From fc0714e26048764e41fab1601827959137d4033b Mon Sep 17 00:00:00 2001
From: benjaminstokes <stokesbo@gmail.com>
Date: Wed, 10 Apr 2024 14:22:33 -0400
Subject: [PATCH 01/57] Removing pre-existing code

---
 infrastructure/.terraform.lock.hcl            |   84 -
 infrastructure/Makefile                       |    8 -
 infrastructure/cloudops_role.tf               |    4 -
 infrastructure/customer_role.tf               |   17 -
 infrastructure/eks.tf                         |  102 -
 infrastructure/eks_nodegroups.tf              |  576 ----
 infrastructure/example.auto.tfvars            |   58 -
 infrastructure/kms.tf                         |   11 -
 infrastructure/lb.tf                          |    0
 infrastructure/local.tf                       |  160 --
 infrastructure/main.tf                        |   23 -
 infrastructure/outputs.tf                     |  254 --
 infrastructure/rds.tf                         |   48 -
 infrastructure/redis.tf                       |   41 -
 infrastructure/s3.tf                          | 2315 -----------------
 infrastructure/s3_backend_configuration.conf  |    3 -
 infrastructure/secrets.tfvars                 |    5 -
 infrastructure/security_groups.tf             |   46 -
 infrastructure/state.tf                       |    6 -
 infrastructure/variables.tf                   |  693 -----
 infrastructure/versions.tf                    |    9 -
 infrastructure/vpc.tf                         |   56 -
 kubernetes-config/.terraform.lock.hcl         |   65 -
 kubernetes-config/Makefile                    |    8 -
 kubernetes-config/eks_sigs.tf                 |  398 ---
 kubernetes-config/example.auto.tfvars         |   15 -
 .../helm-charts/aws-ebs-csi-driver-2.14.1.tgz |  Bin 11028 -> 0 bytes
 .../helm-charts/aws-efs-csi-driver-2.3.3.tgz  |  Bin 6106 -> 0 bytes
 .../aws-load-balancer-controller-1.4.6.tgz    |  Bin 21655 -> 0 bytes
 .../helm-charts/cluster-autoscaler-9.21.1.tgz |  Bin 18380 -> 0 bytes
 .../helm-charts/external-dns-1.11.0.tgz       |  Bin 6955 -> 0 bytes
 kubernetes-config/iam/aws-ebs-csi-driver.json |  133 -
 kubernetes-config/iam/aws-efs-csi-driver.json |   37 -
 .../iam/aws-load-balancer-controller.json     |  219 --
 kubernetes-config/iam/cluster-autoscaler.json |   20 -
 kubernetes-config/iam/external-dns.json       |   24 -
 kubernetes-config/local.tf                    |    3 -
 kubernetes-config/main.tf                     |   47 -
 kubernetes-config/output.tf                   |    0
 .../s3_backend_configuration.conf             |    3 -
 kubernetes-config/state.tf                    |    6 -
 kubernetes-config/variables.tf                |   91 -
 kubernetes-config/versions.tf                 |   17 -
 43 files changed, 5605 deletions(-)
 delete mode 100644 infrastructure/.terraform.lock.hcl
 delete mode 100644 infrastructure/Makefile
 delete mode 100644 infrastructure/cloudops_role.tf
 delete mode 100644 infrastructure/customer_role.tf
 delete mode 100644 infrastructure/eks.tf
 delete mode 100644 infrastructure/eks_nodegroups.tf
 delete mode 100644 infrastructure/example.auto.tfvars
 delete mode 100644 infrastructure/kms.tf
 delete mode 100644 infrastructure/lb.tf
 delete mode 100644 infrastructure/local.tf
 delete mode 100644 infrastructure/main.tf
 delete mode 100644 infrastructure/outputs.tf
 delete mode 100644 infrastructure/rds.tf
 delete mode 100644 infrastructure/redis.tf
 delete mode 100644 infrastructure/s3.tf
 delete mode 100644 infrastructure/s3_backend_configuration.conf
 delete mode 100644 infrastructure/secrets.tfvars
 delete mode 100644 infrastructure/security_groups.tf
 delete mode 100644 infrastructure/state.tf
 delete mode 100644 infrastructure/variables.tf
 delete mode 100644 infrastructure/versions.tf
 delete mode 100644 infrastructure/vpc.tf
 delete mode 100644 kubernetes-config/.terraform.lock.hcl
 delete mode 100644 kubernetes-config/Makefile
 delete mode 100644 kubernetes-config/eks_sigs.tf
 delete mode 100644 kubernetes-config/example.auto.tfvars
 delete mode 100644 kubernetes-config/helm-charts/aws-ebs-csi-driver-2.14.1.tgz
 delete mode 100644 kubernetes-config/helm-charts/aws-efs-csi-driver-2.3.3.tgz
 delete mode 100644 kubernetes-config/helm-charts/aws-load-balancer-controller-1.4.6.tgz
 delete mode 100644 kubernetes-config/helm-charts/cluster-autoscaler-9.21.1.tgz
 delete mode 100644 kubernetes-config/helm-charts/external-dns-1.11.0.tgz
 delete mode 100644 kubernetes-config/iam/aws-ebs-csi-driver.json
 delete mode 100644 kubernetes-config/iam/aws-efs-csi-driver.json
 delete mode 100644 kubernetes-config/iam/aws-load-balancer-controller.json
 delete mode 100644 kubernetes-config/iam/cluster-autoscaler.json
 delete mode 100644 kubernetes-config/iam/external-dns.json
 delete mode 100644 kubernetes-config/local.tf
 delete mode 100644 kubernetes-config/main.tf
 delete mode 100644 kubernetes-config/output.tf
 delete mode 100644 kubernetes-config/s3_backend_configuration.conf
 delete mode 100644 kubernetes-config/state.tf
 delete mode 100644 kubernetes-config/variables.tf
 delete mode 100644 kubernetes-config/versions.tf

diff --git a/infrastructure/.terraform.lock.hcl b/infrastructure/.terraform.lock.hcl
deleted file mode 100644
index 2d82e9a..0000000
--- a/infrastructure/.terraform.lock.hcl
+++ /dev/null
@@ -1,84 +0,0 @@
-# This file is maintained automatically by "terraform init".
-# Manual edits may be lost in future updates.
-
-provider "registry.terraform.io/hashicorp/aws" {
-  version     = "4.49.0"
-  constraints = ">= 3.0.0, >= 3.63.0, >= 3.72.0, >= 4.47.0, 4.49.0"
-  hashes = [
-    "h1:1vbzsJ8TBjjotPQKWZQUrX2AII8+te1ih4bYJYD2VS4=",
-    "zh:09803937f00fdf2873eccf685eec7854408925cbf183c9b683df7c5825be463f",
-    "zh:2af1575e538fb0b669266f8d1385b17bfdaf17c521b6b6329baa1f2971fc4a4d",
-    "zh:3f71882b438cde3108fe68cfe2637839d3eed08157a9721bd97babf3912247a8",
-    "zh:577af1b38f5da8a9f29eebe5eebec9279d26e757cd03b0c8c59311f9ce8a859b",
-    "zh:60160d39094973beefb9b10cfd6aaa5b63a2e68c32445ecffcd1b101356e6f9b",
-    "zh:762656454722548baeccf35cbaa23b887976337e1ed321682df7390419fdf22d",
-    "zh:7f6d7887821659bf3bef815949077dc91ffcdb0d911644a887b6683b264a5ca6",
-    "zh:8f16a352cc903f8951fa4619c36233b3e66e27d724817b131f2035dd8896f524",
-    "zh:8f768f65e370366c8b91c00d01c9a6264fe26ea9ae1819f14bdcd12c066272bc",
-    "zh:95ad78c689a83c08ef7c3e544c3c9aca93ed528054aa77cc968ddd9efa3a1023",
-    "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425",
-    "zh:a47097ab6a4ca8302da82964303ffdd2310ed65e8f8524bfe4058816cf1addb7",
-    "zh:b66d820c70cd5fd628ffe882d2b97e76b969dca4e6827ac2ba0f8d3bc5d6e9c6",
-    "zh:b80f713a4f3e1355c3dd1600e9d08b9f15ed2370054ec792ad2c01f2541abe02",
-    "zh:ce065bc3962cb71fa7652562226b9d486f3d7fcb88285c1020ebe2f550e28641",
-  ]
-}
-
-provider "registry.terraform.io/hashicorp/cloudinit" {
-  version     = "2.2.0"
-  constraints = ">= 2.0.0"
-  hashes = [
-    "h1:Id6dDkpuSSLbGPTdbw49bVS/7XXHu/+d7CJoGDqtk5g=",
-    "zh:76825122171f9ea2287fd27e23e80a7eb482f6491a4f41a096d77b666896ee96",
-    "zh:795a36dee548e30ca9c9d474af9ad6d29290e0a9816154ad38d55381cd0ab12d",
-    "zh:9200f02cb917fb99e44b40a68936fd60d338e4d30a718b7e2e48024a795a61b9",
-    "zh:a33cf255dc670c20678063aa84218e2c1b7a67d557f480d8ec0f68bc428ed472",
-    "zh:ba3c1b2cd0879286c1f531862c027ec04783ece81de67c9a3b97076f1ce7f58f",
-    "zh:bd575456394428a1a02191d2e46af0c00e41fd4f28cfe117d57b6aeb5154a0fb",
-    "zh:c68dd1db83d8437c36c92dc3fc11d71ced9def3483dd28c45f8640cfcd59de9a",
-    "zh:cbfe34a90852ed03cc074601527bb580a648127255c08589bc3ef4bf4f2e7e0c",
-    "zh:d6ffd7398c6d1f359b96f5b757e77b99b339fbb91df1b96ac974fe71bc87695c",
-    "zh:d9c15285f847d7a52df59e044184fb3ba1b7679fd0386291ed183782683d9517",
-    "zh:f7dd02f6d36844da23c9a27bb084503812c29c1aec4aba97237fec16860fdc8c",
-  ]
-}
-
-provider "registry.terraform.io/hashicorp/random" {
-  version     = "3.4.3"
-  constraints = ">= 2.2.0"
-  hashes = [
-    "h1:saZR+mhthL0OZl4SyHXZraxyaBNVMxiZzks78nWcZ2o=",
-    "zh:41c53ba47085d8261590990f8633c8906696fa0a3c4b384ff6a7ecbf84339752",
-    "zh:59d98081c4475f2ad77d881c4412c5129c56214892f490adf11c7e7a5a47de9b",
-    "zh:686ad1ee40b812b9e016317e7f34c0d63ef837e084dea4a1f578f64a6314ad53",
-    "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
-    "zh:84103eae7251384c0d995f5a257c72b0096605048f757b749b7b62107a5dccb3",
-    "zh:8ee974b110adb78c7cd18aae82b2729e5124d8f115d484215fd5199451053de5",
-    "zh:9dd4561e3c847e45de603f17fa0c01ae14cae8c4b7b4e6423c9ef3904b308dda",
-    "zh:bb07bb3c2c0296beba0beec629ebc6474c70732387477a65966483b5efabdbc6",
-    "zh:e891339e96c9e5a888727b45b2e1bb3fcbdfe0fd7c5b4396e4695459b38c8cb1",
-    "zh:ea4739860c24dfeaac6c100b2a2e357106a89d18751f7693f3c31ecf6a996f8d",
-    "zh:f0c76ac303fd0ab59146c39bc121c5d7d86f878e9a69294e29444d4c653786f8",
-    "zh:f143a9a5af42b38fed328a161279906759ff39ac428ebcfe55606e05e1518b93",
-  ]
-}
-
-provider "registry.terraform.io/hashicorp/tls" {
-  version     = "4.0.4"
-  constraints = ">= 2.2.0"
-  hashes = [
-    "h1:GZcFizg5ZT2VrpwvxGBHQ/hO9r6g0vYdQqx3bFD3anY=",
-    "zh:23671ed83e1fcf79745534841e10291bbf34046b27d6e68a5d0aab77206f4a55",
-    "zh:45292421211ffd9e8e3eb3655677700e3c5047f71d8f7650d2ce30242335f848",
-    "zh:59fedb519f4433c0fdb1d58b27c210b27415fddd0cd73c5312530b4309c088be",
-    "zh:5a8eec2409a9ff7cd0758a9d818c74bcba92a240e6c5e54b99df68fff312bbd5",
-    "zh:5e6a4b39f3171f53292ab88058a59e64825f2b842760a4869e64dc1dc093d1fe",
-    "zh:810547d0bf9311d21c81cc306126d3547e7bd3f194fc295836acf164b9f8424e",
-    "zh:824a5f3617624243bed0259d7dd37d76017097dc3193dac669be342b90b2ab48",
-    "zh:9361ccc7048be5dcbc2fafe2d8216939765b3160bd52734f7a9fd917a39ecbd8",
-    "zh:aa02ea625aaf672e649296bce7580f62d724268189fe9ad7c1b36bb0fa12fa60",
-    "zh:c71b4cd40d6ec7815dfeefd57d88bc592c0c42f5e5858dcc88245d371b4b8b1e",
-    "zh:dabcd52f36b43d250a3d71ad7abfa07b5622c69068d989e60b79b2bb4f220316",
-    "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
-  ]
-}
diff --git a/infrastructure/Makefile b/infrastructure/Makefile
deleted file mode 100644
index 45bd889..0000000
--- a/infrastructure/Makefile
+++ /dev/null
@@ -1,8 +0,0 @@
-init:
-	terraform init -backend-config=s3_backend_configuration.conf 
-plan:
-	terraform plan -var-file="example.auto.tfvars" -var-file="secrets.tfvars"
-apply:
-	terraform apply -var-file="example.auto.tfvars" -var-file="secrets.tfvars"
-destroy:
-	terraform destroy -var-file="example.auto.tfvars" -var-file="secrets.tfvars"
diff --git a/infrastructure/cloudops_role.tf b/infrastructure/cloudops_role.tf
deleted file mode 100644
index f0ec55c..0000000
--- a/infrastructure/cloudops_role.tf
+++ /dev/null
@@ -1,4 +0,0 @@
-data "aws_iam_roles" "cloudops_iam_role" {
-  name_regex  = "AWSReservedSSO_AdministratorAccess_.*"
-  path_prefix = "/aws-reserved/sso.amazonaws.com/"
-}
diff --git a/infrastructure/customer_role.tf b/infrastructure/customer_role.tf
deleted file mode 100644
index 07fda19..0000000
--- a/infrastructure/customer_role.tf
+++ /dev/null
@@ -1,17 +0,0 @@
-data "aws_iam_policy_document" "aws_cluster_access" {
-  statement {
-    actions = ["sts:AssumeRole"]
-
-    principals {
-      type        = "AWS"
-      identifiers = ["${var.iam_role.customer_arn}"]
-    }
-  }
-}
-
-resource "aws_iam_role" "customer_iam_role" {
-  count              = "${var.iam_role.customer_arn}" != "" ? 1 : 0
-  
-  name               = "${var.deployment_id}-iam-role"
-  assume_role_policy = data.aws_iam_policy_document.aws_cluster_access.json
-}
\ No newline at end of file
diff --git a/infrastructure/eks.tf b/infrastructure/eks.tf
deleted file mode 100644
index 5553eeb..0000000
--- a/infrastructure/eks.tf
+++ /dev/null
@@ -1,102 +0,0 @@
-module "eks" {
-  source  = "terraform-aws-modules/eks/aws"
-  version = "19.5.1"
-
-  cluster_name    = local.deployment_id
-  cluster_version = var.eks_cluster_version
-
-  cluster_enabled_log_types = ["audit", "api", "authenticator", "scheduler"]
-
-  cluster_endpoint_private_access = true
-  cluster_endpoint_public_access  = true
-
-  vpc_id     = local.vpc_id
-  subnet_ids = local.subnets
-
-  enable_irsa = true
-
-  cluster_addons = {
-    coredns = {
-      most_recent = true
-    }
-    kube-proxy = {
-      most_recent = true
-    }
-    vpc-cni = {
-      most_recent = true
-    }
-  }
-
-  create_kms_key            = false
-  cluster_encryption_config = {
-    "resources"      = ["secrets"]
-    provider_key_arn = local.kms_arn
-  }
-
-  # EKS Managed Node Group(s)
-  eks_managed_node_group_defaults = {
-    vpc_security_group_ids = [
-      module.eks.cluster_security_group_id,
-      local.sig_k8s_to_dbs_id
-    ]
-  }
-
-  # aws-auth configmap
-  create_aws_auth_configmap = true
-  manage_aws_auth_configmap = true
-
-  aws_auth_roles = [
-    # {
-    #   rolearn  = "${var.iam_role.cloudops_arn}" == true ? element(tolist(data.aws_iam_roles.cloudops_iam_role.arns),0) : aws_iam_role.customer_iam_role[0].arn
-    #   username = "AWSAdministratorAccess:{{SessionName}}"
-    #   groups   = ["system:masters"]
-    # },
-    {
-      rolearn  = module.ast_default.iam_role_arn
-      username = "system:node:{{EC2PrivateDNSName}}"
-      groups   = ["system:bootstrappers", "system:nodes"]
-    },
-    {
-      rolearn  = module.ast_sast_engines.iam_role_arn
-      username = "system:node:{{EC2PrivateDNSName}}"
-      groups   = ["system:bootstrappers", "system:nodes"]
-    },
-    {
-      rolearn  = module.ast_sast_medium_engines.iam_role_arn
-      username = "system:node:{{EC2PrivateDNSName}}"
-      groups   = ["system:bootstrappers", "system:nodes"]
-    },
-    {
-      rolearn  = module.ast_sast_large_engines.iam_role_arn
-      username = "system:node:{{EC2PrivateDNSName}}"
-      groups   = ["system:bootstrappers", "system:nodes"]
-    },
-    {
-      rolearn  = module.ast_sast_extra_large_engines.iam_role_arn
-      username = "system:node:{{EC2PrivateDNSName}}"
-      groups   = ["system:bootstrappers", "system:nodes"]
-    },
-    {
-      rolearn  = module.ast_sast_xxl_engines.iam_role_arn
-      username = "system:node:{{EC2PrivateDNSName}}"
-      groups   = ["system:bootstrappers", "system:nodes"]
-    },
-    {
-      rolearn  = module.kics_nodes_engines.iam_role_arn
-      username = "system:node:{{EC2PrivateDNSName}}"
-      groups   = ["system:bootstrappers", "system:nodes"]
-    },
-    {
-      rolearn  = module.minio_gateway_nodes.iam_role_arn
-      username = "system:node:{{EC2PrivateDNSName}}"
-      groups   = ["system:bootstrappers", "system:nodes"]
-    },
-    {
-      rolearn  = module.repostore_nodes.iam_role_arn
-      username = "system:node:{{EC2PrivateDNSName}}"
-      groups   = ["system:bootstrappers", "system:nodes"]
-    },
-  ]
-
-  depends_on = [aws_kms_key.eks]
-}
\ No newline at end of file
diff --git a/infrastructure/eks_nodegroups.tf b/infrastructure/eks_nodegroups.tf
deleted file mode 100644
index f967de3..0000000
--- a/infrastructure/eks_nodegroups.tf
+++ /dev/null
@@ -1,576 +0,0 @@
-# Workaround for the issues that tags are not propagated from EKS managed node group to auto-scaling groups
-#https://github.com/terraform-aws-modules/terraform-aws-eks/issues/1886#issuecomment-1044154307
-
-# AST Default
-module "ast_default" {
-  source = "terraform-aws-modules/eks/aws//modules/eks-managed-node-group"
-
-  name            = var.ast_nodes.name
-  cluster_name    = local.deployment_id
-  cluster_version = var.eks_cluster_version
-
-  subnet_ids = local.subnets
-
-  cluster_primary_security_group_id = module.eks.cluster_primary_security_group_id
-
-  min_size     = var.ast_nodes.min_size
-  max_size     = var.ast_nodes.max_size
-  desired_size = var.ast_nodes.desired_size
-
-  instance_types = var.ast_nodes.instance_types
-  capacity_type  = var.ast_nodes.capacity_type
-
-  metadata_options = {
-    http_endpoint               = "enabled"
-    http_tokens                 = "optional"
-    instance_metadata_tags      = "disabled"
-    http_put_response_hop_limit = "2"
-  }
-
-  block_device_mappings = {
-    xvda = {
-      device_name = var.ast_nodes.device_name
-      ebs = {
-        volume_size           = var.ast_nodes.disk_size_gib
-        volume_type           = var.ast_nodes.volume_type
-        iops                  = var.ast_nodes.disk_iops
-        throughput            = var.ast_nodes.disk_throughput
-        encrypted             = true
-        delete_on_termination = true
-      }
-    }
-  }
-
-  tags = {
-    Name = "${var.ast_nodes.name}-${local.deployment_id}"
-  }
-
-}
-resource "aws_autoscaling_group_tag" "ast_default" {
-  for_each = { for k, v in local.cluster_autoscaler_ast_default_asg_tags : k => v }
-
-  autoscaling_group_name = module.ast_default.node_group_autoscaling_group_names[0]
-  tag {
-    key                 = each.value.tagKey
-    value               = each.value.tagValue
-    propagate_at_launch = false
-  }
-}
-
-# sast_nodes-m5.2xlarge
-module "ast_sast_engines" {
-  source = "terraform-aws-modules/eks/aws//modules/eks-managed-node-group"
-
-  name            = var.sast_nodes.name
-  cluster_name    = local.deployment_id
-  cluster_version = var.eks_cluster_version
-
-  subnet_ids = local.subnets
-
-  cluster_primary_security_group_id = module.eks.cluster_primary_security_group_id
-  
-  min_size     = var.sast_nodes.min_size
-  max_size     = var.sast_nodes.max_size
-  desired_size = var.sast_nodes.desired_size
-
-  instance_types = var.sast_nodes.instance_types
-  capacity_type  = var.sast_nodes.capacity_type
-
-  metadata_options = {
-    http_endpoint               = "enabled"
-    http_tokens                 = "optional"
-    instance_metadata_tags      = "disabled"
-    http_put_response_hop_limit = "2"
-  }
-
-  block_device_mappings = {
-    xvda = {
-      device_name = var.sast_nodes_large.device_name
-      ebs = {
-        volume_size           = var.sast_nodes.disk_size_gib
-        volume_type           = var.sast_nodes.volume_type
-        iops                  = var.sast_nodes.disk_iops
-        throughput            = var.sast_nodes.disk_throughput
-        encrypted             = true
-        delete_on_termination = true
-      }
-    }
-  }
-
-  labels = {
-    "${var.sast_nodes.label_name}" = var.sast_nodes.label_value
-  }
-
-  taints = {
-    dedicated = {
-      key    = var.sast_nodes.key
-      value  = var.sast_nodes.value
-      effect = var.sast_nodes.effect
-    }
-  }
-
-  tags = {
-    Name = "${var.sast_nodes.name}-${local.deployment_id}"
-  }
-}
-
-resource "aws_autoscaling_group_tag" "ast_sast_engines" {
-  for_each = { for k, v in local.cluster_autoscaler_ast_sast_engines_asg_tags : k => v }
-
-  autoscaling_group_name = module.ast_sast_engines.node_group_autoscaling_group_names[0]
-  tag {
-    key                 = each.value.tagKey
-    value               = each.value.tagValue
-    propagate_at_launch = false
-  }
-}
-
-# sast_nodes_medium-m6a.xlarge 
-module "ast_sast_medium_engines" {
-  source = "terraform-aws-modules/eks/aws//modules/eks-managed-node-group"
-
-  name            = var.sast_nodes_medium.name
-  cluster_name    = local.deployment_id
-  cluster_version = var.eks_cluster_version
-
-  subnet_ids = local.subnets
-
-  cluster_primary_security_group_id = module.eks.cluster_primary_security_group_id
-
-  min_size     = var.sast_nodes_medium.min_size
-  max_size     = var.sast_nodes_medium.max_size
-  desired_size = var.sast_nodes_medium.desired_size
-
-  instance_types = var.sast_nodes_medium.instance_types
-  capacity_type  = var.sast_nodes_medium.capacity_type
-
-  metadata_options = {
-    http_endpoint               = "enabled"
-    http_tokens                 = "optional"
-    instance_metadata_tags      = "disabled"
-    http_put_response_hop_limit = "2"
-  }
-
-  block_device_mappings = {
-    xvda = {
-      device_name = var.sast_nodes_medium.device_name
-      ebs = {
-        volume_size           = var.sast_nodes_medium.disk_size_gib
-        volume_type           = var.sast_nodes_medium.volume_type
-        iops                  = var.sast_nodes_medium.disk_iops
-        throughput            = var.sast_nodes_medium.disk_throughput
-        encrypted             = true
-        delete_on_termination = true
-      }
-    }
-  }
-
-  taints = {
-    dedicated = {
-      key    = var.sast_nodes_medium.key
-      value  = var.sast_nodes_medium.value
-      effect = var.sast_nodes_medium.effect
-    }
-  }
-
-  labels = {
-    "${var.sast_nodes_medium.label_name}" = var.sast_nodes_medium.label_value
-  }
-  tags = {
-    Name = "${var.sast_nodes_medium.name}-${local.deployment_id}"
-  }
-}
-
-resource "aws_autoscaling_group_tag" "ast_sast_medium_engines" {
-  for_each = { for k, v in local.cluster_autoscaler_ast_sast_medium_engines_asg_tags : k => v }
-
-  autoscaling_group_name = module.ast_sast_medium_engines.node_group_autoscaling_group_names[0]
-  tag {
-    key                 = each.value.tagKey
-    value               = each.value.tagValue
-    propagate_at_launch = false
-  }
-}
-
-# sast_nodes_large-m5.2xlarge
-module "ast_sast_large_engines" {
-  source = "terraform-aws-modules/eks/aws//modules/eks-managed-node-group"
-
-  name            = var.sast_nodes_large.name
-  cluster_name    = local.deployment_id
-  cluster_version = var.eks_cluster_version
-
-  subnet_ids = local.subnets
-
-  cluster_primary_security_group_id = module.eks.cluster_primary_security_group_id
-  
-  min_size     = var.sast_nodes_large.min_size
-  max_size     = var.sast_nodes_large.max_size
-  desired_size = var.sast_nodes_large.desired_size
-
-  instance_types = var.sast_nodes_large.instance_types
-  capacity_type  = var.sast_nodes_large.capacity_type
-
-  metadata_options = {
-    http_endpoint               = "enabled"
-    http_tokens                 = "optional"
-    instance_metadata_tags      = "disabled"
-    http_put_response_hop_limit = "2"
-  }
-
-  block_device_mappings = {
-    xvda = {
-      device_name = var.sast_nodes_large.device_name
-      ebs = {
-        volume_size           = var.sast_nodes_large.disk_size_gib
-        volume_type           = var.sast_nodes_large.volume_type
-        iops                  = var.sast_nodes_large.disk_iops
-        throughput            = var.sast_nodes_large.disk_throughput
-        encrypted             = true
-        delete_on_termination = true
-      }
-    }
-  }
-
-  taints = {
-    dedicated = {
-      key    = var.sast_nodes_large.key
-      value  = var.sast_nodes_large.value
-      effect = var.sast_nodes_large.effect
-    }
-  }
-
-  labels = {
-    "${var.sast_nodes_large.label_name}" = var.sast_nodes_large.label_value
-  }
-  tags = {
-    Name = "${var.sast_nodes_large.name}-${local.deployment_id}"
-  }
-}
-
-resource "aws_autoscaling_group_tag" "ast_sast_large_engines" {
-  for_each = { for k, v in local.cluster_autoscaler_ast_sast_large_engines_asg_tags : k => v }
-
-  autoscaling_group_name = module.ast_sast_large_engines.node_group_autoscaling_group_names[0]
-  tag {
-    key                 = each.value.tagKey
-    value               = each.value.tagValue
-    propagate_at_launch = false
-  }
-}
-
-# sast_nodes_extra_large-r5.2xlarge
-module "ast_sast_extra_large_engines" {
-  source = "terraform-aws-modules/eks/aws//modules/eks-managed-node-group"
-
-  name            = var.sast_nodes_extra_large.name
-  cluster_name    = local.deployment_id
-  cluster_version = var.eks_cluster_version
-
-  subnet_ids = local.subnets
-
-  cluster_primary_security_group_id = module.eks.cluster_primary_security_group_id
-
-  min_size     = var.sast_nodes_extra_large.min_size
-  max_size     = var.sast_nodes_extra_large.max_size
-  desired_size = var.sast_nodes_extra_large.desired_size
-
-  instance_types = var.sast_nodes_extra_large.instance_types
-  capacity_type  = var.sast_nodes_extra_large.capacity_type
-
-  metadata_options = {
-    http_endpoint               = "enabled"
-    http_tokens                 = "optional"
-    instance_metadata_tags      = "disabled"
-    http_put_response_hop_limit = "2"
-  }
-
-  block_device_mappings = {
-    xvda = {
-      device_name = var.sast_nodes_extra_large.device_name
-      ebs = {
-        volume_size           = var.sast_nodes_extra_large.disk_size_gib
-        volume_type           = var.sast_nodes_extra_large.volume_type
-        iops                  = var.sast_nodes_extra_large.disk_iops
-        throughput            = var.sast_nodes_extra_large.disk_throughput
-        encrypted             = true
-        delete_on_termination = true
-      }
-    }
-  }
-
-  taints = {
-    dedicated = {
-      key    = var.sast_nodes_extra_large.key
-      value  = var.sast_nodes_extra_large.value
-      effect = var.sast_nodes_extra_large.effect
-    }
-  }
-  labels = {
-    "${var.sast_nodes_extra_large.label_name}" = var.sast_nodes_extra_large.label_value
-  }
-  tags = {
-    Name = "${var.sast_nodes_extra_large.name}-${local.deployment_id}"
-  }
-}
-resource "aws_autoscaling_group_tag" "ast_sast_extra_large_engines" {
-  for_each = { for k, v in local.cluster_autoscaler_ast_sast_extra_large_engines_asg_tags : k => v }
-
-  autoscaling_group_name = module.ast_sast_extra_large_engines.node_group_autoscaling_group_names[0]
-  tag {
-    key                 = each.value.tagKey
-    value               = each.value.tagValue
-    propagate_at_launch = false
-  }
-}
-
-# sast_nodes_xxl-r5.4xlarge
-module "ast_sast_xxl_engines" {
-  source = "terraform-aws-modules/eks/aws//modules/eks-managed-node-group"
-
-  name            = var.sast_nodes_xxl.name
-  cluster_name    = local.deployment_id
-  cluster_version = var.eks_cluster_version
-
-  subnet_ids = local.subnets
-
-  cluster_primary_security_group_id = module.eks.cluster_primary_security_group_id
-
-  min_size     = var.sast_nodes_xxl.min_size
-  max_size     = var.sast_nodes_xxl.max_size
-  desired_size = var.sast_nodes_xxl.desired_size
-
-  instance_types = var.sast_nodes_xxl.instance_types
-  capacity_type  = var.sast_nodes_xxl.capacity_type
-
-  metadata_options = {
-    http_endpoint               = "enabled"
-    http_tokens                 = "optional"
-    instance_metadata_tags      = "disabled"
-    http_put_response_hop_limit = "2"
-  }
-
-  block_device_mappings = {
-    xvda = {
-      device_name = var.sast_nodes_xxl.device_name
-      ebs = {
-        volume_size           = var.sast_nodes_xxl.disk_size_gib
-        volume_type           = var.sast_nodes_xxl.volume_type
-        iops                  = var.sast_nodes_xxl.disk_iops
-        throughput            = var.sast_nodes_xxl.disk_throughput
-        encrypted             = true
-        delete_on_termination = true
-      }
-    }
-  }
-
-  taints = {
-    dedicated = {
-      key    = var.sast_nodes_xxl.key
-      value  = var.sast_nodes_xxl.value
-      effect = var.sast_nodes_xxl.effect
-    }
-  }
-  labels = {
-    "${var.sast_nodes_xxl.label_name}" = var.sast_nodes_xxl.label_value
-  }
-  tags = {
-    Name = "${var.sast_nodes_xxl.name}-${local.deployment_id}"
-  }
-}
-
-resource "aws_autoscaling_group_tag" "ast_sast_xxl_engines" {
-  for_each = { for k, v in local.cluster_autoscaler_ast_sast_xxl_engines_asg_tags : k => v }
-
-  autoscaling_group_name = module.ast_sast_xxl_engines.node_group_autoscaling_group_names[0]
-  tag {
-    key                 = each.value.tagKey
-    value               = each.value.tagValue
-    propagate_at_launch = false
-  }
-}
-
-# Kics
-module "kics_nodes_engines" {
-  source = "terraform-aws-modules/eks/aws//modules/eks-managed-node-group"
-
-  name            = var.kics_nodes.name
-  cluster_name    = local.deployment_id
-  cluster_version = var.eks_cluster_version
-
-  subnet_ids = local.subnets
-
-  cluster_primary_security_group_id = module.eks.cluster_primary_security_group_id
-
-  min_size     = var.kics_nodes.min_size
-  max_size     = var.kics_nodes.max_size
-  desired_size = var.kics_nodes.desired_size
-
-  instance_types = var.kics_nodes.instance_types
-  capacity_type  = var.kics_nodes.capacity_type
-
-  metadata_options = {
-    http_endpoint               = "enabled"
-    http_tokens                 = "optional"
-    instance_metadata_tags      = "disabled"
-    http_put_response_hop_limit = "2"
-  }
-
-  block_device_mappings = {
-    xvda = {
-      device_name = var.kics_nodes.device_name
-      ebs = {
-        volume_size           = var.kics_nodes.disk_size_gib
-        volume_type           = var.kics_nodes.volume_type
-        iops                  = var.kics_nodes.disk_iops
-        throughput            = var.kics_nodes.disk_throughput
-        encrypted             = true
-        delete_on_termination = true
-      }
-    }
-  }
-
-  taints = {
-    dedicated = {
-      key    = var.kics_nodes.key
-      value  = var.kics_nodes.value
-      effect = var.kics_nodes.effect
-    }
-  }
-  labels = {
-    "${var.kics_nodes.label_name}" = var.kics_nodes.label_value
-  }
-  tags = {
-    Name = "${var.kics_nodes.name}-${local.deployment_id}"
-  }
-}
-
-resource "aws_autoscaling_group_tag" "kics_nodes_engines" {
-  for_each = { for k, v in local.cluster_autoscaler_kics_nodes_engines_asg_tags : k => v }
-
-  autoscaling_group_name = module.kics_nodes_engines.node_group_autoscaling_group_names[0]
-  tag {
-    key                 = each.value.tagKey
-    value               = each.value.tagValue
-    propagate_at_launch = false
-  }
-}
-
-# MINIO GATEWAY
-module "minio_gateway_nodes" {
-  source = "terraform-aws-modules/eks/aws//modules/eks-managed-node-group"
-
-  name            = var.minio_gateway_nodes.name
-  cluster_name    = local.deployment_id
-  cluster_version = var.eks_cluster_version
-
-  subnet_ids = local.subnets
-
-  cluster_primary_security_group_id = module.eks.cluster_primary_security_group_id
-
-  min_size     = var.minio_gateway_nodes.min_size
-  max_size     = var.minio_gateway_nodes.max_size
-  desired_size = var.minio_gateway_nodes.desired_size
-
-  instance_types = var.minio_gateway_nodes.instance_types
-  capacity_type  = var.minio_gateway_nodes.capacity_type
-  metadata_options = {
-    http_endpoint               = "enabled"
-    http_tokens                 = "optional"
-    instance_metadata_tags      = "disabled"
-    http_put_response_hop_limit = "2"
-  }
-
-  block_device_mappings = {
-    xvda = {
-      device_name = var.minio_gateway_nodes.device_name
-      ebs = {
-        volume_size           = var.minio_gateway_nodes.disk_size_gib
-        volume_type           = var.minio_gateway_nodes.volume_type
-        iops                  = var.minio_gateway_nodes.disk_iops
-        throughput            = var.minio_gateway_nodes.disk_throughput
-        encrypted             = true
-        delete_on_termination = true
-      }
-    }
-  }
-
-  taints = {
-    dedicated = {
-      key    = var.minio_gateway_nodes.key
-      value  = var.minio_gateway_nodes.value
-      effect = var.minio_gateway_nodes.effect
-    }
-  }
-  labels = {
-    "${var.minio_gateway_nodes.label_name}" = var.minio_gateway_nodes.label_value
-  }
-  tags = {
-    Name = "${var.minio_gateway_nodes.name}-${local.deployment_id}"
-  }
-}
-
-resource "aws_autoscaling_group_tag" "minio_gateway_nodes" {
-  for_each = { for k, v in local.cluster_autoscaler_minio_gateway_nodes_asg_tags : k => v }
-
-  autoscaling_group_name = module.minio_gateway_nodes.node_group_autoscaling_group_names[0]
-  tag {
-    key                 = each.value.tagKey
-    value               = each.value.tagValue
-    propagate_at_launch = false
-  }
-}
-
-# REPOSTORE
-module "repostore_nodes" {
-  source = "terraform-aws-modules/eks/aws//modules/eks-managed-node-group"
-
-  name            = var.repostore_nodes.name
-  cluster_name    = local.deployment_id
-  cluster_version = var.eks_cluster_version
-
-  subnet_ids = local.subnets
-
-  cluster_primary_security_group_id = module.eks.cluster_primary_security_group_id
-
-  min_size     = var.repostore_nodes.min_size
-  max_size     = var.repostore_nodes.max_size
-  desired_size = var.repostore_nodes.desired_size
-
-  instance_types = var.repostore_nodes.instance_types
-  capacity_type  = var.repostore_nodes.capacity_type
-  metadata_options = {
-    http_endpoint               = "enabled"
-    http_tokens                 = "optional"
-    instance_metadata_tags      = "disabled"
-    http_put_response_hop_limit = "2"
-  }
-
-  block_device_mappings = {
-    xvda = {
-      device_name = var.repostore_nodes.device_name
-      ebs = {
-        volume_size           = var.repostore_nodes.disk_size_gib
-        volume_type           = var.repostore_nodes.volume_type
-        iops                  = var.repostore_nodes.disk_iops
-        throughput            = var.repostore_nodes.disk_throughput
-        encrypted             = true
-        delete_on_termination = true
-      }
-    }
-  }
-
-  taints = {
-    dedicated = {
-      key    = var.repostore_nodes.key
-      value  = var.repostore_nodes.value
-      effect = var.repostore_nodes.effect
-    }
-  }
-  labels = {
-    "${var.repostore_nodes.label_name}" = var.repostore_nodes.label_value
-  }
-  tags = {
-    Name = "${var.repostore_nodes.name}-${local.deployment_id}"
-  }
-}
\ No newline at end of file
diff --git a/infrastructure/example.auto.tfvars b/infrastructure/example.auto.tfvars
deleted file mode 100644
index a698a27..0000000
--- a/infrastructure/example.auto.tfvars
+++ /dev/null
@@ -1,58 +0,0 @@
-
-# METADATA
-deployment_id = ""
-environment   = ""
-owner         = ""
-aws_profile   = ""
-aws_region    = ""
-
-#VPC
-vpc_cidr = ""
-
-vpc = {
-  create                    = true
-  single_nat                = true
-  nat_per_az                = false
-  existing_vpc_id           = ""
-  existing_subnet_ids       = []
-  existing_db_subnets_group = ""
-  existing_db_subnets       = []
-}
-
-# Security
-sig = {
-  create                     = true
-  existing_sig_k8s_to_dbs_id = ""
-}
-
-# IAM-ROLE
-iam_role = {
-  cloudops_arn = true
-  customer_arn = ""
-}
-
-# KMS
-kms = {
-  create           = true
-  existing_kms_arn = ""
-}
-
-# EKS
-eks_cluster_version = "1.24"
-
-# RDS
-postgres_nodes = {
-  create              = true
-  auto_scaling_enable = false
-  count               = 1
-  max_count           = 0
-  instance_type       = "db.r6g.xlarge"
-}
-
-# REDIS
-redis_nodes = {
-  create             = true
-  instance_type      = "cache.t4g.medium"
-  number_of_shards   = 3
-  replicas_per_shard = 1
-}
diff --git a/infrastructure/kms.tf b/infrastructure/kms.tf
deleted file mode 100644
index 28ddc97..0000000
--- a/infrastructure/kms.tf
+++ /dev/null
@@ -1,11 +0,0 @@
-resource "aws_kms_key" "eks" {
-  count                   = var.kms.create ? 1 : 0
-  description             = "EKS Secret Encryption Key"
-  deletion_window_in_days = 7
-  enable_key_rotation     = true
-}
-
-
-locals {
-  kms_arn = var.kms.create == true ? aws_kms_key.eks[0].arn : var.kms.existing_kms_arn
-}
\ No newline at end of file
diff --git a/infrastructure/lb.tf b/infrastructure/lb.tf
deleted file mode 100644
index e69de29..0000000
diff --git a/infrastructure/local.tf b/infrastructure/local.tf
deleted file mode 100644
index 97aeec4..0000000
--- a/infrastructure/local.tf
+++ /dev/null
@@ -1,160 +0,0 @@
-locals {
-  deployment_id = var.deployment_id
-
-  #ast-default
-  cluster_autoscaler_ast_default_asg_tags = [
-    {
-      tagKey   = "k8s.io/cluster-autoscaler/enabled"
-      tagValue = "true"
-    },
-    {
-      tagKey   = "k8s.io/cluster-autoscaler/${var.deployment_id}"
-      tagValue = "owned"
-    },
-  ]
-
-  #ast_sast_engines
-  cluster_autoscaler_ast_sast_engines_asg_tags = [
-    {
-      tagKey   = "k8s.io/cluster-autoscaler/enabled"
-      tagValue = "true"
-    },
-    {
-      tagKey   = "k8s.io/cluster-autoscaler/node-template/label/${var.sast_nodes.label_name}"
-      tagValue = var.sast_nodes.label_value
-    },
-    {
-      tagKey   = "k8s.io/cluster-autoscaler/node-template/taint/${var.sast_nodes.key}"
-      tagValue = "${var.sast_nodes.value}:${var.sast_nodes_large.effect}"
-    },
-    {
-      tagKey   = "k8s.io/cluster-autoscaler/${var.deployment_id}"
-      tagValue = "owned"
-    },
-  ]
-
-  #sast_nodes_medium
-  cluster_autoscaler_ast_sast_medium_engines_asg_tags = [
-    {
-      tagKey   = "k8s.io/cluster-autoscaler/enabled"
-      tagValue = "true"
-    },
-    {
-      tagKey   = "k8s.io/cluster-autoscaler/node-template/label/${var.sast_nodes_medium.label_name}"
-      tagValue = var.sast_nodes_medium.label_value
-    },
-    {
-      tagKey   = "k8s.io/cluster-autoscaler/node-template/taint/${var.sast_nodes_medium.key}"
-      tagValue = "${var.sast_nodes_medium.value}:${var.sast_nodes_medium.effect}"
-    },
-    {
-      tagKey   = "k8s.io/cluster-autoscaler/${var.deployment_id}"
-      tagValue = "owned"
-    },
-  ]
-
-  #sast_nodes_large
-  cluster_autoscaler_ast_sast_large_engines_asg_tags = [
-    {
-      tagKey   = "k8s.io/cluster-autoscaler/enabled"
-      tagValue = "true"
-    },
-    {
-      tagKey   = "k8s.io/cluster-autoscaler/node-template/label/${var.sast_nodes_large.label_name}"
-      tagValue = var.sast_nodes_large.label_value
-    },
-    {
-      tagKey   = "k8s.io/cluster-autoscaler/node-template/taint/${var.sast_nodes_large.key}"
-      tagValue = "${var.sast_nodes_large.value}:${var.sast_nodes_large.effect}"
-    },
-    {
-      tagKey   = "k8s.io/cluster-autoscaler/${var.deployment_id}"
-      tagValue = "owned"
-    },
-  ]
-
-  #sast_nodes_extra_large
-  cluster_autoscaler_ast_sast_extra_large_engines_asg_tags = [
-    {
-      tagKey   = "k8s.io/cluster-autoscaler/enabled"
-      tagValue = "true"
-    },
-    {
-      tagKey   = "k8s.io/cluster-autoscaler/node-template/label/${var.sast_nodes_extra_large.label_name}"
-      tagValue = var.sast_nodes_extra_large.label_value
-    },
-    {
-      tagKey   = "k8s.io/cluster-autoscaler/node-template/taint/${var.sast_nodes_extra_large.key}"
-      tagValue = "${var.sast_nodes_extra_large.value}:${var.sast_nodes_extra_large.effect}"
-    },
-    {
-      tagKey   = "k8s.io/cluster-autoscaler/${var.deployment_id}"
-      tagValue = "owned"
-    },
-  ]
-
-  #sast_nodes_xxl
-  cluster_autoscaler_ast_sast_xxl_engines_asg_tags = [
-    {
-      tagKey   = "k8s.io/cluster-autoscaler/enabled"
-      tagValue = "true"
-    },
-    {
-      tagKey   = "k8s.io/cluster-autoscaler/node-template/label/${var.sast_nodes_xxl.label_name}"
-      tagValue = var.sast_nodes_xxl.label_value
-    },
-    {
-      tagKey   = "k8s.io/cluster-autoscaler/node-template/taint/${var.sast_nodes_xxl.key}"
-      tagValue = "${var.sast_nodes_xxl.value}:${var.sast_nodes_xxl.effect}"
-    },
-    {
-      tagKey   = "k8s.io/cluster-autoscaler/${var.deployment_id}"
-      tagValue = "owned"
-    },
-  ]
-
-  #Kics
-  cluster_autoscaler_kics_nodes_engines_asg_tags = [
-    {
-      tagKey   = "k8s.io/cluster-autoscaler/enabled"
-      tagValue = "true"
-    },
-    {
-      tagKey   = "k8s.io/cluster-autoscaler/node-template/label/${var.kics_nodes.label_name}"
-      tagValue = var.kics_nodes.label_value
-    },
-    {
-      tagKey   = "k8s.io/cluster-autoscaler/node-template/taint/${var.kics_nodes.key}"
-      tagValue = "${var.kics_nodes.value}:${var.kics_nodes.effect}"
-    },
-    {
-      tagKey   = "k8s.io/cluster-autoscaler/${var.deployment_id}"
-      tagValue = "owned"
-    },
-  ]
-
-  # MINIO
-  cluster_autoscaler_minio_gateway_nodes_asg_tags = [
-    {
-      tagKey   = "k8s.io/cluster-autoscaler/enabled"
-      tagValue = "true"
-    },
-    {
-      tagKey   = "k8s.io/cluster-autoscaler/node-template/label/${var.minio_gateway_nodes.label_name}"
-      tagValue = var.minio_gateway_nodes.label_value
-    },
-    {
-      tagKey   = "k8s.io/cluster-autoscaler/node-template/taint/${var.minio_gateway_nodes.key}"
-      tagValue = "${var.minio_gateway_nodes.value}:${var.minio_gateway_nodes.effect}"
-    },
-    {
-      tagKey   = "k8s.io/cluster-autoscaler/${var.deployment_id}"
-      tagValue = "owned"
-    },
-  ]
-
-  private_subnets  = slice(cidrsubnets(var.vpc_cidr, 2, 2, 2, 5, 5, 5, 6, 6, 6), 0, 3)
-  public_subnets   = slice(cidrsubnets(var.vpc_cidr, 2, 2, 2, 5, 5, 5, 6, 6, 6), 6, 9)
-  database_subnets = slice(cidrsubnets(var.vpc_cidr, 2, 2, 2, 5, 5, 5, 6, 6, 6), 3, 6)
-
-}
\ No newline at end of file
diff --git a/infrastructure/main.tf b/infrastructure/main.tf
deleted file mode 100644
index 39b9e21..0000000
--- a/infrastructure/main.tf
+++ /dev/null
@@ -1,23 +0,0 @@
-provider "aws" {
-  region = var.aws_region
-  profile    = var.aws_profile
-
-  default_tags {
-    tags = {
-      Terraform    = "true"
-      DeploymentID = var.deployment_id
-      Owner        = var.owner
-      Environment  = var.environment
-    }
-  }
-}
-
-provider "kubernetes" {
-  host                   = module.eks.cluster_endpoint
-  cluster_ca_certificate = base64decode(module.eks.cluster_certificate_authority_data)
-  exec {
-    api_version = "client.authentication.k8s.io/v1beta1"
-    args        = ["eks", "get-token", "--cluster-name", module.eks.cluster_name]
-    command     = "aws"
-  }
-}
\ No newline at end of file
diff --git a/infrastructure/outputs.tf b/infrastructure/outputs.tf
deleted file mode 100644
index a39cd0c..0000000
--- a/infrastructure/outputs.tf
+++ /dev/null
@@ -1,254 +0,0 @@
-output "aws_region" {
-  description = "AWS Region where the infra was deployed"
-  value       = var.aws_region
-}
-output "postgres-primary-endpoint" {
-  description = "Postgres cluster primary endpoint"
-  value       = module.rds-aurora.cluster_endpoint
-}
-
-output "postgres-reader-endpoint" {
-  description = "Postgres cluster reader endpoint"
-  value       = module.rds-aurora.cluster_reader_endpoint
-}
-
-output "postgres-database-name" {
-  description = "Name of the database"
-  value       = nonsensitive(var.database_name)
-}
-
-output "redis-private-endpoint" {
-  description = "Redis cluster private endpoint"
-  value       = try(aws_elasticache_replication_group.redis[0].configuration_endpoint_address, null)
-}
-
-output "eks_cluster_id" {
-  value       = module.eks.cluster_name
-  description = "EKS Cluster ID"
-}
-
-output "eks_cluster_arn" {
-  value       = module.eks.cluster_arn
-  description = "EKS Cluster ARN"
-}
-
-output "eks_cluster_endpoint" {
-  value       = module.eks.cluster_endpoint
-  description = "EKS Cluster Endpoint"
-}
-
-output "oidc_provider_arn" {
-  value = module.eks.oidc_provider_arn
-}
-# Nodegroups
-# AST
-output "ast_default_autoscaling_group_name" {
-  value = module.ast_default.node_group_autoscaling_group_names[0]
-}
-output "ast_default_autoscaling_group_min_size" {
-  value = var.ast_nodes.min_size
-}
-output "ast_default_autoscaling_group_max_size" {
-  value = var.ast_nodes.max_size
-}
-
-# SAST
-output "ast_sast_engines_autoscaling_group_name" {
-  value = module.ast_sast_engines.node_group_autoscaling_group_names[0]
-}
-output "ast_sast_engines_autoscaling_group_min_size" {
-  value = var.sast_nodes.min_size
-}
-output "ast_sast_engines_autoscaling_group_max_size" {
-  value = var.sast_nodes.max_size
-}
-
-# SAST Medium
-output "ast_sast_medium_engines_autoscaling_group_name" {
-  value = module.ast_sast_medium_engines.node_group_autoscaling_group_names[0]
-}
-output "ast_sast_medium_engines_autoscaling_group_min_size" {
-  value = var.sast_nodes_medium.min_size
-}
-output "ast_sast_medium_engines_autoscaling_group_max_size" {
-  value = var.sast_nodes_medium.max_size
-}
-
-# SAST Large
-output "ast_sast_large_engines_autoscaling_group_name" {
-  value = module.ast_sast_large_engines.node_group_autoscaling_group_names[0]
-}
-output "ast_sast_large_engines_autoscaling_group_min_size" {
-  value = var.sast_nodes_large.min_size
-}
-output "ast_sast_large_engines_autoscaling_group_max_size" {
-  value = var.sast_nodes_large.max_size
-}
-
-# SAST ExtraLarge
-output "ast_sast_extra_large_engines_autoscaling_group_name" {
-  value = module.ast_sast_extra_large_engines.node_group_autoscaling_group_names[0]
-}
-output "ast_sast_extra_large_engines_autoscaling_group_min_size" {
-  value = var.sast_nodes_extra_large.min_size
-}
-output "ast_sast_extra_large_engines_autoscaling_group_max_size" {
-  value = var.sast_nodes_extra_large.max_size
-}
-
-# SAST XXL
-output "ast_sast_xxl_engines_autoscaling_group_name" {
-  value = module.ast_sast_xxl_engines.node_group_autoscaling_group_names[0]
-}
-output "ast_sast_xxl_engines_autoscaling_group_min_size" {
-  value = var.sast_nodes_xxl.min_size
-}
-output "ast_sast_xxl_engines_autoscaling_group_max_size" {
-  value = var.sast_nodes_xxl.max_size
-}
-
-# KICS
-output "kics_nodes_engines_autoscaling_group_name" {
-  value = module.kics_nodes_engines.node_group_autoscaling_group_names[0]
-}
-output "kics_nodes_engines_autoscaling_group_min_size" {
-  value = var.kics_nodes.min_size
-}
-output "kics_nodes_engines_autoscaling_group_max_size" {
-  value = var.kics_nodes.max_size
-}
-
-# MINIO
-output "minio_gateway_nodes_autoscaling_group_name" {
-  value = module.minio_gateway_nodes.node_group_autoscaling_group_names[0]
-}
-output "minio_gateway_nodes_autoscaling_group_min_size" {
-  value = var.minio_gateway_nodes.min_size
-}
-output "minio_gateway_nodes_autoscaling_group_max_size" {
-  value = var.minio_gateway_nodes.max_size
-}
-
-# UPLOADS BUCKET
-output "uploads_s3_bucket_name" {
-  value       = aws_s3_bucket.uploads_bucket.id
-  description = "S3 Bucket Name"
-}
-# QUERIES BUCKET
-output "queries_s3_bucket_name" {
-  value       = aws_s3_bucket.queries_bucket.id
-  description = "S3 Bucket Name"
-}
-# MISC BUCKET
-output "misc_s3_bucket_name" {
-  value       = aws_s3_bucket.misc_bucket.id
-  description = "S3 Bucket Name"
-}
-
-# REPOSTORE BUCKET
-output "repostore_s3_bucket_name" {
-  value       = aws_s3_bucket.repostore_bucket.id
-  description = "S3 Bucket Name"
-}
-
-# SAST-METADATA BUCKET
-output "sast_metadata_s3_bucket_name" {
-  value       = aws_s3_bucket.sast_metadata_bucket.id
-  description = "S3 Bucket Name"
-}
-
-# SCANS BUCKET
-output "scans_s3_bucket_name" {
-  value       = aws_s3_bucket.scans_bucket.id
-  description = "S3 Bucket Name"
-}
-
-# SAST-WORKER BUCKET
-output "sast_worker_s3_bucket_name" {
-  value       = aws_s3_bucket.sast_worker_bucket.id
-  description = "S3 Bucket Name"
-}
-
-# KICS-WORKER BUCKET
-output "kics_worker_s3_bucket_name" {
-  value       = aws_s3_bucket.kics_worker_bucket.id
-  description = "S3 Bucket Name"
-}
-
-# SCA-WORKER BUCKET
-output "sca_worker_s3_bucket_name" {
-  value       = aws_s3_bucket.sca_worker_bucket.id
-  description = "S3 Bucket Name"
-}
-
-# LOGS BUCKET
-output "logs_s3_bucket_name" {
-  value       = aws_s3_bucket.logs_bucket.id
-  description = "S3 Bucket Name"
-}
-
-# ENGINE-LOGS BUCKET
-output "engine_logs_s3_bucket_name" {
-  value       = aws_s3_bucket.engine_logs_bucket.id
-  description = "S3 Bucket Name"
-}
-
-# REPORTS BUCKET
-output "reports_s3_bucket_name" {
-  value       = aws_s3_bucket.reports_bucket.id
-  description = "S3 Bucket Name"
-}
-
-# REPORT-TEMPLATES BUCKET
-output "report_templates_s3_bucket_name" {
-  value       = aws_s3_bucket.report_templates_bucket.id
-  description = "S3 Bucket Name"
-}
-
-# CONFIGURATION BUCKET
-output "configuration_s3_bucket_name" {
-  value       = aws_s3_bucket.configuration_bucket.id
-  description = "S3 Bucket Name"
-}
-
-# IMPORTS BUCKET
-output "imports_s3_bucket_name" {
-  value       = aws_s3_bucket.imports_bucket.id
-  description = "S3 Bucket Name"
-}
-
-# AUDIT BUCKET
-output "audit_s3_bucket_name" {
-  value       = aws_s3_bucket.audit_bucket.id
-  description = "S3 Bucket Name"
-}
-
-# SOURCE-RESOLVER BUCKET 
-output "source_resolver_s3_bucket_name" {
-  value       = aws_s3_bucket.source_resolver_bucket.id
-  description = "S3 Bucket Name"
-}
-
-# APISEC BUCET 
-output "apisec_s3_bucket_name" {
-  value       = aws_s3_bucket.apisec_bucket.id
-  description = "S3 Bucket Name"
-}
-
-# KICS-MATADATA BUCKET
-output "kics_metadata_s3_bucket_name" {
-  value       = aws_s3_bucket.kics_metadata_bucket.id
-  description = "S3 Bucket Name"
-}
-
-# REDIS-SHARED-BUCKET
-output "redis_shared_s3_bucket_name" {
-  value       = aws_s3_bucket.redis_shared_bucket.id
-  description = "S3 Bucket Name"
-}
-
-# SCAN RESULTS STORAGE BUCKET
-output "scan_results_storage_s3_bucket_name" {
-  value       = aws_s3_bucket.scan_results_storage_bucket.id
-  description = "S3 Bucket Name"
-}
diff --git a/infrastructure/rds.tf b/infrastructure/rds.tf
deleted file mode 100644
index fa2829a..0000000
--- a/infrastructure/rds.tf
+++ /dev/null
@@ -1,48 +0,0 @@
-module "rds-aurora" {
-  source         = "terraform-aws-modules/rds-aurora/aws"
-  version        = "6.1.4"
-  create_cluster = var.postgres_nodes.create
-
-  vpc_id                 = local.vpc_id
-  create_db_subnet_group = false
-  db_subnet_group_name   = local.db_subnet_group
-  vpc_security_group_ids = [
-    local.sig_k8s_to_dbs_id
-  ]
-
-  name = local.deployment_id
-
-  engine         = "aurora-postgresql"
-  engine_mode    = "provisioned"
-  engine_version = "13.8"
-
-  create_security_group = false
-  allowed_cidr_blocks   = module.vpc.private_subnets_cidr_blocks
-
-  instance_class = var.postgres_nodes.instance_type
-  instances = {
-    1 = {
-      instance_class      = var.postgres_nodes.instance_type
-      publicly_accessible = false
-    }
-  }
-
-  autoscaling_enabled      = var.postgres_nodes.auto_scaling_enable
-  autoscaling_min_capacity = var.postgres_nodes.count
-  autoscaling_max_capacity = var.postgres_nodes.max_count
-
-  storage_encrypted = true
-  kms_key_id        = local.kms_arn
-
-  apply_immediately                   = true
-  skip_final_snapshot                 = true
-  auto_minor_version_upgrade          = true
-  performance_insights_enabled        = true
-  iam_database_authentication_enabled = false
-
-  master_username        = var.database_username
-  master_password        = var.database_password
-  create_random_password = false
-  database_name          = var.database_name
-
-}
\ No newline at end of file
diff --git a/infrastructure/redis.tf b/infrastructure/redis.tf
deleted file mode 100644
index a616f4b..0000000
--- a/infrastructure/redis.tf
+++ /dev/null
@@ -1,41 +0,0 @@
-resource "aws_elasticache_subnet_group" "redis" {
-  count      = var.redis_nodes.create ? 1 : 0
-  name       = local.deployment_id
-  subnet_ids = local.db_subnets
-}
-
-# tfsec:ignore:aws-elasticache-enable-in-transit-encryption
-resource "aws_elasticache_replication_group" "redis" {
-  count                         = var.redis_nodes.create ? 1 : 0
-  replication_group_id          = local.deployment_id
-  description = "Redis cluster for AST application"
-
-  subnet_group_name = aws_elasticache_subnet_group.redis[0].name
-
-  security_group_ids = [
-    local.sig_k8s_to_dbs_id
-  ]
-
-  node_type = var.redis_nodes.instance_type
-
-  engine         = "redis"
-  engine_version = "6.x"
-
-  port                     = 6379
-  snapshot_retention_limit = 2
-
-  automatic_failover_enabled = true
-  
-  replicas_per_node_group = var.redis_nodes.replicas_per_shard
-  num_node_groups         = var.redis_nodes.number_of_shards
-
-  transit_encryption_enabled = var.redis_auth_token != "" ? true : false #BUG - AST can't work with TLS enabled
-  auth_token                 = var.redis_auth_token != "" ? var.redis_auth_token : null
-
-  kms_key_id                 = local.kms_arn
-  at_rest_encryption_enabled = true
-
-
-  apply_immediately = true
-
-}
\ No newline at end of file
diff --git a/infrastructure/s3.tf b/infrastructure/s3.tf
deleted file mode 100644
index 5fe6c13..0000000
--- a/infrastructure/s3.tf
+++ /dev/null
@@ -1,2315 +0,0 @@
-resource "random_string" "random_suffix" {
-  length  = 6
-  special = false
-  upper   = false
-}
-
-locals {
-  s3_bucket_name_suffix = "${var.deployment_id}-${random_string.random_suffix.result}"
-}
-
-# UPLOADS BUCKET
-# S3 Bucket
-# tfsec:ignore:aws-s3-encryption-customer-key
-resource "aws_s3_bucket" "uploads_bucket" {
-  bucket        = "uploads-${lower(local.s3_bucket_name_suffix)}"
-  force_destroy = true
-
-  tags = {
-    Name        = "${var.deployment_id} uploads bucket"
-    Environment = "${var.deployment_id}"
-  }
-}
-
-# S3 Bucket - Ownership Control
-resource "aws_s3_bucket_ownership_controls" "uploads_ownership_controls" {
-  bucket = aws_s3_bucket.uploads_bucket.id
-  rule {
-    object_ownership = "BucketOwnerPreferred"
-  }
-}
-
-# S3 Bucket - acl
-resource "aws_s3_bucket_acl" "uploads_bucket_acl" {
-  depends_on = [aws_s3_bucket_ownership_controls.uploads_ownership_controls]
-
-  bucket = aws_s3_bucket.uploads_bucket.id
-  acl    = "private"
-}
-
-# S3 Bucket - versioning
-resource "aws_s3_bucket_versioning" "uploads_bucket_versioning" {
-  bucket = aws_s3_bucket.uploads_bucket.id
-
-  versioning_configuration {
-    status = var.s3_bucket_versioning_status
-  }
-}
-
-# S3 Bucket - encryption configuration
-resource "aws_s3_bucket_server_side_encryption_configuration" "uploads_bucket_encryption_configuration" {
-  bucket = aws_s3_bucket.uploads_bucket.id
-
-  rule {
-    apply_server_side_encryption_by_default {
-      sse_algorithm = "AES256"
-    }
-  }
-}
-
-# S3 Bucket - lifecycle
-resource "aws_s3_bucket_lifecycle_configuration" "uploads_bucket_lifecycle" {
-  bucket = aws_s3_bucket.uploads_bucket.id
-
-  rule {
-    id     = "Transition-To-Intelligent-Tiering"
-    status = "Enabled"
-    # abort_incomplete_multipart_upload_days = 1 (not expected here)
-    transition {
-      days          = 0
-      storage_class = "INTELLIGENT_TIERING"
-    }
-  }
-  rule {
-    id     = "${var.s3_retention_period}-Days-Non-Current-Expiration"
-    status = "Enabled"
-    noncurrent_version_expiration {
-      noncurrent_days = var.s3_retention_period
-    }
-    expiration {
-      expired_object_delete_marker = true
-    }
-  }
-}
-
-# S3 Bucket - Block Public Access
-resource "aws_s3_bucket_public_access_block" "uploads_public_access_block" {
-  bucket                  = aws_s3_bucket.uploads_bucket.id
-  block_public_acls       = true
-  block_public_policy     = true
-  ignore_public_acls      = true
-  restrict_public_buckets = true
-}
-
-# S3 Bucket Policy - Deny Non-HTTPS only
-resource "aws_s3_bucket_policy" "uploads_permissive_access" {
-  bucket = aws_s3_bucket.uploads_bucket.id
-  policy = jsonencode({
-    "Version" : "2012-10-17",
-    "Statement" : [
-      {
-        "Sid" : "denyInsecureTransport",
-        "Effect" : "Deny",
-        "Principal" : "*",
-        "Action" : "s3:*",
-        "Resource" : [
-          "arn:aws:s3:::${aws_s3_bucket.uploads_bucket.id}/*",
-          "arn:aws:s3:::${aws_s3_bucket.uploads_bucket.id}"
-        ],
-        "Condition" : {
-          "Bool" : {
-            "aws:SecureTransport" : "false"
-          }
-        }
-      }
-    ]
-  })
-}
-
-# QUERIES BUCKET
-# S3 Bucket
-# tfsec:ignore:aws-s3-encryption-customer-key
-resource "aws_s3_bucket" "queries_bucket" {
-  bucket        = "queries-${lower(local.s3_bucket_name_suffix)}"
-  force_destroy = true
-
-  tags = {
-    Name        = "${var.deployment_id} queries bucket"
-    Environment = "${var.deployment_id}"
-  }
-}
-
-# S3 Bucket - Ownership Control
-resource "aws_s3_bucket_ownership_controls" "queries_ownership" {
-  bucket = aws_s3_bucket.queries_bucket.id
-  rule {
-    object_ownership = "BucketOwnerPreferred"
-  }
-}
-
-# S3 Bucket - acl
-resource "aws_s3_bucket_acl" "queries_bucket_acl" {
-  depends_on = [aws_s3_bucket_ownership_controls.queries_ownership]
-
-  bucket = aws_s3_bucket.queries_bucket.id
-  acl    = "private"
-}
-
-# S3 Bucket - versioning
-resource "aws_s3_bucket_versioning" "queries_bucket_versioning" {
-  bucket = aws_s3_bucket.queries_bucket.id
-
-  versioning_configuration {
-    status = var.s3_bucket_versioning_status
-  }
-}
-
-# S3 Bucket - encryption configuration
-resource "aws_s3_bucket_server_side_encryption_configuration" "queries_bucket_encryption_configuration" {
-  bucket = aws_s3_bucket.queries_bucket.id
-
-  rule {
-    apply_server_side_encryption_by_default {
-      sse_algorithm = "AES256"
-    }
-  }
-}
-
-# S3 Bucket - lifecycle
-resource "aws_s3_bucket_lifecycle_configuration" "queries_bucket_lifecycle" {
-  bucket = aws_s3_bucket.queries_bucket.id
-
-  rule {
-    id     = "Transition-To-Intelligent-Tiering"
-    status = "Enabled"
-    # abort_incomplete_multipart_upload_days = 1 (not expected here)
-    transition {
-      days          = 0
-      storage_class = "INTELLIGENT_TIERING"
-    }
-  }
-  rule {
-    id     = "${var.s3_retention_period}-Days-Non-Current-Expiration"
-    status = "Enabled"
-    noncurrent_version_expiration {
-      noncurrent_days = var.s3_retention_period
-    }
-    expiration {
-      expired_object_delete_marker = true
-    }
-  }
-}
-
-# S3 Bucket - Block Public Access
-resource "aws_s3_bucket_public_access_block" "queries_public_access_block" {
-  bucket                  = aws_s3_bucket.queries_bucket.id
-  block_public_acls       = true
-  block_public_policy     = true
-  ignore_public_acls      = true
-  restrict_public_buckets = true
-}
-
-# S3 Bucket Policy - Deny Non-HTTPS only
-resource "aws_s3_bucket_policy" "queries_permissive_access" {
-  bucket = aws_s3_bucket.queries_bucket.id
-  policy = jsonencode({
-    "Version" : "2012-10-17",
-    "Statement" : [
-      {
-        "Sid" : "denyInsecureTransport",
-        "Effect" : "Deny",
-        "Principal" : "*",
-        "Action" : "s3:*",
-        "Resource" : [
-          "arn:aws:s3:::${aws_s3_bucket.queries_bucket.id}/*",
-          "arn:aws:s3:::${aws_s3_bucket.queries_bucket.id}"
-        ],
-        "Condition" : {
-          "Bool" : {
-            "aws:SecureTransport" : "false"
-          }
-        }
-      }
-    ]
-  })
-}
-
-# MISC BUCKET
-# S3 Bucket
-# tfsec:ignore:aws-s3-encryption-customer-key
-resource "aws_s3_bucket" "misc_bucket" {
-  bucket        = "misc-${lower(local.s3_bucket_name_suffix)}"
-  force_destroy = true
-
-  tags = {
-    Name        = "${var.deployment_id} misc bucket"
-    Environment = "${var.deployment_id}"
-  }
-}
-
-# S3 Bucket - Ownership Control
-resource "aws_s3_bucket_ownership_controls" "misc_ownership" {
-  bucket = aws_s3_bucket.misc_bucket.id
-  rule {
-    object_ownership = "BucketOwnerPreferred"
-  }
-}
-
-# S3 Bucket - acl
-resource "aws_s3_bucket_acl" "misc_bucket_acl" {
-  depends_on = [aws_s3_bucket_ownership_controls.misc_ownership]
-
-  bucket = aws_s3_bucket.misc_bucket.id
-  acl    = "private"
-}
-
-# S3 Bucket - versioning
-resource "aws_s3_bucket_versioning" "misc_bucket_versioning" {
-  bucket = aws_s3_bucket.misc_bucket.id
-
-  versioning_configuration {
-    status = var.s3_bucket_versioning_status
-  }
-}
-
-# S3 Bucket - encryption configuration
-resource "aws_s3_bucket_server_side_encryption_configuration" "misc_bucket_encryption_configuration" {
-  bucket = aws_s3_bucket.misc_bucket.id
-
-  rule {
-    apply_server_side_encryption_by_default {
-      sse_algorithm = "AES256"
-    }
-  }
-}
-
-# S3 Bucket - lifecycle
-resource "aws_s3_bucket_lifecycle_configuration" "misc_bucket_lifecycle" {
-  bucket = aws_s3_bucket.misc_bucket.id
-
-  rule {
-    id     = "Transition-To-Intelligent-Tiering"
-    status = "Enabled"
-    # abort_incomplete_multipart_upload_days = 1 (not expected here)
-    transition {
-      days          = 0
-      storage_class = "INTELLIGENT_TIERING"
-    }
-  }
-  rule {
-    id     = "${var.s3_retention_period}-Days-Non-Current-Expiration"
-    status = "Enabled"
-    noncurrent_version_expiration {
-      noncurrent_days = var.s3_retention_period
-    }
-    expiration {
-      expired_object_delete_marker = true
-    }
-  }
-}
-
-
-
-# S3 Bucket - Block Public Access
-resource "aws_s3_bucket_public_access_block" "misc_public_access_block" {
-  bucket                  = aws_s3_bucket.misc_bucket.id
-  block_public_acls       = true
-  block_public_policy     = true
-  ignore_public_acls      = true
-  restrict_public_buckets = true
-}
-
-# S3 Bucket Policy - Deny Non-HTTPS only
-resource "aws_s3_bucket_policy" "misc_permissive_access" {
-  bucket = aws_s3_bucket.misc_bucket.id
-  policy = jsonencode({
-    "Version" : "2012-10-17",
-    "Statement" : [
-      {
-        "Sid" : "denyInsecureTransport",
-        "Effect" : "Deny",
-        "Principal" : "*",
-        "Action" : "s3:*",
-        "Resource" : [
-          "arn:aws:s3:::${aws_s3_bucket.misc_bucket.id}/*",
-          "arn:aws:s3:::${aws_s3_bucket.misc_bucket.id}"
-        ],
-        "Condition" : {
-          "Bool" : {
-            "aws:SecureTransport" : "false"
-          }
-        }
-      }
-    ]
-  })
-}
-
-# REPOSTORE BUCKET
-# S3 Bucket
-# tfsec:ignore:aws-s3-encryption-customer-key
-resource "aws_s3_bucket" "repostore_bucket" {
-  bucket        = "repostore-${lower(local.s3_bucket_name_suffix)}"
-  force_destroy = true
-
-  tags = {
-    Name        = "${var.deployment_id} repostore bucket"
-    Environment = "${var.deployment_id}"
-  }
-}
-
-# S3 Bucket - Ownership Control
-resource "aws_s3_bucket_ownership_controls" "repostore_ownership_controls" {
-  bucket = aws_s3_bucket.repostore_bucket.id
-  rule {
-    object_ownership = "BucketOwnerPreferred"
-  }
-}
-
-# S3 Bucket - acl
-resource "aws_s3_bucket_acl" "repostore_bucket_acl" {
-  depends_on = [aws_s3_bucket_ownership_controls.repostore_ownership_controls]
-
-  bucket = aws_s3_bucket.repostore_bucket.id
-  acl    = "private"
-}
-
-# S3 Bucket - versioning
-resource "aws_s3_bucket_versioning" "repostore_bucket_versioning" {
-  bucket = aws_s3_bucket.repostore_bucket.id
-
-  versioning_configuration {
-    status = var.s3_bucket_versioning_status
-  }
-}
-
-# S3 Bucket - encryption configuration
-resource "aws_s3_bucket_server_side_encryption_configuration" "repostore_bucket_encryption_configuration" {
-  bucket = aws_s3_bucket.repostore_bucket.id
-
-  rule {
-    apply_server_side_encryption_by_default {
-      sse_algorithm = "AES256"
-    }
-  }
-}
-
-# S3 Bucket - lifecycle
-resource "aws_s3_bucket_lifecycle_configuration" "repostore_bucket_lifecycle" {
-  bucket = aws_s3_bucket.repostore_bucket.id
-
-  rule {
-    id     = "Transition-To-Intelligent-Tiering"
-    status = "Enabled"
-    # abort_incomplete_multipart_upload_days = 1 (not expected here)
-    transition {
-      days          = 0
-      storage_class = "INTELLIGENT_TIERING"
-    }
-  }
-  rule {
-    id     = "${var.s3_retention_period}-Days-Non-Current-Expiration"
-    status = "Enabled"
-    noncurrent_version_expiration {
-      noncurrent_days = var.s3_retention_period
-    }
-    expiration {
-      expired_object_delete_marker = true
-    }
-  }
-}
-
-# S3 Bucket - Block Public Access
-resource "aws_s3_bucket_public_access_block" "repostore_public_access_block" {
-  bucket                  = aws_s3_bucket.repostore_bucket.id
-  block_public_acls       = true
-  block_public_policy     = true
-  ignore_public_acls      = true
-  restrict_public_buckets = true
-}
-
-# S3 Bucket Policy - Deny Non-HTTPS only
-resource "aws_s3_bucket_policy" "repostore_permissive_access" {
-  bucket = aws_s3_bucket.repostore_bucket.id
-  policy = jsonencode({
-    "Version" : "2012-10-17",
-    "Statement" : [
-      {
-        "Sid" : "denyInsecureTransport",
-        "Effect" : "Deny",
-        "Principal" : "*",
-        "Action" : "s3:*",
-        "Resource" : [
-          "arn:aws:s3:::${aws_s3_bucket.repostore_bucket.id}/*",
-          "arn:aws:s3:::${aws_s3_bucket.repostore_bucket.id}"
-        ],
-        "Condition" : {
-          "Bool" : {
-            "aws:SecureTransport" : "false"
-          }
-        }
-      }
-    ]
-  })
-}
-
-# SAST-METADATA BUCKET
-# S3 Bucket
-# tfsec:ignore:aws-s3-encryption-customer-key
-resource "aws_s3_bucket" "sast_metadata_bucket" {
-  bucket        = "sast-metadata-${lower(local.s3_bucket_name_suffix)}"
-  force_destroy = true
-
-  tags = {
-    Name        = "${var.deployment_id} sast metadata bucket"
-    Environment = "${var.deployment_id}"
-  }
-}
-
-# S3 Bucket - Ownership Control
-resource "aws_s3_bucket_ownership_controls" "sast_metadata_ownership_controls" {
-  bucket = aws_s3_bucket.sast_metadata_bucket.id
-  rule {
-    object_ownership = "BucketOwnerPreferred"
-  }
-}
-
-# S3 Bucket - acl
-resource "aws_s3_bucket_acl" "sast_metadata_acl" {
-  depends_on = [aws_s3_bucket_ownership_controls.sast_metadata_ownership_controls]
-
-  bucket = aws_s3_bucket.sast_metadata_bucket.id
-  acl    = "private"
-}
-
-# S3 Bucket - versioning
-resource "aws_s3_bucket_versioning" "sast_metadata_versioning" {
-  bucket = aws_s3_bucket.sast_metadata_bucket.id
-
-  versioning_configuration {
-    status = var.s3_bucket_versioning_status
-  }
-}
-
-# S3 Bucket - encryption configuration
-resource "aws_s3_bucket_server_side_encryption_configuration" "sast_metadata_encryption_configuration" {
-  bucket = aws_s3_bucket.sast_metadata_bucket.id
-
-  rule {
-    apply_server_side_encryption_by_default {
-      sse_algorithm = "AES256"
-    }
-  }
-}
-
-# S3 Bucket - lifecycle
-resource "aws_s3_bucket_lifecycle_configuration" "sast_metadata_lifecycle" {
-  bucket = aws_s3_bucket.sast_metadata_bucket.id
-
-  rule {
-    id     = "Transition-To-Intelligent-Tiering"
-    status = "Enabled"
-    # abort_incomplete_multipart_upload_days = 1 (not expected here)
-    transition {
-      days          = 0
-      storage_class = "INTELLIGENT_TIERING"
-    }
-  }
-  rule {
-    id     = "${var.s3_retention_period}-Days-Non-Current-Expiration"
-    status = "Enabled"
-    noncurrent_version_expiration {
-      noncurrent_days = var.s3_retention_period
-    }
-    expiration {
-      expired_object_delete_marker = true
-    }
-  }
-}
-
-# S3 Bucket - Block Public Access
-resource "aws_s3_bucket_public_access_block" "sast_metadata_public_access_block" {
-  bucket                  = aws_s3_bucket.sast_metadata_bucket.id
-  block_public_acls       = true
-  block_public_policy     = true
-  ignore_public_acls      = true
-  restrict_public_buckets = true
-}
-
-# S3 Bucket Policy - Deny Non-HTTPS only
-resource "aws_s3_bucket_policy" "sast_metadata_permissive_access" {
-  bucket = aws_s3_bucket.sast_metadata_bucket.id
-  policy = jsonencode({
-    "Version" : "2012-10-17",
-    "Statement" : [
-      {
-        "Sid" : "denyInsecureTransport",
-        "Effect" : "Deny",
-        "Principal" : "*",
-        "Action" : "s3:*",
-        "Resource" : [
-          "arn:aws:s3:::${aws_s3_bucket.sast_metadata_bucket.id}/*",
-          "arn:aws:s3:::${aws_s3_bucket.sast_metadata_bucket.id}"
-        ],
-        "Condition" : {
-          "Bool" : {
-            "aws:SecureTransport" : "false"
-          }
-        }
-      }
-    ]
-  })
-}
-
-# SCANS BUCKET
-# S3 Bucket
-# tfsec:ignore:aws-s3-encryption-customer-key
-resource "aws_s3_bucket" "scans_bucket" {
-  bucket        = "scans-${lower(local.s3_bucket_name_suffix)}"
-  force_destroy = true
-
-  tags = {
-    Name        = "${var.deployment_id} scans bucket"
-    Environment = "${var.deployment_id}"
-  }
-}
-
-# S3 Bucket - Ownership Control
-resource "aws_s3_bucket_ownership_controls" "scans_ownership_controls" {
-  bucket = aws_s3_bucket.scans_bucket.id
-  rule {
-    object_ownership = "BucketOwnerPreferred"
-  }
-}
-
-# S3 Bucket - acl
-resource "aws_s3_bucket_acl" "scans_bucket_acl" {
-  depends_on = [aws_s3_bucket_ownership_controls.scans_ownership_controls]
-
-  bucket = aws_s3_bucket.scans_bucket.id
-  acl    = "private"
-}
-
-# S3 Bucket - versioning
-resource "aws_s3_bucket_versioning" "scans_bucket_versioning" {
-  bucket = aws_s3_bucket.scans_bucket.id
-
-  versioning_configuration {
-    status = var.s3_bucket_versioning_status
-  }
-}
-
-# S3 Bucket - encryption configuration
-resource "aws_s3_bucket_server_side_encryption_configuration" "scans_bucket_encryption_configuration" {
-  bucket = aws_s3_bucket.scans_bucket.id
-
-  rule {
-    apply_server_side_encryption_by_default {
-      sse_algorithm = "AES256"
-    }
-  }
-}
-
-# S3 Bucket - lifecycle
-resource "aws_s3_bucket_lifecycle_configuration" "scans_bucket_lifecycle" {
-  bucket = aws_s3_bucket.scans_bucket.id
-
-  rule {
-    id     = "Transition-To-Intelligent-Tiering"
-    status = "Enabled"
-    # abort_incomplete_multipart_upload_days = 1 (not expected here)
-    transition {
-      days          = 0
-      storage_class = "INTELLIGENT_TIERING"
-    }
-  }
-  rule {
-    id     = "${var.s3_retention_period}-Days-Non-Current-Expiration"
-    status = "Enabled"
-    noncurrent_version_expiration {
-      noncurrent_days = var.s3_retention_period
-    }
-    expiration {
-      expired_object_delete_marker = true
-    }
-  }
-}
-
-# S3 Bucket - Block Public Access
-resource "aws_s3_bucket_public_access_block" "scans_public_access_block" {
-  bucket                  = aws_s3_bucket.scans_bucket.id
-  block_public_acls       = true
-  block_public_policy     = true
-  ignore_public_acls      = true
-  restrict_public_buckets = true
-}
-
-# S3 Bucket Policy - Deny Non-HTTPS only
-resource "aws_s3_bucket_policy" "scans_permissive_access" {
-  bucket = aws_s3_bucket.scans_bucket.id
-  policy = jsonencode({
-    "Version" : "2012-10-17",
-    "Statement" : [
-      {
-        "Sid" : "denyInsecureTransport",
-        "Effect" : "Deny",
-        "Principal" : "*",
-        "Action" : "s3:*",
-        "Resource" : [
-          "arn:aws:s3:::${aws_s3_bucket.scans_bucket.id}/*",
-          "arn:aws:s3:::${aws_s3_bucket.scans_bucket.id}"
-        ],
-        "Condition" : {
-          "Bool" : {
-            "aws:SecureTransport" : "false"
-          }
-        }
-      }
-    ]
-  })
-}
-
-# SAST-WORKER BUCKET
-# S3 Bucket
-# tfsec:ignore:aws-s3-encryption-customer-key
-resource "aws_s3_bucket" "sast_worker_bucket" {
-  bucket        = "sast-worker-${lower(local.s3_bucket_name_suffix)}"
-  force_destroy = true
-
-  tags = {
-    Name        = "${var.deployment_id} sast worker bucket"
-    Environment = "${var.deployment_id}"
-  }
-}
-
-# S3 Bucket - Ownership Control
-resource "aws_s3_bucket_ownership_controls" "sast_worker_ownership_controls" {
-  bucket = aws_s3_bucket.sast_worker_bucket.id
-  rule {
-    object_ownership = "BucketOwnerPreferred"
-  }
-}
-
-# S3 Bucket - acl
-resource "aws_s3_bucket_acl" "sast_worker_bucket_acl" {
-  depends_on = [aws_s3_bucket_ownership_controls.sast_worker_ownership_controls]
-
-  bucket = aws_s3_bucket.sast_worker_bucket.id
-  acl    = "private"
-}
-
-# S3 Bucket - versioning
-resource "aws_s3_bucket_versioning" "sast_worker_bucket_versioning" {
-  bucket = aws_s3_bucket.sast_worker_bucket.id
-
-  versioning_configuration {
-    status = var.s3_bucket_versioning_status
-  }
-}
-
-# S3 Bucket - encryption configuration
-resource "aws_s3_bucket_server_side_encryption_configuration" "sast_worker_bucket_encryption_configuration" {
-  bucket = aws_s3_bucket.sast_worker_bucket.id
-
-  rule {
-    apply_server_side_encryption_by_default {
-      sse_algorithm = "AES256"
-    }
-  }
-}
-
-# S3 Bucket - lifecycle
-resource "aws_s3_bucket_lifecycle_configuration" "sast_worker_bucket_lifecycle" {
-  bucket = aws_s3_bucket.sast_worker_bucket.id
-
-  rule {
-    id     = "Transition-To-Intelligent-Tiering"
-    status = "Enabled"
-    # abort_incomplete_multipart_upload_days = 1 (not expected here)
-    transition {
-      days          = 0
-      storage_class = "INTELLIGENT_TIERING"
-    }
-  }
-  rule {
-    id     = "${var.s3_retention_period}-Days-Non-Current-Expiration"
-    status = "Enabled"
-    noncurrent_version_expiration {
-      noncurrent_days = var.s3_retention_period
-    }
-    expiration {
-      expired_object_delete_marker = true
-    }
-  }
-}
-
-# S3 Bucket - Block Public Access
-resource "aws_s3_bucket_public_access_block" "sast_worker_public_access_block" {
-  bucket                  = aws_s3_bucket.sast_worker_bucket.id
-  block_public_acls       = true
-  block_public_policy     = true
-  ignore_public_acls      = true
-  restrict_public_buckets = true
-}
-
-# S3 Bucket Policy - Deny Non-HTTPS only
-resource "aws_s3_bucket_policy" "sast_worker_permissive_access" {
-  bucket = aws_s3_bucket.sast_worker_bucket.id
-  policy = jsonencode({
-    "Version" : "2012-10-17",
-    "Statement" : [
-      {
-        "Sid" : "denyInsecureTransport",
-        "Effect" : "Deny",
-        "Principal" : "*",
-        "Action" : "s3:*",
-        "Resource" : [
-          "arn:aws:s3:::${aws_s3_bucket.sast_worker_bucket.id}/*",
-          "arn:aws:s3:::${aws_s3_bucket.sast_worker_bucket.id}"
-        ],
-        "Condition" : {
-          "Bool" : {
-            "aws:SecureTransport" : "false"
-          }
-        }
-      }
-    ]
-  })
-}
-
-# KICS-WORKER BUCKET
-# S3 Bucket
-# tfsec:ignore:aws-s3-encryption-customer-key
-resource "aws_s3_bucket" "kics_worker_bucket" {
-  bucket        = "kics-worker-${lower(local.s3_bucket_name_suffix)}"
-  force_destroy = true
-
-  tags = {
-    Name        = "${var.deployment_id} kics worker bucket"
-    Environment = "${var.deployment_id}"
-  }
-}
-# S3 Bucket - Ownership Control
-resource "aws_s3_bucket_ownership_controls" "kics_worker_ownership_controls" {
-  bucket = aws_s3_bucket.kics_worker_bucket.id
-  rule {
-    object_ownership = "BucketOwnerPreferred"
-  }
-}
-
-# S3 Bucket - acl
-resource "aws_s3_bucket_acl" "kics_worker_bucket_acl" {
-  depends_on = [aws_s3_bucket_ownership_controls.kics_worker_ownership_controls]
-
-  bucket = aws_s3_bucket.kics_worker_bucket.id
-  acl    = "private"
-}
-
-# S3 Bucket - versioning
-resource "aws_s3_bucket_versioning" "kics_worker_bucket_versioning" {
-  bucket = aws_s3_bucket.kics_worker_bucket.id
-
-  versioning_configuration {
-    status = var.s3_bucket_versioning_status
-  }
-}
-
-# S3 Bucket - encryption configuration
-resource "aws_s3_bucket_server_side_encryption_configuration" "kics_worker_bucket_encryption_configuration" {
-  bucket = aws_s3_bucket.kics_worker_bucket.id
-
-  rule {
-    apply_server_side_encryption_by_default {
-      sse_algorithm = "AES256"
-    }
-  }
-}
-
-# S3 Bucket - lifecycle
-resource "aws_s3_bucket_lifecycle_configuration" "kics_worker_bucket_lifecycle" {
-  bucket = aws_s3_bucket.kics_worker_bucket.id
-
-  rule {
-    id     = "Transition-To-Intelligent-Tiering"
-    status = "Enabled"
-    # abort_incomplete_multipart_upload_days = 1 (not expected here)
-    transition {
-      days          = 0
-      storage_class = "INTELLIGENT_TIERING"
-    }
-  }
-  rule {
-    id     = "${var.s3_retention_period}-Days-Non-Current-Expiration"
-    status = "Enabled"
-    noncurrent_version_expiration {
-      noncurrent_days = var.s3_retention_period
-    }
-    expiration {
-      expired_object_delete_marker = true
-    }
-  }
-}
-
-# S3 Bucket - Block Public Access
-resource "aws_s3_bucket_public_access_block" "kics_worker_public_access_block" {
-  bucket                  = aws_s3_bucket.kics_worker_bucket.id
-  block_public_acls       = true
-  block_public_policy     = true
-  ignore_public_acls      = true
-  restrict_public_buckets = true
-}
-
-# S3 Bucket Policy - Deny Non-HTTPS only
-resource "aws_s3_bucket_policy" "kics_worker_permissive_access" {
-  bucket = aws_s3_bucket.kics_worker_bucket.id
-  policy = jsonencode({
-    "Version" : "2012-10-17",
-    "Statement" : [
-      {
-        "Sid" : "denyInsecureTransport",
-        "Effect" : "Deny",
-        "Principal" : "*",
-        "Action" : "s3:*",
-        "Resource" : [
-          "arn:aws:s3:::${aws_s3_bucket.kics_worker_bucket.id}/*",
-          "arn:aws:s3:::${aws_s3_bucket.kics_worker_bucket.id}"
-        ],
-        "Condition" : {
-          "Bool" : {
-            "aws:SecureTransport" : "false"
-          }
-        }
-      }
-    ]
-  })
-}
-
-# SCA-WORKER BUCKET
-# S3 Bucket
-# tfsec:ignore:aws-s3-encryption-customer-key
-resource "aws_s3_bucket" "sca_worker_bucket" {
-  bucket        = "sca-worker-${lower(local.s3_bucket_name_suffix)}"
-  force_destroy = true
-
-  tags = {
-    Name        = "${var.deployment_id} sca worker bucket"
-    Environment = "${var.deployment_id}"
-  }
-}
-
-# S3 Bucket - Ownership Control
-resource "aws_s3_bucket_ownership_controls" "sca_worker_ownership_controls" {
-  bucket = aws_s3_bucket.sca_worker_bucket.id
-  rule {
-    object_ownership = "BucketOwnerPreferred"
-  }
-}
-
-# S3 Bucket - acl
-resource "aws_s3_bucket_acl" "sca_worker_bucket_acl" {
-  depends_on = [aws_s3_bucket_ownership_controls.sca_worker_ownership_controls]
-
-  bucket = aws_s3_bucket.sca_worker_bucket.id
-  acl    = "private"
-}
-
-# S3 Bucket - versioning
-resource "aws_s3_bucket_versioning" "sca_worker_bucket_versioning" {
-  bucket = aws_s3_bucket.sca_worker_bucket.id
-
-  versioning_configuration {
-    status = var.s3_bucket_versioning_status
-  }
-}
-
-# S3 Bucket - encryption configuration
-resource "aws_s3_bucket_server_side_encryption_configuration" "sca_worker_bucket_encryption_configuration" {
-  bucket = aws_s3_bucket.sca_worker_bucket.id
-
-  rule {
-    apply_server_side_encryption_by_default {
-      sse_algorithm = "AES256"
-    }
-  }
-}
-
-# S3 Bucket - lifecycle
-resource "aws_s3_bucket_lifecycle_configuration" "sca_worker_bucket_lifecycle" {
-  bucket = aws_s3_bucket.sca_worker_bucket.id
-
-  rule {
-    id     = "Transition-To-Intelligent-Tiering"
-    status = "Enabled"
-    # abort_incomplete_multipart_upload_days = 1 (not expected here)
-    transition {
-      days          = 0
-      storage_class = "INTELLIGENT_TIERING"
-    }
-  }
-  rule {
-    id     = "${var.s3_retention_period}-Days-Non-Current-Expiration"
-    status = "Enabled"
-    noncurrent_version_expiration {
-      noncurrent_days = var.s3_retention_period
-    }
-    expiration {
-      expired_object_delete_marker = true
-    }
-  }
-}
-
-# S3 Bucket - Block Public Access
-resource "aws_s3_bucket_public_access_block" "sca_worker_public_access_block" {
-  bucket                  = aws_s3_bucket.sca_worker_bucket.id
-  block_public_acls       = true
-  block_public_policy     = true
-  ignore_public_acls      = true
-  restrict_public_buckets = true
-}
-
-# S3 Bucket Policy - Deny Non-HTTPS only
-resource "aws_s3_bucket_policy" "sca_worker_permissive_access" {
-  bucket = aws_s3_bucket.sca_worker_bucket.id
-  policy = jsonencode({
-    "Version" : "2012-10-17",
-    "Statement" : [
-      {
-        "Sid" : "denyInsecureTransport",
-        "Effect" : "Deny",
-        "Principal" : "*",
-        "Action" : "s3:*",
-        "Resource" : [
-          "arn:aws:s3:::${aws_s3_bucket.sca_worker_bucket.id}/*",
-          "arn:aws:s3:::${aws_s3_bucket.sca_worker_bucket.id}"
-        ],
-        "Condition" : {
-          "Bool" : {
-            "aws:SecureTransport" : "false"
-          }
-        }
-      }
-    ]
-  })
-}
-
-# LOGS BUCKET
-# S3 Bucket
-# tfsec:ignore:aws-s3-encryption-customer-key
-resource "aws_s3_bucket" "logs_bucket" {
-  bucket        = "logs-${lower(local.s3_bucket_name_suffix)}"
-  force_destroy = true
-
-  tags = {
-    Name        = "${var.deployment_id} logs bucket"
-    Environment = "${var.deployment_id}"
-  }
-}
-
-# S3 Bucket - Ownership Control
-resource "aws_s3_bucket_ownership_controls" "logs_bucket_ownership_controls" {
-  bucket = aws_s3_bucket.logs_bucket.id
-  rule {
-    object_ownership = "BucketOwnerPreferred"
-  }
-}
-
-# S3 Bucket - acl
-resource "aws_s3_bucket_acl" "logs_bucket_acl" {
-  depends_on = [aws_s3_bucket_ownership_controls.logs_bucket_ownership_controls]
-
-  bucket = aws_s3_bucket.logs_bucket.id
-  acl    = "private"
-}
-
-# S3 Bucket - versioning
-resource "aws_s3_bucket_versioning" "logs_bucket_versioning" {
-  bucket = aws_s3_bucket.logs_bucket.id
-
-  versioning_configuration {
-    status = var.s3_bucket_versioning_status
-  }
-}
-
-# S3 Bucket - encryption configuration
-resource "aws_s3_bucket_server_side_encryption_configuration" "logs_bucket_encryption_configuration" {
-  bucket = aws_s3_bucket.logs_bucket.id
-
-  rule {
-    apply_server_side_encryption_by_default {
-      sse_algorithm = "AES256"
-    }
-  }
-}
-
-# S3 Bucket - lifecycle
-resource "aws_s3_bucket_lifecycle_configuration" "logs_bucket_lifecycle" {
-  bucket = aws_s3_bucket.logs_bucket.id
-
-  rule {
-    id     = "Transition-To-Intelligent-Tiering"
-    status = "Enabled"
-    # abort_incomplete_multipart_upload_days = 1 (not expected here)
-    transition {
-      days          = 0
-      storage_class = "INTELLIGENT_TIERING"
-    }
-  }
-  rule {
-    id     = "${var.s3_retention_period}-Days-Non-Current-Expiration"
-    status = "Enabled"
-    noncurrent_version_expiration {
-      noncurrent_days = var.s3_retention_period
-    }
-    expiration {
-      expired_object_delete_marker = true
-    }
-  }
-}
-
-
-# S3 Bucket - Block Public Access
-resource "aws_s3_bucket_public_access_block" "logs_bucket_public_access_block" {
-  bucket                  = aws_s3_bucket.logs_bucket.id
-  block_public_acls       = true
-  block_public_policy     = true
-  ignore_public_acls      = true
-  restrict_public_buckets = true
-}
-
-# S3 Bucket Policy - Deny Non-HTTPS only
-resource "aws_s3_bucket_policy" "logs_permissive_access" {
-  bucket = aws_s3_bucket.logs_bucket.id
-  policy = jsonencode({
-    "Version" : "2012-10-17",
-    "Statement" : [
-      {
-        "Sid" : "denyInsecureTransport",
-        "Effect" : "Deny",
-        "Principal" : "*",
-        "Action" : "s3:*",
-        "Resource" : [
-          "arn:aws:s3:::${aws_s3_bucket.logs_bucket.id}/*",
-          "arn:aws:s3:::${aws_s3_bucket.logs_bucket.id}"
-        ],
-        "Condition" : {
-          "Bool" : {
-            "aws:SecureTransport" : "false"
-          }
-        }
-      }
-    ]
-  })
-}
-
-# ENGINE-LOGS BUCKET
-# S3 Bucket
-# tfsec:ignore:aws-s3-encryption-customer-key
-resource "aws_s3_bucket" "engine_logs_bucket" {
-  bucket        = "engine-logs-${lower(local.s3_bucket_name_suffix)}"
-  force_destroy = true
-
-  tags = {
-    Name        = "${var.deployment_id} engine logs bucket"
-    Environment = "${var.deployment_id}"
-  }
-}
-
-# S3 Bucket - Ownership Control
-resource "aws_s3_bucket_ownership_controls" "engine_logs_ownership_controls" {
-  bucket = aws_s3_bucket.engine_logs_bucket.id
-  rule {
-    object_ownership = "BucketOwnerPreferred"
-  }
-}
-
-# S3 Bucket - acl
-resource "aws_s3_bucket_acl" "engine_logs_bucket_acl" {
-  depends_on = [aws_s3_bucket_ownership_controls.engine_logs_ownership_controls]
-
-  bucket = aws_s3_bucket.engine_logs_bucket.id
-  acl    = "private"
-}
-
-# S3 Bucket - versioning
-resource "aws_s3_bucket_versioning" "engine_logs_bucket_versioning" {
-  bucket = aws_s3_bucket.engine_logs_bucket.id
-
-  versioning_configuration {
-    status = var.s3_bucket_versioning_status
-  }
-}
-
-# S3 Bucket - encryption configuration
-resource "aws_s3_bucket_server_side_encryption_configuration" "engine_logs_bucket_encryption_configuration" {
-  bucket = aws_s3_bucket.engine_logs_bucket.id
-
-  rule {
-    apply_server_side_encryption_by_default {
-      sse_algorithm = "AES256"
-    }
-  }
-}
-
-# S3 Bucket - lifecycle
-resource "aws_s3_bucket_lifecycle_configuration" "engine_logs_bucket_lifecycle" {
-  bucket = aws_s3_bucket.engine_logs_bucket.id
-
-  rule {
-    id     = "Transition-To-Intelligent-Tiering"
-    status = "Enabled"
-    # abort_incomplete_multipart_upload_days = 1 (not expected here)
-    transition {
-      days          = 0
-      storage_class = "INTELLIGENT_TIERING"
-    }
-  }
-  rule {
-    id     = "${var.s3_retention_period}-Days-Non-Current-Expiration"
-    status = "Enabled"
-    noncurrent_version_expiration {
-      noncurrent_days = var.s3_retention_period
-    }
-    expiration {
-      expired_object_delete_marker = true
-    }
-  }
-}
-
-# S3 Bucket - Block Public Access
-resource "aws_s3_bucket_public_access_block" "engine_logs_public_access_block" {
-  bucket                  = aws_s3_bucket.engine_logs_bucket.id
-  block_public_acls       = true
-  block_public_policy     = true
-  ignore_public_acls      = true
-  restrict_public_buckets = true
-}
-
-# S3 Bucket Policy - Deny Non-HTTPS only
-resource "aws_s3_bucket_policy" "engine_logs_permissive_access" {
-  bucket = aws_s3_bucket.engine_logs_bucket.id
-  policy = jsonencode({
-    "Version" : "2012-10-17",
-    "Statement" : [
-      {
-        "Sid" : "denyInsecureTransport",
-        "Effect" : "Deny",
-        "Principal" : "*",
-        "Action" : "s3:*",
-        "Resource" : [
-          "arn:aws:s3:::${aws_s3_bucket.engine_logs_bucket.id}/*",
-          "arn:aws:s3:::${aws_s3_bucket.engine_logs_bucket.id}"
-        ],
-        "Condition" : {
-          "Bool" : {
-            "aws:SecureTransport" : "false"
-          }
-        }
-      }
-    ]
-  })
-}
-
-# REPORTS BUCKET
-# S3 Bucket
-# tfsec:ignore:aws-s3-encryption-customer-key
-resource "aws_s3_bucket" "reports_bucket" {
-  bucket        = "reports-${lower(local.s3_bucket_name_suffix)}"
-  force_destroy = true
-
-  tags = {
-    Name        = "${var.deployment_id} reports bucket"
-    Environment = "${var.deployment_id}"
-  }
-}
-
-# S3 Bucket - Ownership Control
-resource "aws_s3_bucket_ownership_controls" "reports_ownership_controls" {
-  bucket = aws_s3_bucket.reports_bucket.id
-  rule {
-    object_ownership = "BucketOwnerPreferred"
-  }
-}
-
-# S3 Bucket - acl
-resource "aws_s3_bucket_acl" "reports_bucket_acl" {
-  depends_on = [aws_s3_bucket_ownership_controls.reports_ownership_controls]
-
-  bucket = aws_s3_bucket.reports_bucket.id
-  acl    = "private"
-}
-
-# S3 Bucket - versioning
-resource "aws_s3_bucket_versioning" "reports_bucket_versioning" {
-  bucket = aws_s3_bucket.reports_bucket.id
-
-  versioning_configuration {
-    status = var.s3_bucket_versioning_status
-  }
-}
-
-# S3 Bucket - encryption configuration
-resource "aws_s3_bucket_server_side_encryption_configuration" "reports_bucket_encryption_configuration" {
-  bucket = aws_s3_bucket.reports_bucket.id
-
-  rule {
-    apply_server_side_encryption_by_default {
-      sse_algorithm = "AES256"
-    }
-  }
-}
-
-# S3 Bucket - lifecycle
-resource "aws_s3_bucket_lifecycle_configuration" "reports_bucket_lifecycle" {
-  bucket = aws_s3_bucket.reports_bucket.id
-
-  rule {
-    id     = "Transition-To-Intelligent-Tiering"
-    status = "Enabled"
-    # abort_incomplete_multipart_upload_days = 1 (not expected here)
-    transition {
-      days          = 0
-      storage_class = "INTELLIGENT_TIERING"
-    }
-  }
-  rule {
-    id     = "${var.s3_retention_period}-Days-Non-Current-Expiration"
-    status = "Enabled"
-    noncurrent_version_expiration {
-      noncurrent_days = var.s3_retention_period
-    }
-    expiration {
-      expired_object_delete_marker = true
-    }
-  }
-}
-
-
-# S3 Bucket - Block Public Access
-resource "aws_s3_bucket_public_access_block" "reports_public_access_block" {
-  bucket                  = aws_s3_bucket.reports_bucket.id
-  block_public_acls       = true
-  block_public_policy     = true
-  ignore_public_acls      = true
-  restrict_public_buckets = true
-}
-
-# S3 Bucket Policy - Deny Non-HTTPS only
-resource "aws_s3_bucket_policy" "reports_permissive_access" {
-  bucket = aws_s3_bucket.reports_bucket.id
-  policy = jsonencode({
-    "Version" : "2012-10-17",
-    "Statement" : [
-      {
-        "Sid" : "denyInsecureTransport",
-        "Effect" : "Deny",
-        "Principal" : "*",
-        "Action" : "s3:*",
-        "Resource" : [
-          "arn:aws:s3:::${aws_s3_bucket.reports_bucket.id}/*",
-          "arn:aws:s3:::${aws_s3_bucket.reports_bucket.id}"
-        ],
-        "Condition" : {
-          "Bool" : {
-            "aws:SecureTransport" : "false"
-          }
-        }
-      }
-    ]
-  })
-}
-
-# REPORT-TEMPLATES BUCKET
-# S3 Bucket
-# tfsec:ignore:aws-s3-encryption-customer-key
-resource "aws_s3_bucket" "report_templates_bucket" {
-  bucket        = "report-templates-${lower(local.s3_bucket_name_suffix)}"
-  force_destroy = true
-
-  tags = {
-    Name        = "${var.deployment_id} report templates bucket"
-    Environment = "${var.deployment_id}"
-  }
-}
-
-# S3 Bucket - Ownership Control
-resource "aws_s3_bucket_ownership_controls" "report_templates_ownership_controls" {
-  bucket = aws_s3_bucket.report_templates_bucket.id
-  rule {
-    object_ownership = "BucketOwnerPreferred"
-  }
-}
-
-# S3 Bucket - acl
-resource "aws_s3_bucket_acl" "report_templates_bucket_acl" {
-  depends_on = [aws_s3_bucket_ownership_controls.report_templates_ownership_controls]
-
-  bucket = aws_s3_bucket.report_templates_bucket.id
-  acl    = "private"
-}
-
-# S3 Bucket - versioning
-resource "aws_s3_bucket_versioning" "report_templates_bucket_versioning" {
-  bucket = aws_s3_bucket.report_templates_bucket.id
-
-  versioning_configuration {
-    status = var.s3_bucket_versioning_status
-  }
-}
-
-# S3 Bucket - encryption configuration
-resource "aws_s3_bucket_server_side_encryption_configuration" "report_templates_bucket_encryption_configuration" {
-  bucket = aws_s3_bucket.report_templates_bucket.id
-
-  rule {
-    apply_server_side_encryption_by_default {
-      sse_algorithm = "AES256"
-    }
-  }
-}
-
-# S3 Bucket - lifecycle
-resource "aws_s3_bucket_lifecycle_configuration" "report_templates_bucket_lifecycle" {
-  bucket = aws_s3_bucket.report_templates_bucket.id
-
-  rule {
-    id     = "Transition-To-Intelligent-Tiering"
-    status = "Enabled"
-    # abort_incomplete_multipart_upload_days = 1 (not expected here)
-    transition {
-      days          = 0
-      storage_class = "INTELLIGENT_TIERING"
-    }
-  }
-  rule {
-    id     = "${var.s3_retention_period}-Days-Non-Current-Expiration"
-    status = "Enabled"
-    noncurrent_version_expiration {
-      noncurrent_days = var.s3_retention_period
-    }
-    expiration {
-      expired_object_delete_marker = true
-    }
-  }
-}
-
-# S3 Bucket - Block Public Access
-resource "aws_s3_bucket_public_access_block" "report_templates_public_access_block" {
-  bucket                  = aws_s3_bucket.report_templates_bucket.id
-  block_public_acls       = true
-  block_public_policy     = true
-  ignore_public_acls      = true
-  restrict_public_buckets = true
-}
-
-# S3 Bucket Policy - Deny Non-HTTPS only
-resource "aws_s3_bucket_policy" "report_templates_permissive_access" {
-  bucket = aws_s3_bucket.report_templates_bucket.id
-  policy = jsonencode({
-    "Version" : "2012-10-17",
-    "Statement" : [
-      {
-        "Sid" : "denyInsecureTransport",
-        "Effect" : "Deny",
-        "Principal" : "*",
-        "Action" : "s3:*",
-        "Resource" : [
-          "arn:aws:s3:::${aws_s3_bucket.report_templates_bucket.id}/*",
-          "arn:aws:s3:::${aws_s3_bucket.report_templates_bucket.id}"
-        ],
-        "Condition" : {
-          "Bool" : {
-            "aws:SecureTransport" : "false"
-          }
-        }
-      }
-    ]
-  })
-}
-
-# CONFIGURATION BUCKET
-# S3 Bucket
-# tfsec:ignore:aws-s3-encryption-customer-key
-resource "aws_s3_bucket" "configuration_bucket" {
-  bucket        = "configuration-${lower(local.s3_bucket_name_suffix)}"
-  force_destroy = true
-
-  tags = {
-    Name        = "${var.deployment_id} configuration bucket"
-    Environment = "${var.deployment_id}"
-  }
-}
-
-# S3 Bucket - Ownership Control
-resource "aws_s3_bucket_ownership_controls" "configuration_ownership_controls" {
-  bucket = aws_s3_bucket.configuration_bucket.id
-  rule {
-    object_ownership = "BucketOwnerPreferred"
-  }
-}
-
-# S3 Bucket - acl
-resource "aws_s3_bucket_acl" "configuration_bucket_acl" {
-  depends_on = [aws_s3_bucket_ownership_controls.configuration_ownership_controls]
-
-  bucket = aws_s3_bucket.configuration_bucket.id
-  acl    = "private"
-}
-
-# S3 Bucket - versioning
-resource "aws_s3_bucket_versioning" "configuration_bucket_versioning" {
-  bucket = aws_s3_bucket.configuration_bucket.id
-
-  versioning_configuration {
-    status = var.s3_bucket_versioning_status
-  }
-}
-
-# S3 Bucket - encryption configuration
-resource "aws_s3_bucket_server_side_encryption_configuration" "configuration_bucket_encryption_configuration" {
-  bucket = aws_s3_bucket.configuration_bucket.id
-
-  rule {
-    apply_server_side_encryption_by_default {
-      sse_algorithm = "AES256"
-    }
-  }
-}
-
-# S3 Bucket - lifecycle
-resource "aws_s3_bucket_lifecycle_configuration" "configuration_bucket_lifecycle" {
-  bucket = aws_s3_bucket.configuration_bucket.id
-
-  rule {
-    id     = "Transition-To-Intelligent-Tiering"
-    status = "Enabled"
-    # abort_incomplete_multipart_upload_days = 1 (not expected here)
-    transition {
-      days          = 0
-      storage_class = "INTELLIGENT_TIERING"
-    }
-  }
-  rule {
-    id     = "${var.s3_retention_period}-Days-Non-Current-Expiration"
-    status = "Enabled"
-    noncurrent_version_expiration {
-      noncurrent_days = var.s3_retention_period
-    }
-    expiration {
-      expired_object_delete_marker = true
-    }
-  }
-}
-
-
-
-# S3 Bucket - Block Public Access
-resource "aws_s3_bucket_public_access_block" "configuration_public_access_block" {
-  bucket                  = aws_s3_bucket.configuration_bucket.id
-  block_public_acls       = true
-  block_public_policy     = true
-  ignore_public_acls      = true
-  restrict_public_buckets = true
-}
-
-# S3 Bucket Policy - Deny Non-HTTPS only
-resource "aws_s3_bucket_policy" "configuration_permissive_access" {
-  bucket = aws_s3_bucket.configuration_bucket.id
-  policy = jsonencode({
-    "Version" : "2012-10-17",
-    "Statement" : [
-      {
-        "Sid" : "denyInsecureTransport",
-        "Effect" : "Deny",
-        "Principal" : "*",
-        "Action" : "s3:*",
-        "Resource" : [
-          "arn:aws:s3:::${aws_s3_bucket.configuration_bucket.id}/*",
-          "arn:aws:s3:::${aws_s3_bucket.configuration_bucket.id}"
-        ],
-        "Condition" : {
-          "Bool" : {
-            "aws:SecureTransport" : "false"
-          }
-        }
-      }
-    ]
-  })
-}
-
-# IMPORTS BUCKET
-# S3 Bucket
-# tfsec:ignore:aws-s3-encryption-customer-key
-resource "aws_s3_bucket" "imports_bucket" {
-  bucket        = "imports-${lower(local.s3_bucket_name_suffix)}"
-  force_destroy = true
-
-  tags = {
-    Name        = "${var.deployment_id} imports bucket"
-    Environment = "${var.deployment_id}"
-  }
-}
-
-# S3 Bucket - Ownership Control
-resource "aws_s3_bucket_ownership_controls" "imports_ownership_controls" {
-  bucket = aws_s3_bucket.imports_bucket.id
-  rule {
-    object_ownership = "BucketOwnerPreferred"
-  }
-}
-
-# S3 Bucket - acl
-resource "aws_s3_bucket_acl" "imports_bucket_acl" {
-  depends_on = [aws_s3_bucket_ownership_controls.imports_ownership_controls]
-
-  bucket = aws_s3_bucket.imports_bucket.id
-  acl    = "private"
-}
-
-# S3 Bucket - versioning
-resource "aws_s3_bucket_versioning" "imports_bucket_versioning" {
-  bucket = aws_s3_bucket.imports_bucket.id
-
-  versioning_configuration {
-    status = var.s3_bucket_versioning_status
-  }
-}
-
-# S3 Bucket - encryption configuration
-resource "aws_s3_bucket_server_side_encryption_configuration" "imports_bucket_encryption_configuration" {
-  bucket = aws_s3_bucket.imports_bucket.id
-
-  rule {
-    apply_server_side_encryption_by_default {
-      sse_algorithm = "AES256"
-    }
-  }
-}
-
-# S3 Bucket - lifecycle
-resource "aws_s3_bucket_lifecycle_configuration" "imports_bucket_lifecycle" {
-  bucket = aws_s3_bucket.imports_bucket.id
-
-  rule {
-    id     = "Transition-To-Intelligent-Tiering"
-    status = "Enabled"
-    # abort_incomplete_multipart_upload_days = 1 (not expected here)
-    transition {
-      days          = 0
-      storage_class = "INTELLIGENT_TIERING"
-    }
-  }
-  rule {
-    id     = "${var.s3_retention_period}-Days-Non-Current-Expiration"
-    status = "Enabled"
-    noncurrent_version_expiration {
-      noncurrent_days = var.s3_retention_period
-    }
-    expiration {
-      expired_object_delete_marker = true
-    }
-  }
-}
-
-# S3 Bucket - Block Public Access
-resource "aws_s3_bucket_public_access_block" "imports_public_access_block" {
-  bucket                  = aws_s3_bucket.imports_bucket.id
-  block_public_acls       = true
-  block_public_policy     = true
-  ignore_public_acls      = true
-  restrict_public_buckets = true
-}
-
-# S3 Bucket Policy - Deny Non-HTTPS only
-resource "aws_s3_bucket_policy" "imports_permissive_access" {
-  bucket = aws_s3_bucket.imports_bucket.id
-  policy = jsonencode({
-    "Version" : "2012-10-17",
-    "Statement" : [
-      {
-        "Sid" : "denyInsecureTransport",
-        "Effect" : "Deny",
-        "Principal" : "*",
-        "Action" : "s3:*",
-        "Resource" : [
-          "arn:aws:s3:::${aws_s3_bucket.imports_bucket.id}/*",
-          "arn:aws:s3:::${aws_s3_bucket.imports_bucket.id}"
-        ],
-        "Condition" : {
-          "Bool" : {
-            "aws:SecureTransport" : "false"
-          }
-        }
-      }
-    ]
-  })
-}
-
-# AUDIT BUCKET
-# S3 Bucket
-# tfsec:ignore:aws-s3-encryption-customer-key
-resource "aws_s3_bucket" "audit_bucket" {
-  bucket        = "audit-${lower(local.s3_bucket_name_suffix)}"
-  force_destroy = true
-
-  tags = {
-    Name        = "${var.deployment_id} audit bucket"
-    Environment = "${var.deployment_id}"
-  }
-}
-
-# S3 Bucket - Ownership Control
-resource "aws_s3_bucket_ownership_controls" "audit_ownership_controls" {
-  bucket = aws_s3_bucket.audit_bucket.id
-  rule {
-    object_ownership = "BucketOwnerPreferred"
-  }
-}
-
-# S3 Bucket - acl
-resource "aws_s3_bucket_acl" "audit_bucket_acl" {
-  depends_on = [aws_s3_bucket_ownership_controls.audit_ownership_controls]
-
-  bucket = aws_s3_bucket.audit_bucket.id
-  acl    = "private"
-}
-
-# S3 Bucket - versioning
-resource "aws_s3_bucket_versioning" "audit_bucket_versioning" {
-  bucket = aws_s3_bucket.audit_bucket.id
-
-  versioning_configuration {
-    status = var.s3_bucket_versioning_status
-  }
-}
-
-# S3 Bucket - encryption configuration
-resource "aws_s3_bucket_server_side_encryption_configuration" "audit_bucket_encryption_configuration" {
-  bucket = aws_s3_bucket.audit_bucket.id
-
-  rule {
-    apply_server_side_encryption_by_default {
-      sse_algorithm = "AES256"
-    }
-  }
-}
-
-# S3 Bucket - lifecycle
-resource "aws_s3_bucket_lifecycle_configuration" "audit_bucket_lifecycle" {
-  bucket = aws_s3_bucket.audit_bucket.id
-
-  rule {
-    id     = "Transition-To-Intelligent-Tiering"
-    status = "Enabled"
-    # abort_incomplete_multipart_upload_days = 1 (not expected here)
-    transition {
-      days          = 0
-      storage_class = "INTELLIGENT_TIERING"
-    }
-  }
-  rule {
-    id     = "${var.s3_retention_period}-Days-Non-Current-Expiration"
-    status = "Enabled"
-    noncurrent_version_expiration {
-      noncurrent_days = var.s3_retention_period
-    }
-    expiration {
-      expired_object_delete_marker = true
-    }
-  }
-}
-
-# S3 Bucket - Block Public Access
-resource "aws_s3_bucket_public_access_block" "audit_public_access_block" {
-  bucket                  = aws_s3_bucket.audit_bucket.id
-  block_public_acls       = true
-  block_public_policy     = true
-  ignore_public_acls      = true
-  restrict_public_buckets = true
-}
-
-# S3 Bucket Policy - Deny Non-HTTPS only
-resource "aws_s3_bucket_policy" "audit_permissive_access" {
-  bucket = aws_s3_bucket.audit_bucket.id
-  policy = jsonencode({
-    "Version" : "2012-10-17",
-    "Statement" : [
-      {
-        "Sid" : "denyInsecureTransport",
-        "Effect" : "Deny",
-        "Principal" : "*",
-        "Action" : "s3:*",
-        "Resource" : [
-          "arn:aws:s3:::${aws_s3_bucket.audit_bucket.id}/*",
-          "arn:aws:s3:::${aws_s3_bucket.audit_bucket.id}"
-        ],
-        "Condition" : {
-          "Bool" : {
-            "aws:SecureTransport" : "false"
-          }
-        }
-      }
-    ]
-  })
-}
-
-
-
-
-
-
-
-# SOURCE-RESOLVER BUCKET 
-# S3 Bucket
-# tfsec:ignore:aws-s3-encryption-customer-key
-resource "aws_s3_bucket" "source_resolver_bucket" {
-  bucket        = "source-resolver-${lower(local.s3_bucket_name_suffix)}"
-  force_destroy = true
-
-  tags = {
-    Name        = "${var.deployment_id} source resolver bucket"
-    Environment = "${var.deployment_id}"
-  }
-}
-
-# S3 Bucket - Ownership Control
-resource "aws_s3_bucket_ownership_controls" "source_resolver_ownership_controls" {
-  bucket = aws_s3_bucket.source_resolver_bucket.id
-  rule {
-    object_ownership = "BucketOwnerPreferred"
-  }
-}
-
-# S3 Bucket - acl
-resource "aws_s3_bucket_acl" "asource_resolver_bucket_acl" {
-  depends_on = [aws_s3_bucket_ownership_controls.source_resolver_ownership_controls]
-
-  bucket = aws_s3_bucket.source_resolver_bucket.id
-  acl    = "private"
-}
-
-# S3 Bucket - versioning
-resource "aws_s3_bucket_versioning" "source_resolver_bucket_versioning" {
-  bucket = aws_s3_bucket.source_resolver_bucket.id
-
-  versioning_configuration {
-    status = var.s3_bucket_versioning_status
-  }
-}
-
-# S3 Bucket - encryption configuration
-resource "aws_s3_bucket_server_side_encryption_configuration" "source_resolver_bucket_encryption_configuration" {
-  bucket = aws_s3_bucket.source_resolver_bucket.id
-
-  rule {
-    apply_server_side_encryption_by_default {
-      sse_algorithm = "AES256"
-    }
-  }
-}
-
-# S3 Bucket - lifecycle
-resource "aws_s3_bucket_lifecycle_configuration" "source_resolver_bucket_lifecycle" {
-  bucket = aws_s3_bucket.source_resolver_bucket.id
-
-  rule {
-    id     = "Transition-To-Intelligent-Tiering"
-    status = "Enabled"
-    # abort_incomplete_multipart_upload_days = 1 (not expected here)
-    transition {
-      days          = 0
-      storage_class = "INTELLIGENT_TIERING"
-    }
-  }
-  rule {
-    id     = "${var.s3_retention_period}-Days-Non-Current-Expiration"
-    status = "Enabled"
-    noncurrent_version_expiration {
-      noncurrent_days = var.s3_retention_period
-    }
-    expiration {
-      expired_object_delete_marker = true
-    }
-  }
-}
-
-# S3 Bucket - Block Public Access
-resource "aws_s3_bucket_public_access_block" "source_resolver_public_access_block" {
-  bucket                  = aws_s3_bucket.source_resolver_bucket.id
-  block_public_acls       = true
-  block_public_policy     = true
-  ignore_public_acls      = true
-  restrict_public_buckets = true
-}
-
-# S3 Bucket Policy - Deny Non-HTTPS only
-resource "aws_s3_bucket_policy" "source_resolver_permissive_access" {
-  bucket = aws_s3_bucket.source_resolver_bucket.id
-  policy = jsonencode({
-    "Version" : "2012-10-17",
-    "Statement" : [
-      {
-        "Sid" : "denyInsecureTransport",
-        "Effect" : "Deny",
-        "Principal" : "*",
-        "Action" : "s3:*",
-        "Resource" : [
-          "arn:aws:s3:::${aws_s3_bucket.source_resolver_bucket.id}/*",
-          "arn:aws:s3:::${aws_s3_bucket.source_resolver_bucket.id}"
-        ],
-        "Condition" : {
-          "Bool" : {
-            "aws:SecureTransport" : "false"
-          }
-        }
-      }
-    ]
-  })
-}
-
-
-
-
-# APISEC BUCKET
-# tfsec:ignore:aws-s3-encryption-customer-key
-resource "aws_s3_bucket" "apisec_bucket" {
-  bucket        = "apisec-${lower(local.s3_bucket_name_suffix)}"
-  force_destroy = true
-
-  tags = {
-    Name        = "${var.deployment_id} apisec bucket"
-    Environment = "${var.deployment_id}"
-  }
-}
-
-# S3 Bucket - Ownership Control
-resource "aws_s3_bucket_ownership_controls" "apisec_ownership_controls" {
-  bucket = aws_s3_bucket.apisec_bucket.id
-  rule {
-    object_ownership = "BucketOwnerPreferred"
-  }
-}
-
-# S3 Bucket - acl
-resource "aws_s3_bucket_acl" "apisec_bucket_acl" {
-  depends_on = [aws_s3_bucket_ownership_controls.apisec_ownership_controls]
-
-  bucket = aws_s3_bucket.apisec_bucket.id
-  acl    = "private"
-}
-
-# S3 Bucket - versioning
-resource "aws_s3_bucket_versioning" "apisec_bucket_versioning" {
-  bucket = aws_s3_bucket.apisec_bucket.id
-
-  versioning_configuration {
-    status = var.s3_bucket_versioning_status
-  }
-}
-
-# S3 Bucket - encryption configuration
-resource "aws_s3_bucket_server_side_encryption_configuration" "apisec_bucket_encryption_configuration" {
-  bucket = aws_s3_bucket.apisec_bucket.id
-
-  rule {
-    apply_server_side_encryption_by_default {
-      sse_algorithm = "AES256"
-    }
-  }
-}
-
-# S3 Bucket - lifecycle
-resource "aws_s3_bucket_lifecycle_configuration" "apisec_bucket_lifecycle" {
-  bucket = aws_s3_bucket.apisec_bucket.id
-
-  rule {
-    id     = "Transition-To-Intelligent-Tiering"
-    status = "Enabled"
-    # abort_incomplete_multipart_upload_days = 1 (not expected here)
-    transition {
-      days          = 0
-      storage_class = "INTELLIGENT_TIERING"
-    }
-  }
-  rule {
-    id     = "${var.s3_retention_period}-Days-Non-Current-Expiration"
-    status = "Enabled"
-    noncurrent_version_expiration {
-      noncurrent_days = var.s3_retention_period
-    }
-    expiration {
-      expired_object_delete_marker = true
-    }
-  }
-}
-
-# S3 Bucket - Block Public Access
-resource "aws_s3_bucket_public_access_block" "apisec_public_access_block" {
-  bucket                  = aws_s3_bucket.apisec_bucket.id
-  block_public_acls       = true
-  block_public_policy     = true
-  ignore_public_acls      = true
-  restrict_public_buckets = true
-}
-
-# S3 Bucket Policy - Deny Non-HTTPS only
-resource "aws_s3_bucket_policy" "apisec_permissive_access" {
-  bucket = aws_s3_bucket.apisec_bucket.id
-  policy = jsonencode({
-    "Version" : "2012-10-17",
-    "Statement" : [
-      {
-        "Sid" : "denyInsecureTransport",
-        "Effect" : "Deny",
-        "Principal" : "*",
-        "Action" : "s3:*",
-        "Resource" : [
-          "arn:aws:s3:::${aws_s3_bucket.apisec_bucket.id}/*",
-          "arn:aws:s3:::${aws_s3_bucket.apisec_bucket.id}"
-        ],
-        "Condition" : {
-          "Bool" : {
-            "aws:SecureTransport" : "false"
-          }
-        }
-      }
-    ]
-  })
-}
-
-# KICS-MATADATA BUCKET
-# S3 Bucket
-# tfsec:ignore:aws-s3-encryption-customer-key
-resource "aws_s3_bucket" "kics_metadata_bucket" {
-  bucket        = "kics-metadata-${lower(local.s3_bucket_name_suffix)}"
-  force_destroy = true
-
-  tags = {
-    Name        = "${var.deployment_id} kics metadata bucket"
-    Environment = "${var.deployment_id}"
-  }
-}
-
-# S3 Bucket - Ownership Control
-resource "aws_s3_bucket_ownership_controls" "kics_metadata_ownership_controls" {
-  bucket = aws_s3_bucket.kics_metadata_bucket.id
-  rule {
-    object_ownership = "BucketOwnerPreferred"
-  }
-}
-
-# S3 Bucket - acl
-resource "aws_s3_bucket_acl" "kics_metadata_bucket_acl" {
-  depends_on = [aws_s3_bucket_ownership_controls.kics_metadata_ownership_controls]
-
-  bucket = aws_s3_bucket.kics_metadata_bucket.id
-  acl    = "private"
-}
-
-# S3 Bucket - versioning
-resource "aws_s3_bucket_versioning" "kics_metadata_bucket_versioning" {
-  bucket = aws_s3_bucket.kics_metadata_bucket.id
-
-  versioning_configuration {
-    status = var.s3_bucket_versioning_status
-  }
-}
-
-# S3 Bucket - encryption configuration
-resource "aws_s3_bucket_server_side_encryption_configuration" "kics_metadata_bucket_encryption_configuration" {
-  bucket = aws_s3_bucket.kics_metadata_bucket.id
-
-  rule {
-    apply_server_side_encryption_by_default {
-      sse_algorithm = "AES256"
-    }
-  }
-}
-
-# S3 Bucket - lifecycle
-resource "aws_s3_bucket_lifecycle_configuration" "kics_metadata_bucket_lifecycle" {
-  bucket = aws_s3_bucket.kics_metadata_bucket.id
-
-  rule {
-    id     = "Transition-To-Intelligent-Tiering"
-    status = "Enabled"
-    # abort_incomplete_multipart_upload_days = 1 (not expected here)
-    transition {
-      days          = 0
-      storage_class = "INTELLIGENT_TIERING"
-    }
-  }
-  rule {
-    id     = "${var.s3_retention_period}-Days-Non-Current-Expiration"
-    status = "Enabled"
-    noncurrent_version_expiration {
-      noncurrent_days = var.s3_retention_period
-    }
-    expiration {
-      expired_object_delete_marker = true
-    }
-  }
-}
-
-# S3 Bucket - Block Public Access
-resource "aws_s3_bucket_public_access_block" "kics_metadata_public_access_block" {
-  bucket                  = aws_s3_bucket.kics_metadata_bucket.id
-  block_public_acls       = true
-  block_public_policy     = true
-  ignore_public_acls      = true
-  restrict_public_buckets = true
-}
-
-# S3 Bucket Policy - Deny Non-HTTPS only
-resource "aws_s3_bucket_policy" "kics_metadata_permissive_access" {
-  bucket = aws_s3_bucket.kics_metadata_bucket.id
-  policy = jsonencode({
-    "Version" : "2012-10-17",
-    "Statement" : [
-      {
-        "Sid" : "denyInsecureTransport",
-        "Effect" : "Deny",
-        "Principal" : "*",
-        "Action" : "s3:*",
-        "Resource" : [
-          "arn:aws:s3:::${aws_s3_bucket.kics_metadata_bucket.id}/*",
-          "arn:aws:s3:::${aws_s3_bucket.kics_metadata_bucket.id}"
-        ],
-        "Condition" : {
-          "Bool" : {
-            "aws:SecureTransport" : "false"
-          }
-        }
-      }
-    ]
-  })
-}
-
-# REDIS-SHARED-BUCKET
-# S3 Bucket
-# tfsec:ignore:aws-s3-encryption-customer-key
-resource "aws_s3_bucket" "redis_shared_bucket" {
-  bucket        = "redis-shared-bucket-${lower(local.s3_bucket_name_suffix)}"
-  force_destroy = false
-
-  tags = {
-    Name        = "${var.deployment_id} redis shared bucket"
-    Environment = "${var.deployment_id}"
-  }
-}
-
-# S3 Bucket - Ownership Control
-resource "aws_s3_bucket_ownership_controls" "redis_shared_bucket_ownership_controls" {
-  bucket = aws_s3_bucket.redis_shared_bucket.id
-  rule {
-    object_ownership = "BucketOwnerPreferred"
-  }
-}
-
-# S3 Bucket - acl
-resource "aws_s3_bucket_acl" "redis_shared_bucket_acl" {
-  depends_on = [aws_s3_bucket_ownership_controls.redis_shared_bucket_ownership_controls]
-
-  bucket = aws_s3_bucket.redis_shared_bucket.id
-  acl    = "private"
-}
-
-# S3 Bucket - versioning
-resource "aws_s3_bucket_versioning" "redis_shared_bucket_versioning" {
-  bucket = aws_s3_bucket.redis_shared_bucket.id
-
-  versioning_configuration {
-    status = var.s3_bucket_versioning_status
-  }
-}
-
-# S3 Bucket - encryption configuration
-resource "aws_s3_bucket_server_side_encryption_configuration" "redis_shared_bucket_encryption_configuration" {
-  bucket = aws_s3_bucket.redis_shared_bucket.id
-
-  rule {
-    apply_server_side_encryption_by_default {
-      sse_algorithm = "AES256"
-    }
-  }
-}
-
-# S3 Bucket - lifecycle
-resource "aws_s3_bucket_lifecycle_configuration" "redis_shared_bucket_lifecycle" {
-  bucket = aws_s3_bucket.redis_shared_bucket.id
-
-  rule {
-    id     = "Transition-To-Intelligent-Tiering"
-    status = "Enabled"
-    # abort_incomplete_multipart_upload_days = 1 (not expected here)
-    transition {
-      days          = 0
-      storage_class = "INTELLIGENT_TIERING"
-    }
-  }
-  rule {
-    id     = "${var.s3_retention_period}-Days-Non-Current-Expiration"
-    status = "Enabled"
-    noncurrent_version_expiration {
-      noncurrent_days = var.s3_retention_period
-    }
-    expiration {
-      expired_object_delete_marker = true
-    }
-  }
-}
-
-# S3 Bucket - Block Public Access
-resource "aws_s3_bucket_public_access_block" "redis_shared_bucket_public_access_block" {
-  bucket                  = aws_s3_bucket.redis_shared_bucket.id
-  block_public_acls       = true
-  block_public_policy     = true
-  ignore_public_acls      = true
-  restrict_public_buckets = true
-}
-
-# S3 Bucket Policy - Deny Non-HTTPS only
-resource "aws_s3_bucket_policy" "redis_shared_bucket_permissive_access" {
-  bucket = aws_s3_bucket.redis_shared_bucket.id
-  policy = jsonencode({
-    "Version" : "2012-10-17",
-    "Statement" : [
-      {
-        "Sid" : "denyInsecureTransport",
-        "Effect" : "Deny",
-        "Principal" : "*",
-        "Action" : "s3:*",
-        "Resource" : [
-          "arn:aws:s3:::${aws_s3_bucket.redis_shared_bucket.id}/*",
-          "arn:aws:s3:::${aws_s3_bucket.redis_shared_bucket.id}"
-        ],
-        "Condition" : {
-          "Bool" : {
-            "aws:SecureTransport" : "false"
-          }
-        }
-      }
-    ]
-  })
-}
-
-# SCAN-RESULTS-STORAGE
-# S3 Bucket
-# tfsec:ignore:aws-s3-encryption-customer-key
-resource "aws_s3_bucket" "scan_results_storage_bucket" {
-  bucket        = "scan-results-storage-${lower(local.s3_bucket_name_suffix)}"
-  force_destroy = false
-
-  tags = {
-    Name        = "${var.deployment_id} scan results storage bucket"
-    Environment = "${var.deployment_id}"
-  }
-}
-
-# S3 Bucket - Ownership Control
-resource "aws_s3_bucket_ownership_controls" "scan_results_storage_bucket_ownership_controls" {
-  bucket = aws_s3_bucket.scan_results_storage_bucket.id
-  rule {
-    object_ownership = "BucketOwnerPreferred"
-  }
-}
-
-# S3 Bucket - acl
-resource "aws_s3_bucket_acl" "scan_results_storage_bucket_acl" {
-  depends_on = [aws_s3_bucket_ownership_controls.scan_results_storage_bucket_ownership_controls]
-
-  bucket = aws_s3_bucket.scan_results_storage_bucket.id
-  acl    = "private"
-}
-
-# S3 Bucket - versioning
-resource "aws_s3_bucket_versioning" "scan_results_storage_bucket_versioning" {
-  bucket = aws_s3_bucket.scan_results_storage_bucket.id
-
-  versioning_configuration {
-    status = var.s3_bucket_versioning_status
-  }
-}
-
-# S3 Bucket - encryption configuration
-resource "aws_s3_bucket_server_side_encryption_configuration" "scan_results_storage_bucket_encryption_configuration" {
-  bucket = aws_s3_bucket.scan_results_storage_bucket.id
-
-  rule {
-    apply_server_side_encryption_by_default {
-      sse_algorithm = "AES256"
-    }
-  }
-}
-
-# S3 Bucket - lifecycle
-resource "aws_s3_bucket_lifecycle_configuration" "scan_results_storage_bucket_lifecycle" {
-  bucket = aws_s3_bucket.scan_results_storage_bucket.id
-
-  rule {
-    id     = "Transition-To-Intelligent-Tiering"
-    status = "Enabled"
-    # abort_incomplete_multipart_upload_days = 1 (not expected here)
-    transition {
-      days          = 0
-      storage_class = "INTELLIGENT_TIERING"
-    }
-  }
-  rule {
-    id     = "${var.s3_retention_period}-Days-Non-Current-Expiration"
-    status = "Enabled"
-    noncurrent_version_expiration {
-      noncurrent_days = var.s3_retention_period
-    }
-    expiration {
-      expired_object_delete_marker = true
-    }
-  }
-}
-
-# S3 Bucket - Block Public Access
-resource "aws_s3_bucket_public_access_block" "scan_results_storage_bucket_public_access_block" {
-  bucket                  = aws_s3_bucket.scan_results_storage_bucket.id
-  block_public_acls       = true
-  block_public_policy     = true
-  ignore_public_acls      = true
-  restrict_public_buckets = true
-}
-
-# S3 Bucket Policy - Deny Non-HTTPS only
-resource "aws_s3_bucket_policy" "scan_results_storage_bucket_permissive_access" {
-  bucket = aws_s3_bucket.scan_results_storage_bucket.id
-  policy = jsonencode({
-    "Version" : "2012-10-17",
-    "Statement" : [
-      {
-        "Sid" : "denyInsecureTransport",
-        "Effect" : "Deny",
-        "Principal" : "*",
-        "Action" : "s3:*",
-        "Resource" : [
-          "arn:aws:s3:::${aws_s3_bucket.scan_results_storage_bucket.id}/*",
-          "arn:aws:s3:::${aws_s3_bucket.scan_results_storage_bucket.id}"
-        ],
-        "Condition" : {
-          "Bool" : {
-            "aws:SecureTransport" : "false"
-          }
-        }
-      }
-    ]
-  })
-}
-
-# Policy to Allow Minio Nodegroup to aceess the S3 Buckets
-resource "aws_iam_policy" "ast_s3_buckets_policy" {
-  name = "${local.deployment_id}-eks-ng-minio-gateway-S3-${random_string.random_suffix.result}"
-  policy = jsonencode({
-    "Version" : "2012-10-17",
-    "Statement" : [
-      {
-        "Action" : [
-          "s3:*"
-        ],
-        "Effect" : "Allow",
-        "Resource" : [
-          "arn:aws:s3:::*${lower(local.s3_bucket_name_suffix)}",
-          "arn:aws:s3:::*${lower(local.s3_bucket_name_suffix)}/*"
-        ]
-      }
-    ]
-  })
-}
-
-resource "aws_iam_role_policy_attachment" "ast_s3_buckets_policy_attachment" {
-  role       = module.minio_gateway_nodes.iam_role_name
-  policy_arn = aws_iam_policy.ast_s3_buckets_policy.arn
-}
\ No newline at end of file
diff --git a/infrastructure/s3_backend_configuration.conf b/infrastructure/s3_backend_configuration.conf
deleted file mode 100644
index b5dc95a..0000000
--- a/infrastructure/s3_backend_configuration.conf
+++ /dev/null
@@ -1,3 +0,0 @@
-bucket=""
-region=""
-key=""
\ No newline at end of file
diff --git a/infrastructure/secrets.tfvars b/infrastructure/secrets.tfvars
deleted file mode 100644
index 4f85ea1..0000000
--- a/infrastructure/secrets.tfvars
+++ /dev/null
@@ -1,5 +0,0 @@
-database_username = ""
-database_password = ""
-database_name     = ""
-
-redis_auth_token  = ""
\ No newline at end of file
diff --git a/infrastructure/security_groups.tf b/infrastructure/security_groups.tf
deleted file mode 100644
index 3924877..0000000
--- a/infrastructure/security_groups.tf
+++ /dev/null
@@ -1,46 +0,0 @@
-# TODO - create one for Postgres and one For Redis instead of all to all
-module "internal_security_group" {
-  source  = "terraform-aws-modules/security-group/aws"
-  version = "4.8.0"
-
-  name        = "internal-${local.deployment_id}-sg"
-  description = "Internal security group for AST deployment called ${local.deployment_id}."
-  vpc_id      = local.vpc_id
-
-  ingress_cidr_blocks = [
-  module.vpc.vpc_cidr_block]
-  ingress_rules = [
-  "all-all"]
-  egress_rules = [
-  "all-all"]
-
-  create = var.sig.create
-}
-
-module "external_security_group" {
-  source  = "terraform-aws-modules/security-group/aws"
-  version = "4.8.0"
-
-  name        = "external-${local.deployment_id}-sg"
-  description = "External Security group for AST deployment called ${local.deployment_id}."
-  vpc_id      = local.vpc_id
-
-  ingress_cidr_blocks = [
-  "0.0.0.0/0"]
-  ingress_rules = [
-    "http-80-tcp",
-    "https-443-tcp",
-    "kubernetes-api-tcp",
-    "ssh-tcp",
-  "all-icmp"]
-  egress_rules = [
-  "all-all"]
-
-  create = var.sig.create
-}
-
-
-
-locals {
-  sig_k8s_to_dbs_id = var.sig.create == true ? module.internal_security_group.security_group_id : var.sig.existing_sig_k8s_to_dbs_id
-}
\ No newline at end of file
diff --git a/infrastructure/state.tf b/infrastructure/state.tf
deleted file mode 100644
index f5c6d7c..0000000
--- a/infrastructure/state.tf
+++ /dev/null
@@ -1,6 +0,0 @@
-
-terraform {
-  backend "s3" {
-    encrypt = true
-  }
-}
\ No newline at end of file
diff --git a/infrastructure/variables.tf b/infrastructure/variables.tf
deleted file mode 100644
index 87683a8..0000000
--- a/infrastructure/variables.tf
+++ /dev/null
@@ -1,693 +0,0 @@
-# PROVIDERS
-# AWS
-variable "aws_region" {
-  type        = string
-  description = "AWS region to use"
-}
-variable "aws_profile" {
-  description = "The aws profile used to run terraform."
-  type        = string
-  nullable    = false
-
-  validation {
-    condition     = (length(var.aws_profile) > 2)
-    error_message = "Must have at least 3 characters length."
-  }
-}
-
-# METADATA VARIABLES
-variable "deployment_id" {
-  description = "the id of the deployment. It's goint to be the EKS cluster name"
-  type        = string
-  nullable    = false
-  validation {
-    condition     = (length(var.deployment_id) > 0)
-    error_message = "The deployment_id is required."
-  }
-}
-
-#EKS
-variable "environment" {
-  description = "the name of the environment. for example: production / dev / stanging/ QA and etc."
-  type        = string
-  validation {
-    condition     = (length(var.environment) > 0)
-    error_message = "The environment variable is required."
-  }
-  nullable = false
-}
-
-variable "owner" {
-  description = "the name of the deployment owner. for example: ast-team"
-  type        = string
-  validation {
-    condition     = (length(var.owner) > 0)
-    error_message = "The owner variable is required."
-  }
-  nullable = false
-}
-
-variable "eks_cluster_version" {
-  description = "EKS Kubernetes version to be used"
-  type        = string
-  default     = "1.24"
-  nullable    = false
-}
-
-# S3
-variable "s3_retention_period" {
-  description = "S3 Retention Period"
-  type        = string
-  default     = "90"
-}
-
-# NODEGROUPS
-variable "ast_nodes" {
-  type = object({
-    instance_types  = list(string)
-    min_size        = number
-    desired_size    = number
-    max_size        = number
-    capacity_type   = string
-    disk_size_gib   = number
-    disk_iops       = number
-    disk_throughput = number
-    device_name     = string
-    volume_type     = string
-    name            = string
-  })
-  default = {
-    name            = "ast"
-    min_size        = 3
-    desired_size    = 3
-    max_size        = 10
-    instance_types  = ["c5.2xlarge"]
-    disk_size_gib   = 50
-    disk_iops       = 3000 # this should be the default
-    disk_throughput = 125  # this should be the default
-    capacity_type   = "ON_DEMAND"
-    device_name     = "/dev/xvda"
-    volume_type     = "gp3"
-  }
-  validation {
-    condition     = var.ast_nodes.desired_size >= 1
-    error_message = "You must have at least 1 instance in this node group."
-  }
-  validation {
-    condition     = var.ast_nodes.disk_size_gib >= 20
-    error_message = "You must provide at least 20 GiB per node."
-  }
-
-  validation {
-    condition     = alltrue([var.ast_nodes.disk_iops >= 3000, var.ast_nodes.disk_iops <= 16000])
-    error_message = "You must provide a value between 3000 and 16000."
-  }
-
-  validation {
-    condition     = alltrue([var.ast_nodes.disk_throughput >= 125, var.ast_nodes.disk_throughput <= 1000])
-    error_message = "You must provide a value between 125 and 1000."
-  }
-  description = "Configuration for the AST nodes"
-}
-
-variable "sast_nodes" {
-  type = object({
-    instance_types  = list(string)
-    min_size        = number
-    desired_size    = number
-    max_size        = number
-    capacity_type   = string
-    disk_size_gib   = number
-    disk_iops       = number
-    disk_throughput = number
-    device_name     = string
-    volume_type     = string
-    key             = string
-    value           = string
-    effect          = string
-    name            = string
-    label_name      = string
-    label_value     = string
-  })
-
-  default = {
-    name            = "sast-eng"
-    min_size        = 1
-    desired_size    = 1
-    max_size        = 100
-    instance_types  = ["c6i.2xlarge"]
-    disk_size_gib   = 50
-    disk_iops       = 3000 # this should be the default
-    disk_throughput = 125  # this should be the default
-    capacity_type   = "ON_DEMAND"
-    device_name     = "/dev/xvda"
-    volume_type     = "gp3"
-    key             = "sast-engine"
-    value           = "true"
-    effect          = "NO_SCHEDULE"
-    label_name      = "sast-engine"
-    label_value     = "true"
-  }
-  validation {
-    condition     = var.sast_nodes.disk_size_gib >= 8
-    error_message = "You must provide at least 8 GiB per node."
-  }
-  validation {
-    condition     = alltrue([var.sast_nodes.disk_iops >= 3000, var.sast_nodes.disk_iops <= 16000])
-    error_message = "You must provide a value between 3000 and 16000."
-  }
-
-  validation {
-    condition     = alltrue([var.sast_nodes.disk_throughput >= 125, var.sast_nodes.disk_throughput <= 1000])
-    error_message = "You must provide a value between 125 and 1000."
-  }
-  description = "Configuration for the SAST nodes"
-}
-
-# -------------------
-
-variable "sast_nodes_medium" {
-  type = object({
-    instance_types  = list(string)
-    min_size        = number
-    desired_size    = number
-    max_size        = number
-    capacity_type   = string
-    disk_size_gib   = number
-    disk_iops       = number
-    disk_throughput = number
-    device_name     = string
-    volume_type     = string
-    key             = string
-    value           = string
-    effect          = string
-    name            = string
-    label_name      = string
-    label_value     = string
-  })
-
-  default = {
-    name            = "sast-eng-m"
-    min_size        = 0
-    desired_size    = 0
-    max_size        = 100
-    instance_types  = ["m5.2xlarge"]
-    disk_size_gib   = 50
-    disk_iops       = 3000 # this should be the default
-    disk_throughput = 125  # this should be the default
-    capacity_type   = "ON_DEMAND"
-    device_name     = "/dev/xvda"
-    volume_type     = "gp3"
-    key             = "sast-engine-medium"
-    value           = "true"
-    effect          = "NO_SCHEDULE"
-    label_name      = "sast-engine-medium"
-    label_value     = "true"
-  }
-  validation {
-    condition     = var.sast_nodes_medium.disk_size_gib >= 8
-    error_message = "You must provide at least 8 GiB per node."
-  }
-  validation {
-    condition     = alltrue([var.sast_nodes_medium.disk_iops >= 3000, var.sast_nodes_medium.disk_iops <= 16000])
-    error_message = "You must provide a value between 3000 and 16000."
-  }
-
-  validation {
-    condition     = alltrue([var.sast_nodes_medium.disk_throughput >= 125, var.sast_nodes_medium.disk_throughput <= 1000])
-    error_message = "You must provide a value between 125 and 1000."
-  }
-  description = "Configuration for the SAST nodes"
-}
-
-# -------------------
-
-variable "sast_nodes_large" {
-  type = object({
-    instance_types  = list(string)
-    min_size        = number
-    desired_size    = number
-    max_size        = number
-    capacity_type   = string
-    disk_size_gib   = number
-    disk_iops       = number
-    disk_throughput = number
-    device_name     = string
-    volume_type     = string
-    key             = string
-    value           = string
-    effect          = string
-    name            = string
-    label_name      = string
-    label_value     = string
-  })
-
-  default = {
-    name            = "sast-eng-l"
-    min_size        = 0
-    desired_size    = 0
-    max_size        = 300
-    instance_types  = ["r6i.xlarge"]
-    disk_size_gib   = 50
-    disk_iops       = 3000 # this should be the default
-    disk_throughput = 125  # this should be the default
-    capacity_type   = "ON_DEMAND"
-    device_name     = "/dev/xvda"
-    volume_type     = "gp3"
-    key             = "sast-engine-large"
-    value           = "true"
-    effect          = "NO_SCHEDULE"
-    label_name      = "sast-engine-large"
-    label_value     = "true"
-  }
-  validation {
-    condition     = var.sast_nodes_large.disk_size_gib >= 8
-    error_message = "You must provide at least 8 GiB per node."
-  }
-  validation {
-    condition     = alltrue([var.sast_nodes_large.disk_iops >= 3000, var.sast_nodes_large.disk_iops <= 16000])
-    error_message = "You must provide a value between 3000 and 16000."
-  }
-
-  validation {
-    condition     = alltrue([var.sast_nodes_large.disk_throughput >= 125, var.sast_nodes_large.disk_throughput <= 1000])
-    error_message = "You must provide a value between 125 and 1000."
-  }
-  description = "Configuration for the SAST nodes"
-}
-
-variable "sast_nodes_extra_large" {
-  type = object({
-    instance_types  = list(string)
-    min_size        = number
-    desired_size    = number
-    max_size        = number
-    capacity_type   = string
-    disk_size_gib   = number
-    disk_iops       = number
-    disk_throughput = number
-    device_name     = string
-    volume_type     = string
-    key             = string
-    value           = string
-    effect          = string
-    name            = string
-    label_name      = string
-    label_value     = string
-  })
-
-  default = {
-    name            = "sast-eng-xl"
-    min_size        = 0
-    desired_size    = 0
-    max_size        = 100
-    instance_types  = ["r6i.2xlarge"]
-    disk_size_gib   = 50
-    disk_iops       = 3000 # this should be the default
-    disk_throughput = 125  # this should be the default
-    capacity_type   = "ON_DEMAND"
-    device_name     = "/dev/xvda"
-    volume_type     = "gp3"
-    key             = "sast-engine-extra-large"
-    value           = "true"
-    effect          = "NO_SCHEDULE"
-    label_name      = "sast-engine-extra-large"
-    label_value     = "true"
-  }
-  validation {
-    condition     = var.sast_nodes_extra_large.disk_size_gib >= 8
-    error_message = "You must provide at least 8 GiB per node."
-  }
-  validation {
-    condition     = alltrue([var.sast_nodes_extra_large.disk_iops >= 3000, var.sast_nodes_extra_large.disk_iops <= 16000])
-    error_message = "You must provide a value between 3000 and 16000."
-  }
-
-  validation {
-    condition     = alltrue([var.sast_nodes_extra_large.disk_throughput >= 125, var.sast_nodes_extra_large.disk_throughput <= 1000])
-    error_message = "You must provide a value between 125 and 1000."
-  }
-  description = "Configuration for the SAST nodes"
-}
-
-variable "sast_nodes_xxl" {
-  type = object({
-    instance_types  = list(string)
-    min_size        = number
-    desired_size    = number
-    max_size        = number
-    capacity_type   = string
-    disk_size_gib   = number
-    disk_iops       = number
-    disk_throughput = number
-    device_name     = string
-    volume_type     = string
-    key             = string
-    value           = string
-    effect          = string
-    name            = string
-    label_name      = string
-    label_value     = string
-  })
-
-  default = {
-    name            = "sast-eng-xxl"
-    min_size        = 0
-    desired_size    = 0
-    max_size        = 50
-    instance_types  = ["r6i.4xlarge"]
-    disk_size_gib   = 50
-    disk_iops       = 3000 # this should be the default
-    disk_throughput = 125  # this should be the default
-    capacity_type   = "ON_DEMAND"
-    device_name     = "/dev/xvda"
-    volume_type     = "gp3"
-    key             = "sast-engine-xxl"
-    value           = "true"
-    effect          = "NO_SCHEDULE"
-    label_name      = "sast-engine-xxl"
-    label_value     = "true"
-  }
-  validation {
-    condition     = var.sast_nodes_xxl.disk_size_gib >= 8
-    error_message = "You must provide at least 8 GiB per node."
-  }
-  validation {
-    condition     = alltrue([var.sast_nodes_xxl.disk_iops >= 3000, var.sast_nodes_xxl.disk_iops <= 16000])
-    error_message = "You must provide a value between 3000 and 16000."
-  }
-
-  validation {
-    condition     = alltrue([var.sast_nodes_xxl.disk_throughput >= 125, var.sast_nodes_xxl.disk_throughput <= 1000])
-    error_message = "You must provide a value between 125 and 1000."
-  }
-  description = "Configuration for the SAST nodes"
-}
-
-variable "kics_nodes" {
-  type = object({
-    name            = string
-    instance_types  = list(string)
-    min_size        = number
-    desired_size    = number
-    max_size        = number
-    capacity_type   = string
-    disk_size_gib   = number
-    disk_iops       = number
-    disk_throughput = number
-    device_name     = string
-    volume_type     = string
-    key             = string
-    value           = string
-    effect          = string
-    label_name      = string
-    label_value     = string
-  })
-
-  default = {
-    name            = "kics"
-    min_size        = 1
-    desired_size    = 1
-    max_size        = 10
-    instance_types  = ["c5.2xlarge"]
-    disk_size_gib   = 50
-    disk_iops       = 3000 # this should be the default
-    disk_throughput = 125  # this should be the default
-    capacity_type   = "ON_DEMAND"
-    device_name     = "/dev/xvda"
-    volume_type     = "gp3"
-    key             = "kics-engine"
-    value           = "true"
-    effect          = "NO_SCHEDULE"
-    label_name      = "kics-engine"
-    label_value     = "true"
-  }
-  validation {
-    condition     = var.kics_nodes.disk_size_gib >= 8
-    error_message = "You must provide at least 8 GiB per node."
-  }
-  validation {
-    condition     = alltrue([var.kics_nodes.disk_iops >= 3000, var.kics_nodes.disk_iops <= 16000])
-    error_message = "You must provide a value between 3000 and 16000."
-  }
-
-  validation {
-    condition     = alltrue([var.kics_nodes.disk_throughput >= 125, var.kics_nodes.disk_throughput <= 1000])
-    error_message = "You must provide a value between 125 and 1000."
-  }
-  description = "Configuration for the SAST nodes"
-}
-
-# MINIO
-variable "minio_gateway_nodes" {
-  type = object({
-    name            = string
-    instance_types  = list(string)
-    min_size        = number
-    desired_size    = number
-    max_size        = number
-    capacity_type   = string
-    disk_size_gib   = number
-    disk_iops       = number
-    disk_throughput = number
-    device_name     = string
-    volume_type     = string
-    key             = string
-    value           = string
-    effect          = string
-    label_name      = string
-    label_value     = string
-  })
-
-  default = {
-    name            = "minio-gateway"
-    min_size        = 1
-    desired_size    = 1
-    max_size        = 10
-    instance_types  = ["c6i.2xlarge"]
-    disk_size_gib   = 50
-    disk_iops       = 3000 # this should be the default
-    disk_throughput = 125  # this should be the default
-    capacity_type   = "ON_DEMAND"
-    device_name     = "/dev/xvda"
-    volume_type     = "gp3"
-    key             = "minio-gateway"
-    value           = "true"
-    effect          = "NO_SCHEDULE"
-    label_name      = "minio-gateway"
-    label_value     = "true"
-  }
-  validation {
-    condition     = var.minio_gateway_nodes.disk_size_gib >= 8
-    error_message = "You must provide at least 8 GiB per node."
-  }
-  validation {
-    condition     = alltrue([var.minio_gateway_nodes.disk_iops >= 3000, var.minio_gateway_nodes.disk_iops <= 16000])
-    error_message = "You must provide a value between 3000 and 16000."
-  }
-
-  validation {
-    condition     = alltrue([var.minio_gateway_nodes.disk_throughput >= 125, var.minio_gateway_nodes.disk_throughput <= 1000])
-    error_message = "You must provide a value between 125 and 1000."
-  }
-  description = "Configuration for the Minio Gateway nodes"
-}
-
-# REPOSTORE
-variable "repostore_nodes" {
-  type = object({
-    name            = string
-    instance_types  = list(string)
-    min_size        = number
-    desired_size    = number
-    max_size        = number
-    capacity_type   = string
-    disk_size_gib   = number
-    disk_iops       = number
-    disk_throughput = number
-    device_name     = string
-    volume_type     = string
-    key             = string
-    value           = string
-    effect          = string
-    label_name      = string
-    label_value     = string
-  })
-
-  default = {
-    name            = "repostore"
-    min_size        = 1
-    desired_size    = 1
-    max_size        = 10
-    instance_types  = ["c5.2xlarge"]
-    disk_size_gib   = 50
-    disk_iops       = 3000 # this should be the default
-    disk_throughput = 125  # this should be the default
-    capacity_type   = "ON_DEMAND"
-    device_name     = "/dev/xvda"
-    volume_type     = "gp3"
-    key             = "repostore"
-    value           = "true"
-    effect          = "NO_SCHEDULE"
-    label_name      = "repostore"
-    label_value     = "true"
-  }
-  validation {
-    condition     = var.repostore_nodes.disk_size_gib >= 8
-    error_message = "You must provide at least 8 GiB per node."
-  }
-  validation {
-    condition     = alltrue([var.repostore_nodes.disk_iops >= 3000, var.repostore_nodes.disk_iops <= 16000])
-    error_message = "You must provide a value between 3000 and 16000."
-  }
-
-  validation {
-    condition     = alltrue([var.repostore_nodes.disk_throughput >= 125, var.repostore_nodes.disk_throughput <= 1000])
-    error_message = "You must provide a value between 125 and 1000."
-  }
-  description = "Configuration for the Minio Gateway nodes"
-}
-
-#RDS
-variable "database_name" {
-  type = string
-  validation {
-    condition     = can(regex("^(?:[a-z]|[a-z][a-z0-9]+)$", var.database_name))
-    error_message = "The database_name is not valid."
-  }
-  sensitive   = true
-  description = "Name of the database"
-}
-
-variable "database_username" {
-  type = string
-  validation {
-    condition     = var.database_username != ""
-    error_message = "The database_username is not valid."
-  }
-  sensitive   = true
-  description = "Username of the database"
-}
-
-variable "database_password" {
-  type = string
-  validation {
-    condition     = var.database_password != ""
-    error_message = "The database_password is not valid."
-  }
-  sensitive   = true
-  description = "Password of the database"
-}
-
-variable "postgres_nodes" {
-  type = object({
-    create              = bool
-    auto_scaling_enable = bool
-    instance_type       = string
-    count               = number
-    max_count           = number
-  })
-  validation {
-    condition     = (var.postgres_nodes.create == false) || (var.postgres_nodes.create == true && var.postgres_nodes.instance_type != "" && var.postgres_nodes.count > 0)
-    error_message = "The field instance_type cannot be empty and the number of db nodes must be greater than zero."
-  }
-  description = "Configuration for the Aurora Postgres DB nodes"
-}
-
-# REDIS
-variable "redis_auth_token" {
-  type        = string
-  sensitive   = true
-  description = "Auth token for Elasticache Redis DB"
-  default     = ""
-}
-
-variable "redis_nodes" {
-  type = object({
-    create             = bool
-    instance_type      = string
-    replicas_per_shard = number
-    number_of_shards   = number
-  })
-  validation {
-    condition     = (var.redis_nodes.create == false) || (var.redis_nodes.create == true && var.redis_nodes.instance_type != "" && var.redis_nodes.number_of_shards > 0)
-    error_message = "The field instance_type cannot be empty and the number of db shards must be greater than zero."
-  }
-  description = "Configuration for the Elasticache Redis DB nodes"
-}
-
-# VPC
-variable "vpc" {
-  type = object({
-    create                    = bool
-    nat_per_az                = bool
-    single_nat                = bool
-    existing_vpc_id           = string
-    existing_subnet_ids       = list(string)
-    existing_db_subnets_group = string
-    existing_db_subnets       = list(string)
-  })
-  validation {
-    condition     = (var.vpc.create == true) || ((length(var.vpc.existing_subnet_ids) > 0) && (length(var.vpc.existing_vpc_id) > 0) && var.vpc.existing_db_subnets_group != "" && (length(var.vpc.existing_db_subnets) > 0))
-    error_message = "You must create a VPC or provide existing VPC information."
-  }
-  description = "Configuration for the VPC. If you want to use your own VPC you must follow AWS instructions for VPC-EKS"
-}
-
-variable "vpc_cidr" {
-  description = "the main cidr of the vpc"
-  type        = string
-  default     = "10.1.0.0/16"
-  validation {
-    condition     = can(regex("^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/([0-9]|[1-2][0-9]|3[0-2]))?$", var.vpc_cidr))
-    error_message = "Valid cidr is required. The subnet masking must be /21 ."
-  }
-  nullable = false
-}
-
-# Security groups
-variable "sig" {
-  type = object({
-    create                     = bool
-    existing_sig_k8s_to_dbs_id = string
-  })
-  validation {
-    condition     = (var.sig.create == true) || ((length(var.sig.existing_sig_k8s_to_dbs_id) > 0))
-    error_message = "You must create a Security groups or provide existing VPC information."
-  }
-  description = "Configuration for the Security groups."
-}
-
-# IAM-ROLE
-variable "iam_role" {
-  type = object({
-    cloudops_arn = bool
-    customer_arn = string
-  })
-  description = "CloudOps and Customer iam role"
-  validation {
-    condition     = (var.iam_role.cloudops_arn == true && length(var.iam_role.customer_arn) == 0) || (var.iam_role.cloudops_arn == false && length(var.iam_role.customer_arn) > 0 && can(regex("^arn:aws:iam::[[:digit:]]{12}:role/.+", var.iam_role.customer_arn)))
-    error_message = "Error: If cloudops_iam_role is true then customer_iam_role_arn must be an empty string. If cloudops_iam_role is false then customer_iam_role_arn must be a valid role arn string."
-  }
-}
-
-# KMS
-variable "kms" {
-  type = object({
-    create           = bool
-    existing_kms_arn = string
-  })
-  validation {
-    condition     = (var.kms.create == true) || (length(var.kms.existing_kms_arn) > 0)
-    error_message = "You must create a KMS or provide existing KMS."
-  }
-  description = "Configuration for the KMS."
-}
-
-
-# S3
-variable "s3_bucket_versioning_status" {
-  type        = string
-  description = "S3 Bucket versioning Status"
-  default     = "Disabled"
-}
\ No newline at end of file
diff --git a/infrastructure/versions.tf b/infrastructure/versions.tf
deleted file mode 100644
index cdcdc35..0000000
--- a/infrastructure/versions.tf
+++ /dev/null
@@ -1,9 +0,0 @@
-terraform {
-  required_version = ">= 1.1.0"
-  required_providers {
-    aws = {
-      source  = "hashicorp/aws"
-      version = "4.49.0"
-    }
-  }
-}
\ No newline at end of file
diff --git a/infrastructure/vpc.tf b/infrastructure/vpc.tf
deleted file mode 100644
index 6e8ab57..0000000
--- a/infrastructure/vpc.tf
+++ /dev/null
@@ -1,56 +0,0 @@
-module "vpc" {
-  create_vpc = var.vpc.create
-
-  source  = "terraform-aws-modules/vpc/aws"
-  version = "3.12.0"
-
-  name = local.deployment_id
-  cidr = var.vpc_cidr
-
-  azs = ["${var.aws_region}a", "${var.aws_region}b", "${var.aws_region}c"]
-
-
-  private_subnets  = local.private_subnets
-  public_subnets   = local.public_subnets
-  database_subnets = local.database_subnets
-
-  enable_nat_gateway     = true
-  single_nat_gateway     = var.vpc.single_nat
-  one_nat_gateway_per_az = var.vpc.nat_per_az
-
-  enable_dns_hostnames = true
-  enable_dns_support   = true
-
-  public_subnet_tags = {
-    "kubernetes.io/cluster/${local.deployment_id}" = "shared"
-    "kubernetes.io/role/elb"                       = "1"
-  }
-
-  private_subnet_tags = {
-    "kubernetes.io/cluster/${local.deployment_id}" = "shared"
-    "kubernetes.io/role/internal-elb"              = "1"
-  }
-
-  enable_flow_log                      = true
-  create_flow_log_cloudwatch_iam_role  = true
-  create_flow_log_cloudwatch_log_group = true
-
-}
-
-locals {
-  vpc_id          = var.vpc.create == true ? module.vpc.vpc_id : var.vpc.existing_vpc_id
-  subnets         = var.vpc.create == true ? module.vpc.private_subnets : var.vpc.existing_subnet_ids
-  db_subnets      = var.vpc.create == true ? module.vpc.database_subnets : var.vpc.existing_db_subnets
-  db_subnet_group = var.vpc.create == true ? module.vpc.database_subnet_group_name : var.vpc.existing_db_subnets_group
-}
-
-# VPC S3 Gateway Endpoints
-resource "aws_vpc_endpoint" "s3_gateway_private" {
-  vpc_endpoint_type = "Gateway"
-  service_name      = "com.amazonaws.${var.aws_region}.s3"
-  vpc_id            = local.vpc_id
-  route_table_ids   = module.vpc.private_route_table_ids
-  tags = {
-    Name = "${var.deployment_id}-s3-gateway-private"
-  }
-}
\ No newline at end of file
diff --git a/kubernetes-config/.terraform.lock.hcl b/kubernetes-config/.terraform.lock.hcl
deleted file mode 100644
index 1e1efa5..0000000
--- a/kubernetes-config/.terraform.lock.hcl
+++ /dev/null
@@ -1,65 +0,0 @@
-# This file is maintained automatically by "terraform init".
-# Manual edits may be lost in future updates.
-
-provider "registry.terraform.io/hashicorp/aws" {
-  version     = "4.49.0"
-  constraints = ">= 3.0.0, >= 4.0.0, 4.49.0"
-  hashes = [
-    "h1:1vbzsJ8TBjjotPQKWZQUrX2AII8+te1ih4bYJYD2VS4=",
-    "zh:09803937f00fdf2873eccf685eec7854408925cbf183c9b683df7c5825be463f",
-    "zh:2af1575e538fb0b669266f8d1385b17bfdaf17c521b6b6329baa1f2971fc4a4d",
-    "zh:3f71882b438cde3108fe68cfe2637839d3eed08157a9721bd97babf3912247a8",
-    "zh:577af1b38f5da8a9f29eebe5eebec9279d26e757cd03b0c8c59311f9ce8a859b",
-    "zh:60160d39094973beefb9b10cfd6aaa5b63a2e68c32445ecffcd1b101356e6f9b",
-    "zh:762656454722548baeccf35cbaa23b887976337e1ed321682df7390419fdf22d",
-    "zh:7f6d7887821659bf3bef815949077dc91ffcdb0d911644a887b6683b264a5ca6",
-    "zh:8f16a352cc903f8951fa4619c36233b3e66e27d724817b131f2035dd8896f524",
-    "zh:8f768f65e370366c8b91c00d01c9a6264fe26ea9ae1819f14bdcd12c066272bc",
-    "zh:95ad78c689a83c08ef7c3e544c3c9aca93ed528054aa77cc968ddd9efa3a1023",
-    "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425",
-    "zh:a47097ab6a4ca8302da82964303ffdd2310ed65e8f8524bfe4058816cf1addb7",
-    "zh:b66d820c70cd5fd628ffe882d2b97e76b969dca4e6827ac2ba0f8d3bc5d6e9c6",
-    "zh:b80f713a4f3e1355c3dd1600e9d08b9f15ed2370054ec792ad2c01f2541abe02",
-    "zh:ce065bc3962cb71fa7652562226b9d486f3d7fcb88285c1020ebe2f550e28641",
-  ]
-}
-
-provider "registry.terraform.io/hashicorp/helm" {
-  version     = "2.6.0"
-  constraints = "2.6.0"
-  hashes = [
-    "h1:i+fbwv8Vk8n5kQc+spEtzvCNF4yo2exzSAZhL0ipFuo=",
-    "zh:0ac248c28acc1a4fd11bd26a85e48ab78dd6abf0f7ac842bf1cd7edd05ac6cf8",
-    "zh:3d32c8deae3740d8c5310136cc11c8afeffc350fbf88afaca0c34a223a5246f5",
-    "zh:4055a27489733d19ca7fa2dfce14d323fe99ae9dede7d0fea21ee6db0b9ca74b",
-    "zh:58a8ed39653fd4c874a2ecb128eccfa24c94266a00e349fd7fb13e22ad81f381",
-    "zh:6c81508044913f25083de132d0ff81d083732aba07c506cc2db05aa0cefcde2c",
-    "zh:7db5d18093047bfc4fe597f79610c0a281b21db0d61b0bacb3800585e976f814",
-    "zh:8269207b7422db99e7be80a5352d111966c3dfc7eb98511f11c8ff7b2e813456",
-    "zh:b1d7ababfb2374e72532308ff442cc906b79256b66b3fe7a98d42c68c4ddf9c5",
-    "zh:ca63e226cbdc964a5d63ef21189f059ce45c3fa4a5e972204d6916a9177d2b44",
-    "zh:d205a72d60e8cc362943d66f5bcdd6b6aaaa9aab2b89fd83bf6f1978ac0b1e4c",
-    "zh:db47dc579a0e68e5bfe3a61f2e950e6e2af82b1f388d1069de014a937962b56a",
-    "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
-  ]
-}
-
-provider "registry.terraform.io/hashicorp/kubernetes" {
-  version     = "2.16.1"
-  constraints = "2.16.1"
-  hashes = [
-    "h1:kO/d+ZMZYM2tNMMFHZqBmVR0MeemoGnI2G2NSN92CrU=",
-    "zh:06224975f5910d41e73b35a4d5079861da2c24f9353e3ebb015fbb3b3b996b1c",
-    "zh:2bc400a8d9fe7755cca27c2551564a9e2609cfadc77f526ef855114ee02d446f",
-    "zh:3a479014187af1d0aec3a1d3d9c09551b801956fe6dd29af1186dec86712731b",
-    "zh:73fb0a69f1abdb02858b6589f7fab6d989a0f422f7ad95ed662aaa84872d3473",
-    "zh:a33852cd382cbc8e06d3f6c018b468ad809d24d912d64722e037aed1f9bf39db",
-    "zh:b533ff2214dca90296b1d22eace7eaa7e3efe5a7ae9da66a112094abc932db4f",
-    "zh:ddf74d8bb1aeb01dc2c36ef40e2b283d32b2a96db73f6daaf179fa2f10949c80",
-    "zh:e720f3a15d34e795fa9ff90bc755e838ebb4aef894aa2a423fb16dfa6d6b0667",
-    "zh:e789ae70a658800cb0a19ef7e4e9b26b5a38a92b43d1f41d64fc8bb46539cefb",
-    "zh:e8aed7dc0bd8f843d607dee5f72640dbef6835a8b1c6ea12cea5b4ec53e463f7",
-    "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
-    "zh:fb3ac4f43c8b0dfc0b0103dd0f062ea72b3a34518d4c8808e3a44c9a3dd5f024",
-  ]
-}
diff --git a/kubernetes-config/Makefile b/kubernetes-config/Makefile
deleted file mode 100644
index 5d0cdd3..0000000
--- a/kubernetes-config/Makefile
+++ /dev/null
@@ -1,8 +0,0 @@
-init:
-	terraform init -backend-config=s3_backend_configuration.conf
-plan:
-	terraform plan -var-file="example.auto.tfvars"
-apply:
-	terraform apply -var-file="example.auto.tfvars"
-destroy:
-	terraform destroy -var-file="example.auto.tfvars"
diff --git a/kubernetes-config/eks_sigs.tf b/kubernetes-config/eks_sigs.tf
deleted file mode 100644
index 2ad761a..0000000
--- a/kubernetes-config/eks_sigs.tf
+++ /dev/null
@@ -1,398 +0,0 @@
-## AWS LOAD BALANCER CONTROLLER
-# AWS IAM POLICY FOR AWS LOAD BALANCER CONTROLLER
-resource "aws_iam_policy" "aws_load_balancer_controller" {
-  name          = "${local.deployment_id}-eks-aws-load-balancer-controller-${var.aws_region}"
-  description   = "EKS Cluster AWS Load Balancer Controller Policy for ${local.deployment_id}"
-  policy        = file("iam/aws-load-balancer-controller.json")
-}
-# AWS IAM ROLE FOR AWS LOAD BALANCER CONTROLLER
-module "load_balancer_controller_irsa" {
-  source              = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
-  version             = "4.13.1"
-
-  role_name           = "load_balancer_controller-${var.deployment_id}"
-  role_description    = "IRSA role for cluster load balancer controller"
-
-  # setting to false because we don't want to rely on exeternal policies
-  attach_load_balancer_controller_policy = false
-  oidc_providers = {
-    main = {
-      provider_arn                = data.terraform_remote_state.infra.outputs.oidc_provider_arn
-      namespace_service_accounts = ["kube-system:aws-load-balancer-controller"]
-    }
-  }
-}
-# ATTACHE POLICY FOR AWS AIM ROLE FOR AWS LOAD BALANCER CONTROLLER
-resource "aws_iam_role_policy_attachment" "aws-load-balancer-controller-policy-attachment" {
-  role       = module.load_balancer_controller_irsa.iam_role_name
-  policy_arn = aws_iam_policy.aws_load_balancer_controller.arn
-}
-# HELM CHART AWS LOAD BALANCER CONTROLLER
-resource "helm_release" "aws-load-balancer-controller" {
-  depends_on = [
-    module.load_balancer_controller_irsa,
-    aws_iam_role_policy_attachment.aws-load-balancer-controller-policy-attachment
-  ]
-  name       = "aws-load-balancer-controller"
-  chart      = "./helm-charts/aws-load-balancer-controller-1.4.6.tgz"
-  version    = "1.4.6"
-  namespace  = "kube-system"
-
-  set {
-    name  = "clusterName"
-    value = local.deployment_id
-  }
-  set {
-    name  = "serviceAccount.create"
-    value = "true"
-  }
-  set {
-    name  = "serviceAccount.annotations.eks\\.amazonaws\\.com/role-arn"
-    value = module.load_balancer_controller_irsa.iam_role_arn
-  }
-  set {
-    name  = "serviceAccount.name"
-    value = "aws-load-balancer-controller"
-  }
-  set {
-    name  = "region"
-    value = var.aws_region
-  }
-}
-
-## CLUSTER AUTO SCALLER
-# AWS IAM POLICY FOR CLUSTER AUTOSCALER
-resource "aws_iam_policy" "cluster_autoscaler" {
-  name          = "${local.deployment_id}-eks-cluster-autoscaler-${var.aws_region}"
-  description   = "EKS Cluster Auto Scalers Policy for ${local.deployment_id}"
-  policy        = file("iam/cluster-autoscaler.json")
-}
-# AWS IAM ROLE FOR CLUTER AUTOSCALER
-module "cluster_autoscaler_irsa" {
-  source              = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
-  version             = "4.13.1"
-
-  role_name           = "cluster-autoscaler-${var.deployment_id}"
-  role_description    = "IRSA role for cluster autoscaler"
-
-  # setting to false because we don't want to rely on exeternal policies
-  attach_cluster_autoscaler_policy = false
-  cluster_autoscaler_cluster_ids   = [data.terraform_remote_state.infra.outputs.eks_cluster_id]
-  oidc_providers = {
-    main = {
-      provider_arn               = data.terraform_remote_state.infra.outputs.oidc_provider_arn
-      namespace_service_accounts = ["kube-system:cluster-autoscaler"]
-    }
-  }
-}
-# ATTACHE POLICY FOR AWS AIM ROLE FOR CLUSTER AUTOSCALER
-resource "aws_iam_role_policy_attachment" "aws-cluster-autoscaler-policy-attachment" {
-  role       = module.cluster_autoscaler_irsa.iam_role_name
-  policy_arn = aws_iam_policy.cluster_autoscaler.arn
-}
-# HELM CLUSTER AUTOSCALER
-resource "helm_release" "cluster-autoscaler" {
-  depends_on = [
-    module.cluster_autoscaler_irsa,
-    aws_iam_role_policy_attachment.aws-cluster-autoscaler-policy-attachment
-  ]
-  count      = 1
-  name       = "cluster-autoscaler"
-  chart      = "./helm-charts/cluster-autoscaler-9.21.1.tgz"
-  version    = "9.21.1"
-  namespace  = "kube-system"
-
-  set {
-    name  = "image.tag"
-    value = "v1.23.0"
-  }
-
-  set {
-    name = "autoDiscovery.clusterName"
-    value = var.deployment_id
-  }
-  set {
-    name  = "awsRegion"
-    value = var.aws_region
-  }
-
-  set {
-    name = "rbac.create"
-    value = "true"
-  }
-  set {
-    name = "rbac.serviceAccount.annotations.eks\\.amazonaws\\.com/role-arn"
-    value = module.cluster_autoscaler_irsa.iam_role_arn
-  }
-  set {
-    name = "rbac.serviceAccount.create"
-    value = "true"
-  }
-  set {
-    name = "rbac.serviceAccount.name"
-    value = "cluster-autoscaler"
-  }
-}
-
-## AWS EBS CSI DRIVER
-# AWS IAM POLICY FOR AWS EBS CSI DRIVER
-resource "aws_iam_policy" "aws-ebs-csi-driver-policy" {
-  name          = "${local.deployment_id}-aws-ebs-csi-driver-${var.aws_region}"
-  description   = "AWS ebs csi driver Policy for ${local.deployment_id}"
-  policy        = file("iam/aws-ebs-csi-driver.json")
-}
-# AWS EBS CSI DRIVER ROLE  
-module "aws_ebs_csi_driver_role" {
-  source              = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
-  version             = "5.9.2"
-
-  role_name           = "aws_ebs_csi_driver_role-${var.deployment_id}"
-  role_description    = "IRSA role for ebs csi driver role"
-
-  # setting to false because we don't want to rely on exeternal policies
-  attach_ebs_csi_policy = false
-  oidc_providers = {
-    main = {
-      provider_arn               = data.terraform_remote_state.infra.outputs.oidc_provider_arn
-      namespace_service_accounts = ["kube-system:aws-ebs-csi-driver-controller", "kube-system:aws-ebs-csi-driver-node"]
-    }
-  }
-}
-# ATTACHE POLICY FOR AWS AIM ROLE FOR AWS EBS CSI DRIVER
-resource "aws_iam_role_policy_attachment" "aws-ebs-csi-driver-policy-attachment" {
-  role       = module.aws_ebs_csi_driver_role.iam_role_name
-  policy_arn = aws_iam_policy.aws-ebs-csi-driver-policy.arn
-}
-# HELM CHART EBS CSI DRIVER
-resource "helm_release" "aws_ebs_csi_driver" {
-  depends_on = [
-    module.aws_ebs_csi_driver_role,
-    aws_iam_role_policy_attachment.aws-ebs-csi-driver-policy-attachment
-  ]
-  count      = 1
-  name       = "aws-ebs-csi-driver"
-  chart      = "./helm-charts/aws-ebs-csi-driver-2.14.1.tgz"
-  version    = "2.14.1"
-  namespace  = "kube-system"
-
-  set {
-    name  = "node.tolerateAllTaints"
-    value = "true"
-  }
-  set {
-    name  = "controller.serviceAccount.create"
-    value = "true"
-  }
-  set {
-    name  = "controller.serviceAccount.name"
-    value = "aws-ebs-csi-driver-controller"
-  }
-  set {
-    name  = "controller.serviceAccount.annotations.eks\\.amazonaws\\.com/role-arn"
-    value = module.aws_ebs_csi_driver_role.iam_role_arn
-  }
-  set {
-    name  = "node.serviceAccount.create"
-    value = "true"
-  }
-  set {
-    name  = "node.serviceAccount.name"
-    value = "aws-ebs-csi-driver-node"
-  }
-  set {
-    name  = "node.serviceAccount.annotations.eks\\.amazonaws\\.com/role-arn"
-    value = module.aws_ebs_csi_driver_role.iam_role_arn
-  }
-  set {
-    name  = "enableVolumeSnapshot"
-    value = "true"
-  }
-}
-
-## AWS EFS CSI DRIVER
-# AWS IAM POLICY FOR AWS EFS CSI DRIVER
-resource "aws_iam_policy" "aws-efs-csi-driver-policy" {
-  name          = "${local.deployment_id}-aws-efs-csi-driver-${var.aws_region}"
-  description   = "AWS efs csi driver Policy for ${local.deployment_id}"
-  policy        = file("iam/aws-efs-csi-driver.json")
-}
-# AWS EFS CSI DRIVER ROLE
-module "aws_efs_csi_driver_role" {
-  source              = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
-  version             = "5.9.2"
-
-  role_name           = "aws_efs_csi_driver_role-${var.deployment_id}"
-  role_description    = "IRSA role for efs csi driver role"
-
-  # setting to false because we don't want to rely on exeternal policies
-  attach_efs_csi_policy = false
-  oidc_providers = {
-    main = {
-      provider_arn               = data.terraform_remote_state.infra.outputs.oidc_provider_arn
-      namespace_service_accounts = ["kube-system:efs-csi-controller-sa", "kube-system:efs-csi-node-sa"]
-    }
-  }
-}
-# ATTACHE POLICY FOR AWS AIM ROLE FOR AWS EFS CSI DRIVER
-resource "aws_iam_role_policy_attachment" "aws-efs-csi-driver-policy-attachment" {
-  role       = module.aws_efs_csi_driver_role.iam_role_name
-  policy_arn = aws_iam_policy.aws-efs-csi-driver-policy.arn
-}
-# # HELM CHART EFS CSI DRIVER
-resource "helm_release" "aws_efs_csi_driver" {
-   depends_on = [
-     module.aws_ebs_csi_driver_role,
-      aws_iam_role_policy_attachment.aws-efs-csi-driver-policy-attachment
-   ]
-   count      = 1
-   name       = "aws-efs-csi-driver"
-   chart      = "./helm-charts/aws-efs-csi-driver-2.3.3.tgz"
-   version    = "2.3.3"
-   namespace  = "kube-system"
-
-  set {
-    name  = "controller.serviceAccount.create"
-    value = "true"
-  }
-  set {
-    name  = "controller.serviceAccount.name"
-    value = "efs-csi-controller-sa"
-  }
-  set {
-    name  = "controller.serviceAccount.annotations.eks\\.amazonaws\\.com/role-arn"
-    value = module.aws_efs_csi_driver_role.iam_role_arn
-  }
-  set {
-    name  = "node.serviceAccount.create"
-    value = "true"
-  }
-  set {
-    name  = "node.serviceAccount.name"
-    value = "efs-csi-node-sa"
-  }
-  set {
-    name  = "node.serviceAccount.annotations.eks\\.amazonaws\\.com/role-arn"
-    value = module.aws_efs_csi_driver_role.iam_role_arn
-  }
-  set {
-    name  = "node.tolerateAllTaints"
-    value = "true"
-  }
-  set {
-    name  = "serviceAccount.snapshot.create"
-    value = "true"
-  }
-  set {
-    name  = "serviceAccount.snapshot.annotations.eks\\.amazonaws\\.com/role-arn"
-    value = module.aws_ebs_csi_driver_role.iam_role_arn
-  }
-  set {
-    name  = "serviceAccount.snapshot.name"
-    value = "aws-ebs-csi-driver"
-  }
-  set {
-    name  = "enableVolumeScheduling"
-    value = "true"
-  }
-  set {
-    name  = "enableVolumeResizing"
-    value = "true"
-  }
-  set {
-    name  = "enableVolumeSnapshot"
-    value = "true"
-  }
-}
-
-## STORAGE CLASS
-# AWS STORAGE CLASS GP3
-resource "kubernetes_storage_class" "storage_class_gp3" {
-  depends_on = [
-    helm_release.aws_ebs_csi_driver,
-    helm_release.aws_efs_csi_driver
-  ]
-  metadata {
-    name = "gp3"
-    annotations = {
-      "storageclass.kubernetes.io/is-default-class" = "true"
-    }
-  }
-  storage_provisioner    = "ebs.csi.aws.com"
-  volume_binding_mode    = "WaitForFirstConsumer"
-  allow_volume_expansion = "true"
-  parameters = {
-    type   = "gp3"
-    fstype = "xfs"
-  }
-}
-# AWS STORAGE CLASS GP2
-resource "kubernetes_annotations" "gp2" {
-  depends_on = [
-    helm_release.aws_ebs_csi_driver,
-    helm_release.aws_efs_csi_driver
-  ]
-  api_version = "storage.k8s.io/v1"
-  kind = "StorageClass"
-  metadata {
-    name = "gp2"
-  }
-  annotations = {
-    "storageclass.kubernetes.io/is-default-class" = "false"
-  }
-  force = true
-}
-
-## EXTERNAL DNS
-# AWS IAM POLICY FOR EXTERNAL DNS
-resource "aws_iam_policy" "external-dns-policy" {
-  name          = "${local.deployment_id}-external-dns-${var.aws_region}"
-  description   = "external dns Policy for ${local.deployment_id}"
-  policy        = file("iam/external-dns.json")
-}
-# AWS IAM Role FOR ExternalDNS
-module "external_dns_irsa" {
-  source              = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
-  version             = "5.9.2"
-
-  role_name           = "external-dns-${var.deployment_id}"
-  role_description    = "IRSA role for cluster external dns controller"
-
-  # setting to false because we don't want to rely on exeternal policies
-  attach_external_dns_policy = false
-  oidc_providers = {
-    main = {
-      provider_arn               = data.terraform_remote_state.infra.outputs.oidc_provider_arn
-      namespace_service_accounts = ["kube-system:external-dns"]
-    }
-  }
-}
-# ATTACHE POLICY FOR AWS AIM ROLE FOR EXTERNAL DNS
-resource "aws_iam_role_policy_attachment" "external-dns-policy-attachment" {
-  role       = module.external_dns_irsa.iam_role_name
-  policy_arn = aws_iam_policy.external-dns-policy.arn
-}
-# HELM ExternalDNS
-resource "helm_release" "external-dns" {
-  depends_on = [
-    module.external_dns_irsa,
-    aws_iam_role_policy_attachment.external-dns-policy-attachment
-  ]
-  count      = 1
-  name       = "external-dns"
-  chart      = "./helm-charts/external-dns-1.11.0.tgz"
-  version    = "1.11.0"
-  namespace  = "kube-system"
-
-  set {
-    name  = "serviceAccount.create"
-    value = "true"
-  }
-  set {
-    name  = "serviceAccount.annotations.eks\\.amazonaws\\.com/role-arn"
-    value = module.external_dns_irsa.iam_role_arn
-  }
-  set {
-    name  = "serviceAccount.name"
-    value = "external-dns"
-  }
-}
\ No newline at end of file
diff --git a/kubernetes-config/example.auto.tfvars b/kubernetes-config/example.auto.tfvars
deleted file mode 100644
index 42af3b6..0000000
--- a/kubernetes-config/example.auto.tfvars
+++ /dev/null
@@ -1,15 +0,0 @@
-# METADATA
-deployment_id = ""
-environment   = ""
-owner         = ""
-aws_profile   = ""
-aws_region    = ""
-
-
-#Infra Backend info
-s3_backend_infra_bucket            = ""
-s3_backend_infra_remote_config_key = ""
-s3_backend_infra_bucket_region     = ""
-
-# External DNS Helm
-hosted_zone_id = ""
\ No newline at end of file
diff --git a/kubernetes-config/helm-charts/aws-ebs-csi-driver-2.14.1.tgz b/kubernetes-config/helm-charts/aws-ebs-csi-driver-2.14.1.tgz
deleted file mode 100644
index b58c262ffb5d59866c229f933560a8a8c09f172a..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 11028
zcmV+vE9=xBiwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc
zVQyr3R8em|NM&qo0PMZ_bK^GhD84`IujsFwt=RJ&Qircu)n~SzV|zA!nX5*V<ZUHe
zV~A`?Sd#!30A(wad4KyW9HdB!x_phZ5vOWwlK{HW=o3eSTuToJ(hDT@LO~}eTBl<o
zls_eL^q2d2+U<7x=-|NoY`5FhpY5aW;a@rj`-k15&T)Ic{g-y<;HbU-7iixT{H0GS
z6%l`F-x*f5bAOPBB=jc~l5*CANw-0gB>%JHcMkk^BSaYpnke(`1ir^8hCs6j47q@l
zpZjqBT^~;S7jS0yr!nR+_F$}3B73dYh^lcq@B<#VuF?Sth6<%8=}5Nbd9QJW(`zn5
z*=u+}u4Tgm9O(Z8NgKL)j@-9@f7$Un$9~&uf7^%&Wr|RS!c=5LBk)5G4Ng)u=0Y|A
zQW4z}wN}G6TZ6RZsR+=3zFn^;S+Ba9<ekQ2j{kf|CnQQy-lGCoF8|$5=lG~1|A*~^
z!>#;3#<K%wI3#JLzz(|+>UpN{8$0lEOeIhW1payQ=CwEEA|^^<2tyj7E^vlHL<GWw
z2ucPKN>CgI2nmrAL!eA?nDSJB!Z?YDLg_aeG$teLH2?%ATvElwv<FE#h-lzrAbfHy
zTNMVaksyE_csD^IXsE%C5lp+F$Ox{-Tq1<7n^eN&^Jnm_l{?Ax9enxH0A0QZ&1M52
zNu%gJk7zLM!Nu?`SMLQ%WUA5F0ndZeR4N`rL<Sg{ev;7jFh)f}qDUh!MP8c{x`Us;
z7&Nb5NRK2*ttM$m8e%|%DW3>Fp&B(5`cD94lOFu?FY|j&HvKHb)qXBg_UeW7M}hDu
zZ%I1xq~d~%u%&S*z;hKXH75Ih$8R^yyNHio;{>A~bQ`wmO!?XF=?;EO8A604M4^93
z1dK4y_QNn&1(fe<y|xwdqErHBFqmcoXUo}U&t0Lc|Hw4Eg*{LrMfYw8-Wi)kqKvZ@
z2jx(c2m>6G3FQvH!F!BA#3+rCDQT%6VhC|6mF8l~fG{9IfQi!JK+zce_e4lMO9jdL
z7ZWvW@&gWM<|ers`6KR!IB5+dGTO;%<)sZ`+1nm8JBPBFe-y~@`V2`JQHJ_syYx|s
z>3bBEhdpR!)g%U~plW)`nZg^@%h`d1?^rbbz`1%wBa~CAFfI{~L=nG!FX)6uIKp!o
zkjNo5B$3pmh*BgNKN4qVz^ZI{kg?@jOqaE?<+umqxYg?6A$d|VlE^VvDr3tXIA_if
zjj{L{oSp@oAOkuqeTUNzXA-m_V_X4cQjsXa(6l(@B0$^d4DN&Te*yEd2psuszw;DG
zAJGXil=8jc1K0U`rb7lH(Gbd1==w*QB6!?h3zYP?N78`~R=MY$nF{>6<Ii}AHvId5
zBPx|3k3$s=*Evs~$RJm_<M1iSNFx#aW~v+1+WAxd7vtIQ))juAMo}LFfl3;}>8LaF
zY<rDi8b#$djes*HcobPaBw<Lc5jqhg=}0fbt1}#=qt|>?u;9ZXWmHXVA2lIQN^i6S
zibE6v!?RRSHtGjs4AY3R(Zz`I{Pp<_25HeYdT@<&G*&(6xHnl-$bx+Q^%D~njL&Zp
zfl@nzviQw|E1dQKucS|6@*8L5TAFw|;Bk^F^wc!LLU{n5pdgBi9=zr1f|b5mgWM~<
z^I%BCh$w7iwm6FshWQYKh63CghzXC<7`0W;{a3giBZHwd#i)do$piyBq$b`mwfdG_
zPa`6wZ$Mqx<_ZysHZ&3y5EhmjLsi$zbNz+^<5}Tr8b#V;kf`OyHT+6`oF>=<yio^@
zq9pFXkJ>+ClUIVrx;y#cz$s@#I(kDAX>f6j2qX|(O3mY-+09P1WSE7RM0^@s*>$bv
zkS>NAsplp<N+zvj6667rA!L+}D1$&CQ3wM6lcLn{BqT(T7!?XbG`vxQoSIT^T=iV~
zcHmrp&4-7KY(Qq*J^dT%pW&2|m<A+@riI8VbhYfjc%El|8fZV64<E_Mu+0vDX2?#@
zvQlUEs_R~LGc*eoty<9nf6l^$Q>JWNyCEh51EMh8Go1JF^gS?C*IZm_QfYzEtR>J;
zI1xNXHO5qG;t3i^K-ZpW&J4du8SLT>i4*OcT=rhHU$igbdQ5{c1Y8J|31^`pO~Qo&
z{arh}5f4ZNV=mR6KPL%P0>+7&f>c`8pS$*ABy1iRT{@)Fc*aG7T4(u<EnRTeP)ulm
zZ#dI>zRqLomrCU7y5zOZXyauH;1&+t4xHqQGYjf<+)%-Q5B`mTHBnI>*INT&T<Kl`
zodWxtKtQDU+)S6AyuSd=hdKQ+>BSp8Fc_NRV}v2sHifd09hTGgIi-8hZ2RV4Z-2jS
ztlNxxFU~TBRhR+|qEu?fH<cKgo+&aKQ8p^c!ufZ7Cl3;KxeI0tS6sc2AIa#{HgXZ_
zZkLUzwjX^HN@)db*goOm31eItGbm>--HeF)TTpHcuGVXB%?zv6yq?3@3j|eKZcX1b
z{j{CuOcN=U=xY)i^_lBkqZ@ViUBQgJ5$9JJLYlyY5>voTUY~YnQ#KleW6QEeuub(K
zl^znQypHkyM$YO9Od=YPQ=aOf(d0;zkSOdcK@^Ury=?AB8HN0TN7{=1Xv)~;i*GV@
z6O)^MDn{6Y_Uz4%j7$iPEdN?8%0A2v{EU#w)F?WE0gq#3p&^mtj!JomJF9Kfz2Z6|
zoM@#(jS?nW-OGS-$Iii+(*Q01j5Qb(zMU5&k>o&`R^(E%+nBJx{uD|Y-NczT4peYv
z!`*AD#t>1ZB1eM^mFFPSV64Hvp^RRo13So5o<hjsny^w&3e{3(d#h@sN5`;Io1uT}
z;989_)&Lj=C?yfo=cfMxV?MDeH%LV^g@GW3HbX5s-_A(=t>uolT<Ow88RQI~F|_il
zr9RhJxm}~S8@3M`ijzu`Dy}_76ri}}Lj9MWE!CnWt)rnUXGCs=Xn!#+u{0i_(1M>$
zDbD=Dj6a?G5z&~c+^7Xf+JjEJ9cMg-v2nUP-4}1D8yJiIx;2~todkiA2csdafwv}G
zi*Z&6h%J>1sV!(#l<93rf%?$5e;CbOCZ|ycmSX&x*%=YLWHV0@PZB+RB+h+1hmV)x
zV`r|lwrn|+Y>Q-0qbVMtaBms~&-K*lt&=e1OzP;NQT0>LZ>Ut#Rl?yA1Erl;>rvyf
z;zh81476eI!G7B+ijVzMD_%UcY-Vf~NT;4bD#Cs<%FcOD)@R6HD4y_$kEZ=Z$33T<
z>8OgboC7?gny&ELYM>p9j;-^9?t1ozKU@3K!P{?~VOCzV^N&mtMdgrMZRX+&JYmyo
zGF=l?8G`m=^q6k~WpQsaAGQ({YE5Q@cP3y74;u@DN0G7<`Ia*sIu-&(^ZG}L!iZ9P
z_U<2or%B=Eu=2*)XNR2q>y2jFP4LZ~c-WPQ*=(3~d1`8Bvt={if3E?vzxuWPUKKL0
zo>b7m=xGiz?_MDSu~Mq7%K(SmdCRkYek%(-l}ei;e=*x<3&+=lD#t)}#sUVZoDTR+
zrvG>x6BhR17x-3=zkLqhdcn8Pp(!K81iI}e{HxK>O1oEzy2_D}=GzF>d!oiYXibP{
zMRd?|Z|A(Lc`s?L0A6cux^etocIG~!hzo(U_k@D>+xnbNb>c}BeRPuUxU!<ly?W(a
zuc;R*<f@0Z%0AXuE;G#~$pQ;x<Ex)33;A^+zOs>AGbT4QPUC`yU?XF*qTsYi6B4wJ
zMy^v%Orh7>SLn?<w6@2!-Ym>}vryx^HaqRVHkYX@jm<K}YP*+}$`?(vG9VHJw+`=s
zvOJ#3CI~g{T6WS9BoD68jcZv|&w|5(uAW!a6)oLf*`=qTdy`D<W-C|?S(sjO*2Toc
zrFo}9xDe4R>@{XeQ*){e8arlSW-K}jt#&G`YhD02xPh4+D;skvJr|~U=5r648rP-+
zVx5{&`&mqGn~tZRdErsn1DPf$0?s2>+qG;=$j^kTS6sZJLTY;>(-?&*W+mY}%0kLU
zZ?r~VT(;cgnO5UyJ_y}88fSCeA5agR`7)d0%1}lYh-sqqu(-Z9>|`B}LOAVT*eUkh
zw<9cLJlndN|J#8JrjUisiPlcB3AK0>YRhjU4r#-dz>EkWk<>(sNkjr`L}$R<oQK>0
zk>d<<%+n|Y5?zz2)RJd?at)K=bvEr{N4t?qd>4gzqnUJl?cFcir)K|GzB{M&_T9(x
zzOQc7-C(TR|9RYLSN4A$?YG<8{a=sqeB>}eL5EYT5a!td#zb1*8N=t=^7R_VglJtI
zs0c==jQ#Z(eEtmn2Rjk!YbRAETAO_N0$v17k|Y)Vt_{b_&!2&^AWB1oX3e%UU8V^>
zeEITxz5%0RSYR3{0fsMMnvI6$-kxz1emU)5K!3J~{;%ET`!oYdTX>^TFcK9P-}j0!
z6k(yAXtwh{93sv}DD1`!H|6XWGL)TVpl&|QRE_zBvXNGo*F=Q*{0D(Vpz+%!Rc3Y~
zmAYKEK>-XZre?|lJ3~v=)W7ZcFO~mKV~i3M(pSk{wt}vZ|HJnFaYg=*yIc8xoagiB
z)-#yUxM!x>hBQL$)xXr<GzrGogJ-QTUmChp<NPKulf>GQEzF!5mi8O2oTuF&%9cs9
zH!Eo7pxstXBe?!gcJpy@jT?T~J}L{~Xy5!w<9<3E(i>=cv&N8x=68##T`2@IThUFU
zXbS&HNo3auNRpUN_>G^@wr<KR4MTTGJ2U~&zLVr}X(7dQeMm71?GlrjP0iM9sD$0Y
z)R5)uZC{twk}4An_WZ`hFk2?FjW{1ZQwruCoy~-rl^Qb#uaS4yu0!Q)kHCyLbeI#i
zx`7}sv#`Kg)YqP0_QyA-C%u>J4{!m`oG7-HvRcn^Exp|s!9-A|hS2=0^!_TFmDViW
zO;~Qx?<H0&jIkCXx8q-ruNh~@G`5t9TGktDQ=z%AXGOx>-?QD$zvte5^Z#!`^HcLS
zQpV$$GZ%HOg|01{wYSvrXS3C>T@~#EWK6=UjM2O@d#&kj*wn?w7{$IEw+wZ9umX~!
zVG%&>?(lgBBtN%NyP^Dd_)p3eLV<R*tpq$yI76m-P}mASUoIw$j4<>D(_YEda%<ET
zI2E}sZbrACLGgc*I9gJo)K=}#=SvD3@IZB7y;`E!S%tN|!*w}hu@l*wb6?jW0-K<)
zODvb3XEuL$ij3rCHb-oh9f61u3<ZyYKunVL1lu-dCm>9lGa>v&pwwzrYgig6XeNXT
z*@WGQO0}046NHTrzPZBbbNI$grRo~_Xy=ZsU)i)$(BqsZy3S0iy!`8=X`0Mh{9Rj8
zO%;cfZ*YO%jW>}Ynju)HEa?zN3U(u8<tFx^J*U+?__bLi^UJ@=Uz<(X{Wqr!n$Mfn
z7FH|g?+FVdG#hll?7{<N6POUO9xLm5o~dU$mraI!|MBDdPwzjx`#=9|xLIt=U5@sq
zhCkZ|Skx57Ci-`5<L$eZ4P?6y>y(x5(bslQx6cDVOXEK`Stxjfv(posp9@?O|8@2c
z4$ARgw{vv7J^%YCkLP)fE6TzixXoQ3c!Z7OsbDc6fltf{TKb!r&h@WeSof#X$fn=T
zPUd_eAfG$Qn8wpA)F^M7GunTNagTDx?{{F7g~${fX#FJ82;K4=NvN6rmOc0dnoamu
zbzAo@&`fkkq(Y|h#V%WHf?{Bcj8HY7LsQ#N{qvfrV61<!i(dM-#Jn;U*Mn*{?W_r@
zw%I^Z-z|<fde;LAB-OAe8}d8BTL+dUpdD1RiR+$8c`F=RQW2Hbpppan+A{W(pSAUW
zwhVp$`oFz@)T!$K!{g(v{(p?;LG*vVW#JLjezQ5RC7kvxD+HsOw#uOLtS$e=BikFQ
zfEDuJJvgYW|8=_uhui!QkMcaM|5sp|Kd1|6H)iSILbIh~6Cbb&*6ah>+-JJAt5n=u
zb2n$SzI~k3`+!S`xSkv6R$SNef8B_>Dl2+<-{1ny)M`KY)&uB#`v(}hyN4&7i;%LS
zKB$Le=2I7g%6TM%>BOwWD~^92J#P6E#13oQe|P@;Hff<&&Ho%9RqcQ0@MvrQALV&i
z`|p_MVQjzM0GuE50{tP|l{moJX)w1D(jGN-8z0@yc#!shvuVu~${ZHTM(zY)O|-F7
zjW=8~`NvYsF{f5;??F7y+|`}@mOH~)IG=NGQ%HYQzi0s!d3XnVwzmE+Y=gV+_^*9%
zI3NFYw)+1uo`=={1*Z9$@!x$3<c>>-0SStjn&VF<YnVGJZw-b`E&x=y<EaANMp}j#
zN@sCw(N|o6%h>Q7F6U?bTSfZWik_zOrH1NqgV=@pY;$WN%SazFPXt!p+v>Yruavh!
z9>|unULIkg7YNj3rX-U7SjCaCiZK@mAu2*6S!We9x>xNY<c1Ndmhpk(vb(GH2Z;)2
z{I%L_&jO)`36(P}SJ~S?K@jvOe%7`B1A7SSR@(qpt^XX&&HwIqy9ZnQ{}@lL{dXtc
z?qeA!-vQtl=)ODvnVMs1&IzzR=$8)G7LL&twmlX0y_L`5n$3hZ39zkZPOr@G3d|0*
zG_+KFz@bK9-ho<cH$<k&mk{^CRqv+qf173CmGa-M?*G~E>~H1&QJ#mEf3plcLgT?c
z5fxzA_pyY(x)lBtWWM-pD*v}x23~FdEBXJs2kp+$R{kI3d1(1Bt^hv~`Tv?OK+S^q
z*VPD{%KvSafmX`@epUYWJKgR4-=jPaE&tgH&{p=Vi(ya06WCP#Z?g<=EBn8d|3`Tq
zTK<bO*jpV?w;=MA?f;BYcexF0x%}@Rb~|(VACC98`5zwT*@4qpN)snNP9dDl^12rl
z0Z9_MT;^wN(^yZA?n@yg7!=Ym%SBROOxJ9|Ymg>MR!!-0<~v(nmh#{g&Qe!VvQ4`a
z#E_qtw)IRV#n+`g;^tzoS~{*nnfWvGGjxvJ1!qpU9R`Ilgt?^VtI)aKP`$`BY~H}I
zj_i5T#%l5EvGuwtOQ7Xru@ZbCk>spKDTUqIXce2P#jS!_#>r4g#yJC7KE%#t4<gFa
zn-WTkIJ(&4BI>S9!m<f{dpl!Wn+LwWmAQgtBAPzuiAUzEXGv2FBU(wCx(*%Ys4$lV
zdes;dD%^Pp7IX2!+{Wd~-zXUv$;r7Q&n*xYUpHaby)LM(*-MfnO=!-mize*BUIk)M
zz@_&RA}Uq6giT*?yFS&xcxe)Zp15QM#V@-tijm1hb1kSs@aM^~w{+x}B+Fia%<tJ4
zug6@=_^6sOv>=zYHyPcEyO$wQPSQN9Q%T-@7w|z%GsV24c4ue)DNoz{`Ewz4Mb9L}
zarm18{_Kt^*v(YNZdPMbNT4%I>aqvB<u()<nc?i4`%(7xicIJbd0)8cs-V+s{n<5G
z<(fo{Dw&Vh%y3ey;z5ng&Pg0etX9|o4?dG9dOoZ7Tw9ATu#;c7V6ObJJDOsfFu2lg
zap*EUJTJSt<mETJr~Qjh=Woy6zq@$*aj&kAYa}VDKv?aH)Ff0X@?WQ0ZE`_hmdQfp
zmXta&T)mJQdVaeJ4NdmK4S>_3$sn~`N2KCKJA1Ipc&!aA-bb`ohos4Ck`Gw%rkOe<
zHy}_E@@l}F6Q)i<&h9>|gQz)0hF4yw%XkqVy)4}6wyc}Fa>Pf9OBJFJbKfQ}>;0E3
zv3p$)7TUb>t#0%ESesJFCe?iER*x2CvLab7cTCFYO|R9;bJYiuwp{k?mes%}lT6EO
zW8}frLNIUNot=Mrd-CSI4vtBYU-<ww-=3Rksr_d2=xY^ayxX_-4v2a9CqMT;ot&PY
z_xqoIIREFTi?j7{uv-~_!07@!X4k{pk~Kw4a{MctexhN`*K8YU=~}^g^!w+hAI?7(
zdhz&OAVGjqe!9Zx?YnV)+Fi<U^*so(`{~x{gpO_(b)j&7+6En1rrX?YQ**L8>+*;5
ze_XtKTQ6O=*L8E5pz4Y*F^t6|R`+fZkxlA~`*kkxngFwVG&aG(Ty%KPc$BVQsU35x
z9lel>%9zKxQswH8Me4M%UMGv#l<{2Pa94X-+sA~9MV%WXiPZSFO3!jv{XG||2Y-9f
zeo-lr2(Ea*qaJ)beZQ{rSM+NZNtnA$Z#hD9KFlhFs)oPjqT}q*g7gnmRh^XBajvIV
zVz8?FrsF3{qBD%hG`~=!(=L@!G)A7P*?l9WuZg*xdr{pXp;0RE<5-{^^C;}WVd1-u
zW$B-wpUV|`cG*RV17>^b=a}WTVzvy6MK^tvTUZ$F-wm})wkkV$HVL(}`%V1f&at`p
zdyUdM(q0){S7-j_g6uT_tsjzWKi_O}wl}uE{ATy$?CisNzrVLU9H<4pC@|2qhe%W^
z&>Inj^5sW2<y0T4EQz1X7wFbT=_X3H$5gz+wU~2UQWp&&2~l`v&Wv)ly2GaYxhw9J
zd}uNg+iR;#@_-NpWKDupMA<7wDjW$^=GC6(cL5b{4us!-w|9>CbF(BBqHTif-CHsf
zIcKSz3a%TG3ROK*!3$lDO^Lh|+<N}zI$#7cygow`MwH<ioigRU&{f#9Qzd8**(oKa
z?~SopXP``R&l;!Ad$bVLlKw21dCM+QvUi0qn3gEr8NTM6fm3$%0nP2^37&jxQ#*Rw
zDCZ%foF%JxGuLeCxO_zqt`?t#i#6~#E?jm1=~n(*e)4a%^HwSPK%QF#$|JgMIpk$N
z+dA&htf9O5LRm`>;Rvn5@{Y|sgbQ>lSR1+ui(ou}^RpJH2kXxLx;?jmvx(2M^;YVv
zP)_u%tMYVQm3&a1f}fHj^EI3lCrDh(<5fIxFytaYmtSSqKP3qn(1<FE(m#2B;kIZ<
z|9c`AX2xhuIs;Us)7-m53(dVn9##R{TRB<9-mdnu=1V`2t2GbkLA<T1%T$@)+N$<C
z!7Yx>R=YnP?Oq(0r=Z}A_<SuLza%zwr{iv=HM2vht2Ji1<O6BTGLT1%OEbXB!qTz1
z@+#X1M_DS-Lm{|$IlJ)QK3jELCq@~Kx2pE(sM>5yo`RaqaQT{Zec2`jEdm3)l}at`
zb67*M)|G!C^;!q&_Da^UXN^w!FB8T<()*LQ@(4TysVigj__9~AUpb@Oe4)i-5tT2!
zLIdUPzl+<L4SjjnU@caq7cK+j{4t7J9>O?L(=#f1@VV^9E#HK8mjg{-`#9{M?pc2R
zTT<sx-R1cA%KQ(9$8+bu4-dBIzaQl(p6veo8BCf2F|FoNZ%sPQns;_44R$5Q6BMUB
zPKZEg{{3ag@4WEaUb_k9Ikq3t0XlGgexmBjmn;KC|KiMEeqDRE+}Bo`Tx*RJ-}jMm
zJNx;;Eu7^$zY`u_upxiPjQ#CF79u%yUp!xvN_-cEc^9mH8%mSfA#-<L(Fhw)OW!S(
zf48OfZqmQT{U7^t^55-j?|*%iXWdQL=6Y+-D`kS1bQ-0sD-V|vVo@G~Onl3E6&7bL
zDC}pi-!`69cZn+^MyN`g$JI2!Jk`s^dqbA_1&sNF?{7HM!P7>o7_qHG*~kyLKyH*@
zz5-Dkj725OL*#IH{E@10k{44bDkXmSyfnK)ebu=%93`z=&o&#S<H#w~pKrsECu_o6
zM!D=1QqGe#>;|*F^<`eAOre;Ns0W=x*(h{x6Z^7M|C_|6*OZ0)`YuLbx&H4QbdD<e
zzuWE{ZT0`7JQbNVxpA%L|JjcF%so3J7<1OgP16Atx#;U81lml_+3ZyND#&Xj+$pCI
znoAf|q<baP(3}ptL+&0{JgI*hdM?Y_V~}4rUr(j*COJ+@(+*iXx69JAaTcC>_)D_M
zYz}VyR6jFeT87+XrukWwQ+ri{A3K_JseOLWCn%e8Diy|7nFN9=8jz^4gK=R3o+_WZ
zf_M@|ALr7>c)%0=m5Uyn-%zQ_G_I!1sHgjVruM0M^|Z2~WSLK3E-lJK=0fp+Ra1{_
zlw)Lm(CpOZiJ1m?O=DV{p297f+Q|Yh(#1AOQn69W2!mDqLhhZDI4oH5`1)xYp8PVf
z^N;R*>38)ikG2BQs%4(j-meoPevRnhS69Batl$Y584cBg=3CCNSqsu?l9dq4OG|Ty
zMsKEGNadB6&;%E^^Xsqvue!vqm0FX|ing6hZrr-7x3c{qjnLVijbRk(mf$?%vHCyB
zdG&fheXNzqZ19Y8Vs(!va73jN<aRrnbW3(3`9s#u8jJ9YYdz3X{9=F)vg;|+ff;Sh
zfdkF2FTdG6`*88o`G-#*&j0bL|L*jMPw!7Ye!uR%sk&}#XnL3KiCWX@)^(x2!FfIZ
ztGnL#*UCc4uYd6ER&_)3RqXE_jbVvpS2a>BT&Lu!f?82_YZ39Wb>ntVQueG?flKwp
z1F`C@nd@t82Ku9Kx2bpL$6VUcDZ54Mc=mQp>Wm6A+cTX5Sj!Td!CPcumf`VE*pwr4
z_$*O}x5Mg_YjL^}S(b+=%P?6pUa<%?n@b?q2QVALu8(HcfWA1q*${(8u}%Str?l^3
z``BmY`rlnQf2>~rJKXP7?*Hu^9UOJH>wk~&?7&+dV)f>aJFN6=SNLGb!q;|*uT*in
z#Alz4Z}ZqL@Ga!hKl}n;J<zo;dH}e+IBZuJVY|AxU0o~`|F2kG{NtQuTWgiG%Ezvf
z{#Zq$cE$5M8k!jaljZ&POP{SpbG;#IE4iX_h?BzC?TX-k*NWgG__xdETrlZ(Lu<QG
zxm~DSn!Mp2*C<QO;|~7IR%P-y2iAmLC1~7FheLV;%~o@vil4i&=*gS)$6n0*<Cyz9
znc4N1R9pW|3#ywk*hYup@7>aDmwmJ6&yb4Z7V`XuT6eA`{Cy;$xF@;$^R0_-5DVV>
z8u@x2&K*3P2VPCD#Xnz2zemL95U!1om!Vn-m**jT?RB(2>a%qHH{oGOrAW<%c!M+?
zp(>n$U3+DC)%pMS@loac=Rv!>&HwQzPi8TeA45-!Khv6YTJL#ymb1inh9%4*O>v<(
zFWo4vsnnJ*8AOU3L+k={4U~sFvi``6&vREY-@_8L8%2{)pe~bF648L1Y99=K2XpJM
z^CV(&^CKe@LL)MWum_z+bs;RK>}2-6`^3_hY@a(mOZC57?<ID<x5B;aZwy+c|M%Nf
z{l9<MKHlp8$9O)k%E^%}_S-w*OdgnJIbdAz8f{&F@6^IA1&^r5mj}}o3`un}%G^ej
z1;JYZR2~dD>f?V_-RZyM^2N|0od3{=i<37Xc!bj2|KczNC#Mp2FFy27_JB%AC5Arq
z5zX3;?6q1U52T4rNKAg?%!DX-C0j<~RV$S!Mkx)kMM>-#7~YTz&%y9A82(trk%1nf
zA~ce|#<D_-9RR$_AZ788Zqp-z^+5mkKM4`a+-?5%9wl+F_dgE8-+Q`XD;q=oN11xr
zuin-U-Qn3(|KDay=*s+mM^*jb?H+CY|3`W1c2GT_=3l;z?Ca|MI^6D2+doZxwOsyf
z!p9&Y^5OD7wcAI>`_=qU-TlL@{6EGsKjG^J-R#k{)9Ie)WujjAR#FCYsX-U0ftjq&
z#BZsL%`aLgLE|;tD%*B3lbq8Vw`j3&hvR%E($AlP$5g>?NCO2;JGcEEWg%swH$229
zG=C;kz2f2(6;hpYCes*26Mlyng(mzSG&NnC&@A-43C&D-<*06$+ijhvM*jUVMll^R
zF7RGJthWE%iv8~#wmVz<|0vH6yeCSbU=kDuJL+&fMh1hFMw*8qA;A?Hq4XO&@NrBf
z$TTtg)j*ChieMD+ft~fDZ1fxiMnusGnwk5;d&0uT4luOa@L)F)IHWfiT1ox?_I!B9
zqA74@YHE}qK>-nE=r{bc{wJ+`u(1QDJdQbopHBM_QXw1uh^m(P-=g2}2fvAy`9FIx
z9<}s;*`IR4TC;`*B)CcwFbCKg&wP2EG@khba@Ba|t2k*q`@fAH_=yP0QwbMm=d$4^
zg8v%>)$nPEq-Dzq{_loAkpT~}^@QyEs;5T&PrpBT`;YV2@BZP(;l03EasKPz;IJzH
z2M5PTTls&CX9vE=D28B6glaT)c3{%=I|qKJ@eEGF5H5=oA>q{-4${$UKDva22oj@0
zQK-~zJcIAjI04H@FtOf&RxFp3jwx}O7vG;1CrQ$BRTR%_nJW9b$}>2>Nw~yp-B_!V
z(q;rR5240bGsg}gCJ~>;+OY5bveP+exBs=9&4rAp8m9v@D=|BP<4HP_ts1#V(kN<m
z4)%}sp2IKyD`0UzCVX1kTJ~{oukj274vASFfH!=C2G4A-Ljlj?p%ThWsc}9sc2AwO
zJ?I|au?OAb)jfDkS*p^TgRbd<W`+7hyEz|N+&X`|BW|6)8Qc^X0z(?rww8U&QJW#5
zIGFUxU~`y4;nFj3`!pP)FYb!y3xnt>XN-&geY#)UT>f=$FK7I&5w2B?-}O6}g(~aF
zO4rJYVX}<DW?W^8TMu7Hav(WS1p#3&K;RP;f`-U|4k1KoZk!%WA(bfPJ;_bGy`kLb
zku4`74>%jrQFeQ?Mr;4Y9nso<(cX~ZNEn)}?WfsRZgaEt7z@Jut;`Q{S}c$6C>Hz2
zRxB=<<T0b<l!qv4n=F;c$ym@cjE8uVooQ4Yv>S#3&QH6B3*Z$Iqa5#}yHfXPGwNmx
z-<cVp%DoDgWnoVx0*^wtEEM1a?VS0A#@da>vu78vc3KHj@RlnYVDH&8>&|9EWY6YG
zGnVu1X{F3X=yVLdfnNv=(vkIEr4HJHl6^9*xceUpNZ*#8RLT^krs(0GZ}Co(ksu+$
zHH{*37y>v0yrEKQuRXB&=_L#>Aeu}XAtEIYC{Y;N6H~fV#ja8bG>%iHh0bp@el+55
z;pjFEqZcS9$2^Tf%|c#?5h@ELN1=v@yLdz5B*GqC>P`nL0#`G?Yo;1tUuOL^{bXDL
z84h(@giU9#9O<9KAXT>Htk>t?_2IOC0cW}193Z5#WpDk)UW*9BRHXvV4f-gRG*L^|
z%>ioSV5sRAO<~BRh+kVhNmw=-KD^?>=}k2zM#E~H3-p;M%kzxsfokGtXGH=5hSvpd
zpO*yFzUgb$(?sCJ#3=<Beq#;W(ed{$GdpjiJL6N?3wa^CkQY?SG_m!kOPBg1n;5w?
zq%v=_tE4ZT^6T7H`E`sEi8&wrR&O`#C!_98$7VL`vUK&zrSU;u(Fik~?&w49A0KaM
z{-42#<`*DQ1ln$>85OlkzSL}#AB;7Y?XF~dVaYa9H)(B4`a?nIw%77YI)3-EP(}MC
z7a7l1ceR=x&JGmke&l>1O#w)F*mwp%DjLz>5MnOSmd(AHY_+pgKSSnkYxziR>m$8F
zqUF2?AGGm97NCiAhII6XB=QnSAh?ter;(ybgtKkLkV>Q3+zxBUO`Yx?hpN*xL-lVQ
z43Np%#@x5rfW25}y#8kU`=c>!`DT2x7r$Jz>mL=OvloV#IhFcOB?M+wI!}P0$Hg4-
z<4l_#Gl-!{9Rd<97kBR}Xk9006OsmFepTC;`!*xZ@j9e=QRwfn>2KCep4g+IfI&CE
zqND75`kFlS#`W2@pC6=ix9OP)u&m&ih%n$GhS?rx_thbA<agFU`PhzT9~CUT#@A>%
zb5GS}p>gd28R`2^%C(O}1Wz+31#grfo+2a7_+peAQ7(Er+Nv1wPB5S(G9f7mjB_E=
zU<^dUWwY13grVRu3<Q!Z<1LI4V#4SUrGkH+ym<{|Xxz5UH5SN1G&k1FF#TI&#;%nM
z^~=;a^4mH@$_wL-xw|aNtxvi5zJE{>g}k`CueD0*1*HoHuiAd6RHOEUWmV)3OFdXB
zoreW(J@Q|yVbhPargo*W&^P;@>D<a$q32NP-@rsQl1in=-?+NxKa`xQlQ8r+n_+gm
z7G|A7UyjzQQSANU8Z{2JLzCAy&^10_tV3hGNx0NjMO$L&4mBt~8{-1Y*=;9zGy7`+
zE_SY4Vdsq73R7d+Ea?a(m(|7sLs@jp3IW|&KEai>acBabIYcYdaYc?guuwl>5|KdL
z+eBbs!UQ5laOrtgM>uU`RmEUB`(WP88e0c^aWZh<f?rW%zd+f23nSOqcK*V|Ju}K&
zdY<zfyrERn1TSG2kr7NNaZ@2#bKNx&n4#P)BOp<kFr;#<%#4-hvw|0tIZtbWEKLJh
zkf+uN7iVV6S*47#s||4dEU0wFa;4k0;_;(IH`z#%B*%lu+$%MG14TxTKP$Pc6nDm7
zqLQ<=Yh`Axmovh)t<0>b(J6>`+fvf39=W|L+1*7sLS~m;=~^Qy?In-7c+S^R97se*
z3<j9lA8pfKQ<mNUXE;NkUC=K@F*S4R-PyN-U^xbS25&h;oQ+TbWl|ZX<P=bG0J#9F
zB%FRYlcqT?MucfUnS>#A?n=hfzx?QC26TfWHKCjQ*RI+6*ZOdNa`xujkHeijuJ^Rv
z_8f)1&W)$I*S+!h&{Jdd#u&w(VGQSA>G3*PYmAI_yKuew$taJ$>zmm^@Vxp`YdWT?
zuT8IKBUt%38%V<eB4u-qLuUR~G+~H5w9tq#5CTa!&Bg`8KhV0~_Srt$XZx&r{$Bt9
O0RR6BnKvi^DgglQJj9X!

