From 8f97953d2e0fba4c7bbc3f6a5a1f491899924176 Mon Sep 17 00:00:00 2001
From: Alexander Mafi
Date: Thu, 27 Jun 2024 15:35:22 +0200
Subject: [PATCH 01/24] Update system_schema.tf with workflow schema

---
 .../public_preview/system_schema/system_schema.tf | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/aws/tf/modules/sra/databricks_workspace/public_preview/system_schema/system_schema.tf b/aws/tf/modules/sra/databricks_workspace/public_preview/system_schema/system_schema.tf
index a95cda5..617dffb 100644
--- a/aws/tf/modules/sra/databricks_workspace/public_preview/system_schema/system_schema.tf
+++ b/aws/tf/modules/sra/databricks_workspace/public_preview/system_schema/system_schema.tf
@@ -12,10 +12,14 @@ resource "databricks_system_schema" "compute" {
 schema = "compute"
 }
 
+resource "databricks_system_schema" "workflow" {
+ schema = "workflow"
+}
+
 resource "databricks_system_schema" "marketplace" {
 schema = "marketplace"
 }
 
 resource "databricks_system_schema" "storage" {
 schema = "storage"
-}
\ No newline at end of file
+}

From 420e98b0d41a2a4b0e975b1c88aad351fb586770 Mon Sep 17 00:00:00 2001
From: Antonio Irizarry Date: Wed, 17 Jul 2024 16:40:43 -0400 Subject: [PATCH 02/24] Added support for AWS Govcloud --- README.md | 1 + aws-gov/.gitignore | 43 ++ aws-gov/README.md | 137 ++++ aws-gov/img/Firewall - Network Topology.png | Bin 0 -> 161896 bytes .../Firewall - VPC Resource Map Example.png | Bin 0 -> 138275 bytes aws-gov/img/Isolated - Network Topology.png | Bin 0 -> 88140 bytes .../Isolated - VPC Resource Map Example.png | Bin 0 -> 103357 bytes aws-gov/img/Sandbox - Network Topology.png | Bin 0 -> 129234 bytes .../Sandbox - VPC Resource Map Example.png | Bin 0 -> 122670 bytes aws-gov/tf/modules/sra/cmk.tf | 121 ++++ aws-gov/tf/modules/sra/credential.tf | 217 ++++++ .../tf/modules/sra/data_plane_hardening.tf | 41 ++ .../data_plane_hardening/firewall/firewall.tf | 251 +++++++ .../firewall/metastore_ip.sh | 13 + .../data_plane_hardening/firewall/provider.tf | 7 + .../firewall/variables.tf | 47 ++ .../restrictive_root_bucket/provider.tf | 7 + .../restrictive_root_bucket.tf | 71 ++ .../restrictive_root_bucket/variables.tf | 11 + aws-gov/tf/modules/sra/databricks_account.tf | 99 +++ .../logging_configuration.tf | 150 ++++ .../logging_configuration/provider.tf | 7 + .../logging_configuration/variables.tf | 7 + .../service_principal/output.tf | 3 + .../service_principal/provider.tf | 7 + .../service_principal/service_principal.tf | 12 + .../service_principal/variables.tf | 8 + .../uc_assignment/provider.tf | 7 + .../uc_assignment/uc_assignment.tf | 11 + .../uc_assignment/variables.tf | 11 + .../sra/databricks_account/uc_init/outputs.tf | 3 + .../databricks_account/uc_init/provider.tf | 10 + .../sra/databricks_account/uc_init/uc_init.tf | 8 + .../databricks_account/uc_init/variables.tf | 19 + .../user_assignment/provider.tf | 7 + .../user_assignment/user_assignment.tf | 11 + .../user_assignment/variables.tf | 7 + .../databricks_account/workspace/outputs.tf | 7 + .../databricks_account/workspace/provider.tf | 7 + .../databricks_account/workspace/variables.tf | 
55 ++ .../databricks_account/workspace/workspace.tf | 99 +++ .../tf/modules/sra/databricks_workspace.tf | 156 ++++ .../public_preview/system_schema/provider.tf | 7 + .../system_schema/system_schema.tf | 25 + .../security_analysis_tool/aws/provider.tf | 14 + .../security_analysis_tool/aws/secrets.tf | 19 + .../security_analysis_tool/aws/variables.tf | 49 ++ .../security_analysis_tool/common/data.tf | 13 + .../security_analysis_tool/common/jobs.tf | 59 ++ .../security_analysis_tool/common/outputs.tf | 4 + .../security_analysis_tool/common/provider.tf | 7 + .../security_analysis_tool/common/repo.tf | 5 + .../security_analysis_tool/common/secrets.tf | 32 + .../common/sql_warehouse.tf | 18 + .../common/variables.tf | 36 + .../system_tables_audit_log/job.tf | 34 + .../system_tables_audit_log/main.tf | 14 + .../system_tables_audit_log/provider.tf | 7 + .../queries_and_alerts.json | 664 ++++++++++++++++++ .../system_tables_audit_log/sql.tf | 48 ++ .../system_tables_audit_log/variables.tf | 10 + .../admin_configuration.tf | 14 + .../admin_configuration/provider.tf | 7 + .../cluster_configuration.tf | 53 ++ .../cluster_configuration/provider.tf | 7 + .../cluster_configuration/variables.tf | 13 + .../ip_access_list/ip_access_list.tf | 14 + .../ip_access_list/provider.tf | 7 + .../ip_access_list/variables.tf | 3 + .../secret_management/output.tf | 3 + .../secret_management/provider.tf | 7 + .../secret_management/secret_management.tf | 11 + .../token_management/provider.tf | 7 + .../token_management/token_management.tf | 7 + .../uc_catalog/provider.tf | 7 + .../uc_catalog/uc_catalog.tf | 164 +++++ .../uc_catalog/variables.tf | 23 + .../uc_external_location/provider.tf | 7 + .../uc_external_location.tf | 114 +++ .../uc_external_location/variables.tf | 19 + aws-gov/tf/modules/sra/network.tf | 85 +++ aws-gov/tf/modules/sra/outputs.tf | 3 + aws-gov/tf/modules/sra/privatelink.tf | 321 +++++++++ aws-gov/tf/modules/sra/provider.tf | 21 + aws-gov/tf/modules/sra/root_s3_bucket.tf | 65 
++ aws-gov/tf/modules/sra/variables.tf | 273 +++++++ aws-gov/tf/provider.tf | 28 + aws-gov/tf/sra.tf | 77 ++ aws-gov/tf/template.tfvars.example | 8 + aws-gov/tf/variables.tf | 105 +++ aws/README.md | 4 +- aws/tf/sra.tf | 2 +- aws/tf/variables.tf | 21 + 93 files changed, 4240 insertions(+), 3 deletions(-) create mode 100644 aws-gov/.gitignore create mode 100644 aws-gov/README.md create mode 100644 aws-gov/img/Firewall - Network Topology.png create mode 100644 aws-gov/img/Firewall - VPC Resource Map Example.png create mode 100644 aws-gov/img/Isolated - Network Topology.png create mode 100644 aws-gov/img/Isolated - VPC Resource Map Example.png create mode 100644 aws-gov/img/Sandbox - Network Topology.png create mode 100644 aws-gov/img/Sandbox - VPC Resource Map Example.png create mode 100644 aws-gov/tf/modules/sra/cmk.tf create mode 100644 aws-gov/tf/modules/sra/credential.tf create mode 100644 aws-gov/tf/modules/sra/data_plane_hardening.tf create mode 100644 aws-gov/tf/modules/sra/data_plane_hardening/firewall/firewall.tf create mode 100755 aws-gov/tf/modules/sra/data_plane_hardening/firewall/metastore_ip.sh create mode 100644 aws-gov/tf/modules/sra/data_plane_hardening/firewall/provider.tf create mode 100644 aws-gov/tf/modules/sra/data_plane_hardening/firewall/variables.tf create mode 100644 aws-gov/tf/modules/sra/data_plane_hardening/restrictive_root_bucket/provider.tf create mode 100644 aws-gov/tf/modules/sra/data_plane_hardening/restrictive_root_bucket/restrictive_root_bucket.tf create mode 100644 aws-gov/tf/modules/sra/data_plane_hardening/restrictive_root_bucket/variables.tf create mode 100644 aws-gov/tf/modules/sra/databricks_account.tf create mode 100644 aws-gov/tf/modules/sra/databricks_account/logging_configuration/logging_configuration.tf create mode 100644 aws-gov/tf/modules/sra/databricks_account/logging_configuration/provider.tf create mode 100644 aws-gov/tf/modules/sra/databricks_account/logging_configuration/variables.tf create mode 100644 
aws-gov/tf/modules/sra/databricks_account/service_principal/output.tf create mode 100644 aws-gov/tf/modules/sra/databricks_account/service_principal/provider.tf create mode 100644 aws-gov/tf/modules/sra/databricks_account/service_principal/service_principal.tf create mode 100644 aws-gov/tf/modules/sra/databricks_account/service_principal/variables.tf create mode 100644 aws-gov/tf/modules/sra/databricks_account/uc_assignment/provider.tf create mode 100644 aws-gov/tf/modules/sra/databricks_account/uc_assignment/uc_assignment.tf create mode 100644 aws-gov/tf/modules/sra/databricks_account/uc_assignment/variables.tf create mode 100644 aws-gov/tf/modules/sra/databricks_account/uc_init/outputs.tf create mode 100644 aws-gov/tf/modules/sra/databricks_account/uc_init/provider.tf create mode 100644 aws-gov/tf/modules/sra/databricks_account/uc_init/uc_init.tf create mode 100644 aws-gov/tf/modules/sra/databricks_account/uc_init/variables.tf create mode 100644 aws-gov/tf/modules/sra/databricks_account/user_assignment/provider.tf create mode 100644 aws-gov/tf/modules/sra/databricks_account/user_assignment/user_assignment.tf create mode 100644 aws-gov/tf/modules/sra/databricks_account/user_assignment/variables.tf create mode 100644 aws-gov/tf/modules/sra/databricks_account/workspace/outputs.tf create mode 100644 aws-gov/tf/modules/sra/databricks_account/workspace/provider.tf create mode 100644 aws-gov/tf/modules/sra/databricks_account/workspace/variables.tf create mode 100644 aws-gov/tf/modules/sra/databricks_account/workspace/workspace.tf create mode 100644 aws-gov/tf/modules/sra/databricks_workspace.tf create mode 100644 aws-gov/tf/modules/sra/databricks_workspace/public_preview/system_schema/provider.tf create mode 100644 aws-gov/tf/modules/sra/databricks_workspace/public_preview/system_schema/system_schema.tf create mode 100644 aws-gov/tf/modules/sra/databricks_workspace/solution_accelerators/security_analysis_tool/aws/provider.tf create mode 100644 
aws-gov/tf/modules/sra/databricks_workspace/solution_accelerators/security_analysis_tool/aws/secrets.tf create mode 100644 aws-gov/tf/modules/sra/databricks_workspace/solution_accelerators/security_analysis_tool/aws/variables.tf create mode 100644 aws-gov/tf/modules/sra/databricks_workspace/solution_accelerators/security_analysis_tool/common/data.tf create mode 100644 aws-gov/tf/modules/sra/databricks_workspace/solution_accelerators/security_analysis_tool/common/jobs.tf create mode 100644 aws-gov/tf/modules/sra/databricks_workspace/solution_accelerators/security_analysis_tool/common/outputs.tf create mode 100644 aws-gov/tf/modules/sra/databricks_workspace/solution_accelerators/security_analysis_tool/common/provider.tf create mode 100644 aws-gov/tf/modules/sra/databricks_workspace/solution_accelerators/security_analysis_tool/common/repo.tf create mode 100644 aws-gov/tf/modules/sra/databricks_workspace/solution_accelerators/security_analysis_tool/common/secrets.tf create mode 100644 aws-gov/tf/modules/sra/databricks_workspace/solution_accelerators/security_analysis_tool/common/sql_warehouse.tf create mode 100644 aws-gov/tf/modules/sra/databricks_workspace/solution_accelerators/security_analysis_tool/common/variables.tf create mode 100644 aws-gov/tf/modules/sra/databricks_workspace/solution_accelerators/system_tables_audit_log/job.tf create mode 100644 aws-gov/tf/modules/sra/databricks_workspace/solution_accelerators/system_tables_audit_log/main.tf create mode 100644 aws-gov/tf/modules/sra/databricks_workspace/solution_accelerators/system_tables_audit_log/provider.tf create mode 100644 aws-gov/tf/modules/sra/databricks_workspace/solution_accelerators/system_tables_audit_log/queries_and_alerts.json create mode 100644 aws-gov/tf/modules/sra/databricks_workspace/solution_accelerators/system_tables_audit_log/sql.tf create mode 100644 aws-gov/tf/modules/sra/databricks_workspace/solution_accelerators/system_tables_audit_log/variables.tf create mode 100644 
aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/admin_configuration/admin_configuration.tf create mode 100644 aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/admin_configuration/provider.tf create mode 100644 aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/cluster_configuration/cluster_configuration.tf create mode 100644 aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/cluster_configuration/provider.tf create mode 100644 aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/cluster_configuration/variables.tf create mode 100644 aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/ip_access_list/ip_access_list.tf create mode 100644 aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/ip_access_list/provider.tf create mode 100644 aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/ip_access_list/variables.tf create mode 100644 aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/secret_management/output.tf create mode 100644 aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/secret_management/provider.tf create mode 100644 aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/secret_management/secret_management.tf create mode 100644 aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/token_management/provider.tf create mode 100644 aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/token_management/token_management.tf create mode 100644 aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/uc_catalog/provider.tf create mode 100644 aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/uc_catalog/uc_catalog.tf create mode 100644 aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/uc_catalog/variables.tf create mode 100644 
aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/uc_external_location/provider.tf create mode 100644 aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/uc_external_location/uc_external_location.tf create mode 100644 aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/uc_external_location/variables.tf create mode 100644 aws-gov/tf/modules/sra/network.tf create mode 100644 aws-gov/tf/modules/sra/outputs.tf create mode 100644 aws-gov/tf/modules/sra/privatelink.tf create mode 100644 aws-gov/tf/modules/sra/provider.tf create mode 100644 aws-gov/tf/modules/sra/root_s3_bucket.tf create mode 100644 aws-gov/tf/modules/sra/variables.tf create mode 100644 aws-gov/tf/provider.tf create mode 100644 aws-gov/tf/sra.tf create mode 100644 aws-gov/tf/template.tfvars.example create mode 100644 aws-gov/tf/variables.tf diff --git a/README.md b/README.md index f2beed5..b5ce12d 100644 --- a/README.md +++ b/README.md @@ -5,6 +5,7 @@ Security Reference Architecture (SRA) with Terraform templates makes deploying workspaces with Security Best Practices easy. You can programmatically deploy workspaces and the required cloud infrastructure using the official Databricks Terraform provider. These unified Terraform templates are pre-configured with hardened security settings similar to our most security-conscious customers. The initial templates based on [Databricks Security Best Practices](https://www.databricks.com/trust/security-features#best-practices) - [AWS](https://github.com/databricks/terraform-databricks-sra/tree/main/aws) +- [AWS Govcloud](https://github.com/databricks/terraform-databricks-sra/tree/main/aws-gov) - [Azure](https://github.com/databricks/terraform-databricks-sra/tree/main/azure) - [GCP](https://github.com/databricks/terraform-databricks-sra/tree/main/gcp) diff --git a/aws-gov/.gitignore b/aws-gov/.gitignore new file mode 100644 index 0000000..1a768a0 --- /dev/null +++ b/aws-gov/.gitignore 
@@ -0,0 +1,43 @@
+# Local .terraform directories
+*/.terraform/*
+*/.terraform
+.terraform.lock.hcl
+
+# .tfstate files
+*.tfstate
+*.tfstate.*
+
+# environment file
+aws/example.tvars
+
+# Crash log files
+crash.log
+
+# Ignore CLI configuration files
+.terraformrc terraform.rc
+
+# Ignore any .tfvars files that are generated automatically for each Terraform run. Most
+# .tfvars files are managed as part of configuration and so should be included in
+# version control.
+#
+*auto.tfvars
+
+# Ignore override files as they are usually used to override resources locally and so
+# are not checked in
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+
+# Include override files you do wish to add to version control using negated pattern
+#
+# !example_override.tf
+
+# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
+# example: *tfplan*
+
+# MAC Control
+.DS_Store
+
+# IntelliJ
+.idea/
\ No newline at end of file

diff --git a/aws-gov/README.md b/aws-gov/README.md
new file mode 100644
index 0000000..b25be1a
--- /dev/null
+++ b/aws-gov/README.md
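Review bot: The CLI-config ignore under "# Ignore CLI configuration files" is written as the single line `.terraformrc terraform.rc`, which is one pattern containing a space, so it only matches a file literally named that and neither `.terraformrc` nor `terraform.rc` (the CLI config files that can carry provider credentials) is actually ignored; split it into `.terraformrc` and `terraform.rc` on separate lines. The `aws/example.tvars` pattern likewise points at the sibling `aws/` tree and a `.tvars` extension, while the aws-gov README added later in this same commit tells users to populate `template.tfvars` and run with `../example.tfvars`, so neither populated variable file is ignored and can be committed; `*.tfvars` would cover both and still leave `template.tfvars.example` tracked, making the `*auto.tfvars` line redundant. Separately, ignoring `.terraform.lock.hcl` keeps the provider dependency lock out of version control, so every `terraform init` re-resolves provider versions and the recorded provider hashes no longer guard against a substituted provider package; consider dropping that line so the lock file is committed with the module.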
@@ -0,0 +1,137 @@ +# Security Reference Architecture Template + + +## Introduction + +Databricks has worked with thousands of customers to securely deploy the Databricks platform with appropriate security features to meet their architecture requirements. + +This Security Reference Architecture (SRA) repository implements common security features as a unified terraform templates that are typically deployed by our security conscious customers. + + +## Component Breakdown and Description + +In this section, we break down each of the components that we've included in this Security Reference Architecture. + +In various `.tf` scripts, we have included direct links to the Databricks Terraform documentation. The [official documentation](https://registry.terraform.io/providers/databricks/databricks/latest/docs) can be found here. + + +## Operation Mode: + +There are four separate operation modes you can choose for the underlying network configurations of your workspaces: **sandbox**, **firewall**, **isolated**, and **custom**. + +- **Sandbox**: Sandbox or open egress. Selecting 'sandbox' as the operation mode allows traffic to flow freely to the public internet. This mode is suitable for sandbox or development scenarios where data exfiltration protection is of minimal concern, and developers need to access public APIs, packages, and more. + +- **Firewall**: Firewall or limited egress. Choosing 'firewall' as the operation mode permits traffic flow only to a selected list of public addresses. This mode is applicable in situations where open internet access is necessary for certain tasks, but unfiltered traffic is not an option due to the sensitivity of the workloads or data. **NOTE**: Due to a limitation in the AWS Network Firewall's ability to use fully qualified domain names for non-HTTP/HTTPS traffic, an external data source is required for the external Hive metastore. For production scenarios, we recommend using Unity Catalog or self-hosted Hive metastores. 
+ +- **Isolated**: Isolated or no egress. Opting for 'isolated' as the operation mode prevents any traffic to the public internet. Traffic is limited to AWS private endpoints, either to AWS services or the Databricks control plane. This mode should be used in cases where access to the public internet is completely unsupported. **NOTE**: Apache Derby Metastore will be required for clusters and non-serverless SQL Warehouses. For more information, please view this [knowledge article](https://kb.databricks.com/metastore/set-up-embedded-metastore). + +- **Custom**: Custom or bring your own network. Selecting 'custom' allows you to input your own details for a VPC ID, subnet IDs, security group IDs, and PrivateLink endpoint IDs. This mode is recommended when networking assets are created in different pipelines or are pre-assigned to a team by a centralized infrastructure team. + +See the below networking diagrams for more information. + + +## Infrastructure Deployment + +- **Customer-managed VPC**: A [customer-managed VPC](https://docs.databricks.com/administration-guide/cloud-configurations/aws/customer-managed-vpc.html) allows Databricks customers to exercise more control over network configuration to comply with specific cloud security and governance standards that a customer's organization may require. + +- **AWS VPC Endpoints for S3, STS, and Kinesis**: Using AWS PrivateLink technology, a VPC endpoint is a service that connects a customer's VPC endpoint to AWS services without traversing public IP addresses. [S3, STS, and Kinesis endpoints](https://docs.databricks.com/administration-guide/cloud-configurations/aws/privatelink.html#step-5-add-vpc-endpoints-for-other-aws-services-recommended-but-optional) are best practices for standard enterprise Databricks deployments. Additional endpoints can be configured depending on use case (e.g. Amazon DynamoDB and AWS Glue). 
+ +- **Back-end AWS PrivateLink Connectivity**: AWS PrivateLink provides a private network route from one AWS environment to another. [Back-end PrivateLink](https://docs.databricks.com/administration-guide/cloud-configurations/aws/privatelink.html#overview) is configured so that communication between the customer's data plane and the Databricks control plane does not traverse public IP addresses. This is accomplished through Databricks specific interface VPC endpoints. Front-end PrivateLink is available as well for customers to ensure users traffic remains over the AWS backbone. However front-end PrivateLink is not included in this Terraform template. + +- **Scoped-down IAM Policy for the Databricks cross-account role**: A [cross-account role](https://docs.databricks.com/administration-guide/account-api/iam-role.html) is needed for users, jobs, and other third-party tools to spin up Databricks clusters within the customer's data plane environment. This cross-account role can be scoped down to only function within the parameters of the data plane's VPC, subnets, and security group. + +- **Restrictive Root Bucket**: Each workspace, prior to creation, registers a [dedicated S3 bucket](https://docs.databricks.com/administration-guide/account-api/aws-storage.html). This bucket is for workspace assets. On AWS, S3 bucket policies can be applied to limit access to the Databricks control plane and the customer data plane. + +- **Unity Catalog**: [Unity Catalog](https://docs.databricks.com/data-governance/unity-catalog/index.html) is a unified governance solution for all data and AI assets including files, tables, and machine learning models. Unity Catalog provides a modern approach to granular access controls with centralized policy, auditing, and lineage tracking - all integrated into your Databricks workflow. **NOTE**: SRA creates a workspace specific catalog that is isolated to that individual workspace. 
To change these settings please update uc_catalog.tf under the workspace_security_modules. + + +## Post Workspace Deployment + +- **Service Principals**: A [Service principal](https://docs.databricks.com/administration-guide/users-groups/service-principals.html) is an identity that you create in Databricks for use with automated tools, jobs, and applications. It's against best practice to tie production workloads to individual user accounts, and so we recommend configuring these service principals within Databricks. In this template, we create an example service principal. + +- **Token Management**: [Personal access tokens](https://docs.databricks.com/dev-tools/api/latest/authentication.html) are used to access Databricks REST APIs in-lieu of passwords. In this template we create an example token and set its time-to-live. This can be set at an administrative level for all users. + +- **Secret Management** Integrating with heterogeneous systems requires managing a potentially large set of credentials and safely distributing them across an organization. Instead of directly entering your credentials into a notebook, use [Databricks secrets](https://docs.databricks.com/security/secrets/index.html) to store your credentials and reference them in notebooks and jobs. In this template, we create an example secret. + + +## Optional Deployment Configurations + +- **Audit and Billable Usage Logs**: Databricks delivers logs to your S3 buckets. [Audit logs](https://docs.databricks.com/administration-guide/account-settings/audit-logs.html) contain two levels of events: workspace-level audit logs with workspace-level events and account-level audit logs with account-level events. In addition to these logs, you can generate additional events by enabling verbose audit logs. [Billable usage logs](https://docs.databricks.com/administration-guide/account-settings/billable-usage-delivery.html) are delivered daily to an AWS S3 storage bucket. 
There will be a separate CSV file for each workspace. This file contains historical data about the workspace's cluster usage in Databricks Units (DBUs). + +- **Cluster Example**: An example of a cluster and a cluster policy has been included. **NOTE:** Please be aware this will create a cluster within your Databricks workspace including the underlying EC2 instance. + +- **IP Access Lists**: IP Access can be enabled to only allow a subset of IPs to access the Databricks workspace console. **NOTE:** Please verify all of the IPs are correct prior to enabling this feature to prevent a lockout scenario. + +- **Read Only External Location**: This creates a read-only external location in Unity Catalog for a given bucket as well as the corresponding AWS IAM role. + +- **Restrictive Root Bucket**: A restrictive root bucket policy can be applied to the root bucket of the workspace. **NOTE:** Please be aware this bucket is updated frequently, however, may not contain prefixes for the latest product releases. + +- **Restrictive Kinesis, STS, and S3 Endpoint Policies**: Restrictive policies for Kinesis, STS, and S3 endpoints can be added for Databricks specific assets. **NOTE:** Please be aware thse policies could be updated and may result in potentially breaking changes. If this is the case, we recommend removing the policy. + +- **System Tables**: System tables are a Databricks-hosted analytical store of your account’s operational data found in the system catalog. System tables can be used for historical observability across your account. This is currently in public preview, so is optional to enable or not. + +- **Workspace Admin. Configurations**: Workspace administration configurations that can be enabled that align with security best practices. The Terraform resource is experimental, which is why it is optional. Documentation on each configuration is provided in the Terraform file. 
+ + +## Solution Accelerators + +- **Security Analysis Tool (SAT)**: The Security Analysis Tool analyzes customer's Databricks account and workspace security configurations and provides recommendations that can help them follow Databricks' security best practices. This can be enabled into the workspace that is being created. **NOTE:** Please be aware this creates a cluster, a job, and a dashboard within your environment. + +- **Audit Log Alerting**: Audit Log Alerting, based on this [blog post](https://www.databricks.com/blog/improve-lakehouse-security-monitoring-using-system-tables-databricks-unity-catalog), creates 40+ SQL alerts to monitor for incidents based on a Zero Trust Architecture (ZTA) model. **NOTE:** Please be aware this creates a cluster, a job, and queries within your environment. + + +## Public Preview Features + +- **System Tables Schemas**: System Table schemas are currently in private preview. System Tables provide visiblity into access, billing, compute, and storage logs. In this deployment the metastore admin, service principle, owns the table. Additional grant statements will be needed. **NOTE:** Please note this is currently in public preview. + + +## Additional Security Recommendations and Opportunities + +In this section, we break down additional security recommendations and opportunities to maintain a strong security posture that either cannot be configured into this Terraform script or is very specific to individual customers (e.g. SCIM, SSO, Front-End PrivateLink, etc.) + +- **Segment Workspaces for Various Levels of Data Separation**: While Databricks has numerous capabilities for isolating different workloads, such as table ACLs and IAM passthrough for very sensitive workloads, the primary isolation method is to move sensitive workloads to a different workspace. This sometimes happens when a customer has very different teams (for example, a security team and a marketing team) who must both analyze different data in Databricks. 
+ +- **Avoid Storing Production Datasets in Databricks File Store**: Because the DBFS root is accessible to all users in a workspace, all users can access any data stored here. It is important to instruct users to avoid using this location for storing sensitive data. The default location for managed tables in the Hive metastore on Databricks is the DBFS root; to prevent end users who create managed tables from writing to the DBFS root, declare a location on external storage when creating databases in the Hive metastore. + +- **Single Sign-On, Multi-factor Authentication, SCIM Provisioning**: Most production or enterprise deployments enable their workspaces to use [Single Sign-On (SSO)](https://docs.databricks.com/administration-guide/users-groups/single-sign-on/index.html) and multi-factor authentication (MFA). As users are added, changed, and deleted, we recommended customers integrate [SCIM (System for Cross-domain Identity Management)](https://docs.databricks.com/dev-tools/api/latest/scim/index.html)to their account console to sync these actions. + +- **Backup Assets from the Databricks Control Plane**: While Databricks does not offer disaster recovery services, many customers use Databricks capabilities, including the Account API, to create a cold (standby) workspace in another region. This can be done using various tools such as the Databricks [migration tool](https://github.com/databrickslabs/migrate), [Databricks sync](https://github.com/databrickslabs/databricks-sync), or the [Terraform exporter](https://registry.terraform.io/providers/databricks/databricks/latest/docs/guides/experimental-exporter) + +- **Regularly Restart Databricks Clusters**: When you restart a cluster, it gets the latest images for the compute resource containers and the VM hosts. It is particularly important to schedule regular restarts for long-running clusters such as those used for processing streaming data. 
If you enable the compliance security profile for your account or your workspace, long-running clusters are automatically restarted after 25 days. Databricks recommends that admins restart clusters manually during a scheduled maintenance window. This reduces the risk of an auto-restart disrupting a scheduled job. + +- **Evaluate Whether your Workflow requires using Git Repos or CI/CD**: Mature organizations often build production workloads by using CI/CD to integrate code scanning, better control permissions, perform linting, and more. When there is highly sensitive data analyzed, a CI/CD process can also allow scanning for known scenarios such as hard coded secrets. + + +## Getting Started + +1. Clone this Repo +2. Install [Terraform](https://developer.hashicorp.com/terraform/downloads) +3. Decide which [operation](https://github.com/databricks/terraform-databricks-sra/tree/main/aws-gov/tf#operation-mode) mode you'd like to use. +4. Fill out `sra.tf` in place +5. Fill out `template.tfvars.example` remove the .example part of the file name +6. CD into `tf` +7. Run `terraform init` +8. Run `terraform validate` +9. From `tf` directory, run `terraform plan -var-file ../example.tfvars` +10. 
Run `terraform apply -var-file ../example.tfvars` + + +## Network Diagram - Sandbox +![Architecture Diagram](https://github.com/databricks/terraform-databricks-sra/blob/main/aws-gov/img/Sandbox%20-%20Network%20Topology.png) + + +## Network Diagram - Firewall +![Architecture Diagram](https://github.com/databricks/terraform-databricks-sra/blob/main/aws-gov/img/Firewall%20-%20Network%20Topology.png) + + +## Network Diagram - Isolated +![Architecture Diagram](https://github.com/databricks/terraform-databricks-sra/blob/main/aws-gov/img/Isolated%20-%20Network%20Topology.png) + + +## FAQ + +- **I've cloned the GitHub repo, what's the recommended way to add Databricks additional resources to it?** + +If you'd like to add additional resources to the repository, the first step is to identify if this resource is using the **account** or **workspace** provider. + +For example, if it uses the **account** provider, then we'd recommend creating a new module under the [modules/sra/databricks_account](https://github.com/databricks/terraform-databricks-sra/tree/main/aws-gov/tf/modules/sra/databricks_account) folder. Then, that module can be called in the top level [databricks_account.tf](https://github.com/databricks/terraform-databricks-sra/blob/main/aws-gov/tf/modules/sra/databricks_account.tf) file. This process is the same for the workspace provider by placing a new module in the [modules/sra/databricks_workspace folder](https://github.com/databricks/terraform-databricks-sra/tree/main/aws-gov/tf/modules/sra/databricks_workspace) and call it in the [databricks_workspace.tf](https://github.com/databricks/terraform-databricks-sra/blob/main/aws-gov/tf/modules/sra/databricks_workspace.tf) file. \ No newline at end of file 
diff --git a/aws-gov/img/Firewall - Network Topology.png b/aws-gov/img/Firewall - Network Topology.png new file mode 100644 index 0000000000000000000000000000000000000000..5c8748e29123476fddee9ac7052a681f74ebbf2f GIT binary patch literal 161896 zcmeFZc|4Ts8$Yg;R8&q$_N0?6kwh6=D70B;?1M-$84@$H%xIAc;T)l|N0_lMV;Kx7 zDPo8*7)z0c8Dp}{3^SJBgFfe+&+>i!{`vm?`}xDm>v^90zOVbbul0Rhx2Kloroy`< zcJcA?312ijZ_URifZ^lY(IY4TJRzf7FYxi*%3c>+?8f=%=QQOcS<=%EmM-t>ErJDt z^_xR7$w4zCu7WR%3*7PNHXqgOBgWHm+4P;sgHa;3B3cb7YND@FW1)RjTkkz}Y}-6` z^SiTq^Jny31fLJODH&lP@7@R&C0U3q-ktE+T=I6NfT`th@R#l89tdI;p7(alzs|#e z(Z|0r`ZmAtb}(}oeH)&g7MT&is_|WyRX)C^tWaRH(Qmuc^6Vt^G>^s(aO$yw?>64? z)yUzgmaGVq*=fwxU>Q7azWMg?^=k)6X$lE(*P|?bZk~oL$8^Eau%=cjFBKXZ;j{VC z^dAH(Fy&B7FYihrWp8LRCLQF|`0UoYD)I5TJ+^+VVn%tMZ+mnM0_qn(V|6TOH#QfUj^YaC-)-3a!^CDdcyPO2 zd!QjHDr<8RKBua)(2*7Vr@r^N^IZps7{?33LovCV!qRW0nG+>)kp~mYDA~R-*SR?6 z5K32!RtSP&qNWx<%!Hvftr%ZW4DnjFuvsapQs;f<3>Y9ZWb9!A(hZ@?U4CJmIn9r7?2 zvY?lYZ74qE{d?i&b`JIJzamV6-G@YIJbe2_!q9TDbC|cAM_=?H4KvZsyw$qVXQ@~+Nrt0jD6z@R-Wl|G_L-0eSy1eJJT1*4JV-88yM)KmJ3-nG z4oYWBQU8?CcE{*_coB~!JzJF!Dk#<(+r2T?O-Vh3c0?#--qd0Sy^_sS$I={csRuf~ z`H{z?qx5^y6qMsqFAWFY*ORk|FlF_l3~ilT@wDLLcU={g#q`BZ4ySw(Fe4I{W_Ro+ zhU1UvZRxc<5xj?F3h(H z=@f$yDMPC(OLk;vp4Rgac8aV4RPhCjG_~|0=0H@pwdO}}QxDQftZ)LJdX9u*>O!@T zOM+$)Q@gQ%RHBDB_1;b4`t3maTT?YMf~@!eBiL+`<|TI+KYyL!z1rM-Iy@*{21TFj zYvFpzK_;a;aAP;Io~;e4C^DH~@QW0G_2#LLy>WDW+Uy8p$M0dau4f!R4c*L6x3Wxr z1kRFvCQ8O(+X4D%fsr02shh&%Gl-4=|9%(q?F;BsK46~5o)kljuwC0B)#MZz|HN^Z z#~_+d0`-?{-cmEdY6U*UW3w<@?SwJSUFwmAAwvaG^jEz48C^`u=6U!GuRa1x3PJmJ zV)}5HaW;lH@=H}UL&dD&r@m@GkH?zF)y(9pZIXU1xIByoSk!>xE#bLe#y{wn`Bis_ zKEz`5e=SkQmd^pWsT%n7r1$<0kzlbc5L*jN+;mOA7E<9z1M9<(RspxKyXejd3)->G zZ8%kn$&moFma*F8ki$;nq!V_UAMR zVh8~o^iF>n^3~#&{&=MY0f-m*r6FY0-vjE?Q$1?W3I?a_TG(8o*d1W#BgN?%-y3a> z1rcE5`!+FKce84YDb;WL@CQw-(jZ~T%}?uY0H0c#Di!TNTtowQd`Kugq`1NS+Fh4% ze(cQ9!~m4;vMC8oVD_;b?3ORV!zC%ui+Zgu;=O)~+a!|)^!-NB1Q}mX=17Rgw->q7)3;Y<(hMG53s`9!0OmdZ{}vlfS5sybA;{|-+FJUw+d|R 
zz2*sL`nhMqgYHp{tKR$;B?m(OB~mVrz;d~Z1^2IjV~$Dibn^n!oyxn(4$4&y zcJ)Nx1#qwcgy*oiwdwMP-I(SeUjt{s8|CiTt+pA6oGo(nb}$o_PoSZbNf%!92BcZ} zrGcYw{tRNC#`>fG9jjAuf`xZXU0X8>Orq5HfbvG)@ zG4diSHJdJxr?+imM1N(25XRbdQ6tw{IHp)RXIB6@gdK{dO4-HfJ>1-HzjCOw^`k?2 zrx$#3At`WNB*_hUyHM zXe3#LSbOTuulc-o?6+pTzKiVhbWf4GrU~AvxIxO-Ep;Gd(iE~o^^~g16na0*7N&varvek5j`qWM7 zdl|P_WP=R1#-Yr3CECO6`K~IDKo@zO&r;V2uvoiCrFA{}Pf00M`BjzB;3^gL2fDosF=kh51(~(6 z09rS6<-=#QJkXt*-vnFZ_RrjjDQp{Zoy&b6k3Y!*L!nBujDXGx? z9_)_Nvv|@CHYN*h980O}o|C^=;YR+yDc=A8T>oDfjsI7!-g~3Z144P%FkVkd*vv3> z#PX8jo9EV-Fm$XCX0^qY$04|ofhVu9`YUtYfXnP%JY*%%u>Ww12X3<9R<>5FED{g`#o+h@Op&k53)BjuQe`o>jIBg_x&__Ywj zHWJ+0$o5~m*{VuZ>zoIZ3HiwttbIaD}%($ZL zjnj;kQzvn#IN%|KH$BRVG5yWH=g}qzB?|sD^!rW2LZRsH~rUp;~Sq z{Xw?G9ul52`LLvZVKR{}6fM#&jg}t~^te6TOlz0P>(y zN5iKUcF3+?>v)6rG+1pnD2c8s#mactYzPc1P(CH;*-em>81V_d(+y^pD&L71V7=EQ zqqZPlb_TrBa-Gr8%#8q_%#xUl!T7Dtgx?m?zi^yYpb*YmC|MI*;|^)5t#OHn>_Rj> zE_~jda>ySNhkN>)^%lM+noC{KoSWP>Saar~Z(z>Lwxvnzw^F6zh8h0Sg8$%z*Km}G zm0~j%PbfL^zO5UgzTFKPKDdxwdNUh!KCvDNy(xxkcfU{UgKWN^v6ZhpwZ-6#ehDBT*SQ|)Va>CadUG4LVUH;xjp$+_;Xm$>b>nSQ< za3`cmu!zQ`Z!lSflSs_aHIU+_>h`yI>9=SKKjYGja1|UdXG{O@AR>`Ioo%0Q=ei=9 zxAs$ZwKZYenYHn@!~AsASi2r7(TS!W(m|OOXZo4^3=qtAa*6F z2I6bIUY>hCjX)_JByez>Y%R12=Zb}Yd341iLrv6XYvdt_Xchz-4&B)MwON%s!ab!V z#=C%Y_6qlY$}LwNVo6=6epF8*o4iUYw$WEM!rIG-UV}&;fqHqKJ77S^UnPz5Lf5|K z$m4uN7O}}G7u=={nGPR(i!d%3|kgXwn@s|vAs?%dUYjNoPLc`qRi3qx(hE!BK-(grgkp&!4GSZ?#fW*Z3pW#O zQGFy!sFxY5HppOQjyi&xc_v0coIcx%N>!_R>c|tK&xDn7Rda3~lo zgK*V$KJh(xOG ziQQ0Jc3-!Kc$bjOd{{~=Yq_j2611CreN=1|H8T~>)aATwd5~z3OifowAFowFQ2}2t zADM2*8f-A-(5raIM&32^=3=mtUd6)ikJlL&{?Oay&gsbtOn1e_3V=o`PQ^U!HlGFQ zbY)lQnrcpHm8o#r;}zJ^rOH+9e>iAg%JDl2aWzY9?X*;k8%8!)x8JF}7 z${)uxbJ{p!qU2ElxV(>|lxAq6EUGN(*!!%ly7OKkJHxY8%P_M;i^DN0Pk zuQj+%nplt!{+|g{>y>4m8iLAw`#8L&)R#mPHt*Y)jXsk4)Wb8gC+IV=foCU+q@= z*)+6-#&TS$Cr;wRdH5MiK@59zlU*U85lU3&&;Dbe)^WtPOS5?MJh5zD_h2N!%QRGH zYk_$YIo6~N9%+Qt^#x05B;m3lWA=#eW-^V#)r3(A>j{09{Ssl`z7{I2-Xmr?^d0n^ z=L00J@T}M)G4SjY-^+c-I4Db6gZai;hI3WV1uTGtOHS*I=mSx~u>*#0@rm*owrP=S 
z4{`-xTF1mXdR+&buaL#ui>y&^KY`rW4zUt!#)PEq>e|I zl*3fz;z$D5W_e4s2H6RK0ohM{pzEHGcd`gK(=Y}6(PTO$4tV_cVewC7|D1M6vsSW2v;{x*ADKNUh^3x z@U9JLF*J8$*uPXqb*i^G>+&+8aPaoAt*PuXw8pb3@ z#D!TYY~>}l=QjKwCNYb8NuD1?4d`r?=rvpY6s0(lejTlxw%h!J#4Zp0oniVFKf`t1 z9Y*!N)z}?>Sgae!r4vM9l*-#27t()S6~}?EjO6%UVHlm z5=fl{v1J=F(&h_nW9~%7E>HG1c6u+-DnefePRbJ4OzD#Gm)D2s4t1Zk_Q6jW_oN;> zWqL5Z`jaUqVBy;eF|B?m^|c1MFC`vJ@jIx}QpRKJg;(`{N{EJsJ}C91-0a~oEkVQ* zN7Lj$m=`r9R;BF^6S^+*7-*5QPce^gdN=SGJ!2C$ph`4f$w$H(b*UgZ$c&9~E{Jx) z4Cg4_hSCC(?R|shE#zuAoXkKXPLFh%VF&xT*z_P*AS~Vwdzb2&_|`h|e8D!bmG&-d zEPj{zDXgynSOna1;69`Beu24ozgTLF=7A3?p&!1KBd!f_J?YKmtoFV~o^(21FbPlg z3&#gZyci;&RTUp%tGJ!J`I>G7X6s$Lc|dvuC4Z(*RGQaqHOfgXC;%fry5i>bM#h_Q zX{dwb*^vP#V^qhb`Wje;e#=h#!gaW$*cLl+MNw6g>xrz2+um}4FdQ%Nn=di&xp?4& zRyQ&L%9G)Z?5+F7n9CrXeEd^Zw@5}it>R_*kxH!1OVVLwPKWst;anc_M=O&-CrkvV za`oN8msMO9awK+b8(XPjI&E^NPfXYItb{yfaO$|mq)&z@gn|I;-@;Z=2Gbu`MPnI0 zH|tP9S^@-_J5a1X=Gwz(x8vyWsRprwRTxoX7R=P(#QxSoo?3xm-WMf#Y~+Ik^~mNI zf`0D7u0QXHEDCMc4K4MHEqoPupa07 z$VYg!uz1*nU_rep1&+U6>y=W!caYQ1LHDB`e+fpDK(7$Frd~m|f#qIJ`$@=C*Ox)gW7)`S}_YIjx;;hP|7%#R=?uIr6f$ zrjx);z-4)~BK=XbAa;j{hPa6!#^ORf<%-^ZeRWX|P@Cu6R^xQbrrV^;>Pr1Tpk zc&_ma@`A@+J;(MA&OzMhHlG?O}B_sb&1WPZD z4$2d~UR@bZMJ`#IC1zO(KgVm0>LtU}>tP7$D_n=J>6xo;`WDz2ESCI-jc}FWbeC2@ zcJ&R&=w9BpO|`5zoL6!rA7-3eDCjrnb=4D>U2x~S6`1!qy=q(!^o4>bD@6XNrgMvR zT&uGj(>0148anIQY)61;hps~6#9BXfDP8(YPjOq|wv`FU;AtlcB6P@EOw`a<;4P!} z^$D+!6x+%kt#}yGiSk1~5pZf?{xnDJ4%Y}n#BjO9s~;tO09LGIT-=_!LjPsi)}aHB zB_PnLKA9J;5{)Rk3Kc`5Mi1$UHgX<0cuxj=I$X$fu+7j-ruFO&sNe^($kze&jL$MU z9j-AyYEGv{{Q>c!N&=ad;7+{xV$Ddq$<4GP*J>NI+hF5cX3capn>nOf^46m5BxXdi zB6I4?lw4gvhY?n4OX7VyfjR~ok)m3Ef)d!?uEpSak9wdCrXL$m={CYHm?DcN&$@aZ zHSrOnm>!1Yv7@6r%T!H5-Xl@>?Y0?NiPPS*;nWZpo8c0_U@3(Xg%ShPw8|{22*Fv9 zDQY6LnEH`Z-HCS|;RFx82Vwyg%Eh!FZhNd2c$tBxSg3^%-TtSPn9JGfyZv>FRtkK0q^j z`N&Wk`=y~>9cnUHEcF>ocdwW1iRB#;!KnoJAjkfftR)Uk+{rjmB3SGm0hZiFz1fJ` z^RoDt$AhhWeP=NJAQO?xjed0`#}Tpi=aUK+iil=E9eXibnCqO>L-MrjDKg;c zWsE;BnZGMW45c|#Me}|<$pf7jrDe4H3=a_d6_kh-K7l|v*v`(>iiLQtwm)tDp;6zTF?{pge5PVv=Jd>? 
z#?rqVRbM@wXraF7Y4nY z96kbpj`Tr{v8i0&{K0Xr!#%db?%d|r^AmNo%q6pYqOLDzDyd|#_PrT~0QY!l1;8dL z2|Z77xS8YFx6}(PT`{Fju~t_t8m+voTLpC=!a~bLJ_O)G>Lw@CcYE|nT@Z!6*q;Sq9A|>& z)m|p~fe|)YdU#j|eOt7!ZDKxI6^#aOU9v(owNHUbO%bmnKU5w97voUtC1E2jEnDpyqp#iHCEi4bI^8 zO@k^aKCkgV3u5kImwa7sAiSPFz^Z#?LmWq6%nEa@(nBq~}7To*O z;RV}nu9qBrU-?#A?F=29>ad0Aa07xzXK!8jxxeRi3)l;>0Evoa4b11t^mSjw{m8wd zEWN-`x9bjC@z9q=+O6`2$Y6+4{u zAFvaO6zdp;VO43rRx&}hXkI_ZnrAjvmR>!vj%1y=D*VR>q&pE2skZZ}doMUOTi*ay zc-H*NY&C6(g0h1c$1HxPX-!uPUiPRQkt6q?doi5(9}5_ZUh7(i%bX*O)v-z@8W(P! zzA(HtqUIbk>8OwywT?dB?)m&kN9|cgn=dK;IH)~kxcGup0BOFOSA_LzYs3pT9h=g% zgUwIq+jsz*UWY@Bj+{N>5vE7XIwJ4Shf~DT zGMjGH5)T<~vStJ!2!1SWbnMQ%-%_znL0 zVVJ``FmZIII(E_L2T^@>2|AsW#qQQCpaCH1Mv4rCYsiE0v{!BHu(bdMHB+Zh#v4`Uz&rr8)PM0VD$TaY{!%=M|LL63{cqsd)-; zxF>i|3RT}jXcKCEY`?ChNT|h0O>nY+ExZ*0hBn65dYst#RIA%iHD^qTHd-lNcDnaQ z05sByL7cJIBL=mLfDx#OOID03NK7%zxE!w^C^w+;mA18jt$%aGW0ZG|Go|~uBOpUP zax=Cu-oPpAiWOoU--PfN(1oBsVsS^04xZmp8y{70h?{bwj&`d8S{exC;`sU$Hq$2~ zOOa<3R9qWR`|d4ZuZ{Z}58y~rXY#gA=gRwxSZwAD7F2DYbY6`5CL$^24wPWD=r(@n zyJ72+lB#F?2AQb@6jX9mw-!{5<4fM5q#0#NkItt|9?nq8i6Z9f^%a=<3CCJ{gbU%~ zvf{BRdw#xInp&_Xo2Ul6I0O|tn3449DtWu6B_AaM32R7^c+v!&t=GqShwchCr*qIu zj(PachqApb&fRh&UIt5_EX*6%R+xUchWEAO5@U{g{`i{#O+SWKKA8F~1U_G*OkGk1lJ{wh3sBS2v=#?_^g?ef#LG2CM$nE6Id~H^pNd`>Lq3rarRN z7}WY6u=dElqjVB%_X<`2-xI5w>Ihx<}u%T{URn`Z0rf=AF6GA=5OL33Xd z^u&y@$P}R({5=@5KAQ1rLpRaC=Qs)$qL-Mdd-UrHLGL@~)ype%OfI$%39%d@|0C0% z%x4c7K7UIrS8P2s{dD{XGPwBc$SLuyEkwcC!E-0jstM$S)TouQA@L)mKdeNQTIPgG z=A;-nJCQ$GP*ZezyM98-_kBzaIns|!XR7@ka5~P7(cY^g%iUjlHTeqHbyWEU4C*y` zDyZ;xx$a}2kB`94EnTCPyK|0QhvhP(n-r69HhMphaL?NZvQuak1+d$st0b{+w$+SJ z52F>icn{QXrytpm3fNUlZ86xHeWUeh21C=AE0g1DaTaG8&bgIm5kA38)vs46-Pq%i zC!ee?n(|9C#Rq%$%nGF>UF9Xq=V65+BTddv90)^^6Qmaq=fP3lTzAyylU#e3cV(%2 zPPU+zTpkz8J&aluax4hjJUbv5kEmr#;>zNk%S#uq3i8(|uXKV4*Uu7~f zbKp$)!dZ~H2jEfn++*RgdMiek7pL%V!3FfszMvAd(4@{&0b4r%1iYN|cbf>X_Jbb@ z0YV06o~+!FW_Xa{>w6K-Q7!P?5I|Rwl|^glpz zGi;phADGR!bH2AL^bkI>o}e|fOWU#C3>)zHZUzh2QE&Phb-@Yd>Q&PlyX~{rix#Gp 
zIP8N~t)G;_;BA8MLt^{PeU!rARlD0O+ONMI?T0Vh~pT#jgXumMVOTRw(}{B0;E9(MD) zi*IsPuje;dhG2s`545$kYTQ^JI0JF`wkE)P-y0Ssw!LI#W`wVHfMBL;EpuNC3Dt6> z0k0mJJbkYxE1G1a?>SFCYl9uduEJ@y7@=GO8`tB+DBDv86kK8jw!XBNfsi`6umLk{ zR_x02))~pf=fnyLTBfVlQApsbsio%iNv=j_^wi2+t)su5_HaffZ3wVVxM8*3G48JI2-)%bwGqkRobVGlxC9c(}^eAtwP0NY;S&S zP2<>$vW7pvO&@?(t@SXhlmb&=C%Y~(-kN{$1o~pvoqtWmRJ@XY0#};^@Aq?ETK+WO z9lNJ?3~;XqYR2F?nC#%9T@1`BcKXYbua~2qb78=wRGA?G}k=p`XT|PWGhuR)1m-jhGrKeI5LZ zHkZ(;ZXSH`6f&m;D`yp$bfyj(ef9^I>c??{NPF+ka2OWI#KZo1zb;R z3z5x1F4)Xakp0yB#E{OKq?%lzgRqYWY*((#)y!(d_7HxoOCyR=pO&lEjPWTz9R1pb zdJaFcwYRG12JaRpnrC9R-B}Vy96SInBb`RUNRQm*6rB%%O&vAD(z#*%P!=GSkPd+Khel&L%(I^<t+_vs(tgtNf9^;IQQp)T&;*m}fgK<{Z>4-Dy@tHA0 z*Yvj=k|hlFiOKwa)!6Ql-2=JY!O)TLGW{eDZpl~Uq zwPxuR90%5x=D~e<`LCs2-k@4fhqdR9MI-!|+Xvl7HUCdD8m#xPd<*NU7`cgELOtF{ zF8q{ou-W-z8dyr{8h6lC%(8QJb>N2UTJtB#0EQgR$DuGK<0YoXHOqu0QDfhvH!gpgFxwtH~i?dZg2okbt9u7JO#SK z4?x095ISsExU4w4p8X}8^LWr_+qtrtRjRp5ELr48OF4NaP4~$JP<u)Bk9&op82{&GP}vwR=pFAfqk1E+SwcJpYfI!75xP%E zMP{+fPUl4Jt5B%<{1fI7I@PJUJ3%#lN05FSR2^tp$C0)>^3&(f245AwF%f_PB7>5YmCV1h()eFSg*Wk9 zzJ99L1yD~U&l3kQZN$wxlSU}I@4cGt%pMu=GiG=k&!MG55PhnHp24G)#QPFo(h7D0 zF4TPQi|j@H0q%bP=@$~W^YyA))rUvFb^o1q0vW=F6J6<%~geY~r zaK*c7pDGKS+BieO+VGo9bs2;)M(dy>V%8H2VF-!OS$v8nr%9MKd;m_4RJZetuwi{Rk_S)hMi9d@8vXE|SItCwmOUxYGG_6V z;+KPd-xe!w!K=OF_P0~$z8s)gS>b<3periN#$2IK!6;K|!0J}Q7DyD(0e0iW?)+1C zk23?N@|E|P3Zt#7s8x*XlDD+zaE`b;3%5e>^p81&Af+qEcFW}14j+5JDt-rOz2T{W z41oqf#tqV1hk(}ke{oXt^fQ;hTr!*ksZZvvYU$CUhff`_mi|qSvwrY)Ka%RdB+oSvMm|ZcHx6GEhtw4_#lfJT ze!1&CBoU`!og${=<#y7XJ6a)h2UzCvOhcewXoD3aYNkbe_P70r9yhy*xjLkrRZ<5 zg7{zchqFR7GQR}xod*5)DV)`HMSrXI+o<+SEILQ%>zsaL@7#VnpFQbcpN!wzRNNhm zu4RU=@$y_(Xm%Eji!Ew>5FNQ<=CnmH_uFIHKFG8nXW;eCl5XGZ71auJ-s+S^_~39} z#>%vpMfhAoMqoP{Kmt1PnM|!GE3JS9%SrZm&KNDZPOxEF+Jy8;CV~YRg&%QP$`9(ZxW{`R=~`M^{!(Y zH}gbN|NKYb+#zzm8}QpQsu9L0(d;yL3IJD%$fx|(6`3npD|+94y3Xf)?{ck-i`Pkk zlQ=~Xkpt0xOq=$gZGAbtt%R7{26wN#(B{20yQ0COFm4YsWIA7HYk7b^|0A#tV;&J{ z5^@30$FQoq=J6P-JYH$kLnlgU@VZO5 
zltSOinA)m42j5Voi}s;JafU|dOG|wxZzTYT*}s(4HyziEy&nQ}ytY~)mK=Xi-MZ)f zfix?;xOs*B}IC+`V~q^RG>YkWgq7pw95M*@^{AWO3`}H=bipalaA&h zUM`D&&!>M8E1sUM2;6i)-%tpO#UFabRnZyEP6)sG{u5pfBCK#H*yWasjqu)6K5Zh- zvv@zp3eal+HpXLSDuj{-wIJ`>78~GVh`N0|pvB;0&OY9G$}>=E8+A%#5~eoc@zveauaA zudwrBuB`1kj9zqiSz1qc%iQGmV#B`pNxnD{Np0(+O0mgQiCq~q%?WxIrW5u!jPa3p z`*0E!$9V*H5Pv^`cJ{^c3L~vGD|Zd_VUbGpLYXkit%)+gqZT6Ts*Hr=Pi-r@v&{`& zT~sApP180Ku#{uBhib2r>k_U!$^`#IKo7M)NAXc}X}Y6!sJG^nm$C*Ld>_qcroWa* z|7bt&mY6n+3uqMBj_5V>wKFc0IK9x2Y^k&OxcLE4iN`B4D*!ifwPm#2yiSasgnQWU zmxy6-(aG@@xkhJ`AUx0@@L+$yv6nj%>`iq3nX6!aLivpIbXkx$e%Jq zw5>YsyRs>jUND|L&nn9D&@*syX<2R6BekI(W7DJcv^=Rx`n281J4%&8(RV`1r@zNe zXdcQRt3jpl%ED(-s2Iuw7zQ**J=5NG)bmAB8Uw}ry?0-x@HgviVrAhvzh9fN%k%Q+ ze$H`-Jh>E9$WTbaF^*i%B*p#~#Xe9n&y>yr3%H4Y?n4<>rrcDzEf%D~AUJ>t~I{#0MY&CW@(Fg5 zl|ucttA%@aIAnY>tWL1X5k-j{BJ}lC;0-9p*adV7C>`Fqu1fOr);9VlFTRO#A@RtO%fgsbQtcR_ z@p|zXob*C)y?vjHMs#jHanMZx8+oEuca6~PQhpW3&{`vuL6_6vnech-2Z|IZAr|&7 zS07M2aZzkdgk6TKgv#7(N?%l2Zc`#)He=Vmv*fyZMSX#c*BadFve(`B#TSK zO-!aZ6H7773ZD$rwacpwgNnyAu47+ct-S9gRSj6ds1IefJMVC}=7bP#&ZFdcSfL*@ z9z)0Uqeox&6OZcSES{D+xqN(bqKnD?SHzP+7BL_kRGrWq=6qaJmO;zvG5 zk(sh-I~)~_^9bX@kIZZ91)Pj20f%#EbiJ$sL)7T^_R<4mOiv=9Ha{;=*FenQLDvkNh|D#W#%^&t8gG$|c`2&h>O}6vP=t zT4~==GR8JBTS;qUbY|Z0peVY(3h1j`!d>;Mn zUGC{2!cNOtw=h{tRw8?FiQlZYS*o|VK2cn~)0nDs^8DB5hPH`WHq*(8TOgzQMp*vp z%W2fx`N%1Ko!)q*@AJL3FMV%A)SumusxTKnyZt|oyW=rfM2qx?h4|qKjl5W|cKIi5 zA{HX57oHp#J0#-PlAjL%SzB$zL7t0=Hp1-fU_&#+S0rX$Y7YruipbaVmWceh6)3s) z;j9WaAO4TDkq@{z)*bfqIq?-OG!po8xk?-73P21NS5}gJ*q z**HExR7$$wb^xKKL-c&jZ(y2wzJ*!l8e{%x!oP6Pp%Duy;di6|cL47O*91Ta^*h^4b#}>D ze>$mvF3CPKH=x~GG3vyUS_+Nr{Ky#hy5eoi@e@u{;5@q((`|)7B^vg2J;9{jIZ;Iq z2n$@*CZX(VW3xCXPj5YzbOAS~QACaN^q=N(Fd2w;@Z;O>{!xhh7d$fvGehWxN&~IZ zf!-Mp_h&~9!Ux-|jLKB`)2ark-`;D94_5N10lw}OL0jM-Zp6kNB<`nBf$Mn#F@XR**DhX}5c_5tA-a^BdkC5!A3lbVz6i8(#tOk677Ib# zgVWEj8CEcxu|2a29ul{3AM{Oiwp0phyEYv=5fFTazL zMX#CGdtbiTAUrwvQxR<;eiN{fOp1$LeJ4x&Qj6w$dVg*k>b|7X|H>+Ho?rin^(wh# z_Q$u&0`kDUNO)-i(3P1yI5pEeJB{U1av`{0D`%&;7D>dF6@r!02FC@x 
z1YD#CH6L@}t&>zqT4$+CE0!s@y2ro%z&E@4*tWwe@9E1a(y}a9I{~+)msFl_b%A_2 zU)80xeSD>&gb2P3EDSDw@Xh!DU5jt0xJzXZw}q~i({@tPRKRnBPzzU~>zGD@5xek0 zzH>wH{J9`4_4*)+?2z1ZrQ-n2T$F-2<%+5AJaaMkOb^l za6O?-#Bk%1sJJz0qSbTBlj?9Lr)|D3UI8eMd3ciI6&|F9oY022)IpaE$yS_#M5df^ zfnd{IFj!j{2#4EGZTlR5B5C4gu_sw{PVYij;x#*+JGfZS?;)m#C|cKrPo2$w9iIY4WY^jk;d> z*KC1h%V?ob4y#l}2TUx46N7cQpO5- zwc0CojnTgKmC!>#Rw$W@o_BkF#SG|(LavNaj89v)Gvj!k;JY!PdaGK({N3~#jx0LZ zZR1}kSWa8oQf2ZV2kx8$9JoY!?}T{B`NMz4rg)0Szd!y)=<2D@+5j`C_CVJvS)}m& ztZ`^MaUBn=n}`R8KxXa!3|6lPe+#vQx97MS}4auz!I|#0Gt>++n ztz9fe*I5BLr|eT*yF{)}%(WLQzbg$9{#N5KBD2Gd{_m%L@Y)4Q`}cu}S#FJkR;6w- zX+m!6AA(Nq-z}C$Vuz-5Y@d)(?T@SWiu4MlDX7$a=uA7aHl4W4884}ywFqCGTz*l8 z+IHE0D9jg}A&78Ksfp}Y%hUYq@%>4@C)s}>RIt`>lzIp#(d*qY`!G6 zMY74f+h7}?&m%Rt4cycX>b2%upRtBs?^$33hMc)z&LQhN?RHa`l- zvRnK5GCEubA8vpSOfcDh;kc-L%^gq^LB#n#nA!vy#H^Ob64*!crgZ|Bq_BedzHOlb z?3jP*8z22<9=AQ}E7mtCbDK?5XV1UUdY_PE z^>#O%e`BjXslsn{(qA}#S!Zjh)8DTqowvFD?izaMmfQ;%4fxkCA=xuqn->0l50ozK zTe`sE4(e^#8UFuz^98ed1F=Ap)wSX9yE$?n0~bwy{=RLaD&zcvJ-RlUQF0&bIvhMt zbiwepo; z5tq@2+VUdl-+0wt2qL-K`nbkzX$t&znvbPxu%=UF!%JbqAwRp@S%>)kANJln9Lo0n zA6HRA;mMK|QBsyvq_Ry&LZY$@NwN+V#yX~CC_)HDjGgTJlx3y}A&n*LU=p&9!7#&Y ze)nj7o~QTc{W*@`aeTl3d^rvrao_iKpXYhK&e!?6&g<%;_TTP(du>gD zE*`r5zkm9^jQam90j!^FB*FjxmRJY*6E;J1%u}WrI`2o6onrPYI3GICYw&{KHBNp< zmF}sB7vAyyRkc-~*Sr6`enu(;yXSz?%(*WI55+z^ZTseN%QaJtV6|t@TRwUQH4XS{ zpW9>T#KSXn{z=B}4@Gp)EWvw)jLy&NHLaX^HG?XieeGA6N661JUMbA!TdxKBYVVye zWbO~$_&RlHToX89p@W0QzUlw=FCK>*u|^n5=AXjL|HblQ2Mu>z@-v3TW7`@JFv5z> zAPttU59mjS13ESdS6P?d9jkh$M+~6y-~u&-t6mVO!H$e`h>7Y!^7c+r*0T8_T=N*# zUu*6`J``a;v#R!R+Ga&MZL(2YMzQ{0*G0zzL*}3zHn6St zCY}J4h2^aD!U5LQ^}QvwZH=+_-&*T)?%3I1vJ#HMoM;#EWnuE+@qrcS zJy6sFzV6n@wySEIyT}S#DA}V0| z%vD8KWpy!)Tqop>0dm>w&Shx)iVfNePAGrexP~$~EQ|9tZ~8)7Q?o{e17o`(TEcyv z?l83NDoAq|^?IuV@WkwuVt>)cRbo+(p$kvRU~9=JVe0TxLloy{jNU5AdTtBpZSMMG z>h&21#~Y%+yP)d&Di~gb2c3%J(WTs!DGbY#oxdDO2@l%D$x6bN*pF4*-oldFS0G{) zeF7D8-FZJ&d{v%>D@;d8uPT7!Z%So_ZVelAxTTLE(-_CgX?_3N0UqCxR=Xo zHZ!uf4^FYeEL<@?Nu+3k*8p|Ffo1nW 
zRp9IUkO1ZZC>Hlc#ei=c9}WK}|EWV7h*k%*-YL<8YrtVk9e{7n7XKDsFriQuV7`t` zZesZ$y;K(`jFgB$^zk#tFAn|3`00%rEFVqS?um7V^6&u@MyzWa@YVHwDDYaT{Hwg1 zJ8an1H(h_YEXLZ1V19p#*tB1GiTUD=Y=OZn%Yqt)%-gc7FaGiNa2`IEkPD(3hBP6{ zJI5DGG=nS2xnV2AtIQEgMX*^0o~u(~!cB8zSZ zbA%yzF9#7P6$KM~8^0{gm#$efqY|vVufMu>PyA0q%l(Tj*7n(R#iH}0u|XXQ`0YyE z{UsAOT-KlNz+N&-RNJY3>UA?`Kt`>_`q9b(O5^RW0y>oz^Ax|zZ3B20S#TEuM=G!~gBN|up@;`F`N0Q_s#tf_y z_6PIKMAjN?IlG0KsCFy9B_4?9f0C`5^v;bl3leC($7vP-IM>9b$sE^LqzhK+C;dY9 zv#=Il(Qh&J&^Cgad!ehee1?=%Ab3kUjwcjUFkjk;c{PFs&bI}~B62LuJ zxCB-656Y!hSe}nSIF zx}3S$aXa$~4UKL>alTD-N}+Uon4Tp%4@uhl^hDYrEvekc0Bm%Y`;?_LZ#l;OX$CWf z@;PC|#o#jB9W?1vTHNuZan=1iU@GZ$R+|rvG_hzd-^M8fZePE<7sD;r|E^$_DsGs|BYraX%WsjI(`z@Zi7k z=U$QeLaiyc%BtZ~rLep1{A=&NcPfv7yBDZM!Jx$wpt|rMA^80nP`R42T4 zQOC)$AP0VD#*{ovB@MJ5z8*6K!Qyw}C)GJh1-)CQJSe_bdQlpB)Q?edGHa+@QRf@9 zHXDWWc}EXV`^&CPTk&a0-HT5Jg55@j)o}l30F2N20||zOg-6q5!IdpZrf%MA@=zaa zx@{M|RTnNN+il=}h3{pn9`!?1G;l|-E|y*z1-o%WDbZ+n%m#i(_&~lXLg_fj#L2oV zXY-Now+C*>{OC|Ie_PJ)Dl=DUIjTeO#rSIzcY0HjtyA(+CG?ohS zgbLTBS2x3^q$$Wb{-o+X`Cz%{THhn_+s#beJSfV!PkY}1S?%J6<7s2LYKiU`Zav{s&N-!a&B_72&#b^1;DDK{2t_}9vxG&F zQZqU-F7iRZS=^m{f-n`$0q~}Y?SA0y^4fPzi8eXD;SrU$Q4zetf`dmbZ}oc2=JEX7 z93Ixu>Q@Z&*93ShKf7-#z1ddkB%pzHkv{EY?&m&Re%+i1uBMm+ht6zm<%n&7R542W z`9>lyu_?L~_X(W73K-0MtT~KV5fhetWjBqwc(bk3hcha9pB(zAiv!zX%SevDEV#Au zzT|n(TyV2y{oXdsdd-c=)Fur-r+|0%Fjak}RbvLuKWg7SDZ@}LtW}mgd*H3;ltEun`ZrmbzORvgW z+7Hfl1dLFfJtX61p1SWSf@$MDAc!9FwkY=aj+_CX4)mz8iHT3ySgx;01$&=8JhY@Z zf)fOxDW-e&oMGU1TZ}ftPU%aXA293mJ}qO2UDYA}RflvkIUMJ@mL}SN*OiM}`n(cs z{0KlMJto+H`*2Jt_+A zujn`-Cu8c5oepp(5{nW`CU;C%vh^{-q&c6jD9v*0opnLt(*d7$HAU^adIW#Q&ejqn zl38G>Okpq-BYl^cRjH8EOcTK1+>EMD&v_n)}>39a5fr74{R2%&AzkwNtG1>yFAVNk&-5 zeJ3D)OnPNOlj-WNCef|&2acRGQI_5hx4rGtc1rrM0b>E@VkZGJz0tVSqx^!-c5U3q zVGg0hoC%93vgXh9qw|#PBSfVS_j|N27vJnIeDcgVv+VeFy0K%4(`a=)L@8x-ac6U6 zVP8t*Q6m?zIvy3(q8Fev-5sH z&Y!a7Ps_%Hoi%x4D9l#xgrCdfXvseEbSLLdzhp=cJYG;By=!oqV~@0nqt)Qo1!vAM zqn;x!G)F(PV_h!$B=wO&n*B|3eet%YU#7i!!2@%xM=TQtL)r3fD-$D?Ew1#8;cO)0 
zB#3O(B0tcgX)_$^$^|dhS0bUNgedn{h+|SNuBH+Iqmoqzz!CkgqRlfR@4=+X%V#_z z*7*-_P$^H&=pP4neHuq4ddI15jS<~uqR_#wfGW)NT2sq?RjtUdQ?*UJB^2)U@H>S4 zq0+O;aCz&I(1>!jfmFs>LG6%Rx!lPiGrYg?JNkd3Dm^Hphh-XZH<1BjCeW4N2zmt@wD2adp}Cg@8qglj6culY0UCPv2_)3qp02M?Y~ATu=z000ujIpW}V5x z^6>uWGuCs`3OA24l6ZgN3KQ}=RQ^rDzCj_&y{}^brn+Z^J}7@R#xObpB|*d`#F^b< z71uBW6@;tYLlq^2`q!MGuh31^_sQkHyBLoRs{yDA)L7UnN8;a8_G5(oqBMXeq_V3i zyg0=hB>uFxk?_8pU8CmF_lr=>i`4(;ixjL_(}v$s2Wq#&&O0)n!Z`asU%;0`$D!8^ z{9*SXi-C&n^$6auT>$0f{wL+7K0t``v+%tQ4Iv)VFbw{(>_Nb-3yp|6JN$;hu=DJ) z+hJR$w*A9)!SuHVK;Xd&hF;;Foi<7dOun$_o{vfF>bzln=@PVu=1kL%F;$j0*@_Z) zy*8-yx9jT>o2viQ<;1-~Mbr;EEy_h}J>%szYY%QxKce*^L*8RkmDx@y?lzUo(Fux8 z9bEN*G7TdL7zX-B!<=1z*37eiqznr~Z@9leU3? z;AI>)5Ce8vu7_OCeLWlPuU$+JkgL3G$=i*}{rMj9K_$Ln~uQ8_}mfN9Lc=pUZ_pvPW4h7#5WZS~AQ402DL zM`iRC$>=x%W&xDGa@8@E+L?B1(=ZI_Kh$*yS_V= zWfobqKxF#X-rfOgLtH^WdnPEo!aqv9e2ZV~u*RaZ3M+ooDlulkA$XAgyJKu^-afIV zo!Y{j$|a!HBUd(^v!XgR+1 zkGv|)4X7ZohE?~ize4(+_-aQ|PSOe-FkcNUe=n!Z ziE|fNvv(M!wo9RDDgn5>@xItlf@K`dZ)pKKYh+d;?h_dbWz!5<#BnjJrh3Nb9N=^Z zt%WpOrg=ZXPFiISGWFbRukT=cVi4N^i)hAk*V|1%5B|EhIC@Sd0Bt^=kPIiB%BL+6 z7ohnuHU=UncjKkmmIiX+RiG4n`!5Fon9?Oxva%6(-OE8yYO-f0$dM@>q-2;fMeK8q zU|dHT%~NNVgq7C^2d9G8(-7toYtzS_)7@Qb6e1|lo45x0@(HEY1}d8VxsChP*GWbC zCt^ao<+Z>MB;(hzjyn2+FG)3?MD_5Igm1)<%mFJxGcRvkZuF)C=1vs}=sa?MXx<&t zZ+h$|kR8r4E1Eg(Kp;@)4H_(Ln**(fS37Pes!`)W3+v=lA-#B{Lt-9>IyWj{ofF}) z)@tS3cFmO-hz`^z;=2?)aBbZE$LDKSDW9X}*0J{3teFE;k)olfgY)acMzm^{5O>Dfqe14hX|pca5c18_F;Rxq{f zsqr%oARGSOVUC%=d;wATf(F4Eo{DwWrzFx~bkfDECf9|elfgy%-3Cv1L8{wLsmDHa ztKd*GC=MZh#Srz$ayi`kP&&R$VW$EAi>>z^dr8x-{w@dB);LtO>15WIgCW<~22q^l zRmD?PslW`r6a)fJSA9`rhKm3vWNTnU2_y?Z$536pVbob~bisOoHXdtmNZEV-A_PA; z;SkXoprb;W$`~X2b}bzQsp?nFSCA}l3LljTwc}S2l&6RnzyWvAfwCL#v8GUUss=Sv z-&3Y?htk##(XX~N@}_SSRptsa_dvPSz5FFX#g`r_Y8bBc-Q{~{zWZ6#MK*7xa+*1M zk?IzXa~vw+6>Txl`D2fPrQZ{+^_S#iJuphz z4pY>%jANd6s-d?y&n66?cix*Ta=Tpy8}vnsU1>W*#cGw9c>{W?$|^q0RTPDFXQI~U zuq$Lf*^BUTHjLDWjADzdvm@$YQT0sTB2~r7HwKY%$kN-IimbzfU&0UZYbw}aC5$|& 
zZ?>sDQK3&8Ak0GIL4{Ls$YP3yV3?6&(cG&Fc+-O_+rc|>;c5<8M5*p?@BJ<32B&sQ z46>^?I0W2;rwSYjNlVe`R*;)D7cE~lPJIb}{tPX7)98YErd9lTTZfMjp9pgI1Qp?e zc#AB}7nOOcKaA2^gI@KtG(7&pe<}l~dcEziSudwZqcwB^Cbmgk9QIj=7Ir_q`s4t; zHXV37t#BiO)+8gIuG)-9CFcQ8EA<2L?gI8K7}V01SX@UM{1h02{-OsyIm}^33T#h2 znK6+^-*IZ_*vO?L#n+>e#rso=_+GjycX7NhP7O+hp8C4!A1P-)Yx2>~^Xz-1q*?bN z+7U~8xocKp2v@amGUhyI@Lc46NR`}*1vWiU>MY!Wo)qAiXq9R4T3Xg@hdnZ#gRCD7 zR&V_2sGB$$V76SWNoU5SB@mP37S5D#ftM=B={xvkJ}Ktkwr$K+C|DhLpUqLLc5XE+ zy@(Guu9s_=wdRXVZNr+D-$3eq>QNn31Bc2zGw1Cv;JysQbJL~kCpc=r>Dt6XA4jm} zr)E-8p(YzjLBWPt@O~=6VN871Ec|xOip6Yfy`7+k#M7z+L!u$^c8xmiWa>FWcdyW2 zBO_hz53*nG&YK9Oek{Q}t>VTjCOIE?8G%!i1y((Z69H+cIqIr#lKBU}+Q$o3>E_^> z5GKp-7kvW2F=dhwQ)W@H9U=UtIjVz*__ZDOad^M~>Et2?$1dOf)r^bH9bi+Xgq?NWui^Kg8 zTWUYP!JEp=n^eH<9L|E-e9skZbPr^skLyLZy3Gm-WCmwXo7@ZGf4NjYud+nyDd?Z% zE}kiSV*R!TT%&_`MU@0a47VDt=OJVkiPkY2c`LG2{R8r|k7#S_cYV-aq+P3>fa z&TKcMR3j0OxGmFyNvFVpBPwz(E_;&MMAaNJuPev0 zB?T(W>@~i9#+o!iMZ+p!K^-RwFW6(Bc+DP$XF&MXS6{@5V}n{>{)=ES(c&hqqAFVk zz{W{z4)_7Wfv`Bt-~iaUn(y0k_=K<4q4tEXhtuvKu4G>6)FIXfJ*{`pzk0mEpnT<~ z)tzXq5maK_v2%TsCDKpoH@^TEf1R$o3EweWOwXjxH$XWD>46pGUIWu8Gc!?vc-J!) 
z*`$m?xT&~M)g{jL%8UHG_29}o(Ov~wuRzNdvz$3_M0Xfp$UX;fcwu*#g|kclk}EE_ zd#>E2t}1Fy-s!ntvHd`gqLL!xS%1}@L^t?JymC#MBp6|CvyT&8Q>fitU&<56NFRHB z*eenih4+A(C^I0`cO|>6dKSApE4Md4CKZax>wnLc7nr%yZtvy-Ty;GrKj|1x_~lL> zqtQtqk=M*M*B5Ee>#MDKiyq+%2?OjuCjaTGTia7eTUH(=TW3=yfA~^;Lq7x}P&ba5 zLdr9Gn$$uyK9=ZPMC;N$w=&*UlL|0j4PK;)zLwq9cCPa~74_Us^R3=M=;+^L*w#!< z-^pxU3D8#b6!=}cik_66#p24OYn8Oh@__Ny}3m?&W(}qxD;Fq!7|5&j=5@fE> z3K(MB3i5CTzEV7wUjcBcK6l?VxsV@2b10)bnm!ny&>Tt_4BfNRT@*%aW$D!JTc@1f*%ccb}L0%*jB@`DSa5<8L6jamn1w zdO=dor>ewsw5a}zf)na#$O<_vU{9%5p3GVxM^bswJ;SMj>y}#g7ffustK{8n+QXoM zHjeBK6ho8Sr5Ld3l+Rqbx!56@D--)fZMZsIY|fTXqtIbTs*))xRZ(C|a2?|r{ANUG z1-_(;B-F41UxIVvFow1oaK%{%QzamTN$B1z%vAV84I`qVu zINaUlBr`boNuz@;f44{gRA(Aj>tL4L>%yXJd{QyF?s$PK|^XnRL0|3Vh_ zLIf#I+0v%1ceyrI0b*(B`>mz{RwWINdI&@%XSo*;nyQGzOeUmGYJSf`<@HNE-zNSz z+p2iJS%%lD^sTwp?dvbnWj>7nixAg&W01wS8jC^}5x6R8J(EwZgP1DZoChG^c9CMy zGlyN)Mm_o0UDpQP>f&4ZUY3!x2O<6a+mR;?sxIQ>Ufi0E?g|s36xeRM)a9_V_-@&B zh%DA-yM*hRdQ#N-iz@f>ajYpb?#7x6N1^GhV-limouX$bjeoLTHPt) z9SlLKXHS>?oCZ@mUCf!hl_x7njNBh0!vNsRB!HbHu`HlayNMNojMq za7_fRVseLmO-w5#l-lV=PJjdyB;$(Md0a z0NG+itvheoH5B)CpeplU)aTc_nup*;*PjPxyVPj)lAC%*o4u}nI>S&^WY8RTM49{4 zw5B(=g_SV!R5Zb^L$|D=%>|hS(~aeAGunV5&mRAve8c!4Yo+{3chIGpcB8>s1twXQ zF1y(hkDh!?>NF>$(S+s&GDEmi5n08>;U8(qJdQ2;Jo$+0rNIgZaaZ;@&>`#fKax=by3b%QE7``ieXY|FMUD%-sC z-AE3;=C)t2TE*r>{=dr9TrQX-Rp1vI5BU=~_xgznPy;}gIdZ!FK4o-UWCBs^n6z{M z(z4PJ(p*d3l2Ab(!wLwbrto$QM)FyP6Ze~rh%+XkI# zu8_dJfg*Cq&sC|@;;eXq5lr@W*hf-?xe6p6bsQy(J?gTryXtqW>dpI|(1e6BkHMiSaAunq`B*v+@C@Enyy2auwWo zc_+()Cppker$Iz-UzIU@r+znjH1Lyujks=G1-%$nn9Q%~nmo7_CXp1Mf$va}4(?a% zcQB~Q!}QwPy$vhAG7QfHSfr$iHKhPxLmpX=&7%@z+nRy~Ern+j6z6BZTmGlonGNKX zN>iRZ%L_UJ_hww7I5oZW2ta}md$b`zBpm`Ih_wxkXDP^mvkiKA|2blo!VQYBG5^bg zv(Z(1+sifL68IICfV!>x22~1NQ)xw7(_F*v;1qEd6>#8Mw`Sunln*e8vUaiXnRwJr z?62lRC!17kM@kdQ_n3oelwi3l+ohktvEp#kcfnYDM0-5HZW~8Vc*$u#soFiwY7cH= zT^r*|Zs*{+qU=Y==ZOVoyIKi3O1U01f7iX!K5)C%rpjnYthQOK@G~ z?*hiC0{;&6tWz+?j!JX8J9RH`*(_`dWhH|9Dy3!tRpf4p%` 
zmdQwAkpf6&XYjk_Q*(LQ$L{UyJWT;Rp3B5A)oMD__NWu(gFHsRJ5OowE{a+~o814V^dTDBxWR z9MB{YhaOC#x+kDn0F@8)(TWV)8y@;9I^Xp=!|5)KD&F(tmkbApoxwatCuqyNnF`ko zKU1S6dX8e)dp0Tu1tAr3@==1cmBe3a9&K*!0%`}gUl&N+yUv{JcfKnr4|qJQSpg++ zC5$Q3`T}Bk@XUt7o5+CO$4mTM*_#q&7S0>4{!#NBFhT?R{JiGEUhY2#sysoL685udziY_< zRwV&*JmoQhwy{2sIozG_P2T(_j{MiFJOwr^XxuF}RS&dEy(bSYpv)E~rvbe?5BSgi z&XWJ7?l9%J4p5WWn;HG~tvsB7z?)Y0g8~2a03cES+Xzf~^L8R&ghZR4RONsIQ%hoM z^#6XX4Y4(+MWaLUyCs;CEkJMn`!&-mrd8wzx*Iy(Hyxg-W&Q>vfQtWTvG}yRIIGrS z>)_Pk`fsZ!hpqpk6_}#rXzin4ax#&LR6hSv*Zyt!0)0V$Q2TB& zyAUf%{H~5|3g+H1ssCL~H$owSPT+GuKMgD6TGW5JM}x+_%RGa}zOO1VDK?x&RO2M zb&GF}jC{;S#so!8LwGQ;0D)b;iXp3WYaF)PmO?q^RM z-I$z0VjHUkhOB>Yj0`puJjayA9`nou0qc2(H~+o2R3n#jV{)En_fr4o{ehK7;GQS< z1syFIsfY?F-a!aw12Fere`vT>G-!WtNPd&1;rm8W(cq5TfVa-_{?_VezaYl0;rNP~ z&Kau;S=h*HaTk=M{8}y`(T09bcd6mli9?I&2@>9W>1E^CuH(&zymjT`BlYHEO!gs$ zWb4i;iLHIqOYp?BUAop)Dk(wMZBBkVqtJgiCzVT$)d^T13r@}T|6w=xeT!d8L1Uebsub@LzfU@W2yun{|9+hW z^C2Vu>xYO0et3^qoVqI#0m@JU*1`Vi$qQG-StVGthOdr^O)(osnJpX#L7amt4l32P z+GCj9oxtS&TNozXVF#vX`KEW9#SR0>#J|UrT?%LU`i>=Y71Q_F?U_^-~=RJ0j;N7F#w@5V^J`H(@2Xo$SDFtsE?Z$a+$EyLxow@U#n?qO$twPgdn zfV#kESoMBjHgBEAgo-48?wnBl<3o6Y{sKPJk3Qt_j1i*{3zvX*snCY)g`Gdi9^>wD z3+O6k(K)AX^v}Wlew{jnC?==N9Mc~R$82HV4t!o_&c+rV`kDaKDT9A<3bP}S`8g8= ztY`{lg3zDgI?^K0xpZ=hxBAi>s-gt9TYpA`=miuq*WUoD<^E^8@dQanYL zege|I;_;RoF6 ziGOVvE`?pa1`YxgrBK@Iqfvp2i@PLusw{LyNqVD}-?d=Nt0&n<{96;pN7om$+bE0$ z1~qng)_V9zR1@OzJ|NSkvj6JOzjtDlC-Vp|Gdkv(RC{%-`zb_)keewGrS|pJ_~I;D zh14rLbl2rBS;%1$q}}1W{65D3Ejl4blBcG)mmeSD+nlOVzey!rnUDw0y9VMV&q@}8) z^8E8#Z&dy+5&GgOV7B`GW44|Z3SjSg%8b^_PzRUd>$aI z{4IC=4uvO0f{I2eFo6kfY8RHuQ&nLMipMyn$9H*H@Y-oohjtP6#M<7sLaLOv5u&^0 z)?3^IJO&=IiLKvV_l_mht$Z2$^OPyZ2>D93`tQ0v}-?sK8lGd(E>`s1|;*5sK* zlFC|y`ypKSBUYD7#h?BJKz~QmbP(=#N7?~cN@E7$G$Ep8*D2fylExisq6BQGs^6rZ z!Nqyh=lV{xzHddq0P$TFT1VtGc?aN5?U8_~mOtg&U-t*lkz6-dy+yE&;QT$dx%^j_XZnQx z9MNX%sb}9XdxCzl2!NZB?lYYiPkUXWE$ZjFG=;N4e;|lZW@lsE5#%O&4DVk5<;!yB zy^7=aadi54WVAsa04vF_rqJl+>`r-Bx(*v?wRQdCyv_2LvOjr(1t4$Vf;?_#AWl97 
zIlmx{L{r!h28Oj2mJ|i*4Zqps(rgpCr5%CO!-{45~)%>-oi@!f+?+UZhM&rg&zg)Ol) z-cdMgg>oM%+d4{(@$@Eu)e=kqX`ZEzSjrup==}cN{D=SPxe2@d*k`sV8(ow;GZ_&V zxrN!l5@m3eBDvripCN-l-c$+oQ6~uvO6P-AV<*S+_0oe3yIPyIC((1CRJ1uTd zm2y8k5L~NfwMiOwbY|n3OQ_(mBfZVQ#--nx`H!rr$EC`;<3Y7N_u9~Wr8ceQd%;LMA*Tj1h1NlHvgxrr)z7Nv+xn4-IfJ4IyCf{pV=qV zoO2|C_WGVS?rxVfi2|ISW5L*~KG}&pN|})jMf(5`A;zzJ)IO$;tc;9XYS;RVcPgcQ zz7L!mIOdz~78N)}_jhln)U6OM&4ccEiAALd!Xo+AtS{O__x_z=v9x~He3E?*U~y8s zZUR>aZp)ke2(@*!u{Ax$-sw)HjZbGkX8zSeA%IxB{gzKfTB*8`-vIrw0o2-4hmazr z&f}fReFef8|Ap3kZH5YIN^82c?}@TC?8KxkwgoSnIibJKG zuv=5!B9G^<&aPA|*wHVY-VBO_9jIny+%yt#U`myel#`<7<}kGugi~UCx;fcKrVzbB zE7P6j%s9S_kH3?&4Mrx%Vr^EtEK~rj*aBmCBQ8P^CDl)~G2x(Q4pD@WHMLAF^6z}T z!v@eGfSp0K+Umt0vv{dqpUr!AC;G1cU~P%b;0eB+l>LTnOS9Zr$2{8eq!lOFLM2lm z)2|)&LV9+hQ3_7N)?OcSKrbPFTU(r(p>ufO`!B!hyAVKE2Ngf2XKQwBY`y)NQI{vz zCnw`+X8`iCZ?(M0uX2+8lFxFQb`%!=K7-)b);LBcTQ8+VgZ!gV^zoDG#Rp$|;LR(2 zJf|?#GhTh$bNH5~d>1FpvV2Rniy~Y%9s?-A|Edc9j)g~LpFQOhw|GA}sWWO$jtM$j zdG)j-vB#9q@MfvMQm}Xhd%etS0Ihbq;`3!}`h+8@s#{L`%3-IrPKp6&h8vXM=esE% zo^4@ZLM zhLwRHRwv}WD`qpG9Jc4SKgXU9TF0&HGWHTWl`r|M^v43ncqVCxh)%v@&_EflmzZk=Hh&^-mv zM-@M7=ImIFnIZjSb}-wHb=j3Z@hC_SErZLx>IkUJa6v$rn+~JWua=3mUG@5Py$bM5 z6g1IQXp|yzPrrs^e_@?ICpKZnDLZC?0%ZAz+Aw^FT~i>5p5!K?s(lO?aA0#yGnf!K zSreNisM?RXxDa6%DZKG3@AY17;8!a2g7G4c5uW8sF$8NyX_sjoK<=0Foe0W{pE_kN z!hM!&S3L?A7UxLDl+(c8T&?}0Kes`{#DG$EpEJ9K)+;B68V9z7QQ4%fkAY-e&QsvT zD$Pv}z2)aGLYiQ^FJ`kn3$*sZzN{eGH!$({(us?(!1?zG;Pww-EAY}B=&Tp|*))Ls z-XC8LzegZopQdhZ9($DJuH&XUuGLbwG|3f(B37>Z4OyF_M%G7R%7N}Ge#5=vo$dZB z&-&uQZOf}b7Awa{M!63wS~uCPuVI=oyfR{Ber$F>)eS=jBi&sgh~kTg&XhfHDCi4GH(Mj&(tR}kKK zT{pkQ?Jq^>gi;89Q^^c(8O za&;pRu>iT)wtkoJh?O}!EbgS62UckEamoQl5h#(<`q|Kp#4nv*<+F2rvi_0Rd7~Ie zcRvOolYA@(+&__1DK|UD6e=&XQx*CuDk=R}R}_r?)o;3p17mu}k?r@j3=8j+We6E7tE2mBAZY|@J10I@uJW>T*S!*U^c!_cCU54g-V9TPs?*?*c80Zq6U1AlvMG-?yG8@A6v3+SX zjbsjEF`!#vhX&C3@r$Rx)vYYeLkg58@DL0IFD&)7vzS%WP4- zeIFx{@^cOH%M$Pc=X~GM!h*8Fe0>Z5zcHMsrAZ-G3#0>mP^|eNjs_>j4#Q|UEe~Lo zL&fO8)jYuH4vSL@XM&=x)%ey1BpVqr$89YEJ4)yjP1yyDG{&llsBLK_>l5EQsm&uj 
z5~HXjuQdPyfd>6<-aPAoVncrBuB`pc6`!ASg6{NxFdSKF?BVEzNRhx9=yL59F#q7RaxKi@rIx?-DUuVT&dK?)h(WC zW_XjSpr=Eta}uz~l___T8YSPmeZVH#*~!ovg2B9RV|BdC7sxUNH)TEj^fSTRp}>N`cj}~Ou_Bc(H$?!&xl~l3KxFVH{mb886}5c zODV7zVtZ~;NBPtlr;jo)?&{H#(uL3VSK-~AcQ7hxQBc~hG4fzY6{iO=7X>R;I7B0h z>7m?{x*(xrHH3eT&tK>+`<|^{xvy?)WT_32xhsKNaB->z zw>E!geb|)dwv>!}CG%R_0@DeCRlc5`FjpfV}=vJ zyQc%ERfQ9lM@Cv%(;v|8@% ztj$qdajN9MU9{enpgo)GvgXv~umdEQr%fc)l}XQ6t3iy+<|&E-%ne3N0Q)TldiMoR zKt%h~PCMZyRLPl-_i(HCxm%Uq1-7b70ID-_Qm*hR$aJ=|jpp0=Alwh2kvJtV_!HjT z!8bB>vHxo!+#N$nBThCjOPvH$UMBOZ#?->6wJM+Ns?9gcT8jxY9aXWqpDC^Q$rMiu z(0Pjrvw~PE@Mp~p7|i&uj%q)S-?w$P>Y`A4eE{tDn3Bujxjt5vzo9MAf8+6d zA9-&Jm_}bOf5=QhzqQNn&I6g^J8RU4Id+(ui8u$KR(q(8qes>;X!^uSc3_(Bo$YLT zkFW{2_Otf7q{XbgrqqZ6*@8V9=NH_{r1Oke%A5p3^519naWrNvC_<%rgTY1*yZq_- zYvx)~mXKFa=NytnsBE))tW})-raH!sKEb2PT#MZ)I$4|V6&|=|^9nHsxlJ*}=0Kcg z_vU@Y`^On)UKxEK>3{lTR>kI*5x$m@D9O=RrN<}w?D4L1gLjwdpZtJ){N}^Pi~roa z^eubwc^Lq!VO*VvVw<&sXpkvT`=LlXfOnkSg_Z|sEN_(cR}4@`0Y5(02EF)#IW7Wz zk03k+%DV4@aVqtLGhhvij&Mm~%|r*g!`Bj;kb`h2m@CBe+FBq~@Oz~HePLifeeIru zL>zEvd}xF!fyo{KU|^b1K~B{QlKrY#|Us0`yp3Y#MPw$Cj~xtYU2)PV-P9gaZojA%58I#-R09&uKe}&kY1Qb z(T(R?z+_y)Jy3c1WE?yAYG*SXrHM+uY1anqj;_G2J5_U-DawL`m@S!|MdF%O#UP;kfP*NVqQzK&3?Nyh*?nk~xeb3`=*tr)$}(_CLz+Mq{J;XkL~ z_u|Yz1>faC_fRr?@k95DFvdo+`J3?YJwMLyY5QV4BJGD z$E_@CN!2(vQZ7kfSz~B+*FuW}M&I8YYitT)?!~syt&vR~FMd}x0kj`p?CmQ?{!9x$ z3Isy{KyQ5GvTDh|ezRDvUW5yv!v@g8O3D07QP;2~c14Zm`S= z=yv|A-;$NXNd0oU#ry4*{PC8H%_(p@%;zH(!Iz_(Ij)(!*Oi`HJ!VtfKz8cJhw-g{ zNI9`FVw>&u__=r&zL!fU0ee@7$MGMf`;>m^27W>-$>pOf+iJYBTmCrU-n1KjEoa;d zJof@^9w*Mh7}OjZEe6y#+6h#s3xJl{zh$BmS+{7Kp+d<%U>!5$ww#|{_t`Rf#WvBd>>uV0gd z&7PH>a(v#~6uRcO4`q<#2A8nX%35(rta@7olG!{3^*Na!cV&PG3s8Skbh!M>F0H(P zb}U&6XjHe8$UmKT=hj$fluN984y+LN>S*P5tPW))7raU@CET|$uwibURtI2lV@04N zEhN>}a6^TaF3=q4Qj^-X!OcB?-|u@2ST4Y3h@zdE`=uMVz}EUQEGxeHEfXX6SS`*N z9O^GU4Gm2Z+r79~T@&-yCwbOzl^+iOjVNv8$P&qeNbJ)iySWjQnPl5zBG#(uzEV7J zy6^Bu~0W_v73e!B%svIko$sEhz 
z>cN4+?t_KWg%>2I%R}K?WkE8%mw`iCfr$(pN0BHJXEwuhZc$OStL_RnQ}uT+08jbw*ZnA+nD$WZghyy($lCnpZei}+srq@G1+yf5W4Y<1w-?aTPe+GkZ3IaTKPO4-1`-z3%w zDB9s*gwL{k3S!R8-A23uQ_(qoo#cxv0Hxf)jM1xLEc6RkeDa*c=oX8A%LXe}ZdXKE9jn9S_ zTR^V7)yJrc4`xI}gG8&wF~m@>3s8@_AZYz0;4)jjjoPU*9mq%ajY7KQywT zOPgPx!iBqV@pA+3{Q6hBo0A9v7Ha=rz<{}-a(Bti9`$*2i0-hB6`0Y%w?Ax;J zx+Y^NNPE2-gTAhVQ91Z}dbK+y>C$Q0fjjkWvBjbuw0C%OVo^YZI->wv-aGoeCL`kxeRsjev@uUD%yHV9a*qx42*SUYd;bUycZ^JN=s2 zC#N$XP%~|HV0dNc^l-~?w)cFe`?bUXhbRb&;?)MIF~DGNUjj5y{k2zC?FvTB@?u6T z>u_AoP!K;59X;U${=7e!Fi(8Q=<_qdYl8#CYW$TEaPmc8b-Pv9zv@0(IOGB)@1XhG z@6n5+FQauSpF1Hvvk}|mre`r{Ze)rh9SR$MXhFsDP0g}2QX3KIUjUxZ!=L}?zdgUg zA@C+!0)+F(`T|8Ji!DM?-}I)_|Hs^$M?=BJf5R#gl1d0k%935yB5PT*GlXoF>{Rw; zC|Sx{)(~UMGS;kRo1zk8Y(r*3l0Cbz%oy`tGrI4)d-*-jdCz&?_dI{-KKD5@b1mQP z^Z9n$=vQqzwt^9HxW;SN+EI{yhAb5;rBAkDqKoR4m-Twoh} zdmInpL1con(P{6Kj1NhjX*MmSCEfLN6u2o+_&2AjCAAbheMxQ$(W(kh--wQ{z8OOW zGlNzE{W4c#4bR(nQ7q7+BZpDA5rnp11M-~C1Q%TKf_|PQd=(9;A4{fbcQ`3Xv_T{= zP}2(!kcK`3|A&IhIw$f~{*|8j1IP84wdjm6YpwOUp*&|)i(`9Ab3LO9t1;@1X)PbC zZN!DY9v*tB;9ov8UeBbTKN2Y*`1LTx*$-`{*=fodz`4OsHb8QZ(^v>Z&Gai)T^%Uga<#z4`j^&k`0_1G7e4&`vJF0eC#iqlw%KNg+x2%+zNY^-!l_?A) zWjzbI&X3=@ko0R(VuWo+vVQ!nI9tzPE31TEZVC|~<WY z5(p2Vy{;ahqe#*XmZIBcmbRc>4%~&i8?By#{k6^y#-y4vDRX>8Up}xri}n|^c(5ye zWZ$5B=?@b|)j!MrEm=pHOkG~Hf(Fl?(*Rk1{9}#3rG1X(A24PZ6D-{S??}E~afGSA zm!-sFa&uPbk5)z^4k7RL1L^B|iCq0n+T=0Te)UHt_`%$G02PFEO7R~qol&o0{l;D{ zXq#}Uc(2Xtke9)h?;ot{zvgi?G;Q#ev#3=7`W|P1Tx7~d>R23PuY2H;z9|5_rUvAs z5Q8nw%6su^>Q8h{r=C^#RPjh|oWh*Fjw+#J9lF}i*9OJbAF>_0{MT9dQ#E?)ejR~j zes?kvrfdvm6EFFz-CSF%Uk&^Gj@6E;wC>f-sktO?kP^uDnXT*BPk5G_RjJu7pWgzv zp=9o^7sR2T5AfwXR73F_c7(`v0yu&$)@$0IpKXV+r+w+VGE?O^3Nf{m%FGW**a*wF zUtna)kCmM(e1i09rI*>te{>7XLUz$_B8SGsMOUzSgX1@090hH;d$>XQ5WOj>3X(c4 zCVx=yjM+W`VPDgCAE$~BAWC#BrJ@J$+P5Bl8;mpx^RZ^;EKO|>CxLTRo51aWwUpmS=!bwRexS? 
zigfo5gP;{&se~aW(=E4?ygv*+eLlSev3jO;OO0xv@w!J|5YvBM}^M@&+!JUEY4))HbqD1AMITCUz^a#E>GcC1^xCdf@=QHz+<{DLww+Xo%3EPZP81qEq- zZgbleVM(9={UKt+8r{sswzku>sw%({&@}XF=(*85{zjgBrj!yTySl8ybSAYzg57Ay z1M_62N3Bb&;H*dCDN;-Xo#ONmTYaA?E*Pe1Oh1z@7M$+tlW0jX9W>w8T zo&V(E?<;q?H3FO2xNUMuOOX2s_-|+j?Tl*>8l}A}Ak>i4Y0Yy7Oiq8_JKAHs!BOwB z#erHWmbo@=TPWi87c!-{gcN?vj?|Oxmhv7z#<^nG>heD0k9?;41z43pbyxKYMJD&lesw<>YkyW_2s(5# zYss#r3N(UewK2QZ(3`5#!Psca)Fdzb+iWqg5!QJf>~U#sR94O@rf&ztf8z6(VsO_L z+3U`_XRLvHX~}tXQg*RdUrPAvz=26Uxy4)ViYwLEkn{!4=4mb7a{+VhoQ*yCZ3-`} zTv5|KQ6?PY)0*nm6>dqTdgX*2{kF0u-%_-rTxIg~%i7(ww2tufSLD+IA_cHZ^KGVt z0e<`o?rpy-$s3(d;5Jjb7hSu z&Jr5$U6b&sL94U2tt=cU>C>yPte}P;GVqdKd(D=Nz*}+ouQ#xo@OMsou z#Gz*Y9V^@Rk4dz~CZGEdAPqw*TipkK7NkXb?w_U9F@>r00MM_Z6W|@epwJrR*r`7= z1H)%;`t2(SY4M7%ej_h<(Rj?1V{KM1zf@FbufYZCXImK3QxRu{cip2Wp7EglD?~@f=A2_iSnN^b#Sxw_Z3vE>E976VL0HeW2)p{Cqd^vS#ZW0 z+L{x`6v7>#ptm);Ngriqa;m>xa*Wn6o(i9q;w{+n9D1{kb|9!{b>WiA#tngB)Nl_7 z3`sFj6~2yR)G-n<$71x@r^l~XIHqw1vHVOJeq7&xrT}y7;Ayl@g(J5B7sJ4gbk=bx3N|IChqt-*a(dnLg!p89M?zlGzgOY(7 zI5W7~B;6>Q?6*AqDsFK_dZ`9qveT=RyB!cXD7j(b*xO3D-!-)GgTfCsTCfdwePmsi zQrfvIzZ_5W8iq*t?UvM{@A%pHwuI!z1>RdB(r28=9#ZrhY?;xzfe36+8PXe)Bob3f zMHhY?vMA`P8Zz5;nb)x}0X5OT?Q%th{59J{?xu&r4DX({3QJ@jjjC=QU-*1=u=GId z_xN_jD;>D-hfT?@RJr;llvOS1*05!$N*GL7=<4%z1=rLoB>3Staif3dI#$&bTu*Ck zv}M^7sF+{Vj5+a?Rs4f1*)6JF(B}NIC6R5&~)*;sbkq~|{ za6b@#(#$s%rRbU=E&O$gR0;<5zW}8%!muu7h2RbK(YhISA~tA2IUauFfL zcALNutADya8qZHhU_A_I5n=LKbap|?rKZsE<=W3mR+r+Ui({$Ke#iqMq z*0H75w8XeqNGH5{C!JpO(;Z^o3d#<=xy>hD99nGYXmS17rkyhU9Shvt$U#(jz z_tV+5C{Gx<6rt~kaqHAdmoWzMM9TGrbK}dH;-`)al2!!Yx(kJl=5&Mwgc7 z{Z&7=lN706S`k>2U&@~13Q7x9&pak_rIPWm3Q=;YdJ?Y^7(HM*Z*0AW@2TqB=|Zt1J@g>k$5GzhV8W@lBS(jMEK}uK$QAI)Y9|q zW}|)Oauug)4V=nr&FshQORGBmEVhe_!zu;OgWhFcIa{UO?9E$xqZ8*=3207|&ntW_s0!0%l)Ra5~dHUfrSt4w5; zL|0d5U6|kIkI!t&k=Q86Ai(On1>6{!K;IRqVb~xQ;kP8tKrjCecEZNW&h>L#Y14M3 zb;0d0tYrCyYm?f-eg^vTT2#Oiaw^5&UDdzeq3NA84lsaf;;m|EntNw;!WlJ~7m}%I z3bo4}y+RBKNOqs!gbnA%=}u`}(#(l#X)7qNqW#5a{y`c^Z65pr;8a168Az)*+P4&p 
zl(mPbj^yx*USHRuV*|S6Y+`vqFo!BttYHlom|yT?;Z>i7pR~fy|XJEtSQ(t?f64;_4NtsH8$5P-?Gn*Vb+2lS_K53 z4*qz`PFU_nGIaOey=ADaEL%PM$rcDjE3-rDnh$nlI%bvtQ-WeIrUy$&EhWec9Ph($4>=j0wPeeEgC7 zd8ylpn;RD`)=axkdQBNQH&r39-S9Msl=Gln_n3RM{kl08>XqtY(&W6cHn0il<5+bX zlGN68)tt(gXHdmR<{IZ0)w)A(KM0?nDGM%5kd}vhQT*B*l>Bq6)vF^d-7ky=EwVFh zbd}l3e(qirjKkraVyQ_OcBr<%|JFFZ!kith2$@$o3FF1mI2Yc|ZjNmmvZuqg&gwQ* z)|PH6VQMC-cFj*C2E(A3)r&hYvmI^a_E8CZ`cz#1Ksk~Q6Bk#s*_@JEUn`swJ7m;W zgrr!Ymf**{K3p>$>0UE@DnoUQO)nkVMV z&+@7saGqR0(p~NPNqYE3MgDskR-pk|glLgywOovM14(^b}dFAhq%Vpenx zDVH8jafS`Lb(Y2!pe!-F6}ZdGn>^!N4LKFOJSeC6gaI`U&dVPq4Pg7w40nKD-?da` z0uROy9O7b9sxzy!ZTtBdu2aK)bd-|+thT;(j{y^#m*&Czyh-p+a*?njEiWs~=~_Ix zCN@a7UT$2Y7HBrv-DMos+Kvm1 zdaFP;+U{Ux$Ao$Vnl|dx%7sg&$7=~OjM5>dovj3P*8$C7kID`Ew#oU5cG00%U+Pue zIvf%TC$Ize<|LHx@3g54PnUs|ii*GkHt@>SjL4n+@6{Z-d>Qi|iz#1FR)?JSU|cXU z^N=VPQ>LE139U^_FrHR1>pDDNAx!tk!zj4gNoC|2PKNfmiv?ZZN*Hjq&6Al!%-259x zrD$Z+NVrejI)NK?x<=E{%LG~-j1oX8%`5)AuI-4gb+vcZ>#VjOxtMip+2}?1d<0&< zNylHO)vCBQoBi;5`B=)JrfhfhS*1c~+UgGbEM z!XG@P%~At4QBTKvKFuUdjYFWU5h#Fd$PpE&+Ifp+k?flt7XN8MSq(NJIgY5bM~Z6? zWPa)^%r;?`zC&4J%Ge>#vmWWgj&(45H8w`>3H2FG`} zJx;#(0D1pK=&W{+av}1N9ay2R>fQ=Jfrl@g#_K}_&gAVcJO*@OF@z>E-%NZ~a^zS? 
z`Pq+mj_u9S;dSA}2S|0S(SO+oX_!Mb%3kSN62;OB+4VzL7dq*%;K=yF|1>9`C-e^> z>2p$?%*(vs;I==cfd;(~%qv^^@qg`E*5Oe~i*YgpstjD#*&%$yh<(&W3}ZLvcT1F1h+7TFU6Ww%5J_UihI~E z@u&u|yC%j;Ts9$;Ol%U4!i|2Z;`hadrP$NH-}WI+YKdzOp%&`KMrYovEVnYWwJoQQ z?R=CGR%t5?N+4}ENkNoY8)^EaZ9~o)!}g|&=0%OAg1RU#)?kcSxwBF*jC4)m2-uRt zvPub)>@byE0{UWSI(XOKbHr;%wT%ofqL2SJTEMIJ#D~kre;>k=}oLfxh3HY zXM(5Y@b>5l+Dy;Gw8fPbYhLlcqz$5-j53;68(iSQ$m`Is4AaBh#`?waAiQE?j$qOF zIAZxDg1>8uRl<1irWk!mp$%LS-pA@HAUv}aMz1-NxC*7tTtrZ?|AWEo( z{0bGdG>j**aiQeE)h}%Z?e_3^fOzsYXh^aEH#DS(@ z=$PUuv-!dZ!8FI4D3?kLS9SA}~XDSV}rPHo;N~#FZ$w{a0YU8CDtucpQ>1$z373HMa7hVpz zw22E{f8_VNY>w-288BuWZtxFDI~~*2E+_}%S>qICB$e$v!wDCZkC_W;_jr#h!fJ~& zpd0r$%NxW~8(XNkT-eLJ1-vZVMoe8(Mfq#Q z0>)MF@@f2tJ4<%GD)gX(;`7;7gEIpG#Rv1*t19@N(TePZAFpgax%XF8fD5#wBqsXR zlF#2T4Cp%#`UEb7&G>}rtCXukcdDSCFU%E$PCfGDovqiBWneNv&nRTLOWWn?JWBPn zbVxlBUhi$ilTobJ=NXI}E;~@l9$xXMK6|F{uzP>j0%nbJQv#vE72ZcFm2eCQ>Gtoz z%OXpmpcsxTsdwZ;xSi@*UFO|~vJ*BcJ%SIFVSbOf?*&=FSrR6oA_KT(wMTh`?S=RF ze1+U_^2!o!=f_1=XSIXl9OC>}7Zgq$zte~p`&8kIzpM0|6~=tm&J}}Tj)|wWeiSpH zg|1DucuqB}-RCulydoE|Ufz8nU@8?`n z9J6A+JM6$LcLZZ%LXo_o@b(Na#jxqSeU~^Cs=AUf=LK84&9HRpI`r&J=L0qD9$vqA zwo{Ek7rm{iL8X5VguoFhMoG)(S%*-3WZyko>HnOkI0?+s?etTj^*T0=4z-tPdTQLT z6FlF!#&zDBBPGZr;B}m@z>rl}t)tb%f)n@8&);#*ZKwZX!A*7i_aqZzPHNI-Up0B0 z#H2zaF_M68a$IV6+T=>qv75mpWL8N%IS2Xpf!oq_{L%|=t8kH1i91)7TeKjug?P6<-*;%VBXk^IUv4Bd2sYp=qbS zS-#XA6G|g{2z$xW1O{2!@pG$m7A#eWz!(J!UxOog8$>43Y5k=zLA5wX!g>{gi|a)Y z%I$u|v$BC{@5i#4BLCR>F#WTEx^aBYS_-xp-88McU)D-iqw^}C3F0ojNbZWb&gHmt z;4pCD5Z@yOI!OERB!()<8ki-u`B1W8W2MK}ZX-E_b`We1CK=zkY-Fap|2Oo}A4U_o z3MUTpo>z$ThiP6+)2UqU%~ZY9H$8*bD#~^&N5s@ut%>LarMn*IC9Bgg)+QU894Nnm zxaLidsV+9FgkoZ-y$>JgWGU<1rKgpMD!5g%`_GkpF}@R|CC<8Rp2;jpQ{zk-&nKvH z+-%=gVYkTAy|d>iJ8X`?~4T{&O`Q3YhAKufjryQ-)8(iC=O}CEmC)Y|koERm8;;%ol7( zlm>|F=$uDAybQ@Uo?~a|EBxV{aR7d~9}b7Pwv`1GACT@qxye?{4-A zL7ZlbE1a0kQ8-Wy(-iM-Q$>H`N&l`L9>6AD-%5RhSu$05sa<@cMu*BeC_P-~%E{QL z$Ai+ncg8Q|QMofqh9Vh5Jb{zyn|9+$qDtT0sc`1LQRd}YhW5MTkczXwi?uw}y6$l5 
zCKud#)aw_)Ai<;jVmC&~Mn-nVY74eIZs@9aB_rKoTOKz~Uf>({__&j3c+Voz%(0WO zhU~-D?V+ZAh!-^3#aKI75?4fKd%tB2Y*3VYX{B#+o zTO97j-xd}|B}p6Z68emFDLzb9yu+?AB0DKY>=~>3Ipv?1^s|-ArAyfl+79a7X|5Gc zRpty=t##Wv#ZT8(O}}6SbxDm0>8%aauu)FF{qT`hm3&-BTt&!ju<%L`{V&_L(^ZF% zabkJ2NWxvp%x+6LmW2GO^{uBJ)Hh}Gm;GOmVh)K}krz(Kcw!PI=FzXfDVOqH|JCN3 z>n9!WdeSMv0o|{Cp3$$_D(3frr5&cD1f?)F>%*fSve?W zSz|U--gHDRbJ-q0vUDIuePG3tgr$(&sk0OBqwlpJ_TxXCcRR<~%;8g~Qk@O|4O3$H zx#yoBGw1}>L=YmtYHy6!Gau5BW#%xt$dTTrX0$z&Hoy{}nm6A8>mRSl^0+o_jNW!8 zv`mg~C-JSXPy3vV94=I8?_Sdcq5ltP>`*VJY+#l8#u3RtXXo>=4Ivus&_C^(ou?o% z&lp_xuG%2`r^n&C5r#92gN{*eQcVHkw0wYjA(FaXzt~s=<3_y`^Ib;pwbw4C;Jpz< z&_Pfl?aZ)Q40C-i#8&>hZpMJ9e>?tgK)|5xW9{u_GuiO{T&xS@Ro*+2!QzXkse&WM zidbY-nRVF&-4N=+mqJn2UGpjHN7<9oJn2?d!3U4smH_Ug?^3BjfUM%r#)=2hhjT+M zMaSP1c`dy7e5G%j!^+5882v^;^B0RG15ww0v8oG+GV+8a%@)dxQ>kxQ<8I=c#>_c8 zMxE353pBG^pPOaQG|ln4?TMD|>wY38ndD+@W&Rk=Oy*%E0DLsf)1a;YkH~qTI!v>v z%wG=hI{)@((5*#e@dM>s&b;A6R1W7%r4V%2; zRoe4*U75+yk3l6tWX`v~5U_ZA!!FMUyr~28T3ktLf>hrA$uT{`LL_VnkkW``}@kdm5)X=aZ7dc)O5tz`3E zXbDz0q*MQ=G-dktrP;8R35FT+o@Dst>A(pOKrJkj7DH2B6@eSd3#+G}3`=~j97Otu zrzYd4Bki#6xqArxxBct~d~bmMH@-)L^C3sm08b;YA~fIhzbNY7U=IE$L7KQVshcGw z=<2q3dbvA1W0V8-p*?P0`mlZG|4J(O%%)QSSQV7=vtMK+z}h|ZOlZCy5?wuH6bL;j z0}r?+vlz`iHpomOM)^S8GY6l~QlMJBKdkr~elTy_Uf15Z5NZR>^~04kt0NJT@^8^ydlay^}J4ZWnU()Drm$G{hDe^pPzi zh->QHh*LISJ>OBjRJf8*C@p%4I9=MLU~_*~1$yv-=Q8;T*<;`}`5wz;x36z>(DN+; z8!N696St9Gik4gljQfzy95(1|g)2svZ3&3eI?#jQvFmT-2b<4a=*0-crEF?bW-B`#9#{W^bSg9qXK=(nSk`( z76Bh{{M+vx)y1|Y8d6X!aJ`sAN_uRR$wL*v^-|n_&6R>e^-uv$;=&{+cmz?1CLbrk z|9X`GeklGe`Q)Lc);a-9nmwUyz{usG4NTd--q<``z{w$-_4%ITeH1OacevTzj4FAy~$p) zna0N4uMYa&T?u zCiO|`YtlcTTh`yR=iaWZRf2|_UkVt?JRo(chjDDhX#au2FmNF&g$DI+%J4y(f^~m0 zeU?)tSUK2)0c9ZVIf(&Hv~e(ROy%l4Mf9V8eTjyAdgL#OkrF)vnp5C6^LHMx&4kcsLBs1mNpwK`TX4bh=yJOM;VY_E zjK()R6n`nHK8v5)8!fV;;=K03^FdODqVL_GVj|^t!s<_MG$yF3Ih2=Mb7pCg4L@7t ze$4%aS+mmQ9$}ghJ4sd|8`>Wdks@C z`hP9wL&6|2(BjxOb|3t9Io;B5fhoRLv$<4QAC`S&{RO{ua8>nmJ*;dQLs1z2uPyww 
z?>1k*WNZgrq5$7917lF=ANy_PGN-7EmJ|JZ9nZI@)u=3|wzz9Ndhrvs~zw344KE@LiSsB3M!Ds&35nz@! zA^Rz+8RsM@C=&Pmr7vKDz!^l-En+-oc{Ve7ws|SC6s~~0+df(Pzs9S-=Ca@A>l;_n zuC&$di)IJki6k-S4JYegn#oJ@0{<4oo&BGVE(4Eoknu!X4$v7aYZ{oePHz~P`RwmD zU=yN}0RD`AIU}%t{Qv2kN(_CQhtwChxAAG-G_BlpyBy5 z|8i$y%GsLWkAF{{Gz*bEC;m$%Bx!ihgCR%;BnhMjR`4GR$_tb<{|m`A&Z3%KP1=>~pswIjzM=ZR+?1QV4-W6!+m8Q( z0@-s(|ASUO&+6d@e<#RbpobgCEAn3k4SZr6<^M^o{msboNxqykw_BcB|8!kY#%~~c ztnb;(8IC>8`@hRy{Er%_^J*w;^JkUkL^rU50~BEH)F9Sjez$WWQaLEu<;#V648=!! zU|wNPnJ7gv4*dU15dZhNkB`@D92rne(nAV+;%3V|@J~lWM$-%9dz+>tyXRv5!)F8qWc(r@R0qJwYmOZn#39V(cM)K+mOpoU%=+yzY zq|c1Eh$6e`nidf9Kw_SrPv?17D@ZJz*N7+IqfNlY&alGi*0)}mFS1A7MmVFJ?;Gd;w%Z< zoQ46KGC6b@Opf+%lOvVy+W0_$Vb%Fg|L4=qYS9U#;55DR1Q)Fz1dP|6c1W%{uV49&u>u+0wkIAohF10B-r=kOiaIho#LFB5`-l!~K(8zxb z%G*mRe{+8I%lfHsTw%F2LI9Lx60OO35WsF~lmTEkAM(41lzdVp8I66$BY3B0VP=d? zTew!-0?w>cCBb-pYr&X{v;uNYOafH+NOdX-)r!6S(WeRC8n^3R;j}u<5&U6whH|#! zKn~-};v*wCiAPw{xlI0#`48pI5|H(Iz+5^}e{W z$5y;h7uEIEIC;LoqM>WZ7^{1&jaGiSo(}8q^eHd2PK0W~$X9$^@%l<@j)X#xujfa; zBXQl)SnA$l_tYUXSfYtqu;+ZEl?P_+W`;0y∾5(d+6uT95NslP>P_TCPVPQbExl zT5>Me!yPunUdzEWALH|RK2C8n>VESX$+889MCs|1OPy0Cu71yJ`2_@_J z3BzN?NepmOxr9zTk_PUW{h2~oTs5(jFR~;>{eSh%*oHubyt9P@EXKz`b&ciu3C8to z>mWsGaVbcmJ3DVftF@8#cCA4uNhd%>q8o7Uh&e098d1^z-8|kOd<)mXrZLd@_Jao> z-SBe6ak>MpelNXLw*nIl$V!HC3-P9yTWbWmEhPx7`oz24!S8^*De;`Dvm;*ob6ym; zCv;jX`$o2JCQc{60E(+N8qNYLj@zUTj6iuo@LiRW-_k6ojaR@px~a?fvTmyi3vz0)QkRo5)FRD$5~FHS&^W6c81ZN zEjdYtYBGhTH?lbMwEL|@{-Q=Psr{olGl>Zp-XhsC{b_i#MTg)W)R0hPG5!~q1KM0pN!n2w z`blx#=yDy9CIn@%lKh%rR|(pQ7W3airf2fc6C7=R_WrF!jL9li{jEN2a9QW#&xx}dCsr<>13{fyk?LDA_Il`h9n4#@ao4gte?Igo~Nk8Tz$k9_}SkCm_?doAbFB@ zT|pj#l`TazowZ{K@8PeqRN8FEk|YH>l8fVTP8^5~v64Oof^^pD`r9F+8w=?-b1P}8 z-GeW;8Yj`zk4-fpp@UN|98IB;E_=z-gOv17aHVG&me?W zS3yWl1~S}VxYFi=>5#p{ALJ^}G!k*xP`FM3Jys>HxLx}&sBmuu+gS>H#Y)g_l&ArZ zQ^u&o{1S$H&J9lrN@uTgd;|gVf!4*T%I&A{?yNbK3_?tHGlB1FO3q+*BT1Uz*P7MAVm zggJn>D0^n^F&`LwlG9RBxl?z^*d&LB(Rkh&Tw$k9r*^YX+V0bA>^&-xS{H>tGh87E 
zvI2t{G7erTxIXn({?yM8631B=uXHl&AO>X4!U7A%ybI4RDQ7~zJdVf<+Qph@*)8de zLciPtN6SZ9uootn=xIsiBNAMpPO4LwUP#FouhGTa_+o!qyra&@2Sb8Le>u~}Wj!WC z2)l7cCAMNF*BakHBd6$hS3$GmTky`jwQBH6Yr`$atEi;SCYeDh1Wd(6ZUcJ0c2}Xvh77rV(N}isy5l>MyGXLyIe0|N1Qm+W^)vv zu;Tz&jjt*9Y3oZcCbXOuHnKoVTvjtP4bP9Y%YweUoJix?c^r>TtXX-x;mBI+@uj+8$Ej({>3 z1fq<>VUXJN`9aup^<4MM>!_L4fKiSNkIt3eRGFr`dG^Llb01qL9El>hzWE#^6p!=0 z3OTO0jZ##zScGD}kX*Hc99{pCu)j%Sko(OJ`2~sD>vM-X@;QDjEW1y;XLn?W202|( zl)WPhDM{y*I2keW#?9y=&w`we+#ClIb!Kly3qyC{s&mAHZ3 z)&E{GHxlfvHmS_S#Z;Y&LS|y@7gpb>!`Ygu?;zeV75r56NzQ{o15U@QdCi{mDrpuq zrskcw`(!XJ>&_sR(JA_pgw-3*3+< zEA47+sG&OITK>!ThLB)-(%p6HOx7fNcr0=GVQ-Dxm?CVy@G>%PSM0QbS099$Pa)Uo zt8$Vj3AvST|1enbfbVVwU#^|mn%Z3q*Lp;fqu`p+PvIklCq%Y`T6?^|+c*t>EmOtB zSCv-aHT&9{QioVbz9dzCh6-RYH0cDB|SQ}lp=BVH^4h48s^ z(K$HC!og~1YBC*oX2QT{@I#twTf_CgWuL&+)iQx`ZS`CufXpsqc92{ z9|KqWCrlARlDKb{OWJ{I5F=%jqYNi=#`a25FON@V)%g;*I6ycd(#PXWX!B7~>H@-J zLDfqsVQO02$Mnn$$8vIuJ+*D0=HC*L>!3qNp<){aoI*Nw0>6zTW`=xMX3B$)S*~>n zhke%XHDRm{p7v|0)^5!YWwRUMZoe)mA>Mo9D~PAwGSE~xO#kR3Rklh7x6-3hPmG`|>N}hF|#j z^KuqzL6ry41JrF2X(|k5X(Xl^3}?;3g0}T{U>^|yTkm|0lY-SC79sF{CKKpQJ5S`8 z`#h1_Z)AGV(L&hbpH2;NNSb$^?Cj?zqrPD=;DYNeX~l5Z zjYz&k*_SsG1{6vLhhGT@^&xpn?aPt*78y$bSLFT;SKJ-I+vkcaqgaO!7k3$Q)$}=n zxA#S58lXU&p@&_PR=D$OaKIo=G9ve@g?DXIjdqRM0(K1gS`*|hv6Ks>uzq@}a z8kGatGaKg~gSZGm)y2h`_cqMO*10XpE!BwBs> z>+!KWZ6#h4{QGJ+ed>bBpf01XXYdNGqy3I7q{=4N<#{3U5$4p(kFk|*qqrA!Fn5W` zA}`vkmb(JNByn5(#s&c%aq4$52D9oHg>e!i3>pLHkF7|+(Wi|qSCc$&Z9DDMbyw|! 
zzAyKZP52lea`eLdm9t}QpX8jJuvOC=EA#%}r>$cy)^|kQ_7`qu@MJ9J@PoXkL|JaD z_{`v?M_$4PlevLDOS)OSHo9@=1$shmnPo8~4klRHBidZtRF`p={pC;w%pY6@`W1hJ zwIDty)4CS3UJc!vzT!v!vy~qiAm+k(=XN;Z^QoF!wMAu(m(qPWvsa35S*|xzF7cCF z&yEd+?axu*bFcCw$-WVL$sLggbr?QW)9tjfI9Al)N-C2@9wjcI$?lBlUY-j4xH5`5 zCMO)TdLc8WTw)N%-W&;E2b#7mWl1r=RENr%I6kEiat2vZ@^1ei~ViaU%y|lSibC z2_RmLp3(x0#!XnGf;OVl^D^a6belG|0f6kr|D2nd7(<^T;DawuF-X<_==LD7 z?X6GBs8q1*%$!UWIEqF-NR_;*s;#d% zhJFaDF$viyL`E&#L2YEGa*Pewl}yu`3_SykfUN*RPjhvEd~o>#gHeQxT_% zxpLr7r*^67bhP0ubu%9as7Q~f7pIe;!Te7`6_EA+2fBI=m0=hk6~T5eaX3YU z7bb0HJ&sfQJ_&BQa=oY(bxu=!b^b0oc(J6~z~~8=QOJNgR6^a9;{dMn5bA_sJZo0H#n`4^0@xc>hcx2`ntG@H)1;DKQXnH}ZB}U@gN$G4 zt3t{!W4jPIqhg>2nDf1lZC0n|>BgE%5uewPh`{r>?_*E_T#w~aqzJBsQ@#An_UoCS znH`jn^7>uBUUoOR3;xJyWNcaEQWKd@%#62rQ|oil7B6nOb4GRJ-aqS=vTmqA>_o?v zM+42Tct$qx15qkjnSCv1&mAt>d0aeTV8pB;j0qyZ{GV z2xYWE*_^rL1`=%Asyh0!^d9ybF?!iB?B&EppV@2sL5gk#?#5{B z7h`uPUvc6Vivl-;cfI!L(bk6{)$;n4iZ8LxOg9QWSOqeEQ?s}b_bgScCadqNvh>?4d-F!Xg3nCy#p_DkNYgUirI6h+er zl)j#uC9svlpm;GFke~P{Nam`ofc87={GIk6V~3pv0BLuYWvzb)`mJ+*;%P?+9Fh*> z-~gG6nJ>b4^#V8fv;G)+WOTtU9?h^AS+K7p9 zq|DWF@a#Yyn-mF)<v3loM=0Wr-Skq>EPZ;&X0P_g?E=R@_sRQd)@U!W7Q#S#)OpuJuqOpVuNhvZh2(Z+-LS985x%XOv`Mt<^d3a3bDCX zyWk1U@-aDFke$y(Aj|ZFJ~F-*BAIu5+@owY_V}aQV#*QMY(maT?w!Oq4cbaoCjOqN z+x-TmE$X0xlz+vw>;_-7_FA~mdm&{(=DvQ-?uJCJHDRjPH=VdM!;qWeCf^vJHFv;= zph>)rY~0?yry-@K?=>ZijM8mhlaKc;!YFy^>1YkAW>ubmfg zgGT~XMqJjxGi6$8#+Ef}O$1l81RS_R(WW4;>icUExjfUvMp3{(BE?()Lc{c*XE)UJ z3xVgkE*wc;jWCYdu(Xjsc^h~sOkR^nBi~vTJ2ffOWdP1Saf4(ZTlt){as$PGd#@cR z{v%m2$AaV)=QNQ8h8j{%`bqB#PB(i0I0o^7ZdR?-o(}q{zOo*y8Ui={>UrDqbJDar z-p$v>;35boI=OE@Md{fW&CD=-jxf%pgwzE&J2y6QH?L>t zsh1Ppb0*WmcURSY+Av$4!Hsf9idHEhd^eyb)!z@u91biG0M44X~l=thvOv(~KOiw!hEtv+NL* zPA2gXn|03y(l{O~ZhqAkk7YoX$)CCOmPTC_LeBfa_zJaXlRH9<&pKN42$Q1Foe=4L zdoJV;Abd!t>~F?=_e&UF4QvTJVtHdrF*a>O4_OF5TSyBt@Y-SO%uOh}d>+?hI>tnp zlUXyOWAhI}B{zsZwz}UHnXL@@1OYi2SuE}fUK!P?;O*e~6H*?Vx!qiTBvkKEjhU$I zef66U7!S(b8rpr-e;|C}Kqoi^WzyyHT@lIgK0UnE6K6jt1RwUwf#N4vNxKPZETn9= 
zv^L0g^X}0wLMac(kpo=5-cq0nChA^4nM5F7o@0ef(86`~uX~~1^-h&H3mz%B4BIW9 zQ<**#H4y{XHbX#n>U!-6@QR>MuNM(oZe@0;MvE_?ixw*J9hag9{4An!}xRd5RH z4<~mGTo4WD{Y*G{I8g*{CTQ7XPD(vazEF0YRNDzK4{j^YUE2Ba?u>WZwDoC%t><>E zk9t9nr=4P<|Gd3*a|7Yk$iAUlh+Sfi>DRmWJeTw5>GYPSC&z{~Lq)lSZ-N#s-xj%D zY?$b!yJClr2cyU_(#9)tu?z zx{Y%WX4dDek3#3(IaBBFKS3l|69wwmJEv7)+w=3dPVly|N3It}H)fY06ZZk3xbr0r zXGF~K>{{uit8J7w_ikS}z%?M&^`gmHk2tE!2Goqx_JPOhPmZeQCM^@uu^`XP2U^@z z*X&dTn)35pmFxZ}JMO?oD4V`D%coe~Uowk#-w&Lq1G%L6XQ5&F>*nr|!$4L?&stF| zTGApwpOhj|D=t^y_Me{aj@%7snSnp`3Eq|JO z&&qSje!s#p9bkgOMF6%b=SXt$=g$i;8h&`#-!fCk2*b@@w4qnm=Gj29>eFxvIdbNP z8>0){BX-CQWX1COo4*RBJD><)NjlTn7bADBy{?98Zf)y#71&F~E}se`(Vbwt-dJR7 zW;$Z`*^EY*F+GSv&>wGSeq>sCFO2u{So?ciju&89+HM){?Nq2gd!f+(1O1vTHoP?_ zp|)Abe>XWQ7bmzF7*ejs@JNmPt9O8aMYS zN5bv0>^%XcEB(7oJGl{Rq7V%!?n3{`n7-`ZVmDbyFu!Sal8;+Y^axUR2B7i%N4ChG1qjT^=gavxg(Ysf^F^Ul(9E6qfBCb;d3{<<#z3Ayu7sS|~X} zahDZ9eW~N`1*#HXWFR>Pu1t?HQ!5a+J~4csC8C*)SyPsLeLOpAkWZ|L?Tk4d0sfO% z{g<%YU0bq8qpAX*hmO1AiSrmb4Kr)CL|Jz_wByB(h`H=yLCA-Zy?d zC7zaw&ixh37o$SKq0V>n784jQ#phWQjC&P0QsO-jIOoK_gY4@onPX94`$ku0hp>;% zgc-Zil5_6FFWqk@w;Z~psMSS>Wy@>gRrcy*4#&gP2+IY00nGzq%yBMhn3r}@ne3

YB?k1TcZk zxM`WtiC6CFR9Fp}c^tFG1z`_?%LLE8B;4vB2sTV2kEmlVCK;Vqw9YKA2QQGqca<*B zzsznPuiv;KsCZTY`B>p*r2zTsP&6nJ^mvn!b3c(IS?LlyQ$iqD<_RH4# zASEPysrigT83{50S^_@|w+d?ASG6mjVZ3#`PnTI|#PkfM`DH^#{GiSD;o3r(ob93z_Qmco`WhyL#@0P_&`aiG#XmZHEv%NU8;H^t=BKhy6mQ!iLw3J0Rdh`o`sC?I3fZD{(UmM%@1aTd{$18)<6sYu@^^Qjs3}ECT-`;*Y zPiS;;yLFLZeYwfnJ#~pCws94i)Ir-2{cu^xzJhAuLpo_(CQ`(LF@UCRGF&FL4k^7n zwO%$B13v_J+gcOEbD=t-rmw)IDIsZ7dM?d)OOU>TlZvld!a}FJ65Y+^IS+;P&u!al zhuQY$JTrONa@5)8>fo-&|HIdt$3xwI|KskoNC`!Skd!Q;?7I*e8v9b#3NaXCO_rg} zQd!EHAwy#qvhSl(gcxQpWiU5lFxib|#_)TMy1To-pZDYUUymL&uj@M3S)S*4opUbN z8@9()*0xn*UL#okZ{0iagxpW1eXtPhZlP-u(6<)gbMowJOi|5V%Qh;sEDqrK19s_v z_fZBx$cgXygNO80AzbD*r@6%iv?le`A_(28PdhaoB@Q=dH3HoULUPRv{I%%Y5w!}rRJ%riE&p8O92MU`iv!ifsxA4gB}WL zj(3#hBjs5Qx(<90lO$Jf(l4;0Q%LC*(i(Bzg6~%!^+NxDw)7Wkp*Ty?VCcQT(^YFv zQ8t_wuL35@=}sy$osa(g+@kP{Wg{913CVpcI#+KMJY}&lT*y&U>DGY0XA8jima|*I zLHZB1XiK|o%|FL4JObJWb_u9m_FU{h#!eEjHTOwcW*_@wqn5P|r5tya0tSQrLoiVt zRWzG5>kI&M9@dBtZ_h7OW`&w?dwd&it9mQ$9LAMIfHj4o`%F~YyqlZeANOa50Z(J+ z?IKX1Cjw9o1_J(RffaT_mbzNWK7FJ?-KZ8AvF%Y&*L((h;r9I40U7}D7^Mdf6~^_? 
zO{RGnpWSbH=$84Zvy>c8qors`dMO0x`UPQ1I{D-_;ZywdeIq~0v7Mw8u!g%?%Dq` z_#1i8i(Y5Vt{u?ejM7#`({iUT0>OIs>#7qIebM3(78AQy#3f%e1v_KCJC!NOXnjM- zUQ2C`w=3@hVS~n-%>D%I_VjFHJR(My+mDF#3w2dqS+{`3f!s8mw_)^xq^>pMojAkXd zn~PJH$hn;H%f2|yHdGm_C-c)sKqJ5Vqus#&Uk~H56DXQfBvKH({RuOBKu446xWmC; z?X#ozuqd(YIwyS=AK%uV9UkAZbzdom_ouAS3z%|Wqo0VFFthN z0y1B~eeLo$Kb!BFbbmWf7nADEt`n3;;!BE}+jpwwYbsGBAhR#uZ+Sj!+Vgs|@Id0aqqD_{qyxu*m)`g9R&05d9Z?PG z?sRfoec)%TvK8rJCFo0j<-uMzacRdsZ|7AWK2Kw|IH0POD4_k5q5i4O%Rg$RV|9we z9~H3$ZgsrQ`rKPtR5Kjp<3A71*YhY-a?i<{J!f4SGwMr*^y%NVp|>3PLK*;cmWC&We=1XXr%4~ro}LX+)NO}4pr?1U7)ITKTW9k|z1hJ# z23v0mT?qIXnFjY;!SCg7(A;hpy@&iM!YGG(!;v@#-`+WPwon-8#h!vQS}8Rp@D2Kz z{^NhR8cZ+&KwoiLv-RryVSPB1wLLwmkFxH_NuLg!oDlE0^;Hwx=%hv8P?ylm&@0+-M<8q_VVy0~m`iEs(x zIFwJ^zuT(xulmW)1Iy;iJkBp}zfm>)_RxClVCcr@>D7{U{S#2f6U}A$s@t2TT0qGU|E6Ot7*!TkFTuUmK$`6BviyFr+us|6oWF$Mjm^k8}S98%YFMJYbD) zpRL6nNgb_)tsYpQ(XXS_P(_6dZcij)6T(DND7DvEk5)8$Dn6^Bg3qb<&; zLjwRZ(`Av-y=hmP7wg#ao4;of1edkU5zbeFTjdOgYSzZqpPAr)&XkaSf}K9=2qRb+ z2VB@*U=}ViIrhiO?(8@(L^BGis()3~J-n6>XV>f%V5O8xigBZA#6~70WGcUQ87xJE zFoyrAu07{2Cd1@_DDoNO#(zDJHL4yWL|(qy&bc3=GL_SEf+ZFhDDr#VvfJMS&-`Aw z0wbzgr*IWu;2n|tmCZvZe)j#e3p*CWIVLeq12=#s_{scjR2$|Q)y@If?8y^90gtiu z??T7>Qa5*78GzLGAl9VfA@5ugo{3j?C~9qTz09e|X(v%?2mShXr)mZJt`nv# zqY^As;ez2u450=2=pIsYjmV8{KkZLR>!vI(!*3CqaF#Tt_>nz8rcndHCv!4gZR#BuoHunYBmQc>E!9@_Jm7*fk z>nc-=_f`?WQJHNxm>_|Ao5M^2KV#nO-^G1Q_DsjBGMu@n_d7N5IiO8a>hyKo;TuVk z*LrV%*jsXB)~`CaL#tNPndCCawr^~+n8+;?(Ixk~bDdAbHlH;@@yxXR<{Iz?0rUTS zp<*GOqyyNHFT;keT?|>1Ys^yHfebJcJ;J9|zcU}Js`J+mRr-Y7b6PgIKMzUZV3|?+ zaJuBP4z|y0@{$(Cf!614laf;vrrX0q8Bn=_%!lHojT36D{dXY15R~FaRJ&In{&ons zL>@YbA?COqvEgS)oqRzwzA^Li!_a6R-`QEKjcqez)OtQpFv`z>RZN$G&PZqX>wUPI z%vHfQlg2w!%o3P}w9T5g#5P^^ET4;7&${?hvOApiKR^6Y;bfFb&EoZdA87VYtCWL9 z>-ar}#N(x@RcvX|qZdyp3~A?)mLzJuDz-uUQ9X^`AEPx(O;q;tC1?BH{aWSh&NoPG z$;)xN_H%H{g#3pSWw@oOc^2K5D{U=uk-V-K8k$5S2C~n zenKb*cMYiZORviJ{B0ai3}MpnVO>g&YYtw`$u{b_dZ#+AQ=$813dEi+U_?x&#PASO z>0~xNLR_3K!L(6RA3WxE_|>uF=sP^+cS_wgA@s)E4}0vqiJ6Ad_3IZp6ahxdPoA~) 
z^(|CE4zQVIdEJ|c4-_~-bQx8+?BJT1w@A;`0A@L5{ULMlx4ocSiTbyaW0Q^^cLR-u zyUR}^_gVKIrHZ`Uw+`WLw^uVl4!{LXhTvUVd)WKy>(rDm-%C-fh&YPMIcOBRD=9?5vvNb%*S zx~|$M9CR0Q9~I+=@{MhODFE|IKJO={L;xy#o_S}}|HfD}O6`{Uy>0gqQ}@6+Nuom0 z2h)n6)_9Ql#&+Jo-){ggpjH>YOLqO+D`>8zG=h9sBoi0_dj%4V-De&ROqsdRX!tG3 z|9mCa+7hOewc997Kge=G^a8)%JvETt30{kh%v_#VH=qe=9oY{~if0Uo%?-1QRSElefxOWYyR``9SRuXm$s(U+|c}3^1t4Iv2s084tnhh#orY@28bXzGOIt zh7$@Zyg$hqyd1QQDAO$2?^+E4%DU(wzfmDmFH7jbG+xh6&BVNQbD*bx8{4~*FV~DL zL2Ym8pSTS;<~tGWDj0;7m|Xa3W7-vw5REH!o-em#&*_;esap)%Pq@{7z?|ux{^Fik zkq1e5I-D!*l9qM%!rh)c{?xSOF@-pI-+>;mYFrN7=H9b|DnY=+t>Owln@-iIx(0{X zpNcmf54BBM-fuM4%@JIJhGPMvf>cWtgMrGsdEzd=`MY29vqd(i1#2cy#H?rajVla< zDh_>Xd6(<>wbQ`NrQ)q5gBw#WZrcS&L9k1tMcsw?t*}n;=i8UkI^VPo9a~GJIz2Snzr8Y3^x-D@3CDTH z0ueu8Mwx~CTREi2`=5d=f1Ua)(EPzv^lvw@d2FU?HT2HLN>RTtZmSTfXZ4qV+g>(( z({pJ$+1e}T?TlH$Qan1XT&3i7*{5IXDx6m5+{!;-gc#zhY+Ov-qjiXFv z|My!{3p2Ov$KrlbA$4dNpKh3(r9+~-4R_cPh@PuedPFja6vq<@%0ngHi4jT5TKn&&50oQqNxu4&h!~C*YTJAQcyXnvbQ6yZycGS;W=GBP*iADKNvt zmdFb2qdSV7wZ?#-6JzM5DRRaB*l$d<+vP4Iu+Nw^H792$$Nk1hGli;9XRpre*H7{W4*`w+H3ThlW~k!|icz7X7Zus^EscxLpg5ha#kSp2*1S z6pqX{8QUm!>`nfX)L;J9)ssx9vKpIKCYObGGg0WR-h+pGa<=nIUuON;vN^2>??Elv zU1L3yz*Xvmzx*m-*iq;1VNiCogLxYK+S3pCOp8Y)#%6q!pv9B8-|+co&=T*JEx2$G z!ImQ7iIoe#CCVN5#zt0F@HU95EZOuh@;amEK=RvLr@`7-0H0Tx>LQ6;2u(=dZHEZL zG8EOR>DpC`8e!FpI*Y9#U=~x{>x@Qwk0nNf@f$kcFD+RNAr!l>Zw-neU_a*sD9x+d&(>y*WttsYy z(GbxEs;r9M51ucKrDlZw&p@VNiR^eN3W8P+2Hgo$X?d$|=Xy6#(G4g?_5Zf2oTnBz zMvy)2d@92HN74($Pen;BG>wjpD=VzT{IjUal1@K#%8cq8O%b;M6Qq9Xt0>(M8$cL> zS-j=VT5-hIt6$r;`7F$*C4A#5r$Bre{#M9fwepi?WGoC;{4~@^mwJS343rnE{NV{M z5pVzq=rf_Nze(Gip(pf4i^pb~3C4ajARl0Rcn~3#KCfRv(*ACmqGfR<8z`=+_|Eo4 z?wih6VD20-Zfd~tSe4kVhgJtDLH^%@t}EnVyZ7I6I}6zx$DY-8Zcblb{qXBh{xdlS zVUE373@Y-#ZtokzT>`ytFSBMU3h(ELXlL{SEpm_w$X3F9%{r@&(#|kzmF*ZQYu!>r z5P+0H4;hehWm?=^pRRJNBuOsW=9N(L!~Bb)xPX*^CS1;9^?wl9ZhQNEpd}knS{2>c zQ|eCI`}6d~VuSTVcqT3ZCaz`aR^hG=tRFDSg1Th~)m^S#-};`^R7uB}%2+pR!fa9I zt(>7*=KE(O$kZCS2(5=}lls097_DXVS}I;T=e=!=-qM< 
zJ}(!}W#tlarIpL8t2VbI{q+qk%adl@X{;VY-`Q>_IR-B*?`Qt`QG7vwnnfBypmc$N zcav{Ax|b2rk74gfWM9TMYmB`8!4q!tLpoW!U8RAs15h$L<1d6_|0>{@nSE z5siN%Xfl6Dd(+}0Q}WOIt7oeGO~!!V4ca>Gz{>fw^1Ordn#3!2z}4#DPD- ztNVLq765;MMloIv**Qh6?hOf<2s1ZvDg^PvC=?Xf!fswy3Ntjnr(gf2Yw={l!=ks% zpX~=&EK7#Ky+yT5NuV4Tm=t`BKYQs3`B3bcKjszXKv}ypn)F=ij5aQCfka+k(;u0WV)lRe zApnq?wyYIxS-Ad#Yw>_rJ$rT#RA4R6PZO+v?q@Jakz}hJy!`_yve-D-wBD|*-j_wnM}$*N~oCxR6Npl zJMH@D$HV&mV6y#2(05Hki)%q;K$``F?~v-kH{8lj)Qn2ZB&Avdx=j$pdWfzlx?{g< zN&x>3!}s%8VMu|^PpH20UYpLV>%^V+mkD)Mek5c&ZMCbM-8fy?q=$y~g(HkeveP{aaC&vF{BGqa3ZulmxG56qEb+@Q=f_@nN>N(>f> zhp|tR^9w((x`7x$)>Bn)bDjmRo{Qdf^9^VeRJu>`?S>XO_1<|;hbVJK9#-DUvhf5kJ2~wywlO#9!P5c7|I$U)YF04 z+<>ChL3fxsE}t4uy5Qs$%q&hmxr%t>X!ATGGCk`+X6-UZto!0Zb;>!hALk#L`-&0kH9fAdUdlJyxN$*l6szpzJ2OTCAjbxKk{>Q)Bd?K zj0;y>UMFk%hZSqQb6uvz_o+wT>cHm5*tl?NPYqa!jtoed<&oiMRW}Z1cI^``9mD)g4Lrg)nownmSU}R@o+q(`I$@vvUcfL%Q z!Fuw;IwP!0R;k+P-RgCgd3gr%t_ zz1Ia`xaY?XZfl1DN5?LmZJ=fb9Ggks!{|iQOVkX4^W6> zFkGSNnkH@ib6jgp2|5gkdjo1jS7?ia;~~N&XMwr7w**V_S9H4I&zwg>~V-BaSZoWl@YR)hB#tZuC-sWP(q%|qYF#Sd#MrUV>wwiQ( zVd<9PI~Rh1_9G4(mK2AdQ^i;G$X0h%$)WoAV(#3JBz#t3ujZe_>kR<8({WGt9TkT; z!eP^v?nU*L_Lsn*0HFJGKtfFuSNd&ntD3BqG++&!{kDo&v0A$(n3d=>yE0Gp6lS6a z=>xN2PaHQ>o(raXybjQ1E(Xc=b-7)?dXCv{PUa&tP5Y!|B4-(e(iow9{M5IqV4G46 znbB@L>+os!#P}|eF(61VySGgl^3}V9A z!QrZR51sP&{3S!Iwz#d=`=lODRrU{@(RVW=Zsny!kt+9HKYlNQRuMK9;7Xo3i7ge| zQEB+cy)!`6H`axZJqUqLu1Fi1oQlH*w^(D({`Aohs}1GHdimEbHx`f9p6fW=S*5xJ z4eoeT`0^+NUvbSu75z5;mHwE|PlXHK8l6+sg7@eY($6h625TB~yUWlwM;=?#CM< z+KY&-PRTzuxIcfZfDGi=J3@q#HNqtiVZ_LMahDG>W4+<3`mHO3JtN+ZD$?+l9Qp>O z0pKTpjaz4kgAL3R+p3-4yHySh>`(j^MOa#^nnVVw#DN4hrss`9N8WU2a7`M|(;I=a z=?T|N_zvC_aeuKQ6@L&>Wo&y~19$jXl}Z6-!csLCXGvqt3IzN1?hWH;zF88 z!~)2Mt;ao)(E_sqFjg^9k4?l4(;f`uq)oddaSh!|tM@|5uU203rwep`;4g8apWUYq z!StGjWIpfYqt&P#j@A}ys(^mG6hY37u(&%s_W2SKqrHbv6AlHmp$M=jKpUhf=5DjJ zNc;=QN^g7=A`DJ;#Ti9nm%S~ri7;!Rrt_a+w*GZb)sCH!3)h~!RMWJ}NXbkXRJayr z`9~mi5PfL_B57iocLl!MuTj+^_hp-<2=Qc=QI(;{>`p`$C~(1P7s7{Di1jD*;JoW| 
z&_ShLK4MKbKE$=Jr&&cT818O1uU;d4bFP*Ilt`RpKd5Elz_!J9Gp6gbI)wO2Hls|7tx{:N zEg_b}im$%di6n+OzkUTg3=lvMYy9(2Te(NyYk1080*N&$IVT5_TLEPMgwD?R*PTw! z!HvI?|HL2PPD4m>V0rl;H*V*h)xoCBsNwEvoA;M30Ifo7@t5Kc8eFvmQi+WmkG@h> z5I+A^@z`>n{)L&BMHzZ`0sM`q;>{Qk0sFy?E~3pRJ+APEHJeV>A|oAP7MpYVV|YHx zFxricfa2%G_KRCo%gzOfLoHs(%QW6d$M9j5b@{%UN=)2ZhTO5{m;~)~lQ8EOnaa7u zL_M>#4-{^Jj%Yj!$DubsX%i)cTgY<5PLSWp=6TX;aO>h}h>d1q#7%`yS;QJKC>?_P zsrl-f2KZ>|^wy$KViK3xH_CSmtVQ}zWrCjBCb?&!w)l4_0+Jo$u@TITTRkGKAW}omT=r1c)~Q*GYwSyo_K?A0Kj zU^Fdr0ga*0k-mkLRIl4$f(N%lbK>Wf$vePb5J#xnYn4`=SnXAzDTIOmJt>X@1nVPl z>hkUzpM*=O#V0I(&XcRd`?9X!Na{hfZ8%XR8EKzuLInRcGi7OK+&1-KC#7mEInH@W z4yLLuW$XydOmj@V3!g+-cn#%|o~5i*CmO|*(gx(mIPd$={T;m$s5S#=b?r;)$ZCiA zH1`rvBI`|UH?zO0y2P34LIZ{t$1+Yn{4ydpEEZt}*_g-@ABfFXf~T{dp9qWmI=SJ4 zTWuC?_R0-vfG15&>Xig>>Cdd$Bl7%2Pu!f+?)7)H(QhG>{E4hGe%&2rEC{IuTV0h4 zc$IB+`}{PHD&W-vT!F`>=1<5n5;m2y&4Lz#e;!xTR$g^86f+(wotUl<&(mP;7r{k8 z^@3i@y&!o-@O8SvIqrnwvBXl;#gW?il>%XUMx02WN@gik^jhFzrb77eB32D7IFw_6 zOrE4qJ1S;0ISQus`{ZJdE!W6*gQe+YBu?+)>RsH#vOmJ2y)P%h>vJ9{vxn>-Jg-)% z0*plfQ5Ejbps|y~ZpA*qD+L@oWOzOaHtZm^cOZx~$&Z~qb$1bX z!uPsUfdNay;c;4}e?VNwcTkbLYbnUbtvddCer_D(DZSR6YBTAco7&Nh(trs#fq(=? z$r)kR%xf-Yc&IO`fWubnUXiw!e7J8dQw&)=2CrhH!Pc1@hWGEbeqK7));lbmnKPyQ zW!+Z;UFVQ7-{&~9=%e{-`Fd7Ehu_*b5E6ZMu!PTGV`O8%8>u#IP-ydR7ZB!XM%Cue3THjeww$QMsK9aDBN_i_A>V6YFvG$ID(wy>Ks zYQ?bIg0K7J`tNnU*T8)G;3ZV>q4l2BRWPn;Sd=B=5hB%mr8;iUtX=eUfFFUPxW#?1 zeZ>feB_&>m>XSdhA)9h1DQf{oAi+{<=l9z0U!p4?cZyAAr5loHXlihP(*v6kC>mi3cEOPW8VGUhTsj@}Y9D^l`Q)l8e*P>d0-&Rs$4L zZrS@FCV5C7`0z39L{_Fq4xQVlnav|JHFJ<9YCo`bz7zr-?Ct$MNzO9{DY9@I+J z3Js4l9T5lDUNgjyEad6(%ethxF9X)#l~75(mhaCIjp}?}if}sM$#ONAFPzZ!|F{Hf z*NeI(&VvlU8}px?<_H#LMygZqG20-!VZrJxL+A zM#io!)kg;3Jk7)Gn|)pLs*#_c@ox(M`;~k>(;Mm`;ys!Q5VOCov4F*yPHG?4vN2~X zJb7hy4eV22IB+SaJ;x~qgMK&PcA19;Vi^)yqQ6f^nH$zllZ#>eUn$ggO-liv!tSc? z0L;Wn6bHYLT0PoZ@YfICuc^N`In;bUwaiH1@<)ywU3nF;FxeZmxWY^BAX-fAa$os? 
zQp!0V9rYis`292eLItytiQ70HcJky zw`F3kWqae~gWQ@zC<*<(%;`zjgf}JTQuE-~5j4g{c<;z#YD}H&tY0|rhE&(1|5p}w zh4!ky2}bKQO=hNB^3LVJq!w^*8MQex^`d|>x?Vfo1JdpV7hs~54gf#!e}xJB0KY!m zaP$1=+K=M$C(Z#98tUm+*v_SS*g+5^puAFYU&-3QdU{{9AE5id4A3(@T7aL~61t*) z%D7Z|_#e&9vS-n1w?t*u$QQrn@QHF?MA6b9Gw^ZFeH!I&I?`U|G zAtAkCDN4{wfLol@ijGstv~#SBmn&ovc`U+xxsl_c5lT-d*{ct4O;mYKpn`?}n)asc z&3>Gf4s^cOGPoMRtZsfu6YtVB0X z#>R^5Hd3d43crzgQ?pUQ{GgU%wuZ2m;vnCT^T5w2ivrL5`20D{U^ZwUlTNe{%lIkD zh^!-;^qBaQ&-2KWHQC-W8iH3^V28B1MK%11=e?4Ex9n(+VZ@!)zTs`(?T>^^xV!+d zrq|*Dq#-UWuKn`vB4n+N=an|G-^Mb%JWkT}iL{15_q0mcAC~m6cB1lT|Ll59pu-j- zzUT>e?buvscSItw9{Q@1?tz&4G>IBr;4jmx=OlsT(Q-Q!#~u0j_Ml}7ak(Kdq-Ew( zaI=*Ax4MxO$pIBcJox+T=_?0TfH#CFtA0q@@T{ZKVM8=J6y3Bo_#-yaQ)MB zagf}^Oe~mYAwHQF8>!U4nOlM^yCCYAoh4d0ZG!bUw_31ZF6hH?)0Tix zqmFc+k}H}b>mpEx%HZWp1fp)t-?sy{JlW=!hYu!s>)qs>qk;_ zRp$m|KeW5)c&-K!I3y;+BYjbe9}Y=pXwZIC<~we7T93csMubhY#p2k*H(K)rXFI4PWFaX_0Whr+XLH%;pr*Ls^=7HN?HO59E<+rLzK$Ahm zc^L>x)wSv&OqvfBoAX-|w5;Y943`>arcJaA3LW)TbZs|Z#!TAASq65XfP)MaeiW1;7PLiiZ9I=T#E{)gs6nuCU&CU z0|QHhbA8!l`F0|64d7^q7sD+~-0lzxwjREm;AJtX4a4ACZ1jaAhm-nPUPJFG%fr=P zcj9Vd)vy&dZM5D6DjsKmN`IVgI~1>{oeR#d;yEX0j2n@|-Gzq|9F8fz$3~`YD}Zqt z@vnf>l`CwE`gNLasR1nBo3mAaeFWJGi3*fOv1suhPx0cOeD05zH6CB{eUO7LL~2Co zj=9-sy3QQ8^r6j!9>_=Qrg)wM#>h3Ue(B1W=}AA-Px7LsnL~s-XE%)zsiRL}wu$cQ zGUT{K>7b$6^|!G?!7Vcwh*NQY&QsKul&#vxiP{EP5iIgN3A@kfq;MikyavWmi?(c z{TnszhqX9J(?Z%Nn#MU?-YQBLB69ldPR~GwQqal^u#N~Ue2pU9u z0&t7B4ubDjl1e%CI`AA@yCGYe846UOl^b-fsoPEmgsYYJGY|?b)O!AUvwmWEDM$F# zaGkGCc9+MQ(9oGVW=dsVVZHZ{3!Bu=SC3}q&fy5IZ7coV)-z;%yjF1B<}mi|R^>Im znq0Dz7+|NnICoB)WypBnL)N2nHLeen`h%BloKsqs-!^skP@BW$?K)4tl}sZJA z-401Z0Aea?J6}6j2~i)wm{nh=$PPNeIkmbvp*z<8mlO&CMSxx2e8x^yE}0P(_Ch>P^h!*^ZB52HL+Oisy(=9c@(#s`3?3Wr3kAuIp!S{<$L5qu{`;V)N zDgEF37LM=?JjVtrKpj58=4gBi5(`S332Pw)6<3@=w`97PW?)mjx9oscLHr1gyCE+; zs^!}PGuEMljAa9YSA)Omo1^VD%pjYc~HnN2eoN6Rp!IGOYJJ(Smr~E4V5_Ti4iDv7o2s z#i65k;S5${WGzI;ur1P5YB*-a3al(&eD{Y(H8OEBD&2nM{9cNz78ZuFJ&>j>A5MVg z`3e>I7tH)EKT?Z+vJgbIC%4gUx(!nU3ufumHFFvI6#DE>U5c7E)h`P0n*V4cRy(ki 
z;Wg^fY&T~|ck~_oJhT?^$S%=Vx`8-A)$( zSMyTym*v&HNc1pMz8qisU6!DC3(|1Gly%JM(P@1ML16QH%ct&$qq+Di;bkz&i6xe| zSP$O|fRlMj%0lXMV~%CdXc&hY(KcO`v3)^9r9E2UXW$VmrJU;*u)Tj*d5xn#`)1Rp zM1N*6{-7#};eIuq)b*=xG7zbRaQ6m&dNC2VNkCZ4Oz(**sgF#H4R0+^-yd9`W$qp< zHQg`Q-8E7K`m1nivOly0h4dr7UT>(M6Zc=eiw)p*7C#Ht>8o=j&*gR5mgU=mCiOVo z1catp3(L~?CiQ_%B^}K8$YvB)huNJ>3DC!^yThgaGc~{ucQqppTa|baC97snK8|)QhvZP=wjy0*UI$SMq)8 zhUfl|d1-NQ!lfUpGiO!gJ`?;gp;a4(@-NQQ$QzpqZtQ^448YzMDo1ibl2WN)YtyCN=1Rs-A1f&gk3W zQv6LZGb9br|Lan~@ix9bZ6{RkKRss~1B#ztyvkX4dQ_`{R|W!5lo=scl4|GlUTlN; z)Eq=Uv55gruN|{-36T;PjrGZ=0S{dHf$NkxknA~53(JT)pDd?747R z>kjzHo_$DF8FdVNZrYLPW!4}zIaP+SltwxnQgQXe4<-DQax(B_VJ@FCfE_~9bMM)z zDc&=1M?bt26$M43FWDm20@`%u$`WwlrC#vj*LJcs6@>)(h zR$ckR9Ju}NO@k?W{zwh4O8V8lvmLo3Ru4r6R9@|xbuEPT7b|nYB&&maK5rhV5F&mB ze0kA84TjIe-2`Bv(aG72pl3j=5a)T4JnIyPiyx5dZQVZlum%(w4&-5P6u<7K+}C}h zHAGnZ{N9J0xb0NLzO-ou|2$_s7Uo6eSPec52d8via&)xE3_!d1Y0A2P5VL0H#3Ey0 zRq=A2YEC)+jV%dbc~?)pNG^iU4>@?6b@=C4m4YT)An5?cYEq(Khfkx8hoj#M+%+#7 zsf91{De`73AJii0GFBrB40r*cxQovhA(eMuz2WaQ{t2ZF0Zwse>owzw;A^BgkZ3squ@U$_)s3rXioV8Zv+UzH&2BX{2Z@ zXVX2iL=Q5v@b!|42Yo$q@^16~XeXs0mf+3VS0~Es8m-%ITx_AnL{k7n`9)CM|Nhc{ z*qli$PFnqpab{DPP!C`F$%m)MmsA2+iWXO}veL*-C72YzDft}v#rwUx_vcXpykAyZ zt)&yoLtr05(<1#OdjDs$Sk{3#GYSmZR~&uM@Fy4cUk-@Dg#kag%X10jWin5bmM3E{ zV`P-qKoOy=Z6?|<1*j|wXX*Q^?GgFV+Jk=*t`piOS27;$vRt%ug@XBe^bR)pB)MP% z956hQ4Jrq*&-@nEF7m$w+AH-q3!wORxvll}@1a!|g$Hx*BqOYSdhcab>bI4uS9MMORbLmeGHCf*sT0eR zY!q0-EBh4=+EoT>_w7%yg}-M#cMCTFx@gGi5{1OY-fCCT+5E7;(UU5$4waYsJ@UW zPz?G9%k@jH`A4)Cf@eR4^tcnxyJRSyD8SHHKWE=7)|8L!UwqO~_}yiEZe!SO`D(sh zVy7??YrB}+)o`hrHzGM^5nE%f4j=F~;5GR+p(5Bf$!W%GS*=p)oMYwn>#G36{U1W` z{#_rItjni&we<^VUkvLR`VY>1&mmb)qN4(4IjZ(CJ`Y`Ag{i1FS39@|r>o0{+O1eq z2g6i>%e)xK=GS{RU`-&M_*x}McO0L)cO^MqNFW?I%{A;)O6tUpq}pS^cWvtYFLu$- zoBL>{rtw)K_8=!!GEYbD!jn>+3uKV8xP)i=idni-)=EBBr0gCuQ1u;U1J zCUmq{FL4mu3brd{JxmFcxEA;RmKwViX(VVmW0vz|aX`;hKBn@8KpH1ZHqQkYP@?bY zS>QUJK|K29K}g3*guw5$Up>o{zP}KCJXE9ceWHf7LBmvtvLn7;#4>f~L{-Mxq=(|G 
zQfRP6N`5}7YWyyCB0)m|O6)GZREAH<)mTscUq;Q~#ByrRleCP*JT0#0zP%WxYA=*J z*ykVar@@xTm7?+%8yaB>xnD%#)`pDE5|%q;uP|(IRdE&vvC+ddE!el`UN-C^JuHE) zc-N9SR-G#^&G=o`EaO8l%xisQAx*~=>2ahFM(Ej`Yr?Md35)t-vVB+(Mk_1+&hw|9 zb;XMbO*cg^7)vyiqr&|thNSw|FwFYG3~;k1AF81a-5XSomE7-F9TMQ_Zk7?>uOI@AuN2U0oNOS?1a3*t!Cr^c*a-bmYO3+ zarjGYS~ybwN2uuiwbj+No79n8`8u$&2~Ms{y>{Iaj}e&y>6N*Y?LUK7KDRYqFSyG} z{v>+)j(NCcaUw6-R1WQx6K3SmkRRd4VdRwM04n(2}5?O!W57 zm?v$>OJ!W*RpyA18~Sg_LJZLO#fTuQ+o68T;B7 z%iHTM;V!W&$UnH!oV+8UEw&1-R)EvN3 zNMJfg@Vj3a;L9colTeq6dJAz&5lGFyrAeoj?fJ1Hl1<7La>H}77tc*^sR@>hMdrX@ zQ|r=^uM6u<{M5}(XD|a2OWF}8NdzAl`>*5!Cx}*h> zDObJf=Xv3c$0BIk3NAA^PKYD_xIXSPxo!M}@SgCmmeaDcXdic4GHC$a{PB~5$vgVr zkJ!E5G)iQhU>zhbr_>JDWQHvqt@EJyAXVb*{w_W3umbk7kJ#zuFD;X?Pq%QtI5SMf zejTVTaM4^Vk1xp|3E!a?L#VY~^2e3}o_qO;|9L&)K6_a<@+r_g=%zbju`F}xvM;Jb z3xH9RrzJ)!IvBo|wKIX!Vd!pAe%T)ES*9)le9+%Bu=}+15r|uQdL(@{rQ+E%Hw#)s5xYg!Vf!CpSGbgyy9F?e2ysk=mnC3yJbdcLJ4*{*h? zsbJP6b+V?A;xrPw;ztt&r`pF$Y!e>@{i`zbqB$BN9aiE>#^K?U$=2iJwPX8}5rzUh z;{mn%NbVx_TDi~d$$5lM`Sh3?GQ5uGZzzP1v)k{OL3ljga>Zb*1z*BBSj&pXZ~H^d zAW2z0ruOI2QgYp-MU9Q%k$}Tdk^j-0T+&mecTe*kWNVx3(<6I}ZB8|&+8($i)Q^>u z6y!55o*@ZY2X_gDI}!d$3tPMNabm&OZq#9Dc-a>se1w)3ndM7yAo?tyi%(h!dQQ6o z4{cE!>DGyV?Y&rd*@Cd7;e_*R-rn3C_sjS1X`h@}EzeNf3ty&27#g>%M#og%bfEAA zHu44pY=`ToMh;#wgwIR=#3g|`+3VlBsxR@jc4ye(+Uss4jXu1l6iOUiT@pPK`?mp} z5?u;KnG9dSg~im2y;G;Fa-lsC`VsYddXY?!JkMoYa9G9FQzbZ~N!wB7^a)j(NB~SHjLXkD{g@fG% z*Afj>GL|*`V`eI)o4|DPL?F{3r7mYjM7}z-v0!7)=ZEWIEq=RFG!*$bD-7w2QF}tT z-l7P?nc=L3mwRCJmvME^rnJF|27bbtzFqOa9rW}k3H*HXZ%W+t$8GAq$7bftFdh#H zN>D8$8q2ywkIJwXV;o8?zw$4!ppG8-hP(5kZx#B!7WV!GbFd($hVzVc@c*tPUeGj6)HSH#U%#o^{n^m`J9bp9Fn-btk+Y`>DZUa2F0 zaj|?1ayq8-91(mr;mbbl!S~P8)n*?3z`f8%gN;)~ESo;vG?L7RD>E79d!!$!R8!~A z<*rQ>NL?+5(7f*Eu9UZ2dY2Ri<-ZCT&miK-(==BdAFpr#;oZ#fC*E9EWHhaoE`+XHyyrr!C1uwGj`-=8L?Wl3=QD2l890Q++ zgp~74uJmd`Znls_Pg}pwPB8l%9?DwF3k4&N5U(2(>E{oJIJL*Z}PHVDLqEZ z0r2+zZfuZ3stXDIeW^mxo)UA?)W zJa6g2B(m$e(5Ir&?(wNns0eW1;fhaWm(<6flXs5dkjJVsM0`{dHWz>upH_H_u{GnL 
zIVx>8bU!*Pd+`1R%Pe>sw)6*30q({Z5(=H=^LXRAz1K*1beP^b516iUf`)cc0|McC z>a0oF6}xZC;is|tA6i#FI$?G9X2?FBUsD*mmUO4gz0p`sp(f3m za#{<=FQJ2>%q%Ikcgx8cTRRQ8*SH{}>3bI3B`td>G2J=2&88-B(|}zYclX>D8|e^4 z+ezlSOAb=`6>XRW`0c83FMEC2O0UB__`Htn$!0Kb4Mv}ybPjcbPX^A0Gc7S@fGEq% zp(g}$E=z9@>sdJPc)%!imO!YApHZ~IlB}-BwKO8a7X}wszG7Nhef;KRFRl6I{kYz= z1DlS$6b^V=FG_ijppuNU3LoNcpOXr|zU4yeIJ>e*pp=5W!%Clui()!*n*q7MyZh?R z(aQE1K5pZIs0%2bEz*rb8=D#Kb{}#UbN6(b+L*dE@%rv6i{>zMs~WPbl``42A-VAexEeLf?4EZK6lMoKpE6+S z!^Pll@U^*P?6m`Z#Vpsu{x*PM@GsUD-4dOT^Ng6bRXJa6Ua3OF=e8C%kKHh?)n*wn z+{nvll%)lF24NFLBhLYm(YbD$9bpUN-_X&n_u|#<;b*u!ms!jTPG+mz(4zvo@9 zIH|~$6feD#GXnqm*62muxeCWUW2k7md4_n&49r@0=an3#;kIbW1t6z@$%?r;ay|+Z~g>@2}9v5?1eV^`=se_fVzQ zU|2XhGXhn0Vo0t7!w3xHU688X$*EAHux?)dXr3Zc18YJtY2qwr2ig_!wsDcVNOEGfHW<)37iiGI!PBaOM8 z#N3?oV@px;ZRie-9=4V8>T*NxK9)7+vDQpHl^!O0eM^2>Ls!wN{smNf6y+ogHA>7` z^=*6*`Fg4`7x(yAlno#`zr##DjGdp$cjuCe zpChoVA1n9PQOGM1Y_Bp;wY)UH7FQ>Pj5o__P`=viWoX+bp4S$PWxjIfOX(4s#0 zU3m}xqmFZ`RQTLt0OgbI#r%s>QokhxdDrd@ZjS^xMqoi8(8O(5=ca_$oFyfEGWj9M zB!*`I1ZYhvp52T(r(K?K)$!UL7Q)% zcD^~Y)-mK9ehusaa>-1g>UdvRsXZ@fQGfJ094skZ=?}z1sitR_GP-iqbe$53+q;G3 ztUULnEjrvVAM+D?th!YgE+Et!lffPi-2Mkdlg}BPF1UJ_K}}xAacjntyUg)GHOc`5 zS+*5y+wU-mo&c0eO-O1AJ`Mc3mUk;}ve zp1jdu5X?$O0!Z;}DzemK%d2ppI(CUyLNjhjn)#3HY!DiC587B9Rqf$#k(S<}Ozr%c!K>as0w!AG-?Z7aY`I2)qtW%``2&T8McRW(p|2F?7 zEnTSV?ECvPmKxS&=FJ_VQ_P=QrVftC2Z>jGt49Z-HtXdhNBx7W!pOVImj{~H=eL9G zPP&uyKR-s7A%;giG`X8WmTlio7bKU8iy+m)0@n~OFu;AY}x&VIknf(7&!Yt!xL4*CShs)}FB&yT}5nDb9a?Cds?7!F270*?u~@!`oNDH|Pv+ zGlBK$cvQ32iNwY2P%?I~Fyp49%l*82c70W~R8+J6EO^SCm)7%E_!}?ikX1b&YPq^f zxlZRGB__&ravSa7NKE%x0Vl_n(?-L~%a&B-XRVGr>w|SJK0)H3({tJGpC1Fbw9;** z)a@s?9pqUrL_38b0WMSm<4D|o=uV_@@sOVpMP~!1JSh|#u=rYCTgU&6SistYO2$`* z%0S!gj9veH*)6+@p-HrBtK#F}11g|vxz>4tQJ_)Qvk^Hus}86Oy2Q@~fnZ;)mWqva zGoXoIs8GLeVS}5lXdt=0lKWMr{l7?3uJu&W+6mO^ogH?NQob>CXB!i4Se$EEyj3-JPe3HbL`=nLScm*up>r*b~L8{&VHmfv8xC{&4o zk?y4K|E3@4MbZR~kd&xvle(R*$Mz}It{eXA1jFbU>4Ex}^3vZmDT9)QGWo${YCHcl 
z6d@UU`&9J6KcEeEP(g&6{M+_O{U7<7CR);PTh-#ljoGXJo0-cNTm{r~?Tl(j*4hC-D;sr@w9 z)td~;nFk8|Ap2$5V)v4ZV@3xlh5Y!PEcLzMhc(6JNugSTdYnErTD>*qA;0?%!wszj06hXE7^q z`FYz)r-TTN0791>`pf2C38MpZW5aKX+RZE2qvA39^Lq6^=>48e%N4>sLH{RiNSe_#{o=nifEc^(7vucAj61i8#~LA*abD#-lPZ>4)I@L&Hx^&8PBVe+k|&*w0l z_n4(WM}h|fd*0}ax~Y~aORsqx%nQ@<23;rGxApP%(sU8+NupCex>*RAnZ>(*?<`cm zvpbQWcfx502zMiSyg!>VsNl~(vjtgqwWgCq7vPWwW&Scu)$q*ET>$0~;T7B)(jIpi zoxo2+IDuFDiuvdH04~NlZrSe*KH^E730xTAxQ;lK_A^BqG|D&v)g90we!5K==AsJJ zuA}o`Ah)u%^d9XqYG22P)`uc-ho;_q6kJ^>XUDgJjuqbeNR}Fq<`Y!^b6~(DeO3G# z+~(U=O72i*sqr(~I}>n4j)p0ycVXPqXf9|RSgE;ThI>*v1i`0 zi}M4sG-aZKfPwUn#u*SBWH9|S)n%=6&rPo~kX6^eSR!GItH<*iNX>yhWR1W%nY=*q zTd|UWKFPMoRvr@-y~Y^;xV$Ll>%rgAM5uoSB`tL1pT=FO=Gm5-t#>nUa}RV&RM6&j zY`~pSj0d;;Lwxi@*5;Z|(c2TrQ6J3#ztF<%zjrIh^U8M5oja6CBCC>L{3lTBUl#n< z=Ne4V7<6(%Xts%f6P_7b^F(I%I1iCb7?0WHsq0?AP0S@maD5axOi#_%^}oUD zutrK;e=~_ctylnRr6ykZTS99AibqaqqGLd(uDab&q`uo=@RN|-~@7Ys#iK-Dt6t~YFKY$z2wBMD{u&dwL<*s zAf30e<}J;o1Wq#g7NPFaEbSQ{IZvr-yU-y}&m0`Z&%mB4J(iaDX@V?T9 zU@s|uNF=y0w>xbJUbYAY@TKXy9|57M|6{wr)h+v;N6h<65duug$l8F=x_yF)VfYvSQfer1Lqg_kQ{XxWNQ67UYcBj$bGu{g&h?m?)ji9q~GQd^THM}`R5Wkvm>x6Ptr|_ z7xjJK4EFKx+da)*OWQ4cSG9F5*LyeuR*(%+Y4rp67!S&cu&^Ie?OcSOyIk$9Me=!A z-S>I@J)2mamaFWbj=wzyvIIbz>~C6>T+&-c(hW z_2dJItySpiLed#d|$pusv-x<*`n!pDQ6VQx7^@spX@6w)d7Z)qYbVFWvlr`>3%5jYZ^N z#v(+|9vt_7XeJuu#&!WN>ZB`f&TWJC?^sTCz zwXY98_SMIqyY~}5?O6=pOLS#h@%MQ{=JiPr{zJ7f8B=a*$zQqn&6koiT|DjM--ECC zLyPTz!3oK*DZHC;FNfKk3Sav`l=Yv=sch%%i%y8qC6hYP$qm&aJ==>FzCM3pjT<#Z z_yua%5ll74DrBu?r1CHcmH~kI47QRGC#G=^n8)J5djCs&bs+ey^?%+b5ht}0Xti~ z?Fwe>+by7W!=#?brPQ=j$atW6moa-M-7ZcN$E*1?J=#z!L=jT8WImabhg9{a%^6VJ z^eP45a|i(tw=!?&q^u-8b=;EjrW;9av^A<ol)*$h6*~Hg zerkgcIe2?G>Vs6Ib|7`&w)j^K0ELaach!89p}(}eLNf>+A1nh`6jKAfSgxs+oHYC( zMQbyA3IEUvE$lpewjLxL1bAKu#1E1rtRNzZ3Y zxt@-Ju-Lwr=3pqO{=87Nr7JQXrshOg&+_>^a9>1%MDO2>W@T$Vs7cqE%d=daC#W`1 z1@dAQ*53=$vo_3&SqxpSx8BKXH*u7Le8%%VEKTkrkFckZb$T)_h%O8 zZ+ax1N0!X5=H?;!u>GNt&{Wtb&0jL%Ho;brDpxlJ`7fFODw$q 
zjcq7`kQ3`GtBvvOf&+=hkDdu!i{Gri7vP7aVGx3-kQDIYz7w%UMusb6h4?U)v&gk-Gc28d29fC>tt zD==6X)OF#BX=Gp)g5;lv-G#g5b-y4`0VE;UaN``P#0>G?zs4&N?y@krhA-DtCmmni z?1r&ukM!pH`jDK83rJ+=59@2_s;2amo5cyEVnzSMmPk*7EfKz(?)6Z|kJzhtS#jyC zVzUP{2&v8IZ(nU$NFfwqpy%3%TJ!aJECRW|YMm5an#dmwHwtRwHrL zbm-w^zN2DFaTYlK?l~kCx4yM{`$qG}7FC(ac=n!@En6Gw8$uPYIAbef{|7N~W|$mf z4VgTk-?iy!eGyNh*p=h-YV!R5#nC$1{eQ-x(Xl7t2~`)uEOBheP+V|VhQ!L9DOg^Wla>gMa@4B z?1KQIkNLwSY-JAkvC!R6Ag{@{+mf zp#1D#Kl@8&ExV{Tg znn%@dUi@D@e}i2*U|a!rOBHo1`A&6OeC$+{6^=aTJs2*sapinU2B>*A1Tp*`Ir6?6 z)Kb;E8|xAvvfgHeTM*(&42U7Jm~LcW+Ja0bmb|#%jR=kOrRqFTv9yhQV>h4+r_=uF z0tA16M3w;dr4A}2|Bkl;CS4F#CW5v4)uB?VIZdy3nC99kkMjeI;Z95M5Cu@fpDP40 zXNZ8RGU)SwV59Y4h6v?4v;ryB5unN33t)8!0MGe7S_cUxKnA+cLqb(`0&Jb!A6o}5 z6U$Ege>9X2$n_Bo9y!1Wvf{H&RrKWTyGeIw2PifJbH_s9GuB&M_zup>FP14KCM-b{;^!pX~2&Hf?Uzg4auf0&P(;( zn}Y(FpB#-50KYl<%iaIG!Bj^E^29z}`EQyH-%cr>Ai1T+egww|ln(G?TcO1J-ziUM zv>tA5#b9mrZrrmcrF>svsGtR+?|F^L{)KxWDP?1&p&FaNB@xP&|D9=urgSn)Y{8R# zx`dY(#y{oZh<&&Ym$z1G&vrI|m z!)h1@v1uN&9=7gMjy}z`^pZ4n+zTEbH8ryKgKGy$BmdB*N`Du(*xEqsJ0#cMX3XtJ zES#%kfl`4$rIM{vF7)Bk#ZYohw{Lg=!#aL_EbtO@?dP#pMPG7Z1Nru)Zoy)=bL-22 zlsGKAzJX-^f=uD2&p3PiXe+?oOBi^^hAFbI%{6)SBcU$^y3R5^8WavG@SWG0yc3Fu zSu8Hi34dyKC6uGO$PmuzpW94&utdeoMm5Kr&N09o?yb{A*ZK>O*2*d)+9Azq&v(=V zXX90!GVUilD%oc=OJ+lr2PtWHNTtB=rZOatmIO`BhaK66Kx?B-}AaHh)uJ)Go zR=MF2I1j8l7#5)i({uU9YW!p#8XpHd1VxEX0_`O^=^n1(4NP--8!GJ=PF4c|BCRfn z_Fb8LS8WcdJW1Vg_Dj_w8SJK2K1SM^gK&Dl6JU>Z2q)M^JI%Yty3dPXYKtolYN))W z61>Z_R#VD!2I7hSJXV7Vi}~=DK@sM19l0(oY>!|<bd-AdhM#W7a`1D%kdZ*g%6T)SX_ib_rp9VMQi zVzAmJtTK;B>fLqfmg*E6N||IXYGMrK`;2~Q6l9ma@~Wr+1?z+fLsOUai-;+JRCja8S_U%getZsFFPGB8%5XX^X z=;T?oX)N~=S%&g4hhwXWC<<-m0XQ>@U5*XC>y^qNiYi!kJ-7%%yNeLy-H&#o`g&xu zNK)wCUGA0^IBZYAh$I`v@zQsCA(|oPK5`5=#9sj>56=G=VNXH#-bQe+Y#K*@=LftP zHnFFdH6t&YztCpz!+g=^ax=N=_oy?P7(!Qe1SL|NZtG$-!i4j$cy5F0I=HqlHFeFY zH|l~$vv<`(1>C9q?Wlq};0An@Z0L&~%8qI+a2d0Qp?iAfCCztM!O8L@cd>&SOb*C7 z|5kX3+7Dtb=p6A2zki>(3?W8+JsU_-b@rQS!mY>PbxLb|+ZG1iVqPBmIcPjUQJKJ5 
z_*_2Wz!N5MOxe9$?E=ZCnCg7)p)aJ>nl){Wm~3CuwK~8Iax_kUsP+8T#Q^R{TF%i2 zFrX;fHLGsK)k(b(ZmO-xVbwed_FW&;zRO;OE%_H`w>A+4hHl)1<i4cdd!Wv1mDSAFH3JV--J-T-&`L}bq03Dpl$@F&S)-D4;M z$rbIX|3-MpOkmx@K|iPM>7e^v@^CD>)?0 zrq|?kt4mWH^>e10h#zxNty+oLTud|t{?9Fi;|_hjrr1Eq#8EykCy&!oMa>qONs;8i z`qJU6H1eoxklt90@=ekWAC2TpZ+^g2)3eCcmAA=v6=4_m9;>6Fv|?l@Q4B~%Rw^7Q zG1(^Hc^<)DI>qE-&T{VHbJH#;KAOMk$9eJbsTtIzf7!lnrCEXc(JD;9YCRry*M`In z$UYnb3;d)UERCO{ZI~`L08AC+{6hp(|n6W@Je2lFB@une$>)<3 z(#5KX1q)ijB}koEETB6=qZIH(KL>hcE1f|Y6TXqz+KHwMaGYd^!MlU_QNS?faD*OC z_ubY&z|Qw-Z@`B*ksGb9B@~iK?nfPubBPZFJcwIAn^^ExX~cPFhoK5>hE88V7LLMw z6l5wxrSn%;g}6}c)^dB`XX>_QY(Y?q$I8XDBirt{FFdx~Cl&{oG^aq0d!AV4`R65? zHTABbsI956T`0}39yY>I=$-zSBxQ-YouHfNBa0kOE};T`5=>eY#&FQ`_zyAse%OVC zgk(%>0zMX%4jX11vdRat=uVd3`N9BUA(?sTYfJufz~^YD@fRvZi7@X(?;{&F?~+1z z`fR}mCYO+@EnIXkR^wWL9Q%jX>P?5cx5cB18kAdeTkWyrl+o}^wg6p+i$0lqLF(#!z770>r=W4hQ#F2KzBph}&)*>Re?J-<9 zDlvzJBYEZ(46c*oi!?E!kkA&2RD~fYr|MV%g*A5yp?d9%lyHvwP4?)A!|W$}0r4b8 z8W0}bf^?1c>g2~LZ;{56xxh6Bcs^MXu#|2idx7gQX2G`2{g;x1! 
z449D57;j&c3DH-?uzhEJ%uO~32uMygs292Fw7*yU2Z!s1XPC$teBG;CNo@D(eo^6F zJt)#>ZK{b;tI*?~S#n=ZAIX1vCZoh?wGlThu^$gE9}MmB5V2eCE!a%$?|A zm$H^tHMT)YISxD!KGI4q2wV=+*a1ss3NGf1$0P6LZtE3~ee&?voK?3t=KVH8^wF*H z<1M0_a_(qTIq+(3ymsWa^-6yoXVpxH)bR{Y%se;SeNo*Fk~rWu25haRb|az#X3{a77L)iu;zt=oK_mu8sUXP|HSbd9L5$qn4ub+v^}#?9 zXZgh)s9;$VH{2TI(%?4tsCjs`AU%I?Y}F+umSDMCC$^^A2eIMD1`nKj zztAt3<2-ZbnHK7^sg}oXWw+LS!Q7z1VgF^*nhSsnR|AM8B^L4n{z+g7jyoge^v!jL z=BHi1G8^JLVkxO9s?H5k8r@1I``w*V@U~ATRt^J_yOWcq+Jp)Nmw8bHzkssQw6BED8<(@Kith2 z)@468nX>LuRT(`vUxn2hOIRv9fb{8t(uRgbNL494_*Hpu)lu*EpXMu9Y!#Bh$k|ON z*9_xdzKpUV!3?3im-+DYm;!TxL9{Ij*8deP&OX&f+{bzL@5>Cvr>w;C#J@ zA=zuZLYKk!G@y@XcQi^>JUdA&(?>dki$uCVBQoGWx|>;@JcMTg#j7CVvus^P?F}BT zy=1tHzerVWNc}?Qje_yx@;$X?O36EwbG8__dA%bbD2w`pQaj2X6)p>Mg>nBF8ddVG z50w>xYB>U!etPgO(Nf3Td5(~LKq3{;sY;L%{D;h|Fvt~)ABrM|onw$If{<|j0CFnx z)ZtTki*=-=Ul*wR^!;InS^I|6Kf1x1`v%yZX1EjE`xdYT!eI z@+FBoc|7E+Ox5iB2N&vFH37GiGJ+d(`Q^weuRb#G5xG{juB;ZI2qzBS&7eEE=NFnw z2!M)l+_i0Vm3MEjjw8U)ock{@3~c^=O{lcr{+S96;X_xR{JkoGAH_DH5g+$ynp`Cq zk^$d`L-PHypBvu6pNZ*^b$oG_wxbW2-A%fcm?+?M1~j!-o|N8ryP}#6({=p8Mgr(0 z|3LtHpO5{{U#A1ZLo&Jxws$vQWva=?6ffM27u<-s_x`f6G)Hsi|6&rprxld#0!hh) z^2icfz~>58+W$I>Fo@CSUuipj&cc@jcN;peqXtXjAb*de?=>Z};+Yl=1c;H*)fbQ~A_G9Zw5TYD&*!@b zjj(;yOt9rogl5=cX*ZzhEOaS7!8lSr({EZqHg51z#$p1>6iW(6-(`-KX|XRmQbkMd zS!}Q4*2i{AUiOTegjhYvsRegSc5t=s{gtorr%=@S8#FY$T+dzWUlX;c@+^sZ8AO&h zoFp!6lo?*;*4)!c$!LmB*02>jFTT+CbT`_#ySa4=r@y7Sa?=-&Zlsq~K@Z*h{GPF# zTxV6R_R^!`!qIz`E!I7D1El1M**S5eQnv<`grjfnb=YsuHjQo04y=(3E;AR&qIy@Au_a13Llh!|wXVeTQ)K54 zb^K0yvztF-+^`#LUIV?^1HJy!sszsfu&s}Ja+)$v}>%w z{(|-?83xy*Poh$;iho+dJ%(w%Yo5R^*i-7cu5C~>de-qnJZvR^#0($V&WH4K$Sn|0 zcD$T}%IvAyix#7%$E*>Hj&;L3|0Ze#w8KB`(Kf%2x$)|GiEVYKpBn2TqFcQe(%91moN8Hb$mjh=h6p&gDg&@$>+Po9S8qMF z&w$PmFuwa@?akO;$FmH+hrsa%PF%BMDNub1+1o_EunAQ`DQi&UD{fsOmDyNvxUMHe z!ioH)V?p2Qd^{+i3wE}7?D*)Cogr6z_-Oh#G7;S!cwkvsVVx^HkJf` z;Y{GWH|Ng$#zP2>w0dL!+BEQJXflG2z6k#j&R3+NSGRG41w~9uW*HnvuTy+Y3Dt zbsuhJuyA-hc4&RIc~pX<73r*tjUgJ8uQx0KdN9LQ2QHBkdxFHA^Ls8U9U7fZ_c??U 
z#tdHGV+&%aK_9?jZ@KCmKwd}+T<*@pap6gT-iyq9VK_^XCIhe-i7iOp4w-v&p!y!6bWBKh0D#9_+3q?YRbnh?M z@`Z$JMV!%i?xXp1S0y(H+U)$G<5%=mJR_4PF?;iC!@Cbmba8rq~ z?YG8liK=VMyO8mKgAYEg?wO>2>hMr*Y#>%V-eMn)|CVW-@C@bSWk7fdV7D(#Ze6WD z)o63YtP9@s>4`3*GUiSA6v4m%u5I_lzd9mGctfIn_Ju)*O5ZWWi06gE_fANhR4u-*E{cz<_%sxhl#xDr#*P=T*^i4 zciz40aTk^mOI1(Yc%?PFiK>cIwF~8A@D(q`<_oPWW}123-|Z!I*Tf7Vhh-pfq*BX1 z-B2n2maC}};i{V{Gh3qemZk;Zb+4Fv?oh7Ny_@S|B3B(mYk9C8q|-vSUK`kY_+AbJ zz8cAA8*H@=ZgOt;?%X&etzTMr*z<%}ol~)eh z?F)kHQ9&GUWHt+0|HZK>*!gwPw?~ChPE(*ji|+hcWy8!!y6VT%>sac7Jas{q>IMwrf;x8Urji0csYO-t+{?$G0nwIn%x#ZiQY+MjUr<_R`ZvpNm5KdUEZL)deK7P3~^xCy6T? zAPLxO!NqsH{qzjHy+^3F{323$=ReVMoYOVcj4OS2DQe0BB_1|a0`smc@ zy4!5{oF40Q7kruS)ir0^*J$PNKTWE6oH2Ejo2N&+5pS>N-yV1)ahbDimjCUc2S+P7 z3M$t)ONaE{lJMcvp~A%t_da^^L?AoWZ#L+@MLQg+7|I*5EoZ^T3Ryza-E&fALF~|G zHHcFF+*UfivvFHJ_VG`Yu{#70oVhr%^Q*Rmx|C&Z4)+;Wd|tf7F?e!xJ5J&Cr1e4| z)|c`)!xy8O+GicCpIs35_nNMJB~zO4cHS~VP2s-|MN#9XjG+rvyRm|zw;CmVoq`Y! zFxpo-4Fl0o^v3|Li+~t;8~Na_+eZLph#t_Fy-!+#t9R^kH`y(vY{RZj?D!J>eo$~N zUZ3C2p{G`Tt$9p;(khs2v*3L~do)epmoAF?d zgL%Q5A2Wj`*He*H)|0swtW%f?)-;v9ln38$m0Mk((iktH3~y}cv+w?Jf3W!+!n6tJ zl7SobisZLT+2r_|-u%Gaa)#3pnC|frV!ur|n$Ck|r=IK>qXD-TpuWop{EJx->MNio zOee^jeE4a~N#(p==6#YjTFE!9>$s2d5j!=BHrx*B>TjAWg!UOqyt#CA0nSGGI%K{{ zV@gw@PuM1Sz??q7ry=0fnbD=9AHLjs`;lI6-Jaf{Np;i%4nArtqIK8G%Gg8&k^Gh{wI98t&FJxbzlx?C>43|7) zW9E?l!JsX1lS6F&3$K!Q@1mwOlQQyJYrIOANt*c@*1gw*E&R#jZ@}$b{n58RnzxtD zkm2a=_sz+MyDDt-iQ#BGN?c$BbiPRyx`0@0cSP*`$3g`8itkejRRU>9o%G5>Av@%X zYBLihTZP_+xPwiTd-?R%dY1A1GPxJ_9P4$-zLNxqlI8J+a3bBuIih#FabE zuLaLAjkqCbJLjgzg51=%lOI$HcQjmO*blY7IKrw_cQv?A0N4`HH&*v?2IbDiWFwXb zb%7j_{^RR?RCQ-}cAinxvl!3-Kl{E$|HaRkNC)}tWE=71vtU=nhcg1ew4QDMLym%c z|DrF_9j2$QuO)_AB(7A_BW97*w#2#}BMZ9Hf6Za(lbPaO#D+l2?Ss9;zJ=Si7QPdLi$nKEYIBtQi*;$%M|9sD+f~FnsD;Nb zk{{&zVAHLYPknI*i@Aq+Kzb{rYSf;FckN`>U#OxCJl~!ap*8HX9fLW}X%22OI zNIm#S*|u;r>E5z@T{xPm=D+PS&!2)#(^@aWMeVSLm3A?awq3mp)N-~AJN9eAqLIJ^ zd9ffn2hM_D!v6J_Noy$F3KCXEUo^%gASABe&~PZU=#M{%diQ(vX&?>=BLd1}3 
zTUEgdo#X|gkr84Se7NlFTzi~^2sKThLrWgUAab!0F9FHW_CI8ZE}mJNIV3@FSBI-T z&V#Eoc1QJzkvV0%dq-d!dvLPzujRSeK!1Fg;_Bxafv?-in1JQZ*nl3wpg)y_@oN43 zL{QN*lw8zPBy{S#Aag^0yewjF8wpx^g{x1NRBx=biZ%G-TP@e-(@GH2j$ZZa)L9fe zK6Iddc_gx?0=GIY;{~rdLNtdzD_Wb0(DEx^d3~_{ImI8Y!6@S9ej&Bk6sL)OI-8H~ zU1~4CE4ffYy^6nKx@qzha^-_lRk_jw(0L44HKiRuf$i?ihYkzi=2i=1*X|rlSMjmu zxfa}~`+ZGl5`0i=VdkkfF#%O;V;k&;_;QrTUc_*0pkTQ>G(xpBEt>$hqn4&s9KH0V zYpFv%b2h7?rULrv4UjJ4%59oiUUcpPINBpN&ZK?xnSAd#e0c&fMBF`M=M{UNOV@%e z6l&Ms|5YTAeR^j&`sp4PB;_91I*XH?HCAdIRKrYlFSaY6&)@LdSCOjaUX%4cS1M@% zK8nViSMzVIZ<_{-;_n1$Dxm^>25ZsSC@G`Qj{f z;N?1mH?w}9HJvGs6jznZ0(&0eRu-`VGk0+0)V@c4ggTh&)apk+%Vjb}aq+dlh=1Hb z;6fg9eMq#mNqWEnu9*sCTrnKYAQics>ZIzw?IXA2sm|sj#&&y+DqF72cAsaBmsA+; z{UYA2a3J~FtDF^CNyT#W3Wc>j2Ws5jN9-mm9QYC>se7?zfb1or|qW4Z;;(I zKFZ$MDp=##!T4gWy;fAMU|C0)TINwumrd$leD=d{%CI=8%;I3wPXCBaaP*{Hrxb9-4obiJKnNSo+^1qs#w4&%hEQEMVQztR)S0(PyCC1 zh^NsuBzeqg_goT?B%8h)Ph!;yo?CrkJg;tWO`|)9vtq_OFJh?wl79A!&52@_NiDPZ zyuP6_o=@_QQOMW_kaXm%jqRA?16^e}#R zwIIvOAl1s@JFF+Es-M+2S{wgCNwQlnG$*x&PPqp=a3iR>dFI}r z6)7tBh!J+QC3yyPC@|!0dDj-JCU{)<@n>hEK`d`s^Da-J6R&(D4cEl)&-uS+p|spT z@(8Zcn43p7iT>d!kw9C_zLY>Bu8vZqD^KAqsr=AGZn0d)@GK`;u8z&t5_#5*1nwNa zFx_J@b&u%ki)%(!7E8O36XH)P+iV^fjUNHCv({1wKL3!nV8vIPi+d2vgsEu4DX!y>!=phC4SzAm?4_U4O# ztJAAh*(&+v51!ph7S_+$W3R9#f?^*J>`av{f_^E(R~!$sD&+J_V#KpLiraQdqCQD$iaHo$W1}7hzbM zVKb%0ny){r^|JmDMYCvPwTh0e8(3^eFS;e(e50;|aySmEC}9an{U%mdK;T)ut6RTT zVd*DKaSG>0e9CGdlOA@?R%qw&+ub{l;i`w^4?PnItq!WPzfR<`|A~=PbF#%qpf~1_-rQxI?aVlsoL*h{CR~j- z%RVi1#?~gV4Q`k>8y<_jU-PClf?>eZj<##{O-CN3S<0>Z zf0iB|ix<`(3s)-`v^psz(rf8(_j_pY^q^KpS+aULHrz+ZCd6U?I&QrOubAiKOnxnc zo5b5AB=iFp-ynUjG)$FVa;b-%DYtMAE=Wr_AH9syxJGz6?L}SaHfYVO5U>d@K=?N% z6j{CF+NIeG)6!#$n;SZ8vG_E_*!@8AN zYI=%PN(PfWu}f8>bT)K9US#Wtn@J;7_jE0{EIbf`=B6oJa6?SPNeFyib^)2|RQX=2n% zzH#@(Wx?kokL!`;z2qKg5`*%&m*6~bds1}H1|QRY<_*r=247R|C|t%~dd>#<867xv zJfLdeZ?PVu9g{nanPy{Y=YXbu+z#QEFFpRz)hK(3&25~d`J+>AL~FYypK6X*DXA6O 
zWUYo&t==A2(DuTuHvnZ*mzhHTU>E$J?$PZ+`-;@Xy8|nvb3#W^>a@VjAzg`R(4{?->P@C0d?|K~W!bYv}c-Q1((VodV$4+2>qOItYv_Cuo>?6t)lePQlmD zxWD0E5oifQol!NcoO_$OeEHP1-0EyxkzO`(&1s)$lhsxsktxhR9G~;wVYZxxq9Rx`_YT1vZc_&PzP^SLS^nz}-mfKmtutJ#(KgP!fUhI*riE$W&AAK= z_OooF9E|_Dy}48-5x<#EYs>feOjG~;$%Th(cDb3_r{3tnr7Za~6awDI#$a%BF8URz zY+(|I%AK@hvDVY&@Zq2`IH{Gua@j;3$0C{8H%OvX2K4^7KUE5Ymg3ekx- z(4p6$VKP!us4iYv{BwI0nSQ*NG*jd@YS;M)55reVE|+jPy! z^ecMv?Q_c~&Wk6g(If~M7ob#ZS49NZRJ{x{#I4Ndy-u^`A9&DI-mO+xmeR{bMDW~dVRK8>~@+)UQ14O^QK&AEJR^1=x%5^ud_0aHHu zQ4%tFrgMpNzRL8*6xA_;cq0P+cxRfT_>C>E&TU`{J6;@9dvlWSlrq&1wos#9P+0dx zV-_pXNiRisX|2*!;X+>@81kr`IG!!CR3EG8G9-4eAueFai#^*KdtX9nR6@d>#OCNX z+X7;Gk`8kmTawTUV5ZI0>ZsI7id%bWV@4)n->t<S{)wDvFL|q{b2`y`rgFu!;}z!eS>E%@1Yx20OFA|I`!Zq ztWflGpD(|SzI^HK<9l|ommaQKW!?<&i`(Ha^>9_tt7hNfS%Q|TfDSBPH~`xBjI6E=x|wC=TbiUzU-u;Dv@f7uTapDxg$+#--kVL3P!3? z|AJkTercpw4r|!cQg1LA%Dxf$PaWn)@(DFbh(S6y28E(x5mWzRlRlj6dFsyQ^Kh5S z`a3~q@1_T26N_z60vjJje_B$1l1(6+c27IArB$SAqu>v%ufC6$w^;mW7kwkY!RnQ+ zj8)eMgK~@{TX{u*X;Vr@X>^n>)^mC%JT^i6rD4RlUG#it`tTfY9MhQ1tm>8O9pqQ1 z#1!1e2BtamQ?~F&BuTDc~hFsv!0RN}|ulZ1hGs}7=hdbXoHgLYR zrB?E2=ZCYW_VBgEU7TpsKR-2pbQHc&OXXH+kNROUOS zIqkHCV~&SavBAhkm5GGW*Y1ea#rZD-P~ZU#6o6cT!BF6`aSH<#_0_w%eFGM7Uu%2} zH4uQDk`MIvd7-ihN#%rNZ1<&AaINZDc#x4fL0PS=g*Ozn&aihZPT892w)uWdLpN|nEA(g&co_%avCfec zNj|L(A~Or*D7ejh4nY4AUjBZBIjX_;Qb&QfULRI`sHI zkO11_o-H4`tsdxkk;IiYKEvX0aIUHWg5$RA1DymWEKkyZ$8>42iHasO|AY^Sk23kf z!At%BZ4A6+^w)yZ!W-V2jGXF~dG6A`MA63^ru`FDO^y7l`#~qQSmTlb@-8mHF&G zdfqZ~ZKq%(x;ZxR65w+uF#RjE(cyV_1BGCK8$-jm^9Se#P~?5qExvfgwW8+0@q>XY zXUJ@L-jL9p``oVpm9}Ocg$3tj`R&m>46z9fYm;#_bre9YQ3)yXyPy=pEbuiV}dwsxlg} zu^ovmQzZ=ncnIuBOSBA-ZI`<@oDh6 z94$Sn$mqPbl*7{aCW|fqD30r~d( z{&7ZIk7?R2oud|RR!>2ve(z-Z1wjm%{}gmXEb#c-Njxc-%C*moAaI)F}@p}fWE41fM+ z3?l~Cwu%Yl!_A6|w9Nujc~~*Bk8-7zdA!GS!ioXhqZ&aBTIR&4`47kJKPAE~oZGbW z@ac}MWbZz%01vaTD3J3~6N1ah%{N#kB`7~71Xc@8q zFUO+Plu@_mu)*4v&*}k4*zxZMQ1BtPlG!k~Xzn_Ar!#5ZlmTE9ACS6Skx-C?tTwJfR~_GmDC=yDtZ&t4Tac5R z={8pAJOy+E-@VUb7{YUZRT`)3W2zODa^H26t&js_>G45*=@g)wl;p(S@e36xnQ)Hz 
zupUukhwqK7(Q>st)SC-7_H$B#Io8j2v5G3y9?pg;lkwa1>Q%+&f?L}WN4jR(haQ(^ z)(c$MklL)4Ti$O&5t0ymQ}~Vq3zy_`w#V7+a@Du$Eh1pVHeZO}0#pPxA*bQ2I9#z( zv)3n-Hn_df@`ohVA>TGU!{BfLGF_aXGYjkAH6DgCRf}gon8S4msPoU*PIKA9!(j+< zxR5cf+KXMA67c3W91E>(iEv){lk8^J8=%D34-K;4Hxuii=RU^2u*oY5fOBNy?xC~f zJ-KY^XkP4zS+ujzRM{s#8m?&QlWY#7$+u5Ftt~BEAj%WGc>&3b^rwMq-5IX)8_X|~ z;-O5Fq63*S0624mg3bDttfu-9YOtnPC7~-1A=Je!Br_sq##J@=-cq3ZX53ny`!~5| zw6dCEpK?!4(Zfkz&WMp)vN4*&5h$EXgUZ@DO^zbHYyoVD8h#3&Kg~I+^<-HydwqD$ zN^aQg!GT|!Qh|$JGPfOen-yGFY;PZ~PmM6E*heC?QsP7V;hS$CsJ1z%Xnv0vMpFZm z-{BZLnEZ}>zW%v8o_ag;lggVw6ekXwo$LQD$f=>C6i!q^n@R*1T0eftdPAdKyx7c8 z94u)N9HQ!hh>L$M%m3&l5{L)6JQ1-Dx~WZWZX_enQ(%M5LCs@2R)8_f`LoD$w){;S z`u(@j6AQ<{#L*JF)j@{yhdD`6iERy>@qe65ll{VSYNRBGdX>`B(~OOGCW_Z zcCL#KfG_F0^<5P}^2NjR$fC2h{P3K(nhR`+>F2_0IN$6Tsaj&273^-8y}|amet)C> z#M#siG;bt<0yEu?rtl0kv5I$kjn_PIL>JMIZue@bCawGXaBFl;jIXlYpl!Pr=bv!R zavLy}@eG87KAyB2O&|+&B#lndeHs+l0-dEYzRD#%|HIR92WPmBF1(0F5+*9bXy9i2 zpGvWrKv7r!uT{?J?XWh2!H@*$%pHznBa!yw0wgCpc31TtCCkT(TM;oM9y?2x&zrF0 zZ+8Pp@q=)88(;g4CID%j9Y80F71$U&Kwfnn8Jqj0-`u$6%~1kmYHkS3&+xhTzX-r7 z2`HE&1sxvrstIa)V$WMzbql2_9aNw^HM!27PhSNBp4xO5=fM-FCq5h@GLK$N_r#1o zeRe5*+We1x?)2A4*8_A!=0YZXrA$8hwO;mmq%IDtDVwi#q<8Ws3r?%wro&3Suix9t z!n>ejXlmRZilkwJc!pVc%+cPd%u-oB9;1Q()P4=iERrLTi)5Od%Mwztd}OOtA09m} zp^}i4*BqI9IVH{@l9|V1c+=Omes9Z16WC^qSz9$Ni`v<>L3-E^G4C^vJ7EU>pkRV{ zCEtLzFfH7TeH7~C=Z*KBE#~kIP;jhhsvPW3dk{ZvyF6xt)8+G_9&aK93x= zyS?dnvG2v4e3hfBm65W@DG#8){*?PKgZNmv`x~w!hZJ#rOmkS6>mgevtj8$U`4YIE z<(LK#C|PSYB!wBIhi~1&Y2q}I^VQ?1tETDZm=Pb1$OsKaL$=ByhW3&w0mn^f^4QD1 z8y1d=^`06w_lOF2IkmH+JywepmHR8p1_^8G0lB#ImfwHZimy|E9S8yJfU#fGYB(Pf z^vsCKDWu=IF?aQ<1brfP&Zb(nfg^wv7%Gz&E6reau|Di^(?w=Il}XEG_vb??f@qHJ zx!k0z+~T820o!3i_l?_tQSOpW8Y!%@3QEgJcspv~Jz@I<9T*h(a9DK&ZWk5M$| z%BORLI%z*SYoGR-n$UiBPst@u6{YsIVMNhF$b;8jb{GYkESI0lH)5MP9>S;5B|46Z zo<5S3`P8KNlUAfGSLHa$ApJC@z^=ozzgS`rutlVgvHlnzZC2r8*3Rvd+RE?6i-kUw zBEEm#v6d|u5ldO7a`4pCmnyp!$Jc4=D}<`jw#EEHp=1beYI|(zHlEP7SIyH&EJ z0F?7Qn#a@DOK#c~Rp7kgZy%GwjLcCUt`(9$V{jWNbHK)Vd4p;Sw!hC=2}D%4p^X|U 
zk0wU$*Dvi(7106(&s)MNi^8)i?nyYEKW>&w@s3;OBd*0M`>2#}DhlisiJJC&6dIXo zE?i`37f;@sBl(@{JgpMchtT5)M^~nmJJSQjtKtyAcmW$!)Ak(z%=uR_fn30)o_zit z%J$HiUcpnVeLnLwy@kW98=-gNVF1F$6)4vOVZw_6o$SQLImcynI9zmwR>^g3Y|O%Q zFj-@G;XK(vjM!(6-xnJF)D~&k(CEZYd-B>=@mnolnvaF1Zw$|N-CeDiLC zEKn!Sz#iE9G22W&nh-6dSrIYx+NjX~N=mB&SD@1CiA1zv4nV!6T2!ch2Cx?30F2A#$grt$lrfND=jF?UB9h&AYFGV73;3 z@_EPpwO1i&^bewmiI1j`47D_J_$A7p^z0J219svP}-PXd(#|`LOv`-!YKhjS$~o+k(!346}o_&w#vt(YoBO43aB2`XN5=e`5xZ z#*04{{Z2gP(Ev)vPbGel4CFjcgABig{aH7FSR%7IbOd0>6{_FJF@1g%VDW$J9SEC# z2q%FO-q!Ev0cT{F>RiM{s0_4@ALOe3rvY7dzWgX)m-}!dOb1w`Cl@h=pp7pdi|m}Y zfF#PX4-0uL|FM{Bky>IylwoQhJz;tNmGzHbJ$Y6nfAlI*waWrA6Fo>oRu=fa{)@vS zpXPy`TrPQMhis^0_-o)q@;dbB(%?G z=`>UEx^17mzWSnSRjn0bEgq4z`hpkjLgBoV$AJI1c0D^nesR_93Fh^Ly$yA`>V2mE zywTMc6qlP?I|=Ww;v=P0lM!=^gm*o)Q_@C|{0^v^IlyY6-&lQJ@I&~7s;!lg5Oso7 zE^X^q>m)|>Wa?=6M91*Fc$)|_w7JG_WD@`ERgZjl6V+t13?<>+j%Y*!Rb6UNnFIie=R7;K3MeVZSr*qyH^37xbx>PrhEN>xAduckS~QaR@<|Zr%Wpb5 zL3SmeF)E-C1>!jJOD#>s0TU0>lOq53-5-Bj4$xC9P}BvP63PF4dj6M|fvU*0tf!kY zz<)uCAAT8u|9=3$#2p&V|9dPt*w%(vnE!eMkO)xWu^Sr3x4qUR$$#8A`}<-64S&=N z@M;%^-~cKv>lFt4_%c>WmYypo|F&SD4{}}`yNzMRCxHdmJ?kj>(YPGA%7X5inj+UIbn(1g`WHbEAKWvT%jTQUs^u%2Ib_>-fry ztUDp9h5#ICZ_I=s&DE6LJ?+z5Kw@v(zmV6=v3ul$!7rJ7st@Fin?qRHkH-#+`wb-C z_H(c*J_7o{Hn9I0w@)zu$rc|e{2@Ph8Z>tF*Bq4lR;KS?gu$Z2DwO)C{ghvR^x^=f zJiX{#!Ug*g;3;AAL1k(c1QLEOMLs&e{LcBKpct|T)E07H=%Z}>k|yp)Ua2*vdHyp^}0BL_^ ze$+b+?C=%;#hRNm43F%y!o8)=0}Tp~G~(Apo5lQi0FBN2^S6#pTg^6{N0a^MNN3Vr z(E~?!5|nrRw$I~c68#TR&AgYuU__@HG(7Kq&I;pA>~fW6fqy<@)- za^hgiK%Mz=*jdMYlZ2AXq-Kp&PqO22z6?A7Qkr`_@aeNe$9hVZ5qn=f;3T4I&Vrt@ z{>D7>47yh)V)Xh`u#;4d#-Uj9K=B=2cT!zzl^+;DijRRzU;jpsUfz$3;mN695@&&S zBQ0@u!6j`*Y(=fQW`>}rIluS&6?J!%`wSD%EHAhRn5IN}f9iM++7UvFJPP8b`Nf4x zF}#s`F@qP7-$pI#l3I_HCj#W(X*7a}?ycq77WwI3L2$grWuX~Q>_3Z(X%^53NK1pl13DJvPo4a*ZR6Pc}!fkuAU)z_!B z4!Jni7H3!OM4r2C>RFK5h2NHql}l|cPYQIuMoOEIweu5fluvE3dm8mw55-DDVs-83GKjlKDq?^#!5djk zl498158JAUbl9!vU$~IV)hoZ?CtVH(7z4Rvn3E7gQ5MCnq{&2z5w; z)i!#>OWoL)K!JsUuxJOAkGjN0X7bitl@tGQx3B5enks|_cv<{baEZ376>t#%_JTuQ 
z6*yIOWQHV7*f*c-NBaLb_|Y`Kzc%3acx4N_a}SHn?Fl|XAmeKg>lsDqK1P9Cu@Xzy zI&X-Gw+`M0fKFK#y|sxafdbL-AZCNUES#MeEbBXo5FvBqWkE0=A;K(Kce5&k=rUOi zF<1w7#8P6>P675hmzykiWHCMq3+n4vC#mcMGFtbuGWPqeRS746Ze{kt!~Qc{Mf>uC z`;j(MP6V;_jJpTM_ztH`G_};Md}Q@&z%c+=;LSPL@kB8{);^Q-2L}P(JfVq}kvY)f zr)EJcSL3;{Z)3<}St>6SQWG>wb#Q=uSbOZw0QDhD6NgyZ*cBZj$-)id_}bm&E5ZwA z@)zziJbKuph~~UZ&cWy(t|-R5A=`iZe8WCqc+->``6b~dH$UEk6Xi|qVco%s#H&C* zPw&REUDae&AP;OD|JI2cN&tR+=MU=!vakQw8-SD!?@}0(h95}o%~R3j$cg;*)ZxW1 z7jyVgslzYLKl}vre<#$U?EwHj9|Vf~dh)IJQido6(7WjcK=k3&Wa0E})wWHdFvXm~UW(7^<+Qva>^CMfW$nv~`|<8LeRf4xEJ z(FZe7I`(59JQBH39Gm2T6m&v8IZ!!{<;aJYTA<#nz+K}?-t_NWrIuQ1;S#dYlkc>C4vj1gf*m7&Mqj)UH+pO`Q7oB=kgh zX{XfHIs51Y^gVixceRyO9eB|CmtX+wq&Hmv3S^(&|Lk_Sbk*;Edwz_2W9CkMmCm-34kn{^mX;iZVVv%=kWCmjRPeyrOr|4)KWMP;!c>8U!QKmkt4tw4seUp6GLNNdfHIhd0W`w5IUYN&Z#O@{oB%B<{U(|mvOyu>dAlrs zi-ADdepAZ`xyyE1Pg0%8upe;Of*z2^)>l;X-yH{)^8J!k;M~Wkmf(_!>=^OW@A=Nq zAx`vswKG`Rkkq0F(*J;C$xONe7WiIVP~3A2wDFsBQWS-vpZf+pZ@h684;%$2<*lre z>nVIV7^|QxgvCph9i)8Z7ut(8%?iLypYn8qLBEzBj;^mr+!k+LYRvoHs^Fr-waqc8Y7e}H}z)e-xU z|3NH5rwMeA!%`*c*bqxDJ{94!vZ1|Sgj;X1GkYH^{G% z%2L11VBmuc;%mRW2M400b0=Kk6zmKzjS5}kkbS#HJ8!6fj--7@7jPL22i{8Wh%npL z0OGPI$x(=Z40f+24Co^K8nd$|`!^Y2)B(~xh*s`_qq*^}gXNpb{@y;xcd$(_#q6*t zt8&uqtKb7pv9D*`{?(~wqCg~(ls>%^PS+HGHZ0jo5Z~XaY@S-elQ#N2he^TvIH|XW z{-}^Y1%ao9;%{0k2OiEdy)$@u;~-~vd?Yb2%%;2ZNz{?ypx)$WVhM>@yG77YPCN%p zw5;N>=EBfNtb7ECZ>GlY38qWb33E6@!i62Rv;(y-d^*JPIG=^HT@Thvx4$?l2n&^? zBB;0Q5{FUSGjJQ6$^LpXmK1^c9Q<=eIjkuHWRT~)-n=H4TKz{Su$}-@ie$dY%>M!l z@aXJ|=7|E9ot@TE^cT?bOZ>Mw`uCChZjL0i_CR`o%?wJ30`tAK&|iF9`CTIv%bYaj zU?KDZP-gwCs5Vw?9S2)4nd5pbv7AZtz?j%>jFHx8x3k>MeJ)83a+R?FQ>9DYH67YiD{+FqS;`g2c-(5GJ{A6b! 
zr)FO&QXT?G2q0Gfnk_-d!v336SKgzT#^y(zw=;hUfXl)ZWSuNn)&bYRT=?I;YtBS2 zC(buu7yUw>=)cQ|LISV1D5vV?C*Hgcv^W1#6P7Ag9r^dVcmD%IacL6{Y4`|_H@xjzbxz{uP;#<2y=RF0D)5`P*6dF`; zmb-NZKaeHQGtV-Lit@mCf`WcisYC&H>A%_FexS;wM{Sj*Z(1BE7(n%dUkv`2u1P)W z9{FQ|01{9l<-(tp(STBxaSyuJ`K_@Q5`d~FnHDJ!S-W{0P+l$pX zp=K=-uirw~h~n)_#zLjoVYLc9jG~a=&A|QFoaWa9(O+%^?7eVB4#N^}CM~0+q)jCKrbXebbGI%7^(Z72hi)62YQ`XU-g!1 z^D|_fDR4kX_IHc&_!VbXx@MOgD+XU9=@9a#tBK7Y82YR)29vRCu=c({uazH|EqqSE z&Jg?TI>E8P!S6>>N;>|;D^#DR=F*oR^V2T!iaZI?VPJZeTx{CioXxg*)}rBf1sb@0 zQ{`$Mlok1$T3YjP$tGnXBTj@)S88cP+Fu5OA?D3hm~tuvwqc!8tDKZ3_U>Gvz=a3B zNwKfX1TRLob(|8jEk{PYXib<~Cs^NTz2DRM?Z>cirspkUwy2w}7n4FW(k1sqw<}tn zK3yO6nsZK`Fv)=$Ib{kBs_N=Z(2D9-rjzW3^>1xX(*{x}Ybc3W9Khsn0dwI8CaW^k zFAud9g}xG41<37RM)Uxg0dkwfORd-_7yK|Lgjmi|CdKxuN?;FxzwheG3 z4Q{P8?Z19x*3*s$e^-vNvkHF`Yj5IXo}*w{n(AMDFUl4_efF%$_$sujWR)y7v45Eu z+wn16MiWy0?F;J3_npE2p?)_lb~&xOC#*lm)<)TtM^=gH*Hoe8^+6w;?uc$AY4j6#Ng_dL6dOY&6**GVhLh}9wQ>2}m= z55t*PhsOChOj%0yLd(cwqea{k4#w3>%AKw%dECfVtT-F7531@?)KOYnbIa zsBzWttAPvWVaj5zj^G_NDF=Qq@F`$Fuik^O{4=2E>=3aKQq;3yP{<6^ndv*n~(qDC*LCCn;sgtat69(@AKQ)$0wRBml*6;qy z8|xX*9N4>q>kh>ER20?gzXCV_zya*>;q>bB;@4!en7H@JraN_pGIo&u#kaOR(X5-Z zB0CRW9C2v8J6p-<;A<8*!GU7?jK2@Q95X0%4u(?$fmLNz%&j#_$Kq4F9ueFrP1o{VlMN3E@JO}C(}m&ny$b`@Y408XPDLqERZ#4S1btxma!Jt712{Ja0n@xufx zSbVd?<*1u?c0Kz)Ih`k?>I{ZM@B43<{8&*_j!RhQ04|JP`ELk0QQ+Xo3Tw>;U>iGK zdehF2WBm;qYN?g(|3(+i=LOWGV~=W{AV&h}@%G(DVl|s>UHcu3&NJ7pfNg2WfFpz9 z9z^J%hz6X#e+c;gdg7+V{{{>H&sv$;YRWk@Z_AgwO_^akfK$S!{&xTe6R}WyNsd$U zPCV+46+~}E9Rwg`c>bRr;2=x^pws{RR_)Z9mS+!m&!Z2xTHec3{@)h&XT!-wfiPS= zXh+TSfWJKY|H8PeuwL`#eXGG6NoSxQQ*TAu1HHjM$dbLUClB5zpOO#Q-9Ztz>)-D8 zv7<Oxo*dIk;S5Jgezq zWK6E06&s2N8+yCqgwf2ibjj>1QLnpiW zum3{g=I1rcx<|;EPci53C zVNT7U>{$Pp#-3h&Vd8|&9+oSKf4P3Sb*itLXX4+k$WVzJT8y{QY2$kD2(qf}WiodX@qI)LRb43@bx?>`GOj;jyoiT!D3c7_{Oys4)^KerzgCle=f$?q)Q5UGQ-bl7HC6 z!E>YYUCF0ACdm~gDW@+_?k|hiX(A$2ggBv6!_IaXE2YN764~46(Oa`klG6zG>wefM zV~y|Z%f88uktgiy=E_7|84gTkw~*W!CnJ=)#6aDw$Geql%|)tA<-2VFjpv1b4CTLZ0p`VbSXL 
zO6_cL1S_#H{X1`a4WC1R?aTm_>jf)bG}T}ws5KUTVLij&mP_YGP(ew@vn$Y%t+D5>R_oS=v+Ik675f@lrx8pxY4zJ9 zR=f^>%xUD9U%;me>6G=aybn#cN~cedN3)iTX^U#?GxnV6qDkLOGEZeE0L~Mz)9wko zmfsViNw*>fZ>6ln>YTF++p~B0n+@WC|N0Bp0`@mi0HG0`&QMffV}6NOeK%|h9qFuI zegdnEGc{G+(Yr~HTf^m)g_zr^FPj;3EW9~~H;!Z6Dak}!L@O65(hq6Qw7(I^-NXZb zzCH{vQZ(4UYhB0Fp|Tc?mM(_&~~>iyVS=Gug1++=(Xt>l7MH}%^r>J-7;T&~#7!DyAFgO|t1 zZzq%O3ripJ_BWYNib*AazlEIx$my}mC(-E*ZTB#AIX#Qk;FH6b4U~X_LAYren z`M**xWHBp#rY`KXBO{hg@E+ZfLF&PZ?Nc>g83PttMsW3t6YYZ`8Y$+Cc>FzuN@%Ff6EwlA}KA~jJB*<`%*VOzGx3p7~6THsN z#?`0Dyr+nUQM?p!z2!Oht{=ztX6#&oeo6%u@wonQXS21kw=n%lxcW_BDkz4n^4aQ34x++xMAt1F`&L&`o7=z){=nHccFzW3bG#9Il7J{h63(h)RG9KhyQ6Y-e1*Zi>T^nUDHq|S-1#Ie~PL% zwXUaD2oJHVvwlSugAPk}E5yyoUENQ+J|ZmzYDX?7&w9gqlB5^1kVGLYzBXpMQ&y3@q%H zXfkvEl^u%XNsMB1Ebh*4G!jBD7*;LKN{4vD+ji{K!CA`d1QyS)c}r`~j$$^FDle%5 zn3B(wTE`1dQ&yeWX&Uz6^~73nz7WW%x|XnNrIETyv&wSc0cmiN0$wXhlQ6ob#Dmm& ztf&Cxw2J+{Qss((j92GaHwp2G!vLVqeR(}&XVmJ+tH_ffNpMlPjY_0jxNXSSL6!)d zD{_o>+;;rUo=9H;Fb}$a%_B~sQ%*U_`T;uHFQ&QXm7JAhMT$a)eT-NNBMlmj@O}sl zy;a%0I>$?=UP~NrzcPH>(9ys6$5+bIspEN^GteOq(rA8@>~olZe7#+FHe_ss3b~tf z5$)YRYlh@6)`m7)4SS<3Ypi#ROXe4vuM;14Vp z>PG94Bb&I{t$Ulo@pf9MscSTr)C%=I!VMJPV?nS%_w_8#sV4-4cEa`GN%bOHtxDCxe zUXSSgZgv8;t6!Yn_S{Udb`TD{YM6`IQeWfE;+Ie9V-1M#6pPeELmM;)w!DY4Y?N=W z%y6#>;8@+?3U!r~geFxuJ?hr#K0&rz4Vg;MZfR#LQf@3Vw5FU0(c@klHY3FPh1vN8 zJP!XGLEQlIb%*(w5mi8*PAJnm>3Jwjxj}N=2FT@(?b{9IufUiQvj(;^;zb;{Mx?_hke7b+DjHLJD z70xbRD!87O7T|Dq97L=+@S3S+B3hb2#~I(r+^1P4Y{%@<-}4EPYb?jHo@hPmjFQ zySV7X8*xCz_HSS zG8r;)1&DF7GJ@m^L#pETssK2;d;wvf*cr@quoL2)f4;J`j$`+B=AHEC@~BXXBxZrT zb!^*k_szzdH+$1JjOFn>#;hH+fKcX_e#?oPoeVH$J{}KnO4&)X;mUWPvU<0!fr`}; zDScb_gt3+1$2;@bXX->a~=%zB9{+!>1J+`*C#LEj?) 
zQI8x%f4iJ2(g*o;4u!g`dz^iYX#itq5*N*R@wGLtR-G4Jo<$kxcD26@7;iBMqm!By zV=z()A@FJI3GCo9l`^<0i(`{!WJ%9UG1i+oJ*%M*^rLit%LUjcjG4=pen5;LI1;T< zw2pR5uiw=mFMNFA9SdAtDkFR|H^Mx{?5=1ZSQE%JSbn;7`zB_q2;hG7Ei*z}jTWkZ zb6m{427G@IVg2y^-#9zy-$-B{7S?=!(dr)Y>@kY~fPTFcZ|2pNSGbgm zc$xgt$Ln-y8is#UJheRR*tPD-u(|U9x~nfFno|Xtwj!!<@ho!d=agM{pUDja{46|M zM803!uXW(}PCrD~hTecxbJE&+{T1Gnjww-k{S`V1q(lw_c~Q&Oe|vTpP1r^; z6DwB0gvFO7g_tJrWcQ)zcg*Z;m^W!_B~sroKj@NzhyC|!8VH^TxMj_}Nvo*tYCFO2 zcIr#AeklL3@o(SF&kNafde>_0;7Xl(%jV1pBdVd1rQZ$n6gLaV6w+K&nxv#Tgje0T z47MFed`P2M&aOXKamqr-*D~X&Vurt+g^2RMu=R~w7JlbZ=-JGBP~MvzH8npl`Px>z z@oY8bId&P{PUDbJEoj7M^gRCS1hFu(ODz5)J$f{62v>a%dRiNfRlJPg&+UfbK{W&8PQTz~UL(+6`~`?(vH4gbp+zeBkSZev>u?w2^NIL6NM%#(u);VeQd~ zCc`Nd;Y~nlBByrV(0k{44MbU}3(DD^oFY3EGL7QMo%$nNa51xOBTt=(oGJfT1Rs-Y z&6kU(@UMa2W)mrOR|suD$3@u0f5k|JQ?XsFGyc01L$dM-*!RuBMn-M3ioih=ir8S$ zAt!s;V|MAXfElt)KzY_Knct}7;}^xP6FO2_NeyqM0eXmB?o9O@mBpOodP^a)dL6KT zO{%+)1;We(gLqKxn0C1f;p)mbe_Tj`zkh1{?GBZ7Oul4uoCbmI0oahK++Pt3oJMCq z>IWo^{#klb0L)Q#^!C9&o%t&{G)6g_S6zk?I<_V-Wd#%)FN!5ZYmUQFH{T>D!kjK= zO!z01)p-j*S-e7smODo^c-H^2CcI`Djj(~6Pq8!?PvQ(YE1hOH%G&ucxg$-lf&M-r z!u|!y=V8iRuM=W_L}pYbY>Ls*z{0G(#!tZ77)-px zEBEkG89;f~P@s!QQliPrhSI|Q>LCc9u64qb@BT0d4MixYtL9|xNBv1hIG1FAQZ|Gp zJVEQ3qN0QDvZ%*7+5FR2!O5~sCEsS3nkoV>&9FysYis(00SN!<0Kx-`{&&t8aPQqJ z^iF{rwKYGog5BvNVLMTd@cH_OdiU3!-%01+n3YbaM~}m<(kZQNZ`YS-oX{IT8YiR^ z#bq@z4%2usj2Fc4t%>?<^54pV(x=Mw_2hJ?2Sd#teAo3)ZdcMwKN=UitPA)|S=VW? 
zXPlaxH~NE zm{(FuKW@SHj5v*c&?rc^CJ9(SxNBYL%zhai4z(LZwzh!x#>7pSGrPFajg2Z zEXg&+Y`y8_Ps+c65ue$Ea!FLXqSroni=D(9$J(OtIGqUke?TiT@1OSszQ(yK(u=?;&UUeHJJ8WOd)Hs# zXsr2x{A@`Y%N$Y<9qbLEb0$3>NT+i+o?p|DM#bq`9NJ*BO4*P+kC#oy4OEwtlDIVP z4}P&1q|kVoGvpt?TwZyjGN6t_cv+-6z$_}ir#6a9W4CE~OjpHUtL!2=l8kfp$sVD7 zQVZ;;nZHVCXhR!A&Ap1La$%KSbmMdH;tc*_c;gPznrc$oY*zuJ+pso-NW7o4;&0FZ z8aOVKKta)El0ES<6x9cz`*Q}g73BYEosipqJj2PVJsn2OB2MMp$=TtYlh_3E0x%>4 zvlxr_v4PWc#<6ub5crpR68tgcpQd6P%1ohLo8HFXD6F7;U92}~o$K3pW1Mm~h0?}# z@|Mq!XR62SHcYVP4ox&uk%2AQXS9olPm=gxlloG2y8#32L4;H#eo?%)aqMn@TD_t< z(+<|}FfV%Z9~cqPJN5TYUDYF%9B=A+t}v9XNoR(_W01^F?g-` z^*NU7l>CeA9{v~&q^7N6zrJ1@5Fi17$6?*M81o_Y5*QosX!x?G@$6kDCNm6&u$d+% z-*|1`YFr|4&jT{QrJf>ciQ}w}oNVJ42evQ#2PA*scA1qnoK9(~@%1F)3ja>%DXEY? z#s*`RAA-jtnLSImjh*j#j#IPpK)1+p&0-ui}Z;VZsX)z!s_W<~c$&-Z_Y$R0sS zeY&(s;EWK#W*R*j#G{JQ&ztLW`^$>&))Gh9z=-d9i28SRi98R>P=>vm&V4H|Yt1l} zF(n=fRB|;$-cSj{g__sOP_y}w=b&bxoOG&+VH2tF`V&7Z6SIkNK$v}4yIi(XJMXgj zgLJs5*xOCSwENrnU6CB-XVjD!$U-h(=6%bBw&(J?uAYl8`=aM5WQ_Sv&G{>b^N#q` zub^BV($saboFP?vY4%X%u93@pWu}9b?^wD{-49QWBs3SOFZDkwM%2;9C0EyqAB8q! 
zFT}Xn`!#GjPa`-xLXYlPDQjM6rfc<88|8%18tG_H%q0u*)V~5+8G!FJ(X0tHfw8;EAE$rP-b8SyH z_)HA1oPv;XgZk{M<)ZC#`BtEpS_3Uxt{mP|?rXGoXoBmNhxdK5xP^h^NODe?@`TWJ z8B;L(H*cF``QGO65|t67U^|mLUC;+Hv%7W7nB>?x%~F+G^XU<*Eg}_M zo3-}%4z}Syh4qvE1sz1px?>q=W^S$psW1(~P;ozeWwe^@42=3xcv(+4H!Lps+|@|g zYg+X=Lc_P`$KSGQXP6tt8!(s$rC(is<@s<2yL{V>-``^#S0d7W^zQhq*@~Ii%yBEi z6kZUxDcfqT+&t=i4+#hf#_ONkYA)gJCvyj_b-)_nQvYm=O|cohsD?GB>H@pep7!sY zfU6*5qbL9y@dtTgJ=cgHW8+!1T%196ja6Z!lLf1Y`8_KH*7k-+4y3-I%qZpWD1n?l z_*ZVNBZbB|l!8CXNuY@+`@H$xk99imU?A4^Ea95s_^e8J2%!lhtJOegH!0mQd!;Lc zaKX;;uewArM7oZj`%=l}d3PqeCUUQAtldk3*Tdcg@u`|mn5)0RykPESKv4)3*5l1H zA5pm#*ZiX8#x2Q?Z$@9=D-3q77_dxN|I8M~0y>_(+J0#Tmt@`HGjHbA8|*g)WDu0* z41OgIFnqr@;2mycil$5wSTlQ9@Qj|4(MhN0OuzAcFPkL2$71C(5o}&UkBIHv3^aIX zYPzPT`ZdTyZuX+qNS!b_LnEgLgB%!_R6Cs|F$R1L3U46a*Sn!nzs=D+(O-8dZcytL z)HB?6Sx~I~XeLT^GI%W_KXt>Kzj$E`nH`N#iMaYxE#_rZxWWUPP#u?=2>YL}1}QmT zk!La*Vhu`2uCDwWaTGTHL!!tp5KTBoyKO6`-nz{wXwhK90G^B26cRTRC-NR+aSwh9 zvzgiNpGmu;q&e={(#-Z)fL$~q!bf1$cOf;wRL-j7sbCWS>$}v#yjM6@LKs)%&Z(aR zt}>+kd@-&jTuJClM}vf17TY83kFT$Dot9v*@cnW`U-rpIRt78Jz^{_J0;kR9g8G7b z%oetexRZ(#m#D7KCul(H3FFO9y4pTcO9QOLFY4OPjG+R7X}aw<^Bb_kUq?$7rS8LI z@HNvlg|^nTNMWeN(9?X!iKyc0&nGQpb5KLd`=kP{fVXkXk#3!0E8g)ZE~_u$xG776 zw0GRiqMuZJiaQ}Qe8wbm2>n2U&fFI!lejHLdN4##2#BmJab3D9+!G*<7p#a05>Ck&a+*cpSdC%%Lr=j+VcYmpe2-W9B@g2%-MVqt>1Vc+f+Iv1X{1sBvS~fBvP8l% zCeGh_7kCHhgEGuP`i#Yb;nJ6^l^LF;lVN%JP9z=e(GRS)lNn0WR4geO`9WV=Aq_ck zC(iQUEZCJZ({2y0&Uf;oV*HRRj9qQe=YlqkP@Wyy3~|T!B}O2GnNe;fX?4fOHkvS` zzLcDyBd*g}olU0jbPPn-tXAk$F=Mm}LA=C@XI;&55Ll4hq4Czb)`<-g-wVZGd)jbclAoS5u?hXcaW zcJgW7rM7$R&2z2tMhRz)*mj=2nL)p&G|n7yaz`{{{PIE-U*ww+CnDA^wO1F;t%YEj zq!9B<9~$*?S5OK*>F(o5`#8toI+S$@gNt1I-1+{L4R6{6O5eBbt7=v?N&ey@D>sZS z>A5bik6nJMbzED${ZYfLa|rsbJ$hUGRXPq)IQu5WS={|-{+|1zkjCb*`ZE>=whDv{ zbz!V&d7qtE!`O&7Wn>SgAt)EGe`{jWKBw6Mkg-W!=5n7LuuJ|+p!8K z^JD&?=GTKW6pj@stlWqfbX(FI1?8{YxeZy=hJGk8jG5A9=;cPvh}z_Ql$~xSPRy)* zlz?)x!Rs>g&K&Cw0J~EOR_ou8{QhwI9bde{K8c;&4-sjwdg19fk4#d$!H~bTQBMDo 
zmy}8ZJfH1hD|>B8)A*0$e-_@#92)OX@OePQcElnI0Zk~--OY&a3kE&iva`7GzD*`+ z;sQG*@ABDunP#PuT_85do3`MWb>Oo@PB#&&2A-=KpA43&kC>;l&As8()h?UHmD)b1 z3R-h$t$VRrL)=)+Sb4~iQfpS9jr5ED;+Txq59D@Fx6%&K?72O~t$RE1?c>sOC7MgS zSzJ}#+$Ns&xyP3B>Yja*=vIT}#Mgisw3lv*tX9$W1VAj%-Kg- z%Uj1&DmSXJHzM^3-R2@q8!|j;z(z3acsJYQu3!P}*1k)y5h6%!O70K(`Bs5@aa8QO zp4)&WPdn>&rf-~!k|vYwvKr!K>+BozvZ7E#p`YG+1xV+7fV={=V3%4zx$fxJYpi6~ z7Cl}fG}-ND(h1Hri2_DN$1U4gcaFC*?N{wWTD@tsA>YPX0#0flTdE6gNYbV6t{92N z%Vgzq<%OiPd#8t4gpU8%*fgCS|B>%nF*4n1TK>!C$R+sa>2j(*Gpn9pIJv!hQE%`D&CqF3loRLEtu5eil+}tDQ_taz~ zpW&z~!|7YwFPhMJ4`=5rsF7`gVh%-(xGI0K(G48~1ZuHC)a zxStn(=}R?ys4*dPmN5%=iMInFgEV(+Pl9AQX`t=PM;n}`kYF4cf_7v0gKzyOA(i=D z+!5nHyw5xiemTl07HGUNgsK7z6M5y_mx2v$1A0DL5~uPiL)k=|QYw>8Y`=wtrdnTE zDAJ%pMvuo#8=H24=Ggbm)1g6^W&E?6)Mq+E5Ny-_>T5=NkyN-f&+~WXeFEA6h*0n` z|8};@h>yRaC`zg9+Np;d&o-o~EFwgmfbCE2eU6?|yWa^gT^>oI8aDrQan@|3v*g>9 zb~~?8y8$_>M@WrbnpqJF@&faGxtms?X z>YN#~0NWhYlu{W)S#JK020X(iHuyxl{V4?UU3*%7#OLJ=Km$_F`kuXaYOoE*&5X}? zieCs|WOU2>D55J797Jhq=G)<3?l^qPXKqJJIE;5IR(V{%!r)tm@{FCmq?BQi;4lWb zoH0*W*uH-x&x8>qC47`9y#-upN|h2qO%$XBLTE`KA<3D5y1VB&7w6(U=iHo&-3PxmGw;0R_x|3= zOw*@^R*cqfu@53u&u(zPeDYV=TF7|g=J@(UZ?99F;byg=J+huW1-8Y+YqxGW@C)O| z^}j2p)Jj$j9^7kr$&i8CZoIB#*5q8Y@Bj>X4>t2h#qI0u@7^vMM%DZD&oy20D^k#Y z*;4GQtMs`3HMli;%8)xaJ9yB#YQrP4n}n%q;e8DOeC@q9kKJFZM_D zoi}yu{U=6kDGz6+bs)CA&~>b(sSw^n4&HxOrjyEr-?Ok-ga{`r4`U$4!zIF^FOD4Tc^#VXpO5q%d!D|wb5lsIUvWoO#b zH@H@d0m5hR7x)0*(^Yw)4y*5>}zCoWVB*>{muO<`GW_P?q)`3?pS(I@7h1NuVL=`(B8XggB!7nmvua> zm0N3PU5|A1d0*Zp9%w-+aDY+O2ui4wrnAhJ(1kLG?{WU=@WGC6A@gGaFr}uEtfHw^ zZ?cDHygY;Yd+i#hpRIi2V&MjoWJ1o0`SHE-4Lx|T#(^i0IQ+Z_cmkW#d(w2wmmf`y zwLR_g_5|A#)9PdGfy=w*4E1}_Fv+j!p`?_ zqjy~+SA9J9(fY)mv{QsA;TVWa6b@L}lfq1bDC1W&-=DE9wxNaFEQ?14{@#hzU5|G$DvjkU*h=B&9@ zj{&1tWpP$AgW7yyBB-ws@m6pii=nm(>Z%s2@TW)#cKhG6-aKGyCIv06j;fk_-R}M( zn~ohH7gd%dm$2r8DQ7L_dXa`YGxYf~SLBi)HD2=;08ArE=85@zp+zq-)8wL;Rd&Gx z?Hw}Bh?xs-oJlj{hR(MUj+6d!Hg1jN)5qwpZR*UpT|ubC^aif(M@$~%GVEh`3a)?` 
zq~b+d6HSEgUDrj+-l_>Ir(qgPBWRuzi=OFrIR>WB8zN<{FG?fP;b~Us$_fZ9t(imz#i7>9QAJ{cM{5JGFcESZ)dVAks9&PB&AEtP-1?4So zu|t7@a6^Fsi=W^Ux}oFmp%QeYI%zHeW9U{DM=u@S29AR@jGEX*_Q4Nb8YVeq;iRqsfc(r_aeMn+Pls%?8_0%QzpI zzR0W$e=3>3nktidJ6fabqYKHqpL57=Ch2J(arHWhLTwo=46sLOx2mhu&(FH& z{z?AGz}zr=dTrgoTZy)D)Q_07Df&^D9OKpooM~JmBF_0*3WGz4n~3FSEpQnepIeDR z@z|^3V%M|}z~@=itpAJDs|Q9Kt<&>@VN2)X-Sq$zl?;bH8#L`>MBLf>aMMc*J&0;x zDYWc24@xw{O(`zB!rVye$GF=`bsIz3rHNI$vYopyIra|gt=g%q*}2k?ptm8cBD?s# z^Z?XCd2llF@1{It<^D5$rGY_aN7J?xN7f$bAucE~~ce;uE$T}q_%ou!^~k=1!UZ`#oc zesSk<$Vb*~cfLJRc*llqG2nJbe=^MBqI{e)EwFFkiTCHSgT>^tap4HUPf&@5@gq4C z^BKP&#d;l!;-Fwfvyy|?OKl=l&fp^SC-#{R!(I#>+$(ijoup}$KGbz8i|cCii{b0p z>H`7r8apY*;M?b4E1wnuA&mzpae6816VAip=k?-9=Qd=PuTGfPGrpC$23xVgJv{^F zWhck#7?;q7)}3nSPWTVFvhcNjWCoAsqd7hCt^&GUwGWlC)VO-4*Kw1zT!iI5tR?^H z{3sOZK3ItDzGViFr3D5F=6#imTRccm{aY4qiXLKEgr=U#qBF9RxZ}6*=Qad6&ign^kNOp}a>@X0fUR2|8*kb$ma%JhiUnx+ zNfBd=9HSJ*a>^PNxEZ7+YlkBf>win?2yIQCqNO5TFQXDEqn$epasO4N z+Z6tjKSSQ+o?8q~lc8T5jtCi}1q{eMZL}XYX(*BL9gpD7zA=FL`@=u8Ih@_N?!C;? 
zO%ub7zgNGdF>^E&MUP!AHMgE(<@5bm36Hbj_2B68#1}AUUDIgA>zh{>&R#aSkytQm zbiHhKZb{;)pEjr>1&sT-+Ro+ai;gU#Dbu7;pFJyB07>SSPVwE5yANg8-A9n${C)$& z#_kf!=9YC^pU2KhaP*Nan)fi4@Rdb^f?t4(sa5g8IhT=>h*&?AU0i`zNS7+L?O zq;(;XCBQW4Cy?vbSdzK*wg(P^PI!#R?P4}QE!;IwM{ZS=4e3%Uj30mf--Lb(sR4E< znBAA?M|dQ7XTzIzLW2EX4k3dU{zMTrRYz)VX9z0VaUbfmHjXou|Ju-wiFh#KY<&H* z^9C;n8{xW|yRf}CT;{0-GRRYj2~+)MVY>=WQV#j^1GBh@G&0%_M)HL% zMb$Tdb`P!`nmkZWB$)#XrgDE4_0mKcgOL}A#DqS?loUgLegouVqTvE2q& zuHNb!pJ+a0w`f$$cL6z(2(pe}(bf}%CC z&utk}b+$zQ9V9Gs!qOir_^#`6>v1JDhZZ}v?UkC4e44|fU5=uDEw`vtLn=BM|?fLj~-nq)TB0_iI_c!GH_8->F|HzGBgcK$P6}(r7(XLX+Yf?$UlystA4Un9Wt|3 z4Y%IxmrRc=S1@*0i>xG4HPkJe!ZZ==ka3^IUT!Rvq_7u>Ic9YXVsPrRBr-OR5wx7nS z6kQC$)T5DcLg$%RZ$f6L2j8AXmA3#*s9vi`X2vNEdUon}AQoBajG28{{H`hQ=X*n$ zj5T(bD^-;mIMmosYO3~Jg?Y#HIWM<($q#Obv zRgIxG|7wezJcUH?Ui23iTXM-M_8#4#oUU;i_f1t|vpo`j8NnhK45C82L9>;1R>gJ@ zZwE3av?uR865hLB(mX^@O|-%0e_x|Co6?f+x1(Pyls_w+H$B`Wj>c^bVv|UTL}^I# zx1SHOKGSN2KwzC}BUm8=Q`-Z(C8KB&?|%Q^!EmJh$%hS95AA297&Hm@_9tF7m!D%# zT2;M$hE1_T85loGpNPeY<~h3F(F)f$^!a&o>R%hin}%Gf>YJ|a-2CMdMUpe$^Xt12Z_r+JT(nGBliy|xclXDu-ktR!j zP42g2AK5}#f9Nk`cX4mXw)4m2TsB0iSBcW`*A^?==_WbIQkZgCbPTpY>DXh(jIpTT zWTz83hX)%S=Jx%E5!ptp-2Rm=_}ScGDhq> zmKGNKIv6%KRTR*2U#u+}>SROF(H?S++s3~%V>Se~uR4PoSa2MZ{@C89af7gA&zaI( zBmMdZU*8INSG`T!(Xl$q8iDz!eE;+4JTbM#7QI;b&~&P zNxOV&uk`ZI(N_NzLL(Yr_?>p zt$-ZOmTw$w&2V+~%d=c^`Z{r(j?6yn#>x)*ZzhL0Prs=R@xQzw&Q~8RjdX8sjAAIh zKM`kq^-(#9oBl^_b7?x0(j^_h8I=;D#<^9PnXR#~sP^p@h6fts$FUNR80(8q7dxq_ zr%rS#@4g?s>eet#hulhI*5#$~?bEThJBREmE0u0O3L))7w$Wq5 zhMnW!^haZHb?jTvxkVjIe%rymBQ6({qNQb@i>nsD|NeqEcVle%*g?pL+yk62we_E>NL#=pO~e$-kRScnnUa7UNr-p{^N2^GrnRV4^Wf1OSPzVbVg#?M08>>)5B!!Fq+~ zLj_lxeJ&c>&C$Hr+L}*c@-;Hq=XyIrH~l}%0szLXNt|j^LyMAdBjnUfAkYQ!qs4sPAIpqEuhM@Yy_jtPB*`)p_FoPJ z6rHv_C4Ml#8!bEA=_A_VqY(!l zMUu)^KQB*1kqRCyH~gY(-qibok(jy8Vq2V?{7W?J6Ns-n5RVoj5yy!YF`tVwjh&h&UC zK6frYz@aRQCTEY}ll9?d5XjTDePn;Fes&`!HjTPULd(_J^!c@M&~LU5348TlRO<4T zS4{=;rV{Uh6YStx%zsEq@fE7I#|56M#3gcb7VJg9kKA*c_=@-L!}|prCEn0RC^8lX 
z;%Xcq0Z-DcM;^=tSdb(oo>72}1e(k%h&&og9hY@}orFDVjuDYAo|C34Pj`Jac5E$2 zt3>}Q@g}5U)u$CAOYr&=xIN*XB>1#XTyf28Zod~Bpw~LZPWR(ji9cL7fH&q>nl0q> z=*)3;)N!yWM|MOI*EC;@VbXP0B)7RdF>s;@ub=B`R~fUZ#Yn{QM%N!w;jAv-*5v!IV0qZa<=3Jy#_9il zDVtT_Mek;N;$$2L*`rjMW(s%`uHf9Jx^^;aVk+*?n)ZE8{&p;Rtui z*yn^z0b(c;*5$(anC@S5;UX+CQ_PMX?@IgS`DIzKf8Gyt%&pjS--v;h*k-8xs3;fo5DXy?RXi zkEaQsi8rcR;%zJ?8k@nFyEncN?>Bj8*aN8S^>zQRHZ#i`*m*ucTRf!WZTBXz4P?$q z(rVC~OMd0_Q{3LHXEI`&%+BH`h9ooF?)9_2Vqhtl)IXt3q9 z`uog^O?tz|#lpUrDJ*?H7(67QlX=-L;Nf#?Y;0o8R3R={TjE_=( zQ3~vxw=WJ;$s5Tg&g)CuaZdqq0H-kIV=5SRVN&kkO2)S1*L0{^vOY_PM~lb3HaLbZm|2B{jljVWL9FFcTS&I$Y*) zc^xiGxV*#8OCq4DvsUG4ecL3i;`Ie>isgc~gfcNW;5_$YI1kAb z?jEQUtMFcPV}@hTZ(+}dr6Got8_?@dH)1&E7LrJ{xG+c!^*BZS+k>Pi)u!06ttLqJ z_K{Fv4p$2+;KB3$0-FvKWSgSTb!+zA^DxL?QS5HAE2eDv@*VC%{u?_kT5D&RH0l40 z6u(pKjML(#Fv9;dLDCeP3GfRMKfZ6iOM=O3LxHMs9H1B?FCwOkRW{mzcviAMQNE?Q^upk&;ReA=gpm; zBBkBB_7K(A9t<_1n5^H7KqiH$NBhvb|f)+0g zQ}7EOIsqH=O-zsnA2@WUczxJ@Lfk_R!~8f(D;?hZn+Y;Q7wUsqz`nf$P(bfSgk0D& zLt^l(o8-zQS>g)71aX%V{iLB;+SNjRu?Af&`!Q7!@Fm5dlavqJJuJly^?-&JRvHRe zs5WpJyp{_03bJPB-oh31%3CP@)6^CNBBcAkAvNW+xK~}{c%4JUvLZM!_`TcDNHdg{ zg>~GG%U~pT;_Qr;{xVGU0@7O^%X2Gh?U0Rgm8RGN$Fjs#cR06^+%tv|fihA3CvgRP z?n0@$FSh>>d=`iNo8x4PSCPqC6@-ybrAZv{ z-^TLXZbi-p`+^BlGEl%-d4$omJRxyBg;5pHCyeH>&Bt}tf-ZhAg$h$3g9kk|Vi8>1 zMTCTP)BGe=FuOVv^X9T^kwK_VYh1x66AIo-63N=T2D$R0eb8`q<XA1Q3pZPJK%nCaBJ5fQY=By$@{LukvCg;SNO$Z}27>g_-E|~Db1X;Fn zVuAF)XqJP)U1(~%hgehdruBcwE5}c))`<;V z$8Il^73i7{EB=ED`%g>Jo+?wAH4?R zLT5W2=k%Ft3^EjJnwCv%_#Yk7AO=&DU8qd_jgLhx-Q&@fvpq02k5H@>GT<+0Tf6p$ zU>9jFA9-QWHpzq9ccEfKE@Sd8o|ZI#9wp`LPw~Ex@-?wbEt54F7j=8KduW(YK7X^0 z*|F#mC4?DnzRK9ovv;i&dIDY5#3u|T9T-hvZ0qUAtd% z8oaS;f5l~XRrTiTXT4$1q}D;pJ~UBy)!2lxr-Fw%mLn?zzJ%swMCtb~kdy-fjShUH$X{+U9j(t%w0xs z3+TL^H9M)AG_IIbqZ{7ghmewXgTf$Pcu@U2XJiI>IvlhqwdPx3L23OacB3wh(g}HR zeeR>en|nA~IMx@c^h<(Q4!jI_Q1)Z_$;rMf^}CR4axZZ7FGcSQ!}{wFB$Te zvWA%ZR*HzwFGGRzQf`lpZaRlOb2Xv#ZXYS|>@QpKdLJ-^ZFivxU1$vdIJlqVEc(?l zgcE4aHJAMv*#?W_9uW=Jvzi`I1axuu?Z16S(8Xs{U}SV 
z5&sZR89*E;?3Wg2)~^@@g@vzl+)Io!f*K-(QPn%-O(=ZlpvwVY)UeOE=A$8>TP6h& z1O3)Ggys(~eMU5o8&RcPvZeqxD2pI-S}UImzP8|6B6iNusYYJYSH2J=53=tB9EbJlW*Vn(ZF;)`dC`Hi^SIJM>}3s}zQX)y2Lj288OT z1U`m>1vcaqMr;^~InY|HQMQ-Q=ZdzM`*@;p{wzG0W&jzKr9 z*?Hl2p}@*p%!>$?{v`BA%zdh2&4%?*E@M5^Fq)wr<%g`*y+2gt9WP)_u8tVUoBH83 zwZSYhoahtm-yDXS(I4Sz$fH+Yl_S`k4I@GQ$M`0^XwB%cccj= zxpgBVbo?BhC1vbfB^nM@Tc3P=<6&c>{>Zy54CdVZBl6V`tx9uQN?-+8RbE{f6tXdY z%ZiT&pAhvh@h{dxH)w5oE(l=qFQ)XM$P{%}bREZ>o~evb7NvUgf|H}*T!JO8(`cSP zBk2?$%0%JXi<=yigk-eT4=o*Bml?hm*fT%|y`CY~NF|15_`%_r`?@L!wB$it(DBiP zkG_wgA(g6~1|#p3gH9r)At8fZJkNn5QJZxAq{Fp{j16vWmIl6`6~1@*fey-;xx@o@+RN z$DAJ#P80jVtOtOZgAcaJA>>+wSqXD~2yGCQq}>J;s~u&=5cKUHA5@UdiTgqhe6v_o z=M`&oe+RY2oc#wOcZzdjC=A*O0HT)*FlFrmxcVC8un}Y#6r7=Z0sl`+yci&eHAwc_ zgTpC|F|~`mivCNruk8F=st;tOs6)3lc1S^%p&T}u&U`7;|6H7GC`v>6-~3<(93T#y zKE@i|`-;wFZ$}x9%~rr)Xc5(e38%uKR{|SdBCp2Rdz5P^U>E1I%?raIOO%$z4=afh zetn<)Fa;Qa5`VrC6ZUwa>*h-Ww3y<>Gdb(~q3Xz~g$-g z1Xpjd(LN)N-@rwx8KFH{f#uV(Z~&hFg@)f7roJ#D>Q8=gX>K`!H4iw)P5t~z*0%PS zYEK!c$WUm|145WS=8QA-3M!QLxWY18|B5-M$TYW^##!>tFNTZCCck<*8~AUOt&Yz- zQqw$cKG1vB8a-{tQ&v+vdWu$s+SUbQGO^z$1> zg_R&3pt&@(9%NSjCX~Hg@)3Ty3{KNWH!n)aD{2s4{VRn*tj8J{h;|mc7hmLCjW^@v z1Z`?oWb}4o@I-zfhohre?lVft3pC``DTr~kg4_=vzGjnc^G1XK!~@9#@fWAVCPU4g zpOZNUrO{sm*R<>j%nU6abB1xpTO?hmFJf`hgb=O_2(l}{~=R`w;;J#NG% zkrzK2tmP57c5?KS5B^ZD^}@0BJ!4|@K7xY#o1*S)!q_I>{xH0H z^wMq_H|JuyZhpRqF*4bJT1qW;hSotE0ymNCq8lDMm*nRj(BMa6oM*rCp#gr+y-#zp zN&o<#5ftf%FiQ+t@(HbeMiMZch9nP~u4H9S^CvofMv`uKix}&Pxg}rgdnRNmu3W+S z_a83ubm4V!^ApZQoYg3wUk`7>5O%^sgItcvfgj!IPMr-V07WPl*!Y6qtX6WuC%Y!F z4rLS&;HGSlQ+RQ_3T;g0|7}puHQ)KelN-X1K_E9MuDp&xUG?qI23SqoaPrERgAam4 z6Ql;L?NCD1O!Sw)Dh7krYKNQ4os^Qq8o=l2o-{u{PWo!mTZ~G0o7#H#_%;Jx_(6Fb z$9$*cK@_G%s;4lX#4JTlC{~+(Gdvp10)*Fv?!6dtjXXT4@tq#jAZYu7UkK)WtSYH2 zUOKSJ79h;=KzeuiWX0hdj?DY|qr^yn4#+N}N+5bG4>0kxPvF0;g}sX8YlVYK$eH29 zW0Y4S@Erq}kjr%Wpc612sY6lfA1JW|=Y@2E@VNysaJ#uRcy$z2dAbk)3Hh*RM=C5F z?jhfrQ+!(&&Ic?Vu1cgPBroE75@dw+lW2Tdwq}$5Ob@+T1~r#d9rzVqznJ+Ld)@c_ 
zbejn>#Jl8r_s929CQS*+B>~3aM+%xBT0y>f(~&Evyr>ICk%5FE$+!>Lej{_wC0*e3 zX;kgF$C{f8WDm=ra;q7O~F3+zS(Kv)!RP+jH!x}=`&vwWT4pH(s=ESnCi%d zx|<+dncY63jTZ)EcfXsCF%aq*Fh8+8NZ6WbzXQjukw>_X95JJpj-c4|`?v=tO@w+$ zq@#4nApoumQKCx0A~jkH8vKO2Z&fAW90W@xKj{d5#PLwq*C`Cs`fR2dddW}2X#x*` zV~$mMLGh%80X8XdX$gflG^f;C_V+jnW!0RjdSPZK3(2gdL=c(vO(>^YOVW!iyLly9 z{JYTQy*$F~E0HCh+`N}hNI3B$Y0>-oxBQhD;Is8dB55gu59&h;Sy#RQcgCCX4tugt zH(e5QziJ}Rj{Ov0EtFGRkE{N}o4#Gz9L-HvkVk|LANC$CihSaACQ$5D)TR0I^exyq z6ROO%nhi3LrSa9#8{+|MC3-LCz#$kSl)1#>20xzFGt9aRozbxGOW4CXf~Q?Y;O5`T z25_Fzd0$b1d;(y+Tq?SBYiT3iE`!^Y5zG>QAN;~)>55?B+AkKv^@S-D!HxCtx5K&S z)!+GwY(q`h`$y{`p5(z{)w7FNz93DILF?vv>n|RZJ{R6KnxYg74-$%RxX+MPm6&Xy0EARwc~Z_5xiW-<_ez1!w%$Y8XxsU%JG`79nlON)463g-Rvj0vS4U!GR%{BqyY!q%Fz8&`r8k56dzjPS=0 zY)p`<(ou$aaP|8LUFL!VO)+{s^thkoC!HnE6RtPLR2KHaoVwP7DDu8H2|>a&6`$ak zi*s9A-j|(@sEf?#=|l_6o8Cc;oQ9@(_19a&AYe%!TT2fa{LUz~b7x`L zg+1}2k;j#H)H$zvXG>c2wgPG6LK(dqcfn<R0x`(!^ZpzhZK#e||pD+<_3wliFUosf2;EySYcpGKqBSMl0h6qRZaKO+I| zHU~?6i}rv-cxYM&?Jqq?#pO-AZ9Ke>ShnB?Z=jNWMm6W20R3Xvixcn*IC0LwYoY36 zv})sn2B&cZ9zh0%L6YoBr(=q*kU|z}!vr>F)*$IdSJuczoY1II8C5f$C?_YIKfD8l zJcfV^^Pvh3x#&vsVt2?84X2) z2a7nmuMcW*WA!sxnI2;uVsP`$sz1qdadsY~FR^~8f$jvx*yDyskEs`xUkAJcz@nsT zz%n43eWyCltJtP3(-_kxO?It(EEWs-hCL%z!`PI`d!tTCiP(Nh&v?DLQw()mJ?q27 zPLu|t7oaew^MGbb4}*r1Zlj9?uaoD6IOBk(W^p$B+e$je2DAc28gib`koTaM^D@ZT z9W6t8H}G?>;rg?8NS-ME910K6l!%v=FU~t};5x^n0Wt+_Ia9YAMrJ(y+V`Ar#Eb0cE+Q0ypLVfq~eTPXCamCl`bc?}~G^PoD1t?WKxpD_*ho~`!-dqhe z2*+M^Z~#?v)#xsCF1dJT`O^DBP1e0C44qrgF(>>$vPuB`{9)4cCWSG#+Jw@m5@5r5 zE_0EpTeCX^gmh1r?tpWgSC?~}jQuC$dLl4rq%#iPPYH_V*WH}7VgD(c+iV>C9vu{# zZD){=Pb@jizukF?>Y4muBHTG~8+w+TC;F2b9TdtjD!vl$vM@CH)LXPifcD#Duk82v z^T+q*Qf{-ZO(x#eE94#;r{!RcqzzT<;}Keg!)z(GcnCRS8f7P+5F^Pai22c1f;Oi> zp?)9dspGCGeEW}#T2d5W)d~S-Ckzt*3NQSi&qn$dg1?H>DACRmDNK57YA zSs$Z?i5_n5IDMkR!dTP>ID+Kcl+A*+&$N;6S~h|M8y4t4$lQbgg&^mJdU+30@ML`c z68D~$ePIgmu9c9eaV408IbQ&*#ea4wleLScn1mZ7gM!kaWK zCZcTM4H{Y5Fi-iAd4A8h-bZ*$^ny+yyM$V56a0)z|h4cmsw| 
z$0ytnQ~vWp>SWVny|KtPLE9?8oeO`AymhG+7mt*219SpNiZqvE*5}I$KAHv9K72p% za$iWE-vI>RD*N@edLK~T?LjQfn;Io5 z^una1pt4cczJG%M2^CwP@D!*{T-2bv#gpBN{S8)2Fx$qXyY51-b$>-5=gqbM@g_qi zxP<*kYi++&pEl}DWklGd+8H{g@74duks^LzlJ$}Qp_GAEDk>S7H=-}!nBnUxN zk<|I`=KIz3*_W_q0CyFu5l^o@IJW^Rqi+@SV&&0O_%2Oia9gLKt#UOxUfEl~>N_d-5FPZHFmv~uBP`lRoWcTvVTQN}e~#;p$U{@XnOBc>YmOz&GH zm=UzqtwCx=_hvz2(~eU3A%l-HOa3}oG57#vj6;dIe3t&lH*Z$}?>!9M!v3>>Lj6N{ zbyFCWHT%8V7NfF|d3|hq`YSP?)uc&$;k)th@$y2EqxZMIe*~+!e(_(0YTK1pvZ%2A zZq`Ufbox3-pKJpl*+2DTS>aF-Xk%HP&q)6NK(Voz z!8T8(0n!#<&o-a?MLaI@_w@!jH(RR%rvh5-=r7I0OOZa2#u8pfoL*U^^b;Tr@9I0z3DaOm|Z;qOZ@3Y0rP9!80c7XdttK~I1pEiQ~N5v}>K>av; z9k|bsU52V!$H9H;Wbg@a=&5@^mX)sBTd(e7}JUz1po>W z`;uwmy0XOYn+(%T<6O~ryMfzR%Zw%7*>-c^JGFx(y>@ooLi~jFuYaG@M{GO)b`&YT zp9jiLwC5aiB%35tHGbFMN&L*Og))ny);MtVdKTtG)$$6c4zw7!6Rk&|;H24-5^wTm zNiLytIoFb7pORa}x4a;~5Af8+J#vPGz?B6*#l~R=G;> zkjiSZZRU=e(_s3*qJw)j5lepH^zb{{1YY_P6tc_^T$R}QNdGI~td2OTNL+G=W+a^F zkZ;EO2Z?W;*c$KwK8lo(7}G64=`W?PZ+BnrnCjZS<8Nw%z#^-)Nab0U3aM=7v%jAB z4X=`VSKX;(X-6e+9{eS1Bz-f+KCMywl6Adb5$l3V!4YsA`@4<2UEtCkkGPegOH_|1 zh~HK~82d+?f}`Iza7oftuB6wfNL&V0yiDc5!>L!^N_lI+3B943{b}nm2kGM!@hfL{ zOFIoc(Uy=H8knQ#Rviw`n7<{yp1$$hSZ4+g;JCLb(UKYQ;tw^|vZhK$bIVz8slsyB z%%?D2QvoduoI@~wXn7qQ(y82N;m&AAJUHo!0~1~;F7Oo3wZg3`NoI`C2#;*U6;4iJ zrb5$K7QM-KtueFO1}7D@v{1$C&n!-xCN`h16#P%(-G+ct`f4t1?@w981-<2|erBt{ zxLzbq%MN7W_)H1ZP?CIn*%PsmF`|SH%N8jmUPt%MB9~40n?A-)3YzEH$YHGIOepJ} zeZRhATRaudRl3-R0gsh`50OFURtJ61VlJjdlHcqYi+s0NBkIjwuVg_|SNZiW@zj6X zyzCvduJk@p=iF2ODczxEuUy2s4R7rza(2uQBBuv^DgoH6Q_!#~MPr68spl1K+jS;U_7tfFnLD(~39oOLub_y(uSX^A8g z2RTuuzqACy2zQ^KVv1F2Y=8r_GAqRC-hSVp>m9Shs@RC7GN6arWR02>LjDxcy5ya2 zdITmIRP=C%C>bn5@?ZvVXtY4ZEN(o_a>hWbl+5TR^4CZ_3ttiXA)k}ts^d>-^JS;@ zO7pp;`I=k1z11}|Ik_*~Q8~M+@$^2wWYP#~sTp$tj6msv2k<;;KKT6W?4VOvy`JQdkZi zS3eY}BJZ8f4>w1vw^+#yR*j?4S((#2rQ_v`P-uATyDAT+gx{qBks@7re_`DBJa7av`Z+?5f38Bh={XFwZ3Op3yvlX*z+{{ z^B!fdY~@`yNrIu#Letgf!x4p>t6aD`>ciZQU!r&%nz|3kX)rMIPEPmJP1kE#j?&~v zc4V^o#mY0D#15&}9R-eLQ6vzzz5Tagr>Y_++Ym~3HCwjDIajG5Cky4c@)6sX!r<8X 
zcZUd2<}{&O)+om^d9*jI^VRV(1Q|nHiI~ynMWT*ezC6rA1tpiBu z?C|}tNOERm1NRamDOvqSM#c5G9SbkMibA)iD%`UF+jgO|Sn_<(bEq*(`o8^=$ck6~ zlf?CJR+D-IRIiDTjTQ^gaCyp`UeBtGVO1ni5uv>ao4U$!ccKA=I%)Is@!BMtM5Ekb zj0#&?AP+|{gOKMZLqQ_EyQ+2S)vAa+Ppwv`+q8@72P^-o?c%&)to6CJmEx#TT9Kc_ z;~K6vyG^MX`WgIc;hQVcS4IA8TB~w)hBeO%vQwJU#Ksf#U3;>>mhh#Fv9;YlC>W+fCv-XlTavZAhG*`h1gx)>I znsb<`xt7AC8TnM3Mb7M}%)yHDL)mMr6Q2+pE<7s?m?HkK+}||2vYHbo!?k0V=P*xc z>!dbtckjhc35`P|v^Q{o+vpWTE(r;#Oj%pG5wtW^CO2Bk>+g}@a51S1jBeBGSngBx zk23W5a6PkkG0El(6TvD=Uu+hzE%yeh{KN)6IcmcEKFGbQ!k1{|zCAw`X{D+Qrb02- z<>KW>2TxPi5A!uO&X{K9hVauSR!i&?SHFR8z4F%+sO1%V#9@;)u%iNxU*N%`k51oB z%^Q3YYIgNpWj4kb`a|`EuTz;b)`@F8hc>`ml2dKds72ePHST3&NlQf><9rOfyvB!f zH@79}d>qC$PDC#^vBQeejI#A7(A+H(;ZEf>dF1U`bC{7xYYi;PK0RNpr&m?hGYBa2 z$T#<%sc1{-xqOW#7r|Q(__F!3Tg|^>H>;jrycwG5)=Hdx^SUHEf9kV})$mP^v>n&g zCC?`IO|88!fTJ2wJBg-p0Wx6Y5tdeJgK27IO4gh~P4Ft=1O`~SQurK&!h5U*HfGVRw2;5o{LYQcjcgdT=*bbXMh!MCK%G|p^sL{)tMcbhWN370MSh1|%ku&@NEWU-ev&bEb&1!eH zBln#F%cr6Xd7@4-$;~m9yI$hWgMT#H*PaX_^yhbIMI?WcTd))uIcJ+jP1D|Cze?iH z!*Bi#eGHPX82n(kQGZA_S*hd(0b18$iD5-Z=AQXa{M1*a2t?Cg7FEuCnI=4jm0)Rd z7=O9CM7;Wc0zWVygx*%L>S#yF>39cLr0G&^(z*L$EU+5vnDXx+iZ+Faf~1g>%kW_J z>jjk3Elp1L3v;;$?%pYbpR(q;is!{<@bXUnnFIKD=-NqS?z$*9e0mTvScE=vve3}&cF(rp8+}RA z`f52Xm;C#>1cCG-^I*8d*^#&90{p;i%C+O$k;ReJ(URtQ>?M_N@^?4}6~#XBn(Je& z@?=tuAJER8{bQ_(9&j_bO5#xwjnwMf=L;JbyboSx@5KPDz+p6D(KAu+K*2sK&7qq( z-v>l{9WQ#^<-k*@o$9buA>T)mq=EVS9dm2=PiKGQ98;FFto8P(Fs}FZn$dqrJF&=u? 
ziC&sL`Vt5IK^<*b%nqkVP(8a6etf}a_RAIh*vX&G9X+>&NXufJYgNv#=2FS6{y}%# zx0&H@G(b2TwVKKjn94uLB~&;B_O1Cis$96C$j8%#}0|C zGEujmw^2Ar!e{g-U`&i9ELzR-Od|RxRJ^=C z2R=8qUi;=MJrYXgfF^ znpG&8>H|N&A?+Q=V%(9uUXFg+xB6-V_yV<3NPR!fb&jNda&Sq`;xHoVZSucd{p-63 z-2Ozj>i+dJA|_c9Dp%_gt}dpOl9>lLCXOU<_(q?z$s3OS;ohlNSC{c( zRr&A>FqS8Kxvpv-O<4JB*UR#t@{|8G|^NeTDyP8ojn8^>L%W`% z*S_gkYLW1fU4^B4J4Kr=MfZ6#L@1Wm(zujxFRnnj|v_OPB!-)Po`Ca?=qy@wq| zwI}xG`b+zBn-!Fw#c83tI%9cy90&b!Nc!VoekcFkx0rqWWbLb-Z6}p(SDxE&fg@!f zFc6olBJ?PHz$uneps#=(aHmjxqWIOQ0mZe;f-#!=?pnhnR5?A)NDo)5 zcM5qL40|SaoDvez>oSl0#(p62&6>0mcH0h}R;YSs_nyNu&*3{^L~dU2foDV3ObE=oj#y3{Of|6}eTLpjMjsM2qM;^dmxA;9yTcG_?7jdZIw_-$)d8%m z=gyQ{lACDY_*o(sRCH3VH!$*KZZ@YTaG=j7niJ#+Y5c$m`aMT``01|KnLyPbYis%q z$(9jBGA9cYcb73X^^yYR(-|(e}i{RDxb`8rb=0Q~kCYGwMR zu7*n^v2w&3OP^i#ufZ=cIZKWPsqLejrrrG&&TZ7*9vfKT25S?-db64|S66-p*C5FI zcuov5iGoFhG)vDQ0LY%Jw73X;dyNX8Ne|De3kP2R(ViRBsl(BD{g=|)>zHjBpV!@d za2p{PCu(@<9DjtxYgB~P;R-ce{Nt>yMj4&u%B=dF5AUb8BnJL@+R)mUu6QsUvoD$6Y^e#aK+A&G+IBR>g7Y&pw!cN^PAF2)>%Ebl} zNgM^wa0W3Gc+s#9wCJIa#1_2GQ)}7n*q3Qi+s$06j8?R1=$!6bVHx)P?0aVpCAqD; zCKWZS;3;m{%Fc)GxjxJ0zSG9U!$|KOE`y@n5LF*4HoKNovr?QeKADi6Ovbyc0-AHY zYpS$mN+^Gnw%a-&opykEgLxcy33^3HKwOk6V)scm8(%uuYs>3R*cT5s*dV)Mzdu5S zj#R{t6#&%1mG6};1e*e2I729_d$?kx0Tz)TW$m+XJWn83i!*uQS;NgO&msdX79h%O zq}`y7ZozZ#pU18o%z5r7+k}4_FqMX&b`@tLL~P&z)Jfvi2y+kqaYT*7FLUxQ_3Kvn zYTmgK=NM`IIj>D<`eXV40SpX!j5+V6D~|0WbY}Bc&p^d}y;9+e3eO_LS?V3#3-|1D zRSRlgB~YtGgM}Qw6*8#7l{P`_p{SB%`jC`$0GzlwpmjFQ`S7V90&$hZ5fSSk`ZnAW zzkXB#n}Pa%3Z)TdLbRj63r&10jw4Y)P5#_U;xQ^ikzC_)oJ-E9&h(u8*}Ya|5AE;n zo3LS4Kl%Zd#_$sXK(Xh+`J-H0$t{kvo5yc{?+*%S_=K~cjj#N5zF~7!!fDde4~+;5 z26gLjH=O|4kr=-?dW|1yA(c!gN?nZnYwBQQ+>#lba!>0Q$oGvN)M($7KxxHwwv$mip>8L}$_7 zlrO7i@{j0d#khCyCo4yTZwH^LWQ>6y3I76h%wgqD!rX`O;E>FPH^~6(bM>|&E}Agz zoXf0Jl(l>KD|qu`ql@ExiMqm94D?SmD9gs=mCY%^;HGZ1GMS1yiUL~5-lNti=y!aV z_~v-dmm;|=Et@WVC=!pb>lZGzLTsNtP9RS>(q=$W#hTK)KUOBX$c<3CHdsxo)j0MM zm=6n-!R3GSHa+~9_d~CcVpOA6tl~w;xC2zv12Ly10zRlVxkEVB!_elw2Z|2Pfs)cn 
z#m6u9HLvt-@eIuCeUgAaSpR%U7RM2}m(IaI;~!&Q4db+iV=GD&uKnPdY>fZ7KXsIY z5{?@VE7&b2w+Uans405BqsNQtZ&xRrpY(X$fT}U~Ad~Uh;WV>L)FFRB2%Q#kXz9}c zqlMd6MqVaYVReP4yCqYhAySV8o+rD2K9CuV2qC$-izm#ANBD^9%HwS{G%Hbr*hw0{ zomHItZ1<+R-b$lE#NN>omXLjHa0*_T={5+rq`&VHC0;$%f^qF@@!;3L3Mu5&;O}Ok zi~BAPJ}r(!Y!6pI^m7J}@j_jS0SeZVdaZ6(A<_;K51=VBJzzHnQZp<-#EAXy6;?PO z6m=u;=*QO{Osb*hSCO#t?jm2=KP~Uu2aLi1sw_C%ziQ!U^;0BrGR$ox&q!jE2UO{= z8*BG8f)i9aZo9p9Y%fX6-8r1!xwk;nV>EZOZ1^$j+HW_A+OOj|Wtu>nDwh&!Z!J2* zAKYZVA}_2XP&yMU5*g|-UY0R$Eow770|X?EjFG|-U6+u>58)itZ4p~dR_dY}E`7*t zwpaAgX=W&%NDHnoHJHRgeO{ySgSL$q;4q?)ZSqXO$oNpyPm?#*(+B?7<%?xw`KG93 zjGXn;2`1j#?k=$#^tI1pnL3##p0=*&q`~%U)N%|H{OW}ZJvHT+HOv+2Rr=;%mqLn9 zm-KN1u<@zKwu{&Pl;0P@hREw@Zq2+Ybk7$*1;wW}ItJtLv_?WDE8|WV$jcIn^mRG_ z{f+7<7i4o`G14Zt!{K5-*C#&nC~!_}+tKzux8FEF!Qp~!d;7?X6Oz1Rp0&r8nKKF$ zAVfOtS((1I6n>dHQHhX8V`Y54-8162s(_idn%?0#IP};u zCMzGEvHM6r9TKo8CH~=uFNa)Vg3le;9D%04%n!_v2ng5K*%8~^moC&7P57|RzL3K{ zKTNhcI6xTAb%;fXb*m%CR2TOI@7*<$C=gl2x?pJEtlQK>kMC81lZ1_h8e^(|V6oxP zi1Z#hMsin^R!u0>TIcPxiC)a-159LJjTMdJWy*s)12*IyM5iKFh83eP{xWLdy`lU--t>;e~fnhU(3 zId#Z1S?I%C&C!#FJHpf8bh^yJCM@lF!|PY_nl5#*VPE~fHP5o_V8}g!Xkp+$5*jDE zubMn`db5xF;agniBI?iqa>xKzI1RVzB-$&37jVV(aiyM4u)vYyTa=1($K)LaEO2<) zL9sUASsEM)f*fYgF~!Q0*4z3`o03>_Y+zSviHI|+yicJiJGQp01U&}z!Wr@F8yqf; z8}t!IjtXd}vqx6EVbhZdAC7d-L)6Q@Kn8`j^<2wCEGOsylYO~y;SQ*{j@5jc0PO02 zwYNbfS$D_rU?pl_Q4|fC$Yj{Sq4u!0kO4~AaF)PyidPAJY;ybByRg7A2-aU$#6by3 z-yUXGq>2uT3I=xfuMr=ADXK1VqPn@SrDh~$bLj}VlX!Y_Re;y&bp8A*{1F}QrrCP} zaVcx3B)!`PBvM%qB_6hx-_;5W_A`rsGua@|{nWt@%DEQv4R4tY4~1OxRH;A{(r}z1 zYmlr66C8E^2fIW-Vc!I709LO4pMTgrZ0%8;->nfJ3)|fPQA%mK>$t10=a(wN=CnL> zn<+~eX_@V?Q9zo#T3Z6q7Gnjv)-I5`5zS@sc@msF6YIZHgt-Z>YCu)~*eDE>sFSwW5kr=-usuMl%^(1yUoE5dJuo%Cr>s zX@x>AI!NjzDTy3GIvH%)Eu3DXzE~G{8&dF`E{_>#>*I`7tEG+vWp@pAi7NX#g<_Ts z-p*UW0*BMEnKi-!<1Ks{@=|&_)~H>BkPi3J#9;gnmv?v}l7}xRfXN`wG&X0<}XH7qk>J{^R{s6|kYK%wJxK4izTprXU$SWn!x1-wq zAAmQ89ql6!s|z!0z=A>d`!^Nu?ToE!LS~gD3g3iZ4m(^$PG3na%%mYl-t}+?jv|t| zt!|fjvu%jjZGmsvXpr&e1l0THR%zZtKFz4reBMzqw6#jMsFSYISizH=;E~a6{Azy& 
zh1nXA7+&EwCau;@*M**zoji}y^Py5YUZAJC1y1+jpLd%$fxnB6Q0tnJ2_;pK5N*%o z@OyqYB*iqI()SRD?0Tn)xW^d53*dfOzO2|QQDqu~EXNPhMP+DW&eynVR8-b*YM>bL zdr1qSOg|=R=gl-=p0Jmk6n#N10X7+% zdV;?dgc^v-BTK<9n*HG~S0{iu9fUyR_tK?c#EQNCS&$M0l8HnubAq`^mADe&RY`<`3mDWRk<{Y9{NxbN~b37jU$WN0wKfyO_S`sxemtk^n+2~<>Rc1KB<%tN(I zWlPe$YfN)*_ROVju1|NKgvu12=pTUR}x_f%Mzpe| z2q&WJmfYQrh`?UI!6})@hNf>9VSwPe3j`PZCCepI`YY}6Fy(>%AkwW&1E_L57|e$jmqc{+ zW8x)L?mJuJ)KG!cHh;^qS3EVpP&T|}+)wg%3VI$f)+K+`u7pU*^l$K!V2?4Eo8~QH zuDjL{9l)O4^r0G|8}Dw7mC?e?K%i+q;Yj`upYrx{ zDmbuJSoTF%3Ma)$;A&R?9i9b>@mW03iNL6hoa7ph-AX^dkq315enNlhP0T4CwhYG{Vir) z6DfgyR+I2 zuUj=Nk5idqug0$ku#-&yTu1WbVE**`Fi#!}Fs3$ z(7rtbUi0)1YU=79IHHRTL<0967i#Binp!bRtED-($^NW> z2tUrgIP$N|@C>$NqI77zsn*RJtm}F`t<;K+V@op?*Y2K=unDR#;yDaVlEFm_O#hJX zPF!Zd(~27ZR$J6|qxE*|46Tn5;zH})hW`S7P@ z>LO=o-dKG2%9eMPdnW>fI(Js2mG6Btbb2fGdw&}oTml%>wo_-xaU07Fx}_*_#0mbn zpzeByY)R|_#Xrxc-Y&?@IS>VBqmxvx?D{#zR^eE<@RMsun{!)1Em`i8C#J@)DT`{j zE0p6q@T!LG$d;<$El1v^FU<$fN)eql_f2iHBL@Vin{FuG#pYp)h~+2br0-sI*nA4^ zbl*Z5an`#Str4DUi9d}kuBLGyv_;Fl7C&zYSGB6GvVXxjl^XCh_lJlg6)uNW;AyBc zWBk2J_ps7mI*mHDzpBvt;u&oOz!3AHOgSD?!4t5Ta>nGQYY>`h=Bvltexcn>yS=-M zHQSyWS@n?}L|YfjugJj(_dhxF)5;%pD=qE2LMxFQ3)!+%RfsLxrp*<+3mcOme&=ndQ>}f0>6g?n_ zAs~mf#)qnNtZR9vY}xgr&U{v)J~Qgvv~cMz$oAJonx+==6!Q%- z90~z&7A9#2AH|odnqZH4s(8qygKu=yLi*aK)CRQY+R1i|LC!G~VnFjDf&A<&01#I$ zxTBuQwN5sdy)z(h>Cy8vaExM>@1KJA-*T%Rd|}nqzYFt0891~vgo~P|rptX|A9s|t zdRgRqgxL(l$w+$0$-yXS3(EP8SZeB4YHbCy3Qc&^dMvTMsn9DkyH>9FCm}&vVbUGn zTgDNj^l6AfO5g&e3Ao(=yZ28uaym=qUVn#Sf7@+!E$Oyaofgn_nG7M>C(pc}S2%V& zzIy>K<=dSRvEneXmpp03jTuo&96woN8z`eJV)FIb-Nck*bTibWI@GU|87P1B6 zIarxCHZ}d;?J`OfE&eDEu;5u&WNrsYT*<3v;3b#ayC%s9DoVNfIJV^hL$-H`_Z9^QRm)b4y+ zIsBzqr1tmdZFetzN;4ROg=0rb=rxv=9D@#ho(XCih{UcHq}f~?Bg@~l4uX^6e2**< zP|?pUQRsaxLz@>}dhjg{UpL`yYc;){d+MSM;eL#pY87h~E8lE!LsPgkv29?1t>Twn zc0tZ3vW&J4WP9#MWbj`e?*Ct<6jRUYS164^dvnopVUsWLh)jXIcyw0M5x?@AE2(c7 zq_@{tW$|bA{u!{8em*=Q2KAGn2aHw1J}Tr~{-u9(!lv;fV%Wi-*4G_a+18WzA5i~Y zXmxVE)xV<}39$9nTDDr;w?=59+1OxxP@Bn_7N{U_k&Oi|FbsQ{w??l10#HC7`b92) 
zeSUg!)R139%zjnGqBt49h}f=GT(bY`Kvf2l2pGnUY>upInJ?-%D2gtR`n&>lC4Mte zS}Y+5y%J2bs6Pa@(k03qzv3E=qD>0f-<4|QS;O-;KOJm@Zg?%I=2qC!gUGKa)aLj2 zZQOx2;ZjK{=8{)H!U-CBR|8K%8-@0$CxCJu--QM${)I8UkfPJEkzEqKa0Je zB-Gi6o^9iI>RAlm21_Etq4POe<0nDcpmtS$2=$okmOdlB$|HcAJM=@W81fb->MO6OyQNb{>k&l#C z)R>|-BhZU+ti%95aK2{ZUXR+(jqB{~kmo!{{lK|2MmCzws83v+afRUk%z! zQ3U)?*m0NN!%X=?vRX`o5CI#JX2nUoiaz(9>K-XnLno z#CQx9+z2d+qrQEsm3Vvn#|&=^YvPxz#W^SRn60inG6dA5$nLJAXJBSZ@OX(L^mlS5 zC&t01Lm)mKC|((b&X+IotgPHi;JHvPfYfzKpyBoOp`lVjgfV%tF zelUF613edcVKg>(nc6H53NvBqH?l5~{XNf6~Eub$@c+MnYnSaft*y_m2lF5$Y&kJu|j2H3$?dej)_ z@!t)Q`S-5sZUT%o#9&t8r3hCLNZ(Wg)v`JdSAMqZN-JJ*gt zAhB&5bU`;o|It*0SF(bJAaRlf?F)0U$ws?CHxd76a_n6%n&n!%_Y8BVDQI0&`Zi1T zpB&nsqY}zpNzYv2Xu59BZa;keP<;%-_GHrr(1?m+zxEHgT+}wksk)nTPu|(7Xsb3O z#T^*#*hVNVU#|cf*}bOSL3ztK^%Y`^xFR40R%jjrqpJ1+Xh2U-@Llf5cJIa zOr=1V8#+JSxAsK`+&TKO7eMs6c5KJCFyL9rUqvzHV2hvF*|>P|w*l7~)KDCh$+bIQucpj5r(Dz{DkIkm12K94QpX4y=*^ zZVFmGbOr28{HaMP{gKvQ0F`n68=ICsBLDq!gteC|@VT;cd0m*n8p)}MNuWMUT6Ee6 zbq^g7`!b;qi6n@FA%!IhF#YtzV0x1a@C(G{s7; z?hf9Tq#Xt9>NyYWQv3x^n+R)^qIsfwy7^O6Zhxj7U=xgSkw5j{cB^INGo65yT$+)2 zl6&weD`GDi4s32~ie8H}z=soJJ1<$w4P1%d;?-pel2o6O%9Shz3{l#lwK#3UTB^}? 
zcT5#|Z)_^d};su5qa& zczg9BJbh_wk}I0AR-ujnV~tN;Oa}2LVU9;9P0#3jUG)eI7`r_)W2M!1c_4^)euc8K zK&lev&2zM3=O&_{w|$-RmeNVw@EMj>(o(VZSI#F_R0H&iYE?^!tO@F0&0~d)bFuM_ z;Y$tCq)d7}*QbH&(o)&NLJuqczSbN0qab*Pg%m&SZ z;VAK)w8qVPz+T{AEIq(!{-W1~KXRYN9kE&O6m-Kby5}IUs_3-u&hC&Ed@jFM3|kyM zMy) zbtw9J#${KWWDJ>Ii7|7E;Zb5&Yv0uXGuFS5e7yLAh_MMbr+CQLPdx}e?*jMPZ7HEH zpM1%jjWXYeodBD$i*k7nt?;Y`?z3`?IxK{Qcz|p*!|~Fo;KjgR#O(4bb^h{r!Wzrs z;Bn@u(pBZIjmh`#y|gt2J=$>DDtXb=q+?gcoik6f&nA{NuY}s#80a4mp@9<*nbzAz zonoWeMTHA*#5ykTvXtZ{H(NMpOSfmbH;PBJW1{ARYLjwfS>HI~HK-V6fJCl9^AwIT zu71E@#5NI6*RO8#V`|4i>I!#Zq~MqfexZEUk>BHE8w;U+aCqZ|d4qQdT*;+rdJa#H zE5E|nEZ;a*o#WPxk9Gf}hh!J(O0K-cAG?oN(&8>g>8ugq3TlE%`-l=KU#&Uti4v%- zdk;7pu+LIL)}3!~geOW>T@cdN_9nMOH>E8_&(71cB=5I3{ciGHdXQjv!1$i_@%LWQ z2`|MzTy9)~5bW-+XOrfGj3X31#F0ckpdWvHL>Zp=70pusY*h4KnGhoLZc+NyeKoJv+AJ`VegW)IuQcc%HAV>+<<8 z?Am4gguXgSzq>zBo&50a5*Q=ZK`JYD+aj61#&Y#XSvxEOF04oVmDrOhXFF0a+F=59 z`S#9u(IM{DoQLn5SENTYMZa;c>OK`ZUGE~YpE;e}C$;Vi&0?RLGU4f6YXg&mi@>8v zp_#*C*acL(61~3CK{Ju*+k0-8RbxPw(16hKn@ku>C@A-7$N9t7-2k zmaJZ&L%UO{pd;vRF9Px@H@}#kMWYw;xXO)h7XpvOYhp6n9jyEef@Z^4FrZs&*ntEr zN>ZKkx|@f-)}DQK*&g|s2afzhUe=-ue$;3}gwzgq=ilIA(;Bn`OO@p<2 zQrgA=ro)0ht#&Gb@+T>G0XZP#7-3TLO46R8-{BCDO{1$e=5zF;k!@&;1y(7($})6d z1iGuQIeY7`F+l}jj<4=%DGz1RJPeNnZftr6vB^AW+OU2ct~sL{m^8TYkSLLMm!sUi zC0jM|>!xt+oNv#Cwp00B7gblyWRJq?fXGeR(8WB(etYH2vYh~>cW_$*-syOp>D4hs zOox;Rr*P=m8Ypm0-UC)VVUSsr#{nmi&Y~nN7G&W>xTu99!nj|^_WlJj3B^xOY#tp% zXso2agV1Qjjjs0F*SZ*SY;UTo_nz4kTXc4yPbTObVNj1IEv9a-N`IEU#jP_@Mvpnp zzj)>^{PqMlh)dKOrybt$!0dyRWsBL1!6YNISHP-ZXFA8(7tr8BFvAr_|d|_GF$s-p=Zoe2!UQ*KU;ratc=Q1H(gGTLv<%qVpwCE!&!Gz(A8@VuU$L8JO}TgMUb=5;)}^0y#dk9oIy=d zPDeAh_;A5UMmWpw25*E#&!vUJOC%axd}xlFO2rAa8JHs{<$}%nnQU-RG`&g^;@?Vq zoN#@be(h13y3SEXvH0Buut(Mroh@?QG(`-Ckrv?jluEyHE+M5gqd~;$z^}f1%F`Hk zL}|TBrlwAw@5ZJYAR7Lvv+G5RxW)lMC1eLn5SfYX{Dr^<)oEo91*`kwa7A;hs@~UN z@2|{+<_mTTy*o3^H=Z~b@Kwu(NFlIZ0Sd^CD^-bud!f8N{_G8Cn1{M&TdA0I9TQU_ zKgN*DL)eaNhjV@sWV7Njf{gZ!m_~XrdBu{S9#M?2i(G$%O*FI_yXc)*<0Btw 
z-y78MdRj&pZj(QS+$Zyx8OXpSQoXA68CIHQl=I-J&?^atK5^GyCKX zO;PS-BjcIBTcc`@GC3fT*b|V^Q|a4|kR*4O)KA?p5RQdZJh=|fZrcIRgdt3y-gOL0 zcUS;FgnJPypMJKKYyYy0`fP!9Zr5Bad7H9CUy!jUBUDQCi(iT7v^SQ7qNb5~3&B)E zdM*A5ukHa$4KYGqi1iq>p%1fsK?A4Oh$0YqD<*x8MdAJ)$n}r!wb8$J->d^J^3IZ`{dr_ zOQ)8d_v-3wIs5kn8hN39am)pbhuC)RqtzL-kc`;u$wv1^UR?|rlL^@ar-{3Y9d?svl!vR|v%hBIQuF33* zi#}ZFp*O&)e+B7~*jpogC0=Q$y?IHtz660!ybOXpDtwC-`<*)ea+T`y0dqTuJK9dX zpUd(kS$4)?-(ueka4O6sPFUJ~)jA1C&CqFfLz_-(U~=~9PFocicd&91?o@vvt(pg& zFqqVTzNhqycpWED2{zobaF>iwUpY^8Z-pXMlEKs5hTWX=?W9rOEY0gZibl%k8OU?w zB23l@`PHX@$*<}7Qt5KL#FWO8cC5O1roT|qAJBKKiT|I(q*?0jNz^R0;lAu2Iyp6s zbR;XvV&IWezu;CaPy*P7R^u0V2s^Tj{osZBtNrT03e z?g}aK;$NL`Q2v!*-fMaV{D@roulG#*`&Ho;k1Bp|w z{hRGZy=e*ulURk}S;y3BJ97C{MnCZ=r9!A_>sr?X#4d5_PjpwEj*iYPeC<2Dp9JzD z97(ji3ru5hO&)^Wp=k5K;jBqTnxm%BGo`D>qpd)`@^9(GUnXag5+s zYh`q+C0QG->rh_8+!ls1oev0N6uvd(cEMFH{%39bKc6pD;`#*RwbYXqRa@BmdT<0V zMHY1P#9EGO=d}AjQQ|sk2-$l9OpoDni~p0nDJB8Oe2m)Mc!z&n*T8i()As@G66)(= zU(Opy%Uvfl{$OpGd-BZAeXpZE*woSk9U}mAbs@c~*Q7p14iNE|pSZab{0C?};-4gW zdO698v=C@9)ouS=TNvln+6z=1rn>*!?f6Oa+>K1e5a^#|gagAATm#|-`*CZi>GgA^ zItR_lU(16!_pOm}Kucn7<})orOenDm*F3rAW4<@8HHy6hg~_cYv7BY@ol_rsw1ZwD zj`k~!h0G#fsLhCibk``|)FETsmb=|=HC;A`v@2kp%Y9?Y6qL`^Q_>D!Qv=1O*d#3q zhZ(H_{OCZ=IeMtqowInc2aam*rRZDfIzTyPJ;fPFt`Dz?GEPfb=9VdeDBbokAmt2* zPT;l1XC6Djgfu+3DlHu?b?zZD8A&a)p}I*9L`siZ->h+{IZA zA2j}M4U-_z2`ZzDod;GsrLXN|sc7@&l>#su?hJ8CeWw`c`&xbQSG2ia`8#Pa2+A6| zMiBxXSX-(oSG3ukD%4-Semqge0mD1Zv;Y|juOY~JXwJE8668XA!$O|syt1vNfKlf`^{Fd zZTJVcb^maStH(j@_pHT71?1+vhJnDEOjzX_)3hHrKDXAt{(lN6m9*4FI<~SDkD9Wh z-Inpsu_Fql@s%;<5;q*j7 z*%`IwZ;uEHn*K0e^o2%F?*-m>SUsZ}V;3(h1d@IDjLoNN@+Q~^T{xX9*kQ1lU{_J~ z{QL#fR3L^2hB0RMVCIu4q~%2t(cKsX0xk({GQu12hU?SL`4F)t1QKdxGt+Wcnx95w`a?&Z;s+Wr4wQ_}x-x6*(8hf&cC?pM{n z*%7vSpf#_~Q@?Sq_g78;a1zKZkIv4QM=giT2Y;Sf{f`?l5cAc9&d#7?K8G?cKS^jKw@)Z;i14spAB^t)5HmcQrJIVGLVKeY{Lm`aX(@1+U zKJdD#>MY@A*7`a1oIQ`-h%X3_PC5UX-ZQERm|GCxPQGXDL&v4JRaE;s~jBj4%CU17#nOcjGe{&7E*ttFUTpz&z|m?lb&;oVndakskwy=jvvf 
zQs#1UU^Jj>I56;VD=;X~6*%Y%8W+$9GCm9p7WDf8^cBs9_>Z?RxY>~ZaSguso>53e zL`n+ut7770W@hJXY47p|Ns(5{cM5nGvzmGtx7X@FNfr5%D^i znsY0QivP1X=#G!X(#6Grn}NaI-JRZ@h2GxDf`NΠIDgnSq)43n<4IXHPp9Babh3 z&ZPgS>}^49y72$k(EPLA|Nioy1$i0XyZ+x;@ee-#eF|bUKLRhqe-0Yx zhPzi43``JAN>oVI1N=A>HUr}~)&OBUsak=v3wQykn3&fO3Ziy+V}|=8Qn~MyL~4Q` z!G#KBJ}I_HpS9nudEW_i4#_Q!*g6gAq0q0K`SMG#x7OCyuFDm+ah%CTk7!grQ-1tF z1paRl9Bg3fCTDojcQE*WlL9CNMIim*$OIw&b=m~w6KR^d5dAkT6M^I6-sAmy0y#kW zdSYTJ6OHLMxn(WDQ=wzkQN1?vFr^XzXH608!k9L3w`O`L^914D0l^#@Ae?uaH;W?tz;{ za~26Dx#5Um=zY-?dFA!q1X?Q8qCV8Fvq^~*i2N=CC}Z6YryT)*Gt8xjzSz$?e+J?h zYK*7RNq=dv_6fi-?)@`-FgF0H3Wdc7{{~ z_2MwWq#4u;h!`+nl%TgU9mD$+iqA*KF15BvbT)DAq`u%OU8NcIvBi%1QFWNnjl@RyFzfu-(rXVL4d12I33Ra zcOECW_s(svusf6gJ9%*q3tEoPLO(p;hx=b7K~{2*7-021Z?pY3a^Qb!{9iu)-yHb= z$?QSnNnhiz|M?%=2+=omPM7^^dZowf19Ex%vsNlB2K_`@jY{d^L~3%YX)>kbN=^K~ z%OP-IJm5sj#rsd2!9VT?#5S%ESe%aLzepv~B#}wQFCLAowRx(HXK>L*ejtyx$dWs` z@s!=i1NUOR?;l|(v0rJ*@n7*9icb3n^F*Z}isZABGkM&HKwlEw4$mtr$th#l^~ASVZ|vOEyR-F_Jc+oWd0QZqIJ5?iz@~-o>E4^okypg} zyQ~7q=8UeP1WH#t&0JIJX7@9{RQIcVpsd2lQg1k_*?Px|)A6F?-24mHq5dKuRJiB! 
zyEMy&S1r?*X@vgS_>~-80OQ{M23M=bxWKk`drwA;vz1n(O1c9g^k(sFvBrddr_t<) z-BhX5=Mj5uIRF-7vHS@im&f_{SG#exEXCJ4 zpFO^%I;+~&a#P^#$@K9_vU0Ye(op=Dl(xjq@8f0SW6QtpCpuRE1CZ||2|@&lfFWG0 z`98ug$2>!SgX3nxVX>IWvR!sVqr&bXP4#u$9#nckn0R>Qg*9vT+4;unao&}+G(4Hp z>*{yb{uJ96gQsCH0)MsDbP<0Qid8T;LZ0svN^>a;@KG+XMy^3&#^taso|(wxST|`s zU4UR=c^}sZFz{%?QOzEo+>_!Lb>B4B1FX)48o)QNyHh>As;!yzpauwAnB~}WglI%d zNK|~@;-(N=OOI*WLOt)Wv=qiLi-|M|eb0)zkM!EQzjg+{;`InVT#*@LFk(AZK3m2kak9UB|gQJ?@aFm0FjdW#J6(7otQ=GHqdL8QyEs3?# z1;zPty*=;#xQFOS49WxAWSX1O?eUkOlQ|}e@XAkbQFg1|+%q2;Zhy61|A}&XefCUa zw+(X^;CPlHTE@iiS#^K0bu^6f zpjxUdXFitxnWnX>6NheRSR+~BRg;WTA#-|Qrcf&HO1s^>;&`={VU}w}=pWml2b6Y$ zmqHi{UJeffh_qx4ed-cD?#-q1tNfu&c2-gH4}?C~k=vt58YrLnj~k7R+=iyjMqK^m zaCxF(?jfLMi^la_yd%d=M=;0OCXn&irBAqTw$C?7A2Vi4RHSMP<*siB&%_TDI{s=r zsuT{JJz{!|Ms$IWV$)<&F2EY=x%JD=hLfGuJAR+9zX=8Waw``|O(xq-_T)3&TW>Q7 zfG@m5h)eYrjLe2TI21KT_*!+6=r28PcLaO|7FBEGB(;3bxf?JbRfrLMMxRc*PSboM z&1MAp243F{pxi*&bQ~T1+CD;le*=%lF#H`O{OvSd%2qEeALY3 zt`{!QYJIftwi#%U`}K9mxa3j%Q)Z!DE6U@*S9w7b#`7bgN80JO*s8dhk(fH(Wjg}!NX~f;{9ngTtazbDXS9bW%@9@pd4rnEehs4Wz=P-+3c_FuecZcBudFco!LQt{JG5*P zkzpI*#|$Cj=V1~Lf;Qbc$q1850|&dK`7FybIL%Q|E3}~qpJtglTU?HE5*Cyfp6vRn z(TapO6RB1D(VpHH@w-mQ2#>9y;=w#yrJ-T```b?257P-=(xJqkg=*gkYGd_Be@ZY& zn#E@FdCPC$W{B=2P%7Bf0v{q3{YH|jCXWO*w4pEe5`v%+Ipa)B-U1=5&5xmnUV0GY z8I2&cTJ75HepZVsg6bvrZkWuJ9NpKf_~U%4Zo8Vg1$VKB6}d9Cm6mgqCjJQL|}Z!Ro?|Wshs+-P{WlBnp5&S@*9> zipF74_ZF&B3EsKf8R3eGWfZmKaXVWhEhf!Dqf*YV7L+pl6m5&vi@k+(#N=V|v)Wl~ z&XaK;z~?UCh{{Q53u_K0{0j;?RFmprv1Ti%o2Lh>n<%#gJE$t>zyBXTg*aP*OSrLGb{DqWSZ(OaiznbiX&TW+Lm zS&<5lvGP*AtsTq1-oj?Sd`hg>V-j~aNB%_n@@0|G)%)?NN@e?MKI_os>qMJxysQMo zR210b4BSIdWO=)n+uh+V>2l|KgKaCXqAhek^m!Ar)APL}m*1cK+y2^l8|@Es1sO;eQEpZis~BbXY+1vj5DT1neSsy@sLW7)yiq0|HXOfdXczW! 
zzYDENE@Hw5pmT~KU=E%k8AY9~-SYIX+=`}FnT@FLU*Pw*J?MK;i*`aTxF_MTm>=l5 zu9uQ}uvbF(((!T-ofGJ`(z{RtI-#p-d`2OyU&6e{f!f$6>T8OQcRz=Vl+mni>gtdREg>keMLlkgDOG zke*Nv?a7Q=jnuGTNuc0Mk@}W@VfwX5W9NAX_~`v7#L-kdO9GOq)wwzDeO;0y2-43P zg=GiV`VPof_}sa)AF|=EIr-D;XGbG@W=f@eF`&=#d2Bwdd*!!jaTZ{AJ6$F(&}S$D z(jNuht=W>Vw)$?e+8K(Io8OXVp!GOpSFlVUmGMvKJCX*b1fU~f^537&C}uKY1B;&7 zwPYmfMeZhs{_=Ic`J;SpioihTss^IuC@DFX~_%@{wKpYPQmhB9e3>6}>?0=acIQMAvw;aE?0&(pUjt z?FrER@PlCFADVNI@J)hYin40H+UX5;kgW-aM8K-3-To8^V0@a_slSH8Q!ss=>Lk1$ zBhqvCzq|;a-ieYRKKHsgE$a<4G3U(n!Pd%)p3}5}lYY?SY1m(dBaEs))P*KCmq5ZJ znGkr(;D-ukS*F6q$%Z>!K9OlB#E9I$v7?-C3-{p}%mc>{i;B%`2|*AD{bkH902TH% zgr1dnVvLQ60_W+4%GQ+QsoER{Nx=4XL0h~G9s(N@*9ur^65%$xf_GV>eS`dhB&U7# z(D=>IIQo2XPtH5k#b{MS)1)bXg3R?6x#6q!nGZq7HIL6{Z?}VGJ-lTlzcN|1t?`8w z4;rG+{fpnTvqum4>Re7<3+B6XvjW){#wP=6nJwI+xtN%O|M){p%};_QGLjHcP^{Q5 zH$1FJVfj;C1()BL%kB9o;H5%aL$Np#nHQ4NRDx=(BkxtJ7IWdUyUXcwPX?+Lz4zC!I(N*6i+yn?m1TNI7ElGh4iNP)vjFq9t7rO$VK*zMHU=)h`{rG z0zsE*xgx<(Mm*P|;$~^JBgMP&26DhSLMUo?2_jKzG}P7BF$(q$2DlaaJ~hNE&mEkv z1;vXoFlT%zyR~xwZ2T5qVlJ3_M58v#U?wws4nF%mTP_E;3^_QQRF)wQ6LL+h(-8f2 zxlSvbT+oBZBg3e$sLXUMS*&A!MM?eTrBPkkC`iM%fHSBI5hY%DRb(uEuKrH1GJ|Vp z`NrllDt#&LDO{r|GiUQWr+50P3=mIk0%ImBkiWnQmhuYOk?iM7SmBz@uyMJ2(jNV6 zS7!jMy*`*ZcuuC%E9Fx!|1F)c>-q8tLFm6NCBp{KGI#C$4uSdhG!Bd88I!K0@12i# z*g9R3ZHhQmF*)G1D{s%vksV~qbfe}R2u>b)BBdHtrB82fG<<1H%!UxEo;zQB)tHQ=)PArQ6Ht{G%vdkasHUgGN!ezD54pV1m zScgVt7HKRx&0?t@a!wh{@Tsm(6$eOb>UNUF9!d{_ia6#I06lxWok%9${Y-QZV9Q(X z%;4l+dr!RX*r9;aV+)zWhY9wDR%vQNT6NjTg2eku2>Xcp3u7tS0;0>54X>KHo0Z6E zGk7HEi!FWx${=Sy15Z(JswQ0A@2|^a-ZZ|lk$3}+@`t7uJ5@Pqv%bIKe#EV^*{^yM z!O!w3zw4MAj%WcrzAH^N)5VS~e67$?!duYp%eN=Xl0)(2B)Ujce&zZoaKRzt=+O|p zVKGQ%mI2Ce2sotV->_!FV0;XUR#FTYZqn6BaJC+2*ZrnWJ2+#th{U3jX1`VZ30p0CGOK@E{aG2%~D7{k|lRCyOM-H}G^N zvR!8N3S(IAMi~Y(nSZDOm^8G5w82J;!V_rNkkbnNigfn#W4Rw#T= z?9MF11lnBl za&F8$JilaKeka*r!tjscr4HRc*~x z)%^}`VPWUDJZ(7Mr*OB@f`t9p;XMc%sFf7jNDVAhkR56pHSoP~rlb2myvi;4PFrl* zR5KKbyRfI%k`((oS{D!`=+*-`@sh~OW6_RCh-NHCXP?TAaIaBDbaF_3Ls!LDwb5sG 
z?w9r|ciDcu-beo+@%uT5i2pNLA?!}8{KgLOAga-2*dl@QJ4v&O%nvMO#5SB^OnE$# z@OFtR$ud9Mf9Jfj4OJHKvGw|A~O zgj@6zB*9J-6Ao^wEL`8gtfmO=VF+)?P1+vA__j+QdL>|;pgKNRUh-mdn}vV0;*!z# z^pCB>X%KhAZy_sUSc!LkteCdiObR%-c7KPg+y znxwtj-Ld<<@|R2*)wDf!yxI zF1(S>ajOs6)%rx+{?J$RCm2g~c~ESn+WD$W{^@Fa87dBzY9CB{rFnueS|HXk^C(1apcSzc_ui`d`zj(&0d;= z8LnlK(aLXBHZ~nA6z^u)AW1;l{g-u51=?(AD+p;KU9C{dSvr` zx}I)DL-|DPdE964^0Wu=R#!;xVN)-E)-gCd>wKHbT5a*m5zr`i*mp4u=tpwI9yU-j z`k{D+Ya-F!;_9M(h50dYsU!+mIUnfoDOzR)D%9Q^{2}fS@8_(iGAL`v+ea zpT46`V{IknMtjXJym5VVY_V1nUBbgP#3O|MW`9cJQCeY#$5`tp>RPHeV-7fg37hcs z>}sOz^0bc(nsnZ0jNeZ@TCk3t73?!6df;>6O64S%fZJ%zB+ji?Mf|;867F1Cq-VWq zE%(#i5oy_**1`2RL2VWcv$t2sd6nLFJvs$z-_s?T#{6dsL@1-g+t01IG@ZeeRZ<`7 z&B2k-6*uAl^*TjMZX3BSpKFEAXw`^f$f5~#3hBAX^2|@-v1%z6o^leyjSPEFuO6QY z+p)HvlYqmF4qE>H)Hc#=TddpUDdhsxS8rT}SG0PJ6}ru*iu!4)jJ&es4qb8Vyh7GnX14f; zDEz`$*{ZhUagi*zTlW$AUepPz=eDrJ|1R(uq5k}iDzXS6N#4&5y@IZ6L-2-Qcq=%LergF!NaPtX~8makMaau4m zp}GNG5k;`t(!v8eO04m05@cKX3kCh!O{_a$k%^2yO_Fh2xR|Fp9cjOBQD@Z$|p;pBo*W zGB(zre1D7-aB4xRIqQsy{?%FSzc=7*v{8>uDqFP>8f|_Y_(mu zR<|>%ZwJlo)+4XwvkAZOqeT{b055kPNoAZvlbAj|@eLm9e3X_qO@eE;-H~Z+R=>h5 zfQfOxcXA^}6R2s^v6eByYJ>q-VhhLfqLPxU{2SpBkS)9P%k^iuQrU=zqGzl2)^*?p zN7Ggad72vK2Z#bhUC&Vx4x`MyQ;%s;M>FHbg}L&#nB}g3dffBJHhq07Ri>X;b<)45 zM>Nhb)e#OK#)G)Ge#zAl?BOoE3M`(6F zO$nOSE;qhxh-LbhK*W92-VLH{$e91hr;Ry_sMM=z#7pX6cuO-NTNJiadx$1g=AMzj zX3ccuK@*~Uq-(_=QlW*6alTPc$gdE zaAf8aanYx{CVJs|<4ZJQRJ~R=y*R5$j)6YH{TaqI>u~Lau8^SK5Z#FSwRRhz9~VV2 zg>0%~(cLYwElk^6wqck>BM&OHjo-x|u4Rd`pd~MSU~v(#n;F|lRT@zNhWPZ)BpprL zDvrBP0OR!axMq7B0`wDiB2{`}>STI7X-4xtZ9HtsEjG_-sCNCt8!vMp-A448#drof zcGbqqR7tJL9~_q!*ID6h@#vzy6;H%EbjXC!%?b!E^fr3f1{Ub5i*Va-{&1q+B9Jr^ zebBve-j&K=6-fF%6_rso8XgXN>WB+O{@A#n&<4G)7f|P?@6c1|=#Z&$+%&|_Ta%~v z&iaXk*||NipaCIgo2K#zBcsJZg>opFzvLB3dMh>O+YRnHjR9FEJ8Rcswegjel{$GV z5zcZ_NYkimt~BIk?FL@ z77~E8mt{KF8s)+9RR4h2tDR_6^$j(ODlXq}b@#>8_EzQ}{wc#|DaIVq6VFx&D2tF^D zIS@*Nw#WE~94^PS83zkvqdgG)Q2!QsqN^{pS8XbmNm7(d?3={PUQZ~(5XkrbP122c z{P$NW7TTKy1B$S7gz!J3Izo$R&RO%RBb9qkUJS2aCv-=QJ9_gV5jBKqG%79KjuaX! 
zh#k%m;lBqU27*k$=@Jv~gR=R(K*wdZ=cP^ws<~XTZ~KgrnieoY^^I2Y5Ee?{4f64?td3r9t@b|nX{ga7ucOpI?Cry z_pnI`ZSKE4;c@9hTyWiVkOx`y&^AiPYweV(n3~1d@n5{>6$hT%dsA+Qe?B27JoEt1 z&Uduom~Q@Pc+NdapUnPQU#*wNv?b~P;bz<>?QopR{IP4&Fh(C@3q!xs_*Q2Dg|*)& z-}hE)A|XxhYU{2V-l4S7_*y-4IsGGMny4*Cfpq~QQ@j?9m*8-S+4bp zIM{}!f*wWdUP)8LiN}}qz@o{)@Or0_WAIN<1RvpQLm1`$qFExoLhSb)0~-x!M=BPA zei{Dhlk(EI`12d&{C$K4`QM#Sdzblvjb|=??yG{{j^`W1dvo%%Yhbw0z zVUY>&s3ERL^Woe#vE=yZ<_ozoA^5xwjH23Qh_onOM_p9UeD%(S!O_lWcRLY(M?)?!WdassRrq#*L9b<-_vB#@-vsTrTIHM*qZGN^+Z1Zy&3v-)(IysuDbofG z2YUJjj~MyO+S=GC#H=ohX>aC+O^P;)-WpgzhZ&hN25#kp|f zjOdE~$zn0Fzc}OY<%;4X1~06i zBFl}lxsUjV{-`fD?p!^1Mkm2UJ95=W=Vo!geZIV1G4E6bGh1!?HRoYEgmFMY*$@j( z7fMq#Gm|H*O5i_ikHrfk?8uh%;%{=!8&oI!@dV6-MGy#loduxc-Ep=N%4*Z8^BHyX zA8;7eCNiYU8~=_b4o|9q%t>~TgPV`vub9v1YVZCIF=b<((M-&PDu5fY51HJUIKdhH z>3k5I+clg$nNBgvz(OWP6;I*&EVd?Hkz>Mp=;2x3utIsdb2T?<9E*vBY0GS6x57(_ z^*AKxH8a_sr%I#n@yKog-wOZ(@Oa@sEo%VIni7b-y2lE#!hKFiFlnx}?g;$Rj-mf&V^EN?Uv8Vjw4zoVzOeyA#QZRYLi>d~>FaV8nncf&4f z-MS_M*=^MadYy)zq3b-ni&WOgU=$Xh8={$Kt5GiU&zx5#su=tr#VpWsCvPD zl&(sqA=OkN(P=36g2^j+!eh6lsp@=9H`L?N9Z8riTbE=gkM{C=_r{2+HPUBh<`j+^ zk2jguAJ*r~{hasufI|`B>C8|tqJD1U4MWNg!0QhX`}T3(1iz0pJP64|v3$trQ-g&% z?z=hdAOZGm0pz)nw3TVXPM8N-vByiF0T7>P6H^#kTxOQ?PRD<8#I5yvKy49FBuktiX>3y2pZk;l@#@?-87?HZ!kkSP? zT<31sE{j#3 zk67VEYKcPk;&{ULP^M0tocqc0iL7}KFPA%%eP7HGTqtyJV%fsm?PnBJrE)Bx3jq*N ziK?*rl+9{oQmV0mkQNo2u0QTcs6QIF^+($8+g^C$}wC5TGEc*SnhN750_&-#k zub*t`?yWk0EmETfS(CF!?-f4W^bB`DdRkysu5ac{YFF%mr8QiC*KY;ahs>Juz22kI z=rfWXOyMgax>kP0FUfdl$8W=~ca}JZ!SoR4SG;|zd2BM3!eS0l9x3I5J`y+lVNEBC zj2e8?I!-GS1UIjGpD#~f`>{(K9d1fhKGb0tKwN^dKI?Xm+wI$mkyzvTNg@Ji1w;0u zjXNMAFrjgHk;|LRUD2sMyRP-BIqUCg6(g$sc4lcVmR%b&i3*ECFuNqeRBO0)j7Hy! 
ze7N9T$p>Z+(e#Z({w_`+8UzGIiXDq#F#l0)F88xIbRoU?22uU+IVVJ7&u?zHfOuXo z0*57eym#g&n?GIMSIh}vt*~M(2`T~1GwZc-sfe$Jbb;t#L7M3nYKz~nhXbC)lZLq) zs9{hbI|=e((Xb;9nYWZg3qU=F{Fnu&ZK4TIWB2T2b zD)v8dukAyKh-5zjWb@x3|W^~LMx7H%)C1~(dsp$x5YGIJA9 z&95w1@Al!)GJ5R1haKsR#X=U@alLYr4Tr2WSb@X{>~v*|hZ6S`4orEYU+665~87wO&UYC^9> ztfX~;p;R(m8b^^wQvbI1%d#u{@Q3Yd%xWH-HAKlXZS!Y4Gaa{H@s%LOBAb6oRcpJnN0qO1@CXr@kSTc)>BUv2-?> z;_lW~pRw1GVMuzb>3sPuuG{q%SDDZsd^uM^Og(DEhU4{q#{HdJ8L5wJb?Dd2QC zcNT`sIRsuL1HxbgdQ8>d5tQew=o^9?R$l2!Z~84RC-m!aFG^?<&gUGEzBG)O3A7q( z=vh7!rzZr+Wc+5MeeVkl-OzjU69vUL3aCYZSOV-A5D5#s0c*3TKLMoR1i_E~>=e|l z^U+Y4e!4sR)DTAEUR^CO34(fBqJB%8DdNmSY?7IH*(5z5tfKMRyQ2FGPWuZ_k6;83 zY3^D^0fn8WSaf}d9EJ>JZko@{8Ex3_o%m<|c~B&v6Rw)?3QKBNeHV{TB&M z4i0oiMUH^g{;xECkKX+ci6j^d8Tp4$lIK7B{67Km1zCyT(fFQ|ZF2vTL=a*X34)bX z6h>`V>R*y52r(4`YIa?OW0+jNzpiNOdZfk6-)(>Cs@WkyBM`|Z^i{HXm2 z#Uts^z>Qmmn%@d*>S7z zhOzPQatp+u{Cop@h|~rGzhcOpuJ|`TG?vOtHE0e$fqzE{7?`$BfG(^Pvls) zF2#6eJhkvF6GALed9&5(_+y{O{o=0Ge7HVI>5Tdp>+u~7DIMs3ocw@@dBlG+l{Y|| zy0yi#y6}3pMVt0kdEEpgdrMmB-WqH@CLS z(M$2%YSMZH?t5LSH8vCa5Bo34r|}-`Z;vr}PA`whRWncV)mvD61v|hP5ag4tBLlOt zZlTg31&^ad6#G|Dp?4NBZZ4mr}I7KTionu zai)u+7~!Jfna!jbK8>VAI_P(pZcM!TYc8}`B-$0*S74N{WST6fH_05?y&;$hc8ON4 z@wG}$=SyvaOv#`jjU<}nq(e1YsY}zL?GyDZ$$7f8ojHwfts@k(e*TGHR14o>>F28G ziw(X-*QY#GiS$O}qeDuU{CYqLgQxY^Ch7&|dr}1(g36O}2HSYHtbv*n?fJnrbJJKW z(%O|#U?-HN<#`vz=l;Vvnvqd0=bih=gm`{EZ7#RxkaC?)Dct$0ilm!e7bG+ikwD0i zn@;OO3?zsVjc3v>l^#zm)aL`u!Lj&6srfZ^P?)L8v;hRrndyN`ANuf zm^t&on9as!wnDQcl92qkIVM%6ct44Deh>eA2}JUpikPn{E;H_n$T2uQ?WyNyIf(9o z-oxYaI&K2N9TXNSDo+wyeMXztd>UTX2QDM6%d$P(ZFE``JbR3C=Vcgn=ZB_X1ogjYtytlwvl`X$D-fPvj;Sn> z4EHSTg_DHu-RL?qWQ9qxs-$Os^0Lxk#XC*#>SgooP zJK)TN+dvOZS?iJJ-BZt~7httP59egs(O~04b`Ej0#e(3Ncm{`kPIT6Nna|XPKeOGl zX<$&cTgBm{tfurp?9bwM$m>^*vIDJXℑ`P$(k-u*!2-r)Yim`Md(4hG6zvBC9?n z?8bT|DAa$r-J2$(7j7V0GL!QjnHclD=ya{1{aFE7a6|tkJ)QjOxVD5`?9%j?(U!T@ z%K4Yi%u>BL|WVJB_Wn=Zu`h3q`OBcsBp?xk5H z$_EC0-i1G*_puJ2^7^9_hLeWNw8XBiAJSONzSCze4?9m3%x}{ADFO(iFd62g8*;@E zhJjZDk7e{&Mm86FrU^fwc;oY6D 
zT&K#DK$?E&O+aShc)B~FKbS5=_prY{ys9s?0TwF?0qcmLTQ?1k(q1ZW-eAusGoUA5Itzn#1&8;C)^u(_;x4s6-;<4N&y{Z{?qw%1bGEG~`9T~DFL1&S}zOE?;% zj_*M!&?d0ox;vbtr(UI1WsmD?8O??Hd{J~7m+Svllm0b?dq%~3x=Bgz;j#?eNk3F4 zvugY|-Se{b*Guyl4$}*R5fGfvf1btId3UhzFs~(Ez+g@BJJ4;PLdZI3x@L>AUg#5o zyGl3-lkkKupGQ+=7E`R?+T2>PrOul`Q9tck1GyEzU%unPEgyllQ6!G|7u7_-?c0;+ zbb(ABFmB3ZK*ras{AH){Kw0x<%o*C-|L!! zy;X0=31z2TX2Fs7R$5rg^C~&=Am~pb{_$S`?&+mZpNZdSCispA7GazWVpfSP5x0Iv zl{H?3IWD(a^FnoB;pg#=lYnJU8`B4=8z)t`Vc@#e+U?telv7oAp-YB>r?R# z+yWfBL__u*x_evm93M6{Utxt!L)TlqC`G(-R324!pq9z5&3-y(b^9DA=)YA0fTS&J zlJP#ewFSCi0_?t1&-iH=DQkFFqzD5oG~!acD)MVNjhKXlTlW%~OuT@;r4?p-ei~=Z>DHL}u@=B7hCul`GuA8ywNCla$R~C+XKGb85GrIk9(}M!fhN zAyWeOtPTRb4g6@ixHS~F^FI7WTtkAZ501s}nH3MS+Q7KNJhHyS7pHr2$bZJEu6sdh#>Dsekhxlee$qz~dH(e7i#3^?(?1NpTGL?{Fe&Emb%N_rtvtp`EJqR;h&55%NDVOxf#ddX>HNPQzuV>v_B8`#1= z{Mh%}>3Nj=Ty+z!je{b>awsji{eUGM#iv(qKujuD7C8W5Qm)TWb8imDR6U=f8oO@eD z?f$ArwaQa^dpVxjO7nG)wViMnZab!7v@V7b1z0dg3Dvo@`jgA=a@$I1uO&g5a}$FA zI`%jBn=>!0nww-NxJX?%A*WBV@JoS0*1YNFv#5tKHZcgpSuEGb9=)W90vctG?`_Qn zlPBb-WdUA=f5Vg2qz>ErOlnzYKR`CvVJ{=h8^1-M;MAnN+_Y4=`Sjf}pQ3`{Sum&&{>Dlr)BJQB&E&u|&C1wX8^jHxq5+}8x09TIN)I~2 zd!(qy*1he@a-lR9cnbL5S}^WPS3GvB_MI9N%4@SXWv?z(8r4T%>?YniWWX@;mSzz> z-%WlMdzNo8pHmx-yVluHV4zF@0kS@Ct2NE(u4+NGxCMHx5=}Bg#YE5?8bkqFA{u#; zaHo9x?y^XC`HyT250Bv7CD+@0so39RidNWWE?fm&gaQ{>dQw|nsa6nXAI!hnEwzYv zQ-1Vsj_{$)tGk3Z0uU)`3ZXGvH}3)F5I^*aZ0!xH6nM_S1dZpbG2RQVDOPu`mp1Dv zBG5Ov{JbG9x2i$r_;Vo;`+wN`%BVV;W?h_(dvNzaf(CcD0Kr{?2MF%E@!$l4OGxnG z?(V_e-Q8X8koSGR@2q>)Ip^2?bYr3nRddl%AXw4*&RjxA}Lm5rT zwl%IRsn_IZKs^aeXilS>eP4id%kGHmW*o%;p>QzvH*({(Ec$|_`(=hpZY%D z@roEcl$n1y66NoaD5!_AS&xQBRmZ{dIaVQV+i@fq4P7;Sh_0rYF zfo|OjjBBlDaX9iYU#u7$%8d-lC!!^49=4Y~84Nq5&Ax^U=NF!iLQDTD@TYw7w}uPs z&`3m_B#Ma9Kc0#3PdKm~h`@iQZ}scL+@1k)|nv;uv>sL|2N; z;!fRzf2VL-ly&>7zYKx1giWFf$i>v;;bGo2yuQ#L- zKn9SM4WSJ@7b6%wR5=nT`#S=xbMUSOk3UWC)juG*Oy4aVuAnr$0h@8Q>lk37iwp=K zEj8tu34Bz`$8hx_v^i*rFCJ-N0aCkQ(x*uoJd z%^uvr)cH3F>CF4M0?@{wFNk;y!l*=iS#{O750ultXT596JH_BPwt0pwFL*m`t|OIP 
zGatoBI|-`$ulyFIUz~o9A}5IUwCQt5cz0w+dyeZ7o5jnIxdqURRm4YoTmx|~)<}w^ zcnH5DJG8!|yO^Bi6qgc4-6#!PFEkDsrG+@RR;BUV0wf78t`|yNqgqk>;Z{ovEOyta zKrZQzdB*ATc<)D?#pcYSRw|Bgw9Ev*TuvHX(d$5tcZ{e<{Sh3GNG9J~JGX_Q-FNNi z$J}|3%Ilnt5Sanjq3dZY`p>#AO3~p&mp?02Dpciq;AM;oeIT+0VeVP9JLv2hd$rOw z1SZ#7;`jYEj2*)4DLE_=TE`(ikARp0LP^==YOI&3ZzqvS1JZmyLI=Uu7W`l%5PbR> zgg`u(>3{zz8)Lzj1sasb?JBDQ8%h-r)XIb8y2?}1tTd3^Su(G&a2K56Jyqdj`$ogM zgW+^dz+S&O3tQGzesKAACMk_}Q-A;kIT478z1g3%GDPk~*MmW130P}2K=$moKgdk= zyEqvAA_2FJwF-y8#}BhGS=PKn-o7Br0%_u(rqR)##_OX;+vYA(F&QpTd9qNBg=c~> z1$imhE=M*1-H!GBk=gG7iGH(>z(moP94hUu-exkcL^Xuc)m@nTa%ld&oPCBMR^CG+ zj{ex(=B|Y;9OoxF3STIuFxH_;<^A_$$N|3$gjMkf0HF1>Tb@o*bkNDgCmKdL4mz7Y zOeWrl=z0i ze)JS6l0KzaU*&E^l{(ZB1BIVvr#bH;KK{Zc@hc==QU7;L3SLkyhb?Z!+zwoclr1{k z4(19nbWdJ5Y}`oX&_!#zE;o^(c)q3YnSF&cAJVj9u#>1N`TF#^8Ce!U(V?yF1Bx|llVP-TWrgX*s=xNe9Z_c7ay(@+8n zrXNwoS7RJ92+q+L1JkIefDAn{*YvWVhZu1GHL4z4PSvI_ZQlhcVrp<^T1E+!TTU-2 z2Eo;8uRlF$m5Wp#FJ$8;1g$arfVyVj-Q_&dc4~?{8=qOl)E;Dh+!?=e?(=GJC$KrsQN!X5A=mc${(Nc{njH~8OB$=3txT!bo#J46X zdh2^>2?X5$`U24}(8ElwJ;EOXFWpC;uo)AFlljPM3`;ZEy(_I$*j&*G-CL(SDp{5; zO_?ijNQjv)dQ@T&ZPSyC4aO*@+`OuaV}GsO3e5(TdPWdTlo3N!G@l+3 z<%s+-cpCjqVdCDL1bEQoUz1qVf8|Xt<9%iLjkZt#tb1?sDxu2;6{~=3>(10Kp2q1V;Re-GcdP2WDFp(K|s_C2yfiD7v`3r(&U>omjCH~a? 
zMNU&`&b7(>xX+dJq@6idyRv%X)wnXh+04z?sZ^|~+!FWv(z6PZ>x?kyEn8s`#OFZZC!< zAQlIlG$nm1r@c6LMc-%)x?j8OMjv?a#8>3aOzGNq(5_!Qh8uN<=1-dn9oSHo)^{X2 zXw>Q5zP81Jd46%vo7pL%XrcR~e&tK*@byQR?wuc)5$4kwI1Bs$A9jwdMnW3mAGzMG z%Ts7}T%1}f*$LI-RsDHfvuE8QA^skSA3%ixZkZ`%V)G+RC*)UkVvkY69G#W4G!cum z*m#P_-vRFda~#1*KP$P15?lirWhLyH#3GUr`$zj9k)0wLIZqW^QM0$`t~G7vC~!`A ziYq^K4>sE|wdsovI;);)WYVrQcB)25Na_+4ZbT>%1^zj z7d=q5x~F*a&5$(cC&yvKE||hJhx`CuMES!@6b*vhl1x-Gd^Dpg3}^DuhOs-uoBfqY z5H^$Aj8TRbt&&Zjst?v7L|j+i`G;wvLSIk$RIcp%wVnO;yu+}K!4z%U;14h)!wGNo zryf5|*q}GuEvHn&czt$_CAVVO+q9l{=?`Dt{zO^y!EYaFrg5_1Hi)CrC}tgSwN^@# zuf5j>->jk+rosR8M;J6t$;9Qw2zte8ykpK!h`)|e!I5_9I9*OH6UV&37+sPp02xl} zd?@%TDhSfxYqFHD{aej?B@YLqcm`~x=12>DPnMb?o3#!4JGV8?aDgwm%jAtcEF>LO z=n}a0`_&x~*)1m#FhA(QGC2L_O)xai-y{7=;4kkF>U_+JzvNy~{OIL-G~=JNbG8Q4 z%ZlxJY^+-Au4)C9?r|#%c)G_+ti@MA6+Op?|RK{?{brqHk6B$!19yM+2BFx zDP3~hA%NyBY3kiN+KN+0oV-SNedY`xf1ax0q;*Z(CFnLU;Bvw2jG}|h0tGj;`|pAk zc@s|&z~Aa5PLkn6utMcOX;Qw2zlf|(ZIsKI)mt3Mo^z1;lKYSo(aF-VH+HnNl@`U^wrzEZ?Bf~ zAQ7<6m02s7pT-5h^=vp1M&Hme_c&5E_?x_iO|+z;bltZ1+uh_ z6!W`m8Vte@V{Qv`2a5}k-{>`InGk>OOOBs^c@0EC+y&(Ymo2q!y_uiXLUEeBGwm@c zEMN;K(-E6u6uz_6I7ARxjCk^H^t^MU&Ci}X2KOW<-97^`Ek}}_u#S*}A#4{kXAWvFi9-n-)%%g*aRiApBV;~mxd~B^fR=2)Aw?18I#8onnYYn@a(2gnBSr0@h z)A0aE$U}kg!&v+pKgoTCWl3lELnQs~%EW<5y&|vE zh&{{1ZO!I`efPE0hGlY^z@$EdoenaqvLx&rq&7~>kQ^BFZjYH2@453=SlSWaj{=YA z3$NO<(1vNJm>jM%E>(K!s$m~JT&5E^y}T5hi1zFi)?TI-T%~0C9{2vcjsmP0V0LvG zGb*e}Gi~nj*+jaz%bTz3{tgv@>~_tw#LDBqNQ(}z5yDC2D3Zci=?21G zDmHT2y)qHp&93&scbPTr(}ffx>)vEge+uj0?26(oKze1%`%@?R6uwKOU#;yxrZYt> z7c)Xk1zqFqdcG4Ovqp#&I2axdQDS8^6AGDUu@nfBd~B;F?00A@);V!+{q49^wCz@b zf`)LZJv|KhEnSuQ7eI=_wc0;FUQwgxKTm}o0yEHF16I1q8`E|+48ay~0-?bK@eT-b^Js9jFOGh?KC!TQ18J4?-W?VejD_1gG0VD<1O zrH(Uv|6osysK(Mv_uTgJ2pHq!sp;eNbY<86PsPVbYz~nP!#(^*_UfodQ93WkjJNt* z@-LteNLgQKu&0i0u>Jcss44$RovH--8Jybm;VwR@(?eK%IJS3 z`9J8||LWxbAfW$mXSa}5L)xg}^5gyW=G5W**~x0hj%`DuB#|uBzt9c8FC-WiU&+g%mMNQ`eE=zx4Ge7`lHHC!ldRWNm`IS{Q?$XzfJiy)aWLkAS zFsxBfE{sD81Xbh1fUHbhsKVc#nO&8Dg@5@&cY~RsktEUHl6wJ$fJ)znc}^J<-G;lt 
z0@wG_8mK3TYXh9Y>svVgrQ!I?xUcNe3W;`%KZm;o|K0RoH~7#0(JcVLObC1Bz#ow1 zf75KbH(;{)9)}ZMr2Yq#VvGbp&n+eTJN$nDDgM9dWEqe1-UQ|AWzz@OQ;KX?m!pL* zah@5~a_S|TOtIccG_vu<(XM-%0MW;lMT2&L8k|Luowx>*ZWRL1@8W03F4xy0HjjpARV3&52?mEKOqRk+~p zRq00%ck@ZQr^+FvgXiia8}dY4AuX{&BvJYSQ{rLZ^}|mQ53u)0U|0f`-4C%P+*Eq# zbYDw;eBPDg9r{MF$MsQP{<2>ksTOOUUnn*GSfwB9t2XMkManyTtpJFe{lN}G9T1MB zdY>%DYBE3uM0xl4G6<%Bg=3~{ zAAihy-^^Hw6kD#d<%VNl$D=V>R3a{-$cjgo{=Lb4N7FRkM+KhhXSvtvjQcGEkI~}` zw_)tGg2tDf<*qj;nT`hw%C8t7&cA$XJ8Jh23Xdc2keDZS-@D%IO;;_}Yod96XyBM= zD%Q9x5r}7#N$MMiV&3L{hpT#;0VyiN(S32%9aGXxwW0o0llKtai5F($x7 z9fmuJatr`n(kyC)p+3a40ucFZui&9OCpG+)#%}-#Qa_L$wh813$rJ&ksQ_#6{xkq= zXd3j}{c9#ZNcpZK9UIttt`g^-WUbw_H=K&Q&YTfpp3nm8&!thoLM1DYQoz0-4!=^k zosGcP(axcN&ur_FjL>{kY;^tVaed5-whW{mG8;XPWKy23v_Zd6mEnH-6+>I+{TM_f z;HmO?sd1MBAA1Ikgb&&2q4_nTX`;vpLJf`U+m&(Ew{Q$Hu?+)z5OYQBGV06a%q1Zw3|n{8Hy~u}E{8Z>_OnMmpf+e9VU-@f7GT`bif-Zb z^MIj^>ni2k*8QM|o(|K`V|zB40<%rb@2+!VL2D@Bk+KYZhOp1qV5xa+=nQiNKRicx zdiCtT%=2XCn(n-Y)We#sKduRYTy63S)gGI)0=q-$yY${}@WBBQBhHm~-}TY*HJd`8 zj^8{vB+2_fBZ#O|%cn{;A3bM#&KCK5o_HhePGnXg<4^P?p>ax)y~dnr@~8>VVE)iD zlySXqrTN)3R- zf=?&J^eW65>G|P`4B4_x6cwh!^N|$GJPpidUpEt0J%$87=@!@l2$c=uTsr z#4CF$Mb+eREsxCAd>&6nkdc_;R`}RYZAoFXL!ZO?ous+mo1Y5v`w#mQ z#l_$90F>a@3>rD-^ssyP5>>Wr&o_nRhFjIdXmL!+-QhBtk0WkqigN&ut^W78z#n)} zfd{z#VeM(ZCQVEZb{8%g%x(!dJ@hlKXK9b6W7=Ua3QyZaTd?qq$!fbLNgF9ki$&U% zQTcpq88ud@XREyuOamIzeV({=)p(7NBcFLpf(FuRKq*?S1v;}zV|l{Fx0}GcECI1XU@ z>^iJiZgl$<4!9mr523w-4zGVUe@kn)s^v!uU+e>1UcGVo6&nBq^|#C>hQY?>kH8Jl zY}=mXSI(GI&+sj50dLxmkA_>~c`IDAH-4WzHQ4MQGoRh`V+@md)mPqKhdk?qVxwB} z>2$8{`Yz*5G1$>EH79CMLZ4TWqguRrSUpjDLGL|!*tw8g!wWz@2*{_}28_vM2sAmo zkNeqQ>nw^teWE=Kkl~(7*yN*YSxyzl0uIdnFt>9Vz>ZK=2S3-Gcdnq&ow^*){@ky( z`m`k#(;i4I5so)x%q(F8fE48!jHa`HCtMzvT0PjgB0Fd-oa$5&W*=YpNCX*HdHuK^NN8MENSa1;Fcz#^EdAHE}d zlP8GA1ZW(Fgk{hhxjQ|ShZ71)pGck=o9C%y7Dnc_Sl`Rj>mNBi_5d{S{>}PE#(A3S zD1G19QU)Hp(g*ZQH42(OjOLH{`QiI4iR{(Gs?a3_%bX%7u{abfz3m$B*9!;&n~B!3 zmdI`m;5!nz)7^1?o-5GP&JudU-F)v9(Gp*1i$}9J5e@Sx4esG|RpPp%Hsi7$MfI23 
z1fmOFZ{|Xf{i`tXhIOz#nI7R;u;JQwrKR=y^*9k?L$jqkB|Q&yAq!+9iSh1BTNygA z6ZYo4*ANtVG*dJ7j_1ANmfYO$pUbV}G8jbaT8)cRC0@P{W#6k<*vZODHkpYGjeRM2 z)rStst!|g=+llzMXo1nc>_2;2=oIrFrTo!zz%Fyb83~hu(dLEM? zk3+M&C$E^O2#kSj`KDCzZRFcK4eO=G_YCz;6e%^kd)(`szGje?XOH)27xfTRSqAF> zW>lqRvS#9(MDSEy7s%NLSlK1noLoraj*m84f+Ls7yvJ`2+v%X!q5G5G$(n-82ISlC zo>yGpjCyIhvfQisze>Dmjo5D7JAUUL0aI9lt`}({)AAb2`|17DlUam{@-U(w96D4- z2JLLKQG$TgD;Q2a9_EJ+>7Su0yq|UFs*ba4?ALBcVP%}9e$ouWNPs&(y#e^7iCUsa z^sl}iOGJ$J45nPx&H|3opW*-;`DP8hvMABp4?k+@G3a9{aV6_{GT)iJ7C>n>j}=F>%qM;Qi^2y;R@Tm#{c4lq4t6AF*8U{6eZIo3-MJb_BV<=Y!7&G zaadSJ-w?!)j}YQnv*@soKl8}Q@-CJdE|xrYV4%FuQxd#%-j-}ryD=q!6B_2{@8+B4 z=abTsD1X30K(>1w9>=Jc6yVYnq8!~qxpcw; z)fkT(|Fm0l_Cn2l17p$NGPmCx80_rLMc@iuz|~7`p|>+89ROWRH(>H{Eu|aTG0w0z z622X*KYYX_gMDBQf8NNBq@;Ja3i_p96L}!N+zo}|65uWLXdp`J2bW4H;yu#adUR^~ zow^qF1 z?{IUF=00lGyJ*6qb@tg4rI2Rh=>qlJ1G;2gP4`!XL%P?v znxTB3ADn`y?iRI|MMoecnsBsjb_)+3og%AMeraibR$aGy+#|FZADBH~KqT<=@-Ey8 zz9QukQ=WB!ukJgDYD(JtRuC~7*5^or@_7U;T(x#oCj*mg??N?I=B3n#cSPGc z-XqSwBap@qkf{b4s1hS&oNLcFN@$jz`)<^xm?FN86A{a(d7;8i$PL%4lC6nYEM8`V zzf(oc!K8_kP0K_EeswJ+tk6T`gI?E73aP7Hbzj~g8ek&%;pQc{u^wWXFMG(sD@)QX zqr>2wNUnsIhWNJj@;D!!^6?8^)ou}(__YooWA{jEN(F9L@kCk5Iih0=m7|hl(D3X# z829Uz8waMEu5Y73MFx`|tW3D}_Z-8nK&cAa3%8@QN>$TsQNMOUBeWaJWdstz?`=c2Ls zWZ&egT+H)g^?OG0xR0^l-5j=a{2R&7xJvRJjE99cXOkh!`R~u6R7(zK6syw)h4gD( z!4yc?-`B)LM=X{e%FUj=N0o}SGW|LiJx;!RhG{J)1-tR5`A;jkxf;pJjNvZ@81;AF z(l4cA#k}(iJu{UNeJ(e(Uzp@#lud{?|6(`uW-A1#JkUSyhj__) zG(DTD35j1z)_EW_OBxeqWU68^Q>$dzSXWp=0DRE<=A!|Vuy^r1RRP;(g{rM_PH9^2 zW(IDo+!TaHAeLgBDhjKJ_|f=bR7O^eGT1E^qJR994auiqj+ic5rrYvake+PaIJk8e zG(=tQMMH&wn7OqAVe%x_lzm+^482U}X6keDRrCK=pla9TFhS7cEnu>ToP6?|DqobE zqXQ=AGo2FEJ#OiG+-$^qpNZvz_#(}pS`;2Pu5GX>;jLs2TXG0@({bm0D~4-qPz@`F zGVs+qp4q9~4oW{I5VEVq!?1G(G+AleVZ34Fbc@S{+Oc5gu9wEXtt|Gcy(czbaQz8X z6Q~PcJG`|^>V5ycg)7-=MHbo*E>VG1z9Aw${EI&&P17hP@smp7>K2g*&W+1VlNr-7 zV@n&%J_|ABNS>jW*?z|U8HJbNXFf}R{=bW&L(f<_-vP;sp)rz0Tu{ z8p#{pnhYe4Ds#9q1)wVm`;(?Yq68H)Ip+Y(@VgGtPps?Rhw*?6Qg7$*uJy48r*nGIHN@q&iL5Q3gjd}uK 
z;I+R|->_WPH_|EEc%!?Wn^7up?TUJc%SUKc5Pnh*9ut2kStgm)utho&Kp^n_tJm zBgymXe29JBr7d6;6oKTkv#tP#Aty{v52y?UIvo@`b7yBt7@M2eNdqe{l8!Kj)!CqY zP`)vm!rtX31WZPuk;)rwC@ zWa!iA9Er9r$*@DnP<&;U?}b(jsg;}GA#ba`j>~m;MI=)Z6kHX7&d6mKvW%^nuOmYA zeHC0~@)im8%Dz!|-!t<(&?`J(&eO1nbO~Wb1ug>#9*yLc9^#Vbhi)wK~7+)ez=P;!LK zTp*4SpBj^gS;323j_ms~tpXP97%buj7TepISv1;i(clPENxDn1PpG8Gwp=Li!%ygQ z;KfUzstR^aB@5fenrbYY8^Xvw;lsJAn4c{^ z1~Ld*qT1C~xy4M^KZ5wAUxhOEk{;q(&(P8W} z;Q= zy0FDk>HHz5>k`)a>SNP0SxVQt=C#r-pZi6$e2dti3&)>5E=O+L!Qn%=nf&@QJxohR9YH?gCD-1;uj7~)o*2veW@T2gCqJ&X%W!a` z7HE_aoquFKy{jrbQ6&3bao<;&GkrcH`e)(Um-AkGx1`04*C>Hr_iMWA1NnBVIuu@rZ?;vR|Jct;9D3$F#1 zISCr!dyAt_u!qGC?$6yY41L+Ll)XvAXSiV31TnZMO|aqIX`kfGha-hG1N@k_=)*Hl zT0=1pxq~&DF}QjpXj7||=XQ{EebWV_c-d|Gw7YY5W=2%Jtpi%P!>^!_rq|6=(Bbdm zEKY)3P}eJK$x__>44~z!e3H15;7XHH;WcVmR=1aTVud?kXt^4?kDSL%59;A7yyh-i zx}@0yPz<^|R>RI2m0T|Qnf%J$4YfQU>wT4441^RNcI z@XxZ3=h>8rQ6pPOIfc*ide%D<9CMJ>B|)zXhew*OD>1?NYc%agivo~>f>Y(tU85Ud z7E>6M2m+Y5;>YI_Xm{3QDj202EUo93171n2mw3$}V-t_!AfRd)P=$db^PSaF@8@Jx zEjS=iA@i(p9N`JSKkkj_p!Nc_G^h34Kzrx>4fOA-L$w<(7Iu?sK_~Eb3)hv zt%hcz9?qA^Sn;#`G;Y7h`?DtCg@M9huKmqa)$ZiADx^1!Ti<-*^8Qo$Y-Me;uPM*Y z!Yxuxl5s$y+Te#oy7n!}nRg0dDq|l*u?SEl{98c?P!jE2mYWgyeQ7G<>N&fA`Z>iqlOatKy~h}&MJJop$q;duhKd!aoX z@K8Y<&}P2&RdsZXlM-t(T-|M+6(74R-m*gdmBxJTP?3S6z79d^rxrwVz$QZ62uf-3 z6Y9VrN3Enhxa}&(5;dpZFo~7AT_+}Pkg-AQ2;Qc57D7((lgKlST9;k!h^d}DhB`Z; zPOB=Ej(yI`pp~acj4IH{_v5OJ3};*^SNLNX%cjT`iHh7{_KB>aigyTI+icp6VFdJpPJT;uF@I;<I!&DCbcZsP*A&8}_SlKUk;> z`)nPpSOM7{^MR7cjTh<4_H3vD+Pt%O6w|2tBHt>$Feo+SBdz;eO{(ZDmJ1}oYdt#d9;#|b|(ewWbR*&0V@H>)m6r#5~iV2 zix@tR_fR10mGRN~YUm7d3W}8ZcRBE&rX|Ge>#WmN2w||GUywnf0U|Y#V{@&5l~Xh5 z@OI5zfm*=h>h|a(g~dTlhw`_m#9C7VOggBm>#R@gH(;v7&TJWp`xw6sqgGtn;bPXV z&o1gPv<=N%b57r;NZ<^`$zT|v%G61vG?&I|+i^(^W~ig|OA*{UE+Tl#5%JOC2aIhr z$RinY*kFXRH9flZ{cQV{iDNRDylik;Z<2>}y+*q!#1ZQn(u9QkrFOK{ANM(+IXR)a zM&CP2BciIMd{sespUMal5;|F^NJH?05Jls6ZDE9HA-r!w`0;7705kFVcRZ5|B7Up+ z^UcreCPe(`zVS4kvwI4*rrDYdHU$U2MqvfMCp^oEq95X6uVlG~MQ_ 
zG;tveDPE99AaZlEG~(sd{@t28+U}jmH14#d|FM~cotGglD@242V?eobB-PA)%{ET| zG_xH{CRk7euCm9RX~TBCfjMsepx`r)zK*2$cGyTdlbpg!LcjxCoXPmvv@09)Kp(K< z{J>b9wPk9eEXYrT2KCxpibUs~I&gDE7;La(h|sgkJ%W+<@De{vg}5msh}@4nQKcP? zfG>r^1|#^`q(9CSrK*$T^Lv7Q48KmZ^dl(+{#!0$1O3-MQKYyI(p|ILVWaY4rY-MU z-lw*bI>XZkRi(TxWou#7WF3!gd)^-CpLTD&`h>RkB*V$mz1ixS+CmzLPP4KdTF>{) z=;WP)Wj#|G^GGHhGpQ2$>xLi)uyeb(;7U4Usg|bvH|l@(=YlYWB5)1LW-i>YufN+S zWCSq)i(MbkONelwSQNSoeIQwI{#M!{zlS}n+f^D)YKZqRWrk@iFO?HwtxXv#OJRs`g|wWPYm7WVckfsNf0l@t6GXe7~TJ@#{II7X|qVn$bUK`(#?nBKH+3*kCpP_OG6)VZ8K=843TR z<_tPAIrJS_-B#E}H+fMcsdWOycTfNcROUnag|S56jYCK;0S30ADBU```%ekWtQYxW zK;C&t?BiDeA$@ALls5se7yOyy_DZohTl;7G}Ox$mEY5Rm3f2PQto&WQ1| zRR4JGd?{9lA#vDUd!&s1KJDKhLWqLXuuLlt=J` zr~X@`C&bAd_Fk1_|J}WRw*m|&9yoD4mm0kp|HUT$nE;RsP}x6zq$c3L)%(ciQMS?N z1AKB7JKr9)$ zCj7O7dl9w;4x~9-K$s2Op&SnPKU@I1`dO17@(z_?#?YWvtD8%c8e?Gsyh3k7y+8W7EXVpp$Mb& z3S3*uRqwisx%)Ohu1i-|8L;FlKtwGsyArLq=gG#nVEMH{t1;dt8KW{gyQ^O+UpRTQl2?Zj{(_M%GkJ*k536eQ| zt1P1jn7;ZjS|R{9if#nerZ72bE1#_u*Zn;O z1Gu3I`p~zC^Cn+xxvhk9}{*odT(EuW-m(4Z!@qUpFXQvqkKi~VG9W%iPXp|*u|0N` zW^OE`5UeVZ{~T2!07v7p>lkT!;IoyQk^W=lutgz`_5S|yk16|ez6cI@hCzMjVzxr5 zsrHxpE&vF^Zi5Q8vXYmU{;TI?n;0NB;SSYwMpjeQ+fO;3!xmru$d8H=%Jus7A1~5> z(8(9=DFBHX_pKFb0d)2BvN>|EjcqA@(Ehn5iw}x?xGl;E!RZwad)7nm2qvJTWV)2T zE+t?8QKtXUSZ26Tejc6KrAllYLf~I!Hu^QlcyF@dnm1pmJStGH$vL9DG)`-f_7;>V z0q8Z*+85ADlSj;9N)Vw*Scp{o>z?jz8rf!xH{(ETZ={ygCsVUx`vc6i_!rEsaV;$W zsdT{EGKRM9lOxx-Uu-_wF8q6XIXse7P})Z>Nq*fYS?c-ooJf_WYAz7AREFcwOrnJeFB!J1oG}wH`6>wq5!0LT``kWO}*6VyH1tCD%E^_?Pb^KmJ0=m2tsUHnXuS zH5PVq(H~*t4VE%05!gd7J&0FYoU65z&-<*9rEOKV{aB@J$q~#Mda-cI1H0pnsjy@v z7YCwV%OrS(6n5N;^%c!s510giNb)%y_Ps8Y1Z=#zv z^u60T?Mj=Fpz-@g$6J|Xelzepy4m3lkr8xUTuEFeJvnFQN{BxS zKE?~>I=zq3UOn(5g zH`CvD2)Fq%a0vH{U46bD@hAyHw4l#gN$Isjh5%YT!o1x`Dek^CJu3|)@XEEtcr*VH8bgRFk=^$q+7-q@?F|*(XGMx zkX%2_F2h(EE`0}}2dwnC)~j#z+K(*NXmNjcx_}7A8c6W94VZ;7f4gFy8=L!)iVgr^ zUTFtBppo#%Nk$SmY$ebsdHUj@VQoL$B2}6l3zRSMx;*h6E@!xICrcX%rt`Utk;JVK z6m*Xum&M1BLFvONp{+QdtQd+sHKX^#%jbo)EoGhO^x58?nY8t(TYo(dC(jcCd**=p 
z2L#IQF81Wn7M7>*P5H|r5dwbNpb>FxC@*WB+c_Oshu6tq9WaM0AIP5v^F^cyrCa#) zPt{t$1DZwTm47a7K7?zn#hF{P?4D-7H4w9s+0htq+dpj+5Ay}Ow$!`CH3bX0S1&ez z9!m3eo?3sY@vNhcfyZkLnOIHm{~l9bXTD z*3@L*z`5Ncjk9L<1X?H5HPO7~V7~w%>p5C=#H5Sp-gVg2i%oCG0$T#)7HjB{8LF-5 zjRFDR4Q4`00&YWfR?T*@anmyi_b0HwN#u!eST96-XYi>aJ|3m4UN}ETbsj|L!;U$6 z-`N%T?7yd>8^y4AseQeA?87b=S;N^7!6R@BT7@?0HKR1gMZyQT?Dpi{H!@M}Z;f+t z^Nu2_vY&ydwW#WA^*9fkrgO+Dn`yu`s!a_<=(!|um?Qw-whUP~opL=@(|8H4a8-Se zr56IJ(s$g3rnf!!JPV@M$91w3>^Ba1WtX>(tqgr4))|=&sdc3H5P3DF8UdyT;4(3hyZX+r|aAx_t+g zlF!zD$-B{+lsEJ3ZH|)oOwMjWr5;$=Qv4&&tr*VC(>60yc;qF(wpvP87s1H(8K4dw zi_7;}RRL)%+IbkcU##BmNM2>0;MNcZaNXe0D}}&$@d*jM?eXMH-x|`Ux<1X-sbig} zQBde#Gi`gk->_Iahp@wC)OjtKN?4#)#d--ueK6eX2(YdzE$AOlI&Kh#ng?TPYvR7J zaDLq2oXA{UoG7-o>^nJjV1{2e`u5e}5{z?3WmrqID)3+KNR<>;X&sLIk z@_pQ$2~H4G^bXr^9E&YVBi(D335V(%cup%(TX~2!lP{^qjM6SlOGvPBROQMYRJZtx zv`6xoT4FCjW64hY36z4_2eTD*1wn4s02T6QE0k-ve$o#~>?cFRo<BBvi?9q#r%IIf)&fv2#+}n>hW@KNzO6ffhU^G2&bMG}W;J zB8L_zU{Eh03%9y4!h7c)o)|CE?Cd8U>Tzr#{zBrUjn4PL{YVO>++sRNDCV&;jL){| zk9pYv&#>ciqz%GnRwGze(@zv`{WO?-Ng)>_RV~PzfbBvZ8K^s+M-{~lYDV_DepJAA znKX27t?Uw@8F|&oFt}c%JI}$IW5*9vVRzp!3}&{x?Vpqv?nthRjGCL&p`|p}sQdH= zoQamZdV;q4Ib4`54*TwS&L@0v5=K*Jof*B7uCxMvSlifG*gY^~_P4qQoAI!>8yqH8 zxsH%%@B9qHMp89)X6`P`U$7iSw9Q+n%Z_4MhR2&0eeqrhQ@NCe zADX;L`sxr;DWYH_|)HVcE7Oj%J}ODRJ{BpK|O9!_6Mlt{$~%QOL&k z8U7)!z%O&u&xk=RetoV*VEMZ6yfg^bWH4DgQu@&$XxT#pDTCWXjicz1`N^z6DVyS) zl<2`fYs=<6X}lktCG>^PKbs2>HB2c3LBnWU>zhuF~5-5=&Z@A}#47qiYW5Z=$}o`u7dg$nAlg%LGyY zu*jCx{XBaOm!mMo=2*5~RBu>6SwYNQodJ zEqMR|X{3?v?#|!f6W`~z-k-l%>nvu^%&yt{zF*h1+u`-wP~nIaMxlYRoS4%`;{1m@ z(|0lvPAAHIkvZ_uds^Q7?c3vD>4nT|E5$n~bE(x@Wuj6ea$t}KTEZLxhjU3 zCm2vxgkWkCA{I^Qc7(5TCqfy&I&f-Jg~`TR(>{9co6l4@;=}lYSR{Q|mgp&i(*60~ z(Nnqx;ZPFb(1J_yt<4#W-CSw#)jOBwrg!UV*(vP`SzAy zduZ>%?O=hO!J;o^`2gwTs0q}#?xGF;83pMUfu`+TgT`^Gc5NvI?Ja+=g|fo8^7lT^ zSL-{2Vko`O)qr&UXO{>(yzXomKD#JU1_rli)Q5J|mZ!oE&WZw46&GXpI6@u4uAhJm0`1>{%*V}Pw754f@yR%!7`Pwl zZ=9}GfBF|%MI}0^17fr`2)+WYo6X1c7}N+#Wi@;%BvDG*_J^hexvfi(rxjyuz-X$- 
zanp&ya)Qugo3h%#wLk!$2=f@&A@;_0B3x1O-VKyFczZd&+kV-gE`u-4H>>t~aPOXQ z*MlFwGdm#Hh!NUUiN}o_kdks;IgJ7tGe{_=uBHSgXJdDvO{5zaNDvCz`-c@pk{@sK|xoe;@YW&3a-Jw$2>hO=QrqIJ-65rOt$ zMfo{}S8^!JeY~#{$!?gBV0+rY5k8}I1)PLr@HJnA8oZF(FdMj9C1(HuD;tZPPfzOZjg}(BEh@D%XXDK#ty1~T%mO|2<$hPPb!$=O%2pchnaYk_$7KRN zmn)4&0OdPEe*FVaU^T4`wN%)^K&8qRHVlvm5~Ybm%O^grCb}b)PXj(kSg0Usa4ZBw z8C#Ji zg>nqDdMR$ADYksCV2(u$xtS>q_d}&TMv#NmHq72YeFFY)pu%j+Y392tDxnE2%I%@~ znmb~TMj8s&4hQpI)w-!j_#vXp<>5;khvC83!(eVE9{Rr`Dey7@pV2aMBVyTT3nSaO zQK|?5P;GApv8sM!=guR+DP{b*O$3(g4xMy=Uqvx3%QPjY?m^l~qCTn>k9ILxM*mT2 zp;8u%0hb}7Ay2_J42@bS_eBCS#tX`?u6?^$*Sr|<)q4q>Y1^(ZJUh}I@MO<&@?$IWYw`UA7OTtz zZKB1=&F+JKoZbi2^~^z!dEJ^sMt^O-y4J{5N;6}=!n{#)mVrbeBOs!PLF~lCJn4zI zF5?D?i$|~aKfZIXIXdreR3x_YU>YLU@puDIx}dZ_0~){tfhUgn!2M5Q)rRlR4Uh(e zp_;Qz<}CKm&n(WeIST^&y%UG0;o>fpCVo6KAQB}yt2txx7_{yYt2J6|Zc?M~S4l9YqVU??rV&r(?!FQSL((|t2#j`>m}5S3A^gxVIYfQ}$T^ZBVr%pft$!0<^o zMPjlm9B-NLsh`+LV)oI6?RBUxCaiq6C>RB$2|FMqpl;z#t@^U!J}}t2gj7q_JpCfv zb(NvOcfzN1W3rViQSM2+aD%R1&c>fu6cEr87nFh{!!$75Rf-e4hHIY9tAo}#GFriD z;0Ga3eYG9^-ax}+u^Xp?s#{SMm#rAdXYVp@5=@0@p{76k`t1OAPLe`Wky5HbI3nt4 zO4fy*~1A)v{X za~b5A_M5?-8LI9{x0=q*)EFswQRLEwWW#)yJ{2HYZkBZ=*Ht27k*W?=GfxUqDMO8| z((h&KOCb0Q3wg#Kml=b4KF>etCsg{!%;kawp_JKE0%UgQl?FBJBmn#uKean~wR~-b z4y?u+g^hbbqQux#!q3l(j$#D|hN@F&I=g*@01C^|Rwtu|6kMz@4wEufULrb^)5uZ_d(?a#Q zMQIn+l=N(=m?WJ1$r1jc zyq6|bBvD4sd*@z~x*=f&txNq(eEAI#+>UAp!oUV+UbjcM1R`907R+D_sxs&2pc1s@ z&Im1Ld^R^_03SYDF?4{FOF3oG8co`%=FVdg*0eUVUPfes{`T^{eJ825{w!g7`?-L` zSKax2R!_Bq4&$e8YWEO71c^~Zk~Yud%WOZ~j9jC!$)&6hj4GLUvs6v3S zmvST=!)gJeZy_IPZQD`ZT09;oY^F6WU%R!xPFV@K`ey$C&rx3e?uKn%nTuWG=w%ZZ zHWCVd2>*M3y}ax8&hXLAdqmN~LS^!ZKV+B?a9CTZ!6=Oc73{m!^ry73lN0uq~h{0d&IJwNES4}=xpHq>^4B=)LHfsARrP?WREP89G2cilcv~A;f9{0aMLcjP_%G^ z!`#RUlg#X{5RE|&lou;Q(XQsa3Dwbe>9#IiaCx?m5zImtc~6xkYUI_ev@>2eAJ4*E z(y_a7zG)o~8P4{n(Fw$jEh^K_W{f58eouNecZkZGSWQ_{dlP)%CnpSIG+HDnjNy0* zpW8uI>-bLTb%;?-QnP}fAwSK;6u~>=6z8=6O^+$9bR0-QZ^R!UQNpd2_4sBw_Q`L#}l)@ zVI!}43_HkGeLT`+m^eE01&R4+FBmm%SXU)Cdd+kgPc#4w*>au3dTE2x&7e^FOdj%@ 
zE;5!x;7hKT|Kz|ZK(;g0DfcGhic&^KqDPlf>zpH%{}1FEfMLFZQ1jh4rg2(0Ol2x3 zGl{}Qx$GiI3qGG+;zkb&`#5KqLn|d0Ioy898t{{17jl}qf8fB5b!Wou%du=D@1@Z! z=yEtr`=-bI5K7qp+|}n8m+YqFFO-Yo;1T6|{uj#i-ISs6{YM(m;Kw7FWyq7csR+kc zuQ=wB7gECfM0MK-M0{p-c%<>nI*D5*@?I>ps~5tk?**fS7lUlq(Soq}$HOA`;c9WN z;V}3ZZg0tbIjx|{@F!A-zl~?2arzte>Wt)O{G*brK;(x@XyFT%D%rWAyN6zrbu0Pb zNu=Bt=6=07Lz-k*KnfInV-yWj1-TV`x~Ex0C`_b{#s`ssvAgg-Yknn{9)`=t(L8xI z-$jB%(5f0sAZ)Zj9u($1Q=R|7@x}p)l|->W<1AOzbxa{n6G)wzCbejkne?gLcp0-+ zN8&R(H@PsH_2MLKbn0j=E$pi%h;~R<343Yga=i^3V4E?B+1}^$esN<>!5S5-aL3{z zlidIEWs zvt;3xE_E1vKzND4d4+ro*8oH+e=3fK@FB!D{4&NK?ax@6qnoUm1c1P(KR{qTRWq8D zh7X04>exktg_* z>8Gi|g*$mB0BW?qdkVq4FfC$J-JFKzu4810`3JVComMB!7>G{EgML3)(AqC&iFm6( z;fxeI(oEDrgOiKe0(A4DU&}q=qv+)*Vhb0&X_%vt4f|Y(aY#(-B3)_G!`R$X5lc2V znJl<1ol<9u986QIc!co0Hv`>VZad|BvsjAy9O0a~G*L${;X<$C>1^-OG3~WN_@}Py zsI@99E5CJ!u^+S@RbzC&{umghb3-&(^|c-)v8awCj90gt8hU2*_DY?tpU0RHH-w@L zG&F2XRiuqs-!cDj@b}cwxzdVf-20vnIl^OzlEORn;{J#``D~nO4{BbjpG3o_ErU6V z%+7uXIJP_-8cXNm$>hS4syEa*zult!VVdSSCfp+ji6;}e#FebhbiDI@NfD!HfsS%bG@CY)sIq5UlCPK3R!LMVPRZ`KYt4@ zB9+5e0Vzy~?`mXIif1g(zH=pmI|OYfy2^GNl1TaL=9}MfjqQ!MIuDtTjLOQt**8%- zIN5^ApPQz59OEldNtRky4W{BI-N=408W0Ntt4Q{@Y5tJ=2l5!3f z8_c;AuD{zgYHA>JW+*JyTQw?S>)tC)k#E#e}EXkg$N%o&8JUSc!(xCX6fCmB!9CO@Zr~I;Fr^vSVoG^ zNQiGl?K}qeF99us>0^KI>9crubQ0d=i|?VQ=f%P`1%ORhJD6HFSpGA6iu#1ymqCeL z|IV2Ie#dj@jgT4fF!EfR%9=S*fiN(XEJQE^Zp-3!a;?1h8Z0=OAS4ipvfxf6X z@}46{_oeF94y;N*|G$+K-vGBRqWAT@6=Z(isLb+5G!{T-BuCQ#)d+;De4A7*AH_j{ zI6J>jgLqC$$F&NX{=!k1`86g zTtGJTZ|)d))XH7*9d4WUrSQKI90CB(0+6HPD8Lx|e;)n_$W-?gYX6(t7o`O!JdNV| zcs5J=`LB#M69RK2z;L{HSzq%v))MF-MPu3(?E=8=4kfh{T8|YNhy+?RAi_p6#99It zA0akF*3Cd-yDd_@zMr^o5I~0dt*0me_A#UESL7p4fQqC)K)h7Bd^pV1T=36RJz+$c z_H_SRg2pY-H`eqA-T*Nmc!Vz*5V1W1Iu6BegS@tV65z0#A8!efrkP!jf`n*)DLs*? 
zKhK=d1D*sEVSgQC+zJBP`WHEI2ozuMPh-|kd&8EVC-HYL`56MFD}N%DTKt8#pdy`9 z@iVzA$`W3HS*q=}d~kK|a%+I01aKlbWLU5cb>~0AxBoO6LEsa*cvd>P2mvdnzuGkL zG@xy*p8xtW!N+ZvbuY4-{mqq8XI6yH@KNA%N4OZ9JBg#aEEK}Y9= z-+#WzDe%8-$U~-1?9XcOr@#KUu;(DNfy5t91x5et>H@rx?o9(-CQ5bY}Afqwcyf#w)eicS%-O5)T`saora0rTg6uCnWb(+Xn zw8O-@$p2HMLrfcBc9Y5HP)6pc!vBYzAqadWL9?pND3K%)idoFbTdf9M^`Z#0m{p={ zwpD#nGyU&7{ynImG;pw>Gh&AEiMM|^m3Rw))`$t?j%wn4oV|c&2k@fzQBiqOscZ@3 z0@m8E^jZGECgQ>fKol;2clz5)3)kedQd7x|D6>#4E`YfSBoL>e*oZO-#VCT~gt3~y zW;#y&#mb8A2}9>vGKqsGzCoHu1GcG82`K`O(?D!trR+9 z*$-e25g*14$RRl3ELfERCiT@HTF#HRc_ew(qkw}3M?WH>ZjNn@{=`uMD*{)6VPmC_ zPyQPG=PIFM*7k6Zd&@|rwaU@<>y|UQb2~qyg;n`>90C{J&xpZw|x+Jq{s+>~E4eE0~cDt?t77t&b83 zT@FOPsyB~3|3$jW?HDd;hKE?=dIBupPaa`LYEKV)KVWE)|vOr!e( zyzzdK1*QA$tn#B~NXTvXQ)y|J-?Md>x0;MEr!9v*;%DN`y(oZ#Y;6n}N&}0qvl5gW zfTbJF9~b)UTqaX~gn2)=_sb5>dGw^H1%)&cqTzo1Z6&J{PMW#APci&9&tL%p8NF^k>X z&a%s9K`2H*VwH=f!gx|#D35{!sHO#KNXt5Zj6`S@t%f@n&U($~` zpl#xv&}Y>J`2NL(EQEpvc9WlpYfe?F2UKG_XQ^32{c}YxriC;L@1F7(*cQWBfwh3m zSc$6twR4vkY=A#tHYeg`u8+<$@DmMW7+E(!S>$jQD5`swWjrobo=DSZ59ze)-?akV zkAMHIGVbox@~;Bz_RC`30=zT-BI4$8K>n!Dq+VuU=APF&j?s4+EJm)9?JN51`OZh8 zXIRei-q;j5qn3E~wLOUfT!51Hr60eRf*?Xhn)P(YAN1KIQaQ#vgqX2nO`S4;imd=b__e_A`>S z$sUfwbY7nxD6YM);AcD!pGzzz&*a;ihEeK4)|>T{g=wn4BbZ7q-^X<^TGUO zYfMdFR~v45{=y946!?Gn+CLhchPeY6>ffZVVY3 z>8n%-WSXdy4rYm|asWUdKmjUq$8{$$s(Llyj1mA6)_jv6k^FrXjG%m~wmraTi~u(w z1)b=*(Gced&y4?ZC-c07TiU0FcbcV5)|~q5+`y4txx%*PQ?JFIJnP3>wAHKpl>AhY zs4pv|sL+3=+D_&2O6p^mJEV(aTm9=>b21>sRX5%q`%29$|DweqBO;p*a(@B1Y5*E_ zym!=MNj9f0LBQfHHWr9rac@MO2yX?6TeWlnTp!-@!{@!r zB}3(){dx6#S+j4FhvLDGFV_aG=z1|itv$8ji6gP<2C93{6YRJ(dowj@-bst^pP~pA zGnrz-GR>%7&5ql=;`eu}V{K|DLtA_q$oB1L?n)7RgqvjAa>JGPY@@Y&=Y_N-yM8XP z>3=yAG|eo>JNaA&QsL>D@L70Fgnkmf>6?wVp@X+dWufG~unse)efzzLpP=TKmk?Fy zPunyPQjBab-pHVvUG#WYEgN$R`g6p_cIoHig*pjV3c4Qw8c(wXeTH=4%-p7rpbK{W z$h_qQflTwM71TfQ*c5W45o?^}6`qO35cQ;$*!AggiVcCm6HA0rlO`)peG9*hz!hR9 z`@zyzZ8Bo@&xS$_)nkG|V@TJ1Rp<8G@!EU>yO$~9eAq71_z7$h>%iXS*;Rv<@|5PD?gALlW6>=FoyisK~j+d_JS{0=KTIc z0+fi!?!b7&gx1 
z-{-M>GsSbS()tETgF@uZPM=%)P;c{pX|E`YAsunku2}a%nMR|@=}UWuaMW$BFJ|&Y z4*Jfu@Imnasq!B1L5dy2LSE}lNt!ofjRYd+>ScF0Nc6t*UPC&q-5-74d}^9K6ZoQ4 z$NO&jTUHn*r3APqK&>mv;3Mt=T0M3?)u#WVc99#FZmV&UQAktdH)Wf#@htG--;fvW z7jVV*mGiFC&5nzaI5Fk?*7`Y`PFOjJs|?jwIDi<(k$b)IXqj4y?l9YFtygV9ROG5- z;?9z)Vxh{CI)zm)o!55OEb-S$oTxZ!I$zSxPmRLSkZk`VOF)aV5Bs@MK^S*U$&_@%P#-x_l%QNyXzsSp7PxxDsIAgO?V#NT5O)B3$ zZ5Qt?oh>O1|L7mZ{`Xlq>?r349SAv{7+TQa?Tf+i#Fe&t`^Z*QZ-M%*dW6y4-{qq2 z^HjH64!Sj7l)gOMT(D&zOjmD6B-kx>y*B4(&%d%0L6>uaobV^|cPr{irks9TBwUI? z#P;;I6bat`fbR`0*Tr-z?Y{M>`uZMqm#RYx#>whWR%e2im$K2fVS?3-88bESSf`hp z1#HfJydEh-@#`4k0?&m z^n>^8a(>$re4&FlEjfE4*ww@|+5xI4{Jy*!^MLyki4b;X?nQT*xnEMp7(KM*KtwOq z?u+gVrNRLDNXmx}hIE!tvL*uh@aN=$0gB*L>9q=m0mWycy zQ(0+h`tTZc^Fc3Zs!I%uW>g-qAhav!IAi5@YcGg=605Ml$xT;gtk=HtRF;j3L<2HX z-{&L?E;l1pvSJE0M0FQS4d+x^6|0R!c1Bsp(eeAIPAQv%&c9tTgL^M46h*!mHow(=t|WY)NiJ*VRX)dP?XSyL zw;mCoA6tY5ow^>#{z9eqUyxo<{=KgByWWk%Ivm$Tz+PJ=;Ere_#M)5balfO_WME-Sb)W!ZWR+@7A7o`~7k~q?`G6!L74`d25FyL2eG~Y5ehI^8EsDggpk= z$KgQ<1N&Obl*Jhh>J@>l{*{hXF}x4vvhA(+Q)$si7lR8a1(fwzU&`~Eo6nzGeWX{eE3hhdD{EtggJ?q^uRyx|_IuT;i z6{}yf2FErF)z3vnYtu1J{7*(MA9oCHxKpR)D^e8-<6lI1@Q!?Ab~M7sn03HyK?J%; zbB!XZ0#ovI&;|?CGk^dz)tc>GxCdK6l$ry2KQRA@e$egLXNO&wLUjaV{XX(f=jG&@ zpZxw&D@;Lc!to~4JumecA?p<>t<-OCJ&iSmwXHgN4Qnzk-2=P1Ag2vCA8vMoT6K~g zKBtBn8_iS$nHRS#zZ+0H>K_q6lTfD+g9vwS8_5DixhP&lk~^cqGTr76ZzsQ~?A2pJ zJY*gjz^21N6+(W>{^ve-dpOC#<-e<~X_ekUdY1ZfrC&LY$Ue@amCloPKdFNvvih6k z8jR>Bm%rDx?5G4~9r#-e5*l~m$BDdu5&=?q_EHSeMe72$g7Am{es7CK6uVvJ8sXi1 zL;$l`Qdh_~Nyl+YNmfu8j}708^Ab;Nt{{}A^2$m$-DrSW+|NKF2PI0Dwa6<- z%Z=RKz6%yKo&Ujy%w(f^G2;&va`k(mpbCb)Qpfa9mG10%#QdLdX{qEWGv8nfLbpbm z1Q@>ldWbPp{S6Hix*bPpht9cfJ}2zWR!)y9j~nndSw&^A9yrDxP=;8OSC}qxHXRZ6 z58W@671|fsoiSNiP1Yyxie}eZQHyxnn@_*PW?=3Ck$MU1XW20&Wp_O^2e%l(WWyQE znN(G}xj2m1Rf-M0E#6Ck@E)vXv!e|ebxBmKOT}L+tgX0r`=3gepub{^X)BvzSU?g6n=M$*g?EOLc+sg zo;KK{%`plijO=sIJz_srr_EE;1W_srwbycLkYOITe%LD-ym%#>D4m?-9-HU4pt{iI znVB%R`aYyKKo+#<{OJ+U)!$`MWCe~3WX8BqCnlO| zV8IXix-p|!=x10)07L2`VWNvVAR|g_JMSJPfed|Rl}}`UJ-mp}-W)#kYthlhYR)aZ 
zdP;_%HOMckIf>{bc;YT0{Z(D$P57^JB`L_U>WY6(v-gGi**4GT*E_tl+EQQDE5K9T zcenHxe47ny?CSGP5d#I6>Jy)kPpsh|jJ8*h1#v+nYK{w z+i?XajK(2WengLr-<8iR!5w;+$4p_baY}?X2Rz^cVngU^zs<21dz)>+J2_M z|BE>tp$PbDqZM+g8FUVZ#Pg^Uvl7d+l^Rwn)3>&yrn|?q$dvlqfRV%=Y}+q`eh~?947l%TML0NOjb1b)NiCdZE5; ztlDTd%HXZ`%|PxDifnE| zTNol#kw5~GYwqg_6ZF9Co4*u*!}g|I05&=#UBmhM)n=rwKHIogvOy38XL_Yw38ttE z?)J`Gnhc~)pQ%XXS{k1?k86g?Nyd1a8$Ps|=-PId{F=MK)fnzvL9zO`L;H6()77iU z&$PY}n6J2dV%m`Iu3cCz^}Hy8Guj!k+a zexd%LrKawR*QaKEoTo?+n9cV;INR-vcPZG&Q}o=%F3i`t-HzR@4=!c>pzeFYe!B}w zvGh<+43tanep@>~4T3#khYy1O{MmM94A+1Y&lAVnD?|XAi&6is&1O6mJYrjvCUt<9 zG|xa0guwE3k@uF{XMh< z+Yi3;=(dCX$H=jmZJM?iAj=Y9h)Z)TnSV)d!EG@vI~XQ&)RU%j^%CsVJ(66g_vkvfEz2G8gxNx zHC4|gTV`-4@msBRngu5^2Ubn#Sj0NdxSs0u4N`bD5PNhFSqaVBZUb8+iw91ujI6J1 z$y-bXw|zEjyvt9X4zJo7kq^OF3) z986v8lSwKfV*-*B8mn~iO9%Jh#Om7xQ#?2Cxn(EJQykv+!A6m#bQnC(EFGFKgx639 zD6En_wpYq745-6NHpK3#l8DNL=z>sG%}t(548u7aO*pO*@z-y%W0^hOqy9ybtAA~v1<~` z5gW+n3wM8Ok!Q%Lio5Y5kp|>nc8t{Gen2(Ig`e`wU?y$lRIF&E{pzIn-3|6LD~C^s zysEKOB9ex&6tpqki?DD+BJNVXI?ZEdZOAWsiH7g6`IR4Ojy^gwl|JD#NJ0){9vhZ*CR)9Y?`Hpdw_8%{RXJ&0!&r4~M z+OS1;+xZycDx!R+k6(uvoNET5J%MB!jKHMApL)<|bOfFlfsf%OM%&c@$L>r?6#OuH zqD##}reE#VgNX$!TT_)QyKqxS@D^_NdZW5S$|Ar>-o$JPRNe|WKM>o*?1-R@L*lza zP;wI@rSr#IZ}}UMmZ(4!go#o{=SU#@Yc*OB31AZWdC|En2*Jqx z#8&BTO0Rd#!^PWAvv#Fz#LZrDU82OH3hvanXmm`f35RoLJ zQjT>(OeP#MO`F=J@sQpep1~<6bo7%1Ep|dH54l_RuF`Bq#pb&zBMx>(AUx6M!Sa?Q z76&bJQPJ@*!&{{{{1c^)!633+d8AyNYO=%8xIH(ckU8$4a=rssFkv8Jjdf(Dwjpj*a(e#sA7ZU^8&|uc_a)Q4{ zA;SZeAJi8l(}YXZxcl`~_@Iz?-M4g!e}Q^IbaiqqDb(q=6{n7J^oEJvEdX#1Ai7qe zlUBsSB~kRRO7#c0zqRE5@O&a4ZP2|tgZ_&JZZ!#3>|E)Z@lzqH32%OP^C&TLuKBM> z>wF}Anq>X!S-ba7`h9~(FGlO477>>?HYiNt3MXQ6V4d9~seo&y-jK1=CeA$bft@}~ z2^V_OMk;hQu~_pwIt@>`#FA2LH04GCF?E)j`)6fXrX zm)fSc|BfkhohKN0$6xS%SAz)@wpAWDYh}GPnvjrJbi|# zt>?2*T|VcJ$>+3j;#~pELc@9JWY2pfdJelbqRba{gVwmyUsufVGWWfedaCV|0bMd) zUI`WOUV~2;wkQ7To{P)zp64leWB+%VVvn+}YIkJHv(fW+*f&;SHWG=Bd_(^NL&p2( z@+_}Pr7vW}m^S=XG9<%sC_i;6r=z^?3Frq7sg`xGvmNZO(68F|`l)yM81u`$iqEYjQIAodn+*-u7*e0$A1~?{8*amvE9gV1obr 
zgjvIKIK=QDZa!*9E&qjEEoPFEX74U6x7L_@@((qyJt`4JJ7tE1lE!5k+mU$xy z*3oH+1ib@HmDU^FiW=6=ph-1v$atKr@S#2b+ProqarN!Eo*tZlMJZ{l0xJ4<)ouOc z@QWksj^1tW?30u_?y~vgW5Woyzo*x@MjH+P8UA#waq|a^x_n&sAC+4xn7N_q*Dk|t zIsU0SeP?cOa-;nhvgePvE`~Clr)YU6*Fjv2G>}h+9kH+Dr)!=O%ijibSVA=!SU@~E z^6=j{%lhwxZJ)6UfK;aMXo1|A1dE3w0DfKjEZN(0n@LEZSWuA$;m|?~aA2a_>>wYED1gMc4T^`HU_vV z+_ui64bXs!q1EoGL1}aRLNQFOMAEN)2wY84nvTif!+kIuK6m=fmJIcjhKt@tlSv%1 zh8SdIynN%%Kjau>a00~PDcz0N>CwIRA*|rUE4ZzdfiIHUt~wRI1?W8 zgZ^2K8KSp-tm7r>FO)<)olAFFTUWp1z`v(tgyhcQp0tIwz2Iv>QkwnsbFuO4txq5@ z*cL6vlU?pE*={5QCgl6{6yC4cK#z`6B9F_iiH>whUj#dco9-w@KpYu8DpSov)MQ^+ zw%V6vOfa(rp;&P}*Y*w>kV#3dMA(aB^;U`6Dz3HN23bUYJDlmAmus0o4Jvq9&X*%L zjXB;a(73fiJu$L+<&8#0x_>>dM=ce#u~cUnfr6sM^y5v-I>BL%@5f$g@7-izgqP<> z!+RU}G@si)-Lfe&Cc#-x%=u}Q|80W7#ZE7U%I@U|+3Gn3;))xQ?Bc~_Vl($`Dwc^x zf4WgmoK3M&%kHb}@n1d#`b{+7uRiEmZzcYy_8M2P{I=Ftu85a==CFW>^NV>t0*w}N zvz9?Q%h6ON>r;mu_Nai{44QI?WGH^RBf=( zXE-4fxxbQecsW{!K)d+-w&hHExO)f@lbYHusM!3r-Lf$wh^TxMpTAt1`e3>$Ba(o% zx6zK0nph5-dfgyDdvIuCx^^t8O7+Gi4%PLH&5TZm9>Vq*r8e{NHz30~r zP?X`T`dUab0uW%QdJuObk$51L$j7`bPu0<*O_{qp zve|}Q@r>d6gQca-3L2;RP?Y37+i_OVh7hk|gvM_|@!f87IN%4;SoP|J28wmM^W@_M z`tI*SJ;zR4BZxOg0G)#J0b7<33Seo^dR}|wJ+SK&Y6Lffy57?0(;WI6Fsws|sFR_p z?hRiBDO+s%BpAI9>F`O&X{Ta~Bx0spKmbl~DNrEnV~mW5!3Xq$1+Pmcjs$PX9>x4= zlRywxSuwR72+7}#eJKbIjOq;ZOM(V9H%}@HYjxY)4)U$CW{Yp2sxELc2^DN$^~(XP zjTt+C|7D@hKX$7$Mi5C9?-}v3xRV(Y0@Cv7MYgyD?cuf(#UhkomfWC{Y6!b&26|77Wi50=|_OYKFHuAU|A=?$o!JE73TKHx<4>UPZ##x{zF~49KqOqE$MbCb; z`*4)OY}fO|S(l^k?>o)fO+T~w{jg`|KX9KUGNGp|l@>@$0whGyoR!D4_xxOY*FGIQngPGDoe1gsav|S;#X=RrVkkn8X-R57q87*X~0n5vu>i1NGl?HUNk=x z;c-+l0un>FcZ3?AR>^H*h<=As039#VxZ`c_dpjM1mB>S(&>@Bnnvo`EGe|{hU>Su< zSDlB~oy)`9-CuH|%sx?8uRteTUJ6!4X>7=sv@O~hP;o7my$b0!HpI2}Q3}ats{q8Q)8`VU={wHr}+jhN4$!RuXxX+GCuD9X5>vkKarxW-z& z&Api!?e*v?ZMYhykNXvHA(q^CB<7bm&q%>Qne!FmbDH|9RYD5iAeP$yvSri^ zds{6pQVOnWe}Q$-!$zyTaDsK;;jIw?t7ddp>`g*%vg@v!c8e|ZnMXs321!uJoOg>X zyUX5se@CVf>|HO(^$*bXY93Dh06wE~E;=F0FF@-B-nRSf6N=6a9EKtt?{s_VxIMD> 
zRJX}0w}F+6$}onMWm4?nfN}ez%VyA<-?PD6b^BOd%R<`RWK_es*tw`^_1>g5h3aQ5 z6XX4H)o93g?c7aB#9o=->yp=bFFRUuR8b$YR|Cbs7E1TdVV`3>zcg|IGk5xU3CI_O zFEy;rq5Hi4PP$vAI`kcz6bM;z!T0=!LjwJjt9>BsBNyJHUX6Vb5+8iZg*qJ_bP# zqlIk+!1+aoW0Nb_&8w@T|8=lOgvjUB{BMGApzo)Gc}G3hvq)0g0Yo9;VnJ_iTFhgy{r@`M+9Sd zrFUn(-ZXay8w=*K-);sf7!XG>?|AmRvm0<&Mont@TKqbIIFEjl;YynneOOjZV|@03z5Af+ zZh4H9{JHqB+vR!Vk<*(-3oHT268L+6@tEZShNaoxd}y~!0T6ca-#F>u^M-Z^>eEkg z{)YxN4{Z|D{6VKs|2ed@Bp_~BqVAQ!H@jqn)7{l}a+E=Ra@g?Nxt+@WP|e%Ya*P5;=tM5O5DB4-^|y z6hcbm5_+b;@41$X=om9TD4_d_m}6kTvAytDvgoH#3VOhR9G+BayaQA4X;~&oj_ceY zMSJqshvA#^tKR$W+eMh(OA|ZVR%f-CWkc?AN#U0WGoN=@pW1YMs4Ne_D;-GAsyz@> zMxILJsyMC#Ytv#gSeYpimvJ3bD4rxjVb zYlZ;|%nXA@H$1l<``JYhss4yXNO|E&-XMAC-m}EcZ+f$GGm``jL9n1=EhL%r-cy(4xAHK5$GQ<$~UY3{qy} zb-4%2#(>(fhvOx(hrid@C=;>8&Ar)OHWQ?8-%RKLJVm;$@l{>(ds9l@JFMJYTq|Cy z3aEle+j6?@)>(B0YiQb%`2ZmbX&tDImwa<2tT5TY!sPg^h(tzA{7G>e$;q4q#8-wpJepu zpYwWu&|hu$zS4JdcXP8iZ}hHnKN#>z!e9I-jwNS2ts4If&s4dz7chM&b|qqL^mnxpn;doBtD{uup9|64^^Hv2&=Ocz0oXlgK+Lml?FuHZ3N;pWe=vXNOCU zBju9`v4_e5h%7OOl9Y(_>57XB#a759jgy_YCqgLqvFqpjo?;m&BMEO#wfGB44?1r9 zi5FzTT`}1TC7R`c8|-K2Fv+|(S!Ca^2aV6jl15O_S`$8#dWtwKEM3;@+<#(R7TA5? z)?reqR%%bM^+_$c7`pZ%j7$${>HnkZEd%0cnzm7##exTC zaScug?(R--cXxMK+#yJCch}(VPVnG_;O_SAZO=LHzm=Yuma6J&s;cW^G0;&Q%}19< z06|MoHsj(sbiH&i>$>{s4V)Z=dVSz}BL2B3@&UM)62w9<-JW1fHJ87cIvex7ShKZM zyCcmK11%f465&D6p@L#>HxayO6m~|93^^~x}FXcsYiKj5dO&hSX0NGyW2j~ z0UI^=kQ%k=!c^IeHhU1<1ll|}0DY#S2{ROWo?8@iI-tw3Ck>GeA~|d*&;uXCFzS2S zcD}a^kQDs&`+F6;!Eb?(!pSF-=~c(RuQP>45Vq?$G)ao~7-K6}p>yMO!tRzTxjkZJ z#xyR^a+^#kb({tkC8&i;kagDrMBQOtvM=8`fUS)Af}HOJ?YdPbtc|iYqu%?TrWlC! 
zG=rxvH+j6m+q}XQ%OHLfgm36aaHCb!H#Ab|p)J7;LHxU`&_+c{A>_i6pC$r^Keu@u zmyLvO3#oXge%vP59lwf`I8AQ*yycpAi#Ge^@DFFM1N?Q(U?&8um+rRhtk~XSfM6N& zIW|q%L8K1ch3KDOtlc-Vf5V2<`YhZa1Ox5?x&AkhX(TxEjl`io-8ObWL9O&Hlm_} z7})T|wa(+RyYfFmbA+Qx$Q1Pz^6yvT<1wePbQ9;Jkg+EwW~QsmMc2p*)T^btdA?sF z9r1g4Wl(jj;S=xv0Ben&po12<7Z}`~Fa}5S2OgD(F=aPx<@NX_^kywT zw9#(T%4)X!voDWTw2k<=n|{5dq2*Ux7O%?8Z4^|P5qC^#m0w=BlZc+0rO#m$Jr_0s z`5NB~whNl8_9q^+T#qn1P)SgZ7e9jHjGaC{N9Xu`L%hffh966RC1|lrb^YP`mX_;7 zOqN^$Y_?_^Ul5=HIh&1s`trTWf;MH}av*NL(Xx{^E=>-Q&bD%Eip=z zzc$uTL9d0+#>Qc(Meoa%mXOj1CM0Ytge5WwL8|Y@sXU+Gw_>2;;6{cR)(YJLyj%t( zL4??maubVqY*sKrv#3Sy8^P~mzN`MsbZTV=tY2-HJJdi)%1bCx9m8^I6czVRC;nh( zQH~Q)Hi6e{tohHUm^n^JRA>);LG@})YHa>ntDo^}?SrYl_S@Wi?o&+cFW-BwytaQ# zX7a0fFR~5_A#tIPSQq0JBzab zLgln4iWH5_wR2GRS4c6lwN*}2k#wQ;_;c@S9bhwP`TdE)Lm`_tWi$-^8Z%aoY4^;NOeCy{<(t5)yvrAerJ=B znOSg+R9CB&js!_B&zwZW{g7GT00*{Jn0b#W@^#f8E@VO(imkW^M?D6G_Na)~6K4vH zX3piB*W$w!_282XNpR(l-BZci{stuSNmNa+1ZqpzG7@L!7wf~lWb4FEjutg#^h3uM z1c2i}yhcS3-e`eDT+ysVjsVO(Q8YZWhvj}<>j%JS9(Doish|0x@!SE$kgp0Zo+>A0 zl?Ieq=>{4pkQ8s=J`9FVr`Thv!UuWvsXia`-3SBTPcKA|6Kstq4#fUoBfe+ct(uL* zGxp`IfUWFSdg*J|PPsWOa-S4?o|`Q?!ufTt)_0}X^>C@2q{Xyl`mjLA?ZmB72yzh* zih540(^laR2R$~!uDXh<`siaPH)R+IVs5-)^3;DGtr0OuwL1nywaj6+&6xXjX+3{l z#svqNUKs+~MsapB1QJ z{K>wWPQ?!pYK^A5HMy#-zfWiUro^?}q739E5Wk0X`3|1;NbElSGBkzN=DJvJX57Oy zZ`!j!Yxis^dj#!T|A3_T=Vfy8_QgquF*{D%ld`Pj%#>uBpe z+CJ7^W&0seF)>2~^n;oHXo@7aieLnGs-!Lx zDJMa2nNj>LA$P4I*;M1ZaC>1QO-{%c1(6h$Gx)&l3MP2~D znoQt!8TZfUR2fG<>~O)OLU-seSnyOSZfIjxB|y4fWVQ?=x?ap7Wp}>yc~kKQJrA$) zVP)S%$2#u4HFLme-`6SWAr`!mSIF|rFP6sbkqKbxdG&T0-fS!o;5lR}rFZeU{}Sh< z+|SEJ1}r9XmlIEYCKCsx4MpbQ3HntHC&K3P^ysSzmj2yK$wYoQ5zOI|9h*6Pt9-9p%hQ;LLt7ghanqZ z@G0;Y`+C=0k(pE{;s(jYJmpw8hTJ-lEd(c0r>@z|t)!SUj$h8JFVv33A& z9zLZDE?^1<8HIGtfnbF7f~LO@PmLBTDR4e{`_!PIyl1yzQY9<(M;1HqCb(MSN8B}m z;BFd@M^LPkxhh0-%lD?jHBg26bS6eL*j`x(^ixV?O*69EtPeg|ehq-~yZsTv`bjwn z&UKOtJ=Z{@6=h(?eyJ;XME9admLodtRU8Bt2Sc?4#HB~$`3me3`p`2b@E!os2Hyt9 zf4ma4fLo>7qJ=CHdSx_{&W3Y)_H3H=gR>^H&1tp~=$Dv{m8KTQ0>s`R;Tm8uXfj`7 
zJj4sqWNLRmO|~VG2=r^F@gT>$xi+V|?_kb4L{zrmggME}BnHI~mu{N^KX)-1&(6KgA+)ivXOkQ3_ z!&_*RqeA0?VSRj@8L@{)5VM%zh;%!iONf^U2t^oxfnp})#mSRL6GzBK8e3D1kqZHH z6EU-v7S34#nbHH=F&t74LffzQ9lI4^gsBnA9i%wDO>I1KBrn>AoFjW#A~(%XBL z&uNkcUXH+WIt(zw`?z*O^vK+iZv?rWEe8o^CeJ$%8cl4;soXJ5fN+de`xv<0yWwa2a8yB>y8(0 zF;}8Ecu}2D3$f2$BiqezK^2N=_a{FkVo|r#a@WI@{=E1fSdLHWn%JL!Vn79Gpl@nq zzP)yaib6&Qx;$=QZDF@lJ`iDz8tKD+?=)Iq6Q z6o<=^yjY_vGeVt*6N0$b>0B}~AIM86FqvIYgJHTRE)M5XjUn1U0%2$zJkax=CKye< zMe6h>=!rE?DTlul78!YXFtHo80;3!rA1{fFQUhATk5dUj{CwcZ3?RU3n2wYfhN;B- zOImK(w)kX8o)EU&-OX~Me+Sa+25DuuUm#*S7(*e58Xa6vw8xf}MAHBPSs^$wC*%g1 zmdtlqCEIveZ7)6f9fEfY$qUj>XiVSG&CPM#LfnQY7INZU@kA?J>v%Meo%{I-J@l~= zi2W8LSVr45e~Ps}zrE0a%O0iP2pSWOeRTOFz|x*iIjOIRP9m2~@AFDVu1ALhRJ&0z^!&;y*pdt`nerO@x~ z9#fA;V$m~pGSouu_Grf#L7Mvc`I(VJcd!~n*Hi!Ef1NntgCd8X67iq9J^GTYGqac# zZ<2Jk8Wa7x7>!)cWNM?h#>~+(9~cU@=Tto~X@WN7@roYwB==BzWkbQLRmQ-h+JF9m zz^oMuh(T`tbHV?2!##{}a-9S*{+l#^g5hR+B})b~of+s0OqIkq33486ObWm*Q(4l%B#gJm-l{odD6O*wK!JR{Rg=#KsaS z=?^hgt=5!|0X)IXJmLu9YDC&HWgR%udK91K53=MzBXw$-?7`QhYb0A5sLlEQ{~=TBa!w&w0FKl zftLA#&Xe+n%;WQ)ewN-{ioDd+iCt#rCslj_w`lecCwvbz9p*~-j!m&jV7Wp_iz1f#OkAJ4z z2pZD;A+y7066;BEnx}yZnCh3)uy)qdyW+g_^!E;|f#FaxJ$fu$;&61O^23cOcD$cb z>|XHsNeCLxFVZP2D@!4mpd_7=`S%TLj$@*tTFi3=2z_Lu^L3i zC9`Owjyjn(>jgmCGYSao{YIi1SLMLh96QL5OU-Hma6MR9Z2975`zyS1jYr~Vb5&hA z_qL{Ry8ZEnbn>!S-{HkNd24EdeqXj|Y69eLPzw|?ay%8OOq=0_f+t5$0pzg3_y12Y zDIlg{Llou^o!I^-ku#VclvMmiSGy5W3YPoX?W)Y$(wFts*E7KBwZ8{VwWS4h-jug( zdO?7cfxx$`X(O=+(!jdK)Z9IAONYR8K!NmzgR^B~X8iPEo7Wt^R1gk<>~JA#WcU}v zX=Mw%@Guo0e)NhQg(_rYC-D#F0SGXyZ_{1kf-kO>=mC?Na>l`seNo>LjVM*TYe^Ok zp>@L{53X@HLhK+CwGyxGwC;Nbw>5xbNr2!Vzq!&Qz~>bePT5+@8!On_nsMc$(Xi{D zyEz!^gDXS%~gQ zGQL}cxNh($R`GK4E8lo-c?+(8pA_7t2c{1#AOSMR)XNhLz($iOa@$e$)6&;HAJ#kU zY>N!;W_XdsNs}vyN*KDId;A3c#(88(0Zp~?2`eR4%?ZqeOdqMxQ~)IIGIJJV`{*jT z7o30NKqV=Xh_tNoL_rDDZuHZr92|7YkzuyKo|s7;a4>j@6jx@_bu$Gdl#@tiNXx$X zXX*zypd5|Y5V)NA`7Ifedh}Y&1h&nef3#T$*VGq&=H#5GKFaRC8`+5;&?El1*3tV9 z=KN>P!DcJ~5S0+nO?~YP{`}YE55WZKcNhDy#m+4?$j=3`89H0y0|$%#X^*A}vtcbF 
z;wCWeQFEc_@qCvhw|KtMNj^_+^SO!Xgm^sB-xaloFr8B~fs%CNU-0{v4TQk-&`0p_ z^2$)qZMS3G!~W+t1E`>YunXR)bXxS!G)bVy-^eliy$*kOLzct~(6N-4g!o%hM5ZP4 zOOiijqKG}8M@%`^_2<+>4Su|)EHFc2DH9bgZMloSl;h4o-sC(%$Vv_3)@R43Ip`+Z z)X)LWum9ZaFAV``5SvnPI%x>CuX#k^X;=CPpbjETm>q zkkKB`;b9a%O8MIMDx7vF6Xp0no%-i$NGg&(N=sgR3<}8}$^RbrmGWZeCqZA-zdD(p z)8lPx5l-KMTAq5-(26+x)-FMCuUALo{1c4!)lWN2W(l46Om3Tyw@s7+zx;QXe>&ac zExq-#LgV}}{o3+xX-Es;gR0T%E>Z_G%rjLs{JS09V0eJ#QE;`WPr*L?ElvNueJU^UltJt^4yb2{0JZWxRL((Q^^f`T(*0(tX7B3{3^1x&aysu z{*R{ri5p8)k2N~|%VQMI%^kyZVx*=9NTMGsd<8H&LoqUX2$;$~3G7LfSAdIava4mM zad6K>Q6SyD^*jdRB(C986CG;L80(Km2EX04Q}ZZzg;CX3`~|U+?O3> zb@6{YHX>9H|0DggqTr2t7ACvh6iT+o6vlvN&|GtlLP}@RO!f1g{Ali@C%T$D>^->a zf+pw=!v~>Z1o*QnBWRlL%q`>KA63x<^00DDZ7i5cvYCZ=kAD6j@#Qj&8{8l_KUcn= zT|1or2n*AS{PCG^MNl3tL}t#Lb!(Y8fAS<5#}@505Fl#Y>UiRgmpT{jO8oXOm`re}8 z_hp$2lUgcfRu{|UrB%D{`(X1`;MHWMs5qmtTI)$~I+`(Q_FB5}cr%Kb!R?uN!r{0> z;c~vAo56E{V~E=(*l;ivceL%`|6e!%*44Uzo+yo)b+d0)pL!-s{IYmC2M@#6cQ?L75-1sZane zf3K)zZ;#LAgFBhd7v*-gY*#%_|9^%i+k*$iG>_4oaw zH7vmp1o+6+B8O0iv`al>H@jE6jgFgY!T3|y*yx7o@ef>NTzDMS`V#tghqh;}LRnf) zuc@9$r8aF>E`PQlpYk;nge@p3n~oNWw#mhnuCQoLX1{fFC@sko{j?kV#@FttTNMrD z0h!6?lymH}+IPJ)Ufff%d+hGjH$N&eJ_7%*O?LnVNcf;?zRvCrPZ19NZ;&Jx7l-smT>J4pukQO) zzc9Q|aS8t2C&8O;twb=<8S}?2*W(SgRo6W@B5vQXDIGt-dtew!Me_1^u#<_jP^eQO zsfU=!t(;wn>#(~S_QBB!13I9Un_V8z6h11shSy=<2< zOr@kT&HeFSk^D-0toQhZvUy2z=tY@tbPOmcU%SaVuo(4!gsW*v?CZqC{_s~Ah~xAi zBYeEqZ#z&PajX$GgY{W{BgcQ6G+3>*WAI(wbzbfIX<}iqFtB$T5S&OMMHffJYQsr@ zM}hG6@5b{_ufeERPfrg^!Q-xPCLqul$YcY_ph-DexeAFN=)*~5a!yw;mlF^ z)G^{C4Zf@u8}dWeo_gxINA2ZKMxqe8Ndg81NIht8@=}Z+7I4(zeJ_7n|24lu?z))W z^@@Vqa|gyVTy(y-xA&tfxMqf@AW0s32PK*~tuF{!wejnpej?Iupcq^!AQr8a<0t!n z;l&AMEx2$OKARmP%Cj4xVb&mbp!faRd|botxoz^{Dh;P3K7uc{MLGWI_RfvNu{p^H z-p6-D&Yj=C*oQvG8g7iz%L+*;uOqxsn8_c|mu ztUwiMJ*4WU6usSf`eFNyb1(Z@|4moIer`(>{&3v#8R7WTA_5p{2Ni$f5(=AIZ_|S=3LpBvEVHzAfqkEC z1Kktpue9#j9Zm$UABdT01CmpN%00GUJh^?JlGii&+=*YAtvNp1EQp?d8&@q;9)Ceu z#^qj4e$NvdUxYCRB|hJu&AxSd9}dMFmxrhRyLt#P2FP7bxA>htcpRDf6fWjXqt`f$ 
zvkQj}f56ZuS&#-A$m?U$Wao0?akW>rhehN|aQk>MYrIKxx}w`S@riNmP#?EpN{e46JIEAM}z{6sAJ3h_ANqGEWAcRst|OwlHWfhamhhu}(> z2*496GBk}e%&GgsN6oK#v%_<(4qCLT-TgdiaqHwFaJv$B!`zm$y}@&NX4|;z+1&Rq zulK&7r{~xSNJUZ`64z6Ld5@{56$rn6ZSm$;NfgIZ)$R5Ajd9aQnn^!YUN0v0GN=71 zjX$R`H8!)IiC1kW;$okL{(fjT*I<;Edl?rzoKgCW_A^2v9v}x!g_5tD+pQZKA4Z!z znKnP+kC+V9b;93Gcjpxezg(lO-}`QwEk? z#9XB9qejwPS>)WtxwSjorO}a5fW(|5bzMYIa>)nLoUv|Y0sY&qm@b?-e5Wm!0$Z}^*>LcV&>Yv|t-R5s^DQ&52mCZZUCtfA*sOaEisHOp59K ztL(0YkzUhLni|TR+kS z9;~y=ouOIv-P^B%U`uG{g1#GZApv%sCVGBkKB>?M-B%c(kfmB5#d+yUt2doyoc_zT z<`e-l32yW4c;j$xwvx-)l+_%o$63glB%FR@T`vM-wx@SfGI(GJ<=C_uRQ|Jke76Z9 zUncwo6_5%;tK5iddUv0C{1E0F9@eRWPgB}%pV8!h|H&xAoU`*u!!w3uGW}fC4N6VPo81Oi#y^uRc2muy}rY-v!1WJoCDJKQ-I>c4?|E*lxAb zYd|5$kk{R>Se)`ib?!z#&3)_DhMy+p4JJgF*c5oM3pqD!t%)AMi%p?VNtHWUesoVO zc01jW0TUe+B~nI)tPI26Ay6pnNF{k=#WPjX&;GXRaVBf_==P(R-3`X!7mA_ex)Omyd|~U;5&4;-$R||zwZ|KUzNv2PLaIcG8i{J$g(N(Dzo`< zvUgf!lPuNvv}Ho*>M55|r_pSIPfy!;@U5_s)>bwCKXIPmsiVc}G@f%$S}1FRHYMd- z&oj|=2t0f&_8W>l%iPCbu2Oz6wOuHBN}XDnmf%zRH2oxNJOdD{r?vn)(7KTby#)*e zW5M7a6$~abQRCdMKAQ#?QIGO+O|Y23cDaiyJh}VyM?BVS)QbABV=^bxtX&X8vPYdNS zgFHMuW=ekXjIOMai_66uLer_y$k4y(kl(*^dvl}UafpM65@AV)UEW$5QW({AutPO> z(qvL)8x+K2(`oKC%5<{18|@kTkL5CXgBcOYgA-Sq%9W146+3vG^0<|Nsd{9BhXRAc zXx*y`oi=mr#g%r&T`k|=M6QNiugy?Ksg2<>Sa0Exj70$AON_1%5Nj} z{cV+M7z78#IkNglOo#&dz?JMbpfDCP?oE}a53u=NRQ>Q#Q-e;ukvWU&8Yq{^DuQoP z3+?+-qfJexcLJ>mCgSb6g&#&m#K|=tR!F}_D^$plkNr7<8$9Kw-I1wYvqJMcC{P0bBUkWnRd9~5F3luhmRNIWWj+XOcc;Ut>Xy^UN_Ur<-UY_qBldtxs zXj^XIpzjmYYzIBDTr}H4jV)hX%#t6j*)h(^Q zLfHeYbK+h)YJL1b2hOX1j;^o!erQ2}AVMV8Ti$c=bdMIwCXT<>-L8OzTIp%KME`K* z`ryj5B70C^63Y`(A*=2&-D)<%Y5?HxNAVyjGoi_+iuwLH`}CR+(@NN^gPpd~&xyWzMnYyRQ!YyOMh`;F z{_r4gbknXq4^y*B63--qPv9*DQVgOd?ATgA<;s&kd1)GEcRE8y7azd_v8KdS2Xy^c z3qY~Uf31iHdphac6PP`Qj+15A|ENCcDxPTmSUKnXe)i7azLW|ujQmo{oWhj6p;N5i z%krMd`U*N^HVRw+Ri-EZRH$V4gE|_j-=E7SfqvUx?n*I?o6Ds0>X(MfFV^&d`#1MS zn>Dd=^@%Y4kHgJ`9idOnjDl+eUuWFj-C#$jc@TVATysL}@@)cd*t;YU%F^t=*nH1C zjRjTQe5GG|zv_ot=y3YD+WL;~%X6TAUB_9|ON4|O8}@ZK@Dh76MVuyW)aOG4#!yMk 
z8cseo599Y~9+f8w_Bsivu}|N`ueL^Ij=0TIJ$=AlnE0Q?ceHYp*Ix5d+vuzp!_Y2b zG!e1)d-XGxkC>Iw~{Z2_xM)zWo%?muQlC zR%*{!Au@vQA0F6@oh|>R0X|^M_@`TQAEH8})_r%qF=flwt@Dqb*1I_R zFY?{DDvTbSl7+GuV6kPWH;G;|%mzv`%w?1F{uoj5Sf{tU9ydf*2e|tLvzsf@h6r)FVX~ZeeDD8+Ur+=r4IfQ@I&f^?LoiO#UOdQ)< zZa4&8WP2gjERe zf|+}(CEwosLel>zvIC#)OFf7ZB7ckL$4zRxr6FU=5lE7|xj7Q{xsXUXkQpw3SwKOm zts+7nOkw?Oo}bLHeDSY)q;y(6q?%Ft2VnC$B)Yo+pjY3p29{ zvLw)(yRA0+woD9P^v5}ySkM;K6-%cl;xE*Qy`{_PQyF@EZFyrV*KeW1{*BtWTL_;C)VAN?y4zmF^(WAu|S-m=IcCWTo*(6}-BIPQ}9 zM$lk=oa~OC>b1{?g&DlaHcYQ?Udpghb8d6iBT}m3**ez%pY0E7aB5yZE;I}=e7|^f z(s&T;mDF3BZ#YcPohZ-vv#w-+O|YD?cC$|kJ8PrGMz~W%Jl0b6CYs*&2wM)zIO;PT z>vMRT$jZ+5&W=ibk?+tuSs<8P8evJ~b!ujI!9bXEIErXD>fqp}XIN_6)9ZvBoNv<# zwN7`=_``ofb8td$B`4O#2kxPK%zGLLhE|tqHfQGc{WI>32N%uBv#BQs?xAtZE>HTL z@e)Y_!zOnx(yin+LMKEA-AR0w0?~m(@X>4)%(=!+p$W_0?_0j`_A~y2Y>j@MTFIoH zU$(t_tA9NgCg5)dpYTyfKZ$9Ai~3ody=+?EXZxxu@UD?wm<1T*17sc$KCPK$c+3|X zne~gS#sa~)R}KAahQckZ+&(QAX=#t|;l=(+;&jz41Om2WAy+<^lP5R(VOOxG%*iS7 zndylt=}?C>BqGX|6u5We-8bVI4IC&aF?1%y1A3R1r`Z(?MM8{MxAL-@tQlR-bmSuE z>W{QJiph-YF4@Hh{cu=AqZr;J{CTpWP%VzI{+2KZkE=A;RU5ROh02`nzp-w#aLJj! 
z^HnIY=7q=$T8sJv#9%~Vq9K6@yMyJr8hdvdwn$?f&Jnu~+0bThBK($^D$~C`2Tv|q zt}^4t4IfL(lWBD^9&KmB;o$(3?!iv!mg^;y6w^SB?BW`KPQhD|u_--I3hW_*dwAu8 zr?x$=!*|NNtN7jTEpM4OLxNwa0aLJg#5oF2-xDdWaual;lZl3OD1%XOt~8m@E^ilM&A=yNb^j1YSKs#Y_THa`X{s z#axCip480>QU!`!h5^!~LrA@@Aqjb|O_i!@xY2jnt#SsgiWC_jmO;ra^dN8K4a7}1 zTCy4xVRA}Yv~oB8Pspa7B`1{YNL3Z)pRK55@uu7-UdS5{mKn-*C<@lQPvb`e)Kxr0 zz#OIvI+p}e7eT!eo=P5J9btVg_{s+7*~8wba7Dk2Y;utLq0Yw7Q?qkn3Em3gtjts4 zzKQu~rSeAY%gZp7o1ovnX+L@1;zcpee&`Uq&>MUW$;9)h=_5(f*Rl3jIveSo@AcS#0C5Aae7+k3Ynq|QASe>{l=b12W{p%QwAJd)~8bUp8w49eLsv;h5q&24X zyi%krR}QG~O2d1b4)iz04WLlRDkzfvh^>d&GEn)Lq$=w{y*HYqLL964>%t@eGSAXD zi3N8kv<5yVxAXafWC0AFk&UqgN&?$(T}-Vc+Qf&Gxw0(eP->)sZXZvPnCY~1RFVE| zaw;*7XhJZPKoSUqNG1`_U2}<9GTPtneoPYsy?pV}SGcZOon~e>41*6`ni6O>DZ(s* zKIZIiDEXM*QdaqO78L*jIrrrn$~h1*^ACs)*{D_03wZ-t0@Cl(G*JU_5V2ki(ny0x zX@DD!2I{^QA7f10O{G(F<#oNKry*&6#=zV*L5aa5e@;7%xE`i}z{RgO10PL`Lm_C9 zG?s6vCffTP?2d>`Ajx4XBUSK(&+ihTRb(QSBrP_xc-me#+tbk>h~4iNg8rw#t?C3E zIz(zsX3|*Q>8kb4%|c`@6m;0^c?eDAs~g5Vht)oZzp*@hwLisQB}k&b2lBa&rA)5a zAW8d&r(VRydu&8LcotBQxb zK%qCX>+pMwEiX-hw3DcI!~2NTN}o-TW)n2xgWK;CVe&*f!wJ5ySfDwpKB~=0Jm>W?iEeb%9UnCK67s{-*pu>%JegI?PJx^a#8jbas$S{E<&Gk*Qp(Fgo z_8Sx_96FYXY|^rgMF1JWDN*-@AU^&UUfz^-tD=broI8!IScni*BEKuy5q$^wR?3XX zO`hm9^gd^a(9T!M^p_1~&kuuatHA~WX2m(J28c-XNUrY=cDS31!AnJXLRmcJh8)~x zYxn3wX-A}_fm#T9E|&>*zKTCx6UV)Xp4*Q^jyNMFS4Ld!b_CPeoiS&w4Jf-*WcM7<&pH2jlD+&2J{h^ zzW$L4XY+k0y(R%48d(}G%i)Tg}Tc8SNgi z&qK(jPAK077tf$FW3D2(*|Xv}cH`Q@;4ByMx0``SK;3o+uEwlRcAtTp=Gk`&ri6^455N}6jv_;Sc?L~x>sQ^{C(VXA zV8!BCt(;gS77Av@DA9Dp@WfwXCWp^~U?0*<<;r#05)O2k;9JLnD9tlVyF9%#Ud`Cn zJ_I?0*^Hrj5uzsy<;t7?htU<6a>j3fK$!i81QH)=92KP;&bZ0WPF|7I@ovq)j2-}=~Gk?ip(kE`Kp03F~FytpOfko8n z>^T;uPjdvQYvJ+MG8KJ5P{?H%{(%qdATn?XD1Df^7nO%MwTR~te&b^OVC#G8HAT2$ zYLU05e&t4D#@>O>On~W_r{BejN3qZ}-(0kqmpP1-P5atSTpc-h>qp*UbtZG3p0^px zmTFwonnt=Rj;j$ZO3Q6v5fNVMX1CFCs>l`|h%yT@Qij)RueR#0GHohP2}w8v;u#@q zH!<^I!*O?PMz^wC>TFUe+?bxfZjC%|E~XjJ^V7VNI?-ZrC+yqib`YFJ&g3bs)At7z 
zwAtk+wUOUPz5NA&^2EIgtPe&G8k?rE!RI=B^+-aehbZR5fNz2xR%|=7Wc-#7M~^bHEatM0Q}lySL=iK?JqmtXjI|r=$pf6tO!Yn zXl9DfoiexMGQ)tLTE&t=+Wg>zgx*qYTwJ}#b6sdZPI-wbfkIgQgVgErPHI`iaf9t9 zXHDEfm2d=HW{XYVo5&!&jy!k;y^-I!k|32yKJa-kjL7Hj_i~$SwXt~T%VFGf11Pa# z1QztXK`XQR5f^k#&o=Sf5xJ_9XXcNdrOB7&z9GIVt~Vb~`TVp!2r1AI8sx^DX+l_d z2pdkCuB7^PJ~o^+J;!501l|3JSz}mA!KvXe7sc2{$%{s=R~`|Fma{hLIS0^;x)Zla zeF;JDKgl8;GLvBp4Iv+^U}>a5{V>qI6qz0723*ASNK5Woy$T_XG*IL4zSYFLlCm}C z5(;q-DhWuSk-uJir$zymUNcijaYY-A&E)beCOBFgTQA9k&u9W*U5>jfonpYZNhmPR zxe$ji-$V1bJc_9_N)`|yisEi9zK}h9%R1CD29DWB`Z?&|X4EUFrH)62&PO@OlF5Dp zjNg1u>(wt<;>P=3E*Dez(J+bMK0A&dd%GEG@Wj`nvd81H6R-la8&~Cx0f&j(9VGgv zCKspo=6uC_L2bRJ8AHl?rPLdXnBS{z(cb6s8PVuGd#NQ=Iiw_LD?N}GiMhF#rZ^h; z>1nYUDFpX%fo~t|NvoPHr85^1QB8=2eI3B5%f8;91|m&`C6q zRYgx8l8DQS_e9vDHK2HyT|F4@Rp!#!3l{EE`IN_1EpSAR3fYHk0V|+>Dn-Qt=keKs z(%vp~!XFyiS)hJF8cXw?~=%PM8mcg7MnsMbDDSCE}E<6PAShYb@Hn z?nX49b^ruUu#Z=uh0QH~)OQan$T^1J+V;&uKp6)wt_jlG-`w^$RP|9?#@&XW zllIqlcswTV3?X>yn_h6x7Bvow4*zJlM-pJtaZbs6)lte(I^Vq(_Ra1_hqKW(I&YX= zt-Fi8z8w|RnwH0Yo7M8Bi6i(@d4;xrw;@ovTl&>oe%bqs>>dLd6XJPj@?0>a_>u66${3C?{kG@NF7=N`_&cx=BEgAV!F2OQ$EcxS zf-T`*hi|WyX4f~!vO8%*kdcvOx~e`^7!$ER`4k=@81^%b8_2lu&ot z0ro9@0;gTPEjvnq3^f^&$Bo}L)_ME2H?flYsz5d=W82)qQb{1P_Y|+Z@Vft6f!+VUS_ubc{p#qDeIUZ z13u+D*pi!DP%vW2arr@%xY;7 zP=YeB$hV>xq7ak^xxscJAFx21CB<0vI$y7}L|MJKitUu!pEMRwnTcpau_I2Fmd zH`tPZ*}uY3Q0_P2Cnf%qrVaRCMA}Xif*3jHwWdL~a;?GL|Io~SawdQR1lSISX$tp6 zPG@sZKt>92rRZ<^hNdBhGDioIYXBkvIb~`6-18EBBmK={28hMwSDeZmMs*E=tfx+U z4ObKe!{yIm@TIyvv;iyc@yMh@p?f>SMf9A9&kOeC9au2i z1&mPx!&*X6CKSb>ggpQ5>3v3uMbT;$%2j7Y(~F~?CZTND5It7ux9E_u*fAEctQk0t zkh2`m;ngk1HgP!A2s%tj2325JEZvruEf$1PiN)OEo^m4t0C7KsC&q|gCN1#H+f{~} zS!WxYv$a}==M(OOo9?@3KdZi4oy)1g!RBl{K!uiAN&Iv+JEZJG76Wx4Uh2)X#PA}b zQEaJh$JAC~a8|t1AjN@CCdJ}26OO*4Z(MSEXEr?#mJ<2t;VL!?JsluY@z+;{zH5Q*|Q(Wu5dsEp@xRh12ZGTp#g}H5*y*;?CU}i_tEu2h} z6^FF-pm@EOBtV=VXX{!S$z4?yhif|BB~p*5tSLaoKEgFmy)byFmxD~;A))^Kr$uTi zO(W0b#?}_y(05BNP;^+51X+p%YXCZ^ZOw5 z0!xwYn63D;99(~;n});Ooq6L2du&N=L#$ShUruxI!tXTX&=_GNcR3v*{$Yf{r<^;e 
z`D!7%z9H7o=dieCyvSI;B$aLC48r@6e0#~E9rUytvt!f_Nt&pbU?wtS3g zN$*`Hm7OHceKYC(m8pC8Xk_t@@No4TheOSOT{a*q9Qz>uo3j#l9}Tf{E}Rgn z$nY>51&kUAGmwK4C9?qV0$EM361M#>jF-^^gAnU?rkncaw@8bmQ-pu)8#i+#8q23Y z6#%eRWIYvVGaUUZlB+|Xi|{rCgM9ejuxv)MTF#XShPWvp0C_#>QT7E z@milNmU-5To*T?i;z!HCq)M_EHxSSi3VIJ~%6RU0kxzdGAiVF1CG8k8J|~h^lCg&0 z61*km6&vshG9u6j7}x~48$`yx5K6=n;)oX#l68X|Ua{fgD*~5HJc^v(bqg8Dh8op< zSTmB}(_j$>d5_3TAk8GmEN^PT(f342_J|oEj@Z=+7Ok@4Afjob9BwuFfJRZIsi{Te zq;~T-H-HOfG@BtxhfIibC{8nN#NCjhc~!}fI=+>lLGX6$Y_2FO>cT+AL@%Pm$c#5p zchmnu5npeCulgJlp_8=zeM4epfU{<^l{B`+XOpBP^r4s`sj%DUQCes7c}@gS_godh zmwmT^+Pv`&o*!Yq?M_7F@W{28`{Ve$g8in)*8VW3R#cdz>1SlLdwY(jAO7~%C1~X1 zY98ds@_6uD+W~k50K>ev9NTjWRf6*D0ysD|f#OfLznH|0!7roe*h}9ougN}5U+t{G z2KQ*_qZVZJmBw9o@rWeiR;=Ff6DXl>%AwJra(&3n?Pr@v*i{9J%i!+K%1fg!qI+VI z+#W5&%e*#lkevfp3`PXJrx9#*U%9h?nT{uu@S>8&;Q#!ok+2DE{LDr=AtjLuktd~v z`invP!PdgU4x)gH+UF?{u(bOSZCAjNUxDli%^D>-oIY6jFiz%!X0*Mg+-Qa*_4XW> z#_$35#SZ-n&@fJvKuDI(wAa$j7|zVaMCF{zh{Z7r-#MD4o}lY!=js*aSHF zdypAKga(XnK*6+U@i|rto(D~&Nd11itRI_yb;?k_O#5*|~l^ zmY8cS#ERr*AZT=Y$ofr#jA`D8M)WL|v9ro-*gNYFjO$QrsbEwdQFC?yS6x&u_`K^M zTy7W6xE(4%WG^D*5*k}+ov2cUc2$f7N@}|c-x9>3drKJ7WO;3~L`0*`}w z_8$2E$!7xxE0)hJj7)D#dw_T}%X6~QPHVcOTMj_OhXUz8kl5BIhZNQGN2gN23woU* zM5g%MPGF1wt)Hxibo=A}2#7V5Po?oL|J4qevK(2BJRx02iD(X}ClXsq&ECsZ1QRJO z%SO$$!7@zxbB&5d^iGLRZ!F+t;QUgMuS$P-va&K*^L;<2qxJa>M#kqA3m`eOGt0P3 z*2{8xc7r4L^e&-Qc`t;T2V`nA?HzK>xVn$>fAZcvQIw)q31?Pd{y|)NKV#}Wa|!lT z(!y*_uXha{i6@|DFI;Q6d!~30p_QPRRj%75MHw1Y0}A*={^~{F%XEqfO;Y}O?8bnt}tb~}?Te(f<+C_^_CX{;uR7clVH>P=Mo0~)=Z8S~ak4n-Lu2!p&+T#{Up0rlW3E|xHo zUolJsGIN|@cgM|;)wrz4FD?4htNI78>bv(QCqxz*>}&SJR9AX{$mU4=)UrjDepgbE zO#iKu*))}Hr{h5sH&P?n!6)qq1TGEjhj3K*KOP%ad;jpjVTmmC(G@jGx~>TEu#$PM zcPio)^U-6F4PlGqPjE`KV^Fx1-+clst;wL~M}Ep9|JJbGFXVg*gipUObP$ipuoPId zIL7Ln4t;FBH)igwF1T|mEbF7(W%(pV6KQaY05A8lFyP%Ieq6UvyaDzYevTFRPZzmj z_GaXsgQEnHb?Lbns(yc|EZ>Qem@(N)u?0sPbqgYmFuA_@i{!R?+2lMD7F6Ik5#+|i z3}X)&it|4E<{ARQEHEP}u?gxFMS-;)lJY0$zj_<3X)QG9crv@*1Ki}+>EP4UkaCO< 
zcH)KVMZzhsVZ`o2D#c9gP02Nb1XKBQftP*wtT!v$AUt?npWE45QKJqocA89tEgaay z$Z_t`0jH%MGPA_7{SQNl#p5qI)eCMRhrvK2$|>3K*lbPp*4?t3rZ5Te`WjmWu}OjBPcrnw@c5kgE)NFR(Ll zl>JCsDgcx-Si<^4BOsbL{ph(h{IzW457>ZVictEAJj&AR;^XuM_9EvRqmg00neO}v z+0rDRhxA~eSMIOZQiWtWNKg$@50W&Jj~A`N9R$FI5CYHEKXb`I)Ejh$~yT80pTPH|nU$llk0;Y!sFn4FZL zeyW&sayHTVPU)8UdtQvITwIwuUX^+v@*JExz9Cd5wjFbeW+wDfLoopd_E^xa(&nNt zL@ZjXXhbX|Jb@&XE;35Pv`@l|DpKXfJCkNdT>y2&ZMHzlsz-dj!|^3bCs0WkhkuU$ z4DBJe!iibj{Qw|vyR zRG^HL{|)oQ0@8tg$P zC8DdV8(?-C7pMMiPoC<1fE?-m94miz`+xkk0yYm(NdMTdUGAIC%tHO$a>+5@C%u5* z?eNsjyIhXENpv4N5;92@30qJ<_r@5}1UIlIt5t(0ZU1rAXV}0it$N2y-RNIteie2D z1(QL2e}Nw;df*}^cGSP8*++K%;eG7twcI7l6ibt5g%57HlEaL5 zWxeBK<#pc`K$xup}T=+vY-h9VsNDc1 z4(8z#FTw3Y64}|w30EJ~P%r#(=jB|_n3u!_p2q48Opn9I6`h}uq38@jX3TI;^Uh z!vua@G!HM?^kV_gs2d2>e(7@etkM z4s+IHuphEyIg}L(>dE!O?_&n8*C?8Ox}vVzF!?`rSHj6^fG>WKNF7UaUxi!T#)OKl zje{K11ZpH#ntz-tFA8)3{FI>`F9YV~6P*h6R+{crH#fpEBez;6T1J44OMU?+=G2}A zHpKQHo}X#6+{pa%he~(uWIT#`wI|XJvl~!dKg?gMA2OyE9G%`gJt?_HrREp$uvNM3 znM;81i?PgP#otg|sfyTPVioq&sW*$Xv<*W-EI6op1&s`zy(VY;+9w9Swp=Vi5s$(` z2!X76m6-Jvy&KpKnSw5C<^!neCB`Q8KA_a$(R-rURx9Es%{H}%Xpv=Zil@OtH=+bK zHWtx{Q3}NN@&yWK8C&C@9(W^Y8!OYla9+x!bU#0y>MCSp>)A%U^Fz{UbVT311rqpn zLfQPI&idcVDpFq%1bAkA!Gs#2jYwHa0;7;ijCGoY2-N2tm-K(6EJgypcJR^YdeWOC zIppnG2*)mZe}zpcK0hIr@_V@TbpHLvze*EzSQE6ZWN|MZNowKD^f%*%9?9R+6*3ZT z_ph$x4HM(6pa(GBwm!B}F!>OZfe<9QajJBrb7eY#v7mY=^s>aCQGmL0Fre8ukJa!;M2sCu(*E{;O4($)LBU`H zo4|yrd!|sx|7{aE7)-7Sg97-0DKp5R*gwq_1ZJEUe1K(7?U+@K6Cy_ZN9Pv|6vE^M^E~`j zSp6@7ollg{_4g@EGEVS+rFG1pe7?a7`bv{D!D9oEb%o^eAXbAtf2B9R)KuL;LDUix z1pnB<|Jaj(XgBccpA?l}if(wL`(N>mte^t1s}VAQC??=ffV>uRrY2ShIpm)#LnT>Y zBCircMw{_JJ@i0|!fCDJ_Htk0j+iC^RIGuZPoZ|3rSgREBl}CdK3d18`(|UE+Xnw1 zvRy8_?WuySfwN5Ih?R?z%oH#iXr<{WI-}Jk7s0>%ApyHtC(Cqx6)qz1ef>X!fg%Rc z-hcYl83^bW(`?2AM#EM^K=}JEwe}g~xRgkpaefVOJ-HhC`v1{8+KPak-?uAkDx8!cbrb=Q1$++Snh^khu98Zu9u1@pH8@>{pYYC z`Uxof$WoeD3wYT&5DP%H2mkvEi(%(JzPBM{vTw~IuTnZFFZ&(A0%f>=&6TX15V7Vg 
z?E2~d5~Oib#&q}f@jkm)qg{{i8tDC1Iy3uHlU*Jj$yk^O2EQM5UGCFsrN-v)dE>s${#0@_3=a2wjn*M1}o20VQf9Wd!ltu)!_F4H&t z?ST+hFuR>WimCuun$F?G9mbh9Q!i&6+UWQ{jYBzswLL7*bPLrFA>sy30_XHP_xDpA z2L0B6R;Odhx98iUaI6Ulz|zG=mxQrIbOB$RoE^T+Mk__r!^H|7&0FsD2>Q@$Ek!t4 zg{KC)$92CQE)a9)_*_Epc73BzX&$#?09F$Of`?-?Ubu^H2zJ2$iY{Zfi5QM@<`kz#(mn$^?OCS7alxS)lf;5rF0(qX#lIC$>D>TO{@0>A!HX)5tTw#bBXEbH$nk7S%L8k zA?S}MiSy=<&CXSRkHZ*KF)ZshR!htZt-E4)Z3inAoBq?bh4J+1yr&x)yEyWI7x?SL zX|kpkZylKcZDX(`h^6?RIA|Ld;NWEeWv2AkRe0{KqWs3^!22BEVX95}Y||#f_8bm( zn_;X4t$z%S*bTNhT0rO4K8&T~qt2Vi@%$1M5|XbFpjM`oYQJ|_qX)ANlrHdvycXwGK6J(n(-NlBbYA1Ixy|AIf3 z_i%H=#?IRA@e~KtU>9Q0s3;!KS@hQX@>dIVN_YTbNXSSk3)Gp(cCHJ<6TU>!NF_LB zI}zMX$qS>#&+zDKf{*71BOgs<^2Esi;V5Uh`;IQqs~zsiGX-*%E{ywOPU?RC{zvy` z+PBgf?%zIqm=6N_s`OffN8+f8cehOyfb~D6IV<(4h=_=!6S!)`?s%N7N6&!VM+SgR z=(|-Y*#n%gi*6UDWGd^+O5{!GrB;*81|@zxgZAgJ;&Axm!wwV6vG(Zy+sOe<(+CxiM3q*fF0J@_OX{dT&g8?Th!1^`QHcZRcmBveyQaDQtd8#8-7u2)kNhE0={sj`~7W> zF??^KBHgru_7gxFiVGPVftZ=mM{Zj9sZ_lI5YSoO?r{{i8to0k7BHpIQVXfL95=9= z0@Pt!u2<>e@EJApD(r?aqXjqt;`zdPiFDv2ya($q#?=-pv=~x-wWt03s<83w6|i9e zJ>|BYtEz2opZ>_5J*Ug4_`F^<)rUAvKTP#o-lYzr>~*q3p1HbOy2g_Bnh9Obez%BN zue52v?TyRvy)Q<(J-kL-9{}VzeyO7Ej470T=+H!SJ_oa44#%t1R%olZ94AnVYrp?C zsXQL;FsU5-zqGo4{m!Kx3YYsC&ep(xR%eAjt21zM;q?RB@@T7A7-oa}7;xPjbHru; zE?ei7B4ruq*D5(}RQtNRTn910AAvcUEr7n2@>`|WWW*eZ>Y)ZEW3U@7ak9JiI;(aH zi~ZzzP6XC$*TR78f=gn%RB|!+@Jf4s!}vbiNWft^9d{m*di-#)(Nq$R=t6vZIv*_V z$)j_AB48V%Q>2jXyZ`nj7%1V&XzHHMS(FdjDoxSqIYm;m8cBvz4y|1s_6hbx zes;b-0TtV-*I&1?dibu_`bTQ5G6dRn@mn+u5K1*$;3A)_{n&jxmy5C9m_5@@C(U#I zP)*?yY2g)uPPf0TCk;m9%oYJI4Wia%#Lw(;{u3YlU+%hJ9t;S@EFCKFzutYvR*H(F zh;mU4T9OKz4EyT^IUsY1( zzE*r8_~Igni!UBQNQZGzDrJfBm?Nq5>^Sk`cc)_+JNss?vjhD7IpS zPf-4i>@J74@W=@w%@(va^GhM!m)TfDb69W#j_wGr9?zVlnYCx8@})F#BzcML7j2< z#`ea#7wSC0-OiqJ?>8E>FSi);^l&8-3xWM?`TBHvqxW5n@!`EA7;_?2%8< zdLJ~2R#%)h?_<4AW^7YHxTng0{H2~Q1@S{|gTLNpLyuOss5~PQ8PWmB1gNJaFBmT; z^3ECPVu%aogSp}t%<{R!#tloRrb*mR>FM$qLHoX#n=i|buaD)d&m(^J41_try5hwU zw|b_l@9VPedx!Mw0c%9ozLqgPr#z6=V?>F#6vtD^4_~(%C3V)3;)GVqaN6i3M{IIb 
zJKpF!h`K0smt4^w;!wz&0336KsntqUN4|3^*6u)(^~M-(;O^@vLX&CqRO<4WdfVuA zoYf_fc?HHuEC(PKW1MK+;J7mn92cmCbAvkO<`0Z zMEp5QmC72~*@+8)$-qJ*udWwNCXR)#1N067I5X1fr~pdd?Y%v*8*gn{@5)CJ7s9dP zKY(YgTS+4VrmP*QG**)_15|71TrUqX81f2Y)!5Ghkl)7gk?W?#;>oq$Gb$XZn@O&A z+=sQ^hRsk>V#I)gni_B>iVNZ6<9NlgH_cuHziN?7*=Fa5N`&ZwwJO~UDg+=8;trP` zLn?u77Kr9(XtS7#$z?5=-xh;E3dWf=e_z$N*aKE_v#9S9>lj`NiExJ$r?`Zi4T{85 z*(R4dOl5AQwwv!L_`UOAWX>V!6fkkTSB42#(x|Y~*m-0dybkZ!dGrjJxJ}vq-*Yyz zuOb-YXgUI7E=8rbJHxezTXk-aqhJfgpZx|O@WkCbO))rTOI^jr`6eKVRjPy*{1wK zMc{^Xj}bfEHk&SV7})olfBHUFCdWAQRJAPu8OYs{p>xtHT(+DLvktaib#v-6nX8iH z|6Tp@g<;u#}M&iLIG6G?mkMcYlR+PgRn4LX!Pv8#IGWbiQ zOq4=qX;J`d-Z+BhZLQ5YJL#<^Eez|$2kz4tmP*j4O1mGc^@){Gdil{j9_DwCKuzAv zhC8yN|8oO%rt?>=i~Vu!ZD&K;z72nMylsMuPrj8q_oFv&xm7eewR8&aiOlTeC~lE1 zBwdlZ%b))}szv@Yk3NMRF})z?kbpxg{@Eg~Nf1!WER-89czUF&bg!4PTdfQ4a|oV; z`?V;=h3fqI?7D!UaU6Y^+@J^8e5g91R*ySAMIS@0?|FK**+Ngjpz?d!>KX@Ccw35|ucTd0rARh)6gG+J+174I#n8{~j z>a(ka?@l=eqUL{Mz}kv@hDY|n>6_p7p@G<8wi`7q39a@c?4u!j$np{k)(?$?^!N_nF^a?bJ>TkVxhPY2p&bh zqUiEC762ies5wtw{xX>PHu1e1ZzML!%VSL$BCQh z1erg!LXm@%`Njwjs>Pt`&~t&5sOzf=3L5qoV{_^_HjcH{j|{Mj05{K;ABytq^@r)# z3ACwHp8Tc)X95=PGrnZwg9$H7u{Eu~ka*FNvRJ+q^WuF^x-Asnd()k#Xu8QlhrtBY z;&Ix*?^)rdVgZrv8C|xaMe^BVq5T&z^jfb+J$(|>92k9G*}Sf_LkT03x9Nk`${3jZ z9=9n@r>i1T@sxIeDHNBpFBG4;w&JK1Faz@&*5*6Ck!DiaK9tq@Y zdEBp;1F9p37nD;dTTj(?eQu>oLtOl4)3ZQANh`CLfvo=hkys}Gcd9-a!^TcDWMpLF z>l5G(TnQ+5-g{!VSdi6Y!**D2ca=*QB^vew6%qi#K1CY>w+1A;@x`IYy$9iywXubv z5O9qutr>PzI-U_NhVHFq&><6J&GGffC)Vlqqsq&70hz&H8!YJ1m8S)2*8;PIY+R@Rq zyU?3GSoC@C7!jz;E=!NLbuU}AF5uYa_*hIuwWe#u6@*#(Lyu^6{G~FwADM57&3J^R zhxlQ3K?_p;EA0|xW^H_iVQp=#Bm~Sa2Q6;KkJJyYD@QUPMv_`m8V0V!p~=D7Irzil zr!%4RMd!o4RX3xp_(j`6R@%?bpXb->W2vdKsjP}UUUw@|>SRQQMH`B3>qE%_07MO$`*MQLD?N8Ar; z($g#4O($5;l*vp!8Q`Q%1yO|T=3y06o8 z?WP4wf|Hl-?TM0zB4Dz#2SRn7`5MoVN|w4)Y+Xs4tALk&&?zcFLA2?Zr@-5o zn&(10)!$T$A6x%c=J(E!4dSb$!uf3WeYMQjKw&E#mho zu7hy?V1zeuM)!|<_IuiLN9*-wAsXeP1X4$WPpcg!7mEdmU|XSrK?!!$ZuQjl4=D$; zX)O5?xjYYqBh2Xik>aV!1BFX0`7^C+ScmWaLqbRbawx@(aa7wx`WD+WgoJ&CmJh4< 
z(4e2+t@&NBWAqUSUpyz=Umpe3^(68lc(d7084q@!v_0%k#eF($TL~Oqe;D+zJx?Z* zknnALZGMM-b0y^={7OXwugP|U-$>AW+Dog|i=DtPhW~pQ%toJD>Xiyk*ZFP>K&`ZT zSiducPB`I4f&*C$~wiipH1V)+Y9>_0mw*quc1vI(-TQ>>0nk z*ut>(nwb_9g~&?~ci>)zca(CgiCskAmKLKR*JW?1*CVJx8vEvh&Wj>pb&kwiz>dS2 zm{aM^<~ul0)E{}mQ{2(X=9!9o;gSyo3QZ4$CsX5S^Y+(zA~!bqg5c#&=84vu(apM9ipJ7nYgywm;5-e~e!wC{|qsRNK^B%R9I5*}QqEIA0e zI+4LWv_LuCFBem%aKN_j{WSBbb*Kw^_ImYHQ`eXd#wK7R#%zf|somvjwbH+-v9hI5 z7L`^*TocP6l{UnyI{5kFWXnm?`C@&ip_#xux~1aBX#K@v&N{qyodJcXYjGw)&^O%- z&kotir5EGYPwvMmLGXn`uUW$4hO5+kj?IYRf2Jz8_@Ak|GvH73vZ)CJ!J+m_hPcSr zIq2mxS_IV6xSe4NyXoYTyc(ZJDqs)>LjjzIpl_778rtl~XP-{$ZqDHuHRDxFg>AkQ z%w^;(`8tMGLF|R_K!!4%WmeWriPv01qU*clAU!tk6rS}NFN%^>?4`6|~&ukVy!`t0_&~qnkwcp{NKWWf` z*uLp3@9xEvIb=5$L$^eeRwUk@9Lsv-r3WQA%9_z znQ&+SB3~*TS*jx@B44(1*KgAP9f_X^$cIhu=a~3p0j{@x~O6vQXn333zg(nY(cb(oX7;LOKL(tVj zS^i~o%}L5>UB?hWu4FN<*KbxLHN*BAXS_rOCayc|j?~|Clawz-){}d;qh_Ww&vZ&9 z-lhSkfa++vlDV>v20ZGqd%@&yF}`u9mno@5_rnQ)ts*uY7;Y@AKuA+jivYw zI?&0xE}f;ETN=_S7~2 zgE#hW?weR5N2^cps=#8UX*}M!2qrTDO1C3s`Zew|WRUM z<2hA9BOOM8taEv;=zcklOHKJl!%CxYIDs6$G>RxA@uWNU8CH~Y{hkH@uCx1A31sf- zG$$`dSaUgE48N-l;d|sJPpang=jbJfnJ@c9;Hj|_H&lckiU{?!Qh8!~2>ivE@ z9x^_NBc3RBd;ykG(JwRK-nFO%mI-;ONN?Nbbm;}(k(q>!e1Ey9u|!e~V0Uk0dAmB$ zXZ_3^hEDbQ&X6vw-eT2TA=s$Ed1F#{$Gzy1IE#Pz-(A@gl zlt*y>wqmjLdm`M-r$L zep9SUa+z4aQ=M&+;j+X z5ntNfXlOm+sU^T`Xc2$VW}6Efd-rCT=0M2!UPCH}FuQ!%oy={qG(s%(7vDG&v`Ckt z4do3cvJUUbO*21a@2GZYewQA2e{VYPq6a%YgRY2A`DOBGw!-~&bODvY@>>xpcYKK8 z6GFBNw5c?KhJ2CVLs}-5jzB^Vi0@rbR{mmtEtoov_Pu_dx9g9C%GKOOI+INo=$fO* zFr351PZCcd{u7P}$)n)oqiw)el2ZAQ*9<@_LAs zqw;R~UiCVfYod@`>8`;=t4kEwaMm-;UGPSu+9HKd)1C(ikN+}tq5&rUBE9v%Qh+nB)L)=g zso+XasAGQ^n+o^w(@j|sgEi7QXXNV!R{>hvRrt_98Sa54fQ)|5jJ@-%1(nX7=b4xt zuyihrR@fM)l7`Zh6+{Ie@G($ZkM??AQ%->}8pP=)qKZKc+1iu4$mt_DwAm-lwO0qgtyR8;*73)%7NX z75}M@ThcB9d%D!2bUT4VhSCqEQaR9m_aIrl9EaF^z19(0e?@FcC)<@?`#ria#avZm zHO6Gi$yWcSFIt7%TBPEun%E{1D7O)JfmEjS-|@D?=eJjV4mR3mhQH`}kiaZC*r{14 zS4u^}+MYD^4rc}LHE_mAzZ!bne{0k%XG!CGNJJ 
z|1n=^F1WWD1rBG5l7Ijd+?&4EP3e1A74f-0%r4oXmzq69DWAVe_6Ikk&@VH2exdQ( zHoUswzU?poU6# zzsY{;gI3RKa{ju)bpc#0%mkQD*pT2n*k+&Kl}HuhK%kwoFe$68yG@6Q4N#bY%K{jg z0S2Nk3k&z(BS|;#DGUo37eO>pL%LQsLX#ByViv+2mVEjO_;VvsE5Bf-k;iv};$D(h z-bp`G=i5F%aAoMQppC_B`vG&GGD1yI!RGK3*qj^s{=v|vCM{|KlQhRL6vp)9Tg`p@ z#C%LlMdteb_=o2{{Ii1!5Br(B4YEaZ;fpxcB!%-n+D-3S=TLWIO`M4IrVWm&?3ZLQ z6yNP#Eq-#rXdGlpur{jYd$zAU{q}`9q>eQGq>cXo~Fj;0*U*!9~z0xgrx8rJagNSGb`v`wQ(u{F< znz$B2(y`4Wl=g?P%hF7R0sn~ZQOS-#)Uthm5JN0yq-6Xe+2q=hW6m{ZU3Pjy9m|tS z{qrlrR|d<*kcSn0U?uGFZHsnV+yqW~)C7JvHck%e^r*CJe&0MH*w>-)jjCwSbL0JU zbTRP3(y$=qD$4j8Sz{TPn5H*^-=6pe%>4W%Vq*hk4=}*O%2;arPN@6yyfir7FuwVH zVQ>u@c4%L?nVNr`fu^onrXZbpviCOe9%&7;dN0g#DFSM_caZTyUC~)cf zb_R?pe4V4;pn12&4^37<->DKID~qt4KF?>Q0>=~1P-U=G?3GO>e!CWc?$)&`(4mUdu)lIJXQsWw$iO5I|5Mrvtp1`0o!%s|MFGYN zs|JLCHzC7?nCNk9j<>`-){m4|;x#zBRns*P{u7E=AE>&y3u!s{VAHoVC?$5{3J619 zdRE(OLaGy?YGGd=BJAEsH0pw#66F@&jwf;OqkNOlyt(7ID2P!|nE5r-;}uwSOvSm^ zHnZ$8BFqIvb`!wv!B?PCzt*9J`seTV4dDfZ7sN0`m=(hYR1Cz!jTJQt!ZxG8hF&;e zkZm=-QkoFW`o%Cj$vLg#D0d+Kbl!3So)HMLfT?E6n!C)fZ_;1uz{+xmY3)yT{=FdO$N6Fo(f%`3wZ1*vp!;tBKkSD#eo*DpCrjsEue?)4CPq9pWEF! 
zGp?lSE=e%lC4f-O3G-Zo>^_J-lyn_-;#?bL)uv z8k~VR%Mv$(fISsPoG7zP27LrG?Nl!|6&p(VX+kW|K;FwlxrG?|c!CEaGix}@E4^00 zoqAf}0x%PHrl=DbrSTm_FmRVNcH9%DezaT|S;j@3MvV|KtayCIK&1ImnV@)aYB~xx zsEgMu(F+-fWyB|#>yM4DtvOv}C(wRov|WVAh+eCGEVpje)9WF&+crF zp4_unFUIlf^w911ESah(LK>9mH33lv*BGbu1@83b5*0m9FSE*W0_Q z9sdUK1SDc=C&6T{B7a(3^1hG0WV@x4mD%OmZ>WpH2RI_m0oVl9;y#72tEy{lHZ6Q^;AVlw8EFWm0; z?Fwt%a#+LXVN!T*Uo{w<&o#!K*Zq%&v^L&Pk1_|{Pmnf(5RYASvD`N(&j@`V?eb4*kU4&+cwR3|FP$w?#onn7$L_EQ%+u61@^-?F#BtL1$Ulec*CpR z&O%Lg{LnR`H54okrFdS{RpJn~vEDO>0sSSL$yxSiP?AAV`S}&tD=a^mH?DQjLgCWG z!87R7@B80;nvr|XPAnEAP)uOj&H@Y;vZ(D%%62zLPPUPT^(GgIXYW4?6{_j`aDj%D zZ5Bv*N{8kU3cvkKzNoG3dmAw^YLP<+8oBAIA$b!R&DK#|F_o;00{9n#4al>Vj3Op!PiAMwjU zk9L9NzEy#TAp1b+v$wRNfA?g_$R>HeIrXr#q~_;HB;`_{pp^2(VXHdxWQakUOZU`r$W*FR-!A#Ox`3`KbLG)mQ`5zn3z9b-OBeBCf=;o@0?iZf+39Y zx`-0X;L4O9)%el;*>V6^LSM5W!NX1*-a12E@&9f-T)a?x1c|WxP!)D^nj55x99t6Y zCh{CJ%eQ->i{AuZ?AkD*-%GHwpBr8sm^6RJ*|v~*FAjJ-zl9nZU0hizf5L>$zM(mr zQg+4c@9oXSga!=2Iy!1$sCHp#3B^SzG?IPuX_fbLCx~f6zZSYXDb)eTZllv60#u_- zsoW1utfNIR>30!Pa<%MOPO8xPdbaZq*i$rMNwtG$f`cSOb!bRx#RG6kJw;CXsabDD znZaD>O7CDXAoM@lwG&jo7CAQ;UMHexfID2jTIr`tc4&DMjopG7K zV*CHzI3zB3Sz2??wWBa{WZA@BF2vrOObcPqR&LYDTz&{^^e-F{i8?Z* zx}0sOIe1A63REn%Sx|lv=U$`5@i-e=bmM-_iejczBlRB7G$s}ipeN>DLDt)I!44K% z_KA?{BFeRbu8c|INqc%dRAnVMaAsWhXs{e&S)(SZr)PiIq{Z!q$3y^@IF^GcU#XE{ zva{Kdny$8=|BA}X>D2)`|4U0O=!@O8gB^STG(_JW28sq*wtx{uAR5G2PVkQ{^>}c> z;G}(~M_qa%D5OVCqc4IiV4Q+NNV>3GVVZSs;%51Oj4g?@A) zHFcd|&AXKajXMfj*`%$k$IdOYV?kUV}+K?trlT@VY6OqEGc(FiLV z_y1O`ofNt;mM<{Q?(wu=huTY_rA{Ehy9>~E*o-8y`BX`K6!QU0bc5D|>9 z?-`^gq4<_={0dKAMHMq>f9D;QX*)U+bWPC(H+i2dhhue%eP{Og%BYL9SCiq!=_B^- z*}HcEI*O_cwhe})%?7G ztB$&1=Mf z+hn*J$noU+OF#lJ|4j=lbdf1O>AEJ`>(r*X6wve1bBvdS{!x=&7@k*P{*@#DbVmit zTFU46q`X?NJ(lLjmA@wfr_vKQb@S;CVllI@R~PZ77wN0_SZ~h?emdE=+u?u|bZWXj zmM=QTIE4D~v^aYNE3SvELz^z$J>$kBE>YQa@&h{rLEBsLM2)Cm8R$*tYYF~<+Vl!o zcx1F~XrCyVP=e_5o}0xhBs=y7{9XG~Q~=<~&s1 zxBiX8O%I{G_0w(F8vM%3_qk7p&}Ru<>O%a-5Ci&8Brw*;b2PA+khZ80hNRmhE_n#} 
zFt`w-!45~t;V(qgL>?rLBka!aq_Cu!)JkB0zVlF90IpC(a5T2WK=`Mm8ZszwFnO}> zpSILiX><0iUVVe(4hIvu$?3T{&n0U4zncAUIo!bJOLa3p5h0uRA6ZI5YYzYVv7fI}!`-QQHz#|%LTdH#vk0YTyrO`LjVOpN8iY#|%TuQZiKIlO{X z-~0W2YH7aDl_Ycv@DJUewP}VXB<@(69C%`-%4hIWoF^jT^9qk@yrTPf9;+r@5?vt> zrvRNGdx>gIIYi|9k8T56{m%O4urIwmb?D@hf_s1@gsI>*=;lXS{mO*?YR$%1n^NT# zW!Dz7kqo7CnC6HpvToLG-DWbIH*!f7{j~DU6hyAQ3stxzYNdcR|M7%oG)|lK1cRyM zDxFUQ;pcYFynK5Wcn9uVmHc4-K)SuILaJ*g5D~Iv2jTHSsqiG0VC;hB;aWVcuXqAB znlnLkw`H)Ur3;`iSUvAM$6!;JeRet|b|9OpI4ExC*Rbes@~2R2+wU5FpyMQx#HSlW zJ=%qh%-a&vvti=|UOW(Q|2dzddPk1I{5?|qxrz`b{+Z^YN~~?;LzIzqWUTeF-%echQI{;DIy79GS9;^>hW9Dju^L{QvWz1AGJo2z6G4CK`lX3_Na|*aI_zf6+`yixW98~c#Uu@M* zv*Q71n?M+urB7!L#PJuSd^cv zPy&QY+}`f_oFWr@(dg@ZFe7{$zA6Mvn&%h1@{JSS`E7py zl?A9qd6k>J&JllI42w?9Ct3cZ1-v*rvkAb9t~DB~ zqWyVR=~t*Tg%v}3^We7Yu3q8#6Z+G6Gd0$n3Z~a-4b4gYp=~8XaF z+PI%RBB&YItwD8KyX6#Zj~ap;fiZDAcKci8nR>}BFwzJ$88U^po^j>yeL3^%glvj# z)?*>A^?m;&2wy8(SSv?4zZJ}$EYuHSV-^SVk1T5cR>!xPAa73j>jngA+!rYqDklA* zSY9pGtFFQLwR4xCm_fY%2#9hyZ3DjsMo6TB_HO2eH2J>{6WkUL#DjmubCFUvsjo zOIqUSdU=`q%46&QiB9@{3IDz;8mKnF6pMast4P$pbiWQ@Dfz~7Vhc4B^f$}^TsJ&W zL;9)wvR>_BH)@*q^lE19zw)=)S9Laz!oZ#g zGgJ`G_gKISIp&^*0@FDxPkC1BIQ%;l5DVIpS0Iu%Ck_eIqeM~-iWBhXuzG^G2KQ^p zCj2|Hm@Jy@{o+9V9yd{{hcj7x*_TIlY+JKn<@Iwb;3H6PdMn9&3x$f zC96)n6Jtz{s)H9ZuI@V;iTM`l`rM+$8Mg?adPwAP`vat8LzJz&iy`QF6(-zG1=<|J zKAY1O@9BD8QeRr3>V{6GLZ+?SfcSDI!xEJq>uaS+f>Ov~hocR62Hq2xC8M)adS{T} z4?F@*cZk2!IU92HHG6`@G%h8=*rWHo#o-Kz6FJR0!uo23C?B6$Dm>6KBX6R-B zMH-~LK|-awQ(C%XXap&x6lqCmN$HS~knS!4>F(jVjQhWT&tChLYw==cyyAP-aePkI zA}GtP2W-Xj@Tcfc8 zx>aY0kuI1)kE=_~m*dUwvfEa>xX#utt}BOV5fTBBHgtTb{_6 z_^>E3CbKn;Na!AYnL{TF)zmy@i39<4>%XiZe%=SO0r#txNj;m_jL%aD%OTHhyd;=@k*mGO!ej#;e3eLm3q2&o({vN5Ti?<-I6khHx>E*MZcJ_+q z9H|1#fzn-hSzW)67mex*D(DZ=oUJaB)g??lYIj*rKp3kHl4}+o?VLSe4_N*3gyN=6 z!KvR8@+9VB8xR5}rY#stX0ODmU@$DD|JG2(LB9!#=|di!*3mdk8J(bGUuQBFjl?M4tadV2f`kDWuCjzj&~-}l6$ZcJQQt#Db*tqGk18)ZArl|&hQiMS7T_nbAjw_#(j_OhLggJADIUEow9kZiu!4@O0AE` zAygVl7u`q58BVP7xwy6`GVc|%`qD%knQ#-!$Jf86e+6A=O&Yi%3fQHxp-#X*6^-;% 
zg#(Lsw@LT;q9oHbnoS_ji7lMnO<5Xwg>4}gDHfsS=Y}?Y9J6&dVL}&(3)2-?C`VB#LTweD1XenUkG~CI4cdgOJin|n zFJjl06=Wfg$5=(kc;k^FuJ1~1*EPfvp$2g$r5ID`Hv^~F+y}qbD}Ux-}pe+S;T=eqwjw2bAY|V8muuWM5gmI@|m+~%JL)r zte_;+m)yyo=d#29ji%_F z_WKO=>T!<}Uz;;rMTXh7k^lVuZ*G-AkMeZnkaZ;BhqvKZKizk$L7Aa{IM@c~x{^poIsSjc=>F;}hBpZHv|Hny|`r^0AR%pCgZ zkfV^&jOwuXzG|={tDu{5D}BGlvT9H9wpn_2li7u_hPNVsWlt+JA@<0)=i=SbeLx00 z{?!2N5Q$=*2)=C51Cw$pqv2=55=1x^XQS8=*%s4Kp?GRiTkB0mlbJ_bW1$6OPFNn^ z()M8x2Y;eGlT7XAzU~O)nQd5G%2gAZ?Url@7^zALB(QwFE`sm-qlo2vke}JH!tSG8 zc7>C6mPfamra9&vhMUn}ZON}bgAaw^Wf3mbsAyIQ(l_r2;36y@LXS)B_J_n#wx{n# zvxaWe0MO&ZQ;XTAsdulI9#HJ`f<;xi>o@U{>n)@EE0ZMTDgO3B(1Q+T+Yne>esX5@ za@L^3&I-WXr%@v%NVaK792*DYPOWt~qFg2=Cv`tXR(9ahXd5FaC2`J-n@(`-Ix;(C~H=}^Om2R{mm^Yck6t_LKqR9SF z>e58x1PI~u?hnv{^)swwZA)oT0*JjD2tg`Hy_QT5X!^pd$?x~XJ;Ejr#8~=}RY7gG zlAu0T!hmni0`*k;TNHgk_cYj+Xd(4g?I-5!Ygxl8?DC@3RET--(y0Pg#CO8f3Hz{&TSfF1pyI+^@dHF0H>GrNC zxJ9Z1w&y02{h@U=$Mw`5A@qt$c)wR2+qow!V6QL9>a4Eo(7OTLHi(mmbF|ju+Yl`^ zu%gsyDyca34wi9J*ea6kUdE-OxnG#qya_E^gN@P^8+)PF- zzCWBD_M;wp^8_Q4!H${yPX`wq5vWJoo9#(Ftft`~j(j-d`T~$DCqpwiz1C>%)KZumy-Z*{* z{C+z7mtb7uft}H=H*VX<^nfU{ve;PLsurY_Y3irga_qe}_&Btm$}~nfqm8^E9+p=4 z$$NYB=BuIlI5K+O)jEujPMa`%)$F{Sz2Df-8oN)`7Sv#W>KRNW3cj^6GNMKlMUZFr^LOTLrxk ziQxWe;UPYy#$}PWo^rp&a*>pkfA`&rG&oCly8qt8R&ci1WW106_8}&s$>Np@*_p)X zE$^2^nb&oP7Rp;bW_R8j>jWEdGuI%ySRU{VyVk&a(=P}%+s&M0cNdIl{^e}nz6{(u z1XknK4k7}JlFH8d{N5ecFP+iZtp6Qy!po+Sa%Kh*|5j9Uav+#?Cd+T zq+O&JlT#(Ww0w+4jdr}AgD;Dzwr8ukzSyuK%%0}X7D)1>?*sj(WpV>C0M3xi8>Wv0 zorfZCBHxL>8?L?ZaM+55v6V%|>K za(T!UtR>+3F@Xxv?(5CKIsxnEKb_schI=d5Y_11p z%-j#BjxDPJL&3K4RE~5bAECG;3gAS2NUxA8Gf5|K(pe-Syi!fh%B@sI)J76=FW1>p z1-eBQ-%)n*%<`^#wU7&glR7#ok{Z|U3R;iX9~2SAQ4zB^EIHB#!%D%F6%cZM?>C<{ z%OxfEQq(N_zKC0Rm_IQO_n_?~J`HM4p*4Suz@zlS1)#3^aD<+u=*=k+Hn&BuJV6WW zKus@(id&IYomsO?N*uwHBz9$wv^QO8=q2KEx@l&Qj~?VCMf2jzp(`1Qk~*J#CIiT6 z^us-Yw%qLn0Sf%Fg*FUE(Ijb!-&p^@W;o$~|; zo`#@|f>urig6>=hg+)Bp|4zDPaE#BxedVEB;!aQ^MjiRopByUjeM!tpRWE-)gYIF^ zQeFpsHQy{7Z!u>mQg5zH6VTUi;ZXZ^ABAPzg^mSi@bbe;Yh-! 
z9ifSA`W{i=5q58gS@zw5X-Ats|5Pyx)3psHq<0{n05N}r@v!< z9NbTG$=ppUGh1!5ow7Y-2nPIacH~dPsL|ieEmHz7Lm?W#Hb%5}`wf8;0l}G$d zp3RA;^*|wBwc~-2mW4$@3ln zzT@)2Ep#WE`YOFRMu8MWhxxnX9D(5XXGj-;v*ciZkM5)~p`}4l*ntMqr+!

hHo_ z<)%?qlA&n&Jv`n-M+RR)9Z|F-D=gZCV?+$R=8mHK{~j1#tX3J;e;X4t{wDVKkn!*kg$ z3F4QzFVUfOmAZ|LKkSNYEd9tocDw-}WvXQl?84|}s!({(m~B^2yRv4xOK%#NkUfF_ zO*u;;?xG_agAj+b6@S&6rZ?*y$4#E(r>8mAI>$G3sywWECQQ)J6NN+(dLpD0#>EGzLKD0*?s!b}qEFynaos?x~X{qtvq>z9U=9?IFhp z{w;o2M%6_lWrmH6>iN%KLF`3#zOOb8w%Uv8RhYC}4PNJMM0g5#>`oJk8;JlqtxG;a ztj}&L&oG+i{_BYZZr#yNA~#hoWb{g4v;XUgK*hlC9Sc`NeBZl<6~l~+dcw5IxWBkFR}!nH;;N7aqoE=S$IUE%0A*0lQ~xgWgv25>!1Ls8 zNK!(v=-V38bNwTjYokwrc%H4)s3s~ZiIHgt4NG4#b4AMfU{O?~$aVthMMx*fB-U&G z$~Wee7JwT$jEo=UbYqWJz_00yV3rGbhuYL}tKsq#=&c`RrY-!<-EAa*Y}(AR%5;2{ULNBzJ9BNG3gmJ?{{`)NzPyzQ9J}MD+ zb@p5wvfs%$AU(UJGXdH|B=;(=;y&xI>nq#0om8$*16(5Xsp<=n+qK1&?mIW)5h_7w z(ya*8Z_W6L54Zy|lr%qUrd(V0Covej4ngWitv9#r5`XWPokS^)lE|g`Sz=;E@xdg~ zYnW=Q>BBgbL%G||zBvWY0aRyHXcj5M8Wu^d5<3ly=M)~YQTG0_Pn-M--WCSwzFu2r z;v!Dl3ULqQ$9w>DybG&+zGjsBEOXIZyJer`o7>iWwrC8MrRn0<8NbLmnFg}b&-O5a zV0W0fNAwf1Tc;M6u0|F5!hjcF|6G2r574%y7irevYBR5D0^ytKm=RWy{hu|9ncRPk zQywtQsGIwqZmBYBm5@#ps;(6sIeGY<@9F|h2GJxIEB_^zWbvI%`2B)(rCC>QnxLzg z=43?)smNt9^e8aL^!qz{00q22A|*gQzS!;A#nEyZtoHQ^my#0cNNi2C`+}a4{4jRM zH%8pkt4k{7M#Lqi}8c@Nfl6krufNSdG3 zWI^joaTL$u1Zgbt2Xv=lhzqsJ-E?9X*wG&UdQZVA_py5@5fOB<6OACW2_IaZC&6~&Tv`T1< zLYav@-+iMgqFy(7XV$BOqsrY(ZoJMWnyTHtADj*?!ADBx>b9rI7L%}NdFuVD4Rz+V z5hwgL<_5(s@tf|H)#Surl@>;^eXq+e#=~WFjm0SWovmbw;9YE4N$Wx?3}(lLW2(g;FeWHm2uq?4GF zY&QCms$Dmgggo~};FDP;o0v=gB#qN$bdAm9budlylP=1vv;7r#T`dp^*s`0@*d)~8@ z3}QCDZ%ec}3c{YjzJA)*+XYOaW4{&}FR~;<(EDso0Jr5c@$U%?pZFKOLb$AcJg@LO z48!OSKVWOS1|V4)!KK_3ytZ2gkK6qLNAK!mX1huI@h_HGdi_U*lTHJSSRv};E&jqQ z!tTE`gq&9&#XTgb0mwJ2l{-|Pp`1#oJdtX-^51t_KcKA@71@mCQ^qmB$U1}HolR|H z#1@YiD8tBw+}`iLo&W0ktS$rtk}u@`tD@r}@rw+R4?hlD*PM7~a=L`^=RU*lhjNXE zGMWoDi#@MyEcsG}J=sf*nxEo+)F{;p>q|Z>sYjl?yMZ&?Mb=~pxs#u5jif`>vDd`? 
zF2P+f6cMRBHXS<|oeLWDLj=mZHVm~+y46vomX(?N3ypH`?SS*nx+4^Zy63y=LZEBi#3Vdj=T;}=Pu>URS-@g{R}P^{kNiA zaLHqtb8l-Z&o!i2tD%hSGN72^{Z>XQ<`S)M8h^glA0TO{W7l;4)I3#S#n)%fxG2y6 zk_)4>*mGA9RF~27>b+8ifRg*KiGnd!8J)v9zo^x?$Vpz$f5FQs4k;0)M%sch#{g)N&5yLNtH01XCZr>9$0BY;>2P3DffSFviCwQJ zD9Z#L%~+updL6CO$$Ok%E&7&jk15|&4d1!r-R7``F2MpWvng3gIn5sRi0QF+=uo=U zcX9e&pKi0E91&6Ke2-OiSX4+xUh6BqZAxODXj=(B61jRIJsde9Qji%AD-R=M*PC z8%c$y6WYcu&%+jYY{wbNxh!5Y`unW}Rnq?WCI@p*;sgFemU(h|vHX_0Ho*@jAxC(6 zHMaBx>vGYgw2J89s-etQ8e*KYUlR#O(UgLUiNaLE9)v4`Pi&^j(h~*6X`tdhr= z8t)fzO zE5?!>@Ck_i#~Islh7E3c9Idxf=MO>qbF~gBygjqh&dBy-M;9cXZfCzVrx0E5-6>VV zSA@4KOr>R2t0LACz14WURwJADaOYfhGhBh|3EBV?%5%RQAS5yT(Y*Jn$%#of|2bJC z4j|o}RM`5FY6h%vG~NRV`QmT`9?P!X6=-+-Ig z^lwy&q7a*J6^GqZx-f?GAlmNtiKSe_h%sbT!-*`fwvF87<171RnvT3scX|UpmlS@N zT`zqcmhH`ypvM)(1;u_j1i^Wser97za~=nk;tivcdnBdP1xpNo*}i2Ud&RDtfL$0M zCVg;X(quI6njLN%Np;-+FL5PB29qAuQF{^z{i5mv7O4U~%Cn`ft||G?KS+5Wuj5HJ z1Zeku;KsPRx>9h}d93xam`~^Ne3SPxrL#_#Kt}w`Yolc|f~cV$R)eXUUrduYUk;FJ6EVaAY=HX22Soxe zH4wK~>%#c6J4|kAff1JI;DTP-El+%<4HCw9<3tD}Djzv_2MM(`YBtX#vPK$2ad#6H z*FzSyg`d}YxQ+gKj{&eUCl`x^eYooli8nU?R-8B@Yp(8~0^cS=Bg9OiR4YCRAyJWE zXz=yjZl>+T=aFDEtS&Vq%X9a(D*Q>(sK>kIFFx}1fAyUcj>{uxJ<{p8PXXF%bwq+G&>yVEC9s3B zIYVLWc_*PjfRD+Z8Gm><{y6A`^;%JEqo3nVm*L&;y2DbfW}<*@l_d#@@iStMcUGE; zVfl_@lYbh;P1xYV9ORCt&?DAH$&X{{0yhekEVdaw( z!t)%mk@&i>yrBq4CZjGPL8-}RkO=r|I_N^dr*Cm)(TD_t-tAQkIjen08_@Z+HUX=x!P z6Lhq=y5?Nhkc~*S_FyzwGNd zrv6-P8A4FT?Yn5khg@sF<>p3SAf+!|13dup#SfZp?|iPjP&L$ZZT){QH3)?{P=+_x zdDI}R=NkJ$Y=5gQ2-WY}50*Jy26R)CbAbXlsw=2!pEGs|w8Az|xRMC3ww_!;zP#s9 z$qKA$(7`Zha8o!2PT_CCd(-yL@w%bw0*3o9zzzok1jfEpxp^S z{$l~~s7eZ+qjtZ(3-%^v)=(j&!Xjpk7u~Vppf{O%uj1DJ&a5YPugug0)_$F@RjT)8 za;-;SD`S6hkU&{^nht?lBK&KroB=bVycMCx%9CY{q`WYf(Y;Ha3-2I+S&80oFB;Y- zHw+|8tFTKjYO5oa4i20qB(3h0!*X zdH!>DXu0IE|iC7TtuALT8 zgLn)mon1**cq*2l3E!T?O2{e*Ywqrk0 zwXvugUxFgaYr7)vgxqbP`GIt}OmG*y7&+!^AXc+Ra$`_4xft>=Ao>1Qi5%{%vcqq4 zy2Xhff~3=FNf1mY{G9?~GSlek80&u&zo4{1q^)*-UP0ZP$n>zsdF!!aXs$xS*C^n| 
zNOVR(QUox7eB!5IT{aA!#(2b>6)oXpvedAS&vxY9XCMTli6!|^wQgK%N{p#D#CkRt8!#bCjCMoCT-mwg9ik-e+M z$zh|R4*{SZ;(!!RB@=8lEOe2bn{vw^=Raruyse>x$hRLoBG{Hzzo5;ZNa>D=Id@(* zMbAW!{XIDg!7>d#d#RSLFi9(&KQgviOg9qA2W5s!24(O2cSZ96P!2I4YeIrfoi)%h206TYK zc$=Ga~U#(kGLJs%&)vN=<3*qNWADZAMG#hQ3tQAs^}E zInMSRMDr?_MBWl`Z&np}^m<}W@45RgP|U_Pm*$HOE{&0f=&|fgd0%|%(S;1Dyj))B z5;8Sjb72;kFKupYd7kk%mXF}oyPO~|v{-e$loIlm0=l*%Q}Y8u!1M5W`nLh?n-Pp# z=wB`K*H9D$+;4oqm3%p#um^oAg%l}#Op|573D2s1{O}gf8mKkuaZvX2ug~`=UftrD zAApysx_xmrvYDN-E>*fhS`I!(A1;1m;{9`xIQUS$6Le>#cD?I+^cHxU{(i;Eo8KcL z4n%n4pC9@6kLW>AS|nK%;2KJ-;$}ZGn5KaRD?B4JO+UuMLmm4qWC4?a4wcsYyBkXm z>I!jmk+ZdkdinqROc_J+P0lC(L_ZQB$u>Xf7#b|oaMOR^`8Vy<25BHgUfVWjv1@A} zBTMFC();gCjdKIPwF83eZ~W<6pLyGt{h+#)g@+O9O!nVY3o9sF{DA&NVq`bB+Zsf2|sgUA!5aHUQe2qvK@()+bf6jEkal9<`fLPIsVWfNJ z2Lkuw|7B+a08fU^z*8^(PD@ifcEn_!q1oQI?N7vht@G!m>Or{4|Nm~P7;RP`s)m-S z*go`J`U#n^hkb+p4WF^6ffT%63q{ha$Uz0>FBu5jYsp@@SwyrD^j%1GGp4w+90eOH zMAIV++h*g9n8t@}2bG>fxY$vv_fE3iJxB+Be@FTq4l`YNXbw3NJE}z#{4oB6oN(!8 zo7+2nkZzy&SQlkRUnM5H^my3+jn#s<-s77gR5-}$yc^~pYH@Ge>WungW5KD%`1%yC zoO3ArInAi@zOUe#+qO__td`d$h?;!8o^lzH6Y$-#dINyJ%&;QCa zypD1B{d!FQGgSWVE!9$CAxyNt} znkZ!&6u_%Ix5a&3RiH@|1qiX2#pjb$XySj(380{47xf-i2~r zC~ACBzAoL4#zMZ!Q08`V#6rmX)NhhoCjat?KqdI{D9;ga`;CYOBlc{JuX=uZO7}eU zKaQxKKuCSL&ykH|Uz5z-8WMybx^1`$f)5^m56JtRB)Y z7^&aF6cw8P6Locv{H`yJZ*l%>MmzyGRf8!7yy9OiG`twmDNN?JicKMoh*vTQi(!t| zXcq&$m0xP~9HOt+pk}U?p{Ujd9!LTeWwg>Q)Zh{8k(|gc$al7aebqSEQhE>eRM{CC zu3|lwKLs1^!8{FSscrU*H%%_ZVV6r6b&2ghrc{-Pij4MII*!lxv%jb-56~8#sdevF z`{y!Ve!!2+k&BarE}JW7rDHDa`RZO|mfxCxdrj-t;d3u)vXK_MGnX0HL&|^>{nkhX!YbxA<}=_=Ct}gt5=`r=B0C29f;N+B zXd1ar$bBjN7geUeP*Z+$Ci*mY3bh8A6PYbBVR|Ar%y>kNR&n3n3_0Hy&2fD<2skpn z{hmtpPjnLt96~aOXiTtCfmLIpZy9Zx+}*4&1IZFljaT^dwY#QVVUBRJeEQtS1B7E?oEa>IC5vmZbld zPCqKVSC#I~mp52lvyxXPFsTRVEa3Q`{itxSwYb`bf=-wFg_VPT#l=hW45tK;&%got z=(U)+0V(X4{MXiZ$V2ri#Q4FhYXdVUi6XlABz&~n4Al;}RAPz`pZY6TPGdece=6SK za;9h9h&^`B|7t#wGw<0)q31U^HdcV0ssOH4mR;|>26{H)bUbboMZtip59-2VvMb+< 
zr52`LW7c?*3HUt#9)HzNm0S}>g3q3C38r+Eq0Uj=#TdNJM933?0%#jJ>E)p+qyfi( z2K#j4iP4hCsZsIE^OukJP*J8FMYC|1?2}Vn(UbGNDr0UQ!A!U{|D4Kg>c5qr8RXSN zjy=$yYtOO_i-s%x_4NQ_T(#SkaU!jGz7^kBqW+YT)i5lBsPO)hT~hIvJRgS{fO6KV z7Bl=U5Q`4K&^ZCtbMoWXY%ZWu_Q0_N0Sw|)_ZOo&s4 zk^t~MnEfkI!u|&uZ1|;`0J2<@vV}F5_KcBBv34(0%CV z)mI1lJ;8q9cg}Jdv1krB_avxryvv(<#Fr^A*wItWYQ!{zW_LmUtag<`C$JY@M`?;6Qrn6pz9I zOW`m+Qd4w0`N`Jcb%cMPu1t4iIImf|=-bqaT*^HDB6Zd4s!y|_FBwzdYr24H2a;hn zcH*$}XA18>m_JHV;izb7XNeC9ff(~jGY`rx*^L@xiq!Jll4w<~CRnBzUyv`AeBm%| zu|MEaA>a3Uwb0Uu@#S5kmjFwc1*Og!&BU!X70OcOZ-&%#HrxjxKlwQSYooRJdmG z)OTUc66^i`!H-^$CWzU`OES~_PuvO$T>8=B$r|qa1X}Mg$i*Ey)PA%JLhjgB zFA&HwvZ#~~Y-^(uUF9hFO)LMlTSkZbabk9RJ(3{tu|pfdQ^%&6P{6V7=>N6&V4yRl z6TrNW_@C3KFLH!{1=HLIs{TAyueZRm5azf1{!Ta4T9101DjCK1Vvk@&<>vrdkyEx5G6)B-2<1}=dyeQL zj{G-%X%b^UDmdQg!}m*=`#uJ6z-DUwBZ_}zcShvhU$RmvCUNDlEE%pY-ub>W%u}>% z_$HM(__40On3x9OPJgWSSnz3RD?|HY*{^tYym6-BMVyt8aw-|-TVITVY}2SFnMvE* zHJgKNvo0-P=rBTk&n}IG6^sNvQ!OKzU6rYy9CI1hM#z7np3UNzS5-#)9)ABOtTkXM zln%)k-O~`hz^?-*+I?86h`K9YEjN>J*Mo`1NM6qoe_nnAPR5$Wy-oDnh`Uxczc)8% z|8URgAl-1@lU zCJ*@X@VnmBAE!O27W6rNZ_z1>Rrntj55?>c6>ntiT^uB>{?%xGwg^CGO9tTF96Mia zPWbxXiWVoH-JN3DsW2IjH<+%L{Isw?_BO z1;57JdQdg2J&hrs%=U4&9gb?%8u|8p%)p^i?4a(|e$>*F!#CN%a#vsStoLujMv1*l z`~ahZ`8=%gCz7muRUO3`433~Tm);O?HdBYy=E#5SZhrQN@u|!ChYA}eu|OPOsf&K41Tb?6TNaqVhgp1M4~1E!;6GVQnes)F3Ua% z*v0-YRhwX+=`knInt+gv40LZL%U%E+C|U+68icKPFBRNAwq8hN=S|1LPH^r3{!WjF zQW)_i^Puse@ZfvF6vY(gAC+{IwtPfvYVorH!)l0(dM<~^tVP&v6|h$Ld&`aM%u-o0 zK;qi)tO^s6{!U;(S&43=R`BlbwWkshyOU(tLEN;tt<8p+Exy=8mGbB4nLDXb{|cHz zH#{IN7QAtMe}N!r#Q!x{K!O#^3ZEk5vdHzuB2gdEskB}RUMf_M+h-kaVDckiP?9pn zy@DkbtEgtIAgqV>7c{DrsK|lods$_T{Y0vd|9sqJiQac(9^cW(wVv(Xx1EVyLu!2X zOU)@QlsxhI%6E~q$0;U^kAr_pJ$6_nN+h?aI z@lVzkG)(uzb5Z2iWOIt!$yn|K5Uuc5Y5riBKNR6XEmR?QEVd^e_%x1;!RD?a#V(^! 
zIFY#7=OWMegJL$4sB%ytxd0Fmo6fHK4o`MX+!Z?_NT&p0&8G?e^)6)$^Tw| zC?zO5hgQHk%ypsJ_d;bS`QY%uyGN%+A8Qji;K+c!z8(}m*KEfC7)Pb_#74$Gc{LKi;cgAmt02Na#_T~*yMDA4u_0c3av6*)Gpx00g`|oRr#RKL5>Vqh!mUNI4YMe ztoD;tcPpfJ&$3&<@aVlc-}D3Vz^1b#Mpd&bNu)6i;S~%zdDIK~7s<~PDRrxKTgAO@On3rVQ^qsmzo~PjXCmozq!7+d9Q`IBhf6FH&>-`>pFLpcP@>?lbhVMVw~P*`32%b{0yFFYrmAE2b8 z-C|pI7JDC85Opgt88)0k$nWn!zs5)SyQ)628#l0mUq~{KcX5N1q8c$Rj~pvSOAFd+ zTAD?#r46ek#hKS-$3S39-mi9HjtIuKqi5Tj)+!B?;y6v9 zK0{}OlJgd_8PaVzWwxN&EL^|HNtAfp&3E}m*`fp}Ua3RJ*1<+^u9!D|BuOW@aKWO& z9p>01`4TC8FQ}lh(z>K4g(c<{1KLt*_Cx&XK+o8!~6|W@p9^ADD@9aG;R}FK?qrU+>tY*4M*eg#T5RN))6d7bJ`h5yI zRsABPYI_zSH(TQiY3yxa@cscAuOk4hsf@P?Au(K=>Y~a@=RXfX{#j|U?V|d#+PgKZ zgsemz@U>UiI7;2MB8=#Fui>Me?!Tymh6R`{82<4k^p27 z5Y3=SKBOY_-eD=MWsH~zN?*peJ;{%$cGw|i)@NT%vGx^xG4;|Cg%IatbI_fMoOmFU zq3^v~UI`3EZ)*OZqf!Ft@s*;Xu;=fw#g=*e1qJ`B(Oy-pz`lIPR@r-sQS`H{-2&7wVQxSgSq%xz_D!w((!F3y5$YWYrFb2e#K*}n9PPo;^j z=s#F@GO7+Z#@+YCiJ|8AOfa^SF!64Xk>VCX3VvTm)qOibsF>f%Qr0V+)F(DV?%R_o zM5SN95vjiPutY_1jK^Ht2oiVt3{yl(tM6v=bN2=XQ1HEaJ2s_9;`tkGH$&B4E^5t> zRf8u&n(Hdjgr4`F)4VaLD6!m>A_4xF2I-SR_~L&1a6o=J#Wp=e6h6u@8M~ zOUiZu@tETE`uDLikwAjWkJ@Ju?W7)y91ROm0-4lRlydqYS}M_6JTDcB6dEz(@5 zFh`Q>R@{#)qPayhJqAK65#*M^=_V)8i)IH(Ta5U~?5Tq;leKA1s!*AbhR+KT^R=M6b#E7om5yCr_2%*1Cc>_ciM zW7i9ue>%=&7v%rdasHv+!C3bJ)mF+i8WslM0};Poq3jdeMZYpJEMn$I+tL`22B56? 
zW{tERM`q>ilp#GjMJ4vVCd!bnROg&Q)Qo#x*z*9~--8H_&bsWeqSXrtFCW>}<$jR_aB(20|GK1k;EDoEO52%DZ-u9U99^>Y6(v8E#u4j8HDNSNb7;Y;dwv^}BKTZor z%x4Zx=&bns#b5DYtUM=TTuQ+PV@OmS$`9?+#8L^f6O*cxEr*uUF5y*RDel=2joVU# zLZLs*#A#w0lY>6yp9!P%)j+DN63#>T3d{X-#K3o-u%*oRrVjZp&EZ={&imqg>Vcb& zW;mv~8}3ipDf;i%ycgg^%!zq!w->no57jO(4`~s?AlWuk<1601iburye^@(10Bh$< zAq*Uqb{uj-hO<0o6DC7LU6VxZd1zQE!_mf@-$}nzQalE`Kcu5yG3i%IgEq|(Y%jGn zmH)(N!SNN<;SA+9jSI<(0lV|`2l zVDEA59P|#5GsulKj&gEuRto^<-ek?@DWr1+=EZU>VbIBWv?fb7iwlt$@3(iU-pH`x zFp@8eDTH_wCq++kUM$lFwk83q1F(!9s?YtKs$`I(Aj9d!c=__zDr9I}*4xBII={|m}{B0)tC9$%jC`VaWSaA#;j7rRk{@ZJ&&sEjY&*K*8^}f*DzK5LEH+#d z>QW;sjQZ0qvbtCHdGgPl0pz*%JlbFGw-eO^IP|r%JT+9s#WXF7sT|( zE!1}Zhm~L2Tc(Cn#C8x;{+>5Lx<1wib4bdVL`)&}JU1NS_a^Pb*>}D!wvFZ~Mytta zQRtqbS#?e;sK!T!Nsv?l?}mCbDe|%ur?2$ggcc;E(rwtmLwBi^NJ7;h*p&)7gz~U5 z?K0eiZCAR4c&0-B2gMF|s1oR9U=V{tI<-U;RNnTc` zcR!l^+L{T$`=4T|#L2RL&Qxt0D25w}3Mr7Ga6X(2f9H>zicySPf`fPwwv(q#*=IJs zGg;HD1##+$3@8~&7xt9>N|ZHx-#%3Xx5pxk&6lhJ#Hie!yYoNWuh9-77&d?uHf~Od z>O*!ro+0fk@Fa32*Q-ii)RHG^c|I<$WoBkBGJmcdpd*0QkoUN=Cq~_;j>T+tD*(M6 z!xv7*$?5vnI=K?|yX{DFOuPJXaY%U{)4`xMgQu;^BjIfrmy;l{&h>sq7}8ewIUffC zrIC=r0f9q}G<-B00^L;Ff|Hct6dqkD;6j>7Wfd7H3nLvY3Ud_16ig%gndXI0%COY` zkFmD^ieu{c_cfZ{ZmGad_ofO0ulb2I0gwMMlT6eVw1BWKqhOd6oZA0hSSK1-8m)D z=uNhYW@*_kn1QIU1xP#Bp9`WVO0+b#^%<#%Ja^vjj&JK#7A|)x%MkW9J`o-%O?a{H zLFX5xL1!uV=H!oiPHq1pmR&cQtO%e<*lU(fnZhWxJ(!`OEl7HZ(zzc{Et+iS8K5@r<@UE6eCfXA?=~=fZYV#&*2Ew&IKzzh z+96%y;$hP7b+(AE=UN`%s+f?|*~0n~U2{=Yj~UA{Qs2-@O^0Q>!3GbKIy&y&g4OP? z63OP;G)Yc5Fk*!p0KWjs#a?JrFVlN?lxApS2O!h?RJGkCtt=*`9*-a0>}|+Hy>gEs zF1d=|GF&@3*L|Arqn{UDf3@*&T(dJ^slXx;f@KeWJw!h}yiX2^LE@uJCMYai_UlW~ z>4M8O-&yDNvUn?YTB5eo@;f&3sRXS?$NodJk58#i%Y`bvGBJ+~{0#72KEyxtdpI!) 
z7ai{ji9ShtAcoutB+!p~tP-mp@;FLp^#+ku?@z>2gklfupo$`fLAKIH`l+)RahfN5 ziBJ(3Br_Oa#y8vy+4S|Fdb)S~e$LB2xVI4eswE*JmAg=_^yB62GB!g@!{xqYr%3pv zfXMOg12OL1p00=0&!C8X5w%?W6pqQ@Vk)VxMZ>442vHCS2Csd1U1FZ}SiByEOg;4J z;vwuj3P#Y?@`=4@wad(iZ*c)TeUigDo)%*c%ekV*@@1hY^0{~t`pW3tabxNLDPtf^ zW6dMc0uXTUo7~gR+fP+LiqzLnPzsgGzc0*H2B{Ft@?io?vRf39^wy!2()dSb`YKb8 zEYIZf>}$g5>d%`J4vWg0jeX1eQQ{_*deGB0UE}k_`>_xRQG$$UGgYRAgUO9;TycoB zG#4J%SGGs<94ikH&=70qWTy-Cj}yIVOVWi}sH#WQ{e)T668@3XZa)fGq6UF_Ud^e8oGaMl!P^|!|VHjvAe~fK(RPjE!zPtvi-fN0;4^@ zxTuGUiQZhXdl14QUGI#ah_;}_R@EgTp2Kv)#+Z2t7=A@6Ruy_XZ9%WjjbGensU?A&5$DNAZ5PC6dC;afA=4l0spkiOkO_vZJ2+Njx%@=b> zE{y7P%d?+p=ziqy_P5p%aZkP{lE{DTsskzY_VzV|2kt$d`Uxj*V{J5W~w+pgz>i$-L)_$^jcF3VK&=8(N(He5NE2+U#^F$U| zP`7RZHT1it9RH0Ft=@}L7D5q|FpJH2W;WWP0ANIcucUWd`fKN)cbj|Oc< z-HG-)3CP3)!5Z_;-No_At%){CdX(SPh+LYPcXm}Mo0IeMY6hHeQe2v87a}89ZVgRu z-UPvjwQ)cd--F4|mq3Rat0XkaKQiayL%vtdCz0k*+}EQeM)+ZoCa;TL0D}Z zu7MFB19%nU<7&&peSD&t&BOg<*y#8@ZjLu^;p++KGf!((;?*#;d*Z^)VyG9CF{r{c z;R~p{=;X59W-c2qB|^QsRy&{eXnXl|uPMbPHFn><>;`~RJKEz>qK*lYV;HsgclcRx z;QF!2aP^#}dPN>Al)^@pEztsA{2Qk*tqhYIdK~X*_72>Sg(s?vCUqEb?Q1MH}_bf#3PZuAqAqU7WUct-VQMf>X4Daaq;^8YNc3oa1gX!zNio zPCAF~A`<}{USF%kTVEL9H4`5)u#nof3{#a(tBb`R1;QyJDj;{qK%jBF*+cTw?pwr^x57<$;y z5=uq5Gu7#$cMdzHUDcS4wM`=^<`hP#Zv@~243SA>(=KqInA6^9{GJ~VM7;w84>-2f z_d*D{NQMR)LCu-Md=JbZAEhECE=esihCmpo_uhf9Px-=nEpEeB?`OV)Z_gVo;pq+l zFL&QxF{}KLTQa1_uZ^EXz#+IQRO?}cAkkDX#fqIZ^Zuyito}`|5Ver{xOSmlu|%8A z@}3#x!r{ZE-w8@`eFx@2)HEC&D-F;eGKGPc^k^Eg294B1b1HbjkBqFKvWXJn;em~} z&40-;0Rcmu)m>4*S~^p4(<$O<3#{xn+&ynap@4^z-?vpyk+QgcP9cv%fT46}(|)|a z(r7R&TFQwgeMM3UEJS@+(W%uK6)0wkR;y8jNG3`)z0^pY&Ex5?3w4gTg>fiBnMv-r zaCfxI71@ne%m?m3)Wr*##>{ zKO(94%FS-5EqnXwsQ2N{8&+2TjSsdXK*rRc#Z=vhwsJdQ!BLc z0rB&~;{SThARwhzsh@oR^CwIiPzaxN=!oC1{*!@!eUc!(`Xg=;)-LSOomf`SVBd zxnaTH%)eIMg?!>Hs>giWb|Rk1;zmFNtcX;|1tSBCI18I7|DDc1jRQol#h}-;)lPMo zcZtIPlS|cj2tK?LS}RA9=aT$it|)D&uF#EGDmSH(U%Dwmzi&ZPgSs$*f9rK6^Y15g z$>a)5i1HPa^}blB)k*&TQJw?hDKg6|g>lEw{vTW4~ONeH#2Wx;#x7^W=G-cyNC$ 
zW#rgd^E`!+jKjy#$P1>mR_3x6YB7)B_4Wp?wljhbx#~;($Vlx)YJS!HDbtvYcVEW% zP#D{vuNCN!c(@g#2ImUmB%v7InV8FlndFlLThpD3b?XMbNGT$LQOUF@aln!U84^e0 z6cE$1&W>ho(N4RpDgXW`E}3VE=pBQpE25Eu#@r26P)1C{6o)*FS>d8`u^c+sB1#WrdN` zQ|&l^nt@9U_gBCPV2+3?l+y64KOt@mm+G`L(MI?_KU~29iHBEl4L;xdvn2Q{fh5%M zZ7HOreOZvu4fUo>d?gO^vLl70)J9+YewSp0)Ou&eg)d2fgD~3P-+u)cNA&lLW|N*P z%=ye^_um!v7AA~CSgmA()wcOl&(3PN@lCdFGGzo%7;hL~-?kH~y}std0m)Ne>K_h)@^9wJ6q876O%z#fDrS(y`P?X#s7qaHa>VFivdkWSp{B} zEC?7yqXG~{vPfUb(ldnrmQfP(S9Q*(-w$RR1y&GFYK~_pvP8Tn0V~NkUI}?;@Xx*s zD6hQ<(_b`dunubmO>aLnDFG{^ueqd$^In271r4|qSptumo@u9{pZJIx|miGt*VeF!rNk zZXs;6rjd6f<}U6~)VeAbqKu!b;m}TV@k%b5ca-Wl--yva#b(Z@diokJU?*>PR_fS2 z&26*i>&|AL0uFVg+nqjr$@j5B64Y9< z*UD&Czrb&uMj#N+t#_K%nRi(qy=-Z(9N!ZIPojhYvlUsmUKKQ*lNCDYtDIM;jexDXo+#v#v00xbIw_d(*^DsE&0ul#5Y~^~i-XG@S zGqZ_s!0+V;8YdJhD@+8R+n;qFFz1&QJbn43wGM<0O$jg6C4vZ1Sk%U><=L0pbogX*)*#-(b*sVaKP02QVi;_Ly0GfnDYhBt&6 zMl&bALVOH^UO*w>BsW>ce*d)MUygH?o5mp<_>vZk#Cf|XZA(eRDn0tW?@0~y<;z&e zhqU;4P-B;U%G#o<>r-d`k)IUWyJGL37Yi6L0gdy8j z>Lo2wdotE((o~T!)FD6GaEa`aNo}U)xk`_z+>T9`yh4=IZQMJKaSbG=3t+K-dGu}9J*4#lHk_e)a(Dof^rtqq77!THkg(~sr@mP)=X{g{C9Z`! 
zsjgWbT{oV3o~R5f>rCmNOtm-Zmw2G-2nf_opK^7&H^fv~TP)XwS$)2$@W}uA^|D91 zue1Y#l=pQPn~x>jf>&TP1h+_l!q3pY46XBZ`R5V8?kfz=%#qockc7lGyn~6pgRJ9t-G|N8WaOF@4g;J*z?CF<8kM5`JMXHa`qWgxdjd3AZzRBSHb=h&I#$PvA!ulU?$W_jV=!If)IgUe-RfvEo>;H>;?Z^hGh zM0&WHQLgLKiQL8moR95rUwd^xS!=&f{_^!B{d&vSoubfvAtH#_)^Ih<~T?7>!QW1CPXvc5&*Q4(D(Lb8ydsGAO_~Rj48PI9DdlBBVi~i~k&G-jRt+{C3aCi-~lJ zc-r1JNDqoyW`epHpkm|l$BlLsTN%{poz*uR%nK!-64ORS7*wx6)Y21P@Jc0d&T`eh zcqy{S&!nTz|0v|@cuczp+AT_X_`JZu?A88x*8{{*pKnR$aWFpII;QVwKBN1PZ0!`O zCo@Kt^aQwC8Awd`*s(CWxz94Z{CasdJA(?SwMyTDErX@NS8iNxLzz2(GkO~=M?FrK zaOXxR@U2uzP32kRWSjT?hc)931F^y+Fw%*cTJ3|s_Aa7q&=MitUKyULC4<~%?Qvux zN6V+Y4tTB(Uo7SR>uF*ulJJsu^bb8n6B05-H^gk4Aikd;vl_*gQ41GgdCk08obuBu?8{m#jn3+)X1o}v_H9BCAv$&`URbU#Sh75w zvELnIRq>cA?TriI*~|@OI`b;9Ds4aC3}`g#6JmQ^wfNLBr%?03pSM)#r&>5xZ|ljD zVtDoE#}?9;m;IKk3tRcg4G-AI`4qLaB|q%gb*mfmL-+B(f?CFpuuedbaM;PLxM-no z(-1j_1I_!rvZ0PVr93qT{$b90t~7Z|S_ndOyk}R(L#J%cD^yw*O3ReC4-OO?piOk< zlUM=6NQDF8ksb{XJc-z^D4S&h>)x601dX+COSdPeANN(>QGx`f#DF>8bbJO7aM6v8CHr>{vO+scc`BbJ=rAAT z#!9p+W%j1>X%>}<&$k$CaVV{t)hW=2sFaoX{5NmG0|+rXhfcd=+H?z@?)YTEmge!By zv7Tr@MTfg1=?mcI2}>r|6d!*K#T@O67)T7A4AOH>V!K!MQE07^z(GFtQEwd_7aHEvsM-t7koY2I$a`W7u1#T#T3}oxAY2=CY zJSw2C=H<(;>R!jul^)d|)!L6E4kADCQ z7iX6j$7~66_t5(4NrCQ3wtr_k#jJ}>#SoieO-^u)ezED^-}61LW@E)Vm%_W6C{|^< zbh@~Z2@zjXoswtNMBNdOUaj$#|_!9)D2q-Pfpr z)gX>}2@8Awx^*8L5`tg9ehu_B%Cb)J3M4nEYZKk)Nw6Mr);J7{7qg~Seop6|DCRE6 zj)A(h-9Pmxj+;8^7F45xFL}`&X}t6#{N`*sfrH4DSqcambisJB)h7f+L&&c2G-`4~yQp>pbS@=V%3!J?$!eT%2}!*qW&}Eo!;;(y$YA zt)eXrsuiS|2()i#KfRYeHW(Msq3JAVdIMVCR%@$xOgCWoB)hzQnnwuR=DSx*@K<+G z2IIRla-w$Kf42HGCH@pS1e<{A_WO9tLI^?x*8N%mOy;dTs;2(pg_RA~Inff7Nu4xHpt=^Hv#*>*D!-oIA;&v)R8OmnZVtDdLVTNB*G!b8V)?!)4DR%I4!w0PuZk;kF($)iiQt1S_H5WIRh%a4^Q=y%jb+DE1%H$;k(&zM68keAN+z) z%o$=L4(E3o>RNdh^{-A1Hu#ay;R#=7#=XL#OHhOjwBCN$D@mu2RCR8CUb{5zGmu4= zE?3czrP$TH$nw!bV*$dI;vU3kL;F?pQKz9vAQb8x!on#IZP+v3I|s?X!GT!~c@yW` z=$;Q>To&|wmi}DCF-Ax{V;P^D1hhXI+Zfp`?zMifD# zP(3Ss5YSL@!%<>}nm5Wc4K@qZ0`i^*lE27h#|oUN*GSc*A2%$g^N)#|3!f$=n7`=e 
z*(*WjWkO2mSJmqE*c4j?82i_kWcI5;;ktWi<(DF1M8%lB;KbPJpj)Mx{N0{CY{&`@ zq|)XIBmH*Hco}@~L;4PP-GoQmgwuhi?@vSbS*9cISd>lho$+;Z+#9peIGt#<)pAe+ zjcfv2*XtU!0AriD88n>usRui$Yc4?-!@3w5X$9Jx=r%lUCVWSN@j%p~u%OJ@ znsAt>a^D2z3v<(07C?1QTO~8cqa!Eh$BmbaOR6qxg9Z1MwC>op^f>KJZYgd!c;7>} zB$+5dms0mfOZUqfJ+ll)<5mnq(Wd=Ln?oZj``g=v@86|rb(}!xcRFHyDthk_^uCig zB1xmS$j~h{Fc5cdNl0T0aA(UZ#?H;pp|Pe^SN6p3(%iryi5Qj@8@HM-v-$aK7NQ4~ zmm4WHo~6ZHlj7-h65dsDm7X;>uyxyLMhi+6J_830kQZ3j4dN}mPpo(ARS1^r9w=vE zAG_~uW;E`4uYBw;aiOVtN<&vU=~?+HVi~6)Dn%f1(l=?{tQ{)b+cj|8cKz3GE;s6* zLj(gxp9~Jx1#7Lif7JEB=?2M&a6stoK`6r6!8vq}%CG(GJcTRO0yX}wkzx_pZ{BZS zi$E0Jbkn-OqK7Y>Q7zJZr)CJk@)z_yn~f(K;x))pFe7teggF#kG1Vj2X|c|WZYSvE z!R$~WgWeN*-(qn~n`-ynB)X%aP94jt*nE+F{fG9u*%5`T?&^jwe67BzLDhs7!hKfQ z&RS|O!rJ<2{oqW$2zpgaW3Wdv*jSOgZQshYtW;pp@XKE=CM-U)&!x|{X2h~4|W>gi<%q8<^l zO;YPx=927>2iN|39BU6uLq=;6M3aFpa4^2In`Vb2?mx}_Kt`s9DShQ!+16>?DI&@l zk}F+0efiMbBei`4zHv)s>}WT+?x_&ijP6Mr53JE}vmamLIXa@Tdq_JXlub8fIV!ra zx>hOE!9Qc%7)Y5eWfZ@v(L9_-MxoXZL)cnWZWbi&MBMeHRg%nWY27*bAjhdnlVaiD zeG|sK6o#dz>Z#+UmSB0K>O!y)E!~d~;ahr}V}`}9GOMvEUmdgHe_c-0!)^;DIHH~I zl(=KL-e>R&7d^9yG%Wf(w#1!Zxq3K~GrgdAi}NBW*AL7SnPa3LvffW@U03uuy#XY8 zCFtwzKHnfz%FoNvIvt6sC6?${fi;AV)N+9^zxn{O>T2o=&58t4Ua9d@7BVrl-CET; z51xdYzDe2Cr6Ix8+0Ch1wH^MsH>1J{hAmYZzrfKRro5%liTiotIl+uYd|T7D zFQcLXjFp}d3*lsFJ+g&h%#$-t`@!;^b1?<_gv4pWj#v<*_X@ z-jM}Gq;jO(H7m*Y7?-Mt8#E77iHm%}e4%yFR;J5~Yhqvx`6cLCk-I|s3f@(?Q+ccX z=&xRvL<{CqJ|ipOEpaq6B!e}u0&CT)jCLVjP<`RLtNjy~W~(+KmMirF?lkcxIs;K= zU=ftQKS!{#zPGBMa)~0T-5Bk-G5AevYkEPCoOFPmFBBUNMSU-TvVmbSM*VV8ofyLST%=K7(3dC~Ye<_^ggRdE!ER9d01g)9fykSs z$e&K+e6p{JB##~5Fu>U+45|>3oxrMt?}^X4N8Ya;rJXq*JKsy~hoS(s=UB7`62qcv zYnnAFs>Sq|Y<-mjuw%|6I0RB`&fJ1i>K!26R?Br;=K<^b>*@egvsbI;E$?t?1nB2- zI?JV0`!}74K;*^ydEgDN)m{{277hqwv5}S z5%GsA`X74s2PBHgOX1A9K=T6N8p)+Q*VKrQsKP$V?+=QPCV5ezzoaUv(GPPWGV(jW z)xE4&?k_A8#C?|-n%p`CoT5!};jxxyM`wiJ$Oq zhS$*alPtV;o-F)o@d4)%hIcgPSmPDqu%a{hVrGiKM?@@JyTG77y5ACZ;B=;h-RA1| z0X=!tCPJIvYF`g=jN5UGR+=XelM}Q)Gy;)BDRgtu&&7{M-y{honsikLn=e@|ol!rf_4J;liT>bGYm}W^~lms!%DP 
z8ZZ=)nWRV3Q>Imon=G8(=Oqv`3%5}zlG9Eo)ueEnxO6%gnNlBKb{k}slM6UJwNFiQ zTBvnoz)>VVK0)gku-2)tuP4E6D0J(eZ-z$21xDQQ(o0X)o-p*zL5_$>uYtwmhCt->;X_*K6TJz^wC zeOZ`4d17Lw-he}D(cVreALqoJF_CUPzI!(Ya`(xDP>Cb+VU9T!D(7)1Cp(BBDoPR9 zRQ5IUf1Lf%L7O}xz8`N4L(YPE`z1aSsK9hSYi5K1No*&a>+%XdGS2$FX;-8rS~P#$ zIhVH8L%ks~rC26r5*tpK;G`$90>1}>J%KNioDiElTd+$n85Qa!9>M)jljD~MUe=MH zJ%?zsR34j3CgEC!njNHedNi7;K+-5FhQx^;Uc;;7cju6PQFNzQw>HW>o^SaGMqeL+ z20M!cu6E1coO0Oa&UCpxCEJ}m_L?#st#k55*&2Q4ff342j*>MZ=#?W;lx`IV?8>HUtUiS zZ*N4rx82)+{L66q>vjiShX=$Q5`L$nCYHgdTJ{Eevr^&r;Y8;F_WN`4xcv0}7s+<^ z)e(eq&V^~2+jPnW8L^78Nu25{yO6MAX}mUL*UZA<2>%=9Rm=Gg%6ke?PoCi%SWY8V ze8=!DE?qxWBF6oYOafNxpNp6ELo*tvLo;;9hG+k5Yk~`zXfakl7vk4#}n^~mW1xHP8H$$fnN*u zVS>?Yy}jb;YG^==t`gd0o85V9v(iSYUS|@lL`_^MkOvQXae9$_>3Do|mK?W2$q6P4A>bDBo(Z4wtYE@N^hZBRY*k zWds(1yhemGKXk92%PO#wbDw^yh2ii{5q26W;9^?(H0 zgv{C8VjjEnT#01V(G?~*9$g#u+y@NBNJ;wiqUkMSVfGvvxm8Ji(+4x!<5$iVB<+`b z#i9;x4%0p7a|V(G46_JB_Gf9aA>w9E!n{wP6_nhj7ca9^e()j~l1osWJsK~I(-dG3 zbT)RU+BcA@@Xs{9C-N{3UYILrI^ePG#ue(HI5j+qmck2eM}JM5s1Q+WCHKia-}uh@ zGGatu%u!p)MMp{wA%(QI5bFYsr}4tw)80?q3%vPdk5PLyO$5rR_sK!JISPh!Bn|I0 z2&t|#f+Z2ULv``C-@U%oPT8d?j|_?8C|2X{m$Hla_sw7Y$PR9^r>J44_o!SQfeAF~ zV~58+2fcyQQqL5M4@p#u&PN{{ru%0A?U^kgp)4~US4n1Z^0D)m(_L}`F>JSZWK}5m zc0zdHfW^QmIy7>b?h7~9z!~qmyk_SR59;#OLvL3#^hkpqM%D|DD<)i~Gkwb{Mwgdp z%y4?XW3;uGP3j_^7s2kVTXtI2@|~`>D=Y0vg?k5wZwAL6nvY{jDWw2-*oLV8^fx>_ zaCNqHB|n|YJgcEa?k4j1GB$LTCjKWUWp3Q37f;z?;FDJ#3*Y>ryZ1;xgXX7gfP?GI zdsc9CX(u^6eQpPDdznx6+_G#krLg&=T;X=(z{as>oYOLX4i_mH?aVRByxR;6*ohW? zn6q<;F~PytH4*GMzKK1p_(0LLbi2vnT2~j;;CQG@>>A=RZWZFkf3!j*oE8-vo4a$G zg;zI`zs^XlOMDHe3plmaT{r~yCh{|pk$Z1-k!3dziTr%l@=WEwirU-TSeooi<@kYR zPlY-T09_&{*Dm1tV6Mh0UjU9#Y$d>8i;b3}9L<=;_}An;4g)VfFRp3Sbo+So z`hfA>cL{9-vW@)lzQXu&kgXjMl6q_BV778jF5cu+bIfluJ&LN#ah?g+yf5E7``490 z^;D>Td4_QzBD3MDOmd}rI?DR^cNuZQ+@JH`jr@g#-sn$shB#k9cU_sIPQ4=6f3$j( zc@XlFtC=p{S`xG(jCHtgiBLAU_fb4MfE&12o&Tg7)mjsjk7holkY8J>+z-}^WF6^? 
zkJiP7GQ2yK$ZFnrP=$1GTU?-SD$QeEEH3mghNJR7O)l)KyQLsE3>=|wU zMZInAxKVIewjNyC`dUNJYMj+Jr@Tq1Ae&S@mAd_#XrF%G4{I_E=Nk-lQaw-^`9X zT-U1zys;)nagQY|9xnlbA(Y9$Rsw1Kx}LDi)o#~_k1$&VOVNJNz6Pfv81&o`q^Gs$ z&TrZ|aX~c3Lx#0ZUINFn;jc;)pC`5wSRVo^nY0T6>r=BZUyncM@lk@@2nH(DVX>#D zrbM`yf%kyn;todFB;tm3`d&Jhol1t>MODn4mN5KFznLescc6I1JemECPB{s(YhhOy z1nW>5{g2x5BWyru_8?TA4ndM@h|f205^bEVpWazv*5SZmHmGT#s2C1(Q+GL+*dwE+ zk(D-GCDxV4i!){AWt2B3=oM?ERU!4igk*Csx1ZI1-tOSx;s20P~d)DI< zM{PE{AZflg*&))(CWOTeu8pktq+c*Tf!AKA2fh5rCe#x5_NxxX;ML*%c9=wg>lXMU zO{PkAo-*1HJl(<}7eYqchqKirjN8S)p3~~m2eU4owR<-SqJx5WWr7%{@Vq<+dY?5X z`-=2+k%WEZm$Ha2>!LX0S#RS$E6Z%6FlNSs3H{V_B2EP5>N+K%T-Y@i;jrVr&wkaN zD-*h*b6OWnen~4|+T0A|fO;Tct5SLsG}@->^Z8y4{K67kW?MdWZFnS`-bj75K-w}< zc?I2x(`4O(Ga^KVF8bZvok+91>|bzo_^|$ateRe0Mqclfcs?ZLn{V|ER_2RU7We0T z2?8({iIcjD8<*%%`EK(#cT zrPY6p8MWI#B&x*2wN5RuRj6z9EQAXvWWGU4-k2yEYUJKJTspl<9!g(Ezh0cHDI8`# z)A;d3qaFu=>5ny*B!`pf3Pzq@rw7iIzB+d0w)P$(#Cll5z18e0ysq{XNwDj}M$|5f z>7mPdVVNi=Ua%NE+3U^RQYM7k7!B!=nN)(aKDQHcegxA^Bdh;`PiJe%%HX6rtRqSU9AQx9-00%DTQpIwOdq2bToZ4e!$o_n^_k6Xz^5NB^9sEw*SHf4FtTkk4@T2sg<87ffRfo6; zmW_X_J=Q1YLT!%H(C6EI;{leZotuRK`(KdR-+=|deY`aQtZTfo>m5Pb?`gbH%9{(X zgxT8h&yMf^Bv_+7p|)RPz%U^GPEc?KVPpjDhHK@&u-Shr@pp#D1WA~fJh6!H{9W2(rTK2XHDI#RR6kx`&Lj2XMD35QL7= zJ@FrLY9j{N-IE}^{XdmzfDfgor-y-y9&K5Yi2eIrtx7@(!-%TGxD9}Oi~h9T%YevW|P>O7N+ZCf^k+4B*=+_awITP>rn z)8fBV`9IoA-5&z!CDSOy#pFnD)JMwr#PGymZ^PkJ-t;kA0*7l1{ zmDPRfKea->645qmx4luZS-)CB5cyYu%MZvXb2^jTe;@sw#))5BKz0<4r;;JopPpbL zxbib!(e|b{+QK@g>BIAn@SaebZ!p1jKha};vu6Jl#DBidz<WN(&`k%yMn0x@$LmyYQ1T7O2(-+ac%;;yi zcY_j(N(LmXLx^#?eG~2OX!E?|fv=YZD0t?3lDKs2%=bxIzpX2Zq=7C`aRolx`y<+8 z;@%>G_D}`@sPE(b>JK~oCQmjUAwDw~hbkSL#`>AjB!NNjpF3Xz2fVCsd-CMMB_{T* z;xc%ygI?EXqSV!{pYF}?dg~R0x-jS!OtJuYY7*Vw)bQG-q>N17kblG|X&ep@q}^{$ z)#CZD!40F{!ltXg?c+oB+>`!Ks9zAhZBMCj1!o;JpKqQ1d)&y7YxniV{@a;2;Q=_3 zbIT{|Urp#^A-nRkFE$@139B$)=H#Ci`P)WJ(_W1n~CLdD3ic`0)QuTkx+;auIgk1j>#iMF#Kiv!U z!XAP0uF89j@^>%rZi7GU=agps`#f0`n2z6CUw8PgaQ-9g0Q8H5AfktfE-x4{FGP)7 
z3fsLl)XjmwkosKmw=e*?rgl~LM|uD(duJ34sj`jfU!o_-PT?IT-W?^!$*f?zJ#f%ieCy9~%PdfEd+ZACsALDzUv;H4gzhVS|pJ$K2W|-^6_0hBH%IZ@E)JA-Yp7P%8Nm^vv*cS+7KW5D^iJAmDPxo6^C5OnAnm z?%77B*T=ob)v0G%s18K}W4c23>6+|sD*#80Dj@9MbRFBEfZh8;0|kYh^F1P|VfPpK zLH07{y~^9?9oIB36ShAB(D1FxokcRIX$ZL4G<2d^Q89v8AivezZW|@dWU!=V{BRg? zdDr+jru~i&H`kMARo(m4a0;jLdhieX4Pd4_qfz{xMbdvqGDtG()3uMYl}@cNb2t?q zJ@mM2cPz6l9(fz`g%OeIoVbjXCEWZDdsSN-dzvH>shqeBp|2U@rBiBi^Y1P1b~tpD z*o$6Z_~v7W(sxI4%Sc7obK^UdD4$X!$@v$Cwx+7fyH~~m0>a*znWI>2} zTuql&Lm^d*nBU!#BpetN#K;(5{~eNjbVTB>>1R5c2g8aywS; zk>VZEvvdn6qFAZ!Pvz!hrKI9Kp#yu1bUcx7%JA8W@|xj8Uem;o>i7M)zxleSoGo;# zmj7*IHHy?vpDg+L03M(^Nux7Z5oHm>H}Zw!n7U!({4#x4S$NSU`4i>SD>q(0%&(ny z2w0is$Bzz&o^QW`xgM^bR*EGpy^4JgotB8vm385{9(Xy2kbX`)*hrU>a|xW)OWzba)s$f7*~Tk;`&FKh-a+cW{M$0psbyP?#^%?d>P zwNL`ZRde1xz}(qjx`fY`odzbjutH8uv*laT-UJ03yZ?8e6~av0G7PL^M=nROKR@7u zc@L}4>|u79q# z@t0~;w-;XBdP27u9y%}&ey_Se&!o66@#50!2Gp)?L~;b5&&36WQ8BqU*jrJRBDu;V zV)h>AJBQe%9UX_&MUKuoOsgbjmLgjRDo8LvRQqA&J8Ma|KSbXC1j~KEf3Xs*8-^ry zX3;@$+Yi?bi$f_j1Y6}GhD#tc+vqd=vghF3#YW8c)Wt@G&yMtC=xax*xI6sZj%4JW z>!JnE`FBJ5Q^@-uc!HjVqh+s=yk)2t&d+D`;2!WnK7F363zC5sL`Y_ybKE;pa z-l(S4)fUyyzkM|Tvl1G7ns*3fy}RR|^@ku7t|UaDue?70_*0U|K)u~|0u_;)+}?EI zyUrzo60Kv9#jKR)S9W11-pA0`^==2P<=sLUYy-5IW`Zlw*k~ zbNL?>^~ulqC!D@P9y2q}?!+l&eW9vs^ZdO}PxkwVhPjN>?Sg7s>C1wQQJ!f51C|!N!krnlN-Vw#R1@RgU19L|t2#-E}1P+WYw6X+CUaD_JX3p}Ts_ zd{h`b)KFIIx#I==2`asZMcFA_pW{KDV{h}kK5AAd|LihbW)pjU(CoBK ze>h(~bw94ed(^l5K#t09T}njEiR@9`D)r!!u+oCd<63v2O2kH`j1yj-B`W4zM<&~E zW9aO9mh7oe*z)G50X4mseGhcBM8y{=JXUDPY<@ z(e&14=_x638n$)gZMqh_E`)bXFAnygLuYSP+6XqI9L_Mjzk;t5bQmgp`$njfKdvar z@@*5^>iL_xbZi0Xl>GCV6}z+hn9V!GhrzbC`KKJ?i#G_Wt)vYOyBX>8uP9|4J+WWE z#mP^XzX@mFT4%^MzAhPiNEm8RcLxpWl&QHc&r4dF%}Ws9U!0d-upAZZ`CWpjom$0D zkYpq4?xfEq)=>v$WP1jHrRfFe#W~N~c;s@T`>iHj^R2ts@LTffu4^8ompA-9l^qsT zi7T&v&(ea7&vuD8#sT_&mR<1bP&aTiYs~`p6In4j#W#V>9Dr$aOWKDV&Yprg8iB{6 z_;&b9sC>1|ZwlaP`Tk4hJupJf+Xs=B6y{%9nVCSGZSERg4B|E7_5T+enX3Q<i?LzNvC4k<~l$%*g*al zij1q^isZF^S_Jkkne(DT=K3arvsDqD*8b6%>f_xZURdfk^BAd-dIwbN_9iq{=GgwE 
z4fPtLG&=Mu>AtIaQwKUPB)-m7o9|3!R4N@o;sh}AQ=5?piV<=pViLFsan?5$R9OlsUJy_d%5V{GTVAohe3FN6%(~xLY<@lvy@ecR=(@J-*lD z1}XR&KinJ&iokZ&EymX1Yl?x3U3?9;@nc{-zF6vM@XHqHe);n@jrDQXZi|K=Ij7rU zy7z$VyjmVKx#y72uOmi|OeXw!&CtbRMA9l8X$QqZZiqHm{2}w{(#vw9pLtLj4odev_ zvvGn+>Lo9{EmpcF`0zaIoLTF@iRus0Qw<0TjS}ak>uuGc)tz#05CMV_CrzDg-W*1t z%?nJZN0ctCn9J8ut4IzbgJqt>sfPxgb_C4~lt7j`$0@v249g$Rg0Ptt?AQh*o$C!7 z{Q3>E{rq7eJ2ZE8-*V%k?=Z~6+_^7h*s%0grNm^{l>WB(fqM0BTzg~;N_lDfU*tU# zA8d|U$pubvdt-|Ii*tvI3wb5Jl5D+IIeGvtEbC+xBgC}a`k_n_6dWA>hje$CXb{SLCMA@crouDNiB)q7$ze3ow&8vjgWY(*p9v|9ciM$D3OP&!u-bwSZh1v zL`oH0IQU?a&y(z{y`R2CjzU@{2DKwOAG!x1ETT!^q=-p*t6 z-I^{QG1zLIf~g|Cm7ZCSe5;juDW%>rYOE+>^9g1Z60!%|Q)NaCihU>2n?rBVhD?9U zOw*{&y?JU`vq9Leb&j<3R(Q@BEpq$EIm{ZZVKh^0T)@;l%kNKr9i))d9zVPqaekPz z;Nhe9peM&&zK(JvJi`0EFMl)xipTkkX>@BX06b8>nQ{YAJA7sF3!f$B5D$hiWj}hDr5^y zqV5-0Qer3T?KuO3Wb4<9>OB<8jzKO{pjYnnm+3o$s0bp_fGU(}hf-uKtO2J4`o1OE zcEIaJ&u|%2EMZpCK`~)g?_;nR0%AuXz6~L9^w7*1X~%vW%h4RBv1O`Kit!KHz|F;- zk8kVDeW$Ne>kq7G2&s3>UwjlIG};vkF<_e{7qnM%#g3nrJrP=5=M8Wdy!t%_iJDKa zDN-}nYxICjN+j#L3)j@8%$y&6p35-Fj?_rQDsF0*rDydKV!Y4_(3e->Fcq$bPNWy8 z6sgHKQ=A=tyl~}`(H}k5(_0C!)+R!!V#1h4syxZm{KQd*8a&Jy>CWY&0;T!eUSI#4C#JAqTBy&>G0%6Uhei#fvZIIB z^a%Xnq>)Lb7{9Qr8u>Y;*eMhgjsaUH@7pf6r;9Y{)iT_MqtEdnO z?jRIVmXdQ$8N2N`dj5cgYe!$s>s{AHMLQE6qR{EoW44+pR;dhZ@jNI=Y#@{SB6RRf&0j;}4RGO8jA`~<)CY3O<-{nr0iu5n4@kZf=SRnf)kx6UP61%5nSZBa-P6wciC>mxFN$W&|}C9(uDQIOJ|BQ)b8ne#n5z#XzJGu~>|C#OeNtXi~ z2#{2A2_7r;UFkKNc~feEJ5Xt+mAg-;CfgQ7mDxdv+6J(s;&p}x>)R#Qld$BD;-0EM zuew}Pqk8wv)rB>!K|6uh$r&f!_HQ;+e#~bm4LI2J9Q-i}osFwS&G`9Rg(8zE)hyIX ztGhilxGqe{K3%re+PAb=epaB9EndZAO!)iklojfjHg9vk7Uf)l+`Es@uC83$D;{@h z9KE+x{VYeNSjQQd^V)PeOd`a)w=lMnccJ&)JJzK^4-Nhu@B+rl!8ouryBrLv`1YLB zh`u|5^QR(5HRuUiHdg~qDc^$yLL6+CH4}VW4KaXlOXpDWxA73X~9!p19~}B0IGr1zLCXsqiw!YSrko zBE8-;!3MIzx%wRyPn%XZRRb(fb)+ z;}Q0z@TDe%Y_>BwT@P^7-*woPOu0(MecL*q>~cRWQjya~+>O|^WsqJ7`J&K|bWbfZ ziGdMl^!`w{<3`A1pQfFTZuGPb28^>DEJ~j-@U}`ooKDX{0Ny5+QzPv+k96>s1qlY4 zGjhE0QMM8iy%bdp9}hL(&-03H>IPi+g-plopK*&^f-vFnlQg4WrN3rL&{I&4nXz@H 
z6}C)M4#Ei{rPY-7p}41hp|GvLjxfsq10JLjWZ0qZf+O5k{oD2*gDX<1 zK@yUib8tW+!07kNOu3A~zBu>frUFg*fFa-*-KA!MT6)7%om$XQ-l|a-x<&Hg#pN4) z;+>;L%idZSS*5vCiH6Fh?fuqaE20DU%2X2m(fyxuA=6Y~^vI^fYT+@Sx&1R>cK zVz0W+*TM!rTU_a^AbjS+_6f?L9Fc@!q=y01*6!kD0+09!!>x&TV}~EtpcfYFq+hj$ z)wDhN|6<~Nc}|XsnF?9V+BWhd#=$+j@#``r!^|w5rpL7WzkmiQjj#6#(76$oU~Q#a zULkbmuo*o>z=U31s0IUx=x?ELSY@(234CC#-yqSq8{97e)KD zX1&~hqQT&k^+VjRiJEtILeoER5)joRV9`|5s5DQ=KvR8&wCgK~A{8rSb!Ao8{l>z| zUU_7ToxU}l)Ef?IsN9vnL|q4J1=%*BA(xELML>ZZuWKax*p|W?z&^J?b2Ey+*sf2F zE~P5rnXRGE#}G61J3Rw}fFq_|eZB-<7^Eu^ zKOZ}*Jz9`V-B^7w+8Zwz+_TojOR<$GZC3?xj(hI7Qloa zE(zAMmq+*=GXlkOpAY1r_85Jz7AMI1r;%&F9|->gN%`vh{F*>FBfKk#UQ1~af* zlM|O%>shsGK*j0?&5s>IuZ#zenwMld`>o>(myKcd3?)9-48~FkGi5JvOr#!f*7Wna zfh8x(R1q6#STV?Rpi|et0Wzpy#4T$?N6vTw0Rx?o6!STiC*51c`8Y?@&BSdpgnQW_ zPU0+c&t_?6(tX#m+uK_YtB@;$X7Nt+8=@JXIA9vOX(y%{(HXEE#|osV zz4`;U-s^wMHR9U=lDj~fZ&W9)sEDD8%286|QO7>@ewa-NrPrkzvy8bi$zwhK>Ct}J z+(O@?RQ+hUv)z{|W!h4y;0tHiyHK}CAy(}1I^TxA}tV83ju zI+MG!LkeE0tj;P2T}*8rL9v|<;$KMMT7xMlr-QkT*|DEIc9W_=h9LL`F^Lg5OHOPv z(HEB10py1PQE`f_dK(djBF<%XtC&yf(;oKH-Zbv~)MQdxL zw#r4_xoJj%wCROcA?H^c8P$tqzj3gxRLfyK*XoQ(L==&s(U5@nVfjm7fx+0m=}+{W zZE4vh;aun{WNFbp0$W}_k~L)RS;}N*t?pvW>dQUzT`*SCV9+wr9;8p8Iveyd_x#z^ zlohrhPEoTe$A&trkM)PW=$)4rzz*K*{JjXT_qyv484mf~RE{JJ$H0x<$}1dt*AIYh zNGMG7*BkNxiaVL$BJO$Q@=s+~sLH5VfT^lsUH*0-`~OQIko!X*&}7)Y!|vH^oeg|B zii4@-@}gB|Ij@kQ6i&zCB3rfjOMRDHmZ&LE1644C=3%OOS0R&y)}ee}ILP|5wqtAK z!bZ6%FGpHRfx*#H4MiRNNrP0%Gr+~U21f|KHJ$2Rt35nQ{QBOoMT&DneW4%%*8S|< zO;k&@ZPky7QSeTH3DX>2lQj;dO5XNHQ0Kq@ib;E>M|s<7@X_DxQYx_1f}Au0O5Kbx zMb$EW{I8VL)gNmW8x95wUz&2VK;yqrU>3B!lrO{Zk~>Z5mr0K*8=UE4s>DHxS@m_F zo*pEJf4%~a5Hj{ry+xk@d9?JX=O)E`3ioCW(B|koKlG-jHG~EBp2*3I33HQ@-+1lt zcwTZ~ZFoE`^gF`q4T_!jh|OL>P8I|4|AOZKRIl|7per_?LJ@kWO7st4{VoFV*I(}h z0CN@-5+WtNjTHO~@cYNV@HZ+w-mV^e0(T7qgVX&fDy$bq7PcO+oo*Po3zj~ZkJ<^8 z2CSaWH@FrJ(oX$Tnw$WiTLd+YMs!PBP6h=LK&*j6Vm^i6^Yur$ZpC|A-f9EX_C)+v z#4FQ~1y-1qBaZd$%}w3l+_Vja4UTSWrT$4&O{IxXo8-QrS#hFjYQU&`kyTAJcE1x@ 
z1ni@G5vRZJ&Ud_n>i}{9IU4!yeJtc3Rr(M354i402dqoZ8SQre-9&(Q$$@yvJQjxR z|Ak=xb!X?tfZ!mVfZ)IS%Ub!7X02_<&(wdYhW+(Wu^TDBv_x$5KV$H(&idDj=l($7 zrE{v@2$lVpY5}H12B?ISU?JYo3`F6?Ud#_=zp{m1fB`8s)C_r>TP%70+249wD2=IC z0LO!-nb?&c2>`;`UXfDYHc?9^p%B1)7ld8T!Nk*-7)q?>rQn3#_6GsLE}y$Ujzm@02KtOpZ zlL^spX*GZKMHz_~kn1X^ZW$*xQk)@Mpy$C~J$d&+43J&)ON)Pq{%3c5_f&{L)}v+%O)l_!p7>gCRrNhr>3D3btFd(KZ7PuFvME`rtg` z{i`fDFDU76f_>4$ZDKbhhrfPBkEme65S9kyzUXG{x1rDy5nBTk6zXqF(|?27cL5ic zo88&CoAo{BeqW~WA|y(~$XzvhQX&T6`7$<_d=I^-ys4rU(iYJF@f^U~(7ZG+&yFG7 z?>##g$^*x|Hnu4-Z_~eWEY3klU^<3WtLJ&+1QPbBShG;&D0-7l7K-=J8j#=6RB^pg@aNZ*KQ`GF9Ye3~bV)7p1E_f${V zl?^PU&TVNxaf%MixI7RgnGuK|11O(KU91lizZP5h5e~rlJ?Tes_^jr+s~SU!>35`jrbyJ*loNH*$qZwa44H*_CuCl&t>nu(N|~bfwDtQZfayjz@HLMHqHiw%DVa)GlgUMM4C^ zXN5ZQ`6A=vF8zerMs(q+dAYI&pGv?|nkCS^`jU}`$dQsTm7sO6wwtZn{LhpDcQdwN zWMOXR=G*>-JTjlD(t3zWnjc#3BMbvWFd_XyObPd*{=(w1_y+UaDurs!v}?Pe?T*}R zgL59DAxjBv4)?`qF6Ba)YW|7xqRL-Xa)NHi{_35$!DR!_!8LgZ1tZ?JA&mJBXt4YV zBGdN=AU^u7UcHib(cs3q`6zw&)dqBIFJJVYiZ<+_oVMw%BP5 zGsz;U^Lym4l-bY_zdwNzOb0au(xuD_W3080uFg%7o(WVH%Ax-)tRz+Aa{RKe^Wn1j zL?fgbJ$L!lj4lvQ@F)!%J-ht6>RWTsJtdJ+V!LB|B&J`BkpqqT%lqS7D=~ z5mzraZ8gZ8^Ep|J%W@Oh?h2=c6@$>ezE#lq{Q$hlvt){W!0u8vV}>l}ut96H^(f2b3TA9jm3uAFtE+4J9s%-EKef_|o~HTVH@ zN3Z+wL1b++%ZP#a11v0rWuujs@_@*{<>1xo2aY3D!heU`TcGoum2fC%;+a02{^EOJ;nf%%t%&zWRiqN^?GT^+cP4jtfLejT!Y`3^a zlPolN!;crXoFv~11BnMlbJ58KpRyjfzPu42s8fYv(i_Md14#ptlwq)%?-TX%BMi>zeZmE9HfZ>49{2RCVy&d)*d?$GF(2h(I!#9ujis!ADOMcvSqI zz@1Uuh%sT#%!c}Ngjr!|6UAwR)ak{+s_W#a<{mi0A(h})t@*XP&$gXYbEf7Db(5fz zpnHy1Wq`qK$}{N3F5mqs0#6Nl+)VFnQ$dRJ=L-Lwj!nj`jt#`?LgNz&p0ZMyfIP!D zJ^1*&r9llMw>O83XU-kSE76P1p$f%u@~g7laZAk++c~fI0SS`t#UY`tVUUyAk*XLV z36DZ=3{$}rr-a{IOX$ zbnJTYV7k;U&XU3}fD8l<^JrE=J`{LgnEY%etC7hg`8bisSoHI65HkH0;oL~7$)jkg z#_g@_AZ25JF%a?dO0Mam)oiA-M=p zl!C7Xz{z>X@ZV<%X8HN9lQyy%eF=W-50M1X{ZL(1o5zcl#rOT6PZA(hIK&*sWcjgb z*#}$nVu+Ygx06*n#ce1v^<6zc%obJP*uY&X{q4LIaNaSq3fsx#lzQ!UIz5=4eg3pI zKoIp&@0x)iVgJiBGefpRJvmQ0_%^!Ma#&UaYf&PcK!$iU3@DT!cy8vH8X#q+rs~Fw 
zZJUmiqNEZyY)K`Zr(ZR&4H}(qCoam%TS6rHS!X-^a#urh2P=Yd4yddK$(#h)7mVoxK5goK%1QFbu9C>A_=WE z<~@K~8umpBlaP?yV@J3LklUT@N+llGTAJ?s3qsXf{x^g=eh;B0W9Q3WP`mvDLsjF( zFrCh8Qb~zZ^^0CjwIel~NK0w?{^bo3*Yu-buuE^xx{xj2wNzoqhNH z&lsf-Akg~ZS8pO{U&WbGivuZ36s8HZnOqn=2Oq;9qXp|YgK?|`chz?ez&i)0PQ3oJ zozW4i<5r*}?VfJOH<89>iL2Py6?=0os8j3QY!g%BaHfQuGD(8#TzqN4+}A#hp?TJ? zK2fo`WxW)fVa*{szc-5c1+nh5D<}Z~xRl)1GI6(c3RVIU3H4ccCSz{bV2STupC@$$7r5D!|VMVb;*0IPQ;oCHn9x_D3+&l~P5 zvC^uF7y8I$agCUy)F)oHCYx{VBfqLWdU)T z)Z#v$si`|Y$G{(QU>hZ-5H<;6lIK`|Ku~K)qyfT8m3=#v^7OxWQ3!iv*yqbs`6S``tLZ55Y5{P7GapK&sVt28dM9Q?2c!neoEn?5@r`>%IGn&SOc8(MC zb~7t#cCnm1*n}));>w`#`>TX-n4U23lyY0}0FA&ELtX?)6b246j{%M|N9TQKDA|%G zp0w%3M(ntzCY+Eo0j&ZqYs02xF6q@obeP(>xI41Pr9;yqX7{L^oMEt3luZ@-0x^j}!G;!$yYn6mfe4jzMoQ?G z#qL9&oSe>#tHTw+lO1FN&gY;rENVZz4!oV!uZ_KA-z!Wzmdw8H=;f>ny_tze4P*l7z#l>ZBra$X}W}KFciox7CxRrJqHIuy?ACg>lI?DXZh2;3LV6M03 zqBG+*(3(zHh?{Q%mVm6vaoO=sM-qrls-(W4dKP42vJo{R^0uM5IuMgTeY_cY&ogZ` z*1hi`BD~w~9dns#tTLPfuBjsKM!WJi&pkMD!75aq-NkC)v6SgU(3c%g*1aMX2O1G* z*ZgEr(`K52Mu!oMyLPsIi1ZGz-TSQ-4|1XFRB}*~Ya*X`yN-_APlgn{G!?J+w9RUV zW~=y8UC4eU1eoKNLf;v3hJ{<9FOiLE)T@xVk?&IeN zhdj;aDTw_+td06j_DgOA@9L&{c&I{5Vox!7uQSiSk5lpSxF_IR>lr0Pn+sDwv{T0M z3r<-54FhuJLv72KiHz3h3H%%U9*&AwHoT||IeZ)lx~iBs4;<(nESXO-Y+U=s2Nl){ z+3c8gKdML8%8w7wbVOr=iMDP)|3C=OYH2i#N|7mPck~ab8_CF4Didbj?&l z1nOHFjvI6=PV+ceO68B^CL^O8=*&&EiyJr{DXi#oJ>1_Pq}cXWEb-6}`5}YBF1NEx zm!fHsQsxku;n6Eem*{?u&SyEU?VfF?rwpP^0Uu#}8;y3Pr;q)xDAqkOGBRT5GvZi# zHPLXII`+}tE2P9Gg4461(ID5ZzD5v2m_|GrT94TT}d1iygj~PSt zriBE%f>F@@(FX0W)p>p2a|he!GBb*M%Am{1!;EwmGe2a8o;8(DbmL`12*u3yicp{& z%ls9^%{4{7o3Hr1>fb z3_X40>lY?sm2}#6v5CChj)+r;t@#kpyz90u{gbotCUc1} za?{lJI=ZnUbwk6zjrmSJQbo-PL4j6oq_jt7NsPC>4i zRJB6V!TWW%V+&{gb7uY>36+~#Whwa$7Ol*_HTZ#_=0jBa$S(sFHM*^7eZ=IHW_R?& z4fcPq_#Tq@)f}Nx2#<`u9Y5bK@>~rfV7BjdWdD)6f$hkN^;D6i!%#|o-mLaTWdA3j zK7{_GRny#$!59kNQeQ8BCH^9aKil^%F%=yCB|dZ!wkb}uLnApSq>>j1;kfFK$n>oU z4MjJpQA)GU5=Np4iOa(;(|#epo)UW~JaY*$P-D%=v(FygaKV~;yo5R_|DQI(58jxC 
zd?j9NT%*FL=wqlE-U2c&Sq>-`K7qfV&7UA8+3kE!Uw#*AlA#j)=x$c&mQK?weuhpa z<2Zn={N@q{@R)KHn~r+c@|U#=3`a1&X3b#88!^0r1}~rM$o3(=1c4AJVihz>DL_~V zvMOo)#w6dl!#;LEXSBq;@LVZ>BR`SV&Q4+Kbl)0=XoE{G4jyR9q6Cgklx7x1HkW4U zUqr3hv0i7@LKB!mGpE(vA^_b zUa0AkqfaZtP}BI)@e8oFsbi+S($6DtjyDR zpSV~G|7nx_$MiIvqZ_Uf=59^`Gzx2!i6-DjXcf<~M?ccmd;oN+4S^pcKR|raIp96< z=1bg|**6A_d;{g$V?o2r8y>jFLiy*P#^{sEpa+IB1xZ;BbQ`lJ0-Nb!^T$Z;B66pV zrHSdledRAjiQ#X?suG=-e#i@lu?P*ZyOsETpl9^gZ4zD{)#Plse(Ys_#^D-@=%S*_ z;42sLtnRIVj~#jPLiJU2E3{fT9jYKrhRSlrs;E5-NKS*l#)^9qe9Qv@$=(qz6#+WX zIwQgr*zx$a?29EjOH>AtEtT%arl(m%L`o8~;553|hjBF2G961&0(2MZe>Dl4xuKkU z#^h+Vl?&yG^;>718Tg^jS4vy^-=cKMZS0Z{A4`4S)K*Fw!fWlz4} z=fC2!m|5>hQkj+Blo@Fh$^SNq_U@YMcFltE;*_8~v#I4&Aw%{9_HlR9)ZJTm)_AkK zySbVci!?9rIo2hp?)goNh(3j_a_-7l@Il57pYqnSaP9ZJDl%^QoHmH}RM<}5^%%}r$XkXQ7fDBrZ_6!GF&b_5KFf)kMKS62CSEcI;+cfE*7tw=Xh~o zw>T&eEkttvDT)aJY%Oyh!pdbh)lYrOB&|kCGpd{Z35D5wxuT|s{pWKrRGynzz1BIn zw+r*1Lf`e>U$qj|!fyF47dHdS{Oi*HR%hT|>FFFv33eCnhF&98Xfv~>|y*}p1YJgW`?d^-325z^9quWR? zVgS0`j}O8pY}DFRpxsqLj?pV8=gIJ7iO%Pr)J#TL&f~&Ilr?%m|5A1d#$FAfiA7WEPNlOroU%GFCt$AVe9% zBqH;aND&YMgc%v5Oo1>-AcQ0&IXgJix9|6T=Q`gx=Q=+Qe_Dh*d+oK?y4St#y&fK1 zHqsONQQ}8FK0YD+i#k{M`1mvV_`Vzdfgk(}e(8ICKEAtr`a0*#0&Nz@LtfnS3sT$) zT9}Ei`tkTT;&u}{LYacP-~KSU$Lz4{t?vxY>SInFbv}FOl()|Jwz~D-wH*7=S@5;w z#AVf^x=DnyF)cTrlONx-JNcj|k*-bt^Japnr(J>30K>jvtw9f89RjP^SX;mDHmV9N`v3RW$esR25mJ8Z69UUYn-fcPZM&6?Uv)lxG0_q5 zpx4%VE91E1!RLZdKk(gLriT6e`O7l)bwt9N&Ch(VtY!rEBM3b!>RaWTf5blG>EmaEgOBl@b)!BrgiP({#qiS%=^y#JQ$wBmTGb=J1^=DRyMeLl^F+As3NY>Z`$G8ax+=F(B}0*0a!-ZqRtLF^<^T~e+qA!^2@LET4= zWFhIb^Ly~w%f=$#^En$r%TtuS98GDz<$0keq8s~#Q2y+jX=2xA7CO%S!#RnE!!OSZ z=Bba$!f}>1n-9{%+^1slLm68C@R5@Kq#)KM{Icw+m><0?@#>~>aA?Ut+@@^!q&X@4 zBIBigLbxTG#K`p)+k=Y#Mx&AN5>|sW-%VErU#5Pq# z(8l_u7pFRA;mRe6XjN_J;_cFpkI&u_dsKr{5aA&v*X*!H^`pL4)fY^%`!lKQj;rRI zsIt6*NtM^gH5%nKF$`OKkI+~a7QPaaq!57iOq3^73Unn%NL;^POFxnwa`_RO8ExCo z$)@RPt8F{V9pnh#rTMe=R+AhtDEQoDaw2tB=3r(3j|D zD~7zxy&bCx;E6BC_i3qRFCsnF=8|GU*B`ES2})U4dXIdYcKgh>n+!DVv04NfCCcdl zbHWREjk6o%RB>@RPeW&xyC*|Okmc9F3 
z$37IypL8+n9lq){j0?3?S<{LvkgVRfk0MAqFDorsVc5%XR|Ij)4A!$sEI|VY2?!W9 zjkegAc3AT8=|#oJ901m&-g~;%y$g4vXXHjGAZh4S`Gh_EerHxKC-Ep8o~mhi2^nkKUUV3lRCN zEM#O_KMd>TBsBw`TQI-z(ZnLf8~7*If?jq(hpm$pl5=R2t8b0{Al4JA3ge>OxMx>J z6sm?<30=<%G8oEY9d5!jO%r=jfi`ZLryQD#|a&(Q{D($sT} z%6-46oLZJP_6uqri6$(KO6&08X+7mr2}_jWzx+NNR)=&RuHJ_lI3Jyde3xC?R^^uJ zTX|J5o9Zy|53HVkKp^GZBmM*{^>JogJz`^UdimwOe?WBBFX-W)yz(0q1hXbpvI!iO zAnkwrhF^Zhz1{R%Q7EFfWrO}MCvEFMLXhP0nSonB?D??V-Z)<@^vu~yYlBn{(_AA-QczEJoWXeHHN92F^ zndE$ElUxtvTfXa4XLnp}YMJfDg$R=nCTn1ZvE4H- z@(o|H*VAv<0Ut6Bv6g$Lzq|VD@S+uW8qxnM)XM@(eARB5z!WUJ_$hwo@ay?~)nleO z!KWpevr=NzF|^{skKl0^2$#QloOTuRUr8@}G&WK>eA-tU7OinbyZW7OUhu;~o1%I@ zxi8o#Yu7cCbWh&`;;Sf1C?b4M&S&E>x-u`KlArbDLw6K9i&K<}4zdsMJyj7_e#%wW zyk}l67;E$&YqIlt{#BISrwBVtu|d0Gn1V&wN3g^fQR@+aC98My(%_mq^E_bo`W(ExVI^oPKUY``rf?WjcIi(Or%KevZ{I`{L67W~Z4B&OFD-T@U~I zcwn(cH}{-4pJj@0Oi3c;EjzXBlRpo_BKs@PuKB-SMg$b2;7fHf@V%8QAjg@w(ZgyU zZ|6YJN{@L~3g*7xc{n8~EdUX>(#dAkJ90V8281b%?fAY*|0(g>KbM`AO^qK2pTVva zzHHpx*=3^9-JxYimlDmUiSY7cAznlxo!_M6wzx!k8hc-3_6U}EsynJxx|$WIZBjTz zr1@=(n~y90X7}&Mt?G8MG5g9cDlZ{YQWF`PesY-Cq?67P$|{N@0dv@yld;>5=;*6o z@EJ!A691$k2=s6ZX^k1 zUOPZh^6C2(5vNqtzS4Oc;?-i-huHB#>vQlt&8Hd6N!8yrWtN9-rIge)K0T+2d+)LH z`;#>n`pLHtZz@)BpwmeH5=P2<(8S}g?@>Lt^8|r*en*BZle%luuh-vRGILZglP|Y4 zlDUuH$=JN>*7r{#UzT~$&fcdg_@HI{_+jh6WCsc8*wYjZK5P}18M?WABR*c~S$hcc zo9;88r5m~L&pOSb8N=P9fcPO`+t1;pmJf2v()?4t^e##cRAgkg8i;nui?r< z>Ywveqp*;eC!l_WvEmkSYyG!rhT=NkC=dA~;)3gkIp55Qd|5!odLn-#aZPmTj4$GD z`AWv7Q>|i~a;!nvvDu?I#VKz)R-)qXIOhteNTqpViV{s+Q~wLZG%7M#sCgo~QQa$% z<*XA|r-5Mpfw+#>x2xk{aJzf@5ruvgS9HAJ$+5>DVMM<_a+soIYWZ&giC>RKZuMdm z!@SxZdzR1m$Fey2&(Wz1Q&&8$G0fJn$~C^bV_t3txn;RECW|v0Z;=I6D*pHU?3?@U zYR_q9%>gG~QvD;1{&xWNf0nlVV8MQ;YZty?iHq;Ig>&Da$NZ-`BLVh@;e&f9O1!1N z4sbs7ZKq` zUs9}O>jH|Ht_FRVFdEl^{$_o^R+NP7=ZskBP#vtF{U?g|Dl%6;0_6W2*!N#L(HS7m zf4a^X)SwH5?m06IudD#F@$ge2=tfDTzq(ZGOnNpNKq@_+ph)4BIemk#%N$#6^8$*i z$Yz}8tBhj`^7(#dD*t^I>CW}#CgNsasEsp|AoZKkdeLuMwBBVRVC75bLFpGuPb#=d zB|rI|w;?k3(kyTJ_B%a|`()ACG-}IDQf80r%OK&p^+8DA;$m)n2JHl;?9HqR=H8Qk 
z{@Q7P3gbybWw;B7z2Xp>IQH{tIh#(1E#6SpypTF`4<9-zGEKWz{OIHFxd2*t@iQ8Y zB&qSU_Qo1LbPReY=^1jz1~Rg7*TCb9Ha4psRz%KFDqwa8*vx1 zOtXV3c}z7Z*0~R4pg@HVA|s^V=^<~YPd^tk(o@-?CS7tOi5t-zq=w3>=EQTJZMIi& zYc>m6oZ_tzt-S;)jVuMWFxxY?PZfKFvNo0ljaH6l3V!#+YJS5SX%)@*an{VsQVpY` zT?@0L#N!g_2RpNRG;Uuu=qK0c0du8k;y-*zN}*J5Z5Q8`y!pb|j&#UY;$${G)bE8B zM>^hI@>!`N4iluq+kvuXgplh4rWPGb1W$wRIQIqO&Y3d_{d?v=&biS}zp#~LuRkygTTa8(0dC^+@RcDeK5ng!tU0`-FR zDd4R#ru@tMUwa&`tWG#e&P)>=ogJF{4U@`U)aKedTlT%Kd=`vPu-rEMhDlhh5yB=O ze70gZO5!`;_^%@KUHJp!;Rws+L*5geq{l%J;G+wvdRb*RsKKi4V4pKz9nD=;5DPA4 zbOTZbqmOEgoW``K@u~*I{K%ELH2h>oPDF@QG3Vdv=%2v<1fJq836Nt))4zgh;0|aiW8oK zafC1he4+ZhHe9OR0>>sgB%Vfv_WtqKf)jW+;|xlB>NHW8yko+b;8lu;1U8ArwV~bL zt zCYS-Tc%}Pw?v+WmlufqF2WCHcCiWk>a>Uu!hO5WDta_;GSFHd}aErsFu8pB|VB1p3 zTU-c*+B4J=v*>v!f8vy}ANqc1w|`K>u*oo-t&#h}&x zKJ9H5t$035$$C;2x(9-SoBg_#g3s_usj%FOVaC~ZRwG*SI{K*B@R}bUI53!NBbD6Tp>b@~RY~+zhCOgk({t+T4#RE%n_!kk7`c9W!$PNbA=1I6P9G=iqR2}{Qar`S zy`S9Ua-FL>-Fw40AE|ww5Rs9^;MsHLYkMS>{gbgh;%K{ebVW+Bt8dFjDaLs&C!B;u zBzM-0vzB37omJ^6($RRdlax6W0hKGeJ-SZIagdZqL{9`?vdYX~PF#~stjDeEbILtj zU9T#B|2Xy8>ezf~E7Zr=^~`lb7>{1JRxLZ?v>>w230Gu9!d+U`6}Lcz-p9L zrg~#wu4qCntMZ$Gce@s|B%)WZ$rm=zTjWP=#y-%jtyI+r1X=gWl7}fDXgS86d8~+} z5{K75v#i@pzl(LBu#>m{pTP&}IXU~bUcFi(3vR&d@L|7g^1=kvzrP_B6atBK+Hirc zlZu~Ebz@$$-k8N9>!Y$HN9obo{1C*$b>wT3eNfQ9@(es-PGdr383bY`?}MK51-07& z@4PQ(ZPeiEISYUKe}-VtEi{b|=2UVV&gUEr!|KB^%=)pffeDm?ydKLm1vO29*gAuV z711l~KSFS~2i@2D8*sk)Io189!(&$XMbn^gv#pw8j!Y0DEO#!_uTa0_na2-T>3$bk zU+wa}`@$6qZtoFBuLCtzFcZWnWsM3--S1z>L0GO;ykxovg0-?&k@I?ppfyLW3r~(W zsFF<2f3G(7ZuItW^-S6c$w#$AXo)`=xGTGqB%U&GRKS#l7%$gXOwhqmW}boY28@12 zEeLmFreykRs0qC?b3;W1d*sFki9R2-Sf*AzvEE3pIt3G zXU2AWgU%-sKxO}`Fd=*3zKOOsSg~EscaSrqTq}>nttmXa#BK$R(>7^R@~!C6*vw`) zuqIBIcSaHpb-Ime`IUIy(e2L&qx0*_!tUdpraCEwDbpYh*2xPO+K2AkWK=8tKmmyW z`v~pQn5WPor!pow<52k7f!4Io4str~y0csRGx>CHmkgUa?UJP=k@~)5nN?*+7T{*9 zugrQT#ddwjRh&3ej%_z2o_9YOxx1`FVzynGMC6hzrpZ zx;tCyo>4m_s&Cj<-=n^)k&44rCz&py=K9uqrenC#;f7sr96zQcuU=GxAZ6XY-lXf0 
z>`qX|qE6i^5Po`8Tt@|gp!mQt|E~YrMZoGPk3lS)5AB7*_hKqbZm7yxd-x_3gr8XM z?!;e{mX*90GWk+JzzT5(QiU;9-FsZ9(X!Hgizz%NB3EgQ`4jc-NEJS_%||&1F)uB{ zIKt_zOdIz(O#Ez7{@}}_CK$byGJT;Nq*h;==U8Q8KR&53LO?FwePdr*1C&++`6`FH zbL&s3DksVMawd8P~E7XVnU<4x;cj!5X~hI&$O_$`c?v0?qDlC~pqV&Z3~h`s9{{yYo8eA?kz0YnaXT8o`-w0 zju(u+_92(Z7zZN~ky5=z%9?dYN}Q%Lp+iHlUMljZ-Pw{AONVKmX1zm|U^D;Cp}G6! z(z1rd(IHXUN1Z|`P&i%zVC!zn9NtcCh%JEH&U=2vEZ6~Wo2wvuhNF(2pAg%J)|X6w z$fJE>vyPGYRX+F0#G~f%T6tDhUYl##hjLaOo5FrGF@IXk83umPp;uVq3TFC941FgkwE)KvD|c z#ETMxiNRf=p3^4HU2g{BoXrS1Le zsuJWHaSeLMZnd7IUK)s;uH6+aYDJ%${C=o}{Dh>H-|^ESh*nLY$@F;{QN_5>%~Q<= z2O&Yfl`b60OA4CT8(J$<)2i$sK=%e&t@=EShdmDrn%)(!h=fwxT1D|6+GKX)Kjh2o zCQH9L?h$I2Vu948W>1R3$}-kGqMlrT0Uc7iA7o*V%*cZo;& z9Zmw84+{HNO9hTRYTX@fQYMr|rI-H%#L{gf=LIS0KV!W6UwN(j+fTaY+M01P{O|1$ z`iN~{<4izQKB3}4_9qgl`F{O4#6(QDQ#GcY)TeOg={G#$9cSR`>+wB^IZ*D0PXuX8 ziUJ4YKZfO587*3rn2xw^=jng@2%$@aqd$SNdK|dCMT?0B4p{rIjNA6I`)4oz-S~dw z?}Jr;_egh*0^3WV_4~k5hOkdd^^BFpG1pC;AZ3*cMfRSxvx`z{DYv&*^WfG+5_xe+Bs{p@Oj@Nannx++bg6<^sbNcKIJJy694mV+h zjC?PwtXj1;S20Cs?2EMRdp%t0Z>;e+`1Qy`#@boP+zA0N{rU+QO$LZP(QON!6wrm6XyBnJ+L0`J_ z3u>BKjVZ{hYdnpnis$v9kEqf8uTzmDQMUaxkRV;JWj%~Z{X(2tau6M-winM;tCH>@ z>3ST;1@DJ!Q64pitkhO_q`~Oa$pMU3S>SvGru)ICXo!vN8u9AuG8DM%rH`{8^lzTo z02liriFT2Xq!sBE_DjF3?{am9Jz~$W?goKOt9)mg_u0D7tt?R+fYjRObTbNR?U~tM z&}rKr{XFDKDa(f}ieIA{?mhUJLMvYgTJH22n#})jsb(XUu}#3p2Ho zQ3h+xRI$@DqbhsQQ^$!ffqB*p&XB+rw~#Tts7k?9Z;5o!4Q+?hHbw?5e|>;=Mn>Zm zM#Oa4V*F$L>XsIm{~pYCI^G5rH3n=HPUpQm^Z!3 zQ}KEI6gnDH_g=qPWIMC2vdU&qLE%Wz{qyLV<8mXAcTHe~p17|fG} zJo4_d{B>vl#U0mZfQ(9cxe8{^D#tMM17HP#q!nDT|K@IRiEn8V0u4Z}u0fE&UK=Vh z9lk`YH6%22wZJ&Ta*I+dy1R-qlNW_z$FIy7Th=a>c*rYkc9h+a+{TF_>OEb-KXlWd z?MC;x+4DV$1~V)Y7n|3}3xCN2vE+oaukN82M8-X}(D#q)Qw|->0;S?Ngoom%bGkOe zGt8SZDt)!XUW_)IhAQ1euaNMze7m`vF%%=v>wR9p9%94BwBd@l%F;;+BKK{+59Fh1lzX~Xa*B9SvnS#ed(f?;LF*%{ zSvG`&;kHHL#kYNDV}*aV90%pi6muc_CjcQY3V_a|IjesvGSybBVoh6SFPu3mswxtZb4LZqgB^n-}SO02E))#LxcG!SQa+S|UA&fM2qG-g4(n=Z9P&Vt{lkG*LJ$$z{*D*NDBW9XV`zvDa zLj^#2|0wUMT!trMhy~+L 
zh4|Dt@esUGPRe;2WJbj0T^WsL8EoZAoKe;l=uljRb|O?S$lu%#&Z0jo*^zh=KiB$6 zuj9E~zP6`E@XP+M@b(`vIit6yPdMxO1bxsOyY{feMjM3TbMOx!5d@mb(4-I9HG&^g zVdm_iF1Z35rbohoen%&ml-Ta^U4*r=6ji~Tqgn<9V{ktR@O%5vJ%>NlG;1FZ;b&)z z8B|7VJ^cn*%Eb2wX{-6r3U{o~7&+djFcxCP3BHi5!fO+_T;EebAhiSR+twVkCcb04 z>~^ZmoTR`xY>xNSwIx(-)n;1&)LS;(WFSP>`a_D7s3NDkP3cpP&YYd%A%Cvs+hJa) zF*IwuoM6q+HTFKSz@?b?W;hO0wUe084qsD7@BE`U8CaL>>^*DPqA(*#)}EW#Qi+y# z<1tMxcm6u4vdtHGhXa(VxoR;T!!t3p3nc~gh}t@JdJ}PZ@gyY&g8VD|fLZmsKB9un z?l7!)#CEYLyz|sVIJ{uTGs7+gSMLqe+mMBs(b;yEN#~v9er#DaW$^y3;Q=zuFd2Rs1_KJc=u@G>UoBz_{oPb>w&de3pH5V|^ek?t&$x0s*3fG)JjWEa4 zFtDpu-fPFBt%tPTZJV%Y)O3FHD1OtR*@C-Kxizz!%Y=}QC%)FsvJv~@Is~jc@*9)H zd&Xj#Ke;BBVN@j*n!Dw~O&O}smgV!`9)+vPD*k-UGN6Cq-bWW!^oR?!gfgzq7!yO@ zoS64(CaujJB#80Y3>Q_)Q{_SDd9RxeP|je|D`Zf>q)#wwVl%}@;Cyfn$~Nc$ zPLn%R2S4sn%}Sk&Qmn@Xj_27})i0_Mk99FV3+K zyyeBb>Z(5Mx!yO6*Xm@z6hJt9A*`t4C*kKIeX$Hpb4h-iv?l}KTPK3>X(&>q&q~cauKrwgLt}6 zr_+9$gmsg5#0u@ml5(TRNc>=K9&vG?)xJ*scz!TGSIbMc4_lTcN5sp(3<|W)xV{Ko zJ7Y;U`aDoAQwL5%?!XYzzo#IndYFLb2qSkGqm zyQbRqTdo8x-u$rk7af+fPbbH=f8IjcRO`e``s2wX5cP&?fQ5U9CK!X01}OIZ$rbMW zjj$z0TKWp2P)m|hTe9W4TB%rH8#o-1aV3O^71KRpftpVMZ3!$`;UiSzq@7<6Umj>Q z6!fP0c@NO~?1BB=M_9tb=x~K`i-7qCimD4+pWo!bp#FlVzbx#{=cxd2J(88>25P#c z)n^HK1V`>Vn82H)sDT2sngnR|tOOLUdR$i8d(Rly$N?n0h& zt&^Fbm>)-mxUYVKTfXtT_fD1gk7*6(RX8>Ca2SJXQm`XyGXUCAAbgLaFpiF?i!duv zn%^&%QC5rbatb_`fb5BfGuIs42>@^a^9JVf>i=_|;J=-{ZoKUEX?IxIPGIiV3LPDm zUWHut`*<=+!qX`$$Xh8c%i;sKc-9CDXWG!(ltAZK1&vJg`xq!gJ7OtdYS894oOS) z^bAnYHbnzv`s7#V6wf=SZu|Cgy!KB7Inyw6liY=8hH6Bn4xOYd78=WC_;l*~Na?a? 
zElR`$GkdkOW>0N57;{tibf3s3g{ye+o8aoZP77vI32QS1+ugBU%^eEBM zOu;{(8xefhevPkLKhP}Sge9O@7VV8jR+);+;@}YbSxCBj*u9>Wan}7Bp)4fV)AKl; zF~CN(faO#^FW1si7CyK!O<0)Tk>M4V`8L4n+ZXcPlDEHW^)xeNA>&+0L7ETDz z!0iRsAhr}A#HXtDD};5PPySh={Z5splN6_tkinbIyXi6Dy!-|S;-wcAYd-WTrVvh2 z6ge1}99=XF3&5}lzzK9cdve|a1K)bLz!|lMZPs!poZr1ThS2K9PC(?k_P3*lQf}=u zm-1JU(w$+A+~%e|@HL@FI3Q2XK_LE(uEE zxl%e(Vn4)wHbjH%V-OI%0&WoriY zO>N!pny_@udewmQbKOey%~5b!--!mdN4~x%cu`9L0yE+4S6O<4m!*EaM?@4HrF4&Y zGM3=7Mu^cSM`_)q+GUq!A=Dki)f_zMSFdJK8~D})2j&Cej#M;9Bd7FZBTP!_-=~DR zqgL%<=77$Y+4lQPaFZriLlj4SH*f8%P?ropvkNecpLZ1GHeo{pm6!IrHu)I6kh*=J z2jxJ8X1x4KQEP@)62ve)xJnPLd2?F#pEao%)TD&q^&_zB9hxyC^jIQ#M@FGXh{0;M zm`vUKzKbZp%7oI+4Pq5olP0kD-CyxzQRYwdhI?22&U2787aEz>}=Ef&f;=mbaf zzPV>+Rk^YQPmh~)nxH>^*n|xjUu_9Zocsy3+UC8vK38R|7TPXg!mvM0dJ;6|6cMh> zNV($f)ZdWLPatbVYF4t#a5wjUDIfpfmA`|D&-6QXpk(aRU1BV{5gNNl>?ydYam+b0 zLKBv!)HRnq*L+@09UKxxp}18qSFf0avLT!ofowy?6J5C3KN?R`5>e|oZ_6h_wDA?G zvDq$9jD}CK0&| znW*SNWaZ`>YO{$-f-?q-n|(+DcB}a?B==^zx{{niAAOy!78UWA<;Wzl&)3 z0|az{1h?W3OZ{wGN4E9dC5B{y#M{Oz}spZqqrouhlgu)uA`L99ap zJJQ82H6yYrUBzfc^djI;a4^Z5dB zD_GL$NLP!X*}kMOEXC4jb%kPSc4|xfI;wRfBlkS^Pm%b7Fl<>|!+dHeTXV+kbflgB zcA$?4KB??s%v)%$j!}>}Bqx4M3VnBkqT^G>tlhBr(C0K;VtwnOrEk{S_IT2UcEE&K z8~Pd4)1lvq*X!(G-%emnPAnh-UL|o-Q9Y0$!zuAyO@p2PEqmsf#Pjolg_?n8q zE>@f(cqIVfIlJXS^BSGJNQc#^FAX7c)S11C5;`ZY`Kc>YYz+OjmACTol=y3Byr;ws z1Qgdqk4pWzq!qlh85&srz9V->Q^`@@j{J+P|5S{yVqSnD!7$lJBm^R1i~j(7nouR@ zwem116mf8^9RTCDzQ%Hcf1J~_!UXjzf+Mix?V*%MjKLnb0jEHf#e}j%+MjjRd5l|6 zsPQ^!G-`7`>{*||b69cUL<#1~6V^kg-DKpt_zXL<3%4N?1r+bz+hVk>PZCEoh7sE; zng^$~PYS^4q-Ah4a9W1pDLzmIAADmnq9F95pea}VJmp=jfPl$V_~irqx{MFbO(}+n zf|+t9K3t!b4)l42PXk{g+x=#c^0z8risC|+&tv9)+Rl8S_IkhThHbwTealE=?g7kx z=K$ct3$QY`laV7qw5%uqO;)RmZgI!EqO3x!0B`XZqy4@B8E*?)gi1T#R=?rG1uc-D z>g|A=CwHSe2#~_(BrvyM;B+JB{WaANSLMr5WQqC=dzmv+(E~X>mYDz9Adqod;U?%} zwl}awDQofy!dgOisezVBtw4}Do_o%aSlF76?Kfa#CJocpf_JH4c`NGjEA2EYV&;6_ z7Ab3*bur$8IOeK(dF0LmyuD1Fz}`Xwz|hv5zjFoZ>nD=7hJ^!Fstios)@Q7jr{9l^ 
z^i`C3@}Z;gQN`nKFVD^QfB`R@r1b6x!|n{jDgfd{UVtdVhtMl*J03CoWQKZVl);>N zgo+nFFErgmb!->q)t@r_hLX!ten9)39gW>ZM@uZyUx{C5q!=3VU$>nawppO3{_X`h zgHpWiQ(ZFEiRFe2Y34$^7(a07oC_{frD+BT8xEG(cL5PT@N;Ju zibdz{e7JX#Y~ZLL%AHn83y-Uti--n9wF^n#B@l*{!7sfv0_LtvC?=OIOu_3a>z(@R zKZ*s2eLD9k!@BbszZsgL?n#cxxHhF+aign%;#)m!wKjj^tbLKf>W5};L-&_TaTp#OKcQIA-4N+ZfqB_HY zky_9H0~ixX(K~cG%ZFiFTzonxj>NcO+(zm%`8U5z({zsl2F%VgQRubV3T=}IYF=ZO z4Y#SeKHQ|O2G6MX-Z}8d*36sJnqexO`PqVn{jPJ=P$8mp`wBTJT-$4Je>i-x#cHqO zATh$iWw_hTEil|%i`+O=i4-~R{OjLdC{SSxw>}@|7EKL$JY>EOF+&h*N9M--!7y(X zZ(RB?ynhcM#$Wscfa03=*Z$esT!5H$xQWpkP^>)fcRuqY-#5#mi$yXkgT-iNLzq)y zI@<~|&_7o`^EGorr)ZLDvM zEQ?z99X{)9_aU0Y`O=6Hv?T6Hq!TbgG+K4V4eHFxQ>)VEq_QqmP4wMQs1O7Ok&MBB z-_>~Cnu{T;Ye&ieFz~}T7-^oZek?e^hYyT(2(nsz=4FJhofs_|q8)NFGI-Fu^$}qD z^ldTpDR{q3eGMCY^$HMyQbOkvmlt*y(4$BGqTH36C&P)ve zkFI<=(%>1BK#)vKn9WiD1!v;+*1&iMakJ{8D2ac=(X33CR#rNM36kq zKcdKS2J2E*&~aXyF6L|fvGo4XKWD`;bGr?0r>ZSOm3O2~DC1o0FlRF8H{v@XkVg^q zi&ZGQ1TyJ1BDM?p1}HwsylTMnorqHzZD9MP#|Z(rHF&gW{ktcVU1v}M&XzZVhU!Y> zFiI#Z$7qaV$`O7OrNHU?ux-b-IVl_yfOzZ9(~S->5JW}0kv?DD`pt6db2x2e-aakTPaoY|oqR%ndt!4~^7kP82R z5hpD@oYAHF@N)bc7vrtP8ir=#^OBxn5eC21Uz$r%9yHI^CLgnT8Ju9$xwnDI}%QFLkGZH zHkWWqSC1l*do^CWD*^YYs{#y>&}DD=!L-#`$AB1c-?kskVg59;z*ypLm4cLR`5163 zVc0u^acTY@n@7suA7QGF5$4~%w>2{td`{^yi@MhruJmj}24WU_+BMLezV#*GUKGZ5 z}BIu5$=tdxCm9TYX9n_uTm{ znQ#kdIg2UTI);3c9a zKHN!Vrlh9r!;iH`d7UA`!}rpfnVWk>J{Zt*-fYfW1~YcQEVKmogvOv+^M>q4LxYr$ zueqB}YGmFMkL|lwHKG&4&N2RrJQ{n+wf`z?29ugTF!U%vqHLhVryopxvHt{;JD5q< z=_k_w^-p*3NFpA0*{R}sa+lN9*Do)QpOhOEuW-NgBxpB*OG9x`lG5?0yfTatjO{W* zvL9a$)U=l+K{-;yl$DZNQed$fYNIN=Yc>j%SE81jHzd`RUt4lu!<=5xs#@yK45)uj z!CPn}n2bxLLO-ArO9KU zb%he!Un8=CU-vj!HH({^8k1YmH@A7Y@=iOq;DO&7JN~pUq#)eM>)g;s9{qHTUZ6Li zictlmgqnBVb0IY)?L@S)%dfe!4&aSyf>J?`CHp%Rj)Toc=u9c2iMxhOj(rDlFE{-LaQtO!TN_|6m zsAYXJ@MYiO2Angsl>}lM6Z=bvEXnCfV}b?BBB4uj%?U@?q)tRx0_@!VJvE<>GbvS`vQH z0Wdm2|N7-Ob{S3B>EGjVMe4HrCO6b$G}j7t@s~Iad1@7dHbwH&9hbPyed;ek1FRE< zCqaBZ)SVD1aM|!2U9V}k9c*!z93T3z_82cVx9@aHRAssA^$}yehX-<<(_*{O)`9P3 
z;ZW{l`YaJ|UcnSf#_Bo+%R|pW zQ1RhpY`DXv+Od8tBF44SW8=vH4W08z%wc7m@dP($moZMU%=*V*1P5aZsMuhhE~8vr zEi&pg)%k87Dz7DIE2V4fV(do$mJ#|@ba?2NcK8_=?4E_e^q7rnLT!?9B<|(bmcVTUT05L0D1XiHGIxn&=6HB{cS zMqavv^O^`-jtzM-T@qwzT3qMX+0mJN;fiVL^9PphS7v!5i@EmM!6gZ`#_#gNZ}~yy zy)PR|re_VpL4)33Z^qqzJ7h?vq}VVET1X7)C%-2Xv!G2>ifLBph_bj&PI!Rp?K}d? zeCUC0V9~DgDVqTm=it_gsY?UoD8B+BdhI#05zk8!n`Xox^qtJihob!o&X=3OJ)x0N zcnfZNLbwqlc));eE^vpjQJ4&6hYkp3_ND|6JTtyt#caTcxSHxNDG6ouPR%x=`ML%0+lliV6TrDjYt5v z`K!in1zW%GbqOZr9_GJ3gPiOQ^-|2M-VINw&<3-%(IGlBqXQ583emz=D8ul}9T7ld z&9oFXtgC;hrr@py2HQ3mKK>{ACdzW6^9Ltt9cLX0z1o*1ky4D87nNas4$mfkF#%Gz z_<(N*jBR7%K{?x`M1m%ymJArrkXd51Cs_)6a(ae^dCK(Kx(P-^7jYHyY=zl>45OOG zuN2g~Uv7N#C`Y<;`E6yY@9>LqYfU%VK`B3C?#1gF9BZ}6f{X`di29MY#!mNN?<`tY ziDd>ChG9GT^<5g){a%v}G1vvYQ-3@0;QVj6O=)9N0Hc;cH}b=rGAmwI48Jk3RLJc@ z%~Dq?wt~qei%56tGC<*Z@QWtoL{sV!l^~83@~pDb&TB}-exzYTAU8_g_#Mj>H$AW7dLZC>(_A7-zCQ^%LY6Yh-wYJ8xGCxOUj6}!ugPDgE zX4(;VQPyv0S%U{hg9JkgSRSV%3xuEOYDJ)W z1)KGIdBT8N4St+s0N1_XX6)ia^)s$NpMOd{ea~y}KqQ$sbl=k1w=zvtBE83~NL6EP z=EkEfHw4?wW&+zdKr?f@W3A*<<}h!%vf9Q9wRDvqR5`bBx}ZlK72jHb4!&gAY67NG zaL4lJHC@@hDS4D34Ogy2`dSvWDy`mehLHDwS^pMGTmZMGnh4h<oa3x+)@m*;55pEHvPZ1%}kO6on*d641n7ltkG#5y9cE5Z)R!Am?? zp8?b52Xl5t7tuK?MnWeCG3&&d8O=kH7h*4Q>IwUJP3jhUNPyQUT<98ORX1v9sqWfQ zaAuj2ej3AR5)nm@Z;hO;gVkjOkZSYZ^3-KUAD$Z)x_02y-QX#wE-7$XcH>jYlGeE| zrv3;$Sh)4qURmO0O-FYN$sPG(cVi{aUPzrV{_*Iuo?#E_EF2e_Y6j-G>EQPG2=}^* z=8)pTZi4Q(z+n~PsRZMm>Y}5`dSNG%V_kobbM@7|Vycpyr|THJ>?@0P-CGt>#3Q;5`-&#DyeCH3wljT;{r#< z&*TJqCUp)P_sl(k&}zn~RgS}Cc5`M8*)|hzB&? 
zeNx}RO4(M(?f#9`hU7{j=D0hAgj&@)b<1${Dqg0ql7S#3pW-!1OmzG)0TXwTES`KG zt*58J=$TA1Koz}ZxEUWqGQ!c1(DNbW6X-ov5cNZ@W*dk@Gi%KmKxo}G#%wVrot{IB z)u*EL+=GeO3m*qM1v6DO-C7OLtg%$wFFtAG&25PN)|^8-IIv`Y?ekb(?Kc)9aGc0v zwb(BIL^UpTrcWo!r!;?X#-y|3qVn36^QEbQ^2sxuuP!PJ*$-pQ=yk)DS;;v|x+-E* zw3yl=)1ot!RsErO=l_UZ5tvOC7|IVH=;Ki<{qyMB=^almDtGkV%uS^@tR9^2$kZAr zQ!gMwP#FK6=GrXTBR2LUaKCZNUAbiP`QJAsGHc)sbmI{?5>-g?A81{>*DRN741)ul zFoD5Ny(xx5DIrC*q;h#ge5~dUIot}BReXVpso4U;32vLK#^K&Y+8qx!k+G(}o6J^& zRjX@w&!3NK)d7E;%rJn6E&dp@Vmd<6wpW5SdL4J2iTAj!Z%~3_JG^CE3G|-;qDUYeY)F6PN^2qL*jQ1 zKla5WBz=^V{tb-2Z1JFVG^S+rfzrxkM;_&=k~P$OSU|rF2s!*BA)PyZ`ZD;+Z_?Q; z{@a4nrEy7O3Z|o~oOQ&#*i+JN6t$%|6RYD;Vh}#-7To~dvn=)Q7 zB5ZC`gAXMFwUpC$Ow>gYiEEMRN*eKh_e%(Pb-#AY2Kld7<}sj*#zmb=vhDwE8^^y5 z!!jZXjG6dvK5gznS|hphj7xIh3T4?mVS6T+i-8_3v1CwPGNFp9+eFG%#W^XuToeZH zOb9mtf7Ps@ZgE1c8SF}r-TQC50Oua_mIso5x%nGq1QI732qa?dr#qG@o1rK*WszW2qaIjX`lI1e zGju+uT=F{;Tak-R0*hc)@JW$s@zYW2+dTUM#ldfX~>wt5KK}1j1Gbd~IF9ds$oaJ(9-qFgP! z-xkYRV$NsA*~LztnpO*2NV!h)8L~{fCzcUoT;VPfTOU^Ad9L07&@{00dpD@?HMjt> z%dKRCrAb>8ybqKNzI+e1c7cNj!~^ykBQ77mj@;ZOc~}4av?ug?1|Ew6Ta{}9-0ONo zV_zHgh6Wrp9`a#*)7n;2F}HY~3;hW0)<7+Bu>Cyx^ug}UP{+=SMnjNFIn~YQ-fGt+ zdt^J){^Zs$S*ssBkzGC%b>_TUlcK$YyXE%zD3gYjbXTY!d8{1gnt6k^X+={PFe=9{ z#~mGvwb&{W4S@kgyN8?U^Hu>Fs~%#DVg}sFGfv)*Ni(ZBrVnzb%hnl;SL2P2!S1C* zqN9yC8j_ZHTBE!TCsGES7fh*38+h4D9%ylryLV=uVo_Brl=l8fVF*vEL_9{RHAKYo zxO!qo#KmsSSS$e)ewNi|pBT-vmpkQ6dKl=-&}F zq|bF4HM>_H_f%Id*3T^-4Y_uC%LdUq1*gY5^FTJQsE7&byA6Fle!p<`wZKI%VgBG6 zN3dD33~=}hMyluTeZI+S#_fIeBSnKLCAMBt7ol&^B~V3UkkD!5C_RQ=)HZT*7t8RJ zXR{NonW061b8FA4EEws8Ju`Zg^Jot~sU8g@t{N^o%eGpBaFo(ZXrk;-A%pf|0 zxjWa|bA8v)c_yd}(TvBF80vknAFgeD`~3W}TkyrShiPE18nJ*_Jj0QQ2OJi-ml|g2cMYVmxD}efDgsRVJV549gtx?n>@t>}L0!0DP{2y%9H?;%X0Et2o0sk+JJ> zTtYR(u(qWATFD`oq0_F{KV84MWWr)gcX5sG&-7O<#KENN6pcy#jiUXj}#Y zJEM^(O4yD6cDe>D#QrKIaxneIsrmk@#)`nvk>aW`o4MnaaC$G=p`HS#9AYiAS@@Of z()xdCSB|p1%vqvrZ>c3o+;$wQGIl`eY>^1bayO$C{%CpsSVS;XsuUf3pS3x=kugfy z+=#9`ONT`cyuZX}_5kD`hIZZ%Y-C4-xss>YBE~kLVV7Qu)AhcPZd;f%cMiNXwW23= 
z&g>!nsE*8Ibg7ouBj2cku$6-Q*ERFn-sgY8V2t;C6J}R4&ja@iEt!n>>YqLuX>)#s z{iE}CFGJno*tCHFcN;W~eC8DQpCd(}5dF00ZiXmh9SnCfYEy~b^x@SwzhC&A@2blrbx~ADs@&(*b=p{jHGfz)O z#Icl%zQ?hzWocKO@)ac6n>W1|c6pFrWXne4oh${Zi3Fp0?QOk5QRM!r3njak4<6z@ zqc3=X9D07-x2;}T_7dMyXRtzbQmkl^=CXHIOHl8m^WNG0xDgopJ~$B8y}dVROfoS< zsq4-KOt`S9NH~@@)pyEOn9u+A%cqK`H}8qXpMBmvs7cq3`-H<(_!(xEIUG=Q+0nbo z_l`a}V9=`12pe-lOEz@r4inAGvBQ`ioxfm&+qp`%pp%}vKIMFXrjtto{G31bBYM_zn)bltUS@q&?>RpcKwS_cw)Ig2BDq#@mlJ| z=r{{;U&rJ^oOmRg*p|F8gArXMBalIR=qM>FLZ-oT;E0=|WR)UaiK}8A-JdMHio>b8 zdi&}G6h?--ccA$C>-GLT+?bPMH;gqzFNP1OUJr_-p2Jmv4q#O2csvKFRt37 z-&|5$vGT#35VqULYZeM$#oj5)9KWBJ3=Z`bOICg@?0UKdzam(e;<`8b`J;_{lobUs zh+T5w*o*U}PsR61qQaurU&%;u6o~P)40WiwFnvEU`?|QhW3pUTgGMcTs?rAa_qPng!QU9U{_BGm7B%j&<;!kJzm9q2ERp+TZ;I z)9qv~yJ7y~8|`vFM0ARTsIsM}&!*q5>JEErC;RnVkdy?0o<*0~2P`#WFrsDy$F^L+ zzCXlkx_H7I=GfBY5~6Tv47$irN{)I{Xn5{9f7NUme}v9%59hrC+kme6M2bg{#L*&O z>xNyy^0P*BEfi?Ds|0Hg?|G%j9i+BFQzd8~ah?3MH$$I2qJQtWKt|i?ELy!rZnw2! zL!V}Lqp*~1)JpCavEf}dY9d>6)J198Pef@s?beEN7Z4j|qLW~u#ixjYE3;K*vt$Ds zRGH1$ER~^#I!NP+!+u=aMly|>4cGCRt<3wthjOu@mE)=?6Qm}7@9i7M01dsQmaAl9jP z9789_!-;E{oaS2=f(l+@?-tmGf~Q-YEanT3f)jCzo}uoP$vQ4TeEZxLZ?;#<-po`B z=y`FW^S+)^$>MG)rNdJdiVecy%_#$C8xRg94pkMShUa|jugm9E^hdduHq>Lgsk*(= z0vWwMIuHoA)5AhnvSzlDRTOjub(rzU#Rd`fkRu$j*+KiA%|=3-nAlCZUXltj+Md_= z@})OnZchqjd5<4fg1dc{73{*@`JM3UPVvdgBS7EkFOD@~P8li5kUxTB`{^qkl&q}V zL$B;agQGE|O%14f%?y=f+?~ogol72)7s-rOETCL-8I8oBWt=pxbTViQPa|D7Y*SygF z;1xOSUA$b~kKH_NK(n|0zQ5>YSNqePI&5 zRn)vP6>@B+bBM>wf?e{J#M`%$Q}DHpFw?`8r6e6NR$Pu09s6X-R}i>K-R@2WqLIod zNuNo??NUHJP@p9EEq&^K;wn2VKYWOC+*NNKU-l;f+3!{`wl9ytQwosf4&DbdrNgoA z|7H#R6C;Ula^Xw;K1w?XLB7!(A8&$q!Cz@S|MHBnVP5g z7q<(-h6k<{qf4~5T;RJ-W0Wdf%0n%Ct#lQbVzYsJ-X0A}r8>k2b0iUs{BzM_+Ri~( z6PH%&b}+&qixxaYBygg{ifd6;Pmwn`l##??7pT&HP&m}fGnB`69Q%LS!skQp&1_! 
zQKrT-?i*K}yaJG0Pj6#be}n9d$`lDwX&85A&M1ILSMnDiPG#l&e((=@#OaqSyl%gZT!Dy8$f@La}2QJC{p~c2_w%PC;1S_Q?=FUMlS+Nkfj8 zH{lx+@nzsT@RneBPy@cBUhB1W^8!^P3Q1Zv@{}G!60~j6_Ey+k_m{tR6FrT&ghZg9 zGG)ZVB(ymOlV`L_s_dp8_^wDJiD>x#xN=-eiw1$%^p%J>il@jNjN_D1-hI2T{l0N> zBpfT#{T-wX7+?h{?uIr9N)ccs)Hv|Qy-Hg)EF^+hsN-v$%RthGk>1`LaO&?7Ui#-X zOoTOwGEF+lIzz73w&l2&b^?U%c$`T7ku4jdZp%K&2O>;tgK9z}iU?{3Honcw&*1A7 zVZb2H$on8<2f3^d5S>L+*$6~fqk8ylSwlg+b=rhe5$)m=YKC!`5#*h_qg0Z#a+@1E z9(etWh*KI16SNk&@A^*5iD>Fg?b63iY{!j$l&0+93M1uze`)2L8~U@RY@#ky$1(lw z3E};G*|#$NvUIP;y=ytHq2Mc8u$o?(-K_yxS=^d>#V=Gk0`wv&-*hwcTbQo^ui1lL zk?TV`!Z#;qTl>?P1E?W85}JH!+AG| zzb_SXyH}cNB~bt67Bzg#B+NexzH@NTzdxM>&J@gr;z)-%W=VmEV`V2>Wa1myCWuAa z;zHP&rw>DFtkfz+S2~x&7Ku7^5d`@WjG+<4UMfK@#3R`ytgD_L(-Bh>s?KT9ReMKf z$3eum=g`MQR5KmAFj}&D$~y3z*{h=M%W88*nI+vCd&p(&b9NStdXK^SxFu0p;f^dx zH01pEkn<8DkRes4VmW>PPe=PcjDB}WL%(V^k5wLg?n+6$Eei^+HPQ1eb5I3j!jwMf zgCrEEh_I8Tu8*B>j9*j@+HpMRwGBj)-C7;i+Idv5U?0i_)zi{qf{UnC?oZ zBy1_y>Yzzep5PA6obF4C@I+#Txj@>aY-OTXN*g$ z_+h;K&DM}yQ!#_K_`^p4pQ1?>4=eP}mi;EInV$pqHejso9daf6pCPGM;7&v`f9s9_ zLq2lZ#JlYCv+tqHGhcWEbl#Okg+{Xt#@YDgR460x9GeAQtO`X&XpMl(`XUA2q3|hHP ztC`wV4QdKFX8CIl5d+I{LfPpwaO8#Pf>pi385p^8dL#5S+0N?Q@lD-Bk80h5Rt&kG}gE67z_6Q9HQ zT4?bp*CI3|;zFfwN9ynXUBX~^=}h5g3oH~j9;=l7D6g69?mLMPwyX-r`GgY4^@#Iw z&71dlIr^}-LsvhLL;c@{W4X|rR!JckW~zz&-^+ffak>q~;=*`}Mc@uiX|wkGE4~Y1 zsXJR5&3TF~B=as^fuI246XJK9}reEYnUVly%0FTge6;Jxis<%7-OKn>ey7G#!2~ zuNrq)c?zVSF17)0%2%!6q)KVu)O!g(q3p_4ffAx8{HU6UT5ey}|uWCzts&Q~hwgkX&}F@nr)At;v+giF*SgXUE$#bi984Y}H8aJa2J ztdTBi&D=Uk zQ_?dejB(Q9?E0(LbD@aILDVdPdL^1Y;3`;dKBxP(@E5}qt3e=?sOx>sP*pd2{4?T=2O89tD_ymRt|N2eR?z}vtt{H@ti#4S>Jee%M|0k*@j?!K@*LkG3IB>cuG0+pPcNN%MP zSd-+oh5pp_0vV(Sj%W@2HQ=m)!Wc^S48gl@%cx6K(h2qUlIR+@LEFV9c_0n#=oVnxMLh-^z;5C&y3ga(A3>Ju|ToqN5rRRj?Zt8qw zq2Y`N(sLL#jZi$>Txs-1%`xP9p{T`l;&RSUV<+dp8yh_J7~H(BXUboPJp*Ot8=tHf z{Jo_KN>hRQd)#vKoYzW@adEDzP`7wC1`-#H)q5hT3dyKaqvZAv2FxSmDP>glS4S2G zIhdXxjBI1uI=~k{bgdeWoHiPn!m}AjR$mW z-}$8fSw(^VDCeshwe{i`bS&>G7>o>{EFd(sT+># zHQHLaxO+dLF>(CbDm1PL5??2LbprpCQH`$ 
za^Uw!+sWEQi|BEsBbIy-2sVYy9Cmlv;slhOYV&isB^Uh_zi5xI81>#?X`3e+saYZe zZ*)F!a7E7i&iO>LMEmu~qn3X*QZp6OcnR<(-k zBpe{&%+0(@5bQQ`?21B{Sv_)&hw@WdIf2$5f>}|F-qx3m^%nMhodzRqRI~j>kO<4T z=8~B31nQL~rH0i#EuF9IQXS?j_D3h01&6)-a>x0)Vr0JoYoOO?zEs%o3NvMA%g0yD zSLf`fJ4t{(jVuQ%jm5i`1A@8nqMz9l zg_gJGM-*D#7JJ>C9qclXLA-Yev9QHA#%>GPdsfXcnm1d)qY2v|2=KMl9i$7@!x z>wdI*O+jNxa3+6tM=Cf^W??P-SKuG3_%S`W-kc5efL%EAx+PTLK)67-30e=<##8*>>YEWO>b2 zs!}^bm9TE|u9wJ~&*k`XIzk)mp1pdS-XcsHFl3I!H=pnTg*Dep1bmj5*b|%e+%$

=iQyW{uJaw+qZyA@5vo1JnB^ zpSjr2m0~rlh4HdJ!iLvEmy+u@(-3Tud@`?}Q7=oG?>}LAM&r&i1O+vWMd$j-y|!QW za9>MxO|mSmBD0-DP)8olYdmciHJh$CW+=RZ4iW$2jQP^$Q!5WYv@8StRdPH07|}%7 z-e>76i62~3Zs-`Th9#-QIBzMi>wjT)7Ls_ofO_0S9|lQQdFXuP`Jzrq3$^%muM)>> zUWH*z9TS7g){mwCRyRRIk5jTJi|pJtBUeqla`%f=(YvFesk-pReSbMO9c?q!e*Kj zIOB)Ll)qEP&@uAA$}Qe;Gb!Z=*_&f|;B+GmJ%%8rf~y~|nb{;L{5(xBwTz~;ZPrV| zJV*+_IGu>PT|l#$B_6_>%TrRr?wN_+kO#%`WxLdi=ut~W(xtH&mlLw)eEA*L=ZbNs zBuqPisLt)Ub4|y}l)5eX;yO;4JE)HNEIPRfo+hYd zI3Fi;78rUSVvXe=+p>e#Zjszl*>UB+49qD?9LJ3!zsxnLWyVfgbJE^5&HGNRm{&v- z7b%o;a^8o81aCNafd0H)pj;q&2g(?8Ejqt(4esI0q;bs4DO_g6W>#a3o=?&dA zJVUNqQ*}923lD`voVCZ^=tY|e;vpfup7_5j5s`L2-)kIFehmOR{EACWbzJ$fUtq+b zj(pkJwx6|yE7+AKD7#9B-2nYYL`bu`XnK6sZxy%snhQ3_WZzYQ^tG2Te zrXpuh2sxZ{c>lMR=w@8~r15;uL)R&p+=LMH={0(~wh_bj+uacvse!;dyq-#pD=_e#^qEut_c_ zbRILvWWE<_UeF|{HZGPh|1xP!_-6K7?94pnAgj}nWdPWI$;b2O;=S7NrDF!{_aex0 zgrG0lIiv;x5<|(*=VKT5N2ir`y*k&}@ao(-$Z+Ja=i!5XhTrY(51^Yv50wKrJyitH7XT9@MwL7-P_=udedhaf|7L55`1$}TmYO<6|(QbX5tZHkyRip4uOyxM+to(j} zQIB#mgPQ|dv*NOy8y%G(-qOj3hvUgfgzVo%_20enTtOCD%y}qm@9prK`qOprBD`sQ zzPX98G`qf}eV^HMI%<{PsR05>8P{rume&1S7LlHH%5{G<+{H$C6A6?dWR1*Tjyase z4M(qcUa1q;b`;qqo%_{FAew;CfAdOFIT^4Zfkt6z62m6$F{H}2@&bhRNmWu=M zss5({uwF$zlql}4I9XsxqBbue!EeVKe25?OIj83rlw>U1wMW#AZwl% zPc>)^_DGGu5WME>iM)~_jNR-{K`cuJe-DSVV^cMLbEk;gaZRjF#&lvG+^GRmBR)aD(!b0y1AFde;6!ok(5xo3!5DA-}QfqF+{7qhs-m zOGB8W(RkzJaJ$@ai0KXZjY;IwRn?9cQqStq=AQSF6BPAv)^2tkg}Dk2#_qK>YgcH& zDi>Jx$K(*yFeB#}t?|gI1UyRa9ZAobM?SBml15E?JG~($Er1)w7YXoLo|^+{1gR^!zy-SbMvWf{b<5<4m9BM#9(qcNIn) zWv70>8DFEWaa3C%%J)pJ?C;6hu5gWl`tu650#RndvE$C3SEeHwz+J6h2p^!qi?@R; zD83rmiIU`WnroO@3oaRwC$`r`SQ5vE{JVe@Qtb*EvS_?n}RLvwlX7kt$c)(DeOB-Rbww4w7G z&&`~ib)b}_p;-KRS|Gm$|48`aT`9fje zgjVf@Ptj`Qi)b%DSqtQ+EsAaEx_EiPoJ(%B6pI5*8LKR^J6Z^1T4%MHPnMs*ne87~ zflDK|o?KT0f1$Xt+)m{sFUe$sGr#HJYP;AtKF-8ib-6(F6;N6eR{)2uyPIwC+>_xD z7Z?vy(iXUvTVO5lur#Au&@xqm?K4_JXZ44-RWn~@(ACU3wl2;4)c6PqlnSxXRgRV0 
zX%q8_O}4o35iIt0fx7gpE`FhZiXB^))--TzPeW>#tZhWEi>RSaGw%u2+afSC=dZU_H7zfEr9RV0BO^ZP`k_o@R8Bd6Ox<7z(kQ$8b0CrIZ2y*@o+Q*Qv~%dD2>$(<2Qr_e?58Lv+YD**syE$=~-~snwq89%OdA^T{vAFfS#>4MH+Ek@vzQ6oC>ve_pZ5AA{5(hz z>_FD}WKGXoi*;^UG$ewY=Kn@l?*$|XK~HM)XLJv56UYEuwB{x-N!Aa*33_*m80!-} zZdAhhY_|YfK2yFfNQd2_Hr1L{B_pg^fs^uk2Q+^CW1Qo|H)aH7zs~w7=a*4qnV_PO z)m;ckvk{o1y86=-MIblt$=+ODI27MT*)n-5GO`FV&(QUqsWRH3@z-}TG=jj)!j?5- zSv6S;YnGWbEu7qH?LIfMa&I-E>F(Ow`@!4yto4Nx^P2VaZ_}O}rB!akCU@)nbGUG)*NN@v^; zTRDck!-w@Wt-M7O*A-nT4_)hHP?LB4B*qD-9#4Pt17JVLXN9W|7|Gtej=t?teiuwb zCj4jzed-`k)^xg0hj+m353-7#^bfm1!_R*b(>9+@pUI^FjgQ%!`c-3-tnJmOIW2B! zIQj?Bfai?fNpJzzf3%Jt6`?e3cU(ZPQc3788c)CcP(6P*mOm_zAkUvw0qumHhq~g{z@~nN6x@g{=By z!0ea9h9jQPl1Gm&!J4}!Fc@MHOQTw4TL)#qgP0BJ=0=AMaqr)$x zxV-SmkYPO6Fz@N$gKNgr1@jbcex!Jk{8{Gr~+^QW~$t~kWolEkTDBcsb9b1>~zt$X$7y(pxWaXR|W z0~BtCCH@5|XcW9TuqiGBeMgBxs6U^K!db8Sza%c*#{3xSq-_Q-b-o!toQ>?0mloJv z)vxjN<&7Z6%U4Yq#9GZ3-4wH`&&w06*OO~t+O z1A%Af+6cPQGX6?2RFS+s|5=PFOybB1MyIG7dR@Vfan$|j)WO$U?!W%ULe6il?*0}Y zVlJHT$&X=m!bBj0hxYXU{|lE2{(s0CkocyrL%m=Ei;bhLs}|=quG55fkS5mP z8XWQ1T`ceFIc;E@L0oqO{`Y6*K*3jBA1j0pooLY#x`m0ZT={Hm1|h?D5xct|jH z?71Wa1rMQ)rJ*~(i;CRR@ILvD%-~F+*8yg09Kp#P+~#|S;`osA*<~fOj&0>2cxz*w zdm4tYQi+W^=TAALRoJ; zOo*smw_uT~wI2eBOZIuj3%;tZS)$)~uj#GDoRpY@nMh`;o!}$F)KtZ){sz@s8>-!( z=X7Do)#(R&mZNk`5!O7|A0aB`j=EG`qn4>$rzbYLcDc3eRk|m*&X`B|HPsVqh@e^2 z*rVLH!_$WO$3~ECqRp>!e~d$Lrx8l$8*6VLGsx~4ACFZ-1WM`!;{+Z0TIR<`P&=V< z4spK+x{L9AdaQ@fU$~QPl1SuDk6DXEH{1!-qmqrwtuZhOp4UVAk_C3j>Ns9?ku`&S zdS7XTW+}j{F7Wgh|cGczgHjq`37MJo?9OI(BJHSP?8(&0uY|p72wKX#UDnh zJ{m5<^J!>CXdUVYy4XE_yOHMxc_HGKk;PhHD;j^^z*8Ma*Ztc@sJyT1dF+le_kDW5 z=3e0A!R!7X5=%XwvrN?wYXKQ!H%SFi8di{#Fc_TYmP{zuDVZ7e%&dcy2Ks#crdtv} z1OVHS#+W6e@Ze@jWAm%;ALmqDu<%U#C<0BDC*%jg#m;a?i=C6`S%tI#ejcmZI`F2D zx#eyG)$R3Sc;5 zFsC?t#Cq(RHJ4SdQZiUqry$Am@*0;7)UY2t8dx{|^WSw_fBt(c6nG@t;vnBMswR*2 zPd|G}qJ}AA_<4%P0Ac&YAs~+!CuNjOlP>+;O!ZxR6w%*Whv$=6*tfCWkST;|RM}s* z{eO0!a~olW>kVHyOP4?cTU{e~Q9p8NyR#&NTBgK$o*TwlS{xOy`tAt>oeQ=JNVo;7;n%TDy5>5LJqY`12L! 
zaF`B?z{~T(Z1sTUj1ZhF=E}c)09t9$?Odfcs%Fotp>>hIM?XmRLuLVM! z`DNtT*!|h+;&v-fUFG%Qy4O3nScarxN|351{OXsGT#lRPYB0fB0Y3FP0iK3A*B1qY zt=Kr|w9%hCvI+HA=^6kQu#CrxB9#cbbHG>nndQZ0@nZ2|pQ0ZH?b9g%Jr`se`E59!IoyuepM`^vx& zx2tj36PphxR`_s6-f~&VL?Q}T%9&s zcy}buasDo%?eEWVec%OA&c5faIRWqdmcFwJmc<`<@LvDSdh0sGkf!P5Vy{ z`e%XLS8w(fLXQT3QRn0_8+Tem{-7fC5pf+)x;%ZC5I<~;GwBGfI-M>wK)THWuYTSC zbWbdQex#28B(wx3$aCW^{Z$ZbOo4OzX2#;Qkg*Lwz5?T+9#a5mnk2K})I`ojd)D!+ z?xz4>Zw>YB*#v;|Nxnolst~v)k2dEad+^Z5$F(_G02&wia=t1b14p`o&oHwJNxD2d zwiZE0e_%3?LRTNBp~HJN{qKwk{O84wF$jKs9q?m7gI}t>*Tx9=`IofJDiP#{Z@6*N zFmnUXjUAc`5nL<-w)Q-JN-ZN>ONi%_We=_zRG}&Q)cTrkAauxVkL2T8;F&Lv1sLSq zyql*b&(HH@8mRr4qqYT5n=5T`;c+n#LQa@y3qUMD82RUex*$jZ3x9UG&be{V1l+r4 zF#x)`61-X#L?`V<+4^(fdfjQS-o|fxG^=g?;{%@yLzkPDo@iII7quWG;3~+n+=h<{ zC`s!X5C$8XMvn?ri>(4&d z{ut&PJ#KVJDCUsKXz0X7mlY5@RtouhtHMQi&2Hp|2s`9eK40 z3`@QR&@2Gy=5|~N`{4c9>x!9w8rn``{fj;hu>YlkQbj$HGnk88*>q<)ezuN%-a$t| zd6>OBa{VstAH}ghjVXW!?IgJoCRu@Lc z+4kiiQm^E;ERPcw+aoD2A?P=XJP6<~aShLp6dRYHVzM z*B-zqU)N{kK!q#8Mewe1yy8YbxYyamJ2mlw+sF*^pMGajtrT${?xTD>uf@}!Ll-6+ zEz!>0o|4z@qWTk6-n=bJ3Td$7wT= zE?VVD<*-<(*6UqA9^7AvN*~Nv%^4;HZ5d}TP6fiM4|C;Om=hW;y2Mv&!)wEn|09y; znIi6n7RZ__s+BRj?r@x+OxZgEVyXLl23WkzWdr)wd_s%V0Xs zB9XX`WQj-&#mBp#q!G_0=f~2le442O$~W|9Rri6dHOzh0It>h6LQqzq9_Ty6U!5{n zT9`8kt@682PeOgP>L~t>kW10!j91pBnnNW?N~l-s`g6Vyq8sp#<%sO2NBILil7Euk z=lqRu_W(r$!}2Yrj{}mKAq#(lBnPoVX8+$Ay1xP_Fow}ihYqijW8j>|=g_ZU!+07} z56mLWYOzL`_#k2ln}!c9JI=gUkIcyUd)Z4-&BwXA#fSs(tOt>i3mp~9e~bPx@UFL} zK4<#Jw6s#TJ~GmfqBWm;iTyPL*F=qlNn$Q9M9}q-hI)D-L>tB$y7c$;w1-Dm=zrGN z)59hRu}243pE6{`|2Stc2Q4~G*Oij;i?h3ebTbBU>vZiOpH7NEwxFKy!!w2u|nEGut${vj^zA+M^MnKP&Pi4O%GyCgtC`1@NmkdCKg4l*Lkd}egSOg zIVTz}vURJ5D;1IK($0)1%z^Hgk{U>?N86Vj`v4py)!M>9T0}mtLz2$VcD8UDJSd>V zX0n%%V>ZZV97DHj0PXzeIprpJnPZs7Lt+-E31t^5B2W={SHC3y`)k)gXr1|8KVO!! 
zq+LF*-EoD051~L;=a6GNFOGvt*S4|QU!Y92c;Rb^B{h6wMTT7VS1Bne;<+&#wuLiu zcy3T_3g+(%co?S_FDBHZGh%)XkCpm=rkyv-9I#ciOn+Qme{L%(?H$cOo5v#hsCG1j z+Z)(P<`=sK5K6r2DE*SP$Jl+-LQ!i9^!zeJS}P4-etm0XhsYB)+gwxMSxSnHdK(iN znXUqZ9v9&Rl3|V?Znp6`w-BMHH<|v9F<3MG3p`)3-ES5ASq2ey{JsWNEni$id_#&H z@}(`;(LnzJ$wBb#yYe>=}Iyj#M(dnfsXgwr;h)xz^`DY1hY{e_S*T)>v$-h|ywx z{Q2&(d5|UVV%|4eIMzBeR|mNv>CgWBkt0K--K8Hi>u<;e3(R)3o#q(tYHK)ZL$_oI zlxwz0V7ABKsgn)YOTQbZJz$4J|NdpkxL6KOv1yvFb|!3eByogUV{Jlcj_Qfrj%$MyO<*IedIYb%yz-Z0 z2$ROi?{=rPT{4yo-Cb(ua7pj!rM2Ox^p2Sr$udpaPCuGobi9hyZMn<=vE=_6pG&#o zGogPp(HD_O66*^l1u}JoI*AV@8&JmT*mEzuPTzi_U_t#1!Lw`X?G7C*4lNr22{JOY zZmug(XO*Ca_?*VZLfP%on1-)(lhMx5=Z&%X;P9S9uuxsmMe+Ofv0-Si#fl*wm2EUK zmsPd3CHdnuhZh06rKBumD6ZD`LL8M2&~^VB)+#jd@2FLo5o#eB9G7kjqBPt%VZhekdf>V*omx?4bDR2KNEKzypOABj$1yb=ksMjt$rL%#)+ zq;DFT$wzBOjI>t%ZYen*>K{5Eq{U~jF2=Bgg9cjjt0bIW-L7}EZpk53Dg3qt*9D%l zx{V#B@hGyFILr|Y`>XD2qkheO0n7f*5=yH4hOhX0g`?mfCq7H{0^ACC*lKUR>O7cW&@QWd0N3gxPFExrIa*p@!K0 zS5i{i9GL%!8E!}Dx>WXpd2BpGEZS!!F-Bv)`WT7%(z z#eZQTMrfl6p&g$#d}FdCa^XCP3taT+VD?Ii#j(1{0TF&ttZuNzS&8?$?)PDm{GUPM ztbyTY7j+}q`tlbQO(ns89kucMqlJXx%VRwSG-ldArFT)pN9x$#Ix6m$?q%M|5*%%v zsuJuVExa_`){@XK6OjENv8s-u+7XEH(MT*SRvmt>xFRj39KZ!WkP2L!L$kVXEJS#h zFbuDCOJ2`du}5d@Kn-F@o>jxu5CAr>n*S5*%`{JWDAuoLA-_V#7>AlxZPS|Bv{ksZ z-sfDiy>hPf@~MnkZ;#_LW;fcGX$f9X1;a$V*sioJ;*+E|!v)cLX@45Z?E(62NBO{JJktI=vqWQ4gT@#iaqQ=|7$KR?hOd5| zgsbPRtCG|ODvJi>k9fwlABOTFoO)!G7sUGpgLb<(*qaWDlWiS!rdF0AmwRi&I>&~C zztM>~X&BYzJ$nvI`FZ}+h<~!WS$40W!ozWI^66i4s*C;dEa&cgsr%nXRH#oRu*t`p zz{)}POw-`%9yX)}RljOFWfwf?@Tkd5OU`kDKi*l}Wps~ROPoP}ES@j;2H$&WSBX6j z-w>Z%#d#%SFnT@v!Ma^qtEvqS(>N>(P89a*xn|qxry;g=2Egtwq5Dpc>}u-P@1B?PpPmQkNzx97@rNp(9l@ER^~Xwt9mjwFtW}a^E#i=g{3`uk zsf3m7D4F{>UN6IWl-%=ItTdb^vR^zxJ#$Yj*ZBUhBb25svq`SwKo zAvgQV-1CjG=^3~;?ZY24S1cvNZR74Dg3%G)t^oFkd!sMq?y^K&*_THk=EAcV-CtVC%`l60Wty9NfO-=MjbSvYV!V6=+|``5UULzND_ zLiofz^UVByulw-Ltz)M}Zw^gPA^J&4ZwkA-#yW>}u)LB6PX&XuA1(l9doF`R$i2ys zB|YSH&$LiOlPA2=+=I36dlx_c2S=Xh7wOg3c=~nQick{+t@aL;E{DpF!hDzvu&J^9 
zEE6Xd`}U3LEE$z^Zek-+eADhb@+%Jy>Kc5^d^LBC-bGdNDFcys_D|#ecuKmTZSn9f zhWO-+#>%|jy8Ur>ac$`oe_;o(?`Bo5YAY`0&zQ(`X&4lvJjwbCL@aGFX4Xw)#n({T=wse;swT%o^ZIJzsVTxm0%6~CCA02r2Ycnam@A?KIQBf zCs(hR-R?I{aGm9{z-|A>H(l8XNsvvys|7zN>;Q=0AMY5}$@`Wim$*sXRdpD&?%J;j z*OwR$FK*|Etg6F&&yNmfExJm0J)TFj_!}F>+gaV*jZihQG~1eXU@RTgXVnM zP2*Iyh9tR+_7oSBe#wymqdlM{?^^WF=YA#?V)r?gQ`pB%6n?2<-71*g#2_|3h=v_Tmj(62Mlr4JC+*C6=fAt-fE$!aV6Yw4x2 z-5o@orH;DNPS-}_bLcV?NqvrH_oKfpQaXnpv7(6Dne5;_@vPUUXRo)m&FA8LA80<|2Pwo>f}$LudX zMb=-#V2(9h*o4uy#*_J_QRL<&!Ly59$13C30Ak254pb(0nGBvcSf|RDUD3 zFi+>*rHA=v7GeiHVKw~&3jbAc$i4JgCR)n3Z%)`z_TIMebeXVsR_5a?>CaB|pRJc1 zhiAE|+GoEMb*!fOYr8lzj5H^%&DAU|DRDA_5u}xE$YO+)l6pNwq0J&EBU4rBwc3X_ z>c!2K6RK2l$Nc=`!;k^iV*<$HiVHyrxwG@JrWmJy1BO#`Ph*`x5n-Fte9K;e+!`w} z{UK%T$_h$n`bUScd*aE#tiT=bI#PGeha?Uh5IT@FGhdr*w246WtO}yBBE1NVec&Vk z_KS4|!Eq#`{ippBlv#?j4w=t^@W6>BDoGLS_YbxYM;&{|jHt*3rG5PE_2A$md-6>| z=avOO(I$IWQ_YVP3(d6p=f<%oS$=2wF7Dn_$j~kQ@`5*PyfR%0VFP+BX5h=o{{+eZ zi@EoXYATEVM|B*>8Fge-xX)_{4suZOYB?3|c(o0CtaTMtyNG~D~K$<}4 zO@|UOK%@o|AR_@Hgb*Qw5Fp{*fYZOqkl2>dXew`_Hz5(qwwBK zujOS|H0Q{b5!W>4jDNo#{QZlrtzz`n9cc91$78qjv0_?L3HI?G#YZijjZujWe}Y<8 zYf)#jf}5-JC}B-~`45&G`$f0tb*^_myvEtRsqW8zcpunkJvSG;M@sO2`DG^4di6m; z(AS8-&#;KncS4tId}P6w<}=6A-Uf(>s|6M|{xY%b{mrkIeu^Az+?(H!A0`^v&IfLJ zJz1~b_0e3=OubHr*F)rYzX8QaheNO~;xXa7?w@{okRF`CF`VrAK+S`Is=Gq_Qw6Ff z{^Qqd9n7R!Q3;z`xU`t;n@Nac!04&K=*HilN3{!HNUuAYCe#al0n0J1z32z?Yhkr- zv{exXwT}VI<4yu<3{%{iLz3nZc0Sxgi2>g~mJzQwa4hWo zG`l;Sr0n3_>ed2quXZqB2ep@F0_B~0k^DXUiue3jwl7CxXIrevO7nb00m5AUy>`98 z!DTB%^4(9Efufj-0Ao#_3Nm?I?$(^D$Jt`uM&7<)3GmI?ln0%m6$O`st0tsyAAP^~ z?qc_0oV-wp+|dG7xCLCRZ^U;CH;ZYIEnVG1q1mf;6@&$dPC-Sjt+_|kSW5nZg9-3T zNS-bJ6NHJi>PQ^pubNn$Q6}X5$Ilp)P4C&|C=1ck7O5Ja(ML~Ttp@A`%h>4L;lk>E z-H!6E)uwxqr7o20A>m&y&u1=GN3_a@In2R-s3OZhJXP__gm^+~w!`X=PMS1ygk6H% z5-T?3nu*T*5%^@{w)XYe5$%L)e?+!xQS)h~+Ey+2g~oWudUVB=&*B3^nN}~M{n%@~ z^>qKO6NG4neMdhZ0B*{&^KEHK(5Xorq`nrpx9pAo4t?`KE9A|-?2$J}(%WChXc4dI zS})ia@CiCACx}DT>&vEyY`R{`-5J;CSgNOl!g*xc%~z)Ftyb-nSF%MdCnp(mZOU$qllX!b;H#a 
zaOxWHIK7tZv|=8Qys?z+>_nLa+Nn#@hYl`XzD54Pork0!k*iXEge_oUT`|Joxo`4qGYk>U#VBr_})cGt=o? zt;ktS29Om8Ao?o*8DU?)DiD?m!0Zdz1b!)E)}Eh!!HbBxLsdA)WQ#AEz7c}~(Dkj3Nb6SNE=G3-F?4`QiUOu0O( zVJleVcLhBVa(b+k3ZF*P!r?gHU8ZVi{#QC2Rle;cd`wdofH@r(JLDcSg&&(?TMOI8VRTbYIkes)Z_No)KiiZ%5SU% z#zWfLy^J^~I?B}4t;gfYo;V@->i*FF$MtQrBkaok$Z@x}r4L&!roDL}Dv7hJQM?=a!2Ibg81K5 ziqZT(mIOtPrG!Q>NFtk-0;OQ$Gbe)^z(M`rhuVKG8%s)DLG)r$XTORp&r7p&=s|qv z1CJ&Ktz$m?K2+&)_s*vy><=)pXGe~QaqutUnq1zV`o~E{oj}$|Ua#&q5ocRs%5@(a zZ{efIoxR?8;r0!W!~2DwVZS=%sUa2?8M379kE3X!bfy`XXMw{6KOgam-kVh#Fst}u ze=FnvY3G+OIXk=*i+p$MP5QA2srp$t-ijsR$tNBRJDrwx$E!X3iDOR<2F^E!O@<+I znxBed$sYo=ta*K1aYE`WjAyP+AaMq+wk96*eec8lx>#@_r{;83?}r*)@U+7O^HKZs zK;>7u?N^B(RB%5~Nq#{7)H4if_C7WtF^cISSJf?5J}A5yoTJ{v`o3f_ptUS#;2_Qk zBdf&-sPXzq+mc3pjHl;+6><@Bc*%7F4h@9w`_PV<8rt(;XaMxZdGGCq;0A4-q0rs~ z!WF-`=WNFQtOYlz7QejH^37#?_l1$}6gXJcKVQe!OQ!cA5`JKRP_?v<#0sLn{e=txM^_;q(kp<_?rvTi7Fd>1o;&PFq^J$q9qC z8K@-t5+8^RB50nSkg1!I<+*v}(daE_->SL_B*v;Me%>VWK#UaR8=d#7QM~qIjI=Dc!IF$J`G^j;o{9`f&ll&8rJS60LOxT$SN z0xosa61I{trTTeN_(@DqFrQt(@gNfokpuRwET@Ch+0F1LM{_*tW>5RyHz;ImchhUi ze3P;JK+Rn&c$<0VeqGb-WP4Dyc+XC;i|qiroH{5ZSTR zrRG+X-b&2d=Vur4AB{!WHNqbi7Kw|Rvp3eY&`D$abiIBObB@Z#+#ii5cvpa=4z7mV zJ9j+a)Vj`dw?dqew%S~xmNK@b&EuwL&y_pIqjp|B2U@a|`fSZT1b=@eZT;nq->063!yt#>85@b-JvE$Lm)mjkR2I+D zU02+XE^S!J;U3grQ=;m;va{u02#NYvG}{?!TB^Z-#E_DjNurTB@b#DD&k~nGS&sLm zz~_$1p!64Aw$f__Q&Yk(ofUP@B^r6%&*wZ7)T2V$e}!V7y~?H4kpA3PufWQacoADO-*8Z*}*q zy39Y}48SxP`};*K3H&n2(n0>vd@;-c?Y)yOXKD<%$87rpM=Ru_(a5?AfM_}5dwIP# zMd!fFQdr+2M!PScR-&nwLj|+9edM9A*X3l>tx)^jYEl(RS)6B$%&IUMO*mFm#~$MZ z+pH$-Yz=fdS|&{FpmIAlS-lug=2-oEB7{JIY#ueN7m$6A0YXxX+_eSE@5+G7zI|NF^3 zJ6jB77yxqrH{@zE@R#Y>-RjUR(3s*FsjhH20tmzm{K=6vXHc^92{QHbP%55NIRgGA z9NwfBvMBd!l%~M$qPP?uz4AN^@=bv~;XMHO`ZRKOE-!#axVzTInZ_ZXQ;boFS zQr-Ouz9vbvbroY0ut9(xN7Hk6;!aMx|>2=j$FhJj$>B!j(Hdqd+yGz zcPn2rGP;z2)g4&%)QZ%_nrbTsn-4P>`uK&CGm@7boD|H0o6ot_Ur@s!*_u1y&0F z4n`Sg&VI?}{#>O!hsfRGmqwpYDS#9RT3XiM;P}9=siVd-JAN>+xT|%i4VZy!iR)%Ys4g1P0)xI1JM(T76x*evJGIAri2E^}|_rHcOIL6mCBatZG$c 
zVy)MJ2$i(38?5f`*7?8+SR&_-o^M!h5VrzCT{bnnoO=I3bE5w{k_Q9s-;$G71+IeY zt%gr%Qa>9`Z=bg_OXUu2ke`O7y{g}e~NZVYrS;R>X3CDQ?r+9N(w=2u3 zCDc$+3@LgiZDD16m9C|?h*3>N#bj4|w}Tld-Q2CQ`qb0^;;N#Op&~lCxvoPbIUn6P zGJaC8kFGPayWA*iQvq!aZw;j#-swNhM!Zle2B7{-H7zsR9Bcs zj1C_QTc$9=x2HceDUQs~suYFTSN)u!%H-l~du6>%U9x!_v6QDi9ijnW(ypni5O@C+ zhQWGZQMu@FL~gL*shoz<%a?9@cxb7Hh0{X&j~P>%dWT`|3srXiMuQK_k^8T&C$%qR%_uZM*t7SL1*M9r)Nc;h@<83m%34m5#&*C3CL-9lPKs#4;*3OS3Jc)h()s zF*&=?R=dVU9CxkTKZH;AO7q%?zk>CBe~)(7`CRmB=**65xMux!gn5#cEX&$lW46f` z>eV}_oy)Z$@!XwzpWGc^R>`MwKCrB4oilV>B({1_#y-i*Dl-CX%&}O8buV;HSXL-_ z`F~k16=1{bpOW_1hO*Ak?-$@o5oVnI`24e8=OUBT>TlT-=g(03)q~EID*veDIui?y z*k2BA$R~L7^(-=0fquGGA%;oN%4oSUayY2R{X%54FQ2LygB`O&_K4DCdR@Hd2{H#_ zO@&;5;$cr7*xbmTnAOz{Gw31j==V(gPia}7P8|6kb)tWd%!<7T^{HCT&UiuyeAa&A zCaXpH`tgIQoAp5SD8`Dt$`(H}@SzvOGnai}ANhUtqr%W*7%%H~!!dV@ZZBK8$agu_X=R>e9J{`< z_D5vbTb&oxZ0b`t90pR+0}x4KLN9(mrE*I$N;CH+QKEqm#@b}yZ*V8mLu7Df|7(E$ zzRyjh$Lrcuw9YI>k6m=G{ha1dbd@ZGPaXAcGaAHMOq`cH!AMIUOH0e|s&Q>o-u5vq zY|qA4WA*H+WZk;y&Z$~~KU^5PaPNypNIPcdJ21gujXxg?*QG7!#%3jr!LB`^vv(cA zwXKaGcTsZOioIoI!Z9hAdhKL}dzomu4l<`wF43Vr$XmmSxLo-a&C*hbXKPb(Ypg6U ztND9vl$t1I41-36gYJFt1jFIW=)yW@wkE896Oix3YhG=eVeQC&gX-MrIsH(2=hkG;z*Bdi*IxW{dIQHZF^buyj_wF876SP{8481ajqrvJ=Bkgjzy6%Z6 zB-Pjn=>B7z+tD>kb|<>OxI+}6hF=#GP-6n}Rq?i9%pC?^W%s%7lUDv)U?r{#rL=3- zOm`M6071w*3u>V7__RqGei;tczc$S?$1*mVLWnA)x6^)%YX(5S)U6m&7;6;|a`>@| zMowqGKQXh5T5|o|zt@UAH}iBLq|KS-Zvm>yip{UyPCx5aDBGMe;|qsDjv$-VwChW> znImA-SxD}1tFzGWrHA0FbCU0GjkNz2?S zC$_eNfT0{M(ta}c6uz1rumpLvB|R5ZQapDyxb@g>mhizDzqyG>2%9oq{25aX-TGUw z^{?smUQdF6?GNyTIW(1I?)ZrN7MN6ZoQso59|OY6+>Y6iM6ab6`m#08f3tNOA9!d6 zajvyR*2P0QegOQ!O7nD4kEuKe&uR%_TUV5jeexisS>zP#^Hs`HL+cKv z`?Gx2#0R#ANcL;Ft!1pG;@W8{P>}E!3Qt(?_F6~$H!MC)*zcQTDzEgTpW&j5nbhR$ z{uFtzCtETFEfA$_ZyDZk9+Y%RN&NXd`EF&!nG^T!J15tz z(Gw@ocKo`N31unaC&N-#UULxdO>_Mq5JDF=X`5vQ0$xbUA(5{VL~Qxb(BpLc;Ily* zw8;zZljKEBjU#;;?zX>a^5ei@GBp7ZLza=g@7L+ z0mr~br*Ll_XneVbQp!oVSXpc*9K0eqyxk;>=G0RVE!~@E&?*kC<8B1w)9z6(6Is`} 
zr#SCh;!ehE9={MPryFvw>?}zAfjMjx9w~ee<0#rQzIKLD_t`)kIYL%H8zT(?T75Ee` ze@1+V+QsxCoWI8Qbx)n?df7!LZ39fdzGe}+kjeV6T%>)hPAgND|K}{>?pjSS8=mtl zYl7tLZl4)^#V)lg=L{Z^JE}vV7^HTGnPydAT28SdsuwO;R}7yZheAUf?Na_)$?I$K zphfP9hwBUBFY`awXhc7XS22B(5^8P6u{^<)%)ObNyViY{;{$CkDI7V%fp$EVwqJbo z%7fCF>t}GKZ?ouidjhFGqgYM!NHFw>cWg@74v3=HwMh(M$A-K|%{ytnLOSzKts#6S z?nTqE^?4$@m%z0vZ+KRc2_LS9o3VY7)X>(u)&2Z(^%Hw+`sa*b(a9^< zz~3yEns1}|>gWN;86)-)!*G*Hifa41X7Mjis;0=IJ}nuxj-FfH7o87?Rna!Y<;0qF zPY4@y$&zvQuHBXYPY~@9?iQdILyW7sA6=Qx&d)NgAqc-=3gyIC?#3?~Uy(#vH$=(t zC&$o|70mM^ElwVpUEv_RTyDZ0&~lHm>apom{+*kP-zU~nBCP_vsSE<5$*HT0X_BSy z^u7?O>#cBu;@_td3mZZ+i1Wq~n{5>A1T$@8Dh^P=6MzbSD)>C4OwXS(-8S*oI3Itp z5s4k~%Nr*7BpO^CP@KkYsaHQKjjZnuQkAV1bOP&CSKC%>)pbPq(F?=(!-pKbEEhF? zL`@CE3KP6nT(bK2I7iQ~RUMT?_k!s1Z4fU{!Gs_6fEDnvy@Vf^7YEf^@78U)7 z>6c->;ndS57Xr=N&tUK#nRHe3G?CXlpBr4|ENSdf%OSH*G`-6p`)c@5Ha#|mF2}(p z6OF?i*=-_OiBMc5o8bcS5+c$4*1P931DUS#y){VZ zKC_)2Xe?%U%nvVXs#l8=8D5X8I+=AHirdiypB2zr(K<;yKsu2K?4~LroAxJcJkn-o z`y?KGIR0x4ZOSiNZ*Zd(Bbb+1E5RkhU{B-n!gRc=_XgKLJ=t*m5%IP}g3r$7q?iPs(M;OYuy)&WBV939d|HcN zwCR&In(aQ!HGZXzebVPQi0a`MIQ0v8Cj$G z(JM6FT5|RnR_VGx;Ym(T6a{; z@7eTv%E9XK%or6@*lT5R5Z`q$LIW(_!v{}QUcopK%u^=ha?xAh*Gw}U}FedVs zkPFjDKq*N{XVggvYfqxVMtFpfeSP27!HfJA{(yB2Pgra9fE7_wIXOPYgmRCJKv>o< zHWB?dE~d#>mQ5imCb`lz!yHb0$cp>0&TOOSp=>1bsA=!hjZnZ3Z32otsNe#=Qnd+^kYzyT) ztGCJJnZtfUvaS=vQzCDV)22T>9dvPbRvF{{}krX>M8Kt-5gSM94;M%SP8yBa$REGRZp)1Qw`)N2>GhgSG& zzP2(G+BH*kz(ms~6u8HM9@rtH^|LR%9}BpTRah|3sQW$h@Dwz!qqMR16j=Ik>PFF} zBIxmp;!t{H6sfR~niVqzH7iXz(Qy=sQWu}Bkr1sL3Z^krP|#tOCzK$|A>vg6**q~e z(hAD_$!UHgB0E=Yphj>eIK`r#o+}&@-tTuUPofrKhL(RpwMfQfhHes4>NWZb3$YuG z2YP`2=xah#>%M1~C7&X2^#P@>@zDCv>V7<6lQ7;H+(OP9>EWwlW`eFMN)w6TuiRv= z;LLeaGfyuZF)+GNQ%D$s*G5PgCdNNnu{(SPlZ$k--V7TH$_B16?@mkhG0v!az?&r_ z1wBG3dum%~0#0?G$kKu`Lt~1wH>LR9!}3yK<&VGWGy~mGoCV0w{)7A>nB;Ovk~WB- z5^FiMrI_b)A)$hfFjJ-eE>9tUs6m$goL2u)nxd*@py}jk6rLOCAROS%I`wIWb~gjE z>+}}>7KLJz2A`bNpLo|OCs@mC&|+kDJ7P>uqwJ|4_>G%~ci{82kfF7fC1A_S8Hrqu 
zlsJ4paiN2@7QPTfqSY+I##Oub6tVkGA+Im(vS+Te{j#0hFx=B)-?(L*7xw#2(m`?gi2en{TF{98rsbgZEz^n8 zU$8HWOK+t<8}kBzkJ1N~str>WewBL|`*c+@>oMg}5nIjHsYiUsNi0!`e|3AY6ulwmynkt+&o@!+N$h`6c2Mv`L50NR|GOwM-lk zh_{}+_K1KKJGv?$bTDn=*%+=-4gleb8ErXky7+027FE6(t6+cg71!Rv$IkY79x$H< zspqNY*x@zAa_xhfz7>w^_A?4;ul+J)2#fIseNb&PJkNS$Qw3= zyxk-RI_mehPaZFnT38Rv?50LMM!F6Mn1shuIi}_IyIieT|F=V1y;_24^T)@W)X&IW zJNTmXlI6~cr-#p#e$H$^+9mgO>HTD1bL{iODx|}Wy4#l3PcqiJFNq5b46VN-oagVS zQ$1RcRE-tZ7)Lvpgcri3T!V$r2W1PN_HdYmp6r+`&ZEN@{1#S{r(59Ex@IF_I`+Gf zqRh?n)TN|n+DC@i$=bzM$?8+N!se`i%i88_){^Awwm6N$Y7)v@!{p^g?5C8?2uZEr z$zxy5sZds)%-@LKRdW4Z5BbkfI5Z=0MBiqCuB2L)iPDyUClP#jdz-PSEA9e9LxW0~ zr#E&Y;{HlBT+S;epQmOI>P47^WL-0;4nA)1YX}IidNqp#>Hmf`E)vuSDjq!3cFz*~ zCI%K}?t~9*<^&gZOJ5^IK7pN;wXzHl6FD<{Lrh-FJY3tf6HyzJm$=LE!*WiFAp51+ zVf`S6dQPSTL93$J#LV+kqQ=3Q@?L{C-v>!NaOF?i)qW}Dwq-YSdYgf6I-`+nRZ!T*~uqprw-GBgN8|ShF_A_-B`eAH)%CWei;fT&irZtoFtwH zJeCJG0@xpYM;(aUUB`Cwh8mNT@oKkuf%}1cVizd@#!!fyQETbjQ|G?jpyH1QaD96W zKr1)n`U4Hvv%|-aAJ5S7%XXFTqDlgfpab^ppU#GRRFMM&K3seI1lZG@r#2v4>&iVJ ze4zIKEh0S9BG+K<9PlCbj4vqDKM@=`AlJ3kkh~eN<7=+DLY`qOI3PZwcUXQf&Y+gg z2S#wFxbB9?PI@~KA<|_$!X)Hy99EF${0A=CqIF>j0wZ?pmG2LjI_2bVPN97$j zW0WSe4kr|!TWwe~=l6Z-4zzF%GvhD}3#P7bZ?kBxOuf++to+CoI@X9FU0D`LX#A>| zM`ZhH=PIng2ydnnQB~U`o9rwhOMl30^c+&q$k93w#Ptv~ykh|uZ+XP};8GO9quNHp zO(!$3y)v{3zfxt%^Kj(GQBiTMa@LrEa-O3DI4m1OIHMgbk=y`jg+EtZ(a_yI_PSn% zw4vgcVZVq`N@$W2X$8Bc_={Ba8`PJV)lt)zV-txe6L@YWr>!2*;^?MYW3kxqBt=Sf9HFo_sI&u*tS&ow(K*0ekNFgY8yL!@|1# z+lb+Sojy73`tW7zI~7{YSMH8tuS&lY?;L1kUTr&*#hLO12s!wCRSU)8^wK6w`{U|5 z(yR-OVdXvKQbg1}0M}}$yfU;UQ-whxERUZn^4?cj)oCkOI$ae8tJJEGh~P*=LqWct zBZ+oy-xA!gKQZzMB0W8A%__bTW57`>SBeGB?TC9}?+K;L-LtA%;VHb$)oDDl-m4Z=OQ0qEv zQz2{q3dIy{N@@LA>w{77kmXH{&ik(Axz>Tve(L#$ zS*|zFBu}4YT)9JVb$P{{OaDgC=T_WBWJ*;XI+rl~EH=04lcV{>nlWW1iWYP;$N|w& z31aZ4NgcUBVUn39H}0EZlv=?QCYm{6=KeQ6bMk8e&s(EyW=nAZlsaehbQ3^BRmflA|XcfDMt<#s$t}`Cz<) z{3uLT>5Ao0x;>{~DdNxs%DZ#RLS;ya*n5po+FGSj43zQl&;>2N9iW*HnMoLN^(01R z&bM)e{6Ea&h@UmvE-tbUHu+e%=`wg-?P-56MIrJ`rEePYH^XV&OObY1onnR~vE?#+ 
zf8xRA)gw;Y__JiuEOX_X?FeY%=yuCU$7?k4_N0R8qit8UF2J5vRNo;T-9$ese4VY1lBTV>}%2TyI^?*UkaS zxjY9M3(0=Ig2QVfE&$Wu?SLA#=4J|8n0nNj4#C2Qw}8Dn zkZc{Q+xk)Ke|n3}x@&_jKW*5G_MvC59^c(IGD^?(i~adcAU0Ri)9 zo1L+4`=IQRfwU&5@OI)09eon@M^M&zz7*O+M0L;g>VL=!^jz{wVDFWUfnC3r=_%z5suUQ z^Vb_SLBDr}?G3!^;a&_~aC|8%ofLEygX5f_>lC_m2 z&qG;4^T@D_df>=X?LY0)^-#O)kytU;A%O&j*Jabq-yHcoC3rtjx+m>&0ZvsEA5l0FOp-GSnJywBcQZXmaL}w?PC-|L%Ydl2t4D4VUwum zql)aB7paL?kHAuI(&ABO=t9m$`0W?(@eqH~C61Ycvsa?Nb(Z(#=6moKB=dU2jx~*F zKOAEJ3i%@=e#6T2B1~=P951t`tZ^O&^Zpiu>D}L zl#v;8XQip^&p;=A)8YpN|!^7#3H#Baqj?$y^D^MD^9U8`IC8@8?4+ zKXs%% zW5jOI@0cV-IKC(QsEJHoD7H^y3ObpWU9e1)YLB~^GMkqrY6G9hdb<5clYNY#b(3EI zN?_lNS1O^d{!qZMLfO;pot!aOGwm5~$Km`|-yWt#AF?A$%OUojI*Sw9f-+_~JIURh zXBxBHM%U~nQWmvzbl-9rQsV5-(W1eZq7qG_L%6l6 zw#1c=k?`TNXIMgY3ZA8!JV(lEj?8BK zvN=w3##O zrcy`x^CeZNYzsLvH1m_0JI@g*9|NJhRmE^NoVX@BZFakb;r>2%{ygqNQK^sxe=GWQ zl8U+5t7+@F#8`sLK-wbqdF;YUlW>|{bxu`gJ;ZFZ{7Jy{cbKjeTE<$g=eXU)qUm$d z1Qf@9CFE&*3Pp`QrPAkM^**SzJ^9A88$+Lja$OCxSVPT8WRa0zEW#Vhjq$&9FO&OA~1+d!H-|v<=wr6E+c!< zSl>(*S-At7OcDUNC*?4ZL|kpM;qpz2@l{B>j!OCrR()mN^igUGUZ5kqx@9{1LY|m! z1Kz`RCcp-4NK!b-(FPnkCyzp?LGZfNO(W0gv`@d2v5Ev!CpHg8VrVunSr4o+S% zn^-S`8b2@Qm(}pMg;J(8ntuj<>yn#fUJ}gK&`;z2thcA+Zn9BkYS2<>a?!hiWg^6! 
zEK9l8|D;h&zZq)$(1Xos^p0?B+iwd^WJKZ`I+0=CP#-IhJIU)NHcQk27Jm&wuW=m; zE+>M0UA!}4W`>Bw=QNxe;xUtg!hx8G=N5|^U3E_AIRysurird%$96>a>%OPc8nB!1 z{sH!`S;KNF;NKZ0v)8(%*_sP?i~M~X*BYf@6fAwREVWgZl-87O&3lbmoMMntQ9)m$ zIewd{Lyl`{i%3A3j<(6FkCYh4R)^9aVgXiED{Fbkb0>S9r&43atXwXI|OCGnOh8vN&vt zDeuU`%hnD@lcZzM_!xMkt!iZlSKei{oA>5XhecH>?(biTSE2nNcASWQ)6MOP3>rwa zryD(&La#zq;K;hwLbh-ujw3ol4v6Si!AQf9fca{jUWKeG44)v%&G~<1U-l5a8CkL6 zIF!8#dlyG(%sf)0?%BzFg7mg?yH6DR{|-F}mPE|Xfts;xOy_%MMy))%$cHRo4GhNQ@Ht9X&pjcs-rlS4rC7zttZAnfUVYZm?W#Hb zUq}rAIKF(mo9J;{D(#^+|46+4AA&kx%EkW&346E#?B6h=$4#Yspz|HaFG zL2ZU|S$|9zQ@&f@blt-ez^qnl{>z0u1p1F z|BBm*NZMFsaN_|8=zO(v)=U%_tq?wDu1i1Q_tf?F?h1P=mZ^d4Yq-~*Ggci8U4kJb zO$ABkEP>}DC6q4>*$PM5@W<`WXVPwz^)XwAF1}Ouokc4gS4afNx|&&g zYeW+P=C;Go)lX>Wuxa0}EugjN#eR8x zV3)Sti$ywG4M5k4CT8noc=uzq$p7|F>Qvwog zPYvJ&@4IhS-Y>|QSyp8e(eHTl7fXo${sYy1p`Wy2Y-7SQ~W z?~coizePkuAL^x9L`2-23@EMC_~d3|A94;1#G)jHpj6`2+%VfOBOHmiUE4Z$DwX2N zN@;v|-Yd_1WkudE$u#vIYjD9`AI3>lU+*;N>3-Z3ard0IcF$_3Gopo5Jr@$f@*oWc zqZKg@+OjphDRWjcXS0<04!HpTNq=00W4|oVX6D_(?<}C^zxSAI&71;(6rnTxAP^)B zgLYjU6AdtPbhAR5Y|3BVc=kEad%65W!08JeVt%?Pz1Yc_pVa$JR+~2g-H(+RT)OL@f)v z&W)^(mlkyk5M?m7)2kYd+v`9#V?;<=9;Z8`1)MGO<>ucyjbtM^G7G}rS~1&2f28ME zU~Ccjsl@3}Z`PC(VlxyqwbHkG(iX9}8qjy>CY*&J>%zwX!RKp$oQy{`&{DJz`}d`0 z0>X6Zy2ecabi0`t{SCKet|zx;ZaC!Se&CPScy1@$>GZqYmbv9BfaJeWJul4tqinYw zdi?+YZn?O$p>?PfP`EbvK`x=TPD~9d`q%&?esWJzPbBLTdbI7paV|fQP)cw=^x8yv9PoKti+w`^M`7joKqN82Bzy zcBl?_6ys08s73ZqF)F}H8pB#gGA(S71%*Sb2O?(-$0kW zF}-me(3?4{HNY9{{=8f4k^(xSi&!lmuT^0g3KYjB1Ez5A$1Y)e&4bx4PEA<~jM(>P z*-ppW0WiG9{#61~*0Wt(fc;6;>iPNjL}?@M0bsm~rOx+bnfu?=C?4a||5G9_ai6Vg z&(FZ``#vRob$VY}pW3(FKeR0GAGq~g=n!|cUl<&|x364*^ds>5zBR-B$L`;7JN-5A z`+ZTVH~U||k9)}d;)B>hwS6};{C?p65nj0O(3=Z?4)Xi|*+Ka6gFIV~D>W%mk?m^8 zK7p9D9dwEue`LD<_>Jz1mI#t@_eG4O)9I}&DI71%3PHioG^TVi`Os+-;Ox&&QYbMe ztwh6Kgx+|6948?0oaOJgTHs@gjqjF9G-Db0dA^7ETre|cQL|!g(wd4w`yp07GR|46 zjf5CnktSz-hT+<7-}>=8sSsXYldzebZcx$bFq;*m0{G(ec411DKxFpntS|2l_`TJ# z?6l>4R(B-A^L;~115%Sp=qBW@=gdIOcg$8K%y+gFigie!_uC7K?GC^{9S*JR4C2Lr 
z9^j>Y^H>BqGDV#p!g2STuibI?8>`((b2+mwXApR$!M=UB@}097KPLwd7WiZpg&@!T+przQ(Uym%ChhiIq;@c z=_U6Wws+;iKJj&*RW5M0^3~V!N$)RdOxSuL1QCiGhkBFfl;xO*4yflghDd2F57+FW)= z9Gv?&rLBkH9h2&#{UtSqIJ^AiEP|(gchJ!{uTMKA1f1+?%+0b0i@TU*k!Y8&J5k`4 z>*0Q$SE=@ji$BTrmsljp@-F78dFA_XcE3MrTqf@ml?mKLm~yk;lJ{{`yif_@jwIQ( zfs>O9hw8J(P*6FUJ<9r&dZ?C)7ZUw6hT}YSdb%lR=l>#YP*>Y&$wzUq*~vryxn6T!TudP8 za1dRY`^;OmZla{%CZXr(#u_0;hw-^#f7>V2(1>hB|BLkjVj+f>l9P2gO(HV*;kTtOJO8vG&Wz6FkFhq@9&%k+_V!uIj6}sDnEa zWKNJA**t6eX&mq9;6# z@X^hB^5aX)Up(e?n8%k)`RF^fSbtf(0tEEEV8fOEl0m@+?SYDTU;1CXrSGsMj`Wv! zJZhfE%q)(ZU%0-OmN! z1&ymSEwSdUJ6_#QRc%FmWr?koc~_hgzi`31r?JRG-&B+|6LdV_ug6I!zYJ~^Vk{Or zTWwE)r|eKcn4q2O5o=Q+{1Tcqq$^V>w~>?cyTbD3^_ogg|47^->l0DL=TDgjow-FJ=FXFx_NV?g! z%R_(@DY^7FBTqKF!o^;7xQ(b6Prq&|4J0#TnH_WUGf+A0>)C4?Wq{0p?d3+CoR+k< z7iSXl0^lpTxXGF#`MMoNqG;eA`-&*?J|BP;g*ZYKJ+}o_EB_nqG` zp&*W3gOBIAqJozR@Gb%2Dxn*``fdJghH1|#1#U3=TiU^`^Vbdqmt0r9Fl6ejujNs& zC+0(Qf~xgGqiQ|fZX1!o zTDvmUV&2s5DLmD>qtT5Kody)CNhoMrtWricY^Ns(`5q|xR9ii24*s&>IgPR|bU{^N z^7Qr=jxUn4m=(ip-JD;=Ke2I+2w91)tCkUAXRR)ZRXH^NeHK)ug7;^gbn}6DO!vBAFL z6&a_Keg;_<0OMeP${l<90H@yjYS6Cv)PK}$9(ku=JT)QC)1kyTzC@+JB=C+kTM6zP zF_s3%j6+@|#BXpSgfDMvTs4-?nH>ORqOr8#ic`y;W*GxR0}cmoRV7;$uQtH9@T8<} z1dVELp=}~o1ghF9ybY<|im$@rPVM?4uId?eFv}tx0;l4_=L%F39yf1Vg*03k=^u`} zOnt{5r9`X)%G7}%*u*;UC<&|%Xs`!nW(^{n)D|r0{EPZ}%>a#n;}c9(>tT$>T_%s5 zQi<0KA+p#rY~QA)P(myZuY?w7Q3f(O-B~5e*-*y`(8Bs<9E7drO79+;{L{{LY?bX) zd}YGaLB>}tvz!j9v3I9+EYZ)8->#=X#!PYLk|Eurkv=v()^_9FHK^30*We}G(h8%bCw&KbF;Q91Z@8MN6icUB_}~}D)Q`zk=;x2z&IfaYbOomk2$qkwM>Wer5 z(aknp5s>;M3s|IAieG=pW)fiJ5Y~m1f<4o(Kob-&*E^MEf!?0)5lqkCo|Q8j|L9Wh zW-Uxyhr0!K`K=Cy5SxHyDi*2>`iJb%F#>>Q1CG9o0N9z zdgJs=4D?6MhnYR@@Fro>^yc=d*w}&gvR3VxuttrDVX+~ zX$Sh~c;5aS~!ju|6#UMH~BL#a~n!6R<*+ zwdVq+4`MIZGYSaB6N4wqf(EfC%M5}T*fE$9(Y}6Gh#5>OPXsmQ%od+=wiKYy(7UN>n8Y3 zV9c^*!@0=(Q58TboPL3nk}M-x)e{%I79o2~Gq72APP%Sc*3&}@-_aeXHVF+Yt@$Wc zy;qsaW-c$9j&OXPpM6MMk`vx7BQ(?fv`#@Fq0qS6?pZ4SyN#S8qoZkZ;76N(s9n6+ zIIyeWHJqt8YfyEcx$KV{uFX&idlu6J-vXX|n4@JqEj1nr>(omgF_qI)-+>}&EbnSE 
zPlkJ#W>K>JypD~29hTiK8+y(!3-A!~qa*g_!*CK^NrQf>`|gN6?FrmEA+D9sjZ)6V z1`*gtJJlwWrtYGT{Ww+MILdP&TK5}G+xSBqRWxm>kpVIarFcwG;9pCsy@bYr>Q2DR z8ZZouj3&uVUYrHuf^j1q>uor115#6rEp3-*V~$bwO6A4@uXmM7 zZTAl6laxuaLYfSBi=kzRMoPf<=*$vNUze-lNeWwAC z7Wl6j#+aT39SDud*?|mmjy*H7{KMueHpB40>8(rU8yyxp+EJeT35l!~Qk*h-85CC} z0ldO^!?5+QGaVOzUQ)^i3YPA(nq2t0PY;I)x}G(Qin6gvW9kts6D0sAx|B5wM}#`S zhE|+MtV9>Sf=B|`zlo?4`wQcr3eG7@;#r@9vu5`kbNp}i!h~W@_teUZyq?A0?J%$4 zrTEl@gp|+}?1!n?<{!$M7w=O6v~0Ov)?&QnctTA!?L!02$xKtywa>|{^%+OchcB@_ zow3tNW9E7`P{3U%e{kqH`_{$!VZ6HGuw}eNMMg|j0VhlW2+2RSbedL| zYucT$h@yo2VlMgY*C>9)3-aWd77tNg*qEsd@hDzVA!kW*cAi{rKR}-u!#jt1jw$Ah z!sc(0=bVwg@VN(32{HaamkePcY6kYHPWWR+{h@Mn4CO9*I8F_lC1egYAU>T6Hi^HB zF1zUdJ>I$~JnrP8i&?&woTP3Y>HsIjeb(6_1Z@T;ythn%wldbQ7h0~i$0JB>Fn?yq zUv1ETkxI!ZZwO?`m!<}$U|GlkLG7Lo4FX73(ef%>>yw0es;ujnv+|}9OyxO zdd-pi5m`aoeHsIoP#|7tlNnZ#oZ`i?&IC!vhjyUy068;MGu8;BI%rngq3T`)vMS0- zJsT!_h{G=k%fOCf+ZxQJ1BO2l;sEfTkH)FZMN*a+(lc-OHvPItXbO{Ih>Iv+aB>yxZUl-Si1^1Z;AfGeF&qO4`9++^+6?MX2yIFTGW>p+wOqy2FAhvR*~-*F*dkHi$oFs&4^ z{|KaqT&S&R+AeVt?S!w9wjeXyDa_rjZtf9J_^LS+lmZwRt!I z2H@K>h?)=2)M)Q5Jyh?Sxa+3Frkh8}03}nw!X9Ax8y-K4#21MNUA-vp3drh@1OkA~ zVW72&{1gKe*hKK$i#M`Ez8xr#RJn7+=1S-^rus2K&)s)LZ&tFUCP(6CQ{G`SMu6I$ zng2iLs!dFW3{0fBkm9V_%lA=64SwHq2OJ13;_=ai$~j>^!Sa$JOdm_dy<{@j+;Jwh z61cjqI5o!e4~n^(tpC(w9VA%bk*os#%F#IeCiJx94z~L^O~F^5%!z?Cl!97DMPe;W z?T6t&#Nh3mDzuOHzFn+V;JA(<2&tT=;|$08o%*rH=`fLrBjPF!emIc9`Gt1LVw2uQHoIzoc%mpg})_mBbA(F~bu z<~KQ#N6`i5!}q_^g74I8K91&7>cXK^3>G)b1LiuoNc8tNtCzVBj|%~80u_H&C+I9* z-3VQ(@@X4V+AwsC)LKuzhm;LKpUcng!1|Ert#Y%u>`xVr+LGtTt%g5c2gx9@4QaMP zb0ewEHGuAYGlEY{KN$XUarvu5z{`~g(e4^0BwR$#4SIPV!-GgrsKwrPPmPQkeR6E2 zp$b+um*<3UrYYzWx>cy{sYRsoA@Ru7XR;PhqX#L*26xfGu~`$0ydD{TNRIIb%9M`> zNvxHa>!OW~l^T0Iz#f=BB6`~C%a7Ws(>O98WY&E6fO&7Z1g}$}2_Z$~o8wD`Xr&K# zm?c7)k0@=F1AvHeBE#O9DFrydeg3IWgRW2iN$>%|x=;R;y1cDyVYyHx&Fm#`J0K?r zKE}bV4J>atH+k|RMugxK{NWn%$zU9M@%B(r3t~Khx>w@Vc;wiVH&De&p~r?j^gI%x z;FN*=O0^6h?HNJ z=m%&xu!2Wq`&B&LPBD~~a%76ccvmAyVOc(L05zkqZr}z&Bo=DtfzAri7|veP?LHlY 
zHGTe)gL!hE#0g?ylKSk|5_KDVS?uKmA3b-Qh&c`)`Gk({`IZs;WnOVyQ)9CW`uWH8^H1m#;#xUTCU7!_=kvdar011+WC3(N zF3tZh-DlBKNq}4h@}$H4--(+L@Zamk)cR%(NJzcx(NXm*VFh&a3Dk0qLP=N)h<=I_ zXTetVluHwrW8OfCu5oRiwX+h!0W~*Vb#r?@9G<%IQK7kG@Rt^?DU7MyDK@X+LYX&6T03yhMFk1Fl zq?@iz(dTJ`t?BA0SH5!2rG&MT3$X;&8YxEJs3uQk;q4>0wlvrn_9Qj1_o!FMfMU~y z9n8hxEKh$%HgKOFiaC5kgK@zlJ#+!4W`&Prj`FF6(+*jle)5GD&x(FFk?>X3D_-T*fL|2&YTL6=P(qojwR;(q)W!Ue4&5#XQ9$dCa@aq6uv=;H90$F3TAUMy_XlCBf#VolnV~)!(bZPASp@1aEOXGo~{+7{f_vN_a)=>oG z7RcuH#i3u`j7K?01gt!g^ZafU%>e!!hT9Met>hrjL3VoO+;r=Qf*Wl;AHoV$q$dh2 z1)Q<-jInV&~oQI!L(ln)K5WwHI=q6&^G>+6BMy;7ZPq&ZySo<{T*vop3vgvaK=~?Uovnj+5?&mZ72}nV) z3pN9RSTfI_)iMJX=UetPN6xd#2``|js&;a!*{wm9_JznOxFP%9Fe-UO#dd&wtJ|an zOm_4x)Ke3^q`)?GUC$T*iq<0-K!N3mUFbf>NHNl>1HnGfbfp~eg*^@uoK1EltP&8m z?w-2vK#)^!9X%*3?OAhk+zcK&=`|V@;2>|Br?80bZ!>jJ0VlpZw<>u#oY zeI7JIR18mLcfk0^1(R7#ZeDI6#`gujVh^Ww0zQv2mdh?3EKGGWlf;X`-yUizXb1`N zVT{V|MV?|;naI4W#axu^^k}_nFYR~bUA|1c!=r`*Qs-EYszd>)bY4w3b^gPnvOP$b zc0%lSVvu!^M*Mg}jjM0gY_-#m#A{r0%`hixpF1bbe4QKc_*g>Qw0 ztCuG+GGo+LvQ85(!96W<>4!Nv66ZtdKt0MqP`bxp4eZ(if==jATj?>o;Qsu8f8#>F z+l+-0GMmJUJJof9lb8je^KVs`*DSW%0C*mQQ*zN#%mGeW5D+nthl+IUQBfWjq~DHW zd(6?)*RotkLs`J@A<*<#M{UIwOGkU-DjMn>wFDtj>ZmwH~9gW@70jHlC-H zqf{FE;a3o}9g`Oeo2t ziDR=>W}}O&5`1QU<&Auz>Ki!O(m1)hX!9S&77zjzVN&PNP5Ht)IT<^7S3vMaf`5;N z64jSkI>-)`^G!RHh;2W7=x1H&=OKjx9G5n$bfC^V41fN`kEUNC%oUV#K(<#V)dZ)% zG9mL9Oxs=8*7}D>sD^;pA>SM<9xV&)zm;1Gadx%?Y5}8f4}}nvUKRNC!O$% za)$DSqjAEv0&>3!YF_MBdr*Zd;S>-&kAUDRqt;k?`g@+EtKNI_P??14Z<(MRDq2Aa`qls>{0w*d5OW0zt>7!wLW8_q4D0!U7dUg80 zzhI!OVEm(+Xbmhb%gIc9+@f-Qc<}{4>T%%tqCkFvdrMCo!^ryk{%sF)v?q539X$d_ zks!fV-ZiTE_bgQoViwbstq2IaC+f%UOE|kXLpTikD&>@xte@yH#q7O+KBaMzA@C0g zd&q}>SQy{}h7g=WYK3yn&A_Nw)%9DZOxRTWNAak+Z_>IhPqwF4_=KA>^}yb@5-)0}B4glKaXoO?=J&e&@IumEiz8tQOg#MNZ#F%c7Wph*F?d&uZ-C1Jkpuy20U8emG9 zQ%nWE=_gzNjKk(X0m#`iWs${Ml1JH(l2rYhrZFHjLFGHYE`Ez!3o5VaKt*n^GdhX~ zd^6Ywn?^usJz5cp5gukk_O!I#0$9E*;Z0frYO zD**05dE`gUd%M=bzrss3#+=#pmxrD32uh_8Z489*Su;N^R^yqj=#80f1^kK_AsTkX 
zO_$Yu;#*_FuNnYn7612jw*0@RN9X_OPW}rKqdh+E_o~Do?DGm?^oS-mL@FEMi%*u= z*;4CrzU?je&3f=@Uj85ea;ca96-mv(`a0T(L-zJX$g16FyR3Z3<>|5l=bA>rsjd0o zie&uDm^QA)1J)wM(cLX|+k#BN<>2!qduD1SEon!%qkP-9e{lXd*+pIqHEiQY)mni*ux5F4{oCN0OLXRPi^fDA8RTQF0ZH^eP z5qK!RE16??AXX`X!J7FKTvy*44DWyQy$@?h-o?wC^S1$m!JmH<6AUQ7`TcKbyX@}` zS884UnAQlgWm0@*ArjuSdM3ktu`Li*{cYJv7=5M8a>Q;Cf#V3SQ(Yp(BjT z+gA#-`QU68pX#D0ry1@)A-`)Grg=z0US}zW)8kYT6QAlBi@Cf3(jOTS#vt**PrK^p zK0}UkgdM)^`nc0THfV-wyveFSsxE5M)jw-huj2Rb2sW+X0j_wmPsuY$n$xW0|0#@{ z-TKNU>}hF{Flh6GK!l$iHgF%7vgR~8ebHBwB!_WBKPr!b7zc7X;@busevE$FayH;y z7HJj#DoRs!l!FchU}7NQOP6+m+Wz-DxHvsmH)K1Iik!Zw%tPP)YxJ$r$_ZE-2xJD> zL?CG%&UBd?-#WCO+|u0*fxOKB*3BjVeaLTZS68=imfV%W`5MxmiPOc)o?8AorWK`8 zs$Y-D=j`~j<&P_Em9xc}FG;(-LfeFzX6!LJ(WU5Md!N+;FDVf-pIXhFKQ30x4qHnW zw+Q{HEns1gkB?TPO#8*=B&e3xv&NHcEZolT0r@daJ$p|7S?2L?U0x?5WQ0woj-o<0 znYpTnEj`Ki3c9H8YLVM)7Uu41%p$TU300>`DL26Oy7qkE*Q=W%CQ}L_S6ojvF;gET zz1KUJ>tt5n@IPDwM%|hp>TjwhDLD!~Hgyg)92Y$4mpJN+Nd9B`8HMc8|nRrXuHYVUu0Vx9ZMw52HkVapx&x`Fxs-K?SH6BZQ~Do){TOONy5-!v}6y2IXals%bkXQ^-SIovJnPJ~WQ?!P}q001}Qnb7Gcff~@ zUJid}P#75UAl2-cf!^9@X5U(nF+)|^xs|{K>$<-t(HAT3sO>V-AP||~pY498SNO_Q zZMWYewrzt3%Wh?^u6O5P31KtjNz`}XT^-dma~1Wd*1{hK3HI|0ulh0%w5#_s)1h3_ zg}YJ1_w}oLB_4{L3h5Kk7payAzSes-M(;q0^7C%LJfta?3ky~{yes1fE6qNqAnS21 z@ix1JXmK z3-QY_^hyIu-UL@$)^OI2qkilTz1@duwH_OlSI=gy_Tz10?#9NOGBiFacjH9z=iJ=S zRz5&9&`3ATu$`#=FQ<+c4>Ht_vJ4CEB@rB5?Q)6Lqy4RI6UZaOVO=QiiqU-+;%h4j zUV*ld@K@iM5s>;|w7%ZqiJpmEH&j(YM%;HnI zNB%Bb!Q(RvQ_gTK%v7)ejdad8C%>Tf;cTk^=N^?6*!3Lu2mL!+5h4?8XUUpp#D=Ai zrisEM!hRuZ>D|Fni5o=}vkKiTVU_6+2;6%Y1N;q4nj0DvdpF|@NY^zTEcaB1c)yJ74 z+#e1Pr%bTn7Y@3%AA`8@<{9W+>Xqp659x8)zQAS|HynpFdVcFV4HtUpake+rxCO~* z9xdZll-Z#+?E~_xE<{tA$3g>663{(H&uif@2(OXzd)m%)=EIm(_)#bm*+*UKD zFzmDON(v=^PUHwwQ|Z6M_t=Rmm9O6@B|Nh7%4>==rPX*dZ`gWh-j;gLTPRbt3v!zH zL(4pbO$t^XCZ5%2C(x<>-32S%)Cb*p`>RH_=&?}gX8x!nMC{bd;7Ygi6Hexs506qV z)yh3iOmbaN&m*9aGG4el2Xp4BN+s9KExpc89DI=yBQ>R}hhsG!q_lYi*~~26!x6eZ zb3p_pzgsD-R9*ZPXQVYyZWEI^?1;Xau%tx#9%}4>XGD(LX5t;Zh=KXS)O~J@OOA`Y zS}sNyeP5yrnh$1^*;GnL 
z@jT5Pd+zg)ZkwluZ^3BzKu?!(q4IyaILzovD|Wz; z8`MCp;B zO_1lNKfxtpQjMS`NLN#DYKFac#7OX)?-dpnK5z17oUgT7FVC zY1To-JFbbu?wXW;Y%2P!3>HU-}qQZZ)18FS| z@i6tBR&RLDH~U&^NDH~)1FY^TzB+*|f4VJb+qn4oX4zLybl-BlI&tyKt;X9@NG~K}D66hi_);Ofu(JWjy_epn z$(+U*nUBB-Rzyr+*kZLNCL?G!c9qDYSKA@J{4HP6T}9H?;Rih6`SIJF4)iZ4jzq_F zM?&S~C0`eyaq#5J39?S7bCJtY?Bza9ZJnKfxRq}G#+Tj0TEK4A{FYP$iDMZSs5Vg17WI~#% zAhOFe7bkP_6N#bzD}5vh4LH3cSr)py+LnydZR^!UBK%iw)|28T>Q`@Qh(qf5Vea@! z6Ov~Ul2BHFR6X&1`CTGsD-UhVdh&G9I5z{~$$vIIQ82S!yuUuQfzN3viSi29RxN>; zo_`!H4q=3P(i%$ou7T&V6srGaiMAAzZbj|;=E3L4_u`kBK zAG3+*4S{LYtStJRI#`JHDh;Fte+0jAL&cAi!bx43#~N!>>$Ub}a92h!Rv0Un#!1Fd zKjJ1%qkosy&ZhD!J5KlAYN2?4nK=}Z>TrFFdHW+Y44dlL$J)?o-fo39HyXu1hAEL{ ziYcT(nX4MaHXqa16V@<9{~j$4kM-Yq*5~3DZc%U;%1-Bc;Q`WTO0yPPc#4^VS2wHd zHR0y#*cb0X_lY=NnQ=(bH;g7v*8&KEK*Tngh(^%%Im4CSWhAxKUD-?St2}j9aEtei zNb=j|UpXDOuQx0gaJ9p6XHP^MAJ_Sn^{ z@8=*126&ta-J|br0P^l`*q3fb(2biGHaV%A`wy+J_?>44+vE&tjdXIP9Tgl(xlCvY zfo{>D`nIf!$U@=0SC4onlqSC!;>pUEDPek4*exl%&KD!#XaiwBB>}2@JRE(1oaWZr z9aSt-zWbHYh;wW3Qct5_db9qp4lzVvE%+Gf=82^b6U=~gUWhjj*|&hQ6I&6MfUfGa zNs$aFK#r#jG6v*Xzljm$8opaTg{-N4*cn>F4SwAx+M!|P%Y2D-z=Csauvfh%eRc)* zu`;NH+6#vm>hRv5j5K~&flOfp+3FeLaT*oRJaIN~hT#Zz@V0O22LPgN#?42PYN_^E zGQFeiGaRhE%CJeyz*^H0KC}7MPN9D>ZHio?savO%$!MXrIgeD9f*G`hNRUryZSRk# zccdMHxjn@e;f(3G#Mgn`RZM*%%k>C`R0vq=Nh2whAOlXyU68EuN(pLJk0NBt#=KM!0lW56w3_Y+_vGK} zC-IEW&Tz9PZFb2cfRHH7Tj^o!|3zkX89kdyj+3d#4maHiyJ1}&zgaVDi_Q?4^ugQZ zx(mLX5hQt)yaL^l_Z?;0{?8B}cOe;-TipyRZQ$+J8@Qre{J;aPSFiW?)5nvInr}ZV z$jur&>6ZC&paDDTip=`EMGUPJ?$F(rV|ro!ZY^!$>U{;{D(QH%3Dj$)A*T~vQuapl zyYMm(c4VOf3XMiQBnEGFqN)AU`J{-H@>4xsBlIh}v#-7A1!a|e7fx436mcvGeS^wg z#b}A`ce>43r_`8Jd1qPm<#+6)!Rn>89$hJ#zP%*R(ZR0&CXE+0>l|)m$~(!&cZ3P2 z%)OjRSnVI>yHr&+Q6)!tdbz`gOo6mq&#}W4>QN}Y#;kg~!Lpn%YyplaUW6RKJkuR4 zTZLO;kI&C6snB5kx=bN3vf7t(ep|_6(@ za)`n#Qaj#iOK+4btT3?7**b($PjS(~*6l&_5 zgg3UW|13;upTC{-+c*Jey{%^U5-&V5E2c+11X{{)<^^S3qG+W@i37Pb+WtBeG@nO| zvQqU_%PcgBglwBH@b3--DT{DEweD$a+XF7Mw)1q&uG)xk0`6wAkQIdaBI6bwf6Xt+ 
zfcN*CZU4SG%huTW5((5lGa^BOSrrz}>NtHBXFG-AN|$>l*n(sh=Z%gh-aE9Cfxtek zz(Dw3H5X?Ai&a#XI8_2A;KE}VK~91S{>7vrr!6Me{FG+v2kd?uacL#dUNcB8T!pPF zroojibY{ZM?=>o8+-Tr(MwvtS?yE$l3_k+@GddpWA*QMvC#=?IOCFdHeLcWthyRp` z6LC;Tn_s_|(BjYQp9H*c)rmsVvgsHGN2Gt5XED?ovs@{!JYY^m`D?|v?$lknykZm` z4RvU=Zw@3Nm&JJ!NzDJ*Ky@9Te<}A)2c=%~_oSrH1npZEUV^>y_thK^Mw0_28nKly zC!G8&nnLP4;fgYZV@nPiyHZFQx!1IQ0;s}kCj2_?G|6`Hj!E5L*{^Mh+|P}6SV05s zm}tYu3mySH*?8Py*ZOG;^`CYQp|8rcHD3x>c03w~F55@Oa{Fz#=~&!ZL?f5BrUC;- z$ncYj6GoSkhSYAOPWVgx!fS<>Lqzz@Qiv=USF$>9wzw_UK5?`6mu7OkHS7yKDUoQ` zS_WtJRo!BQ>W35)WU=#?;9`+Cpdfj4np@0e$>YZ9a?b|($rIkkqBnMqTuu)t;=|w$ zM2|sS)~_iM+w@XFqVbbp(Sj=mU3A?=GvV%UlGkcv^0{0;Ex$!+$dB)?@h9wU6hpW% zE4YiXQYhnzQ{H>#Zk8Htr7B^cq-IZ7`Bjk_XCUq`z&KzlZ{aQ0T$>FlB%O;zt1wcyK2!+5__#G5VqBs;IzN68K1 zz-V1sdMWUs%aUGK!+qOH61G@dB7rZZD&h%dzu65sLi0W&G!y*pBbxmreqZ4@9KyUw z5ZN3#O6Y5tsdy5sjSBRtL%0tWJCnFgL`buN62A!u9<{n~tFf(`LU9lkFzc13t zOEZ|ELNC$6S8eFc`ugtl5pU1IMkr-K^*WJ68|{eSsQt<82IZZ{elx*BQ>qoz%f`8d z4bA+8v=)iF&|I-Q#bt>u#AL2Seoe)Q7?Fy^lW~JUUhxAK$`KE>NvRIiqjbm{5P%KGVwo&PqM2gy^I)tKm z%I%rhev3qNq)WF9x1!Vdm4lXtHlq5ma?xsj+g^DPxV+!FYNWP3@|0I7df8V}S&B4; zCfee(J~A=OuV3xTP z@OHbwzUlpvw`x+xpi))Eb>PUyK%Eop?63^w5Y*_^`!HADsquc(PkrbNuTBZ72i?m) zRb<(#b3O&SUEsk_^_eur*Ugefvow`51tT&=BGM@v+ViO|FKCtEf@o`K`;b|*DBdjd zu_y1#u+{nVBitV^;}6j$@e$YjR_X+l1&32U?M5^d#ts2iL{DPWj{akeTu|6^BiDMv zK>OFftbVQkq|y!5+(^xt%06fC$b$O~CGwPx4Oa#;3;S4pTMD>1 z;lzt+JM|$+JEZ*fOul;bkhscbMHMuqxL4^(BEv_@-?a^GCkt~aL6SDD1+bu7B-gD$ zRzW}!PROQMKG{{U68xN1vXN4T_G4yqm0q$JVZogz!;Y#<9WWNDKo5KDNK2Tnucy0W zRG)R)6jFz*p!OIGoGFDQe2MppeT!Iz&Q|STh{)?a8guIn8h1aqI*d2RsvJIDnQH9j zaNlqCK`0IGw?%J5f=;@LLcl#NBd!2NXmNUC*o!0J*4#WTE=y46OVGso3~a4D`fBw0 zx$W%LYOB@iDxr_m2XuyyFVxMqoiw4%vgE2eH5O7fB%EjR)We>xxaV2JJ{xGL?mbso z>MZ|wp_B;qvM{X+b$e9%X;0jTpI$(;P_6F9YNmd&~ix~B}v`Z*?3W;{IutS~| zd;wQ`9rXK{zOr5S0(=7<3n@z6QtC(X=cc*Iu+zoCNeUx zJu=+pMCFOT?pw0Z#{d@t$_Kablr<2e4zQ|L`wKd$UizzZ1uN( zQwT9|WvWO!pr6Q7IO}-jbhx$vY#hAFFKnrY4;&-!wq4%>*L4WDxcfFP96k|KH|EfF 
zaw+~2wG}tRf2yfHpAq_BaD9In915w{SnHoSZsI&zsOQy6GvG@0(n(LDd28reLy7o_ zhakYL5a;@BOS_A;pWWMl%bnmP6{7DKW(b74&~2f0TH)|@EI9Bs-ZsfD7| zlGLX+B-LfS3SL=4dy1j_LiGD^+7+me``0&WXs)UEPm-S%H2L45kIqta0uj$FsrOD7 ziSGy>iB?-;s2cf_)Y9#~$fqEt#(vR}h~BW3&Dy_22Dn@=UZWk(mu!U9KH*3>Q)n zFSD^B@DHs~6BrdG7hKbyI2MK_c$hR07^>hGj&@-33rQj%il#<_--ijRcYQyX-*W~1Y5MYYzmM{3#ngi4&Y>jp z+4?T>*eut7bZIPNP2mQ}Ih(+;?JVtUQX^+;{gh}7dd$iw7)S=hi zXeGm=A;*+d;u};T+8AFpUSW9Gb}o3f0o^ZZEUIP~>Xr9dHEPR$Q3;j}rG!-G=SJ^U z_?P}hmv@baoO3KpaD9xBLYerPxnS!6$E|y4U%M{0g~F%V(F(9pNpeYVQ!GQ8(o;+G zg+KH7j0zfyhG-b1S6kWE3!>uOyqw*doLzef4m;(bdLS@JDRcO$>@4t>Ne(BG zulsGeoKZ0%yCkF@Hl5s(_#mRI*2sD|Xh;6>*YU;9k^i21=~~r9a9|UijUT|SibGqC z_wBkKf)8>i%P&~45c;Qy_LAmeP0Y1|wuJcA_7}6~1AU5@nN~q;J%WrpG;&>h+)SPLV#TP{4K5AtF=tozk<>tOoQ7T6|n4uhY6j#*SxqGc_!< z>Zq!BYL=zuk>mP2p3PVP?G%o_6p_6u(EgYbHh0-9<#VBv?lthHaVbmtVU+)X%2Vf)GL%b>J`X_@E-CmoAh#G>`k} z&ijDFvxddXN|1g-WTytOou#F`TlGQ?QqhGpKRd5_S+2UJer@Fd@3ZTQXZ<Cs)*rG!VR5ecFstc+Q zwnWS(U)Wpfi7jnOywzbLUWP4OD-Q2@1k)?gmNzR@-Wk`s!^8UpdceYYuk?R3%aVst zWKuD~HQEAd8tF}wpXA+KDPDHVYKup$eWW36VUi6KTIyvBG?!M7zAfhn5_xbvB7C}^ zdudQeX~sRx!aY?|?#X4URN1R`+s|{9kCR=eN#wC$qToCCi6zmaarC!@a*R3m0ZV0j z0zxk+3hpT(qSEnPw#*r}0MiJ=jFunTNP$7}k5k5OMjG7FG$9wK79VNR7kTjS{cg=3 zYU!8?M$3$s;Oebl0VSM1mS{=AnGa~*tY1cBGOXB%ET{$D`f-`6?>Y#Cd?6>e2VK3p zV`fYSH#7@2#=fd%q~)LT#F(;V=Ii~6Wg@vZQI^VYy;l=)2a6Dk=9z)Ti^;xSN}GGh z*(hR&Hc0>$VC5a-C|6FgrQ7{oFEU&xBvf@aUxD(TxXmg7A53L?AxBDDmx_&w7;6mJ z@hTD<8dNVl+C-QMqXp6^X4Pe_1X0zW*16-NT;S6SJ0`?PwAz36SMA{C<8wj2GUL{= zmV2&73;v=?C0`Fb{oE6W6B@F1;EL1csw&suKH=w5z<{?sHNAZ_(~?);chZq}P1}g| z99=UC)#r7#;t%gAK$0@5`^sF*tDL>fprrmdRB+B|+nY)aUPZ&7bVEmGEz8Qn(#gQk zrW{=N8&3=1ntCGo=BnPRmVAf%v|c|7pc6<3%{552wmdtw_RYZZv|8Otx#DOc4~G1l z&e-b9mUvc?8s4k|;Y`C}PW8b)fpa{i zH;20BLP`ZxB#L4w2<8>#_|1BARya0Y==HytziDB3ucBB1IZO0N~u{4iJstZ)dx7RS=`{k&vY%qdKKU4?I2PbKXomoxpXB3x3I{Ql*@z1?A)Li>Kj;gO{YC0gKF(p z2Q+bxunLSgqLVf`e+j1UJvbQbc(Ko3BYQ2q5NU~{i&_$uEza5)~W zDzuo22S<){SOMCiUeg?rcrWRDz6i@GBo+hd1z<@Md2;!MRUeEeOnv~fIe%Ta#{}>l4F=^&Q*t-*dbw>WAM3dq5{^sKL 
zkLfaY!!8ntMD;ldh9~nrS22V%Jrheodmnw07_4q55$pl;VOhyc5F#({f3wz~abeA% z!{60jWKg#BP<2a?rAQfeXWO=B_HhToX6tpz$9HZEwEVLvpZjFhQT|IB&jizKdgCF^ zhi|8537I%tN7|reJrCdTlDUCA*4wu-a}qJEqm7-5H50xb zS&A3=>(Z9Pm(LI{@VV;9_$gM-(&lzVI%cunV-^6 z;o|2?l@k=?x~pxWoV#bg5s$^>2zAa`tiJtLr{JcJI-*~r@6mr+9V&5}E={)dat(Sc zr6i)f+=wToieR36f1}D_lQPHqJxTq2Th#ZH`%zv+#io`MlqHr4(n(_^Cio>rXg^M3 zUZYZa7cERwox%u2j2!vQ=GA5&Y25b{YaO?uZ@uO5oRoT%96->!_x0HA44x;0CyFrR zn%w&rJXygRr<|}2TTJ9KpAs%d3Ekm^ z?+tg@1M}}2xCUFG8Si|2XlYwzf`QN}M@$NAK{B9bMU9xM47u2G%A>5p&M1jtBPqD< z&s9&zK?XXNTL0c)ROfz)=Wt(c>X|KOK56&4(qU65VadBTjANA%&uYQMWrgLr$jB|1 zHYB_vkLjeV{X^;L2dn8l4>C^M87q#uHW2JvxbRv z{eJi5lWkkIS_&QnG?M^bn4~-kXd%sqYF~hYS&C8{NH5^p76R2}IZ6E>wR0Aps=S5g zu8Ha!1^v$DcGgfP)Gn5xLlrLLvzu@ztbQSC?ou{2&yX*b#SKK7 zUct2}wov9W>Prhq7hXyKLibLtI3IdQyOMB7~x$`hW~+eB-0R7a^Oc0JuuQ?}o- zklIlg7^#j)jm3$JY z^Uv@EKPE$aV7N%4Pr_&=RZ!A@{CJN`JEJsvw@a||zxnLYPM|3410pdY|Q#f2R5 z8v-Ob2+;lmW_Q6Xp(yIWF9dv_g{JWv0`_nakcD;r4FP8W0yOdT-(YFRfn^jU<2P9T z1z@>iOsx0~miqxLCH_|ymC#FPO)Ep+-FoM7XsLwC{qZY{+kOpUUjk#8-D6SYt`gRf z*g}3|&zKy7L41qfVreXh=q&<*l53T3^tiu4eB(`nb?_H!F7_$g6>!~m_&%hHP474r z9}Kch#ANm~hGAE;V_kO~l$?V!+vYcjR@b&Iz?Ux&11}M`)7OiXe(jnksWK}8WF|yK z#?SNAvK#v|MWTcn!CbFUsXBq|IQ?UA_;~e9ZMajz{QdP6>v=S5PixeOe_Zwmk-56b zoTlMzzy4**?7^P4g)2!rKAsH)%D=RBTBAYckK0>3U4t~a9zycR!N!}dD>HD{myYlF zrR0l;lSuL>wt1_q4MJBKdTtsL6HM%?GiU?(^qbzl(u+(cRY*xR-V?IQpmIifh?W@s zg@I#&RvEY#p^$vi8~fGfaVuiW#ezRBI4^kl+XY9y&EOV01S?m9 zu_#g&HecCd^e9S}{hqiohfKIseLN=nXujoIpL5uJL+Q|?5A*sjOe;`|m->Ea++uDBVVVt|Kx>E1+u+p|(+%pi7fRtEB@bZ9j?K)P&|jK*Luf_NYME zdX~%R3;AuT~az ztX;=kL>^+y8vaxO* z;*AQMutaEN?4h|;+P*opzMZE=*rnz7Lk-IpV4>WQk5^gEAq|J3t=2QCvIjxWPD1=X zSE2QBvL+1u6ybwjRypU56E&R!K z2@7fA@31L|hKvp7+Ni2iEHdo!X2>bQ|KXDG%aPRgBGuaY<=1O9A%Vt!iWk)!u-4#= zTN|+S>nrC zKEQ1V}@8v-3YmPdS_+aPaUb&VUMRhbh z933-3yY6Jd8#p+>SVXS|%bJraESO*%ILn#$;@^J^dT*cW(8*B#*-)l6&6c_A+T~NJ zg?7%?2cCmp0{%ltqOhGX6cFN`3v*2sg=CoCJ=|sp&!2;}?jv7L`jqN+qgE62DaQTz zC3+vZAADJ4TPnM@n06E*2sHGUV)-d(;mc*;C?`Yyf>ix^W6VDCqohyP2Q(c*`?ijZ zh4}Izg&gL3?qv+o0`q 
zT$)e~V7PjUCcpiE9#H6PuIc4cFIOR~+M5fY{nYKx`NYoVZcUqvRE@e0j#GQT)rkH7 zJkz~>l5e|V?CImxTs4RCw7e*3!pg4&Fe`Z@%r6TO4?UEG^ZH}MF`oLxToPr~E>rMxSRYAV^*Q4|~kB7+)mNYf1h0?I5x zKqlKKI3OqrLTn?mVGseCLFhDt2z`|Rg2bRQ4@Mw}K!T!z1e1tBAQ6I~2EhmdNeCh2 z7Pr^C*Vw<_pSRXqFYEluIdy8E+Pi9h`>Var`K@O#4D&(s^5TSX<8igyrmBp8FjP5e zml^QDz=|g5Mdmc42&8Ov6w#R7wEY~>NP^9$FUXI6yF}2ip8U=xC zoEUmoO7S<0(z=!Evtm}?uL$*br|{4l+ddg|TCKHcyZ6z-km3|P7`I&0f22BWbNSnSDOqyO2 z6*Q1h67cn1by`!lz9g@HVhr)yBuAB9$M?V_gmetf=AuL$hKf=v-y~f3$n@p-a4e;T zayg!LL*4jx4DdHOI=;vH$1kQcVs1oTGg8Ulpjz7ZP*OJ7_wHdc4*sf@>Z_WwQrmgp(gjm1${IAg=SspQ(34+mPV@+*R+Z3%8h;L%lSC% zurp)=Jjz@CyRd3PP=KGpOPsJ}aQTM(?}?!k()zJZ>wZN0xLE4z;ds6;+zVK!Px{<* zJ)PoB_p@K?4Qa_OpdjQOX}by^^kKFU+T?8}^{^&pbR6rR1H52p?e0`!;w)Owo;m%p;im1~ zxcKen{W-=YY7h<8C@RBGKc&;E#KH!42S3V$&0e-{tjCST%nr&)5+P7&WfZ`5DfR{o zb5-AA&3(5$Fw+J&Zt4qotYsIwDn3zui=DyIt(uJ~OA!|Jc*sxJy->k*Pfv-Mbmuz0 zRdkP+tV9>2a!nn*Hi4J zfMED7Telvy49)pTzS){d;M05$0;{Q@@DTGxac%W&)Pt5u-g4s{|CDR^(ciRZUcr6+ zwVcXD+329ACa3a#2IgAI33e=)m!1K*XjRO$auv~wi07t0ibf_ZUzVT^W5DB_pbTEG zwisLb2K%GG>StcGYbmTCfL4I=i3Jk+NeHHeIgkoR&de# z_NnxxR?ty52yk8BH7|l-L^pe!jo)Y=s?kReygk`IFVdGuG`jLS+$U$ix+-vj^SA~o zcE;51k!grLbS}8c)=ymABOE@;jkvVOp0WN9X*5-yQr@96D4!|@}$`BV7P5nyU4fdF;#PqnNWHn=~6RmgY9I>v`rVt+pF?~TniN^@&%1ebi zOnzN@Hz#6wM|saNxNAMjLn@j3>KC!s;qEoX=Fpm zchN_N>P)l7ws^Gv5XlU#9<%e!cGJQ9pouv@e`PjH?c#@?8cmQ!igV2_;x(XU zz0~JF_;u6$gD0A~;g}`yYt+DbFqd8xJv2hcZc*EA{5_5?xVgThx9DzJ{K#7~6otn# z=-B#nfOuEW_ky7(^buz?{*GgBpn$^W;SZMO;+@ogfvz>I!H1srXZ7)O-cwIZ7^>vF zUXSqjOCV14l;ELw`4Bvp=oQpPG&>A?GP0jWJg?LE)JHznquC1C;@}+&w)ytd;_v*~ z2*iWl8si`u+>n**oBQVVDiqn-i%eqT&tYHDwgzAy>${+!;O54XUgCr43q)61Z`5Wb z$Av3-J`1JAdm{3JKCkaRc20fU$KFsK*~M`lG;)j=*^Wp_zuLBgo=xV&GM|d@@X}ny z8}AN!*fTmw2e;~$@#ERss91~=qW*d%{ygdio`$P0X40$MsCq&e(QAs{*tqJXy!T}Z zA*sCIpk=Fw0nu6>vA$U;cIHNOHa6m2MRVO;mbG7CU0K3clX=7|oMTb_9g93CO=9xt z;ixZc$aZz<2aqqZ(<|6Y^QfGr^;&M!c~&ywvykwqEEs3*H2tMIlIY&r#PK+GM*UD$ zF8=I3u5-oq>vhPcqUB*)P;Q}ycGr0gc3!e$!Z0Z$c;ZjYwJZx@ zw<6(~+SJK-G+jv)+%kX<%EZ}!i6qJqQl+%j3=~__sHA 
zUs!w#SMhKS2O3V^&7BU8)wd@f=ZV}U==L9c7y#S`tEdJtc(letrVqqy1sFV7b^ILk ze&=ieHz`(u&VcFFY`YJ0Z(}v7)_Vp*R2d#Nly~%> z<=3i*L*ti=9B;7&k6$i~_&nTPe}hRQaXmU~^{L98X!5Qw>cUPQM%%)*cDeS0U!lij zow%AyyHE0Cah$omDJZhLEBhut%A73Vd0b{Mif)lPuH=-^t{+#V?%tOB!?k%`>W`+v zo%Id1)6`CN+_nguxpG)R$n3TELKSiFRMU@&wLkHeNrJDN{x~d!$TNq zMj||QUKd34*WdDPfwIp4syMV%x;u@u4PXJhvhQt6>qyb4KlK}Nt!LQlFm8C3euudm zpdX8Lr0n9}`VzZTYl54X{6(e`{sgdYCu}c^Kk|5hAW$gq!0bH|fAsJ88X$Rep{Yvp z(Nu?U$1^I)u83o?t&zyX+Uikf>A1>AF_*Y@|K=^cR8xWqQa&~i zKA%IG=^yV8ni5`ugxX0z$$_*ZENsKnio>xvx}y#|XkLr&BnIvD7&!j7pkViAhu`zP zOiVok7+`%%haD9Vpln4DnN>?kP~;3GK#&6fqI1me3opX^S@A#yP9kd=5?UhNJBTge zWd^6rH9_b4@lkmosMMSE!tAAP7BS}hK3fz6R%JlCiAGwtrr_(N){)x0DRob?kS+$< ztPP5sev|{y`Ry{0V`P zeacP~{Rg$2re|YXJZeKgoAB(LFR||_O7GozzN}6%*7_lCb;}q!f^zD2{Cp?c#82xj zz2_bv8+g=e0AuzZX&spxf{Z#y4fu91MOBUKLp*>w?H=%lj)gy~DsJyGii6M{rENT= zTxAutHt$8@0q;~t*E;scI6!!0(lcXSymLL|Q-=Irr3d=|3_q9rBhie-?*HJ?AuX{=$s zn2ip*v7d1+94nq`Hh}C$NySRLw>mrkUX(|*%E-|!Ue(_MMfPAb3QqBs&VDs=-3Xx; zN$KyEtjl|A?9|j*%=8qp9=Z$iPDW}1-c%^*wcnd5pmSuBjHQ9s7F)L`)377h_cBRx zKS>S4X$YbeqHhkO&$@d|9dArBC9*{dP%l)sl`g=_Ltw3ucBL?|to+}&k?>yxg{X%uer8j{Rr~ZGx;G9G@pVfpq`K&+2EBh@iwH@gJs(DAG$8{X%SmE%&tON0TP@;vsuWDP~@c_kK@}n9{rA&Zr&w) zLreUYwM!x=S!N{)-6N`3=;`OsuX~r@(QHI-%thb|WjeJ}bBR|NR@iD3%nQ-w>%6C2Ck1 PiT`pu=1^;Q{@OnQLg5xt literal 0 HcmV?d00001 
diff --git a/aws-gov/img/Isolated - VPC Resource Map Example.png b/aws-gov/img/Isolated - VPC Resource Map Example.png new file mode 100644 index 0000000000000000000000000000000000000000..efdb5ec62e567ff4fc765bcf6b700c1243d697f4 GIT binary patch literal 103357 zcmeFZcT`l%(g%u)ilCy1AR;+uLCIl|oO6y!kT~Qt3@`?QhyoHNClQH5PD2ooEIAAr z$#EFs3~AtPJm-G*uJ60Yzu#NyxfYAf-qlsz)z#J2Rlhb=Lrwk`;X^_^JiJ?q3Nl)F zc-Lt0@Gd10Tm#;yRv1(Of4s1hmex>|mZsHkbAD;(XpM)*`pGjAq#&h9+SaHa{OR^p zI{drNgqMk+H&kyiTS>jP8%RSz_;01cyP-Vvwzgo~u!nD$L(};m4?JB0ejWlpcz9Q$ zg7K~cze#`}ne@y5`g)Bv{mQ?dFC|?NKGT*~R0Mu&Te?|WJGt9BdknJ6B?GLGb~*+g z2C6C|md;@A7go*|*4#c|my0HNVm>0kBiP#G1+5R*(aBxJN1XmQg$VF`@tTL8_BV-# zgE+l`ss^pJvzs-o0QY0=$Mh0}w6wHhZdNZvv}EM|ZVvn=P@4-A0HP$!Q~Ed@_6CH<>b!r7n6VSk+F8SbhC5uuyb~zz2N)8!r9Y9 zoSyzd(Et4VtDn|BcK?>-p4Q1@WfO-HK z5>I(~#eUQOpD+KG_#Z6|{@s$7UqI+ToBqeA|J_vA-P%ps84Squkofo1{N4CJKmOfN zjOSwL|DlS%^!)oRplAs~F`oaKGzr4ag(eC-JV`u7nP)mamo`(bChO=@hL~$b-f1F> zyu+)(*h+TQSVu90D3wDO3_D4fMu$vmZUNTy`eWGl#PhSVk$nBhyjTu!(8=V3AdH2jU%uEqeA?oM8~tVl z&ht~mz#@~}VU&bwip^4H2Ltw9%zY!~vmopYwy}FHp%>w?HmFx*BFv#nvhq=-j0r>_ z`Fx1E*th4QaiwEIp;3i>7Tz;xiDsP~_2tWVSl{5=^1T10oS|^Bnh2vm)M6#M z=+7<5bOSb8t5%~1zoT2PLX9u{#Fz&Gr)h2Z7*x97%u%FKKa~`C=K}B$cm&P{O^1!6L*>v_9~E)kG=UoIza#of{hxRARMf`@87p8IKf;jl<$FBoXnK2UpezcpSp z;o{vQ(31jam}SD=o|*#CTr!=Ngf-mL*_G2>(+?YS<3dOP0cm?}l~9~82pw2{(b>`K zuPriOvFhdxA3tvr|LqHDrP75)>sw2H-d)_h&=_kR{(H-5<44^loUliv4=>mR{w;~2 zV>}3$ZVg5PQlhIefaSc$=OnyzF=TCejYk_Z^9IYRYl5w102@k{*YgHgvUWb_%JHqP4u(OKvhzJo}^X zxbty$ncvjc@#CB0jl`T}316?msEvuR*>BBuc*F`ZEy)1F-vA zvUU>uNvU|RB>{=FO&7-hkD3Rzmb*Zd!W(0Cv5@|Gk|b#XiILAQto{!~ZNOxAJW%3$ z^Uv}C2LJChFQpKwe_O3g4rT%&lT4%SBsRTB0QZ0^fHOOE!)4JzzM3fz{ID35uo zLBA);aUS2cPhf`zFM{~Df;K*U2c7>c&Q^|}&@%>G$Fl3HoJc6gah6a#d1(|xc;7Jz zT&Z>8IRc}Z2xNQ=dj;PAl=~3;Yk{7vud_&YhoTgIH_yItUDBSBRv@}wh6q~nd;Av z_tzS3O*x;x1uu2!Ldblis}jm>APw{+7c`{0EkeY}#KJ^JPG|)3C;(r57PKRv%K~NzU`3f_7JBrhO3! 
zXKfMZ3~PPQ`@?unoXBl7iQ7{ zju;p%=$!rG>*HqVpptqTe@@gcFsx^tAP8$HG^-cMl3kswO6x;s67^M;T6Z)5H1->D z%EQ&yD_0pLJ`qXY!p=gl^)V>l&C6aF3U_>d`5`Ei-!i~;Y#3*aOD}ocekcrejQ3x%+16Wdc!L@2vCNSZ(2f8 zH90-0;*(}j)Pc)qlrL?uA_wgc?}1ENVG+NbpXUDHVs-b$yCDdTJJyclrPgPNqI|u= zymJoyqGUM!h^yG{>cVD^;OzUpw(~3H_Wm*c+f8?p&aks*r?)4a(R;_oNuLCqrVdSz zE`P21_cX8fxT`ykCH9Na!#V{91Gj~q!_W`e)!(g{KhSx8RYsHEwbNSP0B1@$_Cqn6 zPmj|u%MWv;k!Ifhq%`J6C?9$uhSXkgmC@ZXIE&1@YfAzwS4?NwNE>{s1F-gDAIF26naL zxj8xRB=G9euWJmzJm`;?Dix@Vnfm@}YG|;HH*<3>c&D}AEd<71gBqiu z=!gnT;^{`M1o6QWiYmH|knhZeuY_>rnAF{T_-!=>W8T(=(_Ic&ktw3GX7I!5 zG11U0yz$gF4R-vA3i@+EqNf5myUKCq^7`Qo+!ckG<*>VHll!^Ro9#4m6Xk68{Hamu z;=+tJf4SS%m{)a+Uu@&1yq(o41-;5|1spKVs-13OKo56QW4Tk#YOl%OZ`rpqe7~;} zhn@?eIT%lY%?MX6#ThgIJU&6gip}cL%06n>Jqu-K!iK)8?w$Dk*7Q1lD&=804Y94` z_T;MOXhk=;p@Yxqcr_~msl0QZz-yT@EngBR$fTGf4xR7JQGNf_N(vhH;buD>-s>dM z*_T9QoIi!$c@8x8`OtM1Yv4!KFQBR>dznvpN6#LC+SW%VYc#M1Nb<(rb%%fk&v?`I z@uurk4-nJZ>L5!T4XhakTG@P}dTq9I@qr*ueg(s#;n5ZX&7$14bMqeSSs85*o}1R> zz0Dn#)cvA5H{l6zm8tt8rYXcQTH$zZYpBjJ+nlDGvUh1-ehYx-lE0bam$G5mbo!Kx=SD$k)Lp$3@HBuB7@&)iq*?Z z6n1))Q+9fY^qK_=PWtWb3hYjz{U*QgzY7=2tQeUT_FmBXDn z6gmto+NBE=zIKr2zwwFYDy+7zlzXDg9ER(u^*}AtC}%J%(oyh~+w903-o8Ze?$z-S zAr-?Fq$t8ukx1#q3AXW+Z$b}IDYbAJVtX|~#4}GdMPM3=mTmcEo4ku71|3_enu^|C ze<^$U!m9kg4d?ZCH3Z;H3tA<53avUTyaqBpM#-n|>IkKn%bnXVb;qj? 
ztZ7v!XKdO_w|}HTPkgJX3_(Op+?{6VXbuW9fgXHxrc{n$eUTS^zm_FHZ0{|!_x={- z;E{c!TrI|MK$Ts;$V#3H5}3Al8`1_!`jGu&Edq2_Zt7j=%tb6LBu~-oxmKyKl(t#( zbX18ycu17QMsYz7xw`S~%Gxcs#StH7r)sDGNd%hAQ1vQK5)t_MqmVGB{axC5iIe)d zEf;32t=6>vizI{*VcRqxJ6bZiqF1r|60_KIePR>ReTsdb6kmcwz^T%i5UC3n3v%@S zYg1Esqs-3T0jD?5qIYw@^z0bUc+$Z38?>dKzGK4qt!g0VyYl^QFfixa;Z(?8XUn#+ zrjYVou>SrJS#q=IrcRAaU-u)geige!8mFKaXTR}g3Zn15;Ujk)QRN-s((&|N_2M9h zyXvO$jq|SVx2KHAPuxGBdt@$_cEjJBo=*kqq`28%hvU6V>6rPXs|o~a^TdGr zlqDmcw982$`C3!hP1PVSj@!pLH9NpfmTr=xOyEV0=Ybu2!S270C8XCcKh!|x8n<)M z#&MZa+N)i$8$mQliym_lPr=|R0Ta0;($mm=KFAC2#uGJB^i-K;`_f#Yrw5}p^Z6Q* z)3*Q?*P0$Ke%fJq)`v#C_CrLMPUPlXzgZ6W+q@Rx#occ1l1V32@`Ax3-w(DoePSn5 z+atlZskY8NBt4I=U=J#(#i8v|Y(Ge9Q}RU;#4!pW(VZU)Ss}PHJF4EFt_# zGm)6Z=tJc!uag8Ci08b)!jD?~aclNdWt*p&wS zgoBP+2&MBYw&!It>}dkNMS!cOE6-v`2kf)H`1RxOfU9QbBD%jTq%MXsCVHn`N2}*P zh?iRUn&jMbzfH+H_MlOQ&?!jrLt5SF=haRY>b)+k#_hsRx}g3Fq=(xmR(<(hpxg9; z;L(kp{_tQMZHabj=m%H`U0N~D;>QZ_QeAlVkQtk)Szj#jLD4Q*tfl|kw187?jKuB` zx&uA7H#%ASx$e@!lCI#E80-A_9hjM=qatdeVrs?cMlzCGv0gu4Z}hYFHOh`-x{Kf{ z(4Z^G$$JLuwotP*k#9MC5J6VJF`4Qkwds>bW%%*hr=@V2M6poz@`(zEn)+sC?CY$} zgN$f5tKlMRFxaEa|&*P|6AHa<2#xiy+2BSyom*l31(r(9Y* z^?F9ub}@sC-6Keo6|u?n#5%fNh7hWW!9tK`&o!Z|Zzs6@o#zU~nCyueTS6k%_2mZawo+`G2)3UBYlWk|R#W^MI)ZpQTrj=$q+*pAlcJGDnM$1py7WG8@lY+*yP_&Q&9T^rvp+i>lh z{zS4kqlz`8hLoR+*!69#4NMxhQ_n67!KXf5rcdZkWnyS?C2*|8w@L|UI$AkyXdE4Z zU{QjW)Yo=&_(mF$V^V~R#3@>$th845&v)9>j*atrq7IAPeZY{4=5V4hM(F22ctq#H~@`e3ajVgLXfO9Sq~4 zo4l1yZev=ovx~d^2=v)?)UdXi0M~oYKB)>i-(d2oL#6-=6EG^B+}dvU+ScYA=Y|0Qe@iATwCeCIaU%- zm-vlSP!H>opFusowiTw75I(&oC@fzF1iVIp%q`-y+e685`GXBj} z<(sSPfFoZ0)KyWfmNIc;M=6QZaCs_0hb~_$>RVKSK0I}nIGX(#-5fF5{K5)o`9}=# zG>^T#u?Wwr&U4OEE)HKN)b(qynEwSE<` z-hJ;bf@uR9{HJ$8&%Z~H&V4AWuX6AtX>Gv&&@e2so+SzIS|lR_Oj#V)55ozw3gm)8_t1vS@*Vz1^p_GZrw=T!mF9 ziE~LF^y<|gH7lu9l#Z;p;Z09+s}e@6KH$a027;2JI_ibjmGUi1M|D^9cYV&~-D)IG z?tKDu>u~Jc^ijy|z3D~nMmFjdv%^!m3`L?KAwnfRipN*2Uy+hLW7`=$H;YhhdlcZ~ zV7xc`5dKAXn$y}fKt?b4m{P>Cn&<6kezdog&X%hgAqjpvn@c!3a#G+GGS&5Ds1TEigQXc2(=Ed9}g;$7{ 
zwA`MAhCQ!%D=5;cQtBBPBmX=8ds1&hLDXSXZ4)v4o+LIFqe6NI$QY%5KX6jnX-jfG z()iZbxSjdr(fWh5A21}o7xOW;(70mvh^;)5?0EV`2-PNXHXuwDe`8VK+@Ff_ULAJk zx&+R(x66F69;)6LyPKikw-sPcV=rj5>77nI$<8F}C%XHAQk(6ACLd&ow>nQ-FNu*y z@*_wqbn9*mahgBh52)df9N3`YqQe_wci++<#LPAx(P=(U@Dc(4mu-aBDr|p;rKD~M3?GDWS8U|AxrCD5 zxr*}s@&u#9DiwPC_?cad{unfyc)+^cJnJ}og47_B@Pi$9%!7;_q7Qs1qUb)-oD|s| zwQpV8MoOIsbOR0aa}&IA4x3f_f+ioc33RtHR(@1fpMw}2bNW-7Ca zj=s;F*eh+Go|vnbw20O_UpGAt=Lex-qkBhbD)$c3&bO;T0sf7g>fy7d)Ji#ijL~Oi ztBq-+OWNdRVsR<6pRi3R^#C;5`wL<=oes9BP}~e*-}hhAckr4?^7`KDJXt~PZ`r7p z>~MaH816;$Hs{2WzuiLiK%_a%YP-1Ca6#&@)%)mUKhJs@v->%oM?Xb8a8oe#ectW* z9k0`mG~=)1>rho`H8#>0S)2mm%cbk5a|pP|PY}N6HgM zap<&7gaoF#N~?3@VM^LBP6MVLLYS&iC%e*>*A7Ju>|EV5>!L3!LQ31%IUUSdC4P6s z@^a}E2z?rM%2?Y>mwPsNxY$BG6AFpAnw=*`I?wg2ctJ$tU+t{K zq{s^TJL~k0r2kk5>(Mwwqh+8Qgi&NnSf6!9paf<%>WmL{6 zbP32^MoCc{IVjM#6x)j4>vhOKKrz0LA&DVAF7nE0Sr<_rMZOpcQO3#|sSgK6?edA2wMxhZUy4RdgFV z$M3$3k()^hx=X=>AG%B#UeY7>TGi|l-4~-encY(NS*;v@CCp_95wa1Bb*Rpw2<2I? zyI#6D)T0XC_=tKhQ)A+J&2BplOpb?ZJ0MKF5`*kbMhqL7A2hH%8aiYna$6F7aV(X; zI4TqQM(W-PZuZf}(CO~VBLr#(jVpOe33g73=K#Y4Leju;P z^RtC&7#MSEt@h$^A8avn8i{11zj4A;}wqT|BtoAY}k2SYYICA#_3 z7Lcu@`@w9VRw-zFQTjBAYxDQKpDZP;H5p`{xZMQO7?QNb<1dpSL|U!vRJ(IfW^%L8 zW~(oRRdlVpe39XZfe(p9D*POmV zZ*nEs}^(L5$HYZj_2xg4YRo>u~L}%r2`0Ms6OdiMDkg81)BcOjKAl+1i56( zJCJW;TTg51+{pD(HP7;eMg7a3hjfaLh^!~y2Wo_FT-w*P$>E0ox)z}xqoEam-%!o z1P?zGe|WZ+?~$ATmXl%EyHyCvCJzR$Qxlr=0dEd%Zp-faMJIbMQ_SRV4E0H1$uQ6E zW^603hsbYCQ+fXcmzb5w#jWfD$wL`2wz24GTDlj@5mT|^1o{EFar)~% zu@R9JOh0YnyU3#w_svoUW1T7lx8pkVdi?kRGT;}>hV`9;Il&>nMD5%8mVzEGdbMgb zE*X0+J`AD}atNI#Y>yV7?M#nVT=}fIHMV-g{j}n`ppodneJ7#KoC4V@L@IKO=M@)| z-1ZlZ#40%}L%Ech+9KkL{R4Q}CS}z-%u8-k?Hq0FV=kjY*=*fq+P)dDV*Nl)&-VmD z;D=8a)hSUiM5-xTOtFC)s#-e3Q(xbtKy<`8j31gBv%gG!3movNUI#-_cJM|_Y3|;) z8)sFs5M(=|cabWd%bcv6dnS|Fi@sH@#%<};@Rn6G9)rY@-bm$pP|OB`^ahRwI@W#| z(Al~juz~XSv;77%?kn%dVD8E)?$6)(x{aM}Z@t~U%fjiChp9<1{>iOS90h5IaEDW! 
zAOsmBv!i6>@JVXayDgQi@2ws+Z^pY59?)VjTXW1YUBU1YR1sn{0=42TKZ;0Hh$4q1 zErh#n;DN!~rChdq(a1MJME<)z9K*KMN02y`N*mDWwk79&#%K#c*sFZUCMiR+$LhpB zZG}A^P)F3QiL%v6OPb4f-m$o-V-bD?Sx9r(keVpJ_hClA6KN$3e!{+(|KUApv+Z27 zY=8>G6%GnkI|)@ey~bL8Vp1sudTCR|@)^@l#kej$lWD)b9{*zx(C|xzTnK5% zIeO>owwkR@41OVfu)QU8V!y8f{k1gU6-Cra%CoaUbBaTgq*<-3$Kon67(=o`BVs97 zVG?Tf{v9o;o0JC;DFC`oTPO<+O9N-M*%*#6YvK7Fb>B=gFGSrlmc%WM=0>vaYw3Jp zRA3~$;kohzG!f}s${Zz?=#kvzom&!=0^Q`s?29fGxSyj{=JI^aCVoPEbZ(9Ru74Ms z-S`$gQU`f5n@bqIGH@B+dvdkpbTcFr>e)tQ(R5eDJvRBi!@HJ*v=jNEt~c^@Qv2Q; zi%FxuWas3Y-Q_Gr+Rf8uZ8~+J%t5}9 zvs3t{^qL(cI4*PK_f|$pqnw5=bx-x-I+O|IXr^n%IX_+(ZNT>JFwF^`oQ6BWFT>23;PZ0TkU%j z7?gXXz65JvpKE(n1@R1YvaqFglvZ%yV2(OV{(POm>IYmj$HA-6e71Zv=w|Y~ED@u! zSCPKpnNC~dN>07fN)4gb_cs{PU3Z?KyotS{YfiYY8`GH!rl-l9v{f!uZJ$CJeKJ<3 zNOL4vKU}6~J&HvNOnwn?(|h=38~-s;-%B4iMD*#5G>&@5byi2w{zY%|dotAxzrBwV zlr?12GucTS1}_a)1M3dNIc=%Jmnue@2R?2%TTgS_k|^hG%Ro9Sb-Pa(jjE0KJeMaP z%MrGFNVcF(cUWe+@=T03OFp6&&SpI4VoBH6R&n->`^;mm8=N02Mne@CMV(BWXaY{Z zUO{C^$hV&5>8d$qA7p5YDIBFg*5sLmd?Rj+VV#v}fAkPhj@rWL!CO?R$qA8PT-1N( zLp)U_@69i?pU<%jWMKyxo89~Be-Wb)&S7J@#SP7ZvwoDKUn}0qMVxVA!~^6}tw4#@ zGGrupe{HA_25RUjDOorgzu_vhRI-h#nq8{(fG`$(DsUZ4 zccP}>Rqy3{4(?Cb=Ecwj@L-^8%^7K)41K&qN@ML%>={CW`J8_oy~0lrYWn^5MXH8g zMiM3UZJ~C?RiCrc`}5BMBT!SbPHWudlZ=3fV-_LI=PV2L(vN$Lk+v`TzXci$3|LOU z;|gsF=2$XUB7kJ|d4)WDrlvruLQmabkK0$(qtSkZ3x}L-TilH3OA!@}b3}m4+Gs^0 zZRc6y`cbx~*|fFi{#ejz<5sD1{n$hK7Z!E{^T~vtJ<^z>QHEtNRoyErGr&YkkZWT@)msb)QsLm3NARtRU zK}^E-!0f@kMYGk5>Cj7kVh%%Jt!0TdrBwAm*i%|qPt*1L0jZDYdKPX6W9ZBr{CPu0Khw_kO<%(;>At1VmF=sB~I9oeIj@dPT->Q>+2$?G&XOU@!dbLUU1BZGQB zBs@7)+H%uWX895=b}Q8_4tL<-^diYwZ$d7-lQ8-VP{p`?A<3lbJzvE-1H=Ft?N`UALJjoD2l)js7N{+ppF~&Nlnv^ zo1jXk+t9cw8HIe=(lmcq-GPr+OodZJRxG<=GqW($J1K#+RFXnn*DB*7sXpebVL#xV zyp|<60Xr04YuYh`vtk<2^*?D5oCK>il}qy!Ny5?3iK?9*}8S+7G)yyo8cyX*1L+u^9Sbh z5|!>532!`yt6di?sJee0Q^rqmbtNuQ7dFWcFG%0h1fB1PsZ*2E>>zikE~0i#7MI>} zo0HJnBN^{exYZV7NO$jEulQuUl0??RxI|1^%(XO_1m|emluwIiiM;6XDnl8kmZ{K{ 
zpwsadh&Aj4g`HvGieoL!0$3m~&ZW4+1yf`4+?^snQEoky7WHaI<9)5*HUjl{$dooY0d^Q|E#lc*@zaJj zhP-HgO)gEL`fpPn3kR5qU[!~T}=ZO{7A0wT-6Fz!0q_C)ys2W^x?@?)3p(O&Nz z?macLgATG`Fvjo`NTm#tO=XCJN(~Fn8eO6g+J=Dil0>W%6`x69s?7aJW8_ajTkVgp zQw?@aSW$Y{AB>8c4P=N-qWsf|F9CXTHKl9?Woh^W7B4T&Qe_snSkcFPTtT;J?J~mV zaK2{5->t>>v_QXywAl`ATKRsdN*zN#R&r%r)X2c-Na4nI6H>ddH(XenH^tl0f2fw! z=#epzMK{A7g10OsxJku9z+}LQ7|z*mL`rxt+!gdDPd}@a_==}#qq9n1ii%EKSwt^k zMTSk(y2YY%SphaZ4b@o%tD1IjUL!A6^AZP80G9}?-b-?kgZKP~{0;(@Z`=Jv1j^t)8sURljCJ&|`a>Q%8WEJpQ zo8pIrE58AWtlaodHPb~5Gkp)c9eIMCyghd21UyawK+J9zK?QHatp}I{)E&bQMsc~| z$<*{O0fX|M`J+Tyj@A^Wif`gyVT>z8hLHz(prse-6*rnQKP3hpZsWX9h2#j=SkfLo zk2ruebM)S4rh_*jZo-}1yDk}WDdlF?8i93~ay($0pF;dn3I((Yk6yIMk4<}fhJ8%X z5m3z4GHlTk-!Pr7P2^N8&_nbn{4L!rqX&WF;Q;9Yr`B<}z=)9!}va=%LMI~q zvC~L&2(hW)=AOErakhXmN>f8(YVe2|fvfDLvnwcypn5m?X-8AX161LVs6F%`9Z05u zXHE-_B@($ev74?{&JiA_5Aqd{iX(_(^J|`nM~|9|G!^zR_7Q&U+0XH3Tb%X5jXdh3 zGEa3$TdlMTEx_KLC|RvJ#Px5j`_!Uh2bT{_lo%8Rf;sLV^#thNdnV6a8OZf8GNY_dBh;cOqMUR5zEN6EhqE&b4ko`szs%%ysmw2=YDIgMtV zdoA0qOs<_0l`t>6J?@mLk6%?1)~90u2OsOK9ya1|w)Y|^j@uYqG4=2^)ASeh0PCeZ zeoS9-wqCY{VSYKJS4pf9B0J=O3NE!)@+A&g-6?LgI$}>+B5Nx$Xehth7v$m;WNd3h zWbN=`otBV8H(SdPjk+7oG})CU-Sr{eBLOJag^uWrQ=k+ER&;7^8hA=ea$3F zFEJ9G85CCFl`_$A+Q}VL^>(m5-msA}$R2yg;yUqnt#?ZU5V#5U2h&x+k+@7 z-i4cl_esw#(M5WycE<3gkEq%4F@3Uuiu3^(p?4DPv>HMHx;khOPJffnb4VIxll_VP7BzZoe3B{^_- z8pogUNBfIn>xk-iX7tT(Du0tyx~9AlxmjYvfOg$!`=xI&KoFI^;$1_9 zNk;o3816~B$G{*Tupy=Av&^WA%VNp5Z2q@0|JC)sl*CF4sP-y;yY-)CGG5%y5~l3^hY9+dr-me;T0(;G z?mx=}Y~!kon?UmG|D)F*1e}JY!)GVx#xZOxhyDbBRJNQQ{|~wjMWCq~bxlK0Dh}>{ zbWjDL#HJptEdNYd0Se`tSur!O131&8f%+ zwj+AuOl}Ieo;UU!pU|kCY{hr$ga%e>lj_gQwg(`%#}sptty_X&36Fbb0i1RS4YX^S z#~^asFM#-Ko`Zg&k+p@m(`lNWb$%%G!IiJ7C!+ekR71i`M?D>ATth>|v0ZuL`|_Rv zqJsj4hSRngi1Rz#X}5Ew&rZ~;9R@&0ss?^9Uo$)iS-*+H;jkZ67dxL|Kbu$A>VTC! 
z{9qUYm(4LWboukj zU(66`)GN}IEEtso0NVJ3);>Q#4ofXppKnGq5D84gXhUvc|?g(r^ zUY0AODoSC%wv`xj&)89OJQcRgn^%+q6LlcJMeAabuM2yb!dkpD_2JUl^%$!v5 zHUbCa0E_E1)oI`o`K3U+C@PhG$J})zws*s7df$p`P+D-OQb)`7?l`W6lS}ptzSwF8 zFB4H>iT%&2iDIp06#FsLo_+pj$*Jaj?7b*;;Q?I5LAy2GBzl0wvJ09*9`6N?C@T|5 zT^`y7uI4z3;D3pv+8=ywZd2rSO(u`HayGyiQMl)+2b6S!u4V8xsfp@VF&NPpt=8>E zKVv>QhfI4XBz@5Kr{u3w@>0#Lq&J+fY7Y@^eRK2s)|OYkZjni69JlF9zAlm7cP#}y zCGrz-x_M*5s+Bo6o(!lt!=loD5F6V5D&}VP`m%P`Whkep`PgGD-m5j6 z++b}m8$9cu=zH}C7IaFgE&1Vijodsr4R*x;_0i$hiKgC*y`Dn7!o<;oUbC~)vMba( zDORzc*{sVHfT zzO7pN~y#~J;ld3Rv$~4-MGB&VS z1h{ghi|uA=uP59Js|kfhYJULm>@M0#nz*HwZCB_@JavQC1M^?yekyL%- zyRgE#F{PRvnQ|_`5w2K$uRx|EP8RL2FkasRPH}eo&1E>8=b20*O>UQ-0ojp1jNR>7 zfU}*1eYjO<07xlv(HeN8iQGS(_F;g*!-fOXl`^$jH-%p=eNwpY@iolZ4t4=EqJMB2^&`cer# z9T_Z;5dI~MR{a%`=966IJFFNK^O@H&&U3>pT0OsW3+gMrTByMv>N>6~IJTCPYK4X! zmK2(-HA{&lTR&U7X9Hu^d3!dFnDTvVx^RuzZAhZSaKy2!XH?I#n;nBA&f5Giq>jmm zU+gWk1mVOc%nJ!|`Z)w+&a=yBCnPrh=54BXbiZjd!H_b;qfUIxW*!mpCgYxczbLln zO32s=H`=LN#M<0<-V#Ms)&RqHb*A`TP6`aBIlfxTXpBq57dR#Khe?nFSE=h3OYEh zBzxAXo}bWcod0+t0jJ(diJ7gdGxa=@9nCR^iI%nGdiiX`&E&1W2`egPR>f3u@F4ng zP&0d%K&*q#bR!7$A52Cr_4(Y>z6L216$N`ATS0X?`{QFF-@hu+>Qd$Ri{`FN@@iM7 z86!Nfp4ICsS*G;>D3A(=|86}d^d5_0MV_v|&viq80lT`Y{2VxT<-Qua;X3sWGLOsN zbM={5c)s`S=`3PKO8Y3yf5uv`P4ydSZ@2|ht6k7I*UKgrRp8`Yx20rrr;TjsU;h_C zMFM}irV(W933mz^1#N&=WIWa^-w~BjAO$#b_SZy>#h7AeYa}Fr1 zVRgF`NjK6|b8Kp6_&SZPTp?-EC83W6S>J?XVn!gKUTltp}xB3rINY{ zy&_rl6;7TC7^+eM_At^ryE0j)Jp0p1v;)C z)lxcFP4v3hbq%kX4djI$YJ{+tNR3UONP^5k4v#YGB18e;?7?}ZQ(cskaVgGga>Acj zV!n9@x88ooGnu977SiN}=vH;TGw2v3+&>}8v=zofT=})gxxu0Gx{nWDg)t$_W9U|j zMVp~Wd_kc`Qk{2;IBxHQJ9t8x7*iZ??mvXYHbtv?9tEwWt)*gLoOD5s*Q(nDqI8`$ znKg~8$6s3G8YG^oA^JatF#4uNh^l+2k~--Y=9zl7whDh{;h21Ll_=V$Lrf96a3da?3+{<}GC5rQ3(m3#& z4MdFlLX8(og)8BqfFdm9p}Isrme=`5dcaS*>nNLeQ@4Oc#qpr;Ulk=&5qVG%#8Jp& zK?agU;;1k7JRTCdDMhZ5X1FaKuzaS-Rti?)CqFrG*QDERztMBn>cHR3S}CU}(#Gx7 zM`lkjcU`#Ty;5npay*yvSZ~)8wcRdz24KE>zq-NEMwVlUem~OjCEb;>r|W!mRZ73Six+kvL!l!axyAa z)VXX2rqNb&XWxmV64XXSBLKR+VP 
zm!$dYx99Uq?huu|#BGSPH21{UbScG#)IA*5uszolgcRM#woJZnO+WD65_x>!XPKo) z<4;WA+Drpe^XLkT4S1ElVB_V81`?<->dE`@&IOnrJxN=abUqKEJ^CT5sI4@Ghc&&` zMdyb@86`t#AtvAkm9cL(jjozeyc9h#VJl*2Hp7X}CMU(-Xrtw}>#cb`3DnVwSGi@l z$W(jBD2_~a-jss|r^v2T@H|J@`lq<}^j3?2qTv%inNj=*^~gnOZnKA0Ytss@E^DnT z$B_@DCC-M;dB?en9zQB}_NK0RU_z>n(6y=EHio>m*m92z6& zM*c`-pXl85{vE%z}FfndGDW?cY9bn z-!zg>GWz%AE~X_9 ztHWb2Ma$~nC!YUSU#TNY-9eySV)Hqo5o_usl~b4xFB9pJc!JIFl8-*Ow`3$-$=U7R zP|FlCM+FuX1JK-+`vW4W-_DS(p#}2%6tHLqo_HSfx#ozvU6r8|@lnRn!J#s5sTJQ&d+(vLQ}aJTbADGHW$=MwU+c(9LO`J{Uv*HO%T81DL9du2b-i<8`2qDYZT=_XPA4ej6t;rDVQrzg zgDDF3^5?!~LW&8F%sj;Yk!u-|xlxIfETYW8Mo_V?QGAQ^$}Y2-&iP6X*V+IgLSG`; z%ib7q*jxr~13f9+1AF^&XdPhrLwOc5f}#Ay%RPyUthJ*Sci^{kQj(>Q(q%d)2*p>r z;SF=$0R@x{x*lyWw7g8*25QX4iv$!<#aolRzi@@VAE|JM>M9304vg)OMkZj$lI-3{ z$pwau4Z zZw3m;L$eV#2N`qQ%0+1UN>vg{y$ZFJRJ^-x1~Jr~mJ$_sp;ENYZqvA<_0F#o@=P7I zsg3sIobD1xem|WGUf=(=OV`Du3(fGzUEi-ep3a>JxAHW}tdyjN1Uw==o@HA9fodyd9w9hLhu9#!Nh0> z{nFZNs#D>$p^l#P*7a^O8*yh!b`(sBoP&!$&YUtEr*mzf5y8dR-l|8=OW*6?8IAjY z*n6v>IHPV|H$W5I-Q6uA5Zr^iy95au+}$-uaCdii4er6+-JOO;dUyV{R-HQM;@q#Q zeM474@j=g?GUj;S@eGPKTy<45OxiNtwurZY>8@iYyA8!;hIG^TkRwGQ@M#yp<3>rE zfJN-HG($*KyalCfzI)-CZAY{ryf!JxG@9qal;9nQD%}@G!bEyI`A$RczLm$CjHh^O zcP&54bd48BNz$i#s=EI4IFB_3W|?IA6F6F4j4@1E?3RX{j+}2;N|3{IA=_uijOx`9adGuD| zChZ1trNg#{K3S|AB~@{e(BhJ`Mr(43vX(g^_(;r4#$RmO#W?+0`*NvFf4l{TF5AAc zrC#&Bo;b-R>a-MOTLr^_jOw@;tdb1}d;2S`;muQ!0&LM{YR2?CMH_{Sq2{Hup*+H6 zuszufEI66*6z4y4=FHsvu6d-EKZ=I}PknodlyLtpye`RW*%T`F+7M!s-r)$CM$+D} z*p-ire;UnUHFdVCUkzrQf&nB=?i+0T*wS-hyl+uOva zq7n>SQ_<>5^e;(+PLnI1NJCg^{mY^F?oa&4ot6RGEoSn3Wp{zT!-Kp5L1&LDC3OPx z_|4meh`BT?+eZd?YP1ec3yy$=JRiOub$4#1MVpx850BO2O{;X_eQ*jpPw5y&ZN_;zA{tcpN4TPg!a0ypO+I+^;twd4=!qwL=`~ zQoqfc`BV33)OGVbbs}HLRW_wKNPoN34Pg*QF>ILI>QS40Gb+DH!N!j!;`|k2M!3y? 
z8fei;adOH(CYILURx7XemEl0OPU(e=ZRT@WCxd$PH=n?bhAxTSH9wCY>p$`zkqMck z-!nhWICVXqj_=x~Tze%JA(JN>zH)OdTq*Tz9N1FIU6g>xXRb97>_$Z3Z72a8bkuD5 zrt#%nanMTfl?rH^x}%^CvJT!)+H1cnV-n1KymfOyw&Qog5c zWD;-j^$Kcy=v!0oJP?k6o5*32^Y=zlAOX#j)DUDTr}MdW+coTtuinPNc)t`kiw^xH zB(pM*$=+e-U0hFDo$utPW@=fz*Uj7&{Wt>zw$H`NCVky-&w{s)pRm|J$(H1_rI$>{$1=TQxEt_W7Lo-E1KqxBXg;0Di1} zg{n{DR_La`LF31tn_C*-Rh|&#-K8ifQZ!vu#*=i{jLHhufB{~wrt#|$W}gccvOAgb z^ATu6QvdRzg64cs`E$iNq$Pk&rH`u9{8v>W&TN(*NQ@at`ez>nmgKol1hRbI59-cU zqxh|bP*hgok!Qg1Vo1k*Ykeu zQ7pChNU!}%{f#mrv?PPmt64GsA#&3ZH&0~(ervZ& ztKRJp`H_KsenseDAM4xzk5M}NdwL@;I5URAqr2rm-}gkucb0bS%R;XF|SOe5@2El$%dxq7n)~{;M;;9J|-$t~A#=|ClOTaJ3Z~768jed&H)Ho!i z=|EpOjqo$(_Qd&oSXt=B#5~KPTnHDO7l*BrveR6>@pB^8p$!||ac%L==l0|i(c2n+ zPiYhF03ws)o(#2sr_k}G=47@8Gi z)|Txt0e7x4b<=SpkTxk#I$yqVshQQh+Fp6aKDgBV=pRtaZzP7u9+7MTPrS{(Z_H7H zrY=UW306>Y+B%GYZwC2I&eSC>LZe~z<4j#sOnUP>Rj4;Eox7^mDxzn5-^3R`tEgE! zN@g417S92a7hzOh=2{*4EpCn5*u>wFU|!bHrgkOkO1w5+;xuQ6g?=%AKY*fy@sFQc z7G8qg3yRaIn_ug2DcBXil1xxSyjt36bVY!Ry;-`3xJs5e;76?VD9suY|J*LCXXR$ns=BzrtW8V*pB0z(yu(6G}0jI zQ>SrTIx-UtW+fk|an2;knKBnDNh7k*PhSR({Sl8^Z+Dz_SB#0V^+6^`l;+V_nsFCR z_;j1OmhT86wO4PM@Eji1+E>r+1OXye!L_ATzE13o@xd=}{Z+5OEc>ta(eSSLPQO#p zmidPHT%KLB*c~wBweHk(bCZWrKngUcJm7790Zi8mn@090iC2FeI~C6ve49Hm7lO>w z(DJ=`TI|AVc!>GileKnKan)YlVC{8E_8`gd-n$%#EsytDG{W0UfCs4_Z(+S1w&FV| z-1E_`cu;6Es2t*9v=iYOk@5m=oM!x)tMEY>+jkz;&&#yoVuhyRsvgz`D`Mfg`8I;* zHVcHoMyD1ZmyR#=TB)=n$6PdFqFS~{;$0~YY%B5e9UJ0bT%P855$d~BbQ8Y;RrnR< z5kt7QA|D82nnqB67B-Uc#YX1YQcCA>sAZey_-TiAr37z9yeQeIwvmp{s%I^{jx6eG z-UY#iWGiWlnd?ODNNZEJbQ;Z2|Lk6God3?MU0!JTB2qUPBqhs6GfjQ;C&}=4N8VEp z@Llp>qu0Tn4j8E%{ezUqVu;_dyUsygXEPS`}%-gTH9KsU%yu zZs;L1tNP-6?~O)w+yO$Ya>tNTA1*G3=~pd}nb}P*2Xj6p2R~95N;fVHgwi6b)r@s% zC6L_iBIfy(n{}`=eG9$S*kGb*GWIQxnTIaOdyhI~v-XYX+}UTK6Ys!ga(u9@Q&eTT zpl!gE_I}HumoJVP6w>8g?A+NztfMgaVm|eloLzo}$Et^~aI{M5W6E?@RI*&XIvtyN zg#E5UukY1=;roF>_G<{5ayZjJ#nWGOO9~|T+PZbQmfv>eXN@8CP|)(6HcsG7kfL(hX~0K>$rB@=dz zUVhVa;V*cKY|J02Ln0v!N%tpfTe@u4{FsZ~Q3j-j&4@T(**+m1WRxqC7s=#58b)cz 
ze!dR;@=1wD=*^}T_@1m@Nn3u)SG?ggz2W0Kjp8}jqxcrOKqvjcm)O!aWYV7U=SC)( zbzDX6nax|+2#dykeldb`LSJ7s|b_h&zp5wK6Gp6Ekf>Jcji9FLOetqYApEaRT+| zNm5Kc-jC^skz(ajXD+rFtkR{0Zz=qOp{)p{5sOLTV|}cwCAbjhc*x(sydN>OjXy@E z1b&hCuw7giYD$)G~g7VX`ZBj8Bw<`CT8}en}6Xdd= z0R%0EDA5-UP6a9Ex68ZOcaB&YCZPSxHm7q;AqM?jXP_(`(8#WMn^GR!_uGmne3qNf z9(D>pEO0A3s=XC?AYboyBs z-@enGE|y*N94=(jn;L-WKCUKdZrS|Y014mPBV|LAc|S!=i}^S(q$DsT^!pU(YHOEg zclJyd{8RZ}85Xj#>^g^l7kg)Z58%0%<=aUVpKI6V)Xjl*OkTdy;l}$Fco`#K|OR&}S=%5xLv?U&-D-%BXAKcipt z45>P&7sE()QBLFEP|cWee+|rsDL?HQF&`rJ!2!N1LnFeyLxjrCl4@jwpwi2Qbyb54 zaVf*NszpiJN1=@Jm?%3W&&`d&Ey4Q-)dh$0aaBlAD(+1%Pg+!dlnYxT+Dq%`>E)TyoY-F@V0o8LsxIH0 z*_|4rIM1(;3tUBDbp-$0@Le;qTF_D#@ai&$W zf?D>siyprk+ssmgvZos@k>N&AmWKVaIF9tFZ`kd~^YB}>DgN(Bb>A(h zlPFvW%rdYCZQ-Ork3@Tgfo%8eTJ1u-?<&>BtRAeLC9ghAQ@)gM#$Z8`lG9Gvja+ux zX0h_8!BQ`!RAK)4+l7rc>CKkvr0ihHP0U~vyVS*c85`sur zXE{7>{}75wHt?T>>A%)Q2L9t4F6aJ(V$%ECLTEL@xy$GfDCYnC2m&Qs{9jGR`@i7D z{}^!oFL?2PEJgp9>-pa!@xPtxsluqg4NS)4fB&{x^d|*SH=Z;cZp{_=c4^K%w0dzw=Ezzq+z7cr`gh zj(GpMJc-gaGuBsNSV5Z*#FQAItF+ww8X~mPXtc zj>)rl`N!8D@KoJD;Tpo5YlbMx^z6hCW!$`9();HysZ;Ak?VGE3vEED|wz}&Kd;NdG zPyb_0RC0&@#WriMrS>ucdG!k`gbXsGg3-VsTX5|hR%&gvfZLw4GdUs(78->ZEGF&*{^Jdo2T<-W== z+}Yc5=QEPc@-Svqim)668^@?#X#p{=d1NJe%&a)FXEj3`Kc4e6drn#b ziPk-{5*Y;N0_&ru>9Dr0S{qU(Q+dYQw>&D;%j(5rm`fD0Y&X0Fw>Ph{U3Z?%R|N#f z8W~he24@o)REJLIH%C`pB&}_k(avC~xm3$FEBW~spI{3Pljc$T z@XGMHvE-F5)zVG$b8qko(p$%BOW)UwU(kW*a^m-R|7??s&x?E)(?WDV|6=;SJ+!>P zXW4ZR*|zU6@|}kFf3@(~wR@lP65}s<+8aE1f#7M*i>EfuA-q0TmBH?wX{yDeym#?( zxwDE-9rG2|5XNL9TMuE{S#rOG_rdhSmYKPq?PCuZbfqG7Y}Zh4cCmKl+el=4Y3y_~ z6{Roq6y0)h>2=ux8N~kPt?zu01m)pB=bf#}V~!S~E4dOj!bCdfnr&-c132RZ+v#L1 z5{K#hUpbga81avvYgtw)hBKq!H%>FFcI`OS|7d(~Mg*I?xkWOGP(@O@Yv$G5f?6T2I@eKR~-TTQsmr!|1IH+htzu0ehA94Pc z;fSD9czzI^aq)ZOTxgW1_UL{A^uQe?EV)En;t0^5@d?Cky70zdf@6KpKtgjba@5Z| z?iS-g-nbA4ZW2=khN1UQNX3J5-bnhu)aaSWCOYVBp`aq`@1X^_2RJjF^TGiV^4Obn zt1=!$bhVr2JO5{rl4TWKvhA)*cxdbKVkY~~=lY9;Z}FqxOC~r&fX`(OkHt@k`xgreU2GCZkGE}mm5h_ zK@=k@c#Ay7oVD;&Q7+GeZ`yCkBP 
zn$hgoSq)%(iCDhZRCdq0xo*|%kDHZ_=TflEYUSV~ut(PT`9LPohkT5xP`lGPN&eL< zFM~;E+-hbv>2c|oIE8e!ZV0~&4X@C1jyTUHMou^R0eVZ>W!9k!*q%+GfV+%2z=xZT zMws#Ua3J@ITMF4s$L}yHwQ7r&F#S1SMX+Yg5U$|#m)LT1$#YeK^h%|dliHap$HR5A zcdo?C$=T;gCd0RylPp@yy3Bno+FR&|VzeFv4@#Q&*VjiZ{hquSj6epm{UYIG;BkU4 zrFM$t?9D%i8-#=7IsPNW#?s>&>hVzb3Zw^NDuuh8EY5j+mix6KzNBYwAh|ZJEkuW< z|HV=z`B6E~fI5uCGcL<%@q~780LF*3DMH~HegC*XXYJ%d@z!vf7pP*rTKHSj*&Fyq zzxH!U|FvzcebeNpBLAX9%xjRL-+l-+R@_xTiu-c>36ngOv7PvdlU2gKMj$-9zY8DJ;?!vlJdWP(+bMnSD5duN9PSgAa zU6%D4SRxx!X3>@G28-Eq7d5TV(2YBE1|4%Zi$$E{)3?rUPO{#eed<2+w! z_a5pyuoT=@uHJI*F}k3ajRA@-LX2)c%I@g!-0n(s>wh8hKCcnlyH9w#qR~)t{mKgs z@{!9(#)+@+d^i;(&LF*ID{-; zfn)Sjy9!3%>UzMJXYE;T)qB1f@>Sm=nsBLARKTy}7B9mLeTR@#t)CwRjk-LR#FRo+ zVS4cQ+g}KfJf`T)=?@?WjH|%V)&ICQ97DIN-A!4M;Q6#ul?5?qyu81VVba_Uzdzk6 zW^jMc-}^M~61nu6({<*bkni3u-cB`4MP|RBS+GwoEi60`+`Gm6kvcpQ0qdiZ8bIw; zO}H-{fFTa6EFvPz?Ks6l#`CgJv0-p{_+zg~pgMAEbK>6Fd!yle{;Yi0ygkoor^$a) z34jeHzD+11yu}uN|0cS{*4dSC`ZCCQD_+tsg$Zar=Mkw0}}^ZvwJ$4=>&th`2Y5JCgp40$Yp;volZ~7KGBUT2G{j}xr{$oIk|X` z?rhfxTq}ax)Y?8V?CL0y1rH(H%0-vs<~P}h+@3!bH74M^qc`4o_JHPFJ-@f17Lk$1 z`I`W7KeLyFqL=FDedxMTf=SaYTYrROO_T6z7)n5_wC(6--q>h^mQU^aUHsZ9eo28Q z$T^Oe8yogDf#=Bx#GB6ja{8klw<&6jyWaG%`sLYWl+^QTtw|I$&)6sebbHV)L-|%` zEY$UM(?bl-4@3gFmmQ_l9f-FE5hn|W8U8^Yt0WBH{)*3T2BMeL@XKlIyz=}lI zlT zo24GB2OTRfAK9A~!}7#&vUCcvc9)B9NsP$_mS22xSA^b0^?93s^zFIsL$OWm>$X2# z5lrx>uDH1!7b}0~145$+v_$o`+Gz#{648Z#dnVG?F0sFyl#r9{-7b-&VQB{@mk{vnq z`6QRtyc>TtDnIASeH@)Rn$jgP7l7M~eV=@KmxLymX#xI>uW^=Rs6+Jd+3%<%kIC)0 zI;E+@Q3CI?bw8k^=iT>j!{0(7UdrH%&%JKpVZMU=xP1d#OC3*b-o2ko&!R~fiWARd zVS)kJvs|v1!kj!xoY>w%Q)x`57=fBptRGByr&$91f-0?MIzI;}L2E#G{g|+=s=88Q z=r)y56R?2_hV9PUyQo@sFhq7vhVe^QirH5YIX(4{S`TpeSxT2;f!mYz$@62NC2q=K(&NA15gO zT?TF@J^l@)Ag=@e~6)cdj0~Dn3a8c z?0xALfKi{o&~ukX^w4$++7P;j1IOhJZT{b(>ifXwdKt3o<}Tl1hi74FWE$E+<5B+k zU>M94)^ypCpcFxUg`D@=8OYr25@#6u&GKdP-5PIWs|iyaZ%o82vdtMg)EnQ~%cXn> zah`$r+MOATREhd%>bLl6a6C@rMuyG+JP-5%6992p^tnEwzSXg;(>X#K@!Xe9m!FHN zgz6a17L7GpSjnGSSkM0o?>zCW#B(W;m&t+W*WC$Pa`@Kkux;5`$7sz+Dmv3{$5M4k 
ze27y#WJg1z@9Fr;Bu+(UN$(z$QRR-3oq#TKKL@-b58Ti~5XY2?vC%H{ z%Xw>*uH@P#MGUO#Wi;*O^HWubDZ4&}d7$SSR>yxBWCR(3Jkg*6I{O|WQ&<$?tww{E z?5)v)>+KIB*sWWKg|%F%MnC`76i3{B<#^rktRRiZV%^R98jURd}9*sU*?aAZ>q-cT|KPhs=jpxhUG8-qPr z{A%WYVVDv`iky)P48iGr|QErYM;F%Btx_ zWc6~j#Fv*x67&ivbR@2=dGT5F^QW|<(7F6U*^o+MO3>HcrthOo7HTvlT^sC-^ZPT5NdF2w9m7EdI8l|N{b*hO zx!G>^MLP6_ivB&|`%FITBG0^UqxD*(ZO;R3S&Q^usPh#}EC%+}(Nvr3OS*3=)vYcp zq7yoIEp6`;759%1@Zt4lCcDulQ`2|B`zOF&eRgvtgP?2SIBP?pp(Aj&aJrYnazeH~ z$b1E5d7nWOCn?p<&j}408qu4n8B$p_eBvBar&hHKQtV``IUCL)mT>ZW>1Tq%IKDG+ zF=_Og76g5NoW8B}mqNmkoM3?u-&#RQNb(mJcK!14i$rCMBCTBVxO_%)r20px-ZR~n z#6~eWJyA%VCX?h_0X(zbQ%ab(zc}P9NwQ?p9sjw}%tCIzN%#;G=KbL$E}Dh#aOy=q zP#|a?pX2&7ufuKOJPrL-OyRuIEy&>%j+PM4S)LZmwiyJNd#lvY6WiC8D z^v3|FbKhHj@MA!xfM50$Ut58*Zbcfqvxn8eH^0M*oXtT zPt5sxm|Ng#waM7|TzGGaK$<2mduwTjU#yiKE4r+tf0e_pL zG{OGLI4_1&-JfcpTO-MEj~&wW$DYiUhH*ZyuWNJ`Cwm|wE-VPmYEipEMb=rCgFM zUasXG*Nk;eRbF;gzU4^PL*Ye6Hb^>Vt7}svhDyj#X6v;%BlNLaW+Wq!3gFaF@C7~Db z`_;}DQDJgn+lP8qb{NZA?+S_KVw|zQ;Xey`*E5K>x{dy4&CQctXeYT4 zIWqWJwMJm-VMmSaP>>sm`-3#>1ZV*OW(GO`{S@s!6p#1nRkf4|M5*7n+3E8A+l8`&Ih*^NIULVX{KVP5Wv z*?100E3`avWpU=)}%3eb1h?-_r15$i~-df6G7KAxZWvS-dQ&9+GA?LYr$%K zsLj{zdMKse#V{oXd^bLt2Z{c4pYoR~z_>-(IH`(dYeP4PJl6_CwSfyo)u`dEZ!tGR}CTp#g z=-ff{d6)pR(BBY{mFEatLMRosgvKqDSsu4xqkGyw*~bZ!0E-85<*v~3IbqH|`(dmk^fDPUlLi2IL_6*3eB z*Sa6{Nf>9(LnkE@ng}z=KADh0ApXZ%gI-&|0ftYu(i7`EDLib!9}}0way(WNAjOa4 z{7aI95C^-agy*cotUn9-whmITTwT66|GrqK++~!~(WW6!tDNYIgs>6$W}_VV>6n`-VdUtIQp zgGtDbT+p_sDQsAjk6+;a2F2Ob-4H% zU{=@h=A~%i31{<8(OxiL9W-$zzgK4G_YFnWT5T zAv+lK`m65}5DAYIbR1wAm}Fz}KW!4rP> zi{OjrWm+eF6t7YWMj=H{nmJa-EoO zli)07PJ?Xn&_&LcJwHIh*JTiQ+*aKhwaDDKp6Fgt9DV>iJP@@hO+}}`Tgyde+6a6f zfg9a_59-z)g_{saJn|d5Eb)=Eb+6>no3myiyz=f?t5Q}+f-+$i+&0`|bmgxE+LQjK zNe~#_+Z|qiGF_B#ATg_UARe^MH`3mw{#Y{YyUH94e@iTMphFbKLmLbUbe9KkxcF#;ZkJf*eYazGSt~SO>TlNBP+E%!1^(D}xZc_NX|?*#yT|Ga z1z_Jc(TWuIG9Gbsp!4}$QnGBh2a|3;oHF@0;Se=Qe8(`wv%C25!-seP(!^~kC3Ztk zO`d{OO_^_Ff{Sz0yV8~SmJ%}k<9VmNM!q!Mk7UX#Qw 
zX>Wb6bnX-J>%iUXfp6O0w|V0fd~E>-m^d;A)NR^fMkP;BLi{?MmWWo7mDy2N@go1@ zowm?KUQJIHg-_|oWoGU5ADj64~kTsI4 zr#S0(!H|?3;(2ahbcl$a1-{Nhv z*zB@tIu8hm5gJYXyyFL=-@AIg(X4s!t>sRy4_|#H@V%0r!;$ov(ru3 z%?h#+c@4kdbG>b^#J$QkC{zTbbN)Ohc!GH&EuN-T{C-yF#ozG;eszNCdX(^v$AJAP z_(+fQJ#a>fdD#3IyiDG*czfy@=;Z(fkzr&&{a>cxR-c?bu@o zm`mB8(EUm)0sm1;NZ5!bE~pC4$Oj2(N2$(6dzwc<#=dft-j|EhBaUnlV^Q7@a`rO# z1L>t~7o&UQDgOAN1b#?HTV}TVsw`1=0Mp$ePx`vZq7l9o&C(w5M;X@Uq5gsO=!=

fZkqxUt@s?JsLk*YFCcuW9c+o2Wv$Yb<2h zu-lrB8$Qg=z>>wJk7xfOjOb3`E-0Hn+8VoLIyJZ9cpxT0S&px1M?*4#29_DV z5}J!wnk8ie<;PTFfOL0oQ_o1p`S+sPJY^1XC%;7-B)uz5YQL|s6_oSHE#l-#^|hDd zF%cA|q&)?^HL;?`lY#hHhSO^@35FJfpM~_adb{ud`$}oXZ6W^tW~c*8>E}bXslvj& zs~;DU;}oK0$7a^Zn7;lnVAs+9$8K9tQ#T?<4rvHrlf^4 zs>Cn0J=dc;+#E9)C>@OE`x++ndSGrA#*N)=Pq(jF+d;}2y=b?5?9d0OK!)EHqHb!m zTS~unz`Qd7@R8Jxlc*#nb;a>}+)^VbsHDXT*{i|^5S5egxebrE`GKL(o

LOG&A zoO&WU{#GOi!y`vd*q&IzJnQgrQZI2!_ZftvW56;DiV zTLM0nD?Zu%Iv=OQxKu{A?)DlSfs+H<;f&}hfIELJ;*u2*)Hl&OW6h+VfO{y9?J0z0 zrGyf1raCci*jm&^g~^m=4EibBlPzz~5RkyS;W`S7Q3b5G?eTJe;Hy#PuztKx;>+Vz z2{Z0^T~dX{XM%15Ayx))594BlOdUV-GcaaD-9@Z?WvL_rfog~r&{v%G8YGbC>Zm||H#XJ&0W7d zWGn@(8k_XtlO^O^&2I~QHzhw+7S`SLK(Oej3dS{Dx~4zSo{esaZu|7`*b5L|0$L%X!Q+=rAgs*L~J6wTL_(A7e7g#MnxD1kewA@%K<${YV2h>V8B`3TVC2o>(uZYgW0bf2wB zHPGB`>wZjsf=bQmk%dme$yh&2U*f0!+Z0>33l9DDs;3RBA&D>>Hyw~zmn>U;*DIN= z#!|fFxs67O_=q_(NK?w}i*0mN%*8MXRZ3BtNUvSr+KLgV!inA&1#b$PSi$V%^?UE! zMg5rUhbvR_KP-R`@Voq;6YlNR%04T7k@#rv&e6TIeegp88&65q*ZRluSl$N9OO~0#Xtqc^02{aRnK*dD76x+6f!zAiRA1y*WFAtXglZqdZ zfz@ic+UP+vxt9v3!7#=5jeOZGHid29ZnN_9cc4I^de8kWywxDo?;S@gBDjlCzNBQ9 zbghbTx6RBK==|+6bAxd9tT198wBOp07B`)cj?F9M)t)%iwC zD#noxCk05K58dbIuB+@#LNZD%r8!|=lhcc;ipdPF0yEk7;v8R4+NO^kav#g=Iho(? z^4F+R;}FFAdsRhhdYy(JlkRNJz%4hnhch?7PVYllyZwv;{{8;t&sQoC8k_}jhi&@j zyBGIopN9gosKc9E9k$g*OZgCwmQ?+G_n&Z#L|nGFacCsGjRj#K0r~+5yZs)u5pl8v za??M-4p52+vk#KpV$=JQe}xBG#^-!x9?3O>K%`c(p_linbAzRU{C+-gEuLYC21~{) zq$-@DU&!^G8wLNBqX#CXz&x~_*%*b@(^n;JEB;0)HzL=flQ_8ag z+Slz>>`0?Q1_t~u;n}f0TjcmuF``jA;)AQE&~WI2gARP#AK@2CGF)@wxbcUe$>)73 z-EZCt%uNMT-WLpOxcAn@Qx=K80!{xsAR}$vHk@(T`$qziiZK%4%qVmk05_;uA?>RB{3OY}azR zYYbBs#GO#PFQ{u*{X-OtmtIkpk_z42s*2$xnF}*?hr(YN2ACY;J3_&Itcx-uoqwY7 z1_o~6oiDatKsmdMHmlZ4Uh9Hgy?vE+8a*Vw0>g0*+O<1;2V$=Mk1Ka9W(Jv{ghWdj zVL-rPy9?3Dk)iKhB0Y&}Jm|iA(&?uV!|<2`I?OdV*1sR#0I8?gda>F(l;M2})=Qhd z#TPj}Kr@jzj|<=qD%=exvd1j=_e&Xf z2NWUulQQAkrn@v3FjuKXCvo`Ll6nTV*cbgb|m-LAr4QPjq+i@DKR{mML6 zect5`(yR8PN&S;g9iK(~Z3m`%FH!ChZ2Nx!*nwPi^&|mFLK&}3^U66(lH><+L<*AV z_>1QMl#viAu}#2o*OT+ebZpawk^_f}Q8WQ`zIK8HEzj}ZoFZyIL>@xl9gKv^Hr)Hl zd@R!>yi9?PvBRz?Iea*op$KW4RETpr~ZezT{8SdogoOU_rDGGgw=EquSm8g_e!m@?@WBX6wl(Na`i z;GzWF_iL%;)*Bv8Vabx8cU#Z3Cwa>mit+?Hf1cedz9fbz>uxn+xAau|r=|8H1Xzc7 z_b%VR{o(8f`Q}~W^>rttUxixVyg?_QqXYcD8dp|SCKrd-`OE(fS1sB7C47FkhpE;Hw&|y5;!U13q@d5#GPB9@a|}H&oGP5RQjd0GlX^dm0en2E zUS@vAemHwnM}!58w>x>b^Ugj=~Wmb*)OACNWwm>l8o{ 
zl8SZMHhF60Gz}9_gq+nMHWyn_OR3@<7n^@fy#9vhwL#mVm{NRF;um9W^WF?#S+`;zag8s>o;H*-zDkTTn-uXCf;=)4Q)j;NI%~j}%7@s2Ts%--~X1#{`sA4W2&3 zjmc<_{F&W!K^GmPLJ|6`eHWO_WTG^r@kn8wZi*?ktZ#)GC)Hb2*qwZ6nfa8@JgAbU zMxba&8zkw!o1&dT0$Ksan0&hzpV1UDyXi$@qwvN^6J-fX9)b3sj0e!*zY4R}3SV2n zGmD&8n`N%bRC5?1n>8z+7LaI2)>Y&>Img#As&kYKi>sFU2$S!vg-ue?pNnkvmP6Me zWiIxGM5XW)k1jlXuMH$(*<&2rMB8t(zmW+9P2CYLJ01Vh(iEm34L928eZzvM@baon z53r`HWYUsYUeX|cSi1uRp^Q;}x>s&K51n< zmN;A_1L8uf*N7rR2mqusCx1R#Cb^=9za*0KH!P`tuaN7!s8xiY(rYD z_9AvIdl+0JiK$1!t5W|pS?>x7RaG7&&!l+)!o>XcU>`tW@5s-V$3(pThy=ke(rQgs zIM58&)A2N<5b^#A!>;o*#aoyLxbB1JXJ}ds!EA1-mhgyd#0hp?nId)ioj@8FC%Y{|ro18^9u_gvUJ2|4vQtCYHMn`93`ZVQ@`$02L6P zKR}y_+f)wws2QIw)kE%t_CG1&)b_<%^B`fPrunxmwtutH3jXz6$GfLC0Zo{SEcNPNAhE3|2-y@lq(J?|qGoQXNj<=F5-!BdI5By#{X8JO z3h12$gVef!0O#;0MO`A_BD9{T4AzB+i&w!#cNA_N4ZyVTK>0-&If;QZ2ie7HEgLuA*;jh9K9Q^_Z1|Ws*+@>b`oX2nv^uDsN{r2yBRj#*f*rZP ze6pY`3O!>kE_n2rpmu^Iiy5H*bJeAXrl7o@jhc@7<2yV>Lafz@tZUw8fGom_A7D-E zZFJLM`}Prm1L9^t)@}3v=Y1dBg%7;h^t#LkKU~Orachk4^oI>zsCjG=@lXX)|Sc*PL;VV&w?%`eW--AS3$t@Z@_LYUAN*|v5YwH&>J z;_k;nLTDHsuD&Ac+_sXQbRjJ{WJ|P)kzUjI_h51s^0;-d;kl4=_|z8!sM|a#k*nmy z0OKS*upu=UYCw$QT@ec4{*Ch91F{YMtwU-w)p^V2uuYL$4-+0fV=;8xLH~7zY3DO{ ze;@Q={j~Q$Z8NhIAxMZ(6QdQkHb9nTz(PvlEUqG)W<&eamWdVAZ|7EP`6X^>_(Q#T z6X{YwtguQuGE%n-OCIFP^5374B>@!ugNUH;?cr!ba#+5PCSaE$_X_W38~zkx1`7;i z(l`5>jCPn>{jnyf>j#FvZdPM)rb5{$$am;gS}--WsxuW{d6D<+7BywzT*T>770e+OFr zOt2XR@XolzSXZKwe>WG3y&nu5x6HZTqoQD8{|(8|gBOBeoiLQ*iyyQ9T9$vBLZCv} zLVkCXCNKK80dg#ebzHBsj{w$B=6Igy?N8G8pCe(*j6)58Nn>Yc6JFh2+FotPGa~jZSY>=O?(v^*p#ReH(yg~{MDVGqI01zd0m?>WXH==AD zAupW|G%=0`K4(Rf7_Jy&)E_H|eSByB=!F?~6fnaqOvpY-@PD-~-dt@gC%*)UPdS(V zq&BeF4r1hmjmBBrXi83#MK4$@!sjY-{C-FU7=}CNsmBjVC z>Hl7aEHL;NC6#*m&mW&g0l{<_QTwwx)DPgIdpGi>`jI2K(wkXNnL@vCM_>v6UDPaO z$S^nPJt?hD*Z;h&S&|Ti>kyfWWBG`Y9G}0c(Sen#DNMEy6KBAl{e*Wi`p+0lVSr$m zvZGES{gImc?f&zpI=mTp-JXF`{;}+j1Y2##p=W=;0uMwv-caE;&G>RZg}_H(IcQ+N zhNbj>{``-kH zaHP_!jea(*q1}L-5sjvbvOoWM0?9yIN$avNR#LQi%pvQk@BqSUSS#^rFq!I6QZo9y 
z^+(`q(Ud4JUNHH;)-6+8?X!|L%xV`8XMSWW@p}Q_(by_i<N4-zTRxb6xezHzXu7?|z$;mXx@Qa=m-vHgi%LAdG$jMoa8x@{D%Lyy`l3g?2_{Ry(kp1L{JtKTc@+XkpU5%7RpKO|b?@aCmgAM`k ziv04IJFl-CC$CACgw&tReg7zgrWy8~s8a}iu88kF=E9WzP9kNrAPTcyeeCQLzE4J; z7Sw-!DIH0ieQ?JUrqy0_n!hdRgH%cdKD3R6^T^U)SteT;nfl@*`m-P}wPT zGxGzYW}!N;`@=+Ft5z^L#%Xt&ujjpxm*;0PlHxyNlIM@m=&U*X0L=I8G-zvC9X6Ojl1<^#76eGbU^?Gt z_Fm0CU-e57NO(QtT*>%x9TJzj&pXii8T@u-2-z>mE??~|Nbq2@Zt)HwqGo_~IGLyB z-zJv^uK%F_RLc{EnxWPI6~$e8p3aCbn8VK_Ue#y##z^;0b};LFqMw+2;x146w$AD_{! ze2)>B=WKZ~-Dn>bPV*l3kohdu2&tRIijHOzKA?>d4lDh&}C zb10upMBd|QH7wrZY`5WflgR$)S}W&jZwD91p`J_6FaMIqtGh^e(e6?7TDEvq%_sKG z;|K8{YjZ9}uBZbwK>%Lz$S8X?cu5#BtNz!}%77vJh7o%PAIss;&z_P1&ie!v0=1Sq zTcydq$Pw0&5=yyvXOvvd$z2zdwnO2jft!RgEhCPa_{<{h?7{Oa03@w=Vsuxw%T5v| zpgeV&BKM&&u$N!yLkmO)wHvwG@SCrKYL+J3=Q(j<;+Ja5lGrlLU?Lvd^qf?m#LCyd zQYOCQX!;Ii(5T&RqzA0$(UE3G?o3gCZOmd7v^gF0S63VV{NcpVRDLWc#W&11>BvUz z`Bqh->Rx1~+uYR;pfW9oc+jE6MtfMy@%Y>w^^;jLwA(l@e5P1=2W8xADumXBHi}2f zF~rM=o@tl#cSmV_f3#sg2>OYFoE;^hF}zF+)jA^pm3g_NxN8cGy_>CfYg3fKS}ijBWE&3>!7^`cC5gfJ)J!%Ygj!*9!41PIm+*tJqG;pIs`0fq?>JgB zkbFwbH8WH&awt>Eldi!SNhQ1f_|Kl}P@dyFLuT_Kls8OCVj5#@Jk;O2(3_JjjV!c9 z@{FuNEr1*He!t__Oq2H1c+aYMWiGJe;9k_4*EAX5PKCe(6AwvZF;mzfVEK$#LPQ`i zU1d8ZiV{s2N-VTFNwLkcm#3a%b#l0L0Gv8dlv?ys)20WK>rkcX z4g}6Hwm>K6OlzZY+>geD65RS+$Z^(>0xBZc(2q8#TjnQfHJ$SoqeSkMRDSvgMbN8% zc{`eGIs-Z5qF{&g;17OpQV+Ph!PVI*GWZ(x@BvHz@AG6h)Em;eWy|C{M_jzWbUK=+ zUXbuzEb$_S0hdXdvpSY45{XOoum5Uh0&AaJ5QL*awAB||m=r|kEVatmAJyg4TDUPe z!;dER#zqL5UT0brS9}rV`}SilAJe1Y@u%a@igQtx;z-kS-dv%axUcNfqZ;SdD|}+V zr}k!_lTFs~FCgL```X_sT7<8Bm^r*i7-a`*^Eo6U>Ym>|DtFnFz4hZl?7;gjiyWDp zS=FQ`UM!*$zsfepCV_H&eRn-*G+DwFNm`S~se4x^xlpD@i%r+54b9F8! 
zr*jLd=gpC((?#n{MJ~zGy9zJod^P`(m_4>k-x;Q!+KtOm!OP9;$9Rb}xGsc;Oe7*J zYI1N$qF@2vj*xe-ov&--;7M|V%j?V6LjKjd>_wS5w$6LXN&;>RoD~**3V2-9*BRufUBrpC^G4ANQnS8?Yp|83x81_8#HH6>alM0RX>OJ zk)LgB^=qr284QZ47XfcxEYdAmPRQGr;I}H;pt-2yBCz*tEI9chrc}Q%vLYO zs>ejlU!z(_mils-zgR&_ge=45AHvrUs>evF#1;C;i}#B3)yAa z@ytS-`i-Huw2B7+5s0+9n2pI|OIFz4J>!)65@7mC7xUdEYv$P50r!S=05Uz^9XdtvdAa=FQ9JEV<)5JR=0g zO4+F%(^$(bISvc{$77-KL0pOKjt_5cyNsR4{CeV86bFTc5}M{3@*hC4nr+7x{o*`& z@ad!HoPh$Jcb%TeS3t?p;Se&#tY@z+(5}%d$$a)P3Jt4TZ1_yJ6<-cqhBe;4@Psva-}Jww}YNWwqi?pev)vCDq8C50M?RJe&p zK`+R&`({V29b+wfd+g;&<&s7L)U|f!a`^B-5~^@#PUrGkBPrZb5WYeb6>cWrT4u9G zZEym0yz2@_JU;s*PK;Me%$Ej=fLzVYXr-?z1(L5}Z9EW`mGCPR z?zZaSwSU_ll+YC@@j^lh%om`8onJ|sNh4@v?{2aI#9QUAf&8QDPfm|Kr6BMd=U%n) zt$C}~2{;oo(`7l^)<+m@i}1MEdC9Vr@nY94-hYQI5($(ay>_b|@X_#2mN>XgknGHr zRoRC>_UI3H==EEK3xvKnJKokKJjI}2)=P@CPv3eDEbQVk@+)xDZYA0y~Q zjXW8=uAzG2Yxi1DOoqO%p|rKS!Pbi6*_fROt+QEYs3(DganUPn6E_D^EP-fYlHTtJ zUMT{h#V5%VF3gX3uS=PVpj-*QXY(!^nXiQ@7NE~tY9U(Oc`QoHh?g(SBooZ7&(x=s z`62%kL2P?MQdO0;V;5g5S6r3PW%4Y8y2v1}p3C6N8wOg4b?LCsr#-S9WjduV_Fo2$ zWub2@$EB`MiuD@eCXMFQyiem9HN`fcEsIwbCFiPjIC0r_Vsc$|8RyF9oZ`44Bmy+C zXPWU-h5f#pqS0cFpPxs3d-)EJhTWhK%ID^@6^DnbE_OW~fN<`1A$QxZwxjnmPoRp! zZI+C+b#b*Q_T3URcFoBF^W-2WRo)BoIYg7;+z(>Elk;6pdoYDlM-#slx#U^8B13&4F*jQ!n=;Ii-Ojjt z@_z4|Kd=98V}5+Q7W5{j>3mEaO72{8!_MpP4fC%95-ePIXF-7ogJhAZaippG{j}*T#U&GLdS(0e}u-wJx9K;M3{UA`)>*NTq#k!HBHCaCK z&|=9oTX%$OW+1p(qgknYq?A5jCrB2kSn_C8nDga%X5?zJWVMec^V*M&> zsTkqA@W;0m3AOtMq9!*8Ac|ZZLh!lJ%>Yl)9ND{k>5i!%xO(qy<@1DlM5I3bjh`@q zt>R!M7-EC?eNc^bk zhFS)^L&K;*iwnZDdG>fz)jUgs`2yzSb`hD%DRyEk?l~d_D6`jQ+_<2NK-d!z^UPNU z#*GtTNvpn5m*bQA9jDo1eaX$4bY`I+75-RQAG-av-N}V^kCAF^C-y!du{!zs)+KM3 zG@W>8>!lE5A1~>Tt6No`?$bUYx(sRbcWAD`ZV!TqUDhE9Z0r<|%W=Byx|!soyzPQ; zp;wTV@IF0G=^f{DXuglh)nRVu&)MHsggUGWOJCFzT|H^LIRs@rNkU` z4pr+>PX$^IZUwb;d03m`-{<-}! zBB6NmX4Z$_!N{*)ugBEO3VIoHv^=7N&J8Mt5A=DlpDLA994D3)?e(J(u!VZXLw@c! 
z?!+lZr*sFZbp%ZLM35}}2YJfP^uNec+$_4a2GfJfeGA)PcWR|hCVCcO^fp^%+~OY@ z@w3kxeURI&5!ze(d0gIeK?HnPYZl5a57a1_qC*?sx!WcjoxfGA%qEM6Y}OOqDIH4>pb zm)@5j(9fh*t`XZZB+=yca&IihEAeN1w-nW+V>%yg%p#L!{?g?h)n3y+j&!5h+Q`Bn5WW^zHS<;nPOez$vQSv3S9LL0xb z{o-a|iYbTha)|EvQ=o*xiA$z6tL9$RPPGa-ni~C&<0nhX7@0LqHwzzOD90BbZln1r zkKOiuNsBnV#?nEB|8FQ%%9)-x?BJ5s?V(}GT)o0D#3JakKLMUJ6lwt=Qc5k*K6xM8 z0erd%Khu`I`4&t$_&GKYyZM)*c#;(@;(}$w;RR0Ay1p&V@WtfSc=xLMUK*vBvyPMT zZms6pjhZE8KCMxo3uRM|811wLhwAga2I$8zpqYe>k6nKL96*|FvFt`xHWh}q&d3Ry z#Cwmwr0JNJ2JRBUL+cf-?YA0CuFJDZT*dm=~{z%b4T`osl8s z{Q4suM8`aHMK69lH>wyFoJC9vDXNyKl1T3({=e5*>r{>g%7FZdGTbr45M4w;q6}{Yw>6$2v ziRm+})J6%Vd>pUPU3Hh+Yu%ZLKFz#@=*IZ-|iJ9*@w)A*ssrAdmXKMT&AVSsV`lb zV_r+N`$neEe{_(^6Gi?t@Sn_?uc{4B4(e=XMP$4BlUZEA@O$$?!#dfe)o<=Pla3=p)mJZ^tcXf*FU z?)ntzJR+ha4SNeqa7UEpeF-oVmV>X9$!|(lt5UQJR8pYKB*!=e5Ds*c2H4DPsJg?g ze?%_3^Q*$%q=3F=Mo_NHJy1ZSF&VEUnh%_qLWgdvwok26$9rWeDGfnK>;kK3roG2p1H zuWij2pD9YhF)i-knQIA<@1_kqN7pz^X}2$EYBkxlEzycl3l{q`9(X|AMOBR14}aG0 za78cqzzjIsV@ebDs~Q_Bmh4H|KC}xzHy#YCAZh=)emQF3`SxnMR!P-by^5YY&nR^A z(Y0=YY=KA2l^|wRrsPh>FgjR?YBj(R3o(N=CZ;4%rhvQs)nHY*b}IFFNM!Bw_g_q( z&zH1h!Km=TG!E8m`#Fs4L>(5}LDFIFP~=P)H$Ies^nFKm=)gdabDet`UdfvL?iK(J zRSUxzT0BJQS^k(mCNqtw^OzSkHZ>sC-6*ybc38oF z@Fuv80}UazliQvHeLlur#II>a3UseeG_xEiB8wCFK(wLiCYMf$VGoUQHm9$c2n_4# zbyKx<*3ViC=v14OuEj| zXSsN`O(7|EIe9-+*2I9lMG>=oJkrze#Iw#GOeZjN7iA#R^0j%pXRh?F+{F91J&3yH zd!C`qr&7j==A)5ZYtb#1FlmG>(7e;gNYnQQfyuaZY0v6uIr5fma;bR-s!lzm_7;8P zB1d%oM`v2_hl{RIS296dOYHAFF1G;EOxi+gmEiq3-THVB3u{Ma)5*JsVuoExgF#{X z@2Q5XaKK~CC7#W%w$r3E>co620~vN56JHuKJwVs_Vz8J%p(X0|(ym|wp3;_K2@ugo zsCcv;smZ{FbU(a5ni~iVBleS7Hkw_`yiF-=&XwMhkpu8?#QGNb(O5DG=OfScN;jS) zUR9cbj3>W`bcf0?wibC^%ce{p6h6FO!94bzMtw!usqLX7D0sQ=Gg>#!ay*fizBt=K z1cIB?IUqrdkM}z;6WKS=9N7Yo7!?TTm+0+yWVIwY@dmNZkN1{4UNxE<8sRJikO}+< zX}T`hE)QuX*bTf!bscZZ9=d!)B*dCv@)0C@9g-Dyx}%3HtYpT_Z=!2r_8o5}`Q)D9 zptPemGXLcvm`6jvwe#-I@9q|n^w4xY1`(JjlqxO+d+Uh;VF8q#Cr3Gzw%WnzA-~Xz zeJWb7dMaiFc9B=VDxS))(V@QCEuKKJ^IO@i%ZXBVjV4VOiGbC3;_*q1XhX 
z8Fhss4DQz%*LnM%n(E7$VQHYM$W|xynw_~CV_Zhe+&KgVKzmEHpjc~zsrH=*6sKx0 zwLXk3USdZr#?yE;oOWzH09&;cDv{03qzFhqRvqSFDa-NcaYPI*J!z*ZNGQ@^#FQ*K zY(lCd@K2aIIOY8A^2i28?@D%}boZbXG=@n&N$!2T2%E+f6%f7T=oOQlh6AV=M zn`!CZ4J_mmrMFxKYAXA8@rZ#{<{iQ)6z$_M%~sMBIvGvZ_@L&=1cKKkL3?HfZTRCZ z#K`T8OwUO^$`{0d>Yd3XdVWVVhfk!bbxx{^%QK8U?69+loF6fTpYh%XizHszd6lNX zR>W*EjvsmWO?vuuEY5_0eL0X%gYiMjb#rd+yU5=fW1L7b*+T6tX2)vW*jN=D!)O8zpK)E|f1#c%i{d zAVA@bgsn&K&It4lT_W$c>=r8&pa{ma8F?q`RlJrvn|8^0@eg>vc*yCv?}z9Z zQg0#BPnvr%xtzG1#Qdx z)Yl%2Ekt52LPs3dE7V8w1g5 zSN5Br_Gw{t^PW$6$nj9h0cvMr6oS8Z4u#H|oYnE5mXqZS8ol6=#jlXRyIq0;Rmms( z3Ka}~@!dhj=vgF1WL8V!%mtJ0Mv!>(PiuT@L<#RDk%4jg6!tV z)$_rMn=E3cE>ZO6I}tDjl{?EKZGmoGitO{fIsIJZ9$OvhwCUhSpK1PoAoR)hCL675 zRy63Qxo3W!VPO2Y%7(Z~khPf4zup4&eR=U5xHLM zXL4OO9DK0b6-~FRpf5dR_~DDksv$GUbxuVZiW+ACn~{X?L)rK2a|W{FZ8Vmu(PuWc z?7s|kS9PK&p?rH+{orNaL^dYP^>(W7`}t9FinJ{0v;$m6I!g-V$=TD57aOc&D)Fo& z+lEnYGe@gMZ_c|_QGdKUe>%|;CEQ}0@E*E)ORH7s$7#yx^ZddlFH^WU3fhzSJSmc# zy0)IER_F&Uf7Hw`@eo5r}@Tvi*2Z z+kzsraekuv%TVohWpIbAA8^PAJ((B`{4l}~^PeJ|;HQ+AqL2fsLhL%?TkN49zIZjR zb$aP^5a~znaz@PGRw_}%NWZ<(fAV%*U%oG_6LTOA_R|5o!f`FkeIlV=))D=M58Vp? 
zK#yy<6Oi zBG3<%4+5>`Y|JTUQ94erJ`o3wSCmLR1;%%)EbZi&*q?X`L`9=dgAq3|u7>^y}T@Pz*XzQXTb) zEdjvo=x{8Xj>}z4gW{5Vrbg2Cg*!p%*y3%UGkBtFq!H|G43NulW%z6WQvd%K1byGt zcX3&^Cz(mReu|tBYosGws1f-$Lfa7WfDz@8@;5?zyY{8_Un~I1GsxoICVJU`mD``p z#BbD6IRNKex^B2sQJD$pO;wq>H6f^rfx@k|Gx%4~s99XgdXZGfJqkTw9Zs&|co>U; zY~3h2)blZ;{xOphLV+RJ$wulUyx z05+`01)Xz%jI=JXprwm7fhT9}fflo?qg>fqsZoGCLb{0z(pJNuwQdM1YKagm}UJ{c7@4l&*scx6m{#GiJpJgk6+ZW zu#xaLzjO5a%CnlIg8UzVG~o6Vt%c=o(hja|vdK=Xt9#vM`mocQa{Yl?DU5;`3Y|AE zDm3JG+{8<6axnUkmivhMM|nm4KUh11&nV5`TmUc^XSI>7yzKNh8|N&3#y^H(m=(O~ z&#*I)d}?r?p$>*RC5DGA`hOqeZcva$SvEP7K@o0T`(f2JbFu(NGLu^F#b;>AY|B=j zj9Qi^pEh9Em3}?V(SomDTuHN3V>0PH536nhU8sE1;jk%<9*Ehxi%>CO58^^#d80^< za3*tgN|q&9^B3)FV`jp@j#Ay?FOVxnTt4$zQ~BYWrB8O0EI!Huy4&H7V~y!d2v^)f z9Q?e0hf5AXyWT&bQ>^=qin_lPE<`kMILE6==iQN+X(vF7Q4TuR3JUN|9_ zB1u0Arz`9x@eLJ1%r;TWebnI$A?9jt$xfhs=Y2!vInt8N;RybG@yj|mj4f2rv8-+W z_J;C-L|{3=z^S*Eet!fY6ri+CnO~!O{z1F`8x>}UQi7w4cYBALH@}(u*#XPHMNu$X z{#RcjO@#c@hyI}PUChHHs|OUs2GmH#289G3G)?%3S)xNG`T{RXbcDKn=-YMSXpV+;vHjj~$VDijh7w=#_rbI1InC63!MQi%EBv=^ zNIh29-Y;k>xnLqv(=P(^qGBq1=825X#h=>YEvi&55mUotk;6>7AJF&p^S!(n&XyO` zAb)hW{m{k6r}|Zq;>?$~46kU zJe!;=zq^`E2&(B}hSK+(ojMpU^V5&)U1V}DeJll}4uNJQJzglgEo?%OGSB3Eh=JlQ z5#PqH=`mOM56NdPMU6(`R1oQrMk~Y(dgoVDINyq%ZwszaNU5;x{+g10I%1p@GTd09 zRBpN{-lQ<+@Wy&>S$Yb~Z-)xAC-+{3s2_oAoL{7S;ve-Q|0iM-KyWwl4UyiH4+5Wp zhk~4b065pS0`1Ay?I%`E;8WQe$MVYVjN@F znJ)dus`F~_~0|Q=u(j-^=nUtjDKCH=0z7J%AP^kmMDWmmJ zs+sW;*s*9>fXZ276O!mK_GrvCY%>Ju&}GSA`Ej_UPOXZB)kTVY%S+qUbnOpP4I8^V zM0NHtT($TkWPH{?2#8F+QbP>avAz3hCTy_JX2ebe)Qt&Om;vh0OHkOwu9D+9U}W>+ zEz^?pIA$e__!-F{)BikxCwNy!dFLXYIlPOiz_8)(p=4_>x0>wY-Yhhtje2#{Z{VK5 zYE&%);LBH1tjKJk(PTKUuhz>pGOfs5J~=KJl`KgMy~oBLCJO*2b1$t4ToZ6`Q<}-`;bLC;46a*r#$Bf&t$9@Fb_dys{?)b!~MkOyMyk>eE^-`<<=G+c&ss{69X~A=x>imSeCl`W@vRic;`W06 zXwU{hI`wF9ix-z^M>&;OieQj5=O+=HN(5u#hRTb;QHwF6F&eE{gQFVVSG-~lgW6XF z6JOg#R~VLjALEqWW;>Se8SPa|86Uu>z8cgxc@)6|JQ|}1--7<7;BX3u!)==I8E*y7 zB|+`yn$AeUNvnSl(?CV>ZU;fu-A#S#o{D^yf02)5BcY^KQTx=zI!qc6H4v!GW|E#h 
zJ&DT-0QIH=rS-#FaSY2=TlivArE0>RV=I_+9c^7-Wn$19z7KZ7O3Exy?fk^=XnSe8 zIeJ>GmqUMBd)rs$PbKWG)K~U_N*bf5|4!R9If3_acfgw5A9@M=7zUjV!<7~8>-SQU zOAAjG!FF-my98Lg1tw3Qc>C6xMjMC? zwYfJ5i4rlSv1N!*prWYoZ#WQ$u!`Czl3}T^#OG3(zlRM9Ku9siy#fUy3U?MJmIktW zoZM4H=E>kxbOR#-bFZV{0>A-P`1Jc*G%Jkz$>B-AXnT$2Ty4oIuDl%L2+uc1`LgiDEFu>)HB5rDT4|3hSS8 z!ISD$JwNlc)qj1nV9>98oi~MTMtG0cbiIc#L7?*K~!^^`)Gs}b+|`ZG}%QRO^k z1=gfOm`4w0fWuV9#6(dosK>}5($ywF9ZKqz{unx%+C{6Sabv%1LT+o7bg>{oD_Ng! zZ#L8}4}012fI%@xLAQUEg+M*aEr%%cLSoVy2ZgWRUY_kKcSH~#Y52jd~a%GrcmfFqASd} zJ5`no1Z*~t#5a!4uw`%Crnmf4+xP?v4xitOMV1p1tRu$}wOrDz^fh?|7rf^p(E=`_ z)qbv=8hEvn*887hU@I=1%M_qq{IDv%SIJ>Cu=Pc>(Mx{sPOC9unFsVt>E-pUWW?zu z^?g>IjIFaaSdS-u-R?Er^%T19OsY;*+HMSr++_i84GpyfAOm65>u`mcC`K$u!+w zZZUYBZi6bWjs`_Wt}l+VZ)WP;MqnVstaoI-=WyWXQXd&LGa7xa!mlX3h<<+6%tXbd z?XDgx(50%ol>f*m2_WF(k~itsUZ|GXPCftiGje7}S@?qb5t*=oLo$~YPCBWM*R5D#dS&0dG9+xP`%nO@$qC4_vmYPY{ZWYz71M{V&Z{z5) z+*=4Ci(6X$9)p?y0{`yjs z2tc0o2%h!5vel((#^y9@N2xvNB(m6rbpVsdm3dEj+;n#nB^OIC%GPlFVVQ{k4L$I{ zs8Haoa;k7LupVqZA7~;9u#F$nG+zc07)95#SAS7R6jK&FfOK?p$lh_V@j0(%3G7w} zFlrYu+w$EUjM0vjlS~owIsNcQLPOa?)slE(lPc`9KB6q5SW>xTyO7wbS7h8I%wpU) z?L4I~kb+)`E7;`jdgrV^vcShP$OW9)R&yl+9|``kv3Qcr*BG)xQsS?-TRVD3xA4d9 z6Tc5~XM{2*iWSI4+`AiU0&r~yZB6t~&wl_-zdbGr2t-eQ0J<pj%)TmV{y&Sv27^B=BLRrbn2Ashlp-tG_pla6KZ zc*gf?=Xlbl7?spv5K>wNN^;$uX0VHmb{qMk2%&lIdd_1rrr^3IFFKV9+(kx`-DYKZ zDcM}p{7!yqJ9*!njHCJx^4KNyiKhWlLeBO8lT<rck?7df}uFhydwPd%VU z(b8C0C|{z;Ibc2)hbtDug?be@{$PpbvpGMui&Wrj!3Va94Wbl&{#)#jmjVB=b7wNHh9n?#(OvhhfBpSTb36dS#5Uv8Ew@sIuKl3B}g(xY-u!3;-XlbPe zO6$nR&{d)V(bMZ`9!A({`PPEMOtlS!yPhrdB|giL2%#i-XfcY2#GmE3)EUcWEUX^1 zZFV-!>N=*6WD7+#N*6PEKUUIqF4wq~mZJb1KB=*RBHGxH`!M;7`$vXs9g zi1*EUbTl6w-)a|I(={bLQ@hB3;RMFcuEi zm}AN6yedg*R`SC#3GINNVo{miT%MSjnzFnaFx7=|!>AxP9SIytem38MYu@T3Tc4wT z9)Mb}xj9*pKkfR7$KE!MS$7y)zt3%5b4X;JagUvpB6|gA{8t_wQ`A5_HkO(@K%*w56u1X06~Fqu^!K4z8yTu$z|hqLtv zL8ZeDME+4V<<)N8-g;>lDejrx7{|qC8Fy;2Yr)0#T7p0y>MB@z9w8qSW!IEMXKm2P zsQBK5;ZUZ{eMaRN!uxanYDIc9sfp2Hi$v=^b2glh)mS!`yoy^W_W9} 
zMwJV`mVgxlxFvLsYlzy=iDWy1>P`3|QRA&CzDaDFO7mErdRK~}tIcQf(NIZ*)XUI! zz!f?a!??%F#$tA|VztF1k<-EwD8Dt#Qw};4v}EHjD_|&aX*NT63|4_4>g$Ni6KjDS zRJoj26`s~rylrx>Mz)?T&+GdI9B2gND83Lg6S1d~^ZXdIZ@O8f!2OY$DIF!J^_GY? z0MeXfVwW!1H68H8i890_(LZg{VG3e{frYCiaHDA4hrQG>;78wF$_hm{DSGgTklGpU zj75%Bpt#)T2_+lid5a4Hvr7n(ch?uv=zM@7h<_%Byfqaz!!pHi8nMv<-+ztB2EjQziaSc3 zADXj^ZNKHIE1<<){qc7b@Zh7rV^yOP#(zr++*3=N0Y8&t@v2&%0kwmA zxPXivmR?(Dm z&^fSy?tmS4t0MqkZX47oDaorbY*K@axVM#MGlcXnr6G-6yfxK0t4ltC0hY1|% zu--o9pqt-BZGY7HU|bm`%a*{VVa$0MF)lP8L?c*$3`^EDu|@C)NXZmptk5ufNchQ6 zrnI~sDVl)_-73;ehyX1XE!NfK>DU+UnQ>yhBi+H$$d#H^iFq_RY#ZdY^8}Z`wdo}N z-mRMZ;E5O{vOPKHDVl5VJ0J+H3KUdBeP(sfN`-!Ax?;j{71Gw-?F{fs)Txpm;rtX_yy|Vxx^#DmOH{a$MKR!qRtfCU`Gz=hAtsaW< z<0Vvg?r!;S1LrugZ{u*A>Ls{lKoiMNpe|jOiQCr^EYdGZ^m0QOcrz_>X*(H@AVa|x zP^X6uLH=_xY3GU8tGuq;I;yK}@9;N|f7(M*J9oVTa`F(J-#O}!ye9~EHV(InMnK^Q zo@{XlBf##dPY_PXENv7O*)i)vA78IiH_G{@qpWmpVw<+t*lE3aH1>t(b;C+kv8{Sj zQ)ZQGQje(*i8+{!Odlq(@7d`b$@g5^B!pv0@9&*=REnJCrYNP%J+=8~qv_CSu;SEx z%EbXXzo{SBrl|Pe#AX>?NE$5g@aaR!gF4TINj_9@7QP6R~4(7Ww!mmWXTpwnu~MS{CdyZd{M9C(#%A!<^pORE=Z* z%A2{!#GA>yx3c0!_7{kTM7h2CB(t4+EKN-{oHvzZ4Hf2tAvS_#?ved55f!#F$l@>) zjQ5yl|J(?`;?S^=W`|*eKTaj<@o%8u*DOTR(FDgn2hbcCY!E*f6iyHtEQ) z;k%X!9LN5v0F2@8p(QH-@3iQ*`~C4~bGmj=K%_~&n4&yKhke?Gn|;q;#yd6_*D@Z_T~ zn|CJR=M;j4ckAn=OK;w%a%0M2kn&RwmI7tbucq67m91@zZafoSYnpqzAY`*wwc8!H zH|59PFuP(HnTdCLH8hmjwK83OAR*KmPz@Vg$q-oD{JE9YVVe;b*aagtb;NGw@7O7Y7jR;eMyu`dU#a7jdn$ zgRfq}x1gw57_uQn5nfLp#Z@Lrn#9AzsX+3@cR47bu+rX8x=s3`Yv*e3JPbEB(!46+ z?CC6-&cgB=XN%d0L#gmpzsvglN0zU>jNA$Fg>8h_e=2LymHX5NLJl?1WS0k<9*3HAn*LQSX`<YF zW7&pD0a+`~yZ)EThkZAY16&yql~f+bLw1iMqlQj{0o6F>L|ZNGBBShiGy)*l!%VAR zJq1)m3-KbgBP=qiQv!;FmrpscVSV(44!JM3GenxsOM^gTQRZi!$z4zGE}RM0AJmoh zkn%s@_aB}!u*p4FcWOQX-j?m{A=vNOqTMBHB>O3WW7)nesyI6 z(`^FXTG5+YsyOtyu7$t8r4QlcM4N4S#y=_D;ObYi%ax}-wL^I8dbN(&q)_+LrW60= zwL$84zl$FHt51}VERx2_tgx&iy8MC=6^)m@CiWFtL~~;3I)bdJp!Lf&!z= z1Ac=Q==GSR^7P^2dYSX4!CDcOo|x5WaNSEP5*S>twr{55i`5#50&|WXF@gR2E+Oxy 
z9!b}rjR%0j`uG9}H5l!AX??c<_;_2e_}ixRbM?Dt4tG$+I}MyZh)R!Mvlol-v2uFp zU{et+4+`cYdxSMsGe*k45a{wAW*TAx`Zi4MSI0}2Is2z4i1R6--Z-@n<;7|#3q7D0|ij@;mA&0F3 z{c0SFH?J2u$Tq#QjBn`vG+G!~r}pAX0iAM5EaT$8qqzcHEEV%ZcVv{37zPRXT_h&q zkl)cQE!O^=2rKOgta95wXK`3x*KZ~?UKW_D%O`Z+zvqpo)mFj|cr9Q16o|N+XiwtF z`U9{R`eZ(5McQEP(&WfCI2ihhLD6rgBdrmRXt#r$C;#X{T7B8vzVyZTl?<8(`&}bdCInH$xw+(os8sSt2+q_5sMfy2e&Wh>i)8% z0oyt^-E+qcT)z@!*u<t4k^-OBjUgBE8RB8JzSqZ%QhTCS!^V1M}O8-`n zpXq6fD7(oil&bNg@~gZXMx1=CcZO7ni)ua%KaafLt;O`o$!Hw&w2j^&JECGyu~_(H z0+3ZB>nmSzzqLiA&v>YCtrk=9S5vn!V)yREOnI2oGMg)aede)8)i%t(;9FVCYrMjp zOkh|t9q*9;28^%)^21X#h&7gAa0bcZ$78^XEcS;VQM~Ps&2^zKCx3s70*dp)|QY!@pP^9!u}q$T*kIC1~_ED`*`5Az&^Stz;n$T|x&eNa$R z)fA~j@)f+KoiZLr8mr#|H^Ypiwuii=aReUy<87GFuu8ChZOI56qmt zg*Ka(P{f5B!5}=Z`xZR5Q+HRLb^h`%iCj9fd$4Sid!o)2eUS2FVZ5~^%3!CmV*nZ0 z_?6EGe~YbEyt%{89SQgzOR0l3Dss6!AlmAFb8hA#PP|-UQ{7;E;zk(SKrl0BJ%4=D z+*Kg^<=b&R*1_V<(PazA*rs(mz8Ig=>8<9dr$K-z!55FZSI!-@pPKpP-nSK1^6^Y+ zDLUR|xgMa!?~&;tZPpv^0~lVrq>(d%Psr>_`F5^uC-JyD=zSHx?Rq$VCvb#$cy~Ip z8;1DO(>JL0TrsnFdlmhK03gtCAw(#GB=;-fbv-41+^AUL-#U|n;pxt3^Sa_3QMVJ) zVKCb*kQ)hAz!V(n6`o&C0p6-YTJL|^_oL!FWp@R7z5`u?Q|1a0Ii{e=d`K459mmU# z%;UmMhJ`N>jaarB>8CHc?HAA3cEr82{T|*6aE(0%b+N-$cyN1zlG-xwvFMdvk>?;3 z+pR1w+FKl#P~EEJP!OP!DW;#JSwQUOi$CH!To3N>y(iZAugYz^-Qrj&$6kzm$sq+# zrR|$3!*F-nG(rat2nl&4V|p%gi5a1PVdlt{y^CWraq2pR!-L?oSnjGAQK|Z*Xf|s3 zLA_y`RsGi_9-GINEl&gZe(f%n2A_n>OhrDfT_Hf|yD!Oxdh2=w+#{~Tde$_WzbHEW z!T9N2DK~AWr{(>0Y(N8+0&2(ai>GQ!h49p`zC@U?S z%C3j2>KlU!i-nAWvS6bEuXZ}*cr}pzrwZ`*9J9jSJ1D*chmVEuJ#khjj!i7 zI(>8P<;%JI{s(Yb4-Xnrx`Kj&lHzN&#Dm3l%Xc3G5kttJq}Bic9CGY)hj4vziAPkG zKqeZsYHGMTb2=jrD&s4aNx&)7O5A{_RD5z#XSvP{N3#^c?5S4`?qIGmzthniC?7Z{ z_MLz^b1#+nxYj{}tVpt|`)%zShs{-=JI0x!`g*pF7H(Bc0WDGySCvE$sdHA#`#r{LwwD!?AY;nSZlfN)J8p%6q zqAtJ>wy(+5&VJw&iH2+UOf7*AY%!Bs+D|7 z^6@b_0w7`Mis-I@I=OER={y~B%nBwQs9c~{Xo9CG=~W+H!R0=m)5{*fojoMp(QWIE z$ekumE<5ML7gVn+wIJ|05&W8?-g2-a)bnsGpGnf^Hw77gkpcl!!o?a3_)set>zw$W z!49dFMw?K!!HLEjmZf|?2$pQ042?H0V$r3CR}~au-VmZZglURerU?vgIe5^LbcwJ%JtXCM 
z1BMUF#*|m);4ink1EOqw{l#fh_HNr&ZGY($$5$)t{9jzoP(UA|4UOtTmxO0jx}g$$8D#i|r_Mn*ytkUQ-#&cq z+CSeA&zv~qcnz(D`o6!k?n|^phjaQX0dFr>khv9vzq z7F=AJI*VefrjfgrE(#H)k*L$8$h85)*Hj5air;70G(vhEorf^MCT<9VBuAs)WI??q8XW1B zP6%^nC{6P1_y!!BcpJS3<7=0BNJ+5!=Xv9EFE;ygL9J_8qHNgJ#S29J70OT*zgqQsaDioHpkyQk{`Euz2W$ag4o|eYty!f+v%p z)5HjZ`oTk#UkIqE1={YnO0=9x*mQBahuofzA1cDRJJ~v=6~c^B^4E$rzH|B*W(cvU zl$nW2Hx8Azj-y?Zh(U&S(Wx>WzIi)7h zFluDOilYN0mRX)`e=g!q&>rp&wg`vBxDfYZ^8&&IubPOq0Z?Qof(*|}4K?(h_gpg8 zDJ|aD8&~1Hu`sZ^jvfbOMxsl52ShZryj`IV_NB9k@N=ZgY9~ZxzzQ=D3VH*TF|t!`(-xcW(46(u zt|#t$!CPgj&m4(k=j^$EQzv8?ee?3MQ8U{R0iuq{9|MI2Kz`Eo*9DY?gAW8m+ z07#ODYdHMyuN6ERk&LB2vgpGAPJY2k55vjT+nJmZX-x#Y;PGwywG=NPhF$~R^kB`J z{mI-fna-2Wy#p$mQLCr8q@g2D?eU)amlnG+OJ-t(ZlP7`{?07Y!mi}GrxhC zgn!tvp$d*E(@7J0RoMN7{3xqwyC!dL%-;2XOB~mEpt4lI4`Ls z^lGE(q~bq}BJM00y#F#{m6TDc?SE(sVS7+`o&G61@`8Y6ZgKj%!?DPP<*lv7WitD; zsSdZvQl##L8jy}>8=6Qt2(x2-E452!4v>#=-KE2KA}0R^DdoRbm@7ucy+ z7o=TgP?lG5>=c%*K(T8tv=$bnAq5i5jT?dBq#{W<*X;=2sq@pi@5NT&Z6(JRXX&rr zBvRw2-xQvk4zVPA6C~Zl;QR27$^+_4Khc(PmLyI^zT1lyARrV}jJkW=zw%4ozk+hc zQB=vqZE$Wy2w!vAa0Ob&zc|%3JC|{D+!IgUO)(ui9P91iX|Z(qWK!BwE#0rj&|X7W zitjXk{Is*qif}^U3z=)3c{h?h^tK%J;^FA2d@IHmtqa_?lQBn_D+|9mrnoboLCv=g z)>Z_p(Y{ld+=KD7nDncJpWSLt#t5ehtURe9{JZC!ha@36K=-4v_H=(w?^KW+LJbo^ z7aPwNY7160X@%7$GQuNf+XcKv)ry1L`Z#1%OkRXcn%?0rT5djdZtB7pI2ENr8GSQ$ z$>bnQuF}^;(9^oW09Y)szDO~)psL-j*G{wQTlTTw+=i%P*QTD(t5=Q1fx$~oQb55g z&(SKH{D7*={nU3V~=Z8`#t_-LAwk-hP&EPVn)t}%n=Pspxg|Sj)l*Bl~MIH7Wxmy$u}Wk{DyT_W$ze$)?8nqGm+6*Hgp2%De;Jg>ENx!;0rH= z)dU-~PVwA*@HZB!O|bqr_K6%Ia(z_SSeHCEd^<=@1IfHZ5CkMExcs=`Y~0teS z_bQ{fA=F_v;>eHvsH#}Q3?ZI49fPj3A)4*GqVAGt4(3IF@KHC|T~H~!7YeO*r=Vd- z^ZSf8!63#0L)m=wnBvri$EswYB$ONlk?DR1`@IT!XIza&F#Ei2x+`H5OG>Wgms9~= z1-#HOvh)UiCbU=K-u#;u%-}QVJP~yiI^T|Lhxn?}<-n@GVFNBxg&a*O-5L{G{pg@J zQc>*k(i-uM_brnf1H2rjbLFiTLJJbO8re|!7qQ1tgg2c@lg(ogjqTD^N+46EAz1Xw zEX$TG^lI!8gdMz-b-p)`VS39n!SUFA`=4pNbrcCjD$T>+CfLm@y-B^m7iAvR*xL%E z3(20YTjV-m{??fUt)}F9wH;&I&7hnxoZM)Q$Ao6GwG9!#6tJR`{jF_I5dFKDBgM5W4k&mcSZP78)(oFm%@5NEGN=DAQR)| 
zE<IM}-1~7xy>9dAXkU#19kH_7;m=gy{zbo{fD^t>^a#Q>r}T;E*$)JH3x>&M^UW zyAwgt=Y42~s7WH2=k9&3uPbBsvPkZsC+upA(=sEa3 zTY(M|KaX#456B|Z(9wo+6$2%JTWOMj35bA%YyaxwKL5RU)Yes(npudv|6ZUnt8FO( zp3O>TwmOUP>YejFpOg#c%o!p^{7~O1L^{221i`@hqu*XI_4j>nLLuwwB>B+9w7)tL zvrq?0EW%qWRs9tHrU-uD77gW3Z9fwJ=ALPMgT;hU&{3ytngim|?iIHfnYid>P7YVV zox5JEuHhuVYZoMZ=UQfhO|Pdd9S+Pw*pN`3U8`ZHN>o0?O1rthJs@G{dAi?8y~QI6 zhcxKBK4AAuseR(meSw;$b0-*J1D|O)T=pRR)X6P)l0d9D{hhJYY|X?`uA69Lo0lca zPp>M9z>f$8aGYvWpC9T?<7U?~6CDd{rwqE~K8e9|fO>*T_8X&I?e^k?a%=>yRPQpX zwANA~p@7bxKY{@6mTHj9{e}tOy}mx@yY(H#kMTd`dLgh8&>MV&pM1bL_bNe{C)F>l zqNZUa=Qh;X(Ry|7wcec=ti6ORL3I8^hF^~ORIlg6qm$7?Bb|*Lyon#fGrjMFqczbv zpxivl-azEnfigqp^tu%XvJXg1;+_&0Pu?cf$jh)97h zmp{^$7;<)F$h&v2*1$)oG zqfGwkXN*bG-PMlSnu9igrjB)kZ`3T={nl>=wLos0!_vTfk@+c_W^ zO{a#7xoRfgIW#+@Rs^VVD{>+TW|tNK9-HBrVf?3(!liLoCnCr#=)89Xq~S2tLw>P^ za+5e2=^^n*2W$;}xgEH8cs%F%G|b|t4`gP8y!CMYe#as-0;CH3+_1VoB8hprhNPI3 zJ3j_?PX~U+7QgqfIfuQiPE(HSAH5v)yyG0r6zuo%S00Mu-){cxi-JZBzuEDVHlOk7 z-W~{X6A{YY?Dhtv*Z1R6k5lj0eW9QHFW&-$oK$ECs(Sg{D0nJ(mQF<3cWv_&D42?` z!|KYFsfga*bMCY`ZPL(BXo8C(+%^)L&*?ZW32nci+yh{55A|Dhv@>A?3}GW9 zlH2}=XLmIZcX#@XFlYslUrOZ6%q0yNT~S|kVM6JDlX$<3&|~>MJSU1J+!?;5@S~2x z;!`sYEl9 z@PDkOpd&8ZyE+edg6Yj*f8f%Kqm=P`l2k5h!!0GR7cIu$gX8xO+xslGQ#HqRBwJn%|lI-BzDO+0U=CRbrvF-kgWeJeO|E0r?ad{N6qCLB9Bl zgsSCtEA9edsWxfA6RhSt4hs4n8^n!-_EU?E+>FqQ!cTG^Dg$Amb=5bnWQ{w-5#mcc zG@Pf_4as(^YcyeCyshMc5=$ErIG8*ftA;yNLjF&=eNRzzaZD6jK2RigEUL8Y&2Zsd z3frXX9E$-;K(6bVi;2yv#^igxPyHi)RLqrBZWPEPSo;BGef=k4NV?jOS;Km~u27^7 zJinGIP2Z@i?E%_3B*@w@Y{pLwj6kNjYDrvSj^gP>T*#896qS&h+_Q7o{Mr-~EZ6Vp z%gN$(jU?Pp{mLr)RNdYCZn2w=4#vuQ(Sh=cYCR1qCAJh)_h=hsTw#N za)#yaM`uE0!9K?i1U)E?)@+y}i3l7@4wXY;6hclm=nE_~37VhnffH2l9+`du4v}*? 
zQahJG7dX4(GS@4y?Aq0(j`a6!?X~)MYE-H)ZQY*BclKVpYT1c89;&R}vg=C%ZWnh= zE!X;Er+0KAhVFn#S)RVK(@+sTj;uH&=umAFkBX@L?^!$=(`IH8G+EBS*hf9Kf#32ZL&NKAXi$x1ycA46tPa{E02F1H%Xf)U^S6=dBJ(RDT+y&UNmCv`N>W9!w1 z=y$Uvh86R_drpzO?hi}`5_EDItqa{I<{ z{of2G6^}B3iU$024dOYl>TDN0C4*?;5vHKjC>C7O`ZcQmXzTgHNPsZgD z)AZ4^^NIbuYsnY1!zW|hhl^H=15CHZEhIZH9B{cD&`3ZwmABU^u=Z{p<01RF%sVg) zJG(MheBu|Gt`yNd97TU-_1+-b-T9*xF8sy!iY@oM$_%A z*YW18?u#a3(8RKwOrF7$n}JBjAJTO^BUaBIvIzm2eYji8O8ju^_a0vP*?fHp@g+9+6TfV}t$t4t zT@>O^y`i|cf@{0P{Xluz8LKC2<{)s-bYN3d$pBneb}LZjHRMD$a;id_+aFO#eKeaZ z0*5wVo>K4x@|TMHK)Gi)DJU-nKPAWk!o#dIX|~@ZR)kL_-W$Z17!#bEB@9~l7>yW6 zhh2T18>JU;?vE14@N^tZtzc#72s3!H+A0sl*VS$lWmPdXj39B`pRJolO&DQJW&|v=I>~03~~l?foJ*d_1e(ZiLw}y<<$L zp=h>dl~Rf&0g}F|7+>+g68&$ProR-*p|A+458@2r`IvB@T9^LlP*1<(y2S!Y398t8 z7r2aHd!y&8P1-$4oV}abP{3}bEnI-9bkE@JD-CISFRCS{sfw-vmtL>Jjaj@!K2x9X zmDqAW+DZ$Lbzd+8-rdO+Bmvo*NqGx+iO$ZY5|wgNiyv!%s2QZu{6-(BYq)gODv9a1 zsubx#UihL?am}Bj_(MU}ew+w5p9DBHdPeXK9cNst!puK%+a;RaPEu@8Ha_EgL-S-E zd;;p^62#}hNk{%3R7{JVL({>$WTO|UhK1zIf10ui$Ubw6r58b)R+$A{C0|L1Yr8y5 zf-X}*sk|~^nyA}SUe_m5?6DrWM(5Y;%!1NlBqQ=EFNY|>mfHzkEu?KPiywO_TkZz1_3@XZ8-gTewFxRVbFx`Fn(u*5d?FIp4P9LSN6Nd zjaM}>Lu9L%tJN++okC_kiD!rm>I*L`0h#b6>k8r;FQ5%+z<{@q0U3|Ei@1sbLZ{36zA!Tf0HHiCl1 z?WP{}bEDh?kKGn}#0Xbf3~^gR+7MJ^h1zW~rrRW3;oTM>r~6A4ISE;$SuK0BMXC#T zq0*Cp!*X7z>V@Bk7fjbC#{`Nzvk=$*%%ALujD~J>^V6H_cT^fCp*pKc zxt2m3yFzojhZ*^~z zZ)Zii&bMlP%n1n2{F>G+6=SlbiReOe6I)4ul)L|OeARjFu;kP=y#jHu#3UHZBII(k zw#ZRpI_@KX(q`BKzB|cvMS45cP-)n8(yUG60M|!>M@q`f9LJ!WF92kn7fCH1tY4M}x*w?p4Z@{jROULCDAKVmAt0t%VJBx6;5tT_H zv+dbv?O|+zB+t;I*`=?IMbC1+NklcZ#(YHyS+@aqyioAwSEY3brAPTEHXK<1hZw4heg*CVpc! 
z7kAk%2TqrYXB06W4pF=8{h@EiNcFVTXc$a{1@-J2*B7jr{+b2bZPp9(0dz;kQL*fb z4)o;Dmrx5M2@sDW!V)dlV8BtNRC@^C5h= ztEEzBoItL12GHdiX)Kj4kKN?&Ah8j}vcu}Kegvc<(Nt&ucE-KNL4<3O@l^P#DHX!k zGIE9@O6&43L<%MN-Aa-$qt) z_<3FvFxs#8O>R3|lN?uQHIkoF$q>;T9TQ-m+0eq;)1+^8~_=1N$L!M7SoooAU7Nm;d`cCkW{YKBcFR)1l zTwpzVE3exkId)sE>i2xE&ofB)L+jGrTrdYbR-?Zt-(5Z@1D*g5!c4Dqm|wa3Tv({4 z&sIT;oH=7iB2byW0Bn`-!4_>+LzbKkUv>Qm+Q2HoQ@W~#8bi{B&5Xe1CauvJ*eOn9 zTEjW#*$Y4Nar2VtTr92!H202ghkrk>X_Pdtx9V5=;OZ9UwhVY7hJ1Pa}rRV`?Ce@p7(_sdi2dRHph+qJe48WEt4*yj zpGt|2|L8AwqG1^EM^!K3!|5_}Z{dXo%iz{1dmO1mY|-<}d}(dt0K-0)+&)>0JF(wK z*rn(a3GB&u+*$CiMu!f2rVG~Nzc9uUh$z4#?*u5H7aKjB310=w6KEo`e`K8JawuON zC$n9TJ-OBxT@?T&3zMC)r5ei8MTta^0KFuu!cf6%%#5(E7iAEZVU|Yq;A1CZy%2hX z%i%q%akFuC3D|ZMW+B+tV6}^KyT96ommeICN7eSaR&U_*iw)ecb*vkNjDPT8Qi?yO zFlzWY=;1PoB!@XosO3hWg~}T+Qdf=D+v)Fbb(fqK9a0OW4;6+M%)Kyd&n`>ll6Dhr zGfA`MMJ3^V-$#Y_CHxEBRDv@8TGbnS&idJ51s`Nx({AMAwROZKfvYo96uoK95cmIPl&g=4gO47u^_}}eKJ41 z(r0>nC?wf=;kYBi{#L26?leFa-sU>Ygl#Vmu{c$K3fMcany} zlfm#(nD$6A3-5+fFSoGj)KuX`Othmb)_bdH+Oge;|DqSobvUMnz6sW`P=4>wZEPWE z>fXnJhN0Uq@R8XZ`%B9?KZ}$$UZ&mNs40CU{v%`_6rpk6LEN2ns6QMfPSjsosr zHj1(;9sDyKCH7?&zfMf>6*&!Cq~d6+r#%z-$~835%)!timZ}vOsdEAJ6t!j4v(SbU z28Sw8jK}^U9VWKXXzIS$@`_}oF76`Is z``tEs%VP#gLAx5J;k7xC%e-ecx% zM#`W*jTzohoqN{O;zdPhr0Bl6s%|^$$*(+8|C>sx^c9-d#jebrn^^AWDM4+XP7*Lg z%!HO}#=hRjlDZgHsr~vkF>Q#GxKMfTl%c|b=fKH_NlkvX+C$UI*yvfzX$YEDvlK6$ z-kM=;xyCfM6h_ExhwgJF2Et-{=HuP7`tpT?*8^q7$v1|Ro>II9R#q$1)q~r&pBZ%% z3S=KfURcZy&mE7_h*CMsRTB*q+(b|b;mJz}JCOR|e%C7ahZ4Hn2Wy=6h9>Im$f!mV zVOZ?BR9}@SMQIR0L8Exx*M6JPyws}|i5SEwJ|akWtsAqIT&gxtw4hfheIM%H6Ty7? 
zbA1!hmVlgo^hLYLVIm`aZM|5m?gG-Wiz5!h+LLQfz;c5VIwsWQtP#n8s{sia`mB9Q zTU7!1sV38tH=v@Gi&m|(Dbt3yM70a+ejw=US7?7_R3iRwB(r6oManV4(SC%K*M7Bo zqW|1f>gf<}5-%9JiOj7X5`iiPI=Q3OHwyU6$L>J)!Gzx|KM$yyqE!gmY=+MGF4k!g z_e%`HEG~a{ew)oP7c?D~sJNJe3Uqcj43PngDVh(aG}U+xp+gV{**jc`dq!`d1$w*8 zkvMJ;hm9VQxcLuIHT6fefrc-JNUt;hK`B2v6j}YL0$5&c2nkFF(7*w@8u}Hydb^IH zPCKz?6z3@jtB+Et`duT*H}FWK7ambsmB$r=nFf6n+rW|6jM>aV)WOvI$SxyPDwNK_ z5Ul>Fsk_&$g?+XUxLgv!c0_i^`-(aY_w*Qh$VcBy+1y~_ggrT=crO;P8!^J=~uITBn}>;EX;u$eo-eHaTpfSI|xvS;!1?HH2vQ!l5OSE4Nb?95RLXSmqmof|( z0`KJ>Qx9gV#I(~Sy@36d!us+6mu1G5$i2$<=)c)E;XEEO^5t%91WV4B?L)8T8>9HS zPoJd3o1C7TJm8oIy)8y8G)(YggQ}>QZpo-J7c`6SCevM)$C6nK&6&9DW@YCZ4RX969NobMe2?eh_xjSL{8SFu9$ zC$*vpyJ>n4rT1JKN%yWp^gfj?T=leKF5_AvI8H(L@_A`>Qomji>1=llpGp2Ogn57a z)kgyRFcY61~6uH8XhSX>TNQIK73?XB6BK;s|S<$xktw) zQ@B8!nh^2CVNbr->{2-v7U>@u?Lv?i8AttKAilp1*#OE9H!9Qz^sbdt)xl|p4+XOT0{dB9;d%h|kXfB>fe zqTs&yV%=s%K=K0>8a8h7B*RLw)!kE%-W_9lK31hjWkD{;Jok+}5O`oZ8F2HV5OCDt zTmUXiiQEYA@Zm|=eK^Y8z1nh)ZabfOh}jO!e`;0|wq6_#O*eRHe_Te8NKF_iwi-Fy zbUUc_@}xw0wX=Qtj>_Z|XNdRlrz(y33|&I~7LJ444F``}!*8srUcnwtp_R;AaE~04 zHJq*&IukS$uEIJ}E?S+9DYoKTcL^Wso}Q0ysh$WDR7m@|g?mNsYX*lhw_iVy^?9!w zjH`Q@BAA24j2vH~pjbtw&RafIlFqACW)?rt;79ka2@~qhxK)!wYgw7B%;6%(4kg%w zMg36N1Jm34>}7hx4{;9H&pfhYW!LLR&$xHr&iwL%cPs+?DgW!Q+g5xM8E_xGe&h^M zELrxKe{}zU)yO|(|2Q9xV%Z2ZH=qs_Qh+h)GVhRI7JXxk|;XrE?~VQ1p4A^v6lU&Uf0MG>eAUOH*DMXH5dnKj31o#Uc}dXqostbKbfR@ zF5NF45{v5jEB$x1GA&_%2oSq)YD!e{Ce5hjr2R?L#4Z2o$nG6I_PVhtE*#BhG+SX_ zJaBkKkHag0VD=||7PGOyv;A{86KN+ls>tc!CKYhMtJLrvvM18{;gBZS-B}f(D2z#Q zAKb=+Z_q0#9uiD!4b8%WnFm>e`o! 
zN7ho~*7B|b1&xhmU5OnPK@p@4zx_xhcvWXeA)IC{7AVUc7VN5cq2b_AVJ5V>fFpjj zNuonqKV77}AW6WAP5xCXkl37i^qw2wUhZFRkYwXKMSyA$MDz`#gh>vl3?LRIZA&>yNbVvg_of5w{L2; z7BG}*c(@|J;S#yv(1^2^8?Sz3>h{nJueZH9b>oKxIn^Cm>c%~mK8Z5#gyXY@mJnIH zc1s5zW#x*aRwI#M8iu-uLo{sqx@VSZbT`d?M27Df6Y}Y`C_Q$1d;n^Yyzl?jIc=$+<+I!UXbRRknPj%$VnlicJs7ju97>c&yO3)Rkw;|3 zHe&sE>jCs?<>P?#mc}$DFOEgIfY~Y?J&qTFK)mBFb%Nrcq|?7gp~~%9tkGoS4Wbx^ zF6&vXS}1ng+>trBZMPc{USddjgLBdwFPP*i1$@S-yPoyi=z^{EiVZp@OfYE1OYdk-d#}wknmd z+-yKbcL#rJ)Kd{6L7aa9>3P+AuGi-ik1qJkxxU#9+nHYkXd)KsNDL9 z;}j%y+=YZzdF=oi_0&-!1>Rt z@%zr-x6FH;=lIaZu-*8>+Cmgv5N7fOmyEP)UP-FY4Xl^+cd;ZB18jZJ{O zP$uri)kO8*)v!-xb8yIT$ZOH60tTCWru}R;Q}&6=uuT5X$l0|29c|s)=^EEFjZ_L` zMCY@YezuCO1=CYLcw=OQm4-CVz0KY$9b#DYfJNE|=+=HCo82kTf9UW(@%`VmX&^EE zMUtUj{5}F;Fa8hgss4aHO@<(mtaig%8!r$bkLTR<7db6hIHiC`&7l*=S1CGA2dduX z+#a#P_XWe|rUvm?WBwX6nCnE^Rj8wEAo))y{a+dF-?;ieAKI|+rW*s!k~s?h6M{QH z*@7^&dkvClObyidhBKwn_{Wi03?&tk9_eibRsILm{r!hu@LzB5axq<%X;AFpSNoFxzIAcv`7_Rt6**>D zy!$W!8%q3da{p?60WGKo6lC$!e$NB?V$B&M5ud%lsNJ~l-`yN1)B{6R1!-{g@=J$~ zoUxea-|emIqla9*ffuq;6>!Fz%`LRbjom8`lx$xMP*ko9D$db}(9)k|7ydt6>c0a- z>H#IP`au*aXa-R*HskX@To4!Qn7JFLIO@x_ zC$*hO<0}o9sv4EjsW*;B@XdYPHL*zwcTi|X+Q?CI3i`i8^zUf%-^=|$oe%``Y~e7I8Ob$eX34#iv6K1uoe3$m{Te#{i# zNvKl%W+k;8rGXH?uAmu~Xg9<-%)fgLar)B)7uyuG9cKC@c~c+4deuHb=hXv&VaWiC5VNxbB>-wkIHx#StEEm1o-U18WzzbU_S&FQoR5L#eY+fBq^jO#9c0p z?-V?p>xuAqSSTB*k~4){uAFH-t1uIzQREu2tU~V1n|PIh3X}_S@TF00I!wpVI_n&- z6xqt@>Fl=8^_x7wZ;ghCCB6earKND3lB+Eo?r&3B?3Qzk%%w6xt)7f@d~+4Lg|=(q z1v}D-lLZk3G^C_N92Uz-IzTKs7$d4JD;ijw@b9Mnjx!*QQt&}RZ;sT;We`p@7&#vq z4EAm}e{23&O7wU608TUq_u{3Ry|8!EL@qZX7cHjg-Q)kkfe_(8vQ8(Kcd7#e)wi#? z*@D(id?Ga#TehyS#!`~`NCk;ANchjOijzGEG~2h@yhA~u&;5*(eJdsi^dv0^;b;}? 
zOq(YT4F|8!cO)EE3Q>R%`J+AVhn!{C%b?U({md4-2i6EekW7kf20v^%pL2p&(zyT; zJYvq7SJL&b=G+t7|G!*-4W|SJ3l)o5_I?pFOjW2yX?oG}&tecNrOG-@G`QKB8U;2V zIvjivWLLMSl@o=5szB2MV_bPY?FkNfdAoU^oe#J;AtzdgqEX=K{XF3f*S0{wR_{z@_*c zU?>75=cu$c*Q{U#@ ziqrpvA;1QM$HSHRUHH;Uk(0moH-7{u#I=}B(GMG3PaLO#b=gA<^$xmgsP?DI2Q1H} z=C?BpnJa&^Es4f=a)$1+4NP0zEj-l+11U2nK|q~Ds26dk@H4%d#A49R>*a%)O0ye| z*-8s-Jkw{trnZS>#y4gv))HJvTDF^I}#aFdzt4*{-k#fn>0ab$*Kp}0&LEkBAq0z+fe zUjNs8(Lm}Vu$O&p1g+G}fe#IIk0w3-ZL@P1jQy9JH-{j*?kx@)qKH3xex2og)|(I; z#-H9ld#*c?@=d?p(P6%lrIqT)wZb%bJ!>S zLxKV-X-O%Z)?^R$)=N@IxKAR0_$S7&v}?Y}F$^e5RBF}TtCgr)F7zLUlj$NCoW0(a z5!PG2mRj8WCoS~fnLLjdni`xnTOBzLl7tR_l#;#rI}Dp|d@&y;rJjNtSTu?L1~{a* zmhH0n6Y47v_#m?yB4~q2G%U+G8Sk+#LJyaFg&5sI<8$3Xlf(Gl3KdZxDm;qt;V%v9 z%XF5jHPM-51+;^Zb*H=v+r)g`F)VMr&92)SbfwW-E7AB?iL`-j3o)$n? zQ>fY=FlwIzpGh@`K(iblMXOLuGm}yOpXZJ4sFr^-nfDNEx|s%@=hfyJP_Xd#4QK1) z1H#(u5S=9hSmEdD=nBxE-ZL8Z`Fx$OQYCg3&6yV&K=g-rPfD7ONAgQI+klcqNbi-o z!i?MD9Kwk*>iYpHg4HXdJ*jD_)_jX?ZW<4sCgc0}pCU6)&Y^Bz^Uy}ppSfBWZY(vc zezOX(Tbq_e3KakWgB5bnLuN(prYOC?lP=@%#z{SsX$7&7mtGp%uaP1$-uGKWG$o zeJfv|6Wtv=0r=O`V!$=DIUXfQXNbv`;$XpljhMl)>5rqeH>OjrOG`&9PkHp@^Z`zi zhJ^=_|3VlVNM|T_poA%#T0ah`tykm^D*yb@K{cN3#kkN<2k+SX)o_C7FQlbW_+(AF zyp>6_l0Q|mmhTNrbkmL z#O3Hz8bSyu#vZ+2<2|c?c78<$^2SalRdGUV&*u~oM6W~~=Btxw31#ixK0U!5!fPN^ zkMEq8nPhl8;c0@-kwD#6mRgRGOA^SR{k<%=1VqruAE)KG;;C)NmnT3OvaxpkRyly@vfe3tW`v+f1r zHpXAZVGrgi+0;mckJ>o!l@}gn-A8sJgn-x2w(EGdu$8q2J5W^r1O5hhz|>%OGfI3~ zp;akDCo6{vhX>G!6ej0%0Zd^w-$0AIBYLM7JsQXl{S5TE>_y1(;s|i z=x@p;o$$dpQ7i&aPNUkW9$IpV+NDr-$?5v8G}&qSd!KCTLSeSW;ftyoPw=D3nC`dC zslRgoyzsSQ0D-u)t_RO2-eSZwevf!Yw934rJrd!qxjUTW6gwb%I{kfDG$UmX8|*aHvqvlCj5^;x8rNU)qvcIBB` zb`337GrR5mG>+Te5r;~?3)SJ`Vha0yj4)aNges`x9%5q5t268M?>?>!>S(1ssw^0? 
zZO%oQkHADm4Y`5fvD=2X?fE7JIFmkKA6dt7>4NBi`se~Vv%}b`=T||IzHoN0E;P(f z?+}<#xl!OQw)%7P24WP?K$#)g2CK_F1|CIMU$tpTqLx^cGPa~UPB8NT)Bwz~922zOsskG$Nen`& zaMSezY+RFJ=<>{hBXg4G?PKsQVIy9n-$a`G!Y-E5)_6UgLVKdLax9(i#B$g3=R0tW zf7ii_nQKjc_O|s)r$O*8F+cC9 zp+@q?Nzg4}4zCa%37|pEV!Y2mR2cdT^~5ZY+K?9^OhPIt)>EhWe)?qG_kNZkLIR>0 zG;}2>z$y~y#AQ^dvsmcKTDQpke|)`VR2|FOHHs`eI0Oq8+}+*X-5o-3cTa#2+zIXu z!QI`1y99TFJA9pO=bZhHdl~(s*J7;h>Z-1)N9Hr9>|!;m-6R^f&ml&>X|C8*o|NU_ zugY|-B9VclqScxSCB+}UOzNb7EUgG+N_s`=_wH^z@hCh60Crm&fpNNb4Lm!rzH*{9 zIv+6O^SH_e2TyFoQG!6E@1qs+=bC35^disbF=eipSh?Xk%O3gDB6KOSA<$EH6CEq)k z6koqM&F9gN#!C3C^$zuHH+ep@rz5q?FS@&YHgef{pgT}76kk_oHB9t%54@bWT`8bF zh+VX4+>4SH=sdYgv8v`K^TE|HKfT_<-Wp&-Y;sAewvavTroNNDE0q?uUClOW#f2`V ze&W-GQ8*z++=+DJ3SW&Abv~IiS4TD@q24Q|v%poq?Zm`r%$M|>FsovTa$29ioxpD= zWYYK3uZrfiT(}iA<(#9*j1ZS!6>?H1%r8)L;%pJA(ZG+n)lD$Q(VM#NOaKd?faNX! zi(IHGN^qg@!!e#n+A&kSra9&(9)Dom(e;1Asf&D~@O|fvdz!wov(i+<>bs(;U1tnM zQ!5`D@UvJvVzuT=;BZ+qtdsKZ@lk|`q6!c&AI)-GKcdP7lI(7v9iF^rCwx;f!7vP} z53l+()0}T<%*- z+5q?xHis+gY=xT2_~-ekDKqLH4liXKQwKZqrVTxp6O$W4kh0YSHWRn&xk?7eNjE=& znFKjCrnwM|UBvFg)b!M~{MR{hJ9gDPhSIfM41P}m!~n)KAxH{OqAz76IC2P%OU#D)y)wrrryoDZ zs+NnASGqwDmo0mUk9XWHDlfWz)b-c5(hnW4LTh=wP1QAKYMrcRY+GRL*e<Ce7fmSnu-|sGP#c?OVZ`S-rg9jOP=9_YBb+6BM$`ldh7zQk%cX zVf1TXH%>W-aH?y0q0?IPs>kNjqv06S@sc$kNUg@!$c!X|+aX?a&+;>aFEE+sH;n>^ zjz{K+&k{%^s2;!{q)!NTE#H`}LtCM5j2oYv)_HJtS3%fIoDb{&=Ya7<~!~RyV9>U3pvx zH~X*x`pcR~+}=r&%3zSjxi|P#M~2!CuJ`4D{I|PXzWLBu8S_L3?4XF^=_a#fSRW=2 zgy(vqL3#RPb{)TyNEZFd=LbEDgPJd?y^>(Q!6#Ep5g(Rc5cEfy@S2bNJz#D(1%1x| zKb{be^ekfUV5zBCq9w;D+_b=2^o(%DqQxUYvCVODe_6mS#dxM&U;l7!7mh3VoTB<2 z3k+#)_2;RP=g?bS!6GB1()YhUslhCX$T%(0g{GFcV`AsC^ zs^1_ncjRO-F?mAZHZDpwW)ku(3{{z1$ruv;z=vb{(^Q zI;e6$c$WwX{d>H!rRC-^5tDEu9)QR%s0_Pvyii{n86KZJQ+@mSCICH&%17JkhKHZd z4Ie%cE50{035*IQ`5X16?165IO4xbU`YqnUW5>-WEB_Drd?BM7FJ3#Sp81wS!->RP zJG%+!C??+f9%n#H^xFTS{a&{2tOj!GrlbJmWO8QJ!BU15&c5~C7a@l%?0KnyYa zouxbGfZvsOkas+V74?nNnS`H%m%Swj5-J?T@LkDd_oBz~smrM^e>_kZY3ulUjQb1O zueoV4Q+0vEXymlu_ zo=s9h7;q#*9=p5`wmm54=j#`v*LtU-Z6hi5ij( 
z0q1?1stJfHmcm|N~8uzsvHgY`XKyt&%J z%9M$*$n*->eXa3Nq%#m=6jUwN{o;DIB5gUP**+CBw7pnmLO~Ptk{kL^Wj!R!r0&h< zSX;~F)bGrcI4H#W8kB819b6Yrsq|j>_2XOx4PBNEo1iF*b-6qouQ!eCTO<* zp<7s(XPh03mNpSf-(=(O&x~_zgV0O_2ngpfg2z7Aph8XU^~I`wL&S`hu<%2G@)Hw3i);LAs@}Gt3xxUH zyqN}fwCgBB%|klieq0+H} zU<1Q@z?3L0aFZMag^)jcHq?vleEaF!)5emik@>0cIJ4;~+Svqq;Dix;w6Y41vDcX~ z@Q7ftE(9E+qAtyvgxccpw*KT^7p_HbrBH4yRl=`2W+WB78?Y6S3Dp`>KM6sIhXP@@ z8saf#XVK3j6?CRIha~mjn+)v@ib);{OA-Ci>9^wLWMzgpw?ddq{bPDg@%*?A`r$5> z4c~dmYmaIqJs+I}tX$|$+u*DPk6)!N1COZ6t~_@xcP`clp2WF^mY=PT)|g6h4ZS`aVT#{I>1U1tU8W5(#)=fErOS@w_MMpZTJ6G8~A!b&_ibTE> zfcOEd%gL@Ls(srwMz33F5#jjL>0|Cdc)pgO)+tNcUVjvxh*q_!1NnU`@)jhBMi}r@ z@r%fO5ZnDg5bV_6=Z}3*Z#%Ttx}!!XpV<>=z|UR(b|+@%AVg&~M|Q)Mv!)^0LNezbo`6h^^HVJPoyQ19|`= zz;Hd42)Tkvy}I=!-=#bT>wuyOe??Z@_q*7+-C;`i?~qPTgdm{sU^!eF zSA2=5N4DGLs9)zluY!0uycUtMU?b#+TwH|l03h;Ek8FT&Evv+ZGGHLnpGh=1#@GyG zdfARZE>-U`ykpN5SrN4NKo_a1W*>CvR1kmlI2E+XZT^-fok^ro-EtyWmr`Kar&TgO z3sEZu&g=qF{Q*a6h(7S*Q?oj=<(j%!^5udtdF!;~WR|ci_1k9Y?i7Zc=K~p}sXYPP zw+6S2M4Xrds0lvFdq&s}d-03`m>bI~0>U=T)v*vYv+1#Ms|aEZD{wZ9MuG0fk<`{F zJ{~*Z>cuma(Q**Bb^;roej#)Y3}on)f}Lf~Bnu4?A1PpaK+q|#!V$Rkm6#c#*Gm$r zNTor_=RP*1?;$ZRn()$O7em(s$TJz12OU{m*h?@dp+o!dqL$%3_pTZ5jfdaT5JslA zi#OG1-+H8SH*pn&3Us;Pf}lf+ArBWG7rH*?&DA+BdZ0{iH@wtQSp|D_jTqT8io;Ni zzOF>cHUCbT{Lb>+paW6BA-V! zd&~t83w@-H77)08*l1%E`-;Ute@-y^MMM8oG@Ylz7|AU4lLo(F`<-KGc_$&8BPZa! 
zCW+S^72x=d$6xLmxIY60ci)EIn(MT<(hVmQizHt;A3${HiIEwNEx9Paq2XXQtA_9v z&nNgD4HR4Nas&3|YuqP=S6EWi= z9=@<66Z6KF%z>)P`L#s~gJBm-wO$n`f@!48=J#jFjolZdsBM0{2@VP^gpoxEw;UBc z$7&M!m5SpeAjfe0s3so3V_<1m$`CCV!}eWqXdDza@W%qs*EE$=B`P}7#;RvL}yJO-MyYF=^x8ZhNAXnh_BzP#Ly+muiSu;hMz zeoKuGaTpVEJREf&7X$U2R>*EK5!lQ8r8-)Jj;S9$FFlQO z6*>c3;|eOisniuoie`(<>L@=R%k;ngk(xCo1@9#r>;g}8`bGO7avTiX70K6h$&@~U zhwJQ)|7aRw>$xoxF9wx2QQhPEWM2oJqr&AhJTnc{~`cJ zwr7j9^oFdW1&wJ1`pz^)*Yd+;F#0C^A$OD+^yB8OnD*Q#Sui|kCRnFL#~LN&*StQ} z;aE}!!?idWa{n8#>sRyBxBa2Hify9iS~d_JHyWI_FuJ5hE(2@1N$zv5{0`;l3H7o# zAZLD$mv6ery$t>_aM#9a;pkQ|4t%Mt%JvrZop_z{D9N{u00oPNWjb(PWq&*r|DI-PY~DF6t9il z9jdM*CN46g>0?U{^SyV|4Xkm5|F%6tf`3QD40RmY@NKvy7X2uSDWAWFmF%YAWOSj` zUSc^<%cIAu%?nq2<4$TvOeMtuP zQ3bnNTG~a2Ox8z3{sF!rNl2a~7xnDNzn6Mr48We~EgH#A|I1Tbkj>Jb9d^C-OS?k< zxg+%ggk=MHwsZkPkpqAS+O@tw4tMb}!!?#vO8EKVCYzt|HqJ5P8>`#UT&suiFN#pSRR+8a-g^RX~Dcu=|>;=Vekc+Oj}faIrWHDtx%F^{h)d0dkygSnd4 z^St(4=aY*1VowI1z#~X!hTknppG|eVpJJlz5CXD6s9( zkWp_m0t$VJ`z}vcB`+||$zClg6JxT*VUOPg#QI3i!^a0{NQkN{vX|6!|D5|UTd#sP zho{-2alnciS7CFzcMKS$)bN$+x_Hm3I}g1 zf4&jc<}A>9v;W2Q5AXzv8|=*C6AT@;I*mFaCwb$Hzmef_qn(Yd&2nu4Kq>p9m(Vv} z@WN7`lbH5*48dxM1i>I?CDQ34!tb^^c|G3Pd}BP9c=+x{Xi^ zHhV3ng*bVAa#{<-O{FBBHR+h{_Y8LK?k0n3O%IqeAHdz@Kb!&N1IqOysg){c$X>(k z46pnL%bES&Eb`Uk>6cgul=`Fe>J`Ff4wz~kz5smwpnBDy49w%T&8e1OGw3H6P)a4egvCIo=UHBr^CX{3(RTap3yVBSrbPgu1J zD$j-i8?z{7AO|;&t>V!jX-E@nlyGIj6C&0gEu?m@6s?_&1yH}3it3}Gd0o#K3dXsn zS^y_O#%U0Wx*!jv4xYMw?oK)3AiCp`ZSsTd1)u%#D4UiZxJh6o#OK?48De7$2S@C~`&Im0CbA~6iLK=Kp z30274%s@e)My|ykuz=f?LIo}8;9??^G#!b@*w0fsb}qxL`Fh+f&>j&aJom{WAAk3T{I44I+Z^MlJU5bb>3 zg_*6GD+R@OKBI=(epc3H7F;3ppuN~_y@P?A*e7h7&5f#^UTXY%(s4=y*K)Y(KKlNr zX$M^YKk$r=Nz`95*aFf*^@Ms+Ch{YpQ5ys##JgAWUVp`=fm?IJ@p4j(kE=WX5xo5` zn9+YO^Pg*ms{9_qLiz@z|BEsF_fI=}h=INh>Cw{pFYwD>Fs=V;;~y7CDf}(d$LZ4K z^8J5%LlBOa5@L~=v@o}@QaL5kkGF`tR{yun+6hVFKf(N$L#qfeDF&c@M6smGCI0*Q ze|I*g+(x>qm=va)!^7JjT{Hoj3SgN=ceE;hHwr}$O8HT^`)&Ks{pF{jl-%ZK`!!sGFN~8M6(Es!Ozn}7tTg-rE-~NAe(EoHU%E|9h 
zIFYOq{?mH@&pl5=I!~4xPB!5-j}+eG1^*k@qA4!eF*Z<*P_X)E7Wx0LIVgAlX6HS- zF4@T+oRI%{2mW)nf1W)+Q=G_%_NdZTxaQGOfHi=8Y13s+jM2Nz}&K|fT1r+iso)AE;aaW=XmqB{lt`iL7_ z8Wbtxg>`B%LLi{vYXzya@2Ip}C1Zpgk~S;4Rs(f5GVNkpR;*n)T2QN{+An!qZckSx z-N;i-$J3l7{Xzd6-5B81MBOvaZD+@0cpQ0tnfl5N<}O3A{1K}32I>!2$HYf-FD64X z_o9ZmZibZC)1-V^$vTgkRnHFFZ+AC=_C!A8!sa*8S`a z{P>+W1Q{cG{n-3uQ^`wT^nbnvq~^KP+%f~ViuG{Xl`LDRf;vLj+}Xi2pNmS(GUfQE zU4a3eBN~-~*>BZ_AV>xO>p)oo?St5BEr?J~&X!vwmg-(~Gx&Yp6JXLv4Nc|m#4J(r zdv1qru=)X|bS~utnAFlUluD#hQ>FnQc6zY1ZYOZRVA9l&8ayS5Dm@o?b3(u*TtFRJ z4t~$fv%Gwp7>xDAr2$|F=q(uZtMbl+|I<^#v7HFigu-YHN95pWME@KC$kP7sp~zu8 z`w_$_AJ;S1kH$91MqU$J?=K#UuK+>I#0j}?Y*?+jn3PQ4aniZvwD0$Gqjc#`89Evo z8g$#8m6Qvl=_Yf;E^k*PJBuG#EvFV#`CGm3l`Hg{-k+oQCW(GQ!xN*`s14Xt5(uNF zQqIEwX|p2eBI!2oQ++|BV4`?zk>H;}*MqW@{WjXM*?;s?1dw@%+>NF8@$}n?0kaAO zCXDnZsg!kOpE)t!mr8?+XT^j*X~kEbs`H~|*-bKbi02@jgZ9K3FTUWcpNRDlek;f74(PXN$ZpC!8s$lZsj zWyxC1$L8{1;=o0N{c-qvp}Q9$%_;sfvVWd*!+>|R)c!P){ppDjs#%wys1yQ2`zk#k#d85TYVY`YjD@0^hJy z%#(-NQR0}mx`4*Egb!b{%XyrBv%8YzTw?&4%_u`|p5od{bNk97vrLGqfo28{M+g!D zN)$8Mbt52;TYMz83gp{Sth={B{KM+yn)g6+|o#poYeHzz@Rdm*HQ(a|(r|*>89HEAiXj;7I>uPvCuOux7-rc;khqS+z=;5ta zR;v1j+szS9yKwJ9R-P=^A5MUmCp90Q}z?EeqwVY)yzarWa@v*OS9+|NMmcOar4B};~YU%?7@ zU2LPn)^PGVx#ZK`x!L{(;r9HbfJ{pD4(+w(dTTXvjNkKN9e-7n_v^_j4Z0s51s%T? 
z72xD0@En>xK0n@;m;QK*klx~&^iu$7a>DcWsIqb>t}uF$#bWR*j(m8}W=XmZm(6sb z-iF!s_`_n2S5iE+o_ORt{ydK9kwh8>o2B~cFbL}k25m-z=Ic9sfe>XPxux2v>lV~l zYL|~Gl`HUzXcL!M&H|U1ltg|E2IQq0FLXV@Z(=7qUJ7V&-pk~dsF7LCSvObYh9Hkb zg-sa9yp@_iN)xlIqL`_t>BJ>82>765F30`$F7EA>#Tqmc&o`+qUB>3m9Y=Y-LE_5U zj%N5@A*As%8{QD!*UXgZNf`HrQeEzj&!su-4UquCxHC?l*@Dra|P{6raNaTY`pLD`b=gVvDd*gitlG$MI_e?Yh@NcPUSuA9e=u+7&p+LJ( zKHb=bW8ZDA{ll^)lX)Fll}WwHA)yh^O{zAR5q*kvUfVF?&3TB0)Eh8=?@IxUVx2Nt7PxcB4qLr3Jh#?5ZqNf+Yt#+-F>;ALT}l*3 ze{Nv*vS90N7=QdKAXEa_#~9i7;5I3K@c9BPg86%WGVwEbGcB&R8WbE7vCXqe%s!sKwdg&ts6X|BtV1Lo{Y+Wp6mBKNS zQyQ96;l}RA%YMYAF_l*L^PRgYk_V<;rXs7M6{It%zpbp5C@@_HKJO<@H`;b(eo=&A zPSZ&7FOAAE=})OMN_^hpe^@sgyx`uq%74zi_XNLGaqgxfFy}bVUO1?Gp!e!RW@)d9LX>nB>FIN7Rc?-)_k<8 zo%1p1loc;ZHTjL?7zdEs2&Ag>q`I}|7Y#T_!FGD+Tu{Iv=4H;~Wqw4j<$30Ae(@27 z`h-^j?fM0{GB0|k8^h;6HZr13)GUbi;bUC#fhHt)72Y39$1H1T3jBl7bZidUZPtXF zFtsauUUD;}hw+g~)U#n%95B0_2T*-&M&y)a1v zp&<V@qP zRYfM`tmtH3qd;EYD@`qp_}JwJ+k?2*lO;D4N`}$ExR+2df5RW4a9~G}*56Ffxf0IA zLF{7_G+0t8HKvm;gaWRz8Zn$zm#>=jAE(7(3{Dr?(<4QqfiM%7&tbf>EUB_ku@&`> zILp0Elhk23E%Z0a9r$<@`w>tdEUk#)HIvVh>cQNB&V9~m5*nSSv)1;J@h~sJio(0s zRH8(YpYO%Y&U2tVX>FGM@)zF=GMfg$?|Ppsso@Xeghd@MI_*1aQVHVt-=PCmUkomr z)j^z>ebTnlxsNOq=!!tVGR%8AyRBBeipP9By-<((K-zmfOSM}!jn_f<=43Tj7ZpDN zYIv#(1@zva?a&VY6?_8v%F4bjoCy+oZHz7F(7K3IF`!(u@s5K&c2K+mtJ3r zs1=pd>8AA!A=7W)k{Z|sK^4dmOs4=>Ajfi{8;4XTz1#=qE~8W$jmkK+LpF zdt%y4&ubi7HY?S{f{6728TbhP9!C=C_`z7kJ`#8&ha{JG?@WyF$I%5xVR}x`r291d zID8}ncFbroWxfjkvA&{QfJO;G!tHGJe|nP}@__wfU$|&r%>bw=B){qLdq*2bewP-_ z5%%7n^=VJ!y~K@!lPS`7m=Q=y5XwZBP;S3CQyVIu&z$vrg_VU(F_;w;?54~DOTd8T zV+QpN#IT^@j=$i1Ft5@axT16CEIO$01oa0_>gKrg5yR3@&?B-lUnnw|5TAkX4mxeK zeaw4i>t4#b^Er_g_iiWawfPbin1(>ZNfJLC5|UuVgct$DX-h>}qVLspfVrphqSdAi z)6`${fQTzqNWbdLZr?}stV9xgG(jelGzX8Jw!pewm?<$LXhv0Kdm`Z3L->4Gpkg5a z54-(Y8RYZO?xkV*=pl1b0AKiscrSU+EB@oeNCa92*uJjaaalj+?Y#*jush?psQd_7 z#YXgDuSPvn#w9-ZAHU5EQ2CoOT+u2%N-mvidg7gS>YwI2reD?UU z3+Oq8;dFdoq@TVgFF_#}iV;-4Pwugl+3OJ&yg{Uj6J=1>>#Z(2>8z1Cj{y(IUs6J1 z_KL%roHU?v<%)GLaLO`xeW;NM-KmniUlJY-V)EfCl 
zK6YL~uGp?L=9j7Ps}DQ9s@u)k7(U&e@%;#JpDwCO(ej`wg_F3DZmMc>xJ>L-JGHVN z3(Bodtjd?Po!he)UO3|9OdXrb2sJxTUbYk&^9RlwIQtNDrp zQ%cG*4oJod9S*w^xlU4~0n>1SNO)iDo_=xsGGRk8@DXUQK&~dQ+elKGL|(~Dqi`y< z5>@ucaDmN@3M!G{H|&`@x5!Rl(BI=b?{rZq!HoODc0x+Kh8OELWxYP^eSsHD;T3~V zT?{gzTP#cd!Vc%|tVxd7@44W;Tk+)=9sycl1hYo(^kro@WS+xt7#5aaXINSl1c zE^lV%yAMq+kCE{VI?{>dn)#*aTs}GQ@&dwI5gyv#gi>4$yvfPJu3PaV#-gi8QkV@Q? zJ!riW2FpBqvYDN&L4Gv3X=b%m)le>ucy-t+ytAYbd8obU@z;kCvu+@GzA7lKShy`W z3R+TbaCKR%^=KJQzAntC?VoMeqml83_2T`};e7b`wA#{;$RsEl^@M;ZE>w`DT z7pnk3 zOh`SQ2|qtT)`7p;BY)Wp0wHH z?YA*;VNRyn4vMibm^YZBZt6A`QHOh zY=9t&|1#MVgTjso(MA>Q?|{`O5(p*F>(l3;mMDukfsCn=f~c==-Oi3eP6;uPI1fTq z%5UVWTBazhS4hAZb>DHR5MB^5uuC0FIq&Sk2~`HYzZ*a~S>S2=>f5Vgvtd^5E!ZOY zwfvWRo(Vu*LjpHM`zs;M?f5oG;*?Av2P^@TG z0Zn5u5C4D?orOOd#|IZ#XIg1n@JPYvG)rZv#uoGnW1EJyYAT13wkq1Gr(xP#^)eOtj(I26USpFJ^Gs&UK#R-pBH2AT@d4m#m>wX2*lLsx9Jz zLXeIkZcEzny6Tsr2xE;#RHUR9vWtJ9{ zkY2n3(8HJ(+u89nD#}!k)FmRwU$(!06VR0PPic|-;H~g}yhp{X&iUw6ud9vtCLY-x zNoW1W)h zg68`6(kb7&(~b5oN6Z*K3!xyC@AVzuA0cBwSQPgH_Wf+qPk3aF2Hn9`b+XtT%67kS z4;HXFMt+hEn6CT5Kve`A(;$%Q1deU!3^O0?SD`D5YO!E55p57aCnA5IA$RO~sB=~V z@tiLE6|Fsmpg{z-110D`azy)!y(JHn`*ud^>7FSGvPqdh6!%rch-P4Au!@8j;NO!e zOW6$~z=k@)Q?kA~AO8@ydDxr0UD!@%b}1-(v1qgHDVqKUGu2h;HDBqHXe@?cIRax{ z;x|7=Q7-v2u-dohEmvtg?hWYD|K((*PNOA?xj*vh^+6lMd#N?XJ)Wk#)PEM97PS-Q zG?^&iL;?`hq?kP>U#~`i;-H!#vUA;b&m40h?rLohYL0Y)q;Kc*dl62OOyi6(9ZH*=&~DI} z1+)wgCDwf}^Wh&((I?>5i2(7pUElZchZe@RvaJ6V#%1^tuIt#cvY}x z>VLyP>i>mLMG(%L?I32a3N49$p}AM=8jB&|o}MTV^|U>XrC=`Ntk+u)+z4_pA2lpHxgZ&G_8bj7dt{yA#mZ^KFK% z@%U|JB1^|?L3F{`g%c>q-6(1C4QA(1GO(8i2JwCU_osZ1JCW5NC5vd0iR{+7Z#F+% zk$BbL!Y8i`lOcoDiOj2ZjeLW>bYAWe-2}w-86jwD-t5o!7_`D~HBAaMq6acVKzv5t z&IrRXq9k$-JWFMHX58agw;1^*X4l%o+?&`b2F_l4d%Ri+Xf1f}aK13(#9bWQk2VoZbRa?SH?$gre$i;bq&3BqGHJ@YO6G@dmfYHF# zY!8Fai&P8^t67=-+}vqK1|p<$sY4aBzl$i4+6VVxyi ziA1jI&iUS1|LQVPS%`{fHykD$hnc?;mmAFBn!MhRE<8el>*K4QG=$H1C)7msHtYEu zd8zCb41ilZXET<}reGJjDI%ZG+Bs5Cq%x0UH!V)VoQ)UYdxddf@!qYz)gLA}8j*=`f`50fvDAudD?B$*y>#BtfDm^gk_ 
zB7cRn4%U&0I$hVKSbX-LVHTh|-mSU@lTJ&f-UVW%JarHd@b4NA13|UzE(L-WCOQIG z!Nx-)BM!gZHEW0%dGzghplFh(EyjyC&dydT58ChB$rKW0EBAoN$l)FGu0^9nD+=uH zMCfOSu9}WW#B9R5_LTXo7^J=^mvG3QlI}rt-FaG^SeVX}&(}jV>Ono#Kb8u9b8tnXDV-;mD&2zGT~N+q+~}%ZZ(LU` z>s}PdHZXr`Z_oS`xF?3g@#2Ol+Z^iJ^$C3mmOi|5paQl(VEPUy=Eu4l=UBmnQk57x zRI8OK{t{OpV}mLAFqS%B?Rd?tSEfA+4~~gEx0j-7Zv^VhxZD%&`r^q*nQe^w#N}62 zrtH%V?JI;SdAHUE^GzpC{JNH=EX#Q_v+k&Fgqji)r4&LP`FmhMDq&APY9PkmXpCCl z**0cvX z;pZ~kc?6A+mZ^EK)tfXBmc~5~&(4}*qVT4NQK6|o-HHFQk%ZW>9m-HG-^|{F4k%)p zD@$Q1=B^kPVPL?tZfSR|fyVmC<90F~22W{{42*pHR54`gEluK_xR!cp9IXsZ2FFV&ZKLjwSBU&lQ` z>M|!(q$8(L6w%19f%P^k2^<#NYISpL2hZfF1aZW}!A7`_kxx>u(_%kOULPXx z4twjPu0OXuY*ZAxltTC{EH zQr=|@HW4uzuqR=Y@gQ#H6qh#O!7I(FE5eNGjJ8<}&YeCl(D;oTV|MG_rA=a&93%e78Zok#TSrvJT43ic9jOd6$FV;`XwK)+M&l0(eAsp#~d?U}Wj zC)JuF9bRvBqKJ$DYmY1=JH7_DjX}`?D?Aztl#>JT^_#N=%EO4+=kUfT8;hz0nChW^ zZ*)1Trw?3!-j%b`IE0IAH4H~T>o4Fx{8Wkul7cQ}wNx&a+o2TtILtYzF9OA8yVRHg zuj*~ES=0ztKL^g9ITlb}r4^xaITVjaXKlNTwjIFs*~N#!pnaw*cdHovHd6iq&jkqw zAc)rU!AGLl#8&C`v0dQdj^v9K1$j3~-{J!f24bjzQ3XO*Yp&Q=TQ~fL!&DZ_(<{D% zq7KbH4ZF1&EoF+3K7}8?^!Rms7XJf&5riO?=scqr8?5X3_SbYF5=QOZt@;VGwisXn zIkiaCJm<2sY$yh%cLbc8r9ZzR6E_6WDi^%bUF@vgD+;G;U%2W!aKD7}kZ@_dc;iB$ zl=^VfTjniDU|kK}3-4iV(=W^vudlTX694XdT%O%IV^JE;a65na}bAgex5k`uh6K=Rib%XfQK)XpOH0-*tDMsber!3;}=l%OJ8rt9!P$s{!&f zY`(TybrT^3qMN;NE&>A1E!I*0ZmT5GCJL}jZH~G`ON1Fl z0&HFJ)C4=udbfltNyTv#L)nlp@8+HdYAve|&oGfLIUj%Zo|`C_$A*OCGOZ}Y00qm# zja9j3`D#3mugis(6De%d3chX+KmJ5pF`c*CucbHdC>sDx)5T?EiTm3u`Ix}}tzBdP{27Dp<#YpdtfEb!CljXZK9&Oc-Euh9ZNro9(L zfGuQfvMA7~)E~Nc+S>*gL0oy<_r~#kstM*0>bKY0S{#8evrg1DpjP+RO-4LeNB}7= zqwNuwkZ!)gZhaW&IFM~hT0#ho}IVqcs7rMxWF z8%hc;W{YU5IC4$)yooe^Iyt<#Bml=04Lsf9(K!AxTLfFFdYD8??1LJofo-vFd)Z2d zpMrphXRfEqlj3r%Wl%h&vLtmp9U0kI%tZ4DyusC$n*{iUq7a090M>K_bQ%7V5Aht{ zoi8qv52ePMh~H9!TU2|_N~Fzlp6S8V!(~?xKYeyqGFRRyjYcsw05_YyZkeKY#~6*1 zk;b4S1&~#9^R71h4fgE25Urh*7Kz~y6%~+)p?lXNfLAA&jZ5beiiQmU)YLNRBr2xo2ESV0a?RM3gkKXrO^zkHs_-$ zDFLTieRdno%EypvlSCl(aOB(=S%`aH^8ELF(g+~PAT_J`v!cwFwp 
z{YD1?Fr6cdi46V(b~=GLym>px0XrV8iznVqir-oC@ypz$6@HhCywSAFLR$TL;r6pt z2>?%CQBLLQw=NP(?I!p&kv@s*5=$D04@idZGdXivS9JIsm7hg$0C1r^K+Txh^6<6R zrQ6TzcKADSQ24-0#s1M>n55xAGMRjpB-`p2Kxu_928uIaVS|chf;c9l)6_5j`KUwn2FGt^{dyugo_5N_TD4dwmT`6eYu3eT+R`J=bXZe_*j$jytKyJXiO<8Nm&W=37dubX+vx{m> zjsxpBu*^F`{a(X7WVD*OXc+uJDPAR;Yfamh5Nv$F+2?-jO6l$PwMOH zQYb7+q7g^vh~=nh4kT3%@>H9g`~J1mhRN{BYUU54+oa@|SGbp?HyO(}p7L+pXox_bZ39SgIjT2a_&FQv)W%3{`Fngjzi1IljI1a{{bKC?4s z0?5dv_2oeV@6`RssuFYbXyHdJdC^FpWkLqzKy^I4f&d&?zuz%}RRqZ7wzhYMgx)!c z6uh_)E;^DN$92xuxW5a{>4WVy?>GYZIBm9_^YmbI7*@YA-Zfd^tYk+ose+ijau+T&vWMN3e(!AXnP)nwyS z0!aZ5JJMecyT9z94@86>I0!`OH*qc5G}nhBnN>|}`h6HV4XQKsSoKRY>*ulhZku<| zwuMs;Cmw9Ze1c;-oC6Z_bD4o^1EG$5rQWt+VrAWOTe^~qc+Qp>y)@G;o&qKEwZg8m;G30Ly?ku16C5w*UVzU2GuNnL(R+ek1b$Wkelsy@-+V=zEmM89O zvLNKQ&9ay;K1c^&P4{bVhFK;Mk0i@lmA_RAVC9!$SEv-j6ZxD*gsA{{}PL zD*K?LRwUD|2%*M__g+zpOWO|;%-#$3a(g#miuro52MjKn-T13ILs<~gl> z2}B_t=FJgNAn5gRimQnsCa-b4xAaF*PzU@i6inB2iXZ=8hWz!3KP7^On151L@z=rN zckd=Bv6Z4EK|Ym&0{cEhZ9d#)1fMcEed4A~Jje|k0Mqp+?op*FbbLDgQHp@j*BQ%J zU>H~er+`%HVtERCb`M>pJnM+?H6e@oNf$=kgThuZk05~7OiYo;hQP}*E!@J^Q56#h zPE+ZiBb{e7lsqRZ5hs@14&??0?T1+TK3_&fANBNm`nn+IqEW~hO*m*6sw9&-+yw}; zc?GNaD29oQ^X6XYgM`)3wZ;pKPc|@D;gzC36A}9P8`e9^fdmoxRQD>WRa8Zot}&3; zj20>#APP|F2w+n^y)(|yjEadlDQ$9QCqpy)rblZ58oByVySK`xoYuqJx=8eQYWJT@sXN7x7ibrr6dL@Nb z_)L_U?bTfoOSyWd;nq{dP#};q1``WviI6NA*t9VdQ;Y&Cv3)eiiik+xy#hTJD;S9x zhAC1$VgINuMIUMD0R2H*C?y9fGZvDB%Ayq!O`SnvUz)_Ynp%~-CZ*5GawxfYRwV4N z<>edVk0)|$tUPAgDFR}SDQ9z;E>ooL? 
z_en^EbhX!E-Sl_aPu`cC`|4Cpi9#-$jNux%>)ylZr(AThI_rKWh(U;f9NHqFEO|>L zZW@K4y$Wt~e?;Yk(qg-+vrB|0hr0E!O&3|SmT2S7au4}HodS~qmWgRdBKNq-zDbU) z`3Od5Q}xHIb%p84o#P?xaoEsGH%UlsE0Gnpcv&2m9;*yt8+{NL z0UcMtUwb0F;6|$@ncbz0QTH$WZW1^D9L!(zCu$;uR(NmMePzp_;E$d9RL!yYNr2)7 z^~qrjl0xkI;5nb&RP-V%e{mj`rSs}YPof~rZQgXziz8D}PyfV^AZ%Y=9=3){_vnFW z->faFZ}4ricB2YgCwRz>m!jSf{_=c`V?d12?DTznI!NK0QJ`PXjz+*Rbc1~Pq&6D= zlh!QE>0RTrkmaaW(yA#wtYuC<1Z!x)QmB052?GaMQmPfI+)T*Vmk|aFa};vr*WB;f zH2L+pI5i2|yQyIE>vtX2&!p=fB0#~DM*ts=-DUP!C)_A|^Ros4m+d6ZAgZ8%AwAex#PuF+QwF+xg*INBX(jygLW(asX_l` zMSnl2BnLC?q>aoNHGUusB%c){(W~y++7Vsr>)<$Mmb#OJ+akO22)2^5p~WQ6@^i~^ z*^_>fPsR~&xhkfapQ&X+@(cNq4-&3#YyRBIKtbAsRH=^0$a~VA+#^m;_)^iXrWuj2 z<Nlj%`=myNB=87?XyZj6=)^+&Bz!spQofi%flYL! zfkR@g@0xE8+r*x7sK)8f)ejUjc>T{!;xK3ARc*0=oB&|{w2@Pst*)VtsKqb7h_QF3ubvDsDTePS`&LyROK*%M z`R^>9y$I&`&&tk^b_jYpW}d6ayRGiuFSq^5!laz!kcFaM zU_i{J$y*8oOzS|MtT(7Et6S*IP`KeXxNK8wbIPee9m{UOB7BM&>HR<+txHmfkC;<` zz{%loOIS!Co+1*G8-vpkMUU38tiyNhzPxTkVH87ZMnR_1db2V7v1V`cxGs6iT_ck@ zCPyQNUM}ibZsk`D0C)@Rm%lw-8?+0YIBFnqPg3F728?CJ3}7tR_C3wBw9+Ip58A4C zVsb_;lt$K!*M5MIur%%DruF8_6P4{J{j^9RlsY7mTinlRO~F2IfnvPm{>wcJhLUyi zmUA?k<>$u7KGUt?#C_*NJyem`H{_L4;7O0OuhM?R#l_`ZkaP!mHSdqLn&j=n=XGAb%rP3#xC9oWOo@pB1hvt4!rnO{Yf?1 zh7g8-H58Q`@H+65RZgSEmk)EcO(bX6v6&`?g}Kn`yOJVK52^XP4;DMrtK4>q?>#%{ zwiWT%c7Jwy>A54b-(wGZz9Bq(gPqd8EcO(KYCRRQb8biT;bMc&wlh!9m3kM<;P zAepTUzAthyw2FRxrlMl9)Zj>@NTE)>K<2=>${x{$!5IxK^1pDR|G8Qw8 zC1KN(a3^C@is+v9av7FKv+EVfSMWQXNRjfp`9CoqB|O4`;_}$ zlx(<%Uz^udN1J>8f5!TbQ+14|aDI|~7K7P}M}X`DftyfWuL+F{g9hj!7EyB;rNRko zPVk*9^|h1S87fu=6#)3@o*Y`_6gbEB&XmW|t{*n94X&7VSIWtgUTS1~3@s2UC3^ck z0Fq7}?`_YnLsLMZ*>JlFHS#CqrzcN#FS+467qrTf(zeX!A6OrjI8`lhUwts4$Lg1l z0#si#ho0;Did$DS%kvY@X#xb3kEtv6n^o znX_YM{qy25j--RS@j{23v-djAC(8=L0Wz0GH?;GPNBi_KDJNw?xa(R$6;)*n$l|Ij zXt6q5AISrA{9)Q9JTe?gUa=T%(EuHg2~T1ML{x-@y4Ns!dS86bGAsagZu$@zYt^EI z8qcmf2qlCXK7;hfP1<}&*zfBanh&@sNKzz;YoHdgd<}1M*M@e%QWrKQY<_z%bvz?k zUZYIT;cQHG?E@huSdB(E0UuKXyy$BG%}Z%zWzX=zXcczrsaiSr{mlXnvXsVn;M|(X 
zt!5(SfkgtB(?%@-|09yy&aw@UP|i2?8ZsOZvoT_7HOXc9cOKtZ(AXAop~a1)w@}MF zJ2E}cZ({R&iOJ(WbU$%~a@jrPl(9z-m5}pmxixR3*?D!@N&TZu!9V7n#sFGw*!qJs z)H)^uA^Hw<7TT9g)4iXeLed#=q>L7f4QDe9Nh^yX- zm;*Xj*rmy){rasy@y5Lv*4QYmI{5UMS?5X?In2%)zaqOE zG^B2msuZK9{S}~lQ{iXFyQq`vXWQWd_?rul5u|16s_!~eH3xC$5`WtfYsGj+3<#G@ zpHB!2&ts5z;|Q3PQU?nK!m%8f1-_vvt$y^*L_v^ogQ6m;P?DA%3*-{iUOhx1h&=V}R%OkqSXEzQ?5oC-PtcZPiL3w8N!r~4kcuAZec@b9;5zG@@u{B~ z*A!VT*O(gdCa>GK!P%r1aM$Oxok%APKZc2c`l4vi`6$|pi4at@z#niepVO>H*|l&; z_+oJIj1L54eqXl*Dm7jdRR$`xDz=Hbjy#yUU84ECe;Bw8*S^ltdB>V06OJCTL<^h( z-+9L;q#ui?4?RP2i_MPZyUtrMh|Puq=Ny;!ERIv%(6ZDE>aXI7Q}0Kp&FJw=R5@tG zCDD3C8mAfEsEnDooDmUl{_Ydap*?-pzU;}7W=3)+B{>(=on+O{OaGAzs%IFe?kS% z|5l2|(R**@j+AIW@rac^Pi!MG&wIJCS7XgNPy(V`^gJmA<4B zp#iB^1RLh97UDIeNp86D)$ei$GQY-bWB>sy_>kQ0>BW4N?OI;cMc+b8IM+V;oydk* z_5m#dF2mZ_!Zof}VJ`GRh@%8bm;unA8!{EhdQQ~hKViYt$;tQ@pkNE;(xy=GXDa0_ z4AsvGqFpQ;ZVAn9Yl!Hx7^_dj(o7>PRyyW9Pies&LiB~bym`w+s)Ct17Z9 zvt4Iy$`nsa$>t*F=7@`i6{jwwXR67Us>l=T`H`UGG8=W{&!n>7&RC$@K+2CzL6u}j z(}`{T1cy$vhcOQbH%#8?kYlvRlwX%Y&I`no#&6@T+ZYi7+NnNi#m@o%&-fZq0yD?pFR=*eyPId~i?kRvPUc%%WWw zkL+}ZQFO%P8MLvf+0dMH#SYoD^I~2E$8Cr-#t`trrd09Si2X<2evo-(Qjyb&>|9@4 zn?sUQi0ROa#Y74-LJ_Aj_RKxc-JWKw1|?=#@0LUMbtkvWj&nTr$B-4Vs0 z$w~I{#5D3tm<00D^kILQC?4Kz1aws9{#i>Dweisj`jq{=+d^&_`7Ym5(9TiOIrjEb zinneNz63*B;d>&3NuHADJaSPZcY`g?(!S#kU-(E^inXBe=N=j^H9_f|S z>+Y>$a@t^E{vBff^Qrd3wcl*$LPcmv3P=FHkIi?FXWj|NHV(*m-_Ab5vNv#E{C+bS zBOUSdaH9=`hw>H+czXU=4jp_-36t`8xzb6AhM=U^1&W+;bOv0dD4?dpJt)u9%PkQ+ z!&Ja&F4igX$f{N0#0iRH&Wa&r_KznxlAZB*GinU;_-V77#Nf!|XS}AAaKBVIRZJuB z2^baRl8N!9f(AwrWZgJIaZQetAC_o7P4pQ<>!_cPqNb+?_!!pmnFyJ-sO2$p>b4Jx7w?6cV1HtvEjeZ;Rg3h@ zj^=+RyiB%H`5K5Dkz*Ug(!3oXxw%ycN!ENh>mU~z6sn>(Sb_Q z6qd62In3Uz8nFI6-n!;u?P-lmP7$UEzw=%vK(2l(pY{c1ZQu7I1}w`GtN1ue?X{ zM>%s+G{kbzb%e#xkcjWSRQUKgAe?1MO^c|3u0|_Fzsg;)#zOE}uXc6-dhG=4D zJ+|rum!j6PTV6b&_<5QC1Rh3|Dqi;{wzfBSyD{IC!q%sT8A9v&C^uGVywVpRp0nlz zi-Hy728X(Q;A7n^Q@R|bPEak*sD8OuFZFrT_C%dF)R&^dY^Gq+!l2$!aUiP_WZP+d z{bPk|-5kvW@dG(JTB*g^0~4w_dCaEb9VZNN_IN|@#1Dv7qgwKKKP@USs(=0ZGhBK8 
z(#F+1dkj-jjGWHfsF6EC!i@E4Q>Qu*V;{+6_Ykm;wR;;=3U%)5=3|q|_gt#Y+E*tY zsee5%?6}JP1oAmKbFU1*y0Qn|RGpI|Je672ao}r*v-Ffla`joFn8HQ{Fo-!=fy5C3 zbiw{)2g?%WOL!jZb|Z`F%J*6_cODPj?@bc65?BkM8NSTdW4qE9-&Q$VAYWxbVrDfO z!9jvRnlj(}G{&=O?FxvW$v{P~@_^v;+w;B0_z`;LUiFJ;?1(ZqOLD9-x$-xqrD?vl zSRl<$7+&TlMErgk?(>;nF02v_1n@+*M^MyQHZAk!(y3rGt>T%Hq6cmn2xZTpMV0Y< z4h)7H72?m@%D!W%BHOBXWWe~~B$-pU^uBmizLzXy5gT{wjc$b{XUTH+sBe-gN#Zg{ z7nk-j$FJB|7%7ZqFtEV5*?o1dCoYmz6WyiyT#xkd>$c#O8}d@<_=o1|y$WL*shbwJ9+b{Zu0nR!ME0)F9}15 z4iYn!v~?iYB7#Rqk5j5pNj+jsSkcV}v0IXbTg5Q>v2VmDv$>7uqzEd2deO-HiZns_ zMz||2hzhpfM;uM<)-+FN9`#6l2Pas2lqb{8Rn%Kd4b)1i{~YOyM>QufBy)Y1A?1EyBCj%ZT# zeMm$$4M=b2QsrlF&zs3bF(0z`R^7XWa3ok9TR4hR=__sxzX4YfPA%Fm9u7dyp5YW! zKLomzlH;1ugphY$oLKe0fPM)Nh|Ql4SIUDtZoK9r6ZR!E0FzWX?#6AJx4& zF|y#X|DvoWi9~TlkWSXQ0)mvEs(hp=N4ubzVvMX|!*;5g?k7aL_$NeqREKKiK=^_0#AYQ5uwxvHStIKGn-1rVk!y3vhgsZ-lm&PAX9`W&!f(7g+lQAq=}j%5AETDQF87G3!ni{%f2x2DQaNNi2Z#?zTdm>no*En9g`m6$j}{~&5sa{KL@+F>E3i|E1L zLT3(6X2F6r=$UcO`D=L$W}~NoFC8|HsJwX7Hc_}=VgVv3#q}&MSj`arHg~`5Uggaz zMa*7pjA0b@D#3^s)lL-WP?kakTnuIYaPQD&o;&?oXiz0G8ATtU75F*ql17o=zy2SN#rWyK zpztTEUQ6wCM020dqAWzcM!bcDtw}#fEUkNxuFe zg!vZUr?DK$#AkZ)t#HicpNi(64V4H59IynIF!{B7eZT2we`spH-xYug_Fbrg;;*E2 z|7GO;$-o2m|IT>L8Su9-`G4U!O7SDu&C~_kn=bqO6e3E|zSr=Tn)_^CLjrtGftL8m zbLFKl-Os1TKEem2ZVYCKPx|?i&}2f6rpPt?*srU%b8+AenRB%j;JF&FKzqn^trz87 zYd8GWxy2q6%(~h=?t}Y!9Vj|v5JU1m?ZtZbM^Y$SUyx5|?))GxIPK4?6+*rz1#dt6 z*Ze$23%<(1`rua^0WR~f)(!8`X>Zui>*>%nZci5SnttQDW<@=8fC=%?nYRA9_PS5w zk5>EihYZNmNA)SM(EZnq_86TPiu>0qd4MWacIdPAhmFP6LTjXK|LVF;@4mN+&%ood zY3xEZZU;_qNDo(`Q0S4e+a$aaPrTyM1p}LJDgM`YxxB3mI z-BUH47gy$3tda(9NwUp7A1>{--{6K}Cm` zS;j;cj=i2=??1d{g+Q)HP1O12Y5lv=|LzGcA-JuO7gSyUSQh-m z|Fn{o#!n*rZ&d5QO*$YkB*G`g8;t+++K?CE4H19eR{VeJ%FoX6qN%_e6JQWr!y5jy z^S`$PP$=kue^4m@VF3R&R`7|yhgtaQ#jF2$ZSkvhg34+U`+vFBe~#p9A4M?eW6htW z{?8W%StnAif<~D405$V_+yBFHBO{n_tWAt*|JSv}RKN_6N9fLe9Y*;NoimC8gU(yT h9r3@eO~VYiz-gcDvGuE0c>)K1j$G1G>T;3+GzSsAGl)LmbaTPCv3V_c}L@YUc8p>Mb~?$ zZe4o5&sr=YTvvJfpGOjURbp0lKkzWOj+iu)n%@H+S*Bpx3fA#aZ!s;1?2Zn@g@ 
z$~^B_LI-4$vTo(UhFhlxX8UKhwBNEt6lhD9@07^fKb5N8bZIxd1HDR8gI=9dWhPoz z5(k#%PRB{Pj?70uG(W3$ub$p;F}$%DUSC^b3r2J2;vPa)2`DMy;+cjr`c3b#@d@AC%UsC5&IrnKF5S%3i8q?*7-fda3Kg zPB}97SIn4B(4^F-)q^#*W#m@kJ!b7`Mh*LGv9H07O^Y~P@6|oyt#1>*`w6>j+vv=7!t*HApb`==otlc154Y`)wvN>MdzyTj0mm9y?Vx;$X-WV;{nc z6ZX%h{$YwY7tvh(O>E-Vj_CEomgIXO_a3NBwh`~jcgr=c%C95_)*!8veH*rmqb%?b zAW%bU9dP9`A==H{m)NJKfm8%-3?L5ueeP-A)|Dp)rX#;*BqNm_J9aLMwHU zZ#!S@?`pO62qF~W_6ULV4<|%~t#T|-&-iD1b5hy<3H_yrpbR1DKChtD0DSTu+pQ3f>mX$8lX78N!a0Wq&3B|Ss( z8AzE;aBi7jgLI~q<8=*%QsiW9D&Oru?5g_rykG^OXOk1R`lPVVG|YXJi5h{F%)Hn< zuAO@LO|kD@l)p(Coci!0+Zeo|%B9oR+vpU{+%k2QwSJ}vbbZOF{-qy{Bh01IHqBHx zjuq)a{4*mXr(`C|o?;BS{uUeuDp1`UH&8fPqbeFd;{-Np*Prb(@PqPJ)zImV&XL8p zu8PrtlS}rlSf$!=+!D{9TH>4BaTd+x#65K8MqTDWE_9vvtZHF3AL6k=6l1IM%ukfKI%(~x~S@fTE0tCQP#kgC~<#+UgAC6KT; z;<04?>L^kaxIvm^@$jgA9K1V<_LB9BPFrO_ptQB6X&oR^lD{{aMORN5`2JkS`A>t^ zLijAT7NeRjw+Ag<;I%$WuF&t1VIdbt{gfwW*Y^GatBy5d`Pb2Hfw#n~ zbDosGkD_HKq8Q&wR~fWZvlWAr^vhAh281`7i{L+1CK<<1a&x}cwnGTsiroiSA4@sg zKz!YB^%(~4oJJ2w2`8)?Fa~#g5d(iT_-RrU;+-D~L6ys`Jl~+dp-M+~GaJ^hYRiGi z7K(xV?vQ8~N5V(o6eekY^4l&-9azTZ=qqNA&U}!qu-Yo=X$i&y^eY}A4>77Y3wsU< zR}oBj!BC@X^`+?=ZmUGa%X&A=O*9_6abDCmtpwJPJO~CmzSoA=BdU<} z?~9J@<<4C|V4+MX;}urPa*+3K0QBD5G>z;FQinl>9L3IY4^q-A#ux#j7qxriT#!2) zA!*2oH8%)-Cl_cGeL*+}@KG*B@`1PT4^-Qanc?yLcO;)qVjp&#U#TN4CcLuy5!hoP zTD31XllkHJEtw5fi*K;9=$+$HJbGnz&#Up#;({vFD&da4kA)lylwLg9khK#DTy*vp z7&_vX4~={kITxr}f#a&U&i`7qBb`g-LXMJInO&z4sC{#?IMLH+Zda;f=|@@?x_Z+8 z5(m26T8$=O<6r$-FcVM~cOL?7Q)q#!d>UTr-N!4e~ zdqy%>gH=Ptwm@l3SRu#FJ|2v{)Tu9me_$us?S-r{S8exAj<~*hG~}R=W0H9I{wZg# z@i+F3dC2t;=(wggHB|o1_4~B?%WrqC2v9>-7%y}$;?~FQh~O)Z?icaRBNH{>bhST8kht`v+Dv$K!(N8n%##!>qb;%qgk=X)|rw&?A?o zwq|6VTCbLwuI0*(n0!%42=u_f;$RT^CGdUHK}K}q$}b?B4OQQ3nA?}BXhot?J--c+YFRxFe%lfA2fZ0h(`k>sjI6O14eU(?f}26p zjClTj-8iWWU%t1WNvpf+3_j9^lsZIYT~;h5JZ`?rCo)E+ukUUSNP=2kVxK1^ZO;b3 zMz`3>+^Jck#BB)J|e>xkIeQCC;}ngI6l~q91e)n_?wWO?O=( zX4|PHMMMyTUw{*ZSq9c(F31)ZXHC<;-y5P))BfY#cbEjrp2OO9Sg5p 
zWY2Ot8PrjVC-DZ&&2CP&v?z0pZq)X`k5rjJ>IEOd5dy_b^jvj49^k0ayPP&gL07JGR`$<(*$z-D{jQ(gV>{d z#N{s^A9?*ak=Z<5WeM&v2y;ua6)XZaTps-vbQet<3jNJ_!3~H2mZC@a4^JRJS%ug9#Q&8&G<07d>g2c^EKFRB`aVEy zJmJnXA@LS*cN9<81r3b`ISw!S>|(sFC`}@{qvF@jtoM)3JD@?;`&2|SazWo#X)M9FW zsUuhZBoy3KI=ys_&hESAZDbGrrLhAz0{uq2xwKw;oK&QVqIj!^3*BG z$L*r$c$U|4pna&m%=EU74Chm>=`64GO{{%uUZY#Z;xrXhC|QAr!5Yl-&K^&N%dYv6 z1{W)l7rX9o;Xa|%*I;e+(KuR(~)UNbl9( zH#fDO3_|)J?+Wee_D=Ngo@X3vFXjBY1!0_7<6KdZNw0on$^G1l#kbX{`zN;tBb0yh zF#yzxK zpT%#dlsho|Oda1#)1Frh1^<@9t+z%6?YE40cecQ4;#c&FC(sdpj$+@l#2u`s8%uFt z4Rg>|N2?~MROg{dBT*2?b88nq@xrfO zS>h8kK+~Qznlv0~U9s!4^hnN(qe>PqWFG~-UAp<+5H-ZfzP6iWV<+vV@cU6ans{D} zKvp&8R-Bh}02kU4yIT*7!>P7jA*_WeoS5B@R7z%NxJ5~+;qOJAEI>ElCEHIqAWqm= znd_?e#Gwhn>czf+s9xiWh;5M>lHXwGEfbH*SvP5pM-9=tP=1+f_Ax5G?}Fr=CkjHy zZ4!Njyuwo*S~t4)Uv_z|KR*6})ngLAj+Z zuKxTwlH@j-W}zXHN5=S&*s6EdOGQx+Z(tnWq+}ScfeWyAo-j$Yvvl`5x+|D!>(k~> zY5FY&YpC5cdhFdGoY;4yvk+up`cnKQNw`q9N%{uZXz~qUB_-;|S)4XgY+$OF6&^{Mu=vlY*|BOg2jA;&Zh2rX?=wJMYY`x1Ma$4vA*JFO3(2ut>&5 z7HjH~zCHWmuKu^9IQms7wlN(8?|xq_PTXu95?ax4N=$4gD61wz7(#%B;3dz)w7pKCl&Mn-lG+x@?i zHT)ihiz+dq2$$x z`J_FW8xY3)CE}_y0N#A1r&oiU0Zy)R#G?_m5b|)!w*xb_zj-u7PKZ|IxpD?5@QlF6 z>1{Wz3tza3C@UaO<*$e{k#N2ys|rP2y((xI*es34O`7c1iFX002M`18`v+FlN!e8- z*boQP2nED=6kvt+0G6xDc*|Pd-$MxDbFA2=KDxNV`7NMG2XAJdUk?d7KaRvAR-dRk zpbc6SI9phn`4M2f=0F_$b7eH}qld@*Bsw^Nvnz|ls}3M9jD~RP7Mu>he0=e&Bw=Yf zdX`2>unK20`7c8dI}1^Y(Q}05=6nFM)J&=`(QzXcbv{kTGDcB-sE5FolS+7JL@uzF z9g3c5T2F{%-8zx0UNFB!2qf{YT2b$;U}IPba;U%m+0<2eVf2uCI{X9yP+~EeKn3^s zaP-&I40t}U!TlFsmnR^+IG{Y8y;SmrxH!g)9Q4l5?F4>1{L;(Q<(&JU>pL@uYqKRac-qa!Rn^( zr|h}PJd^Mp%QpvsT#rWebe;5}sknKf`#_+YiFv@SBJR$-Tk2?}U(H1EoVgA1bfc=T zF6E47BEVXYBgWkODaN0og+US*f0=~B_Ljqk*UN)6bOIt5`EbPD?Q<`8-62p>Wdfcb z26%pfa1Mf_Zw6Tm^?!S|yTuD@3i7z{H7`edE1f7%HqY6`rH($G_tkaL3&5ScIxxO} z3OPbzj`57h7J!~4d>rYISZeDuehi4J051aSanY8bH?1t~(vD*d9J4$DuQ3+b)P^b` zO0zD_?gXXRq0JLUu`D4_#YM>&R4L$J8l0%Mkf7y4*GCbXkPv}J?Hh=rK{$0@g6FGF zgjpzV1Zn6B_MRS+0LkLiqn1X8b-JF3T_o%wJ2Q|1^D=FaCRDrKsnQ`TfD)38cYr(s 
zVY21%!_9IajjKSgo-Eonnf~P}fd67ocRnvjh$STej`#4!}BV z0a3qnML_S4SIm?kBKaD!E$}yAZJRF=Ya4@Q<)9rG#WdESvPY5w1VvSvo;S zVFn;s1N0$K!$6mYk4#(AF%YKZn*c6pPgL_;2TvhV^ev+@Hl!r(IjTh+#9n63B$~hv zfNLvA=OHnGC`ZDH00F z?bq35!kQr2WB)u)dC|iBNKgim_{a?x1?J zID)y%OOlbgM02l>9_lsLafkwv`*f;|sHEOEdJ|0)lw!UnVV9Rnbd!a)q-EOjOqNX} z&V=U}tuI;9|C3KRpJF*B9ql;_P8g4y`=VwMPDLYf1cK5fsBaBNFON<>m~@aHkspD$ z-wE6V+L^y)9Y{7^UhJr=<~E$dGwpzlZ^Ubt22CQCL(|0Hz|xQ@fXG07i>7!600M6Z zQn1S09R`sXDDGA3Ky4jsx&Rc%D}zsi6WXyXZz}UwT}&s!Gu9DW-!8cLbNAk?@s*5V zYtyS3$1ThvcBOf`D<`aGWGCpz-*?Kp{I**Ks7A#?_T`;OcnC%ENv#4=f4O=;R*;bl z>a4Q}QVX&kX%CV2m-PJhrMqe_=CzgihK8$SWhSY<=2}? zR(}mR5+7G6L6eI786*bMU=~Fi%k?V7)`2=c=Rko*+kH$NyN6v zlzwE8r;BC!fAyYlTYOGl^1`1hFK!dUu!E+a<)%UHmWihvdzs@}Z(itH?1qC&v@`yi zT1aPAe3+kbRb=wN87MLdZ9=m7=LL%4XD=B8oS!v5?Vw_Tc=>cvL%6u$div%lt~Uiy z=~K*V{<7j)vUuO)ldiI7%9dL;)kBgL+h8?nWfKB4cweekn>BfiIRBBW!8Fw^5X4SYjDdgkFMH`al<&ztpuHBh+#W11OA<(9q77MIS|> z_OY2EBoPf4XS{olbBdCWI(i+NC)CrjWHQsg=|paDP1e%8O$6#ZsA2x;iK8B_LCZJ> zfYA4+yIfUi^oh`dO;~f#4QHWqq4&(Vy@aI}nf<+SafKUM;h=Zk-SsQJahLTG7tK_a z(}x^rNCz>epnALn?#VOMR8sV;O&+5-+yo!Lq#MunG?7}kvbT#!kxkx_`*?pti`Ng` zCsbP->eh;n&s7*|;n3i3U<34}+g@|B0E1i(j$);=9sC&GIj6u!Uw4PU?TQ78n!Iky zYvY2$p@8v&Qt|+W>oTZcCi)KSh-Q)SuzdLsJijKUxd<-(jYeYSs15=;+w2^x85V#g z?^W)$Ns{5_t6X+2V%5}BFI0TAb(FI|8Vog^WPRXQCn`2;0bo|5ZI>XyOekN?!LxM0 z&CRKMW)^zpBAs3rD;ho;>@M$LDrI_t03?bTY*EyR@A}AG8asB$!AjAI(G`cdDC!_} zVfb#5xyUP7HZ?BfF25UvCblbjqfc2UUL7Y9?5%l@m1oSpp!B!llq5ExX@7h(BInud zv3M_Sx9ch|(NhG}xK*j}$un@^GyROoPd>#&c)s$7)X2HPIr?Ty(3jJI7izE=-tsg| zn%fLJs&8~DaURC7d@uc^`i`SjysX`>JXxWgTwxrW1j{gKU%Z)Km12K{z%AZbeV)nB zyIq2~eF=&%VF;zp5lLJr9+u~g zrjKnX+dqqCgJe^FRfaQH#BVLBK*CB^el>Q9?=?|1EfRk*O?LfpLb$j{qVQ|bM7=-L zv6|T%^)SSFB&iG#LCUptC(F8TIkUWrH%+Nd4WVe*9+=a}+d9#=@V4?WMN$-k*ke%+P(dBUEFe1U7_}$pQ$Ll(2|I&ul7r;yx)LhxjDzX zr7SQePFN%uwT|Q|ivnCamalAB*aDcE0(DD6L05De-~j97&vv!)AjR^5P4iM7b5wI- zyl%dD<#$AMhoZOU*TbgSWc_2W#sGZiqnMkOlb8FFKDG>0Y_obMd&3Z86*f1EM(TV0 zw>_y-le#*rnfDs3X9B8%X_~vnf;2x5SJ!jZ-LR}n1z-7)#v*+9q~r3pO-R?CKLj;7 
zJwd5$&T)%L&u|<~mOvy&J@xwA{}8|SyI%Toc;j*_e^=*}uhh(BHr28I`fOz$BS0T0 z1ijlQj6bHZ6tKK7SQdZ|wd`s7)Woa0?F^j*!cCTSfMm_6ATXcs-)*$V?7TZGpIHwk z2+jTu>oD^Y=@l%{OA15IR7NlUaObU$4)dq7cNXu4?mXoPrL7>k{q5@@Z`4qyYojT3 z`3B>HEU&VKebT-!66oPV=j7F7?!;5I3MS;Q!0zFi^Q}XuH;J{s`c-=ecOMwq( zeyr?}Bjo7%2EU1c+vG&3B6KVFFD}HGw?#aIcHcHZ_Tje%ma44bwgLiO$}Wh4yB_s$ zY+XvR?8~`!PBi-ix^Cx&N&#N#*_;*0vy6}uJ-zpWnefYsY~vsENy{}Pzi0Yk0nDV6 zmx5XADaQkrNB@KpkIfA~qF)V)qOsn{ZBAsxv~;qz%~>`hy@N|>q=~Qu7jghAxW@}E zM0*XC2KUqg8D)PNOkaL{;pa2`4e>eW4eRToLr3DXOvd@`ttjm)B%s7+)#okU=DA!3 zNR(#L(1iWXK4;N;^<2!bK*og*8R@^!u}W# zu5!_Yv5t#g=QVH15|lNXebio76le02mxnmrpI~lBbwq@;b z_=YOkT%BL{Ml^+2s;pA`=hm5Ol2p5geTsjjwJ`z@n-?HSl!F6tp5}+B6~$V=;+i{* zg)8U>=Q~z-pR;^G|H3jedT#mfOC2X;Z&>oSz*9-`V(iO6fezn(T=)Inf#M{SL%A*< zxFh6no}K$O zsQf-G32NZWODwzg%6O?e?ue@rnA&dFDIg7H*rLhqy3iT)a_O? z4`GDd(4l0G6$D?>0_H8{QR6WaCS_FInq1BmQhZy1oSLt`E+y5#WeM-W5lx?s-9b} zWuJ~C$29;!jp*O@V0@6MN@O-t$a5VTBTN1D*9-kCF%l-9`&(v4%M&mM^badZv}`?S znmoGj0dwF@de6beCw?;f&K#k9QmK?IHB4#Jye!{PfryxJdcvDXbr>x={$us|L4S0ZG`4f$N?xPFh$2vA(QrbrG$E)WhWyj&J_O<;z6_X~G z*3^>(MCB;_ZZl%)30E{8MhLMkm7PCm(~g_05xZ4NxZa<*wQUBdps6RX-bBAH1zb%5 zC#J^PLfF$VdY&kxlp#tK|_$wVOIla_sIuL$urZZU*8=@$8^I*k^zHqSVEvxqGc0j-_~3 z`0ct! 
ze@391P>3|tfoGU_2lM57iPv80xc`@_bw1QEq2pK{r~keL?LvVXWdzZXe9G4S9$c@rl&VgW^?A4zpRK*O~2$OWftrAJI!S%T3k8X;{nX zMeoibzRmKlXuV2nXl-PBm&zXlH}|a7gCIbE!^&&)At0L7TLH5c3dvpIyY5NQB$$sFAm8rz}k!8pXO=2Dd<&eEcG2l z4h8C)9;aKyl=y`7>Li&+Qool!!^7LpH#BJpTm1rhifiy!A z4CR}JK3QBQETvgH>1442GWitPVED4wWp)@5h@C%~obqFfSaHDnlQHm=Rk27AhtPe< zNWDGFx9X=JC?d$iE0qNT&WejZ+rI{0{@eu=Z} z9bStQpLut|jGqo@fQby-+iRByzMgk2+Lr~)L;QP4NW^T)du4V2a26}K>KrECXmcw& zvS;L#M2J@4J;27Cjt{hs{oLPm54msY`};zP!pqKv0cKUkdip91T3`XZ9BgeP+kF4R zAv$1a-=~3C!WO8nX~aZ$eUU_2&iU4m_Z4%svEvs7X|BuHO7Z9Gw$mqCew_jx|NrR3M-gK77aJh5F3N=w~P45BI{rY2qs5tPF>; zc?bBj3eQ65&-CFx>zz3n3r8T|W=ecMhG+3#*3SmC8#ZS@{tw|LzqX(ogc++}*(e7w zKlJFv1<|8=@+ys~k?Be?^VUzOo=1QIAf4I5X5V4G?oZfrd+G`F0kvUx_wqz_ z%YZxA6Y^Rg;Mn#_*1yE_bB-BxHx)dTzi7@Ae|H&;B2}`#h84ka(0*i;=6#QJ8+)tV zp4%IK=q9F&JRXs@J6gemsdDO)lNf08hLl{?<*Xm!j3INLlMJI7**b%7-W|bi9q|KZ z%sBT^-#iTyy%1?VYD`P**f_4sk$5gL@#%yl1ncpQF{CHW@1Kj`%9&3cmbzkIlRmHZ<}r$1gGb*IcOgCD5|hyH z$TPa7WNU&91C`;K<)`@C-YxC=o)Iut;d0n+1I94A@)68>|CU1up znd-p2B#$scyf$t4tvrtHQ>*$1VA|75j-CZo-i{FgYEP9HZBQ?V_&M5Rqkjgd-hAQn zNP*Lly@!%}85)}7UA0|-R}H=G+ObcOQ88#A>#nyBQhu-EiyTurut`U5yjt$b(M2nUS`x3wS%TV{In_=|haOgVifmYw`tnvgojjoU++Lt}YDD{#j-a%@n z^;ny#zM{9b(Yb*Y2&Nh0DZ^i}ZGSn8Y4+0@mL$z7qvKh+$eL_Gu>bD58r}~dA}p-; zP3WhmcI*He_AVXKuT&K{GQ}T9m4(HolOEqf05HmCgu!F8WSzSf96j zEU1)Xct>Y9j!-EEsXm|Rgkx)swuKOGn5zXO>8)^+zkAl9ylrb0B8|hEuiLZF=LkH8 zUO+-u#B*JE&)P!brc^77n-yUH4$~|f)+O}LDpDUQb4TJ1@2I>Dm`~hco&W?!^Qnzn zP}N_xQ!^iUnJ>4jn9{)z{kI{f?Zgc9v~UEio_i;;8FY0OgV7LXndl~K4>oA%?gTN1%#qhK@dk!VUP@+b> z$F(uW!uWjcXC3=865ES{nY90ZGzrIZ!g;Yma7*>JuvHgz=p@T{Bg{j{z(xIU}rwVIKhe z34JObYFu}M=3PH?ER2bLO6NcVyR5h=ZJCqVu6=6gA2XKf6ozrPWeus8O56fOplyLh z#VuznBZ1HzrqHq@Ib+Ti;T;uP<(($+KBvs+NwZFAeZ`DX<144kjGx-#@6oi7g0`6@ z*RX`^yGJtHW~##6g8F|{i9rx)1@pv;8!;GosX*fZ%TBg)`5vLNWKqIU3*dA*a9x?X zwt6llMqq|oBmO$XGHEy{_x!HiTZ%;?pMai!!$BZNt9S&M0al21yeAxpk+mlr#Y{_! 
z5C+g|wSJ@|pxIu1q@wLYk+x)oHGLShPZ%diiuYFDZ)T&2=V^&QxsPJTcn3LSkA{l=uqQN>Zh0qSqH^-sli{GDu*tGa zccUn1W^Vg*WbkRLU-v!Vk^sN{l=1GBgd$A#0nk-I&DG`tlQ7k_k_s!{sEvDuob>7| zT8cB{B=Z_~9AS;n>rBY3f{9YsYOU=i@$Lq%It&2=^Qi zl4(F~3)HkgENrJ7JERX3kLuO8#!dN=UbY}T zyo1?TF^7IgV$ z#kY&7pDF&k$>4m|A|Xdnu%7m%U4J#r$Xie`IK(5~y`kYDKji`WEQu<*%O4Zl0uLkg zhC}ke0#Nb~V+LYS@Ob^xZ6y_ORkMPzp&|g#{NJA&wOW_~roU>O*zlqo?~1TAtWDo!jsusO?|-cW%j4Kp*7#8Q+(HI| z6g4=a7(G=Tu=D~*E!DFBCzjjpT1v=<-POd66UYBv2`wLA;&rjrT#(D?aa3A?`@;B; z1)f4;w^9Uf~;2F|Dt>%vb zeRcg0^)ne9!=)jUr6JO|eQ1GYn)}aW_po2xNLryJE-7!h`=k2Qhv8&Vb*Uzlw zFvRD>`ct`l&aZZkmFgaKdZA+T-T9yoJv!~#lpl=CizJs)el2_(Z7<$@x6+c@BI(^_ z858dxdUv^PX#r$sM`)@pD%~u-O$|V&|KL%9>OdUNzK$Fn3XC;vFHPG`0W>MIv!>0LTbq$G?Njhv2M3K?g4-5;AP_HQ#>!K#|C*4<^ zmAAP@NTl;s6x|Z@2tiMkUV4E?M33i3!Te9|Jk?F%_fj$#I!``ss=f?N zt+7BNGjE@R&E3$zp{XU`_g%3brAbaZ8H$4W3?R}Dg8j011w!Dv$gn+~AqK|H5TI`0 z0Kg)x$kxp>cx#>nCTD-`y}-j32E(tMFWKGpmfAV|zSs~PYg+cLy011Yg#J)bI?2=7 z@dC9K6;vc%LvO%JzA{aij2qTlRLS!8p(4-cASzmDiqS(=LFvx4D^{oMs=Ar)uJ&*1R^m=cfzaim)uRH*}-HU-js+7CtA}o9hVV4as)x&sE zOL44Q?`TAmpifr=^|=jIBmkj)3kkEQQahM&&kF+hMO#(Akv(V6CSNjjA6Y6wduu$< zdVy2Aa*_G78QwN?_k!yDBMM8rRFeU)5zQQ#Nk4n+bYSWwZ?(2UW6v5VX1}MJ<<{@K zQc3G$u?XfJVKrGGbp0zL_FpJ!2n=K>`H#guX0b=rSAw{pJ*;4L19YVYo%sX~|t zeru<~_nGUvdC~O6d$MDIab~2J0Nq``n;0D9h4P1c!?q6WQNq=A9(oS0lIt!`*1*yI zJRBg+m{@#7jF$#bK^47NW&xSYi1t&=HnXpNqMM@YuXfCQP+-$I4sUm%Lkw>B>!%z- zBJ8z#TXW9$idg!sw{WuDl~p?LyzvgB2|TWrrdSXXyz z-}i`{gXY#RTGYLe-(UV6IZ2^kGuU=eqzaEJj+AHR zk}2PS=HP$0`V|Nwh(O~yV;io%5;5uavWyHZ8hMY0?6iB;G_5n+(s5KX=P)Nkn%7qN z>*9nG&``lmOaxduc@=b9t3G8^a64N0-cPr(=ph^AUVYT!q;>&4?8{vbp`LqfwdvVM&?zem~ds60B?#sI5o;`*Nk06?8iE1{}$K!FGF!OA(F#`-;F2bC4r zKMf7ODD7@7Ic%CM5tl=6U!?y~%rP^z3~C}DvyU6!h^Kq$ZBylb=}#(9Soergk--nk z!WZaX6fgw-`X}5payTOSg}wV&ybn+!|mQl6_J91`ML+3#zp7% zTn8Tce)AVH|5uYY&^S>7nkN79BE&(8>{*~XEDEu?Vu^MqDlBxIVFD4&GD4xQiz*Az&+p9IEx{m-~a_&HF@ZyOAGr}EFla}(x&0bHQ}1-F5G{%;S+5QFI3etF@_ z&3v}AM1x6zY-Cb^_w4>14Qi+Xee8&cti`!4ocilrUJ|^CL?=5iXyJpC-2Ng)`DJup 
zUUAA~)N%~zylOka-wx+*N1Z2rhsNkOlg_&`q9k{IiRz<0M?G(6M0L{kcFhyJ(UMqP zlwvHM-0k2VQ$RY8Tb7SpI7A-$p0TVm&5w*qs{odtuU9^SUR~V4oe6W~8;cXs#W=E< zEiw(ftSvjqJ(h6mA5b)*c@t-8Fk>b|(gyB!r!k%rweZ}(v)kOjDpVf&M!O2hc?KN$ zj_^92I|%%HWrh zQqF#-!hTohGV1$)sp=?!N9mt@Vg&BsR$VLJeE#= z0w0jKs;nQ-e#(EoRqaZ|ow(ZtC ze*>=3w{(-{F$u3qfNP9s1ML2es2_uC7~OFW$G_fMpLNOapCoe4^G#6)BggwpY7GdU zq8^_T>xbx45+Md5ga;gN4|}m$zJ%vvAk#Wq$Szu}lLT(4Ar@wnvJm}o+;E-6CHlR^ zD=$t)uJ5KY-f)j;=!^V}x~=)yL=+^EsHjoGv$kCSYw?bI0Skn3h#WEcxx|~Yg;pMo zG!gMU9?S8TRpOfggSiVrA_kM)ooU^aI&a~I&A$1|I9A0?;P@96v%H_fLyH670$2lA z!eWC=4DmJ1$TDX|7WuQ`mQpg@9e6vgg5Z{B=4X#EQ}H0hr=cO4Vlru-$7 z67i@Ecww*?7E@GyB5a$n*M(#@UCLgM&Pq!4(!{FLiMjO`#UKu1e#kWPeBi#nDa-;W zOb}2g0Z=HrLg6>RhGeCJ@An?sb*SCMmjDI&o23i8lqyX{FQa*^O+}&*h{|u))!3|8 z(KuT+d3QS?deBRvP$%$71==7v$dh~b z=igH5ysw2e|TWU%m?(rE~W9+Z9tfwFQUakvb#+@Jh)>g zz53iDxxnB}X873Toh>ZV)SEs|-7`)N8TiaK(Jkwskt5h+QEmE8uUF0~^JgtZC33&# zNAVkZ>iztw4&SsP&lM*|;y^gE_^nYW zW>KP=6By-hygbKIxRURU=v21c+y!ElmmRkVLKfX|kXT_Rt9+6(LgpLFbqu51#{c{F z2>-r_gG-7_dUFm-COnyH<+jfDqAiNl`Hs@mB=~yOqKO6cPEHMCX>x}Df$lfJ)3b;@ z&rF*$-~k@8Y?Pec2?G3l!oP&sxmi@f7V_y)p=g%1d-5`8X~C6|8T9!F=}${CP&WR- z|3HGgvGTI!iCC8VvFBUAqFnWK=Ir` zufK>Pw+>V}2O-a!X-R4ipOf=M}P`*_tBGh)h2}Catr> zEr@a&gi8F^^I75CEu8N@n9? 
zr_Yv#slTo9yZ*Crm>V%8lhVhVJQwDka=mxbe6poz`DJy(OF-bV+{a_2If zSvP;+>EhHS!;d_2(dT_C1Hw+d7WG*+m2(*q8e+ed0OJh2%*CD0i8;2UxQv9VT8gGu zxIe#K6UIgsy~2)8Q6i+M$dXL}b?Mx`an-D&;9;Iz#iKP=+~`Z`++^MihOVD^%R8vA zH&Pc(NBy|=Fx7uS5Q*CuE>|`l9sP{@PD2V}nM~;zXJlcixQ#K*|A74uP4Zg*rgpOi z2CDV{!b~LqOa6y087mY32LJ!HPdMw&nki=7WKaAS7VtsC|FchqKlgE> zw>r>-0+Ep>ji`Ttg;yf`^tX@eW1w>_mGza}uYDYoL@cY~761ei{)_*np$EH=pcR`*7yC)w+@j!WSzDi>s;CyXijBYj*WPG$(3INuLv6TdI=-(7#F=l!wT82DW0 zoiyScg4gWw#vHy0L>>?*H%46pG#qndBgpQGgqX^l94PO-?D(;U9j}2v2*Px{mXXCw zzdpI{|6%UU=jmaz}dJ#@ZxPUrW$ocX@Imf`Df4W6CV=-?$H%6=YPk=0DfIClr z-bZzFE2c1&bk-)u|A|xE||75ciDc*N%7DVSe8VyU8W(T`Y4qr zt1PdZ;pzLWhhKJt?)pRMerH*Y?vtqZf%|M?b#NEC^KetM*Wl`THaHiCM}yn?yJBDi z#Bff46*qf7JhI0J+J23nt|_y+IG6iLPXHbq-w=r0WoY=WDiYE!=pTU~7ehYP6g{D4 zx&KQy{Lhl4)H<)hnHc^>(Jtp;An9Y;N0~&_I+vooF3%MgD>G0lwG9wQAVL5)xtCSg z0UrP)cZ{}n44K+5Kbxh}pH?^$cgy7UkvB^AN}?cuvQ+nn0BMT5TB8Q&DTDQ2Y%L#w zBk225UJS}B4loZMFV08=?y1&!9iZjr_SN|votFl5o}ubAZ%o=izd+#V3{^lywwl&A zmo~D}aMoo-Wp%25&H{-Y4DEZTdOff5g8swnuU*nO0WQx!0v`G9S1vQ$)|5UbmoqgS zc+=^*_*FPguCQMCX67lJ6?fkIQv;=-$Lmo&t8`ZU$K#*QZmlp)x6f4sF5e}JXOxru z#TJ?J2OblL?$b{!&WgKvgghh!2+Z}xOJ&BeH``ge$L0O|xG>mzCA@LOx2xN${{3^s zN?LH7sr2-i33nc|3>OpW%_FLZHNaTjB0xP(%!HoXwL~Vs5>=D0z4zvK6A_itBkH(2 zksr&FWscBg(qA1O__cB9p{Ft|oINdUJ?gN6ARrdzf9k-lIVl2$b(B~o#2Z8YwzYq| zM)HbGt+9ut5TALbTd_S+VTXU~vieRhGX7^$I>2d|e>;u7vhxX#aq%J7ONAoU?c3v_ z^TiLa$d6U;R1P^?|KR5neZ&f#7uEl9^%?FwUXBw30lMvEl@JdK^xFTkYv$HymIHOw z+oVHEMTBMwB4kXBi2fmUt}Nv_y7c^hQ=ZIVtqc0lb#z5dw0IzX91VRf6>Y*!XWoPG zDrRbc9-y9B(chVNFFa5kkPK9hI}bQZ_aoru%fG1x-5Yl^Gje26{$zw5AuaL%@*`yY zCclJ3Oe7xQkY!3YGsV^5%7Bd2h=3O;2b_0WwAm9YBxpi!~i>m*p-!XiP zbG;SNvb{P{jvR^0YhqoBmIFAG8>hmn@y zg-5w^)5(VMaI0JGS!o%olZ$#GSnmFEi{7LJXK-h&ZqK8a1$UYxaUx35na zuwH5PQrr%))T>vSFPN%TT<&wf^F?fm7Cxqdw$*~h=xrnuW=);*lBz=vDNl<{g`Qr% zIs!1&tkK;QAZQJWMcp(Y7ZPD`n;gH{dKcsEK_P>dhk)~9V9qc4)zZFnqJ>IOg}1rt 
zL*}&AQ~+jxyJkE@Mry@YpvSeG%`j%RFPI^6|5qxM%5kABFNxFceun!rLN$A%iExrwbLdXClQ6#M|}Dqk%__imt*_V-i%!EC8#%rMe1|d;`nGuNk(Us-XLH&ZU0!stLNU6Njx7V3ccwLRpMtsJ!kcL=VgNvKUVRYCyeSKEZ7+UfpKM z{SiFx2Q#*|5ATMrLqPZn6EEiNGXhKL*ZMG_qfgyXifu%eMv^`3M_zQiunKJ1+$sa3 z;Aw>8WAV}=c8^b{5sKh8i*QnkST$|)!+u;X;N>3_If1UhZHAqRyjT>>m*5C5#FlT{ zkXD>9QcQkBVNVp4Zx|rD{xVv{Wud8c!ZqE!n%2Z?>}VBi)GAHYC}G zR5266SKkyu&4a8h6R0w+s?=`nd2|MwLpJlUuahBKF=Eg;bPAcN-}6RY)gYn6f($?6^apKS_%|&?;rQg7n4j znqa1N<;QfvSp8ctVGF`Ts)+_7v!UO+T_ozqNkc$jcrB^l^tex@sz)Uk$c0cYNzcQ% z@k5PO@~u|E3&gH^Tk?AK_Z39FA&4)rT2Tc(J#Xw!B`Y0bLgO6kHxT%{sH(`vQ6_*> zJB6E?c&RK=nARsmE-l-(85q!2G}#AQA1SM^CsBp(WXBw`1ahpy8yL==WTu&(%(Uei zF&e{tnsarGgvGms%hR0*udhA-B8>5`OM zQ{#nYl$1fnIh2;_^|V<$>)@cvbWoVA2rKS7;8zogU6M@}RWV32L_Sm|Fa1DK@S8-I z3cyT&l!c)&M5%cv9L(>81L1zvepiO9XM2i4*^E9=VL(d~XAZ)60wBpV;&6<)iWuH+ zQ`W@VKU6DE>D~h1c$23^rdJ>-QYKIVP{wpg+x$?OrS}0ea)avp1{?YbR!hHzDIDS`e&+q81mW)31zG~ZP464`=DhzE`m0`Sa zmKfsnl`@t%$1%4lchp1$I;23Za?Acwtn|$`2-*FPe1nqRI^X&|(IXwZk=SvKDhZbN z}~bhM65+oYsd)11B=`{&PX&9dohwq#Skco&ow#$54lHJ!}ONdF6&Y#4NT_FNEu zCH%Z%9i%OP#K8kK!xNT9rVWwcg00lBXAi8tmpS)C_!c(%9O)corC3IO17CiW0 znG0XufUOW3SsT}Jx&K`Fph|85PaZSq#?D=mpR7meul)B_AK6x{u776(Kcc({6Z&><^>H~leQJ=0tq_nM{1T>_6Ms)!dd~FT zvO*fO8MQuYPot+Mvk$@*&f6KZ=mHsh-YU@uz+XI{+JavLC-;hb}~B~ae&Dq^fK%p zOjccs>Qx@L;C|0-I`!c{F$}-}Rj)9EOzAac zh%$55G~MR*?s~TUyH#@d-NUJcK&f?TB$#w}F&2@bS{4pG)!fh1(7~wd zz%@G#?1S5_kA7hU z0E0yW*IdvCiZj9c5hv)W`cEhcz%Yz}YjEY^RlYz8iw+{@!9oA|LqugbU3n&(4g$n{ ziwcy}*I=OX04M(cRB+!iGuF_e8PvO6HPh>%^Bu%dc>i^QEo!pWs&?r1N0zyioL90` z1KWaZ*!c2c-jaW^hOWTp0NDe1kXd8*ex-%S-CHrHO13ABt)KTB5hAcT&}P~RY3cvF zBXlQF3nVs+ldTua6z5`38tWb?BHXtlV3&`qJn7N@7qkDVbzq#6>F^z6>o>58>jD+l z;DZqMq@_WDkQwk7*|H8ozbUzqvYM&A5k*vWCH_)gV(} zVfTUTrHjDS5WdRkgBUNQ__eEl{Y!JYcO30iIYiY7EC3?WP0AQ> zz>tjo`W^2}BR@zUUT@~UBz#}NXIjzI;w-LBlZeBDuO!EuS=Mmn`zKldP}Gh1yGYzp zIImMb@FId7xT~%AwgOUlIaWXYpHiSJ=muWO7S>d{be=OMB{fn6HdUtyC1uxHXpoyJ zCyjQsb0z!i$gNhX!oYR@l{G?sRsKY=7akpRMkhAUf!JJp!tr-nC>ntoTC)M7P^a$j 
z&pcvzr+2-tO_ke;0jGZaV3Ai-ua$zj=Pgy@zd3V=2~xg3z_m5lUKl_~Uuk(NayI38 zuSY>VwgBEpJ0&f?Cd3cZ6eLB!lsfemucl(p$_)wl%e(hD}_}j;n@AqBI-LgG_%lZAz za-u2E=GTOsGazlkBhTt%L*K1ON+rByQPgj)I$0AWljqbe`cO~%aNB?15^9_gy6in3JXRVMl zC{Q5O(bwPKe2qd6EPe|wH276uMv))@-5rj$FNis5ayi!6Wn6aMRLr$4@n43m-GJnVq?JE{5r;bQ>BKP!>~mh$1>`+k$J^(l!mYHBgk{HyErA zSJ<1^oo0HBEr-Cf(dcW&tELnUtDD9cmwcJJPe4t}|A(RRWG_V}-PvD>{ByXu)DrFR zXP+Qx5bJ&ZOlv)YS1fmhdxArQ-99rWeswM3RC;!uNsC`AqP{podC}PPvgq<07!(t# z^-{T<4gn49`DbX5lx_VMb~*Rv+$ec7A;3vVovWrAKp8&#Pkf)8hq^Tbe_Xv3wrzsT)&pY zYE)a#>DMe3;!@DEabpVod zf9Y}1lZB`&qcw5%k0yw(oYWx#k$oH_nMUPv65FEzQXfZ6`81D2x4GU-G;u2 z0m@|q>*JmLijReo&&7O!1g0knZEqPOP~8kYVm}R#j=CpgwWqxrWnNsM2=Rd0S^Eno z5JMlEacWd1^a!x*X;{+TFd9@a)y*Pxn!NW0^eWgjg@>%7p?EOmrFU&Y2gCA4Y41VQ zbb;fCX1tp-YEFfdkve?z>>&Z=kaclk?Auk6Z+b9IyPt9{bSu^8N~7c&v=IyIUxp=~ z`wxofQ1SA?>t&wCEME3S%qr!NKlP8 z2o+}R-#dux(|~2j2nQROg4-+mOGE))r04 zh2Ux$)}C0kknNksbT+58zP^&z3NHlIz$*g(O5i3OnC^Dm9~_YBRplv}nRNw|4nkU2 z9(R)#)KO8nNCNJg1b?YYMuKJp=fqg)3r!2WP|6WXr-pzew0NveOO~%5 zF<&usW^-vO94ZKVF)+z^*C><~*LekQV~eib3huBzWW(wFt@*wX-XVRn&Vg7}V%J=z zdsxn74Ufow3xobe4e;JJ_&uHL{3>w3R*oY&3dprr56i0|U_!LloMNUN*-xeqJ+_7dBo9{@nZ_6`6?!I~;lUD`k@zd1? 
zX>{MH{FGI&i8)Lp;iO+L$QgdaG%tUg7#p)H$ajwiK)#LG-vgm_;UzYs^!e#%LF$w2 zijIzj_SAE;F2-w$y*WaCFp%|@?}wCUFsQ7LIF}ItXACJ)EUz(iMv5&8mGhLNC>Dd2 zGcntPljR6fYTo3B@qK^w_!sn( z+ha$yc(iRsFD;NYM^D6~%5-)t(-E1>@8F@aANEPApX(`=m?U z0LHv0MZv$rLx(5Hu*(R4iCPArl^BfJn1G`n%3h7y2w^ z{zTPyJ8F&aj9v@jD~4KQ;MU-z?PESdZiSsXZMYy0@RQd22`5Q8e%0eD7|%A<#Eu?Z z@t}(bnP_Acf*Y;bp4F4ma|jifNtI6}sf-CRk(vRbBtpfJYEcQB3Vv)$<}KqgjxA3Q z7%iom3~2~26e$_sE6_s&oVpVw|IcKX-sm34r!1mtyc48Or?q*BVhi$Dt%?U@x;}&+ z6pqKOzan%r>O?bKI4XSxL;S!Bl1j9cbJ8W1CRU=ljcGHp@RUr8NsYrdBz-Vef0m`7#Tu*;Ks+ zMhX++LlK5T)B62igROJsO12y>>bEcePaX;w6#B3-RaD>l782GKsyVeR+2o$}*yC%A zTBpb?Du%P%fRi4W1T2yj|m`#Ko0$BzG}itkhtSK~njr-ytmq~>*5K?J?j zny?Dj7p2Yy+10+n^AdYAnjx8<+T3|ghgA^8ZC&q;8O2BPJ~5uv6b!Y$)1O!-(0^ON zzDeO)Lt=<+&r5n{cJSYUp%p0+hdsg&a8v|4;Rrs2oLz`r*kco{yI(B4dMoLAFh>#P;*7HdyIc=M5YUCk{F`2Uc4q&hNTWWtwp z*isO@{FvGFrTphffMGqb8qMqvEas=Qh91nTO|?}!p*Pzg|5!rv0@)1H_lCm=4HQui>^Tq8f zgz5_hlfcqOWHoVtTbPtOcSz)W z_wTvp53$JIO-)tpRgL?c=f>zz57^~nz%IkuV@^7?>C(Ekk&%7(vYa6f831@iM+6)a ziyo8zup;QDEy`o)#GqreFAm2cmH$fKO_}>XS85byoVoRV!Ope&7}GOMd{1G<3KlLP&~@sI&2vt@RQnA)4XoZ9GkK z4dwv&JY7E?#1^;V$z(4tUpYCoG!p=}0kZ4MB;bukh8}l6Jlt&_D$?(W7Cfz?5=BvMRjjpZ|K+A$$K@#;Vq!N%B75^ zm1120MWy$@-~I&l$l5YJ_$DEkE}Wec714slE^Nd=<=q;e7XYeKg#G;FK#I_7On=z zao<|on#W`+wc5qZi9wJGzRJ7J4(G4;Hif2Mt>>ADxI+GV)Zc1*s95YQ1-xOyskTbM zO{z!50Szl_P~kox?f)-^yjAUN=eq&|>DI@DEIcd28{ggOVoNPxDq4Nf2crT<3bH`tP^~SCM^G}FLKZP79?kRv z{2Bn|Tvi)-OlBz%1h}68C>4E*q^717)vI5ul;e6lMcOAH^(=v4;?dr^-(jA|u9tx- z*oq8X2|e1>{TBw@=e~cZspHJ*6?N?d)JhV-l+IGt-5KUL6g&J){wf6>oSyv-J3S-GU3#?uP0G5n| z0H=&h_{)IPZi+xsny@JgL|pH$$-)tqadL2sjfX~%!gq6JTFk~$T~^JPyenc)=G*{- z0>FE@vm=gnQ?D|vuoG+TY0{XKk79sXVPlqfJ*oqt#c+{@ISFb&C0*Ezj3E-kmCFS8 zL*IhxS2mpM7m95uGLDjNh-v{)QFy#f=`v4pHdT6(EDE#!%8tLD_CKuvigufj^|MOa zqS)N8(Sogde-4_2C>D$58Z{&;`fUflF=B{V{yL_8w_zf3>I4&s1Q3?HT7#}iJGi-4 z?QwdBZcs#YWOlj9pQBpOLPJq>{F&+baR=E?a%c8wR(mzge0V14`+keB?sIRyq~(_F zHgUW9%_#EKh0ce65R%ozqrXPNn1@ z2)TnU1e7jhSCH^im&lq>Ppj|bCam#Mv7oNsc0N+lSJcG= 
z(<{=Pr*p~jEN`HVf^I!csCmR_V(hF}X6m!&kSF9E>`8}?2*a@w{&ntkbxA=(rR6g#cY+TLm9Y^s z-ig$!(4Z7QD*}Q)8QQMh4&|>Gqi7d(tCvo%tR5fo9>n&`&HA>9Os}I^Dx}kMqrb;3 zRVS?}Tj)(iB()rFD?FO60!$hhZhTyWW|czQyGn7&}KJ)gPtXa<=S%&UOi8;x2 z%gvUMG=Q-Kg>H=F#zI0l3(Z|Kp_b2cpo7Zx4HNe+kX=GIdKzLz_OkF>4o@W*f20E9 z@~C`Zp`bEz?0fcc%CW_hc}W|-L+>P5+BfT7BkCtTl=!dC21XV+{LRcAK!nv`>)`h) z;Q}4y!|^G`E;eHEa#=tr3fZVap5K!MBar1UAP!2*i0o8ERiD2bNAv6OgpXx)ft%%jH?dAC|nR2&s%2?>NI zp5G3+ZH_3IG(_ylJY-+N(J%Br{I+BqW;`)pvf7GiSC7-GIHa zYB(b}HrKtEk>$utie|{ys0Y3W_Ia3-sLf&R?-W!xUhMPRGNYEOn6$>&-pmk7Lu*yl z`Rqwn4ia0Oil8OQeX>@hc8t;W`e zq*H7xW;G<6X)*secow=->Ozh8*ZxNKCksG!2?NSg$L_c*0Y9ojP3OF+F2?F=TLka{ zGh?)r6m1PX=DV?E(XR@M=55%8=Y&|!8&08Y#Zg}I8q}<>EUPE^!f#TWc_}50O)T$JpGaJkmWzD#k7X9|_xu z-@x2wxTMjV;#6|iaiuKm?-MScPZ+Lr=yMPY@=FzV zawbToyAWdJjKg62LVzs|3q zv3sY(*vr!e3-LL0FKpcs)7d3VcNnOK7SR~jk5bqrf5;!ntwlwjG}Y_W5oUuExnj7n zH0FxU(x}@}m4`*Bf$-I*sgXU7ds0D9=%8$YicI2d_{3iEAe*GZL)6~NBa9-#9Jhur z?A??K36^(;f)!t6xKQozlLLEUL()Cpw7f0U z_}yoD48Vz@p+11dLrGM5-Y@bp1>N4Y^dp}tEG_)93~q$c`4m$zst`%+I)b+Z_$2&A zfh^*wa^1=W;M3G2GSnjKla?sQ>T`D8l<+x#<#WdB=The95V<+^az}0r`MzUkYJ_Tf z(=CCx&{vnTlsbOJA2DB2viCfVY z#?%%ApJV)6U9Lzuru^yLmJ(GLyA{Kf^FS-a{Ad&H^{Jq)M{dMPirLp)T+JDrm2>yF zVv!Gd5^w>Xe^Aw5?@LVs#yO?K#zIJ#>x?qgDli0+sixA{ooh5rcy!V`tLW9a!8`dkdi0{@=X%+hcv%C}L-#PH{_N#V9O%I(y*rUZtp&R2R6FK); z$$78Hq8zu(2g%(W)KYS@MC{aaP5ixRg(&g{+`IyUM=e9MPthu0Qw_Ug`LcnOH}Ed- z=_h)R@M^MLgil1WTujH;g%W*X@uK*s&I*Jv?(1sr%T1SOL1RA9)CDals@F$0@U+~- z^Q7rxS}6zs0iDw(fAgZvu819#=J1$gH5wa3mP=<_lLyB_(tEk{ewm_gHbvl{6<${n z%d+mS_~0Zq}T+n$qM)j)!C`1BgR}7Hjd#qz4um^vuL5Tu)bWh=X$t z=GaWUeNUF4S-|hgxA@gynCBX_uV9Bm5O|X$v@c=Z^v8qBE^X@uiIg+WDCh-;WPJ zU~Q{2zHBw0{<}J%w|(i$2?g$ece$O?3IJCVbHrLl$$)VY>{J=5dU@P642k5l=vD{?HIo9{cQ0~Sk`=VKcx=KgoVNYk9E zh`uv#NYUAMEG=pI2)XQ)1Ic0AAu+Vb5c3hhp#bc& zwT^M3m$X2Z-1x+lA{cIrj}o^v;Dc#@g!jvy_7p5QjWOr8qs^>-3G}XvR##eR3~!rNC{gbel-i6L3TcA9T95*=44p(rsvgj|lrEm3t2 zxI9TguN?gA7S047X))-`nJxb}f8c9C=3=DCILz-Jt=O zik!0qAYP7cGIENCE+TdazoIPh!#61Fo%>Zs@pzx1guCmgH`>{S(uCrKDc64#z{_#+ 
z(+K>jdmnX9)dv&($H>oX0#bvLn9*EJ5MUC<^B`%_FK2p0x-(4$QG5G+nELRyW66e8 z6rkhDrr2RWCPvpQhd*>VmQ! zCbiec?u;@r>KxiVo2jqcQj%sjA(8?HzJ$ArUjVb_B*W(%ARUlA#|Bl5|DK8vzeDiA zen_FKdN$DHv*sr)zIo*9u@?RW0*73&({Y-rz886UQR-! zD7-uOpN}LEWAnQ6fu80Cw%>1bjNX8nrnjP6c6z^qIWAt;88!W91uB>L@L))k6)7Grpmj^ z*49uRqaRaF5$AT{PaQ^J-tpx92$Wgro=ir-gm-d34kdbHTN`{(TA66M}>gX%Vu-RV(Hgh(E5A(jXuf0M6dg|u{c=8x}*sN^d9Q=jF>}9z~f1~V> zubrwa#|&&PzG+hBKRds8#r4r{yWB3&u7UCPemvJ}#vl3)?8Y$e%K~bOa7ktdMTK*< z8rc{0V_#g_*ck(~KdO)Dy>t!k2`mcGt#kjkgM|`i`+towe~%XNJ_H<*+xdUa2r~CS zSsw;=tHP$k_Z;fs|ApHBEx}}-kiI4+r7x57^_ljVcVBtk_ZFMUWOs9|I>bPKX}?E6 z-?T6=aC3P&LObIK@w8HY=W_W>C3FYKB;}5OfJ$h=$H_7~zQ$KB@T>pj%{X5Pl?|ef z?RHh@=(noHkAYLQB!rTZxCRZFsyGMKF?TL}+EaCp%rX%E6GG$23Y=gylG3H52=!V~ zcaRM!6+aFb_R+=6DTXMAI=SP5l=sGhJ>zW*H2Ck3Mp;Q9}0@5;03Y^@YhIu<%-S|5Pmu; z!VqNFaBsf9Cz-hBobrN(g|o z+ozo#@7b9hQm6I>4utFsI3Zu@XcIMNyMh!sQ(im21Ulz2*M-nL#V~)GyCMOx{`?|( zJc@Q2s<)AJyMy;k<`~9?#C<^@{}7nIbrIM~J*p^^_0%ydVecs#^h*4@^93#oZ}Fl2 zpWh#}0=kg|c8FX3{(&LuB$j5KkPXzhHRmni%u*_B25a>>Ba}aGEY{Te@FifN8d!N^ z3Okm=`#s-hu6Ctswq~(w$h2-DanLAhVr9gCYzE{N*f&!<2cMfMMbJDP?pc$8mwT9Q zJe40~Pg%2Q8Gs%=@2X-k1uF`&#%vF}gApTO`L(wLBwO(zn0E(n}Xo zZNbUbiHsArSWzgOyAv$S`&MB8PJdA%d2bs31Nn{Y(wEXSyZ(@Yu4Jf)8cV8Sc8W(r zg4#t(*+b=if2_$K_#qNE6-QXSc@eROB1is6F+de0c= z138Jn-Y3hRMy<~$4}=_FeBRQr@w{xb0|B}b;)d2t^|eyKqJoth&s;d zq^^xYPN22h$HGva2rCO$i zK=`ALN>nujlSywv4n%pJP8Q4On}1bDa@gn@TX$>s$wuGb=Rk;6w_9sy+i$K0weSp2 z!@9Sau4I^nO}>|{l@;q#&ecWXx%QZ<0Nn?AONJg3PZ<>fW3s3dAKF<5oVxEkCTgdo z@SgmHP!x2KDMT20S`<{k$2^hwAhIzOfaM+Z5oxU%#S>T0$7cZFM^J&=SvSZC9Py(I z(46W&*ep^)TOWg;O9I|!eNJXWapk;3YmB_O1PC{^sSKoSC$wZf5l`H+a;{Y4PeV$i zPI5{M&&-=$c-5;d&u)j(V|{!6bRJ)m(@le81x}w63BG2}Ic%RiFjO`xbtt2`^0O@X z%sqbd^yEvYi`UXl0s2`9z(tl~<*Kp|y5!P)z>(QB4@HHCP|J(VLO?ew`Uh0Y-0yyr z39Y1Z#w8|o`ni-@HhnOl4|}_%F8Y$IiJ{QoiRVeaAqaXqoG!QT zlY!zLtq+XUJ|_`;24%rF6O!=zuE-x%;ks}Km!Tl8cwFUOo0C~FD?_#?30`kT% zI-eVH!qj!G^w1Cm9hDK6%Nk;3i8F*=nNQskibZAo8`cX~yk-gK=sm5!yDENhDd&!U zG+JRzcu{5(ynKMSa6m@i>BK-vyt9o>K<|FfSg3qXhmK{Eq?B)W;JFO30*PVE(EncLiE3lcYj 
z;4Cm*Tkel{EN_i2%|4_NV~DZOOpk;x;^I@mV#sE5{vyDezqLSa(2_* zpy#kgE>GpkHP@7Pe-;#l9FRC)_DIkZc>{${PQU86H8i$9L%G~5&#Q67LjN@tSGY)c zcY$x8TlP`7YO2CmvbFyi)rNgNM*)kZPoGX(R{4gkTsZhV!a$aqI8tlt64mC~F#;;0 z41Nf!^jj%%YR@2kSxJ*J_ifH=%~(6N=1@jWJs0EmJQCmzMVE#%GIF+otfLebB}D*e zNXo|MPHTZznG<&I#bXql@NFNkjkY40jZe!#QFiCVA_{S3aN}ryFk5P{QvX~Wq?qLL zx~1yz6?jh7HV25Eu@FMs_?$Q*oizsMM{FM=!1?`NCobpOED1K$%sdCiy{^GW=|gxv z36O>&E%A=x32(IO5zyw1^dnwSd6N1=x3!Wm(f;G_|71C2nB8}6R_WsAqhnwZ<`;A& zpFh^NuVJ9OON`9*UXR+IZX2O=v@5T=Q0wogOizwJme0&?S)Ds=el92MMrhg<)CFyF zO7M3M4VJ<5<-{(+TFG*dUHXVqrCrC@a)iQY!bOsk5SqVQEcqtc_F?q7H_(6r_t_X@ zGIyTjIj5&cWR~QjAqAzl+FvM)1U7OQ`!kMaLsNM~9ZZPj%97?Z1>VF=m=D-%Z7XDB z-MVCag}e(FH=oGIqjMLJ=x$_Z*SyYADIzrJ#Kqh&2lh`x5ggU?w^0aC-|2Z ze=??N0vL{`PqPIAuEF#S*W_2$;NlL~B9?}iZUU|Q?3QPWjKZAql&BsTSomj#Y-R0* zA`Yt0Djktk02LXK-7S{`$r)m@99p$?Gsj96yOkI392^ROWHVBNm%$du9zUGvLLdLS z`^_Pk>E2%wz=S#{|IMk40?B&cv5}L24iU}?^Tc62j(bu(1)bEoG)$ak-^s0A(22YW zZsU%I8fWHay0_M$X)_64QL_CCfIDGq8pC)=(uYRyplBc#oRPZLSw`I$U}kXd8?%s` z#lMmr8)G#m7J*XEtQ}$eiwVNh*zLkv(yNPxak4g92>18TC!Al!2cih(G>M@@Z%Lje zH}(OBmyfaJw_R32d#*P^Y8&gc;)`TZydH2vD6n+r&;e}7UakF$>sKy8Kd?4k5=(Ua94|0m*1>I@#=b#hev^PpBGf03 z#e|T&#%#E5tr@U6J4b2x!9)#`HLa--fQ8MY6Z{iC~$U<4t9?F^$^y68!$Bb*p?DKHHu^L zeVH}a>yt7kZ=dPt%C7C1rY?TzjSEkIbX>_Nv4}q}-s&sH^S>`yX;cwyeXh3JbKkJ2 z=#G*Z!)srq{_ZYtHRqQb64oq!8H51fjW=oPU`gbym|y1^uvu&T+v1IqLsGgm-exXQ zU2|9!a)*>Hy8gYa$ul{1a2D`J{zyRv!*0~$5{H=fT(l6Ahyt*lCP^Qn_?m0pIdVzg zw8htu4WY6kl2vuMErF%t^!AHu`Qw~{IqF$W)Gyl?h$b_(z=Sismf6V)=;ykxo^_5@ z@~CZgyho(6S9AMo{JLylYeztV7tuJ4XGxh|zj~~EpSdIrY9U7}JKV5;pGCJG&H3it zz2_7;sm0GOSU8`wWF5QQK6;dxbXKm!9RlRU(^frGo_mth$1l#5`L=X{6~{KI_VAhD zV&AsdJ4@MBGsn*Uh^ag66=>^h*a}#$wF6he{l`R<0nbxe!?q}OqPk}wN_L_7TX3}} z`YnLrIv3e`65Ael_G4F89ss4!f!&c(PLvSAm(d|jQ_##5UYMySRgfQ8q^}*Cixkso zUFJ(pV>dxrQ-imH8_#6Fn=F!BvRpo%aEjy$U_X118Yrej>#R;<*44%eCGDq zMyGk!oEt?u=HD8&-6?-&hJ~`EEcHFSI?&>9GiiODGUyx4Dz+$Ce0w-VCB%B4@4I&o zR&`GE2gR>6-rdjtBqVv}4q2@f1*Cs~le&qhE@VmH?>Bm5>sUEiT?HDb)4ErTC7N;> 
zv$dtrvzA)brFHKo&KzDMX3qRImr{z#`eGEqd2r&DpA?9k5&O|(zAIGGnNQ{^OU3z` zMfE}@uJfbwDz+}$n8pckq8u>N%C0o^$AnXN(py!2xqlR(K&U8x%Qr6^z-ZlE%QG7% zVD9ua%0Gq5c}bJRg~!OozS|@4hbv!*QPNG~(&~wZ0n9D!JTaNtm-}qxhur%vuIg)- zyb(P<#!k;F_F1W&OicIUyq(jjh3e&P}59)efobW*+F1eXs_GU zhsUFxPh2xSv{7ywXjIm)(LEuSRGewOc2&IXTf-Lz^8*Xpwz$fT)eqch3d<)fhuq1z z1whk7OHTsnvCkt_Om1&SJCOS!&^0`d2=00Ru6IQT_;B=scR{#6Y>qeOyYP73pBHhE ztHBv2e1;pwm!4YG9SBr0f$M2Gq4B1Di)DoZQ%8ZM)$7OXOyXmLRIlm~(j)K+h$tuU zIpGdc%QN!biy0mf@6*qdmn%JjE`EyJWG*&pa4JISqQ*haW)5gaC!y72 zDG%)`UFYvVk9m1JWqIP+n+L~e2YfAN9yr0KoIFD7XN>g@zf}fvP5=7t`mgs zmga${lijsidE)mafkqSRK$}{FQ-2?f@e0;pBUKG<0}7nYQhInHXLb0k?8l{&R7qKJjXX#C zFaQhFWmW%M@V5&8tDuY~-vZnAyj&XqICN6ln(CPu!$9&4TDwK2BNVw8w6d{fR`r%d z^vT4537!Y85CHU}19oAvpVsfffZ-_mjN0F;P`j&sh+vThT5G`=tRJR0`iN8*c+~QN1;`6Fj+uK^<$jUTzt89>nDk}o z{(%?loY&1yIKjWL-{mwMV$KJ=gka%jS$JL11B?D|5^^Ov#O0C+W3!2O`Cq*$v8PL) zne%oU^C$D2OtOghakl>wBdez5Stol!sfnXapcMPbGV`062cN92MO~3K&J0?gnLWu5AS8jS`H;1cJ5DV~+PBch&=z%{p^J^C4ne&l`XF< z5U`3#2WS5Y#_eFDe;6~3Z!LliA&S(*WS#a)B@Bted>8-Hu(?q=VS!wHpEe644=TS5 zFYvvDVM|*$FM{#Z^|no8-<{;-cFa!tQWos}M>2@fb*kReu4gQ6Z+^h{G8HO<+NVdO z0AEXfn#f#nnkC;uKtX+DB&H>#e7wBZ4iu|hf`8>ch&*dGwQbxApr*iP`R{&#j+z2p z+|NlJS}Ep|QDrr$5s-Rl|5Gh;paXlNXbLc}?Q~6}?_$RO{(y2Xv!J05v5@o;zwOQA zt?Kt1QN1{Pk$cIrQ!F2)!j^L{N|h?-x>k4^{&N(Q>3x1T$Wbu!75Ak(Lm0cM(g#i$Jnt3zA}~KQKX6aQ@*Ye`9c4 z3+o>#f9`Y!OQ4jQv}^L&hU&>t&38;|SS1UxC;VFKq9sY5w_Jm#ap{p*r%a3&); za~UZwDUDlkBdv4EsMw^Tx@7+3jtf-16nhxdwQ`b))McONHWe0vc!+kH8!qY|QI?W2 zqF6~WZZ-HV=bl)c%8nksq2%AfYE<8mA#ggUt9YtOJIZo- zz2`xz_Z#i-M~*a~zEenuKg{F6rDctvAs?Cz|9eld?^ho8hp(!CuK`E8^`Kv*`n@wO{xsi&ixX5 znW?&R%X;TkM!rGD_y~lv$>+xG6;I|o2qwQ+Hn63T4`>6YdbUHa6$$j`z}K7z$U#Orx>{O?cFlv4z((aKgY^eL1J`cbfvke_L-ubpn^J8 zbl)#Xi&Ba?yM~Kc-(?RUp@CsLSbI&DU*=eyxtn@^NUFTZ)pkB7?C5YK4tL!%$T5h?;%N??(&xD!_`=wN2|7PtVYm(c;@5NKZ-v&n_-W${9SeTv|1fB-R?g2-^>fb?o28czU{1pl zSCLx|0949Io}P1ZuJ2hMSB4!!y&=&-;eO9o17gCLzuhw|EGquPiZtH+xfuAE)eZ;) zMB}QnQdhH23Xf|!n#(0e%yD<&QuvE?76QX7t*xM*aYmMn%}v&+f`DVjsaXKJTQ(PJxY-|t+; 
zT2s0aiq09xfw!t7%D5?Nj)e7hpvEVqILTFr;<*8*B7z&q^1 z<_#nFjO~|P^&czI@*fSD3a?k$80v1G-T&s6_S=LMD%LaIt>{GCyMia;Re2V8FHsI7 z9zr4I>PBA`RtzfmQkLb-QlN+RKHCHH9wSgDeusPHd|MztwmSp-1DGL(=~YhUJzwLP z=v3#)lT4dzPN*IqUGD^y**$VgS#Rk<1K-qZHT2r<~fw?v(ZNIj6Si^!s@rE?!74st>Ijtc?G^n0xbh zsJB0UeB@GDuDaP((n7LkEwaRIkz|QvSF$goki-}Y-6E1AONM06*mq_u$!@Y6LPC>W zhQW-P`JMOFy|?bYpYQkg`|tOM`?!xDywB^r&g;CkbI$XrO0c6>)JS}LbFXLem^4fu z?>@|t2%dpMuMnVAsng&|3FWqlNDS9&$sHG1&W5q*$&Dipq(8aXKDX_V(3$jTyFe=; zohu+8-*#f5`Mr|lFU$Gbmv_0uKR#Q$t8=^WZ2n;Wv`@WYQtGog31vlxB#&M)-Z<&& zsfW~1y-fgl9zBvAJC{^C4H^RlPj~HXRGy_9TKrtHYC&Kqfiu|L}=L|fPZ)>e6H|RT# zK6drdP)o*M-W!`Kt?zGzo;~R{T*uEg^fgQEL8xJL-`62Ic7fGuYty&)O7EO{lJRU# z7gdQ$HbP;AL$k)E=1aTpecgMR-=0d{w3|yub2WD9Tj&$At%Po)bD~&^(|^cCtHgwu zj-+=Sj)}j(yUXmv;rrcDcZ#w@69Dst`P*lG`V={0hs>Z-=Z@m(K<}#`A~mF2BlSkg zQ##7iNRK{e-dM_ue_2+eVoE{{+Vx(@f$tSLVA9TQq>|PbVWNZbKNY)4+Y^>0P_4q3 zxVrQ$?>5|n=iGf!V&vktbK{6OBaRJp_tEIlatY^#%(K7ybtLKQ*=0=|MSduwW)%4l9_pr&I+UESt&K){_bT2ou#zkKjg1G}!BItNV%v6iC6lL*L6W32 z+`gz@J`FCG2*(NcgKHmhm%BJr#>0js>{BifiA@4ov#zJJS<*=UTS@at56@=D=lNW7 z?%Jhjr<^be;z0I467aK5#6Laxv+H%fdR7H7LiYAAz9zfaD1CbE(WWS+A8HUbeEG82 z?1?^yG^}JqLAP_^=w-gu`h&oa(=3aLhaw$H=IY2zUKUiv9D@Z~&Dw-ZB){j(`W>qc z$FAqw{=CD0`=EK^)+-z0b;mobEUod;>?wavdcy*o!02%p6z~*NW{_3xpjp@vZhCA~}@A?kZs|}VI7$t{F{C@D;)eaU+ zrdHLl@Pi+Vc3Y87dh$FvGndhK0)uodCt((g0 z3SrmvjM%{P=`mxA6X;R9ht1RXC9zbeE|ETPWX(8L2XG}&md99@u0B3q+txSw*FJ9< zWE_paohzCdo8Oo#bI)(Ow>>NK*<3q{>$sboB!6k(?fuzUDw_C?Jd^n{{I>hhN!JSt z#fw{S*h89k{BXQ(?^INcPW*7B_F;AQW#7PNQlI**_VkQq`_pDg<~vg{Apl_L6X8B6 zAD{~)>Dg2&+LxSE+A(rTC6-=BQ#)i+SMtAC)}v%kymrKvUV{5u0F-$0j2W40e!pxh<< zOwwu_iko)LTKs%h0tDCUcgdI2Wm}^9Tz*s7+%2Z=c7bKvZlQ^%{$qxt=a0FYA_8`$ zQYnVlc#E3s3ZiAzTa0XKX~qRG=L?mX`7NH?UCmxST@px4c2uZk;Dys`&*$SU+y7vS zTWGgy=820E_@044_a@k8Z2|?g^{(-c?4AYB@BYSo0nK0#!A1u=;e#@f|i*^8)3v2Eeb4b=Pf2*k-H+7}(b*ytW$*bho&va4AW> z`<|lCh_Qx+a@e&ejMbATmA{6ycR8wR1k~9RqK5+xI0Qd`b{B1RnAMV0jurz~u`_>G zRUcO2mTvu(fHHn91OyZa5J^B$3{{@G;;aF}M=ut6wo0(7^IC6q>sR_r?vS)tG&Gp* 
z^w&W)6K*;C?d6=je=H`l@!oOv1*4(Wo0UG-PJ#{n^+QjkBcYN7qjc|BBtK|PqUHii zOio2zejB8lwsUeb+bhP=ld0|kD9Ra^G{BJGiY^E}2VBRvBiGQ)5uWd-I+%r$HS9rR~?g&`_K5Jj#DBp@O9D%sL@_u+6TaG)9Xv!q8rcHT)-|%6}zUd zFU(Q-aMsd@kDu^9J=^tg3Hzw;G3qs$rdywqF$9vM>D~0z-7_bPO=(NG_}U9qlRfy{ z^eAhUYFb)cCmKtP@ThRr&!--lsVp9(tt3Z|N?EB>OncPga2Qka^LEE^F~q!|Ke?aK ziLoJ<5^%IZRhhtm0R0D$kKJT|CaZW8v)LIB-54zrfF$_Yj2aFs@lU9q$@Jfu_uC$Y zu4On$sWIzb_8#sF3cRazRd^dZI5jBziR;=Ea0eV#w)0;oL6hmm;7@lv3qXiZ^_-Uu zwG^yOPYLg~NDKv<4WNvyZg(NHeQLsn;5ad5M zR>lX($oox3d`9ryF|MR_pYHPj2uk0EPF0Qi10XLm5TJK!jR2fI+Yf(t>VVWMWn!H> zDz9)=Lg{QGfRrAcej`@1`F=7j9*7WW%zWFrj974WuL@zP)oZ`cR-d7`5+@6U=adL_ zbA*2sM&?c~q+Ap2Z_4#zo&bMy-9o0ujd1M+0IR!fA+LXK8vsx$kperQ4aU4bMYRHB zyKhGYYZzlyw9!J47_-nHBy2l}^ZSF9{g_1*V#E$5*)*NyHnVvtVH+3G`xgV0nA9wB z6}rsD{-XpqWV?0UnU+%XmNRvV9@b=ynx&+;Q(qTzZC3jHJ!(FS`;M1Vh;W;`6Kcgt zeT0O}F)z!xfRUJ`O>%`AY-svz7v4!wWqmvC)5zj9#ySKZS! zFOF1^3)d~V*O_4kDi5sb=@#h~djZCH`ymf<&rNWx3dRpTi8heL{iQ+l*X2*_OPGK? zsaGzsRigvjMo(Q7fQdF9vZ1GApMSaqgAGaNbb@akS(Ijh1+hW+R!3tAwVMx%G1};~ zC2YWLsto4N?N5VPIH?y)Jyh(wI6H|Xb>p%0ty+I_`}mtx3Wc1mL94`9YkakPJ{GX_ zxOj>3<$3X(#;qH>MEIBnmn+FTebucmv%k}HL1&H;1@sKFoVWLzsuX!?^#<%63VZ$J zqR4=5^4)bY-m=NE%)medEU0H=SO|M3y5q7Aw)r-Y@>c@wBVV#EK`2|t} z#X*A182<~w`r*ki{)U;yX_)AMOQ;zB?!kuf5Hd~Dq4_VYH%18yua;8UoEh%k$%&*0# zar@4Su=70DO?A$u{l(=2J4$aky^TA2yNQZdw?o2$3hjDrbS_@rf$;hPCIBYd89lB# z;^LK_NdGKf$gUY@0Pe)MKBGcQnsn^rutAFt@#SDAO<|79|)0XD} zGQE@eQ-yI~0}t#JRv$Xm8bK9}7WPLoJ4Z=HIBa z+`A{?w)JLw{$nbv>NtAT1#8vos3dBl4aKy0 zE|6APikmW5oFd2d$ON>{o6jJ|7ZOOMP--P6pJ*sJb zM`<87W2f=^=PI%4T1qc?zg;zlSxsb$DIC`mS#4!FMz{Og9(T23wDO0zQY791-DR}& zLEGWQE}ThS>GhViSH7p*N%EQF-UrT;Ww;P%!B(H?YRt*ai)geq`T}4fBeikaC{?fd zA_GX{w3#KYz2o^?GdQ>saLa|yVo02;IhY)DH&oNS2!y@ zY9_1vJXg8s8}H|(#E`N;7WYs~nepez^=o^Cu{6#1rLB+_C`aF#?6H_-YY-wpe5oY z`7^zk*Wl`VD9qmV3=3Lqlh7cRvMb_eT;b$TzRf1ED%)?y4IwH8J-mhA$zr*njYe(x z=A#~*8TXs>$`NOO0QB;<*+xy{GZ%6;)`i^Q10o-KVRt6YRZeQ6sN0EwPC5js$Qq>T&t`nH;qMaYKqh?Fx5?+vp`R^68VSkXhUS3~Bb>Ph 
zqeh9t^^sFmi&R`f?ONYs;v|m-u^RruYQ4VJ(K~O?tQz`WUS()yj&U02euai5Z^RxnAluwf_Pon%9w zS(;4k3j8!VxU}7JF4XcD%aPN#`h*9+E8>ccoSt)~^`w=CY|F_--C8#k=L?V$>Ni_@t7cY4%u{~Yx#e6+%A{)Un<%Mf=da62zDcBR}Sb0E5Jc;|U9as^IQ-n0UH zob?C=+E_QaJ@bCMRlDVg(%=e*EZWMuq#1Q;IUAp-LAzg^hV{Hb`h*HJmk}BCS;Bgg zCb6V8JUoEZbt7vnR0bJHqpZ_=`itk(ZJ7pVMFxF$d#+syh&8c#;(cI8u2vqo+kE(n zr6atSEGwy)ql;|DoZTDz?x-}3Uqz3zukCmH1T9$5n3G)9mAh~CY_7Yw0i!X>fzZzi zh)I+FOr|4G=9-r7ygMaXwMeiwn6X1)5E#i7oBcINk}Gm08gHRbdq2-9?7uMoe2GrF zkQ)NL`Bt%Gel7J8K5DB?!f}bbApDX_!Hui>e_X!mc)#cUpg~Z+BSQd?}2Q z!7efb!?0u;OaOt>l)llePgX1Q53qUsu8qamr5#j?+PPIhlInI6W&SzY9HX}{H?zWI zxntGFn{*MAWEi*<|M=|S;%sz2-H7yA0tBB#BPa$19s39zw_M;<9Q;M?M*ynhJ*_H} zK>aeB|B^bJ3D3`vbZdlyrvuiP4hI*x1MNtyxKUNg9F}f5pFEAjY&12(Vxj6bpnIFn^9Qk#Ax`!b#=-Z49Q&mY{_wK0B8vo#wC!g9oipom7XW*V4 zZHm!%BO2paz0xq;MNR53n09I_(dy!?(BO7hP-m}$ci!6_7O)^^qgRmD4ZhB!?pX3b zHbLzlU(nOrh@mfj#uLYj_&jyajftxH-JXgS!(oU6gpRikg07S&7?mXbdd0mJTt z!Ky;RMShrwHW8BdY?A++OP!)_i%)Z^jWCNPAAxCbRb-Ili;A|Yde!cs;bkI!Dkj&Z z#s0%4zT9Cjz*g#G0u(`9qL$-L*j@+tM_jGrVKqp|n~sxyqvdwR)GYvO!|}4wDMEgK z#Yj0bY?X(@7#0+$1=84{C#g^@haKtyPS|bWiR*YXDN^f@T1+ku1S$2c-ZZcN;>y*F zXcbUpqDea(t;H=@7LJRuSYqfUeaA5l?t0Z+Fiqh)&CsqP#K(#~vA-@n4cG%SK&5Jf zHdgHoCn!y>`=dX|wd~1U6<5s-Zb9m*YVu`^mbItrNzZFPQTh4=Z!ORo?Fe@pg=-HZ zMNRiXJ6_dE94q?^8!Fo5>^>%A0iTE^n-NL*Hrt!geg)1m%hcv2)jI9TR3G5~C6pG` zN;co7H^xtmkU>dS6+-5)iUza0`g_{-TUh z^KB_z$Cx_MSNggGI_Thdx(i)HNix?$kDpj3cULZwKW=V54fSDIWx-_MbRI9v*-UfX z`fUl*vwQN7ZPv`L_D0%-#ENoQ+oa>2VGYoMDuy$~8IsBfDwE$I>2v(@h#T~24$2*d zAS!M55srRLI5Z`vkf@8BPEejQ%Hmn6Z072di!)6JpsLVRN?PV(Poq1=tyotHgmH z)7KDBQmSqi?mdqc+X^;kLP+)q-Rqh(xs~Bj)N04Z?$R)fx^s8-3w^g<*TUB4C^O!9S@Ck1I@Z8-4=LTU;Me zVPHXY$y@LP9EsczftB}8U?vB_t}FP1qZMRDu&d1{;cC3lq}7&D>Pg$rJ)kef;6vFe zK66yw9^0J6tNyxWL=v;nctWK`S9|%BdF$!jk%->Uk2uVQH%`u?Xqs;&bwMZQR`5!Fpv!)umyT<5O&YxHNbx zI*@*HP7D2V-7<+f1s_#0$>M3FTT|)`#_HTYP~LvtheI3{^b9R7bTKJ7eBG?2-?*;d z`;YC7O#gfN80=X=$E}xhGj9+>EUPtER}4L0JKj>{xdnVvTn*vPsV_za)0-`Pi>=o5 z=(sc5=)nbShcAvsqHkO$wfXxx5HORm^Uuly0woKys6A$;f#QOKo4ay!#5>rcq+B>F 
z$|R9ZQ7p1MIgA0%NOz#BX766?QeB3g?t`Vc01KOxAI%B0*I_V@SYcDhbbR_>@;%l{ z%U!I>`ub$9Xav{cLlj}&jAPb%jzrkU(aYC64p`_-zNR#5LBZryTkPC6o=v4VZd(K!8Lc77HI6iYzx3X z7Mn79VQ)#HwHL9EVJb_(uQcH7}@gI+J z#NMHs;E~8#i%pz0Uf`z|}z%(_!5V659 zSUAXE!PsF8KAeccHK|;t!BZk}sf3#|m6q-gEPEnVab1BkY1Kv8haIzQo6on~ytJa! zhZFO|l3Sl^M7b`+Tbg2)YUa-@1&$hDi=)?)f<ywhafekGefd z#VASW);})`l`jpTJ2yxfn%1Qw9PwP>RV1`!VRZ)qJs*fvB8*5iH$;|T%zW^W&F1g> zxz)%+Vk?AOYa&x^J_IlD9_&5o%Svci?6I0zgiH%F`qdNNyPJ>Dcj=q>vJs@Ts@;tG zHgxRHIF1OG%V*|46xB?vvolMw*S;;8h`l;Uf94<6Th@)Uh{b-Q@D)mbOt`KA3zDAs zX$8Io6}!3oq@+%vTccH5;eJr}^qJYa7sU7X; z6AQun1_rlV#x&$zJ<8+JJ1>pZ->otrNnwI{gU&H9lb=>9iP{dF7kecsU`jDUBfE^nLmKfo0{G{}octda{~Vi%(~*ObeP;OZeR0vlb1k0)KOMW#B;8 z-JWv3-HVR((OOc%7X^54=>hvVq1vHUKJ+!GK-$}a{SypE27vPa9Gzh&cV`y(BDG$( zd#Glbf=UJJ+xq2$^=5E*(LP_b@&V8g$lX`wKD4fuW-uGErpq3i8aNR+{JFWv(NVyK z3mKU@y<_k(5aWtFmt%y9)rFfqn=nS|@+D$)d!*{MnfKDI%1i*mUIoPa_qu$`d;V!2Hvr7|2_tOp> zdvRQ`^PdtCrBvOQ$wIZ`IJIv(wTXZ}kf>5=E`Nt62&UhgOht z$tcA${6`)o_fI=scaDu4S3Xnd z4SS|s*7Fk_;+@-y7be^!vfGLtuoX6VN^lH6io6^q3{Obm)cl`0#J6N_2a6?0i5}2M zd;FfPwwS6%zl0Lj{s&Lyyg+MsmV7)(fn9`hq+h_#K^BO>)Jh8xhCUBAu;fAQHK+)~N@lwUa?z#E#0#84 z^mCe@_2k|Kvb+n=@%n)o&$%l5(7Pl9x&{g{TmffK$7*y{rE~S?e=06-FmsxC`ViK8 zFPO~=`iZ^=HO!<_)wNAugQg~LvysKk3CaApIs zU1?J(C<73~9tC|kpi@TF_&!kK`h%h>E$PWT;aXrqRlimS5-0kD=8*oMWX|EHa#W{= zPuKMeu!TA7e6bZ+mLIFWico8I@Z0B~Jm_LTs&m|$NAuH$OmG6QlqkS03tQa-9d(3o zFk0{|pI2)W!ROKX$jwPRCet{PK~%tkW}rH9WsMn>5PDDvG5X0-+r;XifqZemdHd7- zZKOo*>*C98rGieQukBgvC~sq>BPLM$uJ{ZHfZ`U+0`^4=yt#z!F#83n9C)AguDi9( zvQ;jsuK4?y%rz7~!f}GoE)UpkVN~EXLCqP?=v8i8*~?<77;1?vp!fTw9JXFT6ID4Yt#1$N zM|Mq{3U5^gv^ISEuA#x}x}zM)8D?btiC*K=gKdS}ZYG>rTSX!EIO;aod62jLRa%~b z7_e-a4C_oxTYPAFnUA&7v2?giyYy9Z;Uz6}`&g|aB@U^UfO>!dBgzwlavwq)N%*L& zAbaH{ zmPUcGG>}VtUNM3UgD@fiJc%m*k%`{K&s9dX=lO_BKpt_k=XU~WOdY%dGl$Je32Q#_Rj z3nFvu1J?cJNcb$&&D`cWEQ4l+Brr!WYwQp7CFQ~Csb~me6=3ptW$9*E;TfLL`mr?WWWz+$Ix#ZSuSQ4;%T1q-YskF3sMfWP z;tMr3Z+I_^i=3e__ceh~cs7V_0gy9WrB?ZV>Y2E>;*J2c!9TdLa7K@{&ae)A@QAZc 
zL)^HZ4vE&d)P-s{QKnC$_Tyr)B^o2^g|+xD)vm|tF}cw3KrYtlU95x0W?id;@wCX$ z-fMBB+SQ2d(mnE3TN{-s=KFW^vdiz^!hLnGl$2i95w_BZ)NK;N*F%kjSpag(>3CtT6nCgX{jWX-gQEMs zJ#mf)9M*%*+HOxyA-be=5GMG4`1;*Y&Cf5%R*&y^##rpftoFk+e6_4k8;(m419(bp` zFQA)iYc}(ec9R@)Km1(dz&dubTX@)W^c)7>h?7K?=d-(~RynTcz~}Y=ak!q}83q8j=B;H`hl3WT-s_K6QTYb?=u$rq^KLt#fpv@F0>LLt-VH7DF%O63#ys}| z#%eKeE2^;cR@9c0si+GZ>ugr60m_wc%@17X4VQxORv1|92TtB$mfy`{Opc1Xmm9A1 zrt9O~=OZ3jRwLY=3s-v`2g{s=gD&yMBlxpQ!S{+}4GjPFHHf-P1X@SkpJ)b(Pt=?sy+zdv$Xob)#>jHVy*Q;FD`rmjkEo6_oNcLkIYayo2woV z)m%dy&A{6Xv%cSXs2Co^I@`2F(JG_VHy8P1H#+BWn6EgzDQfFBt+p(?b3Gs24BTM? zxD!tNEi1%`^Nl?1>3wBc`BeN>wraQAS9Y8CESm^Lc5ZF^5)zG9KES*dF+x*Nz9^Qe zK0CLb4{rADFfkor&56vc8a%U*+m;pU?HP$l?mq&=o`J}bfB5Deb(AZSoN=7{UbYRs zC=B*EI&r(Z5TEOv#=>7`dg-aBt0wQ;v~^WZ%A8#wTaRenH=%6YoZSVjQNPK)S$PO6 zSqouc>aznzW`SHW?C^HDEnD}zgxWb>kyuPrs+k$Dr_LGqQn#`}hw^>4%Xb=YTGy^{ z(M6Sir_YSg<>_PP{s4mM(J^W!5A@m4;9;2nwM4*{7}5i7ihiefgT8v9(z($^Ha*4F ztH3HauGB1rr|XMRBH1a?!JUW226n$$D3W+y*DT&orL*Wt8R~@t_84T8Re)G4G~ba3 zXt523!4;(M1bM)MI)3N&5KocAzmcK@60-=i#g&p%Z0YWj`a9SkD(@w9L#yL)&&5w- zTuDc%ShM~5W|<#EU+8l!g~V=y`wU$>3TAuWIk}Yu(Emihq)C$0&^q(G&c^I0+@qizdLf}aizv6@+$@N zBsU82;>j9<^>+ zARgh*;#BQ z5e5(bz_fjia`fFiTN(loAI@fJ1CQ{H5D{{sthO5w9qJs$098l@JWgZmqzphF znfkLbWdqJS*lc5+)uE`zy!2|eiI{=*V&&#cxxPed;nr=PW)eYOXP-b80o@AEf8|HY z%kjd}KR-b6;jPc?!NDi6*C2*L#X`!K6!{75cXpt2DbTdR`O_1O8osP%gJP`IP#`i&9^%cJ~Gq6ZK(w zy%-Z?z1;<{e@_l=8lu`$)teRdsO;;77>rbgb5|5O3A*|GgK5bIbZCO4sx%$FDjtX! zj}5_)iSe)f^iCk!tVG_wK2FqcvOqnjU3&tcD6nWmZZhhbP~vRyilV~rV*Bh8h?oD! 
zSUBXhmWRT;ixl_r?mW!TtJBO&>6X{K5K-H&|KS{m zuKVT0$Gf`$v^&MZzjf33O@LYUPP-bc`9on#)WKEcb2F(o@`~^m3W^k-Q4j=aZFmU;2*qu@$jc?53Ge_)j zQiap6w$y#*=S;iV-ClUY&jbAm_~=@o(vRW66auz(jW zkCUrk9m!waNi&I&M|G#?r%&qN40I@aM-FRyY$26xvJ1^q`)gm#H)k93J0ddTOa?L5X9$k+0B<9ED`23m z?RKK#N5#%fJjXBN`aK(Iq@D8nAA!ZU=Fg%w3>NFWQjdx{smDo7a2z+VU&BR4%Loa% z<#T)L-3;s_tp4m4VNSonPh9FLVays4fZonI4G&uaU zKTk$fR`)cYThQ9Jqvut1Cjq)r;OtU{h2Kr&mJDzTsU(~ z(DCW4!o;J9+7G7!M$*pN8-&Tf9w^hmIP8slth@xNM=Tz{$=p?!iih6I5n=2u6_w(AAz(ms2xwJtB`Hd(R z%0-!iM8Aej9@euVq$Y__`?y9;H3WA6gz z-ku4{k#W{Og0t}z<($5PfCz!P@z;pVY@}$v%Yu-Hgz8!Re<+DVSboX4 zWnHU8qSMo*uehcU>P0VQ}BR12{~RM~$23N9U( zV8N`OVp^l)Io2G^`a%qp$PxdqqXhwS^5v0Sh@AZM|7`?yjy^3Y*#SO~k?eSZykm#r zKb##0DjNSF*!(ESQ4&CsJ{$J;G0R#gR9)~vxg2=C_CuZur3?Z)s=4+OMiSl$MM9## z_w264}jo>VW*vsiHx1fe(`m;+;V11XOYUo%)05GUl1|+Ks_bEa-HE{F)<2RutnE)_7HXC=9bU-Q}#$bPkdK9o9 zd_KrS1p$u3|M^p`9DUMtAdd$y2vF873W%`Zd;X`hjN}Szr6lB~+EIw{hk=4~a($S6 z)`KT6T~#U3UD4A-oZYbxf>8U$8V!{curORkdgHn-wBuXL6(1|_eE{*+=j6IG`%I2$ zCoWj8L4CImNnj;S06M|Xf7&uX0y1H^t04TuuMkuC|FL|7k_ghZlmThz`=I7d`X8m_ zp9%4|LikUc0~NkN>g>;J!bl_;1w2pc?4Op*D3pEvZT`SGhZza{wUkKtoFjdNVQ8OJ z{d6;ZZN_bE^|LB1E)ejZtGcyC+h$m|iYTGZZi|*DsiZ0{qn_S;FR03Tc zdJ3Oo?<0H$2J-JgZtPE5E<5KjTtKP2iOF-W0UYDzmY}f6fVi^zw*M?VEa9yXpr>x) z0Rep(2}sO8{o9TKiMbTRj_8yFA-te;{83gAELhpJoNhv?(AM~Nk&^!~Z3A+aa_xko z4504CRZeOwsUM#U$B>A)Q{=Cs8inhx65;;I8a5$D--JM^Lwi*9=hc9AhyhtNK69*Q zK4$+2qGytpwEKby6#D51vM4B%7k;k2p$(`xlSo#QKakWB$7iU z#DKoKMX(_uFb>R`%+TA!m^;kraH#NCgPb9KeI^k&rcwYHty$IbJC%f`afKK#f1+s- z&ksiB<6-Y%;1%jOGXt*HMgJeh^+cL~d55CdqKrZmXo8wUJP*)jLtM7u?3?qzY=*+` zHo96Lp79@#GwF0iqPY|RV1)wOGfeg+W|MZ4P@KceeRbbS zuf_L%n_g$K*h@W9(0k#Kw>~odOCJFZ{2Btpy8~7LcirXE2OFpTpb1<8z-sH3PeS(@ zoEyO=*#rq1&^~v?Ylrv5Jkb)Vw z-sfE(L>I=#(7hEX)%k&lmoy5UNRM1|)unGl(G{ydC%6_hKG0Ad7EBoczw5TH6Gb7O&2k4GS{osK zWagc7l8B-Yb zVqJfP5eEBcG5p0A#;R>xUmRk-flw#H04-dhR?N*S%xh8bt@3=%=FJsOjV(W^(EidJ z31I}E5j|6@MclqrB@lCdU8}qbqV_OYk^@#oN+0K*3T$$zuVO#<;MfAVJ)NujUSC7o zW_Nn(FeO;;k%uRkwynpZxklMVLu;!%x>V-oeMXL8;c+gMKo_I$izo}&6T(45D2Li` 
zGr-@pr`T%t4q`_?;H-xHMNV2Eu>Kt2C%;Yi2z$l#;HZ02r8RzVj8IHQ1y4t15)Fmv2_^dcU(BjsrU~md_gyt|!=GK) z)8*OwBH{ETMJgxE8!(@lbMK!~DR^>1Y0hxua5aYN^U8e!F_kYBgPvF(R^%Dg52Qc) z)212z$cH}yitYfM{sh>{{f1a58(^p=>_#0frzlAGX*`%7*KGXDFLeSdy<{&9CB= zNa{a1x7Hk4*&^6OHR1IPMf%5-g(Bt!*|EbF6Nu{*&opAunL_XY>d~lH1&G3r7`CW?NR8Zrz~|a9@HCI3GN+q6wsMt-96Ssasan6c_}`C2j~ z4udbY9UsY{98k)zN-G;BZwiE~WMBubPo^LHmvDMEiDS!!QgNu#fT?sxNyn_JRn^|5 zF1mU+z!8Ahu zH|_X4{`Q<$>vA~(t~2q}BM|#4NJ6Q-W4&0mG0MHCOxD-}(&{m=PX5xdR=&4ih9Ib= zdm?AxFmxN_Q@r;@1eS}B z@owD7wqm2iwUWZs+Amx)oj-X6l8T4btZ;#iW&Q+Prb0$2+r-HxYq;dcN1?w20zT+$ zC;FM*CyV*7<{Dy;mMFDun*bNz7w7V?U9PBc9Lm2~mapN__OnxG?3bDL#CuLEFV{Y8 zN4C)~+5H(l7`tbteNaf@B{0iI$MdXPZ&p$t#|dmGrL}hWYRuhus(^{#N@ZF?CM$j{ zDr}55EelDUT9;s}a64Jy=jh3Kl8X)?|u3B^1}WGI5`dpF*iQ*iiy$iVPRiv<)q*$%&H4 zJaA#8!S%>(Js!3D?If;p%2zj})ucVHL>J;(`ysIXdVe>NC)6Q@Lu)*8Ko<+(U01&% zQJ8FK17EV~Bg}xXc=Z(IZH}=AC|uSR#k^i}k5_EP$#&z0r4LzA?Tbb(@+R6}pUlY* zy);oA;wCwQYbZ2hmi8Zu?Xs9i=+d@((9UaqAO+QL)7+yZtR7N4Fzvg8M8^L*KF<^V}jd&}XAd!-5wH`!%F!BavHSRKa)B7>m|I*5OjE41v|5|lW z*{A^M1ZF5Vnau*CgT7WW1k%}L2Q76`%2CnyX}KP%x?Go(CL6^9z>anFt=oka*Ecxw z&saKeR+OMLghQDoBo*ddneK6inJSf8-zSGr70RrOQBr#r`8?K7w|w8#Jl0sz(5wjr zPxZTtq$HKOTg%{-B4TTE!(UYKd*J_;nrEnRoCSLAFA1)i;S?S@7-MLI7&+DR zBGYQ~Jv){3;!@S3ouj_jRuK(AW7L71Jws)dZ|x)kG^R`jP~Z&w4o7Pc%0$VvO@iZA z8(<_nmLTsQo z+r2Gwy@*A0E4-$(quYnZ`yE(kRSM_2$flL=4qL_CM&yiN@DoftDX>3xKAAY^pYvb( z%>`UY(N1BhaQ5}^$0E!tO%`$M58TOk;c?fIO|HdKLe|?39rx<3H`9kq-u0avy3^Cd zr+%k)N!}d^_)$KBH0$!dwQzD0=6Y$r0vtgqee)(Z0Yr#dQ)9Rt6(F+j0+C{WD&`@@ zwTSz=Gw&7tB)oiu5m(k{9)QN6`&SYQBF%hm@ZIjtay5N|!_(ARN{UHShyF~G?*5vZ zEWM}Q{A~?ybWzxVxM6$Agn9v1EBmm?F8NsC)5XeB#Wk-NW_>60rEJo?BI1+Mz79lO zeHjyvrun>$%%`1scTX_o+8LdF<*;+3>_wj`^@hu=BVyQ^LcSfJ5@-_> zDPq^B-Y=XGBZyP4Tv`ur<*=3aJ|b_}NR*485W-xN*KMR_^JnGwi%IY6I?QOjL8Z+@ za?LT&9OVvXiZbx}M9UEkwPY)skB76B^CC#GeRm1qBWIECD$cW5S(~rze;-I2u4?*MO4b<>sXe z=RAgL=wqXCTM-(#KIllU*AUUBPKCGYzPvrHEwc)Z-(NPfhfcOW>(a495np6cc>KDk z2mW{?*b8f?5z@R22RZ2uWZBw)0MbA%{EzIPktvOBy*U>D@QmGtUB|Kb=d=n$w_UaV 
zT}#}PuY{zWSy_Y5H>vi$kvOap1i@rhi-Qa{RV2zPEE!ID z0qqVQ|DV%!=nn}#RxGEWkMK8L$zRih-{}kwKyfSP2fLtp1}`#=JA~OsSDL?m5$w`# z7^-U>A1|PKd%jZM;qyE4$ja4;xroP6!REr?3d*!=EF5*Fk8t}8!Wuebe*|%X{Zz|A zt7+zUxw{b++FI;K`)bMR4cRaMP%Wko%Q^DZ+I0ND1{#~Qh zYr0<+DE-`I=RvG`&qsj2EhwZxOmq50{jh;py^X^r$v(`$l)XH zo*zim|EhjD4F8&^$#H}3?r&gnPe6cJdDw&D<>$N%l@t5vFiVTs?T@L~P%6mW9$U@vWef+W?@%e8pi?E|M#Q_vafaxYNOLPM*D9K*|z;kCkm4yg_>iyY$5O`IS z{bj^)H>(S!C-Xz;vpqTJ9C_x8|NMpwK!W-H4O@trsCo%QDauT~+ooI}!Ldf`QGDe( z4G7LL*^1utsW$oFMJ?cmZiagCeGXMN_)Bk(!m`R-pUjSZf2go?*30YroaF^y4WmzI z17FF_pTnfVF4wj`kB?axE|uW&zkZ4|Wao#9(N{k?Qsv`HB9&un3-Spc>+f$44f|3^ z3wX8l4>1UW>iE~uS1m1r7zt$2R&F5r-aC+gofY>m-y@OV`g@q^gIm=_|lwPbbe1JKR*4{!c7IdJWy z7o2?;oZ#pWLh**Gvn5{%JQA8w=@4(6 z7*8n^pZ~CVl%S0KL8{<#@2-S3UeTtDUhE!jq-UKTJ!M4&I@G>%*P=U3!fOJ^JZ$A#k$Lpdh=hL(!weT$BQ zg-!rRuWas_sZKk!Ktn1EqNSR+A3Xf#Pa~>sIQ7zsJZkb1+zp1xJ+sY(X<%Jzl>m>- z5j5m&k3%cVDc2%Z(lf}pyZ6I3)Qi;o1-8eJ3gT@7%}%pFziuaZCODCWqcHwz7>kqo zfr3GPb&b}p?pWTwjk1vI-Alh;ZTT3#s%pj^b{E;SP1;JLD)Rqf?>)nsTB5(v0D>YQ z*pQ+idK6HKbfp9Yv7vw{(z}G-q?b^nc@#wjsX{=d_ZE5)6hx|YLK9J12tA>Mz?~f| zc+UC1&wHPH-%t1Q0c9t9@0m5L{nlEuW~S`+o(wrLW|zPw#I)o>Z-n_4L^v0OY!xNUdWeXWIL+3gdz= zz;ah`bYDq~d~0K5&fMz4S0)hz9Rl^!7eU|~BsK?ngOa~S+O3YZH7&oo3ppa@yjgnF`%45N_<5L*uEbC$FipF`mHFF0dP2ab?7bhdldf>%}bx@ zd36Z(YBh)9x0`b9PtYegaVVM`CMjQH(c}rpJ$^!$+2J|sH0e9&L3z_TE4WWMnt4{c zdLB~%7avohNUO&yxvpc~JCG8)ekd=cQ(c1{_O}cceoRQml?SrNp z_akp^`6f<`@T0`S7QrVa4*{Po_Nv~3S(EtMJB0led)4-r!MjI--Yq_ewbVDYX~VyUa$0t>!_lT>3}TvWJpL_Ew#cgma`=md3@V)6tLH>| zd~Bqj;06??RwLm)YXbOg_;ikq5eV5CPq5tnU8J)YUwZ5os#84^9aEOxW?B@wuKRo! 
z2n&W)5Xxp6u{kXf*_Gl0(*wz-sQ^$O3cNtj<)sUhpXpan?2Gbl6idYAF?|A@jjUl( zz~wD18pYM~NCm$J!f%~-yy-zs{&AE2EP!2dWMiYho1Mp~#kf4_vu=2OPQ6c4JYLVW z88lX_CkNC{QYG3f8P^%JraFUErXGMd*Xm7f#s1|e6drN|A4ZYp!ul9tuN~{udWunh zw(Xth)EY0sc3M~TsnbFrqyAijP`^V4TPmV?`aB}sqf>&FN{k}44U}LGX4h&fAmMjW zHU?l~F%`3Ad?LIv9=MGBa)YHuGp}t1^3&!%0M%C@%-g)+_kwjb&rFY%Fv!LERO{*& zl+GcwLr43f@>oqT--=>-YB6EpvQM%4AgC7R15q)3QJ_oKe48i@ePpy{2W)$@WWtpC zGG(zQehz&N*bP}(fF;NS81D~23Fcx;~q*p`c!*wrz!a!K< z+ltr}i|}7I5pw3rmeL{$ByYtIA=6#4(K?8P>53NVA{$|qB7U!9+qfAj(}kQL^}KcK zqNsKHXBa; zodTr@p}QC1+ke1U?YzQuVxWmuR05K}8SKSJSZkfzKRdxojMMzcM5ARYQqKG&ao7O< zP?&VYL&!+d*bAiHC}= z2}_t-M?}XW9z{e)RoR&<2Z`+S+Pao*oPZHBEm^l2&7|1|&QKf`xUCTItI3^Dy!$*o zKu8H#vxo|vK0vgB;anWo=+Z+z)w7u1wsYVYIRB+$ zL+t^x<>5wsoz=2sPoU4F>raSu5zm5XZ|@B^l{G72-3R9?PCw4(#U7z4Ux&M(7$Cz0 zN#pMY10c?_$@C?1eIz2X!_mYmR-;+2$Yy<4byehZwwO3mQ0wvJn8+X_l{3p~H6w_s zJC?tOtH4i#aK4P!Gj&Bpqh3{pRf}h%0tFRUM`!**auOobID>R*F{DMW82+T1Yc?_c z2Ru(lKEd8Hz=>EGRMWq1y*Xh{oL(KhAH046EuAP&v*pPH7U9eBDbFp;k(Xc%)`<~% zc0J?%w-p9(@Xx*T9-mptHfLfO%oH&6SM=%>SNflUS^V;U6D%Rm(U~QcART_f5kOcZ zD9}PAzfGdTmGYZTn8tL=iJ7oaIlKLy!V%7b>qr8Pd$iXRp4vH$;0>Wi^Tcj0pO6z9 z-p(I6-|VR#kzO=um?t)$k+r3-ZsS`tssH(h%E7&L*+8aXNM9n|ICSnAlokOl|3&|F zS_o@cC16Ah?^&*kUrSEMn7Ub}@r`iYZf-8L5kGs}z{Sd@=iOU}6d_f-HG6edv)rjK z*AH&3T8P>l#CThMpqhDI!Rh{rDoOM}EV$Vfnr zNiU}(X5AW5!r2BKxpo0~Zu*G`o?Yggvw~63S+alf5riFS(hz%B#dX*+rVBK0fIt9( z&HTmy0)aRtvMW>NeCNdxV(&OZ*R}Div>!zg+u1Qt{R_&DA&`P4Lfz;57;_%oIb<35 zPq6a4AnJ#*5exNW6A`;f_}iNwd1_2J9Ahe-eiK!@Lae91)7Y%tLZ1tFv5tMhB-Iw> z$A;y6YIiw}laY)b$(ob75+3XawWU12dfW=5dUn@8kO^emlR*;N1-!>nN%aE)7WIxb z4AWxR&7w&3a8yf9!Q87z*Bejc&oXU`c}_ds@R&9A&E~rTv)YBEzI;%t2Lc|-DgYcG z?upT4K*RIILGk1TW`M-n1+bJ^*nI93h9Y^;ku%1B$C5$mH4liN6IoeAuAPbw$TKT6 zkHr`(sWv9u(YZ0Y>0NC<(pT~V-4HR@f$oE2k{34MiloPAP_F;;g^$y-19 ztR0pPL_hvOU%%$4{y|Q$0r)Eb)PvrZ5F>6oQvc)VSW-IyuLC4brsYrP=HF`uf>hg} zP_^yKXAx!9yk)6cxvbsOjvm_>%n8Cz9RI{%z%dmAnQ6$Gy3`3G!7e}E<5hVP@}fWn z@V}_Gm!T_%v>_7usbt2#%Bzmi2QI2AShj|qSaVdlwF6j^1GK~uiyKfaoD1jq*?=U4 
z^1nv9Ksnrx*%Uz7h2^81;vTLpm9-cK7z03u=e+K{8Xvb982(KE!< zlM>d$b8S-U0Jas%Y?Cd=<8^6pJQVCPIMMpwI9%1)!ac1{;#Fyv z#7T7#svt!CYZpL&s9pssJ7NGkXrPeWZu5Qr6yq3hGy_P|ckO2Q9xWgwq+sYFq;T8@ z+}Cp2fV&*z!2|zCw0to&^ed}i!QTLUJpqL?T~`3AfzW~jID7ivFOo+d8lRf!n9H8N zL9sopJ@{K)6aAnPOOyWGmv^hJu2o?&3-1rEX{7F+%~^AwPD?qX7kMR=qlL%-ojCeS z^T;E^C8$3;b==q7bY(mEqpWA0$H1-~;wli-T%CH>?>$qFM}aOjuxpnt-ud?N`3%m^ z$J3=vX60U}459DR*id`bZbpvgl}do!7m*n!mh_2zRqLf^gh@qh@iLx^V_0e9)V5Ej zgxGX)lqOPp)5fNqkKpJWN~*^jvYW1rc4zCAFM2CLM>hX31AY%wIe{Z2)u!p~1-Y?` zAWg(WO@)VcJlkkXdR2cL@Ldn-VEU0OVx(W4=2^Y4_ASiupiCD5H^3dFt4KU^J|^J7 zscO_)Tv+?6w`|-MzT=(Xpx}1w=Qj0~!1IF!A9&7Z-Dl8|lj7Aq1uS|r0O>obMh*q6 zr?%5q%(yo(5?u=Q*N-I`lDAvzXoMjD9awTu@lo^DkHX*>o!7EDS13Y4%luS96+M>w z;4tETKUz4<0NLH}G!cdGM!$^SG&+~;E0_2Z;V@-Jmrq}0QBG~^LXYpnc3~L|WbgPB zGg$O=$^@`b{Rbk*m(Fk%>gxFpDu+{Lng&Odr+`HQ!RY;Ge&)%*+$}ZRzttV13qsot zmDzeeq&$IN;EF;dn|t>22~ZnNk13p^%jwb&2-NbnkcjO*Eb!cX!o1-#AcHp|CQ#S( z9otcpt1FR|f6={lx(SA*r{L7mCmcU*(xihadYju-%cEzuUS)kZfq+MfMr0#ximf7k z4G%hVIQtq+I=wtU$q7m#9JF0gQi!hg#%P#aA86Ckm&APv)}L%x!7K-b+LW%=?#}7e z){ zoW%N|D7U)GQl}5ZZh?m1^YUz_7_>hN79s+T-#GEvtwZvxristcN{W4b-Vq@!Jh7*~ z&JI_02WASobK8!Jm)EE3UV(qfkN$fU zZ-q2ox&CQKKu0lE7uda+=Lp1f=VBHAX%WsA`|y4X)MD=n;<|@I2kLS3Yaz#u=G(G5 ziB~0EV_zB)Eo0}nr=%S_mqWfc6sdT(o*ltf)Or6Tf7b*^08k`61PR%j#x!LHXH*aI zQ=5lV8-_)wpN&11OvZSYD-;od2bftjJ*}rM>9FNpKSxnVUs7v&mQ-{np!&)AH^yLW6@8-e zOTGrK6Yfnsk@ivUrJuQy+!{KnIU$6f{Z!)(_40^_MVr$iC$j)%nD#2X*|0!Vf8L_W z<8cfD!}g(Dn#bm)Yl*N+0RQ3nfA08AiE5hM}qUgSqBnNmc|k9$AlFS>i_77Wq0 zd4`U;i^EeqiZPe3FyHL{%Rpw+>fJ16pn72@=AqtMZClme3Uoi-D&Mn)K$mlpIujjw z&(8{^>G`o1N{8xa3-0`i_xby=^)BVO;o0#)bxMfWm}DWY%6s*##t$qxgNy^298`)q)DH<-E}&;H0@M@S8QWMXZqsQW)vvXY4+_-S<7IH%p)OV4@o84 z(3y!DCiLvaUl5pH0{beu%x=#_b%9dLbyv#Mx5XVB5n6#FI`W?oJ{IM7F5Pltrel^? 
zG_kr+I$xv-Gn+6#ZzS?xGc#fd7kNuO>vD4yt2zoQ95BgNHx_#x0B|*mdcq2de%gWy zzUuP}$ZyxhGA{^(eQ6v$I_*FRH4)yg19zOIRw#ZS;id6%@~Fv6xEQ z5xa?IYh9IbotZS#AS9jDAor423-J__vQ+f;&S&}us-_6UY6bHX4fNZHYYle{aJQF3 zqWgqQ3TV`XR3&EM_Jg!a!7kUT(m>VM*lTzWl%ODt-3B{O$cMsGXeaKelwC^uU zvJ#~CBF&_0)~E+CmOP5Ub)owzUkLw*ErTs-G_}9V(olB@79Pa6Rfj}wiFq1go3g9* zZQA-AN2ZKo>%(Y0Hwls6`Xg3p{3F>W4fPBRcW^22yl5J1Y zNHl$C9pa8qURDPnOIVClpeo&rT$!HsRW6=nWUylh=u{YuVy- zkFBK>3GE5R$CZ++0> z!}XrEgOr3dQmZlTeUg3QfTHOlX&6?SMsaKEoF zw&4}&r| z4vrOjHD!#H=WA9Qu|HaUBNiP<5%8dB{`_dw=GtZN%Mspar1Mdodeuk#MSC0oqpV?- zR(+eiBW5n>5-M#pJ|1+^;Qv1Zk~BJd)ex5nSr_qg~dqpMr_MFnxXb>7-&C8U$r zR!sA*9w8@Pd=aUOx$3mkZV{C%8L;o5uBe)1nF(a_SCe0uBKBx z7AS>iRvK+SbCTJfHt;$#+qLP5l_E4#Acc`!f>5oNR?rjH*9&zpIihySsjj<)6~^ap z-{`=e9*lVk%uyb;X}9i)idN^AK0M-GHlBgXMArY@``xBy zBB}r+YG895JH<%?wGP(TGUr#*EIFvuQ6(BW)~x9pz`GQri^smU5x#Cxk7$--2t8%e z6+du*L+7-4Nx)0~%EPvFNlAs7Hlmv`{pltR5d=`^{DUgY2SM?|QNrIvP+lAM*mv`o z@6_iR9?o;>AA+?zzo1gY81lx>&_A?c{EU4yQS!L?#E5~7u87UiH%d;V)gMrXTn7tp zjC~>$?Z*c1y)=S7xQH>>YsR3-X_pY=#K#)tZLrn2W#7*~ASf!HH9{xg*3^0`^M zz}js8u(6d35x))>wssCll$kK)pb{g{9}0_35DFyL*FRxR^}fLxJDO+e5i~Xs@*t{< znIPe>F>xRif%UDx#n$P zQ!tU2ijvK4tXKDu;*_mIHy}VM2)Q6BEVYdQf_P+~DEv(sBdnzcBoGs@4ZYSdbJ)+C z+0(Ccbq`Jkz79nXazPfjUmCldoo&1UxT&NL%Gi~Z?6^_Uz#5gz3ZrN zEkJ}X;5z3CysIZ1I}v*VK>i+)axcil+zpemY0~g4kBvhCH=6gjb;wS_QGyTxn&gPw z#8)CH`>^6~Gz`S_&(}|TXXG@Z6hNJJoN^;eD%dULTHBGR_ri{Hx`1>8Ia~Y_?57S> z$%#OT;K}s`F?JZ6FXZuCLjcEVqlzllOQ#bQnX3pF+(HFK((+`*JZ^|6-P@ujt6+!^ zTWpBP%g0T#$2@z1#+um_qfB2wA?As{8aKid)2a|19&f~6r7_t`-0lp~z~$HoyW4nS z53;3tb4Dk-%&zNAdUZ8~+-+pf;DwUbHx9A}q-qj2BCEDHw|V_)bOT(b=yia+w}DQg z&+dP*7qo5pS@aiZLlh5E&HS!MBTEQBm8sI*K+-+07+Qr zfR-Q-pxZUkjRb5n;SR7a3;aKp5vsj)XsjrVrbwK*J+GLrvN(`}CuyQvywOQ-|H8dN z)_J4fhgV_FuUm@H-uni+It7!A2arCE^^3&51*DIZ4|@~h?BoW%J2Wg`K-OyQp#=3U zkVh?s3e~>)q=3=@P!j(1@p{GPYE^ZdES~ixR2abWA8{K19!^m)9d!1%X%c@O?8*B9 z+sMh(-QeVt@f}qNP}=EH`@P0JU24jyWywM++qKwxZUW!~wii+`|K|-%)Bfc0;*$aE z$DwNN{~UxWCpj1SV>?fWBIxX}C(--U4?!cp7(53ft{OVxYS>BMgGH{l-!G43f@;p8 
zBY4S7`U_+{cek${-~cTke!5A}o}O;<_6oBARn8y#2L6~Id5;0KA!xe*fJy!_xtji; z1BP~0P=jqj+a;?0U@y{-5}ZF`ZrfWUdY1HE>cl2&s;7-W-PWGOwe3oWls0I;OD3cX zp(CRIRp9`~u4z=PKk=Y?ol}*yFRqw0O%gUIxdbqS`VI2_AZRa43)t8MZOQm|T?07H zk|mY9a@Mt#FpxgIVIx(ojz~}zA&4TI?)0ADqYerlz}_en9NM4*QmRyM>1e!UFL*4Q zqpfzNZo~!s$OwyifKXN(7KXf$&5O&%Y_V{FdUzrIzZq_MP&EAY|HYh&G(ND98%E4 zrH=C%q#O@7{CSPJtvoA&K1UTzTo`(w^i?$}3B}m(;$Dp94eVH`8M1JwzFo+K#1wP+ z7af+?;az5TfVP6n3S)wgGzcjPqYH?$m@}BlSVpl*r;OWY)D^8@6 z7YwkQz)Re=j~M{0eddYgwXA;=9VyJ-ve8wQ(e|j+qZ*x7%^D#dQ5DIWj%=Y6qnt;VdRvD}Wg5fiC%m=#Pzt2(l<<>}OuJM3qr1uHp_MPq^WLh_xd z|JYOrI!rj-fZ}tXt0~%Lr^Ub1mX!GsGd!oOA~BbGL(hV3IJ=;vJ?J3-P{yn6tx{S5 zb^UelGrBQ^p5Y2B3LzdeW>LVq0X^L zWo^L0CNnqm9wLMP@1!{e$GaWao=v`3F|83|0a0Zuerb#JAvwivD{!*;k3S=4O^u6$(kG2h*~c!wC|k@ zBEJ9Y)d+$!R?&cc%g7dn8_@=kH zAsqL%#qKD!prt^V zmelTV4A;^=E-w!hh03HTcBEiUlY{CrM!2OBH-_aH+Rmbf2ul-|9i^)#ZvC2)=$1Rr zX8J`;$N3~riwNP>Wvzm0TxBN$d#&BpS2&(uv^tl*~-n&zuX$^={wCJ7lmo z-08`rHa)2Euqi&yTM^IqP>lyMKtGVYSvFe>XTIMr9;hqt7ddh_VCWEkgMsraSFu;SMkYCbkcu;;xb&MNkdPG^<7vq%~REde-Zvp(bE~fS<=#ehAtzSwxkxf88vK= z0|%%=^XI+08+nr-nth_Nvx8{4Wzywf* z(^G4RcPb&h5>E5Y^VjXx1-+AIDmDm*+VKSxu$W-TTQf|!d%HPxIeFqO?leDp5`5HA zYXc695>Ro0r>$0bH!T?Mc-AYG+s}F z^jCE9dTH}~2(|9o3>AM~QT~wZQqo6zocxaYf)i=LCSFD7&kuM!dlIX9gZEv=mwq}B zXggQ|w>!`LDhn%{I9$vNc><}M3Z7BCoFe!-9Q=#gxrDi!%;KxQN+U`fbo6^lFsF)$ zO1&?$!_HOYTQyK>(Uoj0<Ye4cO9Zik?_BcM+4 zkUW&bIj5Szi@4(fPBI#b5B>T?DLQ48d%Bx@qn{8al(zXII^l&(=P4KcQ5O+apP87- z$ej4zZlYL3YXgD-ly#iF*dS!0G0>$l!DZ52Py1wO-V5iJs+mNg!K8XvMg?mj>-H(9 z$q-M>9x!XUDyASlB4`|5Pv4upT~QTd?EGxqYsL+v*Y4aof>WR&BvK*g)bFB}9Pma| z1}Og|#$LQ&>VO{Tnf6Q|eXE^gIGiyrsS8AUYE4ILNuXINpL798=j&R+Z*Gs7U*H?ao->&^9B*fCKD{cgyxPnfyZ;#qiz)q% z?5SEA3$53(=*8xtOseTbvpam1L`vc}E3Yihoh-3NI{&?*`9;77+nVAgPPebEViqOrO8t_?2X1dMrOD37v>bp%Of&kea zBeBD9M#)}$0Ua)}3&y18aE*4uYDUk;tWMx zTX?ZP!w8tDCBHE^bA3DsQ)e>Sxr$J=l#VqutWU#`33FcL-BS}2%U6B(H82h9?_1Ri zb{FQ{FsO{r&ucF+u1^h@^;bfDGoX6|cENL znx5B&(lRczv~OMTOS(Yl}4NLX+LSaeSVswVcx2jpb14I-0aW 
z593Lg#!QsMTw+c!j7k@F?}Pq`JjTq|#X`u}j@8Gv>47V;-^o?KKjDGwh%QeKl`gu1WQ{HG+sn>l zk0ng_H?>bMn2xZz_M-OPE2TIYYda##{_wu5N59p+6?3^2Jtr#t#5t=;&8YH%reh~< zeVaHx7PXml4w;EfJWXOV@}>JCe-8MRr#{1|9T;i0T$<=m>s1W;{f6POcJxZ!DwWI6 zhs6?_-s|^%m-oZoJ&@27ILrCI@_garj#+KuOfl-6i&rx8X;HE5e6!tFa4!zY3Nn5o z7Gl13hh@Wy?ME0+l)R&ivl9sKr4XQ7!-*B^chb-get8hfD4>wh5Xqh^j8{IhwLfqZ z_JaNG{XW-QyEXArxT+kE7duXxZ6QcJ9e_TJh7oX2(wU%7VQ}>b1p4+jZ5rBzaX$C=xH;2(NR=z zm)MhFR7GT0kSs|ksa83pJxtR+=&N82=TQRVBW|uy-Q6dV`aSu>_)^}S+ob307-+o9 znR6kK7?QX)MC@OI<2BRw)0Dsjb^-oSJ;0#K5ighb3&}40EADqaJs= zpbUqBWDWIq!=04hzjBtsQg3qe;(O9{BB;QSp_vz}gY{NTF02~+V()_mvgcv}WPM@o z``{t*C9FumY3uk`?<6FRc_atbYK)PumBF%`mr#xK1@N^JCVH@o{+g&9^f+JbBV|5d zKpk+ZLZwg&X*qs-uXh*z@kIPris@0(Y$a(%>^3(APUHkU5~9zZFBG5NEl^L?z>d@e zf&nM^%o@mgc2;;`r<%5z|Esr*D6OD5`>g|X%AEQ>tAD3;TKW-K_gl?B0uRvo_XBi& zb3dr(Gmf~go3On;{&jPs*=}g#A(}DCf=ez5dHH=7G$(dSH{bg^hdGJjr|R0h^(_>h zadGd7*|rP=VzF!{PQgNZkE#V~zk`(piUJb^<48Dq)WCipn7!^EupaAXO)z{7-HP`T ziL>_{_5PJNMHCvyMD9(U++VbK=v6UA5GBL zvX_7Os6?fBugVi<$~zddOM};eV8W04?&jIuaO4%$FJ;g#Ehok&w^rmstRuK`h#Fpe zzgbv4cQ3SN;Ec4`_6Qd`0R5K(sZ$?5)J(yEMh6sNohDIdDDQlK!Yz2hI7MHtG9h?_ zxsWNL1Ag+WBA|jV?MJA6d%^`CL)d!CCm87cdX9frD&VKwE86BL3c{W>s1v2=ZfbhD zEhf-Lyo(kG+K9utD1TiCe?dPrRb0?n0>0x3zM%a)`KM3f8`Sf({pg`{Kd!)tL0+IW zI4s7W67-rS{}_%u1O0Gea*nDsKd!)L*cYMhHs<^Gvi!K@i&TJv(*s~F7b&Q~KYEMx zVMpeEFcPdLs2xsqhxXTicq$H4Obdre#KoGq9QG2M-79KUHX$w_$!y6=A?s&qxwS|4RVoA>wrNGCR!T#ja}D|^DQ zS04_pV5N#Q3s=288~FzHr^E}XH#R$V137){Bx8W4K>nb zoAY||cVLrjbSj)9UJXT_InwUySIyGMw;X0D`eR~-oP$0a?;=sbsS+c|`PLRJb7s2Z zXnJdoekFd{RIk3_0li+mtN7&kOoPZ<&d(3-t46ivxKuM_AMg&Y9Wb1AH8)~!#x;B$ zIR3p{+P^giUBY0?>FMlg=Ig$--XB}0Y10npq@7VIBHGx$oR>N@OygLsKsR7$E6Y4W z!#nbw)ycc)gH5|Jkv>=AH;WSdsc8l7JiHLVad2{DT36G^m1k18s_q#5!M7Xx%0fa( z-jdZAqWC#*^Rjpp@tAfWjUzE{S^Vmn09N=B7)2Gs_;B^uWf&>5j|oMVIy$o=BPT)~+~ z0|V7-iyM2jM@nlhO=wI|J}#{>6*w17r+Y)M-b}z=$a91ys5K|z_w>Mjc}Gn3E`MI@ z7B7C+(m;^VL(B=JGGQj#H>HbKYz!wiET?SFtw>Urfi-q>h+i&iZifrWG@_m zQ_WES5)R*ECZWaA?(Z3DN>@iCl&O686t>w@0I7x51pnet80@;d?_QWHH(&|amz`pC 
z%3*YBa4Z~L%?F|Z^JV-cK`>Z&0Hg|(|M#E8B}WZQJqVZ&HvgOVVZJYZ>x|XkG6j>n z2E+z79RLId=Jk7dVF`cj0>l!D==7G7nEc8B7f@< zSoZ?B0e5|o7%ID(FC$JnurN9nJ15QAC+W7j_L5tLb4mal4I-HH{-W`YqFjRx_cP^0QIyml%QNp80!pe@lbp zN6Qm{YWBQ4zcy&%!6Ci*MLPv@AC{kX%grt{OESQ|sQuO(H9aL65y4ju0zU&b6Ebk+ z@Nkd9zrHf>CJ#RD6SI>+_IE3gZ5%fhOqcRErTW-_-v-!XPL+|Orf28lnI^&Yn&Cta zO5d#CY7G3p9hzXJg3KzW!2Gql=CtUXTP`v18J2sFOIGLEQo z>W*xTjK9IgZYiZqErK_~_?G}{^%f0Brw7l7!UPtcGC@q zL}~QqjaZE%5OK}py6C)TWjDVxmGQykc5u>{j=yA*pEW>CBA4@*{(RlY2&J!*{4c8w zi#+{3-IPNG@Eu|E-b@R_V5fGh_~S79ZsAaF;B)%MyF>1e_SPx}79~IhOwo>Y zd(hZ$XpzislW`L96|3{><6~0J?MoEdz0UiA_1i%i<{LjpRm0&1shceSSA#A4{t!oT zqpw1N+e^NijFYnbX-Z>{!Nh%kYZvs1<%aGx&x2s}x!fFjBVHQVM6%v!-3?RS$y1No zIW;EcZi4UC#OJ=_%L*oI&3}F?WHdAbMI%XwX@wl}c79im0k5UJR!W%t4rE}cwDEJE zeJ8=*pn8wVh26bC`F`2C_7SV0yx$fApn+Wh44Xi+gJEx1{CdDCz~rhFJDHqdF2B7T zp7oZAS9&?CGID^x?%hFWHqS$hp<@)j$6dIoTt#3t`%1P}NrGf8{}%dgI>(7^@WG>1 zGw4a|w{ki4+H)`{=Vs>`(#iYfccT7qwtly%*Bn5Ww<8yf*6Jf7528Ob(IrKq%F8f4 zIZe4|4!<@n|pW0hAii|4HF#pI<7zLAwhNA9kP_-6%P z{of~^ZuK8r?1@Ct9@6w4_yX4W99~N zc**Kdi%7vONCKUr!@iGrtmi}bfroTDvl{4B3*4t{D)2Ha)dh3^NE=MJHlYE0dCjVi zi-bOb4BmQGv(uW{6w_Q0y=&d2-`jAZT42Nz>u(&1A`xcpdfx(~!T7%gTqO_8pp4_p za|p}94xMtPFj0&=i-r`s$LxDZxgGyo;pXVbEg|+|1+f-fZ+%7ja8(@c4mvYzyW zwmkjeIY_qig##puH3W2862q+gfNq6mm&)-eZu{Zft`s8rSsOqof$j(1t8Qj}NtT2y zyvL$Q4k&0K$h@~0zqf8vC9KHTeXQ}ZKzlSY8Q64K&EAcMt*OE@2^?Utd~3r~gY(BB zkP3@DZbh-J&I5V(Pu>e8zjp8K*BqZ>$gkCXFi1^LR^Q=oFC~Pr0~HPy``X_gJg#Kb zqWbE8_j9uP2MX-TAX&S~IRNba$N6;$O z+&aq z=ed9BGd_4Oo^QFQGZK}fkxWrz%d>y-TM$^}kU{*jB3{Pf(zW$EY;0(Q`@XpaNM1JZ zlyX~uJ?>AC+2cc_UJdXLd;|Hs&mFX6oDrjQmM?233;N8s4`d;Vb4HX+KuW1Pe2>$8 zk?u{38aU4_#(ufzO2QYQE$_1TSJ$mWz}r9&wyg38-!ym89)-d+BbQYIPReG z7h1b>>*wodzwW)U+m~dRm{&w0R!jvJ;8{7xqpS(SQvnRSZ{;n(pugo}Y%d>27)9>w zVYkKCdJZ!jAI7ppmDkw!x8=xJtZ7aZCp3@@s5oK17{LC07pSMXtW<(7@?|~e@R|SK zPlrE(xEC<2ExNBc?ho#ZAM(ls z`j;>8w|%<*bu+3==DNL`(H_gMKDtAr5wQ&3*&q-F#I3CKlFYr5^2!aVAqrT}4wGDJ z&-Hj8yoF@5XT|(jtV&AYo=Qj$$T0xTUIwXpdRNc>5guyTN7!$V;9D(8$hlmypG1n* 
zvD=yr*u1rD6g_qlxUw+^w_Gmqh(hW()laEQ!KI<6Bs*Y@0;YESSB%P+?AIHl5x^(Wk?95`2>Tt`t6w6mrXYhK5K{2A=a(r0BX60Y7rw1 z{-&8QD6|cOiK&%wFwEj;?`==Y1Za2M0HH z$-s!Ub_bob`BfPyW{6>>H=bNdl46*`l`u7kv-(s|cbqlrk=|BwYkpYZJ9%;C?y$bUcO{~gu$|5SDU&-XV+_&xQU)302Ko!jco*=#M| z5;$?f*j9E)M?&^Ko_&s#rQo{$fRNL@02Tsr13J5|6`dmtbt&{GamZhKuQpq`Q;eK$sO%*`rXp1epTgugiC8 z%wZj|yCfezbfe|0T3T+%)-Jiv`oNsj9t(Zhjdn$o5g!g&lN#m8G~ds#w-U5YO#2tq zI5^v=7+&KQ?9>>!PJB%o)RF1BO*Sf0i7Ax7hM=@or!u@XfN7Iw|Mf`TmAn7>$QPEf zbT$b;pLnX<8*S!6_7e=bcMkJf5h_r;eLYbkEf|ag+%zB}^BvN6xd%PY7>dFgacv~d ztu}5uO7yXI0|i9!{ju@?>SIX|79`-oLVx)uB5zofuE{2m5Hr21hF|sq^|9imUs4@Qj-q zVbvS&3_|^$kY<9#30s1sVN~2Mcr^(ZI-AKIOkNK#(JV4PZoxm1%wkRrP6ZRrV}!2$ zVauX~yv`refzl4XuQFs14Mw3upQqBPr35y3_fIoT9zXFFq9yb7U6Q4&MBC{^sm`{S z9((rh7fd4*6si89i$#JMpX`<-uy7n{<#TUt#e7#IGm=s|$(o;RA|U2_9HI35e|`Uz z&L`n#U#hz%6;MlE*lL&jNn@)-;DyBI%_VcZhWIy`Jglx?%=k^fuzo&qRIWjurB41> zT*P$m=Bj6%B;Vj?3#(HQL;pDrh(G%Z0sZCw&>hVzaM7caeQ%sX#5B%I;pS9cmG65g zxBKUOfi-XGbG^+NSGn(hK?R20lFYTQJd5(^0wIQRFvDn**&eVPSXj!q!4RYbo(bX> z@vQ%%;;~(l6Pvf3f~%_T{$!K8bs+XoC~5Lo`{c{Kx#2G&mZaRfWNtxr|3Lyutg7`? zVTU;^pM3B8M^te%2^<~*(A&_NgaVncpB^ZgH_4>AG^ml#c~Dz6lRPH}1H7sV+33s! 
z#P4Nckn6dg;Q#PpNse3!ccHiDS?Eb$tA4Ym%;9rvzL{hqIT-jUtC;T?*&niX?Xx^P z-pXgAlI!7Gx9sYYRAI^QrzYXS6hx|L|c_mp3y;4jX)^NEsLcWnI0_R|VEK`1Xua zI2{L-3FvDBVGgpX%ekZmFL!Us5j}|Sgfo}|7C;9wV-T4#3%8q z$j} zes2G|jQr9E@`%y@81eYGdlDCqOl~x;Y+CNo6!?DE?`hnI6%Uj41d~gNJI9EZ)gG;< zvcZ&3ber~FY{%W_)M_6MKDJV|{;t|-so%_HsbA7$De%S+P1>B$W>xS=_oiJL9&47j z!Z9vGBc3*AwD01x0r6l9fsp)_j<%-{qm&?JwgDGVoKBpVY)i9f)j}tGOnxgk+B4OA z+)5UrDmwX3s@BV1QxWPNiO`$|qoZTuleWL8WFBXdI-j#S*{c#!#PqHlBmV6|leVT& z(|YKuye-D+Eu$ET5hmMJ6p~(PU#C-LRocLDyv(3ijz{PW>$ucr)#l+30yFu!=8c{q zqa9O+KN%FFaIRm{O)v2!0g17Pym$uO*Nbs9T?&rLJ(Lp=L3Pw+oKnS>3*6@NrVCUV zxs0v;M@2d|EY)2}Et%utLuFhtEtac%Bti4so2K$-3XzR@neMM#7K@M7`;H~h30POP zdj!dupKi~?x7qj`X@B)BQN6siFMuv(BliRKRomgDx&1Lm_UA#WT>fu4ZV8i-n=*%9 zdQ8sdBlz*E=Es|+Xy&bD>Li)Hn1Q@n-^7^#MYaWiJ}=!S1fVNF2(6yn9(zu5%i(AoDI0-IJYprx*9jO z9(?vCPNqbSb-z-^4}CiZ=ftb(PA8T()epYrh++G3oi)`{Y*7nXf;_Q*83F)m_D{aI z;cBNP@%xvmj=wVfAXs+Rf43dg>#(!Y-J^3?rK{GehOdd4TC=|osSK9!{z%L$_PMc{ zAu+N?M*AZuKA9WzEWtnZIXmX&+Be@{d4-ef#Q0rezc%D;A*@r(M*%O{3FNW zuD!D`6JXa4?R-E_dQ~MbY46j-)!iq)=fVOxlBMV2T*<#zg3A=~no1#9q$;$*h zWFQ-{KfqB4cf~OpNtEYe9M{8JRfL8S;0K9y_(Sxeo~8KwL8 z_x?1T+Y9OMVLr@{<_woA>zgR`@LTk205=}Ib57@H4*Z(qQzzz1GcN*N-ni}Ku zS_CcN3r5X|)pX8In^9uBC3DKE-I?~7)~lZI?#5kcy6nvLh>!Sz%lfla67%^yhF4*8 zLU084{FQI`=`o|4v$=ZX!zQ{t-afSc^=)k??o4^l{>kvI_rq*88HZY3qu}}_j+r;_ z#rKm*$NwLs8&xp#dn)76uo^Z;>W;Gz=*l}A?RV)c6?Q%d-`R;g$R7M zOO>N({w9~>*1j|ia6-MSCHvcoV3NKgYK^6X{$iwlR@@>-GCN;qO#|iYG@C~c-LiiU zYE*>DD;)IrG> zeGzMz2}-&2x}|ELVgK+)4vJ*$$?9cx#zHh9u;!#PvWg@sQth#kEz);6bK@+p?x zpJQd^xO`~NLidVl3i{%-XGyMNHk*rvEhFjz0iHHDiuMaMHu>nZ!Oomm-oUiqF^$Cc zR%Dr~hj5!w5gIBmUeDO?6nL1h$mOq(t$J2WGh9ycis&Q0<+B35^4GhN$GXG+rsv+I z(>*ZRHxm9ZP~27~(SoaZuhZaR&`SMq(dOZLZtbgMdhe`I4F< zWhQcmKHH?Ud%m^x?^7V4J|tW$(Rdu&qbbi%_`epN=Z<1YDKf%)oe}eAfJ{Il8XQm0VfuGx2naex^e$ z>GBe5Pi=R@jx?Lz$8~jex<$e|_cABxK>3N)SEj+ej7tNBqkAXnJT{JhtXL{lT+x5G za&?f#RX?<%VO46YmALgWyAVC1C0jr(Dc*wGdbN^^lYi#_FcR#}GpEYp9DmDkAT4-# z$!meIQj+Dk?0S_%mW*^v8{x(u4$ZhO+hiZ7vIJk(8t4om%4fGFA@B3}#5e+SHNR4B 
zLj)sbvU^qXpLa(Qin(x5Z%5vc3uh1 zmi6id#3p0%Fle2OasQ>0@_)ec3$j~9Tl0+un_qIotV;J7tXImGFS(CbI3+CI28ROs ztk%n}jt^9?2CjH-RgbC zK1(Q)#8$WG79yMDzD;3^Ra0Mn8Jtg$m?^VT*ap12=%0$1jKil|ly*rnzt`k>!+pxC z5cZLBs7KjQyAz#bGf`T@uRgG~>%M7GZkO`x1Wkcj5x#GoW#$Z)W8liRj7+wG7??Oy zTtOV#u$QL9BBjaV2#2N{{BVAXB{tXDVL?T!-wapUi%ce2w=Mq}pirWgWJdR?*I!V+ zW2`OLRokefgdsE^t_Uog^G6Eq8C$gQON;x6MYpD9RVPUWSh~(ZG-#*MmR&}qd3-Fq zI8j(;fPf&375`w_HQEa{OM~p*QU_0dCTg5) zh$;-${o(}9!xomS7P93Qv!C5=H)L0$W?gkpe#&49OS^_M-*8 zLu2$Qv#Z}uyjUv2Np~k>K2Xhm&P^1@EMvK1U8ifgJOyX%WmO1Tp80LIz+L)hMCAfi zTw2CF-?O}_i2woSMNRvIQhuY;-@hvd+M(lYJW)#}A_F7n5feXMoW|Xr$*v(;w2X~U zyypSCCdSZ5v`5=^rDESAy?`p)CSR+^$ET)ry7==)G3{g2ClhO2{x*?1Hcj^wS191` zVB_;%pgFG>_uzpeMs>yQQ`*Y;6{$Q4u#k;#DRp9h{1h)a)*07+n*sz%?8f&v@qMIa zFbt=!#qB!nvRLbTEe0LuG*B8=?WinZqRi0Tx03RH<*kGb(@D{*YKxz``qa?`%msgx z=X1gW@FKROP8X)R9L-axNV<&;LG?84I2onoiAq-X5I*PL{45a{hv!JYJZyK0D$Y?|1Mn1Kup#?R~k+`TK4e0_qcIDZXO-eOp#L8NdiaSO7$hq z&#z|+2=`DQ{$q_Mc1b2?gbO<7zYeP1VpG<&6mfb{+I?JcG9c`@K&FhXqDr&U5J@Dd z5>=Vw&Ab_p(X-&(wjnaeH7J*GGj12)njnF}zSlM(dYA5}T}0od*Yj0f6e#D#$ta*q zA8)=!kQX5q`1=2YmC37lV7He2=ra;a+Ibkf(m)L3P z2cnZ!*u=iTlM_cXyrn7$EDS@=p2|{PVSrFQwpQ4KdhC^GpH`C0^i481kCUDMKZ8dZ zR*WAal+Qk4e(mN-{VJX%ll56HQ$sDY%$g9tTamMX3~m0Jvz%cDQ}Jm9e;uoMce|wl z@6XPqbAGrsG5^zv$88^HNLk(9y=7gVbAh(_xSYyl9AP~sp#~o8&A3O!g7bFQk3d=? 
zM|zuXL)RTCo4LGX6?*Dsok8`xVLj++@w^({iP+8_lcvB;LUbjfv!_b|J=j>b59QqA z;qe056F*ZR`fub$8RyZJd#^>^j=4E#Q{cw`#oK#FHJLr}!yqdb1PdZa6&p4{ML=p4 z)=E`WS}2N0Gjs?LLvRsLQD8+u!GNfMh=d*pAp}vHROuunp|_AkN)jL>d7q%WuDjpg z?~nJK_vN7HBs|Z(bMKv*JM+0SbI;r3*Xo&2j4i;daOeY3UlWVt5Drmy;ihI5jgpxW z9>=(5G3{^)ZI*m5%PQkkgXZbGa7BZpWI8*oc~*gJ%vs%4fioRrgDc6)i+!2WaUVRg zlgZsu71gdSXT%NO5o-wTned*jQ#TtlrT?5f1M*sD21{5aFYtenr@IMR@K!X}3c6<# zb$JD*)E}sDf7T(a_YX3+D9|!nTC>?4*HniNnDJK4rsZG9pRLg$QcUR69m0R8nrnHr zqa*PO$+u%LmeoD3lm|JdpYA(-7cF+n6Wg9xq2RvCud6nQ<>u};rGN5{-GsbvmF$e` z&Iu;;xYoZ#=T!lX6$O7}WG9zc7~~N3H3QS-?gvWCHJ6Ti=Iy&?TAl zRA|6lK1p$2#z%YXc#tpBV{zs%HU8tOzWO@Kj^RwwJOx%a!6Y2TJwnPM8vB3gaD zEm0-c%P_zKwX-Wd*XxG#jt?G0V-)UGj`XUW*#r2?zo1v+SH-wxnY0|qr2Z``$4+R| zrbh$lcI!!3x2Be92en^6)LhgH(Hk$f(|0Y{w|#hNx^X;>ck6!I2Mh5lAH>%hrO9od zbZ|4F-*R^#)Vuy=p#jr5^aPtRPUz{11^F*@h6z7t$)8_%$Af&%5p%oj`MfK3y?+Ui z?P@`zq}>FBmvbBQA2)Q<-B$GUsm3e2UZ2iqTsh^fvMqS-dQ*(~sTqxCQt1}4TM#&J z0zdjJ)PCCOj0Ya!j!mgRSfHt&pADf6Q*UupgLj|Q7Sho49b3n?;*_aq%0J&|;Bt2g ze88Dn0^ecJ23sE0^mU~!Ogx6Ghh2_WBGiZeoK`gSf}XS-P?lINI3q@`A;mL$fhFl~X;loJat*~~%$dFWA0E9K>ZQ*JY`x6->!nI8=rS2eo-|6*rIspJOhZx(Aa zv!Ye4tXs^YigvK-%#CK4?G9pA)*C%{NiFLec;M6doI0c9ofLd)PHr`g+5W0~z}aT< zq8X=ZveI1PWWiWa8rjqUBM~JMka5br-Sf~*O_$TBXRy~jt1~)bi7Y>0GOvBIw{WUL zaA(Y{RJzwN+gZ!?qfhSc4Vd=M>wEQ#tKV(jw`?ThVI^Xn12@||?ci02?(E{VqPYWW z_f$M0W)*VfsqxvYNY+weta8|&t0EdCa1qu{XZ&Sw{eAdt=TWkSlp6d;!OaBavCq{} zC&ONE^Y?83>^RT3oTBS-%*r@NQ6IyZ`Uay0I)Pr5(RLDh3JVNIyB@qx`;EHL=T^+P zeqfM#M&agt2&faZp$xt)ReQ(AdoRT{t}sp4O0#TNm~}nasy-$MML9_paD8Az$5dM6SJjbYC9`^rk+p&rePrIjeS&f zbJv2U1j5yHu55kh!s&U{u$=ci*zsl26c zr1Tu=-IJ98G~--PY!=Z3NeB;+eq_Tj=#C~9WrQ`SqdM=cEQ08gM7bBL!PiaFr{Z{S>lIw!DCb-D_I51Tg^etoR&+ zPg8nU`Z~05js(6tD1eh;TOHhshiWqMPymj0|pW z6?cyjEx-LD=i9YU{ZE4l_+2*+oxH|neSAdP*;8bqCV$MB*oJPp0(k@dP_L+|qZVM3 zjL#!c4?;>DuK-;8eG_2*%lie`DpBRS`Hj1bbZ}pr>>52)eWaMxk-i58JKCc1O+>(O zeKPn|cM6NMh^Gu_X&H-1XWZRJ++0|nu|$AHCuuu;qvNxhVixcsyi>O7%PO4Ut9Wy3 
zV+u@RuZA(Oh2^}ej>^kmG(I&^jPHF7@Ykv{4lK$-ye4kX;hXLehZmrj4OJWfves(A3ghA$mLy$i-GPqAut9ZI7G6szo*P2%81 zmGm7+`8pUm#`GMz%s!se-!*2m9J!B$>zY!{jg&tKY|uD1`wgGHV zgPIFA0Rz29Xd_{(s06oMh3O-fC7+!ktj5>W+utkilJOBz#8gI7(f^l)YImQ0Mx112abn@^4YO+9Oq5s4a_`GW zrNb$bMeWsRCPxGEGJ-JaW=POzif^G5v(Q@C;N~PuX`@xItey2F?07cFrlS)HEs381 zpsbR+^m>CF=`E8B2^hlH=NZhHW#U1mc@#$PoV~vpUy=~cV|`spmbFXf=#=6dtTak? z1O8vX8}RP0ewb09ItnA%(3SX5Q<(a+0;Ngqt@oW;NMa)LyIvjIULIv`2=w2ZLPI>z zGeNf_UINU$N|xSFvM$g0=sMUD>VdTb&WP9}fW9y6($fkkeRIs1x|vxPunf1HW?aL1 zsXyER0U-=@`In8U{-A91S1J@Np>u-;Tz#0#9u(r<$J97PAjA}XiT8P7~m zl*~Cj(Gh&&9N-=KOe`?2Opa}>_CjR0vjRY=y8LhFDaMqfW#sz2ChkkZ*;L*he=9~x z&d(v)0dYEioy!AQkbWiao8-IzFzWQk{0huHaC4mJr1$iN+AG!5F`sjkQ7A7@uGO-N zb*8zUS{~vx=BE9=U+GV zw^<42B5vHwx>sI-%3)eetur<;|KiyL+B(1P@je$Lz*t`J^V~}}np(OK^Vl_}KSr_SoyRrrIr5$VSC4Fd!LhbX zf_nl`6U4zh4%k=~Y_ zuj=8YPTK5X^nW8u#ri{NyxBZMt07NRw{VNKg=LRuxmR*-zfHlI)4>;=PAfGqJcFU3 zaiT$L8O%Gb%YTY(3RMep0~4mS$}2(mEOLMozhbE zaMxSzWR~uOl%Ng=el+%qMnA4{v}5%jHzuBSQio7Erh~YjXP0{R4z9iZI6A8(}DAps0HYsbLIOH6nq6+=?aZk{*^<;I3J8_bl z>6)&pQ36?DcAy1-*}o!IWY!>?rejj||HxHv`M4wgzz1t$9GzXr$M({ooiya907dv1 z9(|J-)6-q_osBdrXGhQEYM|d~Ud~Xgs0>%SRsRNtt6LRO8IFQ|Hzk-yt;h?=fdp=j zH^-I~QqGkHsR7%P90wj~KT%XKzzH>hXwiR!M*fIX6R6A0NmXG^-5_~+F&{Gl%YR;G zU<5)c^1l6)l{xKRhxrjMcL%IZuxQ!y7E|hFdnRrcovD@Pgimx-u$eBW@aqv|D z(d->Bze^_os8*a@x}oje|)$Hx8`02JsGZ#})!gC);qm76f`6CZmfo;(W#IJ)y}R z`2wm)r zzy<0L?E0{yg+7aWFFjt4eM2$zOt3KVkF`7&lv@(eQ^EV=J^~!^3Xw z#B3S6R!S?3;P$U$B)~^`tyHooA|DW4BgOyy6aGg3X5Wb#`%d71d{S2S<%O^Omj(k@ zZ=i5;2Ljhf6MC{Fd|Qz1b@bp3IIV1@9R&6nV0-jV$GBAMK-VxfC%OCTN~fe`oX%-4 zG{_D&$GK!&^-yZF5*&?@;$g>n(5<0G1GCe7ON1B7GuyTLPDqOvc7m`en`NwvJHurK zH16UK)GCCxj4+xo?G6)APB`Qn9nt!faZzm5%?bt--7n{8f*~L}irxZu0R^b2@~+m& z77cefj8e#m#=|JG{SpH=Zv?&RFM#Dzk6?*uPz-=+nTVD|lz zc1~uwz$nUK1U=+c1&i$AdGXkUsO*D8GyFMv5I-PG;))qO-Y%F11wh$r0(c+rRn8df zA769L387;jFR_0KGW8_b&Y059nL2)q8|#v^(5Q)JLFc@7lqs$Bo{%r&CTy!n4Ub?D z!hq&xpxGdq6auJRv@O+xTA( zW?)BpZmSs3Nw3aN`ZT_sRAOhM!bwIX^OE?czYXej*~tqryxCFF_#1GS_k_4|Rz1Vy 
zvigDc;N8rc=R3fi{7IHCF&F|FdsLe1rDkMfuTiq=zZU<2OW$)?tbudOOHS$l0t@Q^ zDcks8%|~<$o9{KR$w)VaHQ(z5H6C?vM{L`sy8dOWc%s*}NDZW7C+J|H$}`#F?6mR} zG=fW;*?e;;KRbN$%Ey=cth35qc~5jDGWtgND<9)BiC;kDT$e-JJ6dy;XF5Kj37K%P zzz}i{s{4^LZ)UmKfm|wW`|{pfvY(9XQ}eHXT*uR9jlm#!b6P$(xCX4-cdfXv0M^>> z(io_xx^sOO_J#xYJsdHO20^#H`VNHaS$sbLy|S94BXr;*knAC4WBe}Qy1)@GbiUQv zKH|NgwpOq3f=*+5q5|l=1g`C6*qWzvJMAv#KQuMac_f~+C}MK!;$WWe%e*$oL?YYv z8*=Vbb=M$jA6Ig!i&3;w_DB~aWcmR{>GE?r_D#L_^k6KXWV}hTx6}CFJs8qez1P+EQy2FBKx3Svuz_@#1+rk$%|u7|IQQ44g z!QanwfPh04?Ji?t=<#AH>Im=*_aT*ugFM``gM zJZ^boeUJ*v58WGG1#LV$hrVK*+a;;XmD}SDqc*YaZW$(cK=p~0EJH%svWV+4<}&9FA7@2;(9;#H${hZ)5B*h4Y=+-M zUXF}pAz)?`^ImD1k(s)?5-QT|6IYQv0C!o99R3Hg_nR)!BdQ89mmoW7ikz7w?Hg%~ z`R(Kg)xYMr)U*ZWmQco3&5+(HWzD_w?9#N`X*1~!;hl_!poAwCTnkZ>1S37HW8igI z^V>~ADOQm?bwf10n;Hx|5A%aK+4n?P7;aFK#5(j-mLKw`9ZY-=x#5|~U#l zVK0;ZMU%@V1iwDRMVpm5n2KY#v^OG2BWTbar5iy{l$tHN?W~riwcgSvuDPzl$ln|L zHPfgS?fEKkn}4cRJhtN;?Q=<@7^t%Q=y?(DbE~`l@zWPvrguf+kta?niDGsuW8cRs zEr^`daOLD1=s@~4DG*XGZ)810Zdzf@F^D0*ujh127ma~Wmw3)RKpXiE^L`f?Xp8f= zu4=r3PY$gFmrkjhEKDWz=6k5vU5%XU`lzpPvWuoD)(?j$l2lZvW-}Urr;6(9FD(C! zMgA-F0bn!xpjXP8?O!F=id|We+$0us+acq$q!@VN=9y3S3K0)-pth5PCi%Lwu56+2 zanAKzRM|NXrR1MJQwh$Cs6!KD%Ak*S$I-fi?Lg20OI! 
zeBeHl=6bM}tSL@2e4UXeF%96Rp+XCosk7Y@C_whAt0tmc^X2t9dy-SxZWP+;e@P~7tLEnze4C>g{0S3 ziG|gE;DUm|%hL)Qb2t_2fD!zZjw>;|>VRqIB1Ipo`YEtp9wd&uw8e^1bY3CB2Po@u zijnd-C-Od;pG6qzV^=4A#Ur1G9lNV0or?+kE)D;a{-AfYi0LvWxyZh0%km zUVZ_$cB4`Qwe40AZ2T&6& zEL-=TFoS*PJJ|#FLK9usjLT(_if_!>i|2_JJ9hUO79(hGMD0S?%W;f$Sk{r=)E_5m zKsE)(k1<^`onZxYD;P4a>h4OAf&{D)6{K@ zdMwdxoTK@?YJ#lB@>`XNq<;r0iG9W8ifl14deZ)^-o#XVz)Wv;Hn}u$7t+nbGa^m) z7LgUVb}C0LG{2ORr`VlH?>cRidXCM$oLre44!RuqNYP+IuQHo;>APhc!oGAj_(&!i zIf3ppA)Bo0y39CAGb8QjIh)P0MYptizLBo%ZCCOwZ2N9^O#KI$uEn<5IQbvHt|soU zddk89ao_}D_+F+K^Jb^1c)clcBJ9lgQ#3;LcZ<-H`#CBvZhd((8)nTYx`4Bzl)$|> zr^={LS;+Ga_?B!+PS@dEuq2iru-6F8)Zx4dd8@+uM|CBvn;v?3@Ke(cX}I_C!dh19 zpO57|?iJI^Dq#%}Cc7B-93!05HA|DGudZSk9sfa_AC?g=+)D!=5ijG`zwIA&38a%6cfi4FHDy7HfM@h>E3tA5@o?GKUwH)aPnv3 zXi#|9vra_U=#!C~T+IPsE~CmXv>$9kxqkP6HZSl zEf9!4$fQ~3M~m`qE2;HYp(WtAKX_0Jdq1=}%qcX?8cf@+(k(bu{}m;F*!CD%eq@6~ z0N_q0r~OX**!O_+L^u&lVDDY9Me8;?3(c1|(SyF$mV*q9ey>c?lpBa|M8`cRkjbktC#!iL zm26gVuc;vJA}5+oK4C&GJqnK4;w~VirTvWd_!Ioqir?+C4a55|%(d(D8vcqs$%|g| zGj(HNZ8MkZ=96L#l!dSb^18$>J(3f%F%=7eEbFKo-63ncOTJ=H4RY7k(IcH`>zUCu zbTNbxAbRXJf*8Je?aKJR{M(G$oV!NEG&HD9VWwydVvsR{8Lc*L>o7DF1hEzDniyin zq(5KHE+VwYjoCc+qD7eLK?}TYXB)#m79x9Gk9yC8;v*y~+6lrp7eqw$4f`Z6jCMWC@s=Z2KcI<~`J6aWkWM-Qgsr9P2AepzVpTkp z*iwRI*mtVgYP*l+sTNFG(MrS}iBzpuV+0R}c)X$7sgrGe4o&9R`_%-JjT~f|nb0DK z{pQ@~ww6&%j$MT+NdFCN-ZEJ-0W3b|$WnPa&XX80{o5>f17%K6`qg+r78Vf(BrXW> z{O`!CWh!A;ch?yuowvwVYL`Qq&Zq=y1yGs+jQeDL6jDN?EAp>% zT2}nrZ125POD}zdof!&jij!zo(96C{CY)WKXCaC=4br z^T0=o9tY1xh+Eo)7+P<}Xc5LsU4bIxudD&F!ek4;wtoe6Zke1hHezbI;(-u@4+g7f z%J*c8E@Mt%woADB>Q>W}Wfa*rnfp|6Slk0)X9*M}G;>c2|CQ|Ni|S=aGAM@7|62 z&ymuB@87N>HNdmw!1nP=2H}p^KfV=gD!{YDz**ogLDzQoe|!t1HgbVy1>OBy5r6+y za1i$YmWb!$o4K77{sU?LNB*~faTENvHhz^k=p2HC7(uK!A?&h8j)Rzk=Md~^pURcI z0glH5%{$SuL6m@OI6ElqWs>f#SxnEZy#91A0#>sLY(#U*9m>mAr{Kd`SviRjVUzN` zitK|)U^Y3h^nO+N1sb=Ex2bdrQLldKjj!pmUP_(G^mZcKgw0QJRRhw1x-DNRPXCDc zOTb1H4o?em-mB(Dr}iMP$*TVDXQy`;xPFKio9~4CmcvleqNr4*FAsR}J6ha;Jd$IK 
z5B3u}mC1NI&Pye>0*6fJ!9biQ?^H}8PT5qa@>bK-N^((jo8=p56}3v8+nx>>v+cqKI(v5*~3V!iM_3{%}vd1qM+#5bY$$&_*zv>9+9 z76TWrHlLGhm|{2H;du26t}GqL`dMQDq9gw)V}$2xx=b5Ix@cu-e>>Kl)hja0`ih$1?kU5wX95o_#yNHA@!YAM-)nu^B?lDt#-T#(033m}svE@NbN zB(6X4^pj8Q+8PkH=31{txM(Q6vAZ1B9;aQV3gOt4-;fZAt%tn3+Z0k+!3}*5eNHLO zygRZux+bFGxaLf1?nR&yg+MPW&}^`CgoZ&sgu55SQIBjvxYo;4JXi5oLrcGF4nM>?CUgaImQ7r$sMK8`g?jU>FkCzEdOiIb)&3tyU zPEJ%@y|etQqew$4-8_AK#UUgi6zzhuM$=L=f$BFUc`vqVLC7am6!jfX(bk9yYo zEng?;LP97b6<+Io%Ct^YYigFef{4cf5H_7V6*l)yVqSioLQqO)RxK+&Jo>3CYq0Cs z(7Km7P47nhcJ5sC71>jma4RJLFzQ5lXH=&+TglZi3xUOIZ={pE|l#Eq^GB=~I-x|!h8 z+TNH`5ln)0Dh(FVM(OPjAQ}pLca{~48!4C{qA_RRE@V!`-_^%locqSVZm7L$++l3G z$4%wwj&0)U44FYHEDi({#$)~aaXUB$VS&@n3uwbe>Y!7pcKb)mefHfn@w1^n6h`UP zvuGjm_x`v#QQ#CmpXKN<1KJ4jB$b9-Jt#;m2KM?lhOdt@L$oH=%xCym+_qwU05u#7 zQo(ARtPTR#^=OuishwgQLGfpcLZg=kqQuE}P>RJ>Jyn~H6@u=x(2Ut>EPi2nx@{J8 zLKL_Kr&g}(x&2wD*CC>tPP}zx(3F;<`hcxvYK7}%Hm66h1i!*G=6cH+O|Os*^88yp zT@Myzge-oW4?kadlLQMGFefWnr|C{rX_RkY?;713ukx6Fugk$U=k%Xqhyf~HV{smH zSFH@Cmp)XE;JN}eDvrZ^`y?El$MrD*=BRrL@#4g+t=uJU_4S3L@p1`WZGjUwpwh<0 z*-`I?k#N9wiBF$hWQrzE$gfLPA+)6kM0<75C(O0_Atuj}qW0)A8vQri4ZTewWX<&Z z=_yjB0;bh^`-GD5%^_R=Kq$vE>+fP~z@(e`@yx>J3D4AaA?xYmI4bK+_ddJL;v6kY zx8=w z>`hh_@!Y298f^!*%vlBU9(1$f0-mC5Y+YRe$vYjFUlp%2qbFuM_GhA1e5l|2BvmH3 ze3`7M9kfyvA2u|0(&pLX`t<8Np>8#QxUTXrkk6l?=-HMt;z;yy^K>>WrQ($`kNcY1rcXQU)mk)K@zKgu%nzaZs!8|P(QRxsY{oXPrO2=Qo4#0(!N}ENiA*)v1CDa}9_ed$9H>aCUiTsn zn(>g@ejL`$C8Jf5bO}tKbKOzMkl)+1J3c6SG|XJv!Kwa4j0;odX~jq_2yFy$ZJ2%T zwBvHL8y zu)Z|EP#Bf7RL6oESra#L$jl*gx$-%+10C#5Y5^gLysu$Blz0_pdm(C5H`@C}Kv`!2 zH=d)%29!wJoqF7IH=JV3(H>6`%>A{Ezvz#;zcTifA5s-8wuq=ic&#gcsn*_46gq#t zOqEO1kJi1LTM^`Y0U^;c0n+^(E|C+tTLnr{NDi9+Ob+mTVIZTof8f=9va5D!vn*-Q z??{&)=Xa<2z+zOPaS%N@nwSXLZjubz$E|8thFnlT3V5o9bsaFB>%H1MbRLAJ_ z@=4lDVN|sO*qpRk1-ju30ReCGdocoIOua_6ho7hy^IH?Y@L09DZpi!fh_l^0QGr@i9{v%TnFogX`55kT(2Xz{& zM7W&VvR;10)kS45eXslUy<6%PkQ`#D{N5*rlLaG8|blb;%#P2%g~9?XVp`0aV2t5JpJ{@{T}8D=+Av5bhSxHbhv9e0r@cZFIPls=8H z#zH@@ZE}DA8HWt+r2M+mCF4k&vkGxL^|IDT-+jRw 
zjHO%gaSIxQ0Wpx<6yhn8rvz~^WHyQD#uFMJI8Gnvq{TM6-rNN-$q)YhADM`%zaOJ7 zmbpl%NU#vl8`t@*2K3uNDS1RQ85u;Rq@P6T1s*Tfb`b#=TAo{%yfD#sCwx6aw6IRH zX(U{co%_igTvGp+!|vNi@h9^T zw<$VwH$_c7>F4SYE0*W&gilJ&3+mr&G^)q=w;9?!#;CKpWRJ0F8wfx1>|1NS*Z(M{vg7qhTFBgRpfYWiU#NFxT(rDd z4-vV`j|9`us&-xeh)G3>ST7e_Ie|9#nlkQnZ2rnUoqt`y8y_0q`!y(DrJ|zwGyBcC z>~J@P(=ya7jtDucjR&35pH#B8hDJu}rMKBjM>9pr{p2_xC03#6Gh<8mrW;1lag6Ib z87HrJdF;u5bpb&3N>oI;1@`)fXnN~0V55DiwGT}<(9vwjkPhkdf{LQzI)iMHZAv!s z?D|=+#A!T;*8kI8Km3!Ii^# zyr|$DVu(#02;EhEW{olDWTB~9eQS5zVmfXLotd^*SM_$`)VS}uf$OP6zC$$%r00^qnOXq%KiOD>Qh0Jp*Ddz z)1rI_;#5}s@=0WyPL~rJ*lH6bj>kbN*zk6iEk(oi1sO?<&mwwzE0#6C46EGK)Hthq zHD-yCNv$dP6xvV&(eE+3_C~aIj}h56t7d-v|91{EdWWEh=pj|9~o14M8CB_j}v_vf6=SEo=T1RidbAt2RWdx;&?&p%c47wavALVv>2+#jv zkT#)#51QX&_fGJ%gK9(QHw)fmv9S_i&0p!=oykML3Hn*#_hb3ajbE0{SLW9tAX@z^ zzFxVPd+5*Z)XsSCO1DNxyzdv|Y zLw^K%{op~(yTQ79>*ri7EuEuJhl}qLS;MTJfk^ zXSrfZAbh=$^YnhW@Ef24v1#Xtjk<~BKrzGTSsvicW);A^9SusXins)nEzZixf7RKs zFA5CQ9qT;tn3{2+7pRPx<=r8Dbfd0N^$D{#uQWVRF+vd@DL}_>se+ERfsUPsVKj1i z^>Sv}o!M_I20{_t54|3lpPnG#mSB*f|Ms=i%@3w!`u)j#nb%8y+2!!NkWgl=SL}90 z?zF8FAq7v`A?PIMMaMronLe>JaT`aMJ)% zrK9eoS8;(0Jotww*DdlK8ewhJs!5p zXGsmNHOT9%QcO83Sd{l!LBf*Kc2lptEajMDK~-?_S%)p-#EBLjtBsxWP>&9f2kBCm zTy2qgdhF3dWkHka7wAf=l^aVW1K6H1@1X6pR)fk&)(OdB!OY|OhAkU^lxIA zr+*NW{{9l@ToXG-Hpt*8gA>2ZN9@bG3b5Vt6c5Mh&k7DmH_HY3(f8;}c*}{u$oNv$ zMtsM$wzn+cFVjKO($n2MBX0y}f^+3D0c2NY(f#g^x;u0PjT}<+S#I@zevEdM(iQVJLyb}mPh3kmNkf9nUl3h=<+H$GF5==-a@0r>S z7XF)#9w}1-|@HqRC5#?dRA+LUxCf_M3LLBSvZ_z=?Q43)Q0A+sGB)bb3SX ztQ9(1JS>3>JSGXHeg1&5LG(WYO5qDdh>y;gae};qd6^(Hjj}JkRG`NcpN&FCB`c_^ zUV!rX`!}HTh}n9f=F0NO?3XP;U-M}V>cIj<^w)2Rcn3fy&ab%Gb%SukV>gd46@s_( zu5!lkA?4>)5f*}HwZb$cJX6ruTJ{_Sx_AELeH0GR7=4qEB7u)WM}5E+d2k#wGOMs zoWbUXc=cCxdc+{gLhSqLYOT7v2?n)2MI`%51Hzx!hsE&&4(Ncmiu~IXRW~g9TVb`_ z+R#*ndMjlGSL9HzbhpSMWFgWOJ2@HiFg7mqT}b`0&B?T37o~$ly?7F~Pf?XDMSB)6 z#fS?Y7^#JQVR46XuCUkTdkIPKTFw{NO+SzRv_oY6dw0+Q!!5MM>{z}wVME(?CH15n;eQk^rH?hbeyaWG~wnv3qvgqC)ehoaE;to>h 
z9U?UHv5PkSJPW_EM!r)&Dh!gbena)=^@1AuLa*v}BK*%Cdy(MP8!e78JbtU;S-Ojm z%|YO{LExt=#OgONWD_RNOxgN3Fjd;$q3Vx>!=QShg3G`i;lR(k*(^}MZL?bg(-hti zbVGe~`CFfIFaMx@c$~0vCUDm)@MAfm?zBTVIpOeTjGFzKU)x`7N+vljM1f;AVhl^Z z{Hy7@b)c%e=hOu1Vm4N}cb&?1|FH=f;QF+&CzYyV z7}3Xmkw&N$d4c#=UqSNf%XS!{GKVSmR=;dln_n7e99QlwIOc7+NFy#k&=h2Ggi_xT37y9(qB_yL^Mh;LBKl^Il8n2pCsYl$|x{$m;!VMP|&WH zs4#NN?E?9o(fmf?<0}mg)y4APEzM=ad&rE&vOWQFa+VQ1h-gQQ(+F8{o@JQT0 zrw2EbklGZHEA4-#T5~FaO7FS1+P?Ak_K&ric|S@eC3x-oSMzzc4W(CB{eWUNA!4`Rk zeh>#UnKRcKoqpt(C@z>a;6Wj)?hWPRdqxk%BD{Vq#f$6-^CacoB*zBLoc=GNKUc1o z|5ZC_4N8A>dOKh1qF~f{X5XpEgzl-o69rCmd{QPWSWiL2g2~T`0=v$ts|$rgH!53a zFKQnUyxODooth4ieW;-kYWbMA|4*{b;fwEHCINv|DS6B=}O2w!pk%MPK~Q#n%)Z|)R4=-=uhs%(f4Tst2&sF3rt?A;D7t{ zA51VOr*jW%_RH)!vR})^J`hmvb6&VWT|hP&@daLsj#W}aJFT2AoR7|yCTi4z;Jln+ zD+a+H9a}b_9W4B(7t2#aiI0g~KmfG}l%aEtb_O_vTKEMXaiU>H6{wQDCpi zy^L20UX{O+sI#cl6yZfs?$wkwXji&M=V8-6g;w`1PT30~C!DpX@ss|=fGML&#oSn)074xf97 z)YixKr2$v#`rVH0|MFFh>`wudzM$inzqQYDaU?%uQ~7=ce`M(AR`2yvYA1Op(Y4jL zl&uGbs;FqCpm=V#1^sZV?I9tw@(;NVdz5;oA!v33dpmy-1Aq3XU-|PwaGX!R%ocwL z9gs_fk?7`YirfAc&FMDB#m#3%5~%T)g$ww$`+}5vRh_1!W^e4b?p))XnBYb2Fhx!K zMCwu#Z611&IP6w?R3Z1=cMOR1T0~kfshm%HIj8Wv^QSRKPD>?8S+YdilEfnl4)kDbB!?ia}J3!(9f#eoEQ&Z{S2RjG7J;N+50Q4t%*)#;T z=-?(Y?#wjfn#3Z`2Hp!};@kqN)H9b%Nz-YzTVNS(}Y4fNophA@VYh|Q0Fz=hB z9OqIPLG|TLj(lf7Kv0v~(pQGZI1e}DhyK+3x#==fK;_{F2UAQNg2ph|im0;FYpeGw zTRYAA7%BHg)zhcK%j8hu?@#h4Q?LWp+x>$cA`bqLb)Jm&KLn<^{g`+AlS;U9?+`8_ zSGNx5(nP0E4ETN0sHHdnCh}JUTzl@cNiyTG+Q~3r=KnIMaO3QJ_5EA@k>QhOwJbL6 zU|RTaHmQc-q3+-)bbFgW@{*)KGN{X;wpL}JxR0(%-bwrHP>X$y3$vc37tz$n0hdcS z(Q4M^9JCS?Pbs$GG3G+SN+*{x9{kv~>J&y&?t#<8`68s*u@7$;GAHXE%lUVc8fKqa z7=Gn`c>f=1+K5R4L685`!MamyyxoWWqq@ul#G$HhUmY*0V}?58dv*w&6WC@>DxY zs|JRC*sx^b!xPUwDUAx0egNbB58KbIt{kvkwH1O*phuPnZi@DXb$Po+WlQ%me#&2R z%e6Q^`amtKpRG^kIv#Tg^=})sQ~asX-}0BA9Uqj{9@QO-uOdr(*QQhMd~T_wzFxEr z-EUng6w>Oa7b|BtZ^Kq&59B$879HUs{U&Mfp=&Ek_;fTjq<#Zbz0~G?K{%$SiL!{h z!GLqyc0WisoZcu^i!Tydd}vThL6jqMvgcmxJG>F2TZ>;cjNjCie^s{T%RpIvxCtNl 
zVl!;oXH*8zLV(z6!s(+0`$DZ6t|A+yip#U4{w5c&1FmiHckp9Dv1^O-y%8r53$bFr zJ|R#s5>y9b!XGknXH!3XI{wMC0=N3QlA79y7)871(l z3`oOv_jiJ=kq9ThRzK+W3GbzA{jJ0~+AzT62heKhy=g9UOkb3#kc`#WiA$5H^nQnO9 zS6ILZA&R{hH-0x6qaXW?+yiGTg;|A4)_0m{!|!!E5(Y7en##R9fq%B=NSeME$k1d6 zbT%#VHAy=VQ$s3a*0n#+lW!YYu5R3%=l)O6Z2B{W2t*?L!$&GwBWa%oSGWDpb3Qw| zVNOstzyh2$LRq}TXJffNF7(Om{2fG?c@>tkY*408TvTH_l<^9%6k_}bY!e*n)DT1- zHz3hKoV0rDz+@QU0=Xw&cL66RP`iwIIg2&tlqTb(8^zPZOMD)A$@&M~@&h(8jm_9M z;3w=qNub8fpvy;E?928tuyGVCeS2H9c4%Omg>~UxpYPkts{Bg=`TsWt5)P|c$eivi zSmS&TJcVK{y0Kq?jRmA4oXWoKXp#c>@^V8E)jEBqirupZPdYGqkws>!8z=csZ^pbH zl&)fyD(#qnC?XDKuZqv7y7EiP)<>E+$kg=dIQ5}r3!19WFrZQN+D1L){jb)QuP;~A z=b?sQz(G_!*2S3$+PT`L`WZVd`z7OiL_s-kT7^@Cdj3^PBPsP4e-pVyxR*hfIXrq1 z721Xq5sNrDdJ*kVlzqqX!fygGfL4vS(hZaGuDu-!bmW@BbCe1!hkT|Uk$v*brgFf= zwodEDVhz*kHCICS;S#9!PB8R<${(nCM?Zew50mG*%RoT_^(kmM%&A-o5k9|Fn{5Cs z(r9JYl?TKTZ3n)+sQ)ry(SuBD*k|+| z;F6~|Y69lUx6CHCrtC;k40x-r!L1nqxZn&ye#7?e7>NcqorRC*YNOQNlNP^em0 z-WERik?z&&i1~lmd(WUI-uMqNfD{2mlq$^%Nbd*&Q4ml8rT314^d=pWSg=r4q<4`H zq4z3EkrtE^dXOqLQUZjKWs-KVnLDIl4*;D4l^YwI*J3*TT4SQBZYdg>&Ki1XyS?@S(umR>V|kRiU-&bm^!3)G$CshbI_6t+6PNvG zQcHBL2;*NIIx6r%0ely=w0fs%m-cZXo)L8!SADvwI=v@j04R?mNVVpY>&8}NYP5~1 zfRQhNx5X5-R>z<^M0saJSi8RTvZZ`+na!cAdFu*YeR1)hp84+Xgs>pFDNt5lYbq%c zcqZ?QF6*L(`E_`;j`;Y{*dd`yZ>BLX#)ko)K+N6&s!QxAq^$kIib5lU?nMFjG8dEEe z9qH67laGElw~`kv1-+2nncQ$%2MhVTSsri_9k^!}iD5kGBmPo~t0~f?Q7W}C>4m8@ z`bW=ufAsR&N&vTkSqJ9T=FX!klz%tJgJ#B6d7d4Y(=~SPruhKs;Sx6HwMSrliD0+Nf z*C#bP&{&Aj}MP~w5mzf`Jihb0xVuO=5Q_S|XQ7p#kEtG?TT`C7HzmR0@6 zW`M;9_>AYHs>lWRIcX1CKt4v3r+}FM4~%Jm??o~5AFsI!`HpEN+j$gX^?k_)rBlB> z1>9*A$l>5!JcAJ6BMA3f{f)t?j+x-mW8XIUj=&c!>8Te7aN`xO%bJBt~#fBK-C8 zMA4+#N^N1)hyH+jqy0hL$p0WO_d_si_M!}Hd26y z*U92z;=XL)FJ3*#K4T)&I~eI6o7|XP=UnZu{IsGhdRY;UsIRL!HuEnJfgU>?k8o*1QL?_|&wQ-7(*J%f`kC%BJ^dSO!{vRU~)KP#}$p>MOpo>idVKC( zbLX7I&$O;P*`eOnqj|?BTH7bRq3f6?$oo3y;q~=)N5Hs%631qoLwd{B?O#6~-M9ud z7pzB|&pxL`WMo@zAAC+}o+Xi+hoqfIT>9e9y%XypL 
z%m&F#b-TORooK-ny>IpbA@@v+vv=>8)1ZanLSs9%s|lg+NXUJorz?&b8W240$u$L`#wk->AW&qyI(NrS$g-{3fGJ0rr83O ziSU5>I(+}V{qo%wMmh#NPHfK`ptvybU0iN55i*Dy$M@KUNOSm`xPQ#|N2T{RRLPl4 zcE3UBb254)dk(2Jx_UHeU5zbg)3tnzUj|SV4b09h~~=fuFc%$ zoykVO+})}IkS}8D^>WU~-^GM`>}W;Wi@)C-YZAY^bg;)M@BXBUV@hV1>^JL6yGY{n;A1Mb!q0q^yqak0}$1`>xM=4dTp zt%_L50)QCy_dC4azRoWK#R02CqYnU-s7DbVW#JpN-YnlR=UW8Xk#BXROZq!7@HegexHC{}V28Janc3{>F&_YUuvkg3}td6%Q9sXcQKrdt8p~pl7 znp8}Ro>y&2TgS5AWU+ zg0el&rm){x3|@Z)zbF zkQQ?t(1o$`oJW?DPHELKVnN0(Se7aP>T0VNmqHnuZjG9RbX862^-e8SE^7zWSKAxm zAnyGUXl7}<)x>KlKPrTGMg=V`yX zVgbS&c{9+=ANEf-Y)ms=J1X0Z^Tp0`ob@OKfD*Sq=3oO|E{Y|E1FoCB%QNe6xab4( zX7#?D^9H*FXY*;WwNU5bl5jk?w2~vknq%gTh}-{sJ#U zP~*UAi#~^kUI;W_5ag`{U$ztbCAZTyNv|EpMO}RVFhNy4&po@Bp$l4p>VE+M_Cqx! z#RGUnjf=Xet>M53UwCIJnn!Jiy4K@lu%aMKCj2x2Q;Tpd zs8kH|fKMKnOmQ0llM42AFt2ADz8mn+t`Q9CE>MD_Tt^J0-?u7Ytqv}NNivC-ZcI<4 zF`1#V0oT`nsAAgxdNkf~0D# z5E&A`t`5a7gQ32T<^#CQe$LT1u9P4)t<@ui@3Ir zyPgDv1K#?y?SGx|Iavc~THAOQ3hf1M2>coI0Rj;?1KM1QB~E`=%K-fQ;IJUm@0&BK zodF&K9ErO|TuXZj`7V8O|0#Hampm1}BwsIS>axmK6{@3>DN%plrO4CQvr~2s#**12xNb zkfnzY9n1x(w|GJ~>FC0iyL?@o37o*m;^!CkzZ{*u(>=WxPDY%%w}}KE43jJ;-hftL zrh6u3e8!CgBy#1D))b$q(0e@=2ZlEE`rz}=388NMK%(#h4p^Q5q7EpnW@FE&`QZD` z%W4PzdJYbP(#Q`;=u0~MVzlw~|HCIN697<>!{h$?+fU{r&RCq|;2}#PzwT%GjRaZ3 zlcH_9@sU5Iy@`194X$?rm>d(X{XpBefzKNG=VEOVq${3~-iq4CN4UfRi?`7R(7daw z-JV^@Cdf=rbWT3+Q}{khzr(@A6}R#sFM=YkVEneunXD%C_c^?~^JAUQ2r3p+)qks` z50oeRoHVMO_>c$?1G`NR2n%$bra)>cWR4<=s%T?p*?1+&_7O0L)dXHVRF(DtIiNn$ z{NvTuD*6fGz!JyC&Wnn;nrNW3H}`2P-QoF{Vo4I@Wv=@7v^n~Fa)lB&e#KI%uIUP@ z&i4(o#RlFMCeFV!bT}dQ@NqPSsVEtLuui^TguZ|yi?tNeXKhlCAoI$G&OZft)wzuf zj-SS<;xJ^89T{xm%&re5#}>_}-qy{Nf$O{z(-fUKVGaR62MKnQ%eC4G|!*~Q~H;d=K?}e z>4E6x*p(g>jn<`CJ2SiMp3mfIn()(wB|(Ip+-rn$4KwvWwh1-@5OeROEe>wK#stG6 z1Ubm?_~ArcdGj4Ic)6U_Gc9buOr>GoPgeq@y>!HQ-9KTlBEiTyiuUd{_=hrjne!Sy z5OazWo~TOi8#{T4M}G?lg^m~P`(4?3g$O-YNZT=u8r0UT@U7<RHQza$(@P`QKkKG^u3~g5_jc%ld+@Fu!MtB8cj{8iE`Ov^ zFJ$SM*}Ab;A_Kd#F?HTsst>hgIi>MB4VEj)=+M+IOFoGCI7G)gX;&sl#Y{8i9ZE9T 
zBs4V^ide$gbB`9MT~XjqEs6OY@N_#jAm}S((B=fr6a=gM&v+!J?rb1=Ccc$5UeN49 zIgWBOCVlW^{H|WUF&xdRnd~h4(ZJZj?F+cR!Q7YZ&Dk-9d%S?Sy-)LdSG^+ixa(AK=U9;~= z0x~{yS&*QJOEaT*?zhs%>tO}^c>8h*69EO`7?u4(6!_7I)Thx8PogBq9CfIlUC8;8 zlB>rYn2Efw#h3a*Pe$byiMH882K0%D<)zlN$a&kS77DNBwr@BpAQE5C6>$$yW=mlJ=sZ%jMz-!A8I{C(;~~ zF4OSPCw+Ku?Ba*pMVavigLB)pT`c;xclDGC9fl*im`F88}OYW&bud~ zh#dWPf++YVN}YOf<6M4~8IxPwg_@ zx>y%Z-IA9_V&Fqzq_NH&G2(}&tJ2-+s>*LvSn>5MrU3QX{^pMRSCpfzwq`OQO!`;E zHALG+&7tRoP&KRXJvA&uy|-GtOfYQW7{pD+IE9{@ZyHj+uV3YOnVn30NMP zma&9x?p%v$NU0j6;JE_J?fsU=8_VAPG>ze;at9;Y0Huc5T%xcG9n(eK!_n?dF5<07 z47`R$VCV^4Ql^`WQS%^fEl9le+w$Uw4HlBVhh40Y`)T}52C7781c96{0QnCDV`AZ% zawuh=GOnbmQY83K>YqvaV0VA+ysnfZAHKVFC)O5{3A1ln z3utPP^X>F%Qo`ab0(-tKtQb%@HMsHH`VRI^;c5J<)ahXOAYBxq8$(anX ziq*Y40-4u^8x5TLN8nZ6GY$u;Enxf=vaa{T^1rC(R=AYNS-rILm_zH0IXsDCXx5Eo z>CR*|8dOx>so22Gi5KR5?9EC@%M(rtsbqMb36>739O|26yw*kT4ZcQKeF3(F<6OKZ zux2376@=hb8xvrJOe5^;He^ggaob${Ev3DV`PiLfpkn>saaw~64rIU2rATC55WX!j zTj6QGPO~AW=A1+2m~exB)lEy*ZGlEjmb8T zQfTydk~>F?BvDo3{dr}?*PccShD6K ziZI;{CiGWr2 z@SO+`(1`b*&P}Fb3cnC!DYb$XE%#l#yD>2g$Xq(t$(F{jHW8=3XLEg{Iusdu6 z|5OM-1TyYE3%B@Y?^TiSQkY*}zwE5H`pvQ~f`0R+*LUA{ta1 zEdxYzTBTIki-R0jHm8Y>xTc;+%I5nwx!8i7w`wx>7JTm!)yICzqU}U=p5T+LxZ4%_ zg2eqSjb=&k`=6}JeHZD58^wj+MvQg7Uz#pC30>PJ+eDC9%Dn)ifxVZX>ngPrWEGBq zg*nBE?1nVIog1iy%Dx>lWkaRbTaJB%;LYMB>^qxmAjmDN?ROCFE4yL)o>qWY z9u^*?LbgUS7pJgea3lSn1q=!{uUZU;_$tG_JF?1lx+3WXsXx$LH|)cluf=evo@cZa z5XE^J7Bd2TAReIV2Iz#Zsbm5>j&IQ8%UG-avw9dT)JRuI`Rci0zR)b3>ovKQkI`tP z?urSMnMLvHxBcA-MF$O0Cduy}+n^(? 
z4r8NY(75_R*;juDD{A9(HrNDaq%}#UDLzvX=u9omIXf**5!6VCw?Fl(R->wpBiBkZ z-Cl|IGUhHe<;U%lzsm0`MqhHV9f z(UZ|!@29N$AD8jD7m;kHA%Tj}|$smr!etv-*= zkVakl6}5nS*=psOGPx8^)fmjt7W;Y|co&qmsu%mV4N=DE3)dDBW(oTF47ad9@@me3Et_RdvYy?dzB&iI6*JCayk zMj@+atrt>H>4d8JHbMg`J7*y!wbxvNTZk*v+Z->r;d~k3GTVW;68}p5cTo-8%Vh4O zZg+EMRj&A>N`0fL@kZ&0hFyft<_P6PWwmQPYRiR4RkH^McI^*jgN0w9%Sw1|qGab7 z{uLZ4p3k3Z&xVpmQM6q?VpPTNM(LN*XBoDR%0C#|d(e}S$mw`*eNHgtb+S1SUP?%n$l_A=S$V&tRo*7%_^djnf24x zV&KqSVV7V#_u;)``HkSgH)RyhyIFpWxvt|D&}7|t4n(OHKYhPbm2U}tnue04P|j1P z(b6|{Q`nf=JN~)hCE<{hG;cTR)>V5bSjuk>oC;fL#4YTO84}IV>L>JF-YL7Z+r1Gh)BPJws%zL1R>6UX}!Q&+< zY=B;JX0gBW81K*dF;I7i+!Pms#N|%_&1DtZp@f>+cb1bX7(@oCP?=NwF(l$Ju0U>N z3$_JG-7zDPw6!>qP^c%ZOkjkNnSfQz^Lhn z-UD0WdSlT|t3PWmm*!FQ@Z|`J8V1Ruz_EyFF*Q(}GInKDE66@)Id!?E&y^IUFzJoiNzQnK1CwUyLo$W>eK| z>`=01!xAV>zp4N)yRbv!hO6pOBx64FXtHv>3NH3RJN@u}=sbcCm?s?sq$GE@d5+?k zekVp85KuW_yhg74f@y7)^e>~un`2UFq9AaZPGFX;?MmOterC7u60T{*+{z;F=)TDBJiu2O{8DoEn% zzroaq-BCeK+nj^ZFYhybjTZD3(8=!b;K zF^fS&FBl9hgoC-V{0o$%k{c`t3Ip!=gEwvjr`}+Z@E&^@ej{kI6yl}Wb2_-2`fsK~L;Fuc-)o*F?_aVT3O2DaCNUsz zUN|Y7byy(Iy`@kj7p6wS z7^gR=;F$!=9|dz^m$?WA>!Za4za%&Q*&v5Nl|8>q5`#cnf&%UI-}dnKu~#tSM#NQ1 z+)!YXgJ`8OJBRc*bt>n|TDtp5aNWC3a^NhtL75=0mX7P)hd(Zwrs2Zf1qBBf~tb%j^@ zJ5oLo*F5RdA0U;lhNV_xU9RWQG$>X?vNO5_*D82r;yp0|5#j{cU$Q+c$?{u!_VG9J zaG6hRpBXP!1Xk)&*QfweGak@TM${r4-wQut%eYQkJee1?)I~R3c@dzZmW_GOylb!T zM{MFVlXO??utY%BhJ5?+ylM0R9;fFL0{bh}VPb@(2R}5kTGuT>){P+r`|+ZK4@xL< z6}mFz+B~bcSc(in%QRxO*)c(&Q314Fzei!lK+lsN+)#ay>o+jno`RR!P=weLu36-- zxU@B)3~m$1UMhV$aV}5HhA;JU-%ZJmyk1ha^7hJ9=v3%Q7c|sVm@3Es(ayzof(X>7GcY*dFt(Ibl%ZV~SpUhk7vTPN= z>kY>qF)5)6p0uJ9n&|qxpDJc*0he?s5g*woo*8^#osaiaI0Ljv#l@q=;n?{jn<&3w zp5}D+oL*?=;KCvESOWq02h#TMjlL9E|hsE78tDs-e~NDA<(ZA=x~^ZuPy5^4FK zpNx8Od(ip;gJOPgx5N2zeR z@u)|A6HTXKb3xF4w&QsS7m0w-XpcYoyFVfTza#1y7bw%b#6fsK?{z&+&-sCtqzR;0 z_F93!2dTJ<*UXQ4PJ*PK$h|gR6c}@u;=<3QiR6!3C)Nx1;1;;0PZvB2dz^ISB>hs@ z35-Ta3|2i~ZZ>4+;<0=MyZoxvN)9dF9&mOMFWZ=8;I_UOQ^E*Iv&y#}xt7*OakTXE 
zta#xD9w;f+%?UDo#H1G%Ua}~geLHzYj-%L>?YzONsr9MTm&7T$(sI6+6>TVpVWOTsf#+o! zSq7z=tfAbP^u1We9%?9wvV1;DP4@YLQo8+@NoRVAavzo$B&t?lzPDwNz4(*Qgr`qd zGUS67Za~n?kSBGp@6ixzvp}bvl4NqBF|$W>(5f|;>2{A15QKlG5o+vjMMG`-jqF6i z{s`6bbT|Pg3D@zUM?tgI6j# zUZ}Y~KT(pgFwpr#OXhCajnpEj?b$!c+vrS}-kfsx!w0((!HNz>)jcV5+W79k0GJ=< zpp#G7iOMZXQt4x8FQ{8TXZ)+NJhD7Hrq-}R0H9}9V8$fb6=y zj2)|-MYw*6WFFJop|q^|lv;;x{vjTV$xth-XSFH;y6nkJi0_CfAKr5$Hu6X6jQFNa zv&0|sWxK%ue!-}1FlG(`1Wpf`OQmUc>t9Qq@NM@06Q!lzdMpA%`CZ3Ca_JpfOS-8* zh7BHVtJbM!gB&MO5o5J@&z=HdLz<(g)~gbo(to^po0qUUMBbktZ(qxWA zObLR`|6lndZm08(Go!9Lc1^o>Cit;dCL)48sY&#Fzk-5DDifdJUc7scB9R?GFM&hY zbEUF=KT1Kgr&Y;XVF1^Iz)x_5fkPyVckl$ zOT_wGrc}}6G>O~+_2VsB(Oh6cL*WOv6WtMH(q4NnwQPL0QU@C^q0i{B4T0Mozcwx4 zJ@?t$i^h0jq2^{Lx1k0+5#nEF=JY-He!`CL}K?+x6ic0yeOpQp;J_dHxT(N zlntXNyJ+6$Qn3kEUJKNL-jF23qodfiY6dG`OPOZ|Yw!!Z-8D%96TzR_V)q7aJifgZ z@0XgmH|)^F66CzpK9j0fVj(#k0&Z9MYL|_OM5^TC#_I(?gd1Fm7#t$h6rw^I|Jcp* zmzU$-pJQ(Amh~#5(mr3_o0%w!R)$4?aO00C(e#tQjSJgzeKfo<|4qy!SA-qhj`A{m z$%M{cWtPG)^DRd(FWAOy#e20b*3Qg<7f{m9QPjQb3$-?6Y)aG~-&RIUx61s8@&&@- z$Qir?D!Qfc$BSj#=UF?H;q+gM5k1OH6~(#8rc6S)Ju!*W6uUmXpw&f_<-D}l_o#l$ z9I{_akl_$c&JSJ*vVHw0n%rcVnvNhm^lGhUP|ynv{`4fv>an5Oy2R%Nm2{6j+`*j% zot7A{&(s;%#R4TR9~2xCwTOO0okJ6ynvs)atMnP-ciziNhZt6|6+gIYop_@?a`oGK zM&`8lXx3;q11y|hF=_xYkem3J4NP|ytpkeMYksu<(Cfy%m&gnR+ZIG@#nbajS_oQa z^Pa}qJaSY(q)x$ddER>uA(jmmiwRNjd9 zc)X0E)LcZLZqH-V?yt#b3Y%g7yq-Uni7-3(HDs@GT|O^(;;PHB$BX+3AIUe*2a96E zzTQA+h9N1!cd(lbI#Yx9kGE(&4|0K@rO?CG1TFV21kGk@J9IP`kmby6CGASY!p?GU7Gn0)u2GSeJ zMc$wHs6Mc1AH`TKn%Q^}t)ycZjfxY=f#y(%(Wn*8iKpvd#8~*Hnj*p35J9?yjV7H5 z+UeIWx*fQ6xg0eT^HHH-BP>cf-0RBC?)KmtDCs7d`&Nq!`@7w|M-tC|tSeH`OO@Bl znHPe5Ucsw9@6)pI7;)#r%z|=%E$LEAR&OQNL&FF~Oom85U<);zMV1uT6lSI0+?Hj91rK$1mN0Iq1S#EJ0wXfef z9mXQnd?uj`5fC5>Mp+Qo6@g74hWT{75&@qU10je=F17=vy>%39JaA6{--jNP#0HR>?Ghqo63 zUL&sIGru=;Pu851x(zY7x&b&d4|bVm1kru^d9qr(^XY18U2$$>UtCiPA!Xfv5YV^T`K#vlg1?r3)`v`fQx_&-7J-!^)h zS9c?B`^)!y=!j)dXNobuN94*%-JGEt6-Mu4W%8@~oP^Ps3u0~4_ufRk~*6src7mZvNK 
zQ_+h*XBfW8R(@a4AIk1d3E}IW7c}S6Ehy{+7EW4PzNKzHxj(UNZ+o+1PW%{C3?$+* ze7a!?b$PoeC7<_H_G=MmW@3SYu$|Q+W`9?s(bd?NAIdR2oQLl`mrFdWnowb~N~RNv zWUe(i8H1M236^8I!&HjQuqfO{EMCh}5TQ#05VsO%|0aKheDSbNbSyCmSi|K|+FXqn zJ@SiQ7A7gL5RXr!*}l-r!F9Z1ZSFRxU9>2n<|nbrhcdm?)DF^&o?g8lP_9Y!>~%Ri z)#INMw?DI}RlbuJ-#!0@vz=P}9Dl;8jtifuZbx{xy(B55{dDSt5p5i-v_mmYl=a2+ zuqTW!w&;%3BK9n^e%l<34_G7&Fr|8?3Tu zKo2w_ay=d&$JXiyewN0(s045Ono@T!FfdvqD!>XPy0mQZCE4VxB`@`6P#H&R&uX5eEmy+7v>sqlVS6>+16W-LGnwh?7 zrog!{KU~!lp4v4xjh@5GM1W(s>Rb)|AaLiqlTG-&1qLuOvOOTC-B_WQH1`mzB$NHo z=j1ufh6TyzkqHgc9F}E|u2XU(INvqBPX6N!ER-hwu--oTBTcES=M_y3NdB~&`}u)G zw3meA(L<)4zR{#GR6jYai+N$LCmd|$dUO()j=FbP_Hp#x0BSqz|IP^}ThEM-H*)@? z2-vTxs$q;Xs7kr#=WckDMG)$A?827H)2Et;I56d-J`&h*MDjRo^rUYU9yPs?bN<49 ztvWqi`L9c?@*|V0VbrI->rt3M^Zn(PUeMM|Jv@5GquI{7)pVaRqHK+f*f|2{MM|N7 zN7p-OszB{4@liXy!Ag&zNmVo0^aUv%w0x}2*_iK!9m4dVXJjznhdT;3YSQPdEjHGD zCwg!x4Og=C!iWZytIX=!|53Pji{g$bM$cTNr~SS1u2=l@`-LpXsi}^e=OiSaI3^l$ zXN!ahUwLO?%!?k;OWEvNJUN5d^YY*-HUBcFBam8j1{aS|g+*JlVU0_YJ+M7Jt(FOg z#i?xC)4M!UJkr9C+Nyr4tqT(Csf@s}Cq-Kv@2ogR0u5ZgSXhWK*Gk5 z-CL}ht$VrS^YgO}t8>^!+APJ03!w{29BvQXqAi|vtiD^G4f?#X@VYDa>F}#R51D>q zZ+btB=CzWPwDFaejB2U`)KDaNIrP0BiKGyGz6!Ic_(OB|-54KQP$xu-blq2o8E0ZK z8~$M0+Ns6@qiYOOJH1dr`?8ZMGWxOBOHZdHS4Y3Q6T0Bo<#wzDqCfL$WQ>JJ2a>Ml zu36V-KQQnCu06vhbM9H<2_+&=^SS?QG5PLi@=n@k^XkfR86@wOa~MgqDGVOm(vLXR z5t=Adn+8c9w}o3!n!2Y;?3A1=-e`F!1K?rgQC)-I*_uzc)`<1m`9*}qoYzaD*<@!y z#0nz5CbD(S?_pw(d6etl)rnh}_qb`;=rTOM8-NXT_S~2hE1|WvHck7>{=4l;w4p6g4G``Fa*W$^?vp1J(&npisYsv*72IDHaZl>e&#)%o7~LR>z?pL3jr3kD<*4p4d9U_ z9OR?^(g9rj19nn2`4vs#+>ab5diLmk)mG(Bf9m|#9}S#%X2}QqsS9NbsAb6Y`Ggzi z84SI6^~a>hhx*8kVV8%K#^th4e%Z7aD63iDN#FEzHfd&@Hcc4gC8l)3_*KJCBnR}* z-}h&Y)A-Lnvu)O$_jZSZ%;kC(vp1~g4ZB=70PcWrq60|;XJ27YAkDAetp#r9yhBBk z7-h1P;Zj1|to<1))#N4u?3?v+_@RuVWUO%0^;3vetW=}Z>#lHeQ|yCa_7RiF-cF?Y zI`O9b9VuiuQjmz^ZJj9@?<@I>Q5sEi%kZWJ^1%%S1Fx~qAv|Mb@cQBSi=|5ejn6iw z9UJF|o1%eW*!B6=Q-5e_JSmM~!anKsB+nUB*7JIDObg}pMf%t|7;Vf3I|qqQ%BL>R zABN3(6n1`V!gDjZfjz@bfjwedotuFxo^o8vvykwKCK{Kc;MV`R+Km-3@UL29Yg*CF 
zik_eK%*V$o1JBmM5_Y;eL4_%#`Q|!SB##kN z#A|%b>b0-gf4!^SoCN{irXI?uYMEDIJ3Yo>oGnplA#(djxo6zpNMwg}_FW;(qz!wo z9QO_gA+ZQe{@5{Zu0msc0*3sn|3uFhTsE+`5bazJoT{u7&!Q zA@6_A3?KpXI{yVp5|E|B|0_-;OV;2wi&9ncxhO5olF%}j{-Y{c@(WE$6&MqxfoBIT zpP!lrJ{SQwW*?CFhHf^KyRjcLWqzbF9)1KBA_m|uMOFCUk2lM2CR z&i(&H{og04P^yamsheOxH@^Sqrh=CY9_1)(mYYgxDgTd27}pB}Z)gnuV^bBt%n3W) zLcm`ZAb9YUPuP^dEQbcLoOQRxg}*FL5wJM9{|9fC3z^w0YI?(bHQQLgq=@c1QDK*h zur#@sq%dTS^=B(~Ju+%F%wrx4XjWr!O<`*(W)CFLToDT&SlB9I>Ov;Mf{r}iC~u4t zy6O;QQSV_}m9EgBV=Eq;IEZL-wp2giMbe`QGJ3agFrF<0LW8YZAd#^4QS~ zOsyOJkpsr8Z2O^>pm1|K*n{}Z;OBG-_)piCFjE(fiaddlBv(wk7{(tY&@~Xm96mHB zcI06KqX!f+%Pcc>4deswuj%ZVg@FppDTP9g-1*ytg2EvI`qSG0aU0EkgaX#Wt_Od- zySBuh+U(~s!$>+g?C1=}Pa*MZtts~r1FdZFS$*X9V3^&hesFz;0zwtnrvnZuF=rC` z6Ex0_E6DwNitWRMma&w;)vx|C)qlkc5sAaoLkmjx8n&kd7jW57U)2V7(?6j>k0mav zZ|fO|f9r)XN8dZ0EfVN&L!uBN23GQnjmP^HRunm)r~P%Gu)QV*QItzjs9{>1=M@> z4O9o5b)qU@&F_c90I%0b3-;*OxXpDGp@CYl`2tTK2D(EMBN4O~!{Ptwvyl=BH+w~+LhsbDkLOAv1#Qi)`b^5;zeYkmn7qx1 z188FAS5xQz>}$#U*)+*8=^7;`0T7+^4$Krok^eV89j1Ru0%9bu7Zh7|A4{!da> zxCu%w!q=)seDdDe)1d1qL$>YS&iHBB#x`2#62gr(IB5k#k8j+E@q zIJyb;M>`zM(tl=%IRXUo$3z!FR=3Wi?mcbFSw1_j^aiG5BLl@=Zyr?n&w5=iPMuu`6UPEBRxY{aI|<7X&8a9r zre{eE*#2|thH#kUb#>L<5lWX6WtEcsOr*`3|Eq^lyW*Sr`@w_^6S4xaj^w5K7lwEKs`K?>8NMlpquJTKXnn)xtJ zap&`(m79NaTUHC>C(RUAaCdyIOK}HfAJ-jOXpGQfO7^sW0Tufh@$^oL| zW!%|2n^-B*B6FY;-oG{0bFiQ6BGp9+|4n9$@ryI(O~!HglZaB~QxqWDe{?4xJGFE` zn)RKQYG%U*)YoailWzROf-;4v8o(hu-JXWr6jU7j4_WRc$ZuH}lk$@)MF@|$gh0dp zXuK>A=C}w@dU==>cKhF(9y4`Jh$vQOw_$gD=C_{0{z;Uq8T1bi7f9iJrdro5mVZeZJ#JhiJq$fdE!gxlF zRo&+vJ;SU6dkg^{aO=ne%3i|wKR+x)D7ZOxL^*5hd^ii(Ob#%fdsX`%l3S0No+mA! 
zDqTwBF*#jyCFId$tFyJKQ>%Zz*LCO~C8S{|&^Pd~pt&@S*luVQt} zlvFplD#c+Xe*t(y7G(D?Uni@zj~RI?y*F3aP`%2~JJ?0@KS-3F*1VZ39tX1lUXA#ZXN+z(W9AlID0D=r z9pF^09uw(IkF~~WmfzoeD2dq{%Q_HSt@1I|)csiEl0e)`u+6c%#}w9mkCBRsT}h1u z_H|XhN?#Q8roSs$dMadxdq~h^#kJAmYiF9>31G&Hdt-RoSIjr;r+7pK?H%$vebWEK zlvzT)YSulwrgJf8I>pdaMRWB%;CJ7E9jaD0I14n@#SNYtjHx_Sc6*bq{7hEK+Jtq( zX{`6PscRx_R9nn#rHp!O3y-GhiswnvQ)d%5gr25s;1kZcwTgDj3~6)DB<(Z=g69P+ zx@=J1v?V<(AEQ%qowFc3V=J}$jTMd1zBB(4Lp`3@;ab=XYr-92bGsib8(5k7W2Wnnx#c-gXPRmci>@~oUn?6>*uVmVdxG&9oet}D zEPL{;dl zxVxn3aEJ9&E1|8jv;6{t`kX>+YOY7JbH?#a@i${^dqJ%M#*N-ij$@7QE^^Eu_61^6 zOVTyz{r|Psz~<=H*ZoWp;k2RW9AfdKK$NItCvPhf?sH{3E`IsxQ!0v1n*A{qz3A_^ zD*T2oaj3ebw64! zL%k-n(ik7~-UCDZ2#+x)ropA3BC0bQmpaPWaYwBJyD(}a~t+QXkVYaf42nJF7qYM2rZV&3Z?P=N-OE-^c+4R$=EDY-l2u;R* z{|N8IEH_`6WeEDJ&B{5@UweZ5jMbRJ{EXK*eFbR=vBJRQ@p%O@`0$QLxnWJWW;0_~ z`!W)(3IMiUu{haBfvgI1R3CCto~&{`diR9m1y$2daHuufDdE^X*sw-?k!2@Q7YsWW zmfWOJW$Zo7&mk6Ag+cUfr)x2xF{z*YQFq)6u=~0llnwtBiUMLl__-?@ZHf0~6b zwh9{tOr|iU@@HxG#c{7kqx8JO-ALf|A6~MT>DO&|Z*{`#9?ojy#G@VcN*PbHCU<1JbD?xzV^U9?B7E^z+tLGc2HOoA zc`yn$yPRoPeK@Rx*&pk@uwXTfZUQ!KyrR^UYa>KV{w%eOhodYEPyeqScWa3scjEbl z&u3|RFC1fITlb>xr(Zigz!6^pvg%BF1I7dsOJF<$U9JI6E9+uzEYz?T!#J__N*KS2 zNUJC7^uY57uqy4~7~fbW%<&e-{JV>bS)+Xlh-eZsKjGqZ)Qm3MUNY^f0fpxrRbybm zNzLV*`@MG3(Kyk;=i6uex&H~PkD8;mRcfa4n4^UD*acqR>~CzRnfGjJXpeW&5S4CdV*|~1BfVx8oQdYo zE2X!FhiB$ImHL@uK92R_Q|5EXqG|vceM<9nU4~r(*6NO#>NI7W&GHuJ(nBA>-nGB8 z8WC7kI|vtK|*uAE8h*$K1eow{-&_@q)~xICwr#93;c=TE9+tnTEVRG&X9 zO9-6UlNUgtsA|6rG!EhPDI}C|Y(?UXhM8ig3Y9)+-_@*MJ&;0WJ<#twm@Lw_k(PQIU2~U}nwDHHb3D?6>v`pw z=P??7k(uo7F*x=}yWx_qoSacjOR@I8^#$HSu`vD}aTCr@1C1wFO<2_jAKw*f67=PZ z?x$$x-PbA*BRYP1zK$ES#?5JUu7&Z9!wcLZA(qBVdI%Asr$jqH$6SxglPPvLHM8y z0Pcg1tzszCllJhLMvW$OyRzGm% zVhcVt$L{G#TKI&(fFij$Q*(Bb_iVJ7x;jqVTB(ijKfu_d?wu-s|#Z3I!qRjTIY2I0+-NJCYIpp8v%! 
zy)|dP^WB;=Q)%Bn6LGx4DlE4+_wohNXyA_yW=`zI7XtMSUO%&FIhPTqn~$V7!0y5D zJYlHhgpT2$Dk#ORZjV&>!0>A@hRSZwHHXTo=PkWPtG$Ab8mZI5HO-19`?*gL><55v z*VFuA_j*sl$MTpdEAbIlJpdY~b;&XeP zS)R^!vTjrw{(Jn63}1vTZ6GQ{A9dMA34mT)v* z1{P|FjEwH9FhgNgJwK(sU2kzVrLBoBLtOz1hcxAF9G~6f)XyozrKAOB$_>OH2MOf- ziDNh;$Q=2GN88@l`rN@!k_8@qP)8aCYP=pXudIC*my|W~Y6sx^T;w{rQ`%Lm*JIT! z41<7e87{*O-#I+-sT^xFzm0$#U^e+%p(6j^>i8f@uK{OjxlClMnExKg1MFmfwAb~J{jPL5zGVkg3Ld$J znWMFc^tRoF#-$0jgW2v@jTHg#ZN3VCnoUPYeuZWGZiI{w4| zbF&0Q>N6*8^P`b|6f24+X2T3~*D^d0C00WloL;?21Z#g9Q`sOS%xxIv0&?|r@K zb#Dn99%ynBD#0sqrT-4gAipa>cQk8#egQXV()fs5lD}mE?@}UUfgCy6@#Zay*QNus zu_R&Vfy>idroW(c-&!GOYSzVLk*k&`9GbYHuzM#Hk6mDtc@|+)o_ksvmr^ysqnIu*OydRSY=M={ZDJgNh92#@giT~y=uE({jzFVcDh z%=ui0G+f}!DxUh0*CRg&x)&)sjEt=-udN8sE~=k>*f|oS2W7dfHHlKIMa7OzL+pmRoujw6_o@1sg~rawq{U{KNpg2UMoc5@O!96>d%w>)m{8qELtR6VNh zC;ifoU@@iP~-NsZ@5)UK(7kWuW6ZTmZ7wyHxMd;Hfck> z+u6-0-sdb{iw=OKNKT_ovf|bzU0~o~v)bRPco=rs2M8?+K1aC^AsPLt|LJBf%b0my z?3G*K*6ZY`UtyqXX!aRDro!RU()?jXp8%-JO(u0b2bFhgLwQgZ;f?CEY120xrTmu? zvo$tU>PE6SOrR8vXRm24+;mkgiFw)HV?Sf_S`@d2Me#@USy|K>HX)nE-F}*8~8t%5v@GJ7D8gAy#36l)_;SB))c8|W@(@D9kGvoMV@f*2Qtvcqo z)HZ@uIn9mjc2w%o@?T%!7ye}92{YQ9ufX(DPnqV8K>ml>i~ijma`xA9YcCj?Ce5er^xP+8k9!#C(_yZGONv@gc*Su5l z%f*QValye<^?A=0#dK3VoCeFz7~A-ib3a<(z~ukjowdH_X)04OrLH^^ZtJh#A^NJ( XupqW1^)ZGAd*f3V_ao)b=Pv&Qc=;}_ literal 0 HcmV?d00001 
diff --git a/aws-gov/img/Sandbox - VPC Resource Map Example.png b/aws-gov/img/Sandbox - VPC Resource Map Example.png new file mode 100644 index 0000000000000000000000000000000000000000..a990558bc8058af7e0bc1f4eb2b5c7c89b6467c8 GIT binary patch literal 122670 zcmeFZWmH^2wg!r8aCdjN;4~84-Q6L$Lx4aaAwh$?OK{i5g1fsD+}&w-O=hmVch{Zy z|JG$yuRdL8SM91@w&g3nt0+mMAQ2)#KtQ0#%6w3RfPkZcfPmaWfCJ|!oDds=f0)`z zNT|q4NRX?zI$7C%w1j}5|LG9}kP%nK?(5M0`V$qF0tUkg2@2T{Q4xjKLOjTJGV8>L z2PLy|*pH3U#>T-WoG_U7dp3`^{0Bt`0vK2p9w~M7rudbySveK~XFh;P`99xvvjKc7J{_`@wvlIjY%C#XEbF{b`uT*v}J{EPPKp z1!Q*MdsW#{EWoLoHu;=Ahu=sniiklsN5bk8-n5)s5ava*XZMMj-*Bt8#QHq}O*_S@ zg^#er^9N!D-u-4cR($(od-&!yfc;p34csq3j!5i3Dz;MSc}x*z`0>wlSQS>eIz2f{keQ@HZy-^C27RKiBp`KN~wI8z(0Vn1aR4$I;!? zo5j(M>K~Q-M?D`b-OOEWo!xDn9LeA6H8peca2KYed}H*VfB$HwrMK;WadLF~XScu| zWP5wV#=*+Y_MdfwiweEv3aHq6TYl92VCw)D515AtHy@YKU;6*?=D#@pw~{*lRg!~; z_y1M&zrFhZ7S(jKbd_*&0P}Pg`LCh*C*S}6@}C8T*xtJS-$d~bIseTC3t9w8i0wZI zO$6yHBXk}FgeZjU2QdwA$m0z7WGqRdeq&$hmMQ+0U@{W1555VslIZz(z+7y|0)#2p z{4j1YQS<{foS3NVH9?uPHoT4pWydZf)on zlj)=b)14z)t%dv>zA|skgZsBk|F3!fi-`VDdjDgBf#;st(>5!Hb6k_lADNFgcuZQ% z-wCLsU{->3W5Fv+bcXKyy5n_wFplo>ev-=P*Gq10RY%wlurfv~SDI7%R*L)ED{s$$z?Ph0XJL0TU4L={ruG5~=CtfW0huRdoLB zj4M*!c>z6L-d~vas|P$}fI^K$-s7f%-=QH?b)0|s)`;^IT;dT6hWUw26D|owEefUjrL)cN?s?5V7$iA!&r*X6&ik1L@f1D)`lKW9w)Df8 zVHS)(B+~tMecLlcw<$JwPvNS(3&bfepPh9uG0B5|$wN4>EExpi+~U1FZtFOLO9fJO zzI3f;;t$KeF&X~`u5hnA!;1#o#h?L&PN#TGgvAdOfA^Jh6v#kFH&F9&yH86i^4qQy zLiW#`%{!PBthb!|ub%;p%`XO?>q3TWp>LgOrQ5)hLk!v6AjDh)7#NAYvB{zN{2tGt zvIFr6Ind9HnGG!54lJ;6&y-_!{%&LI=-^*OWB=fCj||zNBG+@<{hcH50kSF`TmkjQ zkI#UHwig{M?Ps6#H#X0q|I7${5dL3CD6#(5^8<&8lfzv1Z4Hs@p`Z6R%##fhvjixV zQGZTQF^nc4sXl- zZ+cGYyx5|1zu>YMAb0uW{gUc>bEw(uvQ?O`kfIh#tN3ReLC5p2CKW_4`Wd8)?HyJI z^;ZQG&8K#Ld4_HFI?K$LOOT7DmOXYMI9qFD!ecdv|L`4CHkG?rxIGGy>MMjW4dqw+ zu;#U9H|bZZkmMM|fAUW3Y`)sFTyF zd=sly-nV?Y9;lpwdv$#NY2v@%BinIk-*I2lHhttB^S3vhfr#nCep+`yl}Yq8 z(WJtt)s*AF@#}nmnoa)` z^;_G_*o;i$r7;fb@;&xCoMEV}S#P#)Y_Cvg{;|m^b$7U{KpY`jrzK}Gd{MJ;cD_mV 
zyE7SDJ@Cn}Xzedw)c*6D)3n^5zDWCVA_YJHdFi{9&>z@I zmpCQ+BG~?C;D&j$+!6B3EW;w>HJ{9%q_}>2lUpViWSyxMvuVS=;Ngrtxq9I*^O3|#KcB(okNtnmZy#6Q#RthGXOs}kiGQbgFFoaPgJZ-|Ea6w}(q7y7joGKD19t2K&aFNc`e1lt7rqLb}=UnLt)g->jM;Q1-O z+#Qy>K3rO+@VhmD_`EXFf^5p;Aug92osenS4F)4pYTZ+Z5*SO^FmpxqJwr}9q8tmWy7&+nS2fC+Tr@0WX7^4rJFZjYZ@>TErXh~7KKN_<0w2Y!YB z=QNEL9iBTIuG$0~;$`%F#~LPbil1;SI8VO!7@ARGqM^k4js|$qaNQYW>Q_!jXf*q6 zXW2WXDbUe(wut@i9;$JL)(+zRpZ+ZOEZtu!Vzw$Bnej~eQWXZxjMnit%+wx-8dG($ z=52t>B30jEw7vm_8iYIO<9N{-ye(?crOJg3%|khq8MtI;FW2-w*F5 z?oOABu1+VaYsU|-gq*fZ0D^&=!2xUZM48PuXr|QvuQ92%7*tE)4GiKZwg`WL3CyW? zj}E(gB8S~h+EePBz#NeUEuz? z&Ti2lmQLAm{ISt?dgpA1sm^S#vKQH6G8ka7kM_m#FkaTx`PH#lCns2#r6RO*_+li5 z>vn79O`!v;cP5uT7rsKDtADo(3+7ATRkSp*d+W8hrzro3Lc9vY>~V}z`cnb`7S9O> zKMOh51+aDEPd#sfIvJ10%eb4Ap{Px0CYt57n|-blZ&aF&rF)+Io3JBNLWm%>$N5g= z*#@hr;J5cTL9tZQx6VN04;I}1eG0gig5>m}bbj?1^JnqDD%3_6Oazcg zh?;OFP};2bhh?Qq4W3bq#gOIcjTn)eruU>y+sm zLz<;GzBouNL@SuYc7vwNX~KKG#qyB#XXxSj&B)Ewj}qR)Zb`!RV_mKF_(9DkDMChwpXlY@Q&z)ckBHIv#tlSi z{HKRYStCvO_~``lb-?cEe3AWZnW^$uXOixOdBps2FJYRFk|IrF93gN1P{GrRRp3q~ z&2YZtRpH$B%9{cmB%@4jITU~S`>EV=B-v#N=vzyuqy0-|&B!rCTzuVSqf@Ne^CUG> zh+Zwf%0&D(BmOe^E@vOXoZI>1`|76fk|T7r^FIahErFdk`+_FA2!n*^=oT0Q>P1S( zaE}N%FgqN50uL{Eb;i?pZ~@tYK;N5^W3^1@82Kc&#Ve%*#sZ7+L`5>dr|qy~jf>wo zt)eL|>x`O=gUGURhgV}F?@L8cND=p^FH1zQv9O~2gKLjQIFyetjX(sa;pkfE*C!N+ zPqi@!7ea_1l%c${q!tM9+injRSE&$8{X5p%{Gx?a{bBoH&$l^)J=T=6_)FWK%P8F0 zl@?nZfJ$0AH&}%ZQav#&`VEKdr3~>r0Tl-P1q=3)G*%7{nT%CEPb)dJ0&vj38S!y z!?^8t5vo<3y~-(JI}CcUk2}o5fTgjWqE;(#r4hbxxO6WgdiSgIVBlw7te_VwgL;cb z3}^C@&`D*?nr0jOoGb6wZZ0Tmncq+kUqU8tuG^@%&6Pt4^_yMm)A@YVqJ6GFXMtjC zg6=`YB39#>rO~bGl@%L{d`P?In;1|Gdii05(C}!|ICM%MeHwoYa(?QOIq}h`wesly zc)uzQlUuI_6-Q*Fb72q8J(k==kB(+55?T+N`EV9Z9z(kQ6^We|B{C9jou>qJJjJlF(4Z z_qXGPoEULii)|jg_1(!LP+55fINUC!n1;7jQxKkDMp-F*0A6F;)8p+EY)ye98J2*k z4F9J)`QoV^k9AAoi-5GbskY^LPe}x3o=uL=F;WPy!R=!RbJjM`MpO?0CIB}X_Nx2y zyz$_+CNT~G=&soJPiYO3Y8bnQl*r4rTP>6R`*Llz!|&S}kCAn1odJ~2@N>L#=h$;s zuX?!j!|D9Bpc$~l0H!R%xJ1clIzLEJD94Eb9-hm&le?M 
zHLrhZ{FTo&ego}tD=bH?F{(U^5MY|?etH=xoU!<@y@ghA#A`S*Prghe$G?)Vi~Llr zSvrUCLXJZ8K8E58oLt8X^oc3{G2-mlo`a-RBr%0khvBrZ&RNIuFIjfD$_^ugJ|;An z(jvnuWN0*RH9Y!HUA2Jj@|^4-YX9H$HIj4)&nAIZ1;72l#|}C^r+0Rp<5kZ4igNAB zhWC9g(zHTrXYilo%jsq>IMZ zVUUADYr5nipbB`q=u)eWc17^9B8dd$n6^hb$}S*jRDo>ELpGKQpEdU(qv-nEr)qcQg_B^pKJ2}BD3s!alIvS}k4n4Eux*zs-Yh{O!Zy9r*27k8b`3GOcg$ir{$M#X-gM`A% z#v~TM+d-58@J5tWIH2U!x$+6E+w1o%I&v4x+br76M)iQ= zP^O_n2~132OJgDjqiRk0;c}-Aws_0G)^eQD*z17We!hGfOOGASKASeheQgMc8Y@1V zqg770RLbU6Vc>dn%ObWQGDEhuI~I>g7nK#WHsr_ZRv00-8DP+Iw_n_BLU9n_?|1ac z(BE4x=_eo(b^hhuPIJIX3+tRKPOS6J4^2$A03pPISV<#w+=j778L+XHNf{j{dQAht zbURnBx9=5LHeKudVgRHIrb;;X?dV^CLfYxj&~eR+|9taYV>x`oGHLx=ZcU-EJB>&! zPl{)?p3Y?i6elIUX$sOez(EZcE$yK6N4>At7E9ofD2Hb9~{) zu@F4DBe-o1#OIW$6vU$r>c+dyLqJA;$UU*PGZP3mX!TYluwLwH@5(C|>+bVyg|+m$ zvQl(k$_mWP76z@^PRKMktm2QvIZbSk<-Z8tz#y}ALu2?O9I{&;asyqBt@A}D=9NGW zsibtcD&tr2oMVLS&QtPu)-`72JYybf#%&VeFgrFuzzn@yA6L5G$RKm^r!Ez{BmF(*#Y3uh0 z>FC-zAzT-j+%~m84mX(Z3Se3ZHZCohHSyS9_?)!61n#E&3n&69gk~G_C%Ut_(R8ecMLD7w`CvMCB;UB%pN$rfrVJhrV!+ME= zVhg{&Fq2i_Nx?P>e(Ke_bEC0alh4)&BfHa;!7{k&PmNo;`mM?kblrF=qIO^|x5C$8 zuSOTn7Km0_a)?7EBQkdCbM_lcHv3TKuV>U4y>t6H1aT{W(oeB|_8o3(ADMx#pr;KT zja)0~u9->fz@c!Eih}pgU?|i3^Pj)tF_T5Rwj+PehvQAlA%0pfGx#N+;{+r_rmku_F6S4zk_(`Yy;)eU>rdrk&11q(WR% zY=h9jqq|pL5C)e+(wGTj#0)XcI&9Rzqj4;rA+EiziTsG|`7JgSB%=U<#bx}(S!J*t5K$-)U{F6>^v-ZzpJdamP(M~>zr zqZ1s$yQXaCukkGEdVUMPshkoR0bP20NVLDQ)1}+kwYs*E+w}_+kF@40eaTGWhvQ3s zJ*g^)l0WBYYE|m7%Em5;lWVHbO%=$OvV5CF3n+-^Ic=p8Dwp@Zv!;I?)o*m?Y4Hf0 zquYWI|M;7!hvOa96IWz78F=SFg%SA0(VO0U<&HmVT=ZNR@tsgGzskQi-_yHwU7Oz6 z$U3a*gY|f(rh}uvBG4(z-xVKhiLaZGVKM7n7bzJV`ap|5ULRC8s>ra1%Q(7sreL< zn{U+uFV?Ikqjn-Djr@U6_r+FVH52N{4SsYokCh8^3Ma8&r3;tvSMg*qX{U>uBQ1DD z^^l1+l}k3m+eTq0nHg?a z%pLPTCeNbikyU-dW>hmc*ZvbZHMMh8A;1l1FfSGTqWb3-z9o9k^p_rYF4amb?|YY* zL*Wcg#Y-5q?SvV%?VTAYw(qW?)3Ae^6CJ$y9vwWFk55+xLrH-{xi>|}dw5QKG&sww ziM#+ka!LIc3Q*uGLvpKe^GUkMnrX=B)>ifq^g#^Tc2BeZ;}dW-sT6e=crF%d>Ewfrcd;}Duq-_8&CtMmpVc6N1Gmfqd; 
z2#7P}fV%FtD*<>5Ec=nUI72$p;i_C1&}>LLeP4^Rm4k9&pv+mO0VZj@?8h5}fv+e@ z`r;3fPq5z=U)Y;&3JI)J(#&cG5SUpEzw>$^p1r)YJe;c!kHCNVqJR(3di7t(6`7n<6= zk%T)y9YZq)(!^?O#vrsko|p-<)rs|p&&O&bQWy-)2yv+O$un-ddsffc7KH}xNBNC! zTZA%w3j{@E3}0BKf2U$;4dU$!+w`%nU2A8~4EwSv-$^{JZ4NHf%3$b+-O&s^!MPQ` zzC3+wpE7(BlPwm47z|8a%8u9z6>81z9bA4`+{NLzKh@3PGOS9e>d7jd16>4 zid5zmpj}~HRS|TQ==0EECrHAiQY+>0L=jRxP&^mk*%MQ}@>|w?({+15)o-cl7;Mhy z83$Y}2^XI~m=zl`hR-mS3UP75MJoCpAG7#yy~^v^R{Olt5D4FW)?mq0^(1R!H0=L4 z>l4oyqvh<_ce%BMoFlt)EU=A9d!F-Q!FQwP1=aHR4$)l#=4Q)_QK5-|vz zg5+y@Y{-Q<@|Y9AonHouo`DwRql2`gL=!qoHk5}$Fp4aL6rLolT3|Dn$ol=ZuqjW7 z-!5^aOqf34^(nc%-Ek4(ge2$@h&khOKhg%(I|}dA!HgGAN!JQ*Q*k=F^`>q?KwbRl zolY#QlKU;5F5G@nz+#DR2FaoGK51{Mjn(Noe0 z-ynoK8DD~U(dP<>R;D zIn^m9DkiF`hIhqi?6$&-Mk=N(5v`@-dVE;SGK6}+1&~3Hfo$vuToeQ*Ifs$>umY`$ z*`i+8eC$3x>PhFP<0^1Eh=NG1IPwV$l{l)y@u6k9-OvXMS^QIfyujv-1jJdNy1eqV z5uC8^ZERKmv7^#rhC z?epR^fq1OBr2E_eBU=pyAgE@jmvg|&0cp6`{;t3d2)H49$DaOZpT|gnN5BS(9yK zLG%M<%O!~WYHo@77opZbVZuA2Tcg-WyPQ*R#t8N0M;{nubMsBR_{D+zih?@V?MyW# z^6lvv8fnXDH9l;uHHy=o5Fg*??P3eLIGI$9K?)c1es?d#@wYI%Xb489nSHJG3v2So z@BG(iSmbU)2A9|0{(cW6EKbLCE5|+2WX4&&!{l%zW7L{M8e^#N{BS#6`>KG$ zxb@c|^glHyIfzY*(GLQ&KeInNtXId4Xq%>jeTW6}4oe5{L8OjzB|@L>2VQsrp!EG5 z0qA`h_i}@d+fPBD8ESQdtJ(I^48bJ-^<@&B2Qyd1wOyW)j)FNHIhGoyjF>sAhaWdI=h`_kzUA?s&CG71uBPhj zP{ru;%i-CEqq?=P>&N1uUXL3T@hxSKR@4rS>rY`}Ow-DsdV{#c_==4>J|@u+ImF4+ zM$(}k@N>13vy|+_Um&B(CQa(s^?!Jc{xMLxsFwWkEg(b=nT6RIu05G6c^#hU!(W5j z*>tEE?NjSSdvy^^N+^$Z6`b@z7ns_Vxwf*Nikm2cz!u!$q~w{XRSuX44>c<<#2ro3 zi(9&bhN{{3Z=VeG9JR( z$}CEMUV!^YV19iR2TA45T^Nn%)rDyL&EednU$=C`jLY_fb63Xuvf$9g7WWr9Yv@L5 z=8v9NyXEAIe}KB&f&+-W##MYCzYU7>t&hZSHLTf|u~BcKl{}3Ueu|Ry{#l5b#yi_* z5kdDoi2THMaAv-@NVsC=Gc{m;=#+yr3Ns#2Qfcje=n*4QuUH%DL60R3FBlQ zd}mbufr%U{_nK6m5`Nmdec<;a#PP4AX^k+z-5?rj%rehOY4Io$VO(mK6`OLXf?!qD zrlY-)VeSgabXO{!nPnZ3o6~7+VCWX{{R{4XLu8Fb6|=kN<$B!XWegncF6qi&ypsjx z=YSmT@zWL=;dam%DbtF=xycE+`S%|mRP4~mOp%?mPs$l@OY&7o;nA5z>~OIBmVDnm zF+eAv(YlA;e0sBe=L4YO;A%-FiLGnDX5J7U1^mE%-+R#x5?k-DGz3~H-%f=$a3G-a 
zrM;`6(-71t8bmk+*qoz1+K;949}j)xT6BMkau_k6^3!|MA|~L)5x-m#{uX|@H*aqf zp^HJ@wAy&acTB;1JrC{V=!$V@Kns>h0!h zzwx^#pv}d8CRUUC#-JYPmO4^q4yk;`W&KfADh3^EAuceZq!Jt|Ti8R)SXj=A>91fH(QWJK4Zf3FCK;r!9866=^-mYbZVF~Ia|fC3%dk{#$9!BE zJ*vQ$<_}WQ1f{R+8=q;=n1v^UI@?C$oK?xkn5CEi25)b z16)=eRIA5&-0MZU<2#}TpzHZ~TA9gpfRM4Qn&N{Q{3*nIw!?HzbJ%M1+HxdzhetOZP!`fK+j^cZ6ySa87E{P>v|C&WSa0#LXJTt1+X1fmTP7iq zCG*Le>DE}Js3W7fVYDLtNK)bWm7s}dNoHC1YDH3kM4O1*m$)2p+iQZd;cPf{+gjhE=S zrh13iqw{pghDyd(T%~04MXWbR;#;r+qla1|mtt!DL?YL6!&yv{+umHoRv)A1`5kmm zk7=*Pctr-#<5Y^^k26!iU(BA2a<)&cmG31q79Fh?A9gv5KKHas(z^YM!Z*keO4FU8 z*;^4f`z?ZEz51F_SItoIU%I7H+p25JX}nIenfA1i9^r#%b@O0Tmugv4AKA97k6mXA z0#2(cpjT%%l6P1p^m51DyVcOnRE@bJQVcNH>rAtw>5CwaoxrTARRt$?d%Rd@nQ!|< z^xlrLK)!=P=NsCcE8PtdH|BM<%^o;>Z=E%Bc&mu#*Tht-!gHz%#-`ZLSCqf!yQ*Wg z9MXI@|MGFSjDIPW;HC>kEtT6AhGRj|SPKYtzKhq$bicgAezWr_FhrYjAVE(uB=Q4< zZi?P*>v^w18YMbn?JtFCYtqXZyiTNT(H96y779iZ=s(68GujWyxvWR$kQQoo7!Mjq z?delEx}F^L;B_SieanIVA$X~Lrs=JDk1!G1cJn^cyW?r)dyDCY@DfFD01|(5;H~js z&-aeQ>ZJp9YZ$pJ=qFF)+=6Fr-w4v~R^67?nO~+{_o=*2L5`I_rB?-<1cyadqJ5T( zebm^>+O{3vCG`#ZhOD)Fc|&h3XSTtHC*UD)ivj~cUybyUd_Fx-!aLRuT@5k$erz!g zJ>xMGS4=sxBI2!JA;yc>iJFADJ+Al3H1kIux}p+Q{w{huLHItPG6y6(gV_HSZYc6Q zRzM<0p46c%;R;Ng9D;PvcT#T3P-MKi_2pHiKQJyc+pj3)I`@`8r(hVzLk?*;Ws_(h zZvIRMxjo!66L)l9<&^6MLUFqFy0p!~v|@+^?kxh$9w^`UO0*L*z;0$;?kQM~pVfDU zHk`mid976@==<@Aa-8pdosQ-4pI}#FDc!*=a|?oPsvh7G!fQD0D62!w#an!-b0jSn z?Oeh|z|u4d{n_Dp{#^O0sauiqp#3E$zo&1kkj!+%!h`&nLBXU zb4`;}=r3||Q;a^2TKm|NRJ@yP|tdaroH>i`BvMfbZ^{jhu%kt zu-S-PEVEX`D&zJ~x~p?}pbwA2es>4AWP9u!7xRB$eTlzR4>x7e4g8ukujeG8z!fK) z=*BNCRm1OW!8qYtvb$E5ji(Hl8Q5$YmC8b-0Uh$#7u_o$ zow1ld-04YFvIepGPZCa#N&O=OQeBgLlg zRKPyG=78?GHT~%n&`8MU~eQ7 zBY!PwhvTl=(Y&up7;QRQcbxxJA1~y#u0x!ZVs?0?e-@uLafjEuFTJTR?GDwcFLNKO zx{zE5z_A-rO@yEKi9NuLZZwT&vWQOUQS)>SgL(=Yw5vMlWxd}1FtNKtoJB_HL@o@-6C&Re^R^K?|3 zDFai+CLrim{H;)U(`Qbrk^T2tG+hEKO)l!n3mY_xSU%VLKi>ccYNdn87K5=quHU6? 
z71|q}Ruey$LAE?su!d;EObI3ubP$Dj2H$9jiYA&QGK^gU-4ANELB^2&b~~2^N?VCv z7-)N{Ogz87JNWVr$(f?8XRgE}hrRRnAKN!z(>ewi%q=))c|Ne7CR9a= z@rY2@J@!bV5KE@IMIeK^v$_`!TVa^69``b2K%~|dGd7Dqw!PVOv)k5vq35+;oy{ji zO;&Q3%3Sh#XQ2>o!-&JwR*)bEdb&Zh652Zr*j+)B_-215`GGW9#G!{<(tb656Gx|sBWPuD>>eRy)^gNzPtaZc^ zOgDJBL-J>7rQXO8|HnN5@}ND*&!ELC%JHYS#zP=}@PN`0A~7A_NQm|zX#1&{_P*3P z$<{+g5=&|^?I`8_C&USL%1=I=yx_@z8KwqfGl*S4O2_mU&yE2e56O@m%f7$nN&)y* zM3`E1T*6;~nhI8S(T87?7vgW_{$+9kW8^ncSPK8z-v5defd`V2Mm#bK?;kA(H~xQ1 z-V)&3NKQ5!EdMLTKTC@KLIeZ!?c7`cfyw<(N&e4=P9i7`Id6$@+y4^x|0MdGBM!c) z^<5=zEA&k&|1zziXRCD)=_&kmwf-wobUQHf5JD0*>VG3k%=53{djx9}W_tfhkZ;2g z1RfwY%9(v{ihn1g&%AF}z`o*6|68$#q=K2}NcAKCTN$-dh!%wK)+HzY$JG5_WGO>F z17?oEBVZ)+KV*rXfw0o%r~LAC2JlND6ZWM>BNeI&-23ZB`H$fpcq<(=xihT2orRLN zb2w`+re@UUX-L-L3G$8E!no;;-x^9Nz11fMxTqyB4dF>S&a;Ib`=*qs;gQ>ceQ|vKwKW+RbC5yl2J80)5M>OTwV)mwb-& zh6f9HPl~+Gp$yRIrr&rLZ%hl?jeUqD;w=~xRJ6QF4NNcO_j(C_<~y`*cDX8?zFH%7 zpPv&6c-HBBoY>4GwG1Bw#{$y%-B@*eiM#o?n_Z^0+M>?{Jx_o3C$=y8QXID2W<}PR zOkyt9`(>>(yUqKiK7psuWJqU9ZNn|J1Ki741`u7*jx=D_plC_$nq}@n^?rv`sOV_k zX~5dpJ@GM8Z)o`@bsq+xe6M-fwk&@5-iEbQt1^zD_9ceLejdIfS^97ID*`6_d8PL5 zGqYZ+Mu+J}Q5jQmkGtBe zKNfNwEiM@Lg>JR|)I^%YY+Gls!9PhM^E?iu^WpUQc^F$4==cR3kydNJKbG)kQm~33 z0_ehlA%tvuW5v;t1iZ4itVX%hsd^$jg!&2RnX%jKSNpnP#`Th$UR8WBg(|J|<4ONkUu51o^n~=gOU$cQ zBC1l7HfU3Y{;DmWwrm7k`Dk1S5r~}DW8?{p@hEOaYZmC4XRj2ickQX!5`OkPeXbsn zwe4M+dfNTkOqS3QUA}kEQs7Gzly|4Ac=&dj6&gx*8l}vGaWrwe<$#2by0tQcygz_L zv7G;SLEmZEqcU!x5 zEj#z=Q}vn7Tv)61hbUXBnw62K2k`Dk33KY*T&CLgVsAkqbw%Wo6 z^gOF)de`uAmEt=lZ9KCsr);zl^!0-*mee7hb^PKaa?ecvs%O{2CMH#(pL7~nAxEZ7 zZN+)V%+421GW4CxJG{qT^?kova?=v<>~rTO12d-TxCpc5pL+1xYNtD2KC8V^>|W~2 zE&qW*_4UO~6S@C(B%dpet7&bZqey8u=*u^c<--N#=AnLrqrnDHQr19GNo7}v5Ox0T z`bFl>P%A?v9up%XW)GUDV1Hc{;>s+FEs0OQY=#^IMjt#dsq`tk!(W|2UaQQ2YM(2X zTB$7jvp;*eR(&prp8yt`wnQp2gIqlzjbV1Zqzs1~yeZ8geSf@JoBI)Vf3bCh$U@Kb zW@Aq#b(S4qdF*M1^m0Z(Y!2?nUI~b$bJx~uBUy|M2Q_)JcCCxAVG8G=!g;Jri9oUAr*eI zx3mGnhh%O)Lblwp^LfO_yacY+BMuC&zGea4qIR5*kqz1c{igbwTPjPp3YnuU+54+e zzQ@touHMu(trcFq8xPXI=>j0mMAE@${;c 
zAd)!s;#ru;ybV$+%|#dGEwS_YsU1#D#i|H=0a3VjgtTmhvQ$~0X5{*qNWoC{sXN1B zu*vK+t1(AkiApb_a(b8QpPfL}V|8>U}{Rj<+o+ZWTeuC03$QkzJO6dw5i9F-E`c?#Ra0o~-w6 z0_+|HubdWfJ#kE||*)y0hU4jJyKbyhpWaaRLYb z*+SM*CIp^@GWT z&%pP%rhY5+K_*{S#Ma%<@|K6TL`!zc3 zUQ=pL>rh-{a5KHr8a~EN0#N53x+PF?b3jk-N!JJU=KgX7OGSoaioR8k7)rvN5IP5p@W z>K`>ih6T*uNv01Ypa6yA=|^>reExa_=&u(m6DP4U@l9;^-we2vt1FStOB1h?BxlFvBRc*ejr6Y@<^p#S1Uo8e+r@Y z8_@-d)%zPfzp$jc&1z>Wk7b={8fHn9C=;qI zNO~my%Uy?%(mJAv5WD@@ry|hnCRP6o4*;o;-W#65s4R^1H9O0dw=i^)G=M9LIVbzo z^xlTQaLw>f>4m|n08hMH``6)hioQ6BuaQ$+dKM2ICr_ zNJpZ!Fhw9G+Y&TYjelFr>!69Rr z>V*mf>4`XNsVQ8Rbwpw&MyO}F_`_oCyH66JND^U zjlZ8qLbr5uDBo#~(KzUra%Wqy-%MqPG*3@BJ}qc+;}4n%G*Z4g>Ei`7I#TMon)d_Z4`V$Y;QpJRp*Pcoj6IHf)j(iymjzznNtIPcleO+ zXyxF3AnI+M=5G{a#dq*#kM|*}$o9rBDttQ%* zz4d50ti7nrrt%{Nn<3U7nSxtKXAcTW8M$Y?+gO+9cO1VPZLvy4-66I5L0!2XcVc6S z#tcWJOUH8J{o(+8V9bZ_Sc5=0vFSUYqrf&6HlO|660N^G6dsu~T6ZV%INVT3w1`bk zw=J`7gMl%J{47>AFpWVHhV~4Vv9yq&Bu^&kmgaW|HrNeIPbc7`u)v}nr;JYTzG2s7 zH!A=liDYcmVt2uts`cuVw9XY#*=smypTjkgS~MMV0o!mJ9WX2P)nNsP6(}FdC)q^B zK7W4+et4z3!h0!R_D+{b3$8~xT?5h?H-Kc6(iYHb4S2R0DUYHZ(4i2I_z2>VxzFcgU$RG~ z0g(3PrP`JDJKRx%V2n926qCBbgqIp<2aJr++>cFp%p`N@heAQwTW8p z7tVdzGUjW)Thd>V87nt*h_g+wa!?A4c_&>@ENe$OGNkX#B3fU3RY4Vz7o#dT!DA`u z9nPxJmYk)xqtz(Ae7Utq{;7PbW(Tu*;i-JA6z1_Y5JvrDOMy<0u>sKE>_U5hH}=Eu z4yl8oS9k^T^F~Wc*k@143*W?4+h2DQawU;q83g7$Au6TL=8$t^L@BlXVGkdkBKTX5 zXJ_yksyXq$Ky7#5>D#~xJ(6E{H#w!K(NIhDUHd-67v6XC#DHhn#JbCICMRoW6O8Ne z0^-4{Qjk_IL`KwxwHtmw|o5SRZl48lu6?t9ONAOF)s({i&^awH{B2 zoup924Ebqa9pBjir&4;;loA8u7$YpaI6=Uri#;O3!11jYpPaD%GZ{IzOH$>MoX8EZ z0BppDWiE@RIcm!2G&dcw#f%xIkxuzF0^7SaiT29aKJR6c!l&Fh@t*k0SYGCrJ8ON7 zS>k6>_p&v-sonLB$Y@PT>hc&{a)~2rpx|)1NjFH~A(yub65|lUW$&-|Ir0>C@;RI# z@L%qj6*6JOsQ_`rn>s$idF_0qEWhFvt`E`yjsvDLMKU9RWjDJ4GjyWLh-g_Z9yoOF zUsG55!fDD37&YnhDns651|w1{=)|kUy@E}n=}a^$Mfi-)QFz({l5$Q(SLT(kaD55} zN!oEBEV|c1BKH+ET;^o&V48ifj#NJ{aWVg60F6^lS%YE*y!Q0bdwBgXdbxe8ExiMt z1w6iT+h0~}^iDJ4{~~u%=nI@^Nik53Gj(R-J<|Pu*n7*MI-4$S6nA%m6Wk?1g1ZEF 
zcY+5GuEE_Q1ef40!8N$MyZgo+&P|?~@2mHmd1ro|e^a%qVAt-u`|j?wR`*(ct*bSr zj7Z9dG5exxNqQ+pJoEpA;J^PxT)G}W8_pNoJ$iKLjV2?#GZL>&C3~+M>_b;UHNuPD z(vq_gAd|tS+d7>w`{*j3@_}A6C*>uIh0updvs}Mn<0Ci>^hJ9y<5)~q#5>1X)x5U_X zs&xy3qvAMo_Tf*w8bgKkS{;~S3hZ#5Zd;nr^y;oDom~P}f;cOvExIMC^}P}=l`MhS zNQ;F!mM2g&=&LGf!3u>0`4@rV$=45pR6bUX29bz5p>g6*Leh~@edoe( zCO4qU<~CA{AER;A;HXSkBz-#&$7Pm}AW=v%@_JIyqMX?muvB+gh~HI?cA5|-P)A`3 z+i(7v4bKxMvw0wk4|WdsCP|Y2!g|^*5q0=7mHMSKC%;Kak|X) z(%($iN{kNS5j3P#)?V|RmO4_9LXZnoODNe7w!CEd_WeBUKa>eZor&`d!=L+62R8{< zQ54<@daGD18Yq=0es6LQA9tt(1z+F~+DX{Y1Q82Zu)A7LSC)HAh`)lNHuxmq3aNhN zKAV48O6VlJr3B$g6e8mxkqr}VZ*)s6=3vYgi?6GGZE1PctI{IrO@WE02dxJc)Z{iC z(T~fC{IG>WAcE_CUn$(n1!2sZr=8s^rl5fL3(rTWNU>6o-$Swhe(-V>u9qN&c<^#L zVIhrO+syQP&MFb&)oYXykz>aZhNGT@Z1_5J>M`EOhK)lT&+PjSV zFdf6yK*#xTRguUBDL(lf_G)rVDeu~8c_;6X7fTEXc5ZBZ7n3>YwPZ8hEB`c9O+XekF4f`Se4Ftc zr>}`Zb_Go(l$Gb(%%G>U)#o!Cy0POjAJgXU4`1G2$tbhcRSYpR9qHj$87#xg#LV!-!Z%G7gaVWEw%39PewYA7}zH~r1G0%K2q%j zY&IAhID7vA_5jGv4rEV}$79x5=!1n^c5I9r>MkOTkWWxLbycggXxTR`p?;z8W=6<1 zE(aH;=}<=`Bg#oR;_K+UGFcsB=J2(zaLz!?6E4>Gr5o;oIgd(?x0>giRM6~4sMBa@=R43=Djho|R2J>0fEDH6W0aks z(fXzJS>?W3C~+4*A&?P9h{iT_PQQkJ5M2V-K~eUL;#>5rLwY@YOh84gG`V&{(dPQA zZA%5{B@C1;zFr3=G#@q&N0oj4bww$V@}vK)jfPYZ#Vp5_()zQ<^~I}|KCH;bWrdpUWq z8pp7Sh5~H`z9p~g(cl6vyD`1aZ}kRumSY89`v_QfUKc_vw<46fv^cDO2rsDxOpj)- zux`p~IY!plXzb>v?U?a>G2J}n)~sNCH2;|$GT-3#^M)cAmOKId=WpvN7<5VXoI5Ls zX!wxdUXTe28ZPjw;duJ^=T6I}la2(}Z_?SrE|)&YQRF*cC~h!Ot6Me&7LLXK0}}B$ zVlZ`}AJf#HMC;yaU~SP7AxQ~M#yYF&&pRvy>2*_lLvD_uUMMm@%bCKQsg3y?qUNir zUuQFOeS`vNqYy{DPA3x*H)jG^GPK~yw$o>4J0+%LZO`r-)-rK{s_PKDG7rd4LMzPq zPi$WU{-`CDkoe3_XtGsA3xWG}cHBODxH~a6_}<2u(qH8f=ml-Kw}>^?8j^k5Qr#S= zarq|V1lC`n9o@zz(^LL2UUhWx0uMMDdd0A_Hg?>p*5qiige0;G6XP(94F#c-!O!mc zeXv%L2<}9ri{&SbN%wN_3N3Nhtdf85ZrKhwb1817Pr5(j5Z1cxYRhk>VJG^*iLI8xw7$Uvp~ zh4!v;qS-keg@&kN1He@K?F)g;?x4|RWzz(iF)t$h`Nf~zf)SCXo*hA&@_}X3!Y8Lf z`K;djx0&2ewBhcN?Y#jGxAl~~GZ)?Ofl?06t<+xdUBp6BnOqiQF!rTnh3r)AI`Bv# zXkXwB;WxmEwHlot>$M6_aZk=CG|GO1zh|c@6`{wIH!y-B{>Dsky{yb6=CH*6t%p4C 
zBH&7Hz4Vn6ac`3oc8flwv7L4I;){%xH?@SylU)flN=m~c5em_?g!X<{E`)u**%Jp@ zh`p|)^PU?D4=d+{o48g$%>EffVuRbb;0FU;IUk2;Gf?nqJpgf)3x<$&W z9NyySq(w#YUURJ3LvGgT3&~&^XF}(BP~=b5fEelvx%AYgik^oe4Ii8>!UWD*LW73q z!J$T|?30OhJm{K&Ehc5TuetnwDT?i3=-MJRzE|?OeO6e1ccb&n64K+~;lNuY(~gC! zS~|cRaw%j;wZBAlFa8uhKmyM@Mx|cKPrW2Ay=}{^&s7HPXagJ zv5HQJ8=)&ty=Yzr&j>*2If4qmUl0xAG=$=MlvVyw!_*o5Q}yhUMAZ_-Jv)L~qVH%M zum@HVj>~Knu26gX`|Ao@!FQVyHKvNzdo+5S$5qMCrchv%%FR(LS6LW1ws3s@AdSD< z5W#uE{z{U*eVcP5vFk@poYX%aA8_1)u$a~6Pk8F&^7!LQZe_0^Q#8bXM%NP?LvK6o z4s$;8*@l( zMpJ6CL(=L`N2`EIH+n+$bZrj8CEB_<%{fZG@pZCFB7b2y@O7p_3p$9pxcZ)DBSLUYQ+e7K@CWdQ z@)U%$;R17{xxsrlHoXb#k(M^*UtC_BzDpfCS?NrS%vzA+!V(>EILFxtkBK=r&(FGS z=v5-UD|t|^p`nG5f?L~`&Z>M-WPE@R8hvn-K$-OfG1wDPT~zwgLakY;ROE>8Yfd?2 z0!KFw=pD^ui-x7qmBxF-b@hLEEcxoE*yQT)#nGzCwP(SeKjytaZQO`Qr_*G5O=wz{ zTnDYgoADyNJRRAl!>;yZ+kMM7;JB^(Y8V;%4VcW#?GmQ7LuGTGX3y(<@82%gujemk z7W$L~1nZV4o@n;Ss|w?tHPKHpSTj>ZM8xfb!*s9>yhl_*oYL1|@?7QM zG3Qs4-m>+Hn;O)ZbiI=9pR9~X?VpP4KEV{ZAYby*C(xHg9_u`#7z%zt>I0#CA0O!T zmBIBVp+J*`Cr!8mkv-Q+Fh>|fW}WmbD@#5HN|B^8&T2be3mlb4IvyiF+@6-(+OA%& z)Y+R4t%Uy7t#Oh@tG&`&q#{{Stv+v@AnnsXD=i7lN4(s7r`*}mE)4Xm@GQL|+CK%a ze}GbgO;od!Dt)=T#)Ww|vM@j03uXq#>=1o&PX4-f6R&5v_R~H&p23X<0plNPN^*}@ zP&C>Cboi96!q=HQvtIHEHNP3EP2){yEFx(WG;`6dB4;X=$`EtEJvbO_@pbMT2=YbU z&S87&D!f&q9rTS-9ni0iOt*>OdV2%>yv);Qx&p8tV$}TV>;MdraN_S~Guu|!Td58b z_!Kd(=ltW?{Pus0KC+oc29-=qM{X#dW8{JnE3ZZ)9&|BxluhN024jE3%{VJk>~(78 zG0!S9gIl1JjmBvp^sUS*+N4+47BBDX>2hQ48vgJ)1Mh_?F$IVh9)N}5Jyg#3r8LF|cde&C|l*3fKlrxtWeyMBFWEVd`7DkAJN&L*1LbV-%m zF;it~d?4y_+-rHz?bPTZqPNWipORpLIA#`pgXEKkK`ykWLr5trlcfSjrt|sWw|`yk}Wa`_4{x^9iTiA6Hf!5o9$- zo?8vSl-t)`UpEY?a=Y?6yd7#f@WLkfzabmQDZx?Rk?$BAX8%1&p9H{E=m*5`h@x*` zhS)fOuT%0~LxbiGs{!H$FQ?sb+-~`w@EAapSw&iOY;RQS4Vw7he0;~=Hq`%Hh?k{2Oig$I$%$qBB*wW_31o-cNT`%gsLe8T?-F(pf7{0R!nRL;7Vn zC5{xJW+vj%;@tCog3@&Qi)-^M6!qN-FTDDoiHi}E0man@8gVrHPtsw*Kj?5)KImn9 zl!Y-N4J1^KZ-0F#s-bw}bo- z8%eer?2A6@F#v!_;SKu)FuM}Y9+PiB^bax#(-DCGs7|jHiljk72lb~=zUjLtEyT-> z9+Bd6V7tAmo`7%^GcPrX=2|Rw8|VrD!AiP5zMfhFW$YGr_@&G7<(Qe*Y$t`Sy4sP! 
z%;cGP@f+JWlQIP-=DA#n=Y&J1;klil>Sl{=qh=PQ+iMKL*58Eur4A2mtdR4?S} zP1}yq?L9Z}sez%}GEs74Z)2IW`wTG_4&a){`fJ)j5tzU~Tt8G+uW(=ZNqRuCyG0V! zC)wQ+`9qwo+xrukV|6A39M-e9XOs7z52nu@iS4q`sR zaS%S|o4tu6+V!6SNZ1ZQMS62&Hu8hH^${iMJ8ZP%q7$=J=%yH@anO}z&P@v+vWp}s z8%6^FDRg=&4u5GbOmNN^><&gX?H$&<_;TQ&1SBxLar{1~h&sJ?DXDTjArCJ0B^~G5|2Qt9bl#pjn!5d>HTtkhC$031xDuS0WIOYbh_j zQi0sg#i2wr$>+3rj+WcAwd5hX(y`p&XbRhY%stOiqj=q==rl;=gFXlRkHSm2q&@pBkWpA_G}`h~QxiF@7dzLUzU5buPqdPh%RLNM6em2O~kwtSB` zSj=BEwYPq#rQ@RKw$y;|9(%J!y}c6)r5$#eKJQ2;v5zo#2AXQKlhHm$bhmP-tl(8Z zK7&^^ZIoVofI=~6{S|Z7jzN1@RX;S+zt3PN}}`h-3e?$fyFlnj{!FWTJ`~ zPWvdoJE~3bIk_ys<#1;5TI{YAV5^XdE+?8{cblNtNrEEh^Miy%>Hi}Y@67%4qfP1J zV-~SsIUN|~ACk-6=1>1nYY0N%KoIKB8`ybvo(I;j7VYTw9DG$F)aNRrL5=ez2UzuQ z*bRI-U;Li~PkcHv_i_PHS&lZ3_fuZPokf~XgFy{e&-d5uTs5Ua1AZIuNIPaz>DFwj z_qc~T)KMg~D;_uMt0;XZE}b9Cv^kRI5)*6bJ3ms(rA-&0Q^6>e1Hh#g3lYC+qkh0? zz6vA--e?)7qu^|ex@LI-pb;g^CHWI)-^siI59BK-ra_p_?UT7d9>}EaQ7GvICf)X$ zN_rJ`ZhJv^s*?xo?;dK{v=wKK_@=L@WRx=7TEB4SMRVGVpsHIOTi%_}(N4 z{!7Blk4>1p0@+MPL>#8ha-2#!{qlql?!U{QIBb#_6fx(}@;XU`Uy$C7f6nT^Gu>3t zta~8wA|_d=hVJLoU0g`yy1`5$qCrM;u-f`nc9Ro8T(TZ$72tgNiJ{`yJ_E>fjaoX$*e{X&Gfh$ZrjAR^6VmqU|9} zO&X6mq{nBm#bDJ+BN_o-eLSb%{)vAytt#+x5a4w5LQeL1<)d^-n8Zfd03h4*Rvz+! z=Zg&%HE%p_dLuv80g4)?DoE_b8_}=dP>4P;0I;!X8{L~@%^BMoJGA`0m1Y;yxl=v| zJz9tg-S%=HA5-b%H~`NHJ20cl4XSQ8-edAu1h}jZp7a&M4xKEf7NdEV+(6^?UzK~p zu(!jM1Z`KEMl{*Hj{7Ha9iHaxdp6>DRi8zw=Jci*bo4qf-*y#fVsLhzWL@XbeYoYl zd4&3+u|ZKYaJYa=Jg;xZA9kszXu}^S4bR*JD>L22vk^YV9}_T$@tBvIC6hS#g)&+S zOGb}e6p<=Qf7Iruld!ehpYyR&UJAf=Fkw>3#o`Z!Ev75wIP^GtdU*u|;SI{>j_eC? 
z79YmF3luF&wUs*6Suh!@g*W#ZK~FVz$)dQ_+mL%>NG?4bSe9elb#0$$&=sK6%7V0=vw!dc?8>oZ}V{)h0MHUDpI$Djux0=BttwGrmt%8ow2# zNvnSEun=a)bmX}JP$!d}VrPG62=VB9vEbhbY6{MzVi(&=HR9LLu+FW|y39lT%X+8U_CHh=nOg%u^H#>sq@wtU!;s2u;7qP>VUune)f z-*m-$PofpZ2C@jKsOn?HtGw6Kml<4csZ5AmA^>lC?vJJ>6wK@L?e>EDHB#@XyAxqQ zNHOTaAF^etoBNRl7w`wKuOm_fCF+`-=CX0N> ziA{rsQBr3dMO^>P@9w$u+56o`@k~yV*~{IO8b&O_^k%2TwSqA?hllIA@S$ma>cboN z%U#AdYJ8#5*UZ*Su!tP@mpd?U3`^f}va3~(Gf8wbC}_plc8w}BF@!9cM|3<~+_LzY3V>f@TV%I)x zP}B1RYL-|y4z&f$^UqPFR@O-h3sE&Va57S;r!-$){r*d6IYqa&N^h#fJw$<5i1^bL zRS1Xnm`7+iu15X-XL7!S+&?rMJvLCG7OX==(%J!EtCd*fGVZcPs*TDR=9)w2>qUBg zN~DmRWm~0wC?8wJi+wV!34d2PCo)ri&4!0|$dnMcHv4MnVv-c47O zL|{BF+-=CPpzMwea3~7xM^YXFKx7r-xSbl8LHb4UF&JnZ8cJw@v2=-W1SmWnY zZ5~PG$f3@}7gZ3}Z~yueyYw-8O>vb*A*Z_#vI3IOhhtO-ELXJAA)hE}t3vE^;)dBe zdvpnF_dU#eI1G#C2fvrG3sp-O+g8?P{-3Y!g3%uB#d9t&wobnu8z%TFt@Y39@@?5` zF>YxTtCp2=sBT@l&x1J42dc5V%NSLU5B2f{C*JK7%}&c1ImWU z2WirSW_}p22rl5xhEs`a`_~tdK@Z5F&Kn!;66d}76!?K;W|h_<60%D7>-KNop?Il_ z)yjl}=Sxnrrs5Gul!|V#BMx}h36uw2*OTd>&5Owr$UTFsKA0gYlNr;mD9FJ2nX| zZkV<@8mMRRct|Yq1T~M&^OVC;`t61_sWUdE(JV3wD%zna&^7Vc>yi;jLOf`$cINQ# z@bv@~SD#u$LQOtMW-%okSk2kwIHvV~@bT}u`qowY%~*G<`cwiS%sMFn@QuYu*AaHD zox>s(b7ux~{z#zay2*zBdeHSL6oDK^R$hhj( zSZ&Y=#SUZPNH+~q^G}0=%ZIK23mBXvlf9bPoC{SJN1>^gXyX{w+rBx`=AFfzcDtTk zB3YO-&L;DqBW1vi_|OxEQ$;{Qh(PHHaz0*}5ow@2)<=wZXB&xMF7T;k%MY@ba;x!3 z!B?Q6$$QxJ+Uyt;qK6tu%++n^9G$~_!@aC??_RretRQDuP=lKDV(HD70@fL*t#y%F)EP2hm^G?1^PFF7oN- z&L$-Gx1v|ohoWyD1ztwAyT~Th=yOE@hFFWU(-UhQnGZn+Y|Yh3n(?W(V$+;^U^hQr5cFK8(TCcnlBI0pTWhB)}2th-G5GLirjM+n6+CN-7 zyYMvJA{)bX9j%i!>hB-JJ-BZk(~m+9g536E=m~<9Bot`YhEMQ@i;cvk;NN)O9dW(J z9~&@-_1^(j{Yz1)B@SJ+ISK8ykY#4;>22=~*PH%l;Zt0$_YkTil;ZGxM+-Xzvt_Bu z196lp4HPsfzirlvE@(O+JEgObh#n5{+GtlcTQKXm)5L)^aPYzRwh+R{cs+DN74|$y z-HoWABo^s9x>Vq^=hY@xy5}E7Hrl0&31_WtU00Utt>s3=#z4sMBL~ zJl6KvT!ZaR50mSkn0v3?@nP_`bGaO@@WwPM%GHNFV5r7(+>{?D1lU1t4=;WA$EG&{ zEA$3CgQ{1nuu(x0DtNs6Vsu^N5{&3+XB+uKBGY}q=C8;leG0-&9yI>F{^qnMFlzD| z6m^E^^30ON$t-`rNk96XeXS+6?Z*Q&HvO)v?PsO_N{Cf2;EXKGW~qJ(fX34NHdI?2 
z2?*v9vDd_c5Eg{XqldWgjOFO29m55t`r7k!WFcj740rWPY|ve9o!o=V#H>R91RuSt zJ^6eR;tVb~I6w~-HI(3~`JEm{3=7IcT0GzWMj4VHdX7V*!;L9J!Zu-s;ZsEUP=^SF z9@fI$!US&YV<7W%oW8^VAzGQBfyRztV z#jLnKXqyQBXlfGC>2@@3yE1tzq^u5iLzV<_GVeJKx_Nk^S@`G5b=8Adf+OKcc!?gDf++S256f4T<$1r<@eDbGiaW12h84C?AF8aU zYuUI7C$KKk3NXMPjqA$dh!(r_$ zXtY1s!XSITP+}LGV|#F}JKOHbUCkuNpJXQu!+Jdo;}2SbSeEL&cnJD`^I(ZIP{GAX z2t4&0r@i)nDYc_X0CnmLl(zIc@lel4>h6V(AAwNhQEa!nqxs1Kaxu`~Cf-B^n0TSV zA@vMqj0!NfHc3yak-{dUUO)^U+=I+=_X*5P|fLpDOr?{sZ&C2H_ z8aai+&0vTxuAk!B(zf40M2CSun{-givc5Etn?c1{ymzbP^xx_zeZD5(poOkSao#SEEWiDxvQhZU^Sn%&iIBu6e%ArX zM{-Z@WLZ^y;zW`z>d%tEa7q!cWCvJiw%OBD$sj#gzBiD?aqx6+-cvUA{kEi%ci`Yp zSNn_FM)~@^Z@{ubX*WyY_hIbtos9 zG3X-E=g#@m3n4WU>qO-6`dlBwcK98T-BI{eNsn9NEL_;gtlbd;<<3e7!sM%WM4Lyq zMbr;cZSc&lFw%-A#V4ihjN0{CvIMi^U4h~IHDlE1!gM40l`)PxrTNm>^pl0?6;wr9 zC2EY1*7Vk%4@J}#>m3C|g9pLs(fq`=oRTsbSNMs{`We6M<_i`aUz}*pib=|}>zrt; zp2o{{wdr*Fzc6r?qi#7aDKGrCZC@dsC{l)X|GHi?h_`gR;hn)jwiDnBtSjKMf*H)# z-PCWUX5)mts0}o=bqOtuyXDr78oWExcmf)J?bSY0{y95x5ZXtg8cae&B*KhJ)Z^}Z zakVJTXP{QGdP{kh`}{c%aML=YM1l*SOK+mS3yZ^+&7t zkI9WIjrQQ<%n`&LO+yr8@C$g-B36uTa=AkQYC+>jwN&cuNc4=4VC$-wMU3@Bk|W~o zMg&$s0+Y(S2#N617(~|%sY>kc3xkT&5B3)-sZTvVDl^(H$3M8*sDsO(( zvbm)!6HfPxl*cU#fvkXT{*OM}xD)U{5bX+S@q}Vnp5`n&upx&Op*^AfkL7?hGX=-%|`GFp3a;S}ln(yFKNzcD0t0 z^tGYvSI&LA-O8HqRJhJ+PHBy{FFG>|&s%ULQ$WCGp;{H2UcH`yZ@i>{&FCi|3GYGh zO^cwh53^=5ZxD-isqPZTVgBRh5DyZomiu)}rX$@)h3vGePj0w>mp2!{${7+Ey0rlt z8rw{%YZnoB&og0RkJXC4;}7U{r?Oq7`#^(bASrrO|1sSGC1JPM*GO%fl)*n}TdayvNdwSAA)_AHO_PU&g`{$6i zBU(K70#&MPJx(u0#IEzskdg+n0@2aK-rjz2iHteebTB#Q&q8sV8Hu^v-mVvPyy8`+^?Fok20!+cPSPDDTJgTa`v5 zv2eQYmF2ajm>#l?0|TI$=?aTs0%K?F;M>z%=iDNF*=(0pugu7r_?h}3Q^KNWZ zQT)!EaAeE@&EABcoKjLhI9{a)8l6_ORo0zUI#QFYdRh^Bo$sjBT~`ENa(&Q}ts^8N zl1(gGOzQk4^z3d8rSsJmdX@Y;S9H+ZCiX?XBN<4LcT*{HZU+T^=hdgkfWPqUY)ss~ zCqECct4dhSWM;At$>wczr_cv~z3!5-U zr%0E&ae#n5U}wC{6NTii6mz1bdEcio=ifdCUcUdmx+(uaV|7yK+-}N<=_}l*;yOSP zW~^=p>h4rcp;mWh4PUj65p<(K6Avlaen&BmgG8|UjzR&I0ZpHzq84y{n0HCcG=fR2 zQoQt2`LvXz&%?iwnGFO}CkqBZ!A6wvUL 
zJog8XLMCj{t8vsuNU>^(Gz*sCdNz!olK0?t=vQP6n#VuBeFy2k%OWw%2`)6+C5kMj zs4U%{gOIV@ZW#EMe@8!*zPe6ES0DGVTJIaMxyvLlC<=4Nmfm`%QGiA`_0;>kcLuRd zV|*3!Rf<3+b@YjWZ)<^{D6ke_NPK>CZpqKBL7udH{Q4=#7+JC5$ZET0&4g*Z3p4D$ z_OPbRr0}rfjAKBYbPny3gy??*E&n{Q%FHX^t}W#=DIs-7Wh)^+_}6a+mKr-DgJW&u z1dP}Hs$6ScrXf8YZj}R60oOS_M8kBDzuEXHpNA^jBb%v#IZ9QseH~ctR=hl~-0NIB zN&5COv!bFRoryB*sA6v9FyNMFt(lEbxZ3`yoKp!zz~;izMw7*Rt!lN9e>@+oB>Ql; zle|xO21|C_@=>%KrUXr`*(Ec}~K|92S#HeYby>QL)s z*?fea*D-c8ZPu7?whGQ~8#4wZJ77k`Xo3a-SLXCEtodRe|MP;1qIQ%tIODim6pk?< zj_yzB#>VsexC^MO=+lI+3&|{4v@5W-i=P=$R(){3rsMNy*h z179mi1)+W~Dd{cZTA$`AZd=Xglhin6@;dm>kAFwuUxwsAzqkbY;!&I;d|3$n>x*ha z{h^6v@Kn+SM(sa~{OiM{j6f_z#|8s~mQh0Rh7k&QGfazs3ffRA0j7!-ajrL z3b?#eCriJdEqL>o|5jN6zuqh(`hO~u^muc&Zj4F!-kj`vD2VfWh~5xEHc23Mc)wRv zO9~YrxQHn^`b;ijRV_RpmqF-iA#gPb3A`=aCveZ;jelR68x+L#J^6SS$G|hW+g{N$ z4$!~}JjJbdY&IXIzrQ~XaB+@>K-k~9{$=JMGJwb?)DzkuI4~+`zEGoSJQDV4pL6Uw z{lT{w$!^2Jcqj6PfZpWM_#xRONGirnro7F|e~jY4)D_U7ONkc8$FqSgx$*Oqj&$M2 zTgeVo_z=Y|R9LYlinpoxFP~k{5M1STTgHvU_>ZYjhhlS*gKvKae-QCsKLL!DuR0U} zG!$_S{YNka*U`{&Mb{$|uT=iei2uJEBlQD|K&KuPEl$Rx+OGZkD-;Si{2CUQF(n`N zTd#IWMkxN13*f&LI7!kNT4k!uSLsRy@_+i{CnOkw;m0aB`5Bm~f73%uzfG~Ql-YiX ze~N%yAdC_~x9D*%|JVh=RLqd*=mM*`iZ=n8YGIxP|67n53LtNhAp;~1i$dVlYh%wM zT@~GIe=D}8q|uTejbO4mXgFe=SLq>Z;!-zc|GXct6Gy@T=kuI&16oM|izvQh!j#g5Fp81XZJTTY2E0ffOkCA789GiU zB#NvBLTcL^T{4%_3mBn}FhPeiTsGCgu;S8x%oaGA0Vydl1`J*`4IsZA7%^wn(P0U7rwtuASpK7GzmyT(9NS~tw{_>Z*7^n*dCA-(yY#dNKCL*I>n_OQ_%uK z66>cJlBdtY5g0BmEhe`AwV1sL5v?GYcu1w^y~<}l;I;j_lc@fVJh(hC7vKT`4q*T8 z(f$-Dhu!{IR#crRtv5MA>j1P~6bv=PN%!B04gQag>jti_&;Oyx5W#?PfiNr0EBJS9 zph3Vx#W2&d(Mh*bxWuL5yp{9oAVWjj`1y6MQ3N=4MIbDmRDPRc!B3>VXL{&=XZv3y zy&a=Jjhh|XY^=N~*z`YsheLt@H%w@7KEg3YK?o^_=`H-s{MW(}qjk7c{EglHi(YnQ z!egNzUhbVrt^FgH9sYuXDY09&tF`-0r5F%@-)owJbgi{WN_`Qq8UOP1e|{0{r9eXy z4<)cpXy~zr5c{X5^;4iprZx}YD<{-!`I01w=ZDzdwr6xh%|G0JmwU|P)3(2+WE53PP(tNKi2yS?Ce<6t%_Iw^afQFR#uO%@XiSGxEusMoV5R4=_H zqmp4Wt)nsJ=)-w(daavn!lkf9rD%B4^i8+0%UAo+x^H zdfaq5Dd`D$odSUT;2;!YUYUhz)7<@(aM}gW>ZK;n`>@S~;~=F%zm)J~^PWK;i`xt@ 
zy*k&;ZQ7=O=Vz%|n|aZp7tNjO&%r1}s(l35&U%SU&1Yc91TQd=uUCl4*OOb~K7`#@ z{hCp3T&Nxo{LC5mjRSd3C#HRtS_*uoXiO)0-4wGwEedHB|HZ1(1uJT|5Wm{kW6eUwM-DG5{A~))5C`vWSo#IOU z&?o~UblBK?M{JYNe zn@^o)Hy`L#w$!d;yML;^eOY0o_|2qM7~?LLbCiHj->C1}s|d)8{Y8GlGBaE6-+pt2 zqDxcU9IC?aY!6{GI{%gPuW+O$m~FgnvNL>pJaIS%b1yIqL zTl~Y=o(HfE=|DpKcpJ6<^LNaLoP{IzQ(lU%%MICF_nY}f0`(?A%3TeGRSr{fG?~=E z>4e*nNPbn-{=Kl4KBzK+-4JSg!YRXHV;nSJNQe>eO!$9E!OgM9^Tt+C=sSd ze&Yi_qVo7;-iYH8&Vu>U5&HSb+T<}~b}6k@Lf7fU&HMgP_LI{EkUf9uX#|n5qV^cR z=h1%>@CdzH#q27oal(F>WAn?^k9Q&73H#(d;rPL&`pF3;Z9-*NzesXuD~^1yy#DUl zg{Yc(d6fj&nCPtv%g?n$10G(vh)0&>+kBGsZ~lGLD=*h=l|FXD`X4-68G9px|3v=$ zjYXa2vI=)dWZ35V8^gueXEIbhu-RShk*&PD^lJo9?;_^;)k9}v)DhB_1?8&U@qA%` zrP0PBrc|m{^6cf zH(AZi&D&?l2ywuX3cPp%SMeVG5WMm{{65L^O+=@1 zSQM&Lx=EzJm$0rOU3)h0UtBG>`Rv~E+6`sg6EN16)omR!?qIv;vA+@QUKITd%PVnx zG^4oH4)6gMD>ddU-aPy~QyhD2o_x6endp~y`<<`QwJPU>{iHfdP&iwD_rVD3dlflf zvWkdbpOcwNzGeCxs9wJaRy-E=dEFLQ@~_Ee8dijFx$hReOgAWcsgB~KUR9{La?$T< zPQ=(D0rcs=`iQ+ka9*FI4+-A&C(={5_O9Yne#TNi`SJRv($IYR$ad-R*8J5>HCBk3 zUj+GZF1ytObvz(cA7qQDEn|JWb?+yy)D7dT%B}z4cMjXvCTiXvJp9-BXFfet@d`K@07isR^A z7dUy$wAf$YE0Q~TcjFEO)I!PYDR=u_uQp(d;xVJ~bs$Cb-O?B9zY0MT`-s-r156*O zT=!PO+eLyXn4p8@qSi&v2PcYFwoT+iJ9z?r^@l=GCQZ$2 z2bsrpx$dWNkyejIfuFbrcn&>|Q@d~lbC9DXW^=FnD4ILgNF!b`WB9=xo$<;0D+lO= zgZ(&*3yj%eL`Y;_*x^co{&k7E4FF6crBEd46Sbw!s-) z+j23V6$n1afay7aFMk|Q$-f%x{&+xginvI8ufa&CNrQ{L#qv?STl_LrY(GBv9WCXH zvGJ=Sd)I_rbMkJ~S9$ z^qJMO)f5SR6aZ9ekz`5*DH+rCoT>R&ej4+v99(UGfP7Ktp+dHijx52>(LJ_cb3YXS z)GH1KcXR&I0W)12BpZADS-?OAqVG{VQO&qG63UqlCkr*hs<2n>WcUhpBP}A^yW=qX zX2)D`F6?UM$?JphgpewvDX3UA8|>N41o0z`{!7)*Un6U_wpFU>Ifq=;FsAht?93gj zR}&F79~`ANT`W|mN?)#)`EMe<{CRxN@n&9;ce08X`BYigD@dqc zJ4y_3I}1h?q4*MgPRFmMvzXCUe*IeTCtE^#_m9v!@pYxHvj*O$W|mgqz&+$|m=V~x zR{#+uYE^+(s^AM5EOT#u$w|Jyn->^L(9GNvT-7CP`xV1Z{|^yb@9wS(`ggxI2T;Cu zmae_3gl*9!(idKv4kZ}97qU_Nle~VydIgY3O)}T)HhhqFIvkhlIS6*R$+#&i(wHDu zDOQo1$>5N@+FuQ%Q>T+}AIp%q)NEWX`z$e-zVs_b^S3u9!7aNo->Pl8*2iOZMxRG7 zCTLi*0^oWZg&u?*6|M>ZNTGZ%NeR!soSm@RVoK0Xo}l#Lz1kO-Pj3y}7SyCHDG8^# 
z?heNo2-VMh=QvkRl;}V_=(L?dqu7F%NTV2WYcT=|YrhXdpW%LHaI<-8HECq?6a=@S!1*`^4FxIo>Wx}t1mNS8R^OlbT;ZFJWysR@I_?eT zFTS1^=%0wgW8Kt~xcAZ_VE_!^Mlaa=nL8z_FCi7bybHRtHLpMVw0TZHw~eYasWdDi zz3=f4^qKO~BRe!RJn6#P3i@8UUh(67NTc<t1L2vck41M=$(loh8@}Ali--;Sm_V3oKSC z>fft9Nt?c&@euCbhlI*NGG4ovY@I9C)ID$SKLH48By3!+`}S8HsI&XdIc=WPua`0h zNhb^(=eYi-)jA%8(F@Uz-D8cx*F2=l*#v zlU5v!Ax(Wfvv+UuFr`zZp-yD{@`y446G~RvUp5-Hiyw|UX~N-uWvLr$|c3IzN8C zS8RNE8RA{1@-wlKILdK4nV`_MGwnm6%SZ3g=CUaGMrv=53cf(x(fsnS^u+tH!kbRE ziedcj*|D44&NsyFCnb?i`dv+4eN1%FmpMQhVbLR9t~AB~ew^y{nTMKP_Yh=uJ}DOt zo;0wpM&22WOa9vN5`aVKt-^Ur{{QHlqaL%+m`Pbjw ztFW~;2`p;nB0_rQ0Vg~cN8BD3gSO2HM$LMZc;=^|y_G@VY5z#o>}7qpUUZny;4@l@ zlZA%bZ+n^$C9-Lv1VOlF7gKAns=72YkCl@o8LY2An&+~)F1~XSc%+q#T@}h0x2@)l z@}$AW9BbATwvdk=HXg=*^VF_kkFz`Ny4;lj7AQRXNZ*3Q2EeRXcH33Edr-6vN7&1G zzZ}UuoL4|z`P{0lUw&#HBW(VNsJ{1d!Dv=!b~IV+F~pIsbau;8)u3L?c+p1$E>juS zW_~$8f{#&3Ro+yB8M3tFjV|iYPHNhb^e8sDhUd@@_s8~Qj_*flD5|dqb^mytCQuLx zS4K&k2~E(5LA1~n_YKtYPcav}vMLRhrj1O&_MlEcDn0%`?{4!Ql;#ovnZXS4QzpaRyc63Nzopj%>DtPsn1$^=Ez&pQ+ zk5;7mPHl8;sXEQ^)EVJ}M_DgEpRmdj@&-M`r_`#m{vuE=PbH(~oI$`Ph>rovMmxil zUb-)}?&GgbaWmk%GvwgUQ|xw^p3qB;WaJaw|QB!UjPtsQF(rLNjC~Xa9c_mTP#=G zj=~zNTRrC|Nm7)*(6tlekP9D1tzskr$V@k#NcDq2W z4BBmjUpuO7ooWmgP^ddz+WQ`wilk~E)|>%7t`<`czU;CQblT5{qs!rBwh#nm#~ZvM z#J;cZt<;BM+CJk{iVVk&BIT~aA0S*iIz>Mb3QdOlwUMN=(->vUfvg2))2~ z0Nx?l*@28ee)5aK>C2BKxY}`WA#h>TgY^vZXW#}WV;jHt=~q_ZQ*Jx(5$?&Q-&b|w zK|(2Y`yiTUl(iCqxhdCE-pv2gj!*6plN} zmdX`6C)pD(xHG2wNtumzi<{Vu^+g$lBrs`3gW>qN7ucxtP6+>gvn<_uW$vNhv*zfb z$JK46IMfscuQe5yg1g1@d)xA0t0WGUUJ`r%+Q`0YEiRwO+SkeeS~d4Y>$s%8oj3E7 zGr8b=&mZHi{emIuQAR{%dfN;axqju~!V=S%U` zSM9D_EzE~&Z%c%Egt~ZjCH1p9s`WhHD}SHaRrY5vTtTrB&I{SjHA)$qh9K9T}20L9PAZ>s!^}> zLeGpW68PSLz?u#F!xFyu3Aink&{{X7rETzCbyNDviEUFj{yf2S`P-U8&94jLTTX1n zPAm9wLh-JS=Wf1zV>4tLa&zkq@g_5-tR9^?mU^-aHk+-62}M8n!mWyz+g2^mU^nXK zqUN&n?XU<>3U5@4PU=xJ>Ih<~ch`u3I)tatALi>mhVi9${2;Am=&2JoxmuH6G`QN3 z-u-XZ$>)nirb#5-g;htZ<86I6^)Q7QQ6t1{w)g)5VF)_~sx=( 
zJ>Cf_V-0tIp=czEr%|rPF4kGP&NLf^)8E!FkE(cORHnWw$-R>~E(%{mx)%BVH*-a&3bZT=VB2QcT5_8|yD+WxcG&RxdM zOD#rW|r&4_iuIv_nlpvC!(N>TZ8Q@5DK=#$#|R6S8~dHnmDPCYB|j+ ziwBLMryu5;P+q@ZGXB(_@xGAhq>~-AW=*HwmD-m|M_gsT8A{R(bqNzPGrL?S(?^K(K z^~4#%OT?>W8_Xz;jIm4 zsnvhNT}B-(?!d@`mWlgS;_n%UEXy$2u9l089!!Cr=t1D_e1&E`kYtiWOjFC}I`Lgf zX0gc%e#2W%<&@X{U0E5CiQ~Cl3YrVT{h%HHjKrWOJS+tc+?c3terQQtP=_ILkUX=_ zr_uZ9HwWdmyvUF9Tn=kR^G_VSLBtdAJ1?%Rzj`W7FrbG{)g~6cs85ODnMz6~(6UNy zQ?L#TzOi8+F*>##MPG29WZ|WkO=~MlGUV_tUn`Jgi&HHhO}5`N=gxX=NMaxCyLkgj zs6<&HrYyEku+;|53tD45j!qw?w^>?aUs)X$Nj$>MtoO{~?FTqcc$5Io7;9qHjdkUE zo|aTH_o%@_KPF1ViK{g2nWCsrJ^*9r08)G#;-oi-&(<=x;Q-Fi=Rk(W8!S(XCMtdp zetd?e74C|T{^D3>&$;s{B=lBB?$zKs|C*A%X zCz5>Wx9PZ>pi2DT9A>p02_5&uG#B{Bz=6rqSisF$E%seHX=I zYl4_@ER^uEk1}B&O}Q!~2OffVt+?E1fzn9oCRz)Dsv*>A)a_0 z{v5SHCO(>#lwm2o+=f^N2#Bl(t>ALQlQP2Quji+(r9El#2wTIVl-e^(S2;tj=f@vD zEg8>zUmK)68%t2c>>9NFYRCPB!^<_}#qQI5GrffCX{IdE=?#Wp*xI6BJBaZ^N3rnx z@{B8M_aG+F9gL16&3tpF+)2>PTZimxi@_9#j1}p@0F~0Sn*_Fe4N)K)+$EeSy^N7>EwcPS z6=OKa(=eB_yL^zi9~@vfE_le!EK#CWBT7{m?SU=sLb4+LA|CLrlL`HaQ}Vhv|JTxb z@|i|vSYUVGN;X~E$wV>OGlSVV>%73lWYLs`j7SvIpVa<+znzb*m^*;)2HE)Dz(U`V zD`-Tes=qg7tt;i>TlINW4k;#&A_OxqRCS=>8*4t?L*!rYOYA=_FSBonN$xBr~Dwwa5|syX6`Hbq<%s?Fuo7zNnZvJZPj_yG9}&V9GTSs=U=M6bep zmWE4_U~fv||5^~;g#1(BXG5d&EPwxI5X1%@QkWepc*4Iz2*7@GjHsq{?4R4AAeg74 z@!tjqW*`hD@!+nEkTSYN<>PnP5DBO09q9(fcdfiL+_3-tX}hj-6#jBn913;Jf;X&_-g z6nFo!;g(mOW`6152s!Jpw58N7?fzNGb`5`2UwpF;6`a*na&4jIOnV;E$g9Ww1KoKh zQkmeQann{gZR$ijlIs=sR#6FIo0q70;QN6waih1I!gDm7lY}xY@N-?`Jn*GMJbk_^?Rj! 
z;oxzI885>!yz*QZ-&0;4{3;aR8T&+I4JK^X4VaLSdH?45st&;!MhMDYm)HviNl`#R z0Kc=B^(P&v0UTZ`wLNdt;GmlQW4Acgy4j0QSM`@UgrFsCdShlx;upxcTZS@XIH3op zQYFE|$_?IJRx6DHTjd}QMi*04${OqG;Vk50R1ov8?~V@f4u%7hTSXwi@Q^x=zIZwM z5&!AaGy3LE1-j}Hu>j|1+?^zEY+rT8cNE@#EIXNAp~2pX5c%s@zm?E^%kQ%-h(huZ>0rr9=E6tEJ$|5+%&d;hQ@FvhzFR=Y_^ek1B^+ z#>+}&!1v9aVwru&g>|oK7lIvVVmsj~kMV!$Afy(hQlI_4sng$pn0Xr52ZN-IT0@_Y zZqUYL#uLSn zPL6ObsHpdi6jyp8IJJrIO0wi5r)zi8`9Y}qd5vm%XqW= zrINBg84SW(3 ze{Li$=cBbbo8*xm0$!mtWO{_DE-80%`#^aEpbBEz*-ansBebL59%koH4RkgLbBaxYnjOX#2bUE=GL>np-KKn_32uf>*1cKq1;TFpgmGtT3s?=D~Oa znU33<8MRI`Day6}#y?W>Hbj<=9>2guidt!?z1(1y86 z{<0+~`EKasa^ig~=6mvU(e&5g;nR@aUwLFfq#7mYdR+_y63%-n3o&*woJ$n-uy@yTMW%LgBIzWr)$NB8ypD>CdbMA43CVE?<- z1TK7!jPIogWY;=jl-uNWGgid5pXd9tBp6ZOxn$9Aqe=FHNlS3U=*0HJE2N@;Vs_!@ z)kb`7IlTgJ0T{?*pjbCHs+7pw+Oz@GO>G^YxbTE<9*9*9tQearOL$P}bY)U02#AQv z!&1e33HyPzrsS=^0DH5&O=S7Z7b z)yMt_P?JBLUSm;<&}@Zmg%5%H{K-cOf|9RiQR7x^c+?Z4*e?_Ff~FB2Gn2|y2O1cc zX3OmEDo3$)R||(e-d5F^vj`?y^5F~bH85R0e9dq`uihmZf9calpYz2_)1#SNrbA6O~p!qeYxd%De|;_xO|avSZe z#J8}gZ)*{wZOVD84xd=M^pD;#@q!x|k=KN$H@uc*WF0284s$dwY&p9ZuQj zL|2CABy(C9GmUq;D9^-#?5VMPkz`!Lg}2fCb0)=Wrx8N=BAsYu`%xJT&jj8MWo0w` zBoYlvmPAK3NDl+I$!t-@EVv%z zE|G5NZk#fM+*V}exw-h*XvRxNp(xYC2dV&-f1aQY7Vu(V@Kl2zBNlMf zxt8cpTus(f)-A`oIqn;by6UQ?SGM07;&$MnE%AoJ(`G$CEcVZnn-(n&E2{+ZjO@v^X$* zfsc%$+qV(@={&Q0clsqZHHWe*vAZj{z#=9}CLQM;kgt&yVp)<#xq_QT^1y35(y!4R za+EVCJCurkd8{r+qX>FWY(4y-BP8ID9LJEzW6RXCYmTX` zj~kzJfRaJMJ0+SY484A|Bw|5rCdEj%wXfN11whYDiI&lg>EUgz4=m=U8g1@70RT2Q zr=Sh0QWW?_tK#$X=+BZrB|onwU3POi{4vA3{{bX##aeDfc#y5Xh>|_%$7@ zm?MqA!e937*8`>%`p4${UZP^}2}a>b(uhYf`KgQm7F$p5UBVfYI#Vai-CL%9b#y&S z{t*c|UG?Nx0rzWKm%QrCBf(Vfg=8FnDBpmmiDSegmz#M* zv@!t-xjKdpq*VnA1MvqC`P1t3s^>NK&^NZvOQ!!)A=uVhI)3QXGkSwF$`k^OQcpBR zJx16LpOuPs{yK(F*R-+M$3goTyO!j7lk3zv4GDn7B{Yt)Bcy=EZ@-Y&k96Psy1}Nu zb&h{=oy1u1?H~wx_^+%|NzVD}!Byx8zMJ{!ZjVS1n{s|2503Uz%o_Y>#C5qyUh?zN(^VXPi9kGzbe~WBK~|GIW67g}c>5bM&Lo-e zKzcX!^cjf$GINtA3%SS7CDIQMe^iG5igY`bkDiREHCC^ghT!Zw@>*7!>{QlwczY%+<(~MC;?ErCS)M|W>Qk^YCWg< 
zW(?Xt$F4_S0oXq6=denA73dWEl<+5#&(gp+&pf=7Tz?m1r%;eC?G0cqyV^3MFXD~F zzuy_B-}o~rEq=hkVN}XPx{^bFNE8kh|0o9-&_Vhz>Y0=mVNVH0e|G)O`-B02bbX2I z{N-0EUQ;%Z2VRv547jp06W0C5M8Nk|YuBmv8%lIL;=m|P$P*uOpz@bH5z`9XuzDiD z$>6iNifrnGzn6g@gad+xfssGfYCy91EdQ5>Rfv5h$UdTOg}4;=?LmC6Hf4rd@E_*7 zeTf9kj#y(WVRw$3RS#*FnCvFB$-%Q<=XVTre>2W2mC@<{oWb9S`yk0?It6&(ru)45 z&m{o*0XR{L1PE;u+7IAUFBZA5X*$Hz{P`^PA|n=s_riO<7y18B-TqbRC{=^8v*HlJ z(sP5j{?&Xx{MO(9(oO||Loz=_Q(7A;&`I@f?(gN``h6%(B+)4U>rld^SFev2l!_`o z!1W$+)iJXoak%}xsV`!B{(Z{#dx$p1Xu|(B1d_BKy}LMmcyk%f6m1Hd zP*s%QAL$tgVg{N{t2rBCbBu;#RVy~8^v?;s02HujFbh|X>EH?6u2S4cz=GGQxa^#Qqnu<$TZ+oTx`8NN1{?Ob$cx)Scdy%Zg8%bxPih~I(#8X-jW7;Tx zXx%6+NQg5lWWVlEu(^EBen6~yvx4s5%g9Y!Vf~35{M-g&lyGU62>I94{JSYDbkrwO zpr4re4j|F6>gB(t{&Ob>@blwPtdfwx!s`aA?*G}!gUtJ6F*>$~OZulKmR%t4vl&+! zJ6^Hsz@O(UaV98^GA{P_tvF(V1z+F^r(v?Ov9ULQb>N?hL;CxSeE7*<^>~WeGQhyV z_&0v_1qic@Wy|k!h8%K$fY^sgVNw=|dg^O{1Shp^txS6zb@fjm6p{gThyrfKM|yyr zF2eAZ$67J+c^5Ca4Jx1u6(G$Fl;orVjvEF7NBKi8(@pg!xfYzWm0-F?{&%>6#pN zP{5~Pe>Z&&Ir1nRI0VJLd|(sj41W98p>9gMn?A|w|K!sDIb45lIOt;wm3BV`h5yjw zOw>NRLu_Ve+lc!C|KhrRUXwF0s7d_Ax&LQtG_iL+U!fQ=?HJxAmx?+5y%+mI(C0e? 
zqCyW!3PBFUpZ6`e`2bAwKay3%7iRQ^Y^Ty zihc`zid^#S{=5JGfau&LdY3V~Gld^j8@9z+sK|bgg$9WW=oipx2Dg-TueLhN16S#BG`W8LUu9?=kdB zAz$B2`9BZ8a9|(>`?{9K~J&@rB?ejk#4XB)540*EBG zNA@qK=G;N$mz2E~(i^%Zl0Xv#iO3+TzBqopqsH)RkDfM6Z0t`2$7Vv|c+=RdGN4pG zFCXJ4-o&@81(G!u%FYV=$K}f{CPbxLH3^MQd;EY|Ny7udsb1vs;HY1j_KbAN4O*o?^mL6wmH2B@bL7RcL!yIQg6+7bPHyA>*-2)N)xK zBwv`HQLw1cViK0bf1G4564{<(QxPWk6(ykLy_;@6P;8NaDG=_!H}k~dYnh8_#hr+I ztAZ>U-FiFZno0_{@%=T8pMMJVp65l>7@K0ZK#EVX*Upc`?!V2>2k_oG?WmYZAkas$T{Zl;e3lGL@@^0teSLtokFAXT-R5j50As{ z98-Iy=jNu6H)_^t7Sm8QzQZ+=i4lfP*EVC193mR1$5}{VFdQ+1UJ# z#1O;}d9;t62T#vJi~}>NaBPEH=ES!?Bt3OdV|00ZX=OH-M*iTrwYLBJSRtxODJ9?C zd)Sh_UCh_`cH{PROv&lR7=e<}7()s^OT1tgLFw%hT|Ij>273C&`F;XQu>1ks^BPqX zao7MfH+8&~=j7LYi@mQ(%QuAn95Oe$K-}1a99%FJYLo5I=VlaC;}b;ZRf?jOQoYqC2|pT+Ko~# zW$GE96KPaR{GO#|5p_Q%#bvEIfbP;#%KEHRq|6xhZHo3cJ$-JE zs-X3EZcQTkFo`(GUt6l1j>+#-@eBO`e6j3m87Q(Es^l9C8mLUf&`OtFBdiy{yy$IN z|MFOSBvHx|ww@mWd!x@uWFC%o-xQ~uMLZyGx2~)@*4eCN0SY{Mb>4Jz{2x2OT8q>6 z{D+X@-No$UR%DuZQLgC2^x$TW<|0bxQznmz!DiMFCKB@Za}OlV8{LX3AitX=fi)n4 zr^ay{?7!uBG#Y6uapz!?Zv}^Oqi;Qv=;^IldVaS%SmQG9wfGdKjPKR3?g~nW!edX3 zjK=DuXo%7BSe~Lxj2umE6AhAmPXMRtcvWe|g(h7&vyt{@dV~48?X}Dh`@-t}qfGF{ z?3|}|X?a8td*bAs^jm}_BgDJ!!1f4+xj3*Fq(@3 zd2k)-D87s?&r0N&$hu^hql{o~Np&U@`6qt&(eB?6e|XEF)~I5ofyhxwS$D63)TIcu ze0CDu_BpUOM7laMZqdVO3#DpP{fB>43%ms4b5$lekTB;dDN^USeO_xGAA6SS1t{)j z!%7xi#THjN^T&i0(z#t}`$z^x(N!`Dxyb-N{Ih!Z(d-3B(#jX!OcLiST4!UmVD+VZ znGE?w`>ikFa$y$P@(j&7Yvz3BVahoBZ7DZtm##{yl!T8q9R}BQ>Owb8t$pL}*~-N; zMHWSNWCNkAuX?*s8yuh~;z+KP&1mzTf#SH8|JHAnfAI>=ahX?xZavu-=eqnCn?uZ1 z*Rw(7d+?lqM*TKUT6nEYJ)8&%AvO2Z$M`wgf;ctJJ zwLbjBg}!j2Jdyyf}%((&7ATiWGw)zxms2NN}UP5uCXjcyLqYr-}$`pc3|1k@#T z`O7W5DZ@>LJnoDqPferLzF)~38pVQ=tZCn8+Li_BZ^|T4YpJZt5#Owg^5~7Rt%bqe zV}m(lsMIeRZI!>(JW@JZstpsCA>6E}ezzpYPl<20Wdwh5aDRDzI@eLQ96WK~3u;4A z=o9TR!>sDsgalnPI*#gmt6j~!2bgY+UvwqxgrQ+ZWHKlZ&@hw_8PBV_`LKSnI;Q;6 zMehS0AdAD@M}H1wl&b0wA{WiZ#Z&ri)DIrjc)7lQS?(9a(6#Ok%;?75-f^82KACx` z#Iu{~NP70>8EtTQT!2|CtsYi)OkIA_Z@RzT_MV^eaot!1XG&A`nB8Khn65s>Pr3dC 
zcPrel%&NrkSiIRkA6&ugYD*?&=zqEumE^>7j3>l-iX6J&;@GL2Pu@dC5-9%urS?SA zMrYsv;7&wt7?}GL%RgqlHM*D^lV&)$-bdHwmR`}1a>-Ivo`!Rg^v52Iw+1RQqWr)# z6)%kzBFz~Dq(Wws*ei0MH#q``Eq;|;b~?x^v^3W2rrq=w%dr8Cjq?Eq9L0ry2}F{! zMipf*bG}Qz-B%W0mfz`*&M|*#B9f9jIhwD{?R(&pVo;H~Jw)X6*i336jQfttHzf%^ z=3C_`(k+h|yr}%Y^dazBzHWT8ej!zidh5C6^_JPuO;UTdZVtmBUsAn(nw;q{+mDZr zlI2C$M7xeeSM?`48rNgg_ty7F?%Mb>%(7Q?J1MrkP){^igrh4fbw_=#as~_|d4)q? zo$q01!l3w-kwO_W5FX#q^ka!5Np=PZ=oM?MAnvj?40m zWs7($qQ!L-0|KebfuIeSa{+EJn^oZ8P8I+M*l!Jv@5&3^JuEetzY>M=U(~4cj4ey( zw*6t|;QzC7rO^=&e0BA)(e3Eldj6c}(^h^pKz!z34foPNjJoQNE(UzONaQOJxp31w$`CS~|2FLCzuw#5m0$k(qip`{^Fp<&JBV2oN?d`aA+0Xh zsEu$rF8)g0449{;j5JsDJzHFHUVC343zD&r(H=2gT$2v7UWOOo1iuQ zQc`!QVO;OYS|a2oL6pBy0Nj9y}Q; zn_$vI9|+V)E4Uo0kE%|29zh28C*k?GYB^?e+syvYZR5p1&ZBNq4$|4Ni<|NEPWgE# zOVZBxU-YH~GBU}75=AP3s+Y-}H$g}!Wq)}orSChNwy2C#^#zKttxjNQ~P7> zW77Fs^+8dLLE+1uirzuAvjx6SW+KAm(`8W^Ey(8!4G)u%Ox&*_@Exko%x2bbrt7j7 zWpPx$owJW=xd}6hCS&ZB6@8xB<-P_VuR9Xv#2!M}rx#U4Lm2un`Y{p25`;ML!sA5Q zj+QJr%A~2Da4RP6tD-2T<1iTb;Bi}*8F<{L+P~9_ba?;#i$J6PIQN^&YaRCdw{>ZY zHkYMVE!l(ZFsMi_$A_Hu(c5-joF6H_a|;6!S_Zt2_LQx18diE_2%pjLat4_%064$U zVR8B{E%jn{f0jWLM|{Ta@kP@>(K`pf7d`8{o%EHtc1R0a=N$i+WZtxf6qFx3V=$}| zfZ+C5(Ez4)zJtWDHaJY?f<^C5mB4!1Nv%Si@!I~Q>N3`$el-5XgRBgmieq%eZ2amC zcPC2+j*m0wn6aGKfVnm4VBMqfOV9RM?0Z$Z>tFV%$u@K+M>|uEy7e1+$2)LD(z#Xm zhA&1c9$jLu@{9@Xd+BfQ%hCGGJIF)k3seMlz*f_UaY?D{)}~r7(i&B9-q|JK4KG zgLM@^HfEvl`% z4k7ks0`p-(d;e1$XbhZoZ~u#2>okr1#rvZhzP)mhp*V^fcH%U_52R8`UsY!LM>6TMz=Dsb4zTIRu8INutw zm5Ij5ztY>Zf9HOEs0xcrdCBEySzd;UgKfvf z&(gu4$`^fE;+fgGjT)+lJ8sactd?s3H5~}yGzVV-o`aD1^s-Cp@e@}K9PU=WU-K*oHRaLN>I0q$D3Fvf&A)q#k(< zEf4hM)KA6Tsk;zdOnl*Cc8TsayoK2H)e+C7h=lvHPkiqb$TA`Ly?*NKwbi9OlJmO&HPm(PsIFG%kn%1OKRl{nc2A%7>J>$b(q;SmpQ~ zSQI$~8xP9vhwj7sJH!{2hjFWKzx6GELvu5=Z}RzRly^3G7Hy#s_UZuLxaGt|D2Ta( zJ=5#!9cno|_>eO4dUfw?w+mHa;nxQxj8ki$K1j@2xj~_SSv2GQW6{jzbgUxbRWo@B zw-xR?uK99zf+`^%x$z0|3{bu4(|?^r={uXr&XdsRJ5BDJPFnMLFu602uXww$A*ILe z(|pxy`(XKO;Sv7CzJcwI71q>LnQ{Fz=5LE9T6?@d=e+tEq7PDpBKK{^Ojlr=fMi0c 
z7&@uA>doc-o#kUwBSJ=bz8N7Ns%`01p|&3~SF2t3tjx=rm!++i&{Ct5!V%dQj4;Z3 zoI|dw*Z}Q^n+xbj7i#5f=&g~o6q&OdG0Y%#KZ6R7J%ysgg_~J>(&++AydbEt#1Qf`LtH5f*g;=X>@=p!-T)fm)W}zB@%i8{&ku3yrKI3~R4tBDYEpVq?yrn^)oA?Em=T13QiD}Hw zG1!|9ewiHqWUiRFofm5?meMRKQmOu zPS9YkollyQquSF+QG9iX?pL#iLkD_x%ZtsfH6b{&j%L?tr;#?L?9bv(K14%Rt%8dx zS9K0pz3{4m@K#Z_?s^LC^q|KMgvX%y_$-@GtcuI8VvUdFNutBjnBS6D5UwTMpAS0@ zyR^N*mJPU=8#Q#Hy*$y1AUsf7R@0_RY16cA*H3$vV<8DcJ?DF5c_yskRP5|E&<~#J z3%}KL^7AhXb*5YkhlTH6I$0)7!31xg`;d2Hp3h$zU(=*)l zTP`r5_vZ2^Wd@3Q0k>4xLHgb43i%!VrIUZD?-wf#!2thGre+@EytxGd8s+K#`b2wt zbKoI%7R<9fIFa1cYIlX&KubD^Qc!op(NJRm!=Tohn;REf=$xp4YOQMV<{?U80I3Z>I~e@n8olRsH`+XZpgv zxS(0iHEQ=X%;+aFAi6&Vj$CfYw!JMbmXicLx#8DOg`9ps;sfFtz_!qgU07Rwfdr8tQNH42?pKykM!=?S?qtZ@?*@T18F==9IV+ zeN)&w2&$8cL`h{4IVC@akn4ccZm{164Vz3C&xGDS1*=P5{{NTGpd}!Regj+vXOYoS z0?>K?7&DVBqFs~vsVy2U#)J{pFIR`Goi6h&zv) zE0ypohWFYtBAUC{^Hp^zawlCsEJ z4**b~E!aCT1b(>u=62nI`cn)K+;Td$d&!Mp2aO4TJ8eZh)cX0w?WD-U;3jt4*Y2uxkI9-H5- zOc$F19X8AxbYJ=aEg#V`0b7Df*=>*)H|$RvhwbkL3lAS!qlvhj;ueMl^CS{g9(pqZ z5VwEs$I}#k8q+a|t56irKr|T>ot)A2%t9%1&S>Suqo}nCl{>BUngyHcQ##^ zhd8ZRBjaY0xb12{7z5#uR@eD6cll2cljxwMbRE?Zy?g$l889MHkK>Q*me_UBp2I&z z%I1t8vb9&vX2N3s4oe1>5J^BkIK-5^K(yICNBBJsY}mmi)4UJydq0jD$WAU-8bfwI z(TDqSik%mLakZX3PyyfoyA&?3@mK_KvD0_7^{SZs|;`k_~J1g*TR2 zNtV5+hG}NyEUFS7&8C-R z6U>6;%+yC=y$lA??o%nP9KApbF+q>( zL;RRNS`d8vTi@=wWw8U5k;2ad=pQpMRs}nntsZ3JKS2x!4VY9-krsCK) z3$G>mhpE1Hv2kEf(v#Gft0>+PhHb49L{Da86@svh@O4`OIOrIf2*vYX|L9j7 z7zobPthVKD3&Erl7Et$#VGvk`TEZSSccy5KXlZhz2*GwdedYT;lBq zioVMPGYduXHC*J>cU-}@g($ORrdP&=ygdg(2Q7+SWpSgi%ejViw%rdhqlyAYEZPq$ z{Y|}-uG{!_scjH4WUrGvVLEan$~?7v?pLPZ*@Z3PZP(kzaU--^nY!W!L{xYjsV`sA zFJW}BKzFeJvNAt4)b~K%V`BGok>7nP=+t=x62;gR3Ka#vJz@2)+=o&WX>%6ooAtAY zLgWQwSDpPWeS`e%oC=m7l_HC#>I~P130ju-2`ZHqD%T*(MJysG;&h#Dx$XMk;^6s2 z z6*;D0vWR7#J;7Zo*2xgK)PACyAFRp}_UG3?Q){pf0N3%2q>9|#!r7P>90iqt{W9q5 znWX@HWejdy35w#I|##Y(#>SMS|N=S7gia6}@leOSoJq>5KqS;FvyN^pZu> zQ87@AwT&6d6ejCUH^f$!cVTKCscMU*u~IV&bvIO%fecGN;k1lta>|)aLLX(`j;6$Q 
z#UuuuLD{if=wO|$Maqm?Dl3om``!4Yw|HGjl^A%eO@?ExeXh~n;5-6XB=+Uou`F~| zE$hTOu(l7q(sGN?_^!g|A*&uAE0j1<1s|QN6?$#%!?+fk0SM8E+)_M0nbOK`5sqR( z2s~rhe15aD=~AhRWv*HGbr9_1Nn!))Ub+isYEAD`nSt>P60raAzL>^m2C20OR zmV#BrXsvQUS8T;RGx8vIyi+ZqV#O-v|KkU(jo?=l)xO+#;j+QoA0wJM(AN-SU$Ha1 zLhkL#dU8Jk>Op`5mqpWMYovZCZb%f zQ-zLwHW6Y_g$8a%>nF_Lam2NQL^fp@5Q)~JfQ~LEs4LJX$YR0h5u$ILtz3V!7zWk) zC&rtKP#8-ebSI0r!tz3=cTjZrzuG)9I$2O#2`kCK$C!8v zMnXRwIGfjD(zNa_#E-Gc1_!Evt(l=*&0UJGHXM%T9gRQ^vq`5NKP%g;nB1C*Z>BIJ z)sIH)37XAq!R*YK4Nac3cr2w-D4#wCc;Mp%0X95&YS%H|&Yu`Z>kQs(+~wEp{jrX} zvh><$jMED2)WswJ(lkGt$*1XBm;$I&`nx3_OWd5q1cd-`OJs+oTA97 zKqzb1m*?h&*lLS1zeh%6#>9!EeR~E@Q$K$llh(+jgUr;1um!Pm%rzn0Qb)Yw?SVfgTwGczt;aU= z5u~y*%Mybz^--YipIKKhrTTzLDc4-z)Fg=xIzAq^dA?wxPfWat!6t)0e6&Bg{&myl z-q4hsmfYg*v=Dl@*sw$x$SQJCr!gt5LKesmsT3T5E>Y)l(~&onxJw97OkE^cC$tsl zI_AW;?NHOP&QSIC)Vmud^skN9+EF%dnS4`LQ_Ja#bC>hDT`ypY5a-{trg|Ryl6Kln z6u}u(h>j)dV+CBmMu}3zDZj5+hb`3E#75R(Q>>%PPvxCyOlvRmz%ld9{n#O1HKkxD zzdXC%j;zd&W3ga8U)4sJ*v%=5>SQF+Ib}i7@AmOM$cSKJT!4~E=U&x7C_A}sJ(WTC z*fo%;pn-Pq*bYO@TT3I{o1EkQMW@>+oJgnrc?J3os<6zEM@t_rKvq4Cg($zT?obH= zHi^C=x6yZpTG9A2a$jUNv7?*#sVNp>-j7r@AL%;uKCm~ zYD~I!O@}U2d->>K6YT>;(u5DQ3HR7)znjKO$f3HU3+WXJorQRHOs}NnKOkNb1Jp8k0kiq0bl)&DZhs2!G}OB z029h{!K6*M)m-)Keq|y3ZF@U}uQBK`w_SLSEfxw9gItk;k0Iz6xLf5u*OfOPGFUI9 zt#%*_OH`PpT~C)#>P8Be`KzJ@1L;~@2bR&uH}#lI`L(@d0Vy<}iG38GWSDPlw(u4V zi|aQvxdsxjZ=rOSc|V#D3){U3yLopTM%nQV!?p|`y_3Dd!V75b+1VaQ59?guxioJO zVZL}fFcp=iywQS>;w|8~TyiXfwU+SS{kmlRv-|v|dbR*0(qQ}tk)I}`uiGH?_OWR+ zz7jaCU@mIZnvxp3c24>j4XFk<(3tYJ-@q*UktB7FUgUZ{3tv}}9eB7poVj}tzD{T_ zWPS`z<=&FEm<{rcpIUqGwBhFiw}z1FV3_zkX;i$sARtso&1EIi(Ny2kGIshsJ$HS4 zP9um#EBFC&P2i-w)o5pax;wI0^g2L~!g-s}0{K~ZH5Ot8XE&B>tK^71kR(ii$JQ97 z4K)+?%6w?NP=&kA% zY2-n+%&ZYmL4I0Za=+So_y`A{&d)bwnRwO!v*;0@Vtom1yNmsyhX#pA!=sNOkrs3m zU$6%?SoyBAcwn1p3~`|(WhcN@$N!Q*=tVbaM`X%fr}^7Usbf#TDmVBpm|v!pBnoG~ z2H(iIX>xS;Hd)gr+rb2-`GM970rl;#QhYFnG0l;Q7ls5wF{9lv$^MhIT{yzER-QQv z(6-pjyh?fe%0|B>~TL2+$Ov^awg5FCO955e8t-Q9u(2?TeypuydPySpa15AGJ+ 
z-RI5CyYk}0;Ut=tiY1<>rPr(K2-f5HD%<{=+LFFl zHon4s5Z3#R$7flckmJSDx3}pQQx~{Ht(gDq4}+B}4+hCg(3&mAlXAFGj0j>3aSEI7 z-T9i_?U#ib8`naGl$f^{8wB%li|3l9Rx`famxgi!hd@>VPaj2tHdirbsI7kK6?_g? zel()1f~dzF_((d-Dt-2cXOZA8hCjwQAfyE9$f-Ze9ImX(r`XGF=JnK(dqdS~Z;8iC zev^e=M!xn+Vw<4%od*RuE9WsE(8pW&SL%% ze-S3DeDj(c&|p9Q#Vc8n)LYuXMysBz1`M@;1N%bUwZI?!@j0{rkPju1{!Vkt}TQ5dknHC-H6)XLmbq{l&I{ zba`XYM}a*h3-}q#w}sW?pA#+9;b!v;71R6E5#*Y)%(_VkN@?y9?J_MgooXJLNZ3;M z_0SDXOeDTI`uoH_Bjv%t(H7_clNr=ZpVRy8-{#s^u?0oSp_f0BjU65=4eCE_#mW0V z0-LHPjTW~!g0T*m_OyqyZb{aU@kKFLF&viB0zE#(w!Bq$%4oM});bWDjii&1ZNejN zm90T<5dqNWldxzSep?f6V?X|E|7KWa9>gccyd^J2(eka@=Bb<_uIGhBz%vk{^JJrrVa+AkGTyE%RfW}Jl%G&_bPo+nuYqXjVmyFJmHX8&}Lsa`dO5(YjMSWpzEyF0v=56@e zujp_2{n~05_WG^>gAWtzu9U% zyvm@PT(M^>7M3V%iYApg@y^iLKEg9Xs zbq*m=&?H>1hryXR^pr~EIRDWfR-)3$i^XAfr|(*K8^_z=lToH#Zf}WvzHPu>Zy`?u z!072&Z?lQzFO1xsl+#&UH#_6^IN)VFPReWd9p&^KXh$ilSI|>F<#jPHeva4~JV;P# zR}1-`^uf?i5*-|2A)jG^XZVguMK!)iK0}eTYeOY`B zy4FkzY3$a>H%s2={xSZ|;^S0`ZsW$g0e)L~3N%8R^M*Q>KLH7deDBrv?(c)bX7nm` zQHo+jBXrm-;jm;|jy7UWSFDCGATyg{F0%z)zH3$(N@4pEkbd4c4S9h9(u&YR2TtXE zKAdTAdUox_bi^0i%9l75g|9$jz6g*iw@{$_`sST)UGsJFeZ=VQp-lP0*Z9Uu`xVYR z4+fR8M5~!x;u5=Ow^DGA2v*aZ_H&SX)G7Y?iB{fxc94`f!%vq;3kuYJUEv(ui5wb_ zr@Lb%l69{f>L?;g7{HC+iv0>YUbI*zkX3{Tu1ogDlf}>2XT6>;)+Nd3r460tDpi9P zIzYCP>o{)VP))tvQ-cnCFLYg^eTh|Q779)<5sHm#D7kRD8NzIjMY^G3g~yr`OjjzG zQjbKgX<0*blXq<~NTV`~h`DCeI)m?>{q%zdo z7}4i0Dq^wKoqyT!hOir>0|2Q7sG|u{te_kHoE$j8GU=uAz2nnEH1^cXvK)*c5eudX z>#$!Mm*;Us@Zewkm~7?)eAnv=ek{jW_A$3%X6iQ#7&(A*CMI#LSZ;F$yt-yzx^x2n`(B>bq|JJ`J}L&D$oe9_ zP&b99PLMCNGxn+AUboI~mYiE&{&6nr=lQ38N>mXMcP!$-Y%?@v;E7*(D_Xg5pMjdf z#1oFnWaQK)RMB?p^*)`#k-96RzNJsoz?!ASAK0er_lcSz9NiqK39=U&xpx~JXk&_y z1%oAusq7bZ5dUuQFr|xz1RXh=QZ0@7AnQM1^BI%*?jroFrE5Ov)LTfwXX7L~HH7Cj zR6A0adoM^^*Ww2)Y?Bun({8e|XuC>0dF%3P+f_>D(!@{&2a$)Zs5nGjyqH^&poi_> zqaByDNL1HO+b0zrX2hwRTuX=SwiOK6i!8BxP8c*>NQ}#eCH-07=9_Ro>dV%Hb%dEs zl4#r%9p|%H&A$~pZHF6ZpOM;-ibfVRqHAsORUGD|Rzhhb^&vil*P6zHVK2xJzo2Q4 zhOrYTy(#6NPbE9d#!s=7GJU*_{&~6O7$eJ_x*r0LO5gvD2BCoW>nvl}eXbkgzabyq 
zF@e3F8&Ssfym;e;VFW*j+SCo>_(L>+3zT$m^WU&v#u>@aR~rrOQK-J{4>O=zThS5= zy89EKJy5 z^b1qR6^gzEPzOkPV_qB#=L% zQ!AERZ7kQao*Th&HU@VIiz0dbB(|Ea!x3qxG%r(s!Awq1=O|+u7JIu-0H~>3)%zT4 zMuf?b1Lb*Lyh+Vp`-x8hYUix;iY z1|%yRWP)*u_Da@+h!#vorsb0&jwf`D%ZOWvZ559C&{n;x+io41Iz@Q3bANNpgnh8- zn_=+8-(gYVD>RYKLkU9*FrF<;;xsd#x<7bgVKi(|cKAk}IK|4%q}voYg$`#hWeoNB zo$?0X^)%C(%~Iuyt5q_K8a3gKf?v!Al_=8i$u?r(_n!<4(npXYV2RO&V7`x2COoxJ zEV06C_mLdiTRQ!**1}engT?oj1KnVWen=1T-o#_r+|6~JOqKV%6?O~)pr>JCUQA1D z7F6E+K4keb(6yb9l39au-Eeq0Aq8 z9)D)Uw7zd(Z6YMbn0a3P5E6K-Aw;RWm|YW=;p5c1G6Ow$EFjdNx!MRJUcz`{7y9RH zytjJWY`i^>t!~0qjI{lbXYJ0YOi9{aTBenw>QksGwx2QwO=`z+imD-fhb5-dHw})} z-7@gOOh$gf){A3m4#7kv7N^VXerG}rIRp`RaVJ+{%BCA#KKU&EZ6jJGR@F1d zH`eJBsQS!j3Dhzpy11MJsIHSes95sLJ>pZA0)jtDyNSee?$7$$8}#6SpBEWWsEyZf zlE}pnFlDVUnfpZ6*A3xL(SX4pa}j+-aa$d(g4QlVknw&bmVX>le%dX-IO!w&l_zMW zoeP%3Wx^5>OS&>g>WddNy2mC(rHLU)*ft+Yu7B?LFJ-V&?%~IM5e`nQcny*ak11DN zdvXncI||mJqtf!h_+q(8eF~ZkLAtzN$n$jg=x% zn0H|N0Ht5|)BE!Y=$|HeK}l2Ds+C_fK9r=waV_X7PX7MB!v4*{C)*8sZ`4RQ!7#0U zuGGa4SDg43TiN^m)a}LvTpew^os?$H1`P5S*>sVFTE+yj;){q4X$CA}->=xh>=$D; zI&pmNWNk%*L4f|}A#=*y$)J{sOW1B~h+OpNbUU&2l=FA!IN)vb*xm+9ATt0T4i!ec zx>MQo{IWb?jE6o`61!@HK2g{#=z&i=P-k_0VuH>%r`2?v1i9UhZ@ z?uOrv!7+;Mo+A(=l<(lB)u}>bN;q|wISe*0m^JK2OcoED1-QR`+pl=ITM>&*s#EA( z!l7@q7W6!XWnbv}z80m+-Y26dNE00-auz?w$vDO#@{k9IhR%Gu1h zyI^XdXsejgQejGbnAD~LPde`GBU*{y4e5H z#Ud|U8?1&*;GhfEkcvEUa6k?e?mK#6*L7ZZo*~Rf5V|JEX* zWhS*Iu~aQ_L`K{nre{`^Pa6W&Ksi&xEZX?Ne%(iw!3|;ud|aNgkoXdz`pS{T0tiNg z+4I2kd^dhgakD7lEJK;NiNP;brZThfE7mOiwoT;c$Jty}O`Al$Es9pvc*|vR=eu}? 
zTz^ro7y}nQ+Ps)@rdkj;(3|;JEa^s-h`+%bVa~@^g+_PK02)OwRK4%z4323!Qc*1W zL)rs0+xw%In#+wUA4J!;mk@5%P>`9WXvCtU?ZkWXMgM`2bgKB!pvM3s6reYT^J@d5 zHE9qXE-is5S`?zsP!=D??aND~um|&}hbjE$(GM&d!D~-L7;Gx7EvPlib=C=1nZoU6 z*VGvsFsT&Z)LjtP9h_g|PF>r?WEcsNz@K!*(TKQyyyaK$`M4FMxm^hZVFQ)WHvKQl zL%*AOxa1=A!e@F1k^Mp*e$hR?89O;gDMZMCce+su?D(RJdJJgSzag{^4;qk_H_SMK zg}-e5wm(3p9hhJ@)gK0J7pRAVkYq8A_rt^z2B~3x?6Gk=HGC+I*@XzM4>905HhcPx z@@?6BOU>qC;Tr|am_~>nlhHUK&8He`o38W%6tK!#tJ~z+CVMG1Yesnol_yZHIPT^wF8q;-55 z8;8Qj8%Ybqs;yUcqcxhJTESw>rqO`P3pNu9{34`rG;7*zM1onalYvUWhFq^lf~Hlf zyJm7$*H?Me zOO#ClC*hcD_n8bu88bNYR+{Zq-Zu??<-mjU!-dF?yi1VmDK|}1?Q_>U;q|%5V>jc# zgfl`ab(ad=wm%K4XHGr7=ni=6{qPPB8c3EU=#oBfyDHv$yQY(s7ZIdvF%4rHFiL%h z;vL>Xk?Ou&?}aDeb2WQb)8-R)uWydQ`MxiI#(ZStVJl9+FCcKc;b}Kw2X2GPr|V1! z{*|4&hSNr?Toj}O$)Oy7qu>?JcIQ^*?ecz|6FMI`_|U3<1G+zX81@s%V9luPK)av*1gL+|~k&3*9 znW^9qe*yJRmTQCd#-8->XNJJjg9cQwI~eRp5V7zU9b}{i7-smx8KMu4R+wF*%0T4TL0W$1JR8Nd{JOx_*}i&V2l`K z=hip_M;8jMolJUydNKBwr^*6~LfJ-k59z3TAw$FSychpqJAOR-SPkMvOwa<3y|A0U z>+Qe=2rA|Jz|yP`uv)~oY*Wca;39q^lXf>@DGq6oKf#A^jHx^SO?vL9gM=#A%0x*2 z{s=em;A*akSueaxuZ;I+;22x)4-RPsPM+g1WNLP_qDBPKVrBl)tIgToSz{(Cz z7uJ~D(!vfPbuB)G*y|q~%LTcknYCS0Ij{*R`f7YMnCA3nbA-YG|8)!)+P}wM3JMPm z;`>8<-E%U}YmSoF^vkUT1f2 zs6#V^ArjFZ+!)2uAFQryL+~n_I`!(gX1B5CJ(UQ>VYB{mk>bdVf)-k`CMlRqtT7hS z1cNyzs!VZJFZr&&OnmV1hY&Xi7D7FG$bjg8lXPO1^V!8p!tCJtdZ&t|@^|Z9A1IDI zFxR;c9>$mcZc2wOT>dC{IKz!p?bkMl&b zK-g&hA*dZPY-tNM7*hmu3?AN`mA0f#8n!^dfOnt%XYZ{*OWT?PhJBQ-lCsYne;!ZJ zCF$()mGtIvnyb}3V4n5G1WxJ)U7Ya7DyHNCelE-9!q}mw^~Ap%Yfc2J9r>l<^zHdP z1aNNW8>(HJQq42XsX0+_ScffAwG|6^d^wI|mX&6C6CoKATZ}AN@O2q!^wX&X&)MYw zGN@+5uqRpuu1U@2nJ3((`Urx(xye3Gb?9ndlfMsUm4>x`Kge1&W7o2>EaG8jB;?vx z?$ZGK?Syn$%*b)x(OPg9t@;vwSe{^jn1#CI9$f%A<;uRrzA0qh47S+C;w(mU@AK@R{(;b+~ z&ZkpL`6OXDj2`$XH}jhE9^swdIL)GlqAkM5-V#Kew5JwHUi?FD8v^qS%IZBS!?^jd zj&xEFU^U_uIU_nBYz!$^73l5fU-wv}!73+2+eV*YGy(`p zS0lnabyM+1-C^n};7Png03n@xhJ<%au}hkKLZf zc>*W&%G|}>0=||Onfgif14iux-hA^f)V9EIX*gfvCn3*YMJ=MH@98L>L1niq>d)i6 
zW8v;R>2jDnxN7(10X>$LC^KLSV)noYEi>M6S_(91A~Ql=G*RUi?DfXa9!W-wiQ0`2TkqSxQG@=+a z1e6hmAR^0MiFA#UfSRW0`bM9`={ARX*V~gt-;Y%&^(E$_GlC<*E-$>FAmfW`K^n)4 zVr;$)ocIiYTk&5HF7_1<1wOxaptdS@0HcG&>K49`2pB*c4Rv<;Fdg0tP94ANYZmX@ zXQIs}qAn>we&~51zc^`BwFkwS$75y}{Ag!?LCE!IDLkK7d6b|XLMhYW`_&(VU zfL0Bgbi+LW-bsTXd&FPjG#up2EP|nG{j>r%_Nr%p`#%yQ9WQSsDJE*j}IaH_PByz}cI?(TK^{Ch*N8%Vop46{xTfLc$LYk(KUH?O!huI~RD zy{UV>71gF}DZRYFIaQSA2fmGcmfMHH-_pIDb{Bx<6Z^Z{WObM=-~&k2^;x(rz<~l| z<@!V2v-vXDe;g?n^B+S9ar#-vW23mD;(2w$Q@Q4oU6wLt73+lR{jlT7d+0UFqT4`S z=B7hNs#-qCft*-{IW@q&=cLB;M?d)4WavLg`pd+6%7dZsM~#gGYfJm!1Q;lFCr2KB zJtV1AdSF_bQxqry2;-`v)W(C@g3;5Z(l*koTI|Gi>9B24wG-$`A_Ox;e0_RU2tIBdKRZCwPJ zs*kr3W!?+EET8zk|9@EgPv(sfpoIj@%v>4u*_=2i&sHJ9;Edm4S3|OxRk9aVLOU%V zP*A}t*63SFWC@($ZeUD=-iqSJ(cIJ>wbBMDH(PHAyaXgAsasv7zB2f~)BA0-uU5^1 z_`MOCl`K`57=5-n${|sNSbE19ohsfh(1!G|ExDoM?$RaOZxfNDaIQ2tsjLbve(eL@6o#eLI``^Bt_ZtdyEL9gYV zJ_abX2niw|7G#@Yo>KB8gw`2}Bf7_|Bvjo(b32?&L zkp3DUCc^9fY`Q-TBlR+3?VM9VgGg=3h&yl0oT#6$z3ElqH#1Xu2s)6{zts-(S-5Q= z?_(7QsdorDF+;LKYCzMJK;pu;a4`egNbe$_3U5F;ViccyegZ+nG=vY4J&s$=ZlY<|4G+PtG!8Uh=*;q5CP5Y9i>OGWYda z^;YdrD9643f0dwtsfi=P1C6Y#a~uBYwxa20$x_;*lqb?(;sWNVK4b8_vI;C8}UM1on-l7vVn-61=#$&~dih4N9rKPX1_oQ@`-C{{o{BSS3rMbmxHj7gPy|`NwUi;V=l&j_ya-!Go^7bmM_rtOJ+{f z`wn@$>b2$|WHv>km?hcQbp{bgHKu-WfiY+4y(pMFl%}~R1>{iwj4Jg}CXrcW*KO+N9~^f;fu@yQZShDj ztpUQoAOlnVJxh9~0aUAjpwFxTaSu3$uY<98lfKwUx4nC-!`EO zK}R;{X*WLYcoyIx?ts@eNG(9TIXQ&3*izN4ETV>ge=?^aFUT)$=V-2cYk4B*`5q0H zNgtCV>7OxOk`0)-N0&y(Mkqg5~)r1OejCX>=f^f4~L@ z23WT3r(-p2C956B&|8$~*=Z2$`(%?tm3%NV9yaUO=US%CF2GS5AN_q-mVj(+DP-Z1 zZ@buZTJo#q@NAi;;+HX(kWlZ*>_1tdN_1w_N{+I4>AVeN9Ju20>CA?oGB|BSN>zW( z6e?$t3VKUp(?k_05OGdH8c=8@z9*_zi@~pN92RaF_IAqL6@dL!y zJi9NuJa&gLA#;J<3-AB996+7T;oHV2O!yLFofJu&S)P;(2*mykESqy8!Z{1mCgKkp z4c7-aguI}XbWM2$QZ5D{Nt@k5+#*M-W5Yr9Vd39RcM#8oBwTl3^BC(heWJWzSlL_p z&s%sWV5^6yS9CgYqI<)*el|M_O*DBbU3BYsFXfk(m)h48cmuPo--p-D*5{WtaA-(c zZ~@}`)Q<*Khy<}&(r8DsMbG!=(^qpgbb5EhB71&I5%*{7KUpZHr0bEeJ`^4=R8Qxq z`O^bPa^G=*6?MHo?g8K_){^9 
zw=aFI)d_DrlP94}t6Gvtj@I$*1)}SA^-iNym8WmuCyr7UZ&I7fu_OU&%lhZKuN#8j zv1!o%jN;Yq$uQ}+2>XErVh2**^+mkM*nh z;z&^*Lp9shBYz7&0VxoJm*p0L)K@DKDXhJptd|YjJnkKHi7lDdsEG5(Q*DteL*bT# zEMVcV$h?h>i}3~DZeXEFANMD-3W&I>5-j(|68SxlhizU(($r{_WZO8_34I?np|^t0 zsaIkZeo*k3k0%?%lM4CTZs6c>+3R~@&LUl1T;y&Q45~uRln%%50nB`$m(KdAwcKLT zDNv2{mo-32QjjIT_(G8zCBw|noBNKMij86ELnm;XJX5$UMJ9vO4%fm{9GS}7+q*G0MHZwbzB0qDcQ+^MiN@g-rgap&N zZXv{xchMAqdMoZy;LAZ$9Wx%E5~+|CjgY9RIORNwE+KK_-h1{5pyH4K=~1%0$iKXZ z7cQPkM!uje1=YYrZREd@NC6K`ndkuR)hcRDH@PrpwY@6VVA@_CsedMgX9-ev_(Fn9 zip7x3_>;-=wt;K8#E=9DEO^UQrd*44y3`pdczj9M+mWD}<#}s8buXkEUnoQMWxOou zMx;0QXqy@U>?QRe4uex5I6T zGVP|s-5}w7-=NUDx+fFWHhCSd%>QRm{r3go(1C&nXNPz|*#{D7Ey*G_xSo?==nn#3 zchcV~bsI}GE7KbscO)TWxyTH$oVvq?{@oQIZ=j$fe!c-+L$C@)6bZT##T|$;1VX0EdXu_ASoh{9F$oYEi z?eT)l^S-;2bnN>zq;zcX+jF(;#ZU$pM&s8FLwQo3CY2gv=yX@@4)c&c|?_QZ7i^4C2pD;Y(KS=1ToT@TxGPXQa#WEYP+u|hwy*{xO8Mw1!oq+*ES zqLJN}g*R#r;k1Q3Z~jrGRvORXLSfhF@#zhOH!Y*rs#=|`HA7r(b78Pss#^jLh4K7v z763-j_02F1sa(6?>n+~nQ}&MU=VA!%DR2LZfSn5i++4;Az2!DogDzjraqDyJR+@f7 zED<3c+`R4?>H7@1+Hq7~eXySsHcCjR++$G%vBA9A8WXW4+UxxszZnT%C4~fP#^%>g z3rP_O=r5Yf=WFd4E=M=-|4d|M>`mqpIu3yC{?YnNAAGyu z{B$+Sbild7CI#;7=%7={51uVjAR5Wwss`0k%xGjx)F|}u`El7Te>g@W3TB>nJzbvO z9qvZdU5P>4&hFFwq*M1{r)?qoq>RK1LC*iHUVFcul{`ca?{jZwRYt*0=Z5Mm+`oCB zoQNt%-CSCGAZ5QP=n z%A~XId8V?~ZvJM1C7pZ9<$nLeCCmsi_Nml8BK~D7A>6)JQf$!G?i40MG{jD^J>{)E z6#@N##vqK+rd&8*^OWmwFS^H~Xd?464`O*LYfoq;DhWlZcNcj<4HmcbUzR&s^~Lmd zHhW>Q*6TbHGB4FCbzP9eB6s#p#18K_sE1w3n>T*cKmJ$F{s&Sv=Ol#FU^J$0QsBpV|NE?sOD& zWgHHnmhEWu(Z|BM_$P$tM+(E3_tJjd=psQQWS1VP)Tx*JzWusK$T#wGRNkdtZ-Lgl z;&VN|tPYupVevNqF5uUn(G(qH<|G18rS-)osm>;5g2hYt~;&vePk#q!C2JOGQ0gMcklWd zC$ld=Qt-I~@AeQB=6W5PLc-??XGMCA=!XuG65n?A1F# z(HiIzr>i2Or~=ufGIs9=2Tb&jx((7tgv`0!nJi2|X@8#XuN%H;*Reupq9}Nu^6Qh) z1d~6>Ud&hOxhjy_2$69|lJIdh-`4|%V%`fJY0vtemMLg0iY~I74WJ&){4q0B3eu6| zt+Hb0tFrTgO&0D8Ml!e4&EI|R%o#S%KhOMhn@HeOwo%w8@oUF$P#}i86I^Mou=sB- z#t!qa;RNZ?=6TcJmQZ*;&)>k!`F>!b@cLiE29$)0Dheio60Pyyxw=Jcum(#kJDt#z 
z2stI#uOitl(}}z+CXTX|a`%TeN!&%rtXlPUe&l%E!HOx-W4HbQFL@P~{gjw`w@>O? zuPCQkQIy&GZMpDm48b!&5N_wAf-D%auW9Eue6{#*z+z>8mR%qmt6E$^b- z`t1)bL=7BkAeQgc6tOF53ITto^}z=f&Mp=Sn|iUHyXnVA9o6>Xf}2B-%5=WOFMgVl z<1^Qjim(Al+bsY9PmI+58i~UoTdq}|{J|L3DU%F>!GZuSW{g~j1=q&y!lB^W64r(X zA;^P@6eKcWqTHf5e4cuIscQ%jV6q{}ZHJT{X9Knjn!S<0= z#ByzTC*U%@X|V(2EV2;w8BAijUtQy@B2JbY_1Ix*_R2KMsZV?N`!06|wI7@fBjLEk zV7Km0_3|V9gWFF?(ad~zqVapHsB9#FZ58^h-z^}*!jS7J#gfss=f@L!;~E*++1ZM< zzrBkUvqF86$8xc#WR*KTU0^FzPQ#dN3gMdHek`o<%z6gUjQBf{20;Tvkb;>#t9L3q z8ZvqQV^#rB*#s{%!Qhl!EDzO@rI-I`jqt1lB)t@6=CW3GSFZoE^amhPn-V{_vLd%E z^Mm3i;DduosL%)UM5rwD(=ax{bu7v3iX~e?iVuBTh@@sy4vXDx)rAiaN&SivQ+%fz zKSeffiXkU{Q#5OBpr=O8Jn;kzPDbQinN(&>MRtE7tY~4;-2d|4e{wSSKbTWlGsdQ- zmW`|*YYT{j-HCYcWDDif;t9rJLrgjycc{}L>S|AW8PKX9EabrpnkRu_kJ%$h<-ieI zDwB*EO@uZ!zNg7-fuxh+_$B;vjdIOD1~1l)$a181DrXHgOec8$NF}K(uQ>56XO@$; z_+*hn=uI&5oIu#n7RugW?9_R(!K?WW_eoGKhb5Yp)vRcFPZp=LQWXB1QxMAm@fRX@ zrI)>ofWDW>%q6u3_e!%lZ{Gdoln*lT;dIm$m{wx6JAlX93{u@D{1gr2kea6RML#=4 zn8dLYsnd%s$_{&1kk@%9jSPhT6}n$;*9Kkptr}7f^fU@_SCF65Fb6TymNXWcdA+R~ zJ!p2gJ7N+GgAfTB=+uf#2R98Q7I$seGaCusHFbLV4T~nfQlO?o27vfH9TuCW%Q^P& zlnClw!_UQVI`_Otsq4ip;U)x4EWavvG-b}XyJa(m3z)7iz-b^V}ukE zk;rNy$G=(yR}MpzVJ7PGLZCIk4IO+H;xb?ZXXfj~6gPHU2E#tx+5fwQ>K=j#Y2ZC4 zc1MH`A}~2ALD(XJJ>-6Sp3F(J3EBD3tw${6o9Py~PyiY6qgHL$DW1@qj=05UIROaj zQYi?{7XZ>I+783`!T7Z}RxT8a3(rb%rDl`-Okg*A2y=aw!(zcY5O5CUd&Acm0F|?s?=;Cg^Zb+GeTc*#cf8 z`k4Y=q4CrT6cQJLQ7#d;{(`2R#+g*I?@~D0-7igb>Z|5eRqsFudHC$?=){X(&k^P^ z8$6E|s+pVwtmDUnOY1$H=870>x2j=uDHYP$aZP|@dLq}bZ=zF0Rd!lFO>Q$xn`I<} z-kxY3%=_OQK1|T#!_L$5*A3X{{CDpDBc!K92eHKc?45d-gRx!L&{2Z*!hfm53nsHD zlHbRC30lpMD^gs%UO}%S7jBKpnoTsQf&QC7zY84W1jGzZ`#A2G&l8y;A#jg>2t8cu zg9foqE)*L{*$ePizCmspvOi9iCNlX!e{=TEf@EZuT(zGsDF_$4b9U{P%A&nDhvC7i zn;4xWFDe;He5sJb@@P)W|41CfS{9pp@G3WIBu*|MO65r-iJXDfS|Fd-C$uNabyIqc zI(!^DTc@dG`mgFyVbNf{=5yur*-{v1j4`>mB$)_q=1)}Fel_*WIKB7%9Uj+KkUOTT zh+~KW9%yWGU(%t?w;J3=lPgcU^TJLXw4B7Mju?%)G8cElN~xKn$#3vkKZoBiSkHXE znU*45j?6#TtTRMds7el@7VZy4vs$b%$tMqBft!=;xqDezc&a#@XU1QzHT_+9w$>hb 
z9t>d>podHBRDun;0fc&$_wV1&Q(!gC+n`ZmYWFD(f{G^>Z!}C;EX^ySbdex63$t$Q zoX8$>jk4Lh-R<9z(&6`4GTk5qqC%CG0PjNQQY>TKF<=WM^^j{NB8H+>Wn{f*Y zy7kX69OdyLtc9|`G=qrQri~Vt=cebcu|H<#j@A~Y(l4VaOK(f&PMp^5v^yL`+Q9(s z_OojjA^M)O!=#bqra{YX1Jf>F#V6ecTL~dl0!gjKOCv~=;E9K_COi=T&rFgHq)z}< zoz}>nfSuUH(%8k#Mbn_z(1(!2wWH8(so}?RH%PMYL8sBaz~I3jBR(JgN`{YTF`M;> zyf3-d#)~K{lxRnuKK-^BH>&S;19Sc4NBb8mdG5l zoPih;hIClwfDqoGqkBko-8`jhyVPZg-Q>k>hVs1!IjX}ue=CB_Eq%|vV55UD(yo-3 zyfi!;A3&s&MKs*-ye$GG}QEYhIGrAKwTM?~!KDyjUYKezfcT`%4H zY!&{^kaQyB9kS}a;wd}t%;fZ+&L;w}kl^{g6Ou)y=_Qy-d2-sTM0(=$?3n@t%B+N= zX^CZ>Gnv+wICzdO+p_t+MDVHwavO$s)KjmxnRC9UHHA2RD8}+o zQ|U*}HmT%X9oc9FCqg<7<KI$3fbG^ zp_&Z1AygI6D7}uSeYtcy{*&Kk&UX06#?i3l@S_i(2SzlwgFk84g~Wia0z3#qR1sYz z-9h~tGfWBv6zyri8d_MuTfsy+TK0Pth$MrHa~BGL%T&65Z0r8@Q!ydbH|wgHyG#-e z4hxO&Q3%RJj9c)$=(!Ed1&27tkj#V~ARe9GSlDq(S-^g-A3RL0e2GPM3WKCiX{6(d zg+#AY7L_^vZ`%XJ#!+Et6tj!Ej4<*+#Xb~8&|Efa5FOmzla*qc+qZ2HEmfTGATE;* zId>~hCT$uTDrnuO`{&P5EeTI>?$!@BDNb2?M?hs3j2V`^Dl;SIJjrZ$5V|m`uTo8y znibD60jjN(MKgy%{~7X!IMQ34V{uZ^(FfONgNCgr$I4fX>Uu~IHt*W+$y%Qq9NpF) zx)xtpK89@F6xPaHLQA*Q8(Ks)rF0`0lNV^VwWPRSOg8=Yk>f?QU6&Ayc}a(3z2m>} z)ZmYs{)(=jgQeCfcd}X@;x>ztr*US>;BB_s$Ni&aekOf#Y~M?jLk|;@xk<{w>7nUv z?E=FLhpNn_-|Cymm3%PK9{oj?@yUEzF~Zi=6z*_j!P3L$l-%lM0jff7j23v(#zE7| z277T*9cgWmQk^HX~Cea=wqeleQDGU-J?*#5=3&ruQbt_awn&-pk0}s%W-d3njB{ zaXBtB;0`d^Wl~mdz%r(}!!2j(bA}2=)eIai!m(M1oEN9S{k&Eo<3E+~TC|6@SmCF#?(Jv@#+cTtAT-|&3FOXi>TIO*Q(UZ!3(XPI*q zv$8n031i}R&A|z}xEWS!ip-v->z~BrO1(n)4vC0L3st?Yp0X)?BX)cly$xtBTF~v^ zdQVgbK+ze^zkCI3>&=SWlj0C$_bi*&(nFt^47&Q5GFg6-im;qixLc7xvO#10s(Oz^ zXV;3eweHEuww0F(x$31r{_-p@tu*89t+$}ClMC+XPPD;}yhFrP7d$3I3j_;dUyBuD z2EKWl&Vh%o`rR_I9&SF=?=x`9S8PAg(e~9pZvPyuQ|VpehtrrB$ijm!ytBrndQAD#Dd6k+7sjUYd;(A zA1~C(t9N!e?z0H&G^X*U*(gjFR~!QQl284v#5ld2Pwyywo4plvKs4VXp`%_zrq>Xa z4v)sA5;-Njufq2;D*+Zfl!ah|)-^2D=!50Jut+#Qkb-1CXF6Ucnhq0D~_w1y`kX;ac z3X+0YWhV5CSQzI5RCP z(>@?=D}ST8-Yh$LEWfAwAw?{k*|TBGz|NhBYbPiN(#kAyb@`@xIzzz0J7(!t<1t~g z&s$xYD6>8CW;^TDKvJIvod|y66Uy{dnwbgN%>sOIw&R 
z{Xr#eG#xAotYq|K$aPoELJ~(LjSr~1nK|3b_pNbFS6I%vFu-Io3*kJ0@b!!O*t;&S1yu9EO>3fFxiJEj^om)Jt z1I%jkhTGj+Cun_-Zxd8SsyvJ(u~d3RM=1D(U&I|&l!(-CR>oUklb8Lq=LJ?OwVvDk zpu{-1ZKgt}$IpG`wXr(d(6qN>^LVnK$@Ng)UN%;OMh_;Op zZOQ&8_HcVrjP*k4?nLMCxT{kiSvwA6F^6Y|VXq0Dr0Fq1)O)3QBY(NEj9ePxVFfz% z`)b88c1W+Via}k6Vko$bR23OU1FvI*X+eM(cRvEIOt*s-K|=D~!}$UXh=6>G;Q1|* z&!C-0Z3GkZryPD?@ooiTy4ws=2pE!mp@b5FT|X|aO?&T6dLrZye6>3vQn~&`cEcAe zb$kh+r<({h1Q=hE%jKm9Qj()CihFuk2$x0Vh@ zV|KUjZ03$`@8WSrQi?G6+~SU>_}wnYCQ`{eJGza@<`uSm7bLhQ$7WWycq0bsnZ+L zAF=t;^ul4t6GcDnhZlau*UIsXURON6Uv5AHMz9)n>m}0T$S``x=A_M zs`5mR(FOD5=C`U&#eMpzkBs`J?-?&SF8I;o61GBjZb*^jct4*`PBGjV>T)Qkz+vLu zjb6@oRz&PQ(w{=fnc{WIfASAM6Vv~ic0cx*o4988oWKlJhJpL2V#I1O%V4+Y7J=~A z6!uE@nW{Wj6htz~{Oo*pC7{cakN*3bjVAPR;ixO|D0%c3p$gAhAHv@MA?vKeqU^dx zPctLk%?yn+(m8~rASs>F0@B?b(%m7cbf=_rOM`TGcb)O^dB5*H=lsKU0dwE8YpuQZ z+H3t*eejr|G-jwT8>@M{L|ti={6a;5_JxLJpJraM^S202i#2wSrUuKM9CBuBZ}>Yb z+3rG6j%LY^!@av|q~EI{?vO(iA;FlRC(QdPp{e2R1X4Y0?!S}t75ynX2--jC7B*({7i!zuw%# zIo5uSm2bck4^8CuF+8F>L<|?KFofK)9*Vw#>c9to1^B=DAz9tj! 
zRwl#ui5 z4*1!b&+e5LBnB|B*fTO!UxR`=*T7ptK{5rtzw&f@l?dzQ}k)hSc z@me5$cJ)@NJ*aa~I<_17m(Z1PC<^^mxB1vIyk}{}p%RzBt$u@({9{xnjAwV!{cUT1E6BYbU&^fGJnWH`EV@H>+0`17Dc zzIm*_YO^Zv?xoVZ8{Z9Iq@-MKFAl0k!~apEj~q7aWqLJwS$x)7JUA=JAadn6{AYSSdV$4r?hAS$3_QobY3Jp3*-Gu=4{4qMV%au}H@#P}0 z9IxBpmxC_~e0O*Ihngh6AMmpx$8B3juGW{n%R*y8AAi1fdsZvaQi57L55I#9yrD(i z{r%ED`Mb$Lt8D(5jH{E$!w(Sr-m2cB1y78j!^-BfF8pvQGwj`P=_NX8$C5#nN=iIy zIjon~cq>>}n$-FEd=JYKPICmZ=k#`s&CV~bwkDpOS@aC6m4l_2bAS@1;ei-ayXn_ zjrw>VadK=Td07cpUb{(ouK-&DQ&(!7MBUpB$(zTtV0G-Lc-xTfagh&Gu^%r;!w37M>T`@BVz6`>*O^jIgu z?R^WVbDGO7)`s7ETJ})3q(zf$1oNYP7AVswvpL85oC=b-cgi5*Hs=~^1f6)~yP%W@ zLIt{GpBcw6^TjpBbz8z`2Fzp{Yf7ylUYd8fA>l2y_>pb2+s~Osy#gs4Y|J0(T-_OB zn43}23lY3l*v_xs#%gjr;9F>Xi38vXuJ@qhlO)^)BT_(VF7X}+4rmlm ztR%T8e;WGd5u>srA-hcSDq3s=tdZ}g1si5IleEVqfn;YJyjqNe_M1ZY6E1;~NL z7e>vmDTf~g2mI011KpriH@b7 z`mQ;B{Il7!>DSa=fI_O9k7^39a#c6Rxi+vx#^=E+jqQfr`%pR9XyS0b27$2e9M3Wk z_F@8=%y_hNd8TY-n3l4>|54+>5ucp1vOp@(*-tE%rFGLrq(F1qpLxEIp?6Wt`EQJ?TBRN0%zTCw zT}5P$YtZ71<3g4v8+Pb(SquduFf5JF-DYyVt3;_6M)}~27f63~Fq5BH;wEnkg6v+h znDno9pl(##E1V|d^u94Yq{b3NBOTXX=pD;edBN{oRQGbPq&nr`yf|qJYzo;9OM5LM zJQa}H7i9*JR&2Oh7WbwIxmF?W#3kuz%RoB$?m4eL6+XnmNOGvfvalo%9+X?;3SDcvMJx zq{}?xqw{t*uz!1c(>)sw;rs?xJeq6~=nM=ixt=Xu?2p(&^MtgH&}wnK^Rg8bw7*0c zjOXF0+jt4mkhkp>aEGSEn9t$_Tahk9Yy3&Px<702UVjJw)NzlbnN9Eu67}!t`~CvX z-+8{i`0LG%L7XFR-kVwp&$4BzZ`DA!=E{F=L zJhg?}K@FN+`ErBg^J4)1+D-bG%ab^~>Untorg34HGr?Pjg_ZLNE5#T2Z=k|-@Y@OY zIT9||2CR;ncZkS<7V(~xc^zmj!^T+)p83V|#nj8q##CW2-4AsLG6!My_*>I{{IN{` zeKk2b5Qer?NbAY3z_B5v<@UKKaP zX5b0D5_BeOk#v}G=crjxORl-@EDi!24B+cC459A(&s%RxVIiZ16%K14=Mg7_%3m0m z39e5ov7f)3n;^E#69ITc=0=w5B)q+^`wJd%*LBxq_f%*xL1^RozV)#C0-H`MwFEhK zx$jeupW4*JFHaOzYxQkoxr30sMzsjWop*b!>G{_ETqC}Lk`WVGQ_?zAgOK3&;VH-j zmN7i$GNnXYtJ zJAdyr9L=#l3z^W98T1b(C5mSg7cTUQ;(TduEf>Ko@2~+PyzLf#ElM7;2b z0F8+4QuJNJUARaA=S|NSMCP2F$|k29VA*EftIpnHauXUKTgY*_+th_w`{4C{4h4t% zs3HHz6GJQ=3-f}phZ%8ao6?lsBRqErlGJPz=T{FR58N5g7nv55-;K#;6=zADE;DUE 
z;^@iQ#KP!>MU~1tZabJ1D-Bc+lJ@>hEmH_iL(!f*J2Edoy6}41<9YpUe>^M1qi6B^2qeu$-WVezPkmdukOT%c65|Jj`u zT*-l4`-wsN0*=bSq~KZKhrItKsL=AoARG{3i5V!8bHMX?E(jZY?PlXWr1Y+A?RS&? ztBZ|SM!OLP8^pxuY|*ePn$QH%BrATG(IG*63S?)itGiDzLPK8&tRN|=k#kM_r!9up zt_ZSK;5}9pW0<(M73E_U-k!PU(0S9NiAIuBBBlBSp{J!KP;<{0Rwx<`?+kafdbn^IsK{De*)0Ks^V$ zk9})gG6`=?pmiuftZi&^6Gg@{@xX3WCu$Rt)q3|0Wo2jYu=37}PwzpyP)^xvnBZ+C(CbBTFr(=5Kd?Cl3C2h%Z_3k<(4XaOJ%12-|wyz-?+8cRa!Y{5O6G~0To&i)I19PR@3 zVkk{4Gc)j_Cy&~*cR}ibfJLWp&J&VhR(SAprEuUknEZx(M(pFYXo%BB=Yp22UXI>@ z0~I?;Ypg!d!7_`0n^P}w2XWYb&BxIFnh!U@Eq8p>%XZ7)Gw_H}w3xl}CE1;5H9{Uo zBYVar6Ncy(ZcIY`L_5muirCt}@;TQjjEZwiw{>Oj0-LyW{Ji7ok=9aG>x9aBHe*Q& zjP~+^0u((pC@^Zn*upOK66qTg&VgPqPVAvXYtqLiADuxA%Y1hnFOI2XkSB>MI%oOF z9kWv(lRwWbFJiv$=z`Cuz&Q6;#COUmA0KaVa!|J6K2vU(wP%k-K(ZQ@gKeivu&cQ0 zz8o%uPqtXhWvs4wp+BibI&1&rzYXWyrM=hP>lUbF9XWZ*$Bls~<^@7qWHPjJhVknx zO^D%Q&Y16X`HdBQ0$`h}T705J5mcu6LieF^YX&?JLe!S?h@Xopx9sc5vXC-q-wBCw zHE+$z9a)wBL@vES$0|%=T69UglRf`4A@2o69_r*|5ug#n{<+d@rVT$k*B8j)19yBW ze&8Y~et@tYnj^X%v8rM$U>N{oW=?7#1pyeU2MVUBm@7NpWm}iW5}YMBl9iT_=hY+A z>lK)5aRYk_n>8*>w!crRw)82p*IhXu9m2}-IQf*ocy-aX=a^KRPikU0Mwr$pVd5gz z(NgI6_FGTjNsOPNCv>I1GQX3uN zU}h01Wc|SG#2fDWCejth)o(xn@yjXy7E}5JW`t7KBE|p>ph`X@pN{HKxvaRI=)b`9w$q0$m{GH#r z;t;ZeQ@&J>R@8GG?y#?K!1=?b2>JtGxx9uIxGvRTU%i)2r{(GiCu78<{nWRhx%BLX zI?qVS2@6hu$wMyW^<|dh@=FEc80lBr9^PFPS>1oDyv@XXp&sr>xF8V=*I+kv9_USp z9utu43=QGXO}H_RR}7jHOlGUUd&h;8ZssrV!S=W+NOspjFP_f+C?}Sy2N3AU5F@j@ zjd%oz6Z(7h2VC;nS-Ba^9G>OTIj#p1Yz@cio{QNghmo;em<4qNaj&+ZY$=i-F~+}N z*tus%&o?xC@b%UY?H%OjcBrwMCthgt!tjFZGVU=ly!BCq@jC}cfG&JFe*%qgEOc0H z!$vklNTj6%v_`$Rt1(#&jy57(H$SXNE@$u+c-IEGA8tJ^%<^WGx!IOEfgj--2BoM(WPK#& z*$1{k5KdDzbj*c{E-fuK3nXhY^BmCwRBv4aY~%x!BSU7RVRIb8KvBr!&o#4BG}TZS zWN~RTZB`8oOl)K6Y`yzo3FAFlnKX?Vtmhjr1_HWDg5o+sC)F=pq-%WExz_V1c}_tht)w7<1((2UV2VQ zKpvsz32)x&azjR<9Uj5L4hzDytKR43>dYthdFPmt`ofZWInSR|FcgRg(EQ9f?&a0T z3%Z`eS(W<_RM{vE8t=MjYh5c0VHrBnYfyG-j|f9BKVG{`=jQLoG4qzZ>a~DCTRk=>yFb-oiuwwmU%Lpkz37fzA%M|RKD%W(1W93umDU=p3K+Gh 
ztveh-71vk~jek>;c@>}!AD9D#m4|0EF?3K`lOKB`j=;M>b2cVxy!LA)0WC1GStF{* zhWuE1iF!9gn_l|97^|M|D2fPxgZImGrVv~aJ@xepE*r0A#&tq}Mb!jE$;~tc%ZVU4 z|BDVk7lG4NM6_(6*Q)xJ7|?u6KLu`OR4!HRmliYGpJL_JTZ6D z!E6bQQ0n;(YD++mCzEu?TEb(BsG2Dh!3{nHgq-+QVrR(s10SApDpD!%#GL_MxJtHx zx`}Kdj)%9vmOEN=8{apksPx9bau%0gorHaB5eXJZro6o{vO9F4z7>I|9Rr#zGrVjh zqHKmv!Cs*nd)NU+<5-MCdw+|j|rQloKR^DhRUk86UFhkbsUO6E~@PSmzI zjtfKfelt_vf#>}0fO9D!7yZLlri?<1aL63*W^bV0NR>>UlA+^+IVL8}8q>T4#CX17 zP{7nSN>?va&%Gbadi%>VW;^Mi6%slC1t-NVw-G51*USLc6dJW%6@-OW$g&<(H8lJI zn)V7TF?oC2dE~f17xf42H>6&U)d_Ykr!_+RlC=cEHmx*zD25;2f(D|8Sl}3%ogz3lp<_ofjsKyL8UmARzY=Z>{RvD2YNWNJR^{&PE zRsH6D)FgjQRAphwDg3bORG6z_sY7NO@?9M%)aqwFw;;C$&4MEvk|bJZ^7gdQ@7Q+e znGM_9z)M=l!{$p{Z4?#A>D1vPcQH~26W1plny)R1db)l)xKrYfccNM3w#mc6V;;!aci(%8P;ML z`zEt-Z$CywZfOa>;(@6rLV^}jbJn-{&^5!e_`|==__Ss0bOiN$)?TYU>*vUV^)!f`LrqrE%FzuQ-LDii$~Z=OAlO6LPm z#ZhohRLZ&WcQ5*YHYWQA919twgDS19~)Pi-=Wl{+lyT9_%?!4X}CrCuLT!N9{9*H{mIGtMpU|S6~Qdh&Ppeel{y?5Etox6@5#$jg~VI&YHL2c}% zQNaZi?I6Ji(GD4x!y+>fBKR-~10y598tk2e2=70Je1cMsMwv#o9ij?`E!qX&lF#p} zBh5aV2C2Xl^3_VP@r;N2iZIsW6!Ma?wNL`eY;%~+wK_luo(8yN zqWv|V4}3G+?o6ij85Wrui!SoeSc3(MVI-+(wpiYnaj$bC1vEpG~I zZ8{J&{0GXtB!~gC{TS6z`sGA8`Pvr@lSF%=v)nNlS1q4Fjm?v7W$ML3If`(z=Fo7p z7SG5wFr*e;5z?D`1Qj!G(3^^ktc;*9&FNZ$O@!_BHaG@BE4NEM`ip(8>{*%)+cn=B zYrjq);K*X4cg&Z4^z#H9v>K13NgQY9^}Vk?Wu>xIC*35QU9=)b@xIvm^w>BSQ}5XG zscq~y>;;q(H_$QmrKYXzqjRO)-nw8k>(4;&Gu`&)0|6>Z!erAL%RKOmH(~ffEEX`& z_Z`B@a8`rzvf|-$RrUz#dTEP1MCp`09u``bU-fwQ5^<@Ju?@&P#HKroi~YU>@2C%IqR>BX;DgK+E6Fz0=Aki z^+H_o0iBIf0{1-Cctj8`GM1b9Kk)TZ6_Nn%oYF1nK*3a-djeK!FIY`@&{NyAceVKhMt9%RHqbY0jZo-zu8n0D|(~-L0 zTu;Ct&x|+v=Af9SK)p*{ZT!xa6=4wxZ!|rfvAxsdYPwC#k9eVS<-dYdDg=;m1~piS zfKg$8VjQZ&6Lzj3^j5moRH&+CBZ4}ymJQP{en)3GNmq-#>yP#CLNW@-K{zPeDYjOP z&y>1=7K#vCL`-I&?@i0hD6NR!of_w5I-uZ=%FZwTSH#YO+pT= zr&J-oSM~^m%i~`~_zr6;H1om%H11csl<)n|3`@N64eF5v7Q|(l=e(bbt8nJG?`)KD z(SuoaTKhp>HVB${azak#E5VukqqsX0{Snc2yz)pml=*?x1|I{14Txd?!*5^jzrE1Y zwZIk7m255av-mhIXlFIHhGabp2 z>h>n4;_Zy(8K&4vsS?16NTL~13x~G?&~}9Saa;&k!F~K6czZ2AF{kTf)xrCU+$Q!f 
z)(Zh0#ZR>dAuLa}=7{&56=pxxZ*XK`Kq*g6vrF8HfTy7Gisa6L=@ zEiEdf&>wiO3dZq^cppX1@WU-Faz$RN{Vu?zSA&-6L3VlA5lFB3y;Mq@9wTp>W#(|S z>v1A$IyzizhJQ!F1`+JjtT9&0wH&P$?M;q^ZAz7y9VMHpaq;CNU;R0!7}Xm|5YjEO zrEFBDSBK54*DSWBBRYx{|8;(o4_1Ojkak?Sm7`Xxj4ja_rnWs zw1YXxh6IVM%*G1-sHiRZL!&86w^L;_!T!MoeZ_+xEW*b4PG!$6mY7V#QL#_y&%Q@? zI>3F%F8{8|7~<1v>$(5xxjAUIV{d*aIUK9pG5}$pcu~wv2>Fqtr3AA)uTc-e^G?W;C+|T&l`zJS~OK{{y?II52TIOp8B|(t!$_H{9fCn5Ot-y zAMrs^7to?A3Q_lCy=y6QCpD9f*M|}e2inR%#`s;Vq;P1*RI{a|MJiJ4(eXVcJ0D(2 z3IL8dw!?%kFLGH3pZjluV1qxJx`Q;c&|GmB+F79y?J_PWoiMHHUd!vLKQH_+6SZ`j zZk#k=AqTT=my4}I`$Vk$?Q}ZdiXJNKdQN~FHsxtt4C(CwaGta1`#7r){nIPjy=?*a zKfbI`FVHJ}oipn#oE8>T1}ofph<#COhL{F?#rGud4h?O^UDG^uOBn9M4aRve{80Ic z_|;oxX=&@sel7iO{NSMGg2`WT?JVO+db&{`wiVmT7rheONg`?BkEuv;;yClj)fV!y z1&MIRbGYvSVTG}_>U2v%AB7=w=q~D7s-yjUP|SU@9WA_>*GjG9C25-jX+uI};)3`h z9+*0+7X_~8AtfqX>C+3|R+M&SYk2c*BqpJ#biVG(lJY>cl8+#r;`@Q{lQ7*c%0BNE zBd8Z#MRR_0yJr>02SduE;ANjiUi5e_Dtfa>_3tYl6>xdJpNHSYqhTlsM@mbl{Z7RB z5UpvO&}J;bbziI}h?i-0>^^uJzB>mN7}2o{zn5DoYE>{uFxR5^F&M<2jiX0pjEyj+ z_>LQ49%mRMxKQR@R0-v7h3LFv;M*=v;$Biu4?eq`BA}+jAeUFhl=4>Hj z{sga31yFd9Ik9QY6w=om&`XY$j{9sNo2+(M^C7T+fkUTT2F~CZbvENRQyXn&jOqX8ZDgL6|wb!NkO((5`M7FNU{UrbCmG4L*e=OSy~2;>gwM=qun z1$rMD2D&IOu?yl0wcZcs$eiN0!=CDI>446g9}FwVe#%H5TF`%q@b}S+)gXFh^|KEn z9L&zCwk8g{ALWaP4HA!GTr+y^2J~uRRU{@8;^5l$$HS_jAjtOSFpz0(x7u&XpIO6b*i~`@c^gS0T&eaWp^3raFIf$G zQ6+*`1k{K@4S+7PT=^yLgcpEzfKkHi)86%2Yc5(VPvvyqJy8e#)4`5%v_wM)e{*S7 z`SHuI0>+F({(uZNwB~cFX?h6KgXO1=C67J^In`Cq zslB)lyFZ`J1xPmdu@mk@b6;sxPCGgB)dqQllsUchzpTo>xC^FztMa)F@U}z0xk9JQ z=+lU=u6|wJPWk)f*~|TBmi#V++`-=^P~c+rsn2BWl@P1YPR_7?gP%tbyXC}_MbiBo zuMb<#4kK#dtzZXN1meY;Wkw_2KrcT#q+U~(o#-8OiYYc)Dj&g;hR-WXCme*LS1C$J zUU{GhJZ-O+E5S?8E44OOPGFz5&0X7gO~+IFn4VMr8g7EeOW;cPLJd?Q9&-fPdVEP@ zQeQUJbhc1orP$BdyUSlljxqu-3*Q_HiTc| z3-&~Tg|OGNBn{I0VaBB;JbK0|`(^%+uDqg(4Kme4Fj5`g^&8kMNSEAubR$&azwK!dPnPFMM(9U zAsUHcdl15$xxsixXMH7oHtYHDZsG>V%v$In1;k4dU!OOM^4|UPtLJ+=y z=JnuNpHKK`&!9D?;Eu(kTK!NP~IilN*thc0qVCZ;tC&P)k_?H!u*ug5Cy%OXU>riVAl=1`*#NUrP9NC;NfM3y{# 
zobw2Vo6IT?xD$5+`msxs^x7^L8w6p&$?EF#akbXI!4IF{wfk5yPO2EXM)L!aBh^M(UC z%E5E4NW&~-^uXErD!S^c5MWT$Ho{DLtkeCOzNo?vd12b<*H|fZlMwSLzl=V2AC9^W z;2QkulhB8c6joFkD#c5;88seGsUxN7a({FA==4Ge-@8A05pq-h+$JL6YSESk**5ol z{y!_m<4^xvEKM6TNa8BB&E_0(p`vMjq@1-L+N1_6)qX#W-3aa3v>; z#8PqGTGl3^)+sZ?pjaLg77jbqt!I1AQ&jY}Arb%%-jr97X+O*$0TaRoP)JJ=4WTHu zs@`B0KpRO{wMb|B%!u)Tq8Kq=?C~i(16Sl#&QH{E%E`GTr#I#sTv87Peldc%qE=^H z(T)Y4!Eg)E32_3DYg?0`VK*MXVoa#wmd;^`kl2gUCYH8aj$Lh%F-v@_n;e1#W+P{A zZmTKd;4TKGIv7*StY*cI;*1HRvPB)IXOY}WL|XZHjvmu(n=uy~J!SYO7A^P9JT|)iP^jriP>|X5SbSOv0wRn z)f%cI98@bdf0ehQ;H`L=vEH@h?M0dGwtrbIBr<@~5eP!t3U_Rb0}dz#Ae4-dy4AK; z1BINvR!TynAWBSf5T*{w@Dnn;!YIhv(25YF{@(2^B#mm+@|wQrVfLbfPiOW~X}MY6 zE26ns&tUuH{mZTtU3;(2CGRxMX7ryOXq5`5!z>5naUlA&#-;k%^Rd4>?)dNK)B*Iv zXur9 zB+Arg_AlrI9AtC9VDdhPYfsG%YFOpgPM18`McivCg&Wmk&;)&oZoqoPYi!m}=yNJF zKvQ_K)a$*oL~M?Qlv@^#-UgJg9K3$EnFIK7pLN|H+tJhgrrSi4>0hS4&)U0dT!ifJ zJ)DHy1^8uoq_{pmMq;d5;o9P#k-|bX?CI|aq1iZ_RP2Q03oYIwa4}`2RF1^6(!J;StNvVugq%T2pcL6wW zFS^>)g?*5o@7+3e-U`0!&~9TD6tEnt-5xki$RdiZJ!c30+)xao6azEih)8FxqIztO z9CpE_uL3T%&~8*Cu$OI>bw zqFhL~@_zfM?_iK;WkK$_?R$lf^YFbuf&=;uLBh3I(l>P4e-@00IaN-3#n~M_CmoGZSIXcO<2sS_7|3l=tymatBS>`jdAS^jDhE}J}m5~17Q=! zKaB+(AsECoI$tCao1Rk(!?p>CJ=~gj{%N+~sVuY?YgeN~t$!uuf5amhGZb6%BfZB! zS)AdkKN2IB0E61QAlhXvh&~}IZT7d*tK6{cvW<~)41a}6#Ffeyuc}v(XwCZhjXw0D zE+kl~k_Yhz)JQ$-T({D5FRZkas0ewe45|ZN7jGoasbzFBwTfRSQ`(_6yFa|fGylOf z6(NK4&luY#!w3(-F%}*=`IRwW{bwT!gom5>D(OV{or)A3^BUT;)h&b^gD$gF9@$Ol zY-Lr}vxJxv6dTVj<6&qU34yK`H$isfxnAua8yUE`CVJ-C*%1oRo>wZsWE`*Kreu+)n63TyPQV8KE{hH8? 
ztR%z#-S#d-ztD^n?RT~26PM*y|5+snVB0+?ch70(z3+v+*xz@GvBI*`ge-edQQ`bQ zO~~pPQm>$|F7-vb8S{hrXI$o}FnQFNJd!tC|Bh3jGTg@mKmm_rFwOt{{r@$Pt0^KG zb5&#nF(rT7jJXd8Rid0)!X}FOufhK3fo17cD1Ykmu?NN7tUqim@*;*E1(pKS8~Aqh z)D60R3Z&O_@x4KCsZD>L1S0@E0W-vKnKA@_-~7*7_&a}om9iqJ*oIf5gROxgw-hjW z48lXL5_-0wkj(_w+uhg(RL$Pkf14}^l_kSlcGpe_HMDl{F&BsD^C1zlZfod5orSzm zi&Fv0&KTm*+|%PRlw;Gqo1H13`p{srq}=CmbBLbwJigml1^E>xff7*WrNHU=IOoG@ zf2;WE!VTqqYlkSyTzTPdi(vmutw;Nf{@Fj?m&YsV$0a4a ztnD&~h4!C`S+)K%v(_%dKCL`9zjL5R1SM!DIK5F?f@-eZ>;1_ZWNVG~QNg_TD~>sF z60eZc?N@%shBzlxiheb_Dc^KCA^+ihkwy;jKFm#GPItRJ#TrTB54t{CEMmD`x>4y1 zK_{(b+U?BKHyzENW>j~rlo;c_N)kuov{20U&K5}i_%lMrwG9ltOu9_l>8p90&-JJM z|1BQSU!W=~Mxl#Ni88JgJNN1R!0kUDNJ5}43Z%iP;9Y2N!Kkyo;uG?^5A+;LEc!?z zJ5HrW4id5ttlV#hR(1bG-exicEk}>_TInOGB4sw%$?~;iL`to}nR0ml20oAv4tX9N zuw&6*i8WO$qvFu#Gn_4zCxu?bK~Rx0HW2k+>qjiEqhz)Mu*UaQGKw^ANml<~0il7a zfzEfI6HrzDjH&?`ED3~1wV9JRZ*3E5S9!HbGo-Fu{@aZy`04q{%R z6d(Yx_ZhaC?>nxfvn9VmbHlLW9EcE)i;`LNau9$xL<-1rQhc>Ii8vlK*Ff`OHz*7c z%0ra0lgXr&_r2$Ztq5pwIZ+nVE5pLw7=)r0_n=^&%kZ5ne)$C$2Qhth7X89GyLClU zZ@zdsg{<+&gW1<^=bN}flBi$SU5v?^?Jh)Jo3o-(zoSzmx$R_efP8wSP z)|?)$t;I4?p}_@jOEy213%`r%Wt#opDLtX`Jth6>c;5CvOZAVvfj|eFDJ9lQ?H^xV z`;Te_ki#XVEw1i~Yh8h1H$@w5*95($*V18-fQ}afblE8$B;yUyuZ|E*IPDR^!;{ZG z@)TbjbN3S&#?9_7uoKQsYefi)KL(*FBCh;WWm90e_gK_#F7CnKn$U|b&tx7=rdJLn z<|(!m=DF^hNPwuLPwPbu6BT4a;K&V&vypjKe^vbB{S7)H+)vx z8cbp+Co~{uV-Yb3g-M5Vvsd0aZwqXz`~gjyY>t8eoB~f(G~eVGtY_n?8l~MVl3qA% zjE3flPYK2@b|ryZRqG@6raWy~*`8m=)24hW*Zm>O4&MORl*$^7*7U{-I2xe2Ose@! 
zHmEv5zyp7Oxd2D#Tmd22WA34a{QJJTwRVY}SI-uEJ74>-@{S$kbfN0W#_8}-b0A)b z(dn^S$m!^kd22W>mLZ9`dt+FpM2)F|>#Y;I(QqPj%}4DrY!4Vb7HMs6YtCesEzLIs zNo4;cpkO&H*Hd2CF8AQq(r<|V{8@yT%J&4Rbyc43KX#CWh#*btfp=A3Ck@v+w6HiY z*6Nt-(Zi*WD8sGjeIAL z{1V+8dFLma#9;lo&wVFxI{D>5y<&RMJK@3QL@!OyP>{=d*?*tM>aB|_VrzDGwiC`^ zO|DAvXU@k5ihZpU@26>QnYjGR#Y26I`-Fi@w*zj~rcWOhn!E%eUo24n&>zE->1CwQ zLCUYLl?#Rx54f!p&tP8NNcb@2lnb?~%o@^5r!wF;e=o}m!I-=mHrtDnm?}t@$%W+D*nB`X z`lj_G*aBT99%*;KPl;-8hiDQnnOw*NxiJbS44bZS`3Xs}a5#1PDs031D|?=lQoJd1 zLLWi|K(pHPgHZs%z&wW;z1EaD_oBbqNMR&NF|<~gYP}d@;v!ryscR=H=nDQriBdci zT>8F!>_OgcG?s&|CmN)`#3;z&D(Ouq@V+kcuKP=Gq8Vav{I50>i%krpgsQ`q&${Ld zn=;=a+VCSuLdb~>8$;ySM0di=YQb^Pwf7y<1S-t+3yBW@yA8VFgg#mrivj3LLldVf zm%Ug`F8}$b0=5VX@GSp=TFK(wABBi%58Y<4>`R4yO+uNIssg>^VrAN#DzAK&I>%~! zP%z!;-zAkEYR0A~G3iKq-CwI4+Raqx=6#>~rXJ00JtuN=yj0)~{~|U0h_}y%&`|=j z7NKmbLF2Nu2X)iQVyg|CjU;7O@AO;L0JEuO0Fv=C8-3qS-_OmS4~=moVC5*hz{*x- z3MlCL-@u|GvB{dlcdr_Dzt*hY{Jv1%UjHlm9YGD&*ARw~_&jgIcZjd>lxJ1)rDfcY z_XA%*gj{V_E23nHjQW1)hcD_xbiq-CJ+k)*#+=~IA$?!d7yd8x)=S?bup3zkakhCc z)EAer%n5sgzQxm3+vW115pw?Qs_F3|{G?Jcifn_E;Y)zjselAA!0 zLSH4K-v>b$KbC%8Zg;-={zls1n97GVZq7p+DF^z1}SE3qkt_DQ$vFr8*EL6={>z{$o^$r9MnumwWR~RGN z59zY5$NM$L6TYPXSf&5y<>hxBt4|~xl8)ydr?O?ikzEwrG!gMP%W6db7(gBI2&Z0{ zzgK`KylW6z>`IM2IV-9P_aU5RV!LVsR1jRNQrHQ_}-kgurl*#YD9N~Ap-p2ZW&12|1oU*_vY3v2gzSEmK^(FX3 zy_Q%-`B%~~g@ItzN#^Gj_Rpmn6zf7Et-)A2Q-*x6mkGLK?Wfqr7S8E?l?& z00ly;);7va{Jt)^-X|5K>7+MQU{EXn8i5Tc2{@Hgly*5@(8Ze#hpslMVye9S9b10C zSo4Xm6TcBrEPART^Ld6WXvE_RWusF5pIxv;=;V{8C^s>>&mEl^1SG~DPk$TzPBRA_)u9dI5I@wpi;S7xSiT&k&S{UL6*G`oO4Ioi8IcRLRtfr8TdKs*DaNzsl$1{S)YD zJh;0s`=#qAEaqi?`MDn?=~jWo>2h-9Z_bSL4m7^DbG zDj|h4FA@wn_sf^Fc=MK8I>ncm^L{mPwN##dmP{srUP(0zX){5DB@_sWEO?0`rwBB( zr&WAQCmj>>S*KmJ?qEiR53}?@1c*Tc>7u0|@UPn(Ow``0=j}I)UcFn5vRbK^$5TjS zBBIboFdmG^e(e>E`srnEBJVOGK2%)!_F}Qwje`Ob%sh|`fp|SjklcSYariV*i#76M z#NM;<8*Rov=G_9=&l5k!XU-B%4_{Jrj;1x{ku-~%gr~HKTfd$IKX>ZeWbsC(K*J^apz~S9Ilv{7sQjA3tFHp(ccg_ 
z)|8YZ_^ugk9(qv6JV!9-f85E|b<7l+1Dkja6}NJ^Q_H8<hk8=hhD8Tp4fS8myttw>CYu-=a?DT-X!*tk(g24P? zPrX8~$dIb<{Aol+zusak_PNWR>iz-T*v)MbTya~&@#cVw^8Ur9bZkiNui*PjLeGVw z8wBfhxj&!FT|mTh6&N2*ndO;8DBMX5v^2QlY}Cpx0_%3_pA>qVpsYb&(4j&WuU`zwSCLM! zTGt8CCl>1kuYx&BAcrvrT|}Gn(RW#VG$ZLGrosLka~iaGQg zfm;392&lA;$e4%PDA*o(FU;xO_UpUHs^y*%T0cGoy;@Q&(tCpO(w-g5q6!&oXSY~) zuWdApJ3?D;Ect6epe4wzl~C>qnRz7 zX*e_D%?@4nKUo;CV<4t?;fb8yUDW(u_YqA{i$+bGkY$Yj1T7I4XJ_+ZIB{>ghJ zQ)oKqS8feJu+8I&sI--knCmvC;>0N0dAM=l6F_k|gl8auT_}^!BkOs-F8RCa^XUr( z@8b_60-^PnP7bp-%-$$ARywJyV%!wDb)$^9%1A&VZr97cRh_7R_mfpVs5|A9bO_TD zC=(aEVR(BJU@=HNDeJz(7pF=^4xttc3@t39c#R{7Yd|gH9oT$DQhaa=zjas2*RFKK zl9?a{-%1SbSBKqdX72p{n3XXE>jXXx7I|aMtT6WlrWYeH%-`UHaGa#L(((7&`>)JP zH!T$lqHVB%g}ZY`6|sFdM3nRIaTAYYA29I9U(M!@SLoHyIs<{cR7;l*!z{krS@hYF=H z&&$`z=eDAT)Jh>P;Vom~O;iE`P}@AOS3bSOco7P=QM{RJ(BVroCv~{~Sz}ye$@k}A zivveDk13em4gzP_6eX8PhS{_ol}2E{PfPxL^Uwe=rwZhjGeE%zk5N->;xZ?A)vXOf zAqI8tnKxWoUh7O#yv+f(3>kXqwY$qh!Tq+cIlqHm3Z1DHvIGmDC;GD;PqFaNQg=uu zJYT;`Mwp)$P9Od7Q)do&-*dw4+JCp?BZA@jUIQx&-1eF-i{*=DjH_Bnj~)8aN~=@4 zI<=JQhKR@Y&wlY_QQnT0n`67@hI~^sg)HF$ny_#MB$eu z?D1YE{yyb_O|Q?}pcnQt&*$GCS(Ezz4_|Kql~vHS4b$C7cS%Vr-QArc4HAO1beA*; zNOyyDNP~1pcXu~8o!`NDAD{R8zke-Z-MG#<_spI-Gqd-;u4^}e(PwbfIFcl^E;rxN z6bC?EgD-VQ%YgXzgjzA0xcyn+iN_uZ4 z!=9nVJ-!RA)qC)6I%-)UtlhTF_nL@g9YmaN3&-^h$FbkzcQn-}1M}KHrt5ULe}ut= z$2yZi#UkKH$TMejHE1Mt{`+Kz44V~R3sREE-$!jvLV z7Djp5k`WzCa0pGc4DQLUBxF^v)86bOB9-^;1m&jKltk1u262SDdEQ+M(m~2c@Kuya|O;p{$7>a>aeqR2P=-|WWI#dA{G~%YntAj;}?>F`w)NU_L zekKUHnAUT9I+LdGI))%SDbR`pI;fTlf`?ww+Eo#9-I6SBcugD&IJZedki?lngLa0tjRR!XoJgl|6fG*Mg?n9?aGn{66W%l$4 zxrf0^1qcS^hAL$aha`4z9M0CHemY$0SQc@bA$Wzk*%!kjnV!8R|Gbv^=u>;!NTdjFJcZ-2UdIxV_dT(^S_L z%Z5BXaQih!ogo=549loTE)x+)4l&pUnZ7>xby28}#cTs4ppK-$pnB`{MAn}~71J>F z6lRS;M8RGIZEdM8+^~p-d^$hF#s2tUsSot#Nh1l__sfIDvSM0D zFr?QyJWh)1%U&zxi*8;!Bj`!&M(lj+%Y5RAEEm+=o@=p-u2bDiMvGX*Q={!-1Atx^ zdCI(D{EhOe@J(TdM#Y*+`mFc zQ-Eh`P5#_?9I@?FwJW?Eb|O@|Rn!)5*Dae!$W9O+PUQ?OcG7iRK!S_!fMKKkps#!R 
zVzK+o^|9N&+e4#nC5=+%{aredk@nDK>L9#0sdIB39diyRYaXXX54Sr`zlC}!v+YFf zDgJH6WIW?~u&LB{Ds3_}La48{LutgziFPCR>~3F`d$ZH?2DOXO#GPA)Q(0Ur9;`>u zl2{!Zx|qYJ85lK*+S*1N6})bZR>?!@#X_+&Z|qHr)!yA*KFCa3Ow`szK%TRB%o)ec zgZD&qN4K__ZoNaJna?}am{ADS-V5O&>z>>uNyGw4`SVAN9f;d3VbM#ff&FOqrfC z8t$^rmQI9ze|Wj#jpd3jL@<6-UZoo+U(IK6^=}vB8LceXF*Xdu+!0zHy*(58BC#2? zR!3-*3Wc?>o}PBRdI|vz3OZOpi>DE(IZ~zK_iFuLxF8?u-QSd~Vl7S?!qH3dY`O%Vz~9En#)T-aK7Nho??RtdK$S4>*l6@By6|sW4qWSe;Dqz z)@Y=sm%%2F;kibMvM%jqrhedRwpdkQ0ft~X2JyOfi(Sdtnb~YpG+hk4oP}?+SLcpx ze`uy-aUPupZaKG=F^@b!JG z+8}-$*L@r<6KU9s57Smz_>*)>ALRqX#h^b-TdTuRQuam=%~z9}<1K4b;s${itM+9< zQDABkaXYBec3FMurj9lv7zR6n#?Wqc0e!`0(lJmXBqqK*;%jo*13jcY%tO4vwh0uC zxGyxcC?gINy4-l+8E5-!ia*SV#L29xpR&uP5$yPxaxtRn3N?-G)g@=Itc7Zstkf($ z)Rjxm5TC!I=E)=ctLKf=Y-mBiY+JysfP0x9u8ESA86(7<6bur|4sMlAhk*S2Qlv0y zxxQe$T#z{)= zR|fj+j{3I#FjRUyA~{eGi$EeW2D7NBQODsHgSMKmIWBjDoo2JdBmL)SL2jqgl+Lv1 zer9j4oRu4I|M8)2bj&nj4*oDG7-Zbw8oTw5IBz$g8Ul**mtp;yTs|Kma*d&sgGF0a ztl4q{iopb~P;RH&DP1fs0MjJMNgd_itRJq6Imd|}fDtY#?O`GB0^GO^rfw6M6aI7KN7AtGffp`e5l>hiNzAKXGCi zm%*m0K&<+%kbxVCG;>d?#hje&&wJ4vE`iEe^;amn*)6UG->4HBL32YDPedn7o7oIS zFUHyrGYUUF+Rds0;|{ww zTBmpwvF{rkZ}1!a5f;0BMPWu70NZrpD$Nno&$T_Wa$M-EC)jD4)b2y zJ{YKnoEDdAEMLKhCGvuxmZn4D?o-JGUk3<=0uIBRhZXF;#wuv<<49YYrRe9Z%k(Ph zyQUiwY=C{l(|E-!Em&x6y#FoDHm&xOCH`QxvOs2*OGEl94bmJm)q03e_0HodjDYRu z!s6ry4%IaDCJp^}h_56T08gpb7LGbw2|{Z5g79Z*;3<*&$NhV>gd(8qnI9Vx+BG3+ ziSNerpRBpR;0ipD#yvU6$@`Oq^ASWB)C6N#Y;eeXTVt^!l0X0K(nm?t%rt4K+!~z2 zspV^dhPB|U5=C$iRK@CFw;hx}Riu`#?ZYpluLuXN-u$JGMVX(yudr3({J1~ay9fRHNL+WJTiXCBPb!X$?fXvaZS2wDU64}oI5d3z>EsGLA`#C z)YsR+v!n(}y-%d&S4&!a{@TJ%Z}lf|UuWd=SI@M=!K{Bdovop1gN;}cm@>Iwx%JmK zfJPE?t{hPWM6I1~8lePA6n2|Hc7(<=?JnfX&?!0KKiz+! zyC?Qy-yfFU2=m4b?``mK6ngv}@D@y{u5oDgO8=ro#5^Kbl94=yfwJ3 zmZ7KE6|y;bb2#rbauWSD1pM7jJ29k`CT+$hP~2joLPf*TIT&;#=pc{y&A78jz8WYP zl?awOngM0Qjxw2%DiD(|yY4*o0peXMmj^;nxeWG76Fqf?q<5P=<(r_KI)~j#yXYV? 
z@$GG!Tq0UvD;B(_@{X%{Z{&}oPoq=B36!uB4v_Knz3Ck_qKky!MYDvD&0K6DXbbfF zp5jD~8YB>65zPbUf{A9>LsN@!j$dXZfE5W2)G6spo2>0gt_Zt$ESlUmUtQa@KuY9# z@!~~WrV@r-8uthJXilV1zENGzdV3R%C6aEtlZcaQvvuJdNpyyzvLn;;gkZWJX!U7| z-Sfn%m$~IFM`oeCwp7xZ{CZOE81^(tlHduXv^B&7+MZj4Qu@cuRj#yOsB2EZ>^83i z{o!hlbE~c*vv0KY?BlabBNu?&1gU?Fyku#!wL{`ab(eJ?;K3E)bYBDlsx^A8O4__6 zw`@3f=;WfzdgCUJ9-+L{mLns9aIc}(D@W~x-!OXp%1;QB%3`8rizc)*v;Kh}!i7Uc zwRw(`fC?X`iCo?+>&*RFLUvXwd>5Q2muiesW6XC+kn-(Or2|3HpKB~L!a>WKP;e-X zM?x;CRx!lGW6*WqlCW0YWskk|te-2DS~$G}8wN@N4#T2@23!aQStAxLZAar7Qqgt? zhs#HKzLOeYEzEl|LVglc-!@qnzB&+tyfGZoZ`Am{&J zX(`z@kayj~$3Yhl9CJt|1l8m}5~&Kwdf_Gnq3q_Xe-VKXQxqM7Dn3C++1)4{-#U>y zS@O=2G%z=|o%%{YO|O1J)nplbdG8JDD_@-wtFa;yl|G1>VtMg_HwaAw&A+_C;il*m zW3kC)z%puQv8t*ekaD~iIjf5k)&pgUypH2qUhFzwfr~o5=6vTe{DRgINdbHzeS27s zMkJv`xOC~xDbRS|tVgT4R|M|MY;|hCc62$iVfZ6RJ2zev zCU|EjN|{T8AHhdM*Y~^jZ+FWgD*}GVE?cj=C>(Z(Kp2FqP=QPJ-pCr-)Y1B*1hm0L z2Y6NOdRVI1wcq($j*OWYibl$xWHEalk@LnlM!@YGO%~k$@y3~DNLQGmnR(O_6aFsp zQ4|>(L9_c6#(fyoUdxPczkh@bPiBrrt27&&b0i#a0+Yn+LdT$2F_zVoZ5zv|HkS46G{aI$?@Y>4 z`90n+wQNG0Gw#jqW^>}zPvh`FMBb=JrP~SUZhr7(5@tx#wtUF;|bb&Q}VV-NUiu? 
z;kT+i;^v5)HOVGEr$^yUAqW^rBtEYnhH)BT(htx6U9;O2*7v}R55?uYLU^4G7s;x1 z^v?XGSI{r^nPtTcJA~dnxswN>KJ~!l%O1!jh~deg`J$7h4W%>-YI6qpDt)O^#`T@N zX1;E#Q?3+MYNzv{>?Gzjei65tGXSq?>+XZ;M=@cvtK1bPr+E;+QPJi+Qhcmm)Y(nA zF*XimW(p zvlAt#!;!Rz$k~qqN^}&KoT3Vcu0G5}iJ0y#U^*+H00r**V;SZ3sx9(DmRp~^xt;bq zj>nNEzJKqtpPGrFzBF(cX=QM9o14jqtjRCt@1AN1b0p}l{0n7YjREpt?b{ylS^%Ew z8IQn>_L*?DIs{41diD(G<}2-BA73OCoE|u;w?rffdJ}k*0=ZQ~wQ8mz)|)I$YWYgT z3`#QaS_UCPbB1E|lJ}c(YW*?P-`@g>=6*HTwx^8lNRo6EV&0sP-0e8?i@hl&>6agd zVKurl`Its#00%GD2ka?>T!~#b4ddsB;}#FzW7%r6RYR;=cq^P&`aCEN`L}VOfZ25- z58?Ah+`o1 zT?`SKCxJN7dq62Ubt(dJ_q&fe+#`VdALk>ottB`^>`!N>u{T{JwN5RUFQwwCu7-&9 zQ)1eBVP$e6ozoH_Gwp4SWxJF&PQk_~4brC7UD;du+?tMlcE+ra`WlfGu_$MbW`5E= z)-5?3gu(?9->uE>{df18T41OeM?sygGyua%-1EHfhNAVed~b@kh};i2U;ow6_-`3x z^>#LCL37nMqv@}2dxAqSFCfe{44(;P+rydUk5sE&zo(YrQD z!)Hv(+?%A=LS0;|^K4FXxJpZxhKO({R1`Lnh2zTWigVKo!aAw)OzknC$0=e*I0LOp z^DPFIFofZEUnv5vR-7%e31m6J1og-@IA;PM1!7+JYyN7~2Fq=RY7^;_5q?>`^yftg0Jof2 zwT7`j8S_*NnWdW9l(;)Owg4rV@|$iD=NTf@p07`4W7qz$s^i57;7 z@l!X96WBcf$AwcIe24PFZyR#6Ag+8b37O>_q}K2g%WYTjzs;y#s_!Eu>w;-w)Oa2O&+So~)M^%VNH z`%_kG(DfMlP*0i=-J{tOZ1jM{j(@*U8dAA*A}dg9jU2|@+4aJ0k`9ZLQo}0uIE~U zXqpk-><5PeYm_4uMqQP4Nb8Vxow&2>_N3CW1)tKvLtz$p;pEa|KBDM^{9Y5hanQ;i z_PY>a7)AbqVbSK`+7d>N25PZ8EGEkN0U?5gwRe{Xvv7eBaOzRQ`sE3{=1nSoQ2m~x z4OqwzOSMW6Rw8d-TZ@Z@CSho`L#|F8&QIjnia5$W*_sgU&V**WeP=X2PmoM(2TAeK zs}<=JGj+o%M5mj|WBU2GXjKBSDM6szGbLIP?VIf#c*ZU*NwOeeF2|x+@E1K1w?T%i z%rNlP!D{CKJ0wNoh}hp5p-2eA>PPu%sSw0P8^r0w>1_fGd|21pn^1d27^4dh{7W-< z;F3c;Xe;V9w9iv8P&(aaQEgo3sPdOc7!6@1mp0bSuue!AW~jr+-DavG>rF}kg%f!G zgi~%>1<5+U=JhpYrJKUHS?J9NqXUj|!f>mZ`R@RUgb-s^yDD<%2A_}*@^UU7^!wCI z3dPS3fQqkYfKVF_&>c7cqq|0neoX+{88woZbqS8+*>#RHacD#~*jx&Z$ycrHt2WPs z3wi(jTM43Og>$$O8-*6TFgw*c?%0$xsk1fjidr}x+xrbg_^-u=j>)BAkRFSxo@j>T zoLFM|SNAveHD@Z33ePDye@_UXQ#6~`^xA0{Q!v39xD>w1)1!5KgFlq?>;~`Parvn5 zIliqwU?Tj$13sfA$##OEHtfehvbkceaJ@dsq;pAL zzmLFY3A;R+JuKh)gYPB!3O|e!y>QVTzONfj`s(M8Vry?C-9IQ1L0sxKmy-!3KH$Y( zFEDo16$OLOR`aHIDWX>7bKzm7k}O?75fEtJrHa;NWalhp5X6<9|e>l7*{w 
z&QKzL;Ith1UN%)2Kss%5%nG#ZL}1SR3Qf?kDyim!$~i6z|C|Hs`+iww!G)_v1wPkH z_DG|ShML!_`4zFOYIH^F&4D-fLqtI7Acx)Y^`s?`0O)_mh6GnP-q70{kT+8js>he18C&eWeWhzP;{DS_oKqcVkLZax<) z^`7ctS0%qdshRs+>#<2SOOmYS!E_ttO-oI&MznRG;hq|)6H1X{-iw=?MU`or7SF>Z zY|u=DBO4Y&LOKA2mG45p$#~XeTx`5VMpj&+xK{?Sw-eVaftOaTq#try#Ha)P#!TEN zM_ZcRCa^C)eO#9Bl8#mEfkjPfm-?Y;|M`ku^_wUFj#fHs9A|Rg7)VSF!R}X>q*qg% zuPqVau%EhuXlkR;?skAGJsPqWT;|_Pv&iKWCi4MB2|-Tsm1@=^Z4O4qd8WRJxxLyo z;nyH_lAkO0Oih$cJJ5n(FV?O~!v9b|Mm6EV<+|}%43C$7hfU`8^+b)mgyY~SsL~Pi z@(n+)fH)qzaXB|?c6z2;|=Kaaz4* zH^O#cA>-ih006<#uV8jkpa1js?+J;<{=5_o9IXS{+{w>Q<*W7BK|-O;QnTz#Ra{oosouUtMr1S}sSIOFXSQ zGrR_XwE&M9O+sK=JFSB_&S^V040`>JL-#%PshZE9U##Lc5LvQSBTnI zD(`g|@te?qD0&$GG{$F3cEeL}Ipi~SSo;`+0bpG#blvOBr#u>W`&Vb!#N&})L2d|fL~QRTI~peGI45hKBckWdi8?A z)q(C_3q1(ZVlj`wW46VQ4icIz44gimDLa!wT&ddZrBPr7IL%n}T_%8m1uChh7qo0Y zuuISugvQgDzp}6wsE9;08IF#rwVV@G^dvdw;3pMTF<-8%c8l+;t8j{>&52<*tea=L zw&=!{?2o10ja=RyFZKHL#WqF7^k-J(rd%Luto?VAi3%#_Gczq_>ry}fCz(qoJ+!z6-@qsC3P3Bd>$(1TYSL--9CSahgaxoOFv4RWa7oGyNx1M3u;^r;p)fay zk4p_|K>9Jh?L0IE5m@T;8MN6)-(0@+riSn2RuE~rKKc|JKmSt$9s?70awc(6#)j&zEG<|=>BHDJwGdR zWp;{DmJ3GY;7m>ExxUjsh;9**pcyFx&a>1n9>edm(>;2WJI3m9+CbQU?Vs(>v_^lQ zJGawzXe?>i;vq6XBw0z@|57M{5Y7$}0H+&7qOrn541Wgq3#934whmsaw)t_~Pvi3; zS2|vaX~W7}0#aDG=BAQ}kt^;njM9E^?Y6xqNdnqW@SlH&zmu-_G|s04PMK`T59!- z|2ZzPK?v!*Lm#r~bNH`r`wJFO1A%izuTV?W@^KEL0)yjH2f_y|A?Ax+!i>p707YS1LYY>~tT3;7!Ji1TGED=jm^{g=bQ2 z1sQR3wMa-sWRGmX#)ait2u1*d&2%e*Cm3an7h)>8))~BeU13z66oao}fEo_K6~_}s zvpK=-wTrYGQG&$Il-PsSg>=5`E<_>%N(T?8yU`2Y zip9q(_S>X-^$n=0MlLcAUIP7sQFqIW)qaq#s|lAec0vR|AR#k<6NVrZUB(6PHb0fF zGOOHG2(ZrR`Yr|uIDE%)CZ65BKL_~##cX>%qQ^eRwrN_0E(2i$xa{c6b{DO|;%K$y ziG*$MK?htDoAcIY?FvSY=zC)iJOH*W*z0NWgAxgR7SE?$=}6Ae3vu<%Cr*o;dInq` zeOd3Bw}t8@;>d5mzelFlP0Q{ll>ln2=uGlIRzDQ+ArtX_=B^^k#h@S1_89$obhoGh zpNak+-nVmF&(lQuYdDKwT7{`E1+7lE1|HSQDLVC0&^^KlijPv3dshhd686w-%@N`{ zzy0lNkDGwLsPSqSL~e%_QnJ%{3fu4LaOmVkTjbYnxx z=rS?(uqmKcwh(JB2#9pPx=yVcu9t7JqF$`>380kAJL+TR20fE30{XAWGf 
zUCECgfOim*PTF#Iz+8J3g^XGIg@<4O>eI4PYwcVoE@s8|ARaEBk%-2JnZ5Z`dzVVn zT=yH$_$w5Sio#kO2SvkiL&>@=u-J&eVHvP=bq=49U90;D^j9`>05Ab z#V?B)!#UsHksFIMH2+z&^Wi_|`{xG->bo(E0tmu(gGhdo!%B<6Qe#3N-j8Omx8E75BdCz>u&(LloRS)ojSeM-n@1qT-W{WF>SOf-FUE`_d9e_yI z;1VB7;}YR0)mv{OFQnDEJx2lQIe)V^mxQa60vNv^A!62mciNvDg1Km|>XrJ>1i%eu zCH);;_|H^q$N9yNc@WpkUO}?jFyS<=gMla<&tV~S>0vwzGamXP*4$*&$=VMv?RhEN z_fz9t5PizU+LHMP(s*6)YgYy=|F@x-F+b}s#r%ha_y1m409h9b;On6%-kJYlhX3bT zS8z?v7a_XMo}0QzR||252+pS?$A$lw3O{lQ%cWE){V z+>O=!ZVePAX?inwV(+glUeNiu0Vl58CQJX_0Mb}AZ=toRR33}hO5_qRn|xK4nmmb8 z24&`dU#IWq?S47uO`iYDnyazT9p4Q{{aLNoNS+DYC`6q4{M0cqRclU;AyQvCclW-GzF@7m0BpS0udm z1?v@nFwQ!4NX*4eq~ra{Dg{8E5^z}CF#jHCb1~=W+UqD1b1?foz4o!DV>N0hy)|dc z?dph6?Py}RYNB~t5Fa%DBIu%ht!u;?Re*gv`G71lM!P2*le#m|51NDgx8c!Pp*Gk! zj5%ePe*JAt25_vc>s82jhjjTGl$O($wa)jnYYEi~Gy!(kS%Z^$7SOcCDr$#nM z^?LEH!8sau|1mOp0m?i?%7>Xcc)28YKf~@Yyp^QvT8J05wh;6lEV|AHocLAYMRwB9 zhYK_d_%`ilt^!KW)!YdxzIv1a)&+o#?VS|$_Vm0Ws(sq%Q)zHMW#x0b{P~f~{iwx* z;N%YCiMPe;Nq4g2lK2Wb63()u>-Z7UkxqBPyEtX^@q&P3cdCSE>+;+Fz7Ykg$I4h1q38 z8XIb`hT;ipew%Y)!ZvniIYJ%No-UU;HKPEvAIy1CLs+Xd z7u#))K#H`XB~;w3lB?D#H{8#KE>>|tk;IAilKL37MqLO>e*Q2)isTA6ASGcgbMjwN zbvWk;Fn;Y*JbHs<-X7Jr7!bf5@W+CPZtoXuALo5svk`x|yUa`G_*h_`FP9wgwM
    60hSLMGvl9ae9$KQ-~VZ+$@C_r`WuNVay%$?AWFHBZpMaj{;?ClO zqjm5>#&}z#%BUcRKdBbPpzV|aaRZ`T?`ge5RhoL0I8pQXL?G{Ip^@F}hDrk|<#$^{ z<5HRP+H>tSVuu)zzufVHbS+E)({Ve`mWU)S{?vM8c2-%e@f~KeNJ%W<;>K~v-CpNs zvCjP0bFEc~q9#6KT)jQjLQR&ZA>N?R=oE^f@59a3^I9inMg)N%XaSR(X^w34yBgDn zZE%9X+w-R--j??at;%BD9`g|hXIGttDyBeijMg&4t7s@YvTXi)rZ6<9a2=R}S0sd> z%|S7V8y=NyIms`b65*3yS7A~aH0xs3OO`TjyGY7?$6CzSUC-})sj7Xpk%jP@+}$y3 zhjPjKqt5mZZmJKDy(S#*eQ<}9d>(RTG-z}hUO(gMwi*VL*)u}0+$ULX zb(%j>Am6nJ0JJhgq{k{RZNbF`cR3f(#_MT^Cvz(WhT-i3emM;a5Zzs!46tTM(2vW=u3hU<5IojQG$!IvE_?JCE`CW0aOBlt zqGc21q+xMoy2FUY!Z*u{=&FHT_{MZbE53Ov&EMCZ|d1=vh4wbmNkq z7~}FfRL^Y<#fh8-opH+_%&Li1IU)^Vri+nuax z;~P5AV;5-K{JeM7;dX-d_M4;<5VnY5m8O(Sl08gDoSU_s_?k+GoxeJ$|H40K?&+AH z+u;N(j!viBxo^wUk)5}Vro!-swMxlwGGw#gMy1IaKG|_2=lQ(^LY9J~p=wKtdoO_u z39WOU@K2ng0(!^V7jxaTvzTG(;C)6K;7H3H>D*Tq=|i8173si~h_P zGq(CQp6h{mST{fvB9Hx$n>G@PX2lA=p8$G^fO(Hlz*c&Y1isTCRx+JG{DwH|{uWs~ zb~WFlQGGA%$3C<;8s%8vmxV+myz|v7Axm|P4n)KKTB7%m5mmRh4TGOJ!7sNN@b}3- zedl?a%|^li%CpuuGajhhoI)&xqVaMt$F6S5rkr-V{TRIi{sAOZ2lkf=x&n4uMx~^A5Sqk*W-HlEU6ZUU*?nbvjGqjz7A$gXcE2w}nIZF8k zvG72w_~TO3p)y-LZ_N5Zdp+tOS(M+qru#b}D1Kdc54q^( z50?(r@X@Szrb>e2ZKEreTA5a;a_%qT13S0R7X)wA#e;!hVM0uO`?`qe^Kl*!fdin5 zDav`Wne9|UKioHVSmGqWiQ#IYq&GhK3mFp0}*PeViFAd*cfizWb;FG)zSlxAk+e)MiO?kcE) zu!(|~VXh91R#`OkuJ{g*?|oLkEqH+E7s_CUGtwQ_%UU=o)hz!_P+TW9OOR983vVfR z9&!BY2ZJ!7yWpLVJh!@{pV7$LUMx13b;GQXovs)B=x5tzx_nINtk*>$;gXi)L=Cub z>+kI%R;WHacvv~QTjpGfni=k0<@FO`)N91fm^CAO#3T>=3}&|B|J#0lJXtijX(-=I z64N^IE8Cap+;aF>b7sqFd|Mlnu9Ul+Bv9?dL|pDbnrFA|@nO&I775RRCI0(VMV3yf znHrkZ_jLPfD9W1JuOBqZl8`Zsy5$t(qb=R;mgm2Pa`OgCz+rfnX+BanJ3sn{ykN*f zA}sJH#8$M!)p+2xlx6(&>hcPLrJ*l-E`E)AU8gd=MAsR?m)&_u)EN5(zt1V!ALnd8 zWm(OP{D5M#tl7Brel?K%d@AY+w%@Fm;F7<%zpuoPj$XY)g&0dD=v;;V%s^C#hTPPb z5C<;E;cUX({`#e}wIHBxHtxIelUu0DasHMEj2P~O&YNI!+MdKm zB2wK76pf;q3n%&O?h5onE>`di`-O>?@D(tYn@9nqOgEn#jmhSil z{5pJ~pWH!T`KJpDk3@{SYny~G2@Y%5EYFH?WLj4wt-~C8J@Ud&C(5AhNAb8~)!ge- z**-%j%ctbCtziXdL@f2E6pjx!T*x=eU}{bWP~%PL_(ih8hIHmvfD{VDTpZ-{(k*C% 
zp1^j6n(H7@hwD%4TZ#UEfq!x7-l5Y7ko^Px?e8P|QjS0fpVXs}GPG)eP=s~Ti|1oJ zC#icFp-*f&l(ubqXi5P>v@f7AwNeENIR|7X@tS-^NCs^Uet28+-mgf#URld@lFt>8 zwX3E(yX!}#v%B!UShiU<* zR}Z{Hl@f&kcUmC5ceUfG;s-6}He_E`7?nn;uF4+_aP6bjsK=S{OA+uhCc$9Tbp$)+ zSbA+~s^1`BS{31d;)b^1AM19`9b>s6TGa;oUa7zV}%S~ z(v9wW^?dIMYde*AB%@Gf`?+4O1n8IGGQF)v3!>4^InxIe2}P+IE*qb`+vEk-r##5D zxQw?;`C@%~TpqfSO93rgArurtDt?T%R`;8bhPV=uQWG=rWK z-GJ2`Zff?Rl?QHs%<5>}Vm2w8+Bhux3>6->hS{5MEas;ELmT)TY}5y#vhTBzKl%#>xp=1X>3$mag$!(?7fvHIvlAEw$UL;!-)O$e6x>=@M^ zZZZ1ZIf-CLAX45-wwDrRFW^-)!6A`mFR}GLV+qmSM2|vftUq1`Hro zMV;V_!~d**=Q1w6&T&9x3&4*;wnV% zg9L9Sh`ygBeD0n7K<<1s-o>KMIj~5BgZ6t#kF^KVaCkuI*TV5@-J|nEjV)fn-qQ@^ zck3@@DZ;?T8F6vKd>`F0s4M4Dnn=EuNEU3Zug6G+6I@(?!i|qS+?-TGT$q0#8dacF z7$0C74C*@wDO>xS_^Os_s#8HuZ?5=2h(IIJq1jm9iP^KM=nU04c8>$w|F5H;e+BB< z#x5I3QMcJO_mV`w(~uvQNgbCf8cOHa&i!9!y_FIuewUMz%=K4snfmYlY7O{C`wI!1YDFWt z02xO17!?Y4aNtNLl)1S%5dWe}K%Hd>fLmp^6NWy3rmPB%y?q)I5QqZQ3cDM&LVuwl zbpB?L4s}t(an?E`h+cKLUhg~|F2bg$PR{n6!fF}|>F+j&XqIQspugyXm=QZD>lUq` zukhBV(9EXn#0Y1xD2ICUb*3#u6U|Mm98B7}@|EP`Cf^gJQyq`&Y>SHLHfT0AQG56y ztjmf$4g%b6|fPpU!5n@X$YS?yr$w37qg;RcfHud-jAJf;Ovhf zE51BjY!%tOc2c=OO0zk3Qq?1PeZr}IkTzt!!aZWN2)pNuLOndy>X>v^l$-1;^CMDI zY`!3d@7DR&NeR9Pv{2yRoh<&cb51~${cKC%PH<{Q;_>L1INw8_I zK|Ha-y0vZ-y{kY0he8ts`}0d#FT;6QY;QUqKM=~-JX|>Re*SH#h%|gQeU_@Ipzy^^ z-asvUam=@&y|$2}P6X~Q_N{N4R!$49RRTSF*{k$MZ7z!iwp8wFkF za#wSc$b4zzo)Wr%`t)rqL&yW?T`9>2wZeF4&|~~339V}LDi%{g^Q)4bL!+Cb4h^Ce zszWFyxm1UPtTn41zHilX-`av7bq+SfH)C^m9)q1wcbySR<8ml@q616AG@j zV5B3E(LczJoJqHCoGfeDsHFb_BWOtEXY$Xb|GDY;Qyi0^V%AwWmk1SNio+S{e8s%{ z(eB6)7Q1lHm*StR=+A~_)y(iqhS=K@2rq96+)RHgXHA58S|z-*nk?$)h3*mmYx_T= zppOXdi=iD=PPzz{^xE74_F^yf<78gTuO{HpWe|!Z$mY13Pkl4yB2a$dE+F~0AAr?e z;X8*i5_G2pt$uy^e}?woPo&6DaMC$K6iQiTe&Sgn|4#$K8T$gJl{FJ91%IAm8OqQWQyb|6($HHgaHNV<5bp76@NCpV|JcBX z65_m)65R03?~Xaz+lLSF9zjB(Nt%Lt1noA4`TiZXU+q!-E-3G);SHkr)y$|p2re$J zsSM8t)v}itBL6)0?*!NNj>e!}7F9+2ciR6~*L{AXkHfTB`v z2`(W0$NaNY<(?0>z0lKkH_SBuS|o}K;vUCytC~vVzuW%r^97|50bA~FW!n9F=YQMY 
zI0CTcPji`4sQ-84W3hXscITA1eh;j&prCzn+1uv1kdP4N40hG$L7-_Cl#7qg{P?kS zbK@laDRIeZ@p08DFHV z@b6tTxj@sDeJi-0?ICyx&n!%SH)ii&tg;v>E|rpLafx!S^aSL;MyAsQ8UgKR$NA6I z&z5{V+l>A{)qQ7JlS|jGAW;MnX`&QCdJ`;kBoygL??_WXK&n7OO=v2DQlyB26zND0 zy+%X@RC+G~ksf*tE#!NEy|>YKzvnvVy1qZhA6`7kV*37JR-?L`4D9Pvrxv&HS zzx|?17Wjp+AXTi~FDqnr0|`2IBLWHi0>VtBQ-Sc~jZd-3B|Kq`_@y;jzB!-ZXZlrp z0Ge7;`hG*Id_75gId|c`Ms(h}8T@GjU{{-SCMVoH{}Qg5GN6SC?m#u>HP)ABWC?D_I-E$%LGxJPak$6GK8lzNgf zKi*9v!zV%853j{hXRc|pyg5IAJhdp@3xLe`4FU&ZtOod_^QI%DT1#t|VIA=OM^7E6 zlH3mbw>8yLs7}AasYHP1m0AX3bp2`-TNEx2t1|cTv_oSJNDuV_6sC z2Hkkld2(Et44OZ?L{gG+1OK}!p|vH}R=~Z+$+OYO?KPrh>bhHrU|JfQL7_$`guxf2 z*Hc#;XYRsFX&f?0F$FR(7DqU z*A0$@(o`d)yIN%1`SY=jc?BG1g+=$~s%d;|e|`NM2`MS-H>x_L>WzN6Tu0#SPGPs{ z_N`%O30yJ=N*y1jQ!C>Fre$`U1 zVo1o+a%g45^TfQzOzzHKjiKyUhiuy3dOcd6nfgZRFr8<s zvdZ~y5Znn%CkklrRCLo-#fA2Gg41juB;gr>jRn2#4+4C4E;WCN#hmj2;7Rh4haa zuR`}9VI9B5Xuz`2AELv{${me|U)L-PT&SEK$q7QapoB8*JPImZD|1-&r#`9{tQB%5 zxs)>cY-nxu4KEKhMu0C58uUX(m)k=p6Q0ey+l4H2G(f)7$``!T&yR;r&jl@%^^b+S zZ}$}<%S`7LY)YN``;tX=`)|-*q!a$B@p3m2-nRpfRuurZdoPp)t0im&g#iF8`Kaxa zwnyVX++YQ#Vf?C+JqNA}^-Tp^z5P0MFT;D^>#3Ue8wSwl`?-$zEq;#Un9UbJh?i;z zNG!%sErxI=7oSiJ|(BWU*`4`mzA_& zQ`NTaSUzWE?srpYptnubF@_NTMFAd8-PN(U zgzh?yv=m!xS-;6W$KmpG7p$jp*A(&|$@E)T$@!=F6DjAPBs0TvYML(x826uL^uGPx zd}*FZps4&R`mO}#_K`1Rs%(HBQ!s|CeqDR*?wt3_H#e*=z6~T+O-Qip7?IkcyFDY8l zfk(lMizV&ImBdv=2Q))CIP2%v8S+dk`g$Fm znUr#jN}l%S-ff3OGEGXf7~~sIRm=^%OC&Wcb!F_Vg0p>C3nZlX{COQbP^?qI=~Uq!VO_7Q(aF$!wB@2;crjPb2NQZPE}LuepV(^=6jz@c=Is`RBv_FIkhkeHrj z&3`nZu!SmJHf4VIYO&mY!K%|ZYu%ox0o`lAkazRc&Zn*$!oxpKUJw&2TX65E@Y8I^ zE+#lpaA5LvZn7rW6UQH}>LUn zVGPSdNw6h$d-T$qAnzsG!O6iHb11<_hOx`$@Xat%{##SHX}Cw*9N51z)$8VPABf{8 z4Yu`QG0Cse-oeHOH)dCkg$@tJM1adaZaygwCY8=ND(MT;HhNG;F8(20d`;7Sv^EDe zKBU3QYxRmJ15wXO%WpjCHaxp`W7}w2L7wjs2QNzLDu^R6)k01+u0veQl-k6&{{EA( zjC*G`}#(@3)0 zLmr(HnZ34Ja(5cPEA&Rs+1Oy-sUEPXd z=c>_uy<{PwXqEPpm=dYCKAFAQT8(~v0wDFkRL+B5<@^%?3iPv{B zNuOom($+3L)uK#vF^kjG zgs)PKx)VIF7T&HcfhEkreSCiUfM1pmaT;CnnkZ`KATzaDWyQg}MqLS_S0u%@_uUr! 
zMbn_?mS8E8o8Q;B%IP5~K8n^q)5-T?Wx#5OomnX^W%l)p!+^Iqxuy#Ba`pElsy)DXG>+hgWVs=j=} zy)ykRCqePEt~De^B(;E);pUB0o?bCpJXbP@JMw}|2p0PA!S1``g*fsYVH4AE`(DlZ~l1r_M-H5NGAmNdh zr(ai-TW0b-hc0g1N(j0kQ8VYOo4PI|=R?#)Y}R{)$uux0FmUQdlwPHY$i52hldq@I z3OGAClSSKKR$hiVmYx5!{P~y_QeiBQvgF6%;4x>UslnK#LJGFxP*?u!=)Fene1kRch|oO5HB&WFPy-7m1)Ty;!MZnwThS@v znVau(5>#vN(3Ky0r}yo`tBFkBP~lEp!_}|T;;)vZC}M+TWzK;5Vww#z3hCdaMlBp{ z(X(&UEQ9-=rO(>)wv0Vd&+zYa6fvJs9D3omc-3e34edf}1;?QI62nyZVD-Q(Ti6W} zS~a9zqnh0X>Z!$!9$7j&cWhWi{DE1lltN3%rbyz$4EvdF9o^Whf(+#gW=ZQs0(c{U zI2|cHcMx$CTNuZC3~{BX5DDJ+`IFRdIr@~j_h(I!8C=4nAj;@b><15Rayrl2&E@|7 z{^fDSqTv%FOpLVDmpX0*yrNo3%yl0Hl%htBh};# z%{VozZMHrBr;5CeVXLc{+(&s<(ir!<1R?JX%%=@tYjd<ZEWT$?UkxmJ9?f3K?R@meDWB@01Af)w#KO-_J*BxzwC+jjme*P z_}V^pkzutdVpTQGEN0(SDjuPdW}T^qdpAIRXB-6_(lNI@Q(#)Lx&!P9-!R)z)a`-G zIE5uYc(GE&u^+02{D`qAGHFPeeS4;1_PIqusJC8t>{l)#cAnd@mcIgO=Eyfd@O`7i zw2J32Vhngl?diVY=bPoT2X({>%A+6m=w4q{nQ3Fh@`Pp2cD&0^4pd^SV&`rs)oia@ zLC`l8eP@5{G?~@aNi`|e`r6KN3I2hzTR$r+X;PoilHGt`trIevgXLy|-H(4R^%~7J zczu@%Qkfi%9^Jc)NHb-b0`B@4d@i7|Qp4yamuyvIFuTjoAF%2k=W~ByV&aa*=r;?$ zIM(r1&gAkqlf<5!F%&zm8Di348M>z2v}0HLRVT!t3AvP2qn#pCB_Jp+n`SL2uX&9z zit>ub@FR&ha;wu!d^^@#3{s!FF;d@MG?tJ$3mcBZ4ri%rF$ck!{t=l9+OA8t_cjm) zCgI@;3ZqV^nMS%b41_Gd@WoA}yxd%ZNEcgv+D)cGle~J z?d)3I$(>wjhk!$sn#=P4zhkZJCN3ySbvktLu5 zO$lOkGzF((4mdQxbB6RCIAWye#e46Bw^4&xd)6wC;e(O)mcXdK0!DB7B8ftLe8pc{ z0YLnkpFNmlIfBfzl`YUcbHWX3XQ*P@62%AJXochjLA+6Ykk`D1DZYeb>WS0Iq6U|r zI@e>{9`+50a{77ht@uDZ=j|RXW^pdYHXE()kyq^#(o0S+gFjGA8g-OPdZ*TvPNh?Y z7hlKRvcQaBG?2N|3qTZ{_&&f$@1JCRFxGzM5y-Lfq6sw~+cssO)Qei=z zgc&G9tL?lC7+j0Pc7{*Fy^7Qc5?7j|XWe2;FJHY|x-xTiKh~U0 zX?vtcO(=u;8Rb)ZbjnNqrUq$R;!BvG5@=JRhYu(FTA#a8gOI)MCx3Ww4cmC(4$%O~ z9WJhSR@2{5+5Q-l8_Sn~o01I-(k`4jJ1{WEXo{O{r>nZYlryt`KdicPVr zSrVGutgN;@Gv%@G)^LSlk=cXQBRi%Pp?>UF86Vy7$fV)Nxtt z7f}=rwD8`sSl6ms2a`AJTT9jZtM`^_c3aOuF|XGOxSBIkeM}l&e*D;~BMLfGZcsTw zFLOrWA~kg$@r9}rqu$8|axHD#zxQG0nI0Dn5B4_gH+BZ!H;-Hct2}A5#;38ajtvYu z8DfOR1uL;^gD{^|0h0_VBRAKJkld8v+qXqH`1`@X!@ 
zLn0-5CnRZ`JY4J-i?R*|4xKZ+8TVGqfy&`7MIn0?l6MWP-&9Zep10$CBDG}YWwlk^ zqWhmORB;Dx7MnFX8sBmP38n=ieZ^!&Y~h|MwP%xnqjdB^ab z*SzbwZkClY)usZ|O|z`rs0{^9bl7M`dNR!bm+DLT1Yzsp3ceZDQVl+H2+=(E?n?AV zNVrx!L>%hY-^oSpDA@$o_czmjF%V)eZA$j*cazZu7F z;y<29den(-kqm8nP1>Uw-StfRw^FvLY9*+;7lB&7p!0$3H~WE<9*uE>sn1uu4)x^<~X7xh4HGbdi&GoRBC(Mzb0iMG8(S+L^-tW^RPt@^o_gvIH0tT6dKLE#<}0wNWTl;vx%IIZ8A1vG%uE|Ivvk0DiUQ)W)iCc2)&WOQ#j9PibCHB$O3 zDFC-lB|Ia+TV?;yMC7HzMK_JHiUbd){jE|0B5gDOxrF~9D>yZ?po_d$ zhtvls>^nPNjgjhv^CYB>t<{kFuVoK=RkDDzI{eC%Sb#oK_BRasU7x=RO2Z2D(R~In zlK(>=u~As;X0l1=9b2jec6YP<;pRhL9v;F&TwO^u0Em^0Q6nbbTE?Yt-3WplLA;k; zV*8*Ja`xdJ{-fSVaU~*F(hcWTls^&ho=Q_wZ_Ij5AMH@4SFQJE7q4ml(v$!R@k@4A zHsERxX=W;-L(ako4(Et;Bg5~P^M_Q#S?UXT&bq(!=9xUBn!e;(EiWGJaI&n1v)eI{M1Ff zMy4kL#7K`l)x*bla`l~=6fke&3dysF@c*(GW_l2@ij`%qTPyzWBmFZSjrBEu*!N`1 zoTN0#(j3;L`A2L5A|7Kvhw{%|ZykSz(6v|#W*T<%cu|~i;2u0D$zK2AkfI1U%~aNo z+!jAj;I4hp8ZT6CF`oLca2!Bk?-joAW7UozqZb}{E4F^8ko~GT44d!#T(>eQs!y!D zT<4H03ByE3-JKC~cx@Nge7wZ{J*bp`>WP8vYe&!N2_LE<^9wWP)33!ta!dBNyYJNO zjh~FVI=-x8CVB0xof!q-?M{ae{7HSx!dRRI})#gky1P`~|*m=1zyfU?yCo zPFLu)q)ow84J^0jMYVM)S(WQ!>yGy6)txv~#iHH9-oVb|*x&uTPz;oORP5pqmF`RAV z(+Kwl|2Ni>a!(dSyw(&CL>r%)-Rn1j!|pAAY*fVH*G(CEsLLWj9y7InN4QnP}$dO$q<=nEac9MFJo*5>-QF>DxUv04rB|`O@Qtn8!CXL-5jd0 zpO2u$+P@(^OGdw%rG!bQJ@j!`wU_uS?pdM)+P~-F6pI-KM;L@YbAlR-$XFY`bYO=ZKsvbS2#|^q9X0yG^-7K{B^xf7z&g?o$1T*FnM+RYqtgWx3_BvlB z+-+LMy-3cP2zD);HeEe0jU?SxyZiKHRaX2SWE zifZPcInVS7xH0BN4C=JkMqcB3BsT_z^ZT-+B^NqI`!XTC^8>|oQfB8PMYmqV%Nw_b zhX63%N}xu4kN|tG;uINr&k_7~EoAxeSa+gF1PWT5s@4*Ko1dOCm~lOXhZn1%*TY_m zZbXju<>>g>Pb$cAaixU!Ye?;V+!}zv%6qa;;s7n4S%GkC1GfVH*m4AJ zfJ#F#kaDQ9bd#8YCi0Nrcy*D0ny%Y zy2@wMYj1W!11p&}wOlVUSO~7f1RMx;VogW)29hnh3oYE0Cm}jm^Td^>>vQ)cmP^y> z#K+Z`PV7&13zTo~b!A@wv4w_`EIy?$Xd+XZbw_kU$F)o6e8q8b<}gd=dZCtzUJ3wo z#-cds7b(H|9CZex&xD-V46of_sT3xp3?RZs2CU)$r(xltbHRl}XEKF^sHZbGYos?P zH{1lmq8R7%WyHzLi;VSoP}`bC1FboHQQS-Frkakf-+X@1=g(%CVGjWjI?DhbI^5m) zaRo{D`SLpR!mJ7*S=olCR1r)+;<(R0T70G@ywex~J8_#-507vN4W#fB#oWo&N_&dS 
zGe>_X3r*TK(EPbBAPn{9WnKfwEtqC%zsza5g88;i%(f~2Mc;68w%OaH9_k=RGic(X zxT0pNWT^@KHb1h%Ikn9NQtII<6DMU>{KzPxt~w!*a;)ZuVr?o^6FZ8t2qjmUg=xCq z3fmCH_Czm4j!I(ht0kse_@4!?U!IGL{gY>ClU&x8V!5}89#C#6gH_t<1_p{Bq9Q>A zD$E5ba&i2LERNZWO*QIJ5d2iKN4fJ&lru>n*UNH+AU59kB`z*9l+Jv_{+_ar{m+`0 zC&K&4z&Hj8=C*7`&}Hfv&*3oQj=HoPkGf7D)DM;HEgiU}?$y*{iltttP^9A>Kvnnx5vhc$NXfhKsTEg~%^~{&IHMK+8Eug{j9@fK-^K zw!cyu`|csnKnWZxGb)7|Rg4IHR)Abn=z(-wgAO|9f8WVC2*g<|K11=m@`sy_vRMK~ z>&}$|r<(1|MfEh~*_jA}v{tCS+=Y5_ZcV_o5O+X;sFsHMpEM zI34ziI4%)7A{x(9%Qv`3Yfk4pkpv&@zvm-D6C?gmr&!Q_$ci-Ut#R2;eWBTyzbS*K ze^CaLlRZ3r^$lK2mGe%?6S4sT`uWBK7^!{gJeA$*GJ3V{l9?}BBn@BkjmwMP4vF1; zEf_+T-U&~bH>}11aSI8Eo!U^R?L=&Sfk)T3MdFD1 zu3H=8Z6uQ3B8geTiI((-@G2f{(@N1LMEBHge;iAQIwA<9KC9QJd`kC_T1o5)I(69@ zySKSH1&e-c6SRP!hYgQ$TZ|R+v-?&$Pdhu<|nHB?>uDZ8Xz_rI zJmg8Wk{9C_WbE?j&Q#2F?$TN2`O2x)DbF||6F5CkQBOQ|*TasKOsdoNyV?1u4pL-@ClZr&;h#A<{ALbHx4D2jcaez%lJ`Ze-u7}gu zCHE;;kU6J(2+xevb|M8d+S4g$&eHw+vcLmNyiI@M2>n=F_>Pg8>~kfeYXnH&uI`m6bs zG%r1&I3N4&>-AqQ$ob|wKy2`4u)u`oFhZ9WBDp2LB~{;D2dgQE$Fo3g@%Y`YrMyFv zMnS_UUb?AsK8Lk}jomZ#E@O^LBr08*RVp@IL7z)z{dEl!KvXS`C;J<;5wmyeuc5oB zO@ot$lGi#pGriV=a>An+({NhBdvn=Kb<0;Iyg$6;S3t>D(X117O?Omh#mPoX(G#W_aOMvQqHbNXkxu%LRdf`W)#=K zDP-U>m6EhK{0`>5^LRictQK_+T$zfgS<$5QJXGM{?_vP63%m5jls(qcr*Y5Ql@1gwS~)y4{{!-$eI9TFPv8Az`Kn z&sb)qcW$TrqE#FU?3(!*_9bv0xr;G(rwjdR#!e-<=V^EsSX1K#?Eol}2*mp7Zu43m zhaU&TP`?(3RI9mkml0*SWu1dgUkVD0xLfNqFaDi|PZLbQF4RXg^R;oMwPMVul`bU9 zODniSLCaQ3(ymahEq=_ed5U&m_PQU2Ae^~9Fmth!YBA#~XQIoCu&Nn?nwfgPUDLzp zbh<5JCTY6h<%(uJdJfp{Ri@Yko{Ltrw}hng+93!TGp-I*FG-WN^{Iqwj1zPQ_5h8uVR8KL+FlQ-8vfcd_YcD4s(*6hB&q3T{ z_$nEBg^K^N{a-97B9r{gbhAKM(J!Ds6UzM?(BI5uAmdJn3JjzH9|HZo2~AOIUWW@YX=E;(*e`klgb5DM5W zh?9MfbdnFHlqa23-$4W7r3h~DG~x?*%|i;LB_k6cWZzf%TCK=YzV_AR0sl8xtrON; zXDQMpL0=B0>ir@arE3!Qwu%zo#IwV1ag6;-x{q;pbfm~&@7G-QSWK}?`^eshSlR8W z1#XmV>FP=NZO1&b8_`AXmtu}BvByABq`!EK1k~32Jsr0fM48gCN!+$pY_WIz5^C;} zJuZq*$0ChS{(|FBjN=&Mtw1NZ*thph{!7x`oY_=M5f4V}s){J{J4fpC$`3Le?}OB- z`Ov?z7-FY9i?_I2u#AQ0LY5{By#((kA`!3HRYQ~F`a7ns+Esp@gE)WM9e#06$+pSx 
zTe&DR>2DBkfFQ*)EU{UK-BKE%Bj-SgviaCIRyUQ1)2P-nr`@BYLCr|ME_qDa-jG4rUY#fM=z0nPdYg{X&AJ-sZ$rJ zyoLRju*Z5nd$`VbhMR!!koZ4p3{93Kl+RLCXm!(r6A!- z^M?p{kLk5Q!(*ITc<_9{KQt-*;E>{e0iEReL-%-(KvxC+zh#k#2BebFyBujP`#wRv zPwvIH-FPfQkI~no!X8QvQ7x^<&`i*zn>H4PyON`tDKL1W;dfirhV|&S_BX5m}k7O8}ce*Tnsv zn-Zf7SekOiz!8nWe3eMQ&@A!7W_lFx4rvbJmBfTI`OQN3cJaSTNU$$^Na?2$ zESwfj%p3_Oj7KQ5vJoq#Yb0pt;0+FK<&-Z#76@66?iKX0^wRPq4th1^Q62Qs%ISJjn}}x zMprrMwJiDaF#;2*|8DboY{1+Snj%K_--`?$=6MV+pD4h~^Y~*d2JlbHdYtG#o@4$n<>T(B0V4Hm7F%^Zp6QQr(&d1KG;c}x&mRXte+;bSz$g^3 zI9&?CEc{%pUy>aD#XNjS2kkL_*u>|+ey>YY{?JT_&a4&2 + +if [ -z "$IP" ]; then + echo "Error: Failed to resolve IP for $METASTORE_DOMAIN" >&2 + exit 1 +fi + +jq -n --arg ip "$IP" '{"ip":$ip}' \ No newline at end of file diff --git a/aws-gov/tf/modules/sra/data_plane_hardening/firewall/provider.tf b/aws-gov/tf/modules/sra/data_plane_hardening/firewall/provider.tf new file mode 100644 index 0000000..7afdcf4 --- /dev/null +++ b/aws-gov/tf/modules/sra/data_plane_hardening/firewall/provider.tf @@ -0,0 +1,7 @@ +terraform { + required_providers { + aws = { + source = "hashicorp/aws" + } + } +} \ No newline at end of file diff --git a/aws-gov/tf/modules/sra/data_plane_hardening/firewall/variables.tf b/aws-gov/tf/modules/sra/data_plane_hardening/firewall/variables.tf new file mode 100644 index 0000000..4bb8ed9 --- /dev/null +++ b/aws-gov/tf/modules/sra/data_plane_hardening/firewall/variables.tf 
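Review bot: The `required_providers` block in firewall/provider.tf gives `source = "hashicorp/aws"` with no `version` constraint, so `terraform init` resolves whichever aws provider release is newest at run time and two applies of this module on different days can run different provider code against the firewall rules. Add a constraint pinned to the provider series the module was validated with, e.g. `version = "<tested-provider-series>"`, next to the `source` line. The same omission is in restrictive_root_bucket/provider.tf further down in this patch.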
@@ -0,0 +1,47 @@
+variable "vpc_id" {
+ type = string
+}
+
+variable "vpc_cidr_range" {
+ type = string
+}
+
+variable "public_subnets_cidr" {
+ type = list(string)
+}
+
+variable "private_subnets_cidr" {
+ type = list(string)
+}
+
+variable "private_subnet_rt" {
+ type = list(string)
+}
+
+variable "firewall_subnets_cidr" {
+ type = list(string)
+}
+
+variable "firewall_allow_list" {
+ type = list(string)
+}
+
+variable "hive_metastore_fqdn" {
+ type = string
+}
+
+variable "availability_zones" {
+ type = list(string)
+}
+
+variable "region" {
+ type = string
+}
+
+variable "resource_prefix" {
+ type = string
+}
+
+variable "firewall_protocol_deny_list" {
+ type = list(string)
+}
\ No newline at end of file
diff --git a/aws-gov/tf/modules/sra/data_plane_hardening/restrictive_root_bucket/provider.tf b/aws-gov/tf/modules/sra/data_plane_hardening/restrictive_root_bucket/provider.tf
new file mode 100644
index 0000000..7afdcf4
--- /dev/null
+++ b/aws-gov/tf/modules/sra/data_plane_hardening/restrictive_root_bucket/provider.tf
@@ -0,0 +1,7 @@
+terraform {
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ }
+ }
+}
\ No newline at end of file
diff --git a/aws-gov/tf/modules/sra/data_plane_hardening/restrictive_root_bucket/restrictive_root_bucket.tf b/aws-gov/tf/modules/sra/data_plane_hardening/restrictive_root_bucket/restrictive_root_bucket.tf
new file mode 100644
index 0000000..4e3fafc
--- /dev/null
+++ b/aws-gov/tf/modules/sra/data_plane_hardening/restrictive_root_bucket/restrictive_root_bucket.tf
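Review bot: None of the twelve variables in firewall/variables.tf carries a `description`, so the meaning of the security-relevant inputs `firewall_allow_list`, `firewall_protocol_deny_list` and `hive_metastore_fqdn` can only be recovered by reading firewall.tf, which is outside this chunk. Each of those three should at least state what its entries are matched against and what an empty list means, e.g. `description = "<what each entry is matched against, and the effect of an empty list>"` placed under `type`. Since the firewall module is the piece that decides what leaves the data plane, an unexplained allow list is the kind of input that gets widened by a later maintainer without anyone noticing.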
@@ -0,0 +1,71 @@ +// EXPLANATION: Creates a restrictive root bucket policy + +// Restrictive Bucket Policy +resource "aws_s3_bucket_policy" "databricks_bucket_restrictive_policy" { + bucket = var.root_s3_bucket + policy = jsonencode({ + Version = "2012-10-17", + Statement = [ + { + Sid = "Grant Databricks Read Access", + Effect = "Allow", + Principal = { + AWS = "arn:aws-us-gov:iam::${var.databricks_prod_aws_account_id[var.databricks_gov_shard]}:root" + }, + Action = [ + "s3:GetObject", + "s3:GetObjectVersion", + "s3:ListBucket", + "s3:GetBucketLocation" + ], + Resource = [ + "arn:aws-us-gov:s3:::${var.root_s3_bucket}/*", + "arn:aws-us-gov:s3:::${var.root_s3_bucket}" + ] + }, + { + Sid = "Grant Databricks Write Access", + Effect = "Allow", + Principal = { + AWS = "arn:aws-us-gov:iam::${var.databricks_prod_aws_account_id[var.databricks_gov_shard]}:root" + }, + Action = [ + "s3:PutObject", + "s3:DeleteObject" + ], + Resource = [ + "arn:aws-us-gov:s3:::${var.root_s3_bucket}/${var.region_name}-prod/0_databricks_dev", + "arn:aws-us-gov:s3:::${var.root_s3_bucket}/ephemeral/${var.region_name}-prod/${var.workspace_id}/*", + "arn:aws-us-gov:s3:::${var.root_s3_bucket}/${var.region_name}-prod/${var.workspace_id}.*/*", + "arn:aws-us-gov:s3:::${var.root_s3_bucket}/${var.region_name}-prod/${var.workspace_id}/databricks/init/*/*.sh", + "arn:aws-us-gov:s3:::${var.root_s3_bucket}/${var.region_name}-prod/${var.workspace_id}/user/hive/warehouse/*.db/", + "arn:aws-us-gov:s3:::${var.root_s3_bucket}/${var.region_name}-prod/${var.workspace_id}/user/hive/warehouse/*.db/*-*", + "arn:aws-us-gov:s3:::${var.root_s3_bucket}/${var.region_name}-prod/${var.workspace_id}/user/hive/warehouse/*__PLACEHOLDER__/", + "arn:aws-us-gov:s3:::${var.root_s3_bucket}/${var.region_name}-prod/${var.workspace_id}/user/hive/warehouse/*.db/*__PLACEHOLDER__/", + "arn:aws-us-gov:s3:::${var.root_s3_bucket}/${var.region_name}-prod/${var.workspace_id}/FileStore/*", + 
"arn:aws-us-gov:s3:::${var.root_s3_bucket}/${var.region_name}-prod/${var.workspace_id}/databricks/mlflow/*", + "arn:aws-us-gov:s3:::${var.root_s3_bucket}/${var.region_name}-prod/${var.workspace_id}/databricks/mlflow-*/*", + "arn:aws-us-gov:s3:::${var.root_s3_bucket}/${var.region_name}-prod/${var.workspace_id}/mlflow-*/*", + "arn:aws-us-gov:s3:::${var.root_s3_bucket}/${var.region_name}-prod/${var.workspace_id}/pipelines/*", + "arn:aws-us-gov:s3:::${var.root_s3_bucket}/${var.region_name}-prod/${var.workspace_id}/local_disk0/tmp/*", + "arn:aws-us-gov:s3:::${var.root_s3_bucket}/${var.region_name}-prod/${var.workspace_id}/tmp/*" + ] + }, + { + Sid = "AllowSSLRequestsOnly", + Effect = "Deny", + Action = ["s3:*"], + Principal = "*", + Resource = [ + "arn:aws-us-gov:s3:::${var.root_s3_bucket}/*", + "arn:aws-us-gov:s3:::${var.root_s3_bucket}" + ], + Condition = { + Bool = { + "aws:SecureTransport" = "false" + } + } + } + ] + }) +} \ No newline at end of file diff --git a/aws-gov/tf/modules/sra/data_plane_hardening/restrictive_root_bucket/variables.tf b/aws-gov/tf/modules/sra/data_plane_hardening/restrictive_root_bucket/variables.tf new file mode 100644 index 0000000..3cdbe8c --- /dev/null +++ b/aws-gov/tf/modules/sra/data_plane_hardening/restrictive_root_bucket/variables.tf @@ -0,0 +1,11 @@ +variable "region_name" { + type = string +} + +variable "root_s3_bucket" { + type = string +} + +variable "workspace_id" { + type = string +} \ No newline at end of file diff --git a/aws-gov/tf/modules/sra/databricks_account.tf b/aws-gov/tf/modules/sra/databricks_account.tf new file mode 100644 index 0000000..924b1ca --- /dev/null +++ b/aws-gov/tf/modules/sra/databricks_account.tf 
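Review bot: Both `Principal` blocks in restrictive_root_bucket.tf read `var.databricks_prod_aws_account_id[var.databricks_gov_shard]`, but the module's variables.tf in the same hunk line declares only `region_name`, `root_s3_bucket` and `workspace_id`, so unless those two variables are declared in a file not shown here, `terraform validate` rejects this module as committed. Add `variable "databricks_prod_aws_account_id" { type = map(string) }` and `variable "databricks_gov_shard" { type = string }` to variables.tf and wire them from the calling module. Also worth a comment: the 'Grant Databricks Read Access' statement allows `s3:GetObject`/`s3:ListBucket` on the whole bucket for the Databricks account root while writes are confined to the workspace prefixes, which is presumably intentional but reads as an oversight next to the word 'restrictive' in the header comment.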
@@ -0,0 +1,99 @@ +// EXPLANATION: All modules that reside at the account level + +// Billable Usage and Audit Logs +module "log_delivery" { + source = "./databricks_account/logging_configuration" + count = var.enable_logging_boolean ? 1 : 0 + providers = { + databricks = databricks.mws + } + + databricks_account_id = var.databricks_account_id + resource_prefix = var.resource_prefix +} + + +// Create Unity Catalog Metastore - No Root Storage +module "uc_init" { + count = var.metastore_exists == false ? 1 : 0 + source = "./databricks_account/uc_init" + providers = { + databricks = databricks.mws + } + + aws_account_id = var.aws_account_id + databricks_account_id = var.databricks_account_id + resource_prefix = var.resource_prefix + region = var.region + metastore_name = join("", [var.resource_prefix, "-", var.region, "-", "uc"]) +} + +// Unity Catalog Assignment +module "uc_assignment" { + source = "./databricks_account/uc_assignment" + providers = { + databricks = databricks.mws + } + + metastore_id = var.metastore_exists ? null : module.uc_init[0].metastore_id + region = var.region + workspace_id = module.databricks_mws_workspace.workspace_id + depends_on = [ + module.databricks_mws_workspace + ] +} + +// Create Databricks Workspace +module "databricks_mws_workspace" { + source = "./databricks_account/workspace" + providers = { + databricks = databricks.mws + } + + databricks_account_id = var.databricks_account_id + resource_prefix = var.resource_prefix + security_group_ids = var.custom_sg_id != null ? [var.custom_sg_id] : [aws_security_group.sg[0].id] + subnet_ids = var.custom_private_subnet_ids != null ? var.custom_private_subnet_ids : module.vpc[0].private_subnets + vpc_id = var.custom_vpc_id != null ? var.custom_vpc_id : module.vpc[0].vpc_id + cross_account_role_arn = aws_iam_role.cross_account_role.arn + bucket_name = aws_s3_bucket.root_storage_bucket.id + region = var.region + backend_rest = var.custom_workspace_vpce_id != null ? 
var.custom_workspace_vpce_id : aws_vpc_endpoint.backend_rest[0].id + backend_relay = var.custom_relay_vpce_id != null ? var.custom_relay_vpce_id : aws_vpc_endpoint.backend_relay[0].id + managed_storage_key = aws_kms_key.managed_storage.arn + workspace_storage_key = aws_kms_key.workspace_storage.arn + managed_storage_key_alias = aws_kms_alias.managed_storage_key_alias.name + workspace_storage_key_alias = aws_kms_alias.workspace_storage_key_alias.name +} + +// Service Principal +module "service_principal" { + source = "./databricks_account/service_principal" + providers = { + databricks = databricks.mws + } + + created_workspace_id = module.databricks_mws_workspace.workspace_id + workspace_admin_service_principal_name = var.workspace_admin_service_principal_name + + depends_on = [ + module.databricks_mws_workspace, + module.uc_assignment + ] +} + +// User Workspace Assignment (Admin) +module "user_assignment" { + source = "./databricks_account/user_assignment" + providers = { + databricks = databricks.mws + } + + created_workspace_id = module.databricks_mws_workspace.workspace_id + workspace_access = var.user_workspace_admin + + depends_on = [ + module.databricks_mws_workspace, + module.uc_assignment + ] +} \ No newline at end of file diff --git a/aws-gov/tf/modules/sra/databricks_account/logging_configuration/logging_configuration.tf b/aws-gov/tf/modules/sra/databricks_account/logging_configuration/logging_configuration.tf new file mode 100644 index 0000000..6b4113b --- /dev/null +++ b/aws-gov/tf/modules/sra/databricks_account/logging_configuration/logging_configuration.tf 
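Review bot: `metastore_name = join("", [var.resource_prefix, "-", var.region, "-", "uc"])` in the uc_init module call is a long way to write `metastore_name = "${var.resource_prefix}-${var.region}-uc"`, and the value appears to be dead anyway: uc_init.tf, added later in this commit, names the metastore `"${var.resource_prefix}-${var.region}-unity-catalog"` and never reads `var.metastore_name`, so the two names silently diverge. Either make uc_init.tf use `name = var.metastore_name` or drop the argument (the `aws_account_id` and `databricks_account_id` inputs passed to uc_init are likewise not referenced in its visible uc_init.tf). The `module.vpc[0]` and `aws_security_group.sg[0]` references in the workspace block depend on resources defined outside this chunk.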
@@ -0,0 +1,150 @@ +// Terraform Documentation: https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/mws_log_delivery + +// S3 Log Bucket +resource "aws_s3_bucket" "log_delivery" { + bucket = "${var.resource_prefix}-log-delivery" + force_destroy = true + tags = { + Name = "${var.resource_prefix}-log-delivery" + } +} + +// S3 Bucket Versioning +resource "aws_s3_bucket_versioning" "log_delivery" { + bucket = aws_s3_bucket.log_delivery.id + versioning_configuration { + status = "Disabled" + } +} + +// S3 Public Access Block +resource "aws_s3_bucket_public_access_block" "log_delivery" { + bucket = aws_s3_bucket.log_delivery.id + block_public_acls = true + block_public_policy = true + ignore_public_acls = true + restrict_public_buckets = true + depends_on = [aws_s3_bucket.log_delivery] +} + +// S3 Policy for Log Delivery Data +data "databricks_aws_bucket_policy" "log_delivery" { + full_access_role = aws_iam_role.log_delivery.arn + bucket = aws_s3_bucket.log_delivery.bucket +} + +// S3 Policy for Log Delivery Resources +resource "aws_s3_bucket_policy" "log_delivery" { + bucket = aws_s3_bucket.log_delivery.id + policy = jsonencode({ + "Version" : "2012-10-17", + "Statement" : [ + { + "Effect" : "Allow", + "Principal" : { + "AWS" : ["${aws_iam_role.log_delivery.arn}"] + }, + "Action" : "s3:GetBucketLocation", + "Resource" : "arn:aws-us-gov:s3:::${var.resource_prefix}-log-delivery" + }, + { + "Effect" : "Allow", + "Principal" : { + "AWS" : ["${aws_iam_role.log_delivery.arn}"] + }, + "Action" : [ + "s3:PutObject", + "s3:GetObject", + "s3:DeleteObject", + "s3:PutObjectAcl", + "s3:AbortMultipartUpload", + "s3:ListMultipartUploadParts" + ], + "Resource" : [ + "arn:aws-us-gov:s3:::${var.resource_prefix}-log-delivery", + "arn:aws-us-gov:s3:::${var.resource_prefix}-log-delivery/*" + ] + }, + { + "Effect" : "Allow", + "Principal" : { + "AWS" : ["${aws_iam_role.log_delivery.arn}"] + }, + "Action" : "s3:ListBucket", + "Resource" : 
"arn:aws-us-gov:s3:::${var.resource_prefix}-log-delivery" + } + ] + } + ) + depends_on = [ + aws_s3_bucket.log_delivery + ] +} + +// IAM Role + +// Assume Role Policy Log Delivery +data "databricks_aws_assume_role_policy" "log_delivery" { + external_id = var.databricks_account_id + for_log_delivery = true +} + + +// Log Delivery IAM Role +resource "aws_iam_role" "log_delivery" { + name = "${var.resource_prefix}-log-delivery" + description = "(${var.resource_prefix}) Log Delivery Role" + assume_role_policy = data.databricks_aws_assume_role_policy.log_delivery.json + tags = { + Name = "${var.resource_prefix}-log-delivery-role" + } +} + +// Databricks Configurations + +// Databricks Credential Configuration for Logs +resource "databricks_mws_credentials" "log_writer" { + credentials_name = "${var.resource_prefix}-log-delivery-credential" + role_arn = aws_iam_role.log_delivery.arn + depends_on = [ + aws_s3_bucket_policy.log_delivery + ] +} + +// Databricks Storage Configuration for Logs +resource "databricks_mws_storage_configurations" "log_bucket" { + account_id = var.databricks_account_id + storage_configuration_name = "${var.resource_prefix}-log-delivery-bucket" + bucket_name = aws_s3_bucket.log_delivery.bucket + depends_on = [ + aws_s3_bucket_policy.log_delivery + ] +} + +// Databricks Billable Usage Logs Configurations +resource "databricks_mws_log_delivery" "billable_usage_logs" { + account_id = var.databricks_account_id + credentials_id = databricks_mws_credentials.log_writer.credentials_id + storage_configuration_id = databricks_mws_storage_configurations.log_bucket.storage_configuration_id + delivery_path_prefix = "billable-usage-logs" + config_name = "Billable Usage Logs" + log_type = "BILLABLE_USAGE" + output_format = "CSV" + depends_on = [ + aws_s3_bucket_policy.log_delivery + ] +} + +// Databricks Audit Logs Configurations +resource "databricks_mws_log_delivery" "audit_logs" { + account_id = var.databricks_account_id + credentials_id = 
databricks_mws_credentials.log_writer.credentials_id + storage_configuration_id = databricks_mws_storage_configurations.log_bucket.storage_configuration_id + delivery_path_prefix = "audit-logs" + config_name = "Audit Logs" + log_type = "AUDIT_LOGS" + output_format = "JSON" + depends_on = [ + aws_s3_bucket_policy.log_delivery + ] +} \ No newline at end of file diff --git a/aws-gov/tf/modules/sra/databricks_account/logging_configuration/provider.tf b/aws-gov/tf/modules/sra/databricks_account/logging_configuration/provider.tf new file mode 100644 index 0000000..bdd3474 --- /dev/null +++ b/aws-gov/tf/modules/sra/databricks_account/logging_configuration/provider.tf @@ -0,0 +1,7 @@ +terraform { + required_providers { + databricks = { + source = "databricks/databricks" + } + } +} diff --git a/aws-gov/tf/modules/sra/databricks_account/logging_configuration/variables.tf b/aws-gov/tf/modules/sra/databricks_account/logging_configuration/variables.tf new file mode 100644 index 0000000..55aaac6 --- /dev/null +++ b/aws-gov/tf/modules/sra/databricks_account/logging_configuration/variables.tf @@ -0,0 +1,7 @@ +variable "resource_prefix" { + type = string +} + +variable "databricks_account_id" { + type = string +} \ No newline at end of file diff --git a/aws-gov/tf/modules/sra/databricks_account/service_principal/output.tf b/aws-gov/tf/modules/sra/databricks_account/service_principal/output.tf new file mode 100644 index 0000000..678c54b --- /dev/null +++ b/aws-gov/tf/modules/sra/databricks_account/service_principal/output.tf @@ -0,0 +1,3 @@ +output "service_principal_id" { + value = databricks_service_principal.sp.id +} \ No newline at end of file diff --git a/aws-gov/tf/modules/sra/databricks_account/service_principal/provider.tf b/aws-gov/tf/modules/sra/databricks_account/service_principal/provider.tf new file mode 100644 index 0000000..bdd3474 --- /dev/null +++ b/aws-gov/tf/modules/sra/databricks_account/service_principal/provider.tf 
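Review bot: `data "databricks_aws_bucket_policy" "log_delivery"` is declared but never referenced — the `aws_s3_bucket_policy` below is hand-written (presumably to emit `arn:aws-us-gov` ARNs) — so either use `policy = data.databricks_aws_bucket_policy.log_delivery.json` or delete the data source; as written, readers will assume it drives the policy. More importantly for an audit pipeline, the bucket receiving the `AUDIT_LOGS` and `BILLABLE_USAGE` deliveries is created with `force_destroy = true` and `aws_s3_bucket_versioning` at `status = "Disabled"`, while the delivery role is granted `s3:DeleteObject`; together these mean a `terraform destroy` or a deletion through that role removes the audit trail with no recovery path. Consider `status = "Enabled"` and gating `force_destroy` behind a variable, with a comment stating the retention expectation. The logging provider.tf, variables.tf and service_principal output.tf hunks on this line are trivial.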
@@ -0,0 +1,7 @@ +terraform { + required_providers { + databricks = { + source = "databricks/databricks" + } + } +} diff --git a/aws-gov/tf/modules/sra/databricks_account/service_principal/service_principal.tf b/aws-gov/tf/modules/sra/databricks_account/service_principal/service_principal.tf new file mode 100644 index 0000000..a7d25d5 --- /dev/null +++ b/aws-gov/tf/modules/sra/databricks_account/service_principal/service_principal.tf @@ -0,0 +1,12 @@ +// Terraform Documentation: https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/service_principal + +resource "databricks_service_principal" "sp" { + display_name = var.workspace_admin_service_principal_name + allow_cluster_create = true +} + +resource "databricks_mws_permission_assignment" "admin_sp" { + workspace_id = var.created_workspace_id + principal_id = databricks_service_principal.sp.id + permissions = ["ADMIN"] +} \ No newline at end of file diff --git a/aws-gov/tf/modules/sra/databricks_account/service_principal/variables.tf b/aws-gov/tf/modules/sra/databricks_account/service_principal/variables.tf new file mode 100644 index 0000000..118a72b --- /dev/null +++ b/aws-gov/tf/modules/sra/databricks_account/service_principal/variables.tf @@ -0,0 +1,8 @@ +variable "created_workspace_id" { + type = string +} + +variable "workspace_admin_service_principal_name" { + description = "Service principal name" + type = string +} \ No newline at end of file diff --git a/aws-gov/tf/modules/sra/databricks_account/uc_assignment/provider.tf b/aws-gov/tf/modules/sra/databricks_account/uc_assignment/provider.tf new file mode 100644 index 0000000..bdd3474 --- /dev/null +++ b/aws-gov/tf/modules/sra/databricks_account/uc_assignment/provider.tf @@ -0,0 +1,7 @@ +terraform { + required_providers { + databricks = { + source = "databricks/databricks" + } + } +} 
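Review bot: service_principal.tf creates an account-level service principal and immediately assigns it `permissions = ["ADMIN"]` on the workspace, but nothing in the file says what consumes this admin identity; the only visible consumer is the security_analysis_tool module call later in this commit, which should be stated so future readers know why an ADMIN principal exists. Suggested header comment: `// Workspace admin service principal consumed by the security_analysis_tool module (see databricks_workspace.tf); review before reusing it elsewhere.` If workspace ADMIN already covers cluster creation in this account, `allow_cluster_create = true` is redundant and can be dropped to keep the entitlement list minimal; if not, a comment explaining why it is needed separately would help. The provider.tf and variables.tf hunks on this line are trivial.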
diff --git a/aws-gov/tf/modules/sra/databricks_account/uc_assignment/uc_assignment.tf b/aws-gov/tf/modules/sra/databricks_account/uc_assignment/uc_assignment.tf new file mode 100644 index 0000000..bae1aa0 --- /dev/null +++ b/aws-gov/tf/modules/sra/databricks_account/uc_assignment/uc_assignment.tf @@ -0,0 +1,11 @@ +// Metastore Assignment + +data "databricks_metastore" "this" { + region = var.region +} + +resource "databricks_metastore_assignment" "default_metastore" { + workspace_id = var.workspace_id + metastore_id = var.metastore_id == null ? data.databricks_metastore.this.id : var.metastore_id + default_catalog_name = "hive_metastore" +} \ No newline at end of file diff --git a/aws-gov/tf/modules/sra/databricks_account/uc_assignment/variables.tf b/aws-gov/tf/modules/sra/databricks_account/uc_assignment/variables.tf new file mode 100644 index 0000000..b97ffde --- /dev/null +++ b/aws-gov/tf/modules/sra/databricks_account/uc_assignment/variables.tf @@ -0,0 +1,11 @@ +variable "metastore_id" { + type = string +} + +variable "workspace_id" { + type = string +} + +variable "region" { + type = string +} \ No newline at end of file diff --git a/aws-gov/tf/modules/sra/databricks_account/uc_init/outputs.tf b/aws-gov/tf/modules/sra/databricks_account/uc_init/outputs.tf new file mode 100644 index 0000000..6f7a596 --- /dev/null +++ b/aws-gov/tf/modules/sra/databricks_account/uc_init/outputs.tf @@ -0,0 +1,3 @@ +output "metastore_id" { + value = databricks_metastore.this.id +} \ No newline at end of file diff --git a/aws-gov/tf/modules/sra/databricks_account/uc_init/provider.tf b/aws-gov/tf/modules/sra/databricks_account/uc_init/provider.tf new file mode 100644 index 0000000..72b6ed6 --- /dev/null +++ b/aws-gov/tf/modules/sra/databricks_account/uc_init/provider.tf @@ -0,0 +1,10 @@ +terraform { + required_providers { + databricks = { + source = "databricks/databricks" + } + aws = { + source = "hashicorp/aws" + } + } +} \ No newline at end of file 
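Review bot: `uc_assignment/variables.tf` declares `metastore_id` as a bare `type = string`, yet the caller in databricks_account.tf deliberately passes `null` when `metastore_exists` is true and uc_assignment.tf branches on `var.metastore_id == null`; make that contract explicit with `default = null` and `description = "Metastore to assign; null means look up the regional metastore by var.region"`. A comment on `data "databricks_metastore" "this"` noting that the lookup is evaluated even when an id is supplied (and presumably must resolve in that case too) would also help. Separately, uc_init/provider.tf on this line declares the `aws` provider, but uc_init.tf as added in the next line contains no aws resources, so that requirement looks vestigial.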
diff --git a/aws-gov/tf/modules/sra/databricks_account/uc_init/uc_init.tf b/aws-gov/tf/modules/sra/databricks_account/uc_init/uc_init.tf new file mode 100644 index 0000000..a5d1102 --- /dev/null +++ b/aws-gov/tf/modules/sra/databricks_account/uc_init/uc_init.tf @@ -0,0 +1,8 @@ +// Terraform Documentation: https://registry.terraform.io/providers/databricks/databricks/latest/docs/guides/unity-catalog + +// Metastore +resource "databricks_metastore" "this" { + name = "${var.resource_prefix}-${var.region}-unity-catalog" + region = var.region + force_destroy = true +} \ No newline at end of file diff --git a/aws-gov/tf/modules/sra/databricks_account/uc_init/variables.tf b/aws-gov/tf/modules/sra/databricks_account/uc_init/variables.tf new file mode 100644 index 0000000..514f460 --- /dev/null +++ b/aws-gov/tf/modules/sra/databricks_account/uc_init/variables.tf @@ -0,0 +1,19 @@ +variable "aws_account_id" { + type = string +} + +variable "resource_prefix" { + type = string +} + +variable "databricks_account_id" { + type = string +} + +variable "metastore_name" { + type = string +} + +variable "region" { + type = string +} \ No newline at end of file diff --git a/aws-gov/tf/modules/sra/databricks_account/user_assignment/provider.tf b/aws-gov/tf/modules/sra/databricks_account/user_assignment/provider.tf new file mode 100644 index 0000000..bdd3474 --- /dev/null +++ b/aws-gov/tf/modules/sra/databricks_account/user_assignment/provider.tf @@ -0,0 +1,7 @@ +terraform { + required_providers { + databricks = { + source = "databricks/databricks" + } + } +} diff --git a/aws-gov/tf/modules/sra/databricks_account/user_assignment/user_assignment.tf b/aws-gov/tf/modules/sra/databricks_account/user_assignment/user_assignment.tf new file mode 100644 index 0000000..066c00f --- /dev/null +++ b/aws-gov/tf/modules/sra/databricks_account/user_assignment/user_assignment.tf 
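Review bot: `force_destroy = true` on `databricks_metastore.this` in uc_init.tf is documented by the provider as destroying the metastore regardless of its contents, which for a security reference module deserves at least a comment and more likely a variable, e.g. `force_destroy = var.metastore_force_destroy` with a `false` default declared in variables.tf. The `metastore_name`, `aws_account_id` and `databricks_account_id` variables declared in uc_init/variables.tf on this line are not referenced by uc_init.tf, so the name the caller computes is not the name that gets created. The user_assignment/provider.tf hunk is trivial.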
@@ -0,0 +1,11 @@ +// Terraform Documentation: https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/service_principal + +data "databricks_user" "workspace_access" { + user_name = var.workspace_access +} + +resource "databricks_mws_permission_assignment" "workspace_access" { + workspace_id = var.created_workspace_id + principal_id = data.databricks_user.workspace_access.id + permissions = ["ADMIN"] +} \ No newline at end of file diff --git a/aws-gov/tf/modules/sra/databricks_account/user_assignment/variables.tf b/aws-gov/tf/modules/sra/databricks_account/user_assignment/variables.tf new file mode 100644 index 0000000..f062416 --- /dev/null +++ b/aws-gov/tf/modules/sra/databricks_account/user_assignment/variables.tf @@ -0,0 +1,7 @@ +variable "created_workspace_id" { + type = string +} + +variable "workspace_access" { + type = string +} diff --git a/aws-gov/tf/modules/sra/databricks_account/workspace/outputs.tf b/aws-gov/tf/modules/sra/databricks_account/workspace/outputs.tf new file mode 100644 index 0000000..066bdef --- /dev/null +++ b/aws-gov/tf/modules/sra/databricks_account/workspace/outputs.tf @@ -0,0 +1,7 @@ +output "workspace_url" { + value = databricks_mws_workspaces.this.workspace_url +} + +output "workspace_id" { + value = databricks_mws_workspaces.this.workspace_id +} \ No newline at end of file diff --git a/aws-gov/tf/modules/sra/databricks_account/workspace/provider.tf b/aws-gov/tf/modules/sra/databricks_account/workspace/provider.tf new file mode 100644 index 0000000..1d847d2 --- /dev/null +++ b/aws-gov/tf/modules/sra/databricks_account/workspace/provider.tf @@ -0,0 +1,7 @@ +terraform { + required_providers { + databricks = { + source = "databricks/databricks" + } + } +} \ No newline at end of file diff --git a/aws-gov/tf/modules/sra/databricks_account/workspace/variables.tf b/aws-gov/tf/modules/sra/databricks_account/workspace/variables.tf new file mode 100644 index 0000000..cf1cc18 --- /dev/null 
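Review bot: The documentation comment at the top of user_assignment.tf points at the `service_principal` resource page, but the file uses `data "databricks_user"` and `databricks_mws_permission_assignment`; replace it with `// Terraform Documentation: https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/mws_permission_assignment`. A one-line comment on the assignment stating that the named user becomes a workspace `ADMIN` (the same level the service principal receives) would make the privilege grant visible to anyone skimming the module. The workspace outputs.tf and provider.tf hunks on this line are trivial.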
+++ b/aws-gov/tf/modules/sra/databricks_account/workspace/variables.tf @@ -0,0 +1,55 @@ +variable "bucket_name" { + type = string +} + +variable "cross_account_role_arn" { + type = string +} + +variable "databricks_account_id" { + type = string +} + +variable "resource_prefix" { + type = string +} + +variable "region" { + type = string +} + +variable "security_group_ids" { + type = list(string) +} + +variable "subnet_ids" { + type = list(string) +} + +variable "vpc_id" { + type = string +} + +variable "backend_rest" { + type = string +} + +variable "backend_relay" { + type = string +} + +variable "managed_storage_key" { + type = string +} + +variable "workspace_storage_key" { + type = string +} + +variable "managed_storage_key_alias" { + type = string +} + +variable "workspace_storage_key_alias" { + type = string +} \ No newline at end of file diff --git a/aws-gov/tf/modules/sra/databricks_account/workspace/workspace.tf b/aws-gov/tf/modules/sra/databricks_account/workspace/workspace.tf new file mode 100644 index 0000000..185be7d --- /dev/null +++ b/aws-gov/tf/modules/sra/databricks_account/workspace/workspace.tf 
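Review bot: None of the variables in workspace/variables.tf has a `description`, and the names `backend_rest` and `backend_relay` do not reveal that they carry AWS VPC endpoint ids (workspace.tf in the next line passes them to `aws_vpc_endpoint_id`). Add e.g. `description = "ID of the AWS VPC endpoint used for the Databricks REST API (back-end PrivateLink)"` on `backend_rest` and the equivalent for `backend_relay`, and document on `managed_storage_key`/`workspace_storage_key` that they expect KMS key ARNs, as the caller passes `aws_kms_key.*.arn`.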
@@ -0,0 +1,99 @@ +// Terraform Documentation: https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/mws_workspaces + + +// Wait on Credential Due to Race Condition +// https://kb.databricks.com/en_US/terraform/failed-credential-validation-checks-error-with-terraform +resource "null_resource" "previous" {} + +resource "time_sleep" "wait_30_seconds" { + depends_on = [null_resource.previous] + + create_duration = "30s" +} + +// Credential Configuration +resource "databricks_mws_credentials" "this" { + role_arn = var.cross_account_role_arn + credentials_name = "${var.resource_prefix}-credentials" + depends_on = [time_sleep.wait_30_seconds] +} + +// Storage Configuration +resource "databricks_mws_storage_configurations" "this" { + account_id = var.databricks_account_id + bucket_name = var.bucket_name + storage_configuration_name = "${var.resource_prefix}-storage" +} + +// Backend REST VPC Endpoint Configuration +resource "databricks_mws_vpc_endpoint" "backend_rest" { + account_id = var.databricks_account_id + aws_vpc_endpoint_id = var.backend_rest + vpc_endpoint_name = "${var.resource_prefix}-vpce-backend-${var.vpc_id}" + region = var.region +} + +// Backend Rest VPC Endpoint Configuration +resource "databricks_mws_vpc_endpoint" "backend_relay" { + account_id = var.databricks_account_id + aws_vpc_endpoint_id = var.backend_relay + vpc_endpoint_name = "${var.resource_prefix}-vpce-relay-${var.vpc_id}" + region = var.region +} + +// Network Configuration +resource "databricks_mws_networks" "this" { + account_id = var.databricks_account_id + network_name = "${var.resource_prefix}-network" + security_group_ids = var.security_group_ids + subnet_ids = var.subnet_ids + vpc_id = var.vpc_id + vpc_endpoints { + dataplane_relay = [databricks_mws_vpc_endpoint.backend_relay.vpc_endpoint_id] + rest_api = [databricks_mws_vpc_endpoint.backend_rest.vpc_endpoint_id] + } +} + +// Managed Key Configuration +resource "databricks_mws_customer_managed_keys" 
"managed_storage" { + account_id = var.databricks_account_id + aws_key_info { + key_arn = var.managed_storage_key + key_alias = var.managed_storage_key_alias + } + use_cases = ["MANAGED_SERVICES"] +} + +// Workspace Storage Key Configuration +resource "databricks_mws_customer_managed_keys" "workspace_storage" { + account_id = var.databricks_account_id + aws_key_info { + key_arn = var.workspace_storage_key + key_alias = var.workspace_storage_key_alias + } + use_cases = ["STORAGE"] +} + +// Private Access Setting Configuration +resource "databricks_mws_private_access_settings" "pas" { + private_access_settings_name = "${var.resource_prefix}-PAS" + region = var.region + public_access_enabled = true + private_access_level = "ACCOUNT" +} + +// Workspace Configuration +resource "databricks_mws_workspaces" "this" { + account_id = var.databricks_account_id + aws_region = var.region + workspace_name = var.resource_prefix + # deployment_name = "development-company-A" // Deployment name for the workspace URL. This is not enabled by default on an account. Please reach out to your Databricks representative for more information. + credentials_id = databricks_mws_credentials.this.credentials_id + storage_configuration_id = databricks_mws_storage_configurations.this.storage_configuration_id + network_id = databricks_mws_networks.this.network_id + private_access_settings_id = databricks_mws_private_access_settings.pas.private_access_settings_id + managed_services_customer_managed_key_id = databricks_mws_customer_managed_keys.managed_storage.customer_managed_key_id + storage_customer_managed_key_id = databricks_mws_customer_managed_keys.workspace_storage.customer_managed_key_id + pricing_tier = "ENTERPRISE" + depends_on = [databricks_mws_networks.this] +} \ No newline at end of file diff --git a/aws-gov/tf/modules/sra/databricks_workspace.tf b/aws-gov/tf/modules/sra/databricks_workspace.tf new file mode 100644 index 0000000..531354b --- /dev/null 
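Review bot: `public_access_enabled = true` in `databricks_mws_private_access_settings.pas` leaves the workspace front end reachable from the public internet even though the back end is routed through the relay and REST VPC endpoints configured just above; that is a legitimate choice, but in a security reference module it should be an explicit input with a comment, e.g. `public_access_enabled = var.public_access_enabled // true: front end reachable from the internet; pair with the ip_access_list module` (declare the variable in workspace/variables.tf). Note also that workspace.tf uses `null_resource` and `time_sleep` while workspace/provider.tf (earlier hunk) declares only the databricks provider, so the `null` and `time` providers are resolved implicitly and unpinned. The comment over `databricks_mws_vpc_endpoint.backend_relay` reads 'Backend Rest VPC Endpoint Configuration', a copy-paste of the block above; it should say relay.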
+++ b/aws-gov/tf/modules/sra/databricks_workspace.tf 
@@ -0,0 +1,156 @@ +// EXPLANATION: All modules that reside at the workspace level + +// Creates a Workspace Isolated Catalog +module "uc_catalog" { + source = "./databricks_workspace/workspace_security_modules/uc_catalog" + providers = { + databricks = databricks.created_workspace + } + + databricks_account_id = var.databricks_account_id + aws_account_id = var.aws_account_id + resource_prefix = var.resource_prefix + uc_catalog_name = "${var.resource_prefix}-catalog-${module.databricks_mws_workspace.workspace_id}" + workspace_id = module.databricks_mws_workspace.workspace_id + workspace_catalog_admin = var.workspace_catalog_admin + + depends_on = [ + module.databricks_mws_workspace, module.uc_assignment + ] +} + +// Create Read-Only Storage Location for Data Bucket & External Location +module "uc_external_location" { + count = var.enable_read_only_external_location_boolean ? 1 : 0 + source = "./databricks_workspace/workspace_security_modules/uc_external_location" + providers = { + databricks = databricks.created_workspace + } + + databricks_account_id = var.databricks_account_id + aws_account_id = var.aws_account_id + resource_prefix = var.resource_prefix + read_only_data_bucket = var.read_only_data_bucket + read_only_external_location_admin = var.read_only_external_location_admin + + depends_on = [ + module.databricks_mws_workspace, module.uc_assignment + ] +} + +// Workspace Admin Configuration +module "admin_configuration" { + count = var.enable_admin_configs_boolean ? 
1 : 0 + source = "./databricks_workspace/workspace_security_modules/admin_configuration" + providers = { + databricks = databricks.created_workspace + } + + depends_on = [ + module.databricks_mws_workspace + ] +} + +// Token Management +module "token_management" { + source = "./databricks_workspace/workspace_security_modules/token_management" + providers = { + databricks = databricks.created_workspace + } + + depends_on = [ + module.databricks_mws_workspace + ] +} + +// Secret Management +module "secret_management" { + source = "./databricks_workspace/workspace_security_modules/secret_management" + providers = { + databricks = databricks.created_workspace + } + + depends_on = [ + module.databricks_mws_workspace + ] +} + +// IP Access Lists - Optional +module "ip_access_list" { + source = "./databricks_workspace/workspace_security_modules/ip_access_list" + count = var.enable_ip_boolean ? 1 : 0 + providers = { + databricks = databricks.created_workspace + } + + ip_addresses = var.ip_addresses + + depends_on = [ + module.databricks_mws_workspace + ] +} + +// Create Create Cluster - Optional +module "cluster_configuration" { + source = "./databricks_workspace/workspace_security_modules/cluster_configuration" + count = var.enable_cluster_boolean ? 1 : 0 + providers = { + databricks = databricks.created_workspace + } + + compliance_security_profile_egress_ports = var.compliance_security_profile_egress_ports + secret_config_reference = module.secret_management.config_reference + resource_prefix = var.resource_prefix + depends_on = [ + module.databricks_mws_workspace, module.secret_management + ] +} + +// Public Preview - System Table Schemas - Optional +module "public_preview_system_table" { + source = "./databricks_workspace/public_preview/system_schema/" + count = var.enable_system_tables_schema_boolean ? 
1 : 0 + providers = { + databricks = databricks.created_workspace + } + + depends_on = [ + module.databricks_mws_workspace + ] +} + +// SAT Implementation - Optional +module "security_analysis_tool" { + source = "./databricks_workspace/solution_accelerators/security_analysis_tool/aws" + count = var.enable_sat_boolean ? 1 : 0 + providers = { + databricks = databricks.created_workspace + } + + databricks_url = module.databricks_mws_workspace.workspace_url + workspace_PAT = module.service_principal.service_principal_id + workspace_id = module.databricks_mws_workspace.workspace_id + account_console_id = var.databricks_account_id + client_id = var.client_id + client_secret = var.client_secret + use_sp_auth = true + + depends_on = [ + module.databricks_mws_workspace, module.service_principal + ] +} + +// System Tables Schemas - Optional +module "audit_log_alerting" { + source = "./databricks_workspace/solution_accelerators/system_tables_audit_log/" + count = var.enable_audit_log_alerting ? 1 : 0 + providers = { + databricks = databricks.created_workspace + } + + alert_emails = [var.user_workspace_admin] + + depends_on = [ + module.databricks_mws_workspace, module.uc_assignment + ] +} \ No newline at end of file diff --git a/aws-gov/tf/modules/sra/databricks_workspace/public_preview/system_schema/provider.tf b/aws-gov/tf/modules/sra/databricks_workspace/public_preview/system_schema/provider.tf new file mode 100644 index 0000000..1d847d2 --- /dev/null +++ b/aws-gov/tf/modules/sra/databricks_workspace/public_preview/system_schema/provider.tf @@ -0,0 +1,7 @@ +terraform { + required_providers { + databricks = { + source = "databricks/databricks" + } + } +} \ No newline at end of file diff --git a/aws-gov/tf/modules/sra/databricks_workspace/public_preview/system_schema/system_schema.tf b/aws-gov/tf/modules/sra/databricks_workspace/public_preview/system_schema/system_schema.tf new file mode 100644 index 0000000..617dffb --- /dev/null 
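Review bot: The security_analysis_tool call passes `workspace_PAT = module.service_principal.service_principal_id`, but the SAT module's own variables.tf (last hunk of this chunk) describes `workspace_PAT` as 'PAT should look like dapixxxx', so a principal id is being supplied where a token is expected; if `use_sp_auth = true` makes the value unused, say so in a comment, otherwise this is a misconfiguration that only surfaces at SAT run time. The `client_secret = var.client_secret` passthrough also means the root module variable must be marked `sensitive` for plan output to redact it. Minor: the comment `// Create Create Cluster - Optional` has a doubled word, and `// System Tables Schemas - Optional` sits above the `audit_log_alerting` module rather than the system-schema one.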
+++ b/aws-gov/tf/modules/sra/databricks_workspace/public_preview/system_schema/system_schema.tf @@ -0,0 +1,25 @@ +// Terraform Documentation: https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/system_schema + +resource "databricks_system_schema" "access" { + schema = "access" +} + +resource "databricks_system_schema" "billing" { + schema = "billing" +} + +resource "databricks_system_schema" "compute" { + schema = "compute" +} + +resource "databricks_system_schema" "workflow" { + schema = "workflow" +} + +resource "databricks_system_schema" "marketplace" { + schema = "marketplace" +} + +resource "databricks_system_schema" "storage" { + schema = "storage" +} diff --git a/aws-gov/tf/modules/sra/databricks_workspace/solution_accelerators/security_analysis_tool/aws/provider.tf b/aws-gov/tf/modules/sra/databricks_workspace/solution_accelerators/security_analysis_tool/aws/provider.tf new file mode 100644 index 0000000..a683b8d --- /dev/null +++ b/aws-gov/tf/modules/sra/databricks_workspace/solution_accelerators/security_analysis_tool/aws/provider.tf @@ -0,0 +1,14 @@ +terraform { + required_providers { + databricks = { + source = "databricks/databricks" + } + } +} + +module "common" { + source = "../common/" + account_console_id = var.account_console_id + workspace_id = var.workspace_id + sqlw_id = var.sqlw_id +} diff --git a/aws-gov/tf/modules/sra/databricks_workspace/solution_accelerators/security_analysis_tool/aws/secrets.tf b/aws-gov/tf/modules/sra/databricks_workspace/solution_accelerators/security_analysis_tool/aws/secrets.tf new file mode 100644 index 0000000..21a0178 --- /dev/null +++ b/aws-gov/tf/modules/sra/databricks_workspace/solution_accelerators/security_analysis_tool/aws/secrets.tf 
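Review bot: security_analysis_tool/aws/provider.tf contains a `module "common"` block alongside `required_providers`; keeping module composition in a file named provider.tf hides where `module.common.secret_scope_id` (used by secrets.tf in the next line) comes from, so move the block to a main or sat.tf file. The system_schema.tf and system_schema/provider.tf hunks on this line simply mirror the earlier public_preview files into aws-gov and need no change beyond the provider pin already raised.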
@@ -0,0 +1,19 @@
+### AWS Specific Secrets
+
+resource "databricks_secret" "use_sp_auth" {
+ key = "use-sp-auth"
+ string_value = var.use_sp_auth
+ scope = module.common.secret_scope_id
+}
+
+resource "databricks_secret" "client_id" {
+ key = "client-id"
+ string_value = var.client_id
+ scope = module.common.secret_scope_id
+}
+
+resource "databricks_secret" "client_secret" {
+ key = "client-secret"
+ string_value = var.client_secret
+ scope = module.common.secret_scope_id
+}
diff --git a/aws-gov/tf/modules/sra/databricks_workspace/solution_accelerators/security_analysis_tool/aws/variables.tf b/aws-gov/tf/modules/sra/databricks_workspace/solution_accelerators/security_analysis_tool/aws/variables.tf
new file mode 100644
index 0000000..a3cccad
--- /dev/null
+++ b/aws-gov/tf/modules/sra/databricks_workspace/solution_accelerators/security_analysis_tool/aws/variables.tf
@@ -0,0 +1,49 @@ +variable "databricks_url" { + description = "Should look like https://.cloud.databricks.com" + type = string +} + +variable "workspace_id" { + description = "Should be the string of numbers in the workspace URL arg (e.g. https://.cloud.databricks.com/?o=1234567890123456)" + type = string +} + +variable "workspace_PAT" { + description = "PAT should look like dapixxxxxxxxxxxxxxxxxxxx" + type = string +} + +variable "account_console_id" { + description = "Databricks Account Console ID" + type = string +} + +variable "sqlw_id" { + type = string + description = "16 character SQL Warehouse ID: Type new to have one created or enter an existing SQL Warehouse ID" + validation { + condition = can(regex("^(new|[a-f0-9]{16})$", var.sqlw_id)) + error_message = "Format 16 characters (0-9 and a-f). For more details reference: https://docs.databricks.com/administration-guide/account-api/iam-role.html." + } + default = "new" +} + +### AWS Specific Variables + +variable "use_sp_auth" { + description = "Authenticate with Service Principal OAuth tokens instead of user and password" + type = bool + default = false +} + +variable "client_id" { + description = "Service Principal Application (client) ID" + type = string + default = "value" +} + +variable "client_secret" { + description = "SP Secret" + type = string + default = "value" +} diff --git a/aws-gov/tf/modules/sra/databricks_workspace/solution_accelerators/security_analysis_tool/common/data.tf b/aws-gov/tf/modules/sra/databricks_workspace/solution_accelerators/security_analysis_tool/common/data.tf new file mode 100644 index 0000000..6cdd79d --- /dev/null +++ b/aws-gov/tf/modules/sra/databricks_workspace/solution_accelerators/security_analysis_tool/common/data.tf 
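Review bot: `client_secret` and `workspace_PAT` are declared without `sensitive = true`, so their values are printed in plan/apply output and in the diff of the `databricks_secret` resources that store them; add `sensitive = true` to both variable blocks. The `default = "value"` on `client_id` and `client_secret` also means a caller that sets `use_sp_auth = true` but omits the credentials silently stores the literal string `value` in the secret scope — drop those defaults, or add a `validation` that rejects the placeholder when `use_sp_auth` is true. Separately, the `workspace_PAT` description says the value should look like `dapi…`, yet the aws-gov sra module on this page passes `module.service_principal.service_principal_id` for it, and neither `databricks_url` nor `workspace_PAT` is consumed by any file in this patch as far as I can see; either the description or the caller appears wrong and the unused variables deserve a comment or removal.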
@@ -0,0 +1,13 @@
+data "databricks_current_user" "me" {}
+
+data "databricks_node_type" "smallest" {
+ local_disk = true
+ min_cores = 4
+ gb_per_core = 8
+ photon_worker_capable = true
+ photon_driver_capable = true
+}
+
+data "databricks_spark_version" "latest_lts" {
+ long_term_support = true
+}
diff --git a/aws-gov/tf/modules/sra/databricks_workspace/solution_accelerators/security_analysis_tool/common/jobs.tf b/aws-gov/tf/modules/sra/databricks_workspace/solution_accelerators/security_analysis_tool/common/jobs.tf
new file mode 100644
index 0000000..047a810
--- /dev/null
+++ b/aws-gov/tf/modules/sra/databricks_workspace/solution_accelerators/security_analysis_tool/common/jobs.tf
@@ -0,0 +1,59 @@ +resource "databricks_job" "initializer" { + name = "SAT Initializer Notebook (one-time)" + new_cluster { + num_workers = 5 + spark_version = data.databricks_spark_version.latest_lts.id + node_type_id = data.databricks_node_type.smallest.id + runtime_engine = "PHOTON" + dynamic "gcp_attributes" { + for_each = var.gcp_impersonate_service_account == "" ? [] : [var.gcp_impersonate_service_account] + content { + google_service_account = var.gcp_impersonate_service_account + } + } + } + + library { + pypi { + package = "dbl-sat-sdk" + } + } + + notebook_task { + notebook_path = "${databricks_repo.security_analysis_tool.path}/notebooks/security_analysis_initializer" + } + +} + +resource "databricks_job" "driver" { + name = "SAT Driver Notebook" + new_cluster { + num_workers = 5 + spark_version = data.databricks_spark_version.latest_lts.id + node_type_id = data.databricks_node_type.smallest.id + runtime_engine = "PHOTON" + dynamic "gcp_attributes" { + for_each = var.gcp_impersonate_service_account == "" ? [] : [var.gcp_impersonate_service_account] + content { + google_service_account = var.gcp_impersonate_service_account + } + } + } + + library { + pypi { + package = "dbl-sat-sdk" + } + } + + notebook_task { + notebook_path = "${databricks_repo.security_analysis_tool.path}/notebooks/security_analysis_driver" + } + + schedule { + #E.G. At 08:00:00am, on every Monday, Wednesday and Friday, every month; For more: http://www.quartz-scheduler.org/documentation/quartz-2.3.0/tutorials/crontrigger.html + quartz_cron_expression = "0 0 8 ? * Mon,Wed,Fri" + # The system default is UTC; For more: https://en.wikipedia.org/wiki/List_of_tz_database_time_zones + timezone_id = "America/New_York" + } +} diff --git a/aws-gov/tf/modules/sra/databricks_workspace/solution_accelerators/security_analysis_tool/common/outputs.tf b/aws-gov/tf/modules/sra/databricks_workspace/solution_accelerators/security_analysis_tool/common/outputs.tf new file mode 100644 index 0000000..11dda97 
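Review bot: Both `databricks_job.initializer` and `databricks_job.driver` install `dbl-sat-sdk` from PyPI with no version pin, so every cluster start pulls whatever is latest and the code behind the scheduled driver can change without a reviewed commit; pin it, e.g. `package = "dbl-sat-sdk==<pinned-version>"`, and bump it deliberately. The `dynamic "gcp_attributes"` block is gated on `var.gcp_impersonate_service_account`, which defaults to `""` in common/variables.tf and is not set by the aws wrapper on this page, so in an AWS GovCloud module it is dead weight carried over from the GCP variant; drop it, or add `# GCP-only: no-op on AWS unless gcp_impersonate_service_account is set` so the next reader does not wonder.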
--- /dev/null
+++ b/aws-gov/tf/modules/sra/databricks_workspace/solution_accelerators/security_analysis_tool/common/outputs.tf
@@ -0,0 +1,4 @@
+output "secret_scope_id" {
+ value = databricks_secret_scope.sat.id
+ description = "ID of the created secret scope to add more secrets if necessary"
+}
diff --git a/aws-gov/tf/modules/sra/databricks_workspace/solution_accelerators/security_analysis_tool/common/provider.tf b/aws-gov/tf/modules/sra/databricks_workspace/solution_accelerators/security_analysis_tool/common/provider.tf
new file mode 100644
index 0000000..1d847d2
--- /dev/null
+++ b/aws-gov/tf/modules/sra/databricks_workspace/solution_accelerators/security_analysis_tool/common/provider.tf
@@ -0,0 +1,7 @@
+terraform {
+ required_providers {
+ databricks = {
+ source = "databricks/databricks"
+ }
+ }
+}
\ No newline at end of file
diff --git a/aws-gov/tf/modules/sra/databricks_workspace/solution_accelerators/security_analysis_tool/common/repo.tf b/aws-gov/tf/modules/sra/databricks_workspace/solution_accelerators/security_analysis_tool/common/repo.tf
new file mode 100644
index 0000000..87c1dc5
--- /dev/null
+++ b/aws-gov/tf/modules/sra/databricks_workspace/solution_accelerators/security_analysis_tool/common/repo.tf
@@ -0,0 +1,5 @@
+#Make sure Files in Repos option is enabled in Workspace Admin Console > Workspace Settings
+
+resource "databricks_repo" "security_analysis_tool" {
+ url = "https://github.com/databricks-industry-solutions/security-analysis-tool.git"
+}
diff --git a/aws-gov/tf/modules/sra/databricks_workspace/solution_accelerators/security_analysis_tool/common/secrets.tf b/aws-gov/tf/modules/sra/databricks_workspace/solution_accelerators/security_analysis_tool/common/secrets.tf
new file mode 100644
index 0000000..40ef89d
--- /dev/null
+++ b/aws-gov/tf/modules/sra/databricks_workspace/solution_accelerators/security_analysis_tool/common/secrets.tf
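Review bot: `databricks_repo.security_analysis_tool` in repo.tf clones the upstream GitHub repository with no `branch` or `tag`, so the notebooks that `databricks_job.initializer` and `databricks_job.driver` execute are whatever sits at the remote default branch at clone time, and a later update of the repo changes the code that runs with the SAT token's privileges without any reviewed change here. Pin a released tag, `tag = "<release-tag>"`, and move it forward as a deliberate commit. The clone presumably also needs outbound access to github.com from the workspace, which a locked-down GovCloud deployment with the firewall module enabled may not allow — worth confirming and stating in the aws-gov README.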
@@ -0,0 +1,32 @@ +resource "databricks_secret_scope" "sat" { + name = var.secret_scope_name +} + +resource "databricks_secret" "user_email" { + key = "user-email-for-alerts" + string_value = var.notification_email == "" ? data.databricks_current_user.me.user_name : var.notification_email + scope = databricks_secret_scope.sat.id +} + +resource "databricks_token" "pat" { + lifetime_seconds = 86400 * 365 + comment = "Security Analysis Tool" +} + +resource "databricks_secret" "pat" { + key = "sat-token-${var.workspace_id}" + string_value = databricks_token.pat.token_value + scope = databricks_secret_scope.sat.id +} + +resource "databricks_secret" "account_console_id" { + key = "account-console-id" + string_value = var.account_console_id + scope = databricks_secret_scope.sat.id +} + +resource "databricks_secret" "sql_warehouse_id" { + key = "sql-warehouse-id" + string_value = var.sqlw_id == "new" ? databricks_sql_endpoint.new[0].id : data.databricks_sql_warehouse.old[0].id + scope = databricks_secret_scope.sat.id +} diff --git a/aws-gov/tf/modules/sra/databricks_workspace/solution_accelerators/security_analysis_tool/common/sql_warehouse.tf b/aws-gov/tf/modules/sra/databricks_workspace/solution_accelerators/security_analysis_tool/common/sql_warehouse.tf new file mode 100644 index 0000000..91b4dae --- /dev/null +++ b/aws-gov/tf/modules/sra/databricks_workspace/solution_accelerators/security_analysis_tool/common/sql_warehouse.tf @@ -0,0 +1,18 @@ +resource "databricks_sql_endpoint" "new" { + count = var.sqlw_id == "new" ? 1 : 0 + name = "SAT Warehouse" + cluster_size = "Small" + max_num_clusters = 1 + + tags { + custom_tags { + key = "owner" + value = data.databricks_current_user.me.alphanumeric + } + } +} + +data "databricks_sql_warehouse" "old" { + count = var.sqlw_id == "new" ? 0 : 1 + id = var.sqlw_id +} 
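Review bot: `databricks_token.pat` is minted with `lifetime_seconds = 86400 * 365` and stored under `sat-token-${var.workspace_id}`, while the `queries_and_alerts.json` added by the same patch ships a `long_lifetime_token_generation` alert that flags any PAT over 72 hours — the accelerator will trip the repo's own detection on first apply, and the year-long `token_value` also lives in Terraform state. The aws wrapper on this page sets `use_sp_auth = true` and stores OAuth `client_id`/`client_secret`, so on that path the PAT may be redundant; if the SAT notebooks still require it, shorten the lifetime, e.g. `lifetime_seconds = 86400 * 30`, and add a comment naming who rotates it. Making `databricks_token.pat` and `databricks_secret.pat` conditional on `use_sp_auth` would be cleaner, but I cannot confirm from this patch whether the notebooks read the token regardless of the auth mode.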
diff --git a/aws-gov/tf/modules/sra/databricks_workspace/solution_accelerators/security_analysis_tool/common/variables.tf b/aws-gov/tf/modules/sra/databricks_workspace/solution_accelerators/security_analysis_tool/common/variables.tf new file mode 100644 index 0000000..9a99283 --- /dev/null +++ b/aws-gov/tf/modules/sra/databricks_workspace/solution_accelerators/security_analysis_tool/common/variables.tf @@ -0,0 +1,36 @@ +variable "account_console_id" { + type = string + description = "Databricks Account ID" +} + +variable "workspace_id" { + description = "Should be the string of numbers in the workspace URL arg (e.g. https://.azuredatabricks.net/?o=1234567890123456)" +} + +variable "sqlw_id" { + type = string + description = "16 character SQL Warehouse ID: Type new to have one created or enter an existing SQL Warehouse ID" + validation { + condition = can(regex("^(new|[a-f0-9]{16})$", var.sqlw_id)) + error_message = "Format 16 characters (0-9 and a-f). For more details reference: https://docs.databricks.com/administration-guide/account-api/iam-role.html." + } + default = "new" +} + +variable "secret_scope_name" { + description = "Name of secret scope for SAT secrets" + type = string + default = "sat_scope" +} + +variable "notification_email" { + type = string + description = "Optional user email for notifications. If not specified, current user's email will be used" + default = "" +} + +variable "gcp_impersonate_service_account" { + type = string + description = "GCP Service Account to impersonate (e.g. xyz-sa-2@project.iam.gserviceaccount.com)" + default = "" +} diff --git a/aws-gov/tf/modules/sra/databricks_workspace/solution_accelerators/system_tables_audit_log/job.tf b/aws-gov/tf/modules/sra/databricks_workspace/solution_accelerators/system_tables_audit_log/job.tf new file mode 100644 index 0000000..7dee1cf --- /dev/null +++ b/aws-gov/tf/modules/sra/databricks_workspace/solution_accelerators/system_tables_audit_log/job.tf 
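Review bot: `variable "workspace_id"` has no `type` argument, unlike every other variable in this file, so a mistyped input is accepted and implicitly converted; add `type = string` for consistency and to fail early. Its description also tells the user to read the value from a `https://.azuredatabricks.net/?o=…` URL, a leftover from the Azure variant — in an aws-gov module it should mirror the `cloud.databricks.com` form used in aws/variables.tf. `gcp_impersonate_service_account` likewise looks inherited from the GCP variant and is not set by the aws wrapper on this page; a `# GCP-only` comment or removal would make that explicit.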
@@ -0,0 +1,34 @@ +resource "databricks_job" "this" { + name = "System Tables" + + dynamic "task" { + for_each = local.alerts + content { + task_key = task.value + + sql_task { + warehouse_id = local.warehouse_id + alert { + alert_id = databricks_sql_alert.alert[task.value].id + + dynamic "subscriptions" { + for_each = var.alert_emails + content { + user_name = subscriptions.value + } + } + } + } + } + } + + schedule { + quartz_cron_expression = "1 1 * * * ?" + timezone_id = "UTC" + } + + tags = { + project = "system-tables" + owner = data.databricks_current_user.me.user_name + } +} \ No newline at end of file diff --git a/aws-gov/tf/modules/sra/databricks_workspace/solution_accelerators/system_tables_audit_log/main.tf b/aws-gov/tf/modules/sra/databricks_workspace/solution_accelerators/system_tables_audit_log/main.tf new file mode 100644 index 0000000..182aa32 --- /dev/null +++ b/aws-gov/tf/modules/sra/databricks_workspace/solution_accelerators/system_tables_audit_log/main.tf @@ -0,0 +1,14 @@ +data "databricks_current_user" "me" {} + +locals { + qa_data = jsondecode(file("${path.module}/queries_and_alerts.json"))["queries_and_alerts"] + directories = toset(compact(flatten([for k in local.qa_data : [k.parent, try(k.alert.parent, null)]]))) + queries = toset([for k in local.qa_data : k.name]) + alerts = toset([for k in local.qa_data : k.name if try(k.alert, null) != null]) + data_map = { for k in local.qa_data : k.name => k } +} + +resource "databricks_directory" "this" { + for_each = local.directories + path = "${data.databricks_current_user.me.home}/${each.value}" +} \ No newline at end of file diff --git a/aws-gov/tf/modules/sra/databricks_workspace/solution_accelerators/system_tables_audit_log/provider.tf b/aws-gov/tf/modules/sra/databricks_workspace/solution_accelerators/system_tables_audit_log/provider.tf new file mode 100644 index 0000000..1d847d2 --- /dev/null 
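Review bot: `databricks_directory.this` in main.tf roots every query and alert folder at `data.databricks_current_user.me.home`, i.e. the home of whichever identity runs `terraform apply`; given the `databricks.created_workspace` provider alias this module is invoked with elsewhere on this page, that is probably the deployment service principal, whose home folder workspace admins will not normally browse and whose objects become hard to manage if that principal is removed. Consider a shared workspace path, e.g. a new variable defaulting to `data.databricks_current_user.me.home` but overridable to a location admins own, so the audit alerts stay discoverable across principal rotation. The same home-relative placement also governs `databricks_job.this` ownership via the `owner` tag in job.tf, so the two hunks should move together.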
+++ b/aws-gov/tf/modules/sra/databricks_workspace/solution_accelerators/system_tables_audit_log/provider.tf @@ -0,0 +1,7 @@ +terraform { + required_providers { + databricks = { + source = "databricks/databricks" + } + } +} \ No newline at end of file diff --git a/aws-gov/tf/modules/sra/databricks_workspace/solution_accelerators/system_tables_audit_log/queries_and_alerts.json b/aws-gov/tf/modules/sra/databricks_workspace/solution_accelerators/system_tables_audit_log/queries_and_alerts.json new file mode 100644 index 0000000..eec87a3 --- /dev/null +++ b/aws-gov/tf/modules/sra/databricks_workspace/solution_accelerators/system_tables_audit_log/queries_and_alerts.json @@ -0,0 +1,664 @@ +{ + "queries_and_alerts": [ + { + "name": "repeated_failed_login_attempts", + "description": "Repeated failed login attempts could indicate an attacker trying to brute force access to your lakehouse. The following query can be used to detect repeated failed login attempts over a 60 minute period within the last 24 hours.", + "query": "SELECT WINDOW(event_time, '60 minutes').start AS window_start, WINDOW(event_time, '60 minutes').end AS window_end, ifnull(user_identity.email, request_params.user) AS email, collect_set(action_name) AS action_names, collect_set(response.error_message) AS error_messages, collect_set(response.status_code) AS response_codes, count(*) AS total FROM system.access.audit WHERE action_name IN ('aadBrowserLogin', 'aadTokenLogin', 'certLogin', 'jwtLogin', 'login', 'oidcBrowserLogin', 'samlLogin', 'tokenLogin') AND response.status_code IN (401, 403) AND WINDOW(event_time, '60 minutes').end >= current_timestamp() - INTERVAL 24 HOURS GROUP BY 1, 2, 3 ORDER BY total DESC", + "parent": "system_tables/audit/admin/queries/", + "alert": { + "name": "repeated_failed_login_attempts", + "options": { + "column": "total", + "custom_body": "

    There have been the following failed login attempts within the last 24 hours:


    {{QUERY_RESULT_TABLE}}
    Link to query
    Link to alert", + "custom_subject": "Alert {{ALERT_NAME}} changed status to {{ALERT_STATUS}} because the number of unexpected events is {{ALERT_CONDITION}} than {{ALERT_THRESHOLD}}", + "muted": false, + "op": ">", + "value": "1" + }, + "rearm": "3600", + "parent": "system_tables/audit/admin/alerts/" + } + }, + { + "name": "failed_login_attempts_last_90_days", + "description": "Repeated failed login attempts could indicate an attacker trying to brute force access to your lakehouse.", + "query": "SELECT event_date, ifnull(user_identity.email, request_params.user) AS email, workspace_id, action_name, count(*) AS num_failed_logins FROM system.access.audit WHERE event_date >= current_date() - INTERVAL 90 DAYS AND action_name IN ('aadBrowserLogin', 'aadTokenLogin', 'certLogin', 'jwtLogin', 'login', 'oidcBrowserLogin', 'samlLogin', 'tokenLogin') AND response.status_code IN (401, 403) GROUP BY 1, 2, 3, 4 ORDER BY event_date DESC", + "parent": "system_tables/audit/admin/queries/" + }, + { + "name": "changes_to_admin_users", + "description": "Databricks account and workspace admins should be limited to a few very trusted individuals responsible for managing the deployment. The granting of new admin privileges should be reviewed. 
The following query can be used to detect changes to admin users within the last 24 hours.", + "query": "SELECT event_time, workspace_id, user_identity.email, lower(replace(audit_level, '_LEVEL', '')) AS account_or_workspace, action_name, request_params.targetUserName, request_params.targetGroupName, count(*) AS total FROM system.access.audit WHERE event_time >= current_timestamp() - INTERVAL 24 HOURS AND (action_name IN ('setAccountAdmin', 'changeAccountOwner', 'setAdmin', 'removeAdmin') OR (action_name IN ('addPrincipalToGroup', 'removePrincipalFromGroup') AND request_params.targetGroupName = 'admins')) GROUP BY 1, 2, 3, 4, 5, 6, 7 ORDER BY event_time DESC", + "parent": "system_tables/audit/admin/queries/", + "alert": { + "name": "changes_to_admin_users", + "options": { + "column": "total", + "custom_body": "

    There have been the following changes to admin users within the last 24 hours:


    {{QUERY_RESULT_TABLE}}
    Link to query
    Link to alert", + "custom_subject": "Alert {{ALERT_NAME}} changed status to {{ALERT_STATUS}} because the number of unexpected events is {{ALERT_CONDITION}} than {{ALERT_THRESHOLD}}", + "muted": false, + "op": ">", + "value": "0" + }, + "rearm": "3600", + "parent": "system_tables/audit/admin/alerts/" + } + }, + { + "name": "changes_to_workspace_configuration", + "description": "Many workspace-level configurations perform a security-enforcing function. The following SQL query can be used to detect changes in workspace configuration within the last 24 hours.", + "query": "SELECT event_time, user_identity.email, workspace_id, request_params.workspaceConfKeys, request_params.workspaceConfValues, count(*) AS total FROM system.access.audit WHERE action_name = 'workspaceConfEdit' AND event_time >= current_timestamp() - INTERVAL 24 HOURS GROUP BY 1, 2, 3, 4, 5 ORDER BY event_time DESC", + "parent": "system_tables/audit/admin/queries/", + "alert": { + "name": "changes_to_workspace_configuration", + "options": { + "column": "total", + "custom_body": "

    There have been the following changes to workspace configurations within the last 24 hours:


    {{QUERY_RESULT_TABLE}}
    Link to query
    Link to alert", + "custom_subject": "Alert {{ALERT_NAME}} changed status to {{ALERT_STATUS}} because the number of unexpected events is {{ALERT_CONDITION}} than {{ALERT_THRESHOLD}}", + "muted": false, + "op": ">", + "value": "0" + }, + "rearm": "3600", + "parent": "system_tables/audit/admin/alerts/" + } + }, + { + "name": "data_downloads_from_control_plane", + "description": "Databricks allows customers to configure whether they want users to be able to download notebook or SQL query results, but some customers might want to monitor and report rather than prevent entirely. The following query can be used to detect high numbers of downloads of results from notebooks, Databricks SQL, Unity Catalog volumes and MLflow, as well as the exporting of notebooks in formats that may contain query results within the last 24 hours.", + "query": "with downloads AS (SELECT WINDOW(event_time, '60 minutes').start AS window_start, WINDOW(event_time, '60 minutes').end AS window_end, user_identity.email, collect_set(workspace_id) AS workspace_ids, collect_set(service_name) AS service_names, collect_set(action_name) AS action_names, count(*) AS total FROM system.access.audit WHERE event_time >= current_timestamp() - INTERVAL 24 HOURS AND (action_name IN ('downloadPreviewResults', 'downloadLargeResults', 'filesGet', 'getModelVersionDownloadUri', 'getModelVersionSignedDownloadUri') OR (action_name = 'workspaceExport' AND request_params.workspaceExportFormat != 'SOURCE') OR (action_name = 'downloadQueryResult' AND request_params.fileType != 'arrows')) GROUP BY 1, 2, 3) SELECT * FROM downloads WHERE total > 20 ORDER BY total DESC", + "parent": "system_tables/audit/admin/queries/", + "alert": { + "name": "data_downloads_from_control_plane", + "options": { + "column": "total", + "custom_body": "

    There have been the following high number of downloads from the control plane within the last 24 hours:


    {{QUERY_RESULT_TABLE}}
    Link to query
    Link to alert", + "custom_subject": "Alert {{ALERT_NAME}} changed status to {{ALERT_STATUS}} because the number of unexpected events is {{ALERT_CONDITION}} than {{ALERT_THRESHOLD}}", + "muted": false, + "op": ">", + "value": "20" + }, + "rearm": "3600", + "parent": "system_tables/audit/admin/alerts/" + } + }, + { + "name": "data_downloads_from_control_plane_last_90_days", + "description": "Spikes in the number of downloads could indicate attempts to exfiltrate data.", + "query": "SELECT event_date, ifnull(user_identity.email, request_params.user) AS email, workspace_id, action_name, count(*) AS number_of_downloads FROM system.access.audit WHERE event_time >= current_date() - INTERVAL 90 DAYS AND (action_name IN ('downloadPreviewResults', 'downloadLargeResults', 'filesGet', 'getModelVersionDownloadUri', 'getModelVersionSignedDownloadUri') OR (action_name = 'workspaceExport' AND request_params.workspaceExportFormat != 'SOURCE') OR (action_name = 'downloadQueryResult' AND request_params.fileType != 'arrows')) GROUP BY 1, 2, 3, 4 ORDER BY event_date DESC", + "parent": "system_tables/audit/admin/queries/" + }, + { + "name": "ip_access_list_failures", + "description": "Databricks allows customers to configure IP Access Lists to restrict access to their account & workspaces. However, they may want to monitor and be alerted whenever access is attempted from an untrusted network. 
The following query can be used to detect all IpAccessDenied and accountIpAclsValidationFailed events within the last 24 hours.", + "query": "SELECT WINDOW(event_time, '60 minutes').start AS window_start, WINDOW(event_time, '60 minutes').end AS window_end, workspace_id, ifnull(user_identity.email, request_params.user) AS email, source_ip_address, collect_set(action_name) AS action_names, collect_set(response.error_message) AS error_messages, collect_set(request_params.path) AS urls, collect_set(response.status_code) AS status_codes, count(*) AS total FROM system.access.audit WHERE event_time >= current_timestamp() - INTERVAL 24 HOURS AND action_name IN ('IpAccessDenied', 'accountIpAclsValidationFailed') GROUP BY 1, 2, 3, 4, 5 ORDER BY total DESC", + "parent": "system_tables/audit/admin/queries/", + "alert": { + "name": "ip_access_list_failures", + "options": { + "column": "total", + "custom_body": "

    There have been the following attempts to access the control plane from unauthorized networks within the last 24 hours:


    {{QUERY_RESULT_TABLE}}
    Link to query
    Link to alert", + "custom_subject": "Alert {{ALERT_NAME}} changed status to {{ALERT_STATUS}} because the number of unexpected events is {{ALERT_CONDITION}} than {{ALERT_THRESHOLD}}", + "muted": false, + "op": ">", + "value": "0" + }, + "rearm": "3600", + "parent": "system_tables/audit/admin/alerts/" + } + }, + { + "name": "ip_access_list_failures_last_90_days", + "description": "Repeated IP access list failures could indicate attempts to brute force access to your lakehouse, or internal users trying to connect from untrusted networks.", + "query": "SELECT event_date, workspace_id, source_ip_address, count(*) AS number_of_failures FROM system.access.audit WHERE event_date >= current_date() - INTERVAL 90 DAYS AND action_name IN ('IpAccessDenied', 'accountIpAclsValidationFailed') GROUP BY 1, 2, 3 ORDER BY event_date DESC", + "parent": "system_tables/audit/admin/queries/" + }, + { + "name": "ip_access_list_changes", + "description": "Databricks allows customers to configure IP access lists to restrict access to their account & workspaces. However, they may want to monitor and be alerted whenever thos IP access lists change. The following query can be used to detect all createIpAccessList, deleteIpAccessList and updateIpAccessList events within the last 24 hours.", + "query": "SELECT event_time, user_identity.email, workspace_id, action_name, request_params.ipAccessListId, response.status_code, count(*) AS total FROM system.access.audit WHERE event_time >= current_timestamp() - INTERVAL 24 HOURS AND action_name IN ('createIpAccessList', 'deleteIpAccessList', 'updateIpAccessList') GROUP BY 1, 2, 3, 4, 5, 6 ORDER BY event_time DESC", + "parent": "system_tables/audit/admin/queries/", + "alert": { + "name": "ip_access_list_changes", + "options": { + "column": "total", + "custom_body": "

    There have been the following attempts to change the IP access list settings of a workspace within the last 24 hours:


    {{QUERY_RESULT_TABLE}}
    Link to query
    Link to alert", + "custom_subject": "Alert {{ALERT_NAME}} changed status to {{ALERT_STATUS}} because the number of unexpected events is {{ALERT_CONDITION}} than {{ALERT_THRESHOLD}}", + "muted": false, + "op": ">", + "value": "0" + }, + "rearm": "3600", + "parent": "system_tables/audit/admin/alerts/" + } + }, + { + "name": "databricks_access_to_customer_workspaces", + "description": "This query can be used to detect logins to your workspace via the Databricks support process. This access is tied to a support ticket while also complying with your workspace configuration that may disable such access. The following query can be used to detect Databricks access to your workspaces within the last 24 hours.", + "query": "SELECT event_time, workspace_id, request_params.user, request_params.approver, request_params.duration, request_params.reason, count(*) AS total FROM system.access.audit WHERE event_time >= current_timestamp() - INTERVAL 24 HOURS AND action_name = 'databricksAccess' GROUP BY 1, 2, 3, 4, 5, 6 ORDER BY event_time DESC", + "parent": "system_tables/audit/admin/queries/", + "alert": { + "name": "databricks_access_to_customer_workspaces", + "options": { + "column": "total", + "custom_body": "

    There have been the following logins to your workspaces from Databricks employees within the last 24 hours:


    {{QUERY_RESULT_TABLE}}
    Link to query
    Link to alert", + "custom_subject": "Alert {{ALERT_NAME}} changed status to {{ALERT_STATUS}} because the number of unexpected events is {{ALERT_CONDITION}} than {{ALERT_THRESHOLD}}", + "muted": false, + "op": ">", + "value": "0" + }, + "rearm": "3600", + "parent": "system_tables/audit/admin/alerts/" + } + }, + { + "name": "databricks_access_to_customer_workspaces_last_90_days", + "description": "All logins to your workspace via the Databricks support process. This access is tied to a support ticket while also complying with your workspace configuration that may disable such access.", + "query": "SELECT event_time, workspace_id, request_params.user, request_params.approver, request_params.duration, request_params.reason, count(*) AS total FROM system.access.audit WHERE event_time >= current_date() - INTERVAL 90 DAYS AND action_name = 'databricksAccess' GROUP BY 1, 2, 3, 4, 5, 6 ORDER BY event_time DESC", + "parent": "system_tables/audit/admin/queries/" + }, + { + "name": "terms_of_service_changes", + "description": "As Databricks rolls out new products and features, customers may occassionally have to agree to changes in our Terms of Service before they can opt-in to the new feature. Some customers might want to monitor when an account admin accepts such terms of service changes. The following SQL query can be used to detect any acceptance or sending of Terms of Service changes within the last 24 hours", + "query": "SELECT event_time, user_identity.email, request_params.account_id, if(isnotnull(request_params.workspace_id), request_params.workspace_id, workspace_id) AS workspace_id, action_name, count(*) AS total FROM system.access.audit WHERE event_time >= current_timestamp() - INTERVAL 24 HOURS AND action_name IN ('acceptTos', 'sendTos') GROUP BY 1, 2, 3, 4, 5 ORDER BY event_time DESC", + "parent": "system_tables/audit/admin/queries/", + "alert": { + "name": "terms_of_service_changes", + "options": { + "column": "total", + "custom_body": "

    There have been the following Terms of Service changes detected within the last 24 hours:


    {{QUERY_RESULT_TABLE}}
    Link to query
    Link to alert", + "custom_subject": "Alert {{ALERT_NAME}} changed status to {{ALERT_STATUS}} because the number of unexpected events is {{ALERT_CONDITION}} than {{ALERT_THRESHOLD}}", + "muted": false, + "op": ">", + "value": "0" + }, + "rearm": "3600", + "parent": "system_tables/audit/admin/alerts/" + } + }, + { + "name": "account_settings_changes", + "description": "Many account-level settings perform a security-enforcing function. The following SQL query can be used to detect changes in account level settings within the last 24 hours.", + "query": "SELECT event_time, user_identity.email, account_id, request_params.settingTypeName AS setting_name, request_params.settingValueForAudit AS setting_value, count(*) AS total FROM system.access.audit WHERE event_time >= current_timestamp() - INTERVAL 24 HOURS AND audit_level = 'ACCOUNT_LEVEL' AND service_name = 'accounts' AND action_name = 'setSetting' GROUP BY 1, 2, 3, 4, 5 ORDER BY event_time DESC", + "parent": "system_tables/audit/admin/queries/", + "alert": { + "name": "account_settings_changes", + "options": { + "column": "total", + "custom_body": "

    There have been the following account settings changes detected within the last 24 hours:


    {{QUERY_RESULT_TABLE}}
    Link to query
    Link to alert", + "custom_subject": "Alert {{ALERT_NAME}} changed status to {{ALERT_STATUS}} because the number of unexpected events is {{ALERT_CONDITION}} than {{ALERT_THRESHOLD}}", + "muted": false, + "op": ">", + "value": "0" + }, + "rearm": "3600", + "parent": "system_tables/audit/admin/alerts/" + } + }, + { + "name": "global_init_script_changes", + "description": "Global init scripts run arbitrary code that is executed on every cluster. This can be a very powerful capability but with great power comes great responsibility. The following SQL query can be used to detect the creation, update and deletion of global init scripts within the last 24 hours.", + "query": "SELECT event_time, workspace_id, user_identity.email, source_ip_address, action_name, request_params.name, request_params.script_id, request_params.enabled, request_params.`script-SHA256`, response.status_code, count(*) AS total FROM system.access.audit WHERE event_time >= current_timestamp() - INTERVAL 24 HOURS AND service_name = 'globalInitScripts' GROUP BY 1, 2, 3, 4, 5, 6, 7, 8, 9, 10 ORDER BY event_time DESC", + "parent": "system_tables/audit/admin/queries/", + "alert": { + "name": "global_init_script_changes", + "options": { + "column": "total", + "custom_body": "

    There have been the following changes to global init scripts within the last 24 hours:


    {{QUERY_RESULT_TABLE}}
    Link to query
    Link to alert", + "custom_subject": "Alert {{ALERT_NAME}} changed status to {{ALERT_STATUS}} because the number of unexpected events is {{ALERT_CONDITION}} than {{ALERT_THRESHOLD}}", + "muted": false, + "op": ">", + "value": "0" + }, + "rearm": "3600", + "parent": "system_tables/audit/admin/alerts/" + } + }, + { + "name": "install_library_on_all_clusters", + "description": "Installing libraries on all clusters is an anti-pattern. Customers should use cluster-scoped or notebook-scoped libraries for many different reasons including but not limited to transparency, recreatability, reliability and security. The following SQL query can be used to detect any attempts to install libraries on all clusters within the last 24 hours.", + "query": "SELECT event_time, workspace_id, user_identity.email, request_params.library, response.status_code, count(*) AS total FROM system.access.audit WHERE event_time >= current_timestamp() - INTERVAL 24 HOURS AND service_name = 'clusterLibraries' AND action_name = 'installLibraryOnAllClusters' GROUP BY 1, 2, 3, 4, 5 ORDER BY event_time DESC", + "parent": "system_tables/audit/admin/queries/", + "alert": { + "name": "install_library_on_all_clusters", + "options": { + "column": "total", + "custom_body": "

    There have been the following attempts to install libraries on all clusters detected within the last 24 hours:


    {{QUERY_RESULT_TABLE}}
    Link to query
    Link to alert",
+ "custom_subject": "Alert {{ALERT_NAME}} changed status to {{ALERT_STATUS}} because the number of unexpected events is {{ALERT_CONDITION}} than {{ALERT_THRESHOLD}}",
+ "muted": false,
+ "op": ">",
+ "value": "0"
+ },
+ "rearm": "3600",
+ "parent": "system_tables/audit/admin/alerts/"
+ }
+ },
+ {
+ "name": "mount_point_creation",
+ "description": "Mount points are considered an anti-pattern because mount points do not have the same strong data governance features as external locations or volumes in Unity Catalog. The following query can be used to detect new mount points created or changed within the last 24 hours",
+ "query": "SELECT WINDOW(event_time, '60 minutes').start AS window_start, WINDOW(event_time, '60 minutes').end AS window_end, user_identity.email, collect_set(workspace_id) AS workspace_ids, collect_set(request_params.mountPoint) AS mount_points, count(*) AS total FROM system.access.audit WHERE event_time >= current_timestamp() - INTERVAL 24 HOURS AND action_name = 'mount' GROUP BY 1, 2, 3 ORDER BY total DESC",
+ "parent": "system_tables/audit/admin/queries/",
+ "alert": {
+ "name": "mount_point_creation",
+ "options": {
+ "column": "total",
+ "custom_body": "

    There have been the following mount points created within the last 24 hours:


    {{QUERY_RESULT_TABLE}}
    Link to query
    Link to alert",
+ "custom_subject": "Alert {{ALERT_NAME}} changed status to {{ALERT_STATUS}} because the number of unexpected events is {{ALERT_CONDITION}} than {{ALERT_THRESHOLD}}",
+ "muted": false,
+ "op": ">",
+ "value": "0"
+ },
+ "rearm": "3600",
+ "parent": "system_tables/audit/admin/alerts/"
+ }
+ },
+ {
+ "name": "long_lifetime_token_generation",
+ "description": "Personal access tokens should be treated like a credential and protected at all times. As well as being managed by the Token Management API and secured with additional protections like IP Access Lists, they should only be generated with a short lifetime. The following SQL query can be used to detect the generation of PAT tokens with a lifetime of greater than 72 hours.",
+ "query": "SELECT event_time, workspace_id, user_identity.email, timestamp_millis(cast(request_params.tokenExpirationTime AS BIGINT)) AS token_expiration, timestampdiff(HOUR, event_time, timestamp_millis(cast(request_params.tokenExpirationTime AS BIGINT))) AS token_duration_in_hours, request_params.tokenHash, count(*) AS total FROM system.access.audit WHERE event_time >= current_timestamp() - INTERVAL 24 HOURS AND action_name = 'generateDbToken' AND timestampdiff(HOUR, event_time, timestamp_millis(cast(request_params.tokenExpirationTime AS BIGINT))) > 72 GROUP BY 1, 2, 3, 4, 5, 6 ORDER BY event_time DESC",
+ "parent": "system_tables/audit/admin/queries/",
+ "alert": {
+ "name": "long_lifetime_token_generation",
+ "options": {
+ "column": "total",
+ "custom_body": "

    There have been the following tokens generated with a lifetime of >72 hours within the last 24 hours:


    {{QUERY_RESULT_TABLE}}
    Link to query
    Link to alert",
+ "custom_subject": "Alert {{ALERT_NAME}} changed status to {{ALERT_STATUS}} because the number of unexpected events is {{ALERT_CONDITION}} than {{ALERT_THRESHOLD}}",
+ "muted": false,
+ "op": ">",
+ "value": "0"
+ },
+ "rearm": "3600",
+ "parent": "system_tables/audit/admin/alerts/"
+ }
+ },
+ {
+ "name": "destructive_activities",
+ "description": "A high number of destructive activities (such as delete* events) may indicate a malicious attempt to cause disruption and harm. The following SQL query can be used to detect users who have attempted a high number (>50) destructive activities within the last 24 hours. This query filters out activities from Databricks System-Users, although you could optionally add them back in.",
+ "query": "SELECT * FROM (SELECT event_date, user_identity.email, collect_set(if(isnotnull(request_params.workspace_id), request_params.workspace_id, workspace_id)) AS workspace_ids, collect_set(service_name) AS service_names, size(collect_set(service_name)) AS num_services, collect_set(action_name) AS action_names, size(collect_set(action_name)) AS num_actions, count(*) AS num_destructive_activities FROM system.access.audit WHERE event_time >= current_timestamp() - INTERVAL 24 HOURS AND user_identity.email NOT IN ('System-User') AND (startswith(action_name, 'delete') OR contains(lower(action_name), 'delete') OR contains(lower(action_name), 'trash')) GROUP BY 1, 2) WHERE num_destructive_activities > 50 ORDER BY num_destructive_activities DESC",
+ "parent": "system_tables/audit/admin/queries/",
+ "alert": {
+ "name": "destructive_activities",
+ "options": {
+ "column": "num_destructive_activities",
+ "custom_body": "

    There have been the following high numbers of destructive activities detected within the last 24 hours:


    {{QUERY_RESULT_TABLE}}
    Link to query
    Link to alert",
+ "custom_subject": "Alert {{ALERT_NAME}} changed status to {{ALERT_STATUS}} because the number of unexpected events is {{ALERT_CONDITION}} than {{ALERT_THRESHOLD}}",
+ "muted": false,
+ "op": ">=",
+ "value": "50"
+ },
+ "rearm": "3600",
+ "parent": "system_tables/audit/admin/alerts/"
+ }
+ },
+ {
+ "name": "destructive_activities_last_90_days",
+ "description": "A spike in the number of destructive activities (such as delete* events) may indicate a malicious attempt to cause disruption and harm.",
+ "query": "SELECT event_date, user_identity.email, if(isnotnull(request_params.workspace_id), request_params.workspace_id, workspace_id) AS workspace_id, service_name, action_name, count(*) AS num_destructive_activities FROM system.access.audit WHERE event_date >= current_date() - INTERVAL 90 DAYS AND user_identity.email NOT IN ('System-User') AND (startswith(action_name, 'delete') OR contains(lower(action_name), 'delete') OR contains(lower(action_name), 'trash')) GROUP BY 1, 2, 3, 4, 5 ORDER BY event_date DESC",
+ "parent": "system_tables/audit/admin/queries/"
+ },
+ {
+ "name": "potential_privilege_escalation",
+ "description": "A high number of permission changes could indicate privelege escalation. The following SQL query can be used to detect users who have made a high number (>25) within an hour period over the last 24 hours. 
This query filters out changes made by Databricks System-Users, although you could optionally add them back in.",
+ "query": "SELECT * FROM (SELECT WINDOW(event_time, '60 minutes').start AS window_start, WINDOW(event_time, '60 minutes').end AS window_end, user_identity.email, collect_set(if(isnotnull(request_params.workspace_id), request_params.workspace_id, workspace_id)) AS workspace_ids, collect_set(service_name) AS service_names, size(collect_set(service_name)) AS num_services, collect_set(action_name) AS action_names, size(collect_set(action_name)) AS num_actions, count(*) AS num_permissions_changes FROM system.access.audit WHERE action_name IN ('addPrincipalToGroup', 'changeDatabricksSqlAcl', 'changeDatabricksWorkspaceAcl', 'changeDbTokenAcl', 'changePasswordAcl', 'changeServicePrincipalAcls', 'generateDbToken', 'setAdmin', 'changeClusterAcl', 'changeClusterPolicyAcl', 'changeWarehouseAcls', 'changePermissions', 'transferObjectOwnership', 'changePipelineAcls', 'changeFeatureTableAcl', 'addPrincipalToGroup', 'changeIamRoleAcl', 'changeInstancePoolAcl', 'changeJobAcl', 'resetJobAcl', 'changeRegisteredModelAcl', 'changeInferenceEndpointAcl', 'putAcl', 'changeSecurableOwner', 'grantPermission', 'changeWorkspaceAcl', 'updateRoleAssignment', 'setAccountAdmin', 'changeAccountOwner', 'updatePermissions', 'updateSharePermissions') AND event_time >= current_timestamp() - INTERVAL 24 HOURS AND user_identity.email NOT IN ('System-User') GROUP BY 1, 2, 3) WHERE num_permissions_changes > 25 ORDER BY num_permissions_changes DESC",
+ "parent": "system_tables/audit/admin/queries/",
+ "alert": {
+ "name": "potential_privilege_escalation",
+ "options": {
+ "column": "num_permissions_changes",
+ "custom_body": "

    There have been the following high numbers of permissions changes detected within the last 24 hours:


    {{QUERY_RESULT_TABLE}}
    Link to query
    Link to alert",
+ "custom_subject": "Alert {{ALERT_NAME}} changed status to {{ALERT_STATUS}} because the number of unexpected events is {{ALERT_CONDITION}} than {{ALERT_THRESHOLD}}",
+ "muted": false,
+ "op": ">=",
+ "value": "25"
+ },
+ "rearm": "3600",
+ "parent": "system_tables/audit/admin/alerts/"
+ }
+ },
+ {
+ "name": "potential_privilege_escalation_last_90_days",
+ "description": "A spike in the number of permission changes could indicate privilege escalation.",
+ "query": "SELECT event_date, user_identity.email, if(isnotnull(request_params.workspace_id), request_params.workspace_id, workspace_id) AS workspace_id, service_name, action_name, count(*) AS num_permissions_changes FROM system.access.audit WHERE action_name IN ('addPrincipalToGroup', 'changeDatabricksSqlAcl', 'changeDatabricksWorkspaceAcl', 'changeDbTokenAcl', 'changePasswordAcl', 'changeServicePrincipalAcls', 'generateDbToken', 'setAdmin', 'changeClusterAcl', 'changeClusterPolicyAcl', 'changeWarehouseAcls', 'changePermissions', 'transferObjectOwnership', 'changePipelineAcls', 'changeFeatureTableAcl', 'addPrincipalToGroup', 'changeIamRoleAcl', 'changeInstancePoolAcl', 'changeJobAcl', 'resetJobAcl', 'changeRegisteredModelAcl', 'changeInferenceEndpointAcl', 'putAcl', 'changeSecurableOwner', 'grantPermission', 'changeWorkspaceAcl', 'updateRoleAssignment', 'setAccountAdmin', 'changeAccountOwner', 'updatePermissions', 'updateSharePermissions') AND event_date >= current_date() - INTERVAL 90 DAYS AND user_identity.email NOT IN ('System-User') GROUP BY 1, 2, 3, 4, 5 ORDER BY event_date DESC",
+ "parent": "system_tables/audit/admin/queries/"
+ },
+ {
+ "name": "repeated_access_to_secrets",
+ "description": "Repeated attempts to access secrets could indicate an attempt to steal credentials. The following SQL query can be used to detect users who have attempted a high number (>10) of attempts to access secrets within an hour period over the last 24 hours. 
This query filters out requests from Databricks System-Users, although you could optionally add them back in.",
+ "query": "SELECT * FROM (SELECT WINDOW(event_time, '60 minutes').start AS window_start, WINDOW(event_time, '60 minutes').end AS window_end, user_identity.email, collect_set(workspace_id) AS workspace_ids, size(collect_set(request_params.scope)) AS num_scopes_accessed, collect_set(request_params.scope) AS secret_scopes, size(collect_set(request_params.key)) AS num_keys_accessed, collect_set(request_params.key) AS secret_keys, count(*) AS num_requests FROM system.access.audit WHERE action_name = 'getSecret' AND event_time >= current_timestamp() - INTERVAL 24 HOURS AND user_identity.email NOT IN ('System-User') GROUP BY 1, 2, 3) WHERE num_keys_accessed >= 10 ORDER BY num_keys_accessed DESC",
+ "parent": "system_tables/audit/admin/queries/",
+ "alert": {
+ "name": "repeated_access_to_secrets",
+ "options": {
+ "column": "num_keys_accessed",
+ "custom_body": "

    There have been the repeated attempts to access secrets within the last 24 hours:


    {{QUERY_RESULT_TABLE}}
    Link to query
    Link to alert",
+ "custom_subject": "Alert {{ALERT_NAME}} changed status to {{ALERT_STATUS}} because the number of unexpected events is {{ALERT_CONDITION}} than {{ALERT_THRESHOLD}}",
+ "muted": false,
+ "op": ">=",
+ "value": "10"
+ },
+ "rearm": "3600",
+ "parent": "system_tables/audit/admin/alerts/"
+ }
+ },
+ {
+ "name": "access_to_secrets_last_90_days",
+ "description": "A spike in the number of requests to access secrets could indicate attempts to steal credentials.",
+ "query": "SELECT event_date, user_identity.email, if(isnotnull(request_params.workspace_id), request_params.workspace_id, workspace_id) AS workspace_id, concat(request_params.scope, '/', request_params.key) AS secret, count(*) AS num_requests FROM system.access.audit WHERE action_name = 'getSecret' AND event_date >= current_date() - INTERVAL 90 DAYS AND user_identity.email NOT IN ('System-User') GROUP BY 1, 2, 3, 4 ORDER BY event_date DESC",
+ "parent": "system_tables/audit/admin/queries/"
+ },
+ {
+ "name": "access_to_multiple_workspaces",
+ "description": "The same user accessing multiple workspaces within a short time frame could indicate lateral movement, or malicious attempts to increase the blast radius of an attack. The following SQL query can be used to detect users who have accessed a high number (>5) of different workspaces within the last 24 hours. 
This query filters out requests from unknown and Databricks System-Users, although you could optionally add them back in.",
+ "query": "SELECT * FROM (SELECT event_date, user_identity.email, collect_set(workspace_id) AS workspace_ids, count(distinct workspace_id) AS num_workspaces_accessed FROM system.access.audit WHERE event_time >= current_timestamp() - INTERVAL 24 HOURS AND user_identity.email NOT IN ('System-User', 'unknown') GROUP BY 1, 2) WHERE num_workspaces_accessed >= 5 ORDER BY num_workspaces_accessed DESC",
+ "parent": "system_tables/audit/admin/queries/",
+ "alert": {
+ "name": "access_to_multiple_workspaces",
+ "options": {
+ "column": "num_workspaces_accessed",
+ "custom_body": "

    There have been the following attempts to access multiple workspaces within the last 24 hours:


    {{QUERY_RESULT_TABLE}}
    Link to query
    Link to alert",
+ "custom_subject": "Alert {{ALERT_NAME}} changed status to {{ALERT_STATUS}} because the number of unexpected events is {{ALERT_CONDITION}} than {{ALERT_THRESHOLD}}",
+ "muted": false,
+ "op": ">=",
+ "value": "5"
+ },
+ "rearm": "3600",
+ "parent": "system_tables/audit/admin/alerts/"
+ }
+ },
+ {
+ "name": "use_of_print_statements",
+ "description": "Databricks supports verbose audit logging, which can be useful in highly regulated environments in which all commands run interactively by a user must be recorded. Verbose audit logs can also be useful for monitoring compliance with coding standards. For example, let's suppose your organization has a policy that print() statements should not be used, the following SQL query could be used to monitor compliance with such a policy by detecting uses of the print() statement within the last 24 hours.",
+ "query": "SELECT WINDOW(event_time, '60 minutes').start AS window_start, WINDOW(event_time, '60 minutes').end AS window_end, user_identity.email, collect_set(workspace_id) AS workspace_ids, collect_set(service_name) AS service_names, collect_set(request_params.commandLanguage) AS command_languages, collect_set(request_params.commandText) AS commands, collect_set(request_params.status) AS statuses, collect_set(request_params.notebookId) AS notebook_ids, count(*) AS total FROM system.access.audit WHERE event_time >= current_timestamp() - INTERVAL 24 HOURS AND action_name = 'runCommand' AND request_params.commandText rlike 'print[/s]?(?! e)(.)+' GROUP BY 1, 2, 3 ORDER BY total DESC",
+ "parent": "system_tables/audit/admin/queries/",
+ "alert": {
+ "name": "use_of_print_statements",
+ "options": {
+ "column": "total",
+ "custom_body": "

    There have been the following use of print statements within the last 24 hours:


    {{QUERY_RESULT_TABLE}}
    Link to query
    Link to alert",
+ "custom_subject": "Alert {{ALERT_NAME}} changed status to {{ALERT_STATUS}} because the number of unexpected events is {{ALERT_CONDITION}} than {{ALERT_THRESHOLD}}",
+ "muted": false,
+ "op": ">",
+ "value": "0"
+ },
+ "rearm": "3600",
+ "parent": "system_tables/audit/admin/alerts/"
+ }
+ },
+ {
+ "name": "ip_addresses_used_to_access_databricks",
+ "description": "The following SQL query will show you which IP addresses and the number of requests for each have been used to access your workspace or account over the last 90 days.",
+ "query": "SELECT regexp_replace(source_ip_address, '(:\\\\d*)', '') AS source_ip_address, CASE WHEN audit_level = 'ACCOUNT_LEVEL' AND service_name != 'unityCatalog' THEN 'account' WHEN audit_level = 'ACCOUNT_LEVEL' AND service_name = 'unityCatalog' THEN 'unity_catalog' WHEN audit_level = 'WORKSPACE_LEVEL' THEN 'workspace' ELSE NULL END AS service, count(*) AS total_requests FROM system.access.audit WHERE event_date >= current_date() - INTERVAL 90 DAYS AND source_ip_address NOT IN ('', '0.0.0.0', '127.0.0.1') GROUP BY 1, 2 ORDER BY total_requests DESC",
+ "parent": "system_tables/audit/admin/queries/"
+ },
+ {
+ "name": "ip_address_ranges_used_to_access_databricks",
+ "description": "The following SQL query will show you which IP address ranges and the number of requests for each have been used to access your workspaces or account over the last 90 days.",
+ "query": "SELECT concat(substring_index(source_ip_address, '.', 3), '.0/24') AS source_ip_range, CASE WHEN audit_level = 'ACCOUNT_LEVEL' AND service_name != 'unityCatalog' THEN 'account' WHEN audit_level = 'ACCOUNT_LEVEL' AND service_name = 'unityCatalog' THEN 'unity_catalog' WHEN audit_level = 'WORKSPACE_LEVEL' THEN 'workspace' ELSE NULL END AS service, count(*) AS total_requests FROM system.access.audit WHERE event_date >= current_date() - INTERVAL 90 DAYS AND source_ip_address NOT IN ('', '0.0.0.0', '127.0.0.1') GROUP BY concat(substring_index(source_ip_address, 
'.', 3), '.0/24'), 2 ORDER BY total_requests DESC",
+ "parent": "system_tables/audit/admin/queries/"
+ },
+ {
+ "name": "repeated_unauthorized_uc_requests",
+ "description": "Repeated unauthorized UC requests could indicate privilege escalation, data exfiltration attempts or an attacker trying to brute force access to your data. The following query can be used to detect repeated unauthorized UC requests over a 60 minute period within the last 24 hours.",
+ "query": "WITH failed_requests AS (SELECT WINDOW(event_time, '60 minutes').start AS window_start, WINDOW(event_time, '60 minutes').end AS window_end, user_identity.email, request_params.metastore_id, if(isnotnull(request_params.workspace_id), request_params.workspace_id, workspace_id) AS workspace_id, action_name, response.error_message FROM system.access.audit WHERE service_name = 'unityCatalog' AND response.status_code IN (401, 403) AND WINDOW(event_time, '60 minutes').end >= current_timestamp() - INTERVAL 24 HOURS), failed_requests_agg AS (SELECT window_start, window_end, email, metastore_id, collect_set(workspace_id) AS workspace_ids,collect_set(action_name) AS action_names, collect_set(error_message) AS error_messages, count(*) AS total FROM failed_requests GROUP BY 1, 2, 3, 4) SELECT * FROM failed_requests_agg WHERE total > 25 ORDER BY total DESC",
+ "parent": "system_tables/audit/unity_catalog/queries/",
+ "alert": {
+ "name": "repeated_unauthorized_uc_requests",
+ "options": {
+ "column": "total",
+ "custom_body": "

    There have been the following unauthorized UC requests within the last 24 hours:


    {{QUERY_RESULT_TABLE}}
    Link to query
    Link to alert",
+ "custom_subject": "Alert {{ALERT_NAME}} changed status to {{ALERT_STATUS}} because the number of unexpected events is {{ALERT_CONDITION}} than {{ALERT_THRESHOLD}}",
+ "muted": false,
+ "op": ">",
+ "value": "25"
+ },
+ "rearm": "3600",
+ "parent": "system_tables/audit/unity_catalog/alerts/"
+ }
+ },
+ {
+ "name": "repeated_unauthorized_uc_data_requests",
+ "description": "Repeated unauthorized UC data requests could indicate privilege escalation, data exfiltration attempts or an attacker trying to brute force access to your data. The following query can be used to detect repeated unauthorized UC data access ('generateTemporaryTableCredential', 'generateTemporaryPathCredential', 'generateTemporaryVolumeCredential', 'deltaSharingQueryTable', 'deltaSharingQueryTableChanges') requests over a 60 minute period within the last 24 hours.",
+ "query": "WITH failed_data_access AS (SELECT WINDOW(event_time, '60 minutes').start AS window_start, WINDOW(event_time, '60 minutes').end AS window_end,user_identity.email, request_params.metastore_id, if(isnotnull(request_params.workspace_id), request_params.workspace_id, workspace_id) AS workspace_id, action_name, CASE WHEN isnotnull(request_params.table_full_name) THEN request_params.table_full_name WHEN isnotnull(request_params.volume_full_name) THEN request_params.volume_full_name WHEN isnotnull(request_params.name) THEN request_params.name WHEN isnotnull(request_params.url) THEN request_params.url WHEN isnotnull(request_params.table_url) THEN request_params.table_url WHEN isnotnull(request_params.table_id) THEN request_params.table_id WHEN isnotnull(request_params.volume_id) THEN request_params.volume_id ELSE NULL END AS securable, response.error_message FROM system.access.audit WHERE action_name IN ('generateTemporaryTableCredential', 'generateTemporaryPathCredential', 'generateTemporaryVolumeCredential', 'deltaSharingQueryTable', 'deltaSharingQueryTableChanges') AND response.status_code IN (401, 403) AND 
WINDOW(event_time, '60 minutes').end >= current_timestamp() - INTERVAL 24 HOURS), failed_data_access_agg AS (SELECT window_start, window_end, email, metastore_id, collect_set(workspace_id) AS workspace_ids, collect_set(action_name) AS action_names, collect_set(securable) AS securables, collect_set(error_message) AS errors, count(*) AS total FROM failed_data_access GROUP BY 1, 2, 3, 4) SELECT * FROM failed_data_access_agg WHERE total > 15 ORDER BY total DESC",
+ "parent": "system_tables/audit/unity_catalog/queries/",
+ "alert": {
+ "name": "repeated_unauthorized_uc_data_requests",
+ "options": {
+ "column": "total",
+ "custom_body": "

    There have been the following unauthorized UC data requests within the last 24 hours:


    {{QUERY_RESULT_TABLE}}
    Link to query
    Link to alert",
+ "custom_subject": "Alert {{ALERT_NAME}} changed status to {{ALERT_STATUS}} because the number of unexpected events is {{ALERT_CONDITION}} than {{ALERT_THRESHOLD}}",
+ "muted": false,
+ "op": ">",
+ "value": "15"
+ },
+ "rearm": "3600",
+ "parent": "system_tables/audit/unity_catalog/alerts/"
+ }
+ },
+ {
+ "name": "unauthorized_uc_data_requests_last_90_days",
+ "description": "Repeated unauthorized UC data requests could indicate privilege escalation, data exfiltration attempts or an attacker trying to brute force access to your data.",
+ "query": "SELECT event_date, ifnull(user_identity.email, request_params.user) AS email, request_params.workspace_id, action_name, count(*) AS total FROM system.access.audit WHERE action_name IN ('generateTemporaryTableCredential', 'generateTemporaryPathCredential', 'generateTemporaryVolumeCredential', 'deltaSharingQueryTable', 'deltaSharingQueryTableChanges') AND response.status_code IN (401, 403) AND event_date >= current_date() - INTERVAL 90 DAYS GROUP BY 1, 2, 3, 4 ORDER BY event_date DESC",
+ "parent": "system_tables/audit/unity_catalog/queries/"
+ },
+ {
+ "name": "high_number_of_read_writes",
+ "description": "A high number of read/writes, particularly where the writes are to different locations could indicate data exfiltration attempts. 
The following query can be used to detect a high number of read/writes of UC securables (>20) within an hour window over the last 24 hours, particularly where the user is writing to different locations to the reads.",
+ "query": "WITH read_writes AS (SELECT WINDOW(event_time, '60 minutes').start AS window_start, WINDOW(event_time, '60 minutes').end AS window_end, user_identity.email, request_params.metastore_id, if(isnotnull(request_params.workspace_id), request_params.workspace_id, workspace_id) AS workspace_id, CASE WHEN contains(request_params.operation, 'CREATE') THEN 'WRITE' WHEN contains(request_params.operation, 'WRITE') THEN 'WRITE' WHEN contains(request_params.operation, 'READ') THEN 'READ' ELSE NULL END AS operation, request_params.operation AS full_operation, CASE WHEN isnotnull(request_params.table_full_name) THEN request_params.table_full_name WHEN isnotnull(request_params.volume_full_name) THEN request_params.volume_full_name WHEN isnotnull(request_params.url) THEN request_params.url WHEN isnotnull(request_params.table_url) THEN request_params.table_url WHEN isnotnull(request_params.table_id) THEN request_params.table_id WHEN isnotnull(request_params.volume_id) THEN request_params.volume_id ELSE NULL END AS securable FROM system.access.audit WHERE action_name IN ('generateTemporaryTableCredential', 'generateTemporaryPathCredential', 'generateTemporaryVolumeCredential') AND WINDOW(event_time, '60 minutes').end >= current_timestamp() - INTERVAL 24 HOURS), read_writes_agg AS (SELECT window_start, window_end, email, metastore_id, collect_set(workspace_id) AS workspace_ids,collect_set(operation) AS operations, collect_set(securable) FILTER(WHERE operation = 'READ') AS read_securables, collect_set(securable) FILTER(WHERE operation = 'WRITE') AS write_securables, count(distinct securable) FILTER(WHERE operation = 'READ') AS num_reads, count(distinct securable) FILTER(WHERE operation = 'WRITE') AS num_writes, count(distinct operation, securable) AS 
total_read_writes FROM read_writes GROUP BY 1, 2, 3, 4 ORDER BY total_read_writes DESC), read_writes_high AS (SELECT window_start, window_end, email, metastore_id, workspace_ids, operations, read_securables, write_securables, array_except(write_securables, read_securables) AS writes_to_different_locations, num_reads, num_writes, size(array_except(write_securables, read_securables)) AS num_writes_to_different_locations, total_read_writes FROM read_writes_agg) SELECT * FROM read_writes_high WHERE num_reads > 20 AND num_writes > 20 AND num_writes_to_different_locations > 0 ORDER BY num_writes_to_different_locations DESC",
+ "parent": "system_tables/audit/unity_catalog/queries/",
+ "alert": {
+ "name": "high_number_of_read_writes",
+ "options": {
+ "column": "num_writes_to_different_locations",
+ "custom_body": "

    There have been the following high number of reads/writes to UC securables within the last 24 hours:


    {{QUERY_RESULT_TABLE}}
    Link to query
    Link to alert",
+ "custom_subject": "Alert {{ALERT_NAME}} changed status to {{ALERT_STATUS}} because the number of unexpected events is {{ALERT_CONDITION}} than {{ALERT_THRESHOLD}}",
+ "muted": false,
+ "op": ">",
+ "value": "0"
+ },
+ "rearm": "3600",
+ "parent": "system_tables/audit/unity_catalog/alerts/"
+ }
+ },
+ {
+ "name": "read_writes_last_90_days",
+ "description": "A spike in the number of read/writes (particularly writes) could indicate attempts to exfiltrate data.",
+ "query": "SELECT event_date, user_identity.email, if(isnotnull(request_params.workspace_id), request_params.workspace_id, workspace_id) AS workspace_id, CASE WHEN contains(request_params.operation, 'CREATE') THEN 'WRITE' WHEN contains(request_params.operation, 'WRITE') THEN 'WRITE' WHEN contains(request_params.operation, 'READ') THEN 'READ' ELSE NULL END AS operation, request_params.operation AS full_operation, CASE WHEN isnotnull(request_params.table_full_name) THEN request_params.table_full_name WHEN isnotnull(request_params.volume_full_name) THEN request_params.volume_full_name WHEN isnotnull(request_params.url) THEN request_params.url WHEN isnotnull(request_params.table_url) THEN request_params.table_url WHEN isnotnull(request_params.table_id) THEN request_params.table_id WHEN isnotnull(request_params.volume_id) THEN request_params.volume_id ELSE NULL END AS securable, COUNT(*) AS number_of_read_writes FROM system.access.audit WHERE action_name IN ('generateTemporaryTableCredential', 'generateTemporaryPathCredential', 'generateTemporaryVolumeCredential') AND event_date >= current_date() - INTERVAL 90 DAYS GROUP BY 1, 2, 3, 4, 5, 6 ORDER BY event_date DESC",
+ "parent": "system_tables/audit/admin/queries/"
+ },
+ {
+ "name": "delta_sharing_recipients_without_ip_acls",
+ "description": "If you’re sharing personal data, delta sharing recipients should always be secured with IP access lists. 
The following SQL query can be used to detect the creation or update of delta sharing recipients which do not have IP access lists defined within the last 24 hours.",
+ "query": "SELECT event_time, user_identity.email, CASE WHEN request_params.name IS NOT NULL THEN request_params.name WHEN request_params.name_arg IS NOT NULL THEN request_params.name_arg ELSE NULL END AS delta_share, request_params.ip_access_list, count(*) AS total FROM system.access.audit WHERE event_time >= current_timestamp() - INTERVAL 24 HOURS AND action_name IN ('createRecipient') AND request_params.ip_access_list IS NULL GROUP BY 1, 2, 3, 4 ORDER BY event_time DESC",
+ "parent": "system_tables/audit/unity_catalog/queries/",
+ "alert": {
+ "name": "delta_sharing_recipients_without_ip_acls",
+ "options": {
+ "column": "total",
+ "custom_body": "

    There have been the following Delta Sharing recipients created without IP ACLs within the last 24 hours:


    {{QUERY_RESULT_TABLE}}
    Link to query
    Link to alert",
+ "custom_subject": "Alert {{ALERT_NAME}} changed status to {{ALERT_STATUS}} because the number of unexpected events is {{ALERT_CONDITION}} than {{ALERT_THRESHOLD}}",
+ "muted": false,
+ "op": ">",
+ "value": "0"
+ },
+ "rearm": "3600",
+ "parent": "system_tables/audit/unity_catalog/alerts/"
+ }
+ },
+ {
+ "name": "delta_sharing_ip_access_list_failures",
+ "description": "If you’re sharing personal data, delta sharing recipients should always be secured with IP access lists. The following SQL query can be used to detect Delta Sharing data access requests ('deltaSharingQueryTable', 'deltaSharingQueryTableChanges') which have failed IP access list checks within the last 24 hours.",
+ "query": "SELECT WINDOW(event_time, '60 minutes').start AS window_start, WINDOW(event_time, '60 minutes').end AS window_end, source_ip_address, request_params.metastore_id, collect_set(request_params.name) AS share_names, collect_set(request_params.share) AS shares, collect_set(request_params.recipient_name) AS recipient_names, collect_set(request_params.recipient_authentication_type) AS authentication_types, COUNT(*) AS total FROM system.access.audit WHERE event_time >= current_timestamp() - INTERVAL 24 HOURS AND service_name = 'unityCatalog' AND action_name IN ('deltaSharingQueryTable', 'deltaSharingQueryTableChanges') AND request_params.is_ip_access_denied = 'true' GROUP BY 1, 2, 3, 4 ORDER BY total DESC",
+ "parent": "system_tables/audit/unity_catalog/queries/",
+ "alert": {
+ "name": "delta_sharing_ip_access_list_failures",
+ "options": {
+ "column": "total",
+ "custom_body": "

    There have been the following Delta Sharing data access requests which have failed IP access list rules within the last 24 hours:


    {{QUERY_RESULT_TABLE}}
    Link to query
    Link to alert",
+ "custom_subject": "Alert {{ALERT_NAME}} changed status to {{ALERT_STATUS}} because the number of unexpected events is {{ALERT_CONDITION}} than {{ALERT_THRESHOLD}}",
+ "muted": false,
+ "op": ">",
+ "value": "0"
+ },
+ "rearm": "3600",
+ "parent": "system_tables/audit/unity_catalog/alerts/"
+ }
+ },
+ {
+ "name": "delta_sharing_recipient_token_lifetime_change",
+ "description": "Delta Sharing recipient tokens are valid for the lifetime that you specify. As well as protecting Delta Shares via IP access lists, you should also ensure that the lifetime of a recipient token is set to a value that is suitable for the data within the metastore it is accessing. Once you have set a token lifetime, you may want to monitor whether an account admin ever changes that value. The following SQL can be used to detect changes to the Delta Sharing recipient token lifetime for a metastore within the last 24 hours.",
+ "query": "SELECT event_time, user_identity.email, account_id, request_params.metastore_id, request_params.delta_sharing_recipient_token_lifetime_in_seconds, response.status_code, count(*) AS total FROM system.access.audit WHERE event_time >= current_timestamp() - INTERVAL 24 HOURS AND action_name = 'updateMetastore' AND request_params.delta_sharing_recipient_token_lifetime_in_seconds IS NOT NULL GROUP BY 1, 2, 3, 4, 5, 6 ORDER BY total DESC",
+ "parent": "system_tables/audit/unity_catalog/queries/",
+ "alert": {
+ "name": "delta_sharing_recipient_token_lifetime_change",
+ "options": {
+ "column": "total",
+ "custom_body": "

    There have been the following changes to a Delta Sharing recipient token lifetime within the last 24 hours:


    {{QUERY_RESULT_TABLE}}
    Link to query
    Link to alert", + "custom_subject": "Alert {{ALERT_NAME}} changed status to {{ALERT_STATUS}} because the number of unexpected events is {{ALERT_CONDITION}} than {{ALERT_THRESHOLD}}", + "muted": false, + "op": ">", + "value": "0" + }, + "rearm": "3600", + "parent": "system_tables/audit/unity_catalog/alerts/" + } + }, + { + "name": "most_popular_data_products_last_90_days", + "description": "Databricks Unity Catalog is the industry’s first unified governance solution for data and AI on the lakehouse. The main benefit of this unification is that you can define once and secure everywhere, but it also means that appropriately privileged users can report on the most popular data products across an organisation. The following SQL query will show you the most popular data assets by number of requests over the last 90 days.", + "query": "SELECT * FROM (SELECT CASE WHEN isnotnull(request_params.table_full_name) THEN request_params.table_full_name WHEN isnotnull(request_params.volume_full_name) THEN request_params.volume_full_name WHEN isnotnull(request_params.name) THEN request_params.name WHEN isnotnull(request_params.url) THEN request_params.url WHEN isnotnull(request_params.table_url) THEN request_params.table_url WHEN isnotnull(request_params.table_id) THEN request_params.table_id WHEN isnotnull(request_params.volume_id) THEN request_params.volume_id ELSE NULL END AS securable, CASE WHEN isnotnull(request_params.table_full_name) THEN 'TABLE' WHEN isnotnull(request_params.volume_full_name) THEN 'VOLUME' WHEN isnotnull(request_params.share) THEN 'DELTA_SHARE' WHEN isnotnull(request_params.url) THEN 'EXTERNAL_LOCATION' WHEN isnotnull(request_params.table_url) THEN 'TABLE' WHEN isnotnull(request_params.table_id) THEN 'TABLE' WHEN isnotnull(request_params.volume_id) THEN 'VOLUME' ELSE NULL END AS securable_type, count(*) AS total_requests FROM system.access.audit WHERE action_name IN ('generateTemporaryTableCredential', 'generateTemporaryPathCredential', 
'generateTemporaryVolumeCredential', 'deltaSharingQueryTable', 'deltaSharingQueryTableChanges') AND response.status_code = 200 AND event_date >= current_date() - INTERVAL 90 DAYS GROUP BY 1, 2) WHERE NOT startswith(securable, '__databricks_internal.') ORDER BY total_requests DESC LIMIT 500", + "parent": "system_tables/audit/unity_catalog/queries/" + }, + { + "name": "most_privileged_users", + "description": "Identifying our most privileged users can help us to take a risk based approach to security. The following SQL query will provide a relatively simple view of our most privileged users, by showing those with the highest number of different grants to each securable type.", + "query": "WITH catalog_privileges AS (SELECT grantee, 'catalog' AS securable_type, count(*) AS total FROM system.information_schema.catalog_privileges GROUP BY 1, 2), external_location_privileges AS (SELECT grantee, 'external_location' AS securable_type, count(*) AS total FROM system.information_schema.external_location_privileges GROUP BY 1, 2), metastore_privileges AS (SELECT grantee, 'metastore' AS securable_type, count(*) AS total FROM system.information_schema.metastore_privileges GROUP BY 1, 2), routine_privileges AS (SELECT grantee, 'function' AS securable_type, count(*) AS total FROM system.information_schema.routine_privileges GROUP BY 1, 2), schema_privileges AS (SELECT grantee, 'schema' AS securable_type, count(*) AS total FROM system.information_schema.schema_privileges GROUP BY 1, 2), storage_credential_privileges AS (SELECT grantee, 'storage_credential' AS securable_type, count(*) AS total FROM system.information_schema.storage_credential_privileges GROUP BY 1, 2), table_privileges AS (SELECT grantee, 'table' AS securable_type, count(*) AS total FROM system.information_schema.table_privileges GROUP BY 1, 2), volume_privileges AS (SELECT grantee, 'volume' AS securable_type, count(*) AS total FROM system.information_schema.volume_privileges GROUP BY 1, 2) SELECT grantee, 
securable_type, SUM(totaL) AS number_of_grants FROM (SELECT * FROM catalog_privileges UNION ALL SELECT * FROM external_location_privileges UNION ALL SELECT * FROM metastore_privileges UNION ALL SELECT * FROM routine_privileges UNION ALL SELECT * FROM schema_privileges UNION ALL SELECT * FROM storage_credential_privileges UNION ALL SELECT * FROM table_privileges UNION ALL SELECT * FROM volume_privileges) GROUP BY 1, 2 ORDER BY number_of_grants DESC", + "parent": "system_tables/audit/unity_catalog/queries/" + }, + { + "name": "ip_addresses_used_to_access_uc_data", + "description": "The following SQL query will show you the IP addresses used to access Unity Catalog securables ('generateTemporaryTableCredential', 'generateTemporaryPathCredential', 'generateTemporaryVolumeCredential', 'deltaSharingQueryTable', 'deltaSharingQueryTableChanges') actions over the last 90 days.", + "query": "SELECT regexp_replace(source_ip_address, '(:\\\\d*)', '') AS source_ip_address, CASE WHEN isnotnull(request_params.table_full_name) THEN 'TABLE' WHEN isnotnull(request_params.volume_full_name) THEN 'VOLUME' WHEN isnotnull(request_params.url) THEN 'EXTERNAL_LOCATION' WHEN isnotnull(request_params.table_url) THEN 'TABLE' WHEN isnotnull(request_params.table_id) THEN 'TABLE' WHEN isnotnull(request_params.volume_id) THEN 'VOLUME' WHEN isnotnull(request_params.share) THEN 'DELTA_SHARE' ELSE NULL END AS securable_type, count(*) AS total_requests FROM system.access.audit WHERE event_date >= current_date() - INTERVAL 90 DAYS AND source_ip_address NOT IN ('', '0.0.0.0', '127.0.0.1') AND action_name IN ('generateTemporaryTableCredential', 'generateTemporaryPathCredential', 'generateTemporaryVolumeCredential', 'deltaSharingQueryTable', 'deltaSharingQueryTableChanges') GROUP BY 1, 2 ORDER BY total_requests DESC", + "parent": "system_tables/audit/unity_catalog/queries/" + }, + { + "name": "ip_address_ranges_used_to_access_uc_data", + "description": "The following SQL query will show you the IP 
addresse ranges used to access Unity Catalog securables ('generateTemporaryTableCredential', 'generateTemporaryPathCredential', 'generateTemporaryVolumeCredential', 'deltaSharingQueryTable', 'deltaSharingQueryTableChanges') actions over the last 90 days.", + "query": "SELECT concat(substring_index(source_ip_address, '.', 3), '.0/24') AS source_ip_range, CASE WHEN isnotnull(request_params.table_full_name) THEN 'TABLE' WHEN isnotnull(request_params.volume_full_name) THEN 'VOLUME' WHEN isnotnull(request_params.url) THEN 'EXTERNAL_LOCATION' WHEN isnotnull(request_params.table_url) THEN 'TABLE' WHEN isnotnull(request_params.table_id) THEN 'TABLE' WHEN isnotnull(request_params.volume_id) THEN 'VOLUME' WHEN isnotnull(request_params.share) THEN 'DELTA_SHARE' ELSE NULL END AS securable_type, count(*) AS total_requests FROM system.access.audit WHERE event_date >= current_date() - INTERVAL 90 DAYS AND source_ip_address NOT IN ('', '0.0.0.0', '127.0.0.1') AND action_name IN ('generateTemporaryTableCredential', 'generateTemporaryPathCredential', 'generateTemporaryVolumeCredential', 'deltaSharingQueryTable', 'deltaSharingQueryTableChanges') GROUP BY 1, 2 ORDER BY total_requests DESC", + "parent": "system_tables/audit/unity_catalog/queries/" + }, + { + "name": "clam_av_infected_files_detected", + "description": "Customers using one of our compliance security profile offerings have additional monitoring agents including antivirus installed on their data plane hosts. The following query can be used to detect all antivirus scan events during which infected files have been detected within the last 24 hours. Note that this SQL query/alert will trigger when the ClamAV scan has completed, which may be several hours after the infected file has been found. 
See clam_av_infected_files_found for a query/alert that will trigger as soon as an infected file has been found.", + "query": "SELECT event_time, workspace_id, request_params.instanceId, regexp_extract(response.result, ('Infected files: (\\\\d+)')) AS infected_files FROM system.access.audit WHERE event_time >= current_timestamp() - INTERVAL 24 HOURS AND service_name = 'clamAVScanService-dataplane' AND startswith(response.result, 'Infected files:') AND regexp_extract(response.result, ('Infected files: (\\\\d+)')) > 0 ORDER BY event_time DESC", + "parent": "system_tables/audit/compliance_security_profile/queries/", + "alert": { + "name": "clam_av_infected_files_detected", + "options": { + "column": "infected_files", + "custom_body": "

    There have been the following infected files detected by ClamAV within the last 24 hours:


    {{QUERY_RESULT_TABLE}}
    Link to query
    Link to alert", + "custom_subject": "Alert {{ALERT_NAME}} changed status to {{ALERT_STATUS}} because the number of unexpected events is {{ALERT_CONDITION}} than {{ALERT_THRESHOLD}}", + "muted": false, + "op": ">", + "value": "0" + }, + "rearm": "3600", + "parent": "system_tables/audit/compliance_security_profile/alerts/" + } + }, + { + "name": "clam_av_infected_files_found", + "description": "Customers using one of our compliance security profile offerings have additional monitoring agents including antivirus installed on their data plane hosts. The following query can be used to detect all antivirus scan events during which infected files have been found within the last 24 hours. Note, that this query/alert will detect infected files as soon as they have been found, rather than when the ClamAV scan finishes.", + "query": "SELECT event_time, workspace_id, request_params.instanceId, regexp_extract(response.result, ': (.*) FOUND') AS signature, regexp_extract(response.result, '(.*):') AS file_path FROM system.access.audit WHERE event_time >= current_timestamp() - INTERVAL 24 HOURS AND service_name = 'clamAVScanService-dataplane' AND contains(response.result, 'FOUND') ORDER BY event_time DESC", + "parent": "system_tables/audit/compliance_security_profile/queries/", + "alert": { + "name": "clam_av_infected_files_found", + "options": { + "column": "infected_files", + "custom_body": "

    There have been the following infected files found by ClamAV within the last 24 hours:


    {{QUERY_RESULT_TABLE}}
    Link to query
    Link to alert", + "custom_subject": "Alert {{ALERT_NAME}} changed status to {{ALERT_STATUS}} because the number of unexpected events is {{ALERT_CONDITION}} than {{ALERT_THRESHOLD}}", + "muted": false, + "op": ">", + "value": "0" + }, + "rearm": "3600", + "parent": "system_tables/audit/compliance_security_profile/alerts/" + } + }, + { + "name": "capsule8_container_breakout_events", + "description": "User code runs in low-privileged containers. A container escape could compromise the security of the cluster especially when running with user isolation for Unity Catalog or Table ACLs. Capsule8 provides a few alerts related to container isolation issues that should be investigated if triggered. The following query can be used to detect all container breakout events within the last 24 hours.", + "query": "SELECT event_time, workspace_id, request_params.instanceId, count(*) AS total FROM system.access.audit WHERE event_time >= current_timestamp() - INTERVAL 24 HOURS AND service_name = 'capsule8-alerts-dataplane' AND action_name in ('Container Escape via Kernel Exploitation', 'Userland Container Escape', 'New File Executed in Container', 'Privileged Container Launched') GROUP BY 1, 2, 3 ORDER BY event_time DESC", + "parent": "system_tables/audit/compliance_security_profile/queries/", + "alert": { + "name": "capsule8_container_breakout_events", + "options": { + "column": "total", + "custom_body": "

    There have been the following container breakout events detected by Capsule8 within the last 24 hours:


    {{QUERY_RESULT_TABLE}}
    Link to query
    Link to alert", + "custom_subject": "Alert {{ALERT_NAME}} changed status to {{ALERT_STATUS}} because the number of unexpected events is {{ALERT_CONDITION}} than {{ALERT_THRESHOLD}}", + "muted": false, + "op": ">", + "value": "0" + }, + "rearm": "3600", + "parent": "system_tables/audit/compliance_security_profile/alerts/" + } + }, + { + "name": "capsule8_changes_to_host_security_settings", + "description": "No untrusted code or end-user commands should be running on the host OS. There should be no process making changes to security configurations of the host VM. The following SQL query can be used to help us identify suspicious changes within the last 24 hours.", + "query": "SELECT event_time, workspace_id, request_params.instanceId, count(*) AS total FROM system.access.audit WHERE event_time >= current_timestamp() - INTERVAL 24 HOURS AND service_name = 'capsule8-alerts-dataplane' AND action_name in ('Processor-Level Protections Disabled', 'AppArmor Disabled In Kernel', 'AppArmor Profile Modified', 'Boot Files Modified', 'Root Certificate Store Modified') GROUP BY 1, 2, 3 ORDER BY event_time DESC", + "parent": "system_tables/audit/compliance_security_profile/queries/", + "alert": { + "name": "capsule8_changes_to_host_security_settings", + "options": { + "column": "total", + "custom_body": "

    There have been the following changes to host security settings detected by Capsule8 within the last 24 hours:


    {{QUERY_RESULT_TABLE}}
    Link to query
    Link to alert", + "custom_subject": "Alert {{ALERT_NAME}} changed status to {{ALERT_STATUS}} because the number of unexpected events is {{ALERT_CONDITION}} than {{ALERT_THRESHOLD}}", + "muted": false, + "op": ">", + "value": "0" + }, + "rearm": "3600", + "parent": "system_tables/audit/compliance_security_profile/alerts/" + } + }, + { + "name": "capsule8_kernel_related_events", + "description": "Kernel related events could be another indicator of malicious code running on the host. In particular there should be no kernel modules loaded or internal kernel functions being called by user code. The following SQL query can be used to detect any kernel related events within the last 24 hours.", + "query": "SELECT event_time, workspace_id, request_params.instanceId, count(*) AS total FROM system.access.audit WHERE event_time >= current_timestamp() - INTERVAL 24 HOURS AND service_name = 'capsule8-alerts-dataplane' AND action_name in ('BPF Program Executed', 'Kernel Module Loaded', 'Kernel Exploit') GROUP BY 1, 2, 3 ORDER BY event_time DESC", + "parent": "system_tables/audit/compliance_security_profile/queries/", + "alert": { + "name": "capsule8_kernel_related_events", + "options": { + "column": "total", + "custom_body": "

    There have been the following kernel related events detected by Capsule8 within the last 24 hours:


    {{QUERY_RESULT_TABLE}}
    Link to query
    Link to alert", + "custom_subject": "Alert {{ALERT_NAME}} changed status to {{ALERT_STATUS}} because the number of unexpected events is {{ALERT_CONDITION}} than {{ALERT_THRESHOLD}}", + "muted": false, + "op": ">", + "value": "0" + }, + "rearm": "3600", + "parent": "system_tables/audit/compliance_security_profile/alerts/" + } + }, + { + "name": "capsule8_suspicious_host_activity", + "description": "Given the architecture of the Databricks containerized runtime and host OS model, only trusted code should be making changes or executing on the host EC2. Changes to containers, evasive actions, or interactive shells could be due to suspicious activity on the host and should be reviewed. The following SQL query can be used to detect suspicious host activity within the last 24 hours.", + "query": "SELECT event_time, workspace_id, request_params.instanceId, count(*) AS total FROM system.access.audit WHERE event_time >= current_timestamp() - INTERVAL 24 HOURS AND service_name = 'capsule8-alerts-dataplane' AND action_name in ('New File Executed in Container', 'Suspicious Interactive Shell', 'User Command Logging Evasion', 'Privileged Container Launched') GROUP BY 1, 2, 3 ORDER BY event_time DESC", + "parent": "system_tables/audit/compliance_security_profile/queries/", + "alert": { + "name": "capsule8_suspicious_host_activity", + "options": { + "column": "total", + "custom_body": "

    There have been the following suspicious host activity events detected by Capsule8 within the last 24 hours:


    {{QUERY_RESULT_TABLE}}
    Link to query
    Link to alert", + "custom_subject": "Alert {{ALERT_NAME}} changed status to {{ALERT_STATUS}} because the number of unexpected events is {{ALERT_CONDITION}} than {{ALERT_THRESHOLD}}", + "muted": false, + "op": ">", + "value": "0" + }, + "rearm": "3600", + "parent": "system_tables/audit/compliance_security_profile/alerts/" + } + } + ] + } \ No newline at end of file diff --git a/aws-gov/tf/modules/sra/databricks_workspace/solution_accelerators/system_tables_audit_log/sql.tf b/aws-gov/tf/modules/sra/databricks_workspace/solution_accelerators/system_tables_audit_log/sql.tf new file mode 100644 index 0000000..18eb393 --- /dev/null +++ b/aws-gov/tf/modules/sra/databricks_workspace/solution_accelerators/system_tables_audit_log/sql.tf 
@@ -0,0 +1,48 @@
+locals {
+ warehouse_id = var.warehouse_id == "" ? databricks_sql_endpoint.this[0].id : data.databricks_sql_warehouse.this[0].id
+ data_source_id = var.warehouse_id == "" ? databricks_sql_endpoint.this[0].data_source_id : data.databricks_sql_warehouse.this[0].data_source_id
+}
+
+resource "databricks_sql_endpoint" "this" {
+ count = var.warehouse_id == "" ? 1 : 0
+ warehouse_type = "PRO"
+ name = "System Tables"
+ cluster_size = "Small"
+ max_num_clusters = 1
+ auto_stop_mins = 10
+}
+
+data "databricks_sql_warehouse" "this" {
+ count = var.warehouse_id == "" ? 0 : 1
+ id = var.warehouse_id
+}
+
+resource "databricks_sql_query" "query" {
+ for_each = local.queries
+ data_source_id = local.data_source_id
+ name = local.data_map[each.value].name
+ query = local.data_map[each.value].query
+ description = local.data_map[each.value].description
+ parent = "folders/${databricks_directory.this[local.data_map[each.value].parent].object_id}"
+
+ tags = [
+ "system-tables",
+ ]
+}
+
+resource "databricks_sql_alert" "alert" {
+ for_each = local.alerts
+ query_id = databricks_sql_query.query[each.value].id
+ name = local.data_map[each.value].alert.name
+ parent = "folders/${databricks_directory.this[local.data_map[each.value].alert.parent].object_id}"
+ rearm = local.data_map[each.value].alert.rearm
+
+ options {
+ column = local.data_map[each.value].alert.options.column
+ op = local.data_map[each.value].alert.options.op
+ value = local.data_map[each.value].alert.options.value
+ muted = local.data_map[each.value].alert.options.muted
+ custom_body = local.data_map[each.value].alert.options.custom_body
+ custom_subject = local.data_map[each.value].alert.options.custom_subject
+ }
+}
\ No newline at end of file
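Review bot: `databricks_sql_alert.alert` copies `options.column` straight out of `local.data_map` with nothing checking that the column is actually produced by the query it points at, and the data file added by the same commit already contains one mismatch: the `clam_av_infected_files_found` entry selects `signature` and `file_path` but its alert is configured on `infected_files`, so that alert can never evaluate. A per-entry check is awkward to express in HCL, so the realistic fix is to correct the data entry and to document the contract above the resource: `// options.column must be a column returned by the referenced query; this does not appear to be validated at plan time, so check new data entries by hand`. The `local.queries`, `local.alerts`, `local.data_map` and `databricks_directory.this` inputs are defined outside this hunk, so the for_each keys cannot be reviewed here.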
diff --git a/aws-gov/tf/modules/sra/databricks_workspace/solution_accelerators/system_tables_audit_log/variables.tf b/aws-gov/tf/modules/sra/databricks_workspace/solution_accelerators/system_tables_audit_log/variables.tf
new file mode 100644
index 0000000..046e2d2
--- /dev/null
+++ b/aws-gov/tf/modules/sra/databricks_workspace/solution_accelerators/system_tables_audit_log/variables.tf
@@ -0,0 +1,10 @@
+variable "warehouse_id" {
+ type = string
+ default = ""
+ description = "Optional Warehouse ID to run queries on. If not provided, new SQL Warehouse is created"
+}
+
+variable "alert_emails" {
+ type = list(string)
+ description = "List of emails to notify when alerts are fired"
+}
\ No newline at end of file
diff --git a/aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/admin_configuration/admin_configuration.tf b/aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/admin_configuration/admin_configuration.tf
new file mode 100644
index 0000000..72e6bd1
--- /dev/null
+++ b/aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/admin_configuration/admin_configuration.tf
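Review bot: `alert_emails` is declared as a required input with no default, yet nothing in the sibling `sql.tf` hunk references it and the `databricks_sql_alert` resources there carry no notification target, so as far as this patch shows the alerts fire into nothing. If the list is consumed by another file of this module that is not in this diff, the description should say so; if not, the variable is dead and every apply will demand a value that is never used. Either way the description is the place to state it, e.g. `description = "Emails subscribed to the alerts created in sql.tf (consumed by <file>)"` with the file named, or the variable removed.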
@@ -0,0 +1,14 @@
+// Terraform Documentation: https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/workspace_conf
+
+resource "databricks_workspace_conf" "just_config_map" {
+ custom_config = {
+ "enableResultsDownloading" = "false", // https://docs.databricks.com/en/notebooks/notebook-outputs.html#download-results
+ "enableNotebookTableClipboard" = "false", // https://docs.databricks.com/en/administration-guide/workspace-settings/notebooks.html#enable-users-to-copy-data-to-the-clipboard-from-notebooks
+ "enableVerboseAuditLogs" = "true", // https://docs.databricks.com/en/administration-guide/account-settings/verbose-logs.html
+ "enableDbfsFileBrowser" = "false", // https://docs.databricks.com/en/administration-guide/workspace-settings/dbfs-browser.html
+ "enableExportNotebook" = "false", // https://docs.databricks.com/en/administration-guide/workspace-settings/notebooks.html#enable-users-to-export-notebooks
+ "enforceUserIsolation" = "true", // https://docs.databricks.com/en/administration-guide/workspace-settings/enforce-user-isolation.html
+ "storeInteractiveNotebookResultsInCustomerAccount" = "true", // https://docs.databricks.com/en/administration-guide/workspace-settings/notebooks.html#manage-where-notebook-results-are-stored
+ "enableUploadDataUis" = "false" // https://docs.databricks.com/en/ingestion/add-data/index.html
+ }
+}
\ No newline at end of file
diff --git a/aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/admin_configuration/provider.tf b/aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/admin_configuration/provider.tf
new file mode 100644
index 0000000..bdd3474
--- /dev/null
+++ b/aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/admin_configuration/provider.tf
@@ -0,0 +1,7 @@
+terraform {
+ required_providers {
+ databricks = {
+ source = "databricks/databricks"
+ }
+ }
+}
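Review bot: The lifecycle of these settings is undocumented in `databricks_workspace_conf.just_config_map`, and it matters here because the map carries the workspace's hardening switches (`enforceUserIsolation`, `enableVerboseAuditLogs`): what the provider does when a key is dropped from `custom_config`, or when this module is destroyed, decides whether those controls silently revert. Confirm the behaviour against the provider docs linked at the top and record it above `custom_config`, e.g. `// Only keys listed here are managed; confirm whether removing a key or destroying this resource resets the setting, and restore it explicitly if not`. The resource name `just_config_map` also says nothing about its purpose; something like `workspace_hardening` would read better next to the other security modules.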
diff --git a/aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/cluster_configuration/cluster_configuration.tf b/aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/cluster_configuration/cluster_configuration.tf
new file mode 100644
index 0000000..87b71b9
--- /dev/null
+++ b/aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/cluster_configuration/cluster_configuration.tf
@@ -0,0 +1,53 @@
+// Terraform Documentation: https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/cluster
+
+// Cluster Version
+data "databricks_spark_version" "latest_lts" {
+ long_term_support = true
+}
+
+// Example Cluster Policy
+locals {
+ default_policy = {
+ "dbus_per_hour" : {
+ "type" : "range",
+ "maxValue" : 10
+ },
+ "autotermination_minutes" : {
+ "type" : "fixed",
+ "value" : 60,
+ "hidden" : true
+ },
+ "custom_tags.Example" : {
+ "type" : "fixed",
+ "value" : var.resource_prefix
+ }
+ }
+}
+
+resource "databricks_cluster_policy" "example" {
+ name = "Example Cluster Policy"
+ definition = jsonencode(local.default_policy)
+}
+
+// Cluster Creation
+resource "databricks_cluster" "example" {
+ cluster_name = "Shared Cluster"
+ data_security_mode = "USER_ISOLATION"
+ spark_version = data.databricks_spark_version.latest_lts.id
+ node_type_id = var.compliance_security_profile_egress_ports ? "i3en.xlarge" : "i3.xlarge"
+ policy_id = databricks_cluster_policy.example.id
+
+ autoscale {
+ min_workers = 1
+ max_workers = 2
+ }
+
+ spark_conf = {
+ # Add additional spark configurations here
+ "secret.example" = var.secret_config_reference
+ }
+
+ depends_on = [
+ databricks_cluster_policy.example
+ ]
+}
\ No newline at end of file
diff --git a/aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/cluster_configuration/provider.tf b/aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/cluster_configuration/provider.tf
new file mode 100644
index 0000000..bdd3474
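Review bot: `local.default_policy` constrains only cost attributes (`dbus_per_hour`, `autotermination_minutes`, a tag), so the isolation guarantee lives solely in the hard-coded `data_security_mode = "USER_ISOLATION"` on `databricks_cluster.example`; any cluster a user creates under `databricks_cluster_policy.example` can pick a non-isolated mode. Since a policy is the control that actually governs user-created clusters, pinning the mode there makes the example match the hardening intent of the module. The `// Example Cluster Policy` comment should also say what the policy is meant to enforce, so the next maintainer does not treat it as purely a cost guard.
```hcl
locals {
  default_policy = {
    // … unchanged: dbus_per_hour, autotermination_minutes, custom_tags.Example …
    "data_security_mode" : {
      "type" : "fixed",
      "value" : "USER_ISOLATION",
      "hidden" : true
    }
  }
}
```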
--- /dev/null
+++ b/aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/cluster_configuration/provider.tf
@@ -0,0 +1,7 @@
+terraform {
+ required_providers {
+ databricks = {
+ source = "databricks/databricks"
+ }
+ }
+}
diff --git a/aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/cluster_configuration/variables.tf b/aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/cluster_configuration/variables.tf
new file mode 100644
index 0000000..615c442
--- /dev/null
+++ b/aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/cluster_configuration/variables.tf
@@ -0,0 +1,13 @@
+variable "resource_prefix" {
+ type = string
+}
+
+variable "secret_config_reference" {
+ type = string
+}
+
+variable "compliance_security_profile_egress_ports" {
+ type = bool
+ description = "Add 2443 to security group configuration or nitro instance"
+ nullable = false
+}
\ No newline at end of file
diff --git a/aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/ip_access_list/ip_access_list.tf b/aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/ip_access_list/ip_access_list.tf
new file mode 100644
index 0000000..658fd89
--- /dev/null
+++ b/aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/ip_access_list/ip_access_list.tf
@@ -0,0 +1,14 @@
+// Terraform Documentation: https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/ip_access_list
+
+resource "databricks_workspace_conf" "this" {
+ custom_config = {
+ "enableIpAccessLists" = true
+ }
+}
+
+resource "databricks_ip_access_list" "allowed-list" {
+ label = "allow_in"
+ list_type = "ALLOW"
+ ip_addresses = var.ip_addresses
+ depends_on = [databricks_workspace_conf.this]
+}
\ No newline at end of file
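Review bot: `databricks_ip_access_list.allowed-list` turns on enforcement with whatever `var.ip_addresses` holds and nothing in this module guards against the list omitting the address Terraform itself, or the workspace admins, connect from; the workspace API is believed to reject a list that would block the caller, but confirm that, because if it does not the next apply locks the operator out and recovery is a manual account-level change. The operator-facing caveat belongs in a comment above the resource: `// The allow list must include the address Terraform runs from and the admins' egress addresses; an ALLOW list that excludes the caller cannot be corrected through this workspace`. As a style point, `"enableIpAccessLists" = true` is a bare bool while the sibling `admin_configuration.tf` writes every `custom_config` value as a string (`"true"`); the provider coerces it, but the two modules should agree, so `"enableIpAccessLists" = "true"`.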
diff --git a/aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/ip_access_list/provider.tf b/aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/ip_access_list/provider.tf
new file mode 100644
index 0000000..bdd3474
--- /dev/null
+++ b/aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/ip_access_list/provider.tf
@@ -0,0 +1,7 @@
+terraform {
+ required_providers {
+ databricks = {
+ source = "databricks/databricks"
+ }
+ }
+}
diff --git a/aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/ip_access_list/variables.tf b/aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/ip_access_list/variables.tf
new file mode 100644
index 0000000..4e1d552
--- /dev/null
+++ b/aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/ip_access_list/variables.tf
@@ -0,0 +1,3 @@
+variable "ip_addresses" {
+ type = list(string)
+}
\ No newline at end of file
diff --git a/aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/secret_management/output.tf b/aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/secret_management/output.tf
new file mode 100644
index 0000000..ca80979
--- /dev/null
+++ b/aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/secret_management/output.tf
@@ -0,0 +1,3 @@
+output "config_reference" {
+ value = databricks_secret.example_app_secret.config_reference
+}
\ No newline at end of file
diff --git a/aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/secret_management/provider.tf b/aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/secret_management/provider.tf
new file mode 100644
index 0000000..bdd3474
--- /dev/null
+++ b/aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/secret_management/provider.tf
@@ -0,0 +1,7 @@
+terraform {
+ required_providers {
+ databricks = {
+ source = "databricks/databricks"
+ }
+ }
+}
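Review bot: `variable "ip_addresses"` in the ip_access_list `variables.tf` hunk has no description, and this is the one input in the module whose wrong value locks people out, so the contract should be stated where the caller sets it. A description along the lines of `description = "IPv4 addresses or CIDR blocks allowed to reach the workspace; must include the egress address Terraform runs from and those of the workspace admins"` gives the operator the warning before apply rather than after. A `validation` block could additionally reject obviously malformed entries, but what the API accepts (single addresses versus CIDR) should be confirmed before encoding it.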
diff --git a/aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/secret_management/secret_management.tf b/aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/secret_management/secret_management.tf
new file mode 100644
index 0000000..65f0be9
--- /dev/null
+++ b/aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/secret_management/secret_management.tf
@@ -0,0 +1,11 @@
+// Terraform Documentation: https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/secret
+
+resource "databricks_secret_scope" "app" {
+ name = "application-secret-scope"
+}
+
+resource "databricks_secret" "example_app_secret" {
+ key = "example_api_secret"
+ string_value = "value that should be hidden from Terraform!"
+ scope = databricks_secret_scope.app.id
+}
\ No newline at end of file
diff --git a/aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/token_management/provider.tf b/aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/token_management/provider.tf
new file mode 100644
index 0000000..bdd3474
--- /dev/null
+++ b/aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/token_management/provider.tf
@@ -0,0 +1,7 @@
+terraform {
+ required_providers {
+ databricks = {
+ source = "databricks/databricks"
+ }
+ }
+}
diff --git a/aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/token_management/token_management.tf b/aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/token_management/token_management.tf
new file mode 100644
index 0000000..980ab4e
--- /dev/null
+++ b/aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/token_management/token_management.tf
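Review bot: `databricks_secret.example_app_secret` sets `string_value` to a literal in source, which puts the secret in version control as well as in Terraform state, and the literal's own wording ("should be hidden from Terraform") shows the pattern this module is supposed to demonstrate against. Even as an example, it should model the safe shape: `string_value = var.example_api_secret` with a `variable "example_api_secret" { type = string, sensitive = true }` in `variables.tf`, so the value is injected at apply time and redacted from plan output. A comment above the resource should also say that the value still lands in state regardless of `sensitive`, so the state backend must be access-controlled and encrypted.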
@@ -0,0 +1,7 @@
+// Terraform Documentation: https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/token
+
+resource "databricks_token" "pat" {
+ comment = "Terraform Provisioning"
+ // 30 day token
+ lifetime_seconds = 2592000
+}
\ No newline at end of file
diff --git a/aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/uc_catalog/provider.tf b/aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/uc_catalog/provider.tf
new file mode 100644
index 0000000..1d847d2
--- /dev/null
+++ b/aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/uc_catalog/provider.tf
@@ -0,0 +1,7 @@
+terraform {
+ required_providers {
+ databricks = {
+ source = "databricks/databricks"
+ }
+ }
+}
\ No newline at end of file
diff --git a/aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/uc_catalog/uc_catalog.tf b/aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/uc_catalog/uc_catalog.tf
new file mode 100644
index 0000000..625fb1c
--- /dev/null
+++ b/aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/uc_catalog/uc_catalog.tf
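Review bot: `databricks_token.pat` gives the token a 30-day `lifetime_seconds` but nothing here replaces it when that window ends: Terraform keeps the resource in state with a dead token, and anything that consumed its value keeps presenting an expired credential. The `// 30 day token` comment should carry that consequence, e.g. `// Expires after 30 days; Terraform does not rotate it — replace the resource before expiry (a time_rotating trigger in replace_triggered_by is one option) and note that the token value is stored in state`. The `time` provider is used elsewhere in this commit (`time_sleep` in the uc_catalog module) but is not declared in this module's `provider.tf`, so that option needs the provider added here.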
@@ -0,0 +1,164 @@ +resource "null_resource" "previous" {} + +resource "time_sleep" "wait_30_seconds" { + depends_on = [null_resource.previous] + + create_duration = "30s" +} + + +// Unity Catalog Trust Policy +data "aws_iam_policy_document" "passrole_for_unity_catalog_catalog" { + statement { + effect = "Allow" + actions = ["sts:AssumeRole"] + principals { + identifiers = ["arn:aws-us-gov:iam::${var.databricks_prod_aws_account_id[var.databricks_gov_shard]}:role/unity-catalog-prod-UCMasterRole-${var.uc_master_role_id[var.databricks_gov_shard]}"] + type = "AWS" + } + condition { + test = "StringEquals" + variable = "sts:ExternalId" + values = [var.databricks_account_id] + } + } + statement { + sid = "ExplicitSelfRoleAssumption" + effect = "Allow" + actions = ["sts:AssumeRole"] + principals { + type = "AWS" + identifiers = ["arn:aws-us-gov:iam::${var.aws_account_id}:root"] + } + condition { + test = "ArnLike" + variable = "aws:PrincipalArn" + values = ["arn:aws-us-gov:iam::${var.aws_account_id}:role/${var.resource_prefix}-unity-catalog-${var.workspace_id}"] + } + condition { + test = "StringEquals" + variable = "sts:ExternalId" + values = [var.databricks_account_id] + } + } +} + +// Unity Catalog Role +resource "aws_iam_role" "unity_catalog_role" { + name = "${var.resource_prefix}-unity-catalog-${var.workspace_id}" + assume_role_policy = data.aws_iam_policy_document.passrole_for_unity_catalog_catalog.json + tags = { + Name = "${var.resource_prefix}-unity-catalog" + } +} + +// Unity Catalog IAM Policy +data "aws_iam_policy_document" "unity_catalog_iam_policy" { + statement { + actions = [ + "s3:GetObject", + "s3:GetObjectVersion", + "s3:PutObject", + "s3:PutObjectAcl", + "s3:DeleteObject", + "s3:ListBucket", + "s3:GetBucketLocation" + ] + + resources = [ + "arn:aws-us-gov:s3:::${var.uc_catalog_name}/*", + "arn:aws-us-gov:s3:::${var.uc_catalog_name}" + ] + + effect = "Allow" + } + + statement { + actions = ["sts:AssumeRole"] + resources = 
["arn:aws-us-gov:iam::${var.aws_account_id}:role/${var.resource_prefix}-unity-catalog-${var.workspace_id}"] + effect = "Allow" + } +} + +// Unity Catalog Policy +resource "aws_iam_role_policy" "unity_catalog" { + name = "${var.resource_prefix}-unity-catalog-policy-${var.workspace_id}" + role = aws_iam_role.unity_catalog_role.id + policy = data.aws_iam_policy_document.unity_catalog_iam_policy.json +} + + +// Unity Catalog S3 +resource "aws_s3_bucket" "unity_catalog_bucket" { + bucket = var.uc_catalog_name + force_destroy = true + tags = { + Name = var.uc_catalog_name + } +} + +resource "aws_s3_bucket_versioning" "unity_catalog_versioning" { + bucket = aws_s3_bucket.unity_catalog_bucket.id + versioning_configuration { + status = "Disabled" + } +} + +resource "aws_s3_bucket_server_side_encryption_configuration" "unity_catalog" { + bucket = aws_s3_bucket.unity_catalog_bucket.bucket + + rule { + apply_server_side_encryption_by_default { + sse_algorithm = "AES256" + } + } +} + +resource "aws_s3_bucket_public_access_block" "unity_catalog" { + bucket = aws_s3_bucket.unity_catalog_bucket.id + block_public_acls = true + block_public_policy = true + ignore_public_acls = true + restrict_public_buckets = true + depends_on = [aws_s3_bucket.unity_catalog_bucket] +} + +// Storage Credential +resource "databricks_storage_credential" "workspace_catalog_storage_credential" { + name = aws_iam_role.unity_catalog_role.name + aws_iam_role { + role_arn = aws_iam_role.unity_catalog_role.arn + } + depends_on = [aws_iam_role.unity_catalog_role, time_sleep.wait_30_seconds] +} + +// External Location +resource "databricks_external_location" "workspace_catalog_external_location" { + name = var.uc_catalog_name + url = "s3://${var.uc_catalog_name}/catalog/" + credential_name = databricks_storage_credential.workspace_catalog_storage_credential.id + skip_validation = true + read_only = false + comment = "Managed by TF" +} + + +// Workspace Catalog +resource "databricks_catalog" "workspace_catalog" 
{ + name = var.uc_catalog_name + comment = "This catalog is for workspace - ${var.workspace_id}" + isolation_mode = "ISOLATED" + storage_root = "s3://${var.uc_catalog_name}/catalog/" + properties = { + purpose = "Catalog for workspace - ${var.workspace_id}" + } + depends_on = [databricks_external_location.workspace_catalog_external_location] +} + +// Grant Admin Catalog Perms +resource "databricks_grant" "workspace_catalog" { + catalog = databricks_catalog.workspace_catalog.name + + principal = var.workspace_catalog_admin + privileges = ["ALL_PRIVILEGES"] +} diff --git a/aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/uc_catalog/variables.tf b/aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/uc_catalog/variables.tf new file mode 100644 index 0000000..6420927 --- /dev/null +++ b/aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/uc_catalog/variables.tf @@ -0,0 +1,23 @@ +variable "aws_account_id" { + type = string +} + +variable "resource_prefix" { + type = string +} + +variable "databricks_account_id" { + type = string +} + +variable "workspace_id" { + type = string +} + +variable "uc_catalog_name" { + type = string +} + +variable "workspace_catalog_admin" { + type = string +} \ No newline at end of file diff --git a/aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/uc_external_location/provider.tf b/aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/uc_external_location/provider.tf new file mode 100644 index 0000000..1d847d2 --- /dev/null +++ b/aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/uc_external_location/provider.tf @@ -0,0 +1,7 @@ +terraform { + required_providers { + databricks = { + source = "databricks/databricks" + } + } +} \ No newline at end of file 
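Review bot: `data "aws_iam_policy_document" "passrole_for_unity_catalog_catalog"` reads `var.databricks_prod_aws_account_id`, `var.databricks_gov_shard` and `var.uc_master_role_id`, but the module's variables.tf in the same section declares only `aws_account_id`, `resource_prefix`, `databricks_account_id`, `workspace_id`, `uc_catalog_name` and `workspace_catalog_admin`, and no other file under `uc_catalog/` appears in this patch, so `terraform validate` should fail on undeclared input variables. The same three references appear in `passrole_for_storage_credential` in `uc_external_location/uc_external_location.tf`, whose variables.tf also lacks them. Either declare the three in each submodule and pass them from the caller, or resolve the master-role ARN once in a `locals` block at the sra module level and pass the finished string into both submodules. Separately, `aws_s3_bucket.unity_catalog_bucket` combines `force_destroy = true` with `sse_algorithm = "AES256"` while the root bucket in root_s3_bucket.tf uses the customer-managed KMS key — a comment explaining why catalog data gets the weaker default (or switching it to the same key) is worth adding.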
diff --git a/aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/uc_external_location/uc_external_location.tf b/aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/uc_external_location/uc_external_location.tf
new file mode 100644
index 0000000..cb25c81
--- /dev/null
+++ b/aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/uc_external_location/uc_external_location.tf
@@ -0,0 +1,114 @@ +resource "null_resource" "previous" {} + +resource "time_sleep" "wait_30_seconds" { + depends_on = [null_resource.previous] + + create_duration = "30s" +} + +// Storage Credential Trust Policy +data "aws_iam_policy_document" "passrole_for_storage_credential" { + statement { + effect = "Allow" + actions = ["sts:AssumeRole"] + principals { + identifiers = ["arn:aws-us-gov:iam::${var.databricks_prod_aws_account_id[var.databricks_gov_shard]}:role/unity-catalog-prod-UCMasterRole-${var.uc_master_role_id[var.databricks_gov_shard]}"] + type = "AWS" + } + condition { + test = "StringEquals" + variable = "sts:ExternalId" + values = [var.databricks_account_id] + } + } + statement { + sid = "ExplicitSelfRoleAssumption" + effect = "Allow" + actions = ["sts:AssumeRole"] + principals { + type = "AWS" + identifiers = ["arn:aws-us-gov:iam::${var.aws_account_id}:root"] + } + condition { + test = "ArnLike" + variable = "aws:PrincipalArn" + values = ["arn:aws-us-gov:iam::${var.aws_account_id}:role/${var.resource_prefix}-storage-credential"] + } + condition { + test = "StringEquals" + variable = "sts:ExternalId" + values = [var.databricks_account_id] + } + } +} + +// Storage Credential Role +resource "aws_iam_role" "storage_credential_role" { + name = "${var.resource_prefix}-storage-credential" + assume_role_policy = data.aws_iam_policy_document.passrole_for_storage_credential.json + tags = { + Name = "${var.resource_prefix}-storage_credential_role" + } +} + + +// Storage Credential Policy +resource "aws_iam_role_policy" "storage_credential_policy" { + name = "${var.resource_prefix}-storage-credential-policy" + role = aws_iam_role.storage_credential_role.id + policy = jsonencode({ Version : "2012-10-17", + Statement : [ + { + "Action" : [ + "s3:GetObject", + "s3:ListBucket", + "s3:GetBucketLocation", + "s3:GetLifecycleConfiguration", + ], + "Resource" : [ + "arn:aws-us-gov:s3:::${var.read_only_data_bucket}/*", + "arn:aws-us-gov:s3:::${var.read_only_data_bucket}" + ], 
+ "Effect" : "Allow" + }, + { + "Action" : [ + "sts:AssumeRole" + ], + "Resource" : [ + "arn:aws-us-gov:iam::${var.aws_account_id}:role/${var.resource_prefix}-storage-credential" + ], + "Effect" : "Allow" + } + ] + } + ) +} + +// Storage Credential +resource "databricks_storage_credential" "external" { + name = aws_iam_role.storage_credential_role.name + aws_iam_role { + role_arn = aws_iam_role.storage_credential_role.arn + } + depends_on = [aws_iam_role.storage_credential_role, time_sleep.wait_30_seconds] +} + +// External Location +resource "databricks_external_location" "data_example" { + name = "external-location-example" + url = "s3://${var.read_only_data_bucket}/" + credential_name = databricks_storage_credential.external.id + skip_validation = true + read_only = true + comment = "Managed by TF" +} + +// External Location Grant +resource "databricks_grants" "data_example" { + external_location = databricks_external_location.data_example.id + grant { + principal = var.read_only_external_location_admin + privileges = ["ALL_PRIVILEGES"] + } +} \ No newline at end of file diff --git a/aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/uc_external_location/variables.tf b/aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/uc_external_location/variables.tf new file mode 100644 index 0000000..3a838a6 --- /dev/null +++ b/aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/uc_external_location/variables.tf @@ -0,0 +1,19 @@ +variable "databricks_account_id" { + type = string +} + +variable "aws_account_id" { + type = string +} + +variable "resource_prefix" { + type = string +} + +variable "read_only_data_bucket" { + type = string +} + +variable "read_only_external_location_admin" { + type = string +} \ No newline at end of file diff --git a/aws-gov/tf/modules/sra/network.tf b/aws-gov/tf/modules/sra/network.tf new file mode 100644 index 0000000..cf13eb3 --- /dev/null +++ b/aws-gov/tf/modules/sra/network.tf 
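Review bot: `databricks_external_location.data_example` is created with `skip_validation = true`, so a wrong trust policy on `storage_credential_role` or an unreadable `var.read_only_data_bucket` is not caught at apply time and only surfaces when a user first queries the location. If the flag is there to absorb IAM propagation delay (the `time_sleep.wait_30_seconds` dependency suggests so), record that in a comment, e.g. `// skip_validation: IAM trust may still be propagating after the 30s wait; re-validate in the UI after apply`. The IAM role name `${var.resource_prefix}-storage-credential` carries no workspace suffix, unlike `${var.resource_prefix}-unity-catalog-${var.workspace_id}` in uc_catalog.tf, so two workspaces deployed with the same prefix in one account would collide on the role; the `ArnLike` self-assumption condition would need the same suffix if that is changed.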
@@ -0,0 +1,85 @@ +// EXPLANATION: Create the customer managed-vpc and security group rules + +// VPC and other assets - skipped entirely in custom mode, some assets skipped for firewall and isolated +module "vpc" { + source = "terraform-aws-modules/vpc/aws" + version = "5.1.1" + + count = var.operation_mode != "custom" ? 1 : 0 + + name = "${var.resource_prefix}-classic-compute-plane-vpc" + cidr = var.vpc_cidr_range + azs = var.availability_zones + + enable_dns_hostnames = true + enable_nat_gateway = var.operation_mode == "firewall" || var.operation_mode == "isolated" ? false : true + single_nat_gateway = false + one_nat_gateway_per_az = var.operation_mode == "firewall" || var.operation_mode == "isolated" ? false : true + create_igw = var.operation_mode == "firewall" || var.operation_mode == "isolated" ? false : true + + public_subnet_names = var.operation_mode == "firewall" || var.operation_mode == "isolated" ? [] : [for az in var.availability_zones : format("%s-public-%s", var.resource_prefix, az)] + public_subnets = var.operation_mode == "firewall" || var.operation_mode == "isolated" ? [] : var.public_subnets_cidr + + private_subnet_names = [for az in var.availability_zones : format("%s-private-%s", var.resource_prefix, az)] + private_subnets = var.private_subnets_cidr + + intra_subnet_names = [for az in var.availability_zones : format("%s-privatelink-%s", var.resource_prefix, az)] + intra_subnets = var.privatelink_subnets_cidr +} + + +// Security group - skipped in custom mode +resource "aws_security_group" "sg" { + count = var.operation_mode != "custom" ? 
1 : 0 + + vpc_id = module.vpc[0].vpc_id + depends_on = [module.vpc] + + dynamic "ingress" { + for_each = var.sg_ingress_protocol + content { + description = "Databricks - Workspace SG - Internode Communication" + from_port = 0 + to_port = 65535 + protocol = ingress.value + self = true + } + } + + dynamic "egress" { + for_each = var.sg_egress_protocol + content { + description = "Databricks - Workspace SG - Internode Communication" + from_port = 0 + to_port = 65535 + protocol = egress.value + self = true + } + } + + dynamic "egress" { + for_each = var.sg_egress_ports + content { + description = "Databricks - Workspace SG - REST (443), Secure Cluster Connectivity (6666), Future Extendability (8443-8451)" + from_port = egress.value + to_port = egress.value + protocol = "tcp" + cidr_blocks = ["0.0.0.0/0"] + } + } + + dynamic "egress" { + for_each = var.compliance_security_profile_egress_ports ? [2443] : [] + + content { + description = "Databricks - Workspace Security Group - FIPS encryption" + from_port = 2443 + to_port = 2443 + protocol = "tcp" + cidr_blocks = ["0.0.0.0/0"] + } + } + tags = { + Name = "${var.resource_prefix}-workspace-sg" + } +} \ No newline at end of file diff --git a/aws-gov/tf/modules/sra/outputs.tf b/aws-gov/tf/modules/sra/outputs.tf new file mode 100644 index 0000000..0ac5ce9 --- /dev/null +++ b/aws-gov/tf/modules/sra/outputs.tf @@ -0,0 +1,3 @@ +output "databricks_host" { + value = module.databricks_mws_workspace.workspace_url +} \ No newline at end of file diff --git a/aws-gov/tf/modules/sra/privatelink.tf b/aws-gov/tf/modules/sra/privatelink.tf new file mode 100644 index 0000000..d769f37 --- /dev/null +++ b/aws-gov/tf/modules/sra/privatelink.tf 
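Review bot: The expression `var.operation_mode == "firewall" || var.operation_mode == "isolated"` is repeated five times in `module "vpc"`, each time negated through `? false : true`, which makes the private-only intent hard to read and lets the five attributes drift apart as modes are added. A single local would carry the meaning, e.g. `locals { private_only = contains(["firewall", "isolated"], var.operation_mode) }` and then `enable_nat_gateway = !local.private_only`, with the subnet lists using `local.private_only ? [] : …`. In `aws_security_group.sg`, the `sg_egress_ports` block opens each listed port to `cidr_blocks = ["0.0.0.0/0"]`; if the intent is that egress is actually constrained by the firewall/isolated network paths rather than by the security group, a short comment on that block saying so would save anyone auditing the rule set the question.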
@@ -0,0 +1,321 @@ +// Security group for privatelink - skipped in custom operation mode +resource "aws_security_group" "privatelink" { + count = var.operation_mode != "custom" ? 1 : 0 + + vpc_id = module.vpc[0].vpc_id + + ingress { + description = "Databricks - PrivateLink Endpoint SG - REST API" + from_port = 443 + to_port = 443 + protocol = "tcp" + security_groups = [aws_security_group.sg[0].id] + } + + ingress { + description = "Databricks - PrivateLink Endpoint SG - Secure Cluster Connectivity" + from_port = 6666 + to_port = 6666 + protocol = "tcp" + security_groups = [aws_security_group.sg[0].id] + } + + ingress { + description = "Databricks - PrivateLink Endpoint SG - Future Extendability" + from_port = 8443 + to_port = 8451 + protocol = "tcp" + security_groups = [aws_security_group.sg[0].id] + } + + dynamic "ingress" { + for_each = var.compliance_security_profile_egress_ports ? [2443] : [] + + content { + description = "Databricks - PrivateLink Endpoint SG - FIPS encryption" + from_port = 2443 + to_port = 2443 + protocol = "tcp" + security_groups = [aws_security_group.sg[0].id] + } + } + + tags = { + Name = "${var.resource_prefix}-private-link-sg" + } +} + +// EXPLANATION: VPC Gateway Endpoint for S3, Interface Endpoint for Kinesis, and Interface Endpoint for STS + + +// Restrictive S3 endpoint policy - only used if restrictive S3 endpoint policy is enabled +data "aws_iam_policy_document" "s3_vpc_endpoint_policy" { + count = var.enable_restrictive_s3_endpoint_boolean ? 
1 : 0 + + statement { + sid = "Grant access to Databricks Root Bucket" + effect = "Allow" + actions = [ + "s3:GetObject", + "s3:GetObjectVersion", + "s3:PutObject", + "s3:DeleteObject", + "s3:ListBucket", + "s3:GetBucketLocation" + ] + + principals { + type = "AWS" + identifiers = ["*"] + } + + resources = [ + "arn:aws-us-gov:s3:::${var.resource_prefix}-workspace-root-storage/*", + "arn:aws-us-gov:s3:::${var.resource_prefix}-workspace-root-storage" + ] + + condition { + test = "StringEquals" + variable = "aws:PrincipalAccount" + values = ["${var.databricks_prod_aws_account_id[var.databricks_gov_shard]}"] + } + + condition { + test = "StringEqualsIfExists" + variable = "aws:SourceVpc" + values = [ + module.vpc[0].vpc_id + ] + } + } + + statement { + sid = "Grant access to Databricks Unity Catalog Metastore Bucket" + effect = "Allow" + actions = [ + "s3:GetObject", + "s3:GetObjectVersion", + "s3:PutObject", + "s3:DeleteObject", + "s3:ListBucket", + "s3:GetBucketLocation" + ] + + principals { + type = "AWS" + identifiers = ["*"] + } + + resources = [ + "arn:aws-us-gov:s3:::${var.resource_prefix}-catalog-${module.databricks_mws_workspace.workspace_id}/*", + "arn:aws-us-gov:s3:::${var.resource_prefix}-catalog-${module.databricks_mws_workspace.workspace_id}" + ] + } + + statement { + sid = "Grant read-only access to Data Bucket" + effect = "Allow" + actions = [ + "s3:GetObject", + "s3:GetObjectVersion", + "s3:ListBucket", + "s3:GetBucketLocation" + ] + + principals { + type = "AWS" + identifiers = ["*"] + } + + resources = [ + "arn:aws-us-gov:s3:::${var.read_only_data_bucket}/*", + "arn:aws-us-gov:s3:::${var.read_only_data_bucket}" + ] + } + + statement { + sid = "Grant Databricks Read Access to Artifact and Data Buckets" + effect = "Allow" + actions = [ + "s3:ListBucket", + "s3:GetObjectVersion", + "s3:GetObject", + "s3:GetBucketLocation" + ] + + principals { + type = "AWS" + identifiers = ["*"] + } + + resources = [ + 
"arn:aws-us-gov:s3:::databricks-prod-artifacts-${var.region}/*", + "arn:aws-us-gov:s3:::databricks-prod-artifacts-${var.region}", + "arn:aws-us-gov:s3:::databricks-datasets-${var.region_name}/*", + "arn:aws-us-gov:s3:::databricks-datasets-${var.region_name}" + ] + } + + statement { + sid = "Grant access to Databricks Log Bucket" + effect = "Allow" + actions = [ + "s3:PutObject", + "s3:ListBucket", + "s3:GetBucketLocation" + ] + + principals { + type = "AWS" + identifiers = ["*"] + } + + resources = [ + "arn:aws-us-gov:s3:::databricks-prod-storage-${var.region_name}/*", + "arn:aws-us-gov:s3:::databricks-prod-storage-${var.region_name}" + ] + + condition { + test = "StringEquals" + variable = "aws:PrincipalAccount" + values = ["${var.databricks_prod_aws_account_id[var.databricks_gov_shard]}"] + } + } + depends_on = [module.databricks_mws_workspace] +} + +// Restrictive STS endpoint policy - only used if restrictive STS endpoint policy is enabled +data "aws_iam_policy_document" "sts_vpc_endpoint_policy" { + count = var.enable_restrictive_sts_endpoint_boolean ? 1 : 0 + + statement { + actions = [ + "sts:AssumeRole", + "sts:GetAccessKeyInfo", + "sts:GetSessionToken", + "sts:DecodeAuthorizationMessage", + "sts:TagSession" + ] + effect = "Allow" + resources = ["*"] + + principals { + type = "AWS" + identifiers = ["${var.aws_account_id}"] + } + } + + statement { + actions = [ + "sts:AssumeRole", + "sts:GetSessionToken", + "sts:TagSession" + ] + effect = "Allow" + resources = ["*"] + + principals { + type = "AWS" + identifiers = [ + "arn:aws-us-gov:iam::${var.databricks_prod_aws_account_id[var.databricks_gov_shard]}:user/databricks-datasets-readonly-user", + "${var.databricks_prod_aws_account_id[var.databricks_gov_shard]}" + ] + } + } +} + +// Restrictive Kinesis endpoint policy - only used if restrictive Kinesis endpoint policy is enabled +data "aws_iam_policy_document" "kinesis_vpc_endpoint_policy" { + count = var.enable_restrictive_kinesis_endpoint_boolean ? 
1 : 0 + + statement { + actions = [ + "kinesis:PutRecord", + "kinesis:PutRecords", + "kinesis:DescribeStream" + ] + effect = "Allow" + resources = ["arn:aws-us-gov:kinesis:${var.region}:${var.databricks_prod_aws_account_id[var.databricks_gov_shard]}:stream/*"] + + principals { + type = "AWS" + identifiers = ["${var.databricks_prod_aws_account_id[var.databricks_gov_shard]}"] + } + } +} + +// VPC endpoint creation - Skipped in custom operation mode +module "vpc_endpoints" { + count = var.operation_mode != "custom" ? 1 : 0 + + source = "terraform-aws-modules/vpc/aws//modules/vpc-endpoints" + version = "3.11.0" + + vpc_id = module.vpc[0].vpc_id + security_group_ids = [aws_security_group.privatelink[0].id] + + endpoints = { + s3 = { + service = "s3" + service_type = "Gateway" + route_table_ids = module.vpc[0].private_route_table_ids + policy = var.enable_restrictive_s3_endpoint_boolean ? data.aws_iam_policy_document.s3_vpc_endpoint_policy[0].json : null + tags = { + Name = "${var.resource_prefix}-s3-vpc-endpoint" + } + }, + sts = { + service = "sts" + private_dns_enabled = true + subnet_ids = module.vpc[0].intra_subnets + policy = var.enable_restrictive_sts_endpoint_boolean ? data.aws_iam_policy_document.sts_vpc_endpoint_policy[0].json : null + tags = { + Name = "${var.resource_prefix}-sts-vpc-endpoint" + } + }, + kinesis-streams = { + service = "kinesis-streams" + private_dns_enabled = true + subnet_ids = module.vpc[0].intra_subnets + policy = var.enable_restrictive_kinesis_endpoint_boolean ? data.aws_iam_policy_document.kinesis_vpc_endpoint_policy[0].json : null + tags = { + Name = "${var.resource_prefix}-kinesis-vpc-endpoint" + } + } + } + depends_on = [ + module.vpc, module.databricks_mws_workspace + ] +} + +// Databricks REST endpoint - skipped in custom operation mode +resource "aws_vpc_endpoint" "backend_rest" { + count = var.operation_mode != "custom" ? 
1 : 0 + + vpc_id = module.vpc[0].vpc_id + service_name = var.workspace_vpce_service + vpc_endpoint_type = "Interface" + security_group_ids = [aws_security_group.privatelink[0].id] + subnet_ids = module.vpc[0].intra_subnets + private_dns_enabled = true + depends_on = [module.vpc.vpc_id] + tags = { + Name = "${var.resource_prefix}-databricks-backend-rest" + } +} + +// Databricks SCC endpoint - skipped in custom operation mode +resource "aws_vpc_endpoint" "backend_relay" { + count = var.operation_mode != "custom" ? 1 : 0 + + vpc_id = module.vpc[0].vpc_id + service_name = var.relay_vpce_service + vpc_endpoint_type = "Interface" + security_group_ids = [aws_security_group.privatelink[0].id] + subnet_ids = module.vpc[0].intra_subnets + private_dns_enabled = true + depends_on = [module.vpc.vpc_id] + tags = { + Name = "${var.resource_prefix}-databricks-backend-relay" + } +} \ No newline at end of file diff --git a/aws-gov/tf/modules/sra/provider.tf b/aws-gov/tf/modules/sra/provider.tf new file mode 100644 index 0000000..ebaeb4f --- /dev/null +++ b/aws-gov/tf/modules/sra/provider.tf @@ -0,0 +1,21 @@ +terraform { + required_providers { + databricks = { + source = "databricks/databricks" + configuration_aliases = [ + databricks.mws + ] + } + aws = { + source = "hashicorp/aws" + } + } +} + +provider "databricks" { + alias = "created_workspace" + host = module.databricks_mws_workspace.workspace_url + account_id = var.databricks_account_id + client_id = var.client_id + client_secret = var.client_secret +} \ No newline at end of file diff --git a/aws-gov/tf/modules/sra/root_s3_bucket.tf b/aws-gov/tf/modules/sra/root_s3_bucket.tf new file mode 100644 index 0000000..521910a --- /dev/null +++ b/aws-gov/tf/modules/sra/root_s3_bucket.tf 
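Review bot: `depends_on = [module.vpc.vpc_id]` in `aws_vpc_endpoint.backend_rest` and `aws_vpc_endpoint.backend_relay` is an attribute reference, and Terraform rejects those in `depends_on` (references must be whole resources or modules); the other blocks in this file already use the accepted form, so both should become `depends_on = [module.vpc]`. The `Grant read-only access to Data Bucket` statement in `s3_vpc_endpoint_policy` interpolates `var.read_only_data_bucket` unconditionally, while sra.tf passes `read_only_data_bucket = null` when the read-only external location is disabled; with `enable_restrictive_s3_endpoint_boolean = true` that combination makes the plan fail on a null template value, so the statement should be a `dynamic "statement"` keyed on the bucket being set, or the variable given a non-null default. That statement and the metastore-bucket statement also use `identifiers = ["*"]` with no `aws:PrincipalAccount` condition, unlike the root-bucket and log-bucket statements; if that is deliberate because the bucket policies do the gating, a comment saying so would help the next reviewer.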
@@ -0,0 +1,65 @@
+// EXPLANATION: Create the workspace root bucket
+
+resource "aws_s3_bucket" "root_storage_bucket" {
+ bucket = "${var.resource_prefix}-workspace-root-storage"
+ force_destroy = true
+ tags = {
+ Name = var.resource_prefix
+ }
+}
+
+resource "aws_s3_bucket_versioning" "root_bucket_versioning" {
+ bucket = aws_s3_bucket.root_storage_bucket.id
+ versioning_configuration {
+ status = "Disabled"
+ }
+}
+
+resource "aws_s3_bucket_server_side_encryption_configuration" "root_storage_bucket" {
+ bucket = aws_s3_bucket.root_storage_bucket.bucket
+
+ rule {
+ bucket_key_enabled = true
+ apply_server_side_encryption_by_default {
+ sse_algorithm = "aws:kms"
+ kms_master_key_id = aws_kms_key.workspace_storage.arn
+ }
+ }
+ depends_on = [aws_kms_alias.workspace_storage_key_alias]
+}
+
+resource "aws_s3_bucket_public_access_block" "root_storage_bucket" {
+ bucket = aws_s3_bucket.root_storage_bucket.id
+ block_public_acls = true
+ block_public_policy = true
+ ignore_public_acls = true
+ restrict_public_buckets = true
+ depends_on = [aws_s3_bucket.root_storage_bucket]
+}
+
+data "databricks_aws_bucket_policy" "this" {
+ databricks_e2_account_id = var.databricks_account_id
+ bucket = aws_s3_bucket.root_storage_bucket.bucket
+}
+
+# Bucket policy to use if the restrictive root bucket is set to false
+resource "aws_s3_bucket_policy" "root_bucket_policy" {
+ count = var.enable_restrictive_root_bucket_boolean ? 0 : 1
+
+ bucket = aws_s3_bucket.root_storage_bucket.id
+ policy = data.databricks_aws_bucket_policy.this.json
+ depends_on = [aws_s3_bucket_public_access_block.root_storage_bucket]
+}
+
+# Bucket policy to use if the restrictive root bucket is set to true
+resource "aws_s3_bucket_policy" "root_bucket_policy_ignore" {
+ count = var.enable_restrictive_root_bucket_boolean ? 1 : 0
+
+ bucket = aws_s3_bucket.root_storage_bucket.id
+ policy = data.databricks_aws_bucket_policy.this.json
+ depends_on = [aws_s3_bucket_public_access_block.root_storage_bucket]
+
+ lifecycle {
+ ignore_changes = [policy]
+ }
+}
\ No newline at end of file
diff --git a/aws-gov/tf/modules/sra/variables.tf b/aws-gov/tf/modules/sra/variables.tf
new file mode 100644
index 0000000..05f87ca
--- /dev/null
+++ b/aws-gov/tf/modules/sra/variables.tf
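Review bot: `aws_s3_bucket.root_storage_bucket` is created with `force_destroy = true`, so a `terraform destroy`, or a replacement triggered by a change to `resource_prefix`, empties the workspace root bucket with no guard; for a hardening reference architecture that should at least be a documented choice. A comment such as `// force_destroy: permits tearing down demo workspaces; set false (and consider prevent_destroy) for production` or a boolean variable defaulting to false would make the trade-off explicit. The two `aws_s3_bucket_policy` blocks attach the same `data.databricks_aws_bucket_policy.this.json` and differ only in `count` and `ignore_changes = [policy]`; a comment on `root_bucket_policy_ignore` stating that the restrictive policy is applied elsewhere and drift on this resource is intentionally ignored would explain why both exist.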
@@ -0,0 +1,273 @@ +variable "availability_zones" { + description = "List of AWS availability zones." + type = list(string) +} + +variable "aws_account_id" { + description = "ID of the AWS account." + type = string + sensitive = true +} + +variable "cmk_admin_arn" { + description = "Amazon Resource Name (ARN) of the CMK admin." + type = string +} + +variable "client_id" { + description = "Client ID for Databricks authentication." + type = string + sensitive = true +} + +variable "client_secret" { + description = "Secret key for the Databricks client ID." + type = string + sensitive = true +} + +variable "custom_private_subnet_ids" { + type = list(string) + description = "List of custom private subnet IDs" +} + +variable "custom_relay_vpce_id" { + type = string + description = "Custom Relay VPC Endpoint ID" +} + + +variable "custom_sg_id" { + type = string + description = "Custom security group ID" +} + +variable "custom_vpc_id" { + type = string + description = "Custom VPC ID" +} + +variable "custom_workspace_vpce_id" { + type = string + description = "Custom Workspace VPC Endpoint ID" +} + + +variable "databricks_account_id" { + description = "ID of the Databricks account." + type = string + sensitive = true +} + +variable "read_only_data_bucket" { + description = "S3 bucket for data storage." + type = string +} + +variable "enable_audit_log_alerting" { + description = "Flag to audit log alerting." + type = bool + sensitive = true + default = false +} + +variable "enable_cluster_boolean" { + description = "Flag to enable cluster." + type = bool + sensitive = true + default = false +} + +variable "enable_read_only_external_location_boolean" { + description = "Flag to enable read only external location" + type = bool + sensitive = true + default = false +} + +variable "enable_ip_boolean" { + description = "Flag to enable IP-related configurations." 
+ type = bool + sensitive = true + default = false +} + +variable "enable_logging_boolean" { + description = "Flag to enable logging." + type = bool + sensitive = true + default = false +} + +variable "enable_restrictive_root_bucket_boolean" { + description = "Flag to enable restrictive root bucket settings." + type = bool + sensitive = true + default = false +} + +variable "enable_restrictive_kinesis_endpoint_boolean" { + type = bool + description = "Enable restrictive Kinesis endpoint boolean flag" + default = false +} + +variable "enable_restrictive_s3_endpoint_boolean" { + type = bool + description = "Enable restrictive S3 endpoint boolean flag" + default = false +} + +variable "enable_restrictive_sts_endpoint_boolean" { + type = bool + description = "Enable restrictive STS endpoint boolean flag" + default = false +} + + +variable "enable_sat_boolean" { + description = "Flag for a specific SAT (Service Access Token) configuration." + type = bool + sensitive = true + default = false +} + +variable "enable_system_tables_schema_boolean" { + description = "Flag for enabling public preview system schema access" + type = bool + sensitive = true + default = false +} + +variable "firewall_allow_list" { + description = "List of allowed firewall rules." + type = list(string) +} + +variable "firewall_protocol_deny_list" { + description = "Protocol list that the firewall should deny." + type = string +} + +variable "firewall_subnets_cidr" { + description = "CIDR blocks for firewall subnets." + type = list(string) +} + +variable "hive_metastore_fqdn" { + type = string +} + +variable "ip_addresses" { + description = "List of IP addresses to allow list." + type = list(string) +} + +variable "metastore_exists" { + description = "If a metastore exists" + type = bool +} + +variable "operation_mode" { + type = string + description = "The type of Operation Mode for the workspace network configuration." 
+ nullable = false + + validation { + condition = contains(["sandbox", "firewall", "custom", "isolated"], var.operation_mode) + error_message = "Invalid operation mode. Allowed values are: sandbox, firewall, custom, isolated." + } +} + +variable "compliance_security_profile_egress_ports" { + type = bool + description = "Add 2443 to security group configuration or nitro instance" + nullable = false +} + +variable "enable_admin_configs_boolean" { + type = bool + description = "Enable workspace configs" + nullable = false +} + +variable "private_subnets_cidr" { + description = "CIDR blocks for private subnets." + type = list(string) +} + +variable "privatelink_subnets_cidr" { + description = "CIDR blocks for private link subnets." + type = list(string) +} + +variable "public_subnets_cidr" { + description = "CIDR blocks for public subnets." + type = list(string) +} + +variable "region" { + description = "AWS region code." + type = string +} + +variable "region_name" { + description = "Name of the AWS region." + type = string +} + +variable "relay_vpce_service" { + description = "VPCE service for the secure cluster connectivity relay." + type = string +} + +variable "resource_prefix" { + description = "Prefix for the resource names." + type = string +} + +variable "sg_egress_ports" { + description = "List of egress ports for security groups." + type = list(string) +} + +variable "sg_egress_protocol" { + description = "List of egress protocols for security groups." + type = list(string) +} + +variable "sg_ingress_protocol" { + description = "List of ingress protocols for security groups." + type = list(string) +} + +variable "user_workspace_admin" { + description = "User to grant admin workspace access." + type = string + nullable = false +} + +variable "read_only_external_location_admin" { + description = "User to grant external location admin." + type = string +} + +variable "vpc_cidr_range" { + description = "CIDR range for the VPC." 
+ type = string +} + +variable "workspace_catalog_admin" { + description = "Admin for the workspace catalog" + type = string +} + +variable "workspace_vpce_service" { + description = "VPCE service for the workspace REST API endpoint." + type = string +} + +variable "workspace_admin_service_principal_name" { + description = "Service principal name" + type = string +} \ No newline at end of file diff --git a/aws-gov/tf/provider.tf b/aws-gov/tf/provider.tf new file mode 100644 index 0000000..b6cd9fe --- /dev/null +++ b/aws-gov/tf/provider.tf @@ -0,0 +1,28 @@ +terraform { + required_providers { + databricks = { + source = "databricks/databricks" + version = "~> 1.46.0" + } + aws = { + source = "hashicorp/aws" + } + } +} + +provider "aws" { + region = var.region + default_tags { + tags = { + Resource = var.resource_prefix + } + } +} + +provider "databricks" { + alias = "mws" + host = var.account_console[var.databricks_gov_shard] + account_id = var.databricks_account_id + client_id = var.client_id + client_secret = var.client_secret +} \ No newline at end of file diff --git a/aws-gov/tf/sra.tf b/aws-gov/tf/sra.tf new file mode 100644 index 0000000..b334375 --- /dev/null +++ b/aws-gov/tf/sra.tf 
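Review bot: `sensitive = true` is set on plain feature flags (`enable_cluster_boolean`, `enable_logging_boolean`, `enable_sat_boolean`, `enable_ip_boolean` and others) and on `aws_account_id`; because those values feed `count` expressions, IAM role names and ARNs, marking them sensitive redacts large parts of `terraform plan` output without protecting a secret, which makes change review harder. Keep `sensitive` on `client_secret` (and arguably `client_id` and `databricks_account_id`) and drop it from the booleans. This file declares none of `databricks_prod_aws_account_id`, `databricks_gov_shard` or `uc_master_role_id`, which privatelink.tf in the same module reads through `var.…`; unless they are declared in a module file outside this patch, validation will fail. The description of `enable_sat_boolean` expands SAT as "Service Access Token", whereas in Databricks security tooling SAT usually means the Security Analysis Tool — confirm and correct, and give `hive_metastore_fqdn` a `description` like its neighbours.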
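Review bot: `required_providers` pins `databricks/databricks` to `~> 1.46.0` but gives `hashicorp/aws` no `version` constraint, so a fresh `terraform init` resolves whatever the latest major is and a provider major bump can change resource behavior under this reference architecture; the module-level `aws-gov/tf/modules/sra/provider.tf` in this patch has the same gap. Add a constraint next to the source (a `version = "~> <tested major>.0"` line, filled in from whatever was actually validated) and make sure the dependency lock file is committed rather than ignored, so both providers resolve reproducibly.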
@@ -0,0 +1,77 @@ +module "SRA" { + source = "./modules/sra" + providers = { + databricks.mws = databricks.mws + aws = aws + } + + // Common Authentication Variables + databricks_account_id = var.databricks_account_id + client_id = var.client_id + client_secret = var.client_secret + aws_account_id = var.aws_account_id + region = var.region + region_name = var.region_name[var.databricks_gov_shard] + + // Naming and Tagging Variables: + resource_prefix = var.resource_prefix + + // Required Variables: + workspace_catalog_admin = null // Workspace catalog admin email. + user_workspace_admin = null // Workspace admin user email. + operation_mode = "sandbox" // Operation mode (sandbox, custom, firewall, isolated). + workspace_admin_service_principal_name = "sra-example-sp" // Creates an example admin SP for automation use cases. + metastore_exists = false // If a regional metastore exists set to true. If there are multiple regional metastores, you can comment out "uc_init" and add the metastore ID directly in to the module call for "uc_assignment". + + // AWS Specific Variables: + cmk_admin_arn = null // CMK admin ARN, defaults to the AWS account root user. + vpc_cidr_range = "10.0.0.0/18" // Please re-define the subsequent subnet ranges if the VPC CIDR range is updated. 
+ private_subnets_cidr = ["10.0.0.0/22", "10.0.4.0/22", "10.0.8.0/22"] + privatelink_subnets_cidr = ["10.0.28.0/26", "10.0.28.64/26", "10.0.28.128/26"] + availability_zones = [data.aws_availability_zones.available.names[0], data.aws_availability_zones.available.names[1], data.aws_availability_zones.available.names[2]] + sg_egress_ports = [443, 3306, 6666, 8443, 8444, 8445, 8446, 8447, 8448, 8449, 8450, 8451] + compliance_security_profile_egress_ports = true // Set to true to enable compliance security profile related egress ports (2443) + sg_ingress_protocol = ["tcp", "udp"] + sg_egress_protocol = ["tcp", "udp"] + relay_vpce_service = var.scc_relay[var.databricks_gov_shard] + workspace_vpce_service = var.workspace[var.databricks_gov_shard] + + // Operation Mode Specific Variables: + // Sandbox and Firewall Modes + public_subnets_cidr = ["10.0.29.0/26", "10.0.29.64/26", "10.0.29.128/26"] + + // Firewall Mode Specific: + firewall_subnets_cidr = ["10.0.33.0/26", "10.0.33.64/26", "10.0.33.128/26"] + firewall_allow_list = [".pypi.org", ".cran.r-project.org", ".pythonhosted.org", ".spark-packages.org", ".maven.org", "maven.apache.org", ".storage-download.googleapis.com"] + firewall_protocol_deny_list = "IP" + hive_metastore_fqdn = var.hms_fqdn[var.databricks_gov_shard] // https://docs.databricks.com/en/resources/supported-regions.html#rds-addresses-for-legacy-hive-metastore + + // Custom Mode Specific: + custom_vpc_id = null + custom_private_subnet_ids = null // List of custom private subnet IDs required. + custom_sg_id = null + custom_relay_vpce_id = null + custom_workspace_vpce_id = null + + // Optional Features: + enable_read_only_external_location_boolean = false // Set to true to enable a read-only external location. + read_only_data_bucket = null // S3 bucket name for read-only data. + read_only_external_location_admin = null // Admin for the external location. + + enable_cluster_boolean = false // Set to true to create a default Databricks clusters. 
+ enable_admin_configs_boolean = false // Set to true to enable optional admin configurations. + enable_logging_boolean = false // Set to true to enable log delivery and creation of related assets (e.g. S3 bucket and IAM role) + + enable_restrictive_root_bucket_boolean = false + enable_restrictive_s3_endpoint_boolean = false + enable_restrictive_sts_endpoint_boolean = false + enable_restrictive_kinesis_endpoint_boolean = false + + enable_ip_boolean = false // Set to true to enable IP access list. + ip_addresses = ["X.X.X.X", "X.X.X.X/XX", "X.X.X.X/XX"] // Specify IP addresses for access. + + enable_system_tables_schema_boolean = false // Set to true to enable system table schemas (Public Preview). + + enable_sat_boolean = false // Set to true to enable Security Analysis Tool. https://github.com/databricks-industry-solutions/security-analysis-tool + enable_audit_log_alerting = false // Set to true to create 40+ queries for audit log alerting based on user activity. https://github.com/andyweaves/system-tables-audit-logs +} \ No newline at end of file diff --git a/aws-gov/tf/template.tfvars.example b/aws-gov/tf/template.tfvars.example new file mode 100644 index 0000000..88e026d --- /dev/null +++ b/aws-gov/tf/template.tfvars.example @@ -0,0 +1,8 @@ +# Configuration Variables for AWS and Databricks + +aws_account_id = "" // AWS account ID where resources will be deployed. +client_id = "" // Service principal ID for Databricks with admin permissions. +client_secret = "" // Secret for the corresponding service principal. +databricks_account_id = "" // Databricks account ID. +databricks_gov_shard = "" // (civilian or dod) +resource_prefix = "" // Prefix used for naming and tagging resources (e.g., S3 buckets, IAM roles). diff --git a/aws-gov/tf/variables.tf b/aws-gov/tf/variables.tf new file mode 100644 index 0000000..c493915 --- /dev/null +++ b/aws-gov/tf/variables.tf 
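Review bot: The four `enable_restrictive_*_boolean = false` lines are the only toggles in this module call without an inline comment, so a reader cannot tell what hardening each one switches on; a one-line comment per toggle in the surrounding style, e.g. `enable_restrictive_root_bucket_boolean = false // Set to true to apply the restrictive bucket policy to the workspace root bucket.`, would fix that. `ip_addresses` is pre-filled with the placeholders `"X.X.X.X"` and `"X.X.X.X/XX"`, which presumably fail validation if `enable_ip_boolean` is flipped to true without editing them; the comment on that line could say the list must be replaced before enabling.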
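Review bot: `client_secret = ""` invites users to write the service-principal secret into a `.tfvars` copy on disk, where it sits next to the rest of the configuration and is easy to commit. Add a comment such as `# Prefer setting TF_VAR_client_secret in the environment instead of storing the secret in this file.`, and make sure the README states that `*.tfvars` stays untracked (the diffstat shows `aws-gov/.gitignore` is added in this commit, but its contents are not visible here).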
@@ -0,0 +1,105 @@ +variable "aws_account_id" { + description = "ID of the AWS account." + type = string +} + +variable "client_id" { + description = "Client ID for authentication." + type = string + sensitive = true +} + +variable "client_secret" { + description = "Secret key for the client ID." + type = string + sensitive = true +} + +variable "databricks_account_id" { + description = "ID of the Databricks account." + type = string + sensitive = true +} + +variable "account_console" { + type = map(string) + default = { + "civilian" = "https://accounts.cloud.databricks.us/" + "dod" = "https://accounts-dod.cloud.databricks.us/" + } +} + +variable "region" { + description = "Databricks only operates in AWS Gov West (us-gov-west-1)" + default = "us-gov-west-1" + validation { + condition = contains(["us-gov-west-1"], var.region) + error_message = "Valid value for var: region is (us-gov-west-1)." + } +} + +variable "databricks_prod_aws_account_id" { + type = map(string) + default = { + "civilian" = "044793339203" + "dod" = "170661010020" + } +} + +variable "uc_master_role_id" { + type = map(string) + default = { + "civilian" = "1QRFA8SGY15OJ" + "dod" = "1DI6DL6ZP26AS" + } +} + +variable "databricks_gov_shard" { + description = "pick shard: civilian, dod" + validation { + condition = contains(["civilian", "dod"], var.databricks_gov_shard) + error_message = "Valid values for var: databricks_gov_shard are (civilian, dod)." + } +} + +variable "region_name" { + description = "Name of the AWS region. (e.g. pendleton)" + type = map(string) + default = { + "civilian" = "pendleton" + "dod" = "pendleton-dod" + } +} + +variable "resource_prefix" { + description = "Prefix for the resource names." 
+ type = string +} + +data "aws_availability_zones" "available" { + state = "available" +} + +variable "workspace" { + type = map(string) + default = { + "civilian" = "com.amazonaws.vpce.us-gov-west-1.vpce-svc-0f25e28401cbc9418" + "dod" = "com.amazonaws.vpce.us-gov-west-1.vpce-svc-05c210a2feea23ad7" + } +} + +variable "scc_relay" { + type = map(string) + default = { + "civilian" = "com.amazonaws.vpce.us-gov-west-1.vpce-svc-05f27abef1a1a3faa" + "dod" = "com.amazonaws.vpce.us-gov-west-1.vpce-svc-08fddf710780b2a54" + } +} + +variable "hms_fqdn" { + type = map(string) + default = { + "civilian" = "discovery-search-rds-prod-dbdiscoverysearch-uus7j2cyyu1m.c40ji7ukhesx.us-gov-west-1.rds.amazonaws.com" + "dod" = "lineage-usgovwest1dod-prod.cpnejponioft.us-gov-west-1.rds.amazonaws.com" + } +} \ No newline at end of file diff --git a/aws/README.md b/aws/README.md index 9900fec..7501c5c 100644 --- a/aws/README.md +++ b/aws/README.md 
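Review bot: `databricks_gov_shard` is declared without a `type`, and so is `region`; both should carry `type = string`. The maps `databricks_prod_aws_account_id`, `uc_master_role_id`, `workspace`, `scc_relay` and `hms_fqdn` have no `description` although, as the later patches in this series show, their values become the principals trusted in IAM trust and bucket policies and the VPC endpoint services the workspace connects to; a description on each map naming the Databricks GovCloud documentation the values were taken from lets a reviewer verify them against the source rather than the diff. `data "aws_availability_zones" "available"` would also read better in its own file than between variable declarations.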
@@ -51,7 +51,7 @@ See the below networking diagrams for more information. - **Token Management**: [Personal access tokens](https://docs.databricks.com/dev-tools/api/latest/authentication.html) are used to access Databricks REST APIs in-lieu of passwords. In this template we create an example token and set its time-to-live. This can be set at an administrative level for all users. -- **Secret Management** Integrating with heterogenous systems requires managing a potentially large set of credentials and safely distributing them across an organization. Instead of directly entering your credentials into a notebook, use [Databricks secrets](https://docs.databricks.com/security/secrets/index.html) to store your credentials and reference them in notebooks and jobs. In this template, we create an example secret. +- **Secret Management** Integrating with heterogeneous systems requires managing a potentially large set of credentials and safely distributing them across an organization. Instead of directly entering your credentials into a notebook, use [Databricks secrets](https://docs.databricks.com/security/secrets/index.html) to store your credentials and reference them in notebooks and jobs. In this template, we create an example secret. ## Optional Deployment Configurations 
@@ -89,7 +89,7 @@ See the below networking diagrams for more information. In this section, we break down additional security recommendations and opportunities to maintain a strong security posture that either cannot be configured into this Terraform script or is very specific to individual customers (e.g. SCIM, SSO, Front-End PrivateLink, etc.) -- **Segement Workspaces for Various Levels of Data Seperation**: While Databricks has numerous capabilities for isolating different workloads, such as table ACLs and IAM passthrough for very sensitive workloads, the primary isolation method is to move sensitive workloads to a different workspace. This sometimes happens when a customer has very different teams (for example, a security team and a marketing team) who must both analyze different data in Databricks. +- **Segment Workspaces for Various Levels of Data Separation**: While Databricks has numerous capabilities for isolating different workloads, such as table ACLs and IAM passthrough for very sensitive workloads, the primary isolation method is to move sensitive workloads to a different workspace. This sometimes happens when a customer has very different teams (for example, a security team and a marketing team) who must both analyze different data in Databricks. - **Avoid Storing Production Datasets in Databricks File Store**: Because the DBFS root is accessible to all users in a workspace, all users can access any data stored here. It is important to instruct users to avoid using this location for storing sensitive data. The default location for managed tables in the Hive metastore on Databricks is the DBFS root; to prevent end users who create managed tables from writing to the DBFS root, declare a location on external storage when creating databases in the Hive metastore. diff --git a/aws/tf/sra.tf b/aws/tf/sra.tf index c07cf69..561caf0 100644 --- a/aws/tf/sra.tf +++ b/aws/tf/sra.tf 
@@ -44,7 +44,7 @@ module "SRA" {
 firewall_subnets_cidr = ["10.0.33.0/26", "10.0.33.64/26", "10.0.33.128/26"]
 firewall_allow_list = [".pypi.org", ".cran.r-project.org", ".pythonhosted.org", ".spark-packages.org", ".maven.org", "maven.apache.org", ".storage-download.googleapis.com"]
 firewall_protocol_deny_list = "IP"
- hive_metastore_fqdn = "mdb7sywh50xhpr.chkweekm4xjq.us-east-1.rds.amazonaws.com" // https://docs.databricks.com/en/resources/supported-regions.html#rds-addresses-for-legacy-hive-metastore
+ hive_metastore_fqdn = var.hms_fqdn[var.region] // https://docs.databricks.com/en/resources/supported-regions.html#rds-addresses-for-legacy-hive-metastore
 
 // Custom Mode Specific:
 custom_vpc_id = null
diff --git a/aws/tf/variables.tf b/aws/tf/variables.tf
index 62897ec..55b73a5 100644
--- a/aws/tf/variables.tf
+++ b/aws/tf/variables.tf
@@ -101,4 +101,25 @@ variable "scc_relay" {
 "us-west-2" = "com.amazonaws.vpce.us-west-2.vpce-svc-0158114c0c730c3bb"
 #"us-west-1" = ""
 }
+}
+
+variable "hms_fqdn" {
+ type = map(string)
+ default = {
+ "ap-northeast-1" = "mddx5a4bpbpm05.cfrfsun7mryq.ap-northeast-1.rds.amazonaws.com"
+ "ap-northeast-2" = "md1915a81ruxky5.cfomhrbro6gt.ap-northeast-2.rds.amazonaws.com"
+ "ap-south-1" = "mdjanpojt83v6j.c5jml0fhgver.ap-south-1.rds.amazonaws.com"
+ "ap-southeast-1" = "md1n4trqmokgnhr.csnrqwqko4ho.ap-southeast-1.rds.amazonaws.com"
+ "ap-southeast-2" = "mdnrak3rme5y1c.c5f38tyb1fdu.ap-southeast-2.rds.amazonaws.com"
+ "ca-central-1" = "md1w81rjeh9i4n5.co1tih5pqdrl.ca-central-1.rds.amazonaws.com"
+ "eu-central-1" = "mdv2llxgl8lou0.ceptxxgorjrc.eu-central-1.rds.amazonaws.com"
+ "eu-west-1" = "md15cf9e1wmjgny.cxg30ia2wqgj.eu-west-1.rds.amazonaws.com"
+ "eu-west-2" = "mdio2468d9025m.c6fvhwk6cqca.eu-west-2.rds.amazonaws.com"
+ "eu-west-3" = "metastorerds-dbconsolidationmetastore-asda4em2u6eg.c2ybp3dss6ua.eu-west-3.rds.amazonaws.com"
+ "sa-east-1" = "metastorerds-dbconsolidationmetastore-fqekf3pck8yw.cog1aduyg4im.sa-east-1.rds.amazonaws.com"
+ "us-east-1" = "mdb7sywh50xhpr.chkweekm4xjq.us-east-1.rds.amazonaws.com"
+ "us-east-2" = "md7wf1g369xf22.cluz8hwxjhb6.us-east-2.rds.amazonaws.com"
+ "us-west-2" = "mdpartyyphlhsp.caj77bnxuhme.us-west-2.rds.amazonaws.com"
+ "us-west-1" = "mdzsbtnvk0rnce.c13weuwubexq.us-west-1.rds.amazonaws.com"
+ }
 }
\ No newline at end of file
From 9e9bd32ef64950cf2a74f9fd9204b95d12d1cd41 Mon Sep 17 00:00:00 2001
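Review bot: `hms_fqdn` is added without a `description`; the link that explains these addresses already exists as a trailing comment on the `hive_metastore_fqdn` line in `aws/tf/sra.tf`, so moving it into `description = "Legacy Hive metastore RDS address per region, see https://docs.databricks.com/en/resources/supported-regions.html#rds-addresses-for-legacy-hive-metastore"` keeps the provenance with the data a reviewer has to verify. The map also includes `us-west-1` while `scc_relay` directly above keeps that region commented out, which looks inconsistent unless intentional.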
From: Antonio Irizarry Date: Wed, 17 Jul 2024 22:59:38 -0400 Subject: [PATCH 03/24] Added Govcloud Variables --- .../tf/modules/sra/data_plane_hardening.tf | 8 +++++--- .../restrictive_root_bucket/variables.tf | 7 +++++++ .../tf/modules/sra/databricks_workspace.tf | 18 ++++++++++++------ .../uc_catalog/variables.tf | 12 ++++++++++++ .../uc_external_location/variables.tf | 14 +++++++++++++- aws-gov/tf/modules/sra/variables.tf | 15 +++++++++++++++ aws-gov/tf/sra.tf | 19 +++++++++++-------- 7 files changed, 75 insertions(+), 18 deletions(-) diff --git a/aws-gov/tf/modules/sra/data_plane_hardening.tf b/aws-gov/tf/modules/sra/data_plane_hardening.tf index 65655f0..62a5a05 100644 --- a/aws-gov/tf/modules/sra/data_plane_hardening.tf +++ b/aws-gov/tf/modules/sra/data_plane_hardening.tf @@ -33,9 +33,11 @@ module "restrictive_root_bucket" { aws = aws } - workspace_id = module.databricks_mws_workspace.workspace_id - region_name = var.region_name - root_s3_bucket = "${var.resource_prefix}-workspace-root-storage" + workspace_id = module.databricks_mws_workspace.workspace_id + region_name = var.region_name + root_s3_bucket = "${var.resource_prefix}-workspace-root-storage" + databricks_gov_shard = var.databricks_gov_shard + databricks_prod_aws_account_id = var.databricks_prod_aws_account_id depends_on = [module.databricks_mws_workspace] } \ No newline at end of file diff --git a/aws-gov/tf/modules/sra/data_plane_hardening/restrictive_root_bucket/variables.tf b/aws-gov/tf/modules/sra/data_plane_hardening/restrictive_root_bucket/variables.tf index 3cdbe8c..a48b064 100644 --- a/aws-gov/tf/modules/sra/data_plane_hardening/restrictive_root_bucket/variables.tf +++ b/aws-gov/tf/modules/sra/data_plane_hardening/restrictive_root_bucket/variables.tf @@ -8,4 +8,11 @@ variable "root_s3_bucket" { variable "workspace_id" { type = string +} + +variable "databricks_gov_shard" { + type = string +} +variable "databricks_prod_aws_account_id" { + type = map(string) } \ No newline at end of file 
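Review bot: The new `databricks_gov_shard` and `databricks_prod_aws_account_id` variables in `restrictive_root_bucket/variables.tf` are declared without a `description`, and there is no blank line between the two blocks; the same undocumented copies are repeated in `uc_catalog/variables.tf` and `uc_external_location/variables.tf` in this commit and in `logging_configuration/variables.tf` in patch 06. Since the account-ID map ends up as the trusted principal in bucket and role trust policies, a line such as `description = "Databricks-owned AWS account ID per GovCloud shard; trusted as principal in bucket and role trust policies."` on each copy records why the submodule needs it.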
diff --git a/aws-gov/tf/modules/sra/databricks_workspace.tf b/aws-gov/tf/modules/sra/databricks_workspace.tf index 531354b..e344ca1 100644 --- a/aws-gov/tf/modules/sra/databricks_workspace.tf +++ b/aws-gov/tf/modules/sra/databricks_workspace.tf @@ -7,12 +7,15 @@ module "uc_catalog" { databricks = databricks.created_workspace } - databricks_account_id = var.databricks_account_id - aws_account_id = var.aws_account_id - resource_prefix = var.resource_prefix - uc_catalog_name = "${var.resource_prefix}-catalog-${module.databricks_mws_workspace.workspace_id}" - workspace_id = module.databricks_mws_workspace.workspace_id - workspace_catalog_admin = var.workspace_catalog_admin + databricks_account_id = var.databricks_account_id + aws_account_id = var.aws_account_id + resource_prefix = var.resource_prefix + uc_catalog_name = "${var.resource_prefix}-catalog-${module.databricks_mws_workspace.workspace_id}" + workspace_id = module.databricks_mws_workspace.workspace_id + workspace_catalog_admin = var.workspace_catalog_admin + databricks_gov_shard = var.databricks_gov_shard + databricks_prod_aws_account_id = var.databricks_prod_aws_account_id + uc_master_role_id = var.uc_master_role_id depends_on = [ module.databricks_mws_workspace, module.uc_assignment @@ -32,6 +35,9 @@ module "uc_external_location" { resource_prefix = var.resource_prefix read_only_data_bucket = var.read_only_data_bucket read_only_external_location_admin = var.read_only_external_location_admin + databricks_gov_shard = var.databricks_gov_shard + databricks_prod_aws_account_id = var.databricks_prod_aws_account_id + uc_master_role_id = var.uc_master_role_id depends_on = [ module.databricks_mws_workspace, module.uc_assignment diff --git a/aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/uc_catalog/variables.tf b/aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/uc_catalog/variables.tf index 6420927..99fc773 100644 
--- a/aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/uc_catalog/variables.tf +++ b/aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/uc_catalog/variables.tf @@ -20,4 +20,16 @@ variable "uc_catalog_name" { variable "workspace_catalog_admin" { type = string +} + +variable "databricks_gov_shard" { + type = string +} + +variable "databricks_prod_aws_account_id" { + type = map(string) +} + +variable "uc_master_role_id" { + type = map(string) } \ No newline at end of file diff --git a/aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/uc_external_location/variables.tf b/aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/uc_external_location/variables.tf index 3a838a6..c1ae578 100644 --- a/aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/uc_external_location/variables.tf +++ b/aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/uc_external_location/variables.tf @@ -16,4 +16,16 @@ variable "read_only_data_bucket" { variable "read_only_external_location_admin" { type = string -} \ No newline at end of file +} + +variable "databricks_gov_shard" { + type = string +} + +variable "databricks_prod_aws_account_id" { + type = map(string) +} + +variable "uc_master_role_id" { + type = map(string) +} diff --git a/aws-gov/tf/modules/sra/variables.tf b/aws-gov/tf/modules/sra/variables.tf index 05f87ca..7556441 100644 --- a/aws-gov/tf/modules/sra/variables.tf +++ b/aws-gov/tf/modules/sra/variables.tf 
@@ -270,4 +270,19 @@ variable "workspace_vpce_service" { variable "workspace_admin_service_principal_name" { description = "Service principal name" type = string +} + +variable "databricks_gov_shard" { + description = "Gov Shard civilian or dod" + type = string +} + +variable "databricks_prod_aws_account_id" { + description = "Databricks Prod AWS Account Id" + type = map(string) +} + +variable "uc_master_role_id" { + description = "UC Master Role ID" + type = map(string) } \ No newline at end of file diff --git a/aws-gov/tf/sra.tf b/aws-gov/tf/sra.tf index b334375..7c5d698 100644 --- a/aws-gov/tf/sra.tf +++ b/aws-gov/tf/sra.tf 
@@ -6,19 +6,22 @@ module "SRA" { } // Common Authentication Variables - databricks_account_id = var.databricks_account_id - client_id = var.client_id - client_secret = var.client_secret - aws_account_id = var.aws_account_id - region = var.region - region_name = var.region_name[var.databricks_gov_shard] + databricks_account_id = var.databricks_account_id + client_id = var.client_id + client_secret = var.client_secret + aws_account_id = var.aws_account_id + region = var.region + region_name = var.region_name[var.databricks_gov_shard] + databricks_gov_shard = var.databricks_gov_shard + databricks_prod_aws_account_id = var.databricks_prod_aws_account_id + uc_master_role_id = var.uc_master_role_id // Naming and Tagging Variables: resource_prefix = var.resource_prefix // Required Variables: - workspace_catalog_admin = null // Workspace catalog admin email. - user_workspace_admin = null // Workspace admin user email. + workspace_catalog_admin = null // Workspace catalog admin email. + user_workspace_admin = null // Workspace admin user email. operation_mode = "sandbox" // Operation mode (sandbox, custom, firewall, isolated). workspace_admin_service_principal_name = "sra-example-sp" // Creates an example admin SP for automation use cases. metastore_exists = false // If a regional metastore exists set to true. If there are multiple regional metastores, you can comment out "uc_init" and add the metastore ID directly in to the module call for "uc_assignment". From ea582710b5d1ff379b9830920c0d89cf62d62255 Mon Sep 17 00:00:00 2001 From: Antonio Irizarry Date: Wed, 17 Jul 2024 23:43:04 -0400 Subject: [PATCH 04/24] Update root_s3_bucket.tf --- aws-gov/tf/modules/sra/root_s3_bucket.tf | 33 ++++++++++++++++++++---- 1 file changed, 28 insertions(+), 5 deletions(-) diff --git a/aws-gov/tf/modules/sra/root_s3_bucket.tf b/aws-gov/tf/modules/sra/root_s3_bucket.tf index 521910a..cd0c430 100644 --- a/aws-gov/tf/modules/sra/root_s3_bucket.tf +++ b/aws-gov/tf/modules/sra/root_s3_bucket.tf 
@@ -37,9 +37,32 @@ resource "aws_s3_bucket_public_access_block" "root_storage_bucket" { depends_on = [aws_s3_bucket.root_storage_bucket] } -data "databricks_aws_bucket_policy" "this" { - databricks_e2_account_id = var.databricks_account_id - bucket = aws_s3_bucket.root_storage_bucket.bucket +data "aws_iam_policy_document" "this" { + statement { + effect = "Allow" + actions = [ + "s3:GetObject", + "s3:GetObjectVersion", + "s3:ListBucket", + "s3:GetBucketLocation", + "s3:PutObject", + "s3:DeleteObject"] + resources = [ + "${aws_s3_bucket.root_storage_bucket.arn}/*", + aws_s3_bucket.root_storage_bucket.arn] + principals { + identifiers = ["arn:aws-us-gov:iam::${var.databricks_prod_aws_account_id[var.databricks_gov_shard]}:root"] + type = "AWS" + } + condition { + test = "StringEquals" + variable = "aws:PrincipalTag/DatabricksAccountId" + + values = [ + var.databricks_account_id + ] + } + } } # Bucket policy to use if the restrictive root bucket is set to false @@ -47,7 +70,7 @@ resource "aws_s3_bucket_policy" "root_bucket_policy" { count = var.enable_restrictive_root_bucket_boolean ? 0 : 1 bucket = aws_s3_bucket.root_storage_bucket.id - policy = data.databricks_aws_bucket_policy.this.json + policy = data.aws_iam_policy_document.this.json depends_on = [aws_s3_bucket_public_access_block.root_storage_bucket] } @@ -56,7 +79,7 @@ resource "aws_s3_bucket_policy" "root_bucket_policy_ignore" { count = var.enable_restrictive_root_bucket_boolean ? 1 : 0 bucket = aws_s3_bucket.root_storage_bucket.id - policy = data.databricks_aws_bucket_policy.this.json + policy = data.aws_iam_policy_document.this.json depends_on = [aws_s3_bucket_public_access_block.root_storage_bucket] lifecycle { From 1ad5b5e21f5daa99d0d9cbe0735d293430e43a29 Mon Sep 17 00:00:00 2001 
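Review bot: The hand-written `aws_iam_policy_document` replaces the provider-maintained `databricks_aws_bucket_policy`, so any future change to the set of actions Databricks requires on the root bucket will no longer arrive with provider upgrades; a comment above the block saying so, e.g. `# Hand-maintained equivalent of databricks_aws_bucket_policy for the aws-us-gov partition; keep actions in sync with the Databricks docs.`, tells the next maintainer why it exists (the reason for the replacement is not stated in the commit and is presumably the partition in the generated principal). The statement also has no `sid`, which makes the resulting bucket policy harder to audit; `sid = "GrantDatabricksAccess"` would do. Finally the closing `]` of `actions` and `resources` sits on the last element's line, which `terraform fmt` will rewrite.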
From: Antonio Irizarry Date: Fri, 19 Jul 2024 22:10:10 -0400 Subject: [PATCH 05/24] Updated Cross-Account Role --- aws-gov/tf/modules/sra/credential.tf | 23 +++++++++++++++---- .../uc_external_location.tf | 3 ++- 2 files changed, 20 insertions(+), 6 deletions(-) diff --git a/aws-gov/tf/modules/sra/credential.tf b/aws-gov/tf/modules/sra/credential.tf index d0a34f6..170fab8 100644 --- a/aws-gov/tf/modules/sra/credential.tf +++ b/aws-gov/tf/modules/sra/credential.tf @@ -1,13 +1,26 @@ // EXPLANATION: The cross-account role for the Databricks workspace -// Cross Account Role -data "databricks_aws_assume_role_policy" "this" { - external_id = var.databricks_account_id +// Cross Account Trust Policy +data "aws_iam_policy_document" "passrole_for_cross_account_credential" { + statement { + effect = "Allow" + actions = ["sts:AssumeRole"] + principals { + identifiers = ["arn:aws-us-gov:iam::${var.databricks_prod_aws_account_id[var.databricks_gov_shard]}:root"] + type = "AWS" + } + condition { + test = "StringEquals" + variable = "sts:ExternalId" + values = [var.databricks_account_id] + } + } } +// Cross Account Role resource "aws_iam_role" "cross_account_role" { name = "${var.resource_prefix}-crossaccount" - assume_role_policy = data.databricks_aws_assume_role_policy.this.json + assume_role_policy = data.aws_iam_policy_document.passrole_for_cross_account_credential.json tags = { Name = "${var.resource_prefix}-crossaccount-role" } @@ -113,7 +126,7 @@ resource "aws_iam_role_policy" "cross_account" { ], "Condition" : { "StringNotEquals" : { - "ec2:Owner" : "601306020600" + "ec2:Owner" : "044732911619" } } }, diff --git a/aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/uc_external_location/uc_external_location.tf b/aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/uc_external_location/uc_external_location.tf index cb25c81..244dfc8 100644 
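Review bot: The data source name `passrole_for_cross_account_credential` is misleading: the document is the role's trust policy (`sts:AssumeRole` by the Databricks account, gated by the `sts:ExternalId` condition), not an `iam:PassRole` permission, so a name like `cross_account_trust_policy` would match the `// Cross Account Trust Policy` comment above it. The content appears to mirror what `databricks_aws_assume_role_policy` generated, with the partition changed to `aws-us-gov`; if that is the intent, a one-line comment saying so would help whoever compares the two modules later.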
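Review bot: `"ec2:Owner" : "044732911619"` is a bare account ID in a `StringNotEquals` condition with no comment saying whose account it is, and unlike the rest of this series it is not keyed on `var.databricks_gov_shard`, so the civilian and DoD shards receive the same value; whether that is intended should be stated. Either add a map variable alongside `databricks_prod_aws_account_id` or at least a comment such as `// Databricks-owned account (presumably the AMI owner) — same for both GovCloud shards; confirm.` The enclosing `aws_iam_role_policy` block starts and ends outside the hunk.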
--- a/aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/uc_external_location/uc_external_location.tf +++ b/aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/uc_external_location/uc_external_location.tf @@ -56,7 +56,8 @@ resource "aws_iam_role" "storage_credential_role" { resource "aws_iam_role_policy" "storage_credential_policy" { name = "${var.resource_prefix}-storage-credential-policy" role = aws_iam_role.storage_credential_role.id - policy = jsonencode({ Version : "2012-10-17", + policy = jsonencode({ + Version : "2012-10-17", Statement : [ { "Action" : [ From eeeccc1361f8e1d6b3d7ce0aa66fde6067ab3dca Mon Sep 17 00:00:00 2001 From: Antonio Irizarry Date: Fri, 16 Aug 2024 15:37:02 -0400 Subject: [PATCH 06/24] Update for Log Delivery --- .../logging_configuration.tf | 20 ++++++++++++++----- .../logging_configuration/variables.tf | 12 +++++++++++ aws-gov/tf/modules/sra/variables.tf | 7 ++++++- aws-gov/tf/variables.tf | 8 ++++++++ 4 files changed, 41 insertions(+), 6 deletions(-) diff --git a/aws-gov/tf/modules/sra/databricks_account/logging_configuration/logging_configuration.tf b/aws-gov/tf/modules/sra/databricks_account/logging_configuration/logging_configuration.tf index 6b4113b..2f59c0f 100644 --- a/aws-gov/tf/modules/sra/databricks_account/logging_configuration/logging_configuration.tf +++ b/aws-gov/tf/modules/sra/databricks_account/logging_configuration/logging_configuration.tf 
@@ -84,17 +84,27 @@ resource "aws_s3_bucket_policy" "log_delivery" { // IAM Role // Assume Role Policy Log Delivery -data "databricks_aws_assume_role_policy" "log_delivery" { - external_id = var.databricks_account_id - for_log_delivery = true +data "aws_iam_policy_document" "passrole_for_log_delivery" { + statement { + effect = "Allow" + actions = ["sts:AssumeRole"] + principals { + identifiers = ["arn:aws-us-gov:iam::${var.databricks_prod_aws_account_id[var.databricks_gov_shard]}:${var.log_delivery_role_name[var.databricks_gov_shard]}"] + type = "AWS" + } + condition { + test = "StringEquals" + variable = "sts:ExternalId" + values = [var.databricks_account_id] + } + } } - // Log Delivery IAM Role resource "aws_iam_role" "log_delivery" { name = "${var.resource_prefix}-log-delivery" description = "(${var.resource_prefix}) Log Delivery Role" - assume_role_policy = data.databricks_aws_assume_role_policy.log_delivery.json + assume_role_policy = data.aws_iam_policy_document.passrole_for_log_delivery.json tags = { Name = "${var.resource_prefix}-log-delivery-role" } diff --git a/aws-gov/tf/modules/sra/databricks_account/logging_configuration/variables.tf b/aws-gov/tf/modules/sra/databricks_account/logging_configuration/variables.tf index 55aaac6..ea2ce1c 100644 --- a/aws-gov/tf/modules/sra/databricks_account/logging_configuration/variables.tf +++ b/aws-gov/tf/modules/sra/databricks_account/logging_configuration/variables.tf @@ -4,4 +4,16 @@ variable "resource_prefix" { variable "databricks_account_id" { type = string +} + +variable "databricks_gov_shard" { + type = string +} + +variable "log_delivery_role_name" { + type = map(string) +} + +variable "databricks_prod_aws_account_id" { + type = map(string) } \ No newline at end of file diff --git a/aws-gov/tf/modules/sra/variables.tf b/aws-gov/tf/modules/sra/variables.tf index 7556441..efe5b9d 100644 --- a/aws-gov/tf/modules/sra/variables.tf +++ b/aws-gov/tf/modules/sra/variables.tf 
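Review bot: The principal ARN built on the `identifiers` line comes out as `arn:aws-us-gov:iam::<account>:<role-name>` — the `role/` resource-type segment is missing, so with the defaults this commit adds to `aws-gov/tf/variables.tf` (`SaasUsageDeliveryRole-prod-aws-gov-IAMRole-…`) the principal is not a valid IAM ARN and creation of `aws_iam_role.log_delivery` will presumably be rejected. Change it to `identifiers = ["arn:aws-us-gov:iam::${var.databricks_prod_aws_account_id[var.databricks_gov_shard]}:role/${var.log_delivery_role_name[var.databricks_gov_shard]}"]`, or put the `role/` prefix into the map values. As with the cross-account role, the name `passrole_for_log_delivery` suggests `iam:PassRole` when the document is an assume-role trust policy.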
@@ -285,4 +285,9 @@ variable "databricks_prod_aws_account_id" { variable "uc_master_role_id" { description = "UC Master Role ID" type = map(string) -} \ No newline at end of file +} + +variable "log_delivery_role_name" { + description = "Log Delivery Role Name" + type = map(string) +} diff --git a/aws-gov/tf/variables.tf b/aws-gov/tf/variables.tf index c493915..59f797d 100644 --- a/aws-gov/tf/variables.tf +++ b/aws-gov/tf/variables.tf @@ -54,6 +54,14 @@ variable "uc_master_role_id" { } } +variable "log_delivery_role_name" { + type = map(string) + default = { + "civilian" = "SaasUsageDeliveryRole-prod-aws-gov-IAMRole-L4QM0RCHYQ1G" + "dod" = "SaasUsageDeliveryRole-prod-aws-gov-dod-IAMRole-1DMEHBYR8VC5P" + } +} + variable "databricks_gov_shard" { description = "pick shard: civilian, dod" validation { From aaa04ec15dcb8b673f04c5468081dd318a6b4afa Mon Sep 17 00:00:00 2001 From: jdbraun Date: Tue, 27 Aug 2024 13:16:10 -0500 Subject: [PATCH 07/24] updates: tags, firewall, isolation, data sources, bug fixes --- aws/tf/modules/sra/cmk.tf | 6 +- aws/tf/modules/sra/credential.tf | 5 +- .../data_plane_hardening/firewall/firewall.tf | 75 ++++++--- .../logging_configuration.tf | 6 +- aws/tf/modules/sra/databricks_workspace.tf | 2 + .../cluster_configuration.tf | 50 ++++-- .../cluster_configuration/variables.tf | 4 + .../uc_catalog/uc_catalog.tf | 146 +++++++++--------- .../uc_catalog/variables.tf | 4 + .../uc_external_location.tf | 54 ++----- aws/tf/modules/sra/network.tf | 7 +- aws/tf/modules/sra/privatelink.tf | 20 ++- aws/tf/modules/sra/root_s3_bucket.tf | 4 +- aws/tf/provider.tf | 2 +- aws/tf/sra.tf | 16 +- 15 files changed, 224 insertions(+), 177 deletions(-) diff --git a/aws/tf/modules/sra/cmk.tf b/aws/tf/modules/sra/cmk.tf index b1f0312..dd45769 100644 --- a/aws/tf/modules/sra/cmk.tf +++ b/aws/tf/modules/sra/cmk.tf 
@@ -63,7 +63,8 @@ resource "aws_kms_key" "workspace_storage" { depends_on = [aws_iam_role.cross_account_role] tags = { - Resource = var.resource_prefix + Name = "${var.resource_prefix}-workspace-storage-key" + Project = var.resource_prefix } } @@ -111,7 +112,8 @@ resource "aws_kms_key" "managed_storage" { ) tags = { - Resource = var.resource_prefix + Project = var.resource_prefix + Name = "${var.resource_prefix}-managed-storage-key" } } diff --git a/aws/tf/modules/sra/credential.tf b/aws/tf/modules/sra/credential.tf index c2d7a8b..aeb6237 100644 --- a/aws/tf/modules/sra/credential.tf +++ b/aws/tf/modules/sra/credential.tf @@ -6,10 +6,11 @@ data "databricks_aws_assume_role_policy" "this" { } resource "aws_iam_role" "cross_account_role" { - name = "${var.resource_prefix}-crossaccount" + name = "${var.resource_prefix}-cross-account" assume_role_policy = data.databricks_aws_assume_role_policy.this.json tags = { - Name = "${var.resource_prefix}-crossaccount-role" + Name = "${var.resource_prefix}-cross-account" + Project = var.resource_prefix } } diff --git a/aws/tf/modules/sra/data_plane_hardening/firewall/firewall.tf b/aws/tf/modules/sra/data_plane_hardening/firewall/firewall.tf index f2e6878..f733823 100644 --- a/aws/tf/modules/sra/data_plane_hardening/firewall/firewall.tf +++ b/aws/tf/modules/sra/data_plane_hardening/firewall/firewall.tf @@ -8,7 +8,8 @@ resource "aws_subnet" "public" { availability_zone = element(var.availability_zones, count.index) map_public_ip_on_launch = true tags = { - Name = "${var.resource_prefix}-public-${element(var.availability_zones, count.index)}" + Name = "${var.resource_prefix}-public-${element(var.availability_zones, count.index)}" + Project = var.resource_prefix } } 
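Review bot: The two `tags` maps in `cmk.tf` now list `Name` and `Project` in opposite orders (`Name` first for `workspace_storage`, `Project` first for `managed_storage`); pick one order so the tag blocks in `cmk.tf`, `credential.tf` and `firewall.tf` read the same. The `Resource` tag is dropped here, but `aws/tf/provider.tf` is touched in this commit and not visible; if it still sets `Resource` in `default_tags`, the prefix ends up in two tags, which is worth confirming.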
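Review bot: Changing `name` from `${var.resource_prefix}-crossaccount` to `${var.resource_prefix}-cross-account` forces replacement of `aws_iam_role.cross_account_role` on any existing deployment, because an IAM role name cannot be changed in place; the role ARN registered with Databricks in the credentials configuration then changes as well, and clusters in that workspace presumably cannot launch until the credential is re-registered. If existing deployments of this template are expected, call the rename out in the commit message or README, or keep the old name.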
@@ -25,7 +26,8 @@ resource "aws_nat_gateway" "ngw" { subnet_id = element(aws_subnet.public.*.id, count.index) depends_on = [aws_internet_gateway.igw] tags = { - Name = "${var.resource_prefix}-ngw-${element(var.availability_zones, count.index)}" + Name = "${var.resource_prefix}-ngw-${element(var.availability_zones, count.index)}" + Project = var.resource_prefix } } @@ -37,13 +39,13 @@ resource "aws_route" "private" { nat_gateway_id = element(aws_nat_gateway.ngw.*.id, count.index) } - // Public RT resource "aws_route_table" "public_rt" { count = length(var.public_subnets_cidr) vpc_id = var.vpc_id tags = { - Name = "${var.resource_prefix}-public-rt-${element(var.availability_zones, count.index)}" + Name = "${var.resource_prefix}-public-rt-${element(var.availability_zones, count.index)}" + Project = var.resource_prefix } } @@ -63,7 +65,8 @@ resource "aws_subnet" "firewall" { availability_zone = element(var.availability_zones, count.index) map_public_ip_on_launch = false tags = { - Name = "${var.resource_prefix}-firewall-${element(var.availability_zones, count.index)}" + Name = "${var.resource_prefix}-firewall-${element(var.availability_zones, count.index)}" + Project = var.resource_prefix } } @@ -72,7 +75,8 @@ resource "aws_route_table" "firewall_rt" { count = length(var.firewall_subnets_cidr) vpc_id = var.vpc_id tags = { - Name = "${var.resource_prefix}-firewall-rt-${element(var.availability_zones, count.index)}" + Name = "${var.resource_prefix}-firewall-rt-${element(var.availability_zones, count.index)}" + Project = var.resource_prefix } } @@ -87,7 +91,8 @@ resource "aws_route_table_association" "firewall" { resource "aws_internet_gateway" "igw" { vpc_id = var.vpc_id tags = { - Name = "${var.resource_prefix}-igw" + Name = "${var.resource_prefix}-igw" + Project = var.resource_prefix } } 
@@ -95,7 +100,8 @@ resource "aws_internet_gateway" "igw" { resource "aws_route_table" "igw_rt" { vpc_id = var.vpc_id tags = { - Name = "${var.resource_prefix}-igw-rt" + Name = "${var.resource_prefix}-igw-rt" + Project = var.resource_prefix } } @@ -105,16 +111,34 @@ resource "aws_route_table_association" "igw" { route_table_id = aws_route_table.igw_rt.id } +// Local Map for Availability Zone to Index +locals { + az_to_index_map = { + for idx, az in var.availability_zones : + az => idx + } + + firewall_endpoints_by_az = { + for sync_state in aws_networkfirewall_firewall.nfw.firewall_status[0].sync_states : + sync_state.availability_zone => sync_state.attachment[0].endpoint_id + } + + az_to_endpoint_map = { + for az in var.availability_zones : + az => lookup(local.firewall_endpoints_by_az, az, null) + } +} + // Public Route resource "aws_route" "public" { - count = length(var.public_subnets_cidr) - route_table_id = element(aws_route_table.public_rt.*.id, count.index) + for_each = local.az_to_endpoint_map + route_table_id = aws_route_table.public_rt[local.az_to_index_map[each.key]].id destination_cidr_block = "0.0.0.0/0" - vpc_endpoint_id = tolist(aws_networkfirewall_firewall.nfw.firewall_status[0].sync_states)[count.index].attachment[0].endpoint_id + vpc_endpoint_id = each.value depends_on = [aws_networkfirewall_firewall.nfw] } -// Firewall Route +// Firewall Outbound Route resource "aws_route" "firewall_outbound" { count = length(var.firewall_subnets_cidr) route_table_id = element(aws_route_table.firewall_rt.*.id, count.index) 
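Review bot: `az_to_endpoint_map` falls back to `null` via `lookup(local.firewall_endpoints_by_az, az, null)`, so an availability zone in `var.availability_zones` that has no firewall sync state yields an `aws_route.public` instance with `vpc_endpoint_id = null`; that should be rejected by the provider since the route then has no target, but the error will point at the route rather than at the real problem (firewall subnets not covering every AZ). Failing at the lookup is clearer: `az => local.firewall_endpoints_by_az[az]` makes a missing AZ a plan-time key error, or keep the default and add a `precondition` on the route that `each.value != null`. Note also that moving `aws_route.public` from `count` to `for_each` changes resource addresses, so existing routes will be destroyed and recreated on the next apply and the public subnets briefly lose their 0.0.0.0/0 route through the firewall unless `moved` blocks are added.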
@@ -122,12 +146,12 @@ resource "aws_route" "firewall_outbound" { gateway_id = aws_internet_gateway.igw.id } -// Add a route back to FW +// Firewall Inbound Route resource "aws_route" "firewall_inbound" { - count = length(var.public_subnets_cidr) + for_each = local.az_to_endpoint_map route_table_id = aws_route_table.igw_rt.id - destination_cidr_block = element(var.public_subnets_cidr, count.index) - vpc_endpoint_id = tolist(aws_networkfirewall_firewall.nfw.firewall_status[0].sync_states)[count.index].attachment[0].endpoint_id + destination_cidr_block = element(var.public_subnets_cidr, index(var.availability_zones, each.key)) + vpc_endpoint_id = each.value depends_on = [aws_networkfirewall_firewall.nfw] } @@ -157,7 +181,8 @@ resource "aws_networkfirewall_rule_group" "databricks_fqdn_allowlist" { } } tags = { - Name = "${var.resource_prefix}-${var.region}-databricks-fqdn-allowlist" + Name = "${var.resource_prefix}-${var.region}-databricks-fqdn-allowlist" + Project = var.resource_prefix } } @@ -170,7 +195,6 @@ data "external" "metastore_ip" { } } - // JDBC Firewall group IP allow list resource "aws_networkfirewall_rule_group" "databricks_metastore_allowlist" { capacity = 100 @@ -199,11 +223,12 @@ resource "aws_networkfirewall_rule_group" "databricks_metastore_allowlist" { } } tags = { - Name = "${var.resource_prefix}-${var.region}-databricks-metastore-allowlist" + Name = "${var.resource_prefix}-${var.region}-databricks-metastore-allowlist" + Project = var.resource_prefix } } -# Firewall policy +// Firewall policy resource "aws_networkfirewall_firewall_policy" "databricks_nfw_policy" { name = "${var.resource_prefix}-firewall-policy" 
@@ -225,15 +250,14 @@ resource "aws_networkfirewall_firewall_policy" "databricks_nfw_policy" { priority = 2 resource_arn = aws_networkfirewall_rule_group.databricks_metastore_allowlist.arn } - } tags = { - Name = "${var.resource_prefix}-firewall-policy" + Name = "${var.resource_prefix}-firewall-policy" + Project = var.resource_prefix } } - // Firewall resource "aws_networkfirewall_firewall" "nfw" { name = "${var.resource_prefix}-nfw" @@ -246,6 +270,7 @@ resource "aws_networkfirewall_firewall" "nfw" { } } tags = { - Name = "${var.resource_prefix}-${var.region}-databricks-nfw" + Name = "${var.resource_prefix}-${var.region}-databricks-nfw" + Project = var.resource_prefix } -} \ No newline at end of file +} diff --git a/aws/tf/modules/sra/databricks_account/logging_configuration/logging_configuration.tf b/aws/tf/modules/sra/databricks_account/logging_configuration/logging_configuration.tf index 4c6b391..9ad0a67 100644 --- a/aws/tf/modules/sra/databricks_account/logging_configuration/logging_configuration.tf +++ b/aws/tf/modules/sra/databricks_account/logging_configuration/logging_configuration.tf @@ -5,7 +5,8 @@ resource "aws_s3_bucket" "log_delivery" { bucket = "${var.resource_prefix}-log-delivery" force_destroy = true tags = { - Name = "${var.resource_prefix}-log-delivery" + Name = "${var.resource_prefix}-log-delivery" + Project = var.resource_prefix } } @@ -96,7 +97,8 @@ resource "aws_iam_role" "log_delivery" { description = "(${var.resource_prefix}) Log Delivery Role" assume_role_policy = data.databricks_aws_assume_role_policy.log_delivery.json tags = { - Name = "${var.resource_prefix}-log-delivery-role" + Name = "${var.resource_prefix}-log-delivery-role" + Project = var.resource_prefix } } diff --git a/aws/tf/modules/sra/databricks_workspace.tf b/aws/tf/modules/sra/databricks_workspace.tf index 531354b..f0673e7 100644 --- a/aws/tf/modules/sra/databricks_workspace.tf +++ b/aws/tf/modules/sra/databricks_workspace.tf 
@@ -11,6 +11,7 @@ module "uc_catalog" { aws_account_id = var.aws_account_id resource_prefix = var.resource_prefix uc_catalog_name = "${var.resource_prefix}-catalog-${module.databricks_mws_workspace.workspace_id}" + cmk_admin_arn = var.cmk_admin_arn == null ? "arn:aws:iam::${var.aws_account_id}:root" : var.cmk_admin_arn workspace_id = module.databricks_mws_workspace.workspace_id workspace_catalog_admin = var.workspace_catalog_admin @@ -101,6 +102,7 @@ module "cluster_configuration" { compliance_security_profile_egress_ports = var.compliance_security_profile_egress_ports secret_config_reference = module.secret_management.config_reference resource_prefix = var.resource_prefix + operation_mode = var.operation_mode depends_on = [ module.databricks_mws_workspace, module.secret_management ] diff --git a/aws/tf/modules/sra/databricks_workspace/workspace_security_modules/cluster_configuration/cluster_configuration.tf b/aws/tf/modules/sra/databricks_workspace/workspace_security_modules/cluster_configuration/cluster_configuration.tf index 87b71b9..ac294fd 100644 --- a/aws/tf/modules/sra/databricks_workspace/workspace_security_modules/cluster_configuration/cluster_configuration.tf +++ b/aws/tf/modules/sra/databricks_workspace/workspace_security_modules/cluster_configuration/cluster_configuration.tf 
@@ -14,28 +14,59 @@ locals { }, "autotermination_minutes" : { "type" : "fixed", - "value" : 60, + "value" : 10, "hidden" : true }, - "custom_tags.Example" : { + "custom_tags.Project" : { "type" : "fixed", "value" : var.resource_prefix - } + }, + "spark_conf.spark.hadoop.javax.jdo.option.ConnectionURL" : null, + "spark_conf.spark.hadoop.javax.jdo.option.ConnectionDriverName" : null, + "spark_conf.spark.hadoop.javax.jdo.option.ConnectionUserName" : null, + "spark_conf.spark.hadoop.javax.jdo.option.ConnectionPassword" : null } + + isolated_policy = merge( + local.default_policy, + { + "spark_conf.spark.hadoop.javax.jdo.option.ConnectionURL" : { + "type" : "fixed", + "value" : "jdbc:derby:memory:myInMemDB;create=true" + }, + "spark_conf.spark.hadoop.javax.jdo.option.ConnectionDriverName" : { + "type" : "fixed", + "value" : "org.apache.derby.jdbc.EmbeddedDriver" + }, + "spark_conf.spark.hadoop.javax.jdo.option.ConnectionUserName" : { + "type" : "fixed", + "value" : "" + }, + "spark_conf.spark.hadoop.javax.jdo.option.ConnectionPassword" : { + "type" : "fixed", + "value" : "" + } + } + ) + + selected_policy = var.operation_mode == "Isolated" ? local.default_policy : local.isolated_policy + + final_policy = { for k, v in local.selected_policy : k => v if v != null } } resource "databricks_cluster_policy" "example" { name = "Example Cluster Policy" - definition = jsonencode(local.default_policy) + definition = jsonencode(local.final_policy) } // Cluster Creation resource "databricks_cluster" "example" { - cluster_name = "Shared Cluster" - data_security_mode = "USER_ISOLATION" - spark_version = data.databricks_spark_version.latest_lts.id - node_type_id = var.compliance_security_profile_egress_ports ? "i3en.xlarge" : "i3.xlarge" - policy_id = databricks_cluster_policy.example.id + cluster_name = "Shared Cluster" + data_security_mode = "USER_ISOLATION" + spark_version = data.databricks_spark_version.latest_lts.id + node_type_id = var.compliance_security_profile_egress_ports ? 
"i3en.xlarge" : "i3.xlarge" + policy_id = databricks_cluster_policy.example.id + autotermination_minutes = 10 autoscale { min_workers = 1 @@ -43,7 +74,6 @@ resource "databricks_cluster" "example" { } spark_conf = { - # Add additional spark configurations here "secret.example" = var.secret_config_reference } diff --git a/aws/tf/modules/sra/databricks_workspace/workspace_security_modules/cluster_configuration/variables.tf b/aws/tf/modules/sra/databricks_workspace/workspace_security_modules/cluster_configuration/variables.tf index 615c442..d436deb 100644 --- a/aws/tf/modules/sra/databricks_workspace/workspace_security_modules/cluster_configuration/variables.tf +++ b/aws/tf/modules/sra/databricks_workspace/workspace_security_modules/cluster_configuration/variables.tf @@ -6,6 +6,10 @@ variable "secret_config_reference" { type = string } +variable "operation_mode" { + type = string +} + variable "compliance_security_profile_egress_ports" { type = bool description = "Add 2443 to security group configuration or nitro instance" diff --git a/aws/tf/modules/sra/databricks_workspace/workspace_security_modules/uc_catalog/uc_catalog.tf b/aws/tf/modules/sra/databricks_workspace/workspace_security_modules/uc_catalog/uc_catalog.tf index 69249c1..319ca1c 100644 --- a/aws/tf/modules/sra/databricks_workspace/workspace_security_modules/uc_catalog/uc_catalog.tf +++ b/aws/tf/modules/sra/databricks_workspace/workspace_security_modules/uc_catalog/uc_catalog.tf 
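Review bot: `selected_policy = var.operation_mode == "Isolated" ? local.default_policy : local.isolated_policy` looks inverted and case-sensitive at the same time: the naming suggests `isolated_policy` (the fixed in-memory Derby metastore settings that keep clusters from reaching an external Hive metastore) is meant for isolated mode, yet the ternary hands isolated mode the `default_policy`, and the `sra.tf` hunk later in this patch sets `operation_mode = "isolated"` in lowercase, so the comparison never matches and every mode silently receives `isolated_policy`. Suggested line: `selected_policy = lower(var.operation_mode) == "isolated" ? local.isolated_policy : local.default_policy`. The new `variable "operation_mode"` in the variables.tf hunk has neither a description nor a `validation` block, so adding `validation { condition = contains(["sandbox", "custom", "firewall", "isolated"], lower(var.operation_mode)) ... }` would catch the casing drift at plan time. The enclosing `locals` block starts before this hunk.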
@@ -1,90 +1,82 @@ resource "null_resource" "previous" {} resource "time_sleep" "wait_30_seconds" { - depends_on = [null_resource.previous] - + depends_on = [null_resource.previous] create_duration = "30s" } - -// Unity Catalog Trust Policy -data "aws_iam_policy_document" "passrole_for_unity_catalog_catalog" { - statement { - effect = "Allow" - actions = ["sts:AssumeRole"] - principals { - identifiers = ["arn:aws:iam::414351767826:role/unity-catalog-prod-UCMasterRole-14S5ZJVKOTYTL"] - type = "AWS" - } - condition { - test = "StringEquals" - variable = "sts:ExternalId" - values = [var.databricks_account_id] - } - } - statement { - sid = "ExplicitSelfRoleAssumption" - effect = "Allow" - actions = ["sts:AssumeRole"] - principals { - type = "AWS" - identifiers = ["arn:aws:iam::${var.aws_account_id}:root"] - } - condition { - test = "ArnLike" - variable = "aws:PrincipalArn" - values = ["arn:aws:iam::${var.aws_account_id}:role/${var.resource_prefix}-unity-catalog-${var.workspace_id}"] - } - condition { - test = "StringEquals" - variable = "sts:ExternalId" - values = [var.databricks_account_id] - } - } +// Unity Catalog Trust Policy - Data Source +data "databricks_aws_unity_catalog_assume_role_policy" "unity_catalog" { + aws_account_id = var.aws_account_id + role_name = "${var.resource_prefix}-catalog-${var.workspace_id}" + external_id = var.databricks_account_id } // Unity Catalog Role resource "aws_iam_role" "unity_catalog_role" { - name = "${var.resource_prefix}-unity-catalog-${var.workspace_id}" - assume_role_policy = data.aws_iam_policy_document.passrole_for_unity_catalog_catalog.json + name = "${var.resource_prefix}-catalog-${var.workspace_id}" + assume_role_policy = data.databricks_aws_unity_catalog_assume_role_policy.unity_catalog.json tags = { - Name = "${var.resource_prefix}-unity-catalog" + Name = "${var.resource_prefix}-catalog-${var.workspace_id}" + Project = var.resource_prefix } } -// Unity Catalog IAM Policy -data "aws_iam_policy_document" 
"unity_catalog_iam_policy" { - statement { - actions = [ - "s3:GetObject", - "s3:GetObjectVersion", - "s3:PutObject", - "s3:PutObjectAcl", - "s3:DeleteObject", - "s3:ListBucket", - "s3:GetBucketLocation" - ] - - resources = [ - "arn:aws:s3:::${var.uc_catalog_name}/*", - "arn:aws:s3:::${var.uc_catalog_name}" - ] - - effect = "Allow" - } - - statement { - actions = ["sts:AssumeRole"] - resources = ["arn:aws:iam::${var.aws_account_id}:role/${var.resource_prefix}-unity-catalog-${var.workspace_id}"] - effect = "Allow" - } +// Unity Catalog Policy - Data Source +data "databricks_aws_unity_catalog_policy" "unity_catalog_iam_policy" { + aws_account_id = var.aws_account_id + bucket_name = var.uc_catalog_name + role_name = "${var.resource_prefix}-catalog-${var.workspace_id}" + kms_name = aws_kms_alias.catalog_storage_key_alias.arn } // Unity Catalog Policy resource "aws_iam_role_policy" "unity_catalog" { - name = "${var.resource_prefix}-unity-catalog-policy-${var.workspace_id}" + name = "${var.resource_prefix}-catalog-policy-${var.workspace_id}" role = aws_iam_role.unity_catalog_role.id - policy = data.aws_iam_policy_document.unity_catalog_iam_policy.json + policy = data.databricks_aws_unity_catalog_policy.unity_catalog_iam_policy.json +} + +// Unity Catalog KMS +resource "aws_kms_key" "catalog_storage" { + description = "KMS key for Databricks catalog storage ${var.workspace_id}" + policy = jsonencode({ + Version : "2012-10-17", + "Id" : "key-policy-catalog-storage-${var.workspace_id}", + Statement : [ + { + "Sid" : "Enable IAM User Permissions", + "Effect" : "Allow", + "Principal" : { + "AWS" : [var.cmk_admin_arn] + }, + "Action" : "kms:*", + "Resource" : "*" + }, + { + "Sid" : "Allow IAM Role to use the key", + "Effect" : "Allow", + "Principal" : { + "AWS" : "arn:aws:iam::${var.aws_account_id}:role/${var.resource_prefix}-catalog-${var.workspace_id}" + }, + "Action" : [ + "kms:Decrypt", + "kms:Encrypt", + "kms:GenerateDataKey*" + ], + "Resource" : "*" + } + ] + }) + tags = 
{ + Name = "${var.resource_prefix}-catalog-storage-${var.workspace_id}-key" + Project = var.resource_prefix + } +} + +resource "aws_kms_alias" "catalog_storage_key_alias" { + name = "alias/${var.resource_prefix}-catalog-storage-${var.workspace_id}-key" + target_key_id = aws_kms_key.catalog_storage.id } @@ -93,7 +85,8 @@ resource "aws_s3_bucket" "unity_catalog_bucket" { bucket = var.uc_catalog_name force_destroy = true tags = { - Name = var.uc_catalog_name + Name = var.uc_catalog_name + Project = var.resource_prefix } } @@ -106,12 +99,14 @@ resource "aws_s3_bucket_versioning" "unity_catalog_versioning" { resource "aws_s3_bucket_server_side_encryption_configuration" "unity_catalog" { bucket = aws_s3_bucket.unity_catalog_bucket.bucket - rule { + bucket_key_enabled = true apply_server_side_encryption_by_default { - sse_algorithm = "AES256" + sse_algorithm = "aws:kms" + kms_master_key_id = aws_kms_key.catalog_storage.arn } } + depends_on = [aws_kms_alias.catalog_storage_key_alias] } resource "aws_s3_bucket_public_access_block" "unity_catalog" { @@ -129,7 +124,8 @@ resource "databricks_storage_credential" "workspace_catalog_storage_credential" aws_iam_role { role_arn = aws_iam_role.unity_catalog_role.arn } - depends_on = [aws_iam_role.unity_catalog_role, time_sleep.wait_30_seconds] + depends_on = [aws_iam_role.unity_catalog_role, time_sleep.wait_30_seconds] + isolation_mode = "ISOLATION_MODE_ISOLATED" } // External Location @@ -137,12 +133,10 @@ resource "databricks_external_location" "workspace_catalog_external_location" { name = var.uc_catalog_name url = "s3://${var.uc_catalog_name}/catalog/" credential_name = databricks_storage_credential.workspace_catalog_storage_credential.id - skip_validation = true - read_only = false - comment = "Managed by TF" + comment = "External location for catalog ${var.uc_catalog_name}" + isolation_mode = "ISOLATION_MODE_ISOLATED" } - // Workspace Catalog resource "databricks_catalog" "workspace_catalog" { name = var.uc_catalog_name 
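Review bot: The new `aws_kms_key.catalog_storage` sets no `enable_key_rotation` (and no `deletion_window_in_days`), so the key is created with automatic rotation off, which is the usual benchmark finding for customer-managed keys; add `enable_key_rotation = true` and `deletion_window_in_days = 30` (or whatever the project standard is) next to `description`. The "Enable IAM User Permissions" statement grants `kms:*` to `var.cmk_admin_arn`, which the `databricks_workspace.tf` hunk earlier in this patch defaults to `arn:aws:iam::<account>:root`; with the root principal, key administration is effectively delegated to IAM policies for every principal in the account, so a short comment stating that and recommending a dedicated key-admin role would help operators who leave the default. The role statement hard-codes the role ARN string rather than referencing `aws_iam_role.unity_catalog_role.arn`, presumably to avoid the cycle with the role policy that references the alias; a one-line comment saying so would stop the next maintainer from "fixing" it.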
diff --git a/aws/tf/modules/sra/databricks_workspace/workspace_security_modules/uc_catalog/variables.tf b/aws/tf/modules/sra/databricks_workspace/workspace_security_modules/uc_catalog/variables.tf index 6420927..dc6a227 100644 --- a/aws/tf/modules/sra/databricks_workspace/workspace_security_modules/uc_catalog/variables.tf +++ b/aws/tf/modules/sra/databricks_workspace/workspace_security_modules/uc_catalog/variables.tf @@ -2,6 +2,10 @@ variable "aws_account_id" { type = string } +variable "cmk_admin_arn" { + type = string +} + variable "resource_prefix" { type = string } diff --git a/aws/tf/modules/sra/databricks_workspace/workspace_security_modules/uc_external_location/uc_external_location.tf b/aws/tf/modules/sra/databricks_workspace/workspace_security_modules/uc_external_location/uc_external_location.tf index 54fc08c..267f589 100644 --- a/aws/tf/modules/sra/databricks_workspace/workspace_security_modules/uc_external_location/uc_external_location.tf +++ b/aws/tf/modules/sra/databricks_workspace/workspace_security_modules/uc_external_location/uc_external_location.tf 
@@ -7,54 +7,25 @@ resource "time_sleep" "wait_30_seconds" { } // Storage Credential Trust Policy -data "aws_iam_policy_document" "passrole_for_storage_credential" { - statement { - effect = "Allow" - actions = ["sts:AssumeRole"] - principals { - identifiers = ["arn:aws:iam::414351767826:role/unity-catalog-prod-UCMasterRole-14S5ZJVKOTYTL"] - type = "AWS" - } - condition { - test = "StringEquals" - variable = "sts:ExternalId" - values = [var.databricks_account_id] - } - } - statement { - sid = "ExplicitSelfRoleAssumption" - effect = "Allow" - actions = ["sts:AssumeRole"] - principals { - type = "AWS" - identifiers = ["arn:aws:iam::${var.aws_account_id}:root"] - } - condition { - test = "ArnLike" - variable = "aws:PrincipalArn" - values = ["arn:aws:iam::${var.aws_account_id}:role/${var.resource_prefix}-storage-credential"] - } - condition { - test = "StringEquals" - variable = "sts:ExternalId" - values = [var.databricks_account_id] - } - } +data "databricks_aws_unity_catalog_assume_role_policy" "external_location_example" { + aws_account_id = var.aws_account_id + role_name = "${var.resource_prefix}-storage-credential-example" + external_id = var.databricks_account_id } // Storage Credential Role resource "aws_iam_role" "storage_credential_role" { - name = "${var.resource_prefix}-storage-credential" - assume_role_policy = data.aws_iam_policy_document.passrole_for_storage_credential.json + name = "${var.resource_prefix}-storage-credential-example" + assume_role_policy = data.databricks_aws_unity_catalog_assume_role_policy.external_location_example.json tags = { - Name = "${var.resource_prefix}-storage_credential_role" + Name = "${var.resource_prefix}-storage-credential-example" + Project = var.resource_prefix } } - // Storage Credential Policy resource "aws_iam_role_policy" "storage_credential_policy" { - name = "${var.resource_prefix}-storage-credential-policy" + name = "${var.resource_prefix}-storage-credential-policy-example" role = 
aws_iam_role.storage_credential_role.id policy = jsonencode({ Version : "2012-10-17", Statement : [ @@ -91,7 +62,8 @@ resource "databricks_storage_credential" "external" { aws_iam_role { role_arn = aws_iam_role.storage_credential_role.arn } - depends_on = [aws_iam_role.storage_credential_role, time_sleep.wait_30_seconds] + isolation_mode = "ISOLATION_MODE_ISOLATED" + depends_on = [aws_iam_role.storage_credential_role, time_sleep.wait_30_seconds] } // External Location @@ -99,9 +71,9 @@ resource "databricks_external_location" "data_example" { name = "external-location-example" url = "s3://${var.read_only_data_bucket}/" credential_name = databricks_storage_credential.external.id - skip_validation = true read_only = true - comment = "Managed by TF" + comment = "Read only external location for ${var.read_only_data_bucket}" + isolation_mode = "ISOLATION_MODE_ISOLATED" } // External Location Grant diff --git a/aws/tf/modules/sra/network.tf b/aws/tf/modules/sra/network.tf index cf13eb3..152b4ed 100644 --- a/aws/tf/modules/sra/network.tf +++ b/aws/tf/modules/sra/network.tf @@ -25,6 +25,10 @@ module "vpc" { intra_subnet_names = [for az in var.availability_zones : format("%s-privatelink-%s", var.resource_prefix, az)] intra_subnets = var.privatelink_subnets_cidr + + tags = { + Project = var.resource_prefix + } } @@ -80,6 +84,7 @@ resource "aws_security_group" "sg" { } } tags = { - Name = "${var.resource_prefix}-workspace-sg" + Name = "${var.resource_prefix}-workspace-sg" + Project = var.resource_prefix } } \ No newline at end of file diff --git a/aws/tf/modules/sra/privatelink.tf b/aws/tf/modules/sra/privatelink.tf index 5fc3ef4..7d13859 100644 --- a/aws/tf/modules/sra/privatelink.tf +++ b/aws/tf/modules/sra/privatelink.tf @@ -41,7 +41,8 @@ resource "aws_security_group" "privatelink" { } tags = { - Name = "${var.resource_prefix}-private-link-sg" + Name = "${var.resource_prefix}-private-link-sg", + Project = var.resource_prefix } } 
@@ -217,7 +218,7 @@ data "aws_iam_policy_document" "sts_vpc_endpoint_policy" { principals { type = "AWS" identifiers = [ - "arn:aws:iam::414351767826:user/databricks-datasets-readonly-user", + "arn:aws:iam::414351767826:user/databricks-datasets-readonly-user-prod", "414351767826" ] } @@ -261,7 +262,8 @@ module "vpc_endpoints" { route_table_ids = module.vpc[0].private_route_table_ids policy = var.enable_restrictive_s3_endpoint_boolean ? data.aws_iam_policy_document.s3_vpc_endpoint_policy[0].json : null tags = { - Name = "${var.resource_prefix}-s3-vpc-endpoint" + Name = "${var.resource_prefix}-s3-vpc-endpoint" + Project = var.resource_prefix } }, sts = { @@ -270,7 +272,8 @@ module "vpc_endpoints" { subnet_ids = module.vpc[0].intra_subnets policy = var.enable_restrictive_sts_endpoint_boolean ? data.aws_iam_policy_document.sts_vpc_endpoint_policy[0].json : null tags = { - Name = "${var.resource_prefix}-sts-vpc-endpoint" + Name = "${var.resource_prefix}-sts-vpc-endpoint" + Project = var.resource_prefix } }, kinesis-streams = { @@ -279,7 +282,8 @@ module "vpc_endpoints" { subnet_ids = module.vpc[0].intra_subnets policy = var.enable_restrictive_kinesis_endpoint_boolean ? data.aws_iam_policy_document.kinesis_vpc_endpoint_policy[0].json : null tags = { - Name = "${var.resource_prefix}-kinesis-vpc-endpoint" + Name = "${var.resource_prefix}-kinesis-vpc-endpoint" + Project = var.resource_prefix } } } @@ -300,7 +304,8 @@ resource "aws_vpc_endpoint" "backend_rest" { private_dns_enabled = true depends_on = [module.vpc.vpc_id] tags = { - Name = "${var.resource_prefix}-databricks-backend-rest" + Name = "${var.resource_prefix}-databricks-backend-rest" + Project = var.resource_prefix } } 
@@ -316,6 +321,7 @@ resource "aws_vpc_endpoint" "backend_relay" { private_dns_enabled = true depends_on = [module.vpc.vpc_id] tags = { - Name = "${var.resource_prefix}-databricks-backend-relay" + Name = "${var.resource_prefix}-databricks-backend-relay" + Project = var.resource_prefix } } \ No newline at end of file diff --git a/aws/tf/modules/sra/root_s3_bucket.tf b/aws/tf/modules/sra/root_s3_bucket.tf index 521910a..4c45c42 100644 --- a/aws/tf/modules/sra/root_s3_bucket.tf +++ b/aws/tf/modules/sra/root_s3_bucket.tf @@ -4,7 +4,8 @@ resource "aws_s3_bucket" "root_storage_bucket" { bucket = "${var.resource_prefix}-workspace-root-storage" force_destroy = true tags = { - Name = var.resource_prefix + Name = "${var.resource_prefix}-workspace-root-storage" + Project = var.resource_prefix } } @@ -17,7 +18,6 @@ resource "aws_s3_bucket_versioning" "root_bucket_versioning" { resource "aws_s3_bucket_server_side_encryption_configuration" "root_storage_bucket" { bucket = aws_s3_bucket.root_storage_bucket.bucket - rule { bucket_key_enabled = true apply_server_side_encryption_by_default { diff --git a/aws/tf/provider.tf b/aws/tf/provider.tf index 0c7c62d..dbfc9a3 100644 --- a/aws/tf/provider.tf +++ b/aws/tf/provider.tf @@ -2,7 +2,7 @@ terraform { required_providers { databricks = { source = "databricks/databricks" - version = "~> 1.46.0" + version = " 1.50.0" } aws = { source = "hashicorp/aws" diff --git a/aws/tf/sra.tf b/aws/tf/sra.tf index 561caf0..1e402bc 100644 --- a/aws/tf/sra.tf +++ b/aws/tf/sra.tf 
@@ -17,14 +17,14 @@ module "SRA" { resource_prefix = var.resource_prefix // Required Variables: - workspace_catalog_admin = null // Workspace catalog admin email. - user_workspace_admin = null // Workspace admin user email. - operation_mode = "sandbox" // Operation mode (sandbox, custom, firewall, isolated). + workspace_catalog_admin = "" // Workspace catalog admin email. + user_workspace_admin = "" // Workspace admin user email. + operation_mode = "isolated" // Operation mode (sandbox, custom, firewall, isolated), see README.md for more information. workspace_admin_service_principal_name = "sra-example-sp" // Creates an example admin SP for automation use cases. metastore_exists = false // If a regional metastore exists set to true. If there are multiple regional metastores, you can comment out "uc_init" and add the metastore ID directly in to the module call for "uc_assignment". // AWS Specific Variables: - cmk_admin_arn = null // CMK admin ARN, defaults to the AWS account root user. + cmk_admin_arn = null // CMK admin ARN, defaults to the AWS account root user. vpc_cidr_range = "10.0.0.0/18" // Please re-define the subsequent subnet ranges if the VPC CIDR range is updated. private_subnets_cidr = ["10.0.0.0/22", "10.0.4.0/22", "10.0.8.0/22"] privatelink_subnets_cidr = ["10.0.28.0/26", "10.0.28.64/26", "10.0.28.128/26"] 
@@ -62,10 +62,10 @@ module "SRA" { enable_admin_configs_boolean = false // Set to true to enable optional admin configurations. enable_logging_boolean = false // Set to true to enable log delivery and creation of related assets (e.g. S3 bucket and IAM role) - enable_restrictive_root_bucket_boolean = false - enable_restrictive_s3_endpoint_boolean = false - enable_restrictive_sts_endpoint_boolean = false - enable_restrictive_kinesis_endpoint_boolean = false + enable_restrictive_root_bucket_boolean = false // Set to true to enable a restrictive root bucket policy, this is subject to change and may cause unexpected issues in the event of a change. + enable_restrictive_s3_endpoint_boolean = false // Set to true to enable a restrictive S3 endpoint policy, this is subject to change and may cause unexpected issues in the event of a change. + enable_restrictive_sts_endpoint_boolean = false // Set to true to enable a restrictive STS endpoint policy, this is subject to change and may cause unexpected issues in the event of a change. + enable_restrictive_kinesis_endpoint_boolean = false // Set to true to enable a restrictive Kinesis endpoint policy, this is subject to change and may cause unexpected issues in the event of a change. enable_ip_boolean = false // Set to true to enable IP access list. ip_addresses = ["X.X.X.X", "X.X.X.X/XX", "X.X.X.X/XX"] // Specify IP addresses for access. From e3e2704be8267ad6e6af622a1ec5fc7c65b9abc5 Mon Sep 17 00:00:00 2001 From: jdbraun Date: Tue, 27 Aug 2024 13:21:11 -0500 Subject: [PATCH 08/24] update appropriate null variables --- aws/tf/sra.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/aws/tf/sra.tf b/aws/tf/sra.tf index 1e402bc..b59731f 100644 --- a/aws/tf/sra.tf +++ b/aws/tf/sra.tf 
@@ -17,8 +17,8 @@ module "SRA" { resource_prefix = var.resource_prefix // Required Variables: - workspace_catalog_admin = "" // Workspace catalog admin email. - user_workspace_admin = "" // Workspace admin user email. + workspace_catalog_admin = null // Workspace catalog admin email. + user_workspace_admin = null // Workspace admin user email. operation_mode = "isolated" // Operation mode (sandbox, custom, firewall, isolated), see README.md for more information. workspace_admin_service_principal_name = "sra-example-sp" // Creates an example admin SP for automation use cases. metastore_exists = false // If a regional metastore exists set to true. If there are multiple regional metastores, you can comment out "uc_init" and add the metastore ID directly in to the module call for "uc_assignment". From 87c6117baa0c9547e6c0677914719f3035c94b19 Mon Sep 17 00:00:00 2001 From: jdbraun Date: Tue, 27 Aug 2024 13:48:05 -0500 Subject: [PATCH 09/24] missed -example on the policy --- .../uc_external_location/uc_external_location.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aws/tf/modules/sra/databricks_workspace/workspace_security_modules/uc_external_location/uc_external_location.tf b/aws/tf/modules/sra/databricks_workspace/workspace_security_modules/uc_external_location/uc_external_location.tf index 267f589..735357b 100644 --- a/aws/tf/modules/sra/databricks_workspace/workspace_security_modules/uc_external_location/uc_external_location.tf +++ b/aws/tf/modules/sra/databricks_workspace/workspace_security_modules/uc_external_location/uc_external_location.tf @@ -47,7 +47,7 @@ resource "aws_iam_role_policy" "storage_credential_policy" { "sts:AssumeRole" ], "Resource" : [ - "arn:aws:iam::${var.aws_account_id}:role/${var.resource_prefix}-storage-credential" + "arn:aws:iam::${var.aws_account_id}:role/${var.resource_prefix}-storage-credential-example" ], "Effect" : "Allow" } From ab9836a922c623b4a5ccba8179f8e90df8189017 Mon Sep 17 00:00:00 2001 
From: Antonio Irizarry Date: Tue, 27 Aug 2024 18:42:44 -0400 Subject: [PATCH 10/24] Added changes for aws-gov --- aws-gov/tf/modules/sra/cmk.tf | 6 +- aws-gov/tf/modules/sra/credential.tf | 5 +- .../data_plane_hardening/firewall/firewall.tf | 72 +++++++++++++------ .../logging_configuration.tf | 7 +- .../tf/modules/sra/databricks_workspace.tf | 2 + .../cluster_configuration.tf | 50 ++++++++++--- .../cluster_configuration/variables.tf | 4 ++ .../uc_catalog/uc_catalog.tf | 66 ++++++++++++++--- .../uc_catalog/variables.tf | 4 ++ .../uc_external_location.tf | 17 ++--- aws-gov/tf/modules/sra/network.tf | 8 ++- aws-gov/tf/modules/sra/privatelink.tf | 20 ++++-- aws-gov/tf/modules/sra/root_s3_bucket.tf | 3 +- aws-gov/tf/provider.tf | 2 +- aws-gov/tf/sra.tf | 23 +++--- 15 files changed, 210 insertions(+), 79 deletions(-) diff --git a/aws-gov/tf/modules/sra/cmk.tf b/aws-gov/tf/modules/sra/cmk.tf index d7a1eef..6405a36 100644 --- a/aws-gov/tf/modules/sra/cmk.tf +++ b/aws-gov/tf/modules/sra/cmk.tf @@ -63,7 +63,8 @@ resource "aws_kms_key" "workspace_storage" { depends_on = [aws_iam_role.cross_account_role] tags = { - Resource = var.resource_prefix + Name = "${var.resource_prefix}-workspace-storage-key" + Project = var.resource_prefix } } @@ -111,7 +112,8 @@ resource "aws_kms_key" "managed_storage" { ) tags = { - Resource = var.resource_prefix + Project = var.resource_prefix + Name = "${var.resource_prefix}-managed-storage-key" } } diff --git a/aws-gov/tf/modules/sra/credential.tf b/aws-gov/tf/modules/sra/credential.tf index 170fab8..476a0be 100644 --- a/aws-gov/tf/modules/sra/credential.tf +++ b/aws-gov/tf/modules/sra/credential.tf 
@@ -19,10 +19,11 @@ data "aws_iam_policy_document" "passrole_for_cross_account_credential" { // Cross Account Role resource "aws_iam_role" "cross_account_role" { - name = "${var.resource_prefix}-crossaccount" + name = "${var.resource_prefix}-cross-account" assume_role_policy = data.aws_iam_policy_document.passrole_for_cross_account_credential.json tags = { - Name = "${var.resource_prefix}-crossaccount-role" + Name = "${var.resource_prefix}-cross-account" + Project = var.resource_prefix } } diff --git a/aws-gov/tf/modules/sra/data_plane_hardening/firewall/firewall.tf b/aws-gov/tf/modules/sra/data_plane_hardening/firewall/firewall.tf index f2e6878..f6b5ff9 100644 --- a/aws-gov/tf/modules/sra/data_plane_hardening/firewall/firewall.tf +++ b/aws-gov/tf/modules/sra/data_plane_hardening/firewall/firewall.tf @@ -8,7 +8,8 @@ resource "aws_subnet" "public" { availability_zone = element(var.availability_zones, count.index) map_public_ip_on_launch = true tags = { - Name = "${var.resource_prefix}-public-${element(var.availability_zones, count.index)}" + Name = "${var.resource_prefix}-public-${element(var.availability_zones, count.index)}" + Project = var.resource_prefix } } @@ -25,7 +26,8 @@ resource "aws_nat_gateway" "ngw" { subnet_id = element(aws_subnet.public.*.id, count.index) depends_on = [aws_internet_gateway.igw] tags = { - Name = "${var.resource_prefix}-ngw-${element(var.availability_zones, count.index)}" + Name = "${var.resource_prefix}-ngw-${element(var.availability_zones, count.index)}" + Project = var.resource_prefix } } 
@@ -37,13 +39,13 @@ resource "aws_route" "private" { nat_gateway_id = element(aws_nat_gateway.ngw.*.id, count.index) } - // Public RT resource "aws_route_table" "public_rt" { count = length(var.public_subnets_cidr) vpc_id = var.vpc_id tags = { - Name = "${var.resource_prefix}-public-rt-${element(var.availability_zones, count.index)}" + Name = "${var.resource_prefix}-public-rt-${element(var.availability_zones, count.index)}" + Project = var.resource_prefix } } @@ -63,7 +65,8 @@ resource "aws_subnet" "firewall" { availability_zone = element(var.availability_zones, count.index) map_public_ip_on_launch = false tags = { - Name = "${var.resource_prefix}-firewall-${element(var.availability_zones, count.index)}" + Name = "${var.resource_prefix}-firewall-${element(var.availability_zones, count.index)}" + Project = var.resource_prefix } } @@ -72,7 +75,8 @@ resource "aws_route_table" "firewall_rt" { count = length(var.firewall_subnets_cidr) vpc_id = var.vpc_id tags = { - Name = "${var.resource_prefix}-firewall-rt-${element(var.availability_zones, count.index)}" + Name = "${var.resource_prefix}-firewall-rt-${element(var.availability_zones, count.index)}" + Project = var.resource_prefix } } @@ -87,7 +91,8 @@ resource "aws_route_table_association" "firewall" { resource "aws_internet_gateway" "igw" { vpc_id = var.vpc_id tags = { - Name = "${var.resource_prefix}-igw" + Name = "${var.resource_prefix}-igw" + Project = var.resource_prefix } } @@ -95,7 +100,8 @@ resource "aws_internet_gateway" "igw" { resource "aws_route_table" "igw_rt" { vpc_id = var.vpc_id tags = { - Name = "${var.resource_prefix}-igw-rt" + Name = "${var.resource_prefix}-igw-rt" + Project = var.resource_prefix } } 
@@ -105,16 +111,34 @@ resource "aws_route_table_association" "igw" { route_table_id = aws_route_table.igw_rt.id } +// Local Map for Availability Zone to Index +locals { + az_to_index_map = { + for idx, az in var.availability_zones : + az => idx + } + + firewall_endpoints_by_az = { + for sync_state in aws_networkfirewall_firewall.nfw.firewall_status[0].sync_states : + sync_state.availability_zone => sync_state.attachment[0].endpoint_id + } + + az_to_endpoint_map = { + for az in var.availability_zones : + az => lookup(local.firewall_endpoints_by_az, az, null) + } +} + // Public Route resource "aws_route" "public" { - count = length(var.public_subnets_cidr) - route_table_id = element(aws_route_table.public_rt.*.id, count.index) + for_each = local.az_to_endpoint_map + route_table_id = aws_route_table.public_rt[local.az_to_index_map[each.key]].id destination_cidr_block = "0.0.0.0/0" - vpc_endpoint_id = tolist(aws_networkfirewall_firewall.nfw.firewall_status[0].sync_states)[count.index].attachment[0].endpoint_id + vpc_endpoint_id = each.value depends_on = [aws_networkfirewall_firewall.nfw] } -// Firewall Route +// Firewall Outbound Route resource "aws_route" "firewall_outbound" { count = length(var.firewall_subnets_cidr) route_table_id = element(aws_route_table.firewall_rt.*.id, count.index) 
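Review bot: `az_to_endpoint_map` defaults to `null` for any AZ missing from `firewall_endpoints_by_az`, so an AZ the firewall has not attached to produces an `aws_route.public` (and, in the next hunk, `aws_route.firewall_inbound`) with `vpc_endpoint_id = null` and an opaque provider error instead of one naming the AZ. Every public subnet's 0.0.0.0/0 route must traverse the firewall endpoint, so a missing endpoint should fail loudly: drop the default, `az => local.firewall_endpoints_by_az[az]`, or add a `lifecycle { precondition { condition = each.value != null ... } }` on the route. The route is also keyed by AZ but addresses `aws_route_table.public_rt` by position via `az_to_index_map`, which only holds if `var.public_subnets_cidr` and `var.availability_zones` have the same length and order — a `validation` block on those variables, or at least a comment stating the assumption, would document that coupling.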
@@ -122,12 +146,12 @@ resource "aws_route" "firewall_outbound" { gateway_id = aws_internet_gateway.igw.id } -// Add a route back to FW +// Firewall Inbound Route resource "aws_route" "firewall_inbound" { - count = length(var.public_subnets_cidr) + for_each = local.az_to_endpoint_map route_table_id = aws_route_table.igw_rt.id - destination_cidr_block = element(var.public_subnets_cidr, count.index) - vpc_endpoint_id = tolist(aws_networkfirewall_firewall.nfw.firewall_status[0].sync_states)[count.index].attachment[0].endpoint_id + destination_cidr_block = element(var.public_subnets_cidr, index(var.availability_zones, each.key)) + vpc_endpoint_id = each.value depends_on = [aws_networkfirewall_firewall.nfw] } @@ -157,7 +181,8 @@ resource "aws_networkfirewall_rule_group" "databricks_fqdn_allowlist" { } } tags = { - Name = "${var.resource_prefix}-${var.region}-databricks-fqdn-allowlist" + Name = "${var.resource_prefix}-${var.region}-databricks-fqdn-allowlist" + Project = var.resource_prefix } } @@ -170,7 +195,6 @@ data "external" "metastore_ip" { } } - // JDBC Firewall group IP allow list resource "aws_networkfirewall_rule_group" "databricks_metastore_allowlist" { capacity = 100 @@ -199,11 +223,12 @@ resource "aws_networkfirewall_rule_group" "databricks_metastore_allowlist" { } } tags = { - Name = "${var.resource_prefix}-${var.region}-databricks-metastore-allowlist" + Name = "${var.resource_prefix}-${var.region}-databricks-metastore-allowlist" + Project = var.resource_prefix } } -# Firewall policy +// Firewall policy resource "aws_networkfirewall_firewall_policy" "databricks_nfw_policy" { name = "${var.resource_prefix}-firewall-policy" @@ -229,11 +254,11 @@ resource "aws_networkfirewall_firewall_policy" "databricks_nfw_policy" { } tags = { - Name = "${var.resource_prefix}-firewall-policy" + Name = "${var.resource_prefix}-firewall-policy" + Project = var.resource_prefix } } - // Firewall resource "aws_networkfirewall_firewall" "nfw" { name = "${var.resource_prefix}-nfw" 
@@ -246,6 +271,7 @@ resource "aws_networkfirewall_firewall" "nfw" { } } tags = { - Name = "${var.resource_prefix}-${var.region}-databricks-nfw" + Name = "${var.resource_prefix}-${var.region}-databricks-nfw" + Project = var.resource_prefix } } \ No newline at end of file diff --git a/aws-gov/tf/modules/sra/databricks_account/logging_configuration/logging_configuration.tf b/aws-gov/tf/modules/sra/databricks_account/logging_configuration/logging_configuration.tf index 2f59c0f..cea829f 100644 --- a/aws-gov/tf/modules/sra/databricks_account/logging_configuration/logging_configuration.tf +++ b/aws-gov/tf/modules/sra/databricks_account/logging_configuration/logging_configuration.tf @@ -5,7 +5,8 @@ resource "aws_s3_bucket" "log_delivery" { bucket = "${var.resource_prefix}-log-delivery" force_destroy = true tags = { - Name = "${var.resource_prefix}-log-delivery" + Name = "${var.resource_prefix}-log-delivery" + Project = var.resource_prefix } } @@ -106,7 +107,8 @@ resource "aws_iam_role" "log_delivery" { description = "(${var.resource_prefix}) Log Delivery Role" assume_role_policy = data.aws_iam_policy_document.passrole_for_log_delivery.json tags = { - Name = "${var.resource_prefix}-log-delivery-role" + Name = "${var.resource_prefix}-log-delivery-role" + Project = var.resource_prefix } } @@ -114,6 +116,7 @@ resource "aws_iam_role" "log_delivery" { // Databricks Credential Configuration for Logs resource "databricks_mws_credentials" "log_writer" { + account_id = var.databricks_account_id credentials_name = "${var.resource_prefix}-log-delivery-credential" role_arn = aws_iam_role.log_delivery.arn depends_on = [ diff --git a/aws-gov/tf/modules/sra/databricks_workspace.tf b/aws-gov/tf/modules/sra/databricks_workspace.tf index e344ca1..9aaf145 100644 --- a/aws-gov/tf/modules/sra/databricks_workspace.tf +++ b/aws-gov/tf/modules/sra/databricks_workspace.tf 
@@ -11,6 +11,7 @@ module "uc_catalog" { aws_account_id = var.aws_account_id resource_prefix = var.resource_prefix uc_catalog_name = "${var.resource_prefix}-catalog-${module.databricks_mws_workspace.workspace_id}" + cmk_admin_arn = var.cmk_admin_arn == null ? "arn:aws-us-gov:iam::${var.databricks_prod_aws_account_id[var.databricks_gov_shard]}:root" : var.cmk_admin_arn workspace_id = module.databricks_mws_workspace.workspace_id workspace_catalog_admin = var.workspace_catalog_admin databricks_gov_shard = var.databricks_gov_shard @@ -107,6 +108,7 @@ module "cluster_configuration" { compliance_security_profile_egress_ports = var.compliance_security_profile_egress_ports secret_config_reference = module.secret_management.config_reference resource_prefix = var.resource_prefix + operation_mode = var.operation_mode depends_on = [ module.databricks_mws_workspace, module.secret_management ] diff --git a/aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/cluster_configuration/cluster_configuration.tf b/aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/cluster_configuration/cluster_configuration.tf index 87b71b9..ac294fd 100644 --- a/aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/cluster_configuration/cluster_configuration.tf +++ b/aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/cluster_configuration/cluster_configuration.tf 
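Review bot: The `cmk_admin_arn` default in the `uc_catalog` module call resolves to the root of the Databricks production account (`var.databricks_prod_aws_account_id[var.databricks_gov_shard]`), not the customer's, while the `sra.tf` comment on `cmk_admin_arn` says it "defaults to the AWS account root user". Inside `uc_catalog` that ARN is the principal granted `kms:*` on the catalog storage key, so with the default a third-party account has full control of the key and the customer account has no key-administrator principal at all; unless this is deliberate it should read `cmk_admin_arn = var.cmk_admin_arn == null ? "arn:aws-us-gov:iam::${var.aws_account_id}:root" : var.cmk_admin_arn`. The `module "uc_catalog"` block starts before this hunk.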
@@ -14,28 +14,59 @@ locals { }, "autotermination_minutes" : { "type" : "fixed", - "value" : 60, + "value" : 10, "hidden" : true }, - "custom_tags.Example" : { + "custom_tags.Project" : { "type" : "fixed", "value" : var.resource_prefix - } + }, + "spark_conf.spark.hadoop.javax.jdo.option.ConnectionURL" : null, + "spark_conf.spark.hadoop.javax.jdo.option.ConnectionDriverName" : null, + "spark_conf.spark.hadoop.javax.jdo.option.ConnectionUserName" : null, + "spark_conf.spark.hadoop.javax.jdo.option.ConnectionPassword" : null } + + isolated_policy = merge( + local.default_policy, + { + "spark_conf.spark.hadoop.javax.jdo.option.ConnectionURL" : { + "type" : "fixed", + "value" : "jdbc:derby:memory:myInMemDB;create=true" + }, + "spark_conf.spark.hadoop.javax.jdo.option.ConnectionDriverName" : { + "type" : "fixed", + "value" : "org.apache.derby.jdbc.EmbeddedDriver" + }, + "spark_conf.spark.hadoop.javax.jdo.option.ConnectionUserName" : { + "type" : "fixed", + "value" : "" + }, + "spark_conf.spark.hadoop.javax.jdo.option.ConnectionPassword" : { + "type" : "fixed", + "value" : "" + } + } + ) + + selected_policy = var.operation_mode == "Isolated" ? local.default_policy : local.isolated_policy + + final_policy = { for k, v in local.selected_policy : k => v if v != null } } resource "databricks_cluster_policy" "example" { name = "Example Cluster Policy" - definition = jsonencode(local.default_policy) + definition = jsonencode(local.final_policy) } // Cluster Creation resource "databricks_cluster" "example" { - cluster_name = "Shared Cluster" - data_security_mode = "USER_ISOLATION" - spark_version = data.databricks_spark_version.latest_lts.id - node_type_id = var.compliance_security_profile_egress_ports ? "i3en.xlarge" : "i3.xlarge" - policy_id = databricks_cluster_policy.example.id + cluster_name = "Shared Cluster" + data_security_mode = "USER_ISOLATION" + spark_version = data.databricks_spark_version.latest_lts.id + node_type_id = var.compliance_security_profile_egress_ports ? 
"i3en.xlarge" : "i3.xlarge" + policy_id = databricks_cluster_policy.example.id + autotermination_minutes = 10 autoscale { min_workers = 1 @@ -43,7 +74,6 @@ resource "databricks_cluster" "example" { } spark_conf = { - # Add additional spark configurations here "secret.example" = var.secret_config_reference } diff --git a/aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/cluster_configuration/variables.tf b/aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/cluster_configuration/variables.tf index 615c442..d436deb 100644 --- a/aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/cluster_configuration/variables.tf +++ b/aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/cluster_configuration/variables.tf @@ -6,6 +6,10 @@ variable "secret_config_reference" { type = string } +variable "operation_mode" { + type = string +} + variable "compliance_security_profile_egress_ports" { type = bool description = "Add 2443 to security group configuration or nitro instance" diff --git a/aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/uc_catalog/uc_catalog.tf b/aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/uc_catalog/uc_catalog.tf index 625fb1c..c74bf12 100644 --- a/aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/uc_catalog/uc_catalog.tf +++ b/aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/uc_catalog/uc_catalog.tf @@ -6,8 +6,7 @@ resource "time_sleep" "wait_30_seconds" { create_duration = "30s" } - -// Unity Catalog Trust Policy +// Unity Catalog Trust Policy - Data Source data "aws_iam_policy_document" "passrole_for_unity_catalog_catalog" { statement { effect = "Allow" 
@@ -45,10 +44,11 @@ data "aws_iam_policy_document" "passrole_for_unity_catalog_catalog" { // Unity Catalog Role resource "aws_iam_role" "unity_catalog_role" { - name = "${var.resource_prefix}-unity-catalog-${var.workspace_id}" + name = "${var.resource_prefix}-catalog-${var.workspace_id}" assume_role_policy = data.aws_iam_policy_document.passrole_for_unity_catalog_catalog.json tags = { - Name = "${var.resource_prefix}-unity-catalog" + Name = "${var.resource_prefix}-catalog-${var.workspace_id}" + Project = var.resource_prefix } } 
@@ -82,18 +82,60 @@ data "aws_iam_policy_document" "unity_catalog_iam_policy" { // Unity Catalog Policy resource "aws_iam_role_policy" "unity_catalog" { - name = "${var.resource_prefix}-unity-catalog-policy-${var.workspace_id}" + name = "${var.resource_prefix}-catalog-policy-${var.workspace_id}" role = aws_iam_role.unity_catalog_role.id policy = data.aws_iam_policy_document.unity_catalog_iam_policy.json } +// Unity Catalog KMS +resource "aws_kms_key" "catalog_storage" { + description = "KMS key for Databricks catalog storage ${var.workspace_id}" + policy = jsonencode({ + Version : "2012-10-17", + "Id" : "key-policy-catalog-storage-${var.workspace_id}", + Statement : [ + { + "Sid" : "Enable IAM User Permissions", + "Effect" : "Allow", + "Principal" : { + "AWS" : [var.cmk_admin_arn] + }, + "Action" : "kms:*", + "Resource" : "*" + }, + { + "Sid" : "Allow IAM Role to use the key", + "Effect" : "Allow", + "Principal" : { + "AWS" : "arn:aws-us-gov:iam::${var.databricks_prod_aws_account_id[var.databricks_gov_shard]}:role/${var.resource_prefix}-catalog-${var.workspace_id}" + }, + "Action" : [ + "kms:Decrypt", + "kms:Encrypt", + "kms:GenerateDataKey*" + ], + "Resource" : "*" + } + ] + }) + tags = { + Name = "${var.resource_prefix}-catalog-storage-${var.workspace_id}-key" + Project = var.resource_prefix + } +} + +resource "aws_kms_alias" "catalog_storage_key_alias" { + name = "alias/${var.resource_prefix}-catalog-storage-${var.workspace_id}-key" + target_key_id = aws_kms_key.catalog_storage.id +} // Unity Catalog S3 resource "aws_s3_bucket" "unity_catalog_bucket" { bucket = var.uc_catalog_name force_destroy = true tags = { - Name = var.uc_catalog_name + Name = var.uc_catalog_name + Project = var.resource_prefix } } 
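Review bot: The second key-policy statement builds the catalog role's ARN under `var.databricks_prod_aws_account_id[var.databricks_gov_shard]`, but `aws_iam_role.unity_catalog_role` is created in the customer account, so the principal names a role in the wrong account — KMS will either reject the policy for a non-existent principal or the real role will lack `kms:Decrypt`/`kms:GenerateDataKey*` and writes under the bucket's default KMS encryption will fail. Prefer the resource reference, `"AWS" : aws_iam_role.unity_catalog_role.arn`; if `unity_catalog_iam_policy` needs the key ARN and that would form a cycle, construct it as `"arn:aws-us-gov:iam::${var.aws_account_id}:role/${var.resource_prefix}-catalog-${var.workspace_id}"` instead. Separately, `force_destroy = true` on `unity_catalog_bucket` lets `terraform destroy` delete managed table data, which in a security reference architecture deserves a comment or a variable rather than a silent default.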
@@ -108,10 +150,13 @@ resource "aws_s3_bucket_server_side_encryption_configuration" "unity_catalog" { bucket = aws_s3_bucket.unity_catalog_bucket.bucket rule { + bucket_key_enabled = true apply_server_side_encryption_by_default { - sse_algorithm = "AES256" + sse_algorithm = "aws:kms" + kms_master_key_id = aws_kms_key.catalog_storage.arn } } + depends_on = [aws_kms_alias.catalog_storage_key_alias] } resource "aws_s3_bucket_public_access_block" "unity_catalog" { @@ -129,7 +174,8 @@ resource "databricks_storage_credential" "workspace_catalog_storage_credential" aws_iam_role { role_arn = aws_iam_role.unity_catalog_role.arn } - depends_on = [aws_iam_role.unity_catalog_role, time_sleep.wait_30_seconds] + depends_on = [aws_iam_role.unity_catalog_role, time_sleep.wait_30_seconds] + isolation_mode = "ISOLATION_MODE_ISOLATED" } // External Location @@ -139,10 +185,10 @@ resource "databricks_external_location" "workspace_catalog_external_location" { credential_name = databricks_storage_credential.workspace_catalog_storage_credential.id skip_validation = true read_only = false - comment = "Managed by TF" + comment = "External location for catalog ${var.uc_catalog_name}" + isolation_mode = "ISOLATION_MODE_ISOLATED" } - // Workspace Catalog resource "databricks_catalog" "workspace_catalog" { name = var.uc_catalog_name diff --git a/aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/uc_catalog/variables.tf b/aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/uc_catalog/variables.tf index 99fc773..1e18138 100644 --- a/aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/uc_catalog/variables.tf +++ b/aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/uc_catalog/variables.tf @@ -2,6 +2,10 @@ variable "aws_account_id" { type = string } +variable "cmk_admin_arn" { + type = string +} + variable "resource_prefix" { type = string } 
diff --git a/aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/uc_external_location/uc_external_location.tf b/aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/uc_external_location/uc_external_location.tf index 244dfc8..3404dab 100644 --- a/aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/uc_external_location/uc_external_location.tf +++ b/aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/uc_external_location/uc_external_location.tf @@ -44,17 +44,17 @@ data "aws_iam_policy_document" "passrole_for_storage_credential" { // Storage Credential Role resource "aws_iam_role" "storage_credential_role" { - name = "${var.resource_prefix}-storage-credential" + name = "${var.resource_prefix}-storage-credential-example" assume_role_policy = data.aws_iam_policy_document.passrole_for_storage_credential.json tags = { - Name = "${var.resource_prefix}-storage_credential_role" + Name = "${var.resource_prefix}-storage-credential-example" + Project = var.resource_prefix } } - // Storage Credential Policy resource "aws_iam_role_policy" "storage_credential_policy" { - name = "${var.resource_prefix}-storage-credential-policy" + name = "${var.resource_prefix}-storage-credential-policy-example" role = aws_iam_role.storage_credential_role.id policy = jsonencode({ Version : "2012-10-17", @@ -77,7 +77,7 @@ resource "aws_iam_role_policy" "storage_credential_policy" { "sts:AssumeRole" ], "Resource" : [ - "arn:aws-us-gov:iam::${var.aws_account_id}:role/${var.resource_prefix}-storage-credential" + "arn:aws-us-gov:iam::${var.aws_account_id}:role/${var.resource_prefix}-storage-credential-example" ], "Effect" : "Allow" } 
@@ -92,7 +92,8 @@ resource "databricks_storage_credential" "external" { aws_iam_role { role_arn = aws_iam_role.storage_credential_role.arn } - depends_on = [aws_iam_role.storage_credential_role, time_sleep.wait_30_seconds] + isolation_mode = "ISOLATION_MODE_ISOLATED" + depends_on = [aws_iam_role.storage_credential_role, time_sleep.wait_30_seconds] } // External Location @@ -100,9 +101,9 @@ resource "databricks_external_location" "data_example" { name = "external-location-example" url = "s3://${var.read_only_data_bucket}/" credential_name = databricks_storage_credential.external.id - skip_validation = true read_only = true - comment = "Managed by TF" + comment = "Read only external location for ${var.read_only_data_bucket}" + isolation_mode = "ISOLATION_MODE_ISOLATED" } // External Location Grant diff --git a/aws-gov/tf/modules/sra/network.tf b/aws-gov/tf/modules/sra/network.tf index cf13eb3..5f38f7a 100644 --- a/aws-gov/tf/modules/sra/network.tf +++ b/aws-gov/tf/modules/sra/network.tf @@ -25,8 +25,11 @@ module "vpc" { intra_subnet_names = [for az in var.availability_zones : format("%s-privatelink-%s", var.resource_prefix, az)] intra_subnets = var.privatelink_subnets_cidr -} + tags = { + Project = var.resource_prefix + } +} // Security group - skipped in custom mode resource "aws_security_group" "sg" { @@ -80,6 +83,7 @@ resource "aws_security_group" "sg" { } } tags = { - Name = "${var.resource_prefix}-workspace-sg" + Name = "${var.resource_prefix}-workspace-sg" + Project = var.resource_prefix } } \ No newline at end of file diff --git a/aws-gov/tf/modules/sra/privatelink.tf b/aws-gov/tf/modules/sra/privatelink.tf index d769f37..c8f7f10 100644 --- a/aws-gov/tf/modules/sra/privatelink.tf +++ b/aws-gov/tf/modules/sra/privatelink.tf @@ -41,7 +41,8 @@ resource "aws_security_group" "privatelink" { } tags = { - Name = "${var.resource_prefix}-private-link-sg" + Name = "${var.resource_prefix}-private-link-sg", + Project = var.resource_prefix } } 
@@ -217,7 +218,7 @@ data "aws_iam_policy_document" "sts_vpc_endpoint_policy" { principals { type = "AWS" identifiers = [ - "arn:aws-us-gov:iam::${var.databricks_prod_aws_account_id[var.databricks_gov_shard]}:user/databricks-datasets-readonly-user", + "arn:aws-us-gov:iam::${var.databricks_prod_aws_account_id[var.databricks_gov_shard]}:user/databricks-datasets-readonly-user-prod", "${var.databricks_prod_aws_account_id[var.databricks_gov_shard]}" ] } @@ -261,7 +262,8 @@ module "vpc_endpoints" { route_table_ids = module.vpc[0].private_route_table_ids policy = var.enable_restrictive_s3_endpoint_boolean ? data.aws_iam_policy_document.s3_vpc_endpoint_policy[0].json : null tags = { - Name = "${var.resource_prefix}-s3-vpc-endpoint" + Name = "${var.resource_prefix}-s3-vpc-endpoint" + Project = var.resource_prefix } }, sts = { @@ -270,7 +272,8 @@ module "vpc_endpoints" { subnet_ids = module.vpc[0].intra_subnets policy = var.enable_restrictive_sts_endpoint_boolean ? data.aws_iam_policy_document.sts_vpc_endpoint_policy[0].json : null tags = { - Name = "${var.resource_prefix}-sts-vpc-endpoint" + Name = "${var.resource_prefix}-sts-vpc-endpoint" + Project = var.resource_prefix } }, kinesis-streams = { @@ -279,7 +282,8 @@ module "vpc_endpoints" { subnet_ids = module.vpc[0].intra_subnets policy = var.enable_restrictive_kinesis_endpoint_boolean ? data.aws_iam_policy_document.kinesis_vpc_endpoint_policy[0].json : null tags = { - Name = "${var.resource_prefix}-kinesis-vpc-endpoint" + Name = "${var.resource_prefix}-kinesis-vpc-endpoint" + Project = var.resource_prefix } } } @@ -300,7 +304,8 @@ resource "aws_vpc_endpoint" "backend_rest" { private_dns_enabled = true depends_on = [module.vpc.vpc_id] tags = { - Name = "${var.resource_prefix}-databricks-backend-rest" + Name = "${var.resource_prefix}-databricks-backend-rest" + Project = var.resource_prefix } } 
@@ -316,6 +321,7 @@ resource "aws_vpc_endpoint" "backend_relay" { private_dns_enabled = true depends_on = [module.vpc.vpc_id] tags = { - Name = "${var.resource_prefix}-databricks-backend-relay" + Name = "${var.resource_prefix}-databricks-backend-relay" + Project = var.resource_prefix } } \ No newline at end of file diff --git a/aws-gov/tf/modules/sra/root_s3_bucket.tf b/aws-gov/tf/modules/sra/root_s3_bucket.tf index cd0c430..6c1d617 100644 --- a/aws-gov/tf/modules/sra/root_s3_bucket.tf +++ b/aws-gov/tf/modules/sra/root_s3_bucket.tf @@ -4,7 +4,8 @@ resource "aws_s3_bucket" "root_storage_bucket" { bucket = "${var.resource_prefix}-workspace-root-storage" force_destroy = true tags = { - Name = var.resource_prefix + Name = "${var.resource_prefix}-workspace-root-storage" + Project = var.resource_prefix } } diff --git a/aws-gov/tf/provider.tf b/aws-gov/tf/provider.tf index b6cd9fe..66469b3 100644 --- a/aws-gov/tf/provider.tf +++ b/aws-gov/tf/provider.tf @@ -2,7 +2,7 @@ terraform { required_providers { databricks = { source = "databricks/databricks" - version = "~> 1.46.0" + version = " 1.50.0" } aws = { source = "hashicorp/aws" diff --git a/aws-gov/tf/sra.tf b/aws-gov/tf/sra.tf index 7c5d698..defb469 100644 --- a/aws-gov/tf/sra.tf +++ b/aws-gov/tf/sra.tf 
@@ -11,23 +11,24 @@ module "SRA" { client_secret = var.client_secret aws_account_id = var.aws_account_id region = var.region - region_name = var.region_name[var.databricks_gov_shard] databricks_gov_shard = var.databricks_gov_shard - databricks_prod_aws_account_id = var.databricks_prod_aws_account_id - uc_master_role_id = var.uc_master_role_id + region_name = var.region_name[var.databricks_gov_shard] + databricks_prod_aws_account_id = var.databricks_prod_aws_account_id[var.databricks_gov_shard] + uc_master_role_id = var.uc_master_role_id[var.databricks_gov_shard] + log_delivery_role_name = var.log_delivery_role_name[var.databricks_gov_shard] // Naming and Tagging Variables: resource_prefix = var.resource_prefix // Required Variables: - workspace_catalog_admin = null // Workspace catalog admin email. - user_workspace_admin = null // Workspace admin user email. - operation_mode = "sandbox" // Operation mode (sandbox, custom, firewall, isolated). + workspace_catalog_admin = null // Workspace catalog admin email. + user_workspace_admin = null // Workspace admin user email. + operation_mode = "isolated" // Operation mode (sandbox, custom, firewall, isolated), see README.md for more information. workspace_admin_service_principal_name = "sra-example-sp" // Creates an example admin SP for automation use cases. metastore_exists = false // If a regional metastore exists set to true. If there are multiple regional metastores, you can comment out "uc_init" and add the metastore ID directly in to the module call for "uc_assignment". // AWS Specific Variables: - cmk_admin_arn = null // CMK admin ARN, defaults to the AWS account root user. + cmk_admin_arn = null // CMK admin ARN, defaults to the AWS account root user. vpc_cidr_range = "10.0.0.0/18" // Please re-define the subsequent subnet ranges if the VPC CIDR range is updated. private_subnets_cidr = ["10.0.0.0/22", "10.0.4.0/22", "10.0.8.0/22"] privatelink_subnets_cidr = ["10.0.28.0/26", "10.0.28.64/26", "10.0.28.128/26"] 
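Review bot: `databricks_prod_aws_account_id = var.databricks_prod_aws_account_id[var.databricks_gov_shard]` now hands the module a single account-id string, yet module code in this same patch still indexes it by shard (`var.databricks_prod_aws_account_id[var.databricks_gov_shard]` in `databricks_workspace.tf` and in the privatelink STS endpoint policy), which cannot type-check unless the module's variable is itself a map. One side should change: keep passing the map here and let the module index it, or pass the scalar and drop the `[var.databricks_gov_shard]` inside the module. The same question applies to `uc_master_role_id` and `log_delivery_role_name`, which are also reduced to scalars on this side. The `module "SRA"` block starts before this hunk.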
@@ -65,10 +66,10 @@ module "SRA" { enable_admin_configs_boolean = false // Set to true to enable optional admin configurations. enable_logging_boolean = false // Set to true to enable log delivery and creation of related assets (e.g. S3 bucket and IAM role) - enable_restrictive_root_bucket_boolean = false - enable_restrictive_s3_endpoint_boolean = false - enable_restrictive_sts_endpoint_boolean = false - enable_restrictive_kinesis_endpoint_boolean = false + enable_restrictive_root_bucket_boolean = false // Set to true to enable a restrictive root bucket policy, this is subject to change and may cause unexpected issues in the event of a change. + enable_restrictive_s3_endpoint_boolean = false // Set to true to enable a restrictive S3 endpoint policy, this is subject to change and may cause unexpected issues in the event of a change. + enable_restrictive_sts_endpoint_boolean = false // Set to true to enable a restrictive STS endpoint policy, this is subject to change and may cause unexpected issues in the event of a change. + enable_restrictive_kinesis_endpoint_boolean = false // Set to true to enable a restrictive Kinesis endpoint policy, this is subject to change and may cause unexpected issues in the event of a change. enable_ip_boolean = false // Set to true to enable IP access list. ip_addresses = ["X.X.X.X", "X.X.X.X/XX", "X.X.X.X/XX"] // Specify IP addresses for access. From 8e5d727d6a7f58479ecb7405f84c116f84312633 Mon Sep 17 00:00:00 2001 
From: jdbraun Date: Tue, 27 Aug 2024 18:31:04 -0500 Subject: [PATCH 11/24] remove unneeded variables and organize variables --- aws/tf/modules/sra/data_plane_hardening.tf | 23 ++- .../firewall/variables.tf | 32 ++-- .../logging_configuration/variables.tf | 4 +- .../uc_assignment/variables.tf | 4 +- .../databricks_account/uc_init/variables.tf | 8 +- .../databricks_account/workspace/variables.tf | 34 ++-- aws/tf/modules/sra/databricks_workspace.tf | 14 +- .../system_tables_audit_log/variables.tf | 10 +- .../cluster_configuration/variables.tf | 17 +- .../uc_catalog/uc_catalog.tf | 2 +- .../uc_catalog/variables.tf | 10 +- .../uc_external_location/variables.tf | 10 +- aws/tf/modules/sra/network.tf | 4 +- aws/tf/modules/sra/privatelink.tf | 4 +- aws/tf/modules/sra/variables.tf | 160 +++++++++++------- aws/tf/sra.tf | 32 ++-- aws/tf/variables.tf | 71 +------- 17 files changed, 197 insertions(+), 242 deletions(-) diff --git a/aws/tf/modules/sra/data_plane_hardening.tf b/aws/tf/modules/sra/data_plane_hardening.tf index 65655f0..6f7924b 100644 --- a/aws/tf/modules/sra/data_plane_hardening.tf +++ b/aws/tf/modules/sra/data_plane_hardening.tf 
@@ -8,18 +8,17 @@ module "harden_firewall" { aws = aws } - vpc_id = module.vpc[0].vpc_id - vpc_cidr_range = var.vpc_cidr_range - public_subnets_cidr = var.public_subnets_cidr - private_subnets_cidr = module.vpc[0].private_subnets_cidr_blocks - private_subnet_rt = module.vpc[0].private_route_table_ids - firewall_subnets_cidr = var.firewall_subnets_cidr - firewall_allow_list = var.firewall_allow_list - firewall_protocol_deny_list = split(",", var.firewall_protocol_deny_list) - hive_metastore_fqdn = var.hive_metastore_fqdn - availability_zones = var.availability_zones - region = var.region - resource_prefix = var.resource_prefix + vpc_id = module.vpc[0].vpc_id + vpc_cidr_range = var.vpc_cidr_range + public_subnets_cidr = var.public_subnets_cidr + private_subnets_cidr = module.vpc[0].private_subnets_cidr_blocks + private_subnet_rt = module.vpc[0].private_route_table_ids + firewall_subnets_cidr = var.firewall_subnets_cidr + firewall_allow_list = var.firewall_allow_list + hive_metastore_fqdn = var.hms_fqdn[var.region] + availability_zones = var.availability_zones + region = var.region + resource_prefix = var.resource_prefix depends_on = [module.databricks_mws_workspace] } diff --git a/aws/tf/modules/sra/data_plane_hardening/firewall/variables.tf b/aws/tf/modules/sra/data_plane_hardening/firewall/variables.tf index 4bb8ed9..852e484 100644 --- a/aws/tf/modules/sra/data_plane_hardening/firewall/variables.tf +++ b/aws/tf/modules/sra/data_plane_hardening/firewall/variables.tf 
@@ -1,47 +1,43 @@ -variable "vpc_id" { - type = string +variable "availability_zones" { + type = list(string) } -variable "vpc_cidr_range" { - type = string +variable "firewall_allow_list" { + type = list(string) } -variable "public_subnets_cidr" { +variable "firewall_subnets_cidr" { type = list(string) } -variable "private_subnets_cidr" { - type = list(string) +variable "hive_metastore_fqdn" { + type = string } variable "private_subnet_rt" { type = list(string) } -variable "firewall_subnets_cidr" { +variable "private_subnets_cidr" { type = list(string) } -variable "firewall_allow_list" { +variable "public_subnets_cidr" { type = list(string) } -variable "hive_metastore_fqdn" { +variable "region" { type = string } -variable "availability_zones" { - type = list(string) +variable "resource_prefix" { + type = string } -variable "region" { +variable "vpc_cidr_range" { type = string } -variable "resource_prefix" { +variable "vpc_id" { type = string } - -variable "firewall_protocol_deny_list" { - type = list(string) -} \ No newline at end of file diff --git a/aws/tf/modules/sra/databricks_account/logging_configuration/variables.tf b/aws/tf/modules/sra/databricks_account/logging_configuration/variables.tf index 55aaac6..53cfbc5 100644 --- a/aws/tf/modules/sra/databricks_account/logging_configuration/variables.tf +++ b/aws/tf/modules/sra/databricks_account/logging_configuration/variables.tf @@ -1,7 +1,7 @@ -variable "resource_prefix" { +variable "databricks_account_id" { type = string } -variable "databricks_account_id" { +variable "resource_prefix" { type = string } \ No newline at end of file diff --git a/aws/tf/modules/sra/databricks_account/uc_assignment/variables.tf b/aws/tf/modules/sra/databricks_account/uc_assignment/variables.tf index b97ffde..8c922ed 100644 --- a/aws/tf/modules/sra/databricks_account/uc_assignment/variables.tf +++ b/aws/tf/modules/sra/databricks_account/uc_assignment/variables.tf 
@@ -2,10 +2,10 @@ variable "metastore_id" { type = string } -variable "workspace_id" { +variable "region" { type = string } -variable "region" { +variable "workspace_id" { type = string } \ No newline at end of file diff --git a/aws/tf/modules/sra/databricks_account/uc_init/variables.tf b/aws/tf/modules/sra/databricks_account/uc_init/variables.tf index 514f460..c2aaf1b 100644 --- a/aws/tf/modules/sra/databricks_account/uc_init/variables.tf +++ b/aws/tf/modules/sra/databricks_account/uc_init/variables.tf @@ -2,10 +2,6 @@ variable "aws_account_id" { type = string } -variable "resource_prefix" { - type = string -} - variable "databricks_account_id" { type = string } @@ -16,4 +12,8 @@ variable "metastore_name" { variable "region" { type = string +} + +variable "resource_prefix" { + type = string } \ No newline at end of file diff --git a/aws/tf/modules/sra/databricks_account/workspace/variables.tf b/aws/tf/modules/sra/databricks_account/workspace/variables.tf index cf1cc18..07748d4 100644 --- a/aws/tf/modules/sra/databricks_account/workspace/variables.tf +++ b/aws/tf/modules/sra/databricks_account/workspace/variables.tf 
@@ -1,52 +1,52 @@ -variable "bucket_name" { +variable "backend_relay" { type = string } -variable "cross_account_role_arn" { +variable "backend_rest" { type = string } -variable "databricks_account_id" { +variable "bucket_name" { type = string } -variable "resource_prefix" { +variable "cross_account_role_arn" { type = string } -variable "region" { +variable "databricks_account_id" { type = string } -variable "security_group_ids" { - type = list(string) +variable "managed_storage_key" { + type = string } -variable "subnet_ids" { - type = list(string) +variable "managed_storage_key_alias" { + type = string } -variable "vpc_id" { +variable "region" { type = string } -variable "backend_rest" { +variable "resource_prefix" { type = string } -variable "backend_relay" { - type = string +variable "security_group_ids" { + type = list(string) } -variable "managed_storage_key" { - type = string +variable "subnet_ids" { + type = list(string) } -variable "workspace_storage_key" { +variable "vpc_id" { type = string } -variable "managed_storage_key_alias" { +variable "workspace_storage_key" { type = string } diff --git a/aws/tf/modules/sra/databricks_workspace.tf b/aws/tf/modules/sra/databricks_workspace.tf index f0673e7..3425c42 100644 --- a/aws/tf/modules/sra/databricks_workspace.tf +++ b/aws/tf/modules/sra/databricks_workspace.tf 
@@ -7,13 +7,13 @@ module "uc_catalog" { databricks = databricks.created_workspace } - databricks_account_id = var.databricks_account_id - aws_account_id = var.aws_account_id - resource_prefix = var.resource_prefix - uc_catalog_name = "${var.resource_prefix}-catalog-${module.databricks_mws_workspace.workspace_id}" - cmk_admin_arn = var.cmk_admin_arn == null ? "arn:aws:iam::${var.aws_account_id}:root" : var.cmk_admin_arn - workspace_id = module.databricks_mws_workspace.workspace_id - workspace_catalog_admin = var.workspace_catalog_admin + databricks_account_id = var.databricks_account_id + aws_account_id = var.aws_account_id + resource_prefix = var.resource_prefix + uc_catalog_name = "${var.resource_prefix}-catalog-${module.databricks_mws_workspace.workspace_id}" + cmk_admin_arn = var.cmk_admin_arn == null ? "arn:aws:iam::${var.aws_account_id}:root" : var.cmk_admin_arn + workspace_id = module.databricks_mws_workspace.workspace_id + user_workspace_catalog_admin = var.user_workspace_catalog_admin depends_on = [ module.databricks_mws_workspace, module.uc_assignment diff --git a/aws/tf/modules/sra/databricks_workspace/solution_accelerators/system_tables_audit_log/variables.tf b/aws/tf/modules/sra/databricks_workspace/solution_accelerators/system_tables_audit_log/variables.tf index 046e2d2..f684f88 100644 --- a/aws/tf/modules/sra/databricks_workspace/solution_accelerators/system_tables_audit_log/variables.tf +++ b/aws/tf/modules/sra/databricks_workspace/solution_accelerators/system_tables_audit_log/variables.tf @@ -1,10 +1,10 @@ +variable "alert_emails" { + type = list(string) + description = "List of emails to notify when alerts are fired" +} + variable "warehouse_id" { type = string default = "" description = "Optional Warehouse ID to run queries on. If not provided, new SQL Warehouse is created" -} - -variable "alert_emails" { - type = list(string) - description = "List of emails to notify when alerts are fired" } \ No newline at end of file 
diff --git a/aws/tf/modules/sra/databricks_workspace/workspace_security_modules/cluster_configuration/variables.tf b/aws/tf/modules/sra/databricks_workspace/workspace_security_modules/cluster_configuration/variables.tf index d436deb..b48f472 100644 --- a/aws/tf/modules/sra/databricks_workspace/workspace_security_modules/cluster_configuration/variables.tf +++ b/aws/tf/modules/sra/databricks_workspace/workspace_security_modules/cluster_configuration/variables.tf @@ -1,17 +1,16 @@ -variable "resource_prefix" { - type = string +variable "compliance_security_profile_egress_ports" { + type = bool + nullable = false } -variable "secret_config_reference" { +variable "operation_mode" { type = string } -variable "operation_mode" { +variable "resource_prefix" { type = string } -variable "compliance_security_profile_egress_ports" { - type = bool - description = "Add 2443 to security group configuration or nitro instance" - nullable = false -} \ No newline at end of file +variable "secret_config_reference" { + type = string +} diff --git a/aws/tf/modules/sra/databricks_workspace/workspace_security_modules/uc_catalog/uc_catalog.tf b/aws/tf/modules/sra/databricks_workspace/workspace_security_modules/uc_catalog/uc_catalog.tf index 319ca1c..108992f 100644 --- a/aws/tf/modules/sra/databricks_workspace/workspace_security_modules/uc_catalog/uc_catalog.tf +++ b/aws/tf/modules/sra/databricks_workspace/workspace_security_modules/uc_catalog/uc_catalog.tf @@ -153,6 +153,6 @@ resource "databricks_catalog" "workspace_catalog" { resource "databricks_grant" "workspace_catalog" { catalog = databricks_catalog.workspace_catalog.name - principal = var.workspace_catalog_admin + principal = var.user_workspace_catalog_admin privileges = ["ALL_PRIVILEGES"] } diff --git a/aws/tf/modules/sra/databricks_workspace/workspace_security_modules/uc_catalog/variables.tf b/aws/tf/modules/sra/databricks_workspace/workspace_security_modules/uc_catalog/variables.tf index dc6a227..b029f1e 100644 
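Review bot: The `description` on `compliance_security_profile_egress_ports` ("Add 2443 to security group configuration or nitro instance") is dropped from the cluster_configuration module's variable, leaving a security-relevant toggle undocumented where it is consumed. The root-module variable keeps a description, but someone reading or reusing this module sees only `type = bool` / `nullable = false`. Restore a clearer version, e.g. `description = "When true, permits TCP 2443 egress required by the Databricks compliance security profile (security group rule / Nitro instance setup)."`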
--- a/aws/tf/modules/sra/databricks_workspace/workspace_security_modules/uc_catalog/variables.tf +++ b/aws/tf/modules/sra/databricks_workspace/workspace_security_modules/uc_catalog/variables.tf @@ -6,22 +6,22 @@ variable "cmk_admin_arn" { type = string } -variable "resource_prefix" { +variable "databricks_account_id" { type = string } -variable "databricks_account_id" { +variable "resource_prefix" { type = string } -variable "workspace_id" { +variable "uc_catalog_name" { type = string } -variable "uc_catalog_name" { +variable "user_workspace_catalog_admin" { type = string } -variable "workspace_catalog_admin" { +variable "workspace_id" { type = string } \ No newline at end of file diff --git a/aws/tf/modules/sra/databricks_workspace/workspace_security_modules/uc_external_location/variables.tf b/aws/tf/modules/sra/databricks_workspace/workspace_security_modules/uc_external_location/variables.tf index 3a838a6..47bdf84 100644 --- a/aws/tf/modules/sra/databricks_workspace/workspace_security_modules/uc_external_location/variables.tf +++ b/aws/tf/modules/sra/databricks_workspace/workspace_security_modules/uc_external_location/variables.tf @@ -1,12 +1,8 @@ -variable "databricks_account_id" { - type = string -} - variable "aws_account_id" { type = string } -variable "resource_prefix" { +variable "databricks_account_id" { type = string } @@ -16,4 +12,8 @@ variable "read_only_data_bucket" { variable "read_only_external_location_admin" { type = string +} + +variable "resource_prefix" { + type = string } \ No newline at end of file diff --git a/aws/tf/modules/sra/network.tf b/aws/tf/modules/sra/network.tf index 152b4ed..06d9448 100644 --- a/aws/tf/modules/sra/network.tf +++ b/aws/tf/modules/sra/network.tf @@ -40,7 +40,7 @@ resource "aws_security_group" "sg" { depends_on = [module.vpc] dynamic "ingress" { - for_each = var.sg_ingress_protocol + for_each = ["tcp", "udp"] content { description = "Databricks - Workspace SG - Internode Communication" from_port = 0 
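Review bot: The ingress `for_each` is now the literal `["tcp", "udp"]`, and the egress rule in the next hunk repeats the same literal, so the two halves of the internode rule can drift apart on a future edit. Hoist it once — `locals { internode_protocols = ["tcp", "udp"] }` — and reference `local.internode_protocols` in both dynamic blocks. Since the rule starts at `from_port = 0`, it also deserves a comment such as `# Internode traffic: all TCP/UDP ports; must stay scoped to this SG itself (self = true), never a CIDR source.` — the `self`/`to_port` lines are outside the hunk, so confirm that is how the rule is scoped. The `aws_security_group "sg"` resource begins above this hunk.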
@@ -51,7 +51,7 @@ resource "aws_security_group" "sg" { } dynamic "egress" { - for_each = var.sg_egress_protocol + for_each = ["tcp", "udp"] content { description = "Databricks - Workspace SG - Internode Communication" from_port = 0 diff --git a/aws/tf/modules/sra/privatelink.tf b/aws/tf/modules/sra/privatelink.tf index 7d13859..0b6047f 100644 --- a/aws/tf/modules/sra/privatelink.tf +++ b/aws/tf/modules/sra/privatelink.tf @@ -297,7 +297,7 @@ resource "aws_vpc_endpoint" "backend_rest" { count = var.operation_mode != "custom" ? 1 : 0 vpc_id = module.vpc[0].vpc_id - service_name = var.workspace_vpce_service + service_name = var.workspace[var.region] vpc_endpoint_type = "Interface" security_group_ids = [aws_security_group.privatelink[0].id] subnet_ids = module.vpc[0].intra_subnets @@ -314,7 +314,7 @@ resource "aws_vpc_endpoint" "backend_relay" { count = var.operation_mode != "custom" ? 1 : 0 vpc_id = module.vpc[0].vpc_id - service_name = var.relay_vpce_service + service_name = var.scc_relay[var.region] vpc_endpoint_type = "Interface" security_group_ids = [aws_security_group.privatelink[0].id] subnet_ids = module.vpc[0].intra_subnets diff --git a/aws/tf/modules/sra/variables.tf b/aws/tf/modules/sra/variables.tf index 82cece4..7b171a1 100644 --- a/aws/tf/modules/sra/variables.tf +++ b/aws/tf/modules/sra/variables.tf @@ -9,11 +9,6 @@ variable "aws_account_id" { sensitive = true } -variable "cmk_admin_arn" { - description = "Amazon Resource Name (ARN) of the CMK admin." - type = string -} - variable "client_id" { description = "Client ID for Databricks authentication." type = string 
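Review bot: `service_name = var.workspace[var.region]` (and `var.scc_relay[var.region]` in `backend_relay`) fails with a bare "Invalid index" error when the region is absent from the map, and the map definitions later in this patch show `us-west-1` is exactly such a region (commented out in `workspace`, missing from `scc_relay`). A `precondition` on each endpoint turns that into an actionable message and documents that PrivateLink is region-dependent; the change below is for `backend_rest`, and `backend_relay` needs the same with `var.scc_relay`. Both resources continue past the end of their hunks, so the closing brace is not shown.

```hcl
resource "aws_vpc_endpoint" "backend_rest" {
  count = var.operation_mode != "custom" ? 1 : 0
  # … unchanged: vpc_id, service_name, vpc_endpoint_type, security_group_ids, subnet_ids …

  lifecycle {
    precondition {
      condition     = contains(keys(var.workspace), var.region)
      error_message = "var.workspace has no Databricks workspace (REST API) VPC endpoint service for var.region; PrivateLink is not available there (e.g. us-west-1) unless operation_mode is custom."
    }
  }
```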
@@ -26,6 +21,17 @@ variable "client_secret" { sensitive = true } +variable "cmk_admin_arn" { + description = "Amazon Resource Name (ARN) of the CMK admin." + type = string +} + +variable "compliance_security_profile_egress_ports" { + type = bool + description = "Add 2443 to security group configuration or nitro instance" + nullable = false +} + variable "custom_private_subnet_ids" { type = list(string) description = "List of custom private subnet IDs" @@ -36,7 +42,6 @@ variable "custom_relay_vpce_id" { description = "Custom Relay VPC Endpoint ID" } - variable "custom_sg_id" { type = string description = "Custom security group ID" @@ -52,16 +57,16 @@ variable "custom_workspace_vpce_id" { description = "Custom Workspace VPC Endpoint ID" } - variable "databricks_account_id" { description = "ID of the Databricks account." type = string sensitive = true } -variable "read_only_data_bucket" { - description = "S3 bucket for data storage." - type = string +variable "enable_admin_configs_boolean" { + type = bool + description = "Enable workspace configs" + nullable = false } variable "enable_audit_log_alerting" { @@ -78,13 +83,6 @@ variable "enable_cluster_boolean" { default = false } -variable "enable_read_only_external_location_boolean" { - description = "Flag to enable read only external location" - type = bool - sensitive = true - default = false -} - variable "enable_ip_boolean" { description = "Flag to enable IP-related configurations." type = bool @@ -99,8 +97,8 @@ variable "enable_logging_boolean" { default = false } -variable "enable_restrictive_root_bucket_boolean" { - description = "Flag to enable restrictive root bucket settings." +variable "enable_read_only_external_location_boolean" { + description = "Flag to enable read only external location" type = bool sensitive = true default = false 
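Review bot: `enable_admin_configs_boolean` is added with `description = "Enable workspace configs"`, which does not tell an operator which workspace settings are changed or in which direction, and `compliance_security_profile_egress_ports` keeps the terse "Add 2443 to security group configuration or nitro instance". Both flags gate security posture, so their descriptions should state the effect, e.g. `description = "When true, applies the hardened workspace admin settings shipped in the workspace security modules (see README)."` and `description = "When true, permits TCP 2443 egress required by the Databricks compliance security profile."` I could not see the admin-configuration module in this chunk, so word the first one to match whatever it actually sets.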
@@ -112,6 +110,13 @@ variable "enable_restrictive_kinesis_endpoint_boolean" { default = false } +variable "enable_restrictive_root_bucket_boolean" { + description = "Flag to enable restrictive root bucket settings." + type = bool + sensitive = true + default = false +} + variable "enable_restrictive_s3_endpoint_boolean" { type = bool description = "Enable restrictive S3 endpoint boolean flag" @@ -124,7 +129,6 @@ variable "enable_restrictive_sts_endpoint_boolean" { default = false } - variable "enable_sat_boolean" { description = "Flag for a specific SAT (Service Access Token) configuration." type = bool 
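Review bot: `enable_restrictive_root_bucket_boolean` is re-declared with `sensitive = true` even though it is a feature flag with a non-secret default of `false`, and `enable_read_only_external_location_boolean` in the previous hunk carries the same marking. Sensitivity here only redacts the flag and anything derived from it from plan output, hiding precisely the change a reviewer wants to see when a hardening control is toggled. Drop `sensitive = true` from these flags, or add a comment explaining why they must not appear in plans.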
@@ -144,18 +148,30 @@ variable "firewall_allow_list" { type = list(string) } -variable "firewall_protocol_deny_list" { - description = "Protocol list that the firewall should deny." - type = string -} - variable "firewall_subnets_cidr" { description = "CIDR blocks for firewall subnets." type = list(string) } -variable "hive_metastore_fqdn" { - type = string +variable "hms_fqdn" { + type = map(string) + default = { + "ap-northeast-1" = "mddx5a4bpbpm05.cfrfsun7mryq.ap-northeast-1.rds.amazonaws.com" + "ap-northeast-2" = "md1915a81ruxky5.cfomhrbro6gt.ap-northeast-2.rds.amazonaws.com" + "ap-south-1" = "mdjanpojt83v6j.c5jml0fhgver.ap-south-1.rds.amazonaws.com" + "ap-southeast-1" = "md1n4trqmokgnhr.csnrqwqko4ho.ap-southeast-1.rds.amazonaws.com" + "ap-southeast-2" = "mdnrak3rme5y1c.c5f38tyb1fdu.ap-southeast-2.rds.amazonaws.com" + "ca-central-1" = "md1w81rjeh9i4n5.co1tih5pqdrl.ca-central-1.rds.amazonaws.com" + "eu-central-1" = "mdv2llxgl8lou0.ceptxxgorjrc.eu-central-1.rds.amazonaws.com" + "eu-west-1" = "md15cf9e1wmjgny.cxg30ia2wqgj.eu-west-1.rds.amazonaws.com" + "eu-west-2" = "mdio2468d9025m.c6fvhwk6cqca.eu-west-2.rds.amazonaws.com" + "eu-west-3" = "metastorerds-dbconsolidationmetastore-asda4em2u6eg.c2ybp3dss6ua.eu-west-3.rds.amazonaws.com" + "sa-east-1" = "metastorerds-dbconsolidationmetastore-fqekf3pck8yw.cog1aduyg4im.sa-east-1.rds.amazonaws.com" + "us-east-1" = "mdb7sywh50xhpr.chkweekm4xjq.us-east-1.rds.amazonaws.com" + "us-east-2" = "md7wf1g369xf22.cluz8hwxjhb6.us-east-2.rds.amazonaws.com" + "us-west-1" = "mdzsbtnvk0rnce.c13weuwubexq.us-west-1.rds.amazonaws.com" + "us-west-2" = "mdpartyyphlhsp.caj77bnxuhme.us-west-2.rds.amazonaws.com" + } } variable "ip_addresses" { 
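Review bot: `hms_fqdn` bakes fifteen regional RDS hostnames into a variable default with no `description` or provenance, while the only pointer to their source — the docs link that sat beside `hive_metastore_fqdn` in sra.tf — is removed in the same patch. These hostnames feed the firewall's metastore egress rule, so a stale or mistyped entry breaks metastore access silently at the firewall rather than at plan time. Add `description = "Legacy Hive metastore RDS hostname per region, copied from https://docs.databricks.com/en/resources/supported-regions.html#rds-addresses-for-legacy-hive-metastore; re-verify against that page before adding or relying on a region."`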
@@ -179,18 +195,6 @@ variable "operation_mode" { } } -variable "compliance_security_profile_egress_ports" { - type = bool - description = "Add 2443 to security group configuration or nitro instance" - nullable = false -} - -variable "enable_admin_configs_boolean" { - type = bool - description = "Enable workspace configs" - nullable = false -} - variable "private_subnets_cidr" { description = "CIDR blocks for private subnets." type = list(string) @@ -206,6 +210,16 @@ variable "public_subnets_cidr" { type = list(string) } +variable "read_only_data_bucket" { + description = "S3 bucket for data storage." + type = string +} + +variable "read_only_external_location_admin" { + description = "User to grant external location admin." + type = string +} + variable "region" { description = "AWS region code." type = string 
@@ -216,28 +230,33 @@ variable "region_name" { type = string } -variable "relay_vpce_service" { - description = "VPCE service for the secure cluster connectivity relay." - type = string -} - variable "resource_prefix" { description = "Prefix for the resource names." type = string } -variable "sg_egress_ports" { - description = "List of egress ports for security groups." - type = list(string) -} - -variable "sg_egress_protocol" { - description = "List of egress protocols for security groups." - type = list(string) +variable "scc_relay" { + type = map(string) + default = { + "ap-northeast-1" = "com.amazonaws.vpce.ap-northeast-1.vpce-svc-02aa633bda3edbec0" + "ap-northeast-2" = "com.amazonaws.vpce.ap-northeast-2.vpce-svc-0dc0e98a5800db5c4" + "ap-south-1" = "com.amazonaws.vpce.ap-south-1.vpce-svc-03fd4d9b61414f3de" + "ap-southeast-1" = "com.amazonaws.vpce.ap-southeast-1.vpce-svc-0557367c6fc1a0c5c" + "ap-southeast-2" = "com.amazonaws.vpce.ap-southeast-2.vpce-svc-0b4a72e8f825495f6" + "ca-central-1" = "com.amazonaws.vpce.ca-central-1.vpce-svc-0c4e25bdbcbfbb684" + "eu-central-1" = "com.amazonaws.vpce.eu-central-1.vpce-svc-08e5dfca9572c85c4" + "eu-west-1" = "com.amazonaws.vpce.eu-west-1.vpce-svc-09b4eb2bc775f4e8c" + "eu-west-2" = "com.amazonaws.vpce.eu-west-2.vpce-svc-05279412bf5353a45" + "eu-west-3" = "com.amazonaws.vpce.eu-west-3.vpce-svc-005b039dd0b5f857d" + "sa-east-1" = "com.amazonaws.vpce.sa-east-1.vpce-svc-0e61564963be1b43f" + "us-east-1" = "com.amazonaws.vpce.us-east-1.vpce-svc-00018a8c3ff62ffdf" + "us-east-2" = "com.amazonaws.vpce.us-east-2.vpce-svc-090a8fab0d73e39a6" + "us-west-2" = "com.amazonaws.vpce.us-west-2.vpce-svc-0158114c0c730c3bb" + } } -variable "sg_ingress_protocol" { - description = "List of ingress protocols for security groups." +variable "sg_egress_ports" { + description = "List of egress ports for security groups." type = list(string) } 
@@ -247,8 +266,8 @@ variable "user_workspace_admin" { nullable = false } -variable "read_only_external_location_admin" { - description = "User to grant external location admin." +variable "user_workspace_catalog_admin" { + description = "Admin for the workspace catalog" type = string } @@ -257,17 +276,28 @@ variable "vpc_cidr_range" { type = string } -variable "workspace_catalog_admin" { - description = "Admin for the workspace catalog" - type = string -} - -variable "workspace_vpce_service" { - description = "VPCE service for the workspace REST API endpoint." - type = string +variable "workspace" { + type = map(string) + default = { + "ap-northeast-1" = "com.amazonaws.vpce.ap-northeast-1.vpce-svc-02691fd610d24fd64" + "ap-northeast-2" = "com.amazonaws.vpce.ap-northeast-2.vpce-svc-0babb9bde64f34d7e" + "ap-south-1" = "com.amazonaws.vpce.ap-south-1.vpce-svc-0dbfe5d9ee18d6411" + "ap-southeast-1" = "com.amazonaws.vpce.ap-southeast-1.vpce-svc-02535b257fc253ff4" + "ap-southeast-2" = "com.amazonaws.vpce.ap-southeast-2.vpce-svc-0b87155ddd6954974" + "ca-central-1" = "com.amazonaws.vpce.ca-central-1.vpce-svc-0205f197ec0e28d65" + "eu-central-1" = "com.amazonaws.vpce.eu-central-1.vpce-svc-081f78503812597f7" + "eu-west-1" = "com.amazonaws.vpce.eu-west-1.vpce-svc-0da6ebf1461278016" + "eu-west-2" = "com.amazonaws.vpce.eu-west-2.vpce-svc-01148c7cdc1d1326c" + "eu-west-3" = "com.amazonaws.vpce.eu-west-3.vpce-svc-008b9368d1d011f37" + "sa-east-1" = "com.amazonaws.vpce.sa-east-1.vpce-svc-0bafcea8cdfe11b66" + "us-east-1" = "com.amazonaws.vpce.us-east-1.vpce-svc-09143d1e626de2f04" + "us-east-2" = "com.amazonaws.vpce.us-east-2.vpce-svc-041dc2b4d7796b8d3" + "us-west-2" = "com.amazonaws.vpce.us-west-2.vpce-svc-0129f463fcfbc46c5" + #"us-west-1" = "" + } } variable "workspace_admin_service_principal_name" { description = "Service principle name" type = string -} \ No newline at end of file +} diff --git a/aws/tf/sra.tf b/aws/tf/sra.tf index b59731f..f7200f3 100644 --- a/aws/tf/sra.tf 
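Review bot: `workspace` ships a commented placeholder `#"us-west-1" = ""`, `scc_relay` in the previous hunk has no `us-west-1` entry at all, and `hms_fqdn` does list that region, so nothing tells an operator which regions the non-custom operation modes actually support. Neither map has a `description` naming what the service identifiers are or where they were taken from, which matters because a wrong `vpce-svc-` ID would point the workspace's back-end traffic at the wrong endpoint service. Suggested: `description = "Databricks workspace (REST API) PrivateLink endpoint service per region, from the Databricks PrivateLink documentation; us-west-1 has none and is unsupported outside custom mode."` and the equivalent for `scc_relay` ("secure cluster connectivity relay").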
+++ b/aws/tf/sra.tf @@ -5,7 +5,7 @@ module "SRA" { aws = aws } - // Common Authentication Variables + // REQUIRED - Authentication: databricks_account_id = var.databricks_account_id client_id = var.client_id client_secret = var.client_secret @@ -13,17 +13,17 @@ module "SRA" { region = var.region region_name = var.region_name[var.region] - // Naming and Tagging Variables: + // REQUIRED - Naming and Tagging: resource_prefix = var.resource_prefix - // Required Variables: - workspace_catalog_admin = null // Workspace catalog admin email. - user_workspace_admin = null // Workspace admin user email. + // REQUIRED - Workspace and Unity Catalog: + user_workspace_admin = null // Workspace admin user email. + user_workspace_catalog_admin = null // Workspace catalog admin email. operation_mode = "isolated" // Operation mode (sandbox, custom, firewall, isolated), see README.md for more information. workspace_admin_service_principal_name = "sra-example-sp" // Creates an example admin SP for automation use cases. metastore_exists = false // If a regional metastore exists set to true. If there are multiple regional metastores, you can comment out "uc_init" and add the metastore ID directly in to the module call for "uc_assignment". - // AWS Specific Variables: + // REQUIRED - AWS Infrastructure: cmk_admin_arn = null // CMK admin ARN, defaults to the AWS account root user. vpc_cidr_range = "10.0.0.0/18" // Please re-define the subsequent subnet ranges if the VPC CIDR range is updated. private_subnets_cidr = ["10.0.0.0/22", "10.0.4.0/22", "10.0.8.0/22"] 
@@ -31,29 +31,23 @@ module "SRA" { availability_zones = [data.aws_availability_zones.available.names[0], data.aws_availability_zones.available.names[1], data.aws_availability_zones.available.names[2]] sg_egress_ports = [443, 3306, 6666, 8443, 8444, 8445, 8446, 8447, 8448, 8449, 8450, 8451] compliance_security_profile_egress_ports = false // Set to true to enable compliance security profile related egress ports (2443) - sg_ingress_protocol = ["tcp", "udp"] - sg_egress_protocol = ["tcp", "udp"] - relay_vpce_service = var.scc_relay[var.region] - workspace_vpce_service = var.workspace[var.region] - // Operation Mode Specific Variables: - // Sandbox and Firewall Modes + // Operation Mode Specific: + // Sandbox and Firewall Operation Mode: public_subnets_cidr = ["10.0.29.0/26", "10.0.29.64/26", "10.0.29.128/26"] - // Firewall Mode Specific: - firewall_subnets_cidr = ["10.0.33.0/26", "10.0.33.64/26", "10.0.33.128/26"] - firewall_allow_list = [".pypi.org", ".cran.r-project.org", ".pythonhosted.org", ".spark-packages.org", ".maven.org", "maven.apache.org", ".storage-download.googleapis.com"] - firewall_protocol_deny_list = "IP" - hive_metastore_fqdn = var.hms_fqdn[var.region] // https://docs.databricks.com/en/resources/supported-regions.html#rds-addresses-for-legacy-hive-metastore + // Firewall Operation Mode: + firewall_subnets_cidr = ["10.0.33.0/26", "10.0.33.64/26", "10.0.33.128/26"] + firewall_allow_list = [".pypi.org", ".cran.r-project.org", ".pythonhosted.org", ".spark-packages.org", ".maven.org", "maven.apache.org", ".storage-download.googleapis.com"] - // Custom Mode Specific: + // Custom Operation Mode: custom_vpc_id = null custom_private_subnet_ids = null // List of custom private subnet IDs required. 
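Review bot: `cmk_admin_arn = null` with the comment "defaults to the AWS account root user" means the customer-managed keys fall back to `arn:aws:iam::<account>:root` as their admin principal (see the `uc_catalog` call in databricks_workspace.tf), so key administration is delegated to every IAM policy in the account rather than a named key-admin role. For a reference architecture the example should nudge towards an explicit ARN rather than present null as the normal choice. Suggested comment: `// Set to a dedicated KMS key-admin role ARN; null falls back to the account root principal, which delegates key administration to all IAM policies in the account.` The `module "SRA"` block starts and ends outside this hunk.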
custom_sg_id = null custom_relay_vpce_id = null custom_workspace_vpce_id = null - // Optional Features: + // OPTIONAL - Examples, Workspace Hardening, Public Previews, and Solution Accelerators: enable_read_only_external_location_boolean = false // Set to true to enable a read-only external location. read_only_data_bucket = null // S3 bucket name for read-only data. read_only_external_location_admin = null // Admin for the external location. diff --git a/aws/tf/variables.tf b/aws/tf/variables.tf index 55b73a5..4b0e753 100644 --- a/aws/tf/variables.tf +++ b/aws/tf/variables.tf @@ -1,3 +1,7 @@ +data "aws_availability_zones" "available" { + state = "available" +} + variable "aws_account_id" { description = "ID of the AWS account." type = string 
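Review bot: The `// Firewall Operation Mode:` section no longer says where the metastore endpoint comes from: `hive_metastore_fqdn` and its docs link are removed, and the module now resolves `var.hms_fqdn[var.region]` internally, so nothing in sra.tf tells the operator that a legacy Hive metastore hostname is being allow-listed on their behalf. Add a one-line comment under the heading, e.g. `// The regional legacy Hive metastore RDS hostname is allow-listed automatically (module var.hms_fqdn); the list below additionally opens egress to public package repositories.` The `module "SRA"` block starts and ends outside this hunk.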
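Review bot: A `data "aws_availability_zones"` block is moved to the very top of aws/tf/variables.tf, ahead of `variable "aws_account_id"`. A data source performs an API read and is not an input declaration, so readers scanning variables.tf for inputs will miss it; keep it with the configuration that consumes it (sra.tf, which takes `names[0]`–`names[2]` from it). Wherever it lands, give it a comment: `# Queries the available AZs; sra.tf uses the first three for the workspace subnets.`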
@@ -55,71 +59,4 @@ variable "region_name" { variable "resource_prefix" { description = "Prefix for the resource names." type = string -} - -data "aws_availability_zones" "available" { - state = "available" -} - -variable "workspace" { - type = map(string) - default = { - "ap-northeast-1" = "com.amazonaws.vpce.ap-northeast-1.vpce-svc-02691fd610d24fd64" - "ap-northeast-2" = "com.amazonaws.vpce.ap-northeast-2.vpce-svc-0babb9bde64f34d7e" - "ap-south-1" = "com.amazonaws.vpce.ap-south-1.vpce-svc-0dbfe5d9ee18d6411" - "ap-southeast-1" = "com.amazonaws.vpce.ap-southeast-1.vpce-svc-02535b257fc253ff4" - "ap-southeast-2" = "com.amazonaws.vpce.ap-southeast-2.vpce-svc-0b87155ddd6954974" - "ca-central-1" = "com.amazonaws.vpce.ca-central-1.vpce-svc-0205f197ec0e28d65" - "eu-central-1" = "com.amazonaws.vpce.eu-central-1.vpce-svc-081f78503812597f7" - "eu-west-1" = "com.amazonaws.vpce.eu-west-1.vpce-svc-0da6ebf1461278016" - "eu-west-2" = "com.amazonaws.vpce.eu-west-2.vpce-svc-01148c7cdc1d1326c" - "eu-west-3" = "com.amazonaws.vpce.eu-west-3.vpce-svc-008b9368d1d011f37" - "sa-east-1" = "com.amazonaws.vpce.sa-east-1.vpce-svc-0bafcea8cdfe11b66" - "us-east-1" = "com.amazonaws.vpce.us-east-1.vpce-svc-09143d1e626de2f04" - "us-east-2" = "com.amazonaws.vpce.us-east-2.vpce-svc-041dc2b4d7796b8d3" - "us-west-2" = "com.amazonaws.vpce.us-west-2.vpce-svc-0129f463fcfbc46c5" - #"us-west-1" = "" - } -} - -variable "scc_relay" { - type = map(string) - default = { - "ap-northeast-1" = "com.amazonaws.vpce.ap-northeast-1.vpce-svc-02aa633bda3edbec0" - "ap-northeast-2" = "com.amazonaws.vpce.ap-northeast-2.vpce-svc-0dc0e98a5800db5c4" - "ap-south-1" = "com.amazonaws.vpce.ap-south-1.vpce-svc-03fd4d9b61414f3de" - "ap-southeast-1" = "com.amazonaws.vpce.ap-southeast-1.vpce-svc-0557367c6fc1a0c5c" - "ap-southeast-2" = "com.amazonaws.vpce.ap-southeast-2.vpce-svc-0b4a72e8f825495f6" - "ca-central-1" = "com.amazonaws.vpce.ca-central-1.vpce-svc-0c4e25bdbcbfbb684" - "eu-central-1" = 
"com.amazonaws.vpce.eu-central-1.vpce-svc-08e5dfca9572c85c4" - "eu-west-1" = "com.amazonaws.vpce.eu-west-1.vpce-svc-09b4eb2bc775f4e8c" - "eu-west-2" = "com.amazonaws.vpce.eu-west-2.vpce-svc-05279412bf5353a45" - "eu-west-3" = "com.amazonaws.vpce.eu-west-3.vpce-svc-005b039dd0b5f857d" - "sa-east-1" = "com.amazonaws.vpce.sa-east-1.vpce-svc-0e61564963be1b43f" - "us-east-1" = "com.amazonaws.vpce.us-east-1.vpce-svc-00018a8c3ff62ffdf" - "us-east-2" = "com.amazonaws.vpce.us-east-2.vpce-svc-090a8fab0d73e39a6" - "us-west-2" = "com.amazonaws.vpce.us-west-2.vpce-svc-0158114c0c730c3bb" - #"us-west-1" = "" - } -} - -variable "hms_fqdn" { - type = map(string) - default = { - "ap-northeast-1" = "mddx5a4bpbpm05.cfrfsun7mryq.ap-northeast-1.rds.amazonaws.com" - "ap-northeast-2" = "md1915a81ruxky5.cfomhrbro6gt.ap-northeast-2.rds.amazonaws.com" - "ap-south-1" = "mdjanpojt83v6j.c5jml0fhgver.ap-south-1.rds.amazonaws.com" - "ap-southeast-1" = "md1n4trqmokgnhr.csnrqwqko4ho.ap-southeast-1.rds.amazonaws.com" - "ap-southeast-2" = "mdnrak3rme5y1c.c5f38tyb1fdu.ap-southeast-2.rds.amazonaws.com" - "ca-central-1" = "md1w81rjeh9i4n5.co1tih5pqdrl.ca-central-1.rds.amazonaws.com" - "eu-central-1" = "mdv2llxgl8lou0.ceptxxgorjrc.eu-central-1.rds.amazonaws.com" - "eu-west-1" = "md15cf9e1wmjgny.cxg30ia2wqgj.eu-west-1.rds.amazonaws.com" - "eu-west-2" = "mdio2468d9025m.c6fvhwk6cqca.eu-west-2.rds.amazonaws.com" - "eu-west-3" = "metastorerds-dbconsolidationmetastore-asda4em2u6eg.c2ybp3dss6ua.eu-west-3.rds.amazonaws.com" - "sa-east-1" = "metastorerds-dbconsolidationmetastore-fqekf3pck8yw.cog1aduyg4im.sa-east-1.rds.amazonaws.com" - "us-east-1" = "mdb7sywh50xhpr.chkweekm4xjq.us-east-1.rds.amazonaws.com" - "us-east-2" = "md7wf1g369xf22.cluz8hwxjhb6.us-east-2.rds.amazonaws.com" - "us-west-2" = "mdpartyyphlhsp.caj77bnxuhme.us-west-2.rds.amazonaws.com" - "us-west-1" = "mdzsbtnvk0rnce.c13weuwubexq.us-west-1.rds.amazonaws.com" - } } \ No newline at end of file 
From e8726b6b8400dee7cb7ba6cef833bdd3398dfbc8 Mon Sep 17 00:00:00 2001 From: Antonio Irizarry Date: Tue, 27 Aug 2024 22:54:13 -0400 Subject: [PATCH 12/24] Updated aws-gov variables --- .../tf/modules/sra/data_plane_hardening.tf | 23 ++-- .../firewall/variables.tf | 32 ++--- .../logging_configuration/variables.tf | 12 +- .../uc_assignment/variables.tf | 4 +- .../databricks_account/uc_init/variables.tf | 8 +- .../databricks_account/workspace/variables.tf | 34 ++--- .../tf/modules/sra/databricks_workspace.tf | 2 +- .../system_tables_audit_log/variables.tf | 10 +- .../cluster_configuration/variables.tf | 15 +- .../uc_catalog/uc_catalog.tf | 2 +- .../uc_catalog/variables.tf | 24 ++-- .../uc_external_location/variables.tf | 16 +-- aws-gov/tf/modules/sra/network.tf | 4 +- aws-gov/tf/modules/sra/privatelink.tf | 4 +- aws-gov/tf/modules/sra/variables.tf | 130 +++++++++--------- aws-gov/tf/sra.tf | 28 ++-- aws-gov/tf/variables.tf | 73 ++++------ 17 files changed, 190 insertions(+), 231 deletions(-) diff --git a/aws-gov/tf/modules/sra/data_plane_hardening.tf b/aws-gov/tf/modules/sra/data_plane_hardening.tf index 62a5a05..cbb2cda 100644 --- a/aws-gov/tf/modules/sra/data_plane_hardening.tf +++ b/aws-gov/tf/modules/sra/data_plane_hardening.tf 
@@ -8,18 +8,17 @@ module "harden_firewall" { aws = aws } - vpc_id = module.vpc[0].vpc_id - vpc_cidr_range = var.vpc_cidr_range - public_subnets_cidr = var.public_subnets_cidr - private_subnets_cidr = module.vpc[0].private_subnets_cidr_blocks - private_subnet_rt = module.vpc[0].private_route_table_ids - firewall_subnets_cidr = var.firewall_subnets_cidr - firewall_allow_list = var.firewall_allow_list - firewall_protocol_deny_list = split(",", var.firewall_protocol_deny_list) - hive_metastore_fqdn = var.hive_metastore_fqdn - availability_zones = var.availability_zones - region = var.region - resource_prefix = var.resource_prefix + vpc_id = module.vpc[0].vpc_id + vpc_cidr_range = var.vpc_cidr_range + public_subnets_cidr = var.public_subnets_cidr + private_subnets_cidr = module.vpc[0].private_subnets_cidr_blocks + private_subnet_rt = module.vpc[0].private_route_table_ids + firewall_subnets_cidr = var.firewall_subnets_cidr + firewall_allow_list = var.firewall_allow_list + hive_metastore_fqdn = var.hms_fqdn[var.databricks_gov_shard] + availability_zones = var.availability_zones + region = var.region + resource_prefix = var.resource_prefix depends_on = [module.databricks_mws_workspace] } diff --git a/aws-gov/tf/modules/sra/data_plane_hardening/firewall/variables.tf b/aws-gov/tf/modules/sra/data_plane_hardening/firewall/variables.tf index 4bb8ed9..2d8b5b8 100644 --- a/aws-gov/tf/modules/sra/data_plane_hardening/firewall/variables.tf +++ b/aws-gov/tf/modules/sra/data_plane_hardening/firewall/variables.tf 
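Review bot: `firewall_protocol_deny_list` is removed from the gov `harden_firewall` call (and from firewall/variables.tf below), but this patch's diffstat lists `data_plane_hardening/firewall/variables.tf` and not `firewall/firewall.tf`. If firewall.tf still references `var.firewall_protocol_deny_list` this will not validate; if the deny rule was already removed there, the firewall policy's default action is now the only thing blocking non-allow-listed egress, and neither outcome is visible here. Confirm which it is and document it at the call site, e.g. `# Non-allow-listed egress relies on the firewall policy's default drop action (firewall.tf)`. Note also that `hive_metastore_fqdn` is keyed by `var.databricks_gov_shard` here rather than `var.region` as in the commercial module, which is consistent only if the gov `hms_fqdn` map (outside this chunk) is shard-keyed; the `module "harden_firewall"` block begins above the hunk.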
@@ -1,47 +1,43 @@ -variable "vpc_id" { - type = string +variable "availability_zones" { + type = list(string) } -variable "vpc_cidr_range" { - type = string +variable "firewall_allow_list" { + type = list(string) } -variable "public_subnets_cidr" { +variable "firewall_subnets_cidr" { type = list(string) } -variable "private_subnets_cidr" { - type = list(string) +variable "hive_metastore_fqdn" { + type = string } variable "private_subnet_rt" { type = list(string) } -variable "firewall_subnets_cidr" { +variable "private_subnets_cidr" { type = list(string) } -variable "firewall_allow_list" { +variable "public_subnets_cidr" { type = list(string) } -variable "hive_metastore_fqdn" { +variable "region" { type = string } -variable "availability_zones" { - type = list(string) -} - -variable "region" { +variable "resource_prefix" { type = string } -variable "resource_prefix" { +variable "vpc_cidr_range" { type = string } -variable "firewall_protocol_deny_list" { - type = list(string) +variable "vpc_id" { + type = string } \ No newline at end of file diff --git a/aws-gov/tf/modules/sra/databricks_account/logging_configuration/variables.tf b/aws-gov/tf/modules/sra/databricks_account/logging_configuration/variables.tf index ea2ce1c..ed32d78 100644 --- a/aws-gov/tf/modules/sra/databricks_account/logging_configuration/variables.tf +++ b/aws-gov/tf/modules/sra/databricks_account/logging_configuration/variables.tf @@ -1,7 +1,3 @@ -variable "resource_prefix" { - type = string -} - variable "databricks_account_id" { type = string } @@ -10,10 +6,14 @@ variable "databricks_gov_shard" { type = string } -variable "log_delivery_role_name" { +variable "databricks_prod_aws_account_id" { type = map(string) } -variable "databricks_prod_aws_account_id" { +variable "log_delivery_role_name" { type = map(string) +} + +variable "resource_prefix" { + type = string } \ No newline at end of file 
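Review bot: In the gov logging_configuration variables, `databricks_prod_aws_account_id` and `log_delivery_role_name` are `map(string)` inputs with no `description`, yet their names indicate they identify the Databricks-operated account and role that the log-delivery trust relationship will grant access to — exactly the values a reviewer has to check against Databricks' published GovCloud identifiers. Add descriptions stating purpose and source, e.g. `description = "Databricks production AWS account ID per GovCloud shard (databricks_gov_shard); used in the log delivery trust policy — verify against Databricks documentation"`. The trust-policy use is inferred from the names; the resource that consumes them is not in this chunk.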
diff --git a/aws-gov/tf/modules/sra/databricks_account/uc_assignment/variables.tf b/aws-gov/tf/modules/sra/databricks_account/uc_assignment/variables.tf index b97ffde..8c922ed 100644 --- a/aws-gov/tf/modules/sra/databricks_account/uc_assignment/variables.tf +++ b/aws-gov/tf/modules/sra/databricks_account/uc_assignment/variables.tf @@ -2,10 +2,10 @@ variable "metastore_id" { type = string } -variable "workspace_id" { +variable "region" { type = string } -variable "region" { +variable "workspace_id" { type = string } \ No newline at end of file diff --git a/aws-gov/tf/modules/sra/databricks_account/uc_init/variables.tf b/aws-gov/tf/modules/sra/databricks_account/uc_init/variables.tf index 514f460..c2aaf1b 100644 --- a/aws-gov/tf/modules/sra/databricks_account/uc_init/variables.tf +++ b/aws-gov/tf/modules/sra/databricks_account/uc_init/variables.tf @@ -2,10 +2,6 @@ variable "aws_account_id" { type = string } -variable "resource_prefix" { - type = string -} - variable "databricks_account_id" { type = string } @@ -16,4 +12,8 @@ variable "metastore_name" { variable "region" { type = string +} + +variable "resource_prefix" { + type = string } \ No newline at end of file diff --git a/aws-gov/tf/modules/sra/databricks_account/workspace/variables.tf b/aws-gov/tf/modules/sra/databricks_account/workspace/variables.tf index cf1cc18..07748d4 100644 --- a/aws-gov/tf/modules/sra/databricks_account/workspace/variables.tf +++ b/aws-gov/tf/modules/sra/databricks_account/workspace/variables.tf 
@@ -1,52 +1,52 @@ -variable "bucket_name" { +variable "backend_relay" { type = string } -variable "cross_account_role_arn" { +variable "backend_rest" { type = string } -variable "databricks_account_id" { +variable "bucket_name" { type = string } -variable "resource_prefix" { +variable "cross_account_role_arn" { type = string } -variable "region" { +variable "databricks_account_id" { type = string } -variable "security_group_ids" { - type = list(string) +variable "managed_storage_key" { + type = string } -variable "subnet_ids" { - type = list(string) +variable "managed_storage_key_alias" { + type = string } -variable "vpc_id" { +variable "region" { type = string } -variable "backend_rest" { +variable "resource_prefix" { type = string } -variable "backend_relay" { - type = string +variable "security_group_ids" { + type = list(string) } -variable "managed_storage_key" { - type = string +variable "subnet_ids" { + type = list(string) } -variable "workspace_storage_key" { +variable "vpc_id" { type = string } -variable "managed_storage_key_alias" { +variable "workspace_storage_key" { type = string } diff --git a/aws-gov/tf/modules/sra/databricks_workspace.tf b/aws-gov/tf/modules/sra/databricks_workspace.tf index 9aaf145..9b9f55e 100644 --- a/aws-gov/tf/modules/sra/databricks_workspace.tf +++ b/aws-gov/tf/modules/sra/databricks_workspace.tf @@ -13,7 +13,7 @@ module "uc_catalog" { uc_catalog_name = "${var.resource_prefix}-catalog-${module.databricks_mws_workspace.workspace_id}" cmk_admin_arn = var.cmk_admin_arn == null ? "arn:aws-us-gov:iam::${var.databricks_prod_aws_account_id[var.databricks_gov_shard]}:root" : var.cmk_admin_arn workspace_id = module.databricks_mws_workspace.workspace_id - workspace_catalog_admin = var.workspace_catalog_admin + user_workspace_catalog_admin = var.workspace_catalog_admin databricks_gov_shard = var.databricks_gov_shard databricks_prod_aws_account_id = var.databricks_prod_aws_account_id uc_master_role_id = var.uc_master_role_id 
diff --git a/aws-gov/tf/modules/sra/databricks_workspace/solution_accelerators/system_tables_audit_log/variables.tf b/aws-gov/tf/modules/sra/databricks_workspace/solution_accelerators/system_tables_audit_log/variables.tf index 046e2d2..f684f88 100644 --- a/aws-gov/tf/modules/sra/databricks_workspace/solution_accelerators/system_tables_audit_log/variables.tf +++ b/aws-gov/tf/modules/sra/databricks_workspace/solution_accelerators/system_tables_audit_log/variables.tf @@ -1,10 +1,10 @@ +variable "alert_emails" { + type = list(string) + description = "List of emails to notify when alerts are fired" +} + variable "warehouse_id" { type = string default = "" description = "Optional Warehouse ID to run queries on. If not provided, new SQL Warehouse is created" -} - -variable "alert_emails" { - type = list(string) - description = "List of emails to notify when alerts are fired" } \ No newline at end of file diff --git a/aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/cluster_configuration/variables.tf b/aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/cluster_configuration/variables.tf index d436deb..744ce90 100644 --- a/aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/cluster_configuration/variables.tf +++ b/aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/cluster_configuration/variables.tf @@ -1,17 +1,16 @@ -variable "resource_prefix" { - type = string +variable "compliance_security_profile_egress_ports" { + type = bool + nullable = false } -variable "secret_config_reference" { +variable "operation_mode" { type = string } -variable "operation_mode" { +variable "resource_prefix" { type = string } -variable "compliance_security_profile_egress_ports" { - type = bool - description = "Add 2443 to security group configuration or nitro instance" - nullable = false +variable "secret_config_reference" { + type = string } \ No newline at end of file 
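Review bot: The reordered `compliance_security_profile_egress_ports` block in cluster_configuration/variables.tf silently drops the `description` the removed block carried, so the module variable now has no documentation while the root-level copy of the same variable (further down this series, in aws-gov/tf/modules/sra/variables.tf) keeps it. Restoring `description = "Add 2443 to security group configuration or nitro instance"` keeps the two declarations consistent and tells a reader why a boolean opens an extra egress port. The rest of the hunk is a pure alphabetical reorder.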
diff --git a/aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/uc_catalog/uc_catalog.tf b/aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/uc_catalog/uc_catalog.tf index c74bf12..c160f8f 100644 --- a/aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/uc_catalog/uc_catalog.tf +++ b/aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/uc_catalog/uc_catalog.tf @@ -205,6 +205,6 @@ resource "databricks_catalog" "workspace_catalog" { resource "databricks_grant" "workspace_catalog" { catalog = databricks_catalog.workspace_catalog.name - principal = var.workspace_catalog_admin + principal = var.user_workspace_catalog_admin privileges = ["ALL_PRIVILEGES"] } diff --git a/aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/uc_catalog/variables.tf b/aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/uc_catalog/variables.tf index 1e18138..411a886 100644 --- a/aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/uc_catalog/variables.tf +++ b/aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/uc_catalog/variables.tf @@ -6,34 +6,34 @@ variable "cmk_admin_arn" { type = string } -variable "resource_prefix" { - type = string -} - variable "databricks_account_id" { type = string } -variable "workspace_id" { +variable "databricks_gov_shard" { type = string } -variable "uc_catalog_name" { - type = string +variable "databricks_prod_aws_account_id" { + type = map(string) } -variable "workspace_catalog_admin" { +variable "resource_prefix" { type = string } -variable "databricks_gov_shard" { +variable "uc_catalog_name" { type = string } -variable "databricks_prod_aws_account_id" { +variable "uc_master_role_id" { type = map(string) } -variable "uc_master_role_id" { - type = map(string) +variable "user_workspace_catalog_admin" { + type = string +} + +variable "workspace_id" { + type = string } \ No newline at end of file 
diff --git a/aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/uc_external_location/variables.tf b/aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/uc_external_location/variables.tf index c1ae578..fa0b336 100644 --- a/aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/uc_external_location/variables.tf +++ b/aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/uc_external_location/variables.tf @@ -1,15 +1,19 @@ -variable "databricks_account_id" { +variable "aws_account_id" { type = string } -variable "aws_account_id" { +variable "databricks_account_id" { type = string } -variable "resource_prefix" { +variable "databricks_gov_shard" { type = string } +variable "databricks_prod_aws_account_id" { + type = map(string) +} + variable "read_only_data_bucket" { type = string } @@ -18,14 +22,10 @@ variable "read_only_external_location_admin" { type = string } -variable "databricks_gov_shard" { +variable "resource_prefix" { type = string } -variable "databricks_prod_aws_account_id" { - type = map(string) -} - variable "uc_master_role_id" { type = map(string) } diff --git a/aws-gov/tf/modules/sra/network.tf b/aws-gov/tf/modules/sra/network.tf index 5f38f7a..b4333ca 100644 --- a/aws-gov/tf/modules/sra/network.tf +++ b/aws-gov/tf/modules/sra/network.tf @@ -39,7 +39,7 @@ resource "aws_security_group" "sg" { depends_on = [module.vpc] dynamic "ingress" { - for_each = var.sg_ingress_protocol + for_each = ["tcp", "udp"] content { description = "Databricks - Workspace SG - Internode Communication" from_port = 0 @@ -50,7 +50,7 @@ resource "aws_security_group" "sg" { } dynamic "egress" { - for_each = var.sg_egress_protocol + for_each = ["tcp", "udp"] content { description = "Databricks - Workspace SG - Internode Communication" from_port = 0 diff --git a/aws-gov/tf/modules/sra/privatelink.tf b/aws-gov/tf/modules/sra/privatelink.tf index c8f7f10..ee32db7 100644 --- a/aws-gov/tf/modules/sra/privatelink.tf 
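Review bot: Both network.tf hunks replace a variable with the same literal `["tcp", "udp"]`, so the protocol list for the self-referencing internode rule is now duplicated in the `ingress` and `egress` dynamic blocks and has to be kept in sync by hand. A single `locals { internode_protocols = ["tcp", "udp"] }` with `for_each = local.internode_protocols` in both blocks keeps one source of truth without reintroducing the removed input variables. The `aws_security_group.sg` resource itself starts and ends outside these hunks, so the port range the blocks open is not visible here.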
+++ b/aws-gov/tf/modules/sra/privatelink.tf @@ -297,7 +297,7 @@ resource "aws_vpc_endpoint" "backend_rest" { count = var.operation_mode != "custom" ? 1 : 0 vpc_id = module.vpc[0].vpc_id - service_name = var.workspace_vpce_service + service_name = var.workspace[var.databricks_gov_shard] vpc_endpoint_type = "Interface" security_group_ids = [aws_security_group.privatelink[0].id] subnet_ids = module.vpc[0].intra_subnets @@ -314,7 +314,7 @@ resource "aws_vpc_endpoint" "backend_relay" { count = var.operation_mode != "custom" ? 1 : 0 vpc_id = module.vpc[0].vpc_id - service_name = var.relay_vpce_service + service_name = var.scc_relay[var.databricks_gov_shard] vpc_endpoint_type = "Interface" security_group_ids = [aws_security_group.privatelink[0].id] subnet_ids = module.vpc[0].intra_subnets diff --git a/aws-gov/tf/modules/sra/variables.tf b/aws-gov/tf/modules/sra/variables.tf index efe5b9d..6517d80 100644 --- a/aws-gov/tf/modules/sra/variables.tf +++ b/aws-gov/tf/modules/sra/variables.tf @@ -9,11 +9,6 @@ variable "aws_account_id" { sensitive = true } -variable "cmk_admin_arn" { - description = "Amazon Resource Name (ARN) of the CMK admin." - type = string -} - variable "client_id" { description = "Client ID for Databricks authentication." type = string @@ -26,6 +21,17 @@ variable "client_secret" { sensitive = true } +variable "cmk_admin_arn" { + description = "Amazon Resource Name (ARN) of the CMK admin." + type = string +} + +variable "compliance_security_profile_egress_ports" { + type = bool + description = "Add 2443 to security group configuration or nitro instance" + nullable = false +} + variable "custom_private_subnet_ids" { type = list(string) description = "List of custom private subnet IDs" @@ -36,7 +42,6 @@ variable "custom_relay_vpce_id" { description = "Custom Relay VPC Endpoint ID" } - variable "custom_sg_id" { type = string description = "Custom security group ID" 
@@ -52,16 +57,16 @@ variable "custom_workspace_vpce_id" { description = "Custom Workspace VPC Endpoint ID" } - variable "databricks_account_id" { description = "ID of the Databricks account." type = string sensitive = true } -variable "read_only_data_bucket" { - description = "S3 bucket for data storage." - type = string +variable "enable_admin_configs_boolean" { + type = bool + description = "Enable workspace configs" + nullable = false } variable "enable_audit_log_alerting" { @@ -78,13 +83,6 @@ variable "enable_cluster_boolean" { default = false } -variable "enable_read_only_external_location_boolean" { - description = "Flag to enable read only external location" - type = bool - sensitive = true - default = false -} - variable "enable_ip_boolean" { description = "Flag to enable IP-related configurations." type = bool @@ -99,8 +97,8 @@ variable "enable_logging_boolean" { default = false } -variable "enable_restrictive_root_bucket_boolean" { - description = "Flag to enable restrictive root bucket settings." +variable "enable_read_only_external_location_boolean" { + description = "Flag to enable read only external location" type = bool sensitive = true default = false @@ -112,6 +110,13 @@ variable "enable_restrictive_kinesis_endpoint_boolean" { default = false } +variable "enable_restrictive_root_bucket_boolean" { + description = "Flag to enable restrictive root bucket settings." + type = bool + sensitive = true + default = false +} + variable "enable_restrictive_s3_endpoint_boolean" { type = bool description = "Enable restrictive S3 endpoint boolean flag" @@ -124,7 +129,6 @@ variable "enable_restrictive_sts_endpoint_boolean" { default = false } - variable "enable_sat_boolean" { description = "Flag for a specific SAT (Service Access Token) configuration." type = bool 
@@ -144,18 +148,17 @@ variable "firewall_allow_list" { type = list(string) } -variable "firewall_protocol_deny_list" { - description = "Protocol list that the firewall should deny." - type = string -} - variable "firewall_subnets_cidr" { description = "CIDR blocks for firewall subnets." type = list(string) } -variable "hive_metastore_fqdn" { - type = string +variable "hms_fqdn" { + type = map(string) + default = { + "civilian" = "discovery-search-rds-prod-dbdiscoverysearch-uus7j2cyyu1m.c40ji7ukhesx.us-gov-west-1.rds.amazonaws.com" + "dod" = "lineage-usgovwest1dod-prod.cpnejponioft.us-gov-west-1.rds.amazonaws.com" + } } variable "ip_addresses" { @@ -179,18 +182,6 @@ variable "operation_mode" { } } -variable "compliance_security_profile_egress_ports" { - type = bool - description = "Add 2443 to security group configuration or nitro instance" - nullable = false -} - -variable "enable_admin_configs_boolean" { - type = bool - description = "Enable workspace configs" - nullable = false -} - variable "private_subnets_cidr" { description = "CIDR blocks for private subnets." type = list(string) @@ -206,6 +197,16 @@ variable "public_subnets_cidr" { type = list(string) } +variable "read_only_data_bucket" { + description = "S3 bucket for data storage." + type = string +} + +variable "read_only_external_location_admin" { + description = "User to grant external location admin." + type = string +} + variable "region" { description = "AWS region code." type = string 
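Review bot: The new `hms_fqdn` map has no `description`, yet its defaults bake shard-specific RDS hostnames into the module and the value is what sra.tf later feeds to the firewall module as `hive_metastore_fqdn`, i.e. it decides which host the TCP/3306 allow rule is built for. A description such as `description = "Legacy Hive metastore RDS endpoint per Gov shard (civilian/dod); passed to the firewall module as hive_metastore_fqdn to build the TCP/3306 allow rule."` would make that security role explicit. The same applies to the `scc_relay` and `workspace` maps introduced in the following hunks of this file, which additionally drop the descriptions the replaced `relay_vpce_service` and `workspace_vpce_service` variables carried ("VPCE service for the secure cluster connectivity relay." / "VPCE service for the workspace REST API endpoint."), and the bare name `workspace` no longer says it holds a VPC endpoint service name.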
@@ -216,28 +217,21 @@ variable "region_name" { type = string } -variable "relay_vpce_service" { - description = "VPCE service for the secure cluster connectivity relay." - type = string -} - variable "resource_prefix" { description = "Prefix for the resource names." type = string } -variable "sg_egress_ports" { - description = "List of egress ports for security groups." - type = list(string) -} - -variable "sg_egress_protocol" { - description = "List of egress protocols for security groups." - type = list(string) +variable "scc_relay" { + type = map(string) + default = { + "civilian" = "com.amazonaws.vpce.us-gov-west-1.vpce-svc-05f27abef1a1a3faa" + "dod" = "com.amazonaws.vpce.us-gov-west-1.vpce-svc-08fddf710780b2a54" + } } -variable "sg_ingress_protocol" { - description = "List of ingress protocols for security groups." +variable "sg_egress_ports" { + description = "List of egress ports for security groups." type = list(string) } @@ -247,8 +241,8 @@ variable "user_workspace_admin" { nullable = false } -variable "read_only_external_location_admin" { - description = "User to grant external location admin." +variable "user_workspace_catalog_admin" { + description = "Admin for the workspace catalog" type = string } @@ -257,14 +251,12 @@ variable "vpc_cidr_range" { type = string } -variable "workspace_catalog_admin" { - description = "Admin for the workspace catalog" - type = string -} - -variable "workspace_vpce_service" { - description = "VPCE service for the workspace REST API endpoint." - type = string +variable "workspace" { + type = map(string) + default = { + "civilian" = "com.amazonaws.vpce.us-gov-west-1.vpce-svc-0f25e28401cbc9418" + "dod" = "com.amazonaws.vpce.us-gov-west-1.vpce-svc-05c210a2feea23ad7" + } } variable "workspace_admin_service_principal_name" { @@ -272,6 +264,7 @@ variable "workspace_admin_service_principal_name" { type = string } +// AWS Gov Only Variables variable "databricks_gov_shard" { description = "Gov Shard civilian or dod" type = string 
@@ -282,12 +275,13 @@ variable "databricks_prod_aws_account_id" { type = map(string) } -variable "uc_master_role_id" { - description = "UC Master Role ID" +variable "log_delivery_role_name" { + description = "Log Delivery Role Name" type = map(string) } -variable "log_delivery_role_name" { - description = "Log Delivery Role Name" +variable "uc_master_role_id" { + description = "UC Master Role ID" type = map(string) } + diff --git a/aws-gov/tf/sra.tf b/aws-gov/tf/sra.tf index defb469..062bce3 100644 --- a/aws-gov/tf/sra.tf +++ b/aws-gov/tf/sra.tf @@ -5,7 +5,7 @@ module "SRA" { aws = aws } - // Common Authentication Variables + // REQUIRED - Authentication: databricks_account_id = var.databricks_account_id client_id = var.client_id client_secret = var.client_secret 
@@ -17,47 +17,41 @@ module "SRA" { uc_master_role_id = var.uc_master_role_id[var.databricks_gov_shard] log_delivery_role_name = var.log_delivery_role_name[var.databricks_gov_shard] - // Naming and Tagging Variables: + // REQUIRED - Naming and Tagging: resource_prefix = var.resource_prefix - // Required Variables: - workspace_catalog_admin = null // Workspace catalog admin email. + // REQUIRED - Workspace and Unity Catalog: user_workspace_admin = null // Workspace admin user email. + user_workspace_catalog_admin = null // Workspace catalog admin email. operation_mode = "isolated" // Operation mode (sandbox, custom, firewall, isolated), see README.md for more information. workspace_admin_service_principal_name = "sra-example-sp" // Creates an example admin SP for automation use cases. metastore_exists = false // If a regional metastore exists set to true. If there are multiple regional metastores, you can comment out "uc_init" and add the metastore ID directly in to the module call for "uc_assignment". - // AWS Specific Variables: + // REQUIRED - AWS Infrastructure: cmk_admin_arn = null // CMK admin ARN, defaults to the AWS account root user. vpc_cidr_range = "10.0.0.0/18" // Please re-define the subsequent subnet ranges if the VPC CIDR range is updated. 
private_subnets_cidr = ["10.0.0.0/22", "10.0.4.0/22", "10.0.8.0/22"] privatelink_subnets_cidr = ["10.0.28.0/26", "10.0.28.64/26", "10.0.28.128/26"] availability_zones = [data.aws_availability_zones.available.names[0], data.aws_availability_zones.available.names[1], data.aws_availability_zones.available.names[2]] - sg_egress_ports = [443, 3306, 6666, 8443, 8444, 8445, 8446, 8447, 8448, 8449, 8450, 8451] + sg_egress_ports = [443, 3306, 8443, 8444, 8445, 8446, 8447, 8448, 8449, 8450, 8451] compliance_security_profile_egress_ports = true // Set to true to enable compliance security profile related egress ports (2443) - sg_ingress_protocol = ["tcp", "udp"] - sg_egress_protocol = ["tcp", "udp"] - relay_vpce_service = var.scc_relay[var.databricks_gov_shard] - workspace_vpce_service = var.workspace[var.databricks_gov_shard] - // Operation Mode Specific Variables: - // Sandbox and Firewall Modes + // Operation Mode Specific: + // Sandbox and Firewall Operation Mode: public_subnets_cidr = ["10.0.29.0/26", "10.0.29.64/26", "10.0.29.128/26"] - // Firewall Mode Specific: + // Firewall Operation Mode: firewall_subnets_cidr = ["10.0.33.0/26", "10.0.33.64/26", "10.0.33.128/26"] firewall_allow_list = [".pypi.org", ".cran.r-project.org", ".pythonhosted.org", ".spark-packages.org", ".maven.org", "maven.apache.org", ".storage-download.googleapis.com"] - firewall_protocol_deny_list = "IP" - hive_metastore_fqdn = var.hms_fqdn[var.databricks_gov_shard] // https://docs.databricks.com/en/resources/supported-regions.html#rds-addresses-for-legacy-hive-metastore - // Custom Mode Specific: + // Custom Operation Mode: custom_vpc_id = null custom_private_subnet_ids = null // List of custom private subnet IDs required. 
custom_sg_id = null custom_relay_vpce_id = null custom_workspace_vpce_id = null - // Optional Features: + // OPTIONAL - Examples, Workspace Hardening, Public Previews, and Solution Accelerators: enable_read_only_external_location_boolean = false // Set to true to enable a read-only external location. read_only_data_bucket = null // S3 bucket name for read-only data. read_only_external_location_admin = null // Admin for the external location. diff --git a/aws-gov/tf/variables.tf b/aws-gov/tf/variables.tf index 59f797d..71a5bd5 100644 --- a/aws-gov/tf/variables.tf +++ b/aws-gov/tf/variables.tf @@ -1,3 +1,7 @@ +data "aws_availability_zones" "available" { + state = "available" +} + variable "aws_account_id" { description = "ID of the AWS account." type = string @@ -21,14 +25,6 @@ variable "databricks_account_id" { sensitive = true } -variable "account_console" { - type = map(string) - default = { - "civilian" = "https://accounts.cloud.databricks.us/" - "dod" = "https://accounts-dod.cloud.databricks.us/" - } -} - variable "region" { description = "Databricks only operates in AWS Gov West (us-gov-west-1)" default = "us-gov-west-1" 
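Review bot: Port 6666 is removed from `sg_egress_ports` in the sra.tf hunk with no accompanying comment, and nothing else in the hunk explains why. If this is deliberate — for instance because relay traffic now reaches the `backend_relay` VPC endpoint configured in privatelink.tf rather than leaving through the security group — a trailing comment such as `// 6666 (I believe the SCC relay port) dropped on purpose: <reason>` would record it next to the list; if it is accidental, cluster-to-relay traffic may be blocked in the Gov deployment. The surrounding `module "SRA"` block starts before this hunk and continues after it.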
@@ -38,27 +34,26 @@ variable "region" { } } -variable "databricks_prod_aws_account_id" { - type = map(string) +variable "region_name" { + description = "Name of the AWS region. (e.g. pendleton)" + type = map(string) default = { - "civilian" = "044793339203" - "dod" = "170661010020" + "civilian" = "pendleton" + "dod" = "pendleton-dod" } } -variable "uc_master_role_id" { - type = map(string) - default = { - "civilian" = "1QRFA8SGY15OJ" - "dod" = "1DI6DL6ZP26AS" - } +variable "resource_prefix" { + description = "Prefix for the resource names." + type = string } -variable "log_delivery_role_name" { +// AWS Gov Only Variables +variable "account_console" { type = map(string) default = { - "civilian" = "SaasUsageDeliveryRole-prod-aws-gov-IAMRole-L4QM0RCHYQ1G" - "dod" = "SaasUsageDeliveryRole-prod-aws-gov-dod-IAMRole-1DMEHBYR8VC5P" + "civilian" = "https://accounts.cloud.databricks.us/" + "dod" = "https://accounts-dod.cloud.databricks.us/" } } 
@@ -70,44 +65,26 @@ variable "databricks_gov_shard" { } } -variable "region_name" { - description = "Name of the AWS region. (e.g. pendleton)" - type = map(string) - default = { - "civilian" = "pendleton" - "dod" = "pendleton-dod" - } -} - -variable "resource_prefix" { - description = "Prefix for the resource names." - type = string -} - -data "aws_availability_zones" "available" { - state = "available" -} - -variable "workspace" { +variable "databricks_prod_aws_account_id" { type = map(string) default = { - "civilian" = "com.amazonaws.vpce.us-gov-west-1.vpce-svc-0f25e28401cbc9418" - "dod" = "com.amazonaws.vpce.us-gov-west-1.vpce-svc-05c210a2feea23ad7" + "civilian" = "044793339203" + "dod" = "170661010020" } } -variable "scc_relay" { +variable "log_delivery_role_name" { type = map(string) default = { - "civilian" = "com.amazonaws.vpce.us-gov-west-1.vpce-svc-05f27abef1a1a3faa" - "dod" = "com.amazonaws.vpce.us-gov-west-1.vpce-svc-08fddf710780b2a54" + "civilian" = "SaasUsageDeliveryRole-prod-aws-gov-IAMRole-L4QM0RCHYQ1G" + "dod" = "SaasUsageDeliveryRole-prod-aws-gov-dod-IAMRole-1DMEHBYR8VC5P" } } -variable "hms_fqdn" { +variable "uc_master_role_id" { type = map(string) default = { - "civilian" = "discovery-search-rds-prod-dbdiscoverysearch-uus7j2cyyu1m.c40ji7ukhesx.us-gov-west-1.rds.amazonaws.com" - "dod" = "lineage-usgovwest1dod-prod.cpnejponioft.us-gov-west-1.rds.amazonaws.com" + "civilian" = "1QRFA8SGY15OJ" + "dod" = "1DI6DL6ZP26AS" } } \ No newline at end of file From fd6df95d897209d94b1b4539c5517a4e4e3cecf0 Mon Sep 17 00:00:00 2001 From: jdbraun Date: Tue, 27 Aug 2024 23:22:26 -0500 Subject: [PATCH 13/24] updating fw rule and README.md --- aws/README.md | 2 +- .../data_plane_hardening/firewall/firewall.tf | 17 ++++++++++++++++- 2 files changed, 17 insertions(+), 2 deletions(-) diff --git a/aws/README.md b/aws/README.md index 7501c5c..6bb2610 100644 --- a/aws/README.md +++ b/aws/README.md 
@@ -21,7 +21,7 @@ There are four separate operation modes you can choose for the underlying networ - **Sandbox**: Sandbox or open egress. Selecting 'sandbox' as the operation mode allows traffic to flow freely to the public internet. This mode is suitable for sandbox or development scenarios where data exfiltration protection is of minimal concern, and developers need to access public APIs, packages, and more. -- **Firewall**: Firewall or limited egress. Choosing 'firewall' as the operation mode permits traffic flow only to a selected list of public addresses. This mode is applicable in situations where open internet access is necessary for certain tasks, but unfiltered traffic is not an option due to the sensitivity of the workloads or data. **NOTE**: Due to a limitation in the AWS Network Firewall's ability to use fully qualified domain names for non-HTTP/HTTPS traffic, an external data source is required for the external Hive metastore. For production scenarios, we recommend using Unity Catalog or self-hosted Hive metastores. +- **Firewall**: Firewall or limited egress. Choosing 'firewall' as the operation mode permits traffic flow only to a selected list of public addresses. This mode is applicable in situations where open internet access is necessary for certain tasks, but unfiltered traffic is not an option due to the sensitivity of the workloads or data. **NOTE**: Due to a limitation in the AWS Network Firewall's ability to use fully qualified domain names for non-HTTP/HTTPS traffic, an external data source is required for the external Hive metastore. For sensitive production workloads, it is recommended to use isolated operation mode and Unity Catalog, a self-hosted Hive metastore, or to explore other firewall services to address AWS Network Firewall's limitations. - **Isolated**: Isolated or no egress. Opting for 'isolated' as the operation mode prevents any traffic to the public internet. 
Traffic is limited to AWS private endpoints, either to AWS services or the Databricks control plane. This mode should be used in cases where access to the public internet is completely unsupported. **NOTE**: Apache Derby Metastore will be required for clusters and non-serverless SQL Warehouses. For more information, please view this [knowledge article](https://kb.databricks.com/metastore/set-up-embedded-metastore). diff --git a/aws/tf/modules/sra/data_plane_hardening/firewall/firewall.tf b/aws/tf/modules/sra/data_plane_hardening/firewall/firewall.tf index f733823..9606ee8 100644 --- a/aws/tf/modules/sra/data_plane_hardening/firewall/firewall.tf +++ b/aws/tf/modules/sra/data_plane_hardening/firewall/firewall.tf @@ -179,7 +179,7 @@ resource "aws_networkfirewall_rule_group" "databricks_fqdn_allowlist" { } } } - } + } tags = { Name = "${var.resource_prefix}-${var.region}-databricks-fqdn-allowlist" Project = var.resource_prefix @@ -220,6 +220,21 @@ resource "aws_networkfirewall_rule_group" "databricks_metastore_allowlist" { settings = ["1"] } } + stateful_rule { + action = "DROP" + header { + destination = "0.0.0.0/0" + destination_port = 3306 + direction = "FORWARD" + protocol = "TCP" + source = "ANY" + source_port = "ANY" + } + rule_option { + keyword = "sid" + settings = ["2"] + } + } } } tags = { From 03d6ff3f41b9c32fd47039b19e8e3196724079b2 Mon Sep 17 00:00:00 2001 From: jdbraun Date: Tue, 27 Aug 2024 23:57:48 -0500 Subject: [PATCH 14/24] updating readme title --- aws/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aws/README.md b/aws/README.md index 6bb2610..0ff26cb 100644 --- a/aws/README.md +++ b/aws/README.md @@ -1,4 +1,4 @@ -# Security Reference Architecture Template +# Security Reference Architectures (SRA) - Terraform Templates ## Introduction From ed5455814b4ecc9ce43aa27a5bc159695127e6a2 Mon Sep 17 00:00:00 2001 
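Review bot: The new catch-all `DROP` rule for TCP/3306 to `0.0.0.0/0` is only safe because it sits after the `PASS` rule for the resolved metastore address and the rule group uses strict ordering (`rule_order = "STRICT_ORDER"` is visible as context for this same resource in a later patch of this series), but nothing in the block says so. A comment above the new `stateful_rule` such as `// Catch-all: under STRICT_ORDER the PASS rule (sid 1) for the metastore IP is matched first; any other TCP/3306 destination is dropped.` documents the ordering dependency for whoever next reorders these rules. The identical rule is added to aws-gov/.../firewall/firewall.tf in patch 15 and deserves the same comment. The enclosing `aws_networkfirewall_rule_group` resource starts and ends outside this hunk.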
From: Antonio Irizarry Date: Wed, 28 Aug 2024 15:03:44 -0400 Subject: [PATCH 15/24] update 3306 drop fw rule and README on aws-gov --- aws-gov/README.md | 4 ++-- .../sra/data_plane_hardening/firewall/firewall.tf | 15 +++++++++++++++ 2 files changed, 17 insertions(+), 2 deletions(-) diff --git a/aws-gov/README.md b/aws-gov/README.md index b25be1a..e7ef45e 100644 --- a/aws-gov/README.md +++ b/aws-gov/README.md @@ -1,4 +1,4 @@ -# Security Reference Architecture Template +# Security Reference Architectures (SRA) - Terraform Templates ## Introduction 
@@ -21,7 +21,7 @@ There are four separate operation modes you can choose for the underlying networ - **Sandbox**: Sandbox or open egress. Selecting 'sandbox' as the operation mode allows traffic to flow freely to the public internet. This mode is suitable for sandbox or development scenarios where data exfiltration protection is of minimal concern, and developers need to access public APIs, packages, and more. -- **Firewall**: Firewall or limited egress. Choosing 'firewall' as the operation mode permits traffic flow only to a selected list of public addresses. This mode is applicable in situations where open internet access is necessary for certain tasks, but unfiltered traffic is not an option due to the sensitivity of the workloads or data. **NOTE**: Due to a limitation in the AWS Network Firewall's ability to use fully qualified domain names for non-HTTP/HTTPS traffic, an external data source is required for the external Hive metastore. For production scenarios, we recommend using Unity Catalog or self-hosted Hive metastores. +- **Firewall**: Firewall or limited egress. Choosing 'firewall' as the operation mode permits traffic flow only to a selected list of public addresses. This mode is applicable in situations where open internet access is necessary for certain tasks, but unfiltered traffic is not an option due to the sensitivity of the workloads or data. **NOTE**: Due to a limitation in the AWS Network Firewall's ability to use fully qualified domain names for non-HTTP/HTTPS traffic, an external data source is required for the external Hive metastore. For sensitive production workloads, it is recommended to use isolated operation mode and Unity Catalog, a self-hosted Hive metastore, or to explore other firewall services to address AWS Network Firewall's limitations. - **Isolated**: Isolated or no egress. Opting for 'isolated' as the operation mode prevents any traffic to the public internet. 
Traffic is limited to AWS private endpoints, either to AWS services or the Databricks control plane. This mode should be used in cases where access to the public internet is completely unsupported. **NOTE**: Apache Derby Metastore will be required for clusters and non-serverless SQL Warehouses. For more information, please view this [knowledge article](https://kb.databricks.com/metastore/set-up-embedded-metastore). diff --git a/aws-gov/tf/modules/sra/data_plane_hardening/firewall/firewall.tf b/aws-gov/tf/modules/sra/data_plane_hardening/firewall/firewall.tf index f6b5ff9..68280ea 100644 --- a/aws-gov/tf/modules/sra/data_plane_hardening/firewall/firewall.tf +++ b/aws-gov/tf/modules/sra/data_plane_hardening/firewall/firewall.tf @@ -220,6 +220,21 @@ resource "aws_networkfirewall_rule_group" "databricks_metastore_allowlist" { settings = ["1"] } } + stateful_rule { + action = "DROP" + header { + destination = "0.0.0.0/0" + destination_port = 3306 + direction = "FORWARD" + protocol = "TCP" + source = "ANY" + source_port = "ANY" + } + rule_option { + keyword = "sid" + settings = ["2"] + } + } } } tags = { From 290b0fca61fb21e901aea4ebf5b911f973746527 Mon Sep 17 00:00:00 2001 From: elghali97 Date: Mon, 2 Sep 2024 15:31:08 +0200 Subject: [PATCH 16/24] Enhancement - AWS - Implement dynamic way to load IP of the metastore --- .../data_plane_hardening/firewall/firewall.tf | 39 +++++++++--------- .../firewall/metastore_ip.sh | 13 ------ .../data_plane_hardening/firewall/provider.tf | 3 ++ .../data_plane_hardening/firewall/firewall.tf | 40 +++++++++---------- .../firewall/metastore_ip.sh | 13 ------ .../data_plane_hardening/firewall/provider.tf | 3 ++ 6 files changed, 43 insertions(+), 68 deletions(-) delete mode 100755 aws-gov/tf/modules/sra/data_plane_hardening/firewall/metastore_ip.sh delete mode 100755 aws/tf/modules/sra/data_plane_hardening/firewall/metastore_ip.sh 
diff --git a/aws-gov/tf/modules/sra/data_plane_hardening/firewall/firewall.tf b/aws-gov/tf/modules/sra/data_plane_hardening/firewall/firewall.tf index 68280ea..18536c0 100644 --- a/aws-gov/tf/modules/sra/data_plane_hardening/firewall/firewall.tf +++ b/aws-gov/tf/modules/sra/data_plane_hardening/firewall/firewall.tf @@ -186,13 +186,8 @@ resource "aws_networkfirewall_rule_group" "databricks_fqdn_allowlist" { } } -// Data for IP allow list -data "external" "metastore_ip" { - program = ["sh", "${path.module}/metastore_ip.sh"] - - query = { - metastore_domain = var.hive_metastore_fqdn - } +data "dns_a_record_set" "metastore_dns" { + host = var.hive_metastore_fqdn } // JDBC Firewall group IP allow list @@ -205,19 +200,22 @@ resource "aws_networkfirewall_rule_group" "databricks_metastore_allowlist" { rule_order = "STRICT_ORDER" } rules_source { - stateful_rule { - action = "PASS" - header { - destination = data.external.metastore_ip.result["ip"] - destination_port = 3306 - direction = "FORWARD" - protocol = "TCP" - source = "ANY" - source_port = "ANY" - } - rule_option { - keyword = "sid" - settings = ["1"] + dynamic "stateful_rule" { + for_each = toset(data.dns_a_record_set.metastore_dns.addrs) + content { + action = "PASS" + header { + destination = stateful_rule.value + destination_port = 3306 + direction = "FORWARD" + protocol = "TCP" + source = "ANY" + source_port = "ANY" + } + rule_option { + keyword = "sid" + settings = ["1"] + } } } stateful_rule { @@ -265,7 +263,6 @@ resource "aws_networkfirewall_firewall_policy" "databricks_nfw_policy" { priority = 2 resource_arn = aws_networkfirewall_rule_group.databricks_metastore_allowlist.arn } - } tags = { diff --git a/aws-gov/tf/modules/sra/data_plane_hardening/firewall/metastore_ip.sh b/aws-gov/tf/modules/sra/data_plane_hardening/firewall/metastore_ip.sh deleted file mode 100755 index 6062790..0000000 --- a/aws-gov/tf/modules/sra/data_plane_hardening/firewall/metastore_ip.sh +++ /dev/null 
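Review bot: The `dynamic "stateful_rule"` block emits `settings = ["1"]` for every resolved address, so a metastore hostname with more than one A record produces several rules sharing sid 1, and as far as I know AWS Network Firewall requires the sid to be unique within a rule group, which should make the apply fail exactly in the multi-address case this change was meant to handle. Iterating a sorted list and deriving the sid from the index fixes it: `for_each = sort(data.dns_a_record_set.metastore_dns.addrs)` and `settings = [tostring(stateful_rule.key + 1)]`; the fixed `DROP` rule's `settings = ["2"]` (just outside this hunk) then has to move past the highest generated value, e.g. `[tostring(length(data.dns_a_record_set.metastore_dns.addrs) + 1)]`. The same dynamic block is added to aws/.../firewall/firewall.tf later in this patch. Replacing the `external` provider plus `sh`/`eval` script with `dns_a_record_set` is a welcome reduction of attack surface, though note the lookup still happens on the machine running Terraform and the allow rule goes stale if the RDS endpoint's address changes between applies.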
@@ -1,13 +0,0 @@ -#!/bin/bash - -eval "$(jq -r '@sh "METASTORE_DOMAIN=\(.metastore_domain)"')" - -IP=$(dig +short $METASTORE_DOMAIN | tail -n1) -echo "Resolved IP: $IP" >&2 - -if [ -z "$IP" ]; then - echo "Error: Failed to resolve IP for $METASTORE_DOMAIN" >&2 - exit 1 -fi - -jq -n --arg ip "$IP" '{"ip":$ip}' \ No newline at end of file diff --git a/aws-gov/tf/modules/sra/data_plane_hardening/firewall/provider.tf b/aws-gov/tf/modules/sra/data_plane_hardening/firewall/provider.tf index 7afdcf4..7617f6b 100644 --- a/aws-gov/tf/modules/sra/data_plane_hardening/firewall/provider.tf +++ b/aws-gov/tf/modules/sra/data_plane_hardening/firewall/provider.tf @@ -3,5 +3,8 @@ terraform { aws = { source = "hashicorp/aws" } + dns = { + source = "hashicorp/dns" + } } } \ No newline at end of file diff --git a/aws/tf/modules/sra/data_plane_hardening/firewall/firewall.tf b/aws/tf/modules/sra/data_plane_hardening/firewall/firewall.tf index 9606ee8..c32a665 100644 --- a/aws/tf/modules/sra/data_plane_hardening/firewall/firewall.tf +++ b/aws/tf/modules/sra/data_plane_hardening/firewall/firewall.tf @@ -186,13 +186,8 @@ resource "aws_networkfirewall_rule_group" "databricks_fqdn_allowlist" { } } -// Data for IP allow list -data "external" "metastore_ip" { - program = ["sh", "${path.module}/metastore_ip.sh"] - - query = { - metastore_domain = var.hive_metastore_fqdn - } +data "dns_a_record_set" "metastore_dns" { + host = var.hive_metastore_fqdn } // JDBC Firewall group IP allow list 
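Review bot: The new `dns` provider entry has no `version` constraint, so `terraform init` on a fresh checkout pulls whatever the latest `hashicorp/dns` release is, and this provider now decides the firewall allowlist at plan time. Pin it, e.g. `dns = { source = "hashicorp/dns", version = "~> 3.0" }` (check the currently published major before committing), and consider doing the same for the `aws` entry above it, which the file already leaves unpinned.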
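Review bot: The allowlist for 3306 is now whatever the Terraform runner's resolver returns for `var.hive_metastore_fqdn`, with no check on the answer: a poisoned or split-horizon response on the operator's host changes the firewall, and zero A records produce a rule group with no PASS rule instead of the hard failure the deleted `metastore_ip.sh` gave. Add a postcondition on `data "dns_a_record_set" "metastore_dns"` asserting `length(self.addrs) > 0` (Terraform 1.2+) so the empty case is a plan error, and a comment such as `// Resolved at plan time on the Terraform runner; re-apply when the metastore endpoint's A records change` so the drift behaviour is documented next to the code.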
@@ -205,19 +200,22 @@ resource "aws_networkfirewall_rule_group" "databricks_metastore_allowlist" { rule_order = "STRICT_ORDER" } rules_source { - stateful_rule { - action = "PASS" - header { - destination = data.external.metastore_ip.result["ip"] - destination_port = 3306 - direction = "FORWARD" - protocol = "TCP" - source = "ANY" - source_port = "ANY" - } - rule_option { - keyword = "sid" - settings = ["1"] + dynamic "stateful_rule" { + for_each = toset(data.dns_a_record_set.metastore_dns.addrs) + content { + action = "PASS" + header { + destination = stateful_rule.value + destination_port = 3306 + direction = "FORWARD" + protocol = "TCP" + source = "ANY" + source_port = "ANY" + } + rule_option { + keyword = "sid" + settings = ["1"] + } } } stateful_rule { @@ -288,4 +286,4 @@ resource "aws_networkfirewall_firewall" "nfw" { Name = "${var.resource_prefix}-${var.region}-databricks-nfw" Project = var.resource_prefix } -} +} \ No newline at end of file diff --git a/aws/tf/modules/sra/data_plane_hardening/firewall/metastore_ip.sh b/aws/tf/modules/sra/data_plane_hardening/firewall/metastore_ip.sh deleted file mode 100755 index 6062790..0000000 --- a/aws/tf/modules/sra/data_plane_hardening/firewall/metastore_ip.sh +++ /dev/null @@ -1,13 +0,0 @@ -#!/bin/bash - -eval "$(jq -r '@sh "METASTORE_DOMAIN=\(.metastore_domain)"')" - -IP=$(dig +short $METASTORE_DOMAIN | tail -n1) -echo "Resolved IP: $IP" >&2 - -if [ -z "$IP" ]; then - echo "Error: Failed to resolve IP for $METASTORE_DOMAIN" >&2 - exit 1 -fi - -jq -n --arg ip "$IP" '{"ip":$ip}' \ No newline at end of file diff --git a/aws/tf/modules/sra/data_plane_hardening/firewall/provider.tf b/aws/tf/modules/sra/data_plane_hardening/firewall/provider.tf index 7afdcf4..7617f6b 100644 --- a/aws/tf/modules/sra/data_plane_hardening/firewall/provider.tf +++ b/aws/tf/modules/sra/data_plane_hardening/firewall/provider.tf 
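Review bot: All PASS rules generated by the `dynamic "stateful_rule"` block share `settings = ["1"]`, so a metastore FQDN with more than one A record yields duplicate signature IDs in the rule group, which the Suricata-based engine is likely to reject, and the fixed-sid DROP rule that follows (outside this hunk) is one number away from a collision. Use an index-keyed map, `for_each = { for i, a in sort(data.dns_a_record_set.metastore_dns.addrs) : tostring(i + 1) => a }`, with `settings = [stateful_rule.key]`, and give the DROP a sid well clear of the generated range such as `"1000"`. The enclosing `rules_source` block continues outside the hunk.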
@@ -3,5 +3,8 @@ terraform { aws = { source = "hashicorp/aws" } + dns = { + source = "hashicorp/dns" + } } } \ No newline at end of file From 535c18bdc850857085ab42bb3e380517f614a5fa Mon Sep 17 00:00:00 2001 
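Review bot: `dns = { source = "hashicorp/dns" }` is added without a `version` constraint, so a fresh `terraform init` takes the newest release of a provider that now feeds the firewall allowlist at plan time. Add a pin, e.g. `version = "~> 3.0"` (verify the current major first), and consider pinning the unversioned `aws` entry in the same block while you are here.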
From: jdbraun Date: Tue, 10 Sep 2024 05:26:01 -0500 Subject: [PATCH 17/24] removing modules, updating explicit depends on, updating SRA, and more --- aws/README.md | 29 +++---- aws/tf/modules/sra/databricks_account.tf | 30 +------- .../service_principal/output.tf | 3 - .../service_principal/provider.tf | 7 -- .../service_principal/service_principal.tf | 12 --- .../service_principal/variables.tf | 8 -- .../uc_assignment/uc_assignment.tf | 6 +- .../sra/databricks_account/uc_init/outputs.tf | 2 +- .../sra/databricks_account/uc_init/uc_init.tf | 8 +- .../databricks_account/uc_init/variables.tf | 4 + aws/tf/modules/sra/databricks_workspace.tf | 76 ++++-------------- .../security_analysis_tool/aws/provider.tf | 10 ++- .../security_analysis_tool/aws/secrets.tf | 12 +++ .../security_analysis_tool/aws/variables.tf | 29 +++++-- .../security_analysis_tool/common/jobs.tf | 77 +++++++++++-------- .../security_analysis_tool/common/provider.tf | 3 +- .../security_analysis_tool/common/repo.tf | 4 +- .../security_analysis_tool/common/secrets.tf | 24 +++--- .../common/variables.tf | 10 +++ .../cluster_configuration.tf | 6 +- .../cluster_configuration/variables.tf | 6 +- .../secret_management/output.tf | 3 - .../secret_management/provider.tf | 7 -- .../secret_management/secret_management.tf | 11 --- .../system_schema/provider.tf | 0 .../system_schema/system_schema.tf | 4 +- .../token_management/provider.tf | 7 -- .../token_management/token_management.tf | 7 -- aws/tf/modules/sra/privatelink.tf | 3 - aws/tf/modules/sra/variables.tf | 5 -- aws/tf/sra.tf | 13 ++-- 31 files changed, 164 insertions(+), 262 deletions(-) delete mode 100644 aws/tf/modules/sra/databricks_account/service_principal/output.tf delete mode 100644 aws/tf/modules/sra/databricks_account/service_principal/provider.tf delete mode 100644 aws/tf/modules/sra/databricks_account/service_principal/service_principal.tf delete mode 100644 aws/tf/modules/sra/databricks_account/service_principal/variables.tf delete mode 100644 
aws/tf/modules/sra/databricks_workspace/workspace_security_modules/secret_management/output.tf delete mode 100644 aws/tf/modules/sra/databricks_workspace/workspace_security_modules/secret_management/provider.tf delete mode 100644 aws/tf/modules/sra/databricks_workspace/workspace_security_modules/secret_management/secret_management.tf rename aws/tf/modules/sra/databricks_workspace/{public_preview => workspace_security_modules}/system_schema/provider.tf (100%) rename aws/tf/modules/sra/databricks_workspace/{public_preview => workspace_security_modules}/system_schema/system_schema.tf (87%) delete mode 100644 aws/tf/modules/sra/databricks_workspace/workspace_security_modules/token_management/provider.tf delete mode 100644 aws/tf/modules/sra/databricks_workspace/workspace_security_modules/token_management/token_management.tf diff --git a/aws/README.md b/aws/README.md index 0ff26cb..dddb2b7 100644 --- a/aws/README.md +++ b/aws/README.md 
@@ -21,7 +21,8 @@ There are four separate operation modes you can choose for the underlying networ - **Sandbox**: Sandbox or open egress. Selecting 'sandbox' as the operation mode allows traffic to flow freely to the public internet. This mode is suitable for sandbox or development scenarios where data exfiltration protection is of minimal concern, and developers need to access public APIs, packages, and more. -- **Firewall**: Firewall or limited egress. Choosing 'firewall' as the operation mode permits traffic flow only to a selected list of public addresses. This mode is applicable in situations where open internet access is necessary for certain tasks, but unfiltered traffic is not an option due to the sensitivity of the workloads or data. **NOTE**: Due to a limitation in the AWS Network Firewall's ability to use fully qualified domain names for non-HTTP/HTTPS traffic, an external data source is required for the external Hive metastore. For sensitive production workloads, it is recommended to use isolated operation mode and Unity Catalog, a self-hosted Hive metastore, or to explore other firewall services to address AWS Network Firewall's limitations. +- **Firewall**: Firewall or limited egress. Choosing 'firewall' as the operation mode permits traffic flow only to a selected list of public addresses. This mode is applicable in situations where open internet access is necessary for certain tasks, but unfiltered traffic is not an option due to the sensitivity of the workloads or data. + - **WARNING**: Due to a limitation in AWS Network Firewall's support for fully qualified domain names (FQDNs) in non-HTTP/HTTPS traffic, an IP address is required to allow communication with the Hive Metastore. This dependency on a static IP introduces the potential for downtime if the Hive Metastore's IP changes. 
For sensitive production workloads, it is recommended to explore the isolated operation mode or consider alternative firewall solutions that provide better handling of dynamic IPs or FQDNs. - **Isolated**: Isolated or no egress. Opting for 'isolated' as the operation mode prevents any traffic to the public internet. Traffic is limited to AWS private endpoints, either to AWS services or the Databricks control plane. This mode should be used in cases where access to the public internet is completely unsupported. **NOTE**: Apache Derby Metastore will be required for clusters and non-serverless SQL Warehouses. For more information, please view this [knowledge article](https://kb.databricks.com/metastore/set-up-embedded-metastore). 
@@ -45,18 +46,10 @@ See the below networking diagrams for more information. - **Unity Catalog**: [Unity Catalog](https://docs.databricks.com/data-governance/unity-catalog/index.html) is a unified governance solution for all data and AI assets including files, tables, and machine learning models. Unity Catalog provides a modern approach to granular access controls with centralized policy, auditing, and lineage tracking - all integrated into your Databricks workflow. **NOTE**: SRA creates a workspace specific catalog that is isolated to that individual workspace. To change these settings please update uc_catalog.tf under the workspace_security_modules. -## Post Workspace Deployment - -- **Service Principals**: A [Service principal](https://docs.databricks.com/administration-guide/users-groups/service-principals.html) is an identity that you create in Databricks for use with automated tools, jobs, and applications. It's against best practice to tie production workloads to individual user accounts, and so we recommend configuring these service principals within Databricks. In this template, we create an example service principal. - -- **Token Management**: [Personal access tokens](https://docs.databricks.com/dev-tools/api/latest/authentication.html) are used to access Databricks REST APIs in-lieu of passwords. In this template we create an example token and set its time-to-live. This can be set at an administrative level for all users. - -- **Secret Management** Integrating with heterogeneous systems requires managing a potentially large set of credentials and safely distributing them across an organization. Instead of directly entering your credentials into a notebook, use [Databricks secrets](https://docs.databricks.com/security/secrets/index.html) to store your credentials and reference them in notebooks and jobs. In this template, we create an example secret. 
- - ## Optional Deployment Configurations - **Audit and Billable Usage Logs**: Databricks delivers logs to your S3 buckets. [Audit logs](https://docs.databricks.com/administration-guide/account-settings/audit-logs.html) contain two levels of events: workspace-level audit logs with workspace-level events and account-level audit logs with account-level events. In addition to these logs, you can generate additional events by enabling verbose audit logs. [Billable usage logs](https://docs.databricks.com/administration-guide/account-settings/billable-usage-delivery.html) are delivered daily to an AWS S3 storage bucket. There will be a separate CSV file for each workspace. This file contains historical data about the workspace's cluster usage in Databricks Units (DBUs). +- **System Tables Schemas**: System Tables provide visiblity into access, billing, compute, Lakeflow, and storage logs. These tables can be found within the system catalog in Unity Catalog. - **Cluster Example**: An example of a cluster and a cluster policy has been included. **NOTE:** Please be aware this will create a cluster within your Databricks workspace including the underlying EC2 instance. 
@@ -80,11 +73,6 @@ See the below networking diagrams for more information. - **Audit Log Alerting**: Audit Log Alerting, based on this [blog post](https://www.databricks.com/blog/improve-lakehouse-security-monitoring-using-system-tables-databricks-unity-catalog), creates 40+ SQL alerts to monitor for incidents based on a Zero Trust Architecture (ZTA) model. **NOTE:** Please be aware this creates a cluster, a job, and queries within your environment. -## Public Preview Features - -- **System Tables Schemas**: System Table schemas are currently in private preview. System Tables provide visiblity into access, billing, compute, and storage logs. In this deployment the metastore admin, service principle, owns the table. Additional grant statements will be needed. **NOTE:** Please note this is currently in public preview. - - ## Additional Security Recommendations and Opportunities In this section, we break down additional security recommendations and opportunities to maintain a strong security posture that either cannot be configured into this Terraform script or is very specific to individual customers (e.g. SCIM, SSO, Front-End PrivateLink, etc.) 
@@ -109,11 +97,12 @@ In this section, we break down additional security recommendations and opportuni 3. Decide which [operation](https://github.com/databricks/terraform-databricks-sra/tree/main/aws/tf#operation-mode) mode you'd like to use. 4. Fill out `sra.tf` in place 5. Fill out `template.tfvars.example` remove the .example part of the file name -6. CD into `tf` -7. Run `terraform init` -8. Run `terraform validate` -9. From `tf` directory, run `terraform plan -var-file ../example.tfvars` -10. Run `terraform apply -var-file ../example.tfvars` +6. Configure the [AWS](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#authentication-and-configuration) and [Databricks](https://registry.terraform.io/providers/databricks/databricks/latest/docs#authentication) provider authentication +7. CD into `tf` +8. Run `terraform init` +9. Run `terraform validate` +10. From `tf` directory, run `terraform plan -var-file ../example.tfvars` +11. Run `terraform apply -var-file ../example.tfvars` ## Network Diagram - Sandbox diff --git a/aws/tf/modules/sra/databricks_account.tf b/aws/tf/modules/sra/databricks_account.tf index 924b1ca..9469d2e 100644 --- a/aws/tf/modules/sra/databricks_account.tf +++ b/aws/tf/modules/sra/databricks_account.tf @@ -15,7 +15,6 @@ module "log_delivery" { // Create Unity Catalog Metastore - No Root Storage module "uc_init" { - count = var.metastore_exists == false ? 1 : 0 source = "./databricks_account/uc_init" providers = { databricks = databricks.mws @@ -26,6 +25,7 @@ module "uc_init" { resource_prefix = var.resource_prefix region = var.region metastore_name = join("", [var.resource_prefix, "-", var.region, "-", "uc"]) + metastore_exists = var.metastore_exists } // Unity Catalog Assignment 
@@ -35,12 +35,10 @@ module "uc_assignment" { databricks = databricks.mws } - metastore_id = var.metastore_exists ? null : module.uc_init[0].metastore_id + metastore_id = module.uc_init.metastore_id region = var.region workspace_id = module.databricks_mws_workspace.workspace_id - depends_on = [ - module.databricks_mws_workspace - ] + depends_on = [module.databricks_mws_workspace, module.uc_init] } // Create Databricks Workspace @@ -66,22 +64,6 @@ module "databricks_mws_workspace" { workspace_storage_key_alias = aws_kms_alias.workspace_storage_key_alias.name } -// Service Principal -module "service_principal" { - source = "./databricks_account/service_principal" - providers = { - databricks = databricks.mws - } - - created_workspace_id = module.databricks_mws_workspace.workspace_id - workspace_admin_service_principal_name = var.workspace_admin_service_principal_name - - depends_on = [ - module.databricks_mws_workspace, - module.uc_assignment - ] -} - // User Workspace Assignment (Admin) module "user_assignment" { source = "./databricks_account/user_assignment" @@ -91,9 +73,5 @@ module "user_assignment" { created_workspace_id = module.databricks_mws_workspace.workspace_id workspace_access = var.user_workspace_admin - - depends_on = [ - module.databricks_mws_workspace, - module.uc_assignment - ] + depends_on = [module.uc_assignment, module.databricks_mws_workspace] } \ No newline at end of file diff --git a/aws/tf/modules/sra/databricks_account/service_principal/output.tf b/aws/tf/modules/sra/databricks_account/service_principal/output.tf deleted file mode 100644 index 678c54b..0000000 --- a/aws/tf/modules/sra/databricks_account/service_principal/output.tf +++ /dev/null @@ -1,3 +0,0 @@ -output "service_principal_id" { - value = databricks_service_principal.sp.id -} \ No newline at end of file 
diff --git a/aws/tf/modules/sra/databricks_account/service_principal/provider.tf b/aws/tf/modules/sra/databricks_account/service_principal/provider.tf deleted file mode 100644 index bdd3474..0000000 --- a/aws/tf/modules/sra/databricks_account/service_principal/provider.tf +++ /dev/null @@ -1,7 +0,0 @@ -terraform { - required_providers { - databricks = { - source = "databricks/databricks" - } - } -} diff --git a/aws/tf/modules/sra/databricks_account/service_principal/service_principal.tf b/aws/tf/modules/sra/databricks_account/service_principal/service_principal.tf deleted file mode 100644 index a7d25d5..0000000 --- a/aws/tf/modules/sra/databricks_account/service_principal/service_principal.tf +++ /dev/null @@ -1,12 +0,0 @@ -// Terraform Documentation: https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/service_principal - -resource "databricks_service_principal" "sp" { - display_name = var.workspace_admin_service_principal_name - allow_cluster_create = true -} - -resource "databricks_mws_permission_assignment" "admin_sp" { - workspace_id = var.created_workspace_id - principal_id = databricks_service_principal.sp.id - permissions = ["ADMIN"] -} \ No newline at end of file diff --git a/aws/tf/modules/sra/databricks_account/service_principal/variables.tf b/aws/tf/modules/sra/databricks_account/service_principal/variables.tf deleted file mode 100644 index 118a72b..0000000 --- a/aws/tf/modules/sra/databricks_account/service_principal/variables.tf +++ /dev/null @@ -1,8 +0,0 @@ -variable "created_workspace_id" { - type = string -} - -variable "workspace_admin_service_principal_name" { - description = "Service principal name" - type = string -} \ No newline at end of file diff --git a/aws/tf/modules/sra/databricks_account/uc_assignment/uc_assignment.tf b/aws/tf/modules/sra/databricks_account/uc_assignment/uc_assignment.tf index bae1aa0..39721dd 100644 --- a/aws/tf/modules/sra/databricks_account/uc_assignment/uc_assignment.tf 
+++ b/aws/tf/modules/sra/databricks_account/uc_assignment/uc_assignment.tf @@ -1,11 +1,7 @@ // Metastore Assignment -data "databricks_metastore" "this" { - region = var.region -} - resource "databricks_metastore_assignment" "default_metastore" { workspace_id = var.workspace_id - metastore_id = var.metastore_id == null ? data.databricks_metastore.this.id : var.metastore_id + metastore_id = var.metastore_id default_catalog_name = "hive_metastore" } \ No newline at end of file diff --git a/aws/tf/modules/sra/databricks_account/uc_init/outputs.tf b/aws/tf/modules/sra/databricks_account/uc_init/outputs.tf index 6f7a596..c122a8c 100644 --- a/aws/tf/modules/sra/databricks_account/uc_init/outputs.tf +++ b/aws/tf/modules/sra/databricks_account/uc_init/outputs.tf @@ -1,3 +1,3 @@ output "metastore_id" { - value = databricks_metastore.this.id + value = var.metastore_exists ? data.databricks_metastore.this[0].id : databricks_metastore.this[0].id } \ No newline at end of file diff --git a/aws/tf/modules/sra/databricks_account/uc_init/uc_init.tf b/aws/tf/modules/sra/databricks_account/uc_init/uc_init.tf index a5d1102..34df58d 100644 --- a/aws/tf/modules/sra/databricks_account/uc_init/uc_init.tf +++ b/aws/tf/modules/sra/databricks_account/uc_init/uc_init.tf @@ -1,7 +1,13 @@ // Terraform Documentation: https://registry.terraform.io/providers/databricks/databricks/latest/docs/guides/unity-catalog -// Metastore +// Optional data source - only run if the metastore exists +data "databricks_metastore" "this" { + count = var.metastore_exists ? 1 : 0 + region = var.region +} + resource "databricks_metastore" "this" { + count = var.metastore_exists ? 0 : 1 name = "${var.resource_prefix}-${var.region}-unity-catalog" region = var.region force_destroy = true diff --git a/aws/tf/modules/sra/databricks_account/uc_init/variables.tf b/aws/tf/modules/sra/databricks_account/uc_init/variables.tf index c2aaf1b..ec1a35d 100644 --- a/aws/tf/modules/sra/databricks_account/uc_init/variables.tf 
+++ b/aws/tf/modules/sra/databricks_account/uc_init/variables.tf @@ -6,6 +6,10 @@ variable "databricks_account_id" { type = string } +variable "metastore_exists" { + type = string +} + variable "metastore_name" { type = string } diff --git a/aws/tf/modules/sra/databricks_workspace.tf b/aws/tf/modules/sra/databricks_workspace.tf index 3425c42..ed6c09d 100644 --- a/aws/tf/modules/sra/databricks_workspace.tf +++ b/aws/tf/modules/sra/databricks_workspace.tf @@ -15,9 +15,7 @@ module "uc_catalog" { workspace_id = module.databricks_mws_workspace.workspace_id user_workspace_catalog_admin = var.user_workspace_catalog_admin - depends_on = [ - module.databricks_mws_workspace, module.uc_assignment - ] + depends_on = [module.databricks_mws_workspace, module.uc_assignment] } // Create Read-Only Storage Location for Data Bucket & External Location @@ -33,10 +31,6 @@ module "uc_external_location" { resource_prefix = var.resource_prefix read_only_data_bucket = var.read_only_data_bucket read_only_external_location_admin = var.read_only_external_location_admin - - depends_on = [ - module.databricks_mws_workspace, module.uc_assignment - ] } // Workspace Admin Configuration @@ -46,34 +40,6 @@ module "admin_configuration" { providers = { databricks = databricks.created_workspace } - - depends_on = [ - module.databricks_mws_workspace - ] -} - -// Token Management -module "token_management" { - source = "./databricks_workspace/workspace_security_modules/token_management" - providers = { - databricks = databricks.created_workspace - } - - depends_on = [ - module.databricks_mws_workspace - ] -} - -// Secret Management -module "secret_management" { - source = "./databricks_workspace/workspace_security_modules/secret_management" - providers = { - databricks = databricks.created_workspace - } - - depends_on = [ - module.databricks_mws_workspace - ] } // IP Access Lists - Optional 
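Review bot: `variable "metastore_exists"` is declared `type = string` but is consumed as a boolean (`count = var.metastore_exists ? 1 : 0` in uc_init.tf and the ternary in outputs.tf), so a value such as `"no"` or `"0"` fails deep in the module with a conversion error instead of at the variable boundary, and the variable carries no description. Declare it `type = bool` with `description = "Set to true to attach the workspace to the metastore already present in var.region instead of creating one"`. If the root module presumably still passes `"true"`/`"false"` strings, Terraform's implicit conversion keeps that working.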
@@ -85,10 +51,6 @@ module "ip_access_list" { } ip_addresses = var.ip_addresses - - depends_on = [ - module.databricks_mws_workspace - ] } // Create Create Cluster - Optional @@ -100,25 +62,17 @@ module "cluster_configuration" { } compliance_security_profile_egress_ports = var.compliance_security_profile_egress_ports - secret_config_reference = module.secret_management.config_reference resource_prefix = var.resource_prefix operation_mode = var.operation_mode - depends_on = [ - module.databricks_mws_workspace, module.secret_management - ] } -// Public Preview - System Table Schemas - Optional -module "public_preview_system_table" { - source = "./databricks_workspace/public_preview/system_schema/" +// System Table Schemas Enablement - Optional +module "system_table" { + source = "./databricks_workspace/workspace_security_modules/system_schema/" count = var.enable_system_tables_schema_boolean ? 1 : 0 providers = { databricks = databricks.created_workspace } - - depends_on = [ - module.databricks_mws_workspace - ] } // SAT Implementation - Optional @@ -129,16 +83,18 @@ module "security_analysis_tool" { databricks = databricks.created_workspace } - databricks_url = module.databricks_mws_workspace.workspace_url - workspace_PAT = module.service_principal.service_principal_id - workspace_id = module.databricks_mws_workspace.workspace_id - account_console_id = var.databricks_account_id - client_id = var.client_id - client_secret = var.client_secret - use_sp_auth = true + databricks_url = module.databricks_mws_workspace.workspace_url + workspace_id = module.databricks_mws_workspace.workspace_id + account_console_id = var.databricks_account_id + client_id = var.client_id + client_secret = var.client_secret + use_sp_auth = true + proxies = {} + analysis_schema_name = "SAT" + depends_on = [ - module.databricks_mws_workspace, module.service_principal + module.databricks_mws_workspace ] } 
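Review bot: `analysis_schema_name = "SAT"` is hard-coded while every other input to `module "security_analysis_tool"` is a variable, and the only `depends_on` left is `module.databricks_mws_workspace` — the metastore assignment (`module.uc_assignment`, which `module "uc_catalog"` in this same file still depends on) is no longer guaranteed to precede the SAT initializer, which presumably creates or writes into that schema through Unity Catalog. Add `module.uc_assignment` to `depends_on` and lift the schema name to a variable with `"SAT"` as its default. Whether the SAT notebooks create the schema themselves or expect it to exist is not visible here, so the ordering change is precautionary.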
@@ -151,8 +107,4 @@ module "audit_log_alerting" { } alert_emails = [var.user_workspace_admin] - - depends_on = [ - module.databricks_mws_workspace, module.uc_assignment - ] } \ No newline at end of file diff --git a/aws/tf/modules/sra/databricks_workspace/solution_accelerators/security_analysis_tool/aws/provider.tf b/aws/tf/modules/sra/databricks_workspace/solution_accelerators/security_analysis_tool/aws/provider.tf index a683b8d..b055acf 100644 --- a/aws/tf/modules/sra/databricks_workspace/solution_accelerators/security_analysis_tool/aws/provider.tf +++ b/aws/tf/modules/sra/databricks_workspace/solution_accelerators/security_analysis_tool/aws/provider.tf @@ -7,8 +7,10 @@ terraform { } module "common" { - source = "../common/" - account_console_id = var.account_console_id - workspace_id = var.workspace_id - sqlw_id = var.sqlw_id + source = "../common/" + account_console_id = var.account_console_id + workspace_id = var.workspace_id + sqlw_id = var.sqlw_id + analysis_schema_name = var.analysis_schema_name + proxies = var.proxies } diff --git a/aws/tf/modules/sra/databricks_workspace/solution_accelerators/security_analysis_tool/aws/secrets.tf b/aws/tf/modules/sra/databricks_workspace/solution_accelerators/security_analysis_tool/aws/secrets.tf index 21a0178..db695c4 100644 --- a/aws/tf/modules/sra/databricks_workspace/solution_accelerators/security_analysis_tool/aws/secrets.tf +++ b/aws/tf/modules/sra/databricks_workspace/solution_accelerators/security_analysis_tool/aws/secrets.tf @@ -1,5 +1,17 @@ ### AWS Specific Secrets +resource "databricks_secret" "user" { + key = "user" + string_value = var.account_user + scope = module.common.secret_scope_id +} + +resource "databricks_secret" "pass" { + key = "pass" + string_value = var.account_pass + scope = module.common.secret_scope_id +} + resource "databricks_secret" "use_sp_auth" { key = "use-sp-auth" string_value = var.use_sp_auth 
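Review bot: `databricks_secret.user` and `databricks_secret.pass` are created unconditionally, so with `use_sp_auth` now defaulting to `true` every deployment stores a `user`/`pass` pair holding the single-space placeholder, and a real password supplied for the legacy path is written into the workspace secret scope even when service-principal auth is in use. Gate both on the auth mode, `count = var.use_sp_auth ? 0 : 1`, unless the SAT notebooks require the keys to exist in both modes (not visible here), in which case say so in a comment. `var.account_pass` is declared without `sensitive = true` (variables.tf, outside this hunk), so unless the provider redacts it the value can surface in plan output wherever it is interpolated.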
diff --git a/aws/tf/modules/sra/databricks_workspace/solution_accelerators/security_analysis_tool/aws/variables.tf b/aws/tf/modules/sra/databricks_workspace/solution_accelerators/security_analysis_tool/aws/variables.tf index a3cccad..84420a8 100644 --- a/aws/tf/modules/sra/databricks_workspace/solution_accelerators/security_analysis_tool/aws/variables.tf +++ b/aws/tf/modules/sra/databricks_workspace/solution_accelerators/security_analysis_tool/aws/variables.tf @@ -8,11 +8,6 @@ variable "workspace_id" { type = string } -variable "workspace_PAT" { - description = "PAT should look like dapixxxxxxxxxxxxxxxxxxxx" - type = string -} - variable "account_console_id" { description = "Databricks Account Console ID" type = string @@ -30,10 +25,22 @@ variable "sqlw_id" { ### AWS Specific Variables +variable "account_user" { + description = "Account Console Username" + type = string + default = " " +} + +variable "account_pass" { + description = "Account Console Password" + type = string + default = " " +} + variable "use_sp_auth" { description = "Authenticate with Service Principal OAuth tokens instead of user and password" type = bool - default = false + default = true } variable "client_id" { @@ -47,3 +54,13 @@ variable "client_secret" { type = string default = "value" } + +variable "analysis_schema_name" { + type = string + description = "Name of the schema to be used for analysis" +} + +variable "proxies" { + type = map(any) + description = "Proxies to be used for Databricks API calls" +} diff --git a/aws/tf/modules/sra/databricks_workspace/solution_accelerators/security_analysis_tool/common/jobs.tf b/aws/tf/modules/sra/databricks_workspace/solution_accelerators/security_analysis_tool/common/jobs.tf index 047a810..7e46fa1 100644 --- a/aws/tf/modules/sra/databricks_workspace/solution_accelerators/security_analysis_tool/common/jobs.tf +++ b/aws/tf/modules/sra/databricks_workspace/solution_accelerators/security_analysis_tool/common/jobs.tf 
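Review bot: `account_pass` — and the pre-existing `client_secret` just below this hunk — are declared without `sensitive = true`, so Terraform will print their values in plan diffs and error messages wherever they are interpolated, and both default to placeholder strings (`" "`, `"value"`) that look like real configuration and are stored as workspace secrets by secrets.tf. Mark them `sensitive = true` and use `default = ""`, which reads as "not configured"; `account_user` should get the empty default too. With `use_sp_auth` now defaulting to `true`, the username/password pair is the legacy path, which is worth stating in its `description` so nobody fills it in unnecessarily.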
@@ -1,53 +1,66 @@ resource "databricks_job" "initializer" { name = "SAT Initializer Notebook (one-time)" - new_cluster { - num_workers = 5 - spark_version = data.databricks_spark_version.latest_lts.id - node_type_id = data.databricks_node_type.smallest.id - runtime_engine = "PHOTON" - dynamic "gcp_attributes" { - for_each = var.gcp_impersonate_service_account == "" ? [] : [var.gcp_impersonate_service_account] - content { - google_service_account = var.gcp_impersonate_service_account + job_cluster { + job_cluster_key = "job_cluster" + new_cluster { + num_workers = 5 + spark_version = data.databricks_spark_version.latest_lts.id + node_type_id = data.databricks_node_type.smallest.id + runtime_engine = "PHOTON" + dynamic "gcp_attributes" { + for_each = var.gcp_impersonate_service_account == "" ? [] : [var.gcp_impersonate_service_account] + content { + google_service_account = var.gcp_impersonate_service_account + } } } } - library { - pypi { - package = "dbl-sat-sdk" + task { + task_key = "Initializer" + job_cluster_key = "job_cluster" + library { + pypi { + package = "dbl-sat-sdk" + } + } + notebook_task { + notebook_path = "${databricks_repo.security_analysis_tool.workspace_path}/notebooks/security_analysis_initializer" } - } - - notebook_task { - notebook_path = "${databricks_repo.security_analysis_tool.path}/notebooks/security_analysis_initializer" } } resource "databricks_job" "driver" { name = "SAT Driver Notebook" - new_cluster { - num_workers = 5 - spark_version = data.databricks_spark_version.latest_lts.id - node_type_id = data.databricks_node_type.smallest.id - runtime_engine = "PHOTON" - dynamic "gcp_attributes" { - for_each = var.gcp_impersonate_service_account == "" ? 
[] : [var.gcp_impersonate_service_account] - content { - google_service_account = var.gcp_impersonate_service_account + job_cluster { + job_cluster_key = "job_cluster" + new_cluster { + num_workers = 5 + spark_version = data.databricks_spark_version.latest_lts.id + node_type_id = data.databricks_node_type.smallest.id + runtime_engine = "PHOTON" + dynamic "gcp_attributes" { + for_each = var.gcp_impersonate_service_account == "" ? [] : [var.gcp_impersonate_service_account] + content { + google_service_account = var.gcp_impersonate_service_account + } } } } - library { - pypi { - package = "dbl-sat-sdk" - } - } - notebook_task { - notebook_path = "${databricks_repo.security_analysis_tool.path}/notebooks/security_analysis_driver" + task { + task_key = "Driver" + job_cluster_key = "job_cluster" + library { + pypi { + package = "dbl-sat-sdk" + } + } + notebook_task { + notebook_path = "${databricks_repo.security_analysis_tool.workspace_path}/notebooks/security_analysis_driver" + } } schedule { diff --git a/aws/tf/modules/sra/databricks_workspace/solution_accelerators/security_analysis_tool/common/provider.tf b/aws/tf/modules/sra/databricks_workspace/solution_accelerators/security_analysis_tool/common/provider.tf index 1d847d2..e5c4d7f 100644 --- a/aws/tf/modules/sra/databricks_workspace/solution_accelerators/security_analysis_tool/common/provider.tf +++ b/aws/tf/modules/sra/databricks_workspace/solution_accelerators/security_analysis_tool/common/provider.tf @@ -4,4 +4,5 @@ terraform { source = "databricks/databricks" } } -} \ No newline at end of file +} + diff --git a/aws/tf/modules/sra/databricks_workspace/solution_accelerators/security_analysis_tool/common/repo.tf b/aws/tf/modules/sra/databricks_workspace/solution_accelerators/security_analysis_tool/common/repo.tf index 87c1dc5..7b21149 100644 --- a/aws/tf/modules/sra/databricks_workspace/solution_accelerators/security_analysis_tool/common/repo.tf 
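Review bot: Both tasks install `dbl-sat-sdk` from PyPI with no version pin (`pypi { package = "dbl-sat-sdk" }`, once per job), so every run of the initializer and of the scheduled driver resolves the newest release at cluster start, and an unreviewed upstream change ships straight into jobs that hold account-console credentials. Pin it, `package = "dbl-sat-sdk==<tested version>"`, and bump deliberately in a reviewed change. The `data.databricks_spark_version.latest_lts` lookup has the same drift property but is a Databricks-maintained runtime image, so it is the smaller concern.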
+++ b/aws/tf/modules/sra/databricks_workspace/solution_accelerators/security_analysis_tool/common/repo.tf @@ -1,5 +1,7 @@ #Make sure Files in Repos option is enabled in Workspace Admin Console > Workspace Settings resource "databricks_repo" "security_analysis_tool" { - url = "https://github.com/databricks-industry-solutions/security-analysis-tool.git" + url = "https://github.com/databricks-industry-solutions/security-analysis-tool.git" + branch = "main" + path = "/Workspace/Applications/SAT_TF" } diff --git a/aws/tf/modules/sra/databricks_workspace/solution_accelerators/security_analysis_tool/common/secrets.tf b/aws/tf/modules/sra/databricks_workspace/solution_accelerators/security_analysis_tool/common/secrets.tf index 40ef89d..30a35f6 100644 --- a/aws/tf/modules/sra/databricks_workspace/solution_accelerators/security_analysis_tool/common/secrets.tf +++ b/aws/tf/modules/sra/databricks_workspace/solution_accelerators/security_analysis_tool/common/secrets.tf @@ -8,17 +8,6 @@ resource "databricks_secret" "user_email" { scope = databricks_secret_scope.sat.id } -resource "databricks_token" "pat" { - lifetime_seconds = 86400 * 365 - comment = "Security Analysis Tool" -} - -resource "databricks_secret" "pat" { - key = "sat-token-${var.workspace_id}" - string_value = databricks_token.pat.token_value - scope = databricks_secret_scope.sat.id -} - resource "databricks_secret" "account_console_id" { key = "account-console-id" string_value = var.account_console_id 
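Review bot: `branch = "main"` makes the workspace clone track the upstream repository's moving head, so the notebooks the SAT jobs execute with account-console credentials change whenever the upstream project merges — no review, no hash, no rollback point. The `databricks_repo` resource accepts `tag` in place of `branch`; pin to a release, `tag = "<release>"`, and advance between releases by editing this file. A short comment above the resource stating that the path `/Workspace/Applications/SAT_TF` is reserved for this clone would also help the next reader.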
@@ -30,3 +19,16 @@ resource "databricks_secret" "sql_warehouse_id" { string_value = var.sqlw_id == "new" ? databricks_sql_endpoint.new[0].id : data.databricks_sql_warehouse.old[0].id scope = databricks_secret_scope.sat.id } + +resource "databricks_secret" "analysis_schema_name" { + key = "analysis_schema_name" + string_value = var.analysis_schema_name + scope = databricks_secret_scope.sat.id +} + +resource "databricks_secret" "proxies" { + key = "proxies" + string_value = jsonencode(var.proxies) + scope = databricks_secret_scope.sat.id +} + diff --git a/aws/tf/modules/sra/databricks_workspace/solution_accelerators/security_analysis_tool/common/variables.tf b/aws/tf/modules/sra/databricks_workspace/solution_accelerators/security_analysis_tool/common/variables.tf index 9a99283..150ac5a 100644 --- a/aws/tf/modules/sra/databricks_workspace/solution_accelerators/security_analysis_tool/common/variables.tf +++ b/aws/tf/modules/sra/databricks_workspace/solution_accelerators/security_analysis_tool/common/variables.tf @@ -34,3 +34,13 @@ variable "gcp_impersonate_service_account" { description = "GCP Service Account to impersonate (e.g. xyz-sa-2@project.iam.gserviceaccount.com)" default = "" } + +variable "analysis_schema_name" { + type = string + description = "Name of the schema to be used for analysis" +} + +variable "proxies" { + type = map(any) + description = "Proxies to be used for Databricks API calls" +} diff --git a/aws/tf/modules/sra/databricks_workspace/workspace_security_modules/cluster_configuration/cluster_configuration.tf b/aws/tf/modules/sra/databricks_workspace/workspace_security_modules/cluster_configuration/cluster_configuration.tf index ac294fd..ed3d319 100644 --- a/aws/tf/modules/sra/databricks_workspace/workspace_security_modules/cluster_configuration/cluster_configuration.tf +++ b/aws/tf/modules/sra/databricks_workspace/workspace_security_modules/cluster_configuration/cluster_configuration.tf 
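Review bot: `variable "proxies"` in the variables.tf hunk is declared without `default` and without `sensitive = true`, yet the secrets.tf hunk above writes `jsonencode(var.proxies)` into a secret, and proxy URLs commonly embed credentials. Adding `sensitive = true` keeps the value out of plan output and CI logs (it still lands in state, as every databricks_secret `string_value` does), and `default = {}` lets callers without a proxy omit the argument rather than pass an empty map. `analysis_schema_name` could likewise take `default = "SAT"`, which appears to be the value the aws-gov module call later in this series hard-codes.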
@@ -49,7 +49,7 @@ locals { } ) - selected_policy = var.operation_mode == "Isolated" ? local.default_policy : local.isolated_policy + selected_policy = var.operation_mode == "isolated" ? local.isolated_policy : local.default_policy final_policy = { for k, v in local.selected_policy : k => v if v != null } } @@ -73,10 +73,6 @@ resource "databricks_cluster" "example" { max_workers = 2 } - spark_conf = { - "secret.example" = var.secret_config_reference - } - depends_on = [ databricks_cluster_policy.example ] diff --git a/aws/tf/modules/sra/databricks_workspace/workspace_security_modules/cluster_configuration/variables.tf b/aws/tf/modules/sra/databricks_workspace/workspace_security_modules/cluster_configuration/variables.tf index b48f472..69f9a6a 100644 --- a/aws/tf/modules/sra/databricks_workspace/workspace_security_modules/cluster_configuration/variables.tf +++ b/aws/tf/modules/sra/databricks_workspace/workspace_security_modules/cluster_configuration/variables.tf @@ -9,8 +9,4 @@ variable "operation_mode" { variable "resource_prefix" { type = string -} - -variable "secret_config_reference" { - type = string -} +} \ No newline at end of file diff --git a/aws/tf/modules/sra/databricks_workspace/workspace_security_modules/secret_management/output.tf b/aws/tf/modules/sra/databricks_workspace/workspace_security_modules/secret_management/output.tf deleted file mode 100644 index ca80979..0000000 --- a/aws/tf/modules/sra/databricks_workspace/workspace_security_modules/secret_management/output.tf +++ /dev/null @@ -1,3 +0,0 @@ -output "config_reference" { - value = databricks_secret.example_app_secret.config_reference -} \ No newline at end of file diff --git a/aws/tf/modules/sra/databricks_workspace/workspace_security_modules/secret_management/provider.tf b/aws/tf/modules/sra/databricks_workspace/workspace_security_modules/secret_management/provider.tf deleted file mode 100644 index bdd3474..0000000 
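Review bot: The rewritten `selected_policy` line compares `var.operation_mode` case-sensitively against `"isolated"`, so a caller passing `"Isolated"` (the spelling the README uses and the one the old condition expected) silently receives `local.default_policy` for an isolated workspace instead of an error. Normalising with `selected_policy = lower(var.operation_mode) == "isolated" ? local.isolated_policy : local.default_policy`, or adding a `validation` block on `operation_mode` that restricts it to the four documented lowercase values, turns that misconfiguration into a plan-time failure. The enclosing `locals` block starts before this hunk.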
--- a/aws/tf/modules/sra/databricks_workspace/workspace_security_modules/secret_management/provider.tf +++ /dev/null @@ -1,7 +0,0 @@ -terraform { - required_providers { - databricks = { - source = "databricks/databricks" - } - } -} diff --git a/aws/tf/modules/sra/databricks_workspace/workspace_security_modules/secret_management/secret_management.tf b/aws/tf/modules/sra/databricks_workspace/workspace_security_modules/secret_management/secret_management.tf deleted file mode 100644 index 65f0be9..0000000 --- a/aws/tf/modules/sra/databricks_workspace/workspace_security_modules/secret_management/secret_management.tf +++ /dev/null @@ -1,11 +0,0 @@ -// Terraform Documentation: https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/secret - -resource "databricks_secret_scope" "app" { - name = "application-secret-scope" -} - -resource "databricks_secret" "example_app_secret" { - key = "example_api_secret" - string_value = "value that should be hidden from Terraform!" - scope = databricks_secret_scope.app.id -} \ No newline at end of file diff --git a/aws/tf/modules/sra/databricks_workspace/public_preview/system_schema/provider.tf b/aws/tf/modules/sra/databricks_workspace/workspace_security_modules/system_schema/provider.tf similarity index 100% rename from aws/tf/modules/sra/databricks_workspace/public_preview/system_schema/provider.tf rename to aws/tf/modules/sra/databricks_workspace/workspace_security_modules/system_schema/provider.tf diff --git a/aws/tf/modules/sra/databricks_workspace/public_preview/system_schema/system_schema.tf b/aws/tf/modules/sra/databricks_workspace/workspace_security_modules/system_schema/system_schema.tf similarity index 87% rename from aws/tf/modules/sra/databricks_workspace/public_preview/system_schema/system_schema.tf rename to aws/tf/modules/sra/databricks_workspace/workspace_security_modules/system_schema/system_schema.tf index 617dffb..180bf9f 100644 
--- a/aws/tf/modules/sra/databricks_workspace/public_preview/system_schema/system_schema.tf +++ b/aws/tf/modules/sra/databricks_workspace/workspace_security_modules/system_schema/system_schema.tf @@ -12,8 +12,8 @@ resource "databricks_system_schema" "compute" { schema = "compute" } -resource "databricks_system_schema" "workflow" { - schema = "workflow" +resource "databricks_system_schema" "lakeflow" { + schema = "lakeflow" } resource "databricks_system_schema" "marketplace" { diff --git a/aws/tf/modules/sra/databricks_workspace/workspace_security_modules/token_management/provider.tf b/aws/tf/modules/sra/databricks_workspace/workspace_security_modules/token_management/provider.tf deleted file mode 100644 index bdd3474..0000000 --- a/aws/tf/modules/sra/databricks_workspace/workspace_security_modules/token_management/provider.tf +++ /dev/null @@ -1,7 +0,0 @@ -terraform { - required_providers { - databricks = { - source = "databricks/databricks" - } - } -} diff --git a/aws/tf/modules/sra/databricks_workspace/workspace_security_modules/token_management/token_management.tf b/aws/tf/modules/sra/databricks_workspace/workspace_security_modules/token_management/token_management.tf deleted file mode 100644 index 980ab4e..0000000 --- a/aws/tf/modules/sra/databricks_workspace/workspace_security_modules/token_management/token_management.tf +++ /dev/null @@ -1,7 +0,0 @@ -// Terraform Documentation: https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/token - -resource "databricks_token" "pat" { - comment = "Terraform Provisioning" - // 30 day token - lifetime_seconds = 2592000 -} \ No newline at end of file diff --git a/aws/tf/modules/sra/privatelink.tf b/aws/tf/modules/sra/privatelink.tf index 0b6047f..a16d738 100644 --- a/aws/tf/modules/sra/privatelink.tf +++ b/aws/tf/modules/sra/privatelink.tf 
@@ -287,9 +287,6 @@ module "vpc_endpoints" { } } } - depends_on = [ - module.vpc, module.databricks_mws_workspace - ] } // Databricks REST endpoint - skipped in custom operation mode diff --git a/aws/tf/modules/sra/variables.tf b/aws/tf/modules/sra/variables.tf index 7b171a1..86d5058 100644 --- a/aws/tf/modules/sra/variables.tf +++ b/aws/tf/modules/sra/variables.tf @@ -296,8 +296,3 @@ variable "workspace" { #"us-west-1" = "" } } - -variable "workspace_admin_service_principal_name" { - description = "Service principle name" - type = string -} diff --git a/aws/tf/sra.tf b/aws/tf/sra.tf index f7200f3..e094ffa 100644 --- a/aws/tf/sra.tf +++ b/aws/tf/sra.tf @@ -17,11 +17,10 @@ module "SRA" { resource_prefix = var.resource_prefix // REQUIRED - Workspace and Unity Catalog: - user_workspace_admin = null // Workspace admin user email. - user_workspace_catalog_admin = null // Workspace catalog admin email. - operation_mode = "isolated" // Operation mode (sandbox, custom, firewall, isolated), see README.md for more information. - workspace_admin_service_principal_name = "sra-example-sp" // Creates an example admin SP for automation use cases. - metastore_exists = false // If a regional metastore exists set to true. If there are multiple regional metastores, you can comment out "uc_init" and add the metastore ID directly in to the module call for "uc_assignment". + user_workspace_admin = null // Workspace admin user email. + user_workspace_catalog_admin = null // Workspace catalog admin email. + operation_mode = "isolated" // Operation mode (sandbox, custom, firewall, isolated), see README.md for more information. + metastore_exists = false // If a regional metastore exists set to true. If there are multiple regional metastores, you can comment out "uc_init" and add the metastore ID directly in to the module call for "uc_assignment". // REQUIRED - AWS Infrastructure: cmk_admin_arn = null // CMK admin ARN, defaults to the AWS account root user. 
@@ -47,7 +46,7 @@ module "SRA" { custom_relay_vpce_id = null custom_workspace_vpce_id = null - // OPTIONAL - Examples, Workspace Hardening, Public Previews, and Solution Accelerators: + // OPTIONAL - Examples, Workspace Hardening, and Solution Accelerators: enable_read_only_external_location_boolean = false // Set to true to enable a read-only external location. read_only_data_bucket = null // S3 bucket name for read-only data. read_only_external_location_admin = null // Admin for the external location. @@ -64,7 +63,7 @@ module "SRA" { enable_ip_boolean = false // Set to true to enable IP access list. ip_addresses = ["X.X.X.X", "X.X.X.X/XX", "X.X.X.X/XX"] // Specify IP addresses for access. - enable_system_tables_schema_boolean = false // Set to true to enable system table schemas (Public Preview). + enable_system_tables_schema_boolean = false // Set to true to enable system table schemas enable_sat_boolean = false // Set to true to enable Security Analysis Tool. https://github.com/databricks-industry-solutions/security-analysis-tool enable_audit_log_alerting = false // Set to true to create 40+ queries for audit log alerting based on user activity. https://github.com/andyweaves/system-tables-audit-logs From 1a72311f5937a63eeeed4552a2ec591c536a8d22 Mon Sep 17 00:00:00 2001 
From: Antonio Irizarry Date: Fri, 13 Sep 2024 12:04:54 -0400 Subject: [PATCH 18/24] AWS Gov: Updating SAT, removing modules, removing explicit dependencies, etc. #94 --- aws-gov/README.md | 29 +++---- aws-gov/tf/modules/sra/databricks_account.tf | 37 +++------ .../service_principal/output.tf | 3 - .../service_principal/provider.tf | 7 -- .../service_principal/service_principal.tf | 12 --- .../service_principal/variables.tf | 8 -- .../uc_assignment/uc_assignment.tf | 6 +- .../sra/databricks_account/uc_init/outputs.tf | 2 +- .../sra/databricks_account/uc_init/uc_init.tf | 8 +- .../databricks_account/uc_init/variables.tf | 4 + .../tf/modules/sra/databricks_workspace.tf | 75 ++++-------------- .../security_analysis_tool/aws/provider.tf | 10 ++- .../security_analysis_tool/aws/secrets.tf | 12 +++ .../security_analysis_tool/aws/variables.tf | 29 +++++-- .../security_analysis_tool/common/jobs.tf | 78 +++++++++++-------- .../security_analysis_tool/common/repo.tf | 4 +- .../security_analysis_tool/common/secrets.tf | 23 +++--- .../common/variables.tf | 10 +++ .../cluster_configuration.tf | 6 +- .../cluster_configuration/variables.tf | 4 - .../secret_management/output.tf | 3 - .../secret_management/provider.tf | 7 -- .../secret_management/secret_management.tf | 11 --- .../system_schema/provider.tf | 0 .../system_schema/system_schema.tf | 4 +- .../token_management/provider.tf | 7 -- .../token_management/token_management.tf | 7 -- aws-gov/tf/modules/sra/privatelink.tf | 3 - aws-gov/tf/modules/sra/variables.tf | 5 -- aws-gov/tf/sra.tf | 13 ++-- 30 files changed, 164 insertions(+), 263 deletions(-) delete mode 100644 aws-gov/tf/modules/sra/databricks_account/service_principal/output.tf delete mode 100644 aws-gov/tf/modules/sra/databricks_account/service_principal/provider.tf delete mode 100644 aws-gov/tf/modules/sra/databricks_account/service_principal/service_principal.tf delete mode 100644 aws-gov/tf/modules/sra/databricks_account/service_principal/variables.tf delete mode 
100644 aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/secret_management/output.tf delete mode 100644 aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/secret_management/provider.tf delete mode 100644 aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/secret_management/secret_management.tf rename aws-gov/tf/modules/sra/databricks_workspace/{public_preview => workspace_security_modules}/system_schema/provider.tf (100%) rename aws-gov/tf/modules/sra/databricks_workspace/{public_preview => workspace_security_modules}/system_schema/system_schema.tf (87%) delete mode 100644 aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/token_management/provider.tf delete mode 100644 aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/token_management/token_management.tf diff --git a/aws-gov/README.md b/aws-gov/README.md index e7ef45e..ed34ca2 100644 --- a/aws-gov/README.md +++ b/aws-gov/README.md 
@@ -21,7 +21,8 @@ There are four separate operation modes you can choose for the underlying networ - **Sandbox**: Sandbox or open egress. Selecting 'sandbox' as the operation mode allows traffic to flow freely to the public internet. This mode is suitable for sandbox or development scenarios where data exfiltration protection is of minimal concern, and developers need to access public APIs, packages, and more. -- **Firewall**: Firewall or limited egress. Choosing 'firewall' as the operation mode permits traffic flow only to a selected list of public addresses. This mode is applicable in situations where open internet access is necessary for certain tasks, but unfiltered traffic is not an option due to the sensitivity of the workloads or data. **NOTE**: Due to a limitation in the AWS Network Firewall's ability to use fully qualified domain names for non-HTTP/HTTPS traffic, an external data source is required for the external Hive metastore. For sensitive production workloads, it is recommended to use isolated operation mode and Unity Catalog, a self-hosted Hive metastore, or to explore other firewall services to address AWS Network Firewall's limitations. +- **Firewall**: Firewall or limited egress. Choosing 'firewall' as the operation mode permits traffic flow only to a selected list of public addresses. This mode is applicable in situations where open internet access is necessary for certain tasks, but unfiltered traffic is not an option due to the sensitivity of the workloads or data. + - **WARNING**: Due to a limitation in AWS Network Firewall's support for fully qualified domain names (FQDNs) in non-HTTP/HTTPS traffic, an IP address is required to allow communication with the Hive Metastore. This dependency on a static IP introduces the potential for downtime if the Hive Metastore's IP changes. 
For sensitive production workloads, it is recommended to explore the isolated operation mode or consider alternative firewall solutions that provide better handling of dynamic IPs or FQDNs. - **Isolated**: Isolated or no egress. Opting for 'isolated' as the operation mode prevents any traffic to the public internet. Traffic is limited to AWS private endpoints, either to AWS services or the Databricks control plane. This mode should be used in cases where access to the public internet is completely unsupported. **NOTE**: Apache Derby Metastore will be required for clusters and non-serverless SQL Warehouses. For more information, please view this [knowledge article](https://kb.databricks.com/metastore/set-up-embedded-metastore). 
@@ -45,18 +46,10 @@ See the below networking diagrams for more information. - **Unity Catalog**: [Unity Catalog](https://docs.databricks.com/data-governance/unity-catalog/index.html) is a unified governance solution for all data and AI assets including files, tables, and machine learning models. Unity Catalog provides a modern approach to granular access controls with centralized policy, auditing, and lineage tracking - all integrated into your Databricks workflow. **NOTE**: SRA creates a workspace specific catalog that is isolated to that individual workspace. To change these settings please update uc_catalog.tf under the workspace_security_modules. -## Post Workspace Deployment - -- **Service Principals**: A [Service principal](https://docs.databricks.com/administration-guide/users-groups/service-principals.html) is an identity that you create in Databricks for use with automated tools, jobs, and applications. It's against best practice to tie production workloads to individual user accounts, and so we recommend configuring these service principals within Databricks. In this template, we create an example service principal. - -- **Token Management**: [Personal access tokens](https://docs.databricks.com/dev-tools/api/latest/authentication.html) are used to access Databricks REST APIs in-lieu of passwords. In this template we create an example token and set its time-to-live. This can be set at an administrative level for all users. - -- **Secret Management** Integrating with heterogeneous systems requires managing a potentially large set of credentials and safely distributing them across an organization. Instead of directly entering your credentials into a notebook, use [Databricks secrets](https://docs.databricks.com/security/secrets/index.html) to store your credentials and reference them in notebooks and jobs. In this template, we create an example secret. 
- - ## Optional Deployment Configurations - **Audit and Billable Usage Logs**: Databricks delivers logs to your S3 buckets. [Audit logs](https://docs.databricks.com/administration-guide/account-settings/audit-logs.html) contain two levels of events: workspace-level audit logs with workspace-level events and account-level audit logs with account-level events. In addition to these logs, you can generate additional events by enabling verbose audit logs. [Billable usage logs](https://docs.databricks.com/administration-guide/account-settings/billable-usage-delivery.html) are delivered daily to an AWS S3 storage bucket. There will be a separate CSV file for each workspace. This file contains historical data about the workspace's cluster usage in Databricks Units (DBUs). +- **System Tables Schemas**: System Tables provide visiblity into access, billing, compute, Lakeflow, and storage logs. These tables can be found within the system catalog in Unity Catalog. - **Cluster Example**: An example of a cluster and a cluster policy has been included. **NOTE:** Please be aware this will create a cluster within your Databricks workspace including the underlying EC2 instance. 
@@ -80,11 +73,6 @@ See the below networking diagrams for more information. - **Audit Log Alerting**: Audit Log Alerting, based on this [blog post](https://www.databricks.com/blog/improve-lakehouse-security-monitoring-using-system-tables-databricks-unity-catalog), creates 40+ SQL alerts to monitor for incidents based on a Zero Trust Architecture (ZTA) model. **NOTE:** Please be aware this creates a cluster, a job, and queries within your environment. -## Public Preview Features - -- **System Tables Schemas**: System Table schemas are currently in private preview. System Tables provide visiblity into access, billing, compute, and storage logs. In this deployment the metastore admin, service principle, owns the table. Additional grant statements will be needed. **NOTE:** Please note this is currently in public preview. - - ## Additional Security Recommendations and Opportunities In this section, we break down additional security recommendations and opportunities to maintain a strong security posture that either cannot be configured into this Terraform script or is very specific to individual customers (e.g. SCIM, SSO, Front-End PrivateLink, etc.) 
@@ -109,11 +97,12 @@ In this section, we break down additional security recommendations and opportuni 3. Decide which [operation](https://github.com/databricks/terraform-databricks-sra/tree/main/aws-gov/tf#operation-mode) mode you'd like to use. 4. Fill out `sra.tf` in place 5. Fill out `template.tfvars.example` remove the .example part of the file name -6. CD into `tf` -7. Run `terraform init` -8. Run `terraform validate` -9. From `tf` directory, run `terraform plan -var-file ../example.tfvars` -10. Run `terraform apply -var-file ../example.tfvars` +6. Configure the [AWS](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#authentication-and-configuration) and [Databricks](https://registry.terraform.io/providers/databricks/databricks/latest/docs#authentication) provider authentication +7. CD into `tf` +8. Run `terraform init` +9. Run `terraform validate` +10. From `tf` directory, run `terraform plan -var-file ../example.tfvars` +11. Run `terraform apply -var-file ../example.tfvars` ## Network Diagram - Sandbox diff --git a/aws-gov/tf/modules/sra/databricks_account.tf b/aws-gov/tf/modules/sra/databricks_account.tf index 924b1ca..26b859a 100644 --- a/aws-gov/tf/modules/sra/databricks_account.tf +++ b/aws-gov/tf/modules/sra/databricks_account.tf @@ -8,14 +8,16 @@ module "log_delivery" { databricks = databricks.mws } - databricks_account_id = var.databricks_account_id - resource_prefix = var.resource_prefix + databricks_account_id = var.databricks_account_id + resource_prefix = var.resource_prefix + databricks_gov_shard = var.databricks_gov_shard + databricks_prod_aws_account_id = var.databricks_prod_aws_account_id[var.databricks_gov_shard] + log_delivery_role_name = var.log_delivery_role_name[var.databricks_gov_shard] } // Create Unity Catalog Metastore - No Root Storage module "uc_init" { - count = var.metastore_exists == false ? 1 : 0 source = "./databricks_account/uc_init" providers = { databricks = databricks.mws 
@@ -26,6 +28,7 @@ module "uc_init" { resource_prefix = var.resource_prefix region = var.region metastore_name = join("", [var.resource_prefix, "-", var.region, "-", "uc"]) + metastore_exists = var.metastore_exists } // Unity Catalog Assignment @@ -35,12 +38,10 @@ module "uc_assignment" { databricks = databricks.mws } - metastore_id = var.metastore_exists ? null : module.uc_init[0].metastore_id + metastore_id = module.uc_init.metastore_id region = var.region workspace_id = module.databricks_mws_workspace.workspace_id - depends_on = [ - module.databricks_mws_workspace - ] + depends_on = [module.databricks_mws_workspace, module.uc_init] } // Create Databricks Workspace @@ -66,22 +67,6 @@ module "databricks_mws_workspace" { workspace_storage_key_alias = aws_kms_alias.workspace_storage_key_alias.name } -// Service Principal -module "service_principal" { - source = "./databricks_account/service_principal" - providers = { - databricks = databricks.mws - } - - created_workspace_id = module.databricks_mws_workspace.workspace_id - workspace_admin_service_principal_name = var.workspace_admin_service_principal_name - - depends_on = [ - module.databricks_mws_workspace, - module.uc_assignment - ] -} - // User Workspace Assignment (Admin) module "user_assignment" { source = "./databricks_account/user_assignment" @@ -91,9 +76,5 @@ module "user_assignment" { created_workspace_id = module.databricks_mws_workspace.workspace_id workspace_access = var.user_workspace_admin - - depends_on = [ - module.databricks_mws_workspace, - module.uc_assignment - ] + depends_on = [module.uc_assignment, module.databricks_mws_workspace] } \ No newline at end of file diff --git a/aws-gov/tf/modules/sra/databricks_account/service_principal/output.tf b/aws-gov/tf/modules/sra/databricks_account/service_principal/output.tf deleted file mode 100644 index 678c54b..0000000 --- a/aws-gov/tf/modules/sra/databricks_account/service_principal/output.tf +++ /dev/null 
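Review bot: The rewritten `depends_on = [module.databricks_mws_workspace, module.uc_init]` in `module "uc_assignment"` is redundant for `module.uc_init`, because the same block now reads `module.uc_init.metastore_id` and Terraform derives that edge from the reference. The same applies to `module.databricks_mws_workspace` in the user_assignment hunk below (`created_workspace_id` already references it) and in the security_analysis_tool hunk of databricks_workspace.tf. Given the commit's stated aim of removing explicit dependencies, those entries could go as well, leaving `depends_on` only where no attribute reference exists, such as the `module.uc_assignment` ordering kept in uc_catalog. A module-level `depends_on` also makes every resource in the module, including data sources, wait for the whole dependency, which can push reads to apply time.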
@@ -1,3 +0,0 @@ -output "service_principal_id" { - value = databricks_service_principal.sp.id -} \ No newline at end of file diff --git a/aws-gov/tf/modules/sra/databricks_account/service_principal/provider.tf b/aws-gov/tf/modules/sra/databricks_account/service_principal/provider.tf deleted file mode 100644 index bdd3474..0000000 --- a/aws-gov/tf/modules/sra/databricks_account/service_principal/provider.tf +++ /dev/null @@ -1,7 +0,0 @@ -terraform { - required_providers { - databricks = { - source = "databricks/databricks" - } - } -} diff --git a/aws-gov/tf/modules/sra/databricks_account/service_principal/service_principal.tf b/aws-gov/tf/modules/sra/databricks_account/service_principal/service_principal.tf deleted file mode 100644 index a7d25d5..0000000 --- a/aws-gov/tf/modules/sra/databricks_account/service_principal/service_principal.tf +++ /dev/null @@ -1,12 +0,0 @@ -// Terraform Documentation: https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/service_principal - -resource "databricks_service_principal" "sp" { - display_name = var.workspace_admin_service_principal_name - allow_cluster_create = true -} - -resource "databricks_mws_permission_assignment" "admin_sp" { - workspace_id = var.created_workspace_id - principal_id = databricks_service_principal.sp.id - permissions = ["ADMIN"] -} \ No newline at end of file diff --git a/aws-gov/tf/modules/sra/databricks_account/service_principal/variables.tf b/aws-gov/tf/modules/sra/databricks_account/service_principal/variables.tf deleted file mode 100644 index 118a72b..0000000 --- a/aws-gov/tf/modules/sra/databricks_account/service_principal/variables.tf +++ /dev/null @@ -1,8 +0,0 @@ -variable "created_workspace_id" { - type = string -} - -variable "workspace_admin_service_principal_name" { - description = "Service principal name" - type = string -} \ No newline at end of file 
diff --git a/aws-gov/tf/modules/sra/databricks_account/uc_assignment/uc_assignment.tf b/aws-gov/tf/modules/sra/databricks_account/uc_assignment/uc_assignment.tf index bae1aa0..39721dd 100644 --- a/aws-gov/tf/modules/sra/databricks_account/uc_assignment/uc_assignment.tf +++ b/aws-gov/tf/modules/sra/databricks_account/uc_assignment/uc_assignment.tf @@ -1,11 +1,7 @@ // Metastore Assignment -data "databricks_metastore" "this" { - region = var.region -} - resource "databricks_metastore_assignment" "default_metastore" { workspace_id = var.workspace_id - metastore_id = var.metastore_id == null ? data.databricks_metastore.this.id : var.metastore_id + metastore_id = var.metastore_id default_catalog_name = "hive_metastore" } \ No newline at end of file diff --git a/aws-gov/tf/modules/sra/databricks_account/uc_init/outputs.tf b/aws-gov/tf/modules/sra/databricks_account/uc_init/outputs.tf index 6f7a596..c122a8c 100644 --- a/aws-gov/tf/modules/sra/databricks_account/uc_init/outputs.tf +++ b/aws-gov/tf/modules/sra/databricks_account/uc_init/outputs.tf @@ -1,3 +1,3 @@ output "metastore_id" { - value = databricks_metastore.this.id + value = var.metastore_exists ? data.databricks_metastore.this[0].id : databricks_metastore.this[0].id } \ No newline at end of file diff --git a/aws-gov/tf/modules/sra/databricks_account/uc_init/uc_init.tf b/aws-gov/tf/modules/sra/databricks_account/uc_init/uc_init.tf index a5d1102..34df58d 100644 --- a/aws-gov/tf/modules/sra/databricks_account/uc_init/uc_init.tf +++ b/aws-gov/tf/modules/sra/databricks_account/uc_init/uc_init.tf 
@@ -1,7 +1,13 @@ // Terraform Documentation: https://registry.terraform.io/providers/databricks/databricks/latest/docs/guides/unity-catalog -// Metastore +// Optional data source - only run if the metastore exists +data "databricks_metastore" "this" { + count = var.metastore_exists ? 1 : 0 + region = var.region +} + resource "databricks_metastore" "this" { + count = var.metastore_exists ? 0 : 1 name = "${var.resource_prefix}-${var.region}-unity-catalog" region = var.region force_destroy = true diff --git a/aws-gov/tf/modules/sra/databricks_account/uc_init/variables.tf b/aws-gov/tf/modules/sra/databricks_account/uc_init/variables.tf index c2aaf1b..ec1a35d 100644 --- a/aws-gov/tf/modules/sra/databricks_account/uc_init/variables.tf +++ b/aws-gov/tf/modules/sra/databricks_account/uc_init/variables.tf @@ -6,6 +6,10 @@ variable "databricks_account_id" { type = string } +variable "metastore_exists" { + type = string +} + variable "metastore_name" { type = string } diff --git a/aws-gov/tf/modules/sra/databricks_workspace.tf b/aws-gov/tf/modules/sra/databricks_workspace.tf index 9b9f55e..b72573d 100644 --- a/aws-gov/tf/modules/sra/databricks_workspace.tf +++ b/aws-gov/tf/modules/sra/databricks_workspace.tf @@ -18,9 +18,7 @@ module "uc_catalog" { databricks_prod_aws_account_id = var.databricks_prod_aws_account_id uc_master_role_id = var.uc_master_role_id - depends_on = [ - module.databricks_mws_workspace, module.uc_assignment - ] + depends_on = [module.databricks_mws_workspace, module.uc_assignment] } // Create Read-Only Storage Location for Data Bucket & External Location @@ -39,10 +37,6 @@ module "uc_external_location" { databricks_gov_shard = var.databricks_gov_shard databricks_prod_aws_account_id = var.databricks_prod_aws_account_id uc_master_role_id = var.uc_master_role_id - - depends_on = [ - module.databricks_mws_workspace, module.uc_assignment - ] } // Workspace Admin Configuration 
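Review bot: With `count = var.metastore_exists ? 0 : 1` on `databricks_metastore.this`, a deployment that created the metastore and later flips `metastore_exists` to `true` (for instance when a second workspace is wired into the same region) will plan a destroy of that metastore, and the pre-existing `force_destroy = true` on the same resource means the destroy proceeds even with catalogs attached. Adding `lifecycle { prevent_destroy = true }` to the metastore, or at minimum a comment on the `count` line such as `# Toggling metastore_exists after the first apply destroys the metastore created here`, makes that hazard visible. The resource body continues past the end of this hunk.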
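Review bot: `variable "metastore_exists"` in the uc_init/variables.tf hunk is declared `type = string` but is consumed as a boolean by the `count` expressions in uc_init.tf and the conditional in outputs.tf; Terraform coerces `"true"`/`"false"`, but any other string fails only later with a conversion error, and the root-module call appears to pass a bool (`metastore_exists = false` in the sra.tf hunk earlier in this series). Declaring it `type = bool` and adding a `description` such as "Set to true to reuse the regional metastore instead of creating one" makes the contract explicit and rejects bad input at variable evaluation.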
@@ -52,34 +46,6 @@ module "admin_configuration" { providers = { databricks = databricks.created_workspace } - - depends_on = [ - module.databricks_mws_workspace - ] -} - -// Token Management -module "token_management" { - source = "./databricks_workspace/workspace_security_modules/token_management" - providers = { - databricks = databricks.created_workspace - } - - depends_on = [ - module.databricks_mws_workspace - ] -} - -// Secret Management -module "secret_management" { - source = "./databricks_workspace/workspace_security_modules/secret_management" - providers = { - databricks = databricks.created_workspace - } - - depends_on = [ - module.databricks_mws_workspace - ] } // IP Access Lists - Optional @@ -91,10 +57,6 @@ module "ip_access_list" { } ip_addresses = var.ip_addresses - - depends_on = [ - module.databricks_mws_workspace - ] } // Create Create Cluster - Optional @@ -106,25 +68,17 @@ module "cluster_configuration" { } compliance_security_profile_egress_ports = var.compliance_security_profile_egress_ports - secret_config_reference = module.secret_management.config_reference resource_prefix = var.resource_prefix operation_mode = var.operation_mode - depends_on = [ - module.databricks_mws_workspace, module.secret_management - ] } -// Public Preview - System Table Schemas - Optional -module "public_preview_system_table" { - source = "./databricks_workspace/public_preview/system_schema/" +// System Table Schemas Enablement - Optional +module "system_table" { + source = "./databricks_workspace/workspace_security_modules/system_schema/" count = var.enable_system_tables_schema_boolean ? 1 : 0 providers = { databricks = databricks.created_workspace } - - depends_on = [ - module.databricks_mws_workspace - ] } // SAT Implementation - Optional 
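Review bot: Renaming `module "public_preview_system_table"` to `module "system_table"` changes the Terraform address of every system-schema resource, so an existing state deployed with `enable_system_tables_schema_boolean = true` will plan a disable-then-re-enable of each schema rather than a no-op. A `moved { from = module.public_preview_system_table  to = module.system_table }` block in this file keeps the existing instances in state across the rename. The `workflow` to `lakeflow` change inside the child module would still replace that one resource, which is the intended effect there.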
@@ -135,16 +89,17 @@ module "security_analysis_tool" { databricks = databricks.created_workspace } - databricks_url = module.databricks_mws_workspace.workspace_url - workspace_PAT = module.service_principal.service_principal_id - workspace_id = module.databricks_mws_workspace.workspace_id - account_console_id = var.databricks_account_id - client_id = var.client_id - client_secret = var.client_secret - use_sp_auth = true + databricks_url = module.databricks_mws_workspace.workspace_url + workspace_id = module.databricks_mws_workspace.workspace_id + account_console_id = var.databricks_account_id + client_id = var.client_id + client_secret = var.client_secret + use_sp_auth = true + proxies = {} + analysis_schema_name = "SAT" depends_on = [ - module.databricks_mws_workspace, module.service_principal + module.databricks_mws_workspace ] } @@ -157,8 +112,4 @@ module "audit_log_alerting" { } alert_emails = [var.user_workspace_admin] - - depends_on = [ - module.databricks_mws_workspace, module.uc_assignment - ] } \ No newline at end of file diff --git a/aws-gov/tf/modules/sra/databricks_workspace/solution_accelerators/security_analysis_tool/aws/provider.tf b/aws-gov/tf/modules/sra/databricks_workspace/solution_accelerators/security_analysis_tool/aws/provider.tf index a683b8d..b055acf 100644 --- a/aws-gov/tf/modules/sra/databricks_workspace/solution_accelerators/security_analysis_tool/aws/provider.tf +++ b/aws-gov/tf/modules/sra/databricks_workspace/solution_accelerators/security_analysis_tool/aws/provider.tf @@ -7,8 +7,10 @@ terraform { } module "common" { - source = "../common/" - account_console_id = var.account_console_id - workspace_id = var.workspace_id - sqlw_id = var.sqlw_id + source = "../common/" + account_console_id = var.account_console_id + workspace_id = var.workspace_id + sqlw_id = var.sqlw_id + analysis_schema_name = var.analysis_schema_name + proxies = var.proxies } 
diff --git a/aws-gov/tf/modules/sra/databricks_workspace/solution_accelerators/security_analysis_tool/aws/secrets.tf b/aws-gov/tf/modules/sra/databricks_workspace/solution_accelerators/security_analysis_tool/aws/secrets.tf index 21a0178..db695c4 100644 --- a/aws-gov/tf/modules/sra/databricks_workspace/solution_accelerators/security_analysis_tool/aws/secrets.tf +++ b/aws-gov/tf/modules/sra/databricks_workspace/solution_accelerators/security_analysis_tool/aws/secrets.tf @@ -1,5 +1,17 @@ ### AWS Specific Secrets +resource "databricks_secret" "user" { + key = "user" + string_value = var.account_user + scope = module.common.secret_scope_id +} + +resource "databricks_secret" "pass" { + key = "pass" + string_value = var.account_pass + scope = module.common.secret_scope_id +} + resource "databricks_secret" "use_sp_auth" { key = "use-sp-auth" string_value = var.use_sp_auth diff --git a/aws-gov/tf/modules/sra/databricks_workspace/solution_accelerators/security_analysis_tool/aws/variables.tf b/aws-gov/tf/modules/sra/databricks_workspace/solution_accelerators/security_analysis_tool/aws/variables.tf index a3cccad..bb190f7 100644 --- a/aws-gov/tf/modules/sra/databricks_workspace/solution_accelerators/security_analysis_tool/aws/variables.tf +++ b/aws-gov/tf/modules/sra/databricks_workspace/solution_accelerators/security_analysis_tool/aws/variables.tf @@ -8,11 +8,6 @@ variable "workspace_id" { type = string } -variable "workspace_PAT" { - description = "PAT should look like dapixxxxxxxxxxxxxxxxxxxx" - type = string -} - variable "account_console_id" { description = "Databricks Account Console ID" type = string 
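Review bot: `databricks_secret.user` and `databricks_secret.pass` are created unconditionally from `var.account_user`/`var.account_pass`, whose defaults in this patch's variables.tf are a single space while `use_sp_auth` now defaults to `true`, so the default deployment writes placeholder credentials into the SAT secret scope and into Terraform state. Gating both resources with `count = var.use_sp_auth ? 0 : 1` keeps the user/password path available without materialising dummy secrets. Either way these values are stored in plaintext in state, which is inherent to `databricks_secret`, so the state backend's access controls are what protects them. The `databricks_secret.use_sp_auth` block continues past the end of the hunk.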
@@ -30,10 +25,22 @@ variable "sqlw_id" { ### AWS Specific Variables +variable "account_user" { + description = "Account Console Username" + type = string + default = " " +} + +variable "account_pass" { + description = "Account Console Password" + type = string + default = " " +} + variable "use_sp_auth" { description = "Authenticate with Service Principal OAuth tokens instead of user and password" type = bool - default = false + default = true } variable "client_id" { @@ -47,3 +54,13 @@ variable "client_secret" { type = string default = "value" } + +variable "analysis_schema_name" { + type = string + description = "Name of the schema to be used for analysis" +} + +variable "proxies" { + type = map(any) + description = "Proxies to be used for Databricks API calls" +} \ No newline at end of file diff --git a/aws-gov/tf/modules/sra/databricks_workspace/solution_accelerators/security_analysis_tool/common/jobs.tf b/aws-gov/tf/modules/sra/databricks_workspace/solution_accelerators/security_analysis_tool/common/jobs.tf index 047a810..4fdfe04 100644 --- a/aws-gov/tf/modules/sra/databricks_workspace/solution_accelerators/security_analysis_tool/common/jobs.tf +++ b/aws-gov/tf/modules/sra/databricks_workspace/solution_accelerators/security_analysis_tool/common/jobs.tf 
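Review bot: `variable "account_pass"` carries a password but is not marked sensitive, so its value is echoed in plan and apply output and through the module interface; add `sensitive = true` to it, and the same applies to `client_secret`, whose `default = "value"` tail is visible as context in the next hunk. A `default = " "` whitespace sentinel is also easy to misread as "unset"; if a default is needed, document in the description that the value is ignored while `use_sp_auth` is true. The `variable "client_id"` block continues past the end of the hunk.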
@@ -1,53 +1,65 @@ resource "databricks_job" "initializer" { name = "SAT Initializer Notebook (one-time)" - new_cluster { - num_workers = 5 - spark_version = data.databricks_spark_version.latest_lts.id - node_type_id = data.databricks_node_type.smallest.id - runtime_engine = "PHOTON" - dynamic "gcp_attributes" { - for_each = var.gcp_impersonate_service_account == "" ? [] : [var.gcp_impersonate_service_account] - content { - google_service_account = var.gcp_impersonate_service_account + job_cluster { + job_cluster_key = "job_cluster" + new_cluster { + num_workers = 5 + spark_version = data.databricks_spark_version.latest_lts.id + node_type_id = data.databricks_node_type.smallest.id + runtime_engine = "PHOTON" + dynamic "gcp_attributes" { + for_each = var.gcp_impersonate_service_account == "" ? [] : [var.gcp_impersonate_service_account] + content { + google_service_account = var.gcp_impersonate_service_account + } } } } - library { - pypi { - package = "dbl-sat-sdk" + task { + task_key = "Initializer" + job_cluster_key = "job_cluster" + library { + pypi { + package = "dbl-sat-sdk" + } + } + notebook_task { + notebook_path = "${databricks_repo.security_analysis_tool.workspace_path}/notebooks/security_analysis_initializer" } } - - notebook_task { - notebook_path = "${databricks_repo.security_analysis_tool.path}/notebooks/security_analysis_initializer" - } - } resource "databricks_job" "driver" { name = "SAT Driver Notebook" - new_cluster { - num_workers = 5 - spark_version = data.databricks_spark_version.latest_lts.id - node_type_id = data.databricks_node_type.smallest.id - runtime_engine = "PHOTON" - dynamic "gcp_attributes" { - for_each = var.gcp_impersonate_service_account == "" ? 
[] : [var.gcp_impersonate_service_account] - content { - google_service_account = var.gcp_impersonate_service_account + job_cluster { + job_cluster_key = "job_cluster" + new_cluster { + num_workers = 5 + spark_version = data.databricks_spark_version.latest_lts.id + node_type_id = data.databricks_node_type.smallest.id + runtime_engine = "PHOTON" + dynamic "gcp_attributes" { + for_each = var.gcp_impersonate_service_account == "" ? [] : [var.gcp_impersonate_service_account] + content { + google_service_account = var.gcp_impersonate_service_account + } } } } - library { - pypi { - package = "dbl-sat-sdk" - } - } - notebook_task { - notebook_path = "${databricks_repo.security_analysis_tool.path}/notebooks/security_analysis_driver" + task { + task_key = "Driver" + job_cluster_key = "job_cluster" + library { + pypi { + package = "dbl-sat-sdk" + } + } + notebook_task { + notebook_path = "${databricks_repo.security_analysis_tool.workspace_path}/notebooks/security_analysis_driver" + } } schedule { diff --git a/aws-gov/tf/modules/sra/databricks_workspace/solution_accelerators/security_analysis_tool/common/repo.tf b/aws-gov/tf/modules/sra/databricks_workspace/solution_accelerators/security_analysis_tool/common/repo.tf index 87c1dc5..7b21149 100644 --- a/aws-gov/tf/modules/sra/databricks_workspace/solution_accelerators/security_analysis_tool/common/repo.tf +++ b/aws-gov/tf/modules/sra/databricks_workspace/solution_accelerators/security_analysis_tool/common/repo.tf @@ -1,5 +1,7 @@ #Make sure Files in Repos option is enabled in Workspace Admin Console > Workspace Settings resource "databricks_repo" "security_analysis_tool" { - url = "https://github.com/databricks-industry-solutions/security-analysis-tool.git" + url = "https://github.com/databricks-industry-solutions/security-analysis-tool.git" + branch = "main" + path = "/Workspace/Applications/SAT_TF" } 
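Review bot: Both new `task` blocks keep `library { pypi { package = "dbl-sat-sdk" } }` with no version constraint, so every run of the initializer and driver jobs installs whatever PyPI currently serves. These notebooks run with the privileges granted to the SAT service principal, so an unpinned dependency is a supply-chain exposure as well as a reproducibility problem; pin it, e.g. `package = "dbl-sat-sdk==<pinned version>"` (placeholder), and bump deliberately. The `job_cluster` block is duplicated verbatim between `initializer` and `driver`; a shared `locals` value would keep the two in step. `databricks_job.driver` continues past `schedule {` outside the hunk.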
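Review bot: `branch = "main"` checks out the moving head of the upstream repository, so the notebooks the two jobs execute change whenever upstream pushes, with no Terraform change to review. `databricks_repo` also accepts `tag`, so pinning to a release (`tag = "<release tag>"`, placeholder) gives a reviewable, reproducible checkout and upgrades become explicit plan diffs. If tracking main is intended, a comment stating that trade-off would help the next maintainer.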
diff --git a/aws-gov/tf/modules/sra/databricks_workspace/solution_accelerators/security_analysis_tool/common/secrets.tf b/aws-gov/tf/modules/sra/databricks_workspace/solution_accelerators/security_analysis_tool/common/secrets.tf index 40ef89d..c905f1c 100644 --- a/aws-gov/tf/modules/sra/databricks_workspace/solution_accelerators/security_analysis_tool/common/secrets.tf +++ b/aws-gov/tf/modules/sra/databricks_workspace/solution_accelerators/security_analysis_tool/common/secrets.tf @@ -8,17 +8,6 @@ resource "databricks_secret" "user_email" { scope = databricks_secret_scope.sat.id } -resource "databricks_token" "pat" { - lifetime_seconds = 86400 * 365 - comment = "Security Analysis Tool" -} - -resource "databricks_secret" "pat" { - key = "sat-token-${var.workspace_id}" - string_value = databricks_token.pat.token_value - scope = databricks_secret_scope.sat.id -} - resource "databricks_secret" "account_console_id" { key = "account-console-id" string_value = var.account_console_id @@ -30,3 +19,15 @@ resource "databricks_secret" "sql_warehouse_id" { string_value = var.sqlw_id == "new" ? databricks_sql_endpoint.new[0].id : data.databricks_sql_warehouse.old[0].id scope = databricks_secret_scope.sat.id } + +resource "databricks_secret" "analysis_schema_name" { + key = "analysis_schema_name" + string_value = var.analysis_schema_name + scope = databricks_secret_scope.sat.id +} + +resource "databricks_secret" "proxies" { + key = "proxies" + string_value = jsonencode(var.proxies) + scope = databricks_secret_scope.sat.id +} \ No newline at end of file diff --git a/aws-gov/tf/modules/sra/databricks_workspace/solution_accelerators/security_analysis_tool/common/variables.tf b/aws-gov/tf/modules/sra/databricks_workspace/solution_accelerators/security_analysis_tool/common/variables.tf index 9a99283..150ac5a 100644 --- a/aws-gov/tf/modules/sra/databricks_workspace/solution_accelerators/security_analysis_tool/common/variables.tf 
+++ b/aws-gov/tf/modules/sra/databricks_workspace/solution_accelerators/security_analysis_tool/common/variables.tf @@ -34,3 +34,13 @@ variable "gcp_impersonate_service_account" { description = "GCP Service Account to impersonate (e.g. xyz-sa-2@project.iam.gserviceaccount.com)" default = "" } + +variable "analysis_schema_name" { + type = string + description = "Name of the schema to be used for analysis" +} + +variable "proxies" { + type = map(any) + description = "Proxies to be used for Databricks API calls" +} diff --git a/aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/cluster_configuration/cluster_configuration.tf b/aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/cluster_configuration/cluster_configuration.tf index ac294fd..ed3d319 100644 --- a/aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/cluster_configuration/cluster_configuration.tf +++ b/aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/cluster_configuration/cluster_configuration.tf @@ -49,7 +49,7 @@ locals { } ) - selected_policy = var.operation_mode == "Isolated" ? local.default_policy : local.isolated_policy + selected_policy = var.operation_mode == "isolated" ? local.isolated_policy : local.default_policy final_policy = { for k, v in local.selected_policy : k => v if v != null } } @@ -73,10 +73,6 @@ resource "databricks_cluster" "example" { max_workers = 2 } - spark_conf = { - "secret.example" = var.secret_config_reference - } - depends_on = [ databricks_cluster_policy.example ] diff --git a/aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/cluster_configuration/variables.tf b/aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/cluster_configuration/variables.tf index 744ce90..29344f3 100644 --- a/aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/cluster_configuration/variables.tf 
+++ b/aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/cluster_configuration/variables.tf @@ -9,8 +9,4 @@ variable "operation_mode" { variable "resource_prefix" { type = string -} - -variable "secret_config_reference" { - type = string } \ No newline at end of file diff --git a/aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/secret_management/output.tf b/aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/secret_management/output.tf deleted file mode 100644 index ca80979..0000000 --- a/aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/secret_management/output.tf +++ /dev/null @@ -1,3 +0,0 @@ -output "config_reference" { - value = databricks_secret.example_app_secret.config_reference -} \ No newline at end of file diff --git a/aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/secret_management/provider.tf b/aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/secret_management/provider.tf deleted file mode 100644 index bdd3474..0000000 --- a/aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/secret_management/provider.tf +++ /dev/null @@ -1,7 +0,0 @@ -terraform { - required_providers { - databricks = { - source = "databricks/databricks" - } - } -} diff --git a/aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/secret_management/secret_management.tf b/aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/secret_management/secret_management.tf deleted file mode 100644 index 65f0be9..0000000 --- a/aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/secret_management/secret_management.tf +++ /dev/null 
@@ -1,11 +0,0 @@ -// Terraform Documentation: https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/secret - -resource "databricks_secret_scope" "app" { - name = "application-secret-scope" -} - -resource "databricks_secret" "example_app_secret" { - key = "example_api_secret" - string_value = "value that should be hidden from Terraform!" - scope = databricks_secret_scope.app.id -} \ No newline at end of file diff --git a/aws-gov/tf/modules/sra/databricks_workspace/public_preview/system_schema/provider.tf b/aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/system_schema/provider.tf similarity index 100% rename from aws-gov/tf/modules/sra/databricks_workspace/public_preview/system_schema/provider.tf rename to aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/system_schema/provider.tf diff --git a/aws-gov/tf/modules/sra/databricks_workspace/public_preview/system_schema/system_schema.tf b/aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/system_schema/system_schema.tf similarity index 87% rename from aws-gov/tf/modules/sra/databricks_workspace/public_preview/system_schema/system_schema.tf rename to aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/system_schema/system_schema.tf index 617dffb..180bf9f 100644 --- a/aws-gov/tf/modules/sra/databricks_workspace/public_preview/system_schema/system_schema.tf +++ b/aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/system_schema/system_schema.tf @@ -12,8 +12,8 @@ resource "databricks_system_schema" "compute" { schema = "compute" } -resource "databricks_system_schema" "workflow" { - schema = "workflow" +resource "databricks_system_schema" "lakeflow" { + schema = "lakeflow" } resource "databricks_system_schema" "marketplace" { 
diff --git a/aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/token_management/provider.tf b/aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/token_management/provider.tf deleted file mode 100644 index bdd3474..0000000 --- a/aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/token_management/provider.tf +++ /dev/null @@ -1,7 +0,0 @@ -terraform { - required_providers { - databricks = { - source = "databricks/databricks" - } - } -} diff --git a/aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/token_management/token_management.tf b/aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/token_management/token_management.tf deleted file mode 100644 index 980ab4e..0000000 --- a/aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/token_management/token_management.tf +++ /dev/null @@ -1,7 +0,0 @@ -// Terraform Documentation: https://registry.terraform.io/providers/databricks/databricks/latest/docs/resources/token - -resource "databricks_token" "pat" { - comment = "Terraform Provisioning" - // 30 day token - lifetime_seconds = 2592000 -} \ No newline at end of file diff --git a/aws-gov/tf/modules/sra/privatelink.tf b/aws-gov/tf/modules/sra/privatelink.tf index ee32db7..d85dff3 100644 --- a/aws-gov/tf/modules/sra/privatelink.tf +++ b/aws-gov/tf/modules/sra/privatelink.tf @@ -287,9 +287,6 @@ module "vpc_endpoints" { } } } - depends_on = [ - module.vpc, module.databricks_mws_workspace - ] } // Databricks REST endpoint - skipped in custom operation mode diff --git a/aws-gov/tf/modules/sra/variables.tf b/aws-gov/tf/modules/sra/variables.tf index 6517d80..4de4e29 100644 --- a/aws-gov/tf/modules/sra/variables.tf +++ b/aws-gov/tf/modules/sra/variables.tf 
@@ -259,11 +259,6 @@ variable "workspace" { } } -variable "workspace_admin_service_principal_name" { - description = "Service principal name" - type = string -} - // AWS Gov Only Variables variable "databricks_gov_shard" { description = "Gov Shard civilian or dod" diff --git a/aws-gov/tf/sra.tf b/aws-gov/tf/sra.tf index 062bce3..2698530 100644 --- a/aws-gov/tf/sra.tf +++ b/aws-gov/tf/sra.tf @@ -21,11 +21,10 @@ module "SRA" { resource_prefix = var.resource_prefix // REQUIRED - Workspace and Unity Catalog: - user_workspace_admin = null // Workspace admin user email. - user_workspace_catalog_admin = null // Workspace catalog admin email. - operation_mode = "isolated" // Operation mode (sandbox, custom, firewall, isolated), see README.md for more information. - workspace_admin_service_principal_name = "sra-example-sp" // Creates an example admin SP for automation use cases. - metastore_exists = false // If a regional metastore exists set to true. If there are multiple regional metastores, you can comment out "uc_init" and add the metastore ID directly in to the module call for "uc_assignment". + user_workspace_admin = null // Workspace admin user email. + user_workspace_catalog_admin = null // Workspace catalog admin email. + operation_mode = "isolated" // Operation mode (sandbox, custom, firewall, isolated), see README.md for more information. + metastore_exists = false // If a regional metastore exists set to true. If there are multiple regional metastores, you can comment out "uc_init" and add the metastore ID directly in to the module call for "uc_assignment". // REQUIRED - AWS Infrastructure: cmk_admin_arn = null // CMK admin ARN, defaults to the AWS account root user. 
@@ -51,7 +50,7 @@ module "SRA" { custom_relay_vpce_id = null custom_workspace_vpce_id = null - // OPTIONAL - Examples, Workspace Hardening, Public Previews, and Solution Accelerators: + // OPTIONAL - Examples, Workspace Hardening, and Solution Accelerators: enable_read_only_external_location_boolean = false // Set to true to enable a read-only external location. read_only_data_bucket = null // S3 bucket name for read-only data. read_only_external_location_admin = null // Admin for the external location. @@ -68,7 +67,7 @@ module "SRA" { enable_ip_boolean = false // Set to true to enable IP access list. ip_addresses = ["X.X.X.X", "X.X.X.X/XX", "X.X.X.X/XX"] // Specify IP addresses for access. - enable_system_tables_schema_boolean = false // Set to true to enable system table schemas (Public Preview). + enable_system_tables_schema_boolean = false // Set to true to enable system table schemas enable_sat_boolean = false // Set to true to enable Security Analysis Tool. https://github.com/databricks-industry-solutions/security-analysis-tool enable_audit_log_alerting = false // Set to true to create 40+ queries for audit log alerting based on user activity. https://github.com/andyweaves/system-tables-audit-logs From 9f3237f7346126764cd7fac07ff837aad247efd8 Mon Sep 17 00:00:00 2001 From: Andrew Tolbert Date: Fri, 13 Sep 2024 13:25:20 -0400 Subject: [PATCH 19/24] Update README.md --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index b5ce12d..094d60f 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,6 @@ # Security Reference Architectures (SRA) - Terraform Templates +![image](https://i.ibb.co/RbSwKxK/Screenshot-2024-09-13-at-1-20-12-PM.png) + ## Project Overview From c574034e11d594eae2e13c514fc7a674f4e4c1b0 Mon Sep 17 00:00:00 2001 
From: jdbraun Date: Fri, 13 Sep 2024 12:44:28 -0500 Subject: [PATCH 20/24] adding explicit depends on for uc_assignment to system tables and adding default catalog as the sra catalog, not hive --- .../databricks_account/uc_assignment/uc_assignment.tf | 1 - aws/tf/modules/sra/databricks_workspace.tf | 1 + .../workspace_security_modules/uc_catalog/uc_catalog.tf | 9 ++++++++- 3 files changed, 9 insertions(+), 2 deletions(-) diff --git a/aws/tf/modules/sra/databricks_account/uc_assignment/uc_assignment.tf b/aws/tf/modules/sra/databricks_account/uc_assignment/uc_assignment.tf index 39721dd..5ead29d 100644 --- a/aws/tf/modules/sra/databricks_account/uc_assignment/uc_assignment.tf +++ b/aws/tf/modules/sra/databricks_account/uc_assignment/uc_assignment.tf @@ -3,5 +3,4 @@ resource "databricks_metastore_assignment" "default_metastore" { workspace_id = var.workspace_id metastore_id = var.metastore_id - default_catalog_name = "hive_metastore" } \ No newline at end of file diff --git a/aws/tf/modules/sra/databricks_workspace.tf b/aws/tf/modules/sra/databricks_workspace.tf index ed6c09d..f25d0af 100644 --- a/aws/tf/modules/sra/databricks_workspace.tf +++ b/aws/tf/modules/sra/databricks_workspace.tf @@ -73,6 +73,7 @@ module "system_table" { providers = { databricks = databricks.created_workspace } + depends_on = [ module.uc_assignment ] } // SAT Implementation - Optional diff --git a/aws/tf/modules/sra/databricks_workspace/workspace_security_modules/uc_catalog/uc_catalog.tf b/aws/tf/modules/sra/databricks_workspace/workspace_security_modules/uc_catalog/uc_catalog.tf index 108992f..6595b61 100644 --- a/aws/tf/modules/sra/databricks_workspace/workspace_security_modules/uc_catalog/uc_catalog.tf +++ b/aws/tf/modules/sra/databricks_workspace/workspace_security_modules/uc_catalog/uc_catalog.tf 
@@ -139,7 +139,7 @@ resource "databricks_external_location" "workspace_catalog_external_location" { // Workspace Catalog resource "databricks_catalog" "workspace_catalog" { - name = var.uc_catalog_name + name = replace(var.uc_catalog_name, "-", "_") comment = "This catalog is for workspace - ${var.workspace_id}" isolation_mode = "ISOLATED" storage_root = "s3://${var.uc_catalog_name}/catalog/" @@ -149,6 +149,13 @@ resource "databricks_catalog" "workspace_catalog" { depends_on = [databricks_external_location.workspace_catalog_external_location] } +// Set Workspace Catalog as Default +resource "databricks_default_namespace_setting" "this" { + namespace { + value = replace(var.uc_catalog_name, "-", "_") + } +} + // Grant Admin Catalog Perms resource "databricks_grant" "workspace_catalog" { catalog = databricks_catalog.workspace_catalog.name From 8e869d594c7d58e25529e28051c127125b03f7c2 Mon Sep 17 00:00:00 2001 From: Antonio Irizarry Date: Fri, 13 Sep 2024 15:53:32 -0400 Subject: [PATCH 21/24] AWS Gov: adding explicit depends on for uc_assignment to system tables and adding default catalog as the sra catalog, not hive --- .../databricks_account/uc_assignment/uc_assignment.tf | 1 - aws-gov/tf/modules/sra/databricks_workspace.tf | 3 ++- .../workspace_security_modules/uc_catalog/uc_catalog.tf | 9 ++++++++- 3 files changed, 10 insertions(+), 3 deletions(-) diff --git a/aws-gov/tf/modules/sra/databricks_account/uc_assignment/uc_assignment.tf b/aws-gov/tf/modules/sra/databricks_account/uc_assignment/uc_assignment.tf index 39721dd..5ead29d 100644 --- a/aws-gov/tf/modules/sra/databricks_account/uc_assignment/uc_assignment.tf +++ b/aws-gov/tf/modules/sra/databricks_account/uc_assignment/uc_assignment.tf @@ -3,5 +3,4 @@ resource "databricks_metastore_assignment" "default_metastore" { workspace_id = var.workspace_id metastore_id = var.metastore_id - default_catalog_name = "hive_metastore" } \ No newline at end of file 
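Review bot: `databricks_default_namespace_setting.this` recomputes `replace(var.uc_catalog_name, "-", "_")` instead of referencing the catalog it is meant to point at, so there is no implicit dependency on `databricks_catalog.workspace_catalog` and the two name transforms can drift if one is later changed. Using `value = databricks_catalog.workspace_catalog.name` fixes both: the setting is created after the catalog and always names the same object. The aws-gov counterpart in patch 21 (`@@ -201,6 +201,13 @@`) has the same issue. `databricks_grant.workspace_catalog` continues past the end of the hunk.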
diff --git a/aws-gov/tf/modules/sra/databricks_workspace.tf b/aws-gov/tf/modules/sra/databricks_workspace.tf index b72573d..bc22223 100644 --- a/aws-gov/tf/modules/sra/databricks_workspace.tf +++ b/aws-gov/tf/modules/sra/databricks_workspace.tf @@ -13,7 +13,7 @@ module "uc_catalog" { uc_catalog_name = "${var.resource_prefix}-catalog-${module.databricks_mws_workspace.workspace_id}" cmk_admin_arn = var.cmk_admin_arn == null ? "arn:aws-us-gov:iam::${var.databricks_prod_aws_account_id[var.databricks_gov_shard]}:root" : var.cmk_admin_arn workspace_id = module.databricks_mws_workspace.workspace_id - user_workspace_catalog_admin = var.workspace_catalog_admin + user_workspace_catalog_admin = var.user_workspace_catalog_admin databricks_gov_shard = var.databricks_gov_shard databricks_prod_aws_account_id = var.databricks_prod_aws_account_id uc_master_role_id = var.uc_master_role_id @@ -79,6 +79,7 @@ module "system_table" { providers = { databricks = databricks.created_workspace } + depends_on = [ module.uc_assignment ] } // SAT Implementation - Optional diff --git a/aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/uc_catalog/uc_catalog.tf b/aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/uc_catalog/uc_catalog.tf index c160f8f..a3f49cf 100644 --- a/aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/uc_catalog/uc_catalog.tf +++ b/aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/uc_catalog/uc_catalog.tf @@ -191,7 +191,7 @@ resource "databricks_external_location" "workspace_catalog_external_location" { // Workspace Catalog resource "databricks_catalog" "workspace_catalog" { - name = var.uc_catalog_name + name = replace(var.uc_catalog_name, "-", "_") comment = "This catalog is for workspace - ${var.workspace_id}" isolation_mode = "ISOLATED" storage_root = "s3://${var.uc_catalog_name}/catalog/" 
@@ -201,6 +201,13 @@ resource "databricks_catalog" "workspace_catalog" { depends_on = [databricks_external_location.workspace_catalog_external_location] } +// Set Workspace Catalog as Default +resource "databricks_default_namespace_setting" "this" { + namespace { + value = replace(var.uc_catalog_name, "-", "_") + } +} + // Grant Admin Catalog Perms resource "databricks_grant" "workspace_catalog" { catalog = databricks_catalog.workspace_catalog.name From b2a579e372be3372442e378ef8480527ed259806 Mon Sep 17 00:00:00 2001 From: Andrew Tolbert Date: Tue, 17 Sep 2024 13:05:50 -0400 Subject: [PATCH 22/24] Update README.md added centering and SRA icon --- README.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 094d60f..967c638 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,7 @@ # Security Reference Architectures (SRA) - Terraform Templates -![image](https://i.ibb.co/RbSwKxK/Screenshot-2024-09-13-at-1-20-12-PM.png) - +

    + +

    ## Project Overview From 6e1a1484ea7aa124e79791c3cffc4c621c08f332 Mon Sep 17 00:00:00 2001 From: Antonio Irizarry Date: Sun, 22 Sep 2024 14:08:22 -0400 Subject: [PATCH 23/24] Fixing AWS Gov only variables --- aws-gov/tf/modules/sra/databricks_account.tf | 4 ++-- aws-gov/tf/modules/sra/variables.tf | 14 +++++++++++- aws-gov/tf/sra.tf | 3 --- aws-gov/tf/variables.tf | 24 -------------------- 4 files changed, 15 insertions(+), 30 deletions(-) diff --git a/aws-gov/tf/modules/sra/databricks_account.tf b/aws-gov/tf/modules/sra/databricks_account.tf index 26b859a..bc03e38 100644 --- a/aws-gov/tf/modules/sra/databricks_account.tf +++ b/aws-gov/tf/modules/sra/databricks_account.tf @@ -11,8 +11,8 @@ module "log_delivery" { databricks_account_id = var.databricks_account_id resource_prefix = var.resource_prefix databricks_gov_shard = var.databricks_gov_shard - databricks_prod_aws_account_id = var.databricks_prod_aws_account_id[var.databricks_gov_shard] - log_delivery_role_name = var.log_delivery_role_name[var.databricks_gov_shard] + databricks_prod_aws_account_id = var.databricks_prod_aws_account_id + log_delivery_role_name = var.log_delivery_role_name } diff --git a/aws-gov/tf/modules/sra/variables.tf b/aws-gov/tf/modules/sra/variables.tf index 4de4e29..c235c3b 100644 --- a/aws-gov/tf/modules/sra/variables.tf +++ b/aws-gov/tf/modules/sra/variables.tf 
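Review bot: `module "log_delivery"` now receives the whole `var.databricks_prod_aws_account_id` and `var.log_delivery_role_name` maps instead of the shard-indexed strings, but this patch touches no file under the log_delivery module, so its two input variables must already be `map(string)` and index by `databricks_gov_shard` internally — otherwise `terraform validate` fails on a type mismatch. Worth confirming against the module's variables.tf, which is not in this patch; if it expects strings, keeping `[var.databricks_gov_shard]` at the call site is the one-line fix. The module block's opening line is the hunk's header context.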
@@ -265,18 +265,30 @@ variable "databricks_gov_shard" { type = string } + variable "databricks_prod_aws_account_id" { description = "Databricks Prod AWS Account Id" type = map(string) + default = { + "civilian" = "044793339203" + "dod" = "170661010020" + } } variable "log_delivery_role_name" { description = "Log Delivery Role Name" type = map(string) + default = { + "civilian" = "SaasUsageDeliveryRole-prod-aws-gov-IAMRole-L4QM0RCHYQ1G" + "dod" = "SaasUsageDeliveryRole-prod-aws-gov-dod-IAMRole-1DMEHBYR8VC5P" + } } variable "uc_master_role_id" { description = "UC Master Role ID" type = map(string) + default = { + "civilian" = "1QRFA8SGY15OJ" + "dod" = "1DI6DL6ZP26AS" + } } - diff --git a/aws-gov/tf/sra.tf b/aws-gov/tf/sra.tf index 2698530..90af84e 100644 --- a/aws-gov/tf/sra.tf +++ b/aws-gov/tf/sra.tf @@ -13,9 +13,6 @@ module "SRA" { region = var.region databricks_gov_shard = var.databricks_gov_shard region_name = var.region_name[var.databricks_gov_shard] - databricks_prod_aws_account_id = var.databricks_prod_aws_account_id[var.databricks_gov_shard] - uc_master_role_id = var.uc_master_role_id[var.databricks_gov_shard] - log_delivery_role_name = var.log_delivery_role_name[var.databricks_gov_shard] // REQUIRED - Naming and Tagging: resource_prefix = var.resource_prefix diff --git a/aws-gov/tf/variables.tf b/aws-gov/tf/variables.tf index 71a5bd5..638e1ab 100644 --- a/aws-gov/tf/variables.tf +++ b/aws-gov/tf/variables.tf 
@@ -63,28 +63,4 @@ variable "databricks_gov_shard" { condition = contains(["civilian", "dod"], var.databricks_gov_shard) error_message = "Valid values for var: databricks_gov_shard are (civilian, dod)." } -} - -variable "databricks_prod_aws_account_id" { - type = map(string) - default = { - "civilian" = "044793339203" - "dod" = "170661010020" - } -} - -variable "log_delivery_role_name" { - type = map(string) - default = { - "civilian" = "SaasUsageDeliveryRole-prod-aws-gov-IAMRole-L4QM0RCHYQ1G" - "dod" = "SaasUsageDeliveryRole-prod-aws-gov-dod-IAMRole-1DMEHBYR8VC5P" - } -} - -variable "uc_master_role_id" { - type = map(string) - default = { - "civilian" = "1QRFA8SGY15OJ" - "dod" = "1DI6DL6ZP26AS" - } } \ No newline at end of file From b98beea14242fc1baa907c7f34000dc478fee1e2 Mon Sep 17 00:00:00 2001 From: Antonio Irizarry <55394816+airizarryDB@users.noreply.github.com> Date: Thu, 3 Oct 2024 14:41:29 -0400 Subject: [PATCH 24/24] Update uc_catalog.tf for aws-gov Fixed arn for aws gov --- .../workspace_security_modules/uc_catalog/uc_catalog.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/uc_catalog/uc_catalog.tf b/aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/uc_catalog/uc_catalog.tf index a3f49cf..b2491d6 100644 --- a/aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/uc_catalog/uc_catalog.tf +++ b/aws-gov/tf/modules/sra/databricks_workspace/workspace_security_modules/uc_catalog/uc_catalog.tf @@ -107,7 +107,7 @@ resource "aws_kms_key" "catalog_storage" { "Sid" : "Allow IAM Role to use the key", "Effect" : "Allow", "Principal" : { - "AWS" : "arn:aws-us-gov:iam::${var.databricks_prod_aws_account_id[var.databricks_gov_shard]}:role/${var.resource_prefix}-catalog-${var.workspace_id}" + "AWS" : "arn:aws-us-gov:iam::${var.aws_account_id}:role/${var.resource_prefix}-catalog-${var.workspace_id}" }, "Action" : [ "kms:Decrypt",