From 396525ad041eea9a68900045b94554cf8bb43880 Mon Sep 17 00:00:00 2001 
From: iru Date: Mon, 18 Jul 2022 10:28:48 +0200 Subject: [PATCH] feat!: Enable in org-ecs, cloudtrail-s3-sns-sqs ingestor (#103) --- README.md | 8 +- examples/organizational/README.md | 7 +- examples/organizational/cloudtrail.tf | 8 +- examples/organizational/main.tf | 9 +- examples/organizational/permissions.tf | 9 +- examples/organizational/variables.tf | 48 +++- examples/organizational/versions.tf | 1 + .../single-account-apprunner/cloudtrail.tf | 2 +- examples/single-account-apprunner/outputs.tf | 2 +- examples/single-account-ecs/cloudtrail.tf | 2 +- examples/single-account-ecs/main.tf | 5 +- examples/single-account-ecs/outputs.tf | 2 +- .../single-account-k8s/cloud-connector.tf | 6 +- examples/single-account-k8s/cloudtrail.tf | 2 +- modules/infrastructure/cloudtrail/README.md | 2 +- modules/infrastructure/cloudtrail/outputs.tf | 2 +- .../cloudtrail_s3-sns-sqs/main.tf | 6 +- .../permissions/org-role-ecs/README.md | 1 + .../permissions/org-role-ecs/main.tf | 89 +++--- .../sqs-sns-subscription/README.md | 2 +- .../sqs-sns-subscription/main.tf | 4 +- .../sqs-sns-subscription/variables.tf | 2 +- .../services/cloud-connector-apprunner/sqs.tf | 8 +- .../services/cloud-connector-ecs/README.md | 10 +- .../cloudconnector-config.tf | 31 ++- .../cloud-connector-ecs/permissions.tf | 55 ++-- modules/services/cloud-connector-ecs/sqs.tf | 15 +- .../services/cloud-connector-ecs/variables.tf | 27 +- .../services/cloud-connector-ecs/versions.tf | 1 + .../org-existing-cloudtrail-ecs-vpc-subnet.md | 10 +- use-cases/org-s3-k8s-filtered-account.md | 2 +- ...rg-three-cross-account-s3-event-forward.md | 256 ++++++++++++++++++ use-cases/org-three-cross-account-setup.md | 193 ------------- .../resources/org-three-way-permissions.png | Bin 0 -> 111497 bytes .../resources/org-three-way-permissions.py | 34 +++ 35 files changed, 528 insertions(+), 333 deletions(-) create mode 100644 use-cases/org-three-cross-account-s3-event-forward.md delete mode 100644 
use-cases/org-three-cross-account-setup.md create mode 100644 use-cases/resources/org-three-way-permissions.png create mode 100644 use-cases/resources/org-three-way-permissions.py diff --git a/README.md b/README.md index 38d23e68..c101730f 100644 --- a/README.md +++ b/README.md @@ -142,7 +142,7 @@ Some components may vary, or may be deployed on different accounts (depending on This would be an overall schema of the **created resources**, for the default setup. - Cloudtrail / SNS / S3 / SQS -- SSM Parameter for Sysdig API Token Storage +- SSM Parameter for Sysdig API Token Storage - Sysdig Workload: ECS / AppRunner creation (EKS is pre-required, not created) - each compute solution require a role to assume for execution - CodeBuild for on-demand image scanning @@ -223,6 +223,10 @@ It may take some time, but you should see logs detecting the new image in the EC ## Troubleshooting +## Q-Networking: What's the requirements for the inbound/outbound connection? +A: Refer to [Sysdig SASS Region and IP Ranges Documentation](https://docs.sysdig.com/en/docs/administration/saas-regions-and-ip-ranges/) to get Sysdig SaaS endpoint and allow both outbound (for compute vulnerability report) and inbound (for scheduled compliance checkups) +
ECS type deployment will create following [security-group setup](https://github.com/sysdiglabs/terraform-aws-secure-for-cloud/blob/master/modules/services/cloud-connector-ecs/sec-group.tf) + ## Q-General: Need to modify cloud-connector config (to troubleshoot with `debug` loglevel, modify ingestors for testing, ...) A: both in ECS and AppRunner workload types, cloud-connector configuration is passed as a base64-encoded string through the env var `CONFIG`
S: Get current value, decode it, edit the desired (ex.:`logging: debug` value), encode it again, and spin it again with this new definition. @@ -245,7 +249,7 @@ A: Need to check several steps ### Q-AWS: In the ECS compute flavor of secure for cloud, I don't see any logs in the cloud-connector component A: This may be due to the task not beinb able to start, normally due not not having enough permissions to even fetch the secure apiToken, stored in the AWS SSM service. -
S: Access the task and see if there is any value in the "Stoped Reason" field. +
S: Access the task and see if there is any value in the "Stopped Reason" field. ### Q-AWS: Getting error "Error: failed creating ECS Task Definition: ClientException: No Fargate configuration exists for given values. A: Your ECS task_size values aren't valid for Fargate. Specifically, your mem_limit value is too big for the cpu_limit you specified diff --git a/examples/organizational/README.md b/examples/organizational/README.md index 9e363e37..85b619b3 100644 --- a/examples/organizational/README.md +++ b/examples/organizational/README.md 
@@ -179,10 +179,8 @@ $ terraform apply |------|-------------|------|---------|:--------:| | [sysdig\_secure\_for\_cloud\_member\_account\_id](#input\_sysdig\_secure\_for\_cloud\_member\_account\_id) | organizational member account where the secure-for-cloud workload is going to be deployed | `string` | n/a | yes | | [benchmark\_regions](#input\_benchmark\_regions) | List of regions in which to run the benchmark. If empty, the task will contain all aws regions by default. | `list(string)` | `[]` | no | -| [cloudtrail\_is\_multi\_region\_trail](#input\_cloudtrail\_is\_multi\_region\_trail) | true/false whether cloudtrail will ingest multiregional events. testing/economization purpose. | `bool` | `true` | no | -| [cloudtrail\_kms\_enable](#input\_cloudtrail\_kms\_enable) | true/false whether cloudtrail delivered events to S3 should persist encrypted | `bool` | `true` | no | -| [cloudtrail\_s3\_arn](#input\_cloudtrail\_s3\_arn) | ARN of a pre-existing cloudtrail\_sns s3 bucket. Used together with `cloudtrail_sns_arn`, `cloudtrail_s3_arn`. If it does not exist, it will be inferred from create cloudtrail | `string` | `"create"` | no | -| [cloudtrail\_sns\_arn](#input\_cloudtrail\_sns\_arn) | ARN of a pre-existing cloudtrail\_sns. Used together with `cloudtrail_sns_arn`, `cloudtrail_s3_arn`. If it does not exist, it will be inferred from created cloudtrail. Providing an ARN requires permission to SNS:Subscribe, check ./modules/infrastructure/cloudtrail/sns\_permissions.tf block | `string` | `"create"` | no | +| [cloudtrail\_is\_multi\_region\_trail](#input\_cloudtrail\_is\_multi\_region\_trail) | true/false whether the created cloudtrail will ingest multi-regional events. testing/economization purpose. 
| `bool` | `true` | no | +| [cloudtrail\_kms\_enable](#input\_cloudtrail\_kms\_enable) | true/false whether the created cloudtrail should deliver encrypted events to s3 | `bool` | `true` | no | | [connector\_ecs\_task\_role\_name](#input\_connector\_ecs\_task\_role\_name) | Name for the ecs task role. This is only required to resolve cyclic dependency with organizational approach | `string` | `"organizational-ECSTaskRole"` | no | | [deploy\_benchmark](#input\_deploy\_benchmark) | Whether to deploy or not the cloud benchmarking | `bool` | `true` | no | | [deploy\_image\_scanning\_ecr](#input\_deploy\_image\_scanning\_ecr) | true/false whether to deploy the image scanning on ECR pushed images | `bool` | `false` | no | @@ -193,6 +191,7 @@ $ terraform apply | [ecs\_vpc\_id](#input\_ecs\_vpc\_id) | ID of the VPC where the workload is to be deployed. Defaulted to be created when `ecs_cluster_name is not provided.` | `string` | `"create"` | no | | [ecs\_vpc\_region\_azs](#input\_ecs\_vpc\_region\_azs) | List of Availability Zones for ECS VPC creation. e.g.: ["apne1-az1", "apne1-az2"]. If defaulted, two of the default 'aws\_availability\_zones' datasource will be taken | `list(string)` | `[]` | no | | [ecs\_vpc\_subnets\_private\_ids](#input\_ecs\_vpc\_subnets\_private\_ids) | List of VPC subnets where workload is to be deployed. Defaulted to be created when `ecs_cluster_name is not provided.` | `list(string)` | `[]` | no | +| [existing\_cloudtrail\_config](#input\_existing\_cloudtrail\_config) | Optional block. If not set, a new cloudtrail, sns and sqs resources will be created

If there's an existing cloudtrail, input mandatory attributes, and one of the 1, 2 or 3 grouped labeled optionals.
|
object({
cloudtrail_s3_arn = optional(string)
cloudtrail_sns_arn = optional(string)
cloudtrail_s3_role_arn = optional(string)
cloudtrail_s3_sns_sqs_arn = optional(string)
cloudtrail_s3_sns_sqs_url = optional(string)
})
|
{
"cloudtrail_s3_arn": "create",
"cloudtrail_s3_role_arn": null,
"cloudtrail_s3_sns_sqs_arn": null,
"cloudtrail_s3_sns_sqs_url": null,
"cloudtrail_sns_arn": "create"
}
| no | | [name](#input\_name) | Name to be assigned to all child resources. A suffix may be added internally when required. Use default value unless you need to install multiple instances | `string` | `"sfc"` | no | | [organizational\_member\_default\_admin\_role](#input\_organizational\_member\_default\_admin\_role) | Default role created by AWS for management-account users to be able to admin member accounts.
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_access.html | `string` | `"OrganizationAccountAccessRole"` | no | | [tags](#input\_tags) | sysdig secure-for-cloud tags. always include 'product' default tag for resource-group proper functioning | `map(string)` |
{
"product": "sysdig-secure-for-cloud"
}
| no | diff --git a/examples/organizational/cloudtrail.tf b/examples/organizational/cloudtrail.tf index 2f89c429..1dcd4fb0 100644 --- a/examples/organizational/cloudtrail.tf +++ b/examples/organizational/cloudtrail.tf @@ -1,12 +1,12 @@ locals { - cloudtrail_deploy = var.cloudtrail_sns_arn == "create" - cloudtrail_sns_arn = local.cloudtrail_deploy ? module.cloudtrail[0].sns_topic_arn : var.cloudtrail_sns_arn - cloudtrail_s3_arn = local.cloudtrail_deploy ? module.cloudtrail[0].s3_bucket_arn : var.cloudtrail_s3_arn + deploy_cloudtrail = var.existing_cloudtrail_config == null || var.existing_cloudtrail_config.cloudtrail_sns_arn == "create" || var.existing_cloudtrail_config.cloudtrail_sns_arn == null + cloudtrail_sns_arn = local.deploy_cloudtrail ? module.cloudtrail[0].cloudtrail_sns_arn : var.existing_cloudtrail_config.cloudtrail_sns_arn + cloudtrail_s3_arn = local.deploy_cloudtrail ? module.cloudtrail[0].s3_bucket_arn : var.existing_cloudtrail_config.cloudtrail_s3_arn } module "cloudtrail" { - count = local.cloudtrail_deploy ? 1 : 0 + count = local.deploy_cloudtrail ? 1 : 0 source = "../../modules/infrastructure/cloudtrail" name = var.name diff --git a/examples/organizational/main.tf b/examples/organizational/main.tf index a16cce01..52aa1521 100644 --- a/examples/organizational/main.tf +++ b/examples/organizational/main.tf @@ -69,7 +69,8 @@ module "cloud_connector" { is_organizational = true organizational_config = { - sysdig_secure_for_cloud_role_arn = module.secure_for_cloud_role.sysdig_secure_for_cloud_role_arn + # see local.deploy_org_management_sysdig_role notes + sysdig_secure_for_cloud_role_arn = local.deploy_org_management_sysdig_role ? module.secure_for_cloud_role[0].sysdig_secure_for_cloud_role_arn : var.existing_cloudtrail_config.cloudtrail_s3_role_arn organizational_role_per_account = var.organizational_member_default_admin_role connector_ecs_task_role_name = aws_iam_role.connector_ecs_task.name } 
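Review bot: the new `deploy_cloudtrail` condition in examples/organizational/cloudtrail.tf treats a null `cloudtrail_sns_arn` as a request to create a trail, so a caller who follows the variable description and supplies only the queue option (`cloudtrail_s3_sns_sqs_arn`/`cloudtrail_s3_sns_sqs_url`, leaving `cloudtrail_sns_arn` unset) still gets a brand-new CloudTrail, S3 bucket and SNS topic in the management account, which is the opposite of what `existing_cloudtrail_config` is for. Deploy only when none of the existing-trail inputs are present, e.g. `deploy_cloudtrail = var.existing_cloudtrail_config.cloudtrail_sns_arn == "create" && var.existing_cloudtrail_config.cloudtrail_s3_sns_sqs_url == null`. Two details on the same line: the variable default is a non-null object, so the `== null` term only fires when a caller passes an explicit null, and in that case the next two `||` terms dereference the null object; unless the Terraform release in use short-circuits `||`, that is an attribute-on-null error rather than a fallthrough, so wrap the lookups in `try(..., null)` or drop the null case.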
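Review bot: the `sysdig_secure_for_cloud_role_arn` fallback in examples/organizational/main.tf returns `var.existing_cloudtrail_config.cloudtrail_s3_role_arn` whenever `local.deploy_org_management_sysdig_role` is false, but that attribute is `optional(string)` and defaults to null, so a deployment with scanning disabled and `cloudtrail_s3_sns_sqs_arn` set but no `cloudtrail_s3_role_arn` passes a null `assumeRole` down to the ingestor and only fails when the task starts. Add a `validation` block on the variable requiring `cloudtrail_s3_role_arn` whenever `cloudtrail_s3_sns_sqs_arn` is set, and replace `# see local.deploy_org_management_sysdig_role notes` with the one-line reason so the reader does not have to chase it into permissions.tf.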
@@ -77,7 +78,11 @@ module "cloud_connector" { build_project_arn = length(module.codebuild) == 1 ? module.codebuild[0].project_arn : "na" build_project_name = length(module.codebuild) == 1 ? module.codebuild[0].project_name : "na" - sns_topic_arn = local.cloudtrail_sns_arn + existing_cloudtrail_config = { + cloudtrail_sns_arn = local.cloudtrail_sns_arn + cloudtrail_s3_sns_sqs_url = var.existing_cloudtrail_config.cloudtrail_s3_sns_sqs_url + cloudtrail_s3_sns_sqs_arn = var.existing_cloudtrail_config.cloudtrail_s3_sns_sqs_arn + } ecs_cluster_name = local.ecs_cluster_name ecs_vpc_id = local.ecs_vpc_id diff --git a/examples/organizational/permissions.tf b/examples/organizational/permissions.tf index b6b26c1c..e29b3571 100644 --- a/examples/organizational/permissions.tf +++ b/examples/organizational/permissions.tf @@ -1,4 +1,11 @@ +locals { + # only deploy org-management-account lvl role if scanning is deployed and we're not overriding S3Role + # FIXME. main.tf#72 if scanning is activated, using 'cloudtrail_s3_role_arn' won't work, FR: need to provision 2 roles in cloud-connector + deploy_org_management_sysdig_role = var.deploy_image_scanning_ecs || var.deploy_image_scanning_ecr || var.existing_cloudtrail_config.cloudtrail_s3_sns_sqs_arn == null +} + module "secure_for_cloud_role" { + count = local.deploy_org_management_sysdig_role ? 1 : 0 source = "../../modules/infrastructure/permissions/org-role-ecs" providers = { aws.member = aws.member @@ -18,7 +25,7 @@ module "secure_for_cloud_role" { # secure_for_cloud_role <-> ecs_role trust relationship # note: # - definition of a ROOT lvl secure_for_cloud_connector_ecs_tas_role to avoid cyclic dependencies -# - duplicated in ../../modules/services/cloud-connector-ecs/ecs-service-security.tf +# - duplicated in ../../modules/services/cloud-connector-ecs/permissions.tf # ----------------------------------------------------------------- resource "aws_iam_role" "connector_ecs_task" { provider = aws.member 
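Review bot: `deploy_org_management_sysdig_role` in examples/organizational/permissions.tf silently discards a user-supplied `cloudtrail_s3_role_arn` whenever either scanning flag is on; the inline FIXME admits this but nothing surfaces it to the user. Until the two-role split the FIXME mentions lands, fail fast with a `precondition` or variable `validation` that rejects `cloudtrail_s3_role_arn != null` together with `deploy_image_scanning_ecs` or `deploy_image_scanning_ecr`, and say so in the variable description. Two smaller points in the same hunk: the `main.tf#72` reference will rot on the next edit of main.tf (name the expression instead of the line), and this condition dereferences `var.existing_cloudtrail_config.cloudtrail_s3_sns_sqs_arn` without the `== null` guard that cloudtrail.tf applies to the same variable, so the two files disagree on whether a null object is a legal input.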
diff --git a/examples/organizational/variables.tf b/examples/organizational/variables.tf index 5717c666..52f95dc6 100644 --- a/examples/organizational/variables.tf +++ b/examples/organizational/variables.tf 
@@ -28,31 +28,49 @@ variable "organizational_member_default_admin_role" { # # cloudtrail configuration # - -variable "cloudtrail_sns_arn" { - type = string - default = "create" - description = "ARN of a pre-existing cloudtrail_sns. Used together with `cloudtrail_sns_arn`, `cloudtrail_s3_arn`. If it does not exist, it will be inferred from created cloudtrail. Providing an ARN requires permission to SNS:Subscribe, check ./modules/infrastructure/cloudtrail/sns_permissions.tf block" -} - -variable "cloudtrail_s3_arn" { - type = string - default = "create" - description = "ARN of a pre-existing cloudtrail_sns s3 bucket. Used together with `cloudtrail_sns_arn`, `cloudtrail_s3_arn`. If it does not exist, it will be inferred from create cloudtrail" -} - variable "cloudtrail_is_multi_region_trail" { type = bool default = true - description = "true/false whether cloudtrail will ingest multiregional events. testing/economization purpose." + description = "true/false whether the created cloudtrail will ingest multi-regional events. testing/economization purpose." } variable "cloudtrail_kms_enable" { type = bool default = true - description = "true/false whether cloudtrail delivered events to S3 should persist encrypted" + description = "true/false whether the created cloudtrail should deliver encrypted events to s3" +} + + +variable "existing_cloudtrail_config" { + type = object({ + cloudtrail_s3_arn = optional(string) + cloudtrail_sns_arn = optional(string) + cloudtrail_s3_role_arn = optional(string) + cloudtrail_s3_sns_sqs_arn = optional(string) + cloudtrail_s3_sns_sqs_url = optional(string) + }) + default = { + cloudtrail_s3_arn = "create" + cloudtrail_sns_arn = "create" + cloudtrail_s3_role_arn = null + cloudtrail_s3_sns_sqs_arn = null + cloudtrail_s3_sns_sqs_url = null + } + + description = <<-EOT + Optional block. If not set, a new cloudtrail, sns and sqs resources will be created
+ If there's an existing cloudtrail, input mandatory attributes, and one of the 1, 2 or 3 grouped labeled optionals. + + EOT } + # # scanning configuration # diff --git a/examples/organizational/versions.tf b/examples/organizational/versions.tf index 548911d9..9ed18ad2 100644 --- a/examples/organizational/versions.tf +++ b/examples/organizational/versions.tf @@ -1,5 +1,6 @@ terraform { required_version = ">= 1.0.0" + experiments = [module_variable_optional_attrs] required_providers { aws = { version = ">= 4.0.0" diff --git a/examples/single-account-apprunner/cloudtrail.tf b/examples/single-account-apprunner/cloudtrail.tf index 30943bc3..516b38b0 100644 --- a/examples/single-account-apprunner/cloudtrail.tf +++ b/examples/single-account-apprunner/cloudtrail.tf @@ -1,6 +1,6 @@ locals { cloudtrail_deploy = var.cloudtrail_sns_arn == "create" - cloudtrail_sns_arn = local.cloudtrail_deploy ? module.cloudtrail[0].sns_topic_arn : var.cloudtrail_sns_arn + cloudtrail_sns_arn = local.cloudtrail_deploy ? module.cloudtrail[0].cloudtrail_sns_arn : var.cloudtrail_sns_arn } module "cloudtrail" { diff --git a/examples/single-account-apprunner/outputs.tf b/examples/single-account-apprunner/outputs.tf index 517bf1ac..588a0438 100644 --- a/examples/single-account-apprunner/outputs.tf +++ b/examples/single-account-apprunner/outputs.tf @@ -1,4 +1,4 @@ output "cloudtrail_sns_topic_arn" { - value = length(module.cloudtrail) > 0 ? module.cloudtrail[0].sns_topic_arn : var.cloudtrail_sns_arn + value = length(module.cloudtrail) > 0 ? module.cloudtrail[0].cloudtrail_sns_arn : var.cloudtrail_sns_arn description = "ARN of cloudtrail_sns topic" } diff --git a/examples/single-account-ecs/cloudtrail.tf b/examples/single-account-ecs/cloudtrail.tf index 3d1c1639..7540db3b 100644 --- a/examples/single-account-ecs/cloudtrail.tf +++ b/examples/single-account-ecs/cloudtrail.tf 
@@ -1,6 +1,6 @@ locals { cloudtrail_deploy = var.cloudtrail_sns_arn == "create" - cloudtrail_sns_arn = local.cloudtrail_deploy ? module.cloudtrail[0].sns_topic_arn : var.cloudtrail_sns_arn + cloudtrail_sns_arn = local.cloudtrail_deploy ? module.cloudtrail[0].cloudtrail_sns_arn : var.cloudtrail_sns_arn } module "cloudtrail" { diff --git a/examples/single-account-ecs/main.tf b/examples/single-account-ecs/main.tf index 89842692..1d4ebfbf 100644 --- a/examples/single-account-ecs/main.tf +++ b/examples/single-account-ecs/main.tf @@ -51,7 +51,10 @@ module "cloud_connector" { build_project_arn = length(module.codebuild) == 1 ? module.codebuild[0].project_arn : "na" build_project_name = length(module.codebuild) == 1 ? module.codebuild[0].project_name : "na" - sns_topic_arn = local.cloudtrail_sns_arn + existing_cloudtrail_config = { + cloudtrail_sns_arn = local.cloudtrail_sns_arn + } + ecs_cluster_name = local.ecs_cluster_name ecs_vpc_id = local.ecs_vpc_id diff --git a/examples/single-account-ecs/outputs.tf b/examples/single-account-ecs/outputs.tf index 517bf1ac..588a0438 100644 --- a/examples/single-account-ecs/outputs.tf +++ b/examples/single-account-ecs/outputs.tf @@ -1,4 +1,4 @@ output "cloudtrail_sns_topic_arn" { - value = length(module.cloudtrail) > 0 ? module.cloudtrail[0].sns_topic_arn : var.cloudtrail_sns_arn + value = length(module.cloudtrail) > 0 ? module.cloudtrail[0].cloudtrail_sns_arn : var.cloudtrail_sns_arn description = "ARN of cloudtrail_sns topic" } diff --git a/examples/single-account-k8s/cloud-connector.tf b/examples/single-account-k8s/cloud-connector.tf index 45e88b64..9e804ba4 100644 --- a/examples/single-account-k8s/cloud-connector.tf +++ b/examples/single-account-k8s/cloud-connector.tf 
@@ -8,9 +8,9 @@ locals { module "cloud_connector_sqs" { source = "../../modules/infrastructure/sqs-sns-subscription" - name = var.name - sns_topic_arn = local.cloudtrail_sns_arn - tags = var.tags + name = var.name + cloudtrail_sns_arn = local.cloudtrail_sns_arn + tags = var.tags } module "codebuild" { diff --git a/examples/single-account-k8s/cloudtrail.tf b/examples/single-account-k8s/cloudtrail.tf index 0e40c13e..0bd79c7d 100644 --- a/examples/single-account-k8s/cloudtrail.tf +++ b/examples/single-account-k8s/cloudtrail.tf @@ -1,6 +1,6 @@ locals { cloudtrail_deploy = var.cloudtrail_sns_arn == "create" - cloudtrail_sns_arn = var.cloudtrail_sns_arn == "create" ? module.cloudtrail[0].sns_topic_arn : var.cloudtrail_sns_arn + cloudtrail_sns_arn = var.cloudtrail_sns_arn == "create" ? module.cloudtrail[0].cloudtrail_sns_arn : var.cloudtrail_sns_arn } module "cloudtrail" { diff --git a/modules/infrastructure/cloudtrail/README.md b/modules/infrastructure/cloudtrail/README.md index 26dbc43d..ba921c7c 100644 --- a/modules/infrastructure/cloudtrail/README.md +++ b/modules/infrastructure/cloudtrail/README.md @@ -53,8 +53,8 @@ No modules. | Name | Description | |------|-------------| +| [cloudtrail\_sns\_arn](#output\_cloudtrail\_sns\_arn) | ARN of Cloudtrail SNS topic | | [s3\_bucket\_arn](#output\_s3\_bucket\_arn) | ARN of Cloudtrail SNS topic | -| [sns\_topic\_arn](#output\_sns\_topic\_arn) | ARN of Cloudtrail SNS topic | ## Authors diff --git a/modules/infrastructure/cloudtrail/outputs.tf b/modules/infrastructure/cloudtrail/outputs.tf index 1e7cbe86..0a7a0764 100644 --- a/modules/infrastructure/cloudtrail/outputs.tf +++ b/modules/infrastructure/cloudtrail/outputs.tf @@ -1,4 +1,4 @@ -output "sns_topic_arn" { +output "cloudtrail_sns_arn" { value = aws_sns_topic.cloudtrail.arn description = "ARN of Cloudtrail SNS topic" } diff --git a/modules/infrastructure/cloudtrail_s3-sns-sqs/main.tf b/modules/infrastructure/cloudtrail_s3-sns-sqs/main.tf index c6adfb38..6815c858 100644 
--- a/modules/infrastructure/cloudtrail_s3-sns-sqs/main.tf +++ b/modules/infrastructure/cloudtrail_s3-sns-sqs/main.tf @@ -47,9 +47,9 @@ resource "aws_s3_bucket_notification" "bucket_notification" { # sqs # -------------------- module "cloudtrail_s3_sns_sqs" { - source = "../sqs-sns-subscription" - name = "${var.name}-s3-sqs" - sns_topic_arn = aws_sns_topic.s3_sns.arn + source = "../sqs-sns-subscription" + name = "${var.name}-s3-sqs" + cloudtrail_sns_arn = aws_sns_topic.s3_sns.arn tags = var.tags } diff --git a/modules/infrastructure/permissions/org-role-ecs/README.md b/modules/infrastructure/permissions/org-role-ecs/README.md index 53612958..4261bf5b 100644 --- a/modules/infrastructure/permissions/org-role-ecs/README.md +++ b/modules/infrastructure/permissions/org-role-ecs/README.md @@ -7,6 +7,7 @@ The aim of this module is to manage the organizational **managed account** requi ## Permissions + * Threat-Detection feature * S3 Get and List permissions in order to fetch the events * SNS Subscription permissions in order to subscribe a topic to it diff --git a/modules/infrastructure/permissions/org-role-ecs/main.tf b/modules/infrastructure/permissions/org-role-ecs/main.tf index 296fead1..d8ab6233 100644 --- a/modules/infrastructure/permissions/org-role-ecs/main.tf +++ b/modules/infrastructure/permissions/org-role-ecs/main.tf 
@@ -1,9 +1,52 @@ +# ------------------------------------------ +# management account role +# ------------------------------------------ resource "aws_iam_role" "secure_for_cloud_role" { name = "${var.name}-SysdigSecureForCloudRole" assume_role_policy = data.aws_iam_policy_document.sysdig_secure_for_cloud_role_trusted.json tags = var.tags } +# enable cloudtrail_s3 RO access +resource "aws_iam_role_policy" "sysdig_secure_for_cloud_role_s3" { + name = "${var.name}-AllowCloudtrailS3Policy" + role = aws_iam_role.secure_for_cloud_role.id + policy = data.aws_iam_policy_document.sysdig_secure_for_cloud_role_s3.json +} +data "aws_iam_policy_document" "sysdig_secure_for_cloud_role_s3" { + statement { + effect = "Allow" + actions = [ + "s3:ListBucket", + "s3:GetObject" + ] + resources = [ + var.cloudtrail_s3_arn, + "${var.cloudtrail_s3_arn}/*" + ] + } +} + + +# enable image-scanning on member-account repositories +resource "aws_iam_role_policy" "sysdig_secure_for_cloud_role_assume_role" { + name = "${var.name}-AllowAssumeRoleInChildAccounts" + role = aws_iam_role.secure_for_cloud_role.id + policy = data.aws_iam_policy_document.sysdig_secure_for_cloud_role_assume_role.json +} +data "aws_iam_policy_document" "sysdig_secure_for_cloud_role_assume_role" { + statement { + effect = "Allow" + actions = [ + "sts:AssumeRole", + ] + resources = [ + "arn:aws:iam::*:role/${var.organizational_role_per_account}" + ] + } +} + + # --------------------------------------------- # enable cloud-connector module ECS Task role to AssumeRole on this secure_for_cloud_role # required for cloudtrail_sns/s3 resource read/subscribe access 
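Review bot: the two policy blocks added at the top of modules/infrastructure/permissions/org-role-ecs/main.tf are a verbatim relocation of the blocks removed in the next hunk (same names, actions and resources), so the functional change in this file is nil; keep pure moves in their own commit so the `feat!` diff stays reviewable. While the blocks are in view: `sysdig_secure_for_cloud_role_assume_role` grants `sts:AssumeRole` on `arn:aws:iam::*:role/${var.organizational_role_per_account}` (by default every member account's `OrganizationAccountAccessRole`) and its own comment says it exists for image scanning, yet after this patch the module is also instantiated for the threat-detection-only case (`deploy_org_management_sysdig_role` is true whenever `cloudtrail_s3_sns_sqs_arn` is null). Gate that policy behind a scanning flag and add an `aws:ResourceOrgID` condition so the wildcard account id cannot reach a role of the same name outside the organization.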
@@ -45,49 +88,3 @@ data "aws_iam_policy_document" "enable_assume_secure_for_cloud_role" { resources = [aws_iam_role.secure_for_cloud_role.arn] } } - - - -# ------------------------------ -# enable cloudtrail_s3 RO access -# ------------------------------ - -resource "aws_iam_role_policy" "sysdig_secure_for_cloud_role_s3" { - name = "${var.name}-AllowCloudtrailS3Policy" - role = aws_iam_role.secure_for_cloud_role.id - policy = data.aws_iam_policy_document.sysdig_secure_for_cloud_role_s3.json -} -data "aws_iam_policy_document" "sysdig_secure_for_cloud_role_s3" { - statement { - effect = "Allow" - actions = [ - "s3:ListBucket", - "s3:GetObject" - ] - resources = [ - var.cloudtrail_s3_arn, - "${var.cloudtrail_s3_arn}/*" - ] - } -} - - -# ------------------------------ -# enable image-scanning on member-account repositories -# ------------------------------ -resource "aws_iam_role_policy" "sysdig_secure_for_cloud_role_assume_role" { - name = "${var.name}-AllowAssumeRoleInChildAccounts" - role = aws_iam_role.secure_for_cloud_role.id - policy = data.aws_iam_policy_document.sysdig_secure_for_cloud_role_assume_role.json -} -data "aws_iam_policy_document" "sysdig_secure_for_cloud_role_assume_role" { - statement { - effect = "Allow" - actions = [ - "sts:AssumeRole", - ] - resources = [ - "arn:aws:iam::*:role/${var.organizational_role_per_account}" - ] - } -} diff --git a/modules/infrastructure/sqs-sns-subscription/README.md b/modules/infrastructure/sqs-sns-subscription/README.md index d468396f..f2410e3f 100644 --- a/modules/infrastructure/sqs-sns-subscription/README.md +++ b/modules/infrastructure/sqs-sns-subscription/README.md 
@@ -31,8 +31,8 @@ No modules. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| +| [cloudtrail\_sns\_arn](#input\_cloudtrail\_sns\_arn) | CloudTrail SNS Topic ARN to subscribe the SQS queue | `string` | n/a | yes | | [name](#input\_name) | Queue name | `string` | n/a | yes | -| [sns\_topic\_arn](#input\_sns\_topic\_arn) | CloudTrail SNS Topic ARN to subscribe the SQS queue | `string` | n/a | yes | | [tags](#input\_tags) | sysdig secure-for-cloud tags. always include 'product' default tag for resource-group proper functioning | `map(string)` |
{
"product": "sysdig-secure-for-cloud"
}
| no | ## Outputs diff --git a/modules/infrastructure/sqs-sns-subscription/main.tf b/modules/infrastructure/sqs-sns-subscription/main.tf index 95185553..15c2bf4f 100644 --- a/modules/infrastructure/sqs-sns-subscription/main.tf +++ b/modules/infrastructure/sqs-sns-subscription/main.tf @@ -7,7 +7,7 @@ resource "aws_sns_topic_subscription" "this" { # could do a for_each if required, but 1:1 (sns:sqs) for the moment protocol = "sqs" endpoint = aws_sqs_queue.this.arn - topic_arn = var.sns_topic_arn + topic_arn = var.cloudtrail_sns_arn } resource "aws_sqs_queue_policy" "this" { @@ -26,7 +26,7 @@ data "aws_iam_policy_document" "this" { condition { test = "ArnEquals" variable = "aws:SourceArn" - values = [var.sns_topic_arn] + values = [var.cloudtrail_sns_arn] } actions = [ "sqs:SendMessage", diff --git a/modules/infrastructure/sqs-sns-subscription/variables.tf b/modules/infrastructure/sqs-sns-subscription/variables.tf index 17f6d297..f0829253 100644 --- a/modules/infrastructure/sqs-sns-subscription/variables.tf +++ b/modules/infrastructure/sqs-sns-subscription/variables.tf @@ -3,7 +3,7 @@ variable "name" { description = "Queue name" } -variable "sns_topic_arn" { +variable "cloudtrail_sns_arn" { type = string description = "CloudTrail SNS Topic ARN to subscribe the SQS queue" } diff --git a/modules/services/cloud-connector-apprunner/sqs.tf b/modules/services/cloud-connector-apprunner/sqs.tf index e608d7a5..fc23ea39 100644 --- a/modules/services/cloud-connector-apprunner/sqs.tf +++ b/modules/services/cloud-connector-apprunner/sqs.tf @@ -1,6 +1,6 @@ module "cloud_connector_sqs" { - source = "../../infrastructure/sqs-sns-subscription" - name = var.name - sns_topic_arn = var.cloudtrail_sns_arn - tags = var.tags + source = "../../infrastructure/sqs-sns-subscription" + name = var.name + cloudtrail_sns_arn = var.cloudtrail_sns_arn + tags = var.tags } 
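Review bot: renaming the sqs-sns-subscription input from `sns_topic_arn` to `cloudtrail_sns_arn` bakes a CloudTrail assumption into a generic module that this same patch feeds a non-CloudTrail topic: in modules/infrastructure/cloudtrail_s3-sns-sqs/main.tf the argument is `aws_sns_topic.s3_sns.arn`, the S3 event-notification topic. Keep the module input neutral (`sns_topic_arn`) and do the renaming at the call sites that really carry a CloudTrail topic. The rename of this input and of the `cloudtrail` module output (`sns_topic_arn` -> `cloudtrail_sns_arn`) is also a breaking change for any out-of-tree caller; the `feat!` prefix covers it, but the module READMEs should mention the old name. And while the cloudtrail module README output table is being edited, the `s3_bucket_arn` row still reads "ARN of Cloudtrail SNS topic".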
diff --git a/modules/services/cloud-connector-ecs/README.md b/modules/services/cloud-connector-ecs/README.md index 9997eb7f..68b6296e 100644 --- a/modules/services/cloud-connector-ecs/README.md +++ b/modules/services/cloud-connector-ecs/README.md @@ -36,8 +36,10 @@ A task deployed on an **ECS deployment** will detect events in your infrastructu | [aws_iam_role.task](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | | [aws_iam_role_policy.ecr_reader](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource | | [aws_iam_role_policy.execution](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource | -| [aws_iam_role_policy.task](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource | | [aws_iam_role_policy.task_definition_reader](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource | +| [aws_iam_role_policy.task_policy_assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource | +| [aws_iam_role_policy.task_policy_s3](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource | +| [aws_iam_role_policy.task_policy_sqs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource | | [aws_iam_role_policy.task_read_parameters](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource | | [aws_iam_role_policy.trigger_scan](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource | | [aws_security_group.sg](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource | 
@@ -45,7 +47,9 @@ A task deployed on an **ECS deployment** will detect events in your infrastructu | [aws_iam_policy_document.ecr_reader](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_iam_policy_document.execution](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_iam_policy_document.execution_assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| [aws_iam_policy_document.iam_role_task_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.iam_role_task_assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.iam_role_task_policy_s3](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.iam_role_task_policy_sqs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_iam_policy_document.task_assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_iam_policy_document.task_definition_reader](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_iam_policy_document.task_read_parameters](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | 
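Review bot: the data-source table in modules/services/cloud-connector-ecs/README.md now lists both `aws_iam_policy_document.iam_role_task_assume_role` and the pre-existing `aws_iam_policy_document.task_assume_role`; from the names one is presumably the task role's trust policy and the other the `sts:AssumeRole` permission document behind `aws_iam_role_policy.task_policy_assume_role`, and nothing in the names says which is which. Rename the new one `iam_role_task_policy_assume_role` so it lines up with its siblings `iam_role_task_policy_s3` and `iam_role_task_policy_sqs` and with the resource it feeds; the README is generated, so the fix belongs in permissions.tf.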
@@ -65,13 +69,13 @@ A task deployed on an **ECS deployment** will detect events in your infrastructu | [ecs\_vpc\_id](#input\_ecs\_vpc\_id) | ID of the VPC where the workload is to be deployed. | `string` | n/a | yes | | [ecs\_vpc\_subnets\_private\_ids](#input\_ecs\_vpc\_subnets\_private\_ids) | List of VPC subnets where workload is to be deployed. | `list(string)` | n/a | yes | | [secure\_api\_token\_secret\_name](#input\_secure\_api\_token\_secret\_name) | Sysdig Secure API token SSM parameter name | `string` | n/a | yes | -| [sns\_topic\_arn](#input\_sns\_topic\_arn) | ARN of a cloudtrail-sns topic. If specified, deployment region must match Cloudtrail S3 bucket region | `string` | n/a | yes | | [cloudwatch\_log\_retention](#input\_cloudwatch\_log\_retention) | Days to keep logs for CloudConnector | `number` | `5` | no | | [connector\_ecs\_task\_role\_name](#input\_connector\_ecs\_task\_role\_name) | Default ecs cloudconnector task role name | `string` | `"ECSTaskRole"` | no | | [deploy\_image\_scanning\_ecr](#input\_deploy\_image\_scanning\_ecr) | true/false whether to deploy the image scanning on ECR pushed images | `bool` | `false` | no | | [deploy\_image\_scanning\_ecs](#input\_deploy\_image\_scanning\_ecs) | true/false whether to deploy the image scanning on ECS running images | `bool` | `false` | no | | [ecs\_task\_cpu](#input\_ecs\_task\_cpu) | Amount of CPU (in CPU units) to reserve for cloud-connector task | `string` | `"256"` | no | | [ecs\_task\_memory](#input\_ecs\_task\_memory) | Amount of memory (in megabytes) to reserve for cloud-connector task | `string` | `"512"` | no | +| [existing\_cloudtrail\_config](#input\_existing\_cloudtrail\_config) | Optional block. If not set, a new cloudtrail, sns and sqs resources will be created

If there's an existing cloudtrail, input mandatory attributes, and one of the 1 or 2 labeled optionals.
|
object({
cloudtrail_sns_arn = optional(string)
cloudtrail_s3_sns_sqs_arn = optional(string)
cloudtrail_s3_sns_sqs_url = optional(string)
})
|
{
"cloudtrail_s3_sns_sqs_arn": null,
"cloudtrail_s3_sns_sqs_url": null,
"cloudtrail_sns_arn": "create"
}
| no | | [extra\_env\_vars](#input\_extra\_env\_vars) | Extra environment variables for the Cloud Connector deployment | `map(string)` | `{}` | no | | [image](#input\_image) | Image of the cloud connector to deploy | `string` | `"quay.io/sysdig/cloud-connector:latest"` | no | | [is\_organizational](#input\_is\_organizational) | whether secure-for-cloud should be deployed in an organizational setup | `bool` | `false` | no | diff --git a/modules/services/cloud-connector-ecs/cloudconnector-config.tf b/modules/services/cloud-connector-ecs/cloudconnector-config.tf index 78a1c3ee..40b6191f 100644 --- a/modules/services/cloud-connector-ecs/cloudconnector-config.tf +++ b/modules/services/cloud-connector-ecs/cloudconnector-config.tf @@ -3,16 +3,27 @@ locals { logging = "info" rules = [] ingestors = [ - { - cloudtrail-sns-sqs = merge( - { - queueURL = module.cloud_connector_sqs.cloudtrail_sns_subscribed_sqs_url - }, - var.is_organizational ? { - assumeRole = var.organizational_config.sysdig_secure_for_cloud_role_arn - } : {} - ) - } + merge( + local.deploy_sqs ? { + cloudtrail-sns-sqs = merge( + { + queueURL = module.cloud_connector_sqs[0].cloudtrail_sns_subscribed_sqs_url + }, + var.is_organizational ? { + assumeRole = var.organizational_config.sysdig_secure_for_cloud_role_arn + } : {} + ) + } : {}, + !local.deploy_sqs && var.existing_cloudtrail_config.cloudtrail_s3_sns_sqs_url != null ? { + aws-cloudtrail-s3-sns-sqs = merge( + { + queueURL = var.existing_cloudtrail_config.cloudtrail_s3_sns_sqs_url + }, + var.is_organizational ? { + assumeRole = var.organizational_config.sysdig_secure_for_cloud_role_arn + } : {} + ) + } : {}) ] }, { diff --git a/modules/services/cloud-connector-ecs/permissions.tf b/modules/services/cloud-connector-ecs/permissions.tf index 241c6cd9..5a0d9b1a 100644 --- a/modules/services/cloud-connector-ecs/permissions.tf +++ b/modules/services/cloud-connector-ecs/permissions.tf 
@@ -10,8 +10,9 @@ data "aws_ssm_parameter" "sysdig_secure_api_token" { #--------------------------------- # task role -# notes -# - duplicated in /examples/organizational/credentials.tf, where root lvl role is created, to avoid cyclic dependencies +# - if organizational, role is inherited from root lvl, to avoid cyclic dependencies +# - otherwise is created in current account +# - duplicated in /examples/organizational/permissions.tf #--------------------------------- data "aws_iam_role" "task_inherited" { count = var.is_organizational ? 1 : 0 
@@ -38,39 +39,59 @@ data "aws_iam_policy_document" "task_assume_role" { } } -resource "aws_iam_role_policy" "task" { - name = "${var.name}-TaskPolicy" +resource "aws_iam_role_policy" "task_policy_sqs" { + name = "${var.name}-AllowSQSUsage" role = local.ecs_task_role_id - policy = data.aws_iam_policy_document.iam_role_task_policy.json + policy = data.aws_iam_policy_document.iam_role_task_policy_sqs.json } - -data "aws_iam_policy_document" "iam_role_task_policy" { +data "aws_iam_policy_document" "iam_role_task_policy_sqs" { statement { effect = "Allow" actions = [ - "s3:GetObject", - "s3:ListBucket", + "sqs:DeleteMessage", + "sqs:DeleteMessageBatch", + "sqs:ReceiveMessage" + ] + resources = [ + local.deploy_sqs ? module.cloud_connector_sqs[0].cloudtrail_sns_subscribed_sqs_arn : var.existing_cloudtrail_config.cloudtrail_s3_sns_sqs_arn ] - resources = ["*"] - # resources = [var.cloudtrail_s3_arn # would need this as param] } +} + +resource "aws_iam_role_policy" "task_policy_s3" { + count = var.is_organizational ? 0 : 1 + name = "${var.name}-AllowS3Read" + role = local.ecs_task_role_id + policy = data.aws_iam_policy_document.iam_role_task_policy_s3[0].json +} +data "aws_iam_policy_document" "iam_role_task_policy_s3" { + count = var.is_organizational ? 0 : 1 statement { effect = "Allow" actions = [ - "sts:AssumeRole", + "s3:GetObject", + "s3:ListBucket" ] resources = ["*"] - # resources = [var.connector_ecs_task_role_name] + # resources = [var.cloudtrail_s3_arn # would need this as param] } +} +resource "aws_iam_role_policy" "task_policy_assume_role" { + count = var.is_organizational ? 1 : 0 + name = "${var.name}-AllowS3AssumeRole" + role = local.ecs_task_role_id + policy = data.aws_iam_policy_document.iam_role_task_assume_role[0].json +} + +data "aws_iam_policy_document" "iam_role_task_assume_role" { + count = var.is_organizational ? 
1 : 0 statement { effect = "Allow" actions = [ - "sqs:DeleteMessage", - "sqs:DeleteMessageBatch", - "sqs:ReceiveMessage" + "sts:AssumeRole" ] - resources = [module.cloud_connector_sqs.cloudtrail_sns_subscribed_sqs_arn] + resources = [var.organizational_config.sysdig_secure_for_cloud_role_arn] } } diff --git a/modules/services/cloud-connector-ecs/sqs.tf b/modules/services/cloud-connector-ecs/sqs.tf index b1cd7f52..65ec8b84 100644 --- a/modules/services/cloud-connector-ecs/sqs.tf +++ b/modules/services/cloud-connector-ecs/sqs.tf @@ -1,6 +1,13 @@ +locals { + deploy_sqs = var.existing_cloudtrail_config.cloudtrail_s3_sns_sqs_url == null +} + + module "cloud_connector_sqs" { - source = "../../infrastructure/sqs-sns-subscription" - name = var.name - sns_topic_arn = var.sns_topic_arn - tags = var.tags + count = local.deploy_sqs ? 1 : 0 + source = "../../infrastructure/sqs-sns-subscription" + + name = var.name + cloudtrail_sns_arn = var.existing_cloudtrail_config.cloudtrail_sns_arn + tags = var.tags } diff --git a/modules/services/cloud-connector-ecs/variables.tf b/modules/services/cloud-connector-ecs/variables.tf index 67b0b7c0..3337c79e 100644 --- a/modules/services/cloud-connector-ecs/variables.tf +++ b/modules/services/cloud-connector-ecs/variables.tf @@ -34,15 +34,34 @@ variable "ecs_vpc_subnets_private_ids" { } # -# cloud-connector parametrization +# cloudtrail parametrization # -variable "sns_topic_arn" { - type = string - description = "ARN of a cloudtrail-sns topic. If specified, deployment region must match Cloudtrail S3 bucket region" +variable "existing_cloudtrail_config" { + type = object({ + cloudtrail_sns_arn = optional(string) + cloudtrail_s3_sns_sqs_arn = optional(string) + cloudtrail_s3_sns_sqs_url = optional(string) + }) + default = { + cloudtrail_sns_arn = "create" + cloudtrail_s3_sns_sqs_arn = null + cloudtrail_s3_sns_sqs_url = null + } + + description = <<-EOT + Optional block. If not set, a new cloudtrail, sns and sqs resources will be created
+ If there's an existing cloudtrail, input mandatory attributes, and one of the 1 or 2 labeled optionals. + + EOT } + #--------------------------------- # optionals - with default #--------------------------------- diff --git a/modules/services/cloud-connector-ecs/versions.tf b/modules/services/cloud-connector-ecs/versions.tf index 4b3b3abe..d50a0be1 100644 --- a/modules/services/cloud-connector-ecs/versions.tf +++ b/modules/services/cloud-connector-ecs/versions.tf @@ -1,5 +1,6 @@ terraform { required_version = ">= 1.0.0" + experiments = [module_variable_optional_attrs] required_providers { aws = { version = ">= 4.0.0" diff --git a/use-cases/org-existing-cloudtrail-ecs-vpc-subnet.md b/use-cases/org-existing-cloudtrail-ecs-vpc-subnet.md index 6b2ffbcf..141495ad 100644 --- a/use-cases/org-existing-cloudtrail-ecs-vpc-subnet.md +++ b/use-cases/org-existing-cloudtrail-ecs-vpc-subnet.md @@ -95,13 +95,13 @@ module "utils_ecs-vpc" { - This will be required for the CloudConnector SQS Topic subscription. - Use [`./modules/infrastructure/cloudtrail/sns_permissions.tf`](https://github.com/sysdiglabs/terraform-aws-secure-for-cloud/blob/master/modules/infrastructure/cloudtrail/sns_permissions.tf#L22) as guideline - - - Existing ECS Cluster Workload Setup + - Existing **ECS Cluster and networking** setup + - Create an ECS cluster and configure it with the existing VPC/Subnet/... network configuration suiting your needs. +
Refer to [Sysdig SASS Region and IP Ranges Documentation](https://docs.sysdig.com/en/docs/administration/saas-regions-and-ip-ranges/) to get Sysdig SaaS endpoint and allow both outbound (for compute vulnerability report) and inbound (for scheduled compliance checkups) +
ECS type deployment will create following [security-group setup](https://github.com/sysdiglabs/terraform-aws-secure-for-cloud/blob/master/modules/services/cloud-connector-ecs/sec-group.tf) - `ECS_CLUSTER_NAME` ex.: "sfc" - - - Existing Networking Setup - `ECS_VPC_ID` ex.: "vpc-0e91bfef6693f296b" - - `ECS_VPC_SUBNET_PRIVATE_ID_X` Two subnets for the VPC. ex.: "subnet-0c7d803ecdc88437b" + - `ECS_VPC_SUBNET_PRIVATE_ID_X` Two subnets for the VPC. ex.: "subnet-0c7d803ecdc88437b"

### Terraform Manifest Snippet diff --git a/use-cases/org-s3-k8s-filtered-account.md b/use-cases/org-s3-k8s-filtered-account.md index 18ffa709..65cfeac9 100644 --- a/use-cases/org-s3-k8s-filtered-account.md +++ b/use-cases/org-s3-k8s-filtered-account.md @@ -36,7 +36,7 @@ Skip step 4 and remove `aws_access_key_id` and `aws_secret_access_key` parameter 1. Define different **AWS providers** - Populate `REGION`. Currently, same region is to be used - - Because we are going to provision resources on multiple accounts, we're gonna use **two AWS providers** + - Because we are going to provision resources on multiple accounts, we're going to use **two AWS providers** - `aws.s3` for s3-sns-sqs resources to be deployed. IAM user-credentials, to be used for k8s must also be in S3 account - `aws.sfc` for secure-for-cloud utility resources to be deployed diff --git a/use-cases/org-three-cross-account-s3-event-forward.md b/use-cases/org-three-cross-account-s3-event-forward.md new file mode 100644 index 00000000..69a20073 --- /dev/null +++ b/use-cases/org-three-cross-account-s3-event-forward.md @@ -0,0 +1,256 @@ +# OrganizationSetup - Three way Cross-Account - Cloudtrail with no SNS - Event Notification with S3-SNS-SQS + +## Use-Case explanation + +This use case will cover + +- **User Infrastructure Setup**: AWS Organization Setup with three-way account setup + 1. Management Account + - Organizational Cloudtrail with no SNS activation + 2. Log Archive Account + - Cloudtrail-S3 bucket, with event notification to an SNS > SQS + 3. Member Account + - Sysdig Secure for cloud deployment + - Existing VPC network setup. + +- Besides, we will make use of an **existing VPC/Subnet configuration**. + +- Required **Sysdig Secure For Cloud [Features](https://docs.sysdig.com/en/docs/installation/sysdig-secure-for-cloud/)** + - Threat-Detection + - Posture; Compliance + Identity Access Management + - :warning: Cloud image scanning is not supported yet +

+ + +## Suggested setup + +- Default `organizational` example is pre-configured to work with managed-account level resources (cloudtrail, s3, sns and sqs resources). + - We will make use of an alternative event ingestion vía S3 Event Notification through an SNS-SQS. + - It's important that all existing resources (cloudtrail-s3, cloudtrail-s3-sns-sqs, and sysdig workload), are **within same AWS_REGION**. Otherwise, contact us, so we can alleviate this limitation. + - We will need some permission setup, in order to let Sysdig Modules to be able to read resources from customer's infrastructure setup. +- For existing VPC/Subnet usage, we will make use of the optional variables. Right now these two fields also require an ECS cluster to be configured. + + +### Step by Step Example Guide + + + + +#### 1. Configure `AWS_PROFILE` with an organizational Administration credentials + +Module is intended to create resources on your management account, as well as member-accounts. + +Refer to [General Permissions](https://github.com/sysdiglabs/terraform-aws-secure-for-cloud#required-permissions) to get more detail on what's required, +and [Organizational Role Summary](https://github.com/sysdiglabs/terraform-aws-secure-for-cloud/tree/master/examples/organizational#role-summary) for this specific use-case scenario. + +#### 2. Choose an Organizational **Member account for Sysdig Workload** to be deployed. + +This accountID will be required in the `SYSDIG_SECURE_FOR_CLOUD_MEMBER_ACCOUNT_ID` parameter + +#### 3. Pre-Terraform Requirements + +#### 3.1 ECS Cluster + + - Create an ECS cluster and configure it with the existing VPC/Subnet/... network configuration suiting your needs. 
+ - Refer to [Sysdig SASS Region and IP Ranges Documentation](https://docs.sysdig.com/en/docs/administration/saas-regions-and-ip-ranges/) to get Sysdig SaaS endpoint and allow both outbound (for compute vulnerability report) and inbound (for scheduled compliance checkups) + - ECS type deployment will create following [security-group setup](https://github.com/sysdiglabs/terraform-aws-secure-for-cloud/blob/master/modules/services/cloud-connector-ecs/sec-group.tf) + +#### 3.2 Permissions - SysdigSecureForCloud-S3AccessRole + +Required action to allow AWS S3 cross-account access. + +- Create a `SysdigSecureForCloud-S3AccessRole` in the same account where the S3 bucket exists. +- Give it whatever trust-permissions you feel comfortable with, we will edit it later. +- Add permissions to be able to read from the S3 bucket (create a resource/action pinned policy if required) + ```text + { + "Sid": "AllowSysdigToRead", + "Effect": "Allow", + "Action": "s3:GetObject", + "Resource": [ + "/*" + ] + } + ``` +- Fetch the created role arn as `CLOUDTRAIL_S3_ROLE_ARN` + +#### 4. Launch Terraform + +We will use this Terraform Manifest. Get detailed explanation of each variable bellow. + +```terraform +terraform { + required_providers { + sysdig = { + source = "sysdiglabs/sysdig" + configuration_aliases = [aws.member] + } + } +} + +provider "sysdig" { + sysdig_secure_url = "" + sysdig_secure_api_token = "" +} + +# provider used to deploy RO compliance role on organizational accounts +provider "aws" { + region = "" # must match s3 AND sqs region +} + +# provider used to deploy sfc on the selected member-account +provider "aws" { + alias = "member" + region = "" # must match s3 AND sqs region + assume_role { + # 'OrganizationAccountAccessRole' is the default role created by AWS for management-account users to be able to admin member accounts. + # if this is changed, please change to the `examples/organizational` input var `organizational_member_default_admin_role` too + #
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_access.html + role_arn = "arn:aws:iam:::role/OrganizationAccountAccessRole" + } +} + +module "sysdig-sfc" { + providers = { + aws.member = aws.member + } + + source = "sysdiglabs/secure-for-cloud/aws//examples/organizational" + name = "sysdig-sfc" + + sysdig_secure_for_cloud_member_account_id="" + + ecs_cluster_name = "" + ecs_vpc_id = "" + ecs_vpc_subnets_private_ids = ["",""] + + existing_cloudtrail_s3_config={ + cloudtrail_s3_sns_sqs_arn = "" + cloudtrail_s3_sns_sqs_url = "" + cloudtrail_s3_role_arn = "" + } +} +``` + +- We'll use the **organizational** example +- **General** parameters + - `AWS_REGION` Same region is to be used for both organizational managed account and Sysdig workload member account resources.
+ - Region MUST match both S3 bucket, SNS and SQS + - `SYSDIG_SECURE_FOR_CLOUD_MEMBER_ACCOUNT_ID` where Sysdig Workload is to be deployed under the pre-existing ECS

+ +- Existing **ECS Cluster and networking** setup + - `ECS_CLUSTER_NAME` ex.: "sfc" + - `ECS_VPC_ID` ex.: "vpc-0e91bfef6693f296b" + - `ECS_VPC_SUBNET_PRIVATE_ID_X` Two subnets for the VPC. ex.: "subnet-0c7d803ecdc88437b"

+ +- Existing Organizational **Cloudtrail setup** vía S3 event notification through SNS-SQS. + - `CLOUDTRAIL_S3_SNS_SQS_ARN` ARN of the queue, for us to setup ECSTaskRole to be able to access SQS + - `CLOUDTRAIL_S3_SNS_SQS_URL` URL of the queue from were to ingest events in the cloud-connector compute deployment + - `CLOUDTRAIL_S3_ROLE_ARN` ARN of the `SysdigSecureForCloud-S3AccessRole` created in step 3.2, for ECSTaskRole to assumeRole and access S3 + +#### 5. Use-Case Specific Permissions + +When applying Terraform manifest it will create resources, and we should have no errors there. +However, deployed compute will fail (can check the logs in the ECS Task) due to permissions. + +Let's fix that; we need to allow S3 and SQS resources to be accessed by the compute role, `sfc-organizational-ECSTaskRole"` (default name value). + +![organizational three-way-account permission setup](resources/org-three-way-permissions.png) + +##### 5.1 Fetch `SYSDIG_ECS_TASK_ROLE_ARN` ARN + +Get this ARN at hand, because it's what you'll use to configure your pre-existing CLOUDTRAIL_S3 and CLOUDTRAIL_S3_SNS_SQS permissions to allow SysdigWorkload to operate with it. 
+ +Default `SYSDIG_ECS_TASK_ROLE_ARN` should be `arn:aws:iam:::role/sfc-organizational-ECSTaskRole` +but you can check its value accessing the ECS Cluster and checking deployed Task definition, or launching following CLI: +```terraform +$ terraform state list | grep aws_iam_role.connector_ecs_task + + +$ terraform state show | grep "arn" +arn = "arn:aws:iam::****:role/sfc-organizational-ECSTaskRole" +``` + +##### 5.2 Cloudtrail-S3-SNS-SQS + +We'll need to add following permissions to the `CLOUDTRAIL_S3_SNS_SQS` +```text + { + "Sid": "AllowSQSSubscribe", + "Effect": "Allow", + "Principal": { + "AWS": "" + }, + "Action": [ + "sqs:ReceiveMessage", + "sqs:DeleteMessage" + ], + "Resource": "" + } +``` + +##### 5.3 Cloudtrail-S3 + +We'll need to add following trust policy to the `CLOUDTRAIL_S3_ROLE` +```text + { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "AWS": "" + }, + "Action": "sts:AssumeRole" + } +] +} +``` + +We should not need to restart ECSTask as this changes will be applied on runtime. + +### 6. Check-up + +Suggested steps + +1. Access ECS logs for the SecureForCloud task + - check that there are no errors and events are being ingested +2. If logs are OK, check in Sysdig Secure + - Integrations > Data Sources - Cloud Accounts + - Posture > Identity and Access Management - Overview + - Posture > Compliance - AWS + - Insights > Cloud Activity diff --git a/use-cases/org-three-cross-account-setup.md b/use-cases/org-three-cross-account-setup.md deleted file mode 100644 index 9bb5ada9..00000000 --- a/use-cases/org-three-cross-account-setup.md +++ /dev/null 
@@ -1,193 +0,0 @@ -# OrganizationSetup - Existing Cloudtrail - Three-way cross-account setup - -## Use-Case explanation - -**Current User Setup** - -- AWS Organization Setup -- AWS Organizational Cloudtrail within the managed account, with Cloudtrail-SNS activation + reporting to another member-account S3 bucket - - This setup is popular with user that are under AWS Control Tower Setup -- Existing VPC network setup. - -**Sysdig Secure For Cloud [Features](https://docs.sysdig.com/en/docs/installation/sysdig-secure-for-cloud/)** - -- Threat-Detection -- Posture; Compliance + Identity Access Management -

- - -## Suggested setup - -We're going to use existing use case [/use-cases/org-existing-cloudtrail-ecs-vpc-subnet.md](./org-existing-cloudtrail-ecs-vpc-subnet.md), with some permission-related changes, due to the three-way cross-account scenario. - -Final scenario would be: - -- Management Account - - Cloudtrail-SNS -- Log-Archive Account - - Cloudtrail-S3 bucket -- Member Account - - Sysdig Secure for Cloud deployment - -It's important that all three resources (cloudtrail-sns, cloudtrail-s3 and sysdig workload), is **within same AWS_REGION**. Otherwise, contact us so we can alleviate this limitation. - -For network setup, please refer to [Sysdig SASS Region and IP Ranges Documentation](https://docs.sysdig.com/en/docs/administration/saas-regions-and-ip-ranges/). - -Before proceeding, please read the referenced use-cases and examples and check whether you comply with requirements. -Please contact us if something requires to be adjusted. - - -### Step by Step Example Guide - - - - -1. Configure `AWS_PROFILE` with an organizational Administration credentials - -2. Choose an Organizational **Member account for Sysdig Workload** to be deployed. - - - This accountID will be provided in the `SYSDIG_SECURE_FOR_CLOUD_MEMBER_ACCOUNT_ID` parameter - -3. Permissions - SNS - - - Before running Terraform, we need to give permissions to the role of the `member`-aliased terraform aws provider, to be able to create an SQS queue - and subscribe it to the provided SNS. 
Otherwise, Terraform will fail with an error such as - > AuthorizationError: User: *** is not authorized to perform: SNS:Subscribe on resource : because no resource-based policy allows the SNS:Subscribe action - - We'll need to add following permissions to the SNS queue - ```text - { - "Sid": "AllowSQSSubscribe", - "Effect": "Allow", - "Principal": { - "AWS": "" - }, - "Action": "SNS:Subscribe", - "Resource": "" - } - ``` - - Check [`./modules/infrastructure/cloudtrail/sns_permissions.tf`](https://github.com/sysdiglabs/terraform-aws-secure-for-cloud/blob/master/modules/infrastructure/cloudtrail/sns_permissions.tf#L22) for more insight - -4. Use `organizational` example snippet with following parameters - - - General - - `AWS_REGION` Same region is to be used for both organizational managed account and Sysdig workload member account resources.
- - **Region MUST match both S3 bucket and SNS Cloudtrail**. - - `SYSDIG_SECURE_FOR_CLOUD_MEMBER_ACCOUNT_ID` where Sysdig Workload is to be deployed under the pre-existing ECS - - - Existing Organizational Cloudtrail Setup - - `CLOUDTRAIL_SNS_ARN` - - `CLOUDTRAIL_S3_ARN` - - - Existing ECS Cluster Workload Setup - - `ECS_CLUSTER_NAME` ex.: "sfc" - - - Existing Networking Setup - - `ECS_VPC_ID` ex.: "vpc-0e91bfef6693f296b" - - `ECS_VPC_SUBNET_PRIVATE_ID_X` Two subnets for the VPC. ex.: "subnet-0c7d803ecdc88437b" - -5. Permissions - S3 - - Terraform should have successfully deployed everything, but still, ECS task will fail due to missing permissions on S3 access. - - We cannot prepare this beforehand, as S3 will throw following error if the referenced Role does not exist yet. - > Invalid principal in policy - - For cross-account S3 access, we will provision permissions on both management-account role and s3 bucket - - For Terraform provisioned role in the management account, ``,
in form of `arn:aws:iam:::role/sysdig-sfc-SysdigSecureForCloudRole`,
- ```text - { - "Sid": "AllowSysdigReadS3", - "Effect": "Allow", - "Action": [ - "s3:GetObject" - ], - "Resource": "/*" - } - ``` - - For the S3 bucket - ```text - { - "Sid": "AllowSysdigToRead", - "Effect": "Allow", - "Principal": { - "AWS": "" # role created by terraorm , in form of "arn:aws:iam:::role/sysdig-sfc-SysdigSecureForCloudRole" - }, - "Action": "s3:GetObject", - "Resource": [ - "", - "/*" - ] - } - ``` - - We shouldn't need to restart ECS Task for these roles to be effective and logs should show no errors at this point. - -### Permission Setup Guidance - -![organizational setup](https://github.com/sysdiglabs/aws-templates-secure-for-cloud/raw/main/use_cases/org-k8s/diagram.png) - -### Terraform Manifest Snippet - -```terraform -terraform { - required_providers { - sysdig = { - source = "sysdiglabs/sysdig" - configuration_aliases = [aws.member] - } - } -} - -provider "sysdig" { - sysdig_secure_url = "" - sysdig_secure_api_token = "" -} - -provider "aws" { - region = "" # must match s3 AND sns region -} - -# you can setup this provider as desired, just giving an example -# this assumeRole / permission setup is referenced in point #3 -provider "aws" { - alias = "member" - region = "" # must match s3 AND sns region - assume_role { - # 'OrganizationAccountAccessRole' is the default role created by AWS for management-account users to be able to admin member accounts. - # if this is changed, please change to the `examples/organizational` input var `organizational_member_default_admin_role` too - #
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_access.html - role_arn = "arn:aws:iam:::role/OrganizationAccountAccessRole" - } -} - -module "sysdig-sfc" { - providers = { - aws.member = aws.member - } - - source = "sysdiglabs/secure-for-cloud/aws//examples/organizational" - name = "sysdig-sfc" - - sysdig_secure_for_cloud_member_account_id="" - - cloudtrail_sns_arn = "" - cloudtrail_s3_arn = "" - - ecs_cluster_name = "" - ecs_vpc_id = "" - ecs_vpc_subnets_private_ids = ["",""]} -``` 
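Review bot: in the cloud-connector-ecs README Inputs hunk, the `existing_cloudtrail_config` row is split over a dozen lines because the heredoc description, the pretty-printed `object({...})` type and the multi-line default all carry newlines, which a markdown table cell cannot hold; the row will render as loose text after the table. Keep the variable description on one line (or `<br>`-separated) so the generated table stays valid, or have the docs generator escape the newlines before committing the README.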
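Review bot: in the cloudconnector-config.tf hunk, the guard `!local.deploy_sqs && var.existing_cloudtrail_config.cloudtrail_s3_sns_sqs_url != null` is redundant, because `local.deploy_sqs` (sqs.tf hunk) is defined as exactly `cloudtrail_s3_sns_sqs_url == null`, so `!local.deploy_sqs` already implies the URL is non-null. A single `local.deploy_sqs ? { cloudtrail-sns-sqs = ... } : { aws-cloudtrail-s3-sns-sqs = ... }` conditional states the either/or more clearly, and the `assumeRole` merge that is repeated verbatim in both branches can be computed once in a local and merged in.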
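Review bot: in the permissions.tf hunk, `iam_role_task_policy_sqs` falls back to `var.existing_cloudtrail_config.cloudtrail_s3_sns_sqs_arn` when `local.deploy_sqs` is false, but that attribute is `optional(string)` defaulting to `null`, so a user who sets only `cloudtrail_s3_sns_sqs_url` gets `resources = [null]` and an opaque plan error instead of a clear message; a `validation` block on the variable requiring the queue ARN and URL to be set together would fail early with a readable reason. Separately, `iam_role_task_policy_s3` still grants `s3:GetObject` and `s3:ListBucket` on `"*"` with the old `# would need this as param` comment carried over; now that a cloudtrail config object exists, the bucket ARN could be added to it so this statement is pinned to the one trail bucket.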
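Review bot: in the variables.tf hunk, the description says to "input mandatory attributes, and one of the 1 or 2 labeled optionals", but nothing in the `object({...})` type is labelled 1 or 2 and all three attributes are `optional(string)`, so the reader cannot tell which combinations are valid (an SNS ARN alone, or an SQS ARN plus URL together). The `"create"` default for `cloudtrail_sns_arn` is also a magic string: in the sqs.tf hunk it is passed straight through as `cloudtrail_sns_arn = var.existing_cloudtrail_config.cloudtrail_sns_arn` whenever `deploy_sqs` is true, so a caller who leaves the default and expects a trail to be created gets a subscription to an ARN literally named `create`. Spell out the valid combinations in the description and consider a separate boolean (or a `null` default) instead of the sentinel.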
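Review bot: in the versions.tf hunk, `experiments = [module_variable_optional_attrs]` opts the module into a Terraform language experiment while `required_version` stays at `">= 1.0.0"` with no upper bound; experimental features are excluded from the 1.x compatibility promises and can be withdrawn in a later minor release, at which point the `experiments` line itself stops parsing for every user on that release. Add an upper bound to `required_version` and mention the experiment in the README, or drop `optional()` and document that unused attributes must be passed as `null`.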
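Review bot: in the new `org-three-cross-account-s3-event-forward.md` hunk, the queue policy in step 5.2 allows only `sqs:ReceiveMessage` and `sqs:DeleteMessage`, while the task policy added in permissions.tf also requests `sqs:DeleteMessageBatch`; for cross-account access both the identity policy and the queue policy must allow the action, so if the connector deletes in batches (as the task policy suggests) those calls will be denied and the doc should list that action too. The module snippet's `existing_cloudtrail_s3_config` block with `cloudtrail_s3_role_arn` also uses a different variable name and attribute set than the `existing_cloudtrail_config` object this PR adds to cloud-connector-ecs; please confirm the organizational example exposes exactly what the doc shows. Minor text fixes: `sfc-organizational-ECSTaskRole"` has a stray trailing quote, "bellow" should be "below", "from were to ingest" should be "from where", and "### 6. Check-up" is a different heading level from the preceding "#### 5." step.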
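Review bot: this hunk deletes `org-three-cross-account-setup.md` (Cloudtrail-SNS in the management account, S3 in the log-archive account) without a replacement for that topology; the new doc covers a different one (trail with no SNS, S3 event notification to SNS-SQS), and its module snippet no longer shows the `cloudtrail_sns_arn` / `cloudtrail_s3_arn` inputs the old page relied on. Since the commit is marked `feat!`, the changelog or README should state that the SNS-based three-way scenario is no longer documented, or the old page should be kept with a note on which trail setup each guide applies to.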
diff --git a/use-cases/resources/org-three-way-permissions.png b/use-cases/resources/org-three-way-permissions.png new file mode 100644 index 0000000000000000000000000000000000000000..c25d75b5990200526948f383a40c5108af615390 GIT binary patch literal 111497
z{wI4WhM)Mk_XH^F`?~u3e_jRKE`X`Jw=oH(XJO5}D3;<+rym#FI0eK-JzpXI3yZ1;yn8Fn%HP`a_5iK+_V+ z0p&idyT(s?^Q9Lf3bllrEZV%=ZlK|TBV7z)oXCZXB8j9)P;`Qdv~qyPQZ>8{)4P~J zS(z${$!tkf;#o%uU;D)|9qu0=pv@uux(@3#sgTY zz||SM#hpK5%k$R0DxF0514EAA%&P%gd|)d=G)=`JriHpJW)j|BXmF&_R`?4=V^sTRtFEf-gy$D_# zn^bA^BJQGg-;k2Oi=(r7;p;<(>(`>Tt+u*%WH$MaJQue_SONr5a40i=o{ng^D4Ly^ z{sL|mtfJaBKfhvAXdhe{p`zWvAmwGju=3q?9%2emo`OOVd^?L|{P5m;5itp6-P^Zs zZ*1~hC#swz_x70r<$*-ne|dBB@VEE-ImHLuuci0b1=F_@#s1X{554r^*nt5+9HJ7s z4yL$SH-~sO!z3pcWgJR_gdLr;%%Aj%Wcw{{k~eFwqqc`m>kh?6jaT~u;wmOt#3{cB zyIpi=84akQ*<9}h!lGSi)$n7}AjkZy;B~Xr7NQp@zD1K_vRGhRFzkKPEnWMI$VT#Csg9oiMdxl^4d|^^H4RMon zb+-t!qWA`XOxH5@hZrX(XF)+0OQBa1H;26dQYeX3C(}PNYO=7fYO*moII7vK*z80r z$QS7!Eh8x#Ne8l6)}!xEE=k_c0@+PUw(vFeNlHp%Mn)#2rFDB`1SH0X_bN9tWs@_6 z&3b!KhJev@!{x6lg{ahkkCmc!%=mJL-EinBsOSt0Au3S``- zA%0cC4tcn$&C=Mhk+SQuQE>Q+_+x#{j?y<+AQb;sNToHW@Clz zCLHX~mcd}a`vp){65|a&s?-;R|15r6UG3KIa4kJ4JKJJ$2#yJ7ei(BRb#Y;bKzFdk z-AX)CmmgbOTbm~5UdiRox;&nh8f>N9;BC@>%~N;k)2C064aeLKKUPO^qR+~^W5;8x z>!V$oTUtu1t85n z-9Z+)&dwraKcB$(-p?JF$P2%?&ULV0r}9tAtKu79=gtT0OdO3CWTeHMQ4;}<9V4h( z?%mEb9xV*JUw~(Ct{9djyZ1B%fehlhu;E1WT{uLJSo;wVZzw$<3rIpbw}or>$b~7e zVNz2oLq^Bn*4ZwKBzZr5!EK?lA=XBo(p3tXf9vPxe*&c9i>=fKGnmk+t(V+F6Get< zX*pn11Yo^N=xoq!ZtfV|XjO!E2i~jI68K=6D#HP!G~Bl*j5K-A8vbiu#wDH=$IT22 zcfz{8Cv6IDKll~8XzFrzl^Z?BXDmk{O6P60xP?bV6Vy%fB82*_CSeZ-x5587R7tZt zF9f@fM=?tPHIq4X7sZ2-M#bN@XY=Un(+1ijP0-n~Ds@Iqg7zymNC1f~1RtG}6c-0} zp2C_wk?;G#EL*B7RA;YNSh){`9(4D*GQ_dHi)Pj$b|SO@n82N@HW} zK{XlE4{d~EiV7PPiyiNA9XlQink`QWc#nMhalU@B(O#GAJ|=>Fs zOA()^tg>=WhAY}<4`vhs*7nfvhs-w@CFO#@6qO2?RsCDW68^2}jgJc&)!r4SWCa_0 zw^MTMLSS#Ye@U4mQuWF^76Z9U{S`lH-)36Kdm(L@A8+jLpt`*^lZbdL0>OtzMJI3+ za~T_Ejm+9AkJFKOuvJ|hx_ht|;9K_fzv&R+^Sr%N5THj5$n*zT(KYWGu;*tplAP@w zFEW@ZYY0vY#IxD4YpYY2lv-Zt`+-7iuRa3rxIIyVoU5au#uua{E?v4rR+JN&H@*d0 zEPdRA;-HNUr4<$iPWD`SdSq$U;mX}7H=Y3hZ2qSg&=k#kz71Lx^X8`C(fx9m_X?NW 
zlpO8YMbOE@uT!AFJk1}^(YG(&RHhD0A-wy@8=jo3=iJ`8)zG3im6d#_NTx1gFUcE`1@cuz#9+Zv1#qJB?#QS>5u1eBocvtMTUIn_p?6k+7Yyg$S*Uyd(IX;cXdo98zl)~8Qgc@pJ#Egdo+lpDCBmh-6A@_iiS#0h?J5UZ`V_DAv~Y;4Nw5>I4a z57Fyjez-@*|5Ij}K=TXqtAWU|7a(uib%zUx9@DQT+5f=k>2tD2JUEoZPM%G_A2{&L zO1M$8$av($F`>$@A>{e*U!4wcm~}sp1JuJ^=8YRV20A0d`#A$tu!)s!sGH3H!Q5L% zRn>NHqjXAax{(H@HjT9GO{a8smvlEsgMh#mL`p)sJEcQ9MWmGOZqCBzeZSxHo%-*L zaU9Drz_DF1=e%cJ*LAPmF8UYhfy+j5@$gVxDr$b^auo?=Tn1T`JPG%_ouS^|nZ9ix z?&wJ!DB+5}R=c{?`Rp@Vm|MOqFwleY+Cq-;;EGj^Wg>OmtvUFWIm&d13(c64>?whp z0(NoE&^JeoJQ8p)$Zl{u0G<~G#C|VU?T;tz-Bc7>>VeL^8j$f75mHc4%+NDRNq|;= z;5Mj5#54W}03|C5xc6~+d-G@n@qEi!Y}m$}@dudo@>M&LO4U_Vit5N4h6Z~zzUwxm zCfCFOI$-fKfQu!V$-&L^0XH z!x?j2X^~cjEZEQ9uq|4=V11*|q6zQ}^RFhM9|1vIz_m#}5vz{lE_2Zrtlin2-LcJ` zfmO*D1NK^kbP$m1)xaYO-;HD7A@t6e)#}e_g~{pevviXUuu)y z2z&r`cJHBzMWK|w1tLc&zu?LG2d!bf8zWZ`Km#(pMkuDa-CCmQS9omJzg6ygFjJIf zlvY@n##e4sm>@<`_&ZsajLXmb>%-J0yGmyB`KZwHWG^P~lLD}DU8#-RF$w4aQc_ck zjRLg4I-4zjsELVrW#sCR;wY)8V$hGHktg9+>*2VNdqwFx-Q;fv047gS9txR_`;c7Y zI=BohpL;;ytX))DsUmbqp<)d|I&2Ly(Efh_Xsl-RTRiNire)V>E`gD{v$Km~zl$bk z$M-SR))(sg=g%Jv9gpl{k~pauyJ;DrwKcaj^J-uzJNzfGOaO{dpxOC#pbVirBuErA6+h|0CkV;H(w|DSEo=KPG;>g-G+&vE=d9c ziZ_<`u2zb3^;ZIb{0iuUW2t=1VPw+$b;Zg*H{#NT?0^lh*Lq6W@wO8MWhhwwrPG;F zhw%XhfZ$^m&|b+~kev6J0c&O)5OJ{8wPpFeGQ$7ms|OH(?;|1#Z_airo&bR)9>A+? 
zI#((5UjZFz(wCsl=iiNLYk&Hi#+8;TghRv9Y%YN?v>#h6OW)l^KK;FMkkfvT`k_U* z*;^spRek26WB#=HxA3RqZR9aK`FK}o|5(y4!pzuIzjSa{*NV-V;7IXGE6Y_?`T` z|FC1H42RKrXYcxz`_2bOWv`CudBoexok5dOfH*ElC>Wc)>m7Ep=r1|@Hl=KRc+gQ| zFJjfN{P8OIX6Z3o)CiEMP$U5wYK{w)V;ca8+KKX1QTW zO39qtj}ZK*YwNpT<1-f0c?*RRT}@k?KM-%HutW`TY3S+%+A}(XM2{aVRz%8 zDqYA|N)|NnLzw@UUkR{~%$%#Vl7OsDpivP_MSUHMeXv{zNCMMXGaioVk&#fgd-?l{ z9MwgdTAE4#j`jR^5pmfLw^bigbn&t{fK+|x2n+(|!}D*uc@{4?w}CKZ9rZc5FbtIE zf0|hi9)J3i0vZhJ4kN>_*QNijPzg?ZM^>}vzWT|geHWNXNFGqmVLZbqcS|k)^_aHS z+O9pTPh1qh?&x@Od^$4`mi&)wEgJ=VcM7l^^TZgiAmk*a{GqAgmfyVxshnhSwo4b$ zNn?Q2_~hh7bDdG~&(?4CNh;OCa-cH0bFly$n*hAEku75;M~zreK;T1qjYUTNk1BV& zl+sOBplQ0Gtavdq+pb2O&&c$0y9d4Gl;jzT!9tE%_^osjh61BM_>o)Wrn7Cwe;4Zs zQKdQvOrU20)8u>^12}&J|9y9h*~dfg7dvKLA8P>#g8SZdzIqGLYn$rUPS3KXw8TvO zUxAT002_|WxQk*OgXJBF_zVI4$yfaT?VJGrvpH(Jp|dPePl-W;u$NjDGd&4b9}ZLo z`yDm=A1V$`Z%lQ34OS+P&T&-UaQy?hKZPCTVJ8yn`_x1h9BS&nz{Uq}_|}Y;jJvyg z`G%%u*`(^4(Vr5jA5*^OetXS!XWC8_0PYxR-E3bhtKJnHUh1w?v9UNr( zv$5)^L8YwB5rf$_CHDEta=?x1So>MJsc!v;jFyNuYDw@3dHQaH?MCy!@qjSi^YZ9J1Tb+cGiuB?2+veK zmfW^tC&UUn&7Q=cHkGz1Ioo*o_?Bd6s|YrEyLh_(hr0HjAFm+*F0lE!*-(3ezH}dE&J+fGD{(jT>AMVnY6L{N_c6N51J$wB2m&pl;Qk-jghdDa+rGy8Y2HzrIE-&2E~lK0>PFq!nO90dnrkbxf+JZFwNM zkV%pzyI%3al-O)k*!l~0c1_jHOqgPlROA1!u;KFdCBfEvc*KiaB) zPXB+iH!x^;XvL)4+mH3XH(>k^`|{7P|6gt&JPO(~T^>U{7+FyJ%q_${COGD_`Ah;A>7Qf5gX|$#+E52T}v?fCwyt9KPKWeM2Ccxr{s4?O!T0iM50GkxYqu zCoFO46BMivHN?QL*1<4T$owXzd)tz`b#p9e!|nC{jC4{4a2t^klDtBz$8{?)aTVe- z>LyeVsT_@3m`g~3(rGv7qrA+y2|B1F=?o>BNkt@A9bUIZ%ZUpd4dAs)UK^GIDders z3&h>gOf*boxF6#kQSzUjE!XTd0^|RB40%ZrgwsvQ+Z9CX{QN{WgCms+jB0qR)hE6jf8aa7`ytjKv<_=%S?usGW)Z4csJXw4z z`+bn?e?13!jfs@qe)D45`%t2!_;*$r+Si0Gv2>;UShS2pg;yZ8sWV#3MmV)MmtN2! 
zhBz!sxk*X%pZH|CZkhh7S(V$lqFh+=Q|>LQ_vTZQ4qN-Fm#X+tFtThG-QPk}aE%6) z{x!I>e}-4c#o&L*vxoo4Bi2iLa!+opBfqHbDeLUM4q93TDFQ!!CT&v$VtRq|8kwG< zCU%{6Jker983V| zp6(>n{6fLv{hoj2H>IXsZ^y1gb)@#`)s-zw(emkWA<_{@3jYl`G`O7`YFw`i9c#PU zu&Mb@D^3u-DVIN3!ATl~uTPCkTY$h^PBhgKtuY-oCoc1L1+)m$nIL3s8`;%H{m3wgcxis>rOUJVkCi$g%$#ePBE`?&*I6 zN8|@-gBr4Sy@xOO9Pmh?vEx?=x@Xi_6FNK+j0RX_$&zL#uG^|?&IK})ylgvDB-`no zma5G~2@2hlZW2ae+hiGZ)l9o|sJEF=hZl9cZ-uX!DV*9-iq5;%PaRa^8vwj zn|^A-?MlDJ^7&-^tJ}{F2%>BFV)nO~XwJiaPj%*LX zfg1@(joFMW5(Z}sC02*4@T7?C?TNvZMlsDKT=;ZxRYs==XK%ZZ@wfq6ge4SLJuhbmjH^ z(KOQTIjANk3dZ)?r?q|$yU{<+kKrlXOu+w7I*R-N!9-eVyLGgV!@9GgHx1dB(ZUDw zYJ}hSTA2XV`=2`$P_Myv@_T%)&emAU7X_oid;|G=hqFTqXhrbtcu#&4==+~_1Chh? z`a@VGpN8-rSzWegZ-=(vYcs}ZKXvfhX_Oou@I*Fu@Eo6Yu861kwCJCg2SY~K8BHBu z8oWEK?-xy6Vgh9&=#~utAoJb7aO`-Q-8rr;X-z*0+#Xi z*q7mgF2VGs?^tC(AlK`1Z|mdP(5Gm6g-34;T=40PNQo{;v*qEMI)nMikzXrlH6RMR zmoX3q;8V>!FFn{fk3=XHdZy=!h81Wx5@TRMtnQWT_Y*Td1*I9<|D@_K6v3C9$dVq; zNH^v-^rje|uks^pbgG`oIg}Lv*MX#cDbL3%@nm~;;D!QHGuxlEVg#KIKu0uMHcyeC zo@tHbU#XHMTvHRp{qkT1ux!!0=FvCGJ179x9%u;dQ1$S=925zPZn~H{dZ`5yPVO|C;RV7n9aDBKROKJsj@%a z(_l1Z*6xLD57H(vWZ%;r6 zPTw0uns|sp-bG7wq|UPbsMSAKM*5eP8R<=39KJL^ErCQ^U?tENWZOIi#1`(qB5jBU zgFq@trYH8}uR-XDSIErM>B$%TQy?QUz^(s%C{~*PRemE0AowU4?paBZHlKb)K@~(R zn1g}RRU%2t7zImm{#&!%;QqJjn-@)VQ)oS&EpDTzHg8Wxptw54ixr*QqY#Q>E!T+b ze=E03jTLE2XDUUXJc^`<_@Rhm6+uDPAn-LCG@7h10igI-$9_Cvhi{IUukvW@{_bgFs!)E zOau%-dnAhv#&pTdb*fRt8P_Vi3zQFFM36uZ&NS#gXF*nqCejSv!28L%PsbO)RYOy1 zkRJ2U9pE3nhD-;(kNh}E%a}+py@PTkW`MOUv@F3^vEB>rx_aY=jVfkb-X;Sd5KAf= zNWYnUBncg2ziOyWnZia@+nLxv$MUWqJq-lb>Q|BA*6?Pj8xpsPO8SCvo>} zAOASER>Tx!eZ&i*uw6&YGL8b`{tzd~(PNsw^(j@~3Ox!IYfW+>ul_;|4mt@{n1B{6 zVqMJEdW(I^xTNE3ME%L1g;S>Gc_9u$no#;zEJo*`Bf#iQ3;qe&Xg4Tm%0@A?dnath zG-4_pJ2|)0#QojS3l#!rt!UR(>^IU+DG zt^?H0`rYnm+KN#F<`ME3X{Pu<0>UDzDOZXNRKX)F1#2B2+&ic9nwGJJ10UQqPqKNP z$qG{QBtYKY*pGPcaXWnUS%|E?L}?R;Kmu3xU*-J`9v)b>=YzT&u(IB`NrAZe%gCE8 zh-f+5gqp30ayUzvFlyx9XQoCx^ChB4%?|o#DIbvw3qfFHqTW76^*cflK0mk7luvHdi7J%AY2g<=tEm)UiWKqQ 
zVE_&?Mr(}{vI65e3VMhD?Y}A_GU#q61ES#VQylrU-dW_NiNG~eC*YzLfoH4&*!L|s z(5$=Q0hbNH{NF5{JHOCNi&w(RfCGH$edp-q$IjzR?%e1|eWB^p-@ZdRuh)i^e}0Rr zg7_T7?LJPHKH;LK(i$uO+`QfOxaQ*>40yXAGuOdZG;H!VbmU;GIY+GD49Jok-Y?1W z=u|<;Rk}0AzP?~MtY126aQFtoNE3$tjuOCOQ84>upb)%4^j4wnSMRA!FB^~@?sjIN z16PkhD2%u;7@GWzHAh;-M5N}~uz|x|&{g%*5_#UO!aEeK^n%>p#jyQ9dWVy7rxd3%GR`49>rbNvP0jc5MZ)ak zawUj_ED18FRa-udW87a;UM4l<9t$KVJ}N!iK&7!iWDO4drc#6$ecg;6B7^a-8v4e% z>=BBrAk#w+0%jW8nJs48f*E_Lvj<1)fe`xoZPvSWIjJracgAVrgk`L>22#f?OsWpd z^K#urzwbph#bF#PlA$FiUHry~Y`-jPy~yF22jma2lTEP~Q!-OgOBUWelO~$9Cmm4S zMQQ1UkC;Jk;l)z2OFxQIM#doMjeX|JCv`50oad8;09WM5-oMdpS7m$1Kd)O)#mh$6 zwO%e3Nh#HX6a_J-W~sKBVN-0 zzUwi2X+r*Ct9BME{2py$A+z4?%OY2z$=K@xZdBxt3|lF4)FQ68Ilh+Y%~k|-OP^V4 z`Ni6BlTkB62SZ1t6kQo+srBP~g+#kHCV7ug{V0KzwkBQX7_@m_0dMsDtgQ!kZ^8qF zpGced-2)H2@R}=Ft0%hG_VQU^-leGsmAV$G{KU?p; z9DGp}Q5-6?dI&wE9O&)xf+}oZFJjXcbPZKBM?;1i80&wt)x_2YN3xJ{RIjhn;eo?5 zQ8-NH>}y#UQI^C1sN50)PxSj=o!D3Chc{4Qr7V0P0za+JaIasWH2c5q1zr)8J9U3*=J=bI=(`X>6V155A#p6q+ zsu_rDcft0q*F1bGJ$_wY%0yvV4P1Q5G9bHKpyx4bS#PF&%>0anEZ!g`Oj>&Ed0Sl- zIp|cM7a66!iSCrAUHW?pzd@DJH2Q{?ibHBMHO@qEc%2Xobw>kQ^R@3siqyk(lDIvI zPrWV0OFwqw%ZAPehRzF)oN4>@Q|51qqlYh6tqC&NZS-vJ^PFv}7HyYIfBar|4|&Bq z0i(edx~`UT2=|2cL(L1B4OBF3?v=q^{*#L0K44+VieSsJWVaw|eqpMjms+oHO(<*g zhqL#WF|*HwrZWY;x!rq~abDw|Tf|J#39Y$my=V6+l$*B7wTpk5gT`ul%dE>M`+n3) z4QV@iD}kQlxBs&=90wSI7keY_z;MK6Y)!UBlLD0&wi2}qJVv!oSPV>&NP*M^9>qM+338FBu!sPdvWZp|1s?g=7uf=ZtR(P|1fRNqo$nYPGBU#Xp{oWl$ zrL4&QWTIE*{$e}|c0w%%Ox`&dcy-Af!>9u!Lc!zD6T}L>UFNuUiMHE&tsoG_p93#) z-y{DVwAn+xN-B)0OZF)LhIY`aO(l&Z;-+tRoX>tduuloC@suODlO2DMP!SEEv{fFl zC1(uM!T0;!PHs>|m$|rBrin5C4q6mKd(xoKUDxjHNls3CahK?$zc{=-wLje98RkkR z7on~ayRSJg#KmKOWj4j2AYZ?E-nPuNhl;dKo5d){^i;>zipC9T3zl|zvc`OI@llj! 
zX8xS}9_`mFgPqRh=k@9k;n_N`v6m=h$KxkNTJxe{Wqg$7ixCZ4VsRV|tr1fZBb^IO z`tR<}Lf(Eh^hSI;TpPGL5gypLFQ^=QjiZ=6J|eD)3Lu*?J1eJiy>bqD#zF|B!xA5;`nu3 zW8F0@qqukbSSKZGu6u@U-yG_iodn-j^E%Qs(usNk8(c>b4!9?H`%}h|h^qVvNa*D@ zYivT?6wjoSh)+b{4e!Qj6u&SD-1avA8Gvb@*XLhjLX>Z*wtBN{fmV=QsLE(Fc#Qi^d~x3>U`S4BYSlU+*M7oPWxm z0%Ws4#)sRlvj`uQ8@kf4?(Y{^9wU-bKbPOy8=Wit1Yf3kUDb3LYxQa(O$X7ZcKW`~ z5li~n-7A{L#+Jb^#YL`=;D&BG)f4cwpb77=%pbdz2LQk6Ah$QaPp(6X60(bt%B{O>)DXHJ7! z_!=vmapb}$6IPR9_Wti2>Sn(NVZK5S@GojGl1THy<1ViJYQjMw?-c4j7GeGQf{g8D zhWVYc7}oi{x45JvCyk%dK&oxjO&pcy19Wm*R-vl`)?~E0vuK@|08+WXa_iO?K0m)dLi)MtCv~{8o33ms^`pY3yfbE5EX<;%y+={)5NIHs z;KUO?wKu-)89O?uj*xsaI1z}K92so>FuG|r3NM?jcth{%Wpu|w*K!gu@a*DK`_NB)W!~o8$l+{wz)wls<)Srj)aV> z69!vlL03}J;5BA&n6Xfne~PCHJ<=yD;DPC+WeAQ^6lRlYO>gcwD~uvy1p}c|pE@Mv z<*gF10X*m=>JKU`qn%l$D+*@GUCrK(d(FR$q(*fAoX$qyok7^hKYWAfbC~Y(^Jjj8 z2&TaN`FDsG*GI%d-wVwkfu@OA9O=B(1vdT_7p%3-aI9bVCUjCC(NIXiiSf(ug7D$$ zQ_H&jvwnu52Hd>h+S7pxO1{kspVJbi@_VHgRsDuDQK0}B41$aw*nP3!UgAclP9}UJ zR$W(`@EquEMWQX>SwXX*U;vX#vN63d-TBTLn?MrZ;_i=5$+jx;9G)Ec5~F@9@esnr z9~mEqhm=TQjjj`7tvn4^>vR}#vD5*lh*eNUmfq7qIrYaJ-?qeEo>M%z7JorKti7#< zooO-ps~<0ys3;DjQ(2KEt>Kd~KTE9i62tL&-M^Lh4I4w(dDTFtFc&ySmW=Z=t<0I6 z<|RE7J{!}^VktlPmqPV4W)}u3>12Y7Kwp+5|0y7-Y5TN6>fWWAR7?bsvoS(0u`f6Vm+^&5yW8%A*sJ%^cJE9vsj;@VKq>I@I!MRk8BuAYM%Na(QE$8#Tz zYL}e2w!_82&1&)cYqh!o#(VwZ&b}fHi*;xJV3K3J)m2&J!9{_-l=KI&91$P_ah@WO za$<;I;`U&<%OOetE%M%l^PVIIR=tydksP`3WTU-ZD$tBvPgJv+5CTWr0Dx1Hn!PsR zv;oT%BA(D z;6Nx~XK90DyHpAiAU9RrheNQ=9!zGS)VqZ+zKCjh15xdMeJB6jwM@ z)BME{r)ZStD{0hfruotg%s=~^-3$QuZmeYM0%=>72xAiV!rdXVhFj##8QaTk8=00H zIRTC)0hl>o_p1O_zYIS3$cx@s<>dSrKe8-HBe(#x!^T4^r|$LF2vi0415&r_O!7UFrKce+1@x}Q9-dk)_7hRn;D@&RM&5C>C9i`c=N|7rnh5?fHMb9R2ze=0p| ziN7)38ls832nOf|Yo^*mDtNNt*FuplBlM=x`FAR|Gj7w3<`4UggDlhH_-&&{ul ze9()E5uSfG$C!d9!yEW`&2tDmu01o10KP$h#nbtHB&jqt1HJ%r(As79LznOsqf$s} z@-P)CFe1@O1u92R;c)W%d+2}BW>qPjeOnes?T2)DLD}q~(^c&bp?QWDbC-o6I!+)b zJx|5ROfci~CEhxZB&&e)y6J2so`{7^$Y5g^X?x zAum7)unA32P3=QA`)*7^*`; 
z`wyksO8A;dxDV}>LCG>CgP*jhvfj7iPg*~GcZh~6m?T1=3bP)eULPIpSsRIZs}dph zAEIEn?GQ@o!K%bw;VVCSQ#^=t&{MEpWZUCcS_F$K#{43Hl<9gh{5pWKGnFt*YVH#8 zhip&^Y8BEB5F}*!>EzXaYmqh))KTj;oNwr$DNcN!y+4n=zX-kI8I%3h< zEUK9|`l576omRwOxJ4CRTjt-`7ceJ>FWWvdl3ry5MpEL3hnFYPd+qjypoNzeVm*II z#a4KP{d!9pFFs_bz%*D{hR3iV?UHMjXGF(Sv`zOv3EuEI#hUZMsJ8JS1s@fOKFym^ zJb29_HeSaDK41J;IQ(Y9iv*sxlW3jK>yfqIh{uYM(&{AAnf6t~{ON0+Il_GTF*Sdh zZBLTJCcDZ{_6p?P*Jt_AymGJ9WW}FSs`~U7BuQez$BQH*Or%=Xx7C=5K*+p%icHj6 z;2RFS$&jfbP99t!?woqv2ALitxZ&V%6$C@oxUitkX6kHSOoVoN)9SvHZg-E$(LmN# z7-X9g+EZJqhuM3$X%El>G8jqOQVL?7KhLnb33Hv}%qu0HXrOtM=d#qYPvcaiBCRRP zm9GygsHSzbl2h43m#X~pnUJv0AH7DCA&0GHe>5$=MwX0C$g`wI(t7U18?%KmMH-9K zJ{ilZ$mwC_&;o9M8;40i}aL6jsZZ+Qk_|*~Rd|igzf7S-lrA8>P8| zBp{|-SNXH>sB)Hru-FHDcN8!a>`drGW{W+3^{%116qj;>1zi?VF+==r4BH5mUi(*V zGa1FVkMA?Ls;{szS~$MLF>Ca|qDHjp1}L;lq8K-k>J2UC+%JbOC>koT;` zW>S;uDD=^K)v(ygNFeqIMgi#Cw-iXj_h?hy|766x6;r(Y;Z#i!yHz(Y!;sy$^n_;t z{KoliHqW%=@UT?^+Eaow=HZL_yLeScUK5Y61k4e3RN&u;VNG5VZQmi@#^=y&J;mK4 z&})Ce`h|lwDR~h^`}$Q3#NXUMoi+2+=Ba#!xeZEHC72v;OAQZd@@sVNdv@6gQ34$KI7We&fH5 zS2H>PPW2gd+NdcmBoYMz#=X8~Y2lArqt#c3aQ6M_zdi1=`F$xE6$eyWLZH&p4qE4v zXH)7DFKoIaSZ2=;LKGau&8Ic(GBMopj8}U?>x?9{@W2ikSrNV?1_<3z*3%A)*^Ud( z#6{;BK{e|!us(0B8|Ir)p3a+It0VmY249}12@-d~pL?f9`>FrHl+woQz`dRxpZloD zx%sE-M+L{8WJKp1eI(dxc;zgdhwg~grFz8nw%hF48M-^Wx3gkyE+93u-Q6Tc(NPMxHZ9M1~V_#qvV>hyP&2ZB+wj3DAY0j0qEfsKPfT=4awid#I{50b)2n<1sp zIxT+fXcrTf!O(nW)QwgJ*eO@G_Q+2#x;npjnNx5_D^>8M?iG#(or-3RxQ3baryuRK z1@T7~9Hgg=xP?(#z_O&hegeG*`0c*(2?1h6ha%rP*IF_?)>t25ey*eq#@=rO#iXBxaSmcJyBEMU`TXqg_=E|fK;6L z29$e6*qdU+yXoEiaau}On>|Cis6O0bpW^skz%Q})0L8~nZUk7`&BPQF*}CShr5na5 ze`(FYJ)HJZw03Op>I>}1#cl^;R8t5xb6F;nN=7U7ywAmVzP{R>*t2~}A?D`1#M{^{RQUuy7ib)7}!gA%mvcw@Dir#TYqZk$wD^OR&)Wx38jLKY9BV&E`AHixT#)=ox)^ ze!MXKA!-13SrIr)h5XbQgkT}i)P7V4sl}K_YW37&kp=x+zDKc1W|F8nIqbnRVR`Yo z4@&&}ey?WyWM;0&f6WGI=%v@=_(!M$X=w!@clgU7M6wWATPH_uAGfG3sR!roQNabV zTCr1TGVxLAhf?EINM_wVz<9P;KM5OSyd%g$i;2QfEm-8{tTZM;A$m47qjy*g%`3sK zW1C?vTTB@0*z1n#7Dd`&+0L4PK>}V8JmcKi`=70c4 
zU~xYEr^H&A^{jB81Mp%}Q6!5mG919oyLun3Yk9DyRz`k>D{y0)RHBNFt&#pF=*X$C zeK8PCEgiX5*|k^M^(hN|@whF~dz;?ckXqQzBk#{H))DLCJ8=j6Y+D!d@MGdG?Lt$8!!GBo+Q=vPo-^Vs&2TbkAzvAN4)h*NQ4XeR4e>t5!gpwTx_cRM`^F@M^saZ z5#)*Z*$sTrca|Bp?i(96mCDY$=;)mNyoLn%WA9I^fEgSBU>5Jh>DUQ1I;YD;7OZOL;39p_BpN=tD@976{?`1b_>g3J6c0(Y` z?EWLw;xK=1mjOV}_)3 zzXm}KdVO&3fN&ry*C-jhya{%i(L6MbxVRtn`#K^*@q;8Zc+doSPZLJL*GVssqkusW zffX++xeDVUunomLV91y_d%(D=rwZFRAMQ2gw3)1;bwz@7$#r>&u{<@ee~DFV={K)? zeupvU)$8u6XU7~l|MkkNmPpy22zvx5ZNb)0dCI47&ux<_h_v~MYYgzjSDgRZJ99#QF~<~s-RQj@4wzQFPKY7Sb{Iq9dYK0ZG!qY z`+gMz>}DO}VYv^;BZd-4cAd^5Ql{F+Z=W%fMDNw=156_fS=mO)46GBP?85cR%tTYR zH6s7JbvlYuCt}ueXlR{pWsM7FeVRjOLd0Bla}z=_5ghLR=9y>%r(9>LO?lYjW^{4J zW#K+h!Y0CQ>yd!7$Uw2WD8u95$A0DC;Zc;aFMOc>O}$Fv0w z1IBJy{)I}d>Uz54SHJwG+paJWQZ(Q?uU{Q*lv(>-ip;;mmKu%gcz5~%U1h`)E~qJ6 z=;ZMJ-J`so}Xud+kOZW?VzO=NKI`=dNSRyXBm2A61 zw&@rRW8qk+nkL=B8bP_8UtlWlH9~%Q-%oH?aNM|&2YqhxPfSw{;?a8ru%!Sv6n5Hm z(OGe`dcv0nu)~a=B0#xX72kKd1(lU#)Oe`4z5+ z=_AhVWLoRg6Mj~_1r^zZZCtp_3FDTkrIo|k8gS2fCodtm1~8W1W30kB3F4DcyMHu@ z8>M_l=)dZ!Odx|BYhJSUJ9z0ecbL-m^6Zkq^4Z|$N7eh}IQ%@E5QU!KE*KDiZcM@f z$cIFG2z;tKF4!c5r3P0;L4_PU;vIToYqSVuG#kFHJTK3TG%X{Il-<2D&z1dmfLqUM z1G+a|W<}9$t}QwPDWD;w#3~JyO^sx+Qw+3=^`hxDmH1Ur5h2LI@ktC=cE!F2lBfJJ zaJ<#RX#;aM=_rS@`$et$O6HGiy5>fg+{~%jkv98t#2?d)qMMmMzt%>Jy}-$Y_7G62 zBr1nK2Nv5?73(!VY|8az@U=_O>R~MrL(|YO;X=NDBdf%*+7tPb+#(c%(Bd5Ri3=>b z@FV8yF>$9|{20S3jm<@&Gcd+1ZYbqxF6i?9&xnMQuBbhc(B%F{m27})>oSQe)qMVq z{OH@dtHg|YtylWWam&O?G1NhxcSoPM$e~=^K%SRu>D>D59FQ4t6sN?(iGC4W^EhG< z{T!0t#RkA0;9DEtpm!{zYCeBOM$7oUZH9tu6oGggC~E0g z^%4v+LQXuBqZCxNUwI9UdAq@mxO?5V-_Cn|c!bYM5qRSgyYVD@e&e_RG&{j^%%(2p z27Z4IFxpW8geAoHIT?wE325rW621+-Q^w!SUkX;v5i15JIdz3~!1d6kZ6s^F#D1cYHg*D-?=&>AoqwpK` zOI#EJOoGFlT9^drOr%_Vg^QXGX?WP~q$un^M8e*-s6KXVnz+15bU!aWvig|zK!C;3 zhEP`(#Y>&3+w)8#(G75LWEkxBg52w1u>W{8B8&Fr;uWQBmj4~i!|B-V@yX(;igr&& z$9sVv1BXlhM1gcqsWo$W@mEe7W@94DCzc#FP0ivyLOl@oma1V48CcuV?Rh zw|b2H*1rvuF4o!0FmLuUI_hmIW?xipl_-ExPk^69S3fXKI=|XQ!J=o-`-@5v`L-`P zBho_PKjAxu{B_`dw^i2oWa4txVTqIxG~t4{rc1KtD*t^`ISU%O3-pb 
z?{YvWhv+?8i^oCO@-9@u89WN};A3yJX0-RX_U+StF*MBi*ydSj*^8mB{^7L-?{ClD zc*8bdvmw$cPMZ@O^qIM#h|`U=LFvc1xs8Az$0f`#Z|uG0m?o$8c~JrQqmZb6Z-e0NmPI6`HZq1*yn4Vq;QGJK%;o)}5s z^EwI7mb5kw&Mk5gQR3`M&FD3h#1Nk}`V&A2h;k?vE7>zL#vIm5;q7eY-A%J3Ay7=q zIKc-w#t8UL^220fKZ)z7xC~bZaTILh8R|(u0HaI!XN2Ubch(3qaYb1T&(59Lq_SUJ zxzV{!%CC`09pkG8{^6@HD2Zd|X>TI=o>eMw)07wb+OooN)n{a>=DqLOpUSwMgm;Bv z5xR3Dy$sJ1%C^#9B#Pmx?R^7#}xNGYwQXIA|O+)hu-v?k=RJ377xpF zQ1ZTc1TlC$o#aUZ-J_aq02$f3ao2e3X)2Cre}4--xxKgcJ4C#%u0p?hr8otbfEst$ zp71jxkXWhVY!?%P3G+FfAcZP;;|_Js_0j-9pPo*ei{Na9Ug&Ve11ZWgim;$!({0a~ zqbs_{o*Q?&qXty!_>#|r@*Vw%fi2{rC^)@X{7bPkk`do*Yu1mt5U);Zl#dQkAL4g* zUW~NbYwiug&PID3lurxXT1*qId<4#D=?~M z?1=f^APWG0W$V+exvPB}IAau8gK{ECRql(dnV}V}*%dEGUc3W__PN8vTbzx0*1v%O z0P`u;A&KME;TSIcIhoLr+&x3p^J3-_v1~hew@-_Tfb2)o?V&ePYpWx0p*1r>ajV^T z@J{r`uaamp_wB_WnJiA8I|v<|wV@c9m{G)!&5kfnWp4q4tJ5Ee@wDv z{n%8FIl9x6!GT75JOW>tX?_-&EHKq9jfl$S%I%SZ$UrZHDYf3Qfc|Bzb!!#IM4gnf z2_B^7Nt;oNm@D!1;8f|Q=?hNcXOex>LMGH6qQ<6S^0Gp&36MAL;0Ic-kgxjhF}@q! zkv??W!Ov8bt&U4?2MM)uvMbRp$C}9fZ_c_)?JDGbZhIz}HrmJ|*{s7n zVj&}lyuRNMEP>MfNs}pEWa6+Ef4=i)YChkV<7Fn$5Dc)Q&rPg308^rl>?$vp<=X`%G}1}v)os~2=njGArF#s*#|k7tA^F#G4e7Bkv~A6 z&zz%R!hjCEnFLb;*WoWV%S68(HL#hf(8FUvK`Xt(uk?9juwZD3=@1D2SF87d1Ua=7(vO_IAlA!M<=Ia#xo}tMI~ht z4I!^%vjot!^zXUNEiA}WdG%OT2*UMF&iAGmSH6Jqj>hvIu?pKx`$~=)ml{_aI?_b{ z2mo*4dqyD)Nz>HO3Dz?5A}Y~jmG<|iY(+ z{E_>c#bMwTIF>?$$aUF|(l7zFN7L}Ahot@DOGCf7v z@3t8#wadV_vRmL*&zftvV+y8PI(+c(4&87L02$@(eJ-+%zGC@`HR7OS8+zceEC?Oh zV&cqbi?eo{lQ*N;XEPw~ApU$3eFtY;(!979Z3N2xE` z;?ODLU6tbmPf(Fl)bz{fuSa=$+k!7+vgmJWi#SJfijN$BMhqE=#g!TpvCY4;nSJ2F7gAU&y$&2MA?)v^7TOOAU=UK)_vw3Hh*paxl5;=xK^<~Vch z`f}x$xpORYGlD9b_Z>%XW&)x>x(_7qu%L(sQPe*c7BK&1#I2b^>f(|YRi@jQS8G$q zlll63=^2$S3tWEZ*M%_e>lARf5}bCM3v#sY8ANvMv-6^+q2{}cz?_PP)dre%9(wNKXfWeUSrI9!AD z_?*5)s+zfFiQG=FlL$E?l;8JOyuBKyxw{SSSXbu1M^SFOdcnmF6$?@v34mjMDH6N< zc$2m@+Xffd?u!k4O-0zw5Qbm-ikZFkBcfCsDS1s6l5*>%qbAAt=DX>Bit?q3MUK(^ zaK(t(J}bm^oG*M^dpty7HbzXPJwcTFW~_I^b0HeO?UL?l&|5&pOP$Bna8S6&{eRGO 
zl~GZ((R%3a&Y?k3y1PSKk!}!By1TneU?e03q!FaM1*E&XW9T04@w@l_IIJ~m)-dzq zJ!kLz)J{5xTn6j4s#sr4E1i%~?QO?EWNh;-XO8c!uI%A7mJd+VQf3GxGzcx8Ef}It zo8XIL2NRU0zjj<faGNA8F1<{!40FhyaAJwlsyE!8Ec66&rN2Me|Qqj!G< zLBVQKtDKJxjT?))keAb?#)syk6tfo>HF3DAxwuEzJt`2|1_%1w_PCkeai3l1-wm=a z$GLB#7*ALrz~#i5J6zkF=Wa;QLHxSVd57>5s~Hw4I}%)uzw8F1C)E=XG00h(3*PJS zAq7_i5J=SF;=dYvh-?G|qCVWA-S5)4Nys$H3_kLvb&){n4Ak*4Xz^<4ae2!u$HaG) zxP7@u5=WP0Rer&n_UrZto=+MZMO-|tN>1eiUYCc+^wu5Q_%%5VT6f>KA`u^RKW)e% z4jm?X0Da*V8e3eM&d4C_*;PVgTqNL=dM_c0G-FM&fQ)iwjB`!$CJEw%|34n!B+OME zezePj1@D7~$>>Q)>`#wQ&L?~pOV$+Qunt>-jP_=d?^MQcrQ+cNEY!I7WgdA4TbUb1 zkLZ(Q%_Os8DRgu{&4PbGWh_R0iP}ZifL~#IH_QjhSZtD2reo5(lDi6hmp+R5s_86D zMp;Z4m`)^d-{gZz{L|5NBPX}6@5AA92CL24%@!lD(Av*LUdQ0K{iyzoyL)ZF3cs=< zS}L9f^UD*+QU_VvlRWv{9AYNLe{Mny!U1M!4IzR;dQ`k;WbAHcuwS4(5)vuDDLy)S zOrckR-xL^nlnD!LUeqf$XeU$?y>Xxv@&vh@zNBwl|0ENEd#ZYT39k}+WM~!NZrnQG z{{So}1J;WLClw5Y_jPFLdw`x`35O_kXBwXYj%h^v0*(QR03Q8T_eoup_XbA>i8%V)AxYl7o~s>N)J6}lO4!Tz zm+1~?v14X~;JObEVNFYkksC}H6dZWao&R!d>5+dQ86D}QY$jPM4Kyg(ge+Y(gpUr{<8KoV`_q|XEA%SG zb2BL*ucQ%?Kur`Y-Pom#(_bpkG?%z!=!&@MZ!5ZKe3YCC}%k>BhBm92wD)BYY0a}?hnGMGwe2= zB93kjE(dqhO{bFImPE$#oJ8IR0RAYM{{GHc5 z`qnU*6XKVf3-}T|&R<_ZguI}!@P_rJ-?;HLa}lcvWM0})W=`Flu!d?ZQE=s_gsxhc zoAq}ftc7%0Q-aQtIaD+i3ng`f_6J9!5?#^y@=@=9k`y0W^uR-pYY$C&ys2vcqB!Wu z+IV$6pdX`M+OZlgVGDI$Bs)SY=ah6l4?q}3eoSkq(f8>vSwoqZ3Hpa}%h zKFoH0ot@7fRhjJ7+j;I!ypX4z@H^6ga*v@Kkds(4e(Icn3r=hRoSO6DIKf7-br)vJ z@fNagvvK#$PU7%B7VtekfTx`AAZhcyCEC?(@+F(h`b_Fh`66Rwr-H@IHaj~_!>SKE z9g{h35T>jarYx!4L^8@hsRO*3SC5=BSbz~FI{f|B$Poqzptvd;Hdvw{jDl^Z@!q_n zli3)Yzi$6HE(VLw3c5iTbbdW!0Bo1s>)gn&SfFFY;EL(F*Hn@HWd76Dh{07GP$4h? 
zys`LkmKKktl1}f}_)k}BH9vfaqhI`q%4L(7C;fi#3iuwyKu_OB++`>R$3+1eW=OP& z0aG;AV1H;(w72Hk1OCO!v&(!q(sN<5rTl5uu!dL92k2QD4-h(`R3PP+Ppd{7fj_E-_xB<}=R!5gqgI$2cTzS3>(?LwWBWs@f; zjCl$iOoPTVonurep5yRYs98DtvqkM2W@)U+w&(F0isf$AVob`4seDysi--(buFMMpQH0lmP4cNOs~I8&&-nV@*XmG5!}En>lil_t69Yi`eq{EX@Z9ial%r5 zWeX0v?uXe;xH0^e#8+Fl9lw^B2GD8Ex6bxC%K`6nS`h=EV&O$x50oIHTTWTyE|_nM z20tWi=-o>*HW>5p?;OLwbAAlHZS%(|&3x^8FXO_MRA%AVG?+7#KxM^<#|)e{5t;1{ zo{1#Ou}`NW7(ZC}Fwh;EP)7;q_ToF5@gmNAi7Hhdo0|MY_@ZxQ_ulB!im&45SS;WF zu|+dSpzLxHP+y76=x9fK$vcEH7iGC_FFSE6e^X^+>Wc5_Q#n6C-awC9L6odRxkCJh zW;nIkyic^(6kAaHuP9xo_^eZM5=6%tQY(jaeBmb-e_?Ia7Y~_zfcG-Y4i;mAw=qAe zETUC!!iu|e2=qA_RuFf=ek0lsdbfW|98H!+Z4OYqnb6Za!nek22*163ET%iDtdOX7 z6qV^z3)NmB^Y1H;Onc#f$VmsNgg?M>fvP#}dtCD~>k3UN+$D_Q48E&ruT)Vpi$09M zR2<28d_n7*eDJ@REj8!q{FWPvAe+zpnf$vK_3rqT?ia(iz3pAq+-Ale3~E4IE-fuB z3gdia8)>|Ik4Y^=sH?j$-{yicTcI09ARmiqtoHIe)-hh}ApUPEUcra~%1i`fOncuE zdq?0o0rN&-Qi1FBcfUo%EFQD3r)Zj^B)74<2_taUI<&4Qs*1%Z~I9IMkR4OL1*29;RJSUX7a>Ii{Vt zw4gv>S;N1sNI&|3n=QES3)b9JnTPSR_nxiDRe~VoGJVPMdaO$RKX`3Eu&U#Ul3n}- zlPO1xsJ8OH2`T^t4S_K_o-hfRz6VeCL_nbkFB0}fVwNMV)6hF6Ga#+$?k!)rengA? zBZ9xn6nH#f-9%Gcd%ZS6yt|}ki}TCKJmi_7w{Fk*S5P3B2n

i76SfG!)}vZik+co8YjFtJcEm5fJDbRw37VUYHRGs7K?nMmoVo6=RI#5I)ed7u za#UoW1H^-hzSw!BvjaP!H>KZ2n>4Y$J69j<)G%tq*Y+e;>+M$~_| zk;|WpyW1Xg8?~QE^vr**LqLE~j{!eWMp;B2_nu+aTw3Vw^RRe2WdQu$(c8p3@H4|F~sukxct}Wqaf!5)}Q58y4f`z|H$vV z%~8(#^cr2H?E3;>&{njKe|*AjTMRSxJu^84#dw8}hw^u4 zc&VAMDI=(MGNA|kO*+j-tblowX7Mu=UKxO%deXwP>IQM}m&HiF=$D3`)1B_e_>yc5 z%bvvS#x?h3N&)Dq*~}0xDUT=a!_5&w3?q!g3)(m|I)I4OUBdqUWrf?E46FKjNV@B6 zEW#}QO{vcFq||gkvk-nbezt`C7jw;K+g8etG?I8zopK@b5mr57)8gl7&h{^_2xG`N zUMY0kS$NJK2m2go0ncm0s%2CBgf3mY4*@HT0``okbf*8E@zHC}w6~Kuz77vxUK2^_~cOQ}&(HYgZWad|g`m7t>zHSw64|M5%>Eb*jXBi!| zkgoaEEqI<#jn#&G%81j|axZGVYAKnG9^VAWIKn2j`MpDAMy7E&^dczP^#O9lD<+GvR$M_KF9Y*eXf?6?s^6z~YVv2dYn*lZ8+?cyaE;}xY_bn(qp><$ z=lM71%o|2E(cB*%R7b2|XfW&g4vrAxrWus%nZ&UoWbTnfr{5@Qj zZ-5}$tp@%Vw2ruf!I?S3gtDp@qX(}Xv1i9&Dv!REn~`Bl)7?+CAQ1oahSu^`g#H%G zkB)i#nhpT%4tR30eKfnSEz7<4Ez!SYJS6rX7syO3eAgrP}Sin!$1 zRe6{J=0uXwVixr1T6*z2fegCcMZaOk;iWl~!|DUlaX%LFWjCG19djV>#cZ;Z+i?{- zoS36gQtRe85k;!wDZ)m5>Ehes2G>4+Mg5vwDGBpGO(XN`c8vv3(o%BV2R1)_E>0vV zV^z8$Qr=v%u~X6c79X4uV(teV(m+XRwo4_Rn8Os-$*+u|n}bWJ6gVm$O1tp5`ca z$pkEf75&XCA*86g)`v5r9Y)gX(~gk8iiTH}ok48>wm!RJM_0Jd5bdl)WyczJXb&J? 
zSbN+009^uS6206#0&v~_umDrAKas)O3eMW9Y*+jKu{JQK>~&gSP_#+XSswlua&Qtf zxJFtO0kjCkK#E15y>yqceaN4Kue(8i5FZmIFUFQ4oAkv-R<2kbwx16yDKi9FcT*q} z2SP87JhIA?IReJX40s}MczA6E1)?{GVgS4>wUCo!zd%aIuJ zhH-sMVm&D0t?|z@ExA%VeenXa$`K!55dZNi@0`60>P|sC?yq}Q5-iNnL)%4+@VJR4 zKzD#dbGZgXxZWC&`ko5 zi|t!v_+C4@QH*j}%?a^9D(03Dpvk+TqlyfKuO=j} zTNxD?^>a$%BUENW;{&s{>^k?fxRM#1jfCkLuC)I*&~i;&WtMkvDw80V=}pPrmdzSO z!<(O9u$aHYfO(6rdYIK0fm!iV_+{3Wl4;H4HWq&)0Ea^U`l$&zGcCcHnTI4LDTU9D zMn{`LPEm9GcsAa!1`?PO8f~jC%R>sjW%}KO#+&n2;#&UF^v_@E)uyQ=;S)-WSaO1F z3TM1(EIKBd?17p3f3X08K*R$mSD={0LD)uGSS$(+1UEB=DoRdn@Eg)`^YM+&3!f^5 zGxjK05CZ`tyo>ySwhO2|}bSO71UJqKKZo=k3;x06HN7ob6#dyj4asUx)##_~NN=%O8tEq*Pv;q=K-v5V< z)1PYtpo^xhYGJ~+uotVd)}BI^3x1gU?RNG8rLHqF5d#J)3+n6Kd`REgx9btX?A3#V zZ!WW!BV@8%a$mD#WP=eUb>_3IteDkq&l0{J9H{ehw+LgzOz(M_6qm93mI-Oj+@2h| zD>oBJdFPE1Pb@|5&Ny`bKK4=&vwC;JAbHZg0~aXOE3^5lFcAzhT%&>Rap{B`A|IVM z1bYzv!4oLJ+La{f=2=(v)E2=$>wl5Dm}UK?fss_xOtARjQ?XdZswDC=X#@}}CNIpX z6cqVK_?X4>n0B5iwt&)F&ZgS^4Ea)#VB={(9B;Y3;8{i)c?*}*>QqDonj;ULd1~6% zEcDRhz&2Od%B+uue05g9u|O#+#S>63O;BswNm^ET+cRCpeCHamDifSC<2y1D*qNgA zQBbj`L(1(M^>j_mwd6vJHP(-wRjHs#a%!8oNfhSubtcD)%p4k;fRgC#Js1P=-{@uMmgetIBQ-GJUy;mbgl>ZQKKc9%&0A-lEl`I&P|4Q?e6TREDNm)3yeG3 z_ouX<>oHeKmAZZTPMeBHV(4%!M@g|`)aXgpL zoTNX)(IA*|!V(1CKu*CnBEd*oy!^vjwaId)*K*RTq-|R*Kau z*@Iv>Iathdt^@t$=Ds?D$AefYNXZy@5#^Wxm9_Iy7@ZDUCmLp^aV{9}jH z-Qkjh(_Y&xExjn!+FM=3+CN_fCX5puI*g;2PTS>IcfF{|$jC^6W7D`B&C1~@@gi+a zRY0HbFu~wStUMl9cif$biq7Rj-qJJoViTx&oH+67pX8eJE z*($4)jrLD!ntqXL{wZtwy*r_iKd)QBfs0z+X28{r>4EM;kLWXGxT^oj!C%B;=OuMY zJK%;B2qP`yrd%SJ7@IV30|HZb@`8B@& za|(?Dn7a@`0pk%^K51L&em3L60U%XDOQ!ytZ?Twt9;|S=KK5XPWFKxz%qG%~Q{#vq z9b*Fyk8?dFSN%ksitv_SMda~-6ljk46KBd*!)JrSifJMn9J~(~6wslVs`n>C_)(Q3 zu6#l@rq62g)i7p@zxyGQWy6Udi2O5kx#)^uR?hHwwER>Hdjq~?$?Sop=_K^i+h`6A zIy9OxQ;TuiGRkJZ^QT9li%r4bdFiZ?N7BTq8IDn|o|OAopBvI3wPE{OMxr zftS){Qi#uF!bN)0+eOT&B8#vA@nkKR&p{rwo=81fYrs}n6UANw57R^iO)o7F*U>R4 zf*9;WPe`(V06i4;UHwS7+mj*3brvG3oM3$768L87C8o1|2l^%eu?yjdMsZV;gp({P 
zNwecUvl)6AQni{eV;Ub}aKNK#=$9khmwg$Rm_AxRR_@ONCrmpnU;k`NE6(R%3!>#G zd&pDnTXJJQKL*DLG+?#)bn!SN`YHv0@^^n|_F9ZXxIM%!0Ob9nVcc0dEbwP>mT!rQ zP@%|qPK49Y*FUJpA@l7n%%=fRS_9{q8OZa- zLQn{2yL}?)&obB)vsr6*nzB?A#;S*t*SM{{dLybdHaVpL<|cN-*z1cUU~JA`o-AN? zwjAk=2@s18=V{YP#K$90w|hho(-bzZYOW)#7@YFJPW~rW7D7Bq{4| zU*w`-z7fZ=l%6j(UypgZ7b-Rj!| z$1G2R;{tXRhvCUoqAzbEE+3iK?{~Nr+Kc9~4|7XX-M?(&PW2bW(J>9c0Y`4*;h2u} z@jLnw+O6c^hw^&7SdN=4MCo&dy9QtMu_0y}Ask9gyp)Oez=0&ca5e=tKHnKCwafkO z0Eg|nBScavC6g*RZ60rLBkR}Y`&6p;a1W!2b=q{5^V293T zyuN)uFaL6+;N|XC8bzh}v?ZqyA-W_7kQCNN=`7HpWiBeAG+({=@1Z;rMEI^!!YC!Y7@RA4iutCpwFJ zG#P0se1IA$_hdjoMF*nkOK>T%vI<#|WBoOC0kSQQW~Wl=4P~H3#G6ssxpVx>3TfL2 zAe}H5DZ&v0BM4&!^^rc-mq~KuE4ix~h&*@$J}+`x_7|+R7cm_16T={654*e6>a0K! zd1cTw^0MdoBg%PSe}hwBqcBJ7qX23v9Hqe3s5ttI$O+Mt%j!&t+sFE{NHj^ADzP?4 z2KA2`Xyrf7_K@JrSP(P+Mz8vL7Z|_z560XP4P{pyj0)2%7S*|Mdf{=Cr!;&^@>^}x z@l=rctG_0R9%lTZe0G9oF3DF2chnAhu+16$7n>L!$RtOAbjPCu<2KxoCLtk(fb(~1 zQ52+gCAgfTi1xW0=z@CqPFXY!V07?|ycw72JpBc+k1}|bUPmUGVwh6ycPVITH3&3> zpXfEU4sQiy)m0#_L1uRh_x(8qkLs?C!d?*BL zl;?LwuptqK*ybxP$(In|&H-q^1d$GA z-V!obvSsmbj(@AlG(7Cy5~|t(Hy`{w-J}WV3B^@)IhMOgLO%WVw~OYfY_4Pq+WOjl z#NxS620ek<%w2|@oE$o7Q)S*)Is>S!q$MTcm|}&gwT;|gadC4&uP)iwS8&7-LCW9V zGqO(O(v5qa=;fJ|!Joz>HAux=SysIbUtSlp?~aD7*bhv9Pz_%&>u-DU1u;J2&bI_q<0 zI+0vOqliB$UB^t@9T%Ac8pZDu|m zTw%WVU`AU19Kf2$9sOGytW$Lol5bNfe_177aC+2NVl03oSxk^+5=i*&bmkW(a)?uP z)M^1@3)Mm~;2rqPZ35Ujugr$h7C4s*3QYKz&y(Gz4 zR1&?hqe)MaV6Bq};xc!?82_*Vlg+>>j^ETNDxcu*q`p^HojW#a^nMccbUlBICp<$m z^;>Mh-%q#}MQ#Qvf}==i%JXf!#lhj~XpST-J37*ysu_&+mY7p=K8=RfPR9Y_Lp*5u z-T1cidD#B&F8nlQJk*5}6Y1MU5v@2v_V*@A-YPb^t>c+Qc-m~0KY)JLk1q*JIzeQ6 zm6u=^&krQl8c|Ey^+We7+0m%+p^X<2qLR&qZavlwcTdg?zB6UDst|eQZTi5!JG3wg z^3c2w+?*jv&i`r+CF1+nX3mr&qH^??UjsUqZOX;Qa&g)XhsPWD{qKd-1G&ZsV<4?? 
zMW^N_gC_-Qq>5!!nvloum}@s-65~n=AmD$cK8Ny6ER0EB@OIT6lHJw&!!6ylmY)HB>_4ozV`;_1J9!D-;j-jY)8O87Ac*Bc&Ur7L(_p}O~ zsDHI4S(jv^KGR;NIG^s2pM&6sS}032q`{F^HHVLgI0oqhlS((im`DUrdp35Ds%)He z?S4n}UskmSZwYue@=zjYqpsp951X!sbY%2R5G8@)+h0mmn?Ah#_ zPxS=tbiI(+nz!G(va$7JjERJOUuiMFOslvXK)^8@%L&;0HUL)Afvx&IfBdpCAt)O?4KEQRBg$_KS`iaO?g_EKrf$pvNl%$puaC`K83;YhCI!lofKHRP zFun?vFYy6xsRWP3`^M?{mPHVI)>K;kY7v9wc_|h3m{pPvF9rE$m5bjsmKP%viZjlz z>`MtNEgUXIwzW~644Gnf$VCMLp}fF?y>re4U;xv9`#r*M-*G+yTRwg1EXd{h-85T9 zLimq0sf))hCrXB-X)qTlX1}BiZf6voKn&3WP!r2P7x!?Q5ei7=GEJa?FWR`jqs~9f z{YjfSlUKl$T<_s?8#;W4i-66J$2}Au{dZosi7dz76Jfwz5Ssu+d0--2zVl1n&*Qob zTcAwB%UwZ0>0?nmDblOj6Ql&52xcG*e!tl0euPGw!zpJmdLLzp^m1yJpKH=rar=5X z)*bEH34jr1%Tog1l!J7<)`R`(WR0XRJEn_yf<><;nfSXxZ()Vyh>%tJ;rg^Ml%7V; z&pX3OSt>`S98-}{L)?dGQtlSz47G}ym}@FAU{6^e9S!s%6p zcEBx9e>C)JeadbKbKR((2)45G^@v?n_{%dze&}u(MWXu$~C){jQ$ohjX);d}* za4%K8N@kbYX`7fQT>*u3DR3%xT5!BqnfCfYAjvXXMjQ> zPq5FP4Sq_o1o|3B~xIA5(v@FVS#6cXfBcMwW6(6I!rumrJ$z43P~il zB@?<;oj-2QkHIC<@EwQPbh&ZZKj6-ud-Tk2AxhlySimIa$6%=6!7!w=jJ@$nR!*`% z1)0`A<-4b&ig)Ej@IGX-Gy_otepjA!Ojz%Lz2|1`BL0hwcqGQ2a1XZ_9XDkzPMmB) zFRfpTU+fU>Tiy(7S4z3LVU5O=lk$+q2^_^vaeBbum!Y>dG%S=_f4wq0T`yFOCg*bB|%YVu%TeT33y1&j*rYicTtG*kdJ3iqaiMThY(+pVImhium82QP!_;jm>QMnKi}&5rW{287b=*3;jT=8d1V$x zndx|z)&n=qJNGZt!W6Azp+KOFb-G6K#2gz15V;3F?22YIHgL&NUQV z5>~@O&_&Lik>)UiW>=`3g2$OTXDfdn0xsC!&|QDK@rcX}t)`m8SrKc;QdxsVhpTCK z-9Gw9{xy=-a*|QDTk*sW?|w7Sj4kybXl|nEJIo#Ju>~&iv*2SeR$mLfxL2}~ZwsKW zwiAC69ySqcW|f+WgF3u|v%;n6uCg(<3ty~PdDlB#WX?hQD(oL76rJ={+?5X1OJW`$ zZ)*Beq-rZB@5lUu0h0074e7{JZ$Sg?wAW*^K$&`rQ9q$gZ#TWOPUVeK6_D^SgBgS% zj*yJ1E3l2laVtzzWN*H{aD}$a`aP_~b5Z^C2Yn-E3hb{yS7WmF4pCf?q$r5ngerhP z^mw%fF&M93thl>&S1=p*TZzha3Zk1HU*Kn~B`=G@W0l(~CxY@3O&SicPOS~2PuPcre z%QkZ%TY?r@eoPmqZ3I~ps7HgQ9PS5{Mq#hQvef{}aQwYcWu)S70fXdIT=ni0T+WoR zhJ{2?H=$p}s`4c@a9In<0(c<+&_Zgn=1*GZONFSfw>ijwx~b(;(QE5E*K=Z%hBVS0 ztIB~YhbRrV@&t1v<`l$64Top>xfGY|R<&`NvnqAFEJiwaYeBhY#dR?y+|_v`&TqoK zz}bHGlXUHt5K#&)(hL=!fs_X)bojHPUxq!p+=0uE(1EP-PsZ#GQ&me$r_JX%B@cmx3c7bS@u%-QxM+RI&>}0?? 
z(Jp2dmM?0N_d!w}ck~x}j)M0W1RPI&>(ciRhK2yo!zD@f>g`nmV}~@Xzkm!F$ilMn z*Cry+$tmT-P|AR>5B}?AV&OlR4B~Fb#uhw9_59P}1ij9C4}Rq2pgwztYKbR)eCuD= z{nt7|LT$cC_6ljl|2kHHg!j*f{p+8vSpSUczwXGKL^3%4e*EVtNNfDNT{6E+ml-k5 z^3@%%@qjpJj5Xl}p0PfXmbL@=m*oVWdtSpi0c9h3txWZ>skaxC-AumY+bvY-GBE=N zVI?<-WPbGTGK59$BkgWmD;iRyq@*!1F+a>VhW9gWLE05#OT*l5f0TU4IqoN3qOdya!wJTu}YftA+-3{~~bTs}G2fl;o{f`H> zX@Z5L9`W25ebc4h8OegGPTOC&j|iW>YIgIkjAEYP0bU~{+_!$_9+R+Bk0FyC0yzLeHfW@W-zQj zTjzvxWY`xm;eL4hvKqdD&a0-@dtpIK3xuCW14%lk^$1}5FQFAmDVM!lJ+2;wMdj_g z?w5m^Z`^(KYEF0jz#5Q-`WvM8`nB!zRuXUJB6 zW5WiV5T$~6>=xvR0PWecXQbkUXiZ?vC1gQ1|A_~YfP_wM^KopnGQIH3cwV6)0J zqosYC7_z_EhVcaKokluS7FnR7(_ZC@;Hf^@OtX~$1MSnH=Rp)erh$52eWGG&YI^Y` zk=Oa)@VP`#Fw6|=K5xa_41{1h3y^CDqVJv1nr6ep54P`MMf(r zDTs7s!O{k+k<3Jocv7u=2D5wiaEgT*lAwcq@;)qnClW&W>=`QQbQwdj&DStY76`Xm zH^F=J_v{smrGJ+5Jiqrx-1;XM>00gfK2|P#aT};$nJvbjaB=f2=J;YU|F9yDiI06l zDJtSCf1gfVJiR=-`~IdBUP%VRclBfZQ}79Z$Uiu0?TX=dA|pU&@KUDt{qMac-dG8= zSb7?YXz0Ml03j6cqec?%)?qS1buWJfpSPz4OimgBwfN_v??cdnH!`_8GAE!A5fbYDC#iz8syi^> zj}2JnH;Re`mIx;j8mZ*=?y@cGoeQj7&GOs6zG#CJBS`-G@3j;#AH(4?Fc|q#M@ZA; z0bZfbh~e?Z6e=2MT1`xdgbN2VyLbO|yF|8mK7G2C)YgWtEHxr zSNF5ogw;ZHQCgr|LMjL*k9X%9a6AQJlmU5Qm1@E`ayn=J{0&h5-{ZLJL0}t_nDj|RfuS_4xjkZ3V znJ%Qbd$&`J{>A%8L_+en+dkjAbL(X)3U-6wx1sMG-Y=Z`mTa)s8te9;4di>#=iW!h z^Sru3tG%%`!+M}|RXoGUYt&jYV6fV&LYJ7c!>wePOuil49!!#<1gm$+w1Tl^Y6+rm z*X$ABBrusBEViA4FN~oUmE0J&2+qyR@8C2YeIXik4poRSyA9d@NTrPefk1ptuD7SS z5eek00Zmc{)5jYsh1zd4iB5HsTu!F!Hz!jr>ipM|TwDzYV#BqrHp3)hdDu$~`?|3> zVPO~WhBDPP@vw5EZf8QgCgS zPr%vw`jSvk>iwmonYo1nx5rT*$Hy=}c70<4M)k^RP?7&Q;d@H}uKz_T*0`2nMzXE# zF7$^8;|+qG1=^orUOVJFWmHgSd(lOsFkn%!Q+|F4%kR^=zNmOIyOPN^rR{Cce-iV= zr@}UXTKQ(-SvFhL2f4jHj?~)xmVB1Ip?b8;nI~J%i-=C$2Rp; z&3v9(gbZx`W<2uiViM@TR_l4K2Cz8i5|XbMqhtAvBsomxc>Kslxf6Nhcb+#~d{sOhBRL%w z=iY4%AF;gLv74}{pfB-U`0=J{Kbnw6^!oI-fXPs;OE3b1fWEUIdi69g922@&G+Ll_ zv!#4;zwT(arfTgPo#iSP_k3+MOQll#4cM_TYPFBEpOJSb0&zOUo2Oc?o?~`JJL`H$ zTD4le6;6d9-;DjJTA|rP2d2*1#3D8@gcrMhd|tVjib`7T*%T*4O4wYC?S34$&6*q_>#e%-(~vIZw=c^4X3rp06bQ!`C7MH?Ki(9661y<^=x+> 
zCe}tv`ZdAFX7llBHySnU32HwNzu}pWyK)4ZjU)^ zZ{Zz_!6vVZ+k%%{jY^5ZNoX?j?=9tdrTo%Tww;;szCt5m{cVh;!$eY^u}Q(~VwM^6 zIt5M7r9QAVD0Si~%rh1tI-I5FS76cC!)iVF<7$&L`nhO*!%RN+?s{5rpQ2iZP79ig zReNtO@6H_NV-CK7hW%z$jWs2mS#c(V;VrA5@7`YqK@ZZ8cLbjrCEK`)iHVJ$41>YE zHndPv z^YfiOk7O$DrBS)VmXiM5q6UM&RgEZh>g9v=mz!63UI>o4-e0jhD)T9gNQX^JtbqqT;ZDrJscLpaImImA_*#=e3>5Iu@+-VV|c3J z)TecG)v=PF13ZVt;^LT(kY6;VeeGv!%xKeE2)lztkp{ zil=_XkGohZfG8RBDHK}_aRD#s*sV#|taEkI-Iv>#DY&_hx;jbNzS0lf67ry9{!{L-zh+O- z3VN^-eUygb5jJC4OFSWAw!)Cd(1GcSQFPFc=a932m) zAfr6Tv~>${2OqDk{CpfAx5yLMb+ILbuplCC7SZ8zFI2^?qAa>gfor!NEjthgCMHid z%?eiHw(npS5j)yBO|=KfavxFP-zKk#I!>t6yK{43~&a65`Bd8Is@ZQc8skMVosE1oO^;}y~kt)7*2>;ynTATBwp%xZlNb-{XvggyG@mHw~M>W!Da9&@)oqYgFHN zogWE)2+LJdEbpFLQ5iZtkcRn%Q)MJfGGrv#>%vbEr*kw01_tLtcLYVjc6heaT{P~F z`4@1zi5uZk%nTaf*O&5rJ1@&^uXlz8o$!T!b(RUCuRzG0yGP z2p+BW^;B==$9KOP$oP}3-3g><8W4__HB0#*i0J?N7#{^7MCO6Zo@Bft;t~zMwKnL@ zvvyKbV>HP+pdXzWm0MudaE(OnA^eA(D;o6%5s`WER7jsx?eiQ0ULURX7$noPMuW7) z-J0Dn@RrNTa=-LKkP$+mgf3V})OZkX5E z^j5*zI-aD&z(_prY%^LDt5T=t}dqnzCA|+vmB>~?o@TqP9##r zms&ZtbmV!j`Fxav60m?b}P zp2R&LVV_v7d(4_0nzJ*TeSF@$q!+E~Dq;xEmW*uw1N?+LS)jf`A&?-4&q>2@%Qdk+ zXzbht6(BgCN+g0i6U_T*e}1E7=(5x<8g}DeDW%G0Ro{Iy>fo_$_e`;}K&Qob$~A}K zsJW7mRcEm^C_7gI_+!bCZ}R&r?Bsb9ZjiU+U@C_$i9Gh1^EZM{^O4~ESAL+LNL2t_ z<&dLjGFqqu_W3*l2>}R9<~yc9B-lQl+cVrBdB=jNI|b>X%LNh4iL4NQY1U06j;uN) z6Op-O#Ix}kchQ#3Sg1i>9=o7bfI%Q-I%(1aKMd z7s?ax?jBZy&Cx5n%~A6c@|&VzGuc1B<1nsbTSo}$wchOx3qCnjM(MZ>QeJa0~c>3TDV z#9^N2Dvb$z=Q~tgK7v(G)yhr69eTR6VP@x}-zey=X7xh&D3jd|MKAbfnfS>!!@)Vw zXkZKGj&BLvSA6b*71DkQ>=cK~>Hm%<^9LV`Voo~Ryo`ps$s zgAM5+0VMvB+;DvROTwMzoiCQwP8E~td|cF8Fefb6gL8Sff$3CWP%pA$%mCyAle$BA z7*&B}TveGlQi$V6t!DtHL5T^o6R z_m_YI!|N-YBT&t|Y^)qqotNKqg?b*2j3sGBrr#>LbU!s}`h16d-m^;H?_}q2xM%4I zeB<6ruw$bKxn5YQanW*qFNszC^O1~(Xk@+8s-)HPK3Y94!xvNI_u6jtQ9lxVldVtD zd6Plup&p*6#7-Xh-QYT_&ejO2MJ+2gRugVYFjyC>)>xc&XX(`|ndM+EGn@jvVVatV#}2W1TMpByeXAyeKi(t}v#{~I z@<&wJtr-G-Wn-j3%ftN~zwFvWG2JAb8rZ1|V@b1DEu5yHi1|JQQpoowp1D1MuvYZ%##YRMhH1Kl(4Lh7}mQGI%+oA9<2lL5+Z@?Y4}_xND#I 
> cloudtrail_s3 + cloudtrail_s3 >> cloudtrail_sns_sqs + + ecs_role >> Edge(color=color_event, style="dashed", label="sts:AssumeRole") << org_role + ecs_role >> Edge(color=color_event, style="dashed", label="sqs:Receive+Delete") << cloudtrail_sns_sqs + org_role >> Edge(color=color_event, style="dashed", label="s3:GetObject") << cloudtrail_s3
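Review bot: the edge labels in the diagram script mix an invented shorthand with real IAM action names: `label="sqs:Receive+Delete"` is not an IAM action, while `sts:AssumeRole` and `s3:GetObject` are. Since this picture documents the cross-account trust chain (ECS task role assuming the org role, the org role reading CloudTrail objects, the task role draining the queue), label that edge with the exact actions the policy grants (`sqs:ReceiveMessage` and `sqs:DeleteMessage`) so a reader can compare the diagram against the permissions module line by line.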