diff --git a/kubernetes-config/helm-charts/aws-efs-csi-driver-2.3.3.tgz b/kubernetes-config/helm-charts/aws-efs-csi-driver-2.3.3.tgz
deleted file mode 100644
index b814021db7983753f7cc29d775425972f41cb0e7..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 6106
zcmV<07bWN)iwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc
zVQyr3R8em|NM&qo0PKBhbK5qva6j``>?`M)CV5TjYCF+P&K%cv`*_+oo+wS{nNBB$
z$d!Z|Bv=5Ht)@P|{R{x!MP2OJ?&X*t5}8;m7JCD*SOVlqx;T-pFR2>{I!Dnynh~MA
z1qs<#_w#f*ozDJXVE*rPI`#iM`+L2wx`Y0pH|Xy75Bgtqx`X}h-dE7Mr}o!AiBv><
z)%oJK>Ye+WJS3(cQAo<8A<TOYiR1jwt~c=ZodBgTXspbuL-;qc5PYp6FyR6Ye;UEb
zw<9<jox-tEA7{ox9KuYgSPt9mDOIy%?D;%wUnXM|5h|3fq*K{mRz2qu7gt;aa_G1~
zuB77vPV~RNq>iqh)Asd$z3F=01Fz$DzIH-FBSmP0!c>fiCV(Niq|sE7m_!ahB3L6)
z6|k)Cr3k4%L$;<~4q|IG^hNSS_-H7)8#CrvXM0}X>pKr5|7H816PBR7M+dOM{txyK
z_G|XP*E#4s+5claJ8+B>k}w5U?8d5>mBMp&;KPhcpb`lD=kV<h?u3hwD1`w`C_@c!
zj6Nd*VNL`kV}=qGhcQA-q{IMdq&O^iB0ymnGony>j<KJ2a}<IGID}TqnIw!Yy>tY|
zjQZq=Cy^RL&v6oo-=3b2hA<&aqT|qzOmXM{2#mR;ii^b%NJxI?QIl~2C^8*FYi_(;
z%K?ZJ#?CpT{$dEHlQXW)1xk#R<478yPqcFZV04ZVN_j5$*fa-_x2&IX>v1w>)c4RA
z9=Vcjyp(Q0r4qbs{l28_3~8*9ricuA^Pbo9I<BtSb-S<JZa*zuNvx$I^F8qS#sP?U
zfYv#`$EhZOi2I^kqfS}siVS(J2i-64fiLN~;B%_|A>JGDc&$)Ggt>8ndx`e$m(gzZ
z@;qT|guXx}hw$?+j<d4^M?6x3Gll{Jj2T~q7^%W`9LLWAbT4;c6r)ck6eV2EP|Z*P
zDc6)Up0GgMn=g<k3^d=&uOTRrpuusLgku!O$khyi@hLEzBZE1LvF6}H>o}kOpkHb`
z)0IvqAW`iC2?B`c?Rf4(h>8S65pCfyOQtkR+X8{VB`B2yA|WP%gs4zR&jG+|CCHJ1
zdYe`+QFa&vx&f*u8iZ*9823SZAEktt(@05cwbBaRD2A?y(VPk%X(kLI7CcDbYkkzi
zXChrBQn_8z&Pk-%3v{Ag5nPc-8BP?;Hmx$rAwY%-b*ZTs6Ey=K=^2R@K$Mo#XbL2%
z(CI*0c4%In>v!)tSI1Oj?h0Ve*;`bC`tn_@PNSkA=D}eUaYZyIG6N`-s@nIT5E7XX
z#ugyZ=V6FZ01;QZ6Vm9*0)o`R=Qw~wfd*hm=DL5>2#aVQNT2dVrpWynr#|M&l1LPu
z9R&=3Xrx6hQR?|%<lFy+k|2`EFshJ?ge$6Mz^GCTbMd6)?1D`EnI_>aji|O!Pph03
zPry?N6}>4{OCsB2E5Qk8j9<}cn&M|P(m*8mHIW7))J;UFMMA`4*Kk2#$PEt={6w$?
zj0G_qnkW?Tb;0(py&P>wRVs!Z0Py2v2;EL6%-@6<8b8$Sy?RUY&RVOuO+D>fN664u
zT%>BCI75*s#?QYv0Aw<u5mk#6pxH}E6mu;};`@61Y;+YV%%KIbbk^Jlq|@VUC@pNp
zmBf^jCB+5UDcju1_aitxd~0-Sbf{+&iNwrc0WYOzhiq~s%`{nXhAt7&5cEIfN)9Or
zhr@2S+wJvwy?(#nA8MF(Mw9--0hl3SYIe?r8p7+>o!7>MrpC35lst(7>rgVQ+u4CL
z9v}n+Lmo-2_+c%F;a$Dwj7xRMs5X<D>3+)v_<~CbAJ32UB5K#De1vF>Gv-wC2)F<~
zM{y;nbwzM|Hp&Umu4v9#5~A_8>FBkSuQvkjOFagrOf?+EiENv>mue?d!?u7<CMYmc
z?mYIrnF`s?mD)EGrbJODU8ykcr>JQdGt@Sx{hp>lCetZOJq?tcC0g__;Yk$03<VBr
z1l?)@)TUA<DBHb3XUF_Zt=-)}*nc&6-5>0y*!2SRBWG}WybGu2yYSvfIxTEXq}%EC
z`h&gwgH~aFG}hMVbvs_q>*a6jLxwI1BAJc#M=X&F#kW*QWlN5DG@;X)WKXV%=92cO
z6FP;f8TDsc&!u6QUNUPt(guej^R=Z`T4y}MR`I^v#!hO4Y31T2fD7II*IsXL;MxEC
zw;fCVGM>$`-Qlr*qajYNsWhYiqq;XUxBW{ywpX3kjw2NpWQs>jud?j0U}saKQbB3(
zXY>+>&JMVx?n>X;srAyaTD1c|O6_=vDwWn|Pt?rR%*rmCYotW^y6qHG`IT2#zejnS
zN;j?On&Kg}v`kv2W~c@BE-q2!f?^hHF~Q8}&8PA-n!eSJ+w_mbX|Z0ajuuj3cp400
zB3;dHLdN5?JfOm8<>DMgsOdQ9bXsZIlm_ofG{uo3n)|J8XSwVo3Wm_?l}g4$;yF>X
zA+*}TA|fI6Kb48Ja6<EihM5aEHq%E_V*UF!Gz#(_orWO>lqkH1m{5b;%~$8`vv(g(
zMxMG>U)IK^_;0^okN@uXyS=CQ&tp6vxSqV|iM6%yC3S!qk)U~`Fxb^o`=MjJnzmqH
zF_@y#!wk3)eEtmHdt`b|;GO9~DkeU{%?-E=S|pBZR<GU9o6n#1I)WtuLaQO{q+wd%
z!OhL?G6EV&r57G=>J7uqP3wW;rT?^Nt^I$RA&d3uUBzD#3f^G<{eHJwv;Tu$r~hRC
zkMVr|+<pmj8V*6Pdi3z97BRjFHCy}{4&i0{=El)b&dGIb0tYiRGY8-kyKXkyg-#0R
z>L~z?)>*S#0GhdiXEz*;;d&qK=0iCE41eeuTI9oi-~6QED49&?HMHCU8AgHmZArCJ
zCKDgCZA=oz7Vuj_n4UZaK;qbR!gGE?i`~F0-G=UvgfaRgkqDB92;b*^$98=}kp&Wn
zKs#%;OExnTdOlv{>oh&uM^h8Jc;Pvx6A;!(StNS-OlXvbP3$|W;EFP)=dODGXyY=P
z_>|ghxSR#h3+B*C&e(c%J%?Eduod^2EHFJYJsG~)Uce<fbEa4<RkxngT6ueG0%JiV
zHG$T@r28+~s$sM3-bUqC{jR8DNygfU(!D(`UnA#KX)F{YV`SUO+Ei$*>{*%d_IJ92
z3V(pWnCbDk_5WMY`qa9MmGLm-ktJ7dMXm+4_?jmKL)dyo;LMPPo}9G}6E;>%S!HUj
zo=XguW-(AQBFn?We3QHxSH5wpQ7u*Z1Aa@m%F$|;Hev}$M5Y+H<3*LGQM%e)@A#w=
z+V${6Wqvv&v00s#Bi&>wVZz9CE8%JALKU8w%ELFns8s1&5PA&+&n|JX3(w|+>2eP$
zHQrbyH9*iBwk+Hq+9T_(SfD1e`jyiNTF_bn@@EgEf755}{I3+?EjF5NpBS)y{@3m9
z_iOwAy<WF_@HGE>jHfm|C?xKs`*}AvPGzq$bwAD}je;Q@=W5}UGl@tX%l5qMWZQ&8
zXZ7BJ1L+82gK}R!Ea>T0nh3zCPo#C9X$Q-B1R5AXW`Ri4d`Of(`=LaSp=br&_e1Y0
zJnM%f$g?O?!b_~y53BTHQ!nnXA9v}A2}6H&?IvM^DpteTC7xBHvY%a0{68dQ;K3gd
z(I~)3!K-Q$>2PZTlBu3#MI|$+Z`v0)mbUZrZfg{F{M(EL^60B($Vv(uUQ|NoIkqah
zxf}wcQF2|OZ54CN7|RrH=4S(W)iC>6-o@o+tB^*I3N*2xTu`+zv1^M(ny9Vo+btN^
z7gSN7ur0Kww6##QP}xbnwdz2&PRaLR$}-g^Vv{2BBFz~;F<s)3!fQ1w6`B6dDZ?oS
zrQL{<!WkwOll!5W+?Tb?D-vMfdA9C)p4FI_76Zjh^aVUud}QZ|Rb+}xU%V*Gxuo}5
zh`J<ITd7Ejsn#T7DyzM9!F4g+f_?Ms`O)a~)5+QK`McAz4=<Jg8J{XHRe(ZN%2p3t
zW_nm5!D7<yH^m$69Cu5kOG;6+HGk8r_1WfdQyrT#;@V6S*Ko%boGUk=LZh1z`8_Tg
zutIB9x`|oUp@@iRs^_h$W_QIK`^A|X+O!py$I7MA2Fhw_E*l7{K{wHX(Y&rr*6PY?
zQ~>~++Bk$HqSwQAyFDkO&FHx8OWKy)zeFY5)?Q=5uNV5gr{8a>Z%v5>%e=Eh9{x1?
zH2N_5^#0_#(|2cwKjajTnn})ZZ>M(!BhKC(pL{wye0$P__FKWjVXXjcOzS;PmP^ty
zyNjhqO*3X_x4e!+X@cfDPW(7J`J`bs$SvIr+{gmERrXeoCrcj3Hfp7<4XW0X*<`dG
z+^8O<sxcR<nz9?Uzt`HyhYh=f+w3HYJ>EL=%>Jh0K4(MtaCBZOYsgE@o|#hdcc|)e
zjcsq6>5L6|O=UEqiV}8=j4Vdz^C*x*=yobFiiXG&l^6G`gB=RWgH?4WgtA27hnYY*
z<184$Ua5TDIA3gWSGZQr$Nbzh%y)a$3JtoI30032%gLg!%`lxM5qs5K*5%=Qy9$a-
zw;!O_qq^O|tyw^VK%kUwo;^Q2K7M~P8Z8gocNqXDNK_)wof3ue%?BQH#;1!nwF%KW
zSKN?d+SHH%bL|4x%@$7E4($v{fWkF1<}A&~J}ZZ&luOOt?JmR7<9oU#!&{|Ok6?wF
zuXD@!@^C97thmc9Y_JLbZYJ1->FyS2MAtZ9(U8`EyV{wrFvnFx%{?iYFX>h~RAtJ8
zsgUhe!-}o3GZ@BdVRE)VZxf`*GI2}ci6S@mHVe$s&xeoyZ5#hhm+NVY-R)w)oA&<)
zgKj<kdoXy4|31pIdMvF4Xo_%f<&)8F8VDX$pc?|ew~PYaZ%BB(<<^KG^-yCaEfQ9T
z#s)=G%cktQu9NaAO(TBK8CIAn#>DqXqGnvs-%Weo<tw|RxGt35^cho@E_%Og6bZB5
z(*+XK?*va`IfS2EtzVp)gZ{Y{>t0EPkxIR83N%MCHULvptzBp_D$V~_MENuQ!z!Bo
zWy2Gu-W?h=36)#7n#2KVZY#}OO-0evayheg%YJUzC!AxXmN2eiS-cAS=3e-c>Sg`C
z(*H#Wea=Ndqp~41wP7|BRyC5dC~Ga%sY2of`+hMA=2aq~)dKsz+A6f9jp-M~S<}$m
zHvHnO@BwLV?|ry}vIiKaXzzV{EgAoczDoT-qxT26qt{PAZiq?KUQw1#>S*7V2C9}F
z>TSGZCh0Z&{-@^^te^i$n#%u+4g=Vf|Gl@jSI__48|**L{~qHhI~~2MN@Mf2@uEHN
zwi@1zQIT#7o=XhpD2{j-6M@h&XLG#rI&P;0-Vuq(m@=v;O7HvP3=c2gg}S-PeB$Ud
zJwv3?!+Cn0n|?pjG%IUm`Cv27FIz*11-fSEnXz5-M-op332+%W+j@!38oV`xF;2KZ
z*OZyjAq({6)w02$sB?)J=eY+&DdNxG<8KKS7-XLr{@KEAc-Gp#{klK<Ci2csU_<^-
ze=r!-)_<MB-qZT;QJ(a}*IHJO5%~yjo7AKA<-yW<ZkMN%l5$_m$7Vban4wdm|F4mo
zQwkDj+P2Nf$=Ati>fSC{XK5vGP?o;4E^sV;d|l4cd3L!A&*piCY7r8ou_64~+@o<d
zps4Yg32Hqgs=+Ve=El>*l&x!bZuPs$ho8;8YxwhvvXLGj7wMrgk&N{2H3umVyXGJo
z{o&GEFyAig@%cCrG@6e583qZX(e!j0@%;74HTvee_Nvg!B!4g;i`I0)c&L->SfG@}
zB&7^-iHl*wr@=lC<3ypW7BMdE#TOq%pK)~>EtT6-oR;_SU6>FtB??QXafa%Oi_1#N
zQRzGM(%Q`kDKA=+w3h+eZ`KRI;xqQUBwKCBDl?7VF`vv#aW*BBnFgNH$o`3GWJ`P1
zM%K-{)L)!>v~siVZ;(2p9Xs24M>&OVgcLj`Q(_O4Y<)xRC-)}HsnyuBwSimhG**pB
zDxz=;!bK9baUxgZv8SQfQ$04IN)Mjf7Msg(O8mtdq^SH7(q;I2%tW&DssB?sNWDto
zEmM#TzaA<1XvI-`aI55phVuZoNP$>g>u!k<tMNTZLQ>|xGS+F2<7)kT^X&QY`_qpn
z??1gi`R>!`-O=}-&JREQdqYaoU51JEX+Uc-Ic)VNDp%mDx#2XaN49HGwDs+M|Km3&
ze?lVZ=Ar0|284?I*P|$du5$ouRr)C(>Mx%UwPC=!jqN{(^8R)6rkW>(dTnVsQXO(P
z&k*&BcL>MX8B9yfHS+E@t*vx~>&SQ~Y)0u4Icr?WU5NUW;#;hxrg53rG{fCULeq42
z+pe#f4sUFC#oYL=O)t-d*HTcONN+{KpB<xr$Y=BZ&zEHW*=OVaZ||VC|I^*;KAr#b
zC{I&p|KT$K)<^0dJm;^e`G?8&`?JNm^|RLgD@QioJq2Ww{U6ltf9Q33dr$WND9`dv
zQT060B0HmeoM^=pETx64@BxLP7lygX`l=Jwm6lh^?OIM1DOxKZC911cj}|SrRkh{<
zLvi4!X|{CyXd|V)m53?_eww7V>ItCPUR-14r87Zwal=8O4M<$qE&bVO|K1E)NX-`5
z{pi@{@qhXLm)_I)pO5nFz&TM0MP$zKwNkg&8;ldmv?@VN{7W)Lnco2;lh}ltLC%md
zm@+=LyPY(e?t(x@6rH2JFrj!)qQKdK2yN&ep2q?w^cn-J)Bo><2k#=b03Ml|nk0x(
zm}C4s$2%T<(hdmCVKnC0v5!Y12&j;bH>Ij={<Y*g-uQRXHveWXX4AI*C;L;*qjrI4
zO#I6vHfJA7=cOmFV&|ndCYR1jPld7b@_(Ei_(%lhiG<VR6X|%d;J>1;9FGP_+7?dm
zUmb5QeI8)@?=$>2+5geM56`|k`QhDnUKrd<8yoC@Z*RX}zyEEo^OXPfD9=vmMmJ{%
z=Ju|!m+(yz#(EOoPEP^O4lGn0F6^C27fuG>+XjBGfbVVtKPcck+ralT_@4KA8~9!U
z|7sifZUKL=4SeS!1K-~a-uGS===ZjPKPcb_&P#jV`-f3}UIbu%62*j(sjfGn*Kqz3
zvUFD9k;xa(OS_ZrM>)1Fgx@cO-!sD3t*<-9gA2frDsyK<dS69)h=}tNel*`<z{$~j
z$l{v1q3p(`teq{Cre7#o&nV3yWBe-JL9{!h>5XJIa+C-RQtIDQDK&NJ2Q+%*38~53
zG1O-t;-uKS+sQOn;qG=a?HBNwOdD3L<%`;^FwG4_L7R*0k{tb}xXPq<Jwo2bR+8>r
zKwcpeb@S)*8C18B={m&SqO%=yAJ!ROL3#p!+zv(O!c_bwnQG-Wwaya-=`|tJ4D3K7
zu;-l8NUN7Q3Nzy%WeCrI-WeS1{qp>7SCqsFW9`Ag-iuxM`M+a|f+ciH8AjZvjW}yC
zFJ7cv=y=_w&J><`XsoxoW-!OdE-eIfclHNg)}8%<=}v%i8p)8V+3Rk%5n}~HcO~nK
zmFPFZUao2Ghnk{voVN*6)Le~X-)QNSg+UZtWKQ5>7cL5?a$)*=q3z+qen@q3aj_sF
ztK80aojo>kQ@Rz-{H@4zsOve-TRt}z*l=eXJgcsn%aXuyv}L+#cdt05YgekNla;Ga
zisZ#rbXKp0tG80S-ld+TS-WPX)>@hTO73it73h>Mq*+B_c41O2{kDXpa(B*B)5~|Y
zl>59LU+Oqat-6<SUV_PHgTwPvxS01Y;CY%7Dy{MLUpOyegbFTluBM7u+uOXzjs({W
z{}|2cpDpt9c5RAZhAZ1T)Eb^iK>scaOaEP!ZQ5{2g3XOOy3yv#1vP@|Jy%8dO0Fes
zY00^i+RK7IU~hQQoc-2#E$5~Fp=HxdLSly5ExMMu1;N8*ntwo*UrCo8S*-uQnsJ6T
zL_`R(*v$_k*Q3Ys-9i`6%lsnLLO#Iw6$%V26&HIKrgpCayrc*?N3pn?p+Iw_zOGTe
gBl6;Jv^acvo}Q=YAN~Aq00030|H<Uu#{hr;0N}eLk^lez

