7m3FJ@H8&U1j zhdPj+^gHg{aZAHmjWJewW!{GwRoMj+Sebus~+d&PQby39MZ$Kb-=D!Cx-@BB^e{i8| zGxsdyDSQ1w@z63^(lP~PBEUf?sn;#xT||`cNr=Iv;fk1wqt6xYgg~Lxk$S0hHmw5!AUVuzMuw*57 zf=)vOpH4UoXWk|Ls~vQ9MYIb?4S{@c(;kwM`S*n$l)@!%vpYH}x4eAal`j%HYV*iX zDXVvPXQznpIMr3EXm(BGV+iqtd`nB@32>Wj$E!>Ttsw|R8JUBkA^d}+o}K2O_d&=BV{XKiA^hx(=<}m&&Pw%jGnPEZsa!c1&lv_4!4DnW$m8@{h)dUHYs8^4wzuUK%ee- zVGBCGBgX{e$~r}3a{{s)+iKoMWAlg{^ywl~`YV_dHDJ|$nji#Bf-E*=xO8O3Nr*6- zAuy+5{xlVKB7X$*-glP4$`Q$XhfXZ*vf`yCa1mDBK}m7QMVOB87l1vPxeR+~E)cmp zc7pagjX=BtxcH}eoCY7c4xllZDT0ILqX>_ENTPG+q_5)*MxTZZw&QRVq|Y;L`H8RY znmhmNke^0rn+)<16a(M%s@Z8D9Ato)6sWM4mz3~@3Lzk$#8XwQ%zWu`Q2%@b;sFB; z$`kJj^{}CVOxz1-c-C+e0wG5TwkH%7orFN>;ere%STcyijo4lxKHDkJWWq|BaS=rE z@W&|-XUz$!q-O!Z2mfRIMah%&zPV7%&0*O!$3Ok$L{HUJ4e}d+_jiE*Dn>3tQnG>A zr|mw?eRnH!^Rm;Br$PM#1Eh_UgG4@jYxBgJC$=LjRPiH$RZ7eF)w8F6Wyt@>7!8tu z4;gIiRp(Tv_Fo_j>jxc9QgRZ0NeE<6nerhZI+UygbZFA0hZY9<{q$6MVpz5{4F?1= zaak$o6!9maGjm&%1OfH8shkHRUvW<9v9W($qbX60Rh)hds!cW8{9(jaT!Zzm~-S8C!&Xee)9fti6JIiO|9Ls&rv?zB%#*Ow3HW@i93pvK_10xw#5r&lY7dg0cM&Es z&xDJDlH$U)7vbVcUQu%s%WEkLB3sX58g8aBtJD19SYeX0B)6!}gNuJ!G6YNj=ct`K zg7&j)3m{_Cv*tvdf7=Tpht8$F-Wo2PxdAw@{@$mWn&*VM*g1bDP(LAIP~|+tq)rA= zR8);>riDRFQmmq3PL~TT{$0lR#0Ub&w4X^~>XJU>Y2dklQ;O$+NO2-af04i2!hMHf zOUraMHUfcdY=W6twoVm9Y5p(=HS*P>0!fq@?=*M57c1sz5k$e?HqlBL`$yK+vdma= za&n?H>eteq9|vftco^V(J$(SL{0d}H61g-qG}M4!L|C|!AajO?2W7H)r((H?e+7Ea 
zNmYd=^f)UK6LF3pEC05q!ax#rCbNdjkd>g^!0>*$c{;1tvhFJ>1mf`}_r~Dz8_AOp z+D}a1XkiIpz0tm{p1F}s*aBXH9kI&i+p!*KiJ={26Fp_^E_io~#>1bE`!;ZWL8(|!8> z{tr{M16?&kekpgAYtvb}1P zXu!V&qvZ)jOb3spNLrOT#@`YE)ZosyGZ!R=AC*Sy3szorjz6GGi<&~c*K%M`i*|2ud+$wW!izYE=Rg>w4+UfV9BGzVL-&SEdJN( zG)>uLQ{P|w&!0ycX-T|o>aRN!xV8$QBmS8%Gbbm#AOg!Y<7)Ws-hFiE8c~}F=oRAS zHoX%^yil48tgnaTh6wt^dnYK;*f?bfMU*TnD0>$-*D`k(f@J*L-jY|dhAf-j>=)qo z2rkac3+;mhO>XYl8C31JOL#=gdAeQEcyKe~9_#l$e8b{CC#aZ}r-hYkv=KD)D^Skq z0~ujY$F(OtYije&nq#lduJFX_s-}2wGX7wq^H6->cjos|P6{|Wc-8+3v_hJfdi@{} zUsIEt-_^EQ)M~Evgg5s^@0AO`_}H;SretSNJ}gWZxHcqWqi1N4n3x({x(kC}#HhADsK#_{Z}ILRE+mSqdn`XLs5=V0>VF0d7k9*&cpnH1P)YoAmvY>v(*DXuH+YWXP$w4OzB;CQ##a* zhJb(GbCy8>-QoV}AhR}0=>)33Z-hX2Nt5&(EP>3F&zSt#!b*_9HfFwJDP7@Vp+vz5 zsN`PQ`t{{B@s_u@NW@EJgLreo0$3@>uj{xt*~Iq|)QRoY(}DHY34mk4#pWK!x9PBa z3?BR2?%{!`ek|o6WXnTTQy^UR&#oR5)s*Mf2N#HY`HWCH9l@A5bq!Mx%j0FVpw2~l}o50Tfb+)tfkEk5YZ8za|-Q6PU8ldd6i?AU;A|z7o_~?Fy z+V=KE;;ooisu|M8PZKwYw_GiB86z%`kr8!FFcgiEf}-4Q|M4ZMx8O_ngp=Gzm1vaA z&qF>cGeK=j*MUf_C=L#z6r<`$ID4}zZkH+i~z)t(K&4a-lQ#t>i z8uUpQn|f{!}5mtZ2R zx!E^QuFFReb!+ynP9+3wa(pR~b%8AUwANe-o;uh&6b~PGf+MPDH382)?etTX=KZUt zKfQ?r+cA4q!(H2E^%0<*IB4;IH$4M^h<=`Nnf!SU%pNovL!8hrOoAWV&O!vgt+FS~ zdH$UZTOPMRdh}napGw{b?@I<|a$xABBowQNfAe9Y3T_lu;AhnP3US#VPQnOMROC;w*C7l2OTiO>XBV@ zXXXN}tB8wFQ%R;?h%b~N6>@;x0MyLVS0^BY(m<1*_yR1siF?Iur6ZO)KmiPQ5TYY? 
z>wQt16i_1mwoiBO0s3L}3)kqc^TiGSv#H$?v?|mgUf{S=v&y#J9an|y&tsCkEkYL&X;SB&S6K_PxWwa&0Cp-ymhn|IEm9bK4f(cOLG?Xjv zU^4Pw3s;bf@P1&W+w#QDke(qdF}X{L>b?9WdPKX0DTAHXA|46SwS6V7Z+Qd`7$@nDnnI{ZA*t&VqG3`A2_rS%48f^5Gv1aqzEU$bR8WZS_~jL%fw=Trst zZ3AnMUq6o>8`8JUMoGG^^8g;TRJ>@w+?+3V9+sW1!C5%T`E71i=x$U;uv&JvmFYl# z$J(}a3H7T+*v|tw(SiY*L7+w$y(#N5uzct{KgR?V5<0rv7tT*St*xIpPbG{4C`y$S zE8fXnk}7X+UBeV?pG8z_Zoid|A%k4Y1Ktl9*%DzgSR{-)sbgI&J9Qm>;p}f}Y#XZZ z?5St(bb4rBFVpemad9arDa#|s5_NCThxQyUFE5(%CF(!P;mFD1829@jlKW!+i`m_R z0iY3dE$-(QB=Yj%;490ZEH!)8*9$a&D?xtCU}}t^1y;?g+h#> zH&r|W&J&HP{__3T66X&S73K&R7uV;KsS4uu+q`9+D#N2CU z=L{RjnKblVWo6~fA1cBLIXq?q+S*M`O*C>X8r*U1mR>YI@zn9(c6Lgqjt-4~kL?0J zlFjOULbG)0lq4X&e>M}D_hFOidk`y}qVSEzXKUVJ!A5-BlW2Em&k8HSk6L9pOR*nHm16a@1EU!q(y9kUN`_ft# z8kPGjl}Q!Z#0qzJ3!xpiYLEc#3RMa3!x9edQh~%tWX*9ix#_;YvK*pp5y>2cmE!$)q`1@-6 zy1l09?=HsvW;qWDZ#EZgy80?G@UR#N{#E8_W+ro4-V(n4+~-QS{toWb-tV6r4I!bh z)2Rgo7j5+vmEf`4J8u^KcQa|jFkR}$?-j5tU2-a4INIZVrxDjwz>q2 zRWExQnioq^BoXxh`MEVd!4>#42sfe4SmhT1%;*p&WV}K{;Hm3h;Xly89A4P++KS?> zQj378b@x1F(j3h_5K#&rb0A7hL=*Wzf>spA^d>lTD4awOm35hF!w%FcBI5YC0We=kV3H|gS(7;|#3sX{Ij-pEJBsVyuxl}B;d~AMwe`s#vSW+nRT?*cC!4jb3Ry0MUXgY%n5sTr4~_Zl zTPrwqj=VX#Bj5Jt&yJ`niJ)H86s_1rcd>mzY@2!2)d|&9l{bdM0aI-aQ~MPHBWs%v z>7_5xMn(0OTy&7=I8YC_q?to(I7q}%LMtwIF__w{#OqgjHrI#Tya${I)Zp!N)6?no zCgyy#63Wg7Q@q0V_4R5b7#T!QmXAL5p}0ir^5>1_fz^+b=i*m(FHL>li9OyJ|MeM~ z*7{|!!KSnzXQ)YN-$yb)bLajJV%l-$hhwOu#MU3$1(Pnmc<}-t=;#=x{6qb~{!(`{ zTXK-7im2lS?*j%idir*v1LO9FATA)Mpr8v?`f>k8mZ$$>H)<;J0sU%FRP#zR!=k6m zBfEtiv1f$wsgr1S6@~rZ{RIEpeQ?#8Ry5}f%jYG$EHg!tSPfw_2C(>Zy9XarsX(yf ze%<(#+sJKWOFm#wJx4yv%gbXM;U(>9I6i`R*+p@%mkO0ZZqR2wNUJvgb75>jv- z6WIUq8VFwgPp?6D)X)0H_06cUb_nlkjk$y60>_lv+TudYUw>e1kvbKl5@ zhlYJT$qo$U$+nQzp3cSnUp3-+T4sehC;g0r=eE60c}pv{pWobxYYLMNZ)SuU^$>jb zg7#zHyS5?CKO$7MBm>`dzZ_>+UbW4=?qT6NWX_$#N3Au$lA@&e`UlJQ8x3~8x^k-` zeyaQRPmR;m;%@bu+)$yE-p%ykQE1uLOd5ONZ37ey z7fx<5zDCmbE#|n-x$UE4I;YPBp2#p58yf>>qj440g|&0=0j(HtfPzN2!h?~X<4Oo# z44?aAb2chm0-!IYl=HR%Vi_X_-KqfE`V-fYQ5|h-*OJ}O_}kZC4Mt$Xfn%Ng{vCJT 
z7|eg)m_c=s3Zmlys(bTb2SKrp6dwrWDN53h#%Mh`$dE-$!ZS4K_4eIR~GC{sT{y)7Csh+@plwEI;!S1c3&|79~*O(XwhVX;Zd3l`5ufyA~kZKLUFNZ%? zYyEMV_Ss*_1G!4Q^F3gytg?tRLgrg$pBE|PTu1EjnWvKa`i58J8HbDYF2Z0F^Tgnk zD7aEqofegmd73sfJlbM`1G|P8;R-BNg)dWtt7wb}@wQ{t)Vd(yubI+CfRjxSRxm(u z;cPef0_I;Y|2I*v%Qh=eKCEX`7+J}Ep;eePUu%r$1fl8*BvU z+Mv4A;`y}K?q6kv3pkB-y&FBGj71_(@>==%b(-ASBE%Fsh2&)7h5aH~S*_Dh$h)r0NEpoElXJRmL|-J z#n{jAKr8aq)rfzm&B2l|ZERQ>V4R}f_fbE{_d%gCKgNQc<#kuPZHs%DR;7x3l!{80 z;o(u29sfe6=jp7iOltgK8|^&wQ&-$!@-r4uqg zuMiMBv+2pAHIx_NbX!YSCSI~ff%{m7-16b7-3OoC6{lGY{v4$psK*8;Vc_`!59n` z6I?)7Rg(iQz^`-S+t$2*)~6>!x6m*rUQ#<8VvEW+hl4i+|^49Uky?mW??a5D2p z+S$=#Fz74cgEe;#34V(|tz3pMVX~JJd-)SU(kU>hveotmUn*0Ku9)u$2A|s77?loo zlKgDBTBuF36wy8dN?xqGt&LWDa>OYVJ!v19lQ`T`*U~V@4bcn~6fn3T(B*5GQAt*; z9C=XS6$p#0gYe%#>I-KOr>%|0bh9ARCAxeQSp`b$XxZWRqviMa+%{)Jr74P3Sba8H zn{(d}cJ!P&AY+B^7Q51&WSR~nxu|o(ArhF#=BQCC-a_imTXHSW<&a}?F(P^wr*B77 zYrMs<$97M^i^;Q*U=x#y88 za;(ljoIv3v+J=Uk1b5sEXAZ+jDxT54HpYEf==Jx^(|S|TxUM<-@!Fb-3fIHo5;5pr zJ;@sGT>vc7GNHX)KG!dCR}i+bim%Fr2+HCDzKxIDmjX}9oR$zAHzS0&^{zo#rsW2c zc~Q0INhb5sb#%4&TxV0$EU2Kei=XgPU_>%BoV?3 zi`!NgmT-h1d*`hf4CT|-4Yyp9cj(`&x?^@vwpE~>00$40W&nhR{F5-i&1U5a_yxDYwg@vi8sL0MXLaR4FVcy;`6q`p2?I^6f`j8m$EPDVHI3uK$C zrDC4&#%r*%ZB(meo3FiRqrKqf;#TxdyaM%t-eODa5nm!n{k?k*!gc#41@egb2=Nan ze&F_^S@AqC{h1xB#}x}kDg!xY%1_|3jYIQ2&eyKY)0UZU{G5j@A*GI^rp7PmB-t550F;_vx9%=}0|m>J&p0#5P_j_0XTIeZBnU_nO4 z*hwwOX{&u(@o<~xPx0GtwL^Z;_>l5@nnk=oK;wsl@akC2)X)&{3e9>Xzr(^JO{1EQ zf2D=9zMpcW7GJkN>KF%n;Ums);W@QpiwiqbZ0meDrQszZ0LoVA{+$x~9C)wEIyjt$ zIPuhqQ*-AJk>ch4;V?B|kmO8!oQGo+n77Z~%vquceGqMW6)OwVQ7qwS!pk%*oxP!Sj#na=1zuLv2&NRt7)2Y65odTvGDFXV$ctao zfT`sst{k)*A8mko!V9=wzG%!Nxt4scN(*V}xloz`HhA_|b8g=C5k;BUcCf>?CeeHRZ;-jY2(xE6PGXpB2gIu3@sh%y&*{p<>@^+{$JC?P)%~>WWP<#rg54ExA-^*POQgyaSe%siZU5-}DGFM~6=O_ppa>i(Ei(R}94dSGFBFRx; zz{L^sVE+^_87|JpuFQrm@dlw>$WI*rx5t!YU|}Kp^}{sohu3qKqPi@F>6Kd^1Ro$Y z#m&B}Q$&tcC18RLQYGOL4AB@$tpx>3xBiDY%gM>fRqm^toL|+Ss?hrZ$X^eKWAVIP z01Ls^!T7^LTAHMTACx>RFs>^tEtRqmPpJZMwt9JmdU=$AN?B>YY177)+aH(cDc;qW 
zZ3%z;xE(5Me9+~$Q`tO~;b|tER14SvAhx=Xu4c?+n5JS{)dt7h1QWNej{_Nu#a`Ke z-Kw!@e3;`eBq%5Y{krNhV`7|A_XC}768*DUD=Y2%bG7VF;0A(aI@qzoH!BRXHNG!7 zPNr_6>AMH={X)>9R9lx`(s99OHiV6Dc(BIGx{HqqM{+u*WLD_LOHw5#V+!SvP0r8V z&J+l;!fWW2`J)^)VUe?F-kgMlEHq~i`>(ji;?huAjwPU~y^u`Z2_uhZ+S%SV21wno zq8hv&E2aHd`F*G?w6wf@!a)=uxKqB4#%y6U?!&NPoHiu-Kpy372v{Fi>GAP zTX3GanTK^1_GOOB)U`@-ZfQW6iyL!NT@d6Osfd(g7T^1oR^YR;6x#X7qz;)1iWbs{ z?P_sSMYUOkGMn>b7Z<&jOElzKa;!VCv!Az_rrk;@+h;~*NSLQZc$3;^oj@dT>O=>W z4F+_XyGpw|8#C=nK~Wnvp4JOvhX+7!*>Q_!0vR8MHFD4jxojC-uc;=o`0(x-P(y{} z;;K5b=N8-2yg=w|R836{R%m*(sp*9VdxpZ;&^pQvr6Pr|^*sQEmF&tAnz}4;TZVYW zmeu5B_i@k1uC9ES&VAF^EI3*;R%Mom$Gl_psx}JEFC_HY_b`4imNAcU|792Mk|E?Gs)ncVukgVI9xqZ7JH(D-3 zf!X)?sD>nrWUc1FNRU?7z`$o`=y7`x=Pw^nybeGY0f#yb&CDr>ZLh;NxjjD7eb$7I zWTh;M;0N4s)O0kj9;B_V0DzwS)YKme%#s3Q!^8W(rj#uoKVBQH;E|9>>6pz2aJ!3( zHdTGYBO~$xCcD=r%+D!h**5iC-DKiTt#0v+oXPKx#T;quvnER^(CIGkUgC5(6KH6TM~>%iv$8)_O^2kT4Gi^j5ayYQn2Yq)#{hr!jotBH zmxO#7sF4neGg|Sg#H%9R+}x-yNKp%2y8uF#RlYC8?-*IvP^Y|MWl0~w4|NOi@`7RT zI`AqhZiUwoXJ>17w01mx+=05=TX{3KT@`7EvQtC$ zScEhm?5_I%tUrkM<6S!Vjq8%jP>T-}P71hh|MmoMRe+IFWbOs%_^g!gE~cWt&TK?u zq9Xvveux@!bs1!p1qB6J>48w+y+E)=J9Jl%Z+F2#4%`ffc4=9u^(E?$Wo6-bv!_w2 zx)xom)S^$J@s~Q_1zNBTT#`XD=bO&z>eZ^t3ey+kCGAis6_CVWi?8;Kf<;aO;B!@R zwOU(yTUBIf+z9I-_W~~yLQ&8f;M>m;_Pay|zhBSB*Rm82M&~37Fzwb#GCcQclm^Df zm7&&!I@ZsXfW>INBgo?%C(cjxN)@T3r1;S6uAD|ZLl1jG{<}B?K8i-bPLM844%x{R z8QdOQ;Nd1JB`M?-fpO?D2r$8oIMNqV-Gh3HHT%XFaKIblzH-nUEj|17%vmOWYI|o# zt=zEA@9^mGAQ}^JL#4c%Iu5pBd^B^c1Z9hDwX*&_bKBpuc`7x!eQuLHYibPd&EWeh zqHC_k|M)~+(ZX)XY~t1r>XH}C=qFEdY;7$`@9Ej8BblSJ+hcF9?eME0m6Vm&m=SnO z505umqc?A+EzvB2!f@=n$Kw@}JVPGUKCf>xeFTEvLL`H$su{u(s5R8fUnP|W^ecVO zu&THj@$B31n{mrIG)KyZ>!bIf6-7loBLj2mUIoTge#iHP;B+&+5pUR{S^1BF+?SUF zXL)6xNkL^jv0XE)h@=@FG5jIWd)(bbd1umu5Hr^lPqGbZuwQvj&y?P6l^)ERH^~NP zGhth`BCiq&Djr#Jc?OHL;}I2wg*|9$X6d)eF!toy>copUZ*E3dp)-?ysJtwSUA^#! 
zTuBGgUVfU+&AyYQwC*C>N-bSGm0m?w{0GCCYi9nO-VR8v-R)iVEkjTTy#9~`xc*=9 zl$CUUj)5%~94{8UX1-~mAxN7EB4vTVR?ZBVL03D^0jE_eWybq-H1GA$rKKeReIWN7 z)UPymb$wVM0MOG>wpfbDjh~=gylB^2Cma;6XLS-25jk6vY^R`Y6rY$r#7Xv0U47r( z&rh6^9BWS%swS?EBqs+Rl)sX&^E!xHuIm^Zb5Mp5Qtw_k0~dz~(`uS%8DmV!@|bdZ zncDiI+r;?owOp2-=Yh$?%uW@^f&q{U^?SJB@Mrk(v~sfV&JaWOufQSQfyv3qPZJXi zzv~(7>}|7ptt$-d?p*uQrfRii@9w^9f7ow-JS2ZRu4DG1#P5l~i(~%BHSQpIyLPlX zJ~A{^0W7Jq+HKpQhQf*pS%FTF5v*X%8;_5oqYjm#4&mz6(F={?>ZSW;Q<9;Uos+ZF zEOA6vNdp#ej}0&2xk3%K4{g+9o;3F)`T6;sDwYQaPXqr(yJKQjB&MB@Vk2JU=UR+= z|Kv=RKF(d#P5_>_vQoFfQMVs{{3~1n2sr@KezfTG@c7fGwZkI@l&vjOlx&>B&d;y8 zlwM#TsN2)8+kWi76WM2z;gOC>M*|0k-|r~~@0u}C>{$f~vQ+c)^14HDGb`#IC3=Te zNFaeKgQ)Yg3IyicpxHp;J|fr|>nTT3{@i>*vcY;vGOFn)5IvC{85;&QR*5-|ojkQp zZ*MV82YK3MYawIuD-Ms{tRM3wi~qc&UzC8M%GoBlUHdEiXkFrHbWVJ?f#J}~(b}

>4tFrGDrq9_1Xl$JJC=6|pjP2prCm&V0{z#C<&+<^Z` zufUHKdiXdwMFRiW42QFfTuUPh0+EWYE~NM+Ais)rLekSlaK}|AVyN18>yA$WJ=WrQ zACwl^Xe*j<+1c3^Q;;F$4JpA#EvOX5-I^W$6*~UASK^Qbr~uIz2H&k8Rcp1lni@sz z7oStZLG6BOmz5S0FfJVZs&ZbAH9u0cXmT!C< zYJ40eaoGFp+5H&ITD9cTy755?L(^m-80X#RSB(b8#^MtaGHA4CG0~XeAgF9_%LaP_ zOf4^;IXxK`*}oiJ$eW9|)6V(6r902lHsb`GT)Zg*G(Qh)-9!j3MWOV9NX%w5Mp;mi zk!jjid7|KIS*#9{{wXYyJEUm-s{cal(L5kFwstF{?qG_+9)%jMan8!hnsfKtUBgmv z$E7=Pu$Th?B;@7YG={@{hU3@K;wfxn#eHmSQ0I8Y_{fhx*7vYv zz{umrTtNLNU`g$=Abgh_gwiXy0q3Usv%#&|51vSH)}x0LFsRwHM~3U zC4%y$_D4S$ju`ybc8~8dMi8pC(&&$ z^m3nSsZN&*0iXWdP%K71b+FE8v{L;sk~%bu*M?X@SS@*AJ3{njLmus7vfTFu^xA@H`!z zm4jku1y6uuO;X6xL|Ajj)i!;dHQ5&44tPUho$hGmm6wH2Ql7$4?&Pxml5FEvXMfEm z*sF!Py1K71PhT|h>1H|?=MoPq%Bs@mic&>VlQk(z>;dnsnb}m1u?19?M=bt1Gc36F z=;+BnKF9QoH9T~DXedtR3t`3SeUJdM@E&QC+`SkIr(Li8*9@Siz|7ZU$13!p)3F{2 z*#IEHE&PNMe5JzWKQ>Uq~}3BT?9v&q$ZdIHNhSG*iyUwlw?e_QnVI8x~$^) zlybQIm^=r9~Z5?;(#Uu7ZDMjZ;Hk+tB+&>cM(XxEhs3EIR3584&6J* zEalg`(QH~+pPC9tm1R9lM@Qb9IG9}qkn@Ppu^jJO>OZg$p3ilmL<=OrndIgjG>YoZ8rEoe}6J?5;-A{ zju?u;$~xL#ijXlkciCF(d-ATOo6kjFt_8)v*+e4&!jM}P!^6XFY2mYpi*mp$XfuD+ zr~qyW+&??dp6@+UuuKU+j`*vKl7!a>- zKpPn8dF{=_TA!79Wl&jLP!|r140r_s26_6FTEKWPDQ3+?qsmH+>)ckrve45vJnV_B z1&awJS@0fTc#fQ+pa3|&x3FKp>6Q4qYRK8m3NSCO;0$g8X3JYf{Q(_Qx)csY>}~sLCr~6Y1L)(`Ydl?|X`*3CWdGk`=TZ_STVmL`J@>t`C{@JI zNWv){NoSBKcmB*ta)X+|#1{{}g* zE@!V^RqStKWWDzDi3U5ak@~{v5K~$EJ4No_iz~|og~V=UCt4OMtpiW?m(F}HK$U)C z%I@8^e2QF7mPb(}PTNj)GZ~arii|lyl<&Xmv zRF@N+{F;kuH7`^t_n8UFtY_PL#yymKXNkK^07Uam?y<#|mAL~bI~13F?wV&y2{t1* zSQca+67tsnNn*3I0~(+{&C>Yqo%2Mxrv6(h{*0Im2)~Fuhd6{u!_>5r zBo`Ya1tRp$vGh}fuQcvI5!*jD{ep@X_<2WyD?<%bItuG=EFMjci?iNpmrwzfZ_Wi& zq!pqskOXoEr>Es`(2`ngct*8;8B^_TTHKf)M1$mHSGvex4|vMbg7vcOH9?Li92_}M z{$>Q;lxK$N2g$aOS$Gy$g1k41i$Po?41kH$CXZ4sudX(927(n&8wu;tQEJ&jB5LWC z=Kw1)xGWvFt2&S9BGOqya5x+QCrIc}L-Oy>FueS{Qwxe4pzgpW;m|Hns$TkYstf<) z5BB60wUylb{9`J}%*a*){@#&^-tP`t;JjQ66%{B5=bzl?V7}#H{J%~Jh*OgNN~zcw ze3IP_+m(u2w 
zxhmuyasFG~UQeEt*Wo&U9*!x*6rQ5ZhBY%YYwpQB7^6^${!G`|`7YoRZ)s^M;Y*+Q>Ex?z3y^jJ)pWkE?#hb3U0hL(Ov!*w0;}AeUxP6QU^TARHtu zrO1rBKLqF~kg0&n$pmXWvgRpGNMM0qA$=$WFAy~=(epgIP%3u%J&0tT3JkQw#r1s) zQ4n?4Z6njB=+RJ;5%M0_P4foE+6o<=jEogOA?~+=)5!yQ4`6q=DH=P+Pkd0&uZSJ}AAVQ12K8TRpFqFaMd% zGi*+%0+}yBBXYK~L@IIX{M#4@!RpFN(+0P@d0J!7jUk+M zJ1qh-Gvu2b&9La@JOn}-xS+b13v22UoFeh(AmouCshsBECS3n2)AW0^w^G}-tRNrA zxtwE&uvXj;JL2+9h#)?vlyxTSsixccD5p^wCinpZA%5?+<+{-EUkAJec|bnl&C92Q zz*&gac#F+Tf>KWTqe<&AdASNF6*#?Rz@^QO1tEL|aKM9~C(SCpH~#b8cj)C@#I#2!ns#2*W>K+4 zff;0WeIX4S866!>!2qWYn5OFi6W};Mz(~zWeg5t9TglJ951SNaIOxtTFBaj^yzW>E zwLTee80%J1z*H%_jw+voL=YMs^TP@1cJNv+51gd}DX%*qtDuL1qGytA-r?g(E>v?H&c@gd9eT8ok4R5n1y1He zPPiC-*AY71Lh!%N+AP9-L3#ASMyUrN(=2wPCH1`B6X%AhAY!`>j?|)(rYn^i` zdVGQOdfl#Ia7Rank2pB8a5Lf@7KHq%OPDW*%OfIzIoH_O*xjvKFp$tS$EG=NTw!p3 zZNoz}TO-6yi|W8ce(8e0#e6nVeKMTYGzZ zJCx7f-kdI3GfP58x|+3b;BBxEKf=l>vehr{N0WNK8u}U%V!#9!*^1-9`tQUy!GY4AY?C)>3Lo1aLxf2$67vIVTkd z)h;4kAWBwU79P`XY5#vHdke6r)-LW_Jr+plh@j*dq*D>;(4iZLZbe!^q(iU<5fB(! zS|rAik`ieVk&-THkP;A(E`e_i>WSxhzV~|Hxz2SRoY=GH-h1DB-D~~V?>}4;gCl90 zDjrjkFOdWj%{GiO4(%B8bXUIZNa*RvhLSBO#$;?^d3kcFipk|ceZQN6adG`~L%Ie# zOUowamuVS1k28fUlqctg*T|kfm8Rcig`!**&Zv1G5WrR2WG-AXgQg?GXETjIm0k0A z^yNNg;3bn;Jo9*aJ3@vwlKixzv+dLNko1Sn%uNFgMC_6C-`-A>A6BZf0=`zeomIQM z$%s8Fy~8^8wJ!>}B|BK+ao*(l-h_345`&KzksceYpQ|B?PDyj;^*2qRd+MhoAKNw? 
zifw9|?M)v3p5rq&oB4Q5N-y;9+AWRPCJGs6efzehj7%^Hh-kUXSUJV@LtbD=APQ}F zMA?}0;f;(`9fO7f9x?(e94k$K3q=_qbMIYFH)txIa|ngk>i;ObCe)73HB980Dtu_0QvqoQ zNTfAT^o^YgT0S_GxrZq!M$7 z&2+wO+7dgFo}saEn-zb7<0Nw!Xdt$B&e1Tedx}vwQ{0F9XR>-b?dS6H1VvbGZe0nr zmtsz1_7>Xta!m|Pd_?N%*1I^t>?x;BRPGf)(QFJ?i~bHN;LsJ;$$3i~~k zeQ%MU26dBYaxR{kRiTn{JoKpQRc&_Vc&8*Y@N_<+Ka>kc!q9l?#9{IYzUgLI3uw05 z+9DgLYaEZgPsBWpklsrnVh`6wphfUeK2^^(71mkDJtdOVKAawv$Cz5$*=eP8OW(Y> zmC&1xG1NT^GOqL=nV_?YWwcjAp$pmrznp`myk*AAh zi>!tCVh|vqK?2qq7us2SrdL*cTe%9Fg~x9o_>yorR6CL?JQO4%wB!|At2yV9Az)wq zL^?$_#lLISzs8gwe~TZPkJr@cxtWuOM)6Dv1=aPEDasFz5#igSb$X*U!+5FLk?XrG z5mVSmOOp4agBZh(mt7N>@lCoSuf$30O}J%!VhW$IPA=m+md#`~6N(vMV>085`GiIt zZ6H#}u-%G2%DPg>po9u|@paMja>>W2T#BbF#WdoFkO(pZF3SD5ywwDQk{Iq@`+N#o zM}I!3NI{hNJ=vQsT{TG?YqUk&7L6JM=-^`?xgcL?w#ITGP3nd3#;P zeK{xz(lz8YF||_Dr-Gy*g$+CDR&xDtS+-WoBhXnfyq>7#c*@kHc)Oi$FlPmvc{! zQ9^vIKrFS_8HSlVZxZy;!TIt+u?M=svD8F+W!E<8!e4AdcDHvn$GVd`_DVY!nj^f% zG#5&V9_7Zd1k!da8~V#&v6o*S6ywiR2SrQ;p{GB7l>PIhuAzQvfwKs01U(^LCH-)y zzgJIHzC?WRPs%`$K|=b)G*|i>d#EBiGGxM?4nop4f&m0TZcdY#2_J+b2s#f!_I&&* z(WVu{p*H!qyfhTU)*35pQ2gvM@zP4^@^l?APJ))YcCN*t!BYMdE(+)yp@@X&&TW1m zeSBbO2$FG)oSYLFLlg4De<%e8B8nt}fWpFWnA!s}y`d=uTG0 zBEnD$P`yXvG1|QmFIJ3W=i8sH6y29#q96u=-u|qfm6H>#$T%^T%fvJ&4r6o*il#Sh zZR2-s@~MMcdR=Xbloa&NEoyShPK%v7@9C(ecr@+9wtH)!DpgShqsQCO#va=&L4k7U`w-J@kc20 z;3QkaH8ftZt*vXICYi+$h}gQNcErx1ed-e78#T?zHi3=Mqg)39o!!LHB1vInsh1~P z$8i~kiGF*O?9H~|;AUR2^%_u+)pI!2IYOO!1&Od0Mml-K+BD$O)A{v*IGBo|rG0_n zDtZOCtMrap9u?JVMHE z3^O&uf{W2zh~BG2))&rtdU<6KDJ*{Mpw?pvueo_GqcCA#V`@uQf2ZCIG(!k{ftcT? z3F{Z`){c&X$YX2(2XQsfvTouDkDS7uj%Kk|E=gpGkHjcP2gt1XA8hXI>*Lrdr>8$> z4xxWTiBiK7?UFFJ<;xhX6e0@SB8Eh+dU~6fFsPj3to@pgNtI7Ma#`hglGl8(XwmI! 
zh<4JiAMuJPMNTN{sFe78X=l#Th7M#l26mz>ZO*0(Zl}>19YJc!t?Jd))f70ie}sh0 zDOjD}AOHs%gMx$d;ozDNN;4xXHwrMc5fQr&jDP%bde0+B+NbrLI2&^N*w&>O+mav3 z=d=7Xh+>q1#makkv>22e?KZK9h_Me#{!wgj@EuXw>9G+H;OMqYwHgQ`t+SsgwsDk( zVaHaoM@LTuXy7#;V=$Asg~eBA({ufa_E#{pI#D{kCZ77JwFQ>c(0gk{L~vi&I(Bqg z$Ct%t#XbrfsmI9u4!ZfM?1w9~RO@VIDH<&eU-%M1WGK~Oc5`ej0^@u`5ZN!J$gNUJ6*|%E8`&~tvN^3* zvHHGc)NKUwpOlYo5w+wk^^4*3G;}v=#)uiIc%To?pz)4ODCeC4)8qoSD4Og7(`h-8 zMH+p)0($7iq(WGIDjLrvX~!J^e$YuRXO@omYjTWwq$x6o$^)WkzO5*d>xH0kvU8^PAe5_6G+s7ABmyNME1M$a!!Zw;z>Q}|1p z-Z8H+v;Icw^-uE1rbx@>(y|M;lZrnDK&$O3BHrZNWEsiz;3KF5ph`#umh?V7-JAI2 zXQwZX?HOY|BY~JtV6fA*T94B>ee)Q@33;M(5D_}u>RmE#-~|o04Qf}N(??@{1*3_N zz%QNf3Smvf=x{J7)F}%2L}4o&W!Ki$TwGn}732%`>4Ib<6_2zi>7p7YoW+CwjI3vq z3}Hr2leO^j#AXJ`s9zZAd8ug;c=_yciW+o6zh35k({P92gD#gRaw%f0uC6Y*)UhNx zB^65@l{*bO6&6+gwrWRJ!W&BQE32Tpoz2MD5(w8H)J08(Eh?!Awfjy6l@b-}E6AgW zgiRFWgLJpFvNj&7+C)TzymUvzKE0L>vJpl3k}LNNPHf&~MmBEBCR2sfGKI}tJIf!G zX=|wnQ~9@*l@&A!tvkoU2o7_6!R~n zN^V7XVa~sqDop`CMkZbp6H^r{=AV|;jyGkB8LO$?eneDU@v4IcS{tq6gJsfj>AH(= z2Qkj(ZzF9`JZBW0x-fUIae{dZnVuYEJoDt+j8y9shpp$}`|gU;tGNl9U+Ebm(tA#l z$->lh&b-vyWWrm~I$}(zPFaBSQ^}_}!tkC|ZqTZ`XKrn38a6MM zF^hdttLSU$rY4w?yjix@&}ia5e*$`A&m|luj-XS9^a3i7LdWL#rqH7oeg zlwO<$dq<_1--Y>6A^XE)r{gp_MVobF1zD7~l^0%bk<%B%>LT_)f7L)II zA|`eHqiL=hFx29d`ngFhnpXh|BF!h*B29oQo3r&Lz$^vZHe#6$$H znjC>$RQ_;cleQ^WkF;sZGN;^eBBsS{oqr8|sFOWL-j#5Y4v_GkQ8U99LRt1=MMqKkMFsCV+qhrO<72?Wu zSKckSE)*0QSjVnFIXooYpH1c*>1r=+n09Y%E{<}rg^*{aHe|f^?=oFYB?N2GK9QYf8>_zuFeXC4${v`Z=6_vrMX4ib+LTon1eJlWAya+31mgd z5m`sx8SaFf7)ZZ;6pVi)iEJ=X&nkjZPkPUSl6=z`oJx_PeK<=pRCZ_3rqI>JWll}r zUmA5UcDhkDLw>2&;Eumh*0A0aT#zUi8ua;KsWfeG$`%e6x}nB z#TO1?I%$Gf;Ql3_8H$DK{MPC%NHO4WmL@10dIfncVI-%heH%xjJ=_ynAWs@t^YG_* zL`4+^Z)QKZq>Tt0VnZf{M(%FA?k+r=QIxMgNQB?xLUL*-zUV?ji5c8AjiAGD==s9j z++Y$mqGP25*^0@1D9C`WPwWsL0(?*IhT|_B9+c zlP`Um;bmkb2mqLku#FQGRs~x;Qz@!ydPN`vm;Nz>OH%Lc>Dl`p^ARp-o%YKUtN`&i z0&&`>_djTN6bU1sAk@q>k=Wx{d42p-2ve$&_STg4E-3cRNtu|A3_?m!czpib;thz) z>eVE6byKw0*U3BO99LHlD2i6G_JCp|6onlKhT31q15L$h}*a 
zhPfs27~9*oaTr=Ux|^5Z6^GTE9j>y@zZvQMz`3#5X;6flf?T zgcX@}QrnDk=HtKzh@}$|Si2uZF6cARTS{b@|9*VDfQ-na3Nq9gle^D@?j0l|`fm2H z`p$HFs`2gXmkmiGut_;g<8CX2O#wlxIweIm+`r4=B78zaq0XdL2`EkXSsnH#r6K|h zh36=Hi_tZwd!Ik`7a0hk5|GS94-5XXH>O1uCjFfn1C-}MSkUn2% zNY2K^DP|>htuA_b>t{jWarj3CqGfjVD5U122pGPg1PMv{KzVls=uyc?7S7Dh%*@I1 zp7o{DC1quy4%*nMnuoP^kLBM@^nSdPen*e$9y~McY~$jsVPx__oZ|nM%tza;qceSR zV~(l<8iX${>VBGCbzLWft}B1E7sYhWz%AmFrQGAkuyrW5c(`Q!M@0GGkUkZQo8I0x zZtRLm?ip!UgVn+qeGU#+R0Rp5uIV7^tSA5jP4J~uS7+W2xXV-Yw(LdrZN$cZ1%vdC z`@tZZ!|r-xzqFV(2Suq@34~fVZaF#GcdsTa>>kP({lJ9qhiEXTGPh>oFW8MlcFJqv6Ab@}&BAhrp0U`uFiyNiV@0>b$(3gigteWJd4j%hBN z5G`a$w52kDOt4Z7zn$WQuck;7@qLjeFW7_W$Lsja@x~7+}&>g<|_2u=;1p&??v+Kv$ zD0RI@+lm;^l29mZgdZe*b_N6Mw`Lw&bej!d@!fX|awrMu4(oe=KEYrfe`+cwVbM@i zyXnO)wcL0nP@<9{+OMvs>OsdC7VIFiz6W$kpXKSef$yV|0ksN02pjDp1 zV#Qi;?bEtq)&;=D_!n}+^HC^#Lsv~r{j{}zDyS4b`~}^xU$xIjt={}~Y3v`Uods(Pxo%`n4p$CBaKpq-s< zVrgwH*n#a?(?k$-7Z$(Caw$=F9Blf;I&m9I~uQs;1iEnHrtq~v|FI!jW{ za#h~`aMj$oTm3CV~GnJG_zJYkEVcNYo_7zXLl*07)2JR zUgg`5)HJH=ff@;@&~PX&(okkZ8XaNv*RJ><BKSO znlNo#IR8ecz*Stgugmh5OQG!G*OpUcbAYju7l^B$T2l0-g+9X=Udqe*Mk&Xzr<`q! 
zbc^hV)HxzAMd!SxR{d=4Y7=Vv7{Q0r&dBRM;f?ul?KG56sJbAl&xDx1l(bEoF^WmB zz)`ZZnn~c$uXr{tnnBqM#5XV7=s1vVc$aH~rCxr!-jhyA!`!2(gtsPN|76a`5y=#?uZImxm zxo+ z4A}?0DCs|YQ2+!#Fh8fuE`41U|H*24RkP_4B-`KLvk!yR*VhLWp!W^| z=vofNO>^}0$jC_otqGD`zEf|jMsL86`2FBN20MOwpAL30NW=S&1K+|`alUXf6;e45 zILKmK?US@W(W(Ib>U~2^7z~|c^^>#@_iY$L*aAMkp*}F806#9@!~$@nzaCdQ;LwVN zf*l4feHBQ3@by5BWo6+3_Q(DhjyOX+@l5$AIrgdp83|czlLg@w;KBp*fJ>W`@EOHl zqA<~Yq$e;z(Gso%to*OX^J&m+kx_o%7PlAtiHl`B3*w>={gdkr8ohaH?%+* z<@_nj0*8UuCSvq)NlCRp8NFWlTXY3sIk4TMJ055W{NDBfepVQos>4;ncKJ$a=>47k zQ^;1J^fyKpsA;7t$?E%DTky^xfF}uHP9ZwiIHR8g_*bCoE0z75#BHOW)ALXAZ46=W zU*}dB*G3)EfGAn+5pV+m zO9M)RDZw#Vt?(lc9H6b6aE9K>pXAuC`8Qo)n*w|D`=J6X(bqi#nM$`Wxc;ITQ%*wb zjQ2k&#@g$DQH-O;9XJ0)G2Z8W!R6K6t*w;S{!gIu&-%*mFFNpi6UK)g^u2};JM3%m z6>v-&rj`M_{7tA!5Kc~C)YX#>xUGFGng5Hg2-?p)M-N<=RFo$Wf)i8A8WIVnAR`AR zv;>SBf8!Vr+@E}`%I*HNahjH%?lKr*Ja+P>s<9PlA{KI)HWQ0(%sZqX+Oc`v%IfX@ zA}c$BIL#J9S0R^rcg8pw)EmB7skQahxF&7w>S8n-r3RjYbEFeGPi=Wxh^=IrkCB)B z_A)6ww#_SN0hsBp%`Q-b;U}p`4LDG)|?~&?a6d*5abPwWqWHW3({dFm*f|bO` zC9vJ__HMGT`~(CvO%8L$0L!8lWdd=GB=dgM=|E|i25p79){E0RX2RHMk#{VJeP5`C zU~Khrb!~6lr~*v4SWbb69m4y#B`$)O;M#DdQGp2oB&RrVG?B>R7ct@pGVZ>l!A0S$ z&&~OKA{9Xd7Y%7)GjHs>@pd7Gh8XsVKx#Tfo;j45Ej{{en8rQQ+N_p}X<)oC-MY;5qLgW&^Unii$ejoY!r{NH7Jk4180>VPe%khFoH4Fs8 zgD};Zk2MP3QCYgAqdO*mnWKD z&4bMo@S!Z1V7_@AHRcGSTDe?hp~?pGmawmPO7%!_b>-!0ScShmh~D8x|50VLvvcQu z?E(#$#ALO+Kib!INi8|3{STv(v*+oxdq5YmEtaS(a6YmTrtDHmRkT3dgvYgv?v+(? zNIsXajI2kxS2Rbr?_>3Y?98Y_WSGiQQ&JvvIV`yj%x|wR>@Xtogr!qXRZ4yy>~EYY zVg7P4r#7z1Oz50BQ(u^xltg%Box3lptEUGHUB1Tdv+z8njO3JlmY{xfYnS3b_jUo& z-y<<0q14TOubuZ^QkO&em)vJPvvc#amM((`0OXI=oAZ?^b4Z~Qi6K|dj7UQd_VfTY z1F%tLa<{x|!?XTf62jF@Ef1FY%thb(4k3?nn`tirSWC}>^p?2IVx&;l5J0Y~&l49e z4^5_B9UYK&{awNNwP?>v#z|YHssCECvw~xiQK{$Z_Agt4_ylRj+&RcHkiRamhjq=! 
zI<7-Om2uF!;Jrd)`|$bTj&sfl34<_`XA}9MV(t!U4j-JQ$!JWud75-bSm{@wJqm$# zD=K+JZr@hm$9)TWh<`*0U|Mw|g|?YhkFOUwm&6cD&f_rsN6L0|^%llq|9{u%yZo1F zp)Y@Hq}+`V8I4TuSYTCgJp$dwjy~2k5`^{MaGYwI(u=p-R=(j;O=hWO(plPWt1Gl$ zyejsgvpl!QTl9YE-O~n!%2OrmhoGng%Ty6al1QP%PsR!rI4S+YubEePRkISZ>wy%w-__H z)XFm=RBRYr(WMV5mCK@q1T5#UrA4}{lH*&|EON=>w6>Y=8=he|8K&k0ho3!*r#@@7 z!Mtg-A<@(QRY+~7Q{)2qI{0!$U@sdt$N*=vRcQP4(hXequGm0MqH3172FoIiTh{qy`BfUr4wdd=&26-KTQ5W%GvAyKmI4u_ zytC&{HLa*Au3KY|th*QQTdQM78nirAdYha)h=k5rlej{%FyVuc-+U+I%0`1ldyBWv z|e%{}b9PQMj^`W^rhO;y@ z)$6!79p`Yns#$+b(NMfDXaJl_s9#~%Sukfo`)jXTp(JuOZtaz9J0$2Yc)M$5TpC$i zWvZ2E_G2g;?&ud45UB9-PWkSgoz-?Hu@k@Ax!RMBV_|~q=;M#@iwcaY>&hKh(ZcScMlW^A%jE0*;n=#| zzF?u|YE0(xLJ$46Xkp^kwuU86J7_GF`r&^Xhx|7Xbl+wK{6ugME;&e@fbJokj4p3K zJJfxPlr9^H=5~~4S#{XH5>TuMYcEm^2Yk=atcxEkd+zv_3_Ugw0CF~DmJ=&-(A8DtiGrZ=Y+S@9m<=J8#FZqMj$j(noKqn3qxKh&&H5YuGv!{XD*ACU&M*<5q~&0{(~}v;^k#r`rn6S}lJb)VM_`zqXdF zE#Ox*UFPw>L-^Ld*EmXthaJ5=!y&&GUir8pKrBP3EKKmFQr%y93348vo15ETkKOKO ze%AMCe-(Dy$7ksJg?<00pJxx@4Zj}uoesk)(TJZ~Pu~!{KlY>EMfbb*uH6<%`<^r4 zl%^Mb!EWEHDaTo4&RK-uX7Cx>z#K$yKV8VQB$BA&$$vfFK7p_mC`13frkNswrKx>KiW=oqI@l)fZUY8I;IYv-wF-GV_V^iCS1=@n@U`Enjd}!wb@-2i z>uZ$zzIMF(4JLg*V|8fbH1{}1vkglwsvy}YN-Dz7`D={8Z;YxhQ|Z~qz;OIsAAf$omW%q2WJ|>qA5VT_f1SAVf_cIWdNZ3^eOzk?PelazZ(Mi z0BCj&4o~*i8E^95I}MEd?boNv6&xJ=)2|PB61@++cmzy;tjZSs3PCe3M%}!q~O1QV2^v+dG3p>*^K3FsiUW)_36`nZ{*l+5fqc@Ez z&!`*xm4AHf#C-BNg(9=3(Cd=)E&|!N77>=NWr!~@pl72GaWb7g%TQ*?7FW-v#i7j~ z4*lY_0(P@sznQLvLen(KQ9wo82p#e~?p_8KZcO9F6#s$rWw5sciv%luX3D_Qi3bS( zx4LYu&MtXdVktQ~T@k=>^jc6=R&{Z6%ipSFLl%l8^x9fnroH+L_InICiHbrL4dct{ zTNWpNMl&$hMX4YDES$pDo4wGjbE6+#nIuWmU@w%d4zO4nJ+=T>!paJ5|E+@&SdsGV zEK(T3F#ivfKq?OSx0BG1Hq6}_5LtZLG<=hhaR$K`sc6Hm55E%1*H#WzFBdivr(bJt_Wh^ z_tlnbal|`cJ$8jeClUUKcO(=h^4i*RCvD4xoiujpc=Bf*-RZyEsBXkX?(P~sNEJi3}3K& z>4g|E#+(c+Xow0X33=I7=u<)P#uMow8^llCDg7h)H41sJftD{}Jm5wB05MUFb+>BP zO{%~e4>)GRNukzQ}QG79)7fmh{eK?oGqlyCk-(7#G zp3}GSn>+OhKUB?fnrltarw@V3C)+p$wh+M=*F@pyk)L*^gz?gJgrYa{%fm@5njMrs 
zH<-pxC2P!n`A5=iG~Nam)n86`{IFatt1f94xHblzR?^Vu$b1a`Ft96cRkkKO z$$fOq$w4M?x!Dwcy!M8wX>um7PAMHkzNCKpI{`tCL=Njo60(r)P^>>wt$)@Xl3tno z;u8HYHP)YyA&@ng>Khd){IPOFVnJOTl#!7iUUZql^~gX&Gi#d5FCHX39tyLnp{OBF z`-1$zX_~Y2K5zdR4NnbM$koi#4aH8iOio(lV)Iq{|M8{B%HdgZ5)yLp%g9RrZp0S7 zDSBU#Nd?(a_M`;D?d7lCOIB|kTO{kg==Ul85}d8&%&yrLRt-*dhTRr&D0;#@gUlHm zIe$KAn>7;6C1hW)J(e0ZE=z2iIeOHOc+-@L7P1YU4-kA5#4c_r%c(W1cith%WabT-)1cL+K z!->2LyNUrd4}me&gW?>!)XP;0dmH{8fmnKYvUm6MCdxRaZQl48cP7(l2cC&@L>-Hz zlEbq_DKeK_A;NdTUMAHo)@ug9CMPZnAeKzoDB1sPB#LPqFVHnNIpB+C2boA)#PX>e zS0j>0$;T6wk9(CVL9>zk;Rcz9G`xqF|G|e`hF@cSz|X-mL0_yT`t4Gv8TpyPdnsgl zdtbTT7TnTy_hjg|?k!a0x>Xmabz4O!GQ-|5ArvH%ERPgqqw!ZHXVG{~P$AwyBrX2v zf78ji^6^9^?)XkI#}-xT?Qi7{_V_~TNMddex%Wy;HHV-E7pZX#ZEu!_;fkWaSF?Tt zC9&bcWX9QMRY=Xx%>bv3M2Jok?_p!YdrmOtiiHo9=ViuX5w*ABXZvfXXpLR3N(o&O z)9$4@>a`W>xRl#;lAa}XdErmO%edOnPC4mI{)Cq?y1RFx6|9IiL4>A8%!Tx=ge8IE zhqI+e;?+FM>2WSXjQ*NowYk$&()cZetMH%X^76gkZsv5#FByEJbdWgrR5ro5mRKkg z?7FC=@VXp`7Gr(8{}ZLQQ@q$lrDEA$d|*Xp z6jyB5f=$4}w+i#T$6=Ggt|_caA55#RT=((mo?X<<)W&Nn>SSkSZg?99Ptgy$BNJ3> zO)r+PL^s-H=fr{gq$tPN;4_ZJ^88_q=4oZp9O1ccn%ulRAiIlHl%eXR4ubs5!pr{V zwKtZQmM$K6Tuz9QR%nX_tXIp6t@&dNcQ zG((K_4LQgFCU74yT0 zg`n{i;svuF#}EJE6C-VttxN}yoyeW<7xG#V=r_5y$vk2ZZ`UY&fmRCrkxy#Z&6;~b z7&{c#lMT%)R7}Wle`)4F7h5I7(iA7wk4;xSl;oef#*)B8skCYi0KkoBL!L-Oi{BeWJvhJ{s+%=|Avyd*R-?cAyuEpSM#J1*>XO)aLyA+K@*DB< zrCd>pv9UW?`MUH-{?CwfAHQDzm%AHZbX;YEy zq@j`C?hhvu;494D;@tT|%3r$d_H~DwcHE~z3iUqm#c+i;6&4jm2hpyR#g-E(DD4A@|wEr;Fal6e$dBX4E&1jy9#+HjQPQ6dlmPjOw z82mA%B_#|4JV%3t9ymzEO2>0Qa(#!=s^^QhZ2-Zc2geEZd@( zI7ZJKYsf=G=KGdl4~RluxhBSWyn1Zx+h7FEJVQ)GPebq9jM#Ac-AYpSJ+c-hwg-=@ zMwZ^kqq9_5HO9ij>)pS+!wd`!q&|IdvB1+vAbL0)OW~HQTabZUZ^IOrY!37-p;@BS zHp;!{I1o!`i;IdxfU0u`yr3ekysK1!;v~(Ahzy;$WUCme>bn1Fmo0tr2X`fCmX3K4 zNeT(U$-#y^QguGC-if2f9T zHW?Jf`^WV(+2iT=t?C|;DpVGhz7MKyD6C$&>+-dw^g}dRywqbYNgm3j?zLd2XzWVw zpuL-$TF&xr`3{l7IUtdN8*hwZcRSIvz`3WTIQRQfDV1-4F2Yg#(5D`Yol@dQG> z0bX95v}B94IUTb*KEnle7T$I>rDM6S1t1N{Zk~5%gaYeaZ|}tz<>I>%k;-c;EA4(? 
zT^{?j*mrmz_eI&Hz0yT^ZEuS~S(ZLTKP~oI?9hO&21g{?|7o@$wTg42JOA3Jd=p)L zU8{v}siNm6m>F3;#f>BNr`I=Y(EbuG5=qet=FSANzl0D!T%7s|YcVb2+atS!(p(jy z->4F|(H;f5Kb%^8ZmiqKpNGW*kH0h{f=nhQ*K>{j!Q?3UhO{cWR6~hl^bB82amvm0 z?@#^^DSYE&7N!-9lscFs_$fx}Y5*70_(fQS+yVJqn>-U`AiG1vTrukO>#&Uo zRc^d=guEFAMJel;*mI3Q=J6q6kl93LYGi=4gG(_joWiXMizW6oHMb6({~mO!N2FAQ zT1CDk*vsS2=w^=h*g(Q0B`m~z5qt=Lrf{N|g3(KC)#squEFj)^FG4s~nI~VjpCK{Z z{WeZJOPFc4Q$!loZfjRt-qF_9CPq{&B&l{2-D-rzNW&f`YYFW5u!OM}lMs0%wyJSQ z^UmB_L(03Wreh8IK2aywug8`r=wF`1a&+TefNb7NZQeYUaVulj+CkDlX zv{TTpl47xo?oTT~71-0&v2y`AT^;VfF<)+nCw$LE01s7V}n(TEKMN?4$t&i0F!rAHD zS1z2jy%d*ocYZl54iq6G^eeYc2Y&q86Bd2-GsotV^|=JGjhwlgi>i;djj zgst;XU~{ebV-%B0hYz}QoNH-}P<#|>5ldQ`?*EsE+5yM(1brpR3*U8$m(JBSsM$pC zaZ5He9dq6*Xx-GsX>%biK2x67Y@b@3A@M9!JnfHR7PEY#e`#8IQ~gol<(!^y1zZ;0 zT(0|jGyYcY?W0Gzy4T!>J;#c9C3&M1>5B|Fq9YZVb9HSl8GJp&JIWX;f7@hlroqu8 z{9NdXqd!{i&i4wM+*{2s*?x@1D_dTIGlQDwRzXSD>S|&|g#%N(DwE^pp}``hXcq88 z5D_W0NC;loZRcH}-@N+An;$Hfa^s~X zi!>QCGzf1<6$yHy&c>vHAG}do;-$$^*kzM-mu4RYdt}P>cBGI3w0U;92tC)hH73WR zU@nP)OJhpBAsRJPD^mFNqwFJVa~I+0dirNz=ycoq&VxMplnx80P4Loi8s4c{?K;!Y z0-q2{2!4=^B!1^ER>6v_+(}rl;IrN;ldqG4g}0%DsJ+`Yis`Cms3|}~;X2B(Ol}n| zzp4v8DsP+NDhg2lrke#<5#V)BI5|1{h5JX;*g$E)&rhx$?|l2-UiG7}7J}U52(U-O zd863OK=2FadEq2B#Kop9XjVRT2UCjA<*Tx0~4;=o!z<%^8>&WhG#fuVAxB z-Gdp^%=bl6tl%5{dx<%&ELuou%pW0Pe#Fb7^zOy$KXAT0FfB;8S(&+*Z^9hhI3vQp zf?OFiFfh8t5h-5o{f&cgyxeO$@P%u$EV(5N@6QuWw^dNIzgEp^*d`+<@?ZhS8LELr zXB*Jv!!`e^Y~ec=YY8GKhblU?UlZ7WJ&7?((2rcFqlYR4$QyXxj!kzi?Rn^YNgHhR zLhxmp|JSRY&>`&%Q|wYjH55`IdwVdR?e9dz$!R5Ctt1nBX=pq0@CPD}3!U_}mF=An z`ez0Rts1injjNWMyP3K>(X%ZsJ38^7>g=8Q(TNMwbGN=~8VC72(Z*dGRli@$YQirM!V;4imXcXlU;7&BI!LLyt_1~Gf?8j> zHOEgiLk9KUH}XlXOt41A<;?7m;e|_*?fT#KP}=#6`LNQ?zm{cf`(p&`G{gvd)Pmx6|R!0xaxK*Gn6wY0~W|AnrSHL@G|6sF6Jl#b6rc^ueH44fHJI zV@`Din{pl%`I=ldkayDHh|%OY6C|NRdcXxxwZ3=hSv!B7SocrNbFFti)b@pv%|p>B z@j@GU*3-3lU`^cL*sFe@ z>i_-!k=Jmd{`b?ro^jAD6e-+Yy1g4U1ic(NWs4Go77#)anDFnjxHn_eQ*V9d_ltrC z`9V&GAvyi)m~_vwoAG_nC}Oeg{c*oRB6#-BotBGA&`a`gtVDAEbGTlgq>HL{`+pzv 
z&^5>i?y#-&`&nMR6VzcFq5)kggg^d%lCb$wa*Mc`#o#+OqS<%ARq@I%Iei8F>ztI1q&mj!(|6v^dv%|uLjWUoY`T`$_1Feii4dN0K5lk9mkl4N4^HK9aT}S5u_5T^Ehp1-BGa<-)`Faa9w^l4a#;GJ@qwB{rg;>8z zaHcwDRkZ@Ap(W##*Z!QRG2a<*?TRd8jF}>%~q+ zKq6X`(srN;3HqSBTZ@)WlVZ(C>-W6jik;LdJ<0o=lPb`pYDZ}Iwy~*jr3Fdqw-{cG zj^=3ALq!G1_)EWPdj(;@8Di$rHw6FG6Z4>XHNDnQC(n@(CeKvb6MxK8&46B@N#C3r<|w@3xNkiYk|lfy-hwFyZc zx_`r(gUzxbQ$igWDJ4U4IwJy()C=DwN*r@f(6^iZs?I@UY@VWVVniA?`s?(&AOA>| zd%as*i1ISE3P<7A09~tE^Gya+uKM#*x

Tz(Oep|20v_jj6Kv`|b`bW~nG-gwF-{*u;<{|@rXCJ2Vn9oCfXpV^;(q_VG?eOC7$@ofa`3`${qcuNufpx-}{F+!5 zOXwR@VF_2oYf|$g6V4=C5>EuaUh(msNuFCn z>vPRk60}2aLgx$xs1ag&cQFyAd+~_&XP#;vdwNXc3jKRK$L>$&?w#W3-!%aebVd6n zDsKCjeBEiS#H)nDOy(MEs`Ii5DAq~A)G~$+i>29fV;aZz{`En81DYAseh~B*UP~M)5{a5Y*7>N%O|w zfZ4FuW6ffgt1BjL3}>xh(w8ex_ZKpzoNEF6V8C9nB^&r>9&nG)S_fSD9zZ-JiwJsi z@b`Jb{eDWI$Hk_Vjr*xuUKhU`eu6mMH^d-Qm4)3jM+Z}UJNhXzGMK)6HN{+ zXdj0NPPjS#N2MceOXSxtmV1-|4VY2MoU%$~2Qgg(z2KS`qWuQ4;nQnPvtU1m6C5b@ zz7+H1R$)nV_Po4MswRG#+LNj_FwNBZhW#5&4u#bAO}(pGZ4P4h7P?gcO$hF6JdI{~ z>KEjTLY2&w0#C%v&Wa@X3^Bhg5~xnTE=0=%W(q3hRYH=pFVYmv%v*-KfoO6AD&UN^qki2>Gwzbyt+|PaA55`w!VtrHBk@}ce zT9h=qH67t&r#-lQwkIvswJJ9oI7)vLlF6){8q+!4Eh~BXMA+4ovviTKKg0_+ z;fsyc@IfwI1#?wC>q8zL{dGll3-cqZqr>u*>%M*0F6k5>Rte{od^rB0{VevBxVGeL zci)`(0^EpVCh_6)`dq{6t2?7iGY_b`zS@Z4jrNu5H>E(wlr_%8zfO=wh?B?TTTZv9 zUQZflvK17HzsjfOxxOac-Zot64UlWK>KGXkXePFmz8VV}SkZ4j8g}h#*h2UAR#a3t zLzAI&FQ4vI8nDD>z#`tVbYXH(7|VCoxc2lmRS0>l{lr{^RxT<&0?+TG!ei_LRT)Ac zc&q1QqZU@QaB!;^t9U{7lqZuXIAaT$SPZ8$B=c);ZvxmXCTP9 zJZISjP7$@l2zaV|VjEjTeUwSRBE!@@DU9Uv%rrA1It<4Cx|d#{BLmvYm#RuW?BINg z_S5yQDP0v2x8sSN&;LT~#ulMe^J?+o2K+4O;{&Wrca+0dTF0#~e@=8*KYzn_6b8)H z(Z0QGGpipytg+#Bg_|T^R=77gyWDBPoJT0@wV`!HgSHiW^%w*~f*(uYeSqLj)lAeS ze`6OvcY-=_p7(sZr2#@AA?FC_f`tD%Jv-74Q?=viiGT~l_k_2cUJyhN%}%ePcb-Zk z=CvwN!&Tm+(~jk)o#rHU{fPMI@h-bsTPm@zX51jgZImQcu9mzr+4xzW$)b;B-BthG z(UbA)38eq5w`}@~0Edr_Ui^vim2ziMgJ|_(Q6cNvg~YJCMFb7ginp{30yAV?_cqFO zcf%G*$FYdOKCHobldm72V1usv^0DDZP@*xlw5=|Jv4%&)OIPD~F=&KQX@c_8rw4}r zSR3jVIf+~AT&bZ*UsiU*2`;Z2rWp9tu6cEGll5Uaw_TjNU{wWvh)kYBAk1E-i{(s{ zvDjNOBfb51;5jJ#^F#Hr^;aY?>>9+1@?u+Fu(sZW`G_YmS!!*`Be!>oGzUWIkq z7NOkKc9wLdzHTlZ}qHd0_ z9baiCAP>Ja1--;S?X+>MvjGPKCqKU?ZOGWt8yULtTl1QbLoye;>a;8v{YGKE0n}Lr zvF5LDM{+hd`>8O+_jflH@$?8IBh^c>EX=jpna0YrP9!99)BjmkfoTSc##{2S6Nw5N zDf1^3)a=)0JjUU2P}uR8&|&Y>UBi8R9J3wOi*V9HqLTp61DBOo2OBptwx>&0-H_nx zFE2#}r%RmF5*87Ca+n-Q4uT<9^KwaqQ2HtNa?1U*y^T!wa{s^5(F}db=tH?bPSq#P z7-S3Z{0uL@t)Jn<5|$D}FecK(mgGwL{C?+{0;tL0Y!t_@=`}goK6hP#fo;Ddp?Y~> 
zrlglmPjAM6@X2^kS}Fo3B_sZ_32hd%+qQd@$yWSqd4LQjP|`#`f$2wHiq#w~gX#dP zN%x$a9W+VUHWItG33Vwcp*_k(E+7~RBVmPbENL^QbLrienEFl0@~FT@b>6DVVtxfD zwH#BEDmSIDAs>7D8z&=0L|c>8CqN6vL{ONUxvHaD4wu!>h35Hqk>~HpQD;5eIcetg zUB*&V<5rjuq>{DiU$c*%ILFVjyv`>6d8Mi9I4j;i9`v$e89$EvW%0K+9A=z_)uC|( z>z_toss(YXn*-#jabx!?gV$!tlHKItOF17qm+EZQybP-%V26D_s5bPXKsS5pIWKP? z9c3C~%De01{t#jXF{ql{&mkeghCr%kcXu^dTzET&RKL`Re$rQ9?&9DO^T&IJ?5J5y zqNRO2r8}Ju13IP#tHMdMz^Nj0UrDy;`C6DF_g#Xn|I~{4$CY=|G%wo~3LupC=M6{$ zZhriKyI-KEuU*fZoUg3U&_AXUw)xc zTJth4WnhdWxzly2i9g3tm@_i8&SlQ!C=;V&;=Ff~rywEW+?i`@lhi!n0GTwP8*w>) z?QDS$Cilhp6WP$-U*R%WuV23g&5Gh^&eGwHZC&_H@qNGZNdIJSzINQhnQf;U*PPS% z2J2?*Fw1f*s?GZA(znHrzd?H&i4|X`78Wv4_WE)K26?*EZauhI7I#NSOY7OUP*?tB z)fU+lQ3Jrx$i5ns7Cc9PyFXypKG|ljvjB4YmV0Uw@2T+2#%QP0bKd2qqU`k1PuYdg zqmy3Jsa4*@gLSH7QV3_0*m4tsWO28*&fT)i-EPXdN{N{EF1P9gS=;?}H$BozC44B0 zh9L7OSkq%WCvJtAzXQ&Yvih5V}sWmhtcW9fH~PJ&Bw`SYV%Lh zAGzAU(_nsO=DwG||97kBg!nJ9>Cn7NN;a#2)&V2!yvus~;ENLVr+0?Ny^k1B}|Db6cZxN0z*NsV8R# z!14-w0FEA|OP;*&3r%!t{rzKO{t&0^FRb*(Xx>Z66=k5JT^R-Z{ryulCu6J{i?7hk zUiM*I?#zQ6LH_c#t}yhM2YGJ~{&B{Kp1aHVyC-@ZWl0)7qXXJugLSa@5RC;b*q@1m zgTvIf*`5`@6Eq*4!Q<u0Q9agZ~!a-hls}{{G=*8csH) zzu{Pac)hmntMcE4Y=3{l*YMn*f;dc0KAc!RtZpx`s<~!~ed8{k7?IvPr4vHqE*>8- zbxW9K(W&Fag9&}nL?`6&OP}Se(=2C3`*LydL3s3y%6c9weX(|51Q<=R!$IF6<}FzvR@^AsXKpujsD+^frOTZuyM;CUR@anzdbT+c zmJWJ{urYGU20nq&`%O@e8G%MnF~8Xr6v8Il%kBAP#2s_Nn%6hyxi&C&aKLiu1#c1% zqO?dBI4L9MN^BE4suVy{&8*}(_r}*Tx>95F68a=~;a?fT(r#Qt&b~rXVg5mTH~DA# z?VN>(+9KBW_MW;NGp80eQ#6Ugt`>a9!T6@#Gp+t6UKViA-`)M5r>;4qJKnvY;@xQ3 zX)R8kT(UR#2Fkgw5AB~)%0U9}p#e-A&J1X9CYh9E0-mzMp&bf`_CLKStZD>W%exEL zi<8+uX*_yo0X4rzjGE(2NlKEscGH9yt=21wA@za( zW*%YRXLL5wqaC5}MW4506etF5wfF9ojaucR{^JRSxI)!)TH5&d`KBG8*o7Qm?hfo} z>l7ZBd#V!ua`TkhtxV=8`T3gk0@KKI=gzcdJs-GD^U_d;{p?xx*C;Qza&jB=#^qXe z<_Et$sUyI=?X}sufmas_c}Aa z4}X4pIlWx`eQej0;)3WxN{*hu6Yoq1O~ski$90GZ|imca54}`aZ5Tp4qJ>Z z9f^&F`u-)6*LEDu$gY}yX}0q0erl_2(d|*8=~elTD3`ub>6L2@GEsBIesVH?W|{+^ zAt^Q2sI@D(m%dh#R}pBG{tRyo<8VHwYv1U$=JtB4Ow<)Et3j$qAwoWz>c?EjkE~Q9 
zpx9=-Wjj{iUYT%s>c>8qpWdA}5q_InGy7r3Qx`fiOzzu#r$4+awu@j?f+@4}N$#sziww%6c$~UZ6SE{|M93c|Yf>uQTGDOIN^xWvxpBr}6d+(<7PKG~u z97HF-;M8{&D1qxM5gk`$oxzt|r8Sf|rOo-vGJoG39Bga%ng8O~>yt9XmA1DcY&lKV zU36vjjs(X^nrl}g2}syTB<%2C_36vc7TNf?iql+1BVn!$UGKq7w7hP@KVBuA3puoy z{8B_)ndZHt3kJ1rDa7&PPSob##pwzT7;&>DCaBv+W^|m>)&tL`qpzna7-%QLipo<4 zKPN|sw6#?)FP|nHa+UO39#2zvJa98zT`JyK?Zk0*VxpT(|Jah}`l`Lvt0vznA)ETy zduKLU52-A*_Vj%G^x`0l&`eSnui<7tW>@5AmtH85g?Lf5Ih|J z2%n@b!+D;Qy|ZD<*T6t#cUP8$xvhDUii?k^bNGDqC>o`sbBfz4jBsC}U)Om4i)T3~ zJxirdt*km3e7hPlw&i3Ve4FEQ!cl%}(ZtBm_uQEc^i%78!l$Fg0$Nq2G zcx6bKV#8`>g-~*PoDgo1^6WM@*0W*QEf-bPmtVa%kTXD2nj#g{>|t?}3hl*{rdNE6g;vYu zWT|8cvp#T!t5Z6=bPNC#|A(oDl6k+g`1?$Ad8=IS>Q$XEy3p3-Abd9h^eiwItk~Wf zTk^e__HC4?1m@Ztomlgb6-Ji_ChcjmVt_fwttT4KmPam?tS#{Mi75|T_$(p20RCz|E9l9QxXI3a;2qdbC`jFc;f-D66BDD z5F@=&77DDpnJ_lOAk9sW0X(YT7$P*#M)T^}9p#_9`h}+~Yat2%c+_;`RvxOZlwq^|bYe(Z$Y#N|<>bD`l`9&M zL)Y>G$DIi%dCrO=)X{{!3NinAb5`b9)!SrOdK!(azY-0F#y^L`sw;Q61<=yqO_r|) z;83&lenUKmiSFB5C_rk8cYqidmbPo>F4DL|Yj2EK&1GHw><^)UHx$%DD9=(h`HEH~SIsxwosgU9-XI-rz$yW}ch z;Kz`#6WMAUGe9>FyeF0HK)la)GLrGcxh^_#)nM!tX1}L*U$t+MtKU?t35%Juzv72z z%VoKk-C7?hQc@`(fwdNMb#E4X;ruuPdplW;%kL9diLkPgcR~s8lPG3IbssI}UGVq$}Jgs+JjLjjzAC{c*O>Vd-(K=;kWzwKc#!p2F1NIzAx1@Y+JtDSxm zV`v9{bOCfwbEox-D2`k;GBcW=_p+xAQmwZXP4v2v0-~7B$*o^opFiOdGhv16zt{|%Kgo*M zZMGHH%r1mw!JD3~t(BBO50bV1Gr}ziR$*UY&H5#2=}tx!x^dGx<<2GA!tBG%&u+i3 zQ&1SV*^6@O(_z?uH{o9xu*&6x^pruUj=W)A4kV!Fq8R*cUg0n~p#rgq1z6n&%R)zp z-T_!h%+H|0N_y=RM^yA*i0{*~xZ8MPavDFa;f;mRbrz6rtgZ+ube)!ls34Uph_%W5 zLVx73ceailBxidbjVgBrI*O!3uNZB6PisRCWk{?9d}Y+dORi6LO^X1NO3z^vuhM;L zewotVZ!IJ(@8!cWlf9FR^(wH0uGNViInaT^8pf9D>u>AP_xEEbnM8f!VDv^eUGs)#x9kJ81l~%cyQiMx*bxfNU*Gi2Urt)sR}3a! 
zw=OsSY$}@AL6Ig#v5KFge-`!B{;?y(Eo)*wC}%fmeksH|2i4Kni;Aq@xTG_$?qo6& zmtIYbqU!8rVJW}TmlqfFaAX6IRC<9yoD{(F%#K-%!I}y9(2xf(|Eiqx!&L(}xdg1G z;ytGZCGeW_UA9h65*r-=P83h_EJPn1Pp?(McpZ-lNV#d$q_gf0m*`F7IQh zPwvo{14Q@jTWvvBX(>-uanQDc!GU00x}~86*q|nA%^_*WPj^kud=p<&PiUe14(?fZ zIV9(izqvZnNHrx8gt={m^f-P9Bd=kyHq`TQ5ieJEW!%@&`?LyM_WMA`q*#@yVj)Bx zpL%r&Hg|7KLyJP*FM7>etl|k2+KFQ3YyMRp9v(R32*u0+R*pBgipt7!C&CCzA{6(7 z{$W5sz%dG#aEBk(c6Gtah3$j}Ff@ycXw;sM+v(-55Ce77Dm{`;6oZk#ZLm)h6BDB6 z6fovYuJS9=C%y2lr-PH?W|IO%gi zFT>fYjSvA|TO4v$ufo}G-hlJ~8t#e@t@K^8tX-(NKc)z}71cup&`&_D+S%Q3oeI+g z4GxYE+~!c$1Z@I^;vKmOku;yb=rxyr4l8Bw`%)von}tT5hm%T*ct=Bm49@g{a}UuG z$ajqW#w%3Ia9UJ(H{YD7FJdhdynrh(Q|`al+fYgp0X>Gtmdc2KKZO7wmscuxIs(}GKfLVoo;)$ zKaqbqKiv_T(#PAGXGT)yxtQ~-fc3?biSrJ9E*Fri{#6676ubCJE4}Al4jB;bY0I^t zgCJ#{(-*kaQE(cri8RbZ4XgTW+juP2R0%zu$zGnW$sc#M_xQ$(l<}B&noFC_%a?A9p>9d2P|ldZad8A<}%8Qs$Hj=JTuibUIWP1=3*VwbEl?zJeCV{dM%WW zp!p)FaDtFQeldY?K4iJc85*!M5oImzKq#3VCi*x#w~j5b&?Cdck4bWc-)g2TH!r)( zoE!x>E2SlIeQt1lz^Nd==8E^_Gfx#WPn|L_HZh?TOniK&0Fq(QY8!ND^z-v`_0~^o z_!1NI@ZrN-GIFxA!=0T=<2qUz8X5^?cm8vGYo#^ARn&lzR2e__j*LOBQyEIUsj7LG zjzR;=o^V#j+idEzaQA^_ZOPxDIimlgl1Nj>_P>i^*WrJQVd2W7=9GfH66mL!=8)~y zF*_WWjBiULS4iA%eD7o4R`um4kQ2?e)InL>bJIP!&3k8K30CO4yG1ZT4qcU!DzWR} z6hQOn(w~iPq*RVhMmD@Y%5*L+z)xn^e6x9G#_cI0Bw2A&3pDnL&z`M)NP8k1bScxR z5JZ~3NbjJykA*R{P_WhjwNstn7?0I5tMbkRy>S%Yjc(%n8W&o94{JYWH)WoZ_ty66_ThU?0w#;lS-wb58Utq-rS980P* z6B&;btA5c!5i_f_cXEjbb&us~a!%9uOCHT$6gM|FUKK={pyxe17niw-Nlq~DQ|rsj z3Dhr`mPAw0J`T6a^1bS*<;i%PadOU8-dN#<_=7Il)N+>+=vjS+^0yc627di?B}oS_ zBPrS6J0d#j>Fuo#*B7&XEGl~wa*5Qb?Q31fK|Ay1dk#?WPRrwnHzROc)NN6eSH49r zc}+ZPQWjSUDhb#BL z;yi!8&AKc6gE0`4ARp0&(eWgEhwbK=?>Z`ltyNFq!{^qw!B{ktXLDK@3BvzE=v9WC zKFwy$Dws^hGYZYUOnHIQ*tTkn784cif$r4p*M}^bFw*-?uL^WL9ON>{QOYnTef;?C z4G0ZCuSlkP6H`ksD#p^&?UV<0+T2_JygEMq`P-XnSe6h4-!caZvrX2xjxhjXOm40A z7>xQN4nnlW?DD3X?4cExHrx7MZ1GSwO0%0Jo%L+87@V?f054AqLHpy>J)rpUn=mrs zY+>(mEREi~3iTNkUyJedCa%U^q?I55CNlV_@nn2EK8?y(GI}%WJ^4GnB6*+{O 
zH&-SP@7*K-*A^U3OO{&P@0oOz^3*Ub2Kl6{Dq&Mh>6d$k(_6_k{cliR-s{yM+2-;)^J}_~vuR&- zjMt%>zLD;kYh~ewX4&yEFPbKz_98Z?S6BBQ9_qK~`Bz-JG$cN^vGv0TiR!g1D2i+4 z<6wDsft)?$d{zcma)s;u$mG|02D1V!*rdB2gWt|ZY@Ue7X;HJdoM)VpU7h`sSMJ{~ z!Q1dVDPzB8D1;p(;X1UmwC>wvvfkPJ{Cs7IO*aukpeB#*5b{m9ya**F`X+*+wndUf z{o~%{Kn=3I`AArt(iKm!nVOuGTQBEqvcSM=wofTVE51G{kljNy8Qo&+FU!;ND)5-> zAg-MW;H6}2Rke(bDG>_gzTA98%x-b8mbgx{3yRXBv7GGHyHnji)+~)T0&+SnmJwdk z@o52?h_&r=Pqe){9y%8q?vziahkQYvmLgWjaB5vF^#1a--h7{G9s(pL!ss zsm+$h)4j+_>zs5Jt9x$VoHyhW4o-rr#1B<1Q^fih1P+0oC|@^XwVp*8n73a-%J}S6 z2I?d=Os-F^l!NE$SG=sOEF%3Vji;k7DO9X5Zy*%|#$hZhyvw?O>lQkBF#z*PsPAzT33mF8@fv0G8QqCYCasIatb86<#Vfr|wFKbjX z16UfJkh!8qCMPEv8XIzuffZ)Tb2s%NPRaskTmny;Tjf$#$7HPZgu785IK@j&%8~UK zk(HiK-N9a7dTcrP+<2I#rl#YmLl5N0u!{Ni%oH>#im4k{k&SY4B9G14#M_G}hlPb= zEV?iSL32*#ft!>W30IPSN$w091rlWAQZwaanLS#tMCA{s+1M0AmCz`-jM1rlu4ys! zYwC5hDd-;<+-4$#&Xuuo5wOEKk?O+0Si)a2GcRk-+HIc3nF-ZZ|QlO(Z5aI(PrznH!9m-5!L5uzxm=LR1G1J6Ck_c#; z1MWOEwm$8N>;1cT?eD!Y1K$*#%S96GW$>H*wB!~zwm@b`0_M~xGEDUj6IVh%8fC!C zJDt1+dSkiJR^W*$T(gJ-L{sbQgKb=9e$dMmyl zkTO7>`EqZA6vN%6RgSsVHn!w!s?eM8s1Q?MuK-HK3<47KvppxQS-TVk0B_0vYdD`P zt9VQkno=!3s6+Tpx*UImr?IP5QNO-{0VpDv3e_0` z5iCY1zIkD1ej#|ZQz=_3y~H>Vhii_aRD(jddm}94!l~wBoN>a6xJS9EX10z~IB0EJ znwZi0DyTcqY+lrE{M}zR+1&F?kI*PO+d=9ZV9grnJDaAO17&8Q&n@?LCpR~9G4#-$ zKBT2)*QCa4x(5p)onD3{m28Tc4=dc5Pob!vr!?_Nex4qKk()&o%AG?1jrOWSJ%Sy+ z?3&z%f8IZK!Gfod40`c6tpN?%_ehitXIWZr47tN)m}&@E(pa8k^4 zV`D6u0J9Z`lWtvv_{3cm&!~qZgjB`AIB+&5O|#=m?p5h2Cz}ctHR;h~=y zM}JvQicce!As`@NK?KdS)E7M0XKQOa60*O$h0~%JxI5%8M1*hWzW1#{arB|6NFh+w zzb6+C8vui2AbWJkNZCcmM6`5p4%pZDu!$oCv7;Le60SpKOCUJHnUS2=ydlV;JH4pq zzZzZ4KMe=huEw8s=4@_ow=v{WwtKlVwa+d#ho<&7Eo(+BD;|y&opfxGm*h^aaxXCh z7Ww66Wxj5Znk_d^7Zh_qU+W;-k&?bHHbg&8nr4_91^ruC$P=6lF!gmh= zfODrATQt$5MR-?LGPHuwyCc;Ww69y}=`=Qw9@LR0>)v23?&ay}>Ek7t(q3fOKJHNt zqKdoFWY>|(BvX??qR#?paq&Po(`8wx4LWMb22JbArF+~+@$e`D@BvW%_6~?HfRWeU z-X1NtMKaxf^%(H5H%mZkdAW2qU*9*S**@OhqMXrlgQcSs_alc7ZDzTa4t}|pBJGo( zi_7HZ#u@Y 
z_u5$5qY4G+XJ8&jqZlILr1u+N>asOc<6x>TY;32EjZGRG8v(EYmZRlmcclO#3%D9U zX`GhEnH1pVMV>*NXJ_~RG*{%|QD|uTd~mdnuRm_zEcY~CH@BqJRCJw6Z81ptH6JJ6 z9w1U6?6WRa{7_CjL^LrT2j~~$>0vTrEX*20@#^|4He*Vu-#~dkHD4qoSVE8$cT||* z;|WUSmW7}CZJZg;Mk|KW9VI+u5fAE2*)egsSFp{3uN&X9ilusg!l0;HlBgB@gSevt zEhXLATG={SD{wmtjqU8*@-H#(a(2XUD`jP8v$3%;Z0^KlDru$3#B@+{#HtX+32{yA zfQqM)c4}c7mq(yx4m>nzvc~Hx$C{Q^;z7xQ$LnQ!a%6)g{$4!twP(?Y^=6h`N16x= zy;Wu=UalbQ&X#a=-r8k}r3-*uhu&G9D=w4+E(|ZlLZlAxMx*ICq4+2+uh(HcH%ss{ zE)MDmqO2IH5Yc22mPo}?yj9HN;ztzp4cjtaa+CYu#Mrv1N?8fPE~bbJmoS>}t42jC zZD?9}_SI~ymWriMg;pXWd2o{NMF{5k-71uyz<3NdpH>Qq;tmpRyxg_qR%%B?OrCAc zs92GTJg8EQ8%)G~+^ihIP%a6e0}D1c%k7Jel_4h0sR)EIq$4Hfm<^|&uKPoo!YGDv zd_@=8$~nL&kG1RWThuaFr16C)mxGGw-yzGj0X|8mu{;$>yzxVuQ(6fsUBArH2VKng z_>J`T;5;HEHx+)|pyBZ?1)UZ%7gHhhFSxzKMgeYaIc>amqgV3_U*!9>&fyay*nrLN+>GycN-=S~=XvmeXT>qAi-A7VuCHUs@Gxq!@e z&)NDGhc1KUUCq5HFs_0argnmKW)8WSn#ij?L!m_n5TqHks!~ z#$APzHj$g}-a!O_gBR=?^VH0O{Jqb$U0*GIe0-`<+2D4uHMMpr_WKravSjcxcWsST zCiW2rI)`%@S7REJG@D);9V932iBNzDz6;^3%?BYs>L}77DZFZF36AW1ROIg-Hc>SQB>xKpo&09Dx7`XcZ}%kz~P> zMBguuJhj-O@b{j>8Z7S{*~tNFE)`~bwZE{i@Dw?3)>%o(j)ysByLq6X&o%M-U12so zwP_>>L6ZP*!hBNz@RDMqW->B<1$pP!_b{GwF(&{{qpgp2r=7}RfrBI`XJ;{n+dW`v zdY55p#mn<-0B;M$U9fz@-KCsTja8QtadOB!pz-jS^x~h!VP5`?#Y2`j+|$lpSXOK; zZgPCinK}4-$Sz(-X-O|O8u~_h0Pz0N+|VFc3w#SyQk`2K>NUDo)iE|Rw7HTm+mO~|S@>;T z6!hI9H*7tjeK?;cn*Gk_#gSJ)4B2YarBGKo+WpJ-fc(|5;eC;J-j5?*$3>-&n^8~E z%)0uJwK}jPdi2LEd~!B%k##+jQp*_foI=oR|?~$w`~Gb2RTOIQ(FEt{RyeGWVn?7EhY z#mp7uFVvXr`_DWr$qpD3b=x$?rpB1a{H97-J1>!T^g$}-a zM#OitfZ5B*L_XfjUY7QO7#hVOz&8d;yp0M~?i{h;Snfl({sMwl-#4~zduypYBiGTO zJgtBIF@Y|hZ|PY9sDoffT5r%F`@EzrayRc`X-?VF%r5=r&A%~01KnRvUL};s>8;;) z^T*9?By`(G)LT9d>IL2szXh_tR(bMI5#5?gp$9X|8-r`8vC&pAfob z=S@gC26oevdU{pCh@4A+;&*CTuRbc9dVD0PLXXroREoNKwVS#ECvix)_H+Q+t8{0T z-jHwbO1A>5yT2nY*o@u}fbCmRpl*@7rojm^G)@~)weOFh_>Sn<0vEVaaxVx*XF&es(oX&|u zoifPp=}=<^g&E44J21ef^Z9xEX})!Wn?trx^4`VKWlLjm6>s0Z#p5dzlv~?JD!r-G zQ8Rs@fpn$W0@bPSV$9-Du4$l$t1A>VQvpNiVqrxEa8#sxRlXr?2U5aM?-(tz4aL6r 
zgKN~QRz{uz#Uvo@qEIm70|Qma<6#Ob%#Dta$@gF00+yLx2B;f0Uji=b4i0yCJF{pX zXd$YeaMYCr51gsf(DHd+rt;PL{0nv79Asq{Yu6;GOdc+~EFYpnFDWe~8+Qb)Ptty4 z3|cdZg8t}$0sh?on1ufQvCRg)@-{l=QX7@=ua<)GxYNrOz@e{yas||8xs6NSVNgXL zMeurKh?TpZ7o*=wmgz-~0e4VULu(wRNzbP;_jU{gR4+|wQrwOF`OgAIG8}+w)S13< z=9(H~(#;DO4psWCgqmKGH8nAbtj8g9=ff)fbgG-#;jY>togy@|e_1~`3_8B@cd0m} zsZm;bdWWs}4AL~8t;<{lJu1fW8BR(rB6EUNZYgdB{}#CS#wdfcc?3OA6F5De_qAb# zQIk68d;w{SKqRH7x7ZeOFr59%2IVPOBUb>Hp$i;Sdg-SU^PJ1I^46wImv zRpM%Q9P{m{sjCKu%BWh0s1qM@bH zV0pzwie{sSY*Kn9XiLjS5x5X1#@X?dbLNFhnajZ9t^6Ym`q91HeFTtM0TD!?sMx4RZ!BCHg!f1puj%om?ra;{N^Meyx>i`-U2t4KejeP{ z@Idz>q;tK}1WPqJJUzXucQBw@=R&~`^o>q>N&**N5K}>ufz3mSp)e>~dD+~ak888- zNRtHeq;WI0NV2uKQELJ~mQS1e7G_pe$#KvGZq2Kvx5rv*R*zsaGshyuYKD4kb@a%? zeUm^Vr=&O@D3@qrWCT@%bWg>T;{i>EpQR&34k7QX*KD*u(BHYa!ypE#L%qDT56)Xy zt*@p-g{%XV8YgQO>p@x#SMe&(2@MVF!N2S{ZO!NaO}aX@3fjw;o5paY$ax7GNjn2$ z5!Nopc%uCJ&I)39n9xLHarDzC+1+dnhW?Q~0BmLC+CnO}YQ5wpfdx;f-gTuD5fNdb}Ot!?bbq#b~jO?&W3(7Ao zE&YC_px#>hDg(ZDoVNo^2JPgwjg073A?Hung@hc`9fZ%T)pvD$g=66DlofoauG*!X zdiUiIjY|V}bJ!wp)Ax4`I2QG%`K_HL4x6Pj(#Qq*V6-M3ieSy`%b1Qz9wb28yoq&V zQ}Wj?TZkuHcLE{|e{wG}aAXD{!Ws#*7krw5=c4qPOhCOap^OF2zPZ}nLHb$*j_t?K z=R+?9;{$*)>h1Sv8E_APenF2sHHH1sdH;ZIcCLNGeZE@GCAXt%XjVup5ao zp?z1)<(|amSTZy)e!s>mOOdc@VpjI*)0)GW2`CtEosF!A3&yMS>g-kq#@p$I!uEQo z2GM%ylhaNlVcu9H(Sp(SlhXf4U(^qI=kVlT0_+3&;-v&0OIt@rduR27T4*+!2maZf zC#7v7HOLiYoou#l)mxZE01UWOMvd+Elb~gTK@9zN!F$Enx%pdwyfl~g`bFD>BA^`O zByhUp@N#`u;Y5RM-*L?pnZk9Dd4J?fZu&6R`6c6|OK!A}SAF;Br~;%jH_)uW7<(f{ z6tKE)S^aw%M$qr!_d$@K>b1t@^q81edVdBcw;h8Wn}0hahBk#))r}dEOhr#KB9#=Q zSi642;AVVbKdF!uacyM?@*Mlw?(VRE2*G`73SsSL#H}r-0!Lbb@oAqtiT#*^Go&{v zDbwiKY3}h;=NQF%LD~p6^%;z6c1B>$-*m#qvEA7+N9h3Af^>u^C}d`WeD^`er02k# zH!V=p4fFh$QMp|70nPFEs2tRogFF1kqKn@R&l@NgwXCiVX3g6HmI~lmwHs_3il9x+ zhULpW=>4`V5mFy`ux4UDrj>-K#wzP->te$LPf? 
zxqNrp)mC*0JnKV-%H^j1WtsGTYqMv+SLXl`{@?3HDm%@un5U+V$X~Vq)VihK<$lvb z)WXbyx!Q-!!WVW6!!@d|&bF3cIm`oeK(fDix_73gfN|d20HQ(OugOH6=w9MVnk@}k z&?zlM&DeSSLOT9;Ihu|U+=S--+aBX#1GTSI)zYyG609C!AmIcg%|&||GbP7(521-g za|hbTg8BmEr7UWR|M2FDna4Nz?{Ahi?aoAaN$kA!_}eE}RzB+yoTQ!jxDJw20xVd; z;mR7{a1zjy_+H~I07r{_Ah}VC^n8(GZeSecGO?fzG$OMneiw>d0Q^spp1&P^#xrih z1EsMgDL8`{*hGdsx-Z7~&Dif>1UnD(DA5gLUTC)IzkP#tV~la_eC_YTmiM{4`?l5F zyIf5w95PSRE2(KI#qSi#u3h2gb9tcE3OM6~)b;l7lyYg8G$yUI!~?$iq?m?Fi;TVV zpEJK*`(%h@Z&~?2@X5R9ULK9=tZR6Y4G8GY#Ng_0Uos039V?pKKBOOf_3Itp)Wxsy zNiIo8qg)J_N@o^=vUdY))4)dx=eEi}0mk~=OS{s6{K+s*DB!~%aNNOXsyM^HGs?g3 z_y@WC&wqXCk*4^k@*JAg%fR~pVBL{wYP?1DU+&pko!8Y%O-p0vJP*XjPwKuni-Phz z5S$AC?~=i95DHH`|C)rwW)xm=8PbNPiYHkID*=Z>+m&{?Qa}@BD3UPW?P@vTUElDt zT*!d9y!vmYDFWj?Js(J)?jGzgJ|W-+B43&3xu)Hg%%RqEBj} zyv|r8y(xrk1(}t0_dAt30iyawVD)Qb@ABg;@b7$Z(C-H@2B4_|2D+s!=OY#2Q%{Mb zh7h{~M9?n5;DGqt8sylm&kqxi_|Gi|5V^H?S z)vI3i79{6FfDZl>z~B=NuA4zNZ_VBW$H8?2aC+6ktAnHC|0QUo@IC?vnUCz41!xs? zf99oo>-6LwS>c9x`Yx4(KjDS{-*CYPQbD5E*`JYGM~6Tl1|(@Ta&vNYq{A31q=1kW zQc zE@HqxjsR7r>%AzNIJk-i20lP@op9aSl!M0J5@(!+@`-`v1Hj_Kb$)~AO=##%Mw9-Z z5sG*0upe6A$8F*Ld&@$@o(7EqIQEyFV4%Qh07{wYx+_``2^4ILb}u3cc368>v~TCD zCE(D4?J7c#(+Sz;KmHovD`7K#7q2#sr@5PXZt zmQz#n`sA+1JI8z?Ba9Q|gEO?%Dfp@r25M@N;OY4(D?QiKu(hF|Aj_%cqZNH1+3X|2 z^;=Jb>2S`Sj`eUa(gk zhw`v)O2n;;zq8D=Fs7Ox#zfe3vbZ; zA!~4Cd$FTKVxVEMCP8K`y&(Lcb%#05-5pnt3OAK6Nbb6IrWu@;wKw4EMuwIUt` zU6xKT9#8VBEHe3%xP&cQF^?BhTAG~ad{A3AQD7fs5^!MLs!K5-_S>NnNnFivlK5 zys_m~RS1q5ZETg%tBlhV5g-N^jF*y<2B0i}TM1-+r~n54TEDoU%}-EI5GS)~t7d0V z+G)NQ4yv4_)3bEuV#&rPGt<-f{-;&!fQS9Oi4b8auB&`90XDsz=Z7^!H8<__=d!?E z7G^)@e{6JymKG0;pVT+EFve;t`zeApx}2|o3C5Mg7IrBfEs}h6e!C`pcvieBuTVtS zh^w$E7@t#JRD2OUW9#9=x%21yok8~L?S0lvp`^G(-<$)YbBCl#tznsC0t!Td` z4fIK>m!t;<2ai`D91_4RfLX=2%cjcx&AlGy9tk4^RlW91p(gxnToytm^a4iweayc? 
zS|Wgs*jmWsM;&WQ7ssY-bs!;*(actL?6)t2y?Zr0)nlZL(YNUT0Hg_^76zUYQt8|N zfo7IveF$r8d0tTwp&}ous7F?pvRQpa`FqJoDpeGV>%4A#esT76troH zWvOx<%vWJBS#P3|62xW5MCK=b#e)^J*Mb5pqb3DXk z5f+lgR>F`DVzdY6_mYf1i3Vn|Ez)>z{C(q1u(8X#?;B4ZY%Jxkj z{ah4&&elKvV+YaRKfLhckAJHzj^rl%$>#r7wj>Nf+JD{tL0J9o@#8$aV^h~wKq&pkFxcBz;`{3hsK4nVr@zz-UG*e9OoeuM?^Z1ohje_G zN0uPuPfO2DruwmGh8+aIt=*rz+lmkcN|pz^{vqr9{w;t0YvDvnSjV5=OPfCmArDMc zq~749WM!|*NaX|ZUszqgY5Q& zOZ@*U{{8|4(Dr&z+!C>wl7An+Om1 zI+d#{im(m`?JoJsoYY!f7|sM|o%4Sem>!PSFEm^YNNjA31~x_SAKvuQO6(>9UCb7s zT$=LAUX#g<`Y|!QWCl~lKa9s8e=z+I51ap4Glc(t@c(|c{eOJIvg-@Z(#OD6K3EB< zMH=w&W%1=Z%N)^9qQX~G<^^oG}%XkW#FVKA%jPUK$R0JV2w8>9qDhc5@KIZE6E94Z}(VWhj%z|a7Bms zsnDOL-%!ImU+bZ<_lJ{o#Q~9U=4$u4w-s^AW7KbzW%*Q)j83AMmWJtxtsvmCRN)Be z>(x(Ws|#M>>r3BGn->{>+~%>MGAToa(E-E$JZG9xU4|r8&{lSs7~118kpC=bdK=hn z#2Sch28~!2zLEXCL*3%W)&CH`AgxD)K0060TUdA{xh)GZkUQRgP(Lv=<2=WH#Rxb= z{3n(h|HTZS0dklVVUMAal*J9-gQ(h}2&jcc#KeR}7>_fyg!C1wQJa1UaqMpaQ;&br z;d~eSUO=Y&7sea-Tu5Dpe$M9N#$9>=q$$W`b7$qR*)Tw?l2l1`{b@mg zDnH<=zR5wF8V&_4q6nDVMBV=kk$vTKHnw9T0vTu?vTuBmGpb%DVBNvs8?O^dwQ%vn zDJ9@ETO9dPkAN~89s2snZedUVaZSJ2f2xc>KttkNY%8RtpK-~z-!%qc!f_@h`IYh5 z7BzHaT)j&;2D^XFJC znL-%k5Eu;vBlQlsmE&TCtZfP;RF|S?N>jdnVVZdVKnvVkG1>3dFKN&AYoR&=!O7-VcvIa3Du!P z3NR7@iUJn=O~?YdOBHg6f73K=eX}|dJO$E6!BxZ?(ff(z*!awQ(^)8sCQr@I_5kaQ z_im0fy7GzF)gTM?`p}n@jV0`3nkW6YAQJD`nSbo2Hvb(%_n%}a2dPB@JeQw!PMGHN z2^MCW|JB`lM>UnM{ogo_GJ?V!rKpHZR6x3e3eufesDcIv5SoP|9V1Pujs`|ih_r|Z zh%_ky35F1=jTS_t8>$Ea=@8C-r4&u*L8hA z-xByT&&x@28BB1@XI!|G^?hUlx%k_0c%THuR3gXx>A|We*q_tij>aDeD&27Y=0zf& z0JSB(C-}w+g|Sgk8BR!AA>1!q7VVfzEmk1V8J z1G)>Z|3@r|Cpub63ze6D@IH#A8YYny*O1RVXP}mZPT=pbh~IELHuguT9q@QmkJh** zMU)5h!c$@8vNSxC<%6-3H;Z29y)GqBC%k~^J><1Z#kQEG{j9i21m@8rqE?!9ToE!imQ6ARTd};uG_;$@7e{Q*}>nbcu zGn?|g)JCRA&@-g*~(DfgPNW~657{Y$UegFOqC@8#yl>?m- z3?X^+K&;U3U(>VLqmXQf@0LS^?zT{L$So9>^H@5S`shq9jrEARfblI{tj+TQJxy1E z-P%k0)tZ%=YUxq3p&Ma+HXr*-N zI*k?{Hv4fE*M`DD1uLcI%Nz!|x60=0x~E7KOuh)y2Ke$XfxbtG2Z@ti;CrN^qP!j= z>`SEoRq7)@7b0E<b}^kj+RaAu@v zp*)%#T*nakT}FI$q+I{25idPpSwnS~l{v#G 
z?d(B9Bg=3&ST;Fygzj8S?}ZzZn~T+FB|uGSe2fN-z5EQ7Q!zKKA#IWz(^G#|F>cp5 zg)rD?zl^G`Gfg$EXRr>l+!%RJ?e|gc=Zsr4B(fT7>^Y3EGPf{wo+Hn)&;!X|2o2*C zZZpeG17+A#`Z*n4CaWG5%YnV8arwA&Pt0^oXJUkyIoYX-BHXePF@CFc-}7rK%5e`X zS0epQ9%)|jLNF#ot7dVPD+|PCY7w5bm2X#rBvy=i((@ppUX$E-G;B^a%(hvX=QASm zwV)fWVxr@cnErNCM}`fCeWeng)R*615V%v)0CmXf3{4UX#bzKuB4Mfkj@jOaTV)i6 zvRmpT8a!Zb$CaIJbYp^s3Z_j`vsE=`Q% zG*i!o?kwEP%BA4RzcoO?c}u#c7ui>qoiw&+ubdRwWNdDodVmPZ-ia zb#;OiOY3P_2dEN&yt(42&eH77MV$cqcLUb-qbXsbmoI;wM$&vw^Re4fIiudk^0hAV zluGCiGywFgW<`j3@icql0jcy9Vxplt7oVPCVdS>k%hIO7;i>rt`$5GCbAC?n5 zTmLdG?OoJ6xN;T%!EH!>pN4PSbH)i+PCrtc-EKNGG(_REs?6ZrdlSNUEwXnm*}s2* zT>;1Z)=OQttz#z71nX+Jfn)Qb#JAk}on?eUCV24fF(yE$H?|?pAT#P6u;fhkiHPli zaov?9%n;qhKpGd(Qmx9}4Vh;xlyPGxM~)}a`>~5n>kD3C!9&Zw=H>&Tqf?6mVb$bJ z#wvSGRLL%X<|6oZj2Q(wI1EDtlRXv77`Z35(BBUQ<{NnhR_TjX{)4aBB`Uy~1qcOJ zA4D8BHUTphGc`kBpj5_wjY$wbMGakh*wnc^T|U!WdS#6k-^kp`?XzH-zEqQQS|8Loxo>bRXUs+=XnK{}iS9`|;jg&` zl(@E)evn^eW$xl~l_%|T$mD_oMOX>kyCD^8RABxWtnx3)`{taBQF`Rc;uBDw5FigU zxX0UEvBC_(E{40YON&K)htUNjpG!{$UWeUa0(=RnpMzJXDB1z*8;fhO?AFXV(RZU* zwQFx%0o|-|ZZe6)JqfC@U=n~jV^lHph6o;*IB-Umlw%0~>AQg?y z7=NUVLy>yOxcJB*Zq-Z{R;zhE_D<%!=Uw8ueQL-Xesrj!5A^-Dd z#9UHN(rW5CMT{RH%06Yi-H+2CVm`J3BIeB3iu}ZPikIB#1CA&kIrem$D^r+Jc^8XW z+}%o0u(|EHKuHu|6k@_VKK6G0Zm(V^ULtt5O8*?F9YGPB)HL$e>8iX)BV#Tmt1a6Y zbc1<0@$rsU@75w_LM`}YC@vlz_ipWHA(z)ew_G~1oB#XOnW{NYeRIbv2a{JnrwbO^ zmivvhGC&frL)y4Lmz7Kz&^`htS79uRt^(V59$Hg@O_ltG)j`4ak+sEs|6_Z?IHO@w zhHVWETduV_+;>q<+RPjAoY!`atC;y`9Can=aKtvAIW3~XFvv`Q?Tv7hvlhWX9E;?W zbFhQ$c(drgC_Vmf($1dKek&_Y3hcsj+`piXR5m;LmGpm;)3;W8b6&mr z^d#R_Yj5+wYLk6qZK#RKj3DQe(vz0@H}P_GqXj0sIN2ai@7(LtL>o7-h%TCPB%}2r zULvzhbN;)=<|`H`)3gIQLc$@_xNsq4s@}mP>R8=92TCOz^X|tT&3Lpsw&Z(k&D_s2 z84bQBh=GvBzJ}Xd=%~;YB1IcIPGs6acFb=LVMh;yq@C5<+}HmPp8bydwO~tw_TfkkGLKE{9H+=>h-lGRj)@nVRj`X1`}jBh6tU2^$>b)JR@`7N+bc�g|q zEAhR1TlV_gdroP)j4(eMYfPO7u&aea#(c|1$nJH4JdmVynG4Jd!t^jZ^Imr5x!(KYS1MLRxXZ*_Qd}7sPnDT4@Gp25|rrEsX;Zgt&Mzupt~0 zvd<;_=2gjpWzjzW;L&7?qp59*B;6ps+{DBXp`?#wK;8pfj 
zl-})U4hx0r%Y_;Em~;uw=ZO1yOH76#SG1w8zxes{(}l-w75yDi({>(@qlJ`{4a&Gz zFYWJAOeTx1jzY#T(WuN4b*}(I31|PH9m(anLNT~@YU2nNsvKeEe(UDTq81Il9CVy1 zbzI5KM?^VBDJ3dn@x$AYMIn@mixO1V_QjGymIfnGR5q0gDmdxRPVf+gkOS4Gf9Q)% zg*W6@C%U*o=;sp?6DxB%D|0~opyig9ms`gKe13mjUPCe*CI%+22ffL7uj=G?4xg@A zsnj0uX=`gEg~#OqLTLD|!z@U123GnPM@B|6?(y??AO!@rfzlO0$5?Ymc|{=s`!b)O zli$64Yt$HKlYtkrn6yhROmF;f*lJ~J^>_&CKPK1 za#q>hQ7fzQjRY`}h1Bmns1+9$qN47Br!rgM_M3;nYb>xB++ngOcINY!$!kMRs*BS- zgo4Uu`b1$h!k>L_VCkN_irBrAfWV2C(6Lh_^k{Ss1PnE`6#Z;%-NTh}2aaWOr&FM= zbQ5OK*7$P{Fmbo_Rz>ArHe4oESnUILo3qZMT0~o7(@2!gwF)A!X$-qfa2qgHZ})>T zN`(;56Tbic0B33-;j!aYwJn80r1I<_2ZuME-GN^|ZOXAKvMdcAi|NH4=c5k{w6z^p zQ9%dQR6`GbrfQB-#Ufs+i)!?roLQ{+QY*INii;C7MDX(RRTVRxz-0QUj?O?w-%)ktZl_{+?^-&Y-Ol<7X=9*5ku&+KCd@5`5$K+v3o zs=s{1RV5Ml!GcgG-(X%BEl$D64@J~LP0JdJd~|qzjgN|!8&)E0B z*0Bc}`WHWYAIrdpc={KewZzyMIk#fd08)UAx)<$CvPyKiaG|O=@2ZbaK6o;~6h}cp zL79!48&y~D<`rnz-D+xo!oVr>WkZJhM+<)T+r!QE{*x0EVN-JUY5}v4gX>^670i$; z6pX$bJR~-NM|Nr-YdnxvAhA!*LW?zjSgP2n6AzJ{i)$M;z6i;bqn-5FwyVM(k^Q9O z=x~kq#kS@X_@l%8N>%S?fa0=6-_+lq(&s6$cklGfM4kxNMIRkVQnsIt&S8oYs(F^ zOic$(kqh@gFsh_#ai&LlSKPI#1#%(OZ3k%Dp&PfmMs{H2hAmQprqyyLKnL8cvyS}Q zUPpLrjyen>rTB4UAQ!dZr?Sx{Z|a8V;I5gX$#F38_xJLec|VJH=NFBvVK5}E#`FQ2 zBbte?ixM}q(1|m*!eHX~>rU5o_h@8gNu42ixT}CrAd5&`e&-Jae3{{;r2u<-duTJL z2$HJVNpS9pU|sq=hnZKnclS;_a=Nd4k=11{AttsCb5E$X=eLs00VarIWNT*vdP|PG z4Z)l>d%@}i1YDLMl<>Y7cC zC3tHzlxnswU;1+~kYyFso-1b-CrK`gUU9Y3cO~>CDCJnByGaDTmR>FLu3EmaHAy*1 z;YoV>>kIxs?3(H;?{Xz8Dk{EHlK1iTt(hr%;WEo_g)Q}Od ztfkPI04(d0?z)fjEEdbhpYr_q$@HJA2mC7+5VoMi@$@S|uXRrPW^ZLmMiO^@I&wd)X(uSl-b|BHd z4U2u0uvE=l7E;!L0kbfc*v9L7YwnP2&{C9x4!@We0*z2&B|VJ@6?Pu4^mSJD+bHc3K_v2e00;~t3$gXr+kNY~2ocd$dX_qshc947#x&jVfmB)9)JV#si0J=*V(#e2m{U2?Qj za67l3hRj>a1 zej%QD$cQB5MeM7WDX{gkKBq8nS6YX8TANw(9bJLn3VKz<%JMRB1~h{f>e)am6a&Nx zEX_lvm%d0hr|Kwm86YeY2<7Ev2b@Ae)`$v3QcYh^+kQ7as|$XEQpML!99S36GF)zxIv=3uZ4u5C#I0J%_N(p`NPectYOHL*^bZ5gu!H3gxjrc zSJ;vzghDw{V7}}^vEZlo^z2U>ybsbW(i|J9oCpb{T;W#qK_Q22G9B?VAI@*HT8l4x 
zttj{yQ{Rb(yE8E|;^dgy4dTqNpYxQQy{$l-y?Di?!J%a5as}4h98ieix_~&-9`rtz z)JV;nvA_J{4;4oHuq;h5h8Er0{XYL-pA_TzDYf$`jL@l+@4{rS$~>BNWL`55;_b-} z>fx;H54kChT@#1$Nf=XLnSXL0a}uUGuoA*jdjT?A0JZ~LB9P?$B$7(f8P7e@b;-ug zhkkqp%U}wHU{KRlB9`&RrWZr9bReuH$!(C4$L(UjZI9%ddWtgsRHa;d0&Cn=ZBzynpQjVblZGG zhG`CY_{HO*Aokx>KK}CH?<*gR4+YJ2C{^ZvT>=-PI!tXV@hfgPccSffJ!i#R+c`$s z{(1PiK=%Q)R@GjsYL1Fb#=L<6kYvncCD#bv`f<;Z;jfjUNP~rx+P+2R!N3e5Zy2lp zq}MPjMx)uI3CVy<|5pRG!FKvx;?Xq1;Z><^3uRsk$xZqZh;_SD$|WXj)w z#Wj!oA8TaJn&v~GfEet50#Oct{R!Mw=c}VPuh@_HA$T<~oa{>}kUT&cNKPDgu{|gh zldu2MA+cvFUx>UQcmv=QZqH?idM&L;F*W%aV(Q{%GhyP7^d*iPPzn2W9HFxAR z6jrmtRi4V2$E7;Qh51jMIXjNaFGTdX5>6IVuf8mWOBXDmtTxvzNBed02PVZC{3?~y z{BlJ^Io_2x6%j|i=;h@_#G|QJH<7emR=?5ANgUYUF=g3Vn0C)`TVj(#nd`v0cM-2q zdR>*cIE@5zvW?6DIelr8et0?r$S>N;*8c-1hvOlp&x`(3HT~IiS(=6mW56>Y=^&lf z?{-e0Pu4-6pdku)`Kx*Opq~8o=%JKL*21k$vFk>9h)my@`$&YnlEa#X3QCXq3mH#d z!;>Dw8Pld1&5AHSIUYSYI+4_hb*2`*wb5$p#^`)BK;OnT_4Zc0J*2IzsEU6}s~k6l zvwUD+8x~_C&aKCnZOz*;GRH7DwfA=Zp^0ef^zUQ<{luofn$@7ZJhq;<{%?gmRMnDT{XTC#($CA3;$^P5cAT%e+~=6zL=7 zLADHATnsG?jeGU_tLW&%CS6zPO8klV#v7k&>bq@mz2kaB-Q#=f?bjIg1(IDxcg7YW zKHXb@#Ab**(}1h~IwD^`#Ptm&bX+xXbgoTcbYd^M}5y3$tZr;R*oMq+$ajP;3!ekjEH z=j!D`&aeq*-amBFA2FcG4}BGRgxVxHgL;?6L=6mnooObRU~VmYvDX_ zL#t9T$StWUV~FUt;k;-pavGA{Z=XDW5Vueu0J&>l4_I#(qaAynJU2jSXe?*qJ$ZpM z0mBeNRftr%{?Se*gP077T|ZQP2pPGz20qA3m{e(3e=}$@C2IyN7%J zAQLZOVjnF;GM|Y!HDInMGYEaS7S1Le&=vfs`bujdk~JT-u5ai$WhZdWlfeR=HJF8q zGtbOdAaCHAJddi^qVSEC<>42`(IsDySzY{A@**<|4zj19NdO68XPml{`6swnUP$7tUe)0T)2@ zDA`NtBU7r2DTd9~kadGac_!=i)+a5WA==djYgWsy)>c=QrG6)6;PkX?=9z7X)l>5o zB3bZJ3#;=eJq~4Ikk_}d3j2qLyhtoS0CJX}6_7i;5fV=}IICwt z#4mUjM+u(BBMqAPHcd%hs0BAG z1f{2CO$T7KudnZ#_A(Ejif^vc{ z$8FmfE3lYu6!IWfSXty=XM`_0PpI|7?$((_D6NQ&nJ?(d*wbNJueC--_UpLi<}L?U z`C#PWyG%fyo{@JjjO2opew^jK`3qdrw@+yVLt}s)<<|*IkqgR+5Jv}@UA%#$5T6=X zK5QZtD-&-Zo}3IS+>`Pu$Gr8#+RcQZS21#BSzPbb2rDGWS_D%Diq64z*D2x_q}y}f zv!}7IQ=qZ0dQ6p^RS1#`ISWO5hzI8m|3658m8o#${Bxw&8|JDLe~Z*=zsc5p~YNVaiGDS+qIlOH~+*e(#!)7>3*5NBie 
zFexcH2ju@`&Z@IcQp&?J$V~>9=j1e8b#89B88A9UaR?VvEim*A>Ce>)TJW?$5G)eP zgT%X!OR$xW{~K$HjC@*m&pn(W+SHg}Eq26A)+{>JYvyykQ!&Y4Vp6#z{I2ePCb1TA>#GPM{##w87CcVAk;Qpj^DNT|N3eyTJJn2FdX290s2eR7q0mGs^72Ti1K zpYoM=DQY28-DD%FAOk;baDiDa$!aO4`V&%^HeC+J`gVoOQy- za|sj<7i8%3fg#1JUW)Q>4P_l)2LnvErzF1eFEqLTQsJCi`$>lEe#9p2{QGI2arq3C z+%xx2;OqUaK=GeYa))Kq%w@c6^{lpc!StyI0t>c~*L*Fgjlbs@M#MAi`GE9^tMKMj z2#-$05s=c*EBK4O;VPuqR*#UUZ^?}d{V$SW`kglr#bk%PmONd0y zWI>KJM_!zZ-Kiz*v9+}P00FOF+m(JnXJ6mUf1j*+8ftWhYn2iHI?b;9MAy$xNa6Ap z{Er$LOlq(*r3e{*;$_kOe|VgQ)KcReVAgbM@F!BU@d+3NZ+TDu=e`WQMA&@GWRuv2 z>UEf$H#ne52%->0h7>pQ4gy^?Kk({cyn@b@!`~F$E(zWX)apfD-bRjXBHQ1C6kcrwHs25 z!ZHq4VttCkY11XDLHT{1hl}e)D`Zfzvn}=o zu$hup2O--kdta|!-Bcyjks;HUCydR_NC^Eht+5?trAVtSed|3woCAS{)Yajcj7wLG zI}$dpRwWgy3hp`f%mX*iRxi7&726R#Vq8GA34xB(NZsQPuU)I?2IbblLkn)-vv8|g02c^9#rKLS)e^fm4wq9RsXZuBzc2`<3QFn~weoWTwF!Szn8OFc_ zilbqYm**HenoT55@!JQ3eQU*Prc$C&mb=PT&MMVNN<8Y866878mRW8Vg?>JMFsgPY zBw(qJnw&&OMs?P4O4=*ESCut6!?A07qivSn7B@#psHv-~%Z`HY1LQfVsB52=zEp9l zpzfx6snr=gpB-byH=K{|e686m_BXa_WQDnQDCTii2j|s;TIzf*rnKrdb9VKVi!a5U z$?SyMjbXqYRx=qE;1?^zd{q;f=%c>=(_U=3mK83ZLS0^~(iZ5*w`-_$*8 zHtt=`W9T_Og#F~%s+RQmak*hH--PuQEn)~UNtAgtb*19gL}OtnwZ=7`2i`=PWMkb+ zEf_>zq#i^Zi_U_52kO4$r`AuOfcLWLb_xa^y+>=`hB#ST40dvM@XPBCEEV2)Hax(&t`9D)}wW1KgaR6EZaQ?4M2BCPvNHfg{PZDQCKA-LbVtRQH|ZNGy~r zcwzLCAn3l5kCClh?zX^SFd6psD7QD52@|e&~yyvCeIz_Rhc$-^}4Wx|+LQ`}sx5gS8E+e&F-L_2?k$MRzn9_(>6C{X!V5uFPAlwP3jcbmupiPrdZRr27iE zIIM`nHhT9Hvs`O>qoJWv)qG-e==5Cci=!;Y zW%aOko?yT9uVGucWKOd;h)XpLNrI zbIs1IRj0yFofh@gU3Q$XDYri7o_st}#pbNJ_*~?B53xF{g1~ezEJZ`|vQqMFV zJMwmyTcr7`fXNR(yF3hFHe_eui6v-+hgqW|Tj%!2+1dJdLjsKL&UsQKTRtnd^!8_l zoPjZ)ZGwW0TNMd;e!n<}RgaF`n;;`gg!ng2iEVr#eL7I}L+&c3kl7BYUofPyFNt4I zRb)u0=UWRy9=Z;SJrxq5(4f)6N>dv$m#wNM)uXpB)p1PLCsQdDf4$yY7_?-9_>?&0 zxc zW{mvqO#ICgC)!M7VbU7+$=3(ED(f=CgomvtwyZTB3s}w!lA+?*WrCWh=!hHcxiItE z?|0Y#aprQu!EJnWx7^?=@@kmBY}h1toY~rvt|%D3jMm}kg?D5Q-QS<0WxgL+!!Vuf z6N%*Rl6i4T^{~grn>Q_-os3hKO5tWIibG!fa62Cz++IH7kDvjfdZW9)Uy8pqv*r~2 
zO~MOO_}6>80P&o7XN|m>J0urGkWqYdNy0jB1T%XZm|$5RxFQiUe}RgEM6cubX`A%Rs(c7sXGg*A&F^6>&u(wSGsjvYJbUnoM#)}8*) z)kPsyIFL*9?B>Aj^4k*WWoq6#n7T?WZ(A zBh?L!O^>zwX(cpxX!f<@e}XCenNm>M0ZhlZ+@%gC6-&m~S;r}nEmFJ=Q~HALzIvS_ zj8%-)mpJDAo`H2CXk(>~Q$7S;))V_2`}dCCdyF^gO#Us(br}qT6RWSRk(H{SY*X2h zfEer-f{tbv&U*R_S?CkIoI`yXL0MwlT1UFSV(4t-c3}`~M(CO>acV z48O0pWF2S!tKqkp-0&ZG*AGU+XhbX-@?@=k<@l^91v{;U7XSsHn`6c>-4KG{Hh2V@VXpV#)@yJuL4Q8oz>0n;O8p|oH`ckIy z!N|QeExc zDJ_AeHG!bQw7zz(A^GNF_OCr2?l-S|Bf!#04Rz0YB?%2rGoO?f>gxn}qqrPgiU&}FN+hi-B zH#Kr%Jj-0Q_cP~YSg>vC79_IFomCQHO&okD!ezsC;}A5X#+Xr@OnWTUnsL{P76uX( zQT3AbLqzr1hUeJ}c6ULx;3rEFBBhsw@5vR$n(@(X6^0v=d%_+h)MfJ=SJiI{qXjDv^VN@Mbf zhmMh(ZFSw8%wFyh^tn?IMaPqTE>*Vm78*@Gp%2i>M&o0Pzqd6CgU}hsyjvoJF6Js} zQWs?H$CSNRE?|76Y7T^~3JJFTjs&>gm!TiszMUw=IP1o8bg1@HUF#BPb4zxjuwnx} zV7a|(m$+k>%Jn*MmEgEVjL9XBRGE-r+Cphb{^e1MfRuPbg_M{FnB|RQ7lfIfmg_7 z*_CjuS=y=|JkUZ`xD?x)!`@+$%v~}Wee;EnvI>0@7ilDBEEoE=x1SPL4f>4ari-Wr z@UEffNaurHY%ddyn@NqBv`P*l&>6ws! zYY^)m32L(ha!oEUgwS%JvdY8>fvT zO#Gs<^%7p6M+ke>X-6TR=dmRwKR4GEwow5Y5QMMfa215aH9QZzutL}!Xnr^Nt)Uw~ z{FeR(G-TgCliSO$`a9QNN?BQv7|7KEPG^VRO;p2+~_kdCmSUZgcozR)LV?MOq$}fAu zdiUWTQ3J_s)9-74zd5rH{wm8o^o(NmZ)uO#Qt^D7*0gMGq3{?b<3>WK7MLJIpo0^`ubcxF>S9erySdIFf+87>2PSwvo5$XlFqN20zOk}Pr z^{i}}R*=MFJl#lYZ?u5my~~$E{uP7HHTn?$TjS}Sq1T?SUgizS)9UN1xtM0-IgLzc zgx(X1BHdJH?Vp$ZD}1rs7V6AvN9Tk)NR5t<@klNK-3gw@FP)^ZyQ>c6f7;N6^Cvbs zZLI1jh!QYYIC>4ih*ombi|EQzs>dA~RAs)RL6q*}>XEv(fi<^#tviT@hcfJ5io<18|L7o#r-CdOl3QOiau< zvGIgcO+>F8^1DYTc@|qBC31 zcm06-HPOBQbK!$RW0M()ozE~tD7I(27g*LWvK9*^KebrCE%s0K!+F*qUzV5kUMSW- z@URN+nr1ofOPvzPrn^suIDtR$K)I%Ns2SI%{QI(?vPY*uJN#ZL-e^R5EN$?D$JVb; z;QKhgsr#4@B3v%u_2jS&Aj)tvhUZ5mxSSba0B-!i)^)vL&CNXW_;LQ@rUGyNz`eZs zP>%XHB2S*_|6c-O{)TLUPTx=d8)V|_k6c{gL+5f%|2GIscGKKo!`#=<*lK2uN1}7K z?`bDcE zz%jf)3mNK7!Zu;BjeBFO!yDhB& zYHE~Du@D<-xl{9m?gQc~c<_g;t-#C&EKs|5URJi7F|hhsV-IM!ZvJ;T!R$(F;@kc; z-sf_&muoH+`6wS%cgn~2cL?}N3o+dL^^AGT}+RO@vef>PP?GPv0Mi)X{0IApEh)~%N< zKDOMc8)^s$UVR4M-Cyk({z6lusB}92J{<>ApLL_7vTM%g=?TJ7hXcFSjvULk1@cb3 
zjp4~B>EZli+98vOo+K!=D5myQGP^ZTTdY`|Ow$ zR-VP5bb8L+b#;B9Klw1#*U6b@I#Rsyv8dt`KgI33QQ~Ue@rR`a9;q|Ek}kJyd322A zW>cU)sdGrtT1Y{$@*?le1v5Npc|kL$>xYX%*!sHem?9TX1{y|5EXUW!Xm`EK02evbLOa#-cr1J+115m*WRh;#Sc4N$rzTcKYdot*E`@?ip^r6 z)Noyk3#Fvb@v8@QwRZJFGUjETh0?<&KQgATpPpkTOE*t&(X4uyVLjzkY$F?TxF;rc zk)Bf%ZcR5P&MvbW38SN;@ zY-^Us!c^Mjb@Z=oNEn~GW%T-%5ude5D#xjRi%YhMn5Ux#`PIZwY;0t4?8VHI^5PxS z0L7)ZurZPmy;E9PFsWg!CS5; zN7yc6-Pm42f)H7gTwAq;x*K-#>DJVc5i*S4tCix9?9SO_=$Or|?l}Hzvp(^0kLRYf z!Dn`P&IHS>FH7pH?voO|Npqq*XY^c)2GNP_e1VmA6Q3#uB-+QNhGi=f@%m{kmwPLN z{QG}I{=~hBjwrd$iz^q93$Jd)wPS93e>CB1c=yip*a^i$2uWyEo{{UOo1xWoSHE)j z;_`mp70sV{v9c;;owK${DkB5#TD(5-{GpxCF`|8Th3G5cHn<~aUiX*{^b0uGU%Q!q zSA1*FpTA?q{9iu+n$Z5xI2%ViAXnNE{(6wXa76PQK7>%MW4yR^i+yX0)x7tO zrbBzShQIy=%~QN(hw|Ho{ErK}Z~cQlQjcqwRHiIvm@yu&d9}>xUg*S9g}V9g^gj1N6SW zpfzS)gF}q%Cza*Fm32izBa|puZF~EZQGG3kGnO~>CEyYKEs!%A<{BT9A@Wwzs6M%N zn%>aBV)^>r?m1{wZ$KruVv>yTqChc%xvbQIw;o=FEuNG@-Sqqs6}}xL z8<`~hp~AJBH=T-)l2~i#Ajq9<*}{K$a>hTY$xuwgi@d%zxN%k5^0yZop78pjip zlT+ZO^^&wEW3c=g&%MIJsObmz35P>_L}D_`WI^Xpf9n=w%(t9ylapQ-UA!A^`T6}s^&DX^Zy)qN z%hY07J0B^__nP^TwTWMv{3`_JTNsbe9&}(F^HPe1ZPo@8r zJ`o<9L;GS6G>i+5ku|KX+g4J8V>{Q@8)g;fs4D_MB(Yl1!`AfShja8Gg z1dZy++oc>bQGIR!r#F7x;72KkV<&2L)+hbT#}2Fw-`GMmKAnD!YU4Q>^!paG3tO-4 z@_bUfd}4EDe?ais$CuewP3k}FAX&=pg`d=;53%nK<=_Wcy5nT;E zTddTN9jkXeul9QvXo;GjRIh|Av7^^#7iVaTP4Vr^*(b$f19*%>ambd z^S6`oOb+C*yuwzSXXgsn$CU=+BggzOVM~kaANuL6(6v3>joPFYol{d|FsjOeH+3f3 zJSefmF=@fQ6>`p_Yj=J>ROooDbdK=qCz~lh^){E~F{LwlGZv4uuPnbA+aWr3*aGEt zK)H4WX}pKVyGS zQD=R1&Yv+^VgL28*(SZT<+l&o?*vP@D00v9^>F|G2TEcHCEc$L4|QbK2{oi?6SGHa}GJz8%{#t_8%e%VQQ;R3JY<;HLm~y^$|FbIe zAq1iO+usskn~+32w{&N*{FT`K0`t&Qa_EaMTK*Sx{T&;(Tbc}R4ybrrK6zx@ z4$=c*9=A-(gLVpYiW)|GsVBY*et$rm|LeVwUpjgVMiZyJWMQ6)Y`a4L9>YiY%23r+ zInsCMiDtPSq5g?GNTN~>3UWN129;HPQ@+I)w*;>Jvh$VIhG%HM5=zioD4aCACkLI3 zxIs26>{8(RP!iDky$t76VswRW%WXr!A)Z%IyGI!myy5 zU-zB+R1;}j-f>Jb*W6821EG0f@fW|8S1&0R1^ft?_Q5?8 z`au{fQtThuM@uurmVLxNc3!r#InpyVc0@ts4m~p%nTJdZ@b-RIU7c$Couvtp0%LSh 
zz=;9;gRBNLcIWBg!3%y{&TEl-VCJosa@SDxD5C9%evJ38nwsh~#SQt{#@TJIN9!!Q zaANQ#FZ&^%#>GEL9OWuZ-jj?=h|TSyG-t*IU#59*D2Zc7qRZ#Km7Um z-=BiXCA2S3&4fyDXm|E-JIdd?)&F;YDD9XpGX3l1vk)paos|C4Z&?18{C~S+`TxFa h`(JN?wzc&-@9bRG&Jp`hU!NoWQ^qF?kmrB>e*hi4JHG$` literal 0 HcmV?d00001 diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/alzDefaults/parameters/alzDefaultPolicyAssignments.parameters.all.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/alzDefaults/parameters/alzDefaultPolicyAssignments.parameters.all.json new file mode 100644 index 0000000..d5b4e7e --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/alzDefaults/parameters/alzDefaultPolicyAssignments.parameters.all.json 
@@ -0,0 +1,51 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "parTopLevelManagementGroupPrefix": {
+ "value": "alz"
+ },
+ "parTopLevelManagementGroupSuffix": {
+ "value": ""
+ },
+ "parLogAnalyticsWorkSpaceAndAutomationAccountLocation": {
+ "value": "eastus"
+ },
+ "parLogAnalyticsWorkspaceResourceId": {
+ "value": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/alz-logging/providers/Microsoft.OperationalInsights/workspaces/alz-log-analytics"
+ },
+ "parLogAnalyticsWorkspaceLogRetentionInDays": {
+ "value": "365"
+ },
+ "parAutomationAccountName": {
+ "value": "alz-automation-account"
+ },
+ "parMsDefenderForCloudEmailSecurityContact": {
+ "value": "security_contact@replace_me.com"
+ },
+ "parDdosProtectionPlanId": {
+ "value": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/rg-alz-hub-networking-001/providers/Microsoft.Network/ddosProtectionPlans/alz-ddos-plan"
+ },
+ "parPrivateDnsResourceGroupId": {
+ "value": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/rg-alz-hub-networking-001"
+ },
+ "parPrivateDnsZonesNamesToAuditInCorp": {
+ "value": []
+ },
+ "parDisableAlzDefaultPolicies": {
+ "value": false
+ },
+ "parVmBackupExclusionTagName": {
+ "value": ""
+ },
+ "parVmBackupExclusionTagValue": {
+ "value": []
+ },
+ "parExcludedPolicyAssignments": {
+ "value": []
+ },
+ "parTelemetryOptOut": {
+ "value": false
+ }
+ }
+}
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/alzDefaults/parameters/alzDefaultPolicyAssignments.parameters.min.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/alzDefaults/parameters/alzDefaultPolicyAssignments.parameters.min.json
new file mode 100644
index 0000000..515ac11
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/alzDefaults/parameters/alzDefaultPolicyAssignments.parameters.min.json
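Review bot: The placeholder for `parMsDefenderForCloudEmailSecurityContact` is a syntactically valid address, `security_contact@replace_me.com`, so a deployment that forgets to edit this file will not be stopped by it and would presumably send Defender for Cloud security notifications to a mailbox at a domain the deployer does not control. The `xxxxxxxx-xxxx-...` subscription IDs in the same file should fail on their own, but nothing forces this value to be replaced. I would switch to a reserved, non-routable placeholder such as `"value": "security_contact@example.invalid"`, and make the same change to the identical line in `alzDefaultPolicyAssignments.parameters.min.json`. Both files also ship `parTelemetryOptOut` as `false`, which the accompanying docs could call out so operators make that choice deliberately.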
@@ -0,0 +1,27 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "parTopLevelManagementGroupPrefix": {
+ "value": "alz"
+ },
+ "parLogAnalyticsWorkSpaceAndAutomationAccountLocation": {
+ "value": "eastus"
+ },
+ "parLogAnalyticsWorkspaceResourceId": {
+ "value": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/alz-logging/providers/Microsoft.OperationalInsights/workspaces/alz-log-analytics"
+ },
+ "parLogAnalyticsWorkspaceLogRetentionInDays": {
+ "value": "365"
+ },
+ "parAutomationAccountName": {
+ "value": "alz-automation-account"
+ },
+ "parMsDefenderForCloudEmailSecurityContact": {
+ "value": "security_contact@replace_me.com"
+ },
+ "parTelemetryOptOut": {
+ "value": false
+ }
+ }
+}
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/generateddocs/policyAssignmentManagementGroup.bicep.md b/dependencies/infra-as-code/bicep/modules/policy/assignments/generateddocs/policyAssignmentManagementGroup.bicep.md
new file mode 100644
index 0000000..92036d2
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/generateddocs/policyAssignmentManagementGroup.bicep.md
@@ -0,0 +1,204 @@ +# ALZ Bicep - Management Group Policy Assignments + +Module used to assign policy definitions to management groups + +## Parameters + +Parameter name | Required | Description +-------------- | -------- | ----------- +parPolicyAssignmentName | Yes | The name of the policy assignment. e.g. "Deny-Public-IP" +parPolicyAssignmentDisplayName | Yes | The display name of the policy assignment. e.g. "Deny the creation of Public IPs" +parPolicyAssignmentDescription | Yes | The description of the policy assignment. e.g. "This policy denies creation of Public IPs under the assigned scope." +parPolicyAssignmentDefinitionId | Yes | The policy definition ID for the policy to be assigned. e.g. "/providers/Microsoft.Authorization/policyDefinitions/9d0a794f-1444-4c96-9534-e35fc8c39c91" or "/providers/Microsoft.Management/managementgroups/alz/providers/Microsoft.Authorization/policyDefinitions/Deny-Public-IP" +parPolicyAssignmentParameters | No | An object containing the parameter values for the policy to be assigned. +parPolicyAssignmentParameterOverrides | No | An object containing parameter values that override those provided to parPolicyAssignmentParameters, usually via a JSON file and loadJsonContent(FILE_PATH). This is only useful when wanting to take values from a source like a JSON file for the majority of the parameters but override specific parameter inputs from other sources or hardcoded. If duplicate parameters exist between parPolicyAssignmentParameters & parPolicyAssignmentParameterOverrides, inputs provided to parPolicyAssignmentParameterOverrides will win. +parPolicyAssignmentNonComplianceMessages | No | An array containing object/s for the non-compliance messages for the policy to be assigned. See https://docs.microsoft.com/en-us/azure/governance/policy/concepts/assignment-structure#non-compliance-messages for more details on use. 
+parPolicyAssignmentNotScopes | No | An array containing a list of scope Resource IDs to be excluded for the policy assignment. e.g. ['/providers/Microsoft.Management/managementgroups/alz', '/providers/Microsoft.Management/managementgroups/alz-sandbox' ]. +parPolicyAssignmentEnforcementMode | No | The enforcement mode for the policy assignment. See https://aka.ms/EnforcementMode for more details on use. +parPolicyAssignmentOverrides | No | An array containing a list of objects containing the required overrides to be set on the assignment. See https://learn.microsoft.com/azure/governance/policy/concepts/assignment-structure#overrides-preview for more details on use. +parPolicyAssignmentResourceSelectors | No | An array containing a list of objects containing the required resource selectors to be set on the assignment. See https://learn.microsoft.com/azure/governance/policy/concepts/assignment-structure#resource-selectors-preview for more details on use. +parPolicyAssignmentIdentityType | No | The type of identity to be created and associated with the policy assignment. Only required for Modify and DeployIfNotExists policy effects. +parPolicyAssignmentIdentityRoleAssignmentsAdditionalMgs | No | An array containing a list of additional Management Group IDs (as the Management Group deployed to is included automatically) that the System-assigned Managed Identity, associated to the policy assignment, will be assigned to additionally. e.g. ['alz', 'alz-sandbox' ]. +parPolicyAssignmentIdentityRoleAssignmentsSubs | No | An array containing a list of Subscription IDs that the System-assigned Managed Identity associated to the policy assignment will be assigned to in addition to the Management Group the policy is deployed/assigned to. e.g. ['8200b669-cbc6-4e6c-b6d8-f4797f924074', '7d58dc5d-93dc-43cd-94fc-57da2e74af0d' ]. 
+parPolicyAssignmentIdentityRoleAssignmentsResourceGroups | No | An array containing a list of Subscription IDs and Resource Group names seperated by a / (subscription ID/resource group name) that the System-assigned Managed Identity associated to the policy assignment will be assigned to in addition to the Management Group the policy is deployed/assigned to. e.g. ['8200b669-cbc6-4e6c-b6d8-f4797f924074/rg01', '7d58dc5d-93dc-43cd-94fc-57da2e74af0d/rg02' ]. +parPolicyAssignmentIdentityRoleDefinitionIds | No | An array containing a list of RBAC role definition IDs to be assigned to the Managed Identity that is created and associated with the policy assignment. Only required for Modify and DeployIfNotExists policy effects. e.g. ['/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c']. +parTelemetryOptOut | No | Set Parameter to true to Opt-out of deployment telemetry + +### parPolicyAssignmentName + +![Parameter Setting](https://img.shields.io/badge/parameter-required-orange?style=flat-square) + +The name of the policy assignment. e.g. "Deny-Public-IP" + +### parPolicyAssignmentDisplayName + +![Parameter Setting](https://img.shields.io/badge/parameter-required-orange?style=flat-square) + +The display name of the policy assignment. e.g. "Deny the creation of Public IPs" + +### parPolicyAssignmentDescription + +![Parameter Setting](https://img.shields.io/badge/parameter-required-orange?style=flat-square) + +The description of the policy assignment. e.g. "This policy denies creation of Public IPs under the assigned scope." + +### parPolicyAssignmentDefinitionId + +![Parameter Setting](https://img.shields.io/badge/parameter-required-orange?style=flat-square) + +The policy definition ID for the policy to be assigned. e.g. 
"/providers/Microsoft.Authorization/policyDefinitions/9d0a794f-1444-4c96-9534-e35fc8c39c91" or "/providers/Microsoft.Management/managementgroups/alz/providers/Microsoft.Authorization/policyDefinitions/Deny-Public-IP" + +### parPolicyAssignmentParameters + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +An object containing the parameter values for the policy to be assigned. + +### parPolicyAssignmentParameterOverrides + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +An object containing parameter values that override those provided to parPolicyAssignmentParameters, usually via a JSON file and loadJsonContent(FILE_PATH). This is only useful when wanting to take values from a source like a JSON file for the majority of the parameters but override specific parameter inputs from other sources or hardcoded. If duplicate parameters exist between parPolicyAssignmentParameters & parPolicyAssignmentParameterOverrides, inputs provided to parPolicyAssignmentParameterOverrides will win. + +### parPolicyAssignmentNonComplianceMessages + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +An array containing object/s for the non-compliance messages for the policy to be assigned. See https://docs.microsoft.com/en-us/azure/governance/policy/concepts/assignment-structure#non-compliance-messages for more details on use. + +### parPolicyAssignmentNotScopes + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +An array containing a list of scope Resource IDs to be excluded for the policy assignment. e.g. ['/providers/Microsoft.Management/managementgroups/alz', '/providers/Microsoft.Management/managementgroups/alz-sandbox' ]. 
+ +### parPolicyAssignmentEnforcementMode + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +The enforcement mode for the policy assignment. See https://aka.ms/EnforcementMode for more details on use. + +- Default value: `Default` + +- Allowed values: `Default`, `DoNotEnforce` + +### parPolicyAssignmentOverrides + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +An array containing a list of objects containing the required overrides to be set on the assignment. See https://learn.microsoft.com/azure/governance/policy/concepts/assignment-structure#overrides-preview for more details on use. + +### parPolicyAssignmentResourceSelectors + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +An array containing a list of objects containing the required resource selectors to be set on the assignment. See https://learn.microsoft.com/azure/governance/policy/concepts/assignment-structure#resource-selectors-preview for more details on use. + +### parPolicyAssignmentIdentityType + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +The type of identity to be created and associated with the policy assignment. Only required for Modify and DeployIfNotExists policy effects. + +- Default value: `None` + +- Allowed values: `None`, `SystemAssigned` + +### parPolicyAssignmentIdentityRoleAssignmentsAdditionalMgs + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +An array containing a list of additional Management Group IDs (as the Management Group deployed to is included automatically) that the System-assigned Managed Identity, associated to the policy assignment, will be assigned to additionally. e.g. ['alz', 'alz-sandbox' ]. 
+ +### parPolicyAssignmentIdentityRoleAssignmentsSubs + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +An array containing a list of Subscription IDs that the System-assigned Managed Identity associated to the policy assignment will be assigned to in addition to the Management Group the policy is deployed/assigned to. e.g. ['8200b669-cbc6-4e6c-b6d8-f4797f924074', '7d58dc5d-93dc-43cd-94fc-57da2e74af0d' ]. + +### parPolicyAssignmentIdentityRoleAssignmentsResourceGroups + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +An array containing a list of Subscription IDs and Resource Group names seperated by a / (subscription ID/resource group name) that the System-assigned Managed Identity associated to the policy assignment will be assigned to in addition to the Management Group the policy is deployed/assigned to. e.g. ['8200b669-cbc6-4e6c-b6d8-f4797f924074/rg01', '7d58dc5d-93dc-43cd-94fc-57da2e74af0d/rg02' ]. + +### parPolicyAssignmentIdentityRoleDefinitionIds + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +An array containing a list of RBAC role definition IDs to be assigned to the Managed Identity that is created and associated with the policy assignment. Only required for Modify and DeployIfNotExists policy effects. e.g. ['/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c']. 
+ +### parTelemetryOptOut + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Set Parameter to true to Opt-out of deployment telemetry + +- Default value: `False` + +## Snippets + +### Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "template": "infra-as-code/bicep/modules/policy/assignments/policyAssignmentManagementGroup.json" + }, + "parameters": { + "parPolicyAssignmentName": { + "value": "" + }, + "parPolicyAssignmentDisplayName": { + "value": "" + }, + "parPolicyAssignmentDescription": { + "value": "" + }, + "parPolicyAssignmentDefinitionId": { + "value": "" + }, + "parPolicyAssignmentParameters": { + "value": {} + }, + "parPolicyAssignmentParameterOverrides": { + "value": {} + }, + "parPolicyAssignmentNonComplianceMessages": { + "value": [] + }, + "parPolicyAssignmentNotScopes": { + "value": [] + }, + "parPolicyAssignmentEnforcementMode": { + "value": "Default" + }, + "parPolicyAssignmentOverrides": { + "value": [] + }, + "parPolicyAssignmentResourceSelectors": { + "value": [] + }, + "parPolicyAssignmentIdentityType": { + "value": "None" + }, + "parPolicyAssignmentIdentityRoleAssignmentsAdditionalMgs": { + "value": [] + }, + "parPolicyAssignmentIdentityRoleAssignmentsSubs": { + "value": [] + }, + "parPolicyAssignmentIdentityRoleAssignmentsResourceGroups": { + "value": [] + }, + "parPolicyAssignmentIdentityRoleDefinitionIds": { + "value": [] + }, + "parTelemetryOptOut": { + "value": false + } + } +} +``` diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/README.md b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/README.md new file mode 100644 index 0000000..23bd6f8 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/README.md 
@@ -0,0 +1,44 @@
+# Policy Assignments Library
+
+This directory contains the default policy assignments we make as part of the Azure Landing Zones (aka. Enterprise-scale) in JSON files. These can then be used in variables with the bicep functions of:
+
+- [`json()`](https://docs.microsoft.com/azure/azure-resource-manager/bicep/bicep-functions-object#json)
+- [`loadJsonContent()`](https://learn.microsoft.com/azure/azure-resource-manager/bicep/bicep-functions-files#loadjsoncontent)
+
+For example:
+
+```bicep
+var varPolicyAssignmentDenyPublicIp = loadJsonContent('infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_public_ip.tmpl.json')
+```
+
+Or you can use the export available in `_policyAssignmentsBicepInput.txt` to copy and paste into a variable to then use to assign policies but manage their properties from the JSON files, like below:
+
+```bicep
+targetScope = 'tenant'
+
+@description('The management group scope to which the policy assignments are to be created at. DEFAULT VALUE = "alz"')
+param parTargetManagementGroupId string = 'alz'
+
+var varTargetManagementGroupResourceId = tenantResourceId('Microsoft.Management/managementGroups', parTargetManagementGroupId)
+
+var varPolicyAssignmentDenyPublicIp = {
+ name: 'Deny-Public-IP'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-PublicIP'
+ libDefinition: loadJsonContent('../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_public_ip.tmpl.json')
+}
+
+module modPolicyAssignmentDenyPublicIP '../../policyAssignments/policyAssignmentManagementGroup.bicep' = {
+ name: 'PolicyAssignmentDenyPublicIP'
+ scope: managementGroup('alz')
+ params: {
+ parPolicyAssignmentDefinitionId: varPolicyAssignmentDenyPublicIp.definitionId
+ parPolicyAssignmentDescription: varPolicyAssignmentDenyPublicIp.libDefinition.properties.description
+ parPolicyAssignmentDisplayName: varPolicyAssignmentDenyPublicIp.libDefinition.properties.displayName
+ parPolicyAssignmentName: varPolicyAssignmentDenyPublicIp.libDefinition.name
+ }
+}
+```
+
+> You do not have to use this method, but it is provided to you for ease and is used in the orchestration templates.
+>
+> You may also extend the library and add your own assignment files in following the pattern shown in the examples above.
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/_mc_policyAssignmentsBicepInput.txt b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/_mc_policyAssignmentsBicepInput.txt
new file mode 100644
index 0000000..32fa035
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/_mc_policyAssignmentsBicepInput.txt
@@ -0,0 +1,150 @@ +var varPolicyAssignmentDenyAppGWWithoutWAF = { + definitionId: '${modManagementGroups.outputs.outTopLevelMGId}/providers/Microsoft.Authorization/policyDefinitions/Deny-AppGW-Without-WAF' + libDefinition: loadJsonContent('../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_appgw_without_waf.tmpl.json') +} + +var varPolicyAssignmentEnforceAKSHTTPS = { + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d' + libDefinition: loadJsonContent('../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_http_ingress_aks.tmpl.json') +} + +var varPolicyAssignmentDenyIPForwarding = { + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900' + libDefinition: loadJsonContent('../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_ip_forwarding.tmpl.json') +} + +var varPolicyAssignmentDenyPrivContainersAKS = { + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/95edb821-ddaf-4404-9732-666045e056b4' + libDefinition: loadJsonContent('../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_priv_containers_aks.tmpl.json') +} + +var varPolicyAssignmentDenyPrivEscalationAKS = { + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/1c6e92c9-99f0-4e55-9cf2-0c234dc48f99' + libDefinition: loadJsonContent('../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_priv_escalation_aks.tmpl.json') +} + +var varPolicyAssignmentDenyPublicEndpoints = { + definitionId: '${modManagementGroups.outputs.outTopLevelMGId}/providers/Microsoft.Authorization/policySetDefinitions/Deny-PublicPaaSEndpoints' + libDefinition: loadJsonContent('../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_public_endpoints.tmpl.json') +} + +var varPolicyAssignmentDenyPublicIP = { + definitionId: 
'${modManagementGroups.outputs.outTopLevelMGId}/providers/Microsoft.Authorization/policyDefinitions/Deny-PublicIP' + libDefinition: loadJsonContent('../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_public_ip.tmpl.json') +} + +var varPolicyAssignmentDenyRDPFromInternet = { + definitionId: '${modManagementGroups.outputs.outTopLevelMGId}/providers/Microsoft.Authorization/policyDefinitions/Deny-RDP-From-Internet' + libDefinition: loadJsonContent('../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_rdp_from_internet.tmpl.json') +} + +var varPolicyAssignmentDenyResourceLocations = { + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c' + libDefinition: loadJsonContent('../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_resource_locations.tmpl.json') +} + +var varPolicyAssignmentDenyResourceTypes = { + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749' + libDefinition: loadJsonContent('../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_resource_types.tmpl.json') +} + +var varPolicyAssignmentDenyRSGLocations = { + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/e765b5de-1225-4ba3-bd56-1ac6695af988' + libDefinition: loadJsonContent('../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_rsg_locations.tmpl.json') +} + +var varPolicyAssignmentDenyStoragehttp = { + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9' + libDefinition: loadJsonContent('../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_storage_http.tmpl.json') +} + +var varPolicyAssignmentDenySubnetWithoutNsg = { + definitionId: '${modManagementGroups.outputs.outTopLevelMGId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Nsg' + 
libDefinition: loadJsonContent('../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_subnet_without_nsg.tmpl.json') +} + +var varPolicyAssignmentDenySubnetWithoutUdr = { + definitionId: '${modManagementGroups.outputs.outTopLevelMGId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Udr' + libDefinition: loadJsonContent('../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_subnet_without_udr.tmpl.json') +} + +var varPolicyAssignmentDeployAKSPolicy = { + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7' + libDefinition: loadJsonContent('../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_aks_policy.tmpl.json') +} + +var varPolicyAssignmentDeployASCMonitoring = { + definitionId: '/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8' + libDefinition: loadJsonContent('../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_asc_monitoring.tmpl.json') +} + +var varPolicyAssignmentDeployLogAnalytics = { + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/8e3e61b3-0b32-22d5-4edf-55f87fdb5955' + libDefinition: loadJsonContent('../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_log_analytics.tmpl.json') +} + +var varPolicyAssignmentDeployLXArcMonitoring = { + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/9d2b61b4-1d14-4a63-be30-d4498e7ad2cf' + libDefinition: loadJsonContent('../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_lx_arc_monitoring.tmpl.json') +} + +var varPolicyAssignmentDeployMDFCConfig = { + definitionId: '${modManagementGroups.outputs.outTopLevelMGId}/providers/Microsoft.Authorization/policySetDefinitions/Deploy-MDFC-Config' + libDefinition: 
loadJsonContent('../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_mdfc_config.tmpl.json') +} + +var varPolicyAssignmentDeployPrivateDNSZones = { + definitionId: '${modManagementGroups.outputs.outTopLevelMGId}/providers/Microsoft.Authorization/policySetDefinitions/Deploy-Private-DNS-Zones' + libDefinition: loadJsonContent('../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_private_dns_zones.tmpl.json') +} + +var varPolicyAssignmentDeployResourceDiag = { + definitionId: '${modManagementGroups.outputs.outTopLevelMGId}/providers/Microsoft.Authorization/policySetDefinitions/Deploy-Diagnostics-LogAnalytics' + libDefinition: loadJsonContent('../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_resource_diag.tmpl.json') +} + +var varPolicyAssignmentDeploySQLDBAuditing = { + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9' + libDefinition: loadJsonContent('../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_sql_db_auditing.tmpl.json') +} + +var varPolicyAssignmentDeploySQLSecurity = { + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/86a912f6-9a06-4e26-b447-11b16ba8659f' + libDefinition: loadJsonContent('../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_sql_security.tmpl.json') +} + +var varPolicyAssignmentDeploySQLThreat = { + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/36d49e87-48c4-4f2e-beed-ba4ed02b71f5' + libDefinition: loadJsonContent('../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_sql_threat.tmpl.json') +} + +var varPolicyAssignmentDeployVMBackup = { + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/98d0b9f8-fd90-49c9-88e2-d3baf3b0dd86' + libDefinition: 
loadJsonContent('../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_vm_backup.tmpl.json') +} + +var varPolicyAssignmentDeployVMMonitoring = { + definitionId: '/providers/Microsoft.Authorization/policySetDefinitions/55f3eceb-5573-4f18-9695-226972c6d74a' + libDefinition: loadJsonContent('../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_vm_monitoring.tmpl.json') +} + +var varPolicyAssignmentDeployVMSSMonitoring = { + definitionId: '/providers/Microsoft.Authorization/policySetDefinitions/75714362-cae7-409e-9b99-a8e5075b7fad' + libDefinition: loadJsonContent('../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_vmss_monitoring.tmpl.json') +} + +var varPolicyAssignmentDeployWSArcMonitoring = { + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/69af7d4a-7b18-4044-93a9-2651498ef203' + libDefinition: loadJsonContent('../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_ws_arc_monitoring.tmpl.json') +} + +var varPolicyAssignmentEnableDDoSVNET = { + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/94de2ad3-e0c1-4caf-ad78-5d47bbc83d3d' + libDefinition: loadJsonContent('../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_enable_ddos_vnet.tmpl.json') +} + +var varPolicyAssignmentEnforceTLSSSL = { + definitionId: '${modManagementGroups.outputs.outTopLevelMGId}/providers/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit' + libDefinition: loadJsonContent('../../policy/assignments/lib/china/policy_assignments/policy_assignment_es_enforce_tls_ssl.tmpl.json') +} + 
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_appgw_without_waf.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_appgw_without_waf.tmpl.json
new file mode 100644
index 0000000..9f1b873
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_appgw_without_waf.tmpl.json
@@ -0,0 +1,22 @@
+{
+ "name": "Deny-AppGW-Without-WAF",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "Deny creation of App Gateway without WAF.",
+ "displayName": "Deny-AppGW-Without-WAF",
+ "notScopes": [],
+ "parameters": {
+ "effect": {
+ "value": "deny"
+ }
+ },
+ "policyDefinitionId": "${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-AppGW-Without-WAF",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "None"
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_http_ingress_aks.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_http_ingress_aks.tmpl.json
new file mode 100644
index 0000000..bc0fa7b
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_http_ingress_aks.tmpl.json
@@ -0,0 +1,22 @@
+{
+ "name": "Enforce-AKS-HTTPS",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "Use of HTTPS ensures authentication and protects data in transit from network layer eavesdropping attacks. This capability is currently generally available for Kubernetes Service (AKS), and in preview for AKS Engine and Azure Arc enabled Kubernetes. For more info, visit https://aka.ms/kubepolicydoc.",
+ "displayName": "Kubernetes clusters should be accessible only over HTTPS",
+ "notScopes": [],
+ "parameters": {
+ "effect": {
+ "value": "deny"
+ }
+ },
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "None"
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_ip_forwarding.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_ip_forwarding.tmpl.json
new file mode 100644
index 0000000..4cae9a5
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_ip_forwarding.tmpl.json
@@ -0,0 +1,18 @@
+{
+ "name": "Deny-IP-Forwarding",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "This policy denies the network interfaces which enabled IP forwarding. The setting of IP forwarding disables Azure's check of the source and destination for a network interface. This should be reviewed by the network security team.",
+ "displayName": "Network interfaces should disable IP forwarding",
+ "notScopes": [],
+ "parameters": {},
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "None"
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_priv_containers_aks.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_priv_containers_aks.tmpl.json
new file mode 100644
index 0000000..439b716
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_priv_containers_aks.tmpl.json
@@ -0,0 +1,22 @@
+{
+ "name": "Deny-Priv-Containers-AKS",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "Do not allow privileged containers creation in a Kubernetes cluster. This recommendation is part of CIS 5.2.1 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.",
+ "displayName": "Kubernetes cluster should not allow privileged containers",
+ "notScopes": [],
+ "parameters": {
+ "effect": {
+ "value": "deny"
+ }
+ },
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/95edb821-ddaf-4404-9732-666045e056b4",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "None"
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_priv_escalation_aks.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_priv_escalation_aks.tmpl.json
new file mode 100644
index 0000000..5aeff9c
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_priv_escalation_aks.tmpl.json
@@ -0,0 +1,22 @@
+{
+ "name": "Deny-Priv-Escalation-AKS",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "Do not allow containers to run with privilege escalation to root in a Kubernetes cluster. This recommendation is part of CIS 5.2.5 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.",
+ "displayName": "Kubernetes clusters should not allow container privilege escalation",
+ "notScopes": [],
+ "parameters": {
+ "effect": {
+ "value": "deny"
+ }
+ },
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1c6e92c9-99f0-4e55-9cf2-0c234dc48f99",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "None"
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_public_endpoints.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_public_endpoints.tmpl.json
new file mode 100644
index 0000000..5fc9b2e
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_public_endpoints.tmpl.json
@@ -0,0 +1,18 @@
+{
+ "name": "Deny-Public-Endpoints",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "This policy initiative is a group of policies that prevents creation of Azure PaaS services with exposed public endpoints.",
+ "displayName": "Public network access should be disabled for PaaS services",
+ "notScopes": [],
+ "parameters": {},
+ "policyDefinitionId": "${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/Deny-PublicPaaSEndpoints",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "None"
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_public_ip.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_public_ip.tmpl.json
new file mode 100644
index 0000000..af5e2e6
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_public_ip.tmpl.json
@@ -0,0 +1,27 @@
+{
+ "name": "Deny-Public-IP",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "This policy denies creation of Public IPs under the assigned scope.",
+ "displayName": "Deny the creation of public IP",
+ "notScopes": [],
+ "parameters": {
+ "effect": {
+ "value": "Deny"
+ },
+ "listOfResourceTypesNotAllowed": {
+ "value": [
+ "Microsoft.Network/publicIPAddresses"
+ ]
+ }
+ },
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "None"
+ }
+}
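Review bot: The `policyDefinitionId` in policy_assignment_es_deny_public_ip.tmpl.json is the built-in `6c112d4e-5bc7-47ae-a041-ea2d9dccd749` with a `listOfResourceTypesNotAllowed` parameter, but `varPolicyAssignmentDenyPublicIP` in `_mc_policyAssignmentsBicepInput.txt` sets `definitionId` to the custom `.../policyDefinitions/Deny-PublicIP`. The README example passes the variable's `definitionId` to the assignment module, so parameters written for one definition may be sent to the other. Depending on how the module merges them, which is not visible here, the assignment would either fail to deploy or leave the public-IP deny unassigned. Make the two agree, for example `definitionId: '/providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749'` in the variable.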
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_rdp_from_internet.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_rdp_from_internet.tmpl.json
new file mode 100644
index 0000000..22eb654
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_rdp_from_internet.tmpl.json
@@ -0,0 +1,22 @@
+{
+ "name": "Deny-RDP-From-Internet",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "This policy denies any network security rule that allows RDP access from Internet.",
+ "displayName": "RDP access from the Internet should be blocked",
+ "notScopes": [],
+ "parameters": {
+ "effect": {
+ "value": "Deny"
+ }
+ },
+ "policyDefinitionId": "${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-RDP-From-Internet",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "None"
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_resource_locations.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_resource_locations.tmpl.json
new file mode 100644
index 0000000..8987d21
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_resource_locations.tmpl.json
@@ -0,0 +1,25 @@
+{
+ "name": "Deny-Resource-Locations",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "Specifies the allowed locations (regions) where Resources can be deployed.",
+ "displayName": "Limit allowed locations for Resources",
+ "notScopes": [],
+ "parameters": {
+ "listOfAllowedLocations": {
+ "value": [
+ "chinanorth",
+ "chinaeast"
+ ]
+ }
+ },
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "None"
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_resource_types.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_resource_types.tmpl.json
new file mode 100644
index 0000000..83077e3
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_resource_types.tmpl.json
@@ -0,0 +1,22 @@
+{
+ "name": "Deny-Resource-Types",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "Specifies the Resource Types to deny deployment by policy.",
+ "displayName": "Deny-Resource-Types",
+ "notScopes": [],
+ "parameters": {
+ "effect": {
+ "value": "deny"
+ }
+ },
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "None"
+ }
+}
\ No newline at end of file
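Review bot: The default `listOfAllowedLocations` in policy_assignment_es_deny_resource_locations.tmpl.json (`chinanorth`, `chinaeast`) does not include `chinaeast2`, which policy_assignment_es_deploy_mdfc_config.tmpl.json in this same commit uses as `ascExportResourceGroupLocation`. The same two-region list is repeated in policy_assignment_es_deny_rsg_locations.tmpl.json. If these defaults are assigned at overlapping scopes without being overridden, the Defender export resource group would presumably be denied by the location policy, so the security export would not deploy. Either align the defaults or state in the library README that the region list must be set per deployment.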
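Review bot: policy_assignment_es_deny_resource_types.tmpl.json sets only `effect` and gives no `listOfResourceTypesNotAllowed`, although the Deny-Public-IP assignment in this commit uses the same definition ID `6c112d4e-5bc7-47ae-a041-ea2d9dccd749` and does supply that list. As written, the assignment names no resource type to block, and whether the deploying template injects a list is not visible here. Add the parameter explicitly with the types the landing zone should deny, or document in the library README that the caller must supply it. Otherwise the assignment can appear in the portal as a guardrail while blocking nothing.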
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_rsg_locations.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_rsg_locations.tmpl.json
new file mode 100644
index 0000000..85ce629
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_rsg_locations.tmpl.json
@@ -0,0 +1,25 @@
+{
+ "name": "Deny-RSG-Locations",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "Specifies the allowed locations (regions) where Resource Groups can be deployed.",
+ "displayName": "Limit allowed locations for Resource Groups",
+ "notScopes": [],
+ "parameters": {
+ "listOfAllowedLocations": {
+ "value": [
+ "chinanorth",
+ "chinaeast"
+ ]
+ }
+ },
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e765b5de-1225-4ba3-bd56-1ac6695af988",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "None"
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_storage_http.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_storage_http.tmpl.json
new file mode 100644
index 0000000..7b7666c
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_storage_http.tmpl.json
@@ -0,0 +1,22 @@
+{
+ "name": "Deny-Storage-http",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.",
+ "displayName": "Secure transfer to storage accounts should be enabled",
+ "notScopes": [],
+ "parameters": {
+ "effect": {
+ "value": "Deny"
+ }
+ },
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "None"
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_subnet_without_nsg.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_subnet_without_nsg.tmpl.json
new file mode 100644
index 0000000..f9dae08
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_subnet_without_nsg.tmpl.json
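Review bot: The `description` in policy_assignment_es_deny_storage_http.tmpl.json opens with "Audit requirement of Secure transfer" while the assignment's `effect` is `Deny`. The description is what operators read in the portal and in compliance exports, so it undersells what this assignment does: requests are blocked, not merely reported. Reword the opening to match the effect, for example `"description": "Deny storage accounts that do not require secure transfer. Secure transfer is an option that ..."`, keeping the rest of the text as it is.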
@@ -0,0 +1,22 @@
+{
+ "name": "Deny-Subnet-Without-Nsg",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "This policy denies the creation of a subnet without a Network Security Group to protect traffic across subnets.",
+ "displayName": "Subnets should have a Network Security Group",
+ "notScopes": [],
+ "parameters": {
+ "effect": {
+ "value": "Deny"
+ }
+ },
+ "policyDefinitionId": "${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Nsg",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "None"
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_subnet_without_udr.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_subnet_without_udr.tmpl.json
new file mode 100644
index 0000000..d005234
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deny_subnet_without_udr.tmpl.json
@@ -0,0 +1,22 @@
+{
+ "name": "Deny-Subnet-Without-Udr",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "This policy denies the creation of a subnet without a User-Defined Route to control traffic flow.",
+ "displayName": "Subnets should have a User-Defined Route",
+ "notScopes": [],
+ "parameters": {
+ "effect": {
+ "value": "Deny"
+ }
+ },
+ "policyDefinitionId": "${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Udr",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "None"
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_aks_policy.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_aks_policy.tmpl.json
new file mode 100644
index 0000000..ce3dade
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_aks_policy.tmpl.json
@@ -0,0 +1,22 @@
+{
+ "name": "Deploy-AKS-Policy",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "Use Azure Policy Add-on to manage and report on the compliance state of your Azure Kubernetes Service (AKS) clusters. For more information, see https://aka.ms/akspolicydoc.",
+ "displayName": "Deploy Azure Policy Add-on to Azure Kubernetes Service clusters",
+ "notScopes": [],
+ "parameters": {
+ "effect": {
+ "value": "DeployIfNotExists"
+ }
+ },
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "SystemAssigned"
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_asc_monitoring.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_asc_monitoring.tmpl.json
new file mode 100644
index 0000000..65e82db
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_asc_monitoring.tmpl.json
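Review bot: policy_assignment_es_deploy_aks_policy.tmpl.json pairs `"identity": { "type": "SystemAssigned" }` with `"location": null`, and the same pairing appears in the Deploy-Log-Analytics, Deploy-LX-Arc-Monitoring and Deploy-MDFC-Config files. Azure requires a location on an assignment that carries a managed identity, and a `DeployIfNotExists` effect only remediates once that identity has been granted the roles the definition requests. Neither step is visible in this commit, so presumably the assignment module supplies both. The library README should say so explicitly, so that anyone consuming these JSON files directly does not end up with an assignment that reports non-compliance but never remediates.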
@@ -0,0 +1,18 @@
+{
+ "name": "Deploy-ASC-Monitoring",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "Enable Monitoring in Microsoft Defender for Cloud.",
+ "displayName": "Enable Monitoring in Microsoft Defender for Cloud",
+ "notScopes": [],
+ "parameters": {},
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "None"
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_log_analytics.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_log_analytics.tmpl.json
new file mode 100644
index 0000000..c01d4dd
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_log_analytics.tmpl.json
@@ -0,0 +1,43 @@
+{
+ "name": "Deploy-Log-Analytics",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "Deploy-Log-Analytics.",
+ "displayName": "Deploy-Log-Analytics",
+ "notScopes": [],
+ "parameters": {
+ "effect": {
+ "value": "DeployIfNotExists"
+ },
+ "workspaceName": {
+ "value": "${parTopLevelManagementGroupPrefix}-la"
+ },
+ "automationAccountName": {
+ "value": "${parTopLevelManagementGroupPrefix}-automation"
+ },
+ "workspaceRegion": {
+ "value": "${parDefaultRegion}"
+ },
+ "automationRegion": {
+ "value": "${parDefaultRegion}"
+ },
+ "dataRetention": {
+ "value": "30"
+ },
+ "sku": {
+ "value": "pergb2018"
+ },
+ "rgName": {
+ "value": "${parTopLevelManagementGroupPrefix}-mgmt"
+ }
+ },
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8e3e61b3-0b32-22d5-4edf-55f87fdb5955",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "SystemAssigned"
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_lx_arc_monitoring.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_lx_arc_monitoring.tmpl.json
new file mode 100644
index 0000000..5694a3e
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_lx_arc_monitoring.tmpl.json
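Review bot: `dataRetention` in policy_assignment_es_deploy_log_analytics.tmpl.json defaults to `"30"`, which is a short window for the workspace that the monitoring assignments in this commit point at. Investigations often need to look back further than a month, and any workspace this policy creates inherits the value unless the caller overrides it. Raise the default to whatever the organisation's log-retention requirement is, or state in the library README that `dataRetention` must be set per deployment. The `description` is also just the assignment name and could instead state what gets deployed.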
@@ -0,0 +1,25 @@
+{
+ "name": "Deploy-LX-Arc-Monitoring",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "Deploy-Linux-Arc-Monitoring.",
+ "displayName": "Deploy-Linux-Arc-Monitoring",
+ "notScopes": [],
+ "parameters": {
+ "effect": {
+ "value": "DeployIfNotExists"
+ },
+ "logAnalytics": {
+ "value": "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/${parTopLevelManagementGroupPrefix}-mgmt/providers/Microsoft.OperationalInsights/workspaces/${parTopLevelManagementGroupPrefix}-la"
+ }
+ },
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9d2b61b4-1d14-4a63-be30-d4498e7ad2cf",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "SystemAssigned"
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_mdfc_config.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_mdfc_config.tmpl.json
new file mode 100644
index 0000000..4e30db4
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_mdfc_config.tmpl.json
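Review bot: The `logAnalytics` value in policy_assignment_es_deploy_lx_arc_monitoring.tmpl.json hard-codes the all-zero subscription ID `00000000-0000-0000-0000-000000000000`, which has no `${...}` token and so cannot be substituted the way the resource-group and workspace names are. If the caller does not override the whole parameter, the `DeployIfNotExists` remediation would target a workspace that does not exist, leaving Arc-connected Linux machines without log collection. Whether an override exists in the orchestration template is not visible here. The library README should list `logAnalytics` as a value that must be replaced, and a pre-deployment check that rejects the all-zero ID would catch the mistake early.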
@@ -0,0 +1,40 @@
+{
+ "name": "Deploy-MDFC-Config",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "Deploy Microsoft Defender for Cloud configuration and Security Contacts",
+ "displayName": "Deploy Microsoft Defender for Cloud configuration",
+ "notScopes": [],
+ "parameters": {
+ "emailSecurityContact": {
+ "value": "security_contact@replace_me"
+ },
+ "logAnalytics": {
+ "value": "law-alz"
+ },
+ "ascExportResourceGroupName": {
+ "value": "asc-export-alz"
+ },
+ "ascExportResourceGroupLocation": {
+ "value": "chinaeast2"
+ },
+ "enableAscForServers": {
+ "value": "DeployIfNotExists"
+ },
+ "enableAscForSql": {
+ "value": "DeployIfNotExists"
+ },
+ "enableAscForContainers": {
+ "value": "DeployIfNotExists"
+ }
+ },
+ "policyDefinitionId": "${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/Deploy-MDFC-Config",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "SystemAssigned"
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_private_dns_zones.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_private_dns_zones.tmpl.json
new file mode 100644
index 0000000..20ad896
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_private_dns_zones.tmpl.json
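Review bot: In Deploy-MDFC-Config, `emailSecurityContact` ships as `security_contact@replace_me`, `logAnalytics` as the bare name `law-alz` and `ascExportResourceGroupLocation` as the literal `chinaeast2`; none of them use the `${parTopLevelManagementGroupPrefix}` / `${parDefaultRegion}` tokens the neighbouring assignments use. If the deployment does not override them, Defender for Cloud notifications go to an address nobody reads, and the export refers to a workspace name that differs from the `...-la` workspace the other assignments reference. I would tokenise the region (`"value": "${parDefaultRegion}"`) and the workspace, and have the deployment fail while the contact still contains `replace_me`; whether such a check exists elsewhere is not visible in this hunk.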
@@ -0,0 +1,82 @@ +{ + "name": "Deploy-Private-DNS-Zones", + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2019-09-01", + "properties": { + "description": "This policy initiative is a group of policies that ensures private endpoints to Azure PaaS services are integrated with Azure Private DNS zones.", + "displayName": "Configure Azure PaaS services to use private DNS zones", + "notScopes": [], + "parameters": { + "effect": { + "value": "DeployIfNotExists" + }, + "azureFilePrivateDnsZoneId": { + "value": "${private_dns_zone_prefix}privatelink.afs.azure.net" + }, + "azureWebPrivateDnsZoneId": { + "value": "${private_dns_zone_prefix}privatelink.webpubsub.azure.com" + }, + "azureBatchPrivateDnsZoneId": { + "value": "${private_dns_zone_prefix}privatelink.${parDefaultRegion}.batch.azure.com" + }, + "azureAppPrivateDnsZoneId": { + "value": "${private_dns_zone_prefix}privatelink.azconfig.io" + }, + "azureAsrPrivateDnsZoneId": { + "value": "${private_dns_zone_prefix}${parDefaultRegion}.privatelink.siterecovery.windowsazure.com" + }, + "azureIoTPrivateDnsZoneId": { + "value": "${private_dns_zone_prefix}privatelink.azure-devices-provisioning.net" + }, + "azureKeyVaultPrivateDnsZoneId": { + "value": "${private_dns_zone_prefix}privatelink.vaultcore.azure.net" + }, + "azureSignalRPrivateDnsZoneId": { + "value": "${private_dns_zone_prefix}privatelink.service.signalr.net" + }, + "azureAppServicesPrivateDnsZoneId": { + "value": "${private_dns_zone_prefix}privatelink.azurewebsites.net" + }, + "azureEventGridTopicsPrivateDnsZoneId": { + "value": "${private_dns_zone_prefix}privatelink.eventgrid.azure.net" + }, + "azureDiskAccessPrivateDnsZoneId": { + "value": "${private_dns_zone_prefix}privatelink.blob.core.windows.net" + }, + "azureCognitiveServicesPrivateDnsZoneId": { + "value": "${private_dns_zone_prefix}privatelink.cognitiveservices.azure.com" + }, + "azureIotHubsPrivateDnsZoneId": { + "value": "${private_dns_zone_prefix}privatelink.azure-devices.net" + }, + 
"azureEventGridDomainsPrivateDnsZoneId": { + "value": "${private_dns_zone_prefix}privatelink.eventgrid.azure.net" + }, + "azureRedisCachePrivateDnsZoneId": { + "value": "${private_dns_zone_prefix}privatelink.redis.cache.windows.net" + }, + "azureAcrPrivateDnsZoneId": { + "value": "${private_dns_zone_prefix}privatelink.azurecr.io" + }, + "azureEventHubNamespacePrivateDnsZoneId": { + "value": "${private_dns_zone_prefix}privatelink.servicebus.windows.net" + }, + "azureMachineLearningWorkspacePrivateDnsZoneId": { + "value": "${private_dns_zone_prefix}privatelink.api.azureml.ms" + }, + "azureServiceBusNamespacePrivateDnsZoneId": { + "value": "${private_dns_zone_prefix}privatelink.servicebus.windows.net" + }, + "azureCognitiveSearchPrivateDnsZoneId": { + "value": "${private_dns_zone_prefix}privatelink.search.windows.net" + } + }, + "policyDefinitionId": "${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/Deploy-Private-DNS-Zones", + "scope": null, + "enforcementMode": "Default" + }, + "location": null, + "identity": { + "type": "SystemAssigned" + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_resource_diag.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_resource_diag.tmpl.json new file mode 100644 index 0000000..5ba3100 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_resource_diag.tmpl.json 
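Review bot: Every zone id in this `lib/china` Deploy-Private-DNS-Zones assignment ends in a global-cloud private-link name (`privatelink.vaultcore.azure.net`, `privatelink.blob.core.windows.net`, `privatelink.azurecr.io` and so on). As far as I know the Azure China cloud uses its own suffixes for these zones, so if the values are applied as written the DeployIfNotExists policies would register private endpoints in zones that clients in that cloud do not resolve, and traffic could fall back to public endpoints. I would check each name against the China zone list before release. Separately, `${private_dns_zone_prefix}` is spelled unlike the `${par…}` and `${var…}` tokens in the other files, so it is worth confirming that the module actually replaces it.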
@@ -0,0 +1,22 @@ +{ + "name": "Deploy-Resource-Diag", + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2019-09-01", + "properties": { + "description": "Ensures that Azure resources are configured to forward diagnostic logs and metrics to an Azure Log Analytics workspace.", + "displayName": "Deploy-Resource-Diag", + "notScopes": [], + "parameters": { + "logAnalytics": { + "value": "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/${parTopLevelManagementGroupPrefix}-mgmt/providers/Microsoft.OperationalInsights/workspaces/${parTopLevelManagementGroupPrefix}-la" + } + }, + "policyDefinitionId": "${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/Deploy-Diagnostics-LogAnalytics", + "scope": null, + "enforcementMode": "Default" + }, + "location": null, + "identity": { + "type": "SystemAssigned" + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_sql_db_auditing.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_sql_db_auditing.tmpl.json new file mode 100644 index 0000000..2ada695 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_sql_db_auditing.tmpl.json 
@@ -0,0 +1,22 @@ +{ + "name": "Deploy-SQL-DB-Auditing", + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2019-09-01", + "properties": { + "description": "Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log.", + "displayName": "Auditing on SQL server should be enabled", + "notScopes": [], + "parameters": { + "effect": { + "value": "AuditIfNotExists" + } + }, + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9", + "scope": null, + "enforcementMode": "Default" + }, + "location": null, + "identity": { + "type": "SystemAssigned" + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_sql_security.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_sql_security.tmpl.json new file mode 100644 index 0000000..fb7ca3e --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_sql_security.tmpl.json @@ -0,0 +1,22 @@ +{ + "name": "Deploy-SQL-Security", + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2019-09-01", + "properties": { + "description": "Deploy-SQL-Security.", + "displayName": "Deploy-SQL-Security", + "notScopes": [], + "parameters": { + "effect": { + "value": "DeployIfNotExists" + } + }, + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86a912f6-9a06-4e26-b447-11b16ba8659f", + "scope": null, + "enforcementMode": "Default" + }, + "location": null, + "identity": { + "type": "SystemAssigned" + } +} \ No newline at end of file 
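Review bot: Deploy-SQL-DB-Auditing (the first hunk on this line) sets `effect` to `AuditIfNotExists` but still requests `"identity": { "type": "SystemAssigned" }`. An audit-only assignment performs no remediation, so the managed identity is an extra principal with no task; the audit-only assignments under `lib/policy_assignments` later in this commit use `"type": "None"`. I would use `"type": "None"` here as well, or rename the assignment if a deploy effect was intended, because the name says Deploy while the effect only reports.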
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_sql_threat.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_sql_threat.tmpl.json
new file mode 100644
index 0000000..b290550
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_sql_threat.tmpl.json
@@ -0,0 +1,18 @@
+{
+ "name": "Deploy-SQL-Threat",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "This policy ensures that Threat Detection is enabled on SQL Servers.",
+ "displayName": "Deploy Threat Detection on SQL servers",
+ "notScopes": [],
+ "parameters": {},
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/36d49e87-48c4-4f2e-beed-ba4ed02b71f5",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "SystemAssigned"
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_vm_backup.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_vm_backup.tmpl.json
new file mode 100644
index 0000000..fb2f295
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_vm_backup.tmpl.json
@@ -0,0 +1,22 @@ +{ + "name": "Deploy-VM-Backup", + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2019-09-01", + "properties": { + "description": "Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupExcludeTag.", + "displayName": "Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy", + "notScopes": [], + "parameters": { + "effect": { + "value": "deployIfNotExists" + } + }, + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/98d0b9f8-fd90-49c9-88e2-d3baf3b0dd86", + "scope": null, + "enforcementMode": "Default" + }, + "location": null, + "identity": { + "type": "SystemAssigned" + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_vm_monitoring.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_vm_monitoring.tmpl.json new file mode 100644 index 0000000..738007b --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_vm_monitoring.tmpl.json 
@@ -0,0 +1,22 @@ +{ + "name": "Deploy-VM-Monitoring", + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2019-09-01", + "properties": { + "description": "Enable Azure Monitor for the virtual machines (VMs) in the specified scope (management group, subscription or resource group). Takes Log Analytics workspace as parameter.", + "displayName": "Enable Azure Monitor for VMs", + "notScopes": [], + "parameters": { + "logAnalytics_1": { + "value": "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/${parTopLevelManagementGroupPrefix}-mgmt/providers/Microsoft.OperationalInsights/workspaces/${parTopLevelManagementGroupPrefix}-la" + } + }, + "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/55f3eceb-5573-4f18-9695-226972c6d74a", + "scope": null, + "enforcementMode": "Default" + }, + "location": null, + "identity": { + "type": "SystemAssigned" + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_vmss_monitoring.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_vmss_monitoring.tmpl.json new file mode 100644 index 0000000..a6e1442 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_vmss_monitoring.tmpl.json 
@@ -0,0 +1,22 @@ +{ + "name": "Deploy-VMSS-Monitoring", + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2019-09-01", + "properties": { + "description": "Enable Azure Monitor for the Virtual Machine Scale Sets in the specified scope (Management group, Subscription or resource group). Takes Log Analytics workspace as parameter. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all VMs in the set by calling upgrade on them. In CLI this would be az vmss update-instances.", + "displayName": "Enable Azure Monitor for Virtual Machine Scale Sets", + "notScopes": [], + "parameters": { + "logAnalytics_1": { + "value": "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/${parTopLevelManagementGroupPrefix}-mgmt/providers/Microsoft.OperationalInsights/workspaces/${parTopLevelManagementGroupPrefix}-la" + } + }, + "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/75714362-cae7-409e-9b99-a8e5075b7fad", + "scope": null, + "enforcementMode": "Default" + }, + "location": null, + "identity": { + "type": "SystemAssigned" + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_ws_arc_monitoring.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_ws_arc_monitoring.tmpl.json new file mode 100644 index 0000000..5ee6284 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_deploy_ws_arc_monitoring.tmpl.json 
@@ -0,0 +1,25 @@ +{ + "name": "Deploy-WS-Arc-Monitoring", + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2019-09-01", + "properties": { + "description": "Deploys the Log Analytics agent to Windows Azure Arc machines if the agent isn't installed.", + "displayName": "Deploy-Windows-Arc-Monitoring", + "notScopes": [], + "parameters": { + "effect": { + "value": "DeployIfNotExists" + }, + "logAnalytics": { + "value": "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/${parTopLevelManagementGroupPrefix}-mgmt/providers/Microsoft.OperationalInsights/workspaces/${parTopLevelManagementGroupPrefix}-la" + } + }, + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/69af7d4a-7b18-4044-93a9-2651498ef203", + "scope": null, + "enforcementMode": "Default" + }, + "location": null, + "identity": { + "type": "SystemAssigned" + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_enable_ddos_vnet.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_enable_ddos_vnet.tmpl.json new file mode 100644 index 0000000..631e914 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_enable_ddos_vnet.tmpl.json 
@@ -0,0 +1,25 @@ +{ + "name": "Enable-DDoS-VNET", + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2019-09-01", + "properties": { + "description": "Protect your virtual networks against volumetric and protocol attacks with Azure DDoS Protection Standard. For more information, visit https://aka.ms/ddosprotectiondocs.", + "displayName": "Virtual networks should be protected by Azure DDoS Protection Standard", + "notScopes": [], + "parameters": { + "effect": { + "value": "Modify" + }, + "ddosPlan": { + "value": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/${parTopLevelManagementGroupPrefix}-mgmt/providers/Microsoft.Network/ddosProtectionPlans/${parTopLevelManagementGroupPrefix}-ddos" + } + }, + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/94de2ad3-e0c1-4caf-ad78-5d47bbc83d3d", + "scope": null, + "enforcementMode": "Default" + }, + "location": null, + "identity": { + "type": "SystemAssigned" + } +} diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_enforce_tls_ssl.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_enforce_tls_ssl.tmpl.json new file mode 100644 index 0000000..96ff96f --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/china/policy_assignments/policy_assignment_es_enforce_tls_ssl.tmpl.json 
@@ -0,0 +1,18 @@
+{
+ "name": "Enforce-TLS-SSL",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "Choose either Deploy if not exist and append in combination with audit or Select Deny in the Policy effect. Deny polices shift left. Deploy if not exist and append enforce but can be changed, and because missing exsistense condition require then the combination of Audit.",
+ "displayName": "Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit",
+ "notScopes": [],
+ "parameters": {},
+ "policyDefinitionId": "${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "SystemAssigned"
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_audit_appgw_waf.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_audit_appgw_waf.tmpl.json
new file mode 100644
index 0000000..18e58bc
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_audit_appgw_waf.tmpl.json
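Review bot: The `description` of Enforce-TLS-SSL is the only operator-facing explanation of this assignment and it is hard to follow ("Deny polices shift left", "missing exsistense condition"). Because `parameters` is `{}`, the effect each member policy applies comes entirely from the defaults of the `Enforce-EncryptTransit` set definition, which is not part of this hunk. I would reword it along the lines of `"description": "Enforces encryption in transit (TLS/SSL) on supported resources. Choose Deny, or DeployIfNotExists/Append combined with Audit, per policy."` and state the intended effects explicitly in `parameters` instead of relying on defaults.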
@@ -0,0 +1,22 @@ +{ + "name": "Audit-AppGW-WAF", + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2019-09-01", + "properties": { + "description": "Assign the WAF should be enabled for Application Gateway audit policy.", + "displayName": "Web Application Firewall (WAF) should be enabled for Application Gateway", + "notScopes": [], + "parameters": { + "effect": { + "value": "Audit" + } + }, + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/564feb30-bf6a-4854-b4bb-0d2d2d1e6c66", + "scope": null, + "enforcementMode": "Default" + }, + "location": null, + "identity": { + "type": "None" + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_audit_pednszones.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_audit_pednszones.tmpl.json new file mode 100644 index 0000000..b7b2c60 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_audit_pednszones.tmpl.json 
@@ -0,0 +1,89 @@ +{ + "name": "Audit-PeDnsZones", + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2019-09-01", + "properties": { + "description": "Audits the deployment of Private Link Private DNS Zone resources in the Corp landing zone.", + "displayName": "Audit Private Link Private DNS Zone resources", + "notScopes": [], + "parameters": { + "privateLinkDnsZones": { + "value": [ + "privatelink.adf.azure.com", + "privatelink.afs.azure.net", + "privatelink.agentsvc.azure-automation.net", + "privatelink.analysis.windows.net", + "privatelink.api.azureml.ms", + "privatelink.azconfig.io", + "privatelink.azure-api.net", + "privatelink.azure-automation.net", + "privatelink.azurecr.io", + "privatelink.azure-devices.net", + "privatelink.azure-devices-provisioning.net", + "privatelink.azurehdinsight.net", + "privatelink.azurehealthcareapis.com", + "privatelink.azurestaticapps.net", + "privatelink.azuresynapse.net", + "privatelink.azurewebsites.net", + "privatelink.batch.azure.com", + "privatelink.blob.core.windows.net", + "privatelink.cassandra.cosmos.azure.com", + "privatelink.cognitiveservices.azure.com", + "privatelink.database.windows.net", + "privatelink.datafactory.azure.net", + "privatelink.dev.azuresynapse.net", + "privatelink.dfs.core.windows.net", + "privatelink.dicom.azurehealthcareapis.com", + "privatelink.digitaltwins.azure.net", + "privatelink.directline.botframework.com", + "privatelink.documents.azure.com", + "privatelink.eventgrid.azure.net", + "privatelink.file.core.windows.net", + "privatelink.gremlin.cosmos.azure.com", + "privatelink.guestconfiguration.azure.com", + "privatelink.his.arc.azure.com", + "privatelink.kubernetesconfiguration.azure.com", + "privatelink.managedhsm.azure.net", + "privatelink.mariadb.database.azure.com", + "privatelink.media.azure.net", + "privatelink.mongo.cosmos.azure.com", + "privatelink.monitor.azure.com", + "privatelink.mysql.database.azure.com", + "privatelink.notebooks.azure.net", + 
"privatelink.ods.opinsights.azure.com", + "privatelink.oms.opinsights.azure.com", + "privatelink.pbidedicated.windows.net", + "privatelink.postgres.database.azure.com", + "privatelink.prod.migration.windowsazure.com", + "privatelink.purview.azure.com", + "privatelink.purviewstudio.azure.com", + "privatelink.queue.core.windows.net", + "privatelink.redis.cache.windows.net", + "privatelink.redisenterprise.cache.azure.net", + "privatelink.search.windows.net", + "privatelink.service.signalr.net", + "privatelink.servicebus.windows.net", + "privatelink.siterecovery.windowsazure.com", + "privatelink.sql.azuresynapse.net", + "privatelink.table.core.windows.net", + "privatelink.table.cosmos.azure.com", + "privatelink.tip1.powerquery.microsoft.com", + "privatelink.token.botframework.com", + "privatelink.vaultcore.azure.net", + "privatelink.web.core.windows.net", + "privatelink.webpubsub.azure.com" + ] + }, + "effect": { + "value": "Audit" + } + }, + "policyDefinitionId": "${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Audit-PrivateLinkDnsZones", + "scope": null, + "enforcementMode": "Default" + }, + "location": null, + "identity": { + "type": "None" + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_audit_unusedresources.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_audit_unusedresources.tmpl.json new file mode 100644 index 0000000..a7403f5 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_audit_unusedresources.tmpl.json 
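Review bot: The `privateLinkDnsZones` list in Audit-PeDnsZones names `privatelink.batch.azure.com` and `privatelink.siterecovery.windowsazure.com` without a region, while Deploy-Private-DNS-Zones in this same commit builds those two zones with a region component (`privatelink.${parDefaultRegion}.batch.azure.com`, `${parDefaultRegion}.privatelink.siterecovery.windowsazure.com`). If the `Audit-PrivateLinkDnsZones` definition compares zone names exactly (it is not shown here), regional zones created inside a Corp landing zone would not be reported by this audit. I would check the definition's match condition and, if it is an exact match, add the regional forms to the list or document the gap.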
@@ -0,0 +1,28 @@ +{ + "name": "Audit-UnusedResources", + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2019-09-01", + "properties": { + "description": "This Policy initiative is a group of Policy definitions that help optimize cost by detecting unused but chargeable resources. Leverage this Policy initiative as a cost control to reveal orphaned resources that are driving cost.", + "displayName": "Unused resources driving cost should be avoided", + "notScopes": [], + "parameters": { + "EffectDisks": { + "value": "Audit" + }, + "EffectPublicIpAddresses": { + "value": "Audit" + }, + "EffectServerFarms": { + "value": "Audit" + } + }, + "policyDefinitionId": "${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/Audit-UnusedResourcesCostOptimization", + "scope": null, + "enforcementMode": "Default" + }, + "location": null, + "identity": { + "type": "None" + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_appgw_without_waf.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_appgw_without_waf.tmpl.json new file mode 100644 index 0000000..9f1b873 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_appgw_without_waf.tmpl.json 
@@ -0,0 +1,22 @@ +{ + "name": "Deny-AppGW-Without-WAF", + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2019-09-01", + "properties": { + "description": "Deny creation of App Gateway without WAF.", + "displayName": "Deny-AppGW-Without-WAF", + "notScopes": [], + "parameters": { + "effect": { + "value": "deny" + } + }, + "policyDefinitionId": "${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-AppGW-Without-WAF", + "scope": null, + "enforcementMode": "Default" + }, + "location": null, + "identity": { + "type": "None" + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_classic-resources.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_classic-resources.tmpl.json new file mode 100644 index 0000000..34d0de8 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_classic-resources.tmpl.json 
@@ -0,0 +1,83 @@ +{ + "name": "Deny-Classic-Resources", + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2019-09-01", + "properties": { + "description": "Denies deployment of classic resource types under the assigned scope.", + "displayName": "Deny the deployment of classic resources", + "notScopes": [], + "parameters": { + "listOfResourceTypesNotAllowed": { + "value": [ + "Microsoft.ClassicCompute/capabilities", + "Microsoft.ClassicCompute/checkDomainNameAvailability", + "Microsoft.ClassicCompute/domainNames", + "Microsoft.ClassicCompute/domainNames/capabilities", + "Microsoft.ClassicCompute/domainNames/internalLoadBalancers", + "Microsoft.ClassicCompute/domainNames/serviceCertificates", + "Microsoft.ClassicCompute/domainNames/slots", + "Microsoft.ClassicCompute/domainNames/slots/roles", + "Microsoft.ClassicCompute/domainNames/slots/roles/metricDefinitions", + "Microsoft.ClassicCompute/domainNames/slots/roles/metrics", + "Microsoft.ClassicCompute/moveSubscriptionResources", + "Microsoft.ClassicCompute/operatingSystemFamilies", + "Microsoft.ClassicCompute/operatingSystems", + "Microsoft.ClassicCompute/operations", + "Microsoft.ClassicCompute/operationStatuses", + "Microsoft.ClassicCompute/quotas", + "Microsoft.ClassicCompute/resourceTypes", + "Microsoft.ClassicCompute/validateSubscriptionMoveAvailability", + "Microsoft.ClassicCompute/virtualMachines", + "Microsoft.ClassicCompute/virtualMachines/diagnosticSettings", + "Microsoft.ClassicCompute/virtualMachines/metricDefinitions", + "Microsoft.ClassicCompute/virtualMachines/metrics", + "Microsoft.ClassicInfrastructureMigrate/classicInfrastructureResources", + "Microsoft.ClassicNetwork/capabilities", + "Microsoft.ClassicNetwork/expressRouteCrossConnections", + "Microsoft.ClassicNetwork/expressRouteCrossConnections/peerings", + "Microsoft.ClassicNetwork/gatewaySupportedDevices", + "Microsoft.ClassicNetwork/networkSecurityGroups", + "Microsoft.ClassicNetwork/operations", + 
"Microsoft.ClassicNetwork/quotas", + "Microsoft.ClassicNetwork/reservedIps", + "Microsoft.ClassicNetwork/virtualNetworks", + "Microsoft.ClassicNetwork/virtualNetworks/remoteVirtualNetworkPeeringProxies", + "Microsoft.ClassicNetwork/virtualNetworks/virtualNetworkPeerings", + "Microsoft.ClassicStorage/capabilities", + "Microsoft.ClassicStorage/checkStorageAccountAvailability", + "Microsoft.ClassicStorage/disks", + "Microsoft.ClassicStorage/images", + "Microsoft.ClassicStorage/operations", + "Microsoft.ClassicStorage/osImages", + "Microsoft.ClassicStorage/osPlatformImages", + "Microsoft.ClassicStorage/publicImages", + "Microsoft.ClassicStorage/quotas", + "Microsoft.ClassicStorage/storageAccounts", + "Microsoft.ClassicStorage/storageAccounts/blobServices", + "Microsoft.ClassicStorage/storageAccounts/fileServices", + "Microsoft.ClassicStorage/storageAccounts/metricDefinitions", + "Microsoft.ClassicStorage/storageAccounts/metrics", + "Microsoft.ClassicStorage/storageAccounts/queueServices", + "Microsoft.ClassicStorage/storageAccounts/services", + "Microsoft.ClassicStorage/storageAccounts/services/diagnosticSettings", + "Microsoft.ClassicStorage/storageAccounts/services/metricDefinitions", + "Microsoft.ClassicStorage/storageAccounts/services/metrics", + "Microsoft.ClassicStorage/storageAccounts/tableServices", + "Microsoft.ClassicStorage/storageAccounts/vmImages", + "Microsoft.ClassicStorage/vmImages", + "Microsoft.ClassicSubscription/operations" + ] + }, + "effect": { + "value": "Deny" + } + }, + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749", + "scope": null, + "enforcementMode": "Default" + }, + "location": null, + "identity": { + "type": "None" + } +} \ No newline at end of file 
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_databricks_public_ip.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_databricks_public_ip.tmpl.json new file mode 100644 index 0000000..220c4ef --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_databricks_public_ip.tmpl.json @@ -0,0 +1,22 @@ +{ + "name": "Deny-DataB-Pip", + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2019-09-01", + "properties": { + "description": "Prevent the deployment of Databricks workspaces that do not use the noPublicIp feature to host Databricks clusters without public IPs.", + "displayName": "Prevent usage of Databricks with public IP", + "notScopes": [], + "parameters": { + "effect": { + "value": "Deny" + } + }, + "policyDefinitionId": "${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Databricks-NoPublicIp", + "scope": null, + "enforcementMode": "Default" + }, + "location": null, + "identity": { + "type": "None" + } +} diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_databricks_sku.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_databricks_sku.tmpl.json new file mode 100644 index 0000000..47c94a0 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_databricks_sku.tmpl.json 
@@ -0,0 +1,22 @@
+{
+ "name": "Deny-DataB-Sku",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "Enforces the use of Premium Databricks workspaces to make sure appropriate security features are available including Databricks Access Controls, Credential Passthrough and SCIM provisioning for AAD.",
+ "displayName": "Enforces the use of Premium Databricks workspaces",
+ "notScopes": [],
+ "parameters": {
+ "effect": {
+ "value": "Deny"
+ }
+ },
+ "policyDefinitionId": "${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Databricks-Sku",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "None"
+ }
+}
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_databricks_vnet.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_databricks_vnet.tmpl.json
new file mode 100644
index 0000000..0b531c9
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_databricks_vnet.tmpl.json
@@ -0,0 +1,22 @@
+{
+ "name": "Deny-DataB-Vnet",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "Enforces the use of vnet injection for Databricks workspaces.",
+ "displayName": "Enforces the use of vnet injection for Databricks",
+ "notScopes": [],
+ "parameters": {
+ "effect": {
+ "value": "Deny"
+ }
+ },
+ "policyDefinitionId": "${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Databricks-VirtualNetwork",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "None"
+ }
+}
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_http_ingress_aks.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_http_ingress_aks.tmpl.json
new file mode 100644
index 0000000..bc0fa7b
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_http_ingress_aks.tmpl.json
@@ -0,0 +1,22 @@
+{
+ "name": "Enforce-AKS-HTTPS",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "Use of HTTPS ensures authentication and protects data in transit from network layer eavesdropping attacks. This capability is currently generally available for Kubernetes Service (AKS), and in preview for AKS Engine and Azure Arc enabled Kubernetes. For more info, visit https://aka.ms/kubepolicydoc.",
+ "displayName": "Kubernetes clusters should be accessible only over HTTPS",
+ "notScopes": [],
+ "parameters": {
+ "effect": {
+ "value": "deny"
+ }
+ },
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "None"
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_hybridnetworking.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_hybridnetworking.tmpl.json
new file mode 100644
index 0000000..da636ae
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_hybridnetworking.tmpl.json
@@ -0,0 +1,34 @@
+{
+ "name": "Deny-HybridNetworking",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "Denies deployment of vWAN/ER/VPN gateway resources in the Corp landing zone.",
+ "displayName": "Deny the deployment of vWAN/ER/VPN gateway resources",
+ "notScopes": [],
+ "parameters": {
+ "listOfResourceTypesNotAllowed": {
+ "value": [
+ "microsoft.network/expressroutecircuits",
+ "microsoft.network/expressroutegateways",
+ "microsoft.network/expressrouteports",
+ "microsoft.network/virtualwans",
+ "microsoft.network/vpngateways",
+ "microsoft.network/p2svpngateways",
+ "microsoft.network/vpnsites",
+ "microsoft.network/virtualnetworkgateways"
+ ]
+ },
+ "effect": {
+ "value": "Deny"
+ }
+ },
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "None"
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_ip_forwarding.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_ip_forwarding.tmpl.json
new file mode 100644
index 0000000..4cae9a5
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_ip_forwarding.tmpl.json
@@ -0,0 +1,18 @@
+{
+ "name": "Deny-IP-Forwarding",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "This policy denies the network interfaces which enabled IP forwarding. The setting of IP forwarding disables Azure's check of the source and destination for a network interface. This should be reviewed by the network security team.",
+ "displayName": "Network interfaces should disable IP forwarding",
+ "notScopes": [],
+ "parameters": {},
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "None"
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_mgmtports_internet.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_mgmtports_internet.tmpl.json
new file mode 100644
index 0000000..148623c
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_mgmtports_internet.tmpl.json
@@ -0,0 +1,22 @@
+{
+ "name": "Deny-MgmtPorts-Internet",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "This policy denies any network security rule that allows management port access from the Internet",
+ "displayName": "Management port access from the Internet should be blocked",
+ "notScopes": [],
+ "parameters": {
+ "effect": {
+ "value": "Deny"
+ }
+ },
+ "policyDefinitionId": "${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-MgmtPorts-From-Internet",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "None"
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_priv_containers_aks.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_priv_containers_aks.tmpl.json
new file mode 100644
index 0000000..439b716
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_priv_containers_aks.tmpl.json
@@ -0,0 +1,22 @@
+{
+ "name": "Deny-Priv-Containers-AKS",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "Do not allow privileged containers creation in a Kubernetes cluster. This recommendation is part of CIS 5.2.1 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.",
+ "displayName": "Kubernetes cluster should not allow privileged containers",
+ "notScopes": [],
+ "parameters": {
+ "effect": {
+ "value": "deny"
+ }
+ },
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/95edb821-ddaf-4404-9732-666045e056b4",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "None"
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_priv_escalation_aks.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_priv_escalation_aks.tmpl.json
new file mode 100644
index 0000000..5aeff9c
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_priv_escalation_aks.tmpl.json
@@ -0,0 +1,22 @@
+{
+ "name": "Deny-Priv-Escalation-AKS",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "Do not allow containers to run with privilege escalation to root in a Kubernetes cluster. This recommendation is part of CIS 5.2.5 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.",
+ "displayName": "Kubernetes clusters should not allow container privilege escalation",
+ "notScopes": [],
+ "parameters": {
+ "effect": {
+ "value": "deny"
+ }
+ },
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1c6e92c9-99f0-4e55-9cf2-0c234dc48f99",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "None"
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_public_endpoints.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_public_endpoints.tmpl.json
new file mode 100644
index 0000000..5fc9b2e
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_public_endpoints.tmpl.json
@@ -0,0 +1,18 @@
+{
+ "name": "Deny-Public-Endpoints",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "This policy initiative is a group of policies that prevents creation of Azure PaaS services with exposed public endpoints.",
+ "displayName": "Public network access should be disabled for PaaS services",
+ "notScopes": [],
+ "parameters": {},
+ "policyDefinitionId": "${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/Deny-PublicPaaSEndpoints",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "None"
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_public_ip.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_public_ip.tmpl.json
new file mode 100644
index 0000000..af5e2e6
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_public_ip.tmpl.json
@@ -0,0 +1,27 @@
+{
+ "name": "Deny-Public-IP",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "This policy denies creation of Public IPs under the assigned scope.",
+ "displayName": "Deny the creation of public IP",
+ "notScopes": [],
+ "parameters": {
+ "effect": {
+ "value": "Deny"
+ },
+ "listOfResourceTypesNotAllowed": {
+ "value": [
+ "Microsoft.Network/publicIPAddresses"
+ ]
+ }
+ },
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "None"
+ }
+}
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_public_ip_on_nic.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_public_ip_on_nic.tmpl.json
new file mode 100644
index 0000000..0bc8703
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_public_ip_on_nic.tmpl.json
@@ -0,0 +1,18 @@
+{
+ "name": "Deny-Public-IP-On-NIC",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "This policy denies network interfaces from having a public IP associated to it under the assigned scope.",
+ "displayName": "Deny network interfaces having a public IP associated",
+ "notScopes": [],
+ "parameters": {},
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/83a86a26-fd1f-447c-b59d-e51f44264114",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "None"
+ }
+}
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_rdp_from_internet.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_rdp_from_internet.tmpl.json
new file mode 100644
index 0000000..22eb654
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_rdp_from_internet.tmpl.json
@@ -0,0 +1,22 @@
+{
+ "name": "Deny-RDP-From-Internet",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "This policy denies any network security rule that allows RDP access from Internet.",
+ "displayName": "RDP access from the Internet should be blocked",
+ "notScopes": [],
+ "parameters": {
+ "effect": {
+ "value": "Deny"
+ }
+ },
+ "policyDefinitionId": "${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-RDP-From-Internet",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "None"
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_resource_locations.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_resource_locations.tmpl.json
new file mode 100644
index 0000000..ce36f68
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_resource_locations.tmpl.json
@@ -0,0 +1,25 @@
+{
+ "name": "Deny-Resource-Locations",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "Specifies the allowed locations (regions) where Resources can be deployed.",
+ "displayName": "Limit allowed locations for Resources",
+ "notScopes": [],
+ "parameters": {
+ "listOfAllowedLocations": {
+ "value": [
+ "uksouth",
+ "ukwest"
+ ]
+ }
+ },
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "None"
+ }
+}
\ No newline at end of file
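Review bot: `Deny-Resource-Locations` hard-codes `listOfAllowedLocations` to `uksouth` and `ukwest`, and `Deny-RSG-Locations` later in this patch repeats the same pair, while `Deploy-Log-Analytics` takes its region from the `${parDefaultRegion}` token. If the consuming module does not override the list (the override is not visible in these hunks), a tenant with a different default region gets its platform deployments denied, or has the guardrail loosened ad hoc to get unblocked. I would either build the list from the same token, e.g. `"value": [ "${parDefaultRegion}" ]`, or say in `description` that the allowed regions must be set per environment before assignment.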
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_resource_types.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_resource_types.tmpl.json
new file mode 100644
index 0000000..83077e3
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_resource_types.tmpl.json
@@ -0,0 +1,22 @@
+{
+ "name": "Deny-Resource-Types",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "Specifies the Resource Types to deny deployment by policy.",
+ "displayName": "Deny-Resource-Types",
+ "notScopes": [],
+ "parameters": {
+ "effect": {
+ "value": "deny"
+ }
+ },
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "None"
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_rsg_locations.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_rsg_locations.tmpl.json
new file mode 100644
index 0000000..bf27cdb
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_rsg_locations.tmpl.json
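Review bot: The `Deny-Resource-Types` assignment sets `effect` to `deny` but passes no `listOfResourceTypesNotAllowed`, although it points at the same definition (`6c112d4e-5bc7-47ae-a041-ea2d9dccd749`) that `Deny-Public-IP` and `Deny-HybridNetworking` in this patch call with that list. Unless the consuming module injects the list at deployment, which is not visible here, the assignment either fails validation or denies nothing while still showing up as an active guardrail. I would add an explicit `"listOfResourceTypesNotAllowed": { "value": [] }` entry and state in `description` that the list has to be supplied per environment. The `displayName` also just repeats the assignment name; the other deny assignments use a sentence there.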
@@ -0,0 +1,25 @@
+{
+ "name": "Deny-RSG-Locations",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "Specifies the allowed locations (regions) where Resource Groups can be deployed.",
+ "displayName": "Limit allowed locations for Resource Groups",
+ "notScopes": [],
+ "parameters": {
+ "listOfAllowedLocations": {
+ "value": [
+ "uksouth",
+ "ukwest"
+ ]
+ }
+ },
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e765b5de-1225-4ba3-bd56-1ac6695af988",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "None"
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_storage_http.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_storage_http.tmpl.json
new file mode 100644
index 0000000..7b7666c
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_storage_http.tmpl.json
@@ -0,0 +1,22 @@
+{
+ "name": "Deny-Storage-http",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.",
+ "displayName": "Secure transfer to storage accounts should be enabled",
+ "notScopes": [],
+ "parameters": {
+ "effect": {
+ "value": "Deny"
+ }
+ },
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "None"
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_subnet_without_nsg.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_subnet_without_nsg.tmpl.json
new file mode 100644
index 0000000..f9dae08
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_subnet_without_nsg.tmpl.json
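Review bot: The `description` of `Deny-Storage-http` opens with "Audit requirement of Secure transfer in your storage account" while `effect` is `Deny`, so the text shown next to the assignment understates what it does. Someone triaging a failed storage deployment would read "audit" and look elsewhere for the block. I would change the first sentence to `Deny storage accounts that do not have secure transfer (HTTPS only) enabled.` and keep the rest of the description as it is.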
@@ -0,0 +1,22 @@
+{
+ "name": "Deny-Subnet-Without-Nsg",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "This policy denies the creation of a subnet without a Network Security Group to protect traffic across subnets.",
+ "displayName": "Subnets should have a Network Security Group",
+ "notScopes": [],
+ "parameters": {
+ "effect": {
+ "value": "Deny"
+ }
+ },
+ "policyDefinitionId": "${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Nsg",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "None"
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_subnet_without_udr.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_subnet_without_udr.tmpl.json
new file mode 100644
index 0000000..d005234
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_subnet_without_udr.tmpl.json
@@ -0,0 +1,22 @@
+{
+ "name": "Deny-Subnet-Without-Udr",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "This policy denies the creation of a subnet without a User-Defined Route to control traffic flow.",
+ "displayName": "Subnets should have a User-Defined Route",
+ "notScopes": [],
+ "parameters": {
+ "effect": {
+ "value": "Deny"
+ }
+ },
+ "policyDefinitionId": "${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Udr",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "None"
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_unmanageddisk.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_unmanageddisk.tmpl.json
new file mode 100644
index 0000000..3a14cf9
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_unmanageddisk.tmpl.json
@@ -0,0 +1,24 @@
+{
+ "name": "Deny-UnmanagedDisk",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2022-06-01",
+ "properties": {
+ "description": "Deny virtual machines that do not use managed disk. It checks the managed disk property on virtual machine OS Disk fields.",
+ "displayName": "Deny virtual machines and virtual machine scale sets that do not use managed disk",
+ "notScopes": [],
+ "parameters": {},
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d",
+ "scope": null,
+ "enforcementMode": "Default",
+ "overrides": [
+ {
+ "kind": "policyEffect",
+ "value": "Deny"
+ }
+ ]
+ },
+ "location": null,
+ "identity": {
+ "type": "None"
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_aks_policy.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_aks_policy.tmpl.json
new file mode 100644
index 0000000..ce3dade
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_aks_policy.tmpl.json
@@ -0,0 +1,22 @@
+{
+ "name": "Deploy-AKS-Policy",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "Use Azure Policy Add-on to manage and report on the compliance state of your Azure Kubernetes Service (AKS) clusters. For more information, see https://aka.ms/akspolicydoc.",
+ "displayName": "Deploy Azure Policy Add-on to Azure Kubernetes Service clusters",
+ "notScopes": [],
+ "parameters": {
+ "effect": {
+ "value": "DeployIfNotExists"
+ }
+ },
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "SystemAssigned"
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_asc_monitoring.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_asc_monitoring.tmpl.json
new file mode 100644
index 0000000..65e82db
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_asc_monitoring.tmpl.json
@@ -0,0 +1,18 @@
+{
+ "name": "Deploy-ASC-Monitoring",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "Enable Monitoring in Microsoft Defender for Cloud.",
+ "displayName": "Enable Monitoring in Microsoft Defender for Cloud",
+ "notScopes": [],
+ "parameters": {},
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "None"
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_azactivity_log.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_azactivity_log.tmpl.json
new file mode 100644
index 0000000..31c8743
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_azactivity_log.tmpl.json
@@ -0,0 +1,25 @@
+{
+ "name": "Deploy-AzActivity-Log",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "Ensures that Activity Log Diagnostics settings are set to push logs into Log Analytics workspace.",
+ "displayName": "Deploy Diagnostic Settings for Activity Log to Log Analytics workspace",
+ "notScopes": [],
+ "parameters": {
+ "effect": {
+ "value": "DeployIfNotExists"
+ },
+ "logAnalytics": {
+ "value": "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/${parTopLevelManagementGroupPrefix}-mgmt/providers/Microsoft.OperationalInsights/workspaces/${parTopLevelManagementGroupPrefix}-la"
+ }
+ },
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2465583e-4e78-4c15-b6be-a36cbc7c8b0f",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "SystemAssigned"
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_azsql_db_auditing.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_azsql_db_auditing.tmpl.json
new file mode 100644
index 0000000..e2c9c5e
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_azsql_db_auditing.tmpl.json
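Review bot: The `logAnalytics` value in `Deploy-AzActivity-Log` hard-codes the all-zero subscription `00000000-0000-0000-0000-000000000000` in the workspace resource ID, and the same ID is used in `Deploy-AzSqlDb-Auditing` (`logAnalyticsWorkspaceId`) and `Deploy-LX-Arc-Monitoring` later in this patch. If the deployment does not replace it (the substitution is not visible in these hunks), the `DeployIfNotExists` remediation points at a workspace that does not exist, and activity and SQL audit logs are not collected. A template token for the management subscription, in the style of the `${parTopLevelManagementGroupPrefix}` tokens already in the same string, would make a missed substitution fail visibly instead. The path segment is also spelled `resourcegroups` in two of the files and `resourceGroups` in the third; one spelling keeps any string comparison on the ID predictable.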
@@ -0,0 +1,25 @@
+{
+ "name": "Deploy-AzSqlDb-Auditing",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "To ensure the operations performed against your SQL assets are captured, SQL servers should have auditing enabled. If auditing is not enabled, this policy will configure auditing events to flow to the specified Log Analytics workspace.",
+ "displayName": "Configure SQL servers to have auditing enabled to Log Analytics workspace",
+ "notScopes": [],
+ "parameters": {
+ "effect": {
+ "value": "DeployIfNotExists"
+ },
+ "logAnalyticsWorkspaceId": {
+ "value": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/${parTopLevelManagementGroupPrefix}-mgmt/providers/Microsoft.OperationalInsights/workspaces/${parTopLevelManagementGroupPrefix}-la"
+ }
+ },
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/25da7dfb-0666-4a15-a8f5-402127efd8bb",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "SystemAssigned"
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_log_analytics.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_log_analytics.tmpl.json
new file mode 100644
index 0000000..b10cfbe
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_log_analytics.tmpl.json
@@ -0,0 +1,43 @@
+{
+ "name": "Deploy-Log-Analytics",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "Deploy-Log-Analytics.",
+ "displayName": "Deploy-Log-Analytics",
+ "notScopes": [],
+ "parameters": {
+ "effect": {
+ "value": "DeployIfNotExists"
+ },
+ "workspaceName": {
+ "value": "${parTopLevelManagementGroupPrefix}-la"
+ },
+ "automationAccountName": {
+ "value": "${parTopLevelManagementGroupPrefix}-automation"
+ },
+ "workspaceRegion": {
+ "value": "${parDefaultRegion}"
+ },
+ "automationRegion": {
+ "value": "${parDefaultRegion}"
+ },
+ "dataRetention": {
+ "value": "30"
+ },
+ "sku": {
+ "value": "pergb2018"
+ },
+ "rgName": {
+ "value": "${parTopLevelManagementGroupPrefix}-mgmt"
+ }
+ },
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8e3e61b3-0b32-22d5-4edf-55f87fdb5955",
+ "scope": null,
+ "enforcementMode": "DoNotEnforce"
+ },
+ "location": null,
+ "identity": {
+ "type": "SystemAssigned"
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_lx_arc_monitoring.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_lx_arc_monitoring.tmpl.json
new file mode 100644
index 0000000..5694a3e
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_lx_arc_monitoring.tmpl.json
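Review bot: `Deploy-Log-Analytics` is the only assignment in this part of the patch with `"enforcementMode": "DoNotEnforce"`, and nothing in the file says why. In that mode the `DeployIfNotExists` effect is not applied when resources are created or updated, so the workspace and automation account only appear if someone starts a remediation by hand, while the assignment name suggests they are deployed automatically. The `description` is just `Deploy-Log-Analytics.`; I would replace it with one sentence stating that the assignment is deliberately not enforced and what creates the workspace instead, or set `"enforcementMode": "Default"` if the difference was not intended.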
@@ -0,0 +1,25 @@
+{
+ "name": "Deploy-LX-Arc-Monitoring",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "Deploy-Linux-Arc-Monitoring.",
+ "displayName": "Deploy-Linux-Arc-Monitoring",
+ "notScopes": [],
+ "parameters": {
+ "effect": {
+ "value": "DeployIfNotExists"
+ },
+ "logAnalytics": {
+ "value": "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/${parTopLevelManagementGroupPrefix}-mgmt/providers/Microsoft.OperationalInsights/workspaces/${parTopLevelManagementGroupPrefix}-la"
+ }
+ },
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9d2b61b4-1d14-4a63-be30-d4498e7ad2cf",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "SystemAssigned"
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_mdeendpoints.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_mdeendpoints.tmpl.json
new file mode 100644
index 0000000..a26342b
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_mdeendpoints.tmpl.json
@@ -0,0 +1,31 @@
+{
+ "name": "Deploy-MDEndpoints",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "Deploy Microsoft Defender for Endpoint agent on applicable images.",
+ "displayName": "[Preview]: Deploy Microsoft Defender for Endpoint agent",
+ "notScopes": [],
+ "parameters": {
+ "microsoftDefenderForEndpointWindowsVmAgentDeployEffect": {
+ "value": "DeployIfNotExists"
+ },
+ "microsoftDefenderForEndpointLinuxVmAgentDeployEffect": {
+ "value": "DeployIfNotExists"
+ },
+ "microsoftDefenderForEndpointWindowsArcAgentDeployEffect": {
+ "value": "DeployIfNotExists"
+ },
+ "microsoftDefenderForEndpointLinuxArcAgentDeployEffect": {
+ "value": "DeployIfNotExists"
+ }
+ },
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/e20d08c5-6d64-656d-6465-ce9e37fd0ebc",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "SystemAssigned"
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_mdfc_config.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_mdfc_config.tmpl.json
new file mode 100644
index 0000000..8ad348a
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_mdfc_config.tmpl.json
@@ -0,0 +1,76 @@
+{
+ "name": "Deploy-MDFC-Config",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "Deploy Microsoft Defender for Cloud configuration and Security Contacts",
+ "displayName": "Deploy Microsoft Defender for Cloud configuration",
+ "notScopes": [],
+ "parameters": {
+ "emailSecurityContact": {
+ "value": "security_contact@replace_me"
+ },
+ "logAnalytics": {
+ "value": "law-alz"
+ },
+ "ascExportResourceGroupName": {
+ "value": "asc-export-alz"
+ },
+ "ascExportResourceGroupLocation": {
+ "value": "northeurope"
+ },
+ "enableAscForServers": {
+ "value": "DeployIfNotExists"
+ },
+ "enableAscForServersVulnerabilityAssessments": {
+ "value": "DeployIfNotExists"
+ },
+ "vulnerabilityAssessmentProvider": {
+ "value": "default"
+ },
+ "enableAscForSql": {
+ "value": "DeployIfNotExists"
+ },
+ "enableAscForAppServices": {
+ "value": "DeployIfNotExists"
+ },
+ "enableAscForStorage": {
+ "value": "DeployIfNotExists"
+ },
+ "enableAscForContainers": {
+ "value": "DeployIfNotExists"
+ },
+ "enableAscForKeyVault": {
+ "value": "DeployIfNotExists"
+ },
+ "enableAscForSqlOnVm": {
+ "value": "DeployIfNotExists"
+ },
+ "enableAscForArm": {
+ "value": "DeployIfNotExists"
+ },
+ "enableAscForDns": {
+ "value": "DeployIfNotExists"
+ },
+ "enableAscForOssDb": {
+ "value": "DeployIfNotExists"
+ },
+ "enableAscForCosmosDbs": {
+ "value": "DeployIfNotExists"
+ },
+ "enableAscForApis": {
+ "value": "DeployIfNotExists"
+ },
+ "enableAscForCspm": {
+ "value": "DeployIfNotExists"
+ }
+ },
+ "policyDefinitionId": "${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/Deploy-MDFC-Config",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "SystemAssigned"
+ }
+}
\ No newline at end of file
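Review bot: Three parameter values here are placeholders that would deploy as-is unless something overrides them: `emailSecurityContact` is `security_contact@replace_me`, `logAnalytics` is the bare name `law-alz` where the other assignments in this commit pass a full workspace resource ID, and `ascExportResourceGroupLocation` is fixed to `northeurope`. With `enforcementMode` `Default`, an un-overridden contact means Defender for Cloud notifications are addressed to a mailbox nobody reads. For the location, reuse the token Deploy-Log-Analytics already uses: `"ascExportResourceGroupLocation": { "value": "${parDefaultRegion}" }`. Whether the assigning module validates the contact is not visible here; it should be a required input rather than a default.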
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_mdfc_ossdb.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_mdfc_ossdb.tmpl.json
new file mode 100644
index 0000000..75df01f
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_mdfc_ossdb.tmpl.json
@@ -0,0 +1,18 @@
+{
+ "name": "Deploy-MDFC-OssDb",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "Enable Advanced Threat Protection on your non-Basic tier open-source relational databases to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. See https://aka.ms/AzDforOpenSourceDBsDocu.",
+ "displayName": "Configure Advanced Threat Protection to be enabled on open-source relational databases",
+ "notScopes": [],
+ "parameters": {},
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/e77fc0b3-f7e9-4c58-bc13-cb753ed8e46e",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "SystemAssigned"
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_mdfc_sqlatp.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_mdfc_sqlatp.tmpl.json
new file mode 100644
index 0000000..7672cf8
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_mdfc_sqlatp.tmpl.json
@@ -0,0 +1,18 @@
+{
+ "name": "Deploy-MDFC-SqlAtp",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "Enable Azure Defender on your SQL Servers and SQL Managed Instances to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases.",
+ "displayName": "Configure Azure Defender to be enabled on SQL Servers and SQL Managed Instances",
+ "notScopes": [],
+ "parameters": {},
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/9cb3cc7a-b39b-4b82-bc89-e5a5d9ff7b97",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "SystemAssigned"
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_private_dns_zones.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_private_dns_zones.tmpl.json
new file mode 100644
index 0000000..930f9b4
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_private_dns_zones.tmpl.json
@@ -0,0 +1,178 @@ +{ + "name": "Deploy-Private-DNS-Zones", + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2019-09-01", + "properties": { + "description": "This policy initiative is a group of policies that ensures private endpoints to Azure PaaS services are integrated with Azure Private DNS zones.", + "displayName": "Configure Azure PaaS services to use private DNS zones", + "notScopes": [], + "parameters": { + "effect": { + "value": "DeployIfNotExists" + }, + "effect1": { + "value": "deployIfNotExists" + }, + "azureFilePrivateDnsZoneId": { + "value": "${varPrivateDnsZonesFinalResourceIds}.azureFilePrivateDnsZoneId]" + }, + "azureAutomationWebhookPrivateDnsZoneId": { + "value": "${varPrivateDnsZonesFinalResourceIds}.azureAutomationWebhookPrivateDnsZoneId]" + }, + "azureAutomationDSCHybridPrivateDnsZoneId": { + "value": "${varPrivateDnsZonesFinalResourceIds}.azureAutomationDSCHybridPrivateDnsZoneId]" + }, + "azureCosmosSQLPrivateDnsZoneId": { + "value": "${varPrivateDnsZonesFinalResourceIds}.azureCosmosSQLPrivateDnsZoneId]" + }, + "azureCosmosMongoPrivateDnsZoneId": { + "value": "${varPrivateDnsZonesFinalResourceIds}.azureCosmosMongoPrivateDnsZoneId]" + }, + "azureCosmosCassandraPrivateDnsZoneId": { + "value": "${varPrivateDnsZonesFinalResourceIds}.azureCosmosCassandraPrivateDnsZoneId]" + }, + "azureCosmosGremlinPrivateDnsZoneId": { + "value": "${varPrivateDnsZonesFinalResourceIds}.azureCosmosGremlinPrivateDnsZoneId]" + }, + "azureCosmosTablePrivateDnsZoneId": { + "value": "${varPrivateDnsZonesFinalResourceIds}.azureCosmosTablePrivateDnsZoneId]" + }, + "azureDataFactoryPrivateDnsZoneId": { + "value": "${varPrivateDnsZonesFinalResourceIds}.azureDataFactoryPrivateDnsZoneId]" + }, + "azureDataFactoryPortalPrivateDnsZoneId": { + "value": "${varPrivateDnsZonesFinalResourceIds}.azureDataFactoryPortalPrivateDnsZoneId]" + }, + "azureHDInsightPrivateDnsZoneId": { + "value": "${varPrivateDnsZonesFinalResourceIds}.azureHDInsightPrivateDnsZoneId]" + }, 
+ "azureMigratePrivateDnsZoneId": { + "value": "${varPrivateDnsZonesFinalResourceIds}.azureMigratePrivateDnsZoneId]" + }, + "azureStorageBlobPrivateDnsZoneId": { + "value": "${varPrivateDnsZonesFinalResourceIds}.azureStorageBlobPrivateDnsZoneId]" + }, + "azureStorageBlobSecPrivateDnsZoneId": { + "value": "${varPrivateDnsZonesFinalResourceIds}.azureStorageBlobSecPrivateDnsZoneId]" + }, + "azureStorageQueuePrivateDnsZoneId": { + "value": "${varPrivateDnsZonesFinalResourceIds}.azureStorageQueuePrivateDnsZoneId]" + }, + "azureStorageQueueSecPrivateDnsZoneId": { + "value": "${varPrivateDnsZonesFinalResourceIds}.azureStorageQueueSecPrivateDnsZoneId]" + }, + "azureStorageFilePrivateDnsZoneId": { + "value": "${varPrivateDnsZonesFinalResourceIds}.azureStorageFilePrivateDnsZoneId]" + }, + "azureStorageStaticWebPrivateDnsZoneId": { + "value": "${varPrivateDnsZonesFinalResourceIds}.azureStorageStaticWebPrivateDnsZoneId]" + }, + "azureStorageStaticWebSecPrivateDnsZoneId": { + "value": "${varPrivateDnsZonesFinalResourceIds}.azureStorageStaticWebSecPrivateDnsZoneId]" + }, + "azureStorageDFSPrivateDnsZoneId": { + "value": "${varPrivateDnsZonesFinalResourceIds}.azureStorageDFSPrivateDnsZoneId]" + }, + "azureStorageDFSSecPrivateDnsZoneId": { + "value": "${varPrivateDnsZonesFinalResourceIds}.azureStorageDFSSecPrivateDnsZoneId]" + }, + "azureSynapseSQLPrivateDnsZoneId": { + "value": "${varPrivateDnsZonesFinalResourceIds}.azureSynapseSQLPrivateDnsZoneId]" + }, + "azureSynapseSQLODPrivateDnsZoneId": { + "value": "${varPrivateDnsZonesFinalResourceIds}.azureSynapseSQLODPrivateDnsZoneId]" + }, + "azureSynapseDevPrivateDnsZoneId": { + "value": "${varPrivateDnsZonesFinalResourceIds}.azureSynapseDevPrivateDnsZoneId]" + }, + "azureMediaServicesKeyPrivateDnsZoneId": { + "value": "${varPrivateDnsZonesFinalResourceIds}.azureMediaServicesKeyPrivateDnsZoneId]" + }, + "azureMediaServicesLivePrivateDnsZoneId": { + "value": 
"${varPrivateDnsZonesFinalResourceIds}.azureMediaServicesLivePrivateDnsZoneId]" + }, + "azureMediaServicesStreamPrivateDnsZoneId": { + "value": "${varPrivateDnsZonesFinalResourceIds}.azureMediaServicesStreamPrivateDnsZoneId]" + }, + "azureMonitorPrivateDnsZoneId1": { + "value": "${varPrivateDnsZonesFinalResourceIds}.azureMonitorPrivateDnsZoneId1]" + }, + "azureMonitorPrivateDnsZoneId2": { + "value": "${varPrivateDnsZonesFinalResourceIds}.azureMonitorPrivateDnsZoneId2]" + }, + "azureMonitorPrivateDnsZoneId3": { + "value": "${varPrivateDnsZonesFinalResourceIds}.azureMonitorPrivateDnsZoneId3]" + }, + "azureMonitorPrivateDnsZoneId4": { + "value": "${varPrivateDnsZonesFinalResourceIds}.azureMonitorPrivateDnsZoneId4]" + }, + "azureMonitorPrivateDnsZoneId5": { + "value": "${varPrivateDnsZonesFinalResourceIds}.azureMonitorPrivateDnsZoneId5]" + }, + "azureWebPrivateDnsZoneId": { + "value": "${varPrivateDnsZonesFinalResourceIds}.azureWebPrivateDnsZoneId]" + }, + "azureBatchPrivateDnsZoneId": { + "value": "${varPrivateDnsZonesFinalResourceIds}.azureBatchPrivateDnsZoneId]" + }, + "azureAppPrivateDnsZoneId": { + "value": "${varPrivateDnsZonesFinalResourceIds}.azureAppPrivateDnsZoneId]" + }, + "azureAsrPrivateDnsZoneId": { + "value": "${varPrivateDnsZonesFinalResourceIds}.azureAsrPrivateDnsZoneId]" + }, + "azureIotPrivateDnsZoneId": { + "value": "${varPrivateDnsZonesFinalResourceIds}.azureIotPrivateDnsZoneId]" + }, + "azureKeyVaultPrivateDnsZoneId": { + "value": "${varPrivateDnsZonesFinalResourceIds}.azureKeyVaultPrivateDnsZoneId]" + }, + "azureSignalRPrivateDnsZoneId": { + "value": "${varPrivateDnsZonesFinalResourceIds}.azureSignalRPrivateDnsZoneId]" + }, + "azureAppServicesPrivateDnsZoneId": { + "value": "${varPrivateDnsZonesFinalResourceIds}.azureAppServicesPrivateDnsZoneId]" + }, + "azureEventGridTopicsPrivateDnsZoneId": { + "value": "${varPrivateDnsZonesFinalResourceIds}.azureEventGridTopicsPrivateDnsZoneId]" + }, + "azureDiskAccessPrivateDnsZoneId": { + "value": 
"${varPrivateDnsZonesFinalResourceIds}.azureDiskAccessPrivateDnsZoneId]" + }, + "azureCognitiveServicesPrivateDnsZoneId": { + "value": "${varPrivateDnsZonesFinalResourceIds}.azureCognitiveServicesPrivateDnsZoneId]" + }, + "azureIotHubsPrivateDnsZoneId": { + "value": "${varPrivateDnsZonesFinalResourceIds}.azureIotHubsPrivateDnsZoneId]" + }, + "azureEventGridDomainsPrivateDnsZoneId": { + "value": "${varPrivateDnsZonesFinalResourceIds}.azureEventGridDomainsPrivateDnsZoneId]" + }, + "azureRedisCachePrivateDnsZoneId": { + "value": "${varPrivateDnsZonesFinalResourceIds}.azureRedisCachePrivateDnsZoneId]" + }, + "azureAcrPrivateDnsZoneId": { + "value": "${varPrivateDnsZonesFinalResourceIds}.azureAcrPrivateDnsZoneId]" + }, + "azureEventHubNamespacePrivateDnsZoneId": { + "value": "${varPrivateDnsZonesFinalResourceIds}.azureEventHubNamespacePrivateDnsZoneId]" + }, + "azureMachineLearningWorkspacePrivateDnsZoneId": { + "value": "${varPrivateDnsZonesFinalResourceIds}.azureMachineLearningWorkspacePrivateDnsZoneId]" + }, + "azureServiceBusNamespacePrivateDnsZoneId": { + "value": "${varPrivateDnsZonesFinalResourceIds}.azureServiceBusNamespacePrivateDnsZoneId]" + }, + "azureCognitiveSearchPrivateDnsZoneId": { + "value": "${varPrivateDnsZonesFinalResourceIds}.azureCognitiveSearchPrivateDnsZoneId]" + } + }, + "policyDefinitionId": "${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/Deploy-Private-DNS-Zones", + "scope": null, + "enforcementMode": "Default" + }, + "location": null, + "identity": { + "type": "SystemAssigned" + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_resource_diag.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_resource_diag.tmpl.json new file mode 100644 index 0000000..5ba3100 --- /dev/null 
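Review bot: Every zone parameter value in Deploy-Private-DNS-Zones ends in `]` with no opening bracket, for example `"${varPrivateDnsZonesFinalResourceIds}.azureFilePrivateDnsZoneId]"`. Unless the substitution for `${varPrivateDnsZonesFinalResourceIds}` supplies the matching `[` and the rest of the expression (not visible in this hunk), the resulting string is not a valid private DNS zone resource ID, and the initiative's `DeployIfNotExists` policies would have no usable zone to register private endpoints in. JSON cannot carry a comment, so the convention should be explained where the token is replaced or in the module's documentation. Separately, `effect` is `DeployIfNotExists` and `effect1` is `deployIfNotExists`; use one casing for both.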
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_resource_diag.tmpl.json
@@ -0,0 +1,22 @@
+{
+ "name": "Deploy-Resource-Diag",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "Ensures that Azure resources are configured to forward diagnostic logs and metrics to an Azure Log Analytics workspace.",
+ "displayName": "Deploy-Resource-Diag",
+ "notScopes": [],
+ "parameters": {
+ "logAnalytics": {
+ "value": "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/${parTopLevelManagementGroupPrefix}-mgmt/providers/Microsoft.OperationalInsights/workspaces/${parTopLevelManagementGroupPrefix}-la"
+ }
+ },
+ "policyDefinitionId": "${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/Deploy-Diagnostics-LogAnalytics",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "SystemAssigned"
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_sql_db_auditing.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_sql_db_auditing.tmpl.json
new file mode 100644
index 0000000..2ada695
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_sql_db_auditing.tmpl.json
@@ -0,0 +1,22 @@
+{
+ "name": "Deploy-SQL-DB-Auditing",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log.",
+ "displayName": "Auditing on SQL server should be enabled",
+ "notScopes": [],
+ "parameters": {
+ "effect": {
+ "value": "AuditIfNotExists"
+ }
+ },
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "SystemAssigned"
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_sql_security.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_sql_security.tmpl.json
new file mode 100644
index 0000000..fb7ca3e
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_sql_security.tmpl.json
@@ -0,0 +1,22 @@
+{
+ "name": "Deploy-SQL-Security",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "Deploy-SQL-Security.",
+ "displayName": "Deploy-SQL-Security",
+ "notScopes": [],
+ "parameters": {
+ "effect": {
+ "value": "DeployIfNotExists"
+ }
+ },
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86a912f6-9a06-4e26-b447-11b16ba8659f",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "SystemAssigned"
+ }
+}
\ No newline at end of file
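Review bot: In Deploy-SQL-DB-Auditing the effect is `AuditIfNotExists`, so the assignment only reports servers without auditing even though its name starts with `Deploy-`. It also requests `"identity": { "type": "SystemAssigned" }`, which an audit-only effect does not use. Enforce-ALZ-Sandbox and Enforce-GR-KeyVault in this commit use `"type": "None"` for assignments that deploy nothing. Prefer `"type": "None"` here as well, so that no unused managed identity exists to be granted roles later.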
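Review bot: Deploy-SQL-Security points at `policyDefinitions/86a912f6-9a06-4e26-b447-11b16ba8659f`, the same definition that Deploy-SQL-TDE (the next file) assigns with the description "This policy ensures that Transparent Data Encryption is enabled on SQL Servers." Two assignments of one definition add nothing when both land on the same scope, and the description `"Deploy-SQL-Security."` hides that this is the TDE policy. Either drop one of the two, or state what this one enforces, e.g. `"description": "Deploys Transparent Data Encryption on SQL databases (same definition as Deploy-SQL-TDE)."`.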
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_sql_tde.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_sql_tde.tmpl.json
new file mode 100644
index 0000000..fdf235a
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_sql_tde.tmpl.json
@@ -0,0 +1,18 @@
+{
+ "name": "Deploy-SQL-TDE",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "This policy ensures that Transparent Data Encryption is enabled on SQL Servers.",
+ "displayName": "Deploy TDE on SQL servers",
+ "notScopes": [],
+ "parameters": {},
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86a912f6-9a06-4e26-b447-11b16ba8659f",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "SystemAssigned"
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_sql_threat.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_sql_threat.tmpl.json
new file mode 100644
index 0000000..b290550
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_sql_threat.tmpl.json
@@ -0,0 +1,18 @@
+{
+ "name": "Deploy-SQL-Threat",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "This policy ensures that Threat Detection is enabled on SQL Servers.",
+ "displayName": "Deploy Threat Detection on SQL servers",
+ "notScopes": [],
+ "parameters": {},
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/36d49e87-48c4-4f2e-beed-ba4ed02b71f5",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "SystemAssigned"
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vm_backup.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vm_backup.tmpl.json
new file mode 100644
index 0000000..fb2f295
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vm_backup.tmpl.json
@@ -0,0 +1,22 @@
+{
+ "name": "Deploy-VM-Backup",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupExcludeTag.",
+ "displayName": "Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy",
+ "notScopes": [],
+ "parameters": {
+ "effect": {
+ "value": "deployIfNotExists"
+ }
+ },
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/98d0b9f8-fd90-49c9-88e2-d3baf3b0dd86",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "SystemAssigned"
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vm_monitoring.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vm_monitoring.tmpl.json
new file mode 100644
index 0000000..738007b
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vm_monitoring.tmpl.json
@@ -0,0 +1,22 @@
+{
+ "name": "Deploy-VM-Monitoring",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "Enable Azure Monitor for the virtual machines (VMs) in the specified scope (management group, subscription or resource group). Takes Log Analytics workspace as parameter.",
+ "displayName": "Enable Azure Monitor for VMs",
+ "notScopes": [],
+ "parameters": {
+ "logAnalytics_1": {
+ "value": "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/${parTopLevelManagementGroupPrefix}-mgmt/providers/Microsoft.OperationalInsights/workspaces/${parTopLevelManagementGroupPrefix}-la"
+ }
+ },
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/55f3eceb-5573-4f18-9695-226972c6d74a",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "SystemAssigned"
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vmss_monitoring.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vmss_monitoring.tmpl.json
new file mode 100644
index 0000000..a6e1442
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_vmss_monitoring.tmpl.json
@@ -0,0 +1,22 @@
+{
+ "name": "Deploy-VMSS-Monitoring",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "Enable Azure Monitor for the Virtual Machine Scale Sets in the specified scope (Management group, Subscription or resource group). Takes Log Analytics workspace as parameter. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all VMs in the set by calling upgrade on them. In CLI this would be az vmss update-instances.",
+ "displayName": "Enable Azure Monitor for Virtual Machine Scale Sets",
+ "notScopes": [],
+ "parameters": {
+ "logAnalytics_1": {
+ "value": "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/${parTopLevelManagementGroupPrefix}-mgmt/providers/Microsoft.OperationalInsights/workspaces/${parTopLevelManagementGroupPrefix}-la"
+ }
+ },
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/75714362-cae7-409e-9b99-a8e5075b7fad",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "SystemAssigned"
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_ws_arc_monitoring.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_ws_arc_monitoring.tmpl.json
new file mode 100644
index 0000000..5ee6284
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_ws_arc_monitoring.tmpl.json
@@ -0,0 +1,25 @@
+{
+ "name": "Deploy-WS-Arc-Monitoring",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "Deploys the Log Analytics agent to Windows Azure Arc machines if the agent isn't installed.",
+ "displayName": "Deploy-Windows-Arc-Monitoring",
+ "notScopes": [],
+ "parameters": {
+ "effect": {
+ "value": "DeployIfNotExists"
+ },
+ "logAnalytics": {
+ "value": "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/${parTopLevelManagementGroupPrefix}-mgmt/providers/Microsoft.OperationalInsights/workspaces/${parTopLevelManagementGroupPrefix}-la"
+ }
+ },
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/69af7d4a-7b18-4044-93a9-2651498ef203",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "SystemAssigned"
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_enable_ddos_vnet.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_enable_ddos_vnet.tmpl.json
new file mode 100644
index 0000000..631e914
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_enable_ddos_vnet.tmpl.json
@@ -0,0 +1,25 @@
+{
+ "name": "Enable-DDoS-VNET",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "Protect your virtual networks against volumetric and protocol attacks with Azure DDoS Protection Standard. For more information, visit https://aka.ms/ddosprotectiondocs.",
+ "displayName": "Virtual networks should be protected by Azure DDoS Protection Standard",
+ "notScopes": [],
+ "parameters": {
+ "effect": {
+ "value": "Modify"
+ },
+ "ddosPlan": {
+ "value": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/${parTopLevelManagementGroupPrefix}-mgmt/providers/Microsoft.Network/ddosProtectionPlans/${parTopLevelManagementGroupPrefix}-ddos"
+ }
+ },
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/94de2ad3-e0c1-4caf-ad78-5d47bbc83d3d",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "SystemAssigned"
+ }
+}
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_acsb.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_acsb.tmpl.json
new file mode 100644
index 0000000..1143ba5
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_acsb.tmpl.json
@@ -0,0 +1,18 @@
+{
+ "name": "Enforce-ACSB",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "This initiative assignment enables Azure Compute Security Baseline compliance auditing for Windows and Linux virtual machines.",
+ "displayName": "Enforce Azure Compute Security Baseline compliance auditing",
+ "notScopes": [],
+ "parameters": {},
+ "policyDefinitionId": "${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/Enforce-ACSB",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "SystemAssigned"
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_alz_decomm.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_alz_decomm.tmpl.json
new file mode 100644
index 0000000..af4b887
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_alz_decomm.tmpl.json
@@ -0,0 +1,35 @@
+{
+ "name": "Enforce-ALZ-Decomm",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "This initiative will help enforce and govern subscriptions that are placed within the decommissioned Management Group as part of your Subscription decommissioning process. See https://aka.ms/alz/policies for more information.",
+ "displayName": "Enforce ALZ Decommissioned Guardrails",
+ "notScopes": [],
+ "parameters": {
+ "listOfResourceTypesAllowed": {
+ "value": [
+ "microsoft.consumption/tags",
+ "microsoft.authorization/roleassignments",
+ "microsoft.authorization/roledefinitions",
+ "microsoft.authorization/policyassignments",
+ "microsoft.authorization/locks",
+ "microsoft.authorization/policydefinitions",
+ "microsoft.authorization/policysetdefinitions",
+ "microsoft.resources/tags",
+ "microsoft.authorization/roleeligibilityschedules",
+ "microsoft.authorization/roleeligibilityscheduleinstances",
+ "microsoft.authorization/roleassignmentschedules",
+ "microsoft.authorization/roleassignmentscheduleinstances"
+ ]
+ }
+ },
+ "policyDefinitionId": "${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/Enforce-ALZ-Decomm",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "SystemAssigned"
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_alz_sandbox.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_alz_sandbox.tmpl.json
new file mode 100644
index 0000000..906a9f8
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_alz_sandbox.tmpl.json
@@ -0,0 +1,29 @@
+{
+ "name": "Enforce-ALZ-Sandbox",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "This initiative will help enforce and govern subscriptions that are placed within the Sandobx Management Group. See https://aka.ms/alz/policies for more information.",
+ "displayName": "Enforce ALZ Sandbox Guardrails",
+ "notScopes": [],
+ "parameters": {
+ "listOfResourceTypesNotAllowed": {
+ "value": [
+ "microsoft.network/expressroutecircuits",
+ "microsoft.network/expressroutegateways",
+ "microsoft.network/virtualwans",
+ "microsoft.network/virtualhubs",
+ "microsoft.network/vpngateways",
+ "microsoft.network/vpnsites"
+ ]
+ }
+ },
+ "policyDefinitionId": "${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/Enforce-ALZ-Sandbox",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "None"
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_gr_keyvault.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_gr_keyvault.tmpl.json
new file mode 100644
index 0000000..6017ba4
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_gr_keyvault.tmpl.json
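Review bot: The `description` misspells the management group as `Sandobx`; this text is what operators see in the policy assignment list, so it should read `... placed within the Sandbox Management Group.` The description of Enforce-TLS-SSL later in this commit has similar slips (`polices`, `exsistense`) and its last sentence is hard to parse. Both are worth fixing in the same pass, since the description is the only place these JSON files can explain what an assignment enforces.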
@@ -0,0 +1,18 @@
+{
+ "name": "Enforce-GR-KeyVault",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "This initiative assignment enables recommended ALZ guardrails for Azure Key Vault.",
+ "displayName": "Enforce recommended guardrails for Azure Key Vault",
+ "notScopes": [],
+ "parameters": {},
+ "policyDefinitionId": "${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-KeyVault",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "None"
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_tls_ssl.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_tls_ssl.tmpl.json
new file mode 100644
index 0000000..96ff96f
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_tls_ssl.tmpl.json
@@ -0,0 +1,18 @@
+{
+ "name": "Enforce-TLS-SSL",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "Choose either Deploy if not exist and append in combination with audit or Select Deny in the Policy effect. Deny polices shift left. Deploy if not exist and append enforce but can be changed, and because missing exsistense condition require then the combination of Audit.",
+ "displayName": "Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit",
+ "notScopes": [],
+ "parameters": {},
+ "policyDefinitionId": "${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "SystemAssigned"
+ }
+}
\ No newline at end of file
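Review bot: The `description` of `Enforce-TLS-SSL` asks the operator to choose between Deny and DeployIfNotExists/Append with Audit, but `"parameters": {}` passes no effect values, so the assignment runs with whatever defaults the `Enforce-EncryptTransit` initiative defines (not visible in this hunk). Setting the effect parameters explicitly, or stating in the description that the initiative defaults apply, would let a reader tell from this file whether weak TLS settings are denied or only audited. The description also needs a wording pass: `polices` should be `policies` and `exsistense` should be `existence`.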
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/media/bicepVisualizer.png b/dependencies/infra-as-code/bicep/modules/policy/assignments/media/bicepVisualizer.png new file mode 100644 index 0000000000000000000000000000000000000000..a2c3d584cae939bd598ab03e013891de9ccdedb3 GIT binary patch literal 46565 zcmbTebyQVR`!y=~MztmOM=&t8~6dj_`+c@BPKK3E$C zKHwbR%ZNWK86?>TJMb1_@5G)xE000BGkOX3k?dr(9G^WyZ+rTI>#{8{efF%%Lrzjm z%}sx=5z&ie(z_%|>ag(z{2MG9u>g3%7R4~NESf_31g0XLFJ^*GyowHvj*hlX?O`T@ z9rh}Fd-*2B5LQp(Vxt@nU;P!c$=9# zUnM0e=?0;MLB%2Ld>Ipu;{W+KY5-FX_zfkD;JKFce-Fa{j{MItV~8nX(9^MYXg3G) z)3H#>STmge9Fw5vV|cm}W$>E>mH%GI|9`)b%|n!xlG2c$-!ordUvl!yjSchBHO*ZZ z0c>zkF&aB{z?>O{9RiW}WGyZ(W>Aokk#TjcsZs=Yv|Lf_3l)ouj*bosLqbFA;MQ;Q z;^*g|o}8T2W^Sk8;^wyh%TNcEz{0|Muc6TeH#R)1tfi%;udi=lu=wwvS#gE~0|dYA zjaaQ+93xt5h!tVQ@8531E_+E@u%)G?=?V*aTH0?33Ho(TNUt^vswU7BJv; z^^rSwD z6RQ>Lig5%t09&4>F#NKSk&)~`;fEq^9i2trM{jzuT4Eao?A|5(pB6(I!f0q{>LpO| zNRH6?6mIK=#>N;j;kRFf%rdM=T%as4Xd5*HgJn0x99m2VEI2qXH#bed8M&wWHwDU1T~37YHe$4LqutvHzZtL zSqTphpP8BYWd;VK1Tr%6FdsQNxwZS3912|syFMRAtIS72VPRovYHDI4qTtIgDeyhY zs;a82tSr@y&dLBg%67gL8i;G487eyZghmj!Z^XgDL2PX7&n)q$`>jUAQ+VZ4&5n$y z7#N7=)&(KD4#@53#_lX1S)^u;;u6l8RcvoWK#e79v&G||zg!j%J?;Q~gA0Wk(uVZ4 z2B8dPiY|_h8Z%?G=Sh*qEDn3jPW+fGk#BN&cXv*_shj?!afk(zb|nKZ@8lokcgS^hbsK}}o(FUMo8FX=Ow2J{@@+!wgX5k| zW`SQtMHTfw($7Z~DBF*cd2RI-6%~DP9ojBA7Ca9dZ5xiIot>+ygrJw7K6;+yO-vI% zjEo6Z*4K~Go4U+T=WF+hoK;q(F<#awZ%i-n`*o6vte$r&9^TOPWI|gBFXvqsFZO5C zi-t{GaHSf3+;8WJXII`=e9mZ^C!5b$pxk%1m?37pUk?4;_3E%!Kxgs|ukG+?uzAcu zhM_Km62Xj3ij=zVYS{U6%;Go^=A8`T=^6UP)<K5_)rXR`~VA?^ysqlITo1~ zws;<$!(H;RM0p{D>#6(_`$~8g1_lOZ=Hk@vv*y%sX=x;2Y~bT>Zf{S|%?T~>>gML< zAs`}FxPYOhqM`yuyTpTnmV$zUv9WRH<}_lz6Q-_6u~~ClJz7`E^xW+1Ytuyel z`Ph>6{Nxi7^6p^LWTThSWp7Y==AHBO7<<H<{PTpUw#_;m+RM*sqUQC&!@_Yspb7JRTk$qGmt3l_G);h`6 z3Vw5Fm4N5P-aie4DAu07KH||~UElljngx&DksKLPMiRC$q^72(+7F_lqD=E?{Ej@f z3%UjdL)A&I5<+&RQ3)c1!9HmP5!dPEJ-B2p4TH%bH(-Kd$r68us?~ zQc@kUO(dzIVZ09x3k~k(UauJ$&&$WGTAeB)Umz}L&9^L*Wo(#4(_Qc+RSv8=lm{Ha 
zDMJrPs#o5TEKG&V^@1)9zVu4wo^PDQEEd%mZS*yH9>3g%A$qsL+kD+;@W3G~?0vk_ z@$m34QRnZrk!-=BrK4lb9K#X1O&uc?fQ^ib+HNUwKCT*qPAdL!KUtlB@=XU@*SM7r zCgfGJsIN%aNGwl3%V?M%`qi$)fpO0lS|y=lcypqt>X?|_g+xrlH{#;rAb8O6uw%|= zVUiKFFNo^cX(~}sOto!H7iA8g3MhMUwOp{HB{J&-t9qS{$TXk*V4Zgy5|&(bU2v!8 zfARXSh3KtTfJN@7ffVlDiDJiftj?SB-LTgn<`l2%BlJ5xuak6oTND}}rdaxCgUAba zpv*#hUDr?Vaoym7w(*VhFD8r_G-95+>CAh=fBHZ9>Pc@?e}DY*8387cXvSyO{VN8+!kNilbVy0a~f|tMbMRnr;qDPlQM4UT8`Pc zp+378-5ZNI((>ZQz{;ouzLA#=IB4H}sD~>_^x9-nC`Ls@)~H)H0^pKtM#X;NqOr~M zu3On<9j{@tBT= ztLfm*$vKY(6w#gAzDz=KC~BK@&?aZjb`>+3IqXNXYDh)7U!z9cXE3KV5ZG$57BJ z5W6&543RmVwjh$XZ?PG#v7Nf^O^H!I1^5&hIx(JgcNxg=G)X~PQ?e&yIu4z6Cdf%M+*&@%km`zMfyvNNMUs#CN+1c62)~=I4 zo1UKD!=LPC{NlPjN;@NgLO6@dsLqD-?b|meLRaUV@mGqdP9N8MzeUQas>WBv=*M>* zr5N8{>`O!w@_xM9vk;YUwtV3sgYV|rzoo*7rK+pjU#1)xY~=gX-!+8i(|p}O`%p`v z<$CWae%x}T63m`XG?Vnh+Ew&IYs@CU zwq9PNLdp_HVm;a4+SMu+fljLst#`)NdRpZ56LbZNK1N*x-9sN?|vTWYN zRM;`>jKsvmDoC8AJ@yUr3P$iD3OuGIS(MS?Z)K9yLG*w5^5s{W0+Zlu?OKU(llz-< zX_aZbuHax;P!Q$IJX%YfYlV-!1o-0e{Y}bhCp}r>y~Bk`NlEkdt`*dt)R^!*?Pq03 zH_~!riQuWv$nSGy3ZQ!52hVQ>I?5oTp_{*fOaRZlL>q)#SwZI9o$# zE+JfR>SecxM`Tz}*1A)#ii*6vd`?adX$ZtJcsf=(yP$w8;;ehTN89n)u!Ex9-e6PK zG;BWZyLNmJ75%GfW3`{Af9vxYx5mPJUu`E_0e*h0_9GAkf7^RB}1B&QT@M*j~6ztJY&uk zp5nX1%Weza3wYbzo;rGrg3mH+zo0sZ9Ew>leJ@vG-I-iXSt}(aRSBojOE9Y1J8Tv_ zxfcM}Ub$TOGZwC0>o-z(%%AqO`!3(RE@ImTvHUH*gt$BokFIFa95U0dm(Ml!8SIMG zi;XKuLqdH%&s6q^>~;Pb74P)N<5;SUx?o${yF?Vdf>YrL80-mCP|xxp;cVb0uo;gP zTiue9cHN)ps0Pi#O5K0lrejz~O(!xo$bkhLI=DEmHW1`Wu~H|J;`aKoc$-g=){6@p z3uZ)aC1jLFNY6#X5I&0yINJUT*3|^wyn5lfPmPz~JwNnkxSWKeqf7bth`1nb8&$I{ zZc&y~IELk5^ZH2{b~+4`3wwO!fQc!*a8RJ*30j>c>FVb-M{z{x@dU#SDp=SmL9pnj z$rhpfL&Q~a1mFDmM3e?zGQFj6z2QfrrKyM>#Ofai*zl^TZIaYIGT)A(C8OM!8t6KM zraMYTMBY-d;N<-ETWmXkcvB`xW4h(Dr|^*pSQZmQX5=`Pb=Lg8FmRk^da1>b48lR+ zd@%oU)=RT)q1UyAsswYPN$@G-@tCHO#xN5_3KDXY{q7Juqd=`XkTbtMqKa z%BU<8R`b(^6j+km_oxI#k2@7kmEWQ}7LQJ)=ol|$9zw`{u1+%_)3p2u9*#mpB{8tE zuwttKAVP0GxjP;5-M2Ql-B$AL!?M^=LEZg z`9tH?N(5cJJ~d_uJAIYLvG}`Xs%b 
zrBJ?=smO`gwp`ly>mD_(ps;)FV58(HYPue0cnI~* z)^s8v?2V38g<+#G<4_hG3S&O_HVG zNis({Tx{)7l#IL-b4G0)cew}$EI$ZE-ynEB10Ah z!R8c1YE@ChM$4wTpb(;^4QfpCGStC_sZw_AiSb3X)95)4aMvvQ2s&6`w5o8vO`%A; zKJb7x*)5BMFU3^ZP{fL*uxmnn9`7%ySs@%2(FUrf^^FZ)!*L zL{=H4M?M_S(4F>op+nJWlwpdz=z^)i_~XA4P&L6C2p zkCwzz!h6|@I5{{VhetttWLTyt1IfzS1b?q|0Vl(R@?>;?2GYn8k8F zCs=SCT@y__T5@^6%S~S}7lEw>$M#EXEXGLYg?d+3+YqbQO=x2IG%Jd5DMsz-u%DT| z?;0!-Vh!U2kW8&mnc;HdS(5aryDl)_h}nIzoCa{udXVHrt3DtcWKuElyC{F4tnqweK5~S&g@pF)s66WkYG*G% zjZ-n?bv@IN2+{9%VPP1DCw@u`3evi&;};qEZJsz)mov+;rGD87=dTOL^4mrToxTuC z{_5yACL^?k8MAFCuo@`Bd11Y8Q@a6~ckmdKUihnLIb@plLa2o#WayeUu4*kV?X+>Uhie2SB_pfSzS0|SD7 z2wPGc(QI-P$tgrMiyh;!>PKQo&_dx?Tt?OU_*4=0k&%$Z6sEWb%yr_!db85FViJ6h zS`fcJw&FMajb=Fg`vQaFO97e+AB|K11R&xCx<_>J_!SUQFSmFT^k z96&y5I7YmO)YhaS-I0Z>Wn-=mu`tKhGz zA<+#-tte^gxkd5O09Z!)upMQR**0z#UVMLJT2z0TsE6RbA6FyVbRcwazJ7R%uda|+ zG@Vp-dr*&IcHM&EqpYrOz8;MPzv4P)-*q}9D#|n21O19f?gjO{85BI^D~}Y9gbTcH z_-ERVD|LU6s4Y_QhnnHpPxzeVV6oB0ow`lfq{-uofwD+J_EYX8Ia%6xLDXb1Tm9LM zDGeGOGA6oA;!j0~bQ{!*=?j87HbzKM?Pi82LmOSKfG(tkzkJ$xQqO`X-|r`hwR0bH zjiKNXExgqemfWVEHRe7t-J78)@NEl5bHix>n6@b_F`IV$BEsPAIcvagBZcx;ZkS%F zKcO<>eBrcIW%-JQ98sqEAsFN$o)=8jk)b#>l3!)<6;cFV1!GW0Jv#1DBy(X1p0Bg| zCKLHw)-T4Hq=d_~AC7XnB&MXi<-}vsG@LPUiLx+*CqTS?HY&?0a+YH638;{%s%<9! 
zN^kfwEraV`4Ldg_(fi5>4QbMluP(+*dpTX&@oldboRSgBs=-WQHD4S?6+jpBVT zdjEsJ9VO=*0!IY;Qa^*-KePe^AVQz=1_rMWiyD zsH@|Z0w}%u57(a<)sdc^p1z9-Jr(Ia#xkovQPxEqwaih3$pjg;_08>V^GPow%=;cK z&9e(p{_U?Y(T!LEpSvrzcBg;_1D7Wr-AA~sA~ITl2Ww6T!zf=~>}nD}~qGVyOsV^%d4UK)dwd z*eH6r9L!x8102!}fKun)O?KAz%Rss()Yi2TK>qxuBJ*A$69?0{;c8xH!N8;UG0qo_ z;OOx2?jxOV%$@w3%;v-9Ex|CGnP;12dwYAF7K3&dMDi+8k&$x^?v64tUGl7rYJxY- z$iz@+nQ70L;o;#)eNSdyUJc&Q?J%=Q8wC`~_AU1L|9)l_{a>O>(*IAb<^Pjt^A`^j z(+JSoup3NoTU%Q|AnF&Ju@gd2Q9oH(ZSU;-PUwJz@D>4ry|J;ezJ9isNCV*(^S-AW z_Fj#$oy(L>DqSD}GoJv+FNB0)kAFF4KJi!wB^~Ad_<@U$ZzA@~jD2}~Ys=Ewx~QL zqm+Y3=vrJ9ef_$(uMed!DKpbRON+m0lU_@@CWpf7B%8u(lwB*}=%*p!NY(Y}=4nc5 zswZGLyy~iez?IV8(ZPN$BrFW%4;^)Np6C*lgpo#Ywyk@=i$sYn_&(0ymhAqMi(KzH|F?v1rI92^{=Dj9#GfLQEM7Gm>2 zGS4!T6y@ZQP*4Pcv~-sZHBqv#*j#Q4kpnGpeRGqd!0t{78S3v}E1qlgybMCYU&9X~ z;Cw4D56B)B4Gmu32d|YQq${rOwd%-)g#|E(gj^5Oz=c*{mKOt6bHjAE4B+-gmr2feok z$c0_}U>mC-n*>)Jx)iB>KeX1=yG2C_H@__A{rKFg{(R~iRD7x&ae3l5)HuzK7DDbx zcbT}yq+2_@xcE3#ZZa@1pg!?tuCbh2fNpRsF+)3NaYRj7Yu=7)(xrU7La(MOh=4r; zkC}>2#C`>K+QavDOWtKJAR?RyYij@Bq2$EO!N{oj*o#>4+MuwX1^RGsaOw`V-#Ipi zGU<7$61rlirZjDB4@XDeZ^m%?oW@Pe+GsY}dtU_a{n^zR*szuQ*itx+i!`Dq;zP!{ zQg1d;_^h(M zDfsc+tSQYeIaA_uw2_*3Q$N>9ziRJJP6`)bF5zgpa~(JxjTiQA6aJ)bIXA6qxm$>g zet3p_v^7%W6KAhc^SKZIZb&Z$kM|&mfWNMHi-j&In?={9N@NQ3F8YvI_&RJl2YJjp%vhVQ_LFurcr6es_JH5F+gyEbR${ zdBBeGCoWm38ayjS3%({K0J%V@H53Me0Y328w%PT``ttH}pl}nL>%m+yr^U_Hm1f`l z_rf3YiJhIDbyw_+Gk@h;hlYl7uzNOF1N;EVdhhP+kLhr09TriszV!%YM0ci|)NtSRYu$67h0>86ZTg?=@wF_IFk zFK?UeBKZtt0$QHIu?>xP4lwhYX;s#fK0rTMsQx_5J*j&-WfJpws?7h*;_EZ3gQnX9 zK-;kM@l9zTAaZ-HGa4-a>)1rw7|P5{PbVcHuw;(Gof7O%#!4ecTGJ{vhZbCMoK z{Z-Za3NX?H?@X|}thr!Gx_l_D5|BTi(d}!$MMH?sDbnl&sHp=r$C&OVi%BGXt*W9Fw-K(4Jh^H!+MbW%U8r?GHP6|&zuk4CY-!qk zII}|Kzd+l59;Nj5Z8oiZBFm32K<7(}#^AeZygv{m0y6oeo-3&Z-OW@pwYb8&NFQzA z#_bG+2efZwj5x4Mi}&!$Tb#d{nA6J?B9s(F?R7jAYF9ftlpek-%`Bg9<9omUh~TXW zG`Z;~{YjdJnfWtFBl|nS3|iupHMxZ{>2?FIC5rxqxeB2By}j>es;rSFV=41kqHI5Z zp0BYr0PCH3P}RuDNdMhxSIp+-rpeOHCw+DGYLGv7UeEn;+zX9ODP{;(P;M$Nj`FLm 
zulEEvYVD{R$n1ENS4)8y*-3ktJ&dnk8y{XsAcV9NL;n_W^8eHpFCNmN<=xFq^; zwR$g;lb09F65B@HLihu8aCy1Chfi_32>U(@oqzViLQz39UpRfNox)|4fQH%~p|-!s zclv(ITvRLC+_hR`hGE_Y^p(Hb8{F^1FpcWU{{dshtKffz%;8<_GC@#(y?PgJE-p5s zu-%KpMWyA3RNJ}QxZXHjB13}+k1|SYl@~ms4r>tHgv7+0Ow(+n%J`divHg?`tM#!mD7NVO3&UHfr})X zxx~V&1$1q3v|lUCt9H+4+HPBey%91=JiGRjN$%j68IZQEihcw?#q@R#mrj@w;XBj4 zqmRPPQ$@z!`XN|+c_at{VaMc;$K)+7EkNY4ZN9%?ENuvweKXVDyc#VCTogWctK_ze zP3eE4Dkx8biEX<3`lzubI>*KFE)VAW`b|-v)WgyK5`29(f8=s4Zyt-nRe1u7JiLqO z?Mk3dF`=9v^`@CRR$};@oK*DuRLvhY;5r5-l_!=|^k$2CMuG5_s@31Qtp>opMTb7- zL>9d#m0)d(&5LI6WZEM0{-_OOnmdHmmP?pB8Q5#wSWUl5j~ccIeHOj^GepS()Bu`H zMWYdrVcUJ;df3j-%tJ6eOLtw!O6^BX@o#Y!a$YDE9ZBI9i^7t&GirVRnjK;g@kRma@_^*Tm zYQ_uYZvQ@LWTjnD%<-XmLZjj1dcJm54ZC$wkj#c)8nKZE+I0=^tAmerLQY9`{Z}z@ zR9Iwe5SbU#)Dr{n%NJ5z6ltBa#1r(8uGb^4sr13F0uQ?wUy6iN)XY?%-NctgdPu&5 zYCjolRh6GLsZ*zI#yTkO42-R#!KUL*;)Xv3b0FM>a&jWX*)OGay!s2j+}(6aF;~t$ zE|)kR>yrHp$K=^`EIifF?G^#-lF$nq{Dr0{0pTzS<(4UT$1cwpQ&u!Ge!au>hyC+` zjH{08kNxco&*4l(SN`0P=kBeQ_6o#Of?ii_$i~m9^H|~&s%jD6Qqd|^E0B6+|QNR zVUn)^cYFXJfy3!-Bd%BgIOxR;Q5@Glq(X+~U1U8Sz z;8&k4{&rG?HjI*bBHp%bq48Y3h(`DS25y?$Cg*&e{pBK(#+7a!xc2u&}AIP-tjKeH{H%3`rPjtSd;)67p=(Og6iJ( z@xt~~2dqj-IFFKL?TL3(6e5qf=au2=&k^fJZwl#=C$M69|DN*z?TDR#ng+85_Lq*1 z&Vh=4$K3VtI`c6MCcuK#pV}B7CS@}FM8SI#Nk`tC^sznyAqw$hq>Nf+t?kZ-iinoz6$FKv&k zihE)SUUyeZeqxSl8iLO=ZA~IqOD|6M*&;g)14WmBUOS<)A>JRaB=X08wNqpOy4rWf zS2NAsr_y(0on}I)FY{~+E6PxvLX*kZ;OLF%?@%LST#*-WJF97c>!MZjP%NDL>iucsq(zz;TEWf*PEF#w`A^Xm~_{rzW3I* zRB)M?9Al_B{`^9QZMyLOf2CK8nl2j;N7(+t3+_zDEs!nm>XNdqOCNsA1P4<9g5 zI5Lq)~-EWs@cE;5ZYElPF=TEz=1jq~1UQ~FC#+ei(CR}0xN1$!v9bv+d{11Lsr`KzYKDUU=waX&myoS)|FBLs(0d}`b zm;Of0+j*(LpCmwXis5_JW^liwab;qip7cy1#)8oHV9Wa?&((jD^3fyQS@gb8NoxN) zM+nJM;}OgH`g-VdG(#442v=BIJiXG!<|Z{41A0j)-UATiSYN#|BE!0f>mg}FSf)_Q z6dBMlTuj>*tLiU^5q(JdNXkpULsaI#gu+P(KtjyCQQnAxILQz|6UjenX#?hg zngPT;N|7+_J&a`7a74Y%z+X)?5b4w*TcT>nl!>7n<5H6r+N0n zs1orqSgzwSizzou`IR)BhXZJg=QcDpfBJ1b$>Jj8*GHAp73Tk? 
zJM(9nMsOVDoAiZMKX7*ul0WqdCQUq9*166{XYX8#JO6d29E*pubMBWX22 z72x-!OxB&`{bMj@d4=F7lF~eb+;_yX6#3rLOO2Nc60!VbQ)zU-6GJI79w|X9yYX4P zmq9KCfl0H>&lQbSqVcvHQ#=Go`n46=7`)Vv51;yAW;5^U+kP8&AlLmRGy>KRHyO!q zRhHlHwWOs}pL-KYq$nn%xg-8e{vdhI6OHeOUK?BkHgEt56>PQO%pbu|x1c`z!ePj?gl@-YC?eA`$vM(Q`8L=4xj)Zn43 zvLY>i_>C%ZK>q81MGH^cO%tLb;Cevf$*WTy`o|PMsR5V(QD#5d5@h!_{RiX$d%|9{ z%ZzKI^RBul@lA~1fO*b6Dmsz^0U|%o*UqK4R>T>RUvfuwh;3^9jcZv_*w?;wb2lz+ zDx^!^rt;e6X$v7Yxhny=RMlNt8bLKx(Ww5GtJ7Yhb00)5i`tUr2alTosl3~@3QCjF z$Hs~nzg0`r>67gjIRbFF&f1!t2KUapzu=vAd#~n1Z}b_GSrRZ+-XH?cF5!Esktcwu z^6#_yvH-T~5*>9sCB!y8b9CFN;#^m(viV_z^1^sMbuR<>cwa8JI-3&C$3#4@G54{s z^UKNR_vM~)N&k&@b$g?V6(D5%HbB-hl%FN!XHr8qM_q&*6!w_uA7ED>ir!j@+`2iC zicd%=2hB)MP6os~6!6IQ|Ian)VFaJS)jLcft@QyfZX{+;DBw^P zpx}5A&IbrPJFfGLuol&ST<#?}{|9qC>KKRlxiNF3-`Nw1#+HL`Z3O>+TgYpzo9c_m zT(_qri@NkyS4%GS&iQ2ivvuj6&VTc8`u0Ee`6g2t$TGqit>A%p_-oj3;@*F3^`UZM z|GTgL|G@Qv^J)=USxbS*JvJ6PGd49Pn?hopP7n^fOu>ET6;=oG{ zTw);WtFNywc3y=wnRe;Pssur?RaMLg=btIE1CuB~FG4~>6cpbpE4f%$qT}nTv{9wx zo?WR`ofdLK$1qHCZ0)m3Y|5iaUKz(d>K)_MlcZ$2WD$oT)t)dIgtW`id1fDHu&p&QNl1RlqZprvLz~==R{&=y$<4|d!beNg8KHA|fXzr`c)mH6aF(c?}YNW8*Uw zZ+1BqC<`4rNJc<0L@(Cw$hOY0G0xYo!*ky5(9uDnqM|S{F~h?;Xr#nylav`ChcQg6 zY~|CRfcw^?S4@GVuD;$`AzUszz>a-{0umD$srH|iWZT}``}FbSm%1>dplG@O-h>E# z`6en%0a`nb0u5`e+MRaPjMdx59P3d?Uwb zsNv~}$#o8Tn(xE&n^e`FW)&EotL+^d+k|l(jtf<@>Y^v~#1Ctw3G=tIz2Q~JfQN$|`)lkJtnwdmqVL7&G=?v~RZnkhEiBU7R{wrWgcywTG&#ZgzfRA`n6-+w;L_fz`*Fr7^&0 zfAmi`IR6V&V!7SRVRzgV#Aj8row#APCcDj)KlGrm>UsM(%y#co2Nmbb1~KuHs*mph zUaF&Cvpm?)b>GA{rS79Jhea_#IC%U1)WboatG?vfgXr{{;l8d(ZP2h|sYkhA|D@X1 zu29_B1RQ;MYCot}=W#nP1C3A1id4;9#Y0bXlIsA^;&(&qj&D#-i-+FZOwH@R_@lgf z#2IMwXE%zl`XuHJC78 zIUtI>01ql+xR-67H`M$vk+E57+g#eU6SZU$IxyzgdGZgupz6x@__tl<{^NU8Lv8Ju z1ZEu@2Sbq6K0HW3Tpb)vRsks7%86Oo{Kb_2OS62XZnq>=*t2@*o2b9(#rd~VFIpf( z^ zy$%%73=F0VJ_64gC>GMz!bYWTv7Rg;eenn1`1cqwY$&<;-+s_|=H$MY_5MeMR`LfPhU5ukxZ* zHgbMbyB^B=m0U90=qY;kg;iH@Ci;eKn14a_^HIwPzW}vD8 z1&=9-(?ZeJm3JeOH-*K*)U-ccke7xgx2|pmRS>HhL~i%fjp@@@@!!5V1LsyCB8G$E 
zcRJws6rUHlJCfMR(#Cu8$nh(G?1G78@>P(u>nm2?=FNYF!pkZs)o+oCT81sEDiD=e>7eZUl)OEHrv{kCahM zRV9duCD>o-{`?#CYYyt%whuQ_F2a)GdTLVKFf46)USn!BYd1n5wCbgK8M|ua<9ty2@{Gw}M|T78e%>3T47$Vnn^JjzDE2 zDf24O_K^<3Y7CM1iCE*>Me4e=FI$1cO~Km`Hg1T|*Qy&1n42gCbM*ZzFHlC8F5b;h zZPtfpesX)*JhY5YLgKab7mhj|=qBDWb`pCqSubQz@Pj~F1AVxj z^@LU$hPIN4a9}YcTGE$oS?*HLH!-mf%a`j4F9xe^VoDM=-WZ7f@~i4C=9>8Tb(}Y& zPS>g7PyO#D@ynijvSJOF_R|b1JE#3F(TC$hpG!fye*C7RmwD4lKxhI!8T8W-c5%qX z!Tc>?i#UJ!T(yyloc41jad!9gh~XryoecujeNkc=%yYmX3yX?A0_ML(KFdk;ss#g* znB1Qvii-W=B?7|C%V>fdV4(2JNljsX_+ef3;ToJW*dD%$G(odypsh@fG^Os zQ;8z_7^C%ArsE8pCh&%L`0o(^CTnOinv6gOll(Oa^GM=jC6cSQqGMt(&?C1);EXeJ z3`!eLkUw^8m{PGT?8%V1!#e!K>h~hDF?qnon?DEBy9->gs8zEXFd0rx@IE zbgdi>(rFjjwBW$sdekCio5qx>&x;%^^C-)jD^9j$TEvdV7Q%& z-j9h=7H3}fTMQRHmBl?CVLZO+j#7srnS48_+hu9r0UE>0Yxwf5FC$bqxVH}T&XZXo z1yocQU}#fuKPB;n0efD%I*T_mlTFgPDIiFiDt<6;Mxen|y$TV%^M`&lZg0C%q#4oW z)CRT6NKP?#AeI~dfwHJU+FZfvT(%2z;P7J0e}LWrhJ>MDCx7MSqpJ>l1DYmhp}3Jj z`V6;#V#~ox-83(RW)^V`VK;m!WP(5A}=nRAH6F= zt2!K2$?yf2w$Rl1ZLWacvi>VBGxHJf)``K%*s-@?FOG%`#?MQQX?w+~VmlFOpoYLr9>I;M-s2c)0u(OXMJrA=>> zu7H9G?V$Q9ow`>hdtVS{Qbb||9mdxf#O8_-+dZ`zJ#LYXsVdQ6fo;V+F$NbSj{1KH z_1G3d)=*8?(YIfEzx)ty7%2=fA{v6?QP$h;T z{U%Utn5^_j`B5?f)V#7LeP^ifZeYVA&2{+>2j*}=wBo;0LRoA8FhWYo$v3n#EQUcR&#l{ZUXnEi&U38wKoe$~wjW z2IRP*E%uOB9Tp9x0E#}F z2i+VE*3+U6{ttw}`y1ejkT{du2u34jkbBna#iKJV27mk!_&~bR{2j!^TD*Y_4i>QY zLnbl8!D~;@cVil0$w6+`W%aI1Q6r1 zr&6g0U<%v^vRPCco;a!)Ffe-lHp7BnE=Z22AW7U1g2;Hz6983^`IK80`p}BP%7?Ig zRdI~gibx`?YWM~RR{zr5*yBofd-Jv-{{0K}l1o&QE1mbB_4P?xveuag(B2J@rIYIG z%_}yA=I0geh&#`Rt^7XK6G2;0959wD-#=?%yl>~Sr^(v^>#)1Kd#B!VBLq8+xDtUB zus=_QYO&07xWA?7Qk6GAr5G^kZ8rn&(_gUwLCMu&Or91=EV<^plfEr<9q!PU(I zdS2c{*-8CKS3;AJk}R77O7s|nsVHvo&guqCu;lLrNOyL1QKQwn9_GdE;hR++9)JpG zS|Kx?+opn8_;W+K>9U_c!;t05!da9f(|}20b(ybU)0Bj7sl3=*Jt!n3=j~IGmiUgV zu8_ysmS0X68Dde|L6Ss7U|Q3#D*#d=ix$jE=D7tEC(3*(;|JekKc-qZ>oNBnOyG%< zXHu3rV8S#e)G}F%g!J_td&Zgv#w?at56BX-Pcj62)(GuQezWRSqo#{7*r@@cm61yB z>s1GGMV^zkbE>!d-n+UQ|*S-l%#C0Bg@2pml-&)lMz13ddaB=t>s4{yyVHAPW?T^7V;c 
z+7aFHLps3)zxj)^h0P7N*yvw={BB(tueSsWj&5C*m#m}ePV`lgqPqOvBQe|SR#}bF zNv5)x`0`WiM>r*mp!0cLb+^2hakd%-0F#fFvH=vWZp^Kbyeh1^L*j{k&B(8N0O)t# z1-C#zF$)FTL9yrT)X5TEL98cVHyz6Toe(T`_5PcN+OH}hz6@O2<0cVyGO}YM zBLW%5n#ACll<aGKDf_EUC;Y8Hy-G$~s{Yk&$^%0o!fO?zw11YVIO<%!{c{i!bE)k%|W)KkrYuLYqwREzf3WE zR)nV+=2igM_7RP*IYv$yZw3W|y9 zC%xgHqa3nv-{Y+1n~wr~`XHep_;~#0w)w7Gv<}xaH;ryFij zWEe5qZFWrV>D1geYa#vOF56vJrRnEO%&tUNq6FQ@nshUeZ<+i@USsLp+-H^x7cCYU zfNxRkbULZ+wAZJU{`h2_im;!iukMeS*jR1;0|$f`KRg&Nd*?UnA7w1M@RYHUnu2Eh zk3S{F{x{}kmPzL3#aeogzjkVjFIipJu6lKqlI|lHAKB!A7O=30v4q5T@=L`%uCQE-#`Nhb5h~)Nq#YLOA zQAYBn1@*$r<16kq01e9-nXmb&y&W5^v#>m7JS{L!JMuIoZ%>vbV#L|AXIWTS-du5a zU$b_f-oqcey4LcuQnxy@;J58pS4aHUt?53Of(ojtb;k<|ezR~;mRCPG$nI6}pLitK zI>~l2=XS+y=QtNZT$Bs7H7r}EH=hpg9VYeE8-*q) z?K4Qvj^FmQQAT**aUK!=L&x`tfBaVM@+0*wym=-G_|k?d!=J%>UxZRjLN%*eP@W!J z?|a#vJ!(R!r5~^Q8!2DQ^>|s55Z0{#LzNA1J;|ld3!u20s?@wUxMS#ff>L2ZbwV+j zAzh)Hn;fSceZh|j;hqgL_iNtx$`4cem@pomOVi3ox3isrQ%Q-8Y@74#pt_)#IS3$+0hT#_+%-*KePVuIKkcfl zqT+*83mJja_dzxzkw|(pC8$ni1u7k+Dk(t|cho|Jp))RfzK6lemd z=V>X^w$I*s%SG_`>O%!4CnxV|D_%NZx?=K_Pf!@9BP3GG3VBG#kxRgizOGHr$$6im zJgq<%C1QWihOz;MFrdTM-K5+ls8^^3t0AFS3w{L;SE=KMR#LQv&GVzS0V&7d4;_;( zF6MY_;8j!B%i&eu&&=6>5Unl-8Nda`>h4#qtgIl-)UT`*;+2v>UIQ+9AS0XKE8G&~ zpkF}(`AuZh#U17hnY2`yK zSCR{#tSp##L#wxvE$&Z5FC!af&rgV zm%f9eLP1e>;SR|3v3E63oVXLhDi~=Dd5Mf*$zC7Y(qmvJ2d*Y<7*)nMdgV$)_VJy1 z8}BA&4mS7(QcTSiU+6vfXUIJ3cK+JCOUe;JsX?Z<;4LK$;!UWr*qGS@z#TP zv20Zipw0rT^GdE^oJ)_1;S?3!DHI+N0Xv1gHoApOnARjhpOBpVT1!!}3Vm5iu6CwL z?_T(7NT@=ESTm_8g?S35Ffatk6f$HXM2c5VHGz!$p|iB~LGotCeF7j3>j0o$xAp-&dyEF(N4_sJcx6(KlydijZNSz+-$BI#+<34 z=kk}EItGFQV=cF`BJX)_PJ=)LZc!H?a{w6eN0rNRJmu|B zxP1P6pC&^0oIjV>(Q^VfPv7=U4^81nP*L=HJ~jG$>27g5A8E6Q_RGu*7nSTnY)7w4 zcpRF)um8e*x^k*M?3l9$lgG@^bxTX>jMU+PUuZsb9pztyxa_~m2)#tQ+p9u={L2%tUj$ato*6b!`BAmrdBRWiN@>Nqo6=^QQ7X7S<(|4Zkaticz0d z2eFH}e=5E%qjt^M`24Gm@1VGkW^R$KATM6}{SL`Oez=`UqL-<f6~{MvUKqIvIMh2 zjBP2?4kPRD`S#!_iBoU7X>JnqlfgdtrI6Q>sE=U(CEdJeK_2l8f1}fjW#1pV&waZ4 
zYi(pSaNhjgyZrp`>^JQJA`iYu_E@fbzV7^XazNkl^ViFKDRiE?x6(HrEW5bTO!QrG zaa3)P@A(HBPO{1>DhhE^Q&YaazBLMQEANutvFy}azD4A*z|IMu)n5 z0duGI?B_jeag#ag9gkf)V`INx7Tbggd<)eH!*h)MSLNk5&($Z%g{SEcHBA@2q~fVd zLR1p&PLGf0LB`|Y*hqhSaUd)`q~fE(n|9gilgsyn#>U2!cO7}DVCk(BbK2zdE?KDq zpYCqnrsq0&a`%H6j%!WUepkH-V1i8a@L`5t8cNEHOXM6p+yt!Pm#z?M>v~;~PkOb> zV{En3gZ1`eM|sz+g*_IPHp6d{%{pgg$HqOh=cmVW#ui@|R9ZFb?NjmIdCPsQGaGyn zMd^<_8Omd%<0u>^U3dOC0?n3LsZd{$zfT1d=YFpQ@@-olv2pKUk(*^@3h*rh*f(MR zhONMeuOOuG!a2U@vQmhsu~xY!7^>$VZdEvWlHQMDq>bD6Rk)p1tCRy*g=hs?@3Q;S z>Ib2fd|vYP3gS5qQu@(F%u% zGFNE8kEJ}!)_quWH^(VPDoKjvam?jtE5y{gZ2k?A>WF)XfhBsoLz+LL|%o+J5piR|7jq|YyH%iR2_qotRL zZFofT#7^;-rS|p??{%B3I~UzQj5O!`Y46t1l-IFL-ow%^q{C!xtglcXF7bv!SMihZ zQ=nU=r5qb`6{ob%uw1Na5!!8If9=AnL^7(H2LL1j{VcB^s`z%k`=WQ~D?1_+by}99HYp<2G-Fob<2Z-~j!Pz06N<&TdaU zqq*N$fR=`0jNNNq^Wr{oYoWqVH?QeW|DiqBw0GR$p?2gs9k|AzfhL%vX?L6_s&)~0 z3h$716@|jBme&j=tF_(wYroRNqWOwMhcwe1L_dk`?b4WUO||ft`~HQtC-SsAy|-b1 ze}Awu%$9Dv9+%eN zvA>TN7dBqulwFt_sBio*G(0?vT3J9yC`^Cn2l-Ij^7FT^^^`@st(P8_k(phK(AX9I z{F^S!8h)vLEm>S9lG1Rt>4SM)T82ne*J#T69g7NA=e`95sMpa^aa2)zPC&#kEbTd= zsY70_zjjuQZmne}bvf!Bnoqh@Z@FA(#C`JOx4S_FR}#t(uNhMR@5wTXo}MA<2`hAVItM>w z`ByuqGb)}?CEm?}A>!?UNHb>l>9bwXl#roM;=})7&-_c`$>takRM71RMhzo*x!THa z87lWVsV%*RPXCRv6VF6+aa;cn)U^MVcdYHgMGcMZb5s}Q{HZ>F{=77+1r|vx=s6Q+ zW-UymzCK&39q8 zW_U64f~tkS1w6KIup;H>;6eXh=_M!Yw-Lhy-Vg^%R))&`@Jg9oFD8xyh`boSKsIn8T=+m6a9YZ;K|9co(+k=%n{$ z_;bZ1CHYT_`mh`}d1)8>hD5=Xvz-S^i}xSKJ)*VH)!?A`&~_4f3;zjg=H&^(`!{9vZ&zRv)up=v&WA_!(-aGhK`W=poocHhgHD5^v{r5JO|(mdND22B0B;5y zh&(*j;Z;J=R50(EyxJ0T@_&<&{!&ft|4o4{g9sirtkTjTj5J&z~C> z+F-JMGQ4@E3f8%4X~M*D)+Q&ZqHsKN?rx8E8g~sShk~RpJm<5?zS!Lg> z{HZ{w^l4&_d91DYuz0CC*Vlwc9kcgML!)yayd=s%7yyvpXX4j-6dD>D9IOsD8ev#X z7tF}u)xR4oKhoR}CXARQ4DLHAt783bYv}M zaz4S^m`wHR0bM&gQIp4azdT&?VwNJm532_Y3yU+SPXiLET3w3ak9G0!^E;!a_RFeL z{LAOh*;!dbJ2L2EA4W&B(~BSF*|+b`x$X7hqzrJ#C186Q@MDh<8=O@orcKSB-EM zSKRY|;9UP--JAb%-2d^-Cakl~{{sO2hmwtdnu>h+PYUYHo;C#QAa|q7cyssv{vX~N 
zHN*eZ8~dNLTo==-YHe+WtGb0OIY$+1;v?97ALYvSKN}wuy&-%@(Fk*VNVd`uXt*2<#8I(ERN1wtjE(i0qW$ zs3B_->vug|QmtbjHSOcbrI3X7)AKa&Y?)Q4z__RNi$ z?UiXdFGc+C+0<-9q(obFbpn!lQPKCy^Avyb>Hs{IHhsLocLpDw>?yCfxcH$%=4dX! zU4jsNYHsfRm$Ry1iS1xuNN7!V;HbEE*J)S1mY!aBkC3MTCujNTzzvaRCMG6G&^K<} zfNJ|rPU(HR@_>C-Ncx9O8V-QmPC)@+l!lg;*Ru!_4*r(9y5G5rG|sxhZs2=oCkBx% z23`5|a^41+`1?)cAj|w1T5`!V=nnt0IsZXvWo6}lZtieN1-ytzpqzKhKA^2|MTd70 zT-S2tj~jyNwyF9p=;oKuUOwh=ec_+-_^6nu=*!N9AAkX}J`oJt*avuI=tIsEHyYjo z8!OwSG+DM^40-;%P7i6lT^lAJo~jj=$&7N|kM9=Jz1$JV$?vTK>ARU(;_71M#KZ*L z8vt|C7vN4C>=)9-Z02m$coN5^1TOH`@IH-=jf3Z766p**<>>;ieBkFygQY5 z(cCtXO~(Sw8T#5h-@ZL`2wAzQSNZIzQ@#E*9d2nKE|PC9Z*8aArebezkMbzGfCZsE zT!7{frO|s-9Q0)m9y~bZ*dvb^X?T%>ocy}EIj5|hxu=b2TkS*g@0Kk0b1z_Gp9#@X z`EwxQ&x|y^%O+-KDi*h!t!>)88SO-XttAS5IC0e1%Wvn^RWYP3AEsy22JdwTA@pFq zH-R_ysWmUZPQ=$%G4#Cu4vcLRiz=$BE?v6Rw_Cyo#;Yn-%b(fz<=qLG~jSV6-oZiBaR=gu7r^EKXGYK)Tl*3+Y39YH5&r`xNRO#JFW-#|@{ z6z{pYIh-?gX;&xoS$J}_wYBxmr<9e$NA-I!>M-($e8bRJU0l`ymE-D_lIMAW@<2%uZ#5L8J;ZxRzFVDk%PNHyyC z@Yq<<^_Cc5`QR3d9XO!O?uR2=MwI3%lDLC@zP=#ZWq7O;TsoW+n17^brE^M1X#f2| z6u3M4{ZmG~Cu7pn;py}XuMJPE8&*~?U?!bH!eoY%Q||ANN-HzsZ9c~lMJX`$EoU6~ zC@S|sBN9wQre=c0_Om3Bp<(uQF3^35%p4wyp#+`>dgV)Is*ynlSi&czBv41F7pH2~Ppsg>S7_o61~V;^o$&wL{1zYTpja63Lh!S1|Urbb4wA$%2N zRrU3JfdA^lVckbZcMcs91}qUjH+)fNgjLvKQySmPT3X&QM~@uQ&XddCe6mW8+}0R; z>K#ABqge{!!L6gyg&cs(AYoKR?dFE-@|Kg>F7n|O&X|zU_&FhbHoS6f6{bh{-hWGH z(;5Ee&}ESG?p4>;zP++A3Ho}pl*>_JVPWWyBqjGO4~>jiz--9-;NPtz{{OzE5;w1n zcNYQAA#Q1?K-=Fho0<5sd$&Rf)f6q`@uT!E4lKe~BmMw*u@DjK?<-R7<6w{@pa1y% zyDrS_+y!{xnsw}$GkooVKq5~pY5CI`W^fVj{14opwv;&i>x6y&+z4}ioG_nAzv!K@b#sfwjhDggF`hqvd6UX`D@%6ITglhES2JI-hv8sxS@KkH49X=CZ1`q$=n@58MFS<|$0GQlH%Vue5 z8Tk*-3f&}F^mfsg$w@>glJmBWef#$Jr$lu;3CUZ7{>Y6nC;c)qGuztQP*f!Cz%3^I z4KkB)pwQ!~!EG4!Er>FwPM^Mo9CPAhb9R4XpF#e@EP5W4=pJqm?0XX+6{Y4#q& zpkNIT2P!(;dz4due~NXI5{(3I7J+CW#GuAPvO<^e&uxy1iu!41XBR#`&uG}$3dtTk zWnj(njbaoQ2AP zO%UE(>bX&Qw|;?qm4I8$&5d0z@OV;CP_WVadFQ7Jaf)}@`&M-jHeL*cQ7I{csw;?q z%u2A#ii?ZG*pi28ky%OaZ2B4zKe9*4cmh9)nEwqWEdgdEX;Cq;>WYfEgoIn1Gt<*l 
zw6xJjEEuIT3Yc)<+t|7cP;fyai!;>K*;)4#yqQXTS>)+6>C7$cvC&KWIY_(PKknr_ zSkayVicga(u`eRyp%V5}!0;8q`TbuHD6nH}jvVKcgmPDlUr4CAwiYl>%nfNuC6nf; zBKOrL1YU@l>8!PgXd_jBpei6f9urvZz!NSfAROo|FPCE)KTSnSzN+^LAMevA@YQ!* z-_Og77ebx$7)xIIeoAMDUuuswF0>ndQclsUhr5tlb~}(k&(1Duv6xs^6RQ+-h@Y{X z0;dYUBv)|10@qf|Ty=XFG-KpFe*-v4l97zx|jj zJZyXd0?w+bi8=J5S4K03Y%3Djw%yI}vOk-8wa8ZBH3ssgro4v^PLq7XNk&^YCERh! zDAhqnIXyR5B|cRJonvj73LW@OZO-u2OHN6tIs(aleTNz!9`6w8BtMs29{iz>Z|l?2 z*H2B24A)s$UN(}Q2|ddw?1!wjZ{I#p?)mwXFv#cSedze{vOv`?6Ll38>S6<2JFP{a z_FY{%Zf^ZEvMBr5)XPNhxdn7`9~}&3i>C?Wg$fULok5PSonuj01CJtg;C zuv-HUw^C%&px%`Dz~846x4uBdF^f+NZIWuF_}zWK-LvS76d^DjnHhc0cAIoqVqt6Ya-Yxj$nFZcO#g_eK)nv>1+J@lFLzy8ZAEI)$#Riw1r z?jwI;4OK8doSdAlUcG8;{Q8fJ>IoD=jj5Gahj5?pP!L#azCKJ$V8a;(XM)T+!@qn? z zTB(YScRG5=1~+p&GuYZ;rvrdew?Q}am+x>F@l`w?CdC;Sy6G;z_!@87oom?t+&`e> z*1{F39Fkoq^d8Sf?p3*C_gri)IsD$Xz1HL$r!l>zjQ~T+mcp89MMs*1uwrV zG;IhcAvvS;U|_wXy?K(B_Gpij#$~N?$_UMuwPx?SzUeupq~-VPBx+h^CM&TmE@#=h z_PRx@-;Nr4A@Wp?dV8=fP#)wNI5<=)e5kIjUTOFN%BHgBrAsjS7#tV?;-a;`BF=N( z7CyDOaqJ!|q^g#>UFCaK{NDLTFgZ5(TBT)&IULm)x?VGon)$k`I%ofpWQ$496l1Dm zniF9i%fBbWG=JRw?Wq}&B1_r336j`T!@pOTs&Ko1|2F40x_MJ%+(=oO9A=eOwcaVj zp@W!T>Bfy_Wos(RxAXIt!Df5$W5z&wN@agtuq z^Qwp-7k%s#!f3dusYx&IrZLv3WxCY_-A&amS$q2~C1$*)NVg+#4qmdd2U!pEGTHUQ zkV-4lWV^g@`PGY+mqjrC0Tgz2knG{n9@pu{TzM3F zjFV-A2E?tzbx|a?EYSjAoJq(Pa!Sg}+2)_WBwy)x%#t%PVRIAX1GHZ%EFAH?h6kb3?yE!b{T==s z7LcP=!Q~M26~Ypz_2OeRi~D$<+B8sM!U_SD7&Yddo!up9?c%q`pk2nGatUe>{ytnExF^t z*Qhm>&xA@_Bj}dm1vLu`zLri#Q^4;#rx(tE;bXlP96*{@D5+pK??i)+83_AR8N?1fU{T(pCO(bCdL>aXMZQ22re zz2mWwa|#GJXh@x1T#QcNnSnAF^&8;PbMTwf*Jt0c<0fXOeZG&bE;U`Mn6cD2e|{3? 
z8sW{`vvP6{?*kGQmwx0^&@0g+kE(Pl(Q7Fwg@uI~G2UK&L+0UAm)Q$5$vd0xfw6>a zk0nL+qkdS0)%k~rL=zCEltUSv*qEZ6FcG$CL zwR-K9`0mVB(2I9itE;O+oC{)&WIOpsF2z#4ATt?jhKP?F9I9WL-Egt$E_{}?ID5tX z$9A`Y5Y6ikY>Pg9cz}{GEAsRk-(&*g`pR5|c~7L2OX#gV5}!^;4i}$VURV%bn_GL{ zef|lfUZK-tgE)PpS^v$7$7N)qIR>P%gTikgEv+rETvFaREvW860KDZ_t6z1;fcuoHL`SWEBGyN!4=oW?tw%l!hx(@{D zsoz;jWZ;umb#fAC+tTwOBJTL&wZ7;BKFbpBE8?+tBV>6#I_m74^UfY6AHUzh$xdbe z%_;}Z2tVO@#1_f!qNI(nSR-He)3TpkHc(y~j%)dCFF(|4oF3tnh}t-5*O3hcFSG9j zY#1xM(W>9A@3P#I3S;kQR%S9UUT^%Q_|By9`Tfttt|UMaiB@O?XIiw};2lYWdXg@{4s@rhaNlHWdmKKWHEPS|Y89UkIok|Ma>Z+zK=p4e9NAk4ACKYW;}`ZJi%f8v7nh~3~mYh~AX(FL9shq7oM_m-E9c17paXnpDT zHD-m0Zme@;f2ec#78SLf{y9++H5=7*s`*V!NIoe;9fmns+kj82NO5_DwtO=BJDiEE z)oK>DR#6l2XHw|P$5I&Qy&S_S-F9k*k3=gU#KgxBLbAFDZrtP*@o?xJnX2y$ly_Y{ zH{nef1L8R>LVam8Ya`+Glz~^3aP%S^+%BsW1{R%gZEQAy==z6|&6#jz^HR?r57X33 zIlmdc6@E!x7Pwb(!oZShl>VR+m+*y)hNDzgs7uRNe=M3bgv)MRVR83%1NswqbiJ3> zqjYm+b#=s&<43Mr$OTCiZQn0z<>-<@Loo zLGGQ7^L>6oB8E=V4(6A};FNZ_531qD{pQRz6*Z1ig4j0^NN=Ro?sePIGoy!#88(Dg`$0n&l?BQwXu#O4Xs z9r#+cV$1eq%btF9O-)s_28HcjTOT#|AzhrhDvH9`R#((V%231XguVR{GY4~N!Fy&# zLS*r|$0F%M!eIrKp?*k|iN85gA~-mB8YB{e;W7GDk>=>8(Xh8mIVB#O{bfZ#Qp#`~ z-F;RH)_w0omeMPeV$u?$&(@>|3AiL!n3TGVEbN^7PI_Ou@GZL9(DrMJuEI~uhGSK4 zrbVqP`Jdz+7ug!7G1>=>F5ytL>q2~j14lev!zDWt0GcY>?R?(c1dA3-kRuFAkh_iD8Xej!pc77L@IT*OFV^tx5P4XO5k!7G3 zl%4VeqO|u;(ntrHpi1t2he7?tnJ<}qo_iFgJj=-_%Cs??* zvHpJ1w+v&dek0@Ad!&kn7RkdpxmHKZemr5{v*%32@R5i;Io0I6JUkbo8oa#7_zylv z&3VqooC6~{XOLTT&kPq@6o&dd<_2SfDq~+_w}_^vY~5DSjvly zL@R{UOp^581hStu6Z!TdQBHjnls&h9y|4`A_?B+8jqw+(1(vY}QdwG&GWg=<%fvFs zX4k>PKriN~Ocd4^>aq1IoG*+g6KLR4#|nJ7s^=v18g6;D5qHTL`OGAe;cW8Tw<62N z3CwlCPI2`SPxY`yl2{xUK%$j=zI*Gvra3bY%n-Ai?jnvBGBHj-#bOF9Wp$i|v=fs{0d>>+Kaz!Po zq(sJOpwGL*;8r)+X<}1L)=xyB=9-$1!|EyqA6Yz00l(6{5P3zOgM<&{n4!9< zZBy35q4DKZGd16}pA2oK?-mcYA8s7s^^gp@J?6Ni(Tzc9?g5?M5909^p}j~+q1j^# zhqVSJ(C7vqu&#Ur=m=r^8BbOndWyQ(JXB$E!iQ9t4w$)5W#{HDe0(LpxVQ+g^eOMd zslpu{ncftK(5w8?OQX?>Yfw&?F9!_s5%~%GfQUf 
zdV!4w;*Duv)wU(pQFCq4@~g(EiRUa!b)XH+;piu?fGlkvF=g6gz>qPrei?d5Ev(3D=|jNi(-&N_DD7>V>aH?Y)4G_!W` z#WvDb|CN3rIqIscg@ECl;?G$kv2EY#!(~)|RUMxzo>QorW4#x$_N!-UWx}}R_g2OP zA*grj;;Um4^u=`O&|H8S)7@fK@vp#LgR_u zc%HZKn;U`b@V6tvjQTpDT~0186o2Xb3Kqa>K`Rt)Ui-bV8eCfRgl+u{ZN%968E_q# zbRZoqqt1XgFD|K0&W#s~hujHmugG77xLhjh{rl%atnHbmYM>w*8ukHb00jOFXzuz2 zVU7y!lYjSWOD1A`TU*a4&WeW znHVEr8K&y#)2+=JR3vQzcqJz>ii(P2+|o;oifHzhE5s)x0Ei&I8yI`Fsq=C<#ssnW zw4BH!ypxz)0IvhnpZZyg&oVGLh_BJq*f<$~0M8;{ZH$qpU&!94_V3nmZxVXq*J)`J z|A4yCrD0dH9$-a0O8^?c75{}Nb5tR)bs~ikb0|1N089ep0L3PnLF~Nvfx_D#5M*)sh00mA+fLr%1ab3XR zm=a-j3G&S)3X*svgBY|gHiY*7jaLYtm*gX3yUpU2u<2P|UUqbF;4}w*gM+=~e)+4J zwY6#POliT$kF+aSt`s?!@ncWM&tJcS#wj#H&*#$9ST>!-aD-sjP*T24Nog9nAA3fh zvmdS|Bp_9RJ3G^W`H`i-4t%i#m@YwuVK5Y(1b$3S4gL4jCF2Dbqn;ag8iO5ZOicms5R z>)K#0xVcHm#gl9Kv%Glm!s|d)OmBPm7JQoiUFpIs5(P|5OhI3-?Nq0|)fS(h|NLI0 zx`v@4XEn3Ij%wz&eCd1XntT9_g;%buxZbwt)ti}Vhm-wenb6G#JW>4(0;@avHzjBU zmi~R&B;WzxdzjRz1IJMEj^gCO0p!ge^hjTmw1Xc%?)~-46eB8s3OKm&VqyntqQXL* z$C1pAr%#_QEGz`OXC{x2G<(8GqCALQrWoc==t^(7nBv@GeC2Ge<4pn;b^)^{`n98C zVk1j2%#ID&icK$#jcp5;VA*>zVvF?S7QJ0GZWJ8 z8W9?X_}42j;n(f#?T5p6wt3;9fzkjtt$(j}LrslVk+VH08CS2qqz?Ye2o>(FNJ{-g z&#>KX+B^JGxRR4vqqoaFcXE}@r zF^mqUL;}M3h)A{OKX?$ts4KWO=r({B&87=;CvrB=Adg z`fZKfr09txy1=iU5to&9vE&UO4-IZdf?70qC+|b6=~k<6hphokN zhM9s7G>xp$N#*C}7Wd92P8J;p-t(Mfq^Ki=BHRBCxR*dGL0!cxpjbvLcZ=@du)77n z_aHz2ag01Lpu*?F%s_Ky$DTbFIX-cuE9yUPE6HUes0(UmTtnH8Sqmy~gdcuGc6%$0 zT&lkuC-u;O;%4t|JnXyb#Mgos#}USG&Bm8VY{jm5u|AP;AZbGR(3W`T&IWybeI287 z=jdMK+w^)0u24C05F=5;Lv7vNSaaZjX)VSx*rWrLg&#l%vIhq1IM9T+Ub!Ju!}+Eh zJ9?hB&Q5cI`I|^7$fpFcN!$DJKfmcWOf9|dAH#SRPZ{7m20jgHm1&2v!)o1Kc3;uK zwAoSA55N#8<6}mg_nC3S5ZdFneEwAI&iLW8ZgFROu_P_67>9_+?@Sgy|$!t z{nLKMUI$Bn;FoUh5HYIqM>V-aL}W2JiS!eFi8Oe;Zf-@{$LVYhlEwH1sJ1gVC43Il zrTp$9U6^N;zg|~t^8#Z3-}jmH-XtYu;XCE&$M~0q?YOvL@Of`O&VvWdfaXT7jk3{; z-Tqng_`^fmoUE+y$Xf59pk^SFn81E+X(2GKolH#iB9vkx4MH8Y|E5)e3Q!M>&7&4s z_Vl%D-1H%EbHT{1Kre_-KO>Vn`A_IBV-}x)L{g*t+Ux!87h?BZh>d74ym|4A%JnPu 
zv1)F9;2=v+@jQrc4ja{JnH(k41a@@BfyetsJHfDeJDa4Fx1(fee0+T2F;gLd4R4bm zsYP4&viMVoOXDo!Mn%$rB#k8yGzDH(@A0ZNB49NLGhs|Lixq8{FdJxp{foIdQtY2M)XebO(+KLUL|yF2aAoxBM?$ ztOV6t)11Ys`)*mL^!UKnX)3bKt)KP2+VnE%Cc8Dy7jI(-2WDTNthR|+`Y7cSh?_`cv8Rsm1<+d#IC!~3fp z*nA$=#=pzTnt_v0a$;io=@}r*>F^X*WhPK0EP$vI>2tK~y_O}7@n!~4Ku`VAKYvn^ zlLxf=6#n!D-_DdKf0QE$d;leonNtX1Xim@04%$>Xs(7%nz#f0}NPnl%)~%0EpiWFf z!w5rS@LMQXp2WFe#*-U9;anI&;Mh23| ztqc#1gl{bY!@d1=0mBiYVcj{2+?-kSov-p_Er+7lX86{(DYdWMb6z!6Qyq6Rwiuge zd#JW$4RBn@#qE=ATBxS=O5EL$jpgJvZQVlefo-k`TqsR{kB?h3j;SphU%S?YCxYOq zf{AJhTIxcq3P6Dv{}vv19+*=g?^+JPs@Ae2qi1DMObDADVF{$sMf+@YzN_Oq{t?*)0g2Lf0$_99GNRFsqrMV4*KoN_exASRf*p?{L}VItVvI^-o8g}&1G)zW3(&u`>_7Nk>QJ#HPP%h%$lC0}$^OMs^6NqCwidn!z&r&+opvyCiH2Muytaz z%JG4{j$N{=aJcb1HknwMkvfuE(tR--yhb%OHP0Z9us#WnCTd_NvRBGVx9oeZ>D`|Hrrfn{1Ya_3JIll^FJ=XZ{ z)D`!1F{?{?8)$^!3kdTbx490}Nfq41T*l=-OfWH0KKn$axi!Z>nd)Kg>h)5VjgE}vW@EDm+JF5!L`HOmL9zTA&Z zp|RP-o|?uK>ad_}LKY!^1txOlVi4JW$ z84W2*b$Cwnk&koH%lR`!I&*Sz7Ji=}Qzf*)Ew6vgpK;-jj#a;`%M**frJ$WJMSP?Ao!T{LpdZ6DLYh z)1$W$zJM?gb8R`Hh)eS1 zcKswgb>}_S=ZOgYhOqG#4Jr;-{tUpVPXZ&QyEBj#Z>CVy^@2(x;nbOIg@V!_cUtcZ3B-EL@2S%LNM#Hk3 zjx;E#u<3Lw6@|5`5@VNR+^NYT+HmTIuPzOF#OSx}y zbH%HzIg!*&0}YnbPGcwyR(V<~kjycUZ2u?dmk6&h*h<`MAv``v=3nx=X*CeB_a8g9 z1lKJW2>a(pJAgeMj(dS&0+PZiir*eAqKDyB0U(gm0PAPmroMaEpN+h@0xw^HeSPP2^Uhdgc3=;t1Vwre zg8lAqrgr8Jj*Ots?CxLv5_!i2eLE#_%_%?d#tIcs4{!* z#5YF%BnHT6Jp7XuhqC<6NyG=&m6go*w-dl7n%1%C1Qt4@kG8#0QbCf0`?ryAlT@s~ zt(n(B?$O~WO{UhZU+W8=IEdkFEP)l>sD6)FOvC2B&Tg z%*qFu;{ddsq^l*H9Ka2-g%g0~ejn)^$Ha$AlNuhAOdhhU;L|ykaeR=zeBZPP8&1~d ztk*+VFJ$Hk6Es)qK1`C$K4Yj3n-O4-;h~`>&7u+V@T(^bS^=yf;7wcTFYhkU!>Yb! zkF{xFR}mI>MR%Qnkw+l_h=#5^tGlUJ`hwhNxVnVj&k{?S5?Sk&)s~MBb!?-&`f)Ow zx)SA`L}CdWn4T4J@;&w9t~!f)RqN9oequ@QXlANK9OiX?jig(Da30H3To|57)1!^1 zS&4|Ih3*Jb1{Axf&A|-?&kO`yz$Z>z)3U+Reme(sh27s}W(J>Ck@iC=4VR@{R#&#! 
ztIo<1+eueYjqI#)O5bIVSc{Rtt98!G1D4X9jn_e*La+0q9ZvSFd(7tU9}z9Sg$@tk z0os71m_itkR$k{$M(GK-ssYy;+7#>yU_C4m!&(pu1|~bZwV-+5PEr~6$=TMTJi+>qf!LiX?7Um-S_jb!*q( zL@oo6Ww+^u$h~3V}d8X`_!HnWU=Xas8I*WCy`w?K%p+-G+^JmR2 zw~3QDcj0k>yEZyy>t%kKK9(f9K3}M3&}sWkCf?-`BbNatU><9~Jlx@7{BvNS2vX%H zp~E1z)2VMpOiZYL*W0el-19}q>UPC>WyvqruPc=k-@E~Q+)SL8=#`(mL}l_ZNP~E# zt#~DA54(rag=;O}0tVmp7q5lC-@X6A+1s}lal(mwxJ>&2SS}U3?x%CQ-!HYKatmD< zOOB>x>^qHOz}T6;legF^?dw`pYlvpG)pEi%w_VU#dMD&Kn$K0us;w<%xUlKj^zVJg zz8d^`{`ig~w`dkYZ1GaR#-bF>##`;-&@(q&(3+C4H)kx`A*tsSBvkS2w$n_>?lXLR z>`t6kjT)~gYTe5?NW(18#Jbbh&a6`{Gt;pdxWCsU?ubXpJui5Qo=U(BknDvM$d4;{}443WZCQ}zDgl( zyFY__zDTcquFUBPgTK4=xrsYrJLLOzn5Gmt4{X-gn*GScz{o#0mF|8?&wHco*U957 zBdAHw$5+4VNS%{#8#^fO+h7qb&0VBhwRBX`|5uP#ybrhG4a_VFwK zoLWK9hhLl421`ssE(SIKA_K;BDOFDwvw)?UVKj++^9&#)0pz!Z_5|ZAhoK0I2lw4q zPpas3&5j7QWd3Tr>}Wrg@wp{)(0NgBa{q^_x{S9gg^i>_Nkj?&IQke6hF7x=2YpG|LtMEe{^&Y*fC=zom~&Xb3ML|)Nse*K3%y) z8Oav=0raL9*B|GNrL^Z!J?LfPIB@9bZL_&n9G~Td=q9c7s&CCbmq{I^p6eaatJ;te z_jZNBSQTdUGQ3vFdsyEuy(?LIhndhKjm1pGCq-xn%i^9TP@LUeV4@~DNc-rI+YvKO zy}k8UTv&#(=S%pE0k7c0R!wNv_m=^AOU?iN792@JLn^(|NX%k&&|Yn=vbBI+MW?V_ zMzm{CVkI-8(S+*E=~E@nBfnu-zi7%H5Ou`SwZz*L@YMSJ`dSb6gkM?zR4-OM8Su@z zM2c8DD@E=-2LO<{F$_+7Gdfn29E%b+54SxyD%+03?3H-LSO8*id@Mhqw*mo~#WY>o(6X@q-(v>Yh zd=DOWK;d(kFUPtEC?OVe=AeH>v6>c=?Mw%#Yi{hDBZfktn~HYSy-@DLDqCW8+adUG zNp$jVYSIR*$HH{-ML16Cfe-$-Rt`&4eajQG($%+9zT)B5y7FsBxQq$UR>(E{K%<;Q zas4ckc?O7pzY(xk6rw39MMZn1%6}W1mU37XqpRdQb-S7AEZGJZeePRaa z0oUcnyaED_FexCHVeNz&CxqQ(;M$xk#}m`j3(gsZ-`7!V>#*BaiaTgYns=@i7xb*i z+vY}J#oXHoQ|A>jE8Th3?Yz@x(Pe_RL)C{vh!}MstYAQ0JweR%d^yE)548;T`<1{O z31$B?Fb|C?EN2_#bcTxk;r)TXH>iSv=`W{}$UQr=Tax_i@%d3(kxv_*Ij`7v=Y(yV z+?id{*XZCb5$d8Rd@b_y-1HCP7Z-PHj$(uIiWrxpr9~U0{v)!=l8rGN+`M3`r*^^{ z!Ivv3ArVIwRoP08frbSJ%TN{Em4i^CjvW?6M|16d}PE zJE>pYbc_zqM?a}wrWKX7cEh5N0)ny7=hn}qK8Vp{j_cWm^yg7PCIGX!(V-plaQ6_v zr@%SM%xdTgR|p?2W_d$d0jrO!tc7_vqbV*!nqAMJs{BgCvy3Kw*r3}WW<)0i9s{PO zG9TAS%8)wO;nG?7@ijDvhT#1zooTW>i{Ko>^XZk(#kf38>XV8iKvckk7v@N87tuBj 
zu2sJ&buQwQWRrY{`~f7)-JA2}58?J*c$el<6TuGCJ$sSG6!u-iF1F{d3M|kW_3lnB z5C&f${%MfiGogeYa9qA$LmkU&haD9zJ_j@C^WT_>QhJ!iFR%yMp~;6pN^L1VdL8sI zkZ5bk*b(*qxL*61w9B86&R!PUlbAB z0_q(bFKSz9F?N7a{g8dJZ+EftQY`Bh?wBt7@kxGL!=knRFFO+@>|~ zYryqLY$|LG+3XMs?O&jbeH0TH{NkC$+o#k9FlGw{g&l<_Xin8e)?#7Fh0q0s zf#CGc=~`B`4H|C7SXg;Ox0d*QM?K3n=M2R+Eg-ee+YV4deWa=R;6_>C)%%Zj*e1Wm ztA`Y>WPAG5W-V;g<9zm5wK_JlwaVPj+*GAOm(#&&^smx!rB zTNC>Lk1iA->Il&zs;}?+uoWOnId*KA zQ^w7=o2#VejC6wnb@~-&skCr`-IIvE{mtCZ~gHsE-}zrVjif7jDutCP(gpDe~57Y zS`c`_2kvzr?RRs?JbVI^It%C(;0c5C){#|BuX+F*3w}9W9UZDqhfN=m6U=!j_L`MBQ!@olMYxpAIt*g?)`SHFEGx2I!bf0mpbYV@ zOm^(D*U7J6gv?EDZN3m1Rj}`hp}BCQtQF=(D)9c!WXwUEVvvHbWS)Pas{6T;P z-JRvj)v-Op1Bpp#wb|u!2pi4YmEMs_y4x)o361LKE#_!1ii<@Ovt}12{>)|`E@rL; zeYnWJQ|S7XXdMnuBmn{xyogaPSwq1mN?Z^kA!x|iC5DecwF1LEKss`BDOIrJ*Sm$; zowhbNJyEWb3fjC#)aXB}FKm$Ms%#1tnQ=z8BN2aiHtiV#ASHJnQj5+ykmL5_A`|{v z+Z~6KLwSRK|B32+i4-Ak=&6+q%muk}>L9+aJ6Cf}ke(xDr;?d6@ybFfP3b zrgK$p+0{QIXHMk<-u}gJUTwBBBHWo>y&z@gX7=H;+Z( zbfS17;r23x#c)Jr=gObMTXRPT=%a1ObO6C2Br7!#LnAu*U~2qDv0rfh_jB?0Y+D*o zay<+F$AS`j0j4d0=Rs&Xytc}QMV)Jp4)<=l>XE_;uN&oQP`SN3M)~v>(yngfA4TtE?yngqXjnhpP{Zxu3 zpC7&iAz9D5>0L;$RPKY^&hn)5ym{HD|3e;n2` zaxO0VZG`uzG5a#uZa6_*0_&@0Lc;6UL|bx2_c?7pzuJQvUSj@thkpLtgz*HtE*BC_ zT^6y}iAq;)^Y{~&qFig?R=>%&Cv6I_ApvUGEe)5U;&)|bOv<2k(3FH`U}Y!=yd(BR zVA*lju+XT)dIIGG+l;HJ3{)6(%JWJ}8EwN&P?EsF$>?9zG+c|{1YI2+-^$~Iv>ufV zY2u!IkiLM`uqf@PGR@ST))fK5`uJ zHBWwPr)m1=J*dm;W~h9p%UybKh~fI8Kall+7c}lUIb!1CR$IxmlT2)E_eBz{v_J~k zmTvTicmFzTV<{ut?A>2@HEn89n=}1U2GP1L2%#ejyMTgN(&o0Sf?a7+x zF2!5qc+WLl`4e=r1sNI1QSex!L8$LBG32XB7MWq!7=p(4-6(G~$=Cvzg&VfEy#Tz$ zC-oLbQJU(h7AH9v={KROhDgx5Pi3u)f6tC3zG{ya*5^_Z84u-3v`c6A-^{mAx61ID zOM%1SnX2t>+^n>4n}j&@Nx^>o<%|A06%)=AE$l!m@?}%$myw~d8{WSQ`>9#)g!5^c z!Tl+z>E~2jRkMkv9hw!y=_QDyna`X#b!JIprTi~H*!Uw)QZDDa^4cB5PD$IR_>1r5 z1(%UBUd-NpmA<~-$emH%Twa(V)x#M>uSdJ?FQX5ap`5#IYPtvEGlI&>fp{14NSc4) zmix~;F|rE0QZl^dW1??m=^M@XBw+Nagjj7tn11!8n?j8BZ zB?IL}#AkMcM-=A3FC2$Q(9)I@sK`UZ)SEHnVIfPkCX~}q$q~CUZl!On-rM2#gK}RI 
zVVWp(C%Bwrj)@|fySb(vm84f@S7x~vxYqXrA{$n8-xEC`2Dr>`#&NrK`aGULPbor zxR$jg!i^0)bxE~H1`fZ0Ke0v^K^+~1q@f)|_C~1uXFOCuv<_2W+g$K@=w`KQ6KR!6 zGzmAKm^ge+YBfiSIj8tbpfRuKGx~TYY~*ucwcPZZMLC4kqOZRne2~RO(1;w1Kt>+h zVD#aX9WH!p4Y7p}FZS6P4&BLWqE8!Lu0ttO20kvS&Ck!S%dRf@__5+$U142q?Wl=( z8~U&m_#rqG5uCjStFArMA5r@aa z=Xnx7Pvps0)SGy&?E48IOO1;IPb>HJDfRvIWecbHfp#zwSbtR%eianhluz#lzV*3! zO;xoLBw`PTB|v@m&kb!Zu;8On;ctmaPQ@7+8HwB20FR4+(Vo-5K*8n=RaX~1UH+JgD1+zc&#S4a z0m!zEoe8AnB^3aBT=CS=fRXNw5G2dOVn|upV$wyB?^p+gju`k1fcT}fw3z``(>ya; zuG&dDHIICG0HdNH zzi(Lp2ak@OB<{A6;XfF%YI&`7Q60nT18~pR#Jc6x+Cdfs5Tg8wqtQ)>B^a{xeyAR*6ddoSy-2j^) z0}`HG8sR*o^q;+<%92B^gDJ7%;fE9TN*Vg^?{TC0#&11zrxK^4h@6c_!Ah<_r>-jlYhMZ)9D$D2mITsF<|i z=L?v*xWHa2Vzn{lH$g09=SIc%?qL=;zlS<8ty}=|=@t_QIbN}ei5jU_J_cWbHJWaQ zLMzQl8_gFhbzjT+c>9d5a`MYt6ZbJ<;WNotA_5h!MfVY79_6&&He{UYJJm>Y1;H^S zod)uWrP#IzB&uu8YQXI^2uMyT8ykZ+O1dzEw?}$UV3eyQjkvkT-GuqW!zB6o1Mhhx zr=uHz61(P@U+{r2F1i%BvGU4hPhljKDFJx26@Y(Xk|QUR&SdTcBp%H18z`*XA3cWN z6ISX^v6nb3T2Re~w?XW%3Y74UdY621Aq+GhuQ@#V3=hadw$S5L#HEtL1^!&;5=Ty#82iTh*N3BjRS#ak4h?8L5ciTgg$}1``jcwjV-K}_Qa`J{S-Zt*mCW#%2$ilF|LUmqyK?;|4_k*}Yqq#J-x{eD?%W6I`bdgLW1CNW_BRxWe*@NK(LT=8zdvWns&vsZS1l<8b`lp5m51|=2QF4vbS(sFXBs< z0*^4e7Dpd8e{~godW>W=`%X_sC&{uTrzhsqscA|)-TrZ{fS{I`s*+)2hJlSXyPz8X zVjFPOI{+&WFrdSQ8DKpcVr~6GO z$SEj5>c`Y9o;>$m{=Ve-5Y`i5u5fwoa?;ysK*@mu=4~Dnm0;UkXAwVDgr62YSVu1w5TPQP(CEOHNMb!tJP%bD-F_)b?>^kc4wq%XU0FWy^~$5xT)4FTdANlQcXt;TI+ zYQ_`d^J4mYd!OHvOpzUXL^dA_2|vFfLsEvO;9Z>&82{(S?3=n&hd5dIE?!(B8vW+y z=Y!Dfp5$h7#2+kdjfeEIw5A)puwyBSiJ=Knk)VgP2VWV;<%P-edMUuw(n+V*{U;_S z(2(`y$dOXeL=ZMEZOkbvEp=45nKf4nQ$gbF7^rxdv~-w^6nicY0OI`#5dQCU06P=? zl54$Irkvli5JRIDft(=9$6;x@bC13CmE);#j9mcq3UWHBvTi*Xi`{eW3tS3{isF&! 
zExngc`kH%Yf|mxTB}`a>r%o4p=H6OmVe#6Ina6e}v6mq|{fwet7itunCeGgg5ibwy zb%bpEoSpl-yiK?E-yMuaU~?(yy*q>yIM1BWYZ-n%tQCbR-&|h@rx;t2(T6gA_GV_B z1aQV3l8?76tYb}MIdjH(gLp;^>cG(6==vBd0fzo_T$P|_oc+jf-{-l?tbWj-2(a4)+ATJ zUP8@o&H3CL-rnvL)k}Hx=0_Hju8M1JhQ=iv2U#58NHAXE%n`5-w=T;VUNsP&5@Mtr z(1s;2S<9=gCcv$VGFcAZkuoQZCrE0|JqH_&3$hv}U<3H|zn3Mp%ndfMc7XHdvTxm6 zR56fS8kf31Hr25Akn#4n+a(j3`&f$rO~bUjJn%9!FgMt4lZzr%xKwQ&|jp$N%NYGm8ciKb7%!q41-~!^NY-!!-_1 z1sw9YR zSHN~RGW=~apl3M$S9Am|lq&qw0qv(gANoH+>HlN3@PCPR^p_c}FZ?Q+_W57EKmT_E z9PUu`yLaCp06dE7zqK^C;%^^ELSSXhU-q-fv9|Jc2P!# z2p<#eF2Vm8{zZJp;CVO>@DL5nI{rt*^(aZ$7Z^1I@LKt0F|6e%+&&jRiS;}%UI8ic zk?Shf{FE^n$;nmbSxxS@AsXsE-mxCNM@PD9YPZLkneTs0_>jZ4=hE5qyiCsT3N{go zGi&USUkmyrhi-PWhubwlt4Vc@Ela=zip}ckk9P&@%tg7>C629~4z|IywqBP*fcR+s z@#T4T0&|KsRHk|Ti=5otvS~L5B@W}Co_Z$w?xz!!4B+SRxv&s~k6oRe1nJ{}8qDgT z`-H3d{hdp%r+)vo`eFj|iD+3|^Ha9xq>n5#C@-dUo}mq~E|F7K=1y#%-GF&55Q``_ zN@ri+nqJ4?I|YNw30kwDMFTuV^f1kqobsxK#8q%5OOajls2O(&L)YicZPU0G&&&Sq z9B}#qG^{`OfnFRVD@iN$@s9#8rKUcw1#*zAZTCf@5faBpVy^zbzF1bpi~BNtCdtIy z6C}|XeZ+5**WYR@kwHt6DFWV3wfB%i$5{0n&YEueD)LUx%;dO7uT|5AT+8kSy<)^5 zDXXw*U}DLgk3z!2Ax=?Y&y-#4?fEjh!`|GMI2QGZ8ySFPIf^_uIIu1;5=olgMD8Bp zJZi^*EjANjF-LqciPlth0@nvlg3}ih)Zy*9#cqXz6XOb0R8+9mfGLnwU{qMZ+_Jw5 zN>VrQ@1LgRp{>##7Cs+Cq0wlt2?r0ip9@(UJ2%I&&21vsg*mR@UGb0}#~m?pE@f zH-$f)kVqsv0@z(rw5njj%Pem0vsSRJ{tf2KCWTAt&w6Dpw6en9!nSPKUkQBfHUkim zvLs}uy~^#&hFvO`H+{2v9lw}h3(3SbH2B#jqmjrkuj5mmmOahQ&G1d(dGf05nkC!6 xs3FWoO2R6qEKW&s?zt`b|HqfNpCQni?AwC*3!iB1RTB7hU0p}5=$d8Fe*tM;==}fy literal 0 HcmV?d00001 diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/parameters/mc-policyAssignmentManagementGroup.dine.parameters.all.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/parameters/mc-policyAssignmentManagementGroup.dine.parameters.all.json new file mode 100644 index 0000000..148103c --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/parameters/mc-policyAssignmentManagementGroup.dine.parameters.all.json 
@@ -0,0 +1,74 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "parPolicyAssignmentName": {
+ "value": "Deploy-ASCDF-Config"
+ },
+ "parPolicyAssignmentDisplayName": {
+ "value": "Deploy Microsoft Defender for Cloud configuration"
+ },
+ "parPolicyAssignmentDescription": {
+ "value": "Deploy Microsoft Defender for Cloud and Security Contacts"
+ },
+ "parPolicyAssignmentDefinitionId": {
+ "value": "/providers/Microsoft.Management/managementGroups/alz/providers/Microsoft.Authorization/policySetDefinitions/Deploy-ASCDF-Config"
+ },
+ "parPolicyAssignmentParameters": {
+ "value": {
+ "emailSecurityContact": {
+ "value": "security_contact@replace_me"
+ },
+ "logAnalytics": {
+ "value": "alz-log-analytics"
+ },
+ "ascExportResourceGroupName": {
+ "value": "alz-asc-export"
+ },
+ "ascExportResourceGroupLocation": {
+ "value": "${parDefaultRegion}"
+ },
+ "enableAscForServers": {
+ "value": "Disabled"
+ },
+ "enableAscForSql": {
+ "value": "Disabled"
+ }
+ }
+ },
+ "parPolicyAssignmentParameterOverrides": {
+ "value": {}
+ },
+ "parPolicyAssignmentNonComplianceMessages": {
+ "value": []
+ },
+ "parPolicyAssignmentNotScopes": {
+ "value": []
+ },
+ "parPolicyAssignmentEnforcementMode": {
+ "value": "Default"
+ },
+ "parPolicyAssignmentIdentityType": {
+ "value": "SystemAssigned"
+ },
+ "parPolicyAssignmentIdentityRoleAssignmentsAdditionalMgs": {
+ "value": [
+ "alz-platform"
+ ]
+ },
+ "parPolicyAssignmentIdentityRoleAssignmentsSubs": {
+ "value": []
+ },
+ "parPolicyAssignmentIdentityRoleAssignmentsResourceGroups": {
+ "value": []
+ },
+ "parPolicyAssignmentIdentityRoleDefinitionIds": {
+ "value": [
+ "8e3af657-a8ff-443c-a75c-2fe8c4bcb635"
+ ]
+ },
+ "parTelemetryOptOut": {
+ "value": false
+ }
+ }
+}
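Review bot: The `parPolicyAssignmentIdentityRoleDefinitionIds` value `8e3af657-a8ff-443c-a75c-2fe8c4bcb635` is the built-in Owner role, and with `parPolicyAssignmentIdentityType` set to `SystemAssigned` this sample grants it to the assignment's managed identity on the deployment management group and on `alz-platform`. The same value appears in `policyAssignmentManagementGroup.dine.parameters.all.json` later in this commit. In this file `enableAscForServers` and `enableAscForSql` are both `Disabled`, so the identity would hold Owner while those two settings deploy nothing. Unless the policy set's own `roleDefinitionIds` require Owner (they are not visible in this diff), the sample should list only the roles those definitions declare, and the module README should state why Owner is used if it stays.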
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/parameters/mc-policyAssignmentManagementGroup.dine.parameters.min.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/parameters/mc-policyAssignmentManagementGroup.dine.parameters.min.json
new file mode 100644
index 0000000..9a4f27e
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/parameters/mc-policyAssignmentManagementGroup.dine.parameters.min.json
@@ -0,0 +1,49 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "parPolicyAssignmentName": {
+ "value": "Deploy-ASCDF-Config"
+ },
+ "parPolicyAssignmentDisplayName": {
+ "value": "Deploy Microsoft Defender for Cloud configuration"
+ },
+ "parPolicyAssignmentDescription": {
+ "value": "Deploy Microsoft Defender for Cloud and Security Contacts"
+ },
+ "parPolicyAssignmentDefinitionId": {
+ "value": "/providers/Microsoft.Management/managementGroups/alz/providers/Microsoft.Authorization/policySetDefinitions/Deploy-ASCDF-Config"
+ },
+ "parPolicyAssignmentParameters": {
+ "value": {
+ "emailSecurityContact": {
+ "value": "security_contact@replace_me"
+ },
+ "logAnalytics": {
+ "value": "alz-log-analytics"
+ },
+ "ascExportResourceGroupName": {
+ "value": "alz-asc-export"
+ },
+ "ascExportResourceGroupLocation": {
+ "value": "${parDefaultRegion}"
+ },
+ "enableAscForServers": {
+ "value": "Disabled"
+ },
+ "enableAscForSql": {
+ "value": "Disabled"
+ }
+ }
+ },
+ "parPolicyAssignmentNonComplianceMessages": {
+ "value": []
+ },
+ "parPolicyAssignmentNotScopes": {
+ "value": []
+ },
+ "parTelemetryOptOut": {
+ "value": false
+ }
+ }
+}
\ No newline at end of file
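Review bot: `emailSecurityContact` is set to the placeholder `security_contact@replace_me`, and nothing visible in this commit stops the file from being deployed unchanged, in which case Defender for Cloud notifications would go to an address nobody reads. The same placeholder is in the other three `*.dine.parameters.*.json` files added by this commit. JSON cannot carry a comment, so the warning belongs in the module README, and the deployment pipeline should reject any parameter value that still contains `replace_me` before the template is submitted.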
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/parameters/policyAssignmentManagementGroup.deny.parameters.all.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/parameters/policyAssignmentManagementGroup.deny.parameters.all.json
new file mode 100644
index 0000000..a6dc700
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/parameters/policyAssignmentManagementGroup.deny.parameters.all.json
@@ -0,0 +1,51 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "parPolicyAssignmentName": {
+ "value": "Deny-PublicIP"
+ },
+ "parPolicyAssignmentDisplayName": {
+ "value": "Deny the creation of public IP"
+ },
+ "parPolicyAssignmentDescription": {
+ "value": "This policy denies creation of Public IPs under the assigned scope."
+ },
+ "parPolicyAssignmentDefinitionId": {
+ "value": "/providers/Microsoft.Management/managementGroups/alz/providers/Microsoft.Authorization/policyDefinitions/Deny-PublicIP"
+ },
+ "parPolicyAssignmentParameters": {
+ "value": {}
+ },
+ "parPolicyAssignmentParameterOverrides": {
+ "value": {}
+ },
+ "parPolicyAssignmentNonComplianceMessages": {
+ "value": []
+ },
+ "parPolicyAssignmentNotScopes": {
+ "value": []
+ },
+ "parPolicyAssignmentEnforcementMode": {
+ "value": "Default"
+ },
+ "parPolicyAssignmentIdentityType": {
+ "value": "None"
+ },
+ "parPolicyAssignmentIdentityRoleAssignmentsAdditionalMgs": {
+ "value": []
+ },
+ "parPolicyAssignmentIdentityRoleAssignmentsSubs": {
+ "value": []
+ },
+ "parPolicyAssignmentIdentityRoleAssignmentsResourceGroups": {
+ "value": []
+ },
+ "parPolicyAssignmentIdentityRoleDefinitionIds": {
+ "value": []
+ },
+ "parTelemetryOptOut": {
+ "value": false
+ }
+ }
+}
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/parameters/policyAssignmentManagementGroup.deny.parameters.min.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/parameters/policyAssignmentManagementGroup.deny.parameters.min.json
new file mode 100644
index 0000000..6025094
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/parameters/policyAssignmentManagementGroup.deny.parameters.min.json
@@ -0,0 +1,30 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "parPolicyAssignmentName": {
+ "value": "Deny-PublicIP"
+ },
+ "parPolicyAssignmentDisplayName": {
+ "value": "Deny the creation of public IP"
+ },
+ "parPolicyAssignmentDescription": {
+ "value": "This policy denies creation of Public IPs under the assigned scope."
+ },
+ "parPolicyAssignmentDefinitionId": {
+ "value": "/providers/Microsoft.Management/managementGroups/alz/providers/Microsoft.Authorization/policyDefinitions/Deny-PublicIP"
+ },
+ "parPolicyAssignmentParameters": {
+ "value": {}
+ },
+ "parPolicyAssignmentNonComplianceMessages": {
+ "value": []
+ },
+ "parPolicyAssignmentNotScopes": {
+ "value": []
+ },
+ "parTelemetryOptOut": {
+ "value": false
+ }
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/parameters/policyAssignmentManagementGroup.dine.parameters.all.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/parameters/policyAssignmentManagementGroup.dine.parameters.all.json
new file mode 100644
index 0000000..314325a
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/parameters/policyAssignmentManagementGroup.dine.parameters.all.json
@@ -0,0 +1,98 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "parPolicyAssignmentName": {
+ "value": "Deploy-MDFC-Config"
+ },
+ "parPolicyAssignmentDisplayName": {
+ "value": "Deploy Microsoft Defender for Cloud configuration"
+ },
+ "parPolicyAssignmentDescription": {
+ "value": "Deploy Microsoft Defender for Cloud configuration and Security Contacts"
+ },
+ "parPolicyAssignmentDefinitionId": {
+ "value": "/providers/Microsoft.Management/managementGroups/alz/providers/Microsoft.Authorization/policySetDefinitions/Deploy-MDFC-Config"
+ },
+ "parPolicyAssignmentParameters": {
+ "value": {
+ "emailSecurityContact": {
+ "value": "security_contact@replace_me"
+ },
+ "logAnalytics": {
+ "value": "alz-la"
+ },
+ "ascExportResourceGroupName": {
+ "value": "alz-asc-export"
+ },
+ "ascExportResourceGroupLocation": {
+ "value": "${parDefaultRegion}"
+ },
+ "enableAscForServers": {
+ "value": "DeployIfNotExists"
+ },
+ "enableAscForSql": {
+ "value": "Disabled"
+ },
+ "enableAscForAppServices": {
+ "value": "DeployIfNotExists"
+ },
+ "enableAscForStorage": {
+ "value": "DeployIfNotExists"
+ },
+ "enableAscForContainers": {
+ "value": "DeployIfNotExists"
+ },
+ "enableAscForKeyVault": {
+ "value": "DeployIfNotExists"
+ },
+ "enableAscForSqlOnVm": {
+ "value": "Disabled"
+ },
+ "enableAscForArm": {
+ "value": "DeployIfNotExists"
+ },
+ "enableAscForDns": {
+ "value": "DeployIfNotExists"
+ },
+ "enableAscForOssDb": {
+ "value": "Disabled"
+ }
+ }
+ },
+ "parPolicyAssignmentParameterOverrides": {
+ "value": {}
+ },
+ "parPolicyAssignmentNonComplianceMessages": {
+ "value": []
+ },
+ "parPolicyAssignmentNotScopes": {
+ "value": []
+ },
+ "parPolicyAssignmentEnforcementMode": {
+ "value": "Default"
+ },
+ "parPolicyAssignmentIdentityType": {
+ "value": "SystemAssigned"
+ },
+ "parPolicyAssignmentIdentityRoleAssignmentsAdditionalMgs": {
+ "value": [
+ "alz-platform"
+ ]
+ },
+ "parPolicyAssignmentIdentityRoleAssignmentsSubs": {
+ "value": []
+ },
+ "parPolicyAssignmentIdentityRoleAssignmentsResourceGroups": {
+ "value": []
+ },
+ "parPolicyAssignmentIdentityRoleDefinitionIds": {
+ "value": [
+ "8e3af657-a8ff-443c-a75c-2fe8c4bcb635"
+ ]
+ },
+ "parTelemetryOptOut": {
+ "value": false
+ }
+ }
+}
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/parameters/policyAssignmentManagementGroup.dine.parameters.min.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/parameters/policyAssignmentManagementGroup.dine.parameters.min.json
new file mode 100644
index 0000000..fc8572a
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/parameters/policyAssignmentManagementGroup.dine.parameters.min.json
@@ -0,0 +1,73 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "parPolicyAssignmentName": {
+ "value": "Deploy-MDFC-Config"
+ },
+ "parPolicyAssignmentDisplayName": {
+ "value": "Deploy Microsoft Defender for Cloud configuration"
+ },
+ "parPolicyAssignmentDescription": {
+ "value": "Deploy Microsoft Defender for Cloud configuration and Security Contacts"
+ },
+ "parPolicyAssignmentDefinitionId": {
+ "value": "/providers/Microsoft.Management/managementGroups/alz/providers/Microsoft.Authorization/policySetDefinitions/Deploy-MDFC-Config"
+ },
+ "parPolicyAssignmentParameters": {
+ "value": {
+ "emailSecurityContact": {
+ "value": "security_contact@replace_me"
+ },
+ "logAnalytics": {
+ "value": "alz-la"
+ },
+ "ascExportResourceGroupName": {
+ "value": "alz-asc-export"
+ },
+ "ascExportResourceGroupLocation": {
+ "value": "${parDefaultRegion}"
+ },
+ "enableAscForServers": {
+ "value": "DeployIfNotExists"
+ },
+ "enableAscForSql": {
+ "value": "Disabled"
+ },
+ "enableAscForAppServices": {
+ "value": "DeployIfNotExists"
+ },
+ "enableAscForStorage": {
+ "value": "DeployIfNotExists"
+ },
+ "enableAscForContainers": {
+ "value": "DeployIfNotExists"
+ },
+ "enableAscForKeyVault": {
+ "value": "DeployIfNotExists"
+ },
+ "enableAscForSqlOnVm": {
+ "value": "Disabled"
+ },
+ "enableAscForArm": {
+ "value": "DeployIfNotExists"
+ },
+ "enableAscForDns": {
+ "value": "DeployIfNotExists"
+ },
+ "enableAscForOssDb": {
+ "value": "Disabled"
+ }
+ }
+ },
+ "parPolicyAssignmentNonComplianceMessages": {
+ "value": []
+ },
+ "parPolicyAssignmentNotScopes": {
+ "value": []
+ },
+ "parTelemetryOptOut": {
+ "value": false
+ }
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/policyAssignmentManagementGroup.bicep b/dependencies/infra-as-code/bicep/modules/policy/assignments/policyAssignmentManagementGroup.bicep
new file mode 100644
index 0000000..c91359a
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/policyAssignmentManagementGroup.bicep
@@ -0,0 +1,137 @@ +targetScope = 'managementGroup' + +metadata name = 'ALZ Bicep - Management Group Policy Assignments' +metadata description = 'Module used to assign policy definitions to management groups' + +@minLength(1) +@maxLength(24) +@sys.description('The name of the policy assignment. e.g. "Deny-Public-IP"') +param parPolicyAssignmentName string + +@sys.description('The display name of the policy assignment. e.g. "Deny the creation of Public IPs"') +param parPolicyAssignmentDisplayName string + +@sys.description('The description of the policy assignment. e.g. "This policy denies creation of Public IPs under the assigned scope."') +param parPolicyAssignmentDescription string + +@sys.description('The policy definition ID for the policy to be assigned. e.g. "/providers/Microsoft.Authorization/policyDefinitions/9d0a794f-1444-4c96-9534-e35fc8c39c91" or "/providers/Microsoft.Management/managementgroups/alz/providers/Microsoft.Authorization/policyDefinitions/Deny-Public-IP"') +param parPolicyAssignmentDefinitionId string + +@sys.description('An object containing the parameter values for the policy to be assigned.') +param parPolicyAssignmentParameters object = {} + +@sys.description('An object containing parameter values that override those provided to parPolicyAssignmentParameters, usually via a JSON file and loadJsonContent(FILE_PATH). This is only useful when wanting to take values from a source like a JSON file for the majority of the parameters but override specific parameter inputs from other sources or hardcoded. If duplicate parameters exist between parPolicyAssignmentParameters & parPolicyAssignmentParameterOverrides, inputs provided to parPolicyAssignmentParameterOverrides will win.') +param parPolicyAssignmentParameterOverrides object = {} + +@sys.description('An array containing object/s for the non-compliance messages for the policy to be assigned. 
See https://docs.microsoft.com/en-us/azure/governance/policy/concepts/assignment-structure#non-compliance-messages for more details on use.') +param parPolicyAssignmentNonComplianceMessages array = [] + +@sys.description('An array containing a list of scope Resource IDs to be excluded for the policy assignment. e.g. [\'/providers/Microsoft.Management/managementgroups/alz\', \'/providers/Microsoft.Management/managementgroups/alz-sandbox\' ].') +param parPolicyAssignmentNotScopes array = [] + +@allowed([ + 'Default' + 'DoNotEnforce' +]) +@sys.description('The enforcement mode for the policy assignment. See https://aka.ms/EnforcementMode for more details on use.') +param parPolicyAssignmentEnforcementMode string = 'Default' + +@sys.description('An array containing a list of objects containing the required overrides to be set on the assignment. See https://learn.microsoft.com/azure/governance/policy/concepts/assignment-structure#overrides-preview for more details on use.') +param parPolicyAssignmentOverrides array = [] + +@sys.description('An array containing a list of objects containing the required resource selectors to be set on the assignment. See https://learn.microsoft.com/azure/governance/policy/concepts/assignment-structure#resource-selectors-preview for more details on use.') +param parPolicyAssignmentResourceSelectors array = [] + +@allowed([ + 'None' + 'SystemAssigned' +]) +@sys.description('The type of identity to be created and associated with the policy assignment. Only required for Modify and DeployIfNotExists policy effects.') +param parPolicyAssignmentIdentityType string = 'None' + +@sys.description('An array containing a list of additional Management Group IDs (as the Management Group deployed to is included automatically) that the System-assigned Managed Identity, associated to the policy assignment, will be assigned to additionally. e.g. 
[\'alz\', \'alz-sandbox\' ].') +param parPolicyAssignmentIdentityRoleAssignmentsAdditionalMgs array = [] + +@sys.description('An array containing a list of Subscription IDs that the System-assigned Managed Identity associated to the policy assignment will be assigned to in addition to the Management Group the policy is deployed/assigned to. e.g. [\'8200b669-cbc6-4e6c-b6d8-f4797f924074\', \'7d58dc5d-93dc-43cd-94fc-57da2e74af0d\' ].') +param parPolicyAssignmentIdentityRoleAssignmentsSubs array = [] + +@sys.description('An array containing a list of Subscription IDs and Resource Group names seperated by a / (subscription ID/resource group name) that the System-assigned Managed Identity associated to the policy assignment will be assigned to in addition to the Management Group the policy is deployed/assigned to. e.g. [\'8200b669-cbc6-4e6c-b6d8-f4797f924074/rg01\', \'7d58dc5d-93dc-43cd-94fc-57da2e74af0d/rg02\' ].') +param parPolicyAssignmentIdentityRoleAssignmentsResourceGroups array = [] + +@sys.description('An array containing a list of RBAC role definition IDs to be assigned to the Managed Identity that is created and associated with the policy assignment. Only required for Modify and DeployIfNotExists policy effects. e.g. [\'/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\'].') +param parPolicyAssignmentIdentityRoleDefinitionIds array = [] + +@sys.description('Set Parameter to true to Opt-out of deployment telemetry') +param parTelemetryOptOut bool = false + +var varPolicyAssignmentParametersMerged = union(parPolicyAssignmentParameters, parPolicyAssignmentParameterOverrides) + +var varPolicyIdentity = parPolicyAssignmentIdentityType == 'SystemAssigned' ? 'SystemAssigned' : 'None' + +var varPolicyAssignmentIdentityRoleAssignmentsMgsConverged = parPolicyAssignmentIdentityType == 'SystemAssigned' ? 
union(parPolicyAssignmentIdentityRoleAssignmentsAdditionalMgs, (array(managementGroup().name))) : [] + +// Customer Usage Attribution Id +var varCuaid = '78001e36-9738-429c-a343-45cc84e8a527' + +resource resPolicyAssignment 'Microsoft.Authorization/policyAssignments@2022-06-01' = { + name: parPolicyAssignmentName + properties: { + displayName: parPolicyAssignmentDisplayName + description: parPolicyAssignmentDescription + policyDefinitionId: parPolicyAssignmentDefinitionId + parameters: varPolicyAssignmentParametersMerged + nonComplianceMessages: parPolicyAssignmentNonComplianceMessages + notScopes: parPolicyAssignmentNotScopes + enforcementMode: parPolicyAssignmentEnforcementMode + overrides: parPolicyAssignmentOverrides + resourceSelectors: parPolicyAssignmentResourceSelectors + } + identity: { + type: varPolicyIdentity + } + #disable-next-line no-loc-expr-outside-params //Policies resources are not deployed to a region, like other resources, but the metadata is stored in a region hence requiring this to keep input parameters reduced. See https://github.com/Azure/ALZ-Bicep/wiki/FAQ#why-are-some-linter-rules-disabled-via-the-disable-next-line-bicep-function for more information + location: deployment().location +} + +// Handle Managed Identity RBAC Assignments to Management Group scopes based on parameter inputs, if they are not empty and a policy assignment with an identity is required. 
+module modPolicyIdentityRoleAssignmentMgsMany '../../roleAssignments/roleAssignmentManagementGroupMany.bicep' = [for roles in parPolicyAssignmentIdentityRoleDefinitionIds: if ((varPolicyIdentity == 'SystemAssigned') && !empty(parPolicyAssignmentIdentityRoleDefinitionIds)) { + name: 'rbac-assign-mg-policy-${parPolicyAssignmentName}-${uniqueString(parPolicyAssignmentName, roles)}' + params: { + parManagementGroupIds: varPolicyAssignmentIdentityRoleAssignmentsMgsConverged + parAssigneeObjectId: resPolicyAssignment.identity.principalId + parAssigneePrincipalType: 'ServicePrincipal' + parRoleDefinitionId: roles + parTelemetryOptOut: parTelemetryOptOut + } +}] + +// Handle Managed Identity RBAC Assignments to Subscription scopes based on parameter inputs, if they are not empty and a policy assignment with an identity is required. +module modPolicyIdentityRoleAssignmentSubsMany '../../roleAssignments/roleAssignmentSubscriptionMany.bicep' = [for roles in parPolicyAssignmentIdentityRoleDefinitionIds: if ((varPolicyIdentity == 'SystemAssigned') && !empty(parPolicyAssignmentIdentityRoleDefinitionIds) && !empty(parPolicyAssignmentIdentityRoleAssignmentsSubs)) { + name: 'rbac-assign-sub-policy-${parPolicyAssignmentName}-${uniqueString(parPolicyAssignmentName, roles)}' + params: { + parSubscriptionIds: parPolicyAssignmentIdentityRoleAssignmentsSubs + parAssigneeObjectId: resPolicyAssignment.identity.principalId + parAssigneePrincipalType: 'ServicePrincipal' + parRoleDefinitionId: roles + parTelemetryOptOut: parTelemetryOptOut + } +}] + +// Handle Managed Identity RBAC Assignments to Resource Group scopes based on parameter inputs, if they are not empty and a policy assignment with an identity is required. 
+module modPolicyIdentityRoleAssignmentResourceGroupMany '../../roleAssignments/roleAssignmentResourceGroupMany.bicep' = [for roles in parPolicyAssignmentIdentityRoleDefinitionIds: if ((varPolicyIdentity == 'SystemAssigned') && !empty(parPolicyAssignmentIdentityRoleDefinitionIds) && !empty(parPolicyAssignmentIdentityRoleAssignmentsResourceGroups)) { + name: 'rbac-assign-rg-policy-${parPolicyAssignmentName}-${uniqueString(parPolicyAssignmentName, roles)}' + params: { + parResourceGroupIds: parPolicyAssignmentIdentityRoleAssignmentsResourceGroups + parAssigneeObjectId: resPolicyAssignment.identity.principalId + parAssigneePrincipalType: 'ServicePrincipal' + parRoleDefinitionId: roles + parTelemetryOptOut: parTelemetryOptOut + } +}] + +// Optional Deployment for Customer Usage Attribution +module modCustomerUsageAttribution '../../../CRML/customerUsageAttribution/cuaIdManagementGroup.bicep' = if (!parTelemetryOptOut) { + #disable-next-line no-loc-expr-outside-params //Only to ensure telemetry data is stored in same location as deployment. See https://github.com/Azure/ALZ-Bicep/wiki/FAQ#why-are-some-linter-rules-disabled-via-the-disable-next-line-bicep-function for more information + name: 'pid-${varCuaid}-${uniqueString(deployment().location, parPolicyAssignmentName)}' + params: {} +} diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/README.md b/dependencies/infra-as-code/bicep/modules/policy/definitions/README.md new file mode 100644 index 0000000..9c5dc0d --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/README.md 
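Review bot: Each of the three `for roles in parPolicyAssignmentIdentityRoleDefinitionIds` module loops assigns every listed role at every listed scope, so a single broad role ID ends up on the deployment management group, all additional management groups, all subscriptions and all resource groups passed in, with no way to pair one role with one scope. The description of `parPolicyAssignmentIdentityRoleDefinitionIds` does not say this; I would add `Every role listed is assigned at every scope supplied in the parPolicyAssignmentIdentityRoleAssignments* parameters, so list only the roles the policy's own roleDefinitionIds require.` That description's example uses a full `/providers/Microsoft.Authorization/roleDefinitions/...` path while the sample parameter files in this commit pass a bare GUID; which form the `roleAssignment*Many.bicep` modules expect is not visible here, so the example should be aligned with what they accept. The `!empty(parPolicyAssignmentIdentityRoleDefinitionIds)` test in each loop condition is redundant, because the loop body never runs for an empty array.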
@@ -0,0 +1,101 @@ +# Module: Custom Policy Definitions + +This module deploys the custom Azure Policy Definitions & Initiatives supplied by the Azure Landing Zones conceptual architecture and reference implementation defined [here](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/architecture) to the specified Management Group. + +For a list of the custom policy definitions that are deployed, please see the below links: + +- [Policies included in Enterprise-Scale Landing Zones reference implementations](https://github.com/Azure/Enterprise-Scale/blob/main/docs/ESLZ-Policies.md) +- [Enterprise Scale - What's New?](https://github.com/Azure/Enterprise-Scale/wiki/Whats-new) + +If you wish to add your own additional custom Azure Policy Definitions please review [How Does ALZ-Bicep Implement Azure Policies?](https://github.com/Azure/ALZ-Bicep/wiki/PolicyDeepDive) and more specifically [Assigning Azure Policies](https://github.com/Azure/ALZ-Bicep/wiki/AssigningPolicies) + +> Once you have deployed this module to add all of the custom ALZ Azure Policy Definitions & Initiatives you will need to assign the modules to the relevant Management Groups as per your requirements using the [Policy Assignments module](../assignments/README.md).

+> If you want to make all of the default Azure Policy Assignments that we recommend in the Azure Landing Zones conceptual architecture and reference implementation you can use the [ALZ Default Policy Assignments module](../assignments/alzDefaults/README.md) to do this for you👍 + +## Parameters + +- [Parameters for Azure Commercial Cloud](generateddocs/customPolicyDefinitions.bicep.md) +- [Parameters for Azure China Cloud](generateddocs/mc-customPolicyDefinitions.bicep.md) + +## Outputs + +The module does not generate any outputs. + +## Deployment + +There are two different sets of deployment; one for deploying to Azure global regions, and another for deploying specifically to Azure China regions. This is due to minor difference in services which are available in Azure global and in Azure China, but the feature parity gap is narrowing. As a result, there are no policy definitions for services which are not available in Azure China. Some policy definitions are not built-in in Azure China, hence those policies are defined as custom policy definitions. More details are available [here](https://github.com/Azure/Enterprise-Scale/pull/802). + + | Azure Cloud | Bicep template | Input parameters file | + | -------------- | ---------------------------------- | ------------------------------------------------- | + | Global regions | customPolicyDefinitions.bicep | parameters/customPolicyDefinitions.parameters.all.json | + | China regions | mc-customPolicyDefinitions.bicep | parameters/customPolicyDefinitions.parameters.all.json | + +In this example, the custom policy definitions and policy set definitions will be deployed to the `alz` management group (the intermediate root management group). + +The input parameter file `parameters/customPolicyDefinitions.parameters.all.json` defines the target management group to which the custom policy definitions will be deployed to. In this case, it will be the same management group (i.e. 
`alz`) as the one specified for the deployment operation. There is no change in the input parameter file for different Azure clouds because there is no change to the intermediate root management group. + +> For the examples below we assume you have downloaded or cloned the Git repo as-is and are in the root of the repository as your selected directory in your terminal of choice. +> If the deployment provisioning state has failed due to policy definitions could not be found, this is often due to a known replication delay. Please re-run the deployment step below, and the deployment should succeed. + +### Azure CLI + +```bash +# For Azure global regions + +dateYMD=$(date +%Y%m%dT%H%M%S%NZ) +NAME="alz-PolicyDefsDefaults-${dateYMD}" +LOCATION="eastus" +MGID="alz" +TEMPLATEFILE="infra-as-code/bicep/modules/policy/definitions/customPolicyDefinitions.bicep" +PARAMETERS="@infra-as-code/bicep/modules/policy/definitions/parameters/customPolicyDefinitions.parameters.all.json" + +az deployment mg create --name ${NAME:0:63} --location $LOCATION --management-group-id $MGID --template-file $TEMPLATEFILE --parameters $PARAMETERS +``` +OR +```bash +# For Azure China regions + +dateYMD=$(date +%Y%m%dT%H%M%S%NZ) +NAME="alz-PolicyDefsDefaults-${dateYMD}" +LOCATION="chinaeast2" +MGID="alz" +TEMPLATEFILE="infra-as-code/bicep/modules/policy/definitions/mc-customPolicyDefinitions.bicep" +PARAMETERS="@infra-as-code/bicep/modules/policy/definitions/parameters/customPolicyDefinitions.parameters.all.json" + +az deployment mg create --name ${NAME:0:63} --location $LOCATION --management-group-id $MGID --template-file $TEMPLATEFILE --parameters $PARAMETERS +``` + +### PowerShell + +```powershell +# For Azure global regions + +$inputObject = @{ + DeploymentName = 'alz-PolicyDefsDeployment-{0}' -f (-join (Get-Date -Format 'yyyyMMddTHHMMssffffZ')[0..63]) + Location = 'eastus' + ManagementGroupId = 'alz' + TemplateFile = "infra-as-code/bicep/modules/policy/definitions/customPolicyDefinitions.bicep" + 
TemplateParameterFile = 'infra-as-code/bicep/modules/policy/definitions/parameters/customPolicyDefinitions.parameters.all.json' +} + +New-AzManagementGroupDeployment @inputObject +``` +OR +```powershell +# For Azure China regions + +$inputObject = @{ + DeploymentName = 'alz-PolicyDefsDeployment-{0}' -f (-join (Get-Date -Format 'yyyyMMddTHHMMssffffZ')[0..63]) + Location = 'chinaeast2' + ManagementGroupId = 'alz' + TemplateFile = "infra-as-code/bicep/modules/policy/definitions/mc-customPolicyDefinitions.bicep" + TemplateParameterFile = 'infra-as-code/bicep/modules/policy/definitions/parameters/customPolicyDefinitions.parameters.all.json' +} +New-AzManagementGroupDeployment @inputObject +``` + +![Example Deployment Output](media/exampleDeploymentOutput.png "Example Deployment Output") + +## Bicep Visualizer + +![Bicep Visualizer](media/bicepVisualizer.png "Bicep Visualizer") diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/customPolicyDefinitions.bicep b/dependencies/infra-as-code/bicep/modules/policy/definitions/customPolicyDefinitions.bicep new file mode 100644 index 0000000..038513e --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/customPolicyDefinitions.bicep 
@@ -0,0 +1,1954 @@
+targetScope = 'managementGroup'
+
+metadata name = 'ALZ Bicep - Custom Policy Defitions at Management Group Scope'
+metadata description = 'This policy definition is used to deploy custom policy definitions at management group scope'
+
+@sys.description('The management group scope to which the policy definitions are to be created at.')
+param parTargetManagementGroupId string = 'alz'
+
+@sys.description('Set Parameter to true to Opt-out of deployment telemetry')
+param parTelemetryOptOut bool = false
+
+var varTargetManagementGroupResourceId = tenantResourceId('Microsoft.Management/managementGroups', parTargetManagementGroupId)
+
+// This variable contains a number of objects that load in the custom Azure Policy Defintions that are provided as part of the ESLZ/ALZ reference implementation - this is automatically created in the file 'infra-as-code\bicep\modules\policy\lib\policy_definitions\_policyDefinitionsBicepInput.txt' via a GitHub action, that runs on a daily schedule, and is then manually copied into this variable.
+var varCustomPolicyDefinitionsArray = [ + { + name: 'Append-AppService-httpsonly' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Append-AppService-httpsonly.json') + } + { + name: 'Append-AppService-latestTLS' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Append-AppService-latestTLS.json') + } + { + name: 'Append-KV-SoftDelete' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Append-KV-SoftDelete.json') + } + { + name: 'Append-Redis-disableNonSslPort' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Append-Redis-disableNonSslPort.json') + } + { + name: 'Append-Redis-sslEnforcement' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Append-Redis-sslEnforcement.json') + } + { + name: 'Audit-AzureHybridBenefit' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Audit-AzureHybridBenefit.json') + } + { + name: 'Audit-Disks-UnusedResourcesCostOptimization' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Audit-Disks-UnusedResourcesCostOptimization.json') + } + { + name: 'Audit-MachineLearning-PrivateEndpointId' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Audit-MachineLearning-PrivateEndpointId.json') + } + { + name: 'Audit-PrivateLinkDnsZones' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Audit-PrivateLinkDnsZones.json') + } + { + name: 'Audit-PublicIpAddresses-UnusedResourcesCostOptimization' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Audit-PublicIpAddresses-UnusedResourcesCostOptimization.json') + } + { + name: 'Audit-ServerFarms-UnusedResourcesCostOptimization' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Audit-ServerFarms-UnusedResourcesCostOptimization.json') + } + { + name: 'Deny-AA-child-resources' + libDefinition: 
loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-AA-child-resources.json') + } + { + name: 'Deny-AppGW-Without-WAF' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-AppGW-Without-WAF.json') + } + { + name: 'Deny-AppServiceApiApp-http' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-AppServiceApiApp-http.json') + } + { + name: 'Deny-AppServiceFunctionApp-http' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-AppServiceFunctionApp-http.json') + } + { + name: 'Deny-AppServiceWebApp-http' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-AppServiceWebApp-http.json') + } + { + name: 'Deny-Databricks-NoPublicIp' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-Databricks-NoPublicIp.json') + } + { + name: 'Deny-Databricks-Sku' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-Databricks-Sku.json') + } + { + name: 'Deny-Databricks-VirtualNetwork' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-Databricks-VirtualNetwork.json') + } + { + name: 'Deny-FileServices-InsecureAuth' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-FileServices-InsecureAuth.json') + } + { + name: 'Deny-FileServices-InsecureKerberos' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-FileServices-InsecureKerberos.json') + } + { + name: 'Deny-FileServices-InsecureSmbChannel' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-FileServices-InsecureSmbChannel.json') + } + { + name: 'Deny-FileServices-InsecureSmbVersions' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-FileServices-InsecureSmbVersions.json') + } + { + name: 'Deny-MachineLearning-Aks' + libDefinition: 
loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-MachineLearning-Aks.json') + } + { + name: 'Deny-MachineLearning-Compute-SubnetId' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-MachineLearning-Compute-SubnetId.json') + } + { + name: 'Deny-MachineLearning-Compute-VmSize' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-MachineLearning-Compute-VmSize.json') + } + { + name: 'Deny-MachineLearning-ComputeCluster-RemoteLoginPortPublicAccess' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-MachineLearning-ComputeCluster-RemoteLoginPortPublicAccess.json') + } + { + name: 'Deny-MachineLearning-ComputeCluster-Scale' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-MachineLearning-ComputeCluster-Scale.json') + } + { + name: 'Deny-MachineLearning-HbiWorkspace' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-MachineLearning-HbiWorkspace.json') + } + { + name: 'Deny-MachineLearning-PublicAccessWhenBehindVnet' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-MachineLearning-PublicAccessWhenBehindVnet.json') + } + { + name: 'Deny-MachineLearning-PublicNetworkAccess' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-MachineLearning-PublicNetworkAccess.json') + } + { + name: 'Deny-MgmtPorts-From-Internet' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-MgmtPorts-From-Internet.json') + } + { + name: 'Deny-MySql-http' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-MySql-http.json') + } + { + name: 'Deny-PostgreSql-http' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-PostgreSql-http.json') + } + { + name: 'Deny-Private-DNS-Zones' + libDefinition: 
loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-Private-DNS-Zones.json') + } + { + name: 'Deny-PublicEndpoint-MariaDB' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-PublicEndpoint-MariaDB.json') + } + { + name: 'Deny-PublicIP' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-PublicIP.json') + } + { + name: 'Deny-RDP-From-Internet' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-RDP-From-Internet.json') + } + { + name: 'Deny-Redis-http' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-Redis-http.json') + } + { + name: 'Deny-Sql-minTLS' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-Sql-minTLS.json') + } + { + name: 'Deny-SqlMi-minTLS' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-SqlMi-minTLS.json') + } + { + name: 'Deny-Storage-minTLS' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-Storage-minTLS.json') + } + { + name: 'Deny-Storage-SFTP' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-Storage-SFTP.json') + } + { + name: 'Deny-StorageAccount-CustomDomain' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-StorageAccount-CustomDomain.json') + } + { + name: 'Deny-Subnet-Without-Nsg' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-Subnet-Without-Nsg.json') + } + { + name: 'Deny-Subnet-Without-Penp' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-Subnet-Without-Penp.json') + } + { + name: 'Deny-Subnet-Without-Udr' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-Subnet-Without-Udr.json') + } + { + name: 'Deny-UDR-With-Specific-NextHop' + libDefinition: 
loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-UDR-With-Specific-NextHop.json') + } + { + name: 'Deny-VNET-Peer-Cross-Sub' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-VNET-Peer-Cross-Sub.json') + } + { + name: 'Deny-VNET-Peering-To-Non-Approved-VNETs' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-VNET-Peering-To-Non-Approved-VNETs.json') + } + { + name: 'Deny-VNet-Peering' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-VNet-Peering.json') + } + { + name: 'Deploy-ASC-SecurityContacts' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-ASC-SecurityContacts.json') + } + { + name: 'Deploy-Budget' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Budget.json') + } + { + name: 'Deploy-Custom-Route-Table' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Custom-Route-Table.json') + } + { + name: 'Deploy-DDoSProtection' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-DDoSProtection.json') + } + { + name: 'Deploy-Diagnostics-AA' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-AA.json') + } + { + name: 'Deploy-Diagnostics-ACI' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-ACI.json') + } + { + name: 'Deploy-Diagnostics-ACR' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-ACR.json') + } + { + name: 'Deploy-Diagnostics-AnalysisService' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-AnalysisService.json') + } + { + name: 'Deploy-Diagnostics-ApiForFHIR' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-ApiForFHIR.json') + } + { + name: 'Deploy-Diagnostics-APIMgmt' + 
libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-APIMgmt.json') + } + { + name: 'Deploy-Diagnostics-ApplicationGateway' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-ApplicationGateway.json') + } + { + name: 'Deploy-Diagnostics-AVDScalingPlans' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-AVDScalingPlans.json') + } + { + name: 'Deploy-Diagnostics-Bastion' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-Bastion.json') + } + { + name: 'Deploy-Diagnostics-CDNEndpoints' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-CDNEndpoints.json') + } + { + name: 'Deploy-Diagnostics-CognitiveServices' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-CognitiveServices.json') + } + { + name: 'Deploy-Diagnostics-CosmosDB' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-CosmosDB.json') + } + { + name: 'Deploy-Diagnostics-Databricks' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-Databricks.json') + } + { + name: 'Deploy-Diagnostics-DataExplorerCluster' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-DataExplorerCluster.json') + } + { + name: 'Deploy-Diagnostics-DataFactory' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-DataFactory.json') + } + { + name: 'Deploy-Diagnostics-DLAnalytics' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-DLAnalytics.json') + } + { + name: 'Deploy-Diagnostics-EventGridSub' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-EventGridSub.json') + } + { + name: 
'Deploy-Diagnostics-EventGridSystemTopic' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-EventGridSystemTopic.json') + } + { + name: 'Deploy-Diagnostics-EventGridTopic' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-EventGridTopic.json') + } + { + name: 'Deploy-Diagnostics-ExpressRoute' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-ExpressRoute.json') + } + { + name: 'Deploy-Diagnostics-Firewall' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-Firewall.json') + } + { + name: 'Deploy-Diagnostics-FrontDoor' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-FrontDoor.json') + } + { + name: 'Deploy-Diagnostics-Function' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-Function.json') + } + { + name: 'Deploy-Diagnostics-HDInsight' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-HDInsight.json') + } + { + name: 'Deploy-Diagnostics-iotHub' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-iotHub.json') + } + { + name: 'Deploy-Diagnostics-LoadBalancer' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-LoadBalancer.json') + } + { + name: 'Deploy-Diagnostics-LogAnalytics' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-LogAnalytics.json') + } + { + name: 'Deploy-Diagnostics-LogicAppsISE' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-LogicAppsISE.json') + } + { + name: 'Deploy-Diagnostics-MariaDB' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-MariaDB.json') + } + { + name: 
'Deploy-Diagnostics-MediaService' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-MediaService.json') + } + { + name: 'Deploy-Diagnostics-MlWorkspace' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-MlWorkspace.json') + } + { + name: 'Deploy-Diagnostics-MySQL' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-MySQL.json') + } + { + name: 'Deploy-Diagnostics-NetworkSecurityGroups' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-NetworkSecurityGroups.json') + } + { + name: 'Deploy-Diagnostics-NIC' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-NIC.json') + } + { + name: 'Deploy-Diagnostics-PostgreSQL' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-PostgreSQL.json') + } + { + name: 'Deploy-Diagnostics-PowerBIEmbedded' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-PowerBIEmbedded.json') + } + { + name: 'Deploy-Diagnostics-RedisCache' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-RedisCache.json') + } + { + name: 'Deploy-Diagnostics-Relay' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-Relay.json') + } + { + name: 'Deploy-Diagnostics-SignalR' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-SignalR.json') + } + { + name: 'Deploy-Diagnostics-SQLElasticPools' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-SQLElasticPools.json') + } + { + name: 'Deploy-Diagnostics-SQLMI' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-SQLMI.json') + } + { + name: 'Deploy-Diagnostics-TimeSeriesInsights' + 
libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-TimeSeriesInsights.json') + } + { + name: 'Deploy-Diagnostics-TrafficManager' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-TrafficManager.json') + } + { + name: 'Deploy-Diagnostics-VirtualNetwork' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-VirtualNetwork.json') + } + { + name: 'Deploy-Diagnostics-VM' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-VM.json') + } + { + name: 'Deploy-Diagnostics-VMSS' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-VMSS.json') + } + { + name: 'Deploy-Diagnostics-VNetGW' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-VNetGW.json') + } + { + name: 'Deploy-Diagnostics-VWanS2SVPNGW' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-VWanS2SVPNGW.json') + } + { + name: 'Deploy-Diagnostics-WebServerFarm' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-WebServerFarm.json') + } + { + name: 'Deploy-Diagnostics-Website' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-Website.json') + } + { + name: 'Deploy-Diagnostics-WVDAppGroup' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-WVDAppGroup.json') + } + { + name: 'Deploy-Diagnostics-WVDHostPools' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-WVDHostPools.json') + } + { + name: 'Deploy-Diagnostics-WVDWorkspace' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-WVDWorkspace.json') + } + { + name: 'Deploy-FirewallPolicy' + libDefinition: 
loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-FirewallPolicy.json') + } + { + name: 'Deploy-MySQL-sslEnforcement' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-MySQL-sslEnforcement.json') + } + { + name: 'Deploy-Nsg-FlowLogs-to-LA' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Nsg-FlowLogs-to-LA.json') + } + { + name: 'Deploy-Nsg-FlowLogs' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Nsg-FlowLogs.json') + } + { + name: 'Deploy-PostgreSQL-sslEnforcement' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-PostgreSQL-sslEnforcement.json') + } + { + name: 'Deploy-Sql-AuditingSettings' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Sql-AuditingSettings.json') + } + { + name: 'Deploy-SQL-minTLS' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-SQL-minTLS.json') + } + { + name: 'Deploy-Sql-SecurityAlertPolicies' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Sql-SecurityAlertPolicies.json') + } + { + name: 'Deploy-Sql-Tde' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Sql-Tde.json') + } + { + name: 'Deploy-Sql-vulnerabilityAssessments_20230706' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Sql-vulnerabilityAssessments_20230706.json') + } + { + name: 'Deploy-Sql-vulnerabilityAssessments' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Sql-vulnerabilityAssessments.json') + } + { + name: 'Deploy-SqlMi-minTLS' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-SqlMi-minTLS.json') + } + { + name: 'Deploy-Storage-sslEnforcement' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Storage-sslEnforcement.json') + } + { + 
name: 'Deploy-Vm-autoShutdown' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Vm-autoShutdown.json') + } + { + name: 'Deploy-VNET-HubSpoke' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-VNET-HubSpoke.json') + } + { + name: 'Deploy-Windows-DomainJoin' + libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-Windows-DomainJoin.json') + } +] + +// This variable contains a number of objects that load in the custom Azure Policy Set/Initiative Defintions that are provided as part of the ESLZ/ALZ reference implementation - this is automatically created in the file 'infra-as-code\bicep\modules\policy\lib\policy_set_definitions\_policySetDefinitionsBicepInput.txt' via a GitHub action, that runs on a daily schedule, and is then manually copied into this variable. +var varCustomPolicySetDefinitionsArray = [ + { + name: 'Audit-UnusedResourcesCostOptimization' + libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Audit-UnusedResourcesCostOptimization.json') + libSetChildDefinitions: [ + { + definitionReferenceId: 'AuditAzureHybridBenefitUnusedResourcesCostOptimization' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Audit-AzureHybridBenefit' + definitionParameters: varPolicySetDefinitionEsAuditUnusedResourcesCostOptimizationParameters.AuditAzureHybridBenefitUnusedResourcesCostOptimization.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'AuditDisksUnusedResourcesCostOptimization' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Audit-Disks-UnusedResourcesCostOptimization' + definitionParameters: varPolicySetDefinitionEsAuditUnusedResourcesCostOptimizationParameters.AuditDisksUnusedResourcesCostOptimization.parameters + definitionGroups: [] + } + { + definitionReferenceId: 
'AuditPublicIpAddressesUnusedResourcesCostOptimization' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Audit-PublicIpAddresses-UnusedResourcesCostOptimization' + definitionParameters: varPolicySetDefinitionEsAuditUnusedResourcesCostOptimizationParameters.AuditPublicIpAddressesUnusedResourcesCostOptimization.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'AuditServerFarmsUnusedResourcesCostOptimization' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Audit-ServerFarms-UnusedResourcesCostOptimization' + definitionParameters: varPolicySetDefinitionEsAuditUnusedResourcesCostOptimizationParameters.AuditServerFarmsUnusedResourcesCostOptimization.parameters + definitionGroups: [] + } + ] + } + { + name: 'Deny-PublicPaaSEndpoints' + libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Deny-PublicPaaSEndpoints.json') + libSetChildDefinitions: [ + { + definitionReferenceId: 'ACRDenyPaasPublicIP' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/0fdf0491-d080-4575-b627-ad0e843cba0f' + definitionParameters: varPolicySetDefinitionEsDenyPublicPaaSEndpointsParameters.ACRDenyPaasPublicIP.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'AFSDenyPaasPublicIP' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/21a8cd35-125e-4d13-b82d-2e19b7208bb7' + definitionParameters: varPolicySetDefinitionEsDenyPublicPaaSEndpointsParameters.AFSDenyPaasPublicIP.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'AKSDenyPaasPublicIP' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/040732e8-d947-40b8-95d6-854c95024bf8' + definitionParameters: varPolicySetDefinitionEsDenyPublicPaaSEndpointsParameters.AKSDenyPaasPublicIP.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'ApiManDenyPublicIP' + definitionId: 
'/providers/Microsoft.Authorization/policyDefinitions/df73bd95-24da-4a4f-96b9-4e8b94b402bd' + definitionParameters: varPolicySetDefinitionEsDenyPublicPaaSEndpointsParameters.ApiManDenyPublicIP.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'AppConfigDenyPublicIP' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/3d9f5e4c-9947-4579-9539-2a7695fbc187' + definitionParameters: varPolicySetDefinitionEsDenyPublicPaaSEndpointsParameters.AppConfigDenyPublicIP.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'AsDenyPublicIP' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/1b5ef780-c53c-4a64-87f3-bb9c8c8094ba' + definitionParameters: varPolicySetDefinitionEsDenyPublicPaaSEndpointsParameters.AsDenyPublicIP.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'AseDenyPublicIP' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/2d048aca-6479-4923-88f5-e2ac295d9af3' + definitionParameters: varPolicySetDefinitionEsDenyPublicPaaSEndpointsParameters.AseDenyPublicIP.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'AutomationDenyPublicIP' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/955a914f-bf86-4f0e-acd5-e0766b0efcb6' + definitionParameters: varPolicySetDefinitionEsDenyPublicPaaSEndpointsParameters.AutomationDenyPublicIP.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'BatchDenyPublicIP' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/74c5a0ae-5e48-4738-b093-65e23a060488' + definitionParameters: varPolicySetDefinitionEsDenyPublicPaaSEndpointsParameters.BatchDenyPublicIP.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'BotServiceDenyPublicIP' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/5e8168db-69e3-4beb-9822-57cb59202a9d' + definitionParameters: varPolicySetDefinitionEsDenyPublicPaaSEndpointsParameters.BotServiceDenyPublicIP.parameters + 
definitionGroups: [] + } + { + definitionReferenceId: 'CosmosDenyPaasPublicIP' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/797b37f7-06b8-444c-b1ad-fc62867f335a' + definitionParameters: varPolicySetDefinitionEsDenyPublicPaaSEndpointsParameters.CosmosDenyPaasPublicIP.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'FunctionDenyPublicIP' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/969ac98b-88a8-449f-883c-2e9adb123127' + definitionParameters: varPolicySetDefinitionEsDenyPublicPaaSEndpointsParameters.FunctionDenyPublicIP.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'KeyVaultDenyPaasPublicIP' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/405c5871-3e91-4644-8a63-58e19d68ff5b' + definitionParameters: varPolicySetDefinitionEsDenyPublicPaaSEndpointsParameters.KeyVaultDenyPaasPublicIP.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'MariaDbDenyPublicIP' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/fdccbe47-f3e3-4213-ad5d-ea459b2fa077' + definitionParameters: varPolicySetDefinitionEsDenyPublicPaaSEndpointsParameters.MariaDbDenyPublicIP.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'MlDenyPublicIP' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/438c38d2-3772-465a-a9cc-7a6666a275ce' + definitionParameters: varPolicySetDefinitionEsDenyPublicPaaSEndpointsParameters.MlDenyPublicIP.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'MySQLFlexDenyPublicIP' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/c9299215-ae47-4f50-9c54-8a392f68a052' + definitionParameters: varPolicySetDefinitionEsDenyPublicPaaSEndpointsParameters.MySQLFlexDenyPublicIP.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'PostgreSQLFlexDenyPublicIP' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/5e1de0e3-42cb-4ebc-a86d-61d0c619ca48' + 
definitionParameters: varPolicySetDefinitionEsDenyPublicPaaSEndpointsParameters.PostgreSQLFlexDenyPublicIP.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'RedisCacheDenyPublicIP'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/470baccb-7e51-4549-8b1a-3e5be069f663'
+ definitionParameters: varPolicySetDefinitionEsDenyPublicPaaSEndpointsParameters.RedisCacheDenyPublicIP.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'SqlServerDenyPaasPublicIP'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780'
+ definitionParameters: varPolicySetDefinitionEsDenyPublicPaaSEndpointsParameters.SqlServerDenyPaasPublicIP.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'StorageDenyPaasPublicIP'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/b2982f36-99f2-4db5-8eff-283140c09693'
+ definitionParameters: varPolicySetDefinitionEsDenyPublicPaaSEndpointsParameters.StorageDenyPaasPublicIP.parameters
+ definitionGroups: []
+ }
+ ]
+ }
+ {
+ name: 'Deploy-Diagnostics-LogAnalytics'
+ libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Deploy-Diagnostics-LogAnalytics.json')
+ libSetChildDefinitions: [
+ {
+ definitionReferenceId: 'ACIDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACI'
+ definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.ACIDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'ACRDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACR'
+ definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.ACRDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'AKSDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/6c66c325-74c8-42fd-a286-a74b0e2939d8'
+ definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.AKSDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'AnalysisServiceDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AnalysisService'
+ definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.AnalysisServiceDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'APIforFHIRDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApiForFHIR'
+ definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.APIforFHIRDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'APIMgmtDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-APIMgmt'
+ definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.APIMgmtDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'ApplicationGatewayDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApplicationGateway'
+ definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.ApplicationGatewayDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'AppServiceDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WebServerFarm'
+ definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.AppServiceDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'AppServiceWebappDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Website'
+ definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.AppServiceWebappDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'AutomationDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AA'
+ definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.AutomationDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'AVDScalingPlansDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AVDScalingPlans'
+ definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.AVDScalingPlansDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'BastionDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Bastion'
+ definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.BastionDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'BatchDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/c84e5349-db6d-4769-805e-e14037dab9b5'
+ definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.BatchDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'CDNEndpointsDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CDNEndpoints'
+ definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.CDNEndpointsDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'CognitiveServicesDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CognitiveServices'
+ definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.CognitiveServicesDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'CosmosDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CosmosDB'
+ definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.CosmosDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DatabricksDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Databricks'
+ definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.DatabricksDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DataExplorerClusterDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataExplorerCluster'
+ definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.DataExplorerClusterDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DataFactoryDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataFactory'
+ definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.DataFactoryDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DataLakeAnalyticsDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DLAnalytics'
+ definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.DataLakeAnalyticsDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DataLakeStoreDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03'
+ definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.DataLakeStoreDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'EventGridSubDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSub'
+ definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.EventGridSubDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'EventGridTopicDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridTopic'
+ definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.EventGridTopicDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'EventHubDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/1f6e93e8-6b31-41b1-83f6-36e449a42579'
+ definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.EventHubDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'EventSystemTopicDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSystemTopic'
+ definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.EventSystemTopicDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'ExpressRouteDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ExpressRoute'
+ definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.ExpressRouteDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'FirewallDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Firewall'
+ definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.FirewallDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'FrontDoorDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-FrontDoor'
+ definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.FrontDoorDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'FunctionAppDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Function'
+ definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.FunctionAppDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'HDInsightDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-HDInsight'
+ definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.HDInsightDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'IotHubDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-iotHub'
+ definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.IotHubDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'KeyVaultDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/bef3f64c-5290-43b7-85b0-9b254eef4c47'
+ definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.KeyVaultDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'LoadBalancerDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LoadBalancer'
+ definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.LoadBalancerDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'LogAnalyticsDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogAnalytics'
+ definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.LogAnalyticsDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'LogicAppsISEDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogicAppsISE'
+ definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.LogicAppsISEDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'LogicAppsWFDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/b889a06c-ec72-4b03-910a-cb169ee18721'
+ definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.LogicAppsWFDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'MariaDBDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MariaDB'
+ definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.MariaDBDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'MediaServiceDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MediaService'
+ definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.MediaServiceDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'MlWorkspaceDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MlWorkspace'
+ definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.MlWorkspaceDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'MySQLDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MySQL'
+ definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.MySQLDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'NetworkNICDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NIC'
+ definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.NetworkNICDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'NetworkPublicIPNicDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/752154a7-1e0f-45c6-a880-ac75a7e4f648'
+ definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.NetworkPublicIPNicDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'NetworkSecurityGroupsDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NetworkSecurityGroups'
+ definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.NetworkSecurityGroupsDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'PostgreSQLDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PostgreSQL'
+ definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.PostgreSQLDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'PowerBIEmbeddedDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PowerBIEmbedded'
+ definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.PowerBIEmbeddedDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'RecoveryVaultDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/c717fb0c-d118-4c43-ab3d-ece30ac81fb3'
+ definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.RecoveryVaultDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'RedisCacheDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-RedisCache'
+ definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.RedisCacheDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'RelayDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Relay'
+ definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.RelayDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'SearchServicesDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/08ba64b8-738f-4918-9686-730d2ed79c7d'
+ definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.SearchServicesDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'ServiceBusDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/04d53d87-841c-4f23-8a5b-21564380b55e'
+ definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.ServiceBusDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'SignalRDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SignalR'
+ definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.SignalRDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'SQLDatabaseDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/b79fa14e-238a-4c2d-b376-442ce508fc84'
+ definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.SQLDatabaseDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'SQLElasticPoolsDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLElasticPools'
+ definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.SQLElasticPoolsDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'SQLMDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLMI'
+ definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.SQLMDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'StorageAccountBlobServicesDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/b4fe1a3b-0715-4c6c-a5ea-ffc33cf823cb'
+ definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.StorageAccountBlobServicesDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'StorageAccountDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/59759c62-9a22-4cdf-ae64-074495983fef'
+ definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.StorageAccountDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'StorageAccountFileServicesDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/25a70cc8-2bd4-47f1-90b6-1478e4662c96'
+ definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.StorageAccountFileServicesDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'StorageAccountQueueServicesDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/7bd000e3-37c7-4928-9f31-86c4b77c5c45'
+ definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.StorageAccountQueueServicesDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'StorageAccountTableServicesDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/2fb86bf3-d221-43d1-96d1-2434af34eaa0'
+ definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.StorageAccountTableServicesDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'StreamAnalyticsDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/237e0f7e-b0e8-4ec4-ad46-8c12cb66d673'
+ definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.StreamAnalyticsDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'TimeSeriesInsightsDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TimeSeriesInsights'
+ definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.TimeSeriesInsightsDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'TrafficManagerDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TrafficManager'
+ definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.TrafficManagerDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'VirtualMachinesDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VM'
+ definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.VirtualMachinesDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'VirtualNetworkDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VirtualNetwork'
+ definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.VirtualNetworkDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'VMSSDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VMSS'
+ definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.VMSSDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'VNetGWDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VNetGW'
+ definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.VNetGWDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'VWanS2SVPNGWDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VWanS2SVPNGW'
+ definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.VWanS2SVPNGWDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'WVDAppGroupDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDAppGroup'
+ definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.WVDAppGroupDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'WVDHostPoolsDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDHostPools'
+ definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.WVDHostPoolsDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'WVDWorkspaceDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDWorkspace'
+ definitionParameters: varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters.WVDWorkspaceDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ ]
+ }
+ {
+ name: 'Deploy-MDFC-Config'
+ libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Deploy-MDFC-Config.json')
+ libSetChildDefinitions: [
+ {
+ definitionReferenceId: 'ascExport'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/ffb6f416-7bd2-4488-8828-56585fef2be9'
+ definitionParameters: varPolicySetDefinitionEsDeployMDFCConfigParameters.ascExport.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'azurePolicyForKubernetes'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7'
+ definitionParameters: varPolicySetDefinitionEsDeployMDFCConfigParameters.azurePolicyForKubernetes.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'defenderForApis'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/e54d2be9-5f2e-4d65-98e4-4f0e670b23d6'
+ definitionParameters: varPolicySetDefinitionEsDeployMDFCConfigParameters.defenderForApis.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'defenderForAppServices'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/b40e7bcd-a1e5-47fe-b9cf-2f534d0bfb7d'
+ definitionParameters: varPolicySetDefinitionEsDeployMDFCConfigParameters.defenderForAppServices.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'defenderForArm'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/b7021b2b-08fd-4dc0-9de7-3c6ece09faf9'
+ definitionParameters: varPolicySetDefinitionEsDeployMDFCConfigParameters.defenderForArm.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'defenderforContainers'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/c9ddb292-b203-4738-aead-18e2716e858f'
+ definitionParameters: varPolicySetDefinitionEsDeployMDFCConfigParameters.defenderforContainers.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'defenderForCosmosDbs'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/82bf5b87-728b-4a74-ba4d-6123845cf542'
+ definitionParameters: varPolicySetDefinitionEsDeployMDFCConfigParameters.defenderForCosmosDbs.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'defenderForCspm'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/689f7782-ef2c-4270-a6d0-7664869076bd'
+ definitionParameters: varPolicySetDefinitionEsDeployMDFCConfigParameters.defenderForCspm.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'defenderForDns'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/2370a3c1-4a25-4283-a91a-c9c1a145fb2f'
+ definitionParameters: varPolicySetDefinitionEsDeployMDFCConfigParameters.defenderForDns.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'defenderForKeyVaults'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/1f725891-01c0-420a-9059-4fa46cb770b7'
+ definitionParameters: varPolicySetDefinitionEsDeployMDFCConfigParameters.defenderForKeyVaults.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'defenderforKubernetes'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/64def556-fbad-4622-930e-72d1d5589bf5'
+ definitionParameters: varPolicySetDefinitionEsDeployMDFCConfigParameters.defenderforKubernetes.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'defenderForOssDb'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/44433aa3-7ec2-4002-93ea-65c65ff0310a'
+ definitionParameters: varPolicySetDefinitionEsDeployMDFCConfigParameters.defenderForOssDb.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'defenderForSqlPaas'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491'
+ definitionParameters: varPolicySetDefinitionEsDeployMDFCConfigParameters.defenderForSqlPaas.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'defenderForSqlServerVirtualMachines'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/50ea7265-7d8c-429e-9a7d-ca1f410191c3'
+ definitionParameters: varPolicySetDefinitionEsDeployMDFCConfigParameters.defenderForSqlServerVirtualMachines.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'defenderForStorageAccounts'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/74c30959-af11-47b3-9ed2-a26e03f427a3'
+ definitionParameters: varPolicySetDefinitionEsDeployMDFCConfigParameters.defenderForStorageAccounts.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'defenderForVM'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/8e86a5b6-b9bd-49d1-8e21-4bb8a0862222'
+ definitionParameters: varPolicySetDefinitionEsDeployMDFCConfigParameters.defenderForVM.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'defenderForVMVulnerabilityAssessment'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/13ce0167-8ca6-4048-8e6b-f996402e3c1b'
+ definitionParameters: varPolicySetDefinitionEsDeployMDFCConfigParameters.defenderForVMVulnerabilityAssessment.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'securityEmailContact'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts'
+ definitionParameters: varPolicySetDefinitionEsDeployMDFCConfigParameters.securityEmailContact.parameters
+ definitionGroups: []
+ }
+ ]
+ }
+ {
+ name: 'Deploy-Private-DNS-Zones'
+ libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Deploy-Private-DNS-Zones.json')
+ libSetChildDefinitions: [
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-ACR'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/e9585a95-5b8c-4d03-b193-dc7eb5ac4c32'
+ definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-ACR'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-App'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/7a860e27-9ca2-4fc6-822d-c2d248c300df'
+ definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-App'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-AppServices'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/b318f84a-b872-429b-ac6d-a01b96814452'
+ definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-AppServices'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-Automation-DSCHybrid'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/6dd01e4f-1be1-4e80-9d0b-d109e04cb064'
+ definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Automation-DSCHybrid'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-Automation-Webhook'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/6dd01e4f-1be1-4e80-9d0b-d109e04cb064'
+ definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Automation-Webhook'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-Batch'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/4ec38ebc-381f-45ee-81a4-acbc4be878f8'
+ definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Batch'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-CognitiveSearch'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/fbc14a67-53e4-4932-abcc-2049c6706009'
+ definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-CognitiveSearch'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-CognitiveServices'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/c4bc6f10-cb41-49eb-b000-d5ab82e2a091'
+ definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-CognitiveServices'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-Cosmos-Cassandra'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f'
+ definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Cosmos-Cassandra'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-Cosmos-Gremlin'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f'
+ definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Cosmos-Gremlin'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-Cosmos-MongoDB'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f'
+ definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Cosmos-MongoDB'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-Cosmos-SQL'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f'
+ definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Cosmos-SQL'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-Cosmos-Table'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f'
+ definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Cosmos-Table'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-DataFactory'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/86cd96e1-1745-420d-94d4-d3f2fe415aa4'
+ definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-DataFactory'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-DataFactory-Portal'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/86cd96e1-1745-420d-94d4-d3f2fe415aa4'
+ definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-DataFactory-Portal'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-DiskAccess'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/bc05b96c-0b36-4ca9-82f0-5c53f96ce05a'
+ definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-DiskAccess'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-EventGridDomains'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/d389df0a-e0d7-4607-833c-75a6fdac2c2d'
+ definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-EventGridDomains'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-EventGridTopics'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/baf19753-7502-405f-8745-370519b20483'
+ definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-EventGridTopics'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-EventHubNamespace'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/ed66d4f5-8220-45dc-ab4a-20d1749c74e6'
+ definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-EventHubNamespace'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-File-Sync'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/06695360-db88-47f6-b976-7500d4297475'
+ definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-File-Sync'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-HDInsight'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/43d6e3bd-fc6a-4b44-8b4d-2151d8736a11'
+ definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-HDInsight'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-IoT'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/aaa64d2d-2fa3-45e5-b332-0b031b9b30e8'
+ definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-IoT'].parameters + 
definitionGroups: [] + } + { + definitionReferenceId: 'DINE-Private-DNS-Azure-IoTHubs' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/c99ce9c1-ced7-4c3e-aca0-10e69ce0cb02' + definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-IoTHubs'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'DINE-Private-DNS-Azure-KeyVault' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01d4' + definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-KeyVault'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'DINE-Private-DNS-Azure-MachineLearningWorkspace' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/ee40564d-486e-4f68-a5ca-7a621edae0fb' + definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-MachineLearningWorkspace'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'DINE-Private-DNS-Azure-MediaServices-Key' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/b4a7f6c1-585e-4177-ad5b-c2c93f4bb991' + definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-MediaServices-Key'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'DINE-Private-DNS-Azure-MediaServices-Live' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/b4a7f6c1-585e-4177-ad5b-c2c93f4bb991' + definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-MediaServices-Live'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'DINE-Private-DNS-Azure-MediaServices-Stream' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/b4a7f6c1-585e-4177-ad5b-c2c93f4bb991' + definitionParameters: 
varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-MediaServices-Stream'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'DINE-Private-DNS-Azure-Migrate' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/7590a335-57cf-4c95-babd-ecbc8fafeb1f' + definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Migrate'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'DINE-Private-DNS-Azure-Monitor' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/437914ee-c176-4fff-8986-7e05eb971365' + definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Monitor'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'DINE-Private-DNS-Azure-RedisCache' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/e016b22b-e0eb-436d-8fd7-160c4eaed6e2' + definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-RedisCache'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'DINE-Private-DNS-Azure-ServiceBusNamespace' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/f0fcf93c-c063-4071-9668-c47474bd3564' + definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-ServiceBusNamespace'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'DINE-Private-DNS-Azure-SignalR' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/b0e86710-7fb7-4a6c-a064-32e9b829509e' + definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-SignalR'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'DINE-Private-DNS-Azure-Site-Recovery' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/942bd215-1a66-44be-af65-6a1c0318dbe2' + definitionParameters: 
varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Site-Recovery'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'DINE-Private-DNS-Azure-Storage-Blob' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/75973700-529f-4de2-b794-fb9b6781b6b0' + definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Storage-Blob'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'DINE-Private-DNS-Azure-Storage-Blob-Sec' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/d847d34b-9337-4e2d-99a5-767e5ac9c582' + definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Storage-Blob-Sec'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'DINE-Private-DNS-Azure-Storage-DFS' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/83c6fe0f-2316-444a-99a1-1ecd8a7872ca' + definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Storage-DFS'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'DINE-Private-DNS-Azure-Storage-DFS-Sec' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/90bd4cb3-9f59-45f7-a6ca-f69db2726671' + definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Storage-DFS-Sec'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'DINE-Private-DNS-Azure-Storage-File' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/6df98d03-368a-4438-8730-a93c4d7693d6' + definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Storage-File'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'DINE-Private-DNS-Azure-Storage-Queue' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/bcff79fb-2b0d-47c9-97e5-3023479b00d1' + 
definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Storage-Queue'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'DINE-Private-DNS-Azure-Storage-Queue-Sec' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/da9b4ae8-5ddc-48c5-b9c0-25f8abf7a3d6' + definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Storage-Queue-Sec'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'DINE-Private-DNS-Azure-Storage-StaticWeb' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/9adab2a5-05ba-4fbd-831a-5bf958d04218' + definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Storage-StaticWeb'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'DINE-Private-DNS-Azure-Storage-StaticWeb-Sec' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/d19ae5f1-b303-4b82-9ca8-7682749faf0c' + definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Storage-StaticWeb-Sec'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'DINE-Private-DNS-Azure-Synapse-Dev' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9' + definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Synapse-Dev'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'DINE-Private-DNS-Azure-Synapse-SQL' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9' + definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Synapse-SQL'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'DINE-Private-DNS-Azure-Synapse-SQL-OnDemand' + definitionId: 
'/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9' + definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Synapse-SQL-OnDemand'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'DINE-Private-DNS-Azure-Web' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/0b026355-49cb-467b-8ac4-f777874e175a' + definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Web'].parameters + definitionGroups: [] + } + ] + } + { + name: 'Deploy-Sql-Security' + libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Deploy-Sql-Security.json') + libSetChildDefinitions: [ + { + definitionReferenceId: 'SqlDbAuditingSettingsDeploySqlSecurity' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-AuditingSettings' + definitionParameters: varPolicySetDefinitionEsDeploySqlSecurityParameters.SqlDbAuditingSettingsDeploySqlSecurity.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'SqlDbSecurityAlertPoliciesDeploySqlSecurity' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-SecurityAlertPolicies' + definitionParameters: varPolicySetDefinitionEsDeploySqlSecurityParameters.SqlDbSecurityAlertPoliciesDeploySqlSecurity.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'SqlDbTdeDeploySqlSecurity' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/86a912f6-9a06-4e26-b447-11b16ba8659f' + definitionParameters: varPolicySetDefinitionEsDeploySqlSecurityParameters.SqlDbTdeDeploySqlSecurity.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'SqlDbVulnerabilityAssessmentsDeploySqlSecurity' + definitionId: 
'${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-vulnerabilityAssessments' + definitionParameters: varPolicySetDefinitionEsDeploySqlSecurityParameters.SqlDbVulnerabilityAssessmentsDeploySqlSecurity.parameters + definitionGroups: [] + } + ] + } + { + name: 'Enforce-ACSB' + libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-ACSB.json') + libSetChildDefinitions: [ + { + definitionReferenceId: 'GcIdentity' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e' + definitionParameters: varPolicySetDefinitionEsEnforceACSBParameters.GcIdentity.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'GcLinux' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da' + definitionParameters: varPolicySetDefinitionEsEnforceACSBParameters.GcLinux.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'GcWindows' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/385f5831-96d4-41db-9a3c-cd3af78aaae6' + definitionParameters: varPolicySetDefinitionEsEnforceACSBParameters.GcWindows.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'LinAcsb' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd' + definitionParameters: varPolicySetDefinitionEsEnforceACSBParameters.LinAcsb.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'WinAcsb' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/72650e9f-97bc-4b2a-ab5f-9781a9fcecbc' + definitionParameters: varPolicySetDefinitionEsEnforceACSBParameters.WinAcsb.parameters + definitionGroups: [] + } + ] + } + { + name: 'Enforce-ALZ-Decomm' + libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-ALZ-Decomm.json') + libSetChildDefinitions: [ + { + definitionReferenceId: 
'DecomDenyResources' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/a08ec900-254a-4555-9bf5-e42af04b5c5c' + definitionParameters: varPolicySetDefinitionEsEnforceALZDecommParameters.DecomDenyResources.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'DecomShutdownMachines' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Vm-autoShutdown' + definitionParameters: varPolicySetDefinitionEsEnforceALZDecommParameters.DecomShutdownMachines.parameters + definitionGroups: [] + } + ] + } + { + name: 'Enforce-ALZ-Sandbox' + libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-ALZ-Sandbox.json') + libSetChildDefinitions: [ + { + definitionReferenceId: 'SandboxDenyVnetPeering' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-VNET-Peer-Cross-Sub' + definitionParameters: varPolicySetDefinitionEsEnforceALZSandboxParameters.SandboxDenyVnetPeering.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'SandboxNotAllowed' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749' + definitionParameters: varPolicySetDefinitionEsEnforceALZSandboxParameters.SandboxNotAllowed.parameters + definitionGroups: [] + } + ] + } + { + name: 'Enforce-Encryption-CMK' + libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Encryption-CMK.json') + libSetChildDefinitions: [ + { + definitionReferenceId: 'ACRCmkDeny' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580' + definitionParameters: varPolicySetDefinitionEsEnforceEncryptionCMKParameters.ACRCmkDeny.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'AksCmkDeny' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/7d7be79c-23ba-4033-84dd-45e2a5ccdd67' 
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptionCMKParameters.AksCmkDeny.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'AzureBatchCMKEffect'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/99e9ccd8-3db9-4592-b0d1-14b1715a4d8a'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptionCMKParameters.AzureBatchCMKEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'CognitiveServicesCMK'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/67121cc7-ff39-4ab8-b7e3-95b84dab487d'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptionCMKParameters.CognitiveServicesCMK.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'CosmosCMKEffect'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/1f905d99-2ab7-462c-a6b0-f709acca6c8f'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptionCMKParameters.CosmosCMKEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DataBoxCMKEffect'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/86efb160-8de7-451d-bc08-5d475b0aadae'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptionCMKParameters.DataBoxCMKEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'EncryptedVMDisksEffect'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptionCMKParameters.EncryptedVMDisksEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'HealthcareAPIsCMKEffect'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/051cba44-2429-45b9-9649-46cec11c7119'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptionCMKParameters.HealthcareAPIsCMKEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'MySQLCMKEffect'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/83cef61d-dbd1-4b20-a4fc-5fbc7da10833'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptionCMKParameters.MySQLCMKEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'PostgreSQLCMKEffect'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/18adea5e-f416-4d0f-8aa8-d24321e3e274'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptionCMKParameters.PostgreSQLCMKEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'SqlServerTDECMKEffect'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/0a370ff3-6cab-4e85-8995-295fd854c5b8'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptionCMKParameters.SqlServerTDECMKEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'StorageCMKEffect'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/6fac406b-40ca-413b-bf8e-0bf964659c25'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptionCMKParameters.StorageCMKEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'StreamAnalyticsCMKEffect'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/87ba29ef-1ab3-4d82-b763-87fcd4f531f7'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptionCMKParameters.StreamAnalyticsCMKEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'SynapseWorkspaceCMKEffect'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/f7d52b2d-e161-4dfa-a82b-55e564167385'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptionCMKParameters.SynapseWorkspaceCMKEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'WorkspaceCMK'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/ba769a63-b8cc-4b2d-abf6-ac33c7204be8'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptionCMKParameters.WorkspaceCMK.parameters
+ definitionGroups: []
+ }
+ ]
+ }
+ {
+ name: 'Enforce-EncryptTransit'
+ libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-EncryptTransit.json')
+ libSetChildDefinitions: [
+ {
+ definitionReferenceId: 'AKSIngressHttpsOnlyEffect'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransitParameters.AKSIngressHttpsOnlyEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'APIAppServiceHttpsEffect'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransitParameters.APIAppServiceHttpsEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'AppServiceHttpEffect'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransitParameters.AppServiceHttpEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'AppServiceminTlsVersion'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransitParameters.AppServiceminTlsVersion.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'FunctionLatestTlsEffect'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransitParameters.FunctionLatestTlsEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'FunctionServiceHttpsEffect'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransitParameters.FunctionServiceHttpsEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'MySQLEnableSSLDeployEffect'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransitParameters.MySQLEnableSSLDeployEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'MySQLEnableSSLEffect'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-MySql-http'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransitParameters.MySQLEnableSSLEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'PostgreSQLEnableSSLDeployEffect'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransitParameters.PostgreSQLEnableSSLDeployEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'PostgreSQLEnableSSLEffect'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransitParameters.PostgreSQLEnableSSLEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'RedisDenyhttps'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Redis-http'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransitParameters.RedisDenyhttps.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'RedisdisableNonSslPort'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransitParameters.RedisdisableNonSslPort.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'RedisTLSDeployEffect'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransitParameters.RedisTLSDeployEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'SQLManagedInstanceTLSDeployEffect'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransitParameters.SQLManagedInstanceTLSDeployEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'SQLManagedInstanceTLSEffect'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransitParameters.SQLManagedInstanceTLSEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'SQLServerTLSDeployEffect'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransitParameters.SQLServerTLSDeployEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'SQLServerTLSEffect'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransitParameters.SQLServerTLSEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'StorageDeployHttpsEnabledEffect'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransitParameters.StorageDeployHttpsEnabledEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'StorageHttpsEnabledEffect'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-minTLS'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransitParameters.StorageHttpsEnabledEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'WebAppServiceHttpsEffect'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransitParameters.WebAppServiceHttpsEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'WebAppServiceLatestTlsEffect'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b'
+ definitionParameters: varPolicySetDefinitionEsEnforceEncryptTransitParameters.WebAppServiceLatestTlsEffect.parameters
+ definitionGroups: []
+ }
+ ]
+ }
+ {
+ name: 'Enforce-Guardrails-KeyVault'
+ libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-KeyVault.json')
+ libSetChildDefinitions: [
+ {
+ definitionReferenceId: 'KvCertLifetime'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/12ef42cb-9903-4e39-9c26-422d29570417'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsKeyVaultParameters.KvCertLifetime.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'KvFirewallEnabled'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/55615ac9-af46-4a59-874e-391cc3dfb490'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsKeyVaultParameters.KvFirewallEnabled.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'KvKeysExpire'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsKeyVaultParameters.KvKeysExpire.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'KvKeysLifetime'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/5ff38825-c5d8-47c5-b70e-069a21955146'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsKeyVaultParameters.KvKeysLifetime.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'KvPurgeProtection'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsKeyVaultParameters.KvPurgeProtection.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'KvSecretsExpire'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/98728c90-32c7-4049-8429-847dc0f4fe37'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsKeyVaultParameters.KvSecretsExpire.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'KvSecretsLifetime'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/b0eb591a-5e70-4534-a8bf-04b9c489584a'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsKeyVaultParameters.KvSecretsLifetime.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'KvSoftDelete'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d'
+ definitionParameters: varPolicySetDefinitionEsEnforceGuardrailsKeyVaultParameters.KvSoftDelete.parameters
+ definitionGroups: []
+ }
+ ]
+ }
+]
+
+// Policy Set/Initiative Definition Parameter Variables
+
+var varPolicySetDefinitionEsAuditUnusedResourcesCostOptimizationParameters = loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Audit-UnusedResourcesCostOptimization.parameters.json')
+
+var varPolicySetDefinitionEsDenyPublicPaaSEndpointsParameters = loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Deny-PublicPaaSEndpoints.parameters.json')
+
+var varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters = loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Deploy-Diagnostics-LogAnalytics.parameters.json')
+
+var varPolicySetDefinitionEsDeployMDFCConfigParameters = loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Deploy-MDFC-Config.parameters.json')
+
+var varPolicySetDefinitionEsDeployPrivateDNSZonesParameters = loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Deploy-Private-DNS-Zones.parameters.json')
+
+var varPolicySetDefinitionEsDeploySqlSecurityParameters = loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Deploy-Sql-Security.parameters.json')
+
+var varPolicySetDefinitionEsEnforceACSBParameters = loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-ACSB.parameters.json')
+
+var varPolicySetDefinitionEsEnforceALZDecommParameters = loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-ALZ-Decomm.parameters.json')
+
+var varPolicySetDefinitionEsEnforceALZSandboxParameters = loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-ALZ-Sandbox.parameters.json')
+
+var varPolicySetDefinitionEsEnforceEncryptionCMKParameters = loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Encryption-CMK.parameters.json')
+
+var varPolicySetDefinitionEsEnforceEncryptTransitParameters = loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-EncryptTransit.parameters.json')
+
+var varPolicySetDefinitionEsEnforceGuardrailsKeyVaultParameters = loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-KeyVault.parameters.json')
+
+// Customer Usage Attribution Id
+var varCuaid = '2b136786-9881-412e-84ba-f4c2822e1ac9'
+
+resource resPolicyDefinitions 'Microsoft.Authorization/policyDefinitions@2021-06-01' = [for policy in varCustomPolicyDefinitionsArray: {
+ name: policy.libDefinition.name
+ properties: {
+ description: policy.libDefinition.properties.description
+ displayName: policy.libDefinition.properties.displayName
+ metadata: policy.libDefinition.properties.metadata
+ mode: policy.libDefinition.properties.mode
+ parameters: policy.libDefinition.properties.parameters
+ policyType: policy.libDefinition.properties.policyType
+ policyRule: policy.libDefinition.properties.policyRule
+ }
+}]
+
+resource resPolicySetDefinitions 'Microsoft.Authorization/policySetDefinitions@2021-06-01' = [for policySet in varCustomPolicySetDefinitionsArray: {
+ dependsOn: [
+ resPolicyDefinitions // Must wait for policy definitons to be deployed before starting the creation of Policy Set/Initiative Defininitions
+ ]
+ name: policySet.libSetDefinition.name
+ properties: {
+ description: policySet.libSetDefinition.properties.description
+ displayName: policySet.libSetDefinition.properties.displayName
+ metadata: policySet.libSetDefinition.properties.metadata
+ parameters: policySet.libSetDefinition.properties.parameters
+ policyType: policySet.libSetDefinition.properties.policyType
+ policyDefinitions: [for policySetDef in policySet.libSetChildDefinitions: {
+ policyDefinitionReferenceId: policySetDef.definitionReferenceId
+ policyDefinitionId: policySetDef.definitionId
+ parameters: policySetDef.definitionParameters
+ groupNames: policySetDef.definitionGroups
+ }]
+ policyDefinitionGroups: policySet.libSetDefinition.properties.policyDefinitionGroups
+ }
+}]
+
+// Optional Deployment for Customer Usage Attribution
+module modCustomerUsageAttribution '../../../CRML/customerUsageAttribution/cuaIdManagementGroup.bicep' = if (!parTelemetryOptOut) {
+ #disable-next-line no-loc-expr-outside-params //Only to ensure telemetry data is stored in same location as deployment. See https://github.com/Azure/ALZ-Bicep/wiki/FAQ#why-are-some-linter-rules-disabled-via-the-disable-next-line-bicep-function for more information
+ name: 'pid-${varCuaid}-${uniqueString(deployment().location)}'
+ params: {}
+}
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/generateddocs/customPolicyDefinitions.bicep.md b/dependencies/infra-as-code/bicep/modules/policy/definitions/generateddocs/customPolicyDefinitions.bicep.md
new file mode 100644
index 0000000..ba760b2
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/generateddocs/customPolicyDefinitions.bicep.md
@@ -0,0 +1,48 @@ +# ALZ Bicep - Custom Policy Defitions at Management Group Scope + +This policy definition is used to deploy custom policy definitions at management group scope + +## Parameters + +Parameter name | Required | Description +-------------- | -------- | ----------- +parTargetManagementGroupId | No | The management group scope to which the policy definitions are to be created at. +parTelemetryOptOut | No | Set Parameter to true to Opt-out of deployment telemetry + +### parTargetManagementGroupId + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +The management group scope to which the policy definitions are to be created at. + +- Default value: `alz` + +### parTelemetryOptOut + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Set Parameter to true to Opt-out of deployment telemetry + +- Default value: `False` + +## Snippets + +### Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "template": "infra-as-code/bicep/modules/policy/definitions/customPolicyDefinitions.json" + }, + "parameters": { + "parTargetManagementGroupId": { + "value": "alz" + }, + "parTelemetryOptOut": { + "value": false + } + } +} +``` diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/generateddocs/mc-customPolicyDefinitions.bicep.md b/dependencies/infra-as-code/bicep/modules/policy/definitions/generateddocs/mc-customPolicyDefinitions.bicep.md new file mode 100644 index 0000000..5cbc7f9 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/generateddocs/mc-customPolicyDefinitions.bicep.md 
@@ -0,0 +1,48 @@ +# ALZ Bicep - Custom Policy Defitions at Management Group Scope + +This policy definition is used to deploy custom policy definitions at management group scope + +## Parameters + +Parameter name | Required | Description +-------------- | -------- | ----------- +parTargetManagementGroupId | No | The management group scope to which the policy definitions are to be created at. +parTelemetryOptOut | No | Set Parameter to true to Opt-out of deployment telemetry + +### parTargetManagementGroupId + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +The management group scope to which the policy definitions are to be created at. + +- Default value: `alz` + +### parTelemetryOptOut + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Set Parameter to true to Opt-out of deployment telemetry + +- Default value: `False` + +## Snippets + +### Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "template": "infra-as-code/bicep/modules/policy/definitions/mc-customPolicyDefinitions.json" + }, + "parameters": { + "parTargetManagementGroupId": { + "value": "alz" + }, + "parTelemetryOptOut": { + "value": false + } + } +} +``` diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/_mc_policyDefinitionsBicepInput.txt b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/_mc_policyDefinitionsBicepInput.txt new file mode 100644 index 0000000..0ae54fd --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/_mc_policyDefinitionsBicepInput.txt 
@@ -0,0 +1,400 @@ +{ + name: 'Append-AppService-httpsonly' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Append-AppService-httpsonly.json') +} +{ + name: 'Append-AppService-latestTLS' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Append-AppService-latestTLS.json') +} +{ + name: 'Append-KV-SoftDelete' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Append-KV-SoftDelete.json') +} +{ + name: 'Append-Redis-disableNonSslPort' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Append-Redis-disableNonSslPort.json') +} +{ + name: 'Append-Redis-sslEnforcement' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Append-Redis-sslEnforcement.json') +} +{ + name: 'Deny-AFSPaasPublicIP' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deny-AFSPaasPublicIP.json') +} +{ + name: 'Deny-AppGW-Without-WAF' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deny-AppGW-Without-WAF.json') +} +{ + name: 'Deny-AppServiceApiApp-http' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deny-AppServiceApiApp-http.json') +} +{ + name: 'Deny-AppServiceFunctionApp-http' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deny-AppServiceFunctionApp-http.json') +} +{ + name: 'Deny-AppServiceWebApp-http' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deny-AppServiceWebApp-http.json') +} +{ + name: 'Deny-KeyVaultPaasPublicIP' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deny-KeyVaultPaasPublicIP.json') +} +{ + name: 'Deny-MySql-http' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deny-MySql-http.json') +} +{ + name: 'Deny-PostgreSql-http' + 
libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deny-PostgreSql-http.json') +} +{ + name: 'Deny-Private-DNS-Zones' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deny-Private-DNS-Zones.json') +} +{ + name: 'Deny-PublicEndpoint-MariaDB' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deny-PublicEndpoint-MariaDB.json') +} +{ + name: 'Deny-PublicIP' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deny-PublicIP.json') +} +{ + name: 'Deny-RDP-From-Internet' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deny-RDP-From-Internet.json') +} +{ + name: 'Deny-Redis-http' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deny-Redis-http.json') +} +{ + name: 'Deny-Sql-minTLS' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deny-Sql-minTLS.json') +} +{ + name: 'Deny-SqlMi-minTLS' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deny-SqlMi-minTLS.json') +} +{ + name: 'Deny-Storage-minTLS' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deny-Storage-minTLS.json') +} +{ + name: 'Deny-Subnet-Without-Nsg' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deny-Subnet-Without-Nsg.json') +} +{ + name: 'Deny-Subnet-Without-Udr' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deny-Subnet-Without-Udr.json') +} +{ + name: 'Deny-VNET-Peer-Cross-Sub' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deny-VNET-Peer-Cross-Sub.json') +} +{ + name: 'Deny-VNET-Peering-To-Non-Approved-VNETs' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deny-VNET-Peering-To-Non-Approved-VNETs.json') +} +{ + name: 
'Deny-VNet-Peering' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deny-VNet-Peering.json') +} +{ + name: 'Deploy-ActivityLogs-to-LA-workspace' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-ActivityLogs-to-LA-workspace.json') +} +{ + name: 'Deploy-ASC-SecurityContacts' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-ASC-SecurityContacts.json') +} +{ + name: 'Deploy-Custom-Route-Table' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Custom-Route-Table.json') +} +{ + name: 'Deploy-DDoSProtection' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-DDoSProtection.json') +} +{ + name: 'Deploy-Default-Udr' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Default-Udr.json') +} +{ + name: 'Deploy-Diagnostics-AA' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-AA.json') +} +{ + name: 'Deploy-Diagnostics-ACI' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-ACI.json') +} +{ + name: 'Deploy-Diagnostics-ACR' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-ACR.json') +} +{ + name: 'Deploy-Diagnostics-AnalysisService' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-AnalysisService.json') +} +{ + name: 'Deploy-Diagnostics-ApiForFHIR' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-ApiForFHIR.json') +} +{ + name: 'Deploy-Diagnostics-APIMgmt' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-APIMgmt.json') +} +{ + name: 'Deploy-Diagnostics-ApplicationGateway' + libDefinition: 
loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-ApplicationGateway.json') +} +{ + name: 'Deploy-Diagnostics-Bastion' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-Bastion.json') +} +{ + name: 'Deploy-Diagnostics-CDNEndpoints' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-CDNEndpoints.json') +} +{ + name: 'Deploy-Diagnostics-CognitiveServices' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-CognitiveServices.json') +} +{ + name: 'Deploy-Diagnostics-CosmosDB' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-CosmosDB.json') +} +{ + name: 'Deploy-Diagnostics-Databricks' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-Databricks.json') +} +{ + name: 'Deploy-Diagnostics-DataExplorerCluster' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-DataExplorerCluster.json') +} +{ + name: 'Deploy-Diagnostics-DataFactory' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-DataFactory.json') +} +{ + name: 'Deploy-Diagnostics-DLAnalytics' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-DLAnalytics.json') +} +{ + name: 'Deploy-Diagnostics-EventGridSub' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-EventGridSub.json') +} +{ + name: 'Deploy-Diagnostics-EventGridSystemTopic' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-EventGridSystemTopic.json') +} +{ + name: 'Deploy-Diagnostics-EventGridTopic' + libDefinition: 
loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-EventGridTopic.json') +} +{ + name: 'Deploy-Diagnostics-ExpressRoute' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-ExpressRoute.json') +} +{ + name: 'Deploy-Diagnostics-Firewall' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-Firewall.json') +} +{ + name: 'Deploy-Diagnostics-FrontDoor' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-FrontDoor.json') +} +{ + name: 'Deploy-Diagnostics-Function' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-Function.json') +} +{ + name: 'Deploy-Diagnostics-HDInsight' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-HDInsight.json') +} +{ + name: 'Deploy-Diagnostics-iotHub' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-iotHub.json') +} +{ + name: 'Deploy-Diagnostics-LoadBalancer' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-LoadBalancer.json') +} +{ + name: 'Deploy-Diagnostics-LogicAppsISE' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-LogicAppsISE.json') +} +{ + name: 'Deploy-Diagnostics-MariaDB' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-MariaDB.json') +} +{ + name: 'Deploy-Diagnostics-MediaService' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-MediaService.json') +} +{ + name: 'Deploy-Diagnostics-MlWorkspace' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-MlWorkspace.json') +} +{ + name: 
'Deploy-Diagnostics-MySQL' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-MySQL.json') +} +{ + name: 'Deploy-Diagnostics-NetworkSecurityGroups' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-NetworkSecurityGroups.json') +} +{ + name: 'Deploy-Diagnostics-NIC' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-NIC.json') +} +{ + name: 'Deploy-Diagnostics-PostgreSQL' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-PostgreSQL.json') +} +{ + name: 'Deploy-Diagnostics-PowerBIEmbedded' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-PowerBIEmbedded.json') +} +{ + name: 'Deploy-Diagnostics-RedisCache' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-RedisCache.json') +} +{ + name: 'Deploy-Diagnostics-Relay' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-Relay.json') +} +{ + name: 'Deploy-Diagnostics-SignalR' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-SignalR.json') +} +{ + name: 'Deploy-Diagnostics-SQLElasticPools' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-SQLElasticPools.json') +} +{ + name: 'Deploy-Diagnostics-SQLMI' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-SQLMI.json') +} +{ + name: 'Deploy-Diagnostics-TimeSeriesInsights' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-TimeSeriesInsights.json') +} +{ + name: 'Deploy-Diagnostics-TrafficManager' + libDefinition: 
loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-TrafficManager.json') +} +{ + name: 'Deploy-Diagnostics-VirtualNetwork' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-VirtualNetwork.json') +} +{ + name: 'Deploy-Diagnostics-VM' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-VM.json') +} +{ + name: 'Deploy-Diagnostics-VMSS' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-VMSS.json') +} +{ + name: 'Deploy-Diagnostics-VNetGW' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-VNetGW.json') +} +{ + name: 'Deploy-Diagnostics-WebServerFarm' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-WebServerFarm.json') +} +{ + name: 'Deploy-Diagnostics-Website' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-Website.json') +} +{ + name: 'Deploy-Diagnostics-WVDAppGroup' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-WVDAppGroup.json') +} +{ + name: 'Deploy-Diagnostics-WVDHostPools' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-WVDHostPools.json') +} +{ + name: 'Deploy-Diagnostics-WVDWorkspace' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-WVDWorkspace.json') +} +{ + name: 'Deploy-FirewallPolicy' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-FirewallPolicy.json') +} +{ + name: 'Deploy-MySQL-sslEnforcement' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-MySQL-sslEnforcement.json') +} +{ + name: 'Deploy-MySQLCMKEffect' + libDefinition: 
loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-MySQLCMKEffect.json') +} +{ + name: 'Deploy-Nsg-FlowLogs-to-LA' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Nsg-FlowLogs-to-LA.json') +} +{ + name: 'Deploy-Nsg-FlowLogs' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Nsg-FlowLogs.json') +} +{ + name: 'Deploy-PostgreSQL-sslEnforcement' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-PostgreSQL-sslEnforcement.json') +} +{ + name: 'Deploy-PostgreSQLCMKEffect' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-PostgreSQLCMKEffect.json') +} +{ + name: 'Deploy-Private-DNS-Azure-File-Sync' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Private-DNS-Azure-File-Sync.json') +} +{ + name: 'Deploy-Private-DNS-Azure-KeyVault' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Private-DNS-Azure-KeyVault.json') +} +{ + name: 'Deploy-Private-DNS-Azure-Web' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Private-DNS-Azure-Web.json') +} +{ + name: 'Deploy-Sql-AuditingSettings' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Sql-AuditingSettings.json') +} +{ + name: 'Deploy-SQL-minTLS' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-SQL-minTLS.json') +} +{ + name: 'Deploy-Sql-SecurityAlertPolicies' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Sql-SecurityAlertPolicies.json') +} +{ + name: 'Deploy-Sql-Tde' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Sql-Tde.json') +} +{ + name: 'Deploy-Sql-vulnerabilityAssessments' + libDefinition: 
loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Sql-vulnerabilityAssessments.json') +} +{ + name: 'Deploy-SqlMi-minTLS' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-SqlMi-minTLS.json') +} +{ + name: 'Deploy-Storage-sslEnforcement' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Storage-sslEnforcement.json') +} +{ + name: 'Deploy-VNET-HubSpoke' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-VNET-HubSpoke.json') +} +{ + name: 'Deploy-Windows-DomainJoin' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Windows-DomainJoin.json') +} diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Append-AppService-httpsonly.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Append-AppService-httpsonly.json new file mode 100644 index 0000000..a8c1cb1 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Append-AppService-httpsonly.json 
@@ -0,0 +1,59 @@
+{
+ "name": "Append-AppService-httpsonly",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "mode": "All",
+ "displayName": "AppService append enable https only setting to enforce https setting.",
+ "description": "Appends the AppService sites object to ensure that HTTPS only is enabled for server/service authentication and protects data in transit from network layer eavesdropping attacks. Please note Append does not enforce compliance use then deny.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "App Service",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "defaultValue": "Append",
+ "allowedValues": [
+ "Append",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Web/sites"
+ },
+ {
+ "field": "Microsoft.Web/sites/httpsOnly",
+ "notequals": true
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]",
+ "details": [
+ {
+ "field": "Microsoft.Web/sites/httpsOnly",
+ "value": true
+ }
+ ]
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Append-AppService-latestTLS.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Append-AppService-latestTLS.json
new file mode 100644
index 0000000..45e239a
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Append-AppService-latestTLS.json
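Review bot: The closing sentence of `description`, `Please note Append does not enforce compliance use then deny.`, is hard to parse and leaves an operator unsure what happens to sites that already exist. As far as I understand the Append effect, it adds the field when a site is created or updated and does not change existing resources, so I would word it as `Append only sets httpsOnly when a site is created or updated; assign a Deny policy as well to enforce compliance.` The same sentence appears in the description of Append-AppService-latestTLS.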
@@ -0,0 +1,72 @@
+{
+ "name": "Append-AppService-latestTLS",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "mode": "All",
+ "displayName": "AppService append sites with minimum TLS version to enforce.",
+ "description": "Append the AppService sites object to ensure that min Tls version is set to required minimum TLS version. Please note Append does not enforce compliance use then deny.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "App Service",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "defaultValue": "Append",
+ "allowedValues": [
+ "Append",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ },
+ "minTlsVersion": {
+ "type": "String",
+ "defaultValue": "1.2",
+ "allowedValues": [
+ "1.2",
+ "1.0",
+ "1.1"
+ ],
+ "metadata": {
+ "displayName": "Select version minimum TLS Web App config",
+ "description": "Select version minimum TLS version for a Web App config to enforce"
+ }
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Web/sites/config"
+ },
+ {
+ "field": "Microsoft.Web/sites/config/minTlsVersion",
+ "notEquals": "[parameters('minTlsVersion')]"
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]",
+ "details": [
+ {
+ "field": "Microsoft.Web/sites/config/minTlsVersion",
+ "value": "[parameters('minTlsVersion')]"
+ }
+ ]
+ }
+ }
+ }
+}
\ No newline at end of file
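Review bot: The `minTlsVersion` parameter lists `"1.0"` and `"1.1"` in `allowedValues`, and the `if` condition is an exact `notEquals` match, so an assignment made with `1.1` would treat a site already on 1.2 as a mismatch and try to apply the weaker value. Restrict the parameter to the current floor, `"allowedValues": ["1.2"]`, or replace the exact match with an ordering comparison if older values must stay selectable. Append-Redis-sslEnforcement later in this commit has the same value list and the same exact-match condition on `minimumTlsVersion`.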
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Append-KV-SoftDelete.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Append-KV-SoftDelete.json
new file mode 100644
index 0000000..9c3410d
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Append-KV-SoftDelete.json
@@ -0,0 +1,50 @@
+{
+ "name": "Append-KV-SoftDelete",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "mode": "Indexed",
+ "displayName": "KeyVault SoftDelete should be enabled",
+ "description": "This policy enables you to ensure when a Key Vault is created with out soft delete enabled it will be added.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Key Vault",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {},
+ "policyRule": {
+ "if": {
+ "anyOf": [
+ {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.KeyVault/vaults"
+ },
+ {
+ "field": "Microsoft.KeyVault/vaults/enableSoftDelete",
+ "notEquals": true
+ }
+ ]
+ }
+ ]
+ },
+ "then": {
+ "effect": "append",
+ "details": [
+ {
+ "field": "Microsoft.KeyVault/vaults/enableSoftDelete",
+ "value": true
+ }
+ ]
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Append-Redis-disableNonSslPort.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Append-Redis-disableNonSslPort.json
new file mode 100644
index 0000000..024fbbd
--- /dev/null
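Review bot: In Append-KV-SoftDelete, `then.effect` is the literal `"append"` and `parameters` is empty, so unlike the other Append-* definitions in this commit the effect cannot be set to Disabled per assignment. Expose the same `effect` parameter the sibling definitions use (block below) and reference it with `"effect": "[parameters('effect')]"`. The outer `anyOf` wraps a single `allOf` and can be dropped, and `with out` in the description should read `without`.

```json
    "parameters": {
      "effect": {
        "type": "String",
        "defaultValue": "Append",
        "allowedValues": [
          "Append",
          "Disabled"
        ],
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        }
      }
    },
```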
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Append-Redis-disableNonSslPort.json
@@ -0,0 +1,64 @@
+{
+ "name": "Append-Redis-disableNonSslPort",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "mode": "Indexed",
+ "displayName": "Azure Cache for Redis Append and the enforcement that enableNonSslPort is disabled.",
+ "description": "Azure Cache for Redis Append and the enforcement that enableNonSslPort is disabled. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Cache",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "defaultValue": "Append",
+ "allowedValues": [
+ "Append",
+ "Disabled",
+ "Modify"
+ ],
+ "metadata": {
+ "displayName": "Effect Azure Cache for Redis",
+ "description": "Enable or disable the execution of the policy minimum TLS version Azure Cache for Redis"
+ }
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Cache/redis"
+ },
+ {
+ "anyOf": [
+ {
+ "field": "Microsoft.Cache/Redis/enableNonSslPort",
+ "equals": "true"
+ }
+ ]
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]",
+ "details": [
+ {
+ "field": "Microsoft.Cache/Redis/enableNonSslPort",
+ "value": false
+ }
+ ]
+ }
+ }
+ }
+}
\ No newline at end of file
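Review bot: `allowedValues` for `effect` includes `"Modify"`, but `then.details` is written in the Append shape (an array of field/value pairs); a Modify effect expects `roleDefinitionIds` and `operations` in `details`, so selecting it at assignment would not give a working rule. Drop `"Modify"` from the list unless a Modify form of `details` is added. The condition also compares `enableNonSslPort` with the string `"true"` while the appended value is the boolean `false`; writing `"equals": true` would keep the types consistent. The description and the parameter metadata talk about minimum TLS version and look copied from the sslEnforcement definition.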
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Append-Redis-sslEnforcement.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Append-Redis-sslEnforcement.json
new file mode 100644
index 0000000..8174263
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Append-Redis-sslEnforcement.json
@@ -0,0 +1,76 @@ +{ + "name": "Append-Redis-sslEnforcement", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Azure Cache for Redis Append a specific min TLS version requirement and enforce TLS.", + "description": "Append a specific min TLS version requirement and enforce SSL on Azure Cache for Redis. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.", + "metadata": { + "version": "1.0.0", + "category": "Cache", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "defaultValue": "Append", + "allowedValues": [ + "Append", + "Disabled" + ], + "metadata": { + "displayName": "Effect Azure Cache for Redis", + "description": "Enable or disable the execution of the policy minimum TLS version Azure Cache for Redis" + } + }, + "minimumTlsVersion": { + "type": "String", + "defaultValue": "1.2", + "allowedValues": [ + "1.2", + "1.1", + "1.0" + ], + "metadata": { + "displayName": "Select version for Redis server", + "description": "Select version minimum TLS version Azure Cache for Redis to enforce" + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Cache/redis" + }, + { + "anyOf": [ + { + "field": "Microsoft.Cache/Redis/minimumTlsVersion", + "notequals": "[parameters('minimumTlsVersion')]" + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": [ + { + "field": "Microsoft.Cache/Redis/minimumTlsVersion", + 
"value": "[parameters('minimumTlsVersion')]" + } + ] + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Audit-MachineLearning-PrivateEndpointId.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Audit-MachineLearning-PrivateEndpointId.json new file mode 100644 index 0000000..217f941 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Audit-MachineLearning-PrivateEndpointId.json 
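Review bot: `minimumTlsVersion` accepts `1.1` and `1.0`, so an assignment can pin a deprecated protocol floor and still report caches as compliant; restricting it to `"allowedValues": ["1.2"]`, or documenting why the older values remain, would close that. Because the condition is `notequals` against the parameter, a cache that requests a higher version than the parameter also matches the rule, and an Append that conflicts with a value in the request is, as far as I know, treated as a denial. The display name promises "enforce TLS", but the rule only appends `minimumTlsVersion`; the non-SSL port is handled by the separate disableNonSslPort definition, which the description could say.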
@@ -0,0 +1,64 @@ +{ + "name": "Audit-MachineLearning-PrivateEndpointId", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Control private endpoint connections to Azure Machine Learning", + "description": "Audit private endpoints that are created in other subscriptions and/or tenants for Azure Machine Learning.", + "metadata": { + "version": "1.0.0", + "category": "Machine Learning", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud" + ] + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Audit" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.MachineLearningServices/workspaces/privateEndpointConnections" + }, + { + "field": "Microsoft.MachineLearningServices/workspaces/privateEndpointConnections/privateLinkServiceConnectionState.status", + "equals": "Approved" + }, + { + "anyOf": [ + { + "field": "Microsoft.MachineLearningServices/workspaces/privateEndpointConnections/privateEndpoint.id", + "exists": false + }, + { + "value": "[split(concat(field('Microsoft.MachineLearningServices/workspaces/privateEndpointConnections/privateEndpoint.id'), '//'), '/')[2]]", + "notEquals": "[subscription().subscriptionId]" + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]" + } + } + } +} \ No newline at end of file 
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-AA-child-resources.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-AA-child-resources.json
new file mode 100644
index 0000000..1b072d7
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-AA-child-resources.json
@@ -0,0 +1,56 @@
+{
+ "name": "Deny-AA-child-resources",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "mode": "Indexed",
+ "displayName": "No child resources in Automation Account",
+ "description": "This policy denies the creation of child resources on the Automation Account",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Automation",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "defaultValue": "Deny",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "in": [
+ "Microsoft.Automation/automationAccounts/runbooks",
+ "Microsoft.Automation/automationAccounts/variables",
+ "Microsoft.Automation/automationAccounts/modules",
+ "Microsoft.Automation/automationAccounts/credentials",
+ "Microsoft.Automation/automationAccounts/connections",
+ "Microsoft.Automation/automationAccounts/certificates"
+ ]
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]"
+ }
+ }
+ }
+}
\ No newline at end of file
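Review bot: `"mode": "Indexed"` restricts evaluation to resource types that support tags and location, and several of the child types in the `in` list (variables, credentials, connections, certificates) probably do not, so the deny may never fire for them. `"mode": "All"` would cover every listed type; this is worth confirming with a test assignment before relying on the policy as a guardrail. The description could also state why these child resources are blocked, so that an operator who hits the denial knows which Automation Account it is meant to protect.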
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-AFSPaasPublicIP.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-AFSPaasPublicIP.json new file mode 100644 index 0000000..4549f2a --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-AFSPaasPublicIP.json 
@@ -0,0 +1,52 @@ +{ + "name": "Deny-AFSPaasPublicIP", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Public network access should be disabled for Azure File Sync", + "description": "Disabling the public endpoint allows you to restrict access to your Storage Sync Service resource to requests destined to approved private endpoints on your organization's network. There is nothing inherently insecure about allowing requests to the public endpoint, however, you may wish to disable it to meet regulatory, legal, or organizational policy requirements. You can disable the public endpoint for a Storage Sync Service by setting the incomingTrafficPolicy of the resource to AllowVirtualNetworksOnly.", + "metadata": { + "version": "1.0.0", + "category": "Storage", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureChinaCloud" + ] + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Audit" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.StorageSync/storageSyncServices" + }, + { + "field": "Microsoft.StorageSync/storageSyncServices/incomingTrafficPolicy", + "notEquals": "AllowVirtualNetworksOnly" + } + ] + }, + "then": { + "effect": "[parameters('effect')]" + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-AppGW-Without-WAF.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-AppGW-Without-WAF.json new file mode 100644 index 0000000..734e799 --- /dev/null 
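Review bot: The definition is named `Deny-AFSPaasPublicIP`, yet `defaultValue` for `effect` is `Audit`, so an assignment that does not override the parameter only reports non-compliant Storage Sync Services and blocks nothing. The Deny-KeyVaultPaasPublicIP hunk further down has the same default. If audit-by-default is intended, the description should say so, for example `Defaults to Audit; set effect to Deny to block.`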
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-AppGW-Without-WAF.json @@ -0,0 +1,54 @@ +{ + "name": "Deny-AppGW-Without-WAF", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Application Gateway should be deployed with WAF enabled", + "description": "This policy enables you to restrict that Application Gateways is always deployed with WAF enabled", + "metadata": { + "version": "1.0.0", + "category": "Network", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/applicationGateways" + }, + { + "field": "Microsoft.Network/applicationGateways/sku.name", + "notequals": "WAF_v2" + } + ] + }, + "then": { + "effect": "[parameters('effect')]" + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-AppServiceApiApp-http.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-AppServiceApiApp-http.json new file mode 100644 index 0000000..52ebe3c --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-AppServiceApiApp-http.json 
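Review bot: The rule tests only `sku.name` against `WAF_v2`, which shows that the gateway is on a WAF-capable SKU, not that the firewall is switched on or running in prevention mode, so the display name "deployed with WAF enabled" overstates what is enforced. Either add a condition on the gateway's WAF configuration or attached firewall policy (alias names to be confirmed against the provider), or reword the description to `requires the WAF_v2 SKU`. Gateways on the older `WAF` SKU are also denied by this comparison, which may or may not be intended.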
@@ -0,0 +1,58 @@ +{ + "name": "Deny-AppServiceApiApp-http", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "API App should only be accessible over HTTPS", + "description": "Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.", + "metadata": { + "version": "1.0.0", + "category": "App Service", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Web/sites" + }, + { + "field": "kind", + "like": "*api" + }, + { + "field": "Microsoft.Web/sites/httpsOnly", + "equals": "false" + } + ] + }, + "then": { + "effect": "[parameters('effect')]" + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-AppServiceFunctionApp-http.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-AppServiceFunctionApp-http.json new file mode 100644 index 0000000..8a83e5d --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-AppServiceFunctionApp-http.json 
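Review bot: The `httpsOnly` condition uses `"equals": "false"`, which does not match when the property is absent from the request, so a site deployed without an explicit `httpsOnly` may pass even though it is not HTTPS-only. `"notEquals": "true"` would treat a missing value as non-compliant; this should be confirmed with a test deployment. The same condition appears in the Function App and Web App hunks that follow. The three `kind` patterns (`*api`, `functionapp*`, `app*`) also leave any site whose kind matches none of them outside all three definitions.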
@@ -0,0 +1,58 @@ +{ + "name": "Deny-AppServiceFunctionApp-http", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Function App should only be accessible over HTTPS", + "description": "Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.", + "metadata": { + "version": "1.0.0", + "category": "App Service", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Web/sites" + }, + { + "field": "kind", + "like": "functionapp*" + }, + { + "field": "Microsoft.Web/sites/httpsOnly", + "equals": "false" + } + ] + }, + "then": { + "effect": "[parameters('effect')]" + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-AppServiceWebApp-http.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-AppServiceWebApp-http.json new file mode 100644 index 0000000..d72db78 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-AppServiceWebApp-http.json 
@@ -0,0 +1,58 @@ +{ + "name": "Deny-AppServiceWebApp-http", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Web Application should only be accessible over HTTPS", + "description": "Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.", + "metadata": { + "version": "1.0.0", + "category": "App Service", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Web/sites" + }, + { + "field": "kind", + "like": "app*" + }, + { + "field": "Microsoft.Web/sites/httpsOnly", + "equals": "false" + } + ] + }, + "then": { + "effect": "[parameters('effect')]" + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-Databricks-NoPublicIp.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-Databricks-NoPublicIp.json new file mode 100644 index 0000000..0030e2a --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-Databricks-NoPublicIp.json 
@@ -0,0 +1,52 @@ +{ + "name": "Deny-Databricks-NoPublicIp", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deny public IPs for Databricks cluster", + "description": "Denies the deployment of workspaces that do not use the noPublicIp feature to host Databricks clusters without public IPs.", + "metadata": { + "version": "1.0.0", + "category": "Databricks", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud" + ] + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ], + "defaultValue": "Deny" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Databricks/workspaces" + }, + { + "field": "Microsoft.DataBricks/workspaces/parameters.enableNoPublicIp.value", + "notEquals": true + } + ] + }, + "then": { + "effect": "[parameters('effect')]" + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-Databricks-Sku.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-Databricks-Sku.json new file mode 100644 index 0000000..8e404a8 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-Databricks-Sku.json 
@@ -0,0 +1,52 @@ +{ + "name": "Deny-Databricks-Sku", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deny non-premium Databricks sku", + "description": "Enforces the use of Premium Databricks workspaces to make sure appropriate security features are available including Databricks Access Controls, Credential Passthrough and SCIM provisioning for AAD.", + "metadata": { + "version": "1.0.0", + "category": "Databricks", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud" + ] + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ], + "defaultValue": "Deny" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Databricks/workspaces" + }, + { + "field": "Microsoft.DataBricks/workspaces/sku.name", + "notEquals": "premium" + } + ] + }, + "then": { + "effect": "[parameters('effect')]" + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-Databricks-VirtualNetwork.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-Databricks-VirtualNetwork.json new file mode 100644 index 0000000..7042d3a --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-Databricks-VirtualNetwork.json 
@@ -0,0 +1,64 @@ +{ + "name": "Deny-Databricks-VirtualNetwork", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deny Databricks workspaces without Vnet injection", + "description": "Enforces the use of vnet injection for Databricks workspaces.", + "metadata": { + "version": "1.0.0", + "category": "Databricks", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud" + ] + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ], + "defaultValue": "Deny" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Databricks/workspaces" + }, + { + "anyOf": [ + { + "field": "Microsoft.DataBricks/workspaces/parameters.customVirtualNetworkId.value", + "exists": false + }, + { + "field": "Microsoft.DataBricks/workspaces/parameters.customPublicSubnetName.value", + "exists": false + }, + { + "field": "Microsoft.DataBricks/workspaces/parameters.customPrivateSubnetName.value", + "exists": false + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]" + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-KeyVaultPaasPublicIP.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-KeyVaultPaasPublicIP.json new file mode 100644 index 0000000..e861ade --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-KeyVaultPaasPublicIP.json 
@@ -0,0 +1,59 @@ +{ + "name": "Deny-KeyVaultPaasPublicIP", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Preview: Azure Key Vault should disable public network access", + "description": "Disable public network access for your key vault so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/akvprivatelink.", + "metadata": { + "version": "2.0.0-preview", + "category": "Key Vault", + "source": "https://github.com/Azure/Enterprise-Scale/", + "preview": true, + "alzCloudEnvironments": [ + "AzureChinaCloud" + ] + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Audit" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.KeyVault/vaults" + }, + { + "not": { + "field": "Microsoft.KeyVault/vaults/createMode", + "equals": "recover" + } + }, + { + "field": "Microsoft.KeyVault/vaults/networkAcls.defaultAction", + "notEquals": "Deny" + } + ] + }, + "then": { + "effect": "[parameters('effect')]" + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-MachineLearning-Aks.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-MachineLearning-Aks.json new file mode 100644 index 0000000..49ce3ee --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-MachineLearning-Aks.json 
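Review bot: The rule checks `networkAcls.defaultAction`, the vault firewall's default, rather than a public-network-access setting, so a vault with `defaultAction` set to `Deny` and permissive IP rules still counts as compliant while remaining reachable from outside. The display name "should disable public network access" therefore promises more than the condition verifies. Either add checks on the vault's public network access property and IP rules (aliases to be confirmed), or describe it as `requires the firewall default action to be Deny`. The `createMode` `recover` exemption also deserves a sentence in the description, since recovered vaults skip this check.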
@@ -0,0 +1,64 @@ +{ + "name": "Deny-MachineLearning-Aks", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deny AKS cluster creation in Azure Machine Learning", + "description": "Deny AKS cluster creation in Azure Machine Learning and enforce connecting to existing clusters.", + "metadata": { + "version": "1.0.0", + "category": "Machine Learning", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud" + ] + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ], + "defaultValue": "Deny" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.MachineLearningServices/workspaces/computes" + }, + { + "field": "Microsoft.MachineLearningServices/workspaces/computes/computeType", + "equals": "AKS" + }, + { + "anyOf": [ + { + "field": "Microsoft.MachineLearningServices/workspaces/computes/resourceId", + "exists": false + }, + { + "value": "[empty(field('Microsoft.MachineLearningServices/workspaces/computes/resourceId'))]", + "equals": true + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]" + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-MachineLearning-Compute-SubnetId.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-MachineLearning-Compute-SubnetId.json new file mode 100644 index 0000000..bec5271 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-MachineLearning-Compute-SubnetId.json 
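Review bot: This definition uses `"mode": "Indexed"` for `Microsoft.MachineLearningServices/workspaces/computes`, while the RemoteLoginPortPublicAccess definition later in the patch targets the same type with `"mode": "All"` at version 1.1.0. If that bump was made because computes were not being evaluated under Indexed, the same gap would apply here and in the Compute-SubnetId and Compute-VmSize hunks. Aligning all four on `"mode": "All"`, or noting in the description why they differ, would remove the doubt.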
@@ -0,0 +1,67 @@ +{ + "name": "Deny-MachineLearning-Compute-SubnetId", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Enforce subnet connectivity for Azure Machine Learning compute clusters and compute instances", + "description": "Enforce subnet connectivity for Azure Machine Learning compute clusters and compute instances.", + "metadata": { + "version": "1.0.0", + "category": "Machine Learning", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud" + ] + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ], + "defaultValue": "Deny" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.MachineLearningServices/workspaces/computes" + }, + { + "field": "Microsoft.MachineLearningServices/workspaces/computes/computeType", + "in": [ + "AmlCompute", + "ComputeInstance" + ] + }, + { + "anyOf": [ + { + "field": "Microsoft.MachineLearningServices/workspaces/computes/subnet.id", + "exists": false + }, + { + "value": "[empty(field('Microsoft.MachineLearningServices/workspaces/computes/subnet.id'))]", + "equals": true + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]" + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-MachineLearning-Compute-VmSize.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-MachineLearning-Compute-VmSize.json new file mode 100644 index 0000000..3574f72 --- /dev/null 
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-MachineLearning-Compute-VmSize.json 
@@ -0,0 +1,148 @@ +{ + "name": "Deny-MachineLearning-Compute-VmSize", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Limit allowed vm sizes for Azure Machine Learning compute clusters and compute instances", + "description": "Limit allowed vm sizes for Azure Machine Learning compute clusters and compute instances.", + "metadata": { + "version": "1.0.0", + "category": "Budget", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud" + ] + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ], + "defaultValue": "Deny" + }, + "allowedVmSizes": { + "type": "Array", + "metadata": { + "displayName": "Allowed VM Sizes for Aml Compute Clusters and Instances", + "description": "Specifies the allowed VM Sizes for Aml Compute Clusters and Instances" + }, + "defaultValue": [ + "Standard_D1_v2", + "Standard_D2_v2", + "Standard_D3_v2", + "Standard_D4_v2", + "Standard_D11_v2", + "Standard_D12_v2", + "Standard_D13_v2", + "Standard_D14_v2", + "Standard_DS1_v2", + "Standard_DS2_v2", + "Standard_DS3_v2", + "Standard_DS4_v2", + "Standard_DS5_v2", + "Standard_DS11_v2", + "Standard_DS12_v2", + "Standard_DS13_v2", + "Standard_DS14_v2", + "Standard_M8-2ms", + "Standard_M8-4ms", + "Standard_M8ms", + "Standard_M16-4ms", + "Standard_M16-8ms", + "Standard_M16ms", + "Standard_M32-8ms", + "Standard_M32-16ms", + "Standard_M32ls", + "Standard_M32ms", + "Standard_M32ts", + "Standard_M64-16ms", + "Standard_M64-32ms", + "Standard_M64ls", + "Standard_M64ms", + "Standard_M64s", + "Standard_M128-32ms", + "Standard_M128-64ms", + "Standard_M128ms", + "Standard_M128s", + "Standard_M64", + "Standard_M64m", + "Standard_M128", + "Standard_M128m", + 
"Standard_D1", + "Standard_D2", + "Standard_D3", + "Standard_D4", + "Standard_D11", + "Standard_D12", + "Standard_D13", + "Standard_D14", + "Standard_DS15_v2", + "Standard_NV6", + "Standard_NV12", + "Standard_NV24", + "Standard_F2s_v2", + "Standard_F4s_v2", + "Standard_F8s_v2", + "Standard_F16s_v2", + "Standard_F32s_v2", + "Standard_F64s_v2", + "Standard_F72s_v2", + "Standard_NC6s_v3", + "Standard_NC12s_v3", + "Standard_NC24rs_v3", + "Standard_NC24s_v3", + "Standard_NC6", + "Standard_NC12", + "Standard_NC24", + "Standard_NC24r", + "Standard_ND6s", + "Standard_ND12s", + "Standard_ND24rs", + "Standard_ND24s", + "Standard_NC6s_v2", + "Standard_NC12s_v2", + "Standard_NC24rs_v2", + "Standard_NC24s_v2", + "Standard_ND40rs_v2", + "Standard_NV12s_v3", + "Standard_NV24s_v3", + "Standard_NV48s_v3" + ] + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.MachineLearningServices/workspaces/computes" + }, + { + "field": "Microsoft.MachineLearningServices/workspaces/computes/computeType", + "in": [ + "AmlCompute", + "ComputeInstance" + ] + }, + { + "field": "Microsoft.MachineLearningServices/workspaces/computes/vmSize", + "notIn": "[parameters('allowedVmSizes')]" + } + ] + }, + "then": { + "effect": "[parameters('effect')]" + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-MachineLearning-ComputeCluster-RemoteLoginPortPublicAccess.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-MachineLearning-ComputeCluster-RemoteLoginPortPublicAccess.json new file mode 100644 index 0000000..32bd426 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-MachineLearning-ComputeCluster-RemoteLoginPortPublicAccess.json 
@@ -0,0 +1,64 @@ +{ + "name": "Deny-MachineLearning-ComputeCluster-RemoteLoginPortPublicAccess", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "All", + "displayName": "Deny public access of Azure Machine Learning clusters via SSH", + "description": "Deny public access of Azure Machine Learning clusters via SSH.", + "metadata": { + "version": "1.1.0", + "category": "Machine Learning", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud" + ] + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ], + "defaultValue": "Deny" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.MachineLearningServices/workspaces/computes" + }, + { + "field": "Microsoft.MachineLearningServices/workspaces/computes/computeType", + "equals": "AmlCompute" + }, + { + "anyOf": [ + { + "field": "Microsoft.MachineLearningServices/workspaces/computes/remoteLoginPortPublicAccess", + "exists": false + }, + { + "field": "Microsoft.MachineLearningServices/workspaces/computes/remoteLoginPortPublicAccess", + "notEquals": "Disabled" + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]" + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-MachineLearning-ComputeCluster-Scale.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-MachineLearning-ComputeCluster-Scale.json new file mode 100644 index 0000000..3e28551 --- /dev/null 
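Review bot: The `alzCloudEnvironments` metadata in this definition lists only `"AzureCloud"`, although the file is added under `lib/china/policy_definitions/` with the `es_mc_` prefix. The other Machine Learning definitions added beside it (ComputeCluster-Scale, HbiWorkspace, PublicAccessWhenBehindVnet, PublicNetworkAccess) do the same, while the MySql, PostgreSql, Redis and Storage definitions in the same folder list `"AzureChinaCloud"`. If deployment tooling filters on this metadata (not visible in the hunk), these controls may be skipped in the sovereign cloud. Either add `"AzureChinaCloud"` after confirming the aliases exist there, or drop the files from the china library so the folder does not suggest coverage it does not provide.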
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-MachineLearning-ComputeCluster-Scale.json 
@@ -0,0 +1,92 @@ +{ + "name": "Deny-MachineLearning-ComputeCluster-Scale", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Enforce scale settings for Azure Machine Learning compute clusters", + "description": "Enforce scale settings for Azure Machine Learning compute clusters.", + "metadata": { + "version": "1.0.0", + "category": "Budget", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud" + ] + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ], + "defaultValue": "Deny" + }, + "maxNodeCount": { + "type": "Integer", + "metadata": { + "displayName": "Maximum Node Count", + "description": "Specifies the maximum node count of AML Clusters" + }, + "defaultValue": 10 + }, + "minNodeCount": { + "type": "Integer", + "metadata": { + "displayName": "Minimum Node Count", + "description": "Specifies the minimum node count of AML Clusters" + }, + "defaultValue": 0 + }, + "maxNodeIdleTimeInSecondsBeforeScaleDown": { + "type": "Integer", + "metadata": { + "displayName": "Maximum Node Idle Time in Seconds Before Scaledown", + "description": "Specifies the maximum node idle time in seconds before scaledown" + }, + "defaultValue": 900 + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.MachineLearningServices/workspaces/computes" + }, + { + "field": "Microsoft.MachineLearningServices/workspaces/computes/computeType", + "equals": "AmlCompute" + }, + { + "anyOf": [ + { + "field": "Microsoft.MachineLearningServices/workspaces/computes/scaleSettings.maxNodeCount", + "greater": "[parameters('maxNodeCount')]" + }, + { + "field": 
"Microsoft.MachineLearningServices/workspaces/computes/scaleSettings.minNodeCount", + "greater": "[parameters('minNodeCount')]" + }, + { + "value": "[int(last(split(replace(replace(replace(replace(replace(replace(replace(field('Microsoft.MachineLearningServices/workspaces/computes/scaleSettings.nodeIdleTimeBeforeScaleDown'), 'P', '/'), 'Y', '/'), 'M', '/'), 'D', '/'), 'T', '/'), 'H', '/'), 'S', ''), '/')))]", + "greater": "[parameters('maxNodeIdleTimeInSecondsBeforeScaleDown')]" + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]" + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-MachineLearning-HbiWorkspace.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-MachineLearning-HbiWorkspace.json new file mode 100644 index 0000000..f7e0aa8 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-MachineLearning-HbiWorkspace.json 
@@ -0,0 +1,60 @@ +{ + "name": "Deny-MachineLearning-HbiWorkspace", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Enforces high business impact Azure Machine Learning Workspaces", + "description": "Enforces high business impact Azure Machine Learning workspaces.", + "metadata": { + "version": "1.0.0", + "category": "Machine Learning", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud" + ] + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ], + "defaultValue": "Deny" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.MachineLearningServices/workspaces" + }, + { + "anyOf": [ + { + "field": "Microsoft.MachineLearningServices/workspaces/hbiWorkspace", + "exists": false + }, + { + "field": "Microsoft.MachineLearningServices/workspaces/hbiWorkspace", + "notEquals": true + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]" + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-MachineLearning-PublicAccessWhenBehindVnet.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-MachineLearning-PublicAccessWhenBehindVnet.json new file mode 100644 index 0000000..808062f --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-MachineLearning-PublicAccessWhenBehindVnet.json 
@@ -0,0 +1,60 @@ +{ + "name": "Deny-MachineLearning-PublicAccessWhenBehindVnet", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deny public acces behind vnet to Azure Machine Learning workspace", + "description": "Deny public access behind vnet to Azure Machine Learning workspaces.", + "metadata": { + "version": "1.0.0", + "category": "Machine Learning", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud" + ] + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ], + "defaultValue": "Deny" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.MachineLearningServices/workspaces" + }, + { + "anyOf": [ + { + "field": "Microsoft.MachineLearningServices/workspaces/allowPublicAccessWhenBehindVnet", + "exists": false + }, + { + "field": "Microsoft.MachineLearningServices/workspaces/allowPublicAccessWhenBehindVnet", + "notEquals": false + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]" + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-MachineLearning-PublicNetworkAccess.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-MachineLearning-PublicNetworkAccess.json new file mode 100644 index 0000000..96bdd75 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-MachineLearning-PublicNetworkAccess.json 
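Review bot: The `displayName` in this definition reads "Deny public acces behind vnet to Azure Machine Learning workspace", while the `description` spells it correctly. The display name is what operators see in the portal and in compliance reports, so it should read `"displayName": "Deny public access behind vnet to Azure Machine Learning workspace"`.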
@@ -0,0 +1,52 @@
+{
+ "name": "Deny-MachineLearning-PublicNetworkAccess",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "mode": "Indexed",
+ "displayName": "Azure Machine Learning should have disabled public network access",
+ "description": "Denies public network access for Azure Machine Learning workspaces.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Machine Learning",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud"
+ ]
+ },
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ },
+ "allowedValues": [
+ "Audit",
+ "Disabled",
+ "Deny"
+ ],
+ "defaultValue": "Deny"
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.MachineLearningServices/workspaces"
+ },
+ {
+ "field": "Microsoft.MachineLearningServices/workspaces/publicNetworkAccess",
+ "notEquals": "Disabled"
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]"
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-MySql-http.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-MySql-http.json
new file mode 100644
index 0000000..a8da043
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-MySql-http.json
@@ -0,0 +1,80 @@ +{ + "name": "Deny-MySql-http", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "MySQL database servers enforce SSL connections.", + "description": "Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.", + "metadata": { + "version": "1.0.0", + "category": "SQL", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "minimalTlsVersion": { + "type": "String", + "defaultValue": "TLS1_2", + "allowedValues": [ + "TLS1_2", + "TLS1_0", + "TLS1_1", + "TLSEnforcementDisabled" + ], + "metadata": { + "displayName": "Select version minimum TLS for MySQL server", + "description": "Select version minimum TLS version Azure Database for MySQL server to enforce" + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.DBforMySQL/servers" + }, + { + "anyOf": [ + { + "field": "Microsoft.DBforMySQL/servers/sslEnforcement", + "exists": "false" + }, + { + "field": "Microsoft.DBforMySQL/servers/sslEnforcement", + "notEquals": "Enabled" + }, + { + "field": "Microsoft.DBforMySQL/servers/minimalTlsVersion", + "notequals": "[parameters('minimalTlsVersion')]" + } + ] + } + ] 
+ }, + "then": { + "effect": "[parameters('effect')]" + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-PostgreSql-http.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-PostgreSql-http.json new file mode 100644 index 0000000..fb396d6 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-PostgreSql-http.json 
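Review bot: The `minimalTlsVersion` clause uses `notequals` against the parameter, so it enforces an exact version rather than a minimum, and `allowedValues` lets an assignment pick `TLS1_0`, `TLS1_1` or `TLSEnforcementDisabled`. An assignment set to one of those would deny servers running TLS 1.2 and accept only the weaker setting, which contradicts the definition's description. The same exact-match pattern with downgrade values appears in the Deny-PostgreSql-http, Deny-Redis-http, Deny-Sql-minTLS, Deny-SqlMi-minTLS and Deny-Storage-minTLS hunks. Consider restricting the parameter, e.g. `"allowedValues": ["TLS1_2"]`, or testing the field with `notIn` against the list of acceptable versions.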
@@ -0,0 +1,80 @@ +{ + "name": "Deny-PostgreSql-http", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "PostgreSQL database servers enforce SSL connection.", + "description": "Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.", + "metadata": { + "version": "1.0.1", + "category": "SQL", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "minimalTlsVersion": { + "type": "String", + "defaultValue": "TLS1_2", + "allowedValues": [ + "TLS1_2", + "TLS1_0", + "TLS1_1", + "TLSEnforcementDisabled" + ], + "metadata": { + "displayName": "Select version minimum TLS for MySQL server", + "description": "Select version minimum TLS version Azure Database for MySQL server to enforce" + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.DBforPostgreSQL/servers" + }, + { + "anyOf": [ + { + "field": "Microsoft.DBforPostgreSQL/servers/sslEnforcement", + "exists": "false" + }, + { + "field": "Microsoft.DBforPostgreSQL/servers/sslEnforcement", + "notEquals": "Enabled" + }, + { + "field": "Microsoft.DBforPostgreSQL/servers/minimalTlsVersion", + "notequals": 
"[parameters('minimalTlsVersion')]" + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]" + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-Private-DNS-Zones.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-Private-DNS-Zones.json new file mode 100644 index 0000000..643df1d --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-Private-DNS-Zones.json @@ -0,0 +1,46 @@ +{ + "name": "Deny-Private-DNS-Zones", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deny the creation of private DNS", + "description": "This policy denies the creation of a private DNS in the current scope, used in combination with policies that create centralized private DNS in connectivity subscription", + "metadata": { + "version": "1.0.0", + "category": "Network", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Network/privateDnsZones" + }, + "then": { + "effect": "[parameters('effect')]" + } + } + } +} \ No newline at end of file 
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-PublicEndpoint-MariaDB.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-PublicEndpoint-MariaDB.json
new file mode 100644
index 0000000..529c196
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-PublicEndpoint-MariaDB.json
@@ -0,0 +1,54 @@
+{
+ "name": "Deny-PublicEndpoint-MariaDB",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "mode": "Indexed",
+ "displayName": "Public network access should be disabled for MariaDB",
+ "description": "This policy denies the creation of Maria DB accounts with exposed public endpoints",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "SQL",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "defaultValue": "Deny",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.DBforMariaDB/servers"
+ },
+ {
+ "field": "Microsoft.DBforMariaDB/servers/publicNetworkAccess",
+ "notequals": "Disabled"
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]"
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-PublicIP.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-PublicIP.json
new file mode 100644
index 0000000..cd073a1
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-PublicIP.json
@@ -0,0 +1,46 @@
+{
+ "name": "Deny-PublicIP",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "mode": "Indexed",
+ "displayName": "Deny the creation of public IP",
+ "description": "This policy denies creation of Public IPs under the assigned scope.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Network",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "defaultValue": "Deny",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ }
+ },
+ "policyRule": {
+ "if": {
+ "field": "type",
+ "equals": "Microsoft.Network/publicIPAddresses"
+ },
+ "then": {
+ "effect": "[parameters('effect')]"
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-RDP-From-Internet.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-RDP-From-Internet.json
new file mode 100644
index 0000000..13ee18a
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-RDP-From-Internet.json
@@ -0,0 +1,124 @@ +{ + "name": "Deny-RDP-From-Internet", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "All", + "displayName": "RDP access from the Internet should be blocked", + "description": "This policy denies any network security rule that allows RDP access from Internet", + "metadata": { + "version": "1.0.0", + "category": "Network", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/networkSecurityGroups/securityRules" + }, + { + "allOf": [ + { + "field": "Microsoft.Network/networkSecurityGroups/securityRules/access", + "equals": "Allow" + }, + { + "field": "Microsoft.Network/networkSecurityGroups/securityRules/direction", + "equals": "Inbound" + }, + { + "anyOf": [ + { + "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange", + "equals": "*" + }, + { + "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange", + "equals": "3389" + }, + { + "value": "[if(and(not(empty(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'))), contains(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'),'-')), and(lessOrEquals(int(first(split(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'), '-'))),3389),greaterOrEquals(int(last(split(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'), '-'))),3389)), 'false')]", + "equals": "true" + }, 
+ { + "count": { + "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]", + "where": { + "value": "[if(and(not(empty(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')))), contains(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')),'-')), and(lessOrEquals(int(first(split(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')), '-'))),3389),greaterOrEquals(int(last(split(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')), '-'))),3389)) , 'false')]", + "equals": "true" + } + }, + "greater": 0 + }, + { + "not": { + "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]", + "notEquals": "*" + } + }, + { + "not": { + "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]", + "notEquals": "3389" + } + } + ] + }, + { + "anyOf": [ + { + "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix", + "equals": "*" + }, + { + "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix", + "equals": "Internet" + }, + { + "not": { + "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]", + "notEquals": "*" + } + }, + { + "not": { + "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]", + "notEquals": "Internet" + } + } + ] + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]" + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-Redis-http.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-Redis-http.json new file mode 100644 index 0000000..73d491a --- /dev/null 
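Review bot: The source-side `anyOf` only matches the literal values `*` and `Internet` in `sourceAddressPrefix` and `sourceAddressPrefixes[*]`. An inbound allow rule for 3389 whose source is written as a CIDR covering the whole address space, such as `0.0.0.0/0`, is not flagged even though it has the same reach. Adding a clause such as `{ "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix", "equals": "0.0.0.0/0" }`, with the matching `sourceAddressPrefixes[*]` form, would close the most common variant. The rule also targets only the `securityRules` child resource type. It appears that rules declared inline in a network security group's own properties are not evaluated by this definition, which is worth confirming and documenting in the `description`.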
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-Redis-http.json 
@@ -0,0 +1,75 @@
+{
+ "name": "Deny-Redis-http",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "mode": "Indexed",
+ "displayName": "Azure Cache for Redis only secure connections should be enabled",
+ "description": "Audit enabling of only connections via SSL to Azure Cache for Redis. Validate both minimum TLS version and enableNonSslPort is disabled. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Cache",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect",
+ "description": "The effect determines what happens when the policy rule is evaluated to match"
+ }
+ },
+ "minimumTlsVersion": {
+ "type": "String",
+ "defaultValue": "1.2",
+ "allowedValues": [
+ "1.2",
+ "1.1",
+ "1.0"
+ ],
+ "metadata": {
+ "displayName": "Select minumum TLS version for Azure Cache for Redis.",
+ "description": "Select minimum TLS version for Azure Cache for Redis."
+ }
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Cache/redis"
+ },
+ {
+ "anyOf": [
+ {
+ "field": "Microsoft.Cache/Redis/enableNonSslPort",
+ "equals": "true"
+ },
+ {
+ "field": "Microsoft.Cache/Redis/minimumTlsVersion",
+ "notequals": "[parameters('minimumTlsVersion')]"
+ }
+ ]
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]"
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-Sql-minTLS.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-Sql-minTLS.json
new file mode 100644
index 0000000..f859443
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-Sql-minTLS.json
@@ -0,0 +1,75 @@
+{
+ "name": "Deny-Sql-minTLS",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "mode": "Indexed",
+ "displayName": "Azure SQL Database should have the minimal TLS version set to the highest version",
+ "description": "Setting minimal TLS version to 1.2 improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not reccomended since they have well documented security vunerabilities.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "SQL",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ },
+ "allowedValues": [
+ "Audit",
+ "Disabled",
+ "Deny"
+ ],
+ "defaultValue": "Audit"
+ },
+ "minimalTlsVersion": {
+ "type": "String",
+ "defaultValue": "1.2",
+ "allowedValues": [
+ "1.2",
+ "1.1",
+ "1.0"
+ ],
+ "metadata": {
+ "displayName": "Select version for SQL server",
+ "description": "Select version minimum TLS version SQL servers to enforce"
+ }
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Sql/servers"
+ },
+ {
+ "anyOf": [
+ {
+ "field": "Microsoft.Sql/servers/minimalTlsVersion",
+ "exists": "false"
+ },
+ {
+ "field": "Microsoft.Sql/servers/minimalTlsVersion",
+ "notequals": "[parameters('minimalTlsVersion')]"
+ }
+ ]
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]"
+ }
+ }
+ }
+}
\ No newline at end of file
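Review bot: The `effect` parameter in this definition defaults to `"Audit"` although the definition is named `Deny-Sql-minTLS`, and the neighbouring Deny-* definitions in this commit default to `"Deny"`. An assignment that does not set `effect` explicitly will only report non-compliant servers, which is easy to miss given the name. The Deny-SqlMi-minTLS hunk has the same default. Either use `"defaultValue": "Deny"` for consistency or state the audit-by-default behaviour in the `description`. The description also misspells "recommended" and "vulnerabilities".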
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-SqlMi-minTLS.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-SqlMi-minTLS.json new file mode 100644 index 0000000..951d1ac --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-SqlMi-minTLS.json 
@@ -0,0 +1,75 @@ +{ + "name": "Deny-SqlMi-minTLS", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "SQL Managed Instance should have the minimal TLS version set to the highest version", + "description": "Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not reccomended since they have well documented security vunerabilities.", + "metadata": { + "version": "1.0.0", + "category": "SQL", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ], + "defaultValue": "Audit" + }, + "minimalTlsVersion": { + "type": "String", + "defaultValue": "1.2", + "allowedValues": [ + "1.2", + "1.1", + "1.0" + ], + "metadata": { + "displayName": "Select version for SQL server", + "description": "Select version minimum TLS version SQL servers to enforce" + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Sql/managedInstances" + }, + { + "anyOf": [ + { + "field": "Microsoft.Sql/managedInstances/minimalTlsVersion", + "exists": "false" + }, + { + "field": "Microsoft.Sql/managedInstances/minimalTlsVersion", + "notequals": "[parameters('minimalTlsVersion')]" + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]" + } + } + } +} \ No newline at end of file 
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-Storage-minTLS.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-Storage-minTLS.json new file mode 100644 index 0000000..5b10d48 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-Storage-minTLS.json 
@@ -0,0 +1,91 @@ +{ + "name": "Deny-Storage-minTLS", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Storage Account set to minimum TLS and Secure transfer should be enabled", + "description": "Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking", + "metadata": { + "version": "1.0.0", + "category": "Storage", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "The effect determines what happens when the policy rule is evaluated to match" + } + }, + "minimumTlsVersion": { + "type": "String", + "defaultValue": "TLS1_2", + "allowedValues": [ + "TLS1_2", + "TLS1_1", + "TLS1_0" + ], + "metadata": { + "displayName": "Storage Account select minimum TLS version", + "description": "Select version minimum TLS version on Azure Storage Account to enforce" + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Storage/storageAccounts" + }, + { + "anyOf": [ + { + "allOf": [ + { + "value": "[requestContext().apiVersion]", + "less": "2019-04-01" + }, + { + "field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly", + "exists": "false" + } + ] + }, + { + "field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly", + "equals": "false" + }, + { + "field": 
"Microsoft.Storage/storageAccounts/minimumTlsVersion", + "notequals": "[parameters('minimumTlsVersion')]" + }, + { + "field": "Microsoft.Storage/storageAccounts/minimumTlsVersion", + "exists": "false" + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]" + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-Subnet-Without-Nsg.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-Subnet-Without-Nsg.json new file mode 100644 index 0000000..73ec47e --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-Subnet-Without-Nsg.json 
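Review bot: The `description` covers only secure transfer and opens with "Audit requirement", but the rule also matches on `minimumTlsVersion` and `effect` defaults to `"Deny"`, so the text shown to operators understates what the policy enforces. I would reword it along the lines of `"description": "Requires secure transfer (HTTPS only) and the selected minimum TLS version on storage accounts; non-compliant accounts are audited or denied according to the effect parameter."`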
@@ -0,0 +1,100 @@ +{ + "name": "Deny-Subnet-Without-Nsg", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "All", + "displayName": "Subnets should have a Network Security Group", + "description": "This policy denies the creation of a subnet without a Network Security Group. NSG help to protect traffic across subnet-level.", + "metadata": { + "version": "2.0.0", + "category": "Network", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "excludedSubnets": { + "type": "Array", + "metadata": { + "displayName": "Excluded Subnets", + "description": "Array of subnet names that are excluded from this policy" + }, + "defaultValue": [ + "GatewaySubnet", + "AzureFirewallSubnet", + "AzureFirewallManagementSubnet" + ] + } + }, + "policyRule": { + "if": { + "anyOf": [ + { + "allOf": [ + { + "equals": "Microsoft.Network/virtualNetworks", + "field": "type" + }, + { + "count": { + "field": "Microsoft.Network/virtualNetworks/subnets[*]", + "where": { + "allOf": [ + { + "exists": "false", + "field": "Microsoft.Network/virtualNetworks/subnets[*].networkSecurityGroup.id" + }, + { + "field": "Microsoft.Network/virtualNetworks/subnets[*].name", + "notIn": "[parameters('excludedSubnets')]" + } + ] + } + }, + "notEquals": 0 + } + ] + }, + { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/virtualNetworks/subnets" + }, + { + "field": "name", + "notIn": "[parameters('excludedSubnets')]" + }, + { + "field": "Microsoft.Network/virtualNetworks/subnets/networkSecurityGroup.id", + "exists": "false" + } + ] + } + ] + }, 
+ "then": { + "effect": "[parameters('effect')]" + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-Subnet-Without-Udr.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-Subnet-Without-Udr.json new file mode 100644 index 0000000..7bc81d0 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-Subnet-Without-Udr.json 
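Review bot: `excludedSubnets` exempts a subnet purely by its name (`"field": "name"` and `subnets[*].name` with `notIn`), so any value an assignment adds beyond the platform-reserved defaults exempts every subnet carrying that name in every VNet under the assigned scope. The parameter description should say so, e.g. `"description": "Array of subnet names that are excluded from this policy. Matching is by name only, so list only platform-reserved subnet names."` The same applies to `excludedSubnets` in the Deny-Subnet-Without-Udr hunk.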
@@ -0,0 +1,98 @@ +{ + "name": "Deny-Subnet-Without-Udr", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "All", + "displayName": "Subnets should have a User Defined Route", + "description": "This policy denies the creation of a subnet without a User Defined Route (UDR).", + "metadata": { + "version": "2.0.0", + "category": "Network", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny" + }, + "excludedSubnets": { + "type": "Array", + "metadata": { + "displayName": "Excluded Subnets", + "description": "Array of subnet names that are excluded from this policy" + }, + "defaultValue": [ + "AzureBastionSubnet" + ] + } + }, + "policyRule": { + "if": { + "anyOf": [ + { + "allOf": [ + { + "equals": "Microsoft.Network/virtualNetworks", + "field": "type" + }, + { + "count": { + "field": "Microsoft.Network/virtualNetworks/subnets[*]", + "where": { + "allOf": [ + { + "exists": "false", + "field": "Microsoft.Network/virtualNetworks/subnets[*].routeTable.id" + }, + { + "field": "Microsoft.Network/virtualNetworks/subnets[*].name", + "notIn": "[parameters('excludedSubnets')]" + } + ] + } + }, + "notEquals": 0 + } + ] + }, + { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/virtualNetworks/subnets" + }, + { + "field": "name", + "notIn": "[parameters('excludedSubnets')]" + }, + { + "field": "Microsoft.Network/virtualNetworks/subnets/routeTable.id", + "exists": "false" + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]" + } + } + } +} \ No newline at end of file 
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-VNET-Peer-Cross-Sub.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-VNET-Peer-Cross-Sub.json
new file mode 100644
index 0000000..d9d6dd8
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-VNET-Peer-Cross-Sub.json
@@ -0,0 +1,54 @@
+{
+ "name": "Deny-VNET-Peer-Cross-Sub",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "mode": "All",
+ "displayName": "Deny vNet peering cross subscription.",
+ "description": "This policy denies the creation of vNet Peerings outside of the same subscriptions under the assigned scope.",
+ "metadata": {
+ "version": "1.0.1",
+ "category": "Network",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ },
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "defaultValue": "Deny"
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings"
+ },
+ {
+ "field": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/remoteVirtualNetwork.id",
+ "notcontains": "[subscription().id]"
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]"
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-VNET-Peering-To-Non-Approved-VNETs.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-VNET-Peering-To-Non-Approved-VNETs.json
new file mode 100644
index 0000000..e7f4e9f
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-VNET-Peering-To-Non-Approved-VNETs.json
@@ -0,0 +1,88 @@ +{ + "name": "Deny-VNET-Peering-To-Non-Approved-VNETs", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "All", + "displayName": "Deny vNet peering to non-approved vNets", + "description": "This policy denies the creation of vNet Peerings to non-approved vNets under the assigned scope.", + "metadata": { + "version": "1.0.0", + "category": "Network", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny" + }, + "allowedVnets": { + "type": "Array", + "metadata": { + "displayName": "Allowed vNets to peer with", + "description": "Array of allowed vNets that can be peered with. Must be entered using their resource ID. 
Example: /subscriptions/{subId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{vnetName}" + }, + "defaultValue": [] + } + }, + "policyRule": { + "if": { + "anyOf": [ + { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings" + }, + { + "not": { + "field": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/remoteVirtualNetwork.id", + "in": "[parameters('allowedVnets')]" + } + } + ] + }, + { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/virtualNetworks" + }, + { + "not": { + "field": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings[*].remoteVirtualNetwork.id", + "in": "[parameters('allowedVnets')]" + } + }, + { + "not": { + "field": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings[*].remoteVirtualNetwork.id", + "exists": false + } + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]" + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-VNet-Peering.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-VNet-Peering.json new file mode 100644 index 0000000..bf1536f --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-VNet-Peering.json 
@@ -0,0 +1,46 @@ +{ + "name": "Deny-VNet-Peering", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "All", + "displayName": "Deny vNet peering ", + "description": "This policy denies the creation of vNet Peerings under the assigned scope.", + "metadata": { + "version": "1.0.1", + "category": "Network", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings" + }, + "then": { + "effect": "[parameters('effect')]" + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-ASC-SecurityContacts.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-ASC-SecurityContacts.json new file mode 100644 index 0000000..073ac31 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-ASC-SecurityContacts.json 
@@ -0,0 +1,129 @@ +{ + "name": "Deploy-ASC-SecurityContacts", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "All", + "displayName": "Deploy Azure Security Center Security Contacts", + "description": "Deploy Azure Security Center Security Contacts", + "metadata": { + "version": "1.0.0", + "category": "Security Center", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "emailSecurityContact": { + "type": "string", + "metadata": { + "displayName": "Security contacts email address", + "description": "Provide email address for Azure Security Center contact details" + } + }, + "effect": { + "type": "string", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Resources/subscriptions" + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Security/securityContacts", + "deploymentScope": "subscription", + "existenceScope": "subscription", + "roleDefinitionIds": [ + "/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd" + ], + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Security/securityContacts/email", + "contains": "[parameters('emailSecurityContact')]" + }, + { + "field": "type", + "equals": "Microsoft.Security/securityContacts" + }, + { + "field": "Microsoft.Security/securityContacts/alertNotifications", + "equals": "On" + }, + { + "field": "Microsoft.Security/securityContacts/alertsToAdmins", + "equals": "On" + } + ] + }, + "deployment": { + "location": "northeurope", + "properties": { + 
"mode": "incremental", + "parameters": { + "emailSecurityContact": { + "value": "[parameters('emailSecurityContact')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "emailSecurityContact": { + "type": "string", + "metadata": { + "description": "Security contacts email address" + } + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Security/securityContacts", + "name": "default", + "apiVersion": "2020-01-01-preview", + "properties": { + "emails": "[parameters('emailSecurityContact')]", + "notificationsByRole": { + "state": "On", + "roles": [ + "Owner" + ] + }, + "alertNotifications": { + "state": "On", + "minimalSeverity": "High" + } + } + } + ], + "outputs": {} + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-ActivityLogs-to-LA-workspace.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-ActivityLogs-to-LA-workspace.json new file mode 100644 index 0000000..4cd913b --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-ActivityLogs-to-LA-workspace.json 
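Review bot: `"location": "northeurope"` is hard-coded for the subscription-scope deployment although this file sits under `lib/china/` and lists `AzureChinaCloud` in `alzCloudEnvironments`; if that region is not available in the target cloud the remediation fails and no security contact is ever registered, which leaves Security Center alerts without a recipient. The Deploy-ActivityLogs-to-LA-workspace definition in this commit uses `"location": "chinaeast2"`, and I would do the same here; the Deploy-Budget and Deploy-DDoSProtection hunks carry the same `northeurope` value. It is also worth confirming that the `existenceCondition` fields (`email`, `alertNotifications`, `alertsToAdmins` compared with `"On"`) still evaluate against the `2020-01-01-preview` resource shape the template writes (`emails`, `notificationsByRole`, `alertNotifications.state`); if they do not, the subscription would stay non-compliant after remediation.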
@@ -0,0 +1,158 @@ +{ + "name": "Deploy-ActivityLogs-to-LA-workspace", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "All", + "displayName": "Configure Azure Activity logs to stream to specified Log Analytics workspace", + "description": "Deploys the diagnostic settings for Azure Activity to stream subscriptions audit logs to a Log Analytics workspace to monitor subscription-level events", + "metadata": { + "version": "1.0.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureChinaCloud" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Primary Log Analytics workspace", + "description": "If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace", + "assignPermissions": true + } + }, + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists" + }, + "logsEnabled": { + "type": "String", + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + }, + "allowedValues": [ + "True", + "False" + ], + "defaultValue": "True" + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Resources/subscriptions" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "deploymentScope": "subscription", + "existenceScope": "subscription", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + 
"equals": "[parameters('logsEnabled')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "deployment": { + "location": "chinaeast2", + "properties": { + "mode": "incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "logAnalytics": { + "type": "string" + }, + "logsEnabled": { + "type": "string" + } + }, + "variables": {}, + "resources": [ + { + "name": "subscriptionToLa", + "type": "Microsoft.Insights/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "location": "Global", + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "logs": [ + { + "category": "Administrative", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "Security", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "ServiceHealth", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "Alert", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "Recommendation", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "Policy", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "Autoscale", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "ResourceHealth", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ] + } + } + } + } +} \ No newline at end of file 
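Review bot: The `existenceCondition` checks only `logs.enabled` and `workspaceId`, while the template enables eight named categories (`Administrative`, `Security`, `Policy` and others), so a subscription diagnostic setting that targets the workspace but carries only some of those categories may evaluate as compliant and never be remediated; the hunk does not show how the `logs.enabled` alias is evaluated across the array, so this needs confirming. If gaps in the `Security` or `Administrative` streams matter for detection, the limitation should at least be stated, e.g. by appending `"Compliance is evaluated on the workspace and the enabled flag only, not on the individual log categories."` to `description`.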
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Budget.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Budget.json
new file mode 100644
index 0000000..127bdb0
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Budget.json
@@ -0,0 +1,238 @@ +{ + "name": "Deploy-Budget", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "All", + "displayName": "Deploy a default budget on all subscriptions under the assigned scope", + "description": "Deploy a default budget on all subscriptions under the assigned scope", + "metadata": { + "version": "1.1.0", + "category": "Budget", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "description": "Enable or disable the execution of the policy" + } + }, + "budgetName": { + "type": "String", + "defaultValue": "budget-set-by-policy", + "metadata": { + "description": "The name for the budget to be created" + } + }, + "amount": { + "type": "String", + "defaultValue": "1000", + "metadata": { + "description": "The total amount of cost or usage to track with the budget" + } + }, + "timeGrain": { + "type": "String", + "defaultValue": "Monthly", + "allowedValues": [ + "Monthly", + "Quarterly", + "Annually", + "BillingMonth", + "BillingQuarter", + "BillingAnnual" + ], + "metadata": { + "description": "The time covered by a budget. Tracking of the amount will be reset based on the time grain." + } + }, + "firstThreshold": { + "type": "String", + "defaultValue": "90", + "metadata": { + "description": "Threshold value associated with a notification. Notification is sent when the cost exceeded the threshold. It is always percent and has to be between 0 and 1000." + } + }, + "secondThreshold": { + "type": "String", + "defaultValue": "100", + "metadata": { + "description": "Threshold value associated with a notification. Notification is sent when the cost exceeded the threshold. 
It is always percent and has to be between 0 and 1000." + } + }, + "contactRoles": { + "type": "Array", + "defaultValue": [ + "Owner", + "Contributor" + ], + "metadata": { + "description": "The list of contact RBAC roles, in an array, to send the budget notification to when the threshold is exceeded." + } + }, + "contactEmails": { + "type": "Array", + "defaultValue": [], + "metadata": { + "description": "The list of email addresses, in an array, to send the budget notification to when the threshold is exceeded." + } + }, + "contactGroups": { + "type": "Array", + "defaultValue": [], + "metadata": { + "description": "The list of action groups, in an array, to send the budget notification to when the threshold is exceeded. It accepts array of strings." + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Resources/subscriptions" + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Consumption/budgets", + "deploymentScope": "subscription", + "existenceScope": "subscription", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Consumption/budgets/amount", + "equals": "[parameters('amount')]" + }, + { + "field": "Microsoft.Consumption/budgets/timeGrain", + "equals": "[parameters('timeGrain')]" + }, + { + "field": "Microsoft.Consumption/budgets/category", + "equals": "Cost" + } + ] + }, + "roleDefinitionIds": [ + "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c" + ], + "deployment": { + "location": "northeurope", + "properties": { + "mode": "Incremental", + "parameters": { + "budgetName": { + "value": "[parameters('budgetName')]" + }, + "amount": { + "value": "[parameters('amount')]" + }, + "timeGrain": { + "value": "[parameters('timeGrain')]" + }, + "firstThreshold": { + "value": "[parameters('firstThreshold')]" + }, + "secondThreshold": { + "value": "[parameters('secondThreshold')]" + }, + "contactEmails": { + "value": 
"[parameters('contactEmails')]" + }, + "contactRoles": { + "value": "[parameters('contactRoles')]" + }, + "contactGroups": { + "value": "[parameters('contactGroups')]" + } + }, + "template": { + "$schema": "http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json", + "contentVersion": "1.0.0.0", + "parameters": { + "budgetName": { + "type": "String" + }, + "amount": { + "type": "String" + }, + "timeGrain": { + "type": "String" + }, + "firstThreshold": { + "type": "String" + }, + "secondThreshold": { + "type": "String" + }, + "contactEmails": { + "type": "Array" + }, + "contactRoles": { + "type": "Array" + }, + "contactGroups": { + "type": "Array" + }, + "startDate": { + "type": "String", + "defaultValue": "[concat(utcNow('MM'), '/01/', utcNow('yyyy'))]" + } + }, + "resources": [ + { + "type": "Microsoft.Consumption/budgets", + "apiVersion": "2019-10-01", + "name": "[parameters('budgetName')]", + "properties": { + "timePeriod": { + "startDate": "[parameters('startDate')]" + }, + "timeGrain": "[parameters('timeGrain')]", + "amount": "[parameters('amount')]", + "category": "Cost", + "notifications": { + "NotificationForExceededBudget1": { + "enabled": true, + "operator": "GreaterThan", + "threshold": "[parameters('firstThreshold')]", + "contactEmails": "[parameters('contactEmails')]", + "contactRoles": "[parameters('contactRoles')]", + "contactGroups": "[parameters('contactGroups')]" + }, + "NotificationForExceededBudget2": { + "enabled": true, + "operator": "GreaterThan", + "threshold": "[parameters('secondThreshold')]", + "contactEmails": "[parameters('contactEmails')]", + "contactRoles": "[parameters('contactRoles')]", + "contactGroups": "[parameters('contactGroups')]" + } + } + } + } + ] + } + } + } + } + } + } + } +} \ No newline at end of file 
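Review bot: `roleDefinitionIds` assigns the role ending in `b24988ac-6180-42a0-ab88-20f7382dd24c`, the built-in Contributor role, to the policy's managed identity on every subscription in the assigned scope, although the template only writes a single `Microsoft.Consumption/budgets` resource. That makes the remediation identity a general write principal across the estate for a cost-reporting task. I would replace it with the narrowest role that permits budget writes, e.g. `"/providers/Microsoft.Authorization/roleDefinitions/<budget-write-role-guid>"` (placeholder for a cost-management built-in or a custom role).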
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Custom-Route-Table.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Custom-Route-Table.json
new file mode 100644
index 0000000..29bef0f
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Custom-Route-Table.json
@@ -0,0 +1,213 @@ +{ + "name": "Deploy-Custom-Route-Table", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy a route table with specific user defined routes", + "description": "Deploys a route table with specific user defined routes when one does not exist. The route table deployed by the policy must be manually associated to subnet(s)", + "metadata": { + "version": "1.0.0", + "category": "Network", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists" + }, + "requiredRoutes": { + "type": "Array", + "metadata": { + "displayName": "requiredRoutes", + "description": "Routes that must exist in compliant route tables deployed by this policy" + } + }, + "vnetRegion": { + "type": "String", + "metadata": { + "displayName": "vnetRegion", + "description": "Only VNets in this region will be evaluated against this policy" + } + }, + "routeTableName": { + "type": "String", + "metadata": { + "displayName": "routeTableName", + "description": "Name of the route table automatically deployed by this policy" + } + }, + "disableBgpPropagation": { + "type": "Boolean", + "metadata": { + "displayName": "DisableBgpPropagation", + "description": "Disable BGP Propagation" + }, + "defaultValue": false + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/virtualNetworks" + }, + { + "field": "location", + "equals": "[parameters('vnetRegion')]" + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": 
"Microsoft.Network/routeTables", + "existenceCondition": { + "allOf": [ + { + "field": "name", + "equals": "[parameters('routeTableName')]" + }, + { + "count": { + "field": "Microsoft.Network/routeTables/routes[*]", + "where": { + "value": "[concat(current('Microsoft.Network/routeTables/routes[*].addressPrefix'), ';', current('Microsoft.Network/routeTables/routes[*].nextHopType'), if(equals(toLower(current('Microsoft.Network/routeTables/routes[*].nextHopType')),'virtualappliance'), concat(';', current('Microsoft.Network/routeTables/routes[*].nextHopIpAddress')), ''))]", + "in": "[parameters('requiredRoutes')]" + } + }, + "equals": "[length(parameters('requiredRoutes'))]" + } + ] + }, + "roleDefinitionIds": [ + "/subscriptions/e867a45d-e513-44ac-931e-4741cef80b24/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7" + ], + "deployment": { + "properties": { + "mode": "incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "routeTableName": { + "type": "string" + }, + "vnetRegion": { + "type": "string" + }, + "requiredRoutes": { + "type": "array" + }, + "disableBgpPropagation": { + "type": "bool" + } + }, + "variables": { + "copyLoop": [ + { + "name": "routes", + "count": "[[length(parameters('requiredRoutes'))]", + "input": { + "name": "[[concat('route-',copyIndex('routes'))]", + "properties": { + "addressPrefix": "[[split(parameters('requiredRoutes')[copyIndex('routes')], ';')[0]]", + "nextHopType": "[[split(parameters('requiredRoutes')[copyIndex('routes')], ';')[1]]", + "nextHopIpAddress": "[[if(equals(toLower(split(parameters('requiredRoutes')[copyIndex('routes')], ';')[1]),'virtualappliance'),split(parameters('requiredRoutes')[copyIndex('routes')], ';')[2], null())]" + } + } + } + ] + }, + "resources": [ + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2021-04-01", + "name": "routeTableDepl", 
+ "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "routeTableName": { + "type": "string" + }, + "vnetRegion": { + "type": "string" + }, + "requiredRoutes": { + "type": "array" + }, + "disableBgpPropagation": { + "type": "bool" + } + }, + "resources": [ + { + "type": "Microsoft.Network/routeTables", + "apiVersion": "2021-02-01", + "name": "[[parameters('routeTableName')]", + "location": "[[parameters('vnetRegion')]", + "properties": { + "disableBgpRoutePropagation": "[[parameters('disableBgpPropagation')]", + "copy": "[variables('copyLoop')]" + } + } + ] + }, + "parameters": { + "routeTableName": { + "value": "[parameters('routeTableName')]" + }, + "vnetRegion": { + "value": "[parameters('vnetRegion')]" + }, + "requiredRoutes": { + "value": "[parameters('requiredRoutes')]" + }, + "disableBgpPropagation": { + "value": "[parameters('disableBgpPropagation')]" + } + } + } + } + ] + }, + "parameters": { + "routeTableName": { + "value": "[parameters('routeTableName')]" + }, + "vnetRegion": { + "value": "[parameters('vnetRegion')]" + }, + "requiredRoutes": { + "value": "[parameters('requiredRoutes')]" + }, + "disableBgpPropagation": { + "value": "[parameters('disableBgpPropagation')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-DDoSProtection.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-DDoSProtection.json new file mode 100644 index 0000000..8525513 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-DDoSProtection.json 
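Review bot: The `roleDefinitionIds` entry is written as `/subscriptions/e867a45d-e513-44ac-931e-4741cef80b24/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7`, which pins the role reference to one specific subscription and publishes that subscription ID in a shared library file. The other definitions visible in this part of the commit use the tenant-level form, and a subscription-scoped ID is unlikely to resolve for an assignment made in a different tenant. Use `"/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7"`, as the Deploy-DDoSProtection definition does for the same role.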
@@ -0,0 +1,150 @@ +{ + "name": "Deploy-DDoSProtection", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "All", + "displayName": "Deploy an Azure DDoS Network Protection", + "description": "Deploys an Azure DDoS Network Protection", + "metadata": { + "version": "1.0.1", + "category": "Network", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "ddosName": { + "type": "String", + "metadata": { + "displayName": "ddosName", + "description": "DDoSVnet" + } + }, + "ddosRegion": { + "type": "String", + "metadata": { + "displayName": "ddosRegion", + "description": "DDoSVnet location", + "strongType": "location" + } + }, + "rgName": { + "type": "String", + "metadata": { + "displayName": "rgName", + "description": "Provide name for resource group." + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Resources/subscriptions" + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Network/ddosProtectionPlans", + "deploymentScope": "subscription", + "existenceScope": "resourceGroup", + "resourceGroupName": "[parameters('rgName')]", + "name": "[parameters('ddosName')]", + "roleDefinitionIds": [ + "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7" + ], + "deployment": { + "location": "northeurope", + "properties": { + "mode": "Incremental", + "parameters": { + "rgName": { + "value": "[parameters('rgName')]" + }, + "ddosname": { + "value": "[parameters('ddosname')]" + }, + 
"ddosregion": { + "value": "[parameters('ddosRegion')]" + } + }, + "template": { + "$schema": "http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json", + "contentVersion": "1.0.0.0", + "parameters": { + "rgName": { + "type": "String" + }, + "ddosname": { + "type": "String" + }, + "ddosRegion": { + "type": "String" + } + }, + "resources": [ + { + "type": "Microsoft.Resources/resourceGroups", + "apiVersion": "2018-05-01", + "name": "[parameters('rgName')]", + "location": "[deployment().location]", + "properties": {} + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2018-05-01", + "name": "ddosprotection", + "resourceGroup": "[parameters('rgName')]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/resourceGroups/', parameters('rgName'))]" + ], + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json", + "contentVersion": "1.0.0.0", + "parameters": {}, + "resources": [ + { + "type": "Microsoft.Network/ddosProtectionPlans", + "apiVersion": "2019-12-01", + "name": "[parameters('ddosName')]", + "location": "[parameters('ddosRegion')]", + "properties": {} + } + ], + "outputs": {} + } + } + } + ], + "outputs": {} + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Default-Udr.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Default-Udr.json new file mode 100644 index 0000000..23d62b3 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Default-Udr.json 
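Review bot: `"location": "northeurope"` in the `deployment` block is hard-coded, yet this copy is added under `lib/china` and its `alzCloudEnvironments` lists `AzureChinaCloud` and `AzureUSGovernment`. The resource group takes `[deployment().location]`, so it would be created in that region too; where the region is not offered, remediation would presumably fail and no DDoS protection plan would be deployed. Consider a region valid for the target cloud, or driving it from `ddosRegion` if the policy engine accepts an expression in that position. Separately, the deployment passes `[parameters('ddosname')]` while the policy parameter is declared as `ddosName`; matching the casing avoids relying on case-insensitive lookup.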
@@ -0,0 +1,133 @@ +{ + "name": "Deploy-Default-Udr", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy a user-defined route to a VNET with specific routes.", + "description": "Deploy a user-defined route to a VNET with routes from spoke to hub firewall. This policy must be assigned for each region you plan to use.", + "metadata": { + "version": "1.0.0", + "category": "Network", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureChinaCloud" + ] + }, + "parameters": { + "defaultRoute": { + "type": "String", + "metadata": { + "displayName": "Default route to add into UDR", + "description": "Policy will deploy a default route table to a vnet" + } + }, + "vnetRegion": { + "type": "String", + "metadata": { + "displayName": "VNet Region", + "description": "Regional VNet hub location", + "strongType": "location" + } + }, + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/virtualNetworks" + }, + { + "field": "location", + "equals": "[parameters('vnetRegion')]" + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Network/routeTables", + "roleDefinitionIds": [ + "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7" + ], + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Network/routeTables/routes[*].nextHopIpAddress", + "equals": "[parameters('defaultRoute')]" + } + ] + }, + "deployment": { + "properties": { + "mode": "incremental", + "parameters": { + "udrName": { + "value": 
"[concat(field('name'),'-udr')]" + }, + "udrLocation": { + "value": "[field('location')]" + }, + "defaultRoute": { + "value": "[parameters('defaultRoute')]" + } + }, + "template": { + "$schema": "http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json", + "contentVersion": "1.0.0.0", + "parameters": { + "udrName": { + "type": "string" + }, + "udrLocation": { + "type": "string" + }, + "defaultRoute": { + "type": "string" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Network/routeTables", + "name": "[parameters('udrName')]", + "apiVersion": "2020-08-01", + "location": "[parameters('udrLocation')]", + "properties": { + "routes": [ + { + "name": "AzureFirewallRoute", + "properties": { + "addressPrefix": "0.0.0.0/0", + "nextHopType": "VirtualAppliance", + "nextHopIpAddress": "[parameters('defaultRoute')]" + } + } + ] + } + } + ], + "outputs": {} + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-AA.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-AA.json new file mode 100644 index 0000000..fee8ee2 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-AA.json 
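Review bot: The `existenceCondition` compares `routes[*].nextHopIpAddress` with `equals`, which for an array alias requires every element to match and, as far as I know, is also satisfied by an empty array, so a route table with no routes would count as compliant. `details` has no `name` either, so any route table in the resource group can satisfy the check, not only the `<vnet>-udr` one the template creates. A `count` with a `where` clause, as the route-table policy earlier in this patch uses, states the intent of at least one 0.0.0.0/0 route to the firewall address; see below. The template also only creates the route table and does not associate it with a subnet, so a compliant result does not show that traffic is actually routed through the firewall.

```json
"existenceCondition": {
  "count": {
    "field": "Microsoft.Network/routeTables/routes[*]",
    "where": {
      "allOf": [
        {
          "field": "Microsoft.Network/routeTables/routes[*].addressPrefix",
          "equals": "0.0.0.0/0"
        },
        {
          "field": "Microsoft.Network/routeTables/routes[*].nextHopIpAddress",
          "equals": "[parameters('defaultRoute')]"
        }
      ]
    }
  },
  "greaterOrEquals": 1
}
```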
@@ -0,0 +1,201 @@ +{ + "name": "Deploy-Diagnostics-AA", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Automation to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Automation to stream to a Log Analytics workspace when any Automation which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ 
+ "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Automation/automationAccounts" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Automation/automationAccounts/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "timeGrain": null, + "enabled": 
"[parameters('metricsEnabled')]", + "retentionPolicy": { + "enabled": false, + "days": 0 + } + } + ], + "logs": [ + { + "category": "JobLogs", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "JobStreams", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "DscNodeStatus", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "AuditEvent", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-ACI.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-ACI.json new file mode 100644 index 0000000..2ab193d --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-ACI.json 
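Review bot: The `existenceCondition` hard-codes `"equals": "true"` for `logs.enabled` and `metrics.enabled`, while the `logsEnabled` and `metricsEnabled` parameters accept `False`. An assignment with either set to `False` deploys a setting that can never satisfy the condition, so the resource stays non-compliant; comparing against the parameters, `"equals": "[parameters('logsEnabled')]"` and `"equals": "[parameters('metricsEnabled')]"`, keeps the check in step with what is deployed. The same pattern appears in the Deploy-Diagnostics-ACI, -ACR, -APIMgmt and -AVDScalingPlans hunks that follow. If turning off `AuditEvent` and the job logs is not meant to be a supported choice, removing `False` from `allowedValues` would be the stricter alternative.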
@@ -0,0 +1,162 @@ +{ + "name": "Deploy-Diagnostics-ACI", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Container Instances to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Container Instances to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy willset the diagnostic with all metrics enabled.", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": 
"Microsoft.ContainerInstance/containerGroups" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.ContainerInstance/containerGroups/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": 
"[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-ACR.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-ACR.json new file mode 100644 index 0000000..fac00d2 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-ACR.json 
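Review bot: The `description` of this Container Instances definition says "when any ACR which is missing this diagnostic settings" and contains "willset"; it looks copied from the Container Registry definition. Suggested wording for the tail: `when any Container Instance which is missing this diagnostic setting is created or updated. The Policy will set the diagnostic with all metrics enabled.` The template also deploys `"logs": []`, so only metrics reach the workspace; if that is deliberate, saying so in the description would help whoever relies on this policy for log coverage.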
@@ -0,0 +1,193 @@ +{ + "name": "Deploy-Diagnostics-ACR", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Container Registry to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Container Registry to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics enabled.", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + 
"True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.ContainerRegistry/registries" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.ContainerRegistry/registries/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + 
"retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "category": "ContainerRegistryLoginEvents", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "ContainerRegistryRepositoryEvents", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-APIMgmt.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-APIMgmt.json new file mode 100644 index 0000000..0729d45 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-APIMgmt.json 
@@ -0,0 +1,193 @@ +{ + "name": "Deploy-Diagnostics-APIMgmt", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for API Management to Log Analytics workspace", + "description": "Deploys the diagnostic settings for API Management to stream to a Log Analytics workspace when any API Management which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + 
"allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.ApiManagement/service" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.ApiManagement/service/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + 
"retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "category": "GatewayLogs", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "WebSocketConnectionLogs", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-AVDScalingPlans.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-AVDScalingPlans.json new file mode 100644 index 0000000..631957e --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-AVDScalingPlans.json 
@@ -0,0 +1,154 @@ +{ + "name": "Deploy-Diagnostics-AVDScalingPlans", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for AVD Scaling Plans to Log Analytics workspace", + "description": "Deploys the diagnostic settings for AVD Scaling Plans to stream to a Log Analytics workspace when any Scaling Plan which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all and categorys enabled.", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.DesktopVirtualization/scalingplans" + }, 
+ "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.DesktopVirtualization/scalingplans/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "logs": [ + { + "category": "Autoscale", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file 
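Review bot: `alzCloudEnvironments` lists only `AzureCloud`, but this file is added under `lib/china/policy_definitions` with the `es_mc_` prefix. If the library is consumed per cloud, this definition would be deployed where its own metadata says it does not apply; either leave it out of this directory or list the clouds where `Microsoft.DesktopVirtualization/scalingplans` is actually available. The `description` also reads "with all and categorys enabled", presumably meant as "with all categories enabled".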
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-AnalysisService.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-AnalysisService.json new file mode 100644 index 0000000..0b69918 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-AnalysisService.json 
@@ -0,0 +1,193 @@ +{ + "name": "Deploy-Diagnostics-AnalysisService", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Analysis Services to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Analysis Services to stream to a Log Analytics workspace when any Analysis Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.AnalysisServices/servers" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + 
"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.AnalysisServices/servers/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "category": "Engine", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "Service", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file 
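Review bot: The `existenceCondition` compares `logs.enabled` and `metrics.enabled` with the literal `"true"`, while the deployed setting takes both values from the `logsEnabled` and `metricsEnabled` parameters, which also allow `"False"`. An assignment that switches either one off can never satisfy the condition, so the resource stays non-compliant and a remediation task would redeploy the same setting each time. Comparing against the parameter keeps the check and the deployment in step: `"equals": "[parameters('logsEnabled')]"`, and likewise `"equals": "[parameters('metricsEnabled')]"`. The same literal comparison appears in the ApiForFHIR, ApplicationGateway, Bastion, CDNEndpoints (logs only) and CognitiveServices definitions in this commit.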
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-ApiForFHIR.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-ApiForFHIR.json
new file mode 100644
index 0000000..3c43b2d
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-ApiForFHIR.json
@@ -0,0 +1,189 @@ +{ + "name": "Deploy-Diagnostics-ApiForFHIR", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Azure API for FHIR to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Azure API for FHIR to stream to a Log Analytics workspace when any Azure API for FHIR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.HealthcareApis/services" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + 
"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.HealthcareApis/services/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "category": "AuditLogs", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file 
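Review bot: `roleDefinitionIds` lists two role GUIDs with nothing in the definition saying which roles they are or why the remediation identity needs both. As far as I can tell they are the built-in Monitoring Contributor and Log Analytics Contributor roles, which the assignment's managed identity would hold across the whole assignment scope. Since policy JSON cannot carry comments, the names could go into the description, for example `"... Remediation identity is granted Monitoring Contributor and Log Analytics Contributor at the assignment scope."`. It is also worth confirming that writing a diagnostic setting and linking the workspace needs both roles rather than one narrower role. Every Deploy-Diagnostics definition in this commit uses the same pair, so the answer applies to all of them.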
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-ApplicationGateway.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-ApplicationGateway.json
new file mode 100644
index 0000000..4362a33
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-ApplicationGateway.json
@@ -0,0 +1,197 @@ +{ + "name": "Deploy-Diagnostics-ApplicationGateway", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Application Gateway to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Application Gateway to stream to a Log Analytics workspace when any Application Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Network/applicationGateways" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + 
"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Network/applicationGateways/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "category": "ApplicationGatewayAccessLog", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "ApplicationGatewayPerformanceLog", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "ApplicationGatewayFirewallLog", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file 
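Review bot: The `logs` array names three categories by hand, but `existenceCondition` only checks that the setting called `profileName` has logs enabled and points at the workspace. Depending on how the `logs.enabled` alias is evaluated over the array, a setting of that name with `ApplicationGatewayFirewallLog` switched off may still report as compliant. That should be tested, because the firewall log is the category a detection team is most likely to depend on. A hand-written list also falls behind when the provider adds categories, so the description's "all metrics and category enabled" would be more accurate as `"... The policy enables AllMetrics and the ApplicationGatewayAccessLog, ApplicationGatewayPerformanceLog and ApplicationGatewayFirewallLog categories"`. The other definitions in this commit hard-code their categories the same way.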
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-Bastion.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-Bastion.json
new file mode 100644
index 0000000..8958c29
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-Bastion.json
@@ -0,0 +1,189 @@ +{ + "name": "Deploy-Diagnostics-Bastion", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Azure Bastion to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Azure Bastion to stream to a Log Analytics workspace when any Azure Bastion which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + 
"allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Network/bastionHosts" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Network/bastionHosts/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + 
"retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "category": "BastionAuditLogs", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-CDNEndpoints.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-CDNEndpoints.json new file mode 100644 index 0000000..618a4d6 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-CDNEndpoints.json 
@@ -0,0 +1,157 @@ +{ + "name": "Deploy-Diagnostics-CDNEndpoints", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for CDN Endpoint to Log Analytics workspace", + "description": "Deploys the diagnostic settings for CDN Endpoint to stream to a Log Analytics workspace when any CDN Endpoint which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": 
"Microsoft.Cdn/profiles/endpoints" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Cdn/profiles/endpoints/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [], + "logs": [ + { + "category": "CoreAnalytics", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('fullName')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} 
\ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-CognitiveServices.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-CognitiveServices.json new file mode 100644 index 0000000..fbf8a0e --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-CognitiveServices.json 
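Review bot: In the Deploy-Diagnostics-CDNEndpoints definition the description says the policy sets "all metrics and category enabled", yet the template deploys `"metrics": []` and a single `CoreAnalytics` log category, and there is no `metricsEnabled` parameter. Someone reading compliance results would assume CDN endpoint metrics reach the workspace when nothing in the hunk sends them. The description should state what is actually deployed, for example `"... The Policy enables the CoreAnalytics log category; no metrics are collected"`. If the provider does expose a metrics category for endpoints, the alternative is to add the metrics entry and the matching existence check.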
@@ -0,0 +1,197 @@ +{ + "name": "Deploy-Diagnostics-CognitiveServices", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Cognitive Services to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Cognitive Services to stream to a Log Analytics workspace when any Cognitive Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.CognitiveServices/accounts" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + 
"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.CognitiveServices/accounts/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "category": "Audit", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "RequestResponse", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "Trace", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file 
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-CosmosDB.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-CosmosDB.json
new file mode 100644
index 0000000..7979a23
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-CosmosDB.json
@@ -0,0 +1,217 @@ +{ + "name": "Deploy-Diagnostics-CosmosDB", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Cosmos DB to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Cosmos DB to stream to a Log Analytics workspace when any Cosmos DB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + 
"allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.DocumentDB/databaseAccounts" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.DocumentDB/databaseAccounts/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "Requests", + "enabled": "[parameters('metricsEnabled')]", + 
"retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "category": "DataPlaneRequests", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "MongoRequests", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "QueryRuntimeStatistics", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "PartitionKeyStatistics", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "PartitionKeyRUConsumption", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "ControlPlaneRequests", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "CassandraRequests", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "GremlinRequests", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-DLAnalytics.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-DLAnalytics.json new file mode 100644 index 0000000..43e223d --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-DLAnalytics.json 
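Review bot: The `existenceCondition` in Deploy-Diagnostics-CosmosDB compares `logs.enabled` and `metrics.enabled` with the literal `"true"`, while the deployed template takes both values from the `logsEnabled` and `metricsEnabled` parameters. An assignment that sets either parameter to `False` deploys a setting that can never satisfy the condition, so the account stays non-compliant and every remediation redeploys the same setting; a deliberate opt-out then looks the same on the compliance view as a resource that is genuinely missing audit logging. Comparing against the parameters keeps the two in step: `"equals": "[parameters('logsEnabled')]"` and `"equals": "[parameters('metricsEnabled')]"`. The same literal comparison appears in the DLAnalytics, DataExplorerCluster, DataFactory, Databricks (logs only), EventGridSub (metrics only) and EventGridSystemTopic definitions in this patch.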
@@ -0,0 +1,193 @@ +{ + "name": "Deploy-Diagnostics-DLAnalytics", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Data Lake Analytics to stream to a Log Analytics workspace when any Data Lake Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.DataLakeAnalytics/accounts" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + 
"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.DataLakeAnalytics/accounts/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "category": "Audit", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "Requests", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file 
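Review bot: `roleDefinitionIds` in Deploy-Diagnostics-DLAnalytics lists two bare GUIDs, and nothing in the definition says which roles the assignment's managed identity receives. As far as I can tell `749f88d5-cbae-40b8-bcfc-e573ddc772fa` is the built-in Monitoring Contributor role and `92aaf0da-9dab-42b6-94a3-d43ce8d16293` is Log Analytics Contributor; confirm against the built-in role list. JSON cannot carry a comment, so name them in `description`, for example by appending `Remediation runs as a managed identity that is granted Monitoring Contributor and Log Analytics Contributor at the assignment scope.` Both roles permit considerably more than writing one diagnostic setting, so whoever assigns this at a management group should be able to see what the identity can do there. The same pair is used by the other Deploy-Diagnostics definitions visible in this patch.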
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-DataExplorerCluster.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-DataExplorerCluster.json
new file mode 100644
index 0000000..8faad53
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-DataExplorerCluster.json
@@ -0,0 +1,213 @@ +{ + "name": "Deploy-Diagnostics-DataExplorerCluster", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Azure Data Explorer Cluster to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Azure Data Explorer Cluster to stream to a Log Analytics workspace when any Azure Data Explorer Cluster which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Kusto/Clusters" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + 
"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Kusto/Clusters/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "category": "SucceededIngestion", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "FailedIngestion", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "IngestionBatching", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "Command", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "Query", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "TableUsageStatistics", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "TableDetails", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": 
"[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-DataFactory.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-DataFactory.json new file mode 100644 index 0000000..af90114 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-DataFactory.json 
@@ -0,0 +1,221 @@ +{ + "name": "Deploy-Diagnostics-DataFactory", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Data Factory to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Data Factory to stream to a Log Analytics workspace when any Data Factory which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + 
"allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.DataFactory/factories" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.DataFactory/factories/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + 
"retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "category": "ActivityRuns", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "PipelineRuns", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "TriggerRuns", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "SSISPackageEventMessages", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "SSISPackageExecutableStatistics", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "SSISPackageEventMessageContext", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "SSISPackageExecutionComponentPhases", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "SSISPackageExecutionDataStatistics", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "SSISIntegrationRuntimeLogs", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-Databricks.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-Databricks.json new file mode 100644 index 0000000..3149b1a --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-Databricks.json 
@@ -0,0 +1,192 @@ +{ + "name": "Deploy-Diagnostics-Databricks", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Databricks to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Databricks to stream to a Log Analytics workspace when any Databricks which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": 
"Microsoft.Databricks/workspaces" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Databricks/workspaces/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "logs": [ + { + "category": "dbfs", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "clusters", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "accounts", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "jobs", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "notebook", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "ssh", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "workspace", + 
"enabled": "[parameters('logsEnabled')]" + }, + { + "category": "secrets", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "sqlPermissions", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "instancePools", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-EventGridSub.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-EventGridSub.json new file mode 100644 index 0000000..c77b4eb --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-EventGridSub.json 
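Review bot: The `description` of Deploy-Diagnostics-Databricks says the policy sets the diagnostic "with all metrics and category enabled", but this template has no `metrics` block and no `metricsEnabled` parameter, and its `logs` array is a fixed list of ten categories. Any category the service exposes that is not in that list is not forwarded, and the `existenceCondition` (`logs.enabled` plus `workspaceId`) would not reveal the gap, so a workspace can report compliant while part of its audit trail never reaches Log Analytics. Reword the description to state what is actually collected, e.g. `The policy enables the log categories listed in the deployment template; no metrics are configured.`, and record when the category list was last checked against the service.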
@@ -0,0 +1,162 @@ +{ + "name": "Deploy-Diagnostics-EventGridSub", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Event Grid subscriptions to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Event Grid subscriptions to stream to a Log Analytics workspace when any Event Grid subscriptions which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.EventGrid/eventSubscriptions" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + 
"type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.EventGrid/eventSubscriptions/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-EventGridSystemTopic.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-EventGridSystemTopic.json new file mode 100644 index 0000000..51ed84a --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-EventGridSystemTopic.json 
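Review bot: `"mode": "Indexed"` in Deploy-Diagnostics-EventGridSub limits evaluation to resource types that support tags and location, and `Microsoft.EventGrid/eventSubscriptions` looks like an extension resource that has neither. If so, the rule may never match anything and `[field('location')]` may resolve empty, which is worth confirming with a test assignment. A policy that matches nothing reports no non-compliant resources while deploying no diagnostic setting, which reads as full coverage on a compliance dashboard. `"mode": "All"` is the mode that covers such types. Separately, the template sets `"logs": []`, so the description's "all metrics and category enabled" amounts to `AllMetrics` only.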
@@ -0,0 +1,189 @@ +{ + "name": "Deploy-Diagnostics-EventGridSystemTopic", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Event Grid System Topic to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Event Grid System Topic to stream to a Log Analytics workspace when any Event Grid System Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.EventGrid/systemTopics" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + 
"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.EventGrid/systemTopics/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "category": "DeliveryFailures", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file 
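Review bot: The `existenceCondition` in this new definition compares `logs.enabled` and `metrics.enabled` against the literal `"true"`, while the deployed setting takes both values from the `logsEnabled` and `metricsEnabled` parameters. If an assignment sets either parameter to `False`, the setting the policy deploys cannot satisfy its own condition, so the resource would presumably stay non-compliant and be redeployed on every remediation. That noise makes it harder to spot resources that genuinely lack diagnostics. I would bind the checks to the parameters: `"equals": "[parameters('logsEnabled')]"` and `"equals": "[parameters('metricsEnabled')]"`. The EventGridTopic, ExpressRoute, Firewall, FrontDoor and Function definitions later in this patch use the same pattern.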
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-EventGridTopic.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-EventGridTopic.json
new file mode 100644
index 0000000..21c357f
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-EventGridTopic.json
@@ -0,0 +1,193 @@ +{ + "name": "Deploy-Diagnostics-EventGridTopic", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Event Grid Topic to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Event Grid Topic to stream to a Log Analytics workspace when any Event Grid Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.EventGrid/topics" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + 
"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.EventGrid/topics/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "category": "DeliveryFailures", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "PublishFailures", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file 
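Review bot: The `roleDefinitionIds` list grants the remediation identity two built-in roles by bare GUID, and nothing in the definition says which roles they are or why both are needed. If I read the GUIDs correctly they are Monitoring Contributor (`749f88d5-…`) and Log Analytics Contributor (`92aaf0da-…`). The second is considerably broader than writing one diagnostic setting requires, and it is held at the full assignment scope. Since JSON cannot carry a comment, I would name both roles in the `description` or the assignment documentation, and confirm whether the deployment still succeeds with the narrower role alone plus a workspace-scoped grant. The same pair appears in every Deploy-Diagnostics definition in this patch.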
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-ExpressRoute.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-ExpressRoute.json
new file mode 100644
index 0000000..25aa362
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-ExpressRoute.json
@@ -0,0 +1,189 @@ +{ + "name": "Deploy-Diagnostics-ExpressRoute", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for ExpressRoute to Log Analytics workspace", + "description": "Deploys the diagnostic settings for ExpressRoute to stream to a Log Analytics workspace when any ExpressRoute which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + 
"allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Network/expressRouteCircuits" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Network/expressRouteCircuits/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": 
"[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "category": "PeeringRouteLog", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-Firewall.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-Firewall.json new file mode 100644 index 0000000..26491ba --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-Firewall.json 
@@ -0,0 +1,241 @@ +{ + "name": "Deploy-Diagnostics-Firewall", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Firewall to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Firewall to stream to a Log Analytics workspace when any Firewall which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ 
+ "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Network/azureFirewalls" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Network/azureFirewalls/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + 
"days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "category": "AzureFirewallApplicationRule", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "AzureFirewallNetworkRule", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "AzureFirewallDnsProxy", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "AZFWNetworkRule", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "AZFWApplicationRule", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "AZFWNatRule", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "AZFWThreatIntel", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "AZFWIdpsSignature", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "AZFWDnsQuery", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "AZFWFqdnResolveFailure", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "AZFWApplicationRuleAggregation", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "AZFWNetworkRuleAggregation", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "AZFWNatRuleAggregation", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "AZFWFatFlow", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file 
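Review bot: The `existenceCondition` for the firewall never looks at category names, only at `logs.enabled`, `metrics.enabled` and `workspaceId`. A pre-existing setting with the policy's profile name that enables only a subset of categories may therefore be reported compliant while `AZFWThreatIntel` or `AZFWIdpsSignature` are not collected. For a detection source like the firewall, I would replace the `logs.enabled` condition with a count over the log entries that pins the categories the SOC depends on. The sketch below shows the shape; the alias names and the category list should be confirmed against the target cloud. The description's claim "all metrics and category enabled" also only holds for the categories hard-coded in `logs`.

```json
{
  "count": {
    "field": "Microsoft.Insights/diagnosticSettings/logs[*]",
    "where": {
      "allOf": [
        {
          "field": "Microsoft.Insights/diagnosticSettings/logs[*].category",
          "in": [
            "AZFWThreatIntel",
            "AZFWIdpsSignature"
          ]
        },
        {
          "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled",
          "equals": "true"
        }
      ]
    }
  },
  "equals": 2
}
```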
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-FrontDoor.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-FrontDoor.json
new file mode 100644
index 0000000..d7fa9f3
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-FrontDoor.json
@@ -0,0 +1,193 @@ +{ + "name": "Deploy-Diagnostics-FrontDoor", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Front Door to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Front Door to stream to a Log Analytics workspace when any Front Door which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + 
"allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Network/frontDoors" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Network/frontDoors/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + 
"retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "category": "FrontdoorAccessLog", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "FrontdoorWebApplicationFirewallLog", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-Function.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-Function.json new file mode 100644 index 0000000..bcde0b9 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-Function.json 
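Review bot: The `displayName` and `description` of the FrontDoor definition say "Front Door" without qualification, but the `if` clause matches only `Microsoft.Network/frontDoors`. As far as I know that type is the classic offering; Standard/Premium profiles live under a different resource type and would not get `FrontdoorWebApplicationFirewallLog` or access logs from this policy. Someone reading the compliance view could assume WAF logging is enforced for every Front Door. I would make the scope explicit in the text, for example `"displayName": "Deploy Diagnostic Settings for Front Door (classic) to Log Analytics workspace"`, and track coverage for the other type separately.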
@@ -0,0 +1,197 @@ +{ + "name": "Deploy-Diagnostics-Function", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Azure Function App to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Azure Function App to stream to a Log Analytics workspace when any function app which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Web/sites" + }, + { + "value": "[field('kind')]", + "contains": "functionapp" + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + 
"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Web/sites/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "category": "FunctionAppLogs", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file 
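Review bot: The `if` clause of the Function definition selects sites with `"contains": "functionapp"` on `kind`, which is a substring match rather than an exact one. It will also match any site whose kind merely includes that token, and I believe workflow-based apps report a combined kind of this form. Those resources would then receive a setting with only `FunctionAppLogs` and still be marked compliant, with their own log categories uncollected. I would either document the intended kinds in the `description` or narrow the match, for example by adding `{ "value": "[field('kind')]", "notContains": "workflowapp" }` to the `allOf`, once the kind strings in the target cloud are confirmed.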
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-HDInsight.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-HDInsight.json
new file mode 100644
index 0000000..b2a779e
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-HDInsight.json
@@ -0,0 +1,162 @@ +{ + "name": "Deploy-Diagnostics-HDInsight", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for HDInsight to Log Analytics workspace", + "description": "Deploys the diagnostic settings for HDInsight to stream to a Log Analytics workspace when any HDInsight which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": 
"Microsoft.HDInsight/clusters" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.HDInsight/clusters/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": 
{ + "value": "[parameters('metricsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-LoadBalancer.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-LoadBalancer.json new file mode 100644 index 0000000..6989855 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-LoadBalancer.json 
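Review bot: The `existenceCondition` in Deploy-Diagnostics-HDInsight compares `Microsoft.Insights/diagnosticSettings/metrics.enabled` with the literal `"true"`, while the deployed value comes from the `metricsEnabled` parameter, which also allows `"False"`. An assignment that sets `metricsEnabled` to `False` would deploy a setting that can never satisfy the condition, so the cluster would presumably stay non-compliant and be remediated again on each evaluation. Comparing against the parameter, `"equals": "[parameters('metricsEnabled')]"`, keeps the check and the deployment in step. The same literal is used for `logs.enabled` and `metrics.enabled` in the LoadBalancer, LogicAppsISE, MariaDB, MediaService and MlWorkspace definitions that follow. Separately, this definition deploys `"logs": []` although its description promises "all metrics and category enabled", so the description should say that only metrics are collected.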
@@ -0,0 +1,193 @@ +{ + "name": "Deploy-Diagnostics-LoadBalancer", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Load Balancer to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Load Balancer to stream to a Log Analytics workspace when any Load Balancer which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Network/loadBalancers" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + 
"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Network/loadBalancers/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "timeGrain": null, + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "enabled": false, + "days": 0 + } + } + ], + "logs": [ + { + "category": "LoadBalancerAlertEvent", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "LoadBalancerProbeHealthStatus", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file 
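Review bot: `roleDefinitionIds` in Deploy-Diagnostics-LoadBalancer lists two bare GUIDs, and nothing in the definition says which roles they are or why both are needed. They appear to be the built-in Monitoring Contributor and Log Analytics Contributor roles, which should be confirmed before merging. The assignment's managed identity receives both at the assignment scope, which is a wider grant than writing a single diagnostic setting needs, so whoever assigns the policy should be able to see that up front. JSON has no comments, so I would name the roles in `metadata` or extend `description`, for example `"... The remediation identity is granted Monitoring Contributor and Log Analytics Contributor at the assignment scope."`. The same two IDs recur in every Deploy-Diagnostics definition in this part of the patch.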
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-LogicAppsISE.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-LogicAppsISE.json
new file mode 100644
index 0000000..1d56282
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-LogicAppsISE.json
@@ -0,0 +1,157 @@ +{ + "name": "Deploy-Diagnostics-LogicAppsISE", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Logic Apps integration service environment to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Logic Apps integration service environment to stream to a Log Analytics workspace when any Logic Apps integration service environment which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Logic/integrationAccounts" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" 
+ }, + "profileName": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Logic/integrationAccounts/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [], + "logs": [ + { + "category": "IntegrationAccountTrackingEvents", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-MariaDB.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-MariaDB.json new file mode 100644 index 0000000..773ef7f --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-MariaDB.json 
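Review bot: The name, display name and description of Deploy-Diagnostics-LogicAppsISE all say "Logic Apps integration service environment", but the `if` block matches `Microsoft.Logic/integrationAccounts` and the template deploys `Microsoft.Logic/integrationAccounts/providers/diagnosticSettings` with the `IntegrationAccountTrackingEvents` category. As written the rule only ever evaluates integration accounts, so anyone relying on the title for logging coverage of integration service environments gets none. Renaming `name` would break existing assignments, so I would correct the user-facing text instead, e.g. `"displayName": "Deploy Diagnostic Settings for Logic Apps integration accounts to Log Analytics workspace"`, and reword `description` to match. If ISE coverage was the intent, that needs its own rule for the ISE resource type.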
@@ -0,0 +1,193 @@ +{ + "name": "Deploy-Diagnostics-MariaDB", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for MariaDB to Log Analytics workspace", + "description": "Deploys the diagnostic settings for MariaDB to stream to a Log Analytics workspace when any MariaDB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + 
"True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.DBforMariaDB/servers" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.DBforMariaDB/servers/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, 
+ "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "category": "MySqlSlowLogs", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "MySqlAuditLogs", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-MediaService.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-MediaService.json new file mode 100644 index 0000000..c98506e --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-MediaService.json 
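Review bot: Enabling the `MySqlAuditLogs` and `MySqlSlowLogs` categories in Deploy-Diagnostics-MariaDB only routes those logs to the workspace. As far as I know the server emits them only when the matching server parameters (for example `audit_log_enabled`) are switched on, and this policy neither sets nor checks them. A server can therefore report compliant here while sending no audit records, which matters if this assignment is counted as the audit-logging control. I would state the dependency in `description`, e.g. `"... Audit and slow-query logs are collected only if the corresponding server parameters are enabled on the server."`, and cover the parameter with a separate audit policy.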
@@ -0,0 +1,189 @@ +{ + "name": "Deploy-Diagnostics-MediaService", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Azure Media Service to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Azure Media Service to stream to a Log Analytics workspace when any Azure Media Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Media/mediaServices" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + 
"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Media/mediaServices/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "category": "KeyDeliveryRequests", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file 
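Review bot: The `logs` array in Deploy-Diagnostics-MediaService enables only the `KeyDeliveryRequests` category, while `description` says the policy sets "all metrics and category enabled". Any other category the resource type exposes, now or later, is silently left out, and the `existenceCondition` does not look at categories, so the gap would not show up as non-compliance. The MlWorkspace definition that follows has the same shape with 26 hard-coded categories, and LoadBalancer, LogicAppsISE and MariaDB enumerate theirs too. At minimum the description should name what is collected, e.g. `"... enables AllMetrics and the KeyDeliveryRequests log category"`. A category-group setting would avoid the drift, but it needs a newer diagnosticSettings API version than `2017-05-01-preview`, and its availability in the target clouds would have to be confirmed.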
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-MlWorkspace.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-MlWorkspace.json
new file mode 100644
index 0000000..6df9c24
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-MlWorkspace.json
@@ -0,0 +1,288 @@ +{ + "name": "Deploy-Diagnostics-MlWorkspace", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Machine Learning workspace to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Machine Learning workspace to stream to a Log Analytics workspace when any Machine Learning workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.2.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.MachineLearningServices/workspaces" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + 
"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.MachineLearningServices/workspaces/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "enabled": false, + "days": 0 + } + } + ], + "logs": [ + { + "category": "AmlComputeClusterEvent", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "AmlComputeClusterNodeEvent", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "AmlComputeJobEvent", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "AmlComputeCpuGpuUtilization", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "AmlRunStatusChangedEvent", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "ModelsChangeEvent", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "ModelsReadEvent", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "ModelsActionEvent", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "DeploymentReadEvent", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": 
"DeploymentEventACI", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "DeploymentEventAKS", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "InferencingOperationAKS", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "InferencingOperationACI", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "DataLabelChangeEvent", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "DataLabelReadEvent", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "ComputeInstanceEvent", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "DataStoreChangeEvent", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "DataStoreReadEvent", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "DataSetChangeEvent", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "DataSetReadEvent", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "PipelineChangeEvent", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "PipelineReadEvent", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "RunEvent", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "RunReadEvent", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "EnvironmentChangeEvent", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "EnvironmentReadEvent", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file 
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-MySQL.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-MySQL.json
new file mode 100644
index 0000000..1048f2f
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-MySQL.json
@@ -0,0 +1,193 @@ +{ + "name": "Deploy-Diagnostics-MySQL", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Database for MySQL to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Database for MySQL to stream to a Log Analytics workspace when any Database for MySQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.DBforMySQL/servers" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + 
"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.DBforMySQL/servers/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "category": "MySqlSlowLogs", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "MySqlAuditLogs", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file 
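Review bot: The `existenceCondition` compares `logs.enabled` and `metrics.enabled` with the literal `"true"`, while the deployment sets both from `logsEnabled` / `metricsEnabled`, whose allowed values include `False`. An assignment with either parameter set to `False` deploys a setting that can never satisfy the condition, so the resource stays non-compliant and every remediation run redeploys it. Compare against the parameters instead, e.g. `"equals": "[parameters('logsEnabled')]"` and `"equals": "[parameters('metricsEnabled')]"`. The same hard-coded comparison appears in the NIC, NetworkSecurityGroups, PostgreSQL, PowerBIEmbedded, RedisCache and Relay definitions that follow.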
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-NIC.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-NIC.json
new file mode 100644
index 0000000..daca6b4
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-NIC.json
@@ -0,0 +1,161 @@ +{ + "name": "Deploy-Diagnostics-NIC", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Network Interfaces to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Network Interfaces to stream to a Log Analytics workspace when any Network Interfaces which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Network/networkInterfaces" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + 
"type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Network/networkInterfaces/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "timeGrain": null, + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "enabled": false, + "days": 0 + } + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-NetworkSecurityGroups.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-NetworkSecurityGroups.json new file mode 100644 index 0000000..e784336 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-NetworkSecurityGroups.json 
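Review bot: The two `roleDefinitionIds` are bare GUIDs, and nothing in the definition says what the remediation identity is granted. They correspond to the built-in Monitoring Contributor and Log Analytics Contributor roles, and the `logAnalytics` parameter text already implies the identity needs rights on the workspace. That is a wider grant than writing a single diagnostic setting needs, so whoever approves an assignment should be able to see it without looking the GUIDs up. I would name both roles in the `description`, for example by appending `Remediation uses the Monitoring Contributor and Log Analytics Contributor roles.` Every definition in this part of the patch carries the same pair.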
@@ -0,0 +1,161 @@ +{ + "name": "Deploy-Diagnostics-NetworkSecurityGroups", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Network Security Groups to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Network Security Groups to stream to a Log Analytics workspace when any Network Security Groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Network/networkSecurityGroups" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": 
"String" + }, + "profileName": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Network/networkSecurityGroups/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [], + "logs": [ + { + "category": "NetworkSecurityGroupEvent", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "NetworkSecurityGroupRuleCounter", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-PostgreSQL.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-PostgreSQL.json new file mode 100644 index 0000000..9ab8c8b --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-PostgreSQL.json 
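Review bot: The `existenceCondition` asks only for `logs.enabled` equal to `"true"` and a matching `workspaceId`, so it does not pin the two categories the template deploys. A setting named by `profileName` with only one of `NetworkSecurityGroupEvent` / `NetworkSecurityGroupRuleCounter` enabled may well evaluate as compliant; how the non-`[*]` alias treats mixed entries should be confirmed. For a security log source I would count the enabled categories explicitly, replacing the `logs.enabled` entry inside `allOf` with the condition below.

```json
{
  "count": {
    "field": "Microsoft.Insights/diagnosticSettings/logs[*]",
    "where": {
      "allOf": [
        {
          "field": "Microsoft.Insights/diagnosticSettings/logs[*].category",
          "in": [
            "NetworkSecurityGroupEvent",
            "NetworkSecurityGroupRuleCounter"
          ]
        },
        {
          "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled",
          "equals": "true"
        }
      ]
    }
  },
  "equals": 2
}
```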
@@ -0,0 +1,197 @@ +{ + "name": "Deploy-Diagnostics-PostgreSQL", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Database for PostgreSQL to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Database for PostgreSQL to stream to a Log Analytics workspace when any Database for PostgreSQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.DBforPostgreSQL/servers" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + 
"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.DBforPostgreSQL/servers/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "category": "PostgreSQLLogs", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "QueryStoreRuntimeStatistics", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "QueryStoreWaitStatistics", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file 
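Review bot: The `if` matches only `Microsoft.DBforPostgreSQL/servers`, so a `Microsoft.DBforPostgreSQL/flexibleServers` instance in scope gets no diagnostic setting and is never evaluated for compliance either. The template's resource type is hard-coded to `Microsoft.DBforPostgreSQL/servers/providers/diagnosticSettings`, so widening the `if` alone would not work. Either add a sibling definition for flexible servers, or make the limit visible by changing `displayName` to say `Database for PostgreSQL (single server)`. The MySQL definition above has the same limit for `Microsoft.DBforMySQL/servers`. Whether flexible servers are offered in each cloud listed under `alzCloudEnvironments` should be checked before adding one.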
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-PowerBIEmbedded.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-PowerBIEmbedded.json
new file mode 100644
index 0000000..e3988db
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-PowerBIEmbedded.json
@@ -0,0 +1,189 @@ +{ + "name": "Deploy-Diagnostics-PowerBIEmbedded", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Power BI Embedded to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Power BI Embedded to stream to a Log Analytics workspace when any Power BI Embedded which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.PowerBIDedicated/capacities" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + 
"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.PowerBIDedicated/capacities/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "category": "Engine", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file 
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-RedisCache.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-RedisCache.json
new file mode 100644
index 0000000..44f70db
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-RedisCache.json
@@ -0,0 +1,162 @@ +{ + "name": "Deploy-Diagnostics-RedisCache", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Redis Cache to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Redis Cache to stream to a Log Analytics workspace when any Redis Cache which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": 
"Microsoft.Cache/redis" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Cache/redis/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": 
"[parameters('metricsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-Relay.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-Relay.json new file mode 100644 index 0000000..f8595c8 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-Relay.json 
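Review bot: The template deploys `"logs": []` and the `existenceCondition` tests only `metrics.enabled`, yet the `description` says the policy sets "all metrics and category enabled". Anyone relying on the description would assume Redis resource logs reach the workspace, when none are configured here. Either reword the sentence to `The Policy enables the AllMetrics category only; no resource logs are collected.` or, if the target clouds expose a log category for `Microsoft.Cache/redis`, add it behind a `logsEnabled` parameter as the Relay definition does. The NIC definition above has the same mismatch, since its template configures `metrics` only.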
@@ -0,0 +1,189 @@ +{ + "name": "Deploy-Diagnostics-Relay", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Relay to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Relay to stream to a Log Analytics workspace when any Relay which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + 
"False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Relay/namespaces" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Relay/namespaces/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": 
false + }, + "timeGrain": null + } + ], + "logs": [ + { + "category": "HybridConnectionsEvent", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-SQLElasticPools.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-SQLElasticPools.json new file mode 100644 index 0000000..2cf6fe6 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-SQLElasticPools.json 
@@ -0,0 +1,162 @@ +{ + "name": "Deploy-Diagnostics-SQLElasticPools", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for SQL Elastic Pools to Log Analytics workspace", + "description": "Deploys the diagnostic settings for SQL Elastic Pools to stream to a Log Analytics workspace when any SQL Elastic Pools which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Sql/servers/elasticPools" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + 
"type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Sql/servers/elasticPools/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('fullName')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-SQLMI.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-SQLMI.json new file mode 100644 index 0000000..d838026 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-SQLMI.json 
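Review bot: The `existenceCondition` in Deploy-Diagnostics-SQLElasticPools compares `Microsoft.Insights/diagnosticSettings/metrics.enabled` with the literal `"true"`, while the `metricsEnabled` parameter also allows `"False"`. An assignment that sets `metricsEnabled` to `False` would deploy a setting that cannot satisfy this condition, so the resource would presumably stay non-compliant and be redeployed by each remediation. Consider `"equals": "[parameters('metricsEnabled')]"` in the condition, or remove `False` from `allowedValues` if a disabled stream is never intended. The same literal comparison appears in the SQLMI, SignalR, TimeSeriesInsights, TrafficManager, VM and VMSS definitions in this commit, including for `logs.enabled` where that field is checked.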
@@ -0,0 +1,164 @@ +{ + "name": "Deploy-Diagnostics-SQLMI", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for SQL Managed Instances to Log Analytics workspace", + "description": "Deploys the diagnostic settings for SQL Managed Instances to stream to a Log Analytics workspace when any SQL Managed Instances which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Sql/managedInstances" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, 
+ "profileName": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Sql/managedInstances/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "logs": [ + { + "category": "ResourceUsageStats", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "SQLSecurityAuditEvents", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "DevOpsOperationsAudit", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-SignalR.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-SignalR.json new file mode 100644 index 0000000..e9a395c --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-SignalR.json 
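Review bot: The `description` of Deploy-Diagnostics-SQLMI says the policy sets the diagnostic "with all metrics and category enabled", but the template has no `metrics` block and no `metricsEnabled` parameter. It enables only the three enumerated log categories, `ResourceUsageStats`, `SQLSecurityAuditEvents` and `DevOpsOperationsAudit`. Anyone relying on the description to judge audit coverage would overestimate what is collected. Suggest rewording to something like `Deploys diagnostic settings that stream the ResourceUsageStats, SQLSecurityAuditEvents and DevOpsOperationsAudit log categories of SQL Managed Instances to a Log Analytics workspace.` Because the categories are listed by name, any other category the resource type offers is not forwarded, which the description could also state.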
@@ -0,0 +1,185 @@ +{ + "name": "Deploy-Diagnostics-SignalR", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for SignalR to Log Analytics workspace", + "description": "Deploys the diagnostic settings for SignalR to stream to a Log Analytics workspace when any SignalR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + 
"True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.SignalRService/SignalR" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SignalRService/SignalR/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "category": 
"AllLogs", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-TimeSeriesInsights.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-TimeSeriesInsights.json new file mode 100644 index 0000000..ca3dfcc --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-TimeSeriesInsights.json 
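Review bot: The `existenceCondition` in Deploy-Diagnostics-SignalR checks only `metrics.enabled` and `workspaceId`, although the template also deploys an `AllLogs` log category controlled by `logsEnabled`. A SignalR resource whose diagnostic setting has metrics on and logs off would be evaluated as compliant, so the missing log stream would never be remediated. Add `{ "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", "equals": "true" }` to the `allOf`, as the TimeSeriesInsights and TrafficManager definitions in this commit already do.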
@@ -0,0 +1,193 @@ +{ + "name": "Deploy-Diagnostics-TimeSeriesInsights", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Time Series Insights to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Time Series Insights to stream to a Log Analytics workspace when any Time Series Insights which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.TimeSeriesInsights/environments" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + 
"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.TimeSeriesInsights/environments/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "category": "Ingress", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "Management", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file 
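Review bot: `roleDefinitionIds` in Deploy-Diagnostics-TimeSeriesInsights lists two bare role GUIDs, and nothing in the definition says which roles they are or why both are needed. They appear to be the built-in Monitoring Contributor and Log Analytics Contributor roles, which the assignment's managed identity would receive; that is considerably broader than writing one diagnostic setting, so it is worth confirming both are required. Since JSON cannot carry comments, the role names and the reason for each could go in the `description` or `metadata`, e.g. `Remediation identity requires Monitoring Contributor and Log Analytics Contributor.` The same pair is used by every Deploy-Diagnostics definition visible in this commit.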
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-TrafficManager.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-TrafficManager.json new file mode 100644 index 0000000..2bd6593 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-TrafficManager.json 
@@ -0,0 +1,189 @@ +{ + "name": "Deploy-Diagnostics-TrafficManager", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Traffic Manager to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Traffic Manager to stream to a Log Analytics workspace when any Traffic Manager which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Network/trafficManagerProfiles" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + 
"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Network/trafficManagerProfiles/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "category": "ProbeHealthStatusEvents", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file 
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-VM.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-VM.json new file mode 100644 index 0000000..fe19ea1 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-VM.json 
@@ -0,0 +1,161 @@ +{ + "name": "Deploy-Diagnostics-VM", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Virtual Machines to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Virtual Machines to stream to a Log Analytics workspace when any Virtual Machines which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": 
"Microsoft.Compute/virtualMachines" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Compute/virtualMachines/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "enabled": false, + "days": 0 + } + } + ], + "logs": [] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + 
"value": "[parameters('metricsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-VMSS.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-VMSS.json new file mode 100644 index 0000000..3adea47 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-VMSS.json 
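Review bot: `"logs": []` in the Deploy-Diagnostics-VM template means this definition forwards only the `AllMetrics` category, yet the `description` says the policy sets the diagnostic "with all metrics and category enabled". For virtual machines that wording can be read as covering log collection, which this setting does not configure; guest OS logs would need a separate collection mechanism. Suggest a description such as `Deploys diagnostic settings that stream platform metrics (AllMetrics) of Virtual Machines to a Log Analytics workspace; no log categories are configured.` The VMSS and SQLElasticPools definitions in this commit have the same empty `logs` array and the same description text.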
@@ -0,0 +1,161 @@ +{ + "name": "Deploy-Diagnostics-VMSS", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Virtual Machine Scale Sets to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Virtual Machine Scale Sets to stream to a Log Analytics workspace when any Virtual Machine Scale Sets which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Compute/virtualMachineScaleSets" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { 
+ "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Compute/virtualMachineScaleSets/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "enabled": false, + "days": 0 + } + } + ], + "logs": [] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-VNetGW.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-VNetGW.json new file mode 100644 index 0000000..04f1202 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-VNetGW.json 
@@ -0,0 +1,209 @@ +{ + "name": "Deploy-Diagnostics-VNetGW", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for VPN Gateway to Log Analytics workspace", + "description": "Deploys the diagnostic settings for VPN Gateway to stream to a Log Analytics workspace when any VPN Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + 
"allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Network/virtualNetworkGateways" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Network/virtualNetworkGateways/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": 
"[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "category": "GatewayDiagnosticLog", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "IKEDiagnosticLog", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "P2SDiagnosticLog", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "RouteDiagnosticLog", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "RouteDiagnosticLog", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "TunnelDiagnosticLog", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-VirtualNetwork.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-VirtualNetwork.json new file mode 100644 index 0000000..9dbde3a --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-VirtualNetwork.json 
@@ -0,0 +1,188 @@ +{ + "name": "Deploy-Diagnostics-VirtualNetwork", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Virtual Network to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Virtual Network to stream to a Log Analytics workspace when any Virtual Network which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Network/virtualNetworks" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + 
"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Network/virtualNetworks/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "enabled": false, + "days": 0 + } + } + ], + "logs": [ + { + "category": "VMProtectionAlerts", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file 
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-WVDAppGroup.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-WVDAppGroup.json
new file mode 100644
index 0000000..5db3014
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-WVDAppGroup.json
@@ -0,0 +1,164 @@ +{ + "name": "Deploy-Diagnostics-WVDAppGroup", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for AVD Application group to Log Analytics workspace", + "description": "Deploys the diagnostic settings for AVD Application group to stream to a Log Analytics workspace when any application group which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all and categorys enabled.", + "metadata": { + "version": "1.1.1", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.DesktopVirtualization/applicationGroups" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + 
"type": "String" + }, + "profileName": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.DesktopVirtualization/applicationGroups/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "logs": [ + { + "category": "Checkpoint", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "Error", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "Management", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-WVDHostPools.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-WVDHostPools.json new file mode 100644 index 0000000..172476b --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-WVDHostPools.json 
@@ -0,0 +1,184 @@ +{ + "name": "Deploy-Diagnostics-WVDHostPools", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for AVD Host Pools to Log Analytics workspace", + "description": "Deploys the diagnostic settings for AVD Host Pools to stream to a Log Analytics workspace when any Host Pools which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all and categorys enabled.", + "metadata": { + "version": "1.2.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": 
"Microsoft.DesktopVirtualization/hostpools" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.DesktopVirtualization/hostpools/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "logs": [ + { + "category": "Checkpoint", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "Error", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "Management", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "Connection", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "HostRegistration", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "AgentHealthStatus", + "enabled": 
"[parameters('logsEnabled')]" + }, + { + "category": "NetworkData", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "SessionHostManagement", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-WVDWorkspace.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-WVDWorkspace.json new file mode 100644 index 0000000..215102a --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-WVDWorkspace.json 
@@ -0,0 +1,168 @@ +{ + "name": "Deploy-Diagnostics-WVDWorkspace", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for AVD Workspace to Log Analytics workspace", + "description": "Deploys the diagnostic settings for AVD Workspace to stream to a Log Analytics workspace when any Workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all and categorys enabled.", + "metadata": { + "version": "1.1.1", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": 
"Microsoft.DesktopVirtualization/workspaces" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.DesktopVirtualization/workspaces/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "logs": [ + { + "category": "Checkpoint", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "Error", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "Management", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "Feed", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": 
"[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-WebServerFarm.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-WebServerFarm.json new file mode 100644 index 0000000..ba52b22 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-WebServerFarm.json 
@@ -0,0 +1,162 @@ +{ + "name": "Deploy-Diagnostics-WebServerFarm", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for App Service Plan to Log Analytics workspace", + "description": "Deploys the diagnostic settings for App Service Plan to stream to a Log Analytics workspace when any App Service Plan which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Web/serverfarms" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": 
"String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Web/serverfarms/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-Website.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-Website.json new file mode 100644 index 0000000..ef9a668 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-Website.json 
@@ -0,0 +1,229 @@ +{ + "name": "Deploy-Diagnostics-Website", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for App Service to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Web App to stream to a Log Analytics workspace when any Web App which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ 
+ "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Web/sites" + }, + { + "value": "[field('kind')]", + "notContains": "functionapp" + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Web/sites/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + 
"enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "category": "AppServiceAntivirusScanAuditLogs", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "AppServiceHTTPLogs", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "AppServiceConsoleLogs", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "AppServiceHTTPLogs", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "AppServiceAppLogs", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "AppServiceFileAuditLogs", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "AppServiceAuditLogs", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "AppServiceIPSecAuditLogs", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "AppServicePlatformLogs", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-iotHub.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-iotHub.json new file mode 100644 index 0000000..2ab78fb --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-iotHub.json 
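Review bot: The `logs` array of the deployed diagnostic setting lists `AppServiceHTTPLogs` twice, once after `AppServiceAntivirusScanAuditLogs` and again after `AppServiceConsoleLogs`. Whether the diagnostic settings API tolerates a repeated category is not visible here. If it rejects the request, the remediation deployment fails and none of the audit categories (`AppServiceAuditLogs`, `AppServiceIPSecAuditLogs`) reach the workspace. I would delete the second `{ "category": "AppServiceHTTPLogs", "enabled": "[parameters('logsEnabled')]" }` entry so each category appears once.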
@@ -0,0 +1,241 @@ +{ + "name": "Deploy-Diagnostics-iotHub", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for IoT Hub to Log Analytics workspace", + "description": "Deploys the diagnostic settings for IoT Hub to stream to a Log Analytics workspace when any IoT Hub which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + 
"True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Devices/IotHubs" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Devices/IotHubs/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + 
"enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "category": "Connections", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "DeviceTelemetry", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "C2DCommands", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "DeviceIdentityOperations", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "FileUploadOperations", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "Routes", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "D2CTwinOperations", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "C2DTwinOperations", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "TwinQueries", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "JobsOperations", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "DirectMethods", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "DistributedTracing", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "Configurations", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "DeviceStreams", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file 
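Review bot: The `existenceCondition` compares `logs.enabled` and `metrics.enabled` with the literal `"true"`, while `logsEnabled` and `metricsEnabled` both allow `"False"`. An assignment that sets either parameter to `False` deploys a setting that can never satisfy the condition, so the resource stays non-compliant and is remediated again; the Deploy-Diagnostics-Website definition earlier in this patch has the same pattern. Comparing against the parameters, `"equals": "[parameters('logsEnabled')]"` and `"equals": "[parameters('metricsEnabled')]"`, keeps evaluation and deployment in agreement. The condition also does not check which log categories are present, so a setting with only some categories enabled on the right workspace would presumably count as compliant; a sentence in `description` would make that limit visible.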
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-FirewallPolicy.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-FirewallPolicy.json
new file mode 100644
index 0000000..ede0b6c
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-FirewallPolicy.json
@@ -0,0 +1,167 @@
+{
+ "name": "Deploy-FirewallPolicy",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "mode": "All",
+ "displayName": "Deploy Azure Firewall Manager policy in the subscription",
+ "description": "Deploys Azure Firewall Manager policy in subscription where the policy is assigned.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Network",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "fwpolicy": {
+ "type": "Object",
+ "metadata": {
+ "displayName": "fwpolicy",
+ "description": "Object describing Azure Firewall Policy"
+ },
+ "defaultValue": {}
+ },
+ "fwPolicyRegion": {
+ "type": "String",
+ "metadata": {
+ "displayName": "fwPolicyRegion",
+ "description": "Select Azure region for Azure Firewall Policy",
+ "strongType": "location"
+ }
+ },
+ "rgName": {
+ "type": "String",
+ "metadata": {
+ "displayName": "rgName",
+ "description": "Provide name for resource group."
+ }
+ },
+ "effect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Resources/subscriptions"
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]",
+ "details": {
+ "type": "Microsoft.Network/firewallPolicies",
+ "deploymentScope": "subscription",
+ "existenceScope": "resourceGroup",
+ "resourceGroupName": "[parameters('rgName')]",
+ "roleDefinitionIds": [
+ "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
+ ],
+ "deployment": {
+ "location": "northeurope",
+ "properties": {
+ "mode": "Incremental",
+ "parameters": {
+ "rgName": {
+ "value": "[parameters('rgName')]"
+ },
+ "fwPolicy": {
+ "value": "[parameters('fwPolicy')]"
+ },
+ "fwPolicyRegion": {
+ "value": "[parameters('fwPolicyRegion')]"
+ }
+ },
+ "template": {
+ "$schema": "http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "rgName": {
+ "type": "String"
+ },
+ "fwPolicy": {
+ "type": "object"
+ },
+ "fwPolicyRegion": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Resources/resourceGroups",
+ "apiVersion": "2018-05-01",
+ "name": "[parameters('rgName')]",
+ "location": "[deployment().location]",
+ "properties": {}
+ },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2018-05-01",
+ "name": "fwpolicies",
+ "resourceGroup": "[parameters('rgName')]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/resourceGroups/', parameters('rgName'))]"
+ ],
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json",
+ "contentVersion": "1.0.0.0",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.Network/firewallPolicies",
+ "apiVersion": "2019-09-01",
+ "name": "[parameters('fwpolicy').firewallPolicyName]",
+ "location": "[parameters('fwpolicy').location]",
+ "dependsOn": [],
+ "tags": {},
+ "properties": {},
+ "resources": [
+ {
+ "type": "ruleGroups",
+ "apiVersion": "2019-09-01",
+ "name": "[parameters('fwpolicy').ruleGroups.name]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Network/firewallPolicies',parameters('fwpolicy').firewallPolicyName)]"
+ ],
+ "properties": {
+ "priority": "[parameters('fwpolicy').ruleGroups.properties.priority]",
+ "rules": "[parameters('fwpolicy').ruleGroups.properties.rules]"
+ }
+ }
+ ]
+ }
+ ],
+ "outputs": {}
+ }
+ }
+ }
+ ],
+ "outputs": {}
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-MySQL-sslEnforcement.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-MySQL-sslEnforcement.json
new file mode 100644
index 0000000..7e7290e
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-MySQL-sslEnforcement.json
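Review bot: `deployment.location` is hard-coded to `northeurope`, and the resource group is created with `"location": "[deployment().location]"`, in a definition that sits under `lib/china` and lists `AzureChinaCloud` and `AzureUSGovernment`. That region name is unlikely to be valid in those clouds, so remediation would presumably fail there. `fwPolicyRegion` is declared and passed into the template but no resource reads it; using it for the resource group, `"location": "[parameters('fwPolicyRegion')]"`, and replacing the literal with a region that exists in the target cloud would address both. Separately, `fwpolicy` defaults to `{}` while the template dereferences `parameters('fwpolicy').firewallPolicyName`, so an assignment that omits the object fails only at deployment time; dropping the default makes the parameter mandatory at assignment.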
@@ -0,0 +1,138 @@ +{ + "name": "Deploy-MySQL-sslEnforcement", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Azure Database for MySQL server deploy a specific min TLS version and enforce SSL.", + "description": "Deploy a specific min TLS version requirement and enforce SSL on Azure Database for MySQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.", + "metadata": { + "version": "1.0.0", + "category": "SQL", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect minimum TLS version Azure Database for MySQL server", + "description": "Enable or disable the execution of the policy minimum TLS version Azure Database for MySQL server" + } + }, + "minimalTlsVersion": { + "type": "String", + "defaultValue": "TLS1_2", + "allowedValues": [ + "TLS1_2", + "TLS1_0", + "TLS1_1", + "TLSEnforcementDisabled" + ], + "metadata": { + "displayName": "Select version minimum TLS for MySQL server", + "description": "Select version minimum TLS version Azure Database for MySQL server to enforce" + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.DBforMySQL/servers" + }, + { + "anyOf": [ + { + "field": "Microsoft.DBforMySQL/servers/sslEnforcement", + "notEquals": "Enabled" + }, + { + "field": 
"Microsoft.DBforMySQL/servers/minimalTlsVersion", + "notequals": "[parameters('minimalTlsVersion')]" + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.DBforMySQL/servers", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.DBforMySQL/servers/sslEnforcement", + "equals": "Enabled" + }, + { + "field": "Microsoft.DBforMySQL/servers/minimalTlsVersion", + "equals": "[parameters('minimalTlsVersion')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "minimalTlsVersion": { + "type": "String" + }, + "location": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.DBforMySQL/servers", + "apiVersion": "2017-12-01", + "name": "[concat(parameters('resourceName'))]", + "location": "[parameters('location')]", + "properties": { + "sslEnforcement": "[if(equals(parameters('minimalTlsVersion'), 'TLSEnforcementDisabled'),'Disabled', 'Enabled')]", + "minimalTlsVersion": "[parameters('minimalTlsVersion')]" + } + } + ], + "outputs": {} + }, + "parameters": { + "resourceName": { + "value": "[field('name')]" + }, + "minimalTlsVersion": { + "value": "[parameters('minimalTlsVersion')]" + }, + "location": { + "value": "[field('location')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-MySQLCMKEffect.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-MySQLCMKEffect.json new file mode 100644 index 0000000..ea81774 
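Review bot: `roleDefinitionIds` grants the remediation identity `8e3af657-a8ff-443c-a75c-2fe8c4bcb635`, which is the built-in Owner role as far as I know, in order to change two properties on a MySQL server. Owner includes role-assignment rights, so misuse of that managed identity reaches far beyond this setting; a narrower role is enough, for example the Contributor id `b24988ac-6180-42a0-ab88-20f7382dd24c` that Deploy-FirewallPolicy uses in this patch, or a role limited to the database resource provider. `minimalTlsVersion` also allows `TLS1_0`, `TLS1_1` and `TLSEnforcementDisabled`, and the last value makes the template set `sslEnforcement` to `Disabled`, which the `existenceCondition` (`sslEnforcement` equals `Enabled`) can never accept. I would restrict `allowedValues` to `TLS1_2` unless weaker values are a documented requirement.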
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-MySQLCMKEffect.json
@@ -0,0 +1,62 @@
+{
+ "name": "Deploy-MySQLCMKEffect",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "mode": "Indexed",
+ "displayName": "MySQL servers should use customer-managed keys to encrypt data at rest",
+ "description": "Use customer-managed keys to manage the encryption at rest of your MySQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.",
+ "metadata": {
+ "version": "1.0.4",
+ "category": "SQL",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureChinaCloud"
+ ]
+ },
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ },
+ "allowedValues": [
+ "AuditIfNotExists",
+ "Disabled"
+ ],
+ "defaultValue": "AuditIfNotExists"
+ }
+ },
+ "policyRule": {
+ "if": {
+ "field": "type",
+ "equals": "Microsoft.DBforMySQL/servers"
+ },
+ "then": {
+ "effect": "[parameters('effect')]",
+ "details": {
+ "type": "Microsoft.DBforMySQL/servers/keys",
+ "existenceCondition": {
+ "allOf": [
+ {
+ "field": "Microsoft.DBforMySQL/servers/keys/serverKeyType",
+ "equals": "AzureKeyVault"
+ },
+ {
+ "field": "Microsoft.DBforMySQL/servers/keys/uri",
+ "notEquals": ""
+ },
+ {
+ "field": "Microsoft.DBforMySQL/servers/keys/uri",
+ "exists": "true"
+ }
+ ]
+ }
+ }
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Nsg-FlowLogs-to-LA.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Nsg-FlowLogs-to-LA.json
new file mode 100644
index 0000000..cee5f35
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Nsg-FlowLogs-to-LA.json
@@ -0,0 +1,234 @@ +{ + "name": "Deploy-Nsg-FlowLogs-to-LA", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "[Deprecated] Deploys NSG flow logs and traffic analytics to Log Analytics", + "description": "[Deprecated] Deprecated by built-in policy. Deploys NSG flow logs and traffic analytics to Log Analytics with a specfied retention period.", + "metadata": { + "deprecated": true, + "version": "1.1.0-deprecated", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "retention": { + "type": "Integer", + "metadata": { + "displayName": "Retention" + }, + "defaultValue": 5 + }, + "interval": { + "type": "Integer", + "metadata": { + "displayName": "Traffic Analytics processing interval mins (10/60)" + }, + "defaultValue": 60 + }, + "workspace": { + "type": "String", + "metadata": { + "strongType": "omsWorkspace", + "displayName": "Resource ID of Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID." 
+ }, + "defaultValue": "" + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/networkSecurityGroups" + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Network/networkWatchers/flowlogs", + "name": "[if(empty(coalesce(field('Microsoft.Network/networkSecurityGroups/flowLogs[*].id'))), 'null/null', concat(split(first(field('Microsoft.Network/networkSecurityGroups/flowLogs[*].id')), '/')[8], '/', split(first(field('Microsoft.Network/networkSecurityGroups/flowLogs[*].id')), '/')[10]))]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Network/networkWatchers/flowLogs/enabled", + "equals": "true" + } + ] + }, + "existenceScope": "resourceGroup", + "roleDefinitionIds": [ + "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7", + "/providers/Microsoft.Authorization/roleDefinitions/81a9662b-bebf-436f-a333-f67b29880f12", + "/providers/Microsoft.Authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293", + "/providers/Microsoft.Authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab", + "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c" + ], + "resourceGroupName": "[if(empty(coalesce(field('Microsoft.Network/networkSecurityGroups/flowLogs'))), 'NetworkWatcherRG', split(first(field('Microsoft.Network/networkSecurityGroups/flowLogs[*].id')), '/')[4])]", + "deploymentScope": "subscription", + "deployment": { + "location": "northeurope", + "properties": { + "mode": "Incremental", + "parameters": { + "location": { + "value": "[field('location')]" + }, + "networkSecurityGroup": { + "value": "[field('id')]" + }, + "workspace": 
{ + "value": "[parameters('workspace')]" + }, + "retention": { + "value": "[parameters('retention')]" + }, + "interval": { + "value": "[parameters('interval')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "location": { + "type": "String" + }, + "networkSecurityGroup": { + "type": "String" + }, + "workspace": { + "type": "String" + }, + "retention": { + "type": "int" + }, + "interval": { + "type": "int" + }, + "time": { + "type": "String", + "defaultValue": "[utcNow()]" + } + }, + "variables": { + "resourceGroupName": "[split(parameters('networkSecurityGroup'), '/')[4]]", + "securityGroupName": "[split(parameters('networkSecurityGroup'), '/')[8]]", + "storageAccountName": "[concat('es', uniqueString(variables('securityGroupName'), parameters('time')))]" + }, + "resources": [ + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-10-01", + "name": "[concat(variables('resourceGroupName'), '.', variables('securityGroupName'))]", + "resourceGroup": "[variables('resourceGroupName')]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "type": "Microsoft.Storage/storageAccounts", + "apiVersion": "2019-06-01", + "name": "[variables('storageAccountName')]", + "location": "[parameters('location')]", + "properties": {}, + "kind": "StorageV2", + "sku": { + "name": "Standard_LRS", + "tier": "Standard" + } + } + ] + } + } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-10-01", + "name": "[concat('NetworkWatcherRG', '.', variables('securityGroupName'))]", + "resourceGroup": "NetworkWatcherRG", + "properties": { + "mode": "Incremental", + "template": { + "$schema": 
"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "type": "Microsoft.Network/networkWatchers", + "apiVersion": "2020-05-01", + "name": "[concat('NetworkWatcher_', toLower(parameters('location')))]", + "location": "[parameters('location')]", + "properties": {}, + "resources": [ + { + "type": "flowLogs", + "apiVersion": "2019-11-01", + "name": "[concat(variables('securityGroupName'), '-Network-flowlog')]", + "location": "[parameters('location')]", + "properties": { + "enabled": true, + "format": { + "type": "JSON", + "version": 2 + }, + "retentionPolicy": { + "days": "[parameters('retention')]", + "enabled": true + }, + "flowAnalyticsConfiguration": { + "networkWatcherFlowAnalyticsConfiguration": { + "enabled": true, + "trafficAnalyticsInterval": "[parameters('interval')]", + "workspaceResourceId": "[parameters('workspace')]" + } + }, + "storageId": "[concat(subscription().id, '/resourceGroups/', variables('resourceGroupName'), '/providers/Microsoft.Storage/storageAccounts/', variables('storageAccountName'))]", + "targetResourceId": "[parameters('networkSecurityGroup')]" + }, + "dependsOn": [ + "[concat('NetworkWatcher_', toLower(parameters('location')))]" + ] + } + ] + } + ] + } + }, + "dependsOn": [ + "[concat(variables('resourceGroupName'), '.', variables('securityGroupName'))]" + ] + } + ], + "outputs": {} + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Nsg-FlowLogs.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Nsg-FlowLogs.json new file mode 100644 index 0000000..2a504dd --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Nsg-FlowLogs.json 
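Review bot: The storage account that receives the flow logs is created with `"properties": {}`, so transport and public-access settings are left to platform defaults for data that describes network traffic. Setting them explicitly, e.g. `"properties": { "supportsHttpsTrafficOnly": true, "minimumTlsVersion": "TLS1_2", "allowBlobPublicAccess": false }`, makes the intent auditable; please confirm that API version `2019-06-01` accepts all three. The account name is derived from `uniqueString(variables('securityGroupName'), parameters('time'))` with `time` defaulting to `utcNow()`, so each remediation run appears to create a new account instead of reusing one. `roleDefinitionIds` lists five roles including `b24988ac-6180-42a0-ab88-20f7382dd24c` (Contributor, as far as I know), which makes the narrower ones redundant; trimming the list to what the template needs would reduce what the policy identity can do.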
@@ -0,0 +1,196 @@ +{ + "name": "Deploy-Nsg-FlowLogs", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "[Deprecated] Deploys NSG flow logs and traffic analytics", + "description": "[Deprecated] Deprecated by built-in policy. Deploys NSG flow logs and traffic analytics to a storageaccountid with a specified retention period.", + "metadata": { + "deprecated": true, + "version": "1.0.0-deprecated", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "retention": { + "type": "Integer", + "metadata": { + "displayName": "Retention" + }, + "defaultValue": 5 + }, + "storageAccountResourceId": { + "type": "String", + "metadata": { + "displayName": "Storage Account Resource Id", + "strongType": "Microsoft.Storage/storageAccounts" + } + }, + "trafficAnalyticsInterval": { + "type": "Integer", + "metadata": { + "displayName": "Traffic Analytics processing interval mins (10/60)" + }, + "defaultValue": 60 + }, + "flowAnalyticsEnabled": { + "type": "Boolean", + "metadata": { + "displayName": "Enable Traffic Analytics" + }, + "defaultValue": false + }, + "logAnalytics": { + "type": "String", + "metadata": { + "strongType": "omsWorkspace", + "displayName": "Resource ID of Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID." 
+ }, + "defaultValue": "" + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Network/networkSecurityGroups" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Network/networkWatchers/flowLogs", + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "resourceGroupName": "NetworkWatcherRG", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Network/networkWatchers/flowLogs/enabled", + "equals": "true" + }, + { + "field": "Microsoft.Network/networkWatchers/flowLogs/flowAnalyticsConfiguration.networkWatcherFlowAnalyticsConfiguration.enabled", + "equals": "[parameters('flowAnalyticsEnabled')]" + } + ] + }, + "deployment": { + "properties": { + "mode": "Incremental", + "parameters": { + "networkSecurityGroupName": { + "value": "[field('name')]" + }, + "resourceGroupName": { + "value": "[resourceGroup().name]" + }, + "location": { + "value": "[field('location')]" + }, + "storageAccountResourceId": { + "value": "[parameters('storageAccountResourceId')]" + }, + "retention": { + "value": "[parameters('retention')]" + }, + "flowAnalyticsEnabled": { + "value": "[parameters('flowAnalyticsEnabled')]" + }, + "trafficAnalyticsInterval": { + "value": "[parameters('trafficAnalyticsInterval')]" + }, + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "networkSecurityGroupName": { + "type": "String" + }, + 
"resourceGroupName": { + "type": "String" + }, + "location": { + "type": "String" + }, + "storageAccountResourceId": { + "type": "String" + }, + "retention": { + "type": "int" + }, + "flowAnalyticsEnabled": { + "type": "bool" + }, + "trafficAnalyticsInterval": { + "type": "int" + }, + "logAnalytics": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Network/networkWatchers/flowLogs", + "apiVersion": "2020-05-01", + "name": "[take(concat('NetworkWatcher_', toLower(parameters('location')), '/', parameters('networkSecurityGroupName'), '-', parameters('resourceGroupName'), '-flowlog' ), 80)]", + "location": "[parameters('location')]", + "properties": { + "targetResourceId": "[resourceId(parameters('resourceGroupName'), 'Microsoft.Network/networkSecurityGroups', parameters('networkSecurityGroupName'))]", + "storageId": "[parameters('storageAccountResourceId')]", + "enabled": true, + "retentionPolicy": { + "enabled": true, + "days": "[parameters('retention')]" + }, + "format": { + "type": "JSON", + "version": 2 + }, + "flowAnalyticsConfiguration": { + "networkWatcherFlowAnalyticsConfiguration": { + "enabled": "[bool(parameters('flowAnalyticsEnabled'))]", + "trafficAnalyticsInterval": "[parameters('trafficAnalyticsInterval')]", + "workspaceId": "[if(not(empty(parameters('logAnalytics'))), reference(parameters('logAnalytics'), '2020-03-01-preview', 'Full').properties.customerId, json('null')) ]", + "workspaceRegion": "[if(not(empty(parameters('logAnalytics'))), reference(parameters('logAnalytics'), '2020-03-01-preview', 'Full').location, json('null')) ]", + "workspaceResourceId": "[if(not(empty(parameters('logAnalytics'))), parameters('logAnalytics'), json('null'))]" + } + } + } + } + ], + "outputs": {} + } + } + } + } + } + } + } +} \ No newline at end of file 
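Review bot: The `existenceCondition` never ties the flow log to the NSG being evaluated: it checks only `flowLogs/enabled` and the traffic-analytics flag, and `details` sets `resourceGroupName` to `NetworkWatcherRG` without a `name`. As written, a single enabled flow log in that resource group appears to satisfy the condition for every NSG in the subscription, so NSGs with no flow log can be reported compliant and never remediated. Adding `{ "field": "Microsoft.Network/networkWatchers/flowLogs/targetResourceId", "equals": "[field('id')]" }` to the `allOf` would bind the check to the evaluated NSG. The `retention` default of 5 days is short for incident investigation, and the parameter's metadata has no description saying so.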
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-PostgreSQL-sslEnforcement.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-PostgreSQL-sslEnforcement.json
new file mode 100644
index 0000000..d644cc2
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-PostgreSQL-sslEnforcement.json
@@ -0,0 +1,139 @@ +{ + "name": "Deploy-PostgreSQL-sslEnforcement", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Azure Database for PostgreSQL server deploy a specific min TLS version requirement and enforce SSL ", + "description": "Deploy a specific min TLS version requirement and enforce SSL on Azure Database for PostgreSQL server. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.", + "metadata": { + "version": "1.0.0", + "category": "SQL", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect Azure Database for PostgreSQL server", + "description": "Enable or disable the execution of the policy minimum TLS version Azure Database for PostgreSQL server" + } + }, + "minimalTlsVersion": { + "type": "String", + "defaultValue": "TLS1_2", + "allowedValues": [ + "TLS1_2", + "TLS1_0", + "TLS1_1", + "TLSEnforcementDisabled" + ], + "metadata": { + "displayName": "Select version for PostgreSQL server", + "description": "Select version minimum TLS version Azure Database for PostgreSQL server to enforce" + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.DBforPostgreSQL/servers" + }, + { + "anyOf": [ + { + "field": "Microsoft.DBforPostgreSQL/servers/sslEnforcement", + "notEquals": "Enabled" + }, + { + 
"field": "Microsoft.DBforPostgreSQL/servers/minimalTlsVersion", + "notEquals": "[parameters('minimalTlsVersion')]" + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.DBforPostgreSQL/servers", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.DBforPostgreSQL/servers/sslEnforcement", + "equals": "Enabled" + }, + { + "field": "Microsoft.DBforPostgreSQL/servers/minimalTlsVersion", + "equals": "[parameters('minimalTlsVersion')]" + } + ] + }, + "name": "current", + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "minimalTlsVersion": { + "type": "String" + }, + "location": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.DBforPostgreSQL/servers", + "apiVersion": "2017-12-01", + "name": "[concat(parameters('resourceName'))]", + "location": "[parameters('location')]", + "properties": { + "sslEnforcement": "[if(equals(parameters('minimalTlsVersion'), 'TLSEnforcementDisabled'),'Disabled', 'Enabled')]", + "minimalTlsVersion": "[parameters('minimalTlsVersion')]" + } + } + ], + "outputs": {} + }, + "parameters": { + "resourceName": { + "value": "[field('name')]" + }, + "minimalTlsVersion": { + "value": "[parameters('minimalTlsVersion')]" + }, + "location": { + "value": "[field('location')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file 
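Review bot: The `roleDefinitionIds` entry `8e3af657-a8ff-443c-a75c-2fe8c4bcb635` is the built-in Owner role, so the remediation identity receives Owner at the assignment scope just to set two server properties. The Deploy-SQL-minTLS hunk uses the same ID. A role limited to managing the database servers would be enough here and would keep a compromised or misused policy identity from granting access or touching unrelated resources. Separately, `allowedValues` includes `TLSEnforcementDisabled`, which makes the template write `sslEnforcement: 'Disabled'` while the `existenceCondition` still requires `Enabled`. An assignment with that value would switch SSL off on every matched server and never become compliant, so I would drop it from `allowedValues`.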
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-PostgreSQLCMKEffect.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-PostgreSQLCMKEffect.json
new file mode 100644
index 0000000..3c5c683
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-PostgreSQLCMKEffect.json
@@ -0,0 +1,62 @@
+{
+ "name": "Deploy-PostgreSQLCMKEffect",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "mode": "Indexed",
+ "displayName": "PostgreSQL servers should use customer-managed keys to encrypt data at rest",
+ "description": "Use customer-managed keys to manage the encryption at rest of your PostgreSQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.",
+ "metadata": {
+ "version": "1.0.4",
+ "category": "SQL",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureChinaCloud"
+ ]
+ },
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ },
+ "allowedValues": [
+ "AuditIfNotExists",
+ "Disabled"
+ ],
+ "defaultValue": "AuditIfNotExists"
+ }
+ },
+ "policyRule": {
+ "if": {
+ "field": "type",
+ "equals": "Microsoft.DBforPostgreSQL/servers"
+ },
+ "then": {
+ "effect": "[parameters('effect')]",
+ "details": {
+ "type": "Microsoft.DBforPostgreSQL/servers/keys",
+ "existenceCondition": {
+ "allOf": [
+ {
+ "field": "Microsoft.DBforPostgreSQL/servers/keys/serverKeyType",
+ "equals": "AzureKeyVault"
+ },
+ {
+ "field": "Microsoft.DBforPostgreSQL/servers/keys/uri",
+ "notEquals": ""
+ },
+ {
+ "field": "Microsoft.DBforPostgreSQL/servers/keys/uri",
+ "exists": "true"
+ }
+ ]
+ }
+ }
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Private-DNS-Azure-File-Sync.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Private-DNS-Azure-File-Sync.json
new file mode 100644
index 0000000..fbf43d5
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Private-DNS-Azure-File-Sync.json
@@ -0,0 +1,121 @@ +{ + "name": "Deploy-Private-DNS-Azure-File-Sync", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Configure Azure File Sync to use private DNS zones", + "description": "To access the private endpoint(s) for Storage Sync Service resource interfaces from a registered server, you need to configure your DNS to resolve the correct names to your private endpoint's private IP addresses. This policy creates the requisite Azure Private DNS Zone and A records for the interfaces of your Storage Sync Service private endpoint(s).", + "metadata": { + "version": "1.0.0", + "category": "Storage", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureChinaCloud" + ] + }, + "parameters": { + "privateDnsZoneId": { + "type": "String", + "metadata": { + "displayName": "privateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/privateEndpoints" + }, + { + "count": { + "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]", + "where": { + "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]", + "equals": "afs" + } + }, + "greaterOrEquals": 1 + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups", + "roleDefinitionIds": [ + "/providers/Microsoft.Authorization/roleDefinitions/b12aa53e-6015-4669-85d0-8515ebb3ae7f", + 
"/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7" + ], + "deployment": { + "properties": { + "mode": "incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "privateDnsZoneId": { + "type": "string" + }, + "privateEndpointName": { + "type": "string" + }, + "location": { + "type": "string" + } + }, + "resources": [ + { + "name": "[concat(parameters('privateEndpointName'), '/deployedByPolicy')]", + "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups", + "apiVersion": "2020-03-01", + "location": "[parameters('location')]", + "properties": { + "privateDnsZoneConfigs": [ + { + "name": "privatelink-afs", + "properties": { + "privateDnsZoneId": "[parameters('privateDnsZoneId')]" + } + } + ] + } + } + ] + }, + "parameters": { + "privateDnsZoneId": { + "value": "[parameters('privateDnsZoneId')]" + }, + "privateEndpointName": { + "value": "[field('name')]" + }, + "location": { + "value": "[field('location')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Private-DNS-Azure-KeyVault.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Private-DNS-Azure-KeyVault.json new file mode 100644 index 0000000..39500ad --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Private-DNS-Azure-KeyVault.json 
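Review bot: The `privateDnsZoneId` parameter metadata has no `"assignPermissions": true`, although the Deploy-Private-DNS-Azure-KeyVault definition in this commit sets it; the Deploy-Private-DNS-Azure-Web hunk omits it as well. Where the private DNS zone sits outside the assignment scope (for example in a separate connectivity subscription), the remediation identity presumably gets no role on the zone and the `privateDnsZoneGroups` deployment fails until someone grants access by hand. Adding `"assignPermissions": true` next to `strongType` in both definitions would make the three policies consistent. The `details` block also has no `existenceCondition`, so any existing zone group on the endpoint counts as compliant whichever zone it points to, and the description does not mention that.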
@@ -0,0 +1,122 @@ +{ + "name": "Deploy-Private-DNS-Azure-KeyVault", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Preview: Configure Azure Key Vaults to use private DNS zones", + "description": "Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to key vault. Learn more at: https://aka.ms/akvprivatelink.", + "metadata": { + "version": "1.0.0-preview", + "category": "Key Vault", + "source": "https://github.com/Azure/Enterprise-Scale/", + "preview": true, + "alzCloudEnvironments": [ + "AzureChinaCloud" + ] + }, + "parameters": { + "privateDnsZoneId": { + "type": "String", + "metadata": { + "displayName": "Private DNS Zone ID", + "description": "A private DNS zone ID to connect to the private endpoint.", + "strongType": "Microsoft.Network/privateDnsZones", + "assignPermissions": true + } + }, + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/privateEndpoints" + }, + { + "count": { + "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]", + "where": { + "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]", + "equals": "vault" + } + }, + "greaterOrEquals": 1 + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups", + "roleDefinitionIds": [ + "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7" + ], + "deployment": { + "properties": { + "mode": "incremental", 
+ "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "privateDnsZoneId": { + "type": "string" + }, + "privateEndpointName": { + "type": "string" + }, + "location": { + "type": "string" + } + }, + "resources": [ + { + "name": "[concat(parameters('privateEndpointName'), '/deployedByPolicy')]", + "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups", + "apiVersion": "2020-03-01", + "location": "[parameters('location')]", + "properties": { + "privateDnsZoneConfigs": [ + { + "name": "keyvault-privateDnsZone", + "properties": { + "privateDnsZoneId": "[parameters('privateDnsZoneId')]" + } + } + ] + } + } + ] + }, + "parameters": { + "privateDnsZoneId": { + "value": "[parameters('privateDnsZoneId')]" + }, + "privateEndpointName": { + "value": "[field('name')]" + }, + "location": { + "value": "[field('location')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Private-DNS-Azure-Web.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Private-DNS-Azure-Web.json new file mode 100644 index 0000000..c677c5d --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Private-DNS-Azure-Web.json 
@@ -0,0 +1,120 @@ +{ + "name": "Deploy-Private-DNS-Azure-Web", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Configure Azure Web PubSub Service to use private DNS zones", + "description": "Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Web PubSub service. Learn more at: https://aka.ms/awps/privatelink.", + "metadata": { + "version": "1.0.0", + "category": "Web PubSub", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureChinaCloud" + ] + }, + "parameters": { + "privateDnsZoneId": { + "type": "String", + "metadata": { + "displayName": "Private DNS Zone Id", + "description": "Private DNS zone to integrate with private endpoint.", + "strongType": "Microsoft.Network/privateDnsZones" + } + }, + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/privateEndpoints" + }, + { + "count": { + "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]", + "where": { + "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]", + "equals": "webpubsub" + } + }, + "greaterOrEquals": 1 + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups", + "roleDefinitionIds": [ + "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7" + ], + "deployment": { + "properties": { + "mode": "incremental", + "template": { + "$schema": 
"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "privateDnsZoneId": { + "type": "string" + }, + "privateEndpointName": { + "type": "string" + }, + "location": { + "type": "string" + } + }, + "resources": [ + { + "name": "[concat(parameters('privateEndpointName'), '/deployedByPolicy')]", + "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups", + "apiVersion": "2020-03-01", + "location": "[parameters('location')]", + "properties": { + "privateDnsZoneConfigs": [ + { + "name": "privatelink-webpubsub-azure-com", + "properties": { + "privateDnsZoneId": "[parameters('privateDnsZoneId')]" + } + } + ] + } + } + ] + }, + "parameters": { + "privateDnsZoneId": { + "value": "[parameters('privateDnsZoneId')]" + }, + "privateEndpointName": { + "value": "[field('name')]" + }, + "location": { + "value": "[field('location')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-SQL-minTLS.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-SQL-minTLS.json new file mode 100644 index 0000000..07fa3ff --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-SQL-minTLS.json 
@@ -0,0 +1,125 @@ +{ + "name": "Deploy-SQL-minTLS", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "SQL servers deploys a specific min TLS version requirement.", + "description": "Deploys a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.", + "metadata": { + "version": "1.0.0", + "category": "SQL", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect SQL servers", + "description": "Enable or disable the execution of the policy minimum TLS version SQL servers" + } + }, + "minimalTlsVersion": { + "type": "String", + "defaultValue": "1.2", + "allowedValues": [ + "1.2", + "1.1", + "1.0" + ], + "metadata": { + "displayName": "Select version for SQL server", + "description": "Select version minimum TLS version SQL servers to enforce" + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Sql/servers" + }, + { + "field": "Microsoft.Sql/servers/minimalTlsVersion", + "notequals": "[parameters('minimalTlsVersion')]" + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Sql/servers", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Sql/servers/minimalTlsVersion", + "equals": 
"[parameters('minimalTlsVersion')]" + } + ] + }, + "name": "current", + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "minimalTlsVersion": { + "type": "String" + }, + "location": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Sql/servers", + "apiVersion": "2019-06-01-preview", + "name": "[concat(parameters('resourceName'))]", + "location": "[parameters('location')]", + "properties": { + "minimalTlsVersion": "[parameters('minimalTlsVersion')]" + } + } + ], + "outputs": {} + }, + "parameters": { + "resourceName": { + "value": "[field('name')]" + }, + "minimalTlsVersion": { + "value": "[parameters('minimalTlsVersion')]" + }, + "location": { + "value": "[field('location')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Sql-AuditingSettings.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Sql-AuditingSettings.json new file mode 100644 index 0000000..dba8a54 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Sql-AuditingSettings.json 
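Review bot: The rule compares `minimalTlsVersion` with `notequals` rather than treating the parameter as a floor, and `allowedValues` still offers `1.1` and `1.0`. An assignment that picks one of those would flag a server already at `1.2` as non-compliant and the template would set it back to the weaker version. Restricting the parameter to `"allowedValues": [ "1.2" ]` removes the downgrade path without touching the rule. The description also says the policy will "enforce SSL", but the template only writes `minimalTlsVersion`, so the wording overstates what is deployed.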
@@ -0,0 +1,125 @@ +{ + "name": "Deploy-Sql-AuditingSettings", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy SQL database auditing settings", + "description": "Deploy auditing settings to SQL Database when it not exist in the deployment", + "metadata": { + "version": "1.0.0", + "category": "SQL", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Sql/servers/databases" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Sql/servers/databases/auditingSettings", + "name": "default", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Sql/servers/databases/auditingSettings/state", + "equals": "enabled" + }, + { + "field": "Microsoft.Sql/servers/databases/auditingSettings/isAzureMonitorTargetEnabled", + "equals": "true" + } + ] + }, + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "location": { + "type": "String" + }, + "sqlServerName": { + "type": "String" + }, + "sqlServerDataBaseName": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "name": "[concat( parameters('sqlServerName'),'/',parameters('sqlServerDataBaseName'),'/default')]", + "type": "Microsoft.Sql/servers/databases/auditingSettings", + "apiVersion": "2017-03-01-preview", + 
"properties": { + "state": "enabled", + "auditActionsAndGroups": [ + "BATCH_COMPLETED_GROUP", + "DATABASE_OBJECT_CHANGE_GROUP", + "SCHEMA_OBJECT_CHANGE_GROUP", + "BACKUP_RESTORE_GROUP", + "APPLICATION_ROLE_CHANGE_PASSWORD_GROUP", + "DATABASE_PRINCIPAL_CHANGE_GROUP", + "DATABASE_PRINCIPAL_IMPERSONATION_GROUP", + "DATABASE_ROLE_MEMBER_CHANGE_GROUP", + "USER_CHANGE_PASSWORD_GROUP", + "DATABASE_OBJECT_OWNERSHIP_CHANGE_GROUP", + "DATABASE_OBJECT_PERMISSION_CHANGE_GROUP", + "DATABASE_PERMISSION_CHANGE_GROUP", + "SCHEMA_OBJECT_PERMISSION_CHANGE_GROUP", + "SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP", + "FAILED_DATABASE_AUTHENTICATION_GROUP" + ], + "isAzureMonitorTargetEnabled": true + } + } + ], + "outputs": {} + }, + "parameters": { + "location": { + "value": "[field('location')]" + }, + "sqlServerName": { + "value": "[first(split(field('fullname'),'/'))]" + }, + "sqlServerDataBaseName": { + "value": "[field('name')]" + } + } + } + }, + "roleDefinitionIds": [ + "/providers/Microsoft.Authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3" + ] + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Sql-SecurityAlertPolicies.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Sql-SecurityAlertPolicies.json new file mode 100644 index 0000000..426cafe --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Sql-SecurityAlertPolicies.json 
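Review bot: The template sets `isAzureMonitorTargetEnabled: true` but deploys no diagnostic setting, and the `existenceCondition` checks only that flag and `state`. As far as I can tell, audit events sent to the Azure Monitor target are delivered only once a diagnostic setting on the database routes the SQL audit category to a workspace, storage account or event hub. A database can therefore be compliant under this policy while its audit records go nowhere. I would say so in the `description`, for example `"Requires a diagnostic setting that routes SQL security audit events to a destination; this policy does not create one."`, or pair this definition with the diagnostic-settings policy in the same initiative. The `location` template parameter is declared and passed but never used by the resource.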
@@ -0,0 +1,112 @@
+{
+ "name": "Deploy-Sql-SecurityAlertPolicies",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "mode": "Indexed",
+ "displayName": "Deploy SQL Database security Alert Policies configuration with email admin accounts",
+ "description": "Deploy the security Alert Policies configuration with email admin accounts when it not exist in current configuration",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "SQL",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ }
+ },
+ "policyRule": {
+ "if": {
+ "field": "type",
+ "equals": "Microsoft.Sql/servers/databases"
+ },
+ "then": {
+ "effect": "[parameters('effect')]",
+ "details": {
+ "type": "Microsoft.Sql/servers/databases/securityAlertPolicies",
+ "existenceCondition": {
+ "allOf": [
+ {
+ "field": "Microsoft.Sql/servers/databases/securityAlertPolicies/state",
+ "equals": "Enabled"
+ }
+ ]
+ },
+ "deployment": {
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "location": {
+ "type": "String"
+ },
+ "sqlServerName": {
+ "type": "String"
+ },
+ "sqlServerDataBaseName": {
+ "type": "String"
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "name": "[concat(parameters('sqlServerName'),'/',parameters('sqlServerDataBaseName'),'/default')]",
+ "type": "Microsoft.Sql/servers/databases/securityAlertPolicies",
+ "apiVersion": "2018-06-01-preview",
+ "properties": {
+ "state": "Enabled",
+ "disabledAlerts": [
+ ""
+ ],
+ "emailAddresses": [
+ "admin@contoso.com"
+ ],
+ "emailAccountAdmins": true,
+ "storageEndpoint": null,
+ "storageAccountAccessKey": "",
+ "retentionDays": 0
+ }
+ }
+ ],
+ "outputs": {}
+ },
+ "parameters": {
+ "location": {
+ "value": "[field('location')]"
+ },
+ "sqlServerName": {
+ "value": "[first(split(field('fullname'),'/'))]"
+ },
+ "sqlServerDataBaseName": {
+ "value": "[field('name')]"
+ }
+ }
+ }
+ },
+ "roleDefinitionIds": [
+ "/providers/Microsoft.Authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3"
+ ]
+ }
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Sql-Tde.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Sql-Tde.json
new file mode 100644
index 0000000..b8c756e
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Sql-Tde.json
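Review bot: `"emailAddresses": ["admin@contoso.com"]` in the remediation template is a hard-coded placeholder, so every database this policy remediates would send its security alerts to an address outside the tenant's control. The existence condition checks only that `state` equals `Enabled`, so those databases are then reported compliant and the wrong recipient is never corrected. The recipient list should be an assignment-time value: declare an `Array` policy parameter (for example `emailAddresses`), pass it through the deployment `parameters` into the template, and set `"emailAddresses": "[parameters('emailAddresses')]"` on the resource.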
@@ -0,0 +1,102 @@
+{
+ "name": "Deploy-Sql-Tde",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "mode": "Indexed",
+ "displayName": "Deploy SQL Database Transparent Data Encryption ",
+ "description": "Deploy the Transparent Data Encryption when it is not enabled in the deployment",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "SQL",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ }
+ },
+ "policyRule": {
+ "if": {
+ "field": "type",
+ "equals": "Microsoft.Sql/servers/databases"
+ },
+ "then": {
+ "effect": "[parameters('effect')]",
+ "details": {
+ "type": "Microsoft.Sql/servers/databases/transparentDataEncryption",
+ "existenceCondition": {
+ "allOf": [
+ {
+ "field": "Microsoft.Sql/transparentDataEncryption.status",
+ "equals": "Enabled"
+ }
+ ]
+ },
+ "deployment": {
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "location": {
+ "type": "String"
+ },
+ "sqlServerName": {
+ "type": "String"
+ },
+ "sqlServerDataBaseName": {
+ "type": "String"
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "name": "[concat( parameters('sqlServerName'),'/',parameters('sqlServerDataBaseName'),'/current')]",
+ "type": "Microsoft.Sql/servers/databases/transparentDataEncryption",
+ "apiVersion": "2014-04-01",
+ "properties": {
+ "status": "Enabled"
+ }
+ }
+ ],
+ "outputs": {}
+ },
+ "parameters": {
+ "location": {
+ "value": "[field('location')]"
+ },
+ "sqlServerName": {
+ "value": "[first(split(field('fullname'),'/'))]"
+ },
+ "sqlServerDataBaseName": {
+ "value": "[field('name')]"
+ }
+ }
+ }
+ },
+ "roleDefinitionIds": [
+ "/providers/Microsoft.Authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3"
+ ]
+ }
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Sql-vulnerabilityAssessments.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Sql-vulnerabilityAssessments.json
new file mode 100644
index 0000000..5b254fd
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Sql-vulnerabilityAssessments.json
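Review bot: The `if` rule matches every `Microsoft.Sql/servers/databases` resource, which includes each logical server's `master` database. As far as I know TDE cannot be configured on `master`, so remediation would fail there and every server would carry a permanent non-compliant entry, which makes real encryption gaps harder to spot in the compliance view. Consider wrapping the condition in an `allOf` and adding `{ "field": "name", "notEquals": "master" }`.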
@@ -0,0 +1,141 @@
+{
+ "name": "Deploy-Sql-vulnerabilityAssessments",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "mode": "Indexed",
+ "displayName": "Deploy SQL Database vulnerability Assessments",
+ "description": "Deploy SQL Database vulnerability Assessments when it not exist in the deployment. To the specific storage account in the parameters",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "SQL",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "vulnerabilityAssessmentsEmail": {
+ "type": "String",
+ "metadata": {
+ "description": "The email address to send alerts",
+ "displayName": "The email address to send alerts"
+ }
+ },
+ "vulnerabilityAssessmentsStorageID": {
+ "type": "String",
+ "metadata": {
+ "description": "The storage account ID to store assessments",
+ "displayName": "The storage account ID to store assessments"
+ }
+ },
+ "effect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ }
+ },
+ "policyRule": {
+ "if": {
+ "field": "type",
+ "equals": "Microsoft.Sql/servers/databases"
+ },
+ "then": {
+ "effect": "[parameters('effect')]",
+ "details": {
+ "type": "Microsoft.Sql/servers/databases/vulnerabilityAssessments",
+ "existenceCondition": {
+ "allOf": [
+ {
+ "field": "Microsoft.Sql/servers/databases/vulnerabilityAssessments/recurringScans.emails",
+ "equals": "[parameters('vulnerabilityAssessmentsEmail')]"
+ },
+ {
+ "field": "Microsoft.Sql/servers/databases/vulnerabilityAssessments/recurringScans.isEnabled",
+ "equals": true
+ }
+ ]
+ },
+ "deployment": {
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "location": {
+ "type": "String"
+ },
+ "sqlServerName": {
+ "type": "String"
+ },
+ "sqlServerDataBaseName": {
+ "type": "String"
+ },
+ "vulnerabilityAssessmentsEmail": {
+ "type": "String"
+ },
+ "vulnerabilityAssessmentsStorageID": {
+ "type": "String"
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "name": "[concat(parameters('sqlServerName'),'/',parameters('sqlServerDataBaseName'),'/default')]",
+ "type": "Microsoft.Sql/servers/databases/vulnerabilityAssessments",
+ "apiVersion": "2017-03-01-preview",
+ "properties": {
+ "storageContainerPath": "[concat('https://', last( split(parameters('vulnerabilityAssessmentsStorageID') , '/') ) , '.blob.core.windows.net/vulneraabilitylogs')]",
+ "storageAccountAccessKey": "[listkeys(parameters('vulnerabilityAssessmentsStorageID'), providers('Microsoft.Storage', 'storageAccounts').apiVersions[0]).keys[0].value]",
+ "recurringScans": {
+ "isEnabled": true,
+ "emailSubscriptionAdmins": false,
+ "emails": [
+ "[parameters('vulnerabilityAssessmentsEmail')]"
+ ]
+ }
+ }
+ }
+ ],
+ "outputs": {}
+ },
+ "parameters": {
+ "location": {
+ "value": "[field('location')]"
+ },
+ "sqlServerName": {
+ "value": "[first(split(field('fullname'),'/'))]"
+ },
+ "sqlServerDataBaseName": {
+ "value": "[field('name')]"
+ },
+ "vulnerabilityAssessmentsEmail": {
+ "value": "[parameters('vulnerabilityAssessmentsEmail')]"
+ },
+ "vulnerabilityAssessmentsStorageID": {
+ "value": "[parameters('vulnerabilityAssessmentsStorageID')]"
+ }
+ }
+ }
+ },
+ "roleDefinitionIds": [
+ "/providers/Microsoft.Authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3",
+ "/providers/Microsoft.Authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa"
+ ]
+ }
+ }
+ }
+ }
+}
\ No newline at end of file
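Review bot: `storageContainerPath` hard-codes the `.blob.core.windows.net` suffix, although this file sits under `lib/china` and lists `AzureChinaCloud` and `AzureUSGovernment` in `alzCloudEnvironments`; in those clouds the scan output would be pointed at a host name that is not the tenant's storage account. Build the host from the deployment environment instead, e.g. `"storageContainerPath": "[concat('https://', last(split(parameters('vulnerabilityAssessmentsStorageID'),'/')), '.blob.', environment().suffixes.storage, '/vulneraabilitylogs')]"` (the container name is spelled `vulneraabilitylogs`, so it must match whatever creates the container). Separately, `listkeys(...).keys[0].value` hands the account's primary key to every remediated database and `providers(...).apiVersions[0]` lets the API version float. A pinned API version and, where the resource type supports it, a container-scoped SAS in `storageContainerSasKey` would narrow what a leak of this setting exposes.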
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-SqlMi-minTLS.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-SqlMi-minTLS.json
new file mode 100644
index 0000000..237c536
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-SqlMi-minTLS.json
@@ -0,0 +1,125 @@
+{
+ "name": "Deploy-SqlMi-minTLS",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "mode": "Indexed",
+ "displayName": "SQL managed instances deploy a specific min TLS version requirement.",
+ "description": "Deploy a specific min TLS version requirement and enforce SSL on SQL managed instances. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "SQL",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect SQL servers",
+ "description": "Enable or disable the execution of the policy minimum TLS version SQL servers"
+ }
+ },
+ "minimalTlsVersion": {
+ "type": "String",
+ "defaultValue": "1.2",
+ "allowedValues": [
+ "1.2",
+ "1.1",
+ "1.0"
+ ],
+ "metadata": {
+ "displayName": "Select version for SQL server",
+ "description": "Select version minimum TLS version SQL servers to enforce"
+ }
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Sql/managedInstances"
+ },
+ {
+ "field": "Microsoft.Sql/managedInstances/minimalTlsVersion",
+ "notequals": "[parameters('minimalTlsVersion')]"
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]",
+ "details": {
+ "type": "Microsoft.Sql/managedInstances",
+ "existenceCondition": {
+ "allOf": [
+ {
+ "field": "Microsoft.Sql/managedInstances/minimalTlsVersion",
+ "equals": "[parameters('minimalTlsVersion')]"
+ }
+ ]
+ },
+ "name": "current",
+ "roleDefinitionIds": [
+ "/providers/microsoft.authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635"
+ ],
+ "deployment": {
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "resourceName": {
+ "type": "String"
+ },
+ "minimalTlsVersion": {
+ "type": "String"
+ },
+ "location": {
+ "type": "String"
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.Sql/managedInstances",
+ "apiVersion": "2020-02-02-preview",
+ "name": "[concat(parameters('resourceName'))]",
+ "location": "[parameters('location')]",
+ "properties": {
+ "minimalTlsVersion": "[parameters('minimalTlsVersion')]"
+ }
+ }
+ ],
+ "outputs": {}
+ },
+ "parameters": {
+ "resourceName": {
+ "value": "[field('name')]"
+ },
+ "minimalTlsVersion": {
+ "value": "[parameters('minimalTlsVersion')]"
+ },
+ "location": {
+ "value": "[field('location')]"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Storage-sslEnforcement.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Storage-sslEnforcement.json
new file mode 100644
index 0000000..8835ff5
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Storage-sslEnforcement.json
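Review bot: `roleDefinitionIds` gives the remediation identity `8e3af657-a8ff-443c-a75c-2fe8c4bcb635`, which is the built-in Owner role, in order to change one property on a managed instance. Owner includes the right to create role assignments, so misuse of the assignment's managed identity means full control of the whole assignment scope. A resource-specific role such as SQL Managed Instance Contributor should be sufficient. The Deploy-Storage-sslEnforcement definition in the next hunk uses the same role ID, and Storage Account Contributor would fit there. Both definitions also allow legacy values (`1.1`/`1.0` here, `TLS1_1`/`TLS1_0` for storage) and their `if` compares with `notequals`/`notEquals`, so assigning a legacy value would remediate resources already on 1.2 down to the weaker version. Removing the legacy entries from `allowedValues` closes that path.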
@@ -0,0 +1,138 @@
+{
+ "name": "Deploy-Storage-sslEnforcement",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "mode": "Indexed",
+ "displayName": "Azure Storage deploy a specific min TLS version requirement and enforce SSL/HTTPS ",
+ "description": "Deploy a specific min TLS version requirement and enforce SSL on Azure Storage. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your Azure Storage.",
+ "metadata": {
+ "version": "1.1.0",
+ "category": "Storage",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect Azure Storage",
+ "description": "Enable or disable the execution of the policy minimum TLS version Azure STorage"
+ }
+ },
+ "minimumTlsVersion": {
+ "type": "String",
+ "defaultValue": "TLS1_2",
+ "allowedValues": [
+ "TLS1_2",
+ "TLS1_1",
+ "TLS1_0"
+ ],
+ "metadata": {
+ "displayName": "Select TLS version for Azure Storage server",
+ "description": "Select version minimum TLS version Azure STorage to enforce"
+ }
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Storage/storageAccounts"
+ },
+ {
+ "anyOf": [
+ {
+ "field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly",
+ "notEquals": "true"
+ },
+ {
+ "field": "Microsoft.Storage/storageAccounts/minimumTlsVersion",
+ "notEquals": "[parameters('minimumTlsVersion')]"
+ }
+ ]
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]",
+ "details": {
+ "type": "Microsoft.Storage/storageAccounts",
+ "existenceCondition": {
+ "allOf": [
+ {
+ "field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly",
+ "equals": "true"
+ },
+ {
+ "field": "Microsoft.Storage/storageAccounts/minimumTlsVersion",
+ "equals": "[parameters('minimumTlsVersion')]"
+ }
+ ]
+ },
+ "name": "current",
+ "roleDefinitionIds": [
+ "/providers/microsoft.authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635"
+ ],
+ "deployment": {
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "resourceName": {
+ "type": "String"
+ },
+ "minimumTlsVersion": {
+ "type": "String"
+ },
+ "location": {
+ "type": "String"
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.Storage/storageAccounts",
+ "apiVersion": "2019-06-01",
+ "name": "[concat(parameters('resourceName'))]",
+ "location": "[parameters('location')]",
+ "properties": {
+ "supportsHttpsTrafficOnly": true,
+ "minimumTlsVersion": "[parameters('minimumTlsVersion')]"
+ }
+ }
+ ],
+ "outputs": {}
+ },
+ "parameters": {
+ "resourceName": {
+ "value": "[field('name')]"
+ },
+ "minimumTlsVersion": {
+ "value": "[parameters('minimumTlsVersion')]"
+ },
+ "location": {
+ "value": "[field('location')]"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-VNET-HubSpoke.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-VNET-HubSpoke.json
new file mode 100644
index 0000000..76e21fc
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-VNET-HubSpoke.json 
@@ -0,0 +1,309 @@
+{
+ "name": "Deploy-VNET-HubSpoke",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "mode": "All",
+ "displayName": "Deploy Virtual Network with peering to the hub",
+ "description": "This policy deploys virtual network and peer to the hub",
+ "metadata": {
+ "version": "1.1.0",
+ "category": "Network",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "vNetName": {
+ "type": "String",
+ "metadata": {
+ "displayName": "vNetName",
+ "description": "Name of the landing zone vNet"
+ }
+ },
+ "vNetRgName": {
+ "type": "String",
+ "metadata": {
+ "displayName": "vNetRgName",
+ "description": "Name of the landing zone vNet RG"
+ }
+ },
+ "vNetLocation": {
+ "type": "String",
+ "metadata": {
+ "displayName": "vNetLocation",
+ "description": "Location for the vNet"
+ }
+ },
+ "vNetCidrRange": {
+ "type": "String",
+ "metadata": {
+ "displayName": "vNetCidrRange",
+ "description": "CIDR Range for the vNet"
+ }
+ },
+ "hubResourceId": {
+ "type": "String",
+ "metadata": {
+ "displayName": "hubResourceId",
+ "description": "Resource ID for the HUB vNet"
+ }
+ },
+ "dnsServers": {
+ "type": "Array",
+ "metadata": {
+ "displayName": "DNSServers",
+ "description": "Default domain servers for the vNET."
+ },
+ "defaultValue": []
+ },
+ "vNetPeerUseRemoteGateway": {
+ "type": "Boolean",
+ "metadata": {
+ "displayName": "vNetPeerUseRemoteGateway",
+ "description": "Enable gateway transit for the LZ network"
+ },
+ "defaultValue": false
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Resources/subscriptions"
+ }
+ ]
+ },
+ "then": {
+ "effect": "deployIfNotExists",
+ "details": {
+ "type": "Microsoft.Network/virtualNetworks",
+ "name": "[parameters('vNetName')]",
+ "deploymentScope": "subscription",
+ "existenceScope": "resourceGroup",
+ "ResourceGroupName": "[parameters('vNetRgName')]",
+ "roleDefinitionIds": [
+ "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
+ ],
+ "existenceCondition": {
+ "allOf": [
+ {
+ "field": "name",
+ "like": "[parameters('vNetName')]"
+ },
+ {
+ "field": "location",
+ "equals": "[parameters('vNetLocation')]"
+ }
+ ]
+ },
+ "deployment": {
+ "location": "northeurope",
+ "properties": {
+ "mode": "Incremental",
+ "parameters": {
+ "vNetRgName": {
+ "value": "[parameters('vNetRgName')]"
+ },
+ "vNetName": {
+ "value": "[parameters('vNetName')]"
+ },
+ "vNetLocation": {
+ "value": "[parameters('vNetLocation')]"
+ },
+ "vNetCidrRange": {
+ "value": "[parameters('vNetCidrRange')]"
+ },
+ "hubResourceId": {
+ "value": "[parameters('hubResourceId')]"
+ },
+ "dnsServers": {
+ "value": "[parameters('dnsServers')]"
+ },
+ "vNetPeerUseRemoteGateway": {
+ "value": "[parameters('vNetPeerUseRemoteGateway')]"
+ }
+ },
+ "template": {
+ "$schema": "http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "vNetRgName": {
+ "type": "String"
+ },
+ "vNetName": {
+ "type": "String"
+ },
+ "vNetLocation": {
+ "type": "String"
+ },
+ "vNetCidrRange": {
+ "type": "String"
+ },
+ "vNetPeerUseRemoteGateway": {
+ "type": "bool",
+ "defaultValue": false
+ },
+ "hubResourceId": {
+ "type": "String"
+ },
+ "dnsServers": {
+ "type": "Array",
+ "defaultValue": []
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2021-04-01",
+ "name": "[concat('alz-vnet-rg-', parameters('vNetLocation'), '-', substring(uniqueString(subscription().id),0,6))]",
+ "location": "[parameters('vNetLocation')]",
+ "dependsOn": [],
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.Resources/resourceGroups",
+ "apiVersion": "2021-04-01",
+ "name": "[parameters('vNetRgName')]",
+ "location": "[parameters('vNetLocation')]",
+ "properties": {}
+ }
+ ],
+ "outputs": {}
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2021-04-01",
+ "name": "[concat('alz-vnet-', parameters('vNetLocation'), '-', substring(uniqueString(subscription().id),0,6))]",
+ "dependsOn": [
+ "[concat('alz-vnet-rg-', parameters('vNetLocation'), '-', substring(uniqueString(subscription().id),0,6))]"
+ ],
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.Network/virtualNetworks",
+ "apiVersion": "2021-02-01",
+ "name": "[parameters('vNetName')]",
+ "location": "[parameters('vNetLocation')]",
+ "dependsOn": [],
+ "properties": {
+ "addressSpace": {
+ "addressPrefixes": [
+ "[parameters('vNetCidrRange')]"
+ ]
+ },
+ "dhcpOptions": {
+ "dnsServers": "[parameters('dnsServers')]"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings",
+ "apiVersion": "2021-02-01",
+ "name": "[concat(parameters('vNetName'), '/peerToHub')]",
+ "dependsOn": [
+ "[parameters('vNetName')]"
+ ],
+ "properties": {
+ "remoteVirtualNetwork": {
+ "id": "[parameters('hubResourceId')]"
+ },
+ "allowVirtualNetworkAccess": true,
+ "allowForwardedTraffic": true,
+ "allowGatewayTransit": false,
+ "useRemoteGateways": "[parameters('vNetPeerUseRemoteGateway')]"
+ }
+ },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2021-04-01",
+ "name": "[concat('alz-hub-peering-', parameters('vNetLocation'), '-', substring(uniqueString(subscription().id),0,6))]",
+ "subscriptionId": "[split(parameters('hubResourceId'),'/')[2]]",
+ "resourceGroup": "[split(parameters('hubResourceId'),'/')[4]]",
+ "dependsOn": [
+ "[parameters('vNetName')]"
+ ],
+ "properties": {
+ "mode": "Incremental",
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "remoteVirtualNetwork": {
+ "type": "String",
+ "defaultValue": false
+ },
+ "hubName": {
+ "type": "String",
+ "defaultValue": false
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings",
+ "name": "[[concat(parameters('hubName'),'/',last(split(parameters('remoteVirtualNetwork'),'/')))]",
+ "apiVersion": "2021-02-01",
+ "properties": {
+ "allowVirtualNetworkAccess": true,
+ "allowForwardedTraffic": true,
+ "allowGatewayTransit": true,
+ "useRemoteGateways": false,
+ "remoteVirtualNetwork": {
+ "id": "[[parameters('remoteVirtualNetwork')]"
+ }
+ }
+ }
+ ],
+ "outputs": {}
+ },
+ "parameters": {
+ "remoteVirtualNetwork": {
+ "value": "[concat(subscription().id,'/resourceGroups/',parameters('vNetRgName'), '/providers/','Microsoft.Network/virtualNetworks/', parameters('vNetName'))]"
+ },
+ "hubName": {
+ "value": "[split(parameters('hubResourceId'),'/')[8]]"
+ }
+ }
+ }
+ }
+ ],
+ "outputs": {}
+ }
+ },
+ "resourceGroup": "[parameters('vNetRgName')]"
+ }
+ ],
+ "outputs": {}
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Windows-DomainJoin.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Windows-DomainJoin.json
new file mode 100644
index 0000000..6e7244f
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deploy-Windows-DomainJoin.json
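Review bot: The `existenceCondition` matches the spoke network only by `name` (with `like`) and `location`, so a VNet that has the expected name but no `peerToHub` peering, a different address space or different DNS servers is reported compliant and never remediated. I would at least use `"equals": "[parameters('vNetName')]"` and say in the `description` that peering, address space and DNS settings are not evaluated after the first deployment. If an alias for the peering's remote network ID is available, a condition on it should be added as well. Two smaller points in the same hunk: `"location": "northeurope"` is hard-coded for the deployment although this file targets `AzureChinaCloud` and `AzureUSGovernment`, where that region presumably does not exist, and the inner template declares `remoteVirtualNetwork` and `hubName` as `String` with `"defaultValue": false`, a type mismatch that is better removed.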
@@ -0,0 +1,261 @@
+{
+ "name": "Deploy-Windows-DomainJoin",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "mode": "Indexed",
+ "displayName": "Deploy Windows Domain Join Extension with keyvault configuration",
+ "description": "Deploy Windows Domain Join Extension with keyvault configuration when the extension does not exist on a given windows Virtual Machine",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Guest Configuration",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "domainUsername": {
+ "type": "String",
+ "metadata": {
+ "displayName": "domainUsername"
+ }
+ },
+ "domainPassword": {
+ "type": "String",
+ "metadata": {
+ "displayName": "domainPassword"
+ }
+ },
+ "domainFQDN": {
+ "type": "String",
+ "metadata": {
+ "displayName": "domainFQDN"
+ }
+ },
+ "domainOUPath": {
+ "type": "String",
+ "metadata": {
+ "displayName": "domainOUPath"
+ }
+ },
+ "keyVaultResourceId": {
+ "type": "String",
+ "metadata": {
+ "displayName": "keyVaultResourceId"
+ }
+ },
+ "effect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Compute/virtualMachines"
+ },
+ {
+ "field": "Microsoft.Compute/imagePublisher",
+ "equals": "MicrosoftWindowsServer"
+ },
+ {
+ "field": "Microsoft.Compute/imageOffer",
+ "equals": "WindowsServer"
+ },
+ {
+ "field": "Microsoft.Compute/imageSKU",
+ "in": [
+ "2008-R2-SP1",
+ "2008-R2-SP1-smalldisk",
+ "2008-R2-SP1-zhcn",
+ "2012-Datacenter",
+ "2012-datacenter-gensecond",
+ "2012-Datacenter-smalldisk",
+ "2012-datacenter-smalldisk-g2",
+ "2012-Datacenter-zhcn",
+ "2012-datacenter-zhcn-g2",
+ "2012-R2-Datacenter",
+ "2012-r2-datacenter-gensecond",
+ "2012-R2-Datacenter-smalldisk",
+ "2012-r2-datacenter-smalldisk-g2",
+ "2012-R2-Datacenter-zhcn",
+ "2012-r2-datacenter-zhcn-g2",
+ "2016-Datacenter",
+ "2016-datacenter-gensecond",
+ "2016-datacenter-gs",
+ "2016-Datacenter-Server-Core",
+ "2016-datacenter-server-core-g2",
+ "2016-Datacenter-Server-Core-smalldisk",
+ "2016-datacenter-server-core-smalldisk-g2",
+ "2016-Datacenter-smalldisk",
+ "2016-datacenter-smalldisk-g2",
+ "2016-Datacenter-with-Containers",
+ "2016-datacenter-with-containers-g2",
+ "2016-Datacenter-with-RDSH",
+ "2016-Datacenter-zhcn",
+ "2016-datacenter-zhcn-g2",
+ "2019-Datacenter",
+ "2019-Datacenter-Core",
+ "2019-datacenter-core-g2",
+ "2019-Datacenter-Core-smalldisk",
+ "2019-datacenter-core-smalldisk-g2",
+ "2019-Datacenter-Core-with-Containers",
+ "2019-datacenter-core-with-containers-g2",
+ "2019-Datacenter-Core-with-Containers-smalldisk",
+ "2019-datacenter-core-with-containers-smalldisk-g2",
+ "2019-datacenter-gensecond",
+ "2019-datacenter-gs",
+ "2019-Datacenter-smalldisk",
+ "2019-datacenter-smalldisk-g2",
+ "2019-Datacenter-with-Containers",
+ "2019-datacenter-with-containers-g2",
+ "2019-Datacenter-with-Containers-smalldisk",
+ "2019-datacenter-with-containers-smalldisk-g2",
+ "2019-Datacenter-zhcn",
+ "2019-datacenter-zhcn-g2",
+ "Datacenter-Core-1803-with-Containers-smalldisk",
+ "datacenter-core-1803-with-containers-smalldisk-g2",
+ "Datacenter-Core-1809-with-Containers-smalldisk",
+ "datacenter-core-1809-with-containers-smalldisk-g2",
+ "Datacenter-Core-1903-with-Containers-smalldisk",
+ "datacenter-core-1903-with-containers-smalldisk-g2",
+ "datacenter-core-1909-with-containers-smalldisk",
+ "datacenter-core-1909-with-containers-smalldisk-g1",
+ "datacenter-core-1909-with-containers-smalldisk-g2"
+ ]
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]",
+ "details": {
+ "type": "Microsoft.Compute/virtualMachines/extensions",
+ "roleDefinitionIds": [
+ "/providers/Microsoft.Authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c"
+ ],
+ "existenceCondition": {
+ "allOf": [
+ {
+ "field": "Microsoft.Compute/virtualMachines/extensions/type",
+ "equals": "JsonADDomainExtension"
+ },
+ {
+ "field": "Microsoft.Compute/virtualMachines/extensions/publisher",
+ "equals": "Microsoft.Compute"
+ }
+ ]
+ },
+ "deployment": {
+ "properties": {
+ "mode": "Incremental",
+ "parameters": {
+ "vmName": {
+ "value": "[field('name')]"
+ },
+ "location": {
+ "value": "[field('location')]"
+ },
+ "domainUsername": {
+ "reference": {
+ "keyVault": {
+ "id": "[parameters('keyVaultResourceId')]"
+ },
+ "secretName": "[parameters('domainUsername')]"
+ }
+ },
+ "domainPassword": {
+ "reference": {
+ "keyVault": {
+ "id": "[parameters('keyVaultResourceId')]"
+ },
+ "secretName": "[parameters('domainPassword')]"
+ }
+ },
+ "domainOUPath": {
+ "value": "[parameters('domainOUPath')]"
+ },
+ "domainFQDN": {
+ "value": "[parameters('domainFQDN')]"
+ },
+ "keyVaultResourceId": {
+ "value": "[parameters('keyVaultResourceId')]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "vmName": {
+ "type": "String"
+ },
+ "location": {
+ "type": "String"
+ },
+ "domainUsername": {
+ "type": "String"
+ },
+ "domainPassword": {
+ "type": "securestring"
+ },
+ "domainFQDN": {
+ "type": "String"
+ },
+ "domainOUPath": {
+ "type": "String"
+ },
+ "keyVaultResourceId": {
+ "type": "String"
+ }
+ },
+ "variables": {
+ "domainJoinOptions": 3,
+ "vmName": "[parameters('vmName')]"
+ },
+ "resources": [
+ {
+ "apiVersion": "2015-06-15",
+ "type": "Microsoft.Compute/virtualMachines/extensions",
+ "name": "[concat(variables('vmName'),'/joindomain')]",
+ "location": "[resourceGroup().location]",
+ "properties": {
+ "publisher": "Microsoft.Compute",
+ "type": "JsonADDomainExtension",
+ "typeHandlerVersion": "1.3",
+ "autoUpgradeMinorVersion": true,
+ "settings": {
+ "Name": "[parameters('domainFQDN')]",
+ "User": "[parameters('domainUserName')]",
+ "Restart": "true",
+ "Options": "[variables('domainJoinOptions')]",
+ "OUPath": "[parameters('domainOUPath')]"
+ },
+ "protectedSettings": {
+ "Password": "[parameters('domainPassword')]"
+ }
+ }
+ }
+ ],
+ "outputs": {}
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/_mc_policySetDefinitionsBicepInput.txt b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/_mc_policySetDefinitionsBicepInput.txt
new file mode 100644
index 0000000..79c2848
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/_mc_policySetDefinitionsBicepInput.txt
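Review bot: The policy parameters `domainUsername` and `domainPassword` are consumed as `secretName` in the Key Vault references, so they hold secret names rather than credentials. They are plain `String` parameters with only a `displayName`, so an operator can easily type the real password, which would then sit in clear text in the policy assignment. Add descriptions that say so, e.g. `"description": "Name of the Key Vault secret that holds the domain-join password (not the password itself)"`, and the equivalent for the user name. The only role granted is `9980e02c-c2be-4d73-94e8-173b1dc7cf3c` (Virtual Machine Contributor, as far as I know). Resolving the references presumably also needs the vault enabled for template deployment and deploy permission on it for the remediation identity, which should be documented in the `description`. The existence condition checks only the extension `type` and `publisher`, so a VM whose join extension failed still counts as compliant.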
@@ -0,0 +1,908 @@ +var varCustomPolicySetDefinitionsArray = [ + { + name: 'Deny-PublicPaaSEndpoints' + libSetDefinition: loadJsonContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_Deny-PublicPaaSEndpoints.json') + libSetChildDefinitions: [ + { + definitionReferenceId: 'ACRDenyPaasPublicIP' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/0fdf0491-d080-4575-b627-ad0e843cba0f' + definitionParameters: varPolicySetDefinitionEsMcDenyPublicPaaSEndpointsParameters.ACRDenyPaasPublicIP.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'AFSDenyPaasPublicIP' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/21a8cd35-125e-4d13-b82d-2e19b7208bb7' + definitionParameters: varPolicySetDefinitionEsMcDenyPublicPaaSEndpointsParameters.AFSDenyPaasPublicIP.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'AKSDenyPaasPublicIP' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/040732e8-d947-40b8-95d6-854c95024bf8' + definitionParameters: varPolicySetDefinitionEsMcDenyPublicPaaSEndpointsParameters.AKSDenyPaasPublicIP.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'BatchDenyPublicIP' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/74c5a0ae-5e48-4738-b093-65e23a060488' + definitionParameters: varPolicySetDefinitionEsMcDenyPublicPaaSEndpointsParameters.BatchDenyPublicIP.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'CosmosDenyPaasPublicIP' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/797b37f7-06b8-444c-b1ad-fc62867f335a' + definitionParameters: varPolicySetDefinitionEsMcDenyPublicPaaSEndpointsParameters.CosmosDenyPaasPublicIP.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'KeyVaultDenyPaasPublicIP' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/55615ac9-af46-4a59-874e-391cc3dfb490' + definitionParameters: 
varPolicySetDefinitionEsMcDenyPublicPaaSEndpointsParameters.KeyVaultDenyPaasPublicIP.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'MySQLFlexDenyPublicIP' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/c9299215-ae47-4f50-9c54-8a392f68a052' + definitionParameters: varPolicySetDefinitionEsMcDenyPublicPaaSEndpointsParameters.MySQLFlexDenyPublicIP.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'PostgreSQLFlexDenyPublicIP' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/5e1de0e3-42cb-4ebc-a86d-61d0c619ca48' + definitionParameters: varPolicySetDefinitionEsMcDenyPublicPaaSEndpointsParameters.PostgreSQLFlexDenyPublicIP.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'SqlServerDenyPaasPublicIP' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780' + definitionParameters: varPolicySetDefinitionEsMcDenyPublicPaaSEndpointsParameters.SqlServerDenyPaasPublicIP.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'StorageDenyPaasPublicIP' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c' + definitionParameters: varPolicySetDefinitionEsMcDenyPublicPaaSEndpointsParameters.StorageDenyPaasPublicIP.parameters + definitionGroups: [] + } + ] + } + { + name: 'Deploy-Diagnostics-LogAnalytics' + libSetDefinition: loadJsonContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_Deploy-Diagnostics-LogAnalytics.json') + libSetChildDefinitions: [ + { + definitionReferenceId: 'ACIDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACI' + definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.ACIDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 
'ACRDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACR' + definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.ACRDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'AKSDeployDiagnosticLogDeployLogAnalytics' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/6c66c325-74c8-42fd-a286-a74b0e2939d8' + definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.AKSDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'AnalysisServiceDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AnalysisService' + definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.AnalysisServiceDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'APIforFHIRDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApiForFHIR' + definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.APIforFHIRDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'APIMgmtDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-APIMgmt' + definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.APIMgmtDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'ApplicationGatewayDeployDiagnosticLogDeployLogAnalytics' + definitionId: 
'${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApplicationGateway' + definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.ApplicationGatewayDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'AppServiceDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WebServerFarm' + definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.AppServiceDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'AppServiceWebappDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Website' + definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.AppServiceWebappDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'AutomationDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AA' + definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.AutomationDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'BastionDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Bastion' + definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.BastionDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'BatchDeployDiagnosticLogDeployLogAnalytics' + definitionId: 
'/providers/Microsoft.Authorization/policyDefinitions/c84e5349-db6d-4769-805e-e14037dab9b5' + definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.BatchDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'CDNEndpointsDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CDNEndpoints' + definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.CDNEndpointsDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'CognitiveServicesDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CognitiveServices' + definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.CognitiveServicesDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'CosmosDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CosmosDB' + definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.CosmosDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'DatabricksDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Databricks' + definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.DatabricksDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'DataExplorerClusterDeployDiagnosticLogDeployLogAnalytics' + definitionId: 
'${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataExplorerCluster' + definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.DataExplorerClusterDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'DataFactoryDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataFactory' + definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.DataFactoryDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'DataLakeAnalyticsDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DLAnalytics' + definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.DataLakeAnalyticsDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'DataLakeStoreDeployDiagnosticLogDeployLogAnalytics' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03' + definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.DataLakeStoreDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'EventGridSubDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSub' + definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.EventGridSubDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'EventGridTopicDeployDiagnosticLogDeployLogAnalytics' + definitionId: 
'${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridTopic' + definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.EventGridTopicDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'EventHubDeployDiagnosticLogDeployLogAnalytics' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/1f6e93e8-6b31-41b1-83f6-36e449a42579' + definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.EventHubDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'EventSystemTopicDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSystemTopic' + definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.EventSystemTopicDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'ExpressRouteDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ExpressRoute' + definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.ExpressRouteDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'FirewallDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Firewall' + definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.FirewallDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'FrontDoorDeployDiagnosticLogDeployLogAnalytics' + definitionId: 
'${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-FrontDoor' + definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.FrontDoorDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'FunctionAppDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Function' + definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.FunctionAppDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'HDInsightDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-HDInsight' + definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.HDInsightDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'IotHubDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-iotHub' + definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.IotHubDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'KeyVaultDeployDiagnosticLogDeployLogAnalytics' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/bef3f64c-5290-43b7-85b0-9b254eef4c47' + definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.KeyVaultDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'LoadBalancerDeployDiagnosticLogDeployLogAnalytics' + definitionId: 
'${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LoadBalancer' + definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.LoadBalancerDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'LogicAppsISEDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogicAppsISE' + definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.LogicAppsISEDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'LogicAppsWFDeployDiagnosticLogDeployLogAnalytics' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/b889a06c-ec72-4b03-910a-cb169ee18721' + definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.LogicAppsWFDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'MariaDBDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MariaDB' + definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.MariaDBDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'MediaServiceDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MediaService' + definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.MediaServiceDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'MlWorkspaceDeployDiagnosticLogDeployLogAnalytics' + definitionId: 
'${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MlWorkspace' + definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.MlWorkspaceDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'MySQLDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MySQL' + definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.MySQLDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'NetworkNICDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NIC' + definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.NetworkNICDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'NetworkPublicIPNicDeployDiagnosticLogDeployLogAnalytics' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/752154a7-1e0f-45c6-a880-ac75a7e4f648' + definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.NetworkPublicIPNicDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'NetworkSecurityGroupsDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NetworkSecurityGroups' + definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.NetworkSecurityGroupsDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'PostgreSQLDeployDiagnosticLogDeployLogAnalytics' + definitionId: 
'${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PostgreSQL' + definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.PostgreSQLDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'PowerBIEmbeddedDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PowerBIEmbedded' + definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.PowerBIEmbeddedDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'RecoveryVaultDeployDiagnosticLogDeployLogAnalytics' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/c717fb0c-d118-4c43-ab3d-ece30ac81fb3' + definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.RecoveryVaultDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'RedisCacheDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-RedisCache' + definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.RedisCacheDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'RelayDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Relay' + definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.RelayDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'SearchServicesDeployDiagnosticLogDeployLogAnalytics' + definitionId: 
'/providers/Microsoft.Authorization/policyDefinitions/08ba64b8-738f-4918-9686-730d2ed79c7d' + definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.SearchServicesDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'ServiceBusDeployDiagnosticLogDeployLogAnalytics' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/04d53d87-841c-4f23-8a5b-21564380b55e' + definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.ServiceBusDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'SignalRDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SignalR' + definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.SignalRDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'SQLDatabaseDeployDiagnosticLogDeployLogAnalytics' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/b79fa14e-238a-4c2d-b376-442ce508fc84' + definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.SQLDatabaseDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'SQLElasticPoolsDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLElasticPools' + definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.SQLElasticPoolsDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'SQLMDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLMI' + 
definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.SQLMDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'StorageAccountDeployDiagnosticLogDeployLogAnalytics' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/6f8f98a4-f108-47cb-8e98-91a0d85cd474' + definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.StorageAccountDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'StreamAnalyticsDeployDiagnosticLogDeployLogAnalytics' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/237e0f7e-b0e8-4ec4-ad46-8c12cb66d673' + definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.StreamAnalyticsDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'TimeSeriesInsightsDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TimeSeriesInsights' + definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.TimeSeriesInsightsDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'TrafficManagerDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TrafficManager' + definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.TrafficManagerDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'VirtualMachinesDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VM' + definitionParameters: 
varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.VirtualMachinesDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'VirtualNetworkDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VirtualNetwork' + definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.VirtualNetworkDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'VMSSDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VMSS' + definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.VMSSDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'VNetGWDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VNetGW' + definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.VNetGWDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'WVDAppGroupDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDAppGroup' + definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.WVDAppGroupDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'WVDHostPoolsDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDHostPools' + definitionParameters: 
varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.WVDHostPoolsDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'WVDWorkspaceDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDWorkspace' + definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.WVDWorkspaceDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + ] + } + { + name: 'Deploy-MDFC-Config' + libSetDefinition: loadJsonContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_Deploy-MDFC-Config.json') + libSetChildDefinitions: [ + { + definitionReferenceId: 'ascExport' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/ffb6f416-7bd2-4488-8828-56585fef2be9' + definitionParameters: varPolicySetDefinitionEsMcDeployMDFCConfigParameters.ascExport.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'defenderForArm' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/b7021b2b-08fd-4dc0-9de7-3c6ece09faf9' + definitionParameters: varPolicySetDefinitionEsMcDeployMDFCConfigParameters.defenderForArm.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'defenderforContainers' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/c9ddb292-b203-4738-aead-18e2716e858f' + definitionParameters: varPolicySetDefinitionEsMcDeployMDFCConfigParameters.defenderforContainers.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'defenderForDns' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/2370a3c1-4a25-4283-a91a-c9c1a145fb2f' + definitionParameters: varPolicySetDefinitionEsMcDeployMDFCConfigParameters.defenderForDns.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'defenderForSqlPaas' + definitionId: 
'/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491'
+ definitionParameters: varPolicySetDefinitionEsMcDeployMDFCConfigParameters.defenderForSqlPaas.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'defenderForVM'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/8e86a5b6-b9bd-49d1-8e21-4bb8a0862222'
+ definitionParameters: varPolicySetDefinitionEsMcDeployMDFCConfigParameters.defenderForVM.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'securityEmailContact'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts'
+ definitionParameters: varPolicySetDefinitionEsMcDeployMDFCConfigParameters.securityEmailContact.parameters
+ definitionGroups: []
+ }
+ ]
+ }
+ {
+ name: 'Deploy-Private-DNS-Zones'
+ libSetDefinition: loadJsonContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_Deploy-Private-DNS-Zones.json')
+ libSetChildDefinitions: [
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-ACR'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/e9585a95-5b8c-4d03-b193-dc7eb5ac4c32'
+ definitionParameters: varPolicySetDefinitionEsMcDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-ACR'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-App'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/7a860e27-9ca2-4fc6-822d-c2d248c300df'
+ definitionParameters: varPolicySetDefinitionEsMcDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-App'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-AppServices'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/b318f84a-b872-429b-ac6d-a01b96814452'
+ definitionParameters: varPolicySetDefinitionEsMcDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-AppServices'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-Batch'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/4ec38ebc-381f-45ee-81a4-acbc4be878f8'
+ definitionParameters: varPolicySetDefinitionEsMcDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Batch'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-CognitiveSearch'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/fbc14a67-53e4-4932-abcc-2049c6706009'
+ definitionParameters: varPolicySetDefinitionEsMcDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-CognitiveSearch'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-CognitiveServices'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/c4bc6f10-cb41-49eb-b000-d5ab82e2a091'
+ definitionParameters: varPolicySetDefinitionEsMcDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-CognitiveServices'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-DiskAccess'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/bc05b96c-0b36-4ca9-82f0-5c53f96ce05a'
+ definitionParameters: varPolicySetDefinitionEsMcDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-DiskAccess'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-EventGridDomains'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/d389df0a-e0d7-4607-833c-75a6fdac2c2d'
+ definitionParameters: varPolicySetDefinitionEsMcDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-EventGridDomains'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-EventGridTopics'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/baf19753-7502-405f-8745-370519b20483'
+ definitionParameters: varPolicySetDefinitionEsMcDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-EventGridTopics'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-EventHubNamespace'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/ed66d4f5-8220-45dc-ab4a-20d1749c74e6'
+ definitionParameters: varPolicySetDefinitionEsMcDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-EventHubNamespace'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-File-Sync'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/06695360-db88-47f6-b976-7500d4297475'
+ definitionParameters: varPolicySetDefinitionEsMcDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-File-Sync'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-IoT'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/aaa64d2d-2fa3-45e5-b332-0b031b9b30e8'
+ definitionParameters: varPolicySetDefinitionEsMcDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-IoT'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-IoTHubs'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/c99ce9c1-ced7-4c3e-aca0-10e69ce0cb02'
+ definitionParameters: varPolicySetDefinitionEsMcDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-IoTHubs'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-KeyVault'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01d4'
+ definitionParameters: varPolicySetDefinitionEsMcDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-KeyVault'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-MachineLearningWorkspace'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/ee40564d-486e-4f68-a5ca-7a621edae0fb'
+ definitionParameters: varPolicySetDefinitionEsMcDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-MachineLearningWorkspace'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-RedisCache'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/e016b22b-e0eb-436d-8fd7-160c4eaed6e2'
+ definitionParameters: varPolicySetDefinitionEsMcDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-RedisCache'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-ServiceBusNamespace'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/f0fcf93c-c063-4071-9668-c47474bd3564'
+ definitionParameters: varPolicySetDefinitionEsMcDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-ServiceBusNamespace'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-SignalR'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/b0e86710-7fb7-4a6c-a064-32e9b829509e'
+ definitionParameters: varPolicySetDefinitionEsMcDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-SignalR'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-Site-Recovery'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/942bd215-1a66-44be-af65-6a1c0318dbe2'
+ definitionParameters: varPolicySetDefinitionEsMcDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Site-Recovery'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DINE-Private-DNS-Azure-Web'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/0b026355-49cb-467b-8ac4-f777874e175a'
+ definitionParameters: varPolicySetDefinitionEsMcDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Web'].parameters
+ definitionGroups: []
+ }
+ ]
+ }
+ {
+ name: 'Deploy-Sql-Security'
+ libSetDefinition: loadJsonContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_Deploy-Sql-Security.json')
+ libSetChildDefinitions: [
+ {
+ definitionReferenceId: 'SqlDbAuditingSettingsDeploySqlSecurity'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-AuditingSettings'
+ definitionParameters: varPolicySetDefinitionEsMcDeploySqlSecurityParameters.SqlDbAuditingSettingsDeploySqlSecurity.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'SqlDbSecurityAlertPoliciesDeploySqlSecurity'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-SecurityAlertPolicies'
+ definitionParameters: varPolicySetDefinitionEsMcDeploySqlSecurityParameters.SqlDbSecurityAlertPoliciesDeploySqlSecurity.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'SqlDbTdeDeploySqlSecurity'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-Tde'
+ definitionParameters: varPolicySetDefinitionEsMcDeploySqlSecurityParameters.SqlDbTdeDeploySqlSecurity.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'SqlDbVulnerabilityAssessmentsDeploySqlSecurity'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-vulnerabilityAssessments'
+ definitionParameters: varPolicySetDefinitionEsMcDeploySqlSecurityParameters.SqlDbVulnerabilityAssessmentsDeploySqlSecurity.parameters
+ definitionGroups: []
+ }
+ ]
+ }
+ {
+ name: 'Enforce-Encryption-CMK'
+ libSetDefinition: loadJsonContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_Enforce-Encryption-CMK.json')
+ libSetChildDefinitions: [
+ {
+ definitionReferenceId: 'ACRCmkDeny'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580'
+ definitionParameters: varPolicySetDefinitionEsMcEnforceEncryptionCMKParameters.ACRCmkDeny.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'AksCmkDeny'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/7d7be79c-23ba-4033-84dd-45e2a5ccdd67'
+ definitionParameters: varPolicySetDefinitionEsMcEnforceEncryptionCMKParameters.AksCmkDeny.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'AzureBatchCMKEffect'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/99e9ccd8-3db9-4592-b0d1-14b1715a4d8a'
+ definitionParameters: varPolicySetDefinitionEsMcEnforceEncryptionCMKParameters.AzureBatchCMKEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'CognitiveServicesCMK'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/67121cc7-ff39-4ab8-b7e3-95b84dab487d'
+ definitionParameters: varPolicySetDefinitionEsMcEnforceEncryptionCMKParameters.CognitiveServicesCMK.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'CosmosCMKEffect'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/1f905d99-2ab7-462c-a6b0-f709acca6c8f'
+ definitionParameters: varPolicySetDefinitionEsMcEnforceEncryptionCMKParameters.CosmosCMKEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DataBoxCMKEffect'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/86efb160-8de7-451d-bc08-5d475b0aadae'
+ definitionParameters: varPolicySetDefinitionEsMcEnforceEncryptionCMKParameters.DataBoxCMKEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'EncryptedVMDisksEffect'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d'
+ definitionParameters: varPolicySetDefinitionEsMcEnforceEncryptionCMKParameters.EncryptedVMDisksEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'HealthcareAPIsCMKEffect'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/051cba44-2429-45b9-9649-46cec11c7119'
+ definitionParameters: varPolicySetDefinitionEsMcEnforceEncryptionCMKParameters.HealthcareAPIsCMKEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'MySQLCMKEffect'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/83cef61d-dbd1-4b20-a4fc-5fbc7da10833'
+ definitionParameters: varPolicySetDefinitionEsMcEnforceEncryptionCMKParameters.MySQLCMKEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'PostgreSQLCMKEffect'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/18adea5e-f416-4d0f-8aa8-d24321e3e274'
+ definitionParameters: varPolicySetDefinitionEsMcEnforceEncryptionCMKParameters.PostgreSQLCMKEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'SqlServerTDECMKEffect'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/0d134df8-db83-46fb-ad72-fe0c9428c8dd'
+ definitionParameters: varPolicySetDefinitionEsMcEnforceEncryptionCMKParameters.SqlServerTDECMKEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'StorageCMKEffect'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/6fac406b-40ca-413b-bf8e-0bf964659c25'
+ definitionParameters: varPolicySetDefinitionEsMcEnforceEncryptionCMKParameters.StorageCMKEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'StreamAnalyticsCMKEffect'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/87ba29ef-1ab3-4d82-b763-87fcd4f531f7'
+ definitionParameters: varPolicySetDefinitionEsMcEnforceEncryptionCMKParameters.StreamAnalyticsCMKEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'SynapseWorkspaceCMKEffect'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/f7d52b2d-e161-4dfa-a82b-55e564167385'
+ definitionParameters: varPolicySetDefinitionEsMcEnforceEncryptionCMKParameters.SynapseWorkspaceCMKEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'WorkspaceCMK'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/ba769a63-b8cc-4b2d-abf6-ac33c7204be8'
+ definitionParameters: varPolicySetDefinitionEsMcEnforceEncryptionCMKParameters.WorkspaceCMK.parameters
+ definitionGroups: []
+ }
+ ]
+ }
+ {
+ name: 'Enforce-EncryptTransit'
+ libSetDefinition: loadJsonContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_Enforce-EncryptTransit.json')
+ libSetChildDefinitions: [
+ {
+ definitionReferenceId: 'AKSIngressHttpsOnlyEffect'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d'
+ definitionParameters: varPolicySetDefinitionEsMcEnforceEncryptTransitParameters.AKSIngressHttpsOnlyEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'APIAppServiceHttpsEffect'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http'
+ definitionParameters: varPolicySetDefinitionEsMcEnforceEncryptTransitParameters.APIAppServiceHttpsEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'APIAppServiceLatestTlsEffect'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e'
+ definitionParameters: varPolicySetDefinitionEsMcEnforceEncryptTransitParameters.APIAppServiceLatestTlsEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'AppServiceHttpEffect'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly'
+ definitionParameters: varPolicySetDefinitionEsMcEnforceEncryptTransitParameters.AppServiceHttpEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'AppServiceminTlsVersion'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS'
+ definitionParameters: varPolicySetDefinitionEsMcEnforceEncryptTransitParameters.AppServiceminTlsVersion.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'FunctionLatestTlsEffect'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193'
+ definitionParameters: varPolicySetDefinitionEsMcEnforceEncryptTransitParameters.FunctionLatestTlsEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'FunctionServiceHttpsEffect'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http'
+ definitionParameters: varPolicySetDefinitionEsMcEnforceEncryptTransitParameters.FunctionServiceHttpsEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'MySQLEnableSSLDeployEffect'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement'
+ definitionParameters: varPolicySetDefinitionEsMcEnforceEncryptTransitParameters.MySQLEnableSSLDeployEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'MySQLEnableSSLEffect'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-MySql-http'
+ definitionParameters: varPolicySetDefinitionEsMcEnforceEncryptTransitParameters.MySQLEnableSSLEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'PostgreSQLEnableSSLDeployEffect'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement'
+ definitionParameters: varPolicySetDefinitionEsMcEnforceEncryptTransitParameters.PostgreSQLEnableSSLDeployEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'PostgreSQLEnableSSLEffect'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http'
+ definitionParameters: varPolicySetDefinitionEsMcEnforceEncryptTransitParameters.PostgreSQLEnableSSLEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'RedisDenyhttps'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Redis-http'
+ definitionParameters: varPolicySetDefinitionEsMcEnforceEncryptTransitParameters.RedisDenyhttps.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'RedisdisableNonSslPort'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort'
+ definitionParameters: varPolicySetDefinitionEsMcEnforceEncryptTransitParameters.RedisdisableNonSslPort.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'RedisTLSDeployEffect'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement'
+ definitionParameters: varPolicySetDefinitionEsMcEnforceEncryptTransitParameters.RedisTLSDeployEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'SQLManagedInstanceTLSDeployEffect'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS'
+ definitionParameters: varPolicySetDefinitionEsMcEnforceEncryptTransitParameters.SQLManagedInstanceTLSDeployEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'SQLManagedInstanceTLSEffect'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS'
+ definitionParameters: varPolicySetDefinitionEsMcEnforceEncryptTransitParameters.SQLManagedInstanceTLSEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'SQLServerTLSDeployEffect'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS'
+ definitionParameters: varPolicySetDefinitionEsMcEnforceEncryptTransitParameters.SQLServerTLSDeployEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'SQLServerTLSEffect'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS'
+ definitionParameters: varPolicySetDefinitionEsMcEnforceEncryptTransitParameters.SQLServerTLSEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'StorageDeployHttpsEnabledEffect'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement'
+ definitionParameters: varPolicySetDefinitionEsMcEnforceEncryptTransitParameters.StorageDeployHttpsEnabledEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'StorageHttpsEnabledEffect'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-minTLS'
+ definitionParameters: varPolicySetDefinitionEsMcEnforceEncryptTransitParameters.StorageHttpsEnabledEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'WebAppServiceHttpsEffect'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http'
+ definitionParameters: varPolicySetDefinitionEsMcEnforceEncryptTransitParameters.WebAppServiceHttpsEffect.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'WebAppServiceLatestTlsEffect'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b'
+ definitionParameters: varPolicySetDefinitionEsMcEnforceEncryptTransitParameters.WebAppServiceLatestTlsEffect.parameters
+ definitionGroups: []
+ }
+ ]
+ }
+]
+
+
+// Policy Set/Initiative Definition Parameter Variables
+
+var varPolicySetDefinitionEsMcDenyPublicPaaSEndpointsParameters = loadJsonContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_Deny-PublicPaaSEndpoints.parameters.json')
+
+var varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters = loadJsonContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_Deploy-Diagnostics-LogAnalytics.parameters.json')
+
+var varPolicySetDefinitionEsMcDeployMDFCConfigParameters = loadJsonContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_Deploy-MDFC-Config.parameters.json')
+
+var varPolicySetDefinitionEsMcDeployPrivateDNSZonesParameters = loadJsonContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_Deploy-Private-DNS-Zones.parameters.json')
+
+var varPolicySetDefinitionEsMcDeploySqlSecurityParameters = loadJsonContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_Deploy-Sql-Security.parameters.json')
+
+var varPolicySetDefinitionEsMcEnforceEncryptionCMKParameters = loadJsonContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_Enforce-Encryption-CMK.parameters.json')
+
+var varPolicySetDefinitionEsMcEnforceEncryptTransitParameters = loadJsonContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_Enforce-EncryptTransit.parameters.json')
+
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/policy_set_definition_es_mc_Deny-PublicPaaSEndpoints.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/policy_set_definition_es_mc_Deny-PublicPaaSEndpoints.json
new file mode 100644
index 0000000..b6e1906
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/policy_set_definition_es_mc_Deny-PublicPaaSEndpoints.json
@@ -0,0 +1,256 @@
+{
+ "name": "Deny-PublicPaaSEndpoints",
+ "type": "Microsoft.Authorization/policySetDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "displayName": "Public network access should be disabled for PaaS services",
+ "description": "This policy initiative is a group of policies that prevents creation of Azure PaaS services with exposed public endpoints",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Network",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "CosmosPublicIpDenyEffect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Public network access should be disabled for CosmosDB",
+ "description": "This policy denies that Cosmos database accounts are created with out public network access is disabled."
+ },
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "defaultValue": "Deny"
+ },
+ "KeyVaultPublicIpDenyEffect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Public network access should be disabled for KeyVault",
+ "description": "This policy denies creation of Key Vaults with IP Firewall exposed to all public endpoints"
+ },
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "defaultValue": "Deny"
+ },
+ "SqlServerPublicIpDenyEffect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Public network access on Azure SQL Database should be disabled",
+ "description": "This policy denies creation of Sql servers with exposed public endpoints"
+ },
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "defaultValue": "Deny"
+ },
+ "StoragePublicIpDenyEffect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Public network access onStorage accounts should be disabled",
+ "description": "This policy denies creation of storage accounts with IP Firewall exposed to all public endpoints"
+ },
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "defaultValue": "Deny"
+ },
+ "AKSPublicIpDenyEffect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Public network access on AKS API should be disabled",
+ "description": "This policy denies the creation of Azure Kubernetes Service non-private clusters"
+ },
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "defaultValue": "Deny"
+ },
+ "ACRPublicIpDenyEffect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Public network access on Azure Container Registry disabled",
+ "description": "This policy denies the creation of Azure Container Registires with exposed public endpoints "
+ },
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "defaultValue": "Deny"
+ },
+ "AFSPublicIpDenyEffect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Public network access on Azure File Sync disabled",
+ "description": "This policy denies the creation of Azure File Sync instances with exposed public endpoints "
+ },
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "defaultValue": "Deny"
+ },
+ "PostgreSQLFlexPublicIpDenyEffect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Public network access should be disabled for PostgreSql Flexible Server",
+ "description": "This policy denies creation of Postgre SQL Flexible DB accounts with exposed public endpoints"
+ },
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "defaultValue": "Deny"
+ },
+ "MySQLFlexPublicIpDenyEffect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Public network access should be disabled for MySQL Flexible Server",
+ "description": "This policy denies creation of MySql Flexible Server DB accounts with exposed public endpoints"
+ },
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "defaultValue": "Deny"
+ },
+ "BatchPublicIpDenyEffect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Public network access should be disabled for Azure Batch Instances",
+ "description": "This policy denies creation of Azure Batch Instances with exposed public endpoints"
+ },
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "defaultValue": "Deny"
+ }
+ },
+ "policyDefinitions": [
+ {
+ "policyDefinitionReferenceId": "CosmosDenyPaasPublicIP",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/797b37f7-06b8-444c-b1ad-fc62867f335a",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('CosmosPublicIpDenyEffect')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "KeyVaultDenyPaasPublicIP",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/55615ac9-af46-4a59-874e-391cc3dfb490",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('KeyVaultPublicIpDenyEffect')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "SqlServerDenyPaasPublicIP",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('SqlServerPublicIpDenyEffect')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "StorageDenyPaasPublicIP",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('StoragePublicIpDenyEffect')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "AKSDenyPaasPublicIP",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/040732e8-d947-40b8-95d6-854c95024bf8",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('AKSPublicIpDenyEffect')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "ACRDenyPaasPublicIP",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0fdf0491-d080-4575-b627-ad0e843cba0f",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('ACRPublicIpDenyEffect')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "AFSDenyPaasPublicIP",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/21a8cd35-125e-4d13-b82d-2e19b7208bb7",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('AFSPublicIpDenyEffect')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "PostgreSQLFlexDenyPublicIP",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5e1de0e3-42cb-4ebc-a86d-61d0c619ca48",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('PostgreSQLFlexPublicIpDenyEffect')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "MySQLFlexDenyPublicIP",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c9299215-ae47-4f50-9c54-8a392f68a052",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('MySQLFlexPublicIpDenyEffect')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "BatchDenyPublicIP",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/74c5a0ae-5e48-4738-b093-65e23a060488",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('BatchPublicIpDenyEffect')]"
+ }
+ },
+ "groupNames": []
+ }
+ ],
+ "policyDefinitionGroups": null
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/policy_set_definition_es_mc_Deny-PublicPaaSEndpoints.parameters.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/policy_set_definition_es_mc_Deny-PublicPaaSEndpoints.parameters.json
new file mode 100644
index 0000000..ca7aa1f
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/policy_set_definition_es_mc_Deny-PublicPaaSEndpoints.parameters.json
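Review bot: Three of the parameter metadata strings in this new initiative are garbled, and they are the text an operator reads in the portal when deciding whether an effect can be relaxed from `Deny`. The `CosmosPublicIpDenyEffect` description reads as if the policy rejects accounts that have public access disabled; I would write `"description": "This policy denies creation of Cosmos database accounts unless public network access is disabled."`. The `StoragePublicIpDenyEffect` display name should be `"Public network access on Storage accounts should be disabled"`, and `Registires` in the `ACRPublicIpDenyEffect` description should be `Registries`.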
@@ -0,0 +1,72 @@
+{
+ "ACRDenyPaasPublicIP": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('ACRPublicIpDenyEffect')]"
+ }
+ }
+ },
+ "AFSDenyPaasPublicIP": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('AFSPublicIpDenyEffect')]"
+ }
+ }
+ },
+ "AKSDenyPaasPublicIP": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('AKSPublicIpDenyEffect')]"
+ }
+ }
+ },
+ "BatchDenyPublicIP": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('BatchPublicIpDenyEffect')]"
+ }
+ }
+ },
+ "CosmosDenyPaasPublicIP": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('CosmosPublicIpDenyEffect')]"
+ }
+ }
+ },
+ "KeyVaultDenyPaasPublicIP": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('KeyVaultPublicIpDenyEffect')]"
+ }
+ }
+ },
+ "MySQLFlexDenyPublicIP": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('MySQLFlexPublicIpDenyEffect')]"
+ }
+ }
+ },
+ "PostgreSQLFlexDenyPublicIP": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('PostgreSQLFlexPublicIpDenyEffect')]"
+ }
+ }
+ },
+ "SqlServerDenyPaasPublicIP": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('SqlServerPublicIpDenyEffect')]"
+ }
+ }
+ },
+ "StorageDenyPaasPublicIP": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('StoragePublicIpDenyEffect')]"
+ }
+ }
+ }
+}
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/policy_set_definition_es_mc_Deploy-Diagnostics-LogAnalytics.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/policy_set_definition_es_mc_Deploy-Diagnostics-LogAnalytics.json
new file mode 100644
index 0000000..cfcc6a1
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/policy_set_definition_es_mc_Deploy-Diagnostics-LogAnalytics.json
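Review bot: The ten `effect` bindings in this file repeat, value for value, the `parameters` blocks already written inline under `policyDefinitions` in `policy_set_definition_es_mc_Deny-PublicPaaSEndpoints.json`, so the enforcement setting for each deny policy now lives in two places. The Bicep variables earlier in this patch load the `.parameters.json` files for the child definitions, so an edit made in only one copy (for example hard-wiring an `effect` value) presumably either never reaches the deployed initiative or silently diverges from what the set definition documents. Nothing in the diff says which copy is authoritative or whether one is generated from the other; I would state that in the module documentation and add a pipeline check that fails when the two files disagree for any `policyDefinitionReferenceId`.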
@@ -0,0 +1,1819 @@ +{ + "name": "Deploy-Diagnostics-LogAnalytics", + "type": "Microsoft.Authorization/policySetDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "displayName": "Deploy Diagnostic Settings to Azure Services", + "description": "This policy set deploys the configurations of application Azure resources to forward diagnostic logs and metrics to an Azure Log Analytics workspace. See the list of policies of the services that are included ", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "metadata": { + "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "displayName": "Log Analytics workspace", + "strongType": "omsWorkspace" + }, + "type": "String" + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "ACILogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for Container Instances to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Container Instances to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy willset the diagnostic with all metrics enabled." 
+ } + }, + "ACRLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for Container Registry to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Container Registry to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics enabled." + } + }, + "AKSLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for Kubernetes Service to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Kubernetes Service to stream to a Log Analytics workspace when any Kubernetes Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled." + } + }, + "AnalysisServiceLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for Analysis Services to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Analysis Services to stream to a Log Analytics workspace when any Analysis Services which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "APIforFHIRLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for Azure API for FHIR to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Azure API for FHIR to stream to a Log Analytics workspace when any Azure API for FHIR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "APIMgmtLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for API Management to Log Analytics workspace", + "description": "Deploys the diagnostic settings for API Management to stream to a Log Analytics workspace when any API Management which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "ApplicationGatewayLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for Application Gateway to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Application Gateway to stream to a Log Analytics workspace when any Application Gateway which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "AutomationLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for Automation to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Automation to stream to a Log Analytics workspace when any Automation which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "BastionLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for Azure Bastion to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Azure Bastion to stream to a Log Analytics workspace when any Bastion which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "BatchLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for Batch to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Batch to stream to a Log Analytics workspace when any Batch which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "CDNEndpointsLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for CDN Endpoint to Log Analytics workspace", + "description": "Deploys the diagnostic settings for CDN Endpoint to stream to a Log Analytics workspace when any CDN Endpoint which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "CognitiveServicesLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for Cognitive Services to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Cognitive Services to stream to a Log Analytics workspace when any Cognitive Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "CosmosLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for Cosmos DB to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Cosmos DB to stream to a Log Analytics workspace when any Cosmos DB which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "DatabricksLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for Databricks to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Databricks to stream to a Log Analytics workspace when any Databricks which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "DataExplorerClusterLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for Azure Data Explorer Cluster to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Azure Data Explorer Cluster to stream to a Log Analytics workspace when any Azure Data Explorer Cluster which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "DataFactoryLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for Data Factory to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Data Factory to stream to a Log Analytics workspace when any Data Factory which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "DataLakeStoreLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for Azure Data Lake Store to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Azure Data Lake Store to stream to a Log Analytics workspace when anyAzure Data Lake Store which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "DataLakeAnalyticsLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Data Lake Analytics to stream to a Log Analytics workspace when any Data Lake Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "EventGridSubLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for Event Grid subscriptions to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Event Grid subscriptions to stream to a Log Analytics workspace when any Event Grid subscriptions which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "EventGridTopicLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for Event Grid Topic to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Event Grid Topic to stream to a Log Analytics workspace when any Event Grid Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "EventHubLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for Event Hubs to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Event Hubs to stream to a Log Analytics workspace when any Event Hubs which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "EventSystemTopicLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for Event Grid System Topic to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Event Grid System Topic to stream to a Log Analytics workspace when any Event Grid System Topic which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "ExpressRouteLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for ExpressRoute to Log Analytics workspace", + "description": "Deploys the diagnostic settings for ExpressRoute to stream to a Log Analytics workspace when any ExpressRoute which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "FirewallLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for Firewall to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Firewall to stream to a Log Analytics workspace when any Firewall which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "FrontDoorLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for Front Door to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Front Door to stream to a Log Analytics workspace when any Front Door which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "FunctionAppLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for Azure Function App to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Azure Function App to stream to a Log Analytics workspace when any function app which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "HDInsightLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for HDInsight to Log Analytics workspace", + "description": "Deploys the diagnostic settings for HDInsight to stream to a Log Analytics workspace when any HDInsight which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "IotHubLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for IoT Hub to Log Analytics workspace", + "description": "Deploys the diagnostic settings for IoT Hub to stream to a Log Analytics workspace when any IoT Hub which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "KeyVaultLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for Key Vault to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Key Vault to stream to a Log Analytics workspace when any Key Vault which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "LoadBalancerLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for Load Balancer to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Load Balancer to stream to a Log Analytics workspace when any Load Balancer which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "LogicAppsISELogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for Logic Apps integration service environment to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Logic Apps integration service environment to stream to a Log Analytics workspace when any Logic Apps integration service environment which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "LogicAppsWFLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for Logic Apps Workflows to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Logic Apps Workflows to stream to a Log Analytics workspace when any Logic Apps Workflows which are missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "MariaDBLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for MariaDB to Log Analytics workspace", + "description": "Deploys the diagnostic settings for MariaDB to stream to a Log Analytics workspace when any MariaDB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "MediaServiceLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for Azure Media Service to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Azure Media Service to stream to a Log Analytics workspace when any Azure Media Service which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "MlWorkspaceLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for Machine Learning workspace to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Machine Learning workspace to stream to a Log Analytics workspace when any Machine Learning workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "MySQLLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for Database for MySQL to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Database for MySQL to stream to a Log Analytics workspace when any Database for MySQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "NetworkSecurityGroupsLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for Network Security Groups to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Network Security Groups to stream to a Log Analytics workspace when any Network Security Groups which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "NetworkNICLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for Network Interfaces to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Network Interfaces to stream to a Log Analytics workspace when any Network Interfaces which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "PostgreSQLLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for Database for PostgreSQL to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Database for PostgreSQL to stream to a Log Analytics workspace when any Database for PostgreSQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "PowerBIEmbeddedLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for Power BI Embedded to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Power BI Embedded to stream to a Log Analytics workspace when any Power BI Embedded which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "NetworkPublicIPNicLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for Public IP addresses to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Public IP addresses to stream to a Log Analytics workspace when any Public IP addresses which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "RedisCacheLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for Redis Cache to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Redis Cache to stream to a Log Analytics workspace when any Redis Cache which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "RelayLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for Relay to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Relay to stream to a Log Analytics workspace when any Relay which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "SearchServicesLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for Search Services to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Search Services to stream to a Log Analytics workspace when any Search Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "ServiceBusLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for Service Bus namespaces to Log Analytics workspace", + "description": "Deploys the diagnostic settings for ServiceBus to stream to a Log Analytics workspace when any ServiceBus which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "SignalRLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for SignalR to Log Analytics workspace", + "description": "Deploys the diagnostic settings for SignalR to stream to a Log Analytics workspace when any SignalR which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "SQLDBsLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for SQL Databases to Log Analytics workspace", + "description": "Deploys the diagnostic settings for SQL Databases to stream to a Log Analytics workspace when any SQL Databases which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "SQLElasticPoolsLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for SQL Elastic Pools to Log Analytics workspace", + "description": "Deploys the diagnostic settings for SQL Elastic Pools to stream to a Log Analytics workspace when any SQL Elastic Pools which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "SQLMLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for SQL Managed Instances to Log Analytics workspace", + "description": "Deploys the diagnostic settings for SQL Managed Instances to stream to a Log Analytics workspace when any SQL Managed Instances which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "StreamAnalyticsLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Stream Analytics to stream to a Log Analytics workspace when any Stream Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "TimeSeriesInsightsLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for Time Series Insights to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Time Series Insights to stream to a Log Analytics workspace when any Time Series Insights which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "TrafficManagerLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for Traffic Manager to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Traffic Manager to stream to a Log Analytics workspace when any Traffic Manager which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "VirtualNetworkLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for Virtual Network to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Virtual Network to stream to a Log Analytics workspace when any Virtual Network which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "VirtualMachinesLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for Virtual Machines to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Virtual Machines to stream to a Log Analytics workspace when any Virtual Machines which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "VMSSLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for Virtual Machine Scale Sets to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Virtual Machine Scale Sets to stream to a Log Analytics workspace when any Virtual Machine Scale Sets which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "VNetGWLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for VPN Gateway to Log Analytics workspace", + "description": "Deploys the diagnostic settings for VPN Gateway to stream to a Log Analytics workspace when any VPN Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled." + } + }, + "AppServiceLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for App Service Plan to Log Analytics workspace", + "description": "Deploys the diagnostic settings for App Service Plan to stream to a Log Analytics workspace when any App Service Plan which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "AppServiceWebappLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for App Service to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Web App to stream to a Log Analytics workspace when any Web App which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "AVDScalingPlansLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for AVD Scaling Plans to Log Analytics workspace", + "description": "Deploys the diagnostic settings for AVD Scaling Plans to stream to a Log Analytics workspace when any application groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "WVDAppGroupsLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for AVD Application Groups to Log Analytics workspace", + "description": "Deploys the diagnostic settings for AVD Application groups to stream to a Log Analytics workspace when any application groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "WVDWorkspaceLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for AVD Workspace to Log Analytics workspace", + "description": "Deploys the diagnostic settings for AVD Workspace to stream to a Log Analytics workspace when any Workspace which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "WVDHostPoolsLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for AVD Host pools to Log Analytics workspace", + "description": "Deploys the diagnostic settings for AVD Host pools to stream to a Log Analytics workspace when any host pool which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "StorageAccountsLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for Storage Accounts to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Storage Accounts to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled" + } + } + }, + "policyDefinitions": [ + { + "policyDefinitionReferenceId": "StorageAccountDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6f8f98a4-f108-47cb-8e98-91a0d85cd474", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('StorageAccountsLogAnalyticsEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "AVDScalingPlansDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AVDScalingPlans", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('AVDScalingPlansLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "WVDAppGroupDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDAppGroup", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('WVDAppGroupsLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "WVDWorkspaceDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDWorkspace", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('WVDWorkspaceLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + 
"groupNames": [] + }, + { + "policyDefinitionReferenceId": "WVDHostPoolsDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDHostPools", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('WVDHostPoolsLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "ACIDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACI", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('ACILogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "ACRDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACR", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('ACRLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "AKSDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6c66c325-74c8-42fd-a286-a74b0e2939d8", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('AKSLogAnalyticsEffect')]" + }, + "diagnosticsSettingNameToUse": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": 
"AnalysisServiceDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AnalysisService", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('AnalysisServiceLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "APIforFHIRDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApiForFHIR", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('APIforFHIRLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "APIMgmtDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-APIMgmt", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('APIMgmtLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "ApplicationGatewayDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApplicationGateway", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('ApplicationGatewayLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + 
"policyDefinitionReferenceId": "AutomationDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AA", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('AutomationLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "BastionDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Bastion", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('BastionLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "BatchDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c84e5349-db6d-4769-805e-e14037dab9b5", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('BatchLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "CDNEndpointsDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CDNEndpoints", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('CDNEndpointsLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": 
"CognitiveServicesDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CognitiveServices", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('CognitiveServicesLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "CosmosDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CosmosDB", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('CosmosLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "DatabricksDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Databricks", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('DatabricksLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "DataExplorerClusterDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataExplorerCluster", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('DataExplorerClusterLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + 
"policyDefinitionReferenceId": "DataFactoryDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataFactory", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('DataFactoryLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "DataLakeStoreDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('DataLakeStoreLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "DataLakeAnalyticsDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DLAnalytics", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('DataLakeAnalyticsLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "EventGridSubDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSub", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('EventGridSubLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + 
"policyDefinitionReferenceId": "EventGridTopicDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridTopic", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('EventGridTopicLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "EventHubDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1f6e93e8-6b31-41b1-83f6-36e449a42579", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('EventHubLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "EventSystemTopicDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSystemTopic", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('EventSystemTopicLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "ExpressRouteDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ExpressRoute", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('ExpressRouteLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + 
"policyDefinitionReferenceId": "FirewallDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Firewall", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('FirewallLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "FrontDoorDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-FrontDoor", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('FrontDoorLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "FunctionAppDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Function", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('FunctionAppLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "HDInsightDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-HDInsight", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('HDInsightLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": 
"IotHubDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-iotHub", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('IotHubLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "KeyVaultDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bef3f64c-5290-43b7-85b0-9b254eef4c47", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('KeyVaultLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "LoadBalancerDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LoadBalancer", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('LoadBalancerLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "LogicAppsISEDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogicAppsISE", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('LogicAppsISELogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "LogicAppsWFDeployDiagnosticLogDeployLogAnalytics", + 
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b889a06c-ec72-4b03-910a-cb169ee18721", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('LogicAppsWFLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "MariaDBDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MariaDB", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('MariaDBLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "MediaServiceDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MediaService", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('MediaServiceLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "MlWorkspaceDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MlWorkspace", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('MlWorkspaceLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "MySQLDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": 
"${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MySQL", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('MySQLLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "NetworkSecurityGroupsDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NetworkSecurityGroups", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('NetworkSecurityGroupsLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "NetworkNICDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NIC", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('NetworkNICLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "PostgreSQLDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PostgreSQL", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('PostgreSQLLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "PowerBIEmbeddedDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": 
"${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PowerBIEmbedded", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('PowerBIEmbeddedLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "NetworkPublicIPNicDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/752154a7-1e0f-45c6-a880-ac75a7e4f648", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('NetworkPublicIPNicLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "True" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "RecoveryVaultDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c717fb0c-d118-4c43-ab3d-ece30ac81fb3", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "RedisCacheDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-RedisCache", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('RedisCacheLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "RelayDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": 
"${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Relay", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('RelayLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "SearchServicesDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/08ba64b8-738f-4918-9686-730d2ed79c7d", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('SearchServicesLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "ServiceBusDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/04d53d87-841c-4f23-8a5b-21564380b55e", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('ServiceBusLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "SignalRDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SignalR", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('SignalRLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "SQLDatabaseDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b79fa14e-238a-4c2d-b376-442ce508fc84", + 
"parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('SQLDBsLogAnalyticsEffect')]" + }, + "diagnosticsSettingNameToUse": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "SQLElasticPoolsDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLElasticPools", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('SQLElasticPoolsLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "SQLMDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLMI", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('SQLMLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "StreamAnalyticsDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/237e0f7e-b0e8-4ec4-ad46-8c12cb66d673", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('StreamAnalyticsLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "TimeSeriesInsightsDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TimeSeriesInsights", + "parameters": { + 
"logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('TimeSeriesInsightsLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "TrafficManagerDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TrafficManager", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('TrafficManagerLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "VirtualNetworkDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VirtualNetwork", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('VirtualNetworkLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "VirtualMachinesDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VM", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('VirtualMachinesLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "VMSSDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VMSS", + "parameters": { + 
"logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('VMSSLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "VNetGWDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VNetGW", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('VNetGWLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "AppServiceDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WebServerFarm", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('AppServiceLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "AppServiceWebappDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Website", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('AppServiceWebappLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + } + ], + "policyDefinitionGroups": null + } +} \ No newline at end of file 
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/policy_set_definition_es_mc_Deploy-Diagnostics-LogAnalytics.parameters.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/policy_set_definition_es_mc_Deploy-Diagnostics-LogAnalytics.parameters.json
new file mode 100644
index 0000000..0fc6d8a
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/policy_set_definition_es_mc_Deploy-Diagnostics-LogAnalytics.parameters.json
@@ -0,0 +1,818 @@ +{ + "ACIDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('ACILogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "ACRDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('ACRLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "AKSDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('AKSLogAnalyticsEffect')]" + }, + "diagnosticsSettingNameToUse": { + "value": "[[parameters('profileName')]" + } + } + }, + "AnalysisServiceDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('AnalysisServiceLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "APIforFHIRDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('APIforFHIRLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "APIMgmtDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('APIMgmtLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "ApplicationGatewayDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('ApplicationGatewayLogAnalyticsEffect')]" + }, + 
"profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "AppServiceDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('AppServiceLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "AppServiceWebappDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('AppServiceWebappLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "AutomationDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('AutomationLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "BastionDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('BastionLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "BatchDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('BatchLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "CDNEndpointsDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('CDNEndpointsLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "CognitiveServicesDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + 
"value": "[[parameters('CognitiveServicesLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "CosmosDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('CosmosLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "DatabricksDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('DatabricksLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "DataExplorerClusterDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('DataExplorerClusterLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "DataFactoryDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('DataFactoryLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "DataLakeAnalyticsDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('DataLakeAnalyticsLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "DataLakeStoreDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('DataLakeStoreLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "EventGridSubDeployDiagnosticLogDeployLogAnalytics": { + 
"parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('EventGridSubLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "EventGridTopicDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('EventGridTopicLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "EventHubDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('EventHubLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "EventSystemTopicDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('EventSystemTopicLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "ExpressRouteDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('ExpressRouteLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "FirewallDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('FirewallLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "FrontDoorDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('FrontDoorLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + 
} + } + }, + "FunctionAppDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('FunctionAppLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "HDInsightDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('HDInsightLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "IotHubDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('IotHubLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "KeyVaultDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('KeyVaultLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "LoadBalancerDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('LoadBalancerLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "LogicAppsISEDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('LogicAppsISELogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "LogicAppsWFDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('LogicAppsWFLogAnalyticsEffect')]" + }, + 
"profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "MariaDBDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('MariaDBLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "MediaServiceDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('MediaServiceLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "MlWorkspaceDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('MlWorkspaceLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "MySQLDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('MySQLLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "NetworkNICDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('NetworkNICLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "NetworkPublicIPNicDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('NetworkPublicIPNicLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "True" + } + } + }, + "NetworkSecurityGroupsDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": 
"[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('NetworkSecurityGroupsLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "PostgreSQLDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('PostgreSQLLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "PowerBIEmbeddedDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('PowerBIEmbeddedLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "RecoveryVaultDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "RedisCacheDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('RedisCacheLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "RelayDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('RelayLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "SearchServicesDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('SearchServicesLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "ServiceBusDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": 
"[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('ServiceBusLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "SignalRDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('SignalRLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "SQLDatabaseDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('SQLDBsLogAnalyticsEffect')]" + }, + "diagnosticsSettingNameToUse": { + "value": "[[parameters('profileName')]" + } + } + }, + "SQLElasticPoolsDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('SQLElasticPoolsLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "SQLMDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('SQLMLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "StorageAccountDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('StorageAccountsLogAnalyticsEffect')]" + } + } + }, + "StreamAnalyticsDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('StreamAnalyticsLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "TimeSeriesInsightsDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + 
"logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('TimeSeriesInsightsLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "TrafficManagerDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('TrafficManagerLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "VirtualMachinesDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('VirtualMachinesLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "VirtualNetworkDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('VirtualNetworkLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "VMSSDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('VMSSLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "VNetGWDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('VNetGWLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "WVDAppGroupDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('WVDAppGroupsLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + 
"WVDHostPoolsDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('WVDHostPoolsLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "WVDWorkspaceDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('WVDWorkspaceLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + } +} diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/policy_set_definition_es_mc_Deploy-MDFC-Config.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/policy_set_definition_es_mc_Deploy-MDFC-Config.json new file mode 100644 index 0000000..5d33f70 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/policy_set_definition_es_mc_Deploy-MDFC-Config.json 
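Review bot: `RecoveryVaultDeployDiagnosticLogDeployLogAnalytics` is the only entry in this file that passes no `effect`, and `StorageAccountDeployDiagnosticLogDeployLogAnalytics` is the only one that passes no profile name, so the initiative's per-service effect switches and setting name do not reach those two members the way they reach the rest. Whether the referenced definitions simply lack these parameters cannot be told from this hunk, because the matching set definition starts before it. If the omission is deliberate, record it in the module documentation, e.g. `Recovery Services vault diagnostics: effect is fixed by the referenced definition and cannot be set through this initiative`; otherwise add an `effect` entry in the same shape as the neighbouring members. `NetworkPublicIPNicDeployDiagnosticLogDeployLogAnalytics` also hard-codes `"metricsEnabled": "True"` as a string, which deserves the same one-line explanation.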
@@ -0,0 +1,268 @@ +{ + "name": "Deploy-MDFC-Config", + "type": "Microsoft.Authorization/policySetDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "displayName": "Deploy Microsoft Defender for Cloud configuration", + "description": "Deploy Microsoft Defender for Cloud configuration", + "metadata": { + "version": "3.1.0", + "category": "Security Center", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "emailSecurityContact": { + "type": "string", + "metadata": { + "displayName": "Security contacts email address", + "description": "Provide email address for Microsoft Defender for Cloud contact details" + } + }, + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Primary Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "ascExportResourceGroupName": { + "type": "String", + "metadata": { + "displayName": "Resource Group name for the export to Log Analytics workspace configuration", + "description": "The resource group name where the export to Log Analytics workspace configuration is created. If you enter a name for a resource group that doesn't exist, it'll be created in the subscription. Note that each resource group can only have one export to Log Analytics workspace configured." + } + }, + "ascExportResourceGroupLocation": { + "type": "String", + "metadata": { + "displayName": "Resource Group location for the export to Log Analytics workspace configuration", + "description": "The location where the resource group and the export to Log Analytics workspace configuration are created." 
+ } + }, + "enableAscForCosmosDbs": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "enableAscForSql": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "enableAscForSqlOnVm": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "enableAscForDns": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "enableAscForArm": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "enableAscForOssDb": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "enableAscForAppServices": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "enableAscForKeyVault": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "enableAscForStorage": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "enableAscForContainers": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "enableAscForServers": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + } + }, + "policyDefinitions": [ + { + "policyDefinitionReferenceId": "defenderForOssDb", + "policyDefinitionId": 
"/providers/Microsoft.Authorization/policyDefinitions/44433aa3-7ec2-4002-93ea-65c65ff0310a", + "parameters": { + "effect": { + "value": "[[parameters('enableAscForOssDb')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "defenderForVM", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8e86a5b6-b9bd-49d1-8e21-4bb8a0862222", + "parameters": { + "effect": { + "value": "[[parameters('enableAscForServers')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "defenderForSqlServerVirtualMachines", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/50ea7265-7d8c-429e-9a7d-ca1f410191c3", + "parameters": { + "effect": { + "value": "[[parameters('enableAscForSqlOnVm')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "defenderForAppServices", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b40e7bcd-a1e5-47fe-b9cf-2f534d0bfb7d", + "parameters": { + "effect": { + "value": "[[parameters('enableAscForAppServices')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "defenderForStorageAccounts", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/74c30959-af11-47b3-9ed2-a26e03f427a3", + "parameters": { + "effect": { + "value": "[[parameters('enableAscForStorage')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "defenderforContainers", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c9ddb292-b203-4738-aead-18e2716e858f", + "parameters": { + "effect": { + "value": "[[parameters('enableAscForContainers')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "defenderForKeyVaults", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1f725891-01c0-420a-9059-4fa46cb770b7", + "parameters": { + "Effect": { + "value": "[[parameters('enableAscForKeyVault')]" + } + }, + "groupNames": [] + }, + { + 
"policyDefinitionReferenceId": "defenderForDns", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2370a3c1-4a25-4283-a91a-c9c1a145fb2f", + "parameters": { + "effect": { + "value": "[[parameters('enableAscForDns')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "defenderForArm", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b7021b2b-08fd-4dc0-9de7-3c6ece09faf9", + "parameters": { + "effect": { + "value": "[[parameters('enableAscForArm')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "defenderForSqlPaas", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491", + "parameters": { + "effect": { + "value": "[[parameters('enableAscForSql')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "defenderForCosmosDbs", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/82bf5b87-728b-4a74-ba4d-6123845cf542", + "parameters": { + "effect": { + "value": "[[parameters('enableAscForCosmosDbs')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "securityEmailContact", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts", + "parameters": { + "emailSecurityContact": { + "value": "[[parameters('emailSecurityContact')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "ascExport", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ffb6f416-7bd2-4488-8828-56585fef2be9", + "parameters": { + "resourceGroupName": { + "value": "[[parameters('ascExportResourceGroupName')]" + }, + "resourceGroupLocation": { + "value": "[[parameters('ascExportResourceGroupLocation')]" + }, + "workspaceResourceId": { + "value": "[[parameters('logAnalytics')]" + } + }, + "groupNames": [] + } + ], + "policyDefinitionGroups": null + } +} \ No 
newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/policy_set_definition_es_mc_Deploy-MDFC-Config.parameters.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/policy_set_definition_es_mc_Deploy-MDFC-Config.parameters.json
new file mode 100644
index 0000000..f1ea4df
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/policy_set_definition_es_mc_Deploy-MDFC-Config.parameters.json
@@ -0,0 +1,57 @@
+{
+ "ascExport": {
+ "parameters": {
+ "resourceGroupName": {
+ "value": "[[parameters('ascExportResourceGroupName')]"
+ },
+ "resourceGroupLocation": {
+ "value": "[[parameters('ascExportResourceGroupLocation')]"
+ },
+ "workspaceResourceId": {
+ "value": "[[parameters('logAnalytics')]"
+ }
+ }
+ },
+ "defenderForArm": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('enableAscForArm')]"
+ }
+ }
+ },
+ "defenderforContainers": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('enableAscForContainers')]"
+ }
+ }
+ },
+ "defenderForDns": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('enableAscForDns')]"
+ }
+ }
+ },
+ "defenderForSqlPaas": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('enableAscForSql')]"
+ }
+ }
+ },
+ "defenderForVM": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('enableAscForServers')]"
+ }
+ }
+ },
+ "securityEmailContact": {
+ "parameters": {
+ "emailSecurityContact": {
+ "value": "[[parameters('emailSecurityContact')]"
+ }
+ }
+ }
+}
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/policy_set_definition_es_mc_Deploy-Private-DNS-Zones.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/policy_set_definition_es_mc_Deploy-Private-DNS-Zones.json
new file mode 100644
index 0000000..dd8d18b
--- /dev/null
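Review bot: The companion `policy_set_definition_es_mc_Deploy-MDFC-Config.parameters.json` covers only seven of the thirteen `policyDefinitionReferenceId`s declared in `policy_set_definition_es_mc_Deploy-MDFC-Config.json`; `defenderForOssDb`, `defenderForSqlServerVirtualMachines`, `defenderForAppServices`, `defenderForStorageAccounts`, `defenderForKeyVaults` and `defenderForCosmosDbs` have no entry. The code that consumes the two files is not part of these hunks, so which list decides the deployed members cannot be told from here. If the parameters file does, those six Defender plans are not switched on by this initiative, while the definition still advertises `enableAscForKeyVault`, `enableAscForStorage` and the rest as if they were. Either add the missing entries or remove the unused members and parameters from the definition so the two files agree, and state the intended plan coverage for this cloud in the module documentation. Separately, `defenderForKeyVaults` passes `"Effect"` with a capital E where every other member passes `"effect"`, which is worth checking against the referenced definition's parameter name.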
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/policy_set_definition_es_mc_Deploy-Private-DNS-Zones.json 
@@ -0,0 +1,470 @@ +{ + "name": "Deploy-Private-DNS-Zones", + "type": "Microsoft.Authorization/policySetDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "displayName": "Configure Azure PaaS services to use private DNS zones", + "description": "This policy initiative is a group of policies that ensures private endpoints to Azure PaaS services are integrated with Azure Private DNS zones", + "metadata": { + "version": "1.0.0", + "category": "Network", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "azureFilePrivateDnsZoneId": { + "type": "string", + "metadata": { + "displayName": "azureFilePrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureWebPrivateDnsZoneId": { + "type": "string", + "metadata": { + "displayName": "azureWebPrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureBatchPrivateDnsZoneId": { + "type": "string", + "metadata": { + "displayName": "azureBatchPrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureAppPrivateDnsZoneId": { + "type": "string", + "metadata": { + "displayName": "azureAppPrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureAsrPrivateDnsZoneId": { + "type": "string", + "metadata": { + "displayName": "azureAsrPrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureIotPrivateDnsZoneId": { + "type": "string", + "metadata": { + "displayName": "azureIotPrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone 
Identifier" + } + }, + "azureKeyVaultPrivateDnsZoneId": { + "type": "string", + "metadata": { + "displayName": "azureKeyVaultPrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureSignalRPrivateDnsZoneId": { + "type": "string", + "metadata": { + "displayName": "azureSignalRPrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureAppServicesPrivateDnsZoneId": { + "type": "string", + "metadata": { + "displayName": "azureAppServicesPrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureEventGridTopicsPrivateDnsZoneId": { + "type": "string", + "metadata": { + "displayName": "azureEventGridTopicsPrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureDiskAccessPrivateDnsZoneId": { + "type": "string", + "metadata": { + "displayName": "azureDiskAccessPrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureCognitiveServicesPrivateDnsZoneId": { + "type": "string", + "metadata": { + "displayName": "azureCognitiveServicesPrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureIotHubsPrivateDnsZoneId": { + "type": "string", + "metadata": { + "displayName": "azureIotHubsPrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureEventGridDomainsPrivateDnsZoneId": { + "type": "string", + "metadata": { + "displayName": "azureEventGridDomainsPrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureRedisCachePrivateDnsZoneId": { + "type": "string", + 
"metadata": { + "displayName": "azureRedisCachePrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureAcrPrivateDnsZoneId": { + "type": "string", + "metadata": { + "displayName": "azureAcrPrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureEventHubNamespacePrivateDnsZoneId": { + "type": "string", + "metadata": { + "displayName": "azureEventHubNamespacePrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureMachineLearningWorkspacePrivateDnsZoneId": { + "type": "string", + "metadata": { + "displayName": "azureMachineLearningWorkspacePrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureServiceBusNamespacePrivateDnsZoneId": { + "type": "string", + "metadata": { + "displayName": "azureServiceBusNamespacePrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureCognitiveSearchPrivateDnsZoneId": { + "type": "string", + "metadata": { + "displayName": "azureCognitiveSearchPrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "effect": { + "type": "string", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists" + }, + "effect1": { + "type": "string", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "deployIfNotExists", + "Disabled" + ], + "defaultValue": "deployIfNotExists" + } + }, + "policyDefinitions": [ + { + "policyDefinitionReferenceId": 
"DINE-Private-DNS-Azure-File-Sync", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/06695360-db88-47f6-b976-7500d4297475", + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureFileprivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Web", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0b026355-49cb-467b-8ac4-f777874e175a", + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureWebPrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Batch", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4ec38ebc-381f-45ee-81a4-acbc4be878f8", + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureBatchPrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-App", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7a860e27-9ca2-4fc6-822d-c2d248c300df", + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureAppPrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Site-Recovery", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/942bd215-1a66-44be-af65-6a1c0318dbe2", + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureAsrPrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-IoT", + "policyDefinitionId": 
"/providers/Microsoft.Authorization/policyDefinitions/aaa64d2d-2fa3-45e5-b332-0b031b9b30e8", + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureIotPrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-KeyVault", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01d4", + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureKeyVaultPrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-SignalR", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b0e86710-7fb7-4a6c-a064-32e9b829509e", + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureSignalRPrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-AppServices", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b318f84a-b872-429b-ac6d-a01b96814452", + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureAppServicesPrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-EventGridTopics", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/baf19753-7502-405f-8745-370519b20483", + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureEventGridTopicsPrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect1')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-DiskAccess", + "policyDefinitionId": 
"/providers/Microsoft.Authorization/policyDefinitions/bc05b96c-0b36-4ca9-82f0-5c53f96ce05a", + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureDiskAccessPrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-CognitiveServices", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c4bc6f10-cb41-49eb-b000-d5ab82e2a091", + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureCognitiveServicesPrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-IoTHubs", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c99ce9c1-ced7-4c3e-aca0-10e69ce0cb02", + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureIotHubsPrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect1')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-EventGridDomains", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d389df0a-e0d7-4607-833c-75a6fdac2c2d", + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureEventGridDomainsPrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect1')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-RedisCache", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e016b22b-e0eb-436d-8fd7-160c4eaed6e2", + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureRedisCachePrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-ACR", + "policyDefinitionId": 
"/providers/Microsoft.Authorization/policyDefinitions/e9585a95-5b8c-4d03-b193-dc7eb5ac4c32", + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureAcrPrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-EventHubNamespace", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ed66d4f5-8220-45dc-ab4a-20d1749c74e6", + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureEventHubNamespacePrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-MachineLearningWorkspace", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ee40564d-486e-4f68-a5ca-7a621edae0fb", + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureMachineLearningWorkspacePrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-ServiceBusNamespace", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f0fcf93c-c063-4071-9668-c47474bd3564", + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureServiceBusNamespacePrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-CognitiveSearch", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fbc14a67-53e4-4932-abcc-2049c6706009", + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureCognitiveSearchPrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + }, + "groupNames": [] + } + ], + "policyDefinitionGroups": null + } +} \ No newline at end of file 
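Review bot: The initiative in Deploy-Private-DNS-Zones.json exposes two switches, `effect` and `effect1`, and both carry the display name "Effect". An assignment that sets `effect` to `Disabled` therefore still leaves DINE-Private-DNS-Azure-EventGridTopics, DINE-Private-DNS-Azure-IoTHubs and DINE-Private-DNS-Azure-EventGridDomains on their `deployIfNotExists` default, and the operator cannot tell the two parameters apart. Give the second one a distinguishing label, for example `"displayName": "Effect (Event Grid and IoT Hub policies)"`, and name the three references it drives in its description. Separately, DINE-Private-DNS-Azure-File-Sync reads `[[parameters('azureFileprivateDnsZoneId')]` while the parameter is declared as `azureFilePrivateDnsZoneId`; the lookup is probably case-insensitive, but using the declared spelling here and in the companion .parameters.json file removes the doubt.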
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/policy_set_definition_es_mc_Deploy-Private-DNS-Zones.parameters.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/policy_set_definition_es_mc_Deploy-Private-DNS-Zones.parameters.json
new file mode 100644
index 0000000..0c0ca86
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/policy_set_definition_es_mc_Deploy-Private-DNS-Zones.parameters.json
@@ -0,0 +1,202 @@ +{ + "DINE-Private-DNS-Azure-ACR": { + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureAcrPrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + } + }, + "DINE-Private-DNS-Azure-App": { + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureAppPrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + } + }, + "DINE-Private-DNS-Azure-AppServices": { + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureAppServicesPrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + } + }, + "DINE-Private-DNS-Azure-Batch": { + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureBatchPrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + } + }, + "DINE-Private-DNS-Azure-CognitiveSearch": { + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureCognitiveSearchPrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + } + }, + "DINE-Private-DNS-Azure-CognitiveServices": { + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureCognitiveServicesPrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + } + }, + "DINE-Private-DNS-Azure-DiskAccess": { + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureDiskAccessPrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + } + }, + "DINE-Private-DNS-Azure-EventGridDomains": { + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureEventGridDomainsPrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect1')]" + } + } + }, + "DINE-Private-DNS-Azure-EventGridTopics": { + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureEventGridTopicsPrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect1')]" + } + } + }, + 
"DINE-Private-DNS-Azure-EventHubNamespace": { + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureEventHubNamespacePrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + } + }, + "DINE-Private-DNS-Azure-File-Sync": { + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureFileprivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + } + }, + "DINE-Private-DNS-Azure-IoT": { + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureIotPrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + } + }, + "DINE-Private-DNS-Azure-IoTHubs": { + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureIotHubsPrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect1')]" + } + } + }, + "DINE-Private-DNS-Azure-KeyVault": { + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureKeyVaultPrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + } + }, + "DINE-Private-DNS-Azure-MachineLearningWorkspace": { + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureMachineLearningWorkspacePrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + } + }, + "DINE-Private-DNS-Azure-RedisCache": { + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureRedisCachePrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + } + }, + "DINE-Private-DNS-Azure-ServiceBusNamespace": { + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureServiceBusNamespacePrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + } + }, + "DINE-Private-DNS-Azure-SignalR": { + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureSignalRPrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + } + }, + "DINE-Private-DNS-Azure-Site-Recovery": { + 
"parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureAsrPrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + } + }, + "DINE-Private-DNS-Azure-Web": { + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureWebPrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + } + } +} diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/policy_set_definition_es_mc_Deploy-Sql-Security.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/policy_set_definition_es_mc_Deploy-Sql-Security.json new file mode 100644 index 0000000..4a22068 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/policy_set_definition_es_mc_Deploy-Sql-Security.json 
@@ -0,0 +1,134 @@ +{ + "name": "Deploy-Sql-Security", + "type": "Microsoft.Authorization/policySetDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "displayName": "Deploy SQL Database built-in SQL security configuration", + "description": "Deploy auditing, Alert, TDE and SQL vulnerability to SQL Databases when it not exist in the deployment", + "metadata": { + "version": "1.0.0", + "category": "SQL", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "vulnerabilityAssessmentsEmail": { + "metadata": { + "description": "The email address to send alerts", + "displayName": "The email address to send alerts" + }, + "type": "String" + }, + "vulnerabilityAssessmentsStorageID": { + "metadata": { + "description": "The storage account ID to store assessments", + "displayName": "The storage account ID to store assessments" + }, + "type": "String" + }, + "SqlDbTdeDeploySqlSecurityEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy SQL Database Transparent Data Encryption ", + "description": "Deploy the Transparent Data Encryption when it is not enabled in the deployment" + } + }, + "SqlDbSecurityAlertPoliciesDeploySqlSecurityEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy SQL Database security Alert Policies configuration with email admin accounts", + "description": "Deploy the security Alert Policies configuration with email admin accounts when it not exist in current configuration" + } + }, + "SqlDbAuditingSettingsDeploySqlSecurityEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + 
], + "metadata": { + "displayName": "Deploy SQL database auditing settings", + "description": "Deploy auditing settings to SQL Database when it not exist in the deployment" + } + }, + "SqlDbVulnerabilityAssessmentsDeploySqlSecurityEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy SQL Database vulnerability Assessments", + "description": "Deploy SQL Database vulnerability Assessments when it not exist in the deployment. To the specific storage account in the parameters" + } + } + }, + "policyDefinitions": [ + { + "policyDefinitionReferenceId": "SqlDbTdeDeploySqlSecurity", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-Tde", + "parameters": { + "effect": { + "value": "[[parameters('SqlDbTdeDeploySqlSecurityEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "SqlDbSecurityAlertPoliciesDeploySqlSecurity", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-SecurityAlertPolicies", + "parameters": { + "effect": { + "value": "[[parameters('SqlDbSecurityAlertPoliciesDeploySqlSecurityEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "SqlDbAuditingSettingsDeploySqlSecurity", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-AuditingSettings", + "parameters": { + "effect": { + "value": "[[parameters('SqlDbAuditingSettingsDeploySqlSecurityEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "SqlDbVulnerabilityAssessmentsDeploySqlSecurity", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-vulnerabilityAssessments", + "parameters": { + "effect": { + "value": 
"[[parameters('SqlDbVulnerabilityAssessmentsDeploySqlSecurityEffect')]" + }, + "vulnerabilityAssessmentsEmail": { + "value": "[[parameters('vulnerabilityAssessmentsEmail')]" + }, + "vulnerabilityAssessmentsStorageID": { + "value": "[[parameters('vulnerabilityAssessmentsStorageID')]" + } + }, + "groupNames": [] + } + ], + "policyDefinitionGroups": null + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/policy_set_definition_es_mc_Deploy-Sql-Security.parameters.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/policy_set_definition_es_mc_Deploy-Sql-Security.parameters.json new file mode 100644 index 0000000..d954e7b --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/policy_set_definition_es_mc_Deploy-Sql-Security.parameters.json @@ -0,0 +1,36 @@ +{ + "SqlDbAuditingSettingsDeploySqlSecurity": { + "parameters": { + "effect": { + "value": "[[parameters('SqlDbAuditingSettingsDeploySqlSecurityEffect')]" + } + } + }, + "SqlDbSecurityAlertPoliciesDeploySqlSecurity": { + "parameters": { + "effect": { + "value": "[[parameters('SqlDbSecurityAlertPoliciesDeploySqlSecurityEffect')]" + } + } + }, + "SqlDbTdeDeploySqlSecurity": { + "parameters": { + "effect": { + "value": "[[parameters('SqlDbTdeDeploySqlSecurityEffect')]" + } + } + }, + "SqlDbVulnerabilityAssessmentsDeploySqlSecurity": { + "parameters": { + "effect": { + "value": "[[parameters('SqlDbVulnerabilityAssessmentsDeploySqlSecurityEffect')]" + }, + "vulnerabilityAssessmentsEmail": { + "value": "[[parameters('vulnerabilityAssessmentsEmail')]" + }, + "vulnerabilityAssessmentsStorageID": { + "value": "[[parameters('vulnerabilityAssessmentsStorageID')]" + } + } + } +} 
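Review bot: In Deploy-Sql-Security.json, `vulnerabilityAssessmentsStorageID` is declared as a free-form `String`, so nothing at assignment time checks that the value is a storage account resource ID. A mistyped value would presumably surface only when the Deploy-Sql-vulnerabilityAssessments remediation runs; that definition is not part of this hunk. Adding `"strongType": "Microsoft.Storage/storageAccounts"` to the parameter's metadata would give assigners a resource picker, the same way the private DNS initiative in this commit uses `strongType` for its zone IDs. Both assessment parameters also repeat their `displayName` as the `description`; the description could say that assessments are stored in that account and alerts go to that address, so a reviewer of an assignment knows where findings end up.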
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/policy_set_definition_es_mc_Enforce-EncryptTransit.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/policy_set_definition_es_mc_Enforce-EncryptTransit.json
new file mode 100644
index 0000000..ce2e374
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/policy_set_definition_es_mc_Enforce-EncryptTransit.json
@@ -0,0 +1,640 @@ +{ + "name": "Enforce-EncryptTransit", + "type": "Microsoft.Authorization/policySetDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "displayName": "Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit", + "description": "Choose either Deploy if not exist and append in combination with audit or Select Deny in the Policy effect. Deny polices shift left. Deploy if not exist and append enforce but can be changed, and because missing exsistense condition require then the combination of Audit. ", + "metadata": { + "version": "1.0.0", + "category": "Encryption", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "AppServiceHttpEffect": { + "type": "String", + "defaultValue": "Append", + "allowedValues": [ + "Append", + "Disabled" + ], + "metadata": { + "displayName": "App Service. Appends the AppService sites config WebApp, APIApp, Function App with TLS version selected below", + "description": "Append the AppService sites object to ensure that min Tls version is set to required TLS version. Please note Append does not enforce compliance use then deny." + } + }, + "AppServiceTlsVersionEffect": { + "type": "String", + "defaultValue": "Append", + "allowedValues": [ + "Append", + "Disabled" + ], + "metadata": { + "displayName": "App Service. Appends the AppService WebApp, APIApp, Function App to enable https only", + "description": "App Service. Appends the AppService sites object to ensure that HTTPS only is enabled for server/service authentication and protects data in transit from network layer eavesdropping attacks. Please note Append does not enforce compliance use then deny." 
+ } + }, + "AppServiceminTlsVersion": { + "type": "String", + "defaultValue": "1.2", + "allowedValues": [ + "1.2", + "1.0", + "1.1" + ], + "metadata": { + "displayName": "App Service. Select version minimum TLS Web App config", + "description": "App Service. Select version minimum TLS version for a Web App config to enforce" + } + }, + "APIAppServiceLatestTlsEffect": { + "metadata": { + "displayName": "App Service API App. Latest TLS version should be used in your API App", + "description": "App Service API App. Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version." + }, + "type": "String", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ] + }, + "APIAppServiceHttpsEffect": { + "metadata": { + "displayName": "App Service API App. API App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.", + "description": "Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks." + }, + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ] + }, + "FunctionLatestTlsEffect": { + "metadata": { + "displayName": "App Service Function App. Latest TLS version should be used in your Function App", + "description": "Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version." + }, + "type": "String", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ] + }, + "FunctionServiceHttpsEffect": { + "metadata": { + "displayName": "App Service Function App. Function App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.", + "description": "App Service Function App. Choose Deny or Audit in combination with Append policy. 
Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks." + }, + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ] + }, + "WebAppServiceLatestTlsEffect": { + "metadata": { + "displayName": "App Service Web App. Latest TLS version should be used in your Web App", + "description": "Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version." + }, + "type": "String", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ] + }, + "WebAppServiceHttpsEffect": { + "metadata": { + "displayName": "App Service Web App. Web Application should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.", + "description": "Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks." + }, + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ] + }, + "AKSIngressHttpsOnlyEffect": { + "metadata": { + "displayName": "AKS Service. Enforce HTTPS ingress in Kubernetes cluster", + "description": "This policy enforces HTTPS ingress in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc." + }, + "type": "String", + "defaultValue": "deny", + "allowedValues": [ + "audit", + "deny", + "disabled" + ] + }, + "MySQLEnableSSLDeployEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "MySQL database servers. 
Deploy if not exist set minimum TLS version Azure Database for MySQL server", + "description": "Deploy a specific min TLS version requirement and enforce SSL on Azure Database for MySQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server." + } + }, + "MySQLEnableSSLEffect": { + "metadata": { + "displayName": "MySQL database servers. Enforce SSL connection should be enabled for MySQL database servers", + "description": "Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server." + }, + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ] + }, + "MySQLminimalTlsVersion": { + "type": "String", + "defaultValue": "TLS1_2", + "allowedValues": [ + "TLS1_2", + "TLS1_0", + "TLS1_1", + "TLSEnforcementDisabled" + ], + "metadata": { + "displayName": "MySQL database servers. Select version minimum TLS for MySQL server", + "description": "Select version minimum TLS version Azure Database for MySQL server to enforce" + } + }, + "PostgreSQLEnableSSLDeployEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "PostgreSQL database servers. 
Deploy if not exist set minimum TLS version Azure Database for PostgreSQL server", + "description": "Deploy a specific min TLS version requirement and enforce SSL on Azure Database for PostgreSQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server." + } + }, + "PostgreSQLEnableSSLEffect": { + "metadata": { + "displayName": "PostgreSQL database servers. Enforce SSL connection should be enabled for PostgreSQL database servers", + "description": "Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server." + }, + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ] + }, + "PostgreSQLminimalTlsVersion": { + "type": "String", + "defaultValue": "TLS1_2", + "allowedValues": [ + "TLS1_2", + "TLS1_0", + "TLS1_1", + "TLSEnforcementDisabled" + ], + "metadata": { + "displayName": "PostgreSQL database servers. Select version minimum TLS for MySQL server", + "description": "PostgreSQL database servers. Select version minimum TLS version Azure Database for MySQL server to enforce" + } + }, + "RedisTLSDeployEffect": { + "type": "String", + "defaultValue": "Append", + "allowedValues": [ + "Append", + "Disabled" + ], + "metadata": { + "displayName": "Azure Cache for Redis. 
Deploy a specific min TLS version requirement and enforce SSL Azure Cache for Redis", + "description": "Deploy a specific min TLS version requirement and enforce SSL on Azure Cache for Redis. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server." + } + }, + "RedisMinTlsVersion": { + "type": "String", + "defaultValue": "1.2", + "allowedValues": [ + "1.2", + "1.0", + "1.1" + ], + "metadata": { + "displayName": "Azure Cache for Redis.Select version minimum TLS for Azure Cache for Redis", + "description": "Select version minimum TLS version for a Azure Cache for Redis to enforce" + } + }, + "RedisTLSEffect": { + "metadata": { + "displayName": "Azure Cache for Redis. Only secure connections to your Azure Cache for Redis should be enabled", + "description": "Azure Cache for Redis. Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking." + }, + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "SQLManagedInstanceTLSDeployEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Azure Managed Instance. Deploy a specific min TLS version requirement and enforce SSL on SQL servers", + "description": "Deploy a specific min TLS version requirement and enforce SSL on SQL servers. 
Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server." + } + }, + "SQLManagedInstanceMinTlsVersion": { + "type": "String", + "defaultValue": "1.2", + "allowedValues": [ + "1.2", + "1.0", + "1.1" + ], + "metadata": { + "displayName": "Azure Managed Instance.Select version minimum TLS for Azure Managed Instance", + "description": "Select version minimum TLS version for Azure Managed Instanceto to enforce" + } + }, + "SQLManagedInstanceTLSEffect": { + "metadata": { + "displayName": "SQL Managed Instance should have the minimal TLS version of 1.2", + "description": "Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities." + }, + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ] + }, + "SQLServerTLSDeployEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Azure SQL Database. Deploy a specific min TLS version requirement and enforce SSL on SQL servers", + "description": "Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server." 
+ } + }, + "SQLServerminTlsVersion": { + "type": "String", + "defaultValue": "1.2", + "allowedValues": [ + "1.2", + "1.0", + "1.1" + ], + "metadata": { + "displayName": "Azure SQL Database.Select version minimum TLS for Azure SQL Database", + "description": "Select version minimum TLS version for Azure SQL Database to enforce" + } + }, + "SQLServerTLSEffect": { + "metadata": { + "displayName": "Azure SQL Database should have the minimal TLS version of 1.2", + "description": "Setting minimal TLS version to 1.2 improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities." + }, + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ] + }, + "StorageDeployHttpsEnabledEffect": { + "metadata": { + "displayName": "Azure Storage Account. Deploy Secure transfer to storage accounts should be enabled", + "description": "Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking" + }, + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, + "StorageminimumTlsVersion": { + "type": "String", + "defaultValue": "TLS1_2", + "allowedValues": [ + "TLS1_2", + "TLS1_1", + "TLS1_0" + ], + "metadata": { + "displayName": "Storage Account select minimum TLS version", + "description": "Select version minimum TLS version on Azure Storage Account to enforce" + } + }, + "StorageHttpsEnabledEffect": { + "metadata": { + "displayName": "Azure Storage Account. 
Secure transfer to storage accounts should be enabled", + "description": "Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking" + }, + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + } + }, + "policyDefinitions": [ + { + "policyDefinitionReferenceId": "AppServiceHttpEffect", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly", + "parameters": { + "effect": { + "value": "[[parameters('AppServiceHttpEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "AppServiceminTlsVersion", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS", + "parameters": { + "effect": { + "value": "[[parameters('AppServiceTlsVersionEffect')]" + }, + "minTlsVersion": { + "value": "[[parameters('AppServiceminTlsVersion')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "APIAppServiceLatestTlsEffect", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e", + "parameters": { + "effect": { + "value": "[[parameters('APIAppServiceLatestTlsEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "FunctionLatestTlsEffect", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193", + "parameters": { + "effect": { + "value": "[[parameters('FunctionLatestTlsEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": 
"WebAppServiceLatestTlsEffect", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b", + "parameters": { + "effect": { + "value": "[[parameters('WebAppServiceLatestTlsEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "APIAppServiceHttpsEffect", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http", + "parameters": { + "effect": { + "value": "[[parameters('APIAppServiceHttpsEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "FunctionServiceHttpsEffect", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http", + "parameters": { + "effect": { + "value": "[[parameters('FunctionServiceHttpsEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "WebAppServiceHttpsEffect", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http", + "parameters": { + "effect": { + "value": "[[parameters('WebAppServiceHttpsEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "AKSIngressHttpsOnlyEffect", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d", + "parameters": { + "effect": { + "value": "[[parameters('AKSIngressHttpsOnlyEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "MySQLEnableSSLDeployEffect", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement", + "parameters": { + "effect": { + "value": "[[parameters('MySQLEnableSSLDeployEffect')]" + }, + "minimalTlsVersion": { + "value": "[[parameters('MySQLminimalTlsVersion')]" + } + }, + "groupNames": [] + }, + { + 
"policyDefinitionReferenceId": "MySQLEnableSSLEffect", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-MySql-http", + "parameters": { + "effect": { + "value": "[[parameters('MySQLEnableSSLEffect')]" + }, + "minimalTlsVersion": { + "value": "[[parameters('MySQLminimalTlsVersion')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "PostgreSQLEnableSSLDeployEffect", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement", + "parameters": { + "effect": { + "value": "[[parameters('PostgreSQLEnableSSLDeployEffect')]" + }, + "minimalTlsVersion": { + "value": "[[parameters('PostgreSQLminimalTlsVersion')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "PostgreSQLEnableSSLEffect", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http", + "parameters": { + "effect": { + "value": "[[parameters('PostgreSQLEnableSSLEffect')]" + }, + "minimalTlsVersion": { + "value": "[[parameters('PostgreSQLminimalTlsVersion')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "RedisTLSDeployEffect", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement", + "parameters": { + "effect": { + "value": "[[parameters('RedisTLSDeployEffect')]" + }, + "minimumTlsVersion": { + "value": "[[parameters('RedisMinTlsVersion')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "RedisdisableNonSslPort", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort", + "parameters": { + "effect": { + "value": "[[parameters('RedisTLSDeployEffect')]" + } + }, + "groupNames": [] + }, + { + 
"policyDefinitionReferenceId": "RedisDenyhttps", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Redis-http", + "parameters": { + "effect": { + "value": "[[parameters('RedisTLSEffect')]" + }, + "minimumTlsVersion": { + "value": "[[parameters('RedisMinTlsVersion')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "SQLManagedInstanceTLSDeployEffect", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS", + "parameters": { + "effect": { + "value": "[[parameters('SQLManagedInstanceTLSDeployEffect')]" + }, + "minimalTlsVersion": { + "value": "[[parameters('SQLManagedInstanceMinTlsVersion')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "SQLManagedInstanceTLSEffect", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS", + "parameters": { + "effect": { + "value": "[[parameters('SQLManagedInstanceTLSEffect')]" + }, + "minimalTlsVersion": { + "value": "[[parameters('SQLManagedInstanceMinTlsVersion')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "SQLServerTLSDeployEffect", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS", + "parameters": { + "effect": { + "value": "[[parameters('SQLServerTLSDeployEffect')]" + }, + "minimalTlsVersion": { + "value": "[[parameters('SQLServerminTlsVersion')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "SQLServerTLSEffect", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS", + "parameters": { + "effect": { + "value": "[[parameters('SQLServerTLSEffect')]" + }, + "minimalTlsVersion": { + "value": "[[parameters('SQLServerminTlsVersion')]" + } + }, + 
"groupNames": [] + }, + { + "policyDefinitionReferenceId": "StorageHttpsEnabledEffect", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-minTLS", + "parameters": { + "effect": { + "value": "[[parameters('StorageHttpsEnabledEffect')]" + }, + "minimumTlsVersion": { + "value": "[[parameters('StorageMinimumTlsVersion')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "StorageDeployHttpsEnabledEffect", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement", + "parameters": { + "effect": { + "value": "[[parameters('StorageDeployHttpsEnabledEffect')]" + }, + "minimumTlsVersion": { + "value": "[[parameters('StorageMinimumTlsVersion')]" + } + }, + "groupNames": [] + } + ], + "policyDefinitionGroups": null + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/policy_set_definition_es_mc_Enforce-EncryptTransit.parameters.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/policy_set_definition_es_mc_Enforce-EncryptTransit.parameters.json new file mode 100644 index 0000000..f0b39e6 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/policy_set_definition_es_mc_Enforce-EncryptTransit.parameters.json 
@@ -0,0 +1,195 @@
+{
+ "AKSIngressHttpsOnlyEffect": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('AKSIngressHttpsOnlyEffect')]"
+ }
+ }
+ },
+ "APIAppServiceHttpsEffect": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('APIAppServiceHttpsEffect')]"
+ }
+ }
+ },
+ "APIAppServiceLatestTlsEffect": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('APIAppServiceLatestTlsEffect')]"
+ }
+ }
+ },
+ "AppServiceHttpEffect": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('AppServiceHttpEffect')]"
+ }
+ }
+ },
+ "AppServiceminTlsVersion": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('AppServiceTlsVersionEffect')]"
+ },
+ "minTlsVersion": {
+ "value": "[[parameters('AppServiceminTlsVersion')]"
+ }
+ }
+ },
+ "FunctionLatestTlsEffect": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('FunctionLatestTlsEffect')]"
+ }
+ }
+ },
+ "FunctionServiceHttpsEffect": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('FunctionServiceHttpsEffect')]"
+ }
+ }
+ },
+ "MySQLEnableSSLDeployEffect": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('MySQLEnableSSLDeployEffect')]"
+ },
+ "minimalTlsVersion": {
+ "value": "[[parameters('MySQLminimalTlsVersion')]"
+ }
+ }
+ },
+ "MySQLEnableSSLEffect": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('MySQLEnableSSLEffect')]"
+ },
+ "minimalTlsVersion": {
+ "value": "[[parameters('MySQLminimalTlsVersion')]"
+ }
+ }
+ },
+ "PostgreSQLEnableSSLDeployEffect": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('PostgreSQLEnableSSLDeployEffect')]"
+ },
+ "minimalTlsVersion": {
+ "value": "[[parameters('PostgreSQLminimalTlsVersion')]"
+ }
+ }
+ },
+ "PostgreSQLEnableSSLEffect": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('PostgreSQLEnableSSLEffect')]"
+ },
+ "minimalTlsVersion": {
+ "value": "[[parameters('PostgreSQLminimalTlsVersion')]"
+ }
+ }
+ },
+ "RedisDenyhttps": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('RedisTLSEffect')]"
+ },
+ "minimumTlsVersion": {
+ "value": "[[parameters('RedisMinTlsVersion')]"
+ }
+ }
+ },
+ "RedisdisableNonSslPort": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('RedisTLSDeployEffect')]"
+ }
+ }
+ },
+ "RedisTLSDeployEffect": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('RedisTLSDeployEffect')]"
+ },
+ "minimumTlsVersion": {
+ "value": "[[parameters('RedisMinTlsVersion')]"
+ }
+ }
+ },
+ "SQLManagedInstanceTLSDeployEffect": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('SQLManagedInstanceTLSDeployEffect')]"
+ },
+ "minimalTlsVersion": {
+ "value": "[[parameters('SQLManagedInstanceMinTlsVersion')]"
+ }
+ }
+ },
+ "SQLManagedInstanceTLSEffect": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('SQLManagedInstanceTLSEffect')]"
+ },
+ "minimalTlsVersion": {
+ "value": "[[parameters('SQLManagedInstanceMinTlsVersion')]"
+ }
+ }
+ },
+ "SQLServerTLSDeployEffect": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('SQLServerTLSDeployEffect')]"
+ },
+ "minimalTlsVersion": {
+ "value": "[[parameters('SQLServerminTlsVersion')]"
+ }
+ }
+ },
+ "SQLServerTLSEffect": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('SQLServerTLSEffect')]"
+ },
+ "minimalTlsVersion": {
+ "value": "[[parameters('SQLServerminTlsVersion')]"
+ }
+ }
+ },
+ "StorageDeployHttpsEnabledEffect": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('StorageDeployHttpsEnabledEffect')]"
+ },
+ "minimumTlsVersion": {
+ "value": "[[parameters('StorageMinimumTlsVersion')]"
+ }
+ }
+ },
+ "StorageHttpsEnabledEffect": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('StorageHttpsEnabledEffect')]"
+ },
+ "minimumTlsVersion": {
+ "value": "[[parameters('StorageMinimumTlsVersion')]"
+ }
+ }
+ },
+ "WebAppServiceHttpsEffect": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('WebAppServiceHttpsEffect')]"
+ }
+ }
+ },
+ "WebAppServiceLatestTlsEffect": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('WebAppServiceLatestTlsEffect')]"
+ }
+ }
+ }
+}
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/policy_set_definition_es_mc_Enforce-Encryption-CMK.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/policy_set_definition_es_mc_Enforce-Encryption-CMK.json
new file mode 100644
index 0000000..9bde2b1
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/policy_set_definition_es_mc_Enforce-Encryption-CMK.json
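Review bot: The two storage entries near the end of this parameters file, `StorageDeployHttpsEnabledEffect` and `StorageHttpsEnabledEffect`, reference `[[parameters('StorageMinimumTlsVersion')]`, but the Enforce-EncryptTransit set definition added just before it in this commit declares the parameter as `StorageminimumTlsVersion`, with a lower-case "m". The platform may well resolve parameter names case-insensitively, in which case this deploys, but any tooling, linter or test that matches names exactly would treat the reference as undeclared, and the value at stake is the minimum TLS version enforced on storage accounts. Use one spelling in both places, for example `"value": "[[parameters('StorageminimumTlsVersion')]"` here, or rename the declaration to `StorageMinimumTlsVersion`. The same reference spelling appears in the set definition's own `policyDefinitions` list, so both files need the change together.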
@@ -0,0 +1,365 @@ +{ + "name": "Enforce-Encryption-CMK", + "type": "Microsoft.Authorization/policySetDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "displayName": "Deny or Audit resources without Encryption with a customer-managed key (CMK)", + "description": "Deny or Audit resources without Encryption with a customer-managed key (CMK)", + "metadata": { + "version": "1.0.0", + "category": "Encryption", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "ACRCmkEffect": { + "metadata": { + "displayName": "Container registries should be encrypted with a customer-managed key (CMK)", + "description": "Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/acr/CMK." + }, + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "AksCmkEffect": { + "metadata": { + "displayName": "Azure Kubernetes Service clusters both operating systems and data disks should be encrypted by customer-managed keys", + "description": "Encrypting OS and data disks using customer-managed keys provides more control and greater flexibility in key management. This is a common requirement in many regulatory and industry compliance standards." 
+ }, + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "WorkspaceCMKEffect": { + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "metadata": { + "displayName": "Azure Machine Learning workspaces should be encrypted with a customer-managed key (CMK)", + "description": "Manage encryption at rest of your Azure Machine Learning workspace data with customer-managed keys (CMK). By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/azureml-workspaces-cmk." + } + }, + "CognitiveServicesCMKEffect": { + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "metadata": { + "displayName": "Cognitive Services accounts should enable data encryption with a customer-managed key (CMK)", + "description": "Customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk." + } + }, + "CosmosCMKEffect": { + "type": "String", + "defaultValue": "audit", + "allowedValues": [ + "audit", + "deny", + "disabled" + ], + "metadata": { + "displayName": "Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest", + "description": "Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. 
By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk." + } + }, + "DataBoxCMKEffect": { + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "metadata": { + "displayName": "Azure Data Box jobs should use a customer-managed key to encrypt the device unlock password", + "description": "Use a customer-managed key to control the encryption of the device unlock password for Azure Data Box. Customer-managed keys also help manage access to the device unlock password by the Data Box service in order to prepare the device and copy data in an automated manner. The data on the device itself is already encrypted at rest with Advanced Encryption Standard 256-bit encryption, and the device unlock password is encrypted by default with a Microsoft managed key." + } + }, + "StreamAnalyticsCMKEffect": { + "type": "String", + "defaultValue": "audit", + "allowedValues": [ + "audit", + "deny", + "disabled" + ], + "metadata": { + "displayName": "Azure Stream Analytics jobs should use customer-managed keys to encrypt data", + "description": "Use customer-managed keys when you want to securely store any metadata and private data assets of your Stream Analytics jobs in your storage account. This gives you total control over how your Stream Analytics data is encrypted." 
+ } + }, + "SynapseWorkspaceCMKEffect": { + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "metadata": { + "displayName": "Azure Synapse workspaces should use customer-managed keys to encrypt data at rest", + "description": "Use customer-managed keys to control the encryption at rest of the data stored in Azure Synapse workspaces. Customer-managed keys deliver double encryption by adding a second layer of encryption on top of the default encryption with service-managed keys." + } + }, + "StorageCMKEffect": { + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled" + ], + "metadata": { + "displayName": "Storage accounts should use customer-managed key (CMK) for encryption, no deny as this would result in not able to create storage account because the first need of MSI for encryption", + "description": "Secure your storage account with greater flexibility using customer-managed keys (CMKs). When you specify a CMK, that key is used to protect and control access to the key that encrypts your data. Using CMKs provides additional capabilities to control rotation of the key encryption key or cryptographically erase data." + } + }, + "MySQLCMKEffect": { + "type": "String", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Azure MySQL servers bring your own key data protection should be enabled", + "description": "Use customer-managed keys to manage the encryption at rest of your MySQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management." 
+ } + }, + "PostgreSQLCMKEffect": { + "type": "String", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Azure PostgreSQL servers bring your own key data protection should be enabled", + "description": "Use customer-managed keys to manage the encryption at rest of your PostgreSQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management." + } + }, + "SqlServerTDECMKEffect": { + "type": "String", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "SQL servers should use customer-managed keys to encrypt data at rest", + "description": "Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement." + } + }, + "HealthcareAPIsCMKEffect": { + "type": "String", + "defaultValue": "audit", + "allowedValues": [ + "audit", + "disabled" + ], + "metadata": { + "displayName": "Azure API for FHIR should use a customer-managed key (CMK) to encrypt data at rest", + "description": "Use a customer-managed key to control the encryption at rest of the data stored in Azure API for FHIR when this is a regulatory or compliance requirement. Customer-managed keys also deliver double encryption by adding a second layer of encryption on top of the default one done with service-managed keys." 
+ } + }, + "AzureBatchCMKEffect": { + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "metadata": { + "displayName": "Azure Batch account should use customer-managed keys to encrypt data", + "description": "Use customer-managed keys (CMKs) to manage the encryption at rest of your Batch account's data. By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/Batch-CMK." + } + }, + "EncryptedVMDisksEffect": { + "type": "String", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Disk encryption should be applied on virtual machines", + "description": "Virtual machines without an enabled disk encryption will be monitored by Azure Security Center as recommendations." 
+ } + } + }, + "policyDefinitions": [ + { + "policyDefinitionReferenceId": "ACRCmkDeny", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580", + "parameters": { + "effect": { + "value": "[[parameters('ACRCmkEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "AksCmkDeny", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7d7be79c-23ba-4033-84dd-45e2a5ccdd67", + "parameters": { + "effect": { + "value": "[[parameters('AksCmkEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "WorkspaceCMK", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ba769a63-b8cc-4b2d-abf6-ac33c7204be8", + "parameters": { + "effect": { + "value": "[[parameters('WorkspaceCMKEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "CognitiveServicesCMK", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/67121cc7-ff39-4ab8-b7e3-95b84dab487d", + "parameters": { + "effect": { + "value": "[[parameters('CognitiveServicesCMKEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "CosmosCMKEffect", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1f905d99-2ab7-462c-a6b0-f709acca6c8f", + "parameters": { + "effect": { + "value": "[[parameters('CosmosCMKEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "DataBoxCMKEffect", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86efb160-8de7-451d-bc08-5d475b0aadae", + "parameters": { + "effect": { + "value": "[[parameters('DataBoxCMKEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "StreamAnalyticsCMKEffect", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/87ba29ef-1ab3-4d82-b763-87fcd4f531f7", + "parameters": { + "effect": { + "value": 
"[[parameters('StreamAnalyticsCMKEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "SynapseWorkspaceCMKEffect", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f7d52b2d-e161-4dfa-a82b-55e564167385", + "parameters": { + "effect": { + "value": "[[parameters('SynapseWorkspaceCMKEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "StorageCMKEffect", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6fac406b-40ca-413b-bf8e-0bf964659c25", + "parameters": { + "effect": { + "value": "[[parameters('StorageCMKEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "MySQLCMKEffect", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/83cef61d-dbd1-4b20-a4fc-5fbc7da10833", + "parameters": { + "effect": { + "value": "[[parameters('MySQLCMKEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "PostgreSQLCMKEffect", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/18adea5e-f416-4d0f-8aa8-d24321e3e274", + "parameters": { + "effect": { + "value": "[[parameters('PostgreSQLCMKEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "SqlServerTDECMKEffect", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0d134df8-db83-46fb-ad72-fe0c9428c8dd", + "parameters": { + "effect": { + "value": "[[parameters('SqlServerTDECMKEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "HealthcareAPIsCMKEffect", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/051cba44-2429-45b9-9649-46cec11c7119", + "parameters": { + "effect": { + "value": "[[parameters('HealthcareAPIsCMKEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "AzureBatchCMKEffect", + "policyDefinitionId": 
"/providers/Microsoft.Authorization/policyDefinitions/99e9ccd8-3db9-4592-b0d1-14b1715a4d8a", + "parameters": { + "effect": { + "value": "[[parameters('AzureBatchCMKEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "EncryptedVMDisksEffect", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d", + "parameters": { + "effect": { + "value": "[[parameters('EncryptedVMDisksEffect')]" + } + }, + "groupNames": [] + } + ], + "policyDefinitionGroups": null + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/policy_set_definition_es_mc_Enforce-Encryption-CMK.parameters.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/policy_set_definition_es_mc_Enforce-Encryption-CMK.parameters.json new file mode 100644 index 0000000..343d3d5 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_set_definitions/policy_set_definition_es_mc_Enforce-Encryption-CMK.parameters.json 
@@ -0,0 +1,107 @@ +{ + "ACRCmkDeny": { + "parameters": { + "effect": { + "value": "[[parameters('ACRCmkEffect')]" + } + } + }, + "AksCmkDeny": { + "parameters": { + "effect": { + "value": "[[parameters('AksCmkEffect')]" + } + } + }, + "AzureBatchCMKEffect": { + "parameters": { + "effect": { + "value": "[[parameters('AzureBatchCMKEffect')]" + } + } + }, + "CognitiveServicesCMK": { + "parameters": { + "effect": { + "value": "[[parameters('CognitiveServicesCMKEffect')]" + } + } + }, + "CosmosCMKEffect": { + "parameters": { + "effect": { + "value": "[[parameters('CosmosCMKEffect')]" + } + } + }, + "DataBoxCMKEffect": { + "parameters": { + "effect": { + "value": "[[parameters('DataBoxCMKEffect')]" + } + } + }, + "EncryptedVMDisksEffect": { + "parameters": { + "effect": { + "value": "[[parameters('EncryptedVMDisksEffect')]" + } + } + }, + "HealthcareAPIsCMKEffect": { + "parameters": { + "effect": { + "value": "[[parameters('HealthcareAPIsCMKEffect')]" + } + } + }, + "MySQLCMKEffect": { + "parameters": { + "effect": { + "value": "[[parameters('MySQLCMKEffect')]" + } + } + }, + "PostgreSQLCMKEffect": { + "parameters": { + "effect": { + "value": "[[parameters('PostgreSQLCMKEffect')]" + } + } + }, + "SqlServerTDECMKEffect": { + "parameters": { + "effect": { + "value": "[[parameters('SqlServerTDECMKEffect')]" + } + } + }, + "StorageCMKEffect": { + "parameters": { + "effect": { + "value": "[[parameters('StorageCMKEffect')]" + } + } + }, + "StreamAnalyticsCMKEffect": { + "parameters": { + "effect": { + "value": "[[parameters('StreamAnalyticsCMKEffect')]" + } + } + }, + "SynapseWorkspaceCMKEffect": { + "parameters": { + "effect": { + "value": "[[parameters('SynapseWorkspaceCMKEffect')]" + } + } + }, + "WorkspaceCMK": { + "parameters": { + "effect": { + "value": "[[parameters('WorkspaceCMKEffect')]" + } + } + } +} 
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Append-AppService-httpsonly.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Append-AppService-httpsonly.json
new file mode 100644
index 0000000..a8c1cb1
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Append-AppService-httpsonly.json
@@ -0,0 +1,59 @@
+{
+ "name": "Append-AppService-httpsonly",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "mode": "All",
+ "displayName": "AppService append enable https only setting to enforce https setting.",
+ "description": "Appends the AppService sites object to ensure that HTTPS only is enabled for server/service authentication and protects data in transit from network layer eavesdropping attacks. Please note Append does not enforce compliance use then deny.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "App Service",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "defaultValue": "Append",
+ "allowedValues": [
+ "Append",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Web/sites"
+ },
+ {
+ "field": "Microsoft.Web/sites/httpsOnly",
+ "notequals": true
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]",
+ "details": [
+ {
+ "field": "Microsoft.Web/sites/httpsOnly",
+ "value": true
+ }
+ ]
+ }
+ }
+ }
+}
\ No newline at end of file
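Review bot: The description's closing sentence, `Please note Append does not enforce compliance use then deny.`, does not tell an operator what Append actually does here, and the same sentence is repeated in Append-AppService-latestTLS. The `if` block matches both a missing `httpsOnly` and an explicit `false`; as far as I know Azure Policy treats an append that would overwrite a value supplied in the request as a deny, so an explicit `false` is probably rejected rather than corrected, and sites that already exist are only reported as non-compliant. I would reword the sentence to something like `Append only takes effect on create or update and does not remediate existing sites; assign a Deny or Modify policy where enforcement is required.` The same caveat applies to Append-Redis-disableNonSslPort, whose condition only matches an explicit `true`.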
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Append-AppService-latestTLS.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Append-AppService-latestTLS.json
new file mode 100644
index 0000000..628ae5b
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Append-AppService-latestTLS.json
@@ -0,0 +1,72 @@
+{
+ "name": "Append-AppService-latestTLS",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "mode": "All",
+ "displayName": "AppService append sites with minimum TLS version to enforce.",
+ "description": "Append the AppService sites object to ensure that min Tls version is set to required minimum TLS version. Please note Append does not enforce compliance use then deny.",
+ "metadata": {
+ "version": "1.1.0",
+ "category": "App Service",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "defaultValue": "Append",
+ "allowedValues": [
+ "Append",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ },
+ "minTlsVersion": {
+ "type": "String",
+ "defaultValue": "1.2",
+ "allowedValues": [
+ "1.2",
+ "1.0",
+ "1.1"
+ ],
+ "metadata": {
+ "displayName": "Select version minimum TLS Web App config",
+ "description": "Select version minimum TLS version for a Web App config to enforce"
+ }
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "Microsoft.Web/sites/config/minTlsVersion",
+ "exists": "true"
+ },
+ {
+ "field": "Microsoft.Web/sites/config/minTlsVersion",
+ "notEquals": "[parameters('minTlsVersion')]"
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]",
+ "details": [
+ {
+ "field": "Microsoft.Web/sites/config/minTlsVersion",
+ "value": "[parameters('minTlsVersion')]"
+ }
+ ]
+ }
+ }
+ }
+}
\ No newline at end of file
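Review bot: The `minTlsVersion` parameter still lists `"1.0"` and `"1.1"` in `allowedValues`, so a single assignment can lower the floor this policy appends to a deprecated protocol version while the policy keeps reporting compliance. The `minimumTlsVersion` parameter in Append-Redis-sslEnforcement has the same list. I would drop the two legacy values, or state in the parameter description why they are kept. Separately, the condition is an exact `notEquals`, so a site configured with a higher version than the parameter also matches; how Append behaves in that case is not visible here and should be confirmed before a newer version is added to the list.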
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Append-KV-SoftDelete.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Append-KV-SoftDelete.json
new file mode 100644
index 0000000..9c3410d
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Append-KV-SoftDelete.json
@@ -0,0 +1,50 @@
+{
+ "name": "Append-KV-SoftDelete",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "mode": "Indexed",
+ "displayName": "KeyVault SoftDelete should be enabled",
+ "description": "This policy enables you to ensure when a Key Vault is created with out soft delete enabled it will be added.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Key Vault",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {},
+ "policyRule": {
+ "if": {
+ "anyOf": [
+ {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.KeyVault/vaults"
+ },
+ {
+ "field": "Microsoft.KeyVault/vaults/enableSoftDelete",
+ "notEquals": true
+ }
+ ]
+ }
+ ]
+ },
+ "then": {
+ "effect": "append",
+ "details": [
+ {
+ "field": "Microsoft.KeyVault/vaults/enableSoftDelete",
+ "value": true
+ }
+ ]
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Append-Redis-disableNonSslPort.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Append-Redis-disableNonSslPort.json
new file mode 100644
index 0000000..ab9a451
--- /dev/null
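Review bot: Append-KV-SoftDelete hard-codes `"effect": "append"` and declares `"parameters": {}`, while every other Append-* definition in this commit exposes an `effect` parameter with `Disabled` as an allowed value. An operator therefore cannot switch this one policy off per assignment inside an initiative and has to remove or exempt it instead. I would add the same `effect` parameter the siblings use, defaulting to `Append` so existing behaviour is unchanged, and reference it from `then`. The single-element `anyOf` around the `allOf` can be dropped at the same time.

```json
"parameters": {
  "effect": {
    "type": "String",
    "defaultValue": "Append",
    "allowedValues": [
      "Append",
      "Disabled"
    ],
    "metadata": {
      "displayName": "Effect",
      "description": "Enable or disable the execution of the policy"
    }
  }
},
// … unchanged: policyRule.if …
"then": {
  "effect": "[parameters('effect')]",
  // … unchanged: details …
```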
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Append-Redis-disableNonSslPort.json @@ -0,0 +1,63 @@ +{ + "name": "Append-Redis-disableNonSslPort", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Azure Cache for Redis Append and the enforcement that enableNonSslPort is disabled.", + "description": "Azure Cache for Redis Append and the enforcement that enableNonSslPort is disabled. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.", + "metadata": { + "version": "1.0.1", + "category": "Cache", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "defaultValue": "Append", + "allowedValues": [ + "Append", + "Disabled" + ], + "metadata": { + "displayName": "Effect Azure Cache for Redis", + "description": "Enable or disable the execution of the policy minimum TLS version Azure Cache for Redis" + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Cache/redis" + }, + { + "anyOf": [ + { + "field": "Microsoft.Cache/Redis/enableNonSslPort", + "equals": "true" + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": [ + { + "field": "Microsoft.Cache/Redis/enableNonSslPort", + "value": false + } + ] + } + } + } +} \ No newline at end of file 
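Review bot: The `description` of Append-Redis-disableNonSslPort does not describe what the rule does: it talks about enforcing a "minimal Tls Version" for a "database server", and the `effect` parameter description also mentions the minimum TLS version, but the rule only sets `Microsoft.Cache/Redis/enableNonSslPort` to `false`. Append-Redis-sslEnforcement has the mirror problem, claiming that "SSL is always enabled" while its rule only touches `minimumTlsVersion`. Someone assigning one of the two from its description could assume the other control is covered. I would reword this one to `Sets enableNonSslPort to false on Azure Cache for Redis so that clients can only connect over TLS. Does not set the minimum TLS version; see Append-Redis-sslEnforcement.` and give the sibling the matching cross-reference.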
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Append-Redis-sslEnforcement.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Append-Redis-sslEnforcement.json new file mode 100644 index 0000000..8174263 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Append-Redis-sslEnforcement.json 
@@ -0,0 +1,76 @@ +{ + "name": "Append-Redis-sslEnforcement", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Azure Cache for Redis Append a specific min TLS version requirement and enforce TLS.", + "description": "Append a specific min TLS version requirement and enforce SSL on Azure Cache for Redis. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.", + "metadata": { + "version": "1.0.0", + "category": "Cache", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "defaultValue": "Append", + "allowedValues": [ + "Append", + "Disabled" + ], + "metadata": { + "displayName": "Effect Azure Cache for Redis", + "description": "Enable or disable the execution of the policy minimum TLS version Azure Cache for Redis" + } + }, + "minimumTlsVersion": { + "type": "String", + "defaultValue": "1.2", + "allowedValues": [ + "1.2", + "1.1", + "1.0" + ], + "metadata": { + "displayName": "Select version for Redis server", + "description": "Select version minimum TLS version Azure Cache for Redis to enforce" + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Cache/redis" + }, + { + "anyOf": [ + { + "field": "Microsoft.Cache/Redis/minimumTlsVersion", + "notequals": "[parameters('minimumTlsVersion')]" + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": [ + { + "field": "Microsoft.Cache/Redis/minimumTlsVersion", + 
"value": "[parameters('minimumTlsVersion')]" + } + ] + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Audit-AzureHybridBenefit.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Audit-AzureHybridBenefit.json new file mode 100644 index 0000000..0f17337 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Audit-AzureHybridBenefit.json 
@@ -0,0 +1,88 @@ +{ + "name": "Audit-AzureHybridBenefit", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "All", + "displayName": "Audit AHUB for eligible VMs", + "description": "Optimize cost by enabling Azure Hybrid Benefit. Leverage this Policy definition as a cost control to reveal Virtual Machines not using AHUB.", + "metadata": { + "version": "1.0.0", + "category": "Cost Optimization", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Disabled" + ], + "defaultValue": "Audit" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "in": [ + "Microsoft.Compute/virtualMachines", + "Microsoft.Compute/virtualMachineScaleSets" + ] + }, + { + "equals": "MicrosoftWindowsServer", + "field": "Microsoft.Compute/imagePublisher" + }, + { + "equals": "WindowsServer", + "field": "Microsoft.Compute/imageOffer" + }, + { + "anyOf": [ + { + "field": "Microsoft.Compute/imageSKU", + "like": "2008-R2-SP1*" + }, + { + "field": "Microsoft.Compute/imageSKU", + "like": "2012-*" + }, + { + "field": "Microsoft.Compute/imageSKU", + "like": "2016-*" + }, + { + "field": "Microsoft.Compute/imageSKU", + "like": "2019-*" + }, + { + "field": "Microsoft.Compute/imageSKU", + "like": "2022-*" + } + ] + }, + { + "field": "Microsoft.Compute/licenseType", + "notEquals": "Windows_Server" + } + ] + }, + "then": { + "effect": "[parameters('effect')]" + } + } + } +} \ No newline at end of file 
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Audit-Disks-UnusedResourcesCostOptimization.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Audit-Disks-UnusedResourcesCostOptimization.json new file mode 100644 index 0000000..2b9535e --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Audit-Disks-UnusedResourcesCostOptimization.json @@ -0,0 +1,69 @@ +{ + "name": "Audit-Disks-UnusedResourcesCostOptimization", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "All", + "displayName": "Unused Disks driving cost should be avoided", + "description": "Optimize cost by detecting unused but chargeable resources. Leverage this Policy definition as a cost control to reveal orphaned Disks that are driving cost.", + "metadata": { + "version": "1.0.0", + "category": "Cost Optimization", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Disabled" + ], + "defaultValue": "Audit" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Compute/disks" + }, + { + "field": "Microsoft.Compute/disks/diskState", + "equals": "Unattached" + }, + { + "allof": [ + { + "field": "name", + "notlike": "*-ASRReplica" + }, + { + "field": "name", + "notlike": "ms-asr-*" + }, + { + "field": "name", + "notlike": "asrseeddisk-*" + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]" + } + } + } +} \ No newline at end of file 
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Audit-MachineLearning-PrivateEndpointId.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Audit-MachineLearning-PrivateEndpointId.json new file mode 100644 index 0000000..217f941 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Audit-MachineLearning-PrivateEndpointId.json 
@@ -0,0 +1,64 @@ +{ + "name": "Audit-MachineLearning-PrivateEndpointId", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Control private endpoint connections to Azure Machine Learning", + "description": "Audit private endpoints that are created in other subscriptions and/or tenants for Azure Machine Learning.", + "metadata": { + "version": "1.0.0", + "category": "Machine Learning", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud" + ] + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Audit" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.MachineLearningServices/workspaces/privateEndpointConnections" + }, + { + "field": "Microsoft.MachineLearningServices/workspaces/privateEndpointConnections/privateLinkServiceConnectionState.status", + "equals": "Approved" + }, + { + "anyOf": [ + { + "field": "Microsoft.MachineLearningServices/workspaces/privateEndpointConnections/privateEndpoint.id", + "exists": false + }, + { + "value": "[split(concat(field('Microsoft.MachineLearningServices/workspaces/privateEndpointConnections/privateEndpoint.id'), '//'), '/')[2]]", + "notEquals": "[subscription().subscriptionId]" + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]" + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Audit-PrivateLinkDnsZones.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Audit-PrivateLinkDnsZones.json new file mode 100644 index 0000000..21e247a 
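Review bot: The second `anyOf` branch compares the subscription segment of `privateEndpoint.id` with `[subscription().subscriptionId]`, so it flags every approved endpoint outside the workspace's own subscription and cannot tell another tenant from another subscription in the same tenant. With `Deny` in `allowedValues`, a design that keeps private endpoints in a separate subscription from the workspace would be blocked. The description should say so, for example `Flags approved private endpoint connections whose endpoint is not in the workspace's subscription; same-tenant subscriptions are not distinguished from foreign tenants.` The `concat(..., '//')` padding before `split(...)[2]` looks like a guard against indexing into an empty id and deserves a note in the description or the repository docs, since JSON has no comments. Connections in a state other than `Approved` are not evaluated.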
--- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Audit-PrivateLinkDnsZones.json 
@@ -0,0 +1,126 @@ +{ + "name": "Audit-PrivateLinkDnsZones", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Audit the creation of Private Link Private DNS Zones", + "description": "This policy audits the creation of a Private Link Private DNS Zones in the current scope, used in combination with policies that create centralized private DNS in connectivity subscription", + "metadata": { + "version": "1.0.0", + "category": "Network", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Audit", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "privateLinkDnsZones": { + "type": "Array", + "metadata": { + "displayName": "Private Link Private DNS Zones", + "description": "An array of Private Link Private DNS Zones to check for the existence of in the assigned scope." 
+ }, + "defaultValue": [ + "privatelink.adf.azure.com", + "privatelink.afs.azure.net", + "privatelink.agentsvc.azure-automation.net", + "privatelink.analysis.windows.net", + "privatelink.api.azureml.ms", + "privatelink.azconfig.io", + "privatelink.azure-api.net", + "privatelink.azure-automation.net", + "privatelink.azurecr.io", + "privatelink.azure-devices.net", + "privatelink.azure-devices-provisioning.net", + "privatelink.azurehdinsight.net", + "privatelink.azurehealthcareapis.com", + "privatelink.azurestaticapps.net", + "privatelink.azuresynapse.net", + "privatelink.azurewebsites.net", + "privatelink.batch.azure.com", + "privatelink.blob.core.windows.net", + "privatelink.cassandra.cosmos.azure.com", + "privatelink.cognitiveservices.azure.com", + "privatelink.database.windows.net", + "privatelink.datafactory.azure.net", + "privatelink.dev.azuresynapse.net", + "privatelink.dfs.core.windows.net", + "privatelink.dicom.azurehealthcareapis.com", + "privatelink.digitaltwins.azure.net", + "privatelink.directline.botframework.com", + "privatelink.documents.azure.com", + "privatelink.eventgrid.azure.net", + "privatelink.file.core.windows.net", + "privatelink.gremlin.cosmos.azure.com", + "privatelink.guestconfiguration.azure.com", + "privatelink.his.arc.azure.com", + "privatelink.kubernetesconfiguration.azure.com", + "privatelink.managedhsm.azure.net", + "privatelink.mariadb.database.azure.com", + "privatelink.media.azure.net", + "privatelink.mongo.cosmos.azure.com", + "privatelink.monitor.azure.com", + "privatelink.mysql.database.azure.com", + "privatelink.notebooks.azure.net", + "privatelink.ods.opinsights.azure.com", + "privatelink.oms.opinsights.azure.com", + "privatelink.pbidedicated.windows.net", + "privatelink.postgres.database.azure.com", + "privatelink.prod.migration.windowsazure.com", + "privatelink.purview.azure.com", + "privatelink.purviewstudio.azure.com", + "privatelink.queue.core.windows.net", + "privatelink.redis.cache.windows.net", + 
"privatelink.redisenterprise.cache.azure.net", + "privatelink.search.windows.net", + "privatelink.service.signalr.net", + "privatelink.servicebus.windows.net", + "privatelink.siterecovery.windowsazure.com", + "privatelink.sql.azuresynapse.net", + "privatelink.table.core.windows.net", + "privatelink.table.cosmos.azure.com", + "privatelink.tip1.powerquery.microsoft.com", + "privatelink.token.botframework.com", + "privatelink.vaultcore.azure.net", + "privatelink.web.core.windows.net", + "privatelink.webpubsub.azure.com" + ] + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/privateDnsZones" + }, + { + "field": "name", + "in": "[parameters('privateLinkDnsZones')]" + } + ] + }, + "then": { + "effect": "[parameters('effect')]" + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Audit-PublicIpAddresses-UnusedResourcesCostOptimization.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Audit-PublicIpAddresses-UnusedResourcesCostOptimization.json new file mode 100644 index 0000000..ac9b4f1 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Audit-PublicIpAddresses-UnusedResourcesCostOptimization.json 
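Review bot: The `privateLinkDnsZones` default only contains Azure public cloud zone names, yet `alzCloudEnvironments` also lists `AzureChinaCloud` and `AzureUSGovernment`. As far as I know the Private Link zone names in those clouds use different suffixes, so with the defaults the `in` condition would match nothing there and the audit would report no findings. Region-scoped zones do not appear in the list either. I would state this in the parameter description, for example `Defaults cover Azure public cloud zone names only; override for sovereign clouds and for regional zones.`, or ship per-cloud defaults.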
@@ -0,0 +1,89 @@ +{ + "name": "Audit-PublicIpAddresses-UnusedResourcesCostOptimization", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "All", + "displayName": "Unused Public IP addresses driving cost should be avoided", + "description": "Optimize cost by detecting unused but chargeable resources. Leverage this Policy definition as a cost control to reveal orphaned Public IP addresses that are driving cost.", + "metadata": { + "version": "1.0.0", + "category": "Cost Optimization", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Disabled" + ], + "defaultValue": "Audit" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "microsoft.network/publicIpAddresses" + }, + { + "field": "Microsoft.Network/publicIPAddresses/sku.name", + "notEquals": "Basic" + }, + { + "anyOf": [ + { + "field": "Microsoft.Network/publicIPAddresses/natGateway", + "exists": false + }, + { + "value": "[equals(length(field('Microsoft.Network/publicIPAddresses/natGateway')), 0)]", + "equals": true + } + ] + }, + { + "anyOf": [ + { + "field": "Microsoft.Network/publicIPAddresses/ipConfiguration", + "exists": false + }, + { + "value": "[equals(length(field('Microsoft.Network/publicIPAddresses/ipConfiguration')), 0)]", + "equals": true + } + ] + }, + { + "anyOf": [ + { + "field": "Microsoft.Network/publicIPAddresses/publicIPPrefix", + "exists": false + }, + { + "value": "[equals(length(field('Microsoft.Network/publicIPAddresses/publicIPPrefix')), 0)]", + "equals": true + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]" + } + } + } +} \ No 
newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Audit-ServerFarms-UnusedResourcesCostOptimization.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Audit-ServerFarms-UnusedResourcesCostOptimization.json new file mode 100644 index 0000000..0e006b8 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Audit-ServerFarms-UnusedResourcesCostOptimization.json @@ -0,0 +1,57 @@ +{ + "name": "Audit-ServerFarms-UnusedResourcesCostOptimization", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "All", + "displayName": "Unused App Service plans driving cost should be avoided", + "description": "Optimize cost by detecting unused but chargeable resources. Leverage this Policy definition as a cost control to reveal orphaned App Service plans that are driving cost.", + "metadata": { + "version": "1.0.0", + "category": "Cost Optimization", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Disabled" + ], + "defaultValue": "Audit" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Web/serverfarms" + }, + { + "field": "Microsoft.Web/serverFarms/sku.tier", + "notEquals": "Free" + }, + { + "field": "Microsoft.Web/serverFarms/numberOfSites", + "equals": 0 + } + ] + }, + "then": { + "effect": "[parameters('effect')]" + } + } + } +} \ No newline at end of file 
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-AA-child-resources.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-AA-child-resources.json
new file mode 100644
index 0000000..1b072d7
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-AA-child-resources.json
@@ -0,0 +1,56 @@
+{
+ "name": "Deny-AA-child-resources",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "mode": "Indexed",
+ "displayName": "No child resources in Automation Account",
+ "description": "This policy denies the creation of child resources on the Automation Account",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Automation",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "defaultValue": "Deny",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "in": [
+ "Microsoft.Automation/automationAccounts/runbooks",
+ "Microsoft.Automation/automationAccounts/variables",
+ "Microsoft.Automation/automationAccounts/modules",
+ "Microsoft.Automation/automationAccounts/credentials",
+ "Microsoft.Automation/automationAccounts/connections",
+ "Microsoft.Automation/automationAccounts/certificates"
+ ]
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]"
+ }
+ }
+ }
+}
\ No newline at end of file
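Review bot: `"mode": "Indexed"` may keep this rule from evaluating most of the child types it lists. Indexed mode evaluates only resource types that support tags and location, and of the six entries in the `in` list, variables, credentials, connections and certificates are, as far as I know, not tagged or located resources, so a Deny assignment could let them through without any signal. Confirm against the provider's resource-type metadata and, if that holds, use `"mode": "All"`. The single-entry `allOf` wrapper around the `type` condition can also be dropped.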
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-AppGW-Without-WAF.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-AppGW-Without-WAF.json
new file mode 100644
index 0000000..734e799
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-AppGW-Without-WAF.json
@@ -0,0 +1,54 @@
+{
+ "name": "Deny-AppGW-Without-WAF",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "mode": "Indexed",
+ "displayName": "Application Gateway should be deployed with WAF enabled",
+ "description": "This policy enables you to restrict that Application Gateways is always deployed with WAF enabled",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Network",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "defaultValue": "Deny",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Network/applicationGateways"
+ },
+ {
+ "field": "Microsoft.Network/applicationGateways/sku.name",
+ "notequals": "WAF_v2"
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]"
+ }
+ }
+ }
+}
\ No newline at end of file
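Review bot: The rule tests only `sku.name`, so a `WAF_v2` gateway whose firewall is disabled, or that has no WAF policy attached, still passes, while the display name promises "WAF enabled". Either reword the display name and description to say the policy enforces the WAF_v2 SKU, or add a second condition on the firewall state; the built-in Application Gateway WAF policy tests the `Microsoft.Network/applicationGateways/webApplicationFirewallConfiguration` alias for existence and could serve as a model, provided gateways that use an attached firewall policy are still accepted. `"notequals": "WAF_v2"` also denies the v1 WAF SKUs, which the description should state if that is intended.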
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-AppServiceApiApp-http.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-AppServiceApiApp-http.json
new file mode 100644
index 0000000..52ebe3c
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-AppServiceApiApp-http.json
@@ -0,0 +1,58 @@
+{
+ "name": "Deny-AppServiceApiApp-http",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "mode": "Indexed",
+ "displayName": "API App should only be accessible over HTTPS",
+ "description": "Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "App Service",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Disabled",
+ "Deny"
+ ],
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Web/sites"
+ },
+ {
+ "field": "kind",
+ "like": "*api"
+ },
+ {
+ "field": "Microsoft.Web/sites/httpsOnly",
+ "equals": "false"
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]"
+ }
+ }
+ }
+}
\ No newline at end of file
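Review bot: The condition `"field": "Microsoft.Web/sites/httpsOnly", "equals": "false"` matches only when the property is present, so a deployment that omits `httpsOnly` is probably not denied even though the site would then take the service default. `"notEquals": "true"` treats a missing property as a match, which is the form Deny-Databricks-NoPublicIp in this same commit uses for `enableNoPublicIp`. The same condition appears in Deny-AppServiceFunctionApp-http and Deny-AppServiceWebApp-http. It is also worth confirming that `"like": "*api"` covers every API-app `kind` string you expect, since the pattern requires the value to end in `api`.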
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-AppServiceFunctionApp-http.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-AppServiceFunctionApp-http.json
new file mode 100644
index 0000000..8a83e5d
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-AppServiceFunctionApp-http.json
@@ -0,0 +1,58 @@
+{
+ "name": "Deny-AppServiceFunctionApp-http",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "mode": "Indexed",
+ "displayName": "Function App should only be accessible over HTTPS",
+ "description": "Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "App Service",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Disabled",
+ "Deny"
+ ],
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Web/sites"
+ },
+ {
+ "field": "kind",
+ "like": "functionapp*"
+ },
+ {
+ "field": "Microsoft.Web/sites/httpsOnly",
+ "equals": "false"
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]"
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-AppServiceWebApp-http.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-AppServiceWebApp-http.json
new file mode 100644
index 0000000..d72db78
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-AppServiceWebApp-http.json
@@ -0,0 +1,58 @@
+{
+ "name": "Deny-AppServiceWebApp-http",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "mode": "Indexed",
+ "displayName": "Web Application should only be accessible over HTTPS",
+ "description": "Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "App Service",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Disabled",
+ "Deny"
+ ],
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Web/sites"
+ },
+ {
+ "field": "kind",
+ "like": "app*"
+ },
+ {
+ "field": "Microsoft.Web/sites/httpsOnly",
+ "equals": "false"
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]"
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-Databricks-NoPublicIp.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-Databricks-NoPublicIp.json
new file mode 100644
index 0000000..0030e2a
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-Databricks-NoPublicIp.json
@@ -0,0 +1,52 @@
+{
+ "name": "Deny-Databricks-NoPublicIp",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "mode": "Indexed",
+ "displayName": "Deny public IPs for Databricks cluster",
+ "description": "Denies the deployment of workspaces that do not use the noPublicIp feature to host Databricks clusters without public IPs.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Databricks",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud"
+ ]
+ },
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ },
+ "allowedValues": [
+ "Audit",
+ "Disabled",
+ "Deny"
+ ],
+ "defaultValue": "Deny"
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Databricks/workspaces"
+ },
+ {
+ "field": "Microsoft.DataBricks/workspaces/parameters.enableNoPublicIp.value",
+ "notEquals": true
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]"
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-Databricks-Sku.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-Databricks-Sku.json
new file mode 100644
index 0000000..8e404a8
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-Databricks-Sku.json
@@ -0,0 +1,52 @@
+{
+ "name": "Deny-Databricks-Sku",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "mode": "Indexed",
+ "displayName": "Deny non-premium Databricks sku",
+ "description": "Enforces the use of Premium Databricks workspaces to make sure appropriate security features are available including Databricks Access Controls, Credential Passthrough and SCIM provisioning for AAD.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Databricks",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud"
+ ]
+ },
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ },
+ "allowedValues": [
+ "Audit",
+ "Disabled",
+ "Deny"
+ ],
+ "defaultValue": "Deny"
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Databricks/workspaces"
+ },
+ {
+ "field": "Microsoft.DataBricks/workspaces/sku.name",
+ "notEquals": "premium"
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]"
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-Databricks-VirtualNetwork.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-Databricks-VirtualNetwork.json
new file mode 100644
index 0000000..7042d3a
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-Databricks-VirtualNetwork.json
@@ -0,0 +1,64 @@
+{
+ "name": "Deny-Databricks-VirtualNetwork",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "mode": "Indexed",
+ "displayName": "Deny Databricks workspaces without Vnet injection",
+ "description": "Enforces the use of vnet injection for Databricks workspaces.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Databricks",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud"
+ ]
+ },
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ },
+ "allowedValues": [
+ "Audit",
+ "Disabled",
+ "Deny"
+ ],
+ "defaultValue": "Deny"
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Databricks/workspaces"
+ },
+ {
+ "anyOf": [
+ {
+ "field": "Microsoft.DataBricks/workspaces/parameters.customVirtualNetworkId.value",
+ "exists": false
+ },
+ {
+ "field": "Microsoft.DataBricks/workspaces/parameters.customPublicSubnetName.value",
+ "exists": false
+ },
+ {
+ "field": "Microsoft.DataBricks/workspaces/parameters.customPrivateSubnetName.value",
+ "exists": false
+ }
+ ]
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]"
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-FileServices-InsecureAuth.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-FileServices-InsecureAuth.json
new file mode 100644
index 0000000..98ab40e
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-FileServices-InsecureAuth.json
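Review bot: The three `"exists": false` checks in Deny-Databricks-VirtualNetwork accept a workspace whose `customVirtualNetworkId`, `customPublicSubnetName` or `customPrivateSubnetName` parameter is present but empty. The Machine Learning definitions added in this same commit pair `"exists": false` with an `empty(field(...))` test for exactly that case, and using the same pair here would keep the two families consistent. Whether the resource provider already rejects empty values is not visible from this diff, so treat this as a hardening suggestion rather than a confirmed bypass.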
@@ -0,0 +1,66 @@
+{
+ "name": "Deny-FileServices-InsecureAuth",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "mode": "All",
+ "displayName": "File Services with insecure authentication methods should be denied",
+ "description": "This policy denies the use of insecure authentication methods (NTLMv2) when using File Services on a storage account.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Storage",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect",
+ "description": "The effect determines what happens when the policy rule is evaluated to match"
+ }
+ },
+ "notAllowedAuthMethods": {
+ "type": "String",
+ "defaultValue": "NTLMv2",
+ "allowedValues": [
+ "NTLMv2",
+ "Kerberos"
+ ],
+ "metadata": {
+ "displayName": "Authentication methods supported by server. Valid values are NTLMv2, Kerberos.",
+ "description": "The list of channelEncryption not allowed."
+ }
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "Microsoft.Storage/storageAccounts/fileServices/protocolSettings.smb.authenticationMethods",
+ "contains": "[parameters('notAllowedAuthMethods')]"
+ },
+ {
+ "field": "type",
+ "equals": "Microsoft.Storage/storageAccounts/fileServices"
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]"
+ }
+ }
+ }
+}
\ No newline at end of file
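Review bot: The `contains` test on `protocolSettings.smb.authenticationMethods` matches only when the property is set, so a file service that leaves it unset is not denied; if the service default enables every method (worth confirming in the storage documentation), NTLMv2 remains available on exactly the accounts nobody configured. Wrapping the check in an `anyOf` with an `"exists": false` branch closes that gap, and is best trialled with the `Audit` effect first because it will also match untouched default file services. The same applies to `kerberosTicketEncryption` in Deny-FileServices-InsecureKerberos and `channelEncryption` in Deny-FileServices-InsecureSmbChannel. Separately, the `notAllowedAuthMethods` description reads "The list of channelEncryption not allowed.", which looks copied from the channel policy; `"description": "The authentication method to deny."` fits this single-valued String parameter.

```json
{
  "anyOf": [
    {
      "field": "Microsoft.Storage/storageAccounts/fileServices/protocolSettings.smb.authenticationMethods",
      "exists": false
    },
    {
      "field": "Microsoft.Storage/storageAccounts/fileServices/protocolSettings.smb.authenticationMethods",
      "contains": "[parameters('notAllowedAuthMethods')]"
    }
  ]
}
```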
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-FileServices-InsecureKerberos.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-FileServices-InsecureKerberos.json
new file mode 100644
index 0000000..54f7a9b
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-FileServices-InsecureKerberos.json
@@ -0,0 +1,66 @@
+{
+ "name": "Deny-FileServices-InsecureKerberos",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "mode": "All",
+ "displayName": "File Services with insecure Kerberos ticket encryption should be denied",
+ "description": "This policy denies the use of insecure Kerberos ticket encryption (RC4-HMAC) when using File Services on a storage account.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Storage",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect",
+ "description": "The effect determines what happens when the policy rule is evaluated to match"
+ }
+ },
+ "notAllowedKerberosTicketEncryption": {
+ "type": "String",
+ "defaultValue": "RC4-HMAC",
+ "allowedValues": [
+ "RC4-HMAC",
+ "AES-256"
+ ],
+ "metadata": {
+ "displayName": "Kerberos ticket encryption supported by server. Valid values are RC4-HMAC, AES-256.",
+ "description": "The list of kerberosTicketEncryption not allowed."
+ }
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Storage/storageAccounts/fileServices"
+ },
+ {
+ "field": "Microsoft.Storage/storageAccounts/fileServices/protocolSettings.smb.kerberosTicketEncryption",
+ "contains": "[parameters('notAllowedKerberosTicketEncryption')]"
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]"
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-FileServices-InsecureSmbChannel.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-FileServices-InsecureSmbChannel.json
new file mode 100644
index 0000000..572cc02
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-FileServices-InsecureSmbChannel.json
@@ -0,0 +1,67 @@
+{
+ "name": "Deny-FileServices-InsecureSmbChannel",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "mode": "All",
+ "displayName": "File Services with insecure SMB channel encryption should be denied",
+ "description": "This policy denies the use of insecure channel encryption (AES-128-CCM) when using File Services on a storage account.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Storage",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect",
+ "description": "The effect determines what happens when the policy rule is evaluated to match"
+ }
+ },
+ "notAllowedChannelEncryption": {
+ "type": "String",
+ "defaultValue": "AES-128-CCM",
+ "allowedValues": [
+ "AES-128-CCM",
+ "AES-128-GCM",
+ "AES-256-GCM"
+ ],
+ "metadata": {
+ "displayName": "SMB channel encryption supported by server. Valid values are AES-128-CCM, AES-128-GCM, AES-256-GCM.",
+ "description": "The list of channelEncryption not allowed."
+ }
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Storage/storageAccounts/fileServices"
+ },
+ {
+ "field": "Microsoft.Storage/storageAccounts/fileServices/protocolSettings.smb.channelEncryption",
+ "contains": "[parameters('notAllowedChannelEncryption')]"
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]"
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-FileServices-InsecureSmbVersions.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-FileServices-InsecureSmbVersions.json
new file mode 100644
index 0000000..4f40469
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-FileServices-InsecureSmbVersions.json
@@ -0,0 +1,69 @@
+{
+ "name": "Deny-FileServices-InsecureSmbVersions",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "mode": "All",
+ "displayName": "File Services with insecure SMB versions should be denied",
+ "description": "This policy denies the use of insecure versions of SMB (2.1 & 3.0) when using File Services on a storage account.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Storage",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect",
+ "description": "The effect determines what happens when the policy rule is evaluated to match"
+ }
+ },
+ "allowedSmbVersion": {
+ "type": "String",
+ "defaultValue": "SMB3.1.1",
+ "allowedValues": [
+ "SMB2.1",
+ "SMB3.0",
+ "SMB3.1.1"
+ ],
+ "metadata": {
+ "displayName": "Allowed SMB Version",
+ "description": "The allowed SMB version for maximum security"
+ }
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Storage/storageAccounts/fileServices"
+ },
+ {
+ "not": {
+ "field": "Microsoft.Storage/storageAccounts/fileServices/protocolSettings.smb.versions",
+ "contains": "[parameters('allowedSmbVersion')]"
+ }
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]"
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-MachineLearning-Aks.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-MachineLearning-Aks.json
new file mode 100644
index 0000000..49ce3ee
--- /dev/null
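Review bot: The rule in Deny-FileServices-InsecureSmbVersions denies only when `protocolSettings.smb.versions` lacks the allowed version, so a value such as `SMB2.1;SMB3.0;SMB3.1.1` passes although the description says SMB 2.1 and 3.0 are denied. If the intent is that nothing but the allowed version is enabled, compare the whole value instead, `"notEquals": "[parameters('allowedSmbVersion')]"`, after confirming how the provider formats a single-version value (for example a trailing delimiter). Unlike the three sibling FileServices definitions, this one does match when the property is absent; the descriptions should state which behaviour is intended for unset settings.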
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-MachineLearning-Aks.json
@@ -0,0 +1,64 @@
+{
+ "name": "Deny-MachineLearning-Aks",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "mode": "Indexed",
+ "displayName": "Deny AKS cluster creation in Azure Machine Learning",
+ "description": "Deny AKS cluster creation in Azure Machine Learning and enforce connecting to existing clusters.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Machine Learning",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud"
+ ]
+ },
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ },
+ "allowedValues": [
+ "Audit",
+ "Disabled",
+ "Deny"
+ ],
+ "defaultValue": "Deny"
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.MachineLearningServices/workspaces/computes"
+ },
+ {
+ "field": "Microsoft.MachineLearningServices/workspaces/computes/computeType",
+ "equals": "AKS"
+ },
+ {
+ "anyOf": [
+ {
+ "field": "Microsoft.MachineLearningServices/workspaces/computes/resourceId",
+ "exists": false
+ },
+ {
+ "value": "[empty(field('Microsoft.MachineLearningServices/workspaces/computes/resourceId'))]",
+ "equals": true
+ }
+ ]
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]"
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-MachineLearning-Compute-SubnetId.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-MachineLearning-Compute-SubnetId.json
new file mode 100644
index 0000000..bec5271
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-MachineLearning-Compute-SubnetId.json
@@ -0,0 +1,67 @@
+{
+ "name": "Deny-MachineLearning-Compute-SubnetId",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "mode": "Indexed",
+ "displayName": "Enforce subnet connectivity for Azure Machine Learning compute clusters and compute instances",
+ "description": "Enforce subnet connectivity for Azure Machine Learning compute clusters and compute instances.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Machine Learning",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud"
+ ]
+ },
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ },
+ "allowedValues": [
+ "Audit",
+ "Disabled",
+ "Deny"
+ ],
+ "defaultValue": "Deny"
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.MachineLearningServices/workspaces/computes"
+ },
+ {
+ "field": "Microsoft.MachineLearningServices/workspaces/computes/computeType",
+ "in": [
+ "AmlCompute",
+ "ComputeInstance"
+ ]
+ },
+ {
+ "anyOf": [
+ {
+ "field": "Microsoft.MachineLearningServices/workspaces/computes/subnet.id",
+ "exists": false
+ },
+ {
+ "value": "[empty(field('Microsoft.MachineLearningServices/workspaces/computes/subnet.id'))]",
+ "equals": true
+ }
+ ]
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]"
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-MachineLearning-Compute-VmSize.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-MachineLearning-Compute-VmSize.json
new file mode 100644
index 0000000..3574f72
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-MachineLearning-Compute-VmSize.json
@@ -0,0 +1,148 @@
+{
+ "name": "Deny-MachineLearning-Compute-VmSize",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "mode": "Indexed",
+ "displayName": "Limit allowed vm sizes for Azure Machine Learning compute clusters and compute instances",
+ "description": "Limit allowed vm sizes for Azure Machine Learning compute clusters and compute instances.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Budget",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud"
+ ]
+ },
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ },
+ "allowedValues": [
+ "Audit",
+ "Disabled",
+ "Deny"
+ ],
+ "defaultValue": "Deny"
+ },
+ "allowedVmSizes": {
+ "type": "Array",
+ "metadata": {
+ "displayName": "Allowed VM Sizes for Aml Compute Clusters and Instances",
+ "description": "Specifies the allowed VM Sizes for Aml Compute Clusters and Instances"
+ },
+ "defaultValue": [
+ "Standard_D1_v2",
+ "Standard_D2_v2",
+ "Standard_D3_v2",
+ "Standard_D4_v2",
+ "Standard_D11_v2",
+ "Standard_D12_v2",
+ "Standard_D13_v2",
+ "Standard_D14_v2",
+ "Standard_DS1_v2",
+ "Standard_DS2_v2",
+ "Standard_DS3_v2",
+ "Standard_DS4_v2",
+ "Standard_DS5_v2",
+ "Standard_DS11_v2",
+ "Standard_DS12_v2",
+ "Standard_DS13_v2",
+ "Standard_DS14_v2",
+ "Standard_M8-2ms",
+ "Standard_M8-4ms",
+ "Standard_M8ms",
+ "Standard_M16-4ms",
+ "Standard_M16-8ms",
+ "Standard_M16ms",
+ "Standard_M32-8ms",
+ "Standard_M32-16ms",
+ "Standard_M32ls",
+ "Standard_M32ms",
+ "Standard_M32ts",
+ "Standard_M64-16ms",
+ "Standard_M64-32ms",
+ "Standard_M64ls",
+ "Standard_M64ms",
+ "Standard_M64s",
+ "Standard_M128-32ms",
+ "Standard_M128-64ms",
+ "Standard_M128ms",
+ "Standard_M128s",
+ "Standard_M64",
+ "Standard_M64m",
+ "Standard_M128",
+ "Standard_M128m",
+ "Standard_D1",
+ "Standard_D2",
+ "Standard_D3",
+ "Standard_D4",
+ "Standard_D11",
+ "Standard_D12",
+ "Standard_D13",
+ "Standard_D14",
+ "Standard_DS15_v2",
+ "Standard_NV6",
+ "Standard_NV12",
+ "Standard_NV24",
+ "Standard_F2s_v2",
+ "Standard_F4s_v2",
+ "Standard_F8s_v2",
+ "Standard_F16s_v2",
+ "Standard_F32s_v2",
+ "Standard_F64s_v2",
+ "Standard_F72s_v2",
+ "Standard_NC6s_v3",
+ "Standard_NC12s_v3",
+ "Standard_NC24rs_v3",
+ "Standard_NC24s_v3",
+ "Standard_NC6",
+ "Standard_NC12",
+ "Standard_NC24",
+ "Standard_NC24r",
+ "Standard_ND6s",
+ "Standard_ND12s",
+ "Standard_ND24rs",
+ "Standard_ND24s",
+ "Standard_NC6s_v2",
+ "Standard_NC12s_v2",
+ "Standard_NC24rs_v2",
+ "Standard_NC24s_v2",
+ "Standard_ND40rs_v2",
+ "Standard_NV12s_v3",
+ "Standard_NV24s_v3",
+ "Standard_NV48s_v3"
+ ]
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.MachineLearningServices/workspaces/computes"
+ },
+ {
+ "field": "Microsoft.MachineLearningServices/workspaces/computes/computeType",
+ "in": [
+ "AmlCompute",
+ "ComputeInstance"
+ ]
+ },
+ {
+ "field": "Microsoft.MachineLearningServices/workspaces/computes/vmSize",
+ "notIn": "[parameters('allowedVmSizes')]"
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]"
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-MachineLearning-ComputeCluster-RemoteLoginPortPublicAccess.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-MachineLearning-ComputeCluster-RemoteLoginPortPublicAccess.json
new file mode 100644
index 0000000..32bd426
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-MachineLearning-ComputeCluster-RemoteLoginPortPublicAccess.json
@@ -0,0 +1,64 @@ +{ + "name": "Deny-MachineLearning-ComputeCluster-RemoteLoginPortPublicAccess", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "All", + "displayName": "Deny public access of Azure Machine Learning clusters via SSH", + "description": "Deny public access of Azure Machine Learning clusters via SSH.", + "metadata": { + "version": "1.1.0", + "category": "Machine Learning", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud" + ] + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ], + "defaultValue": "Deny" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.MachineLearningServices/workspaces/computes" + }, + { + "field": "Microsoft.MachineLearningServices/workspaces/computes/computeType", + "equals": "AmlCompute" + }, + { + "anyOf": [ + { + "field": "Microsoft.MachineLearningServices/workspaces/computes/remoteLoginPortPublicAccess", + "exists": false + }, + { + "field": "Microsoft.MachineLearningServices/workspaces/computes/remoteLoginPortPublicAccess", + "notEquals": "Disabled" + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]" + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-MachineLearning-ComputeCluster-Scale.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-MachineLearning-ComputeCluster-Scale.json new file mode 100644 index 0000000..3e28551 --- /dev/null 
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-MachineLearning-ComputeCluster-Scale.json 
@@ -0,0 +1,92 @@ +{ + "name": "Deny-MachineLearning-ComputeCluster-Scale", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Enforce scale settings for Azure Machine Learning compute clusters", + "description": "Enforce scale settings for Azure Machine Learning compute clusters.", + "metadata": { + "version": "1.0.0", + "category": "Budget", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud" + ] + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ], + "defaultValue": "Deny" + }, + "maxNodeCount": { + "type": "Integer", + "metadata": { + "displayName": "Maximum Node Count", + "description": "Specifies the maximum node count of AML Clusters" + }, + "defaultValue": 10 + }, + "minNodeCount": { + "type": "Integer", + "metadata": { + "displayName": "Minimum Node Count", + "description": "Specifies the minimum node count of AML Clusters" + }, + "defaultValue": 0 + }, + "maxNodeIdleTimeInSecondsBeforeScaleDown": { + "type": "Integer", + "metadata": { + "displayName": "Maximum Node Idle Time in Seconds Before Scaledown", + "description": "Specifies the maximum node idle time in seconds before scaledown" + }, + "defaultValue": 900 + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.MachineLearningServices/workspaces/computes" + }, + { + "field": "Microsoft.MachineLearningServices/workspaces/computes/computeType", + "equals": "AmlCompute" + }, + { + "anyOf": [ + { + "field": "Microsoft.MachineLearningServices/workspaces/computes/scaleSettings.maxNodeCount", + "greater": "[parameters('maxNodeCount')]" + }, + { + "field": 
"Microsoft.MachineLearningServices/workspaces/computes/scaleSettings.minNodeCount", + "greater": "[parameters('minNodeCount')]" + }, + { + "value": "[int(last(split(replace(replace(replace(replace(replace(replace(replace(field('Microsoft.MachineLearningServices/workspaces/computes/scaleSettings.nodeIdleTimeBeforeScaleDown'), 'P', '/'), 'Y', '/'), 'M', '/'), 'D', '/'), 'T', '/'), 'H', '/'), 'S', ''), '/')))]", + "greater": "[parameters('maxNodeIdleTimeInSecondsBeforeScaleDown')]" + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]" + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-MachineLearning-HbiWorkspace.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-MachineLearning-HbiWorkspace.json new file mode 100644 index 0000000..f7e0aa8 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-MachineLearning-HbiWorkspace.json 
@@ -0,0 +1,60 @@ +{ + "name": "Deny-MachineLearning-HbiWorkspace", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Enforces high business impact Azure Machine Learning Workspaces", + "description": "Enforces high business impact Azure Machine Learning workspaces.", + "metadata": { + "version": "1.0.0", + "category": "Machine Learning", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud" + ] + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ], + "defaultValue": "Deny" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.MachineLearningServices/workspaces" + }, + { + "anyOf": [ + { + "field": "Microsoft.MachineLearningServices/workspaces/hbiWorkspace", + "exists": false + }, + { + "field": "Microsoft.MachineLearningServices/workspaces/hbiWorkspace", + "notEquals": true + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]" + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-MachineLearning-PublicAccessWhenBehindVnet.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-MachineLearning-PublicAccessWhenBehindVnet.json new file mode 100644 index 0000000..6cb2c16 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-MachineLearning-PublicAccessWhenBehindVnet.json 
@@ -0,0 +1,60 @@ +{ + "name": "Deny-MachineLearning-PublicAccessWhenBehindVnet", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deny public access behind vnet to Azure Machine Learning workspace", + "description": "Deny public access behind vnet to Azure Machine Learning workspaces.", + "metadata": { + "version": "1.0.1", + "category": "Machine Learning", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud" + ] + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ], + "defaultValue": "Deny" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.MachineLearningServices/workspaces" + }, + { + "anyOf": [ + { + "field": "Microsoft.MachineLearningServices/workspaces/allowPublicAccessWhenBehindVnet", + "exists": false + }, + { + "field": "Microsoft.MachineLearningServices/workspaces/allowPublicAccessWhenBehindVnet", + "notEquals": false + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]" + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-MachineLearning-PublicNetworkAccess.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-MachineLearning-PublicNetworkAccess.json new file mode 100644 index 0000000..c31c814 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-MachineLearning-PublicNetworkAccess.json 
@@ -0,0 +1,53 @@
+{
+ "name": "Deny-MachineLearning-PublicNetworkAccess",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "mode": "Indexed",
+ "displayName": "[Deprecated] Azure Machine Learning should have disabled public network access",
+ "description": "Denies public network access for Azure Machine Learning workspaces.",
+ "metadata": {
+ "version": "1.0.0-deprecated",
+ "category": "Machine Learning",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "deprecated": true,
+ "alzCloudEnvironments": [
+ "AzureCloud"
+ ]
+ },
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ },
+ "allowedValues": [
+ "Audit",
+ "Disabled",
+ "Deny"
+ ],
+ "defaultValue": "Deny"
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.MachineLearningServices/workspaces"
+ },
+ {
+ "field": "Microsoft.MachineLearningServices/workspaces/publicNetworkAccess",
+ "notEquals": "Disabled"
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]"
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-MgmtPorts-From-Internet.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-MgmtPorts-From-Internet.json
new file mode 100644
index 0000000..86e8a84
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-MgmtPorts-From-Internet.json
@@ -0,0 +1,254 @@ +{ + "name": "Deny-MgmtPorts-From-Internet", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "All", + "displayName": "Management port access from the Internet should be blocked", + "description": "This policy denies any network security rule that allows management port access from the Internet", + "metadata": { + "version": "2.1.0", + "category": "Network", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny" + }, + "ports": { + "type": "Array", + "metadata": { + "displayName": "Ports", + "description": "Ports to be blocked" + }, + "defaultValue": [ + "22", + "3389" + ] + } + }, + "policyRule": { + "if": { + "anyOf": [ + { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/networkSecurityGroups/securityRules" + }, + { + "allOf": [ + { + "field": "Microsoft.Network/networkSecurityGroups/securityRules/access", + "equals": "Allow" + }, + { + "field": "Microsoft.Network/networkSecurityGroups/securityRules/direction", + "equals": "Inbound" + }, + { + "anyOf": [ + { + "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange", + "equals": "*" + }, + { + "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange", + "in": "[parameters('ports')]" + }, + { + "count": { + "value": "[parameters('ports')]", + "where": { + "value": "[if(and(not(empty(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'))), contains(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'),'-')), 
and(lessOrEquals(int(first(split(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'), '-'))),int(current())),greaterOrEquals(int(last(split(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'), '-'))),int(current()))), 'false')]", + "equals": "true" + } + }, + "greater": 0 + }, + { + "count": { + "value": "[parameters('ports')]", + "name": "ports", + "where": { + "count": { + "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]", + "where": { + "value": "[if(and(not(empty(current('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'))), contains(current('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'),'-')), and(lessOrEquals(int(first(split(current('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'), '-'))),int(current('ports'))),greaterOrEquals(int(last(split(current('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'), '-'))),int(current('ports')))) , 'false')]", + "equals": "true" + } + }, + "greater": 0 + } + }, + "greater": 0 + }, + { + "not": { + "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]", + "notEquals": "*" + } + }, + { + "not": { + "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]", + "notIn": "[parameters('ports')]" + } + } + ] + }, + { + "anyOf": [ + { + "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix", + "equals": "*" + }, + { + "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix", + "equals": "Internet" + }, + { + "not": { + "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]", + "notEquals": "*" + } + }, + { + "not": { + "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]", + "notEquals": "Internet" + } + } + ] + } 
+ ] + } + ] + }, + { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/networkSecurityGroups" + }, + { + "count": { + "field": "Microsoft.Network/networkSecurityGroups/securityRules[*]", + "where": { + "allOf": [ + { + "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].access", + "equals": "Allow" + }, + { + "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].direction", + "equals": "Inbound" + }, + { + "anyOf": [ + { + "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRange", + "equals": "*" + }, + { + "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRange", + "in": "[parameters('ports')]" + }, + { + "count": { + "value": "[parameters('ports')]", + "name": "ports", + "where": { + "value": "[if(and(not(empty(current('Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRange'))), contains(current('Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRange'),'-')), and(lessOrEquals(int(first(split(current('Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRange'), '-'))),int(current('ports'))),greaterOrEquals(int(last(split(current('Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRange'), '-'))),int(current('ports')))), 'false')]", + "equals": "true" + } + }, + "greater": 0 + }, + { + "count": { + "value": "[parameters('ports')]", + "name": "ports", + "where": { + "count": { + "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRanges[*]", + "where": { + "value": "[if(and(not(empty(current('Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRanges[*]'))), contains(current('Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRanges[*]'),'-')), and(lessOrEquals(int(first(split(current('Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRanges[*]'), 
'-'))),int(current('ports'))),greaterOrEquals(int(last(split(current('Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRanges[*]'), '-'))),int(current('ports')))) , 'false')]", + "equals": "true" + } + }, + "greater": 0 + } + }, + "greater": 0 + }, + { + "not": { + "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRanges[*]", + "notEquals": "*" + } + }, + { + "not": { + "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRanges[*]", + "notIn": "[parameters('ports')]" + } + } + ] + }, + { + "anyOf": [ + { + "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].sourceAddressPrefix", + "equals": "*" + }, + { + "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].sourceAddressPrefix", + "equals": "Internet" + }, + { + "not": { + "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].sourceAddressPrefixes[*]", + "notEquals": "*" + } + }, + { + "not": { + "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].sourceAddressPrefixes[*]", + "notEquals": "Internet" + } + } + ] + } + ] + } + }, + "greater": 0 + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]" + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-MySql-http.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-MySql-http.json new file mode 100644 index 0000000..a8da043 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-MySql-http.json 
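Review bot: The source test in both branches of Deny-MgmtPorts-From-Internet matches only the literal prefixes `*` and `Internet` (on `sourceAddressPrefix` and on `sourceAddressPrefixes[*]`), so an inbound Allow rule whose source is written as a CIDR covering the whole address space, such as `0.0.0.0/0`, is not flagged although it exposes the same ports. Consider replacing the two `equals` conditions with `"in": ["*", "Internet", "0.0.0.0/0"]` and adding `{ "not": { "field": "…sourceAddressPrefixes[*]", "notEquals": "0.0.0.0/0" } }` for the array form, in the `securityRules` branch and in the `networkSecurityGroups` count branch alike. Other broad ranges would still pass, so the description should say the policy covers explicit any/Internet sources rather than every form of public exposure. The deprecated Deny-RDP-From-Internet definition later in this commit uses the same source test.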
@@ -0,0 +1,80 @@ +{ + "name": "Deny-MySql-http", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "MySQL database servers enforce SSL connections.", + "description": "Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.", + "metadata": { + "version": "1.0.0", + "category": "SQL", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "minimalTlsVersion": { + "type": "String", + "defaultValue": "TLS1_2", + "allowedValues": [ + "TLS1_2", + "TLS1_0", + "TLS1_1", + "TLSEnforcementDisabled" + ], + "metadata": { + "displayName": "Select version minimum TLS for MySQL server", + "description": "Select version minimum TLS version Azure Database for MySQL server to enforce" + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.DBforMySQL/servers" + }, + { + "anyOf": [ + { + "field": "Microsoft.DBforMySQL/servers/sslEnforcement", + "exists": "false" + }, + { + "field": "Microsoft.DBforMySQL/servers/sslEnforcement", + "notEquals": "Enabled" + }, + { + "field": "Microsoft.DBforMySQL/servers/minimalTlsVersion", + "notequals": "[parameters('minimalTlsVersion')]" + } + ] + } + ] 
+ }, + "then": { + "effect": "[parameters('effect')]" + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-PostgreSql-http.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-PostgreSql-http.json new file mode 100644 index 0000000..fb396d6 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-PostgreSql-http.json 
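Review bot: The `minimalTlsVersion` condition in Deny-MySql-http is an exact-match test, not a minimum: `"notequals": "[parameters('minimalTlsVersion')]"` flags every server whose value differs from the parameter. Because `allowedValues` also offers `TLS1_0`, `TLS1_1` and `TLSEnforcementDisabled`, an assignment that selects one of those would deny servers configured with `TLS1_2` and admit only the weaker setting. I would restrict the parameter to `"allowedValues": ["TLS1_2"]`, or compare the field against a list of acceptable versions with `notIn`, and reword the metadata to say the value is the required version. The Deny-PostgreSql-http hunk that follows carries the same condition and parameter.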
@@ -0,0 +1,80 @@ +{ + "name": "Deny-PostgreSql-http", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "PostgreSQL database servers enforce SSL connection.", + "description": "Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.", + "metadata": { + "version": "1.0.1", + "category": "SQL", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "minimalTlsVersion": { + "type": "String", + "defaultValue": "TLS1_2", + "allowedValues": [ + "TLS1_2", + "TLS1_0", + "TLS1_1", + "TLSEnforcementDisabled" + ], + "metadata": { + "displayName": "Select version minimum TLS for MySQL server", + "description": "Select version minimum TLS version Azure Database for MySQL server to enforce" + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.DBforPostgreSQL/servers" + }, + { + "anyOf": [ + { + "field": "Microsoft.DBforPostgreSQL/servers/sslEnforcement", + "exists": "false" + }, + { + "field": "Microsoft.DBforPostgreSQL/servers/sslEnforcement", + "notEquals": "Enabled" + }, + { + "field": "Microsoft.DBforPostgreSQL/servers/minimalTlsVersion", + "notequals": 
"[parameters('minimalTlsVersion')]" + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]" + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-Private-DNS-Zones.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-Private-DNS-Zones.json new file mode 100644 index 0000000..643df1d --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-Private-DNS-Zones.json @@ -0,0 +1,46 @@ +{ + "name": "Deny-Private-DNS-Zones", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deny the creation of private DNS", + "description": "This policy denies the creation of a private DNS in the current scope, used in combination with policies that create centralized private DNS in connectivity subscription", + "metadata": { + "version": "1.0.0", + "category": "Network", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Network/privateDnsZones" + }, + "then": { + "effect": "[parameters('effect')]" + } + } + } +} \ No newline at end of file 
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-PublicEndpoint-MariaDB.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-PublicEndpoint-MariaDB.json
new file mode 100644
index 0000000..eea5b4f
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-PublicEndpoint-MariaDB.json
@@ -0,0 +1,55 @@
+{
+ "name": "Deny-PublicEndpoint-MariaDB",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "mode": "Indexed",
+ "displayName": "[Deprecated] Public network access should be disabled for MariaDB",
+ "description": "This policy denies the creation of Maria DB accounts with exposed public endpoints",
+ "metadata": {
+ "version": "1.0.0-deprecated",
+ "category": "SQL",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "deprecated": true,
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "defaultValue": "Deny",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.DBforMariaDB/servers"
+ },
+ {
+ "field": "Microsoft.DBforMariaDB/servers/publicNetworkAccess",
+ "notequals": "Disabled"
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]"
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-PublicIP.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-PublicIP.json
new file mode 100644
index 0000000..7c8acd8
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-PublicIP.json
@@ -0,0 +1,47 @@
+{
+ "name": "Deny-PublicIP",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "mode": "Indexed",
+ "displayName": "[Deprecated] Deny the creation of public IP",
+ "description": "[Deprecated] This policy denies creation of Public IPs under the assigned scope.",
+ "metadata": {
+ "deprecated": true,
+ "version": "1.0.0-deprecated",
+ "category": "Network",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "defaultValue": "Deny",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ }
+ },
+ "policyRule": {
+ "if": {
+ "field": "type",
+ "equals": "Microsoft.Network/publicIPAddresses"
+ },
+ "then": {
+ "effect": "[parameters('effect')]"
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-RDP-From-Internet.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-RDP-From-Internet.json
new file mode 100644
index 0000000..a4efda1
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-RDP-From-Internet.json 
@@ -0,0 +1,125 @@ +{ + "name": "Deny-RDP-From-Internet", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "All", + "displayName": "[Deprecated] RDP access from the Internet should be blocked", + "description": "This policy denies any network security rule that allows RDP access from Internet. This policy is superceded by new custom ALZ policy 'Deny-MgmtPorts-From-Internet'.", + "metadata": { + "deprecated": true, + "version": "1.0.1-deprecated", + "category": "Network", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/networkSecurityGroups/securityRules" + }, + { + "allOf": [ + { + "field": "Microsoft.Network/networkSecurityGroups/securityRules/access", + "equals": "Allow" + }, + { + "field": "Microsoft.Network/networkSecurityGroups/securityRules/direction", + "equals": "Inbound" + }, + { + "anyOf": [ + { + "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange", + "equals": "*" + }, + { + "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange", + "equals": "3389" + }, + { + "value": "[if(and(not(empty(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'))), contains(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'),'-')), and(lessOrEquals(int(first(split(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'), 
'-'))),3389),greaterOrEquals(int(last(split(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'), '-'))),3389)), 'false')]", + "equals": "true" + }, + { + "count": { + "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]", + "where": { + "value": "[if(and(not(empty(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')))), contains(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')),'-')), and(lessOrEquals(int(first(split(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')), '-'))),3389),greaterOrEquals(int(last(split(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')), '-'))),3389)) , 'false')]", + "equals": "true" + } + }, + "greater": 0 + }, + { + "not": { + "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]", + "notEquals": "*" + } + }, + { + "not": { + "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]", + "notEquals": "3389" + } + } + ] + }, + { + "anyOf": [ + { + "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix", + "equals": "*" + }, + { + "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix", + "equals": "Internet" + }, + { + "not": { + "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]", + "notEquals": "*" + } + }, + { + "not": { + "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]", + "notEquals": "Internet" + } + } + ] + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]" + } + } + } +} \ No newline at end of file 
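Review bot: The source check in the final `anyOf` matches only the literal values `*` and `Internet` on `Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix` and `sourceAddressPrefixes[*]`, so an inbound Allow rule for port 3389 whose source is written in CIDR form, such as `0.0.0.0/0`, is not matched by this definition. The definition is marked deprecated but still ships with `"defaultValue": "Deny"`, so the description should tell assigners that it does not cover CIDR-form sources and that 'Deny-MgmtPorts-From-Internet' is the one to assign. If the file is kept, adding `{ "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix", "equals": "0.0.0.0/0" }` to that `anyOf` would close the most obvious case. Whether the successor policy handles CIDR sources cannot be seen from this hunk.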
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-Redis-http.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-Redis-http.json new file mode 100644 index 0000000..73d491a --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-Redis-http.json 
@@ -0,0 +1,75 @@
+{
+ "name": "Deny-Redis-http",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "mode": "Indexed",
+ "displayName": "Azure Cache for Redis only secure connections should be enabled",
+ "description": "Audit enabling of only connections via SSL to Azure Cache for Redis. Validate both minimum TLS version and enableNonSslPort is disabled. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Cache",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect",
+ "description": "The effect determines what happens when the policy rule is evaluated to match"
+ }
+ },
+ "minimumTlsVersion": {
+ "type": "String",
+ "defaultValue": "1.2",
+ "allowedValues": [
+ "1.2",
+ "1.1",
+ "1.0"
+ ],
+ "metadata": {
+ "displayName": "Select minumum TLS version for Azure Cache for Redis.",
+ "description": "Select minimum TLS version for Azure Cache for Redis."
+ }
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Cache/redis"
+ },
+ {
+ "anyOf": [
+ {
+ "field": "Microsoft.Cache/Redis/enableNonSslPort",
+ "equals": "true"
+ },
+ {
+ "field": "Microsoft.Cache/Redis/minimumTlsVersion",
+ "notequals": "[parameters('minimumTlsVersion')]"
+ }
+ ]
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]"
+ }
+ }
+ }
+}
\ No newline at end of file
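Review bot: The TLS condition compares `Microsoft.Cache/Redis/minimumTlsVersion` to the parameter with `notequals`, so the parameter is an exact required version rather than a minimum; an assignment that sets `minimumTlsVersion` to `1.1` would match a cache that is configured for 1.2. The same exact-match comparison is used in the Deny-Sql-minTLS, Deny-SqlMi-minTLS and Deny-Storage-minTLS hunks. Because `allowedValues` also offers `1.1` and `1.0`, an assignment can lower the enforced version, so I would either restrict the list to `1.2` or state the behaviour in the metadata, for example `"description": "Required TLS version; a cache set to any other value, including a higher one, matches the rule."` The policy description also opens with "Audit" while `defaultValue` for `effect` is `Deny`, and the two should agree.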
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-Sql-minTLS.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-Sql-minTLS.json new file mode 100644 index 0000000..f859443 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-Sql-minTLS.json 
@@ -0,0 +1,75 @@ +{ + "name": "Deny-Sql-minTLS", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Azure SQL Database should have the minimal TLS version set to the highest version", + "description": "Setting minimal TLS version to 1.2 improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not reccomended since they have well documented security vunerabilities.", + "metadata": { + "version": "1.0.0", + "category": "SQL", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ], + "defaultValue": "Audit" + }, + "minimalTlsVersion": { + "type": "String", + "defaultValue": "1.2", + "allowedValues": [ + "1.2", + "1.1", + "1.0" + ], + "metadata": { + "displayName": "Select version for SQL server", + "description": "Select version minimum TLS version SQL servers to enforce" + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Sql/servers" + }, + { + "anyOf": [ + { + "field": "Microsoft.Sql/servers/minimalTlsVersion", + "exists": "false" + }, + { + "field": "Microsoft.Sql/servers/minimalTlsVersion", + "notequals": "[parameters('minimalTlsVersion')]" + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]" + } + } + } +} \ No newline at end of file 
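Review bot: `effect` defaults to `Audit` in this definition although it is named Deny-Sql-minTLS, and the Redis and Storage counterparts in this commit default to `Deny`; an assignment that leaves the parameter unset only reports servers that miss the required TLS version and does not block them. If audit-first is the intent, the description should say so, otherwise the line should read `"defaultValue": "Deny"`. The Deny-SqlMi-minTLS hunk has the same default, and its parameter metadata still says "SQL server" although it targets `Microsoft.Sql/managedInstances`.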
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-SqlMi-minTLS.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-SqlMi-minTLS.json new file mode 100644 index 0000000..951d1ac --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-SqlMi-minTLS.json 
@@ -0,0 +1,75 @@ +{ + "name": "Deny-SqlMi-minTLS", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "SQL Managed Instance should have the minimal TLS version set to the highest version", + "description": "Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not reccomended since they have well documented security vunerabilities.", + "metadata": { + "version": "1.0.0", + "category": "SQL", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ], + "defaultValue": "Audit" + }, + "minimalTlsVersion": { + "type": "String", + "defaultValue": "1.2", + "allowedValues": [ + "1.2", + "1.1", + "1.0" + ], + "metadata": { + "displayName": "Select version for SQL server", + "description": "Select version minimum TLS version SQL servers to enforce" + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Sql/managedInstances" + }, + { + "anyOf": [ + { + "field": "Microsoft.Sql/managedInstances/minimalTlsVersion", + "exists": "false" + }, + { + "field": "Microsoft.Sql/managedInstances/minimalTlsVersion", + "notequals": "[parameters('minimalTlsVersion')]" + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]" + } + } + } +} \ No newline at end of file 
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-Storage-SFTP.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-Storage-SFTP.json
new file mode 100644
index 0000000..9e3cc66
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-Storage-SFTP.json
@@ -0,0 +1,54 @@
+{
+ "name": "Deny-Storage-SFTP",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "mode": "Indexed",
+ "displayName": "Storage Accounts with SFTP enabled should be denied",
+ "description": "This policy denies the creation of Storage Accounts with SFTP enabled for Blob Storage.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Storage",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect",
+ "description": "The effect determines what happens when the policy rule is evaluated to match"
+ }
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Storage/storageAccounts"
+ },
+ {
+ "field": "Microsoft.Storage/storageAccounts/isSftpEnabled",
+ "equals": "true"
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]"
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-Storage-minTLS.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-Storage-minTLS.json
new file mode 100644
index 0000000..5b10d48
--- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-Storage-minTLS.json 
@@ -0,0 +1,91 @@ +{ + "name": "Deny-Storage-minTLS", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Storage Account set to minimum TLS and Secure transfer should be enabled", + "description": "Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking", + "metadata": { + "version": "1.0.0", + "category": "Storage", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "The effect determines what happens when the policy rule is evaluated to match" + } + }, + "minimumTlsVersion": { + "type": "String", + "defaultValue": "TLS1_2", + "allowedValues": [ + "TLS1_2", + "TLS1_1", + "TLS1_0" + ], + "metadata": { + "displayName": "Storage Account select minimum TLS version", + "description": "Select version minimum TLS version on Azure Storage Account to enforce" + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Storage/storageAccounts" + }, + { + "anyOf": [ + { + "allOf": [ + { + "value": "[requestContext().apiVersion]", + "less": "2019-04-01" + }, + { + "field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly", + "exists": "false" + } + ] + }, + { + "field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly", + "equals": "false" + }, + { + "field": 
"Microsoft.Storage/storageAccounts/minimumTlsVersion", + "notequals": "[parameters('minimumTlsVersion')]" + }, + { + "field": "Microsoft.Storage/storageAccounts/minimumTlsVersion", + "exists": "false" + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]" + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-StorageAccount-CustomDomain.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-StorageAccount-CustomDomain.json new file mode 100644 index 0000000..d49e033 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-StorageAccount-CustomDomain.json 
@@ -0,0 +1,62 @@ +{ + "name": "Deny-StorageAccount-CustomDomain", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "All", + "displayName": "Storage Accounts with custom domains assigned should be denied", + "description": "This policy denies the creation of Storage Accounts with custom domains assigned as communication cannot be encrypted, and always uses HTTP.", + "metadata": { + "version": "1.0.0", + "category": "Storage", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "The effect determines what happens when the policy rule is evaluated to match" + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Storage/storageAccounts" + }, + { + "anyOf": [ + { + "field": "Microsoft.Storage/storageAccounts/customDomain", + "exists": "true" + }, + { + "field": "Microsoft.Storage/storageAccounts/customDomain.useSubDomainName", + "equals": "true" + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]" + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-Subnet-Without-Nsg.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-Subnet-Without-Nsg.json new file mode 100644 index 0000000..73ec47e --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-Subnet-Without-Nsg.json 
@@ -0,0 +1,100 @@ +{ + "name": "Deny-Subnet-Without-Nsg", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "All", + "displayName": "Subnets should have a Network Security Group", + "description": "This policy denies the creation of a subnet without a Network Security Group. NSG help to protect traffic across subnet-level.", + "metadata": { + "version": "2.0.0", + "category": "Network", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "excludedSubnets": { + "type": "Array", + "metadata": { + "displayName": "Excluded Subnets", + "description": "Array of subnet names that are excluded from this policy" + }, + "defaultValue": [ + "GatewaySubnet", + "AzureFirewallSubnet", + "AzureFirewallManagementSubnet" + ] + } + }, + "policyRule": { + "if": { + "anyOf": [ + { + "allOf": [ + { + "equals": "Microsoft.Network/virtualNetworks", + "field": "type" + }, + { + "count": { + "field": "Microsoft.Network/virtualNetworks/subnets[*]", + "where": { + "allOf": [ + { + "exists": "false", + "field": "Microsoft.Network/virtualNetworks/subnets[*].networkSecurityGroup.id" + }, + { + "field": "Microsoft.Network/virtualNetworks/subnets[*].name", + "notIn": "[parameters('excludedSubnets')]" + } + ] + } + }, + "notEquals": 0 + } + ] + }, + { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/virtualNetworks/subnets" + }, + { + "field": "name", + "notIn": "[parameters('excludedSubnets')]" + }, + { + "field": "Microsoft.Network/virtualNetworks/subnets/networkSecurityGroup.id", + "exists": "false" + } + ] + } + ] + }, 
+ "then": { + "effect": "[parameters('effect')]" + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-Subnet-Without-Penp.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-Subnet-Without-Penp.json new file mode 100644 index 0000000..df42479 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-Subnet-Without-Penp.json 
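Review bot: The `excludedSubnets` exemption is decided by subnet name alone (`"notIn": "[parameters('excludedSubnets')]"`), so any subnet that carries one of the default names is exempt from the NSG requirement whether or not it hosts the gateway or firewall the name implies. The parameter description should say this, for example `"description": "Subnet names exempt from this policy. Matching is by name only; keep the list minimal and review subnets that use these names."`, and assignments are better paired with a periodic audit of the exempt subnets. The same name-based exclusion is used in the Deny-Subnet-Without-Penp and Deny-Subnet-Without-Udr hunks.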
@@ -0,0 +1,101 @@ +{ + "name": "Deny-Subnet-Without-Penp", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "All", + "displayName": "Subnets without Private Endpoint Network Policies enabled should be denied", + "description": "This policy denies the creation of a subnet without Private Endpoint Netwotk Policies enabled. This policy is intended for 'workload' subnets, not 'central infrastructure' (aka, 'hub') subnets.", + "metadata": { + "version": "1.0.0", + "category": "Network", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny", + "metadata": { + "displayName": "Effect", + "description": "The effect determines what happens when the policy rule is evaluated to match" + } + }, + "excludedSubnets": { + "type": "Array", + "metadata": { + "displayName": "Excluded Subnets", + "description": "Array of subnet names that are excluded from this policy" + }, + "defaultValue": [ + "GatewaySubnet", + "AzureFirewallSubnet", + "AzureFirewallManagementSubnet", + "AzureBastionSubnet" + ] + } + }, + "policyRule": { + "if": { + "anyOf": [ + { + "allOf": [ + { + "equals": "Microsoft.Network/virtualNetworks", + "field": "type" + }, + { + "count": { + "field": "Microsoft.Network/virtualNetworks/subnets[*]", + "where": { + "allOf": [ + { + "field": "Microsoft.Network/virtualNetworks/subnets[*].privateEndpointNetworkPolicies", + "notEquals": "Enabled" + }, + { + "field": "Microsoft.Network/virtualNetworks/subnets[*].name", + "notIn": "[parameters('excludedSubnets')]" + } + ] + } + }, + "notEquals": 0 + } + ] + }, + { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/virtualNetworks/subnets" + }, + { + "field": "name", + 
"notIn": "[parameters('excludedSubnets')]" + }, + { + "field": "Microsoft.Network/virtualNetworks/subnets/privateEndpointNetworkPolicies", + "notEquals": "Enabled" + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]" + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-Subnet-Without-Udr.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-Subnet-Without-Udr.json new file mode 100644 index 0000000..7bc81d0 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-Subnet-Without-Udr.json 
@@ -0,0 +1,98 @@ +{ + "name": "Deny-Subnet-Without-Udr", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "All", + "displayName": "Subnets should have a User Defined Route", + "description": "This policy denies the creation of a subnet without a User Defined Route (UDR).", + "metadata": { + "version": "2.0.0", + "category": "Network", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny" + }, + "excludedSubnets": { + "type": "Array", + "metadata": { + "displayName": "Excluded Subnets", + "description": "Array of subnet names that are excluded from this policy" + }, + "defaultValue": [ + "AzureBastionSubnet" + ] + } + }, + "policyRule": { + "if": { + "anyOf": [ + { + "allOf": [ + { + "equals": "Microsoft.Network/virtualNetworks", + "field": "type" + }, + { + "count": { + "field": "Microsoft.Network/virtualNetworks/subnets[*]", + "where": { + "allOf": [ + { + "exists": "false", + "field": "Microsoft.Network/virtualNetworks/subnets[*].routeTable.id" + }, + { + "field": "Microsoft.Network/virtualNetworks/subnets[*].name", + "notIn": "[parameters('excludedSubnets')]" + } + ] + } + }, + "notEquals": 0 + } + ] + }, + { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/virtualNetworks/subnets" + }, + { + "field": "name", + "notIn": "[parameters('excludedSubnets')]" + }, + { + "field": "Microsoft.Network/virtualNetworks/subnets/routeTable.id", + "exists": "false" + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]" + } + } + } +} \ No newline at end of file 
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-UDR-With-Specific-NextHop.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-UDR-With-Specific-NextHop.json new file mode 100644 index 0000000..fecf3c3 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-UDR-With-Specific-NextHop.json 
@@ -0,0 +1,87 @@ +{ + "name": "Deny-UDR-With-Specific-NextHop", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "All", + "displayName": "User Defined Routes with 'Next Hop Type' set to 'Internet' or 'VirtualNetworkGateway' should be denied", + "description": "This policy denies the creation of a User Defined Route with 'Next Hop Type' set to 'Internet' or 'VirtualNetworkGateway'.", + "metadata": { + "version": "1.0.0", + "category": "Network", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "The effect determines what happens when the policy rule is evaluated to match" + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny" + }, + "excludedDestinations": { + "type": "Array", + "metadata": { + "displayName": "Excluded Destinations", + "description": "Array of route destinations that are to be denied" + }, + "defaultValue": [ + "Internet", + "VirtualNetworkGateway" + ] + } + }, + "policyRule": { + "if": { + "anyOf": [ + { + "allOf": [ + { + "equals": "Microsoft.Network/routeTables", + "field": "type" + }, + { + "count": { + "field": "Microsoft.Network/routeTables/routes[*]", + "where": { + "field": "Microsoft.Network/routeTables/routes[*].nextHopType", + "in": "[parameters('excludedDestinations')]" + } + }, + "notEquals": 0 + } + ] + }, + { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/routeTables/routes" + }, + { + "field": "Microsoft.Network/routeTables/routes/nextHopType", + "in": "[parameters('excludedDestinations')]" + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]" + } + } + } +} \ No newline at end of file 
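Review bot: The parameter `excludedDestinations` is labelled "Excluded Destinations", but the rule uses it with `in` as the list of next hop types that are denied, so the name and display name suggest the opposite of what the values do. Renaming the parameter would break existing assignments, so I would correct the metadata instead: `"displayName": "Denied next hop types"` and `"description": "Next hop types that routes are not allowed to use"`. An operator who reads the current label as an exemption list could add a value expecting to permit it and end up denying it, or remove one and unintentionally permit that route type.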
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-VNET-Peer-Cross-Sub.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-VNET-Peer-Cross-Sub.json
new file mode 100644
index 0000000..d9d6dd8
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-VNET-Peer-Cross-Sub.json
@@ -0,0 +1,54 @@
+{
+ "name": "Deny-VNET-Peer-Cross-Sub",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "mode": "All",
+ "displayName": "Deny vNet peering cross subscription.",
+ "description": "This policy denies the creation of vNet Peerings outside of the same subscriptions under the assigned scope.",
+ "metadata": {
+ "version": "1.0.1",
+ "category": "Network",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ },
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "defaultValue": "Deny"
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings"
+ },
+ {
+ "field": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/remoteVirtualNetwork.id",
+ "notcontains": "[subscription().id]"
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]"
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-VNET-Peering-To-Non-Approved-VNETs.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-VNET-Peering-To-Non-Approved-VNETs.json new file mode 100644 index 0000000..e7f4e9f --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-VNET-Peering-To-Non-Approved-VNETs.json 
@@ -0,0 +1,88 @@ +{ + "name": "Deny-VNET-Peering-To-Non-Approved-VNETs", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "All", + "displayName": "Deny vNet peering to non-approved vNets", + "description": "This policy denies the creation of vNet Peerings to non-approved vNets under the assigned scope.", + "metadata": { + "version": "1.0.0", + "category": "Network", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny" + }, + "allowedVnets": { + "type": "Array", + "metadata": { + "displayName": "Allowed vNets to peer with", + "description": "Array of allowed vNets that can be peered with. Must be entered using their resource ID. 
Example: /subscriptions/{subId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{vnetName}" + }, + "defaultValue": [] + } + }, + "policyRule": { + "if": { + "anyOf": [ + { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings" + }, + { + "not": { + "field": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/remoteVirtualNetwork.id", + "in": "[parameters('allowedVnets')]" + } + } + ] + }, + { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/virtualNetworks" + }, + { + "not": { + "field": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings[*].remoteVirtualNetwork.id", + "in": "[parameters('allowedVnets')]" + } + }, + { + "not": { + "field": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings[*].remoteVirtualNetwork.id", + "exists": false + } + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]" + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-VNet-Peering.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-VNet-Peering.json new file mode 100644 index 0000000..bf1536f --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-VNet-Peering.json 
@@ -0,0 +1,46 @@ +{ + "name": "Deny-VNet-Peering", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "All", + "displayName": "Deny vNet peering ", + "description": "This policy denies the creation of vNet Peerings under the assigned scope.", + "metadata": { + "version": "1.0.1", + "category": "Network", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings" + }, + "then": { + "effect": "[parameters('effect')]" + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-ASC-SecurityContacts.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-ASC-SecurityContacts.json new file mode 100644 index 0000000..fc32cb2 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-ASC-SecurityContacts.json 
@@ -0,0 +1,155 @@ +{ + "name": "Deploy-ASC-SecurityContacts", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "All", + "displayName": "Deploy Microsoft Defender for Cloud Security Contacts", + "description": "Deploy Microsoft Defender for Cloud Security Contacts", + "metadata": { + "version": "1.1.0", + "category": "Security Center", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "emailSecurityContact": { + "type": "string", + "metadata": { + "displayName": "Security contacts email address", + "description": "Provide email address for Azure Security Center contact details" + } + }, + "effect": { + "type": "string", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "minimalSeverity": { + "type": "string", + "defaultValue": "High", + "allowedValues": [ + "High", + "Medium", + "Low" + ], + "metadata": { + "displayName": "Minimal severity", + "description": "Defines the minimal alert severity which will be sent as email notifications" + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Resources/subscriptions" + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Security/securityContacts", + "deploymentScope": "subscription", + "existenceScope": "subscription", + "roleDefinitionIds": [ + "/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd" + ], + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Security/securityContacts/email", + "contains": "[parameters('emailSecurityContact')]" + }, + { + "field": 
"Microsoft.Security/securityContacts/alertNotifications.minimalSeverity", + "contains": "[parameters('minimalSeverity')]" + }, + { + "field": "type", + "equals": "Microsoft.Security/securityContacts" + }, + { + "field": "Microsoft.Security/securityContacts/alertNotifications", + "equals": "On" + }, + { + "field": "Microsoft.Security/securityContacts/alertsToAdmins", + "equals": "On" + } + ] + }, + "deployment": { + "location": "northeurope", + "properties": { + "mode": "incremental", + "parameters": { + "emailSecurityContact": { + "value": "[parameters('emailSecurityContact')]" + }, + "minimalSeverity": { + "value": "[parameters('minimalSeverity')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "emailSecurityContact": { + "type": "string", + "metadata": { + "description": "Security contacts email address" + } + }, + "minimalSeverity": { + "type": "string", + "metadata": { + "description": "Minimal severity level reported" + } + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Security/securityContacts", + "name": "default", + "apiVersion": "2020-01-01-preview", + "properties": { + "emails": "[parameters('emailSecurityContact')]", + "notificationsByRole": { + "state": "On", + "roles": [ + "Owner" + ] + }, + "alertNotifications": { + "state": "On", + "minimalSeverity": "[parameters('minimalSeverity')]" + } + } + } + ], + "outputs": {} + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Budget.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Budget.json new file mode 100644 index 0000000..127bdb0 --- /dev/null 
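Review bot: The `existenceCondition` in Deploy-ASC-SecurityContacts compares the contact address with `contains`, so an existing contact that merely includes the configured string as a substring (constructed example: `soc@example.com` inside `notsoc@example.com`) is reported compliant and the remediation never runs. If a single address is expected, `"equals": "[parameters('emailSecurityContact')]"` is the stricter check, and the `minimalSeverity` comparison can use `equals` as well since its allowed values are fixed. The condition also reads the aliases `email`, `alertNotifications` and `alertsToAdmins`, while the template deployed with `2020-01-01-preview` sets `emails`, `alertNotifications.state` and `notificationsByRole`. It is worth verifying that those aliases resolve against what the deployment creates, otherwise the subscription would stay non-compliant after remediation.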
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Budget.json 
@@ -0,0 +1,238 @@ +{ + "name": "Deploy-Budget", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "All", + "displayName": "Deploy a default budget on all subscriptions under the assigned scope", + "description": "Deploy a default budget on all subscriptions under the assigned scope", + "metadata": { + "version": "1.1.0", + "category": "Budget", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "description": "Enable or disable the execution of the policy" + } + }, + "budgetName": { + "type": "String", + "defaultValue": "budget-set-by-policy", + "metadata": { + "description": "The name for the budget to be created" + } + }, + "amount": { + "type": "String", + "defaultValue": "1000", + "metadata": { + "description": "The total amount of cost or usage to track with the budget" + } + }, + "timeGrain": { + "type": "String", + "defaultValue": "Monthly", + "allowedValues": [ + "Monthly", + "Quarterly", + "Annually", + "BillingMonth", + "BillingQuarter", + "BillingAnnual" + ], + "metadata": { + "description": "The time covered by a budget. Tracking of the amount will be reset based on the time grain." + } + }, + "firstThreshold": { + "type": "String", + "defaultValue": "90", + "metadata": { + "description": "Threshold value associated with a notification. Notification is sent when the cost exceeded the threshold. It is always percent and has to be between 0 and 1000." + } + }, + "secondThreshold": { + "type": "String", + "defaultValue": "100", + "metadata": { + "description": "Threshold value associated with a notification. Notification is sent when the cost exceeded the threshold. 
It is always percent and has to be between 0 and 1000." + } + }, + "contactRoles": { + "type": "Array", + "defaultValue": [ + "Owner", + "Contributor" + ], + "metadata": { + "description": "The list of contact RBAC roles, in an array, to send the budget notification to when the threshold is exceeded." + } + }, + "contactEmails": { + "type": "Array", + "defaultValue": [], + "metadata": { + "description": "The list of email addresses, in an array, to send the budget notification to when the threshold is exceeded." + } + }, + "contactGroups": { + "type": "Array", + "defaultValue": [], + "metadata": { + "description": "The list of action groups, in an array, to send the budget notification to when the threshold is exceeded. It accepts array of strings." + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Resources/subscriptions" + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Consumption/budgets", + "deploymentScope": "subscription", + "existenceScope": "subscription", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Consumption/budgets/amount", + "equals": "[parameters('amount')]" + }, + { + "field": "Microsoft.Consumption/budgets/timeGrain", + "equals": "[parameters('timeGrain')]" + }, + { + "field": "Microsoft.Consumption/budgets/category", + "equals": "Cost" + } + ] + }, + "roleDefinitionIds": [ + "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c" + ], + "deployment": { + "location": "northeurope", + "properties": { + "mode": "Incremental", + "parameters": { + "budgetName": { + "value": "[parameters('budgetName')]" + }, + "amount": { + "value": "[parameters('amount')]" + }, + "timeGrain": { + "value": "[parameters('timeGrain')]" + }, + "firstThreshold": { + "value": "[parameters('firstThreshold')]" + }, + "secondThreshold": { + "value": "[parameters('secondThreshold')]" + }, + "contactEmails": { + "value": 
"[parameters('contactEmails')]" + }, + "contactRoles": { + "value": "[parameters('contactRoles')]" + }, + "contactGroups": { + "value": "[parameters('contactGroups')]" + } + }, + "template": { + "$schema": "http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json", + "contentVersion": "1.0.0.0", + "parameters": { + "budgetName": { + "type": "String" + }, + "amount": { + "type": "String" + }, + "timeGrain": { + "type": "String" + }, + "firstThreshold": { + "type": "String" + }, + "secondThreshold": { + "type": "String" + }, + "contactEmails": { + "type": "Array" + }, + "contactRoles": { + "type": "Array" + }, + "contactGroups": { + "type": "Array" + }, + "startDate": { + "type": "String", + "defaultValue": "[concat(utcNow('MM'), '/01/', utcNow('yyyy'))]" + } + }, + "resources": [ + { + "type": "Microsoft.Consumption/budgets", + "apiVersion": "2019-10-01", + "name": "[parameters('budgetName')]", + "properties": { + "timePeriod": { + "startDate": "[parameters('startDate')]" + }, + "timeGrain": "[parameters('timeGrain')]", + "amount": "[parameters('amount')]", + "category": "Cost", + "notifications": { + "NotificationForExceededBudget1": { + "enabled": true, + "operator": "GreaterThan", + "threshold": "[parameters('firstThreshold')]", + "contactEmails": "[parameters('contactEmails')]", + "contactRoles": "[parameters('contactRoles')]", + "contactGroups": "[parameters('contactGroups')]" + }, + "NotificationForExceededBudget2": { + "enabled": true, + "operator": "GreaterThan", + "threshold": "[parameters('secondThreshold')]", + "contactEmails": "[parameters('contactEmails')]", + "contactRoles": "[parameters('contactRoles')]", + "contactGroups": "[parameters('contactGroups')]" + } + } + } + } + ] + } + } + } + } + } + } + } +} \ No newline at end of file 
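Review bot: `roleDefinitionIds` in Deploy-Budget assigns `b24988ac-6180-42a0-ab88-20f7382dd24c`, the built-in Contributor role, to the remediation identity on every subscription in scope, although the template only creates a `Microsoft.Consumption/budgets` resource. A cost-management-scoped role would keep that managed identity from being able to change arbitrary resources, e.g. `"/providers/Microsoft.Authorization/roleDefinitions/<cost-management-contributor-role-id>"` with the placeholder replaced by the built-in role's ID. In addition, `existenceCondition` checks only `amount`, `timeGrain` and `category`, so any Cost budget with matching values counts as compliant regardless of its name, thresholds or contacts; a sentence in `description` saying so would help whoever reads the compliance report.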
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Custom-Route-Table.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Custom-Route-Table.json new file mode 100644 index 0000000..29bef0f --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Custom-Route-Table.json 
@@ -0,0 +1,213 @@ +{ + "name": "Deploy-Custom-Route-Table", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy a route table with specific user defined routes", + "description": "Deploys a route table with specific user defined routes when one does not exist. The route table deployed by the policy must be manually associated to subnet(s)", + "metadata": { + "version": "1.0.0", + "category": "Network", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists" + }, + "requiredRoutes": { + "type": "Array", + "metadata": { + "displayName": "requiredRoutes", + "description": "Routes that must exist in compliant route tables deployed by this policy" + } + }, + "vnetRegion": { + "type": "String", + "metadata": { + "displayName": "vnetRegion", + "description": "Only VNets in this region will be evaluated against this policy" + } + }, + "routeTableName": { + "type": "String", + "metadata": { + "displayName": "routeTableName", + "description": "Name of the route table automatically deployed by this policy" + } + }, + "disableBgpPropagation": { + "type": "Boolean", + "metadata": { + "displayName": "DisableBgpPropagation", + "description": "Disable BGP Propagation" + }, + "defaultValue": false + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/virtualNetworks" + }, + { + "field": "location", + "equals": "[parameters('vnetRegion')]" + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": 
"Microsoft.Network/routeTables", + "existenceCondition": { + "allOf": [ + { + "field": "name", + "equals": "[parameters('routeTableName')]" + }, + { + "count": { + "field": "Microsoft.Network/routeTables/routes[*]", + "where": { + "value": "[concat(current('Microsoft.Network/routeTables/routes[*].addressPrefix'), ';', current('Microsoft.Network/routeTables/routes[*].nextHopType'), if(equals(toLower(current('Microsoft.Network/routeTables/routes[*].nextHopType')),'virtualappliance'), concat(';', current('Microsoft.Network/routeTables/routes[*].nextHopIpAddress')), ''))]", + "in": "[parameters('requiredRoutes')]" + } + }, + "equals": "[length(parameters('requiredRoutes'))]" + } + ] + }, + "roleDefinitionIds": [ + "/subscriptions/e867a45d-e513-44ac-931e-4741cef80b24/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7" + ], + "deployment": { + "properties": { + "mode": "incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "routeTableName": { + "type": "string" + }, + "vnetRegion": { + "type": "string" + }, + "requiredRoutes": { + "type": "array" + }, + "disableBgpPropagation": { + "type": "bool" + } + }, + "variables": { + "copyLoop": [ + { + "name": "routes", + "count": "[[length(parameters('requiredRoutes'))]", + "input": { + "name": "[[concat('route-',copyIndex('routes'))]", + "properties": { + "addressPrefix": "[[split(parameters('requiredRoutes')[copyIndex('routes')], ';')[0]]", + "nextHopType": "[[split(parameters('requiredRoutes')[copyIndex('routes')], ';')[1]]", + "nextHopIpAddress": "[[if(equals(toLower(split(parameters('requiredRoutes')[copyIndex('routes')], ';')[1]),'virtualappliance'),split(parameters('requiredRoutes')[copyIndex('routes')], ';')[2], null())]" + } + } + } + ] + }, + "resources": [ + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2021-04-01", + "name": "routeTableDepl", 
+ "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "routeTableName": { + "type": "string" + }, + "vnetRegion": { + "type": "string" + }, + "requiredRoutes": { + "type": "array" + }, + "disableBgpPropagation": { + "type": "bool" + } + }, + "resources": [ + { + "type": "Microsoft.Network/routeTables", + "apiVersion": "2021-02-01", + "name": "[[parameters('routeTableName')]", + "location": "[[parameters('vnetRegion')]", + "properties": { + "disableBgpRoutePropagation": "[[parameters('disableBgpPropagation')]", + "copy": "[variables('copyLoop')]" + } + } + ] + }, + "parameters": { + "routeTableName": { + "value": "[parameters('routeTableName')]" + }, + "vnetRegion": { + "value": "[parameters('vnetRegion')]" + }, + "requiredRoutes": { + "value": "[parameters('requiredRoutes')]" + }, + "disableBgpPropagation": { + "value": "[parameters('disableBgpPropagation')]" + } + } + } + } + ] + }, + "parameters": { + "routeTableName": { + "value": "[parameters('routeTableName')]" + }, + "vnetRegion": { + "value": "[parameters('vnetRegion')]" + }, + "requiredRoutes": { + "value": "[parameters('requiredRoutes')]" + }, + "disableBgpPropagation": { + "value": "[parameters('disableBgpPropagation')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-DDoSProtection.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-DDoSProtection.json new file mode 100644 index 0000000..8525513 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-DDoSProtection.json 
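Review bot: `roleDefinitionIds` in Deploy-Custom-Route-Table is written as a subscription-scoped path with a fixed subscription GUID (`/subscriptions/e867a45d-e513-44ac-931e-4741cef80b24/providers/...`), unlike every other definition in this patch, which uses the tenant-level form. That ties the role reference to one specific subscription and publishes its ID, and role assignment for the remediation identity may not resolve elsewhere. The same role is referenced portably in Deploy-DDoSProtection, so the line can become `"/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7"`. The inner template also uses a single-bracket `"copy": "[variables('copyLoop')]"` next to `[[`-escaped expressions, which deserves a check that it is evaluated in the intended scope.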
@@ -0,0 +1,150 @@ +{ + "name": "Deploy-DDoSProtection", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "All", + "displayName": "Deploy an Azure DDoS Network Protection", + "description": "Deploys an Azure DDoS Network Protection", + "metadata": { + "version": "1.0.1", + "category": "Network", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "ddosName": { + "type": "String", + "metadata": { + "displayName": "ddosName", + "description": "DDoSVnet" + } + }, + "ddosRegion": { + "type": "String", + "metadata": { + "displayName": "ddosRegion", + "description": "DDoSVnet location", + "strongType": "location" + } + }, + "rgName": { + "type": "String", + "metadata": { + "displayName": "rgName", + "description": "Provide name for resource group." + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Resources/subscriptions" + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Network/ddosProtectionPlans", + "deploymentScope": "subscription", + "existenceScope": "resourceGroup", + "resourceGroupName": "[parameters('rgName')]", + "name": "[parameters('ddosName')]", + "roleDefinitionIds": [ + "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7" + ], + "deployment": { + "location": "northeurope", + "properties": { + "mode": "Incremental", + "parameters": { + "rgName": { + "value": "[parameters('rgName')]" + }, + "ddosname": { + "value": "[parameters('ddosname')]" + }, + 
"ddosregion": { + "value": "[parameters('ddosRegion')]" + } + }, + "template": { + "$schema": "http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json", + "contentVersion": "1.0.0.0", + "parameters": { + "rgName": { + "type": "String" + }, + "ddosname": { + "type": "String" + }, + "ddosRegion": { + "type": "String" + } + }, + "resources": [ + { + "type": "Microsoft.Resources/resourceGroups", + "apiVersion": "2018-05-01", + "name": "[parameters('rgName')]", + "location": "[deployment().location]", + "properties": {} + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2018-05-01", + "name": "ddosprotection", + "resourceGroup": "[parameters('rgName')]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/resourceGroups/', parameters('rgName'))]" + ], + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json", + "contentVersion": "1.0.0.0", + "parameters": {}, + "resources": [ + { + "type": "Microsoft.Network/ddosProtectionPlans", + "apiVersion": "2019-12-01", + "name": "[parameters('ddosName')]", + "location": "[parameters('ddosRegion')]", + "properties": {} + } + ], + "outputs": {} + } + } + } + ], + "outputs": {} + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-AA.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-AA.json new file mode 100644 index 0000000..fee8ee2 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-AA.json 
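Review bot: The resource group in Deploy-DDoSProtection is created with `"location": "[deployment().location]"`, and the deployment location is hard-coded to `northeurope`, so the group lands there regardless of `ddosRegion`, although `alzCloudEnvironments` also lists `AzureChinaCloud` and `AzureUSGovernment`. Using `"location": "[parameters('ddosRegion')]"` for the resource group keeps it alongside the plan, and the hard-coded deployment location presumably needs a per-cloud value or a note in `description`. The same `northeurope` constant appears in the Deploy-ASC-SecurityContacts and Deploy-Budget hunks. Parameter casing is also inconsistent (`ddosName` / `ddosname`, `ddosRegion` / `ddosregion`); it likely works only because the names are matched case-insensitively, and one spelling throughout would be easier to audit.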
@@ -0,0 +1,201 @@ +{ + "name": "Deploy-Diagnostics-AA", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Automation to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Automation to stream to a Log Analytics workspace when any Automation which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ 
+ "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Automation/automationAccounts" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Automation/automationAccounts/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "timeGrain": null, + "enabled": 
"[parameters('metricsEnabled')]", + "retentionPolicy": { + "enabled": false, + "days": 0 + } + } + ], + "logs": [ + { + "category": "JobLogs", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "JobStreams", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "DscNodeStatus", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "AuditEvent", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-ACI.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-ACI.json new file mode 100644 index 0000000..2ab193d --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-ACI.json 
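Review bot: The `existenceCondition` in Deploy-Diagnostics-AA hard-codes `"equals": "true"` for `logs.enabled` and `metrics.enabled`, while the deployed setting takes both values from the `logsEnabled` and `metricsEnabled` parameters. An assignment that sets either parameter to `False` deploys a setting that can never satisfy the condition, so the resource stays non-compliant after each remediation. Comparing against the parameters, `"equals": "[parameters('logsEnabled')]"` and `"equals": "[parameters('metricsEnabled')]"`, keeps the check and the deployment in agreement. The same pattern is in the Deploy-Diagnostics-ACI, Deploy-Diagnostics-ACR and Deploy-Diagnostics-APIMgmt hunks below. Note that `logsEnabled` also gates the `AuditEvent` category, so `description` should say that disabling logs drops audit events from the workspace.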
@@ -0,0 +1,162 @@ +{ + "name": "Deploy-Diagnostics-ACI", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Container Instances to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Container Instances to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy willset the diagnostic with all metrics enabled.", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": 
"Microsoft.ContainerInstance/containerGroups" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.ContainerInstance/containerGroups/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": 
"[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-ACR.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-ACR.json new file mode 100644 index 0000000..fac00d2 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-ACR.json 
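Review bot: The `description` of Deploy-Diagnostics-ACI was evidently copied from the Container Registry definition: it says the setting is deployed "when any ACR which is missing this diagnostic settings is created or updated" and contains the typo "willset". Suggested wording: `"Deploys the diagnostic settings for Container Instances to stream to a Log Analytics workspace when any Container Instance that is missing these diagnostic settings is created or updated. The policy will set the diagnostic with all metrics enabled."`. The template sets `"logs": []`, so only metrics reach the workspace; the description should say that explicitly so nobody relies on this policy for container log collection.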
@@ -0,0 +1,193 @@ +{ + "name": "Deploy-Diagnostics-ACR", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Container Registry to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Container Registry to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics enabled.", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + 
"True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.ContainerRegistry/registries" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.ContainerRegistry/registries/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + 
"retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "category": "ContainerRegistryLoginEvents", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "ContainerRegistryRepositoryEvents", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-APIMgmt.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-APIMgmt.json new file mode 100644 index 0000000..9ffe640 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-APIMgmt.json 
@@ -0,0 +1,212 @@ +{ + "name": "Deploy-Diagnostics-APIMgmt", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for API Management to Log Analytics workspace", + "description": "Deploys the diagnostic settings for API Management to stream to a Log Analytics workspace when any API Management which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.2.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "logAnalyticsDestinationType": { + "type": "String", + "metadata": { + "displayName": "Log Analytics destination type", + "description": "Select destination type for Log Analytics. Allowed values are 'Dedicated' (resource specific) and 'AzureDiagnostics'. 
Default is 'AzureDiagnostics'" + }, + "defaultValue": "AzureDiagnostics", + "allowedValues": [ + "AzureDiagnostics", + "Dedicated" + ] + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.ApiManagement/service" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": 
"Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "logAnalyticsDestinationType": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.ApiManagement/service/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "category": "GatewayLogs", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "WebSocketConnectionLogs", + "enabled": "[parameters('logsEnabled')]" + } + ], + "logAnalyticsDestinationType": "[parameters('logAnalyticsDestinationType')]" + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "logAnalyticsDestinationType": { + "value": "[parameters('logAnalyticsDestinationType')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file 
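Review bot: The `existenceCondition` compares `logs.enabled` and `metrics.enabled` with the literal `"true"`, while the nested template sets those flags from `parameters('logsEnabled')` and `parameters('metricsEnabled')`. An assignment that sets either parameter to `False` deploys a setting that can never satisfy the condition, so every API Management instance stays non-compliant and each remediation run redeploys the same setting, which hides genuine logging gaps in the compliance view. Comparing against the parameters keeps evaluation and deployment in step: `"equals": "[parameters('logsEnabled')]"` and `"equals": "[parameters('metricsEnabled')]"`. The same literal comparison appears in the other Deploy-Diagnostics definitions on this page (ContainerRegistry, AVDScalingPlans, AnalysisService, ApiForFHIR, ApplicationGateway, Bastion, CDNEndpoints).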
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-AVDScalingPlans.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-AVDScalingPlans.json
new file mode 100644
index 0000000..631957e
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-AVDScalingPlans.json
@@ -0,0 +1,154 @@
+{
+ "name": "Deploy-Diagnostics-AVDScalingPlans",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "mode": "Indexed",
+ "displayName": "Deploy Diagnostic Settings for AVD Scaling Plans to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for AVD Scaling Plans to stream to a Log Analytics workspace when any Scaling Plan which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all and categorys enabled.",
+ "metadata": {
+ "version": "1.1.0",
+ "category": "Monitoring",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud"
+ ]
+ },
+ "parameters": {
+ "logAnalytics": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Log Analytics workspace",
+ "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.",
+ "strongType": "omsWorkspace"
+ }
+ },
+ "effect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ },
+ "profileName": {
+ "type": "String",
+ "defaultValue": "setbypolicy",
+ "metadata": {
+ "displayName": "Profile name",
+ "description": "The diagnostic settings profile name"
+ }
+ },
+ "logsEnabled": {
+ "type": "String",
+ "defaultValue": "True",
+ "allowedValues": [
+ "True",
+ "False"
+ ],
+ "metadata": {
+ "displayName": "Enable logs",
+ "description": "Whether to enable logs stream to the Log Analytics workspace - True or False"
+ }
+ }
+ },
+ "policyRule": {
+ "if": {
+ "field": "type",
+ "equals": "Microsoft.DesktopVirtualization/scalingplans"
+ },
+ "then": {
+ "effect": "[parameters('effect')]",
+ "details": {
+ "type": "Microsoft.Insights/diagnosticSettings",
+ "name": "[parameters('profileName')]",
+ "existenceCondition": {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
+ "equals": "true"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
+ "equals": "[parameters('logAnalytics')]"
+ }
+ ]
+ },
+ "roleDefinitionIds": [
+ "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
+ "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
+ ],
+ "deployment": {
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "resourceName": {
+ "type": "String"
+ },
+ "logAnalytics": {
+ "type": "String"
+ },
+ "location": {
+ "type": "String"
+ },
+ "profileName": {
+ "type": "String"
+ },
+ "logsEnabled": {
+ "type": "String"
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.DesktopVirtualization/scalingplans/providers/diagnosticSettings",
+ "apiVersion": "2017-05-01-preview",
+ "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
+ "location": "[parameters('location')]",
+ "dependsOn": [],
+ "properties": {
+ "workspaceId": "[parameters('logAnalytics')]",
+ "logs": [
+ {
+ "category": "Autoscale",
+ "enabled": "[parameters('logsEnabled')]"
+ }
+ ]
+ }
+ }
+ ],
+ "outputs": {}
+ },
+ "parameters": {
+ "logAnalytics": {
+ "value": "[parameters('logAnalytics')]"
+ },
+ "location": {
+ "value": "[field('location')]"
+ },
+ "resourceName": {
+ "value": "[field('name')]"
+ },
+ "profileName": {
+ "value": "[parameters('profileName')]"
+ },
+ "logsEnabled": {
+ "value": "[parameters('logsEnabled')]"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+}
\ No newline at end of file
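Review bot: The `description` string ends with "The Policy will set the diagnostic with all and categorys enabled.", which is garbled and does not describe what the nested template deploys. The template has no `metrics` block and enables a single log category, `Autoscale`. This text is what an assigner reads when deciding whether the policy covers their logging requirement, so it should state the actual coverage, for example `The Policy will set the diagnostic with the Autoscale log category enabled.`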
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-AnalysisService.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-AnalysisService.json
new file mode 100644
index 0000000..0b69918
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-AnalysisService.json
@@ -0,0 +1,193 @@ +{ + "name": "Deploy-Diagnostics-AnalysisService", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Analysis Services to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Analysis Services to stream to a Log Analytics workspace when any Analysis Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.AnalysisServices/servers" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + 
"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.AnalysisServices/servers/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "category": "Engine", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "Service", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file 
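Review bot: `roleDefinitionIds` lists two bare role GUIDs, so nothing in the definition tells a reviewer what the assignment's managed identity will be allowed to do. As far as I know `749f88d5-cbae-40b8-bcfc-e573ddc772fa` is Monitoring Contributor and `92aaf0da-9dab-42b6-94a3-d43ce8d16293` is Log Analytics Contributor; both are granted at the assignment scope and both cover considerably more than writing one diagnostic setting. It is worth confirming the IDs and naming the roles where assigners will read them, since JSON has no comments, for example by appending to `description`: `The remediation identity is granted Monitoring Contributor and Log Analytics Contributor at the assignment scope.` The same pair is used by every Deploy-Diagnostics definition on this page.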
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-ApiForFHIR.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-ApiForFHIR.json
new file mode 100644
index 0000000..3c43b2d
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-ApiForFHIR.json
@@ -0,0 +1,189 @@ +{ + "name": "Deploy-Diagnostics-ApiForFHIR", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Azure API for FHIR to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Azure API for FHIR to stream to a Log Analytics workspace when any Azure API for FHIR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.HealthcareApis/services" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + 
"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.HealthcareApis/services/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "category": "AuditLogs", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file 
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-ApplicationGateway.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-ApplicationGateway.json
new file mode 100644
index 0000000..4362a33
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-ApplicationGateway.json
@@ -0,0 +1,197 @@ +{ + "name": "Deploy-Diagnostics-ApplicationGateway", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Application Gateway to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Application Gateway to stream to a Log Analytics workspace when any Application Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Network/applicationGateways" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + 
"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Network/applicationGateways/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "category": "ApplicationGatewayAccessLog", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "ApplicationGatewayPerformanceLog", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "ApplicationGatewayFirewallLog", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file 
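Review bot: The `logs` array in the nested template enables three categories by name, and the `existenceCondition` checks only the generic `logs.enabled` field, never which categories are on. Two gaps seem to follow from that, though I have not confirmed how the alias evaluates per category. A category the resource provider adds later would never be switched on by this policy, and a pre-existing setting named `setbypolicy` that lacks `ApplicationGatewayFirewallLog` may still evaluate as compliant. If the resource type supports category groups on a newer diagnosticSettings API version, one entry such as `{ "categoryGroup": "allLogs", "enabled": "[parameters('logsEnabled')]" }` avoids the hard-coded list. Failing that, the `description` should name the three categories, so that "all metrics and category enabled" is not read as full coverage.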
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-Bastion.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-Bastion.json
new file mode 100644
index 0000000..8958c29
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-Bastion.json
@@ -0,0 +1,189 @@ +{ + "name": "Deploy-Diagnostics-Bastion", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Azure Bastion to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Azure Bastion to stream to a Log Analytics workspace when any Azure Bastion which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + 
"allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Network/bastionHosts" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Network/bastionHosts/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + 
"retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "category": "BastionAuditLogs", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-CDNEndpoints.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-CDNEndpoints.json new file mode 100644 index 0000000..618a4d6 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-CDNEndpoints.json 
@@ -0,0 +1,157 @@ +{ + "name": "Deploy-Diagnostics-CDNEndpoints", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for CDN Endpoint to Log Analytics workspace", + "description": "Deploys the diagnostic settings for CDN Endpoint to stream to a Log Analytics workspace when any CDN Endpoint which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": 
"Microsoft.Cdn/profiles/endpoints" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Cdn/profiles/endpoints/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [], + "logs": [ + { + "category": "CoreAnalytics", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('fullName')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} 
\ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-CognitiveServices.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-CognitiveServices.json new file mode 100644 index 0000000..fbf8a0e --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-CognitiveServices.json 
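Review bot: The `existenceCondition` in Deploy-Diagnostics-CDNEndpoints compares `Microsoft.Insights/diagnosticSettings/logs.enabled` with the literal `"true"`, while the deployed template takes its value from `logsEnabled`, which also allows `False`. An assignment that sets `logsEnabled` to `False` deploys a setting the condition can never match, so the endpoint stays non-compliant and each remediation redeploys the same setting; the compliance state then stops being a usable signal for whether logs reach the workspace. Comparing against the parameter keeps the two in step: `"equals": "[parameters('logsEnabled')]"`. The same literal comparison appears in the CognitiveServices, CosmosDB, DLAnalytics, DataExplorerCluster and DataFactory definitions later in this patch, where the `metrics.enabled` check would likewise read `"equals": "[parameters('metricsEnabled')]"`. The description here also promises "all metrics" while the template sends `"metrics": []`, so its wording should be narrowed to logs only.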
@@ -0,0 +1,197 @@ +{ + "name": "Deploy-Diagnostics-CognitiveServices", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Cognitive Services to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Cognitive Services to stream to a Log Analytics workspace when any Cognitive Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.CognitiveServices/accounts" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + 
"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.CognitiveServices/accounts/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "category": "Audit", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "RequestResponse", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "Trace", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file 
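Review bot: The `logs` array in Deploy-Diagnostics-CognitiveServices names `Audit`, `RequestResponse` and `Trace` one by one, so a category the service adds later is not collected, and the `existenceCondition` does not look at categories, so the resource would still evaluate as compliant. For a policy whose purpose is audit coverage that is a silent gap, and the description's "all metrics and category enabled" holds only for the list as written in this version. If the resource type supports category groups, a newer diagnosticSettings API version accepts `{ "categoryGroup": "allLogs", "enabled": "[parameters('logsEnabled')]" }` in place of the per-category entries; that needs checking per resource type before moving `apiVersion` off `2017-05-01-preview`. The CosmosDB, DLAnalytics, DataExplorerCluster and DataFactory definitions later in this patch use the same fixed-list pattern.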
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-CosmosDB.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-CosmosDB.json
new file mode 100644
index 0000000..7979a23
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-CosmosDB.json
@@ -0,0 +1,217 @@ +{ + "name": "Deploy-Diagnostics-CosmosDB", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Cosmos DB to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Cosmos DB to stream to a Log Analytics workspace when any Cosmos DB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + 
"allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.DocumentDB/databaseAccounts" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.DocumentDB/databaseAccounts/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "Requests", + "enabled": "[parameters('metricsEnabled')]", + 
"retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "category": "DataPlaneRequests", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "MongoRequests", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "QueryRuntimeStatistics", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "PartitionKeyStatistics", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "PartitionKeyRUConsumption", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "ControlPlaneRequests", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "CassandraRequests", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "GremlinRequests", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-DLAnalytics.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-DLAnalytics.json new file mode 100644 index 0000000..43e223d --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-DLAnalytics.json 
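Review bot: `roleDefinitionIds` in Deploy-Diagnostics-CosmosDB lists two bare role GUIDs, and nothing in the definition says which roles the assignment's managed identity receives from them. They appear to be Monitoring Contributor (`749f88d5-cbae-40b8-bcfc-e573ddc772fa`) and Log Analytics Contributor (`92aaf0da-9dab-42b6-94a3-d43ce8d16293`); that mapping should be confirmed against the role definitions before it is written down. Since JSON has no comments, I would append a sentence to `description`, e.g. `The policy assignment's managed identity is granted Monitoring Contributor and Log Analytics Contributor at the assignment scope.`, so anyone assigning this at a management group can see the privilege being handed out. The same pair is repeated in every Deploy-Diagnostics definition in this patch; if these files are synced from the upstream named in `metadata.source`, the sentence may belong in this repository's docs instead.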
@@ -0,0 +1,193 @@ +{ + "name": "Deploy-Diagnostics-DLAnalytics", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Data Lake Analytics to stream to a Log Analytics workspace when any Data Lake Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.DataLakeAnalytics/accounts" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + 
"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.DataLakeAnalytics/accounts/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "category": "Audit", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "Requests", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file 
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-DataExplorerCluster.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-DataExplorerCluster.json
new file mode 100644
index 0000000..8faad53
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-DataExplorerCluster.json
@@ -0,0 +1,213 @@ +{ + "name": "Deploy-Diagnostics-DataExplorerCluster", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Azure Data Explorer Cluster to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Azure Data Explorer Cluster to stream to a Log Analytics workspace when any Azure Data Explorer Cluster which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Kusto/Clusters" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + 
"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Kusto/Clusters/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "category": "SucceededIngestion", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "FailedIngestion", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "IngestionBatching", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "Command", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "Query", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "TableUsageStatistics", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "TableDetails", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": 
"[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-DataFactory.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-DataFactory.json new file mode 100644 index 0000000..fe5aa77 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-DataFactory.json 
@@ -0,0 +1,229 @@ +{ + "name": "Deploy-Diagnostics-DataFactory", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Data Factory to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Data Factory to stream to a Log Analytics workspace when any Data Factory which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.2.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + 
"allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.DataFactory/factories" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.DataFactory/factories/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + 
"retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "category": "ActivityRuns", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "PipelineRuns", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "TriggerRuns", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "SSISPackageEventMessages", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "SSISPackageExecutableStatistics", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "SSISPackageEventMessageContext", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "SSISPackageExecutionComponentPhases", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "SSISPackageExecutionDataStatistics", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "SSISIntegrationRuntimeLogs", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "SandboxPipelineRuns", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "SandboxActivityRuns", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-Databricks.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-Databricks.json new file mode 100644 index 0000000..b93b48b --- /dev/null 
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-Databricks.json 
@@ -0,0 +1,272 @@ +{ + "name": "Deploy-Diagnostics-Databricks", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Databricks to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Databricks to stream to a Log Analytics workspace when any Databricks which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.3.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": 
"Microsoft.Databricks/workspaces" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Databricks/workspaces/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "logs": [ + { + "category": "dbfs", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "clusters", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "accounts", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "jobs", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "notebook", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "ssh", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "workspace", + 
"enabled": "[parameters('logsEnabled')]" + }, + { + "category": "secrets", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "sqlPermissions", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "instancePools", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "sqlanalytics", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "genie", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "globalInitScripts", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "iamRole", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "mlflowExperiment", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "featureStore", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "RemoteHistoryService", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "mlflowAcledArtifact", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "databrickssql", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "deltaPipelines", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "modelRegistry", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "repos", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "unityCatalog", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "gitCredentials", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "webTerminal", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "serverlessRealTimeInference", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "clusterLibraries", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "partnerHub", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "clamAVScan", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "capsule8Dataplane", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + 
"parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-EventGridSub.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-EventGridSub.json new file mode 100644 index 0000000..c77b4eb --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-EventGridSub.json 
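Review bot: The `existenceCondition` compares `Microsoft.Insights/diagnosticSettings/logs.enabled` with the literal `"true"`, while the `logsEnabled` parameter also allows `False`; with that value the deployed setting can never satisfy the condition, so the workspace stays non-compliant and remediation keeps redeploying. Comparing against the parameter keeps evaluation and deployment in step: `"equals": "[parameters('logsEnabled')]"`. The same literal appears in the `logs.enabled` and `metrics.enabled` conditions of the EventGridSub, EventGridSystemTopic, EventGridTopic, ExpressRoute and Firewall definitions in this patch. Separately, the condition only checks that logs are enabled, so it probably cannot tell whether audit-relevant categories such as `secrets` or `ssh` are among the enabled ones.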
@@ -0,0 +1,162 @@ +{ + "name": "Deploy-Diagnostics-EventGridSub", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Event Grid subscriptions to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Event Grid subscriptions to stream to a Log Analytics workspace when any Event Grid subscriptions which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.EventGrid/eventSubscriptions" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + 
"type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.EventGrid/eventSubscriptions/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-EventGridSystemTopic.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-EventGridSystemTopic.json new file mode 100644 index 0000000..51ed84a --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-EventGridSystemTopic.json 
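Review bot: The `description` promises "all metrics and category enabled", but the deployed template sets `"logs": []`, so only `AllMetrics` is streamed and no log category reaches the workspace. The text should say so, for example `"description": "Deploys a diagnostic setting that streams AllMetrics for Event Grid subscriptions to a Log Analytics workspace; no log categories are configured."`. It is also worth confirming that `"mode": "Indexed"` evaluates `Microsoft.EventGrid/eventSubscriptions` at all: that mode is documented as covering resource types that support tags and location, and event subscriptions look like extension resources, in which case the policy would report nothing rather than non-compliance.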
@@ -0,0 +1,189 @@ +{ + "name": "Deploy-Diagnostics-EventGridSystemTopic", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Event Grid System Topic to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Event Grid System Topic to stream to a Log Analytics workspace when any Event Grid System Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.EventGrid/systemTopics" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + 
"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.EventGrid/systemTopics/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "category": "DeliveryFailures", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file 
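Review bot: `roleDefinitionIds` lists two bare GUIDs, so someone approving an assignment cannot see from the definition which privileges the remediation identity receives. They read as the built-in Monitoring Contributor and Log Analytics Contributor roles, in that order; confirm against the role catalogue before recording it. Policy JSON has no comment syntax, so the names belong in `metadata` or at the end of the `description`, e.g. `Remediation identity roles: Monitoring Contributor, Log Analytics Contributor.` It would also help to state whether both are required to write a single diagnostic setting, since the second is a broad grant at assignment scope. The same pair is used by every Deploy-Diagnostics definition visible in this patch.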
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-EventGridTopic.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-EventGridTopic.json
new file mode 100644
index 0000000..5990ef9
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-EventGridTopic.json
@@ -0,0 +1,197 @@ +{ + "name": "Deploy-Diagnostics-EventGridTopic", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Event Grid Topic to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Event Grid Topic to stream to a Log Analytics workspace when any Event Grid Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.2.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.EventGrid/topics" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + 
"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.EventGrid/topics/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "category": "DeliveryFailures", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "PublishFailures", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "DataPlaneRequests", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file 
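Review bot: The `logs` array enumerates three categories by name against `"apiVersion": "2017-05-01-preview"`, so any category the service adds later is silently left out of the workspace until someone edits this definition. Newer diagnostic-settings API versions accept category groups; where `Microsoft.EventGrid/topics` supports them, a single entry `{ "categoryGroup": "allLogs", "enabled": "[parameters('logsEnabled')]" }` with `"apiVersion": "2021-05-01-preview"` avoids that drift. If the explicit list is kept on purpose, the `description` should stop claiming that every category is enabled. The Databricks and Firewall definitions in this patch carry much longer hand-maintained lists with the same exposure.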
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-ExpressRoute.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-ExpressRoute.json
new file mode 100644
index 0000000..25aa362
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-ExpressRoute.json
@@ -0,0 +1,189 @@ +{ + "name": "Deploy-Diagnostics-ExpressRoute", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for ExpressRoute to Log Analytics workspace", + "description": "Deploys the diagnostic settings for ExpressRoute to stream to a Log Analytics workspace when any ExpressRoute which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + 
"allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Network/expressRouteCircuits" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Network/expressRouteCircuits/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": 
"[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "category": "PeeringRouteLog", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-Firewall.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-Firewall.json new file mode 100644 index 0000000..01d780d --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-Firewall.json 
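Review bot: The embedded template's `$schema` is an `http://` URI for the 2015-01-01 deployment-template schema, where current templates reference the schema over HTTPS at a newer revision. Suggested line: `"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#"`. As far as I know the identifier is not fetched during deployment, so this is a consistency and tooling point rather than a functional one. It applies to every definition visible in this patch.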
@@ -0,0 +1,264 @@ +{ + "name": "Deploy-Diagnostics-Firewall", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Firewall to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Firewall to stream to a Log Analytics workspace when any Firewall which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.2.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "logAnalyticsDestinationType": { + "type": "String", + "metadata": { + "displayName": "Log Analytics destination type", + "description": "Select destination type for Log Analytics. Allowed values are 'Dedicated' (resource specific) and 'AzureDiagnostics'. 
Default is 'AzureDiagnostics'" + }, + "defaultValue": "AzureDiagnostics", + "allowedValues": [ + "AzureDiagnostics", + "Dedicated" + ] + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Network/azureFirewalls" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": 
"Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "logAnalyticsDestinationType": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Network/azureFirewalls/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "logAnalyticsDestinationType": "[parameters('logAnalyticsDestinationType')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "category": "AzureFirewallApplicationRule", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "AzureFirewallNetworkRule", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "AzureFirewallDnsProxy", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "AZFWNetworkRule", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "AZFWApplicationRule", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "AZFWNatRule", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "AZFWThreatIntel", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "AZFWIdpsSignature", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "AZFWDnsQuery", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "AZFWFqdnResolveFailure", + 
"enabled": "[parameters('logsEnabled')]" + }, + { + "category": "AZFWApplicationRuleAggregation", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "AZFWNetworkRuleAggregation", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "AZFWNatRuleAggregation", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "AZFWFatFlow", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "AZFWFlowTrace", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "logAnalyticsDestinationType": { + "value": "[parameters('logAnalyticsDestinationType')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-FrontDoor.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-FrontDoor.json new file mode 100644 index 0000000..d7fa9f3 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-FrontDoor.json 
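Review bot: `logAnalyticsDestinationType` is written by the template but never checked in `existenceCondition`, so an existing `setbypolicy` setting with the other destination type still counts as compliant and changing the parameter on an assignment will not trigger remediation. If the provider exposes an alias for that property, add an `allOf` entry that compares it with `[parameters('logAnalyticsDestinationType')]`; otherwise say in the parameter's `description` that the value only applies to newly created settings. Because the template enables both the `AzureFirewall*` and the `AZFW*` categories, queries and detections written for one table layout depend on which destination type actually landed, which makes this unchecked drift worth closing.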
@@ -0,0 +1,193 @@ +{ + "name": "Deploy-Diagnostics-FrontDoor", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Front Door to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Front Door to stream to a Log Analytics workspace when any Front Door which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + 
"allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Network/frontDoors" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Network/frontDoors/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + 
"retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "category": "FrontdoorAccessLog", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "FrontdoorWebApplicationFirewallLog", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-Function.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-Function.json new file mode 100644 index 0000000..bcde0b9 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-Function.json 
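Review bot: The `existenceCondition` compares `logs.enabled` and `metrics.enabled` with the literal `"true"`, while the deployed template takes both values from `logsEnabled` and `metricsEnabled`. An assignment that sets either parameter to `False` can therefore never satisfy the condition it has just deployed. The resource would stay non-compliant and be redeployed on every remediation, and that permanent noise makes real gaps in log coverage harder to spot. I would tie the condition to the parameters, `"equals": "[parameters('logsEnabled')]"` and `"equals": "[parameters('metricsEnabled')]"`, after confirming that the string parameter compares as expected against the boolean alias. The same literal appears in the Function, LoadBalancer, LogAnalytics and MariaDB definitions, and for the single flag exposed in HDInsight and LogicAppsISE.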
@@ -0,0 +1,197 @@ +{ + "name": "Deploy-Diagnostics-Function", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Azure Function App to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Azure Function App to stream to a Log Analytics workspace when any function app which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Web/sites" + }, + { + "value": "[field('kind')]", + "contains": "functionapp" + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + 
"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Web/sites/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "category": "FunctionAppLogs", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file 
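Review bot: `roleDefinitionIds` grants the assignment's managed identity two built-in roles by bare GUID, and nothing in the definition names them. As far as I can tell `749f88d5-cbae-40b8-bcfc-e573ddc772fa` is Monitoring Contributor and `92aaf0da-9dab-42b6-94a3-d43ce8d16293` is Log Analytics Contributor; please confirm. Both are granted at the assignment scope, so a management-group assignment gives this identity write access to monitoring configuration and workspaces across everything beneath it. I would record the role names where an assigner will see them, for example by appending `Requires Monitoring Contributor and Log Analytics Contributor for the assignment's managed identity.` to `description`, and check whether both roles are really needed to write a diagnostic setting. The same pair is repeated in every Deploy-Diagnostics definition in this patch.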
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-HDInsight.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-HDInsight.json
new file mode 100644
index 0000000..b2a779e
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-HDInsight.json
@@ -0,0 +1,162 @@ +{ + "name": "Deploy-Diagnostics-HDInsight", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for HDInsight to Log Analytics workspace", + "description": "Deploys the diagnostic settings for HDInsight to stream to a Log Analytics workspace when any HDInsight which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": 
"Microsoft.HDInsight/clusters" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.HDInsight/clusters/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": 
{ + "value": "[parameters('metricsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-LoadBalancer.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-LoadBalancer.json new file mode 100644 index 0000000..6989855 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-LoadBalancer.json 
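Review bot: The template deploys `"logs": []` and the definition has no `logsEnabled` parameter, yet the description says the policy sets the diagnostic "with all metrics and category enabled". A cluster therefore reports compliant as soon as `AllMetrics` is on, with no resource logs reaching the workspace. If HDInsight exposes no log categories through diagnostic settings (I have not confirmed this), the description should say so, e.g. `The Policy enables the AllMetrics category only; no log categories are configured.` Otherwise the categories should be listed as in the sibling definitions.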
@@ -0,0 +1,193 @@ +{ + "name": "Deploy-Diagnostics-LoadBalancer", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Load Balancer to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Load Balancer to stream to a Log Analytics workspace when any Load Balancer which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Network/loadBalancers" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + 
"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Network/loadBalancers/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "timeGrain": null, + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "enabled": false, + "days": 0 + } + } + ], + "logs": [ + { + "category": "LoadBalancerAlertEvent", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "LoadBalancerProbeHealthStatus", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file 
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-LogAnalytics.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-LogAnalytics.json
new file mode 100644
index 0000000..bf6d6c2
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-LogAnalytics.json
@@ -0,0 +1,189 @@ +{ + "name": "Deploy-Diagnostics-LogAnalytics", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Log Analytics to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Log Analytics workspaces to stream to a Log Analytics workspace when any Log Analytics workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "microsoft.operationalinsights/workspaces" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + 
"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "microsoft.operationalinsights/workspaces/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "category": "Audit", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file 
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-LogicAppsISE.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-LogicAppsISE.json
new file mode 100644
index 0000000..1d56282
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-LogicAppsISE.json
@@ -0,0 +1,157 @@ +{ + "name": "Deploy-Diagnostics-LogicAppsISE", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Logic Apps integration service environment to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Logic Apps integration service environment to stream to a Log Analytics workspace when any Logic Apps integration service environment which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Logic/integrationAccounts" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" 
+ }, + "profileName": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Logic/integrationAccounts/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [], + "logs": [ + { + "category": "IntegrationAccountTrackingEvents", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-MariaDB.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-MariaDB.json new file mode 100644 index 0000000..773ef7f --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-MariaDB.json 
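Review bot: The `if` block matches `Microsoft.Logic/integrationAccounts`, but the name, display name and description all say "integration service environment", which is a different resource type. As written, integration service environments get no diagnostic setting from this policy, and anyone reading the compliance view by name would assume they do. If integration accounts are the intended target, the display name should say so, e.g. `"displayName": "Deploy Diagnostic Settings for Logic Apps integration account to Log Analytics workspace"`. The description's "all metrics" also does not match the template's `"metrics": []`.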
@@ -0,0 +1,193 @@ +{ + "name": "Deploy-Diagnostics-MariaDB", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for MariaDB to Log Analytics workspace", + "description": "Deploys the diagnostic settings for MariaDB to stream to a Log Analytics workspace when any MariaDB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + 
"True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.DBforMariaDB/servers" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.DBforMariaDB/servers/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, 
+ "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "category": "MySqlSlowLogs", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "MySqlAuditLogs", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-MediaService.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-MediaService.json new file mode 100644 index 0000000..c98506e --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-MediaService.json 
@@ -0,0 +1,189 @@ +{ + "name": "Deploy-Diagnostics-MediaService", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Azure Media Service to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Azure Media Service to stream to a Log Analytics workspace when any Azure Media Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Media/mediaServices" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + 
"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Media/mediaServices/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "category": "KeyDeliveryRequests", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file 
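Review bot: `roleDefinitionIds` is the only place that states what the assignment's managed identity may do, and the file gives no hint of which roles the two GUIDs are or why both are needed. I read `749f88d5-cbae-40b8-bcfc-e573ddc772fa` as Monitoring Contributor and `92aaf0da-9dab-42b6-94a3-d43ce8d16293` as Log Analytics Contributor; both are granted at the assignment scope, which is much wider than the one `Microsoft.Insights/diagnosticSettings` write the template performs. JSON has no comments, so I would record this next to the definitions, for example a README line such as `Deploy-Diagnostics-* grant Monitoring Contributor and Log Analytics Contributor to the assignment identity at assignment scope`, and check in a test assignment whether the second role is still required when the workspace lies inside that scope. The same pair is repeated in every Deploy-Diagnostics hunk on this page.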
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-MlWorkspace.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-MlWorkspace.json
new file mode 100644
index 0000000..6df9c24
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-MlWorkspace.json
@@ -0,0 +1,288 @@ +{ + "name": "Deploy-Diagnostics-MlWorkspace", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Machine Learning workspace to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Machine Learning workspace to stream to a Log Analytics workspace when any Machine Learning workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.2.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.MachineLearningServices/workspaces" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + 
"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.MachineLearningServices/workspaces/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "enabled": false, + "days": 0 + } + } + ], + "logs": [ + { + "category": "AmlComputeClusterEvent", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "AmlComputeClusterNodeEvent", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "AmlComputeJobEvent", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "AmlComputeCpuGpuUtilization", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "AmlRunStatusChangedEvent", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "ModelsChangeEvent", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "ModelsReadEvent", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "ModelsActionEvent", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "DeploymentReadEvent", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": 
"DeploymentEventACI", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "DeploymentEventAKS", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "InferencingOperationAKS", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "InferencingOperationACI", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "DataLabelChangeEvent", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "DataLabelReadEvent", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "ComputeInstanceEvent", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "DataStoreChangeEvent", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "DataStoreReadEvent", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "DataSetChangeEvent", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "DataSetReadEvent", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "PipelineChangeEvent", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "PipelineReadEvent", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "RunEvent", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "RunReadEvent", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "EnvironmentChangeEvent", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "EnvironmentReadEvent", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file 
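Review bot: The `logs` array hard-codes 26 category names against `apiVersion` `2017-05-01-preview`, so any category the service adds later is not collected, and the workspace still evaluates as compliant because the `existenceCondition` only looks at `logs.enabled`. If the workspace type exposes category groups (worth confirming for each cloud listed in `alzCloudEnvironments`), the list can be replaced by `{ "categoryGroup": "allLogs", "enabled": "[parameters('logsEnabled')]" }` with `"apiVersion": "2021-05-01-preview"` on the diagnostic setting. If the explicit list has to stay, a sentence in `description` saying that the category list is a snapshot would tell operators to re-check it on upgrades.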
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-MySQL.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-MySQL.json
new file mode 100644
index 0000000..1048f2f
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-MySQL.json
@@ -0,0 +1,193 @@ +{ + "name": "Deploy-Diagnostics-MySQL", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Database for MySQL to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Database for MySQL to stream to a Log Analytics workspace when any Database for MySQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.DBforMySQL/servers" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + 
"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.DBforMySQL/servers/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "category": "MySqlSlowLogs", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "MySqlAuditLogs", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file 
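Review bot: The `if` block matches only `Microsoft.DBforMySQL/servers`, so MySQL flexible servers are never evaluated and get no diagnostic setting, whereas the PostgreSQL definition later in this patch matches both `servers` and `flexibleServers`. Extend the rule with an `anyOf` over both types, pass `field('type')` into the deployment, and select the matching diagnostic-settings resource with a `condition`. The sketch below assumes flexible servers expose the same `MySqlSlowLogs` and `MySqlAuditLogs` categories; confirm that before merging.

```json
"if": {
  "anyOf": [
    { "field": "type", "equals": "Microsoft.DBforMySQL/servers" },
    { "field": "type", "equals": "Microsoft.DBforMySQL/flexibleServers" }
  ]
},
// … unchanged: "then" effect, existenceCondition, roleDefinitionIds …
"parameters": {
  "resourceType": { "type": "String" },
  // … unchanged: resourceName, logAnalytics, location, profileName, metricsEnabled, logsEnabled …
},
"resources": [
  {
    "condition": "[equals(parameters('resourceType'), 'Microsoft.DBforMySQL/servers')]",
    "type": "Microsoft.DBforMySQL/servers/providers/diagnosticSettings",
    // … unchanged: apiVersion, name, location, properties …
  },
  {
    "condition": "[equals(parameters('resourceType'), 'Microsoft.DBforMySQL/flexibleServers')]",
    "type": "Microsoft.DBforMySQL/flexibleServers/providers/diagnosticSettings",
    // … same apiVersion, name, location and properties as the first resource …
  }
],
// … unchanged: outputs …
"parameters": {
  "resourceType": { "value": "[field('type')]" },
  // … unchanged: the other deployment parameter values …
}
```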
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-NIC.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-NIC.json
new file mode 100644
index 0000000..daca6b4
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-NIC.json
@@ -0,0 +1,161 @@ +{ + "name": "Deploy-Diagnostics-NIC", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Network Interfaces to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Network Interfaces to stream to a Log Analytics workspace when any Network Interfaces which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Network/networkInterfaces" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + 
"type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Network/networkInterfaces/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "timeGrain": null, + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "enabled": false, + "days": 0 + } + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-NetworkSecurityGroups.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-NetworkSecurityGroups.json new file mode 100644 index 0000000..e784336 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-NetworkSecurityGroups.json 
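Review bot: The `description` of the NIC definition promises "all metrics and category enabled", but the template in this hunk sets only the `AllMetrics` entry and has no `logs` array or `logsEnabled` parameter. Anyone reading the assignment would assume log collection that this definition does not configure. I would end the description with `The policy enables the AllMetrics category only.` instead. The NetworkSecurityGroups hunk has the mirror-image mismatch: `"metrics": []` with two log categories under the same sentence.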
@@ -0,0 +1,161 @@ +{ + "name": "Deploy-Diagnostics-NetworkSecurityGroups", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Network Security Groups to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Network Security Groups to stream to a Log Analytics workspace when any Network Security Groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Network/networkSecurityGroups" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": 
"String" + }, + "profileName": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Network/networkSecurityGroups/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [], + "logs": [ + { + "category": "NetworkSecurityGroupEvent", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "NetworkSecurityGroupRuleCounter", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-PostgreSQL.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-PostgreSQL.json new file mode 100644 index 0000000..82b1ba7 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-PostgreSQL.json 
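Review bot: The two categories enabled in the NetworkSecurityGroups definition, `NetworkSecurityGroupEvent` and `NetworkSecurityGroupRuleCounter`, record which rules were applied and how often; they carry no per-flow records. Flow data comes from NSG flow logs, which are configured through Network Watcher and are not touched by this definition, so a compliant result here should not be read as network traffic logging being in place. I would say so in `description`, for example `Does not enable NSG flow logs; those are configured separately through Network Watcher.`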
@@ -0,0 +1,240 @@ +{ + "name": "Deploy-Diagnostics-PostgreSQL", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Database for PostgreSQL to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Database for PostgreSQL to stream to a Log Analytics workspace when any Database for PostgreSQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "2.0.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "anyOf": [ + { + "field": "type", + "equals": "Microsoft.DBforPostgreSQL/flexibleServers" + }, + { + "field": "type", + "equals": "Microsoft.DBforPostgreSQL/servers" + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + 
"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "resourceType": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "condition": "[startsWith(parameters('resourceType'),'Microsoft.DBforPostgreSQL/flexibleServers')]", + "type": "Microsoft.DBforPostgreSQL/flexibleServers/providers/diagnosticSettings", + "apiVersion": "2021-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "category": "PostgreSQLLogs", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + }, + { + "condition": "[startsWith(parameters('resourceType'),'Microsoft.DBforPostgreSQL/servers')]", + "type": "Microsoft.DBforPostgreSQL/servers/providers/diagnosticSettings", + "apiVersion": "2021-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", 
+ "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "category": "PostgreSQLLogs", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "QueryStoreRuntimeStatistics", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "QueryStoreWaitStatistics", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "resourceType": { + "value": "[field('type')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-PowerBIEmbedded.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-PowerBIEmbedded.json new file mode 100644 index 0000000..e3988db --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-PowerBIEmbedded.json 
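Review bot: The `existenceCondition` compares `logs.enabled` and `metrics.enabled` with the literal `"true"`, while the deployed template takes both values from `logsEnabled` and `metricsEnabled`. An assignment that sets either parameter to `False` therefore cannot satisfy the condition, so it would likely stay non-compliant and be remediated again on each evaluation. Comparing against the parameters keeps the check and the deployment in step: `"equals": "[parameters('logsEnabled')]"` and `"equals": "[parameters('metricsEnabled')]"`. The same literal appears in the PowerBIEmbedded, RedisCache, Relay, SQLElasticPools and SQLMI definitions in this patch. Separately, the `flexibleServers` resource enables only `PostgreSQLLogs` while the `servers` resource enables three categories, which does not obviously match the description's "all metrics and category enabled"; it is worth confirming which categories flexible servers expose.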
@@ -0,0 +1,189 @@ +{ + "name": "Deploy-Diagnostics-PowerBIEmbedded", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Power BI Embedded to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Power BI Embedded to stream to a Log Analytics workspace when any Power BI Embedded which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.PowerBIDedicated/capacities" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + 
"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.PowerBIDedicated/capacities/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "category": "Engine", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file 
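Review bot: `roleDefinitionIds` gives the assignment's managed identity two roles at assignment scope, although the template writes a single `diagnosticSettings` child resource that points at a workspace. The GUIDs appear to be the built-in Monitoring Contributor and Log Analytics Contributor. Log Analytics Contributor in particular allows far more than creating a diagnostic setting, so the reason both are required should be recorded where an assigner will see it. JSON has no comments, so one option is a sentence in `description` such as `"The remediation identity is granted Monitoring Contributor and Log Analytics Contributor at the assignment scope."` It is also worth evaluating whether a narrower custom role would be enough. The same list is repeated in every Deploy-Diagnostics definition in this patch, and since `metadata.source` points at an upstream repository the change may belong there.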
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-RedisCache.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-RedisCache.json
new file mode 100644
index 0000000..44f70db
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-RedisCache.json
@@ -0,0 +1,162 @@ +{ + "name": "Deploy-Diagnostics-RedisCache", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Redis Cache to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Redis Cache to stream to a Log Analytics workspace when any Redis Cache which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": 
"Microsoft.Cache/redis" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Cache/redis/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": 
"[parameters('metricsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-Relay.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-Relay.json new file mode 100644 index 0000000..f8595c8 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-Relay.json 
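Review bot: The template deploys `"logs": []` and defines no `logsEnabled` parameter, so this policy sends metrics only, yet the `description` says the setting is created "with all metrics and category enabled". Anyone relying on the description would assume Redis resource logs reach the workspace when none are configured here. If log categories are intended, they need to be listed in `logs` and checked in `existenceCondition`. Otherwise the description should be narrowed, e.g. `"The Policy will set the diagnostic with all metrics enabled"`. The SQLElasticPools definition in this patch has the same `"logs": []` and the same wording.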
@@ -0,0 +1,189 @@ +{ + "name": "Deploy-Diagnostics-Relay", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Relay to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Relay to stream to a Log Analytics workspace when any Relay which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + 
"False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Relay/namespaces" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Relay/namespaces/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": 
false + }, + "timeGrain": null + } + ], + "logs": [ + { + "category": "HybridConnectionsEvent", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-SQLElasticPools.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-SQLElasticPools.json new file mode 100644 index 0000000..2cf6fe6 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-SQLElasticPools.json 
@@ -0,0 +1,162 @@ +{ + "name": "Deploy-Diagnostics-SQLElasticPools", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for SQL Elastic Pools to Log Analytics workspace", + "description": "Deploys the diagnostic settings for SQL Elastic Pools to stream to a Log Analytics workspace when any SQL Elastic Pools which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Sql/servers/elasticPools" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + 
"type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Sql/servers/elasticPools/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('fullName')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-SQLMI.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-SQLMI.json new file mode 100644 index 0000000..d838026 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-SQLMI.json 
@@ -0,0 +1,164 @@ +{ + "name": "Deploy-Diagnostics-SQLMI", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for SQL Managed Instances to Log Analytics workspace", + "description": "Deploys the diagnostic settings for SQL Managed Instances to stream to a Log Analytics workspace when any SQL Managed Instances which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Sql/managedInstances" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, 
+ "profileName": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Sql/managedInstances/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "logs": [ + { + "category": "ResourceUsageStats", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "SQLSecurityAuditEvents", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "DevOpsOperationsAudit", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-SignalR.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-SignalR.json new file mode 100644 index 0000000..e9a395c --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-SignalR.json 
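Review bot: The `existenceCondition` requires only `logs.enabled` to be `true` and the workspace to match, so it does not pin the `SQLSecurityAuditEvents` category that the template enables. Whether a `setbypolicy` setting with that audit category turned off would still be reported compliant depends on how the `logs.enabled` alias is evaluated across categories, and is worth testing before treating this policy as an audit-logging control. The description also promises "all metrics", but the template has no `metrics` block and no `metricsEnabled` parameter. The wording should be narrowed to logs, e.g. `"The Policy will set the diagnostic with the listed log categories enabled"`.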
@@ -0,0 +1,185 @@ +{ + "name": "Deploy-Diagnostics-SignalR", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for SignalR to Log Analytics workspace", + "description": "Deploys the diagnostic settings for SignalR to stream to a Log Analytics workspace when any SignalR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + 
"True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.SignalRService/SignalR" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SignalRService/SignalR/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "category": 
"AllLogs", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-TimeSeriesInsights.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-TimeSeriesInsights.json new file mode 100644 index 0000000..ca3dfcc --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-TimeSeriesInsights.json 
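Review bot: The `existenceCondition` of Deploy-Diagnostics-SignalR tests only `Microsoft.Insights/diagnosticSettings/metrics.enabled` and `workspaceId`, although the template in the same hunk also configures the `AllLogs` category from `logsEnabled`. A setting with the expected profile name that streams metrics to the workspace but has logs switched off would therefore be reported as compliant and never remediated, leaving a log-collection gap the compliance view does not show. The TimeSeriesInsights, TrafficManager and VNetGW definitions in this patch carry the extra clause; adding `{ "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", "equals": "true" }` to the `allOf` would bring SignalR in line with them.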
@@ -0,0 +1,193 @@ +{ + "name": "Deploy-Diagnostics-TimeSeriesInsights", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Time Series Insights to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Time Series Insights to stream to a Log Analytics workspace when any Time Series Insights which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.TimeSeriesInsights/environments" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + 
"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.TimeSeriesInsights/environments/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "category": "Ingress", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "Management", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file 
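Review bot: The `existenceCondition` compares `logs.enabled` and `metrics.enabled` with the literal `"true"`, while the template sets both from the `logsEnabled` and `metricsEnabled` parameters, whose `allowedValues` include `"False"`. An assignment made with either parameter set to `False` deploys a setting that can never satisfy the condition, so the resource would presumably stay non-compliant and be picked up again by every remediation run. Comparing against the parameters instead, `"equals": "[parameters('logsEnabled')]"` and `"equals": "[parameters('metricsEnabled')]"`, keeps the check and the template in step. The same literal comparison appears in the SignalR, TrafficManager, VM, VMSS and VNetGW definitions in this patch.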
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-TrafficManager.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-TrafficManager.json
new file mode 100644
index 0000000..2bd6593
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-TrafficManager.json
@@ -0,0 +1,189 @@ +{ + "name": "Deploy-Diagnostics-TrafficManager", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Traffic Manager to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Traffic Manager to stream to a Log Analytics workspace when any Traffic Manager which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Network/trafficManagerProfiles" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + 
"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Network/trafficManagerProfiles/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "category": "ProbeHealthStatusEvents", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file 
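Review bot: The two entries in `roleDefinitionIds` are bare GUIDs, and nothing in the definition tells a reader which roles the remediation identity receives; to my knowledge `749f88d5-cbae-40b8-bcfc-e573ddc772fa` is Monitoring Contributor and `92aaf0da-9dab-42b6-94a3-d43ce8d16293` is Log Analytics Contributor, the role the `logAnalytics` parameter description also mentions. With a DeployIfNotExists effect these roles go to the assignment's managed identity, normally at the assignment scope, which is wider than the single diagnostic-settings write the template performs. It is worth confirming that both roles are required and naming them in the `description`, since strict JSON leaves no place for a comment. The same pair is repeated in the other Deploy-Diagnostics-* definitions in this patch.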
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-VM.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-VM.json
new file mode 100644
index 0000000..fe19ea1
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-VM.json
@@ -0,0 +1,161 @@ +{ + "name": "Deploy-Diagnostics-VM", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Virtual Machines to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Virtual Machines to stream to a Log Analytics workspace when any Virtual Machines which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": 
"Microsoft.Compute/virtualMachines" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Compute/virtualMachines/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "enabled": false, + "days": 0 + } + } + ], + "logs": [] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + 
"value": "[parameters('metricsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-VMSS.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-VMSS.json new file mode 100644 index 0000000..3adea47 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-VMSS.json 
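Review bot: The `description` of Deploy-Diagnostics-VM says the policy sets the diagnostic "with all metrics and category enabled", but the template deploys `"logs": []` and only the `AllMetrics` category, so this definition sends no log data to the workspace. Anyone counting it towards VM logging coverage would be misled, and a compliant result here says nothing about log collection from the machine. The description should state the actual scope, for example `"description": "Deploys a diagnostic setting that streams the AllMetrics category for Virtual Machines to a Log Analytics workspace; no log categories are configured."`. The VMSS definition that follows has the same wording and the same empty `logs` array.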
@@ -0,0 +1,161 @@ +{ + "name": "Deploy-Diagnostics-VMSS", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Virtual Machine Scale Sets to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Virtual Machine Scale Sets to stream to a Log Analytics workspace when any Virtual Machine Scale Sets which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Compute/virtualMachineScaleSets" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { 
+ "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Compute/virtualMachineScaleSets/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "enabled": false, + "days": 0 + } + } + ], + "logs": [] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-VNetGW.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-VNetGW.json new file mode 100644 index 0000000..ac9bd97 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-VNetGW.json 
@@ -0,0 +1,205 @@ +{ + "name": "Deploy-Diagnostics-VNetGW", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for VPN Gateway to Log Analytics workspace", + "description": "Deploys the diagnostic settings for VPN Gateway to stream to a Log Analytics workspace when any VPN Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.", + "metadata": { + "version": "1.1.1", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + 
"allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Network/virtualNetworkGateways" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Network/virtualNetworkGateways/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": 
"[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "category": "GatewayDiagnosticLog", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "IKEDiagnosticLog", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "P2SDiagnosticLog", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "RouteDiagnosticLog", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "TunnelDiagnosticLog", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-VWanS2SVPNGW.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-VWanS2SVPNGW.json new file mode 100644 index 0000000..6d51b75 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-VWanS2SVPNGW.json 
@@ -0,0 +1,201 @@ +{ + "name": "Deploy-Diagnostics-VWanS2SVPNGW", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for VWAN S2S VPN Gateway to Log Analytics workspace", + "description": "Deploys the diagnostic settings for VWAN S2S VPN Gateway to stream to a Log Analytics workspace when any VWAN S2S VPN Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.", + "metadata": { + "version": "1.0.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Network/vpnGateways" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + 
"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Network/vpnGateways/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "category": "GatewayDiagnosticLog", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "IKEDiagnosticLog", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "RouteDiagnosticLog", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "TunnelDiagnosticLog", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file 
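Review bot: The `existenceCondition` compares `logs.enabled` and `metrics.enabled` with the literal `"true"`, while the embedded template sets both from `logsEnabled` and `metricsEnabled`, whose `allowedValues` include `False`. With either parameter set to `False`, the setting this policy deploys can never satisfy its own condition, so the gateway stays non-compliant and every remediation run redeploys the same setting. Comparing against the parameters instead, `"equals": "[parameters('logsEnabled')]"` and `"equals": "[parameters('metricsEnabled')]"`, keeps evaluation in line with what is deployed. The same literal comparison appears in the Deploy-Diagnostics-VirtualNetwork, -WVDAppGroup, -WVDHostPools, -WVDWorkspace and -WebServerFarm definitions in this patch.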
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-VirtualNetwork.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-VirtualNetwork.json new file mode 100644 index 0000000..9dbde3a --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-VirtualNetwork.json 
@@ -0,0 +1,188 @@ +{ + "name": "Deploy-Diagnostics-VirtualNetwork", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Virtual Network to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Virtual Network to stream to a Log Analytics workspace when any Virtual Network which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Network/virtualNetworks" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + 
"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Network/virtualNetworks/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "enabled": false, + "days": 0 + } + } + ], + "logs": [ + { + "category": "VMProtectionAlerts", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file 
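Review bot: `roleDefinitionIds` lists two bare GUIDs, `749f88d5-cbae-40b8-bcfc-e573ddc772fa` and `92aaf0da-9dab-42b6-94a3-d43ce8d16293`, and nothing in the definition says which roles the assignment's managed identity will hold. They look like the built-in Monitoring Contributor and Log Analytics Contributor roles, which should be confirmed. Because JSON cannot carry a comment, naming them in `description` would let a reviewer judge the granted privilege without looking the IDs up, for example by appending `Grants the assignment identity Monitoring Contributor and Log Analytics Contributor.` The same pair is used by the other Deploy-Diagnostics definitions visible in this patch.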
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-WVDAppGroup.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-WVDAppGroup.json new file mode 100644 index 0000000..5db3014 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-WVDAppGroup.json 
@@ -0,0 +1,164 @@ +{ + "name": "Deploy-Diagnostics-WVDAppGroup", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for AVD Application group to Log Analytics workspace", + "description": "Deploys the diagnostic settings for AVD Application group to stream to a Log Analytics workspace when any application group which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all and categorys enabled.", + "metadata": { + "version": "1.1.1", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.DesktopVirtualization/applicationGroups" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + 
"type": "String" + }, + "profileName": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.DesktopVirtualization/applicationGroups/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "logs": [ + { + "category": "Checkpoint", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "Error", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "Management", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-WVDHostPools.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-WVDHostPools.json new file mode 100644 index 0000000..213d020 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-WVDHostPools.json 
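Review bot: The Deploy-Diagnostics-WVDAppGroup `description` ends with `The Policy will set the diagnostic with all and categorys enabled.`, which drops a word and misspells "categories". This definition has no `metricsEnabled` parameter and its template writes only a `logs` array, so `The Policy will set the diagnostic with all log categories enabled.` describes what is actually deployed. The same sentence is repeated in Deploy-Diagnostics-WVDHostPools and Deploy-Diagnostics-WVDWorkspace.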
@@ -0,0 +1,188 @@ +{ + "name": "Deploy-Diagnostics-WVDHostPools", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for AVD Host Pools to Log Analytics workspace", + "description": "Deploys the diagnostic settings for AVD Host Pools to stream to a Log Analytics workspace when any Host Pools which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all and categorys enabled.", + "metadata": { + "version": "1.3.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": 
"Microsoft.DesktopVirtualization/hostpools" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.DesktopVirtualization/hostpools/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "logs": [ + { + "category": "Checkpoint", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "Error", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "Management", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "Connection", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "HostRegistration", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "AgentHealthStatus", + "enabled": 
"[parameters('logsEnabled')]" + }, + { + "category": "NetworkData", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "SessionHostManagement", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "ConnectionGraphicsData", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-WVDWorkspace.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-WVDWorkspace.json new file mode 100644 index 0000000..215102a --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-WVDWorkspace.json 
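Review bot: The `logs` array in the Deploy-Diagnostics-WVDHostPools template names nine host-pool categories one by one, so a category the service adds later is never collected. The `existenceCondition` checks only `logs.enabled` and `workspaceId`, so it will presumably still report the host pool as compliant, leaving a gap in log coverage that nothing flags. If full coverage is the intent behind `description`, consider moving to a newer `diagnosticSettings` API version that accepts `"categoryGroup": "allLogs"` in place of the per-category entries. Otherwise, state in `description` that the category list is fixed as of version 1.3.0 and must be reviewed when the service adds categories.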
@@ -0,0 +1,168 @@ +{ + "name": "Deploy-Diagnostics-WVDWorkspace", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for AVD Workspace to Log Analytics workspace", + "description": "Deploys the diagnostic settings for AVD Workspace to stream to a Log Analytics workspace when any Workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all and categorys enabled.", + "metadata": { + "version": "1.1.1", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": 
"Microsoft.DesktopVirtualization/workspaces" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.DesktopVirtualization/workspaces/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "logs": [ + { + "category": "Checkpoint", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "Error", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "Management", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "Feed", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": 
"[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-WebServerFarm.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-WebServerFarm.json new file mode 100644 index 0000000..ba52b22 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-WebServerFarm.json 
@@ -0,0 +1,162 @@ +{ + "name": "Deploy-Diagnostics-WebServerFarm", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for App Service Plan to Log Analytics workspace", + "description": "Deploys the diagnostic settings for App Service Plan to stream to a Log Analytics workspace when any App Service Plan which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Web/serverfarms" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": 
"String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Web/serverfarms/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-Website.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-Website.json new file mode 100644 index 0000000..af682e6 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-Website.json 
@@ -0,0 +1,266 @@ +{ + "name": "Deploy-Diagnostics-Website", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for App Service to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Web App to stream to a Log Analytics workspace when any Web App which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.2.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ 
+ "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Web/sites" + }, + { + "value": "[field('kind')]", + "notContains": "functionapp" + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "[parameters('logsEnabled')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "[parameters('metricsEnabled')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + }, + "serverFarmId": { + "type": "String" + } + }, + "variables": { + "logs": { + "premiumTierLogs": [ + { + "category": "AppServiceAntivirusScanAuditLogs", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "AppServiceHTTPLogs", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "AppServiceConsoleLogs", + "enabled": "[parameters('logsEnabled')]" + }, + 
{ + "category": "AppServiceAppLogs", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "AppServiceFileAuditLogs", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "AppServiceAuditLogs", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "AppServiceIPSecAuditLogs", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "AppServicePlatformLogs", + "enabled": "[parameters('logsEnabled')]" + } + ], + "otherTierLogs": [ + { + "category": "AppServiceHTTPLogs", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "AppServiceConsoleLogs", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "AppServiceAppLogs", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "AppServiceAuditLogs", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "AppServiceIPSecAuditLogs", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "AppServicePlatformLogs", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + }, + "resources": [ + { + "type": "Microsoft.Web/sites/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": "[if(startsWith(reference(parameters('serverFarmId'), '2021-03-01', 'Full').sku.tier, 'Premium'), variables('logs').premiumTierLogs, variables('logs').otherTierLogs)]" + } + } + ], + "outputs": { + "policy": { + "type": "string", + "value": "[concat(parameters('logAnalytics'), 'configured for diagnostic logs for ', ': ', parameters('resourceName'))]" + } + } + }, + "parameters": { + "logAnalytics": { + "value": 
"[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + }, + "serverFarmId": { + "value": "[field('Microsoft.Web/sites/serverFarmId')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-iotHub.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-iotHub.json new file mode 100644 index 0000000..2ab78fb --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-iotHub.json 
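Review bot: The `existenceCondition` compares `logs.enabled` and `metrics.enabled` with the `logsEnabled` and `metricsEnabled` parameters, so an assignment that sets either to `False` reports a site with no log streaming as compliant. The `description` still promises "all metrics and category enabled". It should state that compliance only means the diagnostic setting matches the assignment's parameters. The `policy` output at the end of the embedded template also joins its pieces without separators; `"value": "[concat(parameters('logAnalytics'), ' configured for diagnostic logs for: ', parameters('resourceName'))]"` reads correctly in the deployment record.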
@@ -0,0 +1,241 @@ +{ + "name": "Deploy-Diagnostics-iotHub", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for IoT Hub to Log Analytics workspace", + "description": "Deploys the diagnostic settings for IoT Hub to stream to a Log Analytics workspace when any IoT Hub which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.1.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + 
"True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Devices/IotHubs" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Devices/IotHubs/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + 
"enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "category": "Connections", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "DeviceTelemetry", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "C2DCommands", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "DeviceIdentityOperations", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "FileUploadOperations", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "Routes", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "D2CTwinOperations", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "C2DTwinOperations", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "TwinQueries", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "JobsOperations", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "DirectMethods", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "DistributedTracing", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "Configurations", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "DeviceStreams", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file 
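Review bot: The `existenceCondition` hard-codes `"equals": "true"` for both `logs.enabled` and `metrics.enabled`, while the template deploys whatever `logsEnabled` and `metricsEnabled` say. With either parameter set to `False` the deployed setting can never satisfy the condition, so every IoT Hub stays non-compliant and each remediation redeploys the same setting. The Website definition in this patch already uses the parameterised form; the same two lines here should read `"equals": "[parameters('logsEnabled')]"` and `"equals": "[parameters('metricsEnabled')]"`.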
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-FirewallPolicy.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-FirewallPolicy.json
new file mode 100644
index 0000000..ede0b6c
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-FirewallPolicy.json
@@ -0,0 +1,167 @@ +{ + "name": "Deploy-FirewallPolicy", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "All", + "displayName": "Deploy Azure Firewall Manager policy in the subscription", + "description": "Deploys Azure Firewall Manager policy in subscription where the policy is assigned.", + "metadata": { + "version": "1.0.0", + "category": "Network", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "fwpolicy": { + "type": "Object", + "metadata": { + "displayName": "fwpolicy", + "description": "Object describing Azure Firewall Policy" + }, + "defaultValue": {} + }, + "fwPolicyRegion": { + "type": "String", + "metadata": { + "displayName": "fwPolicyRegion", + "description": "Select Azure region for Azure Firewall Policy", + "strongType": "location" + } + }, + "rgName": { + "type": "String", + "metadata": { + "displayName": "rgName", + "description": "Provide name for resource group." 
+ } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Resources/subscriptions" + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Network/firewallPolicies", + "deploymentScope": "subscription", + "existenceScope": "resourceGroup", + "resourceGroupName": "[parameters('rgName')]", + "roleDefinitionIds": [ + "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c" + ], + "deployment": { + "location": "northeurope", + "properties": { + "mode": "Incremental", + "parameters": { + "rgName": { + "value": "[parameters('rgName')]" + }, + "fwPolicy": { + "value": "[parameters('fwPolicy')]" + }, + "fwPolicyRegion": { + "value": "[parameters('fwPolicyRegion')]" + } + }, + "template": { + "$schema": "http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json", + "contentVersion": "1.0.0.0", + "parameters": { + "rgName": { + "type": "String" + }, + "fwPolicy": { + "type": "object" + }, + "fwPolicyRegion": { + "type": "String" + } + }, + "resources": [ + { + "type": "Microsoft.Resources/resourceGroups", + "apiVersion": "2018-05-01", + "name": "[parameters('rgName')]", + "location": "[deployment().location]", + "properties": {} + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2018-05-01", + "name": "fwpolicies", + "resourceGroup": "[parameters('rgName')]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/resourceGroups/', parameters('rgName'))]" + ], + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json", + "contentVersion": "1.0.0.0", + "parameters": {}, + 
"variables": {}, + "resources": [ + { + "type": "Microsoft.Network/firewallPolicies", + "apiVersion": "2019-09-01", + "name": "[parameters('fwpolicy').firewallPolicyName]", + "location": "[parameters('fwpolicy').location]", + "dependsOn": [], + "tags": {}, + "properties": {}, + "resources": [ + { + "type": "ruleGroups", + "apiVersion": "2019-09-01", + "name": "[parameters('fwpolicy').ruleGroups.name]", + "dependsOn": [ + "[resourceId('Microsoft.Network/firewallPolicies',parameters('fwpolicy').firewallPolicyName)]" + ], + "properties": { + "priority": "[parameters('fwpolicy').ruleGroups.properties.priority]", + "rules": "[parameters('fwpolicy').ruleGroups.properties.rules]" + } + } + ] + } + ], + "outputs": {} + } + } + } + ], + "outputs": {} + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-MySQL-sslEnforcement.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-MySQL-sslEnforcement.json new file mode 100644 index 0000000..7e7290e --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-MySQL-sslEnforcement.json 
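Review bot: The `details` block has neither `name` nor `existenceCondition`, so any `Microsoft.Network/firewallPolicies` resource already present in `rgName` makes the subscription compliant, whatever rules it carries. Adding `"name": "[parameters('fwpolicy').firewallPolicyName]"` to `details` would at least tie compliance to the policy this definition deploys. `fwPolicyRegion` is passed into the template but never referenced there: the resource group lands in the hard-coded `northeurope` deployment location and the firewall policy in `parameters('fwpolicy').location`, so the region chosen at assignment time has no effect. The remediation identity also receives `b24988ac-6180-42a0-ab88-20f7382dd24c`, which I read as built-in Contributor, at subscription scope; it is worth confirming that no narrower role covers resource-group and firewall-policy creation.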
@@ -0,0 +1,138 @@ +{ + "name": "Deploy-MySQL-sslEnforcement", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Azure Database for MySQL server deploy a specific min TLS version and enforce SSL.", + "description": "Deploy a specific min TLS version requirement and enforce SSL on Azure Database for MySQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.", + "metadata": { + "version": "1.0.0", + "category": "SQL", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect minimum TLS version Azure Database for MySQL server", + "description": "Enable or disable the execution of the policy minimum TLS version Azure Database for MySQL server" + } + }, + "minimalTlsVersion": { + "type": "String", + "defaultValue": "TLS1_2", + "allowedValues": [ + "TLS1_2", + "TLS1_0", + "TLS1_1", + "TLSEnforcementDisabled" + ], + "metadata": { + "displayName": "Select version minimum TLS for MySQL server", + "description": "Select version minimum TLS version Azure Database for MySQL server to enforce" + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.DBforMySQL/servers" + }, + { + "anyOf": [ + { + "field": "Microsoft.DBforMySQL/servers/sslEnforcement", + "notEquals": "Enabled" + }, + { + "field": 
"Microsoft.DBforMySQL/servers/minimalTlsVersion", + "notequals": "[parameters('minimalTlsVersion')]" + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.DBforMySQL/servers", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.DBforMySQL/servers/sslEnforcement", + "equals": "Enabled" + }, + { + "field": "Microsoft.DBforMySQL/servers/minimalTlsVersion", + "equals": "[parameters('minimalTlsVersion')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "minimalTlsVersion": { + "type": "String" + }, + "location": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.DBforMySQL/servers", + "apiVersion": "2017-12-01", + "name": "[concat(parameters('resourceName'))]", + "location": "[parameters('location')]", + "properties": { + "sslEnforcement": "[if(equals(parameters('minimalTlsVersion'), 'TLSEnforcementDisabled'),'Disabled', 'Enabled')]", + "minimalTlsVersion": "[parameters('minimalTlsVersion')]" + } + } + ], + "outputs": {} + }, + "parameters": { + "resourceName": { + "value": "[field('name')]" + }, + "minimalTlsVersion": { + "value": "[parameters('minimalTlsVersion')]" + }, + "location": { + "value": "[field('location')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Nsg-FlowLogs-to-LA.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Nsg-FlowLogs-to-LA.json new file mode 100644 index 0000000..055961f --- /dev/null 
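Review bot: `roleDefinitionIds` grants the remediation identity `8e3af657-a8ff-443c-a75c-2fe8c4bcb635`, the built-in Owner role, just to change two properties on `Microsoft.DBforMySQL/servers`. Owner carries role-assignment rights, so a narrower role should be used: either the Contributor ID `b24988ac-6180-42a0-ab88-20f7382dd24c` that other definitions in this patch use, or a custom role limited to server writes. `minimalTlsVersion` also allows `TLS1_0`, `TLS1_1` and `TLSEnforcementDisabled`. With the last value the template sets `sslEnforcement` to `Disabled`, which the `existenceCondition` (`"equals": "Enabled"`) can never accept, so such an assignment would switch SSL enforcement off and still report every server as non-compliant. Restricting `allowedValues` to `TLS1_2` would match the policy's stated purpose.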
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Nsg-FlowLogs-to-LA.json 
@@ -0,0 +1,234 @@ +{ + "name": "Deploy-Nsg-FlowLogs-to-LA", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "[Deprecated] Deploys NSG flow logs and traffic analytics to Log Analytics", + "description": "[Deprecated] Deprecated by built-in policy. Deploys NSG flow logs and traffic analytics to Log Analytics with a specified retention period.", + "metadata": { + "deprecated": true, + "version": "1.1.0-deprecated", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "retention": { + "type": "Integer", + "metadata": { + "displayName": "Retention" + }, + "defaultValue": 5 + }, + "interval": { + "type": "Integer", + "metadata": { + "displayName": "Traffic Analytics processing interval mins (10/60)" + }, + "defaultValue": 60 + }, + "workspace": { + "type": "String", + "metadata": { + "strongType": "omsWorkspace", + "displayName": "Resource ID of Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID." 
+ }, + "defaultValue": "" + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/networkSecurityGroups" + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Network/networkWatchers/flowlogs", + "name": "[if(empty(coalesce(field('Microsoft.Network/networkSecurityGroups/flowLogs[*].id'))), 'null/null', concat(split(first(field('Microsoft.Network/networkSecurityGroups/flowLogs[*].id')), '/')[8], '/', split(first(field('Microsoft.Network/networkSecurityGroups/flowLogs[*].id')), '/')[10]))]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Network/networkWatchers/flowLogs/enabled", + "equals": "true" + } + ] + }, + "existenceScope": "resourceGroup", + "roleDefinitionIds": [ + "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7", + "/providers/Microsoft.Authorization/roleDefinitions/81a9662b-bebf-436f-a333-f67b29880f12", + "/providers/Microsoft.Authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293", + "/providers/Microsoft.Authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab", + "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c" + ], + "resourceGroupName": "[if(empty(coalesce(field('Microsoft.Network/networkSecurityGroups/flowLogs'))), 'NetworkWatcherRG', split(first(field('Microsoft.Network/networkSecurityGroups/flowLogs[*].id')), '/')[4])]", + "deploymentScope": "subscription", + "deployment": { + "location": "northeurope", + "properties": { + "mode": "Incremental", + "parameters": { + "location": { + "value": "[field('location')]" + }, + "networkSecurityGroup": { + "value": "[field('id')]" + }, + "workspace": 
{ + "value": "[parameters('workspace')]" + }, + "retention": { + "value": "[parameters('retention')]" + }, + "interval": { + "value": "[parameters('interval')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "location": { + "type": "String" + }, + "networkSecurityGroup": { + "type": "String" + }, + "workspace": { + "type": "String" + }, + "retention": { + "type": "int" + }, + "interval": { + "type": "int" + }, + "time": { + "type": "String", + "defaultValue": "[utcNow()]" + } + }, + "variables": { + "resourceGroupName": "[split(parameters('networkSecurityGroup'), '/')[4]]", + "securityGroupName": "[split(parameters('networkSecurityGroup'), '/')[8]]", + "storageAccountName": "[concat('es', uniqueString(variables('securityGroupName'), parameters('time')))]" + }, + "resources": [ + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-10-01", + "name": "[concat(variables('resourceGroupName'), '.', variables('securityGroupName'))]", + "resourceGroup": "[variables('resourceGroupName')]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "type": "Microsoft.Storage/storageAccounts", + "apiVersion": "2019-06-01", + "name": "[variables('storageAccountName')]", + "location": "[parameters('location')]", + "properties": {}, + "kind": "StorageV2", + "sku": { + "name": "Standard_LRS", + "tier": "Standard" + } + } + ] + } + } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-10-01", + "name": "[concat('NetworkWatcherRG', '.', variables('securityGroupName'))]", + "resourceGroup": "NetworkWatcherRG", + "properties": { + "mode": "Incremental", + "template": { + "$schema": 
"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "type": "Microsoft.Network/networkWatchers", + "apiVersion": "2020-05-01", + "name": "[concat('NetworkWatcher_', toLower(parameters('location')))]", + "location": "[parameters('location')]", + "properties": {}, + "resources": [ + { + "type": "flowLogs", + "apiVersion": "2019-11-01", + "name": "[concat(variables('securityGroupName'), '-Network-flowlog')]", + "location": "[parameters('location')]", + "properties": { + "enabled": true, + "format": { + "type": "JSON", + "version": 2 + }, + "retentionPolicy": { + "days": "[parameters('retention')]", + "enabled": true + }, + "flowAnalyticsConfiguration": { + "networkWatcherFlowAnalyticsConfiguration": { + "enabled": true, + "trafficAnalyticsInterval": "[parameters('interval')]", + "workspaceResourceId": "[parameters('workspace')]" + } + }, + "storageId": "[concat(subscription().id, '/resourceGroups/', variables('resourceGroupName'), '/providers/Microsoft.Storage/storageAccounts/', variables('storageAccountName'))]", + "targetResourceId": "[parameters('networkSecurityGroup')]" + }, + "dependsOn": [ + "[concat('NetworkWatcher_', toLower(parameters('location')))]" + ] + } + ] + } + ] + } + }, + "dependsOn": [ + "[concat(variables('resourceGroupName'), '.', variables('securityGroupName'))]" + ] + } + ], + "outputs": {} + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Nsg-FlowLogs.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Nsg-FlowLogs.json new file mode 100644 index 0000000..2a504dd --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Nsg-FlowLogs.json 
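Review bot: The storage account that receives the flow logs is created with `"properties": {}`, so transport security and blob public access fall back to the platform defaults for API version `2019-06-01`, even though the account holds network traffic metadata. I would set them explicitly: `"properties": { "supportsHttpsOnly": true, "minimumTlsVersion": "TLS1_2", "allowBlobPublicAccess": false }`. Because `storageAccountName` is derived from `utcNow()`, each remediation run appears to create a new account rather than reuse one, which is worth confirming. The definition's own metadata marks it as deprecated, so moving assignments to the built-in policy may be preferable to hardening it here.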
@@ -0,0 +1,196 @@ +{ + "name": "Deploy-Nsg-FlowLogs", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "[Deprecated] Deploys NSG flow logs and traffic analytics", + "description": "[Deprecated] Deprecated by built-in policy. Deploys NSG flow logs and traffic analytics to a storageaccountid with a specified retention period.", + "metadata": { + "deprecated": true, + "version": "1.0.0-deprecated", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "retention": { + "type": "Integer", + "metadata": { + "displayName": "Retention" + }, + "defaultValue": 5 + }, + "storageAccountResourceId": { + "type": "String", + "metadata": { + "displayName": "Storage Account Resource Id", + "strongType": "Microsoft.Storage/storageAccounts" + } + }, + "trafficAnalyticsInterval": { + "type": "Integer", + "metadata": { + "displayName": "Traffic Analytics processing interval mins (10/60)" + }, + "defaultValue": 60 + }, + "flowAnalyticsEnabled": { + "type": "Boolean", + "metadata": { + "displayName": "Enable Traffic Analytics" + }, + "defaultValue": false + }, + "logAnalytics": { + "type": "String", + "metadata": { + "strongType": "omsWorkspace", + "displayName": "Resource ID of Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID." 
+ }, + "defaultValue": "" + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Network/networkSecurityGroups" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Network/networkWatchers/flowLogs", + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "resourceGroupName": "NetworkWatcherRG", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Network/networkWatchers/flowLogs/enabled", + "equals": "true" + }, + { + "field": "Microsoft.Network/networkWatchers/flowLogs/flowAnalyticsConfiguration.networkWatcherFlowAnalyticsConfiguration.enabled", + "equals": "[parameters('flowAnalyticsEnabled')]" + } + ] + }, + "deployment": { + "properties": { + "mode": "Incremental", + "parameters": { + "networkSecurityGroupName": { + "value": "[field('name')]" + }, + "resourceGroupName": { + "value": "[resourceGroup().name]" + }, + "location": { + "value": "[field('location')]" + }, + "storageAccountResourceId": { + "value": "[parameters('storageAccountResourceId')]" + }, + "retention": { + "value": "[parameters('retention')]" + }, + "flowAnalyticsEnabled": { + "value": "[parameters('flowAnalyticsEnabled')]" + }, + "trafficAnalyticsInterval": { + "value": "[parameters('trafficAnalyticsInterval')]" + }, + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "networkSecurityGroupName": { + "type": "String" + }, + 
"resourceGroupName": { + "type": "String" + }, + "location": { + "type": "String" + }, + "storageAccountResourceId": { + "type": "String" + }, + "retention": { + "type": "int" + }, + "flowAnalyticsEnabled": { + "type": "bool" + }, + "trafficAnalyticsInterval": { + "type": "int" + }, + "logAnalytics": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Network/networkWatchers/flowLogs", + "apiVersion": "2020-05-01", + "name": "[take(concat('NetworkWatcher_', toLower(parameters('location')), '/', parameters('networkSecurityGroupName'), '-', parameters('resourceGroupName'), '-flowlog' ), 80)]", + "location": "[parameters('location')]", + "properties": { + "targetResourceId": "[resourceId(parameters('resourceGroupName'), 'Microsoft.Network/networkSecurityGroups', parameters('networkSecurityGroupName'))]", + "storageId": "[parameters('storageAccountResourceId')]", + "enabled": true, + "retentionPolicy": { + "enabled": true, + "days": "[parameters('retention')]" + }, + "format": { + "type": "JSON", + "version": 2 + }, + "flowAnalyticsConfiguration": { + "networkWatcherFlowAnalyticsConfiguration": { + "enabled": "[bool(parameters('flowAnalyticsEnabled'))]", + "trafficAnalyticsInterval": "[parameters('trafficAnalyticsInterval')]", + "workspaceId": "[if(not(empty(parameters('logAnalytics'))), reference(parameters('logAnalytics'), '2020-03-01-preview', 'Full').properties.customerId, json('null')) ]", + "workspaceRegion": "[if(not(empty(parameters('logAnalytics'))), reference(parameters('logAnalytics'), '2020-03-01-preview', 'Full').location, json('null')) ]", + "workspaceResourceId": "[if(not(empty(parameters('logAnalytics'))), parameters('logAnalytics'), json('null'))]" + } + } + } + } + ], + "outputs": {} + } + } + } + } + } + } + } +} \ No newline at end of file 
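Review bot: The `existenceCondition` under `then.details` tests only `flowLogs/enabled` and the traffic-analytics flag, and `details` has no `name`, so as written any enabled flow log in `NetworkWatcherRG` appears to satisfy it for every NSG evaluated. An NSG without its own flow log would then be reported compliant and never remediated, leaving a gap in network telemetry that nothing surfaces. I would add a clause that ties the match to the evaluated NSG, e.g. `{ "field": "Microsoft.Network/networkWatchers/flowLogs/targetResourceId", "equals": "[field('id')]" }`, after confirming that alias is exposed. The definition is marked deprecated, but existing assignments still evaluate it.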
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-PostgreSQL-sslEnforcement.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-PostgreSQL-sslEnforcement.json new file mode 100644 index 0000000..d644cc2 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-PostgreSQL-sslEnforcement.json 
@@ -0,0 +1,139 @@ +{ + "name": "Deploy-PostgreSQL-sslEnforcement", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Azure Database for PostgreSQL server deploy a specific min TLS version requirement and enforce SSL ", + "description": "Deploy a specific min TLS version requirement and enforce SSL on Azure Database for PostgreSQL server. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.", + "metadata": { + "version": "1.0.0", + "category": "SQL", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect Azure Database for PostgreSQL server", + "description": "Enable or disable the execution of the policy minimum TLS version Azure Database for PostgreSQL server" + } + }, + "minimalTlsVersion": { + "type": "String", + "defaultValue": "TLS1_2", + "allowedValues": [ + "TLS1_2", + "TLS1_0", + "TLS1_1", + "TLSEnforcementDisabled" + ], + "metadata": { + "displayName": "Select version for PostgreSQL server", + "description": "Select version minimum TLS version Azure Database for PostgreSQL server to enforce" + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.DBforPostgreSQL/servers" + }, + { + "anyOf": [ + { + "field": "Microsoft.DBforPostgreSQL/servers/sslEnforcement", + "notEquals": "Enabled" + }, + { + 
"field": "Microsoft.DBforPostgreSQL/servers/minimalTlsVersion", + "notEquals": "[parameters('minimalTlsVersion')]" + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.DBforPostgreSQL/servers", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.DBforPostgreSQL/servers/sslEnforcement", + "equals": "Enabled" + }, + { + "field": "Microsoft.DBforPostgreSQL/servers/minimalTlsVersion", + "equals": "[parameters('minimalTlsVersion')]" + } + ] + }, + "name": "current", + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "minimalTlsVersion": { + "type": "String" + }, + "location": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.DBforPostgreSQL/servers", + "apiVersion": "2017-12-01", + "name": "[concat(parameters('resourceName'))]", + "location": "[parameters('location')]", + "properties": { + "sslEnforcement": "[if(equals(parameters('minimalTlsVersion'), 'TLSEnforcementDisabled'),'Disabled', 'Enabled')]", + "minimalTlsVersion": "[parameters('minimalTlsVersion')]" + } + } + ], + "outputs": {} + }, + "parameters": { + "resourceName": { + "value": "[field('name')]" + }, + "minimalTlsVersion": { + "value": "[parameters('minimalTlsVersion')]" + }, + "location": { + "value": "[field('location')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file 
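Review bot: `minimalTlsVersion.allowedValues` includes `TLSEnforcementDisabled`, and with that value the template's `sslEnforcement` expression evaluates to `'Disabled'`, so an assignment can make this DeployIfNotExists policy switch TLS enforcement off on every server in scope. That contradicts the description ("enforces that SSL is always enabled"), and because `existenceCondition` requires `sslEnforcement` to equal `Enabled`, those servers stay non-compliant after the deployment. I would drop that value and consider dropping `TLS1_0` and `TLS1_1` too, i.e. `"allowedValues": [ "TLS1_2" ]`. The `if(equals(...))` in the template can then become the literal `"Enabled"`.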
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-SQL-minTLS.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-SQL-minTLS.json new file mode 100644 index 0000000..07fa3ff --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-SQL-minTLS.json 
@@ -0,0 +1,125 @@ +{ + "name": "Deploy-SQL-minTLS", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "SQL servers deploys a specific min TLS version requirement.", + "description": "Deploys a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.", + "metadata": { + "version": "1.0.0", + "category": "SQL", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect SQL servers", + "description": "Enable or disable the execution of the policy minimum TLS version SQL servers" + } + }, + "minimalTlsVersion": { + "type": "String", + "defaultValue": "1.2", + "allowedValues": [ + "1.2", + "1.1", + "1.0" + ], + "metadata": { + "displayName": "Select version for SQL server", + "description": "Select version minimum TLS version SQL servers to enforce" + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Sql/servers" + }, + { + "field": "Microsoft.Sql/servers/minimalTlsVersion", + "notequals": "[parameters('minimalTlsVersion')]" + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Sql/servers", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Sql/servers/minimalTlsVersion", + "equals": 
"[parameters('minimalTlsVersion')]" + } + ] + }, + "name": "current", + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "minimalTlsVersion": { + "type": "String" + }, + "location": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Sql/servers", + "apiVersion": "2019-06-01-preview", + "name": "[concat(parameters('resourceName'))]", + "location": "[parameters('location')]", + "properties": { + "minimalTlsVersion": "[parameters('minimalTlsVersion')]" + } + } + ], + "outputs": {} + }, + "parameters": { + "resourceName": { + "value": "[field('name')]" + }, + "minimalTlsVersion": { + "value": "[parameters('minimalTlsVersion')]" + }, + "location": { + "value": "[field('location')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Sql-AuditingSettings.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Sql-AuditingSettings.json new file mode 100644 index 0000000..dba8a54 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Sql-AuditingSettings.json 
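Review bot: `roleDefinitionIds` grants `8e3af657-a8ff-443c-a75c-2fe8c4bcb635`, the built-in Owner role, to the managed identity that runs this remediation, although the template only writes `minimalTlsVersion` on `Microsoft.Sql/servers`. Owner includes the right to create role assignments, so the policy identity holds far more privilege than the task needs at whatever scope the definition is assigned. A narrower built-in role that can update the server (for example SQL Server Contributor) should be enough. The same Owner ID is used in the Deploy-PostgreSQL-sslEnforcement and Deploy-SqlMi-minTLS hunks.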
@@ -0,0 +1,125 @@ +{ + "name": "Deploy-Sql-AuditingSettings", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy SQL database auditing settings", + "description": "Deploy auditing settings to SQL Database when it not exist in the deployment", + "metadata": { + "version": "1.0.0", + "category": "SQL", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Sql/servers/databases" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Sql/servers/databases/auditingSettings", + "name": "default", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Sql/servers/databases/auditingSettings/state", + "equals": "enabled" + }, + { + "field": "Microsoft.Sql/servers/databases/auditingSettings/isAzureMonitorTargetEnabled", + "equals": "true" + } + ] + }, + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "location": { + "type": "String" + }, + "sqlServerName": { + "type": "String" + }, + "sqlServerDataBaseName": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "name": "[concat( parameters('sqlServerName'),'/',parameters('sqlServerDataBaseName'),'/default')]", + "type": "Microsoft.Sql/servers/databases/auditingSettings", + "apiVersion": "2017-03-01-preview", + 
"properties": { + "state": "enabled", + "auditActionsAndGroups": [ + "BATCH_COMPLETED_GROUP", + "DATABASE_OBJECT_CHANGE_GROUP", + "SCHEMA_OBJECT_CHANGE_GROUP", + "BACKUP_RESTORE_GROUP", + "APPLICATION_ROLE_CHANGE_PASSWORD_GROUP", + "DATABASE_PRINCIPAL_CHANGE_GROUP", + "DATABASE_PRINCIPAL_IMPERSONATION_GROUP", + "DATABASE_ROLE_MEMBER_CHANGE_GROUP", + "USER_CHANGE_PASSWORD_GROUP", + "DATABASE_OBJECT_OWNERSHIP_CHANGE_GROUP", + "DATABASE_OBJECT_PERMISSION_CHANGE_GROUP", + "DATABASE_PERMISSION_CHANGE_GROUP", + "SCHEMA_OBJECT_PERMISSION_CHANGE_GROUP", + "SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP", + "FAILED_DATABASE_AUTHENTICATION_GROUP" + ], + "isAzureMonitorTargetEnabled": true + } + } + ], + "outputs": {} + }, + "parameters": { + "location": { + "value": "[field('location')]" + }, + "sqlServerName": { + "value": "[first(split(field('fullname'),'/'))]" + }, + "sqlServerDataBaseName": { + "value": "[field('name')]" + } + } + } + }, + "roleDefinitionIds": [ + "/providers/Microsoft.Authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3" + ] + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Sql-SecurityAlertPolicies.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Sql-SecurityAlertPolicies.json new file mode 100644 index 0000000..bf77005 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Sql-SecurityAlertPolicies.json 
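Review bot: The template sets `isAzureMonitorTargetEnabled` to `true`, but nothing in this hunk creates the diagnostic setting that routes the audit category to a workspace, event hub or storage account. If I read the Azure Monitor target correctly it depends on such a setting, so a database can be reported compliant while its audit records are delivered nowhere. At minimum the `description` should say so, e.g. `"Deploy auditing settings to SQL Database when they do not exist. Requires a diagnostic setting exporting SQLSecurityAuditEvents to take effect."`, and the policy should be assigned together with one that deploys that setting. The `location` template parameter is declared and passed but never used.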
@@ -0,0 +1,123 @@ +{ + "name": "Deploy-Sql-SecurityAlertPolicies", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy SQL Database security Alert Policies configuration with email admin accounts", + "description": "Deploy the security Alert Policies configuration with email admin accounts when it not exist in current configuration", + "metadata": { + "version": "1.1.1", + "category": "SQL", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "emailAddresses": { + "type": "Array", + "defaultValue": [ + "admin@contoso.com", + "admin@fabrikam.com" + ] + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Sql/servers/databases" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Sql/servers/databases/securityAlertPolicies", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Sql/servers/databases/securityAlertPolicies/state", + "equals": "Enabled" + } + ] + }, + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "location": { + "type": "String" + }, + "sqlServerName": { + "type": "String" + }, + "sqlServerDataBaseName": { + "type": "String" + }, + "emailAddresses": { + "type": "Array" + } + }, + "variables": {}, + "resources": [ + { + "name": 
"[concat(parameters('sqlServerName'),'/',parameters('sqlServerDataBaseName'),'/default')]", + "type": "Microsoft.Sql/servers/databases/securityAlertPolicies", + "apiVersion": "2018-06-01-preview", + "properties": { + "state": "Enabled", + "disabledAlerts": [ + "" + ], + "emailAddresses": "[parameters('emailAddresses')]", + "emailAccountAdmins": true, + "storageEndpoint": null, + "storageAccountAccessKey": "", + "retentionDays": 0 + } + } + ], + "outputs": {} + }, + "parameters": { + "location": { + "value": "[field('location')]" + }, + "sqlServerName": { + "value": "[first(split(field('fullname'),'/'))]" + }, + "sqlServerDataBaseName": { + "value": "[field('name')]" + }, + "emailAddresses": { + "value": "[parameters('emailAddresses')]" + } + } + } + }, + "roleDefinitionIds": [ + "/providers/Microsoft.Authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3" + ] + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Sql-Tde.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Sql-Tde.json new file mode 100644 index 0000000..8415c4f --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Sql-Tde.json 
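Review bot: `emailAddresses` defaults to `admin@contoso.com` and `admin@fabrikam.com`, so an assignment that leaves the parameter unset sends threat-detection alerts to addresses outside the tenant. I would remove the `defaultValue` so the assigner must supply recipients, and add `metadata` with a `displayName` and `description` as the `effect` parameter has. Note also that `existenceCondition` checks only `state`, so a change of recipients in the assignment is not pushed to databases that already have an enabled alert policy.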
@@ -0,0 +1,125 @@ +{ + "name": "Deploy-Sql-Tde", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "[Deprecated] Deploy SQL Database Transparent Data Encryption", + "description": "Deploy the Transparent Data Encryption when it is not enabled in the deployment. Please use this policy instead https://www.azadvertizer.net/azpolicyadvertizer/86a912f6-9a06-4e26-b447-11b16ba8659f.html", + "metadata": { + "deprecated": true, + "version": "1.1.1-deprecated", + "category": "SQL", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "excludedDatabases": { + "type": "Array", + "metadata": { + "displayName": "Excluded Databases", + "description": "Array of databases that are excluded from this policy" + }, + "defaultValue": [ + "master", + "model", + "tempdb", + "msdb", + "resource" + ] + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Sql/servers/databases" + }, + { + "field": "name", + "notIn": "[parameters('excludedDatabases')]" + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Sql/servers/databases/transparentDataEncryption", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Sql/transparentDataEncryption.status", + "equals": "Enabled" + } + ] + }, + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + 
"location": { + "type": "String" + }, + "sqlServerName": { + "type": "String" + }, + "sqlServerDataBaseName": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "name": "[concat( parameters('sqlServerName'),'/',parameters('sqlServerDataBaseName'),'/current')]", + "type": "Microsoft.Sql/servers/databases/transparentDataEncryption", + "apiVersion": "2014-04-01", + "properties": { + "status": "Enabled" + } + } + ], + "outputs": {} + }, + "parameters": { + "location": { + "value": "[field('location')]" + }, + "sqlServerName": { + "value": "[first(split(field('fullname'),'/'))]" + }, + "sqlServerDataBaseName": { + "value": "[field('name')]" + } + } + } + }, + "roleDefinitionIds": [ + "/providers/Microsoft.Authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3" + ] + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Sql-vulnerabilityAssessments.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Sql-vulnerabilityAssessments.json new file mode 100644 index 0000000..c7ecc25 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Sql-vulnerabilityAssessments.json 
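Review bot: This deprecated definition names its replacement only as an azadvertizer.net link inside `description`, whereas Deploy-Sql-vulnerabilityAssessments in the same commit records it in `metadata.supersededBy`. Adding `"supersededBy": "86a912f6-9a06-4e26-b447-11b16ba8659f"` to `metadata` would let tooling find the successor without parsing a third-party URL. Deploy-Nsg-FlowLogs has the same gap, and its description does not name the replacing built-in policy at all.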
@@ -0,0 +1,144 @@ +{ + "name": "Deploy-Sql-vulnerabilityAssessments", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "[Deprecated]: Deploy SQL Database vulnerability Assessments", + "description": "Deploy SQL Database vulnerability Assessments when it not exist in the deployment. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/Deploy-Sql-vulnerabilityAssessments_20230706.html", + "metadata": { + "version": "1.0.1-deprecated", + "category": "SQL", + "source": "https://github.com/Azure/Enterprise-Scale/", + "deprecated": true, + "supersededBy": "Deploy-Sql-vulnerabilityAssessments_20230706", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "vulnerabilityAssessmentsEmail": { + "type": "String", + "metadata": { + "description": "The email address to send alerts. For multiple emails, format in the following 'email1@contoso.com;email2@contoso.com'", + "displayName": "The email address to send alerts. 
For multiple emails, format in the following 'email1@contoso.com;email2@contoso.com'" + } + }, + "vulnerabilityAssessmentsStorageID": { + "type": "String", + "metadata": { + "description": "The storage account ID to store assessments", + "displayName": "The storage account ID to store assessments" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Sql/servers/databases" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Sql/servers/databases/vulnerabilityAssessments", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Sql/servers/databases/vulnerabilityAssessments/recurringScans.emails", + "equals": "[parameters('vulnerabilityAssessmentsEmail')]" + }, + { + "field": "Microsoft.Sql/servers/databases/vulnerabilityAssessments/recurringScans.isEnabled", + "equals": true + } + ] + }, + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "location": { + "type": "String" + }, + "sqlServerName": { + "type": "String" + }, + "sqlServerDataBaseName": { + "type": "String" + }, + "vulnerabilityAssessmentsEmail": { + "type": "String" + }, + "vulnerabilityAssessmentsStorageID": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "name": "[concat(parameters('sqlServerName'),'/',parameters('sqlServerDataBaseName'),'/default')]", + "type": "Microsoft.Sql/servers/databases/vulnerabilityAssessments", + "apiVersion": "2017-03-01-preview", + "properties": { + "storageContainerPath": "[concat('https://', last( split(parameters('vulnerabilityAssessmentsStorageID') , '/') 
) , '.blob.core.windows.net/vulneraabilitylogs')]", + "storageAccountAccessKey": "[listkeys(parameters('vulnerabilityAssessmentsStorageID'), providers('Microsoft.Storage', 'storageAccounts').apiVersions[0]).keys[0].value]", + "recurringScans": { + "isEnabled": true, + "emailSubscriptionAdmins": false, + "emails": [ + "[parameters('vulnerabilityAssessmentsEmail')]" + ] + } + } + } + ], + "outputs": {} + }, + "parameters": { + "location": { + "value": "[field('location')]" + }, + "sqlServerName": { + "value": "[first(split(field('fullname'),'/'))]" + }, + "sqlServerDataBaseName": { + "value": "[field('name')]" + }, + "vulnerabilityAssessmentsEmail": { + "value": "[parameters('vulnerabilityAssessmentsEmail')]" + }, + "vulnerabilityAssessmentsStorageID": { + "value": "[parameters('vulnerabilityAssessmentsStorageID')]" + } + } + } + }, + "roleDefinitionIds": [ + "/providers/Microsoft.Authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3", + "/providers/Microsoft.Authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/Microsoft.Authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab" + ] + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Sql-vulnerabilityAssessments_20230706.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Sql-vulnerabilityAssessments_20230706.json new file mode 100644 index 0000000..08cb17f --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Sql-vulnerabilityAssessments_20230706.json 
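Review bot: `storageAccountAccessKey` is filled from `listkeys(...).keys[0].value`, which copies the storage account's first shared key into the vulnerability-assessment settings of every database in scope; the same expression is in Deploy-Sql-vulnerabilityAssessments_20230706. That requires shared-key access to stay enabled on the account, and scan uploads will presumably stop working when that key is rotated until the policy redeploys. The metadata for `vulnerabilityAssessmentsStorageID` should state this dependency, and the `apiVersions[0]` lookup is better pinned to a fixed version string (placeholder: `'<storage-api-version>'`) so the call does not change with the provider's version list. The container name `vulneraabilitylogs` looks like a typo but has to match the existing container, so I would only document it.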
@@ -0,0 +1,147 @@ +{ + "name": "Deploy-Sql-vulnerabilityAssessments_20230706", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy SQL Database Vulnerability Assessments", + "description": "Deploy SQL Database Vulnerability Assessments when it does not exist in the deployment, and save results to the storage account specified in the parameters.", + "metadata": { + "version": "1.0.0", + "category": "SQL", + "source": "https://github.com/Azure/Enterprise-Scale/", + "replacesPolicy": "Deploy-Sql-vulnerabilityAssessments", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "vulnerabilityAssessmentsEmail": { + "type": "Array", + "metadata": { + "description": "The email address(es) to send alerts.", + "displayName": "The email address(es) to send alerts." + } + }, + "vulnerabilityAssessmentsStorageID": { + "type": "String", + "metadata": { + "description": "The storage account ID to store assessments", + "displayName": "The storage account ID to store assessments" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Sql/servers/databases" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Sql/servers/databases/vulnerabilityAssessments", + "existenceCondition": { + "allOf": [ + { + "count": { + "field": "Microsoft.Sql/servers/databases/vulnerabilityAssessments/recurringScans.emails[*]", + "where": { + "value": "current(Microsoft.Sql/servers/databases/vulnerabilityAssessments/recurringScans.emails[*])", + "notIn": 
"[parameters('vulnerabilityAssessmentsEmail')]" + } + }, + "greater": 0 + }, + { + "field": "Microsoft.Sql/servers/databases/vulnerabilityAssessments/recurringScans.isEnabled", + "equals": true + } + ] + }, + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "location": { + "type": "String" + }, + "sqlServerName": { + "type": "String" + }, + "sqlServerDataBaseName": { + "type": "String" + }, + "vulnerabilityAssessmentsEmail": { + "type": "Array" + }, + "vulnerabilityAssessmentsStorageID": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "name": "[concat(parameters('sqlServerName'),'/',parameters('sqlServerDataBaseName'),'/default')]", + "type": "Microsoft.Sql/servers/databases/vulnerabilityAssessments", + "apiVersion": "2017-03-01-preview", + "properties": { + "storageContainerPath": "[concat('https://', last( split(parameters('vulnerabilityAssessmentsStorageID') , '/') ) , '.blob.core.windows.net/vulneraabilitylogs')]", + "storageAccountAccessKey": "[listkeys(parameters('vulnerabilityAssessmentsStorageID'), providers('Microsoft.Storage', 'storageAccounts').apiVersions[0]).keys[0].value]", + "recurringScans": { + "isEnabled": true, + "emailSubscriptionAdmins": false, + "emails": "[parameters('vulnerabilityAssessmentsEmail')]" + } + } + } + ], + "outputs": {} + }, + "parameters": { + "location": { + "value": "[field('location')]" + }, + "sqlServerName": { + "value": "[first(split(field('fullname'),'/'))]" + }, + "sqlServerDataBaseName": { + "value": "[field('name')]" + }, + "vulnerabilityAssessmentsEmail": { + "value": "[parameters('vulnerabilityAssessmentsEmail')]" + }, + "vulnerabilityAssessmentsStorageID": { + "value": "[parameters('vulnerabilityAssessmentsStorageID')]" + } + } + } + }, + "roleDefinitionIds": [ + 
"/providers/Microsoft.Authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3", + "/providers/Microsoft.Authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/Microsoft.Authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab" + ] + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-SqlMi-minTLS.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-SqlMi-minTLS.json new file mode 100644 index 0000000..237c536 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-SqlMi-minTLS.json 
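Review bot: In `existenceCondition`, the `where.value` string beginning `current(Microsoft.Sql/` is not wrapped in `[...]`, so as I read the policy language it is compared as a literal and `notIn` is always true; the `count` then only tests that at least one e-mail is configured. Even if it were evaluated, `notIn` with `"greater": 0` would mark a database compliant when it has a recipient that is not in `vulnerabilityAssessmentsEmail`, the opposite of the intent. I would write `"value": "[current('Microsoft.Sql/servers/databases/vulnerabilityAssessments/recurringScans.emails[*]')]"` with `"in": "[parameters('vulnerabilityAssessmentsEmail')]"` and keep `"greater": 0`.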
@@ -0,0 +1,125 @@ +{ + "name": "Deploy-SqlMi-minTLS", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "SQL managed instances deploy a specific min TLS version requirement.", + "description": "Deploy a specific min TLS version requirement and enforce SSL on SQL managed instances. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.", + "metadata": { + "version": "1.0.0", + "category": "SQL", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect SQL servers", + "description": "Enable or disable the execution of the policy minimum TLS version SQL servers" + } + }, + "minimalTlsVersion": { + "type": "String", + "defaultValue": "1.2", + "allowedValues": [ + "1.2", + "1.1", + "1.0" + ], + "metadata": { + "displayName": "Select version for SQL server", + "description": "Select version minimum TLS version SQL servers to enforce" + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Sql/managedInstances" + }, + { + "field": "Microsoft.Sql/managedInstances/minimalTlsVersion", + "notequals": "[parameters('minimalTlsVersion')]" + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Sql/managedInstances", + "existenceCondition": { + "allOf": [ + { + "field": 
"Microsoft.Sql/managedInstances/minimalTlsVersion", + "equals": "[parameters('minimalTlsVersion')]" + } + ] + }, + "name": "current", + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "minimalTlsVersion": { + "type": "String" + }, + "location": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Sql/managedInstances", + "apiVersion": "2020-02-02-preview", + "name": "[concat(parameters('resourceName'))]", + "location": "[parameters('location')]", + "properties": { + "minimalTlsVersion": "[parameters('minimalTlsVersion')]" + } + } + ], + "outputs": {} + }, + "parameters": { + "resourceName": { + "value": "[field('name')]" + }, + "minimalTlsVersion": { + "value": "[parameters('minimalTlsVersion')]" + }, + "location": { + "value": "[field('location')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Storage-sslEnforcement.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Storage-sslEnforcement.json new file mode 100644 index 0000000..8835ff5 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Storage-sslEnforcement.json 
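Review bot: The remediation identity is granted Owner through `roleDefinitionIds` (`/providers/microsoft.authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635`), although the deployment template only writes `minimalTlsVersion` on `Microsoft.Sql/managedInstances`. Owner carries role-assignment rights, far more than this remediation needs; a resource-scoped built-in role such as SQL Managed Instance Contributor should be sufficient. The Deploy-Storage-sslEnforcement definition in the next hunk lists the same Owner role for a storage-account property update and needs the same reduction. The parameter display names and the description also still say "SQL servers" and "enforce SSL", which does not match what this template sets on managed instances.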
@@ -0,0 +1,138 @@ +{ + "name": "Deploy-Storage-sslEnforcement", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Azure Storage deploy a specific min TLS version requirement and enforce SSL/HTTPS ", + "description": "Deploy a specific min TLS version requirement and enforce SSL on Azure Storage. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your Azure Storage.", + "metadata": { + "version": "1.1.0", + "category": "Storage", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect Azure Storage", + "description": "Enable or disable the execution of the policy minimum TLS version Azure STorage" + } + }, + "minimumTlsVersion": { + "type": "String", + "defaultValue": "TLS1_2", + "allowedValues": [ + "TLS1_2", + "TLS1_1", + "TLS1_0" + ], + "metadata": { + "displayName": "Select TLS version for Azure Storage server", + "description": "Select version minimum TLS version Azure STorage to enforce" + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Storage/storageAccounts" + }, + { + "anyOf": [ + { + "field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly", + "notEquals": "true" + }, + { + "field": "Microsoft.Storage/storageAccounts/minimumTlsVersion", + "notEquals": "[parameters('minimumTlsVersion')]" + } + ] + 
} + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Storage/storageAccounts", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly", + "equals": "true" + }, + { + "field": "Microsoft.Storage/storageAccounts/minimumTlsVersion", + "equals": "[parameters('minimumTlsVersion')]" + } + ] + }, + "name": "current", + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "minimumTlsVersion": { + "type": "String" + }, + "location": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Storage/storageAccounts", + "apiVersion": "2019-06-01", + "name": "[concat(parameters('resourceName'))]", + "location": "[parameters('location')]", + "properties": { + "supportsHttpsTrafficOnly": true, + "minimumTlsVersion": "[parameters('minimumTlsVersion')]" + } + } + ], + "outputs": {} + }, + "parameters": { + "resourceName": { + "value": "[field('name')]" + }, + "minimumTlsVersion": { + "value": "[parameters('minimumTlsVersion')]" + }, + "location": { + "value": "[field('location')]" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-VNET-HubSpoke.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-VNET-HubSpoke.json new file mode 100644 index 0000000..76e21fc --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-VNET-HubSpoke.json 
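Review bot: Both the `if` block and the `existenceCondition` compare `minimumTlsVersion` for exact equality with the parameter, while `allowedValues` still offers `TLS1_1` and `TLS1_0`. An assignment made with one of the older values would mark accounts already on `TLS1_2` as non-compliant, and the remediation template would then write the lower version onto them. Treating the parameter as a floor avoids that: `"less": "[parameters('minimumTlsVersion')]"` in the `if` and `"greaterOrEquals": "[parameters('minimumTlsVersion')]"` in the `existenceCondition` (confirm the string ordering in a test assignment), or drop the two legacy entries from `allowedValues`. Deploy-SqlMi-minTLS in the previous hunk has the same `notequals`/`equals` pattern with `1.1` and `1.0` allowed.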
@@ -0,0 +1,309 @@ +{ + "name": "Deploy-VNET-HubSpoke", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "All", + "displayName": "Deploy Virtual Network with peering to the hub", + "description": "This policy deploys virtual network and peer to the hub", + "metadata": { + "version": "1.1.0", + "category": "Network", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "vNetName": { + "type": "String", + "metadata": { + "displayName": "vNetName", + "description": "Name of the landing zone vNet" + } + }, + "vNetRgName": { + "type": "String", + "metadata": { + "displayName": "vNetRgName", + "description": "Name of the landing zone vNet RG" + } + }, + "vNetLocation": { + "type": "String", + "metadata": { + "displayName": "vNetLocation", + "description": "Location for the vNet" + } + }, + "vNetCidrRange": { + "type": "String", + "metadata": { + "displayName": "vNetCidrRange", + "description": "CIDR Range for the vNet" + } + }, + "hubResourceId": { + "type": "String", + "metadata": { + "displayName": "hubResourceId", + "description": "Resource ID for the HUB vNet" + } + }, + "dnsServers": { + "type": "Array", + "metadata": { + "displayName": "DNSServers", + "description": "Default domain servers for the vNET." 
+ }, + "defaultValue": [] + }, + "vNetPeerUseRemoteGateway": { + "type": "Boolean", + "metadata": { + "displayName": "vNetPeerUseRemoteGateway", + "description": "Enable gateway transit for the LZ network" + }, + "defaultValue": false + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Resources/subscriptions" + } + ] + }, + "then": { + "effect": "deployIfNotExists", + "details": { + "type": "Microsoft.Network/virtualNetworks", + "name": "[parameters('vNetName')]", + "deploymentScope": "subscription", + "existenceScope": "resourceGroup", + "ResourceGroupName": "[parameters('vNetRgName')]", + "roleDefinitionIds": [ + "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c" + ], + "existenceCondition": { + "allOf": [ + { + "field": "name", + "like": "[parameters('vNetName')]" + }, + { + "field": "location", + "equals": "[parameters('vNetLocation')]" + } + ] + }, + "deployment": { + "location": "northeurope", + "properties": { + "mode": "Incremental", + "parameters": { + "vNetRgName": { + "value": "[parameters('vNetRgName')]" + }, + "vNetName": { + "value": "[parameters('vNetName')]" + }, + "vNetLocation": { + "value": "[parameters('vNetLocation')]" + }, + "vNetCidrRange": { + "value": "[parameters('vNetCidrRange')]" + }, + "hubResourceId": { + "value": "[parameters('hubResourceId')]" + }, + "dnsServers": { + "value": "[parameters('dnsServers')]" + }, + "vNetPeerUseRemoteGateway": { + "value": "[parameters('vNetPeerUseRemoteGateway')]" + } + }, + "template": { + "$schema": "http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json", + "contentVersion": "1.0.0.0", + "parameters": { + "vNetRgName": { + "type": "String" + }, + "vNetName": { + "type": "String" + }, + "vNetLocation": { + "type": "String" + }, + "vNetCidrRange": { + "type": "String" + }, + "vNetPeerUseRemoteGateway": { + "type": "bool", + "defaultValue": false + }, + "hubResourceId": { + "type": 
"String" + }, + "dnsServers": { + "type": "Array", + "defaultValue": [] + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2021-04-01", + "name": "[concat('alz-vnet-rg-', parameters('vNetLocation'), '-', substring(uniqueString(subscription().id),0,6))]", + "location": "[parameters('vNetLocation')]", + "dependsOn": [], + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Resources/resourceGroups", + "apiVersion": "2021-04-01", + "name": "[parameters('vNetRgName')]", + "location": "[parameters('vNetLocation')]", + "properties": {} + } + ], + "outputs": {} + } + } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2021-04-01", + "name": "[concat('alz-vnet-', parameters('vNetLocation'), '-', substring(uniqueString(subscription().id),0,6))]", + "dependsOn": [ + "[concat('alz-vnet-rg-', parameters('vNetLocation'), '-', substring(uniqueString(subscription().id),0,6))]" + ], + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Network/virtualNetworks", + "apiVersion": "2021-02-01", + "name": "[parameters('vNetName')]", + "location": "[parameters('vNetLocation')]", + "dependsOn": [], + "properties": { + "addressSpace": { + "addressPrefixes": [ + "[parameters('vNetCidrRange')]" + ] + }, + "dhcpOptions": { + "dnsServers": "[parameters('dnsServers')]" + } + } + }, + { + "type": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings", + "apiVersion": "2021-02-01", + "name": "[concat(parameters('vNetName'), '/peerToHub')]", + "dependsOn": [ + "[parameters('vNetName')]" + ], + 
"properties": { + "remoteVirtualNetwork": { + "id": "[parameters('hubResourceId')]" + }, + "allowVirtualNetworkAccess": true, + "allowForwardedTraffic": true, + "allowGatewayTransit": false, + "useRemoteGateways": "[parameters('vNetPeerUseRemoteGateway')]" + } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2021-04-01", + "name": "[concat('alz-hub-peering-', parameters('vNetLocation'), '-', substring(uniqueString(subscription().id),0,6))]", + "subscriptionId": "[split(parameters('hubResourceId'),'/')[2]]", + "resourceGroup": "[split(parameters('hubResourceId'),'/')[4]]", + "dependsOn": [ + "[parameters('vNetName')]" + ], + "properties": { + "mode": "Incremental", + "expressionEvaluationOptions": { + "scope": "inner" + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "remoteVirtualNetwork": { + "type": "String", + "defaultValue": false + }, + "hubName": { + "type": "String", + "defaultValue": false + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings", + "name": "[[concat(parameters('hubName'),'/',last(split(parameters('remoteVirtualNetwork'),'/')))]", + "apiVersion": "2021-02-01", + "properties": { + "allowVirtualNetworkAccess": true, + "allowForwardedTraffic": true, + "allowGatewayTransit": true, + "useRemoteGateways": false, + "remoteVirtualNetwork": { + "id": "[[parameters('remoteVirtualNetwork')]" + } + } + } + ], + "outputs": {} + }, + "parameters": { + "remoteVirtualNetwork": { + "value": "[concat(subscription().id,'/resourceGroups/',parameters('vNetRgName'), '/providers/','Microsoft.Network/virtualNetworks/', parameters('vNetName'))]" + }, + "hubName": { + "value": "[split(parameters('hubResourceId'),'/')[8]]" + } + } + } + } + ], + "outputs": {} + } + }, + "resourceGroup": "[parameters('vNetRgName')]" + } + ], + "outputs": {} + } + } + } + } + } + } + } +} 
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Vm-autoShutdown.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Vm-autoShutdown.json
new file mode 100644
index 0000000..c79b58d
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Vm-autoShutdown.json
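Review bot: The `existenceCondition` of Deploy-VNET-HubSpoke checks only the virtual network's name and location, so a spoke whose `peerToHub` peering, address space or DNS servers were later changed or removed still evaluates as compliant and is never redeployed. If the policy is meant to guarantee hub connectivity, the condition should also test a property the template sets, or the limitation should be stated in `description`. Separately, the inner hub-peering template declares `remoteVirtualNetwork` and `hubName` as `String` with `"defaultValue": false`; both values are always passed, so the mismatched defaults can be removed. The deployment `location` is fixed to `northeurope`, which is worth turning into a parameter for tenants restricted to other regions.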
@@ -0,0 +1,196 @@
+{
+ "name": "Deploy-Vm-autoShutdown",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "mode": "Indexed",
+ "displayName": "Deploy Virtual Machine Auto Shutdown Schedule",
+ "description": "Deploys an auto shutdown schedule to a virtual machine",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Compute",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {
+ "time": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Scheduled Shutdown Time",
+ "description": "Daily Scheduled shutdown time. i.e. 2300 = 11:00 PM"
+ },
+ "defaultValue": "0000"
+ },
+ "timeZoneId": {
+ "type": "string",
+ "defaultValue": "UTC",
+ "metadata": {
+ "displayName": "Time zone",
+ "description": "The time zone ID (e.g. Pacific Standard time)."
+ }
+ },
+ "EnableNotification": {
+ "type": "string",
+ "defaultValue": "Disabled",
+ "metadata": {
+ "displayName": "Send Notification before auto-shutdown",
+ "description": "If notifications are enabled for this schedule (i.e. Enabled, Disabled)."
+ },
+ "allowedValues": [
+ "Disabled",
+ "Enabled"
+ ]
+ },
+ "NotificationEmailRecipient": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "displayName": "Email Address",
+ "description": "Email address to be used for notification"
+ }
+ },
+ "NotificationWebhookUrl": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "displayName": "Webhook URL",
+ "description": "A notification will be posted to the specified webhook endpoint when the auto-shutdown is about to happen."
+ }
+ }
+ },
+ "policyRule": {
+ "if": {
+ "field": "type",
+ "equals": "Microsoft.Compute/virtualMachines"
+ },
+ "then": {
+ "effect": "deployIfNotExists",
+ "details": {
+ "type": "Microsoft.DevTestLab/schedules",
+ "existenceCondition": {
+ "allOf": [
+ {
+ "field": "Microsoft.DevTestLab/schedules/taskType",
+ "equals": "ComputeVmShutdownTask"
+ },
+ {
+ "field": "Microsoft.DevTestLab/schedules/targetResourceId",
+ "equals": "[concat(resourceGroup().id,'/providers/Microsoft.Compute/virtualMachines/',field('name'))]"
+ }
+ ]
+ },
+ "roleDefinitionIds": [
+ "/providers/microsoft.authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c"
+ ],
+ "deployment": {
+ "properties": {
+ "mode": "incremental",
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "vmName": {
+ "type": "string"
+ },
+ "location": {
+ "type": "string"
+ },
+ "time": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Daily Scheduled shutdown time. i.e. 2300 = 11:00 PM"
+ }
+ },
+ "timeZoneId": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "The time zone ID (e.g. Pacific Standard time)."
+ }
+ },
+ "EnableNotification": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "If notifications are enabled for this schedule (i.e. Enabled, Disabled)."
+ }
+ },
+ "NotificationEmailRecipient": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Email address to be used for notification"
+ }
+ },
+ "NotificationWebhookUrl": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "A notification will be posted to the specified webhook endpoint when the auto-shutdown is about to happen."
+ }
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "name": "[concat('shutdown-computevm-',parameters('vmName'))]",
+ "type": "Microsoft.DevTestLab/schedules",
+ "location": "[parameters('location')]",
+ "apiVersion": "2018-09-15",
+ "properties": {
+ "status": "Enabled",
+ "taskType": "ComputeVmShutdownTask",
+ "dailyRecurrence": {
+ "time": "[parameters('time')]"
+ },
+ "timeZoneId": "[parameters('timeZoneId')]",
+ "notificationSettings": {
+ "status": "[parameters('EnableNotification')]",
+ "timeInMinutes": 30,
+ "webhookUrl": "[parameters('NotificationWebhookUrl')]",
+ "emailRecipient": "[parameters('NotificationEmailRecipient')]",
+ "notificationLocale": "en"
+ },
+ "targetResourceId": "[resourceId('Microsoft.Compute/virtualMachines', parameters('vmName'))]"
+ }
+ }
+ ],
+ "outputs": {}
+ },
+ "parameters": {
+ "vmName": {
+ "value": "[field('name')]"
+ },
+ "location": {
+ "value": "[field('location')]"
+ },
+ "time": {
+ "value": "[parameters('time')]"
+ },
+ "timeZoneId": {
+ "value": "[parameters('timeZoneId')]"
+ },
+ "EnableNotification": {
+ "value": "[parameters('EnableNotification')]"
+ },
+ "NotificationEmailRecipient": {
+ "value": "[parameters('NotificationEmailRecipient')]"
+ },
+ "NotificationWebhookUrl": {
+ "value": "[parameters('NotificationWebhookUrl')]"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Windows-DomainJoin.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Windows-DomainJoin.json
new file mode 100644
index 0000000..6e7244f
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Windows-DomainJoin.json
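Review bot: `NotificationWebhookUrl` in Deploy-Vm-autoShutdown is a plain `string` policy parameter that is passed straight into `notificationSettings.webhookUrl`, so the URL is kept in the policy assignment and in every remediation deployment's parameters, readable by anyone who can read those objects. If the endpoint URL embeds a signature or token, that secret is exposed along with it. The description should say so, for example `"description": "Webhook endpoint notified before auto-shutdown. Stored in clear text in the assignment; do not supply a URL that embeds a secret."`. The rule also hard-codes `"effect": "deployIfNotExists"`, whereas the sibling definitions expose an `effect` parameter with `Disabled`, so this policy cannot be switched off per assignment.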
@@ -0,0 +1,261 @@ +{ + "name": "Deploy-Windows-DomainJoin", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Windows Domain Join Extension with keyvault configuration", + "description": "Deploy Windows Domain Join Extension with keyvault configuration when the extension does not exist on a given windows Virtual Machine", + "metadata": { + "version": "1.0.0", + "category": "Guest Configuration", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "domainUsername": { + "type": "String", + "metadata": { + "displayName": "domainUsername" + } + }, + "domainPassword": { + "type": "String", + "metadata": { + "displayName": "domainPassword" + } + }, + "domainFQDN": { + "type": "String", + "metadata": { + "displayName": "domainFQDN" + } + }, + "domainOUPath": { + "type": "String", + "metadata": { + "displayName": "domainOUPath" + } + }, + "keyVaultResourceId": { + "type": "String", + "metadata": { + "displayName": "keyVaultResourceId" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Compute/virtualMachines" + }, + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "MicrosoftWindowsServer" + }, + { + "field": "Microsoft.Compute/imageOffer", + "equals": "WindowsServer" + }, + { + "field": "Microsoft.Compute/imageSKU", + "in": [ + "2008-R2-SP1", + "2008-R2-SP1-smalldisk", + "2008-R2-SP1-zhcn", + "2012-Datacenter", + "2012-datacenter-gensecond", + "2012-Datacenter-smalldisk", + "2012-datacenter-smalldisk-g2", + 
"2012-Datacenter-zhcn", + "2012-datacenter-zhcn-g2", + "2012-R2-Datacenter", + "2012-r2-datacenter-gensecond", + "2012-R2-Datacenter-smalldisk", + "2012-r2-datacenter-smalldisk-g2", + "2012-R2-Datacenter-zhcn", + "2012-r2-datacenter-zhcn-g2", + "2016-Datacenter", + "2016-datacenter-gensecond", + "2016-datacenter-gs", + "2016-Datacenter-Server-Core", + "2016-datacenter-server-core-g2", + "2016-Datacenter-Server-Core-smalldisk", + "2016-datacenter-server-core-smalldisk-g2", + "2016-Datacenter-smalldisk", + "2016-datacenter-smalldisk-g2", + "2016-Datacenter-with-Containers", + "2016-datacenter-with-containers-g2", + "2016-Datacenter-with-RDSH", + "2016-Datacenter-zhcn", + "2016-datacenter-zhcn-g2", + "2019-Datacenter", + "2019-Datacenter-Core", + "2019-datacenter-core-g2", + "2019-Datacenter-Core-smalldisk", + "2019-datacenter-core-smalldisk-g2", + "2019-Datacenter-Core-with-Containers", + "2019-datacenter-core-with-containers-g2", + "2019-Datacenter-Core-with-Containers-smalldisk", + "2019-datacenter-core-with-containers-smalldisk-g2", + "2019-datacenter-gensecond", + "2019-datacenter-gs", + "2019-Datacenter-smalldisk", + "2019-datacenter-smalldisk-g2", + "2019-Datacenter-with-Containers", + "2019-datacenter-with-containers-g2", + "2019-Datacenter-with-Containers-smalldisk", + "2019-datacenter-with-containers-smalldisk-g2", + "2019-Datacenter-zhcn", + "2019-datacenter-zhcn-g2", + "Datacenter-Core-1803-with-Containers-smalldisk", + "datacenter-core-1803-with-containers-smalldisk-g2", + "Datacenter-Core-1809-with-Containers-smalldisk", + "datacenter-core-1809-with-containers-smalldisk-g2", + "Datacenter-Core-1903-with-Containers-smalldisk", + "datacenter-core-1903-with-containers-smalldisk-g2", + "datacenter-core-1909-with-containers-smalldisk", + "datacenter-core-1909-with-containers-smalldisk-g1", + "datacenter-core-1909-with-containers-smalldisk-g2" + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": 
"Microsoft.Compute/virtualMachines/extensions", + "roleDefinitionIds": [ + "/providers/Microsoft.Authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c" + ], + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Compute/virtualMachines/extensions/type", + "equals": "JsonADDomainExtension" + }, + { + "field": "Microsoft.Compute/virtualMachines/extensions/publisher", + "equals": "Microsoft.Compute" + } + ] + }, + "deployment": { + "properties": { + "mode": "Incremental", + "parameters": { + "vmName": { + "value": "[field('name')]" + }, + "location": { + "value": "[field('location')]" + }, + "domainUsername": { + "reference": { + "keyVault": { + "id": "[parameters('keyVaultResourceId')]" + }, + "secretName": "[parameters('domainUsername')]" + } + }, + "domainPassword": { + "reference": { + "keyVault": { + "id": "[parameters('keyVaultResourceId')]" + }, + "secretName": "[parameters('domainPassword')]" + } + }, + "domainOUPath": { + "value": "[parameters('domainOUPath')]" + }, + "domainFQDN": { + "value": "[parameters('domainFQDN')]" + }, + "keyVaultResourceId": { + "value": "[parameters('keyVaultResourceId')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "vmName": { + "type": "String" + }, + "location": { + "type": "String" + }, + "domainUsername": { + "type": "String" + }, + "domainPassword": { + "type": "securestring" + }, + "domainFQDN": { + "type": "String" + }, + "domainOUPath": { + "type": "String" + }, + "keyVaultResourceId": { + "type": "String" + } + }, + "variables": { + "domainJoinOptions": 3, + "vmName": "[parameters('vmName')]" + }, + "resources": [ + { + "apiVersion": "2015-06-15", + "type": "Microsoft.Compute/virtualMachines/extensions", + "name": "[concat(variables('vmName'),'/joindomain')]", + "location": "[resourceGroup().location]", + "properties": { + "publisher": "Microsoft.Compute", + "type": 
"JsonADDomainExtension", + "typeHandlerVersion": "1.3", + "autoUpgradeMinorVersion": true, + "settings": { + "Name": "[parameters('domainFQDN')]", + "User": "[parameters('domainUserName')]", + "Restart": "true", + "Options": "[variables('domainJoinOptions')]", + "OUPath": "[parameters('domainOUPath')]" + }, + "protectedSettings": { + "Password": "[parameters('domainPassword')]" + } + } + } + ], + "outputs": {} + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Audit-UnusedResourcesCostOptimization.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Audit-UnusedResourcesCostOptimization.json new file mode 100644 index 0000000..0b8a02a --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Audit-UnusedResourcesCostOptimization.json 
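Review bot: The policy parameters `domainUsername` and `domainPassword` are used as Key Vault `secretName` values in the deployment parameters, not as the credentials themselves, yet their metadata carries only a `displayName`. An operator filling in the assignment could reasonably type the real password into `domainPassword`, and policy assignment parameters are stored and shown in clear text. Add descriptions such as `"description": "Name of the Key Vault secret that holds the domain join password (not the password itself)"`, with matching text for the user name. The template also declares `domainUsername` as `String` while `domainPassword` is `securestring`; declaring both as `securestring` keeps the resolved value out of the deployment record.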
@@ -0,0 +1,102 @@ +{ + "name": "Audit-UnusedResourcesCostOptimization", + "type": "Microsoft.Authorization/policySetDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "displayName": "Unused resources driving cost should be avoided", + "description": "Optimize cost by detecting unused but chargeable resources. Leverage this Azure Policy Initiative as a cost control tool to reveal orphaned resources that are contributing cost.", + "metadata": { + "version": "2.0.0", + "category": "Cost Optimization", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effectDisks": { + "type": "String", + "metadata": { + "displayName": "Disks Effect", + "description": "Enable or disable the execution of the policy for Microsoft.Compute/disks" + }, + "allowedValues": [ + "Audit", + "Disabled" + ], + "defaultValue": "Audit" + }, + "effectPublicIpAddresses": { + "type": "String", + "metadata": { + "displayName": "PublicIpAddresses Effect", + "description": "Enable or disable the execution of the policy for Microsoft.Network/publicIpAddresses" + }, + "allowedValues": [ + "Audit", + "Disabled" + ], + "defaultValue": "Audit" + }, + "effectServerFarms": { + "type": "String", + "metadata": { + "displayName": "ServerFarms Effect", + "description": "Enable or disable the execution of the policy for Microsoft.Web/serverfarms" + }, + "allowedValues": [ + "Audit", + "Disabled" + ], + "defaultValue": "Audit" + } + }, + "policyDefinitions": [ + { + "policyDefinitionReferenceId": "AuditDisksUnusedResourcesCostOptimization", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Audit-Disks-UnusedResourcesCostOptimization", + "parameters": { + "effect": { + "value": "[[parameters('effectDisks')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": 
"AuditPublicIpAddressesUnusedResourcesCostOptimization", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Audit-PublicIpAddresses-UnusedResourcesCostOptimization", + "parameters": { + "effect": { + "value": "[[parameters('effectPublicIpAddresses')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "AuditServerFarmsUnusedResourcesCostOptimization", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Audit-ServerFarms-UnusedResourcesCostOptimization", + "parameters": { + "effect": { + "value": "[[parameters('effectServerFarms')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "AuditAzureHybridBenefitUnusedResourcesCostOptimization", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Audit-AzureHybridBenefit", + "parameters": { + "effect": { + "value": "Audit" + } + }, + "groupNames": [] + } + ], + "policyDefinitionGroups": null + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Audit-UnusedResourcesCostOptimization.parameters.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Audit-UnusedResourcesCostOptimization.parameters.json new file mode 100644 index 0000000..c76abd5 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Audit-UnusedResourcesCostOptimization.parameters.json 
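Review bot: The fourth member of the Audit-UnusedResourcesCostOptimization set, `AuditAzureHybridBenefitUnusedResourcesCostOptimization`, has its effect fixed to `"Audit"`, while the other three members take theirs from initiative parameters that allow `Audit` or `Disabled`. That member therefore cannot be turned off for an assignment without editing the set. If the referenced definition accepts `Disabled`, add a fourth initiative parameter (for example `effectAzureHybridBenefit`) and reference it with `"value": "[[parameters('effectAzureHybridBenefit')]"`. The companion `.parameters.json` file in the next hunk carries the same literal and would need the same change.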
@@ -0,0 +1,30 @@
+{
+ "AuditAzureHybridBenefitUnusedResourcesCostOptimization": {
+ "parameters": {
+ "effect": {
+ "value": "Audit"
+ }
+ }
+ },
+ "AuditDisksUnusedResourcesCostOptimization": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('effectDisks')]"
+ }
+ }
+ },
+ "AuditPublicIpAddressesUnusedResourcesCostOptimization": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('effectPublicIpAddresses')]"
+ }
+ }
+ },
+ "AuditServerFarmsUnusedResourcesCostOptimization": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('effectServerFarms')]"
+ }
+ }
+ }
+}
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deny-PublicPaaSEndpoints.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deny-PublicPaaSEndpoints.json
new file mode 100644
index 0000000..c97e68d
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deny-PublicPaaSEndpoints.json
@@ -0,0 +1,483 @@
+{
+ "name": "Deny-PublicPaaSEndpoints",
+ "type": "Microsoft.Authorization/policySetDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "displayName": "Public network access should be disabled for PaaS services",
+ "description": "This policy initiative is a group of policies that prevents creation of Azure PaaS services with exposed public endpoints",
+ "metadata": {
+ "version": "3.1.0",
+ "category": "Network",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud"
+ ]
+ },
+ "parameters": {
+ "CosmosPublicIpDenyEffect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Public network access should be disabled for CosmosDB",
+ "description": "This policy denies that Cosmos database accounts are created with out public network access is disabled."
+ },
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "defaultValue": "Deny"
+ },
+ "KeyVaultPublicIpDenyEffect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Public network access should be disabled for KeyVault",
+ "description": "This policy denies creation of Key Vaults with IP Firewall exposed to all public endpoints"
+ },
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "defaultValue": "Deny"
+ },
+ "SqlServerPublicIpDenyEffect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Public network access on Azure SQL Database should be disabled",
+ "description": "This policy denies creation of Sql servers with exposed public endpoints"
+ },
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "defaultValue": "Deny"
+ },
+ "StoragePublicIpDenyEffect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Public network access onStorage accounts should be disabled",
+ "description": "This policy denies creation of storage accounts with IP Firewall exposed to all public endpoints"
+ },
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "defaultValue": "Deny"
+ },
+ "AKSPublicIpDenyEffect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Public network access on AKS API should be disabled",
+ "description": "This policy denies the creation of Azure Kubernetes Service non-private clusters"
+ },
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "defaultValue": "Deny"
+ },
+ "ACRPublicIpDenyEffect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Public network access on Azure Container Registry disabled",
+ "description": "This policy denies the creation of Azure Container Registires with exposed public endpoints "
+ },
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "defaultValue": "Deny"
+ },
+ "AFSPublicIpDenyEffect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Public network access on Azure File Sync disabled",
+ "description": "This policy denies the creation of Azure File Sync instances with exposed public endpoints "
+ },
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "defaultValue": "Deny"
+ },
+ "PostgreSQLFlexPublicIpDenyEffect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Public network access should be disabled for PostgreSql Flexible Server",
+ "description": "This policy denies creation of Postgre SQL Flexible DB accounts with exposed public endpoints"
+ },
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "defaultValue": "Deny"
+ },
+ "MySQLFlexPublicIpDenyEffect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Public network access should be disabled for MySQL Flexible Server",
+ "description": "This policy denies creation of MySql Flexible Server DB accounts with exposed public endpoints"
+ },
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "defaultValue": "Deny"
+ },
+ "BatchPublicIpDenyEffect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Public network access should be disabled for Azure Batch Instances",
+ "description": "This policy denies creation of Azure Batch Instances with exposed public endpoints"
+ },
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "defaultValue": "Deny"
+ },
+ "MariaDbPublicIpDenyEffect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Public network access should be disabled for Azure MariaDB",
+ "description": "This policy denies creation of Azure MariaDB with exposed public endpoints"
+ },
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "defaultValue": "Deny"
+ },
+ "MlPublicIpDenyEffect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Public network access should be disabled for Azure Machine Learning",
+ "description": "This policy denies creation of Azure Machine Learning with exposed public endpoints"
+ },
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "defaultValue": "Deny"
+ },
+ "RedisCachePublicIpDenyEffect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Public network access should be disabled for Azure Cache for Redis",
+ "description": "This policy denies creation of Azure Cache for Redis with exposed public endpoints"
+ },
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "defaultValue": "Deny"
+ },
+ "BotServicePublicIpDenyEffect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Public network access should be disabled for Bot Service",
+ "description": "This policy denies creation of Bot Service with exposed public endpoints. Bots should be seet to 'isolated only' mode"
+ },
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "defaultValue": "Deny"
+ },
+ "AutomationPublicIpDenyEffect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Public network access should be disabled for Automation accounts",
+ "description": "This policy denies creation of Automation accounts with exposed public endpoints. Bots should be seet to 'isolated only' mode"
+ },
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "defaultValue": "Deny"
+ },
+ "AppConfigPublicIpDenyEffect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Public network access should be disabled for App Configuration",
+ "description": "This policy denies creation of App Configuration with exposed public endpoints"
+ },
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "defaultValue": "Deny"
+ },
+ "FunctionPublicIpDenyEffect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Public network access should be disabled for Function apps",
+ "description": "This policy denies creation of Function apps with exposed public endpoints"
+ },
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "defaultValue": "Deny"
+ },
+ "AsePublicIpDenyEffect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Public network access should be disabled for App Service Environment apps",
+ "description": "This policy denies creation of App Service Environment apps with exposed public endpoints"
+ },
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "defaultValue": "Deny"
+ },
+ "AsPublicIpDenyEffect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Public network access should be disabled for App Service apps",
+ "description": "This policy denies creation of App Service apps with exposed public endpoints"
+ },
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "defaultValue": "Deny"
+ },
+ "ApiManPublicIpDenyEffect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Public network access should be disabled for API Management services",
+ "description": "This policy denies creation of API Management services with exposed public endpoints"
+ },
+ "allowedValues": [
+ "AuditIfNotExists",
+ "Disabled"
+ ],
+ "defaultValue": "AuditIfNotExists"
+ }
+ },
+ "policyDefinitions": [
+ {
+ "policyDefinitionReferenceId": "CosmosDenyPaasPublicIP",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/797b37f7-06b8-444c-b1ad-fc62867f335a",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('CosmosPublicIpDenyEffect')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "KeyVaultDenyPaasPublicIP",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/405c5871-3e91-4644-8a63-58e19d68ff5b",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('KeyVaultPublicIpDenyEffect')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "SqlServerDenyPaasPublicIP",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('SqlServerPublicIpDenyEffect')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "StorageDenyPaasPublicIP",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b2982f36-99f2-4db5-8eff-283140c09693",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('StoragePublicIpDenyEffect')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "AKSDenyPaasPublicIP",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/040732e8-d947-40b8-95d6-854c95024bf8",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('AKSPublicIpDenyEffect')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "ACRDenyPaasPublicIP",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0fdf0491-d080-4575-b627-ad0e843cba0f",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('ACRPublicIpDenyEffect')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "AFSDenyPaasPublicIP",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/21a8cd35-125e-4d13-b82d-2e19b7208bb7",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('AFSPublicIpDenyEffect')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "PostgreSQLFlexDenyPublicIP",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5e1de0e3-42cb-4ebc-a86d-61d0c619ca48",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('PostgreSQLFlexPublicIpDenyEffect')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "MySQLFlexDenyPublicIP",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c9299215-ae47-4f50-9c54-8a392f68a052",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('MySQLFlexPublicIpDenyEffect')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "BatchDenyPublicIP",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/74c5a0ae-5e48-4738-b093-65e23a060488",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('BatchPublicIpDenyEffect')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "MariaDbDenyPublicIP",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fdccbe47-f3e3-4213-ad5d-ea459b2fa077",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('MariaDbPublicIpDenyEffect')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "MlDenyPublicIP",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/438c38d2-3772-465a-a9cc-7a6666a275ce",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('MlPublicIpDenyEffect')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "RedisCacheDenyPublicIP",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/470baccb-7e51-4549-8b1a-3e5be069f663",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('RedisCachePublicIpDenyEffect')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "BotServiceDenyPublicIP",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5e8168db-69e3-4beb-9822-57cb59202a9d",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('BotServicePublicIpDenyEffect')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "AutomationDenyPublicIP",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/955a914f-bf86-4f0e-acd5-e0766b0efcb6",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('AutomationPublicIpDenyEffect')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "AppConfigDenyPublicIP",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3d9f5e4c-9947-4579-9539-2a7695fbc187",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('AppConfigPublicIpDenyEffect')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "FunctionDenyPublicIP",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/969ac98b-88a8-449f-883c-2e9adb123127",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('FunctionPublicIpDenyEffect')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "AseDenyPublicIP",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2d048aca-6479-4923-88f5-e2ac295d9af3",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('AsePublicIpDenyEffect')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "AsDenyPublicIP",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1b5ef780-c53c-4a64-87f3-bb9c8c8094ba",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('AsPublicIpDenyEffect')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "ApiManDenyPublicIP",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/df73bd95-24da-4a4f-96b9-4e8b94b402bd",
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('ApiManPublicIpDenyEffect')]"
+ }
+ },
+ "groupNames": []
+ }
+ ],
+ "policyDefinitionGroups": null
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deny-PublicPaaSEndpoints.parameters.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deny-PublicPaaSEndpoints.parameters.json
new file mode 100644
index 0000000..46e51dd
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deny-PublicPaaSEndpoints.parameters.json
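Review bot: `ApiManPublicIpDenyEffect` accepts only `AuditIfNotExists` and `Disabled`, so inside this Deny initiative a publicly reachable API Management service is reported but never blocked, while its description still says the policy "denies creation". The description should state what the effect actually does, for example `"description": "This policy audits API Management services that have public network access enabled; it does not block their creation"`, so that operators do not assume preventive coverage for that service. The `AutomationPublicIpDenyEffect` description also carries the Bot Service sentence ("Bots should be seet to 'isolated only' mode"), apparently by copy-paste, and should drop it. Every other effect parameter also accepts `Audit` and `Disabled`, so it is worth confirming that no assignment of this set overrides a `Deny` default without a recorded exemption.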
@@ -0,0 +1,142 @@
+{
+ "ACRDenyPaasPublicIP": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('ACRPublicIpDenyEffect')]"
+ }
+ }
+ },
+ "AFSDenyPaasPublicIP": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('AFSPublicIpDenyEffect')]"
+ }
+ }
+ },
+ "AKSDenyPaasPublicIP": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('AKSPublicIpDenyEffect')]"
+ }
+ }
+ },
+ "ApiManDenyPublicIP": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('ApiManPublicIpDenyEffect')]"
+ }
+ }
+ },
+ "AppConfigDenyPublicIP": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('AppConfigPublicIpDenyEffect')]"
+ }
+ }
+ },
+ "AsDenyPublicIP": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('AsPublicIpDenyEffect')]"
+ }
+ }
+ },
+ "AseDenyPublicIP": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('AsePublicIpDenyEffect')]"
+ }
+ }
+ },
+ "AutomationDenyPublicIP": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('AutomationPublicIpDenyEffect')]"
+ }
+ }
+ },
+ "BatchDenyPublicIP": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('BatchPublicIpDenyEffect')]"
+ }
+ }
+ },
+ "BotServiceDenyPublicIP": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('BotServicePublicIpDenyEffect')]"
+ }
+ }
+ },
+ "CosmosDenyPaasPublicIP": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('CosmosPublicIpDenyEffect')]"
+ }
+ }
+ },
+ "FunctionDenyPublicIP": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('FunctionPublicIpDenyEffect')]"
+ }
+ }
+ },
+ "KeyVaultDenyPaasPublicIP": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('KeyVaultPublicIpDenyEffect')]"
+ }
+ }
+ },
+ "MariaDbDenyPublicIP": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('MariaDbPublicIpDenyEffect')]"
+ }
+ }
+ },
+ "MlDenyPublicIP": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('MlPublicIpDenyEffect')]"
+ }
+ }
+ },
+ "MySQLFlexDenyPublicIP": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('MySQLFlexPublicIpDenyEffect')]"
+ }
+ }
+ },
+ "PostgreSQLFlexDenyPublicIP": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('PostgreSQLFlexPublicIpDenyEffect')]"
+ }
+ }
+ },
+ "RedisCacheDenyPublicIP": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('RedisCachePublicIpDenyEffect')]"
+ }
+ }
+ },
+ "SqlServerDenyPaasPublicIP": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('SqlServerPublicIpDenyEffect')]"
+ }
+ }
+ },
+ "StorageDenyPaasPublicIP": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('StoragePublicIpDenyEffect')]"
+ }
+ }
+ }
+}
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-Diagnostics-LogAnalytics.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-Diagnostics-LogAnalytics.json
new file mode 100644
index 0000000..4a121b9
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-Diagnostics-LogAnalytics.json
@@ -0,0 +1,1970 @@ +{ + "name": "Deploy-Diagnostics-LogAnalytics", + "type": "Microsoft.Authorization/policySetDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "displayName": "Deploy Diagnostic Settings to Azure Services", + "description": "This policy set deploys the configurations of application Azure resources to forward diagnostic logs and metrics to an Azure Log Analytics workspace. See the list of policies of the services that are included ", + "metadata": { + "version": "2.2.0", + "category": "Monitoring", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud" + ] + }, + "parameters": { + "logAnalytics": { + "metadata": { + "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "displayName": "Log Analytics workspace", + "strongType": "omsWorkspace" + }, + "type": "String" + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "ACILogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for Container Instances to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Container Instances to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy willset the diagnostic with all metrics enabled." 
+ } + }, + "ACRLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for Container Registry to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Container Registry to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics enabled." + } + }, + "AKSLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for Kubernetes Service to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Kubernetes Service to stream to a Log Analytics workspace when any Kubernetes Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled." + } + }, + "AnalysisServiceLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for Analysis Services to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Analysis Services to stream to a Log Analytics workspace when any Analysis Services which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "APIforFHIRLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for Azure API for FHIR to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Azure API for FHIR to stream to a Log Analytics workspace when any Azure API for FHIR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "APIMgmtLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for API Management to Log Analytics workspace", + "description": "Deploys the diagnostic settings for API Management to stream to a Log Analytics workspace when any API Management which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "APIMgmtLogAnalyticsDestinationType": { + "type": "String", + "defaultValue": "AzureDiagnostics", + "allowedValues": [ + "AzureDiagnostics", + "Dedicated" + ], + "metadata": { + "displayName": "Destination table for the Diagnostic Setting for API Management to Log Analytics workspace", + "description": "Destination table for the diagnostic setting for API Management to Log Analytics workspace, allowed values are 'Dedicated' (for resource-specific) and 'AzureDiagnostics'. 
Default value is 'AzureDiagnostics'" + } + }, + "ApplicationGatewayLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for Application Gateway to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Application Gateway to stream to a Log Analytics workspace when any Application Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "AutomationLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for Automation to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Automation to stream to a Log Analytics workspace when any Automation which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "BastionLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for Azure Bastion to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Azure Bastion to stream to a Log Analytics workspace when any Bastion which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "BatchLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for Batch to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Batch to stream to a Log Analytics workspace when any Batch which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "CDNEndpointsLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for CDN Endpoint to Log Analytics workspace", + "description": "Deploys the diagnostic settings for CDN Endpoint to stream to a Log Analytics workspace when any CDN Endpoint which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "CognitiveServicesLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for Cognitive Services to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Cognitive Services to stream to a Log Analytics workspace when any Cognitive Services which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "CosmosLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for Cosmos DB to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Cosmos DB to stream to a Log Analytics workspace when any Cosmos DB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "DatabricksLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for Databricks to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Databricks to stream to a Log Analytics workspace when any Databricks which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "DataExplorerClusterLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for Azure Data Explorer Cluster to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Azure Data Explorer Cluster to stream to a Log Analytics workspace when any Azure Data Explorer Cluster which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "DataFactoryLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for Data Factory to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Data Factory to stream to a Log Analytics workspace when any Data Factory which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "DataLakeStoreLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for Azure Data Lake Store to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Azure Data Lake Store to stream to a Log Analytics workspace when anyAzure Data Lake Store which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "DataLakeAnalyticsLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Data Lake Analytics to stream to a Log Analytics workspace when any Data Lake Analytics which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "EventGridSubLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for Event Grid subscriptions to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Event Grid subscriptions to stream to a Log Analytics workspace when any Event Grid subscriptions which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "EventGridTopicLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for Event Grid Topic to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Event Grid Topic to stream to a Log Analytics workspace when any Event Grid Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "EventHubLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for Event Hubs to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Event Hubs to stream to a Log Analytics workspace when any Event Hubs which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "EventSystemTopicLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for Event Grid System Topic to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Event Grid System Topic to stream to a Log Analytics workspace when any Event Grid System Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "ExpressRouteLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for ExpressRoute to Log Analytics workspace", + "description": "Deploys the diagnostic settings for ExpressRoute to stream to a Log Analytics workspace when any ExpressRoute which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled" + } + }, + "FirewallLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for Firewall to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Firewall to stream to a Log Analytics workspace when any Firewall which is missing this diagnostic settings is created or updated. 
The Policy will set the diagnostic with all metrics and category enabled"
+ }
+ },
+ "FirewallLogAnalyticsDestinationType": {
+ "type": "String",
+ "defaultValue": "AzureDiagnostics",
+ "allowedValues": [
+ "AzureDiagnostics",
+ "Dedicated"
+ ],
+ "metadata": {
+ "displayName": "Destination table for the Diagnostic Setting for Firewall to Log Analytics workspace",
+ "description": "Destination table for the diagnostic setting for Firewall to Log Analytics workspace, allowed values are 'Dedicated' (for resource-specific) and 'AzureDiagnostics'. Default value is 'AzureDiagnostics'"
+ }
+ },
+ "FrontDoorLogAnalyticsEffect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Deploy Diagnostic Settings for Front Door to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Front Door to stream to a Log Analytics workspace when any Front Door which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled"
+ }
+ },
+ "FunctionAppLogAnalyticsEffect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Deploy Diagnostic Settings for Azure Function App to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Azure Function App to stream to a Log Analytics workspace when any function app which is missing this diagnostic settings is created or updated.
The Policy will set the diagnostic with all metrics and category enabled"
+ }
+ },
+ "HDInsightLogAnalyticsEffect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Deploy Diagnostic Settings for HDInsight to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for HDInsight to stream to a Log Analytics workspace when any HDInsight which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled"
+ }
+ },
+ "IotHubLogAnalyticsEffect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Deploy Diagnostic Settings for IoT Hub to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for IoT Hub to stream to a Log Analytics workspace when any IoT Hub which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled"
+ }
+ },
+ "KeyVaultLogAnalyticsEffect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Deploy Diagnostic Settings for Key Vault to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Key Vault to stream to a Log Analytics workspace when any Key Vault which is missing this diagnostic settings is created or updated.
The Policy will set the diagnostic with all metrics and category enabled"
+ }
+ },
+ "LoadBalancerLogAnalyticsEffect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Deploy Diagnostic Settings for Load Balancer to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Load Balancer to stream to a Log Analytics workspace when any Load Balancer which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled"
+ }
+ },
+ "LogAnalyticsLogAnalyticsEffect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Deploy Diagnostic Settings for Log Analytics to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Log Analytics to stream to a Log Analytics workspace when any Log Analytics workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category Audit enabled"
+ }
+ },
+ "LogicAppsISELogAnalyticsEffect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Deploy Diagnostic Settings for Logic Apps integration service environment to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Logic Apps integration service environment to stream to a Log Analytics workspace when any Logic Apps integration service environment which is missing this diagnostic settings is created or updated.
The Policy will set the diagnostic with all metrics and category enabled"
+ }
+ },
+ "LogicAppsWFLogAnalyticsEffect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Deploy Diagnostic Settings for Logic Apps Workflows to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Logic Apps Workflows to stream to a Log Analytics workspace when any Logic Apps Workflows which are missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled"
+ }
+ },
+ "MariaDBLogAnalyticsEffect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Deploy Diagnostic Settings for MariaDB to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for MariaDB to stream to a Log Analytics workspace when any MariaDB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled"
+ }
+ },
+ "MediaServiceLogAnalyticsEffect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Deploy Diagnostic Settings for Azure Media Service to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Azure Media Service to stream to a Log Analytics workspace when any Azure Media Service which is missing this diagnostic settings is created or updated.
The Policy will set the diagnostic with all metrics and category enabled"
+ }
+ },
+ "MlWorkspaceLogAnalyticsEffect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Deploy Diagnostic Settings for Machine Learning workspace to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Machine Learning workspace to stream to a Log Analytics workspace when any Machine Learning workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled"
+ }
+ },
+ "MySQLLogAnalyticsEffect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Deploy Diagnostic Settings for Database for MySQL to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Database for MySQL to stream to a Log Analytics workspace when any Database for MySQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled"
+ }
+ },
+ "NetworkSecurityGroupsLogAnalyticsEffect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Deploy Diagnostic Settings for Network Security Groups to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Network Security Groups to stream to a Log Analytics workspace when any Network Security Groups which is missing this diagnostic settings is created or updated.
The Policy will set the diagnostic with all metrics and category enabled"
+ }
+ },
+ "NetworkNICLogAnalyticsEffect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Deploy Diagnostic Settings for Network Interfaces to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Network Interfaces to stream to a Log Analytics workspace when any Network Interfaces which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled"
+ }
+ },
+ "PostgreSQLLogAnalyticsEffect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Deploy Diagnostic Settings for Database for PostgreSQL to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Database for PostgreSQL to stream to a Log Analytics workspace when any Database for PostgreSQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled"
+ }
+ },
+ "PowerBIEmbeddedLogAnalyticsEffect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Deploy Diagnostic Settings for Power BI Embedded to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Power BI Embedded to stream to a Log Analytics workspace when any Power BI Embedded which is missing this diagnostic settings is created or updated.
The Policy will set the diagnostic with all metrics and category enabled"
+ }
+ },
+ "NetworkPublicIPNicLogAnalyticsEffect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Deploy Diagnostic Settings for Public IP addresses to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Public IP addresses to stream to a Log Analytics workspace when any Public IP addresses which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled"
+ }
+ },
+ "RedisCacheLogAnalyticsEffect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Deploy Diagnostic Settings for Redis Cache to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Redis Cache to stream to a Log Analytics workspace when any Redis Cache which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled"
+ }
+ },
+ "RelayLogAnalyticsEffect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Deploy Diagnostic Settings for Relay to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Relay to stream to a Log Analytics workspace when any Relay which is missing this diagnostic settings is created or updated.
The Policy will set the diagnostic with all metrics and category enabled"
+ }
+ },
+ "SearchServicesLogAnalyticsEffect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Deploy Diagnostic Settings for Search Services to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Search Services to stream to a Log Analytics workspace when any Search Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled"
+ }
+ },
+ "ServiceBusLogAnalyticsEffect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Deploy Diagnostic Settings for Service Bus namespaces to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for ServiceBus to stream to a Log Analytics workspace when any ServiceBus which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled"
+ }
+ },
+ "SignalRLogAnalyticsEffect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Deploy Diagnostic Settings for SignalR to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for SignalR to stream to a Log Analytics workspace when any SignalR which is missing this diagnostic settings is created or updated.
The Policy will set the diagnostic with all metrics and category enabled"
+ }
+ },
+ "SQLDBsLogAnalyticsEffect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Deploy Diagnostic Settings for SQL Databases to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for SQL Databases to stream to a Log Analytics workspace when any SQL Databases which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled"
+ }
+ },
+ "SQLElasticPoolsLogAnalyticsEffect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Deploy Diagnostic Settings for SQL Elastic Pools to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for SQL Elastic Pools to stream to a Log Analytics workspace when any SQL Elastic Pools which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled"
+ }
+ },
+ "SQLMLogAnalyticsEffect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Deploy Diagnostic Settings for SQL Managed Instances to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for SQL Managed Instances to stream to a Log Analytics workspace when any SQL Managed Instances which is missing this diagnostic settings is created or updated.
The Policy will set the diagnostic with all metrics and category enabled"
+ }
+ },
+ "StreamAnalyticsLogAnalyticsEffect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Stream Analytics to stream to a Log Analytics workspace when any Stream Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled"
+ }
+ },
+ "TimeSeriesInsightsLogAnalyticsEffect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Deploy Diagnostic Settings for Time Series Insights to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Time Series Insights to stream to a Log Analytics workspace when any Time Series Insights which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled"
+ }
+ },
+ "TrafficManagerLogAnalyticsEffect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Deploy Diagnostic Settings for Traffic Manager to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Traffic Manager to stream to a Log Analytics workspace when any Traffic Manager which is missing this diagnostic settings is created or updated.
The Policy will set the diagnostic with all metrics and category enabled"
+ }
+ },
+ "VirtualNetworkLogAnalyticsEffect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Deploy Diagnostic Settings for Virtual Network to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Virtual Network to stream to a Log Analytics workspace when any Virtual Network which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled"
+ }
+ },
+ "VirtualMachinesLogAnalyticsEffect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Deploy Diagnostic Settings for Virtual Machines to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Virtual Machines to stream to a Log Analytics workspace when any Virtual Machines which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled"
+ }
+ },
+ "VMSSLogAnalyticsEffect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Deploy Diagnostic Settings for Virtual Machine Scale Sets to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Virtual Machine Scale Sets to stream to a Log Analytics workspace when any Virtual Machine Scale Sets which is missing this diagnostic settings is created or updated.
The Policy will set the diagnostic with all metrics and category enabled"
+ }
+ },
+ "VNetGWLogAnalyticsEffect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Deploy Diagnostic Settings for VPN Gateway to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for VPN Gateway to stream to a Log Analytics workspace when any VPN Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled."
+ }
+ },
+ "AppServiceLogAnalyticsEffect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Deploy Diagnostic Settings for App Service Plan to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for App Service Plan to stream to a Log Analytics workspace when any App Service Plan which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled"
+ }
+ },
+ "AppServiceWebappLogAnalyticsEffect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Deploy Diagnostic Settings for App Service to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Web App to stream to a Log Analytics workspace when any Web App which is missing this diagnostic settings is created or updated.
The Policy will set the diagnostic with all metrics and category enabled"
+ }
+ },
+ "AVDScalingPlansLogAnalyticsEffect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Deploy Diagnostic Settings for AVD Scaling Plans to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for AVD Scaling Plans to stream to a Log Analytics workspace when any application groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled"
+ }
+ },
+ "WVDAppGroupsLogAnalyticsEffect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Deploy Diagnostic Settings for AVD Application Groups to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for AVD Application groups to stream to a Log Analytics workspace when any application groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled"
+ }
+ },
+ "WVDWorkspaceLogAnalyticsEffect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Deploy Diagnostic Settings for AVD Workspace to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for AVD Workspace to stream to a Log Analytics workspace when any Workspace which is missing this diagnostic settings is created or updated.
The Policy will set the diagnostic with all metrics and category enabled"
+ }
+ },
+ "WVDHostPoolsLogAnalyticsEffect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Deploy Diagnostic Settings for AVD Host pools to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for AVD Host pools to stream to a Log Analytics workspace when any host pool which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled"
+ }
+ },
+ "StorageAccountsLogAnalyticsEffect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Deploy Diagnostic Settings for Storage Accounts to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Storage Accounts to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled"
+ }
+ },
+ "VWanS2SVPNGWLogAnalyticsEffect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Deploy Diagnostic Settings for VWAN S2S VPN gateway to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for VWAN S2S VPN gateway to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated.
The Policy will set the diagnostic with all metrics and category enabled"
+ }
+ }
+ },
+ "policyDefinitions": [
+ {
+ "policyDefinitionReferenceId": "StorageAccountDeployDiagnosticLogDeployLogAnalytics",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/59759c62-9a22-4cdf-ae64-074495983fef",
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "effect": {
+ "value": "[[parameters('StorageAccountsLogAnalyticsEffect')]"
+ },
+ "profileName": {
+ "value": "[[parameters('profileName')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "StorageAccountBlobServicesDeployDiagnosticLogDeployLogAnalytics",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b4fe1a3b-0715-4c6c-a5ea-ffc33cf823cb",
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "effect": {
+ "value": "[[parameters('StorageAccountsLogAnalyticsEffect')]"
+ },
+ "profileName": {
+ "value": "[[parameters('profileName')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "StorageAccountFileServicesDeployDiagnosticLogDeployLogAnalytics",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/25a70cc8-2bd4-47f1-90b6-1478e4662c96",
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "effect": {
+ "value": "[[parameters('StorageAccountsLogAnalyticsEffect')]"
+ },
+ "profileName": {
+ "value": "[[parameters('profileName')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "StorageAccountQueueServicesDeployDiagnosticLogDeployLogAnalytics",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7bd000e3-37c7-4928-9f31-86c4b77c5c45",
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "effect": {
+ "value": "[[parameters('StorageAccountsLogAnalyticsEffect')]"
+ },
+ "profileName": {
+ "value":
"[[parameters('profileName')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "StorageAccountTableServicesDeployDiagnosticLogDeployLogAnalytics",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2fb86bf3-d221-43d1-96d1-2434af34eaa0",
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "effect": {
+ "value": "[[parameters('StorageAccountsLogAnalyticsEffect')]"
+ },
+ "profileName": {
+ "value": "[[parameters('profileName')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "AVDScalingPlansDeployDiagnosticLogDeployLogAnalytics",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AVDScalingPlans",
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "effect": {
+ "value": "[[parameters('AVDScalingPlansLogAnalyticsEffect')]"
+ },
+ "profileName": {
+ "value": "[[parameters('profileName')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "WVDAppGroupDeployDiagnosticLogDeployLogAnalytics",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDAppGroup",
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "effect": {
+ "value": "[[parameters('WVDAppGroupsLogAnalyticsEffect')]"
+ },
+ "profileName": {
+ "value": "[[parameters('profileName')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "WVDWorkspaceDeployDiagnosticLogDeployLogAnalytics",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDWorkspace",
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "effect": {
+ "value": "[[parameters('WVDWorkspaceLogAnalyticsEffect')]"
+ },
+ "profileName": {
+ "value":
"[[parameters('profileName')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "WVDHostPoolsDeployDiagnosticLogDeployLogAnalytics",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDHostPools",
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "effect": {
+ "value": "[[parameters('WVDHostPoolsLogAnalyticsEffect')]"
+ },
+ "profileName": {
+ "value": "[[parameters('profileName')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "ACIDeployDiagnosticLogDeployLogAnalytics",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACI",
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "effect": {
+ "value": "[[parameters('ACILogAnalyticsEffect')]"
+ },
+ "profileName": {
+ "value": "[[parameters('profileName')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "ACRDeployDiagnosticLogDeployLogAnalytics",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACR",
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "effect": {
+ "value": "[[parameters('ACRLogAnalyticsEffect')]"
+ },
+ "profileName": {
+ "value": "[[parameters('profileName')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "AKSDeployDiagnosticLogDeployLogAnalytics",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6c66c325-74c8-42fd-a286-a74b0e2939d8",
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "effect": {
+ "value": "[[parameters('AKSLogAnalyticsEffect')]"
+ },
+ "diagnosticsSettingNameToUse": {
+ "value": "[[parameters('profileName')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
"policyDefinitionReferenceId": "AnalysisServiceDeployDiagnosticLogDeployLogAnalytics",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AnalysisService",
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "effect": {
+ "value": "[[parameters('AnalysisServiceLogAnalyticsEffect')]"
+ },
+ "profileName": {
+ "value": "[[parameters('profileName')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "APIforFHIRDeployDiagnosticLogDeployLogAnalytics",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApiForFHIR",
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "effect": {
+ "value": "[[parameters('APIforFHIRLogAnalyticsEffect')]"
+ },
+ "profileName": {
+ "value": "[[parameters('profileName')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "APIMgmtDeployDiagnosticLogDeployLogAnalytics",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-APIMgmt",
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "logAnalyticsDestinationType": {
+ "value": "[[parameters('APIMgmtLogAnalyticsDestinationType')]"
+ },
+ "effect": {
+ "value": "[[parameters('APIMgmtLogAnalyticsEffect')]"
+ },
+ "profileName": {
+ "value": "[[parameters('profileName')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "ApplicationGatewayDeployDiagnosticLogDeployLogAnalytics",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApplicationGateway",
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "effect": {
+ "value":
"[[parameters('ApplicationGatewayLogAnalyticsEffect')]"
+ },
+ "profileName": {
+ "value": "[[parameters('profileName')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "AutomationDeployDiagnosticLogDeployLogAnalytics",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AA",
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "effect": {
+ "value": "[[parameters('AutomationLogAnalyticsEffect')]"
+ },
+ "profileName": {
+ "value": "[[parameters('profileName')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "BastionDeployDiagnosticLogDeployLogAnalytics",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Bastion",
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "effect": {
+ "value": "[[parameters('BastionLogAnalyticsEffect')]"
+ },
+ "profileName": {
+ "value": "[[parameters('profileName')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "BatchDeployDiagnosticLogDeployLogAnalytics",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c84e5349-db6d-4769-805e-e14037dab9b5",
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "effect": {
+ "value": "[[parameters('BatchLogAnalyticsEffect')]"
+ },
+ "profileName": {
+ "value": "[[parameters('profileName')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "CDNEndpointsDeployDiagnosticLogDeployLogAnalytics",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CDNEndpoints",
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "effect": {
+ "value": "[[parameters('CDNEndpointsLogAnalyticsEffect')]"
+ },
+ "profileName":
{ + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "CognitiveServicesDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CognitiveServices", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('CognitiveServicesLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "CosmosDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CosmosDB", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('CosmosLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "DatabricksDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Databricks", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('DatabricksLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "DataExplorerClusterDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataExplorerCluster", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('DataExplorerClusterLogAnalyticsEffect')]" + }, + 
"profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "DataFactoryDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataFactory", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('DataFactoryLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "DataLakeStoreDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('DataLakeStoreLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "DataLakeAnalyticsDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DLAnalytics", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('DataLakeAnalyticsLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "EventGridSubDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSub", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('EventGridSubLogAnalyticsEffect')]" + }, + "profileName": { + "value": 
"[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "EventGridTopicDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridTopic", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('EventGridTopicLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "EventHubDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1f6e93e8-6b31-41b1-83f6-36e449a42579", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('EventHubLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "EventSystemTopicDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSystemTopic", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('EventSystemTopicLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "ExpressRouteDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ExpressRoute", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('ExpressRouteLogAnalyticsEffect')]" + }, + "profileName": { + "value": 
"[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "FirewallDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Firewall", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "logAnalyticsDestinationType": { + "value": "[[parameters('FirewallLogAnalyticsDestinationType')]" + }, + "effect": { + "value": "[[parameters('FirewallLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "FrontDoorDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-FrontDoor", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('FrontDoorLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "FunctionAppDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Function", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('FunctionAppLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "HDInsightDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-HDInsight", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": 
"[[parameters('HDInsightLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "IotHubDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-iotHub", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('IotHubLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "KeyVaultDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bef3f64c-5290-43b7-85b0-9b254eef4c47", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('KeyVaultLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "LoadBalancerDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LoadBalancer", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('LoadBalancerLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "LogAnalyticsDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogAnalytics", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('LogAnalyticsLogAnalyticsEffect')]" + }, + 
"profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "LogicAppsISEDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogicAppsISE", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('LogicAppsISELogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "LogicAppsWFDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b889a06c-ec72-4b03-910a-cb169ee18721", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('LogicAppsWFLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "MariaDBDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MariaDB", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('MariaDBLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "MediaServiceDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MediaService", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('MediaServiceLogAnalyticsEffect')]" + }, + "profileName": { + "value": 
"[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "MlWorkspaceDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MlWorkspace", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('MlWorkspaceLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "MySQLDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MySQL", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('MySQLLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "NetworkSecurityGroupsDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NetworkSecurityGroups", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('NetworkSecurityGroupsLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "NetworkNICDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NIC", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('NetworkNICLogAnalyticsEffect')]" + }, + "profileName": { + "value": 
"[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "PostgreSQLDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PostgreSQL", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('PostgreSQLLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "PowerBIEmbeddedDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PowerBIEmbedded", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('PowerBIEmbeddedLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "NetworkPublicIPNicDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/752154a7-1e0f-45c6-a880-ac75a7e4f648", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('NetworkPublicIPNicLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "True" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "RecoveryVaultDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c717fb0c-d118-4c43-ab3d-ece30ac81fb3", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + 
"policyDefinitionReferenceId": "RedisCacheDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-RedisCache", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('RedisCacheLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "RelayDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Relay", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('RelayLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "SearchServicesDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/08ba64b8-738f-4918-9686-730d2ed79c7d", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('SearchServicesLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "ServiceBusDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/04d53d87-841c-4f23-8a5b-21564380b55e", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('ServiceBusLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "SignalRDeployDiagnosticLogDeployLogAnalytics", + 
"policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SignalR", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('SignalRLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "SQLDatabaseDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b79fa14e-238a-4c2d-b376-442ce508fc84", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('SQLDBsLogAnalyticsEffect')]" + }, + "diagnosticsSettingNameToUse": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "SQLElasticPoolsDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLElasticPools", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('SQLElasticPoolsLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "SQLMDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLMI", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('SQLMLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "StreamAnalyticsDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": 
"/providers/Microsoft.Authorization/policyDefinitions/237e0f7e-b0e8-4ec4-ad46-8c12cb66d673", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('StreamAnalyticsLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "TimeSeriesInsightsDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TimeSeriesInsights", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('TimeSeriesInsightsLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "TrafficManagerDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TrafficManager", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('TrafficManagerLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "VirtualNetworkDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VirtualNetwork", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('VirtualNetworkLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "VirtualMachinesDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": 
"${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VM", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('VirtualMachinesLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "VMSSDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VMSS", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('VMSSLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "VNetGWDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VNetGW", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('VNetGWLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "AppServiceDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WebServerFarm", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('AppServiceLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "AppServiceWebappDeployDiagnosticLogDeployLogAnalytics", + "policyDefinitionId": 
"${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Website",
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "effect": {
+ "value": "[[parameters('AppServiceWebappLogAnalyticsEffect')]"
+ },
+ "profileName": {
+ "value": "[[parameters('profileName')]"
+ }
+ },
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "VWanS2SVPNGWDeployDiagnosticLogDeployLogAnalytics",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VWanS2SVPNGW",
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "effect": {
+ "value": "[[parameters('VWanS2SVPNGWLogAnalyticsEffect')]"
+ },
+ "profileName": {
+ "value": "[[parameters('profileName')]"
+ }
+ },
+ "groupNames": []
+ }
+ ],
+ "policyDefinitionGroups": null
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-Diagnostics-LogAnalytics.parameters.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-Diagnostics-LogAnalytics.parameters.json
new file mode 100644
index 0000000..86f6c96
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-Diagnostics-LogAnalytics.parameters.json
@@ -0,0 +1,918 @@
+{
+ "ACIDeployDiagnosticLogDeployLogAnalytics": {
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "effect": {
+ "value": "[[parameters('ACILogAnalyticsEffect')]"
+ },
+ "profileName": {
+ "value": "[[parameters('profileName')]"
+ }
+ }
+ },
+ "ACRDeployDiagnosticLogDeployLogAnalytics": {
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "effect": {
+ "value": "[[parameters('ACRLogAnalyticsEffect')]"
+ },
+ "profileName": {
+ "value": "[[parameters('profileName')]"
+ }
+ }
+ },
+ "AKSDeployDiagnosticLogDeployLogAnalytics": {
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "effect": {
+ "value": "[[parameters('AKSLogAnalyticsEffect')]"
+ },
+ "diagnosticsSettingNameToUse": {
+ "value": "[[parameters('profileName')]"
+ }
+ }
+ },
+ "AnalysisServiceDeployDiagnosticLogDeployLogAnalytics": {
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "effect": {
+ "value": "[[parameters('AnalysisServiceLogAnalyticsEffect')]"
+ },
+ "profileName": {
+ "value": "[[parameters('profileName')]"
+ }
+ }
+ },
+ "APIforFHIRDeployDiagnosticLogDeployLogAnalytics": {
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "effect": {
+ "value": "[[parameters('APIforFHIRLogAnalyticsEffect')]"
+ },
+ "profileName": {
+ "value": "[[parameters('profileName')]"
+ }
+ }
+ },
+ "APIMgmtDeployDiagnosticLogDeployLogAnalytics": {
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "logAnalyticsDestinationType": {
+ "value": "[[parameters('APIMgmtLogAnalyticsDestinationType')]"
+ },
+ "effect": {
+ "value": "[[parameters('APIMgmtLogAnalyticsEffect')]"
+ },
+ "profileName": {
+ "value": "[[parameters('profileName')]"
+ }
+ }
+ },
+ "ApplicationGatewayDeployDiagnosticLogDeployLogAnalytics": {
+ "parameters": {
+ "logAnalytics": {
+ "value": 
"[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('ApplicationGatewayLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "AppServiceDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('AppServiceLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "AppServiceWebappDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('AppServiceWebappLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "AutomationDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('AutomationLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "AVDScalingPlansDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('AVDScalingPlansLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "BastionDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('BastionLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "BatchDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('BatchLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + 
"CDNEndpointsDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('CDNEndpointsLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "CognitiveServicesDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('CognitiveServicesLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "CosmosDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('CosmosLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "DatabricksDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('DatabricksLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "DataExplorerClusterDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('DataExplorerClusterLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "DataFactoryDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('DataFactoryLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "DataLakeAnalyticsDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": 
"[[parameters('DataLakeAnalyticsLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "DataLakeStoreDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('DataLakeStoreLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "EventGridSubDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('EventGridSubLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "EventGridTopicDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('EventGridTopicLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "EventHubDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('EventHubLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "EventSystemTopicDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('EventSystemTopicLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "ExpressRouteDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('ExpressRouteLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "FirewallDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + 
"logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "logAnalyticsDestinationType": { + "value": "[[parameters('FirewallLogAnalyticsDestinationType')]" + }, + "effect": { + "value": "[[parameters('FirewallLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "FrontDoorDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('FrontDoorLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "FunctionAppDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('FunctionAppLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "HDInsightDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('HDInsightLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "IotHubDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('IotHubLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "KeyVaultDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('KeyVaultLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "LoadBalancerDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('LoadBalancerLogAnalyticsEffect')]" + }, + 
"profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "LogAnalyticsDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('LogAnalyticsLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "LogicAppsISEDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('LogicAppsISELogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "LogicAppsWFDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('LogicAppsWFLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "MariaDBDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('MariaDBLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "MediaServiceDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('MediaServiceLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "MlWorkspaceDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('MlWorkspaceLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "MySQLDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + 
"value": "[[parameters('MySQLLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "NetworkNICDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('NetworkNICLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "NetworkPublicIPNicDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('NetworkPublicIPNicLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "True" + } + } + }, + "NetworkSecurityGroupsDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('NetworkSecurityGroupsLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "PostgreSQLDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('PostgreSQLLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "PowerBIEmbeddedDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('PowerBIEmbeddedLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "RecoveryVaultDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "RedisCacheDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { 
+ "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('RedisCacheLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "RelayDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('RelayLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "SearchServicesDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('SearchServicesLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "ServiceBusDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('ServiceBusLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "SignalRDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('SignalRLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "SQLDatabaseDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('SQLDBsLogAnalyticsEffect')]" + }, + "diagnosticsSettingNameToUse": { + "value": "[[parameters('profileName')]" + } + } + }, + "SQLElasticPoolsDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('SQLElasticPoolsLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + 
"SQLMDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('SQLMLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "StorageAccountBlobServicesDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('StorageAccountsLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "StorageAccountDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('StorageAccountsLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "StorageAccountFileServicesDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('StorageAccountsLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "StorageAccountQueueServicesDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('StorageAccountsLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "StorageAccountTableServicesDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('StorageAccountsLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "StreamAnalyticsDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { 
+ "value": "[[parameters('StreamAnalyticsLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "TimeSeriesInsightsDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('TimeSeriesInsightsLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "TrafficManagerDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('TrafficManagerLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "VirtualMachinesDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('VirtualMachinesLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "VirtualNetworkDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('VirtualNetworkLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "VMSSDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('VMSSLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "VNetGWDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('VNetGWLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "VWanS2SVPNGWDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + 
"logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('VWanS2SVPNGWLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "WVDAppGroupDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('WVDAppGroupsLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "WVDHostPoolsDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('WVDHostPoolsLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + "WVDWorkspaceDeployDiagnosticLogDeployLogAnalytics": { + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('WVDWorkspaceLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + } +} diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-MDFC-Config.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-MDFC-Config.json new file mode 100644 index 0000000..b3c5877 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-MDFC-Config.json 
@@ -0,0 +1,441 @@ +{ + "name": "Deploy-MDFC-Config", + "type": "Microsoft.Authorization/policySetDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "displayName": "Deploy Microsoft Defender for Cloud configuration", + "description": "Deploy Microsoft Defender for Cloud configuration", + "metadata": { + "version": "5.0.1", + "category": "Security Center", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud" + ] + }, + "parameters": { + "emailSecurityContact": { + "type": "string", + "metadata": { + "displayName": "Security contacts email address", + "description": "Provide email address for Microsoft Defender for Cloud contact details" + } + }, + "minimalSeverity": { + "type": "string", + "allowedValues": [ + "High", + "Medium", + "Low" + ], + "defaultValue": "High", + "metadata": { + "displayName": "Minimal severity", + "description": "Defines the minimal alert severity which will be sent as email notifications" + } + }, + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Primary Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "ascExportResourceGroupName": { + "type": "String", + "metadata": { + "displayName": "Resource Group name for the export to Log Analytics workspace configuration", + "description": "The resource group name where the export to Log Analytics workspace configuration is created. If you enter a name for a resource group that doesn't exist, it'll be created in the subscription. Note that each resource group can only have one export to Log Analytics workspace configured." 
+ } + }, + "ascExportResourceGroupLocation": { + "type": "String", + "metadata": { + "displayName": "Resource Group location for the export to Log Analytics workspace configuration", + "description": "The location where the resource group and the export to Log Analytics workspace configuration are created." + } + }, + "enableAscForCosmosDbs": { + "type": "String", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "enableAscForSql": { + "type": "String", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "enableAscForSqlOnVm": { + "type": "String", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "enableAscForDns": { + "type": "String", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "enableAscForArm": { + "type": "String", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "enableAscForOssDb": { + "type": "String", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "enableAscForAppServices": { + "type": "String", + "allowedValues": [ + "DeployIfNotExists", + 
"Disabled" + ], + "defaultValue": "DeployIfNotExists", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "enableAscForKeyVault": { + "type": "String", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "enableAscForStorage": { + "type": "String", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "enableAscForContainers": { + "type": "String", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "enableAscForServers": { + "type": "String", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "enableAscForServersVulnerabilityAssessments": { + "type": "String", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "vulnerabilityAssessmentProvider": { + "type": "String", + "allowedValues": [ + "default", + "mdeTvm" + ], + "defaultValue": "default", + "metadata": { + "displayName": "Vulnerability assessment provider type", + "description": "Select the vulnerability assessment solution to provision to machines." 
+ } + }, + "enableAscForApis": { + "type": "String", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "enableAscForCspm": { + "type": "String", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + } + }, + "policyDefinitions": [ + { + "policyDefinitionReferenceId": "defenderForOssDb", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/44433aa3-7ec2-4002-93ea-65c65ff0310a", + "parameters": { + "effect": { + "value": "[[parameters('enableAscForOssDb')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "defenderForVM", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8e86a5b6-b9bd-49d1-8e21-4bb8a0862222", + "parameters": { + "effect": { + "value": "[[parameters('enableAscForServers')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "defenderForVMVulnerabilityAssessment", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/13ce0167-8ca6-4048-8e6b-f996402e3c1b", + "parameters": { + "effect": { + "value": "[[parameters('enableAscForServersVulnerabilityAssessments')]" + }, + "vaType": { + "value": "[[parameters('vulnerabilityAssessmentProvider')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "defenderForSqlServerVirtualMachines", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/50ea7265-7d8c-429e-9a7d-ca1f410191c3", + "parameters": { + "effect": { + "value": "[[parameters('enableAscForSqlOnVm')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "defenderForAppServices", + "policyDefinitionId": 
"/providers/Microsoft.Authorization/policyDefinitions/b40e7bcd-a1e5-47fe-b9cf-2f534d0bfb7d", + "parameters": { + "effect": { + "value": "[[parameters('enableAscForAppServices')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "defenderForStorageAccounts", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/74c30959-af11-47b3-9ed2-a26e03f427a3", + "parameters": { + "effect": { + "value": "[[parameters('enableAscForStorage')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "defenderforContainers", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c9ddb292-b203-4738-aead-18e2716e858f", + "parameters": { + "effect": { + "value": "[[parameters('enableAscForContainers')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "defenderforKubernetes", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/64def556-fbad-4622-930e-72d1d5589bf5", + "parameters": { + "effect": { + "value": "[[parameters('enableAscForContainers')]" + }, + "logAnalyticsWorkspaceResourceId": { + "value": "[[parameters('logAnalytics')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "azurePolicyForKubernetes", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7", + "parameters": { + "effect": { + "value": "[[parameters('enableAscForContainers')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "defenderForKeyVaults", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1f725891-01c0-420a-9059-4fa46cb770b7", + "parameters": { + "effect": { + "value": "[[parameters('enableAscForKeyVault')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "defenderForDns", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2370a3c1-4a25-4283-a91a-c9c1a145fb2f", + "parameters": { + "effect": { + 
"value": "[[parameters('enableAscForDns')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "defenderForArm", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b7021b2b-08fd-4dc0-9de7-3c6ece09faf9", + "parameters": { + "effect": { + "value": "[[parameters('enableAscForArm')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "defenderForSqlPaas", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491", + "parameters": { + "effect": { + "value": "[[parameters('enableAscForSql')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "defenderForCosmosDbs", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/82bf5b87-728b-4a74-ba4d-6123845cf542", + "parameters": { + "effect": { + "value": "[[parameters('enableAscForCosmosDbs')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "defenderForApis", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e54d2be9-5f2e-4d65-98e4-4f0e670b23d6", + "parameters": { + "effect": { + "value": "[[parameters('enableAscForApis')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "defenderForCspm", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/689f7782-ef2c-4270-a6d0-7664869076bd", + "parameters": { + "effect": { + "value": "[[parameters('enableAscForCspm')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "securityEmailContact", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts", + "parameters": { + "emailSecurityContact": { + "value": "[[parameters('emailSecurityContact')]" + }, + "minimalSeverity": { + "value": "[[parameters('minimalSeverity')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "ascExport", + "policyDefinitionId": 
"/providers/Microsoft.Authorization/policyDefinitions/ffb6f416-7bd2-4488-8828-56585fef2be9", + "parameters": { + "resourceGroupName": { + "value": "[[parameters('ascExportResourceGroupName')]" + }, + "resourceGroupLocation": { + "value": "[[parameters('ascExportResourceGroupLocation')]" + }, + "workspaceResourceId": { + "value": "[[parameters('logAnalytics')]" + } + }, + "groupNames": [] + } + ], + "policyDefinitionGroups": null + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-MDFC-Config.parameters.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-MDFC-Config.parameters.json new file mode 100644 index 0000000..b872085 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-MDFC-Config.parameters.json 
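Review bot: Every `enableAscFor*` parameter in this initiative carries the same `"displayName": "Effect"` and `"description": "Enable or disable the execution of the policy"`, so whoever assigns it cannot tell from the metadata which Defender plan a given switch turns off. Since `Disabled` is an allowed value for each of them, a distinct label per plan would make an unintended disablement easier to avoid and to spot in review, for example `"displayName": "Effect: Defender for Key Vault"` on `enableAscForKeyVault`. `enableAscForContainers` also feeds three references (`defenderforContainers`, `defenderforKubernetes` and `azurePolicyForKubernetes`), and its description should say so, because setting it to `Disabled` switches off all three at once.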
@@ -0,0 +1,143 @@
+{
+ "ascExport": {
+ "parameters": {
+ "resourceGroupName": {
+ "value": "[[parameters('ascExportResourceGroupName')]"
+ },
+ "resourceGroupLocation": {
+ "value": "[[parameters('ascExportResourceGroupLocation')]"
+ },
+ "workspaceResourceId": {
+ "value": "[[parameters('logAnalytics')]"
+ }
+ }
+ },
+ "azurePolicyForKubernetes": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('enableAscForContainers')]"
+ }
+ }
+ },
+ "defenderForApis": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('enableAscForApis')]"
+ }
+ }
+ },
+ "defenderForAppServices": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('enableAscForAppServices')]"
+ }
+ }
+ },
+ "defenderForArm": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('enableAscForArm')]"
+ }
+ }
+ },
+ "defenderforContainers": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('enableAscForContainers')]"
+ }
+ }
+ },
+ "defenderForCosmosDbs": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('enableAscForCosmosDbs')]"
+ }
+ }
+ },
+ "defenderForCspm": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('enableAscForCspm')]"
+ }
+ }
+ },
+ "defenderForDns": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('enableAscForDns')]"
+ }
+ }
+ },
+ "defenderForKeyVaults": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('enableAscForKeyVault')]"
+ }
+ }
+ },
+ "defenderforKubernetes": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('enableAscForContainers')]"
+ },
+ "logAnalyticsWorkspaceResourceId": {
+ "value": "[[parameters('logAnalytics')]"
+ }
+ }
+ },
+ "defenderForOssDb": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('enableAscForOssDb')]"
+ }
+ }
+ },
+ "defenderForSqlPaas": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('enableAscForSql')]"
+ }
+ }
+ },
+ "defenderForSqlServerVirtualMachines": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('enableAscForSqlOnVm')]"
+ }
+ }
+ },
+ "defenderForStorageAccounts": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('enableAscForStorage')]"
+ }
+ }
+ },
+ "defenderForVM": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('enableAscForServers')]"
+ }
+ }
+ },
+ "defenderForVMVulnerabilityAssessment": {
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('enableAscForServersVulnerabilityAssessments')]"
+ },
+ "vaType": {
+ "value": "[[parameters('vulnerabilityAssessmentProvider')]"
+ }
+ }
+ },
+ "securityEmailContact": {
+ "parameters": {
+ "emailSecurityContact": {
+ "value": "[[parameters('emailSecurityContact')]"
+ },
+ "minimalSeverity": {
+ "value": "[[parameters('minimalSeverity')]"
+ }
+ }
+ }
+}
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-Private-DNS-Zones.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-Private-DNS-Zones.json
new file mode 100644
index 0000000..d6cffb1
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-Private-DNS-Zones.json
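Review bot: The keys `defenderforContainers` and `defenderforKubernetes` are spelled with a lower-case `for`, while every other key in this file uses `defenderFor…`. They currently match the `policyDefinitionReferenceId` values in `policy_set_definition_es_Deploy-MDFC-Config.json`, so the mapping is intact. A casing clean-up applied to only one of the two files would presumably leave those two members without their `effect` and workspace parameters, though how the Bicep module joins the files is not visible in this diff. If the spelling is changed, both files need the same rename in one commit, to `"defenderForContainers": {` and `"defenderForKubernetes": {` here and the matching reference ids there.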
@@ -0,0 +1,1182 @@ +{ + "name": "Deploy-Private-DNS-Zones", + "type": "Microsoft.Authorization/policySetDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "displayName": "Configure Azure PaaS services to use private DNS zones", + "description": "This policy initiative is a group of policies that ensures private endpoints to Azure PaaS services are integrated with Azure Private DNS zones", + "metadata": { + "version": "1.1.0", + "category": "Network", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud" + ] + }, + "parameters": { + "azureFilePrivateDnsZoneId": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "azureFilePrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureAutomationWebhookPrivateDnsZoneId": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "azureAutomationWebhookPrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureAutomationDSCHybridPrivateDnsZoneId": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "azureAutomationDSCHybridPrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureCosmosSQLPrivateDnsZoneId": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "azureCosmosSQLPrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureCosmosMongoPrivateDnsZoneId": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "azureCosmosMongoPrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureCosmosCassandraPrivateDnsZoneId": { + 
"type": "string", + "defaultValue": "", + "metadata": { + "displayName": "azureCosmosCassandraPrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureCosmosGremlinPrivateDnsZoneId": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "azureCosmosGremlinPrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureCosmosTablePrivateDnsZoneId": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "azureCosmosTablePrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureDataFactoryPrivateDnsZoneId": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "azureDataFactoryPrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureDataFactoryPortalPrivateDnsZoneId": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "azureDataFactoryPortalPrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureHDInsightPrivateDnsZoneId": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "azureHDInsightPrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureMigratePrivateDnsZoneId": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "azureMigratePrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureStorageBlobPrivateDnsZoneId": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "azureStorageBlobPrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + 
"description": "Private DNS Zone Identifier" + } + }, + "azureStorageBlobSecPrivateDnsZoneId": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "azureStorageBlobSecPrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureStorageQueuePrivateDnsZoneId": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "azureStorageQueuePrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureStorageQueueSecPrivateDnsZoneId": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "azureStorageQueueSecPrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureStorageFilePrivateDnsZoneId": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "azureStorageFilePrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureStorageStaticWebPrivateDnsZoneId": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "azureStorageStaticWebPrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureStorageStaticWebSecPrivateDnsZoneId": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "azureStorageStaticWebSecPrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureStorageDFSPrivateDnsZoneId": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "azureStorageDFSPrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureStorageDFSSecPrivateDnsZoneId": { + "type": "string", + "defaultValue": "", + 
"metadata": { + "displayName": "azureStorageDFSSecPrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureSynapseSQLPrivateDnsZoneId": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "azureSynapseSQLPrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureSynapseSQLODPrivateDnsZoneId": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "azureSynapseSQLODPrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureSynapseDevPrivateDnsZoneId": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "azureSynapseDevPrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureMediaServicesKeyPrivateDnsZoneId": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "azureMediaServicesKeyPrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureMediaServicesLivePrivateDnsZoneId": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "azureMediaServicesLivePrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureMediaServicesStreamPrivateDnsZoneId": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "azureMediaServicesStreamPrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureMonitorPrivateDnsZoneId1": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "azureMonitorPrivateDnsZoneId1", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private 
DNS Zone Identifier" + } + }, + "azureMonitorPrivateDnsZoneId2": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "azureMonitorPrivateDnsZoneId2", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureMonitorPrivateDnsZoneId3": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "azureMonitorPrivateDnsZoneId3", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureMonitorPrivateDnsZoneId4": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "azureMonitorPrivateDnsZoneId4", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureMonitorPrivateDnsZoneId5": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "azureMonitorPrivateDnsZoneId5", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureWebPrivateDnsZoneId": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "azureWebPrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureBatchPrivateDnsZoneId": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "azureBatchPrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureAppPrivateDnsZoneId": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "azureAppPrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureAsrPrivateDnsZoneId": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "azureAsrPrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS 
Zone Identifier" + } + }, + "azureIotPrivateDnsZoneId": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "azureIotPrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureKeyVaultPrivateDnsZoneId": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "azureKeyVaultPrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureSignalRPrivateDnsZoneId": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "azureSignalRPrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureAppServicesPrivateDnsZoneId": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "azureAppServicesPrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureEventGridTopicsPrivateDnsZoneId": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "azureEventGridTopicsPrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureDiskAccessPrivateDnsZoneId": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "azureDiskAccessPrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureCognitiveServicesPrivateDnsZoneId": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "azureCognitiveServicesPrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureIotHubsPrivateDnsZoneId": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "azureIotHubsPrivateDnsZoneId", + "strongType": 
"Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureEventGridDomainsPrivateDnsZoneId": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "azureEventGridDomainsPrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureRedisCachePrivateDnsZoneId": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "azureRedisCachePrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureAcrPrivateDnsZoneId": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "azureAcrPrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureEventHubNamespacePrivateDnsZoneId": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "azureEventHubNamespacePrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureMachineLearningWorkspacePrivateDnsZoneId": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "azureMachineLearningWorkspacePrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureServiceBusNamespacePrivateDnsZoneId": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "azureServiceBusNamespacePrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureCognitiveSearchPrivateDnsZoneId": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "azureCognitiveSearchPrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "effect": { + "type": 
"string", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists" + }, + "effect1": { + "type": "string", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "deployIfNotExists", + "Disabled" + ], + "defaultValue": "deployIfNotExists" + } + }, + "policyDefinitions": [ + { + "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-File-Sync", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/06695360-db88-47f6-b976-7500d4297475", + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureFileprivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Automation-Webhook", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6dd01e4f-1be1-4e80-9d0b-d109e04cb064", + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureAutomationWebhookPrivateDnsZoneId')]" + }, + "privateEndpointGroupId": { + "value": "Webhook" + }, + "effect": { + "value": "[[parameters('effect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Automation-DSCHybrid", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6dd01e4f-1be1-4e80-9d0b-d109e04cb064", + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureAutomationDSCHybridPrivateDnsZoneId')]" + }, + "privateEndpointGroupId": { + "value": "DSCAndHybridWorker" + }, + "effect": { + "value": "[[parameters('effect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Cosmos-SQL", + "policyDefinitionId": 
"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f", + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureCosmosSQLPrivateDnsZoneId')]" + }, + "privateEndpointGroupId": { + "value": "SQL" + }, + "effect": { + "value": "[[parameters('effect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Cosmos-MongoDB", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f", + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureCosmosMongoPrivateDnsZoneId')]" + }, + "privateEndpointGroupId": { + "value": "MongoDB" + }, + "effect": { + "value": "[[parameters('effect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Cosmos-Cassandra", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f", + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureCosmosCassandraPrivateDnsZoneId')]" + }, + "privateEndpointGroupId": { + "value": "Cassandra" + }, + "effect": { + "value": "[[parameters('effect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Cosmos-Gremlin", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f", + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureCosmosGremlinPrivateDnsZoneId')]" + }, + "privateEndpointGroupId": { + "value": "Gremlin" + }, + "effect": { + "value": "[[parameters('effect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Cosmos-Table", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f", + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureCosmosTablePrivateDnsZoneId')]" + }, + 
"privateEndpointGroupId": { + "value": "Table" + }, + "effect": { + "value": "[[parameters('effect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-DataFactory", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86cd96e1-1745-420d-94d4-d3f2fe415aa4", + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureDataFactoryPrivateDnsZoneId')]" + }, + "listOfGroupIds": { + "value": [ + "dataFactory" + ] + }, + "effect": { + "value": "[[parameters('effect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-DataFactory-Portal", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86cd96e1-1745-420d-94d4-d3f2fe415aa4", + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureDataFactoryPortalPrivateDnsZoneId')]" + }, + "listOfGroupIds": { + "value": [ + "portal" + ] + }, + "effect": { + "value": "[[parameters('effect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-HDInsight", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/43d6e3bd-fc6a-4b44-8b4d-2151d8736a11", + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureHDInsightPrivateDnsZoneId')]" + }, + "groupId": { + "value": "cluster" + }, + "effect": { + "value": "[[parameters('effect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Migrate", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7590a335-57cf-4c95-babd-ecbc8fafeb1f", + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureMigratePrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Storage-Blob", + "policyDefinitionId": 
"/providers/Microsoft.Authorization/policyDefinitions/75973700-529f-4de2-b794-fb9b6781b6b0", + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureStorageBlobPrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Storage-Blob-Sec", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d847d34b-9337-4e2d-99a5-767e5ac9c582", + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureStorageBlobSecPrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Storage-Queue", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bcff79fb-2b0d-47c9-97e5-3023479b00d1", + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureStorageQueuePrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Storage-Queue-Sec", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/da9b4ae8-5ddc-48c5-b9c0-25f8abf7a3d6", + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureStorageQueueSecPrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Storage-File", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6df98d03-368a-4438-8730-a93c4d7693d6", + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureStorageFilePrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Storage-StaticWeb", + "policyDefinitionId": 
"/providers/Microsoft.Authorization/policyDefinitions/9adab2a5-05ba-4fbd-831a-5bf958d04218", + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureStorageStaticWebPrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Storage-StaticWeb-Sec", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d19ae5f1-b303-4b82-9ca8-7682749faf0c", + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureStorageStaticWebSecPrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Storage-DFS", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/83c6fe0f-2316-444a-99a1-1ecd8a7872ca", + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureStorageDFSPrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Storage-DFS-Sec", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/90bd4cb3-9f59-45f7-a6ca-f69db2726671", + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureStorageDFSSecPrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Synapse-SQL", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9", + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureSynapseSQLPrivateDnsZoneId')]" + }, + "targetSubResource": { + "value": "Sql" + }, + "effect": { + "value": "[[parameters('effect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Synapse-SQL-OnDemand", + 
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9", + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureSynapseSQLODPrivateDnsZoneId')]" + }, + "targetSubResource": { + "value": "SqlOnDemand" + }, + "effect": { + "value": "[[parameters('effect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Synapse-Dev", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9", + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureSynapseDevPrivateDnsZoneId')]" + }, + "targetSubResource": { + "value": "Dev" + }, + "effect": { + "value": "[[parameters('effect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-MediaServices-Key", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b4a7f6c1-585e-4177-ad5b-c2c93f4bb991", + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureMediaServicesKeyPrivateDnsZoneId')]" + }, + "groupId": { + "value": "keydelivery" + }, + "effect": { + "value": "[[parameters('effect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-MediaServices-Live", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b4a7f6c1-585e-4177-ad5b-c2c93f4bb991", + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureMediaServicesLivePrivateDnsZoneId')]" + }, + "groupId": { + "value": "liveevent" + }, + "effect": { + "value": "[[parameters('effect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-MediaServices-Stream", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b4a7f6c1-585e-4177-ad5b-c2c93f4bb991", + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureMediaServicesStreamPrivateDnsZoneId')]" + }, 
+ "groupId": { + "value": "streamingendpoint" + }, + "effect": { + "value": "[[parameters('effect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Monitor", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/437914ee-c176-4fff-8986-7e05eb971365", + "parameters": { + "privateDnsZoneId1": { + "value": "[[parameters('azureMonitorPrivateDnsZoneId1')]" + }, + "privateDnsZoneId2": { + "value": "[[parameters('azureMonitorPrivateDnsZoneId2')]" + }, + "privateDnsZoneId3": { + "value": "[[parameters('azureMonitorPrivateDnsZoneId3')]" + }, + "privateDnsZoneId4": { + "value": "[[parameters('azureMonitorPrivateDnsZoneId4')]" + }, + "privateDnsZoneId5": { + "value": "[[parameters('azureMonitorPrivateDnsZoneId5')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Web", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0b026355-49cb-467b-8ac4-f777874e175a", + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureWebPrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Batch", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4ec38ebc-381f-45ee-81a4-acbc4be878f8", + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureBatchPrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-App", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7a860e27-9ca2-4fc6-822d-c2d248c300df", + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureAppPrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + }, + "groupNames": [] + }, + { + 
"policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Site-Recovery", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/942bd215-1a66-44be-af65-6a1c0318dbe2", + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureAsrPrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-IoT", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/aaa64d2d-2fa3-45e5-b332-0b031b9b30e8", + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureIotPrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-KeyVault", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01d4", + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureKeyVaultPrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-SignalR", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b0e86710-7fb7-4a6c-a064-32e9b829509e", + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureSignalRPrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-AppServices", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b318f84a-b872-429b-ac6d-a01b96814452", + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureAppServicesPrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-EventGridTopics", + "policyDefinitionId": 
"/providers/Microsoft.Authorization/policyDefinitions/baf19753-7502-405f-8745-370519b20483", + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureEventGridTopicsPrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect1')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-DiskAccess", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bc05b96c-0b36-4ca9-82f0-5c53f96ce05a", + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureDiskAccessPrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-CognitiveServices", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c4bc6f10-cb41-49eb-b000-d5ab82e2a091", + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureCognitiveServicesPrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-IoTHubs", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c99ce9c1-ced7-4c3e-aca0-10e69ce0cb02", + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureIotHubsPrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect1')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-EventGridDomains", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d389df0a-e0d7-4607-833c-75a6fdac2c2d", + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureEventGridDomainsPrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect1')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-RedisCache", + "policyDefinitionId": 
"/providers/Microsoft.Authorization/policyDefinitions/e016b22b-e0eb-436d-8fd7-160c4eaed6e2", + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureRedisCachePrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-ACR", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e9585a95-5b8c-4d03-b193-dc7eb5ac4c32", + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureAcrPrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-EventHubNamespace", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ed66d4f5-8220-45dc-ab4a-20d1749c74e6", + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureEventHubNamespacePrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-MachineLearningWorkspace", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ee40564d-486e-4f68-a5ca-7a621edae0fb", + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureMachineLearningWorkspacePrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-ServiceBusNamespace", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f0fcf93c-c063-4071-9668-c47474bd3564", + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureServiceBusNamespacePrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-CognitiveSearch", + "policyDefinitionId": 
"/providers/Microsoft.Authorization/policyDefinitions/fbc14a67-53e4-4932-abcc-2049c6706009", + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureCognitiveSearchPrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + }, + "groupNames": [] + } + ], + "policyDefinitionGroups": null + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-Private-DNS-Zones.parameters.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-Private-DNS-Zones.parameters.json new file mode 100644 index 0000000..4a5f653 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-Private-DNS-Zones.parameters.json 
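Review bot: Every `*PrivateDnsZoneId` parameter in this initiative defaults to `""` while `effect` defaults to `DeployIfNotExists`, so an assignment that supplies only some zone IDs still enables the member policies for all other services with an empty zone target. How the referenced built-in definitions treat an empty `privateDnsZoneId` is not visible in this hunk, but the likely outcome is failed remediation or private endpoints left without a record in the central zone, and the shared `effect` switch cannot turn off only the unused services. I would state this in the initiative `description`, for example by appending `Supply a zone ID for every service in use; members with an empty zone ID are still evaluated.` Separately, `effect` and `effect1` share the displayName `Effect` although `effect1` feeds only the EventGridTopics, IoTHubs and EventGridDomains members; a distinct label such as `"displayName": "Effect (Event Grid and IoT Hub policies)"` would make the assignment form unambiguous. The File Sync member also references `azureFileprivateDnsZoneId` while the parameter is declared as `azureFilePrivateDnsZoneId`; align the casing.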
@@ -0,0 +1,536 @@ +{ + "DINE-Private-DNS-Azure-ACR": { + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureAcrPrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + } + }, + "DINE-Private-DNS-Azure-App": { + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureAppPrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + } + }, + "DINE-Private-DNS-Azure-AppServices": { + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureAppServicesPrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + } + }, + "DINE-Private-DNS-Azure-Automation-DSCHybrid": { + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureAutomationDSCHybridPrivateDnsZoneId')]" + }, + "privateEndpointGroupId": { + "value": "DSCAndHybridWorker" + }, + "effect": { + "value": "[[parameters('effect')]" + } + } + }, + "DINE-Private-DNS-Azure-Automation-Webhook": { + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureAutomationWebhookPrivateDnsZoneId')]" + }, + "privateEndpointGroupId": { + "value": "Webhook" + }, + "effect": { + "value": "[[parameters('effect')]" + } + } + }, + "DINE-Private-DNS-Azure-Batch": { + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureBatchPrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + } + }, + "DINE-Private-DNS-Azure-CognitiveSearch": { + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureCognitiveSearchPrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + } + }, + "DINE-Private-DNS-Azure-CognitiveServices": { + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureCognitiveServicesPrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + } + }, + "DINE-Private-DNS-Azure-Cosmos-Cassandra": { + "parameters": { + "privateDnsZoneId": { + "value": 
"[[parameters('azureCosmosCassandraPrivateDnsZoneId')]" + }, + "privateEndpointGroupId": { + "value": "Cassandra" + }, + "effect": { + "value": "[[parameters('effect')]" + } + } + }, + "DINE-Private-DNS-Azure-Cosmos-Gremlin": { + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureCosmosGremlinPrivateDnsZoneId')]" + }, + "privateEndpointGroupId": { + "value": "Gremlin" + }, + "effect": { + "value": "[[parameters('effect')]" + } + } + }, + "DINE-Private-DNS-Azure-Cosmos-MongoDB": { + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureCosmosMongoPrivateDnsZoneId')]" + }, + "privateEndpointGroupId": { + "value": "MongoDB" + }, + "effect": { + "value": "[[parameters('effect')]" + } + } + }, + "DINE-Private-DNS-Azure-Cosmos-SQL": { + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureCosmosSQLPrivateDnsZoneId')]" + }, + "privateEndpointGroupId": { + "value": "SQL" + }, + "effect": { + "value": "[[parameters('effect')]" + } + } + }, + "DINE-Private-DNS-Azure-Cosmos-Table": { + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureCosmosTablePrivateDnsZoneId')]" + }, + "privateEndpointGroupId": { + "value": "Table" + }, + "effect": { + "value": "[[parameters('effect')]" + } + } + }, + "DINE-Private-DNS-Azure-DataFactory": { + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureDataFactoryPrivateDnsZoneId')]" + }, + "listOfGroupIds": { + "value": [ + "dataFactory" + ] + }, + "effect": { + "value": "[[parameters('effect')]" + } + } + }, + "DINE-Private-DNS-Azure-DataFactory-Portal": { + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureDataFactoryPortalPrivateDnsZoneId')]" + }, + "listOfGroupIds": { + "value": [ + "portal" + ] + }, + "effect": { + "value": "[[parameters('effect')]" + } + } + }, + "DINE-Private-DNS-Azure-DiskAccess": { + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureDiskAccessPrivateDnsZoneId')]" + }, + "effect": { + 
"value": "[[parameters('effect')]" + } + } + }, + "DINE-Private-DNS-Azure-EventGridDomains": { + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureEventGridDomainsPrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect1')]" + } + } + }, + "DINE-Private-DNS-Azure-EventGridTopics": { + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureEventGridTopicsPrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect1')]" + } + } + }, + "DINE-Private-DNS-Azure-EventHubNamespace": { + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureEventHubNamespacePrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + } + }, + "DINE-Private-DNS-Azure-File-Sync": { + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureFileprivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + } + }, + "DINE-Private-DNS-Azure-HDInsight": { + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureHDInsightPrivateDnsZoneId')]" + }, + "groupId": { + "value": "cluster" + }, + "effect": { + "value": "[[parameters('effect')]" + } + } + }, + "DINE-Private-DNS-Azure-IoT": { + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureIotPrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + } + }, + "DINE-Private-DNS-Azure-IoTHubs": { + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureIotHubsPrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect1')]" + } + } + }, + "DINE-Private-DNS-Azure-KeyVault": { + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureKeyVaultPrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + } + }, + "DINE-Private-DNS-Azure-MachineLearningWorkspace": { + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureMachineLearningWorkspacePrivateDnsZoneId')]" + }, + "effect": { 
+ "value": "[[parameters('effect')]" + } + } + }, + "DINE-Private-DNS-Azure-MediaServices-Key": { + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureMediaServicesKeyPrivateDnsZoneId')]" + }, + "groupId": { + "value": "keydelivery" + }, + "effect": { + "value": "[[parameters('effect')]" + } + } + }, + "DINE-Private-DNS-Azure-MediaServices-Live": { + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureMediaServicesLivePrivateDnsZoneId')]" + }, + "groupId": { + "value": "liveevent" + }, + "effect": { + "value": "[[parameters('effect')]" + } + } + }, + "DINE-Private-DNS-Azure-MediaServices-Stream": { + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureMediaServicesStreamPrivateDnsZoneId')]" + }, + "groupId": { + "value": "streamingendpoint" + }, + "effect": { + "value": "[[parameters('effect')]" + } + } + }, + "DINE-Private-DNS-Azure-Migrate": { + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureMigratePrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + } + }, + "DINE-Private-DNS-Azure-Monitor": { + "parameters": { + "privateDnsZoneId1": { + "value": "[[parameters('azureMonitorPrivateDnsZoneId1')]" + }, + "privateDnsZoneId2": { + "value": "[[parameters('azureMonitorPrivateDnsZoneId2')]" + }, + "privateDnsZoneId3": { + "value": "[[parameters('azureMonitorPrivateDnsZoneId3')]" + }, + "privateDnsZoneId4": { + "value": "[[parameters('azureMonitorPrivateDnsZoneId4')]" + }, + "privateDnsZoneId5": { + "value": "[[parameters('azureMonitorPrivateDnsZoneId5')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + } + }, + "DINE-Private-DNS-Azure-RedisCache": { + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureRedisCachePrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + } + }, + "DINE-Private-DNS-Azure-ServiceBusNamespace": { + "parameters": { + "privateDnsZoneId": { + "value": 
"[[parameters('azureServiceBusNamespacePrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + } + }, + "DINE-Private-DNS-Azure-SignalR": { + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureSignalRPrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + } + }, + "DINE-Private-DNS-Azure-Site-Recovery": { + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureAsrPrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + } + }, + "DINE-Private-DNS-Azure-Storage-Blob": { + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureStorageBlobPrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + } + }, + "DINE-Private-DNS-Azure-Storage-Blob-Sec": { + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureStorageBlobSecPrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + } + }, + "DINE-Private-DNS-Azure-Storage-DFS": { + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureStorageDFSPrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + } + }, + "DINE-Private-DNS-Azure-Storage-DFS-Sec": { + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureStorageDFSSecPrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + } + }, + "DINE-Private-DNS-Azure-Storage-File": { + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureStorageFilePrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + } + }, + "DINE-Private-DNS-Azure-Storage-Queue": { + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureStorageQueuePrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + } + }, + "DINE-Private-DNS-Azure-Storage-Queue-Sec": { + "parameters": { + "privateDnsZoneId": { + "value": 
"[[parameters('azureStorageQueueSecPrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + } + }, + "DINE-Private-DNS-Azure-Storage-StaticWeb": { + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureStorageStaticWebPrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + } + }, + "DINE-Private-DNS-Azure-Storage-StaticWeb-Sec": { + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureStorageStaticWebSecPrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + } + }, + "DINE-Private-DNS-Azure-Synapse-Dev": { + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureSynapseDevPrivateDnsZoneId')]" + }, + "targetSubResource": { + "value": "Dev" + }, + "effect": { + "value": "[[parameters('effect')]" + } + } + }, + "DINE-Private-DNS-Azure-Synapse-SQL": { + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureSynapseSQLPrivateDnsZoneId')]" + }, + "targetSubResource": { + "value": "Sql" + }, + "effect": { + "value": "[[parameters('effect')]" + } + } + }, + "DINE-Private-DNS-Azure-Synapse-SQL-OnDemand": { + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureSynapseSQLODPrivateDnsZoneId')]" + }, + "targetSubResource": { + "value": "SqlOnDemand" + }, + "effect": { + "value": "[[parameters('effect')]" + } + } + }, + "DINE-Private-DNS-Azure-Web": { + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureWebPrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + } + } +} diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-Sql-Security.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-Sql-Security.json new file mode 100644 index 0000000..5f45bbe --- /dev/null 
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-Sql-Security.json 
@@ -0,0 +1,134 @@ +{ + "name": "Deploy-Sql-Security", + "type": "Microsoft.Authorization/policySetDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "displayName": "Deploy SQL Database built-in SQL security configuration", + "description": "Deploy auditing, Alert, TDE and SQL vulnerability to SQL Databases when it not exist in the deployment", + "metadata": { + "version": "1.0.0", + "category": "SQL", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "vulnerabilityAssessmentsEmail": { + "metadata": { + "description": "The email address to send alerts", + "displayName": "The email address to send alerts" + }, + "type": "String" + }, + "vulnerabilityAssessmentsStorageID": { + "metadata": { + "description": "The storage account ID to store assessments", + "displayName": "The storage account ID to store assessments" + }, + "type": "String" + }, + "SqlDbTdeDeploySqlSecurityEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy SQL Database Transparent Data Encryption ", + "description": "Deploy the Transparent Data Encryption when it is not enabled in the deployment" + } + }, + "SqlDbSecurityAlertPoliciesDeploySqlSecurityEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy SQL Database security Alert Policies configuration with email admin accounts", + "description": "Deploy the security Alert Policies configuration with email admin accounts when it not exist in current configuration" + } + }, + "SqlDbAuditingSettingsDeploySqlSecurityEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + 
], + "metadata": { + "displayName": "Deploy SQL database auditing settings", + "description": "Deploy auditing settings to SQL Database when it not exist in the deployment" + } + }, + "SqlDbVulnerabilityAssessmentsDeploySqlSecurityEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy SQL Database vulnerability Assessments", + "description": "Deploy SQL Database vulnerability Assessments when it not exist in the deployment. To the specific storage account in the parameters" + } + } + }, + "policyDefinitions": [ + { + "policyDefinitionReferenceId": "SqlDbTdeDeploySqlSecurity", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86a912f6-9a06-4e26-b447-11b16ba8659f", + "parameters": { + "effect": { + "value": "[[parameters('SqlDbTdeDeploySqlSecurityEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "SqlDbSecurityAlertPoliciesDeploySqlSecurity", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-SecurityAlertPolicies", + "parameters": { + "effect": { + "value": "[[parameters('SqlDbSecurityAlertPoliciesDeploySqlSecurityEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "SqlDbAuditingSettingsDeploySqlSecurity", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-AuditingSettings", + "parameters": { + "effect": { + "value": "[[parameters('SqlDbAuditingSettingsDeploySqlSecurityEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "SqlDbVulnerabilityAssessmentsDeploySqlSecurity", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-vulnerabilityAssessments", + "parameters": { + "effect": { + "value": 
"[[parameters('SqlDbVulnerabilityAssessmentsDeploySqlSecurityEffect')]" + }, + "vulnerabilityAssessmentsEmail": { + "value": "[[parameters('vulnerabilityAssessmentsEmail')]" + }, + "vulnerabilityAssessmentsStorageID": { + "value": "[[parameters('vulnerabilityAssessmentsStorageID')]" + } + }, + "groupNames": [] + } + ], + "policyDefinitionGroups": null + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-Sql-Security.parameters.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-Sql-Security.parameters.json new file mode 100644 index 0000000..d954e7b --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-Sql-Security.parameters.json @@ -0,0 +1,36 @@ +{ + "SqlDbAuditingSettingsDeploySqlSecurity": { + "parameters": { + "effect": { + "value": "[[parameters('SqlDbAuditingSettingsDeploySqlSecurityEffect')]" + } + } + }, + "SqlDbSecurityAlertPoliciesDeploySqlSecurity": { + "parameters": { + "effect": { + "value": "[[parameters('SqlDbSecurityAlertPoliciesDeploySqlSecurityEffect')]" + } + } + }, + "SqlDbTdeDeploySqlSecurity": { + "parameters": { + "effect": { + "value": "[[parameters('SqlDbTdeDeploySqlSecurityEffect')]" + } + } + }, + "SqlDbVulnerabilityAssessmentsDeploySqlSecurity": { + "parameters": { + "effect": { + "value": "[[parameters('SqlDbVulnerabilityAssessmentsDeploySqlSecurityEffect')]" + }, + "vulnerabilityAssessmentsEmail": { + "value": "[[parameters('vulnerabilityAssessmentsEmail')]" + }, + "vulnerabilityAssessmentsStorageID": { + "value": "[[parameters('vulnerabilityAssessmentsStorageID')]" + } + } + } +} 
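Review bot: `vulnerabilityAssessmentsStorageID` in the `parameters` block of policy_set_definition_es_Deploy-Sql-Security.json is a free-form `String` with no `strongType`, so nothing at assignment time steers the value towards a storage account resource ID. Adding `"strongType": "Microsoft.Storage/storageAccounts"` to its `metadata` would let the portal offer a storage-account picker. Neither this parameter nor `vulnerabilityAssessmentsEmail` has a `defaultValue`, so every assignment must supply both; the descriptions should say that and note that the mailbox receives the alerts, so assigners pick a monitored address. Several descriptions read "when it not exist"; "when it does not exist" is clearer.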
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-ACSB.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-ACSB.json
new file mode 100644
index 0000000..114aef7
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-ACSB.json
@@ -0,0 +1,92 @@ +{ + "name": "Enforce-ACSB", + "type": "Microsoft.Authorization/policySetDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "displayName": "Enforce Azure Compute Security Benchmark compliance auditing", + "description": "Enforce Azure Compute Security Benchmark compliance auditing for Windows and Linux virtual machines.", + "metadata": { + "version": "1.0.0", + "category": "Guest Configuration", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud" + ] + }, + "parameters": { + "includeArcMachines": { + "type": "String", + "allowedValues": [ + "true", + "false" + ], + "metadata": { + "displayName": "Include Arc connected servers", + "description": "By selecting this option, you agree to be charged monthly per Arc connected machine." + }, + "defaultValue": "true" + }, + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "defaultValue": "AuditIfNotExists" + } + }, + "policyDefinitions": [ + { + "policyDefinitionReferenceId": "GcIdentity", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e", + "parameters": {}, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "GcLinux", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da", + "parameters": {}, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "GcWindows", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/385f5831-96d4-41db-9a3c-cd3af78aaae6", + "parameters": {}, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "WinAcsb", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/72650e9f-97bc-4b2a-ab5f-9781a9fcecbc", + "parameters": { + 
"effect": { + "value": "[[parameters('effect')]" + }, + "IncludeArcMachines": { + "value": "[[parameters('includeArcMachines')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "LinAcsb", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd", + "parameters": { + "effect": { + "value": "[[parameters('effect')]" + }, + "IncludeArcMachines": { + "value": "[[parameters('includeArcMachines')]" + } + }, + "groupNames": [] + } + ], + "policyDefinitionGroups": null + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-ACSB.parameters.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-ACSB.parameters.json new file mode 100644 index 0000000..748495b --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-ACSB.parameters.json @@ -0,0 +1,31 @@ +{ + "GcIdentity": { + "parameters": {} + }, + "GcLinux": { + "parameters": {} + }, + "GcWindows": { + "parameters": {} + }, + "LinAcsb": { + "parameters": { + "effect": { + "value": "[[parameters('effect')]" + }, + "IncludeArcMachines": { + "value": "[[parameters('includeArcMachines')]" + } + } + }, + "WinAcsb": { + "parameters": { + "effect": { + "value": "[[parameters('effect')]" + }, + "IncludeArcMachines": { + "value": "[[parameters('includeArcMachines')]" + } + } + } +} diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-ALZ-Decomm.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-ALZ-Decomm.json new file mode 100644 index 0000000..7337890 --- /dev/null 
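Review bot: The set-level `effect` parameter in policy_set_definition_es_Enforce-ACSB.json is wired only to the `WinAcsb` and `LinAcsb` references, while `GcIdentity`, `GcLinux` and `GcWindows` take `"parameters": {}`. Setting `effect` to `Disabled` therefore leaves those three references active, which presumably still deploy the guest configuration prerequisites. The parameter description should say so, e.g. `"description": "Enable or disable the ACSB audit policies; the guest configuration prerequisite policies are not affected"`. Separately, `includeArcMachines` defaults to `"true"` although its description frames inclusion as an explicit agreement to a monthly per-machine charge, so the text should state that Arc connected servers are included and billed unless the value is set to `"false"`.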
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-ALZ-Decomm.json @@ -0,0 +1,51 @@ +{ + "name": "Enforce-ALZ-Decomm", + "type": "Microsoft.Authorization/policySetDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "displayName": "Enforce policies in the Decommissioned Landing Zone", + "description": "Enforce policies in the Decommissioned Landing Zone.", + "metadata": { + "version": "1.0.0", + "category": "Decommissioned", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "listOfResourceTypesAllowed": { + "type": "Array", + "defaultValue": [], + "metadata": { + "displayName": "Allowed resource types in the Decommissioned landing zone", + "description": "Allowed resource types in the Decommissioned landing zone, default is none.", + "strongType": "resourceTypes" + } + } + }, + "policyDefinitions": [ + { + "policyDefinitionReferenceId": "DecomDenyResources", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a08ec900-254a-4555-9bf5-e42af04b5c5c", + "parameters": { + "listOfResourceTypesAllowed": { + "value": "[[parameters('listOfResourceTypesAllowed')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "DecomShutdownMachines", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Vm-autoShutdown", + "parameters": {}, + "groupNames": [] + } + ], + "policyDefinitionGroups": null + } +} \ No newline at end of file 
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-ALZ-Decomm.parameters.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-ALZ-Decomm.parameters.json
new file mode 100644
index 0000000..567de39
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-ALZ-Decomm.parameters.json
@@ -0,0 +1,12 @@
+{
+ "DecomDenyResources": {
+ "parameters": {
+ "listOfResourceTypesAllowed": {
+ "value": "[[parameters('listOfResourceTypesAllowed')]"
+ }
+ }
+ },
+ "DecomShutdownMachines": {
+ "parameters": {}
+ }
+}
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-ALZ-Sandbox.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-ALZ-Sandbox.json
new file mode 100644
index 0000000..3ecd32b
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-ALZ-Sandbox.json
@@ -0,0 +1,84 @@ +{ + "name": "Enforce-ALZ-Sandbox", + "type": "Microsoft.Authorization/policySetDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "displayName": "Enforce policies in the Sandbox Landing Zone", + "description": "Enforce policies in the Sandbox Landing Zone.", + "metadata": { + "version": "1.0.0", + "category": "Sandbox", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "listOfResourceTypesNotAllowed": { + "type": "Array", + "defaultValue": [], + "metadata": { + "displayName": "Not allowed resource types in the Sandbox landing zone", + "description": "Not allowed resource types in the Sandbox landing zone, default is none.", + "strongType": "resourceTypes" + } + }, + "effectNotAllowedResources": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny" + }, + "effectDenyVnetPeering": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny" + } + }, + "policyDefinitions": [ + { + "policyDefinitionReferenceId": "SandboxNotAllowed", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749", + "parameters": { + "effect": { + "value": "[[parameters('effectNotAllowedResources')]" + }, + "listOfResourceTypesNotAllowed": { + "value": "[[parameters('listOfResourceTypesNotAllowed')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "SandboxDenyVnetPeering", + "policyDefinitionId": 
"${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-VNET-Peer-Cross-Sub", + "parameters": { + "effect": { + "value": "[[parameters('effectDenyVnetPeering')]" + } + }, + "groupNames": [] + } + ], + "policyDefinitionGroups": null + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-ALZ-Sandbox.parameters.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-ALZ-Sandbox.parameters.json new file mode 100644 index 0000000..b4b75f3 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-ALZ-Sandbox.parameters.json @@ -0,0 +1,19 @@ +{ + "SandboxDenyVnetPeering": { + "parameters": { + "effect": { + "value": "[[parameters('effectDenyVnetPeering')]" + } + } + }, + "SandboxNotAllowed": { + "parameters": { + "effect": { + "value": "[[parameters('effectNotAllowedResources')]" + }, + "listOfResourceTypesNotAllowed": { + "value": "[[parameters('listOfResourceTypesNotAllowed')]" + } + } + } +} diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-EncryptTransit.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-EncryptTransit.json new file mode 100644 index 0000000..0e79140 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-EncryptTransit.json 
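Review bot: `effectNotAllowedResources` and `effectDenyVnetPeering` in policy_set_definition_es_Enforce-ALZ-Sandbox.json carry the same `displayName` (`"Effect"`) and the same description, so whoever assigns the set cannot tell which control each one switches between `Audit`, `Deny` and `Disabled`. Distinct labels such as `"displayName": "Effect for not-allowed resource types"` and `"displayName": "Effect for cross-subscription VNet peering"` would remove that ambiguity. It is also worth stating in the `listOfResourceTypesNotAllowed` description that the default `[]` means the `SandboxNotAllowed` reference presumably blocks nothing, even with the default `Deny`, until a list is supplied.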
@@ -0,0 +1,618 @@ +{ + "name": "Enforce-EncryptTransit", + "type": "Microsoft.Authorization/policySetDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "displayName": "Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit", + "description": "Choose either Deploy if not exist and append in combination with audit or Select Deny in the Policy effect. Deny polices shift left. Deploy if not exist and append enforce but can be changed, and because missing existence condition require then the combination of Audit. ", + "metadata": { + "version": "2.0.0", + "category": "Encryption", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "AppServiceHttpEffect": { + "type": "String", + "defaultValue": "Append", + "allowedValues": [ + "Append", + "Disabled" + ], + "metadata": { + "displayName": "App Service. Appends the AppService sites config WebApp, APIApp, Function App with TLS version selected below", + "description": "Append the AppService sites object to ensure that min Tls version is set to required TLS version. Please note Append does not enforce compliance use then deny." + } + }, + "AppServiceTlsVersionEffect": { + "type": "String", + "defaultValue": "Append", + "allowedValues": [ + "Append", + "Disabled" + ], + "metadata": { + "displayName": "App Service. Appends the AppService WebApp, APIApp, Function App to enable https only", + "description": "App Service. Appends the AppService sites object to ensure that HTTPS only is enabled for server/service authentication and protects data in transit from network layer eavesdropping attacks. Please note Append does not enforce compliance use then deny." 
+ } + }, + "AppServiceminTlsVersion": { + "type": "String", + "defaultValue": "1.2", + "allowedValues": [ + "1.2", + "1.0", + "1.1" + ], + "metadata": { + "displayName": "App Service. Select version minimum TLS Web App config", + "description": "App Service. Select version minimum TLS version for a Web App config to enforce" + } + }, + "APIAppServiceHttpsEffect": { + "metadata": { + "displayName": "App Service API App. API App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.", + "description": "Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks." + }, + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ] + }, + "FunctionLatestTlsEffect": { + "metadata": { + "displayName": "App Service Function App. Latest TLS version should be used in your Function App", + "description": "Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version." + }, + "type": "String", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ] + }, + "FunctionServiceHttpsEffect": { + "metadata": { + "displayName": "App Service Function App. Function App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.", + "description": "App Service Function App. Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks." + }, + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ] + }, + "WebAppServiceLatestTlsEffect": { + "metadata": { + "displayName": "App Service Web App. Latest TLS version should be used in your Web App", + "description": "Only Audit, deny not possible as it is a related resource. 
Upgrade to the latest TLS version." + }, + "type": "String", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ] + }, + "WebAppServiceHttpsEffect": { + "metadata": { + "displayName": "App Service Web App. Web Application should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.", + "description": "Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks." + }, + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ] + }, + "AKSIngressHttpsOnlyEffect": { + "metadata": { + "displayName": "AKS Service. Enforce HTTPS ingress in Kubernetes cluster", + "description": "This policy enforces HTTPS ingress in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc." + }, + "type": "String", + "defaultValue": "deny", + "allowedValues": [ + "audit", + "deny", + "disabled" + ] + }, + "MySQLEnableSSLDeployEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "MySQL database servers. Deploy if not exist set minimum TLS version Azure Database for MySQL server", + "description": "Deploy a specific min TLS version requirement and enforce SSL on Azure Database for MySQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server." 
+ } + }, + "MySQLEnableSSLEffect": { + "metadata": { + "displayName": "MySQL database servers. Enforce SSL connection should be enabled for MySQL database servers", + "description": "Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server." + }, + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ] + }, + "MySQLminimalTlsVersion": { + "type": "String", + "defaultValue": "TLS1_2", + "allowedValues": [ + "TLS1_2", + "TLS1_0", + "TLS1_1", + "TLSEnforcementDisabled" + ], + "metadata": { + "displayName": "MySQL database servers. Select version minimum TLS for MySQL server", + "description": "Select version minimum TLS version Azure Database for MySQL server to enforce" + } + }, + "PostgreSQLEnableSSLDeployEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "PostgreSQL database servers. Deploy if not exist set minimum TLS version Azure Database for PostgreSQL server", + "description": "Deploy a specific min TLS version requirement and enforce SSL on Azure Database for PostgreSQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server." 
+ } + }, + "PostgreSQLEnableSSLEffect": { + "metadata": { + "displayName": "PostgreSQL database servers. Enforce SSL connection should be enabled for PostgreSQL database servers", + "description": "Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server." + }, + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ] + }, + "PostgreSQLminimalTlsVersion": { + "type": "String", + "defaultValue": "TLS1_2", + "allowedValues": [ + "TLS1_2", + "TLS1_0", + "TLS1_1", + "TLSEnforcementDisabled" + ], + "metadata": { + "displayName": "PostgreSQL database servers. Select version minimum TLS for MySQL server", + "description": "PostgreSQL database servers. Select version minimum TLS version Azure Database for MySQL server to enforce" + } + }, + "RedisTLSDeployEffect": { + "type": "String", + "defaultValue": "Append", + "allowedValues": [ + "Append", + "Disabled" + ], + "metadata": { + "displayName": "Azure Cache for Redis. Deploy a specific min TLS version requirement and enforce SSL Azure Cache for Redis", + "description": "Deploy a specific min TLS version requirement and enforce SSL on Azure Cache for Redis. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server." 
+ } + }, + "RedisMinTlsVersion": { + "type": "String", + "defaultValue": "1.2", + "allowedValues": [ + "1.2", + "1.0", + "1.1" + ], + "metadata": { + "displayName": "Azure Cache for Redis.Select version minimum TLS for Azure Cache for Redis", + "description": "Select version minimum TLS version for a Azure Cache for Redis to enforce" + } + }, + "RedisTLSEffect": { + "metadata": { + "displayName": "Azure Cache for Redis. Only secure connections to your Azure Cache for Redis should be enabled", + "description": "Azure Cache for Redis. Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking." + }, + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "SQLManagedInstanceTLSDeployEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Azure Managed Instance. Deploy a specific min TLS version requirement and enforce SSL on SQL servers", + "description": "Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server." 
+ } + }, + "SQLManagedInstanceMinTlsVersion": { + "type": "String", + "defaultValue": "1.2", + "allowedValues": [ + "1.2", + "1.0", + "1.1" + ], + "metadata": { + "displayName": "Azure Managed Instance.Select version minimum TLS for Azure Managed Instance", + "description": "Select version minimum TLS version for Azure Managed Instanceto to enforce" + } + }, + "SQLManagedInstanceTLSEffect": { + "metadata": { + "displayName": "SQL Managed Instance should have the minimal TLS version of 1.2", + "description": "Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities." + }, + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ] + }, + "SQLServerTLSDeployEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Azure SQL Database. Deploy a specific min TLS version requirement and enforce SSL on SQL servers", + "description": "Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server." 
+ } + }, + "SQLServerminTlsVersion": { + "type": "String", + "defaultValue": "1.2", + "allowedValues": [ + "1.2", + "1.0", + "1.1" + ], + "metadata": { + "displayName": "Azure SQL Database.Select version minimum TLS for Azure SQL Database", + "description": "Select version minimum TLS version for Azure SQL Database to enforce" + } + }, + "SQLServerTLSEffect": { + "metadata": { + "displayName": "Azure SQL Database should have the minimal TLS version of 1.2", + "description": "Setting minimal TLS version to 1.2 improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities." + }, + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ] + }, + "StorageDeployHttpsEnabledEffect": { + "metadata": { + "displayName": "Azure Storage Account. Deploy Secure transfer to storage accounts should be enabled", + "description": "Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking" + }, + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, + "StorageminimumTlsVersion": { + "type": "String", + "defaultValue": "TLS1_2", + "allowedValues": [ + "TLS1_2", + "TLS1_1", + "TLS1_0" + ], + "metadata": { + "displayName": "Storage Account select minimum TLS version", + "description": "Select version minimum TLS version on Azure Storage Account to enforce" + } + }, + "StorageHttpsEnabledEffect": { + "metadata": { + "displayName": "Azure Storage Account. 
Secure transfer to storage accounts should be enabled", + "description": "Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking" + }, + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + } + }, + "policyDefinitions": [ + { + "policyDefinitionReferenceId": "AppServiceHttpEffect", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly", + "parameters": { + "effect": { + "value": "[[parameters('AppServiceHttpEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "AppServiceminTlsVersion", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS", + "parameters": { + "effect": { + "value": "[[parameters('AppServiceTlsVersionEffect')]" + }, + "minTlsVersion": { + "value": "[[parameters('AppServiceminTlsVersion')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "FunctionLatestTlsEffect", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193", + "parameters": { + "effect": { + "value": "[[parameters('FunctionLatestTlsEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "WebAppServiceLatestTlsEffect", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b", + "parameters": { + "effect": { + "value": "[[parameters('WebAppServiceLatestTlsEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "APIAppServiceHttpsEffect", 
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http", + "parameters": { + "effect": { + "value": "[[parameters('APIAppServiceHttpsEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "FunctionServiceHttpsEffect", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http", + "parameters": { + "effect": { + "value": "[[parameters('FunctionServiceHttpsEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "WebAppServiceHttpsEffect", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http", + "parameters": { + "effect": { + "value": "[[parameters('WebAppServiceHttpsEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "AKSIngressHttpsOnlyEffect", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d", + "parameters": { + "effect": { + "value": "[[parameters('AKSIngressHttpsOnlyEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "MySQLEnableSSLDeployEffect", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement", + "parameters": { + "effect": { + "value": "[[parameters('MySQLEnableSSLDeployEffect')]" + }, + "minimalTlsVersion": { + "value": "[[parameters('MySQLminimalTlsVersion')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "MySQLEnableSSLEffect", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-MySql-http", + "parameters": { + "effect": { + "value": "[[parameters('MySQLEnableSSLEffect')]" + }, + "minimalTlsVersion": { + "value": 
"[[parameters('MySQLminimalTlsVersion')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "PostgreSQLEnableSSLDeployEffect", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement", + "parameters": { + "effect": { + "value": "[[parameters('PostgreSQLEnableSSLDeployEffect')]" + }, + "minimalTlsVersion": { + "value": "[[parameters('PostgreSQLminimalTlsVersion')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "PostgreSQLEnableSSLEffect", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http", + "parameters": { + "effect": { + "value": "[[parameters('PostgreSQLEnableSSLEffect')]" + }, + "minimalTlsVersion": { + "value": "[[parameters('PostgreSQLminimalTlsVersion')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "RedisTLSDeployEffect", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement", + "parameters": { + "effect": { + "value": "[[parameters('RedisTLSDeployEffect')]" + }, + "minimumTlsVersion": { + "value": "[[parameters('RedisMinTlsVersion')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "RedisdisableNonSslPort", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort", + "parameters": { + "effect": { + "value": "[[parameters('RedisTLSDeployEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "RedisDenyhttps", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Redis-http", + "parameters": { + "effect": { + "value": "[[parameters('RedisTLSEffect')]" + }, + "minimumTlsVersion": { + "value": "[[parameters('RedisMinTlsVersion')]" + 
} + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "SQLManagedInstanceTLSDeployEffect", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS", + "parameters": { + "effect": { + "value": "[[parameters('SQLManagedInstanceTLSDeployEffect')]" + }, + "minimalTlsVersion": { + "value": "[[parameters('SQLManagedInstanceMinTlsVersion')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "SQLManagedInstanceTLSEffect", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS", + "parameters": { + "effect": { + "value": "[[parameters('SQLManagedInstanceTLSEffect')]" + }, + "minimalTlsVersion": { + "value": "[[parameters('SQLManagedInstanceMinTlsVersion')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "SQLServerTLSDeployEffect", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS", + "parameters": { + "effect": { + "value": "[[parameters('SQLServerTLSDeployEffect')]" + }, + "minimalTlsVersion": { + "value": "[[parameters('SQLServerminTlsVersion')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "SQLServerTLSEffect", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS", + "parameters": { + "effect": { + "value": "[[parameters('SQLServerTLSEffect')]" + }, + "minimalTlsVersion": { + "value": "[[parameters('SQLServerminTlsVersion')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "StorageHttpsEnabledEffect", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-minTLS", + "parameters": { + "effect": { + "value": "[[parameters('StorageHttpsEnabledEffect')]" + }, + "minimumTlsVersion": { + 
"value": "[[parameters('StorageMinimumTlsVersion')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "StorageDeployHttpsEnabledEffect", + "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement", + "parameters": { + "effect": { + "value": "[[parameters('StorageDeployHttpsEnabledEffect')]" + }, + "minimumTlsVersion": { + "value": "[[parameters('StorageMinimumTlsVersion')]" + } + }, + "groupNames": [] + } + ], + "policyDefinitionGroups": null + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-EncryptTransit.parameters.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-EncryptTransit.parameters.json new file mode 100644 index 0000000..7dca494 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-EncryptTransit.parameters.json 
@@ -0,0 +1,188 @@ +{ + "AKSIngressHttpsOnlyEffect": { + "parameters": { + "effect": { + "value": "[[parameters('AKSIngressHttpsOnlyEffect')]" + } + } + }, + "APIAppServiceHttpsEffect": { + "parameters": { + "effect": { + "value": "[[parameters('APIAppServiceHttpsEffect')]" + } + } + }, + "AppServiceHttpEffect": { + "parameters": { + "effect": { + "value": "[[parameters('AppServiceHttpEffect')]" + } + } + }, + "AppServiceminTlsVersion": { + "parameters": { + "effect": { + "value": "[[parameters('AppServiceTlsVersionEffect')]" + }, + "minTlsVersion": { + "value": "[[parameters('AppServiceminTlsVersion')]" + } + } + }, + "FunctionLatestTlsEffect": { + "parameters": { + "effect": { + "value": "[[parameters('FunctionLatestTlsEffect')]" + } + } + }, + "FunctionServiceHttpsEffect": { + "parameters": { + "effect": { + "value": "[[parameters('FunctionServiceHttpsEffect')]" + } + } + }, + "MySQLEnableSSLDeployEffect": { + "parameters": { + "effect": { + "value": "[[parameters('MySQLEnableSSLDeployEffect')]" + }, + "minimalTlsVersion": { + "value": "[[parameters('MySQLminimalTlsVersion')]" + } + } + }, + "MySQLEnableSSLEffect": { + "parameters": { + "effect": { + "value": "[[parameters('MySQLEnableSSLEffect')]" + }, + "minimalTlsVersion": { + "value": "[[parameters('MySQLminimalTlsVersion')]" + } + } + }, + "PostgreSQLEnableSSLDeployEffect": { + "parameters": { + "effect": { + "value": "[[parameters('PostgreSQLEnableSSLDeployEffect')]" + }, + "minimalTlsVersion": { + "value": "[[parameters('PostgreSQLminimalTlsVersion')]" + } + } + }, + "PostgreSQLEnableSSLEffect": { + "parameters": { + "effect": { + "value": "[[parameters('PostgreSQLEnableSSLEffect')]" + }, + "minimalTlsVersion": { + "value": "[[parameters('PostgreSQLminimalTlsVersion')]" + } + } + }, + "RedisDenyhttps": { + "parameters": { + "effect": { + "value": "[[parameters('RedisTLSEffect')]" + }, + "minimumTlsVersion": { + "value": "[[parameters('RedisMinTlsVersion')]" + } + } + }, + "RedisdisableNonSslPort": { + 
"parameters": { + "effect": { + "value": "[[parameters('RedisTLSDeployEffect')]" + } + } + }, + "RedisTLSDeployEffect": { + "parameters": { + "effect": { + "value": "[[parameters('RedisTLSDeployEffect')]" + }, + "minimumTlsVersion": { + "value": "[[parameters('RedisMinTlsVersion')]" + } + } + }, + "SQLManagedInstanceTLSDeployEffect": { + "parameters": { + "effect": { + "value": "[[parameters('SQLManagedInstanceTLSDeployEffect')]" + }, + "minimalTlsVersion": { + "value": "[[parameters('SQLManagedInstanceMinTlsVersion')]" + } + } + }, + "SQLManagedInstanceTLSEffect": { + "parameters": { + "effect": { + "value": "[[parameters('SQLManagedInstanceTLSEffect')]" + }, + "minimalTlsVersion": { + "value": "[[parameters('SQLManagedInstanceMinTlsVersion')]" + } + } + }, + "SQLServerTLSDeployEffect": { + "parameters": { + "effect": { + "value": "[[parameters('SQLServerTLSDeployEffect')]" + }, + "minimalTlsVersion": { + "value": "[[parameters('SQLServerminTlsVersion')]" + } + } + }, + "SQLServerTLSEffect": { + "parameters": { + "effect": { + "value": "[[parameters('SQLServerTLSEffect')]" + }, + "minimalTlsVersion": { + "value": "[[parameters('SQLServerminTlsVersion')]" + } + } + }, + "StorageDeployHttpsEnabledEffect": { + "parameters": { + "effect": { + "value": "[[parameters('StorageDeployHttpsEnabledEffect')]" + }, + "minimumTlsVersion": { + "value": "[[parameters('StorageMinimumTlsVersion')]" + } + } + }, + "StorageHttpsEnabledEffect": { + "parameters": { + "effect": { + "value": "[[parameters('StorageHttpsEnabledEffect')]" + }, + "minimumTlsVersion": { + "value": "[[parameters('StorageMinimumTlsVersion')]" + } + } + }, + "WebAppServiceHttpsEffect": { + "parameters": { + "effect": { + "value": "[[parameters('WebAppServiceHttpsEffect')]" + } + } + }, + "WebAppServiceLatestTlsEffect": { + "parameters": { + "effect": { + "value": "[[parameters('WebAppServiceLatestTlsEffect')]" + } + } + } +} 
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Encryption-CMK.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Encryption-CMK.json
new file mode 100644
index 0000000..de1ef45
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Encryption-CMK.json
@@ -0,0 +1,364 @@ +{ + "name": "Enforce-Encryption-CMK", + "type": "Microsoft.Authorization/policySetDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "displayName": "Deny or Audit resources without Encryption with a customer-managed key (CMK)", + "description": "Deny or Audit resources without Encryption with a customer-managed key (CMK)", + "metadata": { + "version": "2.0.0", + "category": "Encryption", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud" + ] + }, + "parameters": { + "ACRCmkEffect": { + "metadata": { + "displayName": "Container registries should be encrypted with a customer-managed key (CMK)", + "description": "Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/acr/CMK." + }, + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "AksCmkEffect": { + "metadata": { + "displayName": "Azure Kubernetes Service clusters both operating systems and data disks should be encrypted by customer-managed keys", + "description": "Encrypting OS and data disks using customer-managed keys provides more control and greater flexibility in key management. This is a common requirement in many regulatory and industry compliance standards." 
+ }, + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "WorkspaceCMKEffect": { + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "metadata": { + "displayName": "Azure Machine Learning workspaces should be encrypted with a customer-managed key (CMK)", + "description": "Manage encryption at rest of your Azure Machine Learning workspace data with customer-managed keys (CMK). By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/azureml-workspaces-cmk." + } + }, + "CognitiveServicesCMKEffect": { + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "metadata": { + "displayName": "Cognitive Services accounts should enable data encryption with a customer-managed key (CMK)", + "description": "Customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk." + } + }, + "CosmosCMKEffect": { + "type": "String", + "defaultValue": "audit", + "allowedValues": [ + "audit", + "deny", + "disabled" + ], + "metadata": { + "displayName": "Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest", + "description": "Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. 
By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk." + } + }, + "DataBoxCMKEffect": { + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "metadata": { + "displayName": "Azure Data Box jobs should use a customer-managed key to encrypt the device unlock password", + "description": "Use a customer-managed key to control the encryption of the device unlock password for Azure Data Box. Customer-managed keys also help manage access to the device unlock password by the Data Box service in order to prepare the device and copy data in an automated manner. The data on the device itself is already encrypted at rest with Advanced Encryption Standard 256-bit encryption, and the device unlock password is encrypted by default with a Microsoft managed key." + } + }, + "StreamAnalyticsCMKEffect": { + "type": "String", + "defaultValue": "audit", + "allowedValues": [ + "audit", + "deny", + "disabled" + ], + "metadata": { + "displayName": "Azure Stream Analytics jobs should use customer-managed keys to encrypt data", + "description": "Use customer-managed keys when you want to securely store any metadata and private data assets of your Stream Analytics jobs in your storage account. This gives you total control over how your Stream Analytics data is encrypted." 
+ } + }, + "SynapseWorkspaceCMKEffect": { + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "metadata": { + "displayName": "Azure Synapse workspaces should use customer-managed keys to encrypt data at rest", + "description": "Use customer-managed keys to control the encryption at rest of the data stored in Azure Synapse workspaces. Customer-managed keys deliver double encryption by adding a second layer of encryption on top of the default encryption with service-managed keys." + } + }, + "StorageCMKEffect": { + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled" + ], + "metadata": { + "displayName": "Storage accounts should use customer-managed key (CMK) for encryption, no deny as this would result in not able to create storage account because the first need of MSI for encryption", + "description": "Secure your storage account with greater flexibility using customer-managed keys (CMKs). When you specify a CMK, that key is used to protect and control access to the key that encrypts your data. Using CMKs provides additional capabilities to control rotation of the key encryption key or cryptographically erase data." + } + }, + "MySQLCMKEffect": { + "type": "String", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Azure MySQL servers bring your own key data protection should be enabled", + "description": "Use customer-managed keys to manage the encryption at rest of your MySQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management." 
+ } + }, + "PostgreSQLCMKEffect": { + "type": "String", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Azure PostgreSQL servers bring your own key data protection should be enabled", + "description": "Use customer-managed keys to manage the encryption at rest of your PostgreSQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management." + } + }, + "SqlServerTDECMKEffect": { + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "metadata": { + "displayName": "SQL servers should use customer-managed keys to encrypt data at rest", + "description": "Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement." + } + }, + "HealthcareAPIsCMKEffect": { + "type": "String", + "defaultValue": "audit", + "allowedValues": [ + "audit", + "disabled" + ], + "metadata": { + "displayName": "Azure API for FHIR should use a customer-managed key (CMK) to encrypt data at rest", + "description": "Use a customer-managed key to control the encryption at rest of the data stored in Azure API for FHIR when this is a regulatory or compliance requirement. Customer-managed keys also deliver double encryption by adding a second layer of encryption on top of the default one done with service-managed keys." 
+ } + }, + "AzureBatchCMKEffect": { + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "metadata": { + "displayName": "Azure Batch account should use customer-managed keys to encrypt data", + "description": "Use customer-managed keys (CMKs) to manage the encryption at rest of your Batch account's data. By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/Batch-CMK." + } + }, + "EncryptedVMDisksEffect": { + "type": "String", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Disk encryption should be applied on virtual machines", + "description": "Virtual machines without an enabled disk encryption will be monitored by Azure Security Center as recommendations." 
+ } + } + }, + "policyDefinitions": [ + { + "policyDefinitionReferenceId": "ACRCmkDeny", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580", + "parameters": { + "effect": { + "value": "[[parameters('ACRCmkEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "AksCmkDeny", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7d7be79c-23ba-4033-84dd-45e2a5ccdd67", + "parameters": { + "effect": { + "value": "[[parameters('AksCmkEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "WorkspaceCMK", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ba769a63-b8cc-4b2d-abf6-ac33c7204be8", + "parameters": { + "effect": { + "value": "[[parameters('WorkspaceCMKEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "CognitiveServicesCMK", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/67121cc7-ff39-4ab8-b7e3-95b84dab487d", + "parameters": { + "effect": { + "value": "[[parameters('CognitiveServicesCMKEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "CosmosCMKEffect", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1f905d99-2ab7-462c-a6b0-f709acca6c8f", + "parameters": { + "effect": { + "value": "[[parameters('CosmosCMKEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "DataBoxCMKEffect", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86efb160-8de7-451d-bc08-5d475b0aadae", + "parameters": { + "effect": { + "value": "[[parameters('DataBoxCMKEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "StreamAnalyticsCMKEffect", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/87ba29ef-1ab3-4d82-b763-87fcd4f531f7", + "parameters": { + "effect": { + "value": 
"[[parameters('StreamAnalyticsCMKEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "SynapseWorkspaceCMKEffect", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f7d52b2d-e161-4dfa-a82b-55e564167385", + "parameters": { + "effect": { + "value": "[[parameters('SynapseWorkspaceCMKEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "StorageCMKEffect", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6fac406b-40ca-413b-bf8e-0bf964659c25", + "parameters": { + "effect": { + "value": "[[parameters('StorageCMKEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "MySQLCMKEffect", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/83cef61d-dbd1-4b20-a4fc-5fbc7da10833", + "parameters": { + "effect": { + "value": "[[parameters('MySQLCMKEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "PostgreSQLCMKEffect", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/18adea5e-f416-4d0f-8aa8-d24321e3e274", + "parameters": { + "effect": { + "value": "[[parameters('PostgreSQLCMKEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "SqlServerTDECMKEffect", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0a370ff3-6cab-4e85-8995-295fd854c5b8", + "parameters": { + "effect": { + "value": "[[parameters('SqlServerTDECMKEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "HealthcareAPIsCMKEffect", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/051cba44-2429-45b9-9649-46cec11c7119", + "parameters": { + "effect": { + "value": "[[parameters('HealthcareAPIsCMKEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "AzureBatchCMKEffect", + "policyDefinitionId": 
"/providers/Microsoft.Authorization/policyDefinitions/99e9ccd8-3db9-4592-b0d1-14b1715a4d8a", + "parameters": { + "effect": { + "value": "[[parameters('AzureBatchCMKEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "EncryptedVMDisksEffect", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d", + "parameters": { + "effect": { + "value": "[[parameters('EncryptedVMDisksEffect')]" + } + }, + "groupNames": [] + } + ], + "policyDefinitionGroups": null + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Encryption-CMK.parameters.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Encryption-CMK.parameters.json new file mode 100644 index 0000000..343d3d5 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Encryption-CMK.parameters.json 
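Review bot: Every effect parameter in this set defaults to `Audit`, `audit` or `AuditIfNotExists`, so an assignment that passes no parameter values reports resources without a customer-managed key but blocks none of them, despite the `Enforce-Encryption-CMK` name. `StorageCMKEffect`, `MySQLCMKEffect`, `PostgreSQLCMKEffect`, `HealthcareAPIsCMKEffect` and `EncryptedVMDisksEffect` do not list a deny value at all. Whether an assignment overrides the defaults is not visible in this hunk, so I would state it in `properties.description`, for example `"Audits by default; set the individual effect parameters to Deny, where allowed, to block resources without a customer-managed key (CMK)"`. Separately, the `CognitiveServicesCMKEffect` description ends with the Cosmos DB link `https://aka.ms/cosmosdb-cmk`, which looks copied from `CosmosCMKEffect` and should point to the Cognitive Services CMK documentation instead.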
@@ -0,0 +1,107 @@ +{ + "ACRCmkDeny": { + "parameters": { + "effect": { + "value": "[[parameters('ACRCmkEffect')]" + } + } + }, + "AksCmkDeny": { + "parameters": { + "effect": { + "value": "[[parameters('AksCmkEffect')]" + } + } + }, + "AzureBatchCMKEffect": { + "parameters": { + "effect": { + "value": "[[parameters('AzureBatchCMKEffect')]" + } + } + }, + "CognitiveServicesCMK": { + "parameters": { + "effect": { + "value": "[[parameters('CognitiveServicesCMKEffect')]" + } + } + }, + "CosmosCMKEffect": { + "parameters": { + "effect": { + "value": "[[parameters('CosmosCMKEffect')]" + } + } + }, + "DataBoxCMKEffect": { + "parameters": { + "effect": { + "value": "[[parameters('DataBoxCMKEffect')]" + } + } + }, + "EncryptedVMDisksEffect": { + "parameters": { + "effect": { + "value": "[[parameters('EncryptedVMDisksEffect')]" + } + } + }, + "HealthcareAPIsCMKEffect": { + "parameters": { + "effect": { + "value": "[[parameters('HealthcareAPIsCMKEffect')]" + } + } + }, + "MySQLCMKEffect": { + "parameters": { + "effect": { + "value": "[[parameters('MySQLCMKEffect')]" + } + } + }, + "PostgreSQLCMKEffect": { + "parameters": { + "effect": { + "value": "[[parameters('PostgreSQLCMKEffect')]" + } + } + }, + "SqlServerTDECMKEffect": { + "parameters": { + "effect": { + "value": "[[parameters('SqlServerTDECMKEffect')]" + } + } + }, + "StorageCMKEffect": { + "parameters": { + "effect": { + "value": "[[parameters('StorageCMKEffect')]" + } + } + }, + "StreamAnalyticsCMKEffect": { + "parameters": { + "effect": { + "value": "[[parameters('StreamAnalyticsCMKEffect')]" + } + } + }, + "SynapseWorkspaceCMKEffect": { + "parameters": { + "effect": { + "value": "[[parameters('SynapseWorkspaceCMKEffect')]" + } + } + }, + "WorkspaceCMK": { + "parameters": { + "effect": { + "value": "[[parameters('WorkspaceCMKEffect')]" + } + } + } +} 
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-KeyVault.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-KeyVault.json
new file mode 100644
index 0000000..89c3e30
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-KeyVault.json
@@ -0,0 +1,257 @@ +{ + "name": "Enforce-Guardrails-KeyVault", + "type": "Microsoft.Authorization/policySetDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "displayName": "Enforce recommended guardrails for Azure Key Vault", + "description": "Enforce recommended guardrails for Azure Key Vault.", + "metadata": { + "version": "1.0.0", + "category": "Key Vault", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effectKvSoftDelete": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny" + }, + "effectKvPurgeProtection": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny" + }, + "effectKvSecretsExpire": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Audit" + }, + "effectKvKeysExpire": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Audit" + }, + "effectKvFirewallEnabled": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Audit" + }, + "effectKvCertLifetime": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the 
policy" + }, + "allowedValues": [ + "audit", + "Audit", + "deny", + "Deny", + "disabled", + "Disabled" + ], + "defaultValue": "Audit" + }, + "maximumCertLifePercentageLife": { + "type": "Integer", + "metadata": { + "displayName": "The maximum lifetime percentage", + "description": "Enter the percentage of lifetime of the certificate when you want to trigger the policy action. For example, to trigger a policy action at 80% of the certificate's valid life, enter '80'." + }, + "defaultValue": 80 + }, + "minimumCertLifeDaysBeforeExpiry": { + "type": "Integer", + "metadata": { + "displayName": "The minimum days before expiry", + "description": "Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'." + }, + "defaultValue": 90 + }, + "effectKvKeysLifetime": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Audit" + }, + "minimumKeysLifeDaysBeforeExpiry": { + "type": "Integer", + "metadata": { + "displayName": "The minimum days before expiry", + "description": "Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'." + }, + "defaultValue": 90 + }, + "effectKvSecretsLifetime": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Audit" + }, + "minimumSecretsLifeDaysBeforeExpiry": { + "type": "Integer", + "metadata": { + "displayName": "The minimum days before expiry", + "description": "Enter the days before expiration of the certificate when you want to trigger the policy action. 
For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'." + }, + "defaultValue": 90 + } + }, + "policyDefinitions": [ + { + "policyDefinitionReferenceId": "KvSoftDelete", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d", + "parameters": { + "effect": { + "value": "[[parameters('effectKvSoftDelete')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "KvPurgeProtection", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53", + "parameters": { + "effect": { + "value": "[[parameters('effectKvPurgeProtection')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "KvSecretsExpire", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/98728c90-32c7-4049-8429-847dc0f4fe37", + "parameters": { + "effect": { + "value": "[[parameters('effectKvSecretsExpire')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "KvKeysExpire", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0", + "parameters": { + "effect": { + "value": "[[parameters('effectKvKeysExpire')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "KvFirewallEnabled", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/55615ac9-af46-4a59-874e-391cc3dfb490", + "parameters": { + "effect": { + "value": "[[parameters('effectKvFirewallEnabled')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "KvCertLifetime", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/12ef42cb-9903-4e39-9c26-422d29570417", + "parameters": { + "effect": { + "value": "[[parameters('effectKvCertLifetime')]" + }, + "maximumPercentageLife": { + "value": "[[parameters('maximumCertLifePercentageLife')]" + }, + "minimumDaysBeforeExpiry": { + "value": 
"[[parameters('minimumCertLifeDaysBeforeExpiry')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "KvKeysLifetime", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5ff38825-c5d8-47c5-b70e-069a21955146", + "parameters": { + "effect": { + "value": "[[parameters('effectKvKeysLifetime')]" + }, + "minimumDaysBeforeExpiration": { + "value": "[[parameters('minimumKeysLifeDaysBeforeExpiry')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "KvSecretsLifetime", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b0eb591a-5e70-4534-a8bf-04b9c489584a", + "parameters": { + "effect": { + "value": "[[parameters('effectKvSecretsLifetime')]" + }, + "minimumDaysBeforeExpiration": { + "value": "[[parameters('minimumSecretsLifeDaysBeforeExpiry')]" + } + }, + "groupNames": [] + } + ], + "policyDefinitionGroups": null + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-KeyVault.parameters.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-KeyVault.parameters.json new file mode 100644 index 0000000..d57fe55 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Enforce-Guardrails-KeyVault.parameters.json 
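Review bot: The descriptions of `minimumKeysLifeDaysBeforeExpiry` and `minimumSecretsLifeDaysBeforeExpiry` are copied from `minimumCertLifeDaysBeforeExpiry` and still refer to the certificate, although they feed `KvKeysLifetime` and `KvSecretsLifetime`. I would reword them to `"Enter the days before expiration of the key when you want to trigger the policy action."` and the same with `secret`, keeping the 90-day example. The eight effect parameters also share the displayName `Effect` and one generic description, so whoever assigns the set cannot tell from the metadata which guardrail each one controls. Naming the guardrail in each displayName, for example `Effect: Key Vault purge protection`, would make it harder to relax the wrong control, which matters most for `effectKvSoftDelete` and `effectKvPurgeProtection`, the only two that default to `Deny`.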
@@ -0,0 +1,70 @@ +{ + "KvCertLifetime": { + "parameters": { + "effect": { + "value": "[[parameters('effectKvCertLifetime')]" + }, + "maximumPercentageLife": { + "value": "[[parameters('maximumCertLifePercentageLife')]" + }, + "minimumDaysBeforeExpiry": { + "value": "[[parameters('minimumCertLifeDaysBeforeExpiry')]" + } + } + }, + "KvFirewallEnabled": { + "parameters": { + "effect": { + "value": "[[parameters('effectKvFirewallEnabled')]" + } + } + }, + "KvKeysExpire": { + "parameters": { + "effect": { + "value": "[[parameters('effectKvKeysExpire')]" + } + } + }, + "KvKeysLifetime": { + "parameters": { + "effect": { + "value": "[[parameters('effectKvKeysLifetime')]" + }, + "minimumDaysBeforeExpiration": { + "value": "[[parameters('minimumKeysLifeDaysBeforeExpiry')]" + } + } + }, + "KvPurgeProtection": { + "parameters": { + "effect": { + "value": "[[parameters('effectKvPurgeProtection')]" + } + } + }, + "KvSecretsExpire": { + "parameters": { + "effect": { + "value": "[[parameters('effectKvSecretsExpire')]" + } + } + }, + "KvSecretsLifetime": { + "parameters": { + "effect": { + "value": "[[parameters('effectKvSecretsLifetime')]" + }, + "minimumDaysBeforeExpiration": { + "value": "[[parameters('minimumSecretsLifeDaysBeforeExpiry')]" + } + } + }, + "KvSoftDelete": { + "parameters": { + "effect": { + "value": "[[parameters('effectKvSoftDelete')]" + } + } + } +} diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/mc-customPolicyDefinitions.bicep b/dependencies/infra-as-code/bicep/modules/policy/definitions/mc-customPolicyDefinitions.bicep new file mode 100644 index 0000000..9262bc3 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/mc-customPolicyDefinitions.bicep 
@@ -0,0 +1,1367 @@ +targetScope = 'managementGroup' + +metadata name = 'ALZ Bicep - Custom Policy Defitions at Management Group Scope' +metadata description = 'This policy definition is used to deploy custom policy definitions at management group scope' + +@sys.description('The management group scope to which the policy definitions are to be created at.') +param parTargetManagementGroupId string = 'alz' + +@sys.description('Set Parameter to true to Opt-out of deployment telemetry') +param parTelemetryOptOut bool = false + +var varTargetManagementGroupResourceId = tenantResourceId('Microsoft.Management/managementGroups', parTargetManagementGroupId) + +// This variable contains a number of objects that load in the custom Azure Policy Defintions that are provided as part of the ESLZ/ALZ reference implementation - this is automatically created in the file 'infra-as-code\bicep\modules\policy\lib\china\policy_definitions\_mc_policyDefinitionsBicepInput.txt' via a GitHub action, that runs on a daily schedule, and is then manually copied into this variable. 
+var varCustomPolicyDefinitionsArray = [ + { + name: 'Append-AppService-httpsonly' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Append-AppService-httpsonly.json') + } + { + name: 'Append-AppService-latestTLS' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Append-AppService-latestTLS.json') + } + { + name: 'Append-KV-SoftDelete' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Append-KV-SoftDelete.json') + } + { + name: 'Append-Redis-disableNonSslPort' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Append-Redis-disableNonSslPort.json') + } + { + name: 'Append-Redis-sslEnforcement' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Append-Redis-sslEnforcement.json') + } + { + name: 'Deny-AFSPaasPublicIP' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deny-AFSPaasPublicIP.json') + } + { + name: 'Deny-AppGW-Without-WAF' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deny-AppGW-Without-WAF.json') + } + { + name: 'Deny-AppServiceApiApp-http' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deny-AppServiceApiApp-http.json') + } + { + name: 'Deny-AppServiceFunctionApp-http' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deny-AppServiceFunctionApp-http.json') + } + { + name: 'Deny-AppServiceWebApp-http' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deny-AppServiceWebApp-http.json') + } + { + name: 'Deny-KeyVaultPaasPublicIP' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deny-KeyVaultPaasPublicIP.json') + } + { + name: 'Deny-MySql-http' + libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deny-MySql-http.json') + 
}
+ {
+ name: 'Deny-PostgreSql-http'
+ libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deny-PostgreSql-http.json')
+ }
+ {
+ name: 'Deny-Private-DNS-Zones'
+ libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deny-Private-DNS-Zones.json')
+ }
+ {
+ name: 'Deny-PublicEndpoint-MariaDB'
+ libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deny-PublicEndpoint-MariaDB.json')
+ }
+ {
+ name: 'Deny-PublicIP'
+ libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deny-PublicIP.json')
+ }
+ {
+ name: 'Deny-RDP-From-Internet'
+ libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deny-RDP-From-Internet.json')
+ }
+ {
+ name: 'Deny-Redis-http'
+ libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deny-Redis-http.json')
+ }
+ {
+ name: 'Deny-Sql-minTLS'
+ libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deny-Sql-minTLS.json')
+ }
+ {
+ name: 'Deny-SqlMi-minTLS'
+ libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deny-SqlMi-minTLS.json')
+ }
+ {
+ name: 'Deny-Storage-minTLS'
+ libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deny-Storage-minTLS.json')
+ }
+ {
+ name: 'Deny-Subnet-Without-Nsg'
+ libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deny-Subnet-Without-Nsg.json')
+ }
+ {
+ name: 'Deny-Subnet-Without-Udr'
+ libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deny-Subnet-Without-Udr.json')
+ }
+ {
+ name: 'Deny-VNET-Peer-Cross-Sub'
+ libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deny-VNET-Peer-Cross-Sub.json')
+ }
+ {
+ name: 'Deny-VNET-Peering-To-Non-Approved-VNETs'
+ libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deny-VNET-Peering-To-Non-Approved-VNETs.json')
+ }
+ {
+ name: 'Deny-VNet-Peering'
+ libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deny-VNet-Peering.json')
+ }
+ {
+ name: 'Deploy-ActivityLogs-to-LA-workspace'
+ libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-ActivityLogs-to-LA-workspace.json')
+ }
+ {
+ name: 'Deploy-ASC-SecurityContacts'
+ libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-ASC-SecurityContacts.json')
+ }
+ {
+ name: 'Deploy-Custom-Route-Table'
+ libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Custom-Route-Table.json')
+ }
+ {
+ name: 'Deploy-DDoSProtection'
+ libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-DDoSProtection.json')
+ }
+ {
+ name: 'Deploy-Default-Udr'
+ libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Default-Udr.json')
+ }
+ {
+ name: 'Deploy-Diagnostics-AA'
+ libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-AA.json')
+ }
+ {
+ name: 'Deploy-Diagnostics-ACI'
+ libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-ACI.json')
+ }
+ {
+ name: 'Deploy-Diagnostics-ACR'
+ libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-ACR.json')
+ }
+ {
+ name: 'Deploy-Diagnostics-AnalysisService'
+ libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-AnalysisService.json')
+ }
+ {
+ name: 'Deploy-Diagnostics-ApiForFHIR'
+ libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-ApiForFHIR.json')
+ }
+ {
+ name: 'Deploy-Diagnostics-APIMgmt'
+ libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-APIMgmt.json')
+ }
+ {
+ name: 'Deploy-Diagnostics-ApplicationGateway'
+ libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-ApplicationGateway.json')
+ }
+ {
+ name: 'Deploy-Diagnostics-Bastion'
+ libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-Bastion.json')
+ }
+ {
+ name: 'Deploy-Diagnostics-CDNEndpoints'
+ libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-CDNEndpoints.json')
+ }
+ {
+ name: 'Deploy-Diagnostics-CognitiveServices'
+ libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-CognitiveServices.json')
+ }
+ {
+ name: 'Deploy-Diagnostics-CosmosDB'
+ libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-CosmosDB.json')
+ }
+ {
+ name: 'Deploy-Diagnostics-Databricks'
+ libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-Databricks.json')
+ }
+ {
+ name: 'Deploy-Diagnostics-DataExplorerCluster'
+ libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-DataExplorerCluster.json')
+ }
+ {
+ name: 'Deploy-Diagnostics-DataFactory'
+ libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-DataFactory.json')
+ }
+ {
+ name: 'Deploy-Diagnostics-DLAnalytics'
+ libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-DLAnalytics.json')
+ }
+ {
+ name: 'Deploy-Diagnostics-EventGridSub'
+ libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-EventGridSub.json')
+ }
+ {
+ name: 'Deploy-Diagnostics-EventGridSystemTopic'
+ libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-EventGridSystemTopic.json')
+ }
+ {
+ name: 'Deploy-Diagnostics-EventGridTopic'
+ libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-EventGridTopic.json')
+ }
+ {
+ name: 'Deploy-Diagnostics-ExpressRoute'
+ libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-ExpressRoute.json')
+ }
+ {
+ name: 'Deploy-Diagnostics-Firewall'
+ libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-Firewall.json')
+ }
+ {
+ name: 'Deploy-Diagnostics-FrontDoor'
+ libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-FrontDoor.json')
+ }
+ {
+ name: 'Deploy-Diagnostics-Function'
+ libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-Function.json')
+ }
+ {
+ name: 'Deploy-Diagnostics-HDInsight'
+ libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-HDInsight.json')
+ }
+ {
+ name: 'Deploy-Diagnostics-iotHub'
+ libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-iotHub.json')
+ }
+ {
+ name: 'Deploy-Diagnostics-LoadBalancer'
+ libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-LoadBalancer.json')
+ }
+ {
+ name: 'Deploy-Diagnostics-LogicAppsISE'
+ libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-LogicAppsISE.json')
+ }
+ {
+ name: 'Deploy-Diagnostics-MariaDB'
+ libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-MariaDB.json')
+ }
+ {
+ name: 'Deploy-Diagnostics-MediaService'
+ libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-MediaService.json')
+ }
+ {
+ name: 'Deploy-Diagnostics-MlWorkspace'
+ libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-MlWorkspace.json')
+ }
+ {
+ name: 'Deploy-Diagnostics-MySQL'
+ libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-MySQL.json')
+ }
+ {
+ name: 'Deploy-Diagnostics-NetworkSecurityGroups'
+ libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-NetworkSecurityGroups.json')
+ }
+ {
+ name: 'Deploy-Diagnostics-NIC'
+ libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-NIC.json')
+ }
+ {
+ name: 'Deploy-Diagnostics-PostgreSQL'
+ libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-PostgreSQL.json')
+ }
+ {
+ name: 'Deploy-Diagnostics-PowerBIEmbedded'
+ libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-PowerBIEmbedded.json')
+ }
+ {
+ name: 'Deploy-Diagnostics-RedisCache'
+ libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-RedisCache.json')
+ }
+ {
+ name: 'Deploy-Diagnostics-Relay'
+ libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-Relay.json')
+ }
+ {
+ name: 'Deploy-Diagnostics-SignalR'
+ libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-SignalR.json')
+ }
+ {
+ name: 'Deploy-Diagnostics-SQLElasticPools'
+ libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-SQLElasticPools.json')
+ }
+ {
+ name: 'Deploy-Diagnostics-SQLMI'
+ libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-SQLMI.json')
+ }
+ {
+ name: 'Deploy-Diagnostics-TimeSeriesInsights'
+ libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-TimeSeriesInsights.json')
+ }
+ {
+ name: 'Deploy-Diagnostics-TrafficManager'
+ libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-TrafficManager.json')
+ }
+ {
+ name: 'Deploy-Diagnostics-VirtualNetwork'
+ libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-VirtualNetwork.json')
+ }
+ {
+ name: 'Deploy-Diagnostics-VM'
+ libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-VM.json')
+ }
+ {
+ name: 'Deploy-Diagnostics-VMSS'
+ libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-VMSS.json')
+ }
+ {
+ name: 'Deploy-Diagnostics-VNetGW'
+ libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-VNetGW.json')
+ }
+ {
+ name: 'Deploy-Diagnostics-WebServerFarm'
+ libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-WebServerFarm.json')
+ }
+ {
+ name: 'Deploy-Diagnostics-Website'
+ libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-Website.json')
+ }
+ {
+ name: 'Deploy-Diagnostics-WVDAppGroup'
+ libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-WVDAppGroup.json')
+ }
+ {
+ name: 'Deploy-Diagnostics-WVDHostPools'
+ libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-WVDHostPools.json')
+ }
+ {
+ name: 'Deploy-Diagnostics-WVDWorkspace'
+ libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Diagnostics-WVDWorkspace.json')
+ }
+ {
+ name: 'Deploy-FirewallPolicy'
+ libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-FirewallPolicy.json')
+ }
+ {
+ name: 'Deploy-MySQL-sslEnforcement'
+ libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-MySQL-sslEnforcement.json')
+ }
+ {
+ name: 'Deploy-MySQLCMKEffect'
+ libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-MySQLCMKEffect.json')
+ }
+ {
+ name: 'Deploy-Nsg-FlowLogs-to-LA'
+ libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Nsg-FlowLogs-to-LA.json')
+ }
+ {
+ name: 'Deploy-Nsg-FlowLogs'
+ libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Nsg-FlowLogs.json')
+ }
+ {
+ name: 'Deploy-PostgreSQL-sslEnforcement'
+ libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-PostgreSQL-sslEnforcement.json')
+ }
+ {
+ name: 'Deploy-PostgreSQLCMKEffect'
+ libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-PostgreSQLCMKEffect.json')
+ }
+ {
+ name: 'Deploy-Private-DNS-Azure-File-Sync'
+ libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Private-DNS-Azure-File-Sync.json')
+ }
+ {
+ name: 'Deploy-Private-DNS-Azure-KeyVault'
+ libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Private-DNS-Azure-KeyVault.json')
+ }
+ {
+ name: 'Deploy-Private-DNS-Azure-Web'
+ libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Private-DNS-Azure-Web.json')
+ }
+ {
+ name: 'Deploy-Sql-AuditingSettings'
+ libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Sql-AuditingSettings.json')
+ }
+ {
+ name: 'Deploy-SQL-minTLS'
+ libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-SQL-minTLS.json')
+ }
+ {
+ name: 'Deploy-Sql-SecurityAlertPolicies'
+ libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Sql-SecurityAlertPolicies.json')
+ }
+ {
+ name: 'Deploy-Sql-Tde'
+ libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Sql-Tde.json')
+ }
+ {
+ name: 'Deploy-Sql-vulnerabilityAssessments'
+ libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Sql-vulnerabilityAssessments.json')
+ }
+ {
+ name: 'Deploy-SqlMi-minTLS'
+ libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-SqlMi-minTLS.json')
+ }
+ {
+ name: 'Deploy-Storage-sslEnforcement'
+ libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Storage-sslEnforcement.json')
+ }
+ {
+ name: 'Deploy-VNET-HubSpoke'
+ libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-VNET-HubSpoke.json')
+ }
+ {
+ name: 'Deploy-Windows-DomainJoin'
+ libDefinition: loadJsonContent('lib/china/policy_definitions/policy_definition_es_mc_Deploy-Windows-DomainJoin.json')
+ }
+]
+
+// This variable contains a number of objects that load in the custom Azure Policy Set/Initiative Defintions that are provided as part of the ESLZ/ALZ reference implementation - this is automatically created in the file 'infra-as-code\bicep\modules\policy\lib\china\policy_set_definitions\_mc_policySetDefinitionsBicepInput.txt' via a GitHub action, that runs on a daily schedule, and is then manually copied into this variable.
+var varCustomPolicySetDefinitionsArray = [
+ {
+ name: 'Deny-PublicPaaSEndpoints'
+ libSetDefinition: loadJsonContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_Deny-PublicPaaSEndpoints.json')
+ libSetChildDefinitions: [
+ {
+ definitionReferenceId: 'ACRDenyPaasPublicIP'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/0fdf0491-d080-4575-b627-ad0e843cba0f'
+ definitionParameters: varPolicySetDefinitionEsMcDenyPublicPaaSEndpointsParameters.ACRDenyPaasPublicIP.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'AFSDenyPaasPublicIP'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/21a8cd35-125e-4d13-b82d-2e19b7208bb7'
+ definitionParameters: varPolicySetDefinitionEsMcDenyPublicPaaSEndpointsParameters.AFSDenyPaasPublicIP.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'AKSDenyPaasPublicIP'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/040732e8-d947-40b8-95d6-854c95024bf8'
+ definitionParameters: varPolicySetDefinitionEsMcDenyPublicPaaSEndpointsParameters.AKSDenyPaasPublicIP.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'BatchDenyPublicIP'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/74c5a0ae-5e48-4738-b093-65e23a060488'
+ definitionParameters: varPolicySetDefinitionEsMcDenyPublicPaaSEndpointsParameters.BatchDenyPublicIP.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'CosmosDenyPaasPublicIP'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/797b37f7-06b8-444c-b1ad-fc62867f335a'
+ definitionParameters: varPolicySetDefinitionEsMcDenyPublicPaaSEndpointsParameters.CosmosDenyPaasPublicIP.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'KeyVaultDenyPaasPublicIP'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/55615ac9-af46-4a59-874e-391cc3dfb490'
+ definitionParameters: varPolicySetDefinitionEsMcDenyPublicPaaSEndpointsParameters.KeyVaultDenyPaasPublicIP.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'MySQLFlexDenyPublicIP'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/c9299215-ae47-4f50-9c54-8a392f68a052'
+ definitionParameters: varPolicySetDefinitionEsMcDenyPublicPaaSEndpointsParameters.MySQLFlexDenyPublicIP.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'PostgreSQLFlexDenyPublicIP'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/5e1de0e3-42cb-4ebc-a86d-61d0c619ca48'
+ definitionParameters: varPolicySetDefinitionEsMcDenyPublicPaaSEndpointsParameters.PostgreSQLFlexDenyPublicIP.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'SqlServerDenyPaasPublicIP'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780'
+ definitionParameters: varPolicySetDefinitionEsMcDenyPublicPaaSEndpointsParameters.SqlServerDenyPaasPublicIP.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'StorageDenyPaasPublicIP'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c'
+ definitionParameters: varPolicySetDefinitionEsMcDenyPublicPaaSEndpointsParameters.StorageDenyPaasPublicIP.parameters
+ definitionGroups: []
+ }
+ ]
+ }
+ {
+ name: 'Deploy-Diagnostics-LogAnalytics'
+ libSetDefinition: loadJsonContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_Deploy-Diagnostics-LogAnalytics.json')
+ libSetChildDefinitions: [
+ {
+ definitionReferenceId: 'ACIDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACI'
+ definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.ACIDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'ACRDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACR'
+ definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.ACRDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'AKSDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/6c66c325-74c8-42fd-a286-a74b0e2939d8'
+ definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.AKSDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'AnalysisServiceDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AnalysisService'
+ definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.AnalysisServiceDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'APIforFHIRDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApiForFHIR'
+ definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.APIforFHIRDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'APIMgmtDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-APIMgmt'
+ definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.APIMgmtDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'ApplicationGatewayDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApplicationGateway'
+ definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.ApplicationGatewayDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'AppServiceDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WebServerFarm'
+ definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.AppServiceDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'AppServiceWebappDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Website'
+ definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.AppServiceWebappDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'AutomationDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AA'
+ definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.AutomationDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'BastionDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Bastion'
+ definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.BastionDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'BatchDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/c84e5349-db6d-4769-805e-e14037dab9b5'
+ definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.BatchDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'CDNEndpointsDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CDNEndpoints'
+ definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.CDNEndpointsDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'CognitiveServicesDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CognitiveServices'
+ definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.CognitiveServicesDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'CosmosDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CosmosDB'
+ definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.CosmosDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DatabricksDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Databricks'
+ definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.DatabricksDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DataExplorerClusterDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataExplorerCluster'
+ definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.DataExplorerClusterDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DataFactoryDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataFactory'
+ definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.DataFactoryDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DataLakeAnalyticsDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DLAnalytics'
+ definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.DataLakeAnalyticsDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DataLakeStoreDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03'
+ definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.DataLakeStoreDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'EventGridSubDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSub'
+ definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.EventGridSubDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'EventGridTopicDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridTopic'
+ definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.EventGridTopicDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'EventHubDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/1f6e93e8-6b31-41b1-83f6-36e449a42579'
+ definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.EventHubDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'EventSystemTopicDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSystemTopic'
+ definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.EventSystemTopicDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'ExpressRouteDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ExpressRoute'
+ definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.ExpressRouteDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'FirewallDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Firewall'
+ definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.FirewallDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'FrontDoorDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-FrontDoor'
+ definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.FrontDoorDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'FunctionAppDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Function'
+ definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.FunctionAppDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'HDInsightDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-HDInsight'
+ definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.HDInsightDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'IotHubDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-iotHub'
+ definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.IotHubDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'KeyVaultDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/bef3f64c-5290-43b7-85b0-9b254eef4c47'
+ definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.KeyVaultDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'LoadBalancerDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LoadBalancer'
+ definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.LoadBalancerDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'LogicAppsISEDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogicAppsISE'
+ definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.LogicAppsISEDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'LogicAppsWFDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/b889a06c-ec72-4b03-910a-cb169ee18721'
+ definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.LogicAppsWFDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'MariaDBDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MariaDB'
+ definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.MariaDBDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'MediaServiceDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MediaService'
+ definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.MediaServiceDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'MlWorkspaceDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MlWorkspace'
+ definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.MlWorkspaceDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'MySQLDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MySQL'
+ definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.MySQLDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'NetworkNICDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NIC'
+ definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.NetworkNICDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'NetworkPublicIPNicDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/752154a7-1e0f-45c6-a880-ac75a7e4f648'
+ definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.NetworkPublicIPNicDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'NetworkSecurityGroupsDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NetworkSecurityGroups'
+ definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.NetworkSecurityGroupsDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'PostgreSQLDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PostgreSQL'
+ definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.PostgreSQLDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'PowerBIEmbeddedDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PowerBIEmbedded'
+ definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.PowerBIEmbeddedDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'RecoveryVaultDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/c717fb0c-d118-4c43-ab3d-ece30ac81fb3'
+ definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.RecoveryVaultDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'RedisCacheDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-RedisCache'
+ definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.RedisCacheDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'RelayDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Relay'
+ definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.RelayDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'SearchServicesDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/08ba64b8-738f-4918-9686-730d2ed79c7d'
+ definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.SearchServicesDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'ServiceBusDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/04d53d87-841c-4f23-8a5b-21564380b55e'
+ definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.ServiceBusDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'SignalRDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SignalR'
+ definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.SignalRDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'SQLDatabaseDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/b79fa14e-238a-4c2d-b376-442ce508fc84'
+ definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.SQLDatabaseDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'SQLElasticPoolsDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLElasticPools'
+ definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.SQLElasticPoolsDeployDiagnosticLogDeployLogAnalytics.parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'SQLMDeployDiagnosticLogDeployLogAnalytics'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLMI'
+
definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.SQLMDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'StorageAccountDeployDiagnosticLogDeployLogAnalytics' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/6f8f98a4-f108-47cb-8e98-91a0d85cd474' + definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.StorageAccountDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'StreamAnalyticsDeployDiagnosticLogDeployLogAnalytics' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/237e0f7e-b0e8-4ec4-ad46-8c12cb66d673' + definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.StreamAnalyticsDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'TimeSeriesInsightsDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TimeSeriesInsights' + definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.TimeSeriesInsightsDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'TrafficManagerDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TrafficManager' + definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.TrafficManagerDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'VirtualMachinesDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VM' + definitionParameters: 
varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.VirtualMachinesDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'VirtualNetworkDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VirtualNetwork' + definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.VirtualNetworkDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'VMSSDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VMSS' + definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.VMSSDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'VNetGWDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VNetGW' + definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.VNetGWDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'WVDAppGroupDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDAppGroup' + definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.WVDAppGroupDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'WVDHostPoolsDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDHostPools' + definitionParameters: 
varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.WVDHostPoolsDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'WVDWorkspaceDeployDiagnosticLogDeployLogAnalytics' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDWorkspace' + definitionParameters: varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters.WVDWorkspaceDeployDiagnosticLogDeployLogAnalytics.parameters + definitionGroups: [] + } + ] + } + { + name: 'Deploy-MDFC-Config' + libSetDefinition: loadJsonContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_Deploy-MDFC-Config.json') + libSetChildDefinitions: [ + { + definitionReferenceId: 'ascExport' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/ffb6f416-7bd2-4488-8828-56585fef2be9' + definitionParameters: varPolicySetDefinitionEsMcDeployMDFCConfigParameters.ascExport.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'defenderForArm' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/b7021b2b-08fd-4dc0-9de7-3c6ece09faf9' + definitionParameters: varPolicySetDefinitionEsMcDeployMDFCConfigParameters.defenderForArm.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'defenderforContainers' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/c9ddb292-b203-4738-aead-18e2716e858f' + definitionParameters: varPolicySetDefinitionEsMcDeployMDFCConfigParameters.defenderforContainers.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'defenderForDns' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/2370a3c1-4a25-4283-a91a-c9c1a145fb2f' + definitionParameters: varPolicySetDefinitionEsMcDeployMDFCConfigParameters.defenderForDns.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'defenderForSqlPaas' + definitionId: 
'/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491' + definitionParameters: varPolicySetDefinitionEsMcDeployMDFCConfigParameters.defenderForSqlPaas.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'defenderForVM' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/8e86a5b6-b9bd-49d1-8e21-4bb8a0862222' + definitionParameters: varPolicySetDefinitionEsMcDeployMDFCConfigParameters.defenderForVM.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'securityEmailContact' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts' + definitionParameters: varPolicySetDefinitionEsMcDeployMDFCConfigParameters.securityEmailContact.parameters + definitionGroups: [] + } + ] + } + { + name: 'Deploy-Private-DNS-Zones' + libSetDefinition: loadJsonContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_Deploy-Private-DNS-Zones.json') + libSetChildDefinitions: [ + { + definitionReferenceId: 'DINE-Private-DNS-Azure-ACR' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/e9585a95-5b8c-4d03-b193-dc7eb5ac4c32' + definitionParameters: varPolicySetDefinitionEsMcDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-ACR'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'DINE-Private-DNS-Azure-App' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/7a860e27-9ca2-4fc6-822d-c2d248c300df' + definitionParameters: varPolicySetDefinitionEsMcDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-App'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'DINE-Private-DNS-Azure-AppServices' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/b318f84a-b872-429b-ac6d-a01b96814452' + definitionParameters: varPolicySetDefinitionEsMcDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-AppServices'].parameters + definitionGroups: [] + 
} + { + definitionReferenceId: 'DINE-Private-DNS-Azure-Batch' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/4ec38ebc-381f-45ee-81a4-acbc4be878f8' + definitionParameters: varPolicySetDefinitionEsMcDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Batch'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'DINE-Private-DNS-Azure-CognitiveSearch' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/fbc14a67-53e4-4932-abcc-2049c6706009' + definitionParameters: varPolicySetDefinitionEsMcDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-CognitiveSearch'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'DINE-Private-DNS-Azure-CognitiveServices' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/c4bc6f10-cb41-49eb-b000-d5ab82e2a091' + definitionParameters: varPolicySetDefinitionEsMcDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-CognitiveServices'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'DINE-Private-DNS-Azure-DiskAccess' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/bc05b96c-0b36-4ca9-82f0-5c53f96ce05a' + definitionParameters: varPolicySetDefinitionEsMcDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-DiskAccess'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'DINE-Private-DNS-Azure-EventGridDomains' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/d389df0a-e0d7-4607-833c-75a6fdac2c2d' + definitionParameters: varPolicySetDefinitionEsMcDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-EventGridDomains'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'DINE-Private-DNS-Azure-EventGridTopics' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/baf19753-7502-405f-8745-370519b20483' + definitionParameters: varPolicySetDefinitionEsMcDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-EventGridTopics'].parameters + 
definitionGroups: [] + } + { + definitionReferenceId: 'DINE-Private-DNS-Azure-EventHubNamespace' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/ed66d4f5-8220-45dc-ab4a-20d1749c74e6' + definitionParameters: varPolicySetDefinitionEsMcDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-EventHubNamespace'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'DINE-Private-DNS-Azure-File-Sync' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/06695360-db88-47f6-b976-7500d4297475' + definitionParameters: varPolicySetDefinitionEsMcDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-File-Sync'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'DINE-Private-DNS-Azure-IoT' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/aaa64d2d-2fa3-45e5-b332-0b031b9b30e8' + definitionParameters: varPolicySetDefinitionEsMcDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-IoT'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'DINE-Private-DNS-Azure-IoTHubs' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/c99ce9c1-ced7-4c3e-aca0-10e69ce0cb02' + definitionParameters: varPolicySetDefinitionEsMcDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-IoTHubs'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'DINE-Private-DNS-Azure-KeyVault' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01d4' + definitionParameters: varPolicySetDefinitionEsMcDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-KeyVault'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'DINE-Private-DNS-Azure-MachineLearningWorkspace' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/ee40564d-486e-4f68-a5ca-7a621edae0fb' + definitionParameters: varPolicySetDefinitionEsMcDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-MachineLearningWorkspace'].parameters + 
definitionGroups: [] + } + { + definitionReferenceId: 'DINE-Private-DNS-Azure-RedisCache' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/e016b22b-e0eb-436d-8fd7-160c4eaed6e2' + definitionParameters: varPolicySetDefinitionEsMcDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-RedisCache'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'DINE-Private-DNS-Azure-ServiceBusNamespace' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/f0fcf93c-c063-4071-9668-c47474bd3564' + definitionParameters: varPolicySetDefinitionEsMcDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-ServiceBusNamespace'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'DINE-Private-DNS-Azure-SignalR' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/b0e86710-7fb7-4a6c-a064-32e9b829509e' + definitionParameters: varPolicySetDefinitionEsMcDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-SignalR'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'DINE-Private-DNS-Azure-Site-Recovery' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/942bd215-1a66-44be-af65-6a1c0318dbe2' + definitionParameters: varPolicySetDefinitionEsMcDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Site-Recovery'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'DINE-Private-DNS-Azure-Web' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/0b026355-49cb-467b-8ac4-f777874e175a' + definitionParameters: varPolicySetDefinitionEsMcDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Web'].parameters + definitionGroups: [] + } + ] + } + { + name: 'Deploy-Sql-Security' + libSetDefinition: loadJsonContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_Deploy-Sql-Security.json') + libSetChildDefinitions: [ + { + definitionReferenceId: 'SqlDbAuditingSettingsDeploySqlSecurity' + definitionId: 
'${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-AuditingSettings' + definitionParameters: varPolicySetDefinitionEsMcDeploySqlSecurityParameters.SqlDbAuditingSettingsDeploySqlSecurity.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'SqlDbSecurityAlertPoliciesDeploySqlSecurity' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-SecurityAlertPolicies' + definitionParameters: varPolicySetDefinitionEsMcDeploySqlSecurityParameters.SqlDbSecurityAlertPoliciesDeploySqlSecurity.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'SqlDbTdeDeploySqlSecurity' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-Tde' + definitionParameters: varPolicySetDefinitionEsMcDeploySqlSecurityParameters.SqlDbTdeDeploySqlSecurity.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'SqlDbVulnerabilityAssessmentsDeploySqlSecurity' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-vulnerabilityAssessments' + definitionParameters: varPolicySetDefinitionEsMcDeploySqlSecurityParameters.SqlDbVulnerabilityAssessmentsDeploySqlSecurity.parameters + definitionGroups: [] + } + ] + } + { + name: 'Enforce-Encryption-CMK' + libSetDefinition: loadJsonContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_Enforce-Encryption-CMK.json') + libSetChildDefinitions: [ + { + definitionReferenceId: 'ACRCmkDeny' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580' + definitionParameters: varPolicySetDefinitionEsMcEnforceEncryptionCMKParameters.ACRCmkDeny.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'AksCmkDeny' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/7d7be79c-23ba-4033-84dd-45e2a5ccdd67' + 
definitionParameters: varPolicySetDefinitionEsMcEnforceEncryptionCMKParameters.AksCmkDeny.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'AzureBatchCMKEffect' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/99e9ccd8-3db9-4592-b0d1-14b1715a4d8a' + definitionParameters: varPolicySetDefinitionEsMcEnforceEncryptionCMKParameters.AzureBatchCMKEffect.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'CognitiveServicesCMK' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/67121cc7-ff39-4ab8-b7e3-95b84dab487d' + definitionParameters: varPolicySetDefinitionEsMcEnforceEncryptionCMKParameters.CognitiveServicesCMK.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'CosmosCMKEffect' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/1f905d99-2ab7-462c-a6b0-f709acca6c8f' + definitionParameters: varPolicySetDefinitionEsMcEnforceEncryptionCMKParameters.CosmosCMKEffect.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'DataBoxCMKEffect' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/86efb160-8de7-451d-bc08-5d475b0aadae' + definitionParameters: varPolicySetDefinitionEsMcEnforceEncryptionCMKParameters.DataBoxCMKEffect.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'EncryptedVMDisksEffect' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d' + definitionParameters: varPolicySetDefinitionEsMcEnforceEncryptionCMKParameters.EncryptedVMDisksEffect.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'HealthcareAPIsCMKEffect' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/051cba44-2429-45b9-9649-46cec11c7119' + definitionParameters: varPolicySetDefinitionEsMcEnforceEncryptionCMKParameters.HealthcareAPIsCMKEffect.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'MySQLCMKEffect' + definitionId: 
'/providers/Microsoft.Authorization/policyDefinitions/83cef61d-dbd1-4b20-a4fc-5fbc7da10833' + definitionParameters: varPolicySetDefinitionEsMcEnforceEncryptionCMKParameters.MySQLCMKEffect.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'PostgreSQLCMKEffect' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/18adea5e-f416-4d0f-8aa8-d24321e3e274' + definitionParameters: varPolicySetDefinitionEsMcEnforceEncryptionCMKParameters.PostgreSQLCMKEffect.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'SqlServerTDECMKEffect' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/0d134df8-db83-46fb-ad72-fe0c9428c8dd' + definitionParameters: varPolicySetDefinitionEsMcEnforceEncryptionCMKParameters.SqlServerTDECMKEffect.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'StorageCMKEffect' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/6fac406b-40ca-413b-bf8e-0bf964659c25' + definitionParameters: varPolicySetDefinitionEsMcEnforceEncryptionCMKParameters.StorageCMKEffect.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'StreamAnalyticsCMKEffect' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/87ba29ef-1ab3-4d82-b763-87fcd4f531f7' + definitionParameters: varPolicySetDefinitionEsMcEnforceEncryptionCMKParameters.StreamAnalyticsCMKEffect.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'SynapseWorkspaceCMKEffect' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/f7d52b2d-e161-4dfa-a82b-55e564167385' + definitionParameters: varPolicySetDefinitionEsMcEnforceEncryptionCMKParameters.SynapseWorkspaceCMKEffect.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'WorkspaceCMK' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/ba769a63-b8cc-4b2d-abf6-ac33c7204be8' + definitionParameters: varPolicySetDefinitionEsMcEnforceEncryptionCMKParameters.WorkspaceCMK.parameters + 
definitionGroups: [] + } + ] + } + { + name: 'Enforce-EncryptTransit' + libSetDefinition: loadJsonContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_Enforce-EncryptTransit.json') + libSetChildDefinitions: [ + { + definitionReferenceId: 'AKSIngressHttpsOnlyEffect' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d' + definitionParameters: varPolicySetDefinitionEsMcEnforceEncryptTransitParameters.AKSIngressHttpsOnlyEffect.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'APIAppServiceHttpsEffect' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http' + definitionParameters: varPolicySetDefinitionEsMcEnforceEncryptTransitParameters.APIAppServiceHttpsEffect.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'APIAppServiceLatestTlsEffect' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e' + definitionParameters: varPolicySetDefinitionEsMcEnforceEncryptTransitParameters.APIAppServiceLatestTlsEffect.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'AppServiceHttpEffect' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly' + definitionParameters: varPolicySetDefinitionEsMcEnforceEncryptTransitParameters.AppServiceHttpEffect.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'AppServiceminTlsVersion' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS' + definitionParameters: varPolicySetDefinitionEsMcEnforceEncryptTransitParameters.AppServiceminTlsVersion.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'FunctionLatestTlsEffect' + definitionId: 
'/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193' + definitionParameters: varPolicySetDefinitionEsMcEnforceEncryptTransitParameters.FunctionLatestTlsEffect.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'FunctionServiceHttpsEffect' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http' + definitionParameters: varPolicySetDefinitionEsMcEnforceEncryptTransitParameters.FunctionServiceHttpsEffect.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'MySQLEnableSSLDeployEffect' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement' + definitionParameters: varPolicySetDefinitionEsMcEnforceEncryptTransitParameters.MySQLEnableSSLDeployEffect.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'MySQLEnableSSLEffect' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-MySql-http' + definitionParameters: varPolicySetDefinitionEsMcEnforceEncryptTransitParameters.MySQLEnableSSLEffect.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'PostgreSQLEnableSSLDeployEffect' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement' + definitionParameters: varPolicySetDefinitionEsMcEnforceEncryptTransitParameters.PostgreSQLEnableSSLDeployEffect.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'PostgreSQLEnableSSLEffect' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http' + definitionParameters: varPolicySetDefinitionEsMcEnforceEncryptTransitParameters.PostgreSQLEnableSSLEffect.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'RedisDenyhttps' + definitionId: 
'${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Redis-http' + definitionParameters: varPolicySetDefinitionEsMcEnforceEncryptTransitParameters.RedisDenyhttps.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'RedisdisableNonSslPort' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort' + definitionParameters: varPolicySetDefinitionEsMcEnforceEncryptTransitParameters.RedisdisableNonSslPort.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'RedisTLSDeployEffect' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement' + definitionParameters: varPolicySetDefinitionEsMcEnforceEncryptTransitParameters.RedisTLSDeployEffect.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'SQLManagedInstanceTLSDeployEffect' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS' + definitionParameters: varPolicySetDefinitionEsMcEnforceEncryptTransitParameters.SQLManagedInstanceTLSDeployEffect.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'SQLManagedInstanceTLSEffect' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS' + definitionParameters: varPolicySetDefinitionEsMcEnforceEncryptTransitParameters.SQLManagedInstanceTLSEffect.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'SQLServerTLSDeployEffect' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS' + definitionParameters: varPolicySetDefinitionEsMcEnforceEncryptTransitParameters.SQLServerTLSDeployEffect.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'SQLServerTLSEffect' + definitionId: 
'${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS' + definitionParameters: varPolicySetDefinitionEsMcEnforceEncryptTransitParameters.SQLServerTLSEffect.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'StorageDeployHttpsEnabledEffect' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement' + definitionParameters: varPolicySetDefinitionEsMcEnforceEncryptTransitParameters.StorageDeployHttpsEnabledEffect.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'StorageHttpsEnabledEffect' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-minTLS' + definitionParameters: varPolicySetDefinitionEsMcEnforceEncryptTransitParameters.StorageHttpsEnabledEffect.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'WebAppServiceHttpsEffect' + definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http' + definitionParameters: varPolicySetDefinitionEsMcEnforceEncryptTransitParameters.WebAppServiceHttpsEffect.parameters + definitionGroups: [] + } + { + definitionReferenceId: 'WebAppServiceLatestTlsEffect' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b' + definitionParameters: varPolicySetDefinitionEsMcEnforceEncryptTransitParameters.WebAppServiceLatestTlsEffect.parameters + definitionGroups: [] + } + ] + } +] + +// Policy Set/Initiative Definition Parameter Variables + +var varPolicySetDefinitionEsMcDenyPublicPaaSEndpointsParameters = loadJsonContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_Deny-PublicPaaSEndpoints.parameters.json') + +var varPolicySetDefinitionEsMcDeployDiagnosticsLogAnalyticsParameters = 
loadJsonContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_Deploy-Diagnostics-LogAnalytics.parameters.json') + +var varPolicySetDefinitionEsMcDeployMDFCConfigParameters = loadJsonContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_Deploy-MDFC-Config.parameters.json') + +var varPolicySetDefinitionEsMcDeployPrivateDNSZonesParameters = loadJsonContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_Deploy-Private-DNS-Zones.parameters.json') + +var varPolicySetDefinitionEsMcDeploySqlSecurityParameters = loadJsonContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_Deploy-Sql-Security.parameters.json') + +var varPolicySetDefinitionEsMcEnforceEncryptionCMKParameters = loadJsonContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_Enforce-Encryption-CMK.parameters.json') + +var varPolicySetDefinitionEsMcEnforceEncryptTransitParameters = loadJsonContent('lib/china/policy_set_definitions/policy_set_definition_es_mc_Enforce-EncryptTransit.parameters.json') + +// Customer Usage Attribution Id +var varCuaid = '2b136786-9881-412e-84ba-f4c2822e1ac9' + +resource resPolicyDefinitions 'Microsoft.Authorization/policyDefinitions@2021-06-01' = [for policy in varCustomPolicyDefinitionsArray: { + name: policy.libDefinition.name + properties: { + description: policy.libDefinition.properties.description + displayName: policy.libDefinition.properties.displayName + metadata: policy.libDefinition.properties.metadata + mode: policy.libDefinition.properties.mode + parameters: policy.libDefinition.properties.parameters + policyType: policy.libDefinition.properties.policyType + policyRule: policy.libDefinition.properties.policyRule + } +}] + +resource resPolicySetDefinitions 'Microsoft.Authorization/policySetDefinitions@2021-06-01' = [for policySet in varCustomPolicySetDefinitionsArray: { + dependsOn: [ + resPolicyDefinitions // Must wait for policy definitons to be deployed before starting the creation of Policy 
Set/Initiative Defininitions + ] + name: policySet.libSetDefinition.name + properties: { + description: policySet.libSetDefinition.properties.description + displayName: policySet.libSetDefinition.properties.displayName + metadata: policySet.libSetDefinition.properties.metadata + parameters: policySet.libSetDefinition.properties.parameters + policyType: policySet.libSetDefinition.properties.policyType + policyDefinitions: [for policySetDef in policySet.libSetChildDefinitions: { + policyDefinitionReferenceId: policySetDef.definitionReferenceId + policyDefinitionId: policySetDef.definitionId + parameters: policySetDef.definitionParameters + groupNames: policySetDef.definitionGroups + }] + policyDefinitionGroups: policySet.libSetDefinition.properties.policyDefinitionGroups + } +}] + +module modCustomerUsageAttribution '../../../CRML/customerUsageAttribution/cuaIdManagementGroup.bicep' = if (!parTelemetryOptOut) { + #disable-next-line no-loc-expr-outside-params //Only to ensure telemetry data is stored in same location as deployment. See https://github.com/Azure/ALZ-Bicep/wiki/FAQ#why-are-some-linter-rules-disabled-via-the-disable-next-line-bicep-function for more information + name: 'pid-${varCuaid}-${uniqueString(deployment().location)}' + params: {} +} 
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/media/bicepVisualizer.png b/dependencies/infra-as-code/bicep/modules/policy/definitions/media/bicepVisualizer.png new file mode 100644 index 0000000000000000000000000000000000000000..c0ab41e8ef7f281d18f19c6759359b83ead78b6b GIT binary patch literal 30349 zcmdSBby$__`ZYT3LR`xNQNbWYQUMDA6+s%M8x1YX%rCw0cmL! z=@RKaMbaXsC73Wc&!T!@hCm4h{A zDU>}F@w2BDt_KaY+By1+=Pu4q@)_%;NHMRwB(5U7eeK!p3CmyHxUsV?yS`o`LCvI& z-pFBK__~@y{CJRk!|O@Av=AMC9k&FICb`cKCDl3V<;<6z^}DoAa?c(1Cr?Zcd+U0s zCeCi69yMO+bH%Hqpnuw9lXt-6B+r(hpVu8U+mo(!`YH!{{TQA0S-Wl9wtXHae|_Bl zzy6VP^J6NbMOepw{tLOc3x# zsrvj6f93b^;d(^{1xEHK|83e&{#t#oa-X7 zOO+hIUq-N({ttg8DI#+B;K75Nw~PJftdqxG;j8b-7+UH7s_6e>-9P_d*Zr&R?Y|#h zZhPndj#qvhjVmY=?k7}*PilI7iaRb`xZvr!i6QaPBdW|+Q`LleU5_=CXeK)M*wj?{ zw-?V_TU*B_CMumfchBD5-b;XvLRnGq(>_-(!q4@JWt7G1_~3H_gxiu*;EJ@H$vC$Fa$g#q^Q^NZ^1GfGfR z6@7b=yK(<=3iloo3%YY#S~SW-g|vlTsV-c(5=p)LM1%ov;6O5EPguNC+{1?t6*M&B zv$9SkXypdpB47S0OC#}|x4=pYWuA$jUtL+-Dg7`HPr7x#Qe8uXwQi3w7tE+ik792afyN!z*Ew zqf4{wmT}*~Bg&&+;nQj=i@&Cfu`RvHpQ`Zlmt-Bjt6#VWTQa>bZzxz*$SYk}SH~(K zpc#J7qyFc&LhGK-VY(ixD5vtjVci$lmFT4!R!4}hUwu0^CPsYX7=`<5Y;5dS>U-8z zA~Z}6TPc*8ZCE2;b9_8K!*1PLKG>A*=KaSqjVCXvUdG17@!1ThL`Ft3IqbrP?vXEE zoWazs+raocGUvQ~l5z3v^6`lYT*`JSfbzs>`OO>l4i1WHYWDRzZqJW~{I#FiNo3#r zn)a`-w$U{QV?I6ae7Er1oh!>v#rF2~$sOCJbm`K! zThR}jY;OT%$azUu|aBV$}^*q`3f zF^*L%ipR!vQnIUMXWmpXWNQe2@HZTO=29JUbRnYtw&IGDtT#3kU0lpz`739u@1r^K z_^-)dEvyxLEkfU5LTEltRNFo?Xoo7p^mSXA5YDXLBiqWgo)2~iRAr%y`fkDEqz zQy=etxw?JUelbHf?%JfyUE$VsyEdOX_>9lkFGwcZk5e;n-~xrxLo<+x-QlG&XyYEt zr`*}#Bqz+G@X;tERKD&0!(O_>&bMOg7esuM6689DcCQP>2BFaAkdYNzUU}a$>-)kz zUdQUKs)LX3bT+k``f56bf2hn11 ze^`5U+Lsd*Mz#h6pE75rI)v(cwWp6BPd&Lpa7BcfW5>>>H`l`RW?P4uNdUMpx?b6I z8RhdPcBMEAQJR>6z@3VRC+Uv!tT`9PJCY^)@?vRGQ_h@ntdmRb3H3lP0lDf{hvD3r z?=<<>-!<&_y#ILD@fSk#y|VU$=?zwhKbC66+>ZnoeIhOuy7oR`3Hki;LU@|vw8i|S z%i`qmgln96^MhvnfyRj>+UCvFB^~@@t>X{Nl+@Jm_giFNrll!x<!UTJ zR3{y!LvFoQHk#ibR~YlHQ=T`+@!>>*o#ybu_jT6k=^y9r$#tAbHES0XnCS^OGBI&? 
z85|8=%o)lVm5~lUp?I|IdU%NAFY$n=fLDAT^a8O(ZZs_H!x|?izUbHwBp1s}*&7CtZEnXz7yi8Xf*Z^DONJcA8V zaQq|fVTBqRm(x0&*=J16OflTXy_v#RBl`I-tEb)4#;4m2+S|31BUpR}lD#--sf@ZS zf&-75g&-07hJ=I+cw%Y(TtQct*qYjjQ;v%RU>`0_rp#z1!w0xs>1UJ zwj$8gxGZ$L^cCD(5zW^;G9SG#VskdTHBsD~xwnFUxYmbN9tneKH(OzwUH9(!nTC8N zYwPrP-+rF!;?m4g=v`^I!CTs74Nn+czbJAX<3b@UAk)DC8}CpMeqYr1Xckh8IQz0dQ$&2U=+ z!{StNQO0Gk2q3p6$pVzcVp6cFkJRboVQ39v&X+22I--tka~NUw}>z zb(2*X#r-ub9^_4=CmDWvdMGw2slks!-6td@F(u_Nhib~%j$)674iBM3^JDQqN z9vc-UirY_7VW$&v&e_hX@sd?Os)t2r`hk|q{CI?EnxJ)`f~I9TAK;MvWUDPfQou94 zL)pWAh2K6`x-5*!3uffyX&KkYdjjU#*<}I-y*6!)#nRg?U_Z8BRzB#Ej%(gnBv(vC z#90mwj;2?agy;0-<>X!fsh?$2POO!6nUNO}G=F}xT(72ZlTbWXR!nTH#5Z#lCMKpp zUPG_E>2kBas&fo=6N9+@D_5?}RM_T)zk7EENUo%Nw4~R{=*LG-09H9YJ!X;&x{s3p zSaC*~Jt{X*s?KJ$0v%PXdCx0d4_9 z13PgYt5;7Z*kM(M2k_`ic(u7KI$=~4lr^n=Nh||U>}|+j zNLPwi2^$(R-QgOB1YlU=#T1AfY??oBL#FfB?3xLIxpPHDMfM{_H0fBmxI^;JGVO&F z?2Qu~YH4CF(`DLLKfk{97PPI2l5Wa#%I3`cu~`79uy1g%u0~cU!D)7a6?;B9y4$B; zjeWb*w+-6ouU$(9K8$Axxqb$#0CC;W&@gM{!_M*PN*Ar8tybQE*<;m`T;q1mGBS^u zWrAJ~yDS1Q%ufO)@?I(3>eR8b{ru_EH@hlBlS)e^R1=iQ&FFl1RE2yO&9LzEo{@pU z6Vw#VgGyRjA$|S*Tc-V%1Ebvsw7ije#r7pXzp{Gx1;yd!IM#4cwpLRQZ9^Z4%gHYT z)zs2EPr1jo9*T?6;A8QS2UtUmq zb@3(%0JwLPmNyr;a(><#u*o*f9aln>G#c-#n<nz4o(ekzp^I1N165~NS8PtsoKL3`W70BoHb_EJvJTK}*lE}SrQc&0E?TO--ssSJd;wWfn%I9c$a(Q?ZEaIJQZ=<3 zxN@E&uJbIQYN|IxK+BqFGFFt6+xM)TIlGn9qjZ`AxbvWUWcJvQ9e}0yj)Tw#r!Pe}I$_Ai6 zM9V9wjikguY7PCFvu+FXM{cT(41yY1)lIn$87M7Cq2@4@c`hk`A?vkSdz-#X^d=B8 zpFLdWIs~mzM`}U%DmwcvnnCg-kA17)yC$zDvHNU?_<>2zsg4 zX*TO4A+of1+5Y(WXZq{cr5z&&_U{kZuFvgx;f9!)W>^y?SX3{xgqfy0{f!YB>5iHP zAw2J13~3*3&|diEza_--=hxE#QLNFUUj_?MSo`|=lB$2rat_fo}QMFl~o1<5EvLJbG-QG ziZxr^ihP2Dowg63`Mz@b%`FqDhow_173Jo`oV2<^t?ZJ2tKZ!Bo;T)ZNz}9aY2#n_)%N;`seOLPmd~v1ef26s5(b+yjHiEfMr%Ib)lgp_g$N!Q z9c_%5(v)f0EzWS%wB?v8yWa+z%IFUtM9F}Nh=@cxewrHT=(NcevSLW%NwyhOOVG~O z(kXsi_wMcn>(TO~##Jvw$d@euNrhN0+`anBrOo>{y&1yfxncM3m-KeG_nL9v*VFA4 z8{$r|j4&>~85>bv)!Z7nQT=t#ri4p_4^(P(RJ@Or1t2Qa*C(iNdvKQb+V``*etsd> 
zKD@oXW*ms@Ba-JgbAz#-Dt+s+9%NTVZEY^l0da|0eGwk4TwD#cG4k8i-yK7~4;i8B zzFq$8C>zED!IuunU7W!Z1x#tDg(2CwxvNI5j!jG$RfY)66f!J42Xk~hSjH~5?T)T? z&+6H3f!|aHjZFxX;+nsz-keP}_4R(Ab1e1J`@X)ano$?NO*gl&Wx}_Qt2OxaZUfUg zN#8YNdFA0e*)oRa+|u&u8K#ORCJ7dnmg%}Bo6AE4)Wb#H<&c5M4hN8^agyPj`{kb> z&oK9OP2eFN(Yb42JuoHVgu$8m`Hd&fsQ(QK6-K6}^`8QG#(Tm&j7oi253;k@e)QZ= z@`lr(v9>q%GU8jh&0tfiTF1>b^q&zv613;O(|~EiZ`N?$Y}%#5)$@JI`Q+=_w*xS$ zMIb=SlTs{7`k9TAv6D|nG_#(bUf*{&u6lg9qLxxY-5g0ix$OtiS3zJ5Pg%_`wd0uhLTh6L&yIPe)W!>9Z4 z4^T-Kl9!iLP5eUv=@24!^~2W0ioN^OGI^f2oH`#Vu(xxpBj#cHJ?fH%s)U)RB7bIQ zx7Y7jtEi|rGveVAzlOo_yf=$%y~|v&%S+H+RR#)(^S|tKPgwPwpBtgRCv4eWQ8(6G zQ`gcGufom@x+5rP7g@P+%1MI#7RIev)=MxylFLcFLE9ylGkf50dU|>ZHx&pwHXa`N z;rzusPzp0)(LByiM>>kjdaXW4vip}sB7&9}r5m9NM*Q=yGpa)ZL_u){A=cmDmJDLy zy-jhiUn|jQT6qq=>7XW=asAyhOBir|b~1GAc-VO{p~dOS@q!hb3_z03WVp;8<>TXH z-TdGH$VNLmyAu{a?xTiT==RC53BeRtVI9lji4={E<1QyZ{WUsDHazZIv%eupDB2O! z?G&jHxj$F))a~mX9OCR$9;zLyUY9~AdPYWxS6W^(_;hZ5oE*P~o!3D1SAkcDICoLA z{jv6CYU=2n@}fwcBr+mR$vXG)e)%T#075CEppvRl*z?C{prSRT^cgA6pZir-T2fMl zsYE(SQelq*J~6`Dn8BiG=q}CdP@c51wGFlTmTpvckigW*Hiskv!vGTj=6XS2&J=Mu zhmkbQHCHXC2yYEnk-rkoz{~wG%2Uk;Zt}T5XKwbA0K{eaPS1}fLBta@Zk31 z%u42x>)-q3oUG5JP#BBjRa1Xhok+Lpt=9Ee4&wJKsTRCSULEl9P7)B<%Qtpbao5%Q zpDjGux$N8B`wGH@n>JI$@#!51e13TYs&uhc1UOJFkK&Qu?R6wTZYVD|@PuA`kWw7` z_A=JcEpDRQ28OC;G_w^tOFeaG+by4fkG!#A4Jl1--~T3~-2ZfQf{AgxSYhp(Pf~#L z!9U+j_~{LrYcc`yR;-q^>iNI~`U(&=jW@H~VG9X7em? zACxD3UjkMDf^+h4NEdE6S4K0SbWtVj>XC(Z3^2ufmka-D%Ec!sVs!ex57~>IFERM} z_N)Q6Yk>guJd#b~`Os0`ypN>d%jxD1tD)gSXlp9yXy7r%+N-SYwR0A=;IrH5V? z7qM=;q0jiIBk$9i;w2_^Kl*<2%a4@4spR6~z82R}Ni2akPx)%|vgF+KmhLAy$!b5! 
zD}DKSG;hA9zI#g(s>TDlEx7bAh_l=+;*y_E#vZ*L#fdEvE2G(@ZSD!@hR{!|H`Uf` zlQ@4EmvSFly3rd{;x^*m3B{!en}%pY*KUs!G3@0$u4%abwe8E?Ohvs%8@tJfI}=jt z;*E%%a$$Sjlf@<$4AKP)UeT6*8acqxn(#bdSabJjk^NN*+O*^@PW^{ww^}#^3tOc= zGo|m#;5~*^iH?L7@>l2gXV)YS>^)8=cT6fVe(a{^u2ZEu|KWE%^}YX3(w5n)A570g ziYICU4SX$Dzxh0~r;z)Hn5EIj`(b^hYfIZ(qQs8vt2yanraaf+GOwJTk43k`Kx6@mSsLkSMFZv6ZAs(PBA#h|a6UnXK-80{D|^1dN* zrtePt@y`p%Ex1!R8m@Z6ty=ZU)z#KA>bigWBvl^3b51@=>Vl}KD^-Vzo88pUOQdEQ zA0LknCK(w#1Ii+06B84!i1>JR!oMJ;I7zUhqHAi(b)pac+Y4|ov@+U#=h4{6$j(Py zuT|KyX8Pjz944-sG^U8SySo#_!PlS>o|eWtKcFwiS#ZFQvNZ#id4?h)G)7qQt*!N51DguYAo%fOK< zoqA=#0g0!cY2SSPSl6RADJwfW-J(;XanJ^fg@xS~c=RBUVD@lc9MX@h7iy9Ow!}AQ zWV!?9*F6<*cnzS8JFz&ET>ItAOMfkU@q~l~j5V0PtnUxmc=aoG0k<1Ard+`Q2o4hA z4`u5M@UcW#Jm*30i=^+l{~T((+Nx_aF7zm5+OBtOB;3dPmCL;zYnEG&*C|WNg<8aA zWvR&uPXD;4)ynq=-Oio3&(f*TyHLgmwJRRH4&12#i65H_I9V(ANxu>sVr;*4o%t$t zc8>7qkBU!E@-w9cTEj+v`2ofFeU_8-Lhe^oQi{60W|L8QAm2#y0Lrg4+u=5z3d>`= zM$~r-9oYQfCG#M94vueY3gU(XlXs7H*Y?@Y6WkA4oXIghrEDHM% zmd~PMPVM=F>vhCp?#B9W$1a7mwP_JT>`{YQ8d5RJU~5}j$;}!2mQ$X5CneaiHQUAQ zTzQ-92SV#T96x;hVHM44dp7TkX6yRbGj&_&-mn>CwM5AT$6^sqI|_oq_}D)V8n+k7 z5(R@~sQNExqzb^8KnGAU{{jf8Mf7vxr}jK6j{>#?9ow6b(I$tj8KL8FY8wp=siQ~Y z!CSseNRZybEOlO5+8xzAePyy*LKXnZm2@?05KB`hk2K#~^ex3&%gNCI==Q2JQp6qx zK#pu`Qaiqjn(QN}1{TM51s=DI0!ld$S~(e(u~T&4p9FOfwg#0CpW~D{SX+q`HnXiF zG@4t5RKjv|HLdf>? zJ|WbB3kU8Qlz_bbO!A6NxJFS`H3m}N)T|(?SORbQ>l4VogAD$y@TMC#Bnk@kgD5rl z^6C=Q(Z1f^s>i$e5$-0#g!UuBW-ZO9hr=Wk)P|-qA#bb`iA)KRnC%pJ3*b! 
zAdoBIUqMz4LP^fok7Z@@d;S1_;92(hNy~ zvoJr~;lXg^>QmHr2Nji-jXOTLH)WWGVs6q5s`e#lWXk2{=CZ^Onja$^6v`|9JkP9# z{yLB^W6kXgN>G95c=R4=aQfpbh?QWku;2SOHNb=SQ2)*T25U& zp;b>0>1Ry5SeCX zs#u51tN&pWDUQ+e?W*RaL8BuHKVGlYgej2UHgRDhBR{y_o=hwuDv5QYQfM&;VY0z4{0Cp3) z;QpWct+4HkfZu02xm;qRL+mApp8(@L{%!-8L3^Il$mEakG!%G7>80Py#k{t&t2`&% zH6kL`nm3+6QCTyREh$G1@YWv6%@|>6ZCkC$!f_st(ZLS=)A}3{uW#wAo9(z4)rK;@;rGMsO2K=;xxB+TFap~Lb-p;<7P~i zy~mLlr$*Vjg?Y0BS@{;H>U|c5O>Byf@|c1BM8@2ipY^fRf^b%HIy&Km()loH33!Dv z(;x8;J|={0K?@G7PzVI2!;}4HF0;?xebZqPwSlUH8j_T*xU+-z3d4{i5q>`o+8Bdz z{53mIBD-T3(I+yyL*yZWkq6=*dLvvDE$cBH%m?WPNI|M|<{I2D_yfzQE&DmFSy?j2Mv}tAg`*4)f?L36;+eooPp;ePyJq<^%rSyb zX6w+DuVD1|k?TLk?Ll-{mwGR2hX6xre~2k+`Odi~={*Q1jjcD)cwJ!Y`k0gyxoq3v zdgLimgGsB`=b7N~g&c^C4)zaUimcN^ z*d7GTnUfVp>9Kiv3y($%zrBLwU)^mCra~!hJgAfd*%$;0A{sXC)Scns_Iz#mXc_47A# zkoth-BH{yeRo6tQBYE1uHj9$ z8|{+U8*0vwT_S^HWSu0S)txZ^dTK7>1Bd$SAoG3NprJ!kt{(xw;?w&?o1T_Nh$Vnm zcmiS*5)`GS%h&bqZhtOtLB=MfBLLpB!&Ds+LTjRHScz0(IdgC4)2J9Y#T1(}%o;GB zgl-@<3VV?MveTB>lQAA77O%WNK4DZm>=!%Hns4~2bCj<$s>mX{rG&n}Fd)j_$hdYS zJGwSoC-w3mL!O9(BPLef_w+ zJi)x_*?We_ZCD4c)VmLQ6kC>dPdN$_$&bvKxcCFG?m{VhNN{K0?p z2uV<>`$p%nGr{mpWJ(NKVKjhJ`@X)tO~+^CL$Z?QwW4iH0#ET5OAN%>L(iZ&S)T@)@(ugRTlan*W`k;8S2ww&_ z8Ofm7E8~ro&PqFW>;RIp$kfQ{3N!{=GCt947OE6h0}TuMQ%T22&rE-kKk7Un7ASjy zaI+Lo+F>Zv4 z6D^O@ObH?*FfQb$#5dp9YdVeBjRYW!Ts@*b=ku|n^Ql#Q5C1|A$|n-R*|eu0a^_84 z&cz24gM(C!4@980TnD~O?^bHsb^4Oq$8UD)Ol`DaTm!-0};t4 zd;U&b4zxAAi{J-@VCZ%^l@2_BeuM4#`IRR389Jvz1MrmqxF}u^(z%CJ)oG*P8#gBi zV1Cal7Z0u6;qC6ZLweFdF2UCnH`v2zk;A?b-@PLS8I-%0rh zK+5SaiHcAy*WTK(GMcdJxFeKKF+}Pxlq4g<%Tcfq&OY;S98D^@yW{h5C4MY>7^@Mpv^BJ2FiTP@ANb73r6$Z&F~)hps#;l2Ji?RlfQ z2z%)P* zgp>3{71y8OefEJ2-2J8X@-hl7GXWxpfCu17@~xwzSCUn}@2qqi^d6>wYfdK>-v@+bih} zf6WuXn9c5=j6BiU>%?L?cPF>wF};BOJDr8(xf45Zi(qwtT|iw3iYV~XxzikBVA}j3 zsQwenv(DQ|9adJ>)=oWbI-X)b?s#truj*MBy?$oid3t_fOGtZteSLHg${nF^-Sy4Q z4%Ia~HUY}KYdCS@gp8e0WW@Ex$>DNat1JpoZfgcBUW`RbXWpGrSC04Xkho$Ql=dJln?A0AOLn6zDUBucf z-zbhKoUon#u~@bLVLJWpF=gY8q69t9O^>3wVF3aKl1yfuw%haDi14^Qv9YFRe<63; 
zwGL5nxdU6jcT-VLtzYu-t$P=Ix^8~nI^nvldsNHl4Q35N*?`95C;U0O%MBFZss5Ee z6@SJohrMX^H*t5CKbJ_6gK>5CYAm~{eGp9%O8dqew8@;qioAIbF{3d}v)qO?kg_GTMzMry1hf=>RvN)!R-xNwbZ%{}l(ofCo{MmWy`nzdHb+Ni0 zRp$WlohMR5nH;Eq+k;lC170)2AH>A?cay{t;i@PsEPN(qCfG2xF+)7Tw>iyrus?9V zU_YIp)s&%7uFm|4RW1uoBF~;N@=R38Qf}~Ye-Rok`Q1ZO>G$#O4s3_mgS_dS-zx41VH6kc+xi2&F`E1bMeAYuG_{P*7)Z=jqD}#WE|-qf>5J;JxkUt z`T75#Ip)TwoUE(|!WdPd*u(+K6W;A^BKXCsFQH#Wx#28~Rey|Y)$P-W+p6qyu`A5K zA)tbq0e|@W3Z1x@FP|_@JLcV4>GfMdZ@c)>GP@N#C88zltb2(UAIJk)04YFK|K9}F zfA65;YP16}3|NFsEvdpxi3o(52-pC&j_x3f)uVr_+&}*5uAy3vTptR;w+`%RFuyG` zIs?QWLdYdO2rw4Nvu~F~mjPvL!;yW=h#^^4nS$J$mBI?;zdTuh3N`Zl6Fe*a?0~|qM}qd!1hBD3m`H<&Ir2Td;^&E zV=2dkj_slbQ!cZGMaBoNKe#}FU;@xULZSU5$Zsv>%^nr@?HhLb(&MEqrpF{td} z@lrz8$jZw4V!q>4=_|Da%tPs?Pqm;cctIr$K)(ApLut{Ii0kxGVvT-Kyowko{kU?!nuxNKRn4FbX3pBLS$X zsd)*kuaJkVK4Q_2%sAkJ%J;ME?@dPb)iL$|Jv;0_WF|C0<*aw77dR1ScYA*PujP*@ z#KiVrdc;_WF2ZZ}DqriLcETLpf9n{98X6p&tWJSjRFNf@;LVR`y~+ zv^^%2{J*)y?EhAy+Rw#Q+wN}{+9q3vg)A%g8Af>WE@ynty!X`RwX1cur#8}ZU6pwh z_F8;5%eCry7We)d?+IR~CXMoHMpH|ASSA9G8Qx-uemr>n!Gn?Iv^&GUP}>x+(>?io z>&Z&BQ?rNZ#8U-b{)kdi`E8x%bVf$jbxouzW;OU|MivM zH;YWfl^6fs-4`MWHR(e6&fX;dfBGG{ljW@<0656?6k;Y9zi~^{P&n)8KcehGsK#+|7u~;Ax$|)qInp>+j zFp7gALv7$Tau$OUzQqCYoc!!DC6WDq@~a)lww(TKMt|D?NwUxM@%G;GpNm4wt9kHo z)8&6_9u|iK=08^%b9Bv)$9<$x_H)XWG9rwK%Ry&C?Qr=dD$;_U_kZ^d-~T6s|G)Ff zPX*RT${)iP78a-}kMtZu?VOm%DK4j^t^^x4@;jmfyh#nM0p2?C3`ay z3ybzxzl(+=0pn0KcRa4bKZ^=*O5)--G5{YaA3ttmaDkox7vJ6>*e)&(Jcs3ha{tz^ zUly=;Ieou|;t}K#ohxaa|FD{9uQv|-oSi3x5;twmz#){2g~zs$QPTgEp`4?PVTplrlOr#AaBpPMU!yK()kwt}T zzyMnb;uXFD^hDWH3NI8YbGqqnkQvC4@6Gq&QLEg3|KrTejDn`7ao*5dT)K2FK*IS0 zjQQzVJ`GvgebdzOTl-jUzIS50LLJdKOs{d6JKLH7~ zJN@rodo#u#kd`1kp;P(gmF1^$*4-;ye~%DB4Zb{H|9TfV<>>?ltOb(L(I=xIE-oH_ zZrP2e@VVUGym@mPXl51I^9r6^{2N-n=OFQg{QN)t>ieDjJpA>bYbccckD2Nb9&SkT z>~LkS)Q)(Oy>Pb1KdJtke~3~YKYy*3?cw@xk`wnY)zkZZEc>j=^CvA!RdX~Z9*uZK z>>P4BZ^xz-H&?D~Jy$;1H$3!c#0S@(y1L{w^Li?kqGEFJO^3YN*jMed5(%SJsUp4d z7HMOZ^mXyg^>I@!^QmgGN(Z;DeQ$6P@7uF-^w-jcU@@N++E*?<=rbV(wc(iMOOuOky%4B};R^7Z= 
z@y&#(w0fF`uY+yOj|SPeBsa-zcpz>Y6=>{?C4)BSnEobEM9+l4*QKMQqmbhIutZl* z&ffLm(9D+1BQ8ou9Deb2(Mr&V#;lrj(wfdlYRDFvqv3laJDK&RKJQ-qDNx5Sb3QUDKR!z5-nO3`&vGyn zeBu3P>FsR(S9E_w0rI&IPY}FCoBJkWVX3QU+|_4&FlSU=BGij#pugE`x7tW&e%&WUV}+Ry zWwFhRdCTXW3I&T*Y@x0aSsvL6O%0;)#rPOnJ`x6K&(!$0$1-V8Ngj{>QL1~S_$sv< z$7%0wF1h*vJEIf!V#9OI8J#9(?u{q+mvjp)+6hd3y-jm+Xmpy`3y4Bb>f>XMPW;CS zo%HO8Np*;T!@f?XGiPqmI}98m#s{>aJkoL;De712u%BxToewwyWgQZe(|o^n{`YRD z$?Wzz@PXs-EBB%oiT>R>+#cs+1fLrRcs^~vvVE&z+Xs%oOe5*|;vMfVOMb4sTV}N= z>l_)LKka*Pa>y&X^U=Go^YQ200wN+9i32A;UmHS8btb=R6j~$T0YiA1DK~Qthvq7p zN6$g(dqiOnFAyen*A2v_174x=Di-z--~uIxNfDN-T7HyxcR~pG{(c>32+h4G~DysnJ=c@x+e z;H5Yi+o;@sPH4uH*e+hbel3>FBo3Qhwa`L`5PT3l#@e%ij~RsMr<+Q=S;oKUc#!5G z(%x0{1)Gp;!Lzq79f|u|A#2#{Pp^2{$UeR}bDwKt{JK;<^=>b#*E?4{K zbqR@w#3p|8=1n(2GawmZa->MX6%ugFcgKs{T%jp%$dTS;(Dd#~GJSX8Qz>TmGPcjr zi{mV@Eu*fbw)wFYHR>{FSTQynP!Qj>FI*JytmCzOAP2{ z(nta$gMC+kK1@vq#U-SqYIobVgpn&tN=g8o`uh5+VQR!79eeKzzP5c@bh(OPaMP!Gi}g&+?~tVr>D0_rO9Uhv!~^c&`BiQ#};N zaR{i|+?Bz$Z85N}90VKadI`EwKe{Z?I8eOG|8Q4#cmD?Msat?oOKSI{}6& z1$Ff}NTngT_ zQ{9K3NgWQ5N~ULtt&aX-@a^^{w&BOJhLy6;&tI@xDkIiSj^0WiT}#Oy5&OqJ1U^UQgsCbX}JM*Gp$3)<+8AyzzWEza}JPW#Vk&rmdyPpAsSPh?c7K>X9;-z=|Gjn;EjrkNf`p z`^Qn#M`^IM0(yyemu53b`oZ>qo5C*-~-srTMWfzye`Rk>5;Ic zmft+}!$Bumg|s#F&$ch-O$;<{$=nhN*BaI%5zR^GOX%WU_mzc0O;L{RZm>Y1qifvV z%yEAT7pXk*7y9#!daEO`sy$t}uttdj-@dpoxs;hL$e$XwCoZ1K4pjHm@v|7TIqoHY zSwOB9E~}W7Na^C4!u7l%^!4d1*x2A>Nw9X;pjJUc2AE0Gvs44W0p0PP(a0@W#*+S= zbLgJ^^BgnbxkG4# z4oOE%5Pq8e`qyPJQ}#=0&v?NKV^Q)w`pp{^Y%cpLhG zm5^Z}4pR8%j9<1T%7XPC!!aQ}@Ckd7Y!8y7m%n}bF=pPnaN|*`6At|yM0aj%WCeeK z0tz)bionyhk~u!aJPJ=AX(Hd`{BuPv2G}#T8&Ya4jOV>%BLE}PJN`U9Unn$J_`JJ$ zaH++JoP|JpTzv>eD#*WeBxJ+IPn;g>)~$n6%pceh4opnd4%U85>VddAI#n6~RILvz z3?LXdOD=mJtx9ZSwX=_Ytu#nq`P}Kz_tOQ#%97`zU;8)o-F~IndYDc3VR_P8v?Y;t zsiQr~ckZm@(0Fqmi33GpH7U!`?+70b8=AmKYY}Fc*tQ^c!t;Y2gc?OU;IIhk1A{i8 zn;(CX`jl&PQOZn|Cjr-8-@`ySJRp2RJTGt$J%k-pFO>ZaXPL)p9ttmOCwxIT&6%z@K92m&F8 z*FcCiMqz&9+V}S&q0Mj$lHn}8w2_MHWmwqhzbv0tGh>-$INyQ?39GibIS#WTS#j;x 
z4{;9dJPjE38h&z~t;96JqlwuAU*b{B6VV^i-q9~NoNhJ5egaCBkIz;lda9<>vi@+464HV<9aSKQ(HXJgJBR=JzTW!ppW z$bjJR#g?Lf9+4nM$7SQT~f`aGWN(u@+?F)nLwRLroFkUY# zENqx41EzU&^}I`FSu0Qn#A@B-_Y=wqD#7Wx8O=h;XE)qE0|bQiM`uMN(c9AEoWJ<6 zo)|}z^Jf%^-Hq63m6Eg)wy`O_L`ccUp*EcMYtA91XA$4uA12J+b0w@sQWeU^t*qtO z7}?nPr0Z#Ec6;%DZjW}YKQd@Mcp-y{uf9XW6UVu*1`s$mkXor#B`85oTfwO|<2Y@_ z80A40HaBV4c7h*G8E44BdBopy9V8aPp9>l^9pm=f)~@vN@reNQAW08bE-x}DXh6+x zal16(rG&K?DV@tsN=+>gXDEP3vo@Kbr@jZ?EEY!rM3bXg_8;By6o*^TJB?j{v4tpY z4M89=MFj~lb8+o7v$XsJ&*%HwocYqzKU{tMyggce<3{`0_pF14iDvoDf>pN5 zcCl4x%e_IJaXh%fjXo7g5wMUXsuSQk6zT_I=f_7G&zI%TxyghIav&(e?0=SNC$^Uc z$qQ7;<`xetm?L{$)g{ieaOJM4I=^n!@`Hj(iAS4f6=`0VnmwN1p{tA|BVg7o!#M^p zz-~JE^Ty^aTh{F6vF@uqZQJ6|6Lt@oc@qrOqV%KFjx?=e3r1E}Rt8I^D@dOPsBCWM zg#-r1-eYi9L6RU-0vo)$v08WD>`)C%spAP|PHYy29VEr!frZKLB$h^TwVdn8TGzj= zB5g)Bp8|v(GAbe>B0gq?{_xMAi-Z)(i{p3ZTifSbSFIvO-ZZ^(I_zE2rkQt9`xP4) z(%5qhP70`ucaBYAZCks51UxnO3KXt*R!>xL!>zxn_a#DL*R^Nj_q+y-LQcq=)z%x? zp!kT6JowgVXUaIKU}~&H*VsGurAAOSo+$iAqAHFjAxXFuC*Kf*`^0d260-WXty@VS z6OLH$?BF?kIPFT=c4CTOvx%NK`+|;Jl12w|ghE^HY+#uOOQ@rqH?wp#P~sRlCyN+* z0ef|iJR{MH_%p$PlG0*zxfLI=OG<~FR0T-YOI1Z+!=W9Ku;yDK0UDr2BajGL3PQnt zEO?jz%S^vIC!mRfNW!o-&39@qM4D#xGK0_VCFkRSROFlqLR-N+PWAe%Jy)dNgVT@{ zpjDHn0R;)nY=n{t4g_*y1tk3tVVKl#!R&m( zY1WGmLM8v;VnWj`YL04@q3QT0Qv8$B3nvDG*+fDi=QoHx=3-^70!SqeW+X@W4r5?6 zgIPa>EFMxxHk_0_IdVrPd*@Jjbqcmd z(0ynf2Vy~+uL90&0S9^O?Q@J+Z9@YKg1qjm19T|jTCX9vo!lIbzd+E-AJ7{|J;84? 
z@EP|*765_x1k^Et4wnT$CrgJoB8zqwYd=C@hR4ANt)BzDdw85+5E0&!cOa7 z4v=Er;d%%sXB^vAl3&}TEHA2APUo-QJ=Z@yW&Gw#GL6G0-NPkUk7)nQ(_|m*NVF=K z%&qrGniMwc7Qlw|Qpr_**E%9C@RU*(EE7HNntv*v>< zINmA2Si>~f?TW_07dL_J)c3g5mOE8zC}(vQH)JYwu_RdY4G%|ZRd%K%PRxR}5M>~& ztLTl-cdjbB-ZB~(ykH}l`YXCiqj7ZkGG8U-xLUK9`*kmTxjg@a1+)Mqd@b=6?LYg4 zJFeI>k^WqkjIvVShj{kL=qN4obs<(mRDSh-+qWG}kExrxSGI%eBynrejxTXwH)o={ z`)?;wOAilKo%Q}9CGE?2_txojYn#67md|9U?$ny)EjS^uQ*K-*E|`L~+axSwPi$2X zHuFf44V9~^H9T=%F+n0SDLGHoQf|%Wjekfpdk@60N=PKfWt4>{zLr_F;^xaras!W+%v$en zh|772mmU%4`E+}-E~`tb@ccs_#dRg(eWv{iE=kI7PjRm=!PNyHiRN9v%_ClVC?dwy z$0oojJ<+#LukOvjy1wB-@8~%7wxPBjF5q&?qd%4sV7QgHRrqv^s=DxJuLOuWM_Gx=|_go{d~uxa7{?tLOEDJD6YIIQGz-kmDBlfl{nf*>nCm0=YgKxQbTs zH~D!)90Ttqp0a5?M$P}y>!-egdxcA4SbtgBkcR_u$-e3O7EW3MB-_yuMMq0}fBcv- z2PiK6Lc(Wli<`TXQ3jR54^aR*6YJgud*kbbySSz4;kN*u81E=;g_qe zYB|_`Lw0?!eQekv<9c=?fzD61D+9fgN|nHUa?%KD3x)bO=(V#d0REs11PvIM zgPfd7hK9X-+vI?oNnnL}wj$_wIE+;W=&2))V)R!5%~?vgG!1o?{nADRvrvHM}6^B5W|0d-}W-wi7pXdu_GmnrChO3j{(y z$ipNP>Jh1IZqv=a^Ha;b~!>%&JSA@TC=@oUl_JpEIjO6{xh`P}Nl=!E%0=ijhWbUf1k_XJ4(jZZ=YRtyWFyM2`(P)MJoEnzSbLPhX;I*te^k5x|W>WIAx*K=Cq* zn?aPSzN4jDlKevnylHO3$yx$VB6iR%=b5VBsN)(va>zPDjKU<_az8fdD_K`6@9p$2 z<$Fg=FUtW5a$;R4eiB=F$>So+K_k3j=o@iuI-=l^nP=3N4WlOTSSYTB%KR}Q?Z==W zHM@0NCfS&fUJ?IHC7e<0A;h{_Jl;_xh=o#F{F& zzV&i=NCNmp5(G)VkuMF{vkVWHfs>Ju(R5mIk;F+6i|2tf!@$(k9&Xm2x)^vNCQaI1 zlMEvY@PM-y2)j~PINf4zE!zytKtzF7649QLvlkp3+=?|T5ei7A*MQN!GbrXI$wzFf z!gZ4Do#~O+gM$Ii-~CNi-nS}u+76YYQA+jtTp& z$8Jk{YFpWmvD<9yfPimTzS=+e!^GIor_NnA1&+Y6Ng~`r~PKUqPIAo$`EGE=lV*@^= z#}I?ON1WioH+gv#P@m(%gJDC9!E|YfpQ2+_)m|0Sw;)S%Dc{EXJ1`qS(+5gJ1#YBq7NO&)Z9nu)uYF8Pine5F6x}pr$nW9wqaN2Ebcy59r!i+{=s~ z*3ZT#PcRzIv52c*3#c23~VIk6Dzbh zGOgK0w=w~6FItN+5BNpXiISp(*e(p*q85*9aiuzQ(G)??qV8vQZ{F0=9{QlfIYU46 zrn$aTj-&M(ZybC_ncY~nYpd6FBhy8Xg1^lk6Sl0DAjE}dK5AKt;C z$N!kq^h1M1aL&Dqo5_nmD)ux9Zy$8{v}<^)P0!ToeQv{NxV~BJh|{8Gd0V_9ZRpf! 
z>bMdjy2$gD#fz3|-|swUL`25KjAYYggu`-9cS)tJP^nbXABNjDdKx2}QfZo_Wb)G9 zXW%YF4mSN~vmLe)cqUPYO*M|V&}_!6SROrBTlxiG*?YQ-#1q5j$cjh|dG|5ShAftJ zQXP)e|B^@PAZ?)OmZ~Gj1w^?(G-)c~nk4UrH%$Rccytz>YA?OpGpw#&k1H$m@33tB zHOi7)jw+*#-LD!-5mpzg&y4nxsRt=aH+odWN62L zt0NT?AJ>=fv0mc0`Qn0&fEa^#*U;007m?s{TvRWP$<}&XbHnTZ{@I}%7$#}9LaDO zR*(ga4TWZ?%%1Z*W`hQ~2r46aHJIyT?|Zqqx#PTy7%mJ6))oobcFkCE={HzZb#w=} zL)w~jY+*y8QCS?IRPXW9SRzz;a(#C3L;8AOx9kf z=e!_0ky~Nr8(`(QC27vg+}C%#lc|^FQoJO{Vx_~ave>91^M)o}p?rv8e=0Ub@(ofe@rYWbz#`{Unzdwa$K`(4l4Doh{U+ByDs>2P8! zNdT)kAL6DRNb57Z_ULt4O~b-o13!)U_~VaD#kTnm^%6Z-9Z~w5e{$W%s8P+auaEL5 z*VpSYF2BlW;r8YO4p-Ys4Ky=j)&+KWN3q94N>7a*1vHy_MdkoF_Oo!)htxci48I$t zH6C69O$IG)(j@vV&6@;e_E?JFwcj+|ot&9bcRb~ntf}2jwj_Vq;8n2pOyc9gIn!em z$4lCByJ^Oxtv!?AA%_65$_j9U$LM~oXSeZ52?>>}rmPd;jP_LE&7Cf?;7-~XakRSB zbBC>dOU+rQ_WeQIVxnf&hUT;yOu4GM5qiNbaClg;&{qe&7H7GL zzk1-dPhPn@E-CA<4HdXfQ-4r;_yzkd0 zU;LT0KIZ%`dgAq|$Mrg$>UGC&9jf!XJI(#&=o21yG-Sn6Kl`6;HUGNby3bJ>vn}zU-lAAZ* zOTDUpxcqGxZJjR)Lwk^S^HU%gEli6Ga-W3?#~u(y_Jdj!e2~=La$kP9@lS7q1j>NG zXzUs4KO%YLES?0oJ%1+?&kh0^a9gn`;>h7ijM1N2WCsJh~5Hd zt1RY&KPVjCqQ427DNQ85n-&Fp&kfUmocey=`#a=RDoP_I2ThgjGK>6+!uhP-oHv-> zXDIeTV`v{K2uMEJcxG-$%`4hBLE(}=2gM?4ioM|$pX&5lD{6hMepBRZ8~0?%WG7_> z`ha(25l8$ZFECEv|ABv!NCi;h2JbDZZsA*vQ=|uvw1&M#gbhf`g%_nCRd}b9@dAW? zSO=sv1rH!{g~f|a;+7!G|E5432CHbDLh-@*=rHS9q)-JVb25cR-1Lx~xMy#4?q$Ye zN_B`nn_z}f1YFA+#5XFUFf62}PJNP=*IC2;GigodYC)Yzi9=RC>0?`kszMZg-c6%d zPurn0D>+I7J%%6}L@5Dd-|4dY^k?B+HBS8?ME3@3u9M84lo?R4LoCzr=3H~xLk-hXMN{b9m- zZWZ@G)}Uog5Q&}hh8Lpe-#z5N|1->>2sylZu&6()_R#;|ezX^SEgSf)MOFRO^z73r&9CLH>H% z&ksl+OYWW4(+4f+x@TKqhtEVD`vcE*Q=A=X3HMAT|1V! zdzYR2kAyAyuY?B;qQ+R3eLTC(amMtQAO5K;Qc}LSS8f6|`PYZyz^xVaDsu%jxQ51* zcJ-Xq*}hmN^w*!|s$C!R`cb~{$36e8zbt)F_pr`u++RN(|KbDgPl?{)l}CX4OOK<0 q6^iEOC+hJ#@;5P&{p~Y1zW&zogs;EaG|62q!FuAf3F-fIU-h5SWRV*H literal 0 HcmV?d00001 
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/media/exampleDeploymentOutput.png b/dependencies/infra-as-code/bicep/modules/policy/definitions/media/exampleDeploymentOutput.png new file mode 100644 index 0000000000000000000000000000000000000000..6c73f3860c44b1486790c76ce603e2ebc4db6ca4 GIT binary patch literal 251847 zcmb@u1yEc|*Dg$ghY*4Umjrir4Z(xE>);N9Yk&k20)x9ISP1TJ!C_#6yTbqh1{q+2 z-^uyTdC&X*b*paOs@ql6-m_N~&_0JJ{Gy8PS9e>-bPmUZN<; zO6&M#AFc%YC12z`JlMT_A5RyLmiYYHql4$PRLXP69RQlU%$Jd& zGNc(KQR!4^3!B>IM!XN`f`^2L`&q|P;r~}jK=C>_eD?9b$`B$dT$%R23IR8In(TiS zdW$EVpZ=?YVt2S$8|uFm##&r8NV_PhRIjVCA}@~~b%znIX*PF7b{*E9PBeMvEX&|0 z(12c2F941Y)&6bg_u1w-S_pirGbHW`@*vTJ>Xz!O5hp9#T1n4JW-lc#b%Xu&NZ|b$ z70ShVH!)F9O@1fklV1vC9waM~e>yz*%9WIOTtXkg*lLFuheiL@vdLFxJ4oHxly-Yp zS7Tipt&4rH6dn{hO7~dwvLkewd*>l!YFvT*pNPI9U4Ib~gRBa$nfj1xUKGrQ6O&9-9XNe35{!BvxDF5NI*~>(T8C*bQ zh8{X{PjQ^y*bYAqrS+N3`36^dDA9ZKc4tB$5}cRSNFhmX;Fx zGj&YT($ep8fNKI8#`@}a3qVy6-Va!_p3poEfBr&aN(=peY}8cknp<0>-J=N@q>Axi zZnae$O8Fgn7BI7=}8EW`59 zuOTMf(QOy6Fz5|8dKGa}^9h@q%9(hjz9^88ok*!bUvee#HD zcIMVEdPc|LO{!mHHlV1?D}%}KlSwq(b)`KjiqZTxdp?2xh{<1O@y9e;-m6lQj{}mn z(uMiO^S7EPzu8QlMI0@aqC7oXDp&yAdwhHRF^cNOP?`qj($hi$*!<}}CoXw^&x0Ze zp?cg+n8mu_ncrx-h?_job&%9+a<}Z6pITAmU3u@r7^vp>8H8t~v8*P6t;6p`!kA#9 z1Kx`sILxchD4j3KWrXj`a4)?H@uEVX(6p8n)HwN`LUsyLc_}03krB9V`~Bwrt4n{3 z*>TH?e+8|ANSjL5jeuvJR)+eEj7ILwQD@f$(FM$38F|G0?9SyLHos--W|coRFMDWe zm_Wgvf9&|F1Ii4pj>h0^30^|S7Jr6z&RhWxssjrTSlv-{z_5;EyM+8pR6r`{Jf30c zH~>(++t)mB7*g)Q8PoD`$&X#C*{3fC4U9cd)F#ew=-k~cPl39=JFw2%)g+~pY z-Y-7jL$|cczQegEJ}2xtVr%}7*?1-xT~{w_D~OBd3G-(o2U5JIG;xq|u%@AY-0t~y z&9KMOY95rdr+VFWRS(0#>k8twK5+Qh>H&jZ{xs=PZ*zOjO@lw|dG5RpcK4RhIq--N z>a+RtL=9(CJVZu{I*W4m+L?(%YVQfRgrEor+45;$@rW88FM0r^>9TDG8vQImW4fMw zmHk~Iw_ij0%iYFhc7xXZdHj4LoZyR z*|}uKl0CI{a70xmG055a$V4(U&StBhRO>eZ{#Z!|?D;Z~ue39}kQf3mD~=Qbjgi@pY32K30x&U1`IgVv26%yO^HN{jza;#W>ivq|W^# zB)&shCg@VS=Z|l$y`(C)SZf-bM~rFCH7Y=t=RYA``k&(P%L-MN>h2_HG|WiUH+Xlav{;nU#y?aKbKM%gfA_xof)swgqn^;hv_$8QVO4%ww*&Lvw0+?w%|gT 
zKBAdCZn-^l1yXTcp5tY>0%z59bWHeTiBC%G038*?D#ZN1(&I!6|_v7uiGUbkU)uDw9Z^L z=m4eYNsR{T%y+`6rdi57ZAr<3RcS@2zoB6HfJh9?H|%ifDfrIF>uP3+=4$u_`Zzx7 z>TI(Ge)}+cY*&AvivGcd$9g~(b^NkSJ;~t-z0I+(DirLlU;z%wDXp<~&s5PSHoSCH zn4K(d+_QTpzlaE2p+@UF|3q7^|84GWfJY*{ZHh@W@#Bfv{CB5nA=P(Qg~6eNm}#D- zEUtFLqc@rUHq@B12!MhQbDcu%Ja|PF&9ELy= z`K~gzx}>|vXAJb73Bs8BxHC>MJ^Y06`eO@pw~&(}V{V7Fo+mKF+US(eyIxihqxC(t z+~DDX?S3IoZ#%?J6!g#MeeMESTLjCUSQ{S)&>BurZY7SV{$!m?9^t&5n%~d>|7Y2!nr(o)Ga_Ld=DQm{cw|&8sMnf z74t4zq;6DSW5NVfNtcf5DW4^OnU+x0xbvC=Ingm3n2x3hS-WLC(=W?bQHoCNUv_`4 zW3B)Eygh{RRwBvrBcllUW>RAHE`7@pOEhM6&E=BcS(NBkp%xh#7S_e%q07@5%+Rn` zZksY6n`Q)a32EMl%g4_Wy?0cbctt>p+|6_j`NnKuK_|@kSQi}o-Z*~AwWzGO9Bex0 zR6BfG7)^HlXc7LoqS6E@=Z%36RC5)^LID?tO6~~Qm|2OPVl`j04vyK#!A0X-yexx_ zU#R57c!sis5)I)K8<>#nZL?w}+*w3CeYNKuLZGnqBUY+f>_+Ploam^r<{+HTl>K0Q z)Xz)D*N4bpg?8FZ4#6NXkukX>l^vL5PaZ^wpTHQ#@NPq9Gb7}Vd3E^`eTvD1>~}v1 zw!M&6p4`mIuZOqA<$X7JcCtAR>tnEm$iw_mp&8*td7X{XHaB3*{=a$)P6lf~ z^n(e6HWEa3c2ReIF;Bx;C*4_$(Q-A-X~_#+u-Oul62wf~ymEmZ#kygtug3}ywwvv8 zwPl*eNIsWmoVysdth9*bGFCn?8T7*lTueH>%0yMp+I{AM-U|*!?sBu<>c2-VobaFx zU9FR%8ZMk;%n(~^CXu)MBH3T+MF$c#wg%)&IX-=*T?ycMu_>Wqh$&$?>olFbsU&6fQ)grJs!@2?`=F7CO?Vg5l zZSgiwt%VP99;#H45=WF7IFw<$0NA40)}o>Gc*wSGQR4n_ay>P@-@>6wr`Y1_w&P>f zCfAj{)eZ{j`?Ba(&=LNjlq~h`{D#O@zZm(wm<&P3?5cHDW+&OgBw!3srR2S#lsUG-83zql^ z$3?-IS-046qvzQAXVBS|FmrH94{ub;XR0dy8bMIKw3J+kFzdpJG_LQ89U2IEw#k~x zGkeit)Z+I{JuYfXK?2fH`>Q|az6%)GX)|>qeS2%C-F)!dOpw1N5{V0uA%Xh}_hEts%F(-rS@S zXp4+V9%Ad521o_(D}Jkwp&iKE4A0J)D@R?Xf%6 zLew+l@(H>S@gX}diA;hnIslHEa0^vQmMZ zgV046)fJe|jjA|WD0o;r($jB4I%RW8@NKrvp~z`7hvJw!#wS%-~}lZ_>76 za<_2}qoW%Q1!4_A?(FIt z%psRhd^J!5O|-*UC|@8x#ECr`f0+fpZZRyKue$|JSB03(8u4aJh33L{x%`G@&U_Bh z$Afpf-hb;8)bwejh;Z_*yWO zvyc~v`9ZiglYG3+bxYE91uEXy9x2e%k^W+CCBuwF<+=|oH8zf(K^&_Z_{*BZ-;EMF zQAJK!ar=#i4YsEokOzDJ_@Z&jS_=44{9Uts>Ixa8L#gMz4=Oo1^P;H|^ni)kL)j*V zR*EU5sGn(`=UWwD3TJxEA4GV~ma_Y_TwwYXHbQPdFyJi{0K^d}2R?09a?IsPL$5M0 z6q|e#!b+4*5|ee*Ip$~He8Wzs)%!_mYfpXR8=Bto;-KdEad=L2EunQqX@0)T{YM$u 
z!ZBQ$!?x6glUE$Kn8H3N`k9=*7lk#&IeK~=3&V^kw9TVB@?#uqbhAIE@M0JyT7tF9 zKlB~x3AQw5RiP#wr}t8BJ+vJ!3`w{NKe)hC1a{cJ2ssAfRykLBWQTqTq|q8s_egmw zR(pj@>{{jEsoHd8HlUrj*<4v>KAz~PAlTLOV+*zUpgBb!M6tk>;_T;vT1AO)UPEMG z{YvBN9M}zRLprca0wKw8{YL%xL_w_R@s<=Suasm8&0m^{)jNRGnWonRljk91qu+wX za*hJ65$SvfRvcgoSk(()=vIbr)QwqaUTD&tJk1L4O^`M9(N(rSY4=oR%R)D7L)&1V zhv`$2EB%ByqQeuTl9v)OlG1CrA;_kk-0=r^uF05wIW%zcZjh8Zu@xB(e$#w))_wo_ z1{u7bbZ70jEMh_$l4IV1G>MN-DXzVZW*3pZQnhxn-G<&Dhudd+(MVou%;|N;9Lml8 zx0g-AnL$&)b;j%iyq(>`L_7_><5ZOz+lCj&Pz$1DBZ-1b)c%C%h>35YJ%@3$)|%#< z-TixuC(Dl&1Z~AvKAVcjD|KKr?GBC^xz#&;S=VKgE>pdU=G@%y=ocZdEw=Jye4$5_ zmQcM)+7^45ja*thpxvut1j-AWi{JOaEn6Zg+E5c#I8ZCYTu)A8l?+%yF4dHQazW&; zM_4AQy8jcoEXNTxx@i8m-*mYH9u;5tP%95sv=AK?&{KD#x8+>d?b_Q5t1IF?Y~&r2 zlM8EyUVdG2oU8RKl55Z@ln0Iq1b>;w-xwh!Qxm_~4)xDf>4H4{F_e?jcU$;UEhW!Z z&H=UWebVx%m*N{?2e~M+)9hG+mq*Z^b}^phpNpcihu?Os{YWzkXbsLs!?K4tc36zf z^}x|vsq1w_&f+7Bz>ajG8m3_s**YIr0A)KZmwiW-EAx6q^$*!FT@U) zJ-zuIrt6?nqHp7-H3NtON-h{W;&Q&OFfC~6t{M0YYirR=-k{pp8T2S!>zr@37P|9l zTblB88_ouMhIbwn$+)fA^58~dJft>A`my2KMMwAWM9e*cJCC>gD zEf1ztbOTDJQ!)eDdm4yw0&;ZqoO@HnaU#9++9M`lP|0D-85ju)UcO zmfkzU<}SItrg*qX(L&C~5M#4rg(GiaH3PNQfA__@Eq3_x?z+L<@M-s2P!4Y8gPVCz zZDLKiNl*d&I&i^#dJ{mE|HOyyL&|3gRK-#8o99ANBF@$uosYyj{K{`4ZY3xTn{WTJ;nHl+uYh+$ks#4E4^oolE9kNorLN4XNEVU;2R3Nca)oOm(5o4BUV>6< zvmSvx8uNs$P*~7Ghd)v=zyD#lMAuSL8&r%!ekOdFLLc4EaLE-bTma*nA3X6cWO+bP zm}Td#YtmMgKHRPmx=1mv(Ex6;N=e@OPy4TJ=e5L8 z%|#}N@FbVq6Tf-Gtf8ymx}hYwN$=G8l#%*lR}EK_?3;cVuY9}bqQ_Zdo%3~?-=y{p z@54-lxRFm-a>7KR2grAg(|46pP>b^zxr@P*jYczenP{^G8MBG<_qsh;?O!5ZOTd%f zDAACi_m_kP=sA1cqmokf7KdVoMFynaSA@rPlcC|LXliEARm*a#n^7nQ$xx|tJPhz~ zig z^+|og@RU@BX3Y|nO~*AmFfCV4KyHv${;4sxCduwaI_g81qxp0)(N}aopJDRKECv)KDJv%k#(O# zbGzAGjv#{8I+F0DmUUc?s<<_N?9yAcIznkmI*!h7%LpwXQ`vnAAO)w~P5@=T6@;23DdF0Kmj9ahu zZiEjcYKz6JPHA1y2A8Gg{vmw)6=>c7D~N1`+|1wMMOC^GuGFJHQ5+RTi`_8m@@Tr; z^W6lML{f?#M!MgV1Sx`VtuXyVn~$BwD^F&)Xeyf%O4!ycHWGDRZMK6zOP~AjQS5?{uH^~a^XAFWa#+qIqlWcxf;_1LWT=j^Ky_~`e&3nLRjZ=u9q<=>=n2b44>p08` 
z^Dp4x-mXmCQk@N}@W8O7ItH(C(M5=POj4C+qk#m{oK-GGqx9Zh_9vayF^c_h(49?; z&v1P!IHq3Irrx4|`V&_e(TyzY(=ksVuYhCL6KwYNsb-7qu*Kc2@6vYr!CA*wsM|!@XRxzX`eU-q5~hNWu=VV z(jy3fQaT_T%kZ#()R4GvOPA7I>hn#Lq$4EL>~%aF>$(!oTqZnzh2xW$bWOO(_dfrn z!n^(34>;NNy6~Bv-fR&dD4x0p3H-z0B%FR@7T-&vAR+ZYckJlKY-mB*mSS5umpXyG zeJ}_5Qcrz!293`zu6i4{U;g}VQeu-^e&@fKE0tqkJt%aL*0d*gxGcm7m3Al{qy9`P zFW0FB-_Z6Bw-e6>9r|VYz%8h$2xNl|84#WNYl25}vuArwgC2Ob=I(6d^t6*N4#f<5 z_{s#&hO#M4rRfWZR!91QM!|Pwp@JXU%$CPV6mkslC1=q+%cc2$=n{|Bq{g{1466U! zL{Y1|MYFGLo=9M6u%kn?Hz$?QC}L#V=2ME8$yklZU5@G#Cw4U?XP%FSY7Ah#rd+ti zz%j3@J+oU6T%Kh#rnJFpg7<5(rQC-TAste2Fx-^3stEBpW48mi?T6ckAqb*Nfi4c- zOFj_#VZ0|dOs|{&L0MjIbcR8(2|Hn4+9M-si02Jr%DU9!Eed5jzLHq0b@=_#=wXZ) zN%8HI$K-Ex^gylz%tDxFRTvuoM3>1PW8y} zE4exd^ooP{o14A&^8q9~s6#2Pv9LTr zT3J5BJ-Lb7! zLt#j&|J3TNGY58)1ELhNqtiX>mt4akWdxDFj=mCA@U86`6)+xnGjj4IwPP0ikl>y2 z6_{+bbUq+2DR4=(GF%*dS}4q?NdTam*Re8zjC>cmz5M`r5s@CWJo0@krE*Kix$<1h zZuRCxdS5e^-8y}@hmc?&G9*GYx{2@x#mBuiIT)Cn7g{s&>}oa*>_gGIJhF*M_!Q!W zw2v#{c@dCm<-O6u_DHfL4Biya+a9U^#HV%ObRU{S4fwTWKnqzSRTZnuwFo<+@bdvW z-2>_qacQR0M<~hf8a?{lB2$t4hT@z}c|RZ|-wmSV9hjjU=KWr26z>el#WOm=NE<1? 
zc^ik8u-TY;qs!aI(pQ_SiVLYG0vZ;o%e+ zYsAkriZ=v83A(l0oQA0hq}|93;5++Jbre>g?EIG;2{F@;k|D9yF8%&*06&yCA2NrJ z{l$9aT{YR8RImUO5ySMymH!h41-!X%NOdj6++^{qCMgnAOE9MbcPL4?C&x!bBWY%N zh8m%Bq7S<9&ihBqs!bJ>Zm*rwDjp?I6-aBS6u*ur51^Vy`(Gd*%MX2%}vx~3k!ZfVQ*M`p^uOFTCkla zgN7uxtZfa_fqAiZ=DbI~sju6v?Eox>wPAscV&fU&%LsGFpP}q{Yf<~6_{-kr2W_yS z+QoGPwvlDTNbK^~lcyq$rnubu&vFM0M{rNTC~vd*!-ti9M5{<3?P8lb2N!+-%W*4% zolI1PVg8SB5xY-;?TCY^IX%t9$@=BYK(ZD;D2I==2*WjbQ=C8;fx^>wY31~*9)PS^ z^eO@lr}=-h0KsL}y`Ps}6*!n1d3B|eF+7XqeOE&ajg7NNs`6;Qn7iXsafZUXuI+&7 zh{f*%yzhDkYYEuOQV+cv(s)Cj-~}4y9sEl6OHE1VEx(T2+2|j3_N(zwGo5qx?ED~t z=SK$ek7ZAy3&hhV5PS0{V}gHWcGjq-qR+x%XU#1=^{)318E2D3dMuWSwFnerg(*y!%A@8feIjFFZotK^&MRZ$6f1XJ=jfCp=R6IkR_wjGD|4pFg@q zg;ltiy~*+Em)3*&-(TwJPxunaw#rqWVZ9C=-U`!wSmX9DWdaW5)2>d{&Y`UA`VL`^yQU`Fj{27F;!3Q<;=@xqL~nwa%ZR zPUHCWCGP%Uv0+W20!EJ#MMfwy5RcPTEIp}7;b+?fI=J?e)^tUYY1*2$7n7 z5}8Xrk{aQQ{*fLELCL+<#QL&ws1pd0q=UJF1X964aQ4|2F z(N+!{@cgR04MJ8n^YoGn^J*m&lBnxKW01(1pNPv9qIQTnR^D~qvF>)1ubgw-z1V+7 z?d5#qgTzGJQTvTuK}(h{4U9i0G^GjX^4B>&qf$;oGhef;Z?CZ5kUU_V?1@| zoV??wRzAChhF!Kldzp>~TIiAB!fwqG!JlOH>9mQv5~rqu@7ZCaJ@sXs*#u%BH&)!( z{{^19<3U41C(|V|Q6qHH@yy_}fnme8v6gt{#lBOSL1dml#~)1hczU9zXm;<3G-3WI zdfH$34*de@Y&jEVtk9%mR9-=}B62!bQ}M;a2L$qBYD3;ZF1{=#;nSZBG382&;XABi z-AGsNDihoca#y?XIamhE~27gp6g)+>4=X0rw=pvNU zo&e*^+0fEjS?QiXj@j=VF~kcD88U$NMkgC=#IJQD(mMN*CY?E{ zUjhC|V@sZu6RiX}KNXQ+ThVt-{!bGU5% zPR2SUXjWHu>|2huxo&SkRi4#yIXyA~p2f1Lr?R0DcUtsk>0n*qTqa4-M>ddoSoe8j z=3Dua!6UYY)h`SZh73Q9EiF?3cm{&LBLVPzOLn-eUVX-d3+5cd2luO=VfCu^*oQvM zSJxEx2t`!%OOKGaqj-UT6+(pvlM#2_emFn9 zjMob0pF6#}#z6qw;!Bx~yrk&61hhm%3eT3?MMxliUgmq`)^y67GR@|<^L$|q1HQ+_ zwY80UYVC(Z`e|WM=jcDc+0P*j_qBnVw zX(&Fc1ApFQ6^qWLVUl;bg|Scbb8ue!;Y}ujDFBKGb|tIE;Tl@czwm1qZ68@_(#!rB zcBILWYh>k>5|$bHjpphtC)R!;knC|6E&?3?E%Y_F2&dE5Y}j9m^D})>#w#))VSRpj zzP|dD0e3a1sI04a4ro(;w2*e&wrLW^Bs2z=m?;?!g1%Ia^Riox`;oaH+lI#~lhMT% znK<=|LljcJ?S%#R?LU#Wv4>-dvHY1cDyyB6l5-mWzwB?a@^2|z&I&GmLLt3*SXn<7xe>L*`m7c3=FghV=CpX`KLPDJ8H3v2_LALDkv1FNZwtKQ6Y7eMDYe?2R 
z)JoWFQQ|&o77gBgEVmR**6}@C5_ny6_(ih)X|||gueQ^(x@ioe6!>0TWPIQO_lR4> z^!v$>yE|wW%po7*c|f8-Nhzg9-75We4YE^cB=`Z4J9>n47BKuZ^Vp zKHmd~&gjWqj;|h)roD#2?yPB^1_eCI%@zxnlc6f3o|((F8M}U)$!PJx^O$=LC1sMUW4SDI2}3iV*0 zI>?9iJw)9ks8RcQ+@V8+W6(e2_2+mdlV9ui-xvPR!cd}r)oe)Anegr}tNgc#M>yXl zUFv*&m}EI^eA;qwNI09#{v3V8e0Fc%_dUv4kwaGdyC7==kqh_V^0;_C@joI(c1NudHE*DK(A9KMZjyI$h1*l%BuL`_^bi=Bl%GFK{##F8S;2 zTHYBiBNuZ~{tCr+>($3>%A-`rPxKns#FPKDC0#Q&*A7`M8rE|fyVI?n1ZH#m7MEfZ zxHBuWHY3TU`+HPd&XM@ZGXYGdJP^2L=g{IXRczT{#07ihqQdQ5b$+jLS@*WK%xI}i zStAOaQPjK)#?fn+Vm%m{U{i4=4bG4vLljzdF;$vY=6IH&2daHvaytHPQGE_rNcVB5 zoiPdwEsCRYCO;6dHJL{6f^0-eO?^Or58L+SUt`AHJ>AH8{mSLVb8Q97q^`v(%YCS5 zExV=5H1gLvx}fB*kBZjHGbXu~(n0J}v+G;Vc%d$MmM&uGb&GGa(73~rjWOdXfS}1U z!C&cr+mE6cHVmnP4qEfaNQSlCxJo_*2_Yx#J7M69Z{(@a5WvVGHY4H{4xEtk`0Z)~ z@7G!`Cy{}tY_Cb3fQd@}b0Z&*aNliJ!Gu=GH(ISeIplc+$>Rj@yDajr1{`ppuoEl4 zv-=P)!1A6fYjlV_NjAEs<(BB+qwT`b@z9d9=xv==xLFmjLm=+Ue!9eHNH@5pHSZ95<&^U!Iaf5jLSLSodb*oDc91sH&8Cohw4+=3+r z53*oFib7fNNPE}7SC#~z3q*5DwoE#DEZPJoH(@ltW{ zr7z8ucJE{m1&eQS0Ojs6H6OH@rrp(XDhT4AeJpsX*3tz=$}iA|2aMw&6A0g#t<`Ww zfD+AGobg*w3(Xdipo_ja_V~vmK$(F`g}9_-Dv_1X4Oo}&Rg(mi$!QEC4jy?rcMTBe z_(sOxwJRtw9`HO-5WTEwnC1aU^T0{h#U*3jXp6Ka`c}j+W7}1=^i9c?k9leuq5w9B z`sH(30!!B=C<@Pg0=b`QoG_Go$1Vgv%?0=zN*x-xMM50c)e5ZjrE0&EFP&3%1zX1+ zY;5o zOI6FJ6D1(AMv6#P)DqPB8=GAKSe#O851M`XZy$_}6TaZ!0@CiOI9+=nK* zc-tG$kvCuw!Sk@s(adSG-Em=v>z|6HaAJi_7wa~Z18q`;M-s@kOr65cPf=CEVr+F5 zn7u>fE4#HQf}%L@sS)i}TEpM#{m~%e88GAB;KljfZWx{0+f@k_pK?2q_HI~B`&{g? 
zDytI*Zt-!3UFda!6?LH9vbifjQrb*KxQTxKHrNBS9Hq6=xz#zB#>c`1ID6DK#qoEirGMwu`k%q?3Q4C}P4vV(% zOjx%JkoVkz_Zab(Rt65l z?J^w3wOx-6@M9dzW^;8aTK4;+ zjBc0#$)Ce5JW*Zy>ylp<4u%14d+3?2C9BSbiHy2l*|*)~mecuV&oTZDJ)@LZ#bSXHB^O_oQ9k{V+3J$ime$Er(p7gYO zb``+zVmJRg2p`88CdO{}t{K$TWp89O-E(?FYg0IQ*+*UZI^$U6!h>@i3q(!lrjHAE z`{2zGpS931SNFHzKA}>nharK6RSJ(K7=!=zmz<{xcS}ZUw{p0@M@<+*lyL1pp2cb< z@7pFBn2Z^9CUU#Ix;h>jQS!#frF0rVEA}uYY~w5VVqsHLYMs7|>N+T6w%LtEY@_-l z2$!UbATXYqaIDt(xF@C&i<@kLsq%p43iReAqd$>=<}rg^$FlZ)xa$~Osk8g|E8)i~ zrQksxgfttrFp4`5B9*SLmv3mj8SjZyZ^pu=lS_W8W7e@o8O+12i)4f<&!P6X?$&7| zSmz98S^LShD($Z^VL5$ev460eyFY(3DkK$lpH4l7c5wTU@OnUTx7D)1l4^t9X{_Tf z=`7M}qzwMDn3SJc#>=zvJ({zly`PRr`JUW*du0crM<LZwfdgY z6KF#RCBy7vL%QKC;xz?%k#-dtGK;ZQz!)i^bm|Pig*Oe<*>yWgx?i)Jl`yemL)8L> zR9Kht*o}K;!_Qm_RUB1|bN)sLxA92ixs5rhW98h#v)jl$3#B*rx|AEKAfDADZcEF4 zQeB@sF5A-FpU1beO8vV#LR388*kO^#FS=Bzmq8puF zi3!9=%5v)Tk(xF7MNV@Vr)2B)Aq5|*<-;>kDWGS>7=E>I$85T8X3KRjj>1-HRf*dl~20A_6^}AAFQQJw}T}u{iZxPDi2(prx{oj>m6D; z3`r>`N^i=aC;N$ogfO4sxrcIR9#ePZgk!6RKJ87CW%O;VF%4!=J{vFLeMp{#gC*{Q z-aA0?al)wxech$^y&qIxFvI4?-U}Ko2NMemQ00$MuC| zzQxeDSTxiVgQqDfV>b7ncV8Sb@_$VU2HN?)+19dcT556M2tTkv9xa*xzMbldls^|t zlYOQP>n2*A9AE(bNbH(Bs;71_5XF$^uGy1 z{y%Y0xoL#*?AB5Z_1bE#>VJQui0Qbtt~G;cP$p>)Vf?p`NM01Rls)&qZ~eayrq+_y zCzrr+(TtN9BhU&#*Nuub1^ASd(bDhl|3-YYv}vi8G$sLJSwr6z;@t|a>){ut7LBaW z>1jh!YBxz7V#sm^(kF0O_>W3gZ_%bIl>lIYE({f+MJ=htr?@~NQM{T`-%nrKK zY&yNAsrwY;2o|rsKW!XfFInqa@mpOb`CZC_>Uh6|qK9Pj_%pbAXZrywwO@mfu*JAb z$VT_>9KBtt%vIG~HN%J+z-?#TaS;emkxyEPom;+nEEPKf^|uQg@NhlKx^|^b;%zNF za<-bVr(54TB@acNf|(6P#};Kf?V1JEo~k~}!yG>bOf^pWxK`vio9qQsE0pkf{8GQ# z4fT(FL4ojq1sMyOsBUbw8J>@*u>uBoZ5I6!+w#!g8s3%B@If>4YOR6Z2gV*4C{;Hz ztVUW&OwoBEP ztfN2`q3GHuj>}n4zXJNR@MSespZpXPJPXC0<62O<*f%K-TRZUcN~|dNvDH1=W}&v} zgjlHL2M1?e&E0p@RLST0ApEFsB*2m zHz@JpX;;hLr(=cGw0{hGh=I9TfXUcu5b%lW82Dhkjlw-vyN(n;24N9*VXCZ`no~Ha zBImqnXW6%F%zM0E2{^obi`N~#t=isO`TYWH1%PGVou55i{aAS_0Zd=%j}p-!nHhwf ztkYneAkaHQyXxh)rS5VCmO|G!=V0!H#3!>;xji{Ro#VTAx?J~SY?904d9bbsR7hu! 
zwvc>dYs;i*o;zu^iBQHi3@R}UzCV7j@hLNQ|CoJF>K1&Ko+feQ2i!NmdS425p7_^( zCiRS7nEZPFAgrj|OU`8@4^Q;(ecvTu`u~^Ky21#29IZV=12Ojb; zs%7sXnmLRcPx=VetNr0n(0+PUr77`o<3Wqt(we`Uo3dJFw|1qc=lGl$o+zp^7tefy zn*hRe+I!jX!H+^e6qt9AuAZi1AJO@Ec|glfYPdaiHwRdKkrmo(ZuKDK>>}7UO2UTO zF@9unrXF~H(DItMppb3huHRLSQfis83ULn;qp4Cg3>jA0V)F`Nn&lELUQo`kfhmJx zinI^>uU=HV`Hw%FOp&;p2dHH7e?oTox47+SDo5o@9lQO-9tPK~PKN5e#ewxFD1qiD zHI)fSi+nHlaQS9RCAR~!#>(6GeHPeK3oVkU9Mek;TW{U9)xyegV&rA zij;f4C5IKpwYBS3X|kY}eiL4lepIaZ^+!xznTV;~sxN3VmaA^NiENo)GM1-cij?nq zaG4(-l6vdUq{}h%jm7jHXZOm1eQ|H+9b7l)bdm4Y7K*FVKCmz=K-jzw`_O(RaAHI4 zD+-~3bGdDL%N0QK0GaUg(0lksx7Zw%HskE`{!^54W1$KDb}!JRZ{CIw8KDV~muD*^ zH@GPoSX>Yz(gyDjMlmo4yHh{l=mi}K7rTGC35@W+X^A-Szic9_^v_B6kb=0L@Jg9? zfy*ZxVho#yTPz7b%a`!jdI?gX7(gC)BqJtpDCW!^J#*W>b3KgInZdr;ncw_4kg$#k zoRH6VWGW+BJrYHCi-1~22nMtDlhlY&$M95U@54X*G z#7I|NkF+}5x~xTQ55}E*4F_f3yG%6SDFm<`0n$NBPBryXN=I`U(Qn zQV%W`eG%-YRt!_~on%emB8RRJ0^&FZUe>IpThqbb`dvMMq4=!7ir|_FwI4L`Sa8)R zx$ko{Bd;TSXqQJx0sHDlO#j_2rW#v8*bVf4AkjZ{ZDlZ+3*rM?8o9Uv-Ze@ciDVhy zWULAE<`+veC6(Osw0U$Eh=&KBMNIQNVg$Z+K&kN4G zK1QyI4_uAJn^+kp!`l>?_0oez8{aierl{rvyCteE!3UdNXG*&4b1E6*=PZCvqK!%V zBzEq*Nm(XgN#8~X_<|R`CKZH#{gMNvgU=nNG9+EZhaaUbirrj{F2n0SluJpx8*WnD z&6Aha3U+6z;smchwC_mBPBDWtr;3ra4JhkG-Z>Sk`d(TR)r>WojYWx&EqfvO+OJP7 zNui{WbL`%YAvLqHmaM$-V6w8Rmpi4Z?5zhOXVEe((8zt279SLy;GRgSRfrT9T&1QA zX=FgNxB-!C5gYd5S2IC1mL>m^&zosgDBAki>^%s}F@|?bo~4pG2QHY(>OvfIf=410 zGY|oZ#k01i()%2Th^usbytDCrOw?AjDam<*#bry5UuAht0sAFg@b9sV3gSazC0V%} z9l2zK78IiJsi|Ud2dh*uflss z9LCnvxDW{qK3y|B-LMosV|>`%*l52nm)iX*BeL7Iz80D?mZd=HhRphBn?D>ts9bVH zz)Z*NCG@20Z(Y0Y-s;_+;#i1%peW18wFFf=+uf~YF9;{W)-U@$A88nqz1_5V*ATs> z5Oxo$pta7FqQfcg`5k!i9titXMyyWhnN2(6estU@ zwo88Q2PPT+j0!F{Fd0r}IIgpO8v|Sd=yY7Z6xwkvIVsu+;yFT??89%_GOm87bTbln zG$3DT9|jN7&`EU9;&mmC$yBBMh|hyRaD~1f&? 
zCs7{^LN277gDr$#4LIb9_mP0VgzwxAMzS`uex6Hv$lQj-&Xr#K zF`0$D_z$t)%!8R8kMy|V4I4!Qa9P(80mdP^TSLlfZik~>PD z%jQCQ5W=JFX?U}%K)yuo$)FAG=MCs&fYpI%C!p{2N4kv5RfiKLb|&|x+NrsF6kJ$Lka0_P$}u| z2I*3|2P8*gfT3aF_uzTYIq&!W@muTrW-VrB4Kw$1*WUNu*S_|C7>PMUL0}{F=VtsJ zZ4QEQ8dZLaXS_Bdo@ZcT9@;)Ty^--PP9a?WWAq$y+nNGlTgy`gp+Kg~S#wGt-7|J= z#LtZqy8NYhRcYlUS@Ki`^MXwsXl)~%*+Rt;bT_P`B*Yj4CJwv#>DbVT_j;tx)Jjga zoJIKdVqIy)d-0!hS3g3ab1Lb9!jG{oT7?mnN+1JAB;#qE8{uRjQBP=ZlYx`(%Z06O z&BU^!!2CA_Xx>aYuvQg>uHj!*5jE5(aS3L&>0rxUOq+L1Om#c_ z_U=tt*<1j@&v;@ZljOJhIxjv*QGYPQc%&42D)ZCvRSDe*k+x$=X8OPv>?ZLjq*i>g$0)kZ%Yy?ATN zoq%TKd6E;kS8}H58)-@(@Z;^9tkcV1-9$(lrT&RKr*^90?Dj1^cZp;bXt3LQ-BhlG zS0i|;4xK+tNFI}~-xwBmS&kXB`AlX#;afS>M`C?v_#hMhLA39yA^CFzEtwEue&u>T zyGfsl>6Us7$ACXa8DlClt@%GyW?Y1~M3X<8@XzkS z79RP}DAITH_((i%^IF!1;8BeGiqTcw>DdaS_qNz+#N@n|Ey7wfM1I7{%HfFf#;&M& zgD>&Hi>jXACsxmReI9T$%+?&*5qi~{EH6w%@jYtr_igZolW{)rc0q;F&olVF3|&$Z z5~#d1&z{Sa7`gG^z7t+aTrK?DzW^zW1k!4;4=$mpd!wb^N9sbd1kO>>uqn3ps6>>! zKHgRm8T;DXAd(Cr!HWkwQWD|h#%qL~*qLj4I?pG@75%S*YR3F?sbAiVJdIpgBE-l< zy>$tx;hBQ66_$$&9}hg|Ef@S{OX~2T?VSJGuo?CO4>4U=HckHGT+BA$qnuo}?F8iu z>4BYV3ICz5^oz|zpLu86&|UWDP@7FF6BBr%=pB;|zJgdScKq_j^YQ z-!Crvp{xGIt9$WYyK$(&UbE}x13?dJz1(B zI}VKYZMsgEpPlW9#W{++HO;Mkk4DvQIYndK{jfV-JAqIg99dSAV>~IhbDCh8>RDl_ zR^k1~7@5%zPNrK@l8bG6fuikze0F2FB1C4CZB171+sUFyNxU*a&=^-a2NdlH(_ifn zwMsK6{TtlK+eLq-?F=YwxBZ3bty3^S{@5S|uR5ac@@}CV4oIAP^L!-Y;vb?g({13$ z;o5G0pCafLp4F$QmE0ewbupj7R&$CkM0D#Ch$&-NnvvBVFVeSRux`n*zY;*p(^^b# ziMu|cS*)GY{T;RG8C9E6>Fx$@J!{4on}QD^Mq1|wnaIymfqc#kWys}J{f(h|jEH>n z_OgPn?^(c
meh%oEb~SRT0VRcDL)g9MWR6$9gyVg%?AYr)s1@UZs@Z`S(~c{HY= zuvY=5=^yv`}s$I>nql!1KytAi(Qd>k|oiZ(0oz z|8+m6-K3;JTX$;h$-8zB3tlp@%Vf-s#qJ6EhRP|+a)TbCYKu4?qXbKFbl=ELrhVa~ zJ;FU6BR1XP)~|I2H8j}eE!ws>5+7_KZ(Nh&P@WwRNJ#Ul>&?OO))V}oB;`%t)5P8h zq1l`LNU+h46OA-*{f*z3m(O%jku#Ei7?s0uwruc(6sSa@x7zB&NLIQ?)TQ=H^qgzsIR^EO}hDD9+W!ez;2Zaz+_eDP)HsfaF`aKhzb*F0E_7zB_&w zF@fS%Z1ddq2E)KEknRB+g>QmD4cFr))2G3=96>8S;^t7lXwU`WLAI2&_ajQF|LmPS z2_}Xk-{$3xpSdy(HZ>minN5bqU$9O?rb6sV`bIKwJdM1ucUKTR{d+{;%8{GTsrSl_ zg*kbmtW24g<{p$_kkrN6eZ;A9UDvHA^bJA;#o0NVvSHpmy;e~?oYhj^lTiHK@iB@X znOV_m16ho#E`FGZA3V>!)J9|+*Aqs<6)vYi0=3AK+cXw^>93i?kkWE33 zY`;g)*U3?n%DY}jbKD z3?f%#Za3IFE0_u+57qpy*c2&NIInN)aw$zG*7&M?y*^Bw#~|@dFdd81Df)g&Q%9g) z{Vhk5f+_aXDXfAEEqK)WX+3M7>+5F_&iv$4g5>;}J-%=B3N5n@eNS*D?%HwMfS}B* zhnBzmsX6O3ALL_)PjA)L*= zT2`Kr|9y_(#+?<20<6OHU3YH=QL7uFS5BZ@l>aJBmKA<)VUMaQIjs=xAFx$#D%`PSHzF91iZhrmHfEWZ}0plMv?1y*m$S*c0rdE0Iv>2tH^;VQS8 zmIc@na{rFYnPo@Q7y31~jp@Zik^nijwT;a(TWF7XSx;b(z!H6}>($QXv$31ob|3MQ@zsie=*ky&syuPiDSc@Z599a&QEeEdSD*v zi6+FR>o3C+(9zZi#Tt|G0x4fro2jAWj=b=B$w z-4x zer>C*ZlC4~j+yzXGV0Hxq+@!I!f%dqi1vpwFV)phqiX!#IvvWj`Sgkw3zf+or z*<3Dw8KVzpxbNd!Th9*eF-rNAV56GeE@DnwBoMB-yD)h3D#+2oEKn8o0j>~Z8`Tc$8ve|Lit}g0Sb-P^Ds4X(-!dEiTXY) zs%pEeFGzNAUi-v$%#I>1w|)0GeH zaj?8PTx{Bo-p$gH>*_dYS{FP(thp*u`FW$*%u8%Jf;H7t-gqgR2YY*ok`ao}RL?i| zXbf7J9pQF3TTqEV(SJh{mT-)~WMxX5cszq*cDgO$n>Iqe4=yDFS zJJ0dxo@ewIk!(0A&pOwt{awvJ{va?Ckb*8vreCTaGGszpb%&SP1px=~!K3iXb$Zql;0SU40g0wEY|}-5JNX8Z?&w zyV2%kLUdL@f3z1l9lAyZJ6Ky^*4G~hLuLRWQ;G^+ARGaa-VI5uP#%&?==*ZEEyM() z7Ko+>C65gGvZ-rN9_Wd$)qM%_`0|}_V^&@3)yNwYUS?y#i5b` zT=?A~0ovGfV@B_Ah6htmPsilay9gH#?9kwa1>N)EHTIwq>}|)KAC+h2U;o_(vOje5 z#`ASUgMlGCN~N?H6=gg^3XMgSbUjw72M*cs4 zMlJq7A-16Zr5Y;z57jXJU$p1GVLa~tDVh2He@bTl0M4er`vbhjef}S2^a)145a{ux9to-j-XqaqhK0rStsXg(O1*>o|GIrKMb{AzWOb@#+T()Ji8kqP~fz z^ncIfM1Tcq3a^IW0(Fwd<;t~Q-u+o_CDOv!@zBWS`{+Ih-^yWuNHUMb<@)0}OsQYt z+yjg4_H>*1_GsTu=dXo!x>tAZyEA1g(3lgl*L}V(D?cnf=nQt3W{1oC6lY@tE=JK` zKE$>xj@ndjW%x9%e$@j?ncZ+!?w)Pmago^DaoZYY{TGJLI*M^G0p!@B*LSh7rGbF# 
zhUQTJ!)4gdYj3`mP~8ta5j>e_(~d{^#JVEdz!;Vvkr+YJG-3ez@3!^pXh*uV95&Q2Bpo zyQ*-lP7E5>EjDt!*I^zV+3#+o@}%~PZ{mS&W?p0_9NdSfWc9RfcE_P-5i0k8;o|~D zs{tNP`#7{#2(s++{)U=GKb`B?dzq0Xvv%8x--UhFbJ&hCL`1!4Ks*iY>5^D;ce?q7 zdhQb1gN)r85g`RiK|_cpS7Z9O3UH1hmT_w>u7>S#e#c zhdC-cnBJbe+iTLCWpl==+0J{KWemT`iH~S=o%!CE_>4FEv4sIyn#3b~5i|BQslK~3 zDe=-TfmcM9Pux1RkZ0Yn8|_p!I6Y-6b96A7iMaO_0vjpc0~dhVU)eSwj(JW#N1R24 zG`1HuKO8b}zP~bNJ>2exS>Yx8ebKQlT=>soO$erEHF1C5E~7cW7NR>L>x`G^Sc8a( z45Z`YaGs4l7Hv5p>KOjub|-qrBp5B;z?%=BHq$g%_#U~0RVr#7S)`q0J7k+ad|l84 z@$XAG+E{+J;-s#rQQgAqKYVE+pH?{C&>ow|(>U{m38!48&{oOjoNwTD)Tk&tq$)YuAznl%m$|+ZW!Bno!Yzm ziR+HqxR{Y?F71sVsZU~RK?*TEJat~B&vuP4z`Pp@c(0w}HZaZsS^!(-oiJJpbLCHR2G zia=t&dK}g>Fm=kH1m`RJJ!iXB-MN&JGua5UELI5AQ+Dh ze$PKx%l(S+Imj@JbXeTdVsf!aK+(y9=Uu711xCh_jtZ)ZOq0S~+j|sdFiTD72uS@Q zgF9o(dRCg+wLzYVe6`kdo1r73<=qlLvVz87*~>k*3I{PA;r^Pf0L=rLG1qbIDUPcvOQ$L@j&ouT1qsSLFaC8JBEfzs219qqq&YT5(G2C8V7e(l`dT=1+ z%EY+gwA`iyjx2el9!rEWh}CALoi&L+A{H!or6B38CEgrX-psaNd^17u*16RsM#yv_ z=O->79FVXh0eZ5mK)j^(WlsYEMNc$z()z^mW`~E>i+=MI9=4HvEL_o>p{*5CT^7{( zHaVex&O$LjQ%%pz9B)^!)!Za-o@I(i+1arG(>t-SyYS)d;}jCwO>U|)zT_VuQ~`YRFgTzQ<}q*2FLDT z*`rU~pEKoPMLf4jv-G7YjO&%T`TgoOCzGKQ3vq9-Dah3&NvNky`9Bs^3#Q5DqE%RJ z62HQEz+}*s@d|y&ny*N3t{-Qd-@zA7Kj_#K-Ol96?8~##vlI@q$egZ{53qnJ ziPW_wY8;R2Cl(=W&i8YVO%G3aX9zzWe)*M%l()~_v;q3J<+}Fp+*(&%k}%uLnVjHE z-tb6y;))Y#*zF52NV3hL6WFBfSSJr{*PJdGls_r_`s6EpS$_!nf<~zJhC;k&uI#v`_|r3Cz21CoE%mbfZpEOmRi2gJc`EVtl2x)vfLrY2bVv(064nySK?f+ceURxl_gnRA_ zb=fnuSm~DVT>qhdPB;T%+zf1&JJ|WgVu_Z3|E0o}ZwEc115z^v$%Zuj8~_!&B4L*c zqR5v=78HEruj_wIiM%m>$}MF%b}MJl)x|-@F;y7eEO_u+1|+h3{IDA7>yAI)N)O7J z<8Lm@HbtcqEd8n12HgR-+0T#MM@Ya4^^?*&EE|RYhkBC{rY+13Pi%l1>K+MzM+3@ETuo$NpnEq|H z7Sizk3G&c57OhufjYWq@=j9Hu^ko`>^dX$jfTjxPiM;!CmtkA_dkAuL>Wql>+}p7n zp~t(U$aZ z`O<^&xKk3>bl#f0P1SZ6a!HcKJo_3AUfY6k8#Y=oe)wbg{*NefpSD~yWM7uFVjr?qSg5Ny^-f!*7!vL)3C|;V~JJ; zCu6C98@%m&9@gZ%iBVU_!%yybI`obl&`d>ZLrF|ghDSenYzLG~`|h(`w62{FC!}7! 
zO%O|o#TzeGRoPZY)Z(6yTq*h&FQ-X$mGIYve!FE};;L;7Qbr=5ge)tVdVTtJ`2<^CvOb`AZtsusrna&hd5>@^IyCS9byY zDBIjgBni*%y7qPs$#c(`8cSp_Z@fYddqu!on5Z#UYeRGE?@iP3-&U>mUid1ChB(B? z#W^j%#~AAO_!WMQ;AWFZ^z8V~yqB*WL}rT9WEcFk6~Gs$Px7#RJ8G*cuE~f#T%o3F zJC7Kl-5882t*P!39#zV5dV;BD1~*{koPLkJ`vLWX6WgxorVvVNIVvKE0A zlAG;Yi%tEEgN@JS|}~-UCSVkb?22y^Lc3)MHZL2wcgzDdyK9O6#mrT zf%lS%l%_rxH*%scc3)76`09Li%snxYFvJv^PzHg_bZk2Rd{scC6u_qUk z&V2b@R*n{XL{wFLV`qrXFhR;54TosP>NzrC+X2SwgaelcVARuyZqpzEr`^4&S2xZA z81V;NCqb%Jx2j)fh0wlQRI#uTU}{z;FNFEA5be2HunzLJkxkxi2}4S~M?*wL<&SKH zygMgDqqV^x2=k%@Fb30|EoIy8B0V#tV!>A`%o z%0X+34pE}1wuQH$Oj_lKy9swa(`*iJBa~4duS9`W7T>?&Pg)d)$)bf z9mffw$&XpIswL(9{4IUOpwmbyXA;(BO_tK(W{vSrO4%&jlY*yK#s9I$b6?uKL8bu1 z%^fW{2%#!!J*F4gJwLVFUBm2VewOJS(>n=)r@O~;U4Q`-hMDy+lgo?#lI>b!dj2_z zIARAM!*BeJ<+vjyj5E^qOETtmV?8op-1y798s3WhCNv2}NyP7A_U~eYI)l>WZw-Dq zN4h3Fsu>eVY@8Ypt=hhT_IKlnYoPGS@6+$!UU!7mn)G^tpONvFnq9VC3dDwa!62Tq zv)^23quQaC;qOiQs!yh}tEXjdNx(fZKT_%CeQK38|*$Lg>Py3g8RH0qW z=Dq3svyUmYod@g2IZ=y(meFe2F7bB)3AKI<5@;V|J>lkUdkyUe$lt zZ&f!$`fk%QgJ5PMgjr0I7M2{45oQnR8FMQ%cY;M7(3P-Qr)N)U8l0HL5|tjf@fHZn z+bffzA0P@nb7aXrjON*~n|2-hqqZiJ0C?-9fvscX2c-RjeL)=d1MCjZ zi-v~Fk?d$`m@5QKmY%gdvb(zlor z8Spk3xnQb_y@URRHdc5&|6+;%SY+n^w0y#0OUh;D{E|nz==>?*Jz`{pl>NQ6D7G`zP zg6R?li`iu(x|TN5Zv{pI{C%AT=gr()iW8CRJEdZ8$~CZj|uKEzB=*rPED{;-GCfa;q= zQ;}EwKzNOD7HiI%02bA0^zQdYN(R%RE>u^}R~|P3*Kt=6ok7t8_?U)Ko(I zwL;}}z!|Oo2#M@gBtQHd8=}~B@5~a}ZX+y&d305=cbV5^K{;K09(UW6ox48j=QR&o z5X8wIm`a$QZkxV6@-tt0%$lyKs;6qAf;SGpC2EL~`^svXus)7o1s)mJf|ie#yrGSw)VZ;_EG(ybeEO!osN)Bxj`%`;i= zQoh|=M7l{->3CTr;{g~Euf<(7FB)fbiODREP@=l5b0FwgvLqGt4LAmm-G%nEfAeWO zcPUig9+{UdoYSJ@->m}b|NK}4jX~{fkJK%K$FjPXOVlCZG*VO>r_gfI&ktI22;cRc z1-*^;`-QJ7=p6$8@&$w6)wn${?=R1>+^tB#(m1>UZ*#goqQ>*f#Z^Xjam`XVh`0Hc z%CuK4Q^LOLqlP~TR(X4x0sMr;WPC9Hhsg4$X$LAgyWUScN5s2?X;-2QL&g-EcrFqX zY%PdXhJ;aNr=u#b?Q_mPd6O?upq4^d(jP5;dhdnXUz-D-VBsR0sB6c_$h!L?8y{na zAUjza=H7@8XU3F^_IbMJHH>CNuid%O5ZnC@XA+63#PWPFKI=~R>ZvtfQ0a{?S7lB zEfz)ZM(m31r;o40+dqEci^h*f(KGHV4V(9mUGb&kK0wG8u9F#&ig>xSOyy37DQ;$! 
zv3thZ@L5VplTw7c-pcioJnHz8{em#Ae!pZ21%9ZQ9Jc(c3 zz{Rzx`Zct%Z|YpbOP&8ZS(iPvdp6R~WCX7or$)F(T};K0bC%tb%Mw4dl;;e0vQKuv zAkZ$X1eO&@LzkYO;(V6D+M2hlVwnJ0I06Ef-x=f?n}0+?ztVaI zdVrT=Pyef~X>PKCOvyyr;{L*P+l`{vPTGUdy~1zx)r)v|>t(SI($k(i5N-atgFg10XuRdbl!| zC=O(t6f|2sv#9w8*^=bUeSl>7zF04+v+rC zgXP#5D`~Qn3!f{TpO^0$zOW4ynn+q~xZBVmp z0FV;MK9l=1gA@^efZ_>M9S=qryGorqk7S--&X>oVe=yz2 zHg9*}vj*U2e?J6k|9@k-Jqs4ZU;+EgeFk!`893k>4Y^#2Gn|eK)7(`hOtt*u_9tN@YChXt8+z8JxG~V7{*c!+&~*^G#2; z$9s?oxcJ52y}y68%LBenW+Tz)bHsRl;)xV+eb7=N#W+n&P!dn#W&LQng2o#GNnY_U zpjV%p+S(=fv&ervS;@gV?nKx7V=COU0UTLcN}2iqrgm}b?tuLKW=tqU9n{9CNz3J; z`pm&lR~+F`v>)ZaNj?4dPWh{mI17(E#QC!SE+)JFY-ZAw%XP>wkH5V#uK18;&(~KL zd0Ul29ax(Gp!7hWow1xylOJGZ0A^9`-3YcOEa%PG+Feeu*i9hhrl3}?;?X9|Lc*Gy zX?=3;?Zo$;iJv?)r#o`8G1(tZQirdxA}h3$6bHC$w6n}24NnwR;x*r;GWFJsT|&;Y zlEr3qvU51~*K;`9VqUxATZvnaWg6ezBKGyM{vA5h=mBc{gD3~h8V~>LV+Wtp*^(QT zQ=lRR7QITAwF^nZikD3=ywxziC-Qc#$r4zF?So{)QBGm*1)@pR-PDn#kr-S<=)*R-Mkx-DkNo7YxmMbD4u}|k zL+2$`yMAkdQ;%vQ8m&b{MWYyK`%z|;@@V(ws)D&J$DZQj_k2LdN1E&K7em7)M~Xz6 zl*ze^+R?NBIvX|HVEIleuZF)VO`v8aZ-R$BMXu{+?yNK}tZ`3YdSbYxwO{In`{MK1 z;Hd42NO~mB7T1FSZ49*_9rk2TDxV$7V}vnfb~W9AGpQAfGrs=p-4A)eO2+z;TM~zN zGg){X@AxVt1s_6S^<5x7R|Kw=RQs$l++7_P`W|rANarkxQLbz4&m^RN%Iqm;i3fr` ze11pRraBBg$B=&p#^61&1vVcNFxG(~v+ca4q7NJC+Z0kAxfcwJk8StI47)B`W-8Y% zB1(PomF)yPeV!rI5VIydiP^S?y6?moWwAkgadgh8vEAL>sqDrNjE#*Cta?JQUNSR} zEGrrejv_953v=KzKiChjFYSe9nveDb7!;Z7s{tQY!COmuL)X!n3v7{u*K#JIdCn)D zv}sp>anhrkmwSkQ0jxhAVoj}}Ouxqz5v(oxwIbRwju3y$)JAlJ!_h!O1>R^M8}35< z&a*}i@^DfSVmIFsx#@kB5za(iHu{)3DcU0`h-b_p&zrAiljcVUMF}l6G9a5S7jU2A z;+P*T*ZSX2vgc0Zm!5tjCAcYmkFz(wj*k=s_>^QMALJ}H^CL=WaxA@RYP<|ZaUM7+ z0K3{{`K_9i>M~xWZLW`nhTlU|&4-WeQHS2#2ZnBtMlYw!^w!f6_(zS7YY+S{hYf!} zOd2Wn4i&FpzXhR0C*+_wN;KF<8P11;=u~tg3j3=7C_EjAK`0e_?EpW)06>yqv938 zt?4mDI>VK5QkE}lA$q{;YcaAaNU5Zw0>$Z&Tk6K~yus-^(qR{y8L#q6VK90(bR5bz z>Avry4HZPYiOf^#ODI_L%y#}=3MnDino*~#GS?Y%z7Z?4W_^iR;|urxU8rGq((VK+ z26yE#t{2?C8E`XqyTt6iw8xK|*`SAaC7trcm}7y+MrWs6f^aA!!ukhCnIX>%&PlnP 
zMd6uu=^eq%oau*cw~f(C6;EElY*H>s@i}-B=Bh^zOV8`Z+bH4HW1n62rWjWiPDq^a zrE9Lk?%*NqR0^|BL{;Y*XWMZxWH?s*s8@D72t;-E`he$%*C^FE(ZwR-6CUPh`x6rL0p}#e{l-GrQh0)9gHAvW)y0uZENIT^l%nZz1@iLZ#fc95a*s`P z?RjyQPf2FiMgpLR2Wqn4bpz>f`$aMncB;p&`>GIM&gbW6*ld zxAZGU)G@YO^I=L8!ll+#s#Bd4gg=~Y)pq~oMgDER74iv)8yV6f$a~4rC(N+ z;iH#~^@*)=(3Q(bVyn`+(kBHXWSF*(+~N>Ubf{D#{jRJ|IiU~i@t40PXmWEVH>U8Z zyB#~Z$JV=?zo)!=PJaAtd*MAuOXuPR>H*opN`Gt^cj@nSHO6(yitR>*{Hb%H_Xf-* zyFiq|GbN+u`keKp)tQB9^EgidqXREAiGB24OzXUv79#PKihr1s4YQL~-ZLo(ClWR* zOupLsVuJPqm&wCCw8nDOTRUwjouqSj0T?W1Ykgpf>YL4N>*#^&)Fq|0*J}mI-_{$; zW)90uQ57XNK$R=P05r-lyAvkio3Vh+4#RkfrPM0dAP!a2KD?Bcz-gJ_GOPBVd!YNn zo48NL^o&eL#eKYBb^jG-XiLE<%|_ad*N_|?D^Dm^fB&&jz^cmBW^>Ds`JGWI_F(su=%^i#f#lWL2ioDiBv!v!wwY_FrgnXp+jiC zgSOMJaq^}UrI+$`aZQ~Dd$F?W;@Y1Xdc`(~XV_f0KIK@G-1xa!+2IZr8^?%sbZ#xM~P-40F2Pc#{; zC0FY68E@LClFKb(X38&aT9nKiGzpKoj+`vd@^)ZoSvL{sm;P*%3va$^^wwpr!hNTa zWjov);ev&`=DV9lI^24>0ue_k8d@AVXzUl6$9icRULw4IPKuw+nPY`pPMZaB&EXOG z#=-f~DpAdCg2#kACZpYO)_dhC^g*}!%-hPR)l|UTgr=x&Wvf9PdK@V;U=5tx9Zep3$)d>(iD4#VQD@h}Vk=_nWjZ)V$(|vNlgP=> za66PWRX6t(iZJF7#}a#f^V}j|9oDavcd3;5mC!qvqzrQiK8AYRKbgW^NeOE$URT?Sip<|z*Z;mOCbrsYFxxl8C+B|w zl)-R%_e~5VPMVXF=CMz~xxED@b-|4K+yQgETZYV%6eMA+eLl!sV-O1=^X;tc2d?EGcn-A1bI}x)Mum;Ur3%b%6T1X0sz#?>4DtwU5=S3j zAhAbJace;}OT)oc^MSIFotj^hm=A|6s<$`PQd8xdm{xiE3l6|ij(LU~6$@&4sj$58G3aAbi%CqhFj3)0oTuEf`jC@Q{+JiP7+oP7A(K}r(1 zS<|T!@li26)dp6-o}~iHn1KmwWfa}53sZ__R3}uueN;6*qh6r(y0xt#98@D+z;0(l zY5p2|@bmi&IA(5_U$w)CdUR{rtTYFD;CC&0ctX_Jntgn8j;Y(5EI8XXnOXj!y}+|r zIlWLz^_?q`FFmTZ>dP@Q>a3N4%hJ0Z+hl*x=1n%?YQvWjsvaEC6K=LkCtuWSN_XlB z4S?;ZA}QFu!si=m-g9-#7AN*xfWj4K%B#?%iU4oc=lw+(CCTQ`3K6qcso z9TkZJXfuO(9Lz)db||@(QEXkGuUSb)xdpII^DHUmTV(Ks@FEMu+~Vx){Zu4L^8v{* z(`rgD;9jWmx7plsvtH?W-)?q3TtKI+Y;RF>o$AnzdmgIZ%o8(l*zX%8)iP%*D8}ON zN#u0iKXJP#S#Gx$NvtXbtyU{8DDZ$VW4hRplPD}5FvE7M!nm_*bY^TTEE*jBA!Wr^ zBU82p1m@;Bmki&Z`uQ{4>TU^Gh^R;Iu4w)_X1TH-(&wfLRoMJk5negAo|!gGL%v@U z1BT%?zw5LZAde2K`6vNa7kw-!hgeAiA67TnZ)NTz6jb<=#$aM1ZXS*aYiIUJiO;M-=ljECT~E$ 
zFotRn55twGC^m=QF#1hIV=?L6rmv%XooIk7r{}y?%>!S0RDLgflZU17g+uYpJ!`Ow zH0=#!9w%E%dcV){$%WUS!0_B%C-6D8uBb#QZ?? z6^R_qwO(P^)Y>Go%J(TPhE$lq3ZU*|RZnBJ5_Fv~#ZFH4Cmu*EUNK}?BJQo`$^5PD z#vb*V%Ix_(v71=1B3CuO46y5W$7KO6Gww}HqHr;+Q~Bdu6%c{y$h^=fvS+yJhURr8 zci(vD=%@ofK&TX^3)DlRk-64Sz4!8kDYEiX|f3`#WyvvT84aq@z9xA(@j$IdQZPFO@op?`+h`z z2-rZ--eZpo+jz<`=NOJVw|Z=Rqq4#AK{=Qn;LsH~*y|;D9q3 zXG1Nj%cFoii=15z(@Q{|hlO#^jPgOAa951e@s}(XMn^CQUcB_f_dZ zQkvEEW8LkYwYKv10TyRZ(2v$%G1r<#;lx@#OB)huKOL-WvQ~KWK*Nak#l*Ypj~H5T z-+NqyR%6pnlS_P}DACS0;ZUwwoY}eTm0oi10skFB7*#(65IgD#@%!?8Np&(?@$(-s ziTM3)_=#9St5ZelA3lD>#mAS>*4{1GlGF|11kyZ${y5lea`_!w9}=5rD1NS()3mh? zFS{hC-Oq%~yA|6BzO*YFYh|wF(@Z`993(BF36e?(o7Jav|$ z7S2DZgR+a(;j0r^EV?gop_M+@`u~OXSz(<1*Db+;QHiT>{V4(D;sumE>;bp1!8enV z?T#+DU@q&ujR(SR=k9v7p#Q*bV}Df}MIW-HS3VqEb8f%-T>{{(pj`WADBS@W`KW$e zoNGayv=RF1FcWt6qHj|VT1q`RB7{hxW2;+>XJ4NnP8o^@X^HmtUM(OLn{nNLW|e(a zju`!7s-6dR0ey0zH{D|Sn+u>==4v}5^M`eeK13fnoOY4We_@;>3N+IsjW}8osBdfO zg{5rHJZ7$wnrGSUov3K)Fm%U=e%Ijs4#11Qe|uUzbUX8_i&kGqD!s7X#vi;h_smL= zB88el-G(CL^iNe}$)MwDEkkHTdu<8T88nxk1f}ut9TsYTu~Vyy$~~W0{r5eppAY)e zNL@KXkXI^Qxj$dFe~PjrrNU;i?!WR$!ek5oA8FI+y@06)Fi+V-0Gbwlmaz?lF`WBe zyl@6T6C(k19^q>@iF<@*tO|{zFlyvQa5yDr>d04VaxQx3G?0p~%U*bx?Ba2|GNI)Y z>|?>XDj=E}raYJr@4#=`%3SHYfnv@%FPz>np4E0+pOt3!-MFjNy&0s=8vjG11}MMj z_sxSGj4!{~;w{urOOZ&XXfur0*AM;%qB-g-6CViyRbf<^gTB7te=SdM{t`R@+Ji27 z(vMCQ*wo(}GmYI~#c1^7)bM+Bzo=YoF7^0Tk_siAO(aLbyJ(TfjE_yp^$=xe7S8D5 zH|LJtvHwchY@Q51O0}>pWxmFX6xG+j3?Mw#>4;QN6wXyUQjCCxOnn1=OFT>v;xL^n z;qG54^k2&$r+{z*QluLgwRB2|hwpB}WDRR}K{l;s5ObM3Sr{96B?~IpyTpa|=;&x~p^oXBr~Cebl#h?kuI9Iu`80KiXwxS|TB9cRe$Hr`=7(Ip0KblCJXJCD_ zn_#7#0nQz6P5whwpc$Kk3{)Yp6oPU^_B+xZ)qd`QTuj z`qrh)bkc~eO8gCJ5xNnRm38N=eRKV#kJgC@T?A)Xc5O0-8|V10*P3@}#wUkWA@kr_ z$?YnK_UucRmNCzluYL0*pr88l4gE5@g#ZHIq(>Y17?E&4egU*_MZXh&vXG==+Wdev z(gIcwgzf;M)f(>&Ux0fE3ue}EdJvs!#t74T%54y1dGmqZW_hruKt*#JBmvySasZW{ zFZ2m%n>B36zTMLi8NCzKhpjEYbNx+H>L;c%^o!=zlIqOi$V5@CwIh_TuwyMB0CrSm)d}A{m?Ep<0g~HQl@)DC(LCQrUTx=8XG{2V;N;z^>ef%LyZG6+e8E`lnf(+Z 
zh&f~Ffp}G}owEyq7$?&om}T$ExT!wEk0`SRx5of9KP^?mwr!ILzOChC>|Mepd&R|p zOtYTmX`N8o*p^%Eo>S2{g)J}4;nC3>0(1V1=PqqjO!abGRCoQ_=cHqH9YNo_n-1&< zJcO>MR7PR06!f-pmGMulUc5k_X`4wjl15xRd`2+-MIZ!tz#^-n1c!6rn)ppofAWGQ zLwu=GemY@h;UxFe&2W$3LO^W(qrh{^9!>se4Xql}g7r3^UFJPZVZOx&ls2NJ3FeI6;ROqofuCcS{{lw>#z|c5tS5sIw;UlWn`pZERLoXlfTmgS{!MmXG8kR{qDV&N4X6T05IBIe z-bHe-S|xE5n7reBAri0SJ5}chWU?s^11#A@Q{6F<98Zz)4ezqMc^@%&;}+&ynOxEG zqb)Ds>~k@ucOGOR4|RPKKw$HWqeI2>YPh{f%cK}8QvxVjcDUTEk~StfI!aZJ?f1z% z(`u33=vtGg<81Pz?0o}6fVo$>7)3R4PxO-;AGKA`<>m5CJ}qz97Sa7xCizaoq<P;Wws`h`= zh)~p5KC-cS(e(*+TU6)0%}G@C)j4E~BIh=yO?tYVq+e1Z5}bbB=xAZpJZmbr66M-F z=6`C7ukhiz^?8(OyH35wkx7MB)&X5w@5FaM5VJOO*Ivh%uVXj^u@GHUn!$Voipcd2 zF;lo}$o^bX+H>(8wSEhL4dnR9|7DqWZu*Z6I64`xg#Z^Wa;b2V1u`H2`vP?MzxsLJ z#^~gE`MUE&4_;LaiW}hPoZJ~nWL5WT%awlnPI=NKBlw9GxY^^-o8uI7{77}%d8b%$ zeBr>{`(1OpL~>5vmOw`={td~Ce)QyFBoOtl8W$frNA58tb~%U?dR1e2C;kYF4EJ;5 z7h#Tmfij0DKYf9WMCR9Glo^0?3)zg%M9%iRBbIQ07|&jv?|+V!@o?cc*yY!v_bviR z>9PEi&t%C&10}I5$3+}oh2uYHi+O&Em9GMqkHy{zNoE}23oskgUhuxMIm^CHkMr%= zrsS)JxRbrRjcj16=A7sLwL{9gL3($OHO%b+plZt$` z${X=Iw&r>U;Ork_ea&*gI+m14+UVktY_4qTQ!@%IGmFnUEVv%!TPWf0tyRY22$?<7 zf7;k~aP^Y(saL?JJUMIavzU`R`QR*s;HOMK+-i?CRxom#5>TZ>WPb#9V!uBOc30)S zYDwG|9$NbUXnX6hD7&t097IIP8x)XM5RjGzDFf+HKsuzmn}H!jKvFt}P>G?tVd$<= zK)M?S7<$N=-{t+hcf8N>JC5(4@4F5VW*BGo-q+e|uQ=DaAmSLkqE1oa0z7|Fr|_ma zObM)L`i|WcKAy?^&YUr$y1X)NWXV%Vunf566xli~A(_z}4ePNQ;eFQ{eC|BNQ4uTH zvokb0L@eU?wpUk|9my$}#uVhtsg?90JH;^xo71qlUVY(-EABgpi?@8=LbL>c#F?Z? 
zRdDAg0VI{tFNCYNd>Y%FR*nF{-fQ99ukxL&RxC!DKvhCC+G$e{p{k@1b`GeVGLBWqb z>wTBj;uQ-5-&M5(SPrO1VUz9U)xGy z`4#Dktnj)78D^syKqz{Ob-zsv=JV$3t{iz9WnJU^=M(mo>_We4gI<)^Cr=4MfZ8$m zldotcaF1hl54k|;yFO|`1NZx7cfGc3t{vhy_QEH7n&5L?pXZsb8@wDBkte&MFqFD-+g{^y%(-_(=dA#z_7fw}(Q#z{x zg*$m1z_39<@{{B>OQXT{3)f@Os<+P6e3oB)Jmeu#3PTL9Ac-RDCH1Ba&-ml%#2$%( zc#yP^2=}!oEX-Vw7s>6u+wokwKPZQqd)q8=`>Vw@Ci6^c^oVW z788>r>lghQev&HQFfA9M(PGJG-EOJ~b`P0i-TtHjrKBdIstWh!e_JSZZ{WJz4nR5V z&eoOLN<2|iWioxoOAd9J^^Ou8U0Sc-x4$@S2NNy=|Bm+~2dSljCT-ZjcvU z2epNezBsH@Ka$p+9hrQAy;dnsCd_)UvCPzS4gAXSIw7`#<-?8!=$$QUt#AKxJC5wK zA!toz^b|g5)ess*%mI{;^t(0rtn=CX z;T}s(8yO!4PkkMvR1I7AuWTLNFjT~XR1R+Cb>FF{2+;?`$RGe-iZ0wcK~UEe|km7;Q@m^Ldt-jHc<85bKp zm-64cAUxUmURI=4?{SJh*&&iu8VctzT%BUwY?$+{QJ;OxC`_s~Knw>;iswykE!gDYdSMzgO|jcaCo^c_Qe38zcnk z%`c}UuVP&jda0lw-)Tc1v!lV={gS|i=&XhD2acr{WC%#F=CBYl&)rO&s;|*`Z}OZN z_(oQjLdLl#nVSDLbT*&3FG6vnU6L%e`??3D#@LIBIs;b+x#> z6ESp^!x{5QlI>OJ6stn)q{Duwxxw*c9qIeGQw?ye9tq z+0qx)3u-;`Qzb3b#i-Y&Utp^?_(0y5UG5BRcgsQRM1x7}8p zM8tWZW1l;>ySCHzpF6wS_6vkG^IcMfKi*v3D*7F+=)%J@p`QWsB3o{@r_rh~e>$IxjxNW3t}*&B&$x z$&V++hl-oV8OIc5C6!;c_F={uN-`;ReuG09#kDbKIm{I!I-T(oE1I?VAFQ~`N(y;v zmf1AnR4>2Au^&-9#OA~-umC)j@xuKp%e>iso1s4=m#!+(uXzc?1Njl@bzaJ?GJ7*B ziRuoJUAnS%rl{&jT+TUt6_t94hq|KRSvPQP1c%_y?>~2^uOB$>51krNw~H?GoPLHr z1)n@76ZRP_&&e@f)ZSO-*-DDNqbM71g@Xc}<=iEzRo&f4kZYNhn^j5|A%%`jPY+vB z0>jqm-SmdDVIkC;8^%O>#Cxw8ADI#r@h|k8#uF_*D5J8?_c(oK<-AKlZ|t6lLYpU) z8M=%fHf}UnpY*`*KBIVNGhjx+&HmlQqQ2m8^r=X5$TjZ*vX!bR`b)gwma9=;-?ONO zH3hvUr=i)>%-7Zrn$Zu&=mkf~aTZ+b6G1N0C}~V(`>&7ekGE=M8$(LH4Qq`?N&MUP za}~XOQQGv2LNPhAnuq7pS(iDHP5vYPM^(;`@p&(f5~6UZ!SNF65n(>1)67vL~PLb|eZ8=2*H;H-2lrvyN!{4+Hhg z+RA}6OxifO$i$-)xvy^6IF%9N?HLAe!Y54+Kd^|+Nqo7Ua84e?HyvU=7E$Oqlb5+T zpJebFV#WyF@gcFg&ec=1ZO?5-&CU8e-YYLTbhMN3q_$M&=Qn8$8CzZ&QbVU_FZ%6FjFAe}KvyuDZZt%0Dx%V>o^g-joTQ9{d=fu5Ev{`OQ(|^n`CtkiQNpQT zU0(%pRxj$KQT7g33lFaJ`9+|F@u#=t#blluxmm$1Gtp|HNepbLE638pl3@Y}`{QhToF%p7f+h6DxnQ?`{2C>f{tPjmNV3SpKXp_K$(>K?ndJm_ZI z60{u+uHrQ-H3OL&GSgMkhlzo&T3;K>!Ct`xL($$g=j?WD5#zTpa-iWv8XOqJ$T+vH 
zLOo7!2CC@)X2B|t+`H+gp2dF7Wg~8qZY@+~pTkk~ zZ9!OA^;%=JkAL5HH*H4YWH zj}zOEdWHKdKKzgOIo|EUo-lr+h3S)&8Y+%hunLHYj{$s8t6bQG`_l`VitB4qx+*gW z*=w~1ojx`|wZQoeWdnG{DWWXk8vxx3wU|BDLiz!Pt4*qUw-Ts2WbS?W4?&i|SkD=< zubKVDhPVVAW4EBWhZidnslP(Uo}#Q{I2>yhDNiEbmnPgQt<4#(I3DO(^>rM*3$8+m zV3EXlPdiGuN-U&LoPFn{U+|hcm7MsxCdycs|E;0fL!|EX^a2gC%>nfUj~GUk?}h+fl)X*2THCHr>8jnQSn=K!(?1o^pD;u3QCYZYH0 zmh`FFDp5Gh!Ukj$aTWlp>}fL8q5m9lB&XUY9Sqi|>%T9$PQkE+Cm;BvD%J z4QTLgwIs_(W_K@E3jIJ98gZ(PQcBX;Hcb|kX+JvR9m%s(Bvt3Y8u%TTy0n9M_8rvn z*7RV;JmK#gL@f7e4j@;bBU5tKdsfXj*j(do6#%U@HOy%WJOo~wxyVoZ9M5p_x7d=rmlsk zRA~=)#Ri97Wfu1l%s-5!kzQ=^yV%;*xkE%hH?172H!f=lAFXp-3>XB9R|-qfdn3?a zwntj#sTd|>Qo0%3Jk+HdbBg_G`-~7}Z(#cKVs9Al?<_Ff%YZQML66neddA;vT08~t z@N+qt=ar-_UM6pEg(9Tz(j%$7D6y_=xTPtyZcq zcs9++6xpVN0Ad$!S5vElMSJ2urDxdoG4Q8#y~)$?#7@Prz>1$uYH@(yB15HEMm}0j zKo}9pF&m8M|NPv1(c|yDJ(@e>5I*<)@@#JqcrIf;l4djxdG>8-J_5KcvD`(wYu-n# zV+#pC+qW0k$Wo&lQHZ$*)>0YCjKX;%=a@<$<69TNi-SB#H8e!C4UW#Fl9A|3IENRA zBqD@2;<6$I1A8UHg|c2yPTA_Q{5s~t>!^HMu}gSBKhV#huGE2$)rZAg2U!>&(A^&x zd#iAO6n+0Xiim7Rqfu`2{PM>)Uq7p^pT?xySam*du2`DH{R~E77GU*+>47mAsMd`* z1cd4P$D;HVm^_J_kE|$|p+UuQnKC_@xNFI8-YSa#x40apQ~}L&2^Xd(F@3EbF76Kn zFvK66{h@3emZ|~2f+})yfL1P8S3R$6cJ7|pai2x9ne(tasQ-)kDg$81iPclmP+P%H zN);;rOGF*X%EpWI+~{Hz;mhMbiVB*{>S*b!79XV3sQ7Z+Wp>7SG@|IY!ZvmO$7j={ zd@FUuYXlps{jar0h$I@e!=6YM=b_gL(3W+Dh|S5&Zw(KIDyn|K9GK05ZC+g}Wv-di z)AP^V%_ACKuX#^l$cuzDyTHME_Pi6ywEStlF5aUvdBU84uKdq6T3|v=vy+iAe>WDA zI=0=l?Br#r0=*wP_IXTD;ye>nW(!gax6w&DThG6p;-CR2s3SJQFG(sn2%tr^ou%;0 zzp4`)7=IsrA%7lz_Oig?m%ka;$Hh85T2=-5QK3Q}-%2{F_CWiewBz<&iRVq&j4pmR zh>u3wyDZW=q8FwV=aG5|6+3rDsd3c)dguS?RcxS7jT;*C_Q&+_U)-DkVb`0dT>q8xj%{HW*gFsaC>Ke*42U>8g)6^d`9pT7+(79^Ltikn#7*tUV8}-;Dctzn@%~ z@eXus+nXxz2~=!6cYKtC6Sszs~=r(6r--^^WoQQRxl zUMj32bSlU}a$Y`FF*+5dJ~Ko3X?TLY0SithoBd(kzu!~Zs7oT5{wfr6m(M>E?snbw z^W`K_DDYC#WZmhXO# zNlC1ydVs(kO~&JD19`cc7V8uht!_l>{7m*W|Nh)+*){7!S}+e(?0qJ3u&T6b{aQ0| z-%{Oy&sN={vY^t>8tEay|Ah@9^i0a*5l)_6+Z`u69CZ^szDK}A6Uy>Iy>AtUyD#o^ 
zSyZC6zh2<@sUHBA)dSB4tSN1&ZkRpWu_?b!s{=L;@L$X`Y)eLQ7b=xbXD7_>lren( zz0ti~XW%{_%ud$37DH)ed3cQdEv3>q1Q8 z?&mdH+t|#(QvTz&RUY!@<1N-Vg~D4ICWZMuC#Odo{>3`x_U_$wLvWF7+@=v`L7te2 zhJIt)3B(PoNZv~76U$p>ap`*93zbed&s*ZOhE8sq*&&1~*gTUsoPtT~3ky3#63>@E z6de|2SBLp(R(fRq;bYyDqrhcnD8yvb_!Guyn@!q&R} z!U81N6Xqp2^*%Ih>7F(Lhcn|Lzbb-1^57bC%nqXGbap+IRfi4w^DI#&5X)|Am%(Qb zR4rdrc*~GE_bzQGFF-v8a0s>W`#BbbeW?_`Z7(ds~wJ8dl zlbFS;R;`rB_K!8y(O6#u=!os;6jeZ<+y$r^@9a};ISr#@J{tY5D!CkbIay{**JhZ| z-Fc>8NHDha+koX_-8;=#Bi!3f`Uev*m(EDceX~B+DOte?MfAH5Z?+uYcVOr=k}Pr{ z)$=((ykz9Wn(~4c;};fQ15wWcH;1lv@~pO45)M^l>87<^an=#m@%E69&6R5)8m3YPA-$zuHJi2`L=)4q=kh^vjYl(RkCzrP4-u& zzp9^F)Ywm#ma)(9>Z`>s`UP8at0aOxJ*)~Q>gLwcd$oD0LAeCFRIU99j68tMzgJ9g zq&BtIIwX_JGP@0t=`k&t85Ao$vO`dOF(PlCLqb_A*g)7#PGzlu2HF?k=W9|;-x4)I z3bCx;1jRB0M16r4^@D>A2N6ckY}-QZFq>ZRqO2+se{t8Ey~Kp|SP={C;^(hUjVBSO zw+AA2-}zAft@0UNn8N?umuZGeP63_9X&zjz&v}(W7$S2(IQ#dPqCN}yk@a^&bng+? zn5^l0Aj{*V8~|luP-dxsO@n}XZJJlj|7v0b)^fIj+pn$4PCdP0Q=O$sbBWDSvg)ZE zz9G!rkS$bms?Q@)uy$yR)I39LAbMHxAq~R5^I9!HjfweBl_S} zFmSsi-h46A2~1EQp)MqWde`>zC>%Qgyd~>J(QggHjQnH@r8McjJ*N|Suk?BTDG%nS z%c!ALhwW=#9|v>t<2-28KjKms^7KSMXv4y@?1?@sAwAF9R8+-xqrr%g%#WB=(v-V< zPAG0e6;`p9B8l=rJGeZb{potITssKw{Xn?aC#VuE2j8m#4C`T?)GPBmMNLm z^97eg6k(RoKl^ZwnsLA3gh40t)(8gbIO4$T`1*_cnjfte> z$a-Fx%T`lIS=E^WK@Z*}*QnZLbh9D1?)Mn}B)u-nkTmn9sjoeAN)~`_nV>bKUd!{>k3e(I_E`u9^Ej0jJ^`BT~YJ} zKMN7-B{9A}Kg={&CT5MsG7nAwtm*G2>?)}~N9V^Rk{Okzbu7}XpVDD>Ak0JrxA#QN zcm`ICL8TmAnYtCY`A!n4&>4u#EGF}tX%YMn|LHHP`3Ov zkKyTP-ekGIjd!IgRq}WvGtb;e(DeCiuF3J>m$ZoypcUH#&;X#}e$JZZE5jKSZLivw1=nJ{!@8nM-;kbOrYcc; zKZzFI=i-n!p(yxd`xG@U6%-js`c2r0CT-BRtg{+$2kQH#&iW@^qb`bUd>0*is0#^R z<26V#{_-6TTxA!Tjc@te817-5eGSXh{OtDVcf@!3pgFxX^Oefv$r5Nk z$|vLfS;PYkunc&>z_?cJom zZmnGMMsSJ)ufB~WNgKfSJ*(f9|1KK~z!NmEG3#8u(-}(+Z`FTBFDGVw=%_>}VlXCb z2XyC-q*uh}{OfR&%Q5+$Oa~zJVj<&|)jXaa_x~}G)>v|W3(i!?#?j33h(qvS9}93U zyCZh*{PPe%J57H3T?_rs_5a?qN03InI@>E-nQL&3yaGBT32g0uL1c zb*;`w7>bWqwBK@?HJaY{$6SOet;BgKz1Fz}iUaHS=VNErjs3>7b}LdcSqJ^I5CGAx 
zEGe|x*2cyp_}5OV5MJV(q}2}5(!FQck>$DtMMV+SK7WhwZw(*)oo|Dz4Hw|4l;u%< z)W3+Q47>PRAdLC3ir;C%EnB1uyvRDc3UejeyI8t@@-4<%#Fai^3glqgH`PSNE1KE9 z*jyE__w+9vDO{P4n~a{D`-n5?i$^NV7l8xkxk$GAokmqdL zG$Cq?0)~EDy`eEp3Voyzaj_|Bw>B3Vb$yr&t;fi|me)y{x>xeoc8@LnswY4oHaC}n zqpZUHbKGTloxtwmYse%X4w1Sn1&vKg01re@w$#So3uO8~?PC zX9vH%UUEN>m+L{Ksv*OBg`RawNO@p4-5O!&d!YW+W|AK#)sa02@CW!}>^~^%-kNCI zaV^_a$0QIjpN>Lk%%B z=O-tWzIK>MRaO6X;9>oE{z(Ebhk;+e($Vv>k0&o?>h{l?RWSQZ>{?nz(22jdl@{6Q zQk>q$Dlto1iRtS@Z!qTK)6+y7)0?6rZW4#zt4(3;_v&0aoJ2yA%J;YrPG zrC45uAoGx%Zb!>j@|=4^3@>~T=FhI3lrTJz_JU@5I&I8FXRp>S>3yxCd8l7YU@)lE zU5A{r>1E9J%(F6`Nkv%$jIKnc-v}?#y9#+xk$If^tM*sIv(?7Atl>o*cI^#U`@0?z zTS|dtZvrRz7kVoP-cAa|zePnnom1?98G5+Wpf=<0(wSi3Km%+fWIjrbb0~(hL&&|1BtzPga%mCYF zFSGTv$7+^uE#397SZ99sz(J#>j;43mI$LZFN~RWAJq?wuLgdepi9HVsM~N=edsw2h zgr-HG;dCb7LEl~Ot&-%p95jq44LZEJCu&z@<5x2>zF}IM7fgj)-uxu=TxjBb6Bneo zP{Tu$?#NEB$^PDzO+c_ll2&eQtHG#o4S;qQ2-1j;iMb11fT0jcNWdrpF+JC$7ii*D@EqPp6bQyG6UQlKC^F)9V($B}XUo+qtoXv}(4uNJmylZ-%$E$GyXrHb4^19Px zK0o4`*eR|aKW1ZMvZ;iXr0dK^i%#8WW~6vUIg|JEP#`PZwyufw9g8i^jufpJit_aWP0P0M0!<~UpFiPTlCd0jru-87Rv z*!;w1)N?~Hm@~qk2$W1^y>6rYrdn=tZH&SZXl^RMaT18$_8c0M@kuI~t^Aln%$J-x zJTcayh>}2-z~vZBEp11bnteuliejjahYFG-TRED|(-yKej|=oW&dotflW?Dz@uMo+ ziwmE@XSvcx(|Cb(htqXjYQ>)%svIwK|FCul@;j59g-G3R^#&K@4%uf^lypH%pxwMv zM~V^4n;!ZV)d>eB~!ul5Wcd3@t^sL-M%xWpun#%=U-ba|VQ- zpITuJ7>s+vskABc1CguRSaq<_M1pznabp|nG#E6D4^s_lroDC0Z;y8^eq+cDX;-m$9i9DQl6iINDQ_)ENNP!N zIP{|GOttBu)#3#$f#TF=yb4zr_;8NL7uma-Rc4i%SDuJu4lI3t$nSA`*Kf!;&AhYGl)d$!yTJKr&*r(X zAEnha7|053h3PsK2&;fcuWqe^^q0h=DF(0fVI8aUG;H;QFUuTw_llY0Ys89yPy;p% zfY*seAm28#9TjiK%W-Eq?4+)Wg~SVTe^yT1|CBof=f$uu@Am-*DymCSbKz15SRLo*7MR9$eQB8}FK71*8{sNF!LB*(tpQo=$--LPP3 zaU0s3Dl>TfJmRTGAc1IJPY zzFIB)%7*ls9WArANB(Zqy z!>?!x38^y)Ojv9jbij({JxFOV@&R8@rLbIqZpQ>QK}=$E`>wGja5SvV^RTcgC_Gx6 z0-7jIuV4dDsWOZS)U`jE_S5HZ2o9$}Jg`mtqn7(V=frHoHv3c^vv9AXA2z*uIcWSy-v6y#Mm zovHy4n>jn$AndwG4(YWPLUp)4W^>Kp1|VJ*Z5tbCmczNQkQE<*6Rmdc#h@GHz%3; zp@gX4U_}N$DjLTsry&4!F>SDSpbWJvW%@Zc*l!@KlWBP&fIGQ%ha3dA$MW6N^K`xZ 
z!CKscsi8pJCg5zSBQjzi946VG+u8kMsuGhpuqyi2yG`XfSR=piD}~rqA*Z6O7ztKkUVo_tS>YtaxZAc1 zA6yi7K4FuaRaMQR1apYJz4)4$^7i6%VAC zLghEem3lt_^9*U)v8mu3v0?8GGEcG1_@h_i_H-+{V`k9;-K#tJqR71EBCvJW*FKyo6(I@C?a=8A3Ks;qtRC3iX zXw63nUvxI_9SN_`R=JN1sd=|G=j`+13ribI~$Pr zrUxf26QyZ*qxz55%SEPK(m)E~`{<+@001Ftn62i*^_)-$FJ60LZq?Q*Rbo5 zLX*>yG%MKnkrM!|Hho*C2t=UlO`o>RCiD3hB(B9Sn5$?10wx%}#yw7D$f+sZCwe1Eg1FNXYIZzpCjQP!DQW%C=?%3b{laHl z&llTVh7fDtd$sn(k5LDt_)mW)DacSt7B$w-rMeT-xTQsbWHd!($WEvAl5Xvn{v2E@ zy-)LXk)OP+H7F_6?BzeqWDBm*b9bFnBd@x;ft<{%EA?h?5y}XJAF~Dd@rKHzfMZp; z3(>Dof~XH;+1?2`!LiY*YtL!;&KySkrusr#g?m&l<>d$Yna6AGlj1se_hQP6kGc;g zROOgIG4B>te27t8uXvC@RPfa!EMq3;(Y71CZ^e3%jl~ar#eS>|2iW; z%vo!--ik4~;TMl+{C2GxX^Ay+SGK3`tJ!Yqf~r?jh-;OjGG>gE{@5E_`V=6+G2`ep zLWAuiS-ar+y@W;5GwdUr3cIGeGtxPvV{}K-nE;G7N_M3R%8Fs*(4qfudX{cl1KlHx zAviKrxz(vpk|uTqHpX|+S1q}N2m(*miyD+2H`(61&M4eN#gB}BYPlaCCYSu+9X$8t z$9)T%jR!K|RT?)0h2gu3iVCbb@YSA@lFHHT?At)*Hbc3gp9@EU(f&uaC6J`rZyP14 z0=NDC#*>Y~CFI0*Lo7@TwmTbokI!a@lJ8f9&jqr0V&$2au^`e@OFyVkTT^jC_iD~G z2iTxqOyU>8C~R+=W$Ig)q^Vab-yEryoqttyG;wY7d&jx3i%URQsv3X%3i)Q8qZ6Z^ zJ)-D>L(MC?V0qd3I_qE=DYb#wcnHH@B#I@5`_CR|dvW>`*KAZXI8z(|K>7A0GEXEu z!TtEQ7T7J8oLdDsUGK~7n&xZfRMS5#?^nM9+tis?G4DrFuyu;)v`dbq;Oc=hUMhqi zmOGS*zE7~$fiUO9scE%O;E>BWa!$6CFNqQVYT2VPShaZAI)b_$sLcx+C=W7`;bC)R z=MvMaYf^V_03R~Qq^0NMUtH93gL{aX-Vb484!L*7O&%|tzBOA6e9P9aPo^e+DBtTdEF5jVXG}ALHkGw z&aU3QL(yd5>2g&2coKF*LZXa9YrysvBPD~SU`<`nfYBAVl=0;+k8+`jiRosNna<~n zfZ?+@o@x4gO6YNnJ3*2$$X9Lu&A=8+i>y-k9i&U=p~H^-sEbifW%CXZKm`S^W5M6V zblszBL4DHv)HqT%g7LNE4aw3|Ag(%;>SfoaSV@n_`m*C`FGQ6za1=*rtn-EU17mY( zXjzbX%(S=oivjLq!2#3))rNZkc@LVGZY+^`q1x+R^G0of^3Q9-(H@^!Uofk7n6O_f zz8eE>he(o=L{*2x$PCE$GUk**?EtA^-g9Jp zOgBQM-k#rXtL2WbP%LWZkJEIqsyq5AZ+5x3kX*!Iu)3I3ym6itO%s@#b)M-eb?rRp zT5gG~H6)ffSVPG0WP~^W{1dPIO?axx@~71qCtrz!@>hu%;akb3;*qt%v#;|xW4hir zf}s2zdo{~Op|}z2BI_PsyD@qIC=2bECG9}?vDKRug|T|-f1OK8ALV?_6yl$iZDgnmV}_`ER7umi?Heg&%?p<_$4&?rgT6;;;wjxvgW9^ zmVBN$wo>|+_7!u}>8AN}X1`{*8X)hxX76(=tGdLH6>*dmtP&kwsAfE)wXcZe_WMw{ 
z@t|p`c_&}WgAGRq7D*IiVkTe7&`5v4b5x~pO2+ZsRfz(R>?zP==0y3yO!MoqsGA4K z%*BCCngq}XH&wA4@Z-$i=1R1=b6mwp4&LkBC$9WK5Po`^!Evnt~#i6fagteLPnT{oT;7w@;uncj0+@Hg)RXtLy6BZvCsm!V9`8fQ@-VT02v7>LBd`3I=vhJRHF<$){ zA%WZc5r*>>ttwY(vh>6i*VYxE4|xN_5eeM;qy4?Nvo<6=VLca%D}IeAy>f&R$K=IV z-6k}yk0Wzv7)rD^5&?S4RZ4?KeFOqxFsmGW@uf*cC~Wfd%bAy?V|KG}xt(xNUs@P$ zp58;u6xoUa(wdAsQq^Zdd)gOi*Xdr+EjaAk%(7N4-g}}WB@#N_x%+a_Uu1Ib;GtAu zzmFYfndCVm9uz`Ra|n_juSQ%GJJYAu_;8xHVWUJ5O+y%v*136YDCUrAiGE8mbmroQ z%f-HF!EMX)6%b&5lvnX>VfxaBar95bSm&}g05G6cVf~*hl#O4Mk^a&Np5^&3%slQ7 z#`3iZ#}^EjM7xO8Xc$81lK8GCt$-M_j(2%S#;sBy{?+}Yxdn&-p$C26{|Pcxj-~WX z`(r%?;X3^M{jRdJCAtaNGsE{5G(60`pJ?X21JbEY$`LL&Jx?1 zOvh+l9Uu_^2BPTMWii~hT z1|?hpptVw44r`4^xwbf66g&GOak=KB(&s~`$>fLl);Tsx%-i3=C&y;{n0E-ggBvMo zpX1v}rA5&SR8I`v>5ZCvmhN^}$oiFQmGx&<$Soy5r~7^^&EVHE|4)Pd*Ixj>Rg_o# zlvk?5e3SDgtWMU@8bAilUH?I{sgut=*Kc!WMGufSS~~X>)}pp5h6oK+Y?k%JQ%?cJ z;oR}$mkOx(3#v~o2=kO4ed;tthaM}6Xm1(>ZFXIPj?FTu=4R?no#gr+HuLD4Tuvpk zt~DmZqYe1rdMk- zlFp#6wJAV7S&b^&RSr%w|Ka7G3>{th>{gD*pn&h~w$Y2p-jvzAb6Zn<_;7h zAg!87fJh%iO-YGRCG@_@^QOPsbdKhVKF-r~qvvyvs1A_wbs-Hv5;bI$^_=Ax#W>`E zZ&dboCdaB&<~J!T{K22W^G#z=Sz#Z~m~WnS4>fOUB}aFfl1yn*$RPcfrWx~q7T9KQ zJPlt^Hu`G@4hFpQCR-C6&&}V=xo+n!3aLH6Q5>S140Yi3t9RlGF``3^FpTIguZD0C z(oaFU%81ss7O6$XoDwad@ho`yt|AxnMi7y=p3KDyinZ>kkp?#AvYpgMdN0D`*r;i8q6*MK)#ce*O z#!=-GF=a$8AMu*^mLh0u5elewuf4ErO<3e#6aM{EoKY!)vhy|5Rb9$#88qJ5(?fV7 zEbx**IsJO;meje7aHiaDXXoN>=U}Sm4+)kK94Jqnq4G9ZXq}}>$eabj?w9?0u7qBB z2|$gI*^A=CG^9>$!bL@DG0%M4gUL#4b)gRgy6?#1M@ts^hZ@8sM#Zd4O$VNPvXwrc z;Ci;PDbbrSg}ZxXyPDuGq@^o z8`uCa5@Tq?P=ZUOmDW(ARb{#GC2)Rwk-xcAv57q*B{A+^YX1=X z!nn)O_m%BkRp(P7;5@FiJFb^`zt)OxYXFP&AT;Wjvb^Q)UwL%n*2l0(Gvr)VGWZ0t zS8Aw?ejeo>z5AH;NQ>C^8(1@dFRDVMcdP|4#x zzY_=h`^gZx%x#Wg;xt;7v&?3hc-yn2PA%`FK(EH$YQ8UB6-0LIner|yFIf5;-tTf9 zBP!yXGHOywTV+Sgli<$*q@W0;=R*qswiy?J!Xtd7vzbWUo=zbVqA*?k0N-Uk5rE_Q zkkwMF)3qnj%?=u}9Qvt~Jk9RAu{*Lwjir9jtNX0nP}MAv#}}Xa{(UG>Ig9qPw0&5n z7UN6bOYUoPE<&d^d*ZFlM;1fy4_|Kms|oR_5b2qI5KCyhR?*eL%yPu;<(Q}tL(pQ@ z9(=Fv^y{I`eaf`7u#$zyg=TM65RD_a!W 
z`uqtzrQvHciBiOGaWWHse0613dU*CQ{1kyLI0A`t*d1j*o6NYY?|=D3mBy2tr~Ns| zA>z5cpitau2%f|1LpN0k9202OJqYia`UW*|F4EktX!}OmSJZZ*&3^btE0u#S%Lar0 zoyGLU>EVCf74D~%nTpP^{)a*VfPUE^$vR!VSQMx_?Gsf2d&HJ4EQAW!8X2OEdBV{R z!cqXlL*K^Z05v!~1s8N3US88Pf=wt82`#V{9TC+=>UE$CneFfsrbl4!4HAD2vVJkG znTlI^g_qKHcdfW>9LI)5On-Yzyeydy$5G6MEPiTGtXE+gx$XW-t$a!2C>-U7uzq@a zVpa*j@qkTymk(D7$-1(MY-QdUz&3Gk{e%B&YKr4fs4)Q(=eUaegcVtDilI*TRQBjn z(w~64{A>lvzu*%e zJNI{b_xwOk4F#!9SE#inBLrRJ!6@UAPXFW9uOr{cJGV zX@m0{TK%*?CLy-b1nJi+jFb>s{pO9Ojv5Ovrp|{rvt>=E>?rGR8a_8a%>!P!+3S{^d zte83!K5M2Ri^2jFDXLiPG#AAtVyvQ-OvQ&~rkr)V`;E4G(5XY(e`47lsJVgEvO~g{*{!Up;d{wo z(-U3BJL$a7tVrkX%ZE3wHXm(S89FQLY(8wy8XqT3n4G~TNN0zp3*d(Y!SYiis2Vhy za9(X&n{l%D*07iXvYgWv7Z>7g8s(W9bDONVx1a*&-=!w{p6>{_17jH-fpSXpI;i3S zeLiZ0VYIhOU%E6qaPbuFclM@!1)tN;oOG`0X-9|bfmy)9>!bt$ZQW=;3+}UF9#ij? zyA*B2<(Al=LB4}>BIJ((1jd6tr9C>;?VD}@%8#?<^@E{x@&DX%eTH{L+^KIk_6%%) zmyZ)R3II6Wmp$TS4T>yD$+A;o9-V1qkY*c37^s=;^jF`xLr^VN0w!F zw#m0LM{vHN1PMg;DOgYd6&jm)hr|B{Bk4jHVl z%!%E}gv8yUIesciKHR9p_IG0wpqQm`t2|SY(dFa$Dt!5sr%Bvmuvp9e?jXNj{h(_qmZVa^h%#}QR&>bTwz0w1`GF|2(1-HHmp|jcC zZL1LRPqPn~`7WTmLQJfQlu?-f|5sAi8R)t$LX*QT&@^;f|LI2iAMc8ah=>S_R>G%x zcs80^5dW>Ncr0YL7mxg3wM?=3YEJTN7H2VVHxGh;45l>}z`OWo{lmik@B0V;r}Cu# zc2G)WWhoYJjzA|j=e?50-19d^0w}7<*#G4k$l-1OSW+v4W9UkK#AFR%u9^Qnwiy`> zv_o-|8;#EC<}ql=KX6{SVjNvh6*184!oOgAzjtIT;!&X~_svzTVzX!My#PbY$@UtD z|BtP=4vVUb+QtzC3=olS1?lbvm6lSvYY36f0fvwe1PK8tDQS@I7`lcYq`SL&7>4*A zpZ9y-$M5=n{ByXjnK@_gefC~^?RDSlUTKr`{VEHhv(gi@xW9}3m(}`b$V##RR$;}0 zy~%vEBATlMaQ9{pnoWL3qd-OD#bw=6R?I}(T^=$n3k=|x_V=Ln;L-v|k)m1(k3(Am zQAQY#y(6BNPu;yA4fvyD5jKJ8xxyE-XyFudfvK^e*{3E~chgYBCDRV%Zng9&jv#?_ z0MiFkW`6(MY=a;vJkqy-R``AE>|wNcmzQmiXf*>q(8{r6y$+yWbAQ=(dh{SyHs|}h zpPg*38k*EH<>wI#7Zp6^8D?Fyn^$y%_j~tT>n0& z{s<|2#Bl@EZ>0v}6lHX*%g(I%I4`QIzC1y`ckPLCzrhu+h0(S06>K@DPBbAOmQqXB zGY3g7do2HHQg)fJVAuF+?-X4xRBmi)-EU>QoGK{>6H1KpLX7tFpwP&Q__9%`n`dJN ziKbX7^+^$YYP~+#dEeqPp}(ZaT((gxfJ_%Ew&7L+J|#F1A+N2zY7pD~&vyJNsA{0; zxLu;(QMb!jJ8~RfgBIjlkImxW#{x4JOY;+5^2^`jyZ_0(wrag3eXcLAu+R@JNoiWR 
zePMPxki_J57#$jDeY{+13cnWio8qH*)>bb_f2i`sLs_;tDNkLj)yA*=%F73s?`<6~ zeqNaniUxaOeRF5mdCWPT=OEu_-bZlH>*e}^ncc{PZhZKcY^4bf#M_Gm{y0NAICRG$ zb%pE|Pf4M-6rr`0%_GZyDVcv>l0g$Nv`y{^-0Ru>7i?F#;vua1>Yk@hIl?O%s0|)E zi8t@^C-)`q`{zWl=vVF~Uxe2c^9u*+PnN}_j|7u<8$2Q`JN`BhoUpoocR|&a5BL`n zm{0aiusO?YBYEqM#G(cZn183mX&d*OcVkHn7aZDJzO<<5f0v5?nAfAI^ybcqE_OK< zI zVhLL8DDIuk_D;RV@r_);)(z9r6SkZDbBnYO;OKAUlS}*?F}x-ktnbenM~@Hl==T~b zt*E-~!ZKiprnmd}f#>;$NBE0}Z4dlpsAk$C1I%TG1nDJ`T-}fI&jO(VV#o6|TdTGV_lx}&NNgS9U#XRQ|2#5H6>A~} zJ=1GkLdjxqwvB@)X@$JS`hhhjX0`?L(2LN+P%F|$P5knIkN&{KQd``iue*PMM(}F( zE)`4joztcg%YpY8s2Tc(lUFdGTG3zT{EO+niWL__LcKaqpgx!HecnfDrX@DvSq4Vu z)Q9<3Gndu|I5v5t-TWd|0oA&}3v#dfE%wpHARysxP4ejKena00Jp`#@J+soW-ed`8 zQi*4Azq&k#P;&qO%BQ^H@A8C-!f!COb7-f*6pi~lLJxiMfO zJE0*5Pd5yo`bN1HbIiu7uR0d+BGMvHZDk9ek7FBChb!plfz;F9>ShB8gAZ;90dl?e zaGnlQrMABLt{GAq|DVlSq(rg3dR9MKtqH}pbtVZ}w`n{|Y&zSi_ngPp|4jWU9_W*T z+rQt!N5<^NJ#S4P;;9-(^0??gB*)e7A6CTaMg6PwQ1jr$;~W9W-_h0L7iAWa?Fxgh zH8qKV^07|hzkdCyQ`3}*TSeNcb0?IdH9F3`~@;fU7fwE>DKfz>A*2luW zPB@C-o0t)P{fE#y=I+Te-u&z5!u}h@)?TUWu>xF}vvd@mtkW9lm?-dI4Sm_}s>|f5 z2Q?g$G#Q1vEZE!e5K$|SK^?WbN;(#K(R*Hq^fBTS_qwaX5s6fzu&}T|qZD%dInjS{ zxJZ+~nWmVLBV!Osnb`_#yYiJ5Aj1_jEL^1}qS8Z>ngMCx->wlMqEnmWl`cYJVl^F| ztt%dOTH1(Sr0$CEwfO+w$ih^|bl>x@Lh)UvoJ7v6oW>xz1(!}EvGDcOMG*4RcCg=T z5ONd|l62%qEFd|W9M{s+TS`D}IgbxJm7R*;IIrIwC&q?xEeq-r`e>qJRQ4A8awYdN zgoc%HUB$>xNj+L>=cBrBBBvT>a_S6Q(n-cA#=q#zpz>Cx1mXvjmKX!6_CHFaTl*Dl zlcsf@wDZX}eOr9))<~>3>LFk`r1 z@@h4k*-`9aCAgme=Lw%W24z&Y1QuS2cRJPVf)#8BoBLk5s%V-6^W^SxqDTiWn9ju?e4Q0e-ORw_BNKDc7LyS=ZbLDf==kJsHp|onH!AYSvJIchR z=U_j3VW_smKoI^AwC$O$+LDJHO|RKW>%9T}Q-P@YJ5C((OU`h}i}XsZ&C`3~$u~79 znAy568z=qDAsYo{#~MkElh_xU7!WM-{PG0n@`iT5F;Edu+kTfUF9P0I8Y|;g@;Sj3 zU?Z2>lq&4G%33{bUqniB#=R!cHpQ%g)3gFUf^8%`zDmr|N6=?mIbJEkbh!22wU84x zG_~nH&Z(XnHkX5_iDB3MO@wY#1?9QUE!S$W=)n)w#K8vI&Dt^Y38HtH6JWKZz00C& zr#U`id%a8BiZ(_q6i zh-%+QKv+wv&Fa)}-+B0pbSWatPuVnGUc7Edg7a7Du6TUs6O(tpGA0M2*%WU0Ymi(J+C?R2t@TGLz0JMF!Uq>hw)sW 
zzUmV|2-a*es%xH8+04iYY*}*0dWRTdqh&7`&~+*6W|24_Q@0aIM`-I)QfIjH5aF235meV#RyO>CljhfUd@qAzhTO=L}9_ zV#5r=w_a-&oqf|q5GW9L?#G4d&nrDqfH1`=$01^xZ++Ywxxa4p?SQ*bcB^qnwlow& zP9RD7v|8(iRq*h}?vLGt?5MUfRN@pt&7rFiWvyvB;pok6IxpMUZJ67sR-bQu02PHc z7kA?~dezdE=dUbYDEcP7@txFd)V$PQ@Oc??JvLo*t3Oz1H-eJhDa!FP(lDOH2v^{G zZ6rY~_pYagm&T^{c#dY(fF(U8^|u&m0o8cE_Vg{V`z+c|95Ul!B5kjJiK^e(Jxi7H z8C*IPEDFWeZtfmisPp(&eF=#~#><^x9lN zbfJGquBOH0dYV#0pP6N~S@5D#P&D+OB!!gi2X3S&RV|msMr=BEM|WhYQ>Ff#(|1c5 zAoVT&mp4K3?bEiUHij^F+hW5R>_b7}#Ze~$8vU+g5TJgC={P*Y1Jy%~Oa zb&kV$o%^t-SG$*r+4Z|JpR&B}D_oidonCEV_qA^ieSppKd>FY%OnflSn(2}VA5nU!0NjLZ zv`ir}Yw0p{XVIg>en-ii;yGVHPf6=9V^p_>h!Fj=Z68N2ij$<=^{u3mp)yW#tTbEe zlEOgv*W6R(Wmg)(VAEH+o@7CvN0GT)KXLJ+n=ksSXNaNkNA>znncv0_3E$i;p!E&Kow(@;&9A1JZS?%uU95_F zEg1~^u@p#)8q8Anv;UV1Aj|lOx#|Zg)hwJp#5xRQjG!D^RUdRL`j$!e>a~QhRaVkj z&&$l25Ywx5k6_cRviyw!GG$1*{CxEu{IT)wj$nIuLB+RBJhaG4)Lj^NL^BCOv}a&I zCictD4DcFWayJX=NK6qp-i>AFH2K-qm_7d?0Y)Zw+&N5@4HYh7E1qE-p z(=xw3SWz@`q_N6=@6nf@>i200QR|W1*NCj6S?iWfJU_^{q#?YiMh&dNT5ev(D+!ms(M8Me+D6#Quh^uowC-N zvWJun-PAc8&=Q9qJP~T}p6%x1K6x$-?MO};6JKoS)>C1mh$g8w0o9wn)$eb_@nH8o{EkTpfpn0##18rHkqux%Tt^S(M@d>HDQf!J_0F zmlUaBI37yxQ&vh@fOXklm>?2OMWjRmP_r%Yje;zzrw)co*UgoDO#ROR3bxalnAt`t~%YPwO%%5{z z#@QHBkq*owpIh`dNW!!qohOKjB*~)idCp?9SURfxg9K`e-UCO5lBu3ZLFzTN=#!2x zzQpA2*xNJ5BAawZnB(aO!E8jyyUzC=+O^+5ORoIfgt~yzOe>tL z`S^Xe(v!|!j&tx%PAR1nCqqxUqu}fLJu995u1pViF-|qknfS{dr6&<4B2(MAO!q4; zC|rai-hCfke1G<^+z9PSg$UBLqB)G-$52535ijZd)~xe6`HjnD^u`Cd1>5C&e3Y2yVKZqw-MF$jr&E@=xtQN_Z0BSB4Kxf$H{Y%9&BdwS z4go{uC)TaFN|Z3~GuPiwC0bg2ik0mv)@;!NYxZJA&ZOazHyMT*Pfl)rRtL*QZo!Tl z5#@VT@5b&n=MH~k5_sT<}!UNaC|6*X`}G!S0k=tXSko5mVjEk!MuX z-4hr$r0K(Wn$yT6uwsa4;mj<^mr-j;>r`T$syv%BP z=x3ri)#<4wZzAFK-*a~W)${4Vs)&pCjSJf~2>6HyCeO!UcSW8sMId^ zC1tIaRVvCy!`)Ghz3p+IDO(=kr_x%l+R(cVU&4NhBBH2iOQ0}~*={!H zC#mau8MXU@EKjK6TWPKDc(WWtdhQxc7SsP}(DvYxZ_C8bV?^lvb&>1Fqw11_hmuxP zp>MP{_c9j0=!h-8Mqb1F-q_~Z?itc9PwNXor%K?QQ*wNg-=1DjHEGg_f`=dI;XIE#TR&Zfa6)HlW4WN zSN_JR*JG56Qif{w?Uv&~ON%IUva}+vlR`@pnlt^clk5M)elaXAu#v|dEfDL8$=pfc 
z(YO|yHgdhavY#XJU_SCY&3j)pU!l)(V~#MHMD0iH6fjAQNaU6Z<&J1n#TNtC<#4|f zW-N+@tlS{L1%afv;Vt%0l!W)=K$Ft#;MZ%oq|$)ijf4Zes3hmk z<~2>Y>BAN?N7S46mvj9s$So?Ky1M<0& zkX1HRdOxYq*kB%Wv*KBoWTh?f`i$hR1N0EV^KlPHEB!%MOtrCu+d%$)^9NUeIke?^_?*)m?CU{QCMVegTW{J5k zj%{jsYreI^$i}S#b<*X|jMi0GWSi@NtZqt@shfPrRgq^3+cRx;L|1hPoA;63a^mG-FYhZ->&A zx+nKQ97#G24$(eOSO45~v3rXir4TjW-Pl$z6;o+w7~d~Aw86;vVSpb0VdUvo-l-N_ z(G~+B4kv#zx@o^^GX{Fs9O_vP?+8GTk90ATIlmR3J{sf5@no_Zog*b)sdHcT7~k+2 z%=X{DAqWcCMD{wIkX2^3;-3{}wG^ARS9zN)PHj;OHl=L|h1FK@ph!)C%HjFv6*njZ z_83syYn{2rYF7I<4h@-|>dkO9Zz@!l0JZvoiRonvCD%FaBZ}mOso?!T7O+M4t1HFA z$G1qQxHlnO9!ygUo}b-hf(ai1Ww*R`3i1rVj@yr`0De|=4t&0QQU~^P#gFKd*IOl(O}<3wXp#dgz}^!QPjAo`^8KhhLz&ZhO_i&<7RoF)5`M&ut6b zZr)J7Ejt!k%~M_}Sfizeh{rv|oF}_kdnvoww5L+Y?J9=%WT9^-;TdVQ1@U1Co;O(c zpVhctz^0qjlTY$uFLHUnpeaAii^$D#C6j21TG`^f0}hIY5l{~~pp3{KF15O~g5Y14!ST*SZ)&otx`7heKM1DVE zZ?#_oD3bY^1@=MZ#fzuUM#8j;-#mEuu;5VhZ)%=AMnUb8n#DR1OLO7UXy1g6RQu)L zTbrS0k6xL}(}NuW8ObH=V%GYMbKIcdk9Cay;@^Kjw~bt*0L27W)_T{1fXQF>W`3F! z`6nqxYHk=1syne2c$c|<;H9zBlRXXS-?APC@ME1S$*+fMWRu-h^ z1Z=p0eQr3i#%^{5+3i03i^z)88&XK=Pke$6hc*>< znf-(p?p)2}?^;Qp_F33>a>yD~eu|9KhCRtxTRvs`TIy*J^sxKPVtc#0Hb#%PGf(fFX%nWFTBIz zTsvG*JXFlnKTVUvAUFAgOiJ;=xx8n z0b!vwC;iVu+ZtP@7uVH917FhZ@ZMndHi)G`NeI!n%$B`mkx5v+woLsdl=TA%m%GC(oWtqJdHMuW=rUgiqzdE#caN-35l;#j1`}p^1Vht%iY3^= zBsNXxsvO63iSNq-C8>VNth=b!i8>I{#HZ#p?uqs5DE{D;2#S-8tIMGN1s@CaS50DtYtj!n{l$JG2N^G6k|?Gm0$k39=S6@biPObRbG z_S!l|kP&r(@E9vu9YVy%7gKP+oJE)T1CAUgH`L)wOl^8nsjvtoOYL69soIuLF{*(x z9)BUla}wOs%#VlE3FEz`V6GHU zNoeN*yczQi@VZr*#q?y0yA60q5hv6mPTA1M->*2{^@+6r3^G!54FFhfndnH3x0m{q zrdXXsvNZb4eSSKY$vKIlJf6Bl!+m#NJOOQmmvX(0Q2P^mu#z=#zUtGF<&pNYf7i>SV4%q%>Y&o!LG{5!3?TB z$8-5GtL``Q6gxyh!obQ@7aQ#wXA4X3?kcT+U{1aJPb(MLAjf0{$2-#nr z3jh`jE}{Pe6DD!v59cH)3D2`bVek{!4Y@FtLza3^GLn18$N)tEeia$U$)L?u_bhcy|X4?X@iz@%nS za9H#hQN~8SC7NvUxcI>9pmW}(H__5z>xrz-w>BXfH}||&-rPxw_DCU^$bWkhu%k^i zdb$kq^1uG$>)CK$MLYN*v%jOXd><6gw&U6@2fGh90GrI~!gqDfWE{o;ha7ESl8hB} zRhUoISo!bsa@=uS-%L97icg6omyU{dUR=^Lc^9{(tSBM3o$rg=hEVsMyC~nWPyGL~ 
zG_8%UF%!Jcbxuf3K8CgBOq^>bjd3>_-raS%`?q}e1|3!tj)XxDK455S*TKe`o3$8e z?=>QNb)Wbll_O5i>+7lT=BDfKeSAqf_+E2e#@9=gvt^Y14)qXQ;>|sV|Fbxv^^OuA zIh<|`-h*)Q)1MO?@HD{2{2@wIB{IKhp9Ph2X!7K!nn#@G5cy*LM2r2R0qR|Ri*mR7 zm~xmE^#uJ97r^j7AL?%C)X+&BJXB zPyo(k&>3hzne|@SS`H5re@mMd3G{>C4R-vA8X2GCrzkmssTO4;32O}O z%MTcllh{v8hFhg4sI0&D@vC?HfY0}bV?;jnCe?Tqrt*;pOweN?7j{!S^-**F^oIfj zXP$xp+!m@Ul)y)CRjKVyj~^{k&j2KXWP8ff+=`>Ir6XxHN?vTKyolad{W@ywyvr_# zFOx}%d*8d!IK5RB)2*t?g`f^ucE z9|(0WZ6rI`hyUVN*r|W%OeO4kwd=)MDRCfcXAgd~T_RFXO?5pbyO55kzm>dnvRlB& zFc(`0{FNh~uSc#RYpvVAA5Ay%Os1v;_UfZ}8lFl@+jSrPflJ(EAi}=Bh+0}%!AN3O zE?I#_ICx()LR_{HB31_x*HOd%7H`GYF~8aqpVaenjBSG6>msHsyP?0}2FwRB%n&oWzmYxJu@RX{LroO&-?=a-f?Zrku>`&H@l0%<#yySU6iu3W}2>De3)e5BxOk zy%<0zSnM81xuLd;T2RPlOx_!9nhD)R%|L4t0pt)Pv6iaH=Gk>~t@vzOmbg^|-rfbc=K<8-Q5>R(`ByB z$$0KcSWkV8go}C}Ok=VcRwVLT4b>SfR&JIK_;^2Yp-GqeohDA*Uu008;+KBGx^Qdg zE~Q=j8=&erQwh0V*^Gd11J6?LOjcox)0fA+UM$ldf*-|+m}!C1ka_#y&CVP1=d}yY zyf?ldR^mCRY{*QUcUtGBxY+Vo(I5@Qa$j*`eR4KgM66YNiJr4-SG$^aTU=+quFOjn zg;mfuZ;Ga%Jgd*Chi+27r95J4l3(oyIvGg&F;J)6&1ZXIEm7MQ&0wDdN~K11 zmWhuWf!TLCCS9oEZVh>cT(-5`H)&43a6+4su@Buy@rixLLBpS(=#=`aS7Py^PFR(4 zk9ZD2OT9Xg@Eh%~NS^}?ns7To}WlBJLqMi&(=QR1Of z?Q_@9z6)UA#mBdc;K5XjO##^`KB<(X-?NoCBr5~ihqHj10%{uSK*yV9au)L(^3@g| z@)>2=hOTd!=@X7Cr)#PBW}ky)bA1+4vIl%QMYoJ$d^I4$O*tOqgVGi8qBu>tm(-{M zfkR;K*|A+8ZGL*?eUluKID|&E?qCLgjUzba-W1v?ds;C;IB9T5r<+~OT|SnG&cYe@ z&_;>P?O>LY7fBF7vi4Q?MkLZFy=`lsxx{DPPtt3=l>U6DoT}?151G9quPKlJexg0? 
zV!*7a7CJTcAu9QWt?22C ziSS&t+W?QX9!Z0{gzuD~!w?#DP20tq z;~C6BCfXmpSWML}Pk ziaT>*Hw2EI+E3hz6zdZx-Nf=eXg~9-{hkip`GK5Ip>9GXyA|FM?Z}7bK2r)%m$`XlGqMSmS9u zIcW9qG2Jz?DqG@_4tBnL3_Hzq&?TCWzt2%-t3Vb4qMa9KJ6ec;R5KC^ST-HusiPCX zK)bN?dd%&*g>*nTp%8l|9FS%tccLa10o5qA!(rVgOI78X>e5OM{JBl9c_BZFnr1W3 zUB`n>u~$Kb2gqZpy>-YL`Ei^8`>t|eZQ zC)S;XnM7i6fv63YZijYA_I=KqAAWF+F@28ku9#>Y2uZm|jQZTBhl#yHTt7KK8!p`E z;ygz8)nNB4l`xjA01DARS<8L(0t|<;nnD7kxDtq%x zXs^a-GYOhlfOEATR}WfRmNEyQdF>ZPO9rHl!Q@5eyq&<%z}82&-PBlRw&#gUb5R`m z(Ee@WpNCIV?pB(XfAY+Jc*3J=x3@h7wEV4|Qg)8@_%EVdqebkW2t40c(2IS8(FWJ; zmD4+Faj%h^i`jdmu85ylzpO_yxD%vH)Vr+uwjuoy+M2;P_G2DNAgY`&^BO0x$;(8Fu=UUih=y)YqquXPJnygi4Hl+l zf7PpPJZ_ytEjUlunX>7@mlvQ*;PAL&jcdUrB7MZazT6^Phr?N@Rc1E=n>CTYJcRYj zZ6Wd|(;X2AereSRc}F&0;+f zPV;-;TjZPibL%B@)#kU1g@>S-${l5tw-4p4Na2jT;o5I)ju9&}ycUuaR3{XesWk(A z$cbCO-?c?ykw5!9kD>Y`5Hd!Ninxm+*Wy9~msO|9-~4`%gRf#C`}beYkv|IA+wPu2 z@!+VNlhv$#TKu}~zrjs8YrkL5d6Efgb}3@{6b{3M**V@Pi+8aVf6YEpDctWA)e_4k z9-w>LeBL7O8YKE@viNajrlL+Y0^J3w=@B>XkGe`*{msd-G|j+KHc+^K7J4Y%{ld5n z&kvPLz?vs|S6gaj^Ue*YYCrgjY8vPIUoHS~oF}!FNV)S$ZIQ^9U#$k`B)ohZ>*?F> zL=%|Ui5Si0{6Sl7`3Tal_F|62vzLEy4oSsT%=*IINcYomyogB{n?)hw_+)|P&pPu~ zb*B|*!1;RWA&d@VZR6eA-t++rAR_C0XWX#&u zoJ<*NQciTt`~8*Y{MYzO{Mh{ykl@wjfo_uuL+qVNveomhMPEK%anTOn(J61zrcRW~ z-A4b|Xb^(PCb?MXGS@}i#lX9?za-4C3SZw0J#bzxQ zW?SnIc!cLE1jCjQooK@~cKT7)oY^h%3ccK3XIr|fB2OrV-tBswA1<~`^z#t{6<4zD zDZyC`?C7Y}C}#8hD(c3mn&xpDH1Me`VFqG%E=ABR1PXhDsYu%bfviLMzuF#tJ6iH&5))0 zIgnlQkz<2aE%LAe)ObP@OJ0zsa4-q2J_J*n(tsqC(?pc;?cVi8;*&Vxv_R{pjww5< z6RtMO=_3w43EL*jbzizXGG-Vdst*yW^IT^B9mX2ZAc{KY(^1CV&!#63B2?S(a7!v| zti|pOPKjDoz)8tK8g5BpZw!@|<(>8&gAD?cU=r!f6=RMOoP_GNJEQC{e?2PwL+6iq zaQ2K~tF(R6Pall$!Axe;?|fW@5H4558Vwua5f5u3Wqo%btlGlCYM(#^W6c+S5=Slb z7YptO)Fv6`q;HiH7Xn!*tOOM?w=NvDWya4>-P#{UCNey1fN|&(g{_Ozau@c#0E@iQ~AIGo${Q{e)lY z{4iTUpF202A^&*A_UFw9RZ!vq9>X8&6*Eh;uhy6O50$G?d!G7e5&68ewx0-txNKqhFoBWhp}{eZ_9R z7z6?V+mMDp8>$eqYs@I`@!w3Z03YRUnUlqb?GQdrO|iI%aW`v+$2M)2+Akf0zYSdr z+Kx6iQ8Kg|^RGYk$>zfu-Y6uSi`VU1tT^tJsaX-8h>dPR7#6)?&$W6aCh2A~M7bSk 
z0Ls~OiA-Il?r)Dzdh5HF`H>_~nPJs~1eraE_Z_+rJ}vY_t(a;(fBb0vR9*t<->vLC zIU>OU+dcT+Uo*f~gKf~QssMofWUwre7@7FRfD?sehf^h@4MWCNAztc&hZqmtC2PtE zJ)L?7%!zb|4i6WsOFQv+6#&mZG?aQZ*6HQfDkUox87YzOMvV=m?Wn)n+O)d0S9o=7 zLhr{Nk%?FX;~g*iTHXl0K>Aqkt9#xH9(G*D=bA?9Z|e6D(i79tw{Yft5;f#hcrbO&{w6HsHODouhec$k4N{& zNt2L9k`>ZFl9FeQmiyvPDKAeR-x|69kff=sr}krIU1uWcyRogJmu`)5lQ{{;Z6G<992_`9fehEp;fRsB}`Fkcz@Hir9DwpGC%?|rx`;D zm~>N9vDsVt+IYDVfiq9_4K|wJ`K;jdhk1{$Qv#ZYLL4ax;~u6^cyWeAfVycSt<9qy zOkTXHK)1LwR7-w1;bzyheepJk6t&@aAS?+Y7w((hP*JFLn(b;`T_NlC$=rI0SJypO zj{TG--^rFn4pmvV>nntKv*eV9w%RQ0Ju`K>j;@dAiRpVi@n;%R!TjQOh0;NqugltU z$Rh_e0b@s$)>cSBGQA_VAj2p=Tj=z|n2JlrjE020N8oVd!Al3|9-?XY&}Y)>9R)(? zecM=ZQsv&9tVU729$F`ne7SjaP3{zTaL#63TrL1|LYqMwAR``zr3Nz+JM-K@kB)br z4$Y_qiE&MwEjdRL5_QCXAI}72B?eF>&wW8?#1lRMFGqd4IcD8~^xSOiH+rq)8pG&z@Wu!}_ zfZRxDD*4N0yO-BT0#8zJuYSRF(Q&|8UcU9U77RS5RubDz-6bp43elVLh6pcW1t$fd z+QuH(A1jWgo)}=*aB;`E(e3gUhp4S7^n+Ktl}RRT@>IRC0m<^*ut%#+p{7QlmLMmZ z%?C+VEoPJy1PZ>m;^}~O8hRlC&T9w*cEHP-iCy;vQNxvJj{dl2n?L@b+SL%NQAmF9KGYmT+X8+8Y&ZkBj*2iO+G| z!FCZ(To4936Q8ePa1-CIH21*;P$$^XQhD#5t78#NSh9rB!y}vZF%ZEs+**x`gd@t2 zc~xGMrxcJQLE{T=oRK+cWr}zLmYj*6*@sf!NQLSuuiy9@UEt^Mk`cAy zzzX$vo);6&?YjWIT>#HFe3LxRhKQz|CsJ?Z*$?XPW!^MnkT=D8*rfY-_isnGj0>xm z)eFOp{)9toXRe0`_4&W(cP`Y)NH73c9nAeqWu@2_Fzpdv8Ir|wg%gU69C)`;IEx8Q zJC+KD>%9E>)#pf)w?mc=6{XBZyRHMMcvMpQjn0h+pSHwoREF|fcBGFg^2dg^Jd@R816}*EwslpE%~IeDQjT zQAz)pcxJP>=73ID$p~$GT46~u5?sFk7vEhiv8qP)Fxr_&SZ=1K%T*+bIT2}fm${}V zUHdba@G<#g=MY(6b+`v{!#sCCwA+fj;1u=a75 zoBRW`gi?)iZp33OSExT@$b3)K;RlS?Oothlx{7K5a{3DnIz ze}+%o7a>@cYq%ow*W+8EFJP$%=3gcj@HUBN8^*b``9ANPOolVVyH ztYXL<#GRWG`7V%AoR3ajSIDn^1yx_MyPTEDowGQs{!Z@2oqtjcWXnNb6H@f?kZK#p zH9xwzBCJb`(y0q!cgZ9#m#zMm{O0nz5`5CkXsLs}(#hd9hYMY9#ROM>IPRt{@gkQd zA%3*Y>h4L!U!(#)7XUxxDRjcHhyq>y6$9zf+S9dgi0Z8s*8jIPM=o zWO^;ObsX=k3w<6&rjWGPH)vvzg(XzfDB}LWy0JCHqQ1mrV1rR@N@?_gHzvKc_&O&P zobBc*2A11v`lhKQfuFM|#T zEOZ-rnbexV5xmda38<#|M}|ik1V108(lG&q3u<|0GMOtz_&2SkCqMrOOWdnO?S=x8 z|2H$KY5ruNoH(sWH@Gi8h8^QfQR=l#Wx&h&-%UD&XmPoJc$h`3r=b6CNpB<1bI7@| 
z?`Xk3>Q%JU4}|lr%wX@j)JnZ5YXZ#Z0>5c@HkQfVaqsCDTP6M7n9GL}U`HW1G zGPK9*vPqshU~6S=c{2L$Pz5!MAMX{$^?v^n86@ZW(mQOt%6JHT9$JF=eZzcA8X#;2lcO8U4w%w5DSj$^?Hg_y)yw8m<`xB7eF z@k?0h{#ZtdjD&lM&e{;|!yLRQKUfK9(QzGnKUBUhLMvMEX!|18TTi3!lYK_^!YFqS z|J3MkH2*l!*+ZHu94L^UY*zwF(@vjj%TKUW_X*0L;lfg*jQZFHWKic;i(<&=01Ymp z$CN&Io)}8%a}ZYw70kXY{HzMpYM2avoxwys`;4hN-7mQ^&A;xw?*-`Rg27+L&$+2? zr^*9JU#~3B#04&+4KAV#`%MGwkL{3cW7I*i3$2W^Dvn$T7YR=0%@Te6k z^7jxK+QXY2pAXQY+&mwNuJHVdz$6^+AidvbaqxWrjWx_lT8%+HEnoN<0lyU%Z$<92 z1OCH5Hfaw>LRrBnN`EbS0?zaZ_F21c! zm^TrhJMM@LW{6g3_nW;HxhhG@fc#@tB^ z3(lqWGXG!7g@CCbV8Lbn9}_qBURRe4?LYP^P<%KuSeT+&MSI+(pad97^WTE|3U=Uf zZY@sW$*+Zue#@nZxb+>Ll^8-t?&Kstwvzw5;mWHIGqusb@~4ls>A8xcOSw7eC*Rx! zz-j55pJ0qJdFdZnzxuvjpQRc3=IP%e2%dNcp)38{oyjDve+a04#ZsKS0s;-)Fvhz} z!d=NoK6f{u*%fOJ>m#-Niw{nI%V7%xjlg|J2e9vQ2Y?8Z^n`G;o<5L13s4H23SZKW z#83jMy{{1e%Z$LHw={+J?S$sD_nylG>3F;UA8T(J6-TqRfkHyC1PKK91b24{AwdEJ zg1ZEl!CiwVXprFU?hFpW-CYNFx4{N(^Sc#B?6brj%%Yq4`2XB|0pqrX-76qBBEV&GS35m{?;uMC!jJcu@sOAS3#I5Im#9Z^PGT}(FWo^mWSNM1<#|;5a z2H^3AzO*atH%Lc2P=@q%+bcfzx^f3o0YYhjW>=jV--8mrRI<2xdnx)*|di775#ja+iuqSBs*!??j?f;|i8Y$0|oG~K*m9Y2lN&vjXf zd%A|TN7xZG5XC{69{*cVuQMksstZ5F3Aib-C-(PWE1hDoevd(JOy!Vne zt(c2iJYregD}|->hxFpxtD^;L7fVCqH=#O}KW4j2HL;B`$TuhUBTdWbZVcz5wC>J< zRC#dXQ|$_%7%|mDWn`=FN!Hn5;H7*UwkwGnO|xY%Y@3!8n`k+7+*E3BnZ@t9_lBw` z-1hX_r3|yK*A0~}BHOFJ%a2cwsP{BF=Td20#C89*yI${gzO4Lq722GdI5W9*PnrwA zF|XY5HMU&OWYZ!vxA?8K>{|%OWJmMz%E0T$dA{q4uqKgXdzkmh`n*R48rAwKsS=Z; z@LTdcx{GCG%XM(b#ZPpDsW$OalQF3ecI8Mk0ElO9MhX2oR_9pg*HNE_eFkVKIKTn3 z1I6b3J{h-IbBV%X+DMVzzv4!&#*D`$!u9XItfzD=JFhn!_ts>)Ep1xt*ct*RCU1_r zk0o@xQu8FG@Ek$ZW`ccdns-F zO@2XtK*p$s&hLU3;&`Sd2Z(F1)#FUm;%1f>y`Wh=+ABk4&JlEcNzHd2FIEP#iQM@9 zV$w)KUU(ElTEb@MpuxepckT6Q=UT!!{Op3BJsc8zbaUQyU{s9E?d~%f8EgaZ>gy=d@4Mplw>GWj1_ehSdmq3T zCcoH+t_VQfmo-LNcx1cY^C|_tto83-3usTe* zkZqSW(8%thOM1Wzmf?0hax%Xp$rY?h{ouKlQxT7}gsw9+|1~&TJ42^}2-PNMpOn4a zqR6arys6)fh}YRU)XF(7I%KW+EX+ZNx!z-I#+ 
z3M*b06)fqJ_P^5|CK7h*+!lD$IU7t*5}MG+0``c{&F=}hDd%V9?c>j6BAGaJ)`3t68a}29O}_WxUSPQV{}g=ml}sWr{N#2HNGN>frRQ?+uew$c&@9*BtokVCmzzmoPic(jZmeh4Rn)35ifi&z-8e$B99x_oHeL?{4N znN8dU!WWh6pShT8@-Z+ncphHNSHO*6kIjA+YpS0fHjp*X?y4$kzI2EX1K`- zB}BNWiY;)*R?KZ{6)i1uCkh$H(9@u8aZ_z6?BTTx;RWoKFcaSmMhhj%8b>m-#c4@P zwi|L=Pk@|OdOz+L$;0aWsia68bPtaNwZBZ`(d7zbe)v`u#vu}hmK4T%^c5sy#ofbf__E*T*Dh3h%m7v4f3yIiuScR1q<(F0#^Z0!k-pMw@T2^Mk(ImRKs7Gl+i_PyFVN1H-A4`X$h9od)FPraIa_{_7bl2QZR`4*JM3q4u703E)t%1G7pi@b_34Fy_309xj!CWI<(pDbx8YQh89o$U*k1gwR03JS!x;N}__69; z?BkbN>ew?8<1ZNzeq^r&or?AP(t?{}Z7f;`#kY7VJQa z4bS}y?nthho$J)pKRfo{WR8Job$T;nEJ(8I&(Ym6p$P3%8Tk#G?<4eW4S2%Jz zq>^mKQin8;8?Jwx&%Buh2C`-=nj?N}2_G=5bNc+T$Q$F4&Qf!BK>m?&wS(z8hZ2|` zU8#bt+ihrKsxWSB;Ju4=m>x_7D&Gq78L1hGK-CC$JN$OCqazFS)Y@ZT73N>W7RVfQ zW>pnDx@SjKn1#CVZwu5&7$K47twzNqVMw=q)`7t^O$+L;r2`t%o;Nq3eLa{tr)3H? zmR%$d7M}K9vtTd;{h%s4`H&yYILq`w=anY6%blvhELoG(rLNW+&_^bK1OrfnNthpx_96^!`!eOuJ7x0ElOH5$m_dM!WN{!={;-l*Rt zId*mceL^EQV0y4`eTwjK>0K|EQaGK#0~2YS_HGfKrQO%W)zPNLfoEjA^Bml>Y8L{c zI2U3|qG+E6OljFck{WihK|x{R;l@KyvXw>#)yj|92@WlB6~XQ;MO&+Y!ZzFpqL?E$ zF<~F-@86}`KM5=XAni*oLthIiZC2+x-kiDTnsR%1w;<#J4X?eX9efO+e3*h%=m;F8 zKE|MPk)4mlGrEQ}KO%dd`!Z9)Gmx!Wn*-l9R6&<;+2_y(J)_2;y-c*OTFiHxaPW;ZU|)w6Br^b)+Db!V#2E)`;Cpt2N>D!DuSXv%r{jA&Y* z*QbT{%wepTk#gtiB9*!o#0~n?<{xZ>pSvVwKlaP8ighInkaJkD+~425t565`=!NVnc71LYR)GdU)7T+)G?D`-Z?6*O69s9m zD~vttKQJYK`V0vmf3~bPPovdHTen0qs{UTX&oQEkO%p5cTkdjy zkYf_v@lxu*kKMbWvgA@7`fQv-AB5F!S`r!eP~Kk(PM^hI^Uuapr;g-gm z*!S&gDDBE4?V8qC0~MTnd~wgt$0W2DA8N`9bcOHHh(bs0>hEvGWXlN{bfxjPzonPi zHV$py9ky9s6V^hGVD2z0rl85fJJ$wRt=})(LpLP2+<&%Gq(YoXOdc!bZjK+P+pI+d z1Kd~MJ~|Xf$g;o~elw9N%<#N-yz7Z+arG~RHpDwFp?N@VzFp&7rsh_@Lv3VUp>!AX z+a-fwep|L@89NdnD9u2{rxvdF*A#L3#E9dGmp^q*_kymq`7$#yO?-%LLP8Y6`r^{< zy7v6QW%sRx3@P*ayMAPK6A$iCYL%|?9NOs^B>Jde8jpV3@k2tDW@%;yHp>bLyY$N@ zLM#?8e!aBp?4fR}KJCqjr8lv%u#ZBZSl3#1;*FF>y6|ao?%-QwTW+^27xwD2EQ{Z1H61S0$Wl*U{3U;xsP% zbR;904LVFLnVntj+O4AQbEyvuRP-bveJrpW$2?0Wr^*qKWZ%x(vs-(m@hf&?ftY@9 
zhT1-rK-#oj-hUxNRsDzHkbNm<{&pxPK2m*>o~lzgl?Z|Mm(PV4^1-<_prN7jc!IWbE zJuK@ZRtxTMJ@ll?uWZ7_hC$G1Xq^&SmE(LXl$G5s+<7Ea*NTj^V-Jo!H!VsO`}0)FtHUMc@!jmruM z(=oH1233Z@8)j8w3yJ~5(=WXB z3!2cxm(w}J+((sDdyyN9y-}M#V`X=C?GGvQ86g4kJWxvFLZ5RZ;b$vu3+fHW?BANl zH8tR652noWF0|F@9{T~5X-5Q>64*w0*YkoaQ{H6_)0}h2$T+w&m|~K)0(5grqT5G|Tr}-xM%hfNpI$EjgAj?TwNM7MdBJ7q>T%7*u|uDI3W(GC z@Hx=7)?+JL%u#X{KnMNPV9;SVu9Z%B7+1^!y{kM!k^kZ-Uz~4b`~U+k5jl_KFqN|{ zJetNezr8?{r)o!0(i_yv!?~r6z}+dFCNgbv$)?Q#NzKy0^+xmdHM%7SC%3YUhseJ5 zv9H)23&jSu3>x3uh=@qlWyK=F&3&S-xn8*+9K)f>ALv8NU9Kd~^qgbaQV)%Sn4oI& zsZ`6OD!$(z<4@O+VU{Day~dLjI453m4lC)Yh)H~8Ktk*3O8Y67E$vd!?k|uf=@ueCQKR;^g045;>y!$QkA-S7^6`@?KJLzLnkeH z=ViP}!DdABVufLKXPdF`)^FL7KXMFVqmJgonGl=1=;eC}xiSTN<`-Bo!t)kG^%oa~ zgjhQA1MW{bo_nL>Lf&uK%j>x#;@PC0zzDnQdug)sV7Xx`h~2|#R_oQ4nz>hCXd=R8 zqe4e+kDJTR3M9kC&JFnRjmTr)j1Gh!VYQ!~#p(g4~Re0k8kKzleG}xR5!k+wzD0$kaFbl&qu9bRI~RGScqb&u3M{6-J9?V`+K_Q)v$!d!&SL z)-PpF>1bFMdY%_TIm1m@Dz|=;>##LIB_hjIqvpe(*GjZyP^3Nn**j#b<%$YEm?O67 z7|wK2aFbhixx#Xdb-KHfrNn_h+@oo=fwNWuSv*duK-E4X*(WXRheyu~9!%sJR8@f+ zg8FaVQfaI`mlx&cxxYzVVph&RkG0q(8<$<$b`IO6X+3%7v?LB|`hLg(E#i*#)xLWV zGpih_T*`k5lDUBVW-MWyt)z7WBc0?$?O@o|CDaSPpgX=C==ndmfk*={eY&2{H1$sOrYt*$i@%p zeBUueS&cbegR%nRQG{IT$6FLS=7RQkVb|nqRccLyRaB0Y&Kxytt1D^{;-AvrCyS+ZGsGQ;K4ix-}#hkCb*MwNtp*fkZJ8L@|wN z!@9C@ro@b2lo*8B4sDaW<=mp~tMC;t@##4cC75U#=`vyg- zH2e-9$LSBZ^HL;bBP`&8|FPu?%*bvSj?ktNeJdrpM&B6eBrpEJ0tXGLc)o zAI0`AJ?@CcUcEv;4}!L&H*bIVv!2=d412QfKd$_A^9-H-ojELlL9ptaBTvm#>44`a+CQi#6=sJg($7`Vw zh_^!|3v;;5+9H*X&?!}!t@fYw);dl>_?LULz`S#sd(`8>Hv8%W_Mo`NRJdxPk>?dJ z?wMDH8K%7cyL!J-+?c}L?#TzNjw2iLc`+Zhk0iJL}Jf~~@c`n;EWD_^FJg3GDebEJ_--(irHmh_?r~2LF z@oKc8Rxek$Hl-KN1y2r1RY3dMh87&igaf$9ztU`jzJy^q0qrak5vp;721BE@2s|D({=vhA{REZo$4Jcn}sd&-vPxT+Ls- z_aDaXi^+{WQ17sdrK>f5Mx#w=d@@dj$bwe&h~X(%c_%h6r?YVh9j@5tK|QWb;krtS zP<@f7SG>8rXpGM7M5xJ6gmGqk)GXQ+!Bcx>bNq)-*d4?(_1s#qK>^21*!{34%bkC! z8O43%bPhOn*P&QmLp~@dtxTNlJAycTI?PRbb0urZ=KZ*Pp3k(iaha;z#F0K-!BZO? 
z^q?XapN%TLb&D;tDKhC$Rsqx54iPOn34z<3!8s`rS6mVteBQdJv=6%yRe^~X zsrpm>A9H!?3LjW0Y`esXOf0n|&4`c< zHc$6*XIO=^MaCv|Lc_C?`=loQqwm8(hJw%K~jmH~`mJ9q?6DMECR+K^p$Z&99ztafNRBBgdBB zSaG%AY;31gbox{*+zDsI1j}M%qZ3V0{sPryAS6ECzEtUyr4*a(Z(_o?+R-!iQlRw? zoskUiwyV{6(~qb+k&fg$I()3R|K%3_M`a|nP`gTMm(4x4hLU(H+N%Y{tSf`>dN#gB zcgm42zsFIDBK3}uNWrjJU0vQ-ZgyMFsyUcV`q)=nQ*JAANI`dyEUm9`?(zbd z7~j%A*Bx7NIA@aVe4Z>dQxQWOdgx~(aZ=f><4ody>=9+%JjU-((mb#D;DAW)#}8y&CXL?AfR{8?^rG>vT?9$R z#l=G-de-$j*W0o@b<1tWl#*!w`Ybji8L<4D_i>BW0X%Y*7Fvk!c69t6bq zzV^?z>sAAao_-ncfa_gfU)x%xI&+MT&Bz(o{AC?lh|5BD{&FHP&YcHMtNMV(mYX34 z)5w3i5mu6TC0jcFTer+C>!iWAFGS5<5K~-!3q-KE%n|Kl&+p8AzQ!w@XWEVa6w+Q{( zy{;AsMbyuIy9R_50a{HC!4T&XlZP+{bvI2qo}NY7kN$i4_^;VQk_?WFcR@LwkP~e$ zNR18xwJ7Gjn#+KevBal9!L1}Z-F2VirLKe)xzb?Ipfbbh$3=b{@S9B@(EXEG!9wvF3t2BJ2& zXhK{$O#j_Bq%>i^9Rc>WVS|HiT46@B9J%wU1YiD& z1#{5=V^DVxQ3&+x4^4yz;#;r@u$~J4!TBRR-WRI4X|X-SRE6IietchUyv2B*;$J1X zt*egeJ*XqVC(^&T6Ws|UIx%W^ zMR<1Ua^fab7vib%kO&B+0c#6RnRm~hk#5&MU@|!CHxE)!9%R-GFghFD`)N?x^QrHQxR6NJ@y5mO z#i2x%C&zH3M1~ti4ATAMcRz&*dRu_m$sRu1J@rmB3k!(?)~LBd*QBw+wx?S%RfOJ! 
zV()u`TDI--j}#uQ)o0;S8moMl7p5!n!nWzlBs8Sn;bPSMbiqVcl<3_y0wd^d^VXkaua8GXnPEtRVi>k^MqOXBrM)ukUVYP5`gU-?MOSk7hz2k#mtXD@j z0AP31vL+-944yW_+bnM(=S^Uiy4-$aC3ASl~wz z#q@5^?jhH~Nqs5Bd>mw4u0?9mqD+9aTKCyJ_D&P)hl`q89sfzSGlkXnMbLS*0XAsB z)R$%wH<6uoHS~A-6=GvhfCYiG zqENyvdM`kMuW-tS^3qO0C@`if`B2zvgLXY9R(wH0W z*v;jbV5^$v!2vV`l6HD>#3Oxx!+Ejnek6}Zgaxw9=aX@zrUVt%EH8XcwT-B;3i>eM z+l}r-hYo_6J1W%n-FxPuWcZ4XZs&YiVKboUty%(C1Wq3oQAm+!s*K6BSo;Y(aRpK){aqn)V?JMmB!)!*OKhlrk5z#+~ITIW&&hCtq zyJ^J~9Ao+jHqzWRiz0`Nh&(2Pp^)b*vuptoZf>ETWKOO~N~$wyp{?$2;bXVM0^frI zZ*Lil_Z>w40!?|jP7u#C%y~bvRS={*2(3{v$YKj#o6 zbPNcbXhhAQ4KPyvwX61sLp;FvNQd5n+Gja&t&;b}Qn{F1OM55dw0lJBps!=zALi<0 zN%q}x=-v9yIbxS-K{Fv4A0nqcosYJD*@zczdo+)8q6!yw{p)HI(|KQl%i_g!(&p~6 z$($wLxEdfQ#MW@4IxnQRmQUHW8MJO~ZcYsRp4{T*p$*aOtD9lgo~XtftgABw!B3~zqjC>b zcuZ^M8iuswhH|oFX{{~cof6)KOW&}pd4cH{S9^W=8|C|2DQ=J3oe?Fz; z6d7xxAyW1|!?*(3pY<`frG-~w8E!={ffece3yq`Iv!w^Ac&bR_*rZ|yw?GX;=)?)8 zo;ZbMapjZ+en$zndqoZtbLvvg4Z^l+K0^}k5hfqsz4;$KfW3ak|LOsl^acR{RjV${ zBJQABXBb&);(xRN1nBIr76#fib#@MvvnFEfEWrgoeQD=k*|Zv-s8&3@<%{$64ZPc$gBTf1fK>|KS9BMzSFH(4s$Z zO^kNeuhxO+IN0qH5RYTu`*IwdK4Ua_*Ta~3t5vluioOG?t`<5`L$R`c1?Ht@#q}?G zozrJ@`m91E3dt(Y@k8!_)XxQA{OD)BrM6Pb<7eqe&d#F+4iR37GYS*!nZ={a5@4!a zL9{+bg5!O?Ovi7+ePBbGyvC3!o4Em*x0*Idmf)3dNkhh|p{Ual+}x8&@5f%DbHy4a zVxp5f&@1z0g8~%Zu{E;N>&uoRcI)ImkXc^5aObxCDGUK|sO`MzmRNHM7-SP%V7lb9 z*?IQf0H@J1SIPtQx~Nu$AYy{xFBU^<&sQH}Vb*@kGYjsdWWB|0Fno2BNPSAc-3CRZ zc!~wp&tXWjw@{J1jlRdv=6gJ$o{#~xt|Pp{S=a|0$Uu4STi3!1Gp`2-IP!75r>we9 zG5qmWH90azVt#Mg+NoA0vP_0Q6~adW3yZuK z`kW~f<=wJ zlLZ|E74t^eL>{OOARR2K=i_2TYJxoXCQ^3=`UhQc{p6t;C!0MaEIRpNW%|Q zk3e5r1EzDNLbG2LD_(JADk7jdnDe9tk;d}}F~Fs1wUh7!y*Wv^S3O^SbFm9~S1|e* znuG)1fn%FpyKQ=mJQZ?YWmLFj&R-i3eo>twSbC)nIPXtcAw-8XL9ja-e854g`w)I9 zKj8%=DXFv_Zv+>_d~RkpD9Al9%JuNSy@QLK^>uAw4DI<{5{TtbdlkomtVkK!3GQtj z?vLI^G4wthqc|w2&}i*0?-G9R&+QdzP^fI3g5tXC@Cx%QuU<`6+#dsxQAeK@=*Zj0 zw}5h`L)x#pEG(nh>(?81Ur0PUpNj8nqmdYK|CR9D#Jlpc(3fi^)LH`nqUICjHjJ!& zK|^=OnnMVX5*0<^BYDu@DT$q$yNFW$Fdh227Ra|Zo_8;|5xbjXDJz6GQ2DdO3Ept` 
zH?F}i>gmrtKnequISb#%5NhRN`GIVVQ|F7b#=np``ah;C{1!tos-Es8@|rc|?PauE zJ3n;scI~B&9eKeRTQ-#!S;Ku}YV{ZfX z6a%Qbj?lVPUz^Myt_O^J+40`fdkU#}%$EciTSzzKQ_7@^c)>Ub8E{9zv{X{Cv zrfLm+e-2#z=AFnIKLka-RM?`KW;)CZl&a_Yg*+ay&^wpC`FfrQVM|b-iAGJr^2C;q z+DUPzqg<^2MklUfQ3TLyb$mj<2yDUd4g0-vRk(`Gv`QObfydRBC^pGA4WGHMJ78A&bzH~GgmYCY?B&a6G zqxuxgH5gtd`)S&Lb$Qf31G$#WMDIt_MhE@@i#Z$v+M!>a7lex;F2){~dfnGO>K#)CEs z-Gq+cI*-=cY~{Wow_g}9C%+aKA3i-wh;HJs3FZl>>)wud?&-iGIfNu}eVKu~e$KLV ze157P5TcukQWmv5!JA3~hz-AjzlBpl!bLjXOzyAsxjHp*A{UH#ttot-w>*fo^LUW~ zd@Z7{m$tlbq~o01F-?`S_3`(oh!KvKkU1tta=^$1zT)579Y3rs_Ukq#8@4vs&Y3>xJ0xv?lOz469sgna`l}eeTUq`5)pwNW4)n;p zK)<3z6I7aQ2AjlDF~(a|?z=ESeb~lv2hsQ_IcgH0hYrBL2lSQ|ZQ1QXQB_1yY_-Lk zy*<93^N{4XzIXpM`m3$`v&+@zAA<0UvX_)|Bwoj=-Tpror23A~`JGK%@kq_;nWtE} zU(9pkg&$@>z8)IYSgN4PY;Ig{PmGzdlGTP@DofKYS)B*^EzE~8EjAGoS+V$=E24Y{z3Nv$h8;wUw&9S+QWAulN7NN$ZMb_p9UuYH`#@-pD*46yU zxqo6aKi9KW0DZfv9lmkKIw~q09o{Yj!TZA zjQ-fKk^vQxV-J#~2gB^$Rm}(Go21eURsO0pyN?m=Q$EN4%fUCfCc-5DrrrfNWW_gPCK1jBVtE? z7RWwrX_AU{jVp(>fxIs^U6j$Bg^9p_|^Eptcp{l0YJy&twkLk&(Q z|3>zP8sqEHJ3<1OA((|P7D(S_CfThRjS`#uW!4vDdiSvo9#B}j2Yd43yB&Aj`zA-= z55p?ML&!mx2o!<<-fNQ+VPYr!1Oxk9pt)Md6TEtrpV0;Jgf6kAxzA`j!($Q=2^?Bt z0c18ahav^D_TOkPjZvGN7^)1-2uU`qljZu$8pB{Jm-j2K{LD};x-Ij5D6piB4%+Od zVe@Wdqe}u6<%g}SKbgb%Yf)=@RSE@DX$Lro9+m@(Uh#_t)V3(Ed_yG`sv+vqa#!`k@AQ#=alj{w5S(l*R$_eLAN_*pO}x1z@q zaQ~(FEidzcS77s{I7Z_@1kw{xd_3Tuedt*|Pj=5;1m8U&O9^<*$v=Lmy9mbda=1vo zOu-W!FA*WgD(9?G6O077bO+y`(%!(tl-SR=#f7{ZLZnqj(ivp%bre64E6HU(FR*>v zkK$`{xmtD7=e-*9H{2iC#51V&4~|~{s`%!~_C1_dpSz7rO-$c$iglR$48EtY?Og6z zt0Q|YU?S+V`a-mB8vovomQmkKBP;0ab9k41mp_$-nt;66)X#EGem7nrzYR6Pw~Ro6 zTv32BCWvyf@~;y0$&b<6IoB)Qm|+H*!YCC3b;n?|xFS^1_$!&;+v8Kg0G9f14((}& zRS|O}hwUs0ddBB;#QOPBKRiWfQ1`KGctH6#Ir0o9IE<_M3!tL;Cw&3D&pM+W{=pl_ zE#v7THZKyCY|Ta@1!EpMT*T8K7m;DlJNC8@kV!FUP0*{hwO_~o z-Ln7uYfK+a&8$qeECWr$U}Ilv<5*iAF=6pRI{A}O6&HF)mdf|>a&;(L`H)h+CwBIk z7oMKncGd{|+od4RZ$XJO}-TdpfBJc0>VuX0Y2j zjQVc^h*f>j#^69H>7S3!W{8#5#*z6VMP9AR8#dY( 
z@c1UYQND|$5f~eG`hkurZ6_D|>@fsow!yVGmMg@7(#wDaL$foE$5nj+%AF(FhYQjL zn)K{f#W69ITWByOqtH%xFll$MA`P}m$4_<^%$E`-RDA0Pwmufu@u2odgCF7x?w!G+eR7Tz#eZ?Pegtkry2if?4iBb48eMJHN&6*h{vYE&1((xpIw4UB4`Mbynfxi;Ut~( zPpCP#-qZleVL?rbC*?M}O5_t8r`?xXbhpOj9XDGB(P1Y5wQ6d`fkZT=5k*>dvgNDc zZvD$H>bj4`JJf0yW88Dzf?kBq00+tq%?FtZ^omLo&74K|M2CV!%x9~El^F#1j9mml z8(-Ix1*FvGWJZEA2>+8W1ymx!K;yxY-d$P64r+^=%)Ge0Z80?L?68nXHQ6Te?s`md z5^`R;lAwoNzb2u1Oo`OTc=wJ}_w}Cr41;%T;(~)fKc5sJ!w?yP_=UwmgUj0OBX^DIx58%}G&Pde0QF zL|hMzTxjnxzyEjl&4@1tCWv^v?|Ez^;bG}nhZkHqeZSpTd$Tf83x8?tDL~p=XaBC~ zDEWIi!buyOG%3}5_*gx=52cd+uBK1~VaDUHLIv#Ae{+iJn;kX_&L0eAA)E+o zNB^q$j1%XUSkJTi1tdpP#xTP@_fLiz-oL`F)d8 zNJqaU!X|(V!YwQ_5=H5F2j~ONDHPKLPdqS>8SH0U8u{W+oscnT{^3jizH|SvpVyWv z$tIOAmu|KU98#=uY%T{JQtzGl<(k4k%RGHDBt_+v$Q)!5JsrKhKTc0w1Vdc}U8;{? z;xZ?iW54*n7xW+a^XCs7+;Pj@QT#~rerY4zkFc;5C+?v{r4Y`uV^5zHYeDfFAF{Pm zm)`pjiBD=zS~q`!?na65lij>D#3ktcvO#ep)m-{^Klh(7|*5em@5N~+F za*e;0IPtbFfk^d_jnckH&W{hzmxX+hW&UZ(Gx*Vo_I+_v5SP#?@6*}M;(w|2zW@J0 z;3McW(kkc4=E7#fGuRz(D^;mw}p3k^PvQO7jdl0z}2#uSh|I#0y%MY$E1ke=kzrOh@&-4 z4cN>E;$B?K_&ua_=Nqu9>DJS-UA;)F#(k!L)c7+(%=wgkTD9-up(aQ<9z*IIa~W}= zzF6k%l=GlJY!So={vq`gluU1YBdR)VzYxpdH&K6IAz#psa!fD*1eW)us2^svz~wG~ zJvuGVC&UdHGWmREtA6HrAto0;!2bcPgGabS0xTZlbN9nh8n-dL)DfFc0}v=IuX%84*w-{awEvlczWHOu_Kjj>T1x2z29_*mIEZ8 zKirpj7s-C0XgulA6QJ0abNP#ZwHU~L^unW6E$k{X0dyZKuJ#rEJhnF7~yYgvo|4kvlhbgBTXc2XUBA)1%RC3 zSgn_v3RpoJZ~rCV4DBC-;t)c34evcKU~I*VAU@HLt8j)iD|9o$a)a&K&RzWHU-aLC9-D0~u={fnb= zrI~U?5R;eNk;RGbb4J06&=*Z1!a zsgD2XYApL$x*kfoaXx-Riy~-ToGRm!cKBHt-R#rlsCu8@Jnv~Bjp9H}XbO<6qOstg zIwaHaf|d0aw25yCU)+K$7^#^WqrU9XO?HP}-sFV8J_eFNES^x4Scr9#afplc7mQ_> ztezXZC@RXOyx)sD{vVGpVX8o`yabE_R)-totBYsMB zfPReJ*QdC*mmGQ*YrlW*$_NV#yE)|vpkuv^ZncgF2FElx<91g~oN%86f^fYM5w3Vd$WyK|z(_?`|Iif0S#@!86Q>(>gxr|~S#(xQnUElMS z1~~#l`NM%exxtH%daYVH>U@?t@0v7LG40t_&pT>gJK?fuNBet|jq;@5aA?26Z&*-QoEi|&nGPJ^& z(9CXov4B2N=o$w&z&8r|F`G6fVIYP2u^hKjV&L2s!IOm0y~V@HJpmb4W1)cmhqAX0 ziz@oshE+raq$QLRrMo+nZUm%D8tIT`0O{_op}V`0?(UY3p=;>*4*v3a-uI91{pVbV 
zYlb=d>{xrP`@YxOjUOgehrBHj%1jR_yZcK=zB=IkkyHr>*<&3nm?jkuIjqg)&6lI3 zH1UYmH4RGiTjFnRqkj$U=B-~8ZCI(hBdD(&j@BSNSn!^KVjHl(#RCDE8=!;aJ#9V! zbWTLAL3zTSld0aup(LZk=rcFqMge*j3DkqY4X*i3I)`1x5`WXV2orswVch{1k{^mC zmn+I=A+E*tJa5$nwd~8KY)tNyC%;yQRFj`W6Ulv$UVQ<_bN}iM@%=FB0KkXpb!C2} z_U39Y70l-j`{TONC8LoKP>b^PfA17Awpf2{T*mo+uzP)9yEhsi!mJM6itI8SKqK6a z4P`%wgJ)j;8T}@xHa&aL7x~heGtM|}I%_~g!hx*zuyxV5;Quu(|H-QgdB?}Pl3%Tv z&I}~r;Jo7b!^=~PHrC2Ka$-6+>N)CjgboQC8Rt#Q{F3Z8vJmlkaX=i%wLN+Hx?&ap zSnRvrZ!LtY3w4J2{hti8jzK4Pur+%6GEgx>j~>V@rw+XuGR*6TWPU_FtL#KU-2gBSHGU(J|URT zIRUO@hi=iqNKD~GA;PwU&=q;ZCb2pD>?zCHw7vz<*A+v8*?WB2mVbdc(AU$>-x-T0 zjFwl!n%bmVFYekeWDvh)fLTN%sCLV{!vDdSfUjHnbSa&3h5Jn0)%9b${1zlZC zr&Cf=emgFpILELGLtX4)X1_}@t65wWt%8OCDzNsY+%8Q?4zh5)YQalo+%V8KqS7#V zm3VxDlx6Nb7DeLl;?HD4PG)-&vTp+Px)KTq%PQV00N4kL)T?G0qpZ0?hk!mWJHXU)BOC3G?a0=1cx!r|?f=*9QpTlIuRfjSc zE#W>KYWz^?o7nrC;tR}F)m<)E2iwuWWNcnBsljLP!pY4EAI$7o6X4;2eN}FT{)yFQ z9H7Wjo05B?m#<{cjDSRJtLjPVIhCIGUfxNIRDN`g;1?pEf6ga^!hdN2 zT!D04(`B{R7lHCdK;C(UeqZlfk+lBB!G%@;kKbPr&l+=0x;K)MR;~E00Rs|kyY>*e z%MHCbpfWQGcDwBj2UFxTLax#xy2#cgqKAX%cc$SkchkYtVY}UDO^Cl*VT4{ zOeym%vNCqA&$O%XYUg^fZmm;5`Xmzz+d#fNown`vsa}t9@dc{wGnr?o+(h^9l1qL8 zsrGwqHr+3-df}17agXNC6*Txh-wiY*r7nQ<_c@fi6xu~l@m3Vt(>O?u8bqqf!z&JF zUr0s|LP%cB5%|(?dSETf$t`zO%V-HV zmpU1dBd;=OMh?L$!8(_yCDZ3#{+m*6ggNiEXix=@yI3qJS?*q4k&*i%$jBj|3CPo} zF8S(`-?PiHs0TyNr_^-{MNI1B=07kjG+x@(rL~yD1hp=fVrD4526vqzCF(oXYV6zn z8H4}TL+vmx{lW)Fa#SNXq<1f@g;v<9+3$to>!ug)y$~nJNyeA6|A>!vM;3ULaXiF@ zY$Q&9?WaGhj>zoz`GK1|iEY)xv%~{tCz*C%mYwU~IR|YCQ95wX2wGxFTu%5^W#jkQ@aNTu4L&YN4z*K=}`vqyYa; zM)=XIuisZ~-UlcOJ#S_M{$kDcQ(HuEo+n33`T*MVXaVS*qxR(&YQeIK^SFecL+}NGba0|g zb(JGXhAsGq&=T!JBK}gX{K?>HjR}qelu~~wyaF1!%6V=G@Z9xpl@Eb>2WvTB7G`_K zv<1Y2_`X!}bveE6a!Lh(G=7ZU2kmi5QM@w4&sA1E_?BR!fH_NCjPsuH6V zEPw7IDq_ccc0e9X+epkMU1X^!Ym=~JiY3}3tN>(;GqNX&i{RS4DT+b$a*))oc<+!$ zJNCSly})pO!s54ymqz|S^2ND6nX^6jDcKADCn^1MmqmtD9!g1xr0#+Etgz{2U##kD0@HSuEeBELd%J`8PC`;TE_4$#@x+c|N-?y*_RccBQn+D}N`-G`q;dH2R{6>L>WN 
zVHi@Qn+epAv6LB-w=2JpALEez(sHzHn?}f>We_^=s;4Pjv8pGRZ>_nlU(yk!SLe3} z_f5B-Z}2TQEwy+9lQ~t;Wj~FfC>k6d@?GTd~CPPjcC`pvlC7`$7Ibrq#4ftV(HzACXS?%&F5qM z>KuM)gtn27z!Mu}L;Y0pLr2c^uPH6MTip_HsUt^$7Of09p742%diXb|{rlptG zJeRVSCw(4{yD6enl=K=NelXP=&RikiK1HD)>SsBu$`!$<+b)=;bUk+s0R%3gvUOOvg%qjWqAB&}js92HV6~@;1T^s3 zp?6xM=(#vgamUFM6&L&3aa>h;;Vh-xqmKa@OlY{ukhTWyJ&B@vJ^SMSDf!zIb0?|} z6DjR7vH6&<#IHpiC}hNM_PTiCwjKSWV153LX0unAdMU@A+&<9(DUPa6E8b*b7}k@&7swh)SH z`}th;hX9xPDP zSFE|^dSx*A@+vi{V;8B6PYrT~#B5)WmrZD<QtsRmBr$h;Mz43 zDZKe>bZl=uMoFKW2b+=7Vwxu`PtA&a^4*6{azX1<} z+4@&qj?v@G%47ybH&L3coiBIA_JIKdg;lIffg&~+(dmpmGvK-F(}bj^pLVqGq&~ct zCKfBEuUPmtU4W0V`EcD{6YAQ*oB$EENamZ4|6x0#yVWG%gax1pj%T#nGVuYI9IFY+ zM91Te+B+KU7cB#o^e1y|#yav+cDKp6vTYX6W>aGN;HH?F#>uP1UUVgjSHwlNwIs$J z{%DM1HB}JqA0VAqE9~)d77AL`=OP~9gl_CuNedySG|*ok70Pi!^}c+LzOYA_fc%;+g`ORYE@aK59$ZwP}!f_HXyIuINHoMTP{$ZYEy3({>~bKq)XMPZgCF+v3s05bhtfm zI9Px*} zc;2V@pf&o zhKFzECcD=T3G_bliXm}{-WS^t$7c6b?r7**m-ilecoG^`U!3|W#PFx_DbF<;QCDa$ zw3{JT?KFoH>=`JP9yKp-*rzBO;LTrT^17oHpL; z0gw+%f0h=_;DU3terAT&vOv~ArGtvsSLi(6O0T@vh@APWQU~j}(n-uu%AJqR=0OVr z8`YZuR3u&^q01-Ne8p)*Zi{$7Kzt-IDUC#+`5RHTuxA!{#XH!K*Wyf&Qy%d$>DlZgq7- z@HL4Kx?c6}zQSN2F~1whVy>`iLyfI1=P{h4tZEa`qcoYZ#bHocgoaa#$we1=r z;Lf*QO2pBQ`CZWWeHU65dGjf&dg9~$*E1q@_ZwC;*mwHV^G5_USa!_q`9i5na=~@K z-s4mS7i2vEY7W`H1@)En^@a$4-HsXP_VAXKyK_g?%Re`8F%P7n0?B3FZ8x4ccU;A7eP36>;NKJRMO@=WHKW@U zHRq{=;GCAAD#<8x{jmlqovUQk_w!zK_~bt5f|>{mtJx!!yk_Rb#SvXm|LB1m(gxBl zRr?%oyS!0do_n*I!*cYi-=9cFU&=lv89&}CaZBSnA3L^f)gbW9)t>D%Ln4p&{;UgQ z3EUYH9&6|rcV8G$Yf~EuAcb3jQhPH!yTFxow{`bFpQl_;Ptq@qdXgyK)tr8kP@52TgF`kpmOx*p7EZ}jlGgVz5TaEbP>VY_XM+8Fh z9*L+u#YuqRk?>BgXpnwJeQp%(`kb|HT(4y~ro<)6f_U^}Rd!TMEWX4W6~{&xu7`x> z;c~ItxxjU2n*r93;f?u2v5YHXr|o#-MA*9JO5M@6@p-k7vHcndXybqGPqo?ApXRY(K%~)<$sj zxlvkp;$#-{&5lPyGKvQj^XA?0ndFkrS=F#W_fOaF6#@xY`k9?mt5z_1B(%r%oqJ1| z$i(FDN|xpsk7Pyb@xt1l(O^P(=(8y-sNx5b2J-R_JLccj z4O~izCFp@gM20(FZi&if28+61Zd>ou8SVK=GpC-MQJ1)MGwnAWTXe*;+kSPdG5<|> zYc7#qHl_77zcHU_Rtbj55J_uKxeBLIRsn8imT}VxD#|&&%iPf0nYd)NRv4^ujX0?P 
zfySw1J5Ljs949B%%g8LbKH#d-k&bTCIUR)D8lw)T${K>Tk4$b>X^URUY*)ZW++{V} zLW~kkMm{W-9^8>TQf=T;c@!}Vz@ z%gqXhCE*mm4?4fkitJfqJZIEBYXigb=pF3(br2?8UC)X7VK6V=eyw{EWH$I1sLYy! zm2EZO5p0Lu=wMiGz{5YJr_Ac(;fQ?Pb^^DNxnf%QJh|lESQJAG-x1Hr$B-uCq0Jgx z9@Xp3vWl69nBEs5%VY#q{X>oR2y<=3#o1r4KS8H3DObOFX0bj{kdBVi1t@&=JRLpS z20z|fjvhYNra(Pxy&hl*oh)tFT!v^dReDCx@}8Fa-wFG4$(l>w(d0hcy7>YFMk-^B zxcsbu`17*zqs^*_y=>O`apey!HoCk~o1;1Tm8C~|_PSwi?x{-qHC+trZO7)jFIAR5 zUanz$w&S~#)5%7FkEZeqhFwuZ9$VCsA$usbN(&z@+_wdu)q2bWc|+_YY>!DxB{<-< z1@}ZT_x`f^Ri`k!P@LL_Nh>Z~7lCn`mjq4PPU~olr#!V5Fv2yD*4NRl3P^vRvxG0X zdvU-Xccx5wm&+$#EQND%rDRz>@)_P)r0{^k;uch#s!+|_?ztAP!09`tFC!x##qYPhUzQDiwRq00K>wz%>gQC5om39uuX=vLT zAdLKdn2l>r0&>AJl*_BQJ`OwiqmuyYd4F1Rno>-=o!CpHx2EshyofP4U?Gyd`dkTd5nx)LY=LXPoUAwc>)9}C7I{m#@97YK2 zQNw}rRxofU)3-H)2n7PcGRbTST8z3KPB0o)OWjjAhLc|#_S?ytZfr`fZK)KEK~7Fz zF_!*h6Z)dB`<-odm#(3H`Ooi%*m_ISUtV2JOip&jP$?!b8%lm%bZ~H(n4j+-=D0)5 zut5$co*V2yV<_j51wmSdHB6poA`sOAV`|e06hattpA`AeuU&8Bk+IIaF&)WiZRIc3 zZjp3!52dcgsfOmjuzBXO#){R!$$lpm$~Bxx2}q}qZr z6B`p}DqLTq?NdA}TARzSU@hFaZhfMhtv5%hKcoY?hDp_>Vw{v>H>hE?#a-nl?IErY z!r#Om;Yu;>p(Q07-dA$Xr3DO3j;jmYhs$y%Wx+W9cNsyfd+7mntpbK%Eb^N;^h1A0bQi*Wvr^a&?w0N=)Ns zJCq=9$}1|>@#grGH86A@pjX891%XAuO_gtgm!n1K4(%IN)DCRTcdk#FGXY|b8d@W; zrn!@4k9eCyaPC6%t97-bLJl+G)WQmas$d#9LtZ|l!z}kd=PySJ$-9P&)A`9}Gc&~f zosFuzJK~0Kv7P(W%aERygOc+K%l#K=`L4gFleG#WpprVC*}mG*Qgjw{evz`rhjyWw zL9*(7UK4~sHsdy6K*S2pKhyTn>dv3v{%$t=Q8pRsX}ZQy6ZS_@EkaG~akUYX(Cxqe`1vA#qLHcsYP5%<^sn@M2U?E>-!hru~fLVG` z5wd5eKN>>IVG5VsGr-XA8V^H=C(}jgmt7zRmM!*I-yN8^zipKlvj%IGp*nsLyeP}a z(5)8&Y&#AyvA`0^o5W7BFzefkAK<~``VG`=w`12?rjP%z4NRDCs2f;~*#2%6y8{Cf z&YVmxAvp+(f&puW$1PoGu)O2Sx|vmvje?B^m zS$;;(rJPyB$d>r0qX zN$oToRUN%@S*?jRKnKeQSwyTMl5~ZN1JNe%v=hdMFscwVaVO6ft%D^qj8LBm1ppy_I1%N|2Bh7jz1Ycnu+OH)2qo#utP_kqsa2=2nJXw5(XnxFa^+80iGcDZRDdA2mEJsat-ib zvE*Crt89c2xCnb3t0s-h?H}2YY{!=LQ8!XMn#Apzd7oensYck^>zv&NS5-c(HV_4G zsmEyWt)kDj3%u3f6!DFug05GXMh{ei#TzelJYoW6S`b_dZ=0AJ(%t#lqhb6pwR*3v zo)a}y7N?3O6P7iDT6_2{Bm=slxFza%Jx4v}q;<_Qj*I}Jwq(8^;4BAGzx@oDS_ 
zr!BT8YS+*qTgPvor*MIi%35!O3MO-zY}SQ4D;Zj^UwAHBHd$~A;zt?)z9TS2ZtXAh z@oSEWe?GcjY%sN71Xm+1JF#&>&~5EJ8Nxyn@}dR`vTwvoe3J}VAXtj|^LeoC^1A?p*?a`E70olV%RB2(&dR5`tRkuAXA|SY zHd+JzBgT)XKWfP}mXc~x6us$Hn6;yYY9qVvgd--%K^m)5&{4}B!S12yg5WtKsw zH}mc)KQEjX*Dh006V6UaFg)a6(Hhl(Zs;UbJqFC$n6C2NOO1P5<rYu^Z3{Y3!HSY6zZMT$Fl!3;wq)lNK(nN_; zs%gFema4};B=1p)GS|M7(PWW03wdT)nbMXYp`##7Us{m8+f>+Gil0xySrXb(M>ZeR zE9mn(boN8=qg#}!*&xhhY)H}+6U=1~CsSszGTW(0Q>d-E4(36S%4|GZlxwf8Y4nd> zs4KShre>5?qn^jx)4D`RZD7Tbt+?-t=~*nBZ?=1PQgc9U~) zz>%l1+tHdeEUHqzcE-y&HKye~W(|(%64A=55z)CZ!?1s80n|jpAW1x`BSDnD*jxUT z(tf*n)Sf&PfIB)`%XKK>^J_H9MPSXE3#(Oy| z|K93P?)RWQLpdRieYkUa@!9Z~69VOjWW7ilHIW~Wg|$D9K;RZ-l`R^D%^Pim`wLyZ z1C$6)X}K6QVsU{$w3bBT86!Z4L{#-(dlGuy4!#u&Gmfm2$0oWXuK!DpFqriockL61 zU`b%at13;G#Dz$qDGu&pa}PK=>&&*R&!U9$i0b?9k5nY{8TU-?nye-e5z#@qHteW= zl1|^=H7~I`>ZTs5I)0SF_I{Vh=3C+$`BtPb2m7!+#&)uMJmDFam6M!w&M<1$oLNY! zYVtB>cw@ch0~aHJTcdo+CP1XwxNGD;U@D~d68S|`d=qpv4;kR`G8T|b>dWjSDjp$~ z;c$JQLD?;}H~6$I{pJaicSPJsIqseIBNs-z#RPB8Zazo3s3vn}t5PZ0PyIco&Bd(0)b1PRuy9?qt`N<1u0USC^o#)Zq}-T# zWws#fvr@1GI6HWNl%?T)Fv~nnr=+o0cL>+Jl9KzH4O$}+j!E{Qwh@bAsZKp=Mt4Q6 zH({A?80GWQDPLNLnt~L-=+XmvWVilpOr`wE2ITV_H7Lovltig+OAOuaOc;&MPUIB}Z$(eXWeLz=7GY;bm+@3#iQk>Z zjzVZIi7tOt^ya_x==k~(PQAiovUiWjL{1li)a(5qK^ug8S(O2^mqAq2{8YLv_H|SG zBVhfIwC+Yw?T&;3eR4;aG07j?wJk5e{TBrW2#G$3KDwlVWsx5nIrTPr_4n)dK~t0W zO({93aPMNb{v3=x4{Bj~%d0oGO(4nS9wq~J?Ch61(EX^9DiKdrd?g-si_Svz`v&~8 z7w#}&1*H0v~t4Z%&l^}XJ%kVrQ-I6#}oJA{0c^U+mJxrna}?1!taQO!~hw>!jfZU z7Yn(_X{x#6TM*`;3J-NLC4(1RR`rys1yRG>)3_lx*6I|rRc~YJuVOuyIz0+s0&QJO zLXL#<@I3Q>ku!VO*Wrg5_Z*1p&BT?d`cG>KB+l zn;smLgI@DK zYUU{i#j`AKNZu1L8E(SYmt1`vzd6wWF=A^biEoLob7obt-8~}Yu*=b5EB~>8hbByc zr~;A3bUKE0cnS^Q%<^nE$Pb7OQ>Is@PLC-Z&Y(>O)M1Y^=4WrC(DqB8B`Fk_B*Gma z?Du(LFI>h8Ot!Eldb3lLNzp}GZVNCqs0Y>Roma*0QWhP&_#372W z_=Svy&=5zBX4j)f6u=n?twbC3tZ-f$99c2y1139~ntcdgz_N z8Wfz0f5ZrY)??v=j!c*MiZ@CSn-wmHB#(O`mbTlAH#4O)_k$IvX)YUeZ)ZIumBerj zWxy4W-k)ObD`IUpK;Fc$N3ZWcQ;aGs5%~3={^svdA{si~IM;2Bb346?Sa!+nz3vGt 
zQYD0pgs10kFvqG(@G1)QzxXWkj5Iy0`c&n1M5n*`gOak2SAAetCRy-^v~8_~zSl9r zbbGOxIO-JmV;8rq%C;0ZJ-KV2?PzQM_0hR)__;Jgh2tyEb)$N&?a7Hy_jCUJ0iAx{ zRlqfr7bvQyX;cW;Ese4bBkm1g)yXRHn*i*Un6~byL=9=$vE4-I%Y&VVjGLilXc75O zgxqMQhGojIN+(~8=V6)?>x@fq_hbu}-_>tE>}XOU5ZW2nZ&#MbZaNc!vM6tF=xI00 zPF0##LevD%6vh@z%*I2ne$;$N+)W-_XeMavZ?gd6r|adO-ZWr4g6w3O(&bF;gjM(V zwTuvEcLQq4p07z`;LnRT7qNXB@|FkQBV6j6&rd%j^t&O|<^ZQNQ)Jb|++&JSiD+^4 zEb!X4T>bDMJDXBS@@sGac9x#cJ1&?Ualcj;l_WFY6_cr&H{KaX%`?iS;$@hghkzs3 zs-U1_^~N66edX5}oKH+q&;4VSo%#I(1?|l=vFd|6GO<1MOx}?JWx=DR1xN6;|04Ot z_^jivP93)q;--<4N2cWS9f2lplMT!*Fu@uab%w{|vE)#npT}xrU{>d)LqxPOlU1W| zan{e7d&Gw!sR=3BnvHf>4*XSXGM$U5hMYw~q(0+HUXsj7yO|)8KV^V?Bm9A_8r44^%`b-%;<(ijqSO zdm0ih4kP23F#t=WVvk=pKPF=HJ7Ka?pB0NjR6e+263K7g&H#dJ$f zwQjMgy*2ESW@8IdbA+*0wSL53e6IyY%U?>WFO8~9s8NKz%h6y|sTW;zX>rWKoy06j zmP7V5oo&lGQ$t=;>FX{<{-T6|A^5V_vTkyAcIUog@$h2)aIR+7QHFS-tdYLNV*8w zJpTC?d-20~rQ59N6wlO#9nCwMNjtMo_YWH@{X3Hiz08 z0iuPKpS~ia%Nr~hf7H}vRZvlRrTX5jqpYX29Q1Ce`b}tM81#OgtfpGvF5SrA*>hb6 z(5j$38PeLLs9H_paHf@m1je95PmoB$Deuq2qr3C7i8$jP#VH$!MY()+y|J6GIvQlPl~{B*Q4kXGaksm|Y{HqyLk^5IAKFVi*!FItTnT#k=T>hJG4KG$gEp{L z()Wqi)1y>7-!A+_n^i>?NLQLzT1x*6m6)I4qSkJE=s9q*v0hg_m9rS8TptljnYya&Lg_M)AWB2q&w%1PX@3z1_bty92f?1@D8ac z_rGK#n;v>Dqni`oo%xFiV*qo~_FMx*O8RQxrhHzmQYb`sWHU_T%zWxB+6|vcR47F7 z&1VauQ!~6SUWLE(qh9vAqW&Bkq4$yKde^?!+EdmAat~#73Qq2|=h?Cm4KgZqoVNv% z#uDCZ8M3Sd5dZ@6N}gPJG$}96s-8cv>cdEZz*)NBn~8s_Hc+UG7%}>{S?JGy&>8-4VJa0U(pOcJr}rrP zON|C#$N|7-2wP)bvP0ADLRe}<1Umn1W&9nvZy~avVEN*q54x9@7M1uu?7FbVj1GW? 
zvS=%o^cA+5a%y4}G}x`;!#fZ?qmi8MRA1eYu}gO*y?mQBo>S(^Ic=|7--$=i+ZUA( zz!duupt`sQ2t{SHZHD`(H@3A)6$r^VyP>ZHLvR2|n?0jlebztF=#M5*nwWZT6cIkn zBR*fJSlOg?-AQniXmhhRVxnnGWXJy#rwQO)5puuGz9|BD?revPF`-7yg$BxZaaAr+ zTno=7w(0%a{!$Df(>*>G8jEgoGl`6o^ml{J3PwsXRUZcgAAvgyMt!v`5Y|+M1u#$x zkG4BXJYt$$W(Vu8Z{zHZnG&d{>%GIuo&oj0mBfD4(9OoS+SNu17M!P4<285vC>|_3 z8r8E+@eZvF;Z;=`2@+<>j{iO!H7?ar=NK=*w?tB(*f9efO5w@dBO3SGMn)QN6RqpL zPw3e%i4F=n0Xp>WyZ|<{WIvu~Bwb(aP`*?y9?soOfv*EOPRHY0+%60m!H2pQif+ZW#H%_EkgK~&|+iMY-Q%w)6k_sGRO z!rrqARsary2tj*-WH9>KxHe~BNWimxGr*ET@FO+i9G8SQ z6nJac-n9eK#Foy*GX*N3l~j(t0QLpas2)xlCXLCyGI&M3Aj>=Ug@ET8$+wl$Uhpir zlph8{xEB0M*gV5U{|(s#@8=c)U~T$Cb-Bv}95Gf*WbW)7tM9{F>TvI-i@M|*17UXS zn6RBqm1g&Snw`55*wrPxbGA`!&M2Atist%cuzZ}c3#rhpl12wRNMYd9O{8Fko#iKA z>_J773U%vTt0qv1teJ2jfZ5tp?cpr#bd$4?2?TvIoV&;jgc`=dG;b$JM$t*5#d+Ivjq#>XvO zeV_JrG!+JG==iol;zKf>xSaqsM^;WcPfq4SIk44*3u zP0EVoF_CYBHUGQUU$AE_5_xMw46O$+WW=q!>om+01B@o7WPIkG& z0HN8exQs5Fnk6~Wg{tiPNH=bQbi#?JY-9qdHjm6YU6uRLmU%^9tw`3*FPO+r$#V+v zU5oZp=aEPy(@@EshEPd<$ry&o{%v&TcjhmT{P;m7Ne1Bl4?rFBw5db71VXZtx0K7q z?dDSLva<}5xUO|7s`Td{z0b^2uHe>VE-LafadZ!l9xw}? zz2%(kFbUIoGbJ$EuiP5iP@>6ipe+wC+X0l2oaR^mIBubv$ycW+0UaReY@c5d306D;4ae*b! 
zPu5#G?BDt^tFdSmL;9FcAd!#-wfs)4PEZjL9JKL!1N8ZDPbsqd)mVpF@NwQlKeD+r z%7u9;F?fff3;mi{k>avR_IPWM;Nh6%WYyS-`zY)~_#fp=x`u#PR%EA9m8uOaGBgOd zodYQI!pA>ppPZWHoISfhovao^N~w6SM1V+QD+*34+@vcDjQ=2F7?sEyzvMhEETGiy za;93@qNb4`xc0^BTr81^V&{9s^N}d~_O98{2GK+&#Ub{bfJ^?X@6`DQhNACJ&k2rq zC9%j8CA6dA!nhKvAJi@o+mw;xaD1h~=idVH+v9Ql_mPSIvsl(ev280LUM;X`H)Pg| zY-qTDtKNA=*)2n4p47*^NrtBmLBoWTz(Y~8EeM*%;7K^u#UAZKF%l4+rD*tRp@;jc z3h=NlFS$Gp9C$zuJPwDKT9d~_wR7&Ud9JwoeY9uAkB=?I?k6j{!QDcD^#>%+7xJ$x zRjcDFf6^5*j0(RCJiY8xj{3q6-#!{l_Ll+v#|1BRcf)gO%*)n$>(Zu=QJ22-^n z3W|udH+3*{Q%naRQ_6!AHfnAvwRx>#`Z;+4bABrB_3zU%)T#oyNDr<{EO%xoj&We~ z@$u0W$a4ywSH3QObyunpU^B&j;2R&m{=7j4 zu2qJJM(f)OaCfrCuF3`uj@agjwo=&W;fm`D2u#;p>%=@Lx#nF1 z#UhIAbOn?f#ofChG#~w;&E50$zTN!m=Ks;BY+U)N5*$NDRU~(o16pCji)s%KuFiL5 zk3S8_;zSGcrI};(;;t!WI5MZVD-4<;QyTY7X5U0 zNQ7~pV?3+V4#_%au_uZzE1TQ9KR}A)gN5rh2{f<_jjlY=@x3eRT4&h~48#WXe{_j8 z+{$ZH;k9t<>s@&awGdRn&*Tmoe~Z+O%V{fto;A^1S3q9i3b?(S*?yT|O{F{E3a|Yn zvl(Ds`4(?a_+9t#p|}*#do1J5#Udil5dP6q!9eS!GaxAyR+qx36*pN+_+(RC=0kz0 z_={Q@Q0|O}ai-o)`6@Qzy4!qNE;~Am8!n)|+cf0gr(V}p2b4SdrRRrHkun^G(`YM$ z&^G5gYkwxw1SHh)uhtejphog2BojQ5tm6Ofj8C(GtjXn}HM!v6-DulY2*L*oQF5qs z!l2_(0Ky-uR+R%yl?HoykG4P1XCoGAsmMQcRqly4)`sHePwQNNII}02s9(!i5X$kY zZP`7*Ln__K({5wcyF`1B0U1w1Imd65s<}(kLdzyx6WH5;BE4R9RaizAxelvY6#>_-#D?%Pq4JUF`cSU66=VSN^f$;g%tB6Wv}2ojO4QZQnN?o)Ha;;NG8s={VZ1%S^=4#H;Q}%T1a69>4k8 zUxtk<(^)XP{72>R*N{Gq6@eh0)ska-M`iw{k>w zaoxz_)?|)EBfvUbk#iD8J^pd}$cWhK%%6fcj9@=L^fSc~5VSm=7^=rL3;=>4=U<_} zVvwZi*0by*V80ENRraKw$r`=0s=QN6bp78A_tiXT{7!uI!3S^f$$Eo806McQ3tkS> zas|y^H2L!g{~hLkU1mS4sNg>PZ+ncvw61qntn(yRc>SD!-_~a`Pwr0By_e9DamRJF zDGcL3;}#J4`Jal7ffd(4;>S@n{&)=!7@~jp2SoCJJwY%4e<)(4;YlbGP|N);7pOdp(QO4E$#8nf@YRKA2-!Ty;*0G ztUzJrCGnb&^T5%oe)4O9!Qz!}(?{Cq6nrQ>Z<({Iyw2cq8@E~K7GYBcg8NPz_Ox$0 zKt>3b!VFh4NvI^iAzK(LwLo(KZYxLYZX7_KBT$TgybtpR^9FOx+7s3n(VF#YPJ=-D zn6o}5q~6!g&Z_=A5evm_guEI!KHc`R1ILn78ObaW?ME zlk2s5GOD~l_4csgkHG53(B6auC=GRV9coOJ!pW=Gb!M#BsmnHyKj%N zH93{vyX3q~K4SK(p&C!PgESD-ebe(d0so*e`tI1AFCY?NzZ7xgagfw8BdD?pyjGr* 
zI%(XL#O!swDY!P#?Q%_4dCNh**n@`r#T}BzY`^{bOd9}(wx@ARS3HGEW2c#I?1aBI z)lnh%~d?SZ>jA8b8ZS%9qa(K40c}Zq~|JB`6WO8!t zz&_lZKC*_SZmIfaC+sQL;-WBkFS8Wu6 zXyz{ubAxlrzS8D_*B#44VpPcDU!!NEUN*VWRsM4VkOE z6DNnZh5m$zLW!I3B#+zL!sE3yrPlmZI9;!b&mZ6r9=)eW`33=LN6zE#=bh{tb>`bv zkGH+|w<=q+JWIM1|DeUMFK^ymE^aH{khK2a%o=&oVv{7VZkkd+;Ote}4T&_q@%3#cPpgF=;h z5l>Z&O4g9NL?Q?gT;GTE=F{3O0y2;_Jeh@7A=^bJl}jgcv(kO#*@E3)VNzW;0YX~P zVi)=_JAneTWI)}~SaQs5SvLzsSxn&#o*&CiBfIAfJD#Z>sR#9JL8`7WgdV6iu10F7 zZ+rSJ*)2_W#*NBn?5{20gp%K{v((BdPTS}U*!E2I7i!v*YTJmoj*)FmT|o>sULAwu zXKQ~RgRxuhTC(1z*V$dowDC$J-2RAu)Sq>N+%-C-S`?+KfS`?fGQts*~AQ}_Qz*;@d`)pTp4g9mql3?3xGg9Nvb5G=U66C}91LxKf& z5;VB$;O_43?hb?eoA-R*cTU}V>el_cirH1e%%0udt9z~WtY@vZsB=oa`TezaMsVHX zXV(R>L!LH?a$cB~g7>@MT*Q)qclCxYnG)bG$mAc3gd|-7IWRV-0L6nrod~^;1QzV6 zXz1%0oZ1Hq2nUcucw=0Xi*O@XKMhM#rS`5u-#vZJS7zW^;m8HxSCr7I-uyNTof=%2 zcP+|`wPJc&A8w2OTLQgSEVBX%yBaqj*as4H@X{|WFM2Nm3)otfelo$QV92n~DNs~= zK_#&~`+!`Fv(k!AW8w8Lt(Xl9Q%B z$Kpa9K(ph@7OtAFMMGA=1JIF<1WHRNqu%?hx*P3CXdxlK$2F7Vo3bvY{H2s1HjfAU z4Ks~b6Eulgh2`AO!)5x_?fqL3)rEbIi^2aOHCeRLfDQV$mo^y>1(WRjy@tw>ZcQGz zM@Wp4r<=v?(p@{`&*@fz?)dE)ISjYcV7GT|EnkA?{Qf;$dG%FGYD;Y`dDdE1B#4i5 zYHEgQ`j_Z`X~b8_Sscr)GHrMhg*4w9=IZ{Sj#tZ*jf9(y&_4Pf=-3sNDU)2q0<;K0 z!Zab@LySlI%&$d5`bO@tpA>IaVzKtX66YA&-zEN%U9%#%|0%7|0)ij`pUz@J!pSim zwU^0@+!eil)ODY6nD+qCfOwMdsAOzTu*jwuv1d2TbVFexim9G1dz>1tdi5U4PcU`I z_?rBYuRS2UWHjxr!x472fCiiz_Xx!;~1nc zV;_W3M}G<@h2gi!006izKd7e0Bd%d$#VV&AJ2o_g!uHnWP1jphHU0j0=iW@5IPO?_ ze+Sqp=FwTtPgCA0w-MT=|Kttxl}6^W>#Y||AD0}^M{#kIl_sQ`pJb7y5SQ%VYY=wf zFXQUIkW^;Y`D}HZcgn+|j+@m?2eR0zulI?|w{6KMwE5;e8Qm0)iMpiPv!wCKXSVYG@2IJO*5bUq4$g zcpq{9R396v3Lm3W%k}#>jO1!9WNa^`^C|<+*ymybD6Igam8FrPm6w7<_x5L;S{ZM~ zQCHo)Wpt8JH#B2A(?jQRU@n~m6H^Isv zFR-9x()m}1SOqC2Bv01p7jqKm51zoWO9(H5A{vM1ayYe!G2fqJ74M|=MC6iAKmVHN z;)ZNRjeaq+#%!s-E>e>9Cx-k#bNSW}+K5L#JVWNpjwly4-CluHcmp$gg=?;cW3krw zdjR%*%be)Ly)Le2Br*d=0Jm-$8M zCoClr^uHoTMiPKaN#{oTXSGc*({y+-HJak@i}PKBpW)<@5*C=8g4&DH2GwuF*0Vk; z7nBE!dxmAR(Ma3YNX;Lz&X{gyF)80a&B?YnFNoK$haTusSgo@=`Lp8fT#bcR8#W%h 
z?X_*!MZjXso>6dJF&pY$G<>LL*@Jp%m_PT4oXq^%Y5t%AP+DeaxbkFa__|#(Y_$3I zJqI7F-Lzen*~d+S^#vw2jD_mL=f@-CQF7=%Nwp7W2-oyjJPKUTmmO7(Mq4`3^74~K z`|#d(n{OWp)9T&y-C}*~1EPtRR*%-(Ka^Av>4u(nsf`Irc4F8DiOo2x={NlE%#2m! zQZz5d%Mwu<2kF*`Vlr>P*1Y{87`jzRimwv;x-Gd}*Ic^qoz06d{xAHMC9%9yO7q{L zgA~U{K^sYIe8+IrG?t1Eecr{f=@uE|g8j#)sOC+O9YHiLY@f6^qn(pZ5pq;lM5_-QQhjcQnOpbDYDuDq%Mm-1wAT9%y)#nT zyfCLTcJzWV|FVSMlQxH!mzLE`Zzu;qsSU^^oOc8$E=be3!cn$dp36VKX{gEB7VBV# zT75*KbR-2f)->vZ%gK>yq^~;0vYYUXXR33G#Z4w)O@CBHPET;TmSgi}2=v%CvFMQo z8y3Ht?;cyJc~M~aZgt68vjMqo#jsK59#<)4*Wg2PXJ*}370+e#tAuYqe(D{hsj^v= z{-mZuJG{7X<+lmDf9KSUaZ&Ld6JWha!vH1OJ#@s6`AaWes4w2j=(iGDP&uu!ueO25 z;k~xYLcx2A<#>oq?r=a5P%=((xnH3y&Zw+2UgD##dK$Uj4&yTO2)GpvjYP$Qy=oIn z*HBAABPHMSLWRV$vcw|_^NRvK*e0K=8tv=C`9}_JgZ^Gr8_lCXnHOu$BvwpV|ILWm zsFXLqm{ib5SXQx#lt@vemxsBRs=KoguMS&t>siF@S4*S!T+LWRr}-Zg7;}lr{|gF? z-LLzTEW(tkY}Xd=7%}7Md?P(8PJjHtg9l4}i!4CbdYn5ysF2j`sz-|vBLW*7XPESO z3ah@~$dSolqH8!6@!Sg^{X?03#=c%*4k%W_}9T%xXyp_4}{u|865w|koH6h6^Q?312tzVYEhe5QS@ z3ZHGjxK4wv&XsH9l7<)&g{!LP;?2xf7vyN`A@a@zQwRbqz zjnQZi(!sF7b54)IuyB{SZ z&=SK~fOofFgY0>ErM-IkI^&|JguT&waQoqIqy%HWPVA0O{5H@3YBKOG-Zo=?Q8S)Rbh|wB zpupW#M9HGsVU?WrT^T@$=O!DMHIPsBDj~P>hT~CYnY_#3h055~OS|9`P=r6;n(XRoH?oTYE>z>eB0NW?n~PTM1+xb zq&dA+o#KaSf7H^9aUpZJ-8mM5`jw?Mm&39xGjsw6vS(&OeRLT;&K5Dh%^v^OVLQgA zaz(1x8k()rpu;%=qI^H*a+TnzrJL^AQX%=cbaQ2~2@y+oN;}wLvy=UeWQp^0omD4m zCNaNN`8^Q%a`t5415!|6!ZlzIn$0tt__1th6^a12#5&j5J-HH1^MRl9ZKjcNv{p=3 zlWAKcWlqNJ6mq3D)Yg5qST#%cC9TJ#+{=Ic-Ty^#mnm0&@JU|nFQV1I%qvG`l)9>j z{RRbS9$rOb!ZUR7YC~|~eCG}MivDk-H=5!rLkc#7>LIn7FQT6S;k zmc6A1D)oV<6iPwCASx;Mjm*X~jC0ShWrMcV(ixZIR9m~s5PSlnKr-P5(@R1_MWwyn zHJ@j8j3a8W`yW>%Zl2b{0eA1GT&j1%<|x<1$P#T|n1W(4Efu-~Ys}7K@X_0)mZW+9 zka`^{zXtLZ&H}BFU(ElXfi+k%GCWreN zQzr}20~{Zahy1^kWT|VK80tnR{f>;nLeo(d5Oaa)ZF=_>APmo#r2@%UMFu|#Q|J3C z6F&ecINwQSyDQX#>@5GG(8O7m8V^q1TG6sl=kLp6EBHDw-#-SQedXnMbAY|Z-}k=* zXftG1PGG)&ilEdHTLVB>*97>iZk~Z}=>j+pAT>9SSP6TUv2F7W+M8=WASH{W;nB@P%HvX& z<*_;cEX!Ie6MVZi^uhGIV7LaVn<#pqqJvd&ugi^`df=tj^XYB 
zo4(P9jr-K5uB~0@@Y4?T{>qcoRj2S#+y4Fnd9#}R>yqi(74hY&*UI5ZHQ~1+SNrle z_wVpuiUt5VdX(Pj2$fH$U?9;9eO-!ly?bIRCq7Kb*Q+@R&CV0d?Ia z&UW9POMZeMYFS|FjL(M#bq+nBVj{im(^2!>Um?RlNVoGm{gD#Tk7Oj_KMT$HVs#AZ z+U<$Wxbm{Nk{GYACuucc+`INNbtZ1+tbA~NGYK$1zy42NO7^# zo~%XuAsax6gO*5dA~t@qOj`f&w!e4D++OLlnh;>nyS@%MTfn)ZJXalpfF0^pD!)14Z_U+ z&8C@Z`LNaYQZRQR(!J6+M>PnBt*XR zOYeT7C1kb4-FkcA!qdZ0lD^jaVw)n;NV-bxVjIX>BV*692FAUw+W6wS%}%wwh%3^A zgrbke*1!JJ5i_rW8O@n69c)}>Ky~{(2Z5H+5A$1J>UPqLc1C>(OD1J(&mBwRq+*jz zPa@TBK=O|;atiCQXH8mSpN|q}+mHyjs;3ZShajfgwz_zT&^c@z^57aL$Rs93g^Q(s z|GYhT90t$!9kxn}zK<|mQq&Rw##hi=$hGrVAf(u+?0+f9y9|>fN%y zIe$@yC8Gqs5mS`%BcdBl?t#1(6BEOe{=G7XY?8|D?hN_Jfz4Vc#t}$U^a=^I1e(aC z3yLnrOJp-fx3gFP@!)0k-AgcBOJfw@Ic*cm_F^M)rj_=6v@4dF&r5Z) zoPW38J4TRw6gNFlRoY)ru|q>yJ70^=ITr1!g_reb(E@NohB|j=9fxlt?LzR3MV`5A%8jQOnkH=410wE#>g-IycZb*0~w#7TU>c+4dk&j#OoY z_{pOI$4{}phO6E)(0XCaIO!DqatU$ylM;GQ_M`tp_t#-#@ zQc=poFMRI`Z#mb9I92@zQEj@l$cQ4eY{A#cUFpa)nX(n}KwfXb#Ci0K&sgHCv&>yn z@6Zrc8jjF-v^(yYO^PJOp`w0foU$A__d(+Q4Jp=+)M;4FVpH9q;=umqu(uW<`GA&m z?EkdzTDG@8Z%#^HJxGl>EV8`bzU}IH3`ru2XmPPAssN@T5txSE+iXm4{;}{jK7UaA zX=}TU#|6@j;qu1EG;3tJgzuGrT-+q0YoZ9u2~I(x<(j0b8z{-Bq-Pa$!XCCHzAWc3 zp_^i@S3_Q}>vMCZf}}|1!LZU^QvDJz<<$GN7imPw#gYP!l`#-Ce)F^r% zpU%-@k+)c3?Mz~Lwf~}Hw86s=e)f?Fm_?!C-u#oiA(0R}=8!!d)Sfk$Wr&w0^IK2p6U}cDa#q}+ETPl2S(gUlTy@Y?A6_h zuZ!d+@>^QM0(+$k@^3pfz@R9H@{^oT&53y38%SD=Raw`nQMSX!-0*+l4UlFZFR+gS zw>L;evi$I&pkHHiFIFWlEKcW%H$RWkY(mUc!urpn%J60-*I!;NfARQJ;IRX1W2%P* z=il18N}>Qxdx}T=H z{hMRB@~N_PrFBUDAQBE~Mj-Hk_XwiiW38v#uyeIrgZz6BYg%9_q6pbun?9=kY{GVL zLy*S4Zwr*sHJbm22MG?!RW-kY|l`BScA&egSkLwZ|dRv6Fxu%7ia zO7fRCT;bx~p;VvPHvp&8#CQ5U(q=g%i?QsB*E^T5&ME#DX$R=+Tq(G{%`yFo(t2Zg zqya7hL~6JCNUT@QgIj2ea`NGhIpO+fc?QZ|_Z=g>7BaMpe>BvO(* z8ACs9<}8qw6q;&HHK6gsUnbqq;Y9WRhH?*F!Ur#22Gm8V+NpnsRGHz0pQqn;k!-*1 zs6A zs4(Rzej41?@p5+n{SR`Ts=mf`Gd8sn=_vZkM-&{gryDZ zZ*c*5(2I7bOq!Uh|KL$kkO3_Hj+6#lm|1?+*tZwivhSaAcfJ_Db0Pr zT`Cdra5lk2^e-(*jQG~8Z7U?0M&RpRk7u-%`;ord#6X!Bi(U>`0sap?D`-td={!=3 zf+Y?g(uCa2Vl1&;bozwrhtx}Za2SHJLj;c>{V 
zPo?8D!h(?`@#at(#VdRXT&B_<+Wi*xG|4(<4-+xZ6zbtG{`n#JHk(cXi z=yVH0^ecKknpMADUPrR|t&e4z3^~16SwX97&f3QNTIh$~?27`D2`;NN;S?ksYZP_t z^`2MkKk8d@8*x+Sw$grUiVvf9j#DvMP?RM*Z+n0CiE^kd+vJOOF?fb=T2HsfKw0?_oQhm0yc&SOXqOCU z6im>6B0aqXZx*h!*t}BTvlHHJ|HSR{=gPFtyy!E=vb9EllLf6x)3JJ$`3O<{<|1ov zlCF9wlCE+K6B35#Ftf(GH3Q3X&x!+fM4WB!xTcT*E`qh%DTdF4PS4kWuR`F8I}pO2 zFg>!{#d6}j4rO;c1LouQq?QUBe>yn09g2%^#AV+rb+% z7Sw+5@xNo$pu$P2eF7^Zk~9-twiHNt3O|);j^6}vkMIiPI|*7NkIM0?Br&->;WtUd zFM_#mgAmkvsvqn3JSNz!rI)A)l-UQynfoUu8Pf+`#Y(74j* zA`_HF?)S=sqN%}>Ell~Ax_cKql6OKqz8}*Se9Q%VN|~ttPP|W-a9q7)0KOWx_dlm9 z)U>mWruGWxn5QyrjJ*xW!qjQ4RaekQQFo|Q=&79K(f@Jw{E`vu<%Vb?gNa%po-a24 zPDlj#TY8oPxQI6(4RT=PcB5FJ@Ld7aSw@YjE*V-oq2|cXuBSQD?1hN%dXi>s+|!>? zCeNl|Sl~G(nZsJHxf(^7_nK!VKxA(M)ht13T)@H$efBYST-+L1YCco2{tb+a(Fv!= zw*I+BE0#+Xi8WO#hj|OXwi>bT`ITVi-yi;MM{)eIAyM9)J}j7eG3|;C=u< zgJZi9MjGE|mjrd}pT?5B`OkU+>ulO4eaEY(t-DQ!XPWqwBY^-##{f95OsRri}Z_%ATIz0MtCv_8;&57KA`O0pfJ%m{x-zjJClwu824x7K5}f&Oj!jR^pCO|__q<1Y;s z9hO^%W{A`QPvOg9&CTe-1gS$4rVxLmJ-L_5Yd4@j9KS;82YQ9o3orZA69P8*7jB(G zL(JZNt2UUh8}Xc8usMNb(!li*sf17;l8r^d6OD+)Ao#ziuua3ZM#8~VY%-fPI)Z1S zX-`w4=EK`V<|}h^^OA;uvI^k5e*2x*iwu9kC*Q;V^jBO?@_vg9^}En*Nty1D^Aazn#4&GG3ndFa7_owX++%i1WZH$_S5D!KM7G2 z9^(EXte{2bWEZhmW0%K>RC?bI6$Y;SlNg zjRP3z2#!yN*qki_g%8k&o{x7=s@y+xBm4_{A92x@q-(6VM_Ly?6&Sj>(k?HoU??ij zxHyLenRj_?@iwQ?Bj9Jx_>%9c##e9fh*@-l601J&OzDcKAt+_+)vKYt9pyNlaXofm zZ2mbEUQbL?Fd+E8GV~LRDKM1%U|JA7HVqFSuyXTo%&F86dx89@v&-iEkrKN zPwC2iUmEPl$F<2aBCH->z*H*DymayRcqMz_nC*{nTpvYtqMl7v---cdRoLZRREtz+ z&5zGRvmgD45R&|=7A;cEgl6_fv=I9>a-{ti&0B39nvP91`K~w5EYFO9+Bd>6OL_H? zquJP}Uin5|x8&^e(zMSvP5@*9_>(Z=$XvY}olCiV2cOuTG>T`ljhbB|mmm%bW=imn z+J|vhZ^DU=noK5Se^$+j7d*b(P)svEd=k(EywPwPo7FdVOVI0Kqw}YQFIRlLE-T+S z9FpZ6EI)w;tI|pF+}DPFjZ(oPR$J5)E+$W0JOFK3`j(jyx-Q)k64= z3AKRjGSf$}h1Qdg?y59?<5w_w=Xfcq3%AoS7M!#>8@Co-_+dP=a$mt$%aOPNku9Bb zw`ZK|Dc#_=Glg18fVdwuMVL&bGYnk93hqC;Bh)Yh|GGiBR@N3(`_5N06KwMe)j;2! 
z2j{PSL4U~}*uU|)|DNG#;bxriro&X|Be%|xAb-xmq-|xwwG=}GVX}c{(OaDC$zAF?k@fz{%?2q@ndUKX#vAL z*JK9Y$%xmhn~X7&Qi0GaJlrUAQH^TlD~iqlzshhk?uC$`%D7n*(D-#wqNk!2+%-q$ zT2WQAS)VZTk2uey!-L>!x%zIz!#JqIFLdzG1b>+=xVrxcz;*!SM;Y@6*Q|_-lwbs` znr$cc-xZ#+oG%B>)%e^Mnpb6ZS?IYa^_cFUgRyuJUv#y`FK;E`Uk&g|GGts}e7Q}* zT724Bt^#tc>eXJh-koN`Z&N(|_2WX3I*)vOeU;grT-@W*Pmz?P@6Z31|C!hGvsF`v zq3VBc$DdJOxiuS2p(o`^{bL-|F)evysyV14Xo&9at0m)FNC3u`Ij`XSyBrs=sd07C zNAQX!@c40j=s9t0w7wQKY0GRDg2?*CPzskK5R}Cxe_{Npd>WBZ2CK2BWaKf97GbHJ z#u#=XEbhE1pD=x;B;9=|^tl;^wnJhzwuK!4!CGsEj;m#gKO_Xw1MqHWpPcwSlgS78VNUQrh-NF^_DiWQvdv zM*`Pd4i~&tly^vwce(2L2`HK4c9y=cU)W@fSm7yYBLTHmd9Sp7%9W~vc?&%yGgy5` zELz`;@Jo%a7W3LomgK%?G7 zdL$acjCa^Oc88udI=}7srQYIzDEUq_twWqIy~;D?XSEEe;kdQCwouq7TbrXFT?P&Y z&?g>bbm4&eu{7R%-nSo!d!{K5v zP(i$1uhr!l&b`G2K-aymNLKlJ_#M>}?3dQ1zI8gzn6De_>v0v~Il z64y}P=BD&0C+@~duLEx1h@TXdT|lNyM4Rsd@IguU?pRJAdeMN83PZYIHFJuBGQEtQ zT%}gkkJsQV-jAQF)Z~i=bK%)hYG@JnszNH3xDww@Vk&J3=KDJ!nC}oI$G)OqE6C@2C({_@k_{FTJZH8CKu zEMpkC#u1odmSWfnJPLXI9bInFEnd-v&AZx~Y)9pW}jhXwS@9RN{rxFDJfm1OcOt-gjJ*vL% zc8wNO(f`(xhL0d1a9YiCygG}70pUD7jIc4-#aA$LaZR7JY^)RL17tr~P;`cLvy?y@ z_dlC9Rrqyja|6QyqZhZqDqHjIS}?;t}>qtA!?G2`<7D_{p*?@zocPArZ6 zI62Z_s~Aal()>yPDEgFbuh!PM>OEOU2}d{0)X`0R6>?G!gcskK&@z! zk9NW}<#GdUL;bOYOgz=I+ zBfvTXUPNe?_SHT`{IV-vSxzJ2EN8t`IDn16IYC5ukWMEvBifTAYsO3~m+KEh)#+C7 ziCVqVNTl-pilW_a1DEu%uGV6ny=@c2U|P*aOb+3BOTjJO(~keEbm(lZ(Zc-zPINwS zK0Bg#h=@I9SN4OzMxW(`ruw7v$1+m)>I@3uQB(?asJ%#=*yqm%N6s_)H<8|c530{d z@r-v36^DHJg|?UIs1eQjZO#g+7B%k0tKRE$&t*spy7RWR5dP!bNM|Gf;5J*Yo4v#L zvS~z%Z@JGMskk8jsdn!Olc5X6nJHOm?I^d8HD+m457HHELHKDv_Nu;k+X7ClkpsmC zH%dw*-`E?mRo28GC)V#W>azYKjk}TRvs+n%L-TWY;|`lTE9p-@w^6h(J+Bz%5Yja) z0@37{PbY)~_j3+w4rvv9=TAxmLg0w#5eP^u(5vxE6)Sg`S2FChWf?dyGt6t`fO6<& z95BQ88B>Vva{?S9RWqA&J4jK5x#7K&ShK!~Fj{_!>Tf%;4z6RHl&*yVwm|WS`(m-1 zE20jsT5jz41EnTx41I1Q9?BCsl=el8C8UUh+QGoOS~z`2Qr41G2IGa>-S*}tQUE-$ z!88i}rrB4{OWMzO8-jRE)_?^Mz~i;E-U~4T%@g+V>b~S?PvaNb=phyuu$h z!(#^yxVq>B_(Hi*+$2~rz$gzf;lNAIu7`=}+9GQ? 
zfttwPy&{h)5*aI#s+KUendkbD*|wAy)`(RbNB-^|X3N6pHYkXIHoDHATe7s1U^hKB znLl4i?N1ASBlOLY)E8_JJZc>RZ=?cI2kgxvZu=%mdq_OmW)>FuR`U+y==ePU7YQxB5RRmjRQ%}QZcMaPUKgxTnVYCziwg*Z;lf_UuSEDmt71h* zGOG;soZraE*p2eXo zHvf~@?t?dHHd?MbHhV%yZr$~=$isFa%wdZgl2D5i(v`OV#u5!xa_dv>1Gm9RWS3C2 zPW!^^()H)38-j-kx*0v^>vdgbC%prf=hu?^LL$n+xW+@?qHTMa`gecvC-RmePc)=H zTJN4a##Rmbj6Jq;jVTfgKH`pdEaH#RAMc9fXi*LStqrH0fNkCK;=p_xwf?eUCWclY zx3W+=dk96H zR1Q8uU(J|+PCe-r8-_EZaM~LD9&vERoDE}0pw$LiY$~SXaWYZ*xXCd&O{K-*y_Hg& zADY^aW9B1ql-*kf{2f{ZH?b^8T0KlfWTUIM(>=w0T-U{(B1eU$o5v0z$+@EwszXyS zRqrE3z!l9Jz1Li!5X3;-=^6Di^GW7loZYm5xQ{6_>R9y72k2+4$qVh-s1^pfBR5>> zeb=a*S^qQ#VCFYR<+d=jfU$gQ|-c>GMcS*Lk-|3MBQz(VU5th9xH0Dx) zt~U|_BVoB5`V@cCdnDATWQQXdPH%>;ga_zBxPzL$)Fe%`vDVd8E9=ZTf8X_}#RO}$ z81l-6^5@6qntc65j2fX=XD=|;WL$US6dIdk;47oFB%~;l?7DCELxPiXNS8 zxaI=>IdsNQ@KeXsJ;SR)!qeDV6gMg=Nz)75mx{nu2VnkPgYfW+?@6`_Wc?Gv??u^H$ z4t5Rb*f_(lnY^Lq`o-`YQ8cV#ZJY=k$PO`3u5)i#drHgklRJO^EotAsL?;$1vU-(L zSdxV!uLcnl2#$|0A5~=j+{<|5LCsfELjwugjOIp2qqwEFn@(y7Igq zkbmPM`DUvF>@rLv0L1-AFJV{@fOD!w21Ke=?|6^u8G1A|KW#Rwtjr?Xhp21c?~Da` zC==1Al)t~cE2o7mN5_zP%b@Jq0*D+1WhEGW-}ZnEk_5YW5vDYdgBN2VLoaD>ozJWs zAE1TDa6_@NZMnMZX3S55O2U~@{>xZ#TxnClgkReC0mr;DVyb~DDrlTMK*j~rKEO+ZTSo0+Wx z)}s^g8s`j$nyG7+0K=%87N;$c-KJi6!{c^=l$srrWS^xO0K?Hp%88$7A@J%P@r-;; z^~Diut)}VDW7?Z_({rf(!xKd0;!b_Kc=xJB{dKYz?Xa*DYW8D*LnFKV;uzBn8@OxV zkmy?Nl=nD%OgM0V_5r}N#QQqt&n@RKPL@@{7#)yFy{czRyq1kV+58V%+^{#AOXM5< zW<^%}uwE2ag~u%|hG$HX^fz;m$Tpqe2J*Yq`Go#Clm6;d-`by_`sOW^XLCMNF-{7tU+USO%POw1m=*OR3ee{pCz=q0^;= zk^2H@?ENC>JdsQxU#KDF&{d)=XEzQ708=y1j6Xivkx1{e*i>nhe|x37|Jyxs;%yv} zkn{0kRIPT6B@qZXUDU1pDzuFzlZ`9AEeFnfUv$n?+Xt*<*C&$8T4!_L!ta*|&2>7@ ze2H&DLRW04iT#Azaz;{h|5PrlXpxgOx8*=uN8sj=Y0OT|385*SJqIMKR7|BlnPmy7d1)Td>fZ&#DJ^iFGr8BtNTcgqM z28u&UPm>30r+&yleEpDd2C-jA2|UY96v@QRyUq9xj zDQXnrr*Or$vXg$Hs!@);Xu|{iU9pX)G^^fj%`M!u{MTc*hBl#QDDDQ=o@%@uft9)r zaHsGIPrPe?Y>$bsWoVb2?`^tV4I3eA1KOGI*oaHq|1?hgbMG5Jc=oTUoRQ8fKsV?U zgf<|(NJKXtI&L=u%f85@y({n 
zz=?b93s|O2xAodWP6->cP_>}atS@TeEPe2o+4y#JKVOTb$3dIfFrC{-Jv|S~LWZ?0`=d6$GAC*I5&3-SQQmx6>Zqxjlk5v?n-Mp% zW_ShNKi~=)5OMfd8*9>6dY|z95^X&k^ZQy1OI};-DTPY+Nc%?l4Gf65xgmTL$z-j) zn(sEvg+!UDcGO`h^mWWhPilyKxE1!V{t=dy?j#JJME7TD4<-|WWC)_1wf*WC5$5W| zE)U3L;{d_5jGhane#PsRclGVBu>&70O#du&s^2I$q4a!CINwr8;%)#AP?Y9EZjte9 zGErG~BTx|DG(B%p+LEt^tR`8MP!Wbg{zES{fWnsjwDZpPiTV}^5*8NuQ$Y~cEmrqY z?s`7v%fiCnOYz=VSe;BZ?3$nFzpCf;{E-om|IL^HV#IV|k`6mNM*+!c%!ryfn{;oi-+_yEB|=y?w@cZIlfFzMIs{*k!q32CRmHKEqn#pf1WK>N+2ZZgY?p4&M( zVaqi!AomSyWdL}uJjy*<8i;a|2M<@8wGGjo!3Qv$UYXE*q0x9B`$WHWPa%qji+y7H zEcyevY=J^F4d&B-!b}dSl0p zlZOXfU@WV&wObif;0%HAKp~x`(6$8u!n!5@wqr81#pduI*QKZAGpThGLLtY^FpI|r z;?66ehOK7|nSY317ZI;Qt!!TT(TzrH&?l6_*|8Vdf!<;-yxXjBIwnuUacSE_^6@}s zC5F)~rZ;|*^LN`DXGl_ac|Q5?eD??&tgs)E3DC8|RG7H-(U*w9f3+pP&y;nOa1(~| zA<06xkQR_+%r^C%uX_JEogozn)Q34J`fc39h*PKSlEyLG^OnvC&ydCWk1_78m>T%vAitw`$>UxUC!vF3KHue(gXO5lm6QQH7Db0zp{qir9 zH?ZVaBFL=yoY`M6zgH5M{(fF`ZS>8V#V7yyT-z49;ywS<+S4lcD=G$9>jv-qj9Ad+ zhKA51{)M6QFY3}QGifvp%bNC%RI<~8ZlkZ~9`yp#*wS@R;RiMw2$C=%C}G4-wUboq zWViKkjLoKRpylp%bYLAhX^S2wrcB>8^gLbPg63Wre>xH-0VH3>^%W3mOi3*y2hYCXf_i|L@>1%h$Zi zPb>C2!|1LH#sl#%pvOCo%$E9 z+2gyf11wX%c`r=6@wyM?4ciEtGcdxm5qv+-iYm1EDpCt=c<&KnVTG5#u_c#AGEEo# zV18@I51WvqeF2Qklai0qwum`q9!;s>*DisZ+_4^*+~*Lf+3Ta8gXrde+5Wn~P()9Q`@O!UudaTCYc!FKLmMFPnj~KZFfk5>8 zGO?JR8fzimW$i={AnsMgk4$n%izgj|_U=Cqp9!%LYs(Qo&IkhBxKA;}5CI|8W6;I+ zPzOr{X@}6$I^p)vg;2&o4#}g-=F=&b#{1PIC5n}O40xVXFLXJ*>Cd*=J`*Vgs}V3l zZfv+Y)#;$|0)ejEF`T`Xkz6C#*USa5Vr~U;4J7opN#@IWm(qBvc+0A=I!V36Q{x_D zn?q`|+)p%TID_uyhXViR0&v>`+Is6_;z8(tnFYYB848iS&D*s$=<4on7adTofEdVGreQ{x}>h}mDRqw4x@8$!^8H+q^s7pqDu~J^#nEycbv*TS8 zXxz|N4PW5^q}Q5Bqf<&=`VmS;dGf-k|93MRCy}?=)6`7~6*qy%%}o1ef7xrw{-Wn< zbZT`l?{?a2`MUY4Is{8oN_?6ONfJ|OZIuKgqll(<;^=jiwa0h_z+Ge!2>LI3GNvt+NyhKWzh6&bV3vmYtixO^QIktVT6$D_;1|tB$5gs zRc2*~LVtcxvS$sHOfTF6-fa4cLN5TlM+bX9DDx9Boj}96Jx)u$3jKS;Uaq-+%Tk6( zN`4)0ejcG%zFj2{+)G8=Fud7VIIBE$IrL0+WY%i&e=a@ZvdmZ%ZTI)@m24)rr}_+D zph`adU%b5kf9#LFtg&A_*b}GD-bCTfEQ_DxvT$4Y-QmtKhg-Akvq2L%B+jGP#^hva 
z8=?*Rw9^7!&t@DiR0_k@#bEOF{i#CAVrb_$-DxlNMR%R}zs&%SUty9qeO5~wm1W0g z>f9IVEP{K7J=K~^AfM;^YMaJWG5B;1?kb*mpx?X45Vxy$058O2^s0HcG2B@;t)0D4 zmA&=fH*>%wifM3=Wl9YVvli3unHZZrbKrR2jNR1==KGu)?01$0cHOdJ4jF8XDfa?+O{!~Me9KyZ#qAt+~ zKC%H1%Qx`yce-|m*#qG-%mz@jh4Ln^MyTx#;Mw}+7aSaOH~}b4y{cS(WnD#)=dLGm z#R#%>=H)XG*0p2NU)ef4?%f5FTEu~na(h4TiPr}1Rzn2bOC){EwJg$E-2D95ysSrU zHY7-NV)wX;7PD_4=HWrw=R)d+g5+G>7Ce6uUDnq=+S(*8rXDmSU`2Ri{(>`XnY=O_ z{g|A3JiJ1_yx|1rCM970X7(Ux3a5V3iQdpiiazJ!fvM?V#VV#$E^j{F@7iU)fyG!Hn%?qI; z3GjE0e-BV-d~u32X7=iw}%3C}N!681o>9jx>F zKAxY0^-9h8RXRJmSFzBg0N3vCv4sH!TsViQ^Tr7#Fh2+S>?&@@{_Y!;?+47rAx>BC z=2>*aoSkb&Dp*<`aDanGwzx0N*9~l5b}zpIYlqdD=X>kFz_pTrv}5)oo#cM|ue4bt zsF?}OKg5h|q;4RTh(FY&aT#s^C&pnsm!CnQ+Ah$Fw?D} zzyL>;dSPYvb4N>3sBc*#yEl_sj$9m??qa^F_LR3~F;$^0f4OQ}_}Q0=GT)(g1s=DB7+?=#<~?2i|s zwU44Ly)}>Qo-&bztIxGK{CDS;SjSJ)r8;e;&7M0$Bo&w2M00l+KzVr1tofa@45-`n z)n}CFyR-q{6HkB_6MjzY`;VWem8P{X;GP8qI-6a6`k?$C4+Ls^p7kVHh&XTsTrlrW zN#pdb=Gym4uWc~S-bF&$bYRT>o9hY1QBfP}Pj2onPsbi0@vwH6?ax>axxFUf--jBA zlHV`6ZjLR)R8O!Uf6Ls}02D`ykA&kx;e>9Id*OZNiD&u|^|i~&VsatZHeU_-*GbE> z%XG)$)`#nXfO^8UrTeG>==-bD--a0j?-bIYq*fmd_4BJnA!F$#xkcL^kE$9DF#gco zdqr5%^;`7bgwVnRv;_D4S<1xj+AdeNSqWd6_90Bm2ap%T(c+;}46^`xsCJqg;6OfT zBI%YLMlFv6cXb}_>^(gmH8ImJk5@chgJzYDkzo(AnzX?7W#Hqg8~nb9 z!p2PAv?RJOqxU~eH3MAI@abQtfs)J+1s}4NG?ctiF%bij|L?@bPJe5DA8f>qDI|YH zmU2UjC|1sIkPv zP;xpeD_NS>rB@?Fhz}4b54@T7G zgbO$KE=HA&6c_c0@<8K;2PX;ms+vL78eOEa!|cC2ktsY$Tjuu#)Jr}YB43{lh+-j7 z%&pZaW`VNaa8!=Jw0t;QrA&R8{Yzc=a&=1hEu&hDA$q;o(6^O6^B&ukWoOjeAL1nO zJ;Q^n&ohH$78m0T)2dxy<;@N~X=?)?`s(-0e`y+} zNCl?}S5vwc76==s=1R{g9b#t@EGoHI&f538hxnT5bJ*S#kvPF|pb17OwXD`*KAfdo zfSNHE!QgMlgSN^1Ac+ImM|(nf**^&8KXmdEon$84_;?)ogc<_!4`a*p-mWy|9wg_w zmmP=fWY+8dnpF^9e4E9yg98M`W_$43m&94IyVuWp?j~%-wFGP zuiuc6`Q?K0qSYufA`tr_v_OXl!l5mk?v2$I?U?Bz{f#46y9le`&oxF4{z8-u*Cw;y z4y=-BZ*~@|QOen!GFy%WWGw7_@_KI&FWEuJKOg7)!uMrLX9nOeJRonmHWzkJgMeLZ zwK1FQ((nYgfJX03zSCJ#;kxuB_c_D0f{OP=@d~_wy zJnMTC(2Cn~X%Z7~w-aTIUcsV!UNw;u-Cv?_SIm5B8TTtx!=z)UAiB+#4kZNvVB?8b 
zH=<*me&Kp5j8rFaFI9l0$$TXzFzx2Nm4t&|G^1cL*G)Hy@;VM) zoI}d_dSt`jJ1Kef@dMe#m)0a* zpMIkBDOWFd{;5(?|+@7qS-J;H7(IX(R8)R_+kB=5PPV=fG=b$qw3B1 zR0@&KC8i|A3O9{hil$*;@P5X_k;viYma@=~rschpw{|B$dk!;e?Kxuoo-LZ{&hS&xWY&*eeznJP zX)h=c&ez^=S4As9f8m2*;BmU>U2f)XZ4nKLOM!h%RUli!<=8mlI}IQ|i+W{nGXPc= z6Ctjo+g^h9O^hQ9>CuAUE9L39Pp&O)4zAtvrX54cA<8Ca#amSH*J8#CzmWDW*_OT* zhnB)~=WV%TIVGsUJVE`&7=+_ewl@vFr)tm}e*VsE|&;wfR?yW=jV)I%2;5;X^y?; zX!wdwkhm3R<7||K;`NnbZ&wt9U8iMsw0sagY;~;Aq?fp$eD!}$KI1RViOHm7;Y<>f zG&e8)@bL@%JE4~seE=2QG%WK*&C~SU)eJ-;DW#lVH7Y z@{Cj8IG_B)Xfp($!&%t!+c&@A))F4ZkDi$Dy|4^IL~CQFu_C@XHhcm{N|S=3SWqQK z93^sk<3$dN^G0H1lQUum79N8AL@%j`5!_*;*={ zKp0sy7JU>wkcDkNObM$$> zP}2q2R0h<*n!>4f3?h=Lt49QavZKLdabgq3K3{mzCZcLGhBF3$C6GFBsO5Dn*DPybyLu z+M~nq7M#DTm-N-uOHvmOFwbm}&7S^3ReUEyW4N7|jC|qlpZEccvH$!lYv5Pxpl2@h zh{N@K>2wGSxDC)zk8o6vA&1;>`LF%Xz;GaeC)c_UXbnlLalqJdsHGHO87aKRw|2p$ zD0fM#$+o&k?PD)|(K}X^L{)-{hFYdGV|cSdA^pa!;+ai=VF`#Vhj->A_>ZgvY?Dv@!E{ zTS2Q>>LCT9SptZ&t(o{<_yqe+pXI(_Kif-A?-Iq+)I)J`V}ua^DL9T0>Hw`p5s%(> zO{!aaS8*rOwDdp()#zJE%;yY8;sBfCN`TXgbJhX%Q6SqZ$M4o%@F&E!?u^2*CQ`@k zwnzqCXNXW6&jlZ2KTBYszTgImc@7oq$Km}PDZ1C}-=1`fpoOM=S6<&A9FuEp5XdAJ zktdT8IT#(y|CW;XSTXeo)g9v+IJ}dw5ng5IiI+R#6WpoeDi@w7JhTFMQ%3A)2<&DrfzeLjp_slR#V{^pDk6Zn)vkePwhwBNjre=3bG zW%z#z@Q}-8eHd@TL&2}Q(kijKUK-eQHo#c9?8dq6zj7_VIi3Oe=H_+89r?|olY*{+ z9kZKgxo;no{nbls`_6=`g0~Lo&w%yTRKH+wmxBYdt-w+MaL5#fZgM?@EO~KV?ntsab)d$?EsV5XMhj(L-*2utE{GuVG zYopQ9x#3>b=QrGw{&fTFf58F|xYHDeJE9xM6fIPOVW(_%R!utC9M%aljc!D_PfvX} zT;Q7=8;)inSIbIF<8%!XSym+1_mIOi@@ZMS>Pr@2 z7@paM%7BG)oITBg2mG_7y{i{akwYV*eK2)+VhimA}PFT6%e#dnT9K(_GUoi`6|V!v>>z8N#_;wK2@8 z$#?`P-er<)^4_fEQbQbd0@{dj*I}&bdwhhvNzM&-5izkyAsL<}cdq{-8-U?!4P^1iyzB@EL9Sav?}fe>TyIG>H>kXA3!Y-;D!IH-0UhS!rF~6C%+OzzqyQp@Aw+x`jL<%YprZNLjLX|)bKp0 z2X}DeU*=r0DvlNW$hF`4+YzRe!^974ILtwYAH7LN@CX4A;a{&k2E6OF3C5Jkvq&AO z$!5n=WBie85ImFz?(lzS=w7!wZoqcmku$>N*8%g^i%H;e)$<4$N>lH4oltq>zq5M4 z6-f%qh0&p44d>OHv$4njvo-7Tay|0>@1^>$ADR97UD2sMsZ2+=JjmRopzu0~*)>v4 zhJ>BAPm5)y+AkYL~N^1lD!?d?Pjko(2z&YcjO1be}r4$o%K4bo^GXq_$|KG 
zV8^?J!QD0$k5wOjGk3Jm9Zj*PHJwc375&@pIt-f=c57Xayz;FLgX@ohn z*K@Ny%(ZK768LBHKbL}hB*T{l=4&8U`{TA=Je~uQn80t>YhE@jK<(kcc30Z4H;SI2 zS(l)-@!>l&#Du@377FcKLRAjoq?FS1RPB@RvjH1!IeeZU-&}_I=hR&TCOO&K_P8@E zos65{*6?w?iaf_oJ)8KB1y&SNC+zHuR(jA#0664j1!A@xG_pb{pr1hNB&?Jt_g&lH zojQ@KK?)~@`-OSpynC~TyIn{TkNTw%q-p}H|U_1@hA zj~DQvhCH^>QA?A3=P&sF$G8DT+l_Bv5@O!{VRFhN@pU}WJ(K3wbi8LPvvR+I$@Mq& z6^bJJQcy!mOF<;A<4tfBnynhf~!s5Xa*{(EXKi|SWNn`MiO9F51$Xbb zTh}V>QD^^psf@9mV6s+kTEqF4U&ip;-9y>tWSJ*P6>(UXfE6P50Y$>J0!$*Y4z#aJHxM+J zg(>>iof>q)Mn0$s8Fg(eH^;&+gh+SY2a%h~w{5>+hqkr@mOoD$eFl|wBfa_f!Vc?l zU(O@Hz|I7>QdR&}%;>bk>vFG@QtFDGGjJtlZ}KA2G7M8a>#WU7J36_Q&k2)VIs+Su z1^Zg}pngBr=PUQ}L#wqMf%x}E_}&4I-|qi7-LGANlsizT0ir!rh!sC9awD9Qc;eAq zA{7-BBg)7a-6PiOJa~E1ao~xW^r_5Jls-d7{%3{`&u;#FT?R9Sj>o4@E z%+1&~>FwEg3Df$94~gJZMBn(36V%@7XXv!?4A)brmWi>io~f{Sb>2%7*m87#eFy=PBwu*k z!TgrC+4Y$xb!gbo>z|%zj~HW|IidJb>FNp8{?~eYceQeNd3!baAL|W=k})YHWNeDE z%~r)iKsnCLBUwbGI>?zIwECgAt^!`|Gpf^WgOtdd>D~5`@Oww3%%<@a=)bnrxiizc zhq>oB-dg?&;xx^BgVyAak^vQEwx9>DohBl?yk2J*hg}oZOEDs1kx{x@QyO|HsG#ro zs66Kjq(^bH;~3{90V|(Q0`#j@p?PPK#%l!UXyMS6oMFUDhaL5e0$+DeP_&kM8c?k? 
zY+Bx{yy!oo?rNa2pzL29P5}A14AYx%BFLa9R!-7b#I9>hE(`@G22STIxY~57C}(1F zk4FpA6h~bgX>!T!g$cY0Z^c*xZKcH%zA+_U8cS7a)IvuL+;sHXXdjkHE}D5qX#30~ zdlDO`se%m1xk||koi$xe2c`XJ`5A<0W!ldh{oqT?YzF#tkaSuvHh_~5J58sX*mXjL z>Fz%(VB9H2$pE8tGAB7^ao9S+V+%hkY?&DoKG3uU(2t!bPn*%R2G|h^0$0IAl@0tb zX={nxC+%kyQOE75X`K=qwT;mf_zw$^;D}mUt3GGD)5MFUDNWC1_ucpLNnfWecVg_($|eAcIl1dNE*~6rwa8G6?JOvUJR?V4(zpS^fweqwGFq= zWMHL)5}4n4aX@kCsH!krWc4x2m3r^8)_X)+l@cLfim$h@o92lMx~<}WsJb&*&w}nEnK(!8hJ$AQimG2OyPihw5omCe zsy0$h9{Oz|no~tx!{8V=O5G<({!6Om!Rsm&%{#C6!OKNkCH7egU3qhDxVy~$Xt)cz zjy(bLJg`ayJUuB!h@+K%Z_$zh3Yg^3wHe4V7&X_a)b&3NjWOO6&h@)4Y#7`-Yq=fYMY~#0Tv}8jH1LPMFoADl`f&FF!tq2 zUcYlr1-Q|;rY7W|p0~Rv5|Hq4Y^X+Mm`XLYq^WW!tnARmP|-*WFStCGSaoS&K83jh zcWkDm4wZ_bYTg)5#Z$+?K=5T^LLGNt9DCxRfs{L8@y)bnOD=}ZtPi2aPk}|*Q4*ka z9PHsP;r60-GDi*e-knY=_L^gfp(aOqH(2#OOk}3=53Ⓢ;h}`Qc+w*m^@Hhwe?;t zSWA~8yx@#R>Ud&C&Zc|tp`vBNW#!Haxgzh1@O&6x|9$Uqe8_ZS+%?Dv+c3jQH2ZWf zC;4+Fe(mXp>W5(MS(dM>-!|}Ss zF}f7TbC+V|^0GhfMW0RDULI#=mo;s5I0BpL9Y}j4nw105_sX+&zP;sQbjY~;hIEq) z;T$MD)M{!E5!g89ESI{vsOl#%Wp-HEg!IQXe`yC2mDa+P0ZLjK50XFiC#s>VR{kJ& zpv3jMp$2xU!{T{uB?+7LnjfWV6Ybiag-BZEpJ**OpgE*(q?b?l z;0k3V@-Zb(Yn0aae_|X==`WfG7RkExO@(5X33J|D_nDQ9MZ{g(u-2TutI9rcwqU5v zo!3jAVZ3ZHp(z|IYY5GgOQFfQ{qgqT!mD~$BW$*|?rT#I7aCMtKwxtV$9fIzWNqek zJFI~gy3QrU;h$Y0dp)S^PA$EaO)cP-(W|e^6Yv?1w}fYPVyyStm2{TT@GEZfr1Bfx z8rflSLJQ*WLFcD!lBHx@+xN=Br zLu%coyz-Vm@988CE8-OwSbn+Z2DNVwYCkTvd$Au!y1R%S96tEooO*i??mh02gZQdb zxjz|Ov}pWiLZ=|_D*-AuvVS-8o)=dcR$(y5CbmQp#7-}!cAEdeK6Y#MgACd+iMz7=`N^3BO)mufV2C1(aE`J$q;&FD>ie zL)lQ^8ZjWvY&L(>G|qi~M(sMpBU%>5LAwcD$Jr_B#l1nWu&s-vv5*KTW5UN4>lToW z+GOf(4LRif$rnMi(0QtN#O*?`ctgABhGSxq20vxpW^o%LCs#Ra;vNzSbqiyXAj&Py%Kst8}_`D3qZ#17{bg({oYT8rS@yI?oFLsm-m6t z6*Cj+!I$$c`n{B$IRQe9A9|@=jtntI&saZow|4#7OzLsYp*wqT1W((nw$m_LtSN+b z#=RFIZq#Yy#;$M5w84nT`Q#1@1F-!K!tIsAYZ|oW62KPpc{>0`Q+T0b9{Oon51w;K zAS;>1X7YL;mm2TO2~kPw>&gG6E_G(t2MGf57UyZ<)Kw&c$a%mK8F4j+LXtGc4HFb~ zzn4|duS^1~yFCyG@$x(65q_pv3klTcLT47C?gG~R%h4Fk)(EoZqa{RxH17R~nPhW% 
zH*Y^|uYRGGGx|k|e?3|%5^zzdYer|@qC<-&foZMj3^IG1ex{13@0BycjMsPz1(wPP zQ*j|2_!;YIr5;h4!R>+*jgR~hw|m|acQJ;MAKlUf?x3#lvKM$nqC+!_x1WF8bbF`a z;4_x%G({O=2wf7)ZaPEfFU28BwvQ_a^Gz=I z_oAw~WQrFUKkD4NdIpsi4^7NWuq}0DQDBEf!2M}o#LLcr0@iqHv$S@-@VePhf|Q)x z49|RLHr@hfR0h&~zkCl0{XTU9?rRy!6KlRn%c_NX1WViOMMVU1k=d{(pGKp#TMel$ z)f1~W5{~pT(0;KI^@S-)SmRcZH&gstEGL@SgE(Rrzs{#_T)S8x z8@~zNR9~Zq*uJw7ENg1mYFYE494&?6GH)6L)eYX3XN`J)uOqSwo&ThF*c~j?A~G~d z>3VG|kx`>a<*I_t^B^waP0TMLHt-|uOD;aiP~I16J^GVU8m~cR0$new7xphP_T^GB zU8M2THnFm9jl>-7^7`+`h{pm)m1$pmJP%mnF|rjW&4Rs0y1z8P^d;gQK>cWY$clXj z9Rzu)eFNKCmb;**0u`%_c4pdvwEqwoe119h-abUvMY<%Fxq3Vn0(%3DX&S0!mi2HA zEB+@^rTVGzU=}o{P8N$^B0%eVIEh0*5Nffy8sW?TgjeW!u^N?lm#|PxX=`h9Q6rk- zR`Nz>YYRW#wPDBVyz0dR{z2QxrZk!7G=9Vp3Ye3b*c|RRqd2+{POakNn1_GvB+%dM zkDMg#Nir<1gtrC>OvoFoMVyHe4xn{qXx?FaP7T}KhUkO(wsY~5{M9fM)Om`fz3AOR zC#dPV!=(5D-~8d43vHYNGxa19s~@3hB2d$X+-Thiy*z6_M_wYb_#csK)J{kA2ucuE zK9i75+Q2*O%+j&NzLb}QR4n+Iy3(%G#7dSzFmou>EihKmre`n%eI4!!O%tN-Y`bN#a{P0>iB@D9y0;1HBw#65#m&*sspL6>Ft>!Y0)%C_qcK<536FO73%L) zBUr!hvb__vRDXtKQfjB4vxyzVoyp%65zm8yuH8$G))!lWfLn5>m^^~B#cTeyeP85} zJ^0Q}&Y2^Lruin9+z`yVDCJo3xsd_dY87gUV?|5G<$i$K_dwCwvG` zB^r8VD9yp`PwEWR_sZ0+cG<<64HHp`@6}t~8n$iw`y+?sLr*M+UaS4QlQdJN+&HKi zt+q)3nY?IMaWVU`g>9IFp~tv0BgJfgAfIF~vqIycH8?U&(WwG|^y{132Pv243N8D77aXx?^*auOl^MxL zy!Y*|^Os(Z=HNj&FAnkG0W-SJT25D4Y0(|CVS`Cq=Y<;P6t4bzDs^#XlaHpOU1rG}O46`6TR9>#agx(Ni>la6527($%*Fk6fJQVb3|o_`uI)+L?$SWVcki!bI~6n;Kp~oI&D8Q zD3YAvOZq1+zK{5*PlbZ@HNQ8S;sPFYMCDA(A*X6U*qc4-eIQyBn<*PnQGyr;@$jP@ z!`YUa*4>3$wcdH#P3d<^ z0s@`e)d3p_7#+|CEQ8;(z#|pKYnXV=Zr1;M=WZ^>93=WP7}NRj!|Wl0lYcR7Cn3(0 z`ocFb0b`5_1M^>L^cA8z5WpaUn~naxe;bRKl8dIa-9#4C^*1DK+; zs+%*2m;zKuzSe1#m70txWaNY4gjv5RRvmcFJEEtEOFX1O6li)>^p4yt(dIG3%+~~7 zkMJ%^a*KNNN;QHvyOvxWp*l=ye9tB_Q;gFR=J4CrY&=B!=l7=6EPm&qE-9V)@b39l zL6xmDka9jgyC?A83wT$PUQfadWG1*O1F}ALAO5I;ufT&}TZy|5KT|gtD?Qsx+Qy;; z>;FL646W;D6Y;c zOvYn+@uI`r&q-qguLtTmB&fTKksPMB3nW7fsXnD+TrZRzTQm)N{e)5XtetiM7HlY< zRXDrZ7w}e6ua=iQQ?|ovhP!f=eX%V1T1PsF-RNh4#(gxwSuNpBvNrjLeH)B+{UDf1 
z#F2j$38j6+7N++rq9sO>F@bhk!vJPp?j5J!sMOs@`KCPo%O??2a`n;v7nH6-o#Zw# z^Choh)0e#fDmS{&S6Ny?y^8A%&|L%&E6P`E;s?@yTw#QdimpMf%>pD8dO>0@K6kvc z9#Ccgh!aV-MAnub|GKDEd7wh@`Ex55tn{-jt0F3?M6wFiY0Z(C_{hK}TX?x+VNj-A zyd|-nDfLnu)Lh1K=&vXABM!f&GQ^sx-|7>L%s9rCSx|5&uX=~taN*c!^g5aS1h6_C zny%P3$b3H7dYf|X_L;k!gh(J(o#iXF4Xm)Uz-8+JOJzL7aox4oYVLNQ2{A-*rNWSf z>X?4vhjcnuti*x43d7zkKIT|vU!(7Y++8u>gDdv<$_cfL%;>#dpH<^L-uET<&WL$w zH>y`?6>WxFWuHHl!XF}KX=XLFXy}hy{{W7j{DSL`D!96gzbZS<`j~`OlTl&0Dq+8`47AJ+UIXsb`u3YpI+xgjm z(ng2E+FdPWxKekeg3~+x;)V_ZZz~0pl&g&BVB(&UB*`A%uvYuV${E1Uptv^QQDsK=7yQE(iLX<;jJ@ zD0|RH+}AKQ-8EX50bi9mPdKPicW?5^ zg=Wm{^U<}~n?@|Fh^ftjMAk7iZ|pLP%`8V9frYO#!XhHzFh(mN&5ikw*J0uvDr?;z z*w5`!Eq;%t_N)G5uo%fB!y43wldpdqDF>J$tyui_1Mk2^!05#W>|>~ zZ0G?OEVe3vSn5$m^)kGz>tGI!{lJ<~Wx8?7TnoZct(=QI(VrvM z@peqXUhv321UJV-VmIM?-=wWE+rLbKr|ny|rodNmZpBXfxZ2ClAmuKVwcqGy{QqhY z(Nym`awx#`Z+he}^!j5cR2zR#1NlmuRd=u+5PArTi0IkM=G&3KawjwA`uMit7J(Sk z=RFs2?9a$&J8$dRE?_L(qe3quiv%$npnvln8@>;$raaCko(t0;*ICmN7M0_R2y+Wc zGVhxgJ8kup#5Uv8D^7eXJ~T z)1roG&=wXc8rvRM1sPehy^;0CS<7kzPrrQ7hWPe@(b_C``}Uu90le>}Vn?sVNYTVs zMaMG7zgCLCU%l=5g#Pwz;NG4I=zi{N>zB3UU;<%PJA99;Qo{Glz%rxrLEoFhc)zpD z8Zp>b@zyV)aHcCZV$jz~IR&3}yh*LQ`` zuWCG?L14)dObO))ckpuH_Fw`zaKMuBbRDlBb0iZ6)Fd6>Kv|Om$fd-Pd!v3!oAcq?-`i&xaw$D4$k^4pGht9+5+(VD2ADRHx8hG^~ zUX1K%^b;AUhw$8@^T94jrjaYm%AsvGDG4@|{cGoPwNI zd-G=8%IEtG`J7H^Ep_Ve^j$FnC zVZi6Zs+aP9lomVR60F1b!_dW0FwLa6Go4~@Sk8(G2{C=%}9_8P+ zeTa2-edMvN8A@>@yjwGL>SD3}-rqd*_NSs^z>$g(^3<7&LEg8B+rIx@TeBCM0HIw_V@yh z`C%iPAO4uXUC)9U*uB)VwUvLkyqhZKyZirRvWl1tQB;xSk_caf%-WpjX#1kI*S_4Q zuro}4yNuYR6n8yAf(0^+CgZoaKV<;_G(2kO>88Q5RWM%^!pMtGgQS^rD4#skO)KMR}b>Hm*ZmrXWE49K1c>YYq3H<2HlbAgC-*nG7 z@B2)BhD3^9E7cTl3Q%8JZ%H(x_2F(9Fa#KHIc~Y!J>SpEFysRENiVIQYP>vp6(2Z1Nus4Qoyc(#;fOANcb!6czD|bSChc6<$_DyNN*bWb2+ydeJ-kg zTDQaQv8tc$fqSD5`RpGZtH?`yXP3lIL)FS<^x#=sdED&lCL027xgRzOm3%Yg{ zH}Lrs4=$)J?1TA4-oTK_*}eu?*l(m3eG$N$9exkKL(C!Mf#GNau7Fj=HXOJ+BN!$} z$jRg7PBf{y`(tL>Mhg|4+LMfbtc^V=UD_Aqa8q z_3aQfkx|F1v-Pd2taUDxna0GU$Cdr_03W8w3BSAGqt0)OL1m{UhPL*|hd-QK$41t6 
z74^=Wu&@j|J#%xvR;x$(UkKAYpYM384^9A!lO3n9opO z^fkJ+w{@tR{B))XK7QQN5iT0MCYYglZd9XR&aRuhLOS4sb11Z+vTa{h#hUPNA}F#J zDio8FUSr3r%Zgn##jG_PKrQEq`1bIN;`6Ia{?;|Q3E3U3fFhqdZfif+<6CoSw^=E? zl)LSYgdy!3r<$&_1;In=L>j@hdFuf?ZskKE-k5g!d#uwH#7LEfJp2>>8L(4@Na~Q2 zRhi|_hr|pWV3_<9T-{wX>irwet1+~PL>Kz87%7S#i%F6iQ0XI)EGLcY|Jn>^hh^%X zhjzModQZ=I%3c$ZXem%UC{9V>3g^p19i8@34;OU%z!y}YuEW9uiO20I)#}T;0dQMT z1OQdg**(tD-X^y_lRfW~$c)^P79xpsVvd7k#ez(VKNY&sMi)WYDSIM8$1O=Ne zUX`YR%gX5&LYAK4++K!~bhZ75uPcLxU(l7p*a)VN>!3a&KTF>lEu5^%7Su!t__I8y zRAuxZb7GWRrx~ICVFCWs@Z*?}jDHL-Mfp=|K`ss}pME#xpi9V&+$+xGAXu5>W1%s$ z$3moW&O;Cn9BI=!$AfW`S_x(B*BaeRVBrA>+>wHE9osa*p6E{R$Uwccr~8Tea?SFi zYSP`$Ja3iV<4lMf7*m8-aGD;Oa;M37L@Kh38s|TiFs#YG<%$dZywdYdF;iP3VOa}( zrSlhiLaO_?CTvPE3(wJc$`7i=Lm{mdPQ^kr#>K+3>cxnwiY&~H^2nFs&cMt+BS#BR8}7LIeSSbd$y z<{89eRW%YZg$IV$faC0rkXaH@t*Ie|)41Y$Bc9))Hidp0lYqYpHIZt?ti8Cxa*Th- zgRF>8JaV()H(UC3F=PgcAj)3QZ8*K-f7_cl9}klTqaYF3H5%6gQCE-{*6!q2CUMBi zptxUcSOWekI{w2)A5n&S^}5XLsgzKI|5#c=zxI5PQhA!(RvX94Jhi1a`2fR5ba%Z( zAj$3YBlMZ6wAJ5lQee`#7 zRqYD>f2yNX7YI^-R9}UV7-D2b-~9uCE3wjF^w8HW00?le$w7KeD40Ypr271d$Gu|Mwmlx-mXNqc086gk_QsLE zjxycesOGeeMZ%Pdw)dS5rqC!IID16iuD@4ET$0Lg7qRkB6YVv{jKC}<$Huxm;FBA< zH8n%^dkzPajy%13|La+O0H1%;btMm zx??J82g@$>{BLWK+?6^{dDWqi=!SK3t9sY0=6Jr=9Hv>@Y5nu$VGjm}yea)nQaoF& z#;TZUD3NKZhZDrB28#`*u7PG7&6627VN60zB1xjQ!0`Q1KtaVE`~GY1itzX3Qm+?_VrS~z}rtzLJq+j6I@s;kk$TEf$rKxX(+-{Rg!SjUN7mwPm>*4LV zv_R4Ld_K|_Cc#$zkTf(~<)6%$>|X2%HVso4Si4kU?J^YvS(kMOs2h4ZgWB7xjV^Ck zf!oJ;n1|w@ZFweX_7Xex>Frq-j(F*DJ%E>f66Yxnb=TxoI}GgOU8@!AVmzH1B=vSO z$ZJZBr2DDj9vwuhQi^1TTd3F!8^No}OakrcG_^XYN&0Ud~Luwi}q{~FZzB-#N$eB`mvw*G(I>x13bE>d;dS}CF z9wO$RZW}2$61sXP_3BfOlQwDuwQa!+q3L6}qbfEXJ82BHB4{v5V;xYKr1H%dB`6@4 z>WKvPd&seeniv%xs!x9y3>$GvFcm!KB%qGCEVv|4-k zUP$D?CNK{e!;{19Sxp*TH|(>*TzFK2!}r|2QdH|jhT3p3-vfzItg8k0#SE#&A=AHc z_8?Y|{8<@43JDMIu06Ht?MQn@p60)^>Kl5Lv{=C8Y~Z+4Czo!W2?Crxl))Cw%evcn zPkujl#%7LLsZ>YF-6jZNx==m$Im^S7uvsjy{B)f|Azgbhm)%{rEp;g&l;*#2S{9Ce70TbuuyAkn6@G7L5jLPaFb~n(WycR 
zMT$RxznOwplsSI3PvupQXKsbHLT0#}2DwKhsJI=(#EU<{c5AGrHuN@1K2=810o#j= z6gTh!YST8c)`+u-*1AWDFuRLv-SaVvjN(qlQ3nR7*k;bObL~f|ABXE!apG!(G7M#6 zg0mv7iO(TkXH>BMHsY1o!>SB6pI4^;NW$nn?F^x-fvsO7lL zY+!)I&2Yx#M?#Qm(W(>TdUaJnKIo~bX{?~OAfKkoFfMRu!MESz%GK-aj|dA}P*%;r zBGRDmgfc|}Vi5|fZ-dlDV>Ug8R{^ADM?{upPq`@3u4u?m`(Cxc_FS}MJA|W7KkI|H zCTy8%!*d}?1q!t~KYckZT$`Dx0>0v$kD9S4x;zQdus4r0l z!$JG(5A0jrqTlPgXv-}}`KAn=BY#lx1DqleF4PhfLR!i`{XuD;Zo~%i-}ZxeGL#JU zvbJhRVhoB_KS*;LkbV~&98y;v?Uh#BZc7Lo#hBb(Y{w5$Q1Y`#(l<6S|J5MrO4NP_ z70vQZ_Gm$-Ke-McSWoz1Si5=Bxg-s5u5|5DY)$dAE$S=q90azChRS1%et>1Ju5{jD z06XN=Iim^7LbNdi9Jzq>ls3@1?)Cv5kf`0B?X(I<~dH}3(8 zq`K{9pP^)%1(s#Ost_N-NMK|#lr9gB+$$ZM3BpA0k!Z+|V9SnlT(>Aj{N+ymW#bpF zt@C>`hq-Q>s6R829+6SUle<2&syi_&63#~vv)AW3&EXNIPeN+100{@NQW_NMAa;YS zd%GDOwvpvej#l3cRz0Q+VzKx>a!`5Jmh+lOhAGoMfL;+y%ZCVY_SDiS!X8a_NNn{} z6kb*Ir!T4eGPPxlK8?f{x(Swlo}|g@`u@MIHHeM*k1Vui^5}5R)f7gzXlYJd~Mqi!z zzD^oMeqwsrAm>I=l=uxYok&5N2QYsh+9;>DgFMMC8~;gUgeB$RUjztUP$5+G7V`7t#9U6@d z=#+VGewBO9!j6v-7?B4X1p`y5?D?bTHar!m|1r*JrGD1Pp@xX(Pyn2p?2287hm+Zu z#r$`T@>vbC;@+!vjVYRuItXq81z9`Q3CS(OqyLAszW}PE+tz>KMeyM6uEBx@2`&MG z6B67Vg1ftWfMCHPgy8P(?k-utLV~;7ZL)XHe$W3q-?{fz-L9g#NQ%|7SI?d@e&cyY z2=;p4w~y|GP9LB%{{Pdnoxk+#W8o3rWiEAhG0Pr=KJogM@6c=~RPTENM;-Rdo&ZJC zSw_e@{deptmU*QgDEyR(*~`At(-7uOs5W3GwyhN28>?Mp>3WlR;r{ZMAPIfBbVMR9 z@%WL*LsJR+ia(R;Z_K#l{c@S@aRyjYg%DhVHICXwtKB2yNnF0>l3zdj)}?E@GG>ut z@Q>x0MWU_=JfS+1Wh@j01CNk-zt1Dx{ObEqU5zfjLU_~34UQt$7=ET3|3}VwxlgT} zIA_r>J|9vA@7K+pf=3VeWC~kbaLMezC>`Qw8WfrGyq6?Zl`e#(H>}f5zIx7B23D4j zAOh~-3w$s%h`Kim87sEh3e8Y=GZYgcydy;vm`DcuzMP>=#p#_RCR|jL16C>V9 z+$H}atMS6`Z5>pSve5KT#}o63=}8%0G86XyMM|j=3v7!4N2E^ZkARky=%~Wz=ko^B zj}WfX95*sDQdVFJdmRFy8plju%#RUzf#E7L{u14b1HIm;$sHH(T@h5ilPI0J#&1gQ3Kn-vP?s>ja5XyLn zPAq(_DUjt)ANQQa-HsUJ`K(t%enw5J#IdR|@<2qYvvU}@V(%~wrG}Z{;|A7py&YAt zF{%4+isGlsI;uH@n&l+L-l%_vj?J?5w)Q|Ai)%Ki?(<^CU{4z>ve(i=y|XxW&Lah_Fum1R{!lQpU`QO|3;Be-%;03FM7SSKH3Xy@Cm!eYl2~` zn7E!w3P>Efzx&Gg{{w;u;FBJ0tFTIixb)3su@hM$L>*oJ(ESQF4>oz%aSH6V 
z1GRtqFqAm-+FhBr&AfQr(cABt@KD`=Vq>VNbY&ZY|DY!WaY8Zi>H;sf&w#+Z^?NivshLM%}8;@69m)?6Q zJdEWAs#KTF&jC!vBPTMk8%9$8i}n2=XD(Cd8B{v&^D|FK;GrSUCMZ_m^EaK3zuaDt zCCR*i--!(L)qiGF%`c9IsePry#i6_m-`#t1`~CaT|IT1zujKLh&6iv0>J@-jL9H>W zrU7)Dr<>Q|HReAA&H4;KKfM?e08D^dW{SvA9gyS`j!v_-px;Ei`*QOl+RTrp!E*8C zg~F@&eD`e{uf=DmbW^PzC48rFoUCX)q9D(5$@8m^FTW0KcMoG8qSI>HBPG z*~vr*`RkWUYA2SheGI~y^$wE4?n;KQCN1|7{_8Ekm{{kiTAdu11c5S7Z@*llELJNk z2tk8f4+6kuMR{`Gfon}Ev!{+-3JJM`$49RnYpf`&

X2IF%P5 zX(3%-ZB}DL5Q;mX;uePkcXwtLsypsYYGZ~iM7j@l73&_{i4lm;bYG#~_A(~%92Q9U zQcLbN5)ew#0Z@Ylv62zk4Q$o+UEli@jD<4cY{iT#FDsqv;%%OlHs@O`mBV~3N@wl2 zO8a#Yhxdbff%ePZ;Q2erdL-(@>rb`csBn|sG(!L{_EmJ=7c5qb)`)vaVL@yP=ga)OReAKj>mg(&ck6CaHxZUQ7NfM*tv^(kL z)ho+q!PDJUo?{GfLafEcUxFx1!lF`?PqqqO-^N;2wQvn{zWSNt_}B!tKc9&%rt4f* zSzkz?{X!v%%Ss2v-~ z+s%rmil>nK&D_&0O1BIa?gV$khu61x921s0Ela1@MXMKi_T%_j3#G>e;*H=&qYQRf z>j-_a-*y7F@g*dm%TbuublA|M6zal5J)$Awcx(-M z4M6Y6mU}En0ZoP4vvB1edi^S;2UziG#`%FRo2iokDQzNRu@Wkp89;dVb}a(L^Rm4P z>Ud(6MQ4YN65}zixB_>2%*O3;_&!KXz*5K2Ibf>Ysa+{!(ge6Pa4@lK(9lb7io>|R zsN|1k-vl2}s{EsuHzNC#um?oqlz*XR!I`p^!Vxx*(`(4!y39wdSgra^52q zyKr2j>Jb&c#LPWeI6%f10sk|yjJcV_0Xt6q$DfHWfB3u*2;~@1ql{Pm0rD0xcg7ra zi}c74ubes^$3wRTOvlmUDUGZUec38wHk$pl{VJO2jki6o-NL_71=5)N4-D_s%VuvD zIMgy)NZG=Gzmd^|59|J_P`6?qrCF^Ga1%N#Pt_8+q>L-dEau+pr`m#B*6qza7);hf z{ju>8oz>(16=7Su#fqN+^WUhU+zpO)`Cli7uE)rpv@WBbKG@vv+mFiY7&p-=o8MjC znC(C>&1lE)BlukZI(p9su*k?bm)Bge1?hfzZ?17Z!s6fT5`pM=9yF>>H`BMw_U=jg z#(V?*=$`zPk}33@IL|w+oi+Q2Tt%`MAnOGax1VXAn3*OsZB7I&fL8!yoxV5$T3TO> z&tjUORWR%%nyWBzM$K`SZzB5P?bdQdrJsN^Ns;XN+K;AqM9$_LPi`~9q8YR>EIQp{ zMhRO(tE%~o?1}8Xi7E8@%^s;XZSi`SBaqL2y=RWoOuViJ|Epq1Js;pmLULeU{o(Z` z=iNw;6>>V@Fyg8?-d`{oKkg>>;UtS!8?EhnzPBHPr66Lr#pIpn!e^`(a9?*KfuKJb zq*a*Z7lG(whV5>4jc3jNe*5M6{?d{q_$a=;iT8_qbR@*hUgzH1G@XJcP8#J_;$L-~ z)|xhV!qkkPN9*sTJyG-d$~V3i@Uct#D5GoTj+B1ouwiU^y?S3jg4EG?k3)8DXL>(K z{T`D6;E8IqW(`;Vw?fqqb9=3(r4hFFX0v@&`JdF=%_c?_bFbOm*JXWKn+9l$W?w9$ z#wvb{f#`bPc(Cv=F;F(Q(zdfbA5b?+uYM0xwoeGfa#?*d2~e8oHW!>j8fn*70mQaw zLi>xEY?N)N^6YvXn~#4pnX3~bZV1iBJ8bIPRD9}FQ`^GY?Z=#W^Xn=bJ$tZ=X7}bK zQ6BU&a_R?1ZX$v7B-aUv*L`;gcvSX7ORd4cdOp@S)Tv$kb$DQBb93{tdau)?%3t-! 
z)s9V9lNpXhc#m$5mE__5g|ecl{Fel&p=6ZBa{6sYI}?eFeT#scNH5-QKq7d^S_;i+ zCN%q!dhR+yOCZ>C`Frz`xqWzX?=wk=60sRd4}p{#b5+E|Jh9ZkJY&Nr(L#OqBvBqT zLtNXM6S`n|lJfPZ8zF~%y>f!J2AM!iBeV*NTdl75=aSxhg!b~BCI)76ipx2au~d>K z+$CsFVgkF=G}V2~0TzOsKG+N_O*vQeN5uWYGy)dyyC1&geNQNDudLh8iX-hl2GZfQ zxRsChngzCtr(MXhUUvZWnUuRq)s}>PbZwQVL@3Q(;{(5vuo%|I4=~C0zKCB%%1DTY zc^g#C{$NfVLw?{BZ@2&=t~j401Y9`h9fD@&8K0F4ieJ2{@m6z*UjB!X;DP#Nkw**2 z56fH~HlniDwQfMshOs#FPf>KmBfp$>pdEW`$C{5+n}SyAnxlEJ4sYB3yjDnXMNxCX zJOaVGGdtQ|+U$utIQ-r;CzQ<&Q2clSNCCYa-R8Pd;51w3{ZLJR;>zbfgmlT$va$II zG_;7tt_{khcM$lC3;;nGU_&D*{A>2oG%eS&l_oB(FH5yE0W?9U#Q1fPWRnKDrCmt~L3Y+aU$GcyQL1TblxO~njpiFnED#QnMS4@<^EU@G|z z$~XZ~^4u=K9uSO!=&^&1Q~v!^^dmTe3)SJ0*9cLbm#qC zuU*RGcJNcoIvX@)GcDRwv{#-tlMJSZt5IXphe$~pKbD!^uxeRq&dyH2q3vmQhwQFMFYr2_0F6dgmKSNH?hkCqjzGlNF*L*M2r<{z%aAAkt5w%6y=o7NTPa0Rhlid6z~( zzMSHf2Pxk#ULnS=18HQY4l#Y`7P;;%^t-3=<%`M}&1}`@mrqn{(*~rN#TP+p?);}! z0DCq^aGQ7+5mVa6aS)4q%t)c?kEK&ra#uOp9!n~=B-PA=7ndGsOC zt}cN(qn7%Pw#bS=ZR2XcxF;R~)74(x7$W^!qE5h8NA}@d*Sir+JJCezf3MqGB^`|L z%CY=#jgy?%vI)bj>nblooU*QvIo*l3dH5sHNuGK4ds|q3jr7GmBT1t1JYyc#dod@u z#t(hshbPOP<;Y?&`bq^`6J=8h%HK{FZMTtN%Kxb;JPz6N?pVx%Cs0s`$e&(UlcWdn zDbjTx3Z`2~xm}R_G3#u<6l!hQjJIT@V7=bV93wwHb+DiIbDufMKp~<;Z0Dhbf(wDp zOT7`pD#|@^mlXnVG}z>Fcha?6j!iOo_P&3`1LV8XXo0Lo7YEC67cS#{QvT~e!5LM6 zY%$w5`({~wEL@|lnjB|pw3kE=s7Z0ZwrP7I-MN9CTqTY1{=%jH%n9p=&4VwVBW8&n z`Y3e9+;yTVVoV|A*pzMzAN%y#$zmC9%S*E}!Ru2bCs@K%y|$J2Gfk@=i*s;l+!C`e zT^tl*HStlv9S`7{iE<~*qN{^|FD9%ho?H0WFD>=BZsqE#bB-ZUEF@TS^PWxyYIY{K zN)eY*U3t(EA%|!$oxBu7**FugaP#E0QegBoucD3V)hya_g_fE6Za-ZMqnimJ5Nl!u zUwj2}Z_DG>A-rC_0rvliwCd5FE^PkC^E^K`LYCtPp!(<>F*z`0ay zef^-Ii|ZX>Lf)fq;w7f{C5{94%*X55&^eHVC8nvSltcUU@{>bmZYkSZ=0B_7h+pvt zl@s8J1BZ_IPeT2UmiN;AJs7A3<9Nmtngof2O}C8IEI1ih3mJUeX0A(q*bsQn{YqCG zq+?R`KXWNlv4W@R72z6jsBSOb)3I5SiYuu z&uOStsoFpK0W%yAZwJ?ld_|4fqJQlh;O*e@*Wd$al3s!eVl1%%lb49{x~+U)Rjyv- z59-M>{HhU~`kgd_d-<>`CX;1!Y910!gO35j+aQEjV$MtECGcgw8mtgUQ1UF zIZ0I@6)<^}7b2Fk_jGz4V-X62p`VpB@C`}&vJ&o>B`_p_n{_D<6`^Ai&#*ec1 
zs&W0Ou0}}Fd}27@!%JASxg=kZ}m}yYT+ihSFzG-!?4x z28a1@51y))-mvT_fNCUv7(ASpMG3)b>e!lo(H`Tcpzyqk74Tp>Lok^ie(Y3*kGk)# zjj-0KeZ>|tZ~`8L91$A$U|pD<$J1N`5p33Ohy2D=9hU* z(a7(7r36Wr-m&Bv<58Tdk(WoQ=nV#VJ74BEf&Tt*1N#@#-)Q*68?l+P9hMI_I#+t6 zgxyuM!~EYdDi6R&q~cQ(?)o@hJt-%Mk0X^D7&S~hg2(08ndiR}yTf3z>j4XvqTYJl zdY92|j8~VxZol^jO^k?WM`lNF(SoVtpww{V-7|lPP%0Xev)S{Cy*6>r*icWb-HmH{ zLqX4M135+l3{9+#73DnV69wr^Z8-$vJy3m~Y9N0~37u+e@ltra`M9iQCbeL@1{NNf zl+i?gqn3uOfG@;T!Hnvihhn~A9%{LM{Iuyr%GW*#osJcyJ;_7a@KUM<3EMFVp7iDL0=_c}Nbz9+!4XD4! zc{uu#&q;eMo|Us+k2C3ZC#K9@1Bq1lA-3IU;gYhdHXa<9*PE~UtgvqV$e+OXt*8Os zAV&R}1uBpqc70bjNdk*v2*fVu2M-Xo`~^Xi#t^o(bz!ELV; z`1>SLHtKwhJc>p{+!D*(u9t`VgY_(;#QWLL7b_-I791qQ@@XWbOXtLW+=-%7UtyNX zH9BO<#>c1_QQB`dI4KKie7Q|4<>SUX=wyFOC(pTzYB+C#w>|DXo%dRsj#tWw?ESS* zN>N+Qn+L+V_Tl%TMmv$%OEeBSl7RA-RKM<26ir+|$o0C^-<$bt5zn)LR6s1*q(V3~RCsnP zg>g1bO*BcYZ;zC70qtvPt%gy{pq|CPGf1Gt8RYr#((+!WbmbK7Njqcp)_`W_b);O? z5n_2BsVY^C;&;E9LP?OM8uPqX&}OMWeurHlC51~Jk8kH`%;HvCQx_)eyXrNJwO9{} z`Nv+bL^rhOZNmQ)B$tMBjp(6yU5uyoXKs(~!#r7n5T`DNLQVq}_lTJk#TRkBC0m(h z!LH2pRiqNZL6JHzlPYe%U6W(u>*FO`Z7X4cbZ*MR`jtu@D_;`|%|hqW9*Ls4ah4}O z%zAVqET5OI zxZ8E#IgMw+PwcfRT`~UMzB0*2{qpni_9OKEpZix$o_9I#H2TH9y<`u+0^AGt&R;U-i7Nk>bl4?ot&y5HHuuBW^FBN-u6+1HtG06b@!h+RwQ?kEhRn0x zwBtN(-(z5$m18V6;ozR2G)~EnyR+~hA8y(DD?+7DyE+hSY$qKV+c=ab^7sgp3(-j*)nf_Rc^R!*+>qWrGMP$ux=`u&uv|1 zM&6druh+Mx0@ZsyTDf$Xk6H=jI2YJ4J|yDJ(`)p#xy5O&W*J^}d9N$RwjkHV$g;^Y z^H2`W9gzk{6}*OCo;HC2!N?TslnoTxr89 z_ZrAppOv*G&Y|RY>|BZ)f@?&{-%juhFza}JM5^%KIQy-_jXTML%vC9Z%u_aV$zBoynf;>K4S~rOOX*BFwz%4EoXHE%%x530JC&syRZDEGJ z3`+KZa`na58!UmSzO8go-8;&gC@lB0c-7aAUExFeep9T~F51caMgkkr94ZT}AD5`< z2Zt!iZ{L5UscXE6QX$_hk|M`DPsO)f@l(TsRKTgigxlZHRi%WJ>e3cgg`xZaf46R$ z#AUetPZT6n^4CJ~SDB*udynl$eC)@{o2Oy7YPr~pWm(JmpD{=CHf5X~OmeO)k_{T% zyQ3u?#i7!Y*NEw8l~oF3vr~RdLzN`_AFis>b)eykVvQn8y1zIDW3Pgn3WP*7lR{M8R1TDUJ8)yjLh-Hzz` zdL6;l<4-R8vLrCnV}Qt%jP;y~5AodR7pAU%>gGC7?x{<_u#ZWMn=3G>mSy3%Al&n~ zc5yTB1>RUA@KKl5j-`y?FZ<)Zp}3eo?(VW%ShH2_;c~blF)18&;aW2qKWigr1nMU$ 
zA>krZhg2h$R}l+WBbx#X6lUkm(GKk2FD|aN4R_L_qf;MztlI9tDaftm)P671XvrZm z)akO#b^!b@K^^!RuH5XOL|oMu5ce!b-fy-g!!}4jg7&;fCdZ_Ah=*iEHr-@~PC)WI zkkGBP1o0PDeeq(olw6;$q_A+7=oJi^Y)d^3?zcu-$|ZBA?|YLf#SB}uovX}pjobQG z-*q65^+;eQ>Zy6G1-uxfJLL82ii^J^4BqVOi)4=1l@M%C%NX`xtzNtrs<10w+ZSaV zc;R$FnbB)DK2lY$&0Sh7tZ!?7AAPV>tkc%|jm*p_{+J~8sQrz_bnXf@%yds#Cv^S2#fJR<+f2?o#CJFK1B{O!7qm9PI26;KB(ZRnjQrJXkE1TaTA1-0+h_Vlcr= zh|Hvjk-TjB$W--)zjq}dh#uvC@7dt#5qym844f6TBI0GCuxk*>SBv*`=M^RQudb1O zJM*g=JL3EljSj}HkEu^KYn4Vf58Ucz5soHwhzD6eJq!{C9NB6U1e{^}e4eme5)iB~ zS(k6V54fUaCfr0uSH~q(!q&*BZ*z!hi|t6Ut>ITav{1EDaTd2)pq0)@fve*kC1eEL zqG-uBFr6#TvB+6)@UGn+VVrNc=`tIfjr(@8?8Mvvk8k!tlG;U23<5^wHG9|-+h+-O z-Fn6plXwv%%koJNhRRc)xoL+QQJV_#v)x_P&C)g+2wx}u+(9gu>b!|n2^*akAM4>@ z64H(MC`hG!)3eUtaM__=iqtpPHH{-R#^pw+V11qSE^?B7kDxVx!qzWUEfh#-Iwy|; zw`HhxV;#{w>;%o9g(59NOSg_wa;C<>X**~+H<@}rBwfAQmzfCn`C1b}Ea`bm+cSM19bdk$q+Y{t(;8zo2_e;~%hhP{6~7_PN1 zNXR&U!%(Z=n6N2@qD<0q{w^EhdFEu;adie_zYf1H^zBgCi&2n^9hzLZe`yP#!xN~C zKTh4`EeP>AcGMXv|27Ty&a5CfX#%zCoZ3E1?(8&uL&nR^X6vKfg&r5lEo-h+;}F>00ddF$yW2NincNUjUpu(+NSz?dDI za?`TMV-XgPfYgTOvqs_Ie*7%t;&BP=c2q-qaN;OGH$AL;*G3Du6(`B-2@h;~IajYy zdoOkOW7iZsVp>P!?tvH86E*x&xnheKUu|4{`Bfh-g&FildV;7>JA1WSa! 
zBvyD4MzhLoX)J^7&T`a~pm{aGXOR^TJb);Pfhp085Rv;-ci3llaSNIjkum}-N zfgv-DZwHWV>-n6m_f)hzHSP)0lZ}%Ryb11aI*!}(BXx)098%r}9=01gEfiHrUG}_{ zDrn=GB3Qzpu9QXRgCnUq;pPFWFT?NG-v36cB>=K~bGG}zj36jr`hr2{x#R_dK@NAk=sD%dvqiQHsO<5{hxz2bCYR?U zFMs-nQlLssnHY-}i@84UwZ6*FCXdz)H?(EkewiGf(2`Q0h44!axP|*pk5392n@&au zi)E0NL$XQ{tYcdwb*I5aEraxxvU$?fB{uOHPp<;Dw9R~ zWfY^~^~}-Z)Mr;Fiz`VkQj3Ohch?gLMC03c@31)!Dy>U3s*g$vzunf$eu}8h@IAhu zH8+%O!4V;O*#sBYd8O|Y%RW7PZe-KBLd{PYzT z;Ehg&*iJsm$924eliRA|*me`RcL?x_x;AXOHZg7UZmHG)a1z02&73^~MXlpa zu%7_VH5?&G0U8UrWjjph?+?#Jxt3dO^HJ@HZwV+c=EVti&iL04;ZGcn8(dMiqS@F$ zkAn-7!K=b>7Tn-JzFJ2AUbYr{YjH`<4>v6SXgu4jEoaVg2XLz;^v@IhxG#xh82r@& zRhs3V;zeBdXq(7a_o(-T>BERIMun?`tQU=MZf{7D2ud*2CEmdBX)fBd2+u;FH7~34 zCotQ5=X65c@_b~7R^qa0>EIGZHjv0zqJ`kCEwU_3fmUFXcvIyFu#AZfSVCCRb65>F*Bb^De7e->&8z1!edpjs{)hqPJ{ju`F8*C$QKKtT)M>tsQML`mqYxl_p3oxACYihhr0Sn1-3C z@uRpgAwNPjOx9}U5l*?|dNV*_F|SJRq)0cr%{n3Ib(`)CncVD##Mf2cdTq_Z#IA{Axz^{A6PFlz8;JHT@}{|r%yEb=J9>F5V0MkYA3A1bWrbR2B~Ie@808Ua1cQp( zHluA|VX1PZrOlX#Lm4h6;=1!&TFV-?z<;dWu>Dmgu9w*kpEbaJACMDGgS^!wEqEWy_V90EqW0woN%=9qT)0+kebPBH<49txdw;U}S?9wVh8^r<9;1`K z2-%83bFpQf?i;__K&Jsbb7G3!*pO9pHeoJ;4c=J2@}o}Wl1BC6#CEv^)=_@1SB&FW z6X(&y_WN|Kafy3Hy}pay&{FLBg0zWkK2_aWMtR!Gv!(blZ6E^a?+>}-!%sBI&D3sUy%RmN3T7eTpBZH!TYy6 zLF;R-{C>$tVtyKEg$EHZ41`u(yZi<}Q$Y3`3;$>~EV13eEj9-qiFI%4A zU?Bee%8~2PPriaN9!c(KO@ocR5x;vZRQLL%6jdZ!IeF3d|Z{Ju&k;q+y%+Ebk8 z!OM&Xrj*VfcoHLr90R^YhiXJ8RCJYuQXr&vZjAteX%mm zU%49*5%F2>%5d93 z4tt}(;z{a0Tub=~bw*td@D8#YIs=r@m(h>FNQER%r21s8D_H{f>GtBVzu$*&O8JWy zojt>_`;2_ue@*TcG`cIPTJLP`g_(o>euhUbQGj2)H&c$x%+$1XwDtFcqp;TDEvEz=!sz z5p?w52AKbSrg^p|vcziCs7A=VK>@D=d!BVz%L^FN$9aNFk`RIwJ(0{@TNcl!bT*rgcsS zBqScJ5Tt=t=?QT3&QSjjNPO8efdzv8ULWslCT%e%smntw=cBFRj7xw~FOpfkB(07$ zDp!P@@}hIZW^|8{RN`Gj;tte=-ctdHQYUHo*|4IX)USZZSO@c!XRMSSE0A>Wz+oRcrwFq?#*13m%2M*hNUJ>xpFyo{iaO3-ODR z5D)&eMi_?DvKSAcBpe83bgd3#$XRr!h_&ciK|r?s+sZ|KyHZp)R~@h5x- zy#t?ba%34t9EubFYa!a zmq6Gdj&zGR9;3=odZdo2?abGCV=g%5YoTbQH&?LW0F+D3kG%C{3-AWF(#R!f%_t0$ 
zoXwvKWOlblFAbAmmlMFL_BqPXlWt&Rta}1z^Vl{3T1~N5NM6m^`3_iV3?PR)LX6bY z@N6cF(n5g7sJf*2310qYF@B`N>Sf+kai1X+6sGib( z0goL*$q{&gLRVryUg;E@MpRJQ>GPFubfp?y#vlxG8tfyhfWW-q9|!59WHZ2S-%^@w z)DfrNLl9iFz4^iwjNlvhC9kDshnj>E-z&V}R_9&Z2k0-bq9b~C5 zfV`RyWbu^M=~T#VH57@7>Voi`5oHJWnHCzE686 zqgs>+R1)mkK0fu-EC--Mwp_d_1e4BvyQuf_Q31GZ#(OcAHmcjr%?OP zONIWIiPxKfg4?u@u2(J}|3~3+d?VS34f4yAuvFFKy4^@CwGNzBR`J3^=QY-eqBzR$ zx&bmpQo?<;-t^ z{i+EV<-uO@p0mJ6fB#?#kF2y%oYbBuA#ixG_j0f*B#>7_CNBjHb>(h}{uj9UZB%Sb zY^-KanbIE%5a_BbTemluyk7uTJwj(1*g;Fd;-nI~ijZDHXp_f~x^H2&Z=Idk|2`0( z{)hbr7$=0wNO#Zds(<_%6bycSm&9}J*J<|8i|(QZL8SKBf4RW^xces1HeXR=&g_*x zZ$u^k&ujmd)qjM1W>G+MYpOdPlYy>0NHwml z-HfifhizO;v#7g~|KIjf@)KiR_p3BFbg>rnb@#z$vRxtK1hxsR(Wn2tK2pqpj!@kB z%T4x|z)!UkDDeyI1Sq3iC%rI}k+N_XbalO`cNOf637p&x&5ut$+g~UH(+aa8jkLvrErZnn^P1WJ=capV9D6?iUMdU+H^P7Y^$X+_eb^Ou z`Skerk3VjNz`p-%P2hd;A3vOabbALyTaepL{`JBCdF@|E6YT#qK7|VbV5h|q>a$`~73iAv?^m|$>iGbXkndi8+#2f6FptgFM##p&w`ymLU)B4S!8~++$!eARJ8kpx4)wy zr_U#sKL8#jvlCJq6sRL&$YF#SXb+epS+q@$4tC^1+(Ek}8hr2AV*e>J1h^~L1sxSS z4SS0}nQjdq$k*g@1S#4UfOHc$>}sg!D-2q26(6sbw6Xk*c3=C(0t$eiA0u9B&^1N# zMX1AlnL>mD-*Q!1t3kbUi^ZX0_>%@CO|$&65YjhLC3=a5{hBSUUmm)%8NnU|`gyr( zSc?JlzAISh5o%7nCpwfzTn2HTN<5Y?Ke@_Kfaw`orEHrX-}BAyt&WKDR3b!6yZdDXbXgqgo6TLDE3hDz^N;4 zb+XBi;Fd(gLnm76_OmAbk}wvK)xso;%{55EmysZ(e#i}_d-9z(`a~%qELe}C{Pke@ zKi+f^*;M59#COx50yxlkVZZ$V<%Nn9Klh-g&oa82(+oz1&hpxWvsaw%5a5p(6eWxC z^*nt&E>yy8F<1A9-6{mu(gfa5iw*q@se5cNooob4&J-)}#K|UXV<1v;7g~JI9ad)ctC@AwG`uI*L-v^05rGzvDTogv`f~@r`TP-*1JYE+0lpMGds$y- zf+l_dNcwOplzuj7-0tX8qiAYqEP}*-8hSO?@;FA}b938`2oDr(@*n5^2!((2Z$MgV z(VH@$2n8KqZDqVRG!04!djgW1C>p(<*64luW6fWq7s6`rtXa}x2OX8K`|!QtjRki~_Rvf-z3C z%S@GRiV+vHjIJ=;9a5PG4)vocTESw-bqe_3Mpf7b&Id+8rw!;pBt^tr_AMlUoDZNx z>r#&tYng2aPcz70si%%iPIwJa`|0tZULo9R&*lK&oVpR~n~NVZGBT!&0FP;r&vn`n z;79JxxyJg(xLiaoAvklTWQjfj3ChD#O5fjo(!KcU9;Tb?&6jvXcqdoMBc6K~Z0Z8< z{1PCM;H2J~X^)MhLB=bf!R7(n$f0_Tl7y!EIC#`Z8<7Y-(4*GfQC=hJ!RxNn98!Y# z$LX=kHdu#@+3NentE^*rA&%d5CE9xe-@48lhJU+sB54}o!gMIbl{-bc^_{Fe?e;}Q 
zt}la(uNte?)quIQ(rT-+J_P-}PzPN517;kxNGtJZghd<-#2hdPNk&zdk z`f_q;lZ=k9k?^ud6B_`QzA}*bI85reco%Xt19z>S$rB>{L%?r9{|Zz9)*O}PTYCTS z_MQ6jCsk~aBlP^j$UzkiJ*^&I%fJxNoehjszUNsvi%|b_kb8YXf&E^4-7BY+1(Lhu zo&TpxhD6?aXdBnVwoDf$>gz#W&UQGcl`>>jSZfHMXJMU)hv&Lgo5Y&>FhvPKfntBfv{`Ec6QwfF(T>LbMr6z{;VcRK|L3H?ON z%1p#{10jcd0O%I#okiE}0KoYppnPS}*E@%xX2*y(4yF0msJr%U%;jnFnep~9M~g;+ zr9gd-fKBX)Ro$N9K5@f)oWG<`j{BEO>S1b2=O0e$lzHGV?$RQIlnpvkjMz&MV0RUbgY;P1Mz?U}zB_tb*nKeSOUea+VBH{N62Mp69|jOdUlw@Q8kW|aG!j6< zH&ErUlCVi9eM|mNTLIhqA=s|j%iV>*d~!pec^Dl6Q?3`Pc1?A27ifo!mJdNUlvWx* zj#>k33-JsVk;ID7&T4rC0%vj$uAbjWz$P3AcI2NmtfG)&Ghj(dn*ae7b6~e*kh;Q1 zaNoM@0i^thO1?(;SI#&`Obgu11fB}OKtbK;52d<6s9mEl@QMgZ!PQb5t!2a*jsha_m@4H#7m-h4U*wQyuB0si=87PGP~I30 zNE}AMF0%xnrsa$U6(6ChtWw)% zdeNLI|7`eM&~Q4-OQ$AJ86`HZvj#qF{K=3GpQ>ouA1wn#CWEle^A6hkp%KEvL2VIA zJlxpwjq`Z(_h_B|_reD}lSOYj3F^TSdeDWu6UVQ3=f_pZ`Ra?@&bA*pf9SElI+6q# zp~4J#{~F=}=q+%rnD?J9`PZB2prnbQs|)}7W7c`;oYSDc-h37GkSXmW@1N@R*N+Iu zw2dEEV*#u&|M!Qx34_Uxo?V3buRrnvjEGt$S47)+d*-hz|I^*mp&+O2s&#ZA2C{Xl zx^8T0X=#~Vo%_T6AF?LWcmi0sN;{pGZBed)gWiDJM9<@0)t``x%8-eLKXg=qCSe&9 zF!wa-96tpBWpr+S%FBNTJV50@scV#5jt%T82;Vu$l&_{&%m~6@%4(AYy4DV?pfZ;$ zK4gCl&}s9Ml0Jac9c63hV#brbPFMWVFnefz%RndA>`}3z^KStSXu6se`TcNj!_Q(o zXAGpSNUnTPxefHX8w?lB1v!UMvw!GfW9qJ99rsO4^QJH8pcQP;I<^<7B>r=nSL*i`--$iD-Y#Q4gcL9ah#!CoOmUyD3X zGW6XFpM}irGO){s$hl(L&VVYvR|k=L($HzMrX0`)1B8A8t!W^=oZB!m0ZN2x>L|aW{X2Zigd01Vk49HfTlu zi^dU)pU>{#eywsy0>+-7fBnc3a9HXrRrvDPLtl*jzkT8A%@gDCq}Z+ZpSsG;2HA*H{50!+g8!m)>ew1uLu9nWeyf7HX)ng zJIMUqvZmL9B7gEBU_T0}F#ZiTh1R|ODG(-E#A^hQ7MNbTf+_8?zq4XBRwc&PMazfL z;UPqT3SfF;z~1Rc5uXVHNca!nKx_eUc=LgtKRaVM7+;OOBwEwGi`KBaf`jw-dSVX} zDg-n~pj5CoRCAv5$%hL7mv)bu`8^fRkdPJfDf~1`!7U;JU(rThFsCz)hwUbf;Iq~n zxT`p0in#7LV;I7JD;HxeU^IDRky%33fkRyR9k-=jqBY>=(K7M8{o{bEAuY1$<6HE- zw>i%zXaEWjxJB}X0!jHp1P!vq4}vH}LP(c^vraa|9pS?VAY(xLj)oxXy(j1vatp>b zPl|0%|GVv<=(_-n?iQcD`8s+S3>85@+wRT_au2yL(J-8?UtetbmF-_3o#?}2GvIsM z{^7?uqU|u&L{{#*y3k5PgaZQ}HLM{+uNM8#ctAX4>S7 zXFnV7FajWHX0u4%XO@&3F7g1VbPgUl7UH^q&#Ge%)u3K~`3@KJLGM+xJN)Wz$$2o& 
zZ7S)gb2p`~kiL8pg3-5eQQ~q$inu1!S2v9tQG5;sV}J~(#TMmYYr&|Q#6j!ca}{PC zsr+VX;i7>R^0mKv*_ZYKSinXw`y@{pen9cKiILY*{iy47TS>n|QB(hPXrg zh}m9A&L}|3s$2*bIlsO6e(2y^iThfYHQ4~HPwbWtk5`RPfzR?ANRn4U{f62MpZD+) zQ^wIJZ?2gh$Cxf50c&c6gc1-O{yKEH#o*74mKR!pW2Z!?w^72Y&zl(3zifSfnxx4_ zK-;Aea_aZG$s4zJ3z$WpzsLQpOp=OG0L=+)FE%|t*D5%#TbW}NkV1uemR=jOOdR)mH>BY{`;jD+~Qsz3k~%38Gvk=x@*MT*rERt zcG&$yD-gWt4w9m{^3u~$ez|3dbO5fCMZ1dqIUy*r-RNk50z5a2CLLf;{q^RqRU`&C3Z6k7B}WCv$i^zW1;a)!EUa8L`(nr-zB~gZo&3HP*-fVwMveBs5FhjQ zFL1}5Sbj(Qo;L{;jl;FKKxD+IJ^Gwnw33WE6C{MK!KA&$(lC8CaaP?v02?FJmFx-z z;cA1VsWyaimU_j*{kwtSePpO~6j>#}A&#Z;_{^eCYCyqfQVT-u61h{&g@o3yn8$Pd zuN#Ekpc~_hg)8T(a8w{io_X6pTtNcIDrucL9(Mql4eIzDUHW%V&i#jd{xor}vuBqC z`2#VS$MJx)pmX>9mWTp$9{a(G{R?{hk4uKZuV4T3T4?tC_Yv|9imqBC)`Q)PUc)Mm zi@Ks_F~7!L$Osws!jN|R?_CO7I1FG7+oziM-JO6pG?qWYJSwimD)Bmb5z+o~dtNfp z_vabBr>hIH8~3+u*UrrmCEX`opBv4aQ{_t9A3E15-&yeAjUri%MPF)iJkdX?mthZCd^)S5F zdM6)lGu*>DTJk%d$&3H}raQ^4Zlv=@1Or`HUv0HTaj&KQt{B(Iwzx~}m_d@@lI#R` zf1S>F?MC$fn%HUW~itcpknaM2kG2;VN?L$j{c|dzU|Narv-@$Uyl~ z$F9h_RzrQl8X4SpJ5QFxEB;JJ7#p}{!9XHOxTClA^8XMFz;vuW&a4wQp>s4?!Y_M} z?!48b$rq2YdDm*SSZ*j-^_yNI|FXeCcXi-|=r3?D%V}cD-`OWsLy^Gd3glnLP6QTK z(rv(RHZr{zTOGQr}(nO@71*=e1_h1lSSWM z!KfRbzhqeR)H|A@@n)m#`7=F{*ppfuN{h|H&T`UPn8Q4^!$Nms-DaZEPzq1!(&x}X z_*=FKM9;=^>$APb^b}uqoksc*vopW;&HsI%I{EqcA2b#$pIk|B&L-I$^{c*rGwO15 zYvIkje*W zY)+TMT`ZLW1sS%J<@KeL5@!4Hd_?D#X7S5le&=50?OkO8wYD5(yR@(A(5l^{xBf!m zHB|DfZ4uP;%jraax0nN*oP^QnljoJW5E>HY&Mh7p3Q2P`0%+bU0jBs1-(_;#-ELeakG|*%*b^GrP6Z?xw(n-+PqAhKle(X|(l+67? 
ztGO>0i*2*oMxA4?-tgNuC0Y!-zZ!Ob4xdATYUoo9UilMH0OLGFd=m za<+N=oTgz96H>H%IAMXs&%i~zLuiIj(Uc=cjOS)r@b9-(8WAsB2I{WSI&QOavG>*f z)E~u%sJ4yj_xlU;R10-D9k#DfdK25$dq=rjZI_rASgE^wRc{%$pV zav(8>@tvLE`*8ogc9iWNXNRGuk@035MzV#u3%Tij>Q=Q|JqAfXFnt;h%?P=zlPpSF zXy6+ie4{3r@rDq+_2Tit3Kunc8+}_Ot5w;-k0w9O+8MD~WX_={Z#Y+;6^olM)XFa& zzXy(wk4RT=iB@PhLJ7qrSvH7@_-Z6tjBH@Zgi1mu8?& z?GX(^8CTxD^W?_W)a>jQ7f{M|BFH#vT6jl(@Xlmr3e=<##O!5EHDIilK<%veY#rRG%IqM$!!&oWCX3$<3XP%=Xa!v^7>~I^Y<+=EAoI2oc2=Iy z)5FTb5<}v1DQv)dCtvuXyPj7N9KXhz?0&d&?tW=rT9vYtFud)uTf=6d%)*1?*o{3x zy0SB;#9AHBs7gb@*quUVq1r7<{MOUP^ao+tLPRXThDGDu^~AzR;Kl6%og%WWqT~a!oAC1DBI|wELmopTN{wRfF>r96W~kyj8O9Kfd@QX z4c}LFa1dm>sqCmc569J1ofrh=wK~8#Z^=Vw<>uIg@Jg=}rFJZhM{qS_!~tZ}v^dIc zZTkwaj)*sDerY9>dp>8|)xCCDdDS^Vl4Edf{VDzSh!ayE&cC>ujmh0QNl&y#VVjY? zy6{kdx#qZttp6HVO>NJFy9L3#L%r;D+r-X(hEm(=x`1}{|5HA76uU`n+b}-S}P}j z3^*-+Ow*!QeiI04w4iR^bX4DuS)*3&#eL@tOu@rdgNy}Etli_wwQ{lod!TfDRzI(& z%X0OKz(ME9VJGIqb>GPpKNg0U7LxL&D$5WKDOG+bKqwZ8>~J`xoyPpv>GyQAbc5X( z($5@QjJkDVNk+C2u2L^O__Hj+Rz{|BT&LRk#K?ZPiEA{7`C*uC7R#7wOU!C&+Bn2~ z1F7~NhT>qd*RZ?5qhV(cIE~8@Vp;aQo&lM&d;Fj-9lQ~fZ)zo>PURML3gVNY^yKDM&Hk(b2_*bX62}eF|=?o{cmeuH?L~RzJHn)NknH z4vc?QSOT97=HJYJcq9R7=@jkDhUAi=FzEx2tz{+dtFrPW!E(9hye!Nv#Ml_$FDz%+ z!EtQU2a$;abTwgxw~H~sTG=2RF#@7>YFV0<4ljD-zvMi#7P;6YEG{I4xel-sc?!C^ zpWLxt0u|zshj@_S%W_wmpKixd=W-mClSGGIN}8cbtbl8f22qq#Zm}I}{rVQwKG2<{(xjEdm5k*ySIyjs;-nYP zx;cAX)nn4UqctCX?)>G)nhVvf63v?;#3v}|$+S{YMrKJ8fmiisvyNyUH--BRdmsdI zZ%eS9b+IvnnmWg`Zo;-#YP;c@Okp`}e;K_$+n|^^SLr2gtil?-%Q4CS=2kFZK(--$ z2y^57uL}uJ{kuxdm2%YeS=FeQih-2O>l*(6;#-@uJyt4Pial>AK{Sehi<}@c;m&&} zH;)Yfj;Ti*3X$7#;3$Heu-}mvzjs}}p0NLR8(km!VK*J?CKERei!cSvHMGSuj7A20 zFO}#r!bSq5RZ!*XGOQS6s1@g8K;4N?4?Qr)K~WMN^xaQ@L*rB_^6C17)}D{nVcid^ zpgQkYkdqJ6Y4X^XyU$2S6B7I;)1aHfWOoIvuzp7+McFn-VEvuUor{%L6aL)auqmK! 
zEn09nxgQ2D(nWWfq?Hw?Hz#>EWn2biWAWz;+>N0x%5>@$<;c7V(x!Oc>u4Nr z0KAb!za$bc9VI-!EJ3Ke4dRc1F1J4QewSB}f<(`Pt0U0C_n(Jg4usvaZ~Q!jK%n zO7FhEzx+&(%$Peb$R~cD2QG2XD`EU&d|1L)S5One*bZ4J4Y^VSgvBEXMtM^R4#{Vq z2mvl5fqSxd_m4>C&*T`K7YKHk#z~Di*i;y9Q#$K?ZR0J=_@dRcxnMc8Yp7XR!)lx_ zGUlv!jHzMu2)C+_Da)J)qQ-K$_u0n7ivh*n1OgIwJ@11;HL_BnZjaN0_|1v7?#TB% zf=Yzi7PE74(Ls{>rtb!$>yt}4dD`hP;B4hDn#o~ELCS=?-&~EKQ&&z+4vLO9ObLo} z($p>TK~Se9$;BsNM#riEh)#7@WV)dtJs|8}>E{R~52ajPLSNY&#U!fnn2`uL34yJI zb^4Bhn8?Ggu03*{)z3Nyghh6wK6t;m+2a(8hTVEZ(k=z>nwr*y4;2{FU0lhvIhNJh zx_deHT*P8Th&d4rR#gS<=0zG8+WI9B)b}*WOcp4Ru)46bO)G6&bek353dCxzpI7+l zNdIuo$mO(EP}p?ys!NWX6o0-^cS4t~Uvk^gTuY55;BB{Wx~5#0 z;h713ZZQ4cOnqAWqhQ?Svxu9@=cy`AlPEW2WiSd3@Cpw?nTn@ShC`vRBeU#t#rW~Crt^MbL)IDjOk}e`Qf0NxRZd6^Tl?5CU2gAVWVAhD_K_Y*c(qR8(Cc! zBp2e*c(X#yc5fNandW#ZTXJG5iTN>7O-4|x`EdrlxHDQo5eh0&OWa4Tp>?P(lUT6s z5&6%AIr$@y>8VsUJLAqdmOTbzot}rw1)ar19hR~=HGZ7K^eRN5Zq8{?psyaUYPIm; z%f?zG9k$mTqIIZyuBCY@mM`sjJVGi>GwrT~fa%~`&B;LxUFS^SlktrKl)zCHDo<7{ zP8mLYIFL1%nRxxrSaR^4uD+7kD#U@K-myBxkY2iZ5CvlBvA)Ubr$d-CDrU56QqzDV z@-ow`+uoZvTJbKKyhc2legUW1NW|4NO;-WAgp1eflCDSyFuaSu`B61gt!}*Ds%T#ao2hwbjj9p!RGBd#)~3;jTXB(*c>CLD^Y} z39ipWCKOu)AeQnEgiO;a1!O>y)y$5YW~N^c1=!&d2FhsZ)nOApR(yK&FtAA!{t-_G zQj?({OX4BXOQZ#>eFNr8b^`@&j@R(|cw2i$FUOp?80SOAvTDFM;67y+ubYjsM5wQT zvMZxH?%AZoG_7^t?>Nmyc;cGYVYa_oq;uy6ruzpf+v(;2RtIGo@lDD)P=34<5_X4! 
zD2hNw0{bpcqPXfa;UGpwIl7Z>XPQwZnxKBZ{4Q4ocZvG9Io11%?n-Xo1I5tk;z$cV z;J7~N%wbBNhY(9RR~-pcFdsc zDY)RxS_Ny_*iI33RN?bYUdc(C|bMmKIQ`yPHCzPOO{fy_Fz@mCNR737C_xaXxrfoM0M?Z_|wNuR) z?Bpm*`YJ(Bmf{8m{0a!Sy*$%k@W*w551=fDtj;e!dv1sA`Ix=1P*!6m-V%s9+GeU) zT$o$Qu?ZXaM)T~B!4~}`k`yc7*?htx zNy>By_++b(`wYP7^dm1Sia_ev)e1a?y*74gP9V=rom7@x!4MY+c-^<1?~;`YbJ7|G z${!0h*da_`eY;~AfLEtf9(Bl3Ch08l?lBbZMf-i;o50h5X;81pSNvLod5k3O6zV&a zYY|Q+AmgSCJANSz+3I`VgUGFZS^)K$&NI6VObNdiv1I^l^xNyaOWV~4do^ZRrnRBv z@+ovcR#&#AHVWbLH9IP=i+FQci7h~tzYC3)-`?yiI12-n`U;)NK=vAeP8PQW1PR6i zqQ#Y#%XN_=$`9f^5!N~tTKkCPYOxSYc^o?^gSWvHdays__B*eF1DVC)qQtAkGApOm zxFB;6Zvr87eJ1P5;vk`6rHgc1gr=EN@p@t9tDv~Mk)75EUsz3!+ha@aIV8ZWDh{}` zu{DQ#-n38otofn%jrA9X)I#2u%G9Aw#rpK#C{R=!mzA-+?_=Hm2?>$Pf&miJj;#p~RoVQj7C(*oCpe(9S+; zcSF+6E_mx*=V5C{>}E#0(b}W98XjPdYwTNtw0fbW^|i-@cO|IM>+}hi20*tPkI~%< zR_>D(r77O<@x-RKAAPZ~81cX`WlJ^F=$r3*%-*&y@m>RHOxN1e=c(e<0OWh`0EAA= z(C)}rBS0uw8Up^}bBWL+AnGbXi9<8BX;zN*fLmmj(fNMA>1QS$2L4w>b`%~A6W=Y* z0pF@r&M+Z3KxNRRkO-JWBWR#!p{wCt0lAc^+Q_z~_aU@77du<}9N8Id9}nBjR$gCu zVBC{b*i!mp`bj528|xxb+Kzjy$}ZaVj*^PvWX>|BuQ70BdB%36pJ-WGClF6j;E0k4NW2-oxKIdYhi)l&tt(eW zYCP^vBVbKrm6h>8yvU6|r#ZFun*{pNy2x5WX}0e9R(yA z?ofZvj>Bfv82i;G;L1$gC8(OH1{ExeRR_9#(&bZ!L5ay;1Kt!T15d*(z}%s-laO9= z^t2BCu+t}t1k@yUh^W#tY3`{vcc#*vQ}cl-LKn;0uAPmUzZxcha}2SWaNUWZ&A2G? 
zaEW72g7j(5qbdOzYo#0sT-ev*d+>MLy*5`v2$OHfX4GCdK`JaF3dMe%sXun?IEnI5 zVyYB5f8S~pq}iY|{dlbi3)z-$N>>#v`D{CvhS|f*h;zSPe&f-DCKGor+2BL@4Y79@ zXizTqWgpbJEvZeIaPYi!Qa3(7475VM9^Qe>_Em_BM==Babie15HAf>gLm>R!yIrI# zcdMBMH^iLrCb#{n`b6Pm((Oq0TQy8t=+H(upNm=8JKa<`P8Vi_9^K*^Z^XI+H3Se!g^3KYb@_yym!4 zqSP3J6jU)C%n52umJFkvi(u0ebyD66Rp6Icy&E|90WOgg3xFM20y5rmv3SrV&5NS# zOdscH7HwuefO-(6>Xwh7F5D0vB1~Q&Su=PRKk85PU)*E(XhB{mJ6`cS*Ym?~>}PEk z)+&o{sfH}MzU*Y|UEU}m9_A}k37l}wP*TfUGIb?w%E-L?(kO{QPU1T~TRh^4hqn`* zD>(L^coq;#d}mfGZUbRIs{=rp8JjJb3TEnl|GZsTjs9KoN<1Njvyqn3Lco;9rJ{b` zE!E4(;oIcJiyt@_<7Yd`{F9RrI3z)jc#AzT=Sa2+U4Vtw+fObU8GEMBwG_Cty_}1A zbIxJO6za)Y;lkHoS$h{Bw1<9di2A04R{=bvV-QHphX5tS1&)Q0UA=>?}S>r z-})mdWn1>jQ#_-@2Xk#FG!ZDs_$IEV&`;d=L&go$xZhZx4;kcBkNQwR6 zr|i?|Znl?cJc4t(@cTqp8hB<`>I0c*lDbsJ)R?xV)E8p?Og@asBPyKPuHBd9nC05Wr?hNL6*ZNf)rg0 zV7JIW-qmg*g#BYPC}7}qX9tPSI5xNXtVTL`YTK5)d3Abi;-}%k`&|!)f=4@}3JgZx zhDe(4dQ#Z8cu2KFa#jOXP-fC4qtA&|?wqUmem4UqOCuBfxCI%ZX!1OSTQq&nx2h`0 zAU;f6E$>TB_@jVW{gNy_yGAFPgnVgXV(06NY;$y_3@>Z4%~GAS4^-M9=8RXW=s?z> zsF<^W3gm%6cCfLzHgY9CWb5VT5$!RMRzWj%?Oi}q6 z6~OBJOGOQzUILh|a!=U*hC|55w0<}-i>ujr%xeF>eXhL(Z)?f4%K8JLZ3>e{^BpG zg|l2eFrGgoRi^0yv{{ROX|rAjaOma7Z&&^{B>EVw17o#R9oJp0EI3EZIh7~&w-?72 z)g`STWJ^1&>pRCczZzx#7(<~uy7=lh_vQA@&ryFnbu(D*8P2D?M0(E@@A(dxH+WL0 ztOmZ`K5Weye9dSrE=Y6km&C0s8?dm562A-n*$kj%Dc`BdsXu?u*?#M;^YIp0v3iT( zFA~c$bubT&;ygG0bSP~_<6zlJlZG}m@!vP#oc6n-#nz1y&PyTbF+79^zrZYfAjUEB zN#_(o1t2E2Rj=F_hFErD?W`|;8a*)^I!ImaF7PtHulqoa9~R#p!8QU2(d7c99Y6D^ zg6Gh{>Q_;1G=Iba@H1=0Dxz?g3_{finWW0RE^b>=X}bF&MN48>gd8j+vcN@xEygN_hL>{m&V8jaLOy|wgfgqBHfXZ{;R6V{tal-}>dA53F5{7KRP~Y96UBBkg(cfTV!coR?UZwKl$Nf>R)N z$^BjeP7qwceHBtZ!uxQb2-nm6dDX%8dQ{rae6y_F*^`)01B^~VEd0uEc`~TnH5{ra z$^S%o+$SInZ#{3aJ$W;PltNv&t!jT;8o^p>G+sCA+hF5Rt$pz&`;QQ_5fdC}s_yI5 zRckVq)PvSG#QMGB+SxMe&^%T__y0JsfX5y5yMV`e&k#Kjdtx24*r1=Cv&%EFXnCm_ zYM!Xu=nh8}gu#eGf5Kqj&HN`p2miYdu^7F**`cxjS^bvPoO;RYj~@UW5{6POo+6GK zuC+U_A}`;hB2JBMhxU*_Liq=8Wz$XS_has7 z&SGF<XFTQZ!I8p1_v8It 
z@@KI=A*?INe*O6w_%Xh60g6<4?zwjK9e;80lIxZKSnlPujP$was?q~ht9FbIh4t8dH26ru>$@KwQ0|uP1Q?KwxDnkG&ed}MYIF7X$CB#9 zv-tXJHTYmcz8xb+qC90fnilo#TnkLR`8tt%+H*(lCutr|_6pE2r~Qia}lI)N^?JR?0Z@KdAa3TARMW zrs%{XpDHc2?q3dH0Y;l_Nwkukbe_G53W9g>qTTyC0%w;O8JH zJ7TaA+#A2f{bFWJH$>fWi$hT+%Cba3l^Z7Hv^nn86GS7aC{Cp}lR{x$C>OQ(y(QD) zjXqOb0dPaO%G7PzIgF?3x}90S1Gf4-BcXd1+bLXC>1A{7STV@f#DEm~JMEDinR{jm z$G7>dEf^!kzC*_^xhG5Q!In_7?WV+(-klq1wf%|@BJwv0c2ZxtYs0oPQ*Zrh-i@vz zK_Bct`O1YZi1 zMb^9&0u&x6f)ug_@PXRCVUF2){yZs1%e&J7G9WVSc2Mz35PFFods{EZiT1Cx3`SA| z`_VcwB*yX6i0%0n-!Let?(?p4`L8n924aE@plpooj*AN{m4Ru+Y`4YfYZN)6;Sd4>mo+)qgeq#=8_;(PUN$SP&_Gpp^UIUNd$&=~ZsPw$+K{8@-k=Nqig6 zeo)7&5b&d~>}-LWCbwi)DKBbiIZPjPVvy4#8J(6|069Q$Z{cyJ>WvVCiGognC=mTDrKQ>p zsM(9E5l1U}pw`hf#n?fibz1+r-gqynVM5z4x?|BiHjxP_X zXxQDr>d74JcD$yQwwDOEngvq_YPNC=KftnuURyW4q&d#}WIgC5?8I z4z^2dC8Y6==qh5clO0$mbygQ=b`jVz9L=7Fn{(RC`v>Ttb;WYNq_?n|#d=IBSRaut zC_~4CS*{wMs;w+bb2oJMDspZV;Net}yB%l>(gFz8QCYKva>D@Y!fBjvY}XA?4Imnz z^t<`VtaB6RC9m$1DJ?fk-MgDAhA|4+(HN zuKSJVed6$;UJpN8o$sH`K;B8~MGI z?&?K_94Ca3I-}xM0T9saK{&5QutE~d2_FHa<4moXdV{E#gwMo`5Af9A&>&a^0{SCc zi5s&VxTZkQN1llLyZR6_n|SMXi^&ygjBieEILTf1>$gj6{8D$aPJJS`YB5b3vlno( z8(<7Xd10Dt_pZD}N-z}@IO3Y^@sVuHJwhV_kNJ_iha5SMQu{yx;GnV-WtUJ(f%R#P zUQL|~!BOp_|Kh&?JEWA0mtLX1g9x0n+N)dl&N8}MdrIw~%Oo`>_GN~(lh)&hRJs>_ zU%+QEj%e{gM1lCw`_mHF(RQf@r1MQbZBh$`Wml!1)mJ^4Btt%*fWFa<%}LS-B9Tl` zd+{R~4M}33uGW(|Uj<{m&Hma@AJ#k!bKm@Oz)A|OFlt68wo^)p8_Vde8b4>}H_~UT z;~#)Rr_`PzRIX&s?gL?^v0FPY>`imG#oE;O3t%NhA#JR{7|%|N2#pX@zYoakav21)u) z?EJdlzAoZF;`w+xfIhN%3fI!eEg_t!3?Q3uSJK%w%u(%JmTmz{&7aEw;Hx|@9N=E$ zzx&C>vE64CJ*bk!LG4t|LE3M!eL;GRQ|!j$xu(Tr909CRF&p3tHTQx;Abflyw1mB} zbqRI zoZlLWnm!;n(9N)Q`$`S!zOFd3-M_cbTFp2`&M4JvPcORZRZyGq;*-V0n@6)9U1u6=r|g_6wXCMII3?B0P7(@54GR_9!Hr-c zi3Z>f`+oM(6(`))4fLh|DB{zt^suUxC4~sBA-@1Nf#ZXt(r8bpQT2V~>plREEf}YKcw#A0Z}>E?+>KVOxKc&J&;*gQ^xk@9Yb3Fa z$UQp516AL{R*~*f3&J#z&*&%g`nE%VYc|ADZ&Q_P1z1OB(y;iQ@kYXB<#-+h^Y}wj z`Qk)qg2;=4O{Zy!i9r{t6YiZ+P}jwW8?jf|D{b0=QxFYXrpOR^!4!ar`#L;@U)d*p 
za6P-uh>d0soeyH`=c!B#0BAnTBFBce_4G}+U%}Z8j^x-l>L$G}Hl1 zx_(V02F^^<_6-H^6~92mx3&}hl$=?#ai&h!@d+V!;#*SYONnEJ>e|;$*8S#v=sT{M zvE64=-F)a9-OB83QYLbfJz&tcGvOpbmcjsfFx0uB^V&l1yN++J53ziC;%B~RJ_;Xf zDmK0_+6-DGz6YiZaiXB!*?>=~EZd<631=eJ2&rs*0=@Q}3FaE@)6CW(zQQIJGj*J7 zJr7htx=?<0dbQ@{c-xuiDCg>pdxftU>K~2_KKx~m3&vSuSwL1!QbszsX|Au$$oELT z9D-zx?>*F_P}LSU6!PLxI^u2@*n1O?m+@T2x0GC2yCuDGb0pk?+&ouUjcOq*K&yL2 zifb%bcj~$4mJK38M) zr|wgeBwo5uJpbC^*a2Zi)m-_FD8~qItonfncfhe&;b<>1UJLcN{L%I=eSGjEZ)v~ zI@_*1t42OMWT%<0=UVIu(s&^n8gQ55@UxSEYkZ&_+s0kdteHmc^9B&*b(2Z9*GE*h zk9EH*5|(_cvRkJrFI8j_5Y?FnDj%@%^t=soCO3jIUxQYxY*Gb9=}*@esa_n)_8NQf z(!mg^!?S_zd#K9m7I2RJIdthw^uZcsKQ*&+f7WO@tjop5&7Hr+(K$ITWfVI`tPa*8jr{^`FF#*(X}Bs8<#6ziEj#3KDbvx zk3hhV_g)k0qS%TtvFWk*ubetEq&pZsu~AVSN30i;+qYe9oSNC1Q{S034%ZJSbnvxN zoy49nGw)C5%Y%?~3l<{Y+P7P^TU7OsVzGQZyG)sgb6koPE0z?Cgz=LoMQPV#U(Cb4 zRDpiYyO#{*WPOE|qDhdmYJs|%&hT4r>z;kb7b#bNboV8fjxV>5v*-(U89ge8whgxc zhO)9z`}m-8sVdQKh|Mu3VuGKoz2eYax_@~O$w`5OcTL{H%VeFZL>-@Ub-pM*I|2&Z zo$`vpc%lwfyzg)RF)u_f3ZhWrZ9d9UV zb^A<0Pa^d$B(=iaku9`T`s2OpjH-AgjXPYT7)>&}4fZQ&7zgUI+bTN7f7D46Ed2Bqc zKj+_~tIaR+WMm8|7oA_JP&T_&0&s*}UWxgBbx#Sg60f_gePUo$yxRLBaZ;(ca#DoQ zP8aS67fB!2+ETVRZLgkgbY-&g&LP=QP5xr6p6}mTfjZ=pL z$GIVR$|%aB+<1J3Mh!h*7{qvq3bC*{ z1U~S+YVU}tLMTJ!FbS_T?JHh)t1xU5zD(h%Sgx4+2qUahTb2g%ORE8LT> z3{JF9=y5bGffXFe^SsFyN|K)#XA2H{7WpUMJKe6^1+nI$A6zHTQ7g|LlI&{(D!P=| zb-QQ7Abmel-@%V+(?{ft@%Y~G)})KEeTqT>M>0!=J&_+GS~;^&JHv-F%>&&j>nvg< zX#V_Zs`46J3h|tAJ<#xaEdPoTNrCff8RVwh#n@cA0_d3n$Sf#vVBd{vU#x(X7RoW~ zEmFjHyA@iNTLD-Ag`(@(U*IdamJSaOw9eJMgvbfL21x2OMiA)%*om zvbq@rHs#gsTUt0BqNt^CEGm*MsTjTa*8M9%sD-7GzLtLSk&r&%dK-zt8(*Un<%~0q zdO{y6OCP(1=}_ei=H$acw2#@>x=P7f|sOc60>lVP>aXjJexU>(2ss$!U&7$8vY zm}1ntuW)+C(iJ(#Y~{2ohuE@sl%=d;}J>1&M~OoJ|Zpuc%Ib zr5ok7#u8F-u0Hw}5gWPwj=KQ2qK0$bV`&RXH**z z`mvOK58AAlIAU2To%V0<8>0_usKb?e{3S8#3%?~O2ek>5lbP&!=h0YX!ZpvkNsS!S z;gydceGCUKFQsMalxK=^DH;GB?oE;S_1o@ezVTL)fp?sP6;~1`Nj#bzYSalmbsMzG zWJL&H1GR=q+oP=kAU8LhP9{R?kxeh$=v}*BIrF$adRhj+S@csDXI&jdz9~P`b4={C 
zUY!z9_F2f^3%BZIR@ePLYB!)U;Opk&ZlTG>BZ|{>aD1Lvd3tb)Ws_~NKyx}E04xb6#(VK7g8t-Ix8-Z6qm3!5c4Hhu z+&gJ~Q@b!{Vrj{IC&fOg3J-c;YDl|Yu4?PBV?HaEMaA`54jD-l>;z)`)m~Zx$D;aW zUyepSmfoT{2tWycsX1(|>3bhUiT&(0zWirB6YIj=lSbCQgvVqavuJdOhT}{Kt8JQV zB0c`mwc84MCgsH&Sibn`drhmSM|vD9*6PZW+y1d*(6zu#66CShc8pdLWI4fbHfd-M zF&;tXB5I!A;&leDa05T_s*O)~B-?&Lv{O~3f*-1^7_%w=mHVXfDx~b%@5pbO;ADxR z+k>%}dss2X4JW~x+vQcgCNT?ej>6;^=*FDwrO*PIC8jrB43|v6PQ`{RyYiOw%0R0k zypPrcV3iTW(a;i_E+ob!_oMN8M8I#eR1gny7J6({zK9Y_A*-n7UD@dd0GE-f(hK(2 z_lZ#_R;H1A9*I3csRmbEWn)*~^(*P=`0>~fLJvNIL<2o`1K-^X&O3T8R7eY7SI4ad zmx}oDvk^NZ1f;FtyY$L-zDu8a4ENy?4=kR{QNOSnUf1wSsv6&kXE#1-fwWt7e|XUQ zAvHF7R?ALY2B}uxuG_EfcLx3mOE)iamn;J<0Qqobg9lzssGP+b`{m(j1ph{^1lF7@1g6NSa#bDh&87Nrjz8bDS*oP7T3xA;k)b@$5<3~re*B{|`_DjV zUWV_h-f1(^M6|m{4SR>YD8p&Zs}*>^_u=%AoBDRd-o%MTgit}Za|?GrIh!~>bNpf9 z!P#zVe_0EkrxpJr2zr2FL+wiMx)XDdl-bG4!Msq}0827o2ufbaW2KIw;@QmdhTj&k zr9y{wd`&@;<;B<$72pGoSB<9b3b0fK%EK?@v_XmI%_4wfv5v$Jqh614$c{+8YQVJ zT1TmcyHf{RYutQ4O;z{|4m~!@#OJH0mK^rSJ8+eq@sN&_u8EYD2?y=r6POFHl)7ow z+?erHL1zkG%|=V1c9W$qwhO{n>qnTd_A?eCrkKUtlRtN~koLkik%d)87ID0>wbnw^ z1Xa+>sBL(mZFk*fUr7xDakTE3Xmug%uU#SmM&#+kC%>25tJ=HQ!lBNJEnp^SmlpKc>PzvTuLH=+KS0_Y#v3vsqfJ zCHT*2`Pn?d0kEYsu9g4u$r*UwZCM2&E5JozaBDL8aFVgYb9`8Fb?syLewfQ#J}mHqk#JasQt_#{AXPvp<{qsy^e0V~$_vOE80EX8Tj!zaE1@ z-G4lpmgp}5_!=*HL6qxYKAr#4kFlQD)E+K0MkAX*yj^|_RJ#OVh6xe(|1;DFb~-dSk7&{OSPtV;b@DEBKO zkmT2w3r<{Q(yT0XOhMQ3MIzeI{g_pF;3c%q5|7>LXxZ(mHz-erxEtJ0?s=Wwd8FyJ zKpjlp*G(3mGCdB3UM6wWSfJ+L=;6T&z(_pWbx;ua;I17qc8lTH4urcA0`&nQlrnng zp#liQpUKJF1aI9ZL2@+6ee&(Ds4e=(VDzKk9ns#!K<77)Cx?IxlNT)i!H*>=7<hGS#UK$0#;C5<$z=pSr6^L*C`E~UqZ|$+07&*}K zv#Ho+->VnFOucOvKV2Z6tX62PUx$E6Q3~_m4V*qN7?I(R!G<4S9RvaFUUJiqfgl4> z#tteV9y{iKiG3uLyKyDx$Kj8Dqu>d+doia2VjN_80Ar>PiZ?6%quI6CSZE4kAz%Qp z16+8a!}_3PY-S#G0Je?i3hDL8217_>eHwkH)9}7%RO&guxM8jrL z&|q{nNbf+WNqHNrfRFV_lD`J-UNIJ+Iad=x*RzuVx6<4U>bv~o^FbRFfdyXJDR97^ zcn$`#Cn`D)Z~SjVq=c-JtUFGF+xLXwAd5)SUJ(S~r#^+?3;oybO88sBRcz z*JBW69*Ryt&mM^@DpArV)T4W-{p8{!wl#E`#(QVJ10W~RX|V;6TBMTi>|$-Xi@hx= 
z<8vCViwp(NYWUt9<1VbQY?%Mj-Z(aX2yk{}k zgzphkzDsXdzvl62clyh`-~=xEVVcH`lY>Q|U@Q*O<$C3y&%J=eUUfb(-(Md8)nYL{jtbR2$b`mi+f*%vvF`2qt6H}dpUW8^JMG8f`StFfZy>~Uz3}rQ{@b_t-bS05 zeM3|sr+xhO1~3H3fByCi7y@vT`}2+@{)^=!i@$mOcfU_x-1A3UJ#vQ5&rav`cOx&k zSD*X+pVJpjfxy7xUNj5%$Axr5P*AAL{_p+!c{FkpfJ5+qF*(l^@S}O{OuS?BhQHUC zIQv6SEHGVQ<=soi>c?XgFKw`n$L8%|EGMhD6=fJF7MtbJFxZagm^vKB>zt)r#9zr>pVz-nn~K7XM???IfXpuD>`Eu+OVxU*i4CA`bzFgJRFsp3^eCmSXxJIam(_o3KLKcn1g|jpzjWK_Ca@fF^mqQH{j%>sLujtw{Bb1zm*-XZzyb5f zcRp?Q?>D490u2fBe}Dd;QvlaQhuegQAg9g#{Q=Kz#obUA7km6~-DU-&dy51hjPOxs^O<-gr|f(lrl0BtR0mn>82IJ0gjBCh$4;CC&{JsP|)^bvAkhXkRY}zaMpMP!r-`uv*HXz^; z9nSpE1LiCSqfA_+`y{BGF_OwOy*?`;U9}zjh4&POxp21Hpz}Fj$ U4;Q!R&wzj8BGQktg|*%PFK4!v;s5{u literal 0 HcmV?d00001 
diff --git a/dependencies/infra-as-code/bicep/modules/privateDnsZones/media/exampleDeploymentOutput.png b/dependencies/infra-as-code/bicep/modules/privateDnsZones/media/exampleDeploymentOutput.png new file mode 100644 index 0000000000000000000000000000000000000000..c179093a55337a40e1c709e2b64524d8906bcaf7 GIT binary patch literal 164350 zcmeEuhd*2G`#&nRs@f`AiY^pI?bg=T-XqkER#98+tteWm)GTV&CU#AL*5*}cml7yU;nFRE^3GkI6W%<{> zBI!MnbAOyCBO!^fB_aPu8%<#Q`x6U%e_!+G_FNX}KUxFlvdI3~`aC@A+&}lp%zt0@ zy2c+1Y^Yq6joe5`7&(4_NmX?3Zj+G6k*GYC*Y_sfn51e<96IaR0bjqZ7n=R{o_?xQ zckGxbZ`sSp$1nL8tTWD-vUBY_wXX|5UC9~Hzp6U;G_>etUD(re`;h5jqkf+Q89!`w zhuguUB7%gB^5&cW z_2&)!&5AZU(!aUUCAlnh%1fg>^bmT<_y6mCe*Yn75jFj{4c^G5T)J5S=0tLOUisT6 zzG-1>{@Vs5!9us>EK1bX>!vreeaaMEoFSsuM?JQF|?6CZ8gG=}5$;jc| zKhQrkZ~yOH06fuwjP$RBJmRTvOP5%hd2&&VmRaOMnp1-eFSPzYaH6gOuTRhS!-7 zc}>-ORdaw|a*r6bgExLDg<6)v05Kgd-?c_;`|ZOAk5W6$j2lPqo7apsWj=hJ?_-fR#lA8T2NkxUkhz=oi})%3olqNgP-qu%~HbLlUVtEvuA`Mpl{t$*D= zxaxiuqp`H#flEY|+{jaw8e<2@9bNf5e4yrps}r|d7;gQb_*dh9s6(MEH!Bh^v-95h zgBi44$)FgxprL7C*jUB$(A9teg{9i*K;HW3*s@xE4X3>`(qkZVIc4{^1m1h{ zTlf4*ZY%pk_aw*$=l7*v2kCiYJPh@|T5D7Xp8DdJGlNnWi6%}{-Z)xe)Oj_3yOEj{ z+sOtP;aQVnv@6qS_rjsM|E$7L;p;n0U+mCj=|=&Js{IBV_VJt=Wav~;`#i?caR=cc zxT8sJw3y>K@UAjIIPlMe8oxHN<#>1>1V6?%|J=Jr>9p$h$-tay#D?)V7q=(|tMgP^ zy!*{Ku_nQr#fIV$?16PY`@@EPslz31h|2p*Qx^TweHjPXXyTc8RDB!+pqSsvg;6_L z>C!jeMSge*Z|(CJQoSD^+44z=)ruc^_(Bii>1cRU%6r>F_{HJ2K0rgM%UO%c8UB}5 zw%V=JoShV-nXT5)<&c-rj_|Sejk@`d{Mz&v9T<#ase)TBN^Z?e85Zkzp`a${-ZV+^ z&mC#Xq#*5NA~xs~{ZWE;OD){D7miXDx1Gc|H}}D&bhDz~l91)y*)Bgjjc#B7`=0Kj z`&JCiRqF2SvuxNN?<3mz+&YMp&lv?w6I^_(mo#t2tKP52@VY7j)`KqnJ13vS@$oP< z8{W)sH||UytuGd22HJ&7ZObk67HTE(7z$!XGkC?S6VLQ*aV_UAzB9fpD=X%J>TEpO z?QvTED7CBXc4U>jxcsrokn-jwy{ujeIFGRge%D1fs4dYjl}+0BbMQHeRHcZE(MR9! 
z+tX`ROhQ=wHY%NJo$L1vaGPidMTCnEb}HYhC#iLLZt8?E?UfovgS_ulS=!rt03iz5 zq_M`bukDZGb6fQt4v0@T7n@%HwZN&XllxNm;B@;Id z3a#JR?dj#p^na|)d(mjRq)f=>%j;?|~jQ2@uHLOdw-pE;#aeZ+K(E(k_J3YYkH{z%Ks6tQuuuaKhLB!L^U0S@8vPF+d z!cSTK7u>8~@JJFe2E7)D!1{2Bp@W5e4_`?`R#Gm!y1zPwQ(C~eXHE3)s{l!>NI z?WHCN&aeJLWg@)-?fZTb+9{oPCC}+iVs!H@^V}m9q*g^^2KK< z#i{x1jNptrz&NKR@&*a(<@?9(A;Xzac)zXs<^y8H`ABN2A!Q`c{-GWO7x3vkV_}?5oAVgt3Sz_puFMMJJ4Eb z>bq*C5MrEqG*2h{*<|C<$KS%tHDhAWQBBe1srPW;eAht*6t2&kPzjIwWObd~mA9f_ zhVXgbk+;lHDdy*9c&D@_DNp4~b>;JvFYo@sTzsBY>CpdiZJ*<-`V(H>EJ4TdninP% zVFt5~Y*dAaZ*vXz)vdiuV0Pdai8M2xBXY*^O@W6#Z4FzL^Nu~~J~@r-oGm(t0R zrbA7olf9Y#u1x6EE+XX!)Wk+?(p`@z2t^xX(5~{(8iSv^s?0ZV33{3;pY5CN#SXgI zowF~pN~U(OVIEp{RQF4z;qpfUWtqp2Zv&VeDe%2_Sv`Nuww>pf%yifNrZM5V?l`jh zvbGm&$RVco`Lgikd*{fQWqS%BL8ooa8b{#yVpjjoR=D-VfFkKGh=y@g<{LziJxGM_ zx%rx!Dd<2WO-xjD(_1Zykxxk2y0^kIy3tx6^OFmFcXg@>;aBll!lO84f6OM(V7vI6 z+^|cU=(@1*{`aC*_a>diaJQdhb!T<2=X=qR00zP4I=Z48kTm$FdK6<{-|k{hUtzL& zWQs@iQeWTm2v+O8ikk6@uTB8dAr)=z$G229K);Tf9J}F|zW<<{v19j|@KQ6J(8)0n z#duVj)TG3IN;fo+fyIwn(lPZO9?r+~;rg2`_8u^33aw9_I(#)CpDN9poSy$E`BTJp z@P|KPv)20LaEF`LX<~69Uc-2v{N_&B1b^=hd>&byD&d)F;R5!gkfP@Fr%C}h5$S`{Qw;|0S{|0BfH0_#l!9iz88Yh6vb<=K5Id8+} zf+xXE5wMASOKxz0fB`55nc{Wn>0|EUXxp1U9MQb{*dQXLxTK(|vEi$(ZpCXDD?RUI zu9G~r0monK+i=muu?e<1m{;9nIo0UX#@JneC@+nWLsI%%pL+^5sr5t%TeOf2?W6Sc zreMr)3*ymoX3Q(9u~H*pj4Hg^=O?_S@hCqna-qJS_SMOEc$1eX6ZNcMD3?~{B8oy3ZqTOuo3 zMFpov<&fv=pKRt?v|jaid2ppADMTTZV%ixIBq`EJ;Qy67?>8I9bUR-uXeIFHqa{1Z zaEn8!@|n>vxF_T_6wL7ShK#@W4}9)Sv~i!E#o~~btn@d9$qhRbRq8BO3kvg*U71yc zE;`W+;i=IeHw$RG4~6{HWliQyY-=F=mI!GS3f-KyO$hMutTL-b&~1 zd)``vo_>+EDf2m~x4FYpeJ|!<6O%^6U)QqYb>=P4@zG^!7+!3habqXJ7FAbK6}IHH zhUz-nTXoC3Zn*8Yw{8~nopz~aNHgkCW)EYy_|D6rwqb1Jn;Tx*)60zF*pbUuBcJzi zGqT~%UEl?|N?lqbzfDEYS+}0Q6-7bE=I~R1^0=Vdrptg?Mby~?4_!|#lMFgLveD*# zl6cjfPsb{>Aj7x2lyAja%mDP>bJLL~sv3bHoFNZRh-gTV!bW>A1?$33bi>pNbM|Xl zaNWsBnzQ2lW!YE$&%sHDdqXLLSd2&WEJ6w`JX3`gKWM*XKaG-Z*pioUAMH2LG@6B% 
ztRFfzpDu|rHMW=hnB&dtoa^GsbWK$BZ)4xz1tu3VZhwjsV-8=`~$H-SLcN+hM9I%yuj%uf%&N4(cxdI4g(xaO5EqCdp*%g40n}QbQFEQ&`w; zbyWA2w^4z;M|MNFcQ%53i|6Iq4dQ?jd%gX*lwaR~TV6YvLEFPq?#+hvGI^^;b_Zw9 za*o1SsC@-HonGR6U?s!i3l4C;9*1)@4Y7Af3laHwAd&hjS}i~Bg{>iF^puUvax>sb zzLx3RK=8x|L;s<}gI?L!OascqdZBZ9^4YV%tR?qAI08NW{f2L6_SWqcwCv$bsF{Xi zK*rAM1zeXBJHcoR%%rrxQ$it6d(vn(%)W%{w@Cp!i;mt3SgWu~x+CNSS@C-1SN75g zu3zgB;!cbN&q|;c6rRH_6yNtCk;2x|4PbaG<7Y+SH|6z20=Bte0yf_ge6Ekt#9{Wp z3`(<*Zl`Pb?rcc`wBD8fjIQH7+eCc*t@kiT&=jis$*B~!emP^Q15ozyTv}rD9ns>l z#1p+wU=gvnV_PRDlL%Bb-TE{p;wVMfCRKdOd+7er7Up(Of$xp8S?S@VJ9eizWWJ|C zzkK%A%bPvJD4a1N7LXb3m&>1H>4PuB73YlLG<2uLA?(Z2(`L5}K6N#Y?XQf&JpRXk zQt0~@Ml%^5v^mbw@j(BVr7r|>1o4c z-7H11>gy%LNsTCDO&q4i)+Bc^NeC>CJPs-eQD+dcgW$*Q1!|>FiLwYkFX4%^i;-&6 znAa1iZ{GHP{5ZlD{s;cuGAJ|8F)Jq%33MB^!*B(mI4ddc7!iXsAFd`9gn4W0mIy_& zE=SjBfF1@NEhfLq`ub4=ZONJ(holEP6@p8W2u(#{_|pTtcg<#l+s-!yr|YcMMC2aJ z8Ojq6bi)j-@13$)6CuqXU7i?~+o%GBj2g($W?oH*jv<&11Jyw_gDmP;Br(A*@6$`% zhzFsSf?b4}UGR&(%QBDEs6lf<=Ie&E{hyN9^Ok#xhOrNqK3h&a8eD!o>4CmJT?Otp zjJX(4(|J@4_zhd8B_Thm`(+TFr(MyWH{$r2QM>FrM8v)a9y~pbRIM0F$;+0#WKEbQ@rt-%F~Qcz`A?k zcbrwW1@YcFnyFVG(trM#K_zKiZl=nrXX3QFOp+X)`=q#&Y>fW{^qoAk{vc319n~p= zc&i8BrCLtuBDjQ!)2htHcMF*N?r>BCb9tn)1x8o%meqY*sRO0}o%J{uqTFA2W?Tit zZQcg+NwXYT?W0;ZCv+`?Y%@e-Rar5?w@j|D2AtK7QCG3h^&W@Ps zoO1P}q)aJU%=riWJYep6^7fR{Qbn->=`9Atv(riIkx}NPPzu@DSMh?&dAOSafOm=b zrk|Njrh0Z>E-bX@gHirCzwe>`AZ>^pDmT^r&Mf<@<=zx}ol6i?^8xW&zlFN#*88cY z_i!2oh7m=t?4oZFh6^H8u-sn_hNeDwydMsNB{cL%^m`z-%hG3u^YF#F$hMhu(bK zE}(zYU~-{pr=6wDDlWuj6Yt1AFgf!c-tPHu)y=yR33tRaj72dC@LZv!DrZ^`DDGh5 zrPEk{*{?%w!OcxsXs`0{W- z^S$7^43EP@{lqcY`ApAKzS@aFQ~%f4&mc$Ylin{!MSLPsceW*e7;InL&AjELMjg&c zKdPH$whG2<=7iv=?O?TZL9-%9r}#d3cw$1}9fF9hoi#@F<}3=~g`Jsi!e2dGI(f?A z(p^}tbj*iSJM9~7_%|NwWrXXTXzS%Z%f$h1|9MUwAvE9aRD?DZDgAf5$7 zPaQ#wL9G6ZiH29KmY4E$Rdo6}^T4-iM$bJDZe*PCPaQ*7R|eQv`y?EW7q6DFSa3jw z%*?Lk#<_nliO-|1*N-h^WRNM!M`&8iF0dQ><2861Q)GjX_F+5C#M6GhHTwp3NBcJJ zBl@%{E|Vd%p5p{34KLO-wkz(!<(4M!(yaA}khG%)IEm<&lfDy8NypOF@-!b19eBIQ 
z@>g`Dv3G*!V3<0c>9}krYB3>y6$`u&cjEgV!5?^4Ko_AQVjQrFfkQ#&pmw4sN;>X% zP>V|%uwl1?RhmQ1oA}kaXuk5x>RUoo_;_+g&Vc;_(i; zF3z2?(P1Uiqa;gr;MOlCR>uK~tp?{PCWNNIL4VyvwG>Wsd&8sQex@XO(YJtI1l-O+2U zdzUVoL$LI$5yl@6TS9kn9kaxk4*N$r-^@Kk^B=oH3;4gI=G4O|XQ$=&klT-H$#`ba z`-)I~|3M$y!CaLkCyZm-Sqzsdk2@6wtY$+)eDWH(+}gNct-r3lf`?9F?zmGy#yCt_ z8$x=;(L@CutEY8Z;0G96{dIKfOQ!6Pc$r;WfpRRmO$H_&(ItO%9#SO3H7tK!n_o6g#Laat*V) z&QrwF;i9cJ+Ncc5&IA@&5>A|-@DbSE|kXgIw ztb=ysAW9DT5z};O-T)88G4dY@-QF&?P02U)xc*s{DI$gK-1?n2axX~JYfnbKCA21e z*ZJNXQualciR4hTa*dC4uf6aNk}S(9V{JIQw<;rkY%ZJt{$T=su`SOhZEtts+q^?< zsLi;AHo|jr@>$en-XBL<%aYPhU{#aswN=oH@furJfF~A7*-^TN;lfx|~)KNi`&1ewuTqK|R{?TrvoC3Y}^U{Wk zdzL?PeNPx373MLjuAV5c6vRi2aChZyxqBcDeY<3cY)-r<#TW=|#qK%6dl;7##}l|F zkt>_{gr|tCKGRcIKTNe&ZiOBCwTw1V1YXfCmlI$9p={l?bObTbqhzRyLasODtVe~D zYwspr-8W}=oai5>jnAIRe8%wjJ5IRh67$apypektoaO4iNj^*-ew4iZs@kCvnwE3RGbd@>wYoYG`S-N4~&1Y8- z*r~bQ6T{YPoa0I$R$YzNGtR}E)!d-T(n7fb7SF0y_{;bZKk6l(2XV#O)8W*Z80mwD zcpVTdb8PE)Py=|O>owgPkXcdeti2HXseSNM%ugnsieHDy#l!3I>}hhD422K3>gLV7 z-ufz|X=Cm3iersc!iYN|J3AlmG%UU&dwJHbO1E(q{>$;^TBg$^bw`d4+PdNWhAmol zgi)V2Hpk#e?%?HL&VdjD>x6x1`WZeu}JIm-VWb zG(x}e!k9lWDWf0t6)g3o)z^0S8_tXhpsKXOfP^Lb$=mjRZQWXFnRJ)O&+YjcKIf(C zJ_5{dY{mDFPH-NFAM37egSoYq)&q?*-e)Inu=V2GBabDR+Eppow7q2lW`bK46G?N3 z{(aujT#UQ{Cp#TwEYmAK)iT5hjkspAr(?=%@IeZKr00a}?VkLR=YTolF_Zy^-2yCu zRmF~?qr+cM=s+bRFlcLnam_2X6HbO36Ta(?k%#`~E?RM2-f|zwvj4 z_HG=CosDl4bodS*n>l24#}pve@L;D(mqi+|Or7+axi+S56pq@*Xt%Q@7xB=J!K3xrz(I^aJjiZYzgE+Ls*UN`UNl3un| zSKSP!gVIGt1N+-qx zuh)-`>iuI6Fv@$(7q^Ny?Ha$$J@t8&;UsqA#o)xJJ>grq#D$y5*r0vC%l>d1ne_|Y zd>O_@$>lM7P{?Z1#|2^zkmx%fhjP97B_H$n9J{~nEoczCxgvI+H6qFI7F@TOPw5-o z_S(q(FCy(B?Yg%U%UZNCd09?1nH8XY_MIOz|KMl~ ztA8&^6R%KoBNOxK8u4E20s=HVsK*!C0>0s{4Aq? 
zG*W;Xxp-US{xyi&eA`RjqD2rDkPBCn!_T2j-4Zd}lLfS_$I6wGpH=cc%?TMUN^+Q4 zCI{BuU7DlkQk+U_H&&h(R;+azb|pmcJTMLD8?H3)7}CGqUSRF{rPzTJ{E&)b4E=T`SM}kU1VfqnV2#nxjLh@Visu6*_5I@=F6b~prWd!#7@oB- zwMWXCy<=pWxLpXY47^`lxEycXYxnN0X`YtM@k7dIN4JDe;3&OF0WF=j=CbP)og2~gO z{2+G{p<$_c>AC{9CpnIUmiZh7nmz)y$#7%q(22ulobh246Mtm=Nr`7ExkqN6zJMma z2vD5yNq4%33Ir|B()9UWHcORraAh%n^P2Q2c(nKHNoZ>Knxg!u~thzR3IXNE9r*$etJSKEcpJHy81CeOz{G;gt zY`)-Uo!&Gc?Tq5f_G^wue7P~u=h~CRXXbTNYdk5K*-t1<#ggP6tLv+SP#xrYwZoQx z51!TX3L{B0`BwZe20HI`^Ai>47NG{mVTnRZ9VWe=m28OJC*B|rNmgFlMg@-a z_<7Jz5r`!f;i^;OW`WgiG5_3ro&fTm6r58-Oa{|tBIet$)n=K;z$@Y8f^SEg2+~PuUr-xNGt*#8vtJ)Lq0C4dth(2_Sk4 zzj?yru`0R7FuQ!KSIP|2xOijoW*~*u<|H-=s5%|M83=tIEW`mY7p$Du(^lQiC*gPy z;I9+v6NNjj#exir)>9PMt_)WsN0(ET8>dJPm$CLS>==Qp1e*48SnO4x*BjEO_*U@Z zFIw-)tUOnpyv1YtA=jCvT~+19u*D}+X=MtQcewn@fI~g|TO6=&buAyc5}gJg@&=YB z5EWs?YFz!^bX%(vv9BC%daM?SxGmYVZE1R7qMtn{eR^VWt6O=#i5pyQ{=G?&NRNFe zWcw(GpFTiNL-Y;AZ&Os*bK>FGn;hIkaunI%w6{IhU;9?P^nMtw`+M!@_sNjqVixuX z{^CByn!&u&3PS_%r1W;E-Y+FS8-KhTa#6QHGyOxm>z;hJO@{KrnEhI9xY$%Bl$YS10lgPDT2PCW z3Q_ZDg2kf9lsb@1LwQ)d27X~#&a({8!rk-QEO+%XfO5J{+2AR7B2pG#0$aNX;wyNu zX$vsei^U>aAoomd9YEL=ZzZgV@9 z%r3v_5FP`zSxX$l?H7DZ_Nna6LcST!pV%^{vRd0oGV}SKU6Q0M^qD;!u(?7;d6nT_ z*@L7k1D)zfA%%HOyA`G&HUl)Ad2Mz+Mz-6RhCiCH6wj`whQakae08*%f2rF5=&P@f zUkP=57qU_VOv&A8!+J`GRhObw^TWK~`f56FNTBUQz#eSeQ4LfhT1I6tFQBbD;Zr8J@tCD<%bc1b$8`9O%ICJ0~f#kI=B5M(X<1lDv%=zcI=@xvJe)PCxIAd_leDp0*4ZkJw?YyUPx zsxq#;@RGEan5u-$R#i_~S&z{vrbOsT z4pwNuV~<>tKU+(NM8e+Sc^)Zk(v2PtslIadz|+x@GOVwip}4_UXTd@eqed)GqZ1D{ zpr;r}#@#j5=m`t$tYkd!Ih3;G`wo<}-IFGrESLns@lF)(XMsOF8Ey!K5t|G2Z10*Q ziG=A$ixEw#_Lz@`+;^UhA$RasW^H}3yv9e%`71|fZlT9vlWXCAB-^;t(<0&qq;}Gi zg($XVpHt@koq@`_FO@+&M%||Lna=2K6MXxQZZz`_Z`}`*h*e7cr@`J~mEt%@ZxBz*R z2e;NV%rLasT6Q}*JA&VWkUe~SL!Bd4sK)vEn(#+$=iv$NI;@XebNw>cWb1un`JH6H z(UmjP-E+voBM%C8cW}nFwyeS?lc;;#+K0G)*)~(o#P>UF6GQd4j*i!zLo^~n-?jcI z6rbJFT^q*m**PsJK`mnzpd++8e;;hEkhpntXK)3 zZrH07(@c4{vhQmUfp|@WMmkV`0rxO}f}%ARaLseMOQE$YZS?oa@{qFJk 
z`!D&{#u!=d8(fPqAzQHlSen+yAm?xM_Z0hanJi)x-T^zA-^-B?bkTg#6loWdVr-_uXF-d5I#LN0V?@M-~&t z1zv?U2^6kzv|n#^YZ*{ulf}N_>+ajF?S@rp;$9g?u+P-nfoUoFy7!|P9-qF(r9#NQ zXhjiay3H)qBGfhTbIsn(PmP*W3`ytX}dq5VAM)6XNKNzvHk zKz4PlB@Ir%k2tcw5!T}vG~(z$Lq(h{lxxr{h=y){>)Dm@A~SP{`dK^WKP0ukH&j+4 z9#l3+vdTR4ohiqj&OE5;fp@|d8+YL%Mc1&8-npMx$S;oKU48t8JB~9sfv3k#^lQaJ zrWN_`oySl2i2{3RI=*74zO0`%5=!^DW%G2tD%PV1Pq-#n!x|E3nPyhyxpY9GEY6LB zl*mHSGCRUi?iM4LX6nmx0pQczcjz6@(xg1K%M73i+P{5iT?&fJ3rgBq&)q!+(&gu)rhS&pS_#`M(E)S3 z3q?w?+t;e>+DdW>4{k0>0F)>(%$i+pdLxkkK7X@1kl`7o&TdP2(CkkBFq6}B`tHug$(NGUt#}7{ z?Z(RYuHYdvkT4KR&aY~|dO?PTk*6#lL2Y(r*uDAec-@TlG_G`&EkKyqa_&iQ_&y6w z`bp&?rthS|gT;jP6){!Jan4KF`?Q78x9E~eK=$qEUu$on&SiTLT4Ash2Q z2S0PZA9RGTGct^>D=xe_#m69C)jEZNGVdr#UH7VY=>0|81!UGYs&q@<(?2nL5r#7? zp#s(T>jt||HhA=vAvTwe0|LK(e%*qs3|2kOM@4r5Rh5e&j4}d5-+fUuIjFHHkZAX4 zE(8WAdB&%7Cj9bU|47ps5CvFN{t*IV*Dov$S;IIX`ZS6Ro$=421oTxhl6eG_n?+@%drggjP!WK?#OA($?da7O zSE@9248Q}mJbNpKz3;g)7RaR5JP&qz1ia?Uy@g?NKxEP7L*ntlrafx06#msp=4AWa z*On+5f@6oVfZ@Y36C!V0u9%^egjoPKm? z8*KW(rq8f}w{+vCOaIR1yDi^DJ4h=&VQ~@OssMTnUMB(>PS5FR>i8z-3YS(E53{`K z$}?0Pm{7iXe02*wrPVW1LZ@u|;l2lV;myRjOtvOgGy02_Jv>=?xoG2t@DufD0?+1VZOse?2J0#P-q zFF|KM*5fGKE!?dLHtX{j8wI9{RWu9@%g&DT2tBXoJ21GjN7h|l(+&F!5B=uebA{mQ zczoXuC2;FaoWA+l+Ao7IU44=H$wMnEQlgkUvoL}*Gp1LuS!g^%%kR9|q@AgfY({w! 
z;&{#eWbToVnbSGb1< z);}A0m5|kD$D@=6^^e5l`}#eU(R>uS)j^+_Sok7~N3xLY3y&vHQ9-!N(JD{~c*j$o zp~Hh!r=`TU+WL1P1VXSXhu2)O^y+bzP+u3e+4*8szcil-+}%x|RNDNJ*{k6hXnAho z>(l^_HXwm=!PvhjZmv&!dLsiW!U-?qk|}z;0@RLdZqZ%=Q%>3zjQfCZp|G;$M_iX= zBEqMar!$gH*ccqQbax4{yNpGv8A3)A3@3e!jN9TkHQh9~^E!wruTDCiL3awi= zTv~#iv~8rHZkqlw%i@m>8hz}?Fc*tFz?KzD^qQ19hS6gx&o?|CQKpO?0 z@^y0~4`&E*L+)y%}xuTmkZ?bYA&j>F#9TG0PPw)>%2uR`m7Jq9J*j{sR+I z^V7`j)f*Uv-zhF7;DLO<{lzNF#Ws5l3G3d^ zHxWDYQRlZ|NG(XfK3H4trxx#)X#6~Gyla!Vf7-An`Rh>&dcyElMsH0MAna&Ha!}1)A?agx%qy9Ep_0Lfw6H!mH~hB z^KltirqO*BpBQX2&)jgjKk+6pqg>Q z0cOW45iMZF#3GWgv(bJqLejy~93cSQD8~Ej@*I@6Lr~A}_ zr9aY)VKpKQL<`{1s!vj^owd6#i%VTlDmk^M_LU1C}LFxKRI?TO*uT9K1Im z`c%biX6g8mJVr->E(nsF^a9&N%pjau_n%FizuNDGCe8&?bVmTPssPd_QM=`!lUyZc z^*f%9KWae7oDEf5<>V4Pz!pQo=r8qdeS6n4nLP}HHYz(BhTZ9~J@hct4y9(2)%KXBlML!;PM@xaEf-zM3fck^GadnG*dd^~1=Ag7?i=g^mSdwg@Z&E{ zvG^oRyIHnzseoj8XmncbIRknWhx06^wk%xDNH13s$IUzPNt?Lh=X&offBV~y&0-#oD zguazoNDz-U)Y!vKoX>QnlwUhy>@g)e`u%CpS7v1LxW(w&u)XQ}wPxYt=3#`FGf{9A zt#17Bm4!>RfQawj%4a@zk&kb&=8A;;)F-ME;_fo5xw-gHpm-+lHpXkKT9eQsgxYk7 zK4==Z+!upM9H%s)F%EjKi`LW95W!psSh$QYFt*;r)Os~rMWPl?#e&7*7s3t0*6uPpG7tx1Oi5UA zy9z3FVWCT}w*h7!dB2SLM3vcDO_UI?^4+1uASjvzYiSH~vXVJFwEQ~#G$$9g0)o$I zGmxf=jCBkbqeKIzPJEV1+8|7}3V|8WvGUxRlk5n#HR?OVW-hNWDm8Sgy+c@~AZlyw zO=QOwe`g*(YJ+Hbs!_w&KxwV=_N`nX)nO#Huk}6tbO5;qudw}qFt8i*2!irfMe;;{ zvFW!=Hg$dP7Z?d7Odr>qI6$}bhb}AKu+6kNPqBQRy%Q}QZR}p8@OcZH0Fxc;cbRRG`z@zUl&PG`LOI$HAg!5iSQ^fKXDrwI?bpi1bg zvUQz@W?p7N=(KQwP?Rr{?6G(KQ!IEYUzKsZ?7%*Dvs=nQ)xB>I5Gtr%zm)3PaTdNf zx6t0GE-ojZx9D*pcJ;1#nD+G0`wZIeR%$G6GZ6Ai%8FU)=i&N*6+0{;-=-?zQ$$0~ zFcqf9Dc;!4H58HL@MZKw@Q@~4Rz}t=6L(}C*wmDDn9%j!gzlr3l;HijoNIx&Yo`oLZ>qcW`6YKQwE1xOzSeH(IlOnG+e@^_}4l}4|L*IeSZKBzEB-};xbHoIvj zh%B&D6-L#%ejEE>YIjX-y4K)Vv^ppEfQItJX?JI3r=~?lT*juRb;}#lcJW(4!1Y-6 z5O89`#pjKwU-=9x>OOyR*sjsDp0C-Aa7l)A-yECQ?)el(!*qRmF?tsrojAdzm9ar) zOFie*TU}A1NT^8*&_>II(U`b@EjF$@CN2yS;9W>;gP>GWT4uk!CkVxn+o19bqQb?n z@D$y`zZ!6Fb+hOa?i?l{?rcznIwO}wPG>!L@VM-240y7Pb4}>!eA;1%>a>!-JKKAi 
zb$Q*OqPrk=n=$6tV>QmAwj&yNMO{sNhzUPKW5U5%MF0?SGM8)p@-m+1OypuTk;%D9 zohSN7kKS_Ilvv@Fa@}y>Jng{%i^D0Q6zVI1X})ZFVH6zEi^GjR!qu*e&em%YdQtA; z8|a;K8sy2KdxhC%3Hn38=3%|vsc5S~(q6xJ8+cG#207S8>N%kW_Sd7CazW1onw*K6 zb0n$rwBK_!(?hj6!l1<|=jfz5Cm|&uOfe9%)F7z(@OdImn?__(Q5hHz=8FZ3BS*L{dzINw2rkv2Ex=zqA34#Q&{75QJuYY zapKj}16Q+KDCY=6a-Igc-!N$=Mdt3$ip8Rn)jr;rO zSY_|A$Jz10UyXGGmL3Ll0SPBC@~%GD?hD7)gpLO755JH!=qwPlFX%9?y|2Mr-rVI7 zM6uTYD8+z&00Y)8{MvL&Pc9&vmDf6)_9pke%L1z>sOQtC>V3wd(d}53+6PkRXFJ9p zf0&pL4RaLOEvylDPXw0I`mKLP9tFvZ$F8NiTg%7Z*U8`zbas*_5lJD7Gu_fcZYc4` zd}_QL`=;RzxJQE_30?{9y^_8zbGAUwbZD6TEM0QwTRh|v8RbieoS7d_k(!on_L~Oc z&}oq|!=}B-o#e3GtrpR#+`%Ve55zkS&iCMRTPEvXTbhN5f=O_E5x9WnF=8G^zFy3l_bTWB+>HdJ12;MeyyPVjSvMfsw|q zvZ;vf6<|WdPZO8*FPlJeaRK=lyT|8VC=sWXYXZ_UIW_O!=;0iwTJ2RUSbW#6p}KUf zYB)|Xef|Y2z>ciJ22c~k4tF{7cr8m(H(EOBULjb*uiF5COa|`?WOXZpOPns(iupk> zW;G$ks&B|?lOY1}}&&9EuyxwepwefZP{~lxTRdSRnP>Xei~ zZD*gqc_81$RWizF!QAm&X-_t0Dgy`yqUX+ExVJNt6kcJ=ds9a28$Uq~}aVv^w>y}3`N{`o;`da~qrFjjP{NUPYt!fu#H(t6w74Je1Z z=5Ys-G&mhZWY{Ppb32M<^WVNzo#$9T0i=?@3VsRDZKL&2kg-GE6Q0>ZoW3;wH(qx4 zY1Z~nJ}u98llOc`otD(5zVHEnuwAm>P-gcEkYu`~muFB{dCDZmu(2B9@#8Eh>XWJ$ zVFT>Z6)6 zvq>553K&p5IIgO1N{?Gpdtvi0Ub+TQ>_wJ-jmku?VU6>bd4((oDga51`7*WXjsf*5 z@VDeSQK<=WXXPasQ`^}>l>do{l~bXy zSfXmrF|h^dDhwg(1km^7x{TU#?<;9_tt~2zLsp1tC^{2zbbG?qhC zn(-z8=yu-}bs2(GJ)2cdX9H09%}DMVAk&vbYUyC57U%!(5&f}O#q+>+?(Pr(JQ`{M z^Wu|-d%G_DF^v;cg&x6WtYey{F;#r3fj~SDOI9zDX}w-o;!wRmB5uViy!+>q|J}En zCS<&ZWg?KkoxCx-b!e|A#?hu&zbFn`+C}llO>a;Yk{ke_rw0N}hjB(#?zST_AJ%n7 zRJtw!#S8j>0{K1vSYe~nzTCyo9+@W1TcGz56pl|v2r&#wM=kN#v85;7wO z08I|o6ngTP%m4eZGZA1`)2=vyzh^uH5T%1vVtnua9NK>}qAQ1-#s87)AF}#?B>R_k zyYzot_8;Q)e}egM6$I$Av<04d|L)q?^8xDEDW;U)5aVJ1gS1ixHE$YMPmvnCaDA6u z7>K1@nG|FBTV>WA|A%AXd{2wwYQTMJJL%KjAr7`*kyCV_x<3{i?&a`LuTgAomtE)mfE$e-g@@IeEf}j`F}8#B2+wGF1z@LM4vjXPX?w``}(@29N1ETG z(NjS|4xEGe8kSD65R&>>gcXFQzqGF)FU;Z6M*n+4;Qy(TVPlIFnUVRM9v1Df*Z_x7*#zPPNg7dbxYDjD%_dDei8s=XO z(W;op;8KET6_+!0GWgtSJUxJ1CLUv_SPZomM7qr`og_1k9}oZ`%JwGJj4`Bi_2br zdp036Y@*rJ!}gr$+xl)sxIb?Z 
zm=w{=Y5Ml_1@;4TPr?SnT?a{dtuo%?pDiv2%U-Gg0hioa3*iTd=W31an1 zT?^jz9dx@&wQ6YAT2F8L1n39&i516<&{a1l$IkO2Ue{oPXTT+M0UzVnYLN zHMgB?#5EHXtGOB4y&B-7jO)AmysmcM84}QZ_1AGj=LNt;5&;P--MSS}_}%^kGE)|w z0FJ-k?M?SFpczQkSZb=Xm}&j->RSphX#@)p0sK%mtJ(CBdE;)b^<^fcATP;ssWI`X z3}0iW&0}$EVE$#Pw!s0uo(H-h2{Al-e{ZU8`Y+5`-QYsQu?(T@4y~47gBjjsu{%8- z6IZKoY8JbUiI#{@EP%-ZO@P|M(RP% z?V)Rw+)N-)c3b5HPIVXpa0p1-z0OrYPWWSQP7?2)g6c+K3;(uVmE+nEmEb%!`b2!> zbZgtMMb@1y_jG^R&%L6;_RPeugTH)%nxUrxgEv0d}10WL8O~x|3t{-lXhHY;{jw=Z< zpLj>XOd(tjjB? zqfS)li768)6e-cGe{pC{Zhe01>sQSAbVqw_l-x^-2SU3Dl>k21!4cid?> z_R}jV#`>3v8u46m(pxkUdx6)Cdc=#T93M{N^tk`BSW&#qxZSuphae;;v0Cd!>c~&g z*ReV*Ol!r`fW8g#0U!p3a%?y4GM&lp+9`R?11n?{#)eG{n{iRx#7he=W83*WaRn&A z&cFl3K?_VKau3}f2WZP!fzt9sCzoI30<>Amhf6H$dIrGEAc0lZbgOv+e-vnNeZ#^? z9R(?6{TzkIJ!5WrsQeMoXFpZclo2+vv6emhq!v`IHqPYQ-qBku?hNN#T(n;}KnHsa z8&B3p7G=A(!{a8<-fEcigcE|}+V%>If?}Zgx+3ZPZi{y)`0Q|AB|8v>aGO!P!7C3% zryGEpg{sDOyIc6$?Uy)Z;zR9i2T&k4*Q`%#=o@{p8zGEp9j$osVd-w!W|Xh}T#iLi zd}F_AlwH$8b=I4)?PXcog-fZn$wUPy(0Z~WB&T~y`s|nk-kzqidmj#>iQWNLk^PaW zV5XMITWt+{szZW9^dySmYAr*_u>p|$Bnn-wXp`q}#hXm#M{*rCr#)o3l+=RQSo-;| zzMCEU;*NFJTXr$*E%ESj9b6(QQs7UX;)@#*{?@7dX;AeQ1Y=t}c897)kUVUUrb27c zObb?zy%4@*sXpPE08owl+o^ozgY#5~<$g`Oj4~Q9B#vE0GILKaO{#|3SWEPL+=(ZD%pcYdVe%yvvB` zUiODvy}Ynv+A?I`deqaUlK-76q}F1{tgJ2GJ!3?=pE3F@A!rLBb=7q=f zd3^mw9+47uZ!&Sd@E3RsbMTz`MR|W}w4_rh|2bNFeZQ4!(&&6o%>b&LNqbxS?R!~q z=2necjn*N6vS9&|ive`3nk}&15(B~>WzDCR2NgS5Mpz8U00t^;uH}KKLdoFGlU)#` zMiNmPr0OR8GLeXUR$Y>|TysyLTp-`A83Rf_6GbP{_LkGeb=P{0Om^Fy|GvPV*fkw*oN_@RHrG-88v_GjxBuSmEbH1}Uq?!kYV zIw~UYKdf^A09l?NN0CmVoP8V*=Zt*jtXi+*2=&Yg=S+)A7OMf+92}IPe$}<=pmyPT zx>e)uM;4$udkH*hp1BRk6*Xm$lga^XOv9U7vzcPVI55iZHn4}kxoDy3lf{le<30A& zNuf@SXM4V(&y(WI=+6a|z)Q86m0CkmjA;d_A~q%#8*IqFhb6EW)#8Uscu}M;J8nop z@1TtJ)-(64vDf+d0-*|9J~D5VCB>KK_GFg8H_UJ0qlf}co%W$Y=gw<>Eu^Jn9~xjsAL6ZM zdY`?$xO9-9`B=;5oHXmj;r44dpzY*j;;!h14D~Xx&GO(4he{r>;HV>6V%)L9uer)Y zzow(|t_nU*x1bX959L!gKdM(5)~I4SzgANI{#V*9O{1r2<88LfCCdosga<3ww}(RR 
z;GW~*c11_)YM8O@4g(-X@`f%IS-ZK(hrgUMoBT>VMbRKbBRF-X@zAPSw&vnaUnjG3 z-BH&2n`bF#4_8~cw0FI16_Yix)K;c}7uldD#-~5%>H6#ZgC2;Q5LlJnEAbr)#lne1 zdxU3T*O-=8+`y?M`86BTJc(K1TsPRlJfa{VGnUt@K>3OMd1JpxoMm!uO3e_DEACW>NSwJ&Qks#TBu_K|k>(loGV zW28CP;4TY2dcuiu0XZ@zq*ZIs^=3B@J=k;~8{6;@#}qzy8LKBWIK7TpR>$l+ihJbm zd#_|1E7iOW_`Ko_DG3;T=xjP_H7Z37%~~!5NmhMrk2egLy&m|LBdJ-&<(?{1W|ZQT z3(5To9p(scO0a6ccJRV7^d0nSy}wXbmgAY;TXBVkp2TJXDL_Iq^ce%o`b*Nb2v|?| zo#1un_otBK-#cOeepx+B!v(=ukPlDe(-?kZAzMRDObBSvEQ$)Qd5&5Y$n$e@SAp@V z-eGq?bkz2^+=ikxGpEMF@29SEZL*fc;+~|XP}1Fr@=+xm(2M@7b+A=eBgMWy_b3&CnWt#=> z^D8o1ueTQxXz5iO$#ol@@8k+W$Ay;w87f*UNb1pT17)Jk!vho5v;cb&xGka>DePqN zAY@+`OnJ!-M{14Sn(J+l9z*UQO2t@iOTjfSC;l-&WIS=ybBxlf=o#-V1Le}M0S)Q5 z1zD*$6ns)*kxu+JK$EBW$L9&#@h43Tzy}i8y4hHH@}K~bsW0y6_3csX?MSuh)PRK; z2gVx}R=Fg;Tc}7?;$Ilif_~^@v(#_MB;i8}30DrPCqfv@vAj)dAx>|#f|O0nNBKDH z6}D!Q0jS#H0kDU86VlzJ+l>U>$qJ;M3dI*#HfsOJoQi|r9!)2X+*o!wGRc)n#bJ^n zz6j#Z^HBOKt^9sK8^M0|i$5tuRE9HOffCb_k8L?^BfXptQR;CMvu+2X*Rz?8FQ92v zJFAOa7kXee6|`Kk3RG0#j;L3V+INTQd|Ce8T`|;8oa8--gu4*}3W2dS?+M((jftLu z*$Sb!E$SOtZVi{JN4tAqi|)7NUtP0d5o?>oVU;$%nj>LqeF0$0l8HU8GP51XwhpEW znyRi3W>$i18xp9pY^TLzhyhyQpJAxiJod$0Kw&e12zVrwtf!xl-CX5EM$5%K?Y8UI zMl?{935gBZcaQ)~=`RyDO`O>93~b5pHp#5$~r(5C<;T?MzOD zVW}~dh^2fA5LX9m@zbbSove5FAXEbaP(4M%$b9Cmg1odhn^2$*C`po`mGi2YqyM5$ zAx9!M;5_K|81PK+4$`A~Y!*wM?V!OZ_I?xFprRyT&qAM&Z8sn+0al9{;ofQw(tAp( z(hDm4Ze86T%t7x0ytwrUO@Vy^>AT08(sINLpqk2(q4~HY;F{t@$c@i`;w#T;-q8#v zZwnA`8#>9XfbD=vY`CS)+evkP4-I{8CiQOjxg2C4U}yHzjWGXv;=CZI_zJi|&j+W< zv;~YSat`CtTo_KSnx-t)bdK`9`!V-bGy#(Ii_;W=vU1U%PbIvc%alrz8n&hvyhqnK zdgp@7_E1Q*qr$AO0?>0UCLLK%E@b??)hOrREuVgV%AQFG>zosNyspVU-whxOdrx?| zvf^P|hJw$=y!JD$M@+lQxh9#zdc8|WwdTg{TUWHr!2CbSg!k5Swrt&-HwHb~TSC*@Mq;UW)>KOSg3&2(h=*|NqV{f~G zQ+yySaJ`_n0)z#U0n0OxYnZl`<0Wvu>YQ}oPOf!2JbZuWRhtuU`D(KG_KAt;h`Bz~ ze^GSd0`w?QiW%yYHeIAVnm;|RZq;If!}u^TS<)12GFR#6Qa?>HT^2@^dZ77=wR=_i9ymJH=*%N!_9*HralFnlkwr>W=X{=@flM z7j3_^+ry@^0+ZhBM!-l6?T;G4L*llRt46s8;cKxLf8C1E*SX3{(l@xSIZATCNGZMUvZufDIS@C(UEnSRs<{lue~5n6Trs5ze4=YjIaI@xJ!wd- 
z+Mu=cRVKS5_xvj=Wq`obu4{9=*4zlVnk9ZOk<{dOf-pA(M@htzQk0x4V_{F!Y zooK`U7cwP5HTPdRnt>7?Ha&AI!L7H}_cUlLq`iQ(pL+$kGwfJU&Tw_}#~UR1Zb_t8 zI*t1G2_>ypGUX*1jSfeL-fDrt`1Y3OwWFf5fT7)dc0}{~50P!|NsdcT_?(a(^$M=h%rjd|!ZAsAW_m zIq$`+UNBsZmgAZzRMhxoJW6fPJ=@Hg4SXO!qn-b9i8_Z3fZs~iGhfU0R-=fNZ*aIA zG;PDEd8%#3SRq&d=C(dOR{p&0gp}UHwO|+xlSrMk>2z@-{%Iz_14I|15A|o8PhpMFwPcpn6RI&Ppr%D%-?7Dwjy#X1w|}L+ zrlhrCUKP5l-@8Ar7tZ$sH}v|t89Ex?r;SaA%CrAonW2}?6e4)c#D(r}}(Bz~x^(RW2+gya>_#yFaEpKcxYh-)TysVPI;faWkfUR{4C zeNr2_Z@a`wo*aa1i9RWz6t(qlbKUG|ntqFQv^+a{S(ar!d~XMtz7GGWDK%WhHXSTU z>~UA&1O#}b&RQCgxUA~ep4)Vu&tUiKuKS*B=X>0B8aJ1yh~Ekr3}8WT5*BCTWVV)D z>N|wI)hb%0a)C-@ab$9rWwdyd^T(OC&!cI4WQ`OrkLpSh-w;Ded5&Jn*dI*=hdGap zJMm1{f?zrv;5jY!SZyws9FmV~V*}%MXUfveD7HCXwZ@suJFK{yP1;$Woqg3>JMhml zySHk4m_G!!KEXgmPsd#8%l-h^eRfpLmM&-PHLgF-F17s(z68b%>J!bBeLhnGB84=kqxm(SFy3=C)iQ&?G#~bdzY1%-i zH!?*ah>~HB1$NH6qdlDNOBhXz1sOa1H%5{rwK0=RtJCUM_$LyVJ_SLQynmV=K^oYF zxr$0fs)G4@iKh+Bf#0fEf@-sX)3>og3CI~${$j4R%4F>7ZS6%HO&UcstF%=zdr7F8 zDI?_yQ=Kx}_k3dA*ERY|H^WC30Kaf4er@zhK1E8SeS-BgDe zzzk!1W2qZ=z|NGK&0G>!n=C?sVs+xv@;vsk>%6GhqmzIbDC&Mfsehsjh7Nqtp$+zz zR8k@#SUe>ODcGWL{GG}8z4-U#{IsZBv23*6U1!fs+TG))(dsUD1oGjB+O1oJ3s~gCrH4w;J|E-cPSTb4wI7W0`tl z6Ad94<1MRaa1L>hy5LYjwK?jTzrvh2rwqaFR1Ff6Vy~Q$ua+oU3hWA+U-p;0l;y$ zu0=y?;vrUi3e-g;mTER70m3A)&*A4ndS9=r?GM!c zsW|%6o{})a54Z)>^Ysya+sS+iWjt+04FNkraU)8VpJPEw0hLw#!PEO6Cmv*Iya;hU z)UZVoWK|C(xZqWDLy>C`m5vYF*cU7Y5=ZK6

DUHC_u|n1uMPfu zPxb@Q7!og%hX3@>{?$x>{>jtO(tig`U>1S@(VbLpfySVK8#es!e*Vu#U|yOXZZbuG}Zse$>)#368w9e`HzPC=Y0yQ!4kVMFO?`)84g!Z z%h*w|_rv)~ z@l_C1@jsrX;Dxz7jk-bB-`_vBvtB0#ufyrh!nD6WylUrf$8T$X!rCa)%i&v_detG`&4H`nWMWQE`n{i7XiC}U-5;uK+GiL%_29O(vjf?kmv!z>wyn@UdI|;w24?=uAYo4Y zT;lBegDMUxjtQ!${82inQDpy|=NZhaKmPvZr9{3eo?^Ol$TwwiNu*9{YPT~R>Fw>K zt~nWnN%kRWU;T!}&CBbL7oLCr`dRTIBR4m<-(L*`0_9mYUCv_2(4)r(1tC%M&<2|; znGwFAPyAA=LdDJy*3r=sJENku=M}d|IRE_b?+^IY%U&{L30WP(U3ULdfLf(C`Y-(z zQgaix$h+z4q-=D3@z>HbB+Rg~};b8<{VECHcJg_nDbrWVBw z&X%GgWN8;0ulSexsYDEi^5!2n^*7qEUXql69OQp=fuQ=^KfV-|qy%p7^hV%ejURom zA1=hM7U`2W#bNx#jC@{Q+Y}0#iXkBS%&$R7^D|!8nLIK;L(YeRf+tvmOY%r8-~$Ry z9LXQBfBzDT@w^T=B;>JThrM_^v-?BIAC-w*OKlfECniZ%kO{`Ux~M#)kM!ilR%hPQ zbp>cj_KN`<=$JCruk75VvOXbDJ}Rrf%RsM3K>8Q^%m2|YK&yta!n{xyyLrjl`!J_K zTlv_nkBXS_cHcU-H}m;~%2=hcIyD`Q?*&$@g19(*A{|a|Z|~=K2c1scIoOj--ohAa zSKn4;oaFGfs>ayr)k#(Bhx1|LF;4h({{AtaKK)9LC^*XyFK z5LX)9Bf70fgC7iEgcQ4e#5tM8X4TC5U(mg9GC3(}%h3Fdsa`erAh3kFyvF-HtYj(zd0fS!s&; z48dhLnlS!7q36lHJOnO?foNH@sDNa&8CaF$OCC}rE^X;WE8gSkLIPq z`A_@aLV%zp&*lbLQWA$g(+?S7x;;cmG5|QE#t7Yw4Qf`-1k++A8d};c9|RWTk;U-( zL(=f`2t;7yn4<@57zSGl%$}03)M#ph%!1IVsT*=QfKa!4H+IS*b?LV@sEHm=ziODJSKr z9TCuUj&OBB(MMun4lFI@1lL#fERH|)tE5O|4WQp&wRTb-(j zq=9525M=;f#e@$UzaSfL#@y@R&_Jbbsnbgj@JO}$(oK(|Rc+-u7Y;hQ5EmEM?>XaS zB+)hU(w4%dqCZ&1WOvuLm+&z|%ERJpcF}i2Chtq<_W}#D@8KB$$!iRp?siyF9Ou*# zNLi?_YT`ur#q8%#m@^=0rh97lMI_X##9IZOP*CobFC~NI&`fV?h;cBK4H@6+77t+4n%a?)^?%Rv6SF z4;YuC(##KOEM{b*71-NgVFTV#rTR8Tim#kPh?0&39?qiQ^TQpD?Y7UaGX4PNHh*7v zu{o-R(|55I8zWc&3)~YmheW~=+)7g%?O`AK$e=?;pe@$+NgH9WVrF> zs|$JRQ$aZnV5IybT(UY0X4^;VHQAHX2Smya4g1+tg*Io zf}p&$9zuT)idDFIB+7{3$ISoq!HmcT?(5H|b#3ehj=752WIv(eCTti7`5t=c@oUmV z;abKHGqtPqR(X?yxK98uxz3st{D?3ybS;gibKiiG?hJ<_doO4pU; z6zg$l!P?ET>v8t8q^7E%*B^Q-J^89!8yIeltkLlk_rr2hr%IX!-fY!iC(MS^R6n1; zX0Bf_K1B>u>QLelPz?7s;xCUH*d}gwnt~;Z$=|B5p^xl`wL1Uxczj-VSQs}eTvTJi zFp?cKdZc*E5~LROMSL$yq(lkw(tfh^MZz>=hWvxzq^WWqHo`MtX~04+uW%TTmf>$_ z%$*vmnb9b6cE3b-pD)UmwK&Om$ev 
z306b6ILZTLAf6II!F)ueyn_JCK`VUWX{~y4bZpVf{TxWzHu6qcnK1j;aYeda9x{Hl z;Y{7Gx0OKpu_is3;oqUiBB-aeMh;|;lxnvSHPe@J_(|2rf8Y)$H&aF5vbsw#jpIM8 zaaEuDhadX!Oc**H)xH-5n+E;VMYk2+&UN<~5%y61wk7Cph|c_kox=QNA%)Zu7j5Pk6-IIRt&Gxv-t|BiyuR37L4NU%%|4y28c;N= zx9hL)jMecMT2x5?;j7)}F69oBZF-gh zhoj|c{Syp|#rpV2fR?J=3oAte;0n@l?vIdL`1D9g-pgJ}M2#r}zQH($HoE~53Nd#K z*n3Y9=K-bC;YjOdKbUdnQrpZ!MDl)jB9GRJikd7gD(Z9HqH~dik%3{sLjiWDz(#Mn zG*AYbqt)UfCnN;pzo#w(1&>}*vEvo8aa|9w$V>!mh{?9O-^VD=A&<5RD&%S$R9CFnh_<_^&HpD`XRYueeKb7lg(E~@tnW93*nEXcgF7JfdDc;fp@&_rvnX#qj zaqQE%_=6X~1?@^k%0;^J?PsA3-A>5xXZ`r`A-=NmSAmUDlIz7B&D|W3Q_P72bmu=N zWYT}y+>--(j3#3ke>;tqZ=lr1o{(w&-X1qH6j+Ny&&7!ut%Fzd6y|#|w7HJhHAx$s zKo+oXv~8n6xomk83=v+aJIVkRDHDAo60%rfVq&rd&I%c$&P(}`mX6P1p22v-Nhek90EoCyc( zc+pZ-2pDV~P)bfK@vS7hAabS_Jxj|lf zZkJIj{Fu(r_qe%C{Bo9F7Hm8y-KfEG(R5|-U>WoW}rM6QAoXRkl{9JER#NEdUL5V?UZGHASe2G=H`Q_%*hZ}ta zuS!SX>a9gMUOa%g=Bw2EtNn!Q-t*uKeE!U|)Tb3UIB>~GbeUIUFnG7HA>2E^3wH`} zCOx9{t~HvWAlRiVZSLn8DNdUC$D0THh~ zg{}O`WABk>R@_@qh-_b~x80aFG|;OnjdwU(?S_{~6MUvSZK>B6-#~q_FRBt-(@Wz^rriA;>`CrLMa<-RjyWNWMxNP#_WX3kgS0~?b9DlJP+b(D&W?` zOswKl)XmgRL2OJRQ!Ys8QShv#KMV#`WH^DtAHuiNMmu!;G_UXT-d zM5_>wNkwAtN&wf~Rm$QmzBc5WTYWO+$HSSJiZC`Ol51P;v^&h3h#KFrnUJ;sd)K2A z=PAeuS0x1+rQ|p5(_l!qTc!M#mz_S?<)>ac9l^Xm*Hsr3t;&~3zlbVFq7~QTc4o4H zm_j6rnlurNTTB97(S|hH${1f(w~&N(6^$DY_n56nwAS2TpMfHspz%GL_1PsuqeGW1 zshWd)d{FaDS3-i`8L!tXM!7-rE^=E1X70=aVng~XO(|UyqsBcqxxp4tTfm5t&i4;#J7N#kO9e?~{WK5KdG|$q8cH0# zAM{2V=5uasTFIl+sfGLN7Wy~w(>@sxoK832i`kW!X~r1kX@^^fK~x@kW-r`Q!Tw4( zlCO-VV7HzNk-jgtch5^?vC4&c_FUEu#0ENXl?s2jm3!b>$!^@<*eLQP)5Ak=>$2Q@ z9Z=@h$7U0CrTSQqffo2YPL;h7-k7_uC3`g7op5vja&$ zruGg&ro7kHY_ykycD^2@ASeF?92=5dIWRb&;Y*LcwLO$732aGOlrrTAlB{m* zCU!Fsh<`j*I8I~OlYM*c6ZbC`05Jp*C;oVDC@Kpz)ONe32-Z>_dxhf*M9+3kdebui zvB{|V3HS9b-tJ_Mr1B{gN_H~fc$jDei81-yW0Ds-<3v=L=9q6_)L#xS_dfl0Ms?>6 zyLp0SjTWEFI2=xaB~Urzyp!n<2}mjGfntc4ObO-=hEE9p$2!Q2+($MyL_K|cpmR|X5a<* zE2CK+cN+|iaeS(ERtwv9GZUqaL5D3fQ|ji&t3oukhk#7`V_D0MX=-C|ysJ1s^t0o9-9 z1ENRRv*?)4|bdtj_xp?M}XfmHtS=0anvbbe_P2h 
zGr9Jbb$jY%q5dfS$+G-*Et*XPu{iN;dXcIWTzGb{_S-5(v<#E!N4nU7m1Fo=`quCv zB}5GHdpyA~T~V$Ggl<07{xobwUa)C=J2kU9)vV#N`?CxQXV(uLyC}+RrxFJONFNbVBo3UPd7I4-w}T`pFw7UOhp}j@>|?FGhJCW##d(iZrZgZI7@yIco%XbaU-ne6UkA3V3PAkIvW;(mqyahq?}3DIq$jqu5MObNBAc>#5?A{ zVC876)*n^6yF?ccrrFOO^4KDEr>?&a`D|1%+67y1!W&O-`%*-LVuLL{sU~!tA+dX1 z5h4C!f5S2-q#G^TWC=FjRkfm07SE&Gr4(FrM85nD*WmHOKK0a&`Mai&IOdVjL2uc} zJG)````6=zb2qhpOm(ud1A;iY!Bmifx6Z9`0o=FNQDaSohkEyWuJPnjPCf`h^rl*^ zrs%bAtUU(!y&2L(*IIhbnru{+LK|W$jbuvP+J#1HpiW2fW1T@mVpJW|Ypw!#>Gz50 z%R=JH%_U(V`}p3KXR#x=TuIK1E<3dYQEksKt~oWlY zj5@VGc5;dczeg@e5=G@zK7gzixmsQ|G49=rUb{3-V}6X?I4XWwYSx@qeWT(nXokUg zy%~MBWU;cnmIK2w?t{jcFH(YpQ-7BV<=l;3#29RSOdCn#O{C-XpD~EnE^TgE3@WFL z*f`=rOuii92{VEgZ1hmeN%DFk%}UbI^QF38(Lbi~ITyO64=f8{&iR0o%i3~(tz*zo z(}RY;!yy#q_(Eyv8I^Z|=-;{K&Gqd>xWIjWFnKqDy%~5!6KhyYgpkLMR2yeE&Gl4# zzQ?Ed+zECEg`GJvI$C({E-*MaOYnlVXjBC5HdOf4fQBkK&4Iy<^S1N(rOAcA&5m~X zog|yU{rv7e#dNx5B3D&E5nkf{c`lRvQB{w|Y1_jdt()g!Z?C_*E;=JQxd^DB6d)Yk zqRN6m6cooK4*H5Q7|S9FryE?o{MY)KE)%A}fqX^<(5U42-t$WZW|xib?w&%(YGF~? 
z4?o}>^CpLbNeI!dO|b(U;w$4$IOi&GjNvH1I?ubzEw>=(RR?AYXJed-3Gi&rlb`bTSA-Pv8w#>E(b zw~Go3gP75XHo=yq&WUeXS!22eFM*JD22);$b%77|Q*4Rz-HT)7zSb|+L}*i+n5zWi z4ol`7w-FTO_Ppu~G)|Sn(TT7G9*+%HRd7=ly)8qLTHth^@~lwL014gwyza+I_m5v+ z2&vW_3*fkusqzz-Fyst=f6lc%t1DAhvR`oC{T->%>O%kqJ~?k@Ld^ZbZZ}1mmKwgP zJVPh{DUGS=Wq~RCsK7c(>^eb4tWZ~n#h^;_RZL+pfqZZ3wKyw^EN_A zXQGzF9?#_*R&$bOt}f`C@-V2Egj8OS{>B#)n@{n~ql3Yt6Ra5PAjn2$<4d7=$u&32 z(jMLa)23Nr62q&MAG7`A^Rey^jUnVNg2qeh`&`(W&$9x9?8}Y96*dufI;=XY@+m&Y z&UWbA~|(wrUye}vR&7hpQBQ_Dm${Q zrt5{+LcN^?&%3iMcQZEDJyz@90ks3PTa0kC+GLy%erzsH0w&FpFD zo8#E_yDo9GDQBj=8iGLQGHN2M@Whi?22+sXkrHgQ2CXi0M(VdI4U96rtbTP$aSo5H zV6|_L11+?7e42IZOQZ+JA58IjvEoie7d+&9Ni2c`u$f9O{6XCV4L1zWX6+WDuV1!` zj526Hw5C~FYEkeI^6DdaNv}z-B(i*gSSLM@3T7tj*Gf}3C5Qog6&IOZgm^?6ENVK}{Ai0W ztk$qOeHSy{#RC$dXDTqmJQDL!<*Cpaz1EFYZ&e)ZSx!&Nr(h(;I=LRv9Q;7Lf~M=f z&xN&inrcMWuwCOaRX;gWHW|IaR@EzKlNi|P+YJpS`c^#EJ*Qu%G{wHu< zq9Ag&57Er>GdNhZ;;&y2pu;}!_5lYZ*E~zn_PCWwbq_e+7$ofiss==TxLCimJ=}AJ zte$aiRfphexyniYqQISTUolCegUVo7OAZZ4vVjM$!4rs-DS|-7``c89 zkp|mai@KtN)6sL5Qe_iFGs-ojt*j~SD*KW&hl@m`9lJEgJ8R8JwOVt$(AWGa3~l@J zN$IU6lqt)f846R+{(XS8hCJSgWuHmY-T`)(&_Ehb;`1J%^)EOO+? 
z!t$!FH2UszzexjUK~l6Fy6uM=8lFr<_p@C-xExK0Ylw|ZQS%-pyhuvoTix!T#u=%Y z=AaYGD8cw7Eg`QNjf+(cHnh1sk5$%MZ@VODix;>)!#sb<<*#iUG5X$J>+vv!M^?+# zam{c32uV+%%S>711m7}2XoJ(X_~K=RY-!RGkmXa8*B)RB6axcG1^@logvr2G{CHm^ z*_0%P{HIn2Zo9+ccrnM`EKZmbh$akysQA0~y9@oeY7lRa<}F5~(#KQ%WXh^T z&0Xq+t;@1rSPPPgD#e-S+}{~kBRuao<=SKj1mp>7$VX4a`n7kbs;RS*ZYZu#iD|-0 z(#y&+&~im(N8yO)_fo7Rv83mC<{*&sEx+%zIc{LFmAtH$&U@t!R0_@( zZT&y^pu^BUjh$BpG^*r?4R`bx8k~V5ixRh6AZG9ZsEJivg_S5~^kJO{S9xH_>M?xX z>QNjeLJXxTXEK~TNS8L|0rGYt{sa{`@5N_A`@44#yVP=?1J|kGF5S}3R_0P z<(sya16E22i<)ssGjkcY2zIDHE})_Bq|pBUa!|#y!fs18Ak-N2+|@vb!DHE$PcfPx z`e+xeK&6w<(?@F$@P}?7+A^wz7v>ej?Z=fB0ndq!k|U+CQq{LJ zMZR_5_HLI5v)jWxpV&XubaK@K-6dWXiO|YJ{2Bu_IG*_)Q(XS|WFnt8w)6ezPjey< zk!p#w-K)&>hAa2*XSHklpiGqadBcXl@mOtzwY~=9fgJL8CJu!{y0<@r`J4muJ3_C- zp7RJ1}`9sg4|bsE^Rw;H+QJ~F&(r`Jw&%lW#e zbYoqq>+~y)HENHA0hqhNL}N!>cJ5*;5+{0AAnbcFO|dCS;tBjfP9IU~JlU9sw%fjH z_sscst+w5F7{Yf`&`%=HGVku#WOy1ls=%7UI2YeAqs_8B`PwmZ-81%j(`*S1iXQ^H zd@4SEpbc|)G2YtJ6May3P#AXOUq+b)fA&TU)a3rF3YJr&Btb*l(A_YQ?cxE;>w48e zCcE=8}@>zDd zp-mVGx zm+G#YvqRwm1cEj>-UB@%|If|)QIZ8N;fLgF*apk*5eH{pHCb%an}$^_Shj_Bxkx+@ z?{=|V?-D=j!7q#UJ?18eW?ylZY_^i3ncM_mo#)#kyb~&tRDH;fmIRkjF0*Mm>>tOz zm@EMopx7t_?eujWr3>}Je zYrWrAZ{&cKX9^pyr13Ev=)(Ut^YE~Kw98;Ggyc755gR4z)J#aTaz87fl&U3WcMdk~ zN#WF{o1jhH$n08W?Cc`mb&Ism+j|3dYZO7m%D0#H28aAKHy8begxbf|N1elFL$lXw zhsfvZ-k$j&=8jE`Al&$y@EJnMAMSy4rh)Ga-k;2KTamQEP}$8X+DQld&zL-JIn{8s zoQ7e6?Q5Qiy)9T>jL+I$dxUganIzx)fQ07++KPkKXnZ=gu=3Zi5}BkiKKY4NK*}pJuVrYwzEM!8pVc z2wCV%S*BR`(*g8FGp>(tu_IeBMn3rz=X53zaS>Q1879rC=Zue^@*5(gJExSKinK9n zs@H2*jCQrO*G9fZ&)0UU8hY?5;MQal;yI3JK7=i2`+ht##28>$oAhS9M9iW zK^EMZBj~k2y1*$@*-~V=h2@D+BR415xN?%GUHZ~=77SeJn1(x}F+RaWw&*q4#WA${ z=qk_myMJ))CmUYxvyr_c&2bFGliDVXI!@KSrkgjNmTx{yCDK22t*+?J8t=;b1m{uF zJhf=#qhdfuxyzhKMX~(3HoN`C5PepZE(+}5)3JPj<<>MV*`v0hV%c!{8EbluB4#6!1C%C)2JHg%EEw~2~AZT!Rhr-?6-QA&Zw?f}a-#zp8 z%+oX7U!D)oTD58&isEq2W&7Iu{P%AIjU}U)s1=?l^3EaSF{bosXCwS18>XoBMMbI# 
zRx^_okeyKLR7AW95d8eK$y8gW)^2JGgEo5oz)&Y5HDFa96IF!Qo!XyV5`pgtuD$@dqTfyQ%bUhq6%W=amD9k(t2e1Fw{`-ev(9{EXVqv}2($Q&bf^5-A%2$uIV6WmI{ za;p91h$rt`;v&lg?+&vdZ#dr;>%242N5$MEDy!QLP~0(wbzns@CV+ zwFl&BSJ>mVnpXpFM+yIIN6{}XFRvH-7LzzJs}*{U?iDl|ciQhYrjk8Kyfmy_?*-n9 z$&P7(pM_zO2=^Zl?Pyi>6cs5(v+7@LvF6!udowh}S$u;@tKCvyZNXVdnJEi0Gz-}x z5_F+tf5NkP%8g zSc$4~mjdTylm%?X@uY@uxA;Z%X+Km>_dyhtrqNcC(CW6S3DF-HKMNF;IPtY+Wd?)g z$$F9p%-Ri1CZ9d%pm6p_CWS9>Rzk59U@}s3o4RK#eJn1f8N2j(z3?=7=3beWHrYQy zk>zD#T}?y-VnDe3sxp{4VN1=aXj!hWyBViG>0%Ynh)9=0`-N3MW<3={3d7x`UBkVn4>54@7B?|bauyRNkofD_`9mCmL~nYc|OjBVZB|JkGSOOikOZ^2l@WS zzo`z6MTtTgQyy59kLcoC>?IJ$80~#Fu6Pm66dVjdO`=!E*GY^5c=eN#-18O_cz9`4 zekS^Th{YF3ApMqN8M~w9!a%*P*3~aYy~5CZ=e;!VorjHx=hU8&AlivC(3y?)o!z&< z-kM79E+X^jyYj^*!tIMxw+%{3sk+ZWHDG+W{``ivBV)&U=4D*va9ej|sm%u<4Rh=8 zQEON_i-m4mL1e#38IkjiO7qMl2N=uVp^5dTNI|YwwOk{A24ia{ zs>{mit-$v1)OR5pcTRgK|=ylFw6G_;gAjUsS74bB5dQ7f&cz8C9Ho<*h3Tp!cTzGzrX z3(t*Za)3+ZBx38iqrNmbk%1NS0cL)jsej}z+}EQuv#Z*k+2W+VG;%e{3ViXtdyE=q znPKjkDTvz~uiD)vzMq&-OFwrj?WcRZxD0GiZ)e{?dr`CYOD`E8sokw}n~qY|THR8& z9laxf_1zicxV`NsrEj}o1}pmGN~&GQw2(lz?J~E-fiTC%G-}Vqg=^?eHYpb7H?7PG z+8yiHEUo?(;5f8dj;1!(fRy2toC-1TO`yv2HWB z@5GRsjE|n8^#Wif^;Dp;0~`=x9?0R)ZgGuhFV^N*z;5XN(rtN{##L*1ZT1KjY{e}A zXDw$WGrUr`Hk>Ebsv!Spw~c@Kx0aRm*Sn89RAgw`iH^@aT&>X@ z+x9S!i2X>IhF>D#QCduXQ@rN0wD+=Ju}ZANAJ=(|OW6>sAM&Q1SAG*>?$jF_u4`#f zwtd-G7!nbKHvICGna?YtRQ~w&2hXVPC6X7{g+HTL30r@OhRvnf{A$}Hxwb5j`o$YrF?&ZLYT|%Zx!<1%PWQj4@{x%fN0eU*$yK z%Q`=d5pU_+WCaUZpH$pd0JC2vuv!eqvweu-s{$@M+<2vVOyW2J>AtvUS8e~TwefGo zGchJq`oJ?6SOV&v9)W}+`6H0w>h5U@bKm`Z*if1kX{M*FFuRu0La~FllI*_jbT|3D zas=NS-bCE5lSi0q>U8Jhp&F6>Vbmx&bgvl9^G7)k5wRP-SZ3@E;Kk2v6w}`?6KXA( z70flx8Esg5eMVAU1r>A7!n}*anhsNu0^Nr=n$7mN#9|bemA@ND(L9;*o-C*}?&7#3 zE7#Fyt3`txvDA8>6k9u~(;P%vxLbRF)%%{0TK0A$JRPA0tCtNeTq^yjJ;0rjVx#R= z#YgR`969QiC1b>?p5^shzSY{hd1kfaDCkpG-!H$~IY%6$Ht{V}RHy2io8J>H^YIV@MzHgE zgsm#}2}k*nCF)eZLj09+XW(2MFt+v1_{#BDHo-6v0%S_8AVDyA;9r}~nTYobp#@|U zt10WwL>tkYnv}=7954KCjmS((lV#qd>|R3TSkD_Cx@%Z`l3+=;ww%i8o1Nogqz0v2 
zB&5fVTr1^&H9+4Fjq%~=_kPCnYhf)I&mNWzX+N+SK+tJwY6_+*$=(;9dDvv0<23sStAm54b5GY z8dsd$U=CXC%Yb3!w^||w%Z_jP#`?_B_QxL0%lV^x*eENy`3MiTDL*wXH)K?qk|kt< z-lJZ93-DNJ0Oum$*69kP4`)FP_1o6@@pa8NV8L@z1#2EJwqzv()OSalPQoT zCDfK{%PvPVUlorX9x1xRlY$CchNvvSnae8Rs-Jbz_XjcI*AqPY*mcwHk>xNR{?&vN zxg-R_u@n4Z(@NGb!m1F6&*mHLFP=jy?wziTUYK+Dm+S*c>yqebf8b{Pi`3WSto>#> z0wTy1V5$akN!LOD?830`_3Z-d#3nI^V>hX-a$rJ@xnEJFknh`Aqan1aQxT)vN{d@& z2HADUocZgkua)!X2|m|GaE$qKivZ#%P|zA>vCTTMJ=HwZOHYAAorHoyf(_Fl#G$aw z>u%N!)WCvKmeB<#u(4eA*|~0@78Q4*w1C)k&*r z7uM2FX9XS)!k-Q2xTuLf<0wYw7RzU-T~&qC%c?DWY&>$&g9Oy5Y_D!VH)3Fb zr0^=Q-2uQi*<}pew%r~wc`Zr9PWTNNu*7ie{sw=>Dq9!Jcqt?e6yik>ezPh|ZtHDH za22T0L&62)hqVQ&2E7 zWZ)Q+^&nV|yt8XZHGwlJ2&NE2LrR%gZsF&c}iSqJ>-cszZkEz)1 zAFVYu#H1A`o zDyvB{XC~@f4p>WL${_HTomkoyMr6DX)DszP_JEs$yyHhVR_w#W z%a4&xE2bqz@aq*B;-Jl-rOjGebe5CdpNR#*Xirqt8g)_aP3(o*56;=U@w!VxTr{SY>4$ToW)`w zGW{`451haGT~8hjsP7Qa?t40?KGW_~M-pli5*9Ys;3YHI+Ie<|?L}n4o(4S88aAxg znjyv59HNL)Ybh%#$^)Zd8x&hM+N>$Y^eg?rL|o=8WBY1#FhWjzjsxrUc0vE(Y6O4d z1r83;PwD`SVIsGUtOS!9rjO$5vJoRrEA-m5^!a?c-7Cr@sx^wo`s#dET-)T8(Ip=7 zIO;ZvU_JokHo35B#*@B5Cy$z87SzHZ$gVWlTG!j1?3#P~`4S7AoiiB^OezSx?pB>n z|jku>GdkF2^o&9sM;;(||YPf!|NP`ioc|$^8+< zg#?xbfr7C1HLskrED21ngHSkQ9^}CVuTxg$*4%qvRv($AGkvNTzx!h7UYReJkHTo@ zsRbI&IvrLWcm=Z-%=dBZiHd^4=bp*bTT&UQh^$`Y@@;u!RU6qWt_kI%jv?{^Qa)0m zry|LE{8b8Vdx6{^mE`8)FpJs`POq52DtTeR&s)6Q{r3pROyU6G8z@^(7L9I5W<_y5 z#e*7W`Bd~w23G7NuL1xFcnLcHQmR(Ap5Me7OMQ(up>@d#f6Ag5&#-*&XRcQ?bE8V>5#&#*P>8o;+--A&nNj10JJ zQ^~;ku0->-e$P4{<8pG@whUgVP*g;2a;06?7CT#czYguUs_cHyjoIy5<~9>{(ximy znEo5i5@-)vZZ<|%SysV*EQZaLu`jAc&X(c%iH8|b;e*toZWVb>anD|N3pTx4K08XS zUUla37mi=TQ+W$gchbCUJ|%k+?422TCJ4xGilwSgbm!9?HwU<42Q@f$ zup07A{FCVtJK^||^xVAa@{Pc2)EZQ0y>O)GUR|NVU<5`@^X4>M_PycxQ5@pPN#Yed zuLhOpz{BDxe!w|F|KvNyD&wrn< zM<|R7Lqh$ELRlov2umZSgHe3-c;(#BJrkfEg@gcpEO>+XlAkrD9&ITwR$`4M+xgEF zdfM^hE(7c>S4Ywx;lHkHTa~38AFgYyMg|enPB82@Ww#>du|etK1UsXlE0BHGyGJGl z$ib!OC;JVf&`G(P8M5NAhT}PuGnKB_hA?7|H@SL?Z0im$rw8_f)#*#O!>aG1zb`-I 
zSw#{MTzunrL&v)&ZUlO1SG?|F`ovbSJf~zRDv&sJa^Z28o#86Y=LKM_8djDptwPKe z43khVzs6eegu@K=q(kg^Si2*A=0Mo?4Jq#0{)LwaVCPTtlw?h$YwZpsO#wN;vbmM= ze|`FCc@Px5%5i*5!dQ>V0??O)>F^SFk$@gXFYuGz&Yn^!J%7BNFIZ!o2w@mLqXw@&6 z9@^bOn>fdH^cizm>oBlo#@W!WYpSftQ^~({_&RRje+Csk&1CSZFl2{bdqPumE2P=!%*|Y_ zB{&otXQ}EDQR?0(_@ow!I{OLW+)vGVEiL|J(oJa=0{r|&u$1++HP~l7f=2>8;yS+s zsOxzTUGn%hSUIP8j}l0pC8VD|w8-yEcz|UXl)YT{)4R^&`GuJt%WaJ#p2^Pqch1pJV-kFU4|-@(g@g%oxm_Z7elyZvstMsP@1L$VESGCbb(U=hr5zkX zQdY$F-I_f1Wj#T2>K0SmWVOHAQbaLgx{N{iwHL8JNVndlS~Xm(TBHa90TD9vZ9%UZ zAd0rT4b5-M#f4NzO7$`eb~k9jBD`MJB3Uu6?ax;<_G1Si=8)%AXQT=4+l#vynJIy?|?YHv`X<6?ltnOKQ9~+n)}WkFDMkP8a;%(LG(l z@Rc1u5w=z!9F{K3z9wY4_miSkd}Ts?1di!vd8N%S!Tm{%`}69Qde=R#=t(8XDcs_& z6R-BwfU{$Z;(NUJB8$v4`|B2ZrvMUqAeV`L7NJg0Ch1IzdFo=rd8WRdGeW4E^H@m+yl2s%l4-})`Z5{zy)y&8X{ z9Ie_?b6Ob!jp=w78$i#c-FQ=JY-?`dGIttlU1&vie$DUT@WGjY;;_`L;P(ubSsYM+ z`V@jbD+DJ@7uwJ?dc*D8DUo;I>$1SjhjE_-BX@qRr>wBrecc4+2ZE98({Pd?z_EpN zyIF=_`L{!5&*mmHu~IyUGZIr0i26y-wD@G2j*LJ;0{D9ch9xgbEB2VVhBdA(d& zZ-fzh0SPboHlq{BDDAPiD2z{%VY-o-hv*<()Z>4hp}fwfoTwEQnTC?pnz+Ekat8+fNk@7EdpTCG_KJ$Bq;eL>(-z0DX}dOF06`tzX$Y66rpDJfy_ZecSTw zLb?#*3JiyS(`=DlT&ShP?LM;cY_G;cOXJ@gzPx(PZX(PUJV%7#6D0J1PqU-aTej;J z$)BX^7j@(mX7W%=MnJX@yU8!KmRQlK1Iff=++E3{3vKAcMZ2PH$*mGBN!iQWl>c~kI_l;ka^^J2e@`=*hkbvG6AWB7n7j~Z-b+OK>DoRz## z11i)(@=^{z4QT}$^W_^gFH`8&I@H)svG?5D6K%iU_EWoh)_^2jRQ7(=H#=F5zE}>g zmn=v7wlP_QHi!_uwGFA3O zo@cq(hTfx)o!WWAUt|ndH&K=r=CGB3)!ET!a){@0|Kb)UlRWtjvcnR+#qN6jJ-UZiK zqA#TO$c&w}1@q-g<4r+}>VOV%JxWd^aNkIhkHMvPXl}Zc0P-S<*|gy=$G`oGCuFhe z`!m@yz&uFtcHhYJ%+XONM}vuhdxux7iFidoQMoK>P{brMVsz*E-Ef zx2fmKa|RH2J{bN9+|RP?q}q4n-_X5T22q69B70uxOLct1vHDbmY zYc&;={gj`e@>NfaZON)+aMV^D>R~$I#v7cFQKi?=gvM;)bul7Ab+}3~XJFm^&=UIa z1!9T0@Yl!AUqjCfDNAp!2{tEU!~{5ocvcK2X99!6&fOM)Rm?u&B~i43Rdxr;B`Wl;J$4}dn#q~()UX#Xc@?3IP22Gl6*W9pcfX5YAH}%UJIr~o(l$m{`Tn$dAz4C8q)q0s_!ZBju z8O7s;X*1itKor3K`!#Z%j&-CZZvz1Q3)zAs>jbgbm7xrf@pr8U(?oIY&mhOy&9GU% z`0njoSixl-b*&at-Zy1qz)xU&=`JYn*_gZ3i^!wEn4bnWn0Su&_fhSTAt{SMTe?`- 
z{j3W<-?P)*S?j7Ja?M4d?lH)Fd~PSABK1VUuCTZGywq9{Zq%F5s~O1B-k6vSTv*CC z*{#S>2#vLZsU22#@*&O=JTf}0rkD6=%+(n`U!Uc9o$e6ob;8h!TL*0y%b$( zgRcndBROA143OKo2@9M@k@5?P+E8gfAdYLS7Fd7xLbh&r^e=m;USLk9f2GfN znjx9)g&!RFqByp(kO%g#pxeqg_Vn&teNwnq4}_3t(imSek3LJLjBd<4Gri&y5p?v8 zx3dm#-8*RvLI<#mb&@kAS847c--#!w>U}fbQD1MJw~|Z-*SRPWQnoa~oaiA9OgOs( znP)0b5VS3dY)Z3bQDw+)x2fu?%KcG1r1z|g`#j!}p});LG|?cH=8KO?5VX~Px!2Sf65%C=IcuUew3K$ z`+7*>dA@eP8rE2*4YH5;xeVqw%27lR0Fcj?8#lzYt1aL{8@_)$@nmNE^t>I0c!zg9 zSCd$1hLp_VakcdA*tTKn+g&|Mwj6Yk&kNp$Yq#fRP9Lcu&f1ukvKOz@I$!cEw)4H7 zb*S@+<=Y@cz@4DrS)!%7{2pU2a9ZFTL?I@2p#i;7ct)Q6!Ow(Y0USe(Bn{67ySt^D zwEIy;QN?fVcc0TcCv-j5hn)pkEUynKGIK!J*7|94^_B|v=`F6)Q3B7B3;KS1nh#{w z`sN$EKMw6RzqJIm4XvJ*6we&2-LFrz)ztc&t+XV9AB~WcRZ69Q-f=D{xZ^S&b+gAk z{wvsen)xmWko$nA?(K{VCHoYqG~;CH&>-qU>JdLzTTvN)GRHQX3{_(Fs!JoF1K?e@ z-WQPH&4u<&9~kr1e1;Igt8z!8L(*?#su83z+B!MJJOYZa-yNYTRJYQ^hrA$2C7D~vOc!|4c&5~ z!z=~l;*FDKABb{LHf4%;kgUnddzJn=1udJ8Op>wd^TMe)J#Ve6Bs0>!2j*0Gop`v^ zX)TB{uK(66-<{DO@|;H}&44yq-faEYyFb>HvTgr7Ox%cbv{>EXXi-Xs(P

Ysot= zdimO0-X{QF-oS=&r`fF-Ln{T(`^-6;`!M zucQYO{Pb-~G#r}wy$ATHj}AKKH|L*GX%Z%|aT|;-r_;Q97CL+u_azAip`i*#F7>W! zPj`$moMmVEnipN$x!nzE@Z4W}QN9k}>wa3&beJ2Bsf%aU!;{#;ZYvW0E!FOdL`s*V zInGdV^{$Pblv<#~dLnae{Cg#a%Dw@K)TM9PSYo)y1vAoOBVO=5I}O&FoY;vf`F5EO zMAeJ{ak4cayiJ0%EG3D~7Vufn{^a)fuZMh^n3PX1}bw< zi>O_O@OFCQ>$C=ZhyO&)Om3e$@<^L4wM&pljH{^4uzNBv#)u)Y(k_=w23v|$w}0#W zO7l79y_3D!#^5!fT&w=Aq6bIS=H{5zuf%$R>x_+Wiqd0=_xI|{12J;dDl3;Aaqx?K&W_hZ|fE&iT&YP?KhGU{o1F5c%Z)WdVI+dgz z6U;El;j$@YZfK^q--C(kH?%b#_mdAT=m(b6Dqbw0QNJDOn_MzaWXbI>IsHoN^(_Q6J9M%n5H-}EV%hBgZg4vk!WzdUawtVk)oX`C-AVXuek1CW#^aG3686` zF<@%FeGYjUT!9e2)^@(wjwNfVr`AmM@IvPVm7-WK+ee5{Kpj!_GM0_P4xgeDU;NWC-&jU*w-{>ot z0i!dZF^iP;7Gi#}$Yflse!k9X^WacINmJM-gQZM{U}=<*Vg3W^2f=l^oYDKgz#<<} z8S_cW<|F-Udmzrwyp3%K>H!ir2U=x>B4!svdwnKm#8w7Q7`D6`S-cIsY$KyvP&|&X zT|Q{SU&RkJXO#-*O#8S#5u)!F{_J-8HLRKu#K!vc_|?gsDBsCPo2sL)F+jwvF1m8> zAZbURrz758;j>_YKT0+BiMe60fFAT0vfUWAX53_>=1K$+aQ^BmGy5JJpc}5>BaxRT zLGpu~qqAeeLUpy!56dt!)L$^KW6Xpfy`mdaZ&v#4mr|dX0!=og$p{(~i)+S#Ls%P8 zAwAkl2s1;Y*a z4T)`z8gYE^V+o!19Ep2ZRRm=-PyKowE}tFDBoBnVbO@_!V6s7*#Dx*ttK0(_gaNegBlah6TgQ8sFIXOu^cnd0=GMJjY$4 z#(hO;!8Eo#^D{&l>b;XlxdL35RoJ;gL6*a-9S}6S+cc3a+qU$ZAGrSb!~1W9ssDY+38jERF7Q= z@+kfE;kP~NLweXw87Q4c)BB!iEf8fAy zaZy3^q+oER>X+_>IZ%}%WtdjFySAbSnM(+wayHD!qKLJhRR;Bj))tI*5Zq^|KWebt zIRBu~+P-gO)>neRT2E}*CX(@_yWA8A@+E@o{tiU@KRKg<*C-d38D`6NG+=()EHPyW z7=bVcl)P1Gt;=JevmAB~YiqEeoM>UYFw#oY7Jfg)yMcb*qHe;tS52W#5T;|*PG>IB z9Ab{GjmDsSEi>5v0egTn&nd&caJy7HJ-_lV7$X=FaaW#81Pnte1NX|9~%10Ei%f9I5VCswzijT|{MwmE^Vu7sb^e-7RMdJswcp>)1XRRR|u z|MaqGp-gj!sUtgCBpAtsYWa+>UMKQSLl^a&t{xsJ0cd;)MCd|QW^nXpleUI{g>BIrKiT;_H`msFc#q>b{@*PpJf8#a-9$_J&pynEy)@?J6gcnP& zaoGPZjQT(4$3J|+8ZT&IV4z$YQ`ig!4}_y*{!bnHk1N&D7ZiMaIWy;-J<6~?VWow& z&l@pb2pTZ|b@~0rF8GIIWXR{27b+^Mp`L`tnwZ#FsiS7xAUZdaf9uaJ*gsreUSiJ6fpXe zV4NiK{okJ${$sEHw_`A}6{S8hAU0g&k1qFre}Vnwcin1UoMD{M|LUt?lL!r-kKEAm z%t)yJ`YM(oz%1X>E!yo*|LyYr$&Z_#h~60Hg&-@A;$mW-u{>& zV}G#I{r_4cKj1+ONWQ)gz(7YA2@n!8VNTY%jXrhdiBF7Il$S?RRf}slYOiAXH=0TT 
za=C2)Y@qPDUGuUwH`TD~c7;)i%uCT2v8noMqk{()&C^s=)y_i5*}%>H>l1D+l24xfpo0^jbR`v~TdIJythPt3 zuWgs~wbqiGhOH+3nAh3pYXZcF>A%hXRYq5WP_6g7F0>4WBU<5cc>Vh%7@Z_oEoGO%gLu0Y=k$~&lD6ETPz)<% zq$TRF`Ur!y;HJU-4|Uu>H8g*HIH~rxeH6goZp;@_)_aK9B3Vv)R5}tVe^F3in7#td zC(Mbu%fh; z#cU27Br`s)o49Z}*_9t(mju z#S*Kc%IXyAhuGong-1S3ol#M$p(&H?YNj1R3QOF-aMb@xqrLkekpiBMUwoibjNeX* zF_+$qn1dlFQSKUtcfJN%(poH)0x+;Jg}r_a7w6@Dm&FR(*)b-Mz1wQto`ygA)I|(O z=goCd*jf~R1qNKL(*34gHJkO933Vs@3sd{QE_Gn=Hjxd!)ZO&l2y5i;Ijk*||%} z4D+Pi>mOD`ZYj!g^GWUxWVZ9I#*M&VQAL~Z&0gj_f>kg@NkrmT$d8im{=c9gp=c?w zPN2LWZ+htGDYiw#1WR)Kb11iKNF*^Wr)A*bEb}N@p3bO4`1iy_kU{<^C?ABg=;4ya%)(niW~?@G8i{MsJ_vvNWhV~FWT~4ytxhd0 z0v5ffyQnDO)MdHWvSjUvLawBaz0_)OVFLLYdsO}DWTC=ORm?Q?&*=nV({>s$yD@A9ow%r@SA>D!*~Un_<^VuTkPvc4@bSMEN;{ou7@$9VDr_p^GtrubO( zZVqb&{{7lOw_Q!P#hx=G2L8gxN;mF%Lqx;X`>+f*X}Dad_Q1^ik%6FR7iR!?@!#7?5EeF| zne^fum?5^)AEDc9P`B*xa6xRd(GH^P0|@wQjjuP-B{d!*|_m5E#?dv9*>9U^T}M!VOVrGTCb1C_MKoFZrA}dA`0H85av=$C@3gNIk~R1rp&Kv`Fh7v1>k0Xqy4~i zgU)`z5c&3vReEGNIx{os=H{FC?VNfNxEAH3-OS)Oiwy#BK{(}7omZ1L zUyD=A5q_V?P648K;4E(UbkXt|+b$s?i;eccWw}K9^vlx*8ijlMe4oF@OHm=D=weAB zMFIDklC%DA@%TkXG@j}!MNvJqp;vy`Z0s;a>Dipq_w8oWwI3<-a1C9joagIoTp>PC z(q>249W=_K!|O_NW4E1frYXZ}8!|;sB5H_Ooue#gg@~ZpxmR$nl?s?jPKGtzdnG}1 ze@&{!Tw?h-pV^*nr0`LZ4rSdp$%+gV%;E23ID+L!fOZCw-z$83_65LlxP}RkaO;#V z({k6oFADBXATB8$-x+*czeA}n3&sD<=-Q43WW9MG!QG|&I$b}k1PlAOVg6?hxQG}` zb_&7fyysOoF0U@&1(7Du>;4>y%@oB!w3zSB$t6*Bgm`Y0~rg!C{;t-s$)CzqID5TNGa+s}p;g7zum z;nEUH3jH61webnW!FK)i(M0jHL?11o`e1MCh$e-vt*IL5Ix~Z4>q$I6Ov-m-fvZb= z#7@wR@9bOGCPEF*)Z2~z$$s@XoX6D={@xc>;d8*vYy@MbScbN1O(t611E0)-e(Ye%5&A|FodupU@H-S5t!>9m!;$9Hz+4h@k)wlA}1#|+UkbVs5B6&Ypu%g zJhHrs)(F@pc}&+Av7XMO+8@n8K;V-dR8vt2$LDd~e7M9D6%+fCAPQLih^y9fCglho z>_>0`jSueLH(S9LySqc$k{evbR6~+d@d!i}+6Z$U^C^1+ofvYljDGN#} z(JO2PlA_ypyH2oeEY81l?u-y%B^GaIP#23>B54~D`tb`Fbk`g2{RSUwu|~5IqdPoP zu4bJNCj}h(u<#%2 zWrZy)ij2H^5IKsvwuW}`)#E`R(DrG=dP!C1pe_HyWMFgA?aO_s%pY{F#+6gcsl0h!JwV`t2Nq(tJJ;v^_?!LO zBoy!5CoGR#)JSp}CuoAzHa{%hYpV0k6;^>2R?4OprSt5LZYvulhxj#oQW>pbN^BU` 
zN5>MXU;8(xH|<|gZ{}3q8d{aa=bEArMCcadp$y&RKGR|A5rJ|#t5@2b`hjN6&+K%9 z{B1|Vvq};tgax7i7S|h6m4tHdgz?;F?(s#tM%X(|M)$dcGWJwTqSgYbob!fn5~F?FM#F!P@en zkY~Qb+qlQQdehO$?+F5E+C$djet3Hzb*cO@r2VziUd=uI(>cikV;kkaZ$v_Y!B<-;y-duc*#t-yelb#U)`*B!^VclE|_8}#Yhs- z>IbiX^#ShSuxwl_pl0$0q^}3qrX|+)z`~ z3kkbtT`g0Gox7_2_)_*>kIJ(gjS+MpVK%s0SV;Dd=DFr~XN!GDE`s)0O2Z^__I;nv zWVVQxiJ7V4*~tZ8T7;+#O;_RV~SzMqcgVZOyuNk05YqvZ_wXr{nM>Ef=+X^{RTNGkU2%e}A#RT3+9!QocAUtthdb(epyYc0Jy&(=kmJ3W)Tmv-$R>iaTGa zNCK|x>f2qwdGZ{N!}3+>qetU(mD9_Y5S*n2nvygTOtrt9IUBLD2fr}m+F<2jNli&Fj z46GfYECX%~dIlB0&|ubC?QlXP;Yn`zVdt2Rs9jVgRaq}=XxtAhqmO?nI_06JhVKd1 z4+L){iq0qKQaN^4Q!Iz@c z=ZLo=ZVdL9L~=3WP4V@Uq|YCSZ`N2D|OCXkW9C6Eqh!|`)l zpt5yaqne4E0A7@KnVCly%Or*);sn~#yEz=rIucp+`%5|PE855f^+TCQo#%|Z$Ct8kr1sFR6+g2FuZu~wYr+g+LxT8>k;AF94G`?!ITs!q!iNZ6rXU-P za>GV3|CTcdIp5?wY*Fj_ns$8qp_05dm??+KCkDZA@wHCxC-79bRESZ6qtK%T&5&+P z;&6(u((VPXztz~2%i7{Yctmp-#$ueYbH12K; zjDVQhbV|NT=z<>HTXy-Ri*A+Dov!chI4Qax-pJPs$lA$*IeIRz5zQv+6wzzQzY(d) zsbJa<>;dSsZE%xP?!N!n=VyTm%HCb{jU#x5=wB0Xrzr<&=8gv+w%T3D*eJ}zW9C>0 z=yG`Z&NlE+G?p=yBYGE?nH3~J81VScRy7}MbH94-;5 zXes1d^I=)YW}8~9GxXFmgtpA(7P#UsUr!sZs$XJM(v`D)RK)I7OF~5V;XmPLHFcPF zcwn~(&B5Q8p7~TRYty?lSxez~ESTwt>r-CeC2sn_qNH5&1l=`Xi9oyCb%;CjA%9@z zt1u7=W}!=C^KjoLcjC+VF_H{Kv(PWA@6%}}aRoNPK5q<+R>1Bi^s@yAz0Wpq>4ui; zxCxV-7+*ORcFN~^OO4vOt-ZY-()@5}4dEiKErD+Fui0+v@qaf*VE-oq5_k}^BtX>-pOi9mkWN`+aQ`O4KtuapteiOj7Ubw@Iz~O4q!1Qb&X`?fH?=R)?93(V zUs5W^hPV4X9r7xuMDfi|M_pAyp-2LKx#4tmo4+|0&tH8{_#{X&_j0e$9Y>|$5t5-k z^#>09GXmF==uyrE-!h^y%abfV`F4u7^N#1WXJSMib5=KyN&~*cfu3@tZT$X!j zy~-E{llwm1ZM}=fzT>nyLOp@*4GruHIS<(fU~Qg*6geVP)@yJ%W({b2^T{+(|K_W< zLAvv@RJ-^^L0rHoWHC)4yl3c602p#WW=a@`+x2^ZYRB9y04rFZBX=EpofJnrjNPXh z^A?;d=uqp^CKfeg?!qkPh~N8E@r6O}NI57~T=fwK|6;nn-$|;Qf2R*G^3Z=FxmQEDg6R*lZ-OzoZ+p&$I8zV0r1 z4xhWqFm6|P$koMGd&7?!MxgpkxktHB)%9SEMoU*M2n0 zkRPqYB2O#lv09w#6d0hcaSqgrKVKxOHqF}W|9n}vzu_Jah5qsife@-hmK^L*rnAVb z_l?7dzA5!vBRnz@AhPW|P*Tsk;|$Hp%JKhW?<=F?>auME!Cit|@Zb>KU4py2y99R# z?(Po3-Q696yE}!u>#KZUr$>)>``+8X-*|r+#i>(g@3Yq0bImyy#dd{<`bt@%+?oi; 
z3(@Fm6I8zhm9K$A7e5kKSdGPae2F3iuOjuLZ z;yo40>eHYn)d@R#O6_1YUrg~rDP_05+IA75A~Gj5lc;fIQ3;!>Zb)_^$jc#@OKqE{ zg{{YUIc;tLrKo;T{yA#!G5<<>`KT1h$R5#a;o*2Q<>|s9hg(Z`y@zFI(Cv3oV>my; zJsHn6Zn?N?_`GkOiEAr%I)LVR)kT4s_2AAY*LwEHbAq1&TVh<+vloN?}8He?a*o_>4Bxs7!_?FfN7LTCMwRKM{t3_m ztWskEpn4um;?KuTHW|uQ$mG6(_w60vy> z5Y1GKc>sD4Pd3`<{4DrcWHoLBKdhmGS}$+P>7B*t4JrBayq@~W`e8RtCcP9mwD8+E z=xKR{L-+e+w`4*#Hq4VfPOD`m&1nEi5=RZuZ@}n56e*h`fSQm&8*z>g0b_j?`9y?K z^3B@7aTXMC$zo%CVgK@GzhMk>VL8|?sZ}|18o9V6;v-DTay66N7^=bwLpW4Q=EfNF zp{r8nZD=qe<0G!UWp^;%Zt?BoJ`oqsXR$*)+|1~RQER&UZG9QKa(HHnq#2&CVI!1x z#pd&88io@q2}S*WJM5e)gcjE*q?DK1zkFkYJFTECLAJD=k5H$O;75eZV{s=4)W;LT zIXmS1w$m}@^@^^^xX19tsLiX5D$+^;L1bF_5C_dsk0j}MD^*C;eO1+qXsj7D8*u82SaRU2d-j#CE!{9w$QgCpY-$||*2qSZ;L$+OOZ4v8#9Vd;#s~GGd4x_Gq#lI|4Nc9w}Ha<&b zP&mcSUYvoIr5YSfO}F9L`7*v(*jRq*m$a%gc7+hFg6fJpmx%QxUdC^$auTp1l&NsI z`=YcxU3Wf5m(AZ?)Q?-!Kr49HP^pyFB)ytVar9(gtT-H+vygGbF(*_GdUe6sV3*UP zoe?Ehdd6s2(lY)~+r0qkt^8m=2Ir!6`X1`t?XV=MjuvHfk_~);w>>Esk}+$mKj3=x zI{1gD7YotwRHme%A7_cu_BvXDOr?K9{RbdoJC1ab&p(i)U4pr(c{#R#KRD166(AIx zr0s@`N5Q1G;&l2YJR8t!px$p**;zqq_ZobBTbH^?u_jdpXnK?&J*kpiyfKpV64q1!yi9z&FG;0PHnYH%{Bo4I&Lq-8fuzxbWGe zVwva8M`mzN=B)%Yg^q(y&&O|DxN0W45&@b z?|!C{Yk0B^s&5!lfE`i!`aihLF?;dxKd+aac68j%<2dN-W8$d49O~cVeP`xA=&Gc> z@qCqdT=jj~?5#6H^QKCF?$&Ol4&4B1x|+fT2F*7>a7UDCfuQzu>{D!12sg({T%q0j z+bhFW0nSvryYp={7{+!dC+?M^Qq}zQaGoD&d?oDV=a9vCK z;7VJHElUmu=!QZ+Bu>-cpJ}c*O~a|`OK8IRYxsb zzu$t|^}zAguSLdR)83(>6eE6{UP(MYv2=wlCyD)-d(B_3)iD|Gd#&&CU3+m^SMdYN zjYxK>1q}<4&H2*FcNq6^zf+)3?m^U#`<*vP-Q37ODr?w*eDz8Th&|T{%n5fFwU3*k z%Hq;j<&s@jEM#W<-GaJpkKw?&f3ZuDCmmlQQ7E<>PjX(!m zyW#nfrUi!H82R$hz`;|$qu{dRgu`enmuMc`Zo-1fP4Wm){z6AooPgGy=2@us1FY~=iTRrY2(p1DaJ@B`tCsyO@zH zrbQ?2dTa}aapMqB<6bYYu7K=Z;X@a&X>dtzvb9FSxR6;r)c3LkD+z5(qPP;_@H#^a z#Ey}tw$$r^9@pQ8QKdNxA00XjtlvQsH%*1&z9e5R$WQN=B{+ril3(tDVueK)+uQhE zR_#QUJ;6_WTCA)8xA6uaCgj410n(_MhW+?$jLbiNcBZ0qGS}m z$loJe0C;X&RdnC`?cPEUA3#MURkSVNKEcG$MD@t+|7sR?WxBeJcHW{1#v76;PSYi% z6FNpjV^u8q(FP6j4^T$}>fzymsMs_1%HK@d-pui67TT`@_vid0(qfp|qx=)jS^xaY 
z9S+aSreJ-5Anbn3f`U<^K&EmKB0&LrCCVJ?&C5>@xn^>-g=UlOcDFf|!uEo~^UpS< zHhQos6)z&LwgCY_aSL%fdJOH;&?s%^{3<{!b!DZ+)>P?oV zV+rxQ#GCZ$mgO4t16zU>_psy7siK6aHf?VZb!?sBY;8mnI0Jf*B?k9WZK7j#P8+ZH za!q1x(}@sKOYYX2UHmTR?T4F4+J*Y7`_JdKCY}5Nskq#3b?dlcCfF7T;I8mv5j$Qy z8=m)CXt`A;mD=K#ZF`9f54r`!>VE4;q<1Gv$H>+faxfC}Q4pn%$%`}6wNKw8>)(dt zp=MP;33GBvES8p1v|EStK(lh`bJkDxrwo20_v+&fTj%zfy)o@BneNq| z?y1^7cUzWiZyQ+W$LnQU9L_zyp3mw30PQcLK1bK?6F(6(P(Xg**^E6Q9x4ddE?DEe zC@Gve-#@v9MV@*^fAD9=5C1YOt?Zg@wH^*Q5`TV!XKE_jzIVE;{y6lyAE1ucded;O zFjhKNJ*RLQHp`0zTBdyY<@;l7d($khx-+$JgB^)^HQAowNj-BJH#dkX4`_LbLMnIL z(_7H~T<*>Cw~)P+IRxD2O_;ss@8%Wru_tD+%ux`dYx@TjT94G?HMkWQxNhZNB{Z(0 zX;m>tOkG+-`JadiCr!{{Q~>&)x!s05`kKlqQWP_LqJhP}B2)oMmDz$xpHC=G zT>2i#O?+7ODofV+jg5|ctKRzj_n4xZSBN+hG+1Fv3j2Yh+(hL}Ui(1aB-2vcb!UzM zi~S)oP_$i+R{HBElYSWZsZqj-nL)?)y^v^Ic{YjC;W)u8}1d zhFbWFCbJUr#m0L_)Y)3gmd4e3&CCY~oFJBTmkDmwDqF(j)8Xat`wf+AZ@bqd9j_%L zpC(w>9*B%M{k}hcJgw`BU9-J$)NeLkI%3J&9?*NPoj*cO=L(i$ql2&`H)wNOax{0# za=BP?%xGKkY|=e)XjF)n+2yIScdWGlcn}u+`-h zkrNtAWV>n4vQ~sasm{!CjdK*sgwmT0K@;UHQ&C0A+F(}CQN52ZR}wXo%lO9=EA} zvRRXCsjcT8d#?xD`w!!DXKDzQzpf@UwqnZZ@p+Hb1KYkze3>n@aZoVl#DAe7Bl~^6 z0x}IYH9vRdiqg7jk3Ag_!?@mC=Lhxa0i51no%2`Pt&(rIL@E70yFb9?(>tUV%Ce%Q z*2y|v1IDh4+)nEkwzfp^=lfBkK$(B(Rx*vzcD{VSD5X5+lX>wzH5yMUIZ`yinLz9v z&{uL)y=r3wqELfCnOQkk{5r7=IKrr^)+l*YvHP$)6$cr1B~b2F*S$l64drDs0Jq9v zEa{jwJ-TMw8*wm|7o@&X<>l96eG?IXFk7A1(PBJy?zYU`Jve~7%3Ya0YPG!kdavgs z9hsUnc=D;Isw3S1@Ft-SH7g1VWD`P>R+dj9EiizVS9ZpdD;+14*DEpE%!7`lD!q4i z6zmy2+DHIL7UQs3&)!c}cyd;$RMcMLh9xWo!lUKXrLx+b$x|~?f3g8iYjYiRQrw`U z#Tiw3STbk$`#nkc!278pVvGZynU?{2r`q#F=TJB~ZH2h$GkaRccj3j7{o!(%{?JHk zK|Wb>p+_~_EZ9O)~Ml`pe8tB#eWTD8%tEmzG7MN7YN{NICwx z>qyay_#jcP&50T2DMZ+%=OBgD+`~i_ES1Vzgy(+fZhGR2uRm@*RUF5gr0oW@Ni82I znYYHoYZ2W>mG$tNW%~EL%hq5M(2RZeJp7inJHE~TX%MC}gMFn~o#_j4E`2Ki(v-jh zk5tuw!u{Isb-)B?xmqU&O$iMRy$LdyeuBHozD29#)7UAq&YOCvDIt+WYmX(g*FA-c z@^zXqa;i-+Z>nV~kyStc;GZc95+@J3ifq~ruROSajj!r>LzhwYgY3?hn& z%-I8{v0HN_t}>nK5g&D5iS}Z`%M)D-_w|F=Vn%6N%nJpqAMxoSvs!Uop3|30Wn!ER z56hIyfuf8JMB 
zNRT9yoq!@KB%#s^<7WFf{G0%8YXYQb-EU|h^O*PeLpLn|-5>2;@9XZkRTSm7JBE#3 zhhjn@(ej9LH5)F)wY57$GZVMC=(5UJi4z*DFUB|IUg!giaY0$BIB}NPmrUoTFKtU3 zq!Ry-3euq!Uv6#36CB#fb*a9P$q=^W=vIevi;ozMU_1w+M zKSWQ;i^QUZDMx|@4zkrT113uWF4=$3mhwZeC`P*a@Q0nF&KE6F>W z>d^FnRxuD`2%Dj4ooj3 z-7ZN3y?`-sSQWV_yj!Az0#ej!d6e}>v`9?3Wwzj29S+N!TCLYOs+#hbfNgC@xnroY zsoOK}_3l{GtmCZ{AWSbmwveAtd3M$18ycj3mItyz;QdrRQZjDutE5&1fwSRuEah31 z0LUl~S+je_Q|+*%fO9}(aUC)AxZS%-Ra_YL0)m zHr<;!&)Porf1>=gc6VOsvUngNwR@F*d$A*UZa0BdbIr*Drlrc23&z;>}zo>Hiq3|S*3{u1{H_U{cE#Ed~b^sf{ zH|Iq%yw8ebrH-3EJDkOiD=ZHVmxXR>-~KQ|Y{_LGb@10lg;`z1`YcPh)EYyW1+*Qvgbz+jE%3ixp{xh!1$dpwPnwDB*ael%XEBgM_qn6g(=;e+fl;xK* zG{D4a9dh5N3i}T9%NS!JZFe~{l4B9LRMB*(nd<6d>Tn!_fHTF$lyurTHaV7Vr5kcK*M$EM|*faUjv%? zRkpK?<=X>!5h6MS&d24G5G3`#Fky6FJX(9m{(eWuc>io3I=h(}oT%>f)6e?-@~_S>xY*`f~ntt_$G8GoP*0b)F@M6&Z? zTViq_Dvi^b_D!{Q+~N^vdLcM*&YP{1U)HL?CTK-lp~dNZ=qSx1w*YuBe5See?@A%N zpbSw{folr zk(89&yWjQ;LYO*!dt6XX*k^}wMflb*me!~{5*MeW?tVPo9F`dWr^5hJ2^OwxPg<*u zN>4r$1%+Z4X^3A4;)P=W#fluUp!^xO`jHQLe(Ja~9);9AAtqSKygujWOMOfaEV{<& zky36VizS@Sa#xSR=UNFg$o z4buXtI#iW4`po0J9phUGMhM~lG}Vkf99o6TLu(x)2Kbee%CB=Q2y#Q~TI2SLOOlD^ zq3W5e=cHOGCZxlzu(Z( z8x331Sk(J9%pe$2PSLm zy$f`X)Jy~f*F8(Aaf>qLrLg14t={o8Ma=eS@qHlp7paOOy9J{~IXyz)T~@f^<$x%_ zqTdJg@aT>hg@+<=JuchSxBL}>_hFp#J*RoJ;8=?1?ZIFukA2MC{M~CG3pbBG){?u$ zxw7slE{?qPLO%g*6U1uF>*pi{)hdg^LbX zXA-OX{$b(m$wcRarc9P)ZpHZJ@SO^f1lK|oEwEl?&-*BJn%Tbxehu&guUM`@)A256 zy*;UYFD%SJeOYsvi!N1ECUo^WTkKeKtrdS(NbZYa-8hMv*qBMua!VPZ%drizSSXV- zqlr?vJ6$WiO5d<>);6Nn}ObtUVr#5*=8f4!i*G@_T=WA^lv?F>ED zUhzLE04Y}v%r4qQ&b0%LqPl{EeFMM%IN^CsQI2!(QMrG#B?8*A4)(q{U((*jOi&D* zlqDl1Sg)SmJi)G!KgNB2Gc?1PF3^ySqu6v|u>y-=qltxI2he|6I1fcPe{#tZQ-1sIGZ%TpVWimaRq3n z@3)&lUM?Xho620sY#`Q<{h3(ikmBu9yNo{jld~+sU0GdvCEDAzJ&y}oW1b8+6(K1< z=NR+iwl}fUK4FyQ@1FNx8R;mnOQW(g2UcPkmmGHZ?Q;$5}q1 z3Sz$mUFWX$s!@Bk2M-zgL`$>^`b2k6PT``enEK;Fn;S4aR%hES<^1p&F%2d4pXqWvaWbo_Y( z5lZ;((N-%@Ngc0-sD;nCS(cqYGm(m-z*K)bwV^*1%6KCZcwG2i?T3d&sc2bCW=#Q` z0zJSpoP`4v@9P7v<@4xeN@Qqg-w}aw={amUa^}kUAc6NRx3iAN8@N^6;MMRT!C=$M 
z!11Hi3aQ@Q(fMsv1;N;p7{>Iws?HV-$3-Z=Zlx?srl{rm3wX<5@p>}J-*JKustK9C zwS4qQO@J?e*peQt|55k?k+hqlG5e)h6bJm8K6VG(RW*iONHhBz`28jl0Yqw$#5LL# zRhIZ*lJ)1XGA5bW4D0m+9k1d9e;ORVbxm_GZ1f&eZu&j~AU_)qAMbdb(<&a0j6g`i zv^DSg+@Hd;a5<`csb8$Adb@b|C4p`lc|LcF!Pr{+N0D`&m}0X!^Dlh00YM9Hryc=t zcPDVxR;cDNT3;6uk3};c3gR(%<-23| zDo0>ex$+9dW5O~+zlzjg6ui%_7RiW;ev9gkYDR!R z-r?z=!cy_$E?ZRn72Ir2DgHe!rgc-g3PWbNdd;oT@0mAbCyN)xfS==p@Di%1swYM&jI%ZDlhm8 zZueWF1iDAFfVrd3FdA&Olb>zX&|6f4DX71E;O##jb6KZHaPQY2If*hUz2Z_)E|iW8 z%EouUVYoS3g5~Gu*R|V=li4o@k&9H+yR3Gxs9ARHCIPyV9eOLN^U%=1-%qd7X?)?D zFUBO;VcmuA)-3rNw)A6^wpFp6lIngozEC!!xzBhk6Py=FEr6@dV04x?lA3PgrkQJ4 zD3nsbN23|H$vNt{B!f1tnO}b!fDj zB8-L_boi{Xe-?O9Y;APE-(um^2uw}4_SX<+&tiz@2qpk}m{w}O=RIXOdr;k+x(0gX zE9PfCiP~Sc*TCxJtNklzpQcCBhy>=X4mT6deT*;?s_QY^y-KAd?-7hbLl2O#9H7yrynRFv%0+S4@vkkLF``y_UrwG|IR<=ZH^+;CF(F79z^&D=qe;&OPqhyS34T1bY7hwlG+$;9cZHT(}z5 zhI%^>dk_c|byl_jG#&;%ac!ML&O6gF&on0C8`f6`~XJuVK$Vd|HAI|AqtT;YyfnZEIo(=olR z5Eum=IdP!U%HK{=>o*edlOv@+DciEd$v1N9}skfeifM{8;Z4@Q&jBoqd!RH52 zZH~G?olSuMwM|06#NGtB%T+pd( z0H}__;_4?fHk6Fud^My$Yd_}+C%1vcS2dRVwY}q#9<4^F(E^8?IJH(r;$=1fSWC0> zWN|*PpRtQk8>V;+h~39EQOZT%v$j{48UOU?f|fb+?{r~Pgs||c`;jezB(lz zfSAL2231vyy#WUr>Y}*DHLuX*4Q~1&njEdGE%P9rY(zn$p2>saEa=5(F`}OfX>G4-Z63(D#M2rseypA9_Ainv#X{uhD3;zH z+dbbbMxQ#(*wB$8hiF+#sHOTSr8mODn|F{Hop`7T;W1m3g>~>XuD)PLFN9wEbY%Do zj=`m2?AQ)$1UK(XJ@}IsSpsSvA>a7WU1``6-z=`B?etnR{H4knIBHXu4qsGu?YmJg zzT>-mp*uD$ytRkIam#MhC=4+3?@g zS03xbySoFqriZ+pQ8mB(f(h<&m-D;#IecQDFC)I3aDvNmi*#Hbm`!EhiuEL6u6=()mY3=rc0AwOZqcOF*csBf&(flG*F(D(-JW7fHR0z_GGbe9_G@U1w7~fZnw+ zGN%ZFNo={;p4{PZ7W@!P^m0LGrOIM~_Pf{p%h>6(&&tT~S4Rs7E=&zA1O6%tz<2_> z_jbr2h34i?a70+1@7`H3X%1Z$*P7G$l3%&T8<>4bh?%x3b8%jR=XC^YS7l!yd_p5G zqV@aTGdAvGqYTw{bvnSJ9fT_l(rSPC_HJMLAF)Np|^1@old9;cJVZvg>&^!_K@N-2)C_ce13*Un;q zajkPZ)}pcR*yHIcJ{#w zg%@j{13$kp1XV@%8UY;ZGlLeaN`U+&o?0PB6*h#yp{ zZxP)hv|<3v*!6cscZ3PtDRJ@dX=bG??!@U{!2aNV{tQQQhsg!;mSHiwQAd-QIZeY> z5JW!fE)H14UcwD5D%dr5R7IpJvZ;7JTNfl9>VMk;Nb1Tp}!h(H?~hNXAJP#*c0YEnKfV 
zQo5WRx$w|$fH>8Kg37md>9dncVz(Bk`#LVsx`cSwMB;NqXipbDNJ&6qS3z#}r||m& zZU3oI{yxdk`8pos?L5cC#F+ey1I9w+UtMOX4Mp#F(v2}qj@**IUgE3E2^mqKSIeNy zURfBZKl}z^hy6yyTN24E+3}c$Q*jGOh$eMhZH(-=QCh=y%YTam(}opBmAi7$13q&} ztpfo!nnGIff7ML>+j{}tSWy<(cwN;Vl$!>x+N^kG9osr?M{WghAjN#r@>!5x@AJ@l zjhL&F)oMm4lnyMYX(o+qa)sX#cw}?!7e$PqpF5LUPO0`1-cxRv(E411%IFD3bmd*q zAFgI$x(YnaNX!$`mE}qs)WqEXyF2(xg#0(`+SM$vnU2u_L&3wY;UF0vI_6a%LmH;u zX2ViWSD258vo5%w_$c1SA!Kh|EjyQE$Mj0ka8y`gN64(G?WS#!yi z@33K0^c+F~_|%^f%l(2Fl^$o%ye{hKqecF7asK|wzi^*_=ojmuG80|u@aVQ_)IcWYm{kOqh1sN#fZ znKzVOMN?}`Fx0qc5KZ>FML;q7Nrdz$r8u7E+V}De|3w1@^55BM5TC(e+YH z#~(J>zq|?mZd?BU+Xwrf9<6j&S>brBP#COwCMkD<^?$O5fV*Xu3kxHFT{0E`` zpBwDoZ>26XV%vFF%hz`MK{G!>_&;#y|FU$mI-uLtO5PI@H-EZt|89Z*WrKBv_&{k$ z)06x;(EPWr!QXc&>kSQ*bpHSA|9AW2|AFU|d~CB|UTM4-4YbgR@J`+xdfDMZ@<<=4?G*|NgTrhvc6G;okJ*Cx<3ro1!Op#5X@i; zi#8V1Ubsz7l~)y52eP}Krko_6Nc=}%!%Xx$yDq1zn=C7gK2n5gpjLt6ph` z4^Q0d13s$La^p5KSzqtZ1YFY-+XtBw9L(cc~V-CuJ;PgSZ#20Ih=bdcRa9DSvn3 zK`1mL9+`l2{|@s3b&z-$BjfHWsr)A#dw>3y+yy<94wh3+@qRcl$zXrq5s}+87;BCH zEDSnI0qrqbcs|xwdjso98&=SP&%6#qQKgbF%r5?5H15S{gvk7hNgBazZA6%oWP_uY z{`~H8>z6M?OfY%T{$wq<2TI8rKGY~J94t|OA zFp*&r5f6p9nw=Cj;3OlTs|L;#8^uQxrG8N%jJpbMx85k*igHZCDx<9~e0OQ@;^=Fx z&+=kyYQ!BhGCdHepg!b??{_W@z?VS%zqidSDUezj4(z^#2S%VA*WlFH{9O{V34*!Z zo<#(Nq3d<`1VBXv7uB~*r?E)YyTAYZRzGj71poN-sQ32c(L4)iPE%P@Wcjxq#n(RF z=U263V%FwG197};f3C8K9Q5*F02N~S>P`TOqFS^>4g~y3NPnD_9i{*aO0`4n3dmDd zqE7g=z)Lmn49r97REae!^{vJ!iLL&JQ3x>8JyZ~2$!Q=|g+_PSbYy4qANkyWOQ zgFwLJf4btld5lICose=^)80arMe~SDqs|oc8bS{A2Xx*woY8E1|8PApD}66W+TXv} z`Tn8f@yP;c4e;hqA`*cg;r04d@*T(=>1UMT_3YtbG#U3_8vFr--wdX51GGnfkN;^p zYq3CH%Le)J@uQq^eQtL4hvH(2WX5~clGa%Z?qOiryqP8ZIk1B`5Dx!GBpzq3>$P!k zWTc3h8rIeIbxdYvWM#(_%=P}5!iE)g3c~419?(zPJYh8JWCO9B+iIy$h5$IGuWMq0 zpfYaAv4w{13l#8I$+jL&=QDP^I_({<=hxBwUFzJ%1IvKhn?A)t4f8Xq=^_*y5q(i* zp3tFD%B2lR!W(@C@euVo?yd#N)I^W~2jX9}ZsRS9W7d2h0!Zto;PH~o1ae@%0dkY@ zg6v`RsHg{!TR<$tPVoeAKG})&z@IA>y5APULAx>Bdm-BMVg5cWxDQM|%`_^Ugbzrpo5Nu{*+uyNt3Vl 
zJFD3bAgD3-)2%$gXrj8Rir&!Ba8^A{iCK|d!6zNdmeIBP@}mJzC&^$o{c-ULfL=KU zf3QKI)#4zx(&Bg;NTb1GFl-{xmN@s-{q86~7W^>)zeidAnZ)B^OB5=*ThAF50YT&= zcAvE6q8QM+lC6do?9CU9Y~3F5ER~+0d-KHO;jIn@D6DR3Vk03X)dNj9^x6s-7bc|y5jrAy>uim^N-Zn#V+U*ka%)p>B#l= z_O?kcNiAmQa#|M1|`oN9We$FiTAoE#hgi=o^71AOjk!0o8Ga9B_uJT&aU*$ciL=qZuR z=uS(0Lrofav1=d`!2pMpQ&~;u&!>z!s+qFP>(Hu zPLk@2U0pvdy<&1bU8X%11KFn_m{6oyuU$2?*hyLW;9a^*A=zV)p*6TGp>OZkV%z^7{I^f5oO<$-p;e#p5Ce5=ifRK3CZ}YbA3zDRGa&KbWcw z674Vq9z`xD2haN)eL5%SG`$pf<{%#y@`WPU5~h*kODBan0TEE%5JS(~CXS z;!E#bH#ThT_>v#G-Z3?IJy&C*jbbnizZj(=kl-VOS(B8oWXLC%f`^V$N=;%}-DE^| z8HO&tI*pJfOj8OYc%W(=XOb9j6zh$SR^6@ZOubY~Rof)#YV|l+FFckdJbS0gD$!d2 zK2)fp6|8;~{Ms8|5DJl|zf-Mk`Ly0!~0?qub_-}4y$+8 zi*^QczVHMra5f!}WRV3^z5dn(`_1_v#+f>S-~*W$TK+oTZ%gHhbEV6g47k$MX+{0@ z3omzRZc1yhmT138@1z%-y@-do^ErNy3@@n`(atYT3%z?lV%U9-y`!8#Y7l_Qh}6osA!>nU5oUoCG%svVO8)klFBqEG%8eHEvT* zpwGY%e#94)jXSGC-zBmbMTsv@S2ufns^Rx9fBH^lK8ZM{5ynLM$p}C}IJ)I0%zo3U zK&)daP3s#K<4=Rq9A71zsX}dCFH@zfAsztfpTO0yJg8Q6X$uXvo1-K^2-V7RBS;az zrRMCjOZ5?L6K|@ts0j>u%Xh@0l)7U@4K1OQ@S;wdBW># zU!U)HYA1LH>3Ee^h3sE1cLu3!zR>n2CMWy2pS7#xM-|{Hy(&;i+W?ED!Tcoc(8O}} zlB)1D7OS3@$Lsb`Dd{o0a;J}<-vJCvw zf~{Vowf3k|BG#vaWR+2od!2eccpOswgUKy&%h2BOiDZV4r2U@)*M~Wrj>PbNlJcaE zSw4X>q*nxeT$F6%)q27DZf~D1&Ji1t#?&3%?WctKe81tXLjwtq?GL2DOltC0FV>nM zqRXld^3GRW7agbD6--oLcaYM69WjEuNk+BK5!PuOb_d4fi6~Q=&kfkY;j%?{yweJe zCYEm+Fc>UUbXK25)sv@-%C0yoDt-z??1b=qx{=$+(qORxN_JU|2JcSQk)w>_$fOvK z_T@~!ue(x$SqxOez0{x5wcYM(;BUy`Cy)yM&K9-^s2A-Q=t8%cc?5cx(3&82r?yPj zpCv_|4<5%uy2e>Qm(6|P297_(f+Gn1|bv)5(Ibq^QjD4%n-lklf` zWy<1)hWR2U5C>Au4o4UOwaXOr8Q0m4t%dcf7XqdD>L%r1Xn}+ zkg&~uQzW0&Sgo*UVn3EF)CA5)>B3w`y&zVt%xCnVo(W`eF{Mlgjc&VX=kgypi_e-o^Zs}A zB24)*-wEMXI_K$7G8OH5mVcc?yY)}p2+Ti$w;oKlz6@f~PIt|%kn5mi`+vumeuT8HKXv!1wFDRHpc#E0UaTNQO4>-8-H zdn@-Za0Vdn6n4pt_5iPP3nO5yKVXT<*%R~@oM3n&Y&N2d>FlX-YHtx{0WUZUUWI1d zE0o1+Y{6Se{*tN%=C|}i|ESY*6reN_pfu*Cx^q~IzVyk<0ng0XhBN-jT&eWVvvbnq zxTxXVKXn3cm;bw6&*3?%JL$jk>w$K9fmg;E-8gHzmR_|R#4|7V$9FT(v)CPD-64bt 
z>EC)tFLz91Y1$s4sy3galx%ypt}iyLEof@xDo==ri0IXFUdva8g@w`dr$OJ_|CIqW z{iJNWYt}`C8Do8GxJ>@)3e)lV^2A{gjANd_`$Z1^S53BZis$WK5{X-c06B`kfPetK zPgYJJo2zn*j(px~z}(n!VIuj2?e= zKxqLQQ*O(b0|g)qK0+nW=UM&~3Yk|(+?BcZWf`6DIIPorH)%&4)7X0ax8jtH$9ZZl zm;D%ZmY!-!K!*+gzZ^DfS5BRa&I!-9)0gaTCM>O-n@K&D3uUsTGxg96FxsM6NG=d@ zc;FDZE|3Od$d7^Xm1^xaS;M;9Ac}jxrrlr=fzsiO^SsT^dEINp2&a--Y*?DhC=IG3e93c zQ-}3$gwVxm*9ZH-V7sU(-U|%D2QKhHCRGfFGcL-&xPANCH@_NfH(vPz&6LRKhZAGw zLs8pvXeg_th5Uer95g?I;V^O#ZyNh0TB<(~!P_vH+kJ-^@5^s$z8N?FL=P}gtA(fw zlh{5^&fU4pw?aEBm`OR(S)+zIaP?hqij zHwWk4?Ne*-wf>ztRb5@s(A{H>`3!sHx_NA<1Tr5T>hIa^H@I)+r-8zn zXkyOHwm!)3%uoyk2pL&q+bY|@vG-iE(^FVw#}xdJQ8QMb4`_^3R3Fu->1q4BUj{2G zD@SO)-$aQHQS8A-QW3yL!e-RpT&>g20#Xpb`cbB4%8vmbKiIb=?^=KfmmLr2HS64% zfvSk|`SJq*<|XzIn3sikrb=o%G|c#|s7__M>5>aj1D=`i`aO=(#!1X3nWSoqVXnmU z_^SI02_;+a2OB9+9wm7;KehD92XQzoVbynvO7Dc>kivp?M7Kyz_RhUs#QOcelhRCy zVZOt{Uss7iFS$UG`p6j5Am!5ObZkbUBZ>}7cPiMD!rM5SvGx;%_dLsq0S@kU4W$~O zF}syC1HgTFGGlXw37*+Z?Dgbkq<=d$XY%U595@Hlr&S_n`93upv+B*%Xwt=dJa8Gf zvd)gY1s}|T&Y&3_w(l?ZRtAfa)rJ1(lH`2oQbD{88t_S^mL~x!(rOH#V0z7ufvvv$@YhX!fLaVc|pNnstH{SWzSgi|ETrGSX-@%7k zy6t?rC(r@JC&KybJ0Qwpad*K~z*zw!Oll=#OJ8?=FaI)|V#{$sLS4zSpF?c~@`%yj z6BwdB7b`Nn@)+lF!qaBu+$Ua)*-r@9PSm|7){csdXzkEgifKDV zImBA;?t3XEMqgca>2&$t@W@UX_1ZMzmM-0tf`J^(s88&3C^1ih4a`-ze*(X3*dl)& zdF48Vo*3+q%B|Mmg-`#>;_eJ$DkYgdlEvpTK%u+=?Fe4wvZ{G8D6A0R(LkmKpuX?P zea`Iq%<}f6q){^%XfmvkhK9rP38vQkG3yncv7Ij|W)sDx3PxPsORPcIEQZjz6=v3@w5&ds*db%g$ZV=_q{Hy zkz@6ow#=Ceee8^@syA7(ca}Xg#O1v}ZnP`mjWW8T!uSf|rXn16HQ2BMp9VTF;j;X> z=YMWHDcQR&R6GOs{B@X}#x)Hw>}6$V&R?&(1*~rOXUW2EQLXlHz?aHW6Cu4FxbtT&UpwB?LJjFe&^8?~on z-%;F{(FcHeum$;3(w&IMpOPznaX6NFoVOX1T3B%`_Q#FlL{)Qe&Q&>FSs0>Qn02Y_6rGl{-J=x0cpc5Z}XMM6*O=r)yPr$O3wq zN`$_wMbydEMe&qxF8apX$S`CdQG;eEx)nn8r#50o#o5fAx%9Bj3-q?mZ9{vg>9=d% zUETfqco)*%VfOItV50HD;AygPNUPok+STzz^tb6a{>ZAxVu|b7+w%iX@qSFKNz&8( z&bX~KYCD}o_$$))`95y6c(o|s0-ae;^B_P*XM9k)DdwytF5CbcWlF?&vNg^`-Ceid 
zv7!{3by?c&Q9cyb+5yJ2EJZXi%V2iL9laTp#oxTI$J>2u3(DT)U{uZ2(P~wX<=dX=Cn2lZu#Io?7oAsSNlIXEp$0`f$%aZv&)h{sr@=R>&ojU0 zV#^A_-ZS9eQWd zFV=pP4g5C4dABPPOOR%Rf@Aq6;*({gW9e~I#2|-q;s}=s()w+}=?~Pf@bvMywE~Tf z-&Tq0E)~JZUc$B-EwXp<`~;{E1s*sk?(G9g{8tv|sNs}4_l715eXttrhYRqHyE&%S zL$ctL2hGqJXnQ@!Q7?v4#gu31G1st z-{adK^y`FJ=m^rNlF2mc#!xPw!87>GRXAI1Jm@x7`g$MP!(FALXgN+A!pHKY)V?=kS$VJrzo0Xuve1)2+o?gM`x_1I z@Y2LrOV-{wEYQZY3)$tH3{kwm(}J-)y;xiGb*86kNZIyi8gIhvwzRY(x)d&bwK~1d zWOeS?HB!`4>L3Y5@R|=iduJWDl$&@8r)&>Yt)B@0IV5%CuzHYq(h@7bkKjVAUf_4TR_%nf7A`?+*p;m(t z#IfpqZE?3N>RI=?olO34&9{qw`Iibo;vtWZCjC8mrc3JWF!S6%0O-vPjo(BS6MJ2H zI$gAAJd@w^I#YJ$VTDqz<$XhWX4plW@B^v8Zf#!!;6_xTSUTyiLv-YiX-1nr?WA<% zPvR!%4_9fc)I9>B^xqwn7-ZC#k9lR?>CY!Ypd(o8L9^j-_JhqhOO5s?E~DRUeVCjQ zk4GW-PLw=er{7gNHDUfJ@r3&c9YdmTNpjWrJ>wqhH_4SyBrjNwbU>xY1D$D391M9s zj$Pw?-TY}9H_1!+)>#xNoWMg!x0e;gH|=`q?#a*&-@W*8CH_lSj&u3T^lO_axTO*V z823^M%p_>On?v!l+e!zy6~=f@qJ=UFg}#m`Ik`^JvwVevCX_%-#;fW(YjuhlW#a+c}dUzoVh&en{7RF|9*&mR#2W{1Z^cxQB3pf>xe$n*uj;2Vb^rC{@jftqUEw0n3l*lwJ6_q@b2ET1^$!f zJ&CqULgHYjuM$qZ>PzfkCto*Vd+RXk?85O)u8YVI|CIE60gHp+_tED|)2D6`_W7CG zaekQqJEFXB?R9rn$IUmDHnbNi0$}arXYV2u*5jy1a z16lNhe-M(?!rYA6SZef3@ATw+ap*A5gN<%^2ek{?tD- zEMDxR%$kX{8)-%%dDZGtz2?NDPD4lIh{Rfy;M?^Fd9%PeGD+}^9BO{Th6bUKOU>K9 zoZ4r%vFMzipR4|($>kRw^yOOy$g$&|5ya@@ue@;k;V8{lWwFFE;ke^yJeumUb}}A% z)^azq%c>(-wL5@A^KB^iIJH7RkMSA{%Qkp$|y+K!zAG2o^Wu)di zwjM6a=iM`E8tJwb1EK-&O~V&O&NGqiUo6KuYFom1?iJbV5dkzNI&Mp8)aOa_mko0= z_xt{GPpQ%ASXS0>FVcM9E#{=g`SB+`qwD%9IGGFOP zf7|98Wmbhr!w5Pvfks>D(w?VSi3wCUh zfAp|aw{(#k*qV1`@r2<}dn`C@QzXTnYjEeCe|+yU$q5!2(@8r2h={~RZipMaa1m`$ zG+!>=Ghj$4zV5HA7ll*WVU?ti z=v$@^5$HjSfAXB-Kd-qbpXb+bs8Pq=8up2ml_1KbxS9<_;9US!BDARa*NZB`JuK?8 z&_&~YrK{Dj(8%oK%1(Jm?}p36hnvR~*1gQh+)_w_{z(+?SCwcY{uz(;0Wt9EZcsWv zuvu@shSdA=U~}i2t_22^?j#uJ1B_+fiv2x+GQ=(zy+{(6T}fc<9rN+amuPe@cPM#K z^}M=f(K#!uZIf>mrCMo1d7YZoTpc&NEkw*fP%THwUGKIrpQW;>PcH4E0@7eFvz~BZ z!7`Y`DI;6mG4&gv*-r?dr_QpLsoBgBx}>(JbPpX2D@Gb$GR0{imyEa<2rzF7>c_TMPjvst 
zSX1L>C=JP}l39Qc|yA^rfYyJW@L6%Zk#?Up-qwe;YK&vzGRn6y>@xp;p_gzZ*2{c3vqGr;=`XmW#^4559|RiA}1=5EV3K1 zw(gw2U8^lFy>{J%wYLJ?p5-2!)ux{F;}@6<9wgm$C6JRn_*Yd(8mBvUG~XrJxxbu` zSq%-%r^&-r=Ia(U>*c0znXWezB>YFzN}O0>_rYZc>a_ zUJ*i$(lzJ}eF3#7o}FPYjxErwPR}H1dn6#z#;!viTP zDGy=iy!-aep}1R*X6qgYeF5uc$&wkg-+C2FP?jJwbXZPa%3w!Fry|qvL~V}5zXaxf z0o8>DsEwp1H!LvL!pxqCXUIVzYU{$PMAlWTo|<@C?)y_rLhd?p4?JluM2sZ9*xJ%s z`{VJjm~d!l#g>w(?j*&N{So}r+$HcY%e=Bi6GdktSnO|Kv_p*CL@`Y^Buc5%J$Lh0q|`{nxsTQg~& z;~>9f81jn_CH_oTj=5Jb=Sy-J=XVo%I+-~`nlT=+-?sK8VtHo*JWd&JPJ$RfuZ@qq zY;E<8N@MGx#C1`(SoXtNdwN)gW@G6J@yXD4 zNZO2!T)hl>Jf))*2A!E=%TqSHG1)Ce34Kn^?bpY=btXd^9$c-aBb`d;V9U$W7Cx_= z5dBMLpHHoKjk9+xg@GHopE8H7V>!L=bnbf9Q(OypuDTvkC!nS>LtWRO#%0~Vs(aP8 z@r+)!ta;zlgSQm@$Rr{Z-RG}~73mERrWFL0?mt}nqVnCmz;Y^L(%^M2S~qP}870Gh z_X+1+oZE5rG`j)UKw&GY1uCq0K$qX+J=kxjzPNI_$pLk4-;9-og(|bR`E@4gvgODK z!*pY7EgxoCW;cSb;K?{Oq~5YrW2M%-GSg>sQu4xjW}OkI)V&^sxWOP!yWUbRyi>Dm zUi@#7KwSj4=cK`UiaGDET|?zg)J$Unjgia~SvzOdYq}kmo+v4c-TiAOd81O;kjz+d zABg~M#;vpz`ax+feNPyz;k6hvck8DCScuopoWSx?U7u0jL3eou)<^fem^q^AwHqoD zS(@6TvFgqsmDHNhvA!YWPnFS7xkb+1)A_zk=~TQLJ~x-p8+Ez3=33}gMZv_jhLT$= zK6OSAz35W6^k=l{{uYOhI17x4TL!(EVa;;{EYO%M^fit3T-wj>-?Id8<49nZxQE{L zJ;2Eme_y<^F{nc+Q5o1)U-bB}Oh`*zrY6`={geq8&v%YZiIQMDX@>HB0pRz?ritJQ zc1YA6+=p?Gv_zDBs{$>tnGtiLNGY}$!q5+PY1u%; zzlutwlp9N{b4QH{-H|B$`PL`1{WsMYxC51xB&YU3_b{oCBbzw1IPj6P&n@Xzsvgai z5u(KJ{*UmZ8b#IdI5<8jsjvr8-?taJ&hbVPQ~Psk`XJrQW%8>X#PUIB14(|}FsmCFGN($U+DnnJz7 zsFc1}6lqV#t+Q4qnzx+Tmu!Z#3>BHiO8I*LIw7czyJveWLk54Y{94nu_bal8Pv_IT zyXi_sFP@c?!_i{9q`k^?U$ejfJ0T~;uWONlDWSg%|Ml|sK*wedyeY0S#?=5SW?s8{t(Yi-rr!e zD6K*vm^%f@V#sK07O$0qNZ#HlDRd<2*#mfs4b2br!S9BRs}#b=oQx6tVWNMM%t7)iEiRU zl0-S@h4L0v(on===5!e8r|Kk+Blf_4N@i;*lJQFLly&<)cDknh^)SnPD5-V880P98 z$E^73Sl06P8KU)~LV{F?$l0-DdhW0lv^1w^%jeu~sG&3A{f~25yv3IVHK^`ywv<-9 z1y=6h;C*s8D=CZZBIqW_BlN`Ppr6AE_m^Du>ZRYsdEg1QiF`dW&ML-#yxA!-?^$7XHFCa`e;*>Nx(VEV-XUQ| zobAwqe&%7bdDd)g=iMDGzaC(GJb>{r0>;-&8q@QKI`gb+tKavBIurLsx88Kk=Q?9` z_I&&~3)mn1s6Q(Z_7WUb|B;#1>T>K%r@r?ACC+U}&$W4L1bmlTTB&r4jpEv5cch&# 
z2Q}IH1#^v)bke+Ir-lk7yZ>WX(}fR{$oy%C%r9q#(1f-wM$pq{ki`AyL>2 z1Fl9|ZFmvXrr!gb@J0h$f7o}uUQM^djiY3DQ}*_tn}wPiN6K zMe5jq`;`^0y{pt=&;tg$W$nMEU7QR}+lrsT1#aSJEm9 zHfp|)SM&bO0vKq__3%E*{Ivcki7!y<{4;=v(z=9EkGf1RU_c8|XT~wr}CR|1!E4Z&c&DE;v`~*5E($+D63%9r|rr z?d{>w$ZSixAI)k|=K)X|VNTQnfUnkH-!knXeCs7knh7?nq)Q197f}cejj4kMC(zIn zDF{AaV1N%zI&orT7o!4i?jNJqEH8Fj)!O$Tid87ZMvq9(Tlx5W_}VY8oV8nQxXaBe zDbRv8e^)QV)884PNpW?hLdf_yQz<6g4>kbSeIfh7Q=aRpcl4e9l7>S}i(D#4E+;p^ zdY7<^pY+}Bb{f`d%jEeM33R5|Wt=DFf57hYkpI*z{9C1uuGw= z(7h$QJeW5)Vf5#x>3Fb00JJeQw?g3;qmF#{w%Fy;_l$L?9kL1E+>pYc6|!gR20r1j zt`(8Aq^_`i zrPJO`xfY#W+L(q2`q zPgtLUWoep%18bT6;qlHh*_Ljte?t3;jLeVtGzXu5xErPiQ?|TJ&@p)<|)#(ecw$GkoAazTOl; z+!eog+c-9}pKQdlPu2iiN?OIxCimO0wErn>i zm{l|9EAd)JV9^aA%Zwwd-wocI90{cM-Ba6jvBvKYt~ywoL+-Z|O(&C-EjkOSW7<<# z)|!-04sP@3b!ZCaaarKLDlaGZ$8(&Uu>fL(qO`4f@cpY7uv*YqYWwa0@@!)I zl=}KNf}yE;78o>&PFC;ThZWAEo;qKh95zqr}q zA=Oxebvd3tgb~_33w*rk#Gt)JZfqeEVfySQLKd8cNz2#twTGeBvpfjdGYPuAR@wBC zs_(lnW1QR3?2K&ibKV0PezAP+m=*pUiAwS3ekUxx8%;P}=1d^bDQ7c@_sr#drht#I zFf~dTGV4q*)ljB;6X&eBW2ow!ZeQasGNh=iTbh|VCHVHQQ<_j0D@=;h*01iDGkH=f zYS|GdIICGoXP&y&?DredyFobms--WvY<^$9d>u1`l`RvP+~W@$+jzsD@)MuJuu@F+ z_99L}%{zs*RE6?hMo~fVlI?PTF&s!T`Pi2*E|^tF6e696DCjGwpr_7V$$(`1>~poI ze^6LZFqO-9J)({h4d$V^zv1^3eUmi&bNoI=I_(BUQ+wI80zR5l1Bhavr_M zxxbONC~#*pap$8W|Gdp;Dtq0hZZF$eOX|#4djbb~XjgS>f94ub%v8GnZZ2dc~d zQPdKzd?=|dLydO>z+sT|NIz9Cixks&VO4)LU2jC$BKx-BmYrt7;yA4}ko6TDpql0~ zneBXNf@X@95K})RB5};hG7%j`VXktO804|U`t9ABa9hrMz6<1pGf`Kv@n(=wl3B5! 
zJm{>a*p^oR8UYPSC)Lz8y%3a41CV>M zM^Z;D)#I7?uo>$2kgI@%T^v>yg#1z5yuOmt(t*+q>cI=Kw6p}yINP0TlOsW`P&bxF zt=&HMea&zt3ibGoMv3((tyc}S$7Ji#>AdUNTU4?6&pdjP>N*>UL>Gv+vyn=V!w!|t zr`LBJx){{s>?&FuDBfCgJ4&Ee(lxiJ|Vu^J1u1N+# zb$yQph58kWHBeF!RySQKza(e{&=+%dr`LZq5hfRCnJvUUA z$fa|At7zJ%K`b`*bsrhtaH#`|N#fjSe+1|$6cD}cJd;S^AJo=0!ztyvRMT4hF8p$D za*!yu`p}jHHBlV%{JgPKo~kT~UQYr&adLK8^I=Lhs+BVC%BW)1+I$_?6CwZ=`X%z= z!&=g$YvejpZouA9VP@Ws)6bXu;1x~;tQ#cH<_-=pjTElvD9wFEK{Wt#;V)SA-XYu{ zn%8SywStYSOA;_}-!n}WTzljWbpfw6`Vv1v&l#PcAFty=fozuz>yYG-%{AX=ez{Nf zEE=tzGZuFiSHUf=i4CK@0HzW+(Ng=#K|+31q`a|9<=(b-*Yy9#`CXR}P*l$t9BkQb z9i;kvf$B_09mm5FuHhN0rYjQcwCGuy7tdhmR}y$)y){rD(N9PA%=Ilgph8@|d28z* zG?!i+JGs$st)CD}F@(U6qb8TEN^W0LqR7n`+k-hE?J8rK4HsF3u?DJ6Vf#LX9;cPI zl0-j=4OqU(0>wo&G>Pk417^mRxRowpJOe*pswTJSgvw7vgL`-6)9ZXjd@>|b2m}~P zMm{Ixhidlk!BZI@E$u|2+Z!l3E(T?dk zqO(b?WMFEY6I!-OyehQVDN7bN_a!On-ln#?syJye>5(ht1qZh9PDIpYs%Xp*-zz!=Jl4e{ISY!m-FigdwI z&t7pl_wquZH2qg|dDJ+8tkU6LzPov75onOb{+iJl8k|)0L?&2rY~ouAK5R;$w#CVB zb3hJSx%xV$AJjxg{N0Vrtjs5k|Fy!d=vAL6q87AazId}0#7R?9F;ZPJ#Fa-Z>Oho# z>I%vnhdH{>zhg9xrkCpaJMcdI7D_;9^ zK4tzQ%jtr;J728qeSs9#LF@arHr@T{R@8dywJ7a+n{u&yL7(T9;*P+fR&zE<_Futy z89c5z3>hto9un^#FXvGpKn`?sn3#Mdf7wiYv9$)2siB0z{}Z4h*slJ(BS`7c)Fp+9 zLp+X}*s4N+bIu6o67PJcHP-J+*NZJd8-PDCN* zD^hdN8B0DR3KsVqr(a_>-i;xNDwW@Z2n@()7{k3{5Q3F)kK(-zkxHH{^)Tqaj^%(< zJHd|!G_91H?-X~GLiGrEUCQ<~dj8_GBrpZ8^KXsvBzZ1cZ8;+EEjJ_i@=Ui}`c7@j zrPY%*=DWQ%SlO|%nydkV_aF%XpT%+!YO4BEBsID4K+8_PV$iE`?At%%ZJ)a_nAkps znB#5q)NgOummRINAEX~|;^9jc!Y_~+BGL*%Zns$p+!nvx`qmY%XQgKTv1T{A+Wj`2hlG)CFbf*!wv5M*Q>p*%PAu14G zM$y+qK&sF_U=5Z9>h+PY61!ScWGL-|$*v?8^`W}@opJg6*SEqXCR}wA?z(E0ngm2s z?>(tcH0bcAu0Q|i2;(dwSVF?k5#eQd^)-fm=MA3bAv2~1eZ&`I!H$@Qfis;JxD*dJ z5pP+qh>@JsZzL@UXu(;m1vb;+@{}Zl19L_A2d;D%rowfqbU_a<9afYEb2 zAZnAOM3tEf&uIMsHdQ?C>T$%^Yhe+;BYz~OiN%9M`1knM;@!5CGLSurbut_*^cG-m zmZNROIdW4X1{)84W7a$V?Y8*m>G8imdj)jeMPBXPD=8_Nn+m;a7(+D6VWqG+yRpqU zHg-60VVMOMk-5xtFPcx4^hWb1o&8^@zF`C%cB>UE56vF)wD4DzQ5#B=9=xJHDYvm4 
zG)nr`UJsc?Dx^OwHl=^36fXKM6Glm9U_)s^`DOp#YuO7R^!KkH1{9wgg6KUbbPOmQ zQ;nzB-DGaUoJ=7=-qp+%*W1uqD)R%QrX2wJq!|;Ru4WJmM&VVoW@^%v{%}~n3;s_n`1^G~q@*r5 zMjI?gFURWS1x>89M;l^kG$8fL2%>)rqY zq(}gQ#ebD|wHZLLSm6@LW@j7jJ5^k1wAGu?nNP*M_hbDU zS4eYEOlv4Lu)}q&I?ADbY-r;Q4X^ZxMg*kPv75LkNU)&k9OAS@^p!zye|um4>4^SU z&*`49IBivGx~d-~qY1KicP$W&{6;=~PXDz3llTQ%U7w1K7(L#I7IP*Nt6(88 zga4;K`0I5RU_xl5egDPbH~J?(8M-QcYs4^Hxy^T9YEEwqq^EhBw`yzY%=DU?s?Glj zRseCffBE=a{Z6x!S?S11Rdq&daSI9HuaqfXTt;K^*{;y_y_>S?V zDnD1~@6+>N3)Fuf>3=(qk`ROzpj){C)&EJ8cY%$~9#zc$Fj)WFb)1^QzH9Kh-Th?q zZ@Ufn2OgL=Iy{Kv|65D{ZoXH_i$Hn<0UliZ|8KjP>7e+WeDa|NduQk)v+RGn_J7?! zeh~5((dCf5(2oD)GRJWJ&c}?cPmcA>-@fK~{ci@tpRYgFgFRh;|9SykfgUXh3U#FBr;jW%HDxDL>s6PC3pFw_ zre&2iiX~dD2xLXdkItxibAjGJxF~9ZB@F$qZdE+8#V_cGsc0sHr%7|7q)&eE z6t^{#LaMuFuUy{f@{s)d>C-Fd&)mt4Ue6pQkE-aFrnAUiDl&miB2%o@_ECCtb{ewX zpe{%w8U%~oOd z{q<$;k1lX-rKew>J?_7s8`7#l;J-S;$?qvL6%#rv_5IfOV_|g~g9FZz5s3K}~eW=e{qM@*w4CHs^$~@ zMpU&EAv~Uzc#E|o$Frt+u*b#+X9RzaFTk6r+E#2;Qzy!?B_bI9Uo+;|A0mpZ>na!r z7_W5sN}Vk&Rvtl$R39C!NTlsfiKtZs&E-R3w|J*O zmtrH+^DeA9Bp;Y8`ko87ai-Tq0(KSE@sz%VzMn-Vr_~rXIblR=1aLO;B!m*mN>HBm zz1#RIxWL$Q2Tm4(o5;8M{X5eWw1lPX6(Bg*&LkUkTCDO1M!Ycj-OF;c$dDfV*t1_J z9ss2_!UvP-)Lp<^Hoo(Tl?7zWU4A^~vZ1}>(BS%uZ%yBHXWzZU8u#xQVLBS@^XKR3JQ($-yc#h0f>xXldJ1oz<)KJ zBaXyB*ZFwGyW6m2m!Ir$S!9>NqpGbg0S5=?{NRS@&2jBy*E(a&YXW$Jbah`D-M(iA z_#XQU)nx3}bMZi_Q&C=BJb*)?=I75)FVhtMgF~6;h?EV!Ix4nZYOqq(y*wwTn(LxHR4z=%k@8~O8%#J1Xv8V64l!b4txYu9*Fjp{+n=2jQp{R`g z?CxM~m?j7%Y2g;HBhK-V(!ZooYOXSke88Xe-IPqodg|0ty_+5>Yz7HXKKN7B^p=-o z<>ZEn?R={OQ@EvbOoW%cwBOkm{|eKJ^w)%n$sbvTv9orPYnB_h+^ zj3oj3a&%u));Ye!E@tgHNmnF|)3!qXT)UJu)A;xA-@pQ!B(tdU8)8m~|5`&(q764g(T#y(oOD80!4M4*QBi6E zflNrfwd6*V{PhT@o9M9Emgsr8hx1gg7>ezXI zj>R+nMuMMWQ5PCD*O z;I=v$+qzICi1W&I8ZuawtO3D?nGQW2NOJN=*GK}b^0O>EQ^^9Krzdh~L}BM|WIfOeOcAN-Q;qJBajV%|Cfp^U~h` z0sr@od1t}Rk5lHif9(g0z`!bCMYy-Pr+7YRHA7nlZ;t(pW?!yc8u`F&V)!bUQI@`H;XYO~P*Bi$~9Ai1OYiwMEc2tC8%y+!5v-XV;C;?0GZ0>_W0kr~uA&j00?JtLKgr5%?{x%b#SIX1Md;07`zgyIMiI=+aC6TvSO 
z58kjrK|$0FuFDR=9$XJ^JqOjy{QO`pt}gawv2pXqDWA>)8LS>3&KWOGMK_i?X4@rE z_W`7dj=-O?Fa{#n^KI|3)iejIVDSkLXsGW*wBTZH9hY*9_2RUGT#gK5>kKo#$bv4ty|BBNaot?exgywqK98tA5BI?;RV)Q<}ifv^-DPCeFKz>B`(+FZW zh%K|!-t;4Z>?~X9bJSB1MJ)`rtIQLL8%>|-DvUq@qaB#z6=mznTlH9&YhO#A8FCu> zooay$0ioLmZk(J%$j0~2Aghe}cJu5SldW?vg4sofIgW!`d|1>hem30y+8_vBzR~2~ z?~!3_|G`+0FqP~%STyj`{=Fu>VX22s8<*7xpD_~lPmQclI)YW+ZTQI#3}&~(zI~3(6r;CncNu+uS=>e$|7UhD zdX<@cgQ_>f_`IPl`97M^lNgCj*!kuZP5bUr!^1Z!R0w6UFo^$Q<9f|9z zysY|vj{~c8ZfRvls&<`Cb`Oi)YFo5N3JLh|+)C^Asg$G4F!wc^+v$Xg3&?QCd@Nlm z(FjHKrNVPU%+;FCOf1~#__uTbvxL+}9Mv-oHs^gQ$2Jcd z=JbZX^bWfLP9xv}3ch`i`Ya@jo%(i0y62r^h>(=bn;vEjam8y1zxW@dv%T#-#VP?W z?o1w~Qah`KLbVC^;U|3U-sbOgj^+{$9<8h6dDgUXG5Nn9mEEzkVJp#jQ!jU_!AX7% zM$Nt7A#U`vt*$aPjiv`Vo)J5FN#;OO&BF)ntl4Ak&3sFGePc-&Q*5#k#6~M~zIW=$ zn^M;Nh;0k9SYtGya`dGgf?UwBypsGzZ!CzX(hys3$Is&0k|EpuO||WcjKz$Yq>)D{ zDTX9F;PLy(ZRp#6cOr!^HFrltxQl_ELqR4Bw;B49+ebNxFMkkBN9-I~37LX!Rbv~n zh8ujv2jWsZ+H0!rOl)Q%WwS3Y+P=tm#P(N4X*cGdkZw5a5W6*WDdrTk4|V!TvIL36 zg20>!1o|=s#%UJ<@+qfXs@59={_c3GSJ~fXT9ok4>j{=bzINUizRtp*t**HvOr8am zgcd$RXOh?}*i%w3NCh+Re_|5IC;k*wbu@X2cU|sSYKI&O>IL!bHAM0wxR(7oONars z)hX_WFlXgIVjaE=c7)0jLBdLN4!E})U{LYY_{XMZhK*TIaTQD(BD}pa?KYhFqKcS< zhw&QIh~!g1_& zt=ZE0X1T19cV^n5;WH>=V(*L1bTd%;ARJ2EqJ2@!xRyiNFh!Qib@Y zB`)2Zp{lgH92NB`i(qF~?lnL26$X-1bEG}Sf8NxT>|?BUAb@2|=8xX&-h*z9+!Ti1 z+s6Ubx-mpPNxH3yetL8$-33JWC9Z zCcg67$nfyOU?Pu?<=EJmTnIX(!+_KX1H1jIY-vRzKNs8D!u`Nhym`UIJY8l60{-BA zi^rwaDpovR-8iPH1S5$U{}{cS855LCgS*TTha?VyFUKTbNk5v}l@TIFer z!eg~>P?OguG>zjdV7GC`Jr7LkzaObqC5c7XWQ*OE>>Ls zB<>!mu2vhvWAR*PxUOdZfu9u1sslo(UsKtw_v6>n0TI?6$*3k3_i;PvvVq!ng_%{b zf42HNj4q@CHI^@bGt^dN#mvixd*z^H@BLtKzjR@ zChnx&oBaEx`NTzsu8uV9UJ96olvfTWC~8fbm4375O-|C-x>@jHvsVvOe{+-KY# z&R_}Z%5w2E&1IvNk2b?!6yNhxO6JQ9G3Y025m=9|>gKk5Rm=iJWRv+D`v3sS2uDQs z6S*-}O;YBSL7IV{bki1iR$&-QZGvJi%d8OrK4@eUj8ooO?ak>zDXdAx&oXx?7T7x0 zloGe}r0N)VYv;Rt(HxEn{X*;JU`{;f zfXXxxNoRnTs9-?=wH9UPL{lx_);sI_CL__jo`~FNWx)-87Ptgw#g-gM{Q$}da@O;) zI6F*7?-YBg_Dn92N-UorVJqeK%Wy|w-FK>#K5aI?GKdA-&%-Yq`? 
z|7lK7&`e4yjmiknn6jJDr=3f>_4?_wvog3Y6QrqyhuWSklfyHpl`4UH!wJ_{^~M8n zWSJ?NZq0_w=o`iFZ5*|u&Gu5huu^cPS4fX08_hN+b4`Ik?)70GsT1QY{w+d^7A|J3 z38hj&Ko#g7&G+b4d%1KK1O4FMjq9O$n_ZMj%Eqlyx_iueWu0JKtTdVlvLnhw;F$%&L;9l%tM@qzl6bZ*O`v9W6N3B^>ah&&ds$m|4W#vw4n~@5U?v zWOxoFS-wmFwA6i?zXGg-7sG~()p?sHEay5;e>5Z^SM`UFPW+yyUVnTPzU$-}KgTtW zMD}NtWDs_e3^a?T2BS3s@6S=+d^b>k%n2u_e7g7 z)VC47^Hg+a0g*uI9R(X3I=JdWEmI28g=el;*~F|wd?rlZ&^<~uqUpjcFNr@XZYB5C z#sf7;nmQgP4>#{UP4a5y(*_p6Ki@kIJ-hTHKEgDo7<|y~C)NM>F~mw)SzAOBg%}i` zpS*rU;wom6hrTM7481mmLby;d_njX4>?^NiA(^Z6sl)pD!*Qm%ONe%ZwBg8`-w*-O2JjUXaD9 zr^80dClVZ+Uy;3J5nX8kOSO3w%B4wodt5tM1z`O-vNTb>IgJ$9s` z1Gm74I2UIr9Zxk>+9btD|3k^0R6X8=aQeQ!o=^n&_(6z29cNPbO3-@RXbK`xM=aa@ z@<=3Pb(aktoMuog#@U}LE{sN2)(_B5gbxw0W?YRDJa8&=USSjV{R4JFs)Fvhpk~xi zMA1?NA`pv@_ok=C$t5o+JqvTt_Y5IA%SNvcjEvwlA9VFt;)&!@>03E(Ybdu821nIi zXeBr32v*c6KnBlr;~#0C_7X}^vZXIc?cDT3wH*&PmmTZAq#5LRYyl*?|W}?6Byei(ubSsH)q4N zj4F~Satj5vIw)kjPtas_UkJXvg;a}o@<=$XF6kdsigC141K9UTiqtOj|6%VggW`O) z27xD#1PktjKyZfyf?GmxcbLI~I|OGK7(#Fl?hxGFJqf|x-Q8UV-6wy!dw2KV_r6tI z`)#ZEFcj2i&(qzf&-tC0W95E0yCePi-gJ~reO!zgOX4Ea3I;G^2gFo+vAFlR zKeR#__H4UbR%$n&zIla)vN&u_DuIrPziL3G=DujwFg@JJEq2G<=o67RKJrmggmd78 zQf`dEO?aerH%*mbw$BVTux!MKddhGS4kr&UJA#rEoMQ%SX;5?V28}89&VNLlVM9Io zuc#)|ZMR!*Gi^r~^sMjk?F#;hOR+qD9_7D0tEReWTil5R)S%=8(tB`t$l!B)&^&g6R+uU|dV9@-gF|hVK zV#|%M>zf+gij0|tY{d6#m8Ky9$UT->G>g%;x_JV%70$)fO#VVe|750E^m&RR2R9yr zstYdkH?TYe+Qo%YiQfe8*dudc*G8(h7GEe>YK>-xRPx+CGInRz#++3Do_@9ys+H~& z*%el+bb^YZqtX(dT4NY$BaMkBWB-UBN8P1|^$Sa;6dI%RDO3B; z;NmJVh6^rL872&N@?PARc9+^bZ!hbLI-XQc$*ggLm#pvW$idOB-s5@d1!boJ+ugd| zG^Nctck=e&ldGb1qn_&4eizD`r<_E!+D_QR4$SKZMXq1d&$TkMhef5xLx%=qL@-_w zaUAf|2=uyWGCPgW8r_Y!%fv5;ts!=JOZS2of_0F)DtGuNodE8s;a_|g$1xEAJt}BW29F^SWl3enSwloU* zXc{HAx{y!45~5|3DuT^0HJpn5$J|q5tPsU(0Ab?g#61Q$qyr_23cw*eP*qQ2V(6Bl z*01^nBpHfzhVd=3@z_|B`OA{RZeEVvj%-jb;~Ou$M(NeShg#iIS%g(~l6i)-iJc_X z+#YE*ZI-mc9yLGQKaa%H%{3g^ECP||Ax+{~*pKBYxw%lLnitXFt+5DjhwUD_0}hL7 zz|YiXH-_@#gGPx_3G$gt&aIbr1`qd$Hp|b_+^)?V!pPNog#vR^Oj_(is*gXSAhbxo 
zddn<}&O%4myNX34yVS}fn@87ZIc7G~VqKU^DQJt;8t`h8xg0nm8IJBA+%k^*y6e>! zTIcs57_nR5w@j~_yyCHL!DdH4p{H@T6D{ZfV7;ctC3{ z!>mrd6Dl2TCsonKQLU^zl zn6CRu*|;cozkESR#mw8y_Osp5V`LcoXM-4<|}pgz#l-s-)(r zWzL4HNud(O?(Pfb@O&a>vq;37Z z1>Ib+g~k8Cg2kMvvMkRDI65_d8CT@43kmCTGlF}Y7x&pE{AIALcg~V+u#D^w7C)%U zMC#?vo>fU7d7m9ka2FUI43H;p;Ps?4v(ry#X|)pS9B<2 z?{~ETEQQ^bHNUAeO<4+VXu~0?kY+>avFxfd7TFTAryu)=!!ps;x@|t`(`QV;Z4#l= zwfb`nf*EoA-L_<0pyUMvmfN?ju`A-MF15keyKt5b#vg7^!ar#;jKzO&=4%<@G99LJ ziyA7SI(L-AskTeDW+|N%D?VEkrXF1uwqTEzo<&BJ8;cBj7ObNiyr*aPA+j;K4T~2! z+CF*I(^c%8DY@4b#;k#xe)4N1HzqGTW_n_9xH+4e?L5iUNl9j6o%}<8rOZZZAq%dp zki-wwjhWu7=9L@T1-sv@%jvJ3Ant7R;r=Qs46PZ-Y#I5i?TlD;vmT+G4dKy0(UIRr zyn3&&x-qc`nKkn^65TH9P0fe;y&aWg1Z>5_NSB@B*_t#3Z6DwQo00KN^}@h6E9JU5 z@dHLsc6Rpg@0uy&Fv)X`Oxj(lNnLN8cHe0!$N;B@EaJK}EgVoH0&EKaeW( zptUw3u-G%3l7tM$4Ae;aN1L?3MRiDPhenQ3YvDYf?RKH(>UhX-`Xyi39DpABMZyptywc_mka{+0@gjZZuy%X|X; z*WW`R=`8~DUQnB~)5%)hO($Ua9sdDcsNm<_^c25@&vOafL+sTSwJ=ajPN;yef?daZ zoWr!E8g7*hw$k16;<$_Pr%AV*gh(@$6@7SoOFm#R=60qQu@`e(e}PKiZa#G zYMRfu%UV$wf2KO!*s~wq^Ckx1<8aAs5dBNf<@*9_DlJv?aeD|{B<+;md^po+?j}l0 zPpzLGtx)0FMKZ^m&LzK>=O#GL%BORq9J~>Cof3((yYX^RF~5XhF956~7QiK2fGLBcu#6SW34e0@Y_q zVyw$l!6O$8>7)62CX|cB$2hply<0!13VA%(eBT~O=bZ4iCeKWM$~N1S-aLGDX(+c) zav9sZ5LaTt*YaTy*vm3rNXY(TorX#^)vZC<9DMK}t|Fs86?2RHopb0O{W*XPvIpVZ zTn*=4n}_O3FgWP$&o)k4*5`iVtrS+Lc+%cx`r1EzRKT~Pd??GeAW3*oaP9PeiZH3y zCGx4R+2+mwE*|O5Sc!4l@!&$X;htY4r`BTxBYJ~fSnyMMBP9WdRSDi6we@`1_P9{} zS{9;K?S2vO7TsJ6WD=R}?3PAd9M!!PMuvHA$TpasZ523YPd2WGEsteNU{F-tJ6YRJP=b~R?USwHRSH#pv_a}1Y=E%YCOM)h{no4eGl@l~nS90Xs!mVd( zX^wlG-X<6hC(+QV`;1sj6s=@`$R{Tt6Sr->!+>@=t4_YLX9nQz?ZN;D{OlkC4)*X`o%DA48FD@N=QY%&TfxyGG@ z>?!x2VcIJ4|5U%wFP7Of)(vX0d5yGf-YGiggnK@|Mnfw9sT0+sxd4R;I^eT#CE)vZ zd%!l(t??~XXxeHU+LY?o?w%S@woXW6}3EIfc6&l;5Vv~Y3T(qYuUW&lcU*m z`|Atg`MT9RfkhtZ#r9+0oq5es3fd#07tXxax1SHZQ~hX8R1hsPf(o z%oj=mA=DB6_^5dRAm5A(`~98jdHaM#uJF)A&gCy>OSEl+%}|wJ2)-l)r#sPc~bBUNd0Lfe&okkMBB;Hr0WugOw!gX`v zu+tMzub^_atdC2*cy}*eq7?GnUNUJX 
zGCqh}*YYk(KguKhtI8*Nf*LREQew^wy9GqrrzN^c@p66gn>$}|p=`_vgO@8p2Th+_hy~i3aM-zCt7%?+fK0+nw%C=NXK=k_)}UCEBW9e5N(bX&kTD0&rS=2Cer+0_PE zH7jMIq#byFr}qkp{1ZQ;ANU$*2Sq0>3ki5yOvsz8AIF+9ZZcV_r$A|A&gIyps52(L z!rQO_y?hC-SYr}Qp08M6%!4;nU90Jk3Au}wUK0tI>D{U-*(w{kd4>-xh%Cam8%@1~wXU8Crmpz~$6-A{*)I=sZ#t zl2_&XrSJE54c||J(ns^TIwVV{N@8MSyuoE{LeCR&&B{Ss)c82$py?DS1A zP7Rj>ob!-$lefO_Y%@Xx4E+UL&GdPl-&e!mc~2m3-b2fWOBeowO)=2+qL}xAvphG_ z#E%&>Rc8j#rC1q1mR&<(VPPC^=9UrF)`cp&vdq|wUlWCuvPP48z{Tw&+5gJXoY4Q~ zXgHC7sN4Tx(Tv}U)~AIPIIaN@4WqSsp>I9Ey0T^=EJ)>65RD$P!6Hw}I2+$j`mP*^ z*U@nMvcud%%_cAL9o{(+L!|Y4J2nH8{N>@|cR%+tHNpI;_E{UnRdI$5ihI6uA+o`hmgNKt3e5FN=4m=;MSxW>P zFSo2M5_u*&>vC4b`LTFrpX5};JGFg&5v|BNnIi-GI8zCADMmLW*IS*fu`X;`^e8#_ zPzVF9mme0E>=bX7YSqdsSO!i_X|inB{FZ7`Yxmipl8^*%#f`6cvlYfnatXH~x)L}# zd@gq2&Of%ez%I8A=XHb0$N5W?_$auKe^$57DKrF1Dc{Ww1N2wy0dHv5%bQJb(Ztih}0-HJ8lzu@lf>w-4;l#Hy0 z5`OZ}=QMQ9!lPydboE(o^4U?8=ofUt98^JaFg3jDIok!6>5E!rL`W)wAxJ8lyfl@4 zeExVePw&$bH;{Z4x$|R-P!z?GFrr!@c_qK0TF0#z=U0|)2WIJ4{hLYr41!H~Czr4q zp;3V4etB3wsiYInS*oTTuSz(+LIh}ZmHAY2ys_+NQ_=kOOq;` z3N^rD<;{a?0_9YXyS0Ir9Sf6S+M2t{;;D+0+vC_5D$a_-D=5)t9plugaRw_+@Q1w= zq>p%NlYWB-IhXRNVu{KhB(TJ=-j~1PvO;Fme8;@y9~96EyPn1tQ~Hh|Nr?Xx?+1c9 zR#wpGGn^6r?e2s7&AEPAE-jHSC@4o{DSasb{mxO@JJ94XKm((A^!G)1lika$6MOg9>7|C|o)rF^E7eNN&G%P*{PO zR9v~prBv6ZP{D137+<$f=P~44@ibfOeFjaTwjS3KJBfYD{`(W93)t0SFk1slt8p*E zJetCFB)nOB`gBk**VGd}9_MzgihJ%9rr^|+hlFr0_A0PhpO9HQuYu4G(!J77ji6yY zU0~Zfp5(Ud`><_(M(dPf6=Hm6W2z)V7Hkf4?hv~06p}o!chGA z=j!ymr7a;9c3VsDV@w}54;l|E7DY+^3fw0n6Q$UHwG+ppm!1}z_=$635YCc>7%u0o z?7f-vP7f0oUM8*9F`eB6cu)X|L(>%d@XNBW&V9CKu%M~I;MP6*GIk4;VX(abZer0# zMyr%poX|^~Af`e=F+uqR8|@^W4ZKa7qU9Qxzf>u{uoXC>0tH#8n!yBZ=oYt}3+|fG z9g?pBgel`Bhy#;%|FkYI=<6eA3M~PW-y}{b9_egBWY27&|7rO9;^g+h^U$1{2gefh z*;wThm(oJk(1m+E!E1*|EEpZfVF!Mcmlm9_h8qQum_&F?sMnZpZ={^{RIXWk+d(E} zs=3EFVaF(S2ZB*|%%U?VtK%q4ER8zv(wWZ0dAjXd9XmF;p?=rRaWppQq93_$LRGi_ zj$MLJ&jBnE`}q?KWS}IJw{xm-fPhj`1Q+ZsG5{jr`Sg1O0{mbh95$WTurixFB)j*J 
zNruJ7#+FnV!J@f=^eKd%O!yU-&l35FA*Xc?j!?R7hw;f;$clPF@@dao)3>WYlHg^PnPQJ-tN!4n8AZ$ zssfu6Me!p2JMGD<&MLDRNk7WX)Ue%P4Tk2RI9|XnwzX`UeJ5;hy>nVGg>;0L?Aza8 z)S68PEo^)Wn8YYYQ5_kW)bljd8#e}%Q7R-DoEAmF2U1~fI6!X3PjmB;v5Us$EI`A# z-l7_h^^w=E+<=n2-9l~NSG>r(TIn?&s{(Pv(2*H6I^P!`3XhBGq^+vFB;4_O_ksG= zN)>H%@Q|=!hwSy$YIqE{sjO8Ii9N@Ch!Bv&8%p#hL)`zUcTjk^q}4iYJ0Rc_xY4Hg zx@CwYqW%tc4>z56xEznu8+PU`rjtvS%shBmyy>z-YBl+Oq;9I*D zqk&F)jEWxx`9;8@n*mMU38naZse$oCfV8F@;`bZFdC@EiU^r_p`o5^x{Kjwyeq%UD z&jAeQEBMVlE&kjG5qBb2GS+^~AGz)%l(sEi%q#VdMd~e()rS+AegMO9y(h)4c4ZME zvb{lqkE9m4Cz*EUBsht8e>};M#ITNQxO&WF%jw)cgs7rb!Rh=_!d_NdMMY*>^IMDnDg@;Ab(e0%tzye%jHEdRb6e1`)Mt#}hqZ;DOhaZi+RQCi8_ zdHNNUs3(H0At>_{MQfMyEVa;bO*Oop?_8v_Bm?)MD04(_aZ-?-<%ir=r7hHqI#sLV zOVQ3-U-rLKw-ET@vY>}6hV<2v>BgS#( z8o`bBgYvN00*<(;Ifz4dXQvh?mDMI&{9%byYHe=l%;m&beotn`IlNeHzBaeKto!n_ zvGIm<(I^MI8IV}tU|pKSzjH!5>BvlviGZH+eI4=HP#=gR-!wecBCnaPA;2i%cCXUr zw~x~-$!*vXmaQg`n?~-bCxbj{tM2h3TY#=sKqB(cp??C{oXEs7PjE36w>xO`+;1K~ z46Uw`uWm};-u+m#P7J)ozFDrJLrcF8?K}(Qk7W=W5 ze+AG(Rd<^KdTU$8(R_vhIE5nDVJe#{1KWWZlXlt( zaHIL=L}m?HWy)0K_wR8hb`io!wUlOraFz=gaarGQUS@vF<#7!9v@N!iC_HtyTw?i3hhn)7T$4We)>_^Rh znS$`Os6Co))e%-U|$2fT>&QnZ=qUU-p1JN0?k&XxTw4My&7MA zj2+){1nVVsLtKoN_47C+h(T4+QjeF=h^*}x{w$GHfNZ8hDYO} za9P^KeO)ZD^b%q}MjK0AH^hx_Ki?UDo7&t>x?h4#wY@q`zP$hfrvYh1Id2R*7`^0n z{?c-$Hvuij`;Q8FpcyHk<^0%e*qW8-GF@|t{v_btP*ov#JHX7EO~t#{tOgeE2Yq8) zzX8|VaaP6~uaVPLOl^aWBD8exX)*+wc-)u6qOI!Daz1+6qMn_+3eF7_X%gHrGsx+O znw|FX(ZpV?;+;IVm0NB;P{drV9uPf}*5&dNl%KEw;aeUv8{$%YFHXq{d9(ToKj$`6 zl+L{KWb>zVa+Pzxuw3@@Rz=i9SW?f3XwgcQcXZ1~JhA!8cmZz`6vyJAmI2KRYR(1+ zc^ai3J-?lt{WK+!YoVY9I}(U*N50jKq9a`5KC7r&rJHtf%3_+la=hnf&IC~!sK3bl zp6P`5lA3w!X}U&7P$oRnM6_ zYv}8bc%M*^w?co9*K$6KPL)155^)kDo=aR<-6-IJ=8I z-CZczdkm@A&Ag>Z8t<>i{xJ|!|Dv+cQgo-0skGX;2jiZa} zkSsTq-dL9HO+6-&aSwKvlG*F}dfu_a5g6Vg15l4;T`HQr=y_AD3_*!L*n z=)5aE-{_oMb*6fKbEpHrwYv8xOV=(E+2VU#@-g{3xQq;#hJ}`t$QN4^{np31X{lYy z2z1Jhvd@Jz55$I<&(oko{qfdKw_H|Ny7O2)MI;Y^7_XBuWJplD4^QxoL_{esFtkyd?NagAQfhX$wJ 
z0U7R@x^2vv8mFY1UUQbzA9pwBxm?z>%9mtC-!IgidSy{h)22%<4*R~S*#F9b>Lt8+qs?&eh2aQm30*Lh1J5C#>O*S*!bNVcN2p(8 zXS`KXz=XMvd)T;u#kxa2?|!McUwYQp=QB-8JZH!eu>+sb?DIrr{bFre>7|80%?BLt`S-+5oz>YOQuTU*#Q(YT9w zBuvzD#m-Qo>Hyh@k6wEXTC;V&@><-_Yro;g`pWp5REOR^U5%6^u}I9p@EBcH>BnBA6>>hs z?ASGZ>%qPVpfQV%8+)|id?}-^sDhf`$-ol0>}v1^RAEiJ=R@>=UDEz72J;;xw^W2F z7N43bFL!%OPfxGOa_+>{t|il<9GCOEHD_?cag$bx-|$3;zzGT_HR9zw?N}Q7R1{N` z7%S(ZI{Y0tz?4vnxfHkJgvVXK{1-Z_B!3WWNy)rQ7iGJUy9(34OL1tY@G6|dp8+2-rkX`YGgMGpJaORoPx z8Clw+Dl0ig`afNLfKm9a4ZwX0ms4Ma{5PPLci+PR zYJi_e@=xgUzaHIhwSSN6|NoSKzf1p5-(@m%7qe<^c3X12pn!l^dcwl&M9-@yKXHO9 zz{RSXito0!w^g-OHA6}0|ERwD$C&!pHb1*(llJlrHW9L{PoqVxF^Vbb}1~ z`|3=A{ByZb6IwOzEgu>_1@qYU_C-`KQ! z?9I-|0B!vgTNw8+@@dF4pIywb9|^_8 zR@e0Fg2gZPDj-h8`JZP2i&75QOLc7>%26D1tAMNq!9;Ho|F@M-o&o|H8JS~eii>ho zPUx-!(bkJUW}KzB*joex^?@!_uj4s z-9}nCeu^Pt%=1O+l=s3kt?>hBC)sTYCX}|goakp1XoNi(gfQC&jsElsj>ndl{PcNkoNN7?1KPI9qc&rG}2y$9IpMcE&(X zqs>t6>w`v4r+Jzgz()ZFkl8ojYr#2$tCFIhUtg-3X)#Bgd||Y%f(-@HT)Qb@u~CWx zJ=`yEAkeZL<8LA@*aU=vP@P@_&adSDG*w6FDbeNw>1d$Mm3CtX+u5}58f`Gb+sK1z(60)Ajaoed*c0`>1T*EiZH&-8fX5w0GmR-P+^qUhu@ z)_XOEI0j`i*kRv5xWOUF8tv#OH?0r{AQYk{S1<_%9h0J=proIjoq;VY3;gCdXbeoB zHAFQ}t@)O(1_r)`-5OS%mcC?7YBU&nwX@LNI5Sx(p)gZ!$PYw+6M8Ga8)6>Uc}DMH z=}~3)Ks?E0F!clM_S4ib0wQ8Qw(u{Txhw`B773oIXI>6pzt{PbWdLQBd4$RPn2T}T zU%q^yr=|5?Q3b71!*$VubZ*sZ4y9jU9#>}=!yM5 zNFb()r{jA{{_429qhjAj?k#l27`yr8K}m#B-NMNs^-^o&2P7Uu9bK`a)$3llwH9&T zoeYuwK}DJoJrOnQ9vD#fK0ZIEL20A@6756SYP02pM@A+Nl%Ls#KD$|wVLSF7Ml$QX zXx)(;16R4CI0YR_Ce>P{^ZR3#4qrW3>qB!=b#?#Y2F=yI@wnc`0aqAFRX3HVdR*{c zeAN_d7rW(e^_ysdpd||1K8Bq1`WT3bwO5%AlJVJ5`cqO;G9-!>&pdyj-nN|11FW(T zDX?%~$T*k`=Hxi1Hu>JBL?uT{N(D;c^*j)Wii_rZ;;tcv!og6I|t;Qi?~i`iwodPJ4XddZmUwNk>cvYv_Sg{U&Vk*x_o^YJNmlsO+Gx}53YawZP=QDr{tpG=Hm%>vS zRZ}Wo4=Zw0lO;FxKDBsojr=(cZxTHYw$0-+Fw~y_LDvA&Z%Bp7!4e|zBp=JCNJK3F zeCwC)3WCHxS5-BkQ6MN308Qc8^?J9n=`z^K@LOS5_c1ApWoQGE0bi&>m zuP&Z>K%5P3x=6INq_!IW`Ffy%)+n`{2AHFb5zzcELmDJrt^(0uh0z?j%rQJz!qAT~ zf!f>8pp7_euj7nhwwy)JyYY0@@uV5;H#qVmF?lrA+(mk&u?1Q`b%FV%GUod#?tNx3 
zxHF6_`-M$Y#EE?JCrI6i4wv1E3hO1spL^A%KFW_MHX^!&Vc(XVH6puv!{tfA3UE)B z(h>ciBPTc~yF5PbhO6U02xt$!A>=zO5!NEv23p9x*ANhU+z*YYe-&5Z%$!-l$yU#@ zsObFXvhvyLP*e39g^QANDo%wJ(BG`>!NqzOI_Vc07fxKi*B-f4-kGb%H8wFG{sK959flS@CXFMk0(fdtJ{Xzt%MEX!)xLc&ZIJ9th>KT_`$i z*$?B-lc=>3AXLR=KNjp-Zu8#`W^2t_gyq)-#$IPigsU$oDvKA{t@5~SE&HqSanh)T zDp*h55d=ZA}FGga1^fIu``6H36QyQgebQRv*$4J4q1y6H|u@i}gNYwF2q;f*<{ zTXl}x7vzAj%O$Xj?I&GtBsuC2rn2_d_dY+W?JqQ5zA2q4qm_FxI+V_xT*ZLG|63Dc zWY~Cp<~)&YNqF&y^xgh!^(Iz8y1O80`hMTd>0ryZxjE9t$Qq-{jehg4>dAuF7v%0o zUSLczf%s?W4PO9)Cc z%wG#2h{9HZzIx*2z6C`4L+-@MFWUPS= zp6Wu8pkSmdwc?y{XW6Z|cB>wlZLG(BnR~DwP+O%xQZt{{Q zmwmav8*6sjdF1l`yDob@E88OnZ8~

Lmqx3Swu^!ng=XW8VJ9lK`vsQ)f}MmvjVuy+ak`aIQlslMSuNvXtkZr)|$$xGW4d>IV7> z>I+tO>VQ6Vfi?;`1Rh;cn?f9LUqz`7eMZ4+I^xUHLe)7OEP1~T52p3{xw4A5<%3d4 zSRLxIdJhO8vuo%~s#`rY35=a|_Fv0~_2ub%|)zt_WgmEvO zgL?~Ne6RwA*-)zt982HvTdUg5PsMR^Z&-5FP(j3MDX`ar;3O{KzAVu(3%mm7SzgwRlT+hAfU(2!2YVIRv_J@@~9YB)#* z`P5*)j*2t*S^~P{g|u~lbEq**b32lRtmQHXp}X_{U?9aK1ht%O5!7)yA3tlu6dtNW zB3Eq$9JBYBvANY1!^3ahI`3&#gESQtrKWI{Z0^529cyr6Dy{=xZVb6+9=?*4xENp2_E4Q8l;!bJ1K?P|?# zgv-2`g5bGo_8nlHs;4{T0=<)eCs>aNO>35)SXzu17-!#3j3ur?VORSu^oP^MS{6sl zS;{g~zc0FU%^uVIgbP_mKjkI8~y&$5~8lG+P(VlKpV?+}7z z?4m0z(ebknvg2W^XLo@Ta290(-R}BTbmjv@c6TckX?|7T3uZB;Dh6d8V<@(H)hNKbeVuqL!@5#+1 zzTVkG8R6Wb9aB3f)Z(ZN^Ie2>E~14*C<)3HbRk#hXvCoF!uCGMUiz2gn<@wTL< zQdhs9jf*)K{Pz)-uOZuQMh1^37M^dOk95X;y~Y%qKM{hIe>Sn5=q1a^!XJ#(-^CH+ zKgg*)ucCIR)Y{!&dwK6I-`DKDH!CmDAcfL;5mUtM)2{mBcfc@oR7gut zSmJEc{iZ;EyP)I+1G9+r7P@T%dLih0hS|l4e{#px81`R>=D>>jp3_T)wO-TK@K88L zFI9>EN~g{gXa_4=Oi57J1i@G+*z-SZ&9(G@PJuhP>@>Sy%Vf*edGf(uH@AY?Y5|BS zu`>)~Qt|l#>56ReX1YsmKGx=ClTm20>ZS-(V3rtP31N_j&b= zstZ3L43D@51_e>-UA!&q5q)wK^8w3^eKma&Gh1Q9LwWyA|BaE*-J-)oZX&s$#an2g zQ#e0Q+C{C-#S7aB6MqMCHC^!8SSp{la7?C|YZ zexPh0#gFI#JJWK?8wgU!!{hD4zA_09Ut+&%wCQqNN3W0$s{zGzJ2cJJ{0%d}OYs5A%uFykF)lC8@}Q&pGSaH)rWHnK#iV1 z*%}lA!LcJEJ@8GWo|zWeKg|W#mPorniwRjP z?jed4Ys$}eFsWdq$N;cGLJ~n<^({(Rt9T$-SvbwNGK3{968Vh*rE~k-Yu}=U8n&l0 zx{Ok;^&@jZNoN&btYUIcIB-=3;Zz7>tNcO$931e${x(5Ncyc#LbJ=CT*A4EOgly#z zh%=98N$|At9^9=9sX;<-8Mf}eJV6=X5oww+IJ|ln6Jtj=&=MuvS*rn>Bv}w4toHE^ zh_o--piFv2^F}9>Fg)MPyLl-qxiC8eOQ|Q^R^y}vjY!C!q2gT`@X z>2NP*>xiIYSakWabWDteIJn_if{cE>MvAs~=pp!B>;^t&B#@%$*f))Ieux@+ug1-d4S)74F_9gjbzbV_>8=+O3 z)D6w`=vuLm5a^l&z#G_^9A2xl%$)B}*5QhUYsvNO9z{b%#Qr|K^NPYg+VBr4ZB{@2 z>@dC))P(@n!G;Ndd|dadHS*E?Y4?W8sr<1WVGvm+;q&6!D(ZRmJp#dE8fsE?fDpHE zSS9!T8lYuhqFczTXH)0J+OS300MALj(l3T@#ob`;GrtwURjv&NDLl zSH&g9b^tlh+j3|hlv7<~pUCyo^14=V`ZyGYqFZ8_ zn%I$nEae@n-ELu3t9_PPbx{WizoDnYWL3HDEi6hr#+L{LKNmgsUzu$e!iRyM=YD@i?14h-V=;g!#Of7|9BU 
zZOFMjv2w+1K1*^(&bNHi9!l->qN;SVTha0)`|~VcdTSg`bbw~Jx0fnGn##G-I}rZ`|y3pVZ=$sE_bav{y-#(kAlAGs!!{lFNkfmSfn{ph?IO zm6Ap}NK@{JHyG(XMik?5N`LkCrA9~Glz+40 zO}~=?0!HAOR@3ejlwcUp6H~Xz%bY5vd*}Do@I6fV*?(eMX=gO>`NxM0xp}Bzb zdF*zYYnJ{fKATh+2(`&?CMk3K!kl~Ts^x1DQ$fj)mJKo%*QLDVl?uJ&E1rSxdosqB zy2>}gVt!;kibgk#ib$~>F;PkSh~*-A zN>rF1q^xjAEm6sQc4x6lyIzRtG@9#{ZvCA8i+I62kX}cH|X8CC*B-c*2oGVuUAY)b4lvU z7Ww)t^@0#}N7jy3$V>8Ox^*U3re+9N3OdRj?p(Xne)0Aq- z7;NSw1CDEcs%wNF_ zbL2Bm`jv=4$hn**5Yzm!6Ls`=E}t3||Ux z_P#}0KDCjWxnA-?ML?22`X%Bs>H97u2bjFEKzi&(3JqO#i($IiyFApB7~pnV8h$ zXZj*}#I^g@S8|DlWT$xV+15xx@!A+kdR*eBbiHqcqbYf^4x)WMh{$nv8TF9?tdE-bnO)y{fKKks&KP)<=ypE238DCW#|g*H zucL6Dd^(UO+%=6hx~{%MK7H8eRSP8eeV7~r-xX$4I)f0#hDYyMBhR+jfn^W;i|TW9CF))kSAKj_Z6L7j6hv5~gqrld)|3v{ z4W)4V`%x=2=1AsFA~S9*x^Acv?3Iyt_#&jZp8BY~e(zy3zI5LegGFG9KMpee@Z`1X zIL>KQu)`J7n&~t%XzvE4`{??x5)_h^tC?5jP0Bt z>Tr}SAGsc=kafogb?jPK;qG)&x9sF|Ef=WGEcFdCHoc>JYw;<^Rzi^f{1HBQAlCC1 zp^&$Wk&4VfOREX%cN;6tNdCq0@!=PwTv}d+*#|_T%hMR91$2f<%GpNrbDkx5PPHpk zA<1%Qkf%%_?+O6&X6pvFYDOhBr8O*Lx!F5n~z)-)<)n#69GnK&s) zI|*dprVsor%T88&v^K4C24PfK*$7v};3CTQy74yDVXKjNGQr22`ytht+-%%?oW!iR zsINo*?edL<5~9OMR&KrFVb6E-s}gPHrptw=K+;6v;_q~KY3>7%r8*5vdHHAVpBqZx)Z!x@>PAW%ZCeMOPVyua?$H*?G3 z|Hkmgm-ZX=CLbEVlOCt;Jltb_POuy$glmfv|yZPxyHM!i{$}0Ax<`X_#UB(;Y6eNU66=+=5iNhM-9LX z=gxf;HOB`d>XKe?x5NZ;T(WFssz#SbCvKzyA&SFB4-C+3jgqE#T16gyuzjMsYbvWW zm6Y~5iY_fTk@hR&K=YhO%+ygsgmzCF94vK9gt&X$7jr7P-_#Hz-#uJ4b(`fa^Jo&g ze}+aUF)fKv2&HA8sOY1%x?-)dQ<%Idwb260H?B$&9?UbGkCTm7*{L?U{x~n=BGN@H z6ziHq9)v26#gR9XH*naD?)*byBFFVe=%mL8T2$w-ZrjsvKF>-6(0djk&^<3zuJxhR zEP-c1{!lp-!92I;r-m8g$jT7cVUoN;wt2_*(ysbn8B*C_ZZ1`TB&BlW9k_nU+l_)mjqnQ5YO z8xa&{sNt)KkB0;5Rh#>fq(!qaI{OovHdzZzprSqcBuM^_$YO6`sWy!l$Y$!$|E5&J zjDvM~Y17R}*L0S3vgM}I!G7$To6wo~1zsNqn22xW?N2nMH5g3(9mwkOQ)Mra^w3im z0Nw-1O#zFSXn=Ep3c4%>w@6Z<_9W5|XSlU^aZiof#a;X3epT=m1knx+D z^6@i<^Fxeb2J1GFcxm$l9pX?6(WySpOcr&wl%#AMJZ_KEYEKgPrAMCc?Qs1u9Z8Ef z{j|u)LO%T*XO!a))~U~5(;7JKG&Y+KZ(j(N>ogjoTU|JyRc0yQ%vPVSkan;ANDsBM 
z3Mi(skzUw3!(cmX)MTbi@SQzgacd(J%81UX^ZKlm7@r&ThTBTNQnBfcv8(?Fd6pmr z?Q=@5mkIlPvMgIeMOyq=%i}uyj+X8EIIELA0^}d3?1g--{ye?qGkuXlIsafi=ToSo zpuim1Dn~#|TheQx0>(BfjV_r5(|janV36Ul9RP?bPrE{t9~<61{gce&fe4a7m4_{x zq9Eg%ZQ*h=DjUFg{M<6L4-&uo$6LsLORQd2QxQ1v^Y<^>1<1?Y^VX0>Agg%2^`@Np zK=;q}udI&8gYBkUBeL^xE;Xd|ETJMVTB1wwxxX(Mev#w`*nA~J_}F%{Dw8XbMb3sg z<>F8&g@#{f9+NR1nNEP5UbsQP;h`qmAQ1y+A#aQG#dI)2ARd=iP9qN>G%TNOOu;@y zB0YE+!mqE8i2?5L8BJ@_6}|^yLt?quY=5$DPl+??;TA#v{c&|#xk^?)YG&3r!0$VP#$p8W0<1Oxx_JSK#KRIN} zaZ#AjZ5@9}4d43DE-bg%ZgXBTdfD|3nqOEQfXbM?%Ay?bLF45{jlXxkLv9kjPlYot zScR=ZxmV#7RpUypw^3uFdfwXa?N#NOSpt;Cy)}!I)+~=~mFkrV0V(R@C)l*1?gFpX z5pve|q(v2VW?9u9ROaC@`*K2zGli+jbQLYw$*vrFrw5hPOq8R~9b)@Gsjb z+J(y_35g)Howy)2*qycoWf^_jz+7D#6_XJivIe6Ad;9);LqSjys}%`4`T9GzD zjggjb05Ev2h-%Y*F?g~Fc(nlTPVYMU@fjE?pxbS~!rS8IGXCAH0lz02JHaCqLiTiI zZW}4L=&lgAbd?5aS=qeTC>z@jQMP$jjJ5m+E-r3VYCJxeI;s0q$DOas)LP+(VE7G1+ADL{bg&4U1!q^xjK+UJcm>vaZGhE9!UKxB` zO`jozq&e$)XEYk^Cc}VwxoS#m#ctkkBrl+bz})t(w6a-_A-Bq@uXXK6>YQ)4#RSoq zt&d;|cR=1G4y4339GE;epN|(= zMPm7SpoD=OwI$+B*jFGyhL7M_r`$rMbj*9`df-|qdX}cZzWJD!*H9@7)|_?33YNn; zhD5TH0Xd5Dsp;uqZoa*I5gBFRNQ<|RDReuCqrV=tOkwIdA*;3@Zp?9X{iYZ55x!xV zF&J6W^raD$g6l_TMX_a473PU0EhtJ^d4cq;R4lz7aTV{NmR9RzVmzqqBVjW6JFv<( zwZ!QBnWJZpUhkpJ4=u!!o6Tfqb*)@XnlS!x20oSfv`U0W&Bmtc_o@+ISY*1`d~=zs zW7Eu0Gjd^FdnDos8k={CKI2#D4_S$Dr+lA)Gc|mx51@7250kaS0JM&$Q%!UAVvb`k zxu^0mpyxRmQ>Slig z2sXVjbMU2CEB|~uSKDhe%y)OK2qkjt=teaaLB>O9y|pbthDyl)F?^maE6F2V@73ZX77w>PHqGfoV%`?Kc?Jl?A!8&vNB z`r4&ecSnt&|E9Y4O_O4d5sE;9pn~Pq8Nmm)k@qwuH(LuO4RIZR*}Swc^3@wZ#7n;?`we$_W(=vFJRgKP|P^Vo_2Wpl8cIHEGP9T_{R z#GG2*0@;c~r?{h3fnn!|YDca?XSKW#{n4Xn;YXx8*FM)uQEXzN87L@owA&t#k|zLP zhazK1hSel$Rzz!;y`pzL7Pd?z6W29QmAx}qsID=XBYMCp&1 zsN-+vEr8TG%6|EsZaVTM^Q^?FI`;?N^KW_=8|4C9JjshvL^Di|gZEtOq%;-IHW8_V zRtxU#-?ZEC-M;Xit&Dkl3))ONhDPUburdv?)tAiHcfsps=dknF!&cz7{>6x`>jsJq1;(*!F9B6QL9<5 zV3WGlhOs-pv{QnmRXk$6eG8~}pd(=j3}QK*30fA{Wp0V51>M$doa_RLtQ2I^fNnSh zbVHm|{`BT&WEE_?U;U7k&q){<)f>MHEfvyhp6)^16&V{3`FO0-A`ZGNzG-Du{(r>Z 
zl!x5s!bHLX0_+xgNNyF~ai*HvvWUU7eA#9~3b*P~#S}tYigl zHOpHB-wrxDmS51!G!f^jhhW=CzHVzP#*8^t9n|lb^tCa)b~5}2|He^X8n%B`Kp~x4 zU3}CUZb&_(3cGfnlW88_Q{uE~$Iq+R(F41M{tE(5m0!I4f(}oz_X~3vomZ*Nhnkx_ z2dgP?OjHX<+sW+YEN^o-E!x+dJHd@@zYwPa?qq4BlE(i$l*l|SCy$=#XlxVSJq~uA z9!@(x^$bHY=;Mt-q<3Uq^5nNka>i9GvKkToEW59~z}4dgNkw^ck(~dD@MP0yU`7veDs|dhI*vP2uG8rfm)$ZEC%f>>f$Wv@Z%M8>W4Tb7FIvn(&u@ z2L?t(mQo-K6Mp1YVbQYF4||74Mn;t52EyT8J7tReh&f5YQap*WrrSh=BZ=9^uw$k` z*NK#-N<$QEBpz}Kfsw?6iTr9;?wgBt)UlkRJsp1L93rHn^Vx%z;hspB0(%z3>H$&u zx^pB#n-HHZEVtQt{Al6d`w(BSK3#pkoP z1bFzU+xF2@dG8Fj{ooGSHSHu+x&Fk}wV3@CBo=`B5Za!Dc#imP`E+}bEkf8hm9n>w z&E{Iyt02LT9=Y2XQ$Bc-#PO${A(3Q% zGnR{Hr)D(5LZ@UN&BP-lVK!b~2)ayHsFin#6;8KW5h~NI9+#FO(DE4E_}yOfjC7S4 zds^tRArnpE9eW;J_?we5~4HXKGz+Lrjkn;HMco4?sx^mGb6$-xM5$YoU`KFA{nwHHoy8H38}x6 zA%s^#<5V}OXa64Yx;*xu}!^*tJRc?Qb$5i^B z6G5bh=)Wc{jx!cU#4>}c7kNnxhI%*l?YYBd<`{0x-l#Xs<#YGwe`^#I_jvKGC9Z&> z_~S5^`_2paix9`@oM+i>GiwB5Tm83!UDu=ztF)(xLyNgUIv4uPWN3m3 zqR|<+#H6~ONZ5W8QD4wcIk9gtX2(DEr`q~HTE5}~=8e7#!KVen!EuE|?-v;dlI4#; zT00(R$>Cdoh)pHQhr=?%)l6I+yQmT4e0Icm4Qyo~8HrtXlqR zA(2zrO{to;pC{g0Q@JKr7J6UF1oq_nJIpZ`@H-J9RZN>@nSU4`&Elf#=B}jKA-0QUm-awwieA51XOg~5m7-r zy$WrpU<5@OF0wYsr;0fNYC4Zs6=Fs!5EP?jYRJV$*G}R<3R1QdW1YlDmxY{1=pSPu zRD}|Rf$aw^F)0KWuqkz8R8d)6<-LmCd8@1vA-(cy+;w*nU@jSDbc-Ur)KCRTIR%&> zGhA0Gh3G8J;_BQY&?yn4FkYG17!lae>yrKuRgWs>%c1+~Uu+ z&jI;JpjTv8y!>_uu|)CnEiRc9S&lqP&T`Wp9hHgsqF(z>GV+z)Ib(p6Q{+J3_FWAC zPqcOR|{=Agj z>Kj9Q7?k?z>n+yEzJzk~(I(UqHm;>YT-bO`EjITtXJh)9aBu^Hoc~Hfa0Q#m9ZuDKji--g(;wv(0fD&uf$DK_bQ)k9l-ypC8eX` zU@}f!_38G(&6h2TRDW?o4bGWL#<=0f8xTFzFI=(w?}Pqe!iMD}JN zln)mz*k__;d3$vfbmf1A$>Yc9Yjy;Ml6gHZ4}Ip;f9YYbL3!|pD(F8uFh4Ccx`jzM z%ujsh#Ex*QuB>F<+N{Vr8LfBvaJ4!eCQM_Mgn)QDS+)5hIod5YV=dW$-1^&A!I0Q~ z)hJim9v^MhT*4 zR;-PgGclo)ad54%fw_QjeX~ggXJbnFuIJ&GsxO~CbVL?7zP5*;- znj%wL(m1pCH0Z;MdiO0+`BYunh^d7QB-O;`$*JA3*Z}t|LXuL@o$=UtDzw)3*{lh~4#lio#pF|7C^XeHQIY)+tBr`c0#&mUAl^(IViPmZ#OP}qtU z*bSzm$2NyJ>iJ3CRIpK4-do;0CuGQzI*f{pya!Zh zk&`qGJd9bY;E1xGjk)M@IUHY|x=e!Rd(~Rl9yAd3YL5r7%8j^Z%FOFx*nZ5p+7gdN 
zA#$y5IEC(UtC}%5;T3O#qj>9rNo?GM8^2mjmIP?51je52JXMNwQ*x6LC-><*yGNew zIc`(8{m?-Si>^5h4#<*+A5QxO@cdZwFw2a4mgm;cQr3}cyTwkk>B_@WZ(dn{tK`O) zBuDMgkW&hZ?~p9Pkli1>am#-lp`3(Qa!stCZBp(Z}`&oRrX-wa1alWC}F&T3HBx>U`CE}PvAkZxF zHTBDY&BXfT$Ndj?3^D(FrT=TTW=N(Gg{p^8S^Q!(5jC8dFHr?NEJAf0Jm?j-)m$zsDy zOxK_4aD=OV#zRxBuTb&RQ@CzPmX$C^8_UfVL}|J9_8{VMUDAnEHXLrXO}F7M9oK#m zmjsNucZHmD(9K-QAkJ{vw7i>cjB^~V(pDux4IVxk5_r(>7RIICK{jBz2&fQl@_~Te zLg(?@eaD??K<-iKfh`(NSTYk^UJj^7mG$(T=bG`sDmz@|SvFavpS&p7~Wkqr(32tEvc!_3bMKdzbBcaVNj zDau3a&NO!5Y!hcURe3t7l|#RbwkW8qAt7`^PC>|71ijOJ4w70`A>4N=?@@?dg#@1U zMY}dL$>)|BWnF)Cf5g`qk4(%1k%Nf`pl0Pg?R>)5OZLN5dE}D z9#h#rkvSn0m4}TQ9r{S*)-`_dias{4y^HBO)c!Xz2iM=f`u{C5=LwO8J#6`qgVi5G zA}EBMx%&vk|6CPzQ`4BUZXLXpuTf)6K&rUTo20grOBAdH+STjEA#LE@U$J;MF5UYr zl79JKfxKo|bZvad*3+@{fs#x4Uuv=~-}5qJMf1+{bnf$WOhicNrGY|7sG0ZJfxx-ah{C8cUfA@S zzWT;B7Xxx;yrFm>WTpOGvgb_?F})PGH#Rhd+-8oNR=40okvc}MFM)0CD;e>xoeZQP zi%z!ZxqG_>M$~BX!GdTLU-DsbFZ|EnQ7E~_*3zrWa=qByGvI`S20C{EqL<;wYzh4HUx46V4*t=K1LA-ukYPs=)w z;tpS(8fh%fsF{QCztI!PorUG}6`Akc8a_WhBjZao31(lL9^QR0JEu;k7HCR-6k5W) z5!Za^9MBS;Xh0j>9~2+w9YF*#M+}1nsp-sPlfC4N!1ptF(AXuB)LgCKyBLR=3og%F z%QqlnfTM@C(1Yi+3D*9=vHf$V0}x&Qzpxxiq5le&)6A+@B;`x*fY8t2$F4~{YMyJ; zH^;!u7C^-=_n#Q{l~QglZ9|d;BX6Z+_1*Ceo8>3uYGDd!7755_v6;eZ`;TtSyova!aH&dIFLA-D;W zj|XiSH+yY0*h89j$j@xMXeDq%?ZZ>YtiGmjY!!=|?dR%T(Fx}yrVVe$!IqQ~ppjY^ z7j1E?ZNyRmTxu_4`GMsmimr6PoJFy3JDzs11XhR-|2MvW{v|2mU$xgM?B}?Dz~$7!(<0`F7n1<) zcpmMnuyFQxEwXmFz;fQGJW9n{CDmtJDos&>3%mGZx;0XaJbYV~s`mJF4RbuGWtOI` zBra7f>uU#rqy8zfVV^|)tX{g)KStX>8GoUVUW6JLSO#^O?P6)C7(bx14Mcn}mu;5c z3*3DmhfQ%;@}Z=0?^w3#yHg@=IzTS(NBZRlU%?T|OZcV#E&C#$9#2! 
zeuyZ36zUXE{EW`dK(d$SwV^qC+sH}mt$ovMtt%8!KH#VJE$q^IW(k{c3wDH`yi z%EhrSh^Bsn&uxq;6A(}ioWDGO|A&9Hq(%v}i5lP6*L?qO4)|jdOMd%{Ecy27n}*-% zsQyv#f7UYHocE6_zz_>d!|Mwl_k9YTh0cJ1y*zLc0miJdFpadBI6*8=q z0GJc@^WXkQZXHn7K+pK@X)PrEF8y=s+n~_Uob;tn0P{!sr_Tn(o--zRb`KH4QrSZ>2KsuaCqL~;WGgFbJ%(-^4}qU^fB4@eoOJ8fYf8uj~G(W{tOao)?>E4;w1wcI@v6`%R`p9xa@l9->%$45k4@qkm7iV_sb@Wsn)-d(%c{){K6 zmFY%hBQW4C*tMZRu=*3$t zSw}m1qYI>G*W&P>T>f!oZA$S#P=+rBn^9dL7@ILSf77(=loNDjIlfO1S=g>&-7%+n z`z`{TK_mYXA4sgEEnM;P_cF4?PWhPw9Cq{&f85|JMxoGHUqy_fxj+p3Ck?k&pFk|p ztN)Ap*>xtlO;gtrq4aw?oT^1D|2c5x+vBKEWCHzPxSxrGp7ftO(LGUMjWTyS^49j3oXJ@A*uP)x%*%_0PBAw=a%K?ZH__b$0FgGbE7MMU&&6WGu&d&WOQo;DF zmaiW_eyaHC6BDE7cKI5eNg`0Ak%zr?ATjQX1VThj>m=EUK53r+2Y%eoE;dJn zTpoW0!<1k?XHGde3GfIrXAj#atJp7`=~-x48#B`1s;ETS?U3 zL+p#Vv+@AXXEq^Ifl;X>`{s~aKDOK_m^U!W`dS2La>pG{)8e^81zK@vV+_ayX&28_ z?COd>(%Z>T$h^Nu{^@`%GHM7U_VREEq}W7>cD2u7VE9Kb=N0*Ml0S^qhkB@G715XI zwCGuFIc;BmcYBo|MP$m_0XT+~?0l|o7Mppj)LJr#$D34CxVuS6NvSC*yDh9H#v@E} zg?0z{qo;$VbzXCQj}w6`xZ_#fIz-Q|i-f)YcyoEGIQ!&;h#!zaW#)M|o=IigTC?N14Cp-J+3x@ZmOZ*!oVt?+8TkV8_?JtuDdzQP7#C^NvzM?(_x#Bj| z85){`&o*7G6>nolXrh=U`>04-!v(Hgz35?JVXO{;xbJ?8_o}PP$yM6e+H+!6$ZZ49 zu`8ZY*f2_n3F3h~Ven+lt|k5;i3I*>+?`&J7jD+mgI^@ZqHa!b7;~{dfIhv(?c?~6 zU6N@g`lBt*_|}dfUoV`qI#De(;8Efp{waFxS*z`tBb_5|sJG)&9_Z`I$R5qqaQC8a zuQtpE18->g(_f9Tr1=Zk1BI&k0L&_qzmPqj<{o2VVoFbHIY|3Fx#`IYhx-ign2vVw zX-bW0l-r```V-=iATTraGOQHJ1_=aO!F-Y+#tlpEbZ;>t#&;k(Wo|+Z)&U{ zbY1#*7IE>lkM7#V>tTuK70StNBVw(a5i>}g&ZydImX*_^_OrghYCcP_#=;A{iPqo5 zp3mWEVq#L+E(=~sGn{VlI5-O>DNpFg=m>R?H%>=qSJ5I8oU08AwUa)ITsC<9=RCUP z1Z>$F!>Zlhj5XHOSNV^B<4Lf8nk(?Ku&(MN{5yX$Q=h&aZM+~-;L|AzG4LSC6=@eHfKfs6+uP~E$E^i8nRH7n2 zN!&mi-|WQ37mkc?79qB}8u=kS8EvOITHlZ7auaT^(j>VaprUkrV+kuzHQ-mf58&Yv zukcI8J*&!QW?rOEF@+!Y-zT8DiDaN#pN#SDR~gJ`j1Zehr#D+DMA z%*$c=;y3*&Oz%O0dV=FRuE{p&li~gKA+CL3TFayQvh%^2g>z@OYO}$nWwalk`e+&s zBTI{`CgiE7MK2)ll1nNGAtqt|DiVq>4Owue6&4br0>^7RC%ChF@PWF=jlO)je=-ux z$g1`!hSlcod=GFN&bus*zMO>GZkhjF`tjjn><0tl*WD+(-7`A1!}}l`unHI5*NGI! 
zT~agR3=ij?J$=JfDQI&|QO0@t+lxP@aZLZu^i&di#T6e8YUj=0wC+Xi>g7Z(Om?hi42`dex#i7-V5k3{BkuRD)OZDpuibXxP zQ!){)ataOus&3FT4E&BpQJ;<6-0jV`BU=jfxP?;IV>`ee!3T=J6UcVP3_%dvS3FmTkzFMDL&vbtEG zU*o;V`^I}%Sjq9Ce0Dz8Vw&fCZqFI-*Kz~wuEXdbfCE_9_-vmGJK_mb+N?p65_FO_ro=Ys~>lfabBruCgVj)fpv(k`=r6oF5 zTTo@?pMuAd4u7^YUC@A+k4Ncd`_lQNVs9MY@mf7JHPGNd;HgjPM@k}T?z)k$sF+6) zS&5gONtIW2tC)W!D&dopd2;rXW&_RlX7-W7V}EY-s(2XfL!5}P3j=D}yzG25SdDT5 z`_lL4qEq)8shuMGz0K@PPQh?`7wolVP}leyfPsh$5q=Y;+C?_a9xFoIix5WW z;hDlQ|sn8$;TEa;YEi zHcdY~wA@}O;qvDXSvl5Yv@%>E^1NVrg^kS~>qs_RV115QkEV;sC}_E})fx zYw?ws0WVYsv~%88xQ9w=Z-lJ#b`5!wzI@Ou#os(ST5A7nPsOW3ZzVgBP?+9kw>w`x z>*A6vqTX>!;?~P}rul|Q|-icSN>@>pya=6&ld zx;T)xmRtUaDREo=kJyPX#-!WO>;w44C7-pK31*qf&GKt>lZ?LtdvS3@e?@Y8npAiZU4K&qNbf#IL5? z+{L{xDs|ZH5wTF9!8IyP=~G~~yiwp2H(X%Y=1d&0OL1K&HLO&@QWTz$skFZJ4H5P~ zv7ZPaV+IrO=N_uK>+oMG7R)gUmCRN_BAK$*iCmd&UOM56+=@5#V!e@uC3q`#E-dyq zerj6iLdUfJZtkR|_Ks1o`#n|u&Am$IMfgL!-a{O|fhC75Vq@v;&f=LOn*FnWZB6jR zeD9dvGsMxHN$!#u4PUiC&DqVzE&{$WDr@9WV!^8n7WiE0)O5e?jtNb1a>*#J;U|bD zXlT(x$I_14n(gT!6SpdC*5y{J3!~1EYk(kYW+O%=F2u_)+EZ*_`u4g%liLJGIopO} z^{fnUK+a~AS`T(}xT>ph%VdS%(qB7sQH1d=)+e(m$eRmi$UUA*q^N*-|wYXc& zn_wBIPt!jq0rs@uxz#Tj9D4&|PT+c(^SOgisXm;@(Nafc^~x&RVI`)D`ZJFZEpk=9 z2lU|DxffN&(44|b@5peMISQHs^wpuh2c^+9u`j&gLi;j$Pf7x>Q^L0Rzj!p88y_%* zEvt_grfiHbV;e=%e@KPa5qG@riPr1iXw<$YvPfiO?>XHzZT1HHS{nxN_*v#43|B0& z2O^F6wv?Xly1v03@KWm9X!abXwBA4;J(A^*5-E=Y)8F3CR`(eX zHGWZ0P{_}0{MzT%oa=vkg?5($^&Y57K)Cq0l5_kf0zL6>MK=CT1k&%cza8Jan9pZb zxvAZ+-`Sk8C{wn8{l)@eQp)CfJBZOCb#GYC*Sq97K)J%3Z_YFm-P&K8EBc2KYkx_Tu8S;V6Fpr_3uA$EDVjv>TxZi#&>T#k?z{o0Kq8WA_kU4= z4B|g?vjuOlwi!LW&WidC1qv-ER}}S4S$os00S|IZvb!^nKij2Vb&~IQGf?XDi`iS% z0SIHs;ZsaeC?N-3#P=VXS^#d9UY^2LUS;~*DP0kpTd(g6+E(fJPy{coFJ8lHY7BXT zHH+~A2j39LC@v1FZb{e&;21Yg?+qNEA9!&ff(~iYt{Hk*imN729y%pVpgQ zr>Ce**)u3s`r0IGx@2`6$rjk->hcMn>FQ4Iuv2PCyZT+L#n3?KW&I0%=~vCzT9(%CXK^98UcYvWZ(p49;zdwEB>S@Pgv8gv zofB@|oMTom0rLI>;;ix0`yeMh(Lz>5jRt;31)t7+UFw2~3q#ACJRRw}WqWo$ch 
zV=g@SslDlqKFw7!QMz)RS-XOyNv@HROVbmAy^)CL3v1uHlGj6kc2vGwZA$)QP!lqcAS^1c1se76kJ zCgT{;gE;R_i8JjAkAbzh;0BTVz_vNB1wm|~oqDfuS>(E>w>QJ`wgbSVp@9;|jYz)U z3=luN`F>Q3+&v6BUMM>MzTR}sd$aN5E`L2wHfcylpJ%Hp;XU47WMr?7&70L3gNg5w zw>W9urF?JMk_Jy62D@ftWE4sW8$I5eZAk0u@6Tu9TMG*cQ)x?jrg-b+b+YU)Y0g$M zp$pnmcG5zDt=r#t#&j&W9@*J#bJxNPY0Y~5iAG9OxK8TnJwr~vyuJT`S1O$rBx81V zG8$&`dZr!{$K#&+Q~#`ZOy_Hah1kpwpF+g1Bua9h-hvc5e|8gjOKl`OpcrN6H8{?H zYjR?dr%i$MpUxrPyo)ZgaPzRb0JsU}V*qgo4!7?c=vms?CkBW^YHF_m;?VAN)mDg} z$ymP6t6wK1cH(D;{d-=^N7gRmttdGAbLhJw?-RaG>1D==r&>CgeBQRD|FWhKqoxm8>+Yw0so~t&E3QxM*6F06P=|%=yv~Q>Li81L zEXSwU0WrtpJ_ZH418vh8PQl{7ubI#rFuM2z&+c^#|L963GTJ57kXQ4JWB5dC35INDESMN)jcCE=)8td4~>+^Vwf`V(!e zp7wFdD$SF+9mU2O49X$pB*Qr~8(HV8d-HXrDLlp>@INbjvC5xv^0UmqoBwysa zda`bH8S@-+m+qaW?=G9(Q@~=QlKd2B;nXt7M81go;4RGhBEmPx7(Rc5#{`T$d!2Qg zTd5Sh8Q$P~#s;#zGr55pBwjfC7xJEz{go~S`nTvvSX(De)CS?49RAe~+RuAgM7YW< zWe92WhMn??K$=nG?$?EmYt(wSf+u^rO|Z(V*@AZ>jAIpYmM7{s>95 z%A-G9@(+>aRloUs99&jNifsBa_;9tGqyx}ier)3SpckIX!x56c({G@Gn1(9fmDV~6 zl;B9!M)TE_8Y#?|go;BX`nujRp{?fQeg9=5JI=8QNhv$)F{ z!I+R~d(|ge)Z#qP$zwC%wz2I*2s)A19=ik#gJ%49w~n2#c)-^Hcy?w9jz38(Q>MBK zl&$V{{O}3GiCNPt^Hn=B#K=6Tps^vNzS=G-bEVmiYO!5@pn({ibiaLzav%7dmLoe* z)EYb6Z+g*gW3uz9@^5-kY|7vQ4&+aI(b+lc8}3hUfy7|~>p0N{mu<(xX7YJ|u>hbu zP6v86A4r4K_N9jEfZHa2nN?2v;%`Td1|+8D&bsunth(%7GgIY{?(33A#PkeXPW?g| z)o<-pG+&S`iuOAYfl>J`<+KGEmT(BxM#IY{Ta*R~s2F(%Qnhay+S~x61#RYq)1S}YAP6|cbZxL)2sQ4<=_oAB36Unz9#I9|T_Al5`iEDSpj^X2yY6%J_) z6lv{{Z(ggb;wl=roYiLK3)dEm+ue>2s1}H#oSjQ>f||QbUshQ|@I1*zo0K+4ecIn` zfBd`{;wV-<#96Y&aZ81GU-FeTPgO2lh>zS|JXn%VZF9aL(ow?Vy;V`7jU<*#0aKb^ zxkSv_x|U z%&{^4+u)biXA0v_G}Vz{#qRNaEuf$#1w+T{Psx0pyS?MvyP51F-XLLhVB4J2c{Ar`U~{8GjC(?N#d4cX}DB13B+d=qXkveh}#@T;+{h z?J6|3tu1>Gf#P?TF(uirHHvW4qPfY!_dStvsG)e>y!AWX*t3xsdCg^E!L|~hwD2T6 z$i$4(OZ)}t4&Pnb{X%)(L$bY>$46xrLN&=c##H47To@wOb#=1P zo5RMEuW3_Z-IRHoGmoT;yYMph40XsrwoRL_pma@(3ZL0WqvAX@faYur$xsdYK=t9E zOsqsUwIQR3;upd62#O#zTj|u>40C$JB_$f3^3pH#lXTW=$5lETRQ|OVp119Vl>sta 
z$fcyD{(Gav0T5BG+b4e2dy+qT3t|>MU-(yRm0C^2!wDF!H$-W4I#6pbKve$^b#E0^ z=hm(3hCl*@-~^Xl349?wRsB=3_<}Pdu%2Yx{c8c8kna__vY>ATgHzJ$D37 z5JQTm*f$>)t$WI+DCD(MlZDD;nvwEAm#4`+v~RD@_f@UKGsf;wzvxJQ2+Pf|39Dk_ zRUeIXmj?279~x%u;muUvP7BLr8&6Y(iawdtVv9Z0M?>8bbG!(CtU7!DVzR~_i}+vs z?pxxGb8H^cV$vbR0{Ox*jH?RR2rlb7wM3G_(*n3k#la%Hc4jwZa^oQ31T z%bFyuLkP%2_nT&zXmPB#HM{FkMzdfS`&&ijVmMXco~WXFG?o0&6kN2+B*gJ}DFWuC z(zRn_W&R^fvdd$BqU?Swd#t~5oNG5=cJw^iOJ*)%9kXiRHG)AIv|hUE*1ya^XEbAI zdwVh`z-^7}%NuRBU*G7^geIHWi6fQ2*%RQHRuLx|2y?MYTk5}_Rn}I-{UVJ?ClC^$ zti>9?<~9vq&TAcv$nJb*2g&S$5=4kT23u;F*)uIgug%)GZT)qnK@BL3*(yS}ywRV~RmAN@)>&MorzvejbR4_k9&_Tp^+w$zKnc_4Nb z<Mn~_;?72McNpIj=A@kuRR@%7$mF}qFSVRrijZ+m&~c>5YC4AHQ;mI@&ymgKwG z7JIjzsUX~n=*WsQkP-tPLn!%2XrAKXf)aZ*j@B{Pfc@F6n@A#hsgE%_ch+V;z1Qm!|} zwwY;h)CLw2E*n(Tw%%fw>LCbKNp0&Rb?bf*B!SN+w4MxS3uAW5ZLt^Ynh0n(u1rB1 zXOo!Q)J{3`^ajjuMj>?m61>t1+X@*y~Ow;x$3LCdD{$ z#8i2iF7rf@e@1Q@U@`k@uT6w4>9ZXk=8C$6`Gs!+MUS&P-0jkS2U&4TcH)D~%)e0Ejd`!H4G?`55G0xBU!E%b|Q=^sw{cT+7O{czLEqmWo2f98} z@31EJ2z*F(x}9ZQ;*8~o2{kk{oJ<(?K3q-{goC7!1%nud zdUPnN9_7tuM`jxl%zIN=AfN~4cWW^h;eXIcdlAf2IlW<`3rur+Bk84k?=eq*$iWfd zJ+BLhQr9y{9UGvD;3I08_p92kRqO%X3C*=pTxwe}nq&6AcXxM7Jy;`C9*1b>`uqqX z9@s!?7uQeWw)M6Z2e{zF%)PttyH@9H$1u9E5>i%e_tVv;3|ZGn{dL~GBHeZO`SOv& z#FKa}pV2AG%;&;5Ytu#_okc#n7luqYjdR`?xwh5WSuWMh#;E*}_jN)F@@NT-zhA+N zJs&uU8Snd*jlc2FVH?d4cD_BU$GyHOh`n!h9N`1#q~RXfjn2~j(koN(^SqVBF(UkN z_4DJ;QIy);e8Om%5K2 zWq=k_7&m?)L|MH4$aeEu>!!IpxPRa)d0EnEMmF=(sX^c34Y#Pz7VE>A_@c*N6!e5w zm&E$nEMKVzYk0$;KQ#;QWRa;72lPC%_WO|dte-a|=^pm<82NQ-NMi!2af>}Ondafn zo>}l7H_obr5Xp8}>Rt9#S&SHX;)+0@ce|r$Y5Vs-#nP(%v=G+Mjfds`NlJ>pVBhDu zYd9{Nn{w46fZuJk%oro>V0yi&fEj+2J$4!FLx2%Q{hdwmn!9vhXlO;NzfXVTxbL4H zRjunc-Tk5PI(*@}4{g>b+!k{HX*!zoC`VDzegM9Qdmko}4l{1238a`MO)_va^OvP$ zPx*`F@IvhcAD8s%x`#@QQxg{Xn(`x6Xkj9RcApxS>XfSL9k-YSLp5`D7;ANmeIJ%H zU8Xq3Sxnn91AWbX8uN%cM&#b}zA5(!M@MpN;D$xt4ds*LAT^z+YvRydUq<(sB~a4; zbG)CR13*h82IHm9>#jlkYi&oiaCG~#k=}2YO{=Sc&g)*n0dPpLnYI{#QrAdmoqVy# zC03ihpQse6+aC~qZI7`#T=wMifYSGnOV-wobEWRcC*E!`zjZj!?~7|X9@R?j1;Ha$ 
zmvB)St|iZFxkp$vZGPU(zF~7G6H)1VQloX3SnXL;x4pEz8L1tQxw~Kqzy|B!GKSG) zbTso!of_73THIxDxzMR^w>o8WTsuH#oh)>|U0>^Xy=%EHKr>xr-jrFs9%`Nlgho$O zzIE{8^-0O>KSAo6P>!tT5&?>S!jMSczR7~QTMGKmdkAGg-z(qc9W~UXHi)IOITZl# zg@a>ZF^3{D@(%T*t5CH@ueLRX@tF()t>!TzdkVK2$Kw)yQ^zBP>wxay0SGt1wzt|8yP9lT?vNtV zFBB5;FpTB=)g_{A4$!e?@qnW^IB%;_acBOuEg2`Ib#CWp;!V`}#FEsA8c6}$+{|sk z&!kfe_6w5N1Ai;=O!PiBW1N}pji4(~A0B=u_{i^BR+EEUsmiJr*DN(>tx^dVpO;4v z10MMa=&!dLeyj+x$d%aU%@Et1006nPwsA{1Fer6!@!9v`#>L|$cq5XC#h$E!lV4Ze z=@{}NmJA66v?V0MhqxRLWKKu1=C$1}1%K(Ru!!w>9@vSY06HJYKdPUo-Brthv7rLe zSfc5o$=pL#`aPc7$f&oc!G$fFe*PW9r|PNz#puI~3I zlhbDi-#ny3st7lGR#a_mLs~5EKH77lcy6M$U{cWWcJ@Q$*DHykOMw5Q;pAH>~A_@{7*+_fZ3>va6Lg zg@l$MJogOkAd%cz8_g8{91VKT9n|o($E79C9wkEcRqqKlSn*c#lSOs(GDkFkM>%J_ zo>Lp+Gz5E^Thsb#023;c!9MoNQfPTn9%nOnO(wo~NcR51yFaQW>CRU8;?iEwmqh8# zzH9w9VyRe~U&WTWAM_>T0!=VY?$xOVLL2$cjBKB!acgm>e@$o9)GIp@oIRe)iY4)vDxa%I0~eRt=1I7!{K=N`LEQQv!HgUB8!WE58z8kF&affuobVpM2VaiEcfFOo-eIzl@L$#$_c7fZ{MP4)J{}t zZyyG%cZY)3d*BV+Z#TK^XH=UUC`m1+5rgiRy(l+9<#gu~{3lD^n&RXM)cBz5eyiNa zUQaKz-=K>t5?`;vsEfFRzO-(Ik}IqgMdzXuSd6CLXDop?zqj1|GA|D2514J>bT83% zVxQvB0|9{nxx^XgbgJ8f>VGh~2f5|VVud(aYL-WF$?)1!O`+Xpt8_|@jpc{L7-PJE z*pzC?unS!~pDU56a{EmD^2)(oC~`O{PyNgDncMBDFV$+MQWo3uB|1gf{9LP_u~}E0u`|v+8PCiRu9PfL@nh3{S{8=W`9$zd@lbCx^55}*dSgokE9|$u?KEL^O8RS8O z51ZP%Q9WLQ+NoCVq$Wpzld)*IL&hs};vl=4Z!Q73VU`A@I=aiVDz))NnugJnr#9(p z!?^8su0IXw$enZhHf7q-&Fu^lag-0|my%z04hJ{WJsDyt-|bdioJ?W+>iKR}#187Z zyuI=+#`sC;b~%QObcZMG(-1TSEUL>jRru>557<>v>H*1*aDpS0x&L*o6I!3{7T)os z{V3iy!JvUm{(JyG_URfULxfRWq4GN?LJ8IMOtCK|Icd%^L@()PiC`SlehwPO(b2jU zOx6RLtTBC6S)|l74Yy4VD*Lx|9i^u~c}Hy|Cr(&86yn_Z+i)di>dZMOtI^q;QXb zh`Y25D2(k)NS1-D1^N_x_g@MX&X1+u+L8eQ0c2$xMfT(Q-fxT9Z%k=dFaX>QB; z-Xkx%PK(o7RzMi?GYsblTh8_$&X zF4K~)-7KjGZaewMv1#p^gy;NN(z2OQ=I=Thj~&rcO%C-}7Ho5|AQ+f^j8#V1oNt=N zND|Gb2PtSQ-=D23q4mMFx83hfird$X(_BBlUcACuEn~4cBxQ8C-I@VF_pNQtju%#= z6_s+-*T;FI_ykr6Lm1KO2z2Jjvgb2p(^KJ&_SZUs|4>nHB>b4Pq@wdo`N10T9=rj5 z25t|_?oq{JX$)I1>Mmxwtp!!SIj()UD>hSN0AJc=mU~q)?gm4xVzm2c@gQH3z@+9} 
zB@v?eO=E7vxF_Y+uucsiK!wIcajfi1i?~#YU41F0WdI?3e~9I5KpWbMO)B@@$0H-Z zQmM#BhpDu6F-+#y8%S75#Cz7rNg-KzDj(+1g4Yx-vP8&{X>Cc{FRDp?IU+S{UTY0= z4pG4wr#Cb>5B5(H~jb{ z%BUTiUGsD*`~EP7l?o?aIpOp=dlx>AUGclaDSrqd=swfih3{0-Y;~d}Z29HMAfa|Y zF3CT#u6AD`z5f`ZE4AhAqkBfFG0MP;Zi{y@a=nZAhjHxPvDU`%ihUE+NdCMpVh2Ka zQf@UHOl>nnmj*~wlBQdl-)DZM9^qMc_Zz&QLIWUU34V)P^#I4nTr;XJwqXU!8$p=c z@6M-mTI@mSofUVeRWN_$*BdQh?PV$Kgj`gS6-he)S$1fQ2-0=e;#AtKP^mY}{M`q1 zEL8!u%?8%KON2KWMMa|P+Z?dKstn&_MxG)PNn~~6+-C=Nce}2AheiNUkF%I$FMEj=h*^bwODYcBUleOKatt&-k&Ela=@PFkJE_gaObs&%J zlASTl0VnypJL6dDk?wr$m!-cRV-0^U3iy=CDcU)Gs#LDxA?#9QrQXeSv5Z$NXKz@H zS61e;$+}uY;1pk)Y^!(C?1D?!!z^g!Mq&P*Rul&{utzkK%19f}x5Prk1Qaj50g7zX zHG2%JNssTdb~ZN&_0uV4{QgTf_pb;w%Hh@1wDPGv`C|yk4Wydhm7!Z*_rbT@NT#0U z(vD+nKQ&{fjM@R^k7~ol*|K%9Gj@O54+Al7gst;LZSU-2 z`AUUdv@3i90)^32yz7<~8hfI)i>a_Wi^nf&-CB}(Uk1DNn_<W(Y2bo)EjP`|j-iE2d7@lCk?a7PG*sWIbB&$Ht1oZ47;+}GjV zwNiWRE%$5BMS%F1DwD|))4MSd5ay>^w-+CYAN0hNcVq)1x1&?RYT@4gOp5%5)1_jL zOPuAJM`}-ZeMCvmaCCO68Bh>y0-UWnqPVb$cR(dGt!~|x-^z-JfH?aT7?K+Rb(K#l ze-!ya-u>O{>C(Gym%87XjfpAn&mFa6+r-e|iq{|M%USbtkA9SSsz$>7sy(b^OTiOX zneaH$)7|s=O;yEt>vJSk-g|Y!Q-<42bFOGBU#|gH^(QElL##robR5usx${aOl6bck z2(r518{FcCLMf4ue*4Pnh9HzZ$g+T6)70dCb5}_oiG$OV`^`zv6XdhMIrT#GQ8Mxs zW&>RWYTQ+Szwu1)f~=ydrpj>J)koGl5Vrq=76!Q~LK3v8Q7t8_DZq8y;o0KigNXvhFq>TQ-PUE%75cWaRl z_8f{m<97zb%Y{}_73w$dJ&D9WTq&EBguIIid{Sqi#}5fL5&PdUMHCM%NWAT8qtRv1PqO*Vy*h9&6=Rpaj0W4oiK;9lYUa z^N+6q-_1OKC-MK+rq3h!H%NDOz7 zyO@Rb>l68==jRHo)|9|4Na<6R=EK)`ueYCPo5a^YKBY0m>VZpV*AYM2bOb;j<(y1d zebEC^P(ckEAvi8+CR50*U*!>NI#GdW-P+)eT;erX|g z(J(aQpqp3Jn_V%s3m0p5>uFh+XLh$7SS#4?`p{oI4Tmh6?B(Tkg;Djql?J)* z?RvwTBVl}GBrnzFEKw2z>)1r%?vng25RS?*Idd^;jO|$B_EO=@M-^7aa}UAYd94Kr z6*VgbzTte_dtE-3Ld{8bIU|)*-BrPXtGTx1`2~u?;)+wpFu(ruaT-9uoJ+O7T+rfY zX4s{*I#7|p0`o}kWHru|tQ>bu2aFh5fou;m@}gX|ST3F06XK!AD2GOUxAW5|6kFie zw`zPzUT?ko3cu~`hV2PlZFy@IOO+;b1fl9@(ZnxT;%na9U)LRgo1sg4!gjBVdP(|A ztn^XcZ;Z>AEl($O&N8?#FXBc5H8l07^19jb(L=Uu|KA409EjY zuDU<^+U0iWMOf4H$q2}Gvcbag*fDZc&z=Ys8cwhXn+!be;0Pn#H3AOJIbUG#-V`u^ 
zN|;IAP;3L)7y4TwPeR$pQT@373{lzQ?YILJW=~SXHYTMI#b|!xl5Nud8yi?;=*8io z_FM9rh*s$k7rI8(2h7r$YGhrBk(k%0umdEHJJBnsF!|*G>nUjM;<^^>Ls&<-MJE_q zQ_gK7!Y0v&u8EepQhkE1JQdSErMt1?lBtNt==())l3;$CP*hUiA`gWJ&W;c9^GQtg zY=Yh+g#%W(GiIf=Rz&P!1$TB~T#0cIm2a}M_Nu10k!G1uHj!5p7jdtflyNk>nDyRx zOYq(^uHzYjcsQYhE5?VJE2I6~(&$RDl!82ztW~n3gM0nBxb??@PE@mw;StaC#pji2 z(zJlRXfTK}f}eXzdzdq-Ie?|R(H4T)nE~M#pb|`mnNo8PUmku%Dso!?L-Q3Vi zPk%bGoGEvArn_hpvTQl7Xju?HlK-QOSR!yFPkVxcHy-$j`-0;P0|>%@yw4Rq{!j#C zxCBdLw$?f=;H)s0Fh>D^Re&JKbp6fqrUTn6t8v|}#VH!?Sn16@tKF#|(|N*_KS<6* zB)CLx+m?Mf)R0`H_1n(x3U+x|zfAXvwG4etDcfMhv!xPp>yrgqhv`w~X@|RppWwrI zp^uO3TEs|m!-tQOB3%U|sSLt_9rjzwPODg#K&qYCe{w{uwGaY$e zUv`x5l2APe>KNtZPuIuaQp9j=O~@w7-oVXO^jp+?{;6ZpA-H>~_ohX|&=gNe^^R&N znLA>uQcL9OM|!ro;>~V$zO!uU;Q7JF2#cy(o1$dh?H~u7eeBSVgHM`u6FnHD@~!u< zL(g7JtUI8>l>43y%c=`AXxsRu$>~wvj$Hd#J^^gFH$$_h7m!)IH8?W0lEXFZML*l( z1d3v4`z7Ch!nDzZi`|vyPQ-pLacl59jsuT^z&bqF6tzX+E^PHS$c2F4+Kqj^)+iZS z6%Ik+%05E1hy*8zUOo02R{U1+>bKu8ltdq?w=gZfM}>$eE1vZ2?UnPJ=PL{0>O;g3 z%6ZRc+ATFe#UJ;!qKafYX#d2OLKtTdAMy})y)Ax{?5r|eazE9xW@Ji!R_H$oOOmZ1 zfDh_!J$R23%ems~o>n>rzpHq-ax{5D-)Ns_KjWf9ncrdaIY9FQDZm-6#BI)>PnA@3 zS-_RT>wD>5xcsL&Y+<(Z60Ehw(#U2dNo_ZmA90N?pBJgzwC=~I1j@TkxhFQi-OEi` zcCe)sDXz;Xi5$M9OKjLnK4XdVw#0Kb7#uoq7C)|TnVZVn*?3(j_e%8bp0yA>zNq<9 z7;Hr5r)JvGlPaZJ>W^>YSKHHr8T@TBX7K$H%o<*5jN6B*T>FRUEW@mbF)k0`{>G7696byB>=_huy%ad zS-SlrwuV7*fvuMk*#IB*D`JH5>^(Vb(BGF@YCV)jkbBIs=Qu4%N~h+ z(I9^vuWeQkX$Xjk04~;x+I|W1+}oqOdf1skYy{v(KOv>_0k~NCM1s==;U2rqgcYhn z8Q!IsL2xVNxL~`Ylz&nl<#R@#lRa_iAw;xQN z>XKiYUabtmEyVA9{REob7xV|OvEOe`hpk|Cu1}EY1c+ieE%B4DU}hT07~L|DT_cB_ zXV8|DzfM|)e3=?d8k|=_o>LntgBKOJ91&}kU{x^i?AL?cI9CC<2I!*(BMW6gv1RvO z4EW$t>-lc5bN0Xc(z=C5$F6OvKK<*E^51a`8>o0yM&;X&UJ?=#wc%)8O0_yfW^}q? 
z{nqF9&|&I{F{A`CA?nN5Va5J!4Z)fn(xI@0oyhacFVt~u0uHVf}|6Iu4gwkB*5 zxTN^x7G1|EU%QW^DS`(v)Lk`{TI=|_{1)ZOlbBA%3}j1NMFB5VEsy)Z+@b#`y35~h z^;7@BF_7&(?C9BEUXn4n+hdEt*XLQ&T2e^T1v*yBpA`g%wJwd@TZPEXmTF>rx_VJz zP5AN!8p;krJs!_OwUmqLi@t0rrZqVQWiFHLCfSV+q`S!}`_IxLX2pl!M7lqO{w|RI z_euFL?2JhBk9*s0=Pvtpc6LRQHZ%c2!bQ^JrA~8tD6k=_AOIjx*{%z7&+msr+B( z0ho%v|9FP~z%|P0#7R%r8>95}^+|(2QThFL^(`*o{(xr^QkW2|Mwehjn*l{Gz1OYh zLte8_Xh4IevO`9oZ}UU^9zBebY$a=?j!-G3Jvo$VjM#q3EU`v1@wb>-{9<|h*ss+8 z=bGw&c$%NMthB$gO+NHpivRdTRo$tyN=nks9xeZ2XezuTu0XNw^3@2rHd1?Kf&MRh z>0jx?e^Oii>kAfHh%(g{sZ+B*5r1-JdtN^}zJ zKS$!fz4$Q>Zv!ZHo2zyI5efz;3*c1b=K>9{|A*QB*IS*503PaUH`lNF-}5g%KpX&g zoWEDIoY*fAb*xgD=_X{3ohc_5Gs%NmR4^Avl47ivGi~ z&>eP;f)@HGL9!tLL?7Z;f`7a80&(w=2!!?j-v&9!)7fMVU6n@%uD7pGPR54j``6Fs zj2cl1C;t`pbSw)h_)mV>D**V2vq50SY`TH+Q;j|Kf|HAKcyu_%zBzqGRqH%a(Q550AFn0&U&yi7+lH;#5qnV8#NeR5ZSAn z9c87s`Sib;&i{|m4UPBbBbL(CMo)`(J&@|!>#JF;%}eTnRkKMENq-7bIH_*KM$@wJ zoKvyXNjtJdf1+N_Cn!-~%M2T+vZ`o@{s&9j#kY_BZB@JES*i9IKDimr5Nbkx2(>YK zT_jWknKk0Wg6laL;sIP~RI<2aZG?>?uJ(fYRh_ffau6D9xc`1l_6Yd1AhRN@p$cc3 zlh*Y2o}?&JnuPq!pP|sg7@?S$R&!1rA}1lm^B>V5W}Ar8la?ZYZw81hLQcrdc1mku zZ~Thk`Fz^#8Wcu3!xY1hkn-TL zA#JJ)xm!Ik+amulxoPwuZaBCJ_8$at9RaX}Qi`rad75Xa_5I{IipStbpS~_qXswMC zPViy#2baeM)UU;aSSp|Imgp{+;uG>4#O{ zP8Lg6)velQ|KM+Acyw?mHR@z;Sv?+te}(G(y%BfXN`0`mz}yCBDd`6zR0t`G*C#EU z@h92MR&;5K3n1er+mZ46eAyE-*g)_#8#PSj*W#(b3wLc(xYQTe9L{E?oDYcg&`<>E zC~Q4z+IUvw>(RW~ZA8(8mi1bI@L>V8YjDl#!*{1wfxw{}ebWQS$k{o-iUs>C<%9`c zRf&u5^RRAPD`g3#tN}XR*_+@vdx`&K)W<%Kk;15u(D_#B0zdSq5>^E+w~u|(#xdR! 
z>}0F8DPPeOFg*PtOnxV<1fA>>8VoJX1uqp%VSu&TQeHHh7flMx!SE0MtPTMj^C_VC zPk%NpA0y(6bz!UmKz=oQFmF~r=>u@nkLN6Jc2Trtw5+TmPH#0IT@Hz7n(c{e*4?S0 zu{eUiT)9%MA$G3N)?dHMxT=0XU93$6I*f>`wK$!^i%O)>1q8wZU67XR?NR>RxC)nD z@1QK<8ZCr~)4zfFl#=ZaG`CvBeZ;m|HMBa$ z1+s;W9z3}5`QU2(KDqO?wqn49jD&(B{4G9SK|@1gadGkHaX)j~_Y>4iy(IoLIb*yV zATdzN_t5wDHaRsN*6j|I1(xwopFdC9Q`j-q2LuGlnVC_~N_Kd89v)XJGdU)jVE?rN z1Nuo|i=70O&(tk$u2jhtvqI!wz6u@e(o!Rt8&9Vs*YUKD5T-zzw- zI$yI0jWnVQY3adFY`A29z&F?YpkE03Dc^vcGS|-obS`jtS$cI44;OO2O)GQrQR+ML z&6f33AIGoQV?`N>ay%MIy5~*>g|Bq(%YUr z2YbZa+~031co?{#{hL_?KwSTviL`{5IH1ke)K(X}&AKxrnnC5WKhLhHz6eX;tfLxM zHv#BDu+f(WPk1OTqA`?8inmGvs@>#X?jH5hDI;QU7**8XO(=TtAxukA3O*`|rNoiu zcnoabXK@Oo6t>HxFQO(S)cJMN=eZMB_{B1O2aMymC6i&4ETMSRo)LUYclmx{6~x;O z1&)c#XHVFF{Bk4kK|X)uG?4G^f2GRI|i4`(&7qh<&vY8C24 zpZ}=c6gc-e=6R7HiOm2l{!CrCZ-uj-IdkFol~{hID%pUN67UiPWiC)u-Q(D#!3~TI z<|*%C`8vk5|K6jql`sv2hsu6sVGYwd}Ij3-bNKi1{l9!zS6h)~i7 zE=d@Eg^z}3FxxTtb=#m$iigKn-F8wlJk!1TyvSZb1@-l7R-%?i_3w|lb*|4H)_|1p zy!|=Ds>v%*T-on4Y{BnB7^gvD04>uQ!msn&7k0tDwth($zV58`b^T_vF_MIG3~5Kr z>0a}GVz4mnBrSsBuVl0nQm7LdDgSOkCB=E=jMcwf|7K!nMGd5SlMD>ERAx2@xkHyk zOUWqKha%qTO22w2Du5EcafHI_k}pJk$ttYKP*E2GbJ*i<9j#gD--cO!vCrjGIMrzHT=j*`Bm`u$ozvA6|UXtcCkHpJDG%&?8GpZSLYPL1AKK zknK&08j3c}Qw9Nm)pw`$3%Txru?|@axRY0?xmZZMuAZxK@np=KmZ1ykA<-Q^j>zQ& z&O4bnI@?81QQU8+9Z5=}(-j#7eGGdqw9p6*9(uwa7I1Xq3&2I_>^=-KOeG*WMgtfa z)OjdcEuCu3S85848njnV2pdEB$Wa*_tU9FZYyaS#*#J^UTb}k3L1A&p zL}*dHA0Mn*~6xPGi`zp0_Ja6Fk je50b6aDvnD{6u#ac z-DXwBGuexvFE*dAsMCA=Lbx(Rg&$ui-4XaH1!t)R*i)Ww5ZgHS1#p5+rn|7-o`$LG zoKDp|uXhoN<=)#pU8#zg47S{Va=PD5^k;hTb-XBeB2wP|DXF(+=Y^}-*&(dDOiPlb z$0z6a6)L59eZ}VT9pku`IGU;t`!d|5+x=Os$tGL9dazh6Hx}?H5kRA|{BXND$Zj1n z;$}}Jl4|X;biW@@5gg~Z4qsw=UNkn{_yJ-y>^k%n+IFPWaQm6sS_Q})fp*3Z_)LVl z`}-rw{JVx2fop?q_lKicKaAz?tyWpV^pG-P-A(bY-wwK?00wVoaUT9+g{M0jyHWTT zeQxJ7jd~1DH--pQ+L-+(Q%S&=m?wxacNsNnu5rX>%y3WZbcSvU2UL@;(leam`Ar(H z!k`g}C2vT~T=ltyBG7v0JA7vH#g(t_>8I~b-zQSIm9TBGc+1Zh7F5u<-|*0wERueC 
zSuHh1b8W7ZE;m@shBi?wH=gsv5=rOW5vS+zRqbI6Wp^~Z2vWCSTR0wr|lQj*+3l<{=$#ec_nin)9>2%M%KQ?x9a%K@D>GNT~^K7Nr zv%T4#*}lVl%=NiK=iz+GgXJetw7SvC==&L`E{%@SXC?iB%~jBB&9p`r+(+doI2SwH zl)UFTKD=hX`B5=#tTF|ir?AB_z(_mCjCSSw~HVXKVWkGt)T>AxF6}~x(=H~Js@|L z%)iC!t>{bxCQNS2CF$lnh>9~-{ym5%bMFBh>rv3BfZ5O4gO~;^(2w+$CN6#LOJHq? z7-sxu2AcTcCLJG_!<4(v9Ym|Y!yi({&OlbZG)6kBH$#9Yz*CYGfG%> zg=&tSu(!QS0!73xKPm>SvR%R~?xs0Q!@WIEo^$k%b1Mco5#Pmikk%5>KeUzkopqwM zYE8jAAYg#W1kl=i;U~pV#RHtHW1~8 z{3?qbn^pFzxICG;^T<2%|K1;gTY>4)UkBFq8(i$tmAc>Epi`5@tXjc&Y^n*%u}$X! z;kuI9Y%AtaPJYgmB=?btw7ScF#DXU-GZ7qMtd7?@5Gy84c7$w#uEX-w@Pkf~4ZPw{r|14-GQ}_#po(r)r zF#WRG6tWTScn2*ZlHTUQ zU-v@pX;EzBAPi zE>w^6Jl~yWk0^X5x|#nYEr7%eiD|Pr!!0Lp#KP+k>C1xT@Sfqw377^{L?2B9S%>AN zIX?j)J>*HEl^da+Is7QDFVxwh6mRe4VptA3gA8I z>1`esW+E5%3JSvXAV=F>qfq?V8%-Tt?7ehj7-c@v&ehpEM%)x87(e3c+o-o%suQIc zLCD^dnk&sz2Lx@}NZFUFW@RdD*e9V9NYr?1ga}?p5+F#1PK#dVB31 zGja?cw!*_+Z2i_z9;duKvCC3B6o!gGC;7R+@nhr)PUwFc;y2tdbAigXW%6Q;si!OY zm%nQH$DQ|)l4S?(HS(Nj#$sGC9&mmA!9}tdGMsfo{2W&KeK4sBclsy!Wo@FVb0ft5 z$siZePmo?3Eg=-!XQv&VrKqU`S&90UQX<6~@dL9>x!ybcEfPz$RYgB50Of?(78Xup-4xM2>_L$6gK9+$%BtX2{fy0u2?&e=SvlEfF> zKjNv0jIi@mc#$m9%*~8!HtcL;sb;XO=8MBqA-| z?aC}}VFdBz%g3p!S3sqkbwApMIdlOD%p%Q4Ww4J2azIyzeAi+&g{GfMH<+>IZqzgn zi}Rm$6hdb7|tV-Sd-3GnJgYMd!#w)mIUDUpeaIVc^B2q`|{>4^lN04eylGOnpS9a0wX z{30y11Z!{6!T^;}#LGqFcsEmH&u-y%aX$wJ_G06jrsBTuTy5R48B`fk75L}9r8xpCCxmgROS&)Lb&x1;CO_G zYNpjm{uaNEtTFVdebsE}jK+lBiGJLybK91B7LF;;+6d~0iljDGcaY>M{XWFx@t3AG zGmnM~gvQeLE#S*HE-SGddK5{ed@IKOCKnc5bF#Y5`!*@bcN{XHeUw>{g)HSaX^tdU z%CPN!fF4hn-FqGwMG3d_B|XuiG0Iw7L3IwHQVN!AvNv^~MAsQ)i4fs_Wc*99Vu~w* z<;@#OU-I0wYWgKMt6d168RW|)YksxBxQeBS=BTj1Ngwxn3!m9!(irDO?ZbfmCwOvN zmUjQo=voqzdlZxu15)-c!Hd2#2-nbC3HA2b4DBOC<#<-xt>CTrdk87-MN}!UAu~sSLP~n=7_h&C2yM{ubb_ONUw0pG?`*z9X)y$Oyb6Ax#e=+DbC=ITOd+yZuE0!z z#~>tb!Qg&c;6mYK>3M6RHYTuFnVh8Ea(HgA+E`5x7^KfLjKqSjd2W#jExccKkc zcjbCpfX$PW^+^<-sMg7#;wP8gqb4Mz*b1lfYH^(FeY!J}oH@YmpJ-EOc5yl2w|PEo z><*)DFWO0^GYmzjIOVacspAd#UyXfbR9xG#E-t|#NFZ3_!GgOt?(PuWgFB78ySqEV 
z39iB265L&aJG{=m=bXFGc=x_{eyy=akF~nytXXqa)%R6R9M9qYd>&FP(D_nB9Q8S_ zzSkK;h4k~*K*X0-+pbR+d{Zz#7pk-`Iy>N=kND`RTh;!V$$X~@Iq)GOfnH8S4 z)}`hH^JFXuxxEmo&%Fs(qVD{kBc}OYt`p=F>#!6EWMg(plBZHLSUgczLQM|zRwKO! zL#GmV*{Ecj9_?awJ1^oeN^21M2M5Bcr{Q4T*D6mt|zl`#(A`es#)~ zSI?|@YkEK}j6x#@8NXF2+yykaguVAUDx02ymmM5&gh+EpGFd@l91_}W7gbp|**`Nzfj0#p4S2HAW!Vj-)s@Hw;TwvyBxKGFCm z2ga}oP4rAdzn5j3T0`AJRhou8ps}pgV}|QY3>!T+1?$2)f6szO?y+DeCz1JQiWZ#B zcBKDxKEC=1gWq>D;XKhu+>dn+%YfhnDLO&GNuS^5XQakXQ|k%kdD)v~eyI#R)lp%j zo5Hf#dh_>|NV}m+k}P9x%RmF=L>vi_?E^=un!J-mS}2Uxl-%2%_mo)<6f;|iNXb&V zfANvSt0p2wDc4p+aglkPdJYwaxr6sx^$e5%J*Jk+_8A2@OlUx0ZXSc3JwFdXm2Hlj zVzwi-bP&A*3C%PCuw22-UB|0VM2>xNsJ92D7%LBH^;KD0fd>PDZw5PEtwz=76%)@r*57vUJVa}C~X~8b&Lup4^HMfl}#|>TSIDQ9h~gq z&uTDfOFEz!ox`wGqlGe4X>S`et6=5KP$4qw4Ad}v{#_^XdaeJ8mOp6ozF*pHF)#M} zp|YZij|;A`{PDI<)YNmh=dJoQe-y!J&aBSm9C>~|6Sl)7Prh!sfIE>TX7;@@tEds_ zTQC!P)RN~KY3-NO&oEA55_ay?d9HFwNAeH$PzNs3JVw&B*;f+CVlg`8LwZ$~H+(rt z5;cw)oe)>SWdMSkQ(nui0Rhq*s^3kB3hmZ(>3u7VIQ^jB8vm&#SCJn}k__{~&h7I3 z*ac<0B6}DqP9X>#kO272E5AwFsE9c>+kmenS-b@$Km3b%ZysiPy`6t_an%JmL>+ed zMBcr!OvASR0FYzR%T8P8iS2ci0 zibL>ho%~+vjK|_tjaL!J@rtAr$2&V?NM2Q&38JMqm1CQfm23eNkXa`u`8 z=q%UIUN{Ug<{k%;3)5n-g-)ZUa57#Z2BT+&gsqf^WxhP}2i-G@LUA9&arqCG)S6l> z5oCS;s#1RE6wUQ^`dN`3qERBCrUN!qW+L0WLMi8&pcrWPS5)}{ro97{3ktav#wymV z-!s3gX1VUF=;ADiAfYc-6?iFh=hJSs_WMjDe@2eYRyC2$7r|eHA5M7P zpxoJCEGcS|P56|lv^z_wLiX4|d zG1~LhJp>cD#>?+e_&ILA-Q6*yVTo5#RuYc6Ky;>6)r!;e#|21ebpgPd#(CWnlKap& z?l(pozy6tdR2|#h`=q{i@YmILwzy+l%PbCVjHKsTG|yvSiv9!y^QJ0R9(UK{k=66* zBBF9aUkI9dIoYMmk8~NKwUAEx%=3NlW=SgZ{O_Xt!P#FUBU`&o3 z6UY4}ZB2Joi-znXFx{nYF2$4XE+i&W5F|>%Ne* zt0JkeAEi4Afz>ST`D#+&^F`xg66?DuFTqZX=8bd2@%^2?xCTzirx8uc0-6N@_Sa2x zKF7V3sq+QzDO3*iSeykE3AYLmqszfmkI6(Hdsp^DQvUc-qqG?(=(13x!>bqUTSay! 
z`3kNraB*U2_qRgo)*$Kz>};8S>8p)$I{I|)>UdUNgub@T^cyt_>#%s`JqCPgF~v?r z#CzEMr=M?Y45A#^4=sACNzSBI+>9zZp!4;h-pv`C5SRHW%cN5YEuAgmY-w@drdkP0 z45}i`nI-%=NLPp@wN{`#aze0r*W`2!PH=PA)KoG9e(X{%R8y16{JhpwcsdkU#A{Kk zmcxL_@oNNSZlS0hv%s$0jCy+^xMQ_LA%t~Ayw-!XifL_R7O~x!Khjm6%^9Y>JA53c z;=}Do21r1`ClfK}lAa}rJ5s{f9iYd-Ta*etdcUn4G>7S&yPp3{tglvnWyvFmxX2po zM|nTT-*a7Rklgq{P^85iuq!vjsyl`?`o2DlCL&vHh|tw!$L-}pHkR!a2VN;+W@u4U zZtD&}kcLsI@S8|<1B!uuB4I&uBAyA`wB~F6LMn5?WO?_GRbWz~CLlq}fgri7OM&%N zm>W61pu&sXrUc@;Of4;`y)LZ8F2NoGL#I3^NKi{=O~n% ze4HjeR_#{w{No%id0r66QlEZ@Ds&7KzhnKRmR0y+!I`*vN1)jt9lDGHmqcIh(or=F z+$q#9N(Vd9?4x2Y!1s0YT6~e`hw64E!yehqPtqz%wla#l4(ru7NQ_W&VQs`0<~VRx z3o|IIGZI6cmdS%EKYncfQ2w>3Q2jkZ*Xrw5hF`IviIOw}*{h%y>A3!N<>N}>OJ;o8 zuXyY?jMs~uI$-?h(l=nM$EWN$$w?FpTXJA)hPTK3=3T&Eu}-Fuxr~bXjJLZwX(NzO zVq^E^FaU($RcEfjBvg>=UzGkcwjVD_SU+&I`(K)9hf_ip$cEYJ! zWB#@WhM$faK(mfeLkWb!cdmx&ie`Vu8k zIQYC07t;A)a71;%?yGen?nM!+x=AkB)RP#!B1q^yHQg(uZhgX3dQY-Qu0jdBXj&(5 zjP&R@v%Z9#)b`V&vevowTu^qIs#of!b}Ot;AY*UAdv56n-PY#=po*SZoU^pRcuknv zz<@9R)AOV0vAa3(K8kVj=S`>DIRpwNRQp1^Q=~L6hy6twvq=Y5w)@P_cV+{tR}E98 zI9mO4#LK18<)16XXTLTSWIdAwHMQZ^v3r&7H0vzOlUl!P9&<1*wV&3(xim74GDqc} z(_!8c=CLT5+N#1`5~NRIQQbUPS6D)niYQJ7RS1SGmf&QSX`~*KC8(}pL|F}VeXvkB zw^&Q8nA34?NUhwAjD5s?=ywelNZB!&oDY>C@e$#k%VZ&meq|R9sm^&`9ZL7KrkWoADrXLZj05i*&L$aUX`s>U6i=)gk=0 z#g~jo$C#uhF-)Ap87-hq`ZC-#0BDP-X&$l~z$>)YG&h{GL{{J+>n$>`Lta{^y^Jg4 zA;kQWtXukFR-PGqf6@JOVma%%7mqZODJy@KXIILDU5dvpg1~i$sBkeoeTLc4^w*eq z{I_!Z4^c~w76Y&cEY|hQ>_drJ3?wovt6mNSc+BJg$*erE#T)faNMVU~b=0`q(uhpx zv-F(vOU_PUPQOQtTP@X8ALo*`m?rxCE0iT15#+?b;}tWB{z!JM@@%Lb1~49(i>0#R zx2q0lh#h(+xA^=hrc2wgA=Vvx*` z5wq3oO{4`-o_E@LmKnR8{hTiNI@^f3H<3*ygAgA)Daa~9W%bTkJYSMswb^YNkdlA5 z{ss~GHt80`Yd^eU0Ao=!JkxBepDQmqgW>x8R=Igql+UaxN%r=c9H^!WD}BksV)O&q zZ7N6HkL87WlHS8io8 zcnc}u^hx}m^oeM0ZZ3qdf)#DQm>iF*Ba5X{qu!!c*w=*yE>;`Mb(m7}7DOGRQRyyv zYzt8ea>`F^4aZZc613{{J4Vx40k>PQEw_d%N z^aLTqTld6N_acJX)i;I`46`DH9lhTI?K~vNI8^WbU=bORYSlk!8eBDsDmG9lcvk!v(7dn$RIdS%2~+f(gTDoe$~4pWO<676O}QD!{Qh73u`Ibfy; 
zja9v2EK!)Urcn?X(qYX#2r0%l^k17{=~x}|LjgSbP8Z&PJgDHdkx+g5$=V)T7)so= z+Q_FG>1y7$MB3yaS7E6Nd!?L&m6ei%sRnQOm9QqWIF~*6wHtr8y&MwY?tlKs2%|R( z?!~1uYKg|q{A+&WaTCB}!Fm|;yr*3IDb41+DUSY0&~mib&#*t=)yA{asa8vG5G7nlJS2R628o2RjP zooEZGnAyC*$qF#Il1c(>eN->h_f}G_Z;1Uw1AdlAJPh&Fm6_|UEWaDlh#1kU%l-{C zj3``kOs2MZ0{~{{uwEKSe*s_HpL3oF-^tkow0Cs^9o;fcKF}g)DkjKKs?7t_)Z%8w zu=43`z0Mj7k!KtGz4&#*aIWIuz4Lj?vBo_|3}u)1Z_TP%IS`?Q0AF{XRk<*SX&XY> zn3eHuw5AA(q9_xKS{)6 z)`kU}he=G#i1YEv;cBCdNj{=7@fF+hZAiE?+56F=2+ZrCkKQAVi;GJO@-D;o*JpbM zf-BuaQ<|G71E`!i_bISI7#J7;Zd%$=u3x7QX0ydT9nkQ?BJIJ+^jf{pXvlshqsgt~ zHA%7d4A8-7p6|~N)`|In{t>L@Lw9Q8tPw3diW$5!|`)%Mfds}3cr1mpv7$MYgEuVpX&g#uvE-o*_Cj2WPi zIvmjb4r^fakC&%YzO}ekbb80ubyn?Lh@oof?f!k5e0rpEc5%YU%GpR8n-2R;sNxLE z0$+m#wN)2JZC^Fy<{;ox@i`|fZTVng5=;@7S@$R-kglQPs-h3)%`OzQfrUXK6I_*6 zC|5oIt&Pb9IkH@h2ZuE+rOmd{RFj#2I>NQIa936DzNqeq&JcQS@8<`Jm9_ z_W}v#0vh=f77P6!t1kl7=U148^q>i$fCy`J0-M{QEFRtLI(0{QY27h#G4gncPi@WI zbExs6F-F;@Hkk7JbY+Rh92kjdEN3uXuL&f`jdv1IHDXv9_cUTQeU%g~vnx?>$vPQq zCzf0Yd;XE{_8}eZtB0(9qx=D~)R+k?NY&6n>Grp>=MIZnadgiLz7FP_$uw zQ?Vn|TGUwO60?Yf2Jhc?nxtQtlY|Y0w_w{S0j7HsFKV$g@??284CyQ>|6(>DYAvjzj<#P1zlXw|E5UR!sbRr#{{vkHwtM7Y)*FW)7(7T=YE z{49#pslYI*eA0m0CC_$Pq_+cWrPc%1!EeHoo3NU`^!W;2n(Cbw_fxHd;9@9ZZ;hGk zuI<}bA`I=TJrHfR-`bm)02{v4v`T7yCb!A@iCP*l6ESg^pp4kM5nB>CZD-|yqLYo$ zf{u{M>8(TR2KK*6BR^cJRIz8Ir6JauPs}%CI+j#{5A|E(GiQOV0DkFSKJd=U2Q9lu zEs%*vf7&$5@l;DINcQQ{xu53-X{9G7{3j zPW`hD!pmq4<7N8Equ_?}aQAYy%drOuTc;hx<7bw&Kd9{27oZIiH{)PR8lTzdl%6L> zsx^wBT!I_rD*u@PVU^d-Mx>NuG%$1A!xvojp@9b z8^HpU(M{vBgDH{bo&$}F&1QOY=|@daCb~Dw?DGV%F~#VTW1<_PDq$UjoW>A}(<-o! 
z69pF#{J`w|#7)l2IshNGInqC#`l-)5A$CD_q>b=XrDzR)a-oSv`}4!QD`i7>#pofU z-;S)3hdNWVpI5lvjk(iEt^BGvhu75_AaBrumIgC34ESS1D|6*Uau0rrAsju%me!DO zm*!8GvTjf+=p|A$6to8zRut-LBwW}&SaBEHh?*UgntYhvM$7|AdiQRLj|C?lzW6=I z#U<9{Y%TDX((+O3YJe@vr0J<(VJAV$@wq8qlUsA_!{Ga^@mVhEYLR0J=cGzEjCh|c zsI|qYz|iAhME@zqCVF6$27+eJjpMYJ@?ya#S5YQ@ENcU`Sv925x2O|fNzsiW9Yx_Q zT^Q_Om5?aw=!MgD`Pf|!wY~V6#DYibQ+tJ!#MVC4ct@O?)rdf zpky(G*t>A2pnK!#OnD*)j|+1LR+5YPo$Qe+leeop08%YiWgQFPQ(O(%Zc1U7=m+nad^e3wJTDPdt%%9!2NGQ)kuNkxOht znCvt5a3#;vI!&lUdPcRV|KZSPU*kfQ5$9mD)uJ5ldWY>H3IT`pTxFYjO-9oF>9TIs z7*O>4`m_6FH>A`rpWAaRgG(U^esW20SpyQ5zNc>BZcVjr>xd9P^B)uXV@c@*jee`3+@Hhv<{ zckfZESM`$FGWQGIQ4(@VGSFlEh`}?F*y{p@xM;)q8(Ly=e82c$^kboeN})O1r{BVP z5P_Fr{Yt@|p;AaICRd!V&(W~?k?Mjl8u%`LQxj;RSI+^*y3cMw4Xv_;abdzUXG%|{ zfH%g5T)poto$VRcoi;;(1Q;mTpmM{ds!RSkI`Qc+0n*(;#C*(|#4v(JWIA@o@T7U` zj;0!tero-_nsdLe>oG1$NZaiN>1|d1tQ}AUu2_c_RCLSkxXfdlc090F5$8TP=IN+rcj&DjnCm>x3+Rt}<(o>h*&fKc{K? zK#O%LFW#@e#S;I#^Wre)tk*r_D1S`Bgpxjs8~k<*{hQ$BEjn?PNGz#H_u}M@Es+!w zs#q7xK~7Oq;24@*&MVg=Lq?tomq9PBf-nC#ZxXoe3Q}Di1=e3>obK{~u?%u$P zNiM97=IisZJeS61t^7Lw=M6mzQZB?s;@5MZH^&SCQc|Jm-h!r~u9W0petsBm5@L!;?0&77;+9_Wv@#>!pE0$vd0V9|su5j~kU&*99t!BW zWpmguI#Nbu`KN_2Adp1$IM4tT;-gXbBV;$C@U{DG!WfrFiEHJ(_27PsCYOJl9r@jk zj9VGj!n_&x8n>WUcB&&)|E{W9!$&`_L(~grzQEjSlPissZh|Yu+a`J8gRwE@XuiST z_{T*^D12wk(>>ys0=4Bu;x}FMGKHeoRU$BcyO96tU**`Z__9m5CXtzJnxi5f@lAd5 zoeWf|Op}}Fvg-Y=RQLqBlruWh!uU;$5LeEC{*$P(Tvx0(;bVZ*(+y~v+~U4JQj0-` zO>F@_C-`>2fi~KxG4{jIw_E6WMX8^d%S8E49n=$&qo^(u>N5>c#X1)D1B{*Y8qa+? zb%A$YD-_k`7$#;XJlX+Ya}JtPDL(hwXo(`4nB&VQ`*v>c=Jqjdpq{!omuiYGS(C?g zZ`<}6{QKsUTnaP;GK$ykJI0ETUPQ6W1p0Jiaa33bm-xCy@5W16TpY7Y6d zjD9QQ>(t+`d+eot>gIm7NRa?w1@BQVTA9u|6Xd1V)A6?Ju}ls`gE`sit?0i92I(w$ zcp@5S1HQgAaP3zey36k2Rfu}Lc92!iv`44kMva2?-JRsu-4G)Xw+8*&!GxGfS`m6! 
zlbM-W^!C~R51vm}4*>Sh-IB{mDXM8mX+|g8@8vzj08GD2Wh88+^Rbv^< zxIKbiJPzhGJ#cd+EJI|TUpgLa@tC%l;wBSne0>EsmxG?$cv)QNydHnC-dpT``st@7 z3w$@d#nb^$|Mc}kELZo@Nc{nUEakz<{KbX{T5s~{@|VYbeL--eQyA35yY%Am4J_6W zw@F{feCqjnj~jf~dFqRXP+sTqLQV142|dsa8~AWp{1o|u3UVvF;u)p;J%Yo#92u%= z?K^@Mm*rC_kU^>9#S0qkM){8@(T^6fgg?#RR#lii@Jf$8PYhf+dB_xMFi0GG8#Ohko&Z8;kz}3la0L6PzqbTLI>~d=G61S4yBXzT*gI-iwtiysg(BS687O2MHRNISdKFn%Hb*?iw)*nMo6TV=FPN_#qU11zG3~u z@J1!Zj#Ke+h@h5DXCf8hS6`x90m1tq7ZR%LGG(s8UHW@VM09TOn3qp|jXy4UvT8p? z3H7ljXd<8!SAQrKXh3~wlJxfOowCiSeIx&fhAAWpOuFMc7c@WSVLc{u*jgdh4`rPZ zMkc=L2w=~eAH{_j=lk*ON!#7n+&U+u6>97fOWr;U+Dff=rLde&3b#}3r1SAXG}&hX zE|g}71>9vFv_&s9hH-U52Zq)HIs#SAp0$_P;qwaAxnpSpqiPrH9at3NjeRtg0DK5@ z173yle7;)t0^xf1948P$G4x7%kl_u1`X~nSRZt$;5)&`1LLUh`c~k2@j+DuHon;}v zqIsbvf2&B;z^};T%Tbu1m#lWojWwuE;pyZ0_-y$3E>K0;BPB0I{|uRe#t{uNmcScJu13s#UdP#`kxKY-vU#4u$Ik z=}(naMFR@b5(S?cMl}E8WPT$P){6OB-K^@Cxkwz8vVbzw{D|`Lb zj8-g@hOAdwtF5C_SjYo!++_eP9(!^jI_Yz`x}YAVWh^LG@iQ*+8%hd7!VPP^J9~j2 zT3jTHK~~0*-ep$hgCk|S-7Dl6Fr&lNZoX~9PUo+Q8ImBssY7Z(p)_7E8Si^CZQ zTWx%1Jhdbz7_jUmODSV9@w4rmm}#Fut3d;dByu)c|AGRSfGz-oSzRqA+z$s*3Ll_H z8MT|0pgt*6kLkX`W5=hf--H_|N z8!ldI|KkEf+`JEA-^7GUd;Dll31Iqu`D23lU(nLu5wA7OT52#R3U>r2vWujCwIU?q z?m}6JvUz#1rP}8y#_%_r+iNCYuNV9C%WM5k*|yx)2sa(eefnHfexmCFkPYh>ysf4H z7id~wU<;gBZ5oBimBs))KE$>w-l-cGGOh^eXSSjZxkeFNS`Wmeypj|J%_-@$P$uYE zRIK~A_$34d%ZycRL;e=ofp}2Nhn2#dSu3?wdR=ad4G2`y2=NmHO6`&%KU-OKF~flkSKTh*+3RwSdsH9V5%owyoaK*V^FD5?<|8e0Xj`|w#fEtq*; zkbZl`W7w|nwtWV|t%QDspSTP7Hm3E8DZ!Ga)UF2`?&C>3)^g#yhdhIhiq|E=I}0a} zxp=WObYiGD;*DT_VtKA_Rb6p7pz0b;!xf2?w1|c~KDZiE`1FPKA^b%?ZKYOi{C?s3 zv4s~Lhp9yS2C=8*r5>WWp!LfTtSSsi1@M$fWy4+61XVw{?}cSdb=lqu)k;NVb4dMJbWTx(A@md&=z z718(oS25u+`r)4O^ZkXLQH|cnRyFKXRkEr;71WGcZjdfLMnn&>kB-TBEjUqYsj6(T z;tP4#?KmlbR-mx#AIh$k%kCll^ab%aNuUabdGvs8&*AB23bcs%Nq(!cLk;&%qXHCd z1j7IibKw5r;=qoTg&Y0#>e7dVmsN$gWMWaQ7>Xk|`50cg1S*Xwu_)i{=41TBV!@BO z{n-)``Ak=f&LVd~obs!VVdXCuhKtUa?k)l@&v@4NAZXr)9WZPxyC9Y+B4J)|%_z~@ 
z;k#r!aryH%#%HTrj&PUcmAymdk}qSaC9pkWCL{A#GT%Yjii13h>@DiBe37AWzt*J6<$U=@k~I{WVX`j_pSi<5?&Afc zX}-Xaf2@E(k)ToZfr`Yj2Mhh?-Z0GE&cmQ+Op{hG*nG}hfw5CNjx$lTd7p?TJJ0msac;mDpFtFFxQAxBcN6ik`$BjJvlwUC$FfAe~QOuPqMm7Sb-?c zKDV?tKH5WR5fF%d!{spN+Pki(s00-o#*8WL;7=lcEy@-9cxr_1{x-Nl2#C_wk|-Xy z0W;VAFHgur3CJyW59wy0q|7s39cEPp0N>-;9Z7(>#VIn07&O4tUE(ze*eoc3$RQj1U+zV`6e{R<6SPTo`1=R4`ZO>Dw%wo~Zth5{x^0`MeC{> z7gA1M@$?N}bx5&nMsIP~N%2u<7SE#1!}Bxm0m#wTd_9k^;p@CuEcg_~*JVb!?nFYGXQTcO03x-Fa%3iaqtgUSVr0x4L*lttvJErp@_qi~Xsh zMo!St4~vA79S1krQxF*w6jaJ(e{ygCGX!5bFo9~O+~g*d-g0|Zo*yG8I10Z9g|BGf zlzzFX_b`EK)y3dPB;yoax-osXZgEcl+;?gJrOv^x1Y0m*;;qmI)wR7iaXh8DX~W`p z$8XTWJ9tzgL4nYx6-yVj+sc`GPRluJMaHzC)48(x&q&gy2(&ZVM>D_9EPdb2^3H&Z zFrS@-Q0i^I@z^()Dj!F%2G|~gkQ%J#-?h3N!%>J1d~=wWq80^20j>B)N5^L)7t3?D z|8f(-MOL;jPAJ=kaX(tTioV+nE=~7^FdT_4XbN!0h{?v0=86N#MZ7pqWJj^nwF}dW z#IO9LrUN%Dm`NonZY3-c<6@i)$(Zmr@+naQ$DR!_#7$9d#27=-E&}Q`)|5iq@b2g! zOQ8)%!?mdFYsf>Zi}I7-#WuZ9|5lf)PcK*pql77>A4@TFJc^rkQU`2?&C(}1kh8(S zr&2v4NH?wp>P9SL!?s3}<&HL==PIR8$yC~(3hfghEUb`Ek^U-h)O@d&Qrcx8jeIsk zKhkR@>v%%GX5 zG@T96gH@Yx80HVcw~~Ncj7QMdwa;(vm}-lB((e4Q=S!{1$P_ z?7Kcfg$o&OZtia(+!)5gd+X!)CQ_lOt|)2)`5J8C!^5_ZNY66{DxW>iBG*p&nxyj{ zUOGo5hQxEawEfyo?Sdz*4n0Sjzv#pN(DvUiElTJ=Yo)c;V?sk)NK(e|wQ*tgxUI=I zrH6hHJ{X)52l5U7@?YVO*G3R6Z8V`__hUnl)xw*4V0xSYI6IIw1t5@Rh?+_%l!?!* z}mvP`H;U}>GZ=~4hpwz@!^oG3=N_} zfL4&`$Bq?@LV%#Q6|fR%9vfbkvidx&1*-^hL zzPiIxrRA8GF)}=uA=f96mvM5#o*qiKDk)wC2^a!}hKe(p(Y{oFqB-zU|xV*$Mh?jBdw-I1JF!=SJd>BCw>3U z;f?`IOEqk8hGb1*5$4-z6Rvxq2VOyz;2^uva`xi4dEOx4FRX)P_t zp4ZZ{U9>j&VzM%m*58F{HqiYyO#e*#C6Rm)VyQ2rKaqnv_tH*{D!j&Itr_}@CHb%H z#6O^@e_ZVB(OXW!stg8tO-AHzUb zC;oFTN-3c_o7)i-w_SZ9WA^T&zuX|gNGq^vq~BpvB8X_+VzKQL>Y+W33er}kf3|1( z?@9dkDgCSFGo^#3cWg|?eCHgkr-yXQu@;@mhW}&@-@BO`*{{D6>UR_Z z6k*dUGaW>oLIN#;Bts+pH!F#HBns3RGeADf- zXkm~K1enSf@gN?}CG3}ks5M^TbZ*=HS*x=O{;uJF7p{~M%wXwPvyf!Ul$7#^L&5hY z#?%SVDMNCC51j(Y(gPYx8F7JAxN4{meZu~<4Xe<(v&XSJBk&zvG16C_@1z623tcvd zDuJV^ceiv9HHoJT?#B#JX{;F<)9|XQUcZMP{tJ*7JOy-LDV}b*AI_=8e?xa@e<3Lp 
z6#$pFQ4=;NVh7ON(e0dQAbc|-O3-@8{PEv~{QKR;7D=uZ9xg2tK5hx<>y0ppFAQ#& ztrNlT2+II|;7Jrt$tiB8T2J-^Zt7Uwou9}*e9TC}4&m+%*u8G^sgz83T?_AyBYfB3 ze`@;gfAE(n_&o-9N9!WyON03mxP?|J9X}Reg=#xFgqO6bDVkz9?H{-NHee8P{(F~cVgd--XPperTE7E89|3p~-eRcm2ciq@A;Ow0GGdj3v?r(gObFK3L8YJAmw$A^TM*hep4GoryA?m5W!}#B} z-2eT#jd1bqVat(5Ow|EX}Fp&EVP-uJaaKtPm80)E`1)Kd`-S#e|xXJ*1O*I z?#-1S4_dEWuC#pKym>2ae%O0>-n^yT=FMC9^ou3n8@6jL8hp%$9k%{{USZ3|_uzlR zJdfLW+1bqlXU+R!-lF+R^A^ia0skQLm8Xxb=5L+1aPs>F^X6Uhoww-YIS0X~?7!c@ zKiM@OJ{R7c|M6__-OUA4XD{7$bK%tS!l$y!crP}R!N;<*KRCkX&0D`&_HVw;;crLg z&D%ZCX76`L!{!f>R^%60J6cNk57*f`MfmKy^|k2biQgWW6r29MB!BGtANv;XJGuzk z_M>{*J@yhS!?hmQZ?3+5Sns>-9RKhK-LV9^(=|MH+={_>3A zpJAz2XE_J_q&z=ja6VreDaM!=-fcX8aSsycJHhZpj$Jd?roaZh+7U?QZ6DW7gjBh{`bB%n1H(El=>fz zKJAjNEKW%+Q?-EOlT*tIsX1x}u#Ox?pc7?w8zNJtED;t8H2+)BC~4f z%{WH_yA7FYI@ksyM1hZ8kO_SQZ;J?Knx28T3)b4wi=J=Y>caJ;=MRqeV{sW{{Z)ST zxQq}Lwf|KQL-#ll?)3zG*Ep+l+2H0rsFY-lR1NsU5v{RQ5A@7=Y#&4?lQUuzkimPF=G?&ke7^%O8Pap3OEU{pvRlbzw>QvqhA<>tEi>h!E;z&GN9_YM>V( zOs~zegzfF+ATYfqLfNxDY~l-_qr4y!t=UHPK8V_R?e2qNCsCDoMWX*bz?;|4EZd6-FVS|>+8%m z1PI)oi393`6FvWnVaWe5z^b8s zUIU;oP~%J2)AanMNKzjFbi`%n6#(RWu zjgJJ>WS-8LB@%+4A~lOc;76IXK9_5=oj8Y1=FrJ3yuuv7oddXY0Qavk+`nj!6kFhb zRMj;2w5BC-;x`Pdh0VZNH3+@q$rA*Q8?=(XTtw(EKi-sf^Eowz?!2^0 z4H88R)KHwQim?0V2G`~OB$cGdsxZPgvt(nt=PEmMm7Q5&@LX|lt~fXg*Eg3V{p;mO z?pn%8)(IOOn_4R%?^rc3k)UYJh{W-qrpEb1(qon*1%bPH%Ny&Cv8sOuiOqiv^T3u0aO#IhGx6dnp6?QgrA77`i!@2#bJbLzLhl_UONSHC%R-7^n<_xx~7#n>hU zC6n5Ui2s@2`cG5id?M-TRulsk!_oLYq_nU#{@+ek{GY`+o(pxg+5WmXd4Ut$n&zrYE}wNJ#+)j4 zPFVf-FnCT_J*Ul|O-(SDBmL{;NS#eqwCn2DC{9^{oIuFjh>-X#szr4Cv(z}BN_txQ zF(7c4+KgQfi4OcXUrIF#<{<@x#b&|i#k1F6+@oRv7*e%}czEB7l(q5SZ}HS@^v&n% z$pTB{R3K5~6{Lf+OSb35)_v7kZMKac%r4wFo3?vy&CcAiuUTO5zi8sy`w-HeHnT3S zfxJ8;oSxdeSi!m2ym!9b@fL`1h&I}8@7A)Dn#5bwH?^$P_rJVFyK&@Tm*~b#8eDGj#A3GvXcF(f^iJ?#0a}-qCz43`7(^AP zNh=v%OH~mX6%5X-7ToCz*8SP16+B%1@gWV)3mBPja`4*=3c9(69GPj_E1Ud^>O#3N zYP?Ax^QV}!C`Q$J+xURT?v7j-<99WAfLz`dK8f|Qud(u(DyJ1CJ=ipotHF939 
zXYjrYa$2s{U<1|%hQIR9y)ae0qOS?-e4<+69L0XtOk#$j@h*uDZqZ}Gcq4+({ub`~ z;=`b2UuyoCmMj`mTx|XK1hrVuRTZ7$DK);dA++(J? zEw<*{krb@Cm!>7natTIAV!0Mp5Bz~ACBol-b8yQf`6%4_BeOJW{E1q<`ADo>kI1rZ zqeaBIaPgoU25C@jI1Sxnhril6mMGY$QcU*7-s2o0;35mj{~|?DR93wt)QATh;gz zziODDglW)}$s-r>a7006M)Ksy#YQVsN+t%Akujq=&0-cpYFEa2q9z#$CWR1&g|%B| zsHb9`1$q9qKblT2MWwIX$*ScVQ*0a|%<>)^K^DK(+x1H=nPefhVC_~!Sres@W0D_* z2^OT&zngLP4SB#$>g1U^>8v}o69W$}wQ7Am`9eR$a?lT=ih>1B z$0T>dr-m6^Iid;nmS9cqEfITbaf_u?lq=e}>zq&3z#k7Twrtxtd52D$o1&Fkh~@!G zd1ecDW<73fDrkgvcYxp2qEP=^4YH|#$I_B&4h7Z==sM1^&nJuK?p>32XtHiVVFFY? zsiSLOv&x0fpX&LB;sxGW;q+i&6;M+!kx+hxRbHJLzf6upto)j-h~_5BLk_w?6wjUM z)$KK4-RTf(-r$td<4f(cj}|NVL$q?iVM1ncGD&z16hjF%V0S$V>_b3Vz^hpPJf$cIf#47IMk9`swyZE4` zc+{?1=9GGG-2V9H3ilB01C&a6M6SWqQx<)Z5d{_iYf!RItohjH-aBh{QsWGaDb$~& zIZT_f?JG9P49Rz~tkYDI{=*k;KWG+^$V52>D(=knnQTz+)5QanhZ82ur*7{LOwF(P z3pBDpkH0|Y9osu&lG8qA>cBk=O#HX#A9l}N_sPJ2G{k@Aof?iAZ$oZ0ExnN)5dEA2 zXN+^*)O*Ec|ENXV%iUvOAUk*j^J~!C~CU{*l9owH#F$|0_RwS;XHEQWZ)gW zy{ssEvw?S=q-iPa0=V$+ZcyVA4pvFl=scgja7bO@?~=pmZ_BYW8sxqEA6xaOqdIBA zoo8Z2>FHw?+S?4gb)=8JxD)=*d*MI#7%Ps9Jm4KmFB#8Q743>F@FD)P(!1xfmP0_T{}EjpNBvKKhdYFjMDq_Xbln zGa&9Sf1J8)u|04%!bO9nvo~G)=Ao*x_%*Xl`b9h&&h~zdmB031tf_`|P9oU}kHT<(N-f7kQ z05kC**`)UE%Jggp%)}dP9O;c)0=(dey+w#7L0UkWD4?lH*=os90Sa36AQ}GoZT({# ze4Tzfw0GvNdzPCsgOKTxNSz{#WP(;+6g~W#ux$92M8cBBnDTpI#2tZkV;#o`x6R@0 zb|yN|NFouHTtAxIoK6wZcRkd@a!TsPnACE$ zD_h)^Rdjy?Av}fwkMVBbK;qgsf4(PF=vTm2uQ$$&a%|?}{V*yUi4e7D95Cc`pzA}b znAL+@POu+ok1^pGp}zc^B_|<{S!TkavSd9eM~@|! 
zH!33q(M2(ujc>+O`IT5#myVF>;gcQoE?Nw5_OkCyB;}LvkZh|DYs*H$%`^``(52`0ix>W9p`t&4yxwR55gvB-XV1XPn86jaHT$`|o zS^ZQPgaI?=nhzX8o{)iD8bvZpL1`6Mp5m6=)rg3vW;&EQ#|UW61kkn6gIW})aFFT1 z1r19f#R4(cQp!!%8~;VG^EJU4hCkd<+)kY@7uLYJ;5L3C{jDrF1p@!!AXzG@;Bu~w z12W`bs&k>Vnot)Q-kwf=NVJ7-)T7im)~~2AzY6!oF-N!7dk)J*^)56i(iD!{OGoYD z)!Ak)R9@BHmzN;txb@)-GfGwMz)wZHHs#?L zi_TA5jqD%|?5UIUH=5@AodF{vrJ?Dd_v?FR;xkKKTkpenYLbs!CCpe`=e<)~k zdKeIR6`_uqlov4I4dJFXBcyx;v{6cPlh9UC$F5wm6uoV}<|gW+0VkDjACTb24{<}A z#=KKkbIcmc_f|1r>1&WLxJg8<(psR-Yu;a0V!RE(WW)rv@6~R_u;Zc5G5wcf?%jY- zjNi|mxKDe$La!&Tj-~^3tY<{lGY+uPL3rMB z{Csl(nq2LhB6(^rddj&1ym|^ORG8b7bb_ow3mPsb1VT>n1+56lUEjWi`Qn$Z!9_DdlWC(x(Xz*m(W*lMdf+;-cey4Y6)+< z=6WvAu4$sWbt1p@L=4p=Cda63fIBw+FwY`DK%$6AW`>%BVWucEHEFM$#65iANOqb% z;zWqCWAkDrEL#|Lf>5QUw{1|`2o*JYq}>oqy!xSbsI(dNYLqmHRfuj=&_M{25#g7% zc(xo#YxgXYf*EkiG-~|pDiUpiriT!yq}>R=&TX|sXyW^Vt^fEuKxCx+Y_`oF_rh^z zIwq{C9Ip7_Thp!D^%o|J4?_~Th2;Ak>Gz`I{K9Wo)Pm&Q1pYV)87oFg$B}sMB(o8` zlzeN?C1Xr7qUY?BmFY-7o%kXS`z|9ZlIfM7!ELt`x7$`dC?(e&U($p8tT}DO^d6=lFoG5f?0WQuKWjT>!+3n127h8)fJ0>QA6?$VJO{4@G)v-CJ zr)s2G#B16nZ_s%aV#IQXQ!vTUvDk`BF!X=ESSc zFEQU=$ib|T!2#C5S1nUnvuuJj+>q@l6_#?RJos!sb;JzAH5)8S_YfTKekCfP=$v4l zi|Wn<(#6l{3*P?2^gG#r?=hsFuWwye4c}Ke_ysO!@LiEH^v?o#kXvnh% zs6#S}PgzS1nQqs#>&JRniDA!vg91^$uQrPHSeqj6sFoX>1rO_B@F$Klb)y;$vVwrY zr{xOfw^W;5T4`6h?F&Z*FW$K~OlaH6W((T0iK1d5utO-*M{c1KQ12mPGu&HR!W zHLqxi6K2fG@BQcde`431wWbA~{qoZw##!bZ^lY73%%b;j1RsuGoQyOOzi|`4;R%PY z1?SQBDY!fgukQKDvHn4cp>cCgly?6G1=q^^&HNuxW~+c7l16YNB{@;>zC7VpxF+P? 
zCOOA?s#(29VonUszslA3j_OmY%z~4Ht!bGS`_ETIeK}B;Egr(36>R8u1*KSZjAkhL*1Dd zcNxGN_25Zi$!;+MjtPQm(riW%v_uRnQ?WJR5HVsR(i9z|*QXB*HJKu;qnH&VRV*S# z`-k%^>HHn8%1NHRYmi}22dq4+A`R7w5aK~D!R$3OimIHSP0Fo2eU*|~ zh0a|4GCyvF#iwAj;yaK8DTmrv&7j6byaP9T-lN;80KEI|$z3!4SfRdHT<>(KKD`*y zlo?6Oap6X)H;=c2AcD6SJb(S5s6L`f<~~833mNkSulYI!r;uc}5xft=AiJ9|@yCP0 zUCgm&Ych%zTmX-xV+U0E7qE)vfOhQmsd`cZU|NhNfD{sMY>nn%5A7f+%IE0ai=U+i zaM{+d4Bf2h95UrV?;a`ZWOKPaBG4(sH~+>G+vxFVmiel>@x&IhC}*EBW{9?${lt4n zptKv1>fy~oic~`LwU6u$ZjB^!Q<_mo-DnVKt9*Y&SrHAg1vnR0DUR<^cRai>YRFe` zuPeFs-DcolSvOU4yV5Aq%Jy1XEl0nc76kOpnFr0@GFr{KxKO5@3F-BKSerQ{JOH(% z3}fUC)5&N{0&B+q14H=}(+PIfjg?|F9b@XEk345Z4jK%k7aG=|IZ_g3O>1_OaHv)m zgZX8s?x)p&q-UKCtnw%onUCI*bIF=`ou})@+3Z%@BP8=(In3v;!h~SnKf%N8n4^bo z6-Cjsl5O?sMpqFiNR0s!vc{#x(8(U~c`6vS(pm|~!~*P^IFW*u=jF)SMqrc3@?^7H zgzO*Ak39l0UY`K6E66zvf8& z35Zg`GI%Fn618{en(OFoiz`l$p)PN!_lqV(-Vd7zS z5_vV)+Q>HB^d>c%73FJ`oLaM173#!e`Kpx%F(5N;c=qX}gbATnq`p-ZazT^IBez z%&jByk}jT#zERV^U){e*jYd7JhY@k`dWA!N%EHmrqo?-Dm*H$fHFotQOx$0G(K)}uv!kDxikc!o>3*%)*775iH8 z$TF#<90Vk+1s|+k4X7Pr$C%g?PcQ#u_I=@B0(gS;(5(LHo{rQUxo@^@a2-_2PL82C zWe=El>st<#4+)xGd8I1qDAv~^X=jbR52dLzrdRmQ4pZl#r>plWer5FJ>gdJm8|co> z^PSF|zw4R%%Zk^pPdKLO=Di%UN1a$-VfdZh_JRzfv8y|8UjFv{w?DXV`=Tk1FG94| z^GOzr9vD-RXNnPL)mTOrP-9{+7PS;{7xo}$geeBG1tS1<@>;Sn=;<0#J^NlqyS-(d z>F~q$G!65&%SimH%U&Iulbv5hmk$>D@f*@b%qE|`C@eAbJXA|o88H^9{02j}iZ=?e zRDXukD${qr@q*BvL>bI{@xVrkj&f#C05I!+s>07POMvq>UaA`AF4*a(g6t8?=rNG| zw^^%^MtzrHdKc^YFrye|t-BC{k!Fmj8UOZ@nk%G&_2n>R>*r4TJHRe1_Vu4;EjA=K zobz6*YutX;o8mgiI)?kDrvLV}>M(ZyD|vhKl4u1FKJCtB{+jwh7uFeO1fj-Qe~-Qr z!cEZRQ0>yEe~bOYt7tw6Ed!;md!!ORt0L)}G^eF1=YAA)YLCV=1zu8p=4~nLV)pwq zWSx6uQ$|)%R90`5<+6d8+^=ZPZL4w3z&W+j3!u@1`S75u;3m!RWY;kOODy47tPtXn ze_jq!Db&3x<`IkPS~z-&PZ4>b`eTCY_BK_!eO<&uW9q7iB&P9Tu}@6Bh^Ci4Msgx^ zP>$Kr)2}Hzh!rgEV7hf>B5HpURG1(3=F;&Gg6n;=_ey-PwW=be{zzX$pJf2Mi^|R( z)*rSP<>^2o%_U_Pcg4QZiuz9W_Z+@~fUmMD#9`TTZQj9g}M;WtFeb;S+1R%la$SCs@yu0avXOwTW{h(!= zf&p`0OU)r##qK4jDpqK+^5U!pH6ZLO^uB9)f!w`MLT)*t%$CbnQN{5Z*-^o=s-rPm 
z^4yH{{vaM8Vbj6l;z({f#eA>^qSoikeoo*(+K4@LV>{fbI>0QX0dM#)U<Mw5YN9xr^(_TWbD2@t?2clCGyAB5C{eO zb;QYZU;nq3D`^+7y_jOWVZ})HMb2Z75w}h+C8u%wJ>hTl8~ZU#ucN5+uh9C06_k$Z zig&oGLM_^3-(b44UesO}C-6x~3Vv&73M*8A+%D7spM(3W&ZcFU5>}`kBA~!$NUrlv zyOxZ>3&?wZw&1h+ux`c{@0PL0*00Mqd$)wRXet~`G+;!$RUhd7-GEVDc;kAb**2#O zHhZ?{Rryw}CvuOMzt(@i0Uq}t4B)udt6$+?MD|csiAI{1yb`35EIfD*gUC^jzQW?J z#mZc3V8X6}d!ZF>UF%oYGa&pbya`5t=e$YF&jzuk!tO;d$7g$ET+1Fgi-&%Ptx$l} zdN5S_BxEQ(9T`+F=2H+gTWCfE=XMc5XA`Sh%YToz4{thB5h-`t@CRxd-B>dxDD3ev zjr`LoycDoQy_sEBlF~|wk6~-T;YLT_6*#mltjjamNMFdgpcnPFmPi%KV8`%*Ci9ps zQ>AD(03p+@&HL8iWu43kLAPL^YUAo{Yvs6#tzlN_k@bF8yRu{%5ivE{Gd~RJbZGaeadq9I5jx4I zXr0CBV+{d9*&|%lQ$;++*pF_@Ft1|zH-g7mmVyi%AEi%_eR zU^y&kC*w;kwp%jTdiaNgY4myAazT5*QOLPh_eAaYYjgBl`>v*Uhsz%N21y;13AudK!AfzE;?MOdi>>T>^%q{oC7RV{RuzRur$LNxC zcML!p)!sU2_a|chD8Rvvf|YBh^%L$V7L-wL?GzqqA2%05M#oa3jk7 zF0ApI0vfU5i|DwG8D-d^g2Yr*MeEw*h1mS_pT`T(R4dKm!L3EzGnx466bE;&9k5`c znYsomAujYz>jRd4cowsEqW;?-6B}f-HNE)BDnIp1P<=Mqm-rbHGm8hv<{(VVWx8;& z8xd=BME786fsLYElncJK=0FSDGpUtQal}ENbtW4M!K@4*OW@6lU*zXDU?hVWW46cV zu(TYgB%IBhygz6*fGHn`F3@k+OY=z#F>Lob_LjRR@QtB0%d}ne?wvRF-Ln-0`-?kS zjVtkag`}6Y!T}l*J*cakrqL5&3w!5k2YVUllt$7BDiQ^?XGDuH(k%-!eIYQ?>EAr* zNUpf=TgIkD?y$Zo<)_5J0YYHs%cyZ{1H8tuv-P=g7;=o!yXn#V7VkLNMi;L%%i1Rg%6wnl#Mv4yU}1y@gxm+{z%)$dsbqS- zGRm0TI&9Rw5yMA$Wt&RfL}av2nmW|TK;WBZ?^>1{{$`zW+F*rtmbBO+o&IYbqGt%+ zoKftn{D<{{U^V@&dO@`g{(%NV_y~V3TQ37OU=+FcFHGcsB*bsUlzoEc7VIAF>sCxk zv=3+x@XY3CY!r5zLAwfVOdU*>e$^m*+H#N7=t0N}H4L`8!SYgv({8|81=kWU()_k~ zpzR$jt|gH2epb{BaBPh7gTPa zX;0?v@SedtgB2lGeI0b?b8C_(1UGFGN7kSd3VU89*VuaV`_fwQ<< zGb!Ddyc?I=gqNxRNP zqF-a5qhLv6v5Bx2xP=pTTcl2ObZ;Ry8!B+MRcp`sbH}x4feIs+?Bwu4)&iVPv43nz z_;D}2#t1<+KMq?^=-yQ(mg3NAV0^fo^;$dKHkL9L2+#@TqC}?AvR4F#6mV$c37_Fq z&>5k+0H$XS##Ad!jR@GsHXw0_s#Hm*NgDa(P%y-eO-;F8C8AwbvrkC%7Abof8xs5- zC4#=oT4?`(iWWR2q5PL4ffj|?_QEjYy13zg=pBZvcLdD)S~Ic&?zvf0FncOi} zQAqpUG8^`!X^Ew9;ziJkI0SDw$YWOqJsvK~Q}J7@udvIF*zS@*Sl$>q?a)4UeKA*7 z5su=&UN=pBDgTPJ|}S_Hxn92-e;)?KP#N3ML$*}%yMOB6z=5m)wCI1T~xta 
zu0g5{c(xqkX5qV9B9`k8CI7A-b?Vj5o~Yr|{KbvJ&T{3nRu}ZU_Hr|cI7vAzUE?R> z?F^VjdJ*yE)0Ae%zO_Hlv(0^tWeXHBh}5Gto}1D(4~?W?MN4J`?^Qm{OlD%upd6y4b4PZA7!HZ7q_rNLkY z8dP1BG)=AbKqL9(Uisi#n@ch8uigz8-?6Fg6rj-2x7I}e`R^^n*|-z*UGk?@XTbD5 zVpB}33N#52-Es;8?qbm{8hl4ev<8m52hP9SC0uU@8@`hoCOPf(&U*{etuBnyhuu&V za8dVU?I0RwSd?nG(mpkVf4R=sa49+XZWoMGq#A?Z#1V=}l_xo?UZm3R@^pSrTt!_A zV&tp1=qGpX3$g+jW?|@5uc8-%LRrLuJ-JAy5^#oumWM|+C!edYOvoJ{9#`$GR*wbo zIIl{?X@)<%7Vz0f?sg}EKZj75?zDO9)EGB(FZa)!s0{JyJ$)zC$}_*h?uzqUMoQIq zQKI8Dwn3z$AWXqdDO15NEu$=%6D|nXtH1B7n`K@Y$~z3vlSU1PhxV>3Xw8fc2lQIk z#^}*DJW9tYO`*1TadUMKHNmW~3n3M!%Sws(2d-m(Fgs;cXMAJ4aym#SBk@`wy=DrN zzKR?wv4#PzuFPVzmfPYNSZ_-9sSdePA_p1o<-rkwM@EShNhoaW4SQp6t`5A0NJ?9{ zYUfRva4@Z`6%y&YRHv9A<74Qta#8M+d81wo`pXyaRPo|{R6skt<3RIW!|xu5?fO;xWnkDlnOWM* zp;WA~dpgn`fF@OMWV;w@dR)2a#ON9>sqF(V?8XI^i(HHTJBbI+=+=%rW-e-tq8p?; zQ6@S_jH-Qx%k}EV`{*nQla;0%m{NN>WN9-})wF z9wV4AGGGU}R5fX(fRl_7Aq=9IR*HNkRL;Hp4lkoBwxnHJp#zF5mLwxhk8D}da>ejK zW<)KA3sHC>vc@22&=S35#?8o@S157Gtg|#xC_y`!brx7Op3yuX{Biu)s|ZDU6{ei6;+n-n<*hxta@REn;VcH3`Z2z@y<}{ zOyLv(1WR?HDjnmb5S&N@$M8VxZ2&D4G^Pn%%y~SGm_Cj5qt__uH1d;?#zzC|SF3wHwU= z*_n>68x9zzIx{TJwj?9QFCjX61TFADFlC@dvLXY+KOhYY;g#UmSZ~xHB%wfI&PDjV zQ&zSo4pSJ{WMX8zeD?TLUWAO_qbpO!8}r*$LS7#tmCJ4tpeC;z-yS9!oTRISbU8~w zqGi`c7*4;8d_5efy$$oSBF>Nl$P?F*QK#jpD7xzgDUiNFxw7gWm#O9^X;Tv)f(eO~ zdQ+*0o4!J~@@9Dd9<^?Z7M`qVO=O+I_!vTleeL~Z#BvB>9cw_wmyu*DbpLt*9@-d4 z)B)9%#B^D4fK;Qee#9_}0%RXXG7WI35Ze9lemD?akcO%lS!IoaJ_StW&F{=lnZzvh zxag;?-zcLiEAESAn&}$-zH5^lT^1nYLP$KQtWeR{H=`^?Ni5U&iuNM~Fu)t`>0 z0}9Vs_cBE1CF7UG!)yJr9S9yxn3Zj(uPUBlbK|_tbHZPqSAA`yslGo-4gXw5DG)bb z+v4Hx*6$MMDb%ge7FiY?-1+ubIuNTsBeQnw&M;6)ZjIIT)4cU_ z^!4pOX>sg0sk)L~2`zalwbSJ5DWw4E54E{)c!Cf!Oz7ScfHRL5H%V7s z4Z0nx7(Y;DD_XTrz7}}R$c@SdkQ`qz&Km+_Zn85prot_FFQ|LfO(l^drO9>qSH4{T zsS7%=ry;J%cdPQWaKku<6YXk*)U>~sF;=61Y>ewVrLR7+ z!fpI}V$`mQ{v0A)w^4n&Od5eM+vu(Gnz~0Mc`DpkR6j95S637K0ONIeo3INTeg4>I z(0}v%sx#g%qk9*s9cOQCyCVeEZ2@mQeJmig*MqgvK>>A9c z%UIxaAj7T-mo1wx7WGMR=wIJ@sB%+6+fgs_`(>t!m+{Ly{d*_n9T|R1I_w#5oF!&h 
zg7&CBWBq{BjoX|St)FOwN(mPN9bKgWaQBqG2FBzkigp7&A~Dc#Ihx3`U+$3`R@I6E zYdk8-LZFpzFY@?0UVJO=4rbT;ylk?ohv71r?4(eI3f%um*ee^2^0M!8OqJuG`&2gC zJNw~8ahoAPG$al6TVJ-x5|paS3xSx6M5NrWlxuq)rk>R-5*J;Glm~@d$=Tq~2LIlT{bHE^gAk>vOoV50>Uwou*pA z9F?joIm$|(L@U})4lZwGg(SQmD8>{%ItQL#9(TU+#mYguW z)Yq0CL;+l|lxOi){T4VSza+6qFwV za<-`{#6R`HscujGDGW#uX?E8-^tDP2-=AXm{P8UO_FKi3MaStacjH)n7KtTMpt|SB zF|*8ZR3yquF%_xY$ko&}f0XPc3&?qjc8^kGkE`Z%Gi!$}oBXjpDKRuHw-@Q%6L!#u zBf_2S!^U^?zG3w6{Tt~iijFA6L>^+BCpy9Ftl@sDL?x^@)@9GwRjtB)-WAG&BL_`$ z1ELy}*$HjWZzPMhl6*$3)D66jHLf+#XG9h;K*(v}HkZY?Oa8$sKlNFPUMsb4J^3^!xopjuIlH6GR2ou6ZNm@dmU)>h@k41>Nm478pt#;KollW z`Ep!iT#(!7ZG{kzqMz?JEGxqBraE6%OL|KE#e;qZ_Y@S>4V)e@cQ2mG zM`Vby<2WGF;$t(X|3I9(%Ce^inrwPf1Mn|?U~&f{pT@nph2oGORZ+2DVto!;Q?*Po z=uGtQtuVFt6D`-vhR~E4tusd(hgwVXy3crgZ`580z({_sGDH0dv`8xIp!ONN7oIR zz+F^hckzWHK?1ziL%89!$mMmL`8Hegde~;$z)-7pj?97XKM2%^`pqLrplDP}qziXw zH>o>&M6xrW6d&?4+@l?3+r7q~SzM;~d~X|$K1I&*{=QML{={uX^zWO~a&m*jGJczDBZ z;WbXel#Y~KCFE}_^TLWwzuRVOxR0t|#MRkMG-YHM_;EoE*s_8Ve=!IbTnAE!ww7Px zBR8uprTVx=^)qW_it<+IVrT7-27Gxeor78 zRA|GW{pkmkT)6f`EPbqTL z$YkuvP-h+q-wSp22GJ&RL)lKFZH(`@>pq!e4|I#i5c>)zd^2Y>+zq?rFDsrmNW6R0 z@a~quR2@rRc!BwCdGnWR4W84DpWId))xvPJTyBTyxjX9C43$>I@dc!b4z#WtdN4&% z!S4ApluYhVG-~QQlxMv$Xm6yC;p&{Oir+UU#AAPHTpRzmim+Z0C}0)fmRgD)_py8B zbx=M`S-uk3mzfGf^tI*EEN;kTyERAL&b93eu;9DiQ0dD=t-xQ^F55=cFKElptQqRJ zNQdz=g@QphX$1c#oKFT+5KkG8r^_m#+M0x)8khe1vk+3WD&Lqu_Z zUTS_*MZHna7RQVes>C;8&FT82x`ZWT?OD8srA{X4J7TO)Nq0KbdzW|^S~SPK1j5>8 zQi=XxX|2Oprw1}Xb@b-aatyMB1vEl>#;swE2Hnm8Ndo`87MT|xB$M(!#P9{|CzsS> z!uUJ;pa>z6wDU7D4JaEmWg*H?S2Ct)iJu!*FVN2kewCSVWs9fwu$iLA;oQ~-!}{U( z0wbF?Nz|3>+vZ)fc5ZPwb(fM3^mC4GSgNgTEq2AqGM}e)L!NqrX?sdMa9+;+CB?M8 zL1dpZ&kj^n+193Wz^dz1;aDjIsPUzdkrJPJD-USBUk$I@FI~2*(UIZO(gJj~PpU~W zT_Jod>Y26WL|eu6^~40oME@35x5%+K4kpkTZhE>*?dO+XWvvo&RNgXNldp?V2*E9i z)Ax}2ys`inLlI3e`cJq(MsZ>kk|bsn$~4NiLHaC6tgum8SwF71@^LA&*3W>s$5FPJ zv*PUrd~?c5B};u_x#30+j88ubZgq zKTFE;s{k$JchG;{%q&n}jf{@p(*5pwUVs6fVZ_mEl(OkyS(3I}IXKmPzp+=1?!#K341xBQl)?H z5-JjC`ZYB8*HIol<0>xo<%yWu3t-|E 
z9mtz9$`Nt$jCiN|b%nXlBj#vT-QA;#j#EYPcuIMiGnk zIOir?I)WV1VU$c)J!M4riRJ#Cl|j_A(p}sWuBotT%$Xk<8ZizLwHO zHnZUw%123Md+PA|!JS*uY?~cVRXCd)8>W3Plk|n!<pm6PQl{&}(Qk$ftKon!8f^oAIh~o~h!K9TfDhayhxqkus2g|0e0`C+d3P3TSHy>sIECk%_N}v zwQDyWpPqd7%GmHX(qjIvmQu)q7{o;Xm?a838N=vD?j!fo{ssU{p~H=%%s(z1<1)RqeQ!-ud7&y2TXl0i!$H z8|=w00lF-{DZ>znPlZ|Fzl?5dN`;Xa8UNWEoG+Oimxj(o97>OKk-{Z#dyc*J*XfLi zT{(O;nQBXFV9)pxD4FsMBBY08PqXBnYxxZbnf}Ws=!Mcl2=|( zf4_vBmi9vH`nqR+UZ48YLt`(1Tu`B+^AUlv!*}1VnX#2Gw}3M1hPv2kGg>cS zDFe)@si|H_3*K>mhYxDZhU(RqF}`fHj-=6X=IS^XFg1oS^9!>-8t9KD4Pyj1%H8&R z`QuxzObSz)!5%j4O_WMc75`5JM`o!qB|+#OmsKCOc`EjrUVWwbQWaRXZ2wGipZernu~h)A zZo3zU3HoG?dw>mBHVUCXPp@7-s(n@_WMr|gBJR};7S$MPs_1&%f8OPKJwka^ZTQhuO$^ZtB z_Qn~s_ypFn8|gnUT;=1Pli%LFdNO^p+P2z2llrk4pY-RV3Lr+Au$yUwYj0_@t{()X z`DkQw4bT)2hcHsf8}IcWc#U6oi||)5Euc=a`EqYraCS7$7ub9e9njA{()nj|uRoJ%l492^KOo5+ znG{sYMzqjIF@FEd0M1`fw%FLer!vTk=Kz@z%G`7MTJ;vc_>x6_7f>K{H_|}mk|<-6 zlu#iQ&nTgA5KG`WpYYhk%SJFJDr`r;R zO0W!~TecsT|0?s5hAomuBY^XHCBx#wtw|29UCs#c*sy)A{Kw+m~nr7n#Yn$|yk=OdH(b-ri&A z>YrdEkCvJUSr`P2NF-NezFo^Ij#Je8U{l523qYPNTWjRa0xRI(;GZeD^~g3^0~KlK zvhF>mYSSS+HuD&8KzViLx^e#yA!mfUyXzJ>WncLT3VAWzm49{6xlFd%$m8^Z-~Z~@ zDeHbM695ZUexDWq&pcGQ7B<;X>Xjfhz4z5G0+tJFilHyMI0 z`Hxl4BH=&c_0KW)IKOQWF|CC^zU?`LUSEcDe0QaZ^P4e_g4q6^@_o1 z=_XL-Q5Y%OG5k8{2u`OY^H(K05ifejP8^)McaZXK?nP3ed*ai?UPxi#`|BJ~oHEY~o%hbp9V%_Ny(_ft2 zupONAq*8fi^T(;nXHIUoC)-UX8mNJ${lq^W#GVBB`BIR{wtxI-`kUB8vJgGNs|lMe ziFg9!d#k8{M`t@H2e`qFW5aOvUzy=lM_mN|eq$r)-fZVs>40!OKxFkzh3mgM`Ae{& zqiI~tq1n!fI{_T$Yc%EAYy-T(3Y@e7o-?h%n`-JO*07-*#MXOI%(a>Ew|Bnc44iEjepxqoE`VjBu z@X#C{ngiBzzSB6S7nyw@X#C{nk32Q_@OzXagJ!5W32y* zgq~t;=kU<~{zBUvKQzY=&DG21>Sg~}OP&5^uJAfnc%7@@|G%r?&+$WZ{LmafG!=g4 zWFK>~k2%@Lzo6`6PKY+AX#A%r8fU{pQYmlvYixq@k_A4&znHf6AoQ{Odlz5n#(%%$ zxg2EScM95K=Bp#2zfxAZksGA@SYov3zkR46wha7H!1#T@o<31C+&YvI9?2R=&NLuQ z@VrA?YU|)*%`K^Z(Lw_=Z!)=N!jpk3uNS9g8bDbt;!+s>1Vw^tNk#Ju!Pexk0w}_Z zfg?sbV1_cPI?$G7F#2%a1Gmr?=Rsn2mnoM=exqmRT{!l?;xUo}K6d3cgxPN)vk6`o z@m56j+~hDAc|RHO-E`%^TX4GnzxJ*zB#I~u=e0=f0)d8=h7Xa13Q~(EYnDFvkXdcf 
zMOOn!G-@$H(bXMI&<7!lP!lst0yV>pQdGQ*;6vt`BBuM`WmasvE$%MrHoCKOPG=uh zoy`tCEP~sar^CP;m~a07Ki~QO|NN7T-a_xAI*0J-$x$PGcT^nGbRMd?Axfc zZ^NoPxxEMl(TVN(2)xQMN~IDirqb$c7)nEB8t9PWR5=I`HCeLbO~=rW zE1jIW2#6S*BEDOb{|pb_?(9r@w}y_@z*t6XmuIld3g)1i084T+M}n_rP6L4 zqISKv@&-q0s@3{@#O7qzjvzLpZSR)mj7h5#!5A&eve6XaK1Z8JXAe;z)D^(IF**7Tb?!j5$VfS4xDW>`{3W34mH9~* zxaWLIi-4{ObR$Z~XO#>wd+-`VG4E>ScB`uy6T^J9Q_C&_35lKntWKw+nN!zsf(UBa z#~fJcq%N+C_8OAcH+Z(iWW$}|U4D|0P7ZrkeB9NuvQf#*;SODsc?dq6X?$pnDkkK3Rje;*P7CDZqkA{Um1Nd~=!)WO10%6bhURVXY=T!bHv_po!8X(G| zz@$t3$0Vx5DH20}rz?Uq7i|KaFgGx%n07FQ3BQSI*Am}Fw(gF@0(mgaNE!`!O z10u~3_r(wITHjjdpS$k4vDP_%OuSFM&wierzrA0ot16O`(39Zc;E+Ck^iTr_2L#2z z!37Z$0xk3T7%kuj*G)rF9;c{}aSeEQXrcGmQbh%a3;0irgBxLkgMT>$_|O9%92~rK zTpT>$7x%I)9rULc1Wm{L^B)&Rv1SgR+uU!#(v!^bDUm!qm)sq5MDwXX9LE%9_yJ@nFM!a9dnjGk`}Z6S&)4kqvn z;PAsx1zZ9uby?uc`c_bo%CK%-ULc5sBOUnq3l}e%1^-X4I4+*@5Jo_v;HsMtB7^tO zIF12#5Mcsp%ED9cYOU)~f5LwjRZm~TzYbNY>fS85S`}h)dj0qE9O<${*B~Z|j`0(w zS1*A!9nt;Xi@IzO>L#>FXy#s7>(xt40(S&2cXc^e<*rGfO|6k-1oc0on{bw_E=jn2 zN>pva8FH`dA>+OpjoZ=xha#brKwQ+C=LaU8tI>GTX;;&ztp8UCEG0;&tgM{Z(f)ky zs*l{`q~!=0?T?jS1}*oW91mt2rk_rnot-`dLzicE^{+nZN(P?qq9wkkVZ;}e!wR&IUKO%dk&(>4MY18FvV z=KaH-mH^9Js^@F|!z@AT1lOS>3{$~ZjQorS+VqUDLj3CHa*UgB{$EX=f4!bm5_WzM z>b^RVAmU)qlOiFCQvN_WRp}5V7ed(n{mWadgvtYlix?&ejev2)`wj|-h`rwCWCizV zF@nWzwBY4!rT1-l+W8sdh*v|Jz8SLHB;La7v-?|Kg%pN;VoT8wDIfO&;|B53BBLab zGCIULgj!5C=)nysp|JB@&Fl`8N|M=Nh5~07qe(@hQ4oq6kX}rY-DymJqA>T5-Xz+o zDyLX#Zk@J`V)X1$N@WCzP_?X*l2T6sKRe{Z^P`0b^NCUm(pmGmY*}G|%WVy@$inD) za%0F3<3_*d=tFYZplOhxRo`_KmY83eQ=e+p33P7}Ux^4IB6(682PLadzQprL#8rSIr{t~etpD%wpgprb%<^d^x`6bb@ zO^|FS?XvH#Kl`2(M4dwM(yQ;&bgbmA!xhPzTa;qOgOLXn5!<9<{$P@`L9oyy#3snhBx%<00>^53Pr$FzijjvA8rH(6c0(OSn z{Wa3S12t_4726-yG#@R{=lA|O50UV+x1X)QPs3+yXrpHBv^8C`))M#jj>;37R`ZcO?VYdO#qPiQ@B*w)k9PRY zJE9NrZCPBq*!X=9HZLU!m~nHbi#@h2zqrw7o>V{NQuv$v0lj;W)F-OLCaX7}Klq_> zA#W6q@VYl#P@5m_`kC;rk8&Z4fwOaBcn)*!GdGv2{HA@MYxyRNJT$t4C zPK;NU$6Y+4MkMk$Rm%6<-eBtu8N)S?_o+VXxz7ZgX6scS46hDmF3oKFdoc!_?zn6> 
z9Co<%ON~LpJs$$5Yn2Z;p!3pf20w|KBX-G z4NZe~`9;w=Kfx4&_WqeVuR|KO*s0@9D;b6{Bd-}_Ir7exv;b+x`kjtyOyyMYV8OW- zF%Qdem*V2DZoV6^fymd&FPgs}qA!poGQ1=l1CpQ++W`G@#a;KYRFM!IcFqUk*C(=@ znm2ApY?ipcr}!9%x243_Ky`7{DHB{4;3K{+P%WY%uv>7v)3w3e!q?vZ2<+o|hqQn*k?XikPb{S*? z?!?}6^Wj1|@IrKdTK0+P(rj5j(XDyno}ks^*{}Ezw)r>Tw!F`K0YjN|4KyL(JFcY9hDv_(=1&BBNqb`>ZsU3`|Ru~QaW>v6T8Ya zXUF{kF==O;R%^V`w)|YXU)1~s?x-f~AyjG+I<$PNTgR!5cZ5fK1H|p}%R0q%hDPlA zB)044I~uWDUTB7ZqgIy5xs#pP0LdCguW6SxWx-%u{f8%t&{#axAh8^`P z7+}oC5?buBNVK${596T|OZ3DpU*v*$$NnR8b>8_NvE6Cb9?81-O7F#f^eYwawCzD( zxBAtLsC!Q`K?Tk8tQ|SmH0c;k?jw^2g9ZD<*j2JW)2u|uoSII%bTZ}IfV#AGji_0U znuvlmd+69s01=6Ad7>K>yGD_^H0(A?_mt>D`r>p~Gw1%VF7}~SeD<3%=R2_>Vc+7+ zW2Hp)cQ?!WRgtDz(JKMisksioE~Ub7q=tuiO41?%B$J#X%)w%}J`F)@BiJL<4L#b}=^K z)Z8}cP;+j5B!B1t;oMBH(|p4p`koKLT=3D1?dSkAwNzBM^~8f$zcj1ScUD(6h!XH_ zuEnScS2q0|<>%j+-d(EhE{f(??3pg^BV&<}R;^!LPw=#bOYU?cI?67p**)!N%Ml)! z?j$i;fxla86AR&0sC~|Y&iU?L>7AEqZTeOz)O?LcW{Hy~>npoy7k*HWcHH=R`9M=! z>)u4+<~XJcOWRfK+=YMqOuCArAH_W2Gz62k=Ug|nT>koQEnQjNly?tu=tdX$*(I^ z@jEQR!cH^-7z0sWliSJ8^WW3`e|@=| zy@EdOb?WF9ol9oM_E<^3mH)C7E0Zcu`Z4$o%gLiIHa!YIVtgKZ{}qY34=`HqRA&V^ z&#gP|B@W8w`{m@3klUtN;S{9nz#VP}T=?3i2}|8gc9thG!oSw2{(A7O0ACAXrc7wY ziD1mQzq~eoSSvBLTq#Gi)@K#;$w=|H2i4GDEnPR*-jsCZkYks71pAdURoZ=hf4$wN z$nb|{5r0m@POoVEG-rqs@zsbeewr==Sksf;S*I2U78&fS*ji+4d(Y%v|NJDbxR+_r zcG$&6KASw5cX;=~g4c+sP_hXcrc{CGt^4G=QbGk* zY|xT{V}`jSn2*B_OA9ztWI9s50iQ(v29bv&V-DR&_0JaYP`7o|&(=q{Y+-M1$m2J^ zz~k0bx;R~t8M2!@Y&`t5y;-wA3fJtKmz#Z1ond_Pl~_p)Y-+B6Nz@FbeZrq8N50sk zx0K`(?bOu{XB59>nd0WpC~%hJ{ashI{RBN{psi_>m?0LDdqikLcB-uFoX?j` zpipu&HFy60+*W2ePV*Z*2}+EI#EjEbf{BCK;5jvt=E z48r*sRyGRd-ZcviYf>CYM^mA4iMi0{`^7`VJ^Y=FZ(*)ERUG*Al~M8%)8ltw#gQ#9 zNUO}^^1bWp(wM5=jtLrdN}DHLT5Z7~do*uyZPZ|D7{vaTJMmCD0AG;^R~u>>(wkQdzX1O(Ui04`>iXwz!jlU9Qna`%rD%6~m#mV&ivh)#^N*oTNJcc6XSHEo6`drUN<7 z;TvvmPAq9T>>$U1xR^@yL`d&_9Hv2Y~bgD5*1YNFt2AVA%}VdAWXS6|he?em^3XYajuH7hc{LlPkD5DEDA#%j$i{ z$tymKja5|qXon1okC>xT-Tn7B=%}5@7~=}JQnemh&!-#u4bro-^8EViuacZN50(P2 
zn#D-&Z{=jB%K$fc`kiec)S`@|D3W6w_!nD-!MLw|h}k7OUJ-o4$Dds2z&)1Qey&D8 zVfrkXpfve$YggY`<3WYV8_u(5LLsl)^dGk?h}y)5K*4r&&1}y67)=x_yae>W;2~gWs z0}8S{rtV+@@HZjKA&pQ9)ZeMke|&KN*?4}kF?0fkd3y6LgzU2xoS6)VX~yYq%b_7b zY<}cs5H>TdV8JkAYM#^EStSGS{hd`fQ840Lq15YalKhy5uNP&Fb;OvG_`aJ52@v_& zTi*aTc8684hZYMIPdTBb&QHeBs6#jL1Kq}7@5;|Zo8)B8Nl7#R;>oZydSd0d_XcD7 zJyKRN4f4)Z;u`ZNt#Xap_(D(NeYYQ3^N*43!`f$+0=6*d()GK+*EM}0Wit63z2_H1 zSj2hmYO(YLNcnzoKbQKerqrFcA?T#BV#G~1;~5P&i{NcrFoVzN_?A>f;7@tU5>vMV zI>RJ->$QogJU{9UIHcVqh*K^sL^6}SKw$x^CZ^|>hF+(8YJ$rdP$S6H68H2>=+Rjs z8O%=aP!5N)FVS@Uh43xEfNR-1u4#BbUy05pH0p-Swpx>$MzTII9S%!>$dVv_47j7I zu)oAAlJNMEY!Hgqk?oBE$K8l;;*685(d4#zaXogNdu6M3J8wJbf&c>|Ol%)2gwh+= zX*>)cOxvnofK<9m56B3sIu7QT8z)1wrMZmJbVeug~i90tG zE%H}C^aKc6XE1hAv_E}dlt%)eGk(&FS~WPQXI+mw2j3R$3w@MV<9F8Hd|H2-xYuri~@KWIUaGbk$DAwSBR> zV(d)OP{0L|_2gm1p_^d6PEK-AMQ%vU#hCu#Z&Q97BxkCXc=*aS5hidZWG~`yG$Q9@ zjQVW(7@5Mw)>cv|=Dt4*oCkQS%VxFRYYy5n;^Mo3ot{8ehS>a7nMrKAUz}OoPQ`#N zYIJ^#*B7`*b$n^P);zpD{fy3hYwP+~Nzv@lr2xR828wCg%Wjw%tMWK{F)o7il-&EJ zwA1qKHosNN5k$gr+v&&5$=43OQdbYj{f?$_4fx8pt}v69!u%H8^8Av45nplNo+l5J-*+@GWe7g^r_TME ? 
zyYi!sUf*OhbX>izK_f{=+-%5=zs{3nvk5}ZZ9BvlYoALxcOzGYR@;lllf8SqDuhQ} znT0wtlBh;Pq*zuH@Fo&{4kwNUf{bovxBZ$#O!JL6!bP242^X_aI#C+)kTCv*JG$pw z1_bg!;J7qG=lOkj2#83<Qfb27C^`!EKWO ze8!*&7U8*}0gxYNV%Wg@e#U_ZQ>&d!TJa3wsC-Wsf2;ZU$5yiq)MUmOFWhcJWL6xE z`Y77b_Zwz(=Q0Ugi)$xJdYb-T*Gz-AfKk6ru=b#=%=M82zNNdvUzXk&sfi7w@+Cx_&JUoEuWAsRBhn<%xdiVsZEt4Ww5_^V+HEXMMmI@$6QvwER_PGS zTfti9hJ}wcOl&BeKlnY<6qrd`XSb=RhOf6G&_H8=8ulk!d+eH9Tz+tNw^i|a?0bWR ziAoE&{Z#q=+419pZL!>dsKei21^oj6O^0BcjW;uK5Q*L5@oN=p84nJHtKF^b2G}a> zcB2cCHiiZ)W%nz`T6&T$PTr4`@$IMm29`)~0l3?1CR0(LJ5A#8Un-ge@;xJLGLtQw zyXPT-HhvDsp029V&S97}j}+}ZgY7ZQxN+41fu5;cDLi@t&^*rzWFXQ)Q4|netnJzJ zOvQH73N?p!D;HJQ?Owhth^6}pt3PR~9-k1BC(6z=TsQ_|M_Y8Hh;G9V`B+1lRoQzk z&d!w`I@Idv`T%3~mS%5S6`Z2cF`~v3<<=QXd{XcND4@7IiHTqaF&9tHIq8g*)J+n@H&&d(R)|>qpm&rLUeCIH<;>2?e=Ku;w8Sao z+}sN0tA`q;y%-ayXhqiyu1NUqeTEf;^ z!tg1B9|Mpp4}eYV$LA}=vdBmq6~6>u`{hL9vGeZO@bt|}jhSa>Wk)pKO`Yc7Z!-e=`>tKU%y`*5Q(|i&mXVw90}4I z$vkw`eijT`2wJ0&$Nl&N2)SP=MA3X|Y96VnvF!UgDV$t=0R$6S+B)oF zV(U4Xi6KJp$8~nyOq2u6n3&wKJ@MQ{dnLp9X(!yV=Jr`xwX2(z!;UzJ z(!qsb7XT|!(ryHfAlk6TUrsIL7>aRXD`mA;OcEjl^wB!S#xuDTvBgGpA|uNIfW$fh z*{u^G-KGmKb6Ae_UcETAk_;HbxU?wBP%AQv@)_7#QDKxOwBf}&ldVx^Q%(U?PLlgw zjrIG1i0+{H64%2Sug-FtA+ulKzsUWp-tChZ!cFGBEBH-4+VVQ17?gkjX3P=6;_t1T zD8xxX4%7D>=}TU$D6{I1X|<&-*(@5M$-JFpw}7eN?Nh=Hl5Ku8001BFPac|lL~!dA zJj#^gYuMA+oNbV(XwD&Fe}qqgin`1iZ2OGWnE`NWt_@7xIz(fRhW-BDyUI&IQRuAA z`ufz@lMkgWy9xa3^4={kUO$w*_1#^FE5CaMAh`xmHN6cNn@AOtCH5#YIZUPfc{~61 z(pY<3uA=*eg=gJi+re^w+k1o`pXaQv^QaAUQJt~mKF&=-$jm$rA}%}ChbuvPLAHNM zITsq{j>S}E4>YY3?~@aAOj{+sIH~21e&(DB{njjW-85XDVVanFFX|1mqrybBi#Z9n zKJAcZ+o~;O@Fqx$g3DVC3CAZ5))}Oc`EbWvE62Yr$2$M~?)DPQwEV>(wjX*we%@ob6crP#2B^yZ10AxVdT)CSe6?yO8 zuXeu2qM7n(XQ(^RtL&C?1p6EVx|2df>n`Yv&la*jZ-iM*v21UV0UqFSf}oYEc(uS} zbJyd(ZE;iEa0Yg0@?dLFyiJPPU!fj+JOk}PYpAuM?Cdc&a;s;dhm@9j56T>8YN_rd zn3;-4v{yubEzv>chup_J9UD|+Ntu*9+Z$R6y{Y!xupehz&epuxT$BbQvI&E!zNPtiyWjh=_z7WP;lZh*Zd=CQxYE+tm- zBOK^E&;Lga|3b)E+W}K?XE*!%BXvXjSwAN%i< zOtlFSM`;z;{75W6W6aV|?gr_TeUCTxu`%>NUbewryTQ|BK_5mDn_pDR)nIk}YdM!0 
z1OQ@o8pJgRlXg?RkcCzICt;Nnus(V5je;_b*CsCfAA`@D-3M;R8~%OL^nz$1)PGPB z_E7A>x)S0rC zi}kgseuLP>CY7_jC}?wYt=_IidG`zIu$6Ui@d`4uFx8u)&-;d^VrayPhB8K7t#k11 zY-i5(Z40eW<}&LWoLjUGpLv-!HhKb|GQ+~RYF1LI3UVT3H4$H<*AZj!Tf6!e-|gfu zS_ef>*v~FL=1aeqa=hqvzl99LDPDEzL@1hkm7$fMiURS~|CDz&C&iOPnR~N7g7UTy z;~wgd8z?LUHqpO5c^aRQa_b>~t?Y|+?|EKhFIE`|=D4U@Vltz!*F_+_v#EG#$~)rW znHflsN~gM}WT!7=eH{W)(H9#Hi5=^e+=_@ZFL zfW5UZ#L5BgE=kzNKz1lHfJJnf#uaeR_4*pw+Mrwyau(*>IaIV42zVODLid??C~r&h zub1$FUnWu3UlZ@;(9~sDQ5iti z-eMk!tnI;iQI{z!*(G9#3B46!{4FIe=%G_MF)T38fLyoqgY>7%yxYKoAjy@$gA#rO z>QC*&cXDXcclC0zs~q8~HUJ+NyG|ust_F-_jJKU^xjESsgl7)eO@5cfHp|UMqz+Jra%7YQpU@$oSLZrcrYO;llY#@$rP-vVFc`~gMZ{_uP(;!4#Q@2&Mkl8dc(yDpAm&8zQbv+1tt5;k zO@KGC7%kZMVlY#YC|ehBRVtBhwsCbG2}t(XacMSP!{>%`HO+@mDxa+fGxREKwPh%s zHL1tpO*my$5f^!~=^|fg@jukKt)Mt>_i4}zS*xF@3X0u~6LbeiTXms>_BBI)P!QVX-TcsCJ^G5n44jd=5v6AhAB*s#q zo*hUF9IA*FEL=Aq%5R_Y;rc?ZfDa*m$^d1sn zUVn;>{R1cQ^Dm&p8YF73UHNZw0X0C>{xnvQfMz#gbBFkSJqH4SjvWt*JX z+^g{zfJ;0{w*S09NDi{px>JWFlJ!R1>7M zNcMmfQ$@)A3ZZcg9*4hrOV${r!RR%wJo-&Bt%XeywIA zYiGBS>NleQ_DTtH0F{;O|DRU#{a>sjJPIJRH#qO4h+4g@Nq(%L`mjjeB=~;- --name --query 'principalId' + +# Identify Object Id for Service Principal (App Registration) +# Require read permission to query Azure Active Directory +# Example: az ad sp show --id c705dc53-7c95-42bc-b1d5-75e172571370 --query id +az ad sp show --id --query id + +# Identify Object Id for Service Principal (App Registration) +# Require read permission to query Azure Active Directory +# Beware of duplicates, since app registation names are not unique. 
+# Example: az ad sp list --filter "displayName eq ''" --query '[].{name:appDisplayName, objectId:id}'
+az ad sp list --filter "displayName eq ''" --query '[].{name:appDisplayName, objectId:id}'
+
+# Identify Object Id for Security Group
+# Require read permission to query Azure Active Directory
+# Example: az ad group show --group SG_ALZ_SECURITY --query id
+az ad group show --group --query id
+```
+
+### PowerShell - Find Object ID
+
+```powershell
+# Identify Object Id for User Assigned / System Assigned Managed Identity
+# Example: (Get-AzADServicePrincipal -DisplayName 'alz-managed-identity').Id
+(Get-AzADServicePrincipal -DisplayName '').Id
+
+# Identify Object Id for Service Principal (App Registration)
+# Require read permission to query Azure Active Directory
+# Example: (Get-AzADServicePrincipal -DisplayName 'Azure Landing Zone SPN').Id
+(Get-AzADServicePrincipal -DisplayName '').Id
+
+# Identify Object Id for Security Group
+# Require read permission to query Azure Active Directory
+# Example: Get-AzureADGroup -SearchString 'SG_ALZ_SECURITY'
+Connect-AzureAD
+(Get-AzureADGroup -SearchString '').ObjectId
+```
+
+### roleAssignmentManagementGroup.bicep
+
+- [Link to Parameters](generateddocs/roleAssignmentManagementGroup.bicep.md)
+
+### roleAssignmentManagementGroupMany.bicep
+
+- [Link to Parameters](generateddocs/roleAssignmentManagementGroupMany.bicep.md)
+
+### roleAssignmentSubscription.bicep
+
+- [Link to Parameters](generateddocs/roleAssignmentSubscription.bicep.md)
+
+### roleAssignmentSubscriptionMany.bicep
+
+- [Link to Parameters](generateddocs/roleAssignmentSubscriptionMany.bicep.md)
+
+### roleAssignmentResourceGroup.bicep
+
+- [Link to Parameters](generateddocs/roleAssignmentResourceGroup.bicep.md)
+
+### roleAssignmentResourceGroupMany.bicep
+
+- [Link to Parameters](generateddocs/roleAssignmentResourceGroupMany.bicep.md)
+
+## Outputs
+
+*This module does not produce any outputs.*
+
+## Deployment
+
+In this example, the built-in Reader 
role will be assigned to a Service Principal account at the `alz-platform` management group scope. The inputs for this module are defined in `parameters/roleAssignmentManagementGroup.*.parameters.all.json`. + +> For the examples below we assume you have downloaded or cloned the Git repo as-is and are in the root of the repository as your selected directory in your terminal of choice. + +### Azure CLI + +```bash +# For Azure global regions + +dateYMD=$(date +%Y%m%dT%H%M%S%NZ) +NAME="alz-RoleAssignmentsDeployment-${dateYMD}" +LOCATION="eastus" +MGID="alz" +TEMPLATEFILE="infra-as-code/bicep/modules/roleAssignments/roleAssignmentManagementGroup.bicep" +PARAMETERS="@infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroup.servicePrincipal.parameters.all.json" + +az deployment mg create --name ${NAME:0:63} --location $LOCATION --management-group-id $MGID --template-file $TEMPLATEFILE --parameters $PARAMETERS +``` +OR +```bash +# For Azure China regions + +dateYMD=$(date +%Y%m%dT%H%M%S%NZ) +NAME="alz-RoleAssignmentsDeployment-${dateYMD}" +LOCATION="chinaeast2" +MGID="alz" +TEMPLATEFILE="infra-as-code/bicep/modules/roleAssignments/roleAssignmentManagementGroup.bicep" +PARAMETERS="@infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroup.servicePrincipal.parameters.all.json" + +az deployment mg create --name ${NAME:0:63} --location $LOCATION --management-group-id $MGID --template-file $TEMPLATEFILE --parameters $PARAMETERS +``` + +### PowerShell + +```powershell +# For Azure global regions + +$inputObject = @{ + DeploymentName = 'alz-RoleAssignmentsDeployment-{0}' -f (-join (Get-Date -Format 'yyyyMMddTHHMMssffffZ')[0..63]) + Location = 'eastus' + ManagementGroupId = 'alz' + TemplateFile = "infra-as-code/bicep/modules/roleAssignments/roleAssignmentManagementGroup.bicep" + TemplateParameterFile = 'infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroup.servicePrincipal.parameters.all.json' +} 
+ +New-AzManagementGroupDeployment @inputObject +``` +OR +```powershell +# For Azure China regions + +$inputObject = @{ + DeploymentName = 'alz-RoleAssignmentsDeployment-{0}' -f (-join (Get-Date -Format 'yyyyMMddTHHMMssffffZ')[0..63]) + Location = 'chinaeast2' + ManagementGroupId = 'alz' + TemplateFile = "infra-as-code/bicep/modules/roleAssignments/roleAssignmentManagementGroup.bicep" + TemplateParameterFile = 'infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroup.servicePrincipal.parameters.all.json' +} + +New-AzManagementGroupDeployment @inputObject +``` + +## Bicep Visualizer + +### Single Management Group Role Assignment + +![Bicep Visualizer - Single Management Group Role Assignment](media/bicepVisualizerMg.png "Bicep Visualizer - Single Management Group Role Assignment") + +### Many Management Group Role Assignments + +![Bicep Visualizer - Many Management Group Role Assignments](media/bicepVisualizerMgMany.png "Bicep Visualizer - Many Management Group Role Assignments") + +### Single Subscription Role Assignment + +![Bicep Visualizer - Single Subscription Role Assignment](media/bicepVisualizerSub.png "Bicep Visualizer - Single Subscription Role Assignment") + +### Many Subscription Role Assignments + +![Bicep Visualizer - Many Subscription Role Assignments](media/bicepVisualizerSubMany.png "Bicep Visualizer - Many Subscription Role Assignments") + +### Single Resource Group Role Assignment + +![Bicep Visualizer - Single Resource Group Role Assignment](media/bicepVisualizerSub.png "Bicep Visualizer - Single Resource Group Role Assignment") + +### Many Resource Group Role Assignments + +![Bicep Visualizer - Many Resource Group Role Assignments](media/bicepVisualizerSubMany.png "Bicep Visualizer - Many Resource Group Role Assignments") 
diff --git a/dependencies/infra-as-code/bicep/modules/roleAssignments/generateddocs/roleAssignmentManagementGroup.bicep.md b/dependencies/infra-as-code/bicep/modules/roleAssignments/generateddocs/roleAssignmentManagementGroup.bicep.md
new file mode 100644
index 0000000..af6de75
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/roleAssignments/generateddocs/roleAssignmentManagementGroup.bicep.md
@@ -0,0 +1,80 @@
+# ALZ Bicep - Role Assignment to a Management Group
+
+Module used to assign a role to Management Group
+
+## Parameters
+
+Parameter name | Required | Description
+-------------- | -------- | -----------
+parRoleAssignmentNameGuid | No | A GUID representing the role assignment name.
+parRoleDefinitionId | Yes | Role Definition Id (i.e. GUID, Reader Role Definition ID: acdd72a7-3385-48ef-bd42-f606fba81ae7)
+parAssigneePrincipalType | Yes | Principal type of the assignee. Allowed values are 'Group' (Security Group) or 'ServicePrincipal' (Service Principal or System/User Assigned Managed Identity)
+parAssigneeObjectId | Yes | Object ID of groups, service principals or managed identities. For managed identities use the principal id. For service principals, use the object ID and not the app ID
+parTelemetryOptOut | No | Set Parameter to true to Opt-out of deployment telemetry.
+
+### parRoleAssignmentNameGuid
+
+![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
+
+A GUID representing the role assignment name.
+
+- Default value: `[guid(managementGroup().name, parameters('parRoleDefinitionId'), parameters('parAssigneeObjectId'))]`
+
+### parRoleDefinitionId
+
+![Parameter Setting](https://img.shields.io/badge/parameter-required-orange?style=flat-square)
+
+Role Definition Id (i.e. GUID, Reader Role Definition ID: acdd72a7-3385-48ef-bd42-f606fba81ae7)
+
+### parAssigneePrincipalType
+
+![Parameter Setting](https://img.shields.io/badge/parameter-required-orange?style=flat-square)
+
+Principal type of the assignee. Allowed values are 'Group' (Security Group) or 'ServicePrincipal' (Service Principal or System/User Assigned Managed Identity)
+
+- Allowed values: `Group`, `ServicePrincipal`
+
+### parAssigneeObjectId
+
+![Parameter Setting](https://img.shields.io/badge/parameter-required-orange?style=flat-square)
+
+Object ID of groups, service principals or managed identities. For managed identities use the principal id. For service principals, use the object ID and not the app ID
+
+### parTelemetryOptOut
+
+![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
+
+Set Parameter to true to Opt-out of deployment telemetry.
+
+- Default value: `False`
+
+## Snippets
+
+### Parameter file
+
+```json
+{
+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "template": "infra-as-code/bicep/modules/roleAssignments/roleAssignmentManagementGroup.json"
+ },
+ "parameters": {
+ "parRoleAssignmentNameGuid": {
+ "value": "[guid(managementGroup().name, parameters('parRoleDefinitionId'), parameters('parAssigneeObjectId'))]"
+ },
+ "parRoleDefinitionId": {
+ "value": ""
+ },
+ "parAssigneePrincipalType": {
+ "value": ""
+ },
+ "parAssigneeObjectId": {
+ "value": ""
+ },
+ "parTelemetryOptOut": {
+ "value": false
+ }
+ }
+}
+```
diff --git a/dependencies/infra-as-code/bicep/modules/roleAssignments/generateddocs/roleAssignmentManagementGroupMany.bicep.md b/dependencies/infra-as-code/bicep/modules/roleAssignments/generateddocs/roleAssignmentManagementGroupMany.bicep.md
new file mode 100644
index 0000000..1eb63f0
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/roleAssignments/generateddocs/roleAssignmentManagementGroupMany.bicep.md
@@ -0,0 +1,78 @@
+# ALZ Bicep - Role Assignment to Management Groups
+
+Module used to assign a Role Assignment to multiple Management Groups
+
+## Parameters
+
+Parameter name | Required | Description
+-------------- | -------- | -----------
+parManagementGroupIds | No | A list of management group scopes that will be used for role assignment (i.e. [alz-platform-connectivity, alz-platform-identity]).
+parRoleDefinitionId | Yes | Role Definition Id (i.e. GUID, Reader Role Definition ID: acdd72a7-3385-48ef-bd42-f606fba81ae7)
+parAssigneePrincipalType | Yes | Principal type of the assignee. Allowed values are 'Group' (Security Group) or 'ServicePrincipal' (Service Principal or System/User Assigned Managed Identity)
+parAssigneeObjectId | Yes | Object ID of groups, service principals or managed identities. For managed identities use the principal id. For service principals, use the object ID and not the app ID
+parTelemetryOptOut | No | Set Parameter to true to Opt-out of deployment telemetry
+
+### parManagementGroupIds
+
+![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
+
+A list of management group scopes that will be used for role assignment (i.e. [alz-platform-connectivity, alz-platform-identity]).
+
+### parRoleDefinitionId
+
+![Parameter Setting](https://img.shields.io/badge/parameter-required-orange?style=flat-square)
+
+Role Definition Id (i.e. GUID, Reader Role Definition ID: acdd72a7-3385-48ef-bd42-f606fba81ae7)
+
+### parAssigneePrincipalType
+
+![Parameter Setting](https://img.shields.io/badge/parameter-required-orange?style=flat-square)
+
+Principal type of the assignee. Allowed values are 'Group' (Security Group) or 'ServicePrincipal' (Service Principal or System/User Assigned Managed Identity)
+
+- Allowed values: `Group`, `ServicePrincipal`
+
+### parAssigneeObjectId
+
+![Parameter Setting](https://img.shields.io/badge/parameter-required-orange?style=flat-square)
+
+Object ID of groups, service principals or managed identities. For managed identities use the principal id. For service principals, use the object ID and not the app ID
+
+### parTelemetryOptOut
+
+![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
+
+Set Parameter to true to Opt-out of deployment telemetry
+
+- Default value: `False`
+
+## Snippets
+
+### Parameter file
+
+```json
+{
+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "template": "infra-as-code/bicep/modules/roleAssignments/roleAssignmentManagementGroupMany.json"
+ },
+ "parameters": {
+ "parManagementGroupIds": {
+ "value": []
+ },
+ "parRoleDefinitionId": {
+ "value": ""
+ },
+ "parAssigneePrincipalType": {
+ "value": ""
+ },
+ "parAssigneeObjectId": {
+ "value": ""
+ },
+ "parTelemetryOptOut": {
+ "value": false
+ }
+ }
+}
+```
diff --git a/dependencies/infra-as-code/bicep/modules/roleAssignments/generateddocs/roleAssignmentResourceGroup.bicep.md b/dependencies/infra-as-code/bicep/modules/roleAssignments/generateddocs/roleAssignmentResourceGroup.bicep.md
new file mode 100644
index 0000000..a317f14
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/roleAssignments/generateddocs/roleAssignmentResourceGroup.bicep.md
@@ -0,0 +1,80 @@
+# ALZ Bicep - Role Assignment to a Resource Group
+
+Module used to assign a Role Assignment to a Resource Group
+
+## Parameters
+
+Parameter name | Required | Description
+-------------- | -------- | -----------
+parRoleAssignmentNameGuid | No | A GUID representing the role assignment name.
+parRoleDefinitionId | Yes | Role Definition Id (i.e. GUID, Reader Role Definition ID: acdd72a7-3385-48ef-bd42-f606fba81ae7)
+parAssigneePrincipalType | Yes | Principal type of the assignee. Allowed values are 'Group' (Security Group) or 'ServicePrincipal' (Service Principal or System/User Assigned Managed Identity)
+parAssigneeObjectId | Yes | Object ID of groups, service principals or managed identities. For managed identities use the principal id. For service principals, use the object ID and not the app ID
+parTelemetryOptOut | No | Set Parameter to true to Opt-out of deployment telemetry.
+
+### parRoleAssignmentNameGuid
+
+![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
+
+A GUID representing the role assignment name.
+
+- Default value: `[guid(resourceGroup().id, parameters('parRoleDefinitionId'), parameters('parAssigneeObjectId'))]`
+
+### parRoleDefinitionId
+
+![Parameter Setting](https://img.shields.io/badge/parameter-required-orange?style=flat-square)
+
+Role Definition Id (i.e. GUID, Reader Role Definition ID: acdd72a7-3385-48ef-bd42-f606fba81ae7)
+
+### parAssigneePrincipalType
+
+![Parameter Setting](https://img.shields.io/badge/parameter-required-orange?style=flat-square)
+
+Principal type of the assignee. Allowed values are 'Group' (Security Group) or 'ServicePrincipal' (Service Principal or System/User Assigned Managed Identity)
+
+- Allowed values: `Group`, `ServicePrincipal`
+
+### parAssigneeObjectId
+
+![Parameter Setting](https://img.shields.io/badge/parameter-required-orange?style=flat-square)
+
+Object ID of groups, service principals or managed identities. For managed identities use the principal id. For service principals, use the object ID and not the app ID
+
+### parTelemetryOptOut
+
+![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
+
+Set Parameter to true to Opt-out of deployment telemetry.
+
+- Default value: `False`
+
+## Snippets
+
+### Parameter file
+
+```json
+{
+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "template": "infra-as-code/bicep/modules/roleAssignments/roleAssignmentResourceGroup.json"
+ },
+ "parameters": {
+ "parRoleAssignmentNameGuid": {
+ "value": "[guid(resourceGroup().id, parameters('parRoleDefinitionId'), parameters('parAssigneeObjectId'))]"
+ },
+ "parRoleDefinitionId": {
+ "value": ""
+ },
+ "parAssigneePrincipalType": {
+ "value": ""
+ },
+ "parAssigneeObjectId": {
+ "value": ""
+ },
+ "parTelemetryOptOut": {
+ "value": false
+ }
+ }
+}
+```
diff --git a/dependencies/infra-as-code/bicep/modules/roleAssignments/generateddocs/roleAssignmentResourceGroupMany.bicep.md b/dependencies/infra-as-code/bicep/modules/roleAssignments/generateddocs/roleAssignmentResourceGroupMany.bicep.md
new file mode 100644
index 0000000..b8925e2
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/roleAssignments/generateddocs/roleAssignmentResourceGroupMany.bicep.md
@@ -0,0 +1,78 @@
+# ALZ Bicep - Role Assignment to Resource Groups
+
+Module used to assign a Role Assignment to multiple Resource Groups
+
+## Parameters
+
+Parameter name | Required | Description
+-------------- | -------- | -----------
+parResourceGroupIds | No | A list of Resource Groups that will be used for role assignment in the format of subscriptionId/resourceGroupName (i.e. a1fe8a74-e0ac-478b-97ea-24a27958961b/rg01).
+parRoleDefinitionId | Yes | Role Definition Id (i.e. GUID, Reader Role Definition ID: acdd72a7-3385-48ef-bd42-f606fba81ae7)
+parAssigneePrincipalType | Yes | Principal type of the assignee. Allowed values are 'Group' (Security Group) or 'ServicePrincipal' (Service Principal or System/User Assigned Managed Identity)
+parAssigneeObjectId | Yes | Object ID of groups, service principals or managed identities. For managed identities use the principal id. For service principals, use the object ID and not the app ID
+parTelemetryOptOut | No | Set Parameter to true to Opt-out of deployment telemetry
+
+### parResourceGroupIds
+
+![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
+
+A list of Resource Groups that will be used for role assignment in the format of subscriptionId/resourceGroupName (i.e. a1fe8a74-e0ac-478b-97ea-24a27958961b/rg01).
+
+### parRoleDefinitionId
+
+![Parameter Setting](https://img.shields.io/badge/parameter-required-orange?style=flat-square)
+
+Role Definition Id (i.e. GUID, Reader Role Definition ID: acdd72a7-3385-48ef-bd42-f606fba81ae7)
+
+### parAssigneePrincipalType
+
+![Parameter Setting](https://img.shields.io/badge/parameter-required-orange?style=flat-square)
+
+Principal type of the assignee. Allowed values are 'Group' (Security Group) or 'ServicePrincipal' (Service Principal or System/User Assigned Managed Identity)
+
+- Allowed values: `Group`, `ServicePrincipal`
+
+### parAssigneeObjectId
+
+![Parameter Setting](https://img.shields.io/badge/parameter-required-orange?style=flat-square)
+
+Object ID of groups, service principals or managed identities. For managed identities use the principal id. For service principals, use the object ID and not the app ID
+
+### parTelemetryOptOut
+
+![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
+
+Set Parameter to true to Opt-out of deployment telemetry
+
+- Default value: `False`
+
+## Snippets
+
+### Parameter file
+
+```json
+{
+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "template": "infra-as-code/bicep/modules/roleAssignments/roleAssignmentResourceGroupMany.json"
+ },
+ "parameters": {
+ "parResourceGroupIds": {
+ "value": []
+ },
+ "parRoleDefinitionId": {
+ "value": ""
+ },
+ "parAssigneePrincipalType": {
+ "value": ""
+ },
+ "parAssigneeObjectId": {
+ "value": ""
+ },
+ "parTelemetryOptOut": {
+ "value": false
+ }
+ }
+}
+```
diff --git a/dependencies/infra-as-code/bicep/modules/roleAssignments/generateddocs/roleAssignmentSubscription.bicep.md b/dependencies/infra-as-code/bicep/modules/roleAssignments/generateddocs/roleAssignmentSubscription.bicep.md
new file mode 100644
index 0000000..c92df34
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/roleAssignments/generateddocs/roleAssignmentSubscription.bicep.md
@@ -0,0 +1,80 @@
+# ALZ Bicep - Role Assignment to a Subscription
+
+Module used to assign a Role Assignment to a Subscription
+
+## Parameters
+
+Parameter name | Required | Description
+-------------- | -------- | -----------
+parRoleAssignmentNameGuid | No | A GUID representing the role assignment name.
+parRoleDefinitionId | Yes | Role Definition Id (i.e. GUID, Reader Role Definition ID: acdd72a7-3385-48ef-bd42-f606fba81ae7)
+parAssigneePrincipalType | Yes | Principal type of the assignee. Allowed values are 'Group' (Security Group) or 'ServicePrincipal' (Service Principal or System/User Assigned Managed Identity)
+parAssigneeObjectId | Yes | Object ID of groups, service principals or managed identities. For managed identities use the principal id. For service principals, use the object ID and not the app ID
+parTelemetryOptOut | No | Set Parameter to true to Opt-out of deployment telemetry.
+
+### parRoleAssignmentNameGuid
+
+![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
+
+A GUID representing the role assignment name.
+
+- Default value: `[guid(subscription().subscriptionId, parameters('parRoleDefinitionId'), parameters('parAssigneeObjectId'))]`
+
+### parRoleDefinitionId
+
+![Parameter Setting](https://img.shields.io/badge/parameter-required-orange?style=flat-square)
+
+Role Definition Id (i.e. GUID, Reader Role Definition ID: acdd72a7-3385-48ef-bd42-f606fba81ae7)
+
+### parAssigneePrincipalType
+
+![Parameter Setting](https://img.shields.io/badge/parameter-required-orange?style=flat-square)
+
+Principal type of the assignee. Allowed values are 'Group' (Security Group) or 'ServicePrincipal' (Service Principal or System/User Assigned Managed Identity)
+
+- Allowed values: `Group`, `ServicePrincipal`
+
+### parAssigneeObjectId
+
+![Parameter Setting](https://img.shields.io/badge/parameter-required-orange?style=flat-square)
+
+Object ID of groups, service principals or managed identities. For managed identities use the principal id. For service principals, use the object ID and not the app ID
+
+### parTelemetryOptOut
+
+![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
+
+Set Parameter to true to Opt-out of deployment telemetry.
+
+- Default value: `False`
+
+## Snippets
+
+### Parameter file
+
+```json
+{
+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "template": "infra-as-code/bicep/modules/roleAssignments/roleAssignmentSubscription.json"
+ },
+ "parameters": {
+ "parRoleAssignmentNameGuid": {
+ "value": "[guid(subscription().subscriptionId, parameters('parRoleDefinitionId'), parameters('parAssigneeObjectId'))]"
+ },
+ "parRoleDefinitionId": {
+ "value": ""
+ },
+ "parAssigneePrincipalType": {
+ "value": ""
+ },
+ "parAssigneeObjectId": {
+ "value": ""
+ },
+ "parTelemetryOptOut": {
+ "value": false
+ }
+ }
+}
+```
diff --git a/dependencies/infra-as-code/bicep/modules/roleAssignments/generateddocs/roleAssignmentSubscriptionMany.bicep.md b/dependencies/infra-as-code/bicep/modules/roleAssignments/generateddocs/roleAssignmentSubscriptionMany.bicep.md
new file mode 100644
index 0000000..c88f104
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/roleAssignments/generateddocs/roleAssignmentSubscriptionMany.bicep.md
@@ -0,0 +1,78 @@
+# ALZ Bicep - Role Assignment to Subscriptions
+
+Module used to assign a Role Assignment to multiple Subscriptions
+
+## Parameters
+
+Parameter name | Required | Description
+-------------- | -------- | -----------
+parSubscriptionIds | No | A list of subscription IDs that will be used for role assignment (i.e. 4f9f8765-911a-4a6d-af60-4bc0473268c0).
+parRoleDefinitionId | Yes | Role Definition Id (i.e. GUID, Reader Role Definition ID: acdd72a7-3385-48ef-bd42-f606fba81ae7)
+parAssigneePrincipalType | Yes | Principal type of the assignee. Allowed values are 'Group' (Security Group) or 'ServicePrincipal' (Service Principal or System/User Assigned Managed Identity)
+parAssigneeObjectId | Yes | Object ID of groups, service principals or managed identities. For managed identities use the principal id. For service principals, use the object ID and not the app ID
+parTelemetryOptOut | No | Set Parameter to true to Opt-out of deployment telemetry
+
+### parSubscriptionIds
+
+![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
+
+A list of subscription IDs that will be used for role assignment (i.e. 4f9f8765-911a-4a6d-af60-4bc0473268c0).
+
+### parRoleDefinitionId
+
+![Parameter Setting](https://img.shields.io/badge/parameter-required-orange?style=flat-square)
+
+Role Definition Id (i.e. GUID, Reader Role Definition ID: acdd72a7-3385-48ef-bd42-f606fba81ae7)
+
+### parAssigneePrincipalType
+
+![Parameter Setting](https://img.shields.io/badge/parameter-required-orange?style=flat-square)
+
+Principal type of the assignee. Allowed values are 'Group' (Security Group) or 'ServicePrincipal' (Service Principal or System/User Assigned Managed Identity)
+
+- Allowed values: `Group`, `ServicePrincipal`
+
+### parAssigneeObjectId
+
+![Parameter Setting](https://img.shields.io/badge/parameter-required-orange?style=flat-square)
+
+Object ID of groups, service principals or managed identities. For managed identities use the principal id. For service principals, use the object ID and not the app ID
+
+### parTelemetryOptOut
+
+![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
+
+Set Parameter to true to Opt-out of deployment telemetry
+
+- Default value: `False`
+
+## Snippets
+
+### Parameter file
+
+```json
+{
+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "template": "infra-as-code/bicep/modules/roleAssignments/roleAssignmentSubscriptionMany.json"
+ },
+ "parameters": {
+ "parSubscriptionIds": {
+ "value": []
+ },
+ "parRoleDefinitionId": {
+ "value": ""
+ },
+ "parAssigneePrincipalType": {
+ "value": ""
+ },
+ "parAssigneeObjectId": {
+ "value": ""
+ },
+ "parTelemetryOptOut": {
+ "value": false
+ }
+ }
+}
+```
diff --git a/dependencies/infra-as-code/bicep/modules/roleAssignments/media/bicepVisualizerMg.png b/dependencies/infra-as-code/bicep/modules/roleAssignments/media/bicepVisualizerMg.png new file mode 100644 index 0000000000000000000000000000000000000000..67ff829098fad6c9974b64fc35d753815f4b854b GIT binary patch literal 14280 zcmch;XFOcp`#wq}N)RoHh~7(rgy?00(V_*3=uGq&L>tjYqPHkPL>ME8UM6}M5+Qmw zhCv9UjNXm%-=6RD`+m-wb6%WtKED^3ZLisDuY2A1TGzU->yCP=t4@9W?sXy}B5F+y zumKSfF&_AgAtwcX+rr&#fj`8a2I|U0W&JEGz{OPuB^@OqqHpn(r;uyFHN|TU6Hg){ z)`-g=;`qgFJ0c<}3r(=nvp1IOh=`{R(R}{kEg?4bQ*5wJrlxfBJiy6%K9246SE3 zM)LKfa59_zy0e4}_(3HyjaHeQvx1qzjGQx6gNVKcxJ)GCfpUh@auI8wfqUR938*ky z<;bfX5K7>`6p!0)1OKIe8!8-1tIR|6zwpJmL?nlVv@XRUir z&xX03_LES>cm8|*@6GvrIbn#@t5JbsQH^~$|Npf8_udC1P~ZROktkBaw_~i(?B`o# zgdVH&m$*#-va<#D3slhAniXIkp?5*&yU2su*0a9zlZjRg@_dh! zI7G49sueEzX3Lsc;#IQFrw46naV$>jm}*a^KJ)i=ym-ScUd^t-a(?m z!roW-F=dANakp;X1RSH_>UB!WQux`)c%8eA^H@=e_u6=$>WpE&t~Wid^8x&@akk!C zXw+@u84vzC$F)o((oH3t>YHW~U%lh!hzOVJS7Y?bL}GU|e$blutYgOBAH8|4Op^?FT~XL_BhXoy6`Pc6Mm2PDSQYa{ zv5AihLdHSeeTusALt z`oI+lD9@Y!_m4v678Df34&u`CD%SY_X)kRCc~JurN`G_4gTGVHhsT^S>2reH6H$8Y zaqsU+bgxnt^`0z7qjuLuzuB`k8h6s!l)y*q+X4ZDP~>vsd5(2F(GOoWpmuk5N+2=x zYrbvTz{9Yxp`3E`U|4a<^UZUkr?swIcQ`}4>>ouSaz2sw9c;=mj;!H`)Vntyk&i2pbBetKoP|dR9k8v5%~l)t zp1xM7ainP0u%KdQrkNcVQioI64yUe%)=R97?ngYTU#bnGWl{r1_JIrEggG`U*Zh`p zT0ItYO(JoT(VgNAH^6+e> z6bLyk?=5S7KJUuxvoAcpcp7CiT9LB2xFYd@6THt2c}qG>jqBLPiH*k1mN~@~rNa%Z%TTuJ zhH0KI;?;X*sT&(F#{S}PQwf|Z(CzsSNw*n!=MgnGh0&XrRwxcdq~f^7jT8u&f|Q9m z-&KiC_*s&hV9#w@sg+~FT6t^iFCBM~P_`9`oCJUfYJFw{Ct8l?DGB(>0sM#_$a~A@ zXfA{XUznd+5hK#j^;y!z)XB*OHe=nb?crHnjaZ3U$(iJ zYE`2ccyjfy^p$CqBg6;mo$5S7LUse4tCctN!z9)b))sQpmC!KFd z`M2~<@8yPAHWdh+u~=%Nl{%Fs(vP z<0WY>XjB_)V|oQ6F*Q-d!$fMQ_3^&@Wb8*_Gt$FC?Mvg0w8O0UF?opn4EYg0bDw-+ zzccG`wbA^S9hrJA{T~^z^U`qY65WvSHs^ltCKRxJxKc8TQ~|rA%*o;A=F-QBQZt7L z8g|&Q|G}h#g^=8{{xpNJcD`<|XoWXhSqN$Oc53;Slhu2v;chcczFVJ)LVK@{(2TA$ z?e=?4Mi0Wd0=tS{xBB4GfAYY}glBxfn)yKnf~((L-w2qw%IvwQBY9E3UUM?HokgBR 
z8nci$TRnEt--M2y@-e7l{Xt3S5pAW)bJEh%T0bXj)|R)PV`hRb0-0qz{^}jbFc+Dk zd!Ji*_DO6s++dZpjhEkv?70b@s_7%W!BVhUP~HZet{b9$0PMrOkQZF^uvl%1##{#w zbBisa&;Qh$F^x~6NF-h&LbtBNBgqwGYw=50S9MCY4c4Wq%ZmrFN?l}_%-jIzV%mNn z^DHT_KfLHR4A+masMqk@UFwr`!BkZoAKxphYqxl@ES(s@gD+BQkJCrAFC7*#*E%^g z=l6X}I|MC)1M@(`i2?>8w72^#PNreZ&3+-wxql}L(-R{b0qEfx=K_G3jWIqW2zTNI zfP!jXjS2BHw~FqT0$cRA7||B=c!`P43rpXxT85RYX~`1h>Z&=a=Q9QR+%H4~T@T)~ zsmMyoM)(UsfEk-Wq$bM{bTXv3)sdA25giIS>hZ9N?-K5cW!HxE(!@GUYhBk3Mu!%3 zd7))Fb#>@7|E!s0+*E`T$?nKvpQ@+Gxp3lb1sML5S&D^$!OM%Y%^(Z)e%~H5;eKDu zG*3iHGA_fMW}@1 zU`i1Iv%UdI%dnVnki{syHIxB4IN&8iq zpSq2UyvE{H{7))mL=Qs53+TC-0a}&aCWMbJqYSE?H)0u=9|o*pl5fv!H)^zv)Rs|TPN>f zEBE|=1Q)k)Y*5rH+PeJGs}0Ux4eE24u5)*_{PakCh=^`3Q^DVS_4e;Kf?Ny08#W|A zB8(7kAFHzm+5!O3JLczdZbIVb{gq_89!k-sIRiAFhJ`X+(#2!(q#;B1NrtK;xX3Hi z3wn{6@l)b$9;BztKk!%ImX8~L|vn#44kZ|tUu~8V>hx6J>?s@qzh;`Ka;`|J@ zR$7ahYYPb}ep}xnx7jpOEh_k$RKsg|G~^g+)Iq~4yT{+DL^xP?IXl@uIGA#4+&z)Z zZH{M=nJ-IO&N#4FWUto`I@sRNjoSiN!SezrSQRnjzo{UV6%AK2Iro!c?DTZa5~-c` zh)IvnZ+4Wzbh7t|&y`a?R5;!GQTAS%hUuE(RIMA5fi)z5*|#2d9-wjbC4$YP9OG^& zCbTuIC0egU;>_&YxGs4pW49~6J^fTPkA0r9>CV%KgO8icLxLm&{C9di_3rS1H*NOP zY`5B*ZHKsVf2GSJQVuebh_4?8D-k>27f4^Am2_F({Jnu~#9B+3wsv1ats+CT4qsoz zyK=S)N*G&p&mmi-gnA1_cWK_Ym$Qtpp*TG#y3)U7u{-^KYn>`8u!vq1%A+xQc(PXB z*uPWJBjU-ro23+zaT9>WHb5XZF|gl@ackOEV@w;=SJ?i^;3|i}WypAzz|YuQ9)&wZ z_J59hABR;JFL`Qj{Tk~%k+M$N;>i=-vNx<{ar25rBg{LIxpQQNIEa7#pp$De-K}NP z`)9HeqOAGA)JHM57C`u7PSc(P3gcf?A}Va|(M#SdDsNa7;^&aH|EW$G+#c~AIrdoZ z;uR913AS&eW0iY}^P{_>&$iwVTV(>pIWOF$qa$p?rEyowl6+s!XgOqE@fwaysL68) zG#mMK3OW=sRYXRFzK2HUGSNOA7ax!}9FLo@3Tk#{?^mhG;(~b6+{tR%{>8k}K=(*F zV7E^STNxf26_+zYY>C$P9kefRIVmazbwI2g2BUQ-rym-VuI zryThh7yY)7AMt3O`Rted&H8ub}4NE|}~C(kmLFabuLXkNg8#27TgK78pMg2dNWz`Spg4K-A>q!QUSf z4>1fSp2Vj19pB+d;I#%-T=mKfFv>(}u2dq<68W-Y^Rxofz`-n9RX7ldtQ)Bqi{2F1 z(XxZah?PSCF>CfqqKy|T-B56Co;~m4YdL!-jNVNv)kM`zG+!V}6?aPee9tVHPfr!^%~W7_YBo-k zMl-1>({DsQbFShhk#!sn_xkRYmn#vaHV>Vw=%eUzxDiVvH1c!(F^`usCYQKbhHHiv68Q9Q5E8O!QmDbEkDc^!F@>=wTh#?e;w`lqg#He%etl*)t7 
zxY0=HZx&RkJcL_eIM-`_6y(*cAIZ`TUhYbKgphcdYkrO-j*sX{TU!K$wtF9Wk{pJ2 z4G#2FqT&l~4Kb_}mQ!KM_HZSR2{l=Ss69j^l|XB8kBAe(EiJ}VCBEA~bi62#9Pw6& z9`>{F3ME2oiSn$BDTJZPDnOdnMs${wz`8^n_%b$_c*g2So! zx`+geqaX#R1Mn2^DpsqL?b!=xa&Y8gY;qP=) z#S$alw@!_epXx~h=Z@-L@_VW~Pmcp-r1l?A+wvY|`2X6cFH|?|x}}OH4`(Oi^xiy- zr$-2B1f!y2&y;J6ft{QGP*``b*@Hq(E)iv8i$E!mwR{sHv{b;|f^3s~0$;@(uu(n{ zXDCthYF}zO&ZG`FVZEmr)v)CSUjJw`!c?bfF?Wa@6K#OT%$hVBScGP zLew83tpV{YqivcADUczfw@siGN?QIT^}pK0&g?NKU5!JcAL>_O^{Ts(L@xIHehy8VFVw7(&jYXdT+ zSd%sdsz`}w{f&;^0nlIdy#u%_uC;FVNv&&TaA{+SQGotrVV41fp_hrNmY_8F3 zddQcrquxeqAO~cmDr`0~oEME}+V+QD`?fDhFTJA^)fe968kr;El4dS` zZ-MUWE(TuhL4Kg_VJ^P!(EaY36L_qIg}<83#rbOAsZ^p|Fz%vWcWJ@bJElMyGY(gk zqK|2T-KLlH{sOJ>q;dhvo$N@{&>!C0N#cTTFpbEbEAHeGhkRWQ%*DPbOXG{Oj~u=w z88as>YQlM&x&pM=$vFD_GW+;pzx^OLdwrwO(I5H*vwI1v*iX8J53Wa5SC}N-<+(o@ zG@aLSP__?;l}n(TgzqnmaB787dxb`ZJ`&63i2iD$M$a-ZEu6@5?{&@HmLfk+W#0x~fs97%YjsMhPBL8DFp7@G~!{9qS zo$lVP;+;_HuGEQmfz)f>$y&bVlvdu|847}KTm}c~b5wWgZeXITe5#sg!IS4_kc$&W zoEps59`q9C%v8{<4tiL-Xob%2dgrK*qMwjV?cXYR3f}{G#Y;9B>ZfL5C01>lPT&kCS?8#XEm7=i>kQi$#i%1UuZkGNJ}{8QSUoQO@u<%bYCj`f5K>h{v5r zuXQn>FB}HjY6tW|Wr&HT0_OGh$B{O4iiDGzxU!p~dg$cN)<9CzDo#5OL`M3WJ?i^) zkBd^9s-Q>0$oK7};O@uK4#_)A0VfV0))vzKPOAN-YB+UYxt^{XLiJWU)6>JvQDwuz z>p$l&dVZ+%Ub8p$te$%ExKL-xd-QhGuG7=HmB*N~>{<}&k0@JJP5gRALwb*|&YJe` z1eB(G1#PSwLvaBEr*~H|7(4>L9!bMVLYch09LZ)}wGa<^@ZEo?i>E=fICJGxL+hmK z5iKzn$-y7yj?)9_USWo9LpB8HVgSaa!_(F-c6D{F>xG_y!%PlupiYsrDI4NGLWCgR z%63K-`BKwir$yLv1odmX1j2%rHHb zUc+0M^@HwYijd&tS0{!FN#=5P9#%&_H?0af#eeVboF4DGm$51MojU$&VnL|1?KtFO zVmxr-A@j%R8i(A!4fAtRSpfsds#Bn&M>}s|=SdU$e3>3&%GMj#K@NwAMTpe;v)Hj*tnLBu6mT zDOy?XO}9{Uc-^1qeaNDPt>YgWsIN`#JFYL=>5jBw403qz7`rggS(vH0!EiW>6yFPQ zH{YA33Zkj@wR=2C54-Wf7~*d*1dC9aHK~;Xp}qmz`FWE0r|JKh3(9)wCki&QJ6&vfMdIOL{zpy$i>Kddp@+N-Pk?@FJ0!he^Sa_nblKt zB=Ad0+;SI{eREnhJ8KD_tLvNc9Sv8g9WZtEoqF}$9?YuVe%pjdp9@6vLms5hzdK_4 z{3uBy={R5sq8TARyP3}ohH(I^iG(IP?rhe0f)$C0TxXw(#Ue4c2rUAK5~$~7dgxOu zvVNjUR^5rAT!ykhB=I<}rCQ5m(G+pm#dQf3cd@H6E&Gv*iruQ;4C83MX 
z^l3rOoKJi=n73q#s-Zi|9<8A$XQ|lG+x(_xR`bH;87sh4nGkt?Yr6hx)!oRj5|chQ zQgYoPMZ9?4Bx+#($C0vRqA!pF{`%`W^Nm0^#6jk3D^FQ?XD96U0Sz`4X?}D9S=;Tk zya%_u1p;Z3l**)x}E+_>~qTIeSs+yM1`r>Vt4Ug$wzw;Ij^R!`}7BzpE|cg z6$c)rShU_1#wU46A0fPFynFlo2`cFgI4$S1H%~_6IR;-v7Xg$Smlj7~-*soB%*yu3 z9~YGtPFwgzXqd$$kb{~BsBW84FNlx!&>CuTncMyXK2Wk5XEXk{RlRh>bJKLa^Dz9Y zX$rv0MLzn67t4KDaU3jE370TID;QAe{XS_=E?{hR+jw41+^ASP{Ol*zVz^dvtOWM>mqh2d{L?3}IU6v9zAtFZyOTn{KYiG1bQNroiBgDc+@C2g z{mqOtMmW$sx2O^Z_`qTCB|mf@3dRa|Bs_bjAS|ZGN?)BX5Anw!GG;~m7D=R9Es85} zwY*SH@aO+9S6JST@5u%HNbR6<>Mog|g`w+CjmYD5oAIs1L+mN+X^TS$Kvrrn0Q9A1 zHj0o3R#4+j;7W#eB;X3-~W9T`p|W&k#fH=RTBP;aL2!k!f{ZC2dPQrS>WqD>RzlepdYp725 zx+U?IAGZG)x%fO1N}107{*z*0gAPDLpTRsFk>c-WEjOm?E19o8xI@04BoY=DwlPuo zcC+ioIyd;kKa>}Pq!quc5bxS#{_*GWGy|u0Ma`9WnxDVQd7`Y^ec@LG0j=Zs0Rb z&s`q8SojUrS2XflZxsLrYlELv>&cT~!dJ>!EqUJ^+w@0HACi0=k>)SwzP~GLcIf>? zcWQ16y2OP}kX>ifa|vOPp2eiTcXAPJ4Vil?+tK)E7dhCD1nTi;^LE&1@rwb~iLMij zb9r^+Mneyv-+0CgTG1#%JX2ie=XS1d>-j+g!dKk*GN5{JNiU|+*AOOqZsr(PEJ>6W zMHehQ`-)OHKU<%dQgnCP!NjZnL=Z!`1>wZ`CYAQCimA`MVr~mhBjJDU5E6u3W}51? zn0IA%yCWq`ja1w1;h$`z$JqyJmKE8SO5Iw|V2yvmnehNkfb!p{?-Xg?8wS7>t;l}- zxNys|Fx>TEUl11OaB=kT%K|zdkV=%5qS>(VVo~D@orA91$3B?xiFX5MEztbZLUk`W zoZVwOVG?w_vjaN-APcR$=Gqj#w&2wX+dfvVRj${rT`QaM#PwGTo7JFq7JDqxpbO$w zA6q4Z6w4-&TDD}DMx=m<>nYslU8OYC_kP}M_yX)rKDDq^y8v29BZiDb0U7q;rM`3r z1^)xD!l&8Af`)n0?>M5%EE*faY&CX2Xo-9~-o-VZsmI>=V>>T*1|(l(Lda-fVsmf0 z|7?Q$$bW5;brEYaSXg-tsRFrTvKKS&rDhxfM(KE{C9<%pYIJNYwZ|NwH!6EVqo0OT zG0k`H5Vmk{iAgfHPL=Bm4f7lPPAUph%f%;p9wy7d@Wwvt;tu`yr)mM=3v9cCacX%e z2cQTcWtDs0e`aY}3uYNLT6d4P{`|oD${YZ!t&huWp&|d;@Yfh;w;DrI@8yyFf%x3M z*~$2Yz%%RiP>M3dsRBgkoin?*eQcxEIor=QHGlovOz+j%e1A&1PA?zWFeBaF2#1?) zo=d&%Q!@OqcO{BSbh+d%!)o;=Y=P2#>Mg5!5B$KxJ38T6@rTu$H4(^d=%1ipp8KUn z#hSZ7lJ^$*`#7JGJe?Y^6@$jrqGIUp54^fByXpX;PmRao6aM**7)H4$)J4h*%as~{ z)cU5~zzJbUc@Ick#>=hToX1Pt5egOaZ)!L@9Bs8mFPXC!$eCvUMlrhnz(XwVHuCuF zv?UU^l zl3A8fJu|-Z>nwW)ug3)LxXjEa6@l18gu55-z9=#NvwCgxorerrqN0KQoQf}b`dW^5 z%{J3S*ZvUOIh#l6G;@%}e+~F!h6MUoWngNUd)CPL87nVCJ1P8G?lC}kZ1i6HIDyg! 
z2#@Qc_y{(?F4Y%cNU2#Z4DqN??{8FWC>)&rJUP4cwX>0aa;l+3lCZX0_+XoK>R`k~;+M9^gG1obv+( z8Ub$XlEC^XTw#+1W-@2Y{u+?&v#RaSc{1hN*hi6aVn9kKMW{ePDR9bYZ9xtPQr#9; z+dFlNw*Br@23-#lRI^;ENClEy0%{zGxDI2tSYFF-VGyABF1AZ-BO7KRcWb@su2{EP z$&7Vsv-i(&mUCHwv7%f|7=qq=iWO;6*_es)OR_gxU*a{oSMJBC=nLWIJWnJXKY82@ zt^pg7Pv@HuJ8cDQ$p}K@D1XO45+$HScMDj^yoA8bT^;2_{KM%I&L6Qs7iX?Pt)jtp z50qrO&=WvrlbHA=SF>K#jnOg6^aTwS|6>k?tk|cBG_JWj*?Oz^fzF3rOvE1Z= zz=_R~eJD}naEeZHDxtBQEQsqjpcreE-15Yarb6Ggl9s(smReVnIX`o^e(py zyDW7`Zr4P(w53P5?Ei5K_9(qxq=Swy$ew|XnnHcYqD3t2uVD$KQ`xdx?RiQ3MKSPj zf#pHXAhlW&W!oTd2d+zy2gIfL7yKv+Ebk?d>lURLB{s=OM;FCSdfa<`Dygxfz?H=0p~j_Krh?kS>>dA+U0vVe{2Nj8AL z3$?tgteIURp=Xj{tz#Ml*W`*F_W+%iw*?c zuf~p^)e9g46T}x!)&Ux&jd>j`=h3>tc;|lT?JLo}muLDkTFJj-{k8KV3MHGoTF})z ze&}{td`NI9v`7X0)nC{6_kx?rLdt{*0%9Xvp7j7tIu^z#seh+%XxYK*uh-1|XVI>Q z9HO>Q6H#gTs^6h1eC`_S^bl^frF6mgYkIk1ISJWn_EK0c!^wH^+>l4cj;dZyLbZ4_ zpADSK5okHNnX~P{QB6^|)7WttUu3y;mj)9RF4(^UY@E55)#HFFPOiPF0S zFxL0K3b{va>O(4xXeCD|&e@JV-VvUhq`!-s1rn)r;w0CWI)BFw z+E>Yp+@gxjCj2{I`kH){KEu5g@j+72)^2+j-ytIwS-P7pcKRvpOWtKhqU;rXYnv#) z1<|TgBbQR6SJw0m8>_io5bhgSm6P#?Rcu_KOlq*Q?TeW!B3#DLt zvOzpbz8X1ZwXV97Y*%BdqVCJMJ=*!|+N;TJoZDATo1(VXJuSTZlRTmzv%?}o{230| z@#}ZDbUmJ_QPC#whD2*$Pd|Pgr=For_jBszr}nv{ZhFb5jG$TFr4ZSNk9XGjDo6lm z`nwACPPf8x_v5(zAUShAJjdb$12-d_A1eLH(|S(PxZZCw?zQm4=%QWgeyexk;#leD z@=1ASA$m!Aur_&|#`U)2f#sVTDoJr_@{6j)xju=MR~~;JdL~-v#MA#RSsj!9NEEkE z@I{kB5&@@|*!^}MXszfFv>Fjgd*kKOg~?;wNDcmn1pQZ%ed;kLL2hm!r_{iqlxsSZ zUAamxX-GVp=4`!vhj4WE`~KeQSTPhcrybVU{s{9)06U;3?g*isBXh}!hy9rme*<~F z7|)pY55QAGXEr^Kzd=Cp&{5UMKK}h8pm$u!;BR)EB5X?4OoXWh}DI zyTRn(N^tckZ^Pid>xHjLX(AD$kLV=qxR|U&ZM&)yEcx%+#--krAt5{XbD_y=7!=A@ zBtFcI?eR8L?_PXUmO`wW7pCL?kos}Dn8jl=50@(8-MyjMuC(jv-V{~rVoNMkqqIbw zNxoU2Idd>Nxu<%tf5=1CKJii^Mh{D#-v}(ZIQ=TQyFKBuQl=*)JYRMnlDZ+|TADd! 
z)4{w^-H^j)L?||OxYDldnEN3rdmhQ{1%7uY;TB}Q#u=V}{NbtU?7TP^`O zZQ#^5QNTOf_10M0SpY&18G8j6pZ`-+i#uS(;&4h{BQ7xKB2FOH4{Wu6B@P!rMRY2; zs(iEWoa%1C-`;jv@R}89cj8yJ!a3GYhJj+2X)1dqFbiQU`gZwDa@HQaS;ag_Md|^- zfcVy+)8AR)&WDFq|AB_3?ctc?YvcBRrI~A1P1AQr(`)9xrz%k(DORpGV&A!y?)Q+D zuKemV3L4h#5naDo;xGA*NJFdgL2*;p?Ltn*Y+;_LXPS*_Rt#6VUzVi}WEV%!J$R`u z&q9+ylg4p7jvHf}j`SC%iTlEqI}(MbCEfp`T_fJQnxlp6{%UUJw))uOG;8je_d%z@ zr5Xu~1Rs<4Y-%Z><6(PK@=c9>58+=}o~jRTz#$nC3yIZwyCh<^9Bt>x@4lZoOpC6v zHp7Fgn!uA0&Ig7x=f+ts(jRXqHXyV~a5>tTa4|=>ns1=j%_X3Ol1iG(IJJkUSXv4x z3pu&4cIs8{meu!(1fFG;Qb!(nX{w`L3_B%f_hKb7D!Z;X9(oI&K1HZ{C~bgqaw~l! zWUAt6(=HW|6&C2s(+2O-0`EfqApdq@8uW)|Bw1L1P`?^FK+B{j-^U~;%()bG@t_!6 z5H)5nn&?O?uK(IAktK-!>(1RN6 z0XYRs56b&12jnFv%Z+V2kf)%S@=vL817wtm!v8s-uR9IqHG5}1!2ZG>p!$Nmk)?_T z+Y=d?PtXCIJ~3og6~AI8%pk}%lYPbN0{K&AQA_uie{QX~o&UX<6fuc`{-YTcfoAP4 zN}w_;agB$yjGKyglO>Y*@i0Pb%?JKklcX^zQ-o3u{3tQ*d;R}tVRdM0xOvyx!{3+q zB8kU?+McBE?@iU5oFQ8pS?OWvwehAS%p0|SHu;&Svihnolq2!~NPS~bdLL3hxF})$ z#{EXGGFQWM`g}kO$3adzVi5L|8O+9cyD1dj*PNF!TeeFB8g}>SKmqFRdzX2Rkx>I zt-l{it9dzP9;$#t@!blFzf_~k0lBH8YaDvZyV{16`#lnuI_qJX|EtdWUp+U02j8XF zXSaLpx&7IHWZeIg9|H1*mum2(|3@+R|9f3HAWgTp6qjGsH#HT4;J5%OO9h}LGlj$9 zTWyzebqlZM!L~~|?xp@OOPo3@Fw8QB6?&ER4;U~?Eso@U}u)J>%K_< z>L=Ln6VBHGVIv?_MgRSsR9aUjef0XDhF#$|SfmFpWlxud9REIWsLII@kfnXDcAHiF zx83S!;X*|=pdPCPoo~mt{YR!Rjmz*fe`WXmEwPcY@tuIjms)-@;I!)E;+R^xq#19<8S8Tg;N0aitizZ&TeAi-vwK;_7V{QtB(>JT-L4)etW zS~sC?z!djGJM5c+fCDu2@(g;m;nPZaup&W0AxE^!0muq{^d-wFZ{ECll^xKr(~ju@ z3dvI6-6hwJ&mHy`KqX3Wps$Wf`;C7pKEA#Pr)IWi;Mc7J6tndOa(i=^r5=hJA+?S} z?O)qhkiI!Msn%m1lxVq=26}O8&FTW9Iu3{D0@)j*R(N1)IE4cEvX0{R$=~r(vqpHD zXx+;;6Or6@1$x-E2d``%N!fPMrm}6$wzdKlAWvq4`G8js>^d6&)RIZfh~}BCHcgeUh+6gD#E-bO)P|eN7bHO@OMbp&;E&U1k2V zASOaFWx|<^h7I2$^4U7-k@Q*=dDf>2s{JtuR-iP8L-qW!Y)5qrjFvYhXK@!lVE`OW z@ka!WkCjw(ot*dT-(cR`S1yYrXb$@7gF^#vZV+j<-JSaR6Je1 z-9|S{eVz|G6LjESmA;Io|Nn}sq`#t$nZz%HH|OMQ#A+&Ak(FNoeC5l@SM}jle#nc5 z|GobA=Fc@B({|U<0(~Q^gjJt||Fr%09#1L!^N;`Sx~~8AN-~py0sIAt5$(yHQHOU( Rp!$wTQ&ksSrfePje*lb7E$;vT literal 0 HcmV?d00001 
diff --git a/dependencies/infra-as-code/bicep/modules/roleAssignments/media/bicepVisualizerMgMany.png b/dependencies/infra-as-code/bicep/modules/roleAssignments/media/bicepVisualizerMgMany.png new file mode 100644 index 0000000000000000000000000000000000000000..7dc7d4343919fad1e8387e16c468dbefa1a113d8 GIT binary patch literal 21575 zcmd42cT|&I(>|&qy%#~GLjaK`NRciOdJ_>a^b(3dK)Q607C>6)AVpM)^Z=oQV4+Eq zo=}t`z4sD0H$LzC`2D`W&ROfMv(6u^tb~2vd+*sZvuCbrChD=a3MtVYqHEW#k*cYJ zpIp0k19I)!bq4}G;1`|?ok`&1y89Cqg=^*gj4QyGn|AVA^4G3a#S@=f;sW0ZU#LRd zuU%t`y!yKyzqn&_?V8?{8d(16OS6p@{5LfEtw$|>vuCXXEd%beO=h1ny;?R!XGTk! z?%)4RVS6p*je9>mD72J-Pnm|A=#|9M8){oaQ%@~N*1NCr;1W%a$8uO1H`|!a;m;&8 z)1%XS^Lrf6t0Tp$lCu}NLHd{Lau@S*ngncN6bd8!2)?UNI3H^_l>+cn*Ny)- ze@IA#>OXz@l+stud8GCG<1=B!jb4&k!3Y2Saz?0T@VY1<!rbILXz!-jAZ7mcxGzobG|gfQuoAivlidUi?b~jMhtOw zenM%>(F{iImaVkKr)%7Xe8f!lS9|(G91hE2<~bgPJ5e+e`E0+(Y<;D2=YfT4ChYz zEopo?*1rf_a`_$ZK>#%=V&4x;4mdo&gguGB)VEglJf)M`mb>JCW~f!HbvF0t|Frqu z*P7@w;_jZ5HdQ3*iP!RFm7L&N!~7zH@kFn9Ey?aVr(c7xj=%|bll^Zwr5pK}Z?IN{8f~N4JA8jU|D9xpcuctzL$-nV+m|d2gQhRLTIN1qXl;w;oI; zlzM4h)WMo}>_mUJU{FM3VpjTRZFQx|P(t9n%xVVTp^8Xlj}yAH)2Q6Zah;3vLc{pW zvu@bs#o=>7%|wDRvUAf?#AvgRdzOqJ>R@eL@Ho)ay^Ae!;x+vPH&jbwUQNwNZ3c_N zsLKmlfw%4zrcGX(=S%Js{8_{vW>E?%|E%IU&c!14Nw*LSO)->|@!=q||F*o;!H8Z- zs?W~cgwikXyM70&i-7?$Mk+8?pPd}P%}HB7DWa%Mz+^o(PIE6$axF3%g9BQRX8d4Z zqi>;rPyAl^Ik(5=&iuifOMkL_8~2cYUfpF?q!pJV;$Y6;#I-_hpnLW}4S9~ta&GMI zmsnynZuBTNb?+1P8aMTx^c**}v+j(W{^c^`$pcB^(sF}Y<+0zPxTi-)asAhkc)awk zD#j+w^p(vjH4KBQ-I?#ixCEVHex9AEn;=GOp6g}Zw|te7mgZ7zvXpYy0|XID((mrU zHLIa=@~ON~qkZ)?Ss4P!kc!Z(o_aYS>$TS>-gKSUNJp!fw;S!!hF#B(5kL|P)PIU% zVLvW0$KHEpFv7pLG*E|eZt63tv8VKxGmp|hetS(n-%7H-H7j@AN)a9n;?Lb};&*2klKO?xA(zKRq_5CY3xCw#GSK)ePR~A-X977$rT5n7k$| z+mFJFND+VvMneyDRL9JzcB^G5J}?E4ZnxujazHdG6BNNui#*rHHg8DV^)sd!e-ZgE z7`PJyOHE=JE!4@iV5ZS6aGn3Azo@g*GaGwHRGp{SA|hQgORR6y@4Hav1e}uN>dp~O z<+BI?#qfMy-pxdDWh%)aJI@-Vek`xIma%#NA^zHMNIL|ESW4sdJbnB zGR_*58NuB9-T3Uu*TB7Fznfoui)CoK_&ss3fiWC1Po%sOY$jADmm+s5sMWe6NNvx1 
z|JJ0sZy9g*E}d^dLnC=dr|s&4bv>9~y$5l-bq&l8#x$i~?vJJd(;@!M3SIh_2kQqlwe=PDOH=rySi1 zlJ?Y;pk3ATU33kn$e^wu4z6BeY3FH8N?XI(Js;Me#t#D&E`^p|bE*Ul&3ryEc?`;9 zk{3Vgn49@+)Ru27Wqao&Jt$~?ncFytH}}ZA5{9R=dL$w8R%{%lgSBY2A7US8Mr#`{ zYoN!R8 z>iFAYaLKCsYjVhIw*>`CA@-`Qn6k^mIOzRPLJ2R1>{x$cL@0?`+fRw>(x}-fOkU8# z>GQHgp3nWX>OExkSxAHl?3*F$pFMz6mRUxJw1*JODJ-m&!;BShi1p&Z`PvVE-8>@A zIfxp$PjUa*HtBR4E@Enh8r3;VqS?vh{bt&GHb5Ysn!oqwXE&`o#dN)aR2 zus}5~HtW^8$nx@MNV#TF-^yw7WwmsJ4m}CIy-z$mOmIMA`x6d%eZWCyU3otxp2N)& z@2weqj5Wr4$~Dq>HVv?bKW=)y`Wl`7dQj5kY+yR8x=j(>)hqzbzg%ot&U=PIfynvJw%Xd7 zx~N4huEm!Ru!gd-Jr1PD!NbAduuRzNjk^1IYwl}IUBg}?vW8q}4~M#TnIalOs4|yxaub zw3P?&(P|KsxZ8qiT`3nVYytLCVIxDz+j+bB)n{_KscdRSayi&Dj5S?&r!uRHDywju z^qx)h9?w%VIP~gjy4Ag!mQX6k{iQHEjKF5zyR6pvVwoZU6N9gU0K5jIL%PZf(hfc!mXCUGaC{Su>A42HT<0go?wN}^;U^?D1nehr zVC}nWvvSLMp(Z!s8@c|w-Okr+u*+41q!Bg6VgWrCw>R(y1cOdAxS7F<%_3u?5(;5B zL-0c$idcEFW#XQ(0@$a(Az3s%e=gaVbnBS!?A~A#g$6C%k89>S1xw5zVv0o7(}=yh z4YLV)r^yWbca4+86kwnj*!z;C`R^XASXFR>O|6U<8=T;@721aNVf%8J0R5^t23pGq zJC;tO$YX2`e5}%Ddb_c*<837KDxTcW%b}y&kKTpeSrdj)XwAfRgr}|CE8srPI-pN~ z*T9&w3hEWaxDUvb0cnqO@Iptn^v|&Z{_eA_OD^H?r(y8l=f`&`f22th2tQ)Aq2|^u zy{FSk2jlKgVlnX?)pt&S8but@*B{HNeOqVnq`*c;KUz*7Md=Ka)+G4*D`G;?IUM`A zh+C_A1;p4Tq!eR zSsiZGzyr{wDZW#KR1jz_KIr^iQ>E}C75|bv`^%ugJo!zRU4vsU&2m*YNCE!s*Y7rV zaI`$=J3`jC`EyTOf=5um{&o7J;zf3tb>BnJExwPivx9xWcj?)^NE$U&PNZ-`+!Kp= za>>E;?_;Ez{WAb{=_Gv!ZdJ|WW{EBa&k!>`D4=s3F07>|xe~z}4$Ze!GAIT>2)5l- z`A#r=2Xsoali&S3cgAiU5M9i3zRef!D*QK%Y5FIZpPIup2V_)dyxHqiNrZ2$if<3Q zh(70dzc%~W?_p#^d&rw|dq^I6RL)Lo+s=DbCs|RXDt)}1d`CcX+FDJHw4g)iRk+0t z37|$C6owr?3_Og#x4?n`!gi7RnNisQLornHxxR?CF;TdKEff7k@?XKZoIcZhWXx zpAo!4DTAIFnTk`T?UX)=2+MqA&eq&TV)fc-C~aXxsh2VX?3He-IezhvEPAN)IT5uj z1o~QN0;kZukmpCsyN~_4_VQ(>77|Rj6?8DiB)bik5Li4D7W|&BVb1-N>@f(t+^8^e z^D1G`Lgr|~b%f#iTISxtiSTrd+m`K6W0;gfD`)w9Xkp}Ta|W~}cMV+g8oN1Jy(G3aaaWf77CvGv3QD?7nt1LyTX-Vt5x%B6OZe4R~5T`o+!! 
zsLuL=4Rb3YwZtQZF3(?9=2@t)!`!1Nf}Orhf10tvfYSJFR*0s{4l`EIRDgUqz9y7_ zaB+exNRMuyEkB@(F_Z~rmnWZmcfcz|xQj|{XN2Ct9d;%%j`-Rt^x?~=IQyLm{I;MP zYQpWcF|WMem+RugA4VcygU5?WRY^O)bFcg5Z>aE1Fn7k!cZs}QqdAgkCXjGE~7CKs}&Rtj0*5fF$j zofkwi#JGnIu<8|^Lt|%y^0kv=H_d^& ze4pt|%Us?xu=U;Xp*!>O{QTKNUoxoM<_C;7C~U85yqg#ElV|hdO=Mh3ymgp!TnKj@8)|XF@D!NiG&vwd! zTmq)u{H9e??*?|2So*^8ts-XV6yR2m{s~)EfUwp6#!)84Tl7WWW!+JB zhhiX|-XqXx(wl+L>^c&Q$uMS0066#>@z2v|8+$HdM6x$65dgl#ca@qmAUMIYkLD!kXsNo@G=HN45Xov{+DFE&zyM8P zfHH#f3gqGja-zgP7{%8pV5&c85!e-o2kF&Pudu2&{~ru31EA(Btl4zFmKS%fkQ2lTCSy`w~&=8SA9Hgs# zwK29`yhZ5O*MG3*yV`&naQwm1qp$4b4>Ap(yTWz;fa>`V6aOC$b?lscUYPAv(Q=5y z9%2T_q_-cPZMXzEMl$;r0T`a-&jdxXs!%e?uEW`&ptFODAQ+I&YHS0?k@3=w(9Vd|=NSP!@02I<0fM1Zh@01(b@Ja7Lfo%2aknvw= zEfTL^K?49ry_p%~53mm1eT;XJwE=%5^O0VYboVWngD4Cwas@Fr5nMqSMs?1xzAW)N zF0IUG&z~1x?JEy}y)%J~t#tzBGCOm+zhXWAEw-PQ&Grnftyjsflf5HV^1 z0H9X`uV<4Ve9w4bIucFp4~(651C)NU@csKQMzs!$t?SGI`$NuLA%YEln+ZMe;axyg7sRhHu?F|0#+A?6-ZK&}O)KL680D=9koxHd$MN!Z@*3c6=OI}L zICSTl-tKe7@q<(NKXbkuynFIYI+SxigjRtdQSQFYL;vF!Y1al^m?Fy84k-U@xa0T) zTcDMNCpUOy7x+{^eb}X+Gvl-Pzu0axWBEsfB!pYi3)(uKfCuadR@q2M`=BCmj`Pps zgWO@+iY!pzzRKgESQEUz4w z?lV>7lYf@`$FPZr)eP?a@o#`05VCP-0FQf#&8x?qC5YseGypG-9Kvr;O;9{tQP7@wX~=9 zEN!Di5HVV>MlFT(6I_#ZMv6+!by?5@0=X%i$TueVZHNCqzRG}7cO9YsKbLeU9MjHxQ3YG zf$}PwwYD1KnalQmUsyGh_qes#%L^WZp>o9+rhpX~{(A}q6QGzb{duIYRKBqeL*U$s z*ZF6`hYgJ{dgHx*;TwEC$!e>9U^Z!AUEVUR#U}P#*OD{#4(=L_0^I-aSwyQL@1&(d zO0-SOw!SxbeUClDNR-G;DVP3moudw_6|&>2BMXgy_$X;`JG?y&r(kFK_n6bI5=&`S zYHOM23nr3dD(dudP1g!=6%|tA+{Xj0+_zqSiC}J>SB`%VHCzB< z(`WRo^X)sQa|t@k4!Mkr#&`g8a#3dG+;rRIieQU%b$L@S9Oktnwaeqg@sIf z3@b1@>)+YAAkvyO&G|okb+Tc=Jebtdi^2X1js|tSNy(iZL#L7AC3K>U@1;n1kv~5h z81RArQC7{jss?KBzKzxBJFZDvmBvb)DH!iBjY5)2p#6}&MC`Az$f;_Sk=Lr#2d(|9 zNB#dk%BE`Ye7IoDa`1(?X#LN2IlE-<6v9H8qXMm#eY`c#eUcJ;%#6DFeiuIA!xH~% zP3it=rDLXzm`@Gd6IFGxP`j4X9MgpT<`R?759(ezoQHi#Gg|s(T~_+M+M;QVV*^uH z2k>v`sRs8l!wR!@VFmd2|M9Mr(gJ>CP3b&Qgt211dE`4bUdsb zJ1~(xJm5|)OS+*LU=7@1hv$0(m@Jpp=bbD;{*{^qH4dXazrSZ#Yozj3U17q&%|XqV 
zMqHoH0sv)Rhm&@gh3=$Ko3Jjte;q)QAz&7B?1~#_k0e2rm-WjZ4&oFuq7aCLC zYwcV=eyS<+4ZAH8b! zgNPff9A0$2QWD!L=U#6m;O4znR%f&}Ru;MlwjHdfwi`fQ;mv@X zrsdO{{cA7voV{2Y?M{KQpfTyJz{N7JZ@mnAVs5oEspV(iY0LflIhX4IFOezYLOHc$ z#fd?TmYYg70qlhdHcQ;a3sD=0_4U5^wxg%YZ;bNLdk^dl2{5++<@25XzC~~nBtOm2 z#8s(MGeGfQUptpnN_8X^BEzj!*G*^Y7?T6B=@k#8PEJz@y@|DU@$14Hkm@$_-q3Z) zH=0c5E4WE{CtrEie=m00wUY@r%-n|J#>L(=;~3fl4f{1}>u;}JJF$Q!Btv0JeGjphu+hpiym|IEy{iD47*p-B@`PJI zOALl2q~@9cAo%rsh>pxbGQgGa*XP{z|8rLVH8=sz65Z#;wd)gK@h&Xi_BAc3aU0fR z*_K|hv&Dfnb9cYr%c?&o;!cgtO75hZTpfBB*+jev=&W}rE#U$vHfhOi#%BpKkaJnD zh!k;s)9AI~a78EC^rlYY(wSJ$nR+A|r%9c5DSa#|Qq9Q6t0 zUV?jq6#lT**$%Vt0RS*h0wn{#3swbMkFCxQF)ka}qgn6xIQuuh3vh0h0g$oRToiX> z5#3pb*Q7YJc)MtO+6OYc`>A`aF7wg1cui!VJ^fvuuE)LQ-ucdaQ?0Je?u~22Rluhl z&%CjUdl6Ue*Fnf#A6PgO$0UW`Um4DZB4v9eQcHDmj67NvJSEDTPdBRh(e4Y0DvhlL z=7pLWS3HQb{@Fvphbo!kHr z$bc^yN9T?Ega@+#cOpO@A5_u28!Z+1DKI&0d;lLu<6mzF2tR+8g289!z^jMYCGx|2 zxIC(0_GO#r8?Vw7gBp@U9kD2)!Gm#g7joI-Jb=vTR|=Os{)ux{KET__+L@=pegqUp zO#S?Jw!KoAiv~2uNkI>_+YS<}>~Ny9GoYBF zzF2GZt?Vhhi82u%-M`O`r8m62L>G&qSQlN8pt)k8AOg#=Trn5)R;7V` zaPH^1&`tFWmRwsCsrvUGTzG;s>U-nz*?bCGJ?`&N*n$l&n>aUptQsBrVXX~GZ4hK- zonvMPOEYzhHI7tb&w6>Cooau)?P64`mNLWYMcc0k2B$A@O6N-D%G=Fq!pb7fZCEdH zR%$}|{@Wn>WeU!GqoM1qlHCf3+x7JD$-~-lv$a(a`_A&a_{Nar>nVpIIYdZE4oq(g zUF&Fivs1+~;nv{_Fv|T0g(*26>79l5p;*f%pn6JQ|LGDSW{;@-3yAU5*9aOmdVuXk zoyiUHokm?!%PTtgPmik6BEJO=8Ft-6sK|hSba5NE_|{^~zi?zjvD=@?%bBFP<^U4c zD^Y6oQ9pd9N&xwz!o2NgW7jkw_|3zl4KuGv8*M1XorUEd-U<(F6x1~EWKkbBUvPsx zj9hyAlh_Z95ja*wGf{f%iVHIh0&bKKhhM059@5)5xXd*B=bGPC;lTK+J@F2^t}6!xnm{%lSBC}ejYNn z=2p}@t&u*jVw?smbaFu9dIFo`o124VUy_b^G~|X<-YLhr>3O$qdLZ;6kQH{-E)wCe z+gB9|qo1z@(+Jf@6tOF=fMR?n#lhak+rKt-Z;i;C@^KJ-I|Iid#ur%vUVW!3wr;A) z9*_#?_KJ#Tvy^_Ea^#P3Zdjxpw*yZnSepy#?5G^RjJM~aR47nf;mFSf-va<=+1=h` z;WZ`B7}>Yq->W4}oqW5v{~>B&hZ&)4{=$j!Zuz)0Dr7J5BF}u1d2nDz)gj<-BJggJ@SytgR_c0#!>m&KbIeTxP(P_W9*nD{G*x8P#!Oq|v$NirUj@yG- zV?XzMty1_dD6#OK8x;Ijci_)C@ucz%0~20%Bu@cV1JlMV=>FG^+b|hUuE1f4tJHhQOj?h4faiaH$8*cnsn=GfP&7yG+mJ)L# 
zV%2HqIvcw?ue*XTCRuKZ`^MefkpY6{|D;wx;RIt=V9lmWkTs6^WtVO9MF_vyQA62X zi^)cdUUHQG-Vthh(HpjqJ8ry|Qc}9`wpOk?h1<3pr~z5JE4h6`PhOKw=;wpjMf@%b zuvFI`+ntVNgn5oOQq{rslXCLi_)nal-EPK&q5=!tGWx z1qBY5dmxl9g}>g(#IuphAba1It{&UEG;VVmr>eIvgX$e&K2xP3Y0#PxJj`$pmOXf) zm_wsiT9Xo>7>0;v+d6}D+EB=k0kYAp8B{cm;`))6{5HI6US`BJkA5g2&*MRo2eVie6KDu+niPA7waO&w^zoH%koa@g--P z$&*_vHx5H>NPei|4pD`X?O6N9T%XmTSfl)4UCBMCV4TRf5Ms|b)K+x=N&&gzDCXK%h}td_TwlL& z{G5qd-W843ft_k>LAJPOYG{wzXj6H0z9Ulj9x;Pr!W{4YcGx*P)-ud@7{tWK0%?HG})crq~a(j8@JRw$jaC> zWjA|dECF?Ix-j&Pn8&&_s5Gg*zfre49|r6Z1gZTS2k)vQgL%Gq&QAOk&7E8bdy!rF zn_4QKC5ntddy3Cz?}60eD7n*Mk_$R9zO+i2cRcLtJ@p)Q+F`pcimeBE`bRHx3YJwZ zRFLT(_j-q6p-t#!kNZVuz}}Ai8N(t#&rzREy-3zIIU_8Bm9KTRuqR?%FpAll)KrQ2 z(xEcLY3sZaszb$!yW#2iiiZ>Ah!#pJb`jNF!8C2;%bZ)o!QlS--hM$HJj%%#4#r(2 zwY<A~>4jMV8znN&2*?o!(USVQ> z`{`$o#Y2GY7q3T@goOzOsL;ebSNakR`n^ofQHa5d8kvGc^09F)K-ic^2+jPT1pgudGa9LO*xAypHI~WbF#GJ| zu_dp~g0_aRy#$g`QC=!5@52Zer+$qs^rymE)Nk@uO4_2#gigfQN1YtBw=JTc?0iyX zey9$PI-tbK(feA%qNlttbHDQRU>JteZed|3^FGSAVJ!}Rd+q+S`{_wXUcC!Dm#{mBQJmL?tt9wa#nv zoZ~FYgyJik`tQ07;EEC}AnC>`RzlHxUVRtnDs)rfPyWby&1`0 zF!gfbQBAqWaqf)eSr==l)Q@HA>B%cym|#XIWWg<}SiqY0EL81J*=<5DaYBPc+yF}r zmQQGGdBgT$2)nrCMnMh@S1|<1sfx0262E-J>+QiVb>Xa)@5v~&`+M2Y`8NClq*H+S z${~_qaGG#oB?V@SatO~^H25C~+N&hKiT!s6fqNPZwZ9*neFnVjj&Uw7Cl7TxLi*PM zxzoBkL)q{<$FlQwk$7kkzmOWOUI>`Jo;3IR{ik>dq~I7HvE8Vya4TPmW4S~&W{pq7 zok_WuH7zh!qXk|{SA|#pEp^jgSurA2TB}OP3B2B@dqS`b6GH+#hp^Y}bcE0sg<9vi zoqCmTHmYD~H8aZLT&MVhhKJOy3he$6vl9l$eAKoXV{l-;a}TG^(RC_y4}8MigP}-O zG6hu;(&vx75QU09uW>g(9k+S}tucVYEDtaHVT{uPf8XBGlb3!ddJ+&v9Y38H2PK?8 zf258L)Q!O2C@`HAXZJF(YY864Ln}-!&r9SVzY#o*LJkq|RBFu}EpcotJ>yI(`5z`D zuTJYEyoUOPjx;QyQ^8d_*$O@U6Uqee55k|Y%g-Q29Z+xz3F3I zI#4yq=N5bWc$hO>#d2HWZuAbT17Mn~a(2`jkQeLj-yHuX<#*D@XT_>Emwi5j#IqYd#uJbG3LzC>dR zQYfbc8lP{z_(ZyEbe1GRTQ-c~FT9Q`2%$Wd`9fJDTLmD$RS(1h_2!oxv(Ng)z2-7? 
zVBZ0A+vpiDvouvMMqE0bJ1hYsB`H2JmrjO>PslA3t`hc5GVsO7$aX%6~ExrXx1-SUr$2z^0T z@7U*`Qg{s;r8ze{IPhO*5vi{KE?$|s_URp47cucD8(8wMvsec8?u{9W-EaRA=ESer zHHK7uO1vV;QRQ?>oK?D&I|fsK=#S5aL)#Fwt?FqADMdRnse-~mhwI0DKJDK&pRZ(I)IrMm!1@Y(ZkbC%e> zN+fK^te#x22{Xw~`^4SC0ZCp#uBfclTu4bdjHVgvbVM4QE=Y}S|ElY-dYX2{7|{a{ z|I31aAk$PN>RqF+!%XoKE8T~`9^;h{`dN2)1Y-5U^kDmcks;9Mc4)Qm8Kd%}QyXmPXfT6ei;iiLPGv4e{{$O&6~(Yq`eN zcH+kGI>#cv7K{Cn2K!%j0tA#+X{r;9bpXQDi&@rBMysYqs>s#^trN_|0mujj5xEOpwPsw`CR2#c~6^b>J`m;@SSm zrObpcXGRyw;-L@4*`BdkqA6DufDH5dqN7mw#Qx-w!v(brt^h_snec49 zfNA5ifgG9XC1K;X#m=ppUK{99T{AOgJ`OP3U$1n+1v#hb4-2#4FZ#tn@1T(l=&oej zUTCe~9)sgSPp90XBTVq4{!heLaz=C4ueSi;Ck=9TxDjgOK!ou6oneOtU^*AQLhV}H zzD(R+8zSAhuQ7C(;=&vUfTAT$E!L@Vn*4EkxUu&B!G3F3(7%EN=z$nJvz=z%-SU3b zuF>6K)=^wfe#pLKJi&6L-T;zz8o3MX8k;w)MB#U6BNEG)kZvuUt&kr2a|j-9ABz)vf!z(rdyyC zLt9?)jG1308~hb9{&p6z*S%~!i#Ky*1JO1gj$3v^#oSb0yVg^+m25d%oOGyUlW48( z$D?w&6J+jE0|VOU%BKPBxVg-v;YYvBk%=L9@5_Pl#iKr#_<%zU)k(r$ zMyL8FyMY+ML^ZW@(XkARHfr5ZJd4Vq%Bi>&3KiOpW09NDmfiuc&9=2=aj{3c0v#9i z^11CT0EEA}7qa{YsJ=x3mHLK(Q}wRe*UlehYa@&77P=Chuh|8x{<;JgCfqP5yFEzB zoBxda&5Kt6chNWM-6uN!tTT?OjweR*s_de6bX>!E^c61glwF3f>Zc;zcP6H-Bo$YU zdWgBCgQf2o^XQee0@K#Mb-}gATgg0nQ>_D8;uRmAjy9(^-Y01zuX+#Dg{-HpEn$Sc zH%-KsPmrHRKwI%lQe&_*&#R*T@go`E{Ys$gui?U0!gDYJ;JslSM(4S1rCS*M;X)m6 z>_R-@aOwIPK+8?<>~^v?!1n1pDJA@Y9=oe93Gc;c-~1Rc02qJOBs1-X0yr7XB8Q|d z^1n8bh8T4_yupAv)yqmsC>ic*Qm3GL>x9tg-t{oL%&vtTe9&*+ew!lDHgpFid2d2) z@&=)0Wi!BBIdvmAy}CKmCIBXBBTnYVRi}tC$|)nM5a`0_B|T4WTh5P}Lef95eH!&d z6$uZ#>VCPRR*b8x!Wr@?NyhBx*{Ne$T`8rvn)gin@W>dKSHV;ORPLO1ZL9YL+0_Ab zEG-q#wUqLiw@!7_VYuqnegJJAg!|0{r~#n6Y20~+yq11QF?g9cPkYRUVI=$-Qfrp% z@YfX>y`?K|GpTd91@JiDPiSM0OWe{s;nXnn4M`H8#OEv`o zHSMLBL(V;V_(O#y<&8a23A4Q_jPqDs&{>2%HAv4 zR0bi#(@FuNVpd5A?&YyO*d9QePOI>efr0CJV~TuH3zTK=U<8bw$k#{x59dj|0 z&%4#ju0+6k!1}nA)C`&M5c;ZEC*SIkaSODHSRObvHgbdKXYXMK6%T~H*;{R|Nna|zA zCAi!93TZO%Y*vHzhkDSl*r0Yk)XC+?do}&uL@_tyvUnRw0$)ERyCKO_@b%~JB1Am9 zKpD?}0L$(VP#^Uy(K^{ZZ6v+8j75xjz(8u-k?CVNQobMLsHadqb3B4B^&h&YE!nAl 
zMn-n1B(RP6`bl#ibjlnm6?$J!acD94%VXw-p8;X)AU?1G1yR13|2Jup8=5f6MYc>u z$U+F5E>vQ%+wTURSH791wUGXzQUdXBfXLfqe*~WDV!0#z@`b+hE%rw@iRBf)q+cl9 zg?~CeFL<2woB=Bj5tL_U7Y7$AAe4;rZ9;7J*CLdU{C5qwOhoAM8De*!?v-M9p@ zutK{BH#$>_@K5i<9>=XlJE_ygJKJBTX^pMU8JDiqG>p{;a66_abPonDAyz>#?K$$f_Q|=e zyA+ncrYyFXs*?nw-l)dqURa~ad7>5iDMN#R7J7z>;`oqOom^RM3Tai!e5IR_8_FD- zHL;Am?+J#i%;6VcjJg1okB;h%p$AmoCvA)R0A}4A^D9GFH{{VO1ta*rb~k%l%t0bk zflksHO?_%rps5<|AZ@Oka#*4mTW#wsIPfol=Bhz^zfx4@W0@zTQ2#e`|Ca3CA9zwh zz47vDJ;_dL28E*L6O`j}7Ja{SoMNRsP>9|2bMW`L$JtOefv%fR6u#Wx+1YYsvx|-^ zmV~mIK7|(xh6T$r3`J>&3c(^@RtX#kady$%#vCk4C(8?``_A`E?Z%w%WxmYats!@P zM3umE!4);D^ISI~0CWehMtsB;OccUOLDsUuf#1r z1%KojMXS?x@9YZ=-OqIiw`X@YtC?iRc2uc6q_k>lh5wE9y79YrlR*NUsoDLz zZV!8b%ZsRmwl@?kCg=*7qZ$*czwEOiRp>8lGh+`qEZ>T8+|vxNnypFnh2#b(-I!11 zJB{Iaa++NH^b`^B&ZS!_Mw!`>7qT!p6huISc~nkc1IZ;|8OK2>T~UB^rxHdLa3C4| zuUq2oj{ecO#mdkKRA%|D+ZZDclO$uDMpK}kW=FBLLAKeot#jJEx%WAi;%$mZRq?1g zL>Pvm7mgC|<9Xw`-wbt=ZVWNRGh$bg{qgye_RX6@Y&~CuK_RO6!x11Y4iU|>M22vZ zgr(0vb)0Dr*i~d-AxJRt9rpNh?Hr``_y@b{*_!5TA~g&UcDk6|=B2ur<3TR8foT@c z5=IjX-kb>B^NH=# z|6BJ|fxwNulV;SpqX+x$lZNTwHn07#<%FqD|KCB zZbvOqlb|&x6B%;^UWLI~Z-PZB7{G9z;$@EO!Hr$nb1loJcB<6E5qy=hl`=Q4(Obym zOY+S>xLx*ue(WuirYM!XWkR9MNVnT=xIay&j=OG!i#RNg-)sRjZrdi{d9*$`+(M@sI6vpFU#9KyXD$!@9lAkb={d$ zq(7Y0={@xfX|*)PTU>Ty_jQVwTwz$vYlA5JSOj$!CRr@9{N4Hh0+*9BwiMDtHWq+p z%<`Dj^6Kej*ftdtW`RrYf!Pw*3 zP2xMyXnQ>o-CVL0^P<6drm!yje_vVf7zDghjk;ucWHchjrwjR_gTRX)vPm<2(?UfVPFZow9Tg;%B|PQS13GHlMps7T*Ndcbk+hw;&tv0`RW4rN zCF`Q*(0$X)i)d5Z|DDpNc8z=Bo33Fr=n2P zWAqfQ8yYb=__f#RBG;^L(fCPj*)2qATt$$Bib+7cXtuE3n$EAg(LlAT`Cp0K17-i5 zg!1?JT^yLWH0ucI%w1y4Fit>SL??|^3KVuaB-wJ3QtPwLd88Wg&D8f|U$NhKON1II zSN&UQ7OjQMPu72Glp9_+St`X`J8bSZYtVcdnpE0Ph?c2B8|C;lq{RMT<(z#m)Oj4o zJsj(ZrSg!c^>8lE<4sY9IBO#bsT7@1*gTe^^>iNc*e!L@pvV>1$T-A$e#oYhkfC%W zD-WT~t`gZ=Pu=IctCO0Wo13|5Ztnivo!|cEyWfZ3!{_^Yzs`$8g88iR)Qc}yT03Y^q#MsdOmohkl<+>_ zp+8}d&v9Vrlpj4xBfmX!^u0BMEW|~uTcKuTi1HAhkFiFPhra^6>1#O66U#OVt`rcF z+D1{~a^plm`V9d0_k~yL$y-{`YgBr7QC54lQIFV`*PVkWuA3}z^@!;#_wFhLGOQ6> 
zhKTtb$QhuJ0-`HHU9))^ttZ}y<~0Z$+u;lLm`Q$ZIBS$!_d(!NblTnDExf_H^e|Mp zMRae-RxmP(57aH;^NA3LsP0XKH|AczO%>{kdn~!cdLZ)EluScv1LQzjZ*vfjk1O}@ z>mGGS1ribvg&#DwpVZebh*e~+9(oz$KKb%cOX`$E8#$G(6N@Z94yFzPSG0IDi7-c`j=%AQCsKaopFHl zrAr$F2!EK`4p`j&2JKg7#0Dx9IzYa&K{{6~VlrMF?;%Z;gb2%Eaof4|b|k(W@0)s@ zU-;t)Nmv#HPG}E@I&;j6BIa0Ovh|R45O1JW0t-Al!+4g5S#Og$^0Q|(fOvw}`thlf zMv!S~d^n_>C_ijMBb2{o-R8Hpsva>1#wu`A+TBfBBf#Vnhyk}GHehxLOf{v;JLT?c zmJdvxd(ak6c5{Ft7DNT~pGi~S#!mow_k!PUW0EmXgH=jd(}3|8*jHfEN-=caow#b< zaGVb(3S&fKI=&fYRZ$m;j+gkLC>Ia_iCC5yM!{orbW}$-nl2?B1BRzsk!a|qd+WA@ zm4_?6zHySjU*SnwS{jlL^(lrkCF%{5xIO&%*m*n+ycT}c1y&h9*0?jGY*^|L49Ep@ zvY@LMTl=Q#yV)MH^8^p4r;t77GbghuciG$9Lk7zaYRf*5JcjVYQ;Sa{SFSo=Y3^Hu zwI%U^7>r}%A=gBt78Z3@x3;#{rz4Nm*o;*^Yhv>snlPjSYoawcTkX}EhieU_PU7y$ zak2|YYWDZzRxs>w|9pt+|9IAlG%}g|4gTffq|EJmV+BPEgs$T@tr$1>ur_dcx9DRD zoc%qn+=-iZ(f50#cg+r8akP0wo=<&@h1Q>83iz6=&Bi=J+x)xoY$kcoWY5*>1%X4q z%s_#|ua~)sE9(5HZa*(v)xUp#h#|A&7ENXVaK5EO^de@1MGU zUM-;MWS+39RAYDEqa$?_QpVfRd{Z|LV==uE?G8Ek^_#heAp|~eu5MsKC*&;0)aA$o zeiq4m&Q(>sW_-yw-Nv+m}_$h#pK65EN&Za*4>v4LiZvqkMh>0l9RYx23D zyEWjRE3$@K@-|JBKfWy>S=WP%r$h&+2CKsP?|f~0kuD}r ziI)ttR>uUvElF6>4;qK}z!I}%u39n7@ol!BUVgekWDAP%ypmdA z?bGI;s=!uMV`)68dQM2DD#73g%@K8jVJ_IN)XH$jZcCt>SujR)uiT8BT`no;i~I$Jh0T z4VQLu!?Ogbv+xXwhM5;VmBIA?FMW|cjblaenz9sXS|YWuAphjC+GtjYqPHkPL>ME8UM6}M5+Qmw zhCv9UjNXm%-=6RD`+m-wb6%WtKED^3ZLisDuY2A1TGzU->yCP=t4@9W?sXy}B5F+y zumKSfF&_AgAtwcX+rr&#fj`8a2I|U0W&JEGz{OPuB^@OqqHpn(r;uyFHN|TU6Hg){ z)`-g=;`qgFJ0c<}3r(=nvp1IOh=`{R(R}{kEg?4bQ*5wJrlxfBJiy6%K9246SE3 zM)LKfa59_zy0e4}_(3HyjaHeQvx1qzjGQx6gNVKcxJ)GCfpUh@auI8wfqUR938*ky z<;bfX5K7>`6p!0)1OKIe8!8-1tIR|6zwpJmL?nlVv@XRUir z&xX03_LES>cm8|*@6GvrIbn#@t5JbsQH^~$|Npf8_udC1P~ZROktkBaw_~i(?B`o# zgdVH&m$*#-va<#D3slhAniXIkp?5*&yU2su*0a9zlZjRg@_dh! 
zI7G49sueEzX3Lsc;#IQFrw46naV$>jm}*a^KJ)i=ym-ScUd^t-a(?m z!roW-F=dANakp;X1RSH_>UB!WQux`)c%8eA^H@=e_u6=$>WpE&t~Wid^8x&@akk!C zXw+@u84vzC$F)o((oH3t>YHW~U%lh!hzOVJS7Y?bL}GU|e$blutYgOBAH8|4Op^?FT~XL_BhXoy6`Pc6Mm2PDSQYa{ zv5AihLdHSeeTusALt z`oI+lD9@Y!_m4v678Df34&u`CD%SY_X)kRCc~JurN`G_4gTGVHhsT^S>2reH6H$8Y zaqsU+bgxnt^`0z7qjuLuzuB`k8h6s!l)y*q+X4ZDP~>vsd5(2F(GOoWpmuk5N+2=x zYrbvTz{9Yxp`3E`U|4a<^UZUkr?swIcQ`}4>>ouSaz2sw9c;=mj;!H`)Vntyk&i2pbBetKoP|dR9k8v5%~l)t zp1xM7ainP0u%KdQrkNcVQioI64yUe%)=R97?ngYTU#bnGWl{r1_JIrEggG`U*Zh`p zT0ItYO(JoT(VgNAH^6+e> z6bLyk?=5S7KJUuxvoAcpcp7CiT9LB2xFYd@6THt2c}qG>jqBLPiH*k1mN~@~rNa%Z%TTuJ zhH0KI;?;X*sT&(F#{S}PQwf|Z(CzsSNw*n!=MgnGh0&XrRwxcdq~f^7jT8u&f|Q9m z-&KiC_*s&hV9#w@sg+~FT6t^iFCBM~P_`9`oCJUfYJFw{Ct8l?DGB(>0sM#_$a~A@ zXfA{XUznd+5hK#j^;y!z)XB*OHe=nb?crHnjaZ3U$(iJ zYE`2ccyjfy^p$CqBg6;mo$5S7LUse4tCctN!z9)b))sQpmC!KFd z`M2~<@8yPAHWdh+u~=%Nl{%Fs(vP z<0WY>XjB_)V|oQ6F*Q-d!$fMQ_3^&@Wb8*_Gt$FC?Mvg0w8O0UF?opn4EYg0bDw-+ zzccG`wbA^S9hrJA{T~^z^U`qY65WvSHs^ltCKRxJxKc8TQ~|rA%*o;A=F-QBQZt7L z8g|&Q|G}h#g^=8{{xpNJcD`<|XoWXhSqN$Oc53;Slhu2v;chcczFVJ)LVK@{(2TA$ z?e=?4Mi0Wd0=tS{xBB4GfAYY}glBxfn)yKnf~((L-w2qw%IvwQBY9E3UUM?HokgBR z8nci$TRnEt--M2y@-e7l{Xt3S5pAW)bJEh%T0bXj)|R)PV`hRb0-0qz{^}jbFc+Dk zd!Ji*_DO6s++dZpjhEkv?70b@s_7%W!BVhUP~HZet{b9$0PMrOkQZF^uvl%1##{#w zbBisa&;Qh$F^x~6NF-h&LbtBNBgqwGYw=50S9MCY4c4Wq%ZmrFN?l}_%-jIzV%mNn z^DHT_KfLHR4A+masMqk@UFwr`!BkZoAKxphYqxl@ES(s@gD+BQkJCrAFC7*#*E%^g z=l6X}I|MC)1M@(`i2?>8w72^#PNreZ&3+-wxql}L(-R{b0qEfx=K_G3jWIqW2zTNI zfP!jXjS2BHw~FqT0$cRA7||B=c!`P43rpXxT85RYX~`1h>Z&=a=Q9QR+%H4~T@T)~ zsmMyoM)(UsfEk-Wq$bM{bTXv3)sdA25giIS>hZ9N?-K5cW!HxE(!@GUYhBk3Mu!%3 zd7))Fb#>@7|E!s0+*E`T$?nKvpQ@+Gxp3lb1sML5S&D^$!OM%Y%^(Z)e%~H5;eKDu zG*3iHGA_fMW}@1 zU`i1Iv%UdI%dnVnki{syHIxB4IN&8iq zpSq2UyvE{H{7))mL=Qs53+TC-0a}&aCWMbJqYSE?H)0u=9|o*pl5fv!H)^zv)Rs|TPN>f zEBE|=1Q)k)Y*5rH+PeJGs}0Ux4eE24u5)*_{PakCh=^`3Q^DVS_4e;Kf?Ny08#W|A zB8(7kAFHzm+5!O3JLczdZbIVb{gq_89!k-sIRiAFhJ`X+(#2!(q#;B1NrtK;xX3Hi 
z3wn{6@l)b$9;BztKk!%ImX8~L|vn#44kZ|tUu~8V>hx6J>?s@qzh;`Ka;`|J@ zR$7ahYYPb}ep}xnx7jpOEh_k$RKsg|G~^g+)Iq~4yT{+DL^xP?IXl@uIGA#4+&z)Z zZH{M=nJ-IO&N#4FWUto`I@sRNjoSiN!SezrSQRnjzo{UV6%AK2Iro!c?DTZa5~-c` zh)IvnZ+4Wzbh7t|&y`a?R5;!GQTAS%hUuE(RIMA5fi)z5*|#2d9-wjbC4$YP9OG^& zCbTuIC0egU;>_&YxGs4pW49~6J^fTPkA0r9>CV%KgO8icLxLm&{C9di_3rS1H*NOP zY`5B*ZHKsVf2GSJQVuebh_4?8D-k>27f4^Am2_F({Jnu~#9B+3wsv1ats+CT4qsoz zyK=S)N*G&p&mmi-gnA1_cWK_Ym$Qtpp*TG#y3)U7u{-^KYn>`8u!vq1%A+xQc(PXB z*uPWJBjU-ro23+zaT9>WHb5XZF|gl@ackOEV@w;=SJ?i^;3|i}WypAzz|YuQ9)&wZ z_J59hABR;JFL`Qj{Tk~%k+M$N;>i=-vNx<{ar25rBg{LIxpQQNIEa7#pp$De-K}NP z`)9HeqOAGA)JHM57C`u7PSc(P3gcf?A}Va|(M#SdDsNa7;^&aH|EW$G+#c~AIrdoZ z;uR913AS&eW0iY}^P{_>&$iwVTV(>pIWOF$qa$p?rEyowl6+s!XgOqE@fwaysL68) zG#mMK3OW=sRYXRFzK2HUGSNOA7ax!}9FLo@3Tk#{?^mhG;(~b6+{tR%{>8k}K=(*F zV7E^STNxf26_+zYY>C$P9kefRIVmazbwI2g2BUQ-rym-VuI zryThh7yY)7AMt3O`Rted&H8ub}4NE|}~C(kmLFabuLXkNg8#27TgK78pMg2dNWz`Spg4K-A>q!QUSf z4>1fSp2Vj19pB+d;I#%-T=mKfFv>(}u2dq<68W-Y^Rxofz`-n9RX7ldtQ)Bqi{2F1 z(XxZah?PSCF>CfqqKy|T-B56Co;~m4YdL!-jNVNv)kM`zG+!V}6?aPee9tVHPfr!^%~W7_YBo-k zMl-1>({DsQbFShhk#!sn_xkRYmn#vaHV>Vw=%eUzxDiVvH1c!(F^`usCYQKbhHHiv68Q9Q5E8O!QmDbEkDc^!F@>=wTh#?e;w`lqg#He%etl*)t7 zxY0=HZx&RkJcL_eIM-`_6y(*cAIZ`TUhYbKgphcdYkrO-j*sX{TU!K$wtF9Wk{pJ2 z4G#2FqT&l~4Kb_}mQ!KM_HZSR2{l=Ss69j^l|XB8kBAe(EiJ}VCBEA~bi62#9Pw6& z9`>{F3ME2oiSn$BDTJZPDnOdnMs${wz`8^n_%b$_c*g2So! 
zx`+geqaX#R1Mn2^DpsqL?b!=xa&Y8gY;qP=) z#S$alw@!_epXx~h=Z@-L@_VW~Pmcp-r1l?A+wvY|`2X6cFH|?|x}}OH4`(Oi^xiy- zr$-2B1f!y2&y;J6ft{QGP*``b*@Hq(E)iv8i$E!mwR{sHv{b;|f^3s~0$;@(uu(n{ zXDCthYF}zO&ZG`FVZEmr)v)CSUjJw`!c?bfF?Wa@6K#OT%$hVBScGP zLew83tpV{YqivcADUczfw@siGN?QIT^}pK0&g?NKU5!JcAL>_O^{Ts(L@xIHehy8VFVw7(&jYXdT+ zSd%sdsz`}w{f&;^0nlIdy#u%_uC;FVNv&&TaA{+SQGotrVV41fp_hrNmY_8F3 zddQcrquxeqAO~cmDr`0~oEME}+V+QD`?fDhFTJA^)fe968kr;El4dS` zZ-MUWE(TuhL4Kg_VJ^P!(EaY36L_qIg}<83#rbOAsZ^p|Fz%vWcWJ@bJElMyGY(gk zqK|2T-KLlH{sOJ>q;dhvo$N@{&>!C0N#cTTFpbEbEAHeGhkRWQ%*DPbOXG{Oj~u=w z88as>YQlM&x&pM=$vFD_GW+;pzx^OLdwrwO(I5H*vwI1v*iX8J53Wa5SC}N-<+(o@ zG@aLSP__?;l}n(TgzqnmaB787dxb`ZJ`&63i2iD$M$a-ZEu6@5?{&@HmLfk+W#0x~fs97%YjsMhPBL8DFp7@G~!{9qS zo$lVP;+;_HuGEQmfz)f>$y&bVlvdu|847}KTm}c~b5wWgZeXITe5#sg!IS4_kc$&W zoEps59`q9C%v8{<4tiL-Xob%2dgrK*qMwjV?cXYR3f}{G#Y;9B>ZfL5C01>lPT&kCS?8#XEm7=i>kQi$#i%1UuZkGNJ}{8QSUoQO@u<%bYCj`f5K>h{v5r zuXQn>FB}HjY6tW|Wr&HT0_OGh$B{O4iiDGzxU!p~dg$cN)<9CzDo#5OL`M3WJ?i^) zkBd^9s-Q>0$oK7};O@uK4#_)A0VfV0))vzKPOAN-YB+UYxt^{XLiJWU)6>JvQDwuz z>p$l&dVZ+%Ub8p$te$%ExKL-xd-QhGuG7=HmB*N~>{<}&k0@JJP5gRALwb*|&YJe` z1eB(G1#PSwLvaBEr*~H|7(4>L9!bMVLYch09LZ)}wGa<^@ZEo?i>E=fICJGxL+hmK z5iKzn$-y7yj?)9_USWo9LpB8HVgSaa!_(F-c6D{F>xG_y!%PlupiYsrDI4NGLWCgR z%63K-`BKwir$yLv1odmX1j2%rHHb zUc+0M^@HwYijd&tS0{!FN#=5P9#%&_H?0af#eeVboF4DGm$51MojU$&VnL|1?KtFO zVmxr-A@j%R8i(A!4fAtRSpfsds#Bn&M>}s|=SdU$e3>3&%GMj#K@NwAMTpe;v)Hj*tnLBu6mT zDOy?XO}9{Uc-^1qeaNDPt>YgWsIN`#JFYL=>5jBw403qz7`rggS(vH0!EiW>6yFPQ zH{YA33Zkj@wR=2C54-Wf7~*d*1dC9aHK~;Xp}qmz`FWE0r|JKh3(9)wCki&QJ6&vfMdIOL{zpy$i>Kddp@+N-Pk?@FJ0!he^Sa_nblKt zB=Ad0+;SI{eREnhJ8KD_tLvNc9Sv8g9WZtEoqF}$9?YuVe%pjdp9@6vLms5hzdK_4 z{3uBy={R5sq8TARyP3}ohH(I^iG(IP?rhe0f)$C0TxXw(#Ue4c2rUAK5~$~7dgxOu zvVNjUR^5rAT!ykhB=I<}rCQ5m(G+pm#dQf3cd@H6E&Gv*iruQ;4C83MX z^l3rOoKJi=n73q#s-Zi|9<8A$XQ|lG+x(_xR`bH;87sh4nGkt?Yr6hx)!oRj5|chQ zQgYoPMZ9?4Bx+#($C0vRqA!pF{`%`W^Nm0^#6jk3D^FQ?XD96U0Sz`4X?}D9S=;Tk zya%_u1p;Z3l**)x}E+_>~qTIeSs+yM1`r>Vt4Ug$wzw;Ij^R!`}7BzpE|cg 
z6$c)rShU_1#wU46A0fPFynFlo2`cFgI4$S1H%~_6IR;-v7Xg$Smlj7~-*soB%*yu3 z9~YGtPFwgzXqd$$kb{~BsBW84FNlx!&>CuTncMyXK2Wk5XEXk{RlRh>bJKLa^Dz9Y zX$rv0MLzn67t4KDaU3jE370TID;QAe{XS_=E?{hR+jw41+^ASP{Ol*zVz^dvtOWM>mqh2d{L?3}IU6v9zAtFZyOTn{KYiG1bQNroiBgDc+@C2g z{mqOtMmW$sx2O^Z_`qTCB|mf@3dRa|Bs_bjAS|ZGN?)BX5Anw!GG;~m7D=R9Es85} zwY*SH@aO+9S6JST@5u%HNbR6<>Mog|g`w+CjmYD5oAIs1L+mN+X^TS$Kvrrn0Q9A1 zHj0o3R#4+j;7W#eB;X3-~W9T`p|W&k#fH=RTBP;aL2!k!f{ZC2dPQrS>WqD>RzlepdYp725 zx+U?IAGZG)x%fO1N}107{*z*0gAPDLpTRsFk>c-WEjOm?E19o8xI@04BoY=DwlPuo zcC+ioIyd;kKa>}Pq!quc5bxS#{_*GWGy|u0Ma`9WnxDVQd7`Y^ec@LG0j=Zs0Rb z&s`q8SojUrS2XflZxsLrYlELv>&cT~!dJ>!EqUJ^+w@0HACi0=k>)SwzP~GLcIf>? zcWQ16y2OP}kX>ifa|vOPp2eiTcXAPJ4Vil?+tK)E7dhCD1nTi;^LE&1@rwb~iLMij zb9r^+Mneyv-+0CgTG1#%JX2ie=XS1d>-j+g!dKk*GN5{JNiU|+*AOOqZsr(PEJ>6W zMHehQ`-)OHKU<%dQgnCP!NjZnL=Z!`1>wZ`CYAQCimA`MVr~mhBjJDU5E6u3W}51? zn0IA%yCWq`ja1w1;h$`z$JqyJmKE8SO5Iw|V2yvmnehNkfb!p{?-Xg?8wS7>t;l}- zxNys|Fx>TEUl11OaB=kT%K|zdkV=%5qS>(VVo~D@orA91$3B?xiFX5MEztbZLUk`W zoZVwOVG?w_vjaN-APcR$=Gqj#w&2wX+dfvVRj${rT`QaM#PwGTo7JFq7JDqxpbO$w zA6q4Z6w4-&TDD}DMx=m<>nYslU8OYC_kP}M_yX)rKDDq^y8v29BZiDb0U7q;rM`3r z1^)xD!l&8Af`)n0?>M5%EE*faY&CX2Xo-9~-o-VZsmI>=V>>T*1|(l(Lda-fVsmf0 z|7?Q$$bW5;brEYaSXg-tsRFrTvKKS&rDhxfM(KE{C9<%pYIJNYwZ|NwH!6EVqo0OT zG0k`H5Vmk{iAgfHPL=Bm4f7lPPAUph%f%;p9wy7d@Wwvt;tu`yr)mM=3v9cCacX%e z2cQTcWtDs0e`aY}3uYNLT6d4P{`|oD${YZ!t&huWp&|d;@Yfh;w;DrI@8yyFf%x3M z*~$2Yz%%RiP>M3dsRBgkoin?*eQcxEIor=QHGlovOz+j%e1A&1PA?zWFeBaF2#1?) zo=d&%Q!@OqcO{BSbh+d%!)o;=Y=P2#>Mg5!5B$KxJ38T6@rTu$H4(^d=%1ipp8KUn z#hSZ7lJ^$*`#7JGJe?Y^6@$jrqGIUp54^fByXpX;PmRao6aM**7)H4$)J4h*%as~{ z)cU5~zzJbUc@Ick#>=hToX1Pt5egOaZ)!L@9Bs8mFPXC!$eCvUMlrhnz(XwVHuCuF zv?UU^l zl3A8fJu|-Z>nwW)ug3)LxXjEa6@l18gu55-z9=#NvwCgxorerrqN0KQoQf}b`dW^5 z%{J3S*ZvUOIh#l6G;@%}e+~F!h6MUoWngNUd)CPL87nVCJ1P8G?lC}kZ1i6HIDyg! 
z2#@Qc_y{(?F4Y%cNU2#Z4DqN??{8FWC>)&rJUP4cwX>0aa;l+3lCZX0_+XoK>R`k~;+M9^gG1obv+( z8Ub$XlEC^XTw#+1W-@2Y{u+?&v#RaSc{1hN*hi6aVn9kKMW{ePDR9bYZ9xtPQr#9; z+dFlNw*Br@23-#lRI^;ENClEy0%{zGxDI2tSYFF-VGyABF1AZ-BO7KRcWb@su2{EP z$&7Vsv-i(&mUCHwv7%f|7=qq=iWO;6*_es)OR_gxU*a{oSMJBC=nLWIJWnJXKY82@ zt^pg7Pv@HuJ8cDQ$p}K@D1XO45+$HScMDj^yoA8bT^;2_{KM%I&L6Qs7iX?Pt)jtp z50qrO&=WvrlbHA=SF>K#jnOg6^aTwS|6>k?tk|cBG_JWj*?Oz^fzF3rOvE1Z= zz=_R~eJD}naEeZHDxtBQEQsqjpcreE-15Yarb6Ggl9s(smReVnIX`o^e(py zyDW7`Zr4P(w53P5?Ei5K_9(qxq=Swy$ew|XnnHcYqD3t2uVD$KQ`xdx?RiQ3MKSPj zf#pHXAhlW&W!oTd2d+zy2gIfL7yKv+Ebk?d>lURLB{s=OM;FCSdfa<`Dygxfz?H=0p~j_Krh?kS>>dA+U0vVe{2Nj8AL z3$?tgteIURp=Xj{tz#Ml*W`*F_W+%iw*?c zuf~p^)e9g46T}x!)&Ux&jd>j`=h3>tc;|lT?JLo}muLDkTFJj-{k8KV3MHGoTF})z ze&}{td`NI9v`7X0)nC{6_kx?rLdt{*0%9Xvp7j7tIu^z#seh+%XxYK*uh-1|XVI>Q z9HO>Q6H#gTs^6h1eC`_S^bl^frF6mgYkIk1ISJWn_EK0c!^wH^+>l4cj;dZyLbZ4_ zpADSK5okHNnX~P{QB6^|)7WttUu3y;mj)9RF4(^UY@E55)#HFFPOiPF0S zFxL0K3b{va>O(4xXeCD|&e@JV-VvUhq`!-s1rn)r;w0CWI)BFw z+E>Yp+@gxjCj2{I`kH){KEu5g@j+72)^2+j-ytIwS-P7pcKRvpOWtKhqU;rXYnv#) z1<|TgBbQR6SJw0m8>_io5bhgSm6P#?Rcu_KOlq*Q?TeW!B3#DLt zvOzpbz8X1ZwXV97Y*%BdqVCJMJ=*!|+N;TJoZDATo1(VXJuSTZlRTmzv%?}o{230| z@#}ZDbUmJ_QPC#whD2*$Pd|Pgr=For_jBszr}nv{ZhFb5jG$TFr4ZSNk9XGjDo6lm z`nwACPPf8x_v5(zAUShAJjdb$12-d_A1eLH(|S(PxZZCw?zQm4=%QWgeyexk;#leD z@=1ASA$m!Aur_&|#`U)2f#sVTDoJr_@{6j)xju=MR~~;JdL~-v#MA#RSsj!9NEEkE z@I{kB5&@@|*!^}MXszfFv>Fjgd*kKOg~?;wNDcmn1pQZ%ed;kLL2hm!r_{iqlxsSZ zUAamxX-GVp=4`!vhj4WE`~KeQSTPhcrybVU{s{9)06U;3?g*isBXh}!hy9rme*<~F z7|)pY55QAGXEr^Kzd=Cp&{5UMKK}h8pm$u!;BR)EB5X?4OoXWh}DI zyTRn(N^tckZ^Pid>xHjLX(AD$kLV=qxR|U&ZM&)yEcx%+#--krAt5{XbD_y=7!=A@ zBtFcI?eR8L?_PXUmO`wW7pCL?kos}Dn8jl=50@(8-MyjMuC(jv-V{~rVoNMkqqIbw zNxoU2Idd>Nxu<%tf5=1CKJii^Mh{D#-v}(ZIQ=TQyFKBuQl=*)JYRMnlDZ+|TADd! 
z)4{w^-H^j)L?||OxYDldnEN3rdmhQ{1%7uY;TB}Q#u=V}{NbtU?7TP^`O zZQ#^5QNTOf_10M0SpY&18G8j6pZ`-+i#uS(;&4h{BQ7xKB2FOH4{Wu6B@P!rMRY2; zs(iEWoa%1C-`;jv@R}89cj8yJ!a3GYhJj+2X)1dqFbiQU`gZwDa@HQaS;ag_Md|^- zfcVy+)8AR)&WDFq|AB_3?ctc?YvcBRrI~A1P1AQr(`)9xrz%k(DORpGV&A!y?)Q+D zuKemV3L4h#5naDo;xGA*NJFdgL2*;p?Ltn*Y+;_LXPS*_Rt#6VUzVi}WEV%!J$R`u z&q9+ylg4p7jvHf}j`SC%iTlEqI}(MbCEfp`T_fJQnxlp6{%UUJw))uOG;8je_d%z@ zr5Xu~1Rs<4Y-%Z><6(PK@=c9>58+=}o~jRTz#$nC3yIZwyCh<^9Bt>x@4lZoOpC6v zHp7Fgn!uA0&Ig7x=f+ts(jRXqHXyV~a5>tTa4|=>ns1=j%_X3Ol1iG(IJJkUSXv4x z3pu&4cIs8{meu!(1fFG;Qb!(nX{w`L3_B%f_hKb7D!Z;X9(oI&K1HZ{C~bgqaw~l! zWUAt6(=HW|6&C2s(+2O-0`EfqApdq@8uW)|Bw1L1P`?^FK+B{j-^U~;%()bG@t_!6 z5H)5nn&?O?uK(IAktK-!>(1RN6 z0XYRs56b&12jnFv%Z+V2kf)%S@=vL817wtm!v8s-uR9IqHG5}1!2ZG>p!$Nmk)?_T z+Y=d?PtXCIJ~3og6~AI8%pk}%lYPbN0{K&AQA_uie{QX~o&UX<6fuc`{-YTcfoAP4 zN}w_;agB$yjGKyglO>Y*@i0Pb%?JKklcX^zQ-o3u{3tQ*d;R}tVRdM0xOvyx!{3+q zB8kU?+McBE?@iU5oFQ8pS?OWvwehAS%p0|SHu;&Svihnolq2!~NPS~bdLL3hxF})$ z#{EXGGFQWM`g}kO$3adzVi5L|8O+9cyD1dj*PNF!TeeFB8g}>SKmqFRdzX2Rkx>I zt-l{it9dzP9;$#t@!blFzf_~k0lBH8YaDvZyV{16`#lnuI_qJX|EtdWUp+U02j8XF zXSaLpx&7IHWZeIg9|H1*mum2(|3@+R|9f3HAWgTp6qjGsH#HT4;J5%OO9h}LGlj$9 zTWyzebqlZM!L~~|?xp@OOPo3@Fw8QB6?&ER4;U~?Eso@U}u)J>%K_< z>L=Ln6VBHGVIv?_MgRSsR9aUjef0XDhF#$|SfmFpWlxud9REIWsLII@kfnXDcAHiF zx83S!;X*|=pdPCPoo~mt{YR!Rjmz*fe`WXmEwPcY@tuIjms)-@;I!)E;+R^xq#19<8S8Tg;N0aitizZ&TeAi-vwK;_7V{QtB(>JT-L4)etW zS~sC?z!djGJM5c+fCDu2@(g;m;nPZaup&W0AxE^!0muq{^d-wFZ{ECll^xKr(~ju@ z3dvI6-6hwJ&mHy`KqX3Wps$Wf`;C7pKEA#Pr)IWi;Mc7J6tndOa(i=^r5=hJA+?S} z?O)qhkiI!Msn%m1lxVq=26}O8&FTW9Iu3{D0@)j*R(N1)IE4cEvX0{R$=~r(vqpHD zXx+;;6Or6@1$x-E2d``%N!fPMrm}6$wzdKlAWvq4`G8js>^d6&)RIZfh~}BCHcgeUh+6gD#E-bO)P|eN7bHO@OMbp&;E&U1k2V zASOaFWx|<^h7I2$^4U7-k@Q*=dDf>2s{JtuR-iP8L-qW!Y)5qrjFvYhXK@!lVE`OW z@ka!WkCjw(ot*dT-(cR`S1yYrXb$@7gF^#vZV+j<-JSaR6Je1 z-9|S{eVz|G6LjESmA;Io|Nn}sq`#t$nZz%HH|OMQ#A+&Ak(FNoeC5l@SM}jle#nc5 z|GobA=Fc@B({|U<0(~Q^gjJt||Fr%09#1L!^N;`Sx~~8AN-~py0sIAt5$(yHQHOU( Rp!$wTQ&ksSrfePje*lb7E$;vT literal 0 HcmV?d00001 
diff --git a/dependencies/infra-as-code/bicep/modules/roleAssignments/media/bicepVisualizerSubMany.png b/dependencies/infra-as-code/bicep/modules/roleAssignments/media/bicepVisualizerSubMany.png new file mode 100644 index 0000000000000000000000000000000000000000..971a30407b484e0f63ae41c6de3158c5678df658 GIT binary patch literal 24789 zcmdRVXE>be{%$Ih5Jo5JAWGC338Tm8A!?!|gXj@N)F^|5!7$qBqJ=0+B6{?YFc_kf z=tM8kMK5z+Ywf*u*8X4T(>Wi`alJ0ri+RfL`StsLLUpuMuU)-<_1w90*VNUN^v<2T zfIfHbd^Csz_>Bakvl;N?ysMrn;#^@D%M$Q%$yVW>!nt!LQDn#Fmx1>y&((}w&z)lp zIr}~zHMePf?%d<2>PiatJxy2ByvA4_B>(ZrdtqWSty)Z!Pc#6-_1=&ca#SC43E>d~ zRukoha7UvFJbXtyNA-amoJTi7;ZiR-uHIZDYp-__2J7C@nS7*;qe)pijJbRG=~Ww zUVm}B#gP4fJ`pS#h@tb0X1@RZOup{V1yis}m1i;!?0;vOc~AMzCrTx0_$mOe$Wr|}(Xua=I%jZ`YEqmT5oE@(^Iio0t_ud-oBd1U94mC@;C2KW5>34@q zz4_4Zf1IrQ`yV$D_lOpF3>DOUd0@zQZ`|_q_@HFa)TcR18EdgQ-Tdb;J$u4N#T>gs zmQh2FmE#tD+3MBYe!t$b3$3)~uw0$GJA~Tqv>fWei@aLblcvbBTZVu``02)gpa>wQ3)7-ljBj<7ZT=K*ONBd7^s_; zxg>4l+=f~*zkcrQg=Iv1?}LSUEQSE!bw`rN%sy z=!>2pZs3odUqa-5WhTjZxd;aV3T2#mks!^7W}0b<_{x5#^X5zz*k|VT@nTjFeR-bz&Ha}K^wb)Kd_UHMD)Y{0+bkEH~-OW7SqDTqT8tDno z%`Q*bK>tb4gNgm7C<;uT)A8eaR@7d>UW>8DDZk3z(vSm$oi<@oVvBU-pPniT*vUN* z^S7c@#iZT|#L$c-k-C!Ys2;hM{%OZ@bIZ4XrgE>lYyX$L=VPt9jm|Hd10RVM2vA1- zyzJ)jhxO1SVJ|bJ`?P$sb!){J=Vqe(dNh&Fx8gLhF$p-Xhg1vT1Vu>4q8bFX^^QoV zjXap3>oaVNH9YO6TZaS|p|)i=cLUc$_w8D`4KfVZkJzDJv+@irfKK&=@uBB*Kw?q| zkdyqT@8-(RI)C%FgbnP)f(w&oKqZM@l^{(c|0w^Ni@g$5%yQLS#fNMPGeKmTtX=Wl zJoE+rpLx<(`*=q+dEkM@kEf^p!1HUinhp_VPP4LfokD?|HH#QmtoRi*1pe=loxipbJXv*f!Ddc@mTfWTZzM{Tt^ ze|um!r~P{2w$wZISf1wdq%7c!qp<~p=RFFfbJG~wl6&sP)-3Lt=0H?N8Jfqgy*lp{#Tb2G}q+sSWST@Lc5V1bKz0KXpc{`q0%EQ(Bdd}y>uairJJ z)od%v9bb}Yue}QzH1j_}eVZvTE;F#=>Hm40L4Jc+Si4rUKBAp1{pK%q0z>NfX&N)E zvcBUu0_ccN%8f>H?67v$&Pd56<)mfsDr-##JeXV5T!nPp@*~# zW+-Rj4`#>H4BL?(zgd3}`=Pp`ExR+Y-^frOO)U296^~FeyaLJKh5ban#klo~bB@#f zb&9Q^sUuFm)X;~W6siZK z4?0%L`?Z2b-RP|#M>{_mfS`!!l$fl0&W!t}01*s9B=tfNo-;mNMtph+oa)GX3FG~8 z2sIn5mU*}AUWfc0I|>%oZ!5!PGnVW}Mq1u!UOt+h>)+lR-rL1iJB&It_|^}-S_N}S 
zvC%t<78q8q0?{#^GJg&5b_Zj3Dr{lWjW50%+s4y3YWr=)R-+$~P0>Gcpz6=PhXo?N zL{#9`-mqty$N@o`wrl(B@!YB1qmk&9AErL5@wURaSg|fR*ZRuM z%F81GtJQW?%#NMTn4mp7L!}o$zHm@79PFKKDK?xjWzlt!()!+9;iugZuZ|7@O=#># zZnE;Dwc3R_D88ejoO$$KhMa6v;tUOGM~Z|gGd_NbT1oW zs2eqqj5$tx;e6#5T}R@^O+L=%`>R)A_QE1z@eYpDYAt|FnBcT!Xy)sF>Mv!7hdFk$ z+>kmq(Xdkbb*q%A5z)by;c0LKjbY3}h(|)2;#jB6q}~V=R&g>Yx91|~SzO4a_zf7! z9C2VhVa2|Vi*;M=0^3r$iN7SE_dNpet(%@vT6<0Gr_Y6>%nsTOU2uiS521hb;mo|3 za=gZ@B=Y5*oiEM|4M?jCTU=mC*}hZ9!W^25lA5IzOA}fM5R`FbJ&Z2h2&HOkwJTTFqG5D+;q`d?e?jbIpQj(`{c!XX(CGHw>R}Dr)Ru# zuwIg|gDHV7xhSh(y28TgjqgY?NU@_s9hV*(t-LDe zmF!)!GFmKOOkLD562cBZE~;IfR$b`w`G!yvRHI_O(aQ5)y~EAJs)jJH!!G42B{Pfh zLgArLdfwDgxIK2Wv5Lmjs)3dUa4b^LQbEnndE_IPnBD}=5c99KJ@bPkF|KJBBnCxEVP?jmkB~zL2aQtfSTbypX)Y zk{yOcE~JVSGR;!9X^lENI-B$d4v9mfV5ru1zTtM+0xF8OYJ}k8l zL3ZpFQ#I3vT7y^Sw!G%y$nH8VA6@!@ww)G+3-pJ@vcxT^y=#%WpB@JtT^QtE{jv~j zk9H6>lM?6-B)roBea!^hxM9Gid-WK0tE}BX&5^6bdj(TOfg3IdlV8`KnL)Dkc@<+| zW_6JT&;qwvoa#I)Ns<4Li|hnxKPev=q?`*D;MQZ;V`oUQ#CgFjoIuBViFFV|#pSZ} z#x>9N9gDXX?2a*T_`Hhqp{3CmPI+R3Q8`um^H|t^ZK*?WALBftA_hf!1;PqVyUFS} zch_7>NGY5mLz67+de0Y#ZTzaLN9fR^AWp1M)>QQv!|s)-f3FXb>JW(0F@%}Boe~(= z0a>**C?k?!Ic_!ab9y|S!J7ANL7~?&@4SQ;)oG=0aHpCr2U&4Lln7oTojcR+*>uh` zW1JW3v`nIT(SZ(ZgQR8`FigWgwhg@^o~Ppkxx;MNov%Ho$Y)>RY;JLXxkAJ2m=^4c zySvL99CyQ%&dxJwN_!;2fxfS0M<$wbf%pq5r z+e2$~v5S1g+{t~OQv5>XzGN%%J?PeIaJeDn3*M2}iiF*72*O9D(XF{x_JSs@pBJv2 zpD$~#o~xO?{)3Dw18SjWEGH)oVq1uG>~}Z0V$D^6;-3>!XWkH5?J?c6xAOx^6QEvV zFN;}QKLac~pr|YG)BZi=*ON5o|uIP$s#UMVIi14+N3yONE z{yecc60M2=t&3N<$Z!=JqDo4<3aaX)fwx>_tjqzYh8nCO*X}LhLIG>!vROPQDaRxu z#Rlu~u$%%I%*BL zBpC15{xeR2ncDDB?{kmk+>Vli)u-rdrGFr6>*{$B1P`PJK2R{$*+JvYOAp1c=;MmW zSNr;;(|9oxhfAJ9LRd<(#;e4uRjL!zkQF83sE7z_rUM1HUi@YaU0vm zk(KJZU5&Rs7Zc*y)7#_KpU=e*XXeY+UI5FTnXXc!a{26&Uv}35EqWhI6+L&SeDPN3 zM>SAehprPkxC^vYfQ}4{jDr&jdm)_f@h1FIR(HI3Agy-;UT*Xni;=4?+&g9o%=|W> zPA!25D%N4>x|YVbs$gpj*AM8Q!MpD}5)1=nO0F$L{H!|kt%pPNB0cgV%Lm_~qlvC;`_zs0%BwAsvqPzm z&~YMs%74k;YgT5fIeY7vr;3N_X`x7$2{j_PHQ#Bj0#9JzuIDcQ7L2q<_G3gYXr5G= 
zmAjiNz0>{6%O!#3qT3$wmaa62L0Bdj5kn3B#JaaLBwdq$a9J<+#ZKhSD4Q-?y%W1k zxNRUk<*+U_bJ zsYhssKXf_p5L`By)Ykh=tzl@pq|`yl#BZxA%+9j9r|pp$MywF-pPlZ(_y@wA8a={s zP44)enp_0ob}-6C`$rk!1l=LEhy9fd<_|;|Q2>pI@u25QJZM8}#QwPE0QKGrnXmQ3 za3D2os^gOqf|`Q?0@{cwaQ&YEinLj$U_KY)%PI+(z;#%IfadTKb*mRgw z@(s!=U#}4pOOa$Q5d1W>ObrzJ3WmERRaNeP+pUI$L6;+PIr2IckG}d?!AQ=BCsFNQ z5gp2JXEb7(I>WtlGJS%rmyFsz_Xv~s(p`Z-xgI;H^1g1*6AY$V!r;PzDrbZ(Gc(<; z>Qiaz-S0}E;rg02YXx%2Ze%Tne2`+0c`o+=TbEHfh77dBG*DaQ)FXeEo6pIpFKg^3 zY~PXYF|bBQ|4bC0-~OCBQ311$j_ii+ha0dp#Bie>THRAjMSwcWywnZfR7YsHPxK+( z#vI5%i;`wO6oU2GGU%4WJGLaV1?8{;wJJ&@|H`e+5&LO?)Z$%+6aiIInb7iSWM#8l+3TRt74N9##0%te5-9ED<9&+#xglJW$f%*e3(7y$XO)GuE zfu)`Vv(&;A)c~VHlHwJ-kX&^tKAfDXPM4mz2Z8MrNUCkBNS^4|v)q@@aC*R@w4ypH zR@YgrHO!As`*{wUML~X`uR4;nJFP*Hae3O3xl7WbNqivoaI5)z^)yQl8zAOEFi&a5 zKvZ>EIm7U+LQ0ESscDwY>L0QriJ6vG5i{Gv(=sKj{a1z(4nCkx;Y5^pm6qMlrw}Wj zwZys>$tmwFnaF#oEZADU_3bnuF~P3MQ{kABK)zVM${erDpDti_=anC$sL6q@h{u z{a#GJ8i?d9a4RLSu?pbJQfn+1CUfTz|P>Bb>!Wvvie09i~tme@U zzL0#o>-L;0%d+YUvIyyf|FRG&4mnDzIKO=N5l19{VJQN03*t~t>YkULKMoX!hD+OR zwn5viJ4hxjSQwu35rJ=k-OjR?adaam%%h0Dk(Q=to9V4)VeNg9dh#1M+tJ%?;4P-v zGDEKuOacGj0ZIS}P#!!_-*bjO-XRXYv?c;|A|Zl>O6lFZQFOJQ+lt#_JS&%LD1rKZ zVdQ0{h{!nK{qK~=o%Zq6q-qRv+2mBND~p1X^sbrF7o{Fo+)#;ZhBCQmHRWHCQrykF zsQe5QADJ9^Rb9CePU6lTYiP_MWvdiMk?7m^)9pUKRc=Lt31oaTaA@&PXsCnv!}G{% zbJ0_otc!w6$BW_oSXjOU>kSELh4M<$VDM1x3}?Svp}N#?Fgb6@{jM+BrseF8i6e26 zrYy{vN>}0HqkRWkY~4nhS?O>5STZa*y5clg;fCL0kA@S(f3O(Z%nn7a+Ksj=3$tKr zo)`9cW%`v{*PK3i6x`zV!Nu&&37pN0?`Dzg$g7_rTYrea41LqeN!8fhIp=BRcd}XG z{tk*AsN9>CQ>h%4@s9Y(a^?l-M}eXo*GI$O2jYJQ)abL#xm@LLG?LJLG2nqO zYJ|HP$oazKzPKaOs!k7%b=WKJ&7I$wM`d@@9DyxA-pcFdOmlY6rF_LpQCNLD-W~TK z^RFJ;3kXa4l_^6Qq)vk7<1V+lp~o{m3l<8PJb~4q(?1+?|tykRLHa70XK?4w#zrPM4A?C1 zpRTnh$-mr z>Vm{*8(SLpmz#cj-tx%-i*&p?)sv~n414@!eIMv;`}|t$?O|t}dE^>iB=`4IV~L93 zK}Rebc0oFTjx2y);95RQ{@D-zzqBi$EC0V2T;pxa4k%>0b;tkX7iVl<-iFL4*L*%y8Ca47FpDd`j+ z1&~56i}pBvsQveXBr#j9jtqJE-7(j0qvFS}Fqnb!dwsIILtHl9>8!OYr5fSv@^U2C 
zuE&ve9sVpb^Yl-6_*Z#!)!gf>6Td%@Cr1~{b1y82jG;yDXeE{?{bFsb?wV~^DihEs zeviSFUqlV7fX>i6EWJ?sdi9u-Y7|?VEk!3|;q`y%N!3$EHXZ@E%Pc{Lj1YqL&(lh~ z4#0f~?-`|2WT%f?ibWh?884zVE2l;6>6qW^hY=CU9G z)qii8B^V7Qw|_@3sCdjA4b;j~_gj9Zbmu?U;i!P)g}7`+0o ziSyO@V-ZI5X8@H0vsH9k#~J?VBuD-rnrb%pzFQeJ6)rNzwmba*(}54A+2)rH|4z;( zGo)$G{4Wh}tT0dVJX)>n4&i&kMUOiJB{p~fv@VUbsqGAWV|WwIKZ~t#y=wn&gKF*( zAA7vN+jiB$ss~~LsMUFXO)mH^OPSO6i+&UB{~p)Ev;IdolbFT&r@hD$%huOSv{ZI? z&WgFo_h+!fvFU2hX6@f&is~jirD>YZuV*piFc>$X4*uCIV3gOwa8L$-lwMt5`VjUn z8!iZ1xTXcPaubA2UKa_AOY?E|Rf&EI$&=rJU(elxCvLF+dj$`ZLSp>ft%i!tgCsZr z^p3@o<=R^*>D6-mdXD17iHU!~L$r+#lVTfbHof%Z{29hkfbVc-gjuQ8pNlpV9|rJc zvh~#un7=27gj}S6a}aaeVmGkQuw=@I zZvI<9|BwDlBm%+$vm#s#n^=E3B3-{rkC4NJo;gq0<{4Huj_m?B!cJ5T^=Qqwu9*8A zY4~J;ZTQe1%U^?cSH1~&@2(i{r(@J!+=1K&{mi@vVUcosqDVpx;I*nC2z!^x>F0u* z^#)Xp>BHCDdI-HGGkFUwi}_+%>n~pgjRMh2D(wcE<-PQd)9)VCf#jhA=*ViTvZ(;z zDzq)&GtFuxD5{pfCprHxhdPX*7r#|HO#vDa5#|cQI#Zlg`Q$;x2{sIk=9aCk1&Wao z-Qy_3)LrbtOu)h^^@7|^9{lu`S*x5`ofOYnHT;m0m0p%bg&y}T;I~7|VG4?#ntH`m ziESg>3-uMLg=igY>L-KhnHU<5_p0_Qajv}@{#aKwGkVp@lbN9ze3@k}zqD$G-^Elj zKF(`VzmJuS1}8I%I(V+^FL{+LB_l|FM`5f-hQ4i7E9v{xZ7i)@Ig-KbdxOlWe zkJ8@te;|bo_F#a6=wSK!1=VyX*Md~*lofZYCh4( zc*`Zuf{)WA`1ga620`Q{B-}!ry%N^M%xWN7sEv|iuK?w(@3_>HMFHpi!SyIF-gG)k z+s?KOGc^ZgC>G;Jd(|BJuZ*WSL4~35e3Qzou_V10i|e}fwk@d#e&e~ZFluuZzO&HX z{6)e~%tQKkpHb2-Z*jFKZT8ptq`b$lbs`*qbS=-EwC-CKx@WwcJDI;p$L>C4rN78O zJiXrjv}cj4{@@b|Kq>`d%Dd*X5{YaJvfJMESqGor*C*HtlSVQc8$}sd%o1?U?fiN8 zGw81h08A|Q#$Skx6|x=LY{>$!6#RIjX(n8(3lm5w2loKb=SD~A*M295&0W&#EUIi? zRxCa%B?ptrqoL&z|JWc+qp9y9J{oFi+43r6-ndGP%{$**srWiRI@5lhL0D#cnz42? 
z6*cGjUTy$j#Pm9EHZ!z-6=`4rSU!}NUji-%jectaLh#HP6h3)8FR=*_Ynr0~1l6e2 zNYkz!o?Dv>|G& z7lHY8FI`6R43svia4f zC`^rx)}0D|RoblHi|fSVf*8vRK9yO0X$5%kug+Rw*U4xq$Y*J*;2pS*v#=G;2P z3kJYIMV#BU)59(nR^6~+d9FszF3%6xgrU*8P4?TM=#HN0X6y{W>QWF!TY-qj3-YZJ z^_vlA{Fyx4E1|YyRnBMptU2e+7rh>O>=#KX!cX=l#a?c@+^SZ+yFct{kvWZ zoH?&v{TGqrQF4-U#Ba4Tzsx>G%O4e~Rn*X&dBFX~7yfh_!Zonml~1=w93`Y^CMSX% zdo^hHbB$&(5lsL4@rIl($H&xQ43$E%&om9VaVMdmNS02LS{$ zx|0x!C}-E*@a6?GHr~@8y}2}Bo(iLuiVm*Y%`&;AcfSEW=o5t&)vsW)vgQkWbiI|;xY2q4+KOKD#_Z%sj`IvEDE^{iK_MbqZZk{ zF&ck>SvLJ>^3VVvRj>t-QRw-460>8q+N1WGMf{+`HH%sBodJEzsm7p#qa}DC$+h;7 zH%zZ(*6X$n2GS~|f4sc7^`O(CHO!W+%=L^Jv6Pp=R%X-bJ?N}&3{a&Wp{B^pjC27` z(-#O^`wU~9HfhH0oKw5(c8A#Z)S}6Y@!Q=2eW&^4)0Wm^&iC08y%Oxqq*Ohzk$GQwNL$C zvu0}|1>||xswpIS+!u&IyC6=vfF;%!-qM$&F{5F2sE0Zlos2Xz^}3O9^ZBIj-W<@L z&sP-?p4I)$fZcMzyR33B9>29k_>YRC=?+yhyQfrw)BB|CSV>!7ewB{b%%4cfZ#uk< zwCG5JdeKKXjC2F6n5wyiM_bjN0QKX3-9{ss^Un{J^GtB5*P%4L^Q_WoqU$)EWy2)# zbZ>L{ebKyeb&=oB`)VCdy8IclWB~GZU5RF#jWC~_JXw3;RUOw&OeQ0UksE(XY1ia< zk2$aR+0s$&Xt;ZRP>>oSS@28QBA9~pu<#_BVL1>q;ZHpA^6hix#}dt4J8zftYe~-ExS1yY@y8l_7|m@W55m}|3hCBWA?J^}oWfPcn}F3GB5 zUEB`9FPY!w02n@I^INgIdHQdW6?rDls-}YX0ktTZMv3~zh}SOVrnop4#UZ$-1{+S@ z>scL7J{I{3u^adUUe-190{s{8`tiZ`_RoM)uMA(X!}KSBPUE^{>F#th#hc3&Bx9i> zlkfNk`;qT<%4A2w;~sujw&4($`t7v!+0mG}xg`0MCGG81uL$usC;Ob=B!` z5-0$6k4heQN}7+H)9e12Hf>M$L_esQ{$Dkik%sM6^9E-c%dNzQ>sY@7J(h!^Qn*+* zg~zyJt~8d+)KfsqcT3y3N81cz^6W@~d~|(d@%DaN_GOKw22*@GOZX%tV=?->~{IP@^!!Q^Y-|Q>` zl&E!G4rd&Xx#V1cxHXq1IE+vto!Z}w@@FwLaeq)R1Pe3rof9w%m2{mi&;v;d8{b(D z;-li)QsD_NjaJA8Ga+06=8V!(C~rDpbbEKysawploY|$h8ZA&%2TLq3ccN|th)}YL z59uvAUJ&|s2F)@uE@p=fRgnxONc9WfVb&F12=#4=WKF5$kNG+&^EAY>Iua9@>9ZW) z#pS5#H4q}`k^|-}#s2~r4l+&`BUODk3RhGgjRPgoK_bm;s{JebOKr2hU1HE!{yA?8 z1#N-C6@&k>t6^sghrPK+7VV1um~l40+q<3F8&$lfSXVLgo7DMhT5?ev`SPuq4W9h- zsP(p?(?^u5lRxWeWa(L1WNY{olS-i&1_><~3d7Q<;t{dJ2-ueyOcKP9l~iHAAKS&4 ztWX?%-s-CP6AcjVfR9r{pg~S zGxfP2h5m>>pN*9IS}vkEieWJpS#~EtLT2?8Tc|=2g2TaQ{!=T%B zs%)}~AyIDIa#^pJCvN^DIGKQos)TrCb{CTNJ4T_a`4X00TwkX@hY-PeR?}|g45!>C 
zK8hyw(ckR9>}7;G@5x=ixb6-2o;Y~o;L~)`1jq*bleSyljW0VAhBo}JC*(AJ7z^%7 zjKtWUkNKdml{BMLQ78n-Zc?QHpEp%S-3)=?1hTgQr`I*Z<%;&q-J=pO4JhC%lwn(k zTqAH=1Z78GD@fgI8Ivy6u=)xYXMN(ni<8ezaCY^TPL7l-O0LL?Owv$|8j-ep522QpFWtSW5u?dOxY^k1 zY@Dr75Wl?vHqFl1KI&1VoZBX|6T>rBXBS%8^cytM8uSaI*xOEBkkEAN;gZX>0aC{YJhk`RhKZ{{BoSSE{H zSDXE)%VZdZM*#IMJkuDa<+f~2NHtUuW9n@<^#R*L=B z@C#9^!*D5mTlqWXD{J{K)&-nB1~LuEZDajK!_j!11FRn3D5;51Yl-W4^6+!qkA1v? zikP|^(7!8C{=H87hNuc?HH%7)62#^-94NBv&1OueE=(>PSYSZuT^k!BW|6~_Ubj?^ z_Y`}#yHrmh0oORu7^>+9k_{pyPkOWJXlxmAUasHLJOVl>^qP^ktS(6^aRScoQe+Sv zK)$mPzKZ`09SMM_m)fpqjNt=PqkB0mgMLAsD3WGcb-1!VgZbCFqWQU03Is2h4<&Wb zAT-A?*O>TWMj%yc#o&hgixvSoP)+p%tNZ*Rkv#F^31Cj|IBgXgNsBH>k)fhN-2U*H zf(uazjbyr*S?~y8>MCxaS2RrC?cLjiWTo;37YR(N{@_ay&pRE!76|M-p5R+Bf3QH6 zuXrvr$es&;$+b1(jmItxk~KA7odTff-^zz@u&`~rrN6f=<3WkFGfJ+Zc$59U@2*%; zE3V)?Ht2?d5L23UN^yHCP*^ zLlAVt^b$+`$&DG(cOC1$uc>(o7|ed5>O?ZH5qCf+2|Yr}YW_t|rb;kBHdu;^MCyqZn&NeX z*9Rd8H(4tRb_oqxinFsP3s%H|(Aeh7Y8MnE2y_BkZHxv@8`iHSTCWZ+7qGarjlt!J zR@U7^NN<;6yD(xou5K!=u zz|v9gU+#1Np8X6)PX(-8pSca2gN1wjv92O1iS?`TI=+1cx=0}9CWIJn<< zzv=kyCCSchB;8f>qu-k#c193QnZ3QFFVwV zI@QzVO6XB-RIA4ed6rM>C~j}sP_sw3iou*hG82JX3`}>PMw4DTKc#3vm?+t}0C_w_ zcg2!dYQ0{hnVAILa zOEkUQDJ_VkUt}zCAxK?A`p3m)kD}7-xFNG2+k*tlFAm>Z*7fq$Q4JpBr&*f+xJ!*# zZudD(zul_2P|AlLU-^gDnu2J$Pla-24j*=$?66P&P&JDH&RVw1f3qlP`uoI&j6!K_ zt2Lr#U$wg#?ZXyYFOb4p1-otpYD9x z`Vtokob*!p!R>4Gwj5{>IZy=fv|ED`Y`>OVNSb;yi*+!GIcH&Gl$3(9u8ZfmtY-N7 zJz=x$G1RRCdB=1C$B+EULNjH~$gGgb#u7`B(81d@PY{*=*z%M75m$-eU4=eRR)`%i zMS-1a=?4rAwc@y*?{G$Z1%a~FA1F|^8kWZNeXr|+Vzb58VfEMAB+hm3edw;{p6Y~0PiTCM$$>&uE6RX$-JeYMFPza_1ZaEB< zYa4~^ubw)jQjG5?HR8_WXc9J$h$oyRRLVQq*7c=9ZXzY z_+nn_&!Q05MI*+>_A&0jI|h`_Tu05tH`6?=ht)1QEZ;Ds3T{KK4?ek-0oT=WM54|(IaS?M2mVapMoT=6V z?q}$BizsaM^AVCuT~q)T%?~zUX@C|tL!A-P@@bdv{0@9MbFz7iG(8-;Cv*K|&HI*joXM@yn>7Gw_zoCu zK(SqHgU)(Vdufylhh!iyZ6CfoNv1K1`yk*-jt_85DoSk6MxAO`tJ4l8!aONoDb&CF zdh zJHe=irQ+zD!3N2;1f)8*=&C9*ABlgrRrR?<(sU$OFU;Vh2voQAe$n!_l8=t~k*g`d zca7jkQ>{?n30U4vdSlWr`M6m@wewcRSEy=qu4Eyay(^qrZ&oiw_}zhO(E@rR(P 
z>W0?rg;RQcwgbx!pV@Ew$8U>Tn9l63P@!Vum|-H4rVN%Kv+ov8{NB{-@6He&mx)E| zNHL(V@gwTPW=Y%bMh%z`#gp?;-~W`RM)iA0dnSU8x3YlG^vbtPhnR)FP4^V)LhW|y zb&J$-(0tL)@Rp@GJkWs7)T>&8l2SSxoaBFvBQYt}Rby15p4zJUPgsq*pBts1cL%@00o6 zd%xBKoKpi`f4V2vyp6^F@R{>YKisZm(|27fb869TI5iRU+(>5hUw_+66b=rN<`Xaq zMGR4kCPv1W7F^&VBZQe4OqO0vjGs8p_%>YyjesA-Z?LH4 z!j_7|B`s}u0yKc(U^HLEOe3qFA6UdFib2Na zk}J1YTjY-_ho&|qEb$_V&7axp7(cD~-mF-C0=*AX&elp*Gzxe9ljaHZXK$r|VKQ|b zv0s{iv4m*8kR@OrXX$}l)4$?3k{g`;8_ud1JOLqwois?M_rS$n zO(WoA`y!^H=O_I$Pv#kJqB->dn#+H1pEW*ozu0bv)y8%*D7_BlS*3Ow#wUOdb=D@{ zZjm|kCO=tX&zd~x{wCj`^Vezqr}l8;g;;sQWwkf(nwOZ^gkJ+e+Q1NG-stKd<*faQ z_3idSPy<$OPqu8ni2(3r1^^n(-(Yf%G|2oqn@#!;XJFpg(DCK4#}@a{qOTa&l0v6E zC{H%iS_e=^`QI4+=S~R-45*9n0}2Z%Yytd;ZWNdY+=TL*>NX2KrIca#wB}V>$0+^^ zyj5n;r5YLjC6IK1RUf!U*XR7ZodZdXS2+3hr9Fbu#+$HK0_~NF1)uUg{pqL+5)LC`%8bbp?9lp=*B_t|CgWBz01(YPSq1MO5ew1I;EJ(u5TA}oZG zJ)PYaXz?DblQB5*_L=+x=6MZb0qsrrtXEBk2}~2XqB@-FfVs{?QzV>BQ=MCw&akoBj85RH7Q?egl)i_* zLWj$2TibXuSdP{k{7s+|7t320d*52-rFn$?3CVFqMEovyU37E-hrC4PEt)TurjhXX ztid5zfZ(IKk@UJm``Eg9n~VuiN<#|0tsoH;J_t-TCK>1zAfvs}K|%dRN%e|3 zr))awBHDw8lmD+nN61d;ajS%cHi0< zs1D}HuixVH7h3J!WXviUV^0!MYgua-C<>?1mVvUv>W{a+x+-LbFR$t!$6rjAJvI&+DnD+e5)n%X~r^Xe2KG6g|#&OB`E1H;7%s?XHkP3aixsaeSRpv zpxj@I?dUD93wnN^2d&RWbnWO;dTz$X)qj5blA((270B#1Sq4hLU$gTK zshRh}9?t35G>;6DCbN)u;0kbf%mj@~xg+Hc7vXDFGg}ZvB{VZ1Rw)ubjX^O=Y#wy` z%Xy5u4 ziTF!SGGuDBPMck_tsM8jp55dX*#IRN*Ma{IZ(=fCPQ>}J-- z-OH;1fT~&QcE1(H`S6oJkqpN#CjncyY@nk(yDs#woNwLjNfV7095NXquI_l=vNf{v zD}4V);P#d=I(7sN55<=D|71z2xVxEK!}YYozhDfw7tk54rWEB3Trm{(IufO=1CXux zlAOcmsF65t9l0VL?h^nwPseBow^iQon~hrC1t4C!BYpW1^OkTXfn^?(f6yVsf{NGo z)uBtv(iXk3MXkDNqB2M&08p?v-ZG!1YCzIoY&gI!ej?&}EuSxRS}Ib)B*TFV zc{2cj*qIX`iQ+$sr;p{}V!_%+?=ivZe*}tbt3t~p}Qhg zdRjRP_vjKe)vOU-VL1O9_}Lwn=!Lde-i3uw%W;6S=9S{Y#vqJLA|o-oj!CiX>Ecau z(=%mr))BEI|2=%By@s%qm}p8)t-yb^YByJloPN|9l6qYTZp06Tm|@KaCzyQag~He_ zlF(P^sz#&1OOH26TwnmX4=GdS%z06*NtwYUj(E=lJ4n?Gpvy9aHOudi6fF_ViHQ${ z&=`_wygdd4Lp$6!xO1~jlM{|_>fvz-Vu5gw+rb3eO2FTLJse5sVBl=YqOnlCAi(}W 
z(S!VzBmiZe(Gj|%?#)N-A23sWphs{=d4rj$+x*H&nPA*Z=WBPqKe9(}FXDQE*OI}9V4Nx75_nA;IwqwN!j|rf zNc997h?To|vNoClqV!m@mB2jeTz5trlNSNqVnQwlpt!Q|;rIJ@Q<>YRJsr9?pV+of zxksiI@-BJ*Lx}unS+QhBnP(Oq@LyH?WB%jpwlcd*4Ck?p%Ruy zN9PcA2zdnC*AOM?KyEbV@&$Ykuf=B{w?kD{_xr*~f+97PLqj=Fv4z}N z;dPAK1EAXHP>+ik;;>V@8iTWnHNQI>U^J9oz-0}y>Vz^~zcHg+jiK8@kb@wcm^vMj zL4IftM30`x`2a+{GqZ0e%(kAFx$qRiO^+rYR?fZoGmSgWlHMBBrovM_$0!)7aQf27 zQxV2kD9Wtb2tB5D0T)a6FJtK`*{*0F~?C9_oV{=DEVWK zV{|*

+$ZT=_>Czg>{st z-!oN`<2OVI-0yr{ZGP06Oq--Z^Q_L!M;ZoFHB=@FyonU{@ zO&?<*xf<1It`7JY1T9O;v&710_hP@XTs`HI-M0KinKM-+g!{Rbg+>Yp3-TQ>)@@+# z7|Y(fCPJzy>;E9r9FO)$f0>_QF;JnR*f}6jl4N7GIhpniH>h{@!(=$v@L{q|jz^o2}K?NfA|GN zX|(rDIg|2yv|yM?jG@xlY3AflF)U0{Jw;*$#V5u`j2u8qdlV<0t{#){_NuA+pOg8Zw`V=vH zlW`VFzCtpzv~=U?P;CpY2^KU9X%oVlO0zb%wl6VMHi@IQn*V(Dqf=m$RIIxN+mdMSrCxgh{_ql_2AYo5q(?lr@JVvO3#sI!~;~S?N6JtLLsdxoVgv+km zo)IU}d;|lclP8g#dhv#`B5=hJe(52fXc2ePenINdB-Z&A&CZ5#Tfpum>kFYN4Fy8d z8x{P$5l^V2!W1K#g@PO50Zd@P*b}CZKG_OQmHUWx&l5*;C3}E|TTcCt=aXfEt@Xlp z08wup6(II3TGpLqPc4X`>XSrL%{x4huTPs+baHkZlFjDLw~8MR{J)U6ens>E++^}R|89O8}X%V#ScRi=5}b+*XXd^Y&X^}aH312ka>?NL4HK}Ir&T2ETFI+PN? z-v-oO@?e;ddHCrw#h`%q^Fll=ZD4aJ(|U9PTh_~DwiaOCe~)T}5uW;UaSKG+Ua#c( zgRX88GOY*Hd!MAi)rWX3K=$y1rT&(L=d$bxNdW69sdm|Q-3LYg;AY+dp}?D8m*BPJ zgqJL7CcO{GWi?SBk9*$<7CGJAYYyW@np1#RMr7*EiI8*C3C~Un^KsD?nX{2L&*4%# zyaM_{`{2*Hb6LhQ#viuQ+N{6_@MNU8sVL;laxiW{z9h0E-Mo{|q`Z3(ob?dbALs8)9E# zwUp4)>Th+`qW`WgYIe16+>poGZvXt24oGl5M3dov~ z$5_@}Wq)jdWoNN^Pds+FM}7N7GFi7i+`HHcZg;5<=CB`K-OUfPJ?rxR9-@DeWOS)j z91mT}vJcSY)G$%RnZx41=TPxjg0lByWRGJ9??LU4`*^XpcuzE#-t=4s835+(r$37fNc|5vHnYQnK>gOghnaU&WaO|b$;rtHhFO@r6;LnFhxoE`Z>|g; z#1!?>u=a7rK}!1ufArz-%{hv80?-C5m-G3VS|<;DwbWo29e21N0GXvaTZ!!{0MZ-K zUNn#m%LB_LGm6{)ozYQ0qfgiKY$pEO@mKe25(ZWsh) z3=sKW>0b%$uE>G4K;}eW`HS-Hk=LS3E0TZ=x!w)}mvOH%m~iIBb&vB)09aCQZL$Bu z%QWRAS;ntlB%kT|bCH?k#1DZV-B3L&MCmWIAF+uK4aH@%G5q43dBKHCQPdB0#9tSNn+?zx>tcV8 z)+G_Ze&FjLe#Gnz2owKcy-T`TNW4tuu#3aiCz&bG{^$fku{r)710a{=1@IV#ns(qh zPnp@>9HiO5pex{a$~M=#Ux4DI6+n6>E{y9HY0?|FGv_s&0}pJ4=B_$RY;Dg<&C5Fp z@qaTxCfYH{%u}F2d)BV>Qz~zMbdYLV;l2HQ@I~8P6Q`2P8sXRlk65=6zCn?s!}~YD zDAS{mQI#rE{s@ZfS za=m{I>RDst0<>^YcVXm96Xh`={le;~dFAKVXmq`csU*b7?n9siY=Bv@1K5{)7lLA; zL@T?$PranZg!(_Vk&o{x9*YcIX5clkh=P={X=j~xH`VY4sA=i`wc%xdVs`O;|ug*Z%*uG*OFQg)&~I#`xkWs z^(1(O+_>34<>nJ#@wK1wgdaf4+7O>}j}2@blCqB|fPnb-IR2Gsg~+)Y*O6y1J*xH7 z5|*D1iK)!W5UhObkee~0x&kNWtosIf5h)>XeMNKagyHIA*F)be>FdP)c!HyY87q4s zj&r0$KFz@VMxhiTx{+=0vQ6N7gUfPbT@J6-DgX2T&tP2u|I5|aJ{L>JD$^%#2q%*u 
z*Nym`T9{R)FO25s380zf@+WOc=4yt&k#6INzd?C^RAO8SDxHi{v>##|@NvRUycf7( zdy16Mv*fle@Yyqv)p;P&9&qT!4B5tNy_6mW-_1cO2UxasXoz=4Zv{ImRr=aBh--}{ za<`S8e7c>!NqcJ(1q!SR7B0;!VGOdt`#wuwO!x=c{i@Q}J*5XKP$R4g)u~D5m}9bM zPQF%21P7fN@XN2;J8!#==h7Yim>0Zo{XHcnl=zl+wILTT{|pUgPc_&H{s0NmmRC6GH=Z2-s2u3tIx3mS3zB!`TYE2N`{A18*4O)->qf& zj%vV#(nEcJAHzIv`dS0qkxP~ne1pzb+%vPIed9WdL&wt+%TyXj4f5ZFo`1Mc&uX!HI{UmQJXC5 z=5yM4FeB82lDP+U7qv^wFmos4KrmT-#F_7r3f^X6<^;TrX&Rp{T!4LFQpf;P%kf^@kaqxTY_{lFPQd_S%>Yd;u066e+_%m7K(_V*<$(b)I9jEK|PBG&ge=f z#CAZavPXhL8cVlYpR68_kbqMtlJV;NUvfnGjJAIfzmm_ISBkz&=}Kt_8L>+SK;$k< z(R}JrEz3*oGmxJVP664G&2LR^^7?45z&@I%03_C*3fDmz?Fb@akUO!l>2mo18O*-8 zai)ab#xa6>C05NoLz}T&A9=k#XEpRvru>a!a+nDx;*hb!LnV@C(p=lIo6K`?zKOOF2s$XFFL<{ zdy_{(Nq^xxpqIQ=5$G)+vn7>S)uAi%O!_ARd+wIn}sRPQ$& z?tiDqsNySsR(RmWRQ|#c|Kx4uTB1ES#e22u{Yo7$YnZifoR@?sad8I2eJ2q}cL_X0 z4+!4cGefkOH}$k;4X@%3dceJ_apOI^U{AUwwym}f5`YKomv3KmI(0nZZTnT)_zyCQ zR9uet|Gxl?+p%?;WMDCdk{+F@%3kNaJ9?`Ms*x$Q*C3l*=#q88?}=GkH|MVi58h3Q z;O&nXWJ#LG;F&EMHQ?+(#55`2dclh0RQ(g#uSlq5D?}Te$@B(^uZP) z+bE_rq_qTDu|VtrqB*K`*rHR0nRVWI0JpEnBR!Rab^b`5U9ZwsHeYKwL#KXDw4n0P zNBq-yerBwvRw7N9KpGiL<$9#v|NoRU_D$YcgMg(qv;AN_vvCjTnJOX>zLiwUF!C%Y zGR6*iJFECCNSwyAU(NGwBjgP4svXwfzjMU)COQLbP#~_-KreU z6=tr6$O5|_!G`FeX8~n6a zvtw2bRxmh+Z08$>gAk%!w}E~IVXwMR!ICec@rs@j?`GBQ?A@EWBvd43+2Si!(DZH_zO;#_R)=4revfRRP9n({t}r)519(ihg*1tx!A!1y=g-O< zrO_+0@~bNVsnc!Bey@`*nWYqwe$$fZzIOT|S!EV`r6ux;>_QM?g>37S@FDiH5wD{& z{@2j2_Ny5{L0sV9R0h*y+X2gGF`tB+`SVZ#Na%V?Zj`h!02X1oiz4HdD)kEYAUr48rgL=9?ypQ*~V zeEygEysGfW8Q1cTouZE+J)BfEeB~TmMVSXdBO1&Aed^?2kSd^vZrZuN)?fiR9H1ep zGffo0gCe{5uu(L}^`Z?%K8S@y1#dxdaw6GKv!EPM)VVc(1E>oAOLXCK>;Mi8+-Y>e zv|M^cGFHaTQE_9{&8J}g!>Rn4-;d|v&Ch}OZ_+4*8Z1#=i3DY`@np`D+JwC)a=6=k zfSk#;&%KF)6udelhhfCIW2YmMAM0c^RGU08eHj{^ZM}>iFCERxdbT9>oF$M{m;P^xe0;x7bzQA(cJv5@2o(gObPV-mExG z0cxia(N}%vn_IAsxOazEOr2A|Fdb(XH{qGfeyko$(Zm8S80zyeaRgt5p3@az`EmL! 
z-pJckf2Hq0q`BJ~-!V54E~w41UbOlOE%Q$TtIPZuE#`LO2&xkaYha_|-Ffcn#ifQ2 z&gY^ynV=cC)Q)9ZH|TVQE+4>l!0#+>>?k z`OtQxwI4U;1#B2te#b*!eS5VrGX(x_HlfyF|DA&4y%8!y*db8LqP@};h?g$Ry);kGths`7)z%8r;Av@!ST*;)oGhv$f@eRH5r6^9+?L)q^I*k53@(P`QFiJG%CL#XpMNtb|Ek>>=eA%o?f}27Amj=f zc)~9-v6UMhbT=^o_L`Cu<_DpY>O2t&+snXQoZ#_OF~c?-l)vVlLM5GoZ&jQSv8yI_ z>x%cQm!aOW#v9Ft`aLn07)y-N2x^mlbD-@-E||*b?!003C71O-DJ^O>oOZ8)oaTP# zJc{BVqQ*!G@<*1$mmGEPiA{SIQ(2Q0W2k_7W1xAZQ-0f=aZX#WOz4>?i&yWmi48Sz z7@#kA^k_~uKBV5x8v*toQzUy~xRf`KY7~(bdCwBady!VKy%#Fy&!^D}F?;ULwM0dO zlsA${s>gTnSCw;$Tw`7$Pth3FV6}k?qTbikjd=f?wsA->g*3z2bPpW_)(in|`N~xIgkV>n@?5mMO-CGGY#pLk5yW z#l;W|hfMj256FA5e*&ylqHaoZs&xV5=hK0)g(q6{t)XxLi+SrmdLk^%lb`$w|C?gUsPaJ zqm-S6~xZ_$@@H2jf{P+uviLn{W`E2F)^@pD)} zr~Nq=rNsW8Gv&Qta220f?7&(Li()LZ335Tmx9})oC<*<=l7uNmZ~(~%U-DOk8O!)b zko|*zO%h-e^e%frqUCiu>XIBbrNoTR;#%#n`JkX@o!=tpr3`7iR?UZuGYN(=DrVfv zX$rOI!bKf{;`Dr!99x!63X2~1pI1dB4DxSnejV(y-|_rP)I{JzN-GKv%r!#KueQbJ zM*F<@$$BW4YCe%G+`vwE*V#Ao5@oA7c`B!(#0!1?plGaMOpNDcoNshr^HP^-)1A4@ z>lUwdUW`Rd$TZl)tlA9xAi{!YFR+MKB3wCN3tMG9re>pmM<%tp zGrtYBcn}^_CoiLOIK1$BpQA0f?_{|OZ!sV%jSE{KyF$NYSDB3!W$} z%&6vnxiLK}@PEUlLF_Z}tQ7*#fXP?(hNzc3t~^iBXQn^DcKiuGn)5$iL#~hORzz%` zWBVe~{aqe&rzVZK;^Jp%hz+KTv3yfA0B{A3c??LuSe;LB_ znKMchS8I3YCZ1SrSLe#m^OPLf3azu8Wir5NPX%JDLHKybceE<)!13RNIpPk}If}T6 zz$Z5PTpQjG%|(n~k|Tp`A4KpUH}~H09QRP(j~uQ%H`m?$5qoguIaB}dF~NzbZu<(j ziTQ-YV4sG)rv5!N+_fj?*P~h4M#z;Qj6)j_=oT2@Wrs0GoWEbESu~Qlt-1CFKEL4y-vMZf`He40 zPf44kS`CiIqazI){E1=8pDhap(soh-dr7%bz%BhBe~pV==ix2*n`l!11hjh8$_Lj@ z)t$gU+17qbLs}ejp7mo}AvESmr@$rRtcyN7A8gmgWeL z!>0P})^KLIF?=|MQer{a`_t0$!yWMi0nNxWin1(MHNTBC|B~^(B@@phF97q`hR->aGnSZ3jQ5R08A3Y7@@13p@o*J3Ox+A@h>#5?a zRYb=vsy?T7w@%*=g`Vy_wago-lMK~#HAx1K2`xT~6yu%hK!04K1auOm|EXdK^uGb1 zyZ(F}Vw(mNbjbFQm^vCK%64QcDV-5!wcss#O z^F`{CM858~wj8DBp18sbVQMY2W zjK6HoQC}BNnT#s9rYL(LMp`|pdn+UC=-b~;37pM{DG*s|P~49%(=qfckuxTg^c=B| zz^!N?*QZf0R|&~A0+IkzN94I>s)8p2YV4*@1AXRoET9W_a!4z$9i)o0+ee7AMv7k# z%U=n&_BkU~+Vt-jf%+UY!U4yN8B^&RurCMmFFnowpitmjKzeUG;J!`KDOwiv%- 
zntNz-_cdo)Bh$=CaE`W9W6hqebOzmfwN{rZOni=Fn=RUXD{q{4g}jNQn!2!)b^qEL z{_V)hCX*fCKVM1M9UO+nrf_o6n$o*T1g)Kn{%VGgjC{EuLzR0Ri2zlg2$!tm`oJ(K z+R&?&NJers0R6JL}!5Nc807-NPzFl@teH?&8^9K+1P zORn_MIjfWyX8OeKID68D!i6L|FAgP$H(pps=9eoEhDQcLp4DwL_A{ku;59q9$ChKQ zcrFS4_rR?!2i~BJ0qpTz(vHVbkK_LDp-&j#V=1KRApzmXtDN#HAC0#u+VBVWj8HIo z`O0_S<{vH5E(wProO`=6SnDUQtXy2QPj39Ak#79Qp=GMQC8;|M{~19iuz{H?o&}JE zzJ+nRH|8r3MzN4{A$+17g_NIgEu)3jnd7rgLY?A)2Es5;163N1Yal! zcBJ#UywJD`QFuUC;6J&>p8MPKP?Pxg@JSz%n0qz5z@2=_)TOHv#_VBx4-Z#K3eI!S zvjyzoazns&rY6UsyDsW-AAAza+6}WNzTV%Sq9IHx0Qi00^y!}fv**q6* zF$H%~-U}a(JRZO8d3opW9Tg6V>;`|}F)@3p1m^t2#UEBKTj90i@QJC?UmEpWV%pTl zTdP3}O1Pcgzv;DO(w$0UXQH=W;_W&(&Q&9770KP0jt{nD4v2bqQBoSllm3~eaZ7C`U{$A(~sU(@)1D-4kp_H`{gJ(T+a)*Wb_0s-%dZs!Ng!u8Tc>H-!I$yodlb{O!C4Np$4(Cwo?JgszJ@e@%b4+~3gyv6ClZkqb z#kA|0GM|t{E;_-sO$h2qJ)GhaakPJ)K931ML?5^Z0V#7`|I0#G*X}m|*UM(fJB3iJ zLbw>6la#jdg1u@VubNC*AbE9YH4hl{?P6NVSPLQ!GG=#j1y`h=OM#ns^tNqO?KU7avs#m)zBZyu+l8w*$e`HCl+$ryGUedwcQVHusAw`nRs2ckpOgo4cPzxcb2S!EJX- zZ5?e7dnr4mhmnSVobr&pyo<<~t>i&~^zW9+QY#Yy^!yOv{SX}I1* z15Ih3x7IR!xh$I8#9B6FOoA~=i)9~TgcpfHZ#BqXyqchwf?}yIoFfv}ACQ}_#^0~1 zLraX)G&5^3o)4BdU_@5s$$I;G(fNaoX$8uimB5AFEs?>ns&*cia#A+R=?yQQ0qe)5 zUW0EJx4Ybf?3qrdpIj=UK5twE9`HGqeQjhY>-!9OAEE7URcM)CEK8rC6j?`H;zstu&4g7BPOJkdTa#N*Xp9ZP?_o!_tb z#31;_EZhi75T!DMf`>F%R+D|9L8MXkM$d;bR*69GQZAQ-XEIpD?hsm4JDRobi&|pO z7o26eOq5dsv=FzfjZLu!Y+|% zI?oALcWs%3gki<9O7B5I5!rScAYdoNVrHe2H8KRoyzsAM%QYPRa;y|rvP6aKzTI9Z zi(|D#!jF+PDlcewC%551Z|ypbF_Ns_L9#ETT8g~^#o)53q`EV+>{lxh9moOwl45Z~ zZJ8gUi9_6$2>hHeU-|3Ix#}CE<-K?$)TGmuk{g|?1siJM#usF3Qi%VuOl$(Extd*T4W5Ucpb(d=E#8GO;~GU3!x*^y(bbZefB54WHC z)L*f#9%&(T4QNY!xfSND-ErPov8lelP%qKf5=Q3#bYi9e9UgO;rTB150`X1NCsI(+ z!mbqo;~~#Rd@_B<@Gw#&WD3nU4aId~+7G^oN69+=jUM;?Y!jk^CF{YHDydf*ju)`v zy-WDfha|?nG{z>)i~#C)W#?i&PNE~IyghCL@y_^&Zq&;deEszc9cnrZLf0YG-IWv+ z?%G!No&@@W%nr_AD;85ZwFMsCVNvXr>91xS+lEztqzfBe@m^A6Z!~3Z*vq}znORL< zi768#%=8soDBBtJi2}j=K>may8NwfvEYoDQUG^#@zcKdmP$y|NC|*M-_fMndsrQ8_ 
zXBJ+_z;)N2&P9JNr>($RNqZSGEt`)xYGvp@5C{^?HOS=8Nfo0LAiL8K5o@hW$~#|h zL}G8&X<9Xa>mW9gT%cI%fLXgOc=SfEOs!5S7vx;1SpqJ>t=)XtsAb?g2^#`kZn?#3 zeijYhi$`q08FcDtb}Opv&jKUVGN3t7tLc4d#rw8v`vSIq>OOk4#*{^~+6+VXGq9kS zy6!+bmP%kpX%EL?^n4T&^nRlva6=6uzu1{JFWlMh;C;?UGqbq3%&z5l0owpVhjxe~ zswoKoW_&oxjmR8f8)sVPPa|WLF!F_H(%b<_2AYGQmo{iG#^L!p^))tsEJrcgY2Eq& z54A@STNi=5xX6Vu1xr1pGiDGKv{jAYAgHeJ4it^ysE3Y6+(pk?_OaHD;RT-{$)(ck zbX@Lmj3DPv?X;giV_Sd;L_^Lq@=-hqdZRIS%!?4xirhaS2uc~tSdrib0cjAn7cWRk z0t)0bUdDX1UVcfe&=e+0_MJ`$1GO5dE8!+x>}OAu0h5RaF-Tlr(^80-Svb+Nw5#Tz z@y*MvT(ogeXh$4E+R&#_t1k;t27Tyn+1ae`;M{fMI1Ck6tg&H2J5IEAoAi|Q80Xe-{s%M<%cv8MtOpSL+Vst`(+)T&gD8z&e6-iD?MnGV2mf~1 z|U{&R8{~8}O9WR<6chdZpHW|~gOfJ2=2_#GZIo#y+!G&bw zX#K9I7Ma}V*y~!P$IkdtBEaB&1_p_VJ}8$Ft)aXN6=`rGX)E)jRAD_$wi0=bJ5;~z zgc4?8)5gw}S!X#bWfPa6S$;%aNl9t`a_Yd9g&E~@H+lR9-Hzt*+}L+05G57Wn;{*> zr?THW4Sv_xGgF^t)C2yV^+i&GwkD^OD9)XoD`-Oe>dOa52E( zLi2sAKToc$7iv2zJ(W=ey*kud0UQXqYlaN93al4xHe)b?PE=#+q3EGoY1`{hO33Xh1yb5J#}fW3a$Tu>!k z6Uw8O)iZPQvXw>%x3rm+ACJnmTSA^v3QIf_1!tuJF{pUi)s-AoPK|fHDwF013sm=> zbYBkz^*6{DWQyYm`8xEpxS+1-JqQQ(>do1$XR!uyRhJ%1f!O2_{c#Q>S_uv?Ob#u5K7LGTMqCzl?pXT`lhz|;HO*4NwHeld$ac5YpMq#2ELEFh z(J5Ag==c3lU@{N!QjFV(^o zp6Cj6n&Qe$#$fj3s?;zqGcUZfCv?fyc7vyk{1A_c^iCI1ePeHoI!A|ClJ((-apLbE zv(-(T_u|i&wlu!k9)6Sl;;yc~-vo}N%GJ1D5kKn%Mn53#ZE>3wwqiH)4Gke11TqF1;QTP`*JT7h6eQIZIHuT0xvu+tI3+jFQNzD(~X z4(ShU9p6tZzWo{8Z||8s61j8Tc~$NTicP!8V|COR6bo1zf?NF^$U_%94?l_uow|nM z)XO(ICb=4$q)_eEL!N7i&k~^D`__{C%W2PthWpEETQK8`_TI0pA-YpZH$C)mnX&BS zkz+xsWC)AmxBL4EUx^|t_`6|s`>=qa(=`;S1=`k8qP=*~m$N815&JQNbMzW%^?pZ) zZ1ItYx7P`!xo!02IxE|$)~mU^hTw!77A>dm<=+^atsj$RcX`rD(Np%+^_ z@_kwm)OMbK82Oer{UNytVrBe@r<#rv)dI@BLz=q=|0X%>(}Ja(Li zv!$Tv-7~Q{HQXg12fZA-C3?vOw*}gEe?O`f?k``*-qBK!{fJB0EsMr0mgRzgw?S0T z#!44uv6W$7P5_SvBU8cL^W^y^m`frjOP8-sp{s|2oW{a{y8@!J>bh7kERZ>IDR!wGtG47(e^|mKaZ{sL8BdPSG%b*~_`4|s3%3n=q)5=7qd4eCtAh_g^ z#%Qo^K$DI|3ghC2{!iH((}W*3Q;g$pvx{lgOyqJF)*puJv8C+Pl$gPyy7*NuPl(4&|zp$gXa)CQKa>y2U7iuDM zgEDaf>}|C1F>Sis^Q_T>A&_!cqd}nn6{ohZx7MwQr_DSe-B+(Q6~9tg?TC6sSIQw4 
zZtlgnDL~n>%N&kvg>#LVTCS%gaGKI=thH3Z+LC-I6?A7Dr59 z0FZ=yGX^=)8;1BvdbY4zhxhVOP^M;~z1HqL8-wL89}8(a=snY{b!`CyXl=32K!0xR zXyQ4R5;A`|iK*r4BIPzn=*vz#1H_w_*HNZ{B?_FgCn2JOb!6Q8oB`QWwzL(ITx8gX zMq!cKWadeGnf_uZ-+2UVJ?#7yY2N2(4h5`cH?LlE^z-i2#TQ}#7iB_p(dq~c7fPY{ zpFDmp3HMvXCf-;>*Fa$>^82cDR3|CwNNOuuyMe_$>-;%`@`-X`6mCApcWKrT)H-A9Uwv7K8Jo6M7j@e8Q6c{oKi zc7*ss&+lNfB)6KFGPj6sE|%EQOz_;|Y2RnV*SD2W*SGvHA6^lb`U*`+^U>}J>876L zRQt`D_8;A77VgCl-hA-M2rx&>oRbV_l-?t{ngf+32`*)t5J~R1&vQFiQ&Hyp1eD|$ zBQSMK0*}%Vz;X~(L=O8ydZ}(3>3QwmYzZ{rZZ(nc9GuunReUazxJ`mQkqpn>)rSUy z3Hup{B0#~P z2R|xwcK@*u4T?j$;8o{Y!!G?}AsX~A3(>rjYe)>F3+xQvf&!on*jE&2N7_T*b~FIa z>_EGbVJ>zks~Qk$mXT7ae?sa0OI&=+E>c1$;BN0%O1L)q2;zTdcBy4u>&!3Bqr@>X z+x&!@ypX9FGkSCG$S6+1x~btS|14cL!HMK%`)d7?P5hj!tFB15H(+Dx+S!Q$7yN_} zQ+@REqVzd1`u8wP4dSfFKIvf-_q-Vs?#AyVdu&4>yBFvr^M+wM(VKXPIhKO|Ke(QH zzrPHIS06gt@mM=12!k{*#xqdT`pGoV=MDpXO+*a_-TUb(wEjk-!1?{(u>A9RipjC# zd)Xs_+CCJiC(^kP%q=PCVI7===4;aiiyN~xW-X^+yK~PtRPm7P5H4MpP4CVdZi%&Y z`}|M)UlFbU>HEhSfE!YrXB&gAb$dv;8lits$p(_agO2bkS5mOutZfTB7;6n@oZM@6 zu{*jLM*rx_&aMP$C0cEiZ?1SCIKO|;o(`SyUb|?j=Qef%synh@jtE@Is{R#HhHllz z!X_P--Kz3WW}*Z_sa=>Z2IcCv$GvN>BVB&#NNGp1^1)ilYzbs0Tj_y+)v381(}GCn z+pYL14cKi#-HcZLPAPryZ<;mXzvetP2Ja=t#q{ep)!6!@p=l5v7;*0LT?n*(`*Aol z{==v)oT}|2E`MfDv*%j-kb&MnaL#XoG}RLKN1O*mr_8megP{thXS`*)9_4HtcBYnp z-D(~BR(zjHe(26s)qsP%4GCB%vb$F;wMG!BW^#=ebTgr&A05p zZ4UoI$0IcHwd;qk?ynw!EA3^z^w3Jv9#CWnz5=&ZN1wG_3g>V}3I32X)Q_GkAwkSC zY?Bu1#7|Lp&6m@Wm36*^c1=^CzrQuj>Gi_dG;jYk1w5R9q!#wlv_AHVy{fr{#xywR zfsR*R3r7ZJ7c^|XCSqTbXPm~YKED1-4}f#d_)BwJMD!Q3T@&zcj!-1Yx^0I=0+{dL zcaI6xM@+d6@O`EOeT)7G+5RxAY$7-~wQJi0w|aLnKfRp$aus1zx3ufmlyofZN&Ap= zJFQLGhr}e#gr^UP#4WK`gk0)nFtP8Ax_)+zTSg3fCO|L+6RL`*jZF=dNmuusU#LY~ zSDT#Q+byU6^Q8-t?GKOvu@auBwsYtD!nY%!3!YEp4SK9Ou~8ws{u!Kxq(Z4uhV%68 zlwFVqWq%TxZo4~bY!dzH;r*viOg>KN4x%&$PT_|a8jvg{1JBgvUt>b9c=I&K5vrUO z8!Z34`7GJ@wuq!4Xv6k?$~7BK&L+3Di=xKj487m}k|{HS!P!Vkw2F5qJX7n?$gI3} zx!PB6SIJfL`L#%$&9@W&@kv0AgEE#DAv7x?9C8R0I2eiwi>Xhgc%{As)(jez6w18)7g|&f3QMUfHSD8z*tEIc7MY$w{u;y<5KA=?dd{@Z)j$ 
zQlh4s&pP&D9g0X$a2-2jNHZEp-_yHPA{>O2g&GS6RMs4=2S86I7P{Z!PaXx$9j%`) zs-9GT%&c2KIe~u-U#?3Oo@bSl+423ns9*rOpz@z%78b7anAaTEu4vcM1L>ExG0}M! zGCxyf{JT-zb??C)#Uqo%@@)EB?Dfqoyf2A;kPg6t@O~S>b6Y3vRING$br$(WfK2=E zq1=Aptk4+wKjf3NugA_xaW?M1#=vbA@7ExNmPiuh!)c-by8A2J2f!b5dos1Mw6HdaF5(()Sq z5E3AhbbO!4jLiC%vNMw_b8KV!P9&SMnmMm8y*U#oPY5IA4(SHw)u6pDnIzjgXT6l? zEP=ClV4CACIKtH7m7b%jnHH@21f)asX*uzpI?aAc3YaEl)Z);hOMN2#zE@E-n)L&i zLmdK6HT4dwaxJ^u6W)wC3Yc+ytNgQGAF+w)<@Y}jQV)6lQ4oAE$}i%e0Qeh15gCHE z`d6>t2=C1~j6p#(b>ry%afG`bqO-LQ6QV+o>Lqn(xIzz}t?5lEty~Se_OXrG*wF-w zZN)zwH39^HbzrrMny9830HnB!uTHp;7L#zv*YXVuZnMEewVW{xikU!2SZ-Cr3Rqmu za=5X|iJ+LXVBE#)XDQWN%PrKGC}*Fi-8QPb^>X|8cIjKjE2j-EAa1&0dF6A(8jHi|$fZn7B`#gW3ae zwh0WIFg{`*{=v<-IK=t~rq z!jVsMm7CG>i7Y$Wr8tFI{Oq9~KR(9!kOQ=$Ie$b3x9ZUao?PI#(nmLLOMApgBIzXW zMt+8APvwD2(QB^oF5%o~#_2uShwkbQ*1I(`%6rMIES+yp3vw@kF?aOg0X%kuaBxJ~ zWKzG{u)*Ed5b1Lt(p6A+Pj`NCF>s{Ya_fOj!ta|C06%VjQE2iFVnf;memDTHf**k` ziK0s~fZZ+#C|CG^!BwgN1G?XxYeOmzgu>1sd3Vv_N(?S==d*^5Hf8xV zt7Q7-XGm@wJA1cma5?5H<@f#A3loSusdt-9aQewj0CFp=%DqoG3W>#e15{25D98N2 zSbGboIJ$LRx3Lf;cyPBsu;A|QL4v!xyAxc3I|PRy!GZ^Ohu{Qvf?Lq0;S^c_zt+F+ z-TRJv&Nw|rQ_X;`uIid|)|}t-zTfA%+Xbvv?DG5FWGfT-db4Bc6M!fdcTZWK-Ul4Z zlCo!k9}g^iXib4w@~7D)c-erTdIwI)HjFjd3}sF(168XEnY5e6+K?Yw8TXd8gEN|@ z%1bohgheNyR|D)B-fH5WMqdSoEQB`E)As zM105h&Zbk?rBiL7J(L=D0&h2nWakm5=bj~nA4)3VDdJCdvB%ca=XYyKLWw*?%N*LX!X`t#iWS2M^@ zc&ckS^O?P9fiWXE@ijl83$^1WEk3LmpoMCtzyAxY%~^Nf0~&;+TrI|t%|XPIVy8si zp>{59P!|2{@=M3;x=66K=!bssBq>hi44LzMK%>yNMHBY=P1fUqE;886aOLI(>J5r4 zXXz2mNJ9@ff4x6!b@mZq$EvPc(r30j8UEjTDztihmLkbn(nf*&+P<}=m~U1?7p`Xq zE$CC0hMS07uUh))OW~@34km^)iiv+c6mn1K+CPoAO`R6!T?|k?q0ROe$L32PNd5b@ z=mIgu##R)v95j1PwI@9+_?4N;^;s?6-TYKa(M3`*)sCC@;2oYxcQr?g#RsP21nEXgpeiW*wdu~)82VC7HXve~;N z(KDwj7U7~h1?f-weToCQslCVFziIsBbnL^VPbf8Y#u=G?ej1+Zk29vc=5zUK@o5W4 z&B zxGj7U1cn#+BNK4*TF86r4nV&H>U)|Ff*s01JKMgc5 zkQEMc0te{f@^Z*YBEzqP=NYwO%-I4QZEar^-pHZ#E%t1Ukg!{8*AHD78ddXlqG*hP zX%c^+qqs9#;_|X_4*6cuZTQTpmfbYM;>47}B;S9BbwFlljGH2iasJRg{M$Xo#kJH6 
zL;QXsVWJ(=r^Ei%1s6`S5A+Koi!qagWmaJf7Gj*;|5_FJ;1qmG;d28noX z!akh(z{*841MLH&u?(ULin0l5SfIP|>dUOm?5%y}He=ZG!@4z}33tpy-t5Ma{h??2 z!=HV=`TU?1$6&20GI;CA0Zp=C+BBrzk&b>JWDrPIfO$Q#+W6Mz55oJBG17^0C~fdW zOxsDm%;&Q5a&v#}H=^kp0=5Q5eH7-+he0r_{VHOUjzd?-eIpaOaV$$m7;OhM*mcS3 zu!69_vKB64+^&gq~KV-HT@$;yX#Da5}FRjvU0Z{FXmpWnf-&uCe90Hus&6T>uKsumZVY77P7V{opsyZW`;zzs*}MXit$aj2 zZwz@_(HCM~&fzdZ4n zkn)yu9p>#?8aIOkt+g>*8M|x7q*QblIgcUZHWflbj7m}9?9wOk8h1F(8d$Ja09pfQ10_sI+9h})2e z5wA~&n`@+2gguJ^a?6M-XU-CP7PN9T?>~=#;FeCk!S9#wpe`jWp9-3O9JEdROBqtH z8SW>ZE0mn~t0U(=7uBVn?}s0?*ibrMeGX>HJSUHSpuT$az0!J)62;@932mg)hn%)A z-dQo4S+Yb zP(ROelP@e;$_DHoUfCw@Jke@TXBP#=PG`g)#j|D}1xqE424e*#7tuPjc#$ zUDaWM<)^no+nI-UC>cjxkul6Vj|4eCv^;lCqyL*bO#M=%6bq~vSUx>kKfxd z4X5|4{Bk>}5|-dqe&RT5A(zWI{WbLH2lYeaD?U#h?kA`B{NZaHUI>ALe7O)J=7=@% zS}9dktOke+FUnJoVE)nU6AUeo(wzw`eUF{xQ;zaxt*l3Js?nmsyW*i^ljNz2g2v~r z(?#90pMlu__46WJ8qMAT|3%vGt}jh}QYZcf)nm$OM&O{9JapB&N7(k$?HQ_0UeRBJ zI*~C^qEZ|KBjAJT6|qRGaa`w&oR2&!-98__Iiz_(d6<6ulz(f18aZoEbvMo>K9^j1-6^FYc8pd~XXHJh=}v$5ho7<4yMAfYM)jIbkFb-cyjmpP@pV{JwVyS$ z3*OUR>wB)O3Sc!b34_V>p=O2fu2c$)BZY+*NfEW-m9XGv07G>f?~4F|09q3oT1|KK zcNA%tuX|m^*J7a`qw&wDsR8*?@i?JOBy!yk$NQFylLZJrGN33Vj8W*+j84LsjbAmk+-N*GBG4_lg&{l<2p?H%0c^_y3uE=^l#LLxH(wweTro*LZ=7k*N6IochQE;Y-=C)qbCSl>V$ylisK-nWa=qF{T60u z*T`!@f79|MWEPyh%tC~+`AW*KKUurHrs-1vL7uO^`tNzkrtceUng-Ahe)itB@Ir$= zEQWigIHT1tyOGj#0E7dunamPB|)??UA3Dq{A!HitVrLr^pprcu|10CTUL> zn)Jzkc6i|&=~+wTcj~Fa_FHlOCMK7{gp*5D^N~~svMLOnvzgy}XY^t{j#Z?$a|%ax zCvSLhI+`^VWI5R3F`E->I0+IW#E`GGvm+G-F;hrR@hTWd&AY__%dxKjSbMqC%(^(C zdMZe(HGeXkWhmi#KEX>@ycMNHDTpqWD}@W~^kBH{0)2AxN2BvXy0_Ua2Bm9KFj#B$ zM-2NZUvI-odng04#2JK*+nF{YbH&2Kv4CriS6lKW{i|-uSMusbW9^v>cZfRA!^;cX zDJLYun7)f@k8EiZG&u2jdmg)3{K^A$6(R*8cJ*O)OG1Csb|iJ((upI2L}~svq3`$- zn33oYJmWsjeX{#07~3 zoGhoS|gX|(W zkB$A(k8O4XmQ@}b3lO4YOpD`tS=T<qy%5y6Uc-az6(Rb>LzZLiI`7TkWy#A7k#}M~Vq|aGl1LY;2;%VZ6=&^-+$vv$gDa zI`Y`S(1do}70dvlJw%6%O&AwS@!_64SD(D`LNxmW0x1RE{0yYN9NaX>c-5wTi_%yY z$19vLmqh*YRMh-kqN3vjmDJ9!86DEZkH@7$CJi2!i;DInR$9dlPXrX~m&$O;I8VWO 
z<4K+Yxdfq%?}d@$apXF1!bGg+;kXv3yLZT5@Y=vM#bIpm6RsF<8I1t?`%!k% zsJu4DDV&WXNhrg7^$qR=-c-s#UdCJj?Cgcg%`QJ&=Ma6fU?$xnTTabP;g z&HlgOwP===2b)w|bt+~}17=;Zf+3dDX!HyUjElHbs4*QOAakiz+V&cG(J!@Em&F|~ zlAEY`=CkY*!H~_1M@Y3Hzq0Hxh#vD1XhmdTT`^~c1t6$AA*cS)Lg3Pa50`)-@rjQZ zwV#jJqj#Qe3)&MlJKW;l$73HO+n=!s_8QfH>C;}L4YQuGV5^D^)*`C3CfXud1)He< z)peJX3oKlj^dVrJTlbI|rQ8QxZokk7!vW5fES16%#P$=df5-h+NB^hdv9Xer9Wh4Z z>+5)`RPLA4!c?+d<@7anLqE^UxUFVf5hR5%ew=GW>*R#q6CeFjot?DS_-YX(7b`rY zdR@?@??n`I5Tuw-Gw#lhM0TvwqATpi=5P%)`hhN5_8_f+4`-_mFbI#T=b`=brj38wD?@YL>!l>k08g*S38QAhg zQvAWv6Fop4O#uL?{R_6`)9%o`{-&Z$_ke2L95*_@J_W=?|Kbz7?Z6$H17-<@rJAki z``3kZT_jT;SVJT4=L$k1z#=${KFa}dUIX}5WCRFD;wZYkwWq`eS}ig?1MHu`U3~vm ztY8e#Xo!Au05*kG%P?iw;5_Q|X0AS<7p>N}rdPtDPx6_IoTPJXkGrsk@6xI~;??a= zxG-2yj}BIQKp^_$9M_Zks|=IT>($SO^S>TQm|=aFTb$|{=U4OkTPlpSNR-iHMBSf#lN5!^s&tq7Y+HK*@r5#tjaGR&Z6vBmSN($$I)H zg7aQXLYc6C;u*#?RR_yok7zI8;cKjB-&WBV1`7H{RjvtuK$Ltq5oxCoJdnZhBFXb} z9XJ}ty>X)DcIV7L;;Fww@A=$DQ$3qNnmAHg=E*}yOu2r+Jo`%k!KKpo#kMz!)bi0X zqx19gC$8}S^PuGm;zpadM}ppQ-Y?sA!tmj9AR6>FE&Y>$OdfHVb`{yDLeMRFIbJ@+ zKKOhr;yUlYHh&*Fe+C5Fdw2zh0j8C@&gb-+gz!x7J6e{%DYrr&)AH6E^89rl=L!Dl z52Sw`XFfOMc308UZ#u*5qKl44ghz6>_*=WLXMVV6f{!XDaa6^In0kG*OCu#iGmMVJ zydf$e4*7;D;DR9a{GvPrLd+OBZq*rtI)i{1kQoCg2 znIE#-ZUN@Q^F3@HTF9q+h(=9r{oo;4>8Bdz4@(HW*rC#?oIo)ENjXZnxqNY7v z7pUMgA8hsj2cYi7x0VH$JE|;YtH5VZUKV!B3fKaPk-r?}VrB!Q%yGgOhlB)bI9oS{ z{OV9&Dlp@G&x7xAdUYc-}T0L4z49x)wv&{~teUxP={}ro+(OT9m%e1@FQ+DE3L5 z#m^Dqe!B$`e$X{Xdc0Be3lseM;Eeou=R|mS#M6$Chw|;W7+(%bl4g-X93}||)Q;zO z$BVd#jCs}%OBS^m97Lu46Dq+^9o5_^R?0!@H#qI7jLFM^^Tkog=0UNseV-K> zna|r>kRmI;@_(^G8%d!V+i2kRm)VWTS5i8OC06!-cQs&}Q4UyV@z0|-GR$#f1s=J+ zQ*=AL>S;Q7#CRIHkeuAali1F8s0)kT82&MD;pmU&au)%A4WQ4+xH02$(VvTLGH9aW zcy4yw*#gTpI_o!E?9S|X_Nn2s0@oDQey11*CC8MO2 ze=Fc6bo)3^SZQs>E}+msNob6g{{HU)3)r%?(4%}1emabNgWkA}9^Dnx5g8+{BSx96 zON<1Piini((7Lc?R$^NIS+u)pSUeJB8)vrm3T zdD~?^e5VOWfY`q=Lz9L|bt3~ypvdjCMR`{pvX+2g)AlKlK5%;(HN;^VIJsF{od%tF zZ2TdhIh^sItsCX}40_sNjJ!L(E#92}$Hs;}`4xMLJN1#}Ug_aO9oqW@Xj#x%!A{NX 
z$S+AKkbj#`U+{>c+!{2YAHuVH(ASjVip^N1HRz2;3c&wqS{&hv#qvOw9{UoJ05sDHWe)Oa|?MX1m+8QT+A-<;}S zbI&XxRdq!5_DqC}j=U}~x6O#H|G0D#GGCSdP@B3t4a^XxOvNN6!*Zz+OBJ5exqB_S z9?n6fZD+{>&O$D|!R44W9n1cCeSe}K9Bqwu&t*h!Pux4ANbC{mYb~xF{solvKPLuK z)pbPV_jIPj?wT9}DM>SQo`Br!&6o?z;etK~VIG?i17DgX{=PnJnR0KNDDTdT*?!;n zM=UHz!f3fOaz70_9epcX9rVVz*_AVk0W9K78%YPB+rFG`?g{Lc14o{)-0TcLA=qfP zeAQ0a6pP9Th`h8L-u*iVX$>HI<%z#tJ=d&wdCu1K# zoJXFIpkV_hSk=U)@~pb3`R5_@f9ks{s9R0k7eoiz1|`q zJFC8j0ttm37eDyh2bGkvF`63!f0hQ2quF<2R?|EZL8V_!f6>zPN-357x)^dd}q3*GX_gA8Tyz1zyv4z2gW1fJdyL@J6{bG{;iwg4#gN%>( zQ_E~MYa}B6S=YG=fRBvbwLbSji(q*AOEa+;=3m7G7k~p^pG=c{_{tofF-#o%;W|&W zv9QMt6MJc0RZWrNUtrX7X>A!hXzRl{SG(gTmCLjDavK}}0m1B0 zueF>g%>qFAmODWbpZy;oy7qqpL^1sRfAsqPZ!*wElrTI|nyh{yjIlbX8IG_5QcGME zvnP+kV^LdwSj00l9Bh|R!ZB}oH#Rek_wAl^_)O(FV)N#FG@7U}$}5;XWq>gAC1v?- zQp-hfRe>t)n_Gf}#qTAJI4rbBWnT{J6@`!##buXVtz|x#8%l|C(q5^CPQZ`~)X+1I z)O0JQV*YS!I*@VfR;}>-rm6ep`2Xz{{0I0{x%%(GC*uDEJ`?|E@EIG8Rb_*o!HMke z|I)Ybke6`)5$D;Z7=o#gd;Y^~>|IpoJb4W&kdvvc`=(O%Myt)f$_Y@?W#}TkVayjh z+1g}Rs6X~_bttLyM;=!g|G#D{WE!owDc65uEOBZ$j*)P>40y`h1u~=1?hB{g?g^Gl zkA`2=pX`-6siu>?y6QJY)Z|ds?Ae+*$F}OdDw0bDnv|6q*&SQaw%%{LF)6~ zZjs9rW~Ry)c}yC1fj1qKdLl6u{I3{8eQT>vz~BJPu%b*gwDH~vu*%j@MixHUiqBdYFKodM-Yq}is{a)8NW#;3&iKKBp z+-`7$%@H8a<=NUtcEXe!HmWrh>#DxihFg3g=5jWi8yFuofF5 zZ3!%>T&>^e!*YSJ*}J}V4*(mkG2_3m0fk70#bp7~h!1>xA8HonR_)*MEs|Qj1v`>a zsp)XyFKwF^(71sH`fiZ!!`}1i?aGZX6xJ~bdnZ?)ZsCg6tceoz!}Y#Aw8MhN=0!W! 
zwbyOFi1Yai<4u9#Q`fsENkd5veO?~LgnhB1`i8t@1SnSRNS6i#q7T?n00Uvu+OvVM zAEk%8JRnptOzBJ&xtbXR?sE{-xc+NkXss!UfkXVZwZUBnJ%qN@C@52E&rvOk`A%tE z(i{K1PaS;7!MsxrkRz5UX-h4p>&9;uy0iy~B=j}JKtH@thIh;(diEO*mC6Q~H6AR3 zd2{;rnknSH1c~?7QOI!%!L2UeL)u#$srcXv3?yL3KlJrvH?wtKgsXo4TFqe>LPZ3k zuQqY%_WKEz*3$pU>1Vo4rrus^8+Jum?H`L}fNn?p-46D=*Ul^C+bLiqidgK60KeUa zq;uNC=`c2}i$InDATOD|){~?k2>EVXf29^P`5Y28=hOk|xT>+0#RB5m9dJT_X&us4 z*l~5%2Y9bup3)!}1kb@~WQ3$(h-4v;w!u)qg4*Mv|%P1TyV}L+7n=bXuEv;D0K)NxejVIWKv26BIXFI3adE zWioG<8W*(fvWzpH#xANLV?db z^6a1a|5cuHzs8YjyzicvxT=REe6i4CmXK3c$>e(63kvibWdl0jL8pC#D2V*-X`^J7 z0S?~CKmi(vKPN)%;7SB)BG6Ep_viA=tp$qZ3azeztTF=+DwG4vXd8-xk-$3jxVw+& zy6@zd^{-`2r0x4EUfSI@6&BG%Vm{f=U_VnuL^x&desM$XBO0BycO~<;qn6AUezn<= zpy=UWz&+3$c9bCGJ}ptg*JKY?#%67$EMTJFLe)AnQDt1x=>Q|`s%poJQCz7~Sz%5E zovfmVn^x*g{ng%!zWOGmXsQM5Hx=bPHxhf!S(iRKuOEgM@!{%F;XM3;AgyR{JL z9x9IFl6HdyLg8h*;rafR##!U6od-;9@tG^W0{Qjj=8%FZS5c=`8U8ini2rr`KOJ$` z{XY4Y^6xWwWoivL)k{9w^goliAY1B0o^aEd7(k6(`r^_5`b2=H@^?GVL#nU@^1_0L z5Jlckk+Ah2>q%@FWSLGCJNXm2!qF}xQD&tgoLe@q!znXP#V&9o4B*Vs{_q1ZpiKia~%+F5GE&*-)QNZoQiychqv`>wo+_2Noi!gm9-TGL9C+THC zvwcrviU39KJodhL$!;PHVeF7@WaR?U3mb>2=`g~gpAogUqy`QoX!`4i$AWQ3LL{J1g4 zJyCtRIQdT!SzE%Q*R*HqiW@q9-{Ncwo$PDmuI<-g8}(lyr?E(%@C6DoFjKblDx9R; z(lkVd)$vD;5snocJaCouw&*wuN$~iXT9vYqLZuR11t|Zzb874@xLZXIz-1NdzUtei zzbG4!clSI2(KuMCBRAMP(UW1|dLVbu;oaNI$lkokyZfvOi$X1Vl@SsdmPEFy5Sqk+ z@I(ZvX}5#8qtBBi@w-qliW1BWWIg)VUhWbud(vv@Q*I@B<2!PGamXW`y}Lrb;rU|A zvX)bW(3}`6vIf{DP9P#!ui*Ti-n~-}dCs z`D){z$UXFHxFZCd-(1@oPJ0t_r4C#QR)2MM*+Y1ki*Q~cXR*)Htd-l%?NvTkq$6q| zeVne}rHV_rgV5odCdJ6FXHj0fyyUuRg{#vTm_ z=*J~1O@5Vk%Jg(NL7i=$Dk+M4WA7l}b!>kO3u*=VrCv=1Zs<*voWS#Vn+3K~UU{0? 
zh@6;I`{?IdzwP!i5|i!muZQQh7PC`p2XvgrnL>PVFf-2IxybkOW zN6=j*ysTbirO9P@rVhpSf6b@E*@^ zjOxwLWRLlo7r9f0V^sdOue}&{4o7|GV{T$-OXg0Q2t-YjGk?KZ89jc$`_y-zZG<YzC4kzof7sc7Cxh59<#baIsIi1FDsW^k2UnO=I z`toHcw0~4_@5QiL^c88jh+faAXZw7+jN#CX%;mz0j`X^e?AYxj>c^v)7DlMmRQ%HE zGUFw4kT31^=SkF45RTQ9JRXocHU0jWS>}09ct-wx1*JBu-yz*KzpwX?>stjjA!JpO z3roB6Lt8RJtQbMQmOQ7_Y})^sgQwm&|l-*2Hz->m1k5yd*q3ysMg@ z`fALGmp0azHk})Y6T?$dJKQ*ZLX_lkG0>GpJw8$8C%@z8hl~zLNlR;fOo83Ey+7+g zHD0}$Ro91mwtanjwtdZI6uo)|FiJDP@TebTuJLT~BK+j#c+2LHqDdn5JF5afO~q8U zfAbD;^O>j~(@ihbgYG{LF9s?&+nu5&u6#Y?=VF3d_@g@HT4unH{QBJ<0#1jgM@ZVW zCs18h{I%Ke2?_OsO{1vlvL0F@Zl_&3;8fmTNtPP=7T z5b!@NZpX`gq(HHne?KO9stdcQm`m!c=M`*xJ?ZS0TLW*ZbPVJEQ}PF}?GR~vTTdVc zl;|>EXqJa_zD@3@?dT?p_115)Wjt@srk^@1C;Uwe;g(0P~}VS~TNUdvP6*&wY7E zEK}2(kg^UTQ1(Zl!$(t=Vofld=^?dpeGT3(Al{Uh;NRy2E+gntCN&Ih-= zeL~53XbfVmXWBbv^to`8YXQ!yLKaBx)ix#nZ-m5dH#Db%;reJsJTH(Aj}~UF(b@5( zHNd{LP#^`XF~C35_hU`-QzwbfxwBLxuo78}s_i)H&e?(Ts^0Is5$udz8`q3^4&7B) z=RAoF%lx~_o<&buwqB0lZ{OW-9%@f4U@Qo#`I(6swxXHYjO}jc-&%mP?P<;5D-f)u zJ;9!w4z3^=gxK?m>6{H-<7pba2l;5piLM-ozT|oBxxbn{3IqhN+#b$k@r2^D)_(R` zgIsYoM5WvB%XbOjwA;f~HmOAgI|Gy6K1|?h|HDxtR+r5H`29}y`4Y?o`<7=0(lRsp zm+b}nam)nzkS-NJ*>2W9`RzMTINdX5-S-Gejz8Vv=E(U+1EW)Cd%NH}`0%W2**glM zwbRr!QEI0%uSva!||6?7WbFH(B7t;aEay-^k;`UNt8-$`j;zK!`8^ zZvE-DE!EN6ndK2|9~9PLbd>=`@#o@#tjXnLlpV=zY>5|n@Tb}Q2|C28g1<2{$#~W~f?-Q!*=|36|dPEAJ zGXe<3v^dxAX5`lGI@Mu!mf?2pw0I+;p>FC(gpi|eU;_z#UTaEMbcN)A>S!jqz*)=S z7eRW5_3CeTmh(^kYA|9768#b)H!uOMz6)V=9{w*of4tV|5@^lFF~$66-{J_T8q&Ex zw)aOeF~e_k_n}4LZBH^;+;tt@=xc(rfj)cUPZM71rGHHA^>|o0Et256*UN&Kre^4x zdI6ASuk$~7QY2o4TCC+#%LE`dc+W+j1wk{J{&2`3-)P4YP zJfF_d?Ws6FuU;yCxL23Dzp6STK|%t`$@#N&{JPx5I_}|Y^{4z=!}hTQn7cpLy_1vX zYk`FN1$0b43EaNg{$0Om4|Y2HV$WLl&#Py0HJUEV%febi!HU_~Kj3(ng0FKwh0_tt zxgo&dr?>m3XzcR`Oj>;d2HnrZCiny@ zXJJo=B=iHcDGM(jcRNXPPZpmqFHX}Uz^H6ZZcf(*4)rG@n^x?L1$ttubh-|~*UbMx z1%a*AS@09X2`QInvNZ7i*ITjYLoPUv^!7zdB0wSdhF1R_#FLdM#%Z9*S@X@p(o>u4zK6^ z`uWLex2lmY0n8C}d~rVauQfW_8I__4gka8YaZPrp4lEh;&YMZgZ-_0-dm_Fe947!K 
z2u%&8RQBlafSJIAz;#NMuR?bH%ElVS#M9kZl+U(XaV=&?BtD@x;<<+nmyYVpMfHSt z-c}p>`=P&Q1?Hs*-65ne4t9$8E%X^KZjKu68WHbPIeohS@J?8gSD z5q4Yjd8>U3-WQ8>HEMpF3M1kKiX4FwMfH5&tw&36!tR=7u>LAjHu-!?OhxUuvkifj zOX1on20_#mMD6|R4sVU)!C`Xu#hW6=)Qnj4@|Q;woH1M*`l^@%&#S;Qv_MlUY^C4y zr}2F;@=F0xy6aXi_VDR%EKdvKKvl<#^{l4PSGRzNFItwQgQ-b6_ZnC0J2D*6RJcA+mf^EQW5$mQK> z@$pr1-*R`AEBNI2M<*nvYgo)Y6_MU_Ez2}U|GFEI5|Pf>S$ua6%>2eU`$oTT(MLTjRm>ZGW8zTQ$NnN4hDvDZ7<*vF;arci5%hLf~pdDl^EX zEIa5?uip&s|KX_W74e&E1ZijOUdXH*V$NB)*CkW>>{oi<4(4g4K6>P~-}2R;yDmII zb^6lQvB};Wu^02RGS&=?GV)y7CTrA}o<1c@DlrWL8#*aRpaDOur2&0sOrVC0l0&QU z54P(#-H2LAsw>A4F6NG^z8f9xMTuFtpaVUF!lIe;Hd|uvMGw1IW|y;9T}dnI0|D3g zRC$|&e$h0G?6WQq$M*iP6kJyQrNjFfM>Bk!(f68-+pO|&T2^B@^=fW8w!Za)OxFD` zz1~-R;=H_)C6erNv{1p|jI>r8=Q@EHd5 ze8te00`E!kekO+_@ru3)yqePdZ0m;iLJOhJk8EUsmX(|mEIj5^Z3b70r+N=ryarmI zyC1gS=tf+Pt;HRC&8K2|ddRX!gV@414WiDSIQnu`of4_n*^Q!0yt@HIn%f8v6E6iX zyl)XHAB>n^v-6(-QP@d!|^Cne0#3H?7O1qw~zT9aUnIf z-D)(+vD8fLRQ|}#g*Y1FP6$c4WjYdOB9p1mHoU8nEOaaX3b7p{pOQs=u|}a_JiUl> zU8Tq(bFqougmZM-*=gLF47%CIG(;8@abBd}#@Ckb63ha*i<9&9#A1JbZ3%u1T>YZb z?J9O83%;@VkyWi<$PxoMzr?r|)R>=UiLr2oh2o<(^{U>!>%X zYmF#`H7yj7Vv&~JZ zCO7pi^%6VqD)aiLWt&MXs;jBM;CR3#>0F=}pg3;h7UqZq&{VU;HfA*N;44{;?s9a$RtKPrAzgw#)WD za1^(H9Xfjb3#vfLe2+$@<|%P9y{*zf^PQg-LXO`(ZKxka5fq@^i1n~^+jPFr5%Z#h zG$!UT>ip*RmI3+UKplkrV`=(wdGWi}znmTD`@&S9g?5HlORRd4v_Yjnbc>HyCGew| zN2s~T8?CS}8*8PexLI-{xuRJnpCyw?nsQA^bQChh^?F@(%p58WF;+Y+CDh(WxcT1% zjp0tk?qu}jHPGf75MV1%cYT7@u^SCOHE@6X(eK<@ zPrHP$12mgk-3Xdj^AC@bLYiiSHBPAQA49&ulFHi-gg}EJ?(v+Id~f8+F<0=UX}XME ztZiQ|!z^1~zNe%C0OGG+(1i$HBn%q#F@{Sumiwo9 zZRZx(OC9~q+FKhW8MDMH16o6mSkt&Ct=#bLddlybOzJ3J+szYZ;M5YwPlF}5Iyhij zO`G*B_8Pon7mpj?W55+%NTa*pHaRGc z3kpfNQ$}no4I5x7ziRk-%JYd`R_hJF1ul(`!<5#Z41$7$d0~(7A~mtReGviXa1l6h zJtnE>9dnc&<;F*JN}0aWpdnC#W0?ro+;}iePA^tQRo4s(R$(r}Caga+<6*ia&{U-} z!<+^lElwD^J&(U(A~qmE;)4^|zPOF8XZfQLH{NmIk&Hq~g(el>6mV$T!y=mnUl9H4F~j>xy+=16EgXB=WST_OVJ zyD@m15j{^c<(N+}5m<@G7G*2WqR@ObDtP5<^1B)BNa;ov#jNi&(3bCD1H+FwFoXC5 
z0|$gw&4fC9?e&o4B!oRsn(s2l(xu3m4a}n1FLBkVx0Dj9I==GL!YHG~Vj? z0${0Ok#~OEB6CK2l(l1+m)y!~axGwM*$wA;Bw>y{4(SBvYWaj-(i9aznGy?oXe$k? zXxM&O-=pO#t83|PmK2Oan-SZH!12GJ#=V&L;FZ!a2DI39l6EA-m0dgZtKu~h-kUnV z=EI((fx`+6nS~E|^R%R&8AQjGNG|n1km9I`FwWWE2rU{uj8a}(tJ$+Mb{8aL70r^; z(jrjV6L#*O`rx?wKjI9IfXmJoti{1UE_&4J9;#ngy*_3=zG^6@!OOb6UYckb zqO+Tp;S2zRG;^HnDsKStfcziwfV5LF>eLvVE;hChtiy-kKgFxKt|(h4==Y>s?~^*7 zjQgk&>LFF!DZ^4&Cw+SgTCiJD^BvuPqWZm#3L*ujuM#D~#qPfuW=6{m)TH?`y6e6+ z8xxKZbrV@;q6P5a`Tg1@1m=7zmJw$=g2L{xZUmVQ!b^NVTnRiy)PlXM?$?$d#saRj z4A+_CQmv-H3~_y6{gQHh0OB)MuwK#tQ>Hv34|ruQqzx?cm5s+1$SikKwW@7$_cToI zb8&P>o2#HQyFyVnY0({{qbk5tOK~*cn}rNFjaEuH(I0UIQ>e22 z6CE7V>-Zo8h0`3gB~AoQ@|sr39v##=mXGAI*lft2ka?{CZQK$a9Z~q-;g*q;{{gp9 z{D0yW{UdA4wx8X$eIZ{dqHH)Tj2H<|t2-(+s$$>wzat-t3#f)Fj)QAWeW;^hRa&skXqC$DWSn^?~Y zj8~{Y{cB5&KsfxR*$;j;`*Bh(L8PZ``i!2hpD;b%#V%Lm743sS03~@>(X!deD4PGo zxcQJ7tZY*wxB5bMxO7G?vgFMnJ1|C2nCO)z&PDQSpp4PBh`o-bE};B;T_rKnOY>tc zzxfijnO9|Y$oH6|?!pLIU=4c5*&Ojwnn{`z_9R~8u3&2Isc`sSDIMjJ>-iE`@xC>oD3A8P;~+NyN8hg_r8Z;P6n%FaC|cJ-lqtt) zGrV!+QqGGebmT8nVrq?nzsReUU`}1BX^_@2?^n%umt_Htr@D9vGEpUlVN6NRtc8+j z)4D6AH`#f)gA2A&vgIxANgh;@wal24-M8)&H_Nc0Ik>8k8BCiQ_Qwv*2}b>CKNH0P zIVHzS=y&@wC-y#q&}Bz-_R5Baw3Oxi2-db3LN zl7t8g(}W8G!+phGqpX_9WZVPd;vmdi>>E7oEPsD*uDlB#k@ThFCORbYejudwDyIq-~Tef zqGFXNZ}ZO*^NYQ&k|#KR=_3DApAPsEnA`e=4-T24XCuNah*4JT>M!(@E^DNQvDav`2pYXBbW7P5&Xg+KOEmsR3HAhS1ZE@|4CyEzia6Qv1S=}>jrU4f( zWaT6h`>9DcHkmOG6<#%>w>?$O+mtOBrx}YNRi3ZS+f@}JRYg9Zn@<Q%s-mz0H7#bvW zAUOvy6!m+!&7)?l8sDXUJJV~?HAtSTIFe~y+6Yv}Y<=;G$Z^;Osa8K-QOYQROqTyw z^0v5H>y*}ZrM*avN7z-Z`^1TXgQRvq9P+AdvhC(zQO}Ex5T7C^p zjfi(UtKzAIR9du-KvcN3dg>FY)&w>-_Sx@!m94ezZs=@AdIRB>HU^5_91BczhH`*E zbRFu)R#Z=b1xb2_zK z6m3>Xc3>SR@rU_3p*W2Lt4*@)OT~4|!1>F)6l~d0@Yy zJyyG6r|Vf>b_EPw15hAKY1}DRLXq(byTi48RdSTPox9#W27#0m5b7>jTTvs$E#Yqr zmtwaroeak3+oxz|knM3tR1?bjH(SBJo-Jr-ZRL=8IbXt*K1uTRo~5poOh`Q z&ZqLiLqCwu=IFSRnN2-)>8mU?5r3S&wA*M!i{0m%6N!C&?-94)<_zv8dh_7H@oi9U zix-z3iI$tDHCE0RnHG|U!P0-cWQ*?PbEx6q$G~Trezsi8MCMNaB9kA36O 
zY+9~-4Lv`}pTbOYCpd7QGH1l&d+`^!4gm3<_HG*L_YvVVX3rJNWYV&;V_KD9X=!O? zeiq8jga20vqKZKu4tI285<2wQ7^PiY$WVN-{OxRPEnIVWH*zVmSA}4kD6u z;3C(8`|miJ!~cVmRnP&`SlH|0&2AaaU=f$=QS$lEL!B6tS{w&`8{f=eQ@xaN8q5s< zoi;741szjgANm#kNGAsR@7 zhJVDKf%xgC|6+b3kHr6@==*m_{I8(n|6=bgqv8s-MO`Flu;8wN-~Td z0Kp|_a19dNU4oO~+R(UbBZ0={Et0eMIcMK<-#br#ym5Psm60)6&|ST1t*ZLwH)s7* zl&81;gYN$MXH}=U%U$4sAMajYpC{}k+5e-W--~jmKWExe{@0-)Gp+wv?Ck%-`~H!> z{@Iqi;=fgY{`tXG|L(T&&kvs0|EI9lKR>vX-M>v{)xTmoEdIE^z03!@fkyS_TA*8I z_WwMsobFF6;(h`roZf(HsqHV*zmJ`4Fln6Jbol;zoiIB}=E$dQ)W$aNnKT@a^RaOs4s_<}fMA)4oK3S+<_GPeID@0lHQjd9+G_dwq{}#W_F{F! zf145cTWvp*_XJ$}bTm1g^~>>CNIh$@r>U^B-oq3;#rg=56#xMC6UuJB z)FOe?YkcCou$1cu6Z6~{%{JS74KbDw72v%(i|`+k?B5zdoY60u4v^SY*w`Rqx7Kl; z7L6mFAI3ZDV6RmggEz*38zxkThKib(sd&D7cTgArM$ zyiW)4ob_%e!<(1)RLLvo`?I}lo#hjjhCX5G!B+g(q38t_M&WUP0w*%(Zn9HL{%cev zGZ^cW^%sk?zRdg!{QyoukpOPx=shB=`5~bzRD6sI7p7#*N4?%9ggzyVdL0B<1xh)i*>pDc%lgkdFQPpZn1OB^(<=d<{c9j2v`$xR-z@1hFETed9*TMk?k9D z&Z6@rG11iP5P;ioFh18q2KwQJ<#Isy8wl=%0qpc7Kl={uNoa8fnY;1jF>o0~h7P#DB83bQdYy%Jo?bU%UycJ)JvxFpAv8CeOBd!A9Uph$or&k=w{ zO}>yD2a5g6)tZZx7oyllI+hAzNA8@+)g~!g2>+;dA^UUY#b2 zc8xxRJRMH*z|IRO=tx>G+apTbc|Kpe@`7n?wKC|wzH6g5>)OyhvZ*sob`8fb$@W32 z=BCv0pZMG5T~%f>HV@EAXBSkCK6lm&mh9x#&93K72iHoi`)-M6N9>&D+AH&cZ-Sk* zYT!w4Rc$E%-5$Us^t{XLmc-tJ6}|KM@i$Fo87V8Eb?*vNyZn8&$5QW4z}#ZsvcdDv zYNPp0%7_LC>785l9>2IvSa1Z*Eqk6N==~IQ;F_2%dGK9oCB)TtpO-T_Qk4zkEUiJ9 z&+oD7R-r*Zn>jnlXo#hSk^og~JWuXja@_q+$@PuvRV9f;e{P;XCNfd}tW){Y$k-k& z^#4s1jx+AVDbCjzh|5(lA`#A^f(s~mn*~1-kX$gs3Vznb+udVQX~fc0cnNB5qai2r zA9R)qs|%4gOzQ&SqYXD8p44yhs&{oh*zw5Pd9M!W`_2sYPYC=XRbegIDP!;xkVjbv zvCFEp<7<3q-R=+%o^)_0z2W_anXzEMzw!mryTf)--E$wag9{{soYi{U*~yc$c4@LZ z5mRuRT`6qztzCb&^9yrEpNLM_Nm z*5MZvl`m&F;hbEb8RZG;Swb=G5sGd zKnyH_@li!XXCjGS4ryGN-(a@hYoz`G1PIWtWX~-?HzeBsf$%cVxv}d?#JayWr_9sKf_%<=&&;9_^1^N8R;2!k{oR_y(mX40b^S^!^ zwGbfMFEkbydH2h+o4s~j&Iq!wU{v{nJa#gST`|EKbVQZ&QiKRt6vU{Fm)#DGG?w_gE#=9`TpTI^5`_V=CmG6gu%JS5gIIvK)AcD- zFtg>^wmt4E?Kz-F4mGq_IS+>b#kl~}g+sN7%k0|T4>uiO|{k_oUm5Yp7ziBzP 
z5N|t0d>(by9-~&r4H_C0S}WsZ1IG-R!>P4_A3CX;VJdRJn}59(M=3iN(!P{#Ke;#x z)qMuTvAJ$^RS}}(I%l>L{DJv_aSqAhx#L|JxuNPS%p@Ilh3~jCNMlbhj9nzdxonv? zyVX%7hh8No2cm`<5&H~u`6Xs{qsh#`xix4^l`%1nlLHYUU~*ro@+zZ-$>}16Njx8~ zF7ra{2n$|FJH3}u&yAKbvJZvnzrx4Nc;PRt;%pY)et9W*N zvS-^YJNz~KWeTiFzV3lHgxAHCD#y43UXs}XN*(un(pqPBQw9YIvBW>nrP?Bbauj$(;(jM8NL3@6^{mryk0BQqRQ!iW~$0#BFF_vBO5pAC)$tATDE z0HAX;nEK`GI+8P=6o`<|vVXc^ue2sEhGsKzuAGl5OUMzE5b@kBcHC#meghaK;nS2* zwWtsnEPpHKdW$=>o@8*wtHg6Z-@<@-=U-ZxV9;qWCRl5i<4m#R_VhQS5boyyC)7o- zW^ceWqXao7bTShq;Nk9uBK4M?M(;W5{0fDmpv4n`bXiGY#6-CkfrGAd@r!5M0pxODyZ)GWN zm!J|G!8Ve3K5Q_Z>_?0S*?7Xl(O6a{OsO%84kcC^jigk z4yv3<8K9XsN;4gM`JNMoRWG`OnCqK-1B*oU^n?7w&l&P^bK%Zg$;SSABgs_x_zx3u z??p3zhzwQN9Z5p(d%EvDEsd^+F>)(I=KzUXXsi3iNGZFNdxtF%wmkY*f%#h*L<#Ud zZv|`)uuN`WCu22rf)q)~%E^iUBtbfXwtL4FAf&ngFuCXP!WHVDhK+-x80&j{Xkg@X zhtI+3E?8MuLHuWeJyC;-CK$4kgm%vp0)#5Y?_y{JXp}sPXpM^LTH>`bd3IJutiJXiB7-J8KRhrvGBbzH*KC~JN)E*mU|DR zdpPb0euzUXFv4~M(XB0~7gpfmLTqfdxYS{|+@tcFC7NjL66{VG7q13KR?sYu6GX?D zKQ5&XB1~6roZRIR({O*ve44z5nXiOxI~HrRk-dm5OsGtO(<{JB)eKN?s9uwuK6ciQ z#J#%j`4Q$?1AlVy!MY2D<#t=)mYS2&<#wWJSIy4a(CToI67ifn2_)TInLJ{muoz`z z`z(w_;hP!=ALSx24^3bUd^uB6(7g}gu4<4KN`6ldyGGX!6MQUFAGN0Cn~D5=sjl#u z-RnPo{rPJy< z_456f1BkMbNCgeTK7%^oBNYz6jC)i35*+r4Ho)u@SewyDK^7(*E!KJZTjXJ)IvXA2 zBiE5RcgfR0bUpQNi~&(zgfG&(S}=o2iU~bA{B!ZEjG|Qv#5)jO(7;g&e0S1Px<{aB zljun1s}lhs{VEo5t45Uvq~zbOYcUj~-}or;ns_M8O%A+1aH`O4P2-T;4(_!3 z^Y=^(ukSES_z$lJf$@ku-i)F1pR*ZfcX`gu%` zf+Lk)c0G;I+ViCahp7|Ux0GljTgkx-B4`(Z{n9r>rkQ#HRs;~2igx=hdTVS?91zb8 zI}nTVT5}crg6aAuqWOJFz2Z7QXW^vin&d((Gq8&cW&UqM$Lg}hwwRy5qov%7K`NKj z#DJy5Zos7p+tZq%bQNqmUcnTpcMv{H4ZYE%Eqj-r^vH~s4I!>sDJHPHS&`y+>Ce>W zhmw>LW#FH8^#BWlCF1_XaBs>;`}^c?8c@MXJn;7O+s>d+{;8cp{5d$R+e;kRd%6`` zibUi2i%@c<4Q<9miP^}PURi(hu&O$)`$1o-p|t0iF{{Qp1TbgB3PyXhOT;4y5DD*% z37@n1Sp)W85n3_6^KW90V11+0J>NrjcL1r|{Yj%Y%Jat<>G$G&$2*Z*j*b_jBF&QV zGHKc$J0phUwBIORk+19eU)|DVa}uc$ zV>MZ5J!d$yAsNw>m6jzRzCWg%yc&<4Svo_8)ySK8oVeI4ne+#>&Cc~Qx8xhtM9)$J z*2m_YLNDPb+)e^lmL5VY2C0XvC9udFdTO$ANhgOSw`|OhJr7koA3^TxO=`5HMT?$+ 
z1saR?JQ$7UYqmkbk!E1uq5(>&>r*;ld?&b`jrkDz>%@kY?`K7CYausG5{3=ywN2@G zY0~_QY?-P*RXD{E6tCKGl5i9mrLY8EJiTZc;tR-kr;icw70dpJZNOv}3HupdB)9^g5 zBG*oi>@SB@63JfUO!LaCQ(*kl+t7#m98E+en~i+wE~hEt5LVK!KK&`J^l$h~5q=gY zwsr3ms@JG@7WVzVm$aer@}7PKI}w9sk6%1}!U>TUstCQsS5p*hWiB*fv$anWqwmf1 zRby3EK+*H(n&b8kLt)UOO-ae21AwNS+<;7&4$mIO2A+@$)unqwbiQY#x}O5qDc0}n z0eU_FD=alfHl>GS*i->15lYh}A(u3=s@wAt*S)ZMIW8B71n~z9MTehgjERCtVoPka ztHha6xSxLg75%(GEF+7iNupdWN0ROHpF0>8Kd!WX#Kb$}nJz0l2H!<0_&D^OVl>BdNMYD6sXz1$;k=uTu`sI)Hue$(9 zl6)t`tGPxYvUz66Lv~ zVc?4g130-`hfW|&;~af` zaL~mJwf~rXx_@bozZLxNTziy(T;NW^Xyo9kI;FQ{YSf*=cPdW?I$BOU_9RE$m)XLd zv-=)?zpqz5K=#$8mjGkU*WWpk@{xb$GL}zbE_*jVCokxAc!}&Myk{E>MgPbl`7VqX*5EWkcq5j`VZnP%2&IG%Q~`rr!` z#<6(2QiC8XD_b}qe6vdf^W$sh-Byw%xTN<_MrA~?zvDBJo1bjsBD{eD?yqQ$4Y7f_ z@RQj4!1B(}iuO-%Bq?A!{eV3vWcT`~&{c$6^jnE{#H$R?_1Tt@&r}|ZjUPkoExeS(DFl{|U6iIS`cvw>?I3dGqe8cu zC{qsWHZQb8#su{bv$JQnD_URN+*}U|rJ#*%;%vM*J;dec;+S-b&bQ%u6wzQ(w>nUpJiwCql!b5Agw<+9R=gVb6Ju zNS=F+<*BRzEe|KBm%6Q`t4!}3eUAwpPwRxWwj}gYF+YaRhHwTnn(+>Q;>y>bu77KZ zD}M}~Ssww&r`L+x;7L+=fIqIqqd2K$T*DHZyMk^I0w2y z&T=cth}3!vqd*=M`xoz1De-xFU zI!4}8CTc?gF>TWlkR*I-qj+`vs_OvM`Uq7VR6y4E3Hs!-v_Hx)^pnL$ z{1I(OS|DT|N|*5Zn+S-5FqM>juQReOcckBm)v#Z8eY^$2dFk-vk}IYf0(Rn$<-~Ci z4)VeP5D*jZmm`)7p@YC%-p2;s+Ynpqv-j@!^RfNDZ`i3j-w>B#?CxwZk0fT|zIQmc zN;y?+;e>t2onO^t@Am}iT*%D8L+?wz7U-hOxzpt|n|RK?%18cREcE|57Wy|`$o#CB zU&KD4{)H?YtA-^J(!VLNNI!tJUR?0={%3BCN>UlaS$}|`nfN#Z4H-Fz^iKRoS3A#4 z$|~DZDh%>GX2ZY~2emleChU(SY~9d5=LohS1;Wyw>H_rPU0O3s2_Siiu4d`cy%kJb zo*W7+=!Q%-ri-7wL5{T=7%*`e;OeRnl5s!bZAN-Gk%(`;K)d@SI69JCj^%hG)Bkk$ z@Fly|JP5k?>W?6oFc6KJk`_fn zSf~@#*|cTV*8cT@LOQ~XW_(R}9rjN6%yi%{%?zLCVJGSDt1%2u;n4{R+Dgo``L1$N z!R2!im-yN6Zt!zi->9s4`m1f{zZ^5Ud#9pNYgM35F@BTOHsK|E*w%C`U@oKw5GNDU zd}0@)5O8n5dHyhH#!UNmK6wEfKJy^K<6f1M^Bm>;3qUPtpM@PVG~(VKST~?)VXE*e zu1=*9%v@qVKikQbatk)}QuTdpVi`*d&-m;3m0GTC-Gu*lqWF^yybVvjXd9Saz>^JA z&;8m3m6HFiF;*Qjvln9Cs3@*wr%@|{x?(#k<4Jcz{c>p_->v_3eq1X*bf$U7ZK6ijE z>sCB)xdMwdb$|u7sJ3k_ei#9$Q(Xtp7psW~@@#9HF{cfslbSx+j25z3)9JpZVIo(A 
z2>=qJP8~xt7WN)q?+m{UtyEwkLIMKD$yx*ezuXp7f6W)!w(m5hN4@|OT)cVk z-6ZUn4w&nfWE2WBsgolLF)2F#7j_wj>-ZcLYfaQsd&B=ityR%5k~@l;sPB#bl?)RB zAI3C?2Ojvg(taREVmptUFO6kUU3ZYbX3%Ylal88z8Nf z*Du#jJ|Ng%!MNXZ`aO*Ad*@e5|34P0I6Xb1x-z)xfi37VxbAn=YFT zeNlb>So|Ld=1hFvG5MCIKI31CscLMTx8e7{ud2=$RtZwX5J|0BrYZ;i2=d&tk8Tgv zFkEH7OX;Dafj7bakZ@MK?=<=g)xUy>K0)bI1`xCeR{^sGzcHa*Jf$HWn6_|MAuXk1 z{qRV)ktjgE1kY(L+t&827(RUajP{xQdFro;@aZ4%>!Vz9?Wvr#haCRhOBCA~2n)7y zxUAdt=x5q3YQsDBE~t6I6chylKzQ2uSK(v+-c(X`c;g|E8JSP^u-S1dU(G!=dV z;$;qVfGhT%o<>F&(|G!M<;JI{#JAys?lL=UP%3*8BI+x!pJ})t91Ky?KtQC~*0!sH zG_cZ`k!L{tPrj%Y0zh@$^o$CBO6TcQlm=>Q6R)7$1=bcO>n7&H!JH5TvciUm0CBY{AzAh!LDmsd1eM(1gHAKB z^pO=qYjmrV+s>9`H%%OmJO8C^h*F)|wAz{*Q1ge(D7xUmYV8W;OK*+!y}Q$(8^oi0 z?5=C$S&KR8uM`%uM>zVol1JlQX`$Sa5)xKM4!?C|CFSwcHHmq z&?`)I?lzxyhgxnEc)kNRCs9@mwJ4sI&+dR%@HUdMY`5jD%Nqc!a-V6NWb)*X)a6;M zb%KLP)58gAzN}y7RhSXduoQ?B5&T7!)vC*VNX-?%|vNH;HA} z$7Zzz3H2{gazB}T>`Sua`roi5AHUKjnOMkw0L4r-HTcEO0oiYn4-@FBhwH+r4<1GZ zBw|24f&U`?T6$Q7<`uQJ`msTCAgGgE$0+;KUpNGG390oo1(IwF0~!y1tt+ktS8vO~ zv3`XGBJm|!NH~~O+5T|KCXVRYKv9w__x)7D^^O1;Hs?1_Y*Op0e$u2_uQBeDa(>Vh z`H4%`d)ieRdUD)fjpzhVngYMx39nl$%VRNmz9N<3j}uaMX`}TTa3-4q7&e9Gq6&X% zl`p0>zfAF}c)6*cjxOw<%Q9<1OuG>E(EtD{Lh!P@<^VrYqMWhxw^;CaZJC&CYVQE( zS9@K88mO!$;9VUXk+1<^?G1>ZQ9TFER}Y`JTscM~aR-_`9!nXQO1rsgW8ZAT4FeP3B?O~^(1)vUP`@H!bh21; zB@k>qbJhaaMbNxyu9n6{tkytB_|*+uF6~*EI+Z`f{t7ieMU?jDalUmSg||Y`|J(p6 zlGlSE{8d3ny+;t zGuzZ7o)bi`M47t9MN1nGVC7p&lUsd5hkrT2is`QPtIU=ZiOw>0l{XpXQc5VZq+%Z_ zi=u<#C+ddjLHl+@szm+#M`@{Nlk#RQZ}_PdIAN;%T{1!n;{Q$rzArmimq|KCfI?;3(D ztxomlr~g9%YCs_9_!qUZ?_Zr#l7DeZ{}y}trR)0wRQa7!mXRkyW?IGmel|7VBv|L}eO#a&(e7l*XzUmQ}We?hA2|JqQ< zi4wt6LX_KAwvIb&yJkFXu@4zZVYpw-x2j7hrk@DC0g?`fkIJho*C( zhb@4eU3DS-yF^Mx34G~JI&8c5IU z4BlE{EjHi}z~!POyq8C;TrV+$ns{HJ~FfmZx}rQathf%rS>l}y&E z%2m~Uv*IL3DD-(GgU&}=m_dO@?%7d?RhUtmvEhKp7TM4F@XY8uI#X^fSn0M1Af4m@ z<>mevh0|-==~ zF4u*FpG^y1qy_0tTDNI|Dn-GfhA_WWIPatc^sb}8zM}f$g@DH z+@Z<4XE?rF(6kxp*0$jXPku_PVTL$KAo}5Ny(vGI6<;=l 
zF`ufhQi}%Zvbo6av-57)Ibw$1*)A+(EoZfs&HF@4RE-?fLTTzk-xfE$kFxr3{Lbz^ z)}4Z_aBynw_M)GvJaZo02i!&TMG)nzPLaiqgv|SdjaClp7AcBNXK}2$;z{nI!F%tS zWq-Z9+u1O;V&YDCYH)F_-huL&x7WM-i^iU-trdL#hqJLqJdMgbxTk|A z+uwd+XIta}{$acF5%uv-S!h9Tk?d&`m=`ZRz3xn3&}>Y>1Y|!R7SRi4K8Lx2I`~nn zz@o1vC6FcQ7#_)r`hy`%2vV2tPKuveSD4cxV3Yby7o7|q}I_Yb)BIo13; z(@F1P2bHB1g&iHzIG;5XePtSzEsJ$K=`Z}L=R$^y`-{ew%vo#aBT0py+dhtxQ`8X2FHFc zSkUQ);vaM8CG|OF5q@9EOH%e>@hTCigs2Dqj;Qn$Vj~~&yKiV=Utwy5=&7vP!NMBy8sXlJ=wZ~L`ZGM!EYFWmRahl1FI^khEACRSIs4_Rqd)>qC9kCc3iiE}c z3SNo>E{KY1oGRbSmNegFgOKb%!j%=vGTixMBnQriKW2j6&bz*p6l%#COB*VWL-L+n zEdalrx&4i(#W?;|>Ji%B4vCD7Aq=#CbxQ?{BGhbgqB0+a%0)qj$(=0G8QkE`3Qq=# z>S9EQHbdRiZ%509%N_kbx0QvGTm4SFG{wt-J}g#%wvO0!fk}b^2Pw61-08X3QX|!C zO^ewicOm{?JpEc~NXuUWyL5>jT$fTS^IF?RZ-%3xIn*-ZQe(W@@S;as!nYPWczYSDbfrWNDgOkfTn1RIMoj((>w$ra@5HoM_o6bX-Uc}Lm*F%1OAnpG zAsGTNeLjj(ylCFzr~%%sv)KflMKm{Za=q>=zM?`*<_MI7aa{M{S2FE*v4d7<`gV^EiyJXjCM$o* z{TYukUH(0juc6Na(Gd$>j{!1_d~y3Jyj;{gyx9)~CoCUpqP2t@8x6JB^CWhw-Uyd; z0r7$PgG?TH9#x0P%w>73Xp7Sp)QgJ#AwD{WTL`Q^uDxdX61X(Vj>QB`r4-KVhel^D zs^&=~n8}X5`q^fx$z=sw)+5~`;ybWkRlGNde*Y?)$EC%Iyb$xwRiYb(bM5^2oS1ii zCV5o8X_SfKM7cc0m4E*6tvtir{;6ND6)=XdQqE*R*B-5jAgcSXAI0LeLTxnk``Sq^ za#XImP*1`iIE(VWlyM^pjeBs<2t{ipx|y-H%HOANx%tP^ShRo3dsdxg zfFDDv`#6ZhQt(Zc2hS>Qp^^VxKap|0yF}udfJY-{?9G_6nEvoaW!@1KKT$gd{yrjW8)%?6qs!}KkKFgIO^eU^^KQ1jnFFI)=OrM>v5GFQh=zAilT^PW?eDwQ`)0S+^ z0{^J)sH+`g9WRe?S&>=#~j zj4TJMa8a4FOSi8yFeQ@Wf*PxN}Y@|{u#|saZf4z&u3p!1F_i$5n$emFT9%N zS19OXP)~({`PpPs(U>=8?D*}YrMt@<6T3l@ofFuy>(mmTbpfH^TM3oMSBzoreP@!ZebqF8g9^yQ$#t`Uyeyl zb)yA>S`i9yEp8vXxE%H89tXJ*>yas&Drk*%B1XE-E73{L*(JJ+%)e`?04z5Eequ+Vf*GFW7k_NxN-0&Efa@4i|GR2fqorl91q zGjGK3-qIPp+oi8n>-AaWGb?x(QTa_A+&Z~i8~e>x^OT071|&e2YC@4RmQ;fS79wT- zyzbxzFy0!4_)W6EjQ0b;c)h>@h=l;-r#pO zVZ0CK+QQoHX<%(NSf#8HvJ%2mSpfX~)%?$-<-gRzoLz>y zC~*%FcFbVNHhK27u~xdF!vwjCqfYRnaWr+<18IKr*Yh$>7mb~g8;|#olp>FhuMNCA zci~+gj#;0MHiPp|cAcFzHwIT*kGBlgk7EY5?s4vmYniMtPqS|aPlU?u$I`DUy{OZD zFW|S-W>cGyae|)>?692 zQ~lcKKJV;b1sh6h1Cv9L}0MFcxe#-^i{e$eu6 
zLOV*Eu!L8*t1ZOro_-g=Xr@-Ya;)Qj(0y`*SP3}R;NUSlw9!9WPQ&=8kM zy2;5EzTKY6avcqLjhpYf^c`H+*JQyKZ8A;&&hz!CFI3Fl+3+KN?Ubmo5q0#7UUvBc zrLJ1FkU;H{D)UD44714?+ROx)UeqS3QW=(Lql9Xu;OPzQxjgv%x6(OO!6yn^{0pCw z0ju@#?o9{h5xcW01?k8O@={?_18s|DD}uA!7Err^(?zU`1v?8+#h|z=Fzg=25-1w2 zORByW3U`&xb9FD#sw~(kqI(f>p~sgmJ~9%sq#gn65og3l9QvW1#oM>CWw>o9j*2Gi zBr15m%Xo0)sL0U)q%AkG@WFN@otB2ChnrK@WpnVw*nLgS@_ZgP#QyK>JWGjGd0^vO zB<+9|_VuH%li=tcPbvd_7iJSr9{R~wQ#k3g@80?HDgdBQy&5Y_->C2v`_3eA12fTo#hg!F{Fs0ibaMQXn6SK>SZ|?q^-;>)i%NS(W&sjdyi+HI761%Z^aes<^{7LjOc!#H<=lEZ3CZWRBEr#>cw?h zmOHWUJr}%>sMc^jtHG@*%O0Z?rM{w%g38P^ZS-yaP89w;TH@v9=w++Rz56jq=4{BA zn3Nzh%6_zO!4j5-8Qm@x-@o)rJ&$<%AqhEUPY-vHrB8Ki%i&0(p0O~9;ga02x*(b_ zI#O@m(mJlJ?hVMCs_z;~_W^1d>2ok(EopZC=4;#L`}Kx$G|_^AH2F0{GDI>fw?kJ@ zkigduzL3x5E^ToiUwG!7dF4gK&YN=&iq>d#dx+t6CPp~u*bAX|3Vo=%Td@()L(aRmwX;JP zdAQ2Ic6j&P@?_E(ku-! zs8WXnXS^wo`p$$sQqEzTQYXICxfnaKEH_!ZsDFS zV6QY=c4EB;cfTrkK6f2k3v|NCauUKCb(mFVl%rFJxo_#^|5zAR${>&6we*X~QwM+yJ?)wFaNCIurYT%W{5TKPQ!`_ctpbTVZQ! zYmTJvOIjMScm6X%vzzruHtglg>F@8JDh7Z*0@Kb3{aV_t0=-xLlnwIZpD*Yvs-nUy zHAqnNa$rgRl+zX*33fas9`Dt1M0yft-(A=^?wu3@TeAW$%f=J~(OY9wczMY>Z{WP@ zGO}4UW$@qH+IDn!OIroIDYG|ETepUBBmEmn+)j5`uU#3TYr~v4GWr%Vr8dx90QjT7j%k>2MSDK!vK0We|dMP?mz4wD=CTlKQQBeeV_lkEcagG6-(WjXkN4`N{V-+W-f7SKZU_LlCqbBmhX42~`9=SdbneYspppO-bUNY! 
z{0N-=-sS68fLD3rVq{5+sm#vZ74LftGB4m*%ru(RHAciQA$-$Cie{k&9EqAhz`Z#oA5Vz|h(AF9+E3A`zQe@jBYROUvAk=5VF8iI&H4s_KRVLLM4 zdZ4#WWXZkNQ4t5r>w@162PkbmoH}G96DgW(STcemOmHBig?%(n)sMYtAoYYgWvgC8 z)cg35vDrkkHS@J(Je$yOYvwlEfw#=L4G(;GKYyI%RapPI80k70t2ovU9&b1 zlyYL9e?-2<>Fmdw!Xsx^DFl<6&Ff$1l94^0ir{^($Qm31>|Tw#=8%s%SDpcDoYDN5u`tM zL9A}jHSPuM^2oU?7)~tV#fEDh-|>#~5#ZuK+#bg{9TKXkso7Tg-a;B-0)RameP2a1 zFga~MA-+B?4&i8n$L&i(qU`>SSCQ53Re$hmSv~Qi+NWhc(tUk!e9e)av0g#Gos%aS zr$aoYow(u8RgrYoHg~P2NHfy)VKVB70e~_EL=`&s5t8B`OS+GGRGA9}2gL}4d?u37 zM*a51Pow6IJT+-uOv2SLlDAgxeSIo!gd;(nuXzYJ)6ks5tlN7h{E)bopNvH`TO$DO zjOIuT#X4e)J>Z|NpydC?y`VR4oO-x3@eYE9vh#5mQdpLK|g>Yf5&2B`QrRy5wC7cf$*bXq0n3Lz5-)~Qm<_5 z1OK*L4|b`n{^dp{Pv3^)mrDs8J+Ko#8g{2R5| zg`-io#tPT?65a#4ZE}jR%PJBx(j`8zNH}` z+4C{MwSg)x6OWu+bTtDF_h*9`8O@vF-8o+Afg6>~=g+j)Gkk$9XtQHXToe}cA&fFY z;9--WYm>c*NujtoQf%@L=;K6n=yMA0A?Ih&`EOnac$utP0zkBf<7gK&5sbxOn4i>& z@r%!HLE!7B7@K}DB`Wa{?qItYkuZXI=DX^lr>I9!u=*+MVJ@ZcQR2Auv|S}yfdVOS zruYEMuIoz355r6?jb-RA{R*LlESZPsDthBTTmT7FL}#-rXJZFqSt)nVOlT^}ftXZG za730<9b&-ZknhD#QzO(wrjA}p1(c!z$>&wMOiKvG)Oqki%ysxY5%$8XG3|M(7Q90N!8N69B zIH?Y0CWs02=zc4VN6{6c&n21R&2A1;m@3zo(Vc$y;kg>E778DHH@DUzX=4)%OzWd? 
zR7RHkTokXmkrt>ZD2;zqC?esv$XPU7TbX=wsPEUpr&IcJw6KU%VZgiM_JZA{>^J7ME zh2{5Mx?74hIJJ>^%_FN@V9LtYFqHW0?5efh!m4RLEvCVR<;^$Mor~Y!@=c9ZkxcUU6MP3yLe;%-1L?BD)h6-;^JR1$pKNi+miL zy0=5kU(-jjZZH!>r^Y-exrUn?1X{YyxV-`!P2LVNC{8~=y6$@yW={f5f%o)U#m)yc1ft| z&jO?vXhE6Q zV`Tf5EJZ;?73~bT$LO71c!jD3g1{3=vp+K{y6n^I&oMPqyI9$%!*EWRzBcZdI<+xA#TVfBze4atep7k3n*dq& zFEy>sKNcJYyI~^Lw`MxXplM1a%f`0_+0BZQtm?&b0Bp1Fy&yVxX;C*SBL{Q5a))Ns z;V4L3KO#`ct}y3r*6pgHW~ia2hwiU?t!KUOT2juXH&GsD>6-;w!{7F_FFkwbg+lyJ z#^F9<-@=X=C%kXuDeb~U{KIVx2xTuYJh&W;IBGj5$}E?NNoSWIvtOVEwmE(tbEfq_ zShfk9&BS6^!pf-#9BKh1BV%2EyE6*XEm z66zj87x24ur##+8*ng5NZ=?W3E>vK6dQ(ezNO4!15zee{Wj<{f?Xs(3$dkep2te5T zeNQ;3-Z~N&;|17F7nE~wZxAEuY=i+YBGeR?{7L2>QLSPBN4qvtM z5#?7OV2989N+_xa*x|2jScji7@t6#*FCIk;if)15a_>fy6tY8V=)U3gJKe*G0+{ZL zbbk_1rYcxG7gSno(9rz;p`-^wKwq6XtqttZg7V*ce39ovP3FtfGHzBN1Bf{Egt_2M z!r|(Gx$fim9lvX_jYm;6qaZy8T)HY=F5Q#GDonPNSEJT#ZE0IP(+CSR{;NSSH=pSwibW@Ff8`7ZhXCaH}eZA$D zZ|mOg&`oBxaG}$WR&W=WAeSlf3(iDN2mRc!V0IZ~Ly8Jxhl!`KU=HweAex$#3ZB)Q z*1|m0{Gwp}PKPV>Cy$AP%WQ5=eh)u@*Gy{d-CLDX@=7SeLLf7yEy_5<4mKob+uw|8 zQ$pi_RIlNpSSmGnVbH4>X@`+>v8Kai>4Nx8V|+NjfR&H(LIc1~S{jhd{icyev_lN) z1MNE4C6Xv!iX|Yi(hcsX9ZR=lZn#xj62u#PX^AdL0j)Tp^{fz!J}OiArYHr|9=kaZ zVOuZ{qU`mT__^{fAH4_iT~O5Uiiks!NB?*WKIg`$QC9B3Tas_Bx1Vy-9e3o09^2|C z170kEXJ%&pY(xsBJU%^HAelMq@8^)~5k$cr=ejw7D#f(*gFOUqe=!Q)t->d&oay>A zsm6x2l=VY=UI?rjE`vY?3>?NSt)TKm4j?72d+(=TYVsC(l3~(e*H=wO+Hj#dV4fw@ zwSQh5j)L+%uSzuG)LljPDmeEOu5#nPIVVrplkmhMGl7VSpy~ys&Za^M4N=g&-IYdU zE*_B8ROe;Rg827UA8K}I&fO?jP8QM}Rshk}g@Jaz?cu&Bc|FK|uqfHr!SmE(dNg&r z33TR~@dPC!(2mp$TXyy{YT)>9+Uxf@ey+>(_Eh16`KqewhF;Zbxsa+*wQs{n0$Q#L z<*gP~$tyzwD*{OuaG1xiT;xPUL${}rI#0Ksf56tuod2w>a;YaW^zV^>9yHZR+0%AzXkkv-jJPQUB6mq|C~O4$!yp8>M?E%s+z! 
z$6>pkU}G&+=C6*(ijD|t=uEruhde;UL-vbfAs3*;Xudy334mU$lu9i>M?Aj(S+a-= z%HH$D;O9}vSj-uyFUf#to&=mGxglQ)DqX=5cY}QbwYALFd2NA_fR7vcVClHAEesWd z0yzN9-F+f7j0G@!xtDKyqmwGI(#XuEa;&GHgqcQu0gE>VI1oYrNu%MAxX-`*KWHp# zeI`cCzpbsBX&&gCuC6MKYaQ-P&Wx+bC<_oliv4R5Y4X~7@&$S^cEk@UA1{KV#@}*9 z6y%igaE*`Z{X3OqRWCp?7;~(~A1r0nfc0mkR`tAK7=x}%!y_iVJ#*oq#OuxSBlOH% zJn+LA52QnJkVZj3%EI962E)dO)0_91D%AY(4>>$h9M(1u^y){GK%RgKoZ(Sw!wjab zG{OF3bNO95y=xxQahTI>0!0I`VV)3u6-uibrt#(=2r4W5S~n=wYZ4hEv+~X(4FRFuXEjZ}$)|gFihcQ535~@~8Aw}zq7}O52%AcfurUHkZ#E1@) zYDt-5)}csC#Qr^~z9p-deIA@!xIm0Ex|u}2surn#%_9?%l~pAo;ZU*h{0_)Gl|L-( zM>y&~YKCSu+1i6mIS}`deRf9`!QlEf$S$PmjcH~w>u=|eZc+XrGQCM(&IPAu9-S|b z^+Vo;w^>`0*(OKFd{yUINHu&LUPr}B#NL4mS&5efH#~FKqV^=jzk@Iix#G!Yd1zl#w4)U!*$2{UcAmK z@X-Bz3I^RS-SvBQuH2pLtYtnHo3w&g`iAZ#Fn>-n@9_c(?OYa-}(`Hygf=ZIaj90UPMWt5AL*e+gIKuv1aTsEhL^qCes^WwX98 zZhyaCv2XsTZi4mTF^@L$Q6a=N?36jXUOV-CYI)xQ!fXb4w>PfMEjMP;sv@c`ym-53 z`ewbV?4+p=+!I zOn_o`+!(`hfB;@ke>#qOcrzqEJ1!W$P-&+TvF&gXi>Q=i|7QyY`6lTGV==t-`yaaH z7+#+aWT}gHm@8@o?F@jm6fHl_5itW3<<jLtNei21G@)%@DYdj6(!li|V)*%yPC712l)G3#Zi`pU|T zQ%e}_DfeJwvaterMqN8R^-Tio6zTma@b8)CbBh`{PVLPZ8B@CRxM>G{9WAcD=`_C5 zx*aVm`R)g4Ico3j>3AfCSzQyuf8^vgX}`$in8EBxPJU#4%t&<$8W*~Q?Ib}$Myf9> zZ9)87Q;)^|4Cjs8KWX#wG~8iW7bpM6kwz~dSTKb@91>0z#NGP&z0pYwBkW(o!NIAI zOcwB$PvvVs>FksB=QF$cD5V2$W%dg0qYiogRuK1Zt>>m0Pt3yQz| z`F!?d`l7Ru=+)HocH5!;sEZ!QguY+c`NhrlWapyB^&K*DM?EIXo7=FDBF zs%Tr9;gsGs{QU_mikRgXz)GjB1mJt-TYWrriAzpI+X^1l{KO9!6PurN*jZtE$%4+a zZZNfScEn$kHyu0;r=C+ zDF!>pxm0vB{oXCgw+{)@hfwB)*FjmUCVP=w$sCAx>&Y8mL^pA(tvn4M$IzuGEZ9Hg zh8*yUc%=-7A*HOn*Q=c8##4Fb2&T*$8y}t9WvAw_D+C{*;ocY<$Oz?g!50WH#Q6Fo z1A4%3?8vK}Z$B**{l8WQYT7}EmO6?9dMQX`w9yn5B5t3qyD^&dL}Jz``~ZUYt6Gm7 z#Fw=%`q&pbwAmh?3(Yi;0+4A1d&yoPb(YP0e~qw+eyG|P_upt10U!@4BItCkEP*6u z_y!{xv=}axvCcg5hJ1f8nhMC&Q^b@6#5^h6sRueDEk|@SVY-rQ*i&bM{jajfhnzlR z+LK9qc);0fw-NM&?PSU#NLNOJq|iprQC)z4fzHuAQjItsMuzw=%J^Gd(iSEM|HYbFn=Lg#IUoK#^ z+{il|sn{6~puBvi6pThE{~|XSwA%@gnfH>c3Od}QctIEZ;;E?Irh?27Nk)d%_n(5k 
zB&mIrsg|PT3y2t{M^Ntr)ugW<@taWtr8oJLn#e!P^ECrAejfubLj^k@-H#YyRtKV~ z>t`RzcfIti4ymBxtn!@0e>I+rNV+q|cX=HNr;0?7N!8&wdf^(5{ni%Cj|fm;+N^!2 zSz`PswxYr!Z+GIXxlIrW3*ap5>t<~Ckb3Lo>xL>v!3f+89x{Q=zA5(S(=3ZaZ;uE% z=h{jyamN&gnR0)*bMpQ?e_aVGb$#3B-JFEbAr|Pxz0JPTRl7 z{vEPK#Mcor&Y_JnmKGVDtpWU zF2h6)l#$fwvC(hJr8sd#2Tq02NJu}sm9PR3vhIatF=}pb14Z)7NEl(sO#m4TS7qHn z>(P=75>(_H@>u8PAU^e!*G%yRbzH<}oiyV7qaX7Rdu{T+xPO zr)UiNr2u(VQ5q9ZG7JtXO-7)yUKp-SSyDfhv9?Cn!D0Lv2y1^*^&V>pc}F$%#l%mr z6}%+&*>!9KPhCI=X3b*&Dk2ebU{Xg2?2se==u>0+C#JQ294iqPCTC!H@F=#H{HUkl zN3RDYH|J-1`Q905AmTb|vwhVz}&B`lyx#owe zoz>=rn7<9IKvB>U`czyKxa22b3}~$K-$&G@U!I{RR=lZ>U$Fj-%KQ2F4VU%j;-|Bk(TCoraG%djvl9Jmub|Ea*`E+6tiy_==afDV@r`qe65yt?O;= z88eB;)<uso^E5vEgFb-g!$~v#cw30$YKCgW@dgfsK>wNY3 zPvD)C7uy?jfldMoldzlGhuxrMdXLo)KoaNi+O$psW}xgxIt4^Y$EKJF@mV3;9L$Tc zz?n{%v&w3LXGU4ia&KTd9u=R78s*dN0K>mddDQ)8Og{3rYv{&bl%+{89U?L(n3?hV z@F>|y9&C#_Sm!_FV5pUd2`r4&I?xo7Z+<*g51V0o(+h}&EN|P<5qdZiUwwaU&Ohgs zO$<1i7Pje0kzohCeH@4{qW`ij({~2<&(Uhby19lLi-?^l5;iufCzC+CVi!!8?XjkX z^oGVTC!+MH_86LP{m;jfCx@6noq{$I(n}gO({U>cm&wWytn`wd&J`L`h&ev|1#w6IF?@vmz zk4|FZwfJ-WIOCsGwY4MK6fla5i&N!sLKO;F+OJ-&dB~;nA$tFy$zg)J!XTWfq?!vz zz=HBZT*8~_m{%BmfeGZit%1IDrkzML(Ex&x16Fh^(pwt>GHg)IJ&ERD&*Z}74N?Xb zIJ1r)4(dV;9s@9Wg6qV@I9ny)vP}+)3sa|jnl-caxADC-YQ_)POM2jxFQtE)o{1|wr(vtPTS{{SOU zx{BkIv-e*_2KaENzf9)ee(~RVY^Bg(;{MSB{1;>KKN>Ai=FvlK>!bwGmgQ;75qO$j zoCE(G{P519Fcb>8pqsreBg+w()Fb)dnVNyP@W1$a|E~en-%R;md-J~`Wc;m@h|nG~ zzcxczI(jAxBe#IWGmo+RetwY5^PusXv7jPP2W6uNaQSpG~L2lO~#Ox92)dVaS z&p)v6AOC(Uz(tNSxemNz`%5mj}Qj# zTQ$Hfhqy^q#IH%qCu}U*=u8{*b%`I)-T*VA#j5J7JY}#Th))N2yty^{f<(~u5fA!k zzuOy1XC6Id?SN@|K)qRC)&s;Qc17gD?aIIc`~49AjKInc(#H;J23F;HRT z`D-0l%FGT}d)BSuviml1eJygWP&$3Z3RT2zpV*p75X`LeM&vHz5V|ngWTrY2BW8a> z_34C(%Qn8^&8lXT7$IUZC&-W=*U}D|ml^qUq?)}WOae$k^)2I_x3BVe^aBl>iTHj=O?4}mV9p7KBP;bn!<>lqg zY2RKfTEoIrbUfUA!UI(Je;X~D0aymgVgOxJI3RB_IMR*v2eM673(kjpxVA+BbUp4k zA5&bwDDvtav1@eR>J;#b&=<|uXE7;|1>#{K8NN+_)3;jb{JPn$&yRDTip+kAjd7S~ zLh(hwSxZcr8qQjlLt2lC;M~y5!-|nSdH4np&S{O?_@i4Qtqx>=#~gdTZdE 
zGL6fA=l@m3MRPXW5pkTVZvN1hV8~D?GQ-^DJx`*6qqm7b$mRwky)Te2;!n3l@c*%6 z82?OTR>8jzd~e6(x%Ct9ypP}&Q6d!Z%LoW9Uep&hY?o(w7JOzqd3({`W;0+UDcxl@Vrm^T{&oh?6%E{ds`XMK0SN;UsG|Kxc)w?bWp6_x zxBy*GP)$ex7twWUZ}Q2g;Ly)9kcCH_c5Sie?V{e@iFHMG-R4nMWu>m*UH@sxk`IG7Z^`+LNRP(lMwLs8@)7Y-VmL9G|SJ=A8VP<5GRD#h%s=du&qd2;ezYj$YMp>6zUUK_W}O&$M= zNxuWX5_-rveXH@}>zr1Ke)foMcOCy`pmdWLzxdIv(RZK8u8|edpOTR;;=1cJB@H6( z?sd~ler}pDm^+djk@HFj6{0f_pX&h+_P)dW-856z_Izm%1eL9wx5EHw)e5z8?$!0g z!b!{@Z6RCtgdRIrkM{J6k!;7F`dF!=LX} z!fBT4XF9$Zh=Ny=4^)O>=qfqC2YECMnX-GuhNYSjOs}c!^Rwny6AQPEABCM~tC!Uv z2a|QEF)m;T^sW>hEh25FF?`3g3|y%@S}JMgn`^&4_JirF_@<$Y>zna<+^^)-fTo~n_iNO6hBaW%#h`d zbRdkd-9S8~dS+1;QEP!3M}Ma)(Q(088c&lw>YfSAY9n21_F(xcg7NYK&gp!Xc9eoE zvtc@34OlbFS3g|6H1~)BtjKY`gr?{Le|4;gxehp95abnK%xo%Xf(E*@C;@@46@P)V ztdqz0B2rd3VyN>O!$q>iN>*yHM}PRdZgqT19O@!uiPN#T{ZP-oIAl~I*Wfw?RZaYi z@j1i$$g^U=qBMk(`F5Ew>rjRH$5>J35zv_;v?5 z76eEdO)H6Pv2`h@s_ardaFw$r6831PP(SOi2O8G?5Ifg{t4Rz=DYM%ih_ZvQY-?L_ zfwzTJFp3yH7wxojdUw)TcwiQn5Kl*VKsM{k75H9LJGl}tzyMw>k>eCwhH?9O!rU>2 z<_chi^!{LI`=}qqT!<6z1539hT>8H;3^(CD2S(teKaIfYIVPT7{9V{Z!Y83z6zE&Y zTfbeiUOH?8S??$v!3FaZbb@4%KfcL^x)B%+ruOG+rRK4U+J zKjAG{=BIl#cx4qYKW=%>^kCOJe)+xH6WP=wv`DpaP%P7d@Js27MhJJPuB4AIiAViw zn1Ld!N#W=F+@VSPLA{Gk6OwHwKi@=EKf=L8oyKOa*5O$YdxwQ#%y!gNFaHQ`SV4lp zyEFR16>op}FBR0k5yIfz)+c!!+B60U4Iqv)@aBEyNqM#!L_nrUxu2Ts6XOsEE4+NY z(U?*!LZTBaS=Pc33G^xST7MGUJEvv>1;SEs;dYmn5rztrxRd#UMe){hi{#F zyWJL#z}Rk2JVyBQ=1Yvr!{9ij_nivt#_{a;BHm=B8$v59I$gEH!@x|AI_S=S)iN~dQJCHg0x4tMg_QJe<1(D zN**;L{0&GxUp#MwSvW|o4C5zNhu1?RH~ONU9LZl;YA<~p|M|U)5{bvf_#=4vzQ4z2 z`*OpJ@5O;|s6X7Nuv`}6pTPmr?Q>I)X@cK=r?2YTMt|ZF?NU^q?xeg>OlS0q$~sI> zNg?ntQs&GGp?MTXW2zqiaORBwx%nOY$(-k-ejQ^`99w+&MkiuC`jjNC`(u*MQF6MP zaUv!9)pZnOm5}j;z>y31z*+m&wJqO03GgkS;I_S1(`{qZq1)`Qb8c+Hq4N6P{p|Y= z*M}Il%8}M_q{ho!|CILUS;6^z?{$~5A~QRbM+E0v!}1Y|J17 zZHiVU$C>J-6|G0NyLD?J(R-bH%ZAi6`{F?>sA0J+?d3{o?v6N;w^1%$BHbS%@9t-w zY%e~$ynMDz$+$MN%gBjhv##n3f;nRh`Lr=zOJu~p?tFCoIdYS0CX2D4^9W}OWko|` zE;0Do@z(9GLDJn#^n%m;Zj$}LN#`y#%9)TD!W(&7rB!R`Z*QAQ1(5P^U?O1+3)K@x 
zWF^MeImEqp9IWbqMwA%u=R>zfe5ziXt8t|tp?Krdh0;ew@OychJd*L<2E49T!WJPY z=PE1CpShVnNZese!}yHHlKrrcuX{lJvNyT$ybpa~VPo`wx^c65gl+z!?$K2JY=3R; zhj0ahT;7_yGpx@fZ_qncu}-gH2ch}J%_Zx@+xgg~&vNIt=Y_$Gf^#&b64PA|ncXlt_Ha6BgPztA%d&#-$^7 z?W#=5>C}^I^>W5OlH3INEU0wwtBMaLRp&}`FMw6KYc2N{z7+Z7N1oc;KKM63N~J2; z&VqhmseeL@UJ>#+hP$^38|IDNQ1YlCc@<9KC#Y!^i)~)*wc;uOoKc&jmQ=&{crm4-%HZh4HG5H9Jdm7ZV;j@!gH7RgfYGGGBdUh77%7K znaTJzxV}y2n5IFC?zuwJWndv+9hrqgtUeRLB-Wqd!2SpqExVBJoC+heYI=bBJU}Uc z-9*3h2NOCyBDqSbK_6pwf>E5fScgXhWm!0lInr$BtU7AzM)86HQ>q22xDi4xCjpmU zTtJx9LH}L@InKt_Cq|2(o@qVLMHO+vF0#T-#m>uD(@XBM0>b9PDVl*G0y@D9z<`{t2|b z>I}onv^LBrGG<+>tryfXzp;UvO&fx}@;q%^CTdQ;6iYr`oBLV4>0Q@+`# zEE1%(>tk$Uu&bvf7CUX-Nv4TD0A`uEam6bhoRR@B>!%AaPjWFCmVo3J%%2@ZC)j=B zzJ=u1np|0h?S~N~h9pVwl2m)lVp5wLVkgs(b1T#4x;HEFo0JS)gv`HJWD*3$=74MV zLVi2=&hiMY@R~3vXdcS|>|growmP-V=~=pDr4j1+y#<9IzIn2c&2oy*4@4QY=I^q} zbj=M!_`|UJiMen1QheV#BVsej(xe z%?lo1#UZI({qlR?L1t^J6JB67$|qzUZz%0c^bbS~Q@anm;9~<&rbTcouzHyUrM6#9 zc_gPspuLmYHk5W3ktW=0eZSr~BRyeekiBCXBL7kjP-%>BVcZ(hMA$}Y--1YcdD?St zOg&+_-wl5-68bbX;kGP8JTZ#CLN1xD6Y&5YXO4hd+TBh#q@LK0}*E!niEpHnSFwzhtT*-VHEYlEYfcnq`bxUxB`gvT$2-*MunELOH`f*n80d zQG$=)JGkGeUhKc7`w+us;+X2U1TIPiIg^_+PEjoOg-Ojs`GO43CI<&NrB3`z1+iJ%ibYA+Ya)G_liq2^h)vUda&nR|8=aio^o)sZ7j$zn#Im7%0RaM4XdB5V z#Bh-cdBzNZyM5-d5Ss%>VgL0w>6P@7DTj1QWq?awP|(2iM=Zi}*x6)6De;zrETlxm zhB^r-C~UFRb;g%?c(>d`yFmSN1B^X7y2|$9cK{cmKksxbUzGqnz={_?h*&$&G#5t$+6I|g44(v;HBKHHWw5;z6=4!=(@8x5 zW|5PB#WBC3m5)6z2A;Dr0(~UARsS7w-PyF42WF91m;J|CM zfBsrA_7@EB@e3LNUVQ@{g*EBs<-GpQc_Vz*sqyL9LHD>e@o!pA0F^Vg2#v0sd35O9 z2;D7iXKwteF(LjptFdcv<P(4Y3)Ah$fGbHu`}VRc#tyaKgA@gWm=F zli8V$s=}x(B(wFD%kyM(@oMjf%AnO~1_80VzgU~hpq1nV#@Q(7@dC^uY~}7xdb-%M z0B;6(!ZvU*c-k9**nxK{5@MU`I2IAcEu94YXr&R9*DX}JBP}Ec#|@u!Ta}lW<0H6o ze@}h*=H-^`gi!eH^s72X#Yfc3bMmG~0?~Ap_QV_6) z%rzBc5o9hOiOK%pDz{6l&?z<4>=5$VH~Mhnyg>MLWOMx663!X4hg>=P_`iJ31wH>p zQuY|*K+Vs7h4L-Usyb4j>Q~qo>qb)W2#YX5gIiSCq zTRSXsFI*KnT%CY@=Q)spoIV91|Kcd)k~z4$Y;v(_6u1`3Xs=pJ^^wxh`Rg|LpPcCV 
zUwxk~dt=dib&tBX0>exQw+Sly^ST9eW=jl`94to4k|m0~zeZu>5l1~XdTUo{Sin7KdV0EO7HCVa;STtXKbTH0_deANK<1YE zBpr9t)@)pCP!7DI$p?f~Cza#nk3$GIvC(Rk{-bX6C|5IB5yVUCKf>#c#HDMdNvEJe zf}m7Dd1MIm)OJtfsG4i?8{eoCCe$v*~Uh@LnG=l z490pp`KiN>3({M|2sR?tVh&hq8Rl|}*=KKaW%erXa#Ss2&+SA_d6mPL71nAjJNz9X zQdJ(qF)#hcCh}HoJ0Pd|@V&D_v=%(rexO|}19RQnF~CUda?-sD|3p|0K70Kl94u-BlWYC&LCXY!J@ z?xi7@X|iaz9giWsLp`vfq#D_14WI9d6juTIO5-+Sp)r1Bm#@9o2K^b?lTHW?pYpO# zecW^{vYfERdgoEvGW7(LJ&5o{13zxw^3vIA_#_16JlG9zB?ES5vj)x~u@Ob=dIumX z|D`EGWWlpSXO$_FX{PpxyY`&Nq&sNH{K!VlDr?p~Gv69Cuek@fQdSy+0wuC)yhi7Q zF798JPcBHYT{I{Okqq@!rHz8#&DBhilr8G*%292|GI=y+8SMo_Y)NLHS7YYFf!Pe* z#Az-D*1MFrgBEn>m*X2RAld1{-Oj^uM=X>04e| zcb=3{Oxdr8AlrB~FzM?4iN59aUngki4?E#tmj~kHS9D9d@}TuRPB0 zrR6wD#`Q{No~!gZDY?8gG}bvo_C7Qo3Xj@7%(`&FHD#fc%=M%;swJlMH(Hvh-{AAz zNr{*~MDiakI%@Mk-DxgZ$wSM|XFyPUoPLlJu5>d$bp#`fPcUU`F}86pgkd(*)RHE@ zVi#3jA1R=>_rNGS;+Gek&^?QH6Ixhs%2ZQiX&c9qL^Ha=Ww_1DYEU0`-V>Ac0Vo4% zZ6bU?B2sC8Jq~L`)iGDrxUHQNnpQ|@o8xn8+1CoTDo{)F1EHvl^6R|%U>@)>Rc%nR z!#(WpC-Ei%SzHU%sv!4`c`T7nq6x0=u#PMK)wQp4Gm+mc< zS?3G7Xj+sl@nxjI*VV4pGO)b9>3z6o%%C>VUQF5^mD{fsjVYg{b3B~Iw$UMkC_I^) zA5Vp#=4OVg%qHHAy2lJQ%gjuh@6(-oA&vr2ac=Zi z+q}E1Ltsx5SNn52!}hivPCyAoS>1RnzMH6-etAq=N{py6-$($lAYqzxt1$9KCEaqE z4$$uO87v#!DRnL}*L~aQ zA5uJ#ADIl^kmARNN>;vPf9M+CDv=g5dBnwdf!?rCGamg6p#->e;*tA@VhDC!_uAW$ ze)m32&`lkBSpMuj)D-b;iOk=hu?0qP>{u^MH^+33_m3V0*Ft2r?WBicBA^BY+W%?{ zaX2o+Gf4N?)cR&y53||!Hw2z02uI(x3p}m{9k;G*62W-?X~PHcTkbc6gZWh>IIwWP z%OzkD^r<6%QD7-woM;f%ymbS*XyV?mp}uv`iEN;m3RMfH^i|VeG@}h#9pD`>f_Wjv zoGH3vbykK}c#xX((;}b=LlngkK9OY)mf(CV`-C+@=P{u!B~uG{V{N;pbMf@myT@cZ z?;K$t-{r_}3ZCO>fNk2M*J!bN#xZq~Ee-nPvOTaIA|LOzkD2Q4lW_67S7>O>` zMaF03&=`i*)z>DF$!k1h7$+t0CF`JDXIKe^Np=qtcj^=hgpD~RO!DT!0!xSRr*aBD z@?SE9I8JJc@L&wA2{qsTqXjVGk(vDQ>c`PHtTTnnhHHVsSev%#n_ng_9bccH%qDyB z>yYyBnmnN72?tubXIkCg(Cpo0f0S%;1YzGU^b!8TWS*rPUn-}@X=Gl=)pps$e}C-- z2Sa!D1M`o0GcTg>r%w?ZD=se9Ygeh(a4^yjrG|;>%}zZo{eFO8z|;+oTvp+cNJA2S zf~^=?#CB34x(&gILYNt5Xyl&p%42Bf&b9Z7|4!8{Gb4EY3=l=_q)CfqNvif=p_Ol; ziR2XyqwHyhSFT8exG9tiG`h 
zU(!>xJ=Z?q){*EFu9>y$tb|lPlLRS!7mf68Oo#)hv*t!FF4=!JtPmZKBq#MUOQ<4` ze?8&-2VK0oTpufO2+%{Yh;T#_Z8>eSjMFiwuY)4XH>EEYW)?sAPcWs_V5=L z3WIuAM`lJ$$SPqE%8Rjn8u^j_?FD7>hk>kG+7<|WcZBdL+UO$KR-?MKK?#*%iyjxL z0>??BD$^hAgXQAEa2eJfZ-Af{&r@r^+o+*I`kM79_9`lKM_>>R6=#^;H9*l*GxS^P z8|)Lz)ybmaXeijd9bx!@ryBDrhB1F&AYyE%wtyR=IYPo@gG;ee^6a{&P- z3KatJEN{Yd#^Q2<%|cO>hM#{TFS2AxdYxgjmg?H&c8mLvMf<+4(ZD429@HYt4_#Gi zlJ>Y$ze4S5c>GeK0~7W(tA{-}4)dA=25r5uzN$tmw@1G%Vy??!oFXP8BO>I|)0Z+a z;iV2b`|dJ5f9T`oh9XR7G_@3C#r?1Ij((ua#P7|vIt|%h9Difoydd|Qh#XvEm;|3* zWjyXtHEqnsr7JF9#W8Cu7AOs7!re?dH3=7znoESeZ?K5po*2I#WO#XGk|gr{DVfe{ z1i{8WC+3dlbeZ%1()=9~(CzjG0L8+5hgI-tzqej|&QD;5pZMB8F!6PD#w69<6M#Hd zkp(W6V|*l5quC|<`ly@M(@!pjB@W{DGeRR^9$Subh z)P%U(8f2jPy&8*7OXME9QsB6|_IIvW(Y={0tbl0bydpW$W6#T~^+=-*EO5_t;#^|X z;dlYguF-LR$?tHgTSOfcM3-*j7hs-+!xvbs+{R&BfSb$mU+XQTG zA_@gdM@->d-}AfF)0cIvW1E?G!w@W8bLqYal^9`E?4L5d_Yl1xYP0`o7{`q`O?rkJ z4*w7P-6W`-Vvj`g?+?MeCd9SmhUf`u0t3b?=D?Bi#!o#dlV;fzhG6BPJt-T%cSd5Z zTK`(V#Dsv@%~=q~CvbgnzI?sT-Jz_e6PUgdF7CbZn0H>%Z#U;h1~rsvb`+(-pJ_DJ z&xb%-n5FB}(#T|tV+JTbSK3k)}pxVoaH$qi@N(u|)_M3gfrL096e0sWN(NxLD(mg_O`$EUG4A@wMl+T~-{8 zuY9i0PwWL3ZK7cCUk21?7n>i9h`(WUR58HK7}~%j={AO_R~~okO73OXj-FpgOyy-U zH6s3Bk#83Z$V3#yC52KrwPnM=?h_m|MoJoLEZq$Y6SWa6Nq*s5{ssu}K2#;3)iiua zGwD-IVI`=zAHZ=zDB`yCDQ8#|hj561%42}r95BF0Ds_B^r@$b7KuN|-ee0eGB0`9h zz8`!+eSSwbyqlA_%!kXr$Z6h`{KECTW61FR8U;c(j=5IN)=pN`=zy@3-+q&rLV-Uc zH{=@|Oxmc(8byOk5Kh(fKB32A>8W@LPTSvOnsfi{DW(e9Ej+qMX|iq&tO_=>KYtEa zIr;;y0jhyiQTUv1w3#M|)8ESHNL)mxE!B8Q{4zgzR87#8o_X;ZWN-q{UN9&_s<@g~ z?inlU>9FboS4Rj{|84=hyh2*eh(KNl2D3Q0DmFFbrCxc_06=WhW?sh)gjNR#zG2|S z=x98+gR|l(e~s=r~V2?zR1p3o%jT`L~qOW?X)vAB?;WsJU zzBD?_A!}WSe^VjQv62_x4*P`8-H9l`llO*u!}SFXnYhd)UO~$n1>3#63%O?@?;Yys zD9y$)&_%5H2~TV8%HSJI-=gdnJ2sBz5M!@6;Sjo>00kXUmH3OLI<@x{fHb#RuvRAh zN?1b$-5fVnBMU$V>I*Pa&BIN2R#u%sUnHfLp4S}Re7%kFmAt<$QJZqTQ?7Lr3Iv9% z7kChRd-*Y^qw%x@H1v{r5iDW65Us9gHJ^FB!OMhG?T7K0>sN` z2OE4>2B2DtXyaitqveC`EJ>R2rmZv(fG zt5+@9;>h!TeMr#35gRMeCo6NEffrY*hvoO5Q-cO#!Ge!uM-M#h2p3>aj!-9XhJ&*a 
zBKHCT=m+jMTWj^s!K*q4$L24NpTJQrlLM;jEwZ zq;L9cC{I;qZ@Ca*DY1A<4m)<*!`nJ~L0`2m)Xr3=7i ze24n39|sZ$)Z_wQSXZ5`h*Y<>wr)BY8XH@Q$$WH8ZNEDiYD|Q7hJyt_UM}WrrETjov&Ve3bDix4AeK2)AGiSu8 zLyOGW7}xw4pDq}|1C7g1wxQBq4UP+h?ZSz#g|zd}vJ-y-P@{xT@6)%ePnO_L9PDvN z#W4-7;BvEbGC=%0exc}EaxBsyznsPDz373#*oKkRBwpJM{1Cq#N!0NOD3r_Ws~g@2 z4ABiNd4DUeo?3r^F%rSjk7KY{oiudf4Hf@%Do=%yzIZJe?9)He-j5N?`@2$Q~y!_ zo=vD~3nmGj8L7Sdx19i<{I^*7e~O|1yZ8TtsoOS(D%!gM@vlJJ<+sr3P$q6|H$e-qpeMPBz|sDMeXEx9B77iokI)o*iszdc2tCNs!+|B4W~zTq1^6ZMcO8Ln z*%RsAVgP*_`^Wx@8sE|arU+@gW?g2mK9YvkxcBn9I|Rl$&Ttg1`K)Gn!d$u&p0fhi z*Lpj3xNY;|a?A~nx+ur2fZ9ycjX}<_qKpQ|15G9QP`RVa>;hfV*`}dcmM`q(E18|= z)vr9>LC~N0nnD)DLTWc2EMb$UFBo)6M=9bIU zKU@$f0V)z(4=m-`K@6&*brgE;+=PSlVmTawC z1xw1BJQS+hxAcum*0-E)B24A8ANKa^ZS)1odkxA-+BnP$L^e=Ze`)QyT59xXaAmj+ zTec@Cs8-*q_L+6W$lD#072reC%y}OhGdFs1Tp0G7+KfJvnp`u(#=Yj%b=iVgX6s~(F)jVmTSgtJAlF{ z)&dW5&(XEQR!&_yD?ugGw0i%0wxc~%=kAVVVetVL9UZ;zRLA}JsL^%P1o|MlT}K~c zZ+O_HJWljF-oBdk+FgWf(UL#a>VNM+4OFrp;bA;)mLtF37*fHkCU)FF5@yR1qeyqA zYf^^UKLhtDy7q>MKW!3Z=I*|*F#5@@V)cyA9JJ8Y6XG5`v++`x41V4XH~l}vy#-j5 zZTqh~fKnnQ(p>^dcQ*(~BVE!R(w$0ocS(15N=kQwf`oJqF~oXC-}n2zckTb$YybDL z_Oa(UzyZhMmU-s6pZmPd`*-0kVr=aEvepu5uk!ZN0f(d8-)~!LnpZQkhxK+mS3I26 zg#xUc2X=k?mwn7N@@-b73!D}l!!J<6`R#YZdYAU*67{&P10HTPozsk4fhn_*o|HV^ zFl;YK(aUXlXQ|c&_#P)i-U~}EMytI1hz3kEU~JI{I5YRhskHThCo1@N?2_oo?$mW( zIpjWhM}6yOZkRrZBG7ETcsSuug&}?Vvaf5R>5w15A=>XGgSH+g=QuRyEk`-(+Q90# zXd<1#_r&{6kq-yG(&NqGp|%NuQ+4}YEhiF2q~$$3t6(2q;#ZT0#Ux<@lIn>2_WWuZ zx8l6;@LB4OmIqQ7&OPR>fleWt&wX1eT^jE6u8)|$jSmW?grCJ^+XV>I*TyPj_aU5V1rwLdbsfh-H*W(b)sF7XEZ4nEq}neeL~&{3f5;ad04Hk;=FMU> z_NUOw>4YvSmM(r3@v?LmSAYMquf*`^Dy<`J4S0z=oDHbZ>zpzNz(e#9>ECBWFHvvs z4FpY)o6KDzM596b1!39&1jSdziLa1I%yiFA14*-EJRy@*;+ygE11cG%=ar7cE6qTX z&%x{GhdustmH_~!K2UA20sgygL(UP^Tl+YWt6JB{a5rniOkTnAX=JGu-MocnJ;`1# zojOUct5uieyYWX5h|ja=yU+G^`22%MKcNCE>!a}8Z5JGvG!99jkq9Sd2%gNTRrKGlA!)qO)3JV zh*!N~?PrENs%LUxyI#A77M~k#+$|(*wox3Iarjv3FOBjHK2DP9=Xn#CT!fc$NgE+8 z*V$7M#dx1?AM)V$bd`hotm>dO6Dx1%hBSR0^10%c|{d1(U zH?;`Ns{0jabs)Fe63iWxSV+3 
z;ZI;4hD$dWRr^i__t|3qS71fHy0r08Tari(^}ZuT-3t@X#}AobriSi$#{EW1xz{t$ z50BSN+!Saoo|at4JbI}Rdjo5E;ybj&$zOBV&{`3i;ficx0si;^an!!q^>%QTjsq7U zxehyPHd^M%F5foA8H|2b&WNLH!7ecFvrU*yqmZ3_wfP}lk8S5FdQa1Sv7xMfb(=%l z)CdbmCGhjEm02k8*VJyjF9C$2HA}L=dxLCAOCXc;b&+^^K4lJClHkH^v*Aa%7S^fsj4%nz^_3 z9{**eZCmesrLo4C9&qQhy*@S%FE^GV2umAHMzCI})#)A5;!P8$SfQiU+tF|;eibmx zF3r}sAN-^u4E!gW;2{eHLiRp^YfH6}gNcrd+q`zsUDM)v*iHla#tOb(%uhV}6XG<9 zswMeVHt8LlUV(jHW6@8hyD-M|TCx7bNnghmcfqf&C1=_^OwAS@>q%r!eCve12ASw* zpWPE;{cK)x@JKUFP@G$k@Fqo_r!Y7^v*~lkJCjE$r=KEYZV4bZHw!psXq7W2@95PxQ2V)Z`wAVe(ySLnv2}@ z-Kw3>aUDw!S$!pbOu{-21F&d)4UQI)yL^p)$ZPp8Fg80R^P9bE#Mw2})8OU;KZH4Z zwF~b^e6DpzzJlZ|`&&d<#i(*G8XFur(_D&Wo(7k&kDP(#KX7^;!eB@VYu3t=k#ect zY&w_To5=GOOuRQv^uEdV`1YpoXL-JedD^#y&YFa?4{NVZ$pj}oVxP_tod263H}bs0 zC0?bL`q-&KC1rpM%LEv-rb>O(PL@Wp>tdu!(Yx!00W>1@EJY) zEXYM2}QU|c0Y=lO$-^sopcer*Pql_k0m=;iM`uH}-4StJ2`MEEwp?ww7;fCjoY-;a*%)dE(|0`Czka z5;zL6r$B+*P!F|cgv~)&b5a(xxcS(d3$?0D80GY}ZIzvB2aM~}R{A3ff!7%B^izn6JNkfG z0?X5RIXr7snNRgR?cHnCPC8R~NL?nJWq*6c>;5x4t^tv{n8qyM()wT(>38M zC3qh+*HZ0%O9sQ-xtt4Civ^_qp%yP2&FCWM=D&JERrdW%a#GNU zxx(dWxPKG-{QWYwS*!Kdt@wLa^R746rVHQdM^&xXofK>SJ3g^Z*ddCCYWLkUu>+V_ z&l-yh{SDOk>2HJZ-$oZ*ibFzHd&Y6->7poZDN#` zpBm-vvV`CG1E>&BIPKf0Fe!xl^LD!l@2_4I`h=_dFNufGEFHLt@!Z19)U_qQR_Ur* zKjjo~iws3;KN95B9Vj8?MDRO!?-)s+bFM4xI2Vhpu5>pyrSqv^LNLQ*U!#AkSgC(xd*jQB0}e?vESN96p>nHb{fDlb4D_zT1+E zu9=EuSNl;pEy`fs+qu)XL#lv^c3R_Nq1o&{QYGv2qQtu=3#dz&2y(b&IGC_TvM=DRq+U2dyDaHr~G^W zt5Rla0(qmd5@1U}POXmyfR}AX@vV}9878wE%PF1yNB?(cqjAK2oSmakt#E-9AHU#a zaW?RX*HNBzUc}XhT7I~%HV`)V6>)eRrmC$|T>3X7tuOJkS)y*BE^?|dGev-m2pIpn zE&D6y#J$^@GAa;_WuL3IhKvxf#6Z6PcwyUrDJ0DmoOne0&P5G*OM50eShHV(@f_2C z#hGE-^hOK8P6K1OM}>FAY*PK(Kzi?|OiyjwxRDw*pzD#_oqOEg?F56<2As7HeUYq{ zjURxAEzJKzEoR~Qr&@ffHhFZ9D>6)5TPHUt_}$C<4Nnz-w8O(TRY_W%FvH#K>y$#N zT#W0I_GLozQ{{3oi2B_I{-GCdjAwuGssy+<7$KW2WhZ+v%qGQ#Ik6NON$MSokvT3! 
zY+HUf#?mWf3q>u|VQnFDA4>$vP0cTOwIV5;5bh#HDaQ(KQ>|8S#oS5~xePHW2SnfW z6X+RY*$Ly2H|U}2u9INM=EJtS9*RimeNh4R{(Aim8vSL@oKoj9frmA@E5(e>_2y@g046qBGv;R z9N$z}42SN|vA!M|ud&U`ZwJA?cUKKsBtGYUy<=U^pOq0Q#s3v>$gV6%4YSHic#WAo^FczN({IT?NV#|+wDldnu?@;>uGVh4ZU)m**gUNROW=e$UU zwimd>#*$-)OlCJ&?>@@F9aS#EqTJs0*(dl%mVCuUhHFgysPMB&ur1@yQ9rw2;i#=`Bg<<_zE1jCUkIaqlMMt$JO(H83h!G7v?il%LaMu(kd1i(!@y zwkHMI-W9{@jR%`RB`AyQAS`)6>Oufn#TfQ}u6nygr>CJcO44I}z`M*wjVJV|+yXMe z)6h45nq-n|@Uf3Y&de4O%CWKhrpZRSji!Wy&*J0YblbMmThzwC1`DL!V*aK8gBw7TB-g8fo3xJOE1Ab2AIP0Un+N#Kzk@6o zF@C$)x%4*&=i@+^q&1cd;7L%a0pvToo1sYZDNR223wQhqH3kNezO;P3edc@j5=AAV zz}TN0lij%&Dw`r`k}nnC{K32;P|Pdnwqt$wGo$fzHlT7t+Z}Mf9EwQ79vvtGfG$YZ zFfrFS^|-qk0enrEmsdwxB3^){O!;eil!LNC5c4KowDn8_0lIGi^^$?RlMC2@e2QT+ za%_|4JZ2Ly6u`LMwD=To3IT3QkzR*wCXwdCzOZSV(dAm&*8Z9ZD)q*pK7xfFr(}R# zMAn2sfbicI0#O1AG1k0=RCX1>e8RM*_RJhX^DRW`!gcA{&dbd8UDCg}I~d^ZuJrq} zxW@ny;V2|n(`cH_4ALsxd>qNWTJM!mMhyiWes-^cV?_|&fKU*}biZ`GWvQ+n&0?S6 zZKQ`8C=Z1qKU|nhB5P9{RFOm54T~e^3bqu#@m0Jyk8xz1I-)Pxnuy&tNLyQ95hJKu z=@Eqf_h_0^o|X)-7jVWbrQvLQr?G=Ki{X@9YGdBN``P#3qteL-+YFQWgZ5>UF_> zG-R7^e@n*+R#54<@$8wgrB?6OtR8+)pq{W6E9*?z8?R=KVa+~0+I^^Vtg2<}IQo}# z{2|KN71$l-C`HtyyS+lazY{p|u>`+8ug7$;22T4QBwFwTo(D})-zATf*D8lx8L(k= z1Yp(@qikk`FhDU{C(3$%VY=TTDrIz@1zE;f?-|?@Bt9@TY=^1bY)57IX5gNXF>z2? 
zWBialZ;z`sJPfGqouoT=ZBcaEA=fTdh0r;00(81MJ@*i@Ah1-n4k44_UfFdZ$Tn5t z&R91)zP+qG-oO#;{0wgJ>FVk6KfS}zyW_3Uy}^Ti^mknM)Qpt-+)CbU>D_TZTC@tX)oUlZ7&ZL1c3JP9aj|T0vd=QXl^YufXK`tAi+DMiR*)vcRgfPEU+jqb~F&-pvp_ZFdShrr(IJ z)|tD1(Vm3^X!vrjK6QiF4%u8U{0#KXJo{SOta)dg#Z5PZA+s#lmxm1(L)0mJeL)z> z?%0=^em~x0B@}4YJnIz*`(}pkL0-q-(yq8Uz@l4s&rMy&+mHLMi1LeNRuhSXqE~67 z#)9hkz1&VPl{KH(RY+6k?3Eio{DIf*iu1nf%+-A8VRaMnzH`XEEq|2I>U=-9EynXO zA=A#rO$O<3`#jqqV;^8Q!&-M)=gI1a_^cQ|fG$x8|9}q<-w!ca4-fQ>qGs~e^XddP zGe|h%?#F&jI9*jCex9<3a}U!6ezx#4#-HX`>%-4OiDCg^`ZxRfPE5u z;e`S-SZ|Adr3ra(D*($lcdOSho45qFaQO6`9)%P6gG-h>OjC}SR4#o3Z6U3XpC*)M zk&3O!#~eHn=?zSDd_XtR->)EV1Rei{l#Kv%fi7gdxNW<70pZ%d>Ns36@qFaTf*znp zt;b9^S&uLv*K39D$B|LI%KNKuH$N`cbG`oGedQlo*I^dA22V~Z>YXb8Ow=6t2nnF? z*VR^p<6hRwtjRrBx?Ss;K@s40PYM$4i%wIv>{ZaW|HI{l0@lgbL>}-eTOacH(FoM0 z{5)jR#-)JTci)wgU7?QN5z}Xz5>9gf83ES2cbw~UWF=qQxtXBzQrw;oDnBjullj7> ztchHztX3v~O=Uf9MfpECmd?NXRE5hGI{(IC&p(hQv$G+o#P2RQeBk=_U3B+_sc+Dj5(fOiQK2#bN?kX`N?H5onG%s_>qkBFmH$Y#=ywQal z29y?iF!z8B8GSFkbh>VmIX9;@WB(A=c|pi2Gp(IvP03hQsbbb#@T%H6+2I!gL}ISV8g#zccCGhr>!^v znp@MR)>k)veM8ZkSKSO+OEh@Pb)n>&3wFCWhI}QE(kA<%v!*r7FE1KO z`3Z=^hKc=Mp_5WXq!p<`{#6Xb9*1hKN$NA8QBmxWCc*fkG%yBa{48wyj#x?OHN$dZeZ%sK z1fXg4{L-KS#RCP6UTZqwd@R!;i(j67rHS~l(=|@|e}#=FZ%b{-LB5n!T#XS=r2K;n zRS4opkQ{d7XMeDWAQD`GJ-3tT;}nT6)%|*u)FBH0G?Fz~KM?)HNXE`q`5PIZyvr$- z9wsf>3v`@Z*4D1>jN-gmBRLdK!tJGtCc`-+tRwlILUH!^1f*~hK=OUo(E-^PF!TmG z&(GF+PC3_~fa32`wgf#HpZ+P9$OBx}0wxgfh$o{c^j<~l*xx2|o66Ym(A98i=|AP{ zu|!ls>JEoOSk34iSGqfQ)o%-|VxeexZ+-5rpDLtRtf8P*l6{}I%`6oz2D)y55+~fy zcDa&_Jq?UysbM3nf&ITgy2Pr%2{I`9voH1=TBzQ2f4cE3C|eZ%i`B6g_e5*>Tk}MG zUwo+Jj8S#5!xQh8y&Hkmb$V_vG4~4IlWsg8F0ORj-4m~R2OW4+z}hRtZmw0#J;;1L zD1~!-VR|P7a|z01)2vGQCtl+Dpd#+882?a>5I~*rDkpH&CkhZh-bo(5Wr<)u?8t(_ z6&Aj%9WfjffVbWp2}t&;8Da+VnuFL@CLzKk%264D^OaHJMFa6X+kpI@dsRE}!?`Sq zU$k%{XmGT9c6!@Wf16MquW1h_UZ^P9Vu#LBOV7pvn6BU66vttO(hnfQ zzdkM^I$krv``Qg^8kqc1iw(fCD}iZm3*|Nfj%aJsV;d8ZjgRRJO-ZC~m^LK^e!g;- zujz6(>`?d?WqE4nKqc~^N;bH?2Jm3C2B}!w-jDl|NbFujLN8<@V!E1yNd$dLQ@v{3 
z@MMsb{0^&og?73rGks$k9A61=QR&K`c-E8T|G&(Ikb2-IfQG}#L3etIlZ63ZRvJSb?60QF zl-xX8KvaLql>rpAsA$f+x&oY3(s|*3rAaPrvSVcog0k1X93Nzfns!#j9;k>#msAL< zc8T4s{LN|o22bch@7yxsC~fF0YjW!7HzwM}fg)Z8YX?aGAS88_yrZKjbfcepco{Yd zCSBn3P$fxmrE#HQ&5$AKE8f}Lj^DezMW3A1-E{@9Ux%^QUzvO_@xcos29hewSzS3N zN=>|aQIxDrEbxNxlRmvtA{~XZ(*mw#VLP}32YkOx%j~u#`3rf#GudWfaR7J#Sb#?i zJSc(G{c3Re;WGqZ0s8L`^A`Y{MvR)9v~xgxzCqw=32HNTh6$d06+-CH0*$Fyvr#9O zf62nZ2gdOooZqiF_ZH{(;d}XDmoBW#nF#J5I&7*9@8s%_DE$+;upX2O3#>^JlG}^c zpazYY0)AJalWra@^6$R)FjN$CYW{ikOR}Q$knOyVC#UN1D71{IX$$2 zN8=vz-ereT4l{y&?M0_hebtBN?zqGR9wn&ne=8 zxMUVe((Ox;nUA2Ekyl7KM|39?Pp-8Zfu{EmzsC`7wlybwv`GUW65F$Oy*0m6`g`@y z;Ltx7@h%XaTrs=_SmmPhOUqC_4Co&WE#+?BtP`9A9qk_kysf6$vMH5qKfd;^9Z9g{ z2oQJN7WcpyEJ-^PCaA z8X;Yqo{aCQHR>zt$P~bAu;_bJTJUtx#=3g_PUM%s{6~KdKxoH6Vgyj-)0iSFBKoQe z+0WHuLrRt>1N0uI9$!+7NiKcBUhPOb0#X;r%XA(-<-#F~_0y>zur_Z77}3Fe#GKU$ zPJLWQWzOy^y~3~24517-%W^RNSmc+v^GHVwrM(enQzfcMl;qIR_VdIJXrA~D=qm;V6Vl*-KdW6j_rD$gWp3G3` zwX8EW`1xJYmWluF>?1=Q*(VQl6q%ySy8xu6@gA3;h;YhZ^hnbZ*!4hpHDjU^Z20Gu zrq_5VpFtmD;@LxAos$n zgOES?Oai$l?lrEzdtMVzu4HQV&pDvb1PMPE;vRR4f7)qF^!%&IiLt&bdw<}xCX?kg z9(f1Fvi8QecCpOVL&LP4-3yGJ=1MERq(NS56zR$ajM0BKCVJ3(_}?5nnpbMvpFF1oSx7du0kOOFxB!nHsloMi!&hNn1^-Eo{)WOMn{txU299ZS;&Uld-QlK%!*re0SBbI{J^M~_z<&stLE z0^J&cW6idr6q+nyBkwhuFt9nc-=sLM=kC_=a^+f#?{TonTkmnJDODre^aWt3Z47Eo z+5EiT+FcLd=d|e&u5*P(1ZH;TO}H{(9~AZwCcp$Yj3a#{BGM4KS`S8z74=bnSdTE`^xq|2 zURdb5TKBQN`+bLiU}1uoWO!BS9+N!R`f3rnTb*P;ZDHp>fbSseOj!s8B4>qAORkA8 zKwANNs*y`SXGpOr`V1fV`o|qsx=dRHzhbQhh?Ms^Oqu8{(=F>^mMOhj;%DANgKQwH zB*LPYo!vudwLiyTe`o)2>Z#T7JcLpq0qH_8pz}W2;p8{aeUJ4XX%QK^)44-PNYA8p zzy|U)srYgebMNy0RDG8IuvtVX#kT>U^! zqu|7@mS`)znNgV@Ax_7;m2Q@vS2IqF1OCl&Ir8D&%SI63QGgS@?XmM)KDPKK9Amt! 
zjD7+WlczCesBmB^ll3O2Ly>?t(Tm|=T)VJ=JHDcIBR;}-RnR~ybmg{pliBnl$T}Sr zfX|SgmgkYf_+IAxYkw=$jzdhf;f5cUtv7i|2_3+vxaZXkI=|C0z&V$9lwix>9(135 z?$r z&n!K#XN~{NqS({+XCJbG zKh%N-2JFYKBImXT{r>`X&w%8!)&5@lt(%QU%r^&J44BAr281EBi5Sn-&U#JmO)f|% zUHXtr`lk>j->N?zSUhj5N-K>qj;3mAW^K`^4eP2=-G?tXJEKCD7j0uGLm zSYk>Jsh0^z%pds%&&wn+{A8}-z)o*wx_Gaoz>GLG=vcBw%w_&-@pNIy@XpM!i;~X2 zqcOI)pbfL?qV9&WObS~Np_4oG2I-%gTJxMpGC%zn#0BmQa-u@JF8%8kV@s(0pDH!^ z`tN7^^Aym}9rnMgivM~J&&}Tf1^;@2oBrRMTK@GMXA%Dsz+U!K!SMzDxpU&W&pmr4 zpWBAzA_*Y`X3ZN?PXF(*98&%nNZKp;%=YEXwVV7N=27-68@ap;8gW$f#vfgwwnVd&rIOdivgX7L*Ltc zuebY-D`n2fRbLaqOfOewBP}&C=K(<)A& z_6N0%L)x+4fsuAA=V!}8Sd2)Q+xb~J>bUrt(8!4b@+aHF@arinbckT zF`L&aYcwQDxoYQUr-#Ey1MpvN=w{!kpS5VLeh8`1~)-hH?RgvLr9qW<%wOfT2n>wb3(H(&k?f` zKZt1`@y=8r!Z&sb)eU=||3oq&=Ii?QO?t%?nwkQ*_R0z+8DYNSXJRfr*#XoY(|syov$=B^0)K5XiR#JidKnV zF-J_>P~~j*;JqukWuJAvKkexMovdu>aUMN4W_4&l=YQT-a47Y0!fhP}7p+aZ1-Gi* zvUQA$JkzSPxM95DlLy?7MpY~2{`DTGp+#>_=STl1o#VP!9AL|x8wRHc4=k@6+8@VH zt}wt5^1eg{SI(P1RQnOvy4)x1=Em*(zOv&MN4xos75WkGd6{6Hk>>O0a$VYa_v~(3 z5NzdQuN?XN75w>Yas^hRpBe@vcz=p!f98tuN1ujoNDWA{UPP3A^GyDSrFq^)*4VuA zhlmkT8^7_95_YKdUR2z4^$WwUJX>#UMpmTgI@R zX1TR9+Q_VAS-UwXjF*lPnS3(DY2;-Isv~$E%utq1smQi8$QlR-6e85&d#*mghz~gT z8HR*a;ij+-6Ycv1*B!aF+Z@s&>V{2Kj@L`38IqQ`8?>42)9{7uP&?@$oSAd>FQz z%56)nG_`cFmV&(?N9&93uJa*kXtPudamqg@HV(v^NO@yFvK;WX{C%y!5Ts1bd15d?QzMsimUQ73|M1o>z z)Ou+0+ocnbv8;L_Zi~2URpS)+&ROE(J|d_5jsrg;GCqge6F1@XlQ-c!y6}Ke?nh1` z?tFSkpLq7BVP2fHutNguqN~N@3(_g>YUk!caUS%{3WWc%$&nYLQX<0B8 zY@CgDi;QT99H(XY+XaA)Xc${XaxAKOSj0oo1v;6wZdjt?A9y3Dmi9zz4$Qels7<_) zn7jO}07B~4@8bBLz4qQW%n3NC#S8cBq#_o)$7g}_$FT9hRk;v`H-v#K+~h|$`l(BY ztoo$4EfX-#_Nlp5i9CCqk1K{&*AIO+kT<#%FV>dT=f}qPFT`RquW01ft}ymH7?*OO z**xKo%blE+p!1|{)d<=X+%zS$`eUvWfrrZW!`}=_eA@pQ7MvP`)ND3@y!UDBHuf|C zmlLez&%Q4B%Bs}BQ@FG+hI{!;6Q32x6=>g_WNr_>C3sE4k@TX$;|x)i(Ud$nE#&kG zZRhP#=LFB7JaG*g%{I|zag~Wfs{Af2u@uZk>`2KWk5uUNv%LJMGLGSy@z34VXc$u_B$I(?o5On}dw7y9H zrkpiHE0^cg#sNg=^vpHW$A&r)oxkAFp$*0CdIYygQ|vxsr-+FhS5U;ChPiVma@^3? 
z13~Sq#%{|(z~-s1zD9+UmF0|s<29AP^^JPFJ8o5m-i^XW1*=98ja1|F?0$(XII0wT zYaWi8+cZd%~) zXbmhe9zPkJa2V|Ja|N%e$U-0aMs)~7JQ>cSAVbT7!4aeD9!hqJLQXDZdYPtEfApAa zw*Gspp^is$xnaEA5KU_OXXLzE8Lk501nt20o=9H&Y5@7Cu6?#7V;t98HT5t}E$JQ* zgO@?P#%FER_6p2dLm1>xYNkH?bmQlZc zahm1Zrf#W%%a0f5U$SpX!215qURXXPbwvf&!B|0LeI2?V=q=>-=Yei)yrb{M@_ao* zYuOHEG5v)R0|b_?tnbJ0jI=GQAHj=>I2FR(Jo~m+9&ntdWkEv7#)I3(zxt2$HjYT- zhH2)H=`q)rpKR=RZxT~w&U=YrUWxP0SXQ>f7k?iIfj+H23h0j46@a)rudDXgZ*JDV zPP(kYfZ`wAegUD&J6u&@a_D7ZTIKbqBhZ+QijDNeX8(6FU23|IIQ3ZaZXl}wRBlB0 zM0D>qs|O;lFN~&QgH1=H0(OdS)GxXT#wQSViFQLMtB($l;iE&+Ob{GVE7F~`m=HKE z!#jZ&u_hP>)Wrhd|6%=j@hd3Ne)aNRd@h2kj$@e?9abMH9KE$r--mGRl~!{AVx84N@sdyd9BI> zCv0sLtPh3>C9>l-m_Y39&(KBMhnob_@~lmN;`R8wDcgp*+!oPjQZh`aJyVCbTVL2= z^=SY3OOc`$a3Hn%`NRN@GpOTdQKuNBuMz1+m@vTNyDQUM74EnDEYM%F?D$$8er(mp zPi#Fwwuk4`!hxsS2F5kZhrt-hC@mnoFCPJeaBhj{Hfi*B_L~DP=P)s{6a5LFi|#eA zbCxxMdjBQ+9=Cd;b>?QDZ6Vy|*!f^Z(*>!27T&Pgj$NOmhP^SPfaRgGW!U%%rz`MI zj~Wy00QQ%B$-A#%N7VKN6P0z8ix0x!H5sGATjYLy_Ld;h2Sn;P(kj7`=C0OlSOUJIgGq`Nv2~SC6o~UQ3C;rLmWjSz>t>oIm;VYvXCjGSP zRtlEpZG(J`!tW+?F)CFRvw5-!3jSW#d<-8cJKn|qTm?+)4bnt4{%=LU%;%@}wV!^| z;;!cGK6op;jfL27AzWS|W?qP0Y$U)q;*xqzFU#l3koP>HgMG+jNE@X+KZJ zH&?!$=Zt+1ZuY)KlSWkHMXqvvkss_+mWpcnLk*~aEl(5NFo=lilp|WwXGWI2R?k@I z{C-oE%%EwP9Q4l6UCIBT&}-r7IVJ<5l>fIyev^kK-VCQBMy-Ffzg?&R^r?mF*~9w*84 zaGj%C*qnmfxrb?-loW#e#y}sN#=9=?v-Ss}QHe0mXK9tJZOUgqi9S!k({%~B%H!0S%S}6iEOR(Fd#7V=tR^5{FN{={AWc9 zuI2Cwc4R{zr%|!H@^!EFL(gv!o$%vgQIOuc`n+r;2GO5M_1v`5`78M955xQTn3={Y zdNBKMGd#6W>C2bjATd&GEji8644d?*xoKIvow0wuWJS>IGuebTVf%BU{wBF(&BzI8X9p+T;ZP{5)Abl{EK{G<^eiyj4f|x%3EwGT2?igZ;a%+2c(BzXZp4xlr zE(q61=+tB(Hj&PkTlgJzEXCo#thmRj_()r<(_So`&po85vPG-E>-x36!BFb7L{=WH z)sZE}WqTF5S1d3-T7k4r8$YNnBFq9n_U15>+tJwk`uQ))YS1EkXNL=)b^QpS{6NGcXJfVKQXeM7GR0qM}{mFlHY1mJ*A<+oMJ|0&zY>3eI*@Jm_JoF z3Spl4gi6Uf|Kd<$=~6Lyy69o=(uD#N@h#{TNXosbzy58GOdG#5RwR!3jo z$n)@U+1$KV5??RW0;jZ$AWy@meed1z3*&+?$2VgYu<4|A$(HU>n8`l9Z&T|b5zZ?vtHtXq)O<7(r_#xPqn>dex(1!!~w-FJW1nx>cWW;=Dp-b 
zN8<)(U$Z6filyn3zWN2uo7bp>oc0oT!UhW0bwE_{Huj92iRa@iI&Cg)90QMCS21To zT+)_#G`)}<G!EVX~Gq|ESk9UZn{E8l_ ziyRL`q@HA{a9JKUsqYq_SsuGQydj>aaKGXR_5XOsy4f!z&E~&7hV;%^HTR;|{yvN2 zPY!gIu#ddoiaYg>4u2q@@CygxaomZ!9lv#qdN;+su zUzh}D8fU|oer{val=ba2uz>1`9T>#Z@R^DVCo!VFmb4Ok+AE6ZoqEr*S$GM&Jk*H_ zO~gFzwU5u7m^x*qCzf*J$9=h6J_#g3C!cR<&#rgA&MRM0R~C1vua^TBUWG>iI3hx( z`HPtW^o9)%Wf#-1o|Bs#Rni`+ALs>+p9{BJ=mZonUcVjvrClkF;h$_YIAx6@efF7L z!YqlV42Tc00^&pb=?|kvJYuNdJu_cRpU;+HUu@o9u|9YZkLdK_vM0=!MFw&I@<@wV zsDqF%IZZt@UFek-Gd!8pZD?r;J??;v-8Dk*sH#<$bPB|}u+557lGogvjS+dCibl>+ktfKbzMmOvl@?2Va$7{^DWt;C2dMPNz|FJAy9$0GI@&WOp z;TatfHI8g3`x&)C zWRuLII*#xH*Bzy#Og#0D3-f+N8VYrR+X*gX{j}b9HA8}`G~*1#*Mhe$tprgi9Ntbh zZt6aW1Gc$n)gdAs(Ipu%m*Uy$uC< zZh4pGn@MMd2~QEfw(c1pkD;llsn3lu85!+JRMoh~xA(_BokvbUR-+CGSW7N_1U}`i znm8aNH3<8|pvrn8aAV|SBk%!3riSm>f7-b)CgA8Ln^)$_4k#{t`O@$f_-69bduv_O*$Rtz zRmtpvrgwFXMLM%w>wT)?@rZvWE?V24ZIM}RR}9`~YpvI}5A#}8LBP9j3`)c=DYU9? z4q157n(a}&iWv}mfp_v3Cq|p)2jG%7W{xYMZqBW@!Mf6;k9?1SWaG9BQV4)#k5XOJ z9kN$kx@WKLTcw`gSTb3d(={jf2J;g=Y93@`USVA;-@07E?vhLQ9-nYOI52^-e%1ZRwvtC_*6 zetbNmwy`HVLlrfLG7Y6#NIYK3vQ|K#J-{4*5RvuIEb)6a2QYbkt{?K(U1B z{5y=Qs_KS-$L$4erhr$fztW-hUlb}LTy_Hpqo4->>#3Q|hYZU?OE?tk+fFCPV1)G% zbz4PqNvWW^p@64ejcN*ngF@F2U~zpn8A-bji|o>0j={(jNWnmhw8Y^i=RFko<52lr zUJBx}q9EWm%@ziyDAF5~2uqtQm|!I?C6>l<7Fg5%X5)4#u0QkytB#*VH0&G8Tv~(m zdr#@bx2r}8wM%Q0>@U0B@=#_m#JmcAD7L0fkkxN4nP2^bf9JyS?JK?^$@_wcoLX7Z zG{b9R=>bg7^*mCLl}WjSoqE@?_jw-DVSu##gqrs?|G2fs^7OJp(#z3#z9(9adaMX_ zF0@GOIAi)svz5gS`%zcyy6<8NtM!)Cg6f=2EOC@E(s$Ucqh1RMPd+KQGw`rTq)b@-(W` zKFUnWoxAZ0xFUBpe5%;i)!dIac)y=;4v0A+rVTAGI+Zu|?t^96#t!(593bw<)eqdq z$1ET4yB$^HL2!AI9BjN%CnD5KaNwG-!}+zNm1Qi@_n3PRroF!Fhu%*9&f)qFMiRdL z-Z|n=Z-FcIqm~Zc``}X|M&yA#tNB~Y&EpvE@pF~Cj(tgN#jIUz%!W-jud3OwcAew_ zb`~6;bUR*#ordj=rIJaGX?H!)v)42srMx8b!D5H~)r?v?$?NO=%YB-;F1C4h@hHGT zP5>8!N8dF2A)KaOQ|G<7}jod_6y3%=blo5~rQ4>ooA($W&~79e3%Q zZQkT=8zI2374h_T2kf6?IKHE%bAgLjUaHa4e!?Tb!BdXKrbZhbQCKDjL!R-%GRcF^ ze_Ia8+F-980Okv{Iiul}F*zzBL>e!4ud&=$8}mG?y31Z4yF11o6X$&ax05{$5NGlK 
zG*niW+o~Dvx+g4~6PTLGT$cbRjsrQ^X~1V0ubx!Ro}63c^+SC>C&(MnT{@uXuI4!^ zx3VfP?C>5}X@7yI@)S9>Z?I(z9hsC27iEFiQQ?@btB*%_8eBvB6j`K*za5-w`9S>Y zZq-G5d1PJh3OLDWuX{u2`yUVWU_fZZMc3mgc;~f`$u&0Ug#{0*cOE9&FcLmjyr5Ft zHZKpLTcGlvxns@-BJ7D>>kW>Nx@#7$C=@^44?AI`N(+;(?sbOq@ z-X8~HtD=LYYj*?SIM|+zzB)uy!LY5*(1jaTaQbS2uT;b2mLD6JM@E}A084rqsqrw;(k|EDBdEkCG5`4Je_{OMy?(x=%zUim>ysphYE_BsQU6=!_ z&`OSr6;)h?Jg8PSTw*MfuS^!MaUxlgXl1F`rJ2uO z8X|~PO6pH$^d=$DL+}-l8C|$>pqo zf#zReoBzdb(G*2+Nl!Gxbz0c#)8kY8PKc<^E;>Rrz_Z2M;14A#+rju>`~~4aSl*8i zSN`c#*zYGlzE=3`?D(KbuDc)v->;Vbc{}O(JquU}` z7XBs&CZ)-ZW7xCw>>V{zhXFmwASRDw5;GHOosZFTC6!G6a05f)Y}WoZQD_lD@}Sz` zg!Gvb!^V1+PPcD4A$QY9j%PyH6*Gtsp6$#r`7}vsnw=q0#Aad#_%ADJ3M5pm9rDDN zB#l`>IZq?8qVuFEEiloZ{}wif&M^AjvI)%ztm20%N`Uox9o0t|F1e_=y@69ag>a6H z<#}@vHF}QICot3@c##N0T=4F<#r-cc;B+({-@i301^LEFmUUOOy;J##zjbM$?7ld{ zkshE=D%|doA#>aOqUI3tQe|C{E@c0IwD;aoO@!^bH-dfg-q)YFJbfx#+ z4b?(Nklv;DPUs*?5s+Sj2}M9^fY4hYoQb~fcklPxYwxw!`OZ53oLP&kFqurANoMZn znd|=D*Hdt|O%xE&P)TJ*&|UY?<9yJ9BG?8wT+=C=|2+<)C+q7|D>bl1S8^xv#QXW{ zlNv#T4(osi&|cs`dON^?#fPzQTFi-Y0PJMwR3y7*{w)5xU%TX%3HHa;y5B-FW?rO3 z?|0ps!$52e9~XkNcrs)O#}bIK0<#FBlphszl&d}jF_CBrUniJFs>_{LUcPwuBuAHm5S$MZC1)GgShA9=PX3y-x3ML=jd zFTRqKN47~SV}HSj7dsBw3N+zNq^APHIqm}{st`r74B_<&@?UKzoi!Gegz1V;5N|Yr zM))alyXlTXT3TAk*}lf!J}_V3+VydlmiB?v_t6EhD@oDoPk33^V{cE@yIhPA)zw$` z0{4R?rLV3pe|VFLtl}5^o*TUZQV1yRamCAr__^fV9a5tb=5f{oV!_LAZNhJGX>oDq zauqOcv}!ojluN(n*uxC&umIPwklDjAC*F|}J|3FRGo|8JT-$6EMeS;|CcS6?jFx(-(#G zs{jy(o7f!^CG5K6CMFS^c!sQI4V%IY+O(3@hsT%PdEuwZ=ooFz~Hu@KTq5&N$ zX(SL4zT>l15gm^9iq2O^E6aFYRqjKXM*VRzHT&j_kZQq`TW;UAONsX?fGjqro;p#Ze;wS6_AA;X>)w{uOj4|XeWpdpiv>pMRMx?0n6r+e#@$a-!f4}9StzVbGf2BkI8K~-8@FPhz_nZ2@&9&`f| zc^=O9hL`1f3s`*8^o?fAp1LB|qWnjOho8>Of-Ew}MQdG5?^KI#vCyYHt8g*>bmkN^ zPFg#@zLu$N_+So`k`#z_VByml27qi4G@#wI?b^1bHMP6A>-U~$&_vqTl4xn^=&Xbp zWUh3N5;mnxnl5-Bw5CW08@E0H72W0cogM)0(NgHsa{Lqtow)j2Br-}+%djj65^fh4 z!Av=2n1S$k{dI>W?QoV=LLyq^`JjYF6}>|zUSs)yz=c9WkI0jTqh|}2-9Diw?Vu+~HyC1v1Yjdwuasx4YKQbx4z6AOPUcvFu3pg}i%24JnL 
zIimT0Xf(hr!U&&~7PE*YHDgIRca+|4jp@=D`jBT5F2_7|;cpP?-L^3gvzALZlDPBH z`axslZroR%z!TzYn(F6)KyL za-DX`gDM{Q4ODgoq7#Cd2H+DuvA7!eM)8W*2Kt_!Z$*q>gmmo>^2wrh# z2_+tFa2f&nhRa+|F9wVUU0GZOqegwlqx$z%_p;tb-k*iWm;vcX!d;Vz^*8SRFKHc9 zfu4$}``37p;4l!-)gC*U|D==7`raw08qGlIw%2O7rnFAF6{rPccP6KIv69+ z%b(ak9`1eEdcU0zQw;30#j| z<|yLsi`E!vC3W8AByUM1qQEz6e9f7!ibL)5+Yd>*-Z6_SJzYrNsvpoTw?us-EUghZ z)wpTGNq^zBp_&(c_(|RLwBBpLlW(mH{iLZiQt#?GzMYBIftdlyV7AZ_MiAK0*&}I& zvZkbMzwR7j9nm!pCKd6#*$dn3(%yk`;;mfveJilu-zw0{p`A47#bP|d=jv&+JGJ&#L7}LelCv^^SPMD=x`p0MCP81% z382$5Kve8`Q1ygI6}~t-2IJI`DVs zNBHgix1Kg7TFAkM)A9&H94mP3!@bM@y=vRwck?{+0kcXOyxZ2KOhvlk5D*Z@NiBY- zD}m+%OWu`Tby07C(?8n#yV2-&Q~r0_=5L+q&pyzP{~vLc`kB`av_^}3jqESfCHw20 z5$-MWTY=tT3_2(VY|1eI!3K|a);2VF&>o@vEkBz6Kl1s1n|y9ECx|L>$&@x+xx1wZ zHa}E)AqQHKHO}$6=AXGHw5vP}KcCe$JH7i0wR#W1M*(MF*MD}5Vvq0HsRW=}0Evbf z6>v6)!Isy|h`|X^y_gANweX@=I$1TC=q#}##aG*?_7*B?dzsCM6|QUVr&kk_1zw`g z`eLfHFI56kBX{ll1vn!d8i9B}o^ANdNK*!?c69PfWUR!b3A}Bn1H@v)ac+?-aZ}6i zDYrLo)jZYL#z}Ul#18I%A@ly~`;Rhjlm7k>pBn#To=6>&4*~_PnWYO|-wpAIB9^v1WG!RLSg+I-{Fyuh=>huHDz zfEP#8r@c~0jM#kWc!0&1E=l7@n1e<}gsNUYY=bD!$9pSR&o-_DTT@tAPU+51?P^yO z9V+3mXHWfj1H`buY@*6(jq7aoMUd zT73L%5)Gix;^{^P>rh~Hml-!Lc(o`h>K^7|UC~q`XJifx@POnSH{tvpEzg$CaQXRL zc4R~}fk~m5@#s+iC&0A|+a7H&=lQ-3(RxYe@tY~oif`Iso|F842=xCA1p1#E@vuHx zBW68Aw%Ta&UgC}~VbkM&RsNVVW2-S-=;UA;mr$1{*uWNh7S8UFb5cSAJBZK@l1P8Q zU1zeAItOMwfm zT5jF-vh!n9(ScW0B+R?isPcQ%ms3Qu0+Scl#!!nXt2^P{_Rx!G!m&thLLiTOF^mT% z2S}&%fTvWBKCd<0`nTLc^^ka&*Tk9R(d|;AIEQbfkqaF$2Rgj2h6?BAavSDj6BSG( zAiffeoamQF+2D2{1}QXTz!LJ4;BZ|U?TU@41;Vi(mhjtY+tC|HDp{j*Cw@w5c3HJE zo<}QqSHe~Fp|JyUtIomh%0?$qQBV8(65VP%hb|kTnv~^sF5XbS|eqd`RVlP3e@?M!cbEbyd$t-tPaf(5DyjkRM&I^877* zV{GLiWp(b0=nD9~PZ;+@yMvuROLvrGkimV`U{UJRO9_;SZB;LE-m~AhDJba<$(ChSwXi=I=no)p!PVwTgwU%UOT>@HI5j*kF z7Yyat^Q;Q+YMunyZ9PAiet4=&w(1y{2^y_#&F^^3AbwXjk*0=|f(jIY%jjP72y4mI zjqufgzS)d8wj@mWryo8RS{65+6>@dX!lGR8s*4VBdE+6rhq>;!9@gP}W4&d~m5z+=<2`?%s63r{~{St-iLp8{IVlB_Y)cLPJI83yWPV7uMzZ 
zZ&jo5AWEl)+yf5Z6jbF2Da5hP`O!YnthsYBh%(oxPNkA|{nVkS(gnoLp55f;VPoQ6CdSBNwsN(4^36B2}Z$y~q+s2Z{LZ-VvCs-BItiG*|!5?W!kmlyv zVorY7lxI*!Ey<~w!ifC<2#N@q-CZPcG1XDjlf-_%yw-MKiO!A2akTSF< zV6lZL?w?9W*+<4bb0gQ@h67slT0`KDo?geKu{=NSw_;%C!38FI@;5vi`JlxaM5c6K zBPr4aC=ywsd{9x3^6nCH_2~1zU7-2S5tZ$HiDKSGEj2{DUo9}~cc{^I(unVBE&I(Y zGPwblM#l-%;R7z}E{5jW6=LOB)d4pcP=DG`Svl7d4?*kH7*98IQk->^eDHsdS;t8O z0JM{ah$6(X{;&xRUEy)hi{&ULj|HpFiDy`K>H&%zxmj&8f#n_Q(jjtk9H>;C_MRSE zdG5gKyo!GEE#Ylsf@cp6HhRS6RV%ePxca1A|j0?wq&YLKRj7a+W%1j0oT*5wodm$ zkp!EIPH0U$tJ(=kG#L5V_>MK5eM1-^FQ2y@@M^uBIt5^D#~oIj=WoD?W830ih$(Jo zPtD-ndRRK_S&NeA|7Bfm5y%54k1sLtcfm9T98}(?_~0Hh6$vP-wmXBVW+V1uhHYT^ftJ@z-v^!|~h8-&FIW-I{oPk$@rpTab_RP{2kQWv8c3s;DK#5Hmb93DgP#! z-Euu#?pI40_Qa2mQ~Q7tao^lv@cD}{3*KTYe!%uj5Hrpj>$mt3N!l$8aE7Hbt3H$2 zgFCW(?!ExmI^ysF65A6H_6AR;?n=Ss2!;LGJnVyL!;P@D+zZiNr%c={DRJ|zxY^I3 zar}g|w1`OB>zlOKmt?jmvui45=IgJQ+Z~gL{6pH-v2y|wU&Ij-e2lt)F8(CDUMHTq z9?fy`iPzcv42?o_FHUlzP;O+nIUrrXYCl5FJ)>pj>e{>e(3RSd|NL$_zvjswj%(4*Prz_;zY+mN&cM zA&2#XCp(}*{A0wP4M%v^a2;4kEbaoRd+FLDp;&vb*!Jf6)heAXIQnAT%6I^)O401o z6(c8ZpL&!gE&v@9-XsjT96ZgmUT~W0{=vnX{9&e<>G21AJJMi;$h-Sf1Aw;L^X=1T z`YtMy{+2aiG61lX15WYyw%cC%74XNpiI4M8`*ngp69Ya!+>SzW#nL?GNw?+MC82z0 zMz5RXB32B_30n36xQ6pGyQu{SX+qp|4LQv*SXjCY8lp<={Sj%v1v7M?0CY*|8f;>#vx^(J} zum0e_0L>TWoSaYDn%dI37u+Hr^}A z(U@h&cq&L$>vt+&>V3BN(#SGlV~ieg?eS|p$R$d-q5g?Gnn4q%mPm+FtPkQ@H^DSV zfsUS4LF|pbQrPhz@7KP`>hOP~mU(xMS0_zmqBl!C!4sDoawT=&tSh+nPTI{IXTsjy z3UTZooT@qKr&E#Ode_ymoGIswU*jsE1xhDCxQ0$nrOl8CSd3|>*o86qAI-;*$T`_9 zC%awMua^+!$s~NtHSuTr3o<|cL=R!E!v=0|jo(=o6gdomhx?gEuIoucWhjS^3zhhN zf1ezAI2DP}cNoG2lk)HN(sU`;xB?JvaLBm)-DoV5LVYHhzUO17XC$G_Y1SDLNUrbR zJIvHOdTHUuqU!>OeyGZI%7o~D#hBe={y2{OXACoZ)Aaus!>o|L&GBCn%rWr9;tqxX z-w0+WbRi8MM+uqs*73aQjW;7N#5h4|!p}9(2=X^+o~73uqKliq+HKj}zi2sJ*P^WG z{Vh9s&QpP(jBjZcNT&HNiQKY|xq93;ymOPT#X{5%08|Paal!=!8c< zhxD7{_SOxvK&KS#AMPL()x3bnH}-$j;MR}P@0%u&qh1k2gvBhfzq#?yV|R)*H3ugU zRtWL8rWOWNZvZ-uu8R@pgXJcJ)y|x4*4;qFIG9l?1h|JJ%wOBoU&WdI$P2&Nb=je# 
zz^K3XA}liMHUTT8F=phVx}vA=oqNLJxGQ4chUBpIU7cqoe_A5Bq8rkk7fUxbUb5+J z+BPpeG{;;X?Yas10LW_2k|G={P>GdIH_le`D=n3$N4riBuvgD)`eH&7ZEp@|5vOif zJeX*)4P!8*q+%S7!fZKK{Q|-^x^Pt@nf#*L=Gm~}xM>l)^7{FWszzmf!}Pdf`twV_ zk6Zp@EN}NebyiwWu?RIi1^D8oq#Gs2sUGamsbFbEO6q|5&&4nGiF{6g3JB{GTfrwbT}+mTd}Cjyp?w(f%ijcvFZT zv>w-C-_PatmL8n)7f1R`i)j+WP4qm7F!ID-_vE9;xB$f*>OQ-Mc^}&dN}qPhpq5HH z(JoRg9b;eTG28;1y^5j?x^`U_R?c{U;XZ+mBX+0q4e)|1x6Lkn9h2L69gbdJBmfbc zb?$L*90uLg?^=D_Hxc3~UwVA5|hQa(yq-sjZDeoRF_4wP4I z(KK)*@!1KtAM_An*__uY#Iwb^e*hkMSZzp~M|!NB>>)T<3i5Qpms zQ+UwxL_7BGh82=6&Br>=HyKyj>Y8#ilMc_8CvWwE6yKpm@a+8MYpL*%YmTXV z7##As&0Tlr$}mUfrGC9w&)%8%aSI^9tR4H=qAKTmaugL{Ptg*2YR-=?Ba5I2ShE4^ z{(2T@alaHk2Ms$F$eXBF-$tOb0AJgjiL)G@T^PH*F0N`2B=jgKhQqVFTd=Rhc^5o0 zZLE=RV8_EKYKld-l1F6PQ#+SNNJ<$o6(EC~s55YHn+TZxu)XiT6Atz;>w|Aps#i@Z zk2yIjJH{yM>g$C*F(nVP5u;Uc@_$ps>x4xY?5>P)tirV!12J9~N7C{XP&<~~DSTeL zo$=S zAj56F4~ZNS1DQv7w*%Go&)>dOd!MW3I2yvtkT;C>h`3Mv5h{?3r6QN1vQyUgK8tvU zN}m4p_}7ratKi>Yh~?pok;@WrE>#Cm*VPv?VjX$9tIEnZi2ay+glV`Xs(?BEj$~%} zFrX0tm;sN8;$cREk6W(@ceKz+CAhW;t}-?N4MSi3v8nhYhBrvYCu?Dy z|GsTN3;(xGKK`{`|Eg#8v&FM@F`vC|B*G*3@0PZ-FMsDFpdYvqbKNWbCxMV?K6h}PM@p-p6_q@lA zpP;byVZ+Bi;CaG{K zZylb3NMN-D`OU+7FK8Jm1IAY-W2OcGfrF(a06KmjTnt>u5hLX$Ha=O%fo%AIc3YX2 zf8HG+cI3bRROCdxeFq%7-UPgnnfRl}Whs8hO;GykQm64HmB|0g3>aVHO908kKLz0P6Kz3u6pqmeNvc0kY z_?%3jeNF&=JKG$M@?}XI=3gy3Z@w|f`KL#SdR@SlWhMUU@a6}|EqZXh#bQ>VDR_i& z?c$s?g%81#2=;Mhb|G#O;Y~6B;870jyYuQV-~6T6RA|=|PXQ5g=la66^fsG|lQhq? zRsNL~aEY^02J3&4I3azy^plX8IasCRi$w}+xnXLVfdFT8qcS(I%bkL8d2vuCM&YKM;VZTfX zSpW^%wY zAl=390L3G(&dHhOfszot-a^y<$?dm|&HAi%IbzU=t9H`S7BrS0e=8>Jv!zYpdW(}w zfPcVlUEX>6d-JGW3(DeoWtri(e5ty}4rMzRE1(!MonLm_kdrm~%B&wybO`lRgMIv! zd)SG^L*v`x`NTW`;+^FtC;lT)$0hIyNuhX@{yb-d(H=Nv&CNSK-3ec;Wg>u;o%z640O!h?0#;8{v$u% z;(&v@?M4!xW!3Ij)FoDSuS7?`i?K5C}<_5OH z@%?yP%g9uV4m2;Ln_>Y&JJI}`<;VG(Fn{hhykcAC`XyL=B)Ld8gLu1FSxjeKCWGv! 
zU3+Z#`qkhKp%pRyi3hRY{bmAQQ``N+ki$5380lfuQI)plM1i&Pv^NdV_e5^JvD$$V z4T2S5Q&42P_b&NR<-SD3BV}H~PJ|-?Fe)qt zJW*3+N@>st%ETAUiEOC`aYucrg>~Tsh?yNdyWVKW7tuj*<}Ji0Oddak41r7*ZH%W% z0>zC;)F?Xws8)+De>OxPbcc_1=N7(Ddi38=&bjpiGeo>UD8^5P-hmHbw)~>n@6z{P z>h_UcxEagdr2ZH&IFGTK2;L?m3yF=3QGbLztcPp4QhKEk{A|4kx|$uC+oB_rk?QYK za);Ji*_Mw{$&yX)mCYnTMZYyY-C?73P2?;yJ*hK2D)tY{Ha3+i82l zll~S*wrBBN@TEMmqZ?@3v9gg5RZO4PfLmPc5|V5kQSTe0>g!@*A|_QmNv!0*kT2}F zs91sQw0(a8^fOOTF4wpizI#u5gGRom=3MnBPUjZ=Px$COfFiEu;j#DJ1u7){Eho{a zF}-(Rr;O}_=2At8w=BsGv11?K6B-hVZITgXeS5m$m^_5)ar(8Qzl*E;>_DRVV(CepHm5BGLJCf-PlWpWR*Md zM91b@p{jk&`G?yE;FhARBIauEQ<0KD;dk*0V30d>_Bl zth+nISU8H%u5Efz+B>3Spcr<`W(_kW=5ku(UL)ik)M0gJ>QM$HThhVo_CpWN*KOfW zkcgzxkNfXC16gPF3$Twb%^UM80=Sl8`UZQm>&Io>Y}xHuL%WR3YElX5_KDXcf#N7l z*`3C%2IS~v2ussFP>~GVZJ}xh`v%F;oK}~MPTuFF{AVY`%9}zWdGS<=i6Tr&6jt~e zY)JV{P5G(qj5>Uu^BLZ6_P_ExFA9jwYi|(@OX<0uB0k+f)WdiOxA8mMk(D=24<~Tq zo)xj{6e&oxR()mdIF^Xk!4jp03K}>g$Ya7Nb~?qFbwreeWsj0 zBF<;VL_C#?lk`TYVGgIz?N8D8DdK`wRbR!{;`M^6y(~hfr7nVKD_*D-@@dOBTZh3K zy*7tsy%!zQPjXvIjnxMqS|%063}}jSnvL~~E-oN48S_1`x)(b?BS9d|i^Nl(qekgO z#sxJxCkm^%#mTK|Gvz8;d@Ik{PB2@L)1;{(!4n8u;c^vYva3mhg2dI)B(LGMLc-KZ zea>d}Ry#9BdPWB0^+F@uZ|C){h>~{yqF05c5(Ga~1p~ueuK*0=W9-A*(#mSh>K;xO zrFJs>u!#?yvE7TY7IPgd@od|^q0jNuYN38{4IiwqkC5FG*DgNl`C3;mS_bvL2&o#N zrL&z9i|-Cq0Bzg~sK|}zO<%o#HkXo-6bTB{mu)KOX6y#7c4d6@cGmJ=)5_y_+{B7m z5EVvJ@z3&C&ovXfmYjCzmpfle!l>rDH+B2Lyg6h(TL&l79m1alY$Wfn%NRO!=c9C#sz zZK+2gx0>!oWf$LHdYUrd8T$t7LlRi0*wHj#YpzYNtl302Xk>6^07Y%8Sy-s9h_zG6 zl1H-))i2$!sIJM9GRn`)k{QR%b@tGCwAN*$dAgv`bbW-wC>A&MR-0P^d!BaVI}Smj zDEPaB*?Fp&r5D8KJusVbQ{vDq91a%6shpvW$&fvB4Q3Y4rPP#*)y61dQ_(_8=Ho)} z=HsB0%JD}onFS`5D%2kx@$kPR1PwW$;y~Svqd(oN?!5_K3WZDaq?c!525!f;8^c3k z+T5jmKZ(UYv^F0Fd%Z_3+vVP+aQf7LD`X^QVDZ|3FE%q|Hvu(ndyE~PmlnjEkDLZa z^Qs5C^Ojd6i((PLL)^+#-n&>DDwyGx&~!O5owsJ<+^Kc%DE(Rh7D8&~cnU;CEVy3c3>7 z`El5^>(C{9l)#1ZHXsWU1KdIV*=y#5vXR_Z7g7t8X+fxzB(8%pSRE7_0|O&N2lXDi z@MK2i(K9}RhV^Zs5J($BDU$riGfcbgmXq1lN`>UyVo9ykNO=Gv){=IiPM%%D(6IZX 
zV*n!FU9B+!^X7T^qWx$k_Nm)NFw^i*W~o-|ud|ix6d)MA-iz_S)My-4;T#^Msn<4B zGCF=S@I6!bm^awDV{`jDc+sg6+p z^esKdcwOEoCeOQWUImu*Z$g!aGN7jUpAc&dCqm_Oaxt+qwK*t36Os98N$&?8)Yq~o3j^SmbL_Km%=xkt5=v@Dp^IOWIhBXS zbxnyDHH>y=uvVc|x<{i1=?}-@{Y6v9)4>yiW!Jq#jixOXLNL`B8pPDpK=sE_u7px! zXPH)5e(c!b4@RN3?W@^(mxZ?W9ty%(M$xWcx=stVpv}ZhU$ZYxJJQZRKkbxtd(|DMuLu&r=QJ5R_7W{U?iTkPAe$WHSIW&ni6Vt<3JULZ zPlTE+#gt~gv&vQny?j(zkw{Z=aEjw#q+sF_QxYW1!Dq8|6i_Hsm-@B;IQ>T_%$Nu~K^Lk>8qIWf2Wqot-k zP&2vB^!j?7tdlZW!yh+haiwgHzVOU42w~>i z5r;ew3$yjpn;4-=a?W|~{Myu7r&3gpJAWXs!bx;16XI(2F*i<`)^_ZtsxWAQw^gJ9 z@1Qd2An9ZOq7mZD!`-M%kOetP;7P^NvwhydGl+EAY+}*w#co5^_eU8UyQTpsO#cd3c;%A_bZ-=@B&1v)gR;_|+JA9Rm|RcH7uvI#wG!XMYx4Y*o< zXylspY)HG>sjT)jMBX6iHu^WNLv20}s!q1KHe4}VoPIlAo)GH5qvr?=Flfa!2bI{t zU4qRg>hfD&o};1e`2zJ*r) ziHe0d@}A-An%tw4%H7WDc{l5K2JF}Vk|&`A7S9nJW+#4&tz2%TO7SUedagQ+tJNcA z{WPD|y&O5(I#rLiy%Jw{C!qHG@V)OG@rbrW`31&8tD>K==ynTwO|Yn z``L)l+05Mxp!+(|t`Z@2%8*u((3tVYK7IXOZ$Ujp<#_#Zr}`RJw~m_BSfhP%yo%+W zo!0>|2Q4D2I~Rz#wrT(EBWY%k8V|Nbd!>JIlXR&OpJ{MurAkh-&zQC6F2_2TyF;?{ z!3!1b-6%LTYb0@jZ}+CQJL6WD@TWF1G0>)QMQ(UfU!T%pg5H{t;$Wb@zqx9$T99Gt z3K143_~}I|+0lh-`N&n@-o!+^7&GJ2XolNX-3XPe|M0@|uGVBQ_^DBf<~yk)hB+@?$)*njYVFs8NY?B2ypY6|M#+MdG1DaK?!{=qtAVonXMJvS35IyZN+z6 z;LEe655zjZZCt*zQ3)z5BJ5$}ehW$!DkI9e(1 zYmz8=2`*B-23mxzQaTkjhJGI+@H*h?fc8RHOXR~hEzBAnU&Fo6wW~!v3{@u4Dkd@?_6g5c9`Q5vYI4ps!76BKD=>@{n ztDhR@Ns?o^`95m}LfMmIoKcQqAhR?Ano{H?zE^Uhm%hyi>0HRlu7y^8?IogA%cm`I zahDo4TO#n4`LbnvRI%X9A1Tt|ff)7Q8hpLi67Ek)b)_H+gD18gf9BHI5RXBgu7Ik< z%6ltEUu20OH8&GPUtAhr#Buo2C=bDDTy*Bn_hLDkAf?DuQTzDndwm7?(Y_L?kE-Up zyLr#ymwEyld?f9M?CWP4iJ+EFRhZ|*v${$+7dL-Sn|;E6XRrup^q|I za@$G2Z2Oeu@`u$(n%P-1$cx;F6$N;FmKovkE`&Rmufp{AuB_rrNWg~)s9{ku+#}ZR z&OV7<-c|3R^#=Gi@6hQ4c!2beuq13?{>y=}eoPMfauiwppl;fQ3nTjj+^8-)qI>u5 z4QbvVbx(}=d4KN>kuhe?!ebX#JM1^NoK@uSKEV2%{*#~&Gr{?!H2=9?^;Zmxa2}C7 z$YRpS6Fhw1Ja^E{_7peHU~%o7s-V5A-4Jgg7BEVljy4I()%Ax=%xGW+>+uU3j%fyj zNgD5jnjfpiZX8?49wf`wkb+rjZek1#Ol|C|n>0Hd*WOGHUbVufg*cFbO3A%_;FCi) zlLfJWUPyzSF9oAQsOfqS2XuXPO5$|*op023aWn|^M)|>4CA&sjQC46x1FF!{2dgSK 
zaDl;+c|Np+F9nEh8sy!~!2jrFHgiVBb+adexE9gnxv4$ip~3AC@#iJrv8GB6`@^7w zhU=ZbtIR**;Up|$s@(s#Jz!vb!(&Urd#rRb7#N=i z&lhR&%1v(md7;7s{hnF5z=O$m(_DYH{#>NR=J=foq!fko_uaug=!pD}h3*OZp5q_O zvuJ^oU_G#whx6Z$Dr+L`|B%-5j}O4W2<}P!^Ur5dALPl-pHG>I03lEGItb96`9GF_ z+3nB!HTaprZm$}n{%$b)Q}X)qP!7S^e6zysX7bzC|6Dk^dF;#D- z1PerdzWs0S9PL zhCVuYPbUajwtxeiEq|8}|NQweFqjk!#ed#mtLBU^*Zwve1LHn2$nohgiJh+I Q4*GQ^d3Cue8S~Kp1!3Qng#Z8m literal 0 HcmV?d00001 diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/parameters/customPolicyDefinitions.parameters.all.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/parameters/customPolicyDefinitions.parameters.all.json new file mode 100644 index 0000000..d30044f --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/parameters/customPolicyDefinitions.parameters.all.json @@ -0,0 +1,12 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "parTargetManagementGroupId": { + "value": "alz" + }, + "parTelemetryOptOut": { + "value": false + } + } +} \ No newline at end of file diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/parameters/customPolicyDefinitions.parameters.min.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/parameters/customPolicyDefinitions.parameters.min.json new file mode 100644 index 0000000..fc89250 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/parameters/customPolicyDefinitions.parameters.min.json @@ -0,0 +1,9 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "parTelemetryOptOut": { + "value": false + } + } +} \ No newline at end of file 
diff --git a/dependencies/infra-as-code/bicep/modules/policy/samples/baseline.policy.sample.bicep b/dependencies/infra-as-code/bicep/modules/policy/samples/baseline.policy.sample.bicep
new file mode 100644
index 0000000..5871760
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/samples/baseline.policy.sample.bicep
@@ -0,0 +1,24 @@
+//
+// Minimum deployment sample
+//
+
+// Use this sample to deploy the minimum resource configuration.
+
+targetScope = 'managementGroup'
+
+// ----------
+// PARAMETERS
+// ----------
+
+// ---------
+// RESOURCES
+// ---------
+
+@description('Baseline resource configuration')
+module baseline_policy '../definitions/customPolicyDefinitions.bicep' = {
+ name: 'minimum policy'
+ params: {
+ parTargetManagementGroupId: 'alz'
+ parTelemetryOptOut: false
+ }
+}
diff --git a/dependencies/infra-as-code/bicep/modules/policy/samples/baseline.sample.bicep b/dependencies/infra-as-code/bicep/modules/policy/samples/baseline.sample.bicep
new file mode 100644
index 0000000..16f91ad
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/samples/baseline.sample.bicep
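Review bot: In baseline.policy.sample.bicep the module is declared with `name: 'minimum policy'`, and a Bicep module name is used as the nested deployment name, which Azure Resource Manager limits to alphanumerics, underscores, parentheses, hyphens and periods, so the space is likely to make the sample fail at deployment time; `name: 'baseline-policy'` would avoid that and also match the file. The same pattern appears in minimum.policy.sample.bicep (`'minimum policy'`), baseline.sample.bicep (`'baseline policy'`) and minimum.sample.bicep (`'minimum policy'`). The header comment here still reads `// Minimum deployment sample` and "deploy the minimum resource configuration" although this is the baseline sample; `// Baseline deployment sample` would be accurate.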
@@ -0,0 +1,37 @@
+//
+// Baseline deployment sample
+//
+
+// Use this sample to deploy the minimum resource configuration.
+
+targetScope = 'managementGroup'
+
+// ----------
+// PARAMETERS
+// ----------
+var policyAssignmentConfig = loadJsonContent('../assignments/parameters/mc-policyAssignmentManagementGroup.dine.parameters.all.json')
+
+// ---------
+// RESOURCES
+// ---------
+
+@description('Baseline resource configuration')
+module minimum_policy '../assignments/policyAssignmentManagementGroup.bicep' = {
+ name: 'baseline policy'
+ params: {
+ parPolicyAssignmentName: policyAssignmentConfig.parameters.parPolicyAssignmentName.value
+ parPolicyAssignmentDisplayName: policyAssignmentConfig.parameters.parPolicyAssignmentDisplayName.value
+ parPolicyAssignmentDescription: policyAssignmentConfig.parameters.parPolicyAssignmentDescription.value
+ parPolicyAssignmentDefinitionId: policyAssignmentConfig.parameters.parPolicyAssignmentDefinitionId.value
+ parPolicyAssignmentParameters: policyAssignmentConfig.parameters.parPolicyAssignmentParameters
+ parPolicyAssignmentNonComplianceMessages: policyAssignmentConfig.parameters.parPolicyAssignmentNonComplianceMessages.value
+ parPolicyAssignmentNotScopes: policyAssignmentConfig.parameters.parPolicyAssignmentNotScopes.value
+ parTelemetryOptOut: policyAssignmentConfig.parameters.parTelemetryOptOut.value
+ parPolicyAssignmentParameterOverrides: policyAssignmentConfig.parameters.parPolicyAssignmentParameterOverrides.value
+ parPolicyAssignmentEnforcementMode: policyAssignmentConfig.parameters.parPolicyAssignmentEnforcementMode.value
+ parPolicyAssignmentIdentityType: policyAssignmentConfig.parameters.parPolicyAssignmentIdentityType.value
+ parPolicyAssignmentIdentityRoleAssignmentsAdditionalMgs: policyAssignmentConfig.parameters.parPolicyAssignmentIdentityRoleAssignmentsAdditionalMgs.value
+ parPolicyAssignmentIdentityRoleAssignmentsSubs: policyAssignmentConfig.parameters.parPolicyAssignmentIdentityRoleAssignmentsSubs.value
+ parPolicyAssignmentIdentityRoleDefinitionIds: policyAssignmentConfig.parameters.parPolicyAssignmentIdentityRoleDefinitionIds.value
+ }
+}
diff --git a/dependencies/infra-as-code/bicep/modules/policy/samples/generateddocs/baseline.policy.sample.bicep.md b/dependencies/infra-as-code/bicep/modules/policy/samples/generateddocs/baseline.policy.sample.bicep.md
new file mode 100644
index 0000000..c8341df
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/samples/generateddocs/baseline.policy.sample.bicep.md
@@ -0,0 +1,16 @@
+# Azure template
+
+## Snippets
+
+### Parameter file
+
+```json
+{
+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "template": "infra-as-code/bicep/modules/policy/samples/baseline.policy.sample.json"
+ },
+ "parameters": {}
+}
+```
diff --git a/dependencies/infra-as-code/bicep/modules/policy/samples/generateddocs/baseline.sample.bicep.md b/dependencies/infra-as-code/bicep/modules/policy/samples/generateddocs/baseline.sample.bicep.md
new file mode 100644
index 0000000..3d29f67
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/samples/generateddocs/baseline.sample.bicep.md
@@ -0,0 +1,16 @@
+# Azure template
+
+## Snippets
+
+### Parameter file
+
+```json
+{
+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "template": "infra-as-code/bicep/modules/policy/samples/baseline.sample.json"
+ },
+ "parameters": {}
+}
+```
diff --git a/dependencies/infra-as-code/bicep/modules/policy/samples/generateddocs/minimum.policy.sample.bicep.md b/dependencies/infra-as-code/bicep/modules/policy/samples/generateddocs/minimum.policy.sample.bicep.md
new file mode 100644
index 0000000..03d739f
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/samples/generateddocs/minimum.policy.sample.bicep.md
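Review bot: In baseline.sample.bicep, `parPolicyAssignmentParameters: policyAssignmentConfig.parameters.parPolicyAssignmentParameters` is the only argument passed without `.value`, so, assuming the JSON follows the usual deploymentParameters layout, the module would receive the `{ value: ... }` wrapper rather than the policy parameters; `policyAssignmentConfig.parameters.parPolicyAssignmentParameters.value` would match the other lines, and minimum.sample.bicep has the same line. This sample also forwards `parPolicyAssignmentEnforcementMode`, `parPolicyAssignmentNotScopes` and the `parPolicyAssignmentIdentityRole*` values straight from the parameter file, and those decide whether the policy is enforced, which scopes are exempt and which roles the assignment's identity receives on additional management groups and subscriptions. A comment above `params:` such as `// Review enforcement mode, notScopes and identity role assignments in the parameter file before deploying; grant only the roles the policy effect requires` would make that visible to anyone copying the sample. The header line "Use this sample to deploy the minimum resource configuration." was also carried over unchanged into this baseline sample.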
@@ -0,0 +1,16 @@
+# Azure template
+
+## Snippets
+
+### Parameter file
+
+```json
+{
+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "template": "infra-as-code/bicep/modules/policy/samples/minimum.policy.sample.json"
+ },
+ "parameters": {}
+}
+```
diff --git a/dependencies/infra-as-code/bicep/modules/policy/samples/generateddocs/minimum.sample.bicep.md b/dependencies/infra-as-code/bicep/modules/policy/samples/generateddocs/minimum.sample.bicep.md
new file mode 100644
index 0000000..c8eca32
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/samples/generateddocs/minimum.sample.bicep.md
@@ -0,0 +1,16 @@
+# Azure template
+
+## Snippets
+
+### Parameter file
+
+```json
+{
+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "template": "infra-as-code/bicep/modules/policy/samples/minimum.sample.json"
+ },
+ "parameters": {}
+}
+```
diff --git a/dependencies/infra-as-code/bicep/modules/policy/samples/minimum.policy.sample.bicep b/dependencies/infra-as-code/bicep/modules/policy/samples/minimum.policy.sample.bicep
new file mode 100644
index 0000000..5460932
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/samples/minimum.policy.sample.bicep
@@ -0,0 +1,20 @@
+//
+// Minimum deployment sample
+//
+
+// Use this sample to deploy the minimum resource configuration.
+
+targetScope = 'managementGroup'
+
+// ----------
+// PARAMETERS
+// ----------
+
+// ---------
+// RESOURCES
+// ---------
+
+@description('Minimum resource configuration')
+module minimum_policy '../definitions/customPolicyDefinitions.bicep' = {
+ name: 'minimum policy'
+}
diff --git a/dependencies/infra-as-code/bicep/modules/policy/samples/minimum.sample.bicep b/dependencies/infra-as-code/bicep/modules/policy/samples/minimum.sample.bicep
new file mode 100644
index 0000000..2ec98f8
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/samples/minimum.sample.bicep
@@ -0,0 +1,31 @@
+//
+// Minimum deployment sample
+//
+
+// Use this sample to deploy the minimum resource configuration.
+
+targetScope = 'managementGroup'
+
+// ----------
+// PARAMETERS
+// ----------
+var policyAssignmentConfig = loadJsonContent('../assignments/parameters/mc-policyAssignmentManagementGroup.dine.parameters.min.json')
+
+// ---------
+// RESOURCES
+// ---------
+
+@description('Minimum resource configuration')
+module minimum_policy '../assignments/policyAssignmentManagementGroup.bicep' = {
+ name: 'minimum policy'
+ params: {
+ parPolicyAssignmentName: policyAssignmentConfig.parameters.parPolicyAssignmentName.value
+ parPolicyAssignmentDisplayName: policyAssignmentConfig.parameters.parPolicyAssignmentDisplayName.value
+ parPolicyAssignmentDescription: policyAssignmentConfig.parameters.parPolicyAssignmentDescription.value
+ parPolicyAssignmentDefinitionId: policyAssignmentConfig.parameters.parPolicyAssignmentDefinitionId.value
+ parPolicyAssignmentParameters: policyAssignmentConfig.parameters.parPolicyAssignmentParameters
+ parPolicyAssignmentNonComplianceMessages: policyAssignmentConfig.parameters.parPolicyAssignmentNonComplianceMessages.value
+ parPolicyAssignmentNotScopes: policyAssignmentConfig.parameters.parPolicyAssignmentNotScopes.value
+ parTelemetryOptOut: policyAssignmentConfig.parameters.parTelemetryOptOut.value
+ }
+}
diff --git a/dependencies/infra-as-code/bicep/modules/privateDnsZoneLinks/README.md b/dependencies/infra-as-code/bicep/modules/privateDnsZoneLinks/README.md
new file mode 100644
index 0000000..7308245
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/privateDnsZoneLinks/README.md
@@ -0,0 +1,62 @@ +# Module: Private DNS Zone Links + +This module is used by the Hub Peered Spoke orchestration module to create virtual network links from Private DNS Zones. +> Consider using the `hubPeeredSpoke` orchestration module to leverage this module to create virtual network links from Private DNS Zones to Spoke Virtual Networks. [infra-as-code/bicep/orchestration/hubPeeredSpoke](https://github.com/Azure/ALZ-Bicep/tree/main/infra-as-code/bicep/orchestration/hubPeeredSpoke) + +## Parameters + +- [Link to Parameters](generateddocs/privateDnsZoneLinks.bicep.md) + +## Outputs + +*The module will not generate any outputs.* + +## Deployment + +The inputs for this module are defined in `parameters/privateDnsZoneLinks.parameters.all.json`. + +> For the examples below we assume you have downloaded or cloned the Git repo as-is and are in the root of the repository as your selected directory in your terminal of choice. + +### Azure CLI + +```bash +# For Azure global regions +az deployment rg create \ + --template-file infra-as-code/bicep/modules/privateDnsZoneLinks/privateDnsZoneLinks.bicep \ + --parameters @infra-as-code/bicep/modules/privateDnsZoneLinks/parameters/privateDnsZoneLinks.parameters.all.json \ + --location eastus +``` + +OR + +```bash +# For Azure China regions +az deployment rg create \ + --template-file infra-as-code/bicep/modules/privateDnsZoneLinks/privateDnsZoneLinks.bicep \ + --parameters @infra-as-code/bicep/modules/privateDnsZoneLinks/parameters/privateDnsZoneLinks.parameters.all.json \ + --location chinaeast2 + ``` + +### PowerShell + +```powershell +# For Azure global regions +New-AzResourceGroupDeployment ` + -TemplateFile infra-as-code/bicep/modules/privateDnsZoneLinks/privateDnsZoneLinks.bicep ` + -TemplateParameterFile @infra-as-code/bicep/modules/privateDnsZoneLinks/parameters/privateDnsZoneLinks.parameters.all.json ` + -Location eastus +``` + +OR + +```powershell +# For Azure China regions +New-AzResourceGroupDeployment ` + -TemplateFile 
infra-as-code/bicep/modules/privateDnsZoneLinks/privateDnsZoneLinks.bicep ` + -TemplateParameterFile @infra-as-code/bicep/modules/privateDnsZoneLinks/parameters/privateDnsZoneLinks.parameters.all.json ` + -Location chinaeast2 +``` + +## Bicep Visualizer + +![Bicep Visualizer](media/bicepVisualizer.png "Bicep Visualizer") diff --git a/dependencies/infra-as-code/bicep/modules/privateDnsZoneLinks/generateddocs/privateDnsZoneLinks.bicep.md b/dependencies/infra-as-code/bicep/modules/privateDnsZoneLinks/generateddocs/privateDnsZoneLinks.bicep.md new file mode 100644 index 0000000..d8e1c99 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/privateDnsZoneLinks/generateddocs/privateDnsZoneLinks.bicep.md @@ -0,0 +1,42 @@ +# Azure template + +## Parameters + +Parameter name | Required | Description +-------------- | -------- | ----------- +parSpokeVirtualNetworkResourceId | No | The Spoke Virtual Network Resource ID. +parPrivateDnsZoneResourceId | No | The Private DNS Zone Resource IDs to associate with the spoke Virtual Network. + +### parSpokeVirtualNetworkResourceId + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +The Spoke Virtual Network Resource ID. + +### parPrivateDnsZoneResourceId + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +The Private DNS Zone Resource IDs to associate with the spoke Virtual Network. + +## Snippets + +### Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "template": "infra-as-code/bicep/modules/privateDnsZoneLinks/privateDnsZoneLinks.json" + }, + "parameters": { + "parSpokeVirtualNetworkResourceId": { + "value": "" + }, + "parPrivateDnsZoneResourceId": { + "value": "" + } + } +} +``` 
diff --git a/dependencies/infra-as-code/bicep/modules/privateDnsZoneLinks/media/bicepVisualizer.png b/dependencies/infra-as-code/bicep/modules/privateDnsZoneLinks/media/bicepVisualizer.png new file mode 100644 index 0000000000000000000000000000000000000000..a0ae799a5d74caca824df856d9b5a741fb008857 GIT binary patch literal 36255 zcmeGEbySr9`Zf&HDT1WZs0{64DIP3^9TNA|NU$-O}BSAP7o#gLF4T3^UIK z?tB0Cy`THv=Uw-D*O#@%>zXS*dFF8*W4MNzJOLgh9tsKyfue$p777Z63JMAuI}R3b zWs^~41_kAwn7y>LhN84Iy@nh3mA#V<3W`E_oIbXJb}xCFu@*!1Q0}`0j4g~$#8UY5 zEjWBq#PqR5=#oFo$jMBa4BA6WKQMbqurpiQYC26(;IsBM8kDnvwIn73*8ENa+&9{g zDVKv^-EH?<(BE9)mKvmlIiP&vV*Sz;hWSkHTi!DTb=3PjsE-WLDLBhCet(FHLMy*l z3*|a+L6Mm-^Nh8>sY14qtF~r*!bTy+e~s1lDS_}v66KIJ%|HtSMYG#jg_Zahcd>*q z8u~k*pnJ9~u5tHlnGekxR4qlQ{^+6nEHo*7ijPwB>ys_%No7W;5nb27<5mrfH$v!^ zNH`o#tZR#CR*LFb*Yki^-GoAh(9z!yM^@dcLdz{VkEQODlYcm=*G3F_zz@EpGtr#B zBq(yIeJWzcXPa1;+<^J{c`@GWGUg{jSe6{`#c?j({N8Ii)bfZZzKo_k!kgx{m7uV+ z72_8mwtVtlTGn@1Q%UTJ_QSrQhowXwmF4eaa4N*Q@G(LdaFvo(zXbc_a#f3Ie}Bbt z>24A}SN3}{z}|&exd16-+^)H8<-j-{&O)TkP|HpZl9w*Vs?dJvB9$}p%36_67&0XH zI4a=>825Fv1SxsWP|t@KjG0GD*Ol<^9ha8Ll_4p1j0@(msSitk5>E83^sR)scW~m% z6z53NNG@;YcQhPgb})Qsuo}e3%E8DTz<#Z%(QL`CMz-;Tb?>#iq*-Dlf7nz@xqze~ zxjJVszE)PeD8aEwBEtGgM`89uTx)2f|Pm{utlGbVRM8tbXiymJd3pp zqxyrW=c2_d3o38?qcZ2`O1rp+tBynSF6`aTJI?PVxZef8q-RlMHf99oKc{#kzK&KG znndeEw2wWW`MflO3Qc~F=IZ4#>QEK7^>kmojp0jp&Q0AT_#scM7pX0t(r`A0mJ^h= z;8ofBvz*7j&Y~|hyON&8g3mPu2NBca*6D<^KhrrXFsD#=*}aH`qiKFnqM$o=Q&#Zp zCf*|~DeXBP=iTHmqgCe|dw}R%T#AXasT^vUXz00&$SPCdHa!1`wTpH{8qUqu^u8n5 z90T?3lRtt4w)H|yji~h3t;}ZT;6JO21TuAd!u&8o6nGLg7S>1qjmJr-QyZ9d$mN3+ z4w6729TWlYM5Z`WHUSeahW5I5LUZ<5?HC3q#sYNuOSt}$^f;&w=&_y#>u}S`r4vjx zV5p#twmWIy^>t{K;}xS*b&!{%?_ym`q6^@u1;1E&Tz{|ht+4Bv$6JaF!e;dJ2N(G>`2O0D~d4GwHDf^WEMO>SQS&x)X>0XHXS1CiOX(jtC zlPnKyF>T%gJ{@s~$Gl-e$&H~#@}jCO$^qF~S(c@LN{GKb*7=%SDQ8pGCm4s#N~c?+ zv!^>Z;PHuXKSsL%YBn;1DTG>zL0xi?*4gQ zt^Xuxuv)=r!id4hzr@$bxLVC#G|S2ZUnqGXdoUNAo1W+GNK)fmEjS}Mvo_OIGh1`* zQSCA3`Nb2oqq9vtx;65{qr_9N(YI0A1Gcj;bdzIS+%rP5$uU+m+LQ$|gC+)Mv`Vz8 
zK%)_!H|kjT-V(hvd2543fCanvTH3Eupi?oF>Yh5)`TbGab>T?OQ<5CnU+u4JtdFF)_e?Om%WYGE6!897U$>gO19&NI%QW%I`N4!XvI zCDVFDYto*G8i}+*Aihc>J0gC~>@6cLh0Q`=XMP*3KVBCE2YY{lsT^c4&;^JDeDFWN zhOg~xChs(j!lo6HKL>v{mKQsI0b99pKHoXEz4&$wK0d(X#$UqH!4|n!jkAjFg74o~ zX|-1FRbhrDh^-iWAG5{wy8K&}I)+up%MP24Jq9BNMTQ-z{jj94S0NLj=OMoDR0)J1 zsNqE4Gbdl@eYSomz?;&FQ}%xALCNRB&$yp=9@EK9%PVFj$z^6gmMeMa$v?wtL^@A| z4j5@R%l#iSU22h{#PX35QALq{#0SLU90(^g(U(%+2i|#yONJ{GA3U7~DaIIm8IS1! zO+IZ?$5k^-8{vg?ZEj_APJuN%YnXM%KGr%uUyV5#Jt2&!mTAbEK#K|P z#iX&seqB)Sm^Ij?OLG16^B3n3h2{G1-H)9wo-BfD;t-DmGeZ9Q@Yhft~-k{Up1y#jW{TuKB8qouH#3AN-NN7YF#m=nA%>A4F zqw7qs!SgF+vjj>mKXaGuhtsd&O6_qm`ftn98oC?2jv%LJAE^}iUA#W-?KbwdUGC~F zl<3z*fT67~b~u+^rbVOt$Y4?X`pB2Co;1$EQY*q>x@u7sAD@i}2g4CPA<=CfgMLze zT1R82_Wds=ZRLS4oZ@sR&DS9pKQMj55 zVq=^0R`gyQk`p<<0kfgIC$@X>6Yg`a-S_QVI#U2cfZ@sbzT;@!Pp~)kF*a7039deZ z?M=srSFg|xA;KutIw+fm{&F73%w3)K8lP8vJ#cLOyyi>1;M3ID@FkQmwC6ZQnq(No@z{{vaAKpX+)bx?gj> ztMqsO7&zDiBorTP3>06fs-mz0=Qt=BsFWy}z!@s=5ksZ=_qiM@GYb0Mbu<)|Fnbh? ze?6lH9B=#AVrj)FqYc>6(B)Ovadv_EODW8h(+sv=|scIJF(4Ysu5^l^5* zZ3jifM+i7|w()pL@8j&`;x6PP`uOe%A>jP>GS_4JyGJ}6MIRfeYS2rA-E8RjIJr5w zAB*A9)6%ceB$95hbu0mW~-rnAv-Y+=8Znj*{1O)}TxSw-9f6f6s z!Qt-f;_=dl!^Qo{-$wpdJ2E!zR&MsL9`;}t`rCG2T7o@2L?1uC?dacsf5&O#WB)%r zxw!vpTEGOkZtrkCxBc(F{u%JUSLy%PD~yG!LQYQJT^SJ(!4h(| z=;Z{zRDZH``Be^l<#?$M7U;hZ|2CYAFhYz{sa2sP?N9UC;*qDJqr2@;%9gFNHSv~Z z9^rdii+&bb$tC6{o4jN}ybqroHD>^PCcGg2U&pGNMbhG;V+M@hQ z`r4GL4KM3nm+4;Whm(|{#e9sw&O;~m|0({kS^Fat`{~6eD7ViyYUF)|Lk6V9p_(9q z=F^fiqGKu54K7UI5e9$TA-s0sEg=-vf(^>PVT07_C+JY!=!f&MA^G-eSdpy5uhtg3 zTlCh<8E1;&v-OjO@FJQ2!^o5;CDCGXZTv(3TZ=vcn(@U}Pl)lq^f4F^Y{{X%|54As zqVEe__I;JB{l950y#&32gat81$-V#5nSUDpXIcJ{mj6qX$l_DG^~;wp=MaDXSPnU# z8p|PXAZm?NNW~vlqUq4Kw3z*Fs8&Vb;KpLvMo!aFx=!)p$t7$@aLWbGM79I-NBqa* z$X-!DLKRjoj<5gN!hdYx|L!{eaS{J`&i~s3ihpe3zarLu;=+H-)j#Iy|8{fr|7jNS zk1hPi7XB;E|Hl^oV+;SWh5zKpWyJq~92bg)weM>V>J11VG`n>_vW*>8 z7jH@Nnz6Sz<)ynrsx5f&{EvQ6tN}#}Hf%y#>N0T4ncj4jt@`D~O0>RJ6Xfw-;_J>t z&;7OO^WXphc&56*B;ag(C1dsXi$V6C$uh2;i4r!)$x^b|-vf#BxBxu*%53QuR~viw 
zp>;K_pj%Ee5^=qjn_$LT)_S#l;j@l9M}LQ*8sws(#pnt>bWSy~INknCBkUDhRN7eR zG*zDIG*|x`KH5Mic9F3=-&98};A-J7auq&5oGq{3`nl}Rlm~^PWoJN1FQUyJ`3?wf z#Nu-`mpe^Y+RP1SN{4lK^qvfgo16LV)r6X|s@~Np*7YSUp0`!0`)+KcLjxO*x~YDx z_b2zXxt%PB(Zy4k`&UHj{aqFMruI#J#X9h!8E4Ds$PscwZW+l|)~uBlc(vtrak#u& z_YHc74u4VtkYxvxllfi71QV^&HpJD@bxdU7#&rmV8S_Ew^}c_0z2EJViH1QTAtBGN zpo`4Rz6UL^KC5U^J+Yh9(XTD${Bn20(@TESZe61)BhExxzgzjMZy;5;hs%`q#s#LW zF6#OH#Q)13uKoK<`)2>|vX=9iqq4;P*}5{3(;;ay`{&B&UR<|ZT3(2W0V;xsBvIi; z1`=%4&bm;AF_r-%yNF}7zN-VZH{(PuH0?C*lv1@7T*}i0=+OEsp&ktLa&>yA-!?I% z15}b?&5yJn)SnCp_ke?8fB?nXrunYxaK65Ow|9vwK~)1nj&NGDY;#4Lo3j+AG#|^n z{lWgfTQkl~&uti`Jv{n4=pYc*WCMuEN*m;4HAej-a`n#<*A@2PR-Od84~o{Az)}xl zZ_@p>X#Ed6j(aP{|K6qNP61X#z*tzFh5O2WhQ@nNb6}ymK;&{XJ%0Gtr+~j*`I6Tk z_p$w&00&n2yY7~C&O?zmfuFbs3E%oL0kRv^0W8N`61H-!Ak!wVxCpM+`sSPS*|mm^ zG~+G4(kFM~{o+aa>y>V|lYah$n`>A!(qUks#m{zqVGif7pgIGBI?ngthMJ=OdcWz{ z=2}m*IHEp*hED&8@NRd#g8+eVc3Nz0X$Hh#*2smGo%SH~H9%(AviXD0B>$GyPPyp0w-(1f zisH-#Uhl0Xa5k62CnLDxMg7iC%dRO5>~$sW=G zWPr$giv+*exXy(-F~$9SdW|mdIOh0rBR%~>CjDdA7FFs^{bJ@h`6H@o~Wb ztU12hRl5g_{Lz9z2ri~vTe2u5q<6XpEd~%a54aeJ#AVszt{3i6G~-$)7Gdvwc5v(E zE8mOdFxxA$dFs1mw_~K|wr4EcSH$FVn&Q5%!sk5069_|Q%SWf3nwbBs)toSMUoC&< zsGHL|-<#FnZ-FiNK6M?uot%V)D{4^hQWu^I>)}aI@BVxfQ_I}t-#eTbUVAgT=Ld`C z`+yuY)SL4w-Ys_)AS=UvwmH}U>5c!1d-re#j*1Az-`5O)2FqK$%!2^2#I)mNxD~Gk zV0VAd|D5N(9Wn;6*ufof#%2;0mCc`D-0jYr_O2IqLWU7a1_;8ABa93OM@8?=I`Qoa zBnks<&PB};kO1?MD1X!b^r1<^8ZeAsRDy5s^d0CP{h#h7EdIY={C4`F-tXVPU+|Gr zP`m|yOLx0E=y{#nWb*n4*;-z*3u_o59cPpGf!Y6<4UQpii$B-twbA%c#3+tWVBWtA zteu|_KsB>w8qzr}MRGIQTVp7X0E{3>V)e3q-0i*+0Te>_+muo+H5w&nS zd7QrBnnV+NPLb%5_kzdgo5?{~)lgge>KI*wa^TtQ8WjbY4S5+2)xS>zKON)p0Nn~* z4h2!7Kks+L3&ciI6Uz@mYN(mj1=KGvlpoQE2X9ley(l|ELRJ>gV>BB+r0t2H$0;F! 
z;_bG+TfDb8@=wVc|2|x@;naBYqdMYn56L2a{i}_+3_jb&4z0KoVG9t()jbtC`c|a< zwZY+rc+{H>+y5*Xiz`?>@9%Gnf5RUjdilcjipz<0(*MA_ug*K5Etc0YKILLD0%?Z0 z?17ps_^s41nxEj_i9SbAD|*cI$ZP(;;tc^b;WX51(-2S|QjeQZ0-GJ($=HLNj`X;i zo`n^ghUg8to1Np|i((pLHy7D!YG63DgAGM@BCbrUb}2V z79Ce%2a5be@ZG&30L(q5M(K9!-05gYfMA70CcmW9KtYi}xuwJG&Eqzktlab*ne#D3 zJbfH&K>TIuEo&UBWszwt)UhalCD+R+woq$qBr7+k=3uz6Mz)}&20y_-TFQD6CVDvt zTmG8jxBt841uRYQ*Y6GA7KrWo@2~D@CxPn@128e=BA59_ju&`nEW~z`rKvPf_|Zgz zyDgQFhusGUy@tZ#sfGv|-|_y5fRcrYLeHJP)Xn54gI~qQ)9Mk=uTRGlSOYoL-k_l2 z&}%#jqC*^p@i|VgHv!(1%^mIIhuiCKB%<)EA9EKRfhF*`+Tzh-yx6Mi=G8A7oNGtZ zCK^?fr;M#mu@7cqCXo{$sNnN+cXufaA_fh1oPwtu@ibV-h)Rt=sP8w;&1}>V2zTP2qblT7pIOs5&#WLey<; z2l5Iq_&n%Q(e!`k843*Kk-;uyv_uUS$aK=+mzUr=>8xv0>PnE)x?wjI5q@*cH91Xj z&^-M6$>FoRxd>q3sQl4brv{b-1+9i%!b0m;N&1LmS#5hxK#y8&KO$_Z9Vt9FQ)B)t zcblN-tV4Nl3hL4{oEJ?udZ=1E)+`ZrpT=oiSHA{`#{1$qO^r@yQRqLt1BODpok9Z4 zOClp4=)<9)=7n3yIBDW3U48amz&7SYrt)OuCV%m|d)>|O0tC)rEC6=tTCO0i|Qe)+_wRZw)sZ2-lz7bB^=T%chf19ebb&}WK{W~^vSQFUL`i~npF3b zSf`_#o5FnAc=NvcL9xm<(<}VsXD@e;qeLQ1m+IPXN&=AAi(EU+Bp?-6QOVP(5x2zv zm|u3c$>)u!*Ypq0Hn^MP ze50qU`|w6#Cy=4o;ghp7H>y)E(sPHG>f)$mRjn%A$rTPMF+Dd+&i7gw%*uy})%LR! 
zSi6m7d!F0A;WIxxkG<0%U1^9D-aN)|mLq%~CT>lR@f~YmJT>v5ARyyPxH(Q}tFCQ0 zxT&@ub&3`}|EZ!Lw$u+%HsaiFw+^H6a_vkB_SEw0PZwV#=P+88B0UorhSI$S7TT<0 zR85#e`{XCa>>FB8#{@f4Fi7$8l|S08V4?)M0g~A_Y`JKFQAwUyJn=1^=H}YCWDjr8 z>PYdIV*HxRI&Itj^CG|XifWyLSKANnsdPtCZAg7O{Nb4P8U4OMJCOT+gMjTzAIzs{ zQ{vrw$ldPJay9{{dW%Kib`rYEuXET7MV!#>%r&?p?oqn9?^g7zn_n|sAGEclLJ^l| zkWBcNI<#`urK$hm%auG@%x2R2_NPM1AK(48PynMYMvB!*S%;o2NU_JIXo`>vo?0>u z)ppdiq_~oK$>w%!!)M#=(R4jW;&i;p#p;H2e?}uCw!I6g)IuD1vtynd>UVM6j!rnG zt8cnyetZ!np%v7t$dszXMSZzrj&$Ik_s|~p8lK}tUQM_rDT8&~$H6qP({B7lhOJ9qQXo1vj`; z&PKr=6EQP!4{r&1?QVhs&pHKpHbNj@Wq5I&FcM-vNIxY@Gy(MZeEuMC@{vla&^W78gsrvM(h_E$jw9 z42oU9Vn{i-+eH=J~B4N<*{+{8vcIyx_y>cM+oT{C&#OE*03%EXaQKJZ80;wih1L~1D z@4JzTS&G7rnXo!4>$D zF5vXDGa$Rb4_MB3w_4rti~w(Jl@3KTB#U^#FODt;dCsk2^WJrI$cvtdB7Ls9)rvs< zQ`3>kp3X2rZ}$rSvvGY{LQMyYtTfGJaH}su!06*eW*BW>+XP9f@$%=^HXvd4Y;jr5 z%(OLPRBD^$YB|+v8PplYM~iWAP%Xv0RZ03NGz^fvQygWPHYIvY4d2Y~R_Mrdt=!_a z0jPe&yy6i_&otDfZ8%gMsgtWdzPp0G5jkXj0RTG|#?Ce4+cfI@0ZA{uCjc8gzhA#{ zU;F)#0k9a}yYEQUm?10B<6fp&0G-(fsXFfpaJ9iJ@pZ|=;@w=-ERItT{CjvNLq52~ z)-4A5Q4DOJfdfydW&uFqY-}O$+Bx~T%?JE^)s?H1jfS1eVcO69i){VtVD~uTrFIGQtvSVkhk4ID8fB3{Li5; zd}q=eIv>Ky@$9TeY4%Bw;*8O|tGlp4CmC?nH8pl*ChAFOG51Xy8{@!yQ(m78pYT)a zwwrxcet6R%d_JZ+IrR=0($6Dfw;>CQEDP(Bnh6KjdJBun^BKqFb%X{O&74$(nOo!F zQ=FbrFW4(OJ@Bf4#_cD=S?$)3mti!ozNH63_IIk`-MS3#AaTWw+l6^)OdVN_{%>3O zPR-oWNC>7cR_KtM_vZ~Po;ywyLt>)0(PzxhoLRYtTdyKo51wVwl5a<8?aFz+CEzRf z+i#GkbC)eTP)QLOZi~FB08|iYI36RSI8Qx&zm? 
zuyuY>B>cn+0Qh+P)-qi!vJS1A_G*98nP)~qvhx#^1U84gSI=j`g9kh5%Q>K z`SP(JzgZR3$(O_Tz)<&JPqFK^e6@qZAzWLqt^_E2h0Y6bHI3uJaJ~TVF=cl6b^bwF zElVVRJZ!;l@XQC#r6_a*12jJL!36y-?o7hOQ5l&N;x(${!35n9A`6^bdMu3jy{m|t zJ4%N0SgtFX)KVZ$NLYVhnu0o0;h5< z2B-Rn)`08AfKzE@R7Z33B$7mGk0Hr@kV(%_O+i>V(lMYsEL=Pcje1_dQQ)o1>7;=b zfi@Q|CfW~3;$~HgAFPz$=?}K}g=B{r*^GWs3$uiVCKn|E2_7u(HMsjUJEdI)b#@Vn zfI)&f3HawMV2e;_pxtkwo#GV;r9E>DSGHV~Tjxi(qbREZus60Ul3`qwYFSn+CW#`x zm5U}LRs!5dbXu-iz1F-U^0Ex+!MFr%c=3lYRlqq7%hoOiUaxrr!NKHQ`7?qJO~Bui z(c6bxg|M++rQNJDi9b85$BXYqi%CbEe)IbMtY_6*fAhF$@n(SL7g$H4AWiw^>dZZv z^yikhYS72;RAe=|!TGBE^J6U&gg0he-nB`1L5jRJpvmC7NL>!_!#uT0QIjmHL5gip z)G83z)GjAXQB^gwbya5b?);4nROm`8XjQfY<%Hdlb+{3;Gjm7T&Rqwibcv+bzZy$* zNOEq`mTB%=R5rnm>y2@sgi`U0`&o_ri4B9xbm(J5txY1&4I*U4#n`Z}ku4 znTb1(U4A6j8WyOixblPO)n@i(TVs*_o6=qw90wcJ8A?zE==?%@X@`|nP`JwkZ|qO( zNPUynvMne-=v1y-4!`4HzEq?nADvmkuo7{?8q2r%VPDn-^#7j^} zosd#N;p>J+qNddcorL1Mp=k{0gYI| zE#Mm6Z1W?i3#&qnH|2EsV_Nqi<|mG~DNUe0?BP8Xyfd8qI`@59z<9b`@W#rYX$-$> zd?FX=I(QSk)J&rqqJel37s$@bJ&aM3ls`@(UKas1-PB~8VOG%4l=wy~)QKIGO^tVDp3@8+D@H&xFu!V4$l?MVA*@WFL8WRAoC2_~u-tVa)|^ zq=fCys0qL)vPJV4(KPo}#?X~W{uFK|kuKOhRLjgdI4&w{O+u=fdyea#LE1>KR9qjL zjF8|{6q+m7K1i&Vi5`6XH|MVgoaU(9?t>}`ax{|9>`9`(Ae>3IEp8{8@0f%mzp@XH zZsj54V4<^cHS@t=4@ywtoZ2^fw< zS%IRG)@WC1>n2QATE?G{;H*&NQ>+IIu!@z938r3Oi%LWJ3%pgdWv?&D?C{PSnNNLH za|&yRv?lS?tMAnkW(HrgnGAXNBmnNvSCWUcxFTz%6)1vSGH7-1X=ZG0Flq`HiYBvm z2nLg;Z3?g74&xw9ujxqk7ekS}eg*M;FQv->o&1c3ARVR4Knh`R$~uz7oC@81k~??D z3*aR>+Kzg?HP(#WM{^OcRBBX(ysPhL>OO*Bk6-1}KIn9le$ZXFGqTC}N|YPddkcJO ziQg>v@;e597vn{Iyuum3YsVgh*$T$dz9F$!3dalRI zIkyNu<-JUsH2gDemQ%wv)fTqucSkNwd+`UkIk2%jBg`I{79KW;a$n0SkPPaC3Bs#5 zHH-rSwAm0dNGYwJ7%3+oH2NH${ET=jH5tW#QN)_%VPZWEn)n!rqUe_oWU7V5zQIYx zl*!QCh8~q;cMOo?w!6z+0%`<+YXu>C15>=OIJl3RPuk#Pt)q2q* zS0|olE|Px(ks@V_!%^|zJTo|KQ3xhU#R~hDvxQYV)-L1h-GNCVFd!wJf+q-+O4eN# z9<)r(wLkSSDH+Pv_3>{wn=n4 zlgx7p+yKzR2#L6vcUcxRro>k{MJ32Q3evd{0dn9mDwbdsAm6DWuGUNSyIaLl*( 
zk=jPViSk@2Sy3z=hI|))UJR+Cop)g-`LH(-o@x)nWvLC=EGt3a1ncQ0Bd&N8MB+O1ojSOTo2z!2BR9z9ivLx#CKq^w=pl{F*UyrP@b2sCpk7! zIjW{?MXY-a&E0Rs@JnP?mXRv5rM05E*VH;GLh14L#_8l&w_^Q?25B984HT znTV0_b)vro!oaH=-08z(8@0|eY&*W*A!x4N=c6rlx=VlgN}S2Oxc%_QQg&E}vD*-GO%rs?8WL5C-129N;Y72lP;u+d3W zGm3o`c%l_uX~{98g!iho-?~amCKI}OAOIIOH>O;mhaaR^QY$hUbsK3BB>(Pa(>gu=8ZJ6dcz_?{^8=|<)< zV;p;ND?gOE&I9$uO63B?$oLa^(1jegZk*B-8dq6QPr)(cChVYqlaWuhILj%fmy zk=zxKbRTiyi#b&4h(9QgN1NyqV%=`Yq@`}P8-H3-tfMsC)tD;e>DGkBq(^`aGQ#uG zaAA(1jUX$r&R)w2&>W0<^x{>0LI;CR?(gX=$5C$`+00J^G`r&fUKA|t?=i6SuFU8Q zBt77~0A@(@;vuPh{U=aO$+(n-RuRXb=N*jP#Rw1<6L>aQ3^S6@NK8+^V4jrR?AlL& z8U-gh13eYpX6-kmfkkePc8%ThFKgal%MLpwX9;sHfooB}Gq^NbF056^~%x4E_@ zGpMZRNy8#`Jz`24xT+(aE3yK3_#<4BJe#F#s`~ldB|}2rZ?3mgXaOm{6^6d>$kUc> zLG9xE%k&bWkl4l{-2b{S#bT6n1x#dt@;Vak&ZMM%vc zfTS*c+<*~^vF>UM!RGz- z=|v-c%VJuse8099f8dAyO0vfVM!Xmxpxo`zq5@Z9XjBy5%88-;U6JvUXZu;EjfF0c z{*Th8{iO6x8Pr~2ffBrR%P`K=aLDI*91?>Ng$H5sDFATi(u&t+4ykp9M_)s)Jju{p5-rqf^`WKM8-+;^vcjKk|(8e;!%HBf<^>0ab*rTF$$Z3${ zfhkm6T315>SkkA491}fBg{RrN>O1kcRR~!tB7k*FTDpb3TBm{w4=C_)G#KaG;Y5Sn z&KBiMq;dwY+w%ZVP_7V@%esq0&M{gf0gltv>jmpQJX%i%ubc0P0G6QcY-e)NdDORB zD=KspLz)?r3-1Sj8%4lvZ&@7ha`v_g1B)!!*&>ucS!-xb*=K%JcyjS)CoI&a z&mWCye>R=@SwS#%B8-egnp%N>y^nh zmU1SyjHpT|0ag5>>hfE(A`9I6#<(u9!CwR_JUx+8JRuKN$3lYuvKrpP4}t^f&RSSK#WG!e9+iUi%t;chYu57l z?*dLe0M@S@(c;w^G{RBwcjxR6A)6=vUAth~v=(N50sG^VlDN|+?lfj#JmvM{Ln>!U zP&nfGepndK_zC^{s+EtzGY{mcmmx713@;D?^X(t01xE;8fP@(t2zL?oyi24!2XuR`Jan%6p#e)zA%DieI9;EDSQA~Be$m&wib$joyAKw(HSJ;_-u~1lr0lqBhL>jdl07y4L$>YAk zvMoMi+0vrAq`N$Nq}F!f7A40kVHlXObb;4d01B#o8TTpp;Bo`f<_Fu~&u#scbdsZ? 
zS)b2$Dh>8uwNF$ZEPeu{4A#;v?SZN#u}FXF3hS}(XPj|qUk#*$3%@3x2X7XF%I zoVf;DM!fG-mg7UO>>gQ;bA>-g7B?gF5s)7pb z0g#8uV0;bgBucc-_?-XvZZq6;Z@ojSE7eCL+*Tx+2lVOTl zAHx@7)E)9TDvu>riEv^WfEo~%UN=BN==DL@3b>o!7(P*APHVVBSunsfnl*_b=lsgs zIbqh=4k@j@I_6jM$r}fo`GV_J9cNkUyo-p%G{2hSsIac|X+B^E0qv>eUDc8#>X;|H z$=(IVTR^=~QQuD^IR!9won=ABp*{mDv(0{Wp0o=a1^_~4rX68%1x^TtD%QHpVB{m$H@ z3GdW}{o)tjRBOC@)N8gPMoD6Q?xT@#bv(I^drKt7f^dLo<|>pV~ih#w&(C5Yu)o^D=#Bs+<=RqHd6z1q%Oe@;D{n7CO=M5k}Xnpq#9tu;JE z1{%A3?s@@_(J&8GgC`h2J-UZ{I+l=LHG=qz4JvFb^O%4n_;_s}Fn;m1R#02nPj$<7 znXq@Pl`1L=Tf8@j2?FBTid^ORnMjsVr-8_?wNCa@jyM$gLP3hCqu+r)0_NSVGY5)&Imz~JdLhFZ)3FWOmprG{w zvS&|DMOT;uh)uw}iJYaVo2Zf=AtqyBnXAR0xS6lTo#lOV4pVXJm*2eMjr8-u$cg+qY33a|wOI;7$ zy>NalMx5AH(BJSsT!{v~yH=h8Z-3F)NQuHDN=&rBP+jyYDK^d4GH;vKvG_yy%w|p| zS=jO8bfwP*KLhs>NBdt%0>)jPMt!^Yfaxg*z8Som496dHv&b@I3~*;r>;Z#3IC7r> zc!)=_O+&f$+|S|Kr~HG8CL!%lIqe7D0z{BorF7&NIJ>hqT^vAeQYWzCsFk6I9%I(v ztEATt1k_NaNl-&^N_!WbGh*(N&t~`C9CvCTm$Zt-pK)IqAXdpD1B}*0O!n;_0ul}+ zySNdDLa&32@KqXDLCl82{OXFFT=shQY8F`}1$DiOwi z!SfX8a8(|!ty%#4Dq#i~1N9D)zpb!72Ilub@BR#N5Wux@OI0k^cPUva?SB}k{j(-F zC|rE~`z5~9%sZA^SA>5X%NL+9ukcV12bjeWz_86h#ihC%4AFZXpj9ok`{W_Fl$)ev z>l%~jFXL{Kz_h}PWyliqr6}`WfY0YlT%QY8UaA5n)Y0MoZE1gu1i*cII`IDv=kcv| zPl-jZ)ybelC+XL&e8tIVzxaKbKg1~;NFjUD#q10FllZcK{30Sr#L)G?P0h^M_ zC@*yz6iQ@#0=Aiftd@~gLlxkFPzJ^TqF;a}84k`-!UPE+{>&YBjxwoL_`0vJ29rR$ zk71k`$LX#wfb ziPLbFY#Q@ublc4y*!i}2eOt*ggKXu(Yl^E!lxnvNiyAYHthys#M_=;ei)_s`RC(^r zjPJpKIxgANTh+zu1(*}^2Ift4OSSLqn5A?qehCnTYcTQ2r@F#PltV>!imOxr>T83$ z>RxeAeEj0gzV}3|C$HnhvNSbi^7F37(g``mfPzs+#JBo3ob@P4T^+g6!%jo9^ak?Yx(aVj&^8=B<^Q!bq z)%_Z?TYk8nzJ9`@S-(1tN@0U%1K+K%2JrxnHYbxTUs^P%7z;$>_Ne!2FDrGZhF0Y> z#cM23VX%u)b<)6`VU^SL$QnPlY@zKqapLBcn&2Ag4)D{9rrw*gGN`HB!JCYJ!HpEF zZH|m`*-T|hC6=J@ZQp5|gy~oo?GJhl#6gM)oTj__ZC7!^8|5!McY$?cg&^3QA9!21 z0i>I00Kao~ckA3PZ9eW(fFuHhlG_rmY_frz=im})sj zGsIUJ`Y_=!a5PEUk>$2O^)a66GXDuE#?j=$mmYR((Dr=B%ct9t zTKPnYq*?`S9Q*A#i0N!!AXtd9B9+e!QzZRBeU}2G1pNU7<%hEm6GIS?nL2I+f7x%a z365b`!~`LdC^$^4SLCBOg;<<8032B=lbBkG$ksw@6W%%>9G!d4J#2eh6r7Dw7kdQv 
zLHGh#K!K;SG+~U^PEr_-2riTl$n>_U;H_Akj7Xjj?N4{Vi2H0Rx+>fkRgn^CNVtnF z@9LCqBw~SaXgatRD_~R-B^Hl#JC*R2u=ATL{$bo|mqBUlND_9hRZZnKd5_N5evocI@XfmD(oS?d`w`Dn$ z%4zlI=l!V;x?BvJb2I-Eg>!SN~ToNnETkgysFgb6(^@_IvRaDbi2Zi@Dii=fb`X<9I&|b!b`eklaOwd(i zYc?yu1}biWAOG6-b>H9?JfE_12IvumFwqHA?-_fhS%ChKvH_T~J!*htB)m~_5CIB{ zJ9>vpGI#k_9KZu^Nm4U1i?3@E0@Z`pK1ttyO~Uj`M|Qn&U};XU;|5nHn35o!B$0>b zQxN?eIKJ7_7mS}(G00OrQegRDUo ziJ`7afJ39^Sw+=~>%z*d*~HpB>`EO1Y6SH!6Q`9|7qqYbKkc1oR8#Gi$CV;Q+Dj3o zsuYo~(pykKL_n(arlAVO5snR=07Z4HYy#xd)p_dp+AoC=6*M0Au znLBsp(|qtt)?#szbIy}}_Or|Hzmo+y%t5b?S85M#oqYX{-0)sI@K2qA2X^W28h1b= z&m#?v%Gf7W2Tg_5PYhaaNn)7WyYq*sK{O@nJ`1vr7mdqbi;O!p)R}g)ktzGt`Va7n z@B4k`G4jbyV=}?_`j}I8F-)0Ij@KZ4!t+YPKK(X~U--N>7dF}rSYxj(<*oN-ROmt% zI!}_ZS(y~8MlXK*(xsa5O4!WJQIq7ux^WTXX$?k~CANL`eheno)Ug;SbVhvjPxb)~ z++1MEbTM`tNPMc1Dj|YRH>~Ifpu5S98EF)zzv2R25EtCme90812sU&yx3LJO9oD7y zX5~aO{F5z6dRN6XY*1Bd6{4ODNfnLC?s5QDvY(BV^pM0hCEc?0N7MA;^g$0w0*{1F zZ0iy+R9dgK59H{XuQP>kqheB1Rgez(GU+`^l12FEXmV`~13FT!-KO;MQ2J2-K8~_4 z01Z)DRtoIPWEm}s*yn*#fGMrkc+P9pGqaienG?TQH(^~zeu zzIT8yNs@3#Tm_whRTD~b5(wk_|qVTF+G)Gn5laVqT zuM?z>9YCkSaYY46?FQtjJV|IHK~d?Iq877mZr`8zl~XSAFMYZ>9JbqE%82$B-*uY+ z;3SgNuy&YY?M_KH7eVv!^7wJCLL-@8uJ9$-Dk& zf7ub@n*}(&*`InENIoI#Cs)Q-;A6Pk!!*tV#sdc!kLwVb zi7q`v4|gO_WI&i_qU6(p$Q;&3oVbEr)EPgd6em+GpO{XsWfKHo8L%vj&qp zt~O$J5pF5@ou4w-Et+G62Qiy1sj_lYs%sEEF;V{{c@*$uVJSKhCee*vhUEx-aTkM;)?_NVMCMjr|DoyPEA6z#Zn#s}=e zuR)!%Hw|E<80qgM3XtL%3cvN~}k{##P zF69Rh%{dxBsH@-UQ#YqQi?aaxDQ0bQa^j*)9J~n%{j#&vKbaN|?tF^Jg;qrKL()8m z+M3ad+OH7WZNm^LlAMu}=K8GX^R7B0sR$17#2{t&0nLvvIJCqhM2(;2CF0&?e#%xx zmJikQiJ2D^_*=g*vGHek-#glEhtwRRTS8f!K5oKKlWsYYqy!T)3|(xos)SlzR9$%6VW#FPG(bqt<zI0 zIuGW(nflT;X8FI*}E)9vZm~Mc}Nx?_hl{ur$vGo$M+^ zcpK=8k*L*$P%d7Fr^0H)O~W#vJQpD|xd&F$p$0IWLb|Rr`eebOP!`m~nT2(7pRe+OBWc1g z%8-T@lOX$D{a3QVIvUN~6Fr)^+RqPZC1PlJ$01G|70Ae5sI9}ggi*b2QN-ugE6QH} z+G%_G08Ds@gm+VDup|}{DBTkQe4xC67??A9O%5RJUQ&<6;+oYbDDR4<%8K%#>Zwa= zab-ZM)D~HRajN^4S+C|;97$h z=G=98L#d(f*`<^=#a$2m_6PdShCGiC^bZv)M2FGfX{9KcC|C|uSAX*CV<>!T+x0%* 
zr;X?UyG8Xh#C{&s2tH4vdiOmIMd(LqTFKOcCC=!%wPlq>+wK4Rsq6vdC-5-eYhM59WMxMwP!+IcdfE&+hDVgOS&9L`;KS7;Zv_a0#*(cA)TigiK*ZX5V$`Annx`W=^}epo6Xk z?FuVtp^>dp`n<8fT)s=^dy|n{ju}dwp zNmE#3#uGJwMEQC#A1_uch-l07Uv;Yrzlv%6WVw5WjKfiu-KWfbu?j14a8xJ75lyKP zJAZUh;b#|awAL`0q5Yx392@FMS{f@qD$N-PD{7dm#Bjm$Y2dE-wpjKQdH%+ z#4yjp9p~MH*aT5C2pHalXlCXnX)|@5`>u4N@&bmd>Z&%Qyax73(Dlf5ht$*yBP{?V zZYHlQOcSkdkAT2A2FI0fdOA+00T-y2_Ws48ABaL4PIHK*tpMes=C_7BpemG4N+kc-1+)JOV1fON?`fX+uwH^Yngr@=;kT5QO2xy8y9Uu4xr*lT44@IUpei8Q%JQ^#UkqU`r8DdiTBYu}cJA(RPVw=i8I?Z)Ok~Q)$RGQdV2= zUYhus?N0HPYX+G&V4WP$@qNOw1z9zJBWZvCbWBb1NE9pE_wQN-GiRGDX#Acs2B@3PQ74h(C5JQ;V=orX-njIhjAuy|&U1p%tc&V@t9k(y-nlME@OiN== zd{*kYK9$+MH^n-3fsOlZ?d_M424D`t=?(ym828c6Sjc@>pnfknRu+#tY;RlbQamVs zCsOYR%YT?sZeKcf>1@rSJgKA~P27#>g#9q9^1|>N&!_osja2{{Kvl|3SOG#>S}a%< zXRd4X-djo^`%!YORT6US#yUCjj_Us``>x@vK9{o41~Jc5=;-06iv7GgbUee;LJ z9I!*Lux5alhM151l2Yp9>keuz$)E9sGM~tvFEw-X;(HyD7?auw%W47h@01z}Uegk+ z;yWT0f}&=KzTq?Nn}d1ht61*r&Wjp_@)0p~4Lbu4{1okSY${sm*+9f~`3nO|2tbub zDERJIRRSniA&b>fvl$iPc&FT4rRkXgPA3fH1y>G(b6^&HqB?a05jT`f!kL8HKP1@> z${GQTFLgq$-t3#4Q#glOb?1mD+Gj7#k+^?-WeQRN;*k}LoKFye= zS^q^4>iJ9dwedliEQ zrqwL`8#)_Yder5;xytps5C*RO}h7>R0~>z0`vhZ zWW1Kw${ZRH4tp(J4sl8^izSc~WjBc!Wp2GEj;2_zb6B_VtrtqXBIGuY@?N^MIlx5f zB++8H==529PEm=Bkt%!fk%c6hpHiq0#Xg0to_X6B~XH^vYiP-V@iwWXcX zw!5L3KQS8@;0xvxm;rS;^l**MbK=QRp(UiDW77HY9jd{loqjFP@s^g0jH!#sQF2?i z>ZVR7zR-6KT7C)1!W*wrdt$OLpDGfZPycc|4rDK?A7TZi* z19w@MrWe4TID122WS8S?2wW5FXC5BY0c15%XHYqSTC5D$2)d`YVFoL}FxlrUs5@uB zMrB@*OGIY$Y*i}^K<&e(@xmzTW*&+*mDx8-vnInt9aI;XHiZ*WO@7X+RLxPr`SvVe=`wX8!xM*d zg%($?>Q`yov5H}Q$~UBiE`RXQKf%*K&0RRNd?hClp@X*p8JFf--1vf0!fTgg-!?}Jy zgo~R0@tsg3(FGGV-UQxEr9_kFN{en9j@7#|vwCe@k=P&$HG14ooDii$!pne~DvMgH z>3!rc^D&`(+8Te=JK!|jUT*m%85iUe{rSwu!PobZfX0C8^gIY7#0+0{-_=M3V0Kic zOQE}cx1QfUUrAgAQvav5I#Ki}L)$2sC-OnG1uS=EdyCLL=_4|ERO{*ZX3klMmcA<_ z{b6d$4Zokbk1gP^wUJfZ@HgEpFA4AaTT7djP(?@K`#<#(U09~U`&Qps9S&x@iyVHA zAPvlHc^Yy$+FightH+J*R$3NgaBc}gi4xTv)}_blAsE>4`^F^(s0f!X1HQ!EboM+H 
zzn!$Gj#9-J%?Do7P6eg)#PzE+$&!Or?@#f%^1diG6qai}qro;laKW1s|Hkvgz+<0- za_2tB#}Th=!6vC8Y3XiI51>k9uKBPzlBRl2W_ie3{P7RTGhX&Ug|(4{S+D76Q`oZ# z&?=>PUYrL%ae`GHKMR2HfqCEqjUA*>1dj6+6ZpUnW%|^E(Ty2?)`gPJuMQWnoe@7J zKyd>~8YW`l_YH38>UT)IMM=01e*AqP&Q+5W)`t-f6jVL2E4Ks1ZPR+qagU0_Fq<)t zr|cusT{pmBhhDDLn9`_<_owH@N8V8rR(KFkCa|x5zDw}48K6DQUFV=zD$XT(c?z^( zR&8;Zamc92}K2qwEa}2$ytT9^BB9?PhA+f+~EDd-j|0v6zR4?x7VzU;zo~sDK;+7U9{tmims# zkulcPapVn`eqX~y;D3Z;yDv6o6#9@I7gM1o=TVIrOV>)sj=gg^DAehiuKpR82M`qH zYdUHKiwOo#1-;{mJ5hLZ)<%P`?k@7vXsseq^h)_Tae{w%ZV61n&-EL@;SpAp*qD&E5Gwf$h1Q6Df9Kn<4r9)_1RH_3uxt3+V*FT;%7TGU3&t>f0ZXm?0}cZ z@EBJpH=L?)FqJ*popr#EXTZl1XGAQL$7*y5V=_*XyrBc4-B4;!N52`#@{kskt?2Jg zClgG7T)z(Zhe63FKZT1llfaKWExkFd!SNLPBnjg0_ft5K<#xNL8E_SpZyBrZwAOkYBjuf{C zgF8Hc8H|@a>@4xuF*|wePA&tYM9sEEJHL?B1L^CDPs$y@V3D7o5q0%WlE^9iQHouZ ze0+OTn0gzQOc+?1S~bhZXM#?v9w(Tmzzv*zC9Tp)LL<8(Y6_+q0QzPL%03{6f1vIID zJvj8>#`tYNn^aL9rf)tYrYXWpyUo||C4VqAtsq2wfrW6Sowg#w$DgRd&iU?lPGF)) z5#Zpq+5=gz9L^ntTk8PiA-7F;LehnvVrx}aIjFCDF^~H}_iLqd-k`+vrVhEaEERsB#cO>YmOwdpJB& zU@mJ4=1DjJxmz)q>lPo&Im9oMNWKnQU~YM2UlYYU!8C&wh;ZJA)oM1dNU4b=J2;y^ zWj#GwG@tG)-XjPC_{0sv;L~_LIlgg{B`}Ot31baa1dE9F@ z(gAdmJaHrXUVXrIfI%qb2bNy`7Qc-8=1Ed+$|E#Hp7YwH7l7wAUDGMNOt@+gY`p-_ z%hk1H@%sT_j9l%Lsr}{TBa=ohV)kkpJEeA#F<1-vTTgMjs5V)Vq zkLhv&`t?t5`+t5SMHQmxlf2Wbcj(%@Ux|mK>y(QE-A*NF2#rqu3gpV zqc4;cE7R@>w| zCV!FFU%8Gtst!uO z_2oWDal$AP`;Y4te>b4t@A)jAB6dXI;j2bGPNT0DRFe*EkwVb%N)%eN!K<|-|SlUtj zkH2`^f8RASf)W%(^+pKAzu|%Z8+Q#m=WT_UeY*1jExai)@W0v>{(ha%U8C2H88fyc zf7{Rh;-4R=f+$edK}GXdO#b)X{XCe@86BT0P5sZCH2LrM5dB^Q;F^Ei!S6M|$7}z} z4g$hSc!^I@IS&@*1n=3Z{wH2iPTtEt>k JF1TS8_#d|f;o$%P literal 0 HcmV?d00001 diff --git a/dependencies/infra-as-code/bicep/modules/privateDnsZoneLinks/parameters/privateDnsZoneLinks.parameters.all.json b/dependencies/infra-as-code/bicep/modules/privateDnsZoneLinks/parameters/privateDnsZoneLinks.parameters.all.json new file mode 100644 index 0000000..f0bb9fd --- /dev/null 
+++ b/dependencies/infra-as-code/bicep/modules/privateDnsZoneLinks/parameters/privateDnsZoneLinks.parameters.all.json
@@ -0,0 +1,12 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "parSpokeVirtualNetworkResourceId": {
+ "value": ""
+ },
+ "parPrivateDnsZoneResourceIds":{
+ "value": []
+ }
+ }
+}
diff --git a/dependencies/infra-as-code/bicep/modules/privateDnsZoneLinks/parameters/privateDnsZoneLinks.parameters.min.json b/dependencies/infra-as-code/bicep/modules/privateDnsZoneLinks/parameters/privateDnsZoneLinks.parameters.min.json
new file mode 100644
index 0000000..f0bb9fd
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/privateDnsZoneLinks/parameters/privateDnsZoneLinks.parameters.min.json
@@ -0,0 +1,12 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "parSpokeVirtualNetworkResourceId": {
+ "value": ""
+ },
+ "parPrivateDnsZoneResourceIds":{
+ "value": []
+ }
+ }
+}
diff --git a/dependencies/infra-as-code/bicep/modules/privateDnsZoneLinks/privateDnsZoneLinks.bicep b/dependencies/infra-as-code/bicep/modules/privateDnsZoneLinks/privateDnsZoneLinks.bicep
new file mode 100644
index 0000000..b36c5e6
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/privateDnsZoneLinks/privateDnsZoneLinks.bicep
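Review bot: Both this file and privateDnsZoneLinks.parameters.min.json set `parPrivateDnsZoneResourceIds` (plural, an array), but privateDnsZoneLinks.bicep in the following hunk declares `param parPrivateDnsZoneResourceId string`. A deployment that uses either file as the module README instructs would pass a parameter the template does not declare, and I would expect it to be rejected. Align the files with the template, `"parPrivateDnsZoneResourceId": { "value": "" }`, or change the module to accept an array if several zones are intended. The two files also show the same blob index (f0bb9fd), so the `all` and `min` variants are currently identical.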
@@ -0,0 +1,20 @@
+targetScope = 'resourceGroup'
+
+@sys.description('The Spoke Virtual Network Resource ID.')
+param parSpokeVirtualNetworkResourceId string = ''
+
+@sys.description('The Private DNS Zone Resource IDs to associate with the spoke Virtual Network.')
+param parPrivateDnsZoneResourceId string = ''
+
+var varSpokeVirtualNetworkName = split(parSpokeVirtualNetworkResourceId, '/')[8]
+
+resource resPrivateDnsZoneLinkToSpoke 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = if (!empty(parPrivateDnsZoneResourceId)) {
+ location: 'global'
+ name: '${split(parPrivateDnsZoneResourceId, '/')[8]}/dnslink-to-${varSpokeVirtualNetworkName}'
+ properties: {
+ registrationEnabled: false
+ virtualNetwork: {
+ id: parSpokeVirtualNetworkResourceId
+ }
+ }
+}
diff --git a/dependencies/infra-as-code/bicep/modules/privateDnsZoneLinks/samples/baseline.sample.bicep b/dependencies/infra-as-code/bicep/modules/privateDnsZoneLinks/samples/baseline.sample.bicep
new file mode 100644
index 0000000..1e37ab3
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/privateDnsZoneLinks/samples/baseline.sample.bicep
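Review bot: The `if (!empty(parPrivateDnsZoneResourceId))` guard does not cover `parSpokeVirtualNetworkResourceId`, which also defaults to `''`, is indexed with `split(..., '/')[8]` and is used as `virtualNetwork.id`. With a zone ID supplied and the VNet ID left empty or malformed, the index is out of range or the link points at an empty ID; extend the guard to `if (!empty(parPrivateDnsZoneResourceId) && !empty(parSpokeVirtualNetworkResourceId))`. Only segment `[8]` of the zone ID is used, so its subscription and resource group are discarded and the link is created under a zone of that name in the resource group this deployment targets; a comment such as `// The zone must live in the resource group targeted by this deployment` would make that explicit. The description says "Resource IDs" although the parameter is a single string.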
@@ -0,0 +1,30 @@
+//
+// Minimum deployment sample
+//
+
+// Use this sample to deploy the minimum resource configuration.
+
+targetScope = 'resourceGroup'
+
+// ----------
+// PARAMETERS
+// ----------
+
+@sys.description('The Spoke Virtual Network Resource ID.')
+param parSpokeVirtualNetworkResourceId string = '/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups//providers/Microsoft.Network/virtualNetworks/'
+
+@sys.description('The Private DNS Zone Resource IDs to associate with the spoke Virtual Network.')
+param parPrivateDnsZoneResourceId string = '/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups//providers/Microsoft.Network/privateDnsZones/'
+
+// ---------
+// RESOURCES
+// ---------
+
+@description('Minimum resource configuration')
+module baseline_private_dns_zone_linking '../privateDnsZoneLinks.bicep' = {
+ name: 'baseline_vnet_peering'
+ params: {
+ parPrivateDnsZoneResourceId: parPrivateDnsZoneResourceId
+ parSpokeVirtualNetworkResourceId: parSpokeVirtualNetworkResourceId
+ }
+}
diff --git a/dependencies/infra-as-code/bicep/modules/privateDnsZoneLinks/samples/generateddocs/baseline.sample.bicep.md b/dependencies/infra-as-code/bicep/modules/privateDnsZoneLinks/samples/generateddocs/baseline.sample.bicep.md
new file mode 100644
index 0000000..0c45d77
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/privateDnsZoneLinks/samples/generateddocs/baseline.sample.bicep.md
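Review bot: The module deployment name `'baseline_vnet_peering'` and the header comment `// Minimum deployment sample` do not describe this file, which is the baseline sample that links a Private DNS zone to a spoke VNet. I would rename to `name: 'baseline_private_dns_zone_link'` and change the header to `// Baseline deployment sample`, so deployment history shows what was actually deployed. The default resource IDs as shown have empty resource-group and resource-name segments (`resourceGroups//providers`, trailing `/`), possibly placeholders lost in rendering; if they are really empty in the file, `split(..., '/')[8]` in the module yields an empty name.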
@@ -0,0 +1,46 @@
+# Azure template
+
+## Parameters
+
+Parameter name | Required | Description
+-------------- | -------- | -----------
+parSpokeVirtualNetworkResourceId | No | The Spoke Virtual Network Resource ID.
+parPrivateDnsZoneResourceId | No | The Private DNS Zone Resource IDs to associate with the spoke Virtual Network.
+
+### parSpokeVirtualNetworkResourceId
+
+![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
+
+The Spoke Virtual Network Resource ID.
+
+- Default value: `/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups//providers/Microsoft.Network/virtualNetworks/`
+
+### parPrivateDnsZoneResourceId
+
+![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
+
+The Private DNS Zone Resource IDs to associate with the spoke Virtual Network.
+
+- Default value: `/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups//providers/Microsoft.Network/privateDnsZones/`
+
+## Snippets
+
+### Parameter file
+
+```json
+{
+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "template": "infra-as-code/bicep/modules/privateDnsZoneLinks/samples/baseline.sample.json"
+ },
+ "parameters": {
+ "parSpokeVirtualNetworkResourceId": {
+ "value": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups//providers/Microsoft.Network/virtualNetworks/"
+ },
+ "parPrivateDnsZoneResourceId": {
+ "value": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups//providers/Microsoft.Network/privateDnsZones/"
+ }
+ }
+}
+```
diff --git a/dependencies/infra-as-code/bicep/modules/privateDnsZones/README.md b/dependencies/infra-as-code/bicep/modules/privateDnsZones/README.md
new file mode 100644
index 0000000..6cce7a7
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/privateDnsZones/README.md
@@ -0,0 +1,174 @@
+# Module: Private DNS Zones
+
+This module deploys Private DNS Zones used for Private Link based on the recommendations from the Azure Landing Zone Conceptual Architecture.
+
+Module deploys the following resources:
+
+- Private DNS Zones - See [DNS Zones](#dns-zones) for more info
+- Private DNS Zone Links - Links deployed zones with provided Hub Network
+
+## Parameters
+
+- [Parameters for Azure Commercial Cloud](generateddocs/privateDnsZones.bicep.md)
+
+> **NOTE:** Although there are generated parameter markdowns for Azure Commercial Cloud, this same module can still be used in Azure China. Example parameter are in the [parameters](./parameters/) folder.
+
+## DNS Zones
+
+### Regional Zones
+
+The following DNS Zones are region specific and will be deployed with the provided region in the `parLocation` parameter by default:
+
+- `privatelink.xxxxxx.batch.azure.com`
+- `privatelink.xxxxxx.azmk8s.io`
+- `privatelink.xxxxxx.kusto.windows.net`
+
+**Note:** The region specific zones are included in the parameters files with the region set as `xxxxxx`. For these zones to deploy properly, replace `xxxxxx` with the target region. For example: `privatelink.xxxxxx.azmk8s.io` would become `privatelink.eastus.azmk8s.io` for a deployment targeting the East US region.
+
+### Geo Code Zones
+
+The following DNS Zone use a geo code associated to the Azure Region.
+
+- `privatelink.xxx.backup.windowsazure.com`
+
+If the Azure Region entered in `parLocation` matches a lookup to the map in `varAzBackupGeoCodes` we will append Geo Codes (value) used to generate region-specific DNS zone names for Azure Backup private endpoints. then insert Azure Backup Private DNS Zone with appropriate geo code inserted alongside zones in `parPrivateDnsZones` into a new array called `varPrivateDnsZonesMerge`. If not just return `parPrivateDnsZones` as the only values in `varPrivateDnsZonesMerge`. To override this see the parameter `parPrivateDnsZoneAutoMergeAzureBackupZone`.
+
+> For more information on Azure Backup and Private Link, or geo codes, please refer to: [Create and use private endpoints for Azure Backup](https://learn.microsoft.com/azure/backup/private-endpoints#when-using-custom-dns-server-or-host-files)
+
+### Prefixed DNS Zone
+
+The DNS Zone `privatelink.{dnsPrefix}.database.windows.net` is not deployed by default as the DNS Prefix is individual.
+
+You can add the zone to your parameters file with the required DNS Prefix in the zone name.
+
+### All Zones and more details
+
+For more details on private DNS Zones please refer to this link:
+[https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns#azure-services-dns-zone-configuration](https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns#azure-services-dns-zone-configuration)
+
+## Outputs
+
+The module will generate the following outputs:
+
+| Output | Type | Example |
+| ------------------ | ----- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| outPrivateDnsZones | array | `[{"name":"privatelink.azurecr.io","id":"/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/net-lz-spk-eastus-rg/providers/Microsoft.Network/privateDnsZones/privatelink.azurecr.io"},{"name":"privatelink.azurewebsites.net","id":"/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/net-lz-spk-eastus-rg/providers/Microsoft.Network/privateDnsZones/privatelink.azurewebsites.net"}]` |
+| outPrivateDnsZonesNames | array | `["privatelink.azurecr.io", "privatelink.azurewebsites.net"]` |
+
+## Deployment
+> **Note:** `bicepconfig.json` file is included in the module directory. This file allows us to override Bicep Linters. Currently there are two URLs which were removed because of linter warnings. URLs removed are the following: database.windows.net and core.windows.net
+
+In this example, the hub resources will be deployed to the resource group specified. According to the Azure Landing Zone Conceptual Architecture, the hub resources should be deployed into the Platform connectivity subscription. During the deployment step, we will take the default values and not pass any parameters.
+
+There are two different sets of input parameters; one for deploying to Azure global regions, and another for deploying specifically to Azure China regions. This is due to different private DNS zone names for Azure services in Azure global regions and Azure China. The recommended private DNS zone names are available [here](https://learn.microsoft.com/azure/private-link/private-endpoint-dns). Other differences in Azure China regions are as follow:
+- DDoS Protection feature is not available. parDdosEnabled parameter is set as false.
+- The SKUs available for an ExpressRoute virtual network gateway are Standard, HighPerformance and UltraPerformance. Sku is set as "Standard" in the example parameters file.
+
+ | Azure Cloud | Bicep template | Input parameters file |
+ | -------------- | --------------------- | ------------------------------------------ |
+ | Global regions | privateDnsZones.bicep | parameters/privateDnsZones.parameters.all.json |
+ | China regions | privateDnsZones.bicep | parameters/mc-privateDnsZones.parameters.all.json |
+
+> For the examples below we assume you have downloaded or cloned the Git repo as-is and are in the root of the repository as your selected directory in your terminal of choice.
+
+### Azure CLI
+
+```bash
+# For Azure global regions
+# Set Platform connectivity subscription ID as the the current subscription
+ConnectivitySubscriptionId="[your platform connectivity subscription ID]"
+az account set --subscription $ConnectivitySubscriptionId
+
+# Set the top level MG Prefix in accordance to your environment. This example assumes default 'alz'.
+TopLevelMGPrefix="alz"
+
+dateYMD=$(date +%Y%m%dT%H%M%S%NZ)
+NAME="alz-PrivateDnsZonesDeployment-${dateYMD}"
+RESOURCEGROUP="rg-$TopLevelMGPrefix-private-dns-001"
+TEMPLATEFILE="infra-as-code/bicep/modules/privateDnsZones/privateDnsZones.bicep"
+PARAMETERS="@infra-as-code/bicep/modules/privateDnsZones/parameters/privateDnsZones.parameters.all.json"
+
+az group create --location eastus \
+ --name $RESOURCEGROUP
+
+az deployment group create --name ${NAME:0:63} --resource-group $RESOURCEGROUP --parameters $PARAMETERS --template-file $TEMPLATEFILE
+```
+OR
+```bash
+# For Azure China regions
+# Set Platform connectivity subscription ID as the the current subscription
+ConnectivitySubscriptionId="[your platform connectivity subscription ID]"
+az account set --subscription $ConnectivitySubscriptionId
+
+# Set the top level MG Prefix in accordance to your environment. This example assumes default 'alz'.
+TopLevelMGPrefix="alz"
+
+dateYMD=$(date +%Y%m%dT%H%M%S%NZ)
+NAME="alz-PrivateDnsZonesDeployment-${dateYMD}"
+RESOURCEGROUP="rg-$TopLevelMGPrefix-private-dns-001"
+TEMPLATEFILE="infra-as-code/bicep/modules/privateDnsZones/privateDnsZones.bicep"
+PARAMETERS="@infra-as-code/bicep/modules/privateDnsZones/parameters/privateDnsZones.parameters.all.json"
+
+az group create --location chinaeast2 \
+ --name $RESOURCEGROUP
+
+az deployment group create --name ${NAME:0:63} --resource-group $RESOURCEGROUP --parameters $PARAMETERS --template-file $TEMPLATEFILE
+```
+
+### PowerShell
+
+```powershell
+# For Azure global regions
+# Set Platform connectivity subscription ID as the the current subscription
+$ConnectivitySubscriptionId = "[your platform connectivity subscription ID]"
+
+Select-AzSubscription -SubscriptionId $ConnectivitySubscriptionId
+
+# Set the top level MG Prefix in accordance to your environment. This example assumes default 'alz'.
+$TopLevelMGPrefix = "alz"
+
+New-AzResourceGroup `
+ -Name $inputObject.ResourceGroupName `
+ -Location 'eastus'
+
+$inputObject = @{
+ DeploymentName = 'alz-PrivateDnsZonesDeploy-{0}' -f (-join (Get-Date -Format 'yyyyMMddTHHMMssffffZ')[0..63])
+ ResourceGroupName = "rg-$TopLevelMGPrefix-private-dns-001"
+ TemplateFile = "infra-as-code/bicep/modules/privateDnsZones/privateDnsZones.bicep"
+ TemplateParameterFile = "infra-as-code/bicep/modules/privateDnsZones/parameters/privateDnsZones.parameters.all.json"
+}
+
+New-AzResourceGroupDeployment @inputObject
+```
+OR
+
+```powershell
+# For Azure China regions
+# Set Platform connectivity subscription ID as the the current subscription
+$ConnectivitySubscriptionId = "[your platform connectivity subscription ID]"
+
+Select-AzSubscription -SubscriptionId $ConnectivitySubscriptionId
+
+# Set the top level MG Prefix in accordance to your environment. This example assumes default 'alz'.
+$TopLevelMGPrefix = "alz"
+
+New-AzResourceGroup `
+ -Name $inputObject.ResourceGroupName `
+ -Location 'chinaeast2'
+
+$inputObject = @{
+ DeploymentName = 'alz-PrivateDnsZonesDeploy-{0}' -f (-join (Get-Date -Format 'yyyyMMddTHHMMssffffZ')[0..63])
+ ResourceGroupName = "rg-$TopLevelMGPrefix-private-dns-001"
+ TemplateFile = "infra-as-code/bicep/modules/privateDnsZones/privateDnsZones.bicep"
+ TemplateParameterFile = "infra-as-code/bicep/modules/privateDnsZones/parameters/privateDnsZones.parameters.all.json"
+}
+
+New-AzResourceGroupDeployment @inputObject
+```
+## Example Output in Azure global regions
+
+![Example Deployment Output](media/exampleDeploymentOutput.png "Example Deployment Output in Azure global regions")
+
+## Bicep Visualizer
+
+![Bicep Visualizer](media/bicepVisualizer.png "Bicep Visualizer")
diff --git a/dependencies/infra-as-code/bicep/modules/privateDnsZones/bicepconfig.json b/dependencies/infra-as-code/bicep/modules/privateDnsZones/bicepconfig.json
new file mode 100644
index 0000000..ad3802e
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/privateDnsZones/bicepconfig.json 
@@ -0,0 +1,124 @@
+{
+ "analyzers": {
+ "core": {
+ "enabled": true,
+ "verbose": true,
+ "rules": {
+ "adminusername-should-not-be-literal": {
+ "level": "error"
+ },
+ "artifacts-parameters": {
+ "level": "error"
+ },
+ "decompiler-cleanup": {
+ "level": "error"
+ },
+ "max-outputs": {
+ "level": "error"
+ },
+ "max-params": {
+ "level": "error"
+ },
+ "max-resources": {
+ "level": "error"
+ },
+ "max-variables": {
+ "level": "error"
+ },
+ "no-hardcoded-env-urls": {
+ "level": "error",
+ "disallowedhosts": [
+ "management.core.windows.net",
+ "gallery.azure.com",
+ "management.core.windows.net",
+ "management.azure.com",
+ "login.microsoftonline.com",
+ "graph.windows.net",
+ "trafficmanager.net",
+ "vault.azure.net",
+ "datalake.azure.net",
+ "azuredatalakestore.net",
+ "azuredatalakeanalytics.net",
+ "vault.azure.net",
+ "api.loganalytics.io",
+ "api.loganalytics.iov1",
+ "asazure.windows.net",
+ "region.asazure.windows.net",
+ "api.loganalytics.iov1",
+ "api.loganalytics.io",
+ "asazure.windows.net",
+ "region.asazure.windows.net",
+ "batch.core.windows.net"
+ ],
+ "excludedhosts": [
+ "schema.management.azure.com"
+ ]
+ },
+ "no-hardcoded-location": {
+ "level": "error"
+ },
+ "no-loc-expr-outside-params": {
+ "level": "error"
+ },
+ "no-unnecessary-dependson": {
+ "level": "error"
+ },
+ "no-unused-existing-resources": {
+ "level": "error"
+ },
+ "no-unused-params": {
+ "level": "error"
+ },
+ "no-unused-vars": {
+ "level": "error"
+ },
+ "outputs-should-not-contain-secrets": {
+ "level": "error"
+ },
+ "prefer-interpolation": {
+ "level": "error"
+ },
+ "prefer-unquoted-property-names": {
+ "level": "error"
+ },
+ "protect-commandtoexecute-secrets": {
+ "level": "error"
+ },
+ "secure-parameter-default": {
+ "level": "error"
+ },
+ "secure-params-in-nested-deploy": {
+ "level": "error"
+ },
+ "secure-secrets-in-params": {
+ "level": "error"
+ },
+ "simplify-interpolation": {
+ "level": "error"
+ },
+ "simplify-json-null": {
+ "level": "error"
+ },
+ "use-parent-property": {
+ "level": "error"
+ },
+ "use-recent-api-versions": {
+ "level": "warning",
+ "maxAllowedAgeInDays": 730
+ },
+ "use-resource-id-functions": {
+ "level": "error"
+ },
+ "use-resource-symbol-reference": {
+ "level": "error"
+ },
+ "use-stable-resource-identifiers": {
+ "level": "error"
+ },
+ "use-stable-vm-image": {
+ "level": "error"
+ }
+ }
+ }
+ }
+}
diff --git a/dependencies/infra-as-code/bicep/modules/privateDnsZones/generateddocs/privateDnsZones.bicep.md b/dependencies/infra-as-code/bicep/modules/privateDnsZones/generateddocs/privateDnsZones.bicep.md
new file mode 100644
index 0000000..2eae1b5
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/privateDnsZones/generateddocs/privateDnsZones.bicep.md
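Review bot: The `disallowedhosts` array under `no-hardcoded-env-urls` lists several hosts twice (`management.core.windows.net`, `vault.azure.net`, `api.loganalytics.io`, `api.loganalytics.iov1`, `asazure.windows.net`, `region.asazure.windows.net`), which makes it hard to see what this module-level override actually drops. The module README in this commit says `database.windows.net` and `core.windows.net` were removed to silence linter warnings, so this list is the record of which hard-coded endpoints the rule still catches here. Keeping each host once, in one order, would make that reviewable. `api.loganalytics.iov1` also looks like two values run together and is worth confirming against the linter's default list.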
@@ -0,0 +1,166 @@ +# ALZ Bicep - Private DNS Zones + +Module used to set up Private DNS Zones in accordance to Azure Landing Zones + +## Parameters + +Parameter name | Required | Description +-------------- | -------- | ----------- +parLocation | No | The Azure Region to deploy the resources into. +parPrivateDnsZones | No | Array of custom DNS Zones to provision in Hub Virtual Network. +parPrivateDnsZoneAutoMergeAzureBackupZone | No | Set Parameter to false to skip the addition of a Private DNS Zone for Azure Backup. +parTags | No | Tags you would like to be applied to all resources in this module. +parVirtualNetworkIdToLink | No | Resource ID of VNet for Private DNS Zone VNet Links. +parTelemetryOptOut | No | Set Parameter to true to Opt-out of deployment telemetry. + +### parLocation + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +The Azure Region to deploy the resources into. + +- Default value: `[resourceGroup().location]` + +### parPrivateDnsZones + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Array of custom DNS Zones to provision in Hub Virtual Network. 
+ +- Default value: `[format('privatelink.{0}.azmk8s.io', toLower(parameters('parLocation')))] [format('privatelink.{0}.batch.azure.com', toLower(parameters('parLocation')))] [format('privatelink.{0}.kusto.windows.net', toLower(parameters('parLocation')))] privatelink.adf.azure.com privatelink.afs.azure.net privatelink.agentsvc.azure-automation.net privatelink.analysis.windows.net privatelink.api.azureml.ms privatelink.azconfig.io privatelink.azure-api.net privatelink.azure-automation.net privatelink.azurecr.io privatelink.azure-devices.net privatelink.azure-devices-provisioning.net privatelink.azurehdinsight.net privatelink.azurehealthcareapis.com privatelink.azurestaticapps.net privatelink.azuresynapse.net privatelink.azurewebsites.net privatelink.batch.azure.com privatelink.blob.core.windows.net privatelink.cassandra.cosmos.azure.com privatelink.cognitiveservices.azure.com privatelink.database.windows.net privatelink.datafactory.azure.net privatelink.dev.azuresynapse.net privatelink.dfs.core.windows.net privatelink.dicom.azurehealthcareapis.com privatelink.digitaltwins.azure.net privatelink.directline.botframework.com privatelink.documents.azure.com privatelink.eventgrid.azure.net privatelink.file.core.windows.net privatelink.gremlin.cosmos.azure.com privatelink.guestconfiguration.azure.com privatelink.his.arc.azure.com privatelink.kubernetesconfiguration.azure.com privatelink.managedhsm.azure.net privatelink.mariadb.database.azure.com privatelink.media.azure.net privatelink.mongo.cosmos.azure.com privatelink.monitor.azure.com privatelink.mysql.database.azure.com privatelink.notebooks.azure.net privatelink.ods.opinsights.azure.com privatelink.oms.opinsights.azure.com privatelink.pbidedicated.windows.net privatelink.postgres.database.azure.com privatelink.prod.migration.windowsazure.com privatelink.purview.azure.com privatelink.purviewstudio.azure.com privatelink.queue.core.windows.net privatelink.redis.cache.windows.net 
privatelink.redisenterprise.cache.azure.net privatelink.search.windows.net privatelink.service.signalr.net privatelink.servicebus.windows.net privatelink.siterecovery.windowsazure.com privatelink.sql.azuresynapse.net privatelink.table.core.windows.net privatelink.table.cosmos.azure.com privatelink.tip1.powerquery.microsoft.com privatelink.token.botframework.com privatelink.vaultcore.azure.net privatelink.web.core.windows.net privatelink.webpubsub.azure.com` + +### parPrivateDnsZoneAutoMergeAzureBackupZone + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Set Parameter to false to skip the addition of a Private DNS Zone for Azure Backup. + +- Default value: `True` + +### parTags + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Tags you would like to be applied to all resources in this module. + +### parVirtualNetworkIdToLink + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Resource ID of VNet for Private DNS Zone VNet Links. + +### parTelemetryOptOut + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Set Parameter to true to Opt-out of deployment telemetry. 
+ +- Default value: `False` + +## Outputs + +Name | Type | Description +---- | ---- | ----------- +outPrivateDnsZones | array | +outPrivateDnsZonesNames | array | + +## Snippets + +### Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "template": "infra-as-code/bicep/modules/privateDnsZones/privateDnsZones.json" + }, + "parameters": { + "parLocation": { + "value": "[resourceGroup().location]" + }, + "parPrivateDnsZones": { + "value": [ + "[format('privatelink.{0}.azmk8s.io', toLower(parameters('parLocation')))]", + "[format('privatelink.{0}.batch.azure.com', toLower(parameters('parLocation')))]", + "[format('privatelink.{0}.kusto.windows.net', toLower(parameters('parLocation')))]", + "privatelink.adf.azure.com", + "privatelink.afs.azure.net", + "privatelink.agentsvc.azure-automation.net", + "privatelink.analysis.windows.net", + "privatelink.api.azureml.ms", + "privatelink.azconfig.io", + "privatelink.azure-api.net", + "privatelink.azure-automation.net", + "privatelink.azurecr.io", + "privatelink.azure-devices.net", + "privatelink.azure-devices-provisioning.net", + "privatelink.azurehdinsight.net", + "privatelink.azurehealthcareapis.com", + "privatelink.azurestaticapps.net", + "privatelink.azuresynapse.net", + "privatelink.azurewebsites.net", + "privatelink.batch.azure.com", + "privatelink.blob.core.windows.net", + "privatelink.cassandra.cosmos.azure.com", + "privatelink.cognitiveservices.azure.com", + "privatelink.database.windows.net", + "privatelink.datafactory.azure.net", + "privatelink.dev.azuresynapse.net", + "privatelink.dfs.core.windows.net", + "privatelink.dicom.azurehealthcareapis.com", + "privatelink.digitaltwins.azure.net", + "privatelink.directline.botframework.com", + "privatelink.documents.azure.com", + "privatelink.eventgrid.azure.net", + "privatelink.file.core.windows.net", + "privatelink.gremlin.cosmos.azure.com", + 
"privatelink.guestconfiguration.azure.com", + "privatelink.his.arc.azure.com", + "privatelink.kubernetesconfiguration.azure.com", + "privatelink.managedhsm.azure.net", + "privatelink.mariadb.database.azure.com", + "privatelink.media.azure.net", + "privatelink.mongo.cosmos.azure.com", + "privatelink.monitor.azure.com", + "privatelink.mysql.database.azure.com", + "privatelink.notebooks.azure.net", + "privatelink.ods.opinsights.azure.com", + "privatelink.oms.opinsights.azure.com", + "privatelink.pbidedicated.windows.net", + "privatelink.postgres.database.azure.com", + "privatelink.prod.migration.windowsazure.com", + "privatelink.purview.azure.com", + "privatelink.purviewstudio.azure.com", + "privatelink.queue.core.windows.net", + "privatelink.redis.cache.windows.net", + "privatelink.redisenterprise.cache.azure.net", + "privatelink.search.windows.net", + "privatelink.service.signalr.net", + "privatelink.servicebus.windows.net", + "privatelink.siterecovery.windowsazure.com", + "privatelink.sql.azuresynapse.net", + "privatelink.table.core.windows.net", + "privatelink.table.cosmos.azure.com", + "privatelink.tip1.powerquery.microsoft.com", + "privatelink.token.botframework.com", + "privatelink.vaultcore.azure.net", + "privatelink.web.core.windows.net", + "privatelink.webpubsub.azure.com" + ] + }, + "parPrivateDnsZoneAutoMergeAzureBackupZone": { + "value": true + }, + "parTags": { + "value": {} + }, + "parVirtualNetworkIdToLink": { + "value": "" + }, + "parTelemetryOptOut": { + "value": false + } + } +} +``` 
diff --git a/dependencies/infra-as-code/bicep/modules/privateDnsZones/media/bicepVisualizer.png b/dependencies/infra-as-code/bicep/modules/privateDnsZones/media/bicepVisualizer.png new file mode 100644 index 0000000000000000000000000000000000000000..37b0d74e4dcfe5328b807bf9737d61d624de0a97 GIT binary patch literal 69089 zcmeFZ1yCIA)-FnbBoN#ag1cLQ1a}WEgKKaN?gWC9K=9xMcXyj$!5Q2oxI2T(X_9>V z-~ayiuDW%lZk;+GRa4VLcfZ~5>h&&p*0VZ9K~4hY8U8aE7#I{ONl_&jn8)xiFt9fW zPk{f_T+|r=UymG=B!po~1_`!+AFjsgQYNypFm%8+0u1~ke3-`%hX5b`M=$@eE&hlG z2JYAYVPRl`%wd2re;p$Sd_Vks0X`4s{QibZfAr^Q;D70`e;xf8J{|6_ZP=TK(|*LK zi~?VXc9I$nFfh2351&U;N)(4MFoG~rqCzUJk9Jd@HW7+JyEd{TrAbJA(J?Uv6ICKH zF%U`8NmPZE%?*Vfiv@twgK^4yQ63}t!9If}3&q~*9BPydImK0yLLd!T1%pvG+!su2 zJ~oIx6P`@zPi@$ zW3?&%b;n$A(L zJz#r)-?qzW(LKqF-?Wv`Au0W&3k-Kd`md?P(3gSY~7v#&&2cT4hWQ6Tx>V)yjiFWVf@ z{O*6K*dI&n8%KpM>#r}PyuSP&4nao*?4YC#yvbk2?Y~=h!E_A3*1Z%;;Qagif9p#A zmfzp{^Y{AsKiPi#?UMgPAn>;}5cS!yJT}tt{Oa9v>|0BQu zeM{RRWA0N*VS%wa}z-(o(;B>87Yi!E#m3k?CU+d1*^&dzq_#`t3@3Wq2D;FA(j3?;iR4q-<-!m z^HKW@8_V z4tM)l@Wpaiy9{%)sC`C1c?C;n6YmZ z{HhV1o1QY^kh|?bGS@3@@5?oVi6RZkouB$E2qXwkr|cQ5Q?+VF&#hClG^0LKe0?l)mIS=k&X17W>uiF-2wn^g!2SmjyS2!DKF! 
z%8)?dg2wQtDKVw_v}V|(c?Ua%r7ieG?wj9Ed1xQ$A?i82V7~i(Ul$0jdJbcGiUup6 zU&~3TY|m2)IQ;nZBER%S+S;BehM#`Gx#zel2<3XOR_{5xnZk_B^_&AF;Q9cZwxo)4 zoca8hXgXvBNA-&;2f6dxO&pLH97koh6qa3!f3P7`;XXn^N`3R*knV|e87Sx^hF1CO zMrF0lD-aw2D5NtY=0#hc47^4&>I#>I%U>Tz!egpmjbd@y9;;c!=o2GHP_v^x{b>Wf zJu?WvQA2Rp7(}UE^!6Bnd+YZbi?70bBt~hjtBnFusrpGC!HZc^zn-YpAX@SmRuOZ` zX;PY1b5LD7DX{x9G;HK z*Un_y^PvX^eh=r_f6h7YII4migHRgat$xdsIQxV0lRJIy`Eq?LfVlSYTf^p z)!^!MYwO0($ttjbj^YD}I_%icH<5Osr-U)$Pxvoaqu-cOs=r70wbV3&J`hyCUT`HR zocMP6IM!5BVrNdTgn|eb6BdW|+vc3demylI89{`TI_z)ACQsne0Odt5eQ8!$WiLbp zeIhf0KT#Zc0?c8-AeIiw|G4M*7Q+`4j$=Yc;M16qjIA|~0ERZtgVvsrr7z5O5qU5; zO)Q+ZoIf7OmI1`REg`r_>s4D7TGnEDH5mB^8ru^ToC#&eHD?^r&T5wYNXiihQTn z5G+K70LCQc)Gb<;(_8>Xn-zXrQgD$}HofFQniPL7+lck$j0{Cw^Ar0EB_qJtn7oO2 z@ro)1^7ttuTwuiS=P?1V>$()co?+e$ov^e-)#in_piDpbk^u)zA^RgglCn=9*q;v+ z)5`{qJ%>f`doh?P{#iPu$~4W3)4~7uIDpPjvKamNbb9+n|NDotfbX#)>8S9hgi$1U z2iSjn#e;FmYTdl0`Nue#2I^=_$y^R>5*G-6A}@dqwk%Q zz8}1Tc6n5T=<;EId%U4j__rTfWplQe^AMSUr{oZgO_*2ZxHZy`!T;~8d1FZ*%vo}J z#u~l1wNhdHejdM_dN6|jroQJJNBMzds-iXy>EmxJ_pb+iKL#coZ`wxmZ%==OP{jcF z(75Jm?cetKUr&dDkE8xTQpbyR_CNRhTF&Xlh$IL#yTxm5{{i?e;{`6TmQeQe57hpz z^I((#ij&5+jCfD}b%A76dChLO6x@<>wowvHs_?07X264=mxQYC6wj4l38O z(VA+8yZ|G~&)KQgow%3=PUbc%P02s`BM{#iz?4kYWb35HX77F z;|VrmnmOM;y7oBhv39=WlPTRPM#JYM+dZ!o@b_&8-Iiab^{~`kjC>6Tx+9E%K z%x%0Jb-%8u=*l+@6k%#AuwWg+dRf1~(@wf^PrhrnJ9%q!{6|tY)IYtRq#c|E?u>ny zCQ$X)Pbn#;Ezof2NLosYCPMLYcM&x`xCv-(gOupf^PcX0*|cgW`LE^RyG~KoDI^id zh{{iPx<6ZLgI9J};t}XXwU24TcjB>BZh5a(>z@BRY9JZfhR+B=KW+E-YEiZQ&Pwb` zg}hHJeBUCId9CF(q_t#uEhlw%mxK@}qXosa)A@CaL$L5oke??5_U1sXv+M2$`eDCU z3u|$$JiSrP6cxc)u4TJgkat6gVLHZcrSLtw(qa0dF0Oc!5!~zm?r-T0G5#82enkDX ziUp?x4yl>AQ#({#)wnb~+u-!D4kQu%Iq99nXKy^8?1O zhqotp)?YJyd5&D&tEuyTb=x35x@GctWJxA@5xcw9)OpuNVE(-u%?-3pJ}6sev7lc; z`p>d2pcvY{`?woHC0r(bCaco~!crvWwv)OT*@py{?($Kd?ub}cl0Rv%+>R~c=e5WjXz#kWSDv~Wf|TKx8;Sgx<4;6U9MVk`a^kk{ z<=27U^wvr)*ho3^MC;%iNa)VqxTTcqxu!##h6Mj}Z?E>mrEqFBRLPGxE14vJsS&!_ zOW34cFMZcZUkU$5^e8*SmJ=2o2i%*%WoI2J?J3}Ev5N!7*y|QPi#MM|eme~O2l|Il 
zdgDlc*+2{46|!z4eQq4DX-`|iQoW2Ctp?S>&(KiZo1xLAvo6!1MQs79ey`{*>Ikgs ze^@NRMhtbMlj1giaxl7@hR1v!lhaN z0oT%v76`4hdARm*X_QPs?01tSYg{!Qr}3&pTIC%7`@3^+wOY@m6BUciTwU4uf=7^U z&uR`x`@PtZSH&1lLeSRj!6aIf@z&K&DOwmFb4`S7<(?!};-c62e0$^K?f&7A)xBc8wqn;0A`c+hei^{q81$c4~OeRDk5?dH4e`K_e7OYVG|&PEE(ox>iE!Pc@^ zIoXdAe8i%PUOEF{I23a6PYCxn8v^Y*F7v8JpOaH1^t%XMkiD*%t_6Oc&Dx?pgq6DG zfxDy4{69aywWSMvY+H-hBO>y-IkGW#c}Q}wsO1>OynxgncTcqt6^|8De2= zVazSh_nXfb(#O95X(Op_gRzvF+RqJvdpC9K>hX~_kKJ;KDYuOjq>RPyzHmJAugcS2 znaUaCNT^t(d7U9rr@9(i3Py=ujD7I^T|v^K zMPczXzp*Ow(Kal3-pC13uricB-$(&=uq^;-6mp|10K0fO=pqdE?(=@?y{()keG9d) zjAw2*o9WBxO%(9)t~+SCE+{7RdcxFvIzn=<3MB1PTYLwozCbn|nc}&ciYr_g*olbl zngqlE9T9DPlQu82otoVlQQ9Xr3DurA^f#%tN7?nRLmcNPvc=%*MIDj3<7)TZEmO9W zxybzi=17XckL2~O>5{b(BYqH{br6xe*_-8Ha?EnK%lpK!zQ(Pbq@1ob79y|H;e3`l zM_QS=F?+qWA@!)|g~39^lxAItZkDJyIv;P}ltHY1IoNbI*!D?HW{i;*Of?;!m0r2v zrmk@IjGXHA}2d+Me}B%`64KlQNj;O3PdB;MTgtdzO0!i zMbNypA|2X=Urx>{na-~%yCn>HQ#+&ijpPX~)3|7}MQy+{d$!K)URuqglD8@CfkAeI zA@?O0j?bLYd|N+04LX4c2zVYxr}g8&RTdX)9MpnutreKF$Z!%#y-t!AkK zuv|_ZaO?A4s4v*}E^1P4UEpT39^^kjO^A7QW;>WC;lno&BLHO3JPDSWxZHaTM?%BC zxG6b?_zmV;S??>a=@lgxA90U#$`bP2TWPFErs$8a5YleaGg5igkQ6%jYtZJqF0 zmj;ens0Rib5WD{L{gyz+R2i9-_>`4d$G(ShDMndNs#6ZJN8q9r?Krd??U#>bgLkJs z@w2}0ZEjn_)5GJOaw_c~p17Kdydaie(u^}$Tlc2d%;BjZ6>%NsO*U}Xa zn7e{cS3q75qG3LgxcfwT`K5NwUgiSgbBBe>vs)&&r=DO@tLxc+MLIqqc6o(4ge{VI zx9OZYN2!v1O@@7QjU_a!n{|$>}+-^?@n#NH^g%|uR(9S3+w!{ z^vk*F=F_Y#x3oe=<5l{)M;Q_VJ^6QvD%;8o+MijQ+u+H<+yeLn_8F}MU@NoITmajb zUN6mnzYACn#|DLtd6&icd|qNY^27Bc+nmUR*jSqdCCn74#4o78_Zb33_;A6F&2#>X zV&bO*wUahd?ZKwahi@--;stsvI_5o3I8gcl!JS`w5rqS{S64Hs?I1g43%=!s9;Z5vNVOoi{S~7%NT!o(u)5ys-LURP2OI9uJi)Jt zoqUdm+I+ZOHhQ#(8cIarMC`kp;b2)(ZzA@2udE$40M#(%!5gVL68(0i`Y#@l!MkBf zV{S^~qDMZTLSikW$dyK;E0F!Ri#zYU77NOuZ|FTzM9WbdOW|>`sRK+)8(^9zrB0Pz zavvBGU#q(=UN7LWzu)gqc-5|Ve>G{>i33ux5LVC%BCwZq?c!O$U>`17pB++oR@_jK zI%W~IZZ~TjuhTYFZZx{o1VAlX7c0c~>WZZ$Gxb0Hke)G|UdrfQDY@=dPsT7Nqr|4se!1K6fW+eJPd4z4W=~(ocVUehGTR__NL{dF5=R>%LfN$aL{~?x>E}FR)|>wU@d&_qcA;&*G01+PK&X;^m^|YcF{a- 
zmD~&=>$O(EgRl~wEgkG}&RQww>9z*|W(ShKv@R{rfBDWL`uJ+W%*i130cIIGFHuo) zgEH;Z4{3`7Fa$zkkOIANe5G4)^~5t^7^@1e;!nkHfiVlv5|`}uMUW1MM&Q;S>5=A= zhI7zx9EcU1=##Hb|SCAItc?Gl=g`XDoO!}#Pl z)_K8ggG5jAK$j8wXh-j!n{Y6Jk)CHwIl+e^O}*W#k8+We0Zg_7?pd6%?_(UbSS_6g zTtZ60&G)DL=-9@2j3DAr+f%m3&jm%A*TQc1Y<*-RXa$!#u;h`CmtrQ9 zXC`$$tcS+L8YVPHxp#`N763PnTX1>3cu&L*CPjp01!BWbOH85`AJwpkxJp1|PpDSR zrJP7fgoFpfxOg%B?hfwnm?fvmyeuTiKI=AsF9&Sf4!qABtE?HNNxOO>IvMe)Y6?7O zQ%3EtTaG?Ec8jr!)GoO199EZlG2*=O)G82Bbbm@bZE9`B`qK6zCcwp2VCCQ)jU=-fQ%FQX2u~mlv!0UrA^pdy_@Q2;;Ee zofvD{QglZQ6J)yx9Nyw5&`7jWBYIhAMH|Xsk9k#ONs2RiM#*w_?T)ghxU?ZszYF77 ztqjyoDx>P^o=r3TPy*Fjyi&U&xLh%0%2i*kSa<4A3R4(dc>sn}b4+DDrL#-Dp@jkC z%l(m{>(rE#(hb2i#-2x2my{e7^YWUyZ_&rjmv<{6a%o0f9sE*)@fVCdgIpWQhq(f` zJ;Y3_P{L|rR!lgk(at&e-iwX|?-}I_J~&`0TXTbQa7PokV`CZlh=GJv&z+?U#O z<0et-B&tul?DZ5G`QUmE(O?wKhe7+kIl67Ei#rTCd(ir{9Ds_O1J1vRYj=Yi0N7pG zU~raT%F5!&RT2C9<&L&51|cFELJHpPA0EMtRFt+{S!{Qi zEpQ1?m-`b;M{RiIMUNaXuZ!fMux}C%G!~<39b^`oJ9&nIZ>1=G>^>&r8TbH#y$rpGB7GkHE>-ZtPlb4n3Dd2=ozjYaZ%kL%t+S_^k zK~&fWqN?j%eDlg_0r%w6v$^va|1xV4=gdQ_t=c=D1Ob=)$DQ~Cu#p+^TFN8;`B%}M z^A}^o6u7T*6YQH--%a-o>jfkyXNGgrS=B8CE{!S6%j&7=BA*(Mi{vlihHCc7VA534 zCBoM=)i{Rh`rA*8MO$IWxj7L6HJtqRuTJbmMFj9%`WB@sn(sStc(}qa1x`e>44r5! 
zcF2h@B`-E51QPEqRo6mOM#pcLOY?e*o^S3bQzT^wKzL8yf*Z4sw>c)EI9iVs2E)A- zw4KIPQ~Y;KKBNafLy?I8`4tDQ`4$szjd%O0eEC6CEHSsE89txpu1CIorbL7sIn^$~ zFQzfRlzs>IP7vH+%bVT9&QkIxYB1iLc^qvE0yj=mx3dC>aG-D>Rqo3uO+=8NT7FjW zjo$4xs4v9#j^I)dQxkj5bU9F<#3h%zd=1W|Q&3Ot;0Lqk64Fv-+HKKdN~)#eojX|i z3vDceA*A4yC{w1QO(C9c$2Zzho_$8b+ntqI$7HM4pWBa8cZTMZ(t3g1 zqOV?oRk_hI$~c#WceJQMh+U}QZcmn^`sIG-e*H!F#%Om@35A%ZbY9It7%Uz(m)2fz zQAyPR7kXX{42EB9ltre!7ibfqkRs({^HT;L=kcD5mp!YrJq0htYM}bcMfi2TtYBi>6A~X^FSDRy;*Aje?XZawNZ|)jS+Rc6V z_?mS63uxsEI-$=CImfqeR7XB!S+RHDPN{NF4?L#X zdQnLu08y7W3ku9L2)of+9$<#GQ!5DE7TttL^-Er?v7=QJRn2!^izLZf6hi;2& z*hTtWXVJXcVeWkwj;Jz_RuZOT5;Ho zn+=pQ)xl=sT8Uvf2saj?GlE|Z5Nw`YE#11MS?mm)3?~-ghY}aRdV8SQJUdpOdmc}A z#NISTwzY~x^u7b5&&h{P`L=r7=;&)RR7uCtBRu@A<$fn=LUlN7lk5(>CYGW*c7};Z^BPR`hO>fk(PR%aw1)qX+?_tQ#4+PX8Q{x_4~#-&d3F##MJ3T0 z)ho@yPW_|CSzBvh$HXwb<0Y4o##0#)HA?61C1s@~d|j)w(Ucy6yUOh-m;}P`LN4`p zx$vl#lY{440`Y;#xLgISR63bZ0*mmMT&%h@<8yAyv>U@}4bgCRQwBlV;otm4D7kv$ zR#lw3SP%=rjWzB}r#D*~<;0j1aquR^`?&}_lw3-ff@=zsuku0DQ&QNqSsRMNE}%et z&-GVnTVvP7^*|-?$7FT`2WV9cPe&z~L?tFY5M$@5P=pu7yfT5K`{Ku3Dj#0v&A0jOi$LG|nQCSMVe zT_bafZCYt5#X~nK!=Mn~lMRSGdB%Rz$)KFr+K!Yqn}D)k$o7dy_^m|?rq@_~aSfvs z`mhRDqNQfaRH%wFpZlWbNO!`k!8hc$Gy;kls;NFSLZcG3#(0$FR|WGH3vZmR)2i7v(A3fw5*SMa@@nx;E3ILq*Rx6jxs+GT*Xbeo<<&AKQDD0+$#-$YkT%MP z2d@W|XVt&;95HR~U@(7ftA;$rifF%`J^rpe?sWM?1oa0sU$^%~pnG_wVS36nV8R(v z(mMDztZ~FlrBKa^dQPHgb~*(sHNrF93pznQn4dK{q&5dawHnkAoiHOQ`)PZ6j!&wx zc*t+Nc+Nv7`a^w9YP>IK=-Q$Pw0F2_y{3x^+IV$mauJkda1AWdrXNr`GkD+ZkAeQV zY8rgnwyvuWt5sr>p@bNzNKf9#ysNU!lBm|8#%11h{GaF~_a&)DgBUXPA(>-nvSZkj! 
zBGP3{&5--a%gO=?{CYO6J!BHioej)4e2ZV27ur(9ea+|&89bluV`?mtF-+$UrhKBQ z|502j@8ng^QU(6jL&7-20nW-0Vccp|k{US|hD3(!Ud?AO9R>Tw4rRWT2O`|vN83FI zt3!=y#KL4rA({~eC!nNzum5y zz%qtfB4jtOQjTqA>oW9w8(F59(L7!{2JpnH`7N2^v8)j~8pSe|3Q{Dx%-hr6fGNz zWv-gx8N}b+GmKKqZ~eBc;@EpZMoik3rwCc=A@%)CQs&x`clfhxylqc8H-PITE`Kz%CcDWc>-?3KWNxjLa2Pi=Bdz^Ft@U-`yoCkYy?5!^O)A5I#NpdC z{^nJ7-YdQ(9xD#fnkj;{1}fQnCF`i}n?Aj}3X&%aKKHj<=tmYiTl>cgXni%=iez`S zUx~fb7%kH{Cet&tWs%1unPll>sKaNu0MKg`sN#A2M3qD@(mKwF$J^T;|4>?qVSRbF zi+_AJ&05*RZ(8fj+o)Qv1U1>&%7J7D;$NA4S321lNP1nG=fvr${1|&)?X61Hv(vU? zX2zHJ87tnx1_NOmLCQ0i-i2H;($I=4qv>vOJ$d;JW`O$QhnSeGHSANv=E!PVYbP9L zOsB!pS&Ch(Yq0Yo948=mhuaAk}EXgo(*4Uq|(n% zMqw?fx-(ppzFh4b3^4$!yWR^GF2~7u?^__Yb$W7KUb#gEW^XUPi+tOiY?z-?o&jtAcXJN=I|Wz4J~f4Z;2=D4hQnT3l?jzh+lvD#>%XriI)7W zYI2Fh723zB)yZ$ecxha8Qhw?C;HcE6w?jv;Eh&1^MW7cU2kwD} zrtc=(fm)Cm7Hp5*5Uq$BsyasGYdM9ELFYxzH{bHl9)Ss(|rQKP|0W)%Ir11dB z$HV-LjkPR*c}^lu)gytwL3cy?-AHf2@j-=f)J--(`FgE0Co1AeiJ9;-ezHWoTK)Ls zM*7`Y26h}a%H)2Aj2e28e^A;>d4|_BX5=E8=f${t!P8x(*N?$E-{4!FoA&pYrJCm@ zfb!b)l$u&4;`_Cl*zq{M0`2+fmCI_Cn%7#OGY4Hps(#gmfx^rYuX^iKZGZi26PN1b zgXs}z>sShuld@H6^RwktF?7v(!&#*zD8BS^wBEapg9u9I;RC({H+k-^WOz~(@^0=X z!y-3)8Ls+rZF!gJ$j{F=OPse=ONqnvwj5G$ypm+$i}852f%4nT$M0?Lyj!)R+)iwK zw)4yMhcn`uHv@VQLXr+zsFUyet5~Y5L{Q+fy_2kaKmyN;6WtSwcL5@#3X6ttv6`t(V0{&m zc(l0;EbxvTgh|zW{wEa`{ z2R}-IAW7P9kX}nIX@5_;O9Rr@5dt14o#n`qMHDVKs|PWV`~KAHP?M)@PcGPM9bLa~ z1YQjA`&|GQ{a4CSd&Kf;^VdM?i{GEG>al&hU=T#u?;kf^@Kht(H(uKQhGFZe;F-h+ z!a`9`OMk32YIac7$BbLgn4;;O+Pj7As|voo7KUHevshSv;%jxA03IXqN@^M=Cqb=R z?jB}8B41gK* zART$JYMQjk?%VlGCu#RL_8gL{QIf_drxt4yK#`2>VyP{$BB07@s%nG8WGx4=S3K}) zP*D#AI`+Bj(;JEXB>!f~{}AxIZ;FM%Ppj$%40^V^iWAw3bP7!^-zN@m&N4K=EsiP{ z6RXlEM1(EJBoQvl-T&lYAg#<{OkZ57UavWGyrJ1LHW7|fnLXy6Vz~jTsAkLFwrVx< z9{IUfyV$ZzAc$$+q_9FAaW?GdZPRKvHI}&(^un~yd=QU0%S^q5%X_-QEp1JE^KoHM zE_4G=pv$1qw(Fso4zPAMXPJ3lnWWf_ z`_;C+q{QX0jN3`$Fmk`xBbR5yf=lY$jQ0>#-LruIcp?j<`%`34li3Nf!rS3>fU@^5*-84JpiLv_|BHMA^F8gs%^GzAa)mZCGXm*?(cMMf1T9LVIOx}1h)b0N9O_R_g$ 
z)urkcc%_8k{e~Tem+Sor%H2B+T@l237s&(N_5Fh%SNZ_DGUt|p0atH!M<+9&0e4k$ zZ5Fw3Jwejs43!(u(+v!Aad=r?9R}kxB-yjQ6qS44d@EYT!`a0<=T3;Zy05Wytgm<%e6?* z9l-jfV|bpCufFOs)2KUIb5WmnGHBbuFF==pv4>;1LM?D9we+Qx=F*CHRyU~SICf}U?gGEx>>~dv{Nf%D>R~!p_a3G8;}cQ^MBg(nI5puQ zwsDL+&S#~#ktH)V1&vX0w2a@{A-CtBZ9T~!c*pgVwU_HjK>*vb-0p3pGXIs-$&ZU~ zl$vgn>yEU^r_SQ2ABfcw_-xWRMAhjrw4&@>mICnNuoqO+MC@y|_903LN<7*j(Y%e!g3kurkfD9?73*ZzIXU|us1T6(Gv; zrY2Q!fVp%8NXOR^OIT?aqPdVWq4rXjX=A)=b;li0P_+8&IOz}Xsj>_`G_KVzbDV1z zdO+zeCER>m6rhg6_|{N-c^g@72IXky2#X8s>0u`sh_dn74Y6DB(L-d0zIYzxw2;)f zYg4W~T6{rM@_-bJ@$8(2tD5ctmCvL*Hz9>gxPHA6KT^(jY!I^pViQm!bdBR#J2-94 zMRSB8kT3Qo82!?ae}>62TD;G!mFv<#^BoyPUQuF&GG03>Za9X$lRFLaX62LJLnQ%f zd}#reKlZSudkNONGz#a+8Rg>#iYz=K&eO-$o~ZzN^$kz};87)AtWL~#=T4cUARZ&# zhkNX}=yZSL9md{6X<&i`(CVz>lIR~5;bRod9RCm^)8W{ga?|1J8Z@3QhF`7IP?FyT z5Ns?8WV#s{DcElvOekJZDO3^8OCm8bDJiR~;RtV)&5#(u3n1cW`;5wf`hz;;<3dQx2TBaZ!9oJY@xq0BijhRGlT`i znw>Gx8Gvx_{zbAH7-vKLoka;Qim$3@M)HWj%@Ufkdwgx^cJvC}BbD$nR|`2}MB`B8 zGIp=4Q%7Ty>!M-;5$5Hst7_r&_1c)|svfGOtP?z`Hw^3O*H=vlMJLAX--3t|*>IAi zM}h8zuQMiVP^--ZC6&DG@!QL}4gPpJ-Th1+oX$-#d!97LUwT6J1(`fGvY*)%I(NAg zf_FdJgZJ_yb#(aP36VP+Z(W|e`rHpi-|6d&Z%uKhE!Tj(OdQ;!1`A0cxtU#T01^6# zIX8BayoT`@*E)GC1wn885eD?7O`XBejlKJ%R>O8dAwyDQ^-?bP=B;$Ij|ZL9+=*1= zr>BID3PYan0ct-Zfl}^CC!Suivwok8Lf18*|95Tg`?{aLh`*?#BTv(AapLTGIt@5c zB~n?!<>{SxX0q0vC{M{ti^Sy)PmYw*PCn1vT)!t2Kb=jL1bvBrFuZ^3Jf$7wW-Y@q zW*aVjU*YYjoAP-fH&XRZcf0nZrwk^%A^8wB=f|>KyEt?xc7oxw=U?^W(fm1SZOiuzM zr72>JOoZc;`DN>hvT))VOCcIvRP;9a1G{!wT#3`G8z-aXnn5*^G^74K_zfpp@;=!sglimYBw$0KocG>^?~$>pVRWH6EY82m?lQwLR)4ZzY_k zWONzvn8O8NM>)a=`3s%+>=KAkUoExQEZR~c6zHCyIlUc?hzVsl-Efh(TktrLy%j&n z7mpw!Y&p$l&X%RcKYSU2Uce6U$>sd=&U!#6WVvU?60_Z1y*ay^L_1^WYpd;MSrObJ zu@ujUoW>Nl(wI%%E-hlOq@3kIwGZX_nVteuVX3=BPve!iVh}_o)isgPG>tOwYD>?` zN8WaPt9TI)KuO-pDpEJ6qIrnB&+yL#eLz4bectCl@~!tiwo=A8Hq<(vknyfG1=Q40 zLB2r6L*2*-lE`0aVX~B2yY;?Ko(B~yG#TA__HD#kwt8W{KRrH*bajiTWt9<*NQ+?B zl0$O4(CyxR?=>M^g^5$CXzylREiac%pvV<8O)*R(kF3J}l`6p-Iu5GL%}Pu2xw~`> z7skRqc_xKC)SpqY)=MHpQEhC;|g6$?P{~Z^FrLdu8nzNiUSs 
zu2iP&-JIW@n~PbaIGvvmnDlK{?oOOAzh^(--$-fae?WEiMD-WaaoSUEp9Jyfro=g- z5A2l7_|Ut7bWc`aEkQ;XwW*$*eWg5lU9{AaDA6$IAv=7J`F^Y?LH5|UDyr=Kc9mJ` z`H5lrLS|_4=yjvE()6yKxsINjQo>6bZx#REJQ1#>G1^__1*oyx z#${i{&IdSDNuF|B$Q=i96KZ&J(j(pLHWm=A^yU(L*Ra*}Kk&qyqu`&xZ5I{XfY z#xQA_V49@6jjx-&$s=}TUY8pL3vw_a1}w$eLLol_4V0nopy_{R%L z>9!wLlRiemV|v>uFc9D}spAqLLF~m2X_C8UZxWkq1d6ZOie~tC8SYi?6@&2~vx$@- z+z`2PMZ#@HJf4?IEYq264QEPH{rmMBsVoL<{#9KH!-@7Z#<}uom;I(n)Kblm zL~@1Uxalk+hY%A(W>y&oRFmkyTeINLRuiurZ3Yz{qwuu=YjZ@oa*}BYlFEoPWC}g* z)fiVWLAh3xuPPDZ4E`7%FH<2xmWx|I%=@MRvOOL9Gf%2*;7FDIo7lZE2(E^66}wQv z6PST)&^Aq|;Nr*Y{YFS=7T@I^_p_&LFT^N&rIb6CfyN&~Y=eAVE5t2ss_TwvNMAxe zSu<0ZI`o9ixNq8Y+St!UUYz$U-!GoqSb!kgC)cZ9@-|td1!PM~?;lq^cJ<l7KQ8)C6YKc!o6_4G)GX2V3h1)S{IdaWP z8Q(g15I-JcoO*-aC2fB>$cqK7QRj`;C8A1y9y#&!O>xnKb`8C6 zzt5r0ci2<;Rr%XP_-V;`7KcSTrM_@fHLonk~0mTQ<#3)Ve2e0F$r9BD~o5f|zgy7?~Jk3%|e);0#b9F?v-ap+x_CPPrx}o`ZIk9Xf208o@ zMw%L^bKa+HrHywx6%Lw~mdge@B^Kt!^k(DPjCB9haYKXdYFRzJq}P*6DldSu@XEw$ z*q{R`T2!IVy{F4TNfVLs0P7MR�n-t zw&ZtKTKi)qOrFETy(cRP-$7e71nQ6b& zs5v=$Hp>6|iKV{)`e@Epb=V>yHS-2Cy7QQb)!?ZbT%H0P5}9em{uYZ_8W%pdPrWJa z@Bd;J0@+^!=4SlZS;^{T&tZqG&eyj`b1nfb2B$m|$hQ3ncqUD3vMWJ5Geog}bay5J zpt15Scwv1HwYD@cbW&3eN>ScZvsR(Q*PI`p64Usnp>3$sr(s`j61Gk0_EC8sp;$1r z3W+=oy8HOlpX-%LQ2i^tlc1izCOISqNJIx7bYf1W5Q|x*@*~_OTZjiVs~J_BIniKI zPJW=hqHdMsBDc_jkFloO^DCJ6y(D}`;3;5R$S+@#sFsOt&o{cLyR9CwxNd%7*%^Pa zG~jk36SI!~ms+m@Qi>xVv+jz1k4}2z9g3(ieXCQRN#vy7I6kH-$6nO{JWnlVi*4Tf z`Y|_xe`=fyj{DvlqE%~viIZo|k$>>)wym2rv+c&s)?cIaEzk}ytvxb6Cj1WpWMINm zzy11UArgpbYg<#KcuB;v-F*AtOHII67Vu#ENed^O**G3>)Qad+HQ^Aphq+`>0&OO6 zXXm?_|SeoPO0m7mv-Tq#GeKW zKDl45M=ODl;_|fw=cZEH?y{`+Ua0mu?MIp$QyR(2KotV&)`hIurwLgaiHe9jB z0CU~)VQgF8kx`V}lb|V^KW_~5wW0jgi!>p=qh9~37m2Wx`L1AO^E*=_t)e_F5Bua9 zGmqvi*tx}8_2cohbCC(pdf#lhMQ!Iy_r%I-&H=H2&A`ib5p#K#KiYe~KIZzSYvk4nbQr@ZD{jg=IKuJBawj z)hXqEYbELLejq6MgIG%Skmj|brwPWBMm}vX$k=AgP~w^>ON=yYO7-&8MxCgD2cdiK z9@iN{r`%#~DxvB;HH#83GcB667MUYv9h$Stp1re$bj__P47UXs%$$_^cZT6gm=ZtvW1Zan0P7^L0I?kHXjPiE2x>6d>9wrg 
zY^lvWd@D)c=ydzt&CrC_U}T%g0_o`=b$M8Kh7{>G<9pG1*dLSWpJ%3cT|;-@f*)fv-9F6kOQL8XlQmzD>KwqOhG1zAlPe1jOkP5ayV_MCkad)%Arx1s0 zPusE`AT12!$jvq_{qRINKK#S7e;6i)tW1oJ-L+a2E>Nu2ck z30#e%to(mG>P!fXw50sPp0p@qB}A0btLCIai(V_DcsvCZKW#YM#1^|>>8t{3jvg;A zo}MAx8=Kw7EwlxYLS&$hpv7hl89B@(zRhC-)dJS|!TCx0GTX^_8n^psZ?lPSAPw}|{uQvutSF7R}D`zYU10sBGR=&9$ zEGz*iJ<0>aSVntCQGyWX2?{e4k?{<4?Q~<02oy} zXTW%92fREY*SVW0%><$b8&w1aK}rdc zlx~#<2?>z~=@vw~1OeTYAd=GE-3_v75D^iOZV(V9H{A_q-Js8d&w0)n-x=qN_Z{Q+ z4}-n;9c#_C)?9PVdChCuZ7+=yJSZZ18FtEK0Wd(pA6g~I77Tr`2@h7kOR^R^fDF