diff --git a/kubernetes-config/helm-charts/aws-load-balancer-controller-1.4.6.tgz b/kubernetes-config/helm-charts/aws-load-balancer-controller-1.4.6.tgz
deleted file mode 100644
index 5d8405ef5032460a6d9d5e11b7667afb4399ea66..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 21655
zcmV)uK$gEBiwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc
zVQyr3R8em|NM&qo0PMYKcicACFxa2@EAU8pCssyesbtx4*BkeYEGdajWLcw9?9(Tc
z6QM{{6(W-01Arw}+n(P(2Nw&$r50^=x*zd_ts=49i{;{OxEEiGFl9IiM>xfKOn4Zx
zTymDCg!c}nn9FF6v-EHGd3JVoc3$r7!T&ouJI(+5JKsP5TYvBQ^XD&K^uK?x`?sC`
z%a_l;{~Ox5SFdY6rI48aZRg&7HIe%_d2m7B6D}yr2WYk%;G*z;MtjkVAR!{=w2<&_
z|HBZSFr1(_X1SmPw_MQAB+XE))(jdmj(#aegy%#O5lmS|252f}AqKtPgvx0-iei@a
z@U`fXD-l915ztt5V#{%S9qF>AAY83WlFN>2y$lOUcrRhG=%sAJ)c2^!C&3k&Uo)PF
zK@cKxC4vy)bQFY0t$1Wtd=Mg<PdE|kd!CMh4AWd<niH-oW|*b}bVbFK@jw4>1&fGs
z#z~RRqY9S*p&TnTO~C-6lBb<m+Y+wrY-cAQ_r-K|<F@3I)?E=@W7!T51S@$=0L|62
zGqWqBAMHgigRi}GpPmPJmeT(jPD>*0eE=+{|GO`r@9Z_`|M&f!{uBNG63-?&Bx78r
z66whX%Drq+M8PJym{NhLKp6dV|LsXQW<0}Ek_3%uN>qVE5~r9GG{c<YQAz}o42=jX
zun;6cG?xs`S;>(kS&?E%L=*&y=Fu1*urikev>OC8!xJ(H5aOg@f=b5c1N3rdcW<ZP
z-+R9IVmC^zctm0zl_I<*LWa8$&hWojuIN7yF!<G5N&*p*c;Zewgo-jv&sa+1`2Zb{
zPnkU9M37t>c+Sc+9g>(6DF*1b-+{=!n-R`wLI!AKBN&%y+IkrX!e=xl`*95D1qf}T
zVL@U#rbM9YDUnmc5k{sQ!nz<5Q&y&l8oQViEJ+d|^Va}LUJ__%KhK%O>V$@Y#z~_7
zlT*@cE<gxZWe4cvXQ+QMC2+hTHtwpW8Y=~fpzQG&<xC<$B*J-OU{Q-fL9>mpZiosr
zAvxg+VpIy6PoQBtHg4YSxu(%5CCi}0{j+1$azb)RacUMN8XB<7AS!sUtum~Q?*+Re
zxi>&3R7iy!%plA#5_%3B<JHkcYt{pVRGXnWkrNhQ5gr75gyTi?s=gsk%xSxNQiFme
zLlT#q%DG~&$PFx+vG|FzvKXM3FJ3&~Q;VuqWD~`>z$2PcNr}*J5K1^J?B5~UKRJO-
zg_C!AIzMMj{zy|I=0cLp4H_@=eR0Zi_1V3|Y09q8IGxdyOvsUlaf&r#IL4_UfuapG
zBd8#pvIM40jcT>qP{ClV6NWIFa2%6ynIbVQWx}rWKoXwO9Gd(|eLRD9h9qWrA_l0x
zqo{=CS?uclKu{@4oThWcNzAg0<O!@%$&i4ln4`oHxoQs7;*|`g1kVVPilAXd&|;R0
zn6gsnv79os8Y~`)JBu{+!>M41=4#di5sK^0WBosuLJb~bIU@Ota+YT#mjYc=IYlXz
zGSzF+fwGN68BbOBZ)r}i$`OgwE}OGb4bwHwYnXV|%3NbB_1<D?a%et*)>E3RA~^Z8
z6!1M$9poe?LSR1M2K+h67+_COT=H~|MrzOn!edD|`nDSCZzI!aMx|R+aZ#!%*~!fB
zjATHe`@65+QiI}umqe^vBiKX*rwkT!iiJ2;ghIHzq@X<WzpGK9c|v1FfYeu-6^u(Y
z5o)j37o7+cIOB?8zH-t@M41*HVwT6GknqQtPD&07u~)Dpw19;LCnN)5sJCff#tNFC
z1^WQ$EfvOTspOL|=2X%cr$LajgbYbaV#zqH<3O^Ma7&hd`&|tN9*=2G<=h(sjN(#A
zmQ~-nx0ncQ0p0p0vM3RA-0!y=x5P@asx-oG>#XWh)hjresiRW$7p5!*gw#%eQ$@|E
z!rW}3YnrBLLL{OSCGaGO>P2r?dK=l=yhOnwoGcODM3NOOWs~`^P}J^#<w9~L+!^jg
zNX49>F~L&d%EsvGl|Zw8)c-rWp3-=V3eILUF{@9L)j5((52(T(P1!X%Q|K#xM?gOa
z$D9eFIUF<j2xlyxpfRRt$w`<nC1eV>^EsKQsozHbVrt(8n=nv9Z&L=-qKHqJkTK0k
z;t)fop(xl4Hc`enK?#wVrUFd~C+jWuYsRk>dnD9ShkrubeyA~0{E{8IUa)Xf^<pcF
z1WPiM>hPb;9hsK%f(+0(OH-OpeuXlcNce9orO5Eju;ddmK>g~?uQ{G!nyNWd?}JUt
zsQCPknim*aTxW_#M4j`*o%ArXN}MGLx+bG3V^@yvv4k&Zw{Q1TLW-2l74co!dB=XK
zY6qPS>0Sz!biF&lBa%8maFS5<9jE#|3PWW6s#qI><0)dJKS?Ytj|V4J6f~>bW{+~%
z8ZqHA%y5n;ga-uP9S|<x>Noze-(Vpt<&WI~5!y#N%R@yz=UUoOyHK4Gl#?Vd#ei}G
z#WEYmjcIN73ro0SJE2#t9&MABV>>V{9-a=(zCq7y_b^N5yi(li#mNwmS3M~CWDD9z
za&ZV12M#Mm<x)EWMvsJIeLg8F=gm40Jb@(@<9Xy5X+wXL?N-qYOGO>hG}yE)6U|4k
zQa1Xk795a_s<@huc|kz&W!}OGHGnr&%kc6HbDRlBfz_}co6jfJXF0_Zk$lW}tYihL
z2F&v4N-khyTT7oRxsd>X1F~QrcoJnBgh7{><FBy}sO_%RgEvy!cuY7PEP1WGCv+%G
z4TVxY{F9Xkr`LEcP>gdx#x66n>S&HGrzFh~&4t8idWjSd2F&D?vvM*;mtiP~yhMzf
zKSLoo%_o<pkHxHAyDLutvy9z)D25M419&~vq8cMn;JD&c%m<`brXd*S<pd-X^Fzc_
zq6b+0qQ!oasL{VrM}T=L@kGErzX0LVtut87ZYtF%s}q%ty%oNVMr5pxIyH_t(KOx6
zM{Uj4+bS5%VQ*^&$J1vVkE?B{Moo*di(9e_%t&uhp#Sg-pPRB3FQQiO{)eGC>fNc(
zCR-625-W3~Uyk?Rs->ig?NXdUJ#vGyA|+9v+Zx#B-=7_z<3rbU7Y&A{6<x}3u4N|J
zpunmWmW?Sj@i!o-rZOUNf@P(jP%<3R;+hqolqimY!A<AEtcZ^j0PH|BaSC-M)*s~w
zOoTwsOk2l?{nx*qpY*rg?_KqKcPqfxV!xoS1~jMNT}(Msl9b23#`S)rD`5$g*WZ8@
zhTA?T6LQmkt$3BesN_O=P&7*IdZo64O*;z%1iQQe*z1jtM=2JP#=gBot-jgr;G9gT
znvM(1Cq#-*hlJPPyxtq^?rbk^Ao}ige`m0_^LZnvcMC)G7T?gU%n&D%Q=`%|!y?c#
z%g^_BV1VD^n{!=m5U2-sgFfk#Z6pDnp9xOo6f_2k$_O-3B3H$~=ZdlLSSyymytsu3
z<U)Z?%v9>7=0H(fWXrG@XDm6l{rm)*N;N+4c#`3ik~C4QjoC)~CvUpj(k1=6ANGG-
zr{V`ZZq|CgyJp4NZfz3sG8++Y1k$+Voa8c{BVOjY8WB#^Ynl?2GFIrhvPY!r;rW(5
zBH!Yh1J}&Ct*dv2-r6-jGi4K$k{L-+h-f}$w#BV&l#o$5sk+!upEtIGlub@l1xHh`
zCf$|_a2i*$IHEboeUaDB;MLBnosF$Pmlbblo+#?CwV=Ami-R+yBz0)>gU5Rl-qqya
z_x7G|1%^jg?VT~M7le7Ic(sZSSkA3?MJid<lnkmGz+qs;%)(#h|0^=rREBdrSCi%r
zK_tv6C>Aw(+B`4CAlO79w24SMn(ancuSA5ewTR_*Q>b=Rs5eodPFGEK7$2bH9A0QP
zU=V2ao!OiU%qv2Qi<6<&Om>U%oG2PjZfM2VYSky8p{=!LG2u8NL9My!<hsXFw#S9P
zl+C+kOZgr>YKjGVQngkTgQQ;pgEG>u*6BMjl7{M?+!QR=%4jsg@f9177j)*qWMqBO
z-TzV5<Qv`MAxW`beOm2_urykT#;yj&Tkl9t3RaY<1C&aEKq9fyo{)?a;q9jWbSK*p
zTY;G8vF-=Dbc?sy*|nnG<`B`6JqVT_Z=rh<+i-9w;ci>WEY;4@JcVv2i30e;bqAd%
zRH!BG^G}uFYrhJkg2fZ9si`S640(*2!qB#sP|?V#fP<x-b$|o2tKeM;5>7{v1*8rh
z%zXs1%PnB*=vl+3OAm)9+D_F_lG>Rb4o^^_3m8sL&Edt#u=n%D#n}+0isQ%$7eTW@
z=;egY2pskWXCqRVzB_apL2AmMsp4R*(ChzV%88h=G#Q}X0D(g4CnB{NP+&P7pxzYt
zi+|}?inybf{qMj3JN!1H1X3^u2+^FXEdzVS*#(~O1PDo*5mw5Yu|S>RP6c1LMhZg#
zm)Qmto1)}{4+IIxSw2bUYU*QFa<C(DHsLtS)V9ZQ48pi)w4!-)FM0NW2xLuT2ogk=
z1v)+-?jy!Qx0n@}1M4AJT554HrB}p>0o&+G2?IpNRz!*dlFzjI?CA9UAALA*?XO*X
z{8pwZI$n-?Wup=jbE&21DHHOP$ZN*0P{tCX)sEI2>~tw~Y$SfC!aX=WR)-Qd(gdiF
z5~o8gQk-kma8v%!(=AD`iE`6#%<`PXPOoPePO<GvMyC4%oYI&<=S5mhD5#>3ei=p%
z<ebS0Y#4iILh|uYo$P}x8Dy-g!6@*C#8Zb2>pL<RW~YMcq#D{%7|j##!)C#F%0V}}
z8J;^y*Vfa2##5ZDv7D&w2Yd{sxf&#`*Ao%?5m-tAhLLTB6U(6m4O>i8TEYY=hKkCm
zYr_go+fc!WK<%B&8sdsoxC9l0VTJ^{X8E@g!IYJGsy4@^8;8qaQ;ojRa_*&3%>78Y
zkRPa={;Zq6RN^XGONDKC3K5!BLi0&4$wjCbE%U9n2|q&pT0s#wc!1!M8_Dr|mX;ZL
z%St7oVzXW=B`KQ0cLX+PVb+mm$b=m*<o0q73eTfoh8?1K(CSWaUTaoXo0H-!l<bP+
zRtK)iooSjm!@S4Kyl3p#J#r-)&JPCf%Ji?AuvXuSyYt|vSlbqG5&BhttyVG(2EvN|
z8NsjZFmOfkx~jtOW;Ld+X=@Nb_E>w%5;8!0yF2cK^I@|uLL@r80o-Tx;4+~kkI4WD
z*%-H4IdW4_edM`w<<-l*ot;`CeTr%DtK<0sPpTCp)ep%KE{YV6W5pq9ZICrcTcS9c
zHx<W$*P=70n0J3jJn0X#gwSt(*fk$^!M4hhLn?R)#>+QlGO0-nKzQ6|G}7M}nEJrQ
zr&ZW##jIH_K`gflCc~^c2Osbd0j-(p0q3Y6bN~q0ZZ0tXkQ+&Oj#F)nNMO9F#w0cV
z9uiNK_$Aa<tdBMjVhgbydfQ?;4>}sRc3HjMtyXH7D!Sunz||{(8lTi49-kRmLHH_7
zPZwsHHaJ17Hlg0opz2&n3?z3hBETqCWN3;x>`DDmYi0q8k*<a$$Kx@LyHyxnZ9~_i
zu1>2JWE*evOOvV_ZyDiIGV46lU2`kw>d<G<&xw$nDk@Pca$dqHbP2<zqV8CcYQ=4a
zT%Dk5ZJ5@YC~#;H_JSU`U=08UL1iRP2|s{M;j1gFv8b`uL9>n~T*gNI6Ubl2$O4K5
zZAdFH<z`W9f9;W0Hv5jwH4#!bCls6Rwd|;ib%eT@7vzND#JYQXM+X#hEBHrD(|3h)
zx(YUpSZH-2Fnm^FQvak71P$TQO`*gdFm{>~0#N+nip>9EC~l=2`N95aKUpn_b#wXw
zUi>3ynJd)iYV4eE-dmPa1I}{ayi6DDbmKD08OsWS^I6jxyTCE8%Mz>VpK+Ec5K4hW
z%yB^w%_ZS8oPs>0{~VycKDj(W-fb|yLkm33jTx*G!wqL*{M^n6&#0aalq$kCXQk&D
za{gxj02N*tt?mKMk|VRhCfe765pa##<E}F9cp?Lw6vhF>8XevpA0F7{xoymvmUdcF
z=*eE@R5jgfqif>%gIT~;d53j^I7>-S{bLj}&byWAqm2qjIIl5Jgci*tHJ%^}Y7H42
zB?XgO_)F(%RV1X~B*sQ|8kY)>C|Eekdf|bK-M;fS)W1dZ6jr!utUZ*S#A%E@#%QV~
z9mzmf-^L^*Xhf!XMj78mqf(;pPTyU8SCfOx)M}c@2^K6D)*Eo&bBA@}k8f=?ly6-#
ze$A{Mv>Q^RWX==Y;n((|{&#+s`u{uc?B40Si=$yAZ{%J2SaJVrXXnLE-T!}g=lS#J
zPyYX3;%Q&#@~DilsgvZtp7z*(=(Fbj|6@whf^ZSZ;`Ud8mhb<5zrXjgvH$zK&-b48
z|Ce|^e(ZgRW;7dUg*Z)#oEPMEriLY+k^%az_xW?6N(DzZh4yo*d-@qiLQ^h8+C>#@
zEWJde8rVQ#RR!e3NMASx$M5L9_I>iN(x6XDy2xYn@;UrTvtc<N(;KuAR*flcPyMZd
zKF}O+<;FZN6?gXEB~FdIPf-9mQSgE2)}g#qeJIof8j%<)mQ=8;=2HWMFs39mUNhhw
zZ@nO>K+i_ngYNKjsLCqNQ!zVRQE)s)oTLN`Gm;f=1m;+MgQikXfVLNICn(?zw6_~?
zd-0|kCOURQ+`O^m$}B9f);y%5YUvxmY4CdesrKM>!=qb?&h^;o$`01r+gk%zaGJ|8
z+W220{9j_D(VFh}Hj8i3-?c^Q&9>TD=6bD~X_#@dd~~T)$%MC^b*Q?r5J!Is^xx+0
zH~Iv+IweGI{GS_W<ByHI?7RxQf)iC%yVx4x4}`E_C^;<v%?%Im4J35yW6rXgP1A>&
zjvXy>tHzjgoHt(-)HL+gDkY|jOTx_-HcC$KW{q!3YLBo{W88)2oxw;{L-vh9?9_cz
zo5aVmG1~qhHOXg3V@s*%-tO9S$+C>)dJ&3SqOB|GmZv1mA~Eg3!W^KF9}&&tv`p4q
z$Pt2$*Q{h6c1{ccrnV-1dW82~xC8YK7e&Kv?{2(*{Mb?D6Z-FxNrJo~>uklSm&4Iq
zH)Lsxy=>T~$StRSjkjd~#96wc)H1^3v~hQu$>xBDo!Dxl&f2r2Po=1P<gD4UK5not
zmJ!w_i_(3c_14(?Hl@==hiSc7WHfN9AVNr?VR!4Z^~R?<xudN`o#g(2*i)_1-G=#N
zW35J39bL^4Zrq@`<<OeiW<PWuSf+?I=5DMzd_K{Qw(f>hOt>^Uw!0yAK)BROvQFHj
z+Ds3L&rjy+b?pXAO#^>tG=z6{nYlPMtlgRzG$-4`;u}54cWcle<aV2?y_B)5vOpWN
z{s!7`MSZHG73V$}-VT4Jm^8b2Do4^tdy#g2S@8af%r$_<0Trm*!iGPg(aSxO$7*xN
zDJ8jFTB*CrFJ!)`#ub^@DmW@a$H+&y?rdtuwSflB6LMoeMsQ_dBgRpzj_)@7U8Q9z
z8pSQ_i%MUS`9_QU!Q5lb3<;QhDkOSVZM#VEz_m5pUJ6@{3Xzz_cdE2bXKtXa{@&d-
z^Hy_=6)qE!AM7vR7GaDx(DRoscD%Z3Y3SNRI>|`_%j+)ZP)<{CaG@6kSz|4H6XR&r
z3I?DSm9i7B3;oiyP8T0kET5@XGhFBkKUs#6AO+SjDXz%;wKkpV+gZ1jtaR&dadE*8
z#H=EU+Lrvy6`60NZ*&KWp;zAl6Sdhse}1k0)L%b;-bQyia@#lHZiz#?0iUU<L@u)`
z{o<W3bsL?0#MjnxJw1z_HTA!hPvRY-L9K}YwDWT3MN|L#{fn1R`rj|{`0@X6QHb8G
zA6(Hq8KA?;4b|TM8@MoZYm0Z@v4KD+say_PGMzpJp;SYt>b`9cCH;6treZ@(?ymd^
z<%*xkCEBaHG$K4Q^6|h3QQ?}%rcTq)XdN!r>OfX0jj^b)Vl}ro=v~w<+_o;;-Ug($
z5~Kp{Wra96{#t<Q0UQiSHk^Z%EA1e!7)VP(3@YA2QcqgL>Y?y@g^c*?nyglmi=WUe
z(^xcBxh3s7EWxF;z7T7@=S()mZsTnf8HXXi>B2euM3nWk&(8pDNM4eS1%>pjiH(mR
z(KAt`RHBVRCFnP<;%!BL^wB4GzQ5XewSzu?-e_XBbPQYDaM?h1Z@XoqY4=OV;%tWF
zs#@s|)YSy53xd{Mwsk$XAbDMiqNr+nR{20{XJt)M6^rWt)*?=YK&SU}y|4q)?zlTh
z%@vTXVXt|Kd&RoO^<}-C#>lopmMvR4jUZ^<%crqC{YxsYOzXD7A^@8wkGs0zN>sN7
zd@9~iu+_FPWI<fn`s`QwWvkq@<AV9bTgf2`T{tOKQwb8zhi*fgTw<U^XhbUi4Hq;7
zqZv+Vg1lfW|FzK+JewdihNLD4c*PWK=35BfTd%$0SyZVtMy>8lyo5$aYHjN;uWLtX
zv+U~jAyPqC^RprjY2r8ED!RJ$MhJthesDoUd!@QIW=ra>+p&w2u%KTXB|&xjC!;yq
z*xp#9iM6_~A`5i&p5dF&1Sn|W++A;Rmx^6I7HDI{SXu$UESf+Q9$hwEcq`inaNTzA
z2Cs>2&<&q}k8NPumG0L02RvTT^EDo~yKNM|bDy)_#l6mUJNvCyS-lz?98j}A^En*R
zJPC1<aKF<fbys)1JZ!@v>Z$fdb>Tg9SIWC6>KaY226Oq9{3e*D^m<^f-}GuQ*S^T#
zgt%RCJ>c)u;T`c<5D;KZRJ;fUp@~osCaV5Qbk^v1HAXgUNE6zWO+pAj;)Bsucy$+z
z03gkttbq{ruo8z}x2+vrb=TM&E>c2kBh2$S)Uj@BOTM$h8W`3hBeW1yUqh!psiC*9
z;%$lY@<<E~h)m%+(-&59un*$e4c`yqu3!x-poZ-L<GL2;D|%Qx%dO}QP5AWpP>9sr
zQ?3ECr1t8*yRJ+&&t6j`v|cL`PednsxT3MON1_V~I|#P(HQj`oR++Az>Ml>)8~5j7
z8uvZBnHkIBhXP8q*_y?z+zqPEJEGmNnTwX870&gZXoI+_$<<Tdd55$C)M{u}wQ@%q
zvh+Ub0xDA78V$uHgqxxrv}4_tR}WzGc4$<)7}@~Rd;?MDA-2)-&hNIdsuec#znWks
zRnY~8)$ZD!TE$pgJ$)He*2+?6gKcR)R{(E<e)@`;UM;7DeimxGI`v&*p|Y#L<9Dv}
zVgLd)t!Px`$v~e!4_cokp43ov3eygCmab9d!tnc_HG)>y5%9xP$gJpHy{h|d5w2rW
z<dZNaTncYAI&`3|SQY-rEz(Vzz#X;8TdMk9Fu#g{tl_2stYhPW>NI;0o36vr#<8B2
z;{ES?d(Z1Dv*1j!n56@Bad6h^+)AlybbePOz)D!ElmN?@ausM{(IRfmVl94@U$PZg
zs;l3n{nRFRMUDwyTv}FgiLTs_?q3zF#rzLe;P7gR7P+Zuv(fQg0T=tfvzKPI#hn@-
zFpv6orw~}uF<5^j-EVzBa47)7GatgO>|s15Ntx1oa;(z<=+{R#BrbL2v#M%{t_ht?
zB_xyZ-s}EMUl)XDgW5-9Z){J3eY&C$)E^U(pxf)YRk{(%vHiIUS<vq2E*{kNHf)@J
zaHFb&J7q$8Aa|~@+M4$AQ+Qj+OIq=OE4rNp#Fgwwvf*vmc16!ce|=0B<&5y~UX%dg
zZlmxu{Xf?8|1rWcNcgw*09tYXd-r9(k^gOXclY}z|DP}Ns8!heF8D3RKxKbN`yYmW
zz!xvQ=MS%SlC)h!ZVD1ZB#$xSB#%i_3zTlt1TZf&iVfNBmxC*pr634v=Ug2hkm>lQ
zCYz}CeQdY>44jkaTee*tSPSR#ddPMi9Zz^ywfqBZVbpd6w^6*zsMaa!go-YAsG0^W
zpps-_(Cn?lRnlPh`Ew8=zq@*{;8}k}B<=?YX&Bmr5i~t(Zt0}8$P?6^Dd`=(kGdS9
z7I__Yj1L46hthS2khOe|yg%!sTZIUOA*QT1>mJ<2!@A6>{Rm^V)C6xtam&e@3LV}^
zH5%TyXC<7*E!N3FJa41gky%Yd1-e`RZpq?w<b%!lN{8Xv<%-2yWyNCIvgjA;9g&`=
z1um#bo>$vl=IfH3^%(o9dzpR>`oHG+UnHZur-5CS|GWR98UJDD`QB6fmoM^|9qRAC
zu0WB`CU8+ib~>$Yq5c-~@78)5D5L$eV?%jG^fMM{L)$cZvwrWa-O)z#<aMR1+dYd)
z=u^_$PkK{#^zs!Pnjgub_{)0=w|(?li>0c!`xl^aPtUSvP5RGAIKJ}%u!8=-c(M1q
zN&jE;pYnfyk*Dcwsph#7OME&DpKvLsjMIPV44f7FtV!)TOG!6vUDGMKPF%y3;DqoH
z2oq&_$XQCh7RBW{sB7pLNijgbZEXA=_)2l~n^ux$xDe{gjPMb>g%SPzmbL8{Kx}}1
zTYBA7kCor)gvf1Fs3T$9WbXJq2*dC$lWH@mJo4Ncr=+ho#VjS~WUSh&q=khe<V42v
zYE?e;S{J3xt)kYQ?yR2Y{0`kNxt*}ipx<EundtrxO&km{_#)f9CNj2mZQHG`WAksL
zgrr3M5BoBuqPaV_b&i}Cl~~@nFV%z8D_S%__to8at362I+zEfNUIPV7ZU;h3AF~uk
za!dTS(FVDZBnJsZ{aW3fO(wBjrBPkb=UVgEYTu-Gt`a0|yOe4xkZUS17ljgzno)$U
z5^M=nCW!EA0DPs|qE)($?lkfpJE<ommZjK+!~^b!og(+b&6IiLqhY6~djUg2pBdrv
zML@Z^0mrNrtM6Xq@ez*M`my@gI57PK;bD$}zur0d?;`ZBDgT+#xSI&L%Ko>z(~SSz
z-`#!jB>#PhN1rIG?<RLz!^|doKzenn00A}gQ9D(?F4!`JtZhJgG^L&ATo#&qcdvF{
z?bK`yoz7nRc+_5Atpasb;KS(s_AJZ)(T{KVNGqWg80<fNJ!rF3(~~G>nZA(Y+zquw
zs~!}<UcoXsOV9?SLfB}pF}uR{_MUq-%nnCJe{r=wKicB@+Vt;#`g6PU-vrRSB^$8P
z{@3p}{eNEW>^`0UU*hS$2-*?7bQ#&VT=qT8YWHNfAAvS6JW<Tp;D<X|a48u$&ksBD
z7NYiLS_i_CdR7QohC){?m39;r--Es`*?fEo@%Hcj+>ZVmcH?2`|L#r){eS)>|9z2X
zE%~oW|IIR>`6P-NCrsy?ZJr9Il?QdUSP-|sz?;{PgvP<KRvq8VWR0Vz=3oBUvce*A
zZc*uq2fz9ps=;l=hd<c}+UO3v?hVYa?SP`qm4SDUVbPiWWxZDx-|sNDI+lu9&a=O|
z(s9b9cdMg)mm_pi8LAZgb-BM&%r{x_&9_DO6dIFn6G2uN464+SY6?0p9(V`%*Cs?y
z&sTZYJpXOVlSk11_IJPEY2N?n?>?RXU*`Gv5q%?52#`MJEQ3Sh*_t%Bo)#cNTU`zU
zI59>^P9_whh;|vl-j)&)GJh~l)-obj41_uUzo~~MIDpIQIi3){KoW}ymnNVE*Lg+$
zB(V%*94e$2%ay(LwU@QT4CwRc(7);&)L4T%WJsyCT&V>gn8`2=gBi`lX?HnS;U={S
zWx8biZRU{}zbW%1HFxkKroYZ+;CPN&yia|W4Vv!u_tPBPrYa8Zn?;<6f9$HINWxh^
zELajCG{!V7Ik9)-f5bF(bC?w@iJJEb+=@RZGfJ+l_p?^UR+o8}u~01@MUQ>sPWfrG
z1&`xv`spsN(#a5dJg{Sr>bH^>2FnYYY?9-V>KsyNb7i;ILpweAqG4I*I&L?=)`aD*
zw{05&Nged433V4ozGltkeEXW9)a8N}!@VY0t-#1HJ0UWzRBCi9hYK@p8ym*@LH+Ha
zH%L&;n*ZV8{AmB;2!1r85QN|xqT~shkfZS!JOR)t%gGZR3t`uWSFePQX{yOjM-;hL
zl&)Rlu7q#dx@h0c>RckWsTJ!aM8BRLE?hJn&PLs9=uRBXdz{kbiKltuY5oedV5S%2
zgHeOo|6pqHw2H#YkyEkB#`SXHk^!E<zB~HwlFo2SJfFOoy*>O0E2!midLOo9`2unt
zs0$B~k5w{=<<x$GtrZdwK7fZ!N6i1**;v;m^FCGfiL#s*q#2S%rXsM2>5OsRJH+IN
z^FF$aVpV}Fn>nm1@QaQE=PUTvyRh0kXlMP_E!B3Bh1XTvMR8h8@oxL#>Oqyf@m{mO
z{1pG<b8k%yNiLkFAiO6@ixvSMiCO&E?MI$*sg=4<4;~ewB;2@4yJ!ROGPny_@0ikb
zEFh;}NNuwZn-|0*V1Lp5V#f1<w@Q0lztVnDpy;%X1N8C19L$&M|D!2MGYa9@?$gH#
z`~S|1myP^y{qJ{PJl+5OBF`o|!%`BSL%b$E*XVjmax^Mws@Pyu;P?td5T#87+4MzO
zfO{ztQ<A1=lCqIz@@PKUMx3Nr(is7+(R+{cB-lhbndq3=&kERQCN~ZGudN8Z%hNex
zIn-1jp@MLf(wsy=bU6HDC>bZgCNjzB-yaN7Lb(W{36(wgSA!o!qkr)p{A*uKCq4C#
z{V8U7uWD$7<EyejW112Xd>4u9BKR&E;j7@gNM`D9#_1&Z?*9um(R<7(D+M|}JQ6`v
za0Uv`h$aO0baBr945FEcSweb2%oEYODura3y$UnOS^8J<m0G(0&yV&G-yTI-a=$*7
z@Bi<2TK2#G%iW!wr~UsWo=vp>VTeu`PLK`xhN_rvLD2qMtq&8T4U$fc8Arc3em)2`
zH_^q(|2{k)1eceWVj8HE1aVR@gp&l3D}km`7Glur;cKDx?z9}K<DFcI5Ly($CORIY
zQYaF1y#E%iS?eU`&2;`I%@xAxbDFYifkK2%-(4IH(43VhCnQnSO`W84JVzrYr#6eO
zhF)6(&}FCl>uYf0xP%xv%@UA<YuO&U)R;REmlRc_(py>}3<Z&X?ylF_+@=FVVGaUS
zDCR<v%#>Y%P<M%y2<d52GVB^t^OcZSYYvv+v8tVvaHD?tQq~-%fHk2PkwQ*Yae{sj
zqWuD*9>D=tYYI+Jfh85=xwj9jQoxwBR1-Ec-CEV{aGL6{Xy*k%euPGSe&V9wtl(7f
zxSpyQM#09MH}{l9@ZEQ(Op@=uvq@e_V)jA8h=94}Bqr(%7mcb2T#m7%F;3HYg#PJm
zuMFp<dW*_p!f^tj95KqtwHj&2Z3obtaRM3Z1eGwR9=iW{jrvjl??DKws;KTW2cf1l
zv*$sG-WA%(4JD)?icyX!C|$yutN<_0oJSXWXUu>>aG|z+HS@g81!6hOyqX!pk-4BP
z7@`u;6KX-Ld6W#wsdce`@}_rs@}^oJXhv}p@CaQ@NzizSVw@vF<&<zVQe!O3!d2#O
zFV&s85#vyAL=ct|$5WCh_J_nWom;Rx@T<09)L|8<Zq(~`<3T?{Ce64i@b38V02Q3g
zXkr9ZwV~Ai<VwUcMWv*vKv)PCQ?UHvEMzo^Lt6>`zs?UXG<o{a4^_^-f7HI)P5i^0
zmAsbTuwD+<_>4G!`Vl&0*SVq?dfauSdWD{yq=g5Yk5pXp6om{aEOZ;upMvG?gyQ(x
zoKU48TrC}<XerBjl?E#mbh4a)^)gKJUczG0GX$|marTGTp^uoE4V?R!#X6be!Vs;;
z`){?LwT2$P778^JOVwal8(94cMtqINyQ(HEE;A*vDlU4^>otb52G0e)B8tekO!fw%
z{qs{Kr&uB?5GS(aIY|P4EZmxgqqwm>?5r=M@Y@h+7S_f2Dfl|U4<Si`@W@|Q-a0q;
zUntJ%7of}#xTX90hptr{dfA%%quKwu^sIFy^^UiLjd}hW^L&7>#em{$F!*8r!|;#&
zgM)X!o?iTMeE5%niHW!NT(<XCgJf9R9+<OV5GmCGxsal4n~1z>jNJ;Rin7^}uTI%t
z&rcARD5E*e$}ED@`)+#=r=uzx)opg3VHh?y(XViLDX;+2{gXHD5cim%<1xzUgoAx|
zS;1{I;W(G*x5_uWc|`pF><iMFKW6<uB>Q8w`$q*3jKEgZjeiFf_15QXH|j^vVLKAc
zQ%bmEk`|)sQq^uFl8cfPV9%#`M)WW#K4MDHZ!V+l*BmN4EFn5LKNOD384<$^C7!&Y
zg&dNmNW`2LGEh(`0-`rTc!f5Mh@(Kn*TR!?dP3q+N|poKi+LjcFHXj<Gpy*$2CUc+
z#!qntyvz~s+LrgS34hDnV5VkN4K7P9vlp|hNQorr+)Vv(RkFrOsnxDJ!koB`f7voz
z=`1amHHizRw#q{6w+f4f%5Q}pUK7T<1}qgC(*F&rDI-Mu<~LF;2+SoN<JgLkR%g{y
zgVOV>)P8K4351a`J!tNJQqqJ(K`<l|UADCPm*|;^mprJxrYy$k<(6f}a4bulqQlc6
zO0+3}!7y?w!)UCuYFJhH@&7qIMKp&^LWEji7bim)Gh+pEtlV*ZN;|pSt~u+z-m}KU
zE$F3j(?`wZ(ussQho)gA+E#d(=TMNLSS|Nh!gq830a$26u%JXpbd7=AO_*+$3V&??
z@qm-Iy2=p>iQ}s^7m8OcW?5F|RL*;y4Q~0$4=o8VTtn>{gGAk)80L#nZpWg<Ct8Hg
z!04bO@Y@ylo7w!oKikw)oNOrp4qzD(wam@rsF^M}iwQ|04~n5wgQIr8R*Gm74C+UF
zQGdI(JjjibgQ*fdgttLf2co(JSa}J;p*|XAT^y^(J;;w*>{6p);!^>y0RoCiJ{F-5
zY8=#jkvu^*OO3*#6542<&>2nChP3TixeW<YV2%|XM8Ex((%f4tjl;y#Q!S;|v)yQ~
zM{cm9ucBu<{6j<2+xk5Ug8f8qs-s_q$jjO#87!+o>pZ!G`V3f_V{d0%fQJkCN0>lU
zKzawkS313Fz%64lwh^_8z!oRof_>8{{y@t2^4aT5Z&@j%k-4n|t^{udfz|<nf*u)J
zLT_=M>P;IWpxGa;UWta7N^`T0p=_{e_M4cpGEG#6oD?aJt+fLrEqfeXy%O$7FdNiT
zL@J}8cC3f=zFM>{EupVe>p<?&REf7=1(n`$^-B2a1LxF`h8lzBDJR!HxuXK?PuG|y
z0yr`(=_u9w8w?4#p#q3<LzNhzpV>8;!MI3tP16(xCuUHgs?X9yF<Xm|5`YT0LQflN
zwuw876!YfT#m+NcV`k2bNbxD4*;8c1KNKxrGQ~-QzbH7FfpN{AJ8EMZO0?~tii^4K
zZ)|xJYZE1)-UP)&WB$4aquoMW#j0DoPCKIC+Ep7$jrD*IHqm|xxp*a=srj)|!I<WH
zZ0(R*qenH<in5u$y@B=NQe!)+4P_Io1#qEH6HW?roZ*SRi*c+oSHhF9_)5EU;0*tZ
z<x2$k!K@$kqgTNuFiHwD1F}NK11x9P53mLlw`Q1DEXa0k0I5J47X6x!aBMWTMmNhz
z#%6Wdumw>#zN2b!fqFwjq~%!0btupvIHEQ=8=a0m($?FMG>^-XV$hfL?Qy|t?ooR_
zACJB6${dIkO6V9eN=d_l!a1pys8ghEqe64O)|iKdZ~F+o(PFS&(u)D_vKTEKik+w*
z-T1r6V}O>P8X66w8_{dVvyL?R?44)_D0!eLIarAj%_-B|9t||5a&Gsr@zp}OpthB@
zDP?n*);##CGp(su&@zo@?Y(Q`W)_4~KAtZyiEKMU7pDa0WzoPmFj`y#NL!2RnI4)P
zPZbuTe(LKLxss_-J8j>|B6_3203oj3#S|IYjdoyhr&xiYrE!6#bTUPFhG~k;Y}cAW
zqq)u68U-Qnqc-(ZUS=c0)#5POSwKGCjU3f1un?D;bMf=HyzXD3af&A>(PEQcmNijU
ziQGDsHBiO~9qNUtqn0BZwR{^f>%-$sGB77NHiwfE)$*98q_Uhf5wUq35k!1;s(oKd
zWC<X5sVBzqT`{L%o4gD{G-P9`3L>0K8oGR^RM?A$&~UR+V4N=3NS%49_))b06PAA~
z-6RndgTs$Yh6+=xrQ`((R6!`d1SL!mqBEALu{J4H(8wg<IXir_g{D}WXGetO(5AN-
zkl8myigUzrCqrPVW=Tl2+r+inKWbqhvobm|x<nbi`879dG9|0m3v7V;g(qM$E1kd8
zi#?@63Ol*Fv|3|T`mVa42G;xx<!-4MsV(rAkMZU(;{&=l&u&kpAnDki*U&A`NP>Qw
z5>6gQ^w%s$ueNVRZ_~@xQ2P`z7;CW=1;HnDW^qSrJ)h7a(L`M#_o$ERN{{eEHX3{i
zZ~1&ex2<v42R%kt3T1TJ%-DXpV(6i~uPb`2=M%boxwE^s)9>#+-+QqeC09HmF^@_S
zUK1h1-AME6_*#d3^0@bfPEbC|5>J-n+CW+2$)n*~q5Q-9qx0eMyVHNH1>0JURw!3#
z^w*nZRo+^~AL;poE|15jOrCKfNG=}+Ye3o4iLBA;C*S|aa$~?`J^1qpZel%jqaMn>
zeP}5hb(@enpxT45ZEZtJ7HL|7tc^&lg05+udN7o&W7vTbS#MUYpHFB=B>1>lf3jHD
z0~Sp2Xb<*$LYE&uKiDR=jVhEKySgU%I;e45mA%2u-T#47n$eY$xJFlxg>oyQ`ih0!
zK)J!kKO}T$0powKMit6AOI&c2)nlq?N<z$KpALBfVIk-w*J`u-J&!lbUK;<kD0X9(
ztLj=()5-E51iD8<89UKyJvgkW=IGVK&1<u($3l6r^w|x^ffH!O0zrD*5_PFCMhH`N
zExP{6$i5GcvX$b81t&N;V7ZVSR%d5lpU{OVk8}m()p*#6f4o_)wB26jgM~ePLVkV(
zsjbVB)s+1Y1>NHvQY={qR|iKo$^^&Lhvh^b7iArUX-!tdL~MFgY)w~>MzI^gZC6QB
zEtGMZB9~j^0hy6UWH_s2tZSXibZjW;wsl;_c>-?F=Wq58yo(C=hVIcQ_Tm`(U7dYG
z%-#jTotwIOQ|unlJ(}=%i<thGK)!4Nw10N2CORRxq}Z^Z*xE?Y{(W)&Vzb;#IdIv8
z<Ae&SBxO%KV!gPkxmIHIeR2PUE`R&|QTB4D_so)W`MAB8!NKC;R<!Ht3(a!ATzvfG
zCeNZ~oUO%rT;y$_d$heQ3D0N_WauZ3V{%3~Wyz4lEKk}L>=U}689@aU>JlEcqbo)e
z)z-L7k(ib;Vb{0U^M6A9orl7-Y7{h_+O!TDf_3EO3-By3_as0q;9Y%uQ0Nd&M-SSf
zlcZon9(#zNo1?Y+kTUm|{E@1(K@SR@cCCHbr!~u9pc2dW^CxuND(^7<R)BtY+nMXE
zzx=g8aFuV=_Wd(;I=gzTz1)HF5~{tJVz=A5FLYmWmPJA0+stx8#xw_=wcg^|O~=??
z?~M5;^zrjOkXz8GR_abDTduFK!Es@{RLz}M>zZ)YHe%ctx<^~svm!oD);{kw%J0t(
z(D9)|x5H-h5YRmu%J^FB7xc*H;8<y`IM8}6xaNI!j9kSBhVAiDzL;_*WxA5RYoRPn
zMSFSZ;ZT26l;7f;b0Rri!$|W9y~Q^)D>KA(4Ora<|A(FF$3t0rGM%yH+=gQR30RXq
zN!($RgG0(VKW&?cr#};%$|-W8+|fiGUEs1cArk4R!o*2fiY-+%-H`$t;K^mU(QZ_a
zjq-3xNxB9V`-G05Jkk}EuxQBk{>hsMhVGG3{(#48s{0JeANGHIOnko#%Cp_IbYC9I
z?|1(_XW6h!Z}H6m%j1%BlFM`JEZL%G75S>%K4Vueojd=(%HJ|&tk6`>a%W!~<&;fM
z$c(J%mtedI>Ykt}o1j#+0U>zDOvx3a^1d!ZkB73k)%u3!$$pZoGBIoJ3nvLoS9L44
zqP8QNCm=)L8#=VHaqmW2jVhFlo4P{zjPcdJA`0b;gEL5x1~{7t`bcL<dq|WYYnBbl
z7bim#yLg4;#Kp-F9qiX!eAGU*4*t(@DOornIpGj_z}$p0(RPxpTR`{NvkWM&LfE4G
z`1pP)l&{E2UjmJC!Rbt)dqw8|#wfS*2rbZxR8et-%Q$3N$7^ymQmE@~s9L`wq_{X4
zYCFIh9Q-*cg?B|#jjyg-cTKlfZtj8mqif06vtYNZ*CRL`JpNp*7eQH061TLh&ER%A
z$H%j4+AtJffYGt2uZ!}d83tO}C6-}-FO+5bn*U!1<)a&If2TNogX1eU9v_kv&o4cc
z6MNB#jS;De!!>C(9xuYN8VZwzVj*|?h^E|m9&3}&I{W4m(q$2r=z2=yX_K`bGqBdf
zMN?9+qD<YuP$>|2^qTA7NJ#coP`-8<e-)8meFRqLK?7N6$S7fKut~{$O{2N^z70x@
ztdR3<@ab?j^#laF(d{IUh_bl|=PSP}qTFHRJJjX%M3w?iAoN51QkhMGqAg;TGsEqm
z`$8zgzEcyq0PRI6<8%~RMC<4Sm59u3-`n8+h$w68)NpvR-p!4nHgp)At!-;KJh2x!
zBm-9*wZ4D8xHuak#(`l;sgR26`})#2xq%=8sSfCsT;RzvUZja~YMeAAo+#!PVyf2S
z=jz~&YLDvZTM4oqrYkJJkLQ+=(izE#5NDi?R&#fs(1|Ip_^gqq9PhZIdQa%kGeHQt
z^rF&S-cAPSYE*01X15s1Pv|J0QO>l->kM;hHa3I%mEdx;?1J|#d<-9NVNaQmChqcD
z%0$nUtG29H{h^^lmnOLQLpBQJD;Mj~EeFR?$xOD65<XoF#s_{rp-U4V<wwfJLtZ>1
zH<IJ`EG;wgmX)i_e4o&fDvxGR0f9$dwT~bAO41{dFAwFloNs)T9|>98)nlP-PSzEN
zQw4{;vMljLdkgBYwAvrIem>b_2`-IOaZ6(Um>18gSPg4kN%DopT5to&l<4S1X#hLl
zh?wXMHrz-fs>3pr*Rjsr?y(N;%^(CzS&<W(QLQWXLML>DcZkrrrfUnrBDlaAI8V^?
zT0D4%@*~Z%7J7z~V@W1!C=(CC)5fsaP!|bP+3oBHxySK%D7RwBuAtby^|}^I7IJfm
zT1*^2ZYsp4AULtNZ6Q33O$oMbk2<j|KCM=@RZ)TNaB_PnTZfWiN|)XzZJ=DO(^3!t
zfdlI;`G{6dD{3_ypBbgeA~ECfSP>2X8ysJeJh8bbK!)sgmt2Ojm}13~xNF29I0Awr
z-9C~WkH<7#3%W;B>W<b#*1};1r-_#l8NErxrDVpvFaZKi^@=vJQ2pRGi%@=Wf?ZP)
zoD(5AjU}lge_qx#yD-b9N`0DLBtskE3#@<~=MeouHx6N3bi~b3_sBs`Scmc>E$kI3
z`&-u-tQoT&&j}<c2zqRNCG}Z7n%g0;5w?hH+mNHo=(<|aJ(?udh4SM2SocTyip)*q
zR=8q~3QTz?@{fK$rx7%J(Q5LwBG*#_5oWP7Lu4jUb`=-a>}Br|^6s(takZNV&|@y_
z2Ffe0-gVrygUlKaeN*L&*rW`~G?#?W76#1t<VQmnF~^0P8eQd~p+lGb>`S1WFIVFG
zs(YFngM~K=R5+{Dy`g*TKrQRUDQ_x*yd!Fg{d`b<Y;qe0+QeMB4a$$Tmn*pSh5pE}
z3O^~vxWif@2xxIHA%ixM-b<jmMt$qz!79<&zpha;T<I>BYqTG4FZ<UR4AMqxu#n-j
zvn;FIN!k=+1!P~TufN#9bhnu6N1EmP<bPZm%r2%q&@lah`9$2kk5&19clP?t{J+m%
zKIQ-YB2PPxIfOB%Hn7fLDOc^&^YG8A{qNbI?%c<!{lEL7wg2~CzIfXIU*g$B2ggVf
z?LTJ%r>-*U1%bZ(Hb5>WWB^z52LbXTR1VM;6;sClTpAlPKuF@r0L^xzooFZIaX&z)
z3Ya)R`{^~FizhntIM4F^&l3UvJm&s?vA6fKng9Fy7f<=Wzs!RR`d&wlA0S*%awAEu
zC8DcW;F>e*2Uj#t2IhjGz3C3t2ha)x8Id@_606<sg<%=!+^SW~;|a;Z?PpZdG|`zK
zX143uPV^$$36R!@P?lfNj0lOdVu128O#=jeUV|EQUg#^zBpuCm0bG170#T4ybq#vJ
z0jhu0tr*ZWTJ1Z`@G+%A{<5IJ2^A6w6=}(F+65GR7BrufDdr0bh?o^*V6%k;$cFF-
z@Iq8+UCub@77kciW_DadBZ+~fOJ_SWfFe-10-`4C#-D=aXIM@L2(EKSmA92CpojLS
z^LM|Vg{S*(kIZX1SMUkRX+BxhX**+&h^J&>*R_wj+u^~_NB8WK7W?{!%*DJ|)N@xE
z4Z!hPxPN$fel#407ymq40*Tk8UGq_Ez1EuE|Eb<wf~D?Tf1dS6MB=_)ENW!%z!YZ%
z$@kBW-#;JLUZeVGblktEMu7;`oE@;E;QraMYqa33AY4+rGxXz;hQJp%Yao29pfm|A
z63-%O)-p*9Vp?2=%)W&VIqZB{ac*2YBhY&iF06huX8DXj&V-mva{4dVnoGo;V#T{?
z-CK@R&B1Jg?JmP}#0faZmbur0;b_rYox*6$1}+=Rgi1^Hs`P(A!RV-zjEi1EW+d$i
zItek4r&N+ymYno(K|=sG2hta1$)<BF__j89t!1SjphZhYS&<?&x7buQN^v)sR$qR8
zG`y(%{9(Y2gRm<qs$o_`M03a>s7kujyzX+DR&Y>~OC-t>#Hw}CYbA@&0nmFdCu)R_
zb98_+k{)0|9(|D2Xo^q`-g?9AA63o5dYrru_9R&_C+$5oEJ$421PKw~LM0^D*{&BH
zHp};+dh}`5c-a6*(|x~x-(OdA^=WEfT7S$DNtw>Q=>uo;hf&c1bJT)kG2qA&yN>q_
z_#sW7p<gyZo{vGh+a)utAM3={?mhGm$YyJ;rJ$bL0kUE$j?cWZwJD)Rb(>Rtd(2rO
zd6{)#PK()I$LplTDdaX?Fe;s6oO=1i_od#$U8|rrJSUx%%s6SHV*<-oA0?|*6U~v+
z<MwcaM<vNRS91-M7WAS6be8+6ZrUv_-#rLjk$LwA)Mk#Zh|3P;An4vWE4Ge$;E-9n
zYked=Q0I$xu3D;BWZwB6K<N0gWLw*hm~-50G;iK=T(PcOw<4X#f+K3?rb<QHe7|@w
zLg~AF*88E!y)9qG=sQHm2#?e`j~GYh$Va16+AA|u8r!>Q+@85DRd2dGtU=+MRWwIq
zFAiu6zo>=|RzRj%mWwH=y@B!CKRqN#_X1nEeOo~7FX`B@T=ol0lwwsd&4pnkw-Hv$
zQS+RNm9<%|p)e<@zR6^^rYdAp7Ink6iWs2f1fhkV>eU>o8c+4Y(8}skuFjAIWOfl?
zXdQ}ywCn;Sur`QQB5=o}>OuWh=mAt~WlF&x3R?rEW#ixDlqRkTy)KUPZFI_{`tRrl
zGEAv)KV(FlG6`?)jil~=Z4`}WRV}AnlNyDC&&vx);8n|u4trc}V}nbTrPwrK)3oL+
z4`F+Ewqb^V@!AM1Y0fltp@@wBqUAQ7z}VcZ#@5@E#wa6vLQtW0_p*Uqx+iZj_RC1N
zeU_acXvrC(zuDnidUh>1PFBO`c};bL=c|5JQG=Bu)~3M5T?c4eh6}Y4KPnOii{Z1j
z_D5(R^j9gVeKQUYelw~CDv%oQ8BU1~+=_EVQcXhHxJCE3(e;!G69WOlGEspxuE>02
zyR~{Zj`NLeoA|B1UL7R{clHhVwsHHTVh!e?^P|>ftzZd25mOfdbiJ>``5QgS!cRno
zV;pxar6uc3;>jwG{{l}c4%r^~@UnGF(2rmMp39FgKI<{}7kJ`e#sH;y^Od-Hi6>u!
zkH34je*q4@vr_9NjogJ(6#TvhaH$2BlI~_fT#%L)B&BnK#RV3myG0Oblvo6$W9g-v
zMe;?ukyg3{Vd+*RF7G*K&b@ce+?hM`o8KSte4po|M6C{Z2!V9O$0{N*7%fRpuV?bC
za`*~X&@S8!3GN84L5HcDnp(Yj@-JW0HZ$sCu&(wm<zFi&UK$-&n@3vGUAIDQ=4)9F
zoKl+YmHq6~Z07MyZPQ6h7<|)xqlTVrgg5`VMbQgHhj{FZkt1l+)x7h(gk3WoB2|AL
zek6-?bt>7x&4a_L0G(h6{@UKs?_Pcq@#Tg<@JKbth;fcD7pv*J+}+N$RYbEb;`WmL
zHK=X@f9owTm#)X%b%X1sM~6#SJr+hFa+iGMg#<t9vW63VIf*T;uiD8YJ^6`wXE5#u
z^<S0DrR~K=3kft?al@DF4~d!kg10_V69+)XBXdO}(=qMZ<JB*^Ck8VwTgA?027>#P
zmtoR{&14rYXhdI_6$z+7gXYy9_SNGw-|71>5C?2pG-{$6Q`|T>59Er0JfDu7`YcfP
zQb|fEC;}jOkX@1+7;u=riJRRrC&Ss(kz##d!%va^jV^?giJ^VQ+KNrI9hZq*OxZZC
z3v-gfG_oliKg;+A=iM>4&GAf`75@~=bQx~<V!QssFu)jM`RUM%AR{!o(?w9%k03M1
zJie%9U}3!wnZ~W*Q%&?xTH=|^>n&r-eWmu8aYpXq?O%I0ETJ(yhZdMRc&*^%S4XDt
zt9jX*ipf=o4#A^pzD9i~W7)3zZqzWIe(NP>hYWLg$Kiyhl(W$-&6k?vt<`E3N9wyv
z$HMw<Q_NB~pvk7zwsWS%0oU`}RUeM(A4nz5{#SPe;<aK79sIZcRgm*So&xx42KB_t
zjb7iuO{)2i3(D?s@%H-a9@4Js3T)`p>R;yZEJ)nkPI)_BPv$nff}3`2KgCvKK0IKT
zyQ&~c?E!#BH&S)GJLyNf%#~(xeO8?xK>Y1#nqS><N=CW9{1~9u;-xf+%A0g@Qip1Y
z8*0KftTz!wY{O19pf$rZrS^*w5g~<O_XEzv;4?t&1}nI+#4V`_1q+*r>B-JN1Ykb*
z>U5@C3u(Bi6$p42!b)1K<EG7Pi;QyHtX^&xzvN$et1$DOq3E3~%*=5gbPexuL9b~Y
zw-d>A)j`YL|0<YsNoVgbZ80KHhCJt2^b+RIDj5Z)>@-G`P!Vjoq4_&<e`e9Dtdhog
z4ci}5__vZG%)+W><E2G#RZTNYRjUF_Cd^(8SGMCRT7;O&YNVK&#WYzp&k!vLZBIh;
z?f(2Mere{|axu;)_G8Y=ihtls^MpKvS%~BYS9gMY)7!FNeNdQhCgBqUHN_zXH_d{`
zx#iq>sR`@pK@?g0&GN7DQsN6~2XIJMr+sI<Z%Ih5x|XIbr%Q$Z1Fd)$3{SR4Zc(-i
zjs(bl9cY{zyA@;Dot#`MTkxt+gfB$D%~`tO35w%VY^U=k;AZIa4jvk+aG%G`y+Q8D
z1j$N&y{RISO@D(Nk<qb5-Vxd&7ZxF<$v&8Y$NtbFP2t+}lDNPEb=I8GSbe{X6A$|K
z12DKDt-XyTEP(bjRZdaMpa&;2`L;k4PNXT<CwthY8CA?AAebup#9*W{=<`f}@DwZc
z?Ggcw!_5bA_m%$2+d;NV>-YfS0sgm0Vox1F^VX?#{2wyG0e&e;x>U3XRztPAk*7*R
zzYGa7Hb|$hV{;}aHfT79XJdsS*(;?Yp#3FvrRxYr24mY1D!QjJSo37noPme(G1pqW
z8TJ&+j<UIE@6vnjYNyWU=c)Hx3u1lBX192F_TWv6^G%M&+|{6J@y+l14{#b3_fcEr
zlrmB0M}x4S`12so)ng<NKJre8RA%Y*N!UD>><P(DHFN!M_MD>Q4iNdtyS$DyD9e2-
zvUfRVN#*+R-iA1k?Y+CD_=?hqZ?!$Td-Q#}3+Qfqw-^*a;i%817TPBYD*M77Wzb77
zdlK<6X_^C9jmiveKc;?==pOxu;9B(az2V{glgjTu(_I)#C_(pNOtmsqeMNClWo8gu
zz<**u)?MbA&535rAOKlE35vqD%1w)VEz%{aMKB)kk&dcN4Uvqx@DUb`nBJPy^myuI
z3O2|>^ywvZX*F2%UYa1oE6ItJ{z$rZ4X&ORYO#5<3=s^meDv{E$=AYSpn-EpH0kd|
zmei<{sOj=nbR;k{iXT4jm2=Av?A4Ti|HrPsY%}~v;`%h7dVfvkbHgL}OB)l$6(V0{
zPq*MK#qf;hX_l#V<<HES%^GZ(O^FdY=3VRHfe%7m$N5mmO4|cfaIxs4v|;3%FP>_y
z@XlBtx<xGi-|M}nvgkrn<)?bFL^AojXr^w|I`+SX4gUWSHt7E?Y~a$yifG%3f+#(?
ztSV-dXUmQB02$<l54EA|5=;I-Td~Qg#2#*@erp)&g{DS&&8|#*xLx1eD$n^b@jN|+
z4|fa}=I{~2TJ|sA(Gv80uX3sSp8ck$iZC0^&62U3LvR-DJf^M_<#iBFp#P=WSX&R6
zBXZZOpz5JfJCFBpRovhN@F-$|uqjLn^wDU{CHaU_Z&t&E&tGVmx)nRfkXIxCPeXyo
z#Kc`ecopNHc>(%CLtt7%7LSBxe&vmo#PgLUaLjO124WBDcQZTA(>Qa;M1D~4awD!G
z@^I?#`P%RggaS2;tv-@ozv8<1CcE|?p?GpWU-ksj9{MRg|65sypiQmiYqYR($#26n
z#$-kUVM-42>>tq+iry94+_XVxgtLozKAc?JSHO*95SUUo_|~LE>-85;cFD+|kv>Jr
ztO#d-#nZ^PvA+R|)>`cuY{Bg%S=GcHEXel)-c}VmV4%-7a2tOuO@#eS$cdYEEq0Ug
zA2l*U%9Icl)udx8%MfoP)>_1EuO~-in3hY~IFNn+P8Zmv$Un|SDrC(N9Xbl9w27rm
zdKl&Kcs$9yZrQWL_F6rALV@4s7f-|fdj?J)`-Qw+JR((yK%@UtAM_zQ)?;ikY3q{(
z(Z<Wso0SY1>tD7eo*<{Q{X+{cnQl=CWzjMq^Wwvqj(IVA_xXlN)S#NeBK-z_Q~lh~
zew5SB%W>Bg*ZjxDe}=}SpQ=Hmx1C>H>em$RX6qF&$Y(fM>d`fdbW$+sRO-}@rb+a|
zRG!zjxLgoW?9F=C;#Vpi-zH4K&1Fb(hDVz$9QF}lQEF|6hkkR1fOw)|P=~?G5oc!c
zFX$VAGU7g4-)hsPg^P1?=gIcm?y0;v@$K{oT<(!9NVH9h1pVyEcQ-r&P_sn1BhGtd
zzDFrDaQC$IlcA$@5NB)Sm&EAWMhnCAMh9aKS6%M%FuA`aiT&4I>T}!Wrf;NP{{?n!
zkMNKJUN2_h_!*%0ig|XTg97yf0htVg{jvS4kwuZiby0n`kX}R^GI3EbZ&m13=d+{m
zjHd))PqY^-oSAi{js446arQ-+!1sDY|7GY((^e0J?9Lk06@Nl}EkY&i8<kG2>g6p7
za<KjM+#)~CCf#V>%SaowO;IOh&e1oTqf+eea3wKo2kROao84<?KJYa*$Nu7CxK#$W
zg5C6M3WXcJLPzOmbUP$mLxGPHN)13fLgd(9uh5%ZuS6Js<P>{}u0JGa{y0<hi$-N*
zVW6Rj?ZF@0R5QCNoy1yb%vj5u?}rspJ&l>F3Fw8>n$nWeRrBT2)v^kwuu*>&LvNP-
zq^oTKbL|ou@0p|_zCb0>eX%BwL4;p}-*xbb0H?fC$ZfZPv(Hy*R;y~2omb1uq%NV<
zdF-_ctXG?Uca^3u%DzA8rJv>$mjEY~xKUuu|2HYY8;R;nAp8lkM_2}6XX=~KphhZj
z(AZe9@U6#@(!9xZ&l`H+u2s|C6aVBSG~W;4PA9|OSZ5cEi%iWPTi%^l|Kz!GxePGA
zSzZDjp}z~1lw*zVyrwl6E7S~}W2?I4G$YhNw%w1(Fe=b@+T1@-cc#a@VS0lRXSw!C
z^XKX=c$vO5fEPR-l{gpv8ykAj5rwrmd_;V!tzljppYnbFTAyNHI~T9M1hh&o#4vvN
zD`07besBNnG680(>*2o+5K%v-x06O{2+l@MPHvd#RzLsRf~7LzVnUYSb$f1%$~Rwe
zi#>q~<@rL`T1ici<AdgP0U6R5kf4AoJ9e#ZZfm)E%{0>^#~5e&CmXS#pN%;=aD&o5
zd=@9+tWbJto~ZwaBN0CFPe-EFdLI_`O-PGSogN(S;WUZ=Pey|6e=`!k|6(LMXGQ)m
zMFQ5sq=hGeD2Lwfbta65%X|TUx1gP!@mebU6i<~V-c?3UX_+%+IfxWF-YXKJ|3i_0
z+$$0xOJd&}_FC7c9!tTS8(B;iM}eZCurk0At;uo2QR;8jHUw32tt<F|!23YaO0S^u
zjFTJ2U+7t_yoh%^w2#uge{LKS0@()SQe$h%OISP&3kF#J$}c=Tgr|pUU7sT<m3s$C
zDw|9z196n(ndJYiM(nlpTQ%ZGcBI{_5i$2_#89JJHM6~6_Ftb8Tb-(Zpy183@AJvy
zs=xcS<%*DTbMC|(+<q+MUfHH0Q;R;onraab&!+VXw7}V@yyW7+0}oAOsTaw!C79Hb
z@!5AR=-ljRH*z*&3w?dHMCQGd;#Obpq})C#l)vd8FDQGUaLLuUwmtsF6*K4(Tt2?f
zrS~AH=^*zs9EdIqBrQt}-Zw_L^ByVfIyhp871;_<f(@0*5Ydd6{6;km^`!1_U+OmS
z^RAsob-~k}<%#c>0gZ7;v9~Q}?tb}NAQI}*?47kET<VtKwasZJ^DN>3ISW`8Nhf3S
zkMNk>Ikq!T1v}ihKcV&Hr5el3LkKpp&98<Yy6L;;K|-5Kn$Qg5ao1pZ=5tCRqzK;P
z_@P!v_pj7<MFZ0Qb9c9YI-E4>X+ZIzlJW!`6&q9+(FWRbD})adML8>y#1LqyZo8y<
zrXEzrb4@y6(}+wF9W{vkE!&G1V<&1-#s;kQiDA59^@ROUfOhCrRi2x;5R0|BS0Oex
zHgw8_(_8S{#_8HKD<;txXo#dBYiLms4ZeZDau!<+qAE#3-r6~$@DbZ@=Ul;Ofp@B`
zq_CUID%rQ-1p;OP)rHpIkAzZ9Ly^Mlqc>DZwc+*=1!xs1ejqcW!wRn(nfAw-kRAjd
zmQ-PngH8<9PgCB-q-SS_8WhegjDAAHUKG-sNK5hFMgiLN12T8@SAc9<2g$tL@Ml*x
zbdvF2+~69^Me2Pc3g7jOwPq?_!g5DJU>p0fw^jF*>qx|0QSQ^y$VMuapSX)PP(Ebj
zIKnmZr}h~7{4D2~>Zc<gkK?W+?d4Dmhk~5{yORYVPl_TDLt`4MA)HWuk1E;VTO@U6
zV_qm($h>%}SPylkJ0S+I8%XFqdg2BO<prM_y2NUTlcsi}7y|Q(7BvbI|0H;_%jrtq
zK*a+~!y$DkC-X;?92HL#&l6$c(WAmE{+UOd)78{eAz}C*n41%rI_w<M6FyfoR3+(q
zeNi!pwmo7F88k@qDNGl##3ybJ%nF-5-A=W9&&JZwGS!yf=vY>%=0T(Gt1OC7Ad9i*
zZl~XpHQ$nbrLdm>o~UVM%mSBt*|=BuNs)y{7rBH`=UL#T5rU@V*(yqq<iF-qFyO>*
z5UO|L!yewFrYhf<)ZL)>Se@JJet-Iz>^K?K`i$SrTNmNO;fXSUOLU+8%uqsRC<bRN
zo1^;PINY1g?t-(3uFhBz?|AQJBw*fKyU)N~t8Hc|_f3QeZY{*bJXX;q<AQQ`@qUxy
z2j@3eyJn~Uw8SNRl7*qE@VvJM+@CVw4@CO{RXA?~LuARa)J!9?uZHKBDfW|zGq}1x
zNf}cdDL*);gHaCZ$!$N-&6{)BW*3(-ihU}>B{*;q{r>oIykGvkodi>ncjIsHZF7m)
zk=eFiWH3LkYAh?ZEE|Yfz!+EKI=&4xRI^*=Hz@vmMrEEN5Ej-|MvNi3AL}LS%AXXz
z)0x-H<c%}|Z52e3<mb}uI3DPm6(jS@UAFzFXB^P}&Krn#4*EVD{OmAwTQkEJCs#Z(
z<|~<B&1!3E809f`luB`%)8mW^$=|qiL-FNdlOS9dvTV{xtUvN(uo}RFu-rQA;&9e4
zkw-p>GbYnbKXaj~yFCc<E1rk7vCMc4`1AIFRO++*S!5AsrJfOtNf-vxQlB0r?2QWG
zm+s))b@dVw_`n+1Bh8bW_OesXD&sG3mXl7616N005bsw<WlYW)z-=Xep#hl4dOtyC
z?bAT%2VcYQ8gd>(KKK^@{s#a7<$5~0B=l)=Xotx}n?zz*_KUDt&6L@|wndq{Z>G!e
zF7{>hlk)Pipgt%{{t+I9P(R*;UY%_`-`K6B{0*^sKwZlM{M~yRzYKhHhNTcYU9n|D
zyKuW{n64)ET1Nfk>9s^qeNZs4I(BwD_+%hq4o<nBDFGh&?E|4<(h&|e=<@S38SZM`
z=*DT4`Ha|{oYd9;${r6f6`?X+ytN)9m$0gaq$?<Upz8h@)`9?!XGxl@PKFX)ZxC-d
z8qPqa9_PBcP6Mltc+;j&%%qIVIoR=dgr0ItHW~UUb$02^5|P20FS2zqZ}~HL+^N6x
zDb5il_vOFZ%QwwUAf`HT(bNxBv5vM&I(B)XdcAZnI2<~z$EBNUQA&1(Zg%-+?+0k7
zY7ZTgltrFYIu%tztHOL0S-!oJzMe<6=zN_zJ(H0o`*VGVb#IW~m0`mJAB<o<_%GRU
BHEaL?

diff --git a/kubernetes-config/helm-charts/cluster-autoscaler-9.21.1.tgz b/kubernetes-config/helm-charts/cluster-autoscaler-9.21.1.tgz
deleted file mode 100644
index 98024c9bc548def3a32dc367e1f201df5711540d..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 18380
zcmV)lK%c)KiwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc
zVQyr3R8em|NM&qo0POv1d)qj&C<@PK{t9fl_tSPpq%7ywqt)s6bvy2iPsfS3m2^+9
ztlkksLK4O#zyUxznk479p9cki1TVTcaWXw?Ngr&91PVZ*P&X6`aau@4M2HK;WsFlI
z1}6(FRJ6od`lq}393CDXK6>x~{vRG5Hvb<!di3y5!w2^tJbd{0=<wmAKOGJq9^QZO
zCv<p6?XUe5Qep9@!_RK3Ik<n556<Z?L`cfn2wfiqIM2(U!|3RKbQmN=#)9Swo{cq$
zNc3|tC4vz}B)Z|^iU`DbqJL1epbR-;qHK=lf)}}rf(6gW2rZP#<!CUNQ?)3jQOvW!
zRS9cQ5n(`M-Q4=(-dBNd1{v0rJV^PR!=ET;^B}{NDNGp=aukG!WSFKSG%uEaS0u|*
zqB#5i&pDr`@J6=~AjGil>%1xwm?!PU5=dT%m;mf;$2L%c5ZBudkZPHe5yE+%(im&B
z2iI;&{t_JxqhWA|^WU-luW?!sd4~*O{rZ1!_+a>;x&DtHJ=(4RukqR2LziS$t+a|_
zBgzK}kL4idEGD^vFEctX1Q6u_OG)P}%y|;(#Xs1?vl(SnEkn$b5Hm$X_axXu?kfsI
zbnL#*xIj5ikO7qurUF-Pgx-G)0!@`qsf_tG5zA44&>o6YUL+TSU(<vLi6;0)PWosv
zkBR<=|5*t5lHoZkvI)X0K@&^lIHwbY1wpdNb1oD~&~ypRDok7>2rHx(R3b$)0u3Jj
zIv$}hQApvrL|7uj5T_(Tlx@H0rzxMVUi1SPR&Iwiz&CPmd3yZx{4~mvy?PHrNmP*s
z(6<_XA`A8f&WJ|yDZ|s0K$&WI8s(E34xbnd>KBGrqYSHfp?UYD4qqc+65V0LcCreo
z8w2zvWJcK+#jI{~18&U_w;hE?Tw7r=#Z!_xJZ{^FA@6CS5aa0l?3u>aTmu*69|aX8
zxg9vWI=1Ss;3+ZP^`?1bmLmL)QXb>9iy&c2^@1NiGt;ZMX{L`v!H`-AUd$J0qVg0P
z&}H;0M<_&B-vI~em{0<POg5H#{~krZ7+JQOTt9w<eut>e_-v7_VRQ^0@TNz94#)-#
z$>189R}L9^<nY7|-KbPuFb(Z!peJ^`#}{YFK6UWW7g{<Mp?mAc$pp&gAO=DhVOU>Q
z0kVA@p*O$7AT`Ego^mllb3q6zAIb&R+D}YHoRVPAS0$erIt@eg6Bn8-_tCLl&FJ{&
zG2+7FIYP$@r36cbI3tLpM9URKWw}%kogv1RWjl3hpF{whyu(`a8wGpl`&^J80^K#E
z17bNJem@mxpdTWX;df*DPclMB{zJ;l!=VN+00^yt050lq8xY&DyuwEt3U}d7SH2Kr
zM&CIsK07)6(g>sT!%l<^54$jSxCUcY_Zzs=O*DbG!Fr{SHkH=cyOGCnOr-poEYF?-
z8~b&PFg!w6WQoq6qWw2?29FC#gnlUXx8(Qzub~#ebcFauhOr<CVT$5Z9vlSqj*n2U
zXNPl1=9Dux5@CMr`?K7k82~&}bA$>RYC;Kz7UG!1f~c~!29hMa1zi165!Dz#i7d@m
zPEtykGE+Y$;+n<;T?oozn&T9eZ?(;fV$PJH(?V&DmWYf>ZLn#UY#B8uqA#=vxFp7A
z1e%Tlt$(kc0ML+vT6a47XhyNFpSHx;?W<|D*54XHAQ#}^!alb0Q7u3VCr-oA%t$L4
zO6xgWccRu-trz2BTKY8X(uQtG?>V|z5J8|9u6GiQhue3g-dwFGuL#4A#!Md+Jh{Wx
zT@$r-e>s1(%t_ViFXu=ta}ovK+Y#y=|2+0-t)}Hyve(U$X0Nv*5>K7<`lcywJ36V5
zWV`UKw2mkbRee1&8sjuwB1x3C;3nrMZ@+g;#KE+hiyp)e)m!@$U{TI~nA~E3t%1~r
z`C5{5%<!BfXTX!x^7Ne|Oj;KG>w>5S5qen`l9=&-tF?5ff~c*7NLfki@*abW(Amt2
z?DO$i9}y;7G=BE9-@s`f7C-KsTVp#DWvOJ%07htrQ%Uq#jj7R~of97_7h053<`lT~
z2=)zot&~WjREO2#>F1LuXm!HPgne=RW5JS?Twt}(-Gl#%17$6^RNqQ;a*U=>rjKTV
zXJ``Ra7I%y(H%Dw$crR2>M+u8%2qw#Bh(uZ75gGC#-RZm#X>=!Y}b!3&dxOt4ntJp
zOKbZXPe>n0LcX$^&q%Bh9kv04idRo_8X6kaS|qrFv^kS<oVYSF*hAwbQ~2Eoxp#Je
zdcfg%S>1aY>=`>&56~bvtiDeAXhNCmg7@6GfAktiN$vTP7YL^}cqvg<NQE+9Fe7sG
zdJ+t$s48w(5uvakC*++H_!piQ88H%0PBaah=jR%bv<-VD<s{hC)T|p$I0L#Z9aF~_
zXFr#%8JH6dKrIT;lMrTzGKW88d&LF1(W1g~2#gqKD8@NObHa$wyw4wmZW+d!a3nck
zQ;*lpfL|0#bVJfKs8iwyRX8rcX{)W{aUXTfN8fA2FWWh(ebkz_`s!$+%;-PxO{+MV
zGCgbFuz*39gzPIku&yj;bqKKyt>;EH&!XpQv?zPhJ+dw==;`dF;b8TM9T%%g{AxR2
zm2C2~&&5X{ah5JYd$;)5JYYSxt}**#>+bmoHTfm%PSgi|qNn8K^F~`S9ryTC2fAqz
z8@+9hFq>y;CDEIT=Qx*IjL96wAR($BoYj}LBQM2~R9q1BoZy5AZRf|J18B093adg|
z#**P&25Vca=&ptM6Mv5Y<e)*kE{U9siGsL^1P`EFTpHXfCt1t7p3+xIAS4PVwc>D6
z2tk-imuB+HZ2_}MaLe5R4G^k&8wNAudWsBa_z6A~3){SR+7ke9ZRs~JbHc_7$5&R@
z>DOD=MLeRkXma=%X^R`M#O;>mn8bykYI(w$BJY3!zH!f>lzwRG-qffJ?v9Nfh2>SX
z%R^vmr>r@U7I0_*4-SG=9f8do@DSr1PiaaOHQvoVgis=Q?!JfU`1$i7NJyUYrCxmI
zMfE$vjBy3TWIV~<PsI^V5~rs<E$bjY{X2<O6d>f)HXBNNC}Hw~r!)p<#ZxlFMXCVS
z#A5y@Dx{i3=og&Q1ewiHO&23QnSPmHsapJ%OZ9>%O;fe%eKfJKjc)LQGXkc=*~}-~
zgcAu`Y(jFv61{lcdVTt0tabC4XBlA$fpKb`!E8?P3VsxnLmDB!6G5=Ihb{!=0`QMc
z-{qJkAkm2Z>b<p#t>X=q6%z!F=2*;S<O)t4aY;1EO{Jw-Slys-D$PK^7ole^FW*}P
zZQDv;S7+<Gthn7#>e#vu9h}esX!K-EZV|AsNym0=3|y-NL2#0hC`*F&035Np!X*zr
z-ex&Wwi)aMl|Z9lT|4Dsz9P%v2=!n^414a;k$ZFm9K4)5=w6ag4FjhY2SQlP3%yLG
zG4y6eHr*ATe>(m@+FrR?U=?CPLbV`ajs?z$wmiU6!KLmyE7BCDR4T-0<-+qKG4@bZ
z6&Zz`P@zdmuRO~e^e|4f&8cAb49`H?YUp|qqPOUVrYV{dMCXiaEfS|GzX26wK|pio
zGn5snqM=j*KvWni(Wx0@%IAtpl@K9DNQr_32$`R1A&6Y?G|@Wxj0Xr^kI(~{q8mXK
z35|dcO95Zj-$S)mVTO$hq$}9PLV;Q-Xb~Z35gsuAaphS_d3-fOge5trOc?<3isrCm
zBty*!LfAwMwTgo0#DnPQb%X?F354hDA?Qz-@EaD|-9WF#6sMTQB$PCxDHh(gl=Mnv
zl!byoj7=D8qiuu^o3IN-Q~FO>2BC-I!{}kNB;zb3S+1ocW(iHOBGQ4qZ{TM5o#_f_
zG7?}?jp*US>`*#@ETl{kagEav8di^8I|)hgG6Wh6agyjVEsXeO5|R={Mrb{x8K!9=
z$OzqU0V^0IBq53Gt81<?dvYli$+X5GTQfn~JT$Z)!Y<(3;mE8F^HZ-$^LkyKqY;u?
zAx>JA9Md^v*DHArVb@e}h%iCdSWrzeZgriqYsYTg?@Hyp9Yo_As%lp)RL`1iSr@{m
zG-Rt*t=I=;6YTmY!LzdMN<Y^>!1v~S2htUef@UqJo7?9tTYCeXx~1Cooiql1ZM-G0
znGHUfj*-^tm*UCeQ`bCo8YTd-c2<HF_C<+NQ46Vf=2x-o&pbDKSgU}ULIeAnDw36I
zF2p8~<p{}QdPSDyQ-pE=kS+E922NIBqc(20iC%4JN|}Z+5tgwca9Khx%SQ9c(3CPA
zK;gRQvC$FZ#@aA9wQiXj8~f&?u+<&?h0bWKxhHhW)X|#KOO`GzX9@N|aBKK4uZa-U
zI7!Dwcq$HWmx#M}9qLfz089|Xcw$AOpb6B_EX}k$f}X(FNRXUMs<;3P;!Hn7)w2M3
zKSmIpGLMBevApf<uBgwd0fpxkWQFG@FlL0VZ9r~SGB47!GG<H#{S4*sFhHm(F+yjv
z7hGKkA_)V`?xB~tnb~xSWKLo_TO!O576LD|QUZ-!6lq#6Kd9vvE;tjX1Z9{N03#Lz
zoQ~Eb&YZiz))O1z4A+~VdL$wANb9oKSdmbWIh9H*Vg2nj@Zzx-4>4vrON*J3g_J~_
zEiVnwpUKj^eStF|Io;t`Sj>sC0n$G09cz`&QJholCeev!{zg9+Q(~(|&!~ekLGgmb
zR}p$G$*f3?lY2qZtRzfr`eYeqiHw4kopAhh^`gkJP!xZ{!a)0=z`8(cyC<0vEX@=j
z1not$2itICPy;zQa$q~z1}e3~KBJ96sD&gVoEJ1915l!*^Ir|3z;COxoOrU8tweCV
z(1oL*Uc-a)luA*+O8K!!=0^5i@B}60b2Nn)0Hax2vyKeEd(H4Qrm2?RBQ$gx=yCPz
z$hP*p4DotihIMuI^|=kGGTp=_m)=z0I7jsIhFvQ->k%}ox9rapOX)W6S`UNPlM(7!
zjnI);tPR^3r@bH$Qyd$Hs=q~sYrs04p^4`3lfGpoU~_4`;_}DilWHRzViBQ$r)vVN
zT;?VOGU<dT9YEQD=!H75THpaVDc<PWF8yl2PAQRVU1?>^wBf`9&C5y$ntgVFtnFfA
zH_t6Q1;+)nJMr){G0q=uN2IG%gLT`j6;4g}$1%?hD(KABhmyu71s7>)jTn?@YDx9T
zE8IAg7}u)D*3mhaO83_>E-xst3Kun<s0>yUp>iA>>&OQFL9gqtTCTrJ5phv2wxsXo
zivVEL@3*><4(c;r;TrCp-%7vlBi!nMGx4niG@WRW=&BwtyR2SWk?EG^xK_++*s!T@
zx4ogCw*OR?q>c>~D!pw$8)0o-9!6s?^&V8}yuIGK=_nKj?XBLiSNw{Ym@@Ys_EWq-
z1R#wT&g?|30a~eh)=obG=-{@Muvl4<O^MJ5(}ri@7qcOd6%|{iT}C_T6;GrxEFq;C
z)%s0YytFFJ8>dOfd7*7!YXl>dkqp$l`-g|;)GR*>cDowE9+KPo@N=Hrt@mE8aN3K4
z9m^M-U2^WbcHr@ANd$~%SUt0$E$}d~L}P|;e{{3>iXu8zPm8@fP+RQ>*uotf06wU6
zwWO>7q?J7M>$)g`vkL>j`Vh}9Gz3AU7BN_%n+1)HliOAVPU3|At+XBsKo0g?+ab+?
z-FbZhO}0Krj*}maLrk1qz!a2ygaLyNroX{%q4k{!w67(G+x0q#!29S!vdp5pp)o9?
zOU&k^iJp_Qr<c;WKuO{PMQ_=<55CmhT|eyq3odE_ks1`}K<{!cf$4b#N9eo5?;h5`
z=<-hCf&Y35N)H%FU|Yz{VXeNh;dKyZ$7f|##Vu{ac?XEHvr_Zy0yb=p1%Xfv!?G^~
z&xl%(LZX+sX69V{|J)io=S*9fwWVgCMWm($8L?IBKwVHBq8tECS8e5@(Ta0bLNo3=
z1aEpR$XMW<$ZBJ=+WyLj5;O)P?(lln+hX0@-DZV(%~7ej5`=zG7TLp`cGo&Huqc}w
zi}a0GuQXPG8FU6FYqM+s8ndjO;gm`vYLJ(}LT<6T*YPYI9@y5kMTow57c|8SMT9))
zLaX#_G`pkd;wHk}!zz;srzzS$;exyz`x}!7=3J6o@FGn#8wb@Sj=4yz>3PwDW7eOw
z*gz4m7Uc+a456#vxs5l_T2pR=Jq)G6O0|^rAO2>mS^5%92KMa)?Za*=l}IYg5-bvp
zBkL@)g}NHQjSzA~*DZ|p(3?vFGRF8@J14yZC7sXg))-}jr#yxoBzsabr%{&dRn#BF
zTo5h+`1LTV^`MhV3@&Ur%FOQGx&P2qHsjCpbO{)MGa(X9$&3qvsOHzYLwfdG5Ut6%
zhfct!>JiOlkpkbG5_ddM7t<3D8*qC1i2eqeF4p|b>9&0&xjExz&!@nSv8@(k=54!c
zB!EkU3lu>HgrMoN@@B-~uXDK>m#|YLp~GOd$RMwc$gu7Dvrk~#bu_JD+l^MboCThB
zRUId@i<vS#T{yuCLr_JRv!J7yyXV-=7JT{hSAK)|Oc91ekyci#2^7bIcr>y<!)Yqf
z6vtO!QO{F8#c5;<P|n^uz!P`$NfLEX7gMZA)2=?5*2558!WWs7*mI?=2;05o3I~?o
zxyE(t&{61yQ3v;s;wcdozjEproJiF6feC=IrAT=ssFvs9hbL$lJvxX24_F01=P92r
z$GIRlIpItyVZeqV`i&Q`)(T0=f=EJ1ZQqndwPwVb5<Eo<exr>w6UJ|g;#hDgwQ3})
zt@@0!IkLN#VZt*A5RpZ^(0srgaFTuWPtJ(!o09=1zMVrPFKE~9#Btd*3np5FhT&fT
z4=V=kyOZ&|@fEpo9zRsJ0%wifkEpKs>+ag(Hw(gEGl><IGiv;VPx%Y3#_@tAMe2&d
ziXD6M)a?4eX;8aHz5OSg=ZzLYDzmsd!$q)%iaf!JjFqO2IqWsO@xralTO{r4?fhac
zJ`o=2Nl%H8gDUWAu;<_%1oh@CJC&zea=eDO<$fQ2H!j4SR48vcU(E)JQN1sH5O<kY
z<KO1f5klj*l^ncy`Ra5Wsdwu0+Sri)XZYap{YL(eM-O-Tf4<J={d;f@YprMFId{KA
z<4pF)k3sN?qiZ7QY-vouHf5m&22ESQsVq^jQ4k;#qOG(HFXjG|_wP%EEUGkzj~~&T
zDDd^6Fh#vKBhwIc<x=4GI<~lUp&p9R$B+HhtgzJu^zmaa2sFA#Dv25K-kp8`975>y
z^77^72;?SgvAV5U8;T0*tT~FZ^5cVBJ)c~(kBGndeI2+v9BiN!_=?|ySk8H3oPk>9
zsvLqY^v+q2CbpcK$k|!JVxx@)V?vNQvZSQ}&&e&4h}3d28T-0R7Q+0q1g8IAy>##7
zvzGtAU63><LPje8oK#Tj`Ty|n@cyF)|9|}8=y1pXzsBeN`@ubQO|ubLdNZ05tr<Ph
zj0eXHGD7zTA3p}VRAA!A%g~O-7P2iDx`6A|oHwirg1c!y7nG?P>iusS{%_eU#Z3J$
zh%w566(5vEYT*taw86|`^yof(rP;Wc&FDMS3#&HW+BG9OvAfJ=S4`y4KMI`E8P$v@
z&+Vz^Ux|SZ<&|zjk6WTCiLth9B+rO%Cjf?Kl%&>*fqf)mPb*M~_NPm8Y~jUNm(|9v
z=JN;JA=2&QRRg255-IKAC|hP_fvqs-q@Moq4GeGe<j&{N8xAA3nYtKuC7KP^3Ym(x
z9##djcN-9vrdEBg(Hg84dzzXh$Y%D_<|^#_TdFXnz^vPjAfQ5TC2}gfyYDuB2z`Lf
zRjpn1{@g>ox4lnTMwdhtf+43mnWNddE#pbrZUnA&Skd)5L$#%zeL(*xxPoL%-FhL^
zfx~&pdcDwtR2yq;ux4oXm}_EuSB>FsH*N#Sp>}Nt8z_pp$7;`QhSOyoOKvC38{UGX
zStJ)m;n|2EOJgkrd90`9Su}%E{5PDX8%nKPJQnG2=r7L&&jkfWTqZ9Ct=Ky@)<(U5
zrmU=1QS>*h&^n*JZ4=2?4sUg&V1+PAvTGtvc$RD7(EENE{Uto?b@igQq`~HqgX`gx
zD15Yzi<KqU^QqgQSKD1SWWYo)bzr$&<`0SN;o)}JE|Y6GoDXXfw*mNvVRSUy4zLXY
zt4&YG9G1lzZEq)Xww~5z%wqS%wo3gWr}ow}&_wOJX}INLa$A7d#&Cg9^yNGRb8aIg
z>akcaR;hmLBHTWjFu3>cE2V86x35&p=wK~;W>X;6kk@FbXTS8ehqMvDq9A(c-U-rW
zc~}hg1Z|qgZP4ogxFfPQuF@lG2U%)zmU&7Q?4tDgJ+xnrvKn6d1nYr6UkfZz&o$cf
zp}RsbyxT2tKk27;ZqXdScZbZkR3~vxk9~M%d$*J3)}(^1uOjc&6M(dBa?K_R=nQnM
z+c_-TNi^%d>vym1l>==+5tz*h`iAz=Hzd_GvQ;fQL*Gz?ibhA8{jl(_$g+>VxyI0h
zZmHtCWZ3}pqyz*Nwv`?K?Oa^D&zjF#|DSy+cuGDe9sGv<pN9{I!@B?P=<xp0F8}*i
z`E>A8|5Qf(S^ZQ2SfADH5l{pdYQcp)GacF7%-6%<in64PbiCv#30y?Us0y;(WdAx-
zSzDl#C4?#Tz$9=k?fbPGKb}gXtC<jq0HIK;#5O5!fb7{#8w+1WgqLr~H8F?S?N9Gm
zJ3`k)Oue!OjpffAt9a4X;;QySu(}51n!+YWvk9+(TMh!imgo6f{We?fpMaYhGF$=J
z!t;>Qb^5W@g*hC%{k-l#$VVG#H+CBI_moN%)LUHF-rCmOPNl4&x%}ZmxXTCjz=EDx
zFAAcnte2Klgei0KHcm0kR=@6?$ZDvy!B)fV7~!<6(=o`u^QrX6o3rx4owgiSi7jRK
z!su$(pF?kAa}VszswKF&O>fF1@i;(&Nyb_E=(F))2*;k_UA20v(}(8p;r4BJ;2r1r
z3M@Cq)<!@G2}H=ONV^cQVXbv^#byApvZK3GwoII2DT(VwENQje;b$V~wOdc{z}3S!
zj==@-x!qmQ54?109dlEogq2jOp+F?HFHyU(0&d=pA*~h>n}K_rdnMoAx+5+A+U33Q
zj&Oo#@91=6m9ASXVasdjX1#NSx6~k7BP=9YWv%YpzvLe)HphCEk={cGXn&pVrC)Q=
zgjP!%+v~{6Y2dD@)0L!AS2{RYH5cv<kayua(#&wYpo~;Lc)9Y$08m|j-6-A7XgWE6
zDaflu=H_Q->i+2#_TQAUgtGZ3nSq<){|=8D@gGOSM-LzG?7y$^`B&M0KN@=aBbb3a
zC6{ETJK(t6n!yAJwQbo?Y*`kNi^1BU25kKtG%&91V0Y~hltRioQL!qta>oq+M}F4w
ze{awHb8drN&;Rcq-ak5Q`u~OxcJY5-<x|Cf@83QMytS`!uqH;_h7rOgQ#N!EPx&>e
z-82Q8Q@&KGvAq>B9Khxb`>c+o)Fg|4^0Ff!WktT>rg-_+$fxbNx6BD7)p6#zDe9!R
zpFaaY)(_v-4hr2i2&o+8BUEnu*37ypsZnP%Q1!YSlBcVCKpRJr%%I!}AzQcEQlriX
z#LDS0k#4>i1c+{)ESfxu>Kdhg4%iN0Bk47&l_>bG0|f@)mQ=WUp1!MK-A(w`D#*2N
ze>PF92JUFTtC>~;s}e|8(kgGwbk*!_Ik+mvcv-^B(e1b5ms|<G%;Hjdk5HLkar?tA
zWmROd<kdUU%5C`Z<EZso;knn(64Hg2WUvj>OHx>`Yt!0|yhnOmQFnGkzepIG+jiWY
z08hL|>rR#0uzhdLR&JPsM!7AVB?t8;O>gT5n_A$y?sWK2#m+!329r*$*B%gr+-z*K
zQ)V;(`6SoH9J(aB-)a@6uyqyaC{KulPTKny9qHNY8Qo7-TfH0ly=pM4rybwOUKjYS
zB3)JttMf9{Cs@u$3eVx3TArf)zjMkU?4!FKh3E31xq?@Wveo704ILdF^)Ie!Eu_^|
zSEF7N<XTkEW70v$>qyPJxb*f!x4QEBdCKT~RMmar(O^HLtU<B;44Wbq)qV!0ZpNXx
zRpd@7*1z)Z$@Z5gZ;ejq@ksELY)krZEAlGZU%~fQjiP-I-Q5wi@44@ukk2=*ZiVZr
zL!(U!!pcy;TXLMOb|NZ~*}D}dT6NRYD!N$TpH9Ku(VwbZcW+i)wzZllaZYQ446TPz
zYya2eGl#Msw|6;~uQN-n+uy$2us&ny!?jOeNpS#9FzUFM!-hIPfrLRF??0KN-=TiB
zLSTKe2C}jj%}CjT_~E$K{WRTE#<)WJSCl1ZQZue=oYJIc;dJWu@86r)+YfM9|B}qf
zyPqgaQ1Ab~`M+;}|Fa&j9+U0KEd<#XfIo4r2)iEL+APxg@d4Uro|r0c6z_GJJ;pvg
z{&oEJ^7Pr+%NMoR$Ye99+lv*zx}n%!PxY(W*ED^6a&kHzzy102x3_0cyL#}G;Mu70
z0@*b2Ka-{17;1jtVuxeD7fDB{PjvTfn7uA+H1A<wgOTy+$>r%Q4>5O-l}2yA8fHF+
zW0xqpJbycW{p0xL^6cW(*~=GqPd4@2z`q1?{IOh~j$gjMJUM;)?DFO7i#r}l?Q-ic
zJ(6F}-@f|o;`EM(V6Hm<qJ96**O#YnPoBRXzdF5q`{MZgu7}{+G+%0|`P^pH-Q{bh
z@b&og?fLPG<7cN&-<~}^eevq-)o*W4|Mu$i#dx)V&`M2P8gxs|s;O6}FOFZly8G4Z
zZqxtL)PC~(?DR|Y|0Jd4EB4<=n=dkkvAdb+%Z&q8?u(aCProc1eZdp*#aZd?RQWBG
z=u>vR3UN+#ZM?22eWgO&ySx5)_qKgf&${O@c2HMOV+s70M{B=1u%qepZkrE~$ou!z
z9(nKF&kA-$mjBBcC{b%@pNUX+iP9ZnbJL3W_d{jfy;r{`ukp0HeXnVdHIdbjx^<|n
z=`cv`#Au1nEkJFv4YYnFRoMGE&TrM96#%zqTPeLJj7WJQ_>|P!T_}}5BdXaMo9KH%
zaH<v|+{4u@;a?8mKa|Z~%W{wQqN|D*5Z&JEuI?x)_qvBiYv*9)1>m(x&HFtX;-J}$
zl|ZXFiQ$nKD6z#H*}$TWPN9Q3<Eh^d+40KWPS|$$Rc^j6^1k*jD!dclmAfgI7m2;B
zzfM2iZHL?MthFvY+z!(l{5K`4_ZvGR$3Ma)kh&);y*TAnkz0+g4frmGxP`>36V7dg
zR(&ulWJFo0k`(2mJDSMblC@8WRzT*|^NepvlN(&-^;}>B7<yMY!Y1+2TE!iDYJ)Si
z>(p4%t>s12qMbpGevcyDlP+#umfjeu)o7-6BVyT9?e4;k=4!RJhz@Iqfq!P`IP$Z{
zclFRuF5lfj4+*O?#e2=I%B$Yl_$qi?;HuHL=1p84PFD!hc7K{MDnk9PB|2C2=ZlEU
z+eu4%ptuoKcPjz8UO4(!6jz^oYe~5ZcXurW*9pKa$FNQsb`Iln1l?L8XRL&JcV&6W
z?cEz)F2ju}0k>l}i<DPp*K65TRjcXo{0AGI8=Ka8ZDn}C)=M8*ThCiJww)l~T8M8k
zjkjs}*0^imv0RpH-WWY<k@XfpYE&Gp>{rJ*&fUqSTYuJ`|H+f-XC3^ppAF|f4<A2%
z(7yj+cmDIMeA;38?dz`B9m(007t%YMbI~sP2RQzDyW=%q?A**2^8lUgJSx#DT8XKn
z27hdx@?5|ETiIMci5qM>|NZE3^ZeiN;iKL8zpwInzcB^Jx~0D+*Kd8{JD;LC2vS@2
zpSWs2lUuk2y@xJ@N$BNWLWgoeuW3r=BtaQZw9;Qa@h{f9bWS40QEuQMqFb(RgA|;@
zU9oWG?S+GKS{ACnIgis*!E--Pu1j!n{QP;)FwH{rZRu_Q);%%0VENOTDdhu_<!bqq
zit<4&_}@vaNK!sY_zk<kB00V|)6X=B7ew7~aaDC!KRmlQsXw?ld+H6SyfGT!iXtT=
zbg3U6vn4Ro=ad!iR=q9qJSA|$UFzo?F$KRpFQkIfrqjaQ25eQuJ@gY7Q<}hCh4$ui
zJrU+Qz$kEPW=5I0D9n5^{BDFEJ$!ioVSv!gUTpnU8+8uDOU~6#G$rQPk3;Df&~w-G
ze|rWlbopt+GNsXNB*7;BfB#W4|Hu6Y!(INzukv|cCM5ouEIXoPdv5A`sFBa8Dr*W{
z7-FGB9;|mCtW35X9kg`KDs_lsa~-myBjUM5xm)Uacc6u?I)Um2&^jf&>4fk)09}n+
z4&iW=m-8}0A3`^UF2q?XLD}3-T-}^aGw<sP)H~rvXZh}|{x{ckKUP;m#;`}<Tmew6
z^ZG7?(k<jExR07z?Ka>4)vNB0^Vz`v-4(Q2{(Z75U}OHLM-Q6%|KWoj|NknV7PsoW
zkGjE?SKTD;^!*x;Ze@SVs|QxF)D`zkcbW5B)v37_Q+KO%+ZVj)B5gmVglA;TYbo<S
z4F}*}EpMM*J+ksn?6Q`<3L1u!r)Youn4t6l$hDfQd*@^QZ~0lv|35eJyZvn7|MwpZ
zA2<EKkMHmNKVRk3<^S<+jJaikzduN3_w983PtE_nKCQ3KwrlbF$%atLy*m>H*W}gb
zb${y|?V-&Ue}^O6%5ZCJ`!&#=kd$}{_B)cs-(i0{6UfpTLgXK{TY&a84ZrKMrc;6w
zB0|_j2p#Ifl*d=Sg9Fs7=BD>m=e7&8D^OV<`KM(zW?VHm&Mv$0m&tCd34b%XR}TNb
zck1z77U(VXzt2hhY(E?A|EB(Tba?de;ZFbi8lSt@|Nc0cowrm2KP~_BF7fm3^WWgJ
zmj9cb<j?j1Y~ufq?>}tV|BrY4|0{jAia9qaGY-)HmN{a$Li=#VX%Fpdb#+zZmem<d
z4h{|unqKEp%Gi_NcMwFf4SO_AYz%?-(~7u5_Koy5x`ca$KA`EN2ZY7;1hjvqePuNp
zy4$E)J38J`xAwkSxt@)rqjtSOv${)%&{5I7YF05BH##bq7j49p*)2NpQsu5{RBWB9
z@2K7?QwOqTLYXpiXgwoPE4h(R`i;)Ev*xsFH*@^7d-^HC&>Q$as1~0q05<Udqoe!H
z_}|A5j_&XH|JV4m&On(Nw<f@94h+RS7Q6xuzGbjOSG|t#g2q<er`i=OI-RabOx`H7
zrf*+78hO>!nMTeo47~DZouPD<Zn2RL=;WOug5mV+!cM67VBLiJ^;RNn)qHTA{D@P`
z;%Zp+XWe6K)!Sx(ex)%8hD(U@Yd7n^T{rZV5Z4fomt!EbSqM4?X#Zbu;hpEn1y?-g
z=?J|#ahYlq7IUInsR>%S7#v{TVwDe4`sY(WEymrN@v0^HU5olnbB6xayzzg+XB+vC
zjceh{#s9SL|9Sj)xBvT9KJRaF|6ASDw55*V99sVZci<Y&*tUMLrfal;g0<>R$61|C
zFdFeg9xv3xg3Jwdw7%k3gw^l*>1tw4<y~yg|LD&){NINAeKG$3_^@^U>u?wU^L0L&
z1-F#ob35Um7XCS|0lE9|&qgP=3jbVRr>1&uXQ4Vs+uRqoO<IQrSlLJvQ{{6oxgAXX
z59l8SSM5Q3@zbhEx0G|r+#c3S6QyoRtO#Lk489q{+DfU>D4%;dHP+KgMwFoOC4rft
ztjYr4dSRx%BV2YP#0pd1%_S|*08rn!JwJ_5o%iqCx{2{i+>yNQ;Q!Hrq#2zvF38>R
zm<{~@@L_BJ=i$-)-Tu#4`Rt(!tP~OEu&SALbh97~O$(aBImR5vS9nfj6zri_3o7Ac
zCKpN~xgcqZ<|&^V;-zffM}nkqoe3;k?>S~ku!k6#1Ghx`Ib5qm5_Ch=0{yRp2)$(K
z60Qf$O_xwk1WG9*Q4l>Hza1+sNU(=ac$RU7emNPVgbEo%bE*dL*K|LKrvDTJ`0E}l
z<^%o5{gl^iPyw3a_^Qa!jHW~e_ab?d2lt{Wz6$O|D%0P&p!49~{~PR~U$CIOkm&5`
zsSF}}ZZ?Q$Lh!&87yR!*bS-0^kiox$GTpKMFHeu3o}Wfpa#wAvU;mGe9z7g3*8hY1
zkB7VU|1~~)U7>ZsSpS#k=VD3(BZ^3L!^IU5kgiU`ilq#BH?7$tE>RHd?V(rC|KsW9
zC<rE#Nz9q#DG9zoTBsmFa*lA4psF!Q&MHTP!ByFqUdoGN8c{y*JGF<-iCXXk4N-_*
zOWkVi;wsk&=q_oBvSlcY?DU%JxLgwbR}hAhDD>^hdvU&f^1V&qk6s*~pZ?%=<_Lvo
zY?4D(ct9Cu1y0k??^CaJo!y(m-$8$UvgCybv7B2SZG8=UE!~sh;l`5YPP-?=o}NIM
z&@-k4Pl{MG?jQge5HGM$Xv(>gO5j`~+(AgFihM<!A&lNs6!rVQp7{E_Q-0u}phCJc
z^l$!3(##asbfWPY$;E+_OB&aBPK2So3qc@{f~1PbAPAAJjPCzA2z_cEM&JDz^wu{o
z(}W0gZA=?kwPHz78#Yx32fmdo2pMEp_qAjG_UtUn1C-$<tR6I7B28F=me~O&kOgZJ
zxlL|=S%4DEGz}q1vjPlqs3hYBNeW#Avjk0xxkOW<ZU|v0qY~sTNy-sH^HYLkF;yvv
zf)E}5vk(Lw|2(!iO=(<5no;O$$QmC0*+}WjACFJmZBr$_uR$aNo=-GYXbK^a4g+3H
z+Sr+x(uRf>Tq=?vtk4@hwF7wCJrmyh1GK<;;Cj^j+GOBR3%E+Wyuwzqs5s^#(Uy!E
z0MOG@k_!?WHAK-&>+NJydwWS$DRh+%BJ@JrUuuCB!e~ZrbRV=4u)x<ukB`ksQce%_
z&rS?Xp6(4#%gGvPdVSRx#Jzi*rOSKwDy_@Ion<T5{xnO*5<HSrj~d9VGTtY89qMOh
zR2~wsxYDyA(d7DQqUofZ*^-p(t?mBY>0vUiEDSmqSdjz>;~akIk<J9q&@lR&o}#}*
zfBSO-AeD}6?%gwz<KDgCH(nsQ;6<9Cc)__Ox^f{&RriM{e~AvGL)WQJDl?tTi)l)w
zUKG%i29^9rMX3&Uznq*7s38EI7;>^TG}?#J-=e>5XbWLMkRv2mLEk4tVVcSx0))Po
zMV4W){9y&=ORgKDSs~N{_$$=@e&DJGFBzhYDvDD(9eM`p)osrRnt1d*@w@32zQK9`
zTEf^Nbs}2vb*M@Tm_9|~1*0)eQA#svohFeXcs!dy1{$P=<YXBAP4~xeP&dN>tY5C5
zqiXic&XRXjDv9)h(G6;vHY<Kj=ipzp`ms=ShGVCHINQgvg0`}}3h;qmO0}uJ>>7{7
zDUh;Wn>Sb_8sVxCW}PyeY3i!g>Bja1sMb~GXvWi&-#Ag@Q7VxNJ1U(nE4bgvYAK}L
z@<*&t6a=rhTim9@7}m4XWSX7B)qn)jf=jrfeYC6=_KXUtP{EvTr1cp)_wLc^#a)}e
zKAMu5He7QeW?W=$&^~)~uo$^n!z`lU`$4%RJJ{G?qC>;RhCwh^npoJpoWr3WGW553
zr@_SBh=Hg?<XvtkU2%75fSYK*B(74O7`Z|<V>hf>kQthBQNo|}wQfLDEPy6zH#<xs
zbT$KY-(UvQaz#iEO_j4eB@3*-3Egl<r*-YDkjioZL=Ek=uUnZ!R!;<cJM@=q{l}$C
zEZawn`&yx1y0DFy0QE8s@)O<AG_91Od-tLMBm(rsUiywC&j`vWqZv-^!MDOpRUZ)w
z>{0PDZ@Y77It85zWb_zRzhpB)XV5Dx)C7rnmJybi*-AK?a<zzp;1s}vxE>RQCM)d*
zvnE}St8@X-XxS#>xe?%Wh8T&7l-LM<aqpgOLTYvygZX7fP#>`bvfzy9ab<cXR3#<a
zH;TcerS8K5Z9lFqy`CJH#c#KIF@pOro7gs-22d=Fkzo1*3mSqY9SStg?x8owzm9+3
z-@`XD3`6K!<EGP)&q9UgbCQImBifARKv#cua{BxJ-aIDotJG&TNc}y;SEk&{oUpON
z@fA9U9L&G(@9~^yfbmsm(lQ@ty4^#^zm7|rvfdS78_<;|2?fD%z2uCtM55#IGpTDx
z1ge!rjHUtDg4J^f8oe=DK%dXh6zk<}^|Fi_)iA^Fkfi@4PDzLMp~Ug{S)@6b7lZl)
z-{`qy=`sQp63<;pW2>VpvXn+5s(67WWmIYFqWMW*iv+t^M`&UX_;d(9YXukzUsLY;
z-(J4HL^bPq5`^d%BJ{EZ>3nv4jxLDEsI*3yB@K$RgN;k<$%+O{Eq9}+Ev4t#+(ufK
z**A;t01A5%x?YW+Pk%#aPk*pOZHMA|Ma_L@y2cL^y_|ji`$p@px=<_#+?t0|i4rPE
ztWv|E2u?r*u!`0MPrGfCZmV>f^66@;bO2Q2*5Ux)$jaHbXBXm)488sxba`=Z?aVOl
zhBZ@In>|;2_1qc9#BmB1vZB`{T^c$Ej>B(Q6U~3fQB)<?l3i77E3$J=o4vhtZmHl`
zsusLZbwSiG#U*A43xR?C5tD^cB7)<E(^<g#Hhu<bOCPwF=2rcZZ)v@rz&Gi!umuss
z2=^&LIL}k+EO+2meT1bfKz-9ZA+LA>SWYn)cCk1C1d8>on28bHl}JWQoTcFVN0KPD
zN>1)eLW~Y4Aq?U`OHRF>Conq`M51}r>GJ%y_WWtlSQBzV@DmpuBGU0IkTN%1T=n&A
zERDuCB~FBvJ{S;4lx+}2HwzjsJb|RCAh-*e<Q*INVPgDMMnShmg2Ho@aAMTJ40faX
z)~qz0kAmQsA@UAqc}ma~&kdC$@-8MKSB4Taq0|B=bh*Lx5U2S9AGySarYjv`5?RS!
zBIgV&clIk)5;E$RSz@)?H$orm{_&gYUW48#SlGQ$?^r8qy?*Z)G_~I7jZX}tr$okr
zPKloOu}>hq{-$zgjs{i~eU1wjFHUND>x!bU@VxnIOw>~%sUXP-&T&lDvQglbUi1tr
z;`(vMnuF;5-tW2NKD|-zUeCo$|8D<BQ51w>xN*{46Xv$guFyseP1lU-RM<VM)r^<=
zt}Le-WcG6(>?ZmjxeOtzOLp|a)&iHb8MUr^^_>id(RX1&rWCXA??g&ULYyU!9)yeQ
zEF@DI9vu$93lE3k@IioF77KI6OFW2DEan8B0~;D4C}cRz2pt+ub7q~RZb5<C1Wp1*
zjD(nMlD-`ynwX7jT3V%15UjNBlrTOc`p$F(Sk)Sl5CmgF&>N3&YeAgwxPX+!n!3M^
z-qtXkBvD0v0QMI)rl5XTfHZXM4a!8u^m%r2Y8YVUFUqmN8Bs(SvFq|ugT1>(5yxx^
z0!eGu#y$yMm!HgI^LUM|S(k2f9-07w{)Q@*c-vUgiMI*Zv|4)GORUTFjLadx{qwVD
z2MsCL_jHEej?bTO(iuD>db9S>pwr5Gf<n+NzOZ8Pbta*%VwBz4TA_9o>Zb2JCWePp
zJ28`b=O@nLsC7>C);xS$MyAx<Cg*3*to#2h<LWI;#H>iu(mkgioS!|5kk*4NyXse_
zbylQ`Y7W-)H-(^&gjzluS4N0KT_V9Ene<yPr{O#=CVh_)YI4EIbROJwjT)24vQdIe
z9(v#OB=2&qC1};zY501izR_89I6wNDzEMW9spbXF8QY;A8(X2YWj&$|_B3$|g1%+n
zYR+rivI%+DN7DIEu|kJI7$Qdvb;XofigdhG8z6+KXwLaOB{-)h{50lSUMMoS9u90=
zjvRb*aryH9IX!uG_H^)1&WId*^PewYoN8(sP+x)@HX!8So1b1ke;%HnJqvZAHZAMU
zI9mVa{P=I<v;SOG$`blF=Vvc;sZyh^_Fr$sb{qa44WpZ(HjIQhVJgfyPdmD~Vc|A-
zrf$qX!9GGgXu<|WhPj|Dra4YSoaZ4;dd({3;r12PVki}wq!V84))93xGH~@t?_Ir3
z?_|1HUcu95@B9<yrtp;v9R~#)t18_*Qr;?GW_2^`vQfP}{eJxO*n8Y{SiRj7z1r*G
zdzPr0uFfE+Q_Kh%f9IsM$RttaJ|{Cga0ZlS@2m6qu#3qsOi=jFur@C!Z9E8b)m+2(
zMT2jXvO$L5ndfj4MFwH%ie4cLI{N@^`TV;9LGYBo=EQMnFQv=AT}{=!f+N%$5Ec8n
znbBX2pP^U78p6_Oh?P{)qjfuGf!hu902p1tdUzLHswfCft*UF(0uz0RV$3wW8829Z
z-e|u0`+gJ+qG+>HXr^soMUp%KabPrrYI9EG%dq87c7n}Nw)9jP!{hh%oE;k;U!1jx
zuSx*8mH_P}^4VHNbJ9sH#_*aLt=wSl%V^)#SUe@%Iix6?*JON6oEoj%=;UUP(I-sn
z)T)VrYfPtFztH+4$X*ZglQy(TJ>%iTf6%-Du=cY1&fi**llqb|fnl#%m(ps~>vCUr
zQW4jr(?wPltx6hssRg9A(#+0w#;=J)j-tH?B`y0o10N-plE)M_6iY^AXkWuH*+PvL
zVjGHr;0JW?-Yc5lyEj75sZ`KH8GT^)&Y+_yl?wLEKy^WJN-#6cOjZuWAj+HOnghh&
zemXloHzT&OmhL_x!%bQNV&Fyv^B99i7&erNfDPs9N_p6OvU_p~$qD3UbF9e4QfO6C
z6lUYeY})yK1pl69Sz6`Q)rvgSWQ`SRxoMr!(nq=BCXRC7v`6r*gn^&<s|#HcoMc~V
z$AjW5G&ffrz|iFl)jGWOM=M-~U37%!Wq5A<6k1mUB8eK42`S>tPN+Q+h3vsgiT2Mf
z$HxZ-r9L5>hNQ7$V81BC|Ktpv{ygqm)7?O_XR@8ds2t*k9x;O+X!&O;_|5trRTxir
z4Ebgv3{3;-$(0;H1fm)gl8AXh6Ee`~0|6V(c%{$Tj>%}Dw4tjw!q=P{M-EUkM{}Xg
zl8S0oMe`=USa(pPu_R+-+i;PXO?}-)mZwxMKoVOsNv{VJQ{tRP<+e2=Hx)igzJRCv
znxKp@vpjO^NsSPCg|7&T^~_R+-gwO2P=+uu5jO5_LGwGuURVZ8g<5o6Q*r|c-E-B#
z+7bmk3nG=Eaf#W#>t0&)HpvDeN~X&W%8r8IrM6o&N+G;YS1)l_(V1_Xf&_1P>NXs8
zj(X%u{+GoPzLEb0n1YdE!Fo@yU?Y4ZM-*qH(eUX0gNKhEfA^Qe;n7H!8JsUQDVq?B
zwv%sf54{q+n5IN7IM+6&6(v>)N>e0@IMyB3wlbo2nVYRGjSev{%$}E_0lV`Qp<@X0
z%qT1La>X-^J7>oR6G$+uQk3$!L}7}0IM1KJj%tfB^-vgUq5b6HVd<YpInR+=2wuz=
z5Z+>fVN!ZUjMA2K7~xxQw&r{^91ed+7aXXcL0DH{!bKY8{_^;DRK_f2T1@B$gF?|%
z>h}-sKl~lN;3(&b^9H!P?gt1nMa!Q?Kc&o(Pah>z;%Qo|lM9m27(&KCZcu63>+IXn
z{lnkUPc&5oRv9mpi*v?$7Oj_9n-Z!IfffiuKY>r`x$|O*{D7iKVs{iKh^juyG3<uM
zDc6dwQfBG9MN-Xr!8E6toEX((5_#Ku!HJ_1IjYj@cr$C9^tP%y$=9X8yF-3q!&i!L
zWU!}cQdax75Xw>R-nxpwEuRcW!^4rWsf{J(S)K+^<=d$?@_ZPb+UgT5=OcyZPd4s1
z^taq;E8Dz&@}TmEv~PzDUM*k=5C;EdR_(~}-yunRx!>plpZk^q%pPG29(o(=<@FXU
zHD2*adQI9Yk&B53!xeNPrzfHdqtRqqHpoIiOl!O#@l{2IWjcx(Rnke~C5j8FcxDsH
z>Um7S*fEO+!s@2W%9Y%>gVRLU!Ucdf%+73?2Ehkp^1#`&c~30@^taL}f<6QvLj5s+
z-M`v5_!WFW9oN}#NK}hHpvn7>6Z8Su7s{OCQQX7?*iwERXoLWwV+L(V#}zXXu#~Zs
zbk1M}L)BI0ANqjIrDYlxqp1dVT7~j?@mShOY{yCU;YAq`VV%H}jt%H&O(()|`$oZ8
z*LNpc@LX%+Gs;Xz*B4TBb(<SDiK4AX;F<4RVb9v)+cz+eHG-yvLX4yHvu6-5paDC3
zVtY{5&$U%Qt$V10-pcfDkiPT-n!Nd4)0yYwusgk#>;DVQ<fpqEI)()U_D9t-dUp>-
zXIzJVkf|x}hS-HDAZH)oMrqOOuPNiFyj;2VK7KU)Jsv+Z%gJ@H4_2(xpe8C$y~(Y)
zDO)r9lQB8^-tj0dEJh-9tl(w=1#T)E4~1xD?n2})SI7&rExSIc?G=sC_qiZHl-Gb^
zIUjyM6=?7S^7hD&sz+|8e2BguK+VqaRNHZ#BYSpo`XvWJ=Z77G7#_AqaabEgGbL)p
z*Lyvf;9tkin7JZLboLbOzo9dDtPLp>MWjuce`SQ^fg6j7^Q#Y|kfBC-I4s8_OsRbz
z>m5?6gxXH~x&}*T?*x$b$Hi154RUih&NFf0HipV{%0{8mR+^yGLTSCBbUkSvP@bY>
z31t7RXGV^y+qyeY4l=sgzcSzQwtch}zGgqW^&(3dB`@=LPj1yfSBB*7W}LIeiVm~u
z>v_+<mDanXO={RJAxR&pWo~2Q?bgcV{N(NTYxdH9sNUM2Zs+BP$*o5ANuw$?eTPsg
z-B@nbcq^-RckBN4riW3_y<6e(R_%Mqxw~678>M&J=4(l8yv-S~1hqVUrwEgVX-+v$
zbtjCWgFc{N7sMUn0Y|6?@vXE+ClW+03`jt0fM|`+<2P^s$_TUb@mU`cCR;c?d)jYI
zvDuTtoht{1E{QX4YDvpIG{V+yiOFBiA?>ND)7W_IK!0s}z-%1CxN65}JYZ!W@){_7
zBLUhgw-Z@b^`_KwXN!W#2%Qu{5T+mtOS(i8qn1yM)iiN-%*1UagM-E2+5_~MW6GK~
zpknpFxpgB07=D6cVj-LN4)Iadj(*<U;O^I3)<qm!J-#?|_*t=eRmW9x>o=QcDy;4b
z13W@4#ZmRx%nE0W#LD`$y$;yOGElKjoRbWY3Z7T9Sp2=ZC*I{`UL#zf>ZY^m`J_3%
z@+4lB!Lm(S)jR9#xUt)QC6OzRq~e00=WtIQg8WqOw7R+f&%0x;(TU~`W2fAN7v33y
ztr6<hz3a2<@)`zIBTbK1*P^`NbxYi~^8okE)rQ@5Pn~B;nxXN;?(u$I6VhV3!#f=+
zUOmlen3dEVVwQw%4#IN3YP@6$zZ;daV~3~l5mrmVdumMg&Kb}wrW@HXiJGCOr1l)P
z;nEwtlqR|Wa-Et`IGc9dr!ylG>=99OnDrN)78x<rX-`GM^K;mYu?>4AWqG(O;Y@+*
zvTm#0L^%}F1o1IMnZq2a*13z-Gl71LGZf>TqB&s%vMTsPC=cc)97$e!NXzx?6~z+W
zkTh)&YWIf!dcFv;2cO0bS1jI7Wr<x&)GkHmoOdqZ6V4QQr#c*vZ(I?mq|4Yb7yy-_
zR7+3;8+-$W<&_+in_*$jA=Jmz97qc|w15Z3@Ts;a8d)P-u2Ju8<!RLu{M5^*1C@-R
zOPI8-?%D*}8Tg3`sbJo$hZvwv{I`<`{Q@U@Z8Q=VWK=KlD^-iXa;aVrrPpVzavx1B
zWV3W$a7N7Wb5Fx4kJA{JyB0xi4Lp4@?l;5n^^$@;Bi&U8-Hf(*PJN{krQd<t=2n$-
zb!&h&NvpLW?1ixx<^owty5{p0FrrpLcd%bmetAV~<O)t4DM~bP*V7tC)C~%!(qOIJ
z-p<SSFc;gl(Kp+<YdWmBbzpCGfp4uJV?suECgofU1J~w2K=eqIC3bS$y}PwJ>7{(G
zxKs(9+-o=!iXR8?p+lKW<#JH5mCF5)$mWDG88J3(#9U&ABDbbe&2q`D5Sq)}la-^$
z)?#OFliSXQa*1*~G_r&!k@5HZU;Llv|L#2J_4oO`{k{49KHq)iX6SNFaq)Vk@|~_<
zP}$@3vm@zi8ywO29K|DtX;mXUQ)ikGXh&(R?iWXIk{Pt7|8X%Tb?N<TRGP-cf!4)N
zB7REewoCq=hKlkJM)lT&xz&Q?%8@8j*n5B~L}&bAm8p|F!hQfvP|-f8tdM*gv|#)-
z9OK-f&HnOt44$s_xj;7Td;GJy(pr$0%=utW$u9#li}bib^*V>vLkwT=^~rn2emUt6
zCx)cRp*iwPQ8t>01MS$N%W#j0>QHEaPQy*Up;KhN0nh*PZC&|9o<&emKE7wOH#-tG
z$dCf#T)iI!Q)^*`oXL5(0y1wOiKtLknO4|UOpvlqtl#*JbK{MYw(bq&gOD1ZTgNM|
z>uu&F=I~(;nZu_vup@D8E6^E{Uv#u3bamc3Yf>u6`uXHVl~`;9e^*OcFLtA0ZrAKJ
z2Mm|SGzbDCc5bsLlUfhQBzQX->!K@IHjIkGq7-01W7SuxD}$`({@?-s1|glRt$6QZ
zS;$5ukh+B}&-M?H{f1Z5IVcEnIA)-4r#s#_l+O%%lZ_2(ke>g3d+67^rX#l1rp&j#
zV|Bd8I8Q_BK_FuJxSlElBnRU%9E@fle_lmaJTNZKLDFG)GN-E+&Jbe@4+o6Xb;(tj
zY#`D$sBO%biiVQgT1vsQ-OI;=+7zNPS03&9x?_LhY!*8q`PoS?CwNQjVL2av*;ZRl
zzk;vNjs+qhOcHmVaXsy<+&FblyO61sm){n8IUruVd3m4dtvIb1$f<Y=>g%pTwYuXZ
zYaW)HJ_#sQ2ey}H!M&BWQ(o={E!)~Me-F!Wa!LAN{mFUh%L|G;ZfQi0QV?jvKH4@{
z{ztmEaMViJ7Ap;4t7&6+F}t!h&qsCTL*!E6z)*Hb`m_e{PBJ#9MRB5J$|N__T&)j=
zT34*f(zh~?6{!`x!k<SDSQDx4tj=eR0cBI{lgNF4E@M2BQZYj#392YeAHEG^@97e8
zPsy7u>)WN@2rF5KE?~CxRspka)%A_K${=Ae*d}i}Z<g6Gyix;05<3)UcGFwwWs|1>
zYsx>whGdH~5*JZUPt94bQ%B>MLvX=sN1_E<?JZD>u=A=L{$xLQ;Y_f<Y||QVw|}5~
z5FGWC{!tdIBw*fY5&<gXPpE5h_&2cc?@CrL-V+8_dU6R#?xOBw^EBkMnU*>Gc-nEl
zPtCQx@|lk7se*;6L$y-;ZW$2nfEg~(Wc<hQ_;p57nn~M$m}fp@<r6dJ8Vk+9M}(hW
z@6P`VykVz-WwG;p(~s0884(-RrH4am80^b#qWK{YR^&<#PoKW$@%;m$VSo(fBf9S_
zOi{<NtzB9+xA^Rfp8n5@nMpkc_B-7cB~};>g~aCUvSoy|F{nNDvV*3CpWs07CG(Ig
zZ<8J`MRJ`Dr6IW<`k8J6=)_IiMIS*nd+q1diQvYfNm9hmGqlhjXvEo~)wj2FiFgYO
z)_6iaa7@+uk<iZFV|`jfr&RbzEeOX#%jyHn-$fnT6Ko*DpJQR$8^Z@*NisMVPx~c~
zx`cf*3$H+hIx(KV&V1i#k&HF%e>EPZ1xE>ry&b0EPl_f+n+Csn7ma3`j5=PGI57%F
zP@mf@8G`hw!kD`gzpqMpMV~6PigQHElwMGuz@``De-%_rtaywhezkJmdu|Qk!16qV
z#m!6pT)#jNL#qW%F(J8}sj`uH%cv{hYwefd9g?%QSeRCBv%pLDD9lsT7)eig9@U)g
zD%$(^*AFvxJE*zVk>+^nb;v5|<qs{lfoCw<e3)cfJUaE`kgjiEpmTEpWP6GY-TP!`
zSp$v*X^{5QZ4IV7tZ^y<Rp1Zx*r+Q5BA08i8k}27EG=c>c-I1@Pkg|ji&xjokMM;Q
zSNqRs-URz`m|KPy!sWgwqEb!_JD5=^C%pCZ{vu`6z<XM_qYH;EEv&h7{gn9Pm7HGc
zw3h;n7Je-ExA1~caR=~poV(R+5(bE*KYktJ(fb&x{9jN)c$ETqfr!w1m1BVa;~Snx
z<M+$Gb>odB5NjR5Y1jPrgM0a{AbU~28HI2x@-FwK!ERL*f)9y*CuK;}?}tiSA_P?n
z@vqD>U4*tQb-YhMnRx0O{L_L-7)w<)!z2<7nJFFBI{4ZAT7g${pV;t_I*5>NWiqS7
zvz!%@S3Jnuz2d3qscE6uCxf)MeX|H9mdBrNsE>Q65&QFEpR4AR`zj4+wkMgy+WH(O
z9vR!HXMZEch<d*am5kL`{?lM~qGg5kuLh&8h)3{0>)GFlF$=w4MoY$+mh4Mp((u;j
yXa64z4sS&t<Qmzvz6%(rlZn_G>`Wn*j1kw?%{Dg45<A5`+vjOUEr3i3z<&VJzA;Sz

diff --git a/kubernetes-config/helm-charts/external-dns-1.11.0.tgz b/kubernetes-config/helm-charts/external-dns-1.11.0.tgz
deleted file mode 100644
index 3feb4c53c55a7b2111dc724ad498dd81ceb01730..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 6955
zcmV+`8`R_<iwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc
zVQyr3R8em|NM&qo0PKDHbKADkXn*Ekv7d6k+c?*xB*%|N^PO*wPm;Eolct_Hr{{j-
z>4XrulF(293qW$*sP}Kbg9o1?^{^G^QK2)9OoEHWzJLX=3w*CoFp~H&lijBiB2;ig
zrpY(EEWKW@cY1tm{_XX8^?&=Pr@e3b$46(!`oEKtZ+iX5r$>*!f!<EBXel$Pi1?;=
z=eFvd`$7s~j4PrjXL8^H5TWRZL~1e{29$TB31MTD16X(f06x5<EFJ)fV~oucfEZ;Y
zXsRI$pmVO@fSjc%7YY=Ih_ewL&jdou<ONS?bOW4$njrj$$rK_jau8#h@S7<z6?C?0
zi418%)s1OsCKaDji3WH95u_4C;rONo+V-s(_`lMaD2(B`(~f7aE@6&BQjI!?c`xW6
z1xH%|d}`l8j3Y8jR1<m{@N0|&5`{s>BPspGwm5+Kkw?-r|I@baRaz)xDsNac5uDLK
zPy)VBxx^U$IUAy2s8GTsiaCu?0%0+{U}J$&qJ(RzCLVx>kP1GhF$x)Y6F$WOOq5FH
zpxYf&BN`E(cHiXyeM!f%Td^b_jWkx<ekRCucS@u}(WTRI<z0}nvG)#duDOWi!1JL1
z<oS@*j9K|F-~MU;FKw?qAE@oJHzkxQLKzAJ5T}GD1CR>m7))q-jY;zNv3{r#_W&5t
zq%iN@YtKHav?uvYL}(yxO*M6s;s8jRCNwfi>CH2y_k(^v=y|)=|4RFFlFU%<d;nNu
z|Bw5pM>YF@+&k^>?f-q02k^|9B+GmlaZ!=yz<U61CR75IK;VDQe|qVUxR?^9?c<0h
zs4G0fC?Nu2P6Q>x1f@1+Lxhw_ZF?wF9B%kbfWm2-5QQ@EJUS&~)Ps(|luN3(xEa8^
z?_@BJgdTh<qFGTffCupN9EG5<Zfb&HV1XiIxSnu{xt*mF<{v&lU}rYxxe<jw|MWoD
zA3#T2@pP6Xc61uRi_t5tE(A(s%3*miOOi`%o0S~E)vun>`wRmEVl+#VrH5X`r&G>e
zk|8E?03ZJJJZFW@qlnL#8knwJrWnx?)h2j?YJvhtX03qOiXbO^mc*K-c7)KwjQuqL
zC1z*<ofm_-W&nv}{g0+k4V)h7O9Q{gOn?7og2u=JA2ofYfz2cartXUoFs?wNGQ)_)
zMbleja|px&q7uf)P?*tlCMg>mz!|l2dC0A+rkWU%sEsnO|8f2l1Ue(T30X)SQ{7FH
zT%edzDQ%ZE7gtg2Sw2F0#bAA2Bbt};xXj&E055o~t1p3&6C&_J@Cc=RMW!fI65#+w
zB#~$uxWs5CsJeN|nZox*W=8S{!Ds0JPESrAA8V;vsv>6WT)yJ$HRmd)g?acdi6Z+_
zD<6q}X334N_dQKe-bjVh{ELXBc8*2SOb`KL!P5a;b<SVD>=+t417i9cK22tN`2L;>
zsX}cUejy2sGvh)84ytwjP1WQ_F4Zek;bHCbLkJ!05V(Nw6=xU*UOtf=cwQ<fHyuxi
zrJj`_r8&(Em46T<!V47C5Rx-JdC0WzC(g9l(fvZE?N*%8y(~5*27@+bDCQ&?KwnP@
zWF$z6Z|D^HObwvllb(lcZpAC1b7Uyxh2TSD==6Nx2UM1hDN&OFbSFp>HTlCn;zHR;
zlWB=6N|I-okedv1==Zd-s`SP_Qx=8%;fa<KLX(-mHxq$!!jpIaM;hf>q(!atwC{OZ
z3h0h;J-HLAr){V@-f6@v4rfo!o-`OV58o?6e&NY%ica54Pkzz{%{|V|iT#f87%wrw
zNQ;JfqIjZBSYbHGXr#M*lf6!P!pAq4sV3u7&h(U?=HL@Peu;BT20+<}>p#CY1Ly#>
zu6kZYq?DlJF^ZR*r$4jjb7U$v1^L8MyByhUR{zfCvtH^(uvscmD4(<BM)z(^rP5=o
zdape7Uj2N{P`rqZrl|LNq#M!q*<Y8lQTCS?b3H@;o+e7qkWF7Q$6x^DS~`NBi?MrK
z7|KiM)M#Ywq&9PHc0PmMm%Eh8BrBhtbzlAb=J{oy-m6`-v1b0?J3T(B&HqmxAD!*z
z|MyWI?WTB-@)ZcPfN;z5$lDb@0A|V$x&K^v0TmbEJWY!_0PViQi_F6q7)(EW0Lr3d
z79(^j?vn8rIuPiucGa1W$p04oe>=e>MIi%~-hC-xo&Vo^T=)M^kNQV@{lAa$;Y0V4
z_xydTeK=Kf|IFHK;63X8`KR~cgRh-x%Ifm2Kj?s8R55<HQzAVhhu{~xtW<W7VWAxi
z7QyLb^OH{P!~;5h2OKP9vHs~96rWoElH@ID7xD&vpOHj6h%t~fHOL3vztO@r^_6Zx
zcSOPvBQlc+l25U`9BR5eqL{?SL4kx$sdiV5-$o@o9Nt)u@YSWRt9@9RVssFAFGe6R
zK_VU9B5u|brCZgu9<YLInk3pqok@+S1Y(eP*si8-<|r2wrlXvo^)-i#aINn*A$lTn
zIRDFZVDPuixmw_ulfnWCURyfZZ!<hA54S`v6_lwFbpBKN|0z2)Shms4WvuyUMe<54
z)w+`H1`ui4>SV;$O0>tgj<u$0!Pk0!%A~H2TMH1FCL}`W{GSeV-gdTECbKMM(Ufb@
zw3RHL6HKOooOBK9gZ44dbuF-sw^WkO#d_%)2ujk^I0ln64T|OSfbwp`;9mM<0l&|<
z!WspZp-c%QV~qXbjRllRlG`T9zQ3kwl1qJgVbAqa@&6&yr07PQJY}xsX5_C^$#3j}
zT{~+fwY4BYbN4Beim(W)oiFQYlRDJLisq%lwVf+3hQ4aEbJc2rTWYM0I1ih<UKr5e
zpba1^_qAkVGSD6Oqq7l!7Ph}BR;f23jhjX;TZe(M4h|1fD=5~_;bBgW?2CEHniR@$
zPy?aJ_@IXNr=FSY%YBrV`F~{BVFgd{?%RQD=KrT>Cw2e-tpE6AKmWgvQZuz;NTSTZ
z+M%X6g<#&1nVN7x|1hhe!MpG5INbN_5eT<@|C%T0O;M4UC^E?RcJv_WB&^*^TW{Nr
zjdt<bpx9{KlYHv107hAiOu?}RAZ7{5K{k$X0S_lcLWl7fOGezTryjVMDUVy<IeXvw
zUe9*<O!yO}(p2#GH?1|t3FrRmDm+CdCv>EI!Dp(yQTdLhDGFO_Ech&KsA{O`14*gb
zF_Htg>U4fJbS*7=Um4O!_hOD>XdWh1s?K5Ony6^f`L#a0l_~qzCSJ<pCEAU#Al;#*
z<Vp(OE0w5Jl>1|%@S3cvHK#(&NU{#UPeOQyl<XXKki{vdOx>9gZZ~BIjQHpz(Z-OO
z{p`+RhoQRW;vHpUXO^1?Mzhmicc#)VC8()yrS2FgEgf<gY~7!%Lz|;{7c8rwZ%cfG
zE13?7lqBZDpKz%*LvxI(_^t&<4Nc3@T}5O=C27Pn75q1hl>533Q3sRm21VE3W)*G3
zGDB~Isb+b^rz=#=z`YxyVtH(BH3#kx<O&lIGr66u+(A2Csfd~_HTS5!(<=tCW(iL?
z4<t{F1|DW+A%D^|Xgd))+@*HD<817!C~X@=+T_Wck#=)x&c>79+oY<1eK$ncjZKY+
znyNwmX$xWRF7X=-h>iIDK@!4Z9&j;kMa+P^rQmN4zeV6v*TBr2FJC4=WsTALTTQ3e
zZ0Gd{`J!Xt03EfjL^b$->;3;BWw9RLZodq$ZvX%6tQP-q)H^=e@BiOR`Dp(CKdjg^
zF9Vb|JLVLxQFJz1zun2w08j8Wj!dwN)9n>q^8l7tHnv{Rkh7tl*0`fv7T{%N3EA{!
z9n_}fa<^V$KXyk)>+AUDaf>Nv(f?9F&fTK{R_lMi*YDTY|4z>y@8iGjrIZz%q^T@)
zxpV-!QHR&+tCh@6<nqo+Z9l4vo{fjLZQWYTTkA+#0`0U$rWm=1g@i^#4xsM=WP5ZL
z*i?`4FH8Md)uZK2(4zTM+q^6trL3a5)YI(L<#Hb~&2}i3_^C@$!S=TJewUe|25#i%
z<cm73WUs+-q;Chj#9v*Oczmk{Gk!NVU5^YYpe)6V+@;IQR)2;1tsEj6`p_7BP-?q5
zHbE=$mQ1PzF_gQv6uPiO>8OVX6m=US2TZq0rv^4{Wo5KM@!jg6gsq8M#M9<=ipYp{
z(A@DH6Zx1C+=qr}Mu0Lus<P9@(v@so!P@>&6~+?Qxo)k{fb#jv+E*8)ATLdy$_{uD
z0k(`prQ68n)f&j=yXzhiV_AjfgYPGN>?b(K<ZmUsv$%pPfZ_uirdRvIh8{G1l7%6Z
zKggcd>({)7<)DS822j6{OK_G*U>^&@#@OujSHap>f2#`oO7QwC8!A!mYudnkTQ`fK
zDA&%OwNM6sU#{6v?^S0VCG+r%CPdVG<#YYor*RpX_ODhDxZ0|X0%>bBHE(N8Hh;3Z
zMZ#iuSRzgVrqelqhYZVavQuoGgEqXRsZqnreYQDX8%ba#7^VpyTfrZh8e5B_i>s*!
zq<gk(HL959K{(5Rm$7KXA>~3XSsgnVxB#zmNd;Ft;>iHsJiVyB%g2?Aa%fgomIC6c
zc-7{$mD(%p=yL4ZO0d=HYwUB?^4G)1s`cmPz_OhU2+PZY*k}xkmB^hmy{hx2mgg?K
zZl|-hasXaYtrC{E)Aq7xzLNKl#rN&Boz^(P(j2ihlyJwG<N=N4wu>mo+qL$o7c=%{
z>(a9R=lsasqykyH{(t&-DgI}l|LJ~8CCyN_^yk*5zsPmJOmfNYSN&`tv)c)Haj~@W
zce`aX*IsE3)-d<7k?y6*Vb)EPXR9#bM2t~gltc4jX~tIJ|7!hrr}^(_2G;5S$x{Be
zvy-#E{@+X4DAc096IeGC*(TN&_F~0C<tMfrS>JbPKtAIs(rW#m+5{;dSO5FR%ldzM
zbh_97`zTibYbxOK;sh=!&XWE+v7l@mL|h;@@o?R`Rd7(g<XJ>Uh<Y-hY{cDq3h^5s
z8VJq7cBTGaF7GLtPG_E(zlt6ocSABi)tAjy(xv%^O&2spC1@mD_nxXWUS4Z1660*U
zH&O##$<hR+y{BsSrq)(IWBYyAQnCNR1d}NpGcItKZLFRDJ+7bsIPN{}?d|`4lm~D@
zlokP#zRmI;t|!P~IHO5S*%(q1y(42RGC{iZz7pgFlLW>IA6g?r+4v9yCPdLW8Y@tG
zPFU<c0ES~Tg@T86PXS}Ax&Ltxz|SnX0nW^q8YM_kKtdS?UhwSl?WN)Zy$9f;*ME6>
z2{9GY3&vD+&HpX>UNHPabj|;>2a|DE|1bMf&RMqrG$hfxS!!}wO7Br1uT$?)FeLB1
zM}eB^-(1kK_vrtbWOjn`nS>Y5o=Y!qr`5fH#z?xhy5PTg!CXc>#_pG3EUNjxe>{Kn
z!}FIv{}4>$9k#JX|4)wk{d)fIliuF{yO;8yk~!L><hF^EY{u$@k3H`^NkF?k!vtND
zYndlUaXOIaIEi^Qn<7&t>#MC|lf;?;c)KMHRKk!*jDa(_`X^!vq-gKghgsU>cZey8
zvgc-wiLBcXdO@#yaOl~TH6<KKJV9Y`ySl_FVTwlJCasi}085<CQ3PC!yLw{QogZnK
z!9-1ygTV8A-}k)#`VZfS2M^%tU$0(2fBF3U^7*r0y$25-fJr=Vez~OH=J)s7l$l@8
zFclb?T%`KX*Er>KJ%{%H+w(NMxy|JKEBJ8KJ38`v-}(KXR|4(%up*6mm>=>8S0_@3
ztG`caG{NK#!YHFf?@QUJ%M}jtcDG8Z4p&nW`O$=oMu^Rg6z>nb3gJ8-vP|o5OJex8
zoNN8cC0lO<y*in=ogB-qBIB-ua-hjl&fwh$wp>AzWy9?4VV2`CyaiRPVDy51AsA<V
zzwec#%k%9IJ$2_oSdq7m3Gfkwx$_W~Q?b7035M{$D}TGg+2JjyQ9`v>Mz!}{qYQ`T
zOevww18WlFCJDbbLRId9b<y1WVoUQ@Osne9hzq!KC)uEImo6tnR7^uPH%iPSEk5#{
z?B*Kir#$xaeeSL~BIl<TvY)e{djNAvOb5fpQ*@zci4nlVs|QDC{gdqlJe?&;SATkN
z09Sv%=E-O@L@{mzl)r6L!L=IL+ldDDj0Vp6ZwjNyln9iKV9OOWGcQr);!rrrHsx@e
zBOKZhs7Nv`fikI(#9Gv@2~~P_J7bC_CguK($xLe`g|ZO}WD(v<@~o1E?eRNdZb_^N
z7zucCdTR-Ia%v<%kts<enUF?6`P)K=pOjVj*zZ5Noow`XA{%`p8=4fSPi_IvlH&A9
z&yeDlM(w*AK^`yLwDK~rrogk(h^vu5K0CWD^2cXq2KgZpsraxFjC;4N#oyESHaWVM
z->@m7IRvLa#=Q$G5!@kA$-Y%U63OkQE4DW$r^mPL&B^Jp>CH5{CSpoh^C;+E9()PD
z($`ojjC=k3{Mk>>ckBGE_5Y5~j*gD&{$Kxe@BiIPsrY}McUAgpd&NJv%hf~mi-)vL
ze!-+7Ns?U~VLVgM`v;D=K)B&EhzK)-x}Gi;`4{yY<B&46c|6TE40<Y7MmIDUkC;(R
zdr(Dpvowd=7YxJDta6#$hxP*vtPBU1=Z=Opfg@Y}DiaOU^Ug;Kg~s&TIc8lzi=}C$
zwRcNM&C;<TF`6UXwr&Nx_G?rO9(oih$De18x}KjKx*NAYp;FnKR`OtV{Wv9pOwpW(
zb$I}*GX={Ims^&K>a<7mcmWp~2xuz{cvjqW)mm#`>Sd8%?X#|;xA51OP3r8+a@m+}
z3vU5oJ)>i|%vGC-yr>d<Gzt2e$^ybo?v@In#0EviOZ3md<q6>r?O4OJB*=E9%xaz@
zV~A1EImR#&d|Dc$NRfH|FT}wGgq=<sQ7aV-HWZ;*t=gcgfQ{h!3la17WdULNnzMF>
z6l^HPv#w@?w3YUJSYH+pUj4eUHk4DXH-5CpZ^g5-UHw5=&E~)RK70jbJEK%jtKXmv
zRW@WF>{+q8Y{!PiqpD#A+=~%}O3W}k%<d;7!0<Z%)*WvS_pB(Fg(KSfiVbWit&WBn
zxQ(x+-1DJS77%{;^S0Vx%}o{D<#LLCcPU9wzs<8vxv0z)YW)SDP`TmrOXcl$MyZrP
ztNEKIqofH|z1Q?hCDz9)+Zm-*TW=2BdHxpCQf57?6lMn`Gg2-W9++hKAHS!cb=l4+
zHRfQd4$+%j!24Gx`f}Nh4SDjV_Qi~s#lee$11XR9q+eCGW<!e_<lx%1Vb6>9vNaoO
z$*96Qxa_@2XMykS=^@93Lwn{hKLef5cCId#0Ixh&B+#8P>E;ut@(vP7X?NZaj*hwy
zQXXgNlpI3-yzfU`-~pUpy!c$?VgYX@Vz#$)L#D~wmWpP=+IT3c0xq8^x!bw#`vBJ`
zDhmkBjn6F-?WX&yBzUzDzb&tKzb#U>v`hBK5$n%VrneK~r6h87Ml9gMRe?y?aXyi`
z0jz9QJ{KMST*`J{*UHR#p#k@%r~+eM$6ZaoXTqwofRN3SWV@xHTJ&gG2G_JA_x3{Y
zDXIz1<lB5jD2qJ)xc&P=%9;_ORIz~#_1M+0>iiZ*u7_yWe_T*OHHdf5huf~m)x%rE
z61b}5n_yHJ3H*JAY`>4$S{4xYr?+K8CFD1RRyHVGW6y-vqS?@ET~a7l)NDXDUtM(p
zSI^m;3eHSi&726ThYz{I%$~B}Fj9U@6!A%FGIML=*0mR_`dEPVGq9!k|G^z5#?RUO
z7b12vA4WEx6H%E4yC8jY<+w{SO<3&C;7v&?gDtm^D>)ULzFNT5OIHU{UFi;<Rq;G)
z*3XkK`ce_0W~px)k$2+4#acYK@U=CpTeu?H-$Ho1q2Ex=LD{$zboDx`v**L+eAtc+
z4Y|VVn`UeGF83ouL%G#V$>cI?IoERG;$ZEO@;tO|&x4g^0pZz`vnLz6Z{-ZHEo><H
z4KDNRW=o?M>NC{L+L3{<?Z*b>=dpCuTDBXam$D2muPH6D0j4$|@$GGQsllBx$RPH4
z@Mk+V<a_b$n`W=GfK=nMNjEu5=#<`x6&cvq`1_0s)brNWv*68nl66XyK;JiWwi_GD
zS)W^s(kmWgwv3^vp7I!olyuDYo5$^CJ2sSZL${r4c~i<Mz08JoaWB5xk&qX-ejavb
zW!cUsWqHY4KUlzdmdsqDQk0FiV@CG%j#!c5``I&MTWx5`(jMmE-n3M?9b4L<?P^@e
zIwTGJD2M+E#)fScGu#C@E41Mk6hkhxI=G|P2_MTtAag<!v!!f3MIZtP5T=CDC_IEP
z#^G$Ne^55!`rm6J7-i-W3c-c`F(Qg2U**~1h3okGijEETR-yKpl6@~XVuIPvK7{Z$
z$=O#)-Hpq_5o3Kt6Qr}W!LS7G%>?tLn#TS-dvyu+F5>->)7G-xe#7!zSWCx?{yjnF
zj<jf>*?u5F%orq`r@)!p9PL`(bYo0VA=nGFfU-)?B!S~uLPXBkua%KoZi23M-ZZ#>
zekY3)*Cx5Y+XdxAiNZu|a$({{w3;AOg6`F1%N5qNIc&2G?niD3EHL6CHlsi}jYJGX
zRM&_MGEQkHJI@o*I*e!#dKj6d5{2?POK!fV(PUBW*@}vGF~i<Lw_<E~on2G+<|f55
zRkdQ|W3wHa8RzNOM9kZlg{8>`6+K(k-P6~0wh!L?-#3uo7)WDeijFAm&tI%ATOJq7
zE*)&2u)0eL6)%n{S<Yx1Wz*HT0H{)?lu41fIJDV~ga3N^>innY?z{i~+I40-HdJm@
zY~G80NvBjn%B7^n6q)O7;1AAF!te$x1hBV2?#Je=Z0AL1L+OgKp`4ist|usL%vyQW
z&hr0Sb%_u2_3vUJ$;WInf=~E$HL<Ol;1ncU&{sAU+14qj9@vm0%ErFpKJi`b*1@L`
zjRl0{dh-J^*)5*!M(Me(0z`~WhGnxKof0Xt4e3=o4Jgq}tQcbKCbl_4Wr`6U(Wrp@
zRVmVT+OT|?{*wC^Xo3ZK;$OF>QOUVgj$Ly}m<*e~%`yak3zD)3VLD3`O_SQ^DUT&g
zi8;DIN~lS%ttNmZngCamFLFAtfbfI8KrN#|%X;f#p9=CGOC=G~TbGp8XI!D&Ssuu>
x_dlN1@BcXIKi=nmyqB_1JO39>JO8PLZ(sIhUp{I1{{a91|Nnr)BjW(X002kJ&(8n=

diff --git a/kubernetes-config/iam/aws-ebs-csi-driver.json b/kubernetes-config/iam/aws-ebs-csi-driver.json
deleted file mode 100644
index c5b38f4..0000000
--- a/kubernetes-config/iam/aws-ebs-csi-driver.json
+++ /dev/null
@@ -1,133 +0,0 @@
-{
-    "Version": "2012-10-17",
-    "Statement": [
-        {
-            "Effect": "Allow",
-            "Action": [
-                "ec2:CreateSnapshot",
-                "ec2:AttachVolume",
-                "ec2:DetachVolume",
-                "ec2:ModifyVolume",
-                "ec2:DescribeAvailabilityZones",
-                "ec2:DescribeInstances",
-                "ec2:DescribeSnapshots",
-                "ec2:DescribeTags",
-                "ec2:DescribeVolumes",
-                "ec2:DescribeVolumesModifications"
-            ],
-            "Resource": "*"
-        },
-        {
-            "Effect": "Allow",
-            "Action": [
-                "ec2:CreateTags"
-            ],
-            "Resource": [
-                "arn:aws:ec2:*:*:volume/*",
-                "arn:aws:ec2:*:*:snapshot/*"
-            ],
-            "Condition": {
-                "StringEquals": {
-                    "ec2:CreateAction": [
-                        "CreateVolume",
-                        "CreateSnapshot"
-                    ]
-                }
-            }
-        },
-        {
-            "Effect": "Allow",
-            "Action": [
-                "ec2:DeleteTags"
-            ],
-            "Resource": [
-                "arn:aws:ec2:*:*:volume/*",
-                "arn:aws:ec2:*:*:snapshot/*"
-            ]
-        },
-        {
-            "Effect": "Allow",
-            "Action": [
-                "ec2:CreateVolume"
-            ],
-            "Resource": "*",
-            "Condition": {
-                "StringLike": {
-                    "aws:RequestTag/ebs.csi.aws.com/cluster": "true"
-                }
-            }
-        },
-        {
-            "Effect": "Allow",
-            "Action": [
-                "ec2:CreateVolume"
-            ],
-            "Resource": "*",
-            "Condition": {
-                "StringLike": {
-                    "aws:RequestTag/CSIVolumeName": "*"
-                }
-            }
-        },
-        {
-            "Effect": "Allow",
-            "Action": [
-                "ec2:DeleteVolume"
-            ],
-            "Resource": "*",
-            "Condition": {
-                "StringLike": {
-                    "ec2:ResourceTag/ebs.csi.aws.com/cluster": "true"
-                }
-            }
-        },
-        {
-            "Effect": "Allow",
-            "Action": [
-                "ec2:DeleteVolume"
-            ],
-            "Resource": "*",
-            "Condition": {
-                "StringLike": {
-                    "ec2:ResourceTag/CSIVolumeName": "*"
-                }
-            }
-        },
-        {
-            "Effect": "Allow",
-            "Action": [
-                "ec2:DeleteVolume"
-            ],
-            "Resource": "*",
-            "Condition": {
-                "StringLike": {
-                    "ec2:ResourceTag/kubernetes.io/created-for/pvc/name": "*"
-                }
-            }
-        },
-        {
-            "Effect": "Allow",
-            "Action": [
-                "ec2:DeleteSnapshot"
-            ],
-            "Resource": "*",
-            "Condition": {
-                "StringLike": {
-                    "ec2:ResourceTag/CSIVolumeSnapshotName": "*"
-                }
-            }
-        },
-        {
-            "Effect": "Allow",
-            "Action": [
-                "ec2:DeleteSnapshot"
-            ],
-            "Resource": "*",
-            "Condition": {
-                "StringLike": {
-                    "ec2:ResourceTag/ebs.csi.aws.com/cluster": "true"
-                }
-            }
-        }
-    ]
-}
\ No newline at end of file
diff --git a/kubernetes-config/iam/aws-efs-csi-driver.json b/kubernetes-config/iam/aws-efs-csi-driver.json
deleted file mode 100644
index 4ea88b6..0000000
--- a/kubernetes-config/iam/aws-efs-csi-driver.json
+++ /dev/null
@@ -1,37 +0,0 @@
-{
-    "Version": "2012-10-17",
-    "Statement": [
-        {
-            "Effect": "Allow",
-            "Action": [
-                "elasticfilesystem:DescribeAccessPoints",
-                "elasticfilesystem:DescribeFileSystems",
-                "elasticfilesystem:DescribeMountTargets",
-                "ec2:DescribeAvailabilityZones"
-            ],
-            "Resource": "*"
-        },
-        {
-            "Effect": "Allow",
-            "Action": [
-                "elasticfilesystem:CreateAccessPoint"
-            ],
-            "Resource": "*",
-            "Condition": {
-                "StringLike": {
-                    "aws:RequestTag/efs.csi.aws.com/cluster": "true"
-                }
-            }
-        },
-        {
-            "Effect": "Allow",
-            "Action": "elasticfilesystem:DeleteAccessPoint",
-            "Resource": "*",
-            "Condition": {
-                "StringEquals": {
-                    "aws:ResourceTag/efs.csi.aws.com/cluster": "true"
-                }
-            }
-        }
-    ]
-}
\ No newline at end of file
diff --git a/kubernetes-config/iam/aws-load-balancer-controller.json b/kubernetes-config/iam/aws-load-balancer-controller.json
deleted file mode 100644
index a9061bd..0000000
--- a/kubernetes-config/iam/aws-load-balancer-controller.json
+++ /dev/null
@@ -1,219 +0,0 @@
-{
-    "Version": "2012-10-17",
-    "Statement": [
-        {
-            "Effect": "Allow",
-            "Action": [
-                "iam:CreateServiceLinkedRole"
-            ],
-            "Resource": "*",
-            "Condition": {
-                "StringEquals": {
-                    "iam:AWSServiceName": "elasticloadbalancing.amazonaws.com"
-                }
-            }
-        },
-        {
-            "Effect": "Allow",
-            "Action": [
-                "ec2:DescribeAccountAttributes",
-                "ec2:DescribeAddresses",
-                "ec2:DescribeAvailabilityZones",
-                "ec2:DescribeInternetGateways",
-                "ec2:DescribeVpcs",
-                "ec2:DescribeVpcPeeringConnections",
-                "ec2:DescribeSubnets",
-                "ec2:DescribeSecurityGroups",
-                "ec2:DescribeInstances",
-                "ec2:DescribeNetworkInterfaces",
-                "ec2:DescribeTags",
-                "ec2:GetCoipPoolUsage",
-                "ec2:DescribeCoipPools",
-                "elasticloadbalancing:DescribeLoadBalancers",
-                "elasticloadbalancing:DescribeLoadBalancerAttributes",
-                "elasticloadbalancing:DescribeListeners",
-                "elasticloadbalancing:DescribeListenerCertificates",
-                "elasticloadbalancing:DescribeSSLPolicies",
-                "elasticloadbalancing:DescribeRules",
-                "elasticloadbalancing:DescribeTargetGroups",
-                "elasticloadbalancing:DescribeTargetGroupAttributes",
-                "elasticloadbalancing:DescribeTargetHealth",
-                "elasticloadbalancing:DescribeTags"
-            ],
-            "Resource": "*"
-        },
-        {
-            "Effect": "Allow",
-            "Action": [
-                "cognito-idp:DescribeUserPoolClient",
-                "acm:ListCertificates",
-                "acm:DescribeCertificate",
-                "iam:ListServerCertificates",
-                "iam:GetServerCertificate",
-                "waf-regional:GetWebACL",
-                "waf-regional:GetWebACLForResource",
-                "waf-regional:AssociateWebACL",
-                "waf-regional:DisassociateWebACL",
-                "wafv2:GetWebACL",
-                "wafv2:GetWebACLForResource",
-                "wafv2:AssociateWebACL",
-                "wafv2:DisassociateWebACL",
-                "shield:GetSubscriptionState",
-                "shield:DescribeProtection",
-                "shield:CreateProtection",
-                "shield:DeleteProtection"
-            ],
-            "Resource": "*"
-        },
-        {
-            "Effect": "Allow",
-            "Action": [
-                "ec2:AuthorizeSecurityGroupIngress",
-                "ec2:RevokeSecurityGroupIngress"
-            ],
-            "Resource": "*"
-        },
-        {
-            "Effect": "Allow",
-            "Action": [
-                "ec2:CreateSecurityGroup"
-            ],
-            "Resource": "*"
-        },
-        {
-            "Effect": "Allow",
-            "Action": [
-                "ec2:CreateTags"
-            ],
-            "Resource": "arn:aws:ec2:*:*:security-group/*",
-            "Condition": {
-                "StringEquals": {
-                    "ec2:CreateAction": "CreateSecurityGroup"
-                },
-                "Null": {
-                    "aws:RequestTag/elbv2.k8s.aws/cluster": "false"
-                }
-            }
-        },
-        {
-            "Effect": "Allow",
-            "Action": [
-                "ec2:CreateTags",
-                "ec2:DeleteTags"
-            ],
-            "Resource": "arn:aws:ec2:*:*:security-group/*",
-            "Condition": {
-                "Null": {
-                    "aws:RequestTag/elbv2.k8s.aws/cluster": "true",
-                    "aws:ResourceTag/elbv2.k8s.aws/cluster": "false"
-                }
-            }
-        },
-        {
-            "Effect": "Allow",
-            "Action": [
-                "ec2:AuthorizeSecurityGroupIngress",
-                "ec2:RevokeSecurityGroupIngress",
-                "ec2:DeleteSecurityGroup"
-            ],
-            "Resource": "*",
-            "Condition": {
-                "Null": {
-                    "aws:ResourceTag/elbv2.k8s.aws/cluster": "false"
-                }
-            }
-        },
-        {
-            "Effect": "Allow",
-            "Action": [
-                "elasticloadbalancing:CreateLoadBalancer",
-                "elasticloadbalancing:CreateTargetGroup"
-            ],
-            "Resource": "*",
-            "Condition": {
-                "Null": {
-                    "aws:RequestTag/elbv2.k8s.aws/cluster": "false"
-                }
-            }
-        },
-        {
-            "Effect": "Allow",
-            "Action": [
-                "elasticloadbalancing:CreateListener",
-                "elasticloadbalancing:DeleteListener",
-                "elasticloadbalancing:CreateRule",
-                "elasticloadbalancing:DeleteRule"
-            ],
-            "Resource": "*"
-        },
-        {
-            "Effect": "Allow",
-            "Action": [
-                "elasticloadbalancing:AddTags",
-                "elasticloadbalancing:RemoveTags"
-            ],
-            "Resource": [
-                "arn:aws:elasticloadbalancing:*:*:targetgroup/*/*",
-                "arn:aws:elasticloadbalancing:*:*:loadbalancer/net/*/*",
-                "arn:aws:elasticloadbalancing:*:*:loadbalancer/app/*/*"
-            ],
-            "Condition": {
-                "Null": {
-                    "aws:RequestTag/elbv2.k8s.aws/cluster": "true",
-                    "aws:ResourceTag/elbv2.k8s.aws/cluster": "false"
-                }
-            }
-        },
-        {
-            "Effect": "Allow",
-            "Action": [
-                "elasticloadbalancing:AddTags",
-                "elasticloadbalancing:RemoveTags"
-            ],
-            "Resource": [
-                "arn:aws:elasticloadbalancing:*:*:listener/net/*/*/*",
-                "arn:aws:elasticloadbalancing:*:*:listener/app/*/*/*",
-                "arn:aws:elasticloadbalancing:*:*:listener-rule/net/*/*/*",
-                "arn:aws:elasticloadbalancing:*:*:listener-rule/app/*/*/*"
-            ]
-        },
-        {
-            "Effect": "Allow",
-            "Action": [
-                "elasticloadbalancing:ModifyLoadBalancerAttributes",
-                "elasticloadbalancing:SetIpAddressType",
-                "elasticloadbalancing:SetSecurityGroups",
-                "elasticloadbalancing:SetSubnets",
-                "elasticloadbalancing:DeleteLoadBalancer",
-                "elasticloadbalancing:ModifyTargetGroup",
-                "elasticloadbalancing:ModifyTargetGroupAttributes",
-                "elasticloadbalancing:DeleteTargetGroup"
-            ],
-            "Resource": "*",
-            "Condition": {
-                "Null": {
-                    "aws:ResourceTag/elbv2.k8s.aws/cluster": "false"
-                }
-            }
-        },
-        {
-            "Effect": "Allow",
-            "Action": [
-                "elasticloadbalancing:RegisterTargets",
-                "elasticloadbalancing:DeregisterTargets"
-            ],
-            "Resource": "arn:aws:elasticloadbalancing:*:*:targetgroup/*/*"
-        },
-        {
-            "Effect": "Allow",
-            "Action": [
-                "elasticloadbalancing:SetWebAcl",
-                "elasticloadbalancing:ModifyListener",
-                "elasticloadbalancing:AddListenerCertificates",
-                "elasticloadbalancing:RemoveListenerCertificates",
-                "elasticloadbalancing:ModifyRule"
-            ],
-            "Resource": "*"
-        }
-    ]
-}
\ No newline at end of file
diff --git a/kubernetes-config/iam/cluster-autoscaler.json b/kubernetes-config/iam/cluster-autoscaler.json
deleted file mode 100644
index 4a7fdbb..0000000
--- a/kubernetes-config/iam/cluster-autoscaler.json
+++ /dev/null
@@ -1,20 +0,0 @@
-{
-    "Version": "2012-10-17",
-    "Statement": [
-        {
-            "Effect": "Allow",
-            "Action": [
-                "autoscaling:DescribeAutoScalingGroups",
-                "autoscaling:DescribeAutoScalingInstances",
-                "autoscaling:DescribeLaunchConfigurations",
-                "autoscaling:SetDesiredCapacity",
-                "autoscaling:DescribeTags",
-                "autoscaling:TerminateInstanceInAutoScalingGroup",
-                "ec2:DescribeInstanceTypes"
-            ],
-            "Resource": [
-                "*"
-            ]
-        }
-    ]
-}
\ No newline at end of file
diff --git a/kubernetes-config/iam/external-dns.json b/kubernetes-config/iam/external-dns.json
deleted file mode 100644
index 8f4e2c8..0000000
--- a/kubernetes-config/iam/external-dns.json
+++ /dev/null
@@ -1,24 +0,0 @@
-{
-    "Version": "2012-10-17",
-    "Statement": [
-        {
-            "Effect": "Allow",
-            "Action": [
-                "route53:ChangeResourceRecordSets"
-            ],
-            "Resource": [
-                "arn:aws:route53:::hostedzone/*"
-            ]
-        },
-        {
-            "Effect": "Allow",
-            "Action": [
-                "route53:ListHostedZones",
-                "route53:ListResourceRecordSets"
-            ],
-            "Resource": [
-                "*"
-            ]
-        }
-    ]
-}
\ No newline at end of file
diff --git a/kubernetes-config/local.tf b/kubernetes-config/local.tf
deleted file mode 100644
index 02e04f7..0000000
--- a/kubernetes-config/local.tf
+++ /dev/null
@@ -1,3 +0,0 @@
-locals {
-  deployment_id = var.deployment_id
-}
\ No newline at end of file
diff --git a/kubernetes-config/main.tf b/kubernetes-config/main.tf
deleted file mode 100644
index 380046c..0000000
--- a/kubernetes-config/main.tf
+++ /dev/null
@@ -1,47 +0,0 @@
-provider "aws" {
-  region     = var.aws_region
-  profile    = var.aws_profile
-
-  default_tags {
-    tags = {
-      Terraform    = "true"
-      DeploymentID = var.deployment_id
-      Owner        = var.owner
-      Environment  = var.environment
-    }
-  }
-}
-
-################################################################################
-# Kubernetes provider configuration
-################################################################################
-data "aws_eks_cluster" "cluster" {
-  name = var.deployment_id
-}
-
-data "aws_eks_cluster_auth" "cluster" {
-  name = var.deployment_id
-}
-
-provider "kubernetes" {
-  host                   = data.aws_eks_cluster.cluster.endpoint
-  cluster_ca_certificate = base64decode(data.aws_eks_cluster.cluster.certificate_authority[0].data)
-  token                  = data.aws_eks_cluster_auth.cluster.token
-}
-
-provider "helm" {
-  kubernetes {
-    host                   = data.aws_eks_cluster.cluster.endpoint
-    cluster_ca_certificate = base64decode(data.aws_eks_cluster.cluster.certificate_authority[0].data)
-    token                  = data.aws_eks_cluster_auth.cluster.token
-  }
-}
-
-data "terraform_remote_state" "infra" {
-  backend = "s3"
-  config = {
-    bucket = var.s3_backend_infra_bucket
-    key    = var.s3_backend_infra_remote_config_key
-    region = var.s3_backend_infra_bucket_region
-  }
-}
\ No newline at end of file
diff --git a/kubernetes-config/output.tf b/kubernetes-config/output.tf
deleted file mode 100644
index e69de29..0000000
diff --git a/kubernetes-config/s3_backend_configuration.conf b/kubernetes-config/s3_backend_configuration.conf
deleted file mode 100644
index b5dc95a..0000000
--- a/kubernetes-config/s3_backend_configuration.conf
+++ /dev/null
@@ -1,3 +0,0 @@
-bucket=""
-region=""
-key=""
\ No newline at end of file
diff --git a/kubernetes-config/state.tf b/kubernetes-config/state.tf
deleted file mode 100644
index f5c6d7c..0000000
--- a/kubernetes-config/state.tf
+++ /dev/null
@@ -1,6 +0,0 @@
-
-terraform {
-  backend "s3" {
-    encrypt = true
-  }
-}
\ No newline at end of file
diff --git a/kubernetes-config/variables.tf b/kubernetes-config/variables.tf
deleted file mode 100644
index 4c1ceaf..0000000
--- a/kubernetes-config/variables.tf
+++ /dev/null
@@ -1,91 +0,0 @@
-# BACKEND CONFIG
-variable "s3_backend_infra_bucket" {
-  type        = string
-  description = "S3 name where the infra state is stored"
-  default     = ""
-  validation {
-    condition     = (length(var.s3_backend_infra_bucket) > 0)
-    error_message = "The s3_backend_infra_bucket variable is required."
-  }
-  nullable = false
-}
-
-variable "s3_backend_infra_remote_config_key" {
-  description = "Path to the infra state file in the S3 Bucket"
-  type        = string
-  default     = ""
-  validation {
-    condition     = (length(var.s3_backend_infra_remote_config_key) > 0)
-    error_message = "The s3_backend_infra_remote_config_key variable is required."
-  }
-  nullable = false
-}
-
-variable "s3_backend_infra_bucket_region" {
-  description = "S3 backend bucket region"
-  type        = string
-  default     = ""
-  validation {
-    condition     = (length(var.s3_backend_infra_bucket_region) > 0)
-    error_message = "The s3_backend_infra_bucket_region variable is required."
-  }
-  nullable = false
-}
-
-# PROVIDERS
-# AWS
-variable "aws_region" {
-  type        = string
-  description = "AWS region to use"
-}
-variable "aws_profile" {
-  description = "The aws profile used to run terraform."
-  type        = string
-  nullable    = false
-
-  validation {
-    condition     = (length(var.aws_profile) > 2)
-    error_message = "Must have at least 3 characters length."
-  }
-}
-
-# METADATA VARIABLES
-variable "environment" {
-  description = "the name of the environment. for example: production / dev / stanging/ QA and etc."
-  type        = string
-  validation {
-    condition     = (length(var.environment) > 0)
-    error_message = "The environment variable is required."
-  }
-  nullable = false
-}
-
-variable "owner" {
-  description = "the name of the deployment owner. for example: ast-team"
-  type        = string
-  validation {
-    condition     = (length(var.owner) > 0)
-    error_message = "The owner variable is required."
-  }
-  nullable = false
-}
-
-variable "deployment_id" {
-  description = "the id of the deployment. if not set will used \"{owner}_{environment}\". must be unique per AWS account"
-  type        = string
-  nullable    = false
-  validation {
-    condition     = (length(var.deployment_id) > 0)
-    error_message = "The deployment_id is required."
-  }
-}
-
-# Helm
-
-# external_DNS
-variable "hosted_zone_id" {
-  description = "Route53 hosted Zone ID"
-  type        = string
-  default     = ""
-  nullable    = false
-}
diff --git a/kubernetes-config/versions.tf b/kubernetes-config/versions.tf
deleted file mode 100644
index 74d2805..0000000
--- a/kubernetes-config/versions.tf
+++ /dev/null
@@ -1,17 +0,0 @@
-terraform {
-  required_version = ">= 1.1.0"
-  required_providers {
-    aws = {
-      source  = "hashicorp/aws"
-      version = "4.49.0"
-    }
-    kubernetes = {
-      source  = "hashicorp/kubernetes"
-      version = "2.16.1"
-    }
-    helm = {
-      source  = "hashicorp/helm"
-      version = "2.6.0"
-    }
-  }
-}
\ No newline at end of file

From 2d57888af9655aed9005cfdce674e2981e66c523 Mon Sep 17 00:00:00 2001
From: benjaminstokes <stokesbo@gmail.com>
Date: Wed, 10 Apr 2024 14:58:08 -0400
Subject: [PATCH 02/57] simplified wip

---
 examples/full/README.md            | 136 +++++++
 examples/full/main.tf              | 235 +++++++++++
 examples/full/network.tf           |  82 ++++
 examples/full/variables-cxone.tf   | 605 +++++++++++++++++++++++++++++
 examples/full/variables-example.tf | 110 ++++++
 5 files changed, 1168 insertions(+)
 create mode 100644 examples/full/README.md
 create mode 100644 examples/full/main.tf
 create mode 100644 examples/full/network.tf
 create mode 100644 examples/full/variables-cxone.tf
 create mode 100644 examples/full/variables-example.tf

diff --git a/examples/full/README.md b/examples/full/README.md
new file mode 100644
index 0000000..25ad975
--- /dev/null
+++ b/examples/full/README.md
@@ -0,0 +1,136 @@
+# Full Example
+
+This folder contains a full example for deploying [Checkmarx One](https://checkmarx.com/product/application-security-platform/) on [AWS](https://aws.amazon.com) using [Terraform](https://www.terraform.io). 
+
+The project configures the VPC, KMS, SES, ACM, and other basic environment resources, and then invokes the `terraform-aws-cxone` module to deploy Checkmarx One infrastructure.
+
+Consult the [`example.auto.tfvars`](./example.auto.tfvars) for a full listing of what can be configured in this example, and the `terraform-aws-cxone module`.
+
+
+# Module Documentation
+
+## Requirements
+
+No requirements.
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | n/a |
+| <a name="provider_random"></a> [random](#provider\_random) | n/a |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_acm"></a> [acm](#module\_acm) | terraform-aws-modules/acm/aws | 5.0.1 |
+| <a name="module_checkmarx-one"></a> [checkmarx-one](#module\_checkmarx-one) | ../../ | n/a |
+| <a name="module_checkmarx-one-install"></a> [checkmarx-one-install](#module\_checkmarx-one-install) | ../../modules/cxone-install | n/a |
+| <a name="module_ses"></a> [ses](#module\_ses) | cloudposse/ses/aws | 0.24.0 |
+| <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | 5.7.0 |
+| <a name="module_vpc_endpoint_security_group"></a> [vpc\_endpoint\_security\_group](#module\_vpc\_endpoint\_security\_group) | terraform-aws-modules/security-group/aws | 5.1.2 |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_iam_group_policy.cxone_ses_group_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy) | resource |
+| [aws_kms_key.main](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
+| [aws_vpc_endpoint.interface](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint) | resource |
+| [aws_vpc_endpoint.s3_gateway_private](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint) | resource |
+| [random_password.cxone_admin](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password) | resource |
+| [random_password.db](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password) | resource |
+| [random_password.elasticsearch](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password) | resource |
+| [random_password.kots_admin](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password) | resource |
+| [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source |
+| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |
+| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_aws_ebs_csi_driver_version"></a> [aws\_ebs\_csi\_driver\_version](#input\_aws\_ebs\_csi\_driver\_version) | The version of the EKS EBS CSI Addon. | `string` | n/a | yes |
+| <a name="input_coredns_version"></a> [coredns\_version](#input\_coredns\_version) | The version of the EKS Core DNS Addon. | `string` | n/a | yes |
+| <a name="input_create_s3_endpoint"></a> [create\_s3\_endpoint](#input\_create\_s3\_endpoint) | Enables creation of the s3 gateway VPC interface endpoint. | `bool` | `true` | no |
+| <a name="input_db_allow_major_version_upgrade"></a> [db\_allow\_major\_version\_upgrade](#input\_db\_allow\_major\_version\_upgrade) | Allows major version upgrades. | `bool` | `false` | no |
+| <a name="input_db_apply_immediately"></a> [db\_apply\_immediately](#input\_db\_apply\_immediately) | Determines if changes will be applied immediately or wait until the next maintenance window. | `bool` | `false` | no |
+| <a name="input_db_auto_minor_version_upgrade"></a> [db\_auto\_minor\_version\_upgrade](#input\_db\_auto\_minor\_version\_upgrade) | Automatically upgrade to latest minor version in maintenance window. | `bool` | `false` | no |
+| <a name="input_db_autoscaling_enabled"></a> [db\_autoscaling\_enabled](#input\_db\_autoscaling\_enabled) | Enables autoscaling of the aurora database. | `bool` | `true` | no |
+| <a name="input_db_autoscaling_max_capacity"></a> [db\_autoscaling\_max\_capacity](#input\_db\_autoscaling\_max\_capacity) | The maximum number of replicas via autoscaling. | `string` | `"3"` | no |
+| <a name="input_db_autoscaling_min_capacity"></a> [db\_autoscaling\_min\_capacity](#input\_db\_autoscaling\_min\_capacity) | The minimum number of replicas via autoscaling. | `string` | `"1"` | no |
+| <a name="input_db_autoscaling_scale_in_cooldown"></a> [db\_autoscaling\_scale\_in\_cooldown](#input\_db\_autoscaling\_scale\_in\_cooldown) | The database scale in cooldown period. | `number` | `300` | no |
+| <a name="input_db_autoscaling_scale_out_cooldown"></a> [db\_autoscaling\_scale\_out\_cooldown](#input\_db\_autoscaling\_scale\_out\_cooldown) | The database scale ou cooldown period. | `number` | `300` | no |
+| <a name="input_db_autoscaling_target_cpu"></a> [db\_autoscaling\_target\_cpu](#input\_db\_autoscaling\_target\_cpu) | The CPU utilization for autoscaling target tracking. | `number` | `70` | no |
+| <a name="input_db_cluster_db_instance_parameter_group_name"></a> [db\_cluster\_db\_instance\_parameter\_group\_name](#input\_db\_cluster\_db\_instance\_parameter\_group\_name) | The name of the DB Cluster parameter group to use. | `string` | `null` | no |
+| <a name="input_db_create"></a> [db\_create](#input\_db\_create) | Controls creation of the Aurora postgres database. | `bool` | `true` | no |
+| <a name="input_db_create_rds_proxy"></a> [db\_create\_rds\_proxy](#input\_db\_create\_rds\_proxy) | Enables an RDS proxy for the Aurora postgres database. | `bool` | `true` | no |
+| <a name="input_db_deletion_protection"></a> [db\_deletion\_protection](#input\_db\_deletion\_protection) | Enables deletion protection to avoid accidental database deletion. | `bool` | `true` | no |
+| <a name="input_db_engine_version"></a> [db\_engine\_version](#input\_db\_engine\_version) | The aurora postgres engine version. | `string` | `"13.8"` | no |
+| <a name="input_db_final_snapshot_identifier"></a> [db\_final\_snapshot\_identifier](#input\_db\_final\_snapshot\_identifier) | Identifer for a final DB snapshot. Required when db\_skip\_final\_snapshot is false.. | `string` | `null` | no |
+| <a name="input_db_instance_class"></a> [db\_instance\_class](#input\_db\_instance\_class) | The aurora postgres instance class. | `string` | `"db.r6g.xlarge"` | no |
+| <a name="input_db_instances"></a> [db\_instances](#input\_db\_instances) | The DB instance configuration | `map(any)` | <pre>{<br>  "replica1": {},<br>  "writer": {}<br>}</pre> | no |
+| <a name="input_db_master_user_password"></a> [db\_master\_user\_password](#input\_db\_master\_user\_password) | The master user password for RDS. Specify to explicitly set the password otherwise RDS will be allowed to manage it. | `string` | `null` | no |
+| <a name="input_db_monitoring_interval"></a> [db\_monitoring\_interval](#input\_db\_monitoring\_interval) | The aurora postgres engine version. | `string` | `"10"` | no |
+| <a name="input_db_performance_insights_enabled"></a> [db\_performance\_insights\_enabled](#input\_db\_performance\_insights\_enabled) | Enables database performance insights. | `bool` | `true` | no |
+| <a name="input_db_performance_insights_retention_period"></a> [db\_performance\_insights\_retention\_period](#input\_db\_performance\_insights\_retention\_period) | Number of days to retain performance insights data. Free tier: 7 days. | `number` | `7` | no |
+| <a name="input_db_port"></a> [db\_port](#input\_db\_port) | The port on which the DB accepts connections. | `string` | `"5432"` | no |
+| <a name="input_db_serverlessv2_scaling_configuration"></a> [db\_serverlessv2\_scaling\_configuration](#input\_db\_serverlessv2\_scaling\_configuration) | The serverless v2 scaling minimum and maximum. | <pre>object({<br>    min_capacity = number<br>    max_capacity = number<br>  })</pre> | <pre>{<br>  "max_capacity": 32,<br>  "min_capacity": 0.5<br>}</pre> | no |
+| <a name="input_db_skip_final_snapshot"></a> [db\_skip\_final\_snapshot](#input\_db\_skip\_final\_snapshot) | Enables skipping the final snapshot upon deletion. | `bool` | `false` | no |
+| <a name="input_db_snapshot_identifer"></a> [db\_snapshot\_identifer](#input\_db\_snapshot\_identifer) | The snapshot identifier to restore the database from. | `string` | `null` | no |
+| <a name="input_deployment_id"></a> [deployment\_id](#input\_deployment\_id) | The id of the deployment. Will be used to name resources like EKS cluster, etc. | `string` | n/a | yes |
+| <a name="input_ec2_key_name"></a> [ec2\_key\_name](#input\_ec2\_key\_name) | The name of the EC2 key pair to access servers. | `string` | `null` | no |
+| <a name="input_ec_auto_minor_version_upgrade"></a> [ec\_auto\_minor\_version\_upgrade](#input\_ec\_auto\_minor\_version\_upgrade) | Enables automatic minor version upgrades. Does not apply to serverless. | `bool` | `false` | no |
+| <a name="input_ec_automatic_failover_enabled"></a> [ec\_automatic\_failover\_enabled](#input\_ec\_automatic\_failover\_enabled) | Enables automatic failover. Does not apply to serverless. | `bool` | `true` | no |
+| <a name="input_ec_create"></a> [ec\_create](#input\_ec\_create) | Enables the creation of elasticache resources. | `bool` | `true` | no |
+| <a name="input_ec_enable_serverless"></a> [ec\_enable\_serverless](#input\_ec\_enable\_serverless) | Enables the use of elasticache for redis serverless. | `bool` | `false` | no |
+| <a name="input_ec_engine_version"></a> [ec\_engine\_version](#input\_ec\_engine\_version) | The version of the elasticache cluster. Does not apply to serverless. | `string` | `"6.x"` | no |
+| <a name="input_ec_multi_az_enabled"></a> [ec\_multi\_az\_enabled](#input\_ec\_multi\_az\_enabled) | Enables automatic failover. Does not apply to serverless. | `bool` | `true` | no |
+| <a name="input_ec_node_type"></a> [ec\_node\_type](#input\_ec\_node\_type) | The elasticache redis node type. Does not apply to serverless. | `string` | `"cache.m6g.large"` | no |
+| <a name="input_ec_number_of_shards"></a> [ec\_number\_of\_shards](#input\_ec\_number\_of\_shards) | The number of shards for redis. Does not apply to serverless. | `number` | `3` | no |
+| <a name="input_ec_parameter_group_name"></a> [ec\_parameter\_group\_name](#input\_ec\_parameter\_group\_name) | The elasticache parameter group name. Does not apply to serverless. | `string` | `"default.redis6.x.cluster.on"` | no |
+| <a name="input_ec_replicas_per_shard"></a> [ec\_replicas\_per\_shard](#input\_ec\_replicas\_per\_shard) | The number of replicas per shard for redis. Does not apply to serverless. | `number` | `2` | no |
+| <a name="input_ec_serverless_max_ecpu_per_second"></a> [ec\_serverless\_max\_ecpu\_per\_second](#input\_ec\_serverless\_max\_ecpu\_per\_second) | The max eCPU per second for serverless elasticache for redis. | `number` | `5000` | no |
+| <a name="input_ec_serverless_max_storage"></a> [ec\_serverless\_max\_storage](#input\_ec\_serverless\_max\_storage) | The max storage, in GB, for serverless elasticache for redis. | `number` | `5` | no |
+| <a name="input_eks_administrator_principals"></a> [eks\_administrator\_principals](#input\_eks\_administrator\_principals) | The ARNs of the IAM roles for administrator access to EKS. | <pre>list(object({<br>    name          = string<br>    principal_arn = string<br>  }))</pre> | `[]` | no |
+| <a name="input_eks_cluster_endpoint_public_access_cidrs"></a> [eks\_cluster\_endpoint\_public\_access\_cidrs](#input\_eks\_cluster\_endpoint\_public\_access\_cidrs) | List of CIDR blocks which can access the Amazon EKS public API server endpoint | `list(string)` | <pre>[<br>  "0.0.0.0/0"<br>]</pre> | no |
+| <a name="input_eks_create"></a> [eks\_create](#input\_eks\_create) | Enables the EKS resource creation | `bool` | `true` | no |
+| <a name="input_eks_create_cluster_autoscaler_irsa"></a> [eks\_create\_cluster\_autoscaler\_irsa](#input\_eks\_create\_cluster\_autoscaler\_irsa) | Enables creation of cluster autoscaler IAM role. | `bool` | `true` | no |
+| <a name="input_eks_create_external_dns_irsa"></a> [eks\_create\_external\_dns\_irsa](#input\_eks\_create\_external\_dns\_irsa) | Enables creation of external dns IAM role. | `bool` | `true` | no |
+| <a name="input_eks_create_karpenter"></a> [eks\_create\_karpenter](#input\_eks\_create\_karpenter) | Enables creation of Karpenter resources. | `bool` | `false` | no |
+| <a name="input_eks_create_load_balancer_controller_irsa"></a> [eks\_create\_load\_balancer\_controller\_irsa](#input\_eks\_create\_load\_balancer\_controller\_irsa) | Enables creation of load balancer controller IAM role. | `bool` | `true` | no |
+| <a name="input_eks_node_additional_security_group_ids"></a> [eks\_node\_additional\_security\_group\_ids](#input\_eks\_node\_additional\_security\_group\_ids) | Additional security group ids to attach to EKS nodes. | `list(string)` | `[]` | no |
+| <a name="input_eks_node_groups"></a> [eks\_node\_groups](#input\_eks\_node\_groups) | n/a | <pre>list(object({<br>    name            = string<br>    min_size        = string<br>    desired_size    = string<br>    max_size        = string<br>    volume_type     = optional(string, "gp3")<br>    disk_size       = optional(number, 200)<br>    disk_iops       = optional(number, 3000)<br>    disk_throughput = optional(number, 125)<br>    device_name     = optional(string, "/dev/xvda")<br>    instance_types  = list(string)<br>    capacity_type   = optional(string, "ON_DEMAND")<br>    labels          = optional(map(string), {})<br>    taints          = optional(map(object({ key = string, value = string, effect = string })), {})<br>  }))</pre> | <pre>[<br>  {<br>    "desired_size": 3,<br>    "instance_types": [<br>      "c5.4xlarge"<br>    ],<br>    "max_size": 9,<br>    "min_size": 3,<br>    "name": "ast-app"<br>  },<br>  {<br>    "desired_size": 0,<br>    "instance_types": [<br>      "m5.2xlarge"<br>    ],<br>    "labels": {<br>      "sast-engine": "true"<br>    },<br>    "max_size": 100,<br>    "min_size": 0,<br>    "name": "sast-engine",<br>    "taints": {<br>      "dedicated": {<br>        "effect": "NO_SCHEDULE",<br>        "key": "sast-engine",<br>        "value": "true"<br>      }<br>    }<br>  },<br>  {<br>    "desired_size": 0,<br>    "instance_types": [<br>      "m5.4xlarge"<br>    ],<br>    "labels": {<br>      "sast-engine-large": "true"<br>    },<br>    "max_size": 100,<br>    "min_size": 0,<br>    "name": "sast-engine-large",<br>    "taints": {<br>      "dedicated": {<br>        "effect": "NO_SCHEDULE",<br>        "key": "sast-engine-large",<br>        "value": "true"<br>      }<br>    }<br>  },<br>  {<br>    "desired_size": 0,<br>    "instance_types": [<br>      "r5.2xlarge"<br>    ],<br>    "labels": {<br>      "sast-engine-extra-large": "true"<br>    },<br>    "max_size": 100,<br>    "min_size": 0,<br>    "name": "sast-engine-extra-large",<br>    "taints": {<br>      "dedicated": {<br>        "effect": "NO_SCHEDULE",<br>        "key": "sast-engine-extra-large",<br>        "value": "true"<br>      }<br>    }<br>  },<br>  {<br>    "desired_size": 0,<br>    "instance_types": [<br>      "r5.4xlarge"<br>    ],<br>    "labels": {<br>      "sast-engine-xxl": "true"<br>    },<br>    "max_size": 100,<br>    "min_size": 0,<br>    "name": "sast-engine-xxl",<br>    "taints": {<br>      "dedicated": {<br>        "effect": "NO_SCHEDULE",<br>        "key": "sast-engine-xxl",<br>        "value": "true"<br>      }<br>    }<br>  },<br>  {<br>    "desired_size": 1,<br>    "instance_types": [<br>      "c5.2xlarge"<br>    ],<br>    "labels": {<br>      "kics-engine": "true"<br>    },<br>    "max_size": 100,<br>    "min_size": 1,<br>    "name": "kics-engine",<br>    "taints": {<br>      "dedicated": {<br>        "effect": "NO_SCHEDULE",<br>        "key": "kics-engine",<br>        "value": "true"<br>      }<br>    }<br>  },<br>  {<br>    "desired_size": 1,<br>    "instance_types": [<br>      "c5.2xlarge"<br>    ],<br>    "labels": {<br>      "repostore": "true"<br>    },<br>    "max_size": 100,<br>    "min_size": 1,<br>    "name": "repostore",<br>    "taints": {<br>      "dedicated": {<br>        "effect": "NO_SCHEDULE",<br>        "key": "repostore",<br>        "value": "true"<br>      }<br>    }<br>  },<br>  {<br>    "desired_size": 0,<br>    "instance_types": [<br>      "m5.2xlarge"<br>    ],<br>    "labels": {<br>      "service": "sca-source-resolver"<br>    },<br>    "max_size": 100,<br>    "min_size": 0,<br>    "name": "sca-source-resolver",<br>    "taints": {<br>      "dedicated": {<br>        "effect": "NO_SCHEDULE",<br>        "key": "service",<br>        "value": "sca-source-resolver"<br>      }<br>    }<br>  }<br>]</pre> | no |
+| <a name="input_eks_private_endpoint_enabled"></a> [eks\_private\_endpoint\_enabled](#input\_eks\_private\_endpoint\_enabled) | Enables the EKS VPC private endpoint. | `bool` | `true` | no |
+| <a name="input_eks_public_endpoint_enabled"></a> [eks\_public\_endpoint\_enabled](#input\_eks\_public\_endpoint\_enabled) | Enables the EKS public endpoint. | `bool` | `false` | no |
+| <a name="input_eks_version"></a> [eks\_version](#input\_eks\_version) | The version of the EKS Cluster (e.g. 1.27) | `string` | n/a | yes |
+| <a name="input_enable_cluster_creator_admin_permissions"></a> [enable\_cluster\_creator\_admin\_permissions](#input\_enable\_cluster\_creator\_admin\_permissions) | Enables the identity used to create the EKS cluster to have administrator access to that EKS cluster. When enabled, do not specify the same principal arn for eks\_administrator\_principals. | `bool` | `true` | no |
+| <a name="input_es_create"></a> [es\_create](#input\_es\_create) | Enables creation of elasticsearch resources. | `bool` | `true` | no |
+| <a name="input_es_instance_count"></a> [es\_instance\_count](#input\_es\_instance\_count) | The number of nodes in elasticsearch cluster | `number` | `2` | no |
+| <a name="input_es_instance_type"></a> [es\_instance\_type](#input\_es\_instance\_type) | The instance type for elasticsearch nodes. | `string` | `"r6g.large.elasticsearch"` | no |
+| <a name="input_es_tls_security_policy"></a> [es\_tls\_security\_policy](#input\_es\_tls\_security\_policy) | n/a | `string` | `"Policy-Min-TLS-1-2-2019-07"` | no |
+| <a name="input_es_username"></a> [es\_username](#input\_es\_username) | The username for the elasticsearch user | `string` | `"ast"` | no |
+| <a name="input_es_volume_size"></a> [es\_volume\_size](#input\_es\_volume\_size) | The size of volumes for nodes in elasticsearch cluster | `number` | `100` | no |
+| <a name="input_fqdn"></a> [fqdn](#input\_fqdn) | The fully qualified domain name that will be used for the Checkmarx One deployment | `string` | n/a | yes |
+| <a name="input_interface_vpc_endpoints"></a> [interface\_vpc\_endpoints](#input\_interface\_vpc\_endpoints) | A list of services that vpc endpoints are created for. | `list(string)` | <pre>[<br>  "ec2",<br>  "ec2messages",<br>  "ssm",<br>  "ssmmessages",<br>  "ecr.api",<br>  "ecr.dkr",<br>  "kms",<br>  "logs",<br>  "sts",<br>  "elasticloadbalancing",<br>  "autoscaling"<br>]</pre> | no |
+| <a name="input_kots_admin_email"></a> [kots\_admin\_email](#input\_kots\_admin\_email) | The email address of the Checkmarx One first admin user. | `string` | n/a | yes |
+| <a name="input_kots_cxone_version"></a> [kots\_cxone\_version](#input\_kots\_cxone\_version) | The version of Checkmarx One to install | `string` | n/a | yes |
+| <a name="input_kots_license_file"></a> [kots\_license\_file](#input\_kots\_license\_file) | The path to the kots license file to install Checkamrx One with. | `string` | n/a | yes |
+| <a name="input_kots_release_channel"></a> [kots\_release\_channel](#input\_kots\_release\_channel) | The release channel from which to install Checkmarx One | `string` | `"beta"` | no |
+| <a name="input_kube_proxy_version"></a> [kube\_proxy\_version](#input\_kube\_proxy\_version) | The version of the EKS Kube Proxy Addon. | `string` | n/a | yes |
+| <a name="input_launch_template_tags"></a> [launch\_template\_tags](#input\_launch\_template\_tags) | Tags to associate with launch templates for node groups | `map(string)` | `null` | no |
+| <a name="input_object_storage_access_key"></a> [object\_storage\_access\_key](#input\_object\_storage\_access\_key) | The S3 access key to use to access buckets | `string` | n/a | yes |
+| <a name="input_object_storage_endpoint"></a> [object\_storage\_endpoint](#input\_object\_storage\_endpoint) | The S3 endpoint to use to access buckets | `string` | n/a | yes |
+| <a name="input_object_storage_secret_key"></a> [object\_storage\_secret\_key](#input\_object\_storage\_secret\_key) | The S3 secret key to use to access buckets | `string` | n/a | yes |
+| <a name="input_route_53_hosted_zone_id"></a> [route\_53\_hosted\_zone\_id](#input\_route\_53\_hosted\_zone\_id) | The hosted zone id for route 53 in which to create dns and certificates. | `string` | n/a | yes |
+| <a name="input_s3_retention_period"></a> [s3\_retention\_period](#input\_s3\_retention\_period) | The retention period, in days, to retain s3 objects. | `string` | `"90"` | no |
+| <a name="input_secondary_vpc_cidr"></a> [secondary\_vpc\_cidr](#input\_secondary\_vpc\_cidr) | The secondary VPC CIDR block to associate with the VPC. | `string` | `null` | no |
+| <a name="input_smtp_port"></a> [smtp\_port](#input\_smtp\_port) | The port of the SMTP server. | `number` | `587` | no |
+| <a name="input_vpc_cidr"></a> [vpc\_cidr](#input\_vpc\_cidr) | The primary VPC CIDR block to create the VPC with. | `string` | n/a | yes |
+| <a name="input_vpc_cni_version"></a> [vpc\_cni\_version](#input\_vpc\_cni\_version) | The version of the EKS VPC CNI Addon. | `string` | n/a | yes |
+
+## Outputs
+
+No outputs.
\ No newline at end of file
diff --git a/examples/full/main.tf b/examples/full/main.tf
new file mode 100644
index 0000000..73a4eff
--- /dev/null
+++ b/examples/full/main.tf
@@ -0,0 +1,235 @@
+data "aws_region" "current" {}
+data "aws_partition" "current" {}
+data "aws_caller_identity" "current" {}
+data "aws_availability_zones" "available" {
+  state = "available"
+}
+
+
+resource "aws_kms_key" "main" {
+  description             = "KMS Key for the Checkmarx One deployment named ${var.deployment_id}"
+  deletion_window_in_days = 7
+  enable_key_rotation     = true
+  tags = {
+    Name = var.deployment_id
+  }
+}
+
+
+resource "random_password" "elasticsearch" {
+  length           = 32
+  special          = false
+  override_special = "!*-_[]{}<>"
+  min_special      = 1
+  min_upper        = 1
+  min_lower        = 1
+  min_numeric      = 1
+}
+
+resource "random_password" "db" {
+  length           = 32
+  special          = false
+  override_special = "!*-_[]{}<>"
+  min_special      = 1
+  min_upper        = 1
+  min_lower        = 1
+  min_numeric      = 1
+}
+
+resource "random_password" "kots_admin" {
+  length           = 14
+  special          = false
+  override_special = "!*-_[]{}<>"
+  min_special      = 1
+  min_upper        = 1
+  min_lower        = 1
+  min_numeric      = 1
+}
+
+resource "random_password" "cxone_admin" {
+  length           = 14
+  special          = false
+  override_special = "!*-_[]{}<>"
+  min_special      = 1
+  min_upper        = 1
+  min_lower        = 1
+  min_numeric      = 1
+}
+
+
+
+
+module "acm" {
+  source  = "terraform-aws-modules/acm/aws"
+  version = "5.0.1"
+
+  domain_name = var.fqdn
+  zone_id     = var.route_53_hosted_zone_id
+
+  validation_method      = "DNS"
+  create_certificate     = true
+  create_route53_records = true
+  validate_certificate   = true
+  wait_for_validation    = true
+}
+
+module "ses" {
+  source            = "cloudposse/ses/aws"
+  version           = "0.24.0"
+  zone_id           = var.route_53_hosted_zone_id
+  domain            = var.fqdn
+  verify_domain     = true
+  verify_dkim       = true
+  ses_group_enabled = true
+  ses_group_name    = "${var.deployment_id}-ses-group"
+  ses_user_enabled  = true
+  name              = "CxOne-${var.deployment_id}"
+  environment       = "dev"
+  enabled           = true
+
+  tags = {
+    Name = var.deployment_id
+  }
+}
+
+resource "aws_iam_group_policy" "cxone_ses_group_policy" {
+  name  = "${var.deployment_id}-ses-group-policy"
+  group = module.ses.ses_group_name
+
+  depends_on = [module.ses]
+
+  policy = jsonencode({
+    Version : "2012-10-17"
+    Statement : [
+      {
+        Effect : "Allow",
+        Action : [
+          "ses:SendEmail",
+          "ses:SendRawEmail"
+        ],
+        Resource : "*"
+      }
+    ]
+  })
+}
+
+
+module "checkmarx-one" {
+  source = "../../"
+
+  # General Configuration
+  deployment_id      = var.deployment_id
+  ec2_key_name       = var.ec2_key_name
+  vpc_id             = module.vpc.vpc_id
+  kms_key_arn        = aws_kms_key.main.arn
+  s3_allowed_origins = [var.fqdn]
+
+  # EKS Configuration
+  eks_create                               = var.eks_create
+  eks_subnets                              = module.vpc.private_subnets
+  eks_create_cluster_autoscaler_irsa       = var.eks_create_cluster_autoscaler_irsa
+  eks_create_external_dns_irsa             = var.eks_create_external_dns_irsa
+  eks_create_load_balancer_controller_irsa = var.eks_create_load_balancer_controller_irsa
+  eks_create_karpenter                     = var.eks_create_karpenter
+  eks_version                              = var.eks_version
+  coredns_version                          = var.coredns_version
+  kube_proxy_version                       = var.kube_proxy_version
+  vpc_cni_version                          = var.vpc_cni_version
+  aws_ebs_csi_driver_version               = var.aws_ebs_csi_driver_version
+  eks_private_endpoint_enabled             = var.eks_private_endpoint_enabled
+  eks_public_endpoint_enabled              = var.eks_public_endpoint_enabled
+  eks_cluster_endpoint_public_access_cidrs = var.eks_cluster_endpoint_public_access_cidrs
+  enable_cluster_creator_admin_permissions = var.enable_cluster_creator_admin_permissions
+  launch_template_tags                     = var.launch_template_tags
+
+  # RDS Configuration
+  db_subnets                     = module.vpc.private_subnets
+  db_engine_version              = var.db_engine_version
+  db_allow_major_version_upgrade = var.db_allow_major_version_upgrade
+  db_auto_minor_version_upgrade  = var.db_auto_minor_version_upgrade
+  db_apply_immediately           = var.db_apply_immediately
+  db_deletion_protection         = var.db_deletion_protection
+  db_snapshot_identifer          = var.db_snapshot_identifer
+  db_skip_final_snapshot         = var.db_skip_final_snapshot
+  db_final_snapshot_identifier   = var.db_final_snapshot_identifier
+  db_instance_class              = var.db_instance_class
+  db_monitoring_interval         = var.db_monitoring_interval
+  # When enabling autoscaling, you may need to edit and save the autoscaling policy (no updates needed)
+  # to work around the issue described here: https://github.com/terraform-aws-modules/terraform-aws-rds-aurora/issues/432
+  db_autoscaling_enabled                      = var.db_autoscaling_enabled
+  db_autoscaling_min_capacity                 = var.db_autoscaling_min_capacity
+  db_autoscaling_max_capacity                 = var.db_autoscaling_max_capacity
+  db_autoscaling_target_cpu                   = var.db_autoscaling_target_cpu
+  db_autoscaling_scale_out_cooldown           = var.db_autoscaling_scale_out_cooldown
+  db_autoscaling_scale_in_cooldown            = var.db_autoscaling_scale_in_cooldown
+  db_port                                     = var.db_port
+  db_master_user_password                     = random_password.db.result
+  db_create_rds_proxy                         = var.db_create_rds_proxy
+  db_create                                   = var.db_create
+  db_performance_insights_enabled             = var.db_performance_insights_enabled
+  db_performance_insights_retention_period    = var.db_performance_insights_retention_period
+  db_cluster_db_instance_parameter_group_name = var.db_cluster_db_instance_parameter_group_name
+  # Set individual instance properties. Reference https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster_instance
+  db_instances                          = var.db_instances
+  db_serverlessv2_scaling_configuration = var.db_serverlessv2_scaling_configuration
+
+  # Elasticache Configuration
+  ec_create                         = var.ec_create
+  ec_subnets                        = module.vpc.private_subnets
+  ec_enable_serverless              = var.ec_enable_serverless
+  ec_serverless_max_storage         = var.ec_serverless_max_storage
+  ec_serverless_max_ecpu_per_second = var.ec_serverless_max_ecpu_per_second
+  ec_engine_version                 = var.ec_engine_version
+  ec_parameter_group_name           = var.ec_parameter_group_name
+  ec_automatic_failover_enabled     = var.ec_automatic_failover_enabled
+  ec_multi_az_enabled               = var.ec_multi_az_enabled
+  ec_node_type                      = var.ec_node_type          # Production: cache.r7g.xlarge, Dev/Test: cache.r7g.large, Demo: cache.t4g.micro	
+  ec_number_of_shards               = var.ec_number_of_shards   # Production 3, Dev/Test: 1, Demo: 1
+  ec_replicas_per_shard             = var.ec_replicas_per_shard # Production 2, Dev/Test: 1, Demo: 0
+  ec_auto_minor_version_upgrade     = var.ec_auto_minor_version_upgrade
+
+  # Elasticsearch Configuration
+  es_create              = var.es_create
+  es_subnets             = module.vpc.private_subnets
+  es_instance_count      = var.es_instance_count
+  es_instance_type       = var.es_instance_type
+  es_volume_size         = var.es_volume_size
+  es_tls_security_policy = var.es_tls_security_policy
+  es_password            = random_password.elasticsearch.result
+}
+
+
+module "checkmarx-one-install" {
+  source = "../../modules/cxone-install"
+
+  cxone_version       = var.kots_cxone_version
+  release_channel     = var.kots_release_channel
+  license_file        = var.kots_license_file
+  kots_admin_password = random_password.kots_admin.result
+
+  deployment_id                         = var.deployment_id
+  region                                = data.aws_region.current.name
+  admin_email                           = var.kots_admin_email
+  admin_password                        = random_password.cxone_admin.result
+  fqdn                                  = var.fqdn
+  acm_certificate_arn                   = module.acm.acm_certificate_arn
+  bucket_suffix                         = module.checkmarx-one.s3_bucket_name_suffix
+  object_storage_endpoint               = "s3.${data.aws_region.current.name}.amazonaws.com"
+  object_storage_access_key             = var.object_storage_access_key
+  object_storage_secret_key             = var.object_storage_secret_key
+  postgres_host                         = module.checkmarx-one.db_endpoint
+  postgres_database_name                = module.checkmarx-one.db_database_name
+  postgres_user                         = module.checkmarx-one.db_master_username
+  postgres_password                     = module.checkmarx-one.db_master_password
+  redis_address                         = module.checkmarx-one.ec_endpoint
+  smtp_host                             = "email-smtp.${data.aws_region.current.name}.amazonaws.com"
+  smtp_port                             = var.smtp_port
+  smtp_password                         = module.ses.ses_smtp_password
+  smtp_user                             = module.ses.user_name
+  smtp_from_sender                      = "noreply@${var.fqdn}"
+  elasticsearch_host                    = module.checkmarx-one.es_endpoint
+  elasticsearch_password                = random_password.elasticsearch.result
+  cluster_autoscaler_iam_role_arn       = module.checkmarx-one.cluster_autoscaler_iam_role_arn
+  load_balancer_controller_iam_role_arn = module.checkmarx-one.load_balancer_controller_iam_role_arn
+  external_dns_iam_role_arn             = module.checkmarx-one.external_dns_iam_role_arn
+}
diff --git a/examples/full/network.tf b/examples/full/network.tf
new file mode 100644
index 0000000..87673a0
--- /dev/null
+++ b/examples/full/network.tf
@@ -0,0 +1,82 @@
+locals {
+  vpc_cidr_size    = parseint(basename(var.vpc_cidr), 10)
+  aws_azs          = slice(data.aws_availability_zones.available.names, 0, 3)
+  subnets_cidrs    = cidrsubnets(var.vpc_cidr, (28 - local.vpc_cidr_size), (28 - local.vpc_cidr_size), (28 - local.vpc_cidr_size))
+  private_subnets  = slice(cidrsubnets(var.vpc_cidr, 2, 2, 2, 5, 5, 5, 6, 6, 6), 0, 3) # VPC=/16: /18 16,256; 
+  public_subnets   = slice(cidrsubnets(var.vpc_cidr, 2, 2, 2, 5, 5, 5, 6, 6, 6), 6, 9) # VPC=/16: /21  2,032; 
+  database_subnets = slice(cidrsubnets(var.vpc_cidr, 2, 2, 2, 5, 5, 5, 6, 6, 6), 3, 6) # VPC=/16: /22  1,016; 
+}
+
+module "vpc" {
+
+  source  = "terraform-aws-modules/vpc/aws"
+  version = "5.7.0"
+
+  name                  = var.deployment_id
+  cidr                  = var.vpc_cidr
+  secondary_cidr_blocks = var.secondary_vpc_cidr != null ? [var.secondary_vpc_cidr] : []
+
+  azs = local.aws_azs
+
+  private_subnets  = local.private_subnets
+  public_subnets   = local.public_subnets
+  database_subnets = local.database_subnets
+
+  enable_nat_gateway     = true
+  single_nat_gateway     = true
+  one_nat_gateway_per_az = false
+
+  enable_dns_hostnames = true
+  enable_dns_support   = true
+
+  public_subnet_tags = {
+    "karpenter.sh/discovery"                     = "${var.deployment_id}"
+    "kubernetes.io/cluster/${var.deployment_id}" = "shared"
+    "kubernetes.io/role/elb"                     = "1"
+  }
+
+  private_subnet_tags = {
+    "karpenter.sh/discovery"                     = "${var.deployment_id}"
+    "kubernetes.io/cluster/${var.deployment_id}" = "shared"
+    "kubernetes.io/role/internal-elb"            = "1"
+  }
+
+  enable_flow_log                      = true
+  create_flow_log_cloudwatch_iam_role  = true
+  create_flow_log_cloudwatch_log_group = true
+
+}
+
+module "vpc_endpoint_security_group" {
+  source              = "terraform-aws-modules/security-group/aws"
+  version             = "5.1.2"
+  name                = "${var.deployment_id}-vpc-endpoints"
+  description         = "VPC endpoint security group for Checkmarx One deployment named ${var.deployment_id}"
+  vpc_id              = module.vpc.vpc_id
+  ingress_cidr_blocks = concat([module.vpc.vpc_cidr_block], module.vpc.vpc_secondary_cidr_blocks)
+  ingress_rules       = ["https-443-tcp"]
+}
+
+
+resource "aws_vpc_endpoint" "interface" {
+  for_each            = toset(var.interface_vpc_endpoints)
+  vpc_id              = module.vpc.vpc_id
+  subnet_ids          = module.vpc.private_subnets
+  service_name        = "com.amazonaws.${data.aws_region.current.name}.${each.key}"
+  vpc_endpoint_type   = "Interface"
+  security_group_ids  = [module.vpc_endpoint_security_group.security_group_id]
+  private_dns_enabled = true
+  tags = {
+    Name = "${var.deployment_id}-${each.key}-vpc-endpoint"
+  }
+}
+
+resource "aws_vpc_endpoint" "s3_gateway_private" {
+  vpc_endpoint_type = "Gateway"
+  service_name      = "com.amazonaws.${data.aws_region.current.name}.s3"
+  vpc_id            = module.vpc.vpc_id
+  route_table_ids   = module.vpc.private_route_table_ids
+  tags = {
+    Name = "${var.deployment_id}-s3-vpc-endpoint"
+  }
+}
diff --git a/examples/full/variables-cxone.tf b/examples/full/variables-cxone.tf
new file mode 100644
index 0000000..7173bae
--- /dev/null
+++ b/examples/full/variables-cxone.tf
@@ -0,0 +1,605 @@
+# variables-cxone.tf contains pass thru variables defined by terraform-aws-cxone module.
+# The variable definitions are duplicated here so that the example project can be used
+# to control the module configuration.
+
+
+#******************************************************************************
+#   General Configuration
+#******************************************************************************
+
+variable "deployment_id" {
+  description = "The id of the deployment. Will be used to name resources like EKS cluster, etc."
+  type        = string
+  nullable    = false
+  validation {
+    condition     = (length(var.deployment_id) >= 3)
+    error_message = "The deployment_id must be greater than 3 characters."
+  }
+}
+
+# variable "kms_key_arn" {
+#   type        = string
+#   description = "The ARN of the KMS key to use for encryption in AWS services"
+# }
+
+# variable "vpc_id" {
+#   description = "The id of the vpc deploying into."
+#   type        = string
+# }
+
+
+#******************************************************************************
+#   S3 Configuration
+#******************************************************************************
+
+variable "s3_retention_period" {
+  description = "The retention period, in days, to retain s3 objects."
+  type        = string
+  default     = "90"
+}
+
+# variable "s3_allowed_origins" {
+#   description = "The allowed orgins for S3 CORS rules."
+#   type        = list(string)
+#   nullable    = false
+# }
+
+#******************************************************************************
+#   EKS Configuration
+#******************************************************************************
+variable "eks_create" {
+  type        = bool
+  description = "Enables the EKS resource creation"
+  default     = true
+}
+
+# variable "eks_subnets" {
+#   description = "The subnets to deploy EKS into."
+#   type        = list(string)
+# }
+
+variable "eks_create_cluster_autoscaler_irsa" {
+  type        = bool
+  description = "Enables creation of cluster autoscaler IAM role."
+  default     = true
+}
+
+variable "eks_create_external_dns_irsa" {
+  type        = bool
+  description = "Enables creation of external dns IAM role."
+  default     = true
+}
+
+variable "eks_create_load_balancer_controller_irsa" {
+  type        = bool
+  description = "Enables creation of load balancer controller IAM role."
+  default     = true
+}
+
+variable "eks_create_karpenter" {
+  type        = bool
+  description = "Enables creation of Karpenter resources."
+  default     = false
+}
+
+variable "eks_version" {
+  type        = string
+  description = "The version of the EKS Cluster (e.g. 1.27)"
+}
+
+variable "eks_private_endpoint_enabled" {
+  type        = bool
+  description = "Enables the EKS VPC private endpoint."
+  default     = true
+}
+
+variable "eks_public_endpoint_enabled" {
+  type        = bool
+  description = "Enables the EKS public endpoint."
+  default     = false
+}
+
+variable "eks_cluster_endpoint_public_access_cidrs" {
+  type        = list(string)
+  description = " List of CIDR blocks which can access the Amazon EKS public API server endpoint"
+  default     = ["0.0.0.0/0"]
+}
+
+variable "eks_node_additional_security_group_ids" {
+  description = "Additional security group ids to attach to EKS nodes."
+  type        = list(string)
+  default     = []
+}
+
+variable "coredns_version" {
+  type        = string
+  description = "The version of the EKS Core DNS Addon."
+}
+
+variable "kube_proxy_version" {
+  type        = string
+  description = "The version of the EKS Kube Proxy Addon."
+}
+
+variable "vpc_cni_version" {
+  type        = string
+  description = "The version of the EKS VPC CNI Addon."
+}
+
+variable "aws_ebs_csi_driver_version" {
+  type        = string
+  description = "The version of the EKS EBS CSI Addon."
+}
+
+variable "launch_template_tags" {
+  type        = map(string)
+  description = "Tags to associate with launch templates for node groups"
+  default     = null
+}
+
+variable "enable_cluster_creator_admin_permissions" {
+  type        = bool
+  description = "Enables the identity used to create the EKS cluster to have administrator access to that EKS cluster. When enabled, do not specify the same principal arn for eks_administrator_principals."
+  default     = true
+}
+
+variable "eks_administrator_principals" {
+  type = list(object({
+    name          = string
+    principal_arn = string
+  }))
+  description = "The ARNs of the IAM roles for administrator access to EKS."
+  default     = []
+}
+
+variable "ec2_key_name" {
+  description = "The name of the EC2 key pair to access servers."
+  type        = string
+  default     = null
+}
+
+
+variable "eks_node_groups" {
+  type = list(object({
+    name            = string
+    min_size        = string
+    desired_size    = string
+    max_size        = string
+    volume_type     = optional(string, "gp3")
+    disk_size       = optional(number, 200)
+    disk_iops       = optional(number, 3000)
+    disk_throughput = optional(number, 125)
+    device_name     = optional(string, "/dev/xvda")
+    instance_types  = list(string)
+    capacity_type   = optional(string, "ON_DEMAND")
+    labels          = optional(map(string), {})
+    taints          = optional(map(object({ key = string, value = string, effect = string })), {})
+  }))
+  default = [{
+    name           = "ast-app"
+    min_size       = 3
+    desired_size   = 3
+    max_size       = 9
+    instance_types = ["c5.4xlarge"]
+    },
+    {
+      name           = "sast-engine"
+      min_size       = 0
+      desired_size   = 0
+      max_size       = 100
+      instance_types = ["m5.2xlarge"]
+      labels = {
+        "sast-engine" = "true"
+      }
+      taints = {
+        dedicated = {
+          key    = "sast-engine"
+          value  = "true"
+          effect = "NO_SCHEDULE"
+        }
+      }
+    },
+    {
+      name           = "sast-engine-large"
+      min_size       = 0
+      desired_size   = 0
+      max_size       = 100
+      instance_types = ["m5.4xlarge"]
+      labels = {
+        "sast-engine-large" = "true"
+      }
+      taints = {
+        dedicated = {
+          key    = "sast-engine-large"
+          value  = "true"
+          effect = "NO_SCHEDULE"
+        }
+      }
+    },
+    {
+      name           = "sast-engine-extra-large"
+      min_size       = 0
+      desired_size   = 0
+      max_size       = 100
+      instance_types = ["r5.2xlarge"]
+      labels = {
+        "sast-engine-extra-large" = "true"
+      }
+      taints = {
+        dedicated = {
+          key    = "sast-engine-extra-large"
+          value  = "true"
+          effect = "NO_SCHEDULE"
+        }
+      }
+    },
+    {
+      name           = "sast-engine-xxl"
+      min_size       = 0
+      desired_size   = 0
+      max_size       = 100
+      instance_types = ["r5.4xlarge"]
+      labels = {
+        "sast-engine-xxl" = "true"
+      }
+      taints = {
+        dedicated = {
+          key    = "sast-engine-xxl"
+          value  = "true"
+          effect = "NO_SCHEDULE"
+        }
+      }
+    },
+    {
+      name           = "kics-engine"
+      min_size       = 1
+      desired_size   = 1
+      max_size       = 100
+      instance_types = ["c5.2xlarge"]
+      labels = {
+        "kics-engine" = "true"
+      }
+      taints = {
+        dedicated = {
+          key    = "kics-engine"
+          value  = "true"
+          effect = "NO_SCHEDULE"
+        }
+      }
+    },
+    {
+      name           = "repostore"
+      min_size       = 1
+      desired_size   = 1
+      max_size       = 100
+      instance_types = ["c5.2xlarge"]
+      labels = {
+        "repostore" = "true"
+      }
+      taints = {
+        dedicated = {
+          key    = "repostore"
+          value  = "true"
+          effect = "NO_SCHEDULE"
+        }
+      }
+    },
+    {
+      name           = "sca-source-resolver"
+      min_size       = 0
+      desired_size   = 0
+      max_size       = 100
+      instance_types = ["m5.2xlarge"]
+      labels = {
+        "service" = "sca-source-resolver"
+      }
+      taints = {
+        dedicated = {
+          key    = "service"
+          value  = "sca-source-resolver"
+          effect = "NO_SCHEDULE"
+        }
+      }
+    }
+  ]
+}
+
+#******************************************************************************
+#   RDS Configuration
+#******************************************************************************
+
+variable "db_engine_version" {
+  description = "The aurora postgres engine version."
+  type        = string
+  default     = "13.8"
+}
+
+
+# variable "db_subnets" {
+#   description = "The subnets to deploy RDS into."
+#   type        = list(string)
+# }
+
+
+variable "db_allow_major_version_upgrade" {
+  description = "Allows major version upgrades."
+  type        = bool
+  default     = false
+}
+
+variable "db_auto_minor_version_upgrade" {
+  description = "Automatically upgrade to latest minor version in maintenance window."
+  type        = bool
+  default     = false
+}
+
+variable "db_instance_class" {
+  description = "The aurora postgres instance class."
+  type        = string
+  default     = "db.r6g.xlarge"
+}
+
+variable "db_monitoring_interval" {
+  description = "The aurora postgres engine version."
+  type        = string
+  default     = "10"
+}
+
+variable "db_autoscaling_enabled" {
+  description = "Enables autoscaling of the aurora database."
+  type        = bool
+  default     = true
+}
+
+variable "db_autoscaling_min_capacity" {
+  description = "The minimum number of replicas via autoscaling."
+  type        = string
+  default     = "1"
+}
+
+variable "db_autoscaling_max_capacity" {
+  description = "The maximum number of replicas via autoscaling."
+  type        = string
+  default     = "3"
+}
+
+variable "db_autoscaling_target_cpu" {
+  description = "The CPU utilization for autoscaling target tracking."
+  type        = number
+  default     = 70
+}
+
+variable "db_autoscaling_scale_in_cooldown" {
+  description = "The database scale in cooldown period."
+  type        = number
+  default     = 300
+}
+
+variable "db_autoscaling_scale_out_cooldown" {
+  description = "The database scale ou cooldown period."
+  type        = number
+  default     = 300
+}
+
+variable "db_snapshot_identifer" {
+  description = "The snapshot identifier to restore the database from."
+  type        = string
+  default     = null
+}
+
+variable "db_port" {
+  description = "The port on which the DB accepts connections."
+  type        = string
+  default     = "5432"
+}
+
+variable "db_master_user_password" {
+  description = "The master user password for RDS. Specify to explicitly set the password otherwise RDS will be allowed to manage it."
+  type        = string
+  default     = null
+}
+
+variable "db_create_rds_proxy" {
+  description = "Enables an RDS proxy for the Aurora postgres database."
+  type        = bool
+  default     = true
+}
+
+variable "db_create" {
+  description = "Controls creation of the Aurora postgres database."
+  type        = bool
+  default     = true
+}
+
+variable "db_skip_final_snapshot" {
+  description = "Enables skipping the final snapshot upon deletion."
+  type        = bool
+  default     = false
+}
+
+variable "db_final_snapshot_identifier" {
+  description = "Identifer for a final DB snapshot. Required when db_skip_final_snapshot is false.."
+  type        = string
+  default     = null
+}
+
+variable "db_deletion_protection" {
+  description = "Enables deletion protection to avoid accidental database deletion."
+  type        = bool
+  default     = true
+}
+
+variable "db_instances" {
+  type        = map(any)
+  description = "The DB instance configuration"
+  default = {
+    writer   = {}
+    replica1 = {}
+  }
+}
+
+variable "db_serverlessv2_scaling_configuration" {
+  description = "The serverless v2 scaling minimum and maximum."
+  type = object({
+    min_capacity = number
+    max_capacity = number
+  })
+  default = {
+    min_capacity = 0.5
+    max_capacity = 32
+  }
+}
+
+variable "db_performance_insights_enabled" {
+  type        = bool
+  default     = true
+  description = "Enables database performance insights."
+}
+
+variable "db_performance_insights_retention_period" {
+  type        = number
+  default     = 7
+  description = "Number of days to retain performance insights data. Free tier: 7 days."
+}
+
+variable "db_cluster_db_instance_parameter_group_name" {
+  type        = string
+  default     = null
+  description = "The name of the DB Cluster parameter group to use."
+}
+
+variable "db_apply_immediately" {
+  type        = bool
+  default     = false
+  description = "Determines if changes will be applied immediately or wait until the next maintenance window."
+}
+
+
+#******************************************************************************
+# Elasticache Configuration
+#******************************************************************************
+variable "ec_create" {
+  type        = bool
+  default     = true
+  description = "Enables the creation of elasticache resources."
+}
+
+# variable "ec_subnets" {
+#   description = "The subnets to deploy Elasticache into."
+#   type        = list(string)
+# }
+
+variable "ec_enable_serverless" {
+  type        = bool
+  default     = false
+  description = "Enables the use of elasticache for redis serverless."
+}
+
+variable "ec_serverless_max_storage" {
+  type        = number
+  default     = 5
+  description = "The max storage, in GB, for serverless elasticache for redis."
+}
+variable "ec_serverless_max_ecpu_per_second" {
+  type        = number
+  default     = 5000
+  description = "The max eCPU per second for serverless elasticache for redis."
+}
+
+variable "ec_engine_version" {
+  type        = string
+  description = "The version of the elasticache cluster. Does not apply to serverless."
+  default     = "6.x"
+}
+variable "ec_parameter_group_name" {
+  type        = string
+  description = "The elasticache parameter group name. Does not apply to serverless."
+  default     = "default.redis6.x.cluster.on"
+}
+
+variable "ec_node_type" {
+  type        = string
+  description = "The elasticache redis node type. Does not apply to serverless."
+  default     = "cache.m6g.large"
+}
+
+variable "ec_number_of_shards" {
+  type        = number
+  description = "The number of shards for redis. Does not apply to serverless."
+  default     = 3
+}
+
+variable "ec_replicas_per_shard" {
+  type        = number
+  description = "The number of replicas per shard for redis. Does not apply to serverless."
+  default     = 2
+}
+
+variable "ec_auto_minor_version_upgrade" {
+  type        = bool
+  description = "Enables automatic minor version upgrades. Does not apply to serverless."
+  default     = false
+}
+
+variable "ec_automatic_failover_enabled" {
+  type        = bool
+  description = "Enables automatic failover. Does not apply to serverless."
+  default     = true
+}
+
+variable "ec_multi_az_enabled" {
+  type        = bool
+  description = "Enables automatic failover. Does not apply to serverless."
+  default     = true
+}
+
+#******************************************************************************
+# Elasticsearch Configuration
+#******************************************************************************
+
+variable "es_create" {
+  type        = bool
+  description = "Enables creation of elasticsearch resources."
+  default     = true
+}
+
+# variable "es_subnets" {
+#   description = "The subnets to deploy Elasticsearch into."
+#   type        = list(string)
+# }
+
+variable "es_instance_type" {
+  type        = string
+  description = "The instance type for elasticsearch nodes."
+  default     = "r6g.large.elasticsearch"
+}
+
+variable "es_instance_count" {
+  type        = number
+  description = "The number of nodes in elasticsearch cluster"
+  default     = 2
+}
+
+variable "es_volume_size" {
+  type        = number
+  description = "The size of volumes for nodes in elasticsearch cluster"
+  default     = 100
+}
+
+variable "es_tls_security_policy" {
+  default = "Policy-Min-TLS-1-2-2019-07"
+  type    = string
+}
+
+variable "es_username" {
+  description = "The username for the elasticsearch user"
+  type        = string
+  default     = "ast"
+}
+
+# variable "es_password" {
+#   description = "The password for the elasticsearch user"
+#   type        = string
+#   sensitive   = true
+# }
+
diff --git a/examples/full/variables-example.tf b/examples/full/variables-example.tf
new file mode 100644
index 0000000..40696fe
--- /dev/null
+++ b/examples/full/variables-example.tf
@@ -0,0 +1,110 @@
+#******************************************************************************
+#   Base Infrastructure Configuration - These variables are used by the example itself
+#******************************************************************************
+
+variable "vpc_cidr" {
+  type        = string
+  description = "The primary VPC CIDR block to create the VPC with."
+}
+
+variable "secondary_vpc_cidr" {
+  type        = string
+  description = "The secondary VPC CIDR block to associate with the VPC."
+  default     = null
+}
+
+variable "interface_vpc_endpoints" {
+  type        = list(string)
+  description = "A list of services that vpc endpoints are created for."
+  default     = ["ec2", "ec2messages", "ssm", "ssmmessages", "ecr.api", "ecr.dkr", "kms", "logs", "sts", "elasticloadbalancing", "autoscaling"]
+}
+
+variable "create_s3_endpoint" {
+  type        = bool
+  description = "Enables creation of the s3 gateway VPC interface endpoint."
+  default     = true
+}
+
+variable "route_53_hosted_zone_id" {
+  type        = string
+  description = "The hosted zone id for route 53 in which to create dns and certificates."
+  nullable    = true
+}
+
+variable "fqdn" {
+  type        = string
+  description = "The fully qualified domain name that will be used for the Checkmarx One deployment"
+}
+
+
+#******************************************************************************
+#   S3 Configuration
+#******************************************************************************
+
+variable "object_storage_endpoint" {
+  type        = string
+  description = "The S3 endpoint to use to access buckets"
+}
+
+variable "object_storage_access_key" {
+  type        = string
+  description = "The S3 access key to use to access buckets"
+}
+
+variable "object_storage_secret_key" {
+  type        = string
+  description = "The S3 secret key to use to access buckets"
+}
+
+#******************************************************************************
+#   SMTP Configuration
+#******************************************************************************
+# variable "smtp_host" {
+#   description = "The hostname of the SMTP server."
+#   type        = string
+# }
+
+variable "smtp_port" {
+  description = "The port of the SMTP server."
+  type        = number
+  default     = 587
+}
+
+# variable "smtp_user" {
+#   description = "The smtp user name."
+#   type        = string
+# }
+
+# variable "smtp_password" {
+#   description = "The smtp password."
+#   type        = string
+# }
+
+# variable "smtp_from_sender" {
+#   description = "The address to use in the from field when sending emails."
+#   type        = string
+# }
+
+#******************************************************************************
+#   Kots & Installation Configuration
+#******************************************************************************
+variable "kots_cxone_version" {
+  description = "The version of Checkmarx One to install"
+  type        = string
+}
+
+variable "kots_release_channel" {
+  description = "The release channel from which to install Checkmarx One"
+  type        = string
+  default     = "beta"
+}
+
+variable "kots_license_file" {
+  description = "The path to the kots license file to install Checkamrx One with."
+  type        = string
+}
+
+variable "kots_admin_email" {
+  description = "The email address of the Checkmarx One first admin user."
+  type        = string
+}
\ No newline at end of file

From 097333d02fc97b89063354f191f6f034424ea3ff Mon Sep 17 00:00:00 2001
From: benjaminstokes <stokesbo@gmail.com>
Date: Wed, 10 Apr 2024 14:58:52 -0400
Subject: [PATCH 03/57] wip

---
 README.md                                     | 239 +++--
 data.tf                                       |   6 +
 eks.tf                                        | 322 +++++++
 elasticache.tf                                |  85 ++
 modules/cxone-install/install.sh.tftpl        |  30 +
 .../kots.config.aws.reference.yaml.tftpl      | 363 +++++++
 modules/cxone-install/main.tf                 |  76 ++
 modules/cxone-install/makefile.tftpl          |  79 ++
 modules/cxone-install/variables.tf            | 173 ++++
 opensearch.tf                                 |  93 ++
 outputs.tf                                    |   4 +
 rds.tf                                        | 150 +++
 results.json                                  | 888 ++++++++++++++++++
 s3.tf                                         | 162 ++++
 variables.tf                                  | 600 ++++++++++++
 15 files changed, 3188 insertions(+), 82 deletions(-)
 create mode 100644 data.tf
 create mode 100644 eks.tf
 create mode 100644 elasticache.tf
 create mode 100644 modules/cxone-install/install.sh.tftpl
 create mode 100644 modules/cxone-install/kots.config.aws.reference.yaml.tftpl
 create mode 100644 modules/cxone-install/main.tf
 create mode 100644 modules/cxone-install/makefile.tftpl
 create mode 100644 modules/cxone-install/variables.tf
 create mode 100644 opensearch.tf
 create mode 100644 outputs.tf
 create mode 100644 rds.tf
 create mode 100755 results.json
 create mode 100644 s3.tf
 create mode 100644 variables.tf

diff --git a/README.md b/README.md
index 08ca716..222f33f 100644
--- a/README.md
+++ b/README.md
@@ -1,82 +1,157 @@
-# AWS Infrastructure
-
-The terraform code present in this repo will create the infrastructure necessary to run the AST single-tenant solution.
-
-# S3 Backend configuration
-
-[Terraform documentation](https://www.terraform.io/language/settings/backends/s3)
-
- - To enable remote state storage with S3, the first step is to create an S3 bucket.
-
-The terraform state file will be saved in an S3 bucket. To be sure that the state will be saved in the desired location, please change the file `s3_backend_configuration.conf` present in both directories (infrastructure and kubernetes-config).
-
-The file structure should follow this schema
-```
-bucket="<BUCKET_NAME>"
-region="<BUCKET_REGION>"
-key="<S3_KEY>/terraform.tfstate"
-```
-
-For example:
-```
-bucket="terraform-state-bucket"
-region="eu-west-1"
-key="infra/terraform.tfstate"
-```
-
-
-## Using Makefile configuration
-When running the command `make init` on the desired directory it will use this file to pass the parameters to the terraform backend configuration.
-
-## Using terraform command line
-`terraform init -backend-config=s3_backend_configuration.conf`
-
-or you can use the full command:
-
-`terraform init -backend-config=bucket=BUCKET_NAME -backend-config=key=S3_KEY -backend-config=region=AWS_REGION`
-
-# Instalation order
-
-- The first terraform module that needs to be installed is `infrastructure`  only after the instalation is complete you should move to the second one.
-
-
-```
-cd infrastructure
-make plan
-make apply
-```
-
-
-- When the infrastructure is ready, apply the module `kubernetes-config`.
-
-```
-cd kubernetes-config
-make plan
-make apply
-```
-
-Please, take a look on the `example.auto.tfvars` file to see the parameters that you need to inform.
-
-
-
-# TF Destroy
-
-
-If you already installed the CxOne solution using Kots, before running `make destroy` it is recommended to uninstall the following HELM chart:
-- ast (helm uninstall ast -n ast)
-
-This is recommended to avoid leaving the load balancer created by the traefik service behind.
-
-## Destroy the module kubernetes-config
-
-```
-cd kubernetes-config
-make destroy
-```
-
-## Destroy the module infrastructure
-
-```
-cd infrastructure
-make destroy
-```
\ No newline at end of file
+# terraform-aws-cxone
+
+This repo contains a module for deploying [Checkmarx One](https://checkmarx.com/product/application-security-platform/) on [AWS](https://aws.amazon.com) using [Terraform](https://www.terraform.io). Checkmarx One has everything you need to embed AppSec in every stage of the SDLC, provide an excellent developer experience, integrate with the technologies you use, and build a successful AppSec program.
+
+
+# Module documentation
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | n/a |
+| <a name="provider_random"></a> [random](#provider\_random) | n/a |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_cluster_autoscaler_irsa"></a> [cluster\_autoscaler\_irsa](#module\_cluster\_autoscaler\_irsa) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | 5.39.0 |
+| <a name="module_eks"></a> [eks](#module\_eks) | terraform-aws-modules/eks/aws | 20.8.5 |
+| <a name="module_eks_node_iam_role"></a> [eks\_node\_iam\_role](#module\_eks\_node\_iam\_role) | terraform-aws-modules/iam/aws//modules/iam-assumable-role | 5.37.2 |
+| <a name="module_elasticache_security_group"></a> [elasticache\_security\_group](#module\_elasticache\_security\_group) | terraform-aws-modules/security-group/aws | 5.1.2 |
+| <a name="module_elasticsearch_security_group"></a> [elasticsearch\_security\_group](#module\_elasticsearch\_security\_group) | terraform-aws-modules/security-group/aws | 5.1.2 |
+| <a name="module_external_dns_irsa"></a> [external\_dns\_irsa](#module\_external\_dns\_irsa) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | 5.39.0 |
+| <a name="module_karpenter"></a> [karpenter](#module\_karpenter) | terraform-aws-modules/eks/aws//modules/karpenter | 20.8.5 |
+| <a name="module_load_balancer_controller_irsa"></a> [load\_balancer\_controller\_irsa](#module\_load\_balancer\_controller\_irsa) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | 5.39.0 |
+| <a name="module_rds"></a> [rds](#module\_rds) | terraform-aws-modules/rds-aurora/aws | 9.3.1 |
+| <a name="module_rds-proxy"></a> [rds-proxy](#module\_rds-proxy) | terraform-aws-modules/rds-proxy/aws | 3.1.0 |
+| <a name="module_rds_proxy_sg"></a> [rds\_proxy\_sg](#module\_rds\_proxy\_sg) | terraform-aws-modules/security-group/aws | 5.1.2 |
+| <a name="module_s3_bucket"></a> [s3\_bucket](#module\_s3\_bucket) | terraform-aws-modules/s3-bucket/aws | 4.1.1 |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_autoscaling_group_tag.cluster_autoscaler_label](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/autoscaling_group_tag) | resource |
+| [aws_autoscaling_group_tag.cluster_autoscaler_taint](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/autoscaling_group_tag) | resource |
+| [aws_db_subnet_group.main](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_subnet_group) | resource |
+| [aws_elasticache_replication_group.redis](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticache_replication_group) | resource |
+| [aws_elasticache_serverless_cache.main](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticache_serverless_cache) | resource |
+| [aws_elasticache_subnet_group.redis](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticache_subnet_group) | resource |
+| [aws_elasticsearch_domain.es](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticsearch_domain) | resource |
+| [aws_iam_policy.s3_bucket_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [random_string.random_suffix](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) | resource |
+| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |
+| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
+| [aws_vpc.main](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_aws_ebs_csi_driver_version"></a> [aws\_ebs\_csi\_driver\_version](#input\_aws\_ebs\_csi\_driver\_version) | The version of the EKS EBS CSI Addon. | `string` | n/a | yes |
+| <a name="input_coredns_version"></a> [coredns\_version](#input\_coredns\_version) | The version of the EKS Core DNS Addon. | `string` | n/a | yes |
+| <a name="input_db_allow_major_version_upgrade"></a> [db\_allow\_major\_version\_upgrade](#input\_db\_allow\_major\_version\_upgrade) | Allows major version upgrades. | `bool` | `false` | no |
+| <a name="input_db_apply_immediately"></a> [db\_apply\_immediately](#input\_db\_apply\_immediately) | Determines if changes will be applied immediately or wait until the next maintenance window. | `bool` | `false` | no |
+| <a name="input_db_auto_minor_version_upgrade"></a> [db\_auto\_minor\_version\_upgrade](#input\_db\_auto\_minor\_version\_upgrade) | Automatically upgrade to latest minor version in maintenance window. | `bool` | `false` | no |
+| <a name="input_db_autoscaling_enabled"></a> [db\_autoscaling\_enabled](#input\_db\_autoscaling\_enabled) | Enables autoscaling of the aurora database. | `bool` | `true` | no |
+| <a name="input_db_autoscaling_max_capacity"></a> [db\_autoscaling\_max\_capacity](#input\_db\_autoscaling\_max\_capacity) | The maximum number of replicas via autoscaling. | `string` | `"3"` | no |
+| <a name="input_db_autoscaling_min_capacity"></a> [db\_autoscaling\_min\_capacity](#input\_db\_autoscaling\_min\_capacity) | The minimum number of replicas via autoscaling. | `string` | `"1"` | no |
+| <a name="input_db_autoscaling_scale_in_cooldown"></a> [db\_autoscaling\_scale\_in\_cooldown](#input\_db\_autoscaling\_scale\_in\_cooldown) | The database scale in cooldown period. | `number` | `300` | no |
+| <a name="input_db_autoscaling_scale_out_cooldown"></a> [db\_autoscaling\_scale\_out\_cooldown](#input\_db\_autoscaling\_scale\_out\_cooldown) | The database scale ou cooldown period. | `number` | `300` | no |
+| <a name="input_db_autoscaling_target_cpu"></a> [db\_autoscaling\_target\_cpu](#input\_db\_autoscaling\_target\_cpu) | The CPU utilization for autoscaling target tracking. | `number` | `70` | no |
+| <a name="input_db_cluster_db_instance_parameter_group_name"></a> [db\_cluster\_db\_instance\_parameter\_group\_name](#input\_db\_cluster\_db\_instance\_parameter\_group\_name) | The name of the DB Cluster parameter group to use. | `string` | `null` | no |
+| <a name="input_db_create"></a> [db\_create](#input\_db\_create) | Controls creation of the Aurora postgres database. | `bool` | `true` | no |
+| <a name="input_db_create_rds_proxy"></a> [db\_create\_rds\_proxy](#input\_db\_create\_rds\_proxy) | Enables an RDS proxy for the Aurora postgres database. | `bool` | `true` | no |
+| <a name="input_db_deletion_protection"></a> [db\_deletion\_protection](#input\_db\_deletion\_protection) | Enables deletion protection to avoid accidental database deletion. | `bool` | `true` | no |
+| <a name="input_db_engine_version"></a> [db\_engine\_version](#input\_db\_engine\_version) | The aurora postgres engine version. | `string` | `"13.8"` | no |
+| <a name="input_db_final_snapshot_identifier"></a> [db\_final\_snapshot\_identifier](#input\_db\_final\_snapshot\_identifier) | Identifer for a final DB snapshot. Required when db\_skip\_final\_snapshot is false.. | `string` | `null` | no |
+| <a name="input_db_instance_class"></a> [db\_instance\_class](#input\_db\_instance\_class) | The aurora postgres instance class. | `string` | `"db.r6g.xlarge"` | no |
+| <a name="input_db_instances"></a> [db\_instances](#input\_db\_instances) | The DB instance configuration | `map(any)` | <pre>{<br>  "replica1": {},<br>  "writer": {}<br>}</pre> | no |
+| <a name="input_db_master_user_password"></a> [db\_master\_user\_password](#input\_db\_master\_user\_password) | The master user password for RDS. Specify to explicitly set the password otherwise RDS will be allowed to manage it. | `string` | `null` | no |
+| <a name="input_db_monitoring_interval"></a> [db\_monitoring\_interval](#input\_db\_monitoring\_interval) | The aurora postgres engine version. | `string` | `"10"` | no |
+| <a name="input_db_performance_insights_enabled"></a> [db\_performance\_insights\_enabled](#input\_db\_performance\_insights\_enabled) | Enables database performance insights. | `bool` | `true` | no |
+| <a name="input_db_performance_insights_retention_period"></a> [db\_performance\_insights\_retention\_period](#input\_db\_performance\_insights\_retention\_period) | Number of days to retain performance insights data. Free tier: 7 days. | `number` | `7` | no |
+| <a name="input_db_port"></a> [db\_port](#input\_db\_port) | The port on which the DB accepts connections. | `string` | `"5432"` | no |
+| <a name="input_db_serverlessv2_scaling_configuration"></a> [db\_serverlessv2\_scaling\_configuration](#input\_db\_serverlessv2\_scaling\_configuration) | The serverless v2 scaling minimum and maximum. | <pre>object({<br>    min_capacity = number<br>    max_capacity = number<br>  })</pre> | <pre>{<br>  "max_capacity": 32,<br>  "min_capacity": 0.5<br>}</pre> | no |
+| <a name="input_db_skip_final_snapshot"></a> [db\_skip\_final\_snapshot](#input\_db\_skip\_final\_snapshot) | Enables skipping the final snapshot upon deletion. | `bool` | `false` | no |
+| <a name="input_db_snapshot_identifer"></a> [db\_snapshot\_identifer](#input\_db\_snapshot\_identifer) | The snapshot identifier to restore the database from. | `string` | `null` | no |
+| <a name="input_db_subnets"></a> [db\_subnets](#input\_db\_subnets) | The subnets to deploy RDS into. | `list(string)` | n/a | yes |
+| <a name="input_deployment_id"></a> [deployment\_id](#input\_deployment\_id) | The id of the deployment. Will be used to name resources like EKS cluster, etc. | `string` | n/a | yes |
+| <a name="input_ec2_key_name"></a> [ec2\_key\_name](#input\_ec2\_key\_name) | The name of the EC2 key pair to access servers. | `string` | `null` | no |
+| <a name="input_ec_auto_minor_version_upgrade"></a> [ec\_auto\_minor\_version\_upgrade](#input\_ec\_auto\_minor\_version\_upgrade) | Enables automatic minor version upgrades. Does not apply to serverless. | `bool` | `false` | no |
+| <a name="input_ec_automatic_failover_enabled"></a> [ec\_automatic\_failover\_enabled](#input\_ec\_automatic\_failover\_enabled) | Enables automatic failover. Does not apply to serverless. | `bool` | `true` | no |
+| <a name="input_ec_create"></a> [ec\_create](#input\_ec\_create) | Enables the creation of elasticache resources. | `bool` | `true` | no |
+| <a name="input_ec_enable_serverless"></a> [ec\_enable\_serverless](#input\_ec\_enable\_serverless) | Enables the use of elasticache for redis serverless. | `bool` | `false` | no |
+| <a name="input_ec_engine_version"></a> [ec\_engine\_version](#input\_ec\_engine\_version) | The version of the elasticache cluster. Does not apply to serverless. | `string` | `"6.x"` | no |
+| <a name="input_ec_multi_az_enabled"></a> [ec\_multi\_az\_enabled](#input\_ec\_multi\_az\_enabled) | Enables automatic failover. Does not apply to serverless. | `bool` | `true` | no |
+| <a name="input_ec_node_type"></a> [ec\_node\_type](#input\_ec\_node\_type) | The elasticache redis node type. Does not apply to serverless. | `string` | `"cache.m6g.large"` | no |
+| <a name="input_ec_number_of_shards"></a> [ec\_number\_of\_shards](#input\_ec\_number\_of\_shards) | The number of shards for redis. Does not apply to serverless. | `number` | `3` | no |
+| <a name="input_ec_parameter_group_name"></a> [ec\_parameter\_group\_name](#input\_ec\_parameter\_group\_name) | The elasticache parameter group name. Does not apply to serverless. | `string` | `"default.redis6.x.cluster.on"` | no |
+| <a name="input_ec_replicas_per_shard"></a> [ec\_replicas\_per\_shard](#input\_ec\_replicas\_per\_shard) | The number of replicas per shard for redis. Does not apply to serverless. | `number` | `2` | no |
+| <a name="input_ec_serverless_max_ecpu_per_second"></a> [ec\_serverless\_max\_ecpu\_per\_second](#input\_ec\_serverless\_max\_ecpu\_per\_second) | The max eCPU per second for serverless elasticache for redis. | `number` | `5000` | no |
+| <a name="input_ec_serverless_max_storage"></a> [ec\_serverless\_max\_storage](#input\_ec\_serverless\_max\_storage) | The max storage, in GB, for serverless elasticache for redis. | `number` | `5` | no |
+| <a name="input_ec_subnets"></a> [ec\_subnets](#input\_ec\_subnets) | The subnets to deploy Elasticache into. | `list(string)` | n/a | yes |
+| <a name="input_eks_administrator_principals"></a> [eks\_administrator\_principals](#input\_eks\_administrator\_principals) | The ARNs of the IAM roles for administrator access to EKS. | <pre>list(object({<br>    name          = string<br>    principal_arn = string<br>  }))</pre> | `[]` | no |
+| <a name="input_eks_cluster_endpoint_public_access_cidrs"></a> [eks\_cluster\_endpoint\_public\_access\_cidrs](#input\_eks\_cluster\_endpoint\_public\_access\_cidrs) | List of CIDR blocks which can access the Amazon EKS public API server endpoint | `list(string)` | <pre>[<br>  "0.0.0.0/0"<br>]</pre> | no |
+| <a name="input_eks_create"></a> [eks\_create](#input\_eks\_create) | Enables the EKS resource creation | `bool` | `true` | no |
+| <a name="input_eks_create_cluster_autoscaler_irsa"></a> [eks\_create\_cluster\_autoscaler\_irsa](#input\_eks\_create\_cluster\_autoscaler\_irsa) | Enables creation of cluster autoscaler IAM role. | `bool` | `true` | no |
+| <a name="input_eks_create_external_dns_irsa"></a> [eks\_create\_external\_dns\_irsa](#input\_eks\_create\_external\_dns\_irsa) | Enables creation of external dns IAM role. | `bool` | `true` | no |
+| <a name="input_eks_create_karpenter"></a> [eks\_create\_karpenter](#input\_eks\_create\_karpenter) | Enables creation of Karpenter resources. | `bool` | `false` | no |
+| <a name="input_eks_create_load_balancer_controller_irsa"></a> [eks\_create\_load\_balancer\_controller\_irsa](#input\_eks\_create\_load\_balancer\_controller\_irsa) | Enables creation of load balancer controller IAM role. | `bool` | `true` | no |
+| <a name="input_eks_node_additional_security_group_ids"></a> [eks\_node\_additional\_security\_group\_ids](#input\_eks\_node\_additional\_security\_group\_ids) | Additional security group ids to attach to EKS nodes. | `list(string)` | `[]` | no |
+| <a name="input_eks_node_groups"></a> [eks\_node\_groups](#input\_eks\_node\_groups) | n/a | <pre>list(object({<br>    name            = string<br>    min_size        = string<br>    desired_size    = string<br>    max_size        = string<br>    volume_type     = optional(string, "gp3")<br>    disk_size       = optional(number, 200)<br>    disk_iops       = optional(number, 3000)<br>    disk_throughput = optional(number, 125)<br>    device_name     = optional(string, "/dev/xvda")<br>    instance_types  = list(string)<br>    capacity_type   = optional(string, "ON_DEMAND")<br>    labels          = optional(map(string), {})<br>    taints          = optional(map(object({ key = string, value = string, effect = string })), {})<br>  }))</pre> | <pre>[<br>  {<br>    "desired_size": 3,<br>    "instance_types": [<br>      "c5.4xlarge"<br>    ],<br>    "max_size": 9,<br>    "min_size": 3,<br>    "name": "ast-app"<br>  },<br>  {<br>    "desired_size": 0,<br>    "instance_types": [<br>      "m5.2xlarge"<br>    ],<br>    "labels": {<br>      "sast-engine": "true"<br>    },<br>    "max_size": 100,<br>    "min_size": 0,<br>    "name": "sast-engine",<br>    "taints": {<br>      "dedicated": {<br>        "effect": "NO_SCHEDULE",<br>        "key": "sast-engine",<br>        "value": "true"<br>      }<br>    }<br>  },<br>  {<br>    "desired_size": 0,<br>    "instance_types": [<br>      "m5.4xlarge"<br>    ],<br>    "labels": {<br>      "sast-engine-large": "true"<br>    },<br>    "max_size": 100,<br>    "min_size": 0,<br>    "name": "sast-engine-large",<br>    "taints": {<br>      "dedicated": {<br>        "effect": "NO_SCHEDULE",<br>        "key": "sast-engine-large",<br>        "value": "true"<br>      }<br>    }<br>  },<br>  {<br>    "desired_size": 0,<br>    "instance_types": [<br>      "r5.2xlarge"<br>    ],<br>    "labels": {<br>      "sast-engine-extra-large": "true"<br>    },<br>    "max_size": 100,<br>    "min_size": 0,<br>    "name": "sast-engine-extra-large",<br>    "taints": {<br>      "dedicated": {<br>        "effect": "NO_SCHEDULE",<br>        "key": "sast-engine-extra-large",<br>        "value": "true"<br>      }<br>    }<br>  },<br>  {<br>    "desired_size": 0,<br>    "instance_types": [<br>      "r5.4xlarge"<br>    ],<br>    "labels": {<br>      "sast-engine-xxl": "true"<br>    },<br>    "max_size": 100,<br>    "min_size": 0,<br>    "name": "sast-engine-xxl",<br>    "taints": {<br>      "dedicated": {<br>        "effect": "NO_SCHEDULE",<br>        "key": "sast-engine-xxl",<br>        "value": "true"<br>      }<br>    }<br>  },<br>  {<br>    "desired_size": 1,<br>    "instance_types": [<br>      "c5.2xlarge"<br>    ],<br>    "labels": {<br>      "kics-engine": "true"<br>    },<br>    "max_size": 100,<br>    "min_size": 1,<br>    "name": "kics-engine",<br>    "taints": {<br>      "dedicated": {<br>        "effect": "NO_SCHEDULE",<br>        "key": "kics-engine",<br>        "value": "true"<br>      }<br>    }<br>  },<br>  {<br>    "desired_size": 1,<br>    "instance_types": [<br>      "c5.2xlarge"<br>    ],<br>    "labels": {<br>      "repostore": "true"<br>    },<br>    "max_size": 100,<br>    "min_size": 1,<br>    "name": "repostore",<br>    "taints": {<br>      "dedicated": {<br>        "effect": "NO_SCHEDULE",<br>        "key": "repostore",<br>        "value": "true"<br>      }<br>    }<br>  },<br>  {<br>    "desired_size": 1,<br>    "instance_types": [<br>      "m5.2xlarge"<br>    ],<br>    "labels": {<br>      "service": "sca-source-resolver"<br>    },<br>    "max_size": 100,<br>    "min_size": 1,<br>    "name": "sca-source-resolver",<br>    "taints": {<br>      "dedicated": {<br>        "effect": "NO_SCHEDULE",<br>        "key": "service",<br>        "value": "sca-source-resolver"<br>      }<br>    }<br>  }<br>]</pre> | no |
+| <a name="input_eks_private_endpoint_enabled"></a> [eks\_private\_endpoint\_enabled](#input\_eks\_private\_endpoint\_enabled) | Enables the EKS VPC private endpoint. | `bool` | `true` | no |
+| <a name="input_eks_public_endpoint_enabled"></a> [eks\_public\_endpoint\_enabled](#input\_eks\_public\_endpoint\_enabled) | Enables the EKS public endpoint. | `bool` | `false` | no |
+| <a name="input_eks_subnets"></a> [eks\_subnets](#input\_eks\_subnets) | The subnets to deploy EKS into. | `list(string)` | n/a | yes |
+| <a name="input_eks_version"></a> [eks\_version](#input\_eks\_version) | The version of the EKS Cluster (e.g. 1.27) | `string` | n/a | yes |
+| <a name="input_enable_cluster_creator_admin_permissions"></a> [enable\_cluster\_creator\_admin\_permissions](#input\_enable\_cluster\_creator\_admin\_permissions) | Enables the identity used to create the EKS cluster to have administrator access to that EKS cluster. When enabled, do not specify the same principal arn for eks\_administrator\_principals. | `bool` | `true` | no |
+| <a name="input_es_create"></a> [es\_create](#input\_es\_create) | Enables creation of elasticsearch resources. | `bool` | `true` | no |
+| <a name="input_es_instance_count"></a> [es\_instance\_count](#input\_es\_instance\_count) | The number of nodes in elasticsearch cluster | `number` | `2` | no |
+| <a name="input_es_instance_type"></a> [es\_instance\_type](#input\_es\_instance\_type) | The instance type for elasticsearch nodes. | `string` | `"r6g.large.elasticsearch"` | no |
+| <a name="input_es_password"></a> [es\_password](#input\_es\_password) | The password for the elasticsearch user | `string` | n/a | yes |
+| <a name="input_es_subnets"></a> [es\_subnets](#input\_es\_subnets) | The subnets to deploy Elasticsearch into. | `list(string)` | n/a | yes |
+| <a name="input_es_tls_security_policy"></a> [es\_tls\_security\_policy](#input\_es\_tls\_security\_policy) | n/a | `string` | `"Policy-Min-TLS-1-2-2019-07"` | no |
+| <a name="input_es_username"></a> [es\_username](#input\_es\_username) | The username for the elasticsearch user | `string` | `"ast"` | no |
+| <a name="input_es_volume_size"></a> [es\_volume\_size](#input\_es\_volume\_size) | The size of volumes for nodes in elasticsearch cluster | `number` | `100` | no |
+| <a name="input_kms_key_arn"></a> [kms\_key\_arn](#input\_kms\_key\_arn) | The ARN of the KMS key to use for encryption in AWS services | `string` | n/a | yes |
+| <a name="input_kube_proxy_version"></a> [kube\_proxy\_version](#input\_kube\_proxy\_version) | The version of the EKS Kube Proxy Addon. | `string` | n/a | yes |
+| <a name="input_launch_template_tags"></a> [launch\_template\_tags](#input\_launch\_template\_tags) | Tags to associate with launch templates for node groups | `map(string)` | `null` | no |
+| <a name="input_s3_allowed_origins"></a> [s3\_allowed\_origins](#input\_s3\_allowed\_origins) | The allowed orgins for S3 CORS rules. | `list(string)` | n/a | yes |
+| <a name="input_s3_retention_period"></a> [s3\_retention\_period](#input\_s3\_retention\_period) | The retention period, in days, to retain s3 objects. | `string` | `"90"` | no |
+| <a name="input_vpc_cni_version"></a> [vpc\_cni\_version](#input\_vpc\_cni\_version) | The version of the EKS VPC CNI Addon. | `string` | n/a | yes |
+| <a name="input_vpc_id"></a> [vpc\_id](#input\_vpc\_id) | The id of the vpc deploying into. | `string` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_bucket_suffix"></a> [bucket\_suffix](#output\_bucket\_suffix) | n/a |
+| <a name="output_cluster_autoscaler_iam_role_arn"></a> [cluster\_autoscaler\_iam\_role\_arn](#output\_cluster\_autoscaler\_iam\_role\_arn) | n/a |
+| <a name="output_db_database_name"></a> [db\_database\_name](#output\_db\_database\_name) | n/a |
+| <a name="output_db_endpoint"></a> [db\_endpoint](#output\_db\_endpoint) | n/a |
+| <a name="output_db_master_password"></a> [db\_master\_password](#output\_db\_master\_password) | n/a |
+| <a name="output_db_master_username"></a> [db\_master\_username](#output\_db\_master\_username) | n/a |
+| <a name="output_db_port"></a> [db\_port](#output\_db\_port) | n/a |
+| <a name="output_db_reader_endpoint"></a> [db\_reader\_endpoint](#output\_db\_reader\_endpoint) | n/a |
+| <a name="output_ec_endpoint"></a> [ec\_endpoint](#output\_ec\_endpoint) | n/a |
+| <a name="output_ec_port"></a> [ec\_port](#output\_ec\_port) | n/a |
+| <a name="output_eks"></a> [eks](#output\_eks) | n/a |
+| <a name="output_es_endpoint"></a> [es\_endpoint](#output\_es\_endpoint) | n/a |
+| <a name="output_es_password"></a> [es\_password](#output\_es\_password) | n/a |
+| <a name="output_es_username"></a> [es\_username](#output\_es\_username) | n/a |
+| <a name="output_external_dns_iam_role_arn"></a> [external\_dns\_iam\_role\_arn](#output\_external\_dns\_iam\_role\_arn) | n/a |
+| <a name="output_karpenter_iam_role_arn"></a> [karpenter\_iam\_role\_arn](#output\_karpenter\_iam\_role\_arn) | n/a |
+| <a name="output_load_balancer_controller_iam_role_arn"></a> [load\_balancer\_controller\_iam\_role\_arn](#output\_load\_balancer\_controller\_iam\_role\_arn) | n/a |
+| <a name="output_s3_bucket_name_suffix"></a> [s3\_bucket\_name\_suffix](#output\_s3\_bucket\_name\_suffix) | n/a |
+
+
+# Regional Considerations
+
+## GovCloud
+
+* RDS Proxy is not available in AWS Gov Cloud regions, so `create_rds_proxy` must be set `false`. Monitor database for connection usage and scale accordingly.
+* RDS's `ManageMasterUserPassword` capability is not supported. Specify a password via `db_master_user_password`
+* Elasticache's `cache.r7g` instance class is not available. Consider using `cache.r6g`.
diff --git a/data.tf b/data.tf
new file mode 100644
index 0000000..99b5bab
--- /dev/null
+++ b/data.tf
@@ -0,0 +1,6 @@
+data "aws_region" "current" {}
+data "aws_partition" "current" {}
+data "aws_caller_identity" "current" {}
+data "aws_vpc" "main" {
+  id = var.vpc_id
+}
\ No newline at end of file
diff --git a/eks.tf b/eks.tf
new file mode 100644
index 0000000..ebbed06
--- /dev/null
+++ b/eks.tf
@@ -0,0 +1,322 @@
+locals {
+  eks_nodegroups = { for node_group in var.eks_node_groups : node_group.name => {
+    name                 = "${var.deployment_id}-${node_group.name}"
+    launch_template_name = "${var.deployment_id}-${node_group.name}"
+    min_size             = node_group.min_size
+    max_size             = node_group.max_size
+    desired_size         = node_group.desired_size
+    instance_types       = node_group.instance_types
+    capacity_type        = node_group.capacity_type
+    block_device_mappings = {
+      xvda = {
+        device_name = node_group.device_name
+        ebs = {
+          volume_size           = node_group.disk_size
+          volume_type           = node_group.volume_type
+          iops                  = node_group.disk_iops
+          throughput            = node_group.disk_throughput
+          encrypted             = true
+          delete_on_termination = true
+        }
+      }
+    }
+    labels = node_group.labels
+    taints = node_group.taints
+    tags = {
+      Name = "${var.deployment_id}-${node_group.name}"
+    }
+    lifecycle = {
+      ignore_changes = ["desired_capacity"]
+    }
+  } }
+
+  admin_access_entries = { for entry in var.eks_administrator_principals : entry.name => {
+    principal_arn = entry.principal_arn
+    policy_associations = {
+      admin = {
+        policy_arn = "arn:${data.aws_partition.current.partition}:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy"
+        access_scope = {
+          type = "cluster"
+        }
+      }
+    }
+  } }
+}
+
+module "eks_node_iam_role" {
+  source  = "terraform-aws-modules/iam/aws//modules/iam-assumable-role"
+  version = "5.37.2"
+  trusted_role_services = [
+    "ec2.amazonaws.com"
+  ]
+  create_role       = true
+  role_name         = "${var.deployment_id}-eks-nodes"
+  role_requires_mfa = false
+  custom_role_policy_arns = [
+    "arn:${data.aws_partition.current.partition}:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy",
+    "arn:${data.aws_partition.current.partition}:iam::aws:policy/service-role/AmazonAPIGatewayPushToCloudWatchLogs",
+    "arn:${data.aws_partition.current.partition}:iam::aws:policy/AmazonEKS_CNI_Policy",
+    "arn:${data.aws_partition.current.partition}:iam::aws:policy/AmazonEKSWorkerNodePolicy",
+    "arn:${data.aws_partition.current.partition}:iam::aws:policy/AmazonSSMManagedInstanceCore",
+    "arn:${data.aws_partition.current.partition}:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly",
+    aws_iam_policy.s3_bucket_access.arn
+  ]
+}
+
+resource "aws_iam_policy" "s3_bucket_access" {
+  name = "${var.deployment_id}-s3-access"
+  policy = jsonencode({
+    "Version" : "2012-10-17",
+    "Statement" : [
+      {
+        "Action" : [
+          "s3:*"
+        ],
+        "Effect" : "Allow",
+        "Resource" : [
+          "arn:${data.aws_partition.current.partition}:s3:::${var.deployment_id}*",
+          "arn:${data.aws_partition.current.partition}:s3:::${var.deployment_id}*/*"
+        ]
+      }
+    ]
+  })
+}
+
+module "eks" {
+  source  = "terraform-aws-modules/eks/aws"
+  version = "20.8.5"
+  create  = var.eks_create
+
+  cluster_name    = var.deployment_id
+  cluster_version = var.eks_version
+
+  cluster_enabled_log_types = ["audit", "api", "authenticator", "scheduler"]
+
+  cluster_endpoint_private_access = var.eks_private_endpoint_enabled
+  cluster_endpoint_public_access  = var.eks_public_endpoint_enabled
+
+  vpc_id     = var.vpc_id
+  subnet_ids = var.eks_subnets
+
+  create_cluster_security_group = true
+  #cluster_security_group_id     = var.cluster_security_group_id
+
+  create_node_security_group = true
+  #node_security_group_id     = module.eks_nodes_security_group.security_group_id
+
+  node_security_group_additional_rules = {
+    ingress_self_http80 = {
+      description = "Node to node ingress http/80"
+      protocol    = "tcp"
+      from_port   = 80
+      to_port     = 80
+      type        = "ingress"
+      self        = true
+    }
+    ingress_self_regosync = {
+      description = "Node to node ingress http/81 (regosync service)"
+      protocol    = "tcp"
+      from_port   = 81
+      to_port     = 81
+      type        = "ingress"
+      self        = true
+    }
+    ingress_self_feedback_kics = {
+      description = "Node to node ingress http/86-88 (feedback-mfe, kics, sast results service)"
+      protocol    = "tcp"
+      from_port   = 86
+      to_port     = 89
+      type        = "ingress"
+      self        = true
+    }
+    ingress_self_sast_audit_queries = {
+      description = "Node to node ingress http/777-778 (sast audit queries service)"
+      protocol    = "tcp"
+      from_port   = 777
+      to_port     = 778
+      type        = "ingress"
+      self        = true
+    }
+  }
+
+  enable_irsa = true
+
+  enable_cluster_creator_admin_permissions = var.enable_cluster_creator_admin_permissions
+  access_entries                           = local.admin_access_entries
+
+
+  cluster_addons = {
+    coredns = {
+      addon_version = var.coredns_version
+    }
+    kube-proxy = {
+      addon_version = var.kube_proxy_version
+    }
+    vpc-cni = {
+      addon_version = var.vpc_cni_version
+      # Todo: add configuration for secondary cidr here to vpc plugin
+      #   before_compute = var.pod_custom_networking_subnets != null ? true : false
+      #   configuration_values = jsonencode({
+      #     env = {
+      #       AWS_VPC_K8S_CNI_CUSTOM_NETWORK_CFG = var.pod_custom_networking_subnets != null ? "true" : "false"
+      #       ENI_CONFIG_LABEL_DEF               = var.pod_custom_networking_subnets != null ? "topology.kubernetes.io/zone" : ""
+      #   } })
+
+    }
+    aws-ebs-csi-driver = {
+      addon_version = var.aws_ebs_csi_driver_version
+    }
+  }
+  create_kms_key = false
+  cluster_encryption_config = {
+    "resources"      = ["secrets"]
+    provider_key_arn = var.kms_key_arn
+  }
+  eks_managed_node_group_defaults = {
+    vpc_security_group_ids          = var.eks_node_additional_security_group_ids
+    use_name_prefix                 = false
+    iam_role_use_name_prefix        = false
+    launch_template_use_name_prefix = false
+    launch_template_tags            = var.launch_template_tags
+    cluster_name                    = var.deployment_id
+    cluster_version                 = var.eks_version
+    subnet_ids                      = var.eks_subnets
+    create_iam_role                 = false
+    iam_role_arn                    = module.eks_node_iam_role.iam_role_arn
+    key_name                        = var.ec2_key_name
+    metadata_options = {
+      http_endpoint               = "enabled"
+      http_tokens                 = "required"
+      instance_metadata_tags      = "disabled"
+      http_put_response_hop_limit = "2"
+    }
+  }
+
+  eks_managed_node_groups = local.eks_nodegroups
+}
+
+resource "aws_autoscaling_group_tag" "cluster_autoscaler_label" {
+  for_each               = { for node_group in var.eks_node_groups : node_group.name => node_group }
+  depends_on             = [module.eks]
+  autoscaling_group_name = module.eks.eks_managed_node_groups["${each.value.name}"].node_group_autoscaling_group_names[0]
+  tag {
+    key                 = "k8s.io/cluster-autoscaler/node-template/label/${each.value.name}"
+    value               = "true"
+    propagate_at_launch = true
+  }
+}
+
+resource "aws_autoscaling_group_tag" "cluster_autoscaler_taint" {
+  for_each               = { for node_group in var.eks_node_groups : node_group.name => node_group if length(node_group.taints) > 0 }
+  depends_on             = [module.eks]
+  autoscaling_group_name = module.eks.eks_managed_node_groups["${each.value.name}"].node_group_autoscaling_group_names[0]
+  tag {
+    key                 = "k8s.io/cluster-autoscaler/node-template/taint/${each.value.taints.dedicated.key}"
+    value               = "${each.value.taints.dedicated.value}:${each.value.taints.dedicated.effect}"
+    propagate_at_launch = true
+  }
+}
+
+
+module "cluster_autoscaler_irsa" {
+  source  = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
+  version = "5.39.0"
+  count   = var.eks_create && var.eks_create_cluster_autoscaler_irsa ? 1 : 0
+
+  role_name                        = "cluster-autoscaler-${var.deployment_id}"
+  role_description                 = "IRSA role for cluster autoscaler"
+  attach_cluster_autoscaler_policy = true
+
+  cluster_autoscaler_cluster_names = [module.eks.cluster_name]
+  oidc_providers = {
+    main = {
+      provider_arn               = module.eks.oidc_provider_arn
+      namespace_service_accounts = ["kube-system:cluster-autoscaler"]
+    }
+  }
+}
+
+
+module "external_dns_irsa" {
+  source  = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
+  version = "5.39.0"
+  count   = var.eks_create && var.eks_create_external_dns_irsa ? 1 : 0
+
+  role_name        = "external-dns-${var.deployment_id}"
+  role_description = "IRSA role for cluster external dns controller"
+  #external_dns_hosted_zone_arns = var.external_dns_hosted_zone_arns
+  # setting to false because we don't want to rely on exeternal policies
+  attach_external_dns_policy = true
+  oidc_providers = {
+    main = {
+      provider_arn               = module.eks.oidc_provider_arn
+      namespace_service_accounts = ["kube-system:external-dns"]
+    }
+  }
+}
+
+
+module "load_balancer_controller_irsa" {
+  source  = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
+  version = "5.39.0"
+  count   = var.eks_create && var.eks_create_load_balancer_controller_irsa ? 1 : 0
+
+  role_name                              = "load_balancer_controller-${var.deployment_id}"
+  role_description                       = "IRSA role for cluster load balancer controller"
+  attach_load_balancer_controller_policy = true
+  oidc_providers = {
+    main = {
+      provider_arn               = module.eks.oidc_provider_arn
+      namespace_service_accounts = ["kube-system:aws-load-balancer-controller"]
+    }
+  }
+}
+
+
+module "karpenter" {
+  source  = "terraform-aws-modules/eks/aws//modules/karpenter"
+  version = "20.8.5"
+  create  = var.eks_create && var.eks_create_karpenter
+
+  cluster_name                    = var.deployment_id
+  enable_irsa                     = true
+  irsa_oidc_provider_arn          = module.eks.oidc_provider_arn
+  irsa_namespace_service_accounts = ["kube-system:karpenter"]
+  create_iam_role                 = true
+  iam_role_name                   = "KarpenterController-${var.deployment_id}"
+  iam_role_description            = "IAM role for karpenter controller created by karpenter module"
+  create_node_iam_role            = false
+  #node_iam_role_arn               = module.eks.eks_managed_node_groups.nodegroup_iam_role_arn
+  create_access_entry             = false
+  iam_policy_name                 = "KarpenterPolicy-${var.deployment_id}"
+  iam_policy_description          = "Karpenter controller IAM policy created by karpenter module"
+  iam_role_use_name_prefix = false
+  node_iam_role_additional_policies = {
+    AmazonSSMManagedInstanceCore = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore",
+    AmazonEBSCSIDriverPolicy     = "arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy"
+  }
+  enable_spot_termination = true
+  queue_name              = "${var.deployment_id}-node-termination-handler"
+}
+
+
+
+output "cluster_autoscaler_iam_role_arn" {
+  value = var.eks_create && var.eks_create_load_balancer_controller_irsa ? module.cluster_autoscaler_irsa[0].iam_role_arn : ""
+}
+
+output "external_dns_iam_role_arn" {
+  value = var.eks_create && var.eks_create_load_balancer_controller_irsa ? module.external_dns_irsa[0].iam_role_arn : "" 
+}
+
+output "load_balancer_controller_iam_role_arn" {
+  value = var.eks_create && var.eks_create_load_balancer_controller_irsa ? module.load_balancer_controller_irsa[0].iam_role_arn : ""  
+}
+
+output "karpenter_iam_role_arn" {
+  value = var.eks_create && var.eks_create_karpenter ? module.karpenter.iam_role_arn : ""  
+}
+
+output "eks" {
+  value = module.eks.*
+}
diff --git a/elasticache.tf b/elasticache.tf
new file mode 100644
index 0000000..8e775cb
--- /dev/null
+++ b/elasticache.tf
@@ -0,0 +1,85 @@
+resource "aws_elasticache_serverless_cache" "main" {
+  engine = "redis"
+  count  = var.ec_create && var.ec_enable_serverless ? 1 : 0
+  name   = "${var.deployment_id}-redis-serverless"
+  cache_usage_limits {
+    data_storage {
+      maximum = var.ec_serverless_max_storage
+      unit    = "GB"
+    }
+    ecpu_per_second {
+      maximum = var.ec_serverless_max_ecpu_per_second
+    }
+  }
+  daily_snapshot_time      = "09:00"
+  description              = "Elasticache cluster for Checkmarx One deployment called: ${var.deployment_id}"
+  kms_key_id               = var.kms_key_arn
+  major_engine_version     = "7"
+  snapshot_retention_limit = 1
+  security_group_ids       = [module.elasticache_security_group.security_group_id]
+  subnet_ids               = var.ec_subnets
+}
+
+
+resource "aws_elasticache_subnet_group" "redis" {
+  count      = var.ec_create && var.ec_enable_serverless == false ? 1 : 0
+  name       = var.deployment_id
+  subnet_ids = var.ec_subnets
+}
+
+
+# tfsec:ignore:aws-elasticache-enable-in-transit-encryption
+resource "aws_elasticache_replication_group" "redis" {
+  count                      = var.ec_create && var.ec_enable_serverless == false ? 1 : 0
+  replication_group_id       = var.deployment_id
+  description                = "Redis cluster for AST application"
+  subnet_group_name          = aws_elasticache_subnet_group.redis[0].name
+  security_group_ids         = [module.elasticache_security_group.security_group_id]
+  node_type                  = var.ec_node_type
+  engine                     = "redis"
+  engine_version             = var.ec_engine_version
+  port                       = 6379
+  parameter_group_name       = var.ec_parameter_group_name
+  snapshot_retention_limit   = 2
+  automatic_failover_enabled = var.ec_automatic_failover_enabled
+  multi_az_enabled           = var.ec_multi_az_enabled
+  #num_cache_clusters         = 2
+  replicas_per_node_group = var.ec_replicas_per_shard
+  num_node_groups         = var.ec_number_of_shards
+
+  transit_encryption_enabled = false #var.redis_auth_token != "" ? true : false #BUG - AST can't work with TLS enabled
+  #auth_token                 = var.redis_auth_token != "" ? var.redis_auth_token : null
+
+  # Per https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/at-rest-encryption.html
+  # "The default (service managed) encryption is the only option available in the GovCloud (US) Regions."
+  kms_key_id                 = data.aws_partition.current.partition == "aws-us-gov" ? null : var.kms_key_arn
+  at_rest_encryption_enabled = true
+  auto_minor_version_upgrade = var.ec_auto_minor_version_upgrade
+  apply_immediately          = true
+}
+
+module "elasticache_security_group" {
+  source              = "terraform-aws-modules/security-group/aws"
+  create              = var.ec_create
+  version             = "5.1.2"
+  name                = "${var.deployment_id}-elasticache"
+  description         = "Elasticache security group for Checkmarx One deployment named ${var.deployment_id}"
+  vpc_id              = var.vpc_id
+  ingress_cidr_blocks = data.aws_vpc.main.cidr_block_associations[*].cidr_block
+  ingress_rules       = ["redis-tcp"]
+}
+
+# output "redis" {
+#   value = {
+#     address = aws_elasticache_serverless_cache.main[0].endpoint[0].address
+#     port    = aws_elasticache_serverless_cache.main[0].endpoint[0].port
+#   }
+# }
+
+output "ec_endpoint" {
+  value = var.ec_enable_serverless ? aws_elasticache_serverless_cache.main[0].endpoint[0].address : aws_elasticache_replication_group.redis[0].configuration_endpoint_address
+}
+
+output "ec_port" {
+  value = 6379
+}
diff --git a/modules/cxone-install/install.sh.tftpl b/modules/cxone-install/install.sh.tftpl
new file mode 100644
index 0000000..9ac0918
--- /dev/null
+++ b/modules/cxone-install/install.sh.tftpl
@@ -0,0 +1,30 @@
+#!/bin/bash
+
+# These environment variables are required for the kots commands that follow.
+# Consider injecting them into your environment rather than hard coding in this script.
+NAMESPACE="${namespace}"                     # The k8s namespace to deploy the application into. Suggested: ast
+KOTS_CONFIG="${kots_config_file}"            # The path to the kots configuration file
+LICENSE="${license_file}"                    # The path to the Checkmarx One license file
+SHARED_PASSWORD="${kots_admin_password}"     # The shared password value for the Kots admin console
+RELEASE_CHANNEL="${release_channel}"         # The release channel that matches your license file.
+APP_VERSION="${app_version}"                 # The application version to install
+
+# First, check if kotsadm and the ast application is installed yet. If the application is not installed, 
+# then install it and provide the license and shared password. We will *NOT* provide the configuration yet.
+if ! kubectl kots get apps -n $NAMESPACE | grep ast > /dev/null; then
+  echo "ast app not found, installing..."
+  # 
+  kubectl kots install ast/$RELEASE_CHANNEL -n $NAMESPACE --license-file $LICENSE --shared-password $SHARED_PASSWORD --app-version-label $APP_VERSION --no-port-forward
+else
+  echo "ast app is already installed."
+fi
+ 
+# Second, update the installed application with the desired kots configuration file and trigger a redeployment.
+# This will provide the log output for any missing required configuration fields, and will allow the kots
+# configuration to be version controlled and updated from time to time as needed.
+echo "Updating kots configuration..."
+kubectl kots set config ast -n $NAMESPACE --config-file $KOTS_CONFIG --deploy
+KOTS_UPDATE_EXIT=$?
+if [[ KOTS_UPDATE_EXIT -ne 0 ]]; then
+    echo "An error occurred updating the Kots configuration. Check the kots output above for clues."
+fi
diff --git a/modules/cxone-install/kots.config.aws.reference.yaml.tftpl b/modules/cxone-install/kots.config.aws.reference.yaml.tftpl
new file mode 100644
index 0000000..d4af69e
--- /dev/null
+++ b/modules/cxone-install/kots.config.aws.reference.yaml.tftpl
@@ -0,0 +1,363 @@
+apiVersion: kots.io/v1beta1
+kind: ConfigValues
+metadata:
+  creationTimestamp: null
+spec:
+  values:
+    #--------------------------------------------------------------------------
+    # GENERAL
+    #--------------------------------------------------------------------------
+    
+    # The default admin user is the Checkmarx One application admin user, aka root user.
+    # This user's credentials are injected into the system via Kots configuration, and then
+    # can be changed. The user will be forced to configure MFA upon first login.
+    default_admin_email:
+      value: ${admin_email}
+    # By convention, the first user is named admin
+    default_admin_user:
+      value: ${admin_username}
+    # default_admin_password must be > 14 characters in length.
+    default_admin_password:
+      value: ${admin_password}
+
+    # Enable DAST component. 
+    # bool - Valid values are "0" (false) and "1" true 
+    # Recommendation: "1" if licensed for DAST, otherwise "0"
+    enable_dast_component:
+      value: "1"
+
+    # Enable the local flow for SCA Global inventory
+    enable_sca_local_flow_for_global_inventory:
+      value: "0"
+
+    # Enables using a dedicated node group just for SCA components. 
+    # If enabled, the node group must exists with the correct labels and taint.
+    # bool - Valid values are "0" (false) and "1" true
+    # Recommended value: "0"
+    use_dedicated_sca_nodegroup:
+      value: "0"
+
+    # Configures the SCA production environment for the Checkmarx Cloud
+    # Valid values are https://api-sca-.checkmarx.net and "https://eu.api-sca.checkmarx.net"
+    # Recommended value: match the region in your kots license file for cloudIamUrl
+    sca_prod_environment:
+      value: https://api-sca.checkmarx.net
+
+    # environment_type is always production
+    environment_type:
+      value: development
+
+    # deployment_type is always cloud
+    deployment_type:
+      value: cloud
+
+    # The minimum microservice replicas. Used to control number of pods per service.
+    # Recommendation: production environments, at least 3. Non-prod can be as low as 1.
+    ms_replica_count:
+      value: "${ms_replica_count}"
+    
+    # cloud_provider is always AWS, when deploying to AWS.
+    cloud_provider:
+      value: AWS
+
+    # The protocol the system will use in its url. Valid values are http and https (recommended)
+    # When https, you must provide an SSL certificate in networking settings.
+    PROTOCOL:
+      value: https
+    
+    # The domain name for the system. Used to configure traefik for listening for incoming requests.
+    # Example: checkmarx.example.com
+    DOMAIN:
+      value: ${fqdn}
+
+    # Enable TLS for secure communication. Valid values are "0" and "1"  
+    ENABLE_TLS:
+      default: "1"
+
+    #--------------------------------------------------------------------------
+    # SCA Global Inventory & Elasticsearch
+    #--------------------------------------------------------------------------
+
+    # Enables SCA Global Inventory
+    # bool - Valid values are "0" (false) and "1" true. 
+    # When true, must provide elasticsearch configuration.
+    enable_sca_global_inventory:
+      value: "0"
+
+    # Typically ES is provided via AWS OpenSearch service (must be Elasticsearch engine v 7.10)
+    sca_global_inventory_elasticsearch_host:
+      value: ${elasticsearch_host}
+    sca_global_inventory_elasticsearch_port:
+      value: "443"
+    sca_global_inventory_elasticsearch_username:
+      value: ast
+    sca_global_inventory_elasticsearch_password:
+      value: ${elasticsearch_password}
+
+    #--------------------------------------------------------------------------
+    # S3 Bucket Names
+    #--------------------------------------------------------------------------
+
+    # These are the names of the various buckets used by Checkmarx One components.
+    # The bucket names are passed to Checkmarx One rather than hard coding them.
+
+
+    apisec_s3_bucket_name:
+      value: ${deployment_id}-apisec-${bucket_name_suffix}
+    audit_s3_bucket_name:
+      value: ${deployment_id}-audit-${bucket_name_suffix}
+    configuration_s3_bucket_name:
+      value: ${deployment_id}-configuration-${bucket_name_suffix} 
+    cxone_s3_bucket_name:
+      value: ${deployment_id}-cxone-${bucket_name_suffix}  
+    engine_logs_s3_bucket_name:
+      value: ${deployment_id}-engine-logs-${bucket_name_suffix}
+    export_s3_bucket_name:
+      value: ${deployment_id}-export-${bucket_name_suffix}
+    imports_s3_bucket_name:
+      value: ${deployment_id}-imports-${bucket_name_suffix}
+    kics_worker_s3_bucket_name:
+      value: ${deployment_id}-kics-worker-${bucket_name_suffix}
+    logs_s3_bucket_name:
+      value: ${deployment_id}-logs-${bucket_name_suffix}
+    misc_s3_bucket_name:
+      value: ${deployment_id}-misc-${bucket_name_suffix} 
+    queries_s3_bucket_name:
+      value: ${deployment_id}-queries-${bucket_name_suffix}
+    redis_shared_s3_bucket_name:
+      value: ${deployment_id}-redis-${bucket_name_suffix}
+    reports_s3_bucket_name:
+      value: ${deployment_id}-reports-${bucket_name_suffix}
+    report_templates_s3_bucket_name:
+      value: ${deployment_id}-report-templates-${bucket_name_suffix}  
+    repostore_s3_bucket_name:
+      value: ${deployment_id}-repostore-${bucket_name_suffix}
+    sast_metadata_s3_bucket_name:
+      value: ${deployment_id}-sast-metadata-${bucket_name_suffix}
+    sast_worker_s3_bucket_name:
+      value: ${deployment_id}-sast-worker-${bucket_name_suffix}        
+    scan_results_storage_s3_bucket_name:
+      value: ${deployment_id}-scan-results-storage-${bucket_name_suffix}
+    scans_s3_bucket_name:
+      value: ${deployment_id}-scans-${bucket_name_suffix} 
+    sca_worker_s3_bucket_name:
+      value: ${deployment_id}-sca-worker-${bucket_name_suffix}   
+    source_resolver_s3_bucket_name:
+      value: ${deployment_id}-source-resolver-${bucket_name_suffix}
+    uploads_s3_bucket_name:
+      value: ${deployment_id}-uploads-${bucket_name_suffix}
+    
+    #--------------------------------------------------------------------------
+    # S3 Settings
+    #--------------------------------------------------------------------------
+
+    # The aws region e.g. us-east-1 or us-west-2, etc.
+    cloud_region:
+      value: ${aws_region}
+    
+    # The s3 endpoint. Typically will match your region.
+    # Example value: s3.us-west-2.amazonaws.com
+    object_storage_url:
+      value: ${object_storage_url}
+
+    # The s3 endpoint, with scheme (protocol, aka http/https)
+    # Example value: https://s3.us-west-2.amazonaws.com
+    object_storage_schemeUrl:
+      value: https://${object_storage_url}
+
+    # An AWS IAM user, with access key, and secret key, must be created out of band
+    # so that the credentials can be configured here. The user must have access to 
+    # the s3 buckets for Checkmarx One.
+    object_storage_access_key:
+      value: ${object_storage_access_key}
+    object_storage_secret_key:
+      value: ${object_storage_secret_key}
+
+    # Configures secure connections to s3. Can be "1" (true/enabled) or "0" (false/disabled)
+    # Recommended: "1"
+    object_storage_secure:
+      value: "1"
+
+    # The SCA Host Type Settting valid values are 'ExeLocalServer' and 'S3' - controls 
+    # wether SCA uses AWS SDK or Minio Client.
+    sca_host_type_setting:
+      value: "S3"
+
+    #--------------------------------------------------------------------------
+    # Database Settings
+    #--------------------------------------------------------------------------
+    
+    # Always set to external_postgres. Other values used for development only.
+    postgres_type:
+      value: external_postgres
+
+    # The host name to connect to postgres on
+    external_postgres_host:
+      value: ${postgres_host}
+
+    # The postgres port. Typically "5432"
+    external_postgres_port:
+      value: "5432"
+
+    # The postgres username. By convention, ast. 
+    external_postgres_user:
+      value: ${postgres_user}
+
+    # The password for the external_postgres_user.
+    external_postgres_password:
+      value: ${postgres_password}
+    
+    # The name of the CxOne database. By convention, ast.
+    external_postgres_db:
+      value: ast
+
+    # Used to enforce SSL connections to postgres. Values are
+    # postgres_sslmode_require or postgres_sslmode_allow
+    external_postgres_sslmode:
+      value: postgres_sslmode_require
+
+    #--------------------------------------------------------------------------
+    # Metrics Analytics Settings
+    #--------------------------------------------------------------------------
+
+    # Enables analytics features, which requires an additional database.
+    enable_analytics:
+      value: "0"
+
+    # The analaytics database connection information. required when enable_analytics is "1"
+    analytics_postgres_host:
+      value: <enter metrics database host>
+    analytics_postgres_port:
+      value: "5432"    
+    analytics_postgres_db_name:
+      value: analytics
+    analytics_postgres_user:
+      value: <enter user name>    
+    analytics_postgres_password:
+      value: <enter password>
+    # Can be either analytics_postgres_sslmode_require or analytics_postgres_sslmode_allow
+    analytics_postgres_sslmode_value:
+      value: analytics_postgres_sslmode_require
+
+    #--------------------------------------------------------------------------
+    # Redis Settings
+    #--------------------------------------------------------------------------
+
+    # Always set to external_redis. Other values used for development only.
+    redis_type:
+      value: external_redis
+
+    # The host name to connect to redis on.  
+    external_redis_address:
+      value: ${redis_address}
+    
+    # The port to connect to redis on. Typically 6379.
+    external_redis_port:
+      value: "6379"
+    
+    external_redis_password: {}
+
+    external_redis_tls_enabled:
+      value: "0"
+
+    external_redis_cluster_mode_enabled:
+      value: "1"
+
+    external_redis_tls_skipverify:
+      value: "0"
+
+    #--------------------------------------------------------------------------
+    # SMTP Settings
+    #--------------------------------------------------------------------------
+    
+    # The settings here configure how Checkmarx One will connect to your SMTP
+    # server for sending outbound emails.
+
+    # Enables SMTP configuration. Other SMTP values are required when enabled.
+    # Valid values are "0" (false/disabled) and "1" (true/enabled)
+    enable_smtp:
+      value: "1"
+    
+    # The SMTP server host name that Checkmarx One will use for sending emails
+    smtp_host:
+      value: ${smtp_host}
+    
+    # The from address in outgoing emails
+    smtp_from_sender:
+      value: ${smtp_from_sender}
+
+    # The port to which Checkmarx One will connect on the SMTP server.
+    # Typically 587 when using tls.
+    smtp_port:
+      value: "${smtp_port}"
+
+    # Enables TLS connections to the SMTP server. When enabled, SMTP server must
+    # be configured with a TLS certificate from a well known Certificate Authority.
+    # Valid values are "0" (false/disabled) and "1" (true/enabled)
+    smtp_tls_enabled:
+      value: "1"
+
+    # The username and password that Checkmarx One will use to authenticate to 
+    # the SMTP server with, when smtp_auth_enabled = "1". Use "0" for no 
+    # authentication (which your SMTP server must allow).
+    smtp_auth_enabled:
+      value: "1"
+    smtp_user:
+      value: ${smtp_user}
+    smtp_password:
+      value: ${smtp_password}
+
+    
+    #--------------------------------------------------------------------------
+    # Prometheus Settings
+    #--------------------------------------------------------------------------
+    enable_prometheus_service_monitor_metrics:
+      value: "0"
+    prometheus_service_monitor_labels_release:
+      value: ""
+
+    #--------------------------------------------------------------------------
+    # Networking Settings
+    #--------------------------------------------------------------------------
+    
+    # Networking settings are primarily settings that will drive configuration of the
+    # AWS Load Balancer Controller. Consult the LBC documentation for additional information
+    # on these settings https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.7/.
+  
+    # In Checkmarx One, these configuration values are injected into the Traefik service which will
+    # be connected to the load balancer according to how you specify your networking settings here.
+
+    # Configures the type of load balancer to use. Valid values are:
+    #   networking_type_load_balancer_AWS_NLB: AWS Network Load Balancer (recommended)
+    #   networking_type_load_balancer_AWS_CLB: AWS Classic Load Balancer (not recommended)
+    # Reference: https://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/how-elastic-load-balancing-works.html
+    networking_type_aws:
+      value: networking_type_load_balancer_AWS_NLB
+
+    # Configures the load balancer scheme. Valid values are:
+    #   internet-facing: a load balancer with public IP addresses and public dns. Recommended when deploying CxOne for interenet access.
+    #   internal: a load balancer that only has private ip addresses. Recommend when deploying CxOne privately.
+    # Reference https://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/how-elastic-load-balancing-works.html#load-balancer-scheme
+    network_load_balancer_scheme:
+      value: internet-facing
+
+    # SSL Policy Name to be applied to the AWS Network Load Balancer. Reference https://docs.aws.amazon.com/elasticloadbalancing/latest/network/create-tls-listener.html#describe-ssl-policies.
+    network_load_balancer_ssl_negotiation_policy:
+      value: "ELBSecurityPolicy-TLS-1-2-Ext-2018-06"
+
+    # Source CIDR ranges to be allowed access to the AWS Network Load Balancer. Reference https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.4/guide/service/annotations/#lb-source-ranges.
+    network_load_balancer_source_ranges:
+      value: "0.0.0.0/0"
+
+    # Enable explicit NLB subnet assignments. Valid values are "0" (false) and "1" (true).
+    # Recommendation: only use when you want to explicitly control subnet placement for the NLB. Use auto discovery via tags instead.
+    network_load_balancer_subnets_enabled:
+      value: "0"
+    # When network_load_balancer_subnets_enabled is "1", uncomment this configuration item and set your subnets with list of subnet ids here
+    #network_load_balancer_subnets:
+    #  value: subnet-xxxx, subnet-123123
+    
+    # Specify the ARN to the SSL certificate in AWS ACM that will be used to configure load balancer listeners for TLS 
+    # Valid values are ARNs e.g. arn:aws:acm:us-east-1:01234567890:certificate/d3f015a6-5b08-4c1e-8458-250220bf31e2
+    nlb_tls_acm_arn:
+      value: ${nlb_tls_acm_arn}
diff --git a/modules/cxone-install/main.tf b/modules/cxone-install/main.tf
new file mode 100644
index 0000000..70673f0
--- /dev/null
+++ b/modules/cxone-install/main.tf
@@ -0,0 +1,76 @@
+# Look up the database password from secrets manager, as the Kots configuration requires it.
+# data "aws_secretsmanager_secret" "rds_secret" {
+#   arn = var.postgres_password_secret_arn
+# }
+# data "aws_secretsmanager_secret_version" "rds_secret" {
+#   secret_id = data.aws_secretsmanager_secret.rds_secret.id
+# }
+
+resource "local_file" "kots_config" {
+  content = templatefile("${path.module}/kots.config.aws.reference.yaml.tftpl", {
+    aws_region     = var.region
+    admin_email    = var.admin_email
+    admin_username = "admin"
+    admin_password = var.admin_password
+
+    ms_replica_count = var.ms_replica_count
+
+    fqdn            = var.fqdn
+    nlb_tls_acm_arn = var.acm_certificate_arn
+
+    # S3 buckets
+    bucket_name_suffix        = var.bucket_suffix
+    deployment_id             = var.deployment_id
+    object_storage_url        = var.object_storage_endpoint
+    object_storage_access_key = var.object_storage_access_key
+    object_storage_secret_key = var.object_storage_secret_key
+
+    # RDS
+    postgres_host     = var.postgres_host
+    postgres_user     = var.postgres_user
+    postgres_password = var.postgres_password #jsondecode(data.aws_secretsmanager_secret_version.rds_secret.secret_string)["password"]
+    postgres_db       = var.postgres_database_name
+
+    # Redis
+    redis_address = var.redis_address
+
+    # SMTP
+    smtp_host        = var.smtp_host
+    smtp_port        = var.smtp_port
+    smtp_user        = var.smtp_user
+    smtp_password    = var.smtp_password
+    smtp_from_sender = var.smtp_from_sender
+
+    # Elasticsearch
+    elasticsearch_host     = var.elasticsearch_host
+    elasticsearch_password = var.elasticsearch_password
+  })
+  filename = "kots.${var.deployment_id}.yaml"
+}
+
+
+resource "local_file" "makefile" {
+  content = templatefile("${path.module}/makefile.tftpl", {
+    tf_deployment_id                      = var.deployment_id
+    tf_deploy_region                      = var.region
+    tf_eks_cluster_name                   = var.deployment_id
+    tf_fqdn                               = var.fqdn
+    tf_cxone_version                      = var.cxone_version
+    tf_release_channel                    = var.release_channel
+    tf_kots_password                      = var.kots_admin_password
+    tf_namespace                          = "ast"
+    tf_license_file                       = var.license_file
+    tf_kots_config_file                   = "kots.${var.deployment_id}.yaml"
+    namespace                             = "ast"
+    kots_config_file                      = "kots.${var.deployment_id}.yaml"
+    license_file                          = var.license_file
+    release_channel                       = var.release_channel
+    app_version                           = var.cxone_version
+    cluster_autoscaler_iam_role_arn       = var.cluster_autoscaler_iam_role_arn
+    load_balancer_controller_iam_role_arn = var.load_balancer_controller_iam_role_arn
+
+
+  })
+  filename = "makefile"
+}
+
diff --git a/modules/cxone-install/makefile.tftpl b/modules/cxone-install/makefile.tftpl
new file mode 100644
index 0000000..b06c361
--- /dev/null
+++ b/modules/cxone-install/makefile.tftpl
@@ -0,0 +1,79 @@
+DEPLOYMENT_ID = ${tf_deployment_id}
+DEPLOY_REGION = ${tf_deploy_region}
+EKS_CLUSTER_NAME = ${tf_eks_cluster_name}
+FQDN = ${tf_fqdn}
+CXONE_VERSION = ${tf_cxone_version}
+RELEASE_CHANNEL = ${tf_release_channel}
+KOTS_PASSWORD = ${tf_kots_password}
+NAMESPACE = ${tf_namespace}
+LICENSE_FILE = ${tf_license_file}
+KOTS_CONFIG_FILE = ${tf_kots_config_file}
+
+.PHONY: update-kubeconfig
+update-kubeconfig:
+	aws eks update-kubeconfig --name $${EKS_CLUSTER_NAME}
+
+.PHONY: kots-install
+kots-install:
+	kubectl kots install ast/$${RELEASE_CHANNEL} -n $${NAMESPACE} --license-file $${LICENSE_FILE} --shared-password $${KOTS_PASSWORD} --config-values $${KOTS_CONFIG_FILE} --app-version-label $${CXONE_VERSION}
+
+.PHONY: kots-set-config
+kots-set-config:
+	kubectl kots set config ast -n $${NAMESPACE} --config-file $${KOTS_CONFIG_FILE} --deploy
+
+.PHONY: kots-get-config
+kots-get-config:
+	kubectl kots get config -n $${NAMESPACE} --appslug ast
+
+.PHONY: kots-admin-console
+kots-admin-console:
+	kubectl kots admin-console -n $${NAMESPACE}
+
+.PHONY: rollout-restart
+rollout-restart:
+	kubectl -n $${NAMESPACE} rollout restart deploy
+	kubectl -n $${NAMESPACE} rollout restart statefulset
+
+.PHONY: install-cluster-autoscaler
+install-cluster-autoscaler:
+	helm repo add autoscaler https://kubernetes.github.io/autoscaler; \
+	helm repo update autoscaler; \
+	helm install cluster-autoscaler autoscaler/cluster-autoscaler \
+	--version 9.21.1 \
+	-n kube-system \
+	--set awsRegion=$${DEPLOY_REGION} \
+	--set rbac.serviceAccount.create=true \
+	--set rbac.serviceAccount.name=cluster-autoscaler \
+	--set rbac.serviceAccount.annotations."eks\.amazonaws\.com/role-arn"="${cluster_autoscaler_iam_role_arn}" \
+	--set autoDiscovery.clusterName=$${EKS_CLUSTER_NAME}
+
+.PHONY: uninstall-cluster-autoscaler
+uninstall-cluster-autoscaler:
+	helm uninstall cluster-autoscaler -n kube-system
+
+.PHONY: install-load-balancer-controller
+install-load-balancer-controller:
+	helm repo add eks https://aws.github.io/eks-charts; \
+	helm repo update eks; \
+	helm install aws-load-balancer-controller eks/aws-load-balancer-controller \
+	--version 1.7.1 \
+	-n kube-system \
+	--set region=$${DEPLOY_REGION}} \
+	--set serviceAccount.create=true \
+	--set serviceAccount.name=aws-load-balancer-controller \
+	--set serviceAccount.annotations."eks\.amazonaws\.com/role-arn"="${load_balancer_controller_iam_role_arn}" \
+	--set clusterName=$${EKS_CLUSTER_NAME}} \
+	--set enableShield=false \
+	--set enableWaf=false \
+	--set enableWaafv2=false
+
+
+.PHONY: uninstall-load-balancer-controller
+uninstall-load-balancer-controller:
+	helm uninstall aws-load-balancer-controller -n kube-system
+
+.PHONY: clean-kots
+clean-kots:
+	kubectl delete deployment kotsadm -n $${NAMESPACE}
+	kubectl delete statefulset kotsadm-minio -n $${NAMESPACE}
+	kubectl delete statefulset kotsadm-rqlite -n $${NAMESPACE}
diff --git a/modules/cxone-install/variables.tf b/modules/cxone-install/variables.tf
new file mode 100644
index 0000000..4dd233c
--- /dev/null
+++ b/modules/cxone-install/variables.tf
@@ -0,0 +1,173 @@
+variable "region" {
+  type        = string
+  description = "The AWS region e.g. us-east-1, us-west-2, etc."
+}
+
+variable "admin_email" {
+  type        = string
+  description = "The email of the first admin user."
+}
+
+variable "admin_password" {
+  type        = string
+  description = "The password for the first admin user. Must be > 14 characters."
+}
+
+variable "fqdn" {
+  type        = string
+  description = "The fully qualified domain name that will be used for the Checkmarx One deployment"
+}
+
+variable "acm_certificate_arn" {
+  type        = string
+  description = "The ARN for the ACM certificate to use to configure SSL with."
+}
+
+variable "deployment_id" {
+  description = "The id of the deployment. Will be used to name resources like EKS cluster, etc."
+  type        = string
+  nullable    = false
+  validation {
+    condition     = (length(var.deployment_id) >= 3)
+    error_message = "The deployment_id must be greater than 3 characters."
+  }
+}
+
+variable "bucket_suffix" {
+  description = "The id of the deployment. Will be used to name resources like EKS cluster, etc."
+  type        = string
+  nullable    = false
+  validation {
+    condition     = (length(var.bucket_suffix) > 3)
+    error_message = "The deployment_id must be greater than 3 characters."
+  }
+}
+
+variable "cxone_version" {
+  type        = string
+  description = "The version of CxOne to install"
+}
+
+variable "release_channel" {
+  type        = string
+  description = "The release channel to deploy from"
+}
+
+variable "license_file" {
+  type        = string
+  description = "The path to the license file to use"
+}
+
+variable "kots_admin_password" {
+  type        = string
+  description = "The Kots password to use"
+}
+
+variable "ms_replica_count" {
+  type        = number
+  description = "The microservices replica count (e.g. a minimum)"
+  default     = 3
+}
+
+variable "cluster_autoscaler_iam_role_arn" {
+  type     = string
+  nullable = true
+}
+
+variable "external_dns_iam_role_arn" {
+  type     = string
+  nullable = true
+}
+
+variable "load_balancer_controller_iam_role_arn" {
+  type     = string
+  nullable = true
+}
+
+#******************************************************************************
+#   S3 Access Configuration
+#******************************************************************************
+variable "object_storage_endpoint" {
+  type        = string
+  description = "The S3 endpoint to use to access buckets"
+}
+
+variable "object_storage_access_key" {
+  type        = string
+  description = "The S3 access key to use to access buckets"
+}
+variable "object_storage_secret_key" {
+  type        = string
+  description = "The S3 secret key to use to access buckets"
+}
+
+variable "postgres_host" {
+  type        = string
+  description = "The endpoint for the main RDS server."
+}
+
+variable "postgres_user" {
+  type        = string
+  description = "The user name for the main RDS server."
+  default     = "ast"
+}
+
+variable "postgres_password" {
+  type        = string
+  description = "The user name for the main RDS server."
+  default     = "ast"
+}
+
+variable "postgres_database_name" {
+  type        = string
+  description = "The name of the main database."
+  default     = "ast"
+}
+
+variable "redis_address" {
+  type        = string
+  description = "The redis endpoint."
+}
+
+
+#******************************************************************************
+#   Elasticsearch Configuration
+#******************************************************************************
+
+variable "elasticsearch_host" {
+  type    = string
+  default = "The elasticsearc host address."
+}
+
+variable "elasticsearch_password" {
+  type    = string
+  default = "The elasticsearch password."
+}
+
+#******************************************************************************
+#   SMTP Configuration
+#******************************************************************************
+variable "smtp_host" {
+  description = "The hostname of the SMTP server."
+  type        = string
+}
+
+variable "smtp_port" {
+  description = "The port of the SMTP server."
+  type        = number
+}
+
+variable "smtp_user" {
+  description = "The smtp user name."
+  type        = string
+}
+
+variable "smtp_password" {
+  description = "The smtp password."
+  type        = string
+}
+
+variable "smtp_from_sender" {
+  description = "The address to use in the from field when sending emails."
+  type        = string
+}
\ No newline at end of file
diff --git a/opensearch.tf b/opensearch.tf
new file mode 100644
index 0000000..7c28dee
--- /dev/null
+++ b/opensearch.tf
@@ -0,0 +1,93 @@
+
+
+resource "aws_elasticsearch_domain" "es" {
+  count                 = var.es_create ? 1 : 0
+  domain_name           = var.deployment_id
+  elasticsearch_version = "7.10"
+
+  cluster_config {
+    instance_type          = var.es_instance_type
+    instance_count         = var.es_instance_count
+    zone_awareness_enabled = true
+    zone_awareness_config {
+      availability_zone_count = min(length(var.es_subnets), var.es_instance_count)
+    }
+  }
+  vpc_options {
+    subnet_ids         = slice(var.es_subnets, 0, var.es_instance_count)
+    security_group_ids = [module.elasticache_security_group.security_group_id]
+  }
+  snapshot_options {
+    automated_snapshot_start_hour = 06
+  }
+  ebs_options {
+    ebs_enabled = true
+    volume_type = "gp3"
+    volume_size = var.es_volume_size
+    throughput  = 125
+    iops        = 3000
+  }
+  domain_endpoint_options {
+    enforce_https       = true
+    tls_security_policy = var.es_tls_security_policy
+  }
+  advanced_options = {
+    "rest.action.multi.allow_explicit_index" = "true"
+  }
+  encrypt_at_rest {
+    enabled = true
+  }
+  node_to_node_encryption {
+    enabled = true
+  }
+  advanced_security_options {
+    enabled                        = true
+    internal_user_database_enabled = true
+    master_user_options {
+      master_user_name     = var.es_username
+      master_user_password = var.es_password
+    }
+  }
+  access_policies = <<CONFIG
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Action": "es:*",
+            "Principal": "*",
+            "Effect": "Allow",
+            "Resource": "arn:${data.aws_partition.current.partition}:es:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:domain/${var.deployment_id}/*"
+        }
+    ]
+}
+CONFIG
+
+  tags = {
+    Domain = var.deployment_id
+  }
+}
+
+module "elasticsearch_security_group" {
+  source              = "terraform-aws-modules/security-group/aws"
+  create              = var.es_create
+  version             = "5.1.2"
+  name                = "${var.deployment_id}-elastisearch"
+  description         = "Elasticsearch security group for Checkmarx One deployment named ${var.deployment_id}"
+  vpc_id              = var.vpc_id
+  ingress_cidr_blocks = data.aws_vpc.main.cidr_block_associations[*].cidr_block
+  ingress_rules       = ["elasticsearch-rest-tcp", "elasticsearch-java-tcp"]
+}
+
+
+output "es_endpoint" {
+  value = var.es_create ? aws_elasticsearch_domain.es[0].endpoint : ""
+}
+
+output "es_username" {
+  value = var.es_create ? var.es_username : ""
+}
+
+output "es_password" {
+  value     = var.es_create ? var.es_password : ""
+  sensitive = true
+}
\ No newline at end of file
diff --git a/outputs.tf b/outputs.tf
new file mode 100644
index 0000000..0d3bc7d
--- /dev/null
+++ b/outputs.tf
@@ -0,0 +1,4 @@
+
+output "bucket_suffix" {
+  value = random_string.random_suffix.result
+}
\ No newline at end of file
diff --git a/rds.tf b/rds.tf
new file mode 100644
index 0000000..2323b98
--- /dev/null
+++ b/rds.tf
@@ -0,0 +1,150 @@
+module "rds" {
+  source  = "terraform-aws-modules/rds-aurora/aws"
+  version = "9.3.1"
+  create  = var.db_create
+
+  name                                        = "${var.deployment_id}-main"
+  engine                                      = "aurora-postgresql"
+  engine_version                              = var.db_engine_version
+  allow_major_version_upgrade                 = var.db_allow_major_version_upgrade
+  engine_mode                                 = "provisioned"
+  instance_class                              = var.db_instance_class
+  autoscaling_enabled                         = var.db_autoscaling_enabled
+  autoscaling_min_capacity                    = var.db_autoscaling_min_capacity
+  autoscaling_max_capacity                    = var.db_autoscaling_max_capacity
+  autoscaling_target_cpu                      = var.db_autoscaling_target_cpu
+  autoscaling_scale_in_cooldown               = var.db_autoscaling_scale_in_cooldown
+  autoscaling_scale_out_cooldown              = var.db_autoscaling_scale_out_cooldown
+  vpc_id                                      = var.vpc_id
+  kms_key_id                                  = var.kms_key_arn
+  db_subnet_group_name                        = aws_db_subnet_group.main.name
+  storage_encrypted                           = true
+  apply_immediately                           = var.db_apply_immediately
+  skip_final_snapshot                         = var.db_skip_final_snapshot
+  final_snapshot_identifier                   = var.db_final_snapshot_identifier
+  auto_minor_version_upgrade                  = var.db_auto_minor_version_upgrade
+  iam_database_authentication_enabled         = false
+  snapshot_identifier                         = var.db_snapshot_identifer
+  monitoring_interval                         = var.db_monitoring_interval
+  performance_insights_enabled                = var.db_performance_insights_enabled
+  performance_insights_retention_period       = var.db_performance_insights_retention_period
+  db_cluster_db_instance_parameter_group_name = var.db_cluster_db_instance_parameter_group_name
+  master_username                             = "ast"
+  database_name                               = "ast"
+  master_password                             = var.db_master_user_password
+  manage_master_user_password                 = false
+  port                                        = var.db_port
+  deletion_protection                         = var.db_deletion_protection
+  enabled_cloudwatch_logs_exports             = ["postgresql"]
+  security_group_rules = {
+    ingress_from_vpc = {
+      cidr_blocks = data.aws_vpc.main.cidr_block_associations[*].cidr_block
+    }
+  }
+  serverlessv2_scaling_configuration = var.db_instance_class == "db.serverless" ? var.db_serverlessv2_scaling_configuration : {}
+  instances                          = var.db_instances
+}
+
+
+resource "aws_db_subnet_group" "main" {
+  name       = "${var.deployment_id}-rds"
+  subnet_ids = var.db_subnets
+
+  tags = {
+    Name = "${var.deployment_id}"
+  }
+}
+
+
+module "rds-proxy" {
+  source  = "terraform-aws-modules/rds-proxy/aws"
+  version = "3.1.0"
+  create  = var.db_create && var.db_create_rds_proxy
+
+  name                   = var.deployment_id
+  vpc_subnet_ids         = var.db_subnets
+  vpc_security_group_ids = [module.rds_proxy_sg.security_group_id]
+  endpoints = {
+    read_write = {
+      name                   = "read-write-endpoint"
+      vpc_subnet_ids         = var.db_subnets
+      vpc_security_group_ids = [module.rds_proxy_sg.security_group_id]
+    },
+    read_only = {
+      name                   = "read-only-endpoint"
+      vpc_subnet_ids         = var.db_subnets
+      vpc_security_group_ids = [module.rds_proxy_sg.security_group_id]
+      target_role            = "READ_ONLY"
+    }
+  }
+
+  auth = {
+    "root" = {
+      description = "Cluster generated master user password"
+      secret_arn  = var.db_create ? (var.db_master_user_password == null ? module.rds.cluster_master_user_secret[0].secret_arn : var.db_master_user_password) : null
+      auth_sceme  = "SECRETS"
+      iam_auth    = "DISABLED"
+    }
+  }
+
+  engine_family = "POSTGRESQL"
+  debug_logging = true
+
+  # Target Aurora cluster
+  target_db_cluster     = true
+  db_cluster_identifier = module.rds.cluster_id
+
+}
+
+module "rds_proxy_sg" {
+  source  = "terraform-aws-modules/security-group/aws"
+  version = "5.1.2"
+  create  = var.db_create && var.db_create_rds_proxy
+
+  name        = "${var.deployment_id}-proxy"
+  description = "PostgreSQL RDS Proxy security group"
+  vpc_id      = var.vpc_id
+
+  revoke_rules_on_delete = true
+
+  ingress_with_cidr_blocks = [
+    {
+      description = "Private subnet PostgreSQL access"
+      rule        = "postgresql-tcp"
+      cidr_blocks = data.aws_vpc.main.cidr_block # Todo: check this for support for secondary vpc cidr.
+    }
+  ]
+
+  egress_with_cidr_blocks = [
+    {
+      description = "Database subnet PostgreSQL access"
+      rule        = "postgresql-tcp"
+      cidr_blocks = data.aws_vpc.main.cidr_block # Todo: check this for support for secondary vpc cidr.
+    },
+  ]
+}
+
+output "db_endpoint" {
+  value = var.db_create_rds_proxy ? module.rds-proxy.db_proxy_endpoints.read_write.endpoint : module.rds.cluster_endpoint
+}
+
+output "db_port" {
+  value = module.rds.cluster_port
+}
+
+output "db_reader_endpoint" {
+  value = var.db_create_rds_proxy ? module.rds-proxy.db_proxy_endpoints.read_only.endpoint : module.rds.cluster_reader_endpoint
+}
+
+output "db_database_name" {
+  value = module.rds.cluster_database_name
+}
+
+output "db_master_username" {
+  value = module.rds.cluster_master_username
+}
+
+output "db_master_password" {
+  value     = module.rds.cluster_master_password
+  sensitive = true
+}
\ No newline at end of file
diff --git a/results.json b/results.json
new file mode 100755
index 0000000..45e975c
--- /dev/null
+++ b/results.json
@@ -0,0 +1,888 @@
+{
+	"kics_version": "v1.7.12",
+	"files_scanned": 14,
+	"lines_scanned": 2711,
+	"files_parsed": 14,
+	"lines_parsed": 2556,
+	"lines_ignored": 155,
+	"files_failed_to_scan": 0,
+	"queries_total": 1045,
+	"queries_failed_to_execute": 0,
+	"queries_failed_to_compute_similarity_id": 0,
+	"scan_id": "console",
+	"severity_counters": {
+		"HIGH": 9,
+		"INFO": 37,
+		"LOW": 1,
+		"MEDIUM": 6,
+		"TRACE": 0
+	},
+	"total_counter": 53,
+	"total_bom_resources": 0,
+	"start": "2024-04-10T18:37:51.097466179Z",
+	"end": "2024-04-10T18:38:06.898299422Z",
+	"paths": [
+		"/path"
+	],
+	"queries": [
+		{
+			"query_name": "KMS Key With Full Permissions",
+			"query_id": "7ebc9038-0bde-479a-acc4-6ed7b6758899",
+			"query_url": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key",
+			"severity": "HIGH",
+			"platform": "Terraform",
+			"cloud_provider": "AWS",
+			"category": "Insecure Configurations",
+			"experimental": false,
+			"description": "The KMS key has a policy that is too permissive, as it provides the AWS account owner with access to all AWS KMS operations, therefore violating the principle of least privilege.",
+			"description_id": "32b2985e",
+			"files": [
+				{
+					"file_name": "../../path/full/main.tf",
+					"similarity_id": "24563abbc0ccbf54e3d2a6c1a94f780e558565352f320c08bfd5dfcf82328584",
+					"line": 9,
+					"resource_type": "aws_kms_key",
+					"resource_name": "cxone-dev",
+					"issue_type": "MissingAttribute",
+					"search_key": "aws_kms_key[main]",
+					"search_line": 9,
+					"search_value": "",
+					"expected_value": "aws_kms_key[main].policy should be defined and not null",
+					"actual_value": "aws_kms_key[main].policy is undefined or null"
+				}
+			]
+		},
+		{
+			"query_name": "Passwords And Secrets - Generic Password",
+			"query_id": "487f4be7-3fd9-4506-a07a-eae252180c08",
+			"query_url": "https://docs.kics.io/latest/secrets/",
+			"severity": "HIGH",
+			"platform": "Common",
+			"cloud_provider": "COMMON",
+			"category": "Secret Management",
+			"experimental": false,
+			"description": "Query to find passwords and secrets in infrastructure code.",
+			"description_id": "d69d8a89",
+			"files": [
+				{
+					"file_name": "../../path/full/main.tf",
+					"similarity_id": "f72fc3379d6ab1eb14b8a2ea58092ec97ca065a04714ce8b1538abdf4a4edb74",
+					"line": 166,
+					"issue_type": "RedundantAttribute",
+					"search_key": "",
+					"search_line": 0,
+					"search_value": "",
+					"expected_value": "Hardcoded secret key should not appear in source",
+					"actual_value": "Hardcoded secret key appears in source"
+				},
+				{
+					"file_name": "../../path/full/main.tf",
+					"similarity_id": "f4e7a29c3cb6a695bf842566485d7480dd132f1a2d72f2699fa1ed6213d0be90",
+					"line": 213,
+					"issue_type": "RedundantAttribute",
+					"search_key": "",
+					"search_line": 0,
+					"search_value": "",
+					"expected_value": "Hardcoded secret key should not appear in source",
+					"actual_value": "Hardcoded secret key appears in source"
+				},
+				{
+					"file_name": "../../path/full/main.tf",
+					"similarity_id": "1c6cd41f6679b87d47909406eedb016c333cebaabd9bd76239264470e1dc2a24",
+					"line": 231,
+					"issue_type": "RedundantAttribute",
+					"search_key": "",
+					"search_line": 0,
+					"search_value": "",
+					"expected_value": "Hardcoded secret key should not appear in source",
+					"actual_value": "Hardcoded secret key appears in source"
+				},
+				{
+					"file_name": "../../path/full/main.tf",
+					"similarity_id": "af1d7239f08ff9764c814454a6e1c0e5953979e4ab0af6d1ce3c0264330e866f",
+					"line": 198,
+					"issue_type": "RedundantAttribute",
+					"search_key": "",
+					"search_line": 0,
+					"search_value": "",
+					"expected_value": "Hardcoded secret key should not appear in source",
+					"actual_value": "Hardcoded secret key appears in source"
+				},
+				{
+					"file_name": "../../path/full/main.tf",
+					"similarity_id": "a0c1f4c1da029b30853880613f78c038488ab0e95fb7086ddd055231569abf0f",
+					"line": 227,
+					"issue_type": "RedundantAttribute",
+					"search_key": "",
+					"search_line": 0,
+					"search_value": "",
+					"expected_value": "Hardcoded secret key should not appear in source",
+					"actual_value": "Hardcoded secret key appears in source"
+				},
+				{
+					"file_name": "../../path/full/main.tf",
+					"similarity_id": "3d10a469f9f54ea12c6088f6054886344a262cd96a84482d012fdb438cdf80b6",
+					"line": 223,
+					"issue_type": "RedundantAttribute",
+					"search_key": "",
+					"search_line": 0,
+					"search_value": "",
+					"expected_value": "Hardcoded secret key should not appear in source",
+					"actual_value": "Hardcoded secret key appears in source"
+				},
+				{
+					"file_name": "../../path/full/main.tf",
+					"similarity_id": "b02ac5290ad70577904a3c92910c07d9e70c1f58d2d309bb693f5c8f7d74cd50",
+					"line": 208,
+					"issue_type": "RedundantAttribute",
+					"search_key": "",
+					"search_line": 0,
+					"search_value": "",
+					"expected_value": "Hardcoded secret key should not appear in source",
+					"actual_value": "Hardcoded secret key appears in source"
+				},
+				{
+					"file_name": "../../path/rds.tf",
+					"similarity_id": "710e483069101cb9adafb79af914fd20620a93d3fa6895f4aa9ac3c2755af93b",
+					"line": 84,
+					"issue_type": "RedundantAttribute",
+					"search_key": "",
+					"search_line": 0,
+					"search_value": "",
+					"expected_value": "Hardcoded secret key should not appear in source",
+					"actual_value": "Hardcoded secret key appears in source"
+				}
+			]
+		},
+		{
+			"query_name": "ElastiCache Replication Group Not Encrypted At Transit",
+			"query_id": "1afbb3fa-cf6c-4a3d-b730-95e9f4df343e",
+			"query_url": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticache_replication_group#transit_encryption_enabled",
+			"severity": "MEDIUM",
+			"platform": "Terraform",
+			"cloud_provider": "AWS",
+			"category": "Encryption",
+			"experimental": false,
+			"description": "ElastiCache Replication Group encryption should be enabled at Transit",
+			"description_id": "40f92e86",
+			"files": [
+				{
+					"file_name": "../../path/elasticache.tf",
+					"similarity_id": "80be5892407ff8df4998788d889d0d02f0e35e26583382f8cae62bf63a3143ac",
+					"line": 50,
+					"resource_type": "aws_elasticache_replication_group",
+					"resource_name": "redis",
+					"issue_type": "IncorrectValue",
+					"search_key": "aws_elasticache_replication_group[redis].transit_encryption_enabled",
+					"search_line": -1,
+					"search_value": "",
+					"expected_value": "The attribute 'transit_encryption_enabled' should be set to true",
+					"actual_value": "The attribute 'transit_encryption_enabled' is not set to true"
+				}
+			]
+		},
+		{
+			"query_name": "ElasticSearch Encryption With KMS Disabled",
+			"query_id": "7af2f4a3-00d9-47f3-8d15-ca0888f4e5b2",
+			"query_url": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticsearch_domain",
+			"severity": "MEDIUM",
+			"platform": "Terraform",
+			"cloud_provider": "AWS",
+			"category": "Encryption",
+			"experimental": false,
+			"description": "Check if any ElasticSearch domain isn't encrypted with KMS.",
+			"description_id": "65a94cf1",
+			"files": [
+				{
+					"file_name": "../../path/opensearch.tf",
+					"similarity_id": "400893e3688477239e56b0b97d921f89c98dc3d82ab9be2d83b1ca65e80a265b",
+					"line": 37,
+					"resource_type": "aws_elasticsearch_domain",
+					"resource_name": "es",
+					"issue_type": "MissingAttribute",
+					"search_key": "aws_elasticsearch_domain[es].encrypt_at_rest",
+					"search_line": -1,
+					"search_value": "",
+					"expected_value": "'aws_elasticsearch_domain[es].encrypt_at_rest.kms_key_id' should be set with encryption at rest",
+					"actual_value": "'aws_elasticsearch_domain[es].encrypt_at_rest.kms_key_id' is undefined"
+				}
+			]
+		},
+		{
+			"query_name": "Elasticsearch Log Disabled",
+			"query_id": "acb6b4e2-a086-4f35-aefd-4db6ea51ada2",
+			"query_url": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticsearch_domain#log_publishing_options",
+			"severity": "MEDIUM",
+			"platform": "Terraform",
+			"cloud_provider": "AWS",
+			"category": "Observability",
+			"experimental": false,
+			"description": "AWS Elasticsearch should have logs enabled",
+			"description_id": "e0526e1b",
+			"files": [
+				{
+					"file_name": "../../path/opensearch.tf",
+					"similarity_id": "faa666b9eb2884f25404b4475fff936a9b7fdf4108ff41332daac2bfb511fb3a",
+					"line": 3,
+					"resource_type": "aws_elasticsearch_domain",
+					"resource_name": "es",
+					"issue_type": "MissingAttribute",
+					"search_key": "aws_elasticsearch_domain[{{es}}]",
+					"search_line": 3,
+					"search_value": "",
+					"expected_value": "'log_publishing_options' should be defined and not null",
+					"actual_value": "'log_publishing_options' is undefined or null",
+					"remediation": "log_publishing_options {\n\t\t enabled = true \n\t}",
+					"remediation_type": "addition"
+				}
+			]
+		},
+		{
+			"query_name": "Elasticsearch Without IAM Authentication",
+			"query_id": "e7530c3c-b7cf-4149-8db9-d037a0b5268e",
+			"query_url": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticsearch_domain",
+			"severity": "MEDIUM",
+			"platform": "Terraform",
+			"cloud_provider": "AWS",
+			"category": "Access Control",
+			"experimental": false,
+			"description": "AWS Elasticsearch should ensure IAM Authentication",
+			"description_id": "7677c71c",
+			"files": [
+				{
+					"file_name": "../../path/opensearch.tf",
+					"similarity_id": "67b06554cd2a0bfcccd65a6cf90797622c1d8de16e025bd32ed96feb6d39c664",
+					"line": 3,
+					"resource_type": "aws_elasticsearch_domain",
+					"resource_name": "es",
+					"issue_type": "MissingAttribute",
+					"search_key": "aws_elasticsearch_domain[es]",
+					"search_line": 3,
+					"search_value": "",
+					"expected_value": "Elasticsearch Domain has a policy associated",
+					"actual_value": "Elasticsearch Domain does not have a policy associated"
+				}
+			]
+		},
+		{
+			"query_name": "S3 Bucket Logging Disabled",
+			"query_id": "f861041c-8c9f-4156-acfc-5e6e524f5884",
+			"query_url": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket",
+			"severity": "MEDIUM",
+			"platform": "Terraform",
+			"cloud_provider": "AWS",
+			"category": "Observability",
+			"experimental": false,
+			"description": "Server Access Logging should be enabled on S3 Buckets so that all changes are logged and trackable",
+			"description_id": "fa5c7c72",
+			"files": [
+				{
+					"file_name": "../../path/s3.tf",
+					"similarity_id": "d9466bc8bd21a969cee6fa4ed571a05fcfa26b85065769a2cc3903103b7e9195",
+					"line": 103,
+					"resource_type": "n/a",
+					"resource_name": "n/a",
+					"issue_type": "MissingAttribute",
+					"search_key": "module[s3_bucket]",
+					"search_line": 103,
+					"search_value": "",
+					"expected_value": "'logging' should be defined and not null",
+					"actual_value": "'logging' is undefined or null"
+				}
+			]
+		},
+		{
+			"query_name": "VPC Subnet Assigns Public IP",
+			"query_id": "52f04a44-6bfa-4c41-b1d3-4ae99a2de05c",
+			"query_url": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/subnet#map_public_ip_on_launch",
+			"severity": "MEDIUM",
+			"platform": "Terraform",
+			"cloud_provider": "AWS",
+			"category": "Networking and Firewall",
+			"experimental": false,
+			"description": "VPC Subnet should not assign public IP",
+			"description_id": "2b7ea60d",
+			"files": [
+				{
+					"file_name": "../../path/full/network.tf",
+					"similarity_id": "b42db2e7e4bf8fb17f70ab897f9910a551a08cf2a7d267fc54e32e562849dce2",
+					"line": 10,
+					"resource_type": "n/a",
+					"resource_name": "n/a",
+					"issue_type": "IncorrectValue",
+					"search_key": "vpc",
+					"search_line": 10,
+					"search_value": "",
+					"expected_value": "vpc.map_public_ip_on_launch should be set to false",
+					"actual_value": "vpc.map_public_ip_on_launch is set undefined",
+					"remediation": "map_public_ip_on_launch = false",
+					"remediation_type": "addition"
+				}
+			]
+		},
+		{
+			"query_name": "IAM Access Analyzer Not Enabled",
+			"query_id": "e592a0c5-5bdb-414c-9066-5dba7cdea370",
+			"query_url": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/accessanalyzer_analyzer",
+			"severity": "LOW",
+			"platform": "Terraform",
+			"cloud_provider": "AWS",
+			"category": "Best Practices",
+			"experimental": false,
+			"description": "IAM Access Analyzer should be enabled and configured to continuously monitor resource permissions",
+			"description_id": "d03e85ae",
+			"files": [
+				{
+					"file_name": "../../path/eks.tf",
+					"similarity_id": "8dd5125fb1c4339e3b25d905b83b782447e10b1ef22a00ff5a6eac97d8f16ab6",
+					"line": 66,
+					"resource_type": "n/a",
+					"resource_name": "n/a",
+					"issue_type": "MissingAttribute",
+					"search_key": "resource",
+					"search_line": -1,
+					"search_value": "",
+					"expected_value": "'aws_accessanalyzer_analyzer' should be set",
+					"actual_value": "'aws_accessanalyzer_analyzer' is undefined"
+				}
+			]
+		},
+		{
+			"query_name": "Name Is Not Snake Case",
+			"query_id": "1e434b25-8763-4b00-a5ca-ca03b7abbb66",
+			"query_url": "https://www.terraform.io/docs/extend/best-practices/naming.html#naming",
+			"severity": "INFO",
+			"platform": "Terraform",
+			"cloud_provider": "COMMON",
+			"category": "Best Practices",
+			"experimental": false,
+			"description": "All names should follow snake case pattern.",
+			"description_id": "ac707cad",
+			"files": [
+				{
+					"file_name": "../../path/rds.tf",
+					"similarity_id": "5206d72f3c1784aa777630c4953b581d2eaddd978ed7a16b82a5ef587b893a2f",
+					"line": 59,
+					"resource_type": "n/a",
+					"resource_name": "n/a",
+					"issue_type": "IncorrectValue",
+					"search_key": "module.rds-proxy",
+					"search_line": 59,
+					"search_value": "",
+					"expected_value": "All names should be on snake case pattern",
+					"actual_value": "'rds-proxy' is not in snake case"
+				},
+				{
+					"file_name": "../../path/full/main.tf",
+					"similarity_id": "46215798896bff9fb39ba5f747de1be799e97e264a169f9abdcbfd981824eef1",
+					"line": 202,
+					"resource_type": "n/a",
+					"resource_name": "n/a",
+					"issue_type": "IncorrectValue",
+					"search_key": "module.checkmarx-one-install",
+					"search_line": 202,
+					"search_value": "",
+					"expected_value": "All names should be on snake case pattern",
+					"actual_value": "'checkmarx-one-install' is not in snake case"
+				},
+				{
+					"file_name": "../../path/full/main.tf",
+					"similarity_id": "4a1b3212683dce22ba4c6134978a27ac1de043cd7acdb164be52873d2db043d2",
+					"line": 117,
+					"resource_type": "n/a",
+					"resource_name": "n/a",
+					"issue_type": "IncorrectValue",
+					"search_key": "module.checkmarx-one",
+					"search_line": 117,
+					"search_value": "",
+					"expected_value": "All names should be on snake case pattern",
+					"actual_value": "'checkmarx-one' is not in snake case"
+				}
+			]
+		},
+		{
+			"query_name": "Output Without Description",
+			"query_id": "59312e8a-a64e-41e7-a252-618533dd1ea8",
+			"query_url": "https://www.terraform.io/docs/language/values/outputs.html#description-output-value-documentation",
+			"severity": "INFO",
+			"platform": "Terraform",
+			"cloud_provider": "COMMON",
+			"category": "Best Practices",
+			"experimental": false,
+			"description": "All outputs should contain a valid description.",
+			"description_id": "81535d16",
+			"files": [
+				{
+					"file_name": "../../path/opensearch.tf",
+					"similarity_id": "0755949862cbb43a172e3588131530939213a5554c8803567f108129610a719a",
+					"line": 82,
+					"resource_type": "n/a",
+					"resource_name": "n/a",
+					"issue_type": "MissingAttribute",
+					"search_key": "output.{{es_endpoint}}",
+					"search_line": -1,
+					"search_value": "",
+					"expected_value": "'description' should be defined and not null",
+					"actual_value": "'description' is undefined or null"
+				},
+				{
+					"file_name": "../../path/rds.tf",
+					"similarity_id": "aa00c9783f2c360dad6f8ed45271ac271438fbd10621d70cc637401abfee697c",
+					"line": 127,
+					"resource_type": "n/a",
+					"resource_name": "n/a",
+					"issue_type": "MissingAttribute",
+					"search_key": "output.{{db_endpoint}}",
+					"search_line": -1,
+					"search_value": "",
+					"expected_value": "'description' should be defined and not null",
+					"actual_value": "'description' is undefined or null"
+				},
+				{
+					"file_name": "../../path/rds.tf",
+					"similarity_id": "dcb582b0c354be0fff103f57404d21081bc5114ed6c3f156ea6ced692cc85ee1",
+					"line": 147,
+					"resource_type": "n/a",
+					"resource_name": "n/a",
+					"issue_type": "MissingAttribute",
+					"search_key": "output.{{db_master_password}}",
+					"search_line": -1,
+					"search_value": "",
+					"expected_value": "'description' should be defined and not null",
+					"actual_value": "'description' is undefined or null"
+				},
+				{
+					"file_name": "../../path/opensearch.tf",
+					"similarity_id": "71ace4025b2ce9b79d4f37850836ba1e553c91d2910f19dac8abba3f1e78f36a",
+					"line": 86,
+					"resource_type": "n/a",
+					"resource_name": "n/a",
+					"issue_type": "MissingAttribute",
+					"search_key": "output.{{es_username}}",
+					"search_line": -1,
+					"search_value": "",
+					"expected_value": "'description' should be defined and not null",
+					"actual_value": "'description' is undefined or null"
+				},
+				{
+					"file_name": "../../path/eks.tf",
+					"similarity_id": "95d4571598d20dc166bee5ccfa97cf03ff60ad2a1af5de6a2200ec16af0158f2",
+					"line": 308,
+					"resource_type": "n/a",
+					"resource_name": "n/a",
+					"issue_type": "MissingAttribute",
+					"search_key": "output.{{external_dns_iam_role_arn}}",
+					"search_line": -1,
+					"search_value": "",
+					"expected_value": "'description' should be defined and not null",
+					"actual_value": "'description' is undefined or null"
+				},
+				{
+					"file_name": "../../path/s3.tf",
+					"similarity_id": "5f2ef339131791b2961e0f6184e5c28c86604ba19a2af11b9ab9ada04d447bd9",
+					"line": 160,
+					"resource_type": "n/a",
+					"resource_name": "n/a",
+					"issue_type": "MissingAttribute",
+					"search_key": "output.{{s3_bucket_name_suffix}}",
+					"search_line": -1,
+					"search_value": "",
+					"expected_value": "'description' should be defined and not null",
+					"actual_value": "'description' is undefined or null"
+				},
+				{
+					"file_name": "../../path/outputs.tf",
+					"similarity_id": "568a1684f937f9ec769ce622936d47dd7fda5121802a40523a0b0941f22d2bef",
+					"line": 2,
+					"resource_type": "n/a",
+					"resource_name": "n/a",
+					"issue_type": "MissingAttribute",
+					"search_key": "output.{{bucket_suffix}}",
+					"search_line": -1,
+					"search_value": "",
+					"expected_value": "'description' should be defined and not null",
+					"actual_value": "'description' is undefined or null"
+				},
+				{
+					"file_name": "../../path/eks.tf",
+					"similarity_id": "433fa46abd7c46919464dd9394de6aab441cf1e468a3cd5ad28141d5dfebfcf4",
+					"line": 312,
+					"resource_type": "n/a",
+					"resource_name": "n/a",
+					"issue_type": "MissingAttribute",
+					"search_key": "output.{{load_balancer_controller_iam_role_arn}}",
+					"search_line": -1,
+					"search_value": "",
+					"expected_value": "'description' should be defined and not null",
+					"actual_value": "'description' is undefined or null"
+				},
+				{
+					"file_name": "../../path/opensearch.tf",
+					"similarity_id": "68bbdb1033891bc67e7e61d476218e3ed219bf46cc4d496f8aaeac0d2defe8a7",
+					"line": 90,
+					"resource_type": "n/a",
+					"resource_name": "n/a",
+					"issue_type": "MissingAttribute",
+					"search_key": "output.{{es_password}}",
+					"search_line": -1,
+					"search_value": "",
+					"expected_value": "'description' should be defined and not null",
+					"actual_value": "'description' is undefined or null"
+				},
+				{
+					"file_name": "../../path/eks.tf",
+					"similarity_id": "edd0baaa9e6a1950b47d138af28bfac7e3c299a84583eb259451562600e7a02b",
+					"line": 304,
+					"resource_type": "n/a",
+					"resource_name": "n/a",
+					"issue_type": "MissingAttribute",
+					"search_key": "output.{{cluster_autoscaler_iam_role_arn}}",
+					"search_line": -1,
+					"search_value": "",
+					"expected_value": "'description' should be defined and not null",
+					"actual_value": "'description' is undefined or null"
+				},
+				{
+					"file_name": "../../path/rds.tf",
+					"similarity_id": "1cd6313a30cc4d4539622261a51040fe9b482eca38fa0a2774a20d0f1458d104",
+					"line": 131,
+					"resource_type": "n/a",
+					"resource_name": "n/a",
+					"issue_type": "MissingAttribute",
+					"search_key": "output.{{db_port}}",
+					"search_line": -1,
+					"search_value": "",
+					"expected_value": "'description' should be defined and not null",
+					"actual_value": "'description' is undefined or null"
+				},
+				{
+					"file_name": "../../path/rds.tf",
+					"similarity_id": "e6350fc6b83de2bf397ed5c8f62cc0ada292e3a8bafb85d40771646cd854e5f0",
+					"line": 143,
+					"resource_type": "n/a",
+					"resource_name": "n/a",
+					"issue_type": "MissingAttribute",
+					"search_key": "output.{{db_master_username}}",
+					"search_line": -1,
+					"search_value": "",
+					"expected_value": "'description' should be defined and not null",
+					"actual_value": "'description' is undefined or null"
+				},
+				{
+					"file_name": "../../path/rds.tf",
+					"similarity_id": "6baaf8e93359cc7a68d4a8999793f4d23a654135b7ccdd72df7755b747210e02",
+					"line": 139,
+					"resource_type": "n/a",
+					"resource_name": "n/a",
+					"issue_type": "MissingAttribute",
+					"search_key": "output.{{db_database_name}}",
+					"search_line": -1,
+					"search_value": "",
+					"expected_value": "'description' should be defined and not null",
+					"actual_value": "'description' is undefined or null"
+				},
+				{
+					"file_name": "../../path/elasticache.tf",
+					"similarity_id": "7383691f60cc9cb09dd5497a2215137e7ab7ddf276ee38c0e4f501f11595d8b5",
+					"line": 83,
+					"resource_type": "n/a",
+					"resource_name": "n/a",
+					"issue_type": "MissingAttribute",
+					"search_key": "output.{{ec_port}}",
+					"search_line": -1,
+					"search_value": "",
+					"expected_value": "'description' should be defined and not null",
+					"actual_value": "'description' is undefined or null"
+				},
+				{
+					"file_name": "../../path/elasticache.tf",
+					"similarity_id": "6712d3795fe452a7e90d8ffaa56ef7b506fc5997e7f988a8e510bf137dcd6bb8",
+					"line": 79,
+					"resource_type": "n/a",
+					"resource_name": "n/a",
+					"issue_type": "MissingAttribute",
+					"search_key": "output.{{ec_endpoint}}",
+					"search_line": -1,
+					"search_value": "",
+					"expected_value": "'description' should be defined and not null",
+					"actual_value": "'description' is undefined or null"
+				},
+				{
+					"file_name": "../../path/eks.tf",
+					"similarity_id": "0788cb29e4eb0a2c64418362a1fc60b1524a9c8a9d30638011e99b5962e088a6",
+					"line": 316,
+					"resource_type": "n/a",
+					"resource_name": "n/a",
+					"issue_type": "MissingAttribute",
+					"search_key": "output.{{karpenter_iam_role_arn}}",
+					"search_line": -1,
+					"search_value": "",
+					"expected_value": "'description' should be defined and not null",
+					"actual_value": "'description' is undefined or null"
+				},
+				{
+					"file_name": "../../path/rds.tf",
+					"similarity_id": "7660cc33f11142ceab63b8ab1dcba4f4d54062cc3a05608afc46dfcac9fc0b40",
+					"line": 135,
+					"resource_type": "n/a",
+					"resource_name": "n/a",
+					"issue_type": "MissingAttribute",
+					"search_key": "output.{{db_reader_endpoint}}",
+					"search_line": -1,
+					"search_value": "",
+					"expected_value": "'description' should be defined and not null",
+					"actual_value": "'description' is undefined or null"
+				},
+				{
+					"file_name": "../../path/eks.tf",
+					"similarity_id": "35c47cf6920b28faa2a0b59181b19751ea672e0374e51d88fd133cbfb6a17df4",
+					"line": 320,
+					"resource_type": "n/a",
+					"resource_name": "n/a",
+					"issue_type": "MissingAttribute",
+					"search_key": "output.{{eks}}",
+					"search_line": -1,
+					"search_value": "",
+					"expected_value": "'description' should be defined and not null",
+					"actual_value": "'description' is undefined or null"
+				}
+			]
+		},
+		{
+			"query_name": "Resource Not Using Tags",
+			"query_id": "e38a8e0a-b88b-4902-b3fe-b0fcb17d5c10",
+			"query_url": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/guides/resource-tagging",
+			"severity": "INFO",
+			"platform": "Terraform",
+			"cloud_provider": "AWS",
+			"category": "Best Practices",
+			"experimental": false,
+			"description": "AWS services resource tags are an essential part of managing components. As a best practice, the field 'tags' should have additional tags defined other than 'Name'",
+			"description_id": "09db2d52",
+			"files": [
+				{
+					"file_name": "../../path/full/network.tf",
+					"similarity_id": "4b48a19876bf584478ecee8c725a7243347238ca4ce3f1c70e32ddcb6de7e7d3",
+					"line": 69,
+					"resource_type": "aws_vpc_endpoint",
+					"resource_name": "cxone-dev-${each.key}-vpc-endpoint",
+					"issue_type": "MissingAttribute",
+					"search_key": "aws_vpc_endpoint[{{interface}}].tags",
+					"search_line": -1,
+					"search_value": "",
+					"expected_value": "aws_vpc_endpoint[{{interface}}].tags has additional tags defined other than 'Name'",
+					"actual_value": "aws_vpc_endpoint[{{interface}}].tags does not have additional tags defined other than 'Name'"
+				},
+				{
+					"file_name": "../../path/rds.tf",
+					"similarity_id": "db250869ddbc7d207f5357bbe25f0fbabf54bb0f42de0c5c75635e466c23dc72",
+					"line": 53,
+					"resource_type": "aws_db_subnet_group",
+					"resource_name": "${var.deployment_id}-rds",
+					"issue_type": "MissingAttribute",
+					"search_key": "aws_db_subnet_group[{{main}}].tags",
+					"search_line": -1,
+					"search_value": "",
+					"expected_value": "aws_db_subnet_group[{{main}}].tags has additional tags defined other than 'Name'",
+					"actual_value": "aws_db_subnet_group[{{main}}].tags does not have additional tags defined other than 'Name'"
+				},
+				{
+					"file_name": "../../path/elasticache.tf",
+					"similarity_id": "adbe4d63b22dc2918587afa2bd6b7f4c885f5bac9d8b5186236704ecb697a2cd",
+					"line": 24,
+					"resource_type": "aws_elasticache_subnet_group",
+					"resource_name": "${var.deployment_id}",
+					"issue_type": "MissingAttribute",
+					"search_key": "aws_elasticache_subnet_group[{{redis}}]",
+					"search_line": -1,
+					"search_value": "",
+					"expected_value": "aws_elasticache_subnet_group[{{redis}}].tags should be defined and not null",
+					"actual_value": "aws_elasticache_subnet_group[{{redis}}].tags is undefined or null"
+				},
+				{
+					"file_name": "../../path/full/network.tf",
+					"similarity_id": "6a86b4711ba2269776821bb1f87c8d8a0dca06bc1337f4c4d0594b2592d33a9e",
+					"line": 79,
+					"resource_type": "aws_vpc_endpoint",
+					"resource_name": "cxone-dev-s3-vpc-endpoint",
+					"issue_type": "MissingAttribute",
+					"search_key": "aws_vpc_endpoint[{{s3_gateway_private}}].tags",
+					"search_line": -1,
+					"search_value": "",
+					"expected_value": "aws_vpc_endpoint[{{s3_gateway_private}}].tags has additional tags defined other than 'Name'",
+					"actual_value": "aws_vpc_endpoint[{{s3_gateway_private}}].tags does not have additional tags defined other than 'Name'"
+				},
+				{
+					"file_name": "../../path/full/main.tf",
+					"similarity_id": "10df2fb205cfc71cc4891d5caa912e13e6423491f3af0b070d6a93fc19f5195c",
+					"line": 13,
+					"resource_type": "aws_kms_key",
+					"resource_name": "cxone-dev",
+					"issue_type": "MissingAttribute",
+					"search_key": "aws_kms_key[{{main}}].tags",
+					"search_line": -1,
+					"search_value": "",
+					"expected_value": "aws_kms_key[{{main}}].tags has additional tags defined other than 'Name'",
+					"actual_value": "aws_kms_key[{{main}}].tags does not have additional tags defined other than 'Name'"
+				},
+				{
+					"file_name": "../../path/elasticache.tf",
+					"similarity_id": "d5229038796422b7bcebdbc1d4d30c23d948366df644a5932bd393f599acd55a",
+					"line": 32,
+					"resource_type": "aws_elasticache_replication_group",
+					"resource_name": "redis",
+					"issue_type": "MissingAttribute",
+					"search_key": "aws_elasticache_replication_group[{{redis}}]",
+					"search_line": -1,
+					"search_value": "",
+					"expected_value": "aws_elasticache_replication_group[{{redis}}].tags should be defined and not null",
+					"actual_value": "aws_elasticache_replication_group[{{redis}}].tags is undefined or null"
+				},
+				{
+					"file_name": "../../path/eks.tf",
+					"similarity_id": "5896fe2cfeec46a7300910c68f4d505e36a864d5104837828e8195f041f8209b",
+					"line": 66,
+					"resource_type": "aws_iam_policy",
+					"resource_name": "${var.deployment_id}-s3-access",
+					"issue_type": "MissingAttribute",
+					"search_key": "aws_iam_policy[{{s3_bucket_access}}]",
+					"search_line": -1,
+					"search_value": "",
+					"expected_value": "aws_iam_policy[{{s3_bucket_access}}].tags should be defined and not null",
+					"actual_value": "aws_iam_policy[{{s3_bucket_access}}].tags is undefined or null"
+				}
+			]
+		},
+		{
+			"query_name": "Variable Without Description",
+			"query_id": "2a153952-2544-4687-bcc9-cc8fea814a9b",
+			"query_url": "https://www.terraform.io/docs/language/values/variables.html#input-variable-documentation",
+			"severity": "INFO",
+			"platform": "Terraform",
+			"cloud_provider": "COMMON",
+			"category": "Best Practices",
+			"experimental": false,
+			"description": "All variables should contain a valid description.",
+			"description_id": "b44986be",
+			"files": [
+				{
+					"file_name": "../../path/full/variables-cxone.tf",
+					"similarity_id": "b6ab3d5f3f69c9405e10467eae4cad30ab4dd659886862ba5f864b720ef2c86b",
+					"line": 589,
+					"resource_type": "n/a",
+					"resource_name": "n/a",
+					"issue_type": "MissingAttribute",
+					"search_key": "variable.{{es_tls_security_policy}}",
+					"search_line": -1,
+					"search_value": "",
+					"expected_value": "'description' should be defined and not null",
+					"actual_value": "'description' is undefined or null"
+				},
+				{
+					"file_name": "../../path/modules/cxone-install/variables.tf",
+					"similarity_id": "598a474d1bd509e66a1a4d3acabf12e05d074caac645960b50a8864384c295ec",
+					"line": 142,
+					"resource_type": "n/a",
+					"resource_name": "n/a",
+					"issue_type": "MissingAttribute",
+					"search_key": "variable.{{elasticsearch_password}}",
+					"search_line": -1,
+					"search_value": "",
+					"expected_value": "'description' should be defined and not null",
+					"actual_value": "'description' is undefined or null"
+				},
+				{
+					"file_name": "../../path/modules/cxone-install/variables.tf",
+					"similarity_id": "cda9ac71d27e434f0a2c615b5363f49a623152e896b96a4195b2277bb965d52c",
+					"line": 137,
+					"resource_type": "n/a",
+					"resource_name": "n/a",
+					"issue_type": "MissingAttribute",
+					"search_key": "variable.{{elasticsearch_host}}",
+					"search_line": -1,
+					"search_value": "",
+					"expected_value": "'description' should be defined and not null",
+					"actual_value": "'description' is undefined or null"
+				},
+				{
+					"file_name": "../../path/variables.tf",
+					"similarity_id": "c353b55fa302a610037ca85b555fdf4ba72fb67ed99783bd1a1f2c134cd7dcb6",
+					"line": 157,
+					"resource_type": "n/a",
+					"resource_name": "n/a",
+					"issue_type": "MissingAttribute",
+					"search_key": "variable.{{eks_node_groups}}",
+					"search_line": -1,
+					"search_value": "",
+					"expected_value": "'description' should be defined and not null",
+					"actual_value": "'description' is undefined or null"
+				},
+				{
+					"file_name": "../../path/modules/cxone-install/variables.tf",
+					"similarity_id": "67765ff0439a9dd5bbb1e14c095ad356630a5d374cf73ccf499ebd4d41308d24",
+					"line": 72,
+					"resource_type": "n/a",
+					"resource_name": "n/a",
+					"issue_type": "MissingAttribute",
+					"search_key": "variable.{{cluster_autoscaler_iam_role_arn}}",
+					"search_line": -1,
+					"search_value": "",
+					"expected_value": "'description' should be defined and not null",
+					"actual_value": "'description' is undefined or null"
+				},
+				{
+					"file_name": "../../path/full/variables-cxone.tf",
+					"similarity_id": "774cdf1929ccf10d51af2bca64c6bd21ae93940903d087d0c31d8adac2bb8659",
+					"line": 162,
+					"resource_type": "n/a",
+					"resource_name": "n/a",
+					"issue_type": "MissingAttribute",
+					"search_key": "variable.{{eks_node_groups}}",
+					"search_line": -1,
+					"search_value": "",
+					"expected_value": "'description' should be defined and not null",
+					"actual_value": "'description' is undefined or null"
+				},
+				{
+					"file_name": "../../path/variables.tf",
+					"similarity_id": "90ed3b1f1f32eedc81abc0a55cd4d61bac586a72764dae8acb0c32938df80c92",
+					"line": 584,
+					"resource_type": "n/a",
+					"resource_name": "n/a",
+					"issue_type": "MissingAttribute",
+					"search_key": "variable.{{es_tls_security_policy}}",
+					"search_line": -1,
+					"search_value": "",
+					"expected_value": "'description' should be defined and not null",
+					"actual_value": "'description' is undefined or null"
+				},
+				{
+					"file_name": "../../path/modules/cxone-install/variables.tf",
+					"similarity_id": "42f9fc98cd4bd7f2102c2e7ebb6ab42e991e70ba4d2a06e82e48ff2027bfc5d6",
+					"line": 82,
+					"resource_type": "n/a",
+					"resource_name": "n/a",
+					"issue_type": "MissingAttribute",
+					"search_key": "variable.{{load_balancer_controller_iam_role_arn}}",
+					"search_line": -1,
+					"search_value": "",
+					"expected_value": "'description' should be defined and not null",
+					"actual_value": "'description' is undefined or null"
+				},
+				{
+					"file_name": "../../path/modules/cxone-install/variables.tf",
+					"similarity_id": "e31f916f8da87efa5b24f519bae1c252ce6010c6b6e4c0414a8bd43ad8778ec8",
+					"line": 77,
+					"resource_type": "n/a",
+					"resource_name": "n/a",
+					"issue_type": "MissingAttribute",
+					"search_key": "variable.{{external_dns_iam_role_arn}}",
+					"search_line": -1,
+					"search_value": "",
+					"expected_value": "'description' should be defined and not null",
+					"actual_value": "'description' is undefined or null"
+				}
+			]
+		}
+	]
+}
diff --git a/s3.tf b/s3.tf
new file mode 100644
index 0000000..ac12b52
--- /dev/null
+++ b/s3.tf
@@ -0,0 +1,162 @@
+resource "random_string" "random_suffix" {
+  length  = 6
+  special = false
+  upper   = false
+}
+
+locals {
+  s3_bucket_name_suffix = random_string.random_suffix.result
+
+  buckets = {
+    api_security = {
+      name        = "apisec"
+      enable_cors = false
+    }
+    audit = {
+      name        = "audit"
+      enable_cors = false
+    }
+    configuration = {
+      name        = "configuration"
+      enable_cors = false
+    }
+    cxone = {
+      name        = "cxone"
+      enable_cors = false
+    }
+    engine_logs = {
+      name        = "engine-logs"
+      enable_cors = false
+    }
+    export = {
+      name        = "export"
+      enable_cors = false
+    }
+    imports = {
+      name        = "imports"
+      enable_cors = false
+    }
+    kics_worker = {
+      name        = "kics-worker"
+      enable_cors = false
+    }
+    logs = {
+      name        = "logs"
+      enable_cors = true
+    }
+    misc = {
+      name        = "misc"
+      enable_cors = false
+    }
+    queries = {
+      name        = "queries"
+      enable_cors = false
+    }
+    redis = {
+      name        = "redis-shared-bucket"
+      enable_cors = false
+    }
+    reports = {
+      name        = "reports"
+      enable_cors = true
+    }
+    report_templates = {
+      name        = "report-templates"
+      enable_cors = false
+    }
+    repostore = {
+      name        = "repostore"
+      enable_cors = true
+    }
+    sast_metadata = {
+      name        = "sast-metadata"
+      enable_cors = false
+    }
+    sast_worker = {
+      name        = "sast-worker"
+      enable_cors = false
+    }
+    scan_results_storage = {
+      name        = "scan-results-storage"
+      enable_cors = true
+    }
+    scans = {
+      name        = "scans"
+      enable_cors = false
+    }
+    sca_worker = {
+      name        = "sca-worker"
+      enable_cors = false
+    }
+    source_resolver = {
+      name        = "source-resolver"
+      enable_cors = false
+    }
+    uploads = {
+      name        = "uploads"
+      enable_cors = true
+    }
+  }
+}
+
+
+module "s3_bucket" {
+  for_each = local.buckets
+  source   = "terraform-aws-modules/s3-bucket/aws"
+  version  = "4.1.1"
+
+  bucket           = "${var.deployment_id}-${each.value.name}-${lower(local.s3_bucket_name_suffix)}"
+  force_destroy    = true
+  object_ownership = "BucketOwnerPreferred"
+  acl              = "private"
+  versioning = {
+    enabled = true
+  }
+  server_side_encryption_configuration = {
+    rule = {
+      apply_server_side_encryption_by_default = {
+        sse_algorithm = "AES256"
+      }
+    }
+  }
+  lifecycle_rule = [
+    {
+      id     = "Transition-To-Intelligent-Tiering"
+      status = "Enabled"
+      # abort_incomplete_multipart_upload_days = 1 (not expected here)
+      transition = {
+        days          = 0
+        storage_class = "INTELLIGENT_TIERING"
+      }
+    },
+    {
+      id     = "${var.s3_retention_period}-Days-Non-Current-Expiration"
+      status = "Enabled"
+      noncurrent_version_expiration = {
+        noncurrent_days = var.s3_retention_period
+      }
+      expiration = {
+        expired_object_delete_marker = true
+      }
+    }
+  ]
+
+  cors_rule = each.value.enable_cors != true ? [] : [
+    {
+      allowed_headers = ["*"]
+      allowed_methods = ["GET", "PUT", "POST", "HEAD"]
+      allowed_origins = var.s3_allowed_origins
+    }
+  ]
+
+  control_object_ownership              = true
+  block_public_acls                     = true
+  block_public_policy                   = true
+  ignore_public_acls                    = true
+  restrict_public_buckets               = true
+  attach_deny_insecure_transport_policy = true
+}
+
+output "s3_bucket_name_suffix" {
+  value = local.s3_bucket_name_suffix
+}
diff --git a/variables.tf b/variables.tf
new file mode 100644
index 0000000..c0aa6cf
--- /dev/null
+++ b/variables.tf
@@ -0,0 +1,600 @@
+#******************************************************************************
+#   General Configuration
+#******************************************************************************
+
+variable "deployment_id" {
+  description = "The id of the deployment. Will be used to name resources like EKS cluster, etc."
+  type        = string
+  nullable    = false
+  validation {
+    condition     = (length(var.deployment_id) >= 3)
+    error_message = "The deployment_id must be greater than 3 characters."
+  }
+}
+
+variable "kms_key_arn" {
+  type        = string
+  description = "The ARN of the KMS key to use for encryption in AWS services"
+}
+
+variable "vpc_id" {
+  description = "The id of the vpc deploying into."
+  type        = string
+}
+
+
+#******************************************************************************
+#   S3 Configuration
+#******************************************************************************
+
+variable "s3_retention_period" {
+  description = "The retention period, in days, to retain s3 objects."
+  type        = string
+  default     = "90"
+}
+
+variable "s3_allowed_origins" {
+  description = "The allowed orgins for S3 CORS rules."
+  type        = list(string)
+  nullable    = false
+}
+
+#******************************************************************************
+#   EKS Configuration
+#******************************************************************************
+variable "eks_create" {
+  type        = bool
+  description = "Enables the EKS resource creation"
+  default     = true
+}
+
+variable "eks_subnets" {
+  description = "The subnets to deploy EKS into."
+  type        = list(string)
+}
+
+variable "eks_create_cluster_autoscaler_irsa" {
+  type        = bool
+  description = "Enables creation of cluster autoscaler IAM role."
+  default     = true
+}
+
+variable "eks_create_external_dns_irsa" {
+  type        = bool
+  description = "Enables creation of external dns IAM role."
+  default     = true
+}
+
+variable "eks_create_load_balancer_controller_irsa" {
+  type        = bool
+  description = "Enables creation of load balancer controller IAM role."
+  default     = true
+}
+
+variable "eks_create_karpenter" {
+  type        = bool
+  description = "Enables creation of Karpenter resources."
+  default     = false
+}
+
+variable "eks_version" {
+  type        = string
+  description = "The version of the EKS Cluster (e.g. 1.27)"
+}
+
+variable "eks_private_endpoint_enabled" {
+  type        = bool
+  description = "Enables the EKS VPC private endpoint."
+  default     = true
+}
+
+variable "eks_public_endpoint_enabled" {
+  type        = bool
+  description = "Enables the EKS public endpoint."
+  default     = false
+}
+
+variable "eks_cluster_endpoint_public_access_cidrs" {
+  type        = list(string)
+  description = " List of CIDR blocks which can access the Amazon EKS public API server endpoint"
+  default     = ["0.0.0.0/0"]
+}
+
+variable "eks_node_additional_security_group_ids" {
+  description = "Additional security group ids to attach to EKS nodes."
+  type        = list(string)
+  default     = []
+}
+
+variable "coredns_version" {
+  type        = string
+  description = "The version of the EKS Core DNS Addon."
+}
+
+variable "kube_proxy_version" {
+  type        = string
+  description = "The version of the EKS Kube Proxy Addon."
+}
+
+variable "vpc_cni_version" {
+  type        = string
+  description = "The version of the EKS VPC CNI Addon."
+}
+
+variable "aws_ebs_csi_driver_version" {
+  type        = string
+  description = "The version of the EKS EBS CSI Addon."
+}
+
+variable "launch_template_tags" {
+  type        = map(string)
+  description = "Tags to associate with launch templates for node groups"
+  default     = null
+}
+
+variable "enable_cluster_creator_admin_permissions" {
+  type        = bool
+  description = "Enables the identity used to create the EKS cluster to have administrator access to that EKS cluster. When enabled, do not specify the same principal arn for eks_administrator_principals."
+  default     = true
+}
+
+variable "eks_administrator_principals" {
+  type = list(object({
+    name          = string
+    principal_arn = string
+  }))
+  description = "The ARNs of the IAM roles for administrator access to EKS."
+  default     = []
+}
+
+variable "ec2_key_name" {
+  description = "The name of the EC2 key pair to access servers."
+  type        = string
+  default     = null
+}
+
+
+variable "eks_node_groups" {
+  type = list(object({
+    name            = string
+    min_size        = string
+    desired_size    = string
+    max_size        = string
+    volume_type     = optional(string, "gp3")
+    disk_size       = optional(number, 200)
+    disk_iops       = optional(number, 3000)
+    disk_throughput = optional(number, 125)
+    device_name     = optional(string, "/dev/xvda")
+    instance_types  = list(string)
+    capacity_type   = optional(string, "ON_DEMAND")
+    labels          = optional(map(string), {})
+    taints          = optional(map(object({ key = string, value = string, effect = string })), {})
+  }))
+  default = [{
+    name           = "ast-app"
+    min_size       = 3
+    desired_size   = 3
+    max_size       = 9
+    instance_types = ["c5.4xlarge"]
+    },
+    {
+      name           = "sast-engine"
+      min_size       = 0
+      desired_size   = 0
+      max_size       = 100
+      instance_types = ["m5.2xlarge"]
+      labels = {
+        "sast-engine" = "true"
+      }
+      taints = {
+        dedicated = {
+          key    = "sast-engine"
+          value  = "true"
+          effect = "NO_SCHEDULE"
+        }
+      }
+    },
+    {
+      name           = "sast-engine-large"
+      min_size       = 0
+      desired_size   = 0
+      max_size       = 100
+      instance_types = ["m5.4xlarge"]
+      labels = {
+        "sast-engine-large" = "true"
+      }
+      taints = {
+        dedicated = {
+          key    = "sast-engine-large"
+          value  = "true"
+          effect = "NO_SCHEDULE"
+        }
+      }
+    },
+    {
+      name           = "sast-engine-extra-large"
+      min_size       = 0
+      desired_size   = 0
+      max_size       = 100
+      instance_types = ["r5.2xlarge"]
+      labels = {
+        "sast-engine-extra-large" = "true"
+      }
+      taints = {
+        dedicated = {
+          key    = "sast-engine-extra-large"
+          value  = "true"
+          effect = "NO_SCHEDULE"
+        }
+      }
+    },
+    {
+      name           = "sast-engine-xxl"
+      min_size       = 0
+      desired_size   = 0
+      max_size       = 100
+      instance_types = ["r5.4xlarge"]
+      labels = {
+        "sast-engine-xxl" = "true"
+      }
+      taints = {
+        dedicated = {
+          key    = "sast-engine-xxl"
+          value  = "true"
+          effect = "NO_SCHEDULE"
+        }
+      }
+    },
+    {
+      name           = "kics-engine"
+      min_size       = 1
+      desired_size   = 1
+      max_size       = 100
+      instance_types = ["c5.2xlarge"]
+      labels = {
+        "kics-engine" = "true"
+      }
+      taints = {
+        dedicated = {
+          key    = "kics-engine"
+          value  = "true"
+          effect = "NO_SCHEDULE"
+        }
+      }
+    },
+    {
+      name           = "repostore"
+      min_size       = 1
+      desired_size   = 1
+      max_size       = 100
+      instance_types = ["c5.2xlarge"]
+      labels = {
+        "repostore" = "true"
+      }
+      taints = {
+        dedicated = {
+          key    = "repostore"
+          value  = "true"
+          effect = "NO_SCHEDULE"
+        }
+      }
+    },
+    {
+      name           = "sca-source-resolver"
+      min_size       = 1
+      desired_size   = 1
+      max_size       = 100
+      instance_types = ["m5.2xlarge"]
+      labels = {
+        "service" = "sca-source-resolver"
+      }
+      taints = {
+        dedicated = {
+          key    = "service"
+          value  = "sca-source-resolver"
+          effect = "NO_SCHEDULE"
+        }
+      }
+    }
+  ]
+}
+
+#******************************************************************************
+#   RDS Configuration
+#******************************************************************************
+
+variable "db_engine_version" {
+  description = "The aurora postgres engine version."
+  type        = string
+  default     = "13.8"
+}
+
+
+variable "db_subnets" {
+  description = "The subnets to deploy RDS into."
+  type        = list(string)
+}
+
+
+variable "db_allow_major_version_upgrade" {
+  description = "Allows major version upgrades."
+  type        = bool
+  default     = false
+}
+
+variable "db_auto_minor_version_upgrade" {
+  description = "Automatically upgrade to latest minor version in maintenance window."
+  type        = bool
+  default     = false
+}
+
+variable "db_instance_class" {
+  description = "The aurora postgres instance class."
+  type        = string
+  default     = "db.r6g.xlarge"
+}
+
+variable "db_monitoring_interval" {
+  description = "The aurora postgres engine version."
+  type        = string
+  default     = "10"
+}
+
+variable "db_autoscaling_enabled" {
+  description = "Enables autoscaling of the aurora database."
+  type        = bool
+  default     = true
+}
+
+variable "db_autoscaling_min_capacity" {
+  description = "The minimum number of replicas via autoscaling."
+  type        = string
+  default     = "1"
+}
+
+variable "db_autoscaling_max_capacity" {
+  description = "The maximum number of replicas via autoscaling."
+  type        = string
+  default     = "3"
+}
+
+variable "db_autoscaling_target_cpu" {
+  description = "The CPU utilization for autoscaling target tracking."
+  type        = number
+  default     = 70
+}
+
+variable "db_autoscaling_scale_in_cooldown" {
+  description = "The database scale in cooldown period."
+  type        = number
+  default     = 300
+}
+
+variable "db_autoscaling_scale_out_cooldown" {
+  description = "The database scale ou cooldown period."
+  type        = number
+  default     = 300
+}
+
+variable "db_snapshot_identifer" {
+  description = "The snapshot identifier to restore the database from."
+  type        = string
+  default     = null
+}
+
+variable "db_port" {
+  description = "The port on which the DB accepts connections."
+  type        = string
+  default     = "5432"
+}
+
+variable "db_master_user_password" {
+  description = "The master user password for RDS. Specify to explicitly set the password otherwise RDS will be allowed to manage it."
+  type        = string
+  default     = null
+}
+
+variable "db_create_rds_proxy" {
+  description = "Enables an RDS proxy for the Aurora postgres database."
+  type        = bool
+  default     = true
+}
+
+variable "db_create" {
+  description = "Controls creation of the Aurora postgres database."
+  type        = bool
+  default     = true
+}
+
+variable "db_skip_final_snapshot" {
+  description = "Enables skipping the final snapshot upon deletion."
+  type        = bool
+  default     = false
+}
+
+variable "db_final_snapshot_identifier" {
+  description = "Identifer for a final DB snapshot. Required when db_skip_final_snapshot is false.."
+  type        = string
+  default     = null
+}
+
+variable "db_deletion_protection" {
+  description = "Enables deletion protection to avoid accidental database deletion."
+  type        = bool
+  default     = true
+}
+
+variable "db_instances" {
+  type        = map(any)
+  description = "The DB instance configuration"
+  default = {
+    writer   = {}
+    replica1 = {}
+  }
+}
+
+variable "db_serverlessv2_scaling_configuration" {
+  description = "The serverless v2 scaling minimum and maximum."
+  type = object({
+    min_capacity = number
+    max_capacity = number
+  })
+  default = {
+    min_capacity = 0.5
+    max_capacity = 32
+  }
+}
+
+variable "db_performance_insights_enabled" {
+  type        = bool
+  default     = true
+  description = "Enables database performance insights."
+}
+
+variable "db_performance_insights_retention_period" {
+  type        = number
+  default     = 7
+  description = "Number of days to retain performance insights data. Free tier: 7 days."
+}
+
+variable "db_cluster_db_instance_parameter_group_name" {
+  type        = string
+  default     = null
+  description = "The name of the DB Cluster parameter group to use."
+}
+
+variable "db_apply_immediately" {
+  type        = bool
+  default     = false
+  description = "Determines if changes will be applied immediately or wait until the next maintenance window."
+}
+
+
+#******************************************************************************
+# Elasticache Configuration
+#******************************************************************************
+variable "ec_create" {
+  type        = bool
+  default     = true
+  description = "Enables the creation of elasticache resources."
+}
+
+variable "ec_subnets" {
+  description = "The subnets to deploy Elasticache into."
+  type        = list(string)
+}
+
+variable "ec_enable_serverless" {
+  type        = bool
+  default     = false
+  description = "Enables the use of elasticache for redis serverless."
+}
+
+variable "ec_serverless_max_storage" {
+  type        = number
+  default     = 5
+  description = "The max storage, in GB, for serverless elasticache for redis."
+}
+variable "ec_serverless_max_ecpu_per_second" {
+  type        = number
+  default     = 5000
+  description = "The max eCPU per second for serverless elasticache for redis."
+}
+
+variable "ec_engine_version" {
+  type        = string
+  description = "The version of the elasticache cluster. Does not apply to serverless."
+  default     = "6.x"
+}
+variable "ec_parameter_group_name" {
+  type        = string
+  description = "The elasticache parameter group name. Does not apply to serverless."
+  default     = "default.redis6.x.cluster.on"
+}
+
+variable "ec_node_type" {
+  type        = string
+  description = "The elasticache redis node type. Does not apply to serverless."
+  default     = "cache.m6g.large"
+}
+
+variable "ec_number_of_shards" {
+  type        = number
+  description = "The number of shards for redis. Does not apply to serverless."
+  default     = 3
+}
+
+variable "ec_replicas_per_shard" {
+  type        = number
+  description = "The number of replicas per shard for redis. Does not apply to serverless."
+  default     = 2
+}
+
+variable "ec_auto_minor_version_upgrade" {
+  type        = bool
+  description = "Enables automatic minor version upgrades. Does not apply to serverless."
+  default     = false
+}
+
+variable "ec_automatic_failover_enabled" {
+  type        = bool
+  description = "Enables automatic failover. Does not apply to serverless."
+  default     = true
+}
+
+variable "ec_multi_az_enabled" {
+  type        = bool
+  description = "Enables automatic failover. Does not apply to serverless."
+  default     = true
+}
+
+#******************************************************************************
+# Elasticsearch Configuration
+#******************************************************************************
+
+variable "es_create" {
+  type        = bool
+  description = "Enables creation of elasticsearch resources."
+  default     = true
+}
+
+variable "es_subnets" {
+  description = "The subnets to deploy Elasticsearch into."
+  type        = list(string)
+}
+
+variable "es_instance_type" {
+  type        = string
+  description = "The instance type for elasticsearch nodes."
+  default     = "r6g.large.elasticsearch"
+}
+
+variable "es_instance_count" {
+  type        = number
+  description = "The number of nodes in elasticsearch cluster"
+  default     = 2
+}
+
+variable "es_volume_size" {
+  type        = number
+  description = "The size of volumes for nodes in elasticsearch cluster"
+  default     = 100
+}
+
+variable "es_tls_security_policy" {
+  default = "Policy-Min-TLS-1-2-2019-07"
+  type    = string
+}
+
+variable "es_username" {
+  description = "The username for the elasticsearch user"
+  type        = string
+  default     = "ast"
+}
+
+variable "es_password" {
+  description = "The password for the elasticsearch user"
+  type        = string
+  sensitive   = true
+}
+

From b1ca74b6f1acda079165466197dedfb87be706e4 Mon Sep 17 00:00:00 2001
From: benjaminstokes <ben.stokes@checkmarx.com>
Date: Wed, 10 Apr 2024 15:56:15 -0400
Subject: [PATCH 04/57] Create examples.auto.tfvars

---
 examples/full/examples.auto.tfvars | 256 +++++++++++++++++++++++++++++
 1 file changed, 256 insertions(+)
 create mode 100644 examples/full/examples.auto.tfvars

diff --git a/examples/full/examples.auto.tfvars b/examples/full/examples.auto.tfvars
new file mode 100644
index 0000000..d2bdefe
--- /dev/null
+++ b/examples/full/examples.auto.tfvars
@@ -0,0 +1,256 @@
+
+#******************************************************************************
+#   Base Infrastructure Configuration
+#******************************************************************************
+vpc_cidr                = "10.77.0.0/16"
+secondary_vpc_cidr      = "100.64.0.0/16"
+interface_vpc_endpoints = ["ec2", "ec2messages", "ssm", "ssmmessages", "ecr.api", "ecr.dkr", "kms", "logs", "sts", "elasticloadbalancing", "autoscaling"]
+create_s3_endpoint      = true
+route_53_hosted_zone_id = "<enter your hosted zone id e.g. Z0962235AVF65523G11OI"
+fqdn                    = "example.checkmarx-ps.com"
+deployment_id           = "cxone-dev"
+ec2_key_name            = "<enter your ec2 key>"
+
+#******************************************************************************
+#   S3 Configuration
+#******************************************************************************
+object_storage_endpoint   = "<enter your s3 region e.g. s3.us-west-2.amazonaws.com>"
+object_storage_access_key = "<enter your AWS Access Key for the IAM user that connects to S3 buckets>"
+object_storage_secret_key = "<enter your AWS Secret Key for the IAM user that connects to S3 buckets>"
+
+#******************************************************************************
+#   Kots & Installation Configuration
+#******************************************************************************
+kots_admin_email     = "<email address of the CxOne first administrator user>"
+kots_release_channel = "beta"
+kots_cxone_version   = "3.10.5"
+kots_license_file    = "<path to your Checkmarx One license.yml file>"
+
+#******************************************************************************
+# terraform-aws-cxone module pass thru variables
+#******************************************************************************
+eks_create                               = true
+eks_create_cluster_autoscaler_irsa       = true
+eks_create_external_dns_irsa             = true
+eks_create_load_balancer_controller_irsa = true
+eks_create_karpenter                     = false
+eks_version                              = "1.27"
+coredns_version                          = "v1.10.1-eksbuild.7"
+kube_proxy_version                       = "v1.27.10-eksbuild.2"
+vpc_cni_version                          = "v1.17.1-eksbuild.1"
+aws_ebs_csi_driver_version               = "v1.27.0-eksbuild.1"
+eks_private_endpoint_enabled             = true
+eks_public_endpoint_enabled              = true
+eks_cluster_endpoint_public_access_cidrs = ["0.0.0.0/0"]
+enable_cluster_creator_admin_permissions = true
+eks_node_additional_security_group_ids   = []
+# Uncomment the eks_administrator_principals to specify additional principal ARNs that should have admin
+# access to EKS.
+# eks_administrator_principals = [
+#   {
+#     name          = "YourName1"
+#     principal_arn = "arn:aws:iam::1234567890:role/aws-reserved/sso.amazonaws.com/us-east-1/YourRoleName1"
+#   },
+#   {
+#     name          = "YourName2"
+#     principal_arn = "arn:aws:iam::1234567890:role/aws-reserved/sso.amazonaws.com/us-east-1/YourName2"
+#   }
+# ]
+launch_template_tags = {
+  CostCenter     = "12345"
+  "Custom:owner" = "foobar"
+}
+eks_node_groups = [{
+  name           = "ast-app"
+  min_size       = 3
+  desired_size   = 3
+  max_size       = 9
+  instance_types = ["c5.4xlarge"]
+  },
+  {
+    name           = "sast-engine"
+    min_size       = 0
+    desired_size   = 0
+    max_size       = 100
+    instance_types = ["m5.2xlarge"]
+    labels = {
+      "sast-engine" = "true"
+    }
+    taints = {
+      dedicated = {
+        key    = "sast-engine"
+        value  = "true"
+        effect = "NO_SCHEDULE"
+      }
+    }
+  },
+  {
+    name           = "sast-engine-large"
+    min_size       = 0
+    desired_size   = 0
+    max_size       = 100
+    instance_types = ["m5.4xlarge"]
+    labels = {
+      "sast-engine-large" = "true"
+    }
+    taints = {
+      dedicated = {
+        key    = "sast-engine-large"
+        value  = "true"
+        effect = "NO_SCHEDULE"
+      }
+    }
+  },
+  {
+    name           = "sast-engine-extra-large"
+    min_size       = 0
+    desired_size   = 0
+    max_size       = 100
+    instance_types = ["r5.2xlarge"]
+    labels = {
+      "sast-engine-extra-large" = "true"
+    }
+    taints = {
+      dedicated = {
+        key    = "sast-engine-extra-large"
+        value  = "true"
+        effect = "NO_SCHEDULE"
+      }
+    }
+  },
+  {
+    name           = "sast-engine-xxl"
+    min_size       = 0
+    desired_size   = 0
+    max_size       = 100
+    instance_types = ["r5.4xlarge"]
+    labels = {
+      "sast-engine-xxl" = "true"
+    }
+    taints = {
+      dedicated = {
+        key    = "sast-engine-xxl"
+        value  = "true"
+        effect = "NO_SCHEDULE"
+      }
+    }
+  },
+  {
+    name           = "kics-engine"
+    min_size       = 1
+    desired_size   = 1
+    max_size       = 100
+    instance_types = ["c5.2xlarge"]
+    labels = {
+      "kics-engine" = "true"
+    }
+    taints = {
+      dedicated = {
+        key    = "kics-engine"
+        value  = "true"
+        effect = "NO_SCHEDULE"
+      }
+    }
+  },
+  {
+    name           = "repostore"
+    min_size       = 1
+    desired_size   = 1
+    max_size       = 100
+    instance_types = ["c5.2xlarge"]
+    labels = {
+      "repostore" = "true"
+    }
+    taints = {
+      dedicated = {
+        key    = "repostore"
+        value  = "true"
+        effect = "NO_SCHEDULE"
+      }
+    }
+  },
+  {
+    name           = "sca-source-resolver"
+    min_size       = 1
+    desired_size   = 1
+    max_size       = 100
+    instance_types = ["m5.2xlarge"]
+    labels = {
+      "service" = "sca-source-resolver"
+    }
+    taints = {
+      dedicated = {
+        key    = "service"
+        value  = "sca-source-resolver"
+        effect = "NO_SCHEDULE"
+      }
+    }
+  }
+]
+
+
+#******************************************************************************
+# RDS Configuration
+#******************************************************************************
+db_engine_version              = "13.12"
+db_allow_major_version_upgrade = true
+db_auto_minor_version_upgrade  = true
+db_apply_immediately           = true
+db_deletion_protection         = false
+db_skip_final_snapshot         = true
+db_final_snapshot_identifier   = "your-final-snapshot-id"
+db_snapshot_identifer          = null
+db_instance_class              = "db.serverless" # "db.r6g.large"
+db_monitoring_interval         = "10"
+# When enabling autoscaling, you may need to edit and save the autoscaling policy (no updates needed)
+# to work around the issue described here: https://github.com/terraform-aws-modules/terraform-aws-rds-aurora/issues/432
+db_autoscaling_enabled                      = false # Autoscaling not supported by Checkmarx One Single Tenant, yet.
+db_autoscaling_min_capacity                 = 1
+db_autoscaling_max_capacity                 = 3
+db_autoscaling_target_cpu                   = 70
+db_autoscaling_scale_out_cooldown           = 300
+db_autoscaling_scale_in_cooldown            = 300
+db_port                                     = "5432"
+db_create_rds_proxy                         = false #true
+db_create                                   = true
+db_performance_insights_enabled             = true
+db_performance_insights_retention_period    = 7
+db_cluster_db_instance_parameter_group_name = "aurora-postgresql13-cluster"
+# Set individual instance properties. Reference https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster_instance
+db_instances = {
+  writer = {}
+  replica1 = {
+    promotion_tier = 0
+  }
+}
+db_serverlessv2_scaling_configuration = {
+  min_capacity = 0.5
+  max_capacity = 8
+}
+
+
+#******************************************************************************
+# Elasticache Configuration
+#******************************************************************************
+ec_create                         = true
+ec_enable_serverless              = false # Serverless EC is not supported by Checkmarx One, yet.
+ec_serverless_max_storage         = 5
+ec_serverless_max_ecpu_per_second = 5000
+ec_engine_version                 = "6.x"                         # "6.x"
+ec_parameter_group_name           = "default.redis6.x.cluster.on" # "default.redis6.x.cluster.on"
+ec_automatic_failover_enabled     = true
+ec_multi_az_enabled               = true
+ec_node_type                      = "cache.r7g.large" # Production: cache.r7g.xlarge, Dev/Test: cache.t4g.medium, Demo: cache.t4g.micro. Note: Not all regions have r7 generation instances.
+ec_number_of_shards               = 1                 # Production 3, Dev/Test: 1, Demo: 1
+ec_replicas_per_shard             = 2                 # Production 2, Dev/Test: 1, Demo: 0
+ec_auto_minor_version_upgrade     = false
+
+#******************************************************************************
+# Elasticsearch Configuration
+#******************************************************************************
+es_create              = true
+es_instance_count      = 2
+es_instance_type       = "r6g.large.elasticsearch"
+es_volume_size         = 50
+es_tls_security_policy = "Policy-Min-TLS-1-2-2019-07"
+es_username            = "ast"

From 99eb8192d0e00bdea134435636ef4e6f79d1bbe6 Mon Sep 17 00:00:00 2001
From: benjaminstokes <stokesbo@gmail.com>
Date: Fri, 12 Apr 2024 15:59:02 -0400
Subject: [PATCH 05/57] Bugfix: cluster autoscaler and external dns were keyed
 off eks_create_load_balancer_controller_irsa erroneously.

---
 eks.tf | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/eks.tf b/eks.tf
index ebbed06..27a0eff 100644
--- a/eks.tf
+++ b/eks.tf
@@ -287,9 +287,9 @@ module "karpenter" {
   iam_role_description            = "IAM role for karpenter controller created by karpenter module"
   create_node_iam_role            = false
   #node_iam_role_arn               = module.eks.eks_managed_node_groups.nodegroup_iam_role_arn
-  create_access_entry             = false
-  iam_policy_name                 = "KarpenterPolicy-${var.deployment_id}"
-  iam_policy_description          = "Karpenter controller IAM policy created by karpenter module"
+  create_access_entry      = false
+  iam_policy_name          = "KarpenterPolicy-${var.deployment_id}"
+  iam_policy_description   = "Karpenter controller IAM policy created by karpenter module"
   iam_role_use_name_prefix = false
   node_iam_role_additional_policies = {
     AmazonSSMManagedInstanceCore = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore",
@@ -302,19 +302,19 @@ module "karpenter" {
 
 
 output "cluster_autoscaler_iam_role_arn" {
-  value = var.eks_create && var.eks_create_load_balancer_controller_irsa ? module.cluster_autoscaler_irsa[0].iam_role_arn : ""
+  value = var.eks_create && var.eks_create_cluster_autoscaler_irsa ? module.cluster_autoscaler_irsa[0].iam_role_arn : ""
 }
 
 output "external_dns_iam_role_arn" {
-  value = var.eks_create && var.eks_create_load_balancer_controller_irsa ? module.external_dns_irsa[0].iam_role_arn : "" 
+  value = var.eks_create && var.eks_create_external_dns_irsa ? module.external_dns_irsa[0].iam_role_arn : ""
 }
 
 output "load_balancer_controller_iam_role_arn" {
-  value = var.eks_create && var.eks_create_load_balancer_controller_irsa ? module.load_balancer_controller_irsa[0].iam_role_arn : ""  
+  value = var.eks_create && var.eks_create_load_balancer_controller_irsa ? module.load_balancer_controller_irsa[0].iam_role_arn : ""
 }
 
 output "karpenter_iam_role_arn" {
-  value = var.eks_create && var.eks_create_karpenter ? module.karpenter.iam_role_arn : ""  
+  value = var.eks_create && var.eks_create_karpenter ? module.karpenter.iam_role_arn : ""
 }
 
 output "eks" {

From 825672c2b32548a7e907f0e996503d1dc7baeb5c Mon Sep 17 00:00:00 2001
From: benjaminstokes <stokesbo@gmail.com>
Date: Sun, 21 Apr 2024 01:07:14 -0400
Subject: [PATCH 06/57] added inspection vpc

---
 modules/inspection-vpc/README.md         | 178 +++++++++++++++++++
 modules/inspection-vpc/docs/vpc.png      | Bin 0 -> 368489 bytes
 modules/inspection-vpc/firewall-rules.tf | 162 +++++++++++++++++
 modules/inspection-vpc/firewall.tf       |  99 +++++++++++
 modules/inspection-vpc/main.tf           | 211 +++++++++++++++++++++++
 modules/inspection-vpc/outputs.tf        |  42 +++++
 modules/inspection-vpc/variables.tf      |  97 +++++++++++
 modules/inspection-vpc/version.tf        |  10 ++
 modules/inspection-vpc/vpc-endpoints.tf  |  30 ++++
 9 files changed, 829 insertions(+)
 create mode 100644 modules/inspection-vpc/README.md
 create mode 100644 modules/inspection-vpc/docs/vpc.png
 create mode 100644 modules/inspection-vpc/firewall-rules.tf
 create mode 100644 modules/inspection-vpc/firewall.tf
 create mode 100644 modules/inspection-vpc/main.tf
 create mode 100644 modules/inspection-vpc/outputs.tf
 create mode 100644 modules/inspection-vpc/variables.tf
 create mode 100644 modules/inspection-vpc/version.tf
 create mode 100644 modules/inspection-vpc/vpc-endpoints.tf

diff --git a/modules/inspection-vpc/README.md b/modules/inspection-vpc/README.md
new file mode 100644
index 0000000..613406f
--- /dev/null
+++ b/modules/inspection-vpc/README.md
@@ -0,0 +1,178 @@
+# inspection-vpc
+
+This folder contains a [Terraform](https://www.terraform.io) module for deploying an [AWS Virtual Private Cloud (VPC)](https://docs.aws.amazon.com/vpc/latest/userguide/what-is-amazon-vpc.html). 
+
+The VPC is designed for use in development environments and is not intended to be used in production. The module is optimized to reduce costs for non-prod VPCs at the expense of high availability, while also providing use of [AWS Network Firewall](https://aws.amazon.com/network-firewall/) and [NAT Gateway](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html. 
+
+The VPC creates "Pod Subnets" in a secondary VPC CIDR attachment as a solution for ipv4 conservation as suggested in the AWS Blog Post [*Addressing IPv4 address exhaustion in Amazon EKS clusters using private NAT gateways*.](https://aws.amazon.com/blogs/containers/addressing-ipv4-address-exhaustion-in-amazon-eks-clusters-using-private-nat-gateways/)
+
+The VPC created looks like this:
+
+![VPC Diagram](docs/vpc.png)
+
+## Examples
+
+Minimal example:
+```
+module "vpc" {
+  source                     = "../../terraform-aws-cxone/modules/inspection-vpc"
+  deployment_id              = "bos-inspection-vpc"
+  primary_cidr_block         = "10.77.0.0/16"
+}
+```
+
+Full Example:
+
+```
+locals {
+  fqdn = "bos-govcloud.checkmarx-ps.com"
+}
+
+module "vpc" {
+  source                     = "../../terraform-aws-cxone/modules/inspection-vpc"
+  deployment_id              = "bos-inspection-vpc"
+  primary_cidr_block         = "10.77.0.0/16"
+  secondary_cidr_block       = "100.64.0.0/18"
+  interface_vpc_endpoints    = ["ec2", "ec2messages", "ssm", "ssmmessages", "ecr.api", "ecr.dkr", "kms", "logs", "sts", "elasticloadbalancing", "autoscaling"]
+  create_interface_endpoints = true
+  create_s3_endpoint         = true
+  enable_firewall            = true
+  stateful_default_action    = "aws:drop_established"
+  include_sca_rules          = true
+  create_managed_rule_groups = false
+  managed_rule_groups = ["AbusedLegitMalwareDomainsStrictOrder",
+    "MalwareDomainsStrictOrder",
+    "AbusedLegitBotNetCommandAndControlDomainsStrictOrder",
+    "BotNetCommandAndControlDomainsStrictOrder",
+    "ThreatSignaturesBotnetStrictOrder",
+    "ThreatSignaturesBotnetWebStrictOrder",
+    "ThreatSignaturesBotnetWindowsStrictOrder",
+    "ThreatSignaturesIOCStrictOrder",
+    "ThreatSignaturesDoSStrictOrder",
+    "ThreatSignaturesEmergingEventsStrictOrder",
+    "ThreatSignaturesExploitsStrictOrder",
+    "ThreatSignaturesMalwareStrictOrder",
+    "ThreatSignaturesMalwareCoinminingStrictOrder",
+    "ThreatSignaturesMalwareMobileStrictOrder",
+    "ThreatSignaturesMalwareWebStrictOrder",
+    "ThreatSignaturesScannersStrictOrder",
+    "ThreatSignaturesSuspectStrictOrder",
+    "ThreatSignaturesWebAttacksStrictOrder"
+  ]
+  additional_suricata_rules = <<EOF
+# CxOne must talk to itself when performing token exchange to validate the FQDN (cxiam makes the connection).
+pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"${local.fqdn}"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:1; rev:1;)
+
+# https/tls protocol example.com exactly
+pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"example.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:1; rev:1;)
+
+# https/tls protocol specific subdomain of example.com
+pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"www.example.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:1; rev:1;)
+
+# https/tls protocol any subdomain of example.com 
+pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:".example.com"; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:1; rev:1;)
+
+EOF
+}
+```
+
+## AWS Network Firewall
+
+This module includes an option to deploy the AWS Network Firewall. When enabled, the firewall protects the private and pod subnets. The firewall stateful rules are executed in strict order. All rules are defined in [suricata format](https://docs.aws.amazon.com/network-firewall/latest/developerguide/suricata-examples.html). 
+
+The firewall is enabled by the `enable_firewall` variable. When `enable_firewall` is false the VPC is deployed without the firewall components but still is a complete VPC with NAT Gateway for use with Checkmarx One deveopment/testing.
+
+The module contains default rules embedded in the module. You can view those rules in [firewall-rules.tf](./firewall-rules.tf).
+
+The embedded rules can be customized in these ways:
+
+| Approach | Instructions |
+|---|---|
+| Bring your own complete rules | Provide your rules in the `suricata_rules` variable. These rules will completely replace the embedded rules. |
+| Append some custom rules | Provide your rules in `additional_suricata_rules` variable. These rules will be injected into the default rules. They will be executed after the embedded rules but before the default drop rule. Use a sequence ID of `YYMMDDNNN` (where NNN is a 3 digit sequence) to ensure no SID conflicts with embedded rules. |
+
+# Module documentation
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.6 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.46.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.46.0 |
+| <a name="provider_template"></a> [template](#provider\_template) | n/a |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_vpc_endpoint_security_group"></a> [vpc\_endpoint\_security\_group](#module\_vpc\_endpoint\_security\_group) | terraform-aws-modules/security-group/aws | 5.1.2 |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_cloudwatch_log_group.aws_nfw_alert](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
+| [aws_cloudwatch_log_group.aws_nfw_flow](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
+| [aws_eip.nat](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eip) | resource |
+| [aws_internet_gateway.igw](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/internet_gateway) | resource |
+| [aws_nat_gateway.public](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/nat_gateway) | resource |
+| [aws_networkfirewall_firewall.main](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/networkfirewall_firewall) | resource |
+| [aws_networkfirewall_firewall_policy.main](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/networkfirewall_firewall_policy) | resource |
+| [aws_networkfirewall_logging_configuration.main](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/networkfirewall_logging_configuration) | resource |
+| [aws_networkfirewall_rule_group.cxone](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/networkfirewall_rule_group) | resource |
+| [aws_route_table.firewall](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table) | resource |
+| [aws_route_table.private](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table) | resource |
+| [aws_route_table.public](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table) | resource |
+| [aws_route_table_association.firewall](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table_association) | resource |
+| [aws_route_table_association.pod](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table_association) | resource |
+| [aws_route_table_association.private](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table_association) | resource |
+| [aws_route_table_association.public](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table_association) | resource |
+| [aws_subnet.database](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/subnet) | resource |
+| [aws_subnet.firewall](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/subnet) | resource |
+| [aws_subnet.pod](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/subnet) | resource |
+| [aws_subnet.private](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/subnet) | resource |
+| [aws_subnet.public](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/subnet) | resource |
+| [aws_vpc.main](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc) | resource |
+| [aws_vpc_endpoint.interface](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint) | resource |
+| [aws_vpc_endpoint.s3_gateway_private](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint) | resource |
+| [aws_vpc_ipv4_cidr_block_association.secondary_cidr_block](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_ipv4_cidr_block_association) | resource |
+| [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source |
+| [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |
+| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
+| [template_file.default_suricata_rules](https://registry.terraform.io/providers/hashicorp/template/latest/docs/data-sources/file) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_additional_suricata_rules"></a> [additional\_suricata\_rules](#input\_additional\_suricata\_rules) | Additional [suricata rules](https://docs.aws.amazon.com/network-firewall/latest/developerguide/suricata-examples.html) rules to use in the network firewall. When provided these rules will be appended to the default rules prior to the default drop rule. | `string` | `""` | no |
+| <a name="input_create_interface_endpoints"></a> [create\_interface\_endpoints](#input\_create\_interface\_endpoints) | Enables creation of the [interface endpoints](https://docs.aws.amazon.com/vpc/latest/privatelink/privatelink-access-aws-services.html) specified in `interface_vpc_endpoints` | `bool` | `true` | no |
+| <a name="input_create_managed_rule_groups"></a> [create\_managed\_rule\_groups](#input\_create\_managed\_rule\_groups) | Enables creation of the AWS Network Firewall [managed rule groups](https://docs.aws.amazon.com/network-firewall/latest/developerguide/aws-managed-rule-groups-list.html) provided in `managed_rule_groups` | `bool` | `true` | no |
+| <a name="input_create_s3_endpoint"></a> [create\_s3\_endpoint](#input\_create\_s3\_endpoint) | Enables creation of the [s3 gateway VPC endpoint](https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-endpoints-s3.html) | `bool` | `true` | no |
+| <a name="input_deployment_id"></a> [deployment\_id](#input\_deployment\_id) | The deployment id for the VPC which is used to name resources | `string` | n/a | yes |
+| <a name="input_enable_firewall"></a> [enable\_firewall](#input\_enable\_firewall) | Enables the use of the [AWS Network Firewall](https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html) to protect the private and pod subnets | `bool` | `true` | no |
+| <a name="input_include_sca_rules"></a> [include\_sca\_rules](#input\_include\_sca\_rules) | Enables inclusion of AWS Network Firewall rules used in SCA scanning. These rules may be overly permissive when not using SCA, so they are optional. These rules allow connectivity to various public package manager repositories like [Maven Central](https://mvnrepository.com/repos/central) and [npm](https://docs.npmjs.com/). | `bool` | `true` | no |
+| <a name="input_interface_vpc_endpoints"></a> [interface\_vpc\_endpoints](#input\_interface\_vpc\_endpoints) | A list of AWS services to create [VPC Private Endpoints](https://docs.aws.amazon.com/vpc/latest/privatelink/privatelink-access-aws-services.html) for. These endpoints are used for communication direct to AWS services without requiring connectivity and are useful for private EKS clusters. | `list(string)` | <pre>[<br>  "ec2",<br>  "ec2messages",<br>  "ssm",<br>  "ssmmessages",<br>  "ecr.api",<br>  "ecr.dkr",<br>  "kms",<br>  "logs",<br>  "sts",<br>  "elasticloadbalancing",<br>  "autoscaling"<br>]</pre> | no |
+| <a name="input_managed_rule_groups"></a> [managed\_rule\_groups](#input\_managed\_rule\_groups) | The AWS Network Firewall [managed rule groups](https://docs.aws.amazon.com/network-firewall/latest/developerguide/aws-managed-rule-groups-list.html) to include in the firewall policy. Must be strict order groups. | `list(string)` | <pre>[<br>  "AbusedLegitMalwareDomainsStrictOrder",<br>  "MalwareDomainsStrictOrder",<br>  "AbusedLegitBotNetCommandAndControlDomainsStrictOrder",<br>  "BotNetCommandAndControlDomainsStrictOrder",<br>  "ThreatSignaturesBotnetStrictOrder",<br>  "ThreatSignaturesBotnetWebStrictOrder",<br>  "ThreatSignaturesBotnetWindowsStrictOrder",<br>  "ThreatSignaturesIOCStrictOrder",<br>  "ThreatSignaturesDoSStrictOrder",<br>  "ThreatSignaturesEmergingEventsStrictOrder",<br>  "ThreatSignaturesExploitsStrictOrder",<br>  "ThreatSignaturesMalwareStrictOrder",<br>  "ThreatSignaturesMalwareCoinminingStrictOrder",<br>  "ThreatSignaturesMalwareMobileStrictOrder",<br>  "ThreatSignaturesMalwareWebStrictOrder",<br>  "ThreatSignaturesScannersStrictOrder",<br>  "ThreatSignaturesSuspectStrictOrder",<br>  "ThreatSignaturesWebAttacksStrictOrder"<br>]</pre> | no |
+| <a name="input_primary_cidr_block"></a> [primary\_cidr\_block](#input\_primary\_cidr\_block) | The primary VPC CIDR block for the VPC. Must be at least a /19. | `string` | n/a | yes |
+| <a name="input_secondary_cidr_block"></a> [secondary\_cidr\_block](#input\_secondary\_cidr\_block) | The secondary VPC CIDR block for the EKS Pod [Custom Networking](https://aws.github.io/aws-eks-best-practices/networking/custom-networking/) configuration. Must be at least a /18. | `string` | `"100.64.0.0/18"` | no |
+| <a name="input_stateful_default_action"></a> [stateful\_default\_action](#input\_stateful\_default\_action) | The [default action](https://docs.aws.amazon.com/network-firewall/latest/developerguide/suricata-rule-evaluation-order.html#suricata-strict-rule-evaluation-order) for the AWS Network Firewall stateful rule group. Choose `aws:drop_established` or `aws:alert_established` | `string` | `"aws:drop_established"` | no |
+| <a name="input_suricata_rules"></a> [suricata\_rules](#input\_suricata\_rules) | The [suricata rules](https://docs.aws.amazon.com/network-firewall/latest/developerguide/suricata-examples.html) to use for the AWS Network Firewall. When provided, this variable completely overrides the embedded rules. Use this to bring your own rules. If you only need to provide some additional rules in addition to the bundled rules, then use `additional_suricata_rules` instead of `suricata_rules`. | `string` | `null` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_database_subnets"></a> [database\_subnets](#output\_database\_subnets) | List of database subnet IDs in the VPC |
+| <a name="output_firewall_subnets"></a> [firewall\_subnets](#output\_firewall\_subnets) | List of firewall subnet IDs in the VPC |
+| <a name="output_pod_subnet_info"></a> [pod\_subnet\_info](#output\_pod\_subnet\_info) | List of map of pod subnets including `subnet_id` and `availability_zone`. Useful for creating ENIConfigs for [EKS Custom Networking](https://docs.aws.amazon.com/eks/latest/userguide/cni-custom-network.html). |
+| <a name="output_pod_subnets"></a> [pod\_subnets](#output\_pod\_subnets) | List of pod subnet IDs in the VPC |
+| <a name="output_private_subnets"></a> [private\_subnets](#output\_private\_subnets) | List of private subnet IDs in the VPC |
+| <a name="output_public_subnets"></a> [public\_subnets](#output\_public\_subnets) | List of public subnet IDs in the VPC |
+| <a name="output_vpc_cidr_blocks"></a> [vpc\_cidr\_blocks](#output\_vpc\_cidr\_blocks) | The VPC CIDR blocks of the VPC |
+| <a name="output_vpc_id"></a> [vpc\_id](#output\_vpc\_id) | The id of the VPC |
diff --git a/modules/inspection-vpc/docs/vpc.png b/modules/inspection-vpc/docs/vpc.png
new file mode 100644
index 0000000000000000000000000000000000000000..c9f478b00d8c952c2204bdfbf68c5c89708732e6
GIT binary patch
literal 368489
zcmeFa$*${2)-G1|H4Nhd_W^9!!vg+0s090F$VL<;ks>9kAvH;`7sXcWr3WzJm+{CC
z;gR3N&)|tyXiGb_n^TpQSy^>X-JRH}BZh)xFk;18-)i}Pn9J#Z`Op8$fBw^-{`6mF
zs=WTwpZ@#*>ra3BPyhS>^glw&|Mvg=r~e!N`R|(bRQ%Kb`TzW{|L>pvhyS@~Cw7~U
zQIds!`ZFoLeETzj9m}TuGb#U>ASPMpw{=;-S7^`6Ac>MNc=?UM2<k5w^%nx)VAP*U
z0cYWZpnk$B?(ovzjl<%8A-%jNS?2zkQ0Sj9xYU2>uAdZb*&P2&if}wD+AxEEp&336
z3qEZ4AIE;i>7UvE3SWh)%EEo<Es_>pg=Bvs8EF2Gg}TwTKNAvs&yqBRf2N_ImgtnA
zc88ym61t;d-R>(L>oSK<3Qk}@VLve#&;NvDJaqo$Q5Ax__qN=~t&^wQp;-u9H-4D`
z&ZPA6=UtV_tDl$Ju^WR0TpIQ1!@5ae+HRBhxH<Zvy;R{#YY_H{fA3zwOf@gf)XN1L
z-_7nF@s}2_tb?$A=>#)K{F$8m857`==#P|w#Eok=hl9d}2fW?bgv<WretL3WwTsY@
zKl`g_rnp8joe>t{Z{J_-am{?3)^2sw%iy*)!T54ng2QeDfC;|5wBR^-Z;9*2jqdkF
z4OVh}Jj<h7mjsU|zISZPGHa9SJ`MLqzbp!%!24ZZCc>@ja(LS<Dzp3J-Ooc4`sO6m
zV11ZV)VfcC7Kjj0J4fG#huYOJiI0yv<BuoK-ACtp*XHO3<?wR;t?7ALUMBJ}opo8l
z^`2Jk`R7Nce3Zfr?S#iX-tPlM`1hatIve%tM*KaOn-=q(HG~8y|BSJwYVk&B|An|y
zZ0}~>ea?m6O)}R@vZTGhlN`$8PUlT~c~CVlolGjT5>a%4I*?)moF)w)jejOcoMI=U
z0KWuobG)$~91dV_wFxYxkR>tNVQpDKYg87kb-z69huiUIml}>q8(NhMTaT0nAaCe<
zZ1W6`(8XU!4BaBUQ~M`#cx(FW3;D}(PD5ZgZH*@4m;Li{oBQq|ADd_Rg%t4zDITB5
zkmByE=ibRbe!Vv0Ex(3DpwFGc{`&ZlG<ZjdpRfLXL|?1_`DXsO`Z#`{vVVisC-2+k
zYwN?BzWqZR=;Px5h57ec{5xZO+WAWjK{>1QiV!dwlYz7ogQSPAG5QL;hXBa-((cv2
zG=I|bTb<w<Z?5>#?|m!chEKAlDgkQVSSBt0nHFIQB<#;LNPGz${Y2338r~nXZyVsj
zpU%G>p=&%Y_|owH7_RZ$0e?Nhe!5-$xdGko`S>=#r-rvbqtT#iJT8BGyr145zYGxi
zkYd@jSyF(YePAmjF9AFT37~|B%)HCwC(-zs<h)7U7j%aMBK;tR0l&2_+zUy0BwlYT
z5!RC)?t~Tu-PtceF{qlvyFmlgQipyA__+_)Ve@iv)Cx%JhMn^f##$YJa)*ZcDXz<|
zf*<302KRz1e*E?423-!I$j`rYwr)`4K7bFn1H%MLVBo6HAO-Nqgi#m;w48515cdv9
zvM@sA-T=r*idefH$spsu4N6||4eIpIfFOT)z>9|vV()zE8G<}u$uk6b1^V9+1o<F@
z9y|t7CvXBFup7*T=5vQ2I7~5#-Tr%SdSO!15wyqLtw%V~K)4m#nV?&~@|l-wJ{a0J
zIoEHwHE=P|q5t}=zBt_%r~5Xi>nk5|;SUUrlPE<2{qYS$yL0%@)v3RmmkEN%iX7bH
zpU=x)mGe6@BR*kf^h0%eW@fLA-w`tdfP~P?6RKK=F)}6Hn!iBJ1GU{y&ws<9rhcJ{
zPd59f=;a@~**`bT{3_t`xfKDO`qvE-FY47dw5kVExif&jJdU5x4D&!d&kW$T@%v!_
zfc@X?|H%Sb!(X*3H%EB4@EY{b11-GKi4+{{*{^`*%}-y7(U)TMsy2NoMxPjH9&F;y
zN@&D)(5`u6C9gWrGb?#*{C-#o=o0T(iR`xEg8RF82>~{~FJAIuQ~6RozO8zE8ChO^
zF%Lh_dm{_;iC*%`HokLSf(#Syn8}y57nzU0ti3NTU1YiZvi5$T)?SEpdD*@H2G(Aj
z`@o3aDM+8VoxT*Jo2To`Qv^)v%Tol*;IqHaZ7c72$B(QKAvW+1#C&N)uWn<ojC{GB
zzueA$WaQg>X7VFzL<AuJcg*BVBl^;a-bSH*X++<rMnv%cJ{l3?Lhl&SJB{eeW%LWk
z`HH1OmYT0vI`@~9h?^k)?cV42yyQpLkdU|M9WVLPkbYqvUmDU^VD2BB8}tsC{LmWG
z$5@t!FZl>O_bEdE5tj>bw{cSZ<(AQfQX8=fQl?Ol%WK^3w}N!7FpJ;>-7O$>FMx0B
zFbaXiqYTS;5xnT$Z{v5XN5kfrG>`sRRhRuOOOe1Lh#!XWc2Si0C`cY1+)~IMKjkQ6
zmcY6O@;<?e0$+y&5(Np&4T7YF@I4o$^g#k3O3-|{TGX{&jYbDi>BFsWf}WrV!{GJ+
zAzT3B<{@PiQdYYdT`VteCv*)wBOLxm_*4ATb2Ho=rM=z;`^#Bxh7g4=x-ELjI?NLH
z_ADs6@a;&GBC1^oBkg?D8{K4fd+1}?L8c{i&KgLo#XK|&7X|LaFj2$NErQ#Ti!KR?
z1}`Hm(UaY>05SJ%Zr~MK;qtE$2Cqx;B8Q&h9U&nPg>L_igoF~dXO!I%GLK0Rgpd*-
z!t@nrPG8au?gH))&G7rn`;gRE!^cw?$!qlK8`tl{Rr5!Nk&r;3$~Ur6Z@;}s{C!47
zw_hKr#&3Ukv_2;wOJ#-f9&gKU0x7&tMvkZ2=u<xHokQlZHg$pc8B)1F3kAFxr@xYs
zA^Meo1j4)W`p-{B_NOLuXvyG6E_R$C(QfXkf4PqaXzFjoaH2(gmsI-c1@D%%>ItKN
z+V3BJW9rTv{@clC{B&M_r$Y3blN|rG;kchp#YcVU-#xkg(`opf6!DvLp1(ti0QDID
zo)a{_C<5l=n}46Xm7#{n%RD|pQa%aU|Fj0ecSsQ*)toO!(3d0V%Mm31GZLZy2yyj3
zaF_fs0(U>1ijVn(4{iImq$vMuv!jued9@ULmWch89sQM}@a+_ZA2U1p(_Q^L@%RV(
z)MqKv%)=D*Y@cEu`B8tQed+~G{#t9n$IOJUjOj;}o3CugU$Py4)Qss*8Nf}fKO11b
zrGb5}e!XT$|GgR0>_cz+m+XIL>Rl$IEo2K*DQ4Gpx;}(|`Dmhfpac)T+$vAqO1NNF
z2;o?Pdn?5!&Ez$xtYAw0iJ_nnC?Jcs#aCX>eNj`N91+h&fxcC_kQNw;LluNxt6}`+
z%7w3&`mFxalQ-mUmiX&_jZbOm#z22NEj=W{os_6YeY<B@2X)u>pG67&sD<_~A*D}e
z;#;{TOQ?W~TxPFH_@CsMd?m_$<(T|ZVC>r{^xrX2_S4Pudok)ezVd^FRed@YUwJ3L
zR44o@clcHA@KMegg`)m;-0}}*Fx*4meF84uVS4_j4CaBkp2~)O`5?Z05MMrsAJzx)
z8Zq{8kp93v2>iyW-}ua5GE~0wswZ6Zm6`IDnF2P3zZv!RJ7Ldz#_}WURZw&MeK5{f
zy2@9&3VO8*;w4{o<Zo}H`fIPU`COYoyXv<agmEOvP>kFiy8O_J)kp8bmtys$SbZs0
zKdfT)K3(@m4(`G~CM<j@R$q0DzFwb$UcmX!hCS~Y%MYzseT-@UQmnodt1rdsU+S@X
z&tZOO#p>IE>HmV_0FQM2=Mb@%ps{<P*h|j-3%D{%lmb69;X`N|cnNKOD+%x#nf_}F
z3_wf~dV}q)YygTbLZ$g3I^;D*?act(wsrmE%bgyheHqTZ+j0h{`(4xCY7D>|7>BY>
z;r(-{wJf3}?rIlRB7oy}4}<P~%ib?N^s+uULL;f_q<34C*?)V|2;Q5G`W;cr^C<5V
zRJ%odD-`e+fZmHJz&T4{1D`Lqu5L33!$L22hB2WLK(T-Z$}OO8s9M0wjo{h7!|DKk
zgwf<fNcL-%_meyNUsp2Vn<3eshGgEO{hqwhuR8~p`ema$y_e=~Sl#<1jt|}625o-5
z>*h7s`z!h5E9~y2#Kvzo-oDR$`#}m2eaeQu<#q-E{*PlrB=HhF{>6vB_|Si&FC+dV
z@X&iV^^eSlK6<JD062uwSWptn7a#iKLtlL8m+Dl%GhF7q&E@;zLw|53w*(c<17E%v
zg$K<ckHz|wUj;F=8hrQS;xF7B83p0sR^N?8tslYXEeY|n>TNjx$nps8!2<Ye$aP#l
zZhyydsKH9E_xn9Up5yLTr13U}d&jmcvo@)kmx0|I@79JlZEg*<7vFY^N+@vne6b3Z
zFnr%&`7V?>eBZiH0x0BoYvmr#g-%z)BtAm%!hd!3w!2ymQsR>}dQKqyB=!0}i_g(%
zzvptE$(_v2@+^>U!SAp|+=+)rb-*XH!K`Si7ZVYfgdS!B6k76>k6D#T(cTu379Xtt
zeOM*-)Bvsx>G>G6=H~`@(5IhoM?by1XBz5ye!cI_YQNt1hU$=_`mbPJ)xrpEY^YvE
zil`!qRAx|q743BL<4dxCwe#S%**>z-=Pmk+LGI&AY$^2PQveqEC>Z%<O2i-W<Zn`P
zA62;iB`LX|@`Rg2c@sJ=>@8pb%NGMTd{dG-9NY{F?7m|RO&Yd7;>T#-Kjjk7I~_y2
z95uXc{H*QHF`hfVaE<2{bfLGr<bH?ujpz>V+irJw+lY?dw%msL81<`j5{>^B0`bJ-
zZf&3Ox%X$^Zt(8xm$qNdhC7iWSnIQ-2&ESj{(X+$Z2*EK6d+>Q7)h2rZ46l^DN2HN
zC@@^6aE;e36W#uUUtZJZ(b6GbegXnlbG<M#%jQ;48E)y7Epm4J(m}|OKZTTU^`k}i
ze&mC91_~*^DIJVPdWRAaL;SLJpE;X*6FYFJC>c@Z;Ll%}0CkkhuJ*$ht0RP)HlNua
z@2;4iqX(V-%AB`Pw*xH3X8`Nha)w9B{UfR5&L^Ju0(H-Ue`X7hw(o~4eAKAFkiuh=
zzvl#Rk6)n7xA$;dy8$Y3{@9iG3Kvg>CO)e}@wfI9fN$hlMB7kCl`wAHIIJf<+zCN9
zw9WnUD>3%(PK^DX`~ZKHb9rS5A34Hzh!m#7K`$?)+hLbP9jI!r8p9{r!xvHj9QsRD
zjyt}2%MacvKQEBt7g_(L^1M6y3n{#Ct?w2o+(hJW*CGC0kiy3ZY4bI(<;$S(u$O$*
ziTkBa+`nUio_{b*pdQ@eNpbiNVZx^x)W^8Pm&mj!1iKCH<%1RBQ%(1e)=xiqKOgxM
z)Gz(HaND2b`$#`1)(XwhB&s_14G{nGY=0v({?kdjanXO6Frn^D`H6Z+a9bkt%^S7z
zuH}6{YUjsNqhG=VLj|4QW6HP3UpnXI=U+<0SvRZKUFrQ`0>dzY63`xgXEd8I3Zt;l
z{;-C9ZtVJJlwALv!sNYm`bQQf9}7l)36p0R;itmnch(zyV2``W;)fL`cZv7p?c77e
zepb2x$iXkw<V!Uf0mfCwpWH9i1k6%kA%?fdee`v{w_q}lxR57s`6_Xq(dFygg}xtn
z`AIn&A$Q>wneh0xh(UyqpCTXLI5<DmQ@-Vq`-Xz>0gb#m<ldo?SJ&RJQiO7N6DJCn
z`G8$sJ$Qf3SNFI44aj$J^FQ1p6Oe!5?wtpaMWUmlTcK#3{CP(~W>NsJH@*Ars`@k6
zU6_J%;@4HE{8ZB2Sp08Sn;tPlug3Wo9qEa(ALjcvg#GaLe@BG<i5LGt*lQWw`Co)R
z0Iz=#@=J^xFtR_4uxm(w_!koPYmDEIPuU;s%fGPf3|^s}NRYOPvKn79AJ<`kUNQYe
z@BdtS4{uB1qow#67UJjnwhaHm9YA2<ctce1ckX~kWY>4Z+wTwZq{qD50e%y@H3VXT
zRuk5Jf?mn~MgRX2`hQu7pW!X_w`KTO(m(faL;oL*!fy2!2n>S^cHsYi!6BLc9l1Y)
z>2JM3=415eZ+?T!>!m(J(ocasFXQ|h?t$NF{Cj=r%bo9i_Tn+(!Q`G%E&ct4rs5y1
ze{WYF-XZk0^4JKP7fb}nzuoaa^vZv<-MwA;4-5Zk`0=Zk<b4?KhXCG}muCDD(R+)&
zdG)&7j?gt87kp`WfBfX9K^^ed?l%|C+Xh&xHyv)#KTl`8{TYtF+(7ZCCWM>c2k>T$
zO0Rqp^8Bg4=PnffFjo%}CI1X=&)=g7@67(yR`+DV`1~!C-=PWPW8A=Oy8p1xKefXB
zDkIseE$pwa`e)JXpV+s^pCBnJtReRNZ-fg_KnmZm2L37v`PA-(l8}E-m^!>29wi|l
z;rT==KSqqe1H3%xL$?Y|?~uTkK)9vDfW(5oZ{(AFgD#&S>t~4ehloZ0G2cZDu;KS?
z>-RMs2(-iBZF2fy^nM2a3~`6r-;ddY_-OdE?pE$656$-@4jSYLc~(3jLve!91clna
zvC&=@=Wi&4p9+8%CivSuAFnSFy(0&jz7xQcIAEEFjCdv${=Nv`5vANE*^@w6=pTI^
z-w&yzIdTrXqZO9sC0NhzkX9hm_NG4}M)DvR<_9L1Pk^SNzih?tlCvZ(%EA0$$mNmu
z{7NbxgHfrwSbF9w+)egDX-wD~$ea;}WgfQZUDAl|eoaXQ=#!692#LynoiBb;eBpB*
z`_b@tdo=|b&l91%2@?1eb-u}3ewZTOHX?JtEjQ@B&ERe0&F*mP`mjWx-(Ol^TVC$)
zzVXH2@b<2^JfycB(b3zM+Xx<`e!U4A#JfD^myX{}Zqr0&QHjq_OaiY#7k{+g__vVq
zKQg!J?t%Lm#kc+JxtUv_@(J+x|2mLC(63tNof(iH#m1xQnHN0Tz9U`$djjqICycQy
z;rOLC@T3Ut8~<K=)vKWjYmCZRl;EX+11Puaq9~)^mNEG$boo0&kKV}-PNEbA%GA88
z5pXw*eRmt<HoZ^z%(ob%&!UdP*QNNClz&^;zb-J4_yI=pX?Pq*+~LHX!tsYm?ionm
zss5S7*?Ze}MB+f-??~LbG;N5gQVT(z6bVGHxh+&*Autq3+qCy`*B|N!|A!7z8`Inh
z>O}n4M>%4U&QBGIUvBj+Df)pgeq;HAasaS^c>EiJeX?J?4Y<2gclNH%#jDBhVHy0r
zg)rXjH4MW!4jExS*b%Q?9sZQvChAwQ>EBDN6i_l+;|Du_gnB;_>u2VH@6R>(uva|s
z;}0bDDc5{MDF3MSekQn&Oo{x-M+H_QD6s<N-ajCDn&2r3apK=&B>0_#LDF}udnXLy
z6LSD@SNxy37)d`&1m6)K`{+A-k-Ab=b`biH=>LiFe2Um#VeSXq`yTUtISz02Mt)d3
zF$Dkr>?6YX+0AZc$KIDrdX2<>X6pY~|KaN`-Y}<shCq1m{|9(^F#jicz<d@0%|1^2
zj<)@sJv~W;+lE)lI==&zcRT+(k`IUgA#CzK&<`Tw53~*bPDdhxkq-&*z!ab4hx{m(
z<Oj}qq9HlVk)9`1RfgpE?fou*_{q@)iERni27dfA0ZKL|-wxi<*aPt;`K`+7Yl6l%
z5#|k>imsocxP~HlREY}0$n9<n>Va9_rKi5Hr*^xc@MuL4`91_Wa9bF=@N!5f6?%h>
zl<Y)fJz$GzTng~t(%K#;+ZeuOK77cEBslP|NK0*$!52ZWm)07a33WsH%nFVt>uf*C
z^34_#7U(<yKAfNu1oWdIqL1mV9lkK=SVv9p??ez5g7nl++A)IsbS#XwO9;!AX%;W1
zWRulyO$p(JXAZN>vgcuF>6bH8k-`ket;J+!9kL>yhYpap!i}?w?w7Wp3j2A*D~H|G
zjtp3|4ZRCkeod@!tR&7WJIMD;$PmnwJ|DU|k4^+c(ki_MAMgi8Nu`73RwA#`Q_i#V
z{=nHe+hi0~9GUKf^L#~m7>Q1b$ey_te$}%WZ$g-wNRuH;0&ys0MuxzuM7BrmO6bGK
z)mB)Zu+QGUPoy}FD`-3Fy1yyRsTd8=+l~bnzbq7vzK{l8=PUI>1SwS~=mFgo6Lp;0
z^6kzfZFcnej=z9@sq|N(Qm>`#tF!sAYIm%<2P1?CHNgnJzux91UPD8?95C@bA+A_8
zhcN;*D<=A)@F{$dQ?TH|42VNEqg3|7ge1(CPta^!!Q~Xk8<%!^20c-9<<izyYOnF=
z5lZa>ZEJEvYbHy?2{hGdu2m#21%u%WaO?_~Hk$>9C|t))RSaBWIr@Y*ugqzniv#rF
zt`2dk$Tb({n=8SP%duVvgh-7n#C@Vs>2^!sX0hi11;g0IRdY_m9jvgj?zvOM(0xQ=
z@W9o9-D-SIdT14$;3{bz!o4C#+R#Aj$YP*u3Z73l?B<%L8a8UhdE*yceb`76dAv+d
z^W)}vt}b(GCznJ~!wK+L;-fMp(hkQrhU;dBY%xc}Sn@+ZJ;Cq%Oy#!<&sO~vn{ON^
zmwTI;uHlzD=EZH<YJ0n{*X&e__Rts_IgzR1(t|;<5j3#ykE4jJ%k=&-EZ4+(bL=LI
z!e(Zn3BNO**^_&gu%oltZKaUQ4;+cemYQ!iRm`E4Ucp0)s}nZ}bA`lr89Oes!sW9C
zHV-kep0a0u=Nr)kttjIt5i>zw;_+0v=ycfjcEEOLwP;J2X63wt4}pd?5Ia^d@o{$q
zwy5}L_%K|0Obuz6q~3z#uF!JCqKF;yI$I+ufj`N*9u;O=xhb=U1wHH*x;o>`)hWVb
zBj436nuoIHIBjp*&B^1hOLdf^0i7F8J9LvxTlY>)ncOnS(O}N7PZWG)&-`S`b7lia
zy^QlL6$T#XcNp7>vS`D$5EHtmFW%JW9eXTRx^7l{7W8wT?+(Mo9cMN>F;td0X*Ok`
z(U-Oiv@1rr>4)Lz+BGMQm{sd7ZR(ZhAqtYN6v%I-WG@>_JdE6FT8Kx6HOiApo-vMH
z68pe#3@P!AIX&^zZ9DiLPdYx8jE#783ilF`o^%{5nRirTlg6enFjRdpsuc`izXH8Q
z;f`anx+pAeox=z>asRTnPpd1_iQD0n<gsf?mK5X)xm_!rm-&hqw%J^ZJAV}@C-*v8
zxRYjo*^Xz6<YL-bqRqWZ54q+N!I79vv?8xJ30*svc5<ObDej1b5caCGROTsTE?|2L
z2SguLFkW3ZS-S47B2OlwhXY6N$mM?9wzI|}MCQVtwQ}7r7F`4nsF!VgFm{(%3Y_bC
z)2}IPdpsBXAzB2sv)kqeTWyW&(CxR?o|~aXq6H5GlTun;Vx4OkswlQHW)9cNB6iu5
z#skSZ2g#1Nj(a|j5FySv!r$zLnIz;iX`i#&!6a%+#5+CW)uT3<0RxzEMG*K?QK(GG
zW>+I8ITV($q)}d*-BcH-bagD|&FP3G1a_U0r(pozI^7FSr48$ic%&u`kBD46ALcpk
zP`E3HLb<_ZE<_B?u~yP5mZ?b|()Ln4@}12rW`owA)vB4d#5zx_KnSK1FXgJ&xbm6p
zYa-b=R!nOrLB26umJ?jJ7k0o!6h?%t*l^>PTx_`sQBMoQ5KcQHuYu^ryh~2I_+03h
z#K`<5KHJT$!+d$77H5^E*MLciUQ^6Eo$JO)W=}rDI}r0VTWlxIadXa^Vnyz@Hfs-1
zGtv{wus*cp{xBW<eX}3SG+hkUI%l{Q9v*fPJB0zk-;|3fWjyNCo||uHFN@V9W__6u
z%4E)+^Yn0`b#}`|z&C=W(H~^*633IXzob`9GAygT$%O>ftc^LhRx@6g<Z?qb+F_K7
zEnE;=_yG+rD<yV7hA0$y4Dp>-*G|^4E^Ksh+4AIwt&59`YmVzx^D|wC4nFndHsssZ
zSgoy5%+~sJ!XHPTv9Cym#m4HqOhw|r==cy$x5bqLE-4<4QJdGWe(TwxqgEiDmGgKq
z%;gn7<bEo_sp66;qs{r~%ch#<e5CFql_=*PqYUiPC{&RUq9wCH><OdDO=C8LK!gHj
zF7|XU+A76}n`=Iy@#O*ud~Ls%;xL@B90RPi+vL{qkSI`S@e0pj(9_&vRJXP-Lw=m9
zGuqH|ZblcnWz3TiPFGX);A$4!?5eH$aNc2D7nx^kxtK^^$2jDHq)8D|5Au45FpWsD
zrf@JpAEr#S8);Hsm#giC@8@Gi_r4^9{RzjGlAj*yN}SNvkw1*)(Q>bff-fhC1)eTs
zv**HzajK^J$(f$F8@c4O3s;S&9e2#aT3&gaG#ix5QALc{%J9p;Zwr3Di!NHG<u$Q1
z4c~(?%PzB>jOp?a6U?#`ttcn@6EL-Xx^&wGK69W?QKp@MBshfx2Arh;suBswJ!Wf|
zKyh70L+6Gjnu9I6^W;j*j_10ZItzA9I*v@}i}ft!u`y<ov(<9vtHDY8S(314*S`eL
zK2E9JZGd_e)h*V=wIzsNP%&!RRqNBJT&fe1G~P;a<^jK6U#XU8596Vc4*8H#1aL0Z
zY$-X~)9ZGzB1U?qU-wzYxN#uS?s?Yu;-)Zmq#1VC@?;l85uMgo+i+$=()Cvvn{xAl
zr5A{pC*dYVPv!3M?U|vyyo=iC+yuM&G;Qc5yFZ+1p*M>%<3u%w`B9{9<)@5T&!^Mn
z`qa7C%~fq!r4~olOL;olohj69b%d(j;_1>1SV}n31t;)j>(UyD*yUl0>D#jt%$Zel
zD%S2i9b)||`I$g;UEEolhTS&>JRL>I);7u|(_Grzj5m@7h(x%Yc1%&9$+^?H38gRK
zb_ui6h{*u*OJZYjZ%Z3>JL>SmmNa)qAm}<BT4$aCdb_NRICsw>hRxboPbJK5Ge0v8
zmXdYBRA++Wi<&Fj;*3s+U5n?Hsmu>nkaS1i3LMLqle&^NJ7-4oGo$x$ubD8L<VYPS
z)+NCPZa8~dMaagoG9*jW6%mWIu4FdNX1lNrgKSJU%FNY8ngmQ>+KgNyz%(h8%d&L}
z37^FnCwnStJov<*j{@rw5-@MX9<(i1@C<!Hl0aM}YAu9KmSA=;DT;YAXN}o0I%xCW
z-O8PiU+Q)+G-sxpak@1_LEtIDU#`N$!)WzNQOOih;YO5JK^U7_tCqo<17!qLY<C_g
zS!11Sexsl@J6qF@8|(qJ>A48dKs?S14k0z%G0Q4QeP%WswyNczai{)z!s@{1ao|v#
zsf}p&g$rgP0-O+wBZhD4%0EuwMIONMR+p9MZh3!muzP7K%yytU1YVR{;ej0)j$3XM
zd2urRtxEM1#?qttnj@1PI1+UtHb~bvMk2<N=7v|c3fh;u#biFQHFKeFmTRTfgzdD-
zxyjZbNc|ckIWk#})JF8rh{0kfXGKq?a4R$I;(!C*m#|3N2h0xiZ*eZfRzJm3jkp}+
zamI&XjQA*9EYZ21Kam2;w}X;C_3VyqkbvfoximYVIhv?c9C9+KB;wYcZ4WM2nhu^X
z%*t7|rvN7>bC+xqF{0HqSE*`+5A-&wR+V$%>&!eHi$V`Ks+0lN7Bi3RR>SU^kYizm
z8?!E4-`vCfB9<fYSg>egs9bL;Y7Jp#qr0W~jdiUOUszmLPRI%?N2})YEN<e2nQZFy
zd?)ThEo&W7l-zWIMKdyTC|zHqp5YAjp1x}1wh_0@Zr<A)oiR>H%}q-nLs4G1;{{ko
zbns@WS$JON$r#7w)NIEuFB{O}u*oHMKoF`)tZw#eTqv!6f;IbNHxQbkodSP17%|Z)
zYkXaWd@}S+A6kAc4QDPE(hyO`l%M#HjO~I=Gi+#@%neE~6n!=GoXj=I6U$KSbjHGX
z_LNI+g#|5$s$8$GhCWj`gxr!e5vmZa6nC7R^$SHE&RNy-D*`kZlbyG%IGM4HKc5l+
zw3V2_R+~K|Uh8D%ImdY;b$EJpi_D&eYcr@f2R)BR%C;y?5f3wSIwEpYD1a+?R1`p0
z`%?;XQq+!DmYFQ!lKIwTFhupW#H!V1pSOE=L<&p9ENx>p$7+PIcg1mSSQk|)tm}E&
zT@`9tZk*-zL|qgsSka{oo#woS^Qj~TJ&#RfGz)aYh1n+8W;HR{V%iA1H6<6^ff;!H
zI1UIF?srV4E%vJFGjeNQC+eBW#ymBekxv`Jn@F3mZRmC`!^?zWl=0T?=Y(8speTPx
z?G@g$@r6dLtdp0GyPe8r#l{TDd72u)Ud1Ke(i%6?W3yDVenu3OH2CL2O~vD(QXDq3
zHLa+cvmfboPtJ9n+xX|8wuO@MmPI)0K~kABKge~XCW4t01-sUo><Mj6?3Njw?KRrl
z?0R^P4Q1F8sWINZBZ|BOjisph!f>k$LyAG0Sc@~-C8d`Veuxj7A`I|`%YEQc;z8>O
zrm4M__hslz7*}!`_Uy7JjwY=g1iL3Tr+y&>`{RWjPO7vmGPMD06in^wkn3m1$2qU!
zcvk66*`Zm=zN|?diMaWx%}LNDrkgb_!z+f?3@8J^+}Mm=hYiP>>8|`LCFsBi0!iGZ
ze&MZ5Rg`(Fp5w`yn|7y^9Vx>|`;<2Neve;f%V4i29P9uQXV>w?8VCxN(h%kGpmvf;
ztXSi)rbEr!b36jZ2W>Xn8>*|2nzmmP?z-G6oidy*u|gi=!?+mPX6$CT#Gk_az?0i}
zWPE9HnhV!*zua70eKDU|{O-#2YKYLZI&PWKT(xXf?RhwM+6%9k+?BJd&=QnY?XU*n
zk!a^hY+vfJij7T@^Vi*h26QCgFj|G|Y$YBysxb#!h$aTJU@;zMF?VY4<WyTR9%7lS
zQz=lXxQg^<Djc?2B1~tdvjZSC<<}YSkB3wpqC5>{7qkwAN7GQva+14*i($K(v60yD
zMYom)ObI0DabT3fn}!yi<!7(nIbzWS)0Uo1ql6uZWL0g3`JtQ{Xm1>kC${g^MXnAu
zCLOABTevH3&f6;dxU7I<wzj%kke#BO+vVQi;0;p4<P?Q+6dBuwmQ^XKue0@0BSwT(
zCG9j(@eK}RjFAy*tsH=zTqnj^lX@HTR*S^rz=UJ9>2=LvNXxu+Ytt6MrV`Eks4?Xu
z!8H{8CQAN}o;wr2x+D`J368dOoz6J~Qg>n0pUj0VdJ#HtDye3F3C}D;bILlu9@>c6
zrE_nSr6BOK2`?&0E;+(>WAKv-JImSj5L2M#h!H=~X^+J7vcSh0$Kq`Y+)3QBN(-mB
zmucRffy#WdX&hR2lI18x`jopUy**ZAlviSVJ)fAi-WEy;Pb12k1sANBCQ_yOW$(@=
z6IeNMp-1R0Qh&s=j$G1WT%Klfc-d4(eWhf=)EsGfqM3%6m^|rnFbHM3z7}gIoB<O#
znVPdp3PN+^XtGa8mX-)>+w&f+IwkJcGP&6tv3VtoetGt_c^odlR2NA5!LqfSog6F6
zD@*sV0D&oj{Y&fxvazS+1_@_?+^E3n32bEnKG9chFE2At#EUE!5ObMz$xhZ>XJ3hP
zu+LpxkBa23pF}mDF7ORZt7=I8l^%V!#-*cO#iwR^h!+QOtfvm`F#fn*@Vf(|k>1rK
zE>&P3o>rX=5<-N(0?CYNm`L7Mpv!tyj1u3?C$TrjvQtlD>cUZG(RqQ!>ZlQA)Kl$3
zDR{v&-dR&yMh~3H($5yFQ#0BZ9aI)&zFNZAMOqVkdo2g0WeQx$jO-ZiJaRjm7x(~1
zp2R!J^K{Kwjn<9PT5~KZ)eKcl3k#8lWC}^a_@UfxR{a>~32ssZupBX!^%J>J^t=_C
zYgnJIRdo}%N6TBcjoEMamn5xY(_GYh--rDq9*5o&!gExaF@|;sE9JZ}tfd7BCjVj)
zq`ka4T`=;(bmj)&YQW2+A~exrXNc<bGOpO*v?IG5Oi=tn?x=Je{rL%*J0sGbrdh@x
z`sh?Ij((Dor*n243cYfgmgXB>v!{h-nG?!R;*)(j?|5Qywo?Zi$qVl61;UlK20Vp$
zV#euY7g~I}!jXKNgQcdyDrfEwFr`wPXI73_vC<S=i8jb#ce#LacxYsTTCEa&w@uZK
z>-?r?iwUzI;&xX#QW7}FRW{j>%9=>`8nZO^oF@`(PRFYh>{KxSta#RqgkLS$%XFLs
zB<8p|QBAK)V#gxth^Ll$-kSY1Uj;m2*4T)18^*~2+bFi$CA<e44nbS!>+BuDb^_Th
zgUs|av(So^s%+U5rtro(=wt1Kna0b*z+$J<o|OZ(HMU2Y3c$|4n4d)^r;eM`JT+UG
z*m~h|c3UdffWOw(WOB{+-d>xF%T8^Usk3P8^~G!K=mJj?UnJ4L9wxm>ca~o)uLn#|
zHwV#bn#pvwb|}{BPZ-+`l5&-9^$?X+4+9cCdhKx0G>g*7Qdcl&VopcG-<d_IG;mY|
z!*m?SC8mM-QNuR4KyIp8sTdPk=@ShJ`KE5SQDjMSxG&gab=o#olAGb;P=s+eY?pdJ
zclPT}SLej)V7X$7vH1RCM+oJ!!wNpNMKxaOHrx_3vD*Z&zGCDL(<$Da{L$qHk&4Pv
zyt=}&rLO|1PIo79hE3^RHpv^`KBhH;jPCR`#V1H?`boH5TWmkfuy$7-;+n^XRYQuq
zL)k4mn&_vyBaS#TwcKy0F!i^GZ0OG3+;O(-BE#0Zv$61)P0$zObu;JZBIf|OT1<08
zFXd~id;Ba5&dP=`(t>B>Ll8{3)y3OcmZogc6E(>$6MEVSn(dm!J3*W5m*tEYO1x|=
zWIxMSVZWQwe7)`bkrAtH=IOHMul>q!&2kzAfjXw#xudn-TVy>bQpFLm(1~iYZg;Q~
zUtjNe*KD%B(SWZi%{6i=eVAF>QiwVyDh9<8TYDb#<LEIIaDIh%YZKlr3AUXMJ`@>k
zE%;j#2gN#-mx(vcO(Z|XI*8OO4+^5R2Kxsz_<T4!v%zA};`4c~&B_SQ+xo<ETXk%G
zo{hs`H*0=2-6$h%f>ESQ+Fou{-GG-+!e+(oiz@cxb>p$)akA)~a4gaj7YrmV<yT$E
z3$@|(u?V_=+#Gsy%LK>0F`cq)7zdiK?BIUzf-HIEUsGmHu58ed;%!nK+OXl;L!(=2
zG69v_-AwnfdlfE)Rhi=w+;M0NE8gf!WWiMB0X8_(0}AU>kzvWBT4CdY>6}h#7;ml-
z_`cr{VI5D(_*|Qsx0sbzItRnq{z4POVQ6Lo1rl`2sp8RO&llZQC@IBqW!qiC{qfvo
z`svz_%O<C)nml>b;W*7b9QW;3-mHB?@s8B`uvGF`WHf7Ttwi=9@G-#T@#s_p-7>ga
zcs`hugd|#Ag<7jNe&flGLJ}hotjIH0GhA^st<zFEaVEtfIZSN)a3O;;4W;*pjFGd8
zwoBrLv?*cRRDM+ylY_%*;5z|(g3<>lj9H|ZLzEKL?y_Bm^stWwX^riNo@E*zi~#$v
zo0XSnu>ddA<``nK&+a;wke9p=??iO|<NyYW-TF**l+ZXu85z^#VHO~IDk8!s7ZiCW
zjnzoDTVpWft%qS&)=tEnp`x{ZJ<)s>Yuv`XfT^_EpNuVTSay^pG&9{5JHAhV*p=}z
znQF4MJ=BP5OQO$%)rn`jRdWoTEpwq$uy}J<!Q0UGW{9jd9yNr^Phj)h=;3&bhY9Z)
zP@`(gPW+TzZ;(P5Uezcl#&Qci9o{F8Xg`A9%*{7*`OtME6ITYdWA+5%CE|*i6Sz>>
z8@wxk#o?iSSquz@1%8p8vTJ?jy!{w;Tkyr?&cd>H#`)a(g^FW(RG!AL-;*KFl)byc
z>eGU-yhT@TV=bmOhlUZLhLa-1b9e8;;)p%Lx6G+!g>_5~*#y|JsNf87polqXmUDfc
z7T!+n`9neamwJl?;iX|tQ>x9D_9kV9)5)|Q9$ugb&XXkqIT~2aZ6(S{a+0-6$0pij
zoYF2uR?8anM~Gg><FinmE_&V>XEG5_7;c2D0rs@q-f)-A6-*?TY_FHBq8sZiU+!06
zJ(Z;B>Rn~q-E*M1WW^eDisek!ukE&xg=^EBr&hJ)aDpp?zgVdAA>dMaMZnH(Idwj!
z5v?C!Tg&Rq(ZNx>Y0Jh?34P{n2XJy#V@+KJ2TPCZei&xiUQG8_8Hh`y%V5;$eh#6<
zVaINl7%MS`e>%}tZqc!UCmERIgHTyj<K>#Gd`8XPQ=$4UJ0}1sO~`0jRJtZ#1R71x
zTv^j~S{x7y6|sx!B~rbnW6kc>^K!)0<$0L-7VEU;UOF8NyJE=F-tZV*ZYi(qvtWLX
z6$YCHv>PDKxtz$jzTkLMqQHK?!<^XJ4F_MZlq8kiYlj`ei$on<shiJ5cX`^BF1{vV
z8K+T`*kmzGae^nO`;}s2&Lr&JIr`B_T&K2L32Q8XduPpOOwH1&G#^}<^J3vNneCEn
zb}%{1<#u91O=f&Ow_!X+MYG#zb~GmrYj%#YQ$iK7MBK-5V7+8H3Lr)1C2~S(@?uMm
zLjqpbp~<tJm_?u$$4fG3{T&kYmVNB!ojubLLc6LuwJ>G+R1T_8ZJ55GB|C4@#e5U(
z4coecpQEO;+5qDn7|Yx34DB}^8C}w<q1E1Ft_NJ&&BQEa7M{6cS~pmUexf%lH71@*
z`Zk_$^HWU5-R8U}{o*XIjpj&Q63g0atYiCl(d~HSOd0rI>f@PxmWoNv5(D8MeB~Nq
z+TnC?sB-5CwE<=(vBFMzmzndG5hqC1+#becnKCu}RGJnc&rg^yyE!(UHpNm>%caK`
z+qt72j8g}zt5D~`R8$@bBXDcRNQ0=r%aL%VrPEu`H#}iQSnNrvkd{l4Be4bdI<LCM
zb#r9ekv^p2a!W;{VV|8<)-h?yN&s^QcHE~%wHUg^45CQblvtHv33>x*O9$6UJVDbA
z`niL-u0&;W#4lhh5QCISmS%+6CklW|s8b3UiZ9+ay*g5v9u=^77+Bte&l|o>TI5>9
z`oJ6_Z@b!cb07o2f~Vbi1EWw7XesqIIPNHWJhzv1&Jm?fV5`M(BMygHKh5Im9CXq8
z6zg-tSZUyj?+0eCsBthYy3#g532U6Rta_jrU-dg<kjo?|S*Ok*z$Vf9`OJ*CN}G{$
z6;0tZ-5*ZwPA0d*HlHBbBpTCn>JZ%#0)6~2SZSemU1wb39KkzOFq8H)SM^2``49{*
z9oCjTMa^pKbY*mVTQ_)UuuJg$A#H7#7h8_=otw_ox`@q2Y40Svj;tdbjwY;C@$wZ+
z3d7XdGaJfsgsEyNi6&f}Bd$+yJ+&t3-eiL-x1KE)TEqKkVuEg`Q0XO`t;cH&I7-wh
zza>p_5@!QB6|e2-GIow^CAa~L1Y1|4j_SVD)E%X|L~YN~GdRa5L=qsfYsnpUm1283
z_Z;iwZv>B8y5{9<a9~PFw{VLoY`3G?+6K(LHRCg4e;uydQrhw(c9xdO-d(Fs>rHTX
zt_7#L$0jESCP0Kv<f0V~M+)<%I!;BZPb!YyEQn#La-NZ3oMBI{^EoAwrmB|MP#D=X
zQ`E_<-f@{l^oK2w8oQ?Hdd`FOP86m!JyYm&kuHy+wkP&8Bu!g|@G@$b>&*`Et`#)A
zS1xEBaCM#RH)vJ)l}WH3(+nPKO_`*<dgFKyuRsEd&-k0m6|<3o?q5|4St^2qTJK7I
zMS@YF@233}`I#U-4R)Jyt~N_`>MO|L)RKB3V7<`ImvrDCqD<Y{9XCI&CfO>RO$87J
znW%9(zg|!-#5%MdzYJ?!j3S;ruB$n(EX#R2fM;}{LAu744T>$+nVMk}{$$-nnilKq
zBBlM!IZ3w#xpjnqsIM9}nb#XlqxrRjcHy*ijQQGA*y##1zeHq>6&Or~YERm_J*omQ
zPNhnn`6jdy&xY`|lP;7d>&K<z=t?l7Qx4gj<m5EHtdDbH#`bocf+B3s9U>8VjjSh?
zB(4TzaAKsnWaDi>9{NCH&W^kua}w0;w&l58+QTX-o-dw!LlCoQ1BRNb0P~Iqtq~7k
zx+HXQ$92S!0x#V@Tjcrz=c|g>Gz$3uVH8d|a`k4tk>!L&;*5j;_j?o}B=X(PUpT;b
z58b|D9F9{+C))I!PhMt)Q-XhDFt>XmJ|d%&irC4}Z{2)iS(!Sv3(e$?jY5uO?pl$3
zsFMV7PrjSRic9a5ZV_<W+-Sgu(XHe2s&CK|UuO$1HV>N-(D5nZ`Eov=)ZN4iXZXl_
zksC$%zPVl|X<%2`(y6v&ngf_q;^~U7)V`q)muWCi6fTWpf;ovXv<-8SXzPl$=4md`
zZLucoDR2#cx~X7>;%ZSfQk{{=jj9yWrgyNoY49|g<!Xdw#kP=CnaQrLR)B^D&#KhJ
z%Hb*nw?vkXBxZH))l{f=i(nPe8o||toPwo}qIc=VBFHSibhc*~K%_y%Ozce9U*dXk
z**U#(LL}ZV*BoGTYCEcHp|YaII0yB52=k-QIa6FK5QbI!Tts4=<pzCz3Q0CvUY&92
zG3RTLS7-`0UZ(Qy70cZGNQN?F`q#KMi4v@s$})#|CFQ{0G=_C5$jMBn3M-Bb$}@`2
z4l$h>CCr1U9pMnpJ*8-Oj$jdo8nNxVN{0;X{BpCh40YP-0$fzo60N%&i-W<a7naNC
zCW*$m0a;O2xnnUq$&U2G*c68}O*e4DH9tbwoWdS=i)lSQC3J+5UbgU;_Wb7m6M=V#
z+wEXmGw;MV6nDPh)FNyag2L;oax}mo;Ix^<_2hChF6E_m9?8O~cGq=+*nQF#&1$0o
zMqlODdMgCBeG25=rq`C&&~`X*ZQ&+%q8!a%R$kR<<<KCW<e_I<oQsukfygZf?Q!_4
zX=V(-7kTOTHC4;?A;fI(u3g)6!W}oZjs<&}ooO?Pv+=&+U>UPO=8Q7|cC}flEgZgA
z>R@L$e31c?S!3YkfScKp2`&)C;YwFoWNZsCMS)0_;~W6z!JX!PEhtNCbzbiS)>&#i
zvsv<M76!!Z*g)87ql?YbRhP{-^0;9|WhczT804EMat(xaF;QB`Dg$oXl~0|t*ke}s
zj9LfYDnhoNk(wMmJL6Z1)Ko}mAcS&SU$9;sjyuj)c&_$A8zhKOm0``43sYTU5`-b_
zPH`GbhqJsta?u>ZysoFIKd#Oty;pKivzuT5+ZI(Ds3%cOs;y^5-TI)Kod`CMcBwNJ
zCtJZ0_oe_0MPors<EExbNu3-g^W<2B)vyWKq22G!h==CN<}}Uda)woSSyRgZ+?6J~
zJFGNYLR%p_0iIWG295J^j?Z^~7MiO(=+-7q(6m>0f$3E3nm856K`BkA6jrmwR`yL*
zYB;N&%=;<uRu3tCJp|@b(g6%4;wlD2cYp|zoIhPp26c;5JkonIHcNylugReoR$F5S
zQOR&-o9Pf2>1@S{>1)vZY49%=4nOuBAMmH`>9}iPKd=OqmcW$H$haamLsAM8y*B5X
z*714(F@k4qqQFmhuuzwTW10wY9~}fYqS=C8^_F{FZy>a1GhNoq=CYFm%ikn}y?0s+
z%w-F`r>_v#2w`W9wPo1dtUl3<a@A*(MBaH8?MS#laToj;#}>9&4Rv^#LPh`cRFfD&
zhBR(?6q$6;ZR;h^GE4vg6@D-6iJgGyo351Sy}a<~TdY>-1ImrGj^ZZqbyX0F-s9I8
z%(lBTgg0>9DISIG$z4#}W9q>b*CIvA@?;5tev=@lQnFjtrco~ZB%T*aX98m09og>6
zD3ZRtwAHnk2#1PfnG$Tg<BHKrm$L|SweAs%iA9)1Wn`EYBc%O2Q`v&(VcSd6SW=uV
zyJrdukHyqkDcV`MPQXxq+-Z}s$R{a|O$~7rB}_O7)NItwCsL+0dnv5FV9+|*r4z7{
ziaY$U5?i8~8-7z9)N`8bnxHo;QH-|xWjC9ItAo9c1q3{!#l+<Dle?zv5Z^a7nf0DY
z7aPzwAf^HQ7s_EaMI2?Y49aI!Tfi?zOm}RuDM<Ik8=j_xTOpjzcl(JthZqF7D7B-q
zN&q#}kOjgYP2M48b$g)Yay!ayjqn}-%oVVb$@ZWl&$gH;5M6j|ErN4bB&KY4;u;{L
z%>odKg?%+m5Bn`3P(@}O=3F)6;9o`Sq5wgUvJmgdJ_Z@C)cvwT9B_nyN1|d6Bb)C#
zejm){x!_;SKGnn)2?bm!BeV<%G{`we17+7uNH}LwWij#$t?(ng=-rbECVOF)VfJPn
zDC&Mo8?1I}=JT1TiLz=Oj$}OFYo<I(E<^iye7;m@UlCw#Q83S0osYqiBNlZx()t-R
zT?srA?A67F!%oa9!%q2BVGj$XJi3&=lvokG*B%*7PIbTCGC1E~3gm}UPC|xnz;jy`
zmuga9=i8o}(7<@$r-j7q3}a`_(n(%lompUcgSA<1jjn}xT{5wf+w@T_@r<ykbKmN`
znTmqUSZk(tnv#R3T{wDVjtezcO?q!b2<XhJ6pk||Q(`FS^`RTj90R+9Bp}0~WF#p}
z(oK9mVF|zH%Ehi(3Drd<`5fY%<2G3Jx@?~muhD}n&}2_o)~D4vH&sos_6Km4S5@LR
z1jPBZ3yAWO)=s$+XVF4P8ELQkP2e7B{t~otY<eY9<;!AUMeB34Ne<wsEKXdp9m}~T
zEnxqiufDh^{PSjd48(Y1Q_%lV@Pw)*>|(MblB33SQ!`zIH0p$yVp{|_oS_+12oOc{
z2PXszvZumr6>Y%Qc@n7F1<RUqT`uuvu1-S(?De9jEW)s}sWSEr4+{gm+6YR&nd!<t
zmow`OFhH>=Wnw@a7U>I0LkxC;6$fRHxX8R-B^_5E^^U^(H7rv$&L^uTvedL~Yp$O$
zFGEr6rKwBn)<fKLxgnN@trTI8q;JFHyu>yO&5xDkx`L2?uB)9AnGi8Fz=Z5~g#kyy
zx?@K*CU9kE;iMfK=bc&43ss5_2{RtW?AXnU_;krmjaR!<g^74~3O+(O)gzfrhz-Kp
zcAEV;#+ePAoDGE_1(P{Mahfw{^o!}H(-hphBKHMIZca23G8A&^kb=*qC+(Ht4*=rG
zA<f1OVUy5{v<l_W$#Ppkm>%3nTzkcCoJceI;&%-v71HIB&{~w|@)j!<=e)CxL)f(n
zQ{Z8L$fyN`l)!nGb)>i4RujiyrC@W!Qj5*84ABHF^%Q3hyQFk`!)?c99~^7PTg8!r
zZ|$Zg@}N+(3yWZ|=I!=Ui(i$L7#qY0LG#KC-D8h&VVAHum3Uq$>alT6SzF20N%rdP
z(md_zrJT;2>Cj>N-t*zab7%H-Q;jk=pG|siU!|#65L?S&l+=cR30*=8)3#f8C9BOU
z&l$w)EZIVAR-6N56Be=`H!hA{uyCWSO(*5nYj8b*KY!sxs(X}$+TPWwGM!4!2Fm~q
zK$tLMg>6@KVHNQJ@rG;7j+SV5(M|!G&|l=SvdLtc<wg`0VBUg9hOC;EsdxofCDbk)
zSG1yMx7+|jotx}3jk!s`G~t!%syDa2&FK{JW;Dr}4j~L-zCNiQCY>{i*2`_eO3|ey
zS2bP1yo+tQRM)}Ws$h=s6c6EqU2ZS0oxkJGv8%y)i#fe(yIL4#jO#aRZCan?qNGhB
zngvMfUNp;HQ_R|uX3S|bDZ!xC`#j(Q*W&?fOzBI;ANvB4xvZ>bvp~}lfDOhb%&_x?
z<|dG|U>GH9wlg(dl?h?k$D~GA4zJ!4w{!$T&vTh;;oo%0#c9p<>$!F_iD3P?@n!a!
z&Z3pfA2eRlnW6}807(toa<#8~?ppL)kFyVGIxd_-vFG5#p}pt!UeRw%aU^=R_Cb^0
zTl@)DB%hq9e3ttQ73b1U*C?+FJiJt|i7rOf5o~YMiO$OGH0@-z<HCJlHae#3%Cgq4
z*ic`VJHlphD(l9Ibeae(Vxm%Ag$hC)yUBX(NP=HO=Gass=bHx1KRGCFO+XGIzEm{;
z;r$k$PDzSjMM%e4IS3vGM#n|&Hlnb|8N4CZE{UnEW`tj@-7`0YONitW{X7&eaxIj-
zoNhowD(wdC;El!9b5J!a7NUp^Jjbua>}+n#HC>I|J|A^;=gUTEAazIx0i3{8D?Q?h
zg|ibO)C#Azs-JEB`DX7!7@mh9V{=;j=jEh2;Ut|CqZw6A8L#M#b*ks?Wd&QS80K@G
z2J1OR4Gpe{GT1G(Qam+9ZZBrc)Y^^Cg`20upq!<JwZ){(p`GQSWEq6I1(}TQ0_!BM
zLZmMlq={c4(`6hY$1%tigt)Zh4$0AMr}F%D(TG(uLDq$c3QX4H<)9vq{;2`HiaOa4
zMbX9pvmlt*J#6I5dgmT2@QuWm7TzZnx_e0BD%YFRn3<Qoq#I4O9My%@(>6(RW993t
z$^y`6V>h9}Op?wf<!)MKc76<)Et%=kR+IZ9SZc)!Qj9_f#oS|ZI-9fG1|{2w(+!uo
zX1|Z-RYIVx1%JaxBkmpVmNY1n;)c11Gf2B|!o>ya$Q{#x(xRvfd?7X0<dUs~1=1?0
z>yD^Amorn3h#|IomjGyu)_6og-pNV6V7MGk_sxd14`ELw*WPZ;B-v|R*SHh9Sp>W=
zXLs|4W>(%ASRFl{T?}k`_GK0BQvgbcKQ?@;tkiIU`#U2iufbJKgHkz_OB;;#larPX
zR~X8EI@-me4Is9tfJp8FEUN8NS^6R|Aa=6x2u`fEv?7a<I!M8cIayqX?}+2vSfrQ5
zvO5^Q!R)zodVx@YKtwR~WHO$!wMiQr9CnXmq%B15ncZ#2-2#b{GY|1rXi=wK?U_@L
zn(jgfS>viS+YXaxSntI+Gi*be9?Aq56F(PL-fF#1_q|2y*}|+Hxp8du<hRkRz>Ntm
z;dAhtOw>FG!SBn@^jZp+O$6Zy(@PKpOS5+au1##dYa1yHGoow=xEB-B63kM=B-~;}
z>iNnZ4+BEQ(}7sIdNUZ})=|gB3}SiNuviugFn4a&d^WRpO0hmK2Vi6i;El=*EX3FX
zpoGXI;YDM_Q<PpUR{?F#GC=9!)j>x*3szz1*B(?XU+eX-jgHQU?&n<~os%9;4SPtJ
zEHE1|5CjNOTw3Me#DOx=7{V(K5n`MFKTFrOttt{ke@QYt5+&y(Zv+8Bf@JvmDbAg>
zoVgxFVs~|gy?3==j7*PE&uR#85H?R{U?@f2w>RmSB?t!!#dl6b#ju^~OA;#3>ib9!
zfZOpgF-rot1^_?oxU?bnhndkd+M`G5e9&DF5%pHM;06GmP2ULw9y5g5>$~3qM-VDI
z%L&TdmZ_I@8GS#lV|4rumuNrvUQ{u>X`-lPONuk5jk4?~FPYipwAiQWmbuAN6?cvh
zr3&x9I4C#nzaRRyMt<~aSKIh&Fej1^c=0P~RVU0JS&8pD?%5ZRW?scP2GugSzk9Al
zl&NOice&REI~CtKg{V<7_UQS=0U;DBZblC8khOiyVNLzh=%ptDC-Gq3IUJok{bf6U
zG)#gUlrCwTQ%>dN!Z+P?yM0_V0c<&&-&MJ)uLW{l6!EL>yA#G0x^bg_=PWEYOHm-$
zRv3_ETR`i%9BrzlfF*9p>zYr~e#z#GjmVH*`KCo-535*P--;Nmb|wrd*lO(<@{J=B
zp@DE1#*lRSlo-NH;(jB*J8WT~EdU<s+5KIlk#W4YfNgYf7&=l!m_XG|zWFNOcOof%
zNAG%9F&leJBMMOA@U1rSMUsWwH?ngT@%+(e2Lnt{83N|mnm&4&f1+iYH)8Sd8ZA(T
z<V)rN)Cjchli1Iu^6S;<60pbAU!On2JyXl%UKd%wLN+Gfu1preVli*buKBfZ1%3}j
z@03I8$9-0cBn0Yy{xAa|)Jq@A+`OvyY{|Z>wrZK?Zr5=MA2NJ|A+?&efP1<O3(m4V
z_CSoCL6{}4U6b)V_kbIMj)-y@f#rEq^EQr)5muLjUZj<7|AtmEA}lKJzV7!vEO|*?
z=uGHgw&l`i{hX^rM6;xCQL(SzTM^fs0P7`(R4Z*q5MVmuYgWaO?tyw5)kJtboO5dx
z<Tm+Nw80fwz=<?`9AdSNQfYzgc=l8}MjFQb=dYh}E0IvX$5!t*+;TIYIFp8jS6Y_Z
zZ0hpYC7M^bz)+v>Qc)++O$SS({V?VjQ^TYqXX~8{)9nBd^ydo+Cm3WN_2#oXOzt49
z7Iv~#XodC=9tx>dKVluGEPM_?S%*lAQ+j4G8`7;zk7%>DsQ}%9(Sz}&MGe5-#j{&6
z<|wQZ1)8AU^J>9D*u0GuPw-PE*W-P*-51tEX$7$3mgGcjNT*fy9dMK9(3=4z3&**H
zB?;_8PksyE)6VnCpm<!%fr^D@8g=1p{5JMpQQ=Y~%C+3@RN{?m9fu00p6F&>kEK+>
zz}Kq|aAwjHM#;0@?uD|y?_mDYFr|6-7SzHlX6mEqJX>oiA<YX(pzj`w7H)q7nF&Yc
zWrrlSy6G--W;-WUA;W^hMZ~H3%R=2FHm-UKC0dPn-gT+FM8v71wIt&7up}f|CUYS3
z9jH?%MKb+wbTtPk*T4Bh_4~%d%Z6g$DibQ=BtgesKbu|OZUSGB_>R&8KFT%0esKyN
z8XSValhGv~pea&ZBj8~%PxN`g90Z6~W(=48n-C~#Qw}V27=t{bzMwJ40R-!yxs!aZ
zH2zo}hZLGYl`CITxPlfRw73e=F4E@M#(&J}2n_E0c5}ESj=!BMjA>Mzaq~Ba&M!w@
z14+eIJ|YI-6Z{gnC<5-iMy2ckSM~qvI^eesVaJ``KfB+zu%Uu(zdR3u5BP=?zK%S7
zJW)`-jM|{P8*firm^$!(I9FL1GIh3}@#I!q9<ZQjm{iWj2L<0QQB3lh_Prk_h-EMf
z?;@LwjsBCWy1ir>zEx@xuc20&<EHaWF+LM^Ad0u|U!H2!dh+?5yp_f~uE5gTcJzBi
zsvdswEAF6{P5e!*P%Htg>9OY+^}LS-KsRUE&`?yiGvXe#H31`sXj&}jZWs9>^P4it
zfU=tS=HPeg>BRw~0rOt=)-^b_cXQAh3~?#CN-jK$kRpW(N@NoG)9=Z#8W=ow3CCCc
zxbE~5=fMA@E0Ka4_?3&2ruYeLUA-+BKnx~dX$uYFCC3nq)D9f#oA3j0NJ55~aOO5Z
zSsdHncag%?NpY*wI?WF{ytfP|6#cJcsaI*Pzr3N$Yjl{Gv?ibK7*?d%Za$>+4B@&t
z27i2#6n|=Q$f3_pxuEA=N|5jLiEZ*68`C5Sw}*J9z#U{hSMmGWb)-z(=SBZ~vi~@X
zp;+OBd6Gik?(LUgy0v4&>T8C#Tc2?6s!~dr4AM)2<Z#jHdqw$6M16&pno55!iUroG
zG@C{%06cl`^}$lCC{zM3(gfsPT<sfcL;mWVW6fiB9Cjrbir}8W%idqOTYgj`7yo=K
zds5QKyW{WABoHt^RTdC_K2Qg_I47QZ-3KQ6c4}=E462aE<m(lq2Dlh56HPhS1g>~W
z=}!_mV!FN$o9$2MT+MwvcN}OY<snYW_ms4_A~e9JIQs^?OgP%(8s6`GeXndxp;@fW
zPq9!Oxk1l;%^-Eb!5VtI120Z}$CX@;X}X(>qQ+=c;1m8v8KQxCL7znwtNh`)$!tXd
zuaq@p_n~4Ahk&e)9+OF~zAS3I#C~77VNgr<;Q)-f0SBDZJE>I@diZF7$ZA8oaxeaV
z#%4vv0gmB8rCP@WdsO3zVhh?c{2iIxqjPQmJL^B6)mMvbh>XkcH;Kv2MXOlKWMmR?
z&)JjtT*;b!+zwIpsTT1d;HN@B8QHAA?(no9cuRq=CH2CQS-EKkTrWmjt3BJ#+cT30
zQK4p(8L3S_igym)(oGEJN++99J_NV%WqVw2h;aq1;LPYLt1`hTOB1Td-*m{u?|sOx
zZw_oLXAA(LJ*i(4Wj&LUx1`i$#&4eMSX1)3N>B%jJ#^;|t6ujCp{mK%y~E*W_Tl=F
z&(5Z7Orjh5s}(L6)RU7G<!|LgI+b>=0fL`SS}%WKbGpEg_j|hJMgEPeJBsMjdtFCD
z+p#;9%rG4fF5>^{+vzAVoJ}LY{Oslf3+;%)Bpx^xI_5QNNxt8FYD($bLTO}|?!}jB
zb;^-ynJ0Cu7@=gk*qs9dM?0pW$2N5QvSs9p_{#$h*VriC_1Ra$;^GpwR}&k`lY9``
zV}@NFFJ?c38MF;_BVQ)8S={CKtklBVwStoUw$DT6%@9uyg_|<ZP;=HND9zaSLz`pg
zC_s1z-pcIx$qTF=JYQ|vT`t|_rE?aZyh}Sm_Wo7k{W=T4!iKtRqd}Fjy;_O^TvWtc
zFh9Ax7|7sc=bqdB7|I^Fy!UDJK3&^ce?DBb^z;qoS=20xU2_buA0UOaFkWCZa_p>p
zOMs-^RuW#2v77juEnd<CpahcIpRSr%t*wXAtSE8%mB7RfGMu!xObH{&#RuG95|VUX
z^(?_rSK;hoKLaHK;QX1ZriNC6+>by_@=IC}{eJYm!h&;o3z`af!~+2gq2D2TTkPID
za@$wIdv*6MtyD<azswZWV1D0$MIZOY&c&TA<su!`F#;f-UC<rxd$!}`6(Km}9dSrQ
zaaX3AXToo0E@Zk=ZoY}C=&zdNN)O9SQ_DeYl}ck4qIp7LQ#}ykB5TXTz~9RVrd2-|
zHUv<7v7QPDy^tx26aX@XbF9$%Aja>DChpUL*B$c&F9!w7BduP2pB-ZscQupheJmS@
zJ@c6@-%f6MrSZ&z*B;}*YT*`R3&;3~?}R>_{gQ%iQmblyVnz9Igw!J9jnq{9*#Wur
zb8xwxJ*tj+Wl0y0Yp5-mmJc*kMshPNHz30Z4{u@wx~|<6v|sn7{)11MESUkW`4r4M
zw6ETGup%3^78wgZ4b%d&oIA-U-uz4eO2Qwe4Cs>+mOYRS@riqoI5cVBGK^9YpO^<9
z40D9k_>2)qKmF0$0e1VM$;aCwQ?ZgEkDmmC;zSc&;@V@&kKz0bi4K^KAXENsT2jJp
zrX1>5%V;ZC<vtUTuF7X$#n%nwXE>C61H<)^h^6e6&&(^#9^6DpdL&vF6p}*%+_hyt
z2V|zC_HDD66t#e2Td!$o=>pmMt=$u(=RT_+gK4>@#eT<*$I-UBm`_)mA)tuX48Wi4
zO0fFOu0u#1_?RyRP^&<7VrK~kWS+uEd!K;iiDzp$4-f%zsHdeLwevG7T4xUuDGP5*
z^`qVOmSQuEZ*8CY(kwxvvR4l}*DA*<f{$>!T<jv=ka`Y+FAfzkrPz!E5ZFK_d-_z1
z<ekHuNm6wFc~(QZLxq0tvzbDBnbK|a+27<d2}n9?{)A_d@|$(+VwDf;RMdL+>r}S}
zL>9To>TT^zSh|98lhU4b`VYx$x_8CghYIAkR|~=Q9boWEGZ2PmNPu*wk`s%&f(*jj
z=-yYr-%Fv!GnDR;e#L}SSs6Hj#$+qi4qT07O7*lC3L|Rwk|-bzI)Kk`y?wpZ<?LKg
z*7xouFOW)0e9xeL6C@z@l0HWFNj_!xO(Okpt>&0(wV}#S69|6~PYID(3KBy;#`Zcd
zZwVv{fI{v>#Q|*GJ9oL|qSS@g3~?ZolI6gvMz{E8Kqy<mwTzev5wn2@NcXb2wtJ7^
zxnX7S9zcESd;wr@;LQR1Ng7ai?|Ezl5ff34$@TYHAv?|*-D_su9jjR5%gW5{K&o4X
zD=`T<+k%+`OHZB(>dj@IuS44y_x$jYssh(1B87_5V*{D&cBH6jZ~7;_^wEqnMsj;+
z$7gBQ-!uO9<#`W>NrwDP3*_o)+7bLd-6u0EVYbmOtRtaUJS2FOf?Q;qut~T`X`n0B
z=0Mpx7Bnpg#7f)Sg1aL^V*urku60P&{yB+~F?{fj_^wRHBk)KbxU~h_L!X7mbYJNg
zBDj}f#plw62G%^p#I*kMWx@k6WRRd<Otx+wb$q>*TvA^25t(ep3ibFIe6wedqOtrM
zXdecERU?OIvWtu8#ARRS<63oDNRs5EVu9$U3DS;npS)q#9olH0&u~HwN!d#DO<c+;
zim5VWZ`zIWYFy#mE|A6IJw^DwF2A(j)2EEIl10c={WV?h`4|1Ene#SB`eM~vvI#)-
zG2rf6Pa#&OnU3O`skLmaj&GH#dke)?4y$0H0YRCsdk-UUh$Oyb*Vy=jXrv7>WQG}6
zP`K{AJk+w{D#dh}$MM>z%x?Dr{F<lp+_4`QrM9Ma`=cZTeVR24c87Ske=25F!<{L4
z(1Q}fr+LJPfCeZmjvNI}ffI)6b(#`qeGjTu*Ih?)szF68u6N!zcp=SHz3gU;_zQBi
zZbO0ATH$o3P0{9~P(ra)sVDGzK2Team+{UAiw!9tynn};k^nWl3&4w6$+@@xXeb8`
z@^+7aZ4O4K)L150{||&TC?;bj2|?`X6dvWp7heGI(EYFj=iaQ+(O72v3D{LLZO-}<
zKm-J976s@RVu1Xj49|Z90&zAR^k%5R)PYi*j9I^BBZ75*rI)Gd^UD=3#&lIoX0RUL
zHyRRP&IH9biZ$?|h;TYtME%LEe-&f%xgfP`ytO4FvZxwhF-7OTqB$CoA4}Egkr}S5
zJ^t#Nf*h9v%kDj+plcH(WZq>^IM^E%*30w2E0AV(+ondIYAKQK(_|WwMHg#s40>*C
z_OL>9yTG}s>eNk(ZZ0VGGJ>ikH$|PcYVa)(8iC(!&nbb>m$14Psz7wB9&eITK>J3Z
z>WFNG-_yn1$KHCk8>3`K{0#sy-DmCIO-B4qvGyg+Zn)zfYD!CQ;RST`3n%FmK+fkI
zTc*f1p9hF$oNO#L-_TR@I&mVXZ-)^;KH-bpE(dR(Jc?yY6<h`h4J}lOw-Dfd@K^qW
zl9AlOU63Gx1;o>9|Kn~IftGc`qAVASVzg6y6A)sHkIRrFU@#&4c(fAlBWV<B0sJ;x
zez9Z?#!m*xwWrBX8#-LP;IL0~*1w$)R_491_%?&MC;C@89#^*ZLG&hq&u5#F$4Q6b
zcaMeA@vyG<HEdKXrG8CI0@7mdF$~8Gw9O!&mt`%r_uW8*HlxN{akg1Q^sB8h`aLyF
z>|P91D~5%ibN6g8Y&b^_-L%i(b+<F7ZP*&6(>?hlBQhSe_EWI=o)8Nt-b1_zU~R}G
zNrO7yjOMzTe?s4|z@`5%6qA740O_@0g+j}wiOyi)xBmkIBk=!GEY&cDlKZ@MBKLFH
z#pWS%?DmkaK(_QVLYiH8?(bhKd#OU^F}8#2CxyPa%rM%cJ3XKUD_0^0pr(iX17J*q
zdK@Q11D%K(9G_Ua-0)iZgGXHb_`Ye)M$0Eqph#uLwC@QXlH~m<l_(l45>O&~d`CaN
zM|(TpH$r;dCrWQL5r<0|-`g-KF>R4me$|I${b-sQSc(y+{skKzNJnjK*}i^DYE4-9
z<!)2q%sqjz7D8%<aTNii#GzO^jkNw~=JQe07~!8ZNcO`mP0=#m?9GY*jDFhB<TKC%
zXkfrsQ=z_UGu36c2DA!W02$;ha4$YZ1_Dre!(#xwJmNHpiUx})i9<=|Ca)qIO=xx0
zrniQMB#G>3R3FN@9;8LhC-D%5SK;l&B|Tbpr;xbR>SftS%LGM>hL89jDmCc^0$j88
zlB;3-A;ZvE)E!`f*aTei4Q-XU10t87romeeP`lz^lpE!rf&v}48f81U*C0b$h4+;t
zv5khHaD%`B4f|8NzJ!6u+)ie{SM&V1QOA8*wJC;a&v0z+fQ3lor1xf>QB#|&0`l6|
zfD#<nj<}WX5HeHm<+jSj_~w6Cso)-1EGhVYzv7DX8>AGXx4o`+8s#d0Eyz<22_)lu
zYB5aRFdXpki(cbpO~xi@w9x?o{2GpXJ$HtMs(mH-CSA0qEIyX0hy(Xq&IE6Zu5K2d
zBoxZN+#bziAD<{7u+R*-KsSg<o~r{IXec81e>cj)w5=T#U5;Ig*Ja`uiLXeJVT_85
z2N~tYD>sU-u=kD?d(;Sb^Cxcm0}p79?WUiZ=eN0Ak$t7Nl-pB`^i&<t_ih%i>IN5=
ze<l_D<_ZTbhwFAdI{T|A175>hAaTsQ3alRkOoeR+b&UfUx!U(vhMM9r@Q8q->$%0+
z`Vo*#i!-(PG_+v(A*d<ZU-LFMoMvAGg+G|z5h1Dhn1rtnp1_7!BLJSh_>QE+EBsR#
zEi1g@J8xKu2&UmU{>4DSy>>I0yyKF|e^e=@?i_R~_dy6+Ak#M-%~w{&kF$F+2Ydss
zsu*Rmy9lsv$jf39@9hkiG=V+lxC(culn}0dfwD>ECjCVn{!=dZBCA?+6Lh)|rC56f
zb$U<E!dyEKBYzhDhNJ-Za{ZStI|=iG(#@?FTD*0QQ><c9cMH(JEfLMJ?xj!eyhknO
z0frq?XJqbiI-6%TXfJ4$J{}O|q4WmY0Ta)icvxx1QGn!AkHPbk)Gp24)9KA42gTC!
z+PP>;&motAzWL(A$0IXyC?tPQ$SIf0#3^P(MfK*Pt<dra0f>IFDL!X6KuzW;$Dg2U
zbdYVV2%sly-VSN(6ZD^`?3Ra=e#BG77&G>sFMKrSQ@rl=#*7p1^^-yVw5Y~P*2Sjr
zrMsV%1mzIRd#C=Fc;eYxJwf`!Tg04v+y=y`c~*cbidPLT12sBTS;HAQ&hw{(HQ?2D
z{&m?d!2EN$4i-z!S^$l=9M-Xvm$N-*kV1~K<CWPM|Au8KS6)xA=p3yC)EDshh*zX?
zpo0U#v2T`mra0xpPC!(P!+}_L;Cr@Y%O?p`ABL~Qf?(vanA}I!88(xRCh61t6`a2S
z*tmXy_O|i^N+F2L<p8=4#=PC(SFl6pY`-{f01@Ll07on+FNNo)NO|J6&ZvNtfo(t`
z%n53{{!<f!C4qaJpSj&YuyE}+dfoJA*95=`z+7)Xff6hPilsup3xYh@`@<<R@NMlJ
z1%TW8F%a8}%?0^3jg*@}#KN^YvytEC34qP#Jq{^N$yhJoI(XlUsdsiptu~PZR9%cN
zC8_vrhDA{Rf!-#&K2j*Rg}ebH`boV3#-TYp>jRlV=)+P0z5}L`?gz9r73Ajv8y@KV
z&!w7QNLrc=H&O49OkuW*aC;?u1g_`LAuHVaj9ICqpJpiEJ++_P?WgOVKt<V7@5ILi
z(Z8)1a5si4fe5D{SVl+e(x8u4Z$ENzPtHhR`pFzkoZf;HWR)M}_W?W|T}I?JdtH6C
zrj)!=_k~(DJVQv@Jga`4_V{3ZR#{@uDHy#$&b}t9UAHah!i0{_Cz?xETvU>#O`oyN
z+fZ=gtmz+#iuLc``}Lj*y*Bgh9`&t9sm8m1zNI&JXc{d<9+YDD*9<f)+ThHS>ds<d
z0plbmH2;I2Kt`@!{WD-;h52Og_sBmgO9WwVQ0C@TSCsChUjVgEkg>Zu-09)T)`hC6
zAX8^TEGA)DxH~P@lH}vQt)spO(c>$E&RJD`kByPL-FTRW?pWAue4E=kKR%)FMDPY)
zL_5cE<qyK@J^FC_YBlAHq4(5B#ZGpRt!906jou>2Z##Nf+N2u)-jKY$al(=|n7$^8
zjygP3Kx8a{&;a5wIC!4_#sp5@8*)nUE&SCT$Vvw>h~k+P(pcJqV#YXFSzP@Te^ne3
zYV6Gfsh-M@dyiq}mVb3VK+0Z;_NrVOeV`yj#O{KKg6tM<wgx>&k~+|8DeYffp`YTF
zWj3lhDhgUquNU_bJ~U7Obn=DQWh#;O_xCy*KFrWhTb=~eqP{r{OIz>3#?l)E=%w+P
zNhJTRpeBt-CghDM`YTTsF+V-uj%+p_O+{nOhJ~%6G$PJ=0qR{#tiN-$Sa+X+8?2dk
zpKj1UD9f5Q)8{0F@e%q~9)5k&N*H()0w0c`;BC)v2O-=eVDq{I1z3q3`6VU?(1o*r
zi)cJVNv7&}fk(zEwqGZndJ@IG`A>}zg~{uwCO5_gBI;s+Wc6LbhC1N`m#16%)n0!L
zM9E-%K;9gnoA+t0I;s-HZE@pgyiXRbI>0zT4Nkaup4|_oIfwHr8{*>A$*_pSDEIdJ
zx!P)g+o@85*MWHCvyBBSs!ZG56Wkiv;yV>eI&*#kdbksRF;FLOmtU7J?HYXviy0%R
z3MnK|osZ@HNjNzOKpC+kb`Mf}UkY+d{6RmDrhZpjID`JmeN1xgDsz^Z^W$0wm%d&i
zu*6QqxjjA@eO&Yd$ycK*7P-7P4-EjXx8$qjwtKPhbuY%WU!5ZDV36{Td`&0<Rh3hI
z!>8Lz8*p7)3Z&IZ`fDSG%0D?t!P6-XxR=CBbG6&MOl6*+KL$?J$K8nJFJ~K~L+yps
z?-#&Wgxj_Xa;1cMN_wq?-D1X<`N}Uz2kHEb%H%?UoaDBCTsWogot}q+AFsv^0<wfX
z$qj%*Ksw3!?kRVH6zct~p}xuu1ey>)rrLGph&9NtE5--YUPlCl8w5p*Zv_An+kwDB
z4V|YS(nTMF7~X8%Rbp4qfzu!SloDdbX7S)7>ZN6L=itP{YI$AxH4<$SB)^eZ1HfF2
zw*8}RFNkk!e)tgVCmwZxIkQ&auD<X(g7=S`WpG*}#4LH@?K}ZB`^(*u)ydx-1%ItU
z0)>jndVN5;xwr!v0P)3Exb-x+YZ6yd>r_wkQ>lCR>~kxSYwwvMT6BE@eiBH~$>0;r
zKx8=Kmj)7!jZLti7d%#srm$*GqK(=^dZjH=FsAJ{go&txza+b{Oqb%6)UL}r8q>Fx
z1NrV%R_4H_L-~P<-T)Az`jdU3Jo?BI;BwG+kooz#e9PhNNaBBPvqOme1g2l=@^VlB
zw}cieT`>)-0iNxe7}Bs~h7(A@dj%8*$^2zVl|D<`clx?rWKct6LXddqK`YUQ;>ggm
z!PIr&jWR>QVPo@)PHwGC5M6ze=w^7=v`^-mowp%a8V@Q{#x|En|EACQP+ky{%PBU^
zhsGkaK3z|K_FFvj_uwI;vOA>r=tFa=QJ{ue{Q4D=wr~lMN(2l)DA;@o0}^QBw@M)2
zUJnW;S;{lyAAkmuip@8KM%1jYJ_f`EAiy8$yA!l(gL5&oK&tcGUbr9n0zukX1YOt}
zJG;J&=&=HBe@LXxC#^6e+8;v$<h-|A=%Y}O=P9)WJv@`%7lqfG5%uQOK>D**Ifw)9
z73W@D;hzK~V#x#azc264BWDAp)L9!}T}v0u%KkxGIcSUzY`r`sP!04zOM3LL)qv=U
zJ3rE+ev8_+v1<2p0Qpz9$`d?wDSvw_wny4BmyAdMvicqnqKMRYg_F|*160b4J!~Il
z(op;KU|BwhTJ*l|HNuD60$%4K(&&X41h8ku-FdF{hb#&Q+U-S0_z>>F%>%L+wEH)!
zY_34^v3rmw!LyINl6QjO1Fa<ic;DWZ=xU+J;c`k~Mp=_x0A6I&lflaUB6tgQC_(Z3
zSEe*5kKJiXX_P`42}p)Z#5C=IEM5Z56&!60S#gauF(o`>vFBz#11t)$oO>dlYHGv7
zw_mV$^_O!GZccY<tF67FpDu=D&h6MeUPWEc>-AAw!n4b80eF}9`N8He1c8NK6N1{~
zpo(ogZ3N5)sAT|Q!v>pjKREk<hauId`vMg9v9APFdiFV<0a?3wz@Q6Cbi5s`=S4H@
z_mE_L5rG~FrKa#U*P1-iANtR`O9+r)90fF-GXK@}60E6uL4)2nah2g0LygC>j3CMK
z?Y4;Y0EB<5c!MVCdwqLdvYlvb!9waoZIZs40dwP>h#=v|<?9z@;Fs4FO16Pe=8E1v
z6@ifME3dmb1rEVx-s!Y5Snrx$^ngXmA6)ZipWlP}WJ??|B}jUFnB0orFZi)h-pYIQ
zr6wd$HjL?!Nf+*~wLyM%a-m?@aHt9qp}!DXiWjlxJq9f2i0bk7gpGiONg``Kl8H>y
z0Nzp~dc{E*a@h$Ow3hnB*>D%!INe0R7JtB<df{IS&4Gmqzx>WtZ}eH$I604FEcGY=
z^cwM*o_m8yf4YG(meuh>m*#=$Q5nfw(t&a^1jwEYps1gdz)p_dud4av9|lxfrMyrk
zWrbbCd8a>u=e&HIoHACvpkoBW<cAnTCmSt3-!6~fcb)>K82+ek_xAbSiRbH)KbjGO
z2}yJV<h<VdN3fwQfc3zmb9z?;b$QO~Mz>4vb=6^keW}k6r0IHP&n-HWGAK#BBE|rf
z4{9c3B*kP8;iNw<%ZD*QbMCR9vW}sx5|y8sK+JcQ?TvzhLIp^m8oDHDV1h-FRc3?&
zuk0Dz;Tl{A(5U|yz}cFdpe67^!_opB@QYhPz%>AsH;&2V&+lt_<tIF$N@<%Q{1ELd
z{tH;^84d(9aQJKnU@@d$Zm-iUe(ceLwO*^vtKOe|*0XdfSaLb%{Tftltw`msj=S{0
zHCd=*kihGoI7nnSAeS9iOD31peXA|Oj%L2y21qrZ+*5qNCGryojyC1W(Bo~I%K^$~
z`Q>ddXk4+*Fh8z3Ba>^ovi8;xm1?9I76S9EO@JMKo$0!MjLUlC^Ug#PHWz}5Ob=jT
zhJ+<lO6mCyg)uVNpGq$vBgiq?ij+GVpH(29^8)Fhy@VV=o^1OUV7aj$rq{S}h7G-m
z?=ImSm^o>Jk(s&Is>&F)UX7mk`6yR>4kCogq*8d=zdDW0cTn8e3!!)pK;YK+=7nTH
zVWWdj3#97`;6;(6&9hyIj>X@*P0*#pXz80V;NC_4jNW<XQDE<~sl>@L)xJTX-LsJ%
z5*9am9)R9a6%5u2@nXD=XmP%MOBj~Os#OCV&vwP92t0ku4rQQ~bYGmzALkNrS_Kvc
z*#LDDJCME8^(;Up$IKQ$gbAc9G&mgjdgH<R`}j3A1i4+i15c5T^@f;90abZfQ|08<
z&wA#XOy{_&$Z|<pJYt{-s;GByV*#b`D3SybxhQBpH$3l9EW`3}p~CRa@E{sV4VP2w
z&IHxWXONemKE|oh2jzo8z3&L1JKkHimGu`IhtMRWe~71euqyEgChZ5<01zfa|Hwkc
zYb4~jC4y7~CM&lIaa)k3)9s32f|torpZ6Q2S4F5;ZGnH#pw0Ra^d3!II%!AX5w>rV
zGo?0DA*iB_5r&h*z+x|vNx&Y=N6jA3(YZhn+3@(dxFWvzod9RoI_IGzkG+IV7vDf!
zPlznQ1uvHXgYJ0$K4oSe(!GF^^x1Nms_Nw^aULj1<hHA_#5-X@Rq(D-9iaE<+4HEH
z#-zL<4c(Ov^RbGU?GVQRemi8xUKaiPb#g*7Db4))Uy-9h)<kFB?f98I8HIizF_ljG
zD*-J9W>LP4>wyOgR$C(B7-k$CrDol!d8X5#I}89mwwsM7y-`Cz-?yi1Zkj*;K0v%#
zfvJ#}Y7v8M9T;`#cbO}LGnrz5s&~y9R0r(*C<b_WGox4T)Uj;X^(0&PvDlI)&D8S*
z;6=|;_AeJ)uONW<v_s=0x(Cr~iMx>fXYo`(<t@~z0f+s&?Luhupn&|l2Y@ZcDlp@=
z4a$DtX837TV++h=&X(;jGO%l~?a5VDO`$=O6M+gM4g=F;hQmd8DFacT*kgSK2*f4O
zH@W^McS+XO#*$ih?*m#3IAt)iJ<AAF;J1mo8PfgKC&#WZU<nujzuL*SLzm+BOw;vj
zninqB7{S%p5xwqvl6(T{@kkUUzg;jWtT89gFhLt^oVVFO6W>5lB<=6H+^WFZuJ1Kj
zQ#U~N(bq3QOrs=UHl#8eABLLyl24b?)`x{^go5}t#Y>uHMWHL*dS0^7w|~nBIFQ05
zC_fQqs>F*gUHYX`hk@jLrE8~kU6u8fpwEl{cn?mT1K=BpQTfs#^Ujr`FMhXA@ds5a
zkuHm_f}*rBuI{ptV3i~FURw_UK1pRoQB!Vab$}eB2uOSD3vf9CHnUXTy0uZrueN35
zj4A5z;*L)z00w1pU;|ma?=@XltmWjSeARP_|6Y9tYE54N-G<}+7!x4^q~3Q}UhJp-
z#h?X3pWwrlNV(1|S!_ciY`~vznfo#yzf?vvL0n3-eAAF(mJ0s}ED#s@aX+9+%Nsgb
z!lR=yM2Ym`4Jylv`?FzibG&;BJWE#Z_-!k3Lft>6M!ib8a7lasIq0&c<ezdd5|ZRi
zF8C0ad!K&}<?r`uf!oKC#(-J#JwVOxfe$KW0&(9(bZ8^hIQ|AD0=O@nB~JtV&NglI
z(Gg>BYbiBvV2OX`EZ9|KL*3$jru2gT%1q4V(t5d|?Ke7Zpkw%Rcly)=LObA&PsGbp
z$lQlkY<PN$>l1$T(B_5KOmB;BlhO=t!*W8(DVZmfsI8w!@<EL}UyvL|288KEx7R_s
zSRV|z&Hy3XW;;14QV3Oh0e2FZVw_{qpWE4GjMG|I!0$a}&GZ3E2MY|xH57+EKoG@E
zz${Y-3L<AZD$MYepY)ahIz0rfNFeCfxDdM99wBFrO0s}R-Pr3duVw)sXx>1~3w^=Q
zq%5;CFh*Piv_F;Evc%Q~#n&L&ATC?TD^&F=WKPMD*u*mRdFFE4{^99BwCLk_b62>$
zai3cAQdANouTdTYua&Dt2sXG+AG=hWgR=n)&(vM~F@79t6~KYZFDTX|Vx=wcN06OU
ziiGQ=q0<EXtO5EHh$%+tHGzZ7udfy&u1ajP1<jAOZePOKo{&)fys6W6zh9_WP%qkm
z&P1om$!?^~pepx(H1T+h(I@=m)yfNI69i!*vxm+QfSiqN;&wic=GFZ?`}?JUoCK<*
z)f=K@uHU#XG*ptw2Z*~>U-G`BV=TaAOD~ghk~65Vn~w$Uio{V$i1w6Y!v9+7<KbFR
ze#N~8CjS|RkB?e<Unmk-%qqOGn(}an!>bSS$a61xl*<|j_HRSoGJbIzcK!yAl)KId
z-jNl7z(D#Dw~-}Z8HRPk<f72*29ElJcx7>06y%}eQZVo2hG0*UPrj|f=s^~pF{$Z}
z_K^`9iMZ@RT>S{f7(Qu4V*5agCQ^G!V3+&aqR9FaTCH$x)$Df`4VnoeR2VKGqwoe`
zF4|4+HuO{|PffoJzmC_;9)gDH!wJ;7v%Dy&Ia25mIEfe8#|KhRXVpCLRkXVVl;>4a
z(?L2MS}4+N2dqwz*n*5ti0%8ZRgAvS(4bE^@H-%^473;>=Lx;n?f_$E^`e|cY--0g
z0HMPMHc)4f3!3t&sUfcAAiGIZmD^_uH8yx$!K7=1<q(4NRDiejaJs&$sW_3kBL65p
z90KWF{D|8}eefJfR6{7^RMMjeqy<MO!k6cp%M*|>u9*h5UYo?lMRnE>P;Ucdx>Q~b
zFhu{7cOW&re|kLpa4jVIL8md$bEQPI>#V&bKpV-9%*IqDp!5nq=y?P^hM*P${fgXT
zouqJGHmVU)Pna$6-P=s;_UGu@-}MLeaX7TSd@K#@ivTnRXi516sMc%>RX`E?BSqW(
zX+NJ1=u-iH)NZPn0yU;NH<sHVCT$-ZXJKKd{M&aGtvEn~X2xzZax&wP;^3x6Jemyp
z<(buaEH10FgmSvSOR8M`(c-DqHfT${p?}@W%xP`MMQB~*dNz;HD5XC(Jt>aunLO@1
zNuUR%H&qGfxMPBifmbdWw;mQpd~9;lB53^b<_zwu3aKQ&M@ZqniibWt5bQnd#a}+;
zr)&1{xV5{X`wl}4l0U@jpfa@B)kth@{O?%b$ZjwIFb>ia6;IHTXD7s7YDm+740C}9
z_SG{bG(i0M3rD9qaP&p*n6^-cs?$V!M$M*creCr>rTB~jVLLIhsBVknUW0uLluF^m
zW#)~6^_5f<>&z8W*$<)G;d^_9rdZD(Xjiu-2I`gL?*lT@{i6Uq7lh1)9f9hC6+;uK
zN>=f<W$BFtHJ6+LHRq`aj*eUbtI*Jo&l^gwQV$bNW7m_#U)e?-*^<fzo!O8vdl@Lm
zCv``w<`l57v@dQ})Y?+m4!B?O0|ENL?G&gZ6KfD<uA|=O6N5ASgk}28BP#EaI-4L}
z3SK9Ce5ZWG{uI<t_e(A<r|%D=1|{wU^{kV6TP2|SWU&*MnGcjWbloXf%%X-5xj^Wx
zje;J?Tp{RZ2HI$R)`>-FvEN8$>pr|)dA{Ge$LxOk8f45R;2Qy)s1$Kfda}XSfb0=8
zkfT1QNkQXVm{QVH{~8)d0Yk@=w+H=h=;v-f^%hZ2<wJs`2!O(~iBT!+{7fsz5?h7K
zYQ~Sn0R5>g%bj?J4tq{p+ykwM@3pUVfpbA;9nYzd`E5h!J{Cbz))mA%SH<#&eb$Z}
z!<Oo$l0kljwe><tFb5JbJ!t;W8-R7a5dl8n)|D2@>R!F1lX_IWe3GAFI63G=8GN9B
zig;RVpF#M|QSGg%B$4XbmGCEMTVr!^UMzxJ!uZY>x{z@hyEpk5;+3B$!-UWH2Q%#C
z^?QOu-+Btw%1CjPhOKyej?f}3MSC^=09EkWlpOk;B7f7G{Gr6BINB=5^xYo;9}Y<{
zyz~Jkx~C9Aa9+?B4X3U|-HagAqm+gX+7zmlH460vdiT?hgddWoZc$Ab>js9CCk*lV
zXvYT%oZtvc-!0+n)(Pk&IBFDjDN<kHIHB2&DUT9h5o6b=BqYS3HRV$6W0^yo72ato
zPuv3jdgm$RmLqR|ux}Xzg`PYvLpzjv6mBA)li7Q~mbXxi`XqnIXa4p6@WTc{hCdJ-
z29YA>hnZW0KTGI`)nX3cT6+z6D@e{s5Tr`>PWy7?!%gKL{n}5)2vY2I)Qw@gc7Ewu
zHb}4gACT4;>8_tU)`o5+yVaJQ`2%)nv@z7u6MHQhEoD0|&6=Mz`*IPrXTj^ib^&E<
z*|=kl`{Li233Cg0Tg>L)*KjH_gqIG$$#daeUctkZW^-3`VYIp8yoWdaDt<xu=OWoa
z8y!U6MwAB{0s0-;w({NrgKo3%FC5_8anVRd7D;bq5P*)Pcl#8#0TS(n+3a#2LBPMn
zmr}h%=#Tt;j5wI4+e5kKR&U$4M|#Ds9T527k4Fz}IHC2Kmd(HOj$wNdi1zX>NkH&{
zR!}s+N*jtmKEcBSI%?T?AhKxt=zV8bS|>MR=n`msmt>H3jWVoCh4To4={_rXJsR}E
z>3HOzg$P1z;4p&C@|tDff(jLMXr}CB1}EL+KbSil;_|e^p#%DX#7_{#P)0$AVbVe6
z&#nL$mc~wKck89P^BSZp_`WTJ8jw?a8@*k99+d|4On{S|CQMAOW4~*qd(8)}okeXQ
z6lXK(yMjjrx)DFDh`@o65*T)t$Pm;$Sh)7ga0qK8Qi@&PXI|Z@;q!qi?~ewXHu!8S
zLTcJ)5JoFhK;akibFFF~RHbdQg()tb(8wi-(cR1KWOc$7K7y_0m4CI8@jfURD}Wkm
z3**ms&%!IwPRI`M04SLj)682zI`K|0q4CZ-w)bT`31E85vSm!=Rv6w71RA*F^;KV5
z=c;&3N8?UwCrEF5#LXgshBXW{TO-dT?KH4J0cw?>dZC|JE6$4u3YcHpNI!S|OnM2n
z_uSrn@8e4aVlWFRHF2-AB7!G09*|As94b9{^+vHO9K(V1p%H?C<ggy(=}5=|gOWK2
zKZn1E3D~d|k)U1cI|&$N@AighG2W^(U`mU&#72>TkG!%4x%IIKXh{;vd8a@3>y?b4
zXz(-LLcBBbX#(P7d>{x1LCQ#e%*W$XUoVaEE1=t@(ly1v@v=Lx$JVb%+8@m&&^Gqv
znpu=AW(&G3c%f4F(L+p&GUy6xpoYCmhd^~8)kyjGu!k2sd@fvD9MWAEPXs_J5U<7Y
z8M+CK5nxL3Dn%GpYP<ssQP7gAz8}+!xaOLl4SEItrujW9Re=8Sa(9t0D9(fDY!%gc
z0vI@epTP)`u8s<AN{o%@yfY$yD&3NC&+8J}w>Y_&173q^{H<>L1}&*WUxo_0_F^Jn
z*qjoBHUhWMe#5Z1^a9To90J#F^?J}|<DEkf+i{Qjh4Or+S1~8+qkZ|kx%58tkH(}Y
z=);d+@Cbm5PrU7TGb6(es}#M~@4B0r|I1E71C2YywjT4)d_fKtrEDCDlhYH$x~VL8
z3Yh!UN!uKrGC<MMSx<pQmNYU@^58x`p$8_LoT2`%^>V#ji^^&R#9woEr5y0F`4lEN
z$3jou!-amR;b>4VbkY224SpLmqehd44YIEgfw$+rDIfaBxHB+d6fgQ~7_5Wb3NGHY
zgQF`K^l1IKG1p!eK!zGosG@AB=4I&nq~D9Z2f8H}aG7!Rl&7ak#L{431y=HWJ^X-R
z?tpHqHGocpU_+Yb+sX#F02UuttDb*0GI2w&L~$^YgLp9_(B&0SCbd*Ca@23nti2a;
zw4o(n98cAWfx6*y8uqeue_nQ$x3CPJEf-a|ZX)l))nshB4eR5pLi0IH8r}Fag)<+n
zNY!pB>&_t7Qt>7OJ&dQg2u|qRqEYgfen|y>mZaspAp!8TQ2+BMLkGL+p&K1_FC7<1
zDF6W*e{3Kw`0DY#>GgPe;(0mJowp52@BFO~zrcME&`feyp<~tq|BIY@x%1Yc!PbSM
zLJZ_#tK<~-yR!4w{<}Fgp=7rjc6iR6_{n|Q0}V0agoyQmo1``HEcn|e%%UPhu`&0N
z-pE9)GT4aKK`BmMl@BpPdi0XkK7tGv_exAzVgA-f_6h4V)GZ?zuFOY5>&J`G4P_;;
zwL15QAeGSV3ATV&aIYm_k?nSn`-8XeYQWI|;xhd2%qgFWXBu5?=mpS;ho$-Zvl94E
zl0mYPu8VE)cBLWBd-Xjl%J|bgdTs?(U_jT-0qBhq&<FV_A%Khy`7nM}F@cYK6DzoM
zhlV2wf=9>`G*HfyitmM<vZn=*#}z)u#o<FUr%wL@NSg!Y`ZxX_<n?~uO^KB~iBfdE
z+XE#}@!=1Z?7;bqbhAU7l&!jNK@0@w2ee3^<6%x!%iZ9!?YTk&?7)O3s0~F83&a~z
z-D<QBXqn1+SA=x=a|RVNEa3>*^pHV^j;6jnCiLg+l2Wp0Y(J48bAjAmr^ZtTAAN71
z>jiC_KB)UCLG3*jp}}zTd8;Far@t*r!w`dfo{w#VZQJ^01<l+1Es!nGn}NT>PX&0*
z?OiR!Kyokn8TcJ_;_#mf;;KlI+R=zUt=Ia54o@H-x2VRa|CAJK3W|mguwA=y2)pta
zb8GnkrUrIJOkZ39To^MmocXfOQU`(gV*qDY(%m-YA3e0QlH;aF=K!I4A%cd#_t3|i
zO5`C%sCxT_$G|mIahoXU=IaCMn03GY!<22Krk52IvA~soDAGf0AkKT)_Xs*be2dqL
zH`IJh=K*A-Z+Qq`_5$4u%7JqO2|o&u<J1#$6(G(O`j@*OU*8itOV>(mIYGy@>h248
zZFd+5po%a9DKYwBp*Lr37a)dF5ce9}DvzIwRmpw(ap)?JYWe(asGQINHD~?yR}><b
z-_9~&Js|OrrKvQP9guMyCdN^aE$jd4=jqlhc{1r#%_jC~V|YEbSAtE2e^N}X+yn}4
zPB6PZT{zI!dV<71C|T&B`Qurin!Iw!a}hEi-YMKZ?j7LbBqSNv<8gZCIAC%>7b2xx
zG}w2NJwb?GG2Uu*yk2Eq0104QsiNwYH$dk=9u#VZCyN@@?JIHhXo3J#cLcECxCF{>
z<`^;X+asWk^U}RObiKMO-N`V$i%<9A|42SXzg^>P4Y)rg0QeK$KdyUj+c5V**KT2E
zyKK3NOEEiA0gEB*#*3|kta9NYNkbO`bnB=H*Vc7@z;5gC?mZI)mL32W?~$s2Ov&@0
z?wI#|ABtV+o)dl#lDs`wcxgtCy6D})6i(|&`$qv#6?iL946EOxl!36~ecmDc*?pXE
zoVEE|MUMxJw%F-l4_GexGyTjV8w-^(VjC0gwlxnJUx3l{^$L0<JgZNEZSEfELpINA
zxT~cPSyI?3BsKY#B^?l*RB#452zln0q@t<3Cp~;mBpY~K5(N@9?1f0dF9OLb==Tg?
zJ)RLyb{?FX^jb#)S6m*@=K!RvLW0ZK9L`3Mv6Wbfq;Pw$?NxX}5)C!>BPkl5t3VLS
zpB^fp(K2q~Qn;0|4`}2Vwz9iV$JR+SJ?}8#ueI*GN^6GvqP2PHWEZ2K5}F;j`Pw*T
zq*O0fol-IGUTGb^)$gOTX{RwT;0(M(7r@qj&fQ>cFbQs=@`8w+lcYc++tGv^jLPn;
zU(k{$zcbAIiu?Nwn%WPQdCC_?P0-PC3>JFz=?&z{?y!oD<oU-5*?N39`VXq524WA*
zuy5}j`mG+mew3y%fdUzN8z}2$_;S^9K~K&qq)mk^ErehS4f2!?ExMo0x|{KE2FQm#
zkLqUjN*f}%S``FM7P6-XboSjoaDj29=@mnUCUtSv9ShbGODf?{DTAMP^lh3-RVi*8
zf~!^v<jVW;<;Y~9>m!Qxa%P%HEzd{rgHC^i2fg&}W>I7_-1)89Zf5A>RG2mTNSkW>
z#33mELC?sNp7iaFJiVD8cvypOvn#znwS|@pVA8wbWkXBIzue9b{3MQnqPsuO3?Mu~
zqKFZ0!n<D_XOjlAZSvCnb7(ZNzZf!bxegab2gF^zV=pyb_xl78C1x!3qm4`QPRGw1
zEI1W+zO4-V;p0~aK{clE6vbOFi6hjOJ>1d<8p(YZZ?Bk&7pD{rpZ*9hUbnVW+&~IQ
zk{W1o4E+zH>MR~5Jj&a663_~W17T<Q>qS5XuWK6>+Mu*75|q%!;$i$Ws&9J@mJk@e
zJW$`d$$<w79a$r9_rJQJCj+RCei-^P1ADE<0mO0cYM$*1ggv_ywk<=xzbS1<a;>A9
z^T)K;eQ5RKDLU4UX4i#?XhEa`tOoaE0ohi~e~NQApjoo968lnrXUlz<4V1;dWtkk~
zJ%dN}UhYNNohsr%zn_jfp4cme^#;19XsGpZpf5Z8R-$r#0(cT=sAsBzEEtPN_o5Ki
z^L0}<B`<3*Rh>8Jr{@S5XgRaL`xF&*rfg-je*nTQ5e`}EvgT*_g8o8#!+-|JEqf?}
zRTW<e*k#bu8cqiinKbeu&^R6C(lei>09_^kH++CP#N7}ARPa^{z@9DVl3?||us;s!
zS8%jj983byXwY~u0o~-YYGAvWSX}O7C9NkGr#tIG2jwS3zW3Bp>cV=WpiFv^_SGm!
zUH5*A6#a~LLWV1L&K}Rq0<m;k`RF9<d;cAw_#tH@QW%5kRbV26$j<xmr{esjQl-ir
zFVU^?K|7FPY=0p49+(&Iywr(jRUeMYs6RIjYX9Q=JIsOArAar427w+kf?Of-xUT`g
zbSUn!Kj$x*1pN@zd&uZE&>t<(4vZ2pv7d<ewWD|BgJyPW^Lk(B*X9e^U$_GYTHqIE
zbV$8G2QD!!A~~D{NTa9rO5NE&4m>Q#T3Hg4ubE&JKjed!-1O<JA`LAspQ(*b6blUz
z5Dk+-^w!Yklg~zfx#tLLu^`i-he9t$hPkK4JJOK{WH=|-bN8NdK0%E19$kUUchIP0
z`S5Hhe4u*3-;#aDj*Npv0H+y#Ad%=0exM28?*53!Z?tOh^mNel!AhEMwu||KZ_f=|
zHiP+)pg9&~kGvS+Ea`W`7hL<2<vTe~&ug(goPiH<%eYr$_-tGLTp9Qy!eLa@0l<aZ
z?4Vl5sAgzD*+Dlo6!ay7>Gn5|1d;G=HGYL23@HRKAeipW;V%SOklyNm)M`arc7gu@
zI~+h2;YIx|{QwHT^8C7&>2rkiA+M{@#ekp_rnGirlohO{9~&`MM&F*Nu#0b5hZfCn
z_Mn!(-QvoB3+BIn@U6V=g$#pUMu6tS?jVBEL7j7zHM!ndv!fmgMRLbNk6V6qfF_rp
zD3^hBUD?g@903gwA@s~%M&<*{Jcr339h43+^%!2Ze?Jsl%-+hP_Re!_!c0I(FBUQo
zK0xGYg(aFdd}wQ2787Cu4hpv4Aqx|DV*CN6Id_VFtewgQd%QoviV92!T{ZQ^nP&ZG
zO<|ud?x8&GSxfTe!Ks^gCmgs2IY>y9zIYI=zr*3%zn8MK-|vd91kFu@`yv0Fmc=#y
z2XC>1oA1Reh3wg*&taC~kiz2nM+z+p{>%?%uMStDw*gR5-66Sp{+`5g8QVwMp)CsX
zY?>{jA*&tI{FvGb-hV;8fjA|=FWv-CuEn8)9&t}ZbI72Po*`O{Qug>pKfg0+lvArh
zK}u?&J;r}5o!OSENDxJTiFtTr5EVq`@eL7CKm<XiukS<MUaPwLmII<DnUN7E_6hG%
zk9<XZ79u7MS|9oToVir9jkNOpl$25WM_T~sYYgoA__<~2eGA^N?}bsF4RTOpU;RC^
zeVnm=#w-9K(ewPN`Wd!qh?uY)!moW8K=k-ExJBMRRAIWmH5;mBW`uzn_7uVXAZ$72
zdw9d~_PFtoM1;AKNqjyA`;gina<-Po@q6x8-Za3oEd5S+psf<gcA2z*H0G4Q13j(3
zgM4P0xbY+avhdnScF)yYymkjh8h=ZWAKx`fa8s`yRd$}Ry^(ucdqV!vu=<dszm*tf
zrTxUGXTg|B3rQs&B0{-ifE~Q$-*%(^aThN8$?}tClauov9`!OWk1_bWYRrO+1#S;}
zr+}tx+TH*4*Fd5Fh=#SPZ&CZ0UdPAjc^3f1geqoRqnv|=|DoEo<yo|uvv^@7U_~y@
z{rqcb-%-PB$}CmizEw$;KT%;!s<{L7c1UvCE2@W<$@k6QBUVRS7P7d|oJ=(++rr+j
zWr2H%yA?|vdaEfj+^tb$_=h65@k^k@J_@B-)boe6yotiPe{}ZdF73D1L3Yvd(YDz|
z6edR4Z{A^D^0eLXUia~xGW)sh|7gT=KY;~ak@%BO7jS2eZ$IJFo8QvEX@30JE-T4>
z$t?`|@w-;_;M@+Xv-oc`q1hSnk#_K;rnaQ^c1niWXO_hIPA8w0wv9t0zGvK^c?!?G
zio{S1b->0kHmBHPSvUtl3|_N7M)k&WRBJ?K^FSTO+fI~v_0PFkOUi|s8P0#4wS~GR
z(sd~m=1k-r+9bea!mDvGt(Vu+8#=h@!N2<+)D!u|^4^Q%GvtWgC@-Yv{CC|P2V1Q0
zx*k8r;wk!d_4Xc4JIZzmtM&Eez#GF)UOUE9Mz^+$Ee*PIsF%to*c3u-yAIa^94Wcs
zoaTCEr4$5~z})mlTmP=IHAO_t`P@5OC!l8T?dog2X?#W4<>83dO}Pxchps^2uzt<S
z?h=WVc<5KVNrGc%_=nuN1$5!eKsSn&f&K=r&D%`6qu!L@Wd8lANfed)M7A#lu<IL@
z`w4DLL+tztGiTB(H@CC_k-$<N_ixvNh5)bMo5Lfan3K1wK~aLTZ?dezm(kPF3LPXf
zL4==Yrw+gCC(=m?P^mJ$dc5T(qgK+@y=6bw^OLCG>_PTaoQ~WY=4k&eN1lb%29>uf
zkr1->6gW4=RV2Hb(=w?j-pw9v74x~HIUr<^A<`;ghS>!6jr@VLE0H=+tr@dNYuZ0?
zB?07ug#lDN$0Uu9Ak|m;0d-1gdauhe^ghhvG>R?))kx0MY1_v@LOs#~^k=;6v|sG_
zF&>l>@7J}rKrbyfaowFRZIQ;~%I0<ck*^`Vi!(5=Jhz%pFTe?q#K+@B2u9Okn*KUY
zaX{5Mf2Cy~<j0|z$iK#S0gj)ys)PjB_=Wy#=2tZ`6^}W-&>B3Yf89Wipo1P#FMPhQ
z&NvYNpu_*;;eB1=r^j#Np=lMfu#TCV?F+b71X))O1Y`1##1DCY|Ix~dirtR%%e|BL
zwlOxc_^by-gOU}wud)-$$@^v335LH(FG51FtM;(x(w~j+YcEc0_Rosu_G?o%Lpy|x
ztDC?g(LpuHoWNFv`q-EH-lRS85Q<Z8*I(-9ov(av7RpG&pF)51YdxVAmyAKfZe-(b
zQK-{qj6xy@Hg+d!^<u9h;(Gb)Y5`47=rlZfqj)l37U}pWqI?AvU819|JXGkJU(hKc
zF~g`NvY;BR&7zhdrEg>lztY6i>Fp;Q&S1PXSkcl?CtUYH3kMb$UAR@!`W2<OAMRgE
z??30)>i}HhF>alHTi<ty*Q+x_su%m=nTZ)Cn7QG-+<}zwX%ubb6;d3&LdW_MMV4-+
z8kC4c+a8<mR~B5kYb8dvCCNdfwxh2!kV4KAEMVp?nNMHex*2u&D3o823S&MB1belk
zYM(jiIGl*zH$O~y|NPYRZ&Wwq3j-BeHYo6X0<IhNJdQK-3noXzw*2XioeQ419+Vy`
zcp_MTH`K#RVqdp^T+U6;7q%17`=e>lC#bfN8a!NWt_>P(%`BqdewB_n+O-I0c`ztb
zg0KhjdcNmtNMU>fqE1}y@9Z@0HX_<9>-cxl@k}4U853pC#unK8d#N5O?maBIaaT(d
z9YF!QSH<lD6ONm#5jK2M@wz_M@9P16dV2Ne!sadymZX~t7&Axe4%Ni*Cf*o(ygUS{
z`V$FXpsd`_IOht^BB+#rfJLgtLwr*kCgachcAwh{JS4D`Lj2KjJz*Y&Lz}EfcKoyd
zz23>zSb=F^8V$cjEH1x2V*pcKPFs`Wu*5P$7RUQA*Qd=O_U{5(&il#!JmFnBKOqm>
zFK?o|1CfJ&I28P9F4;a+onQ32r)-#|F#KyrgRBIiRk1|SMO+i)x*yYA=6QSPZ^`%e
zUHas~?{gKKN`1Xg!#KvC#n>D!jfvJi@%SKtxs~&al|nJkNo^t&O~#9*L|JWaHv^_c
zJfs;*(?tu<xw~}45oaZr@CTRPtH93d11&zd<sf#%;nGvyVdx*T2Yc%hp=2o;99B`h
zsF9N7{FWRz<RO&pawq!+=Bcv~ltSY5E3N%qOA}!~(eF>^>))5`L~E*A6#Kl=GI|mi
zGgeOa^~y8@p~I}}eEWJn-jPfQVnq!4)(!`|C5Qkw&HWl_hdmo9hbnIf5e^SFlA;19
zM}MYTem*)5cU}xue3{H2lz1kGtiD*_Auwk^B+k&ulqBp!n@MfEo_(9YjKQVVC>iw2
zlqvPW@r=Xz^MIw{udVz2Jh%4{*(cb6y3>fw7`%$aNLE1S$)W-N10!wuNe<b;<D3)#
ziQy`taZpIst5GJl#!#lWq%;ea!A_^?R(x;rhslqSzzYT1WpgQr(oasnF0}HdCtAxV
zr#_|K9zj+6!0)%^3AKsnGA(z>h(9R#_`PA))~59aLdeK{H{j4v8;sE*G)=}eqJ=@d
z7vGdEEEO(M?LNhq7Y=4?4^}*%{UpwY<+W6U{rwcb&N@Xu4iMnD->MXf1<7ZA=+>y^
z;;p?CaK9k7xcj|b9V=xC?B^LpH*CcZTh=7S8W<s+nR`lCPSloOj5#IXjkSPEAmX;6
z{{_JPKDJB!t@pLyAuOEBvpy4hh!8Y#s<H1StLY-B{@5&k+%%mzKv3~gvGGugU^_Z>
zm{Jf+Zg(>Ou_xw{?VBq2SZyD+*yG9#tNDm<a=#`XF(<!u;st-PXx^77{LJ`IB!Bo#
z?eiNup7NNpU!TZ!tm<!j%h70Z#$8P<>_gY`DSqFp;|JR(+#<h!%K3DQBTIeFr_YrC
zVgyQcybKXE+lbHqJs80NjO9+;3Vq4HTg3gSz=RcI1>?~4Nb@A82&F(hgEtk+{ysMn
zy4rNv`(8f;+oCNR*W~_A@OuxUTtw0ueKgul6Zc7LBp(a<mNtG&+Qd`~3ds-IpRw^#
zd0yf=Q+zGX1=hE$lDFw0vVcEvWFgrvEqgQI)O(biEQ*p<-X-{ZP#zovBuO;O^F$iL
zn|+GgUujM~X5DAVn;71e4L8YLWj`+-VR=r|B>8lu4%x*Tc@j_21||A^BH4=FP6!OW
z%Zcui!k<PV#`myU5<Gjn^TUgktf+e*;)J1=ck@obip%|Xbx)6*v%mQQ+XZPZ%<6M%
z#*f+`4s3aQKnmx<QvKZSMJHi7%ldJ)9w+9TwCK{k;B@!r66iJFkjydcex~OS5M-3_
zY+E6Ekm{=L+fFj}+<N^^+dCQ;sgQxepB{`*jv?-(Hr`Od@1p=wc?@pWbX_3a&SeM^
zXN0cLGrzg}aH`1)u9)E6ix-`4+M6B)Sjn|M{Sma$?lLBAzevTAIYgKIi?JsUJk8Uz
z9klmLwp(txQ0p;v<)0E&&D0H=h4Xnk>PHEt(B*RU%Ja8YG|GLVcSAa)>za46uGES2
zedUL4Z8Kv{82Pv?6*_tW&^eB`Z^Y@30H1Co>~p0^|4kGkiHh9rP9^i=Mu|<wX8YIe
z-$a^k`QvFE@As@AyOxh>>W~1E_8WlZne{hUtnxa4kok+CSaoOJ*<<O$qc|&*vyCe4
zLJC2@1N|8Gsw&psfT?e?#r`to4#;$3;^DF(=8=B<@`wBNT0d`1PBEFolL5;eWg37U
zFl2ZFc;sL#fZPQ|vU*BFLEb1Ab*0}Oi43<*c=as*NgHv%&wJi44*WE$g~Cw?EwueY
zE$Nm^uFPNbDRa`^L+kq<s=A|7efdFkOCs0vw{(F-_85ZEj6B_bWoM4?RTwq_62=2?
z<33p5TslH{1@3sLaq*xZdGT&zH>?%H%b$!T8y^i9OwH|rJw4JaxJO*Ms%@Pp*iTAN
z3LisJ7Th9VWbcE6DtkN^%zXqG3MVsij}2(Cc^VWg!-6W{O7$)ORsm~MvzWee@}X|S
z5sd7yZ2g%f7#eBYk65U5?%yufDit{)eRdFmre1l>Z4+#gpND8f#s*n)$?sH{!VrG{
z=nj`J@q>ngNnzveoms{@wdM3{4$sG#jI8PR7)=6X#7nR<(Dvz|xOv#1(}zeR@BEU!
z(SBmR_bZ(G-L#7lDyhf}5Bn(t+!O@+)mTQJPDI^#CPH6i+Ji^7eZ1bEa_&F%Cq5L}
z*7Ax?+Vr@8THNO~QxnS-U|CUuH)=5ayEn!)Q5b!b0ONzK70=P)#CVnu<CUm2kaM^t
zxWfLX^DMvkRc2Rw-sAlYD((4Oc!ky<(|MKP6Ml4XDax12m4OFw!=~5K{xkCXcE#oj
zHGA7<GL%JUwddRWxnI?sQjV*<#bKOG;aU7xL2kItkSDIK#S>gmHqoO_&Xb+#Q`wgO
zIt8vqy&(&6l*merSA4X*${@Td#@p+X@OM37g2%sKIwKmPnxzzcLHMg#gh5I$rEceP
z`^zWia}v7&SZ)y=^JI-2Mn}rOv9Z(jlMJs?00wTW9MZd7mV<Vwcsq$L*t#4|=r|Yl
zr<q;y5ufk4sbM@O7y|vw6}mSZ{xld=C=RdR(SU_^!j=!Hkkpkz*8Y}=Jn6H(y2Z6A
z6G=)`IfoOM73E%F%I^tdwAH$rgIn=BaKE$JpuS^mZ}nRM7}U2b%x@0)qj?ZD?;2mn
z0pMd_YD@K5m~o~SzxRoRI^)DFC$SXuEg6;SN*i=8rfDKH&fPkD`%L0LVAzMnp3RS1
zlwm^w*VTQ^!(BaRaIV!y3I0^YPDW>*U3%VSUuoYYcQ4xY{>{0MU#3>;cbzq_<foTI
z>@usWgDY?Osm#XYn#1{zV@HN0?Yq|PM-$s-Ab^xFw#k;@1WWisJF|{_rOOKeN>kV)
zZBNoxQ6o%U7LT!ozAf}1U0dMD-@!H=g}Nv&7_`YZ{Q!yZ9C3&RR!sR1dh6?(5y11X
z=n|>ya#G%7d>z;?Ra{!uczGShgm3|C-o>-zI5Y&nM%<P59WB6`{)Jj_zYq&gX>JkZ
z9du^~NLPPa&U<3%k?;G-2cK7sZpmTLvK*_^o-DNsg!gEZa}%!7J@Ps^`O4~9`>>_m
z9{svXGY3uUofZU-C9FWoLBSpT)j;_ob74%Ax+(Xnl>R)<U}qC^vqJ@i<r69oI73lQ
z@<vr9|7mhLZ$qbCw5NG&Y7R}>jSjh1Q$N@+e7vsayvG$1{8P|oDUzN;(7Xnh%sdZV
z@_-jhGA>H#AE7oB*Qogorwx?YQ_jM-wqKhfOnl@YX;q%k9IY1xHg73?9SAapqwZTa
zO)7^^SDuad90nQbiQQOyb~mvT!gMQAU*vg(fh;T7`%Y_*O%Do%tJqCzXP?K*;kAa!
zz}(vY8fh0+>!9p!R$U~y!u?Trg!8NJ2?QMbG@d3fhF8AAH(6jqy<$FTN8=QJ-ps{1
zr<Nx}06Vc>_#(Ff6_I!?H8^Vtcc#oK*7^Bkc^umxtS}&?mCxqkizU^4So@~GI}GXR
zbU)SBecu`gD)xe=AQ3EQkd5;|cQ*gmGnP;hzeQGAg-@{w%DX(JcaUvWJZFWCaw;J+
zNQ2?V!Ay%m_s@FCNG4>_#J$g>_%<}C>X`mE6*c%lHSrkeFOya8(9!7hCgjOUxk}V;
z@5Gb&xZf8$`TP9cb6NF*C)E>V(rqW#=qRG=&h=dt9R(MrR!R!b20#$>2lEDGgoEs>
z<C$J|=rI@fNC$<D>dD5X{JY}tj3uu&#1i(LPig$ia^uBJe7nu$<1s8^)pyC|O>?Pf
z``*3)wyPK!op?MZvdFcG1D^`T)$8D>%MES9E0^{<h<`du`8eJBG&<}8<fV8J*w@9v
zsZO(f&s=;Ie^3)AI}FXMJIZXHJS`zto(4>6Gi0-xj%xB0ULSa{PnS-1a^Gb<zR8iz
zVfiOO1L@s9!@=>4%PSji7egbPwsX||8}Q;=zx9#e(-*UZ-z!vr8vg<oeCC#<#wV8<
zt@w7kG|ZZ}+dL1yV*!*JkEgQifLFYT=IM2B0N-o;{Nrny+@$%QhMZfS`0E*No_dq&
zyx!EU1+fR71Ihw7l9d`Sm4DWez#u(j{+XpQ>31e+$Ac=zu$stgj?IuXLcwzqGHzYe
z;RW8a@i5s>YdxvfJ=G?17l8d1zK)*r*ZKE!E^L3S*y}htSr5?v{zYsqEOxy7bEk4q
z+hP<~D;>eKRwHx=^(5Zlf-tvhLca|(G|Q&*M&_zw(}S`|EF#X~v2U&wr<$IpcNEMN
zX<yhtNdnD{-^AokH^aWaS#a92JI8kHSz_MyM`Ewk>3p5ufsJ$<S>BiVD#eW=oll2q
zM(>-8SP4XQ&>xZe^-M_P*c1XDC`*3Dvy0f_Y(8$Q2G<8>&7!M#{1Qgk)UJPXi$)I(
zjXt04OZjWcm5_hg6OPY!?0oTt!>8UFo0WRR!P3wI2TRZI#pW!<yfknWRVv;ffjU0-
zU$6bXMzjg7kxL~Gd?!k!cht&fpO}Ynq$;?+Ey_tCO1mdsL7p+e$e%*&Lx$r?e*Y`}
z;DUcE)K7G*s5ejgpM76*wmq%5n4;wfjCNOmp$EexnPdCCx&UJYVTf?K!t)<DI^3Ew
z_2m*E7I4GqU~k`{FONiWS<q+Jkyd$BZ;+M<FJv$b>HhkIyPb6JE@@JoboI(hJ_=Mh
zlfB_&<y{z<eGNu(WPW22Mn{M(w&AwyF--%QvcHWBBTMo71Jj5h+q5T|+4pIKZE;O#
zm0AVH;k9AYp*`TL<0PU{GhNucq9<{4o{&c%pp=hM>iy!Qo<7dK6uu-p+UVZ<0UjsY
zn~9gZC{AGuhvcR6Q~P7~O-z|Q*Rjx4d|~lLeBYW|9@;{Ddtsw2n;VmVFx1e3j^@_K
z!xLJ;`qP+5P7)CJjq&OlC}N`nw^hqXdpJG}pb@U3$GR}R**CuOf-<q0T~gx%bib;q
z^Tj{@;+i?0pnw<WA3Vvah&9js-2?o0qnFA<qQ(Bfx1kp3nLA_YoPw`+Uo7^}pC0yA
zjMkvIU~;%TWB>j~3_AgviXO+fI}HnqX2$Ex<on|EB+|Jrz|9+Aopj6`k{n#O{PYz_
zqO0&~(JP@EpVv0B8tq(&fOx7}XJQFr%u=GCN)mSWHGm!M8+Eez;%cYm1)<fgLI`>`
zlF>;z$f@^1@`P2bd$G?~8_L=$L7R1L#fnt7Z(hZo=ysDY7;De#(p|&b)2q(U`W=v3
zHo#?#=GwJ-?wf){|3q+l4=;`M3y*hzzICo3_C*%}G~9o1vd5`fd}2NB-`=;9JIon!
zM%*6PZ<xSE<ty%!h~d%AA*_hA-yCl9ZJJGVi5$Dsd!6%u!9K$u>G^j^&No2LpUSaG
zy$wkg5EWsm@Vb1^O?Wola35A1929P6QfyLr-59|12Ui8!mp}E`p93E_5B0C~?`O|E
zt^J&j)W{nvDEoP`2VV32opMkm%$0Sp@7?X#ZK8FeQmQ$^(sXO{tt8#$=5zEHGqGIR
zKS2oYtZ#n7w}PACpWFuSoo@3Xllpk3o6l^~IsbIb<@<v#xAlX0W?%Y`qPy<v6@Eg~
z9oqQvVn$I%5E0VeY4V&->bjG|_CQ+v<kP@-jp+HcB`RFtuctCQ2LqJ&zqf;e77w#<
z_WC9ckh5MdckjdVU=K8;?SP8T7GIF8ec64Z%^?Aveua20$s)-5oW?r}=cWf*=7~PR
zg!Y+(n0`2h#!3RaHJlv6O4*QESW>k7jh<LawN)Z|u8yK=SxwEonM|qM*ba-f8Gib4
zw{G&fj=zkrp*^aJ+d(p|`7OhBI-BVJf>u!DVCyI9@@ZqD``%50oeK2;1Z@FJvmRy_
z;~|u}fJx#vk40II>%txGZ0v9l=0T_ZT&W|B!*EXr<{0}^mN(11#&0Q8mUoBq4|aeW
zO_*X`w*U|S%0A+=t8r>HkfX@M#kqMYH```zjNWydf%fx5JVWIq!ECmDB2n`PW5KWB
z^u<mv?Qp{TB{M>!!{3QhNo)jWXBBj`guC>0dY~yQqT;oh>w_8}{Ox^@CpX9}PM7v*
zxNL4cpq>f}FWGtF&rMsLZxH=fA<`RJ^;}Nf6fMmY5`>IA84=jiSL4H`_H;GJao-Tl
z*zKK`e0~X_w>25{dZpIUR;nl5Gf?IAU*3ai)xt$%kMo3>eucXpa6m`%aQdFX-YZtP
z_}=aThZ@wgISNI^V2_k^m-9&no0W`>se-yFSE!MV<nXL{<0b$sOXQj|1^0{8&+^fB
z)KpJy1-vxjaDFy0SmL{L-Pa&_|9m{A&-qkHy*YnWv6>@Dlr`fOJ^UjsElr0>(8L)1
zQrsy;Vc&bbQ`UC9OSrGO=HZ4OPCC7Wqx}$1+Qs)#Gm-)4rqkyJlEXd{Uvo1UA2q%6
z)e`_7dyj4-aX0~!($Jvc_6(d#Fhm6M0NKV{8S|4K8zmDVvnnCvlZ~4h)l&}kKHR;W
z%P8ePUfR7eK+6ZtSMgzklEb|1xeNd?G~KWv{0bf0p3ksSjdeQ5LkaDZi&9?BtD54e
z@^f+a$uKzHW^>Ofp<$)@yaF}N9~QT-DX1yo{@;-+l<SQ`)*7})&{cOLk2nz&HDCyJ
z`po}a<MGP7m&P1f%6M`a&mVLhQsdYyoGg6OMDMKjwr%RqZ71tnbu2H4=B{+U6BZ1@
z#}|8V@-Hufg>L+|h!8LkvDc8x$3rE7C0sAge6Qy4M$AO^4B8eAg-;8Z4LCh~!4z}Y
zf&pJjC|x`WeoOOq&9h2BT<iTCJVg<FZqM%J^Lj?hA~IJha1nZx!*`#IQ?W?Cs@bX>
zq5Ib*GmncMK;IgZCGEe43;Yry>?w}!2<IHX>f)-G3wpTiE*#o%4~flfyOofp-HMar
z8(8>V6G``X?9bm@d=%RfZWqdI{3_49_COy!1biKG(mUYxT`gR>$P3CHl^>{oQ>&Jo
zEer1P^+;;plfkcvGq_9)fqAc*CENCS1C(+1c2PgIyQ+z=Kk_E9*6DYBKJG`FMD|J>
zkQ9O2=N@x^kV)>Y)BHxm+^^o{#M<W;nw@bXE-mkT0ap}_O6bW48?dMW#)ro(u#Wl(
zqcaFD=B7qxX1<<;@R$ejH#_QpZWa2r)a?8&wUay4mNpI#?faFmQA=)T%kkSy(X(+4
z^qVnP%SILP^`0s83-9NU-eT&}6|S`QjCWisz&saLKWU$9>G|IZ$pSP=Uv#2>-!uMa
zzqNL=*!WetwvSH=^c?u&CHv^l#npNHZ#eU2hKK6%K8!u~_=pA_2!N$S?h`trF5<wj
z-iVJ6<03unPsx0w3u;}^HQ?vcMK(28AGU$GDJu2Gir8Wo`35K!O<B@m9nQbODrE&-
zg`p|ePGbSMt#k8gmgto?qznI(Kx?_$!Fc|HkoEeK^VP4y#b?)n9}k9K_D^a)9i{u|
z8cjWfRMf+d^p(E#y>hv~UG>=-F{E+C<MGP&fz_~;bbP$6LxKjP*Y{~Wy_}Gn4JJsp
zy+$M_vrI`RFR#pGX4~j&->;waRiAw%EM?|;S^vaJWR`!rW9TdCEu3a%{AtaF6)l>U
z>~tS&;`gK|0H?oxaF=sAZxP;Z8f2qV{5i3-Z5=d|9)8r0y>Gg&9@cXH^Ojh=b~?#2
z_qYnDt~TG}Y*}CZHFpZqDd*?~kMOh3EbB3kd~>?)E!u^$@RrnFf8_xX{x#S4G_3C1
zt%pKB^Qc8fVBy&M+|I>$DL~@+2pM3HI7|IwPv`w~xnL;m_S^luiW(SdMkEZ)eGt-X
z^HDh##RTfCDt$=y%^srsxl2aJIg7IL>t65c{pO(^9ZkTzw3|lAG*YsM;4@#V2ZM`7
z7PtqzxrJ~)v)dRZBM6fotfB2SIl@(Tzu4(<N#F-lM*aI7+81~ECagUdPN@&Xz6g7C
zF1+*C`kE-|(<iv4KLGqjx9~2V(F=_!XWzzXNGi*nwBD3Gqo%(e&H5>>AzE*O`?vCd
z*FGNBQQ{suR#J}dkFF6<H85&tRJEmm8>$1Is6}K#;A_7ex`llg+)oE$!;~3F4bMOG
zvfVSUCDeAck)csduK#kev&SaNwWO!xSHHE#zQ6c)*q`LTWci~}`czlOE7}7<J>pNt
zMVn_niv<1vn>pCJ?K^0~aAybFiNPyO%&=(n1`9e5wpz*={K*euzlQFD=JrCdmiuMt
zZQi(cRkGm8o_XJWH-XGD0gqSRQ+wh-s)(Myr3?&;{jwy=S2tHU&(M=gz^%K8HJxMX
z&_M88`e&WLN#Fo4(~kyZwj^G0eOvDH+rSA8!$m_&VBXpK$E$P1SW})WniAXdZGO90
zyft3LGhFft-#B`*->8(~#?WY$9^FP?b&g;B##$H4SD%xM2}dJYxNzBc65Td$y7D0U
zQwdcuT$4XAPjkDqzI||>CY+Iq{r#)niTIfv#q=A0F>3|#BHznC3&Mam{X?Ug;LE9n
zK2N=)guZB;1KAfj@^*kPHS#Z<ZZ9t|$JSNO&p3_T*{%15P27J8)8Q0_y08x;=*#7A
ziyO~D>>xgw59Vtx+PI`2bD|+jr?0m3s2K@t_G>>-QeDAc0jN{m$Zt&V!O!Vt-MKnq
z+I`MB8jpT1J2{PnYjtjAi6*cLgLxXT-_NC)Yh-?a|3!y{<-fQ7UhU((o#RpQ!zs9`
z-q3MaG1uy*ir-f;viNlLs}c=Oowxn@U`Rl?+E@&5P{ni4y8C)7_4n{0o?nmCLZ#Hk
zrx!|}l3d&xgc>&p5K~j=oBKpx+i)cUOVrv-bM$uEdXv<1@LF%yC>iN7gSYd~ta?S`
zp?DN{uKU}WhD~`vLlDToqM=jdL54MLH}eu>Te%_rmW3u0)%vq759Mh%H0sYlD}{29
zxoFhZ$E}9x*)1NfH`K`Sc2%kT29~Uzxw_AlE}??OezQlat9163nteEK+eep!x}d0v
z)oqr8O$_`d-Z{Gv-Jb2vKp0&w&t=mc;0IuuJx1VOLHHZ7XXM!fen+jzInx&(t|u>-
z>iv`_y`~eTD(s?@-{$FbZkuXwe{N`c(AW8}<hX9H$$gX;hUjnAaS@%vRKYc59<9*-
znrGx#o9ZVf862G6%|75)^7yz)FF4w=C%ZQVAMJfJa~rbp(+AGibI0u^gs{ZryRa*h
za+(2qJHD7EL@0V69H8Et1=TSJ<{F5e!v=}%dAK<1F(L25p!cw5x<k$BnM4<$m}SYq
zkJnPNQM%wOqgNoI^lDs0b((%xLOk6j@LYR#L8ddEWD)|@Y$mA{?PXPUgyDoLg5U7r
ziaovUEGNs5Q5E~C)0zJ0lpc(YM8pv7U;ZqY3ukgr5lAtQ%W=n_^G}WdNIssM_sVS(
zHGae?dY=-))$;|ko}zd;QM`XU=s0<8c6;6U>A4U^dwF1wgDF#+eF4$3Y-g+Y1KT4x
z=yQ2O@pIB8OvG}d<hR1-9umWRd~dNK<w|Gr%s$uO{nH*Osqk*pK8JYz{C*-GmY)2{
z8twYStKTQn-7^RW@7Cp5#da&suV;Gy-kz@hrVe=0AYD(LeUe|?qy+D&0`-li{0fv3
zXHNF$aSzVVH^%XaC`jO<Bwwm&?t!kObhLp&pH~Xe84%Ynk5&EcR<Q!4>e{sNjPdAx
zykmXij(=$I7E|QDc0#gSTyGbc_sUL5kmd1)VX1-m_jqpFL%iHVM>KDl{8>c(njVGs
z`fY_E>*)7G?Dm=JtHPliPcaf)-SYgZIR2Y-#^=O9hIMZ@-OzUEnI>}k*QAj>D)3j9
zg0ro2d)5ru5qh7!Ae=ICXFZ>>hX`?*f$J#l8gYA{_sA)cY0V=~Ru(C~V{&J0^|~j(
zA_&15$NDhvDu)H<dIzSLocwQe8<ZX|rh9t(x^>k~%F{|9cEMwEzO(&v`r9iMXW(C>
z9xBh<+C<fhjPJ~^7Q@qNJ#?L}vuGA2<ApwNVo^7NeGV@_N-U`c)(I=UiTlKpor`Y&
zy3=g`OT?ZP4rPa5nsFs|p4xX0`trq7PboetU?;EibDUi77v3|s9}}|+H?{vgmv`xM
z7e~E6*j=V5XEI<{TA>^AWG1jq>`1m-2d!8V`+`Ht-6gi2>zN7wi<-a#xUBw>77#~t
zaKXm?l{&M5rj<%~X<;oBDYa|smUoi_ux=`j2#iFu;jW&wKTq9yGRbnd9n^;Vl0!Y4
ziR-$N*^v-#>|$;~V8F5d4TGt49pidW9CIY{JJ0VnUu|`pFYESTUg}@o)YT)|s|`ii
zc-Lk=BFsVY#u;CP4b0=$-q#!ZKDBA8WzzFp$o?@9zIqK?R5b8yV8C}WZE>XVdvxLg
zlbQrM(0!hC^BUHixeXNIC}V=wR$SpP^>UMNE%0oPc52}lJt<L8kn_Z{t)q|=CDf~7
zlTE)&zwh~J1z6_f-+unbdARlA0cKJI-<o<(f;>?F2<dw3Zq@Xe^nerIch89NN@d7b
z+c*+ui*Nf05*{5rt5!3?8Xl>IY!R|TRtWWcpF@=9p$cnT!?U-;U%?%<fEi8ktu|x7
zuvAF-ebB3L{~8#V=a@dz5nYZ)?wxMRt@%drB?YQRa<=Zg!Jv8{Gj(IVO<1sY3Z1-Y
zT5Mw;322A6Qp<KotdeC|zSM3)X5yyo5(YYP5njwotdWkE%C9NbODu2P$}@&}+$TS2
zyjUn^fO<*aA1kxEX0i(O*;j<P{n9g#Y?A{d=|?n<s(!Uj@A!VaHSr_Kj0H7bK`IGI
z^;;g%w_voOYroeO#IyPX9FLluSIADig)NMy`Y}i<`+lBJJtOyU%+UW@tP?Pr?lg5P
z;8Ls@i{@ODxQXWGQFG|N4!7r2^a7mCC-_RZspQclxz}hwDFA41TatagSrdL*{mjxs
zGz@Hr!xI*3pRVx7A7}n5Hv{^&lMjbA`x7GL8Qle4URP)NoYM8)Gy7+?%+*$b)i|)J
zxjNd2v5thDp8=6ngJ=~4CeoaNBLY9H^Xv7`lZ0XRbpnnwU25#d5Y*2@!-QRoyo3_g
zMIIb$3BIR%gmKxz6@EpNwe`zllhXtDv~7eHxe2>(&utV(-DL2G$rg^qt@${&{_--f
z!L7fS+m6<z_t?vk2zTXc7T&#+Z#>W*CcpMY25ROb+<(2h?zl);|AHwsPxhAF_r=py
z2|VI>;)#g;b;WUoo&807M4p%Cjq%fc*k?_52wc~RzE39|1q5%L=a&fryB(7=j6tBo
zI~7%@xM5{ofCJ=Kf0Dt2PVzzR&IPXJ0*ew5mPZ@mJ%LOB{vw`k(?5eR|Bjbl>O3iW
zf79cKI>9;pv3aWT9g$sJ;M-W8uOan@)+C^pP8=jJdEvatx{2P`eM1EWrW&I38r>TO
z_@<8(h-%!-)l<IkvoUe|V-Cs)N;vig+Vj^>nVwS4>B+zhMLlr`+D$(*qsI1!+(Ou!
z6M=3jsL$pk*!(|OY9~vAt}#8~#&jDsR|<{iT`XA`VVWQ`1EOxRm+sIN-!ghQZu`9{
z%N}Y7-jR8y@D3LFoM_PIH$#s~ZCr1xiZV=}nI{g&F^9i5T|dgNd0DBTus;?Upu)b)
zqw$yS_prQ_Ap7*HgQz4^_hOZg{6!_ofG2&YjrEv&1m<t-=q*W+sPKGisS7o7+e@qW
zLevaEb5gc@xQeZInf$R-@CSbO?E!xJ)ZiQq+fvNl(tY373SW2LmID3v^4b(9tPNCD
z_x%{_1w6`-vNY2wyl${7(HD+oQU>z{TByjw$k5JqlIg7Uuc&kToEjx%&byBDX-n=)
z-e3Hr-W`~RbF>r)&d)G3x60)Zo@bl`6mcKOX+Mm@at$Tu117V}B6yW-ct_#)P<h#j
z8$yMVPm^?akfT~=ymD#SFRFdtl^<jz&?G?f1q7mXKU|j8HZXUglc{;~&W?YOjVaZ@
z&AoPHy}%FZWDZ$*JPa8RN7P|-R#c4yGgseuDAnN?pr}5>M^fShTwy<-UsQ{6vmn#z
z74<MIJ;Y<XBcp_uW~|_oa3U{lzEfP{f=Yl>?VH2rTQx_C8e(#=RT!K5GGI>E%xGeV
zJwFZs12c+8a6Z9=4Mo|TUonyu-5Nb&m#@y4K&O88_4?7dJnpz|6nFmo35R=%ACfg2
ziDW3}y65?#*@p7L_^yX)r`v`qy>+&8>DIb4?H@ZLd31`M5q{}^Tx51dgPyt4ih!sG
zZvfr(vCxAqzrS3PtP{eSQI~u0c8lQYregUVXlphUNGsn2DXVqX$3hLsZcPPQF&1w0
zK-b^JJgk@I&#2MC<q1<-{?As!mErU)F!8Alz%@rpoCN_G)mnKTF>=*De0foK=9)$H
zxIWTwbG&+TO(Zowkf+{$@7pvoa}1aCUJ<&2Q@%laxufLpdBDsB=N}+hFTDWIx0p)Q
z+uPL(Ni9yhydx~>y@bQjzhcfa=KgH5-Q@;#cf4N(9bA@rAW(giSQCrw%3+`wQGp@d
zTqavDc#9gV?`<TiZ-1eQ=Q9*uIC0R+o>z8;Uy2W#61q0aI*7%WJUyR}$_VdaEZ+S3
zN+ALi8iJr7SHMujCYitMT(TjQl=zs7@AA1b%tpBckOT>HtK<u1S^Ps3SX#|4BTMF}
zKgZ|8LA<OWJ0B`~pVU?}94wr~S^2Ye3y}wieuR82&*Ue3{^dSqWV5kP(ax3)yuZ2+
zY7NCP)iX;iyA^Vpzc?XKUSA8l7I14YtKRlG19rCnYF!3Wdf!+n5&npC#26$EZ%Ub!
z(-VVDi5vCIn`VqupmYSpF|#f+f<q7e-Tfb%R3#Aqx~}Oo<mm2ct}E=P)-JFfEnH4r
z2ezsRQ?*0!T4VnCG78LysZ*-ubY;?2m@|;gvPzk|-#!iEQLS)$-h5<LG^m{5+=wq9
zO;83e%|iIj0yg=4<`;4wj8BHqYt$5$c@PH}zT@c?tYM(PKBtkn<>+_W3w(=@Lh<WC
zUxFV1f_vz3p5EchhgqJtkOy}=&g?ju$FI0oeo;d{@dMS8Q%8PD_WXmx<uLVvgpYWi
zPD?V}w@cM!yi%g}7-AjW{?Yw56km$IugC4>ID>=9Ljwu(wtc<&c(i&kZP%luV(+oH
zQ2`vpA*pv^nueNO7PyrDdyFjR_rQ1;-ktjXjwAQ}EQh&;-P}+PA(PbWW@snrR7!*S
z2IHq3x`G`R@B4Wjg+^~r@M&?7vxGgkV{;TCJZ;Yd(-A2>>E<=?EXlDb0Z^r}MN1%Y
zdiDbQ0*B$qt6?gAnv;EaypTzP^OdA{>9v1(#u09w4Zpu*i4VphZF3cTbx+E>62J;m
zwys=u?%;TMMk%<ioWm7qB^j-^_lqMQGROSZ^{ZA^wAgs$XM}eA67WaYv6yXtIgLDE
z^Jd+xpWB!<l7x}jXwIn$Mv*+i0c`TDKOv#@gIqj5Ey2hqc72U8+VAJzpSk&SEPiYc
zhtnw-K|&ayf|EbDS6Q8VWSWk)dOW<fCpV6{66x1y+i0ZNuUg<@U$&>fteZHnnsoQj
zBCZ@`_{;sim`U+29@+2m%O$E~Hrtk^_c>p`cl+?ZQ;%DN+_HEjtp(Y`tm36Ay&>|D
zZ(hZ0-^kK__NfT2{8kfqn=r|A5c>EcR5?TY_K$Gcqw&&Sg}&OuWKQR6TCXrMhz>vA
z6daFqg~o&58$0O$GVXB(N`82PT~2=}A7cmdq18}<Ut{yWUZQev$a{DtfH;g0qweff
zjpwO6wOJ6+E{&?7=@l6RIp7E&wDXc?08v7E@<ldoAAL@QV2%g5CEfd1`h4<d!xICF
z)u&Jok|9JWe%Y^1IOZycv8ndi6lwfA|5;~9(g31c9eRyWLDX7?S6YKC8t~wc_jqQS
zyJLyM{nGlxkO;<Oe;;>!Z7^-UfSOCp^>D?RX?N^5hyAJt+lgTc!c{Wk4(5;eL%Qsv
zoVMj-`iu0rUpdxol6wCH%=<^BtKc05`|eB+F0HkAS1CJw6(kz@DBUwX1I=jWeU0DR
zrF^`Wh6vvB2}Xg1(4T;aVUCraUr{|xg;gv0I*}zZTkfFjdh*RC)GMw992~FKPge8g
zgxT`oI{1rP0S#RO^jdDwLt>yjBFPgnE#ru&xWkMnva3BlXeF3~I5+Zoj)rnOIfQvn
z3#CLlqTFgw0XU{|L+|r&J`E%s<*2${pSqZ!Ws(tBfRiz&%C|kTQ!ps^^9bGy*oroK
zSmL;jGY@dDp?n>cm0Ps|R2AN_p>?$d>_}u~u%}Z?j!o|k$b5BL4HJxh6K4<6r}jBq
zg?_5k0emw?A#(Y6$t`WAt|{l9?|i;xe#X^ql$qiKN{~c!ASbXyOIW*Z1#CK)0+fc4
zlNi}LdtjQEPhthaOIR_~a!`b#m1q!+E{vgl`814_FJ4rwEbXQ|AaYUII)H=v13Z(9
zb)_EPw&9<@hRpn26gq~f9%dU@sAt5_(O-HvOZgM^I!2z|=_i#sLn@Eq=<|<*9zWGM
zVXZM=55}A<?gtqpA&$Q!k#RP8fI{ispGjJ3?vRX({Ri6pQSO3to4@zx^<+tx>%-M7
z<(Bl{3=C%d^xDCOn&qxZ*pq6yr(!r|2J<*C$12X6#}}@r`_4;7Jm0GK8I!vvR;Ob6
z*^b{i2cP~FXWmbVMOm{DA9kAWK-)_gELkI2YhD;vp*jxP@IAnh%u2t5s~z{&;A6=b
zUI&%0zpvAW_j%eU)l(}Hm?t;exerOZ2Rr8LGrFI!xQw%Sy|h>F#|H28Be+euy<74$
z?gRI6tI(%Zd~)<A_fbvU;bsr`Sgbd(x6JqX+@eq0y<$gz-GKm_iGk8V!|QY=<e>y3
z4Gn|pRo}zJ#<x`H{?FAPT%R;?I#WhB9*8aq-yEqjuwb1@4iOsGNo_l*a8$ie4fRle
ztf-#hsTn?79teGwA=2pf9WW$R=r&+Y`fOiPc5|2nurdtyeULlS2LMcioDTtxsJ)g{
zAo9dE3wVyeSeb(U)zHkB@Mb>S<xTvBvhNFvfST%LMZTX~_bgDbN8E8*fvH<|VcQjf
z4)0-$N$2}pPWK<hAE#WKgS*v0h}J<hg2vb)a9G2Tp+)@}VJkiED9n4_d*n3Oh{Be|
z+(I9O-Y!e|s4lin6{mEfJ#7Nj(QpEDi42B(PU!9{wov^z?#%Ae6WHUzXXaKq&y%08
z=9g>xr^HSC>pgSN5MI}4j;~LUVlY5JUm3T&VylEs2C-Dd=m_bDg0DzMAEle}SI2bo
zk7C}yY3!Glcehv|2!W-Rcp~-uhumFZ5(a<XW-1)CT<?q9pN`)Iq~B^e>kXH$zlo)V
z@M;g77KbP(>0Di&6?Rt74Um+FyI;^*P)L3pFcD}P&HX+Ke&Jk;>U|+g^V<V;06~L(
zK0V-3`B(tpshV>R8}VZScLoR(v!|mT-gy#QuJI{7_w!yCFz>xv$Q1CA&6RN7lW=Y@
zCq|>Z>p}Cr0_%xP4yE1D9d9UD`XXsB`<UP_M@G+j>SC$quaeMzl}Q>lI6^FwqR%(B
zM#Swi=+VEYyZPXgwSjVq3a{oGab*(pSYH4(Ob2v0#ErX|$cxDPl`X*#<HBpKa)_}V
z)UW~h;C~13lm15E?F|Uga77Emsg^`^CpPc8HI;j!ziwi=2<Ck-n}S`(gY#`Qdd~{U
zlHX80hTQ0;>5CiSn`<1@-+7;QbpQ~8iGFhQOU=KZlhuNdEoC4sPZm6@@MM3fn%8Ip
zag(n6`1oM+Ym|d->DN2rUE@YEOmy%PHlPMHYga9E{Crio(Kk0BUV^UCtUD$$mC1s)
zIaf8qMp<$EsSBn>tIXEL4IENG&)%jo@e}I=nwT<>?o_Sk-=T`7swqv<f$W@>!P9~k
zp=L_d>-UjT&hW0#C82r;MbO$GU3pQNDI1V5ANP3baCgD%@OQwh@O!aY$sNlifAhm<
z5|z@-J(wDP=w`7Y==cF_b20?wq)DOvP31jt&bjT?#IQ+(ZwsS>Y*lCt_9*%h?Z-eU
z+ZSk<Uv>0A-t~S6<Oj=`n)8M`gn=(pE3;qBsXG5kVBzB4>c?OA9JxqqV7`H*ycJIv
zalH)x-uKcO?Q;TlS(;zK)8ai)&zk7)K<Z2A$j@nVCRKgHa-K;siA;zR!kSHdJ)|VN
zMX+%wQ~gT@TbLvasA6{fs1s6x9YGT$`odlZe?ApY`sbzucE)%guMccpwY%4?QQF&1
zO2H$TypXCit_*SqRL7m5Nw=hPJ)iKIow1jIvEFe>>5B~xx4Cs}$^cQfXJWL2g>OR}
z4XZ|<h@u=wZ)46_Vs^=b21Fk^?&XcPmK0ll`SMr*&N++C;`i?DqJ@^Ivinwuw&x=g
zQsO=K51S0@6-Ma8%BVi)@<D-(-0ojFP)o$I3`5k|iu#hj;|M)BVS?gH^0PSfXW!Te
z8VjcVFznkW9&XF1K>XmDI2FiCtLt-nx<TWkJBK;2PWN?_BJ@@54NK-?-*r*>v!<S%
z#XbFFu_?5Vw(o<KlA{pz;GrNHsP*sh^~!I&HPl6#6XN^^i>ZT#=29hDL$wFAB*HxD
z+dbfYnQ~b+Rn0*dk*N>5lK~O+g^0<#rP-T_B4)DYg!OG9dVpOKc&$R-uP2zpm=U6{
z*8zOxr@2qsXq=Il`7#jkvg-FY62BE{x7%`xzxozkyA$$i=eWDWB>Q$otn-7rtt&97
z5fGmuy{4bz7y8(B45#l8qZ?iMRdx?pZ=BX=j8=@Pwx>_e#M<F?kv~$^tcn4zW?+N&
zaKfHC-*&_%<|Pw;EKb&}QXU=dBCPqYZD*~wr}~|2Sbt$*qK9Rl%GMq^II|k|X?2=e
z0zSgeN{9OA#6;W5Ha<Gk`&3-aw|MGkJjjm6ga3Tru7~(H!lk<?_qq1K^6zdJyva)C
zLtKEC&erbSb>pn)2V3z5#GuM@^aY2|dbh)eB~wKX65c%&LNwJraQmhw3x)^o(p2L*
zJkhCA1$z_=>(VX#B||dgUo_SgC%QfD<F;~C{GKRU^taiHuf}siLtMaU%LxW_l%*;|
zaOKXi5|q($HL_^6Mz`XAB`5Zb8m4I^lVz(*uvl9!o)uS_F{+=aY8-CfC-y54350DS
zy}-SheFp&sLh&e{$+NAWcbT*Sw;|W|2nvzY-?2X9At8B>uw+!jvYTNYpAVNS9Ms(c
zi5Pw9lt`zWGS8)Vy2`z;)ZG0kFg;#Nu%qZsK%XO;4WKcvPQAD{QC$Z{(2DQ+XeS+j
zAI>ju9l{s6y<6!q$4taRS13l8tiH3Ai6$tY1*!D06L@6xPn>dn!jJuWB~0Br!qx+#
z20~}ao+M#!wHx1CY0ghXM2K*d_6=Cgs*T#K4QoCky~FCFwb$l4$`1f7b3P)X56oyF
zf=Gdg7Jh(%OrRG%L-(=vts@P1*%ZXki$=r0UQu5M)gX!Q3r17oVvVYEbk)_T|6&C$
zLEnkz>(1fRsIw>fX2hS;MTXNr-KU4A9<PnnstGK)7p=>F>b3RO=t>oTJZ+D_kdeQZ
zetQb_c8boV;RvLDI<vxG>Em;xf5&Q5p5Y&;?(yP5ul@+!h8}5R%Oa+m-iGDBfE?O8
zx>1KA>Ke^f+`cYwsFuyw<B#Gl#@xCf$f9Egampi6qu=>rz<9_&#p&+ujxO54bFfp9
zpL#wV$ovpAJTP46l^g@HwsA*RT(J|1dXgXjz8aWUT@zpL_~!>qoX$0EDsV8|vpuRT
zTwzHy>fx!EkLhRAlwMhy?JD0%q42+-9_Kc`>t|A*JfR99Y!q1tfozjUPFqM6N~ps<
z7MZ#9)#8BNPvATRA`w_`mxsM49dz@Q4Um$yE4AX0sz}-2Rf{aMX)i5$*X7T~YCqB)
zf6#dxsc`vakB`#RmqX3A>xV|JT~uj!BAvfX$fI<8NNOmCFGW~mqAZbqfS)WP%{Sq4
zLXPfodrl`QbjLht#It96jLS&?l81zQ9CHSHT%1%}U*haxs6c-PYfn*5vsZNF_#joP
zC9SZ=LQ|X#10>vv6$-RoOm0Zbjzt3!(lJ2S!>Qb-1gIh*0DzX8Y<>I7iV(0o8b2zb
zyx6a@ItkIHP3_k*z%W~VFZRzs_{vy7Zn$ymR+haT+{<rd=c9=pCr|h}ia2=B)V!aS
zpl+N`EbGCE^@~#=ef=hNptl_tG<c%y4{9imx9pSFzMv_zp7h(yo$gB7TjK7Pc05<*
z0Gdl&Ck$eO)zFY#+;H*IFr=<r)RNPEPt=C15zzU)RYHC7+;858xD}?r@uW$Ceiicc
zo(&UwyB;(0;Rt!=PGyjs;2M82r6k<Hd?^^eB5cGt_*s_C@}e&2aMsn1s9vjDIdF1!
zGuIu>9F!*Gfwt6qqQ&3Ops%Hv<$c{9Iq8uQLye|d{s#(p*jpC4z@5|0PKEYHH%SO5
z?Vk7T;mNr0(<45!S*Y)YM|WC7=cK!WVDR*MVZk6ZpnsNDq?aH2PzT)yzge_{&-L9R
zm8oFRXY#dp?;KU_!i&mP1yapR<imBARYmu|h|8QyHTb{f(oUtJpxqIq=rJMl=l2P|
zI<^pyd9toAR~$NSZqHQxd7Imk)`Qik?qU622l~!X9HJ)eGz{%Wn;N?a-qi}i9e==H
z#!=ywv-a{2nZ#z+(hC{L;F0r(>ET}r>%z>*jry7fvh_i;FL%jba{SmODf-y%+%J{D
zPj@c1CrWqP%UCBlO)aN5^E?mxP}_CQLGn3;$EW@!nj_p7u5gTxpnYRuN3soe{F=Yv
z3(75rOV)ZfE{s2ELMY;yka=^F)hp-zUMfWX^GpYK<w~J^J;*7{!Icy%)z~TK3j3|)
z+wu#7f4u1B4Ymfa0jXJ;?OP29mF(e_Ti%EGuzZF>`HUw5jbIx~XF-3&lCq$z5<xpr
z{XClWfD7JJZTUtrt>3!%=N63{R5bERGF%*2H;vMtkh)m8FN)2+X(2v9Z~yYwkt4j}
zno~!=BbgNLn`d^Lx7YEdnN@AB%gOI~@ACqB2Txk_yi?K7gnz0+Xo}~otWEwY7t!@`
zOu>W09qmV$n>niH*Z#0~Jv*;9x=z|&$N0RL5`Jy(gwL#~d|q$mepC*Q+Ej>s+-^TH
z=#fKv4<ez<%MjhVOVGW%AKH@~6e3a$^|k+4x~?rnu_*dWAV_!=1rbz0$!}yqvXcDz
z*|&Pus+qPdM8q3T*a7t4Zhz^pbSuy2yl8)da#8?^JhFt?GY|#RTX=!~>Z$R;bY(+m
zpV9LpYQ{Xs3Um)(cFYE$Eh0=GLsH&{W%_g-Q~mp*6)$1a3AY|n1^`-q6gbv=PXa@M
zIcEhAtE}%A;dFWd&gZhIm7U_0=4pC+YDxEl)Vh3p3fUNxFFM$ohQsy2$2oW&ZSy)Z
z1AHwnkjc(g<Qz}4{3`;|CJ;L7X<jw-mEq(wnkc2>np~v>I#ZG;FV)t!&-KyT0VBiv
z=e|p?@68hfRKCx10f?UJ75sk3JFmHnjqRD2Cc8{`6yV=q+zv$vxo)(Vrx4QokG3d?
ziOd{u5ao5;-FJc-z$|IL&XAj=n6G>Et@I15Sth1?P;=Ao$3Wd{f%Ck&BLQN4+cQ;r
z{3Y7;yn8_xXi{kEA}(hjtf<xQkGOd31j=?#r!0ueK-`Rltay#qtPeLkKcPjl$b}^y
zFVH&DXzN`*w_<?YbpxwGXXa(R4V;WzOXi>grB=lt=+C<7`#?B<#B%JoAYrpeOZM<T
zgmE_GH?PxAJ9}@|TKA&lp#-;6C3h(bJAzBeqdvsv%j?lt8v+-Z`5t~r>duSjls>&l
zFMIcxZtuiswjXTPlBeh|T>{xm82%j|g&e+jhtb_5XGpL}z{d`@G9_F5XfkweU!gY*
zl)VzuXKeawL|+na{3ITFKj+RG<gy=C$Rpu|iCV8DFjCS7Rh>0j_{t_cKa|fD$_uG8
zh><c(pG%M?U_{+V#(cj4^6FH^I{3Z)LiX_dv;!<ByiZg0sh&b0vH5U4%`eZ{sUsIA
z1l1tN6mRgZ-+-+#H;<#A`MyZ!q3sNbxD+W<4krK{4!mx;rk5R4`nHkQrkjynk+LVY
zV7hZ3zh9p7luU3P@VpX+LVDOsZ1=FoQ#4U`4OoK98$I`@wf8RdVT}%Fow_R|!P_8=
z?|+#(tuyvjK7T6&?eH{22=NYT3&a)4WWjKL?sYk*!z}916~_?^(ON>PDfurkeY`o`
zlP~uMSin+^+6R^fYSbrc_)L#$#4_peVk7K{vOX*?+@p?RH3<k$N4e+xgDqJppzLC(
zC-4tw=LT9udcG{#ro!kRa<x*iKYqdw5^(5wy`eh$*T%B;pl7X_{S=(O9VvQ86*SB2
za#v8A7Kny5Up%Y?OwsxQUU?&{&H<7+zXvq(PmWNL1!&(x@jkhe`{rLdC5<3Og-A-N
zQUtixXuB0UBvnRd;1H5dOI0ES_Jf~q>e}0s-}jWQ4rcK!riatzJo;lP<rMY_669zM
zoIlSW)CK_^+5d(B<ePd>%c)T|P&_cp-F+x{j>Z1i&u#Q?%XEw?=%ruw&If9xulHBI
z!FQ)1wIa~ezufapAG55GM{6uk<legl--B+qAB2<4oi};9?G85-YMRrVtj+J_V5}58
zi;qeL$Hykovr9i*0380}que9UHr`$9Nr=9s>HHE`7|HF+FzD;1O;9p0RqQ>-cj?GF
z1&3sm6L#iXRDH$(o`os~TF94irokre0#Y5(<CpGFU~ON7K0oW%b*`%H_A|e*DJ8o$
zX#KYqnP%-S{<92ETSjJJfcq+Spo`gLtB|W-W^MEXd=@s}3BPUvkq&ARHHSZne0YiX
z;V!$pmDT=*P&>1CT#1DY#DdI^VS)J3%H&yJpV88+6T}X<dK3FLxlldcWqFzFF8Hw2
z_??LzI2g!f5Br{eHFl15hO`6RYl4Sl)k-P_M)Ns1$R3=jKSZL{rw^P0P_(>Zo#GO_
z11KJ(<@FKzyB^N1Ggn&6OF4a$pQt>5H7hV4XuM><-rMmsH4c~v+~Y^Y`<26C_k0!b
zjsLUxg49bRpO(tg-RBoIZ1h6*%=(DT{-vO#psaOdAfRo9%W*(M?~SaXbOJ0y%5Ek1
zrAQlf^v3b!(Qao{C2HdO>*6&BPm(DT=wl0G2co}?`rxN|Smu$kUeJMm$IQZ4w$qax
z{<vMIPuR7u^Dc;~seLK0lM%QtSc&LvG)TGHy%_)OCqPmz-3l>dSf{!lk-kkqC;whX
z6{n5y%D!V6^IY~Fezyy&ofX(V94_Swh%6$D2d66Y`jsl`k3vxA6PcHdKj0Q9*JZz#
z83^fH_YF=a*D*XDcRdXnGF@pvM_20xVH@n5#UyO^=fNHG+MxULbeRo)l8n!R1;9Rt
zPL&>KqkaUp@DAWIQaS1LL5=#Zg5^o!{WMm+mVtB}G)B3OxAPCSh1AXDPBe(*AMcsi
zpiNlslg^&`<-+fQr#%hMyhVK@^nL0v&zBHF178<PUDTCKZEs{gih9H(W9({NM2tKn
zUf|5jdDx%5j@Hh){XuF5b*;uJ$Tn;23n(VOIIl$_rM#9~dl5uyX?*tHmLA8smUG`*
zEm-v*wXdioRXef-UJ?<9<3V5TLZLp*W)0wh2=?N%HK(VT*t?31)Nk6o+cyV9dY3@x
z%dx0<6Fx8z!QWOon4p;PW5F()9m{Y?6=0EG*1m3!!O%WFHG_@0gxJq<p<y8`&R8fu
zZ-jk*k8jCL?6CaZ!`=dSaml{<H+n0_bMXSkeWN8gF$=BSC5;6sd7U~vz@F$-o4M_k
zLQ`m;en7bk?^qokryv1Z9`d;77^QvrEhG>aUMKH&H<{&D1|N?8z#hcfjf4LsssSKo
zh|lwDuSqZ^>&PY@!>TQ)|83Vr?%1_$o_6<%X}m(!>oBsJB+<MVDn#ciII?9J(J+3}
zTvwI+^SK)D;e&H|>{yLZw1&CVKnYT~@i?`S*U+Z8WOX5dR)EzC<Q*di_n;Cphs^D_
z*0b<Y_AJBDJjR*0E5D%+wkQ)HZRPN4X0m?@&=YOBfnl%g?=B}ExAW``>Y3;4A<x;9
zmYV`GpUA)%(Es)w4J9yaijt3pwszl)+*)dsmV^gEOqYDz4<7^Ky7$6{*zr60B3t!i
zSauCBKf7)Htij9hMyCC{hda!z|LM(YeYhVlR7^j8pCGQ!8y9ZU>;!RroP6DUzKh(I
zqv4mtMRF;p_)j}BYERp-f$NGlAGQjLJx6?<`{8}a(&E0~Z_}dl_3au5FRRiWwwTe5
z+iMi|6GdSTHcv{U^iEDPXeM-{yFDIv--+U%^KQqbhLuVG?v>x}df}NJXsUJIeN$(;
z*>R?`rG8%B`&$`r{;RkMh02_TrHcWUhe8ZWpj?werKz#{n2Ayd3IksbS%u37<<jb=
z*YbyiH@d%C5O3nHt9tIh0<+^8>il`|Yt7S?E?@VpmM7}ypWq@XzV%xajDTX5tP3{E
z76WqChtWJf^TPv?P+dxDL;;?G6Cc+sX;Mm1Qt0*t#M4018$Ta!LskGEdO8esuF;Km
z({EjbRGw*%Rhg_HwLE|G)ds4X_oTg8)7e|gvvZxNdu9j!C!Ct}b8x!SHOJZ-^?0UG
zC4m1CtUC58_*q}IzIskb=FfDvPjduJ6cQrrDw3sNw&+#L)*QOSpbNSj|7rhH<qAFZ
z1x#sSs;zwzQJAcT-XWAe)E|w9%JcDhHeDgP!-M%}+u@7(_WG|pnzDC+2H-?Z?2PM5
zYO1|C3VnSHSVko@uaAicapv;`(rX5KoFS7~d+Mk$bP-*|kjl>8I_h9996qmosoy~q
zn|@zZs@`@7b8lz(z59b6JPuLESh@Nm-bhGK%SwpssnOXiWMB)0p3PQ?miu&bQ$+GI
zhLd<BaZ6dYHp+61^gf5YXeZb1A1XW;Dbh&|T$!R-Z_tOgHv7>&IRvA})TU;q-U!*>
z(0;3c{gEAFU8IVipQ525_F<)mSo~yEa&|NykSt`Pp`(YjXfmJN`^{u1ipbw*+XZQ@
z(!>rYmCg_C@$L)Ry_XO=h9xcgeZ7zAOX<8PlthpB1g7)1Ht-LmE1^S)e~0?$ev)bS
z;vk?|j%%kx0W35~4bFo{n|ElUdT%AO2QaE}awbyqfqSnFsXZhrLjF9!E7{Bda_*r{
zG=4PNPU6~{o@nNI=VWwn{1i1w?g+yT^TWt5g~p$Lr$qhg^m#H{*+*>4#sUCnG3@#x
z7}z)>iRKLGdi-j~`>{)&9Jb&dt*C;)79Czwg~_xmC@gDEb{aC@-6peuJ-I4MkJbct
zIddLN=?*XK_z-*epo1KQo++@ZF(J1*c+W26k$k_nf18=&6CWVyh?D=m6YxwqikOX0
zDuA50CfDK-jBsva@H;pjzk_fG7>8*-A(|ILOcqPV`4(gkzWVTD$rJtJWMFf+cK&)~
z3}nK^vrqw5kj2)cd@qIYx<l*cM;F3yvE!o!pe>0I=PKM1tI|+E8m~?UO{B*BY0bfP
zk3_6o`jA+BjcB7+u2<Rd|567Dm7+T}Fg~vC_~=gOsN!y2>U^LPn8BuUQ-gAMK8RuO
zy#i{HQ%&x>^Au`I^60_mzTX-*0wQ*GNlNmta?%|Bf%h_EbZ}A!TH5<A^&w<|C)w^I
zx~8BuF&$|6lfrhj{l*t8vo9Y(oHXg)XYViSPksRpd`7uSJuQf;`AMu~81HxnQuM&!
zDRoKgBMb=skfKu0Q-*JtyDuzNm5;P-C8Rhs8^G=QinHE&;cD!7E^HO*+p2Ta_pfKW
z`gOQo#79UX`23Fl?UK3pi+L$Yuj?t%_5SBRn;oD1oL74pTw&k-FnDBX$LDL+N-g@Q
z_7NcXk03k>&=%o$<qwLBwy!vPu4KPbW^(dJcoFR1ZGffJuwhyN^q)z;74=DgM@Yh|
z<xG2sqU6Mfy__eiwQ#g?J?+@nA#*#HT{|!7=e^fGZ}wf2yEE$NT7#s1g`3XKe{&Ix
zm`)Y!JE3YBj%Q|G7`J-H50i^Nl$GdUVA995)pm<%xh))(qleRupD0bZEzvRXloMEG
zxCQz#3JP&Xez9kFJCPHksdCkZT4pkP@WT;_U1?7qDyNffU~m+**cW8E^2Hg7n371R
zwYlH-79foF@SaYZwTK286})S3`ITpCe@2nwFQ?sl2sa=r3XoZ%05f&pY;7$bT}!@9
zFA#SAi)7ZzpPw+L+UxB$x@_{zelwwDOFVN)In9j$3hWoh**S@nlG0Eh`nudI@|h|X
z<@lSfLHj*N@<q6bDLrP|Do2xBkBCCM$9z)w<8vsE=cg-8N$=9RmelkET+_;W$Y203
z0gRjP^sI-sOg_dWD#FJ({>&mu%M^E7{<uIduzHj^bqZG3qfj};_<-2ST&^yd{$x!8
zm?f7(qQfkgXnulkj<uEzo~mth^{a!_vw0XG+}$s5N4vkUTmVY3h3_PK`H-5BQRIbc
zUj`fHe!mmr(|dbdJO@nfX4?O4;>v4<b;?PPnU{Wc5fJBVvwH(Kk<Aw^c9&B&z9YQx
z@BQGDlkST>zZjWlUNqNkJTwjFD<E%Y+4r-0Jii5Kg8fnVHDjxv@2h^EYsuFFvW#CL
zA8MP&&wf8$cPS$6DY)C&GvX^4+&K${?MlA0Jka);&<5h+auCFiYbEEoi(j|v9>j|E
z4kZgacseRugWU2~=e2pecdSFwf}yMr<Bbki*w_4plgl#e^k?^D#dFX@3;27GX8+(k
zn(^_p@RBgWGR_OdbbC0}YyOtqTav#{M?W_hLW5bb1C~K7MaZou?C12=VBkV|?ZHdM
zUqn?$Mf$?lVE?SETQaCe-Xc6~c;Q%@9rq4cEo`)dn&C~K3rQ7#mfzT~9=es9!Vt0e
z8;dWhG?Ce%p=h*!T1&S;(1udJ2Dd}e==#b}nZS3R>Nz?!T6D)$>V53rR-(4A8uf@^
zP<J$>UtT+UA62r<<_}SQ*$ygmb1UtitI8y22G;bLWtwa^rx{9HdEyoHqK!3W!5Cw`
zMvAFJpT=z-rtp^E2iG_PTlQ66FY0hke(#e}mx*vfLpBr7S&nvYbk8M~QuBk&EzmPL
ztits0)Qj2r@mGhb&Nna&N8vDVo?IO(7GI32G>t2)PJ~1zXe>pa2KEfW!f|}6tzDI_
zb8TQ5<0q|2kH7Q1e?{T(OR;;N!oFvHnLW6FOkR)spWsC#e-qTSUqJk*Mxx85Byhio
ztorgiLuh4Mz#_|nNfD0Wkpp?tvtP4_u!mq%Pl2fx&nWy3DUrgLgs*gg?o$h0fY<V8
zL-Ig<F8x&~L_Z4DI0v%i#`d|F!_Yc>fo#qNRRb_UyYl`?IlSzwkiPt728KIDFH(?N
z_<0}rb~+{HqurN#TG!$4wA`-uxTZ7%pDcQ^vdgo_jNLi@t5s7+?2$|gEs*Tfd)6O5
z)9R-esr8hTy67~pd9P{F)X+`(FpQZ#_dAfCxm0eDnJE%<3j2Gbj2m!WGUJi1hcUE!
zd3>&J^-?`;oK%6=q{Cq*e`52_XG{p4@LOq==kTYZ`q6|nL~KLh<nrGK(?fAX)UI+c
z!1lg*44ZywpaH&e@?mYjHEYuwU>(1<Kc|)zX%-q!mT7>Zk-Wvw(mpC`3TJqzUy=ta
z8_3wEuXfG=g1?7en@4}O_pF#un?)B8dS0$`I^Wax%}z1}G%pVVqCtIIizv4J26m)`
zyPrreX!XjLe<ChS*j(h7iab?9)cAP7Tcmz93sW1elI$VQj^^7u(yy%T9t;P-BL6Al
zd{Mx_Wp3P)t-+m8pT_7*yV2V-7UY-EJ&s%}(<^oP@~sH-bWquG{>UcVk#c4bzrms{
z+UmQyAEz%2ASCsoT#{k*O4!G)BIH3R!1oJT^aQ-*bOQJl9#83<FG&ol@lGWhV~kBv
zi3<I^<m`Gsec)*kJ~!ugdL2yt4qE^mGmat`z3Kh?75);id~Cs00`QKhhd8|MvQ!U$
z1YC;pFKN-u{gMpcO;X*LdIYdUf+ur!uHro)d?nQ|_xnWN*n-To7weQj+<T-*wb2DW
zlkEwp-I8CHb(h5UZR5TY)<|W!bXE{KBvce0(C^sI&Wj7m<|8RRH>!78d5V|84@=#3
z`O=V&8Gzzsn&AcLnCI`~?P<l`SO<3FDA6RDaH16M?tD@q1Z%US_xo;0s;=90eW~YJ
zdoJW|uRvGd<|*J+jedL%Fp(aCLjPvvrL+}jH+6;rc^_)-t#(FYumCR^k1(5M&Z_}D
zFMVE15}ei+KA3{a6a=+Isf3Z=O<k?(IGN|4pWV|hI1@WY=|#@cPt#FgQ^3GIx!noO
zRSeGuc3?SxeE7Tl;Nq-@xytUI>#VnuWYF|QDcZXb7tNTdWWv1+$TCF_xuXc5es^uK
z{DF%09ZXK~y_BUQ;l}nSq|7pnI0QR4w6w2~%_h5seXYgo(snR2q?*^`tdLBATGSAn
zFtGOJS1W#1-#jMtWo4YR#n2iVh{k$hKd*Oyhb}Bg(~$k1(b#eC(BK%}7wFk?+t+^g
zvH;N*J(e?rI)v{M>6XNPI5KaddZ__WbUu=1(?f7qb(Sk-_L_bXbGl{{jUTu@a_s!j
zihIU!`_JpIAv(UKpkwAL{&Y_t<4Qrl!{&Tx1O+%fS$2iD1`|)Iu50jBFS4}*Otpi3
zdF0|<IpxCe)rTGR;=O+x#`|XCS!+*{>1^!f3kaew!wl792oMw1J#FWqoAq(u!&(y6
zwrgnXsmARcbnk((ECh&@#{&m5-%m_ke{H<%2V-Gzw$HiVHu~D2?Io*nCpVtukIyHH
zB@&#I+ca&hLTw_&e+47=+{1b1sWH#lo7<tcKALyRA#6SPs`k59>v^$YA?Iv`{1qAr
z5Xs%yU%hEJLD<@bZsr(k(UmqMX}7{&WLn|E)C8Z#efDQFsWrLgQ(zzOv}wD`3a)T|
zal4Lq4Zp9K{9QlUp{a_Jh1en1HsxaFr^ue0`yhJmA=Q9DK!RE>daFCW;>_3GaX$1K
zaHf9k_Itf)ZbxUeAJ-zemygZgKz<$Qqc1=D9ursz$=4L$$p0sBoA=w_4SJ)40EyZ9
zcZ8^u279)bB*J9m(d8ms6!hE-5{HcB53L+iq0LCrbrBl;Kj+pGLKbZdK6&LSN7r4@
z&o*#+j%rra51Yolq;3oU**MEi-X8GCos<3rw(CucPAtl~k?$yQwG*pQ1jBMZxg`A>
zKTjbhF?ssf;s5<CzU|!}j~-e&DzOZ4z3QRgY;Sj?;x`*m@N49fYvNt@k5=cfL>}aE
z7xjcxBi(2AVefAmNoSSg`=+@CB6_A{)5BY+SvAkW+PogG;7=eP!9l;H%aQnk54jlZ
zDvd_)0~h&cN-Css**1Gy98lqC`!8Flw`0N@^gZ*=aUnpM;-x?Ruwj*Zsa2k%?Tnq?
z2#3LIfWXL*w-ho&e~lDaXPhl~7!#n)do>W(3$|{u+dIUgUTR-Q(<j;+%B%+S>1n-2
zN`Qh*-Fa9Vq@5>lXyW|cq=%zw_=c2{sgC}k7ME3x2EjQA`}*$u#_zVw{&iY@y})~u
zHvf)kiDYHfshAaM`G<d~E#1GxBl*y~tB_xq{U_jEE1WOS!nM2PIJ(uxJ@nphyxwBi
z!@>ce{=sKOanLu(k6jL>&^;;g%!|;cw|>RtaO~9<DU}ZC;`ej{#Wfe3wb#!u-g6qZ
zmVtj7J4dqK3<+PN>E={~cP1sD&-yWV`5vZ%jr7fQ+mOmG9U95M+r-|W3Q(c04Wf5g
z?ryJdt)}2@)My>V+|CiFV?q30gF}7WA)Mo_dDN0&$GlHp7&bk+!09f(A}qYNXx(p6
z6nD(>#DElY4NNg+WGQOwKHurm05NmqVn3K$fF|r7qx;ta$Em54?!c?-gGEVRtOrAQ
z!*p(UpbO1-vkr~LSmB5H8ZHjdj(ux3cfY+o&X3;?`tmz6pi2Pd)f+R4ZW$v67>uc?
zxb(??F!+_;!bY)Alc6bp(<Ow$T0B?4Xml~yJGB&WcA5=?s$-En81H+qI1gsn<|RnK
zyXS3-uv4H<m=&e|Hx&=RETH|#@=c??6f+c!uP;5&!U;u)T}ZcCIVQ#)%F8gU*oW!a
zHbQ7#jQ9JthlgaY3QNWTV%DW2b8+weg|5~2Tn@HA9a+=7gqO~x<!t}w6Q=y&;mciC
z^YpS^FzwtK2!ag2nVO&d*JJ9fUvSYE$_g*hQ>?Xqg!oH&tIiYcJ@=h^A2pBj9-Azu
zVN=e>&H0RoNc_ft-r_8a@Pl(;lmr|I3?vu(2wvD*%Y5q?9xjR3hsaR7RU0n3GtICc
zias~hpD*9JujJ$T@YrM3QqH}vQg0FoxnD!RzJvpfR2S;sm&uD)vKQkAvPk&<!JM~M
z)+J74wJ_@3oflF#KuOg*Sp}V@=+<Wp<@NeC-ha*dT)thme*L0LLX2sNXl_U|uphaK
zFyFKuT;j`G7?8c)U%UIwfkTk#uFjJK4o92Yh<%fwt49NLcER!>5n5gA_GzOWq~{Ob
zDEyBf!ePZR<BiQ`C{1{GpB0BQw(Zp7rTtsrDXOX3@_EF@z*CQ4y3)xS+M0iaB>W@9
zDeopE!#?_c$Ea13vc1BcU-p4qYz%Ljg3X{3gq;{Xv2v`qhg`&&OVWwX;eZ1PPf^ZB
zTP)4Ghc#Kz?^GXehpVC99?EbCzGPwRDHBGzIHNgvns>gQpFs6`15`tbaPl~S@2!fz
z+Vr2}h<JR!y~EAv00POTwd@{;Q;WFrwT`;{)=9LYK96w$1vpWjgCl}Vh1x?4><see
zH@rqIjoT(Yn6`}C-zq`Ho=sc|Z1my5FARY89n*jY@`iqcu_VrsweHuD_ODQ8xk2Is
zaw!L8(ZT|AlLW3PrOu)h3uE1AsOve@{xu&-snS?Gea-K@n{p?Sx2){hO-`Mhac}Y0
zR2uixCqK8x+wJMJbli}ejZ?bPN9g!*ZM64o+P#@#5spg(<qERAUn8)LsfvS!cV3Q6
z{5c~VTt#ZQX3>pp{>%}wZ;X;0T1xtYtmVWs>^Be_Epl?>xWnwiY3LX098rTP)Vz*I
zt|YFG(lG3-xapPf`yLLb*}-wUn-*#}tZFwjHt_pzXe5U}@|q4%EUxdEcai&aAcMcM
zckg&RjgJ)+$-@v4me_^;((P*4ojSZBB0W>*u8_|8qd_<9t-t%7UuLs+VGbdieckd;
z7o^B%_!mBoP%&4kXC1he<iVAh2c;`~Ty}Qp%3h%G4+!f&RlmDjKGSNea962N4=7Am
z#o(XMz$5~ZAi{;}<*IOvD&e=P+_UL$Svv!E6rf4b&`&bV`Xy50ymU1W3k}sD$|V}Z
zOgwBXruuY`%XIP+4owHT+=oW0k<rDc?=~<NuDXlxSo#LQtw3(0^?$`2xtA$wvp#|c
zWenLk440`|w5!j@=%eWf!n!(Pd;yKp(^kwTzjuuj1xIF_)&rRF=J^No_h3V2-w)cp
z%$83^BH-HqW>|d%4EadLZuRh*_`R>21m6jW?rpQxBnEV4GmEJ}^Y5O1v@RK=u-miz
z$>EQaE?;u6s&b&BK_U|Zo8$Kv2g$HjtP6SHfmxMkR%%eB9!eVc^Rj^aczH}i@g>=j
z(tB8?ly$lucl&J?j2*q4IQ{r@@;qhba-bggyEGi3B4`JdsQae_d4Y8pjm1tE0pGgG
zzBgfdpVy=hpqVK+6zj?h6uA2~gUrl{V*yIa5wHs1i<U*)tA?+R<qlV9yQEoATfk#H
zpJs6o3hDG4cNCDo#sPZdLk<?<Hs4bWZV1?1B~c_xkV&_19&Q${@G!8rKc7%2_;%pz
z5QRJu3ySHAlIR-Ck>uX$brsC}Uxy8PeG7jkfC7a}CX%7rcW8p{J*X%B-uDt3t<Llu
z7$AIgd=n5ZKo9U?1~<?!FEK*FC)wBaU9vqGSETgcVFU{(37#L4V%`t0@Oq3>g)tMd
zI<5FS)mF)6yJ0jZmp8Av3BE09|9O5Iv%%z4j>U*p!EyWo7jYop2gS0lWY4!NZTyS^
zjno02##Wm!=9d;yWe&@|xc6VwUR+QMmX2Gt%n$v1VC+TgKI2Vk%k9NzzXzO&^K6G`
zPN~86(8Wthh3p&9d4EeGETXiCq0e>Iy_Oezer=BqrNdRMcNgVxRWy(ST}!~Hf-G>L
z293NeZdExE<6Lq`e~ITbeDPn{>Y&vDwcj9?CTQXb7k3V~*X`7O1vn!BL-=Px0UyU~
zfX~{;;5x&6H=X&CSz5lG7L!SytKnHaQZl)BE`Cjsoj2a})CXGtdRI%Id~IoX%+)n9
zH}|et+4pyXhH~hkJUtb29o8=xRq)+jQWf6T=Bo$j3PQ$JJ{MPM%5vjzk|BwK&NJVC
zi6{MSarZK6B0)p$c)yvGf8x2lzu%e9hKA%mS+XhE4o&qwJwd`6?1np@0%tVX_Uk4?
zPTQ}cuM>RHKDbZN2=>=dfyfscJpD2FPM={NK7BnJ=MQv+nT_lztdz{t1y#a?i=mei
zWHAW=aN3;Arw{Y;Va5{>dwAs=jxQyM%F7Iii3^MnNJz-nkhj+J@g?xq0Td0h;NuM$
zvqD79l*)q*!TaIZS{PoR@Nfwq6_Y)%AC6HRMOSj5;0H-9KcCU?8Mt}P<{Ar>ve#fY
z%35dV=$w6_Chw1n+I6Z-kLpO54u#g+#p+=kZfe{Q%I4dXEyRk6d)9z{S7(ON&3ThO
zj*K==?S&El3dgK3=^JpR{75VC`Akjw{N?r~`?o8>a#X}P;@y*Q3z>VKnoZI!CS?P>
zbJkX9-+isaY5CcpVB>6w&XJoa`5R688#NyWgFeY6T4$(=yh)Ix7*!yt^}`&w?C;}p
zW6z!G+&lXd5=4j)UDb-*svjlZN#PAYfGmb7&L>_{aPQ70{|#M=uZN<&#ZL)ZtC{J}
za0vR5X`5u&CY0_)<~oeS??}aRVVfF{jG}Jr1p{Z7s)9K%?utjmu}R5+LRuJ+fwQdI
zX{i~G{`iJ=b2s?#PE6pfD2f@tyCO;6-j{s7jVn(o&31FdIr8%B|6b%omtk&74;q`{
zh0VzU0w-)tbJV`V<|xqdxxR^MmI4XdVlpKGFWwB&I?m?)L;e7=u<)aw3Ax(!X`_Mh
z*=@k9y`e^`UhD|4@y;vT4bDT;mRzn?_1fdsohuq@DP?t7scu_u<pYh%+j7r#&KW+v
zwYjCH^nSZzyex(+7_0Yybw)3WADFpr0mOF}<0HA$r~dW9kY2uk3giilybkd8qU~k<
z8qiFiSyq2qRhF)uU-s^)*oTR+9DWC@NSgP3I?@(QsbnBikFiBCE^ggPEpd`iZdM!y
zaB@;z>9|CC;|Y7|l6l8Wt9F6pvy9!a*-p*XLGGa4ncpCNbiSH!$$Kvt`alA?sv}zA
zS}(X|I3Y~1G^2R&iTt74^pru*HA;gf4mwkW68H~?Oef^gO7fjjo@$<KsS2u5$b+Sn
zTV8oqgEJ}Lr6a@T@_e#@ejQJ#d_$P}qxa|P``$&bs)<c$$5rqSt>VK06?wUqE!Tei
zAjp`X1NCfKyJJrrO9DoSU|aFN&WrQSZ;u_99^hU=4<E<qleSt5C~jxIW~tf)Uf&%B
z;;tXdBMbxg@N>k+I+UO%1k}^N84-ScB)iiY5V$YYBIM`v{gUy)F}=?6{P^Q<VZ^f}
zs)yQ5m&d^T;57n#x}L2f7Gy0V|LxOxL(dkv>(w|@<Qe>gn8##M!NA-PJCGPE(bd=3
zLZW?B%o`bx(Vd|!gf)`3?r6}@3@`cjV(HkZ4bPuakyYT|si<IqG9qhqaSmw5`N8fd
zybAVRhRAGp_um@=%6L4ed`}htzK1o`-_z1X?Qf&DI+N&Kww6y7ul!gPJuBCc%E$O*
zJ=B;PW9T;jJAOa4WV+!O7R`9s9(T<|7VX%F&oE6bKDk5M*nP?57ZdCTO2~{`%uvj8
zu*4KjJ@>#oMsZW|C$B#Txo!8e4QMRRYLFLSQsL|8B2Decu-H!=oKLVQOCQxFcV+pI
zXYqU9kX7V_--L^3{vrJK6@{nBd;TSp@s-@+!nD5k%k<k2M<vpuC=MJC;ppwuy{(9R
zdF9WpCgQqsXMQVLLH^RL@Nk+K$aPOl%5j7fr`*)moBZg-o!KtJO;EU&tmEWTW-xKh
z-&-UX2&K7i;yYCE_IB`e`bg<(Sej`1p7Xv@`wInQsB`$9ti(!$?Xuf{-TeL=m{a_k
zTdj>GGI4Oy^sq{w`DXMRnj)k)aVGWN66r|--s{FLk`2RgnrhCJq`aI1V3^P2`BWE?
zDBhvwcZ_v=w>|Kh>obR4*6DXSyA^L&6gX#dyc-}VZ~&LvdSHD0xTl|1S?1OjG!EAL
zomp1r^fIhGjDiGC?VW3_&a(bWhd#r>oTVY+QGcRCu@9E~^B0k^ccX+&MNl4iS%)J2
z4X$X(O(#1@7Nc~tL40g2xU^ly<Xn*<iXUxh%}usg$BfjE2J*Ks-`~{;olU&#17DbY
z>hb7OQ3ikCjU-!s;${9{VRnb~A$?bZGcntPa`>-m*vK|2Zhm7My~+%?>Zm6-Kq3qd
z8XFQ1e$}@x3%g#rA4ndwx$~>~MICveZAcLJO$><Qx`9MX3HB`kC;_;<nkSl4c@#Dd
z`la(kX&u4{O{lD>^aV1(2a^83zY4xJrDiR6^dcl&Dt#-q0t}yF5a0L5?eebP54S$I
zB2T?~K`4?X&K6QSkg|Z~evC<d$%@^0mnJ{^rDAE^{l2qrweGUlcvHQyFS&{}*;Qlk
zk#T5#LI5FgzCd<S>BWAPXYU=cl(0`IjJzi@jHaUg>_)?wY5W2JpATt$JaYQ&Diwy!
zSKDVi`2$fUMS3fVLYBUsna<?dtD<P~EmX)e$v(QbyeF6q)GngI50vHh+N<h)3$(4h
z4cGjWFwp&hr6yFQ=GWf9%#^N%sbcC#t%uhi68{HZn0B5KUlNB*a=*wIdJAauXp26q
zj}=y3<)~eAN%C&8|7wsVZ05Xt{nXSU@|XW14Y7fB6Pj&t9-~b2t5Xz=+L_$EnfY?~
zM;Aqx4`^OKn#n7DJevv^amZ$QD?#2FHZIv|%>XUZ-`NCJ6JHRR3LFEr@95;$)9N3_
z4zaDmuNUOYumFk^7`{=BPWj^9MOjva<iUxo?oyWRdabG^#bdA*QtN?X6lQm8$~T|t
zupW87MJT!3aZzaYF1j3+T_s%OF24Df*S!kti#S0heA@hbrH7FJR@j8SfIGE(!4i2z
z8g%pR$7}yl?v~NY!DP2C1i||)CXv>~BGc$*L(u`EnCf(a&ck>E_+9u3=c@(|>xWSj
zlzxf4#NF)BUn1WGiIb%J)}-Dqe&tZIKlP{ReB5<pIqac{9I=a=&%2BN!tH=jUn+sy
zp6eu5ikJ_%nWt(aX_;Dh%Cw3{28N@M;TN4T=w9Pq;qJAs*MVUjI}W<f_(THJJ<8V}
z-hS}{sTULC8dFn2ALcQhv0?+<bgEQy+ruRmIKT_e?OIS|&)({BC3_Ws?l|gvzXEvl
zR%@8U!AlA)zEgFf*qm%gX>~=90tbC+Ah%8|iR8NtUG|V&m#I#k3C;S)EY}{&@#Fr)
zr)u&1W*v}d<g(EU<8JOgu6&e~!JW4Iz#9QI?(OIuU9*)Q<KLei!q7+babmy=Ih@wg
zRqG@FY?5yOa(Jh7r^7cFb?+(i_Vl+?L8-d^k%|X|5=cw3tmNqR15^jsiPGY-7Soej
z(&=^)L5bBx3$?c*K2ie^61kYXQHL1n)ci7#J>AKqX#g#}51Bl>s~D-&cJK7Z<{Dku
zf4_!9hcD}{q`YiGgpe1hX}X#D`n|G)I4;I_SBckM!@$`i>r(1ZrI^K@g)NHH(!Cj8
zgSonY`bAu8_wZI@F2)<p*cWYVV*WYInUQPAJk$G<`CNZ2r$TQngwh(GTZN@u5Gz4j
zB{i_`D0WdLFoeMQ<z29GG!7z5{xl7rHG3E`AKoYViF{Juk=2aXux!x55i*)Iak-Ve
zOpU6wV*=xfevYZsYLWW6u&>CSmFURWyA(Bc>&O)k2VUZ(oVCEJg=6qJ2cYI<VLcWw
z{0e4`n`HgSqCdD6=>U@s-#HlW!c=n*%~F#cDP?Tv!T{*s=?vsil4tKXPzI3*c{Q%B
zgGqNP?HuZ@$w#eg=ly#rQ|kzMwhQuy>UJ*Et$_@kgD%stQVoZvuHU+6L#>3hYGiEI
zq#W8^uxr0hhjaS<`Up>)t9zQu+|dd-BgX|J<i7V9$Q6y(1Z3|mnRV?594(2Z(tERr
z+oOll3x0!e?R8)v5Zf25?%udNEA03YDq~;E8%f-xl2Gw`aV2Vh51`vc*^PPIG1Sg$
z`4H&C?ZYr#2RQTg+HfQUvV?ah6D`D9&TXfYAvUR(rFLvgK|dcKA*k~EM<9wXmcHEi
zlH##Gl5f*p;TnK5eBf$nUaBXeH-2}?>84sC3{1ZAVPOCpv1_uw7LHk5#?B%k<A&>$
zboBCF_XMwubki&81CQG*zCHXr3W9T`oY`ttCkk@QBpbue_{S;*ZA*#g25xf~#1#4t
zS!)B&tnqB|6IlT+>^!YH;<K{4?&AJ=_GppbeV-w{da!^i$NT6+>@>0Ke&L6X?moAc
zN<i=tk%8JgLInl*(Ue4z_(A<k`tg65%m5G<Jkug<`d*SY+ko~>U5AnV!T2Cpq(JI9
zuCKb~`5^nV;C;`TQL^ol-10&cbbt&-*bt>ROC@n0L(cs~qGu*oiB30#wu^akO&bfK
zRGy$QM5Q(C7n$o@9;2{KP;0g$hskF0{StvyMNlZxCR0SlqWAolxr-!IC)Z6D#a2DB
zE*V=?%b2Ei_Lq;JcYJ=Q;=cIe>rr~wcW+Qo{uh#6$&8P{nEboC7nkZ}85L0djg~6p
z$I~N+Sf0&P)zv;#__94So4BDeJu>PhngrnF75E|F*yKD`H#^29*{!aUx>%|_of>RH
zQbIQB)-7N1_rl!hWZ{i;)P{XfU*%Qk6<?`PvgqS@R}JZO__$Ym3|P(@+_p5&6Inph
z&kRGwx*D^Zs)KPyq9NfxuKX{EM*UE0lc(n=qUpfL1|5)PN@H)?j+*RSQTs5~k`y=R
z59D|3_83d>VLO*unH(!$+@?L(InJMkmc(9!FnJ6XiqJI!((Y4x7q_}W*A2#EhLuF-
zM%&<dS@h#_kPw&KufKTk{ip`&2QlzhRCc~|)w1Au=Pglq-_Ir)UjmwME}V+VMZafM
zqG8sWf=^9-8Bui9MnWRlrx2(}M$vipw*8ep?>k9--UWubV$kQ}0BO7(R0f}?2m0UF
z*a~%!nP*1N+gk&<&tddc>j-%J@JWyX;I*(v84NjOw{CtJ`(eld-`E=<-L8|7RWJ68
z*{$?JYI0(y@&fVv27!lsu~En&^smJ2@MBM(hHWz%BzYu_5Xm6l$!M98*N<^l55K;X
zNr)to-CX|x`m&<))t%)7+)7)YmZ!FMG{7%?fjdkq_z)YHPiOEDolrZK@QNN_zM^WB
zk>~eV{3=Q3S<LQ2KK4QPNMxzdZ`2<FL;_o2j#KxSUbC@_Jt0s2oFSP6deFXn=HZK7
zr!5Qf2Q))}yEAq@WfaX9nE?@pETw+F3{ZtY)aV4dcj4M7AFp4wB5A`9hT&vQ;9%q4
zd)kVJ!a<wuoIg4w5lkuyo1(<zvLtRir8sIi@?>BIGiST2z=Vl#kDiHq-;>3b$b2dM
zK{Uv_OKr@xd*jXrc+z8wdt7b16V;Q|vefx?y2U-2P52>c22*l$<X;6CTH^rmZ+6~K
z6itSbxTCz^iB^0R;3{E5D-qR1a5owOEx*yz$Y<7DESo$KBm#$Zpf&j|SEciZdoG7E
z+UEqsD!nk*NF?}Y&7fQn2XgssH(ArjrXR?1HeaR`MwguKm6vd1;W#@aH}Xx^#!pNA
zK~{x=F<GzLO$y=!GQ9C)o%2IGlMClBpU>~;2=*su*n$#HLL{1yDI5VW0!4S0oDs%P
zO?HKXSiI*->d+)e+)q*RZpvU<!EdyUCp06+p*t<qd4Q7JuZ2RYkt_An!g~OwdvgQ9
z`@rbWdf)18nY1|B|70zKAYXU58$Su1S@-e?j`sy-j*eeHxd6eV)9HD7p#MIMj9j%$
zzMvpK{lg=1hc~L{TMY;YOb;B}lCKx8wBct}U-<hAP93_$4uN23n%L38tv`Ds)}2hi
zuw&Ji2Fp`;rv%KQ1B>X~@(GZWIfDTuvGeWD3kDt??$(hG=9j|`;kxh_D2ai6%`~G@
z(nym5Qg-m^0<N{O(n;IZhUuhN!Y}@`bGUqgAD0B=Mac?%EY|TCuo|1;Hm-j@_XlYC
zb%tkugi+`oY#pK0`0kuT!GU3Qb2lPD31y)f8zCOt(GIqC>z^vlLC|*JYxc~@?8{yV
z{^9!U8BYiv9mphqADxg97Y+|o8}<Xi%_$L})^3KbyJS%g0|jm8b;?Vz;dO_D;3mAQ
z?Q3qoy_J)il>`%c9d??@%*=<J=c6$V1U~us_>DP%(U!Yp_v&qbvbS;^p`wgqj4Q$+
zIChh1C>^sa3nA*B019b!7T5zbEDx!d=t_ig8P|M1qcAQ>k{DdrBm^#{+zl9f<pSf|
z@4snz=YiDdF&QP#67217+83uEzeI(x+3|2FMoRVZ!sgg@7+-H2QbzbyKnN?XpkCph
zuf*?gaSGVy?>hhbfK!|znY@UDd9l&skT=y4g=7eyyX4YQAV^c{5xY_?{6ATwDwS~n
zBH(o@Ylz|norZxElMPxF={<anFPxYX8iN8#H#vF6OD<dgNx1A{I9_2+N<i@nKdvL6
z19O_(<m%+jp<lttf&6`$?f*-AWC0Q$^!Vk_OTX0o<pmy&>jnuV7=_o=*BvlmCzgMi
zj85(xH~d_nTFE0DD>?q%GIM`q3VV*(=$khbLq;~4_rf;*6r)RSW(|mNyAg#!rCsKv
z+S>i*r>FbmFW23b9PYVUl)gmzw@(9m-@$7+%ok(J?w?qRe(oqC1EU!Fw<{SEs4vW6
zy~8T|@;oW`7N(gFf7r#?47d{I?RwMcb*<9$Anno0rl0^nT@^k0Yi7KvTGBrH!o1>Z
zLiQ*TesOw}sIh1c4}*j<w_MYnP7$Z4P`o=0)KcAPcNPFzb?$x#hu-I1nUBTc{1ZVH
zgKb-zC;KS70ONQF3c4H;`mH>R_}RSDB}76g;G{JI0+eL7J3H)95K(*SFhlv1{+ydE
zBnKSal=3y90}|jod*GZ@4RgWfD`}MQ*D=)@V3J*2@p?Rq;O&CInEBfgaBdHZZi?B@
zftz<9=f~DEfQ9~OsO5ZNX&X5BQ5MJ$+SYjcUdNa9<0{O0l!hLsbvftrsTTBb?tJ0V
z#)7nesXC`6EZJ?orl@jUn?Xv3?~e5nH1*q{s+N+%>4B;H!9sbV+Y)uIT?{GpQ6HN3
zn3f)xUzFoLT>8HCWu8-!yZ2Jic6B!Q^Sz&ma8U5|V@5sCoYaOtS^j*Vv9Ts)4;U;@
zKIl<Q$8>$-5f2k5Obi8`ueUm^W7_XXA}j4+ce@*t4|U!+4;}i}#*+zVr6MfwO6K30
zGvPQzf<+<zseC!47qQ`Db8frC_Po3h^GN8=%Vg^MfNtX-+U5}JtXEnm<+EQWt)yN@
z&XO87CwK0Vc@`y{=<yVw7RFu1#Ex^}jj5$bW?N4(iCQyqE@4eOhJT2=QQPz0)eB5$
zW;sdq*ws&y#c7|lAwSNYDC`(?tbi#b6ZWzP`{6J9`J!_+<2*c>uNwtsZs(9>Tspbm
z?(3U?-Hi$PUEl-Ah~OYPp4m+P;3@uzqK&evxR}gWww`}3Fn6GMUV?n(isp`Oo?$DB
zBdZC)t11S(qxe&GZuY6Lkqe2;+2?aAyFVRtxnaJj+1m}02}Ty2c7Y$~zxcN$kS5!G
zJaU;@2i>gsviHdu3v?0%b^KerhNiVG<_qt6C36RIGhYp>-pV4|n^7cF#ad{0rGqoa
z{C2=0IPo=HWcZ0L$vTUl9C|1C2dteI*iAJ`Pi{|&QI0QJpZnW7e$G+^EZGkLSM%lD
zW+ry}@T1R<2X&qOb72pVYEXLh`f~XKDlzXeK7@W`p<1B0Yuv63I@X4dg11n(U&pQL
zw?fx)<_y8g=oZOdN^*~8-jbO535K{m2-~Y%!6UW`{PjWC;^EmZ)8oJ<00~;QYq{Zj
zF>5(KsGt)>c4=vB%G(GUM9BJmJJzMd^S9IFAEc|%`@aAjy{viuj*a*Cy-=@p#XBYt
z#lqYKS*fd3M&8Sj0<nc<tRZ^hoVe@uxQ5S0)dx=Kp7h;F&*_$Q*JISihl|=?!rkVP
zs9|;#h<~J)Lvm5e<HK@*S>*s`yVk23gA1${%&w!YU2`ppw}ub`y>!_dAvgaL%2{#8
ze%Uz?LPL-%)e)I6p&R@tq}&~?NKl>nTpxfq`>L4$tzsN<>ywNZtUJ<@>_w5mZXs!B
zzEkl9ZUMy2*{kM_-G&nh9%Py?!t~S0SA%h>@cz@N-f%2`E<<iSe`N}CsE6sTjQ5rN
z^ZW92{l$ZZ2{&-Wp5aGNVBUG&nFmL@e#&2KEa0bFgbgYwoX71AJ)3!NL`CtZTyN)H
zF6S7uWH6#GMuKVlLM~U9)oV10yWcA6WR5N|pm(o<m(-MfkTUA#+vAAi0fFMkt_bv7
zBaYcAIf@HQs`Sv+n{Nyh!!G%h7~5_7Ji^s{oWUDsiU;*0;|1P44kXd=%_uCn3FJDc
zNA_IcO402E>hY6ZR(nXV_Q=E<EbiwSyOYvpJouIn=T0Z16V-I9d1*yw(pYbz4s{dy
zRHE1P14I0S^+@{0)Mmx~-{~cfJkz!P%`2yI6Dj^=@FaHG_Fpw78pFzBX4xwW7<JEo
z$Rz%e50jg-L4Lu*OTr|^OAciPC_b0|Y3{MkT?_H&0yZLxGx<yi2k-2!H)k`#?zGXQ
zl!ezWQd>g{jofn7GvVD%jS2oz9=}{n#zqPfP&4?t22E-(fpGMBf^ROm%I*!vF=DrT
z+&mMmQ{C@x!gvzX$k2^FZ|Xlt@BGRvW8A_D*qi=T=$lPxci>EqJoei2R`dn!qn*p9
zGTh9eh-q{~h1M_(#o6={53$Qc&M{m9HXQb@exwJWdPkWeYIu^>xr`fgr|$z!e9>H6
z7gxP;50Bi|GgZ88DS2I1ziol_iZ_oMo3qWF&q3_9#(5<eKgkZk{(>!0rO-wjrYPDS
zAFmJB30Hkub2wPCH&b3Vlh3Ot;iey;MKD;gz7}@^P@osfq){{qGA7izsmta3-aTgp
zSVHroSLKX5(ABz0>3Y4L3hnKKW^OMh@d$O}^-9TiNdRBaW_0=0a{zza%g_Vz6SyA;
zKk6qKMYO>myK;^PW&<M=dH{FuU<U7Vs863c*+U~>W0t3r$9i(LMz|rJf4Oq)FC729
z?DJrDTIRJ4hZ{7<VQO_suah2qHT_a_a9MrA0#~%*`);@-etUoR$%V;0lMLu^FU>&K
zWWccpaZ0u-&-8>%=m#>@I1a@yY*5mG5h!`)shzB5s>*TyU52|FtETYlXDfyOxl)g1
z+cCdCTE01G2PS&m9S!a$TuP?#?mP6c$5YmlE6W{b@{U2nGvd8Nx`vKkDZJX}u?nH+
zSR8U=sAOu#x?S?Afxi;Yj6GG9Fhh0pe4D;CEd#3#GYf30zKLq%-2fN^#i_2$w;S~2
zG^$eek<5}dHZZ?inw#Yb`gWf=HscGmklocb)9>(UFS>DfV~i*dQNt|9A7Fa9CsXyW
zXrOel!c^fCxqGpRFWku1hg=BSo!FC<nx3<ok#g~i)D?E+fUmdta<->Esm<ZX?nq8c
zRW#+T@LC07Phc?q+j-{!BZEH)SeZLct!A>AvN2#3*FTeMZ9gMsfE(cXW{MnNLHN~X
z=gjkQWeUaJW{#YA=9#_EAN|i@pF}#2DVBj!J^t`lR4i#mn*J_hZnT-%(-2w2WquMq
zWry!iV8^QXYwJp^H9W5%_y4M#<OxC&97%e!E+IMDLwy3?X%SfmAnvu(d%bM{1c$E+
zgzdaO*cSo*lBm*<M7lF97sUlqf`84sTZiICx|hJ%t(^O77z_5}eYolZzXy^jp5(`n
z?anTyvci?#@)kD9aWHz@^)Bbm&o3MB$@fY960GZv48+qRFBxF+&HCX5^mB08vc5uy
zK%?m6j+%-yEPrRn&^{Yp=*Hr1DjI*G4|PEqW<#@SsLnqN=i%b&gg1qAqB*UPYG(xt
zo-HjMwR5E9>|>rFxS0ua+%H5DRVi=G%%AhEbRjFN&Xsm!9`a-In;h+I)vvtspSZ`j
z(tj5j$~v{(r5~JfLnmFO$)k(}vi#1PsS%1AZ6>~b@d~No$jY`wc<<)YyAb$>w0E$u
z&If)ix%ytB{#E%~A?(ML5g&WDg7Z(Zv+YS^&T{%|Aq@!)qQ*3pqW8{SS~^dDuRY@p
zLO99cI7%qnIqS3?ym7z9mnV$H6f~*<)Wusp@ySA5mvZCWdvJfheCT*0+LgBBns+hl
zkZ~*(fnRvTB3?f&y&gZ!E@dQan9@*vcji5U+ZJ5`G>>O+G&_OZ%DbPnsU<Q-?GWhp
zvSu=yM_?|kBb=&!Otmgz+X0C4@Bl+yzS$i@yEH9mwHNO)=ClB^pv8B<AD&SG9H-{-
zpBm|#h*Qw=YkflzJ6O;{rD1%u_qDqOA4iHN^PM$kvTcyJ7HxVu`c!oJREZ;i;JuQG
zeN(ZTq5&`)=i4ghZ-j*H_P#$AhyTI8X#8A|k@d?aK3)aXkR$o<;vl|Z0KbKkawOA`
z81^0llE@3d8UQB@d3E1_FvQC3I2^-|76Cs?+v)QmcUMRlcgvGR+?eT?3YT6WYp+0-
zTl|ck_p{RJgYm7De7W~caR)e+Zb3M?E4pKNKhg$_sPAgqj`=4vFW(5JFns*T`1l+D
zN7HpJsftC>UlI_IM-c(ZNcN4Wk|c|K{Ve*{)O5}5HXy<YJFHM}p-%zU@M3}b`y7E&
z^$l>(Oizcm-ickdagV`bHO&{=^{@E-aiC5&d{~C`LW)dvgLRmtX9o-ac`@^|iPM#d
z-;Q98{nb5(nh(>Fx9VI#y%w{H4fF5Kr?gI$by@vEq5%iv1?~Y`AT|oryB9#~Ux+D?
zI^P&k;^m<0tsu$J3cKbfE`G}vy_|_?@SDHgWrTSON+h;;dE~#b1X1l-D|9TsA@O_E
zxyDjFU=fWgTylYjX0O2;JR4Ql->m@~E1+c07P~K0Z}Owe-U%lo0{sUEH9MVUvU<%x
zcriq<G*BMFtmh$~Rss!17aMtR{C%an9uJ9Bslurb5CBulpVbPN{m!JToo8<V7lk%@
zsr^GM;q{-qt*9k4_Nl^wBmFsNM|w4_>ju`-R@`qeT$!yZgsCqf<`3vl54?UnI>e=A
zzT9+J23P3+-h3Zz`UvTW+uNa69F1v$`~k!G;e8JwuJWV7d34?lj5FT4eS+a2nuJpt
zK*t&{R<R`W_739W<3y!)olp$v=xY{cll_>>>DI{dJ^<Z7JG_Y?41G(^KNs>#?kf_W
zsOBL#zxHK-CZSs)!ze`>!zdqaMyF5$ylep^(;QrePzm1k{5a0bO|xe%{X?k0L*c7@
zNR)?S(NHq-qAw;1VYm~9yZC!U6+(Lb_Jww?=6h;ilw7mVB{kUd19b-kH14{9-}BoS
z3h6OWB6&yUg#s6;g7_=7XuA>pV-Oh6ve>LRhDQ%x;9GTmc&?h%>2ht)^AWv}_?Nfj
z{xzno`oLUivqA664*`n>jOX*@4+%>TBOJHiPFqy_T-z_(_DngZpgs(j;4l5JRF23;
z?6Dn)cUIa<g?M67foVM^g#_a2lg{<XiGd<*Pi-#|EX^|erNj?vCqG<nzL&ER$|sL&
z5$5M4vlb>f=4hSyPFwE_1kaV0{K!*#UFBAtvz^cw>E&1Yxw7NmwRRgjyiByg5-HF5
z!z0}>wDjAhl?pg*e@P3<3SG%%$5V3kex392PcXs2o_eUHQ1@uf$Gf-1FZ3(yTyu_D
zuA?fY$7k_{5w(8)tH!zClD>HN7hcL0ZU>!yoS6iV!o%m)M*u1U`0YP`=K*?<S4$It
z&_tO?4p+ZNMNwfGur~KE8<B=BeW4S5F84qnZoq%F$n(n&Mz6gsnM(%GBYPT@U-$F(
z#Z&k`uPn72w8>WVm6Pq_;!*9(cU<caXbjxU?hVgjXJXTLtX}-!d3lW1ubraqZ9*e!
zFMY1qL4~*^wG`fAZ0@#H>C(>_E*1~Iq28qY9ENH(>ijsa;Mbxu`8D7Zc1#8zCRTe4
zpikdKX~d6fyOO*f_Uo{xhVs?_5s;&|UgS{9%=(J0@7^WA)0eA@^o0J{Ewi4h2@_kX
zs#5k&vZKE;R8E*9=CIfw)9VF}ynmv9O#@BGoBH~x&H>CKM_J9n`YuHSD&(BFplI&-
z)!$e|E9*SHA7QbNz<nIi8xX&l^Z}fC^GboS4(DHRt|AYdgbROu-p;nI`0Crd+5D=1
zP$@o|_C16|LZnsZ<NLI~+6tx3S%^dl24GK>2ZDlMt+TDSpxGSaxO$wUE&3ixYO&04
zX|chI^TO^S56hJ-+qP4SXrHZ^A)%>_W#IbD<pccS@+GV}s^G|OBF}sPg;8c)3M$A>
zc@^dxf%C_-<~Qh?!q!jWB2lhRP(h0|fqHP<anVlfGd)mx-dLj>#@o9-3}1~39yL6J
z<faiaYZiworxRPKft$c7K{Gen&Wb@AbVdD42&vQE%F7k(q1;<de<5L9n%j}3r8K{O
z4z0nGNIpd5tsnT+;5Y4KQ}ATyY@RdQ#_7D;DkdPf@KnIQ^ElsEqPa7AMVEe=Q6-mq
zbG^U*THJT-7e);Oukja$O-58r@Ax3)4*6-qemjrk9?%{~M>Xn|N{~?jVtxe2Ntg6j
zoVYzSIh7!JrP*Pe^lg53`$fi&CDT)OB5}dQVm%C&z>1uSFOR<i;dM0z@WE2(8s52U
zSsp(bRmkDkL}UViUFQ+PUeRRMHEoo~zO*d<ws5Qehfw5fmKu6QL!zZ^N}ikp%Q`m0
zN?v<qAfJLdp4~rrl9A}=Z6L0@ejG^CJqi@MBh3Aa^Eu-OU)wH|nDXNnKkK2EimWDD
zAx5NpuA4wT{~kJP>)7{H;yf2B&jGCmH^s`Lk8Cyk&a~4!u8jogX*j_9;7A5p2!eIr
zxs#(F=Z{=3Ps6*n=axP+jrK6@1dG*LLaj93yRu34IK%oYhZw;WU#8>hNaxB7F?|=^
zV-jkt#$KA|Ulcart3C?e<*cpJWkPsQm3=Bf$PdIHu$AGfb=bGV-(BiX@bv8vhVg55
zJxBlrQCBhkRnA-DpX*TazoB(hNZr3>FZKgzUl|A#G7_uuq3$}VF4}LeUwg&j=+E8g
zyGc9Q%0;-acjp=6<eN}QOg$ujuy#1FHJ$DyQ@){pm-r;t!EhIQ`rGH*?V_=DqU&6$
z?6sO2J=(`8=3bfv#|B*qNn!TA9#6%%mtO{<@1a?QN9Bt0X@eaj3h>`w_2U@_%<B|}
z5ce)Oe;O!S-5@S+18;_nSMtrF3N-wbuQrrLIN8o#Cr?U$-Ju&iLR+4H(~f-`^wZ^Z
zSw(~KPdA<En$@u2>b0HwPqma=WXEt_M5T0hp5>`LekBF_r`X88vR~kXX8dTX;xOwi
z#B<d}(VHJc+R9ki$9m$D&<AwdtK@L7*QMP{sX?gr8{)aQsa}U7SYMD-h@gaO>u<%8
zA4$Hl#+ipNLl-_-26PL1?43h|?<Jb-u>+XfYwwHpJyAu086Y0*+vRN^A8Arlvxk#Z
zpwE2TsZ*k=zzO60UfHMd0yPdjU_5APND;q>BKSbkD3fCHOg<00@5;U(x*}_29ZN{j
zx_c);#{^P8)VMVt`Gi&hgueSnnA_!Cw9v6<)@na3{5*sknYa7bl560U@GrgZIYzbz
zDT|}J6>3%8^;}592B8uV7O^uTaXNj%+T&f&-_otUm~`wz{D9vyym#MR@nZ|jRWi>@
zz8)Q+L+yDmNr)WnN%VfgRT9?CN&3lCb1R<9VGWs!@CucKdYGnlv8@cMLEYOJv+%A<
zF8s<GIubA1>$~oLFm^J5`~)j1FloP+)|id)V)m!OJ2a<ydh3ne9O9sjnNW8AjBAt&
zTg>ew2j3B>`(K<U3exiH0;{VCP!qd#=XzMm^*-vQd(uO~PowMo#=`646xY|;xs937
z&;F_Mda`}`+M%-nRNZ)|n(JRkTUX+8d|dWoWr9nzf5j)XE-w%GyFK`PajU7N*3g$(
zW6SRxfl&GBMDOT&x}(s1AkD-izRqLTx++Z6@_b}fENGCx0xCw9Pw6?WNq5C4idf}X
zw8vfkNSwi}wDlw90qv+jCmcRavPR9a1|_yVoHckplQr%LvCl2r?~A<8A9oABlnuDz
zAA8{wZ$R+eBBMAl0|172fyx9<?AH$nUPzn?lrVBG^$AkaeuVo55snlG<4aFvnQ;dW
z^Yl3ZdYv$6tR3JGI`9l=AePz0iqd+_8(O-Yg*rRL>2fF~KR96PD9?NYYU#WT1>3}w
z0eGDz>ns&nawGhxW~gVuiAEW_qSsb(=)r@O>iKQ(54?6Yk7Fqm+`B2LWQMMBTfgBz
z?Hx1u1k)%fXPsynQgkHw=@7-J!I-z30Ca2Nwq+-^snyyGEFWIOU<9(wC{an`YYa~o
zHx8qh59_7v8k;g;{dk5#8sIAT`QhCUlEo}gbN?`K1jg&EyA^AAtJt~5<F)UUd~0X>
z7?*^wj579^rUN7lXPcd(vg^Q7G<OXa@pWO@eGbMYCesm7apA{~6~cwu`Q2_7ELxUg
zsb1!d{3JQ6CoDH-i$@jG(tXa*-N0MbC$mg@{DokSCzYg1xl(vOEr3*#TkM@zXhz@}
zbE~hQ#_ylSabkE<ZlQEIWAlUT$}>i5al0gNJd%+Ay3;fyzc=Uksc>)PxH91V1(Uu9
zrt#;N9{&8TZ(^69k8vSOfQ4bwti7AFkf6Vu>7QxnV5S?vv8taa!!uyTt0f@IFir|&
z;uF6a6xmh=nx?PK26DF#c%dzoJ@~o*sSTz?-dzt`d$skk;d}C&37#dDdMrLywT=tP
z%}&q8vWe?n&EtjDe6?OS`}{dQWR!%S6SX8fSuiXM_#G`>WQP6J=s|R;@w!L%KU}<j
z`(Buv|2^~OMYs+SOpZCpWqkUR9vq-g;1@S!pdCuc0LJNF!2-8vI}kc6_Pm5`!Pn$v
z18a@hZzPp~KEnx>$if)7u(YpeoILwwJli&iZmf8OYcjB-YPqO+n!izk*K;i(kH9XK
zkOrk<s8_-oEjw;kJtdx~DvgQ;<I?Kc$T0ruHKG&30|LPP4hGE;X{KdzWJV*dV&nOu
z-QUi>>VS|lNvBmV6#srODa3c&oqf?{qA`KS!l>~_p63IHR}#%e^!vWyT{Hc2y+RTc
zk6z4Dhx8lRm@go$Eke&$fSGJKlr`t8pLy?}b-5+M9(hF_t4!g^22@u1;&0n_@|>G~
zJjDL_k5|&tOB3K@b)D83)s@u9G-bMfN9q6z08(MjkNYZdaxn&EpNL8~A0N=1D}BIJ
zMWAojuYY{Pohiw&P5!aA*7#ZLdvcQ*UkOS-SlWF)EWR1|1GWtB2zh*Fryl+wfc*c)
zUowNVfVzcf<}6N-|L$Q?xgVetg6$nWUwJa(Y5Xkvg#c7vq9M5bgav!fH>cQ#I_ED@
z1j&DdZ>V)Jtoi$C(aLW9fo7H?JZJ1B{h>}SfJC)KRzYRt>EkV-H~rovxoEE`gn29d
z+t(8)fTSIvz%il=P<#%}jPC8?eOw;JLqTXHu9Gxb!KF>St0&;*HNPgzz{Uu*!_e2O
z@qwFHT}x(A=O^s!cZ!ax_x!kAAjcYOms&(uQK6o{YbOTY)&vJzbB#!S$NV9ye6?2x
zR9t-L8k3y!s?gekQMlGTC&xdt@o40J%S<<eIbCDzntFZ)%i8RHiX{J#Y@|SPFdI2{
zQYrb-dPZDyI1SckxH6ZdybqTqim|!o9*YK=OwkAbugicnX<tXrO0V{ArFi=D8%U2Z
z8iX;L)=w_Io~wU(bFzJunx7!Q9|m(}Tlj?>O!?;jVZf1nT>Sg@5<sx{GpP)Fjxlhq
zb|>$Nc;J(4Xhn^CCkh6g@v#V5VlVM6TV_Z?bSttU&qie!1iF82OLa-dy8x&~n=*|c
zg_ZofN8j!#V=A4q=~`F~Sp6T#m2}8b^ECvukKnk9UI6It(bUMBU|-5pHGU#3zr+PV
zF7-5}5MUkQm3`1n>sB$B662ou&F#}(xhmp3Yl9EsLm4$lynU!w3B`k8bZho}o4#r8
zAZQaRlAxq|L6H~|WDg!zvj<RBK-ufjN%^aa>X0ZDkKsW*t!rQg)pF0X_gkC)&~}r<
z=htRQgOF`CED}7e)Z8BkQ`-}Ct7Z`6j`t}~4T{}6@_5O7uJ_phAa(t^2o^Uj4a`W1
zZst`3RUKb+(uG`1MyHG0hE*5u5`cN=i`SZO;*bZb{FC652Xg%7nTPvErWv<vF}W=F
zn;w!%Z+sFDAS)c$0>LQ&yT#v50@<VsvV!syq~Q^#$0u#w7QY-yoYi?>TV8^tQqQ!z
z4<1$ihL}lrgb3)tyy4gE!IGXqEj-W9B7UTEd}=S*azDBCt~4Y%38PSb0;^Z@2wMxl
zH`=5HD75Z2!izS0em@m$_<bzteXzbK_;P(6v@9iQUT@PRoZYl)i)Wt$Q3`nI-v(3c
zyNqj^j)v_jZh|wGsz%`2rfS3u$jALEDyVke_<OIHH9Q<3@6JNeKR;Xoze??xxhlj9
zx(hAU7VU(li9TYGimmOOV9?cUuBt8tjuQMlM>(qRtMP`>SdoshfP#6AI_Ht_i-{t-
zY+2+QtJ=P#+~)Gkx=g3qhUc35_1Dq5j-5`tq85d}`AyeFj$!WJ_v~A63VWVEW#Prk
z*u?$yM_!8VdL2-Tm+5-T)M0Z7<?#A|q5y3&T@v5to7yrj5nD5&*Gs0R7ybSX(V1cP
z-P&!3B&&jEE80Ag;n)Gqk#C>UYAyl^pdRuAgABl_kAj$8qT#B0)^6^JV5EYvIu5`m
zb}?NALu%a#f<!2rfw*Eo4&-u<P}?>n@~B#uF#3x7LS1t}a+H+|mmC}fIA$*olF3@6
zKkq6=rg%1SnUiH=b$);l%;h>$y?`mCi51K1zl+AtC=5X1<!4adJw7&5yy4jVFKD>@
zd8_wM2)TmtE0thhwZ(RVRKR{^=_dN9&ChoT$J3o=d6&iO2TpSJ(5@&`;BC&HUhDCZ
z8$)&Y4OVJpbxAfwn`Y}x&>%^(GQT`?C)VL%rS?~3!P~ZR+mC-TALm+Qo>60t&LgE8
z%maS0{86X$o$ksXHdH<}P=|*<8y3e^Wx2gaA6Qxh)^NHV#50PUM%a+Oh2{C0t%~qG
z3fb$?J9$hJ?=SSPi$P+UV$V&)A~8O&v!$Rfp4;)W!ABH*&|a-Wz^~Uiw?t^j&}I%H
z00DZycn9M@YSe}gc%h=hRuaH7!l3dB2_rua4+`t?zN~C8vfg6}GHlK!`6N()_vdMD
z9NH(%LqXZbhuCLKcv%XmPE!BJXr3#476P|blw2^HhvAAf0m^XkX1w3o=mqG^eYguM
z+`Pz=_`fC!nsnBBB6wbZ$=kA_`HOcCwQ!l4qL9F&ZkfU`)LZhEp%lP>%3EweB4s_3
zFqMlr@vt%wXeeBDg4|fGBCrJmZ!KY*tsJD*ODAXwce`E7E68pUbS5BGpp#5qUR*Q&
zR%2WsCuqlnnPv+DfY!@6J5QA}L#gGrQ)}N(L={xs#M9Iy9fJE|kI#hAi>^Mu`R!fL
z%crhvac-(-dmnZ{E@5xt;O4ztt9`KEM)V&xQ@F`>MmkUM`S76f`Of`j$o&1cyNdDl
z$?`kFsHN(|oMA?=q9Q~<;Zd|7uU3lx(0aN_`qNM|2S8_W5(H`N-AznRcyX{z!8iUP
zJMU}U4OlhZergNSF?WE8JX1x3#_?Z}a<bL>ym5cU-hue)yWiI@p@Xl;=gTy?g+ijK
z<7fkKB}*<T$XE*=MY4&y<wo!kMGxqUw@$MQ^&r`7F3=;w3m@BwZT6G$y}j<B{J39j
zwGiO@LrnjbF88pl-^UjH>C)`GaL@A+(K972k`H$ihIX-(i8)(bw2`MJE18Wwse(Tn
z0xqD4_u#aKMGpIA$n)5TR}`a&`)6N6{K{2P-Z^aVW-&bd>Pw31^S~&ctmvI1kwb+t
zQj9M}^-fj@3Ho{IB{=O{R0Q_DB}>xo$^6J*e_1mvne2Ukahcgj3}MIg2n2VQmCnBO
zcv$2$kQ0M}sH@j$bO-(x6Z=k_x9&o$uijugIB{|v92SU;f^h{DaB&9TrDK1hh|$ec
zi@6l<mv)Vl4k@}gE{dJ0$1;OYxAw$~#XURcIeKAVQfwsoHL4+hmq_RB&ECN*fL0lS
zE6Mjf0HzU`7yHz`KGiK86_d;)C#rb+CG#pR$=3y5Zu^Ja9HTG7^`*`nOfiLhs9NoE
zjla*Hl*XunH}RCqqV7dG@TscFK!BVH-Y$0@E9n)~A29n3^HIYMJOIg|A3yuJJ*t09
z^Nz><&II`ZcGd8r>px#5skh-|X<p?ds~zX4E6(|0PCgz)=x^h93y~ajpZCHE3erd^
z&UKGphNg_yiW`m9fXU>{9P-kJA~o;f8<;`zwaU6Hlqc&Kwe>8M`1F13%f9m(W1EEd
zLufA4_oPiw$?SjES~b&@YFjojy)f8mRi}@bQ!Z-Xlqu}RIb7Zc0ef(0oJ>NP0(n_k
zg!9-QLRgU)9s78NMP)nJ?j5R;-+ggnH;fM8t3sgmyd!=sZXADU<r{=`?q13)P3W>f
z$+XP;N=IEcS&h=c&`zJ(>&U=ny8Rs@S2cz|Rs*A1gQJXQavqv$VGpD4*0n2#w6DeE
zdRWE*c@I8y6shfxFmVk1azm$LQpU-UV8ql9=dQ)pBF^TK*>6cUFUh_#pMMuwckZn9
zZmE1~w}<@H_Mj1d>qGoJXUhlN6V6U2Etu5OaZ#y>ro@D*qoLoXKBwgapQOKSeB>GT
z4dO*1*dqCr;TO^lCl~_0LbM^DMPVB-=AiSk^WWdBP=bYDCU+sBd9DWqv7Q!afM0~q
z_Xh^<{iG-2ezpWnjOf5H-ja2f*K$9yH}fjn^6|BQUB;B^y2F{gR^z=Sf##&IuNz+N
z!d^*mN$`?dvK~|}eg$V(c+?K@&>Q0f!icBB5Qz!(L;vRlot%{6qDbfD<d8-XtQW4y
z_`9^{id^`JZud`s&|KSGNHhQg_=a8^l#rG(`cotkZv=V?`yc~V#WHdf^~oSl{Wq8n
zdBoax|ND4WFMmAshV!9ag+D&|0&a{O?+F+6B)MCDk=i@FIEAJ}fW|)J10O9^cLqlG
z;oe*m=<8;f{o}O_A1_n>wC`@MPa_k;6bk5I!q5U(PB~(6uf4Fkrcg_won#jJoR}q;
z58Y3e=<JixAy2pnS4PaqXLTcgNIU!pHa+YI6wImpj`OK2b16ZI^sAgg(8r#zKI&Og
z!P@Iu>V#vApk6y?H=K$A94Y%=3)EVDR`jcf*&t#kc0*vL-{VF@wJZf}{yXP{3bBV=
z$r1-DEc};{n@iRtd;WsEJYL8w2Sz$%GlDc9rfD6*77jy|rqu$rs7b7sIz9JC9a!S&
z*q?5%Z66<$2qFH(BP{2u`YZHg+T4@2&0k}jrf60T8Moo`cF2%4gBifa=I!kF6dIqM
zIjT^jwmuv+PQ+}Q^ER@tCwZEbOTBLxjB=5F_}9i7z{i<uT7gp^La^9=z}UiUoU|ce
ze%!ZNe(Z_VNT;z;f*-niB*&t_1Y6#VO08SXpf5VKa{AL`*#aI0cGvB#`6%X?cjtS5
zF5dzey_q7t8m>rh%{1MPr^hD596RsjKI}OAWzsw0BU%oq$pA0nVJ=Rf|FXft-k{>Y
z$m}ybq&W38c9vgHs}t0r`C}6@cjBt}@I<_C(#)Lm(YXOB&Y^q4EPCf41{1P;cU8_{
z)gV0~-g7yyia^|Hl!ltuTTmzA`y0nEv=IogX@b1~S$+Amy4t@>5@%}Uf0x#%((qe<
zj<6@L?4imfK|T8=g!mNJIv;7cUoPjKJNK>qNP-dybUqG)FIMN*zj!BT)?Rj@VY|p#
z-PS5wFwmJ^_W*NCi{eKpymWPpH|Gc0<vz^_!ujCtybd1R25{Ygo90N!Fx$51BNp@W
zD39y2x&72MzGS^AkQBzkr#dRHlBH&)heHgBn(YcykOWKCX-z}+32cHFTDNl*R#NJI
zF<W@z0m<M33k?r{9Kr>t?;#wcR52m#Ic_Y5&W&;^M65Uq0!9VeHXBr$!R=2nPQAQ6
zfc@n^iLWVaav5(O|LrwaMv7q~r*(fnXn?(tPNc7v*|%XDC|{&2@1@dn9n??evQg9$
zl4OEs0f#`5_6ak0TBC+#iRb*djw|)Cx@>c50b+$~3oV0m?Lro|muW$onaicNynL7*
z<`vB$eQQ~Tz(GHzWma$Ey~%r3K3$GQJQLUQuKApKsg<-Wo9kZjq~odW2wK^H|0DxV
zWv2rcJ5&fnyPKp?#263j;&No0JXlHTJ(JJIz8c*>VQ}Y*R34as=dZHfm|3Ea`@Tn)
zT2c2C0*J4WLS%!aB4Sl`5dz*p`TGW~jsq}Iyg3D`VO#J7QNDFz!Us*+3-N;G;<8fu
z;b2kqLkt0MzDP{&&cA!k8M5!*ieT8ZaeDU#!Jz-pt-n`cSKR6ND6G(lPRF)Q-DAlg
zK80W|&00EP@yKsyhWgz$w(rrl$Z`V~J<-3@^&Jvm+~YVh{vO|tZ8!<rvASk4YgKP*
zBXiB!xCF67L8yB$qAEqT0vOuOw~sFI^5tsUbOA@G+m>ZjQA^FT8s)3JJzt6P#dnh1
z`Bi&zMPD>qTm+Q=(Bn}|YMb_SU}x6BORoVS>^5<F^c-JeY#}Ha#s$KQm}J&lXINWP
zxTEf{3aJJ&e|=9^*pD$P%B9hP(&SfhY7y(U<`V6fx@pLiHd;+Yyt2#G$qoIS6*~L5
zK58whH<3{c333R*-Jq$D*p|;kUHb5@P-*+hcRSWnctmaiVx%8qmKw^_s#}mas5j5(
zP2oB?aO_VEZ{+u3`-Zwh2)RVkgJmisTpA$ITLD%B)!geun-QgX4Sye!(|M84uMBB~
zxvoEzl^MFUj?*<#*VUO%CjHL-Kp}U#<lD;l!nt_QNCN}>;rm<TdgEeO?mD|B2j+Me
zx(AUXs?*saI=fjPw<*tWf9f*z$vf)w3g=C~Ie-k3K4{2|J}%w&Sh{%$iHw#y!)k*y
zY<!a<1WfMzDT0UtoR|%y3mie%nfgLn+Ghm3qIt>S9edF?Ikf?>i1z<^a|*M=0xvL#
zHJuKVG`nclEkE(nw!iP11)eWoSrq=~+5P1G$Glx*<)|ytQA0-|Qg|9sx$z>MJtbKm
zUb=BFO!of5xtzdi4~88M6J%^5Ni(Ne`+nH3u-g-L{s+68vHbpZeSh>B<iFMwp=V?h
zO4WMD_@;cV^iOiFjVU9;JB~)v?V}?#h5?RFCF#v76#VfBA8}L}GJ9;*Yo*g6qT+v$
z%zBWGw+~^>><FyF_-*UkX5FPIK^II#D<EIaL;Nz`1cOlY0-wXi7)Yu@P@kJ?1nntz
z`d+3pF%ILiYZ(M{*?asQhF5%H$LIwEJL}Z$A?pba=PfDYH(25z6;R=lgVW)`oKlZQ
zsQsbj=l5rZdtRx$`iGuv&&!b;l#iKBhllRN<NQ9oFEf;zj4WH1iD@@<Dsd2XdmKMe
zJF=N8`33!~DvdH*34ZR-2AI8b_`(zrJ^OPxcx4#eUC1k@s@~6O3W136_|D{OA-1#H
zl!G(t+U?vFUzm$Q;nbN<dHIpeV7y26nU6&AuS<~!^L==AaeC92=yms*{u%Yu9=_bM
zA*|4if%i=lX+i_}_8Kzj_}&TrNnQh*FK9}L;LXnRbHtu3Lc68)N=ZzIeSPhQ{?=ae
z8tWHy9$NQ<({eQG1uRPONI&^QxpVpjjJx0J{qb??w_2!5jJJ~12-!ubOD3;pzpbl3
z)4O*Y=|%ztFXm;>JtOx8uK0Lot9WwWH+7k!W&c!2p<Kr5#fS{4iQEIKTtGlc)>Wg)
z16;eMZ-Nwuruw`Gmv11_WK1-;f%)D?xeX1s&bK}9>{wLb^Tt()k2+SzrK2S(z6ZPP
z-3*z1yn;BTKD>}sm%oCxv!78vbVK0udvxL`jC@+Bk9(1BdjR3*$h}j_G>kS8Ita8t
z5pj5K(R12ky}mzlaLt)E40^FL*N$M<ei24bck3ryqo1Ki$4Rep)1HgJKj-H1-MJ^?
z{XS%pnUE$Yo}5u~&R+-%%{mTgBG=_HRe7@HJ28gkaha&f*-wujmQszku?sth&oL%x
z{hcx~rX64-X$f5U`*(1L_1ds42yc=24Gow^rN2X4-NTC`I_$n1&@W3k+u@QxLc7-!
zYzBwJseB$l2<=+KJb&rSIVlelS-g&Tc_^b=J<;uNk<;s+9<@GGM(b6_@GiY?8u2Uv
z<xD@2H{Q2-X=_0K7#$ddoGyn*ynW}lCkto!_i$&2)~#v?8S(x+2<7+8oK75brMxOR
z0t3xOu00oVPptmu{1Swp>{TK9?Vv5`7e`=3DCIyl=L#Fbb%|LoRJ~`1%JP>x7w10e
zUgM>@FFnsdL}OS!H&`v1M$5sEPWR^%(15AZe*L=y^Y_yO5`+|SL9Ic^%+FxHA>th;
zw}yC2+HVLytQBVal7Sz{d)=ueLPGFS&cEkAjji*i<t!fcH<4}93+5cZ)aGNfDGe1X
zLa51KeN3Eem~%P;+y8uny8~YQLEkPYs(84`M?egc$I}xKzHD$cx4aYjT<j~Lj5u7L
z)+Zyjt^D-}d@hOpa6U{Y>YD2|UwAga*7*U!;sl@j6W3-7^~0Zmk@g5tv0TAw%J*HF
zsi!|0-rpyGunOJ196FNwS&ybCRD%8qNk`%O<OIvswVNt`ADY7-YuF_Wb#@UcKK{~u
zt7!3QB=_5g8x)Lb!aF6nushgX9D|3lkl}5SOzKe9#mmW>J8IHHqbIFu)7pLW)=or_
zN^+F+h!!m~B|APZ=jXTV;a~#o$kuoZ%F-~(H35<UE)r4Py75z(ro%t&z#EcAYzokn
zNc0AUm*n-U1~UQ%93c}wJ?{j{`Wvrq1u}haFJ8{>7M`}fCSjmJEuZKkK$o}<+8q5j
zuRIv0mtSwS_-H>yeb44fJ0uX%>}06UJ#oKyr$4cLasa_-9}9M@1tOtDEax}-CL(<7
z!&8u(Kqgtwr?WnAt{*5ZZ2<|su9Cq~RXX3OhsF?|4Hx(ft*hg*#`%8D@P6rcf;u;f
zp{FX3G+!+U@gc`20}yA;IGe$mZJl@lx~=UFg?Al=Z!dT`)CJ0)wfzp(T@m7o3<gcw
z0;+-X+9N*E-SA-hlzYYP8U8a3LBP$AlJwFs&ph*G1DQPnyZ35J_)$QmafNb<*?iV^
z-*_{u)#|OJggLw&6Kp9r)~dBv=t#zmc)qC2j36oL)Ai?cx2>}OmdYIs`YSZ<Z*Wv}
zT`W|p)Sj=SdF>VouxDM>21U~$X4BZ!4*>U#_!%I2q^`E>Jc)=F>3lljHxlA!Y)COF
zj12f(EBD3qQXma34|;O^v@&@hB{x4^Y)4YL(ib2Hp*0~VKg<1Ic-swD*Rcc$-Xy+Z
zIw$<7>39#UG(YVlw(Y3X#;4b0TC7V^e4dY7gK_0$8lV=7ZlxD@%2TLe$U^yM^d0u;
z19iMbdw$tGCD?LzKomJP`aYXCksR7j_G<5we}w-shtDte7y$py?Q1JQM00Nal+^P5
z_lLN+xZxfYJtTqP!(=FY!Pvk3`JOMy<;c8{i$8)f2={WiCBiNJbyt&zHQ)C%1})hW
z4UXgO!B+ilq$2*w@FdkzPvd=F@;LE3=9@JS+{67GLO0qE<nB`dkrf^i!FSkGCy;0U
z{1;v)pv%ENz07!U5a4eAB|flhK%;K>#c-5mX7b1b!J6=Bc_L!<Z^jBvXUkFBerfo_
z!PlKoQC{dpK^fvSOtp#4Q_Q;61iX{!{o<y^3ItnGK?x07Q0j;3Hp9pa7pKg5YQRBI
zlMm7jro^d!xy7F<;fK@ff>!s;Yp+FtuQT!>bz;@^TB2fPgSU#0P}KusNIveMYZ%kF
z<8?dB@q2lmDT2D1Ah`S?*Rme#G|xuG)Et@V2gQ-%wx`*(QRY*Xd@0hAf1RhW6V2|^
z@kV*s@!Mz7I=_<MWJ7eL%KlpTxRL<!*Ov1uLH<61k7mR3lB{2f6DwyTwv{U+sjy!V
zLFU#TjMpPr!%LjBBrB+K9hm>(CBVCCr-7{xXz0un{-sqd-HnE0C*A$tt6y`S>nkn2
zhtJD_=tJCGKVhOMk~4N^`F-6WBJfBO<T)|(HhCy3mg&+F^?K{?YL$|wc3+$ks+?>0
z1T)rOzMAjti!|cW+E?}CH-!FDWBZw%_i@*`m)ql^*G0$jPh>W?pJ15M%ll|O{-3EQ
zuZd+RYAr@#SgMWMQ19B{xnx>%YJ`e10Gw}wpogtYMk64(D2G<!zgGA;?g32fmeLC;
zJe?5u3u<YR9Pp7@_so~Lev#};LHG)8V<JJP@G~-}&^piLK_n%@ducybzGL%U2jDw;
z@FT>8n7a5G19qZ2P%lhkCqGiLmp(kM<hBEV4)W*og2L_c=vK!(#@Rj>tB@GYFwFe#
zt|^AbO9~G;;q(avi{f_$A|8k`I_KhZ2a!_x==oY=5u|kgZmRQpJfFSQ99?yv_04Cw
zw53;x+-kp_?=3nMw;~j`?pKE^l!Od*Qj})^$-^3XSdfkTj^pKN8Q(d|$}rSLTI}dC
zhx7O+ab<DeObTe#e9vdZ^UD1ydi0@uq3BXrCHylro`sSETt|TMEb`}(CJoIMcY7Z(
zhR7Yxt%{W#wa+_0l&9;R(waxRuUI8RKGe-@$nE_|8eudtqYnjSIcPgz>*U39L!Vxc
zf={la6gqAv0~E}CseN+OTs<yVBP!F^yoZT=*TV)D2TiqY=vXrB#>Sv0no@H8qS5n<
z*+o#$4=5M<3josMC!n7%TfFbad44CuJs7{MUvk>F(o=3>{_%bd$&%O8RO0E*D2)fO
z*<K6)Vf*H6w-fV7AOf4n)3n9D0!=*JBlN-;_V5E=$>g{Cd^^I`)FNO*9Xry=lIy;z
zS6b%G#d1n>uu374Wumaz1<3sIsHF!8BIpYWQ?U7b8$UaEf0l26FII&|q&BB084j1k
zjnwlYCf^@PGQQ2Zhy8?q8;I=b+MwkGwFHZ&Z+toIm$B*v-HTy|*utJ-ocEMs^*roZ
zcZgscKG>ZWWsF<3F;sKv{e8*>EFWcK)MU(*B=iXUONOB57w-4;6%ns$YEaw6f!>dq
zC-3;>@ZzW6$NYgKaBxSpM`7Z8aD$^ahK8wX>DTr-kOvC$SPD0eV_d3|ZWsMJ=HCgE
z^DyWaP!^u!Aq0>zy1uP#9BB5w(dTn%I|CPW6D?|4Y)e_5F6T(-xi~r>D_F@;EY51Z
zyLNK@X)VQ0Ex(d<`8=_dUT830^I;_MIt2!JAln^H$_@3A&{BpA;Lz>_j}^S%Ly)y?
z8FwFr@ohjS<;J|gwEUcu-`GLHy8t9Q+6E}dB`b(4+Dp+x>_bSmq5$q7<nlnfoqf8c
zcpgbXxS!VCN@qO~t{Lwah?rlm(qx;i-QZY&9s=s51d%-RUVofPqTK7=c4g8*!ahg8
z+q(Nf55YY7`C6n13mn`mNs2`j)!y&D@wP|$ccisGwG#DglYVmjtn7~&hrqfxk#7|z
zXzCEIagEdWu5rV2n{|27^<rad7r~o2(al3=($e1`XmdYbyz0imzL==EE0dqg-`7h@
z8$i{7g2GT(9rE{x);>0AG46%I$mLMI-BZJk-$$teUehu5ykg}}>`(qs@jjdS)5T#J
z85%<CQ*u$b?V&u+&4C&|iU=~b+OfIOR!=VR0m=@WrnAFD=uz`I<rfa?+CBq~b5lvg
z>%lzRx8f7t(K%SQ!8+pb5wTv2j|W~f-dN^YIm*E{9z`EcCo_|yLq#Lw;hA?5c0>n}
z#GE3@OWiKda@J)n^VH`>(<J&8L?4_>bic^hptSWa5{qRwV(@J5C1GE$Iiy74*YZ2J
zkqU`Z#q63S6`bvpxp(7pfq_DEHZDEo1r`_I{CHVkfWC&6ezwW%CJB{VV<A`Dr+Z56
ziGM<zgnU2vA{<eL)c4h9U-JDI*|xl(rV6X83N$i9afh;rn8D&(&fy*bEdqaEt4Aa*
zbb%5mo~i!2fAngjgvHPfRGK4O?QG8&)Yd$xx)4D&DT<xL;SvAJ<9+5rFKZ40BWtzv
z0#<&HHbKADf#rxdk)5+TC7hDAAJ-hE&opKC{OhTxD_Wo*^g`i5*Ja?;TCskrs*p|@
z0K_BAgsd<jbeF}Cue%IMcqH~!0aTV5v!4ap&3|Tr5r_^DS+_QQTx4oSxT1A&@ChhE
z!AS>G;f;5gxW@J=2l;$Do($DXPLDSH0{?2YFd{s&bZ)N?g7`=wQYqqSg~D&LrUQC&
z=E%|gntVRc8JN<8;W}pIU53gm*_2Pd^+329X5;Y@iR-#+mGX;?73c}`z#PL>%-uh8
z?*;8-;DJ)XE30C}t9av8mjDTBX^gf#U=y9&XxM7_u<JbbXFB2Bgep+r(DB1z=2PQ*
zkL;$ozxyH)8R)IrmtdpX!jmUJSq~0sw<Zr+WCi|r@0yM2t4C=na_iHpTDI3~nDo;G
zSKW|i`t*}t$qy?jE@D4?C@kyK9uf$D0|Q5_8u|M<l{b@wbne$U=4e1o1qFNg^bPmf
z$hj3J?3(B6>yW&sVR`jB)PJ<)zLJng26XT=5vlVWQKbcc&;8c>cNi)X%DaByQ)rXy
zJ+yUthH`rz4+X?Ort}WN%Q+tI{+S^+uQvIRI4xvfA2R8yvl_3$Aq8#UK7K`YJ)~?M
zK(3B_@~`~a;qaDxyt8)sJEXPCY^r*Wg?1lj`xWZ43z+{;^o0fg4tkCxuCEMEA$<-)
z{A#U6=DkQ<hr2Jpr1<#;ddqeV=5}k_XL(1vc}n=uOU~bThMLt$lBs=dP43VQ(1E#W
z)24ReO(z3I*wQ+lYCPcCY+D`sSBDB)I`q%6;I6%>0(LlSMx{2#4{9)PL<V~Z5r2>T
z!5mZK5#g_+_W8(r48dRYuNfJ@dS#{Fzlw1`_A!SjhLtmNBVOznH92&5qg1_aC<S6a
ze+Fpn!I-s1O-^+%pZ8^bYxM^T&xx6J+geVrM=37%8H%j8BbsLuIyQ$GK5n_I_Q~=2
z)Q_);c!bcXnRHv}JjuH?t+8nZr$DS*+%Go{+E}lTg~1GVa0eLgexU={TD`jC1r{`M
zznn*K#_{O5=WqnlTcWl)Slq+@9S#5rQ~BGm-_9S9Tw}c>vpAqaKW?KM=-^@X-eAds
zVdoM4?U>H5qbp@DtVos8$X|>VKz|H%)%Ub8>W}mcl3dQe`@pa#8oC38-vJbSh~~H5
z)nAhZS^sF}DTofufvjZ<eoM|T+l2k}3vnlu@`FcXPZK-y&3?A)WYMC2QBL$PUUpkC
zF}xO#N;v;g;&-syUtpSQ%*~|y_1N@sIn@oDd_$I8z(8nmA+`Nj^)cnk3*U6WdF_kh
z@Li<)saXb+D*gTW0CXp+9y*O{K7MQ|8Jxh|We$}Ujkucjgw}ppw5@oxeK|bt*J6G0
zXzE;ru?y6jF&*HlY){j^Up=+>>2S($3(T;2Zqg*mw+*T6>HcL{BH#kv{hSL-(K+ze
zy0Ib#3tE4lT*1$8{l4_b2O;3DivFUWUY(Vf{!s#a&(awp63`N!funn!*?C^{Df%L7
zFOYh=!dg!pwnsTR4KG<l_hh^DAu(ZaviiWiIZ<g9AW*jY(t{*)Sf5iOZ%{EZmX}o>
zunWs#5Swm$KD{Pm-{7&^`y1O5_1So*H9VU)u$~@`W3;QU=P-%PnivM@ZaLN_t0*cM
zoBkQJ+?@CZ4g;I=^bZn;tIH^)oQ}>LB@bO7N{G^ZpVJM9F3m1_Z~RS21O5uhhexq>
zH<r6CgV&7f4&vl<lU|>2G(DTw>z{ysvsc3JhnFCq^efAK-;-OeomcX#uB(scK{Oa8
z{P#`Xma{<@4@=jGNcImu#{-imysJEnUtTxz72U|~_+I!nY%iyG-pye8$ncO=AXj^B
zC*1v3JI+@L;_^i1<#e-rgy;C}O{z|Er!$8!Wqu!^9x@7zEL!9aIqQ#4+;BGd5SBXh
zkgQkti2VJ?VXvd;-;;TdCkR$O=rKH0-{a@|QBjQN&l%mUC%D`lYW<|z!;l?*92I9H
z?s5*<5i(H`<iLUZY_`s<XuQtSM_(>FEqDftq@&rBbw6=x8=t*8YI8Si+S-GU@FxED
z{K8g#OmcM<2rc5TRG3zH)7w|kdEH_k<wxbs+%WW@dsnK;u^uV&3S5h?eD;&W<9q2L
zBd;28@lxu^AHBRgK6slkJECZe7l7`E!7obu+k_n{bQh@ogYd4qr9OBhyRdHsRwB@k
zvR0wH-M|>riu^Fqp#(9=ki$E0IjjT~D2$>vVvR`{HWP8APM5Lf#wj2e`aY45Ovmni
zm*2C&FqF+bEg388{yBTKn4ZhEoZ0D}4~Ia8;cEUq^^mlod?NXLjRw9sULXieyY?-2
zu!G*S#$zbpo!P=(tiawhz!Y#W)H=xeK^S|OV@ev7zTXnl73y5x!h8gE0%FThDHi0H
zos^gPi5^R62=jLyNTMsdk$#9JUorb7*ae2L^a+QLJu-!4MCg1)QcORk*QX<Ru3J5q
zCeQEgBn4&W`|kU^n(+#`wgNsWAjUw;<q*nT#n_Ui3J!|aNf7G?t)jWV^@g%3{)emq
z7eSQF@szy%;<3)hf_{yM5*plp^W`#6un&8!@Jl>{wK@**=RgjZlr3*(h}Ii9@5I7}
z+BFLOMqqrxq8sKt9R>xBQF_i_KJZUBwa=uT#k)E9u&5+!4gwtn93Nx0pP#$IMmyi%
z&^UwSas>!AKrz2!d<#u7>Z$!~tIb}YW)u}`GhxRsJ(7AsugQrYbH0t?cBRuOq-%17
z3nBBlTN0FJ)FX<3!K%~PO(8z`#s3Y8x-@@gK~hdl`=0gyYF0Nl^b9SKw>Z*Wf(kXs
zMzF}JoR;)VeTwp%277;zx42u*XB~Z|S_gk>X%_iEd~d~wfA?P;j_|aF+KOe@uld#)
z^fi-Tj?Y9dpZ42`P94Tve?PhAtf?pIfOf8xAVKr~B59w)kl!ic2X<2R$Q>`(_>NLf
z2f0qe&-YC;fDJ^0dm)&8h5f4r8SL`gA$lTry+uQ~ggxmL_;Z(ngn^SWXT{9~0gumZ
z@c>==ai7k*g%!)|Wz<bR@$p=NBI7<<N1J3GT|e@TuC`|$K@hs3Ci{Hvb3@qkjU^fO
zsDwXQ!_cTYp=^_f&xT@GkqGzsD8HX2wy1p*8r=O|1o7NwcR$-FJeGj;61yII+MQWN
zWxsmJoCRuGm_HRRZ;~M&hNmq5m-sc=7MaNt%d4Vov1`xfBO~x62SvAi)7>*ys2SoQ
zY4<w6-o^IE?<-Jr0(-H@?32w0$BVxXRDM#|y8m$PlL}C)iWukyX(Ey8Jr3cnFEc7~
zql@_W;uIBu<P`xY@4n%>dkd65wjZQh_ELs;`+4nbto9ydR;t>a|8gvVE3}qjj-zs>
zMOt0nC$+l-%B4cogs@FqubOSVPrgyPg{tj$;BphjYm+md>+R>lYrEV=e43*p9_7&_
zpYE*Ube3X(ai{On1H5+0g+N>9IX$CCd_qT!s2bP|)&_w>=HpQ;zcNT1TxOAh-wjwV
zYnj|pc)NU{$#V2}*kk!fbMs-`n}vmkMicwjYJQ+6w&tK0@UUS;O;uaG<e17n`<BHH
z1_-&_zW*{HD;7oRRl8@R10f&6EObTEmka#1&$t+S)!85hA)oDI_9V}dCrqb0ge@c7
zc-@k1b#4#7=$`v6k-f0Q@wgADwu8bW`5ake;wm~n3PvC~g?c{*f6kWkQQ||Zmn<Ec
z6gT3f4?$Ehham{4y;A~h5@il(J(#T5?7cyAc0u1~bZ3vz%*BCX&prQ2fIWeCl)K!c
z%+^r5vYSdA-zNgXaLs-G{lPDpPyBl@gFx-O-X28;c7e!UbezFHwSOv!IcTt-{4MUK
zjN_8ThmeU)S$QfT;WQH*F3fem`U`)}Lnr%Si1K6$EZ?too=Muj^7CQ3Kbz06f+Rfk
z^lXQMY&}0qVA~hFS<I~!_s!@dnt$JpX@Ev9hc>}uPy;ykroRtYkva_;t_0XR@n)an
zAAKMsV)tVaX<a;_Q~4|;#<$`F5DC!8Fk4k}VQ?^=!}>~K&cIj$uT{Ta>i!zs^4&cC
z+_N;Ab)Z`bMBYBRKEsK53YQJ>>y=t{^-$jeIFE8iA_E~t2OMiu?AB%_l-`qN#!>g_
zjvwm9qx8f5DJBs8^*%td0h*b1L{DbIq3fbT%$D6c?rx4=Nf4UkLLfS<zOd4|GOrhe
zd;XkWJ+s;RSQo&Cz@)RkmfQ1C)=bKo>Qk>Ev|-YIH!)AKng2;=a)>119RkD#*g9|P
z;1?lrsD@6lGS;Q94ENmjU5<IWO!CO%$K@VU9v_iVBrO?+=z3@TgtILG9qPQC#8gxl
z3^o;<g4{zfC=!05{9rP+y%5<xA)QL4lnVUmUFAWU<lLLg-06YEhWo)j+aB_aEIy9i
zyJzErJGvg&>o0zYL)^Q|_Et8o{uoD;Vu=;4bqzWPL$ma6+?F;o&aqD|^TqnT1nz!2
zJopmaI=G|_PzM)`3sxA=rUzeU%1j|H))r5~fvHXXJ{*edj=9BufO?<c$`gIs9WxW0
z;~Rh(I;ULuF96y~^s9fQ`KnHjJ^sN@d=5zafXa(}X}3k@QEg05+89IDo3NJtocKTP
z`6)QS{2vc6$5%R4(vG;h3HB{>bLW&S4HUw{;b;tB_edr0t(O8jj&Sg*s$C!)WhXWG
zGi&wfxwYww8FXXqeS=fli}fuEiCzp*T_ajbIV??`nkYpdge$5z#jgFp)8g_s$Z$QO
z8-(e=+u#17vaq<h?6SOk{-MsM5}=xJWKMA|`McztXnl2qHl}l#e2DTVN^s`RO`xir
zchO$1v!(VhreW`_*{9a+-HOogJya0ZhB#%rzHw@Ne(Ayf4f<XdnCx*m%nwCkq>&T0
zYR{KnR|tYjz4$(YkwvHaaQ1u`{(w!KaKD`cC}y!-esy|t;=SbXdiNL6m4v4(DIt|0
zOTXnzyw7xOkuP4T7ln7wyCpd#l9|dl+#Vlz#$Fv*$Uh)8bA7}4b$me1DOk2@(u$2f
z@jzhGl{y=CpQK4BtGjP1U%%^$z;(f|NwApF2B(|bha~n%4(i_15lI$7`00o0q3FH$
zeeIHOE!*b(z8F<;5Zr(Hbw6o#=U4C>9C^KIHUf)E)6+%O|LVSL7a0coXZZ@Wd*d=z
z*rzhYbCmUCgpW=;>Wu4kq8Ag*Vz2O=&@30j^5we}u}1@s<Yb-XPdp|*ImogI=G}z?
zvCf9tk&ne*w9~OQ<o*CD*ka!$JxMc!;<+}4e3`}hw_e0(1st(y@01KV|Jt_S)vt}p
zx*<;O8jfAm4PHBi;6jZ1junzpwu}9XV(?v-{`l#?&b^j|4l&0*Vnry7`o}Mco3D~5
z1LFKY<|xf1+?YE`wB15RD*s5cPw55X2WtzT@kAPr`89ixRDqDD1Qp#-oKlTqy=bqb
zHz2T9;%*WsM{m{d0vlW6{dzv(A#Zz)zbF~*e#d3axtmy5-7_cPeNAz`f5PhzpHOh+
zv!ARnObjx;|Lt6o`Cduu&uTg#;OC_h!*IG1c=6|%L{JQeV@vQ%#;j7{AH0?b4tdGZ
zd#MPxXEkzD@hwGB%fozLuROzx;}Ggr?gwizI``$yF6r24wD{W-n+(j|%oX(~_u}J7
zsF^d)3bK>;&!GdcZn%NceF*|jb3V?#BfZ+<;hr_^R$b`djpnnDl1oqOmLX=I699ku
z@T5r!jtr&kwyXyDd#6_XP41QKWQap=NcA4<t9feUx^aA@5Al}feWSf$CUc`q=<0)!
z9-1dZaA8sS=|IDJrZIMK(YWbCuF@&=MC%oQ&-O_9^|M!@eYN+hY`DB%7)^JUNBxxN
zSb%AGPD$pT8HmRY$$t}bcK3pS39hC{!<PvxQNNH*l6f*ouD(<8e4O(07tc->A`Dul
zc2=|aqfnICXB_g?Jw4<bYyf;XqaFrXER1%Zsku`@Lzgb+qp^Xaa+SlX6_juZHh5+l
zC6xOo+^JcG$&L&p$gaOD#De}50%|_HZ}S(-|6ZZECpRL`+L!Q`Ifc=B9G3U8(2SL2
ztOm;kJg3|Hc#aLO|5H;*vyt0c%RJsY6x#5e@sihL{fnfrn8wV1Bwg3GqDm0`B_#7G
zB0&Vn=?z2y1<4A0{cO&xb?%)Rk0PPFy1HtI&*Agz`70<#-s?aL<Ke5C?{1&`7^ZLg
zOJ|m;GiEoh7P%AT7v20t;)6-=FVK@e-AmmUNLW%k*)~PQ_$?Rgql2#yDmg=@&?FDg
z`gv{9Gc3^O?a9g*uj9QG(F!dp?RVI3qJF?&5vuslE>--&`diOFeuUJ%VA<y$`ak<q
zF5&l=9tD4P@Q-s|w1>rS-%JE-r*7Zsi|wB7OS#EP9}MN~M<?ZDBEK>zgvJB5#Qx?S
z4JjpG<>lNnf4&g<MbP6{_#RKi>qg7Y3P(P9kBf4{K4`Ru@J0BS{WkThP{A*y0HvU>
zJP>F19`GRsob(4X(|f(g^ZWtvu=8k%E2J4eUBrHXn65#FvhVC|m09eU$Kuv*$5~b5
z_X5n+9!Z2!jm49Bs{3B~TCYZxm(GE`#DXm|s%iNoKF``~sotb?zEE|};G4wCJO{9$
zPN~mOlFzHfKef0*PY}ffC35$}j=wL3a2YHW10dz$k|fU6yVHr{z)Z*btcZqU#(CRt
zgC0aucIw&&+WR<DzECofv~a+VqII;wIQ4}hc(<T_u|hbTOlk7wn{iGj9Dfii$N{7i
z6kc&SDNBRh`VW$o%N=4CzgHt1lY|Z++<)+l`E}E=)Sq5)?~ppL>Ie7R9{y(0cRut4
zyvQu-$2HCG0537}`LJB)03Gp0ns+4yc`P_VIXqE#32pW(|2k(?A+!6!;Qb@6?Qsyv
z7&eXHcysoNLU!m~(bq%H@WXf5rw4vM)5nn3_B;hKniTS;sQmRF4zvh)NavYC{?+pZ
znUmQ#@K$Q6A!F06yJ)oB>#2`AIuw0)b8I#ajD0?jS%JhzeTpscz@)*je^PXK7ZzG-
z|H=fDNq*G{SPOC*|8`erG1}Ae>QfO#R>#o21A=pn<<S)w?RpE>H>CV{C@@plQQg$9
zykGt5DsiFj^EVLT?4|Ud+AyU2&Xey{vy89EqSw3ogUZJ6-7sfRA>Wf%S%#<h_t`=1
z+PbD-kl|n=C>!TSrYslv)3~QB!k-}TXa-vL&Q)`<W;dVv8uTFSEB9t2hn)SkPX};{
z850c+o(P8E2=$B%O+Lf$APsqK&zCF4mHaB%DXj0ny7$$7_0@=dskXAK3onu!CW9Wd
z^sf6o+MgNB40A#=Y@cD3Szr`D`KFsw|FnIr*r+&xMg1bc8M3%utJ8i5SR?cQ`#Er2
zK6**rK^@@@f9{Ns_&B2Z_M~gQ;Gf`X>WFHzZPGT8SDNl<g;LHT8I+|EN{ZktlpQ}r
zQh_dYzh7M;Ed=8LpUno^#Ww}{z12M_2{mM?(AeSh-|3`;NO*6SRBu<%&1X}#*C+Xv
zvKnY!7-ocrMY!5AL>8ZS2+16D?92}Nfnrkjbohc|@>G`>Yy%{Fe@L}rS{-PI#+|-H
z5mlk&)q{2$G#yYPC>1yQ1zN}`UmBh=Zt)u((z!<#58Np}jHOKsSfhObk*=J){XsUb
z_Cj<U7Ek5uvrBl{x;cYx?5u<e6k?=B^zfmN=_?BHvD!@9XY<2oi>Ko<Uyw2RTlA)d
zD^V!q>3QYRTw>kpH%{15=EsKB*u)Yxg$TY6_S^3ZAM?4G9-F4B)o?`=OkVL-?pNJE
zWFSOtwaPSNY5V)PR_k^u+!G%gx1Vu@GUy{Cf^$Zw7w|hYq-^Z3Y>|=cP%(Mz)1*jo
zMZECjk^n&RKg)Z(s{g$zaqE1N-VaL)-BJ=4o{`giD>UqDuC%Yj*2Yj-7tY*X<Y!C_
zDCbYkB;y}n3oiv7T5_)#(8s*i+73`!1<DZsHDRq0_nF)M#iqwXWSZ%xscv2`k_IF;
z*PXu>giJTDdhOw^xLQ<7Gx*zm2?hr7t0<XAjU|r?PbMeqOWd#ZXe$JeH_z@LCp7yu
za|`yq`=YJ_%|F(3pD5d-8TOU#qqeW^<lp5J4oXxoMxqz&#`k3#zs3KbDi&`*ej(&@
z`#iSqob3_iE{*D32^`WlnU9o_^6BErZ{HILU^od_DkMDu^&SP^J#pc_lV$OO#v4Q+
zQ&*<VLCu4g#ri}4B`=9*<<q&Feb-nogndUXR^wYMRp4rw$S_}UcULs*9MDRCHV14R
zDdwtV^~=z$O9Waz^M|@N_G`HB&p^6T?N=`XW`H;X!d03MKswN?LF=B2ov!ku$CfFE
z_~V?<6c8V!=a<~7jSLsPflRu<<AeAdfAD+TKs=`~%<|H1>gKLEvZBGAoK)U_h_Z##
zA~U*6aGFpy<4r-%IX%%;)pa^(ptcY`H*X(cY3w*pZ?8LK#9cBxaw0@x5D0kD*{29z
zz-6O^pF8!)zeW2h<_2x(<W>k3eYCqU_Fx<uK7MboVIJHKDuaRiG6!S(USt@Q?>i(J
z=cG5k8_Df+wQx;1sb|4$0PYUjPkG~|<C{r~`!f#ChkeQV?MyoHPFD2>1`@Xg>Hu06
zpaaGwvc(fQ0#u@$f2z_2&LrE8*alvKVke);w<uxLYw-TmFyk<+7P9*O{&b8=C9|Qt
z@?HwR`lrzhsN3dc^@5CA(T-(*ROJlL67}uQ%x`|$M&d!=zgX9G+}N5<(13XJaqWC$
z0LSI#vVPrtVbR5ax3QB@zjb+FjB!r^{LhWLhS&Xj<%`<0<C`$sBb6-E7tFxv@J8a$
z?7xKhOE&XZ#CRV@wlcin^Wd3L4eP;hcb_mjG+9(Y4MmkmA>RoSV(BB9^q*l^-|D`~
z0ObySwPW*5$r);45>~oPMXA5yd0(05^Xu~2#d?gm9}!@#=5!(+E*xy=eJ$tA7f;>Y
z{hQ7awU33*-_+<fj;j9jbp8Z7_=|4LPq59r%W3&_;{l6=sPE;>;wb$d9Q~XF`~yGx
zoU^<y1qacp+QHp2QbI9~k*kV*`u@Fx_Elvo44bRdC3#+y>zR56*0-5R4#5$A22Kyz
zB{4z)b-%k0`x?D;t|4o)<9{=GQLKf}?*b$epYv;&X-=X5V#LvteM%qpzz}iW^<jd$
zM<ZLk-jR2oVgRPr^T_m7O>37-^PwK0^U|BYX$J&J8JZ<dBYa38Nx@(S`3<k_uWz>r
zhfZCJ=OH|CC#7+{XRLl83-9779%sZxNfXY~@KyM^qFZ(PO5GK=Q{3Wx%TAI9ZvJ_G
z+=u>TP#keIKScK2gEMKsZA%y9wYv@{8Z{enxt$8gk`t9${qWtjHb~h}>t90rn(@p-
zHeUJajx^ZdQZlt0?$=81TQ?{6j^BIgTrvQKp6XcVia5t=+U6I|3-YsGo3Ji3jgG!i
z@dJzCB)9A59)JVx1_}z~k;PmG;H8x+Kt&$WzZTERJ8A**jiBCoYglG&P6supLNGeG
zGk1qaSe>712f#w^M_;$)p5Dm6s~F!f7#|<;T}?_!#>ErP!boZ9U7r0F_FcHp5eO*!
z5p$>vFOyp=0Dp)j1^}Rf1PM!tP`{RtM97Ru_<oZWE1Q(GxKN?qpdlutkdzRo#&gG~
zW>^H<jxbe*?bMTpJ*Q=TTL)dTqQ0lzNw5WlfiCS)DD%*sBS0<W<?+1G>`#5hu&}b{
zva+*b>ksoNwGB7E%qNEd8MKX?=KGjBr(@;GX=~`5fQglao-Vx_rDDy16^vu9YqaW{
zaAA)MIq%sXup^1y+*V%ldlZ4_Q|=RmpI~34*dR-J-MNI158V0s;kQs-1N7ZQf*o2N
zNuwyPWxKLXJ*auwz}`lF+w~R@Y}mxR2eJ4Zv6K75JZ3}!{7!#k34k=b!z+;>z_D#!
zJ{YJ7XWWXJCsPxdM^FAqZRh=#v$rrvzSqHOUeVJsspMppBe}0>{*QH{?@&RqZwi&p
zhV@1jEUymKq5H<B9s_F_=&QT5+5N7?AME5Wf@D-S;qx*TJMC)S>+mL({$rrJ?=fYG
zXS8R{`{k?D2LF%S{#9D>jHD7zvGN0nPtN!?Uj5uQn7;3LW_e@xtoZ(;nU(4|^c>C)
z4h2LJo~5+^iG0I9aQnr5g#VqtA7)e+>8AA+50RT4vZe-3VLvMvwnY5Q?MsmQO{ywb
z$K}kG=noLZW1odasAh$mC59eIHgvf&<R4;yO>^+mbLJ&|Rw!+0QJklQ6nysN#6MdC
zlf8t#vbfWYblEUb<ko8UYuNH<UEX77YO9&A#%B<G7akH~TC-&?ESGqibjupHQjcN}
zSw~e74RiK{)?4bx&Z}iA^==4!LvD2g>!A21_q5?yza0^a8@GwUHMk2<gSiE)qJ5Ji
zm<?BJPFD^|k$g?Bo@(~#C7=BU{KLYywpYU-BKw+ooBsNh>lBx>c(cEf_0V347k38=
zUSSFBYd;WhF&Kh2Hj|6Me#mMM0U7?YMGQyi9CmNyC{k7TiuIRmVBs_at28obsfHK9
z{ZRc@+F^R1OjfdwU-**Z!|}*4dT^Sq^zTxwp>}v(Nde9ukNxVicAY%x5|8r?aUWC?
zj+R>P{Z0|8GNxSQHHl@jardnb8e(6c*yHMHh`bMHa3L(FPJDkiofWSduHaea1Asr%
zj|EePCj0xI!lz0+@58_bx%vv`Vh9hzpY=JwvF-LfZAn8FvE9XgM(l;7TRIN)a$suy
zyEoVcpH&8mj3Ew?0Z)J1OK2h#>QGo4eh|?#-0WIkFg{REm2NOmRM1T`l=w>;>i*u{
z*i_gG%Q1foKMHDq*hD>bcQL#MYJTtCNKYI)Rk!s!ADsVa<S+ohg1p{qNTUxo`Zrk0
zO^F^vSgL;9z~jEMY9oYtE{?y8>SNT&1E=qMC>$&xw_Q<6rkP;I>NglW+eYRqv^|0}
zCkz4$BS;NhZ9T&9#F>$gX>mH``4hKRcCr*9*w8<R0v4|&65$;EsWYiC45WC}V@}y@
ztG2Mobl8r1_OW{SGQ!pwjcIY@95)K$#Gbd+e-lm;IlqJUh>1g|!clz!h5p1G4Xy8D
zNvHDQOFG#cgj(+<5XmgKhA4tJEz+a=IobQ&?Yom3fZ-f>m-eJEJBei|U1%}Cd_RAr
zK0))k5TZ?oncs)o^|Ox!_Q{&`n{Xm4c_KW!Q9#)JHS>3jmYk)p(=RS*{_1?;#oGH<
zLD>@_Mb1_xXp_(}_T7dY6WljJ`cRK)UVR`5@^j$MMP}a~V?<s@-?QLA@)~%4j?R%(
z>rlBjBDN~hlaY)k7bZ`^^?r<QpLPZeyEfl*YOHXHxtz}c*{6!EE*;<!FIZsQ@Rh&i
zMtraJ_&B;=Q@!T$<*=r8WaSD*rMZsX?i7V!oytD_{8BIB^42fpdvC0Zk#c3Fu7<PR
z{BW=4(iPiKZ&GpsmY_}B=+@v(wVSTn^!>00nC1}P9{T1uXn*^k_qb;n{+C(cyQ$~=
z1m~tt(DGXgD;PLosAg00+eY7{Nkmk;TM6I?j87%cxA_T^;1be`H$2AkhHy4Xt3T7O
zVO}Z#-T8cnLCLLCCQv{VXq6g4(R=09_a@T^?6F_JF&5t8B+A0teI7wex}cXcLo{E`
zcH9|`USmTk_c0}X2AJd0mt<_Z-6%o6z6y&qAxm(+Gf(0ETiX}R`!4W2foRpP1&;R|
zN!ZkAk4dv>R%t&9o9jf1rs2N4$fA68Iqmt<XNBW0TWDP0K$v#^?XF<t$w_$4E;e;0
z{Ia<Jx|nbD>=$OKurDUtg*$m%!BEyMUHRo#LbW68X$E+heYHmuq$#)&e_{2%_cQ5N
zsXy6dzJ1n__qYm1c**PPHXwUbFeUel6U;{={e5}IzqtWH?Q>UvG-Ncup1dEsr=*wu
z*MP*9)73q<PyK%KOO1uHC-@`lpwqrNI!^lB?mdj6?meunE)~=ZucYm>FYd&!f3-M+
z>tyvY642*f#H1FO>+gFwNT8b26-WQv9wq}iIloG!FxS82dT&^XS@hh`@`)|#mX3SK
zkvHP4KeO#q=Dl^3`3s9Uf&obm&%L=83(f(wvMILQAeys+IZ;aLCHq_+Mef}kA}p(#
zd{4e63#&|2ZP*$$b9ah2ax~n>l>~TwFDUR?v=OX8k8|^T!d~a&Qz^^OGkyhycg#pJ
z7%Ig(0%C@|Ky;&{MY3NF2AeA&c=h>ge#(;4F%vyW`xtZN$mzjay08wvstS~9yC>`Q
z<5xfc5@(kzW7z%D?ZVuHV@n_)?|44B5-LZ{;19`ss+)i<jeNNTKO^Pzef5R#_B(-g
zatcsFaW~uVCBZ?Vl{CCO-M_Rn(FTsc*3|n6so^v|mG@cnXHY7GCImj~tY;@gbP@Jq
zjxjhEot;(K*m!KRy&$fPxDLr`1})8fhu8WEhidsdfgFR8W`vWH=Sx{CH!lI&89S9o
zKzG@JM3w8@+f+GEWEu!e2*uT!HKXqht_*^Tq^!)W_&uHARfIibt$ht}cHlRN{fJC_
zv^liALH$v}%kWL_e(x$Dy{gVs_eqdz`IDj>!S@pHK{bs=AE}s09*@iG5$uD%c$`;Y
zAn~`QCc&qC{Y2726c!&rL8owI6JUm9p`oGE==r&S_^F4l*&x!819!O0%Gu2CHh)-0
zF*pwiQElS6JM<?8>{iky)Az;&%@ygs9feqzFQ>!4y*NWS<d?YiD40_LmEsDKJ)Aab
zPo)m~+&daSV8~leFxn4>ew#(FnYQ14#r$rS2&+)1j6^CvL$X-~p{eBm)L+3)3D4XU
z>XURd_DBG&AZ+IeKyRu5d=mT?9J&+*?tFv#%V!5fDBRuuWRJpqKR{^tJ_N4bnZ8IP
zMJjiKM4euT6O`Y7zwSJr_Zc-7?CmW|Nu2K>QBmXe$1ZRju1mgc!?u{n=dsuOG8x+o
z#tkf6E0ZS}=x$hwXhA**$-tH#gHOvdz&(Guu3!Bd-E$+k2qzbAlrEZ>V2<4Kf+hBE
z5nDZZ@QF(Gd)k5@iFDqi^9j%C_tA7L^?GU|6!q|%&jDmvtQztz7trYa0o{%Dtyv6V
z=XUY)-p`q^Xo|}JJk4@kN2SYBLU)=K6y$Tzf?fY#R!DpOz()vwJ=13Py3HO28@&r2
z?ceWO+R34&Bzlgj{z_5*Nj(7)XM02(Q{@QP@!obyVHKpP)3;!c=WXe!#F`wB`_Mc~
z;d{A6i<5sJX1pcSVjMYBp&ExdnK$u8S&z<!O!VnPvxf(mR6qU;VvKrn>Z8MQ`XxGF
z2U9y~MSRts=XRZ!FBraOuR2G*4&~JSu1%$6*V*ByrQut7ZY_Tl9y#wv*9S)WK|G$h
z#r}Q5YykZ!DdyaI9wm_fv$OLVPa@sJbw#NokLA3%ME+2Y+YulXRvMw#lo06~lxc!!
zyVng1%v$?nSY@|c@3nqvN(;8D$&>l)Y)`rTJ*K0xQ(L>=ITxO7Ty873wSBjImePsX
zb&~(GoS|<6MQOBi27x8_+A8$97WC;|_Rr);6iz8N!w|V(;`e*I1E%L6CUB*?A!Mi|
zCO_T%un?6ck>trmskCRhD$Eb;z=BNa24NQai+NP*^<%e7J+j&+EMQ?B**iD(WFW*y
z$ADJX3hMgB_KJ6zSZX%)%xH7=;~UT8vBj%WBv;F?%F#Z+U|!_<?Sf;8`ar0Y;Z{T?
z<8y6(hOrzF^(f!MGe)|($C5!M6psZzfdEh29i0uSApGxT@<JnXuvb9$q~YOi*mkJz
zmEB=z5>{`bXG9CCC3Bs6md8#5rMHkjuB_5mIM6%8G|UIjjU#n=+$#YRjCY569Ye?*
z`{or=pZJRH#q^MbzfVdXCt*N*UGVn)tXPf``L6Z!#q*UVj^pL!qXUSZU*?~-=lA06
zsm4V>a2yU`Hm9Fd*GTZ`X8ojk%YvDsARFB6TI6@(<j-uj{zM7#eZ}$Q>7ef`*X?(6
zo@@6mNOl#MY9Ktr9Mltrx%E7Z;CxQsCpm2=9l;@4?|ZI%cQR+6?bvD@(#-t6p_}-K
zI}3WpcojcshN3w4+n!hKB!A|{(y)`l>*OPbx+vrf6!N@**P5kRqYUvp4a2V^)#)_8
zZW+{p(0P^rPiL`C9yMx^uq<Za7<R0hq0i~td^o`D<US43t$s~&%~;cPWi>iH3b2FY
zNmvQjPmvFAP_DDWE6jd~D17NRO0mTUjq4YyjEreyCNgYOUN>r=_{CL79K##T{i&$m
z!+m<j%!`0iao`Xt<gxKGs^YeJ&=v^})je@wf9wjr=J5KiE_y2BnH51>gewIGkPN{<
zmUkZJ!0s7Plclxn)M#b<L9{2BdwOfW-#T-;e2xMb3P=EZ9(|f!K2qi?UIe`k4rBXa
zPtQpj#w%|DtkIP$R}XK`wg<a#gBy*~4sN<=!^7Y>tgl7ATMvel_SK5IJ+}!!GxoC6
zanS`n0gGs*O#R8r+ZCWyVB52AmF(Mf+58FT@ZpMh#IkX3X}FwI&NoJFUwp`%f(I!6
zmEa)CyQRs%58x8)8PDum2^bvsn`>dZ!RFi@jaJ#pyYzUOyO!(Q1i>NmQmuL&i}z-l
zichR~KO}g0ihVl#mv>PIJWIpt^Eq`K{n{T9OsBR^M|OeE@HLzGKMd@b%jgyD#`i7l
z>f>JL(9-_4)JuHfWQJ#n843p;oEKff`AV&j12yIqd?hZOYS2XgrI)v~BKyNUT`K)V
z?P?y*+`nuVy^sq^NTM0#>vP%871S3Vj?X@C5E1#AunHy@Vut2LOEq_bDPI9&4`s5k
zD7#|APXb?d(?I5XS(fDPxnzx0pgUo+5?A?2g-_cgR(T}d)Sr?taPzghG#&=pj<SH?
z=(eg<DDx#vpEC>)aPP50+0aoZ3*w8v(bI6UUAK=M#nYKHG~icoWCr>6=gcdj{f4jn
z8J`HUk3j2z((M<1-a9|wgQcmAcRd2=3yVuX4A)rE^<j^9@qjdn<fb+`7f>|7(T6Oo
zjW@t3DlF(e(YtwjkY<{l>sk0YmkS6tjeCIN%3|1udxdT2YMvb+7;v!cq{!Avh3`$+
zzf5lTNq>=mqZo$ne2|>;o^Jzy@~CXvx{R+~Dov`i&n3(ym$#2AgN7rv8oN&lilyY^
zYwx)bzb+9R#Ph;>CkrIPA6s$W3m6tTu)>~N;5|8cZ=IA1l}8M4Gkg9qu4L!&I+LlB
zJ9rOwXTjZlNk(4m(uJbYgV6JJbB&jvoh#gr&~Abx=Xbv=`<Ta1@P^+w#qXn0*4yuM
zgiK!Q?wd4na;jk%)hcWh`=bR-PODKF&CteBrtzflv8zC-{OFQQb9ax|tYWyqc#-f&
z(BTV3K}_OvAqTTuVYi37E)stz=D-fdTkoGw@zg(O+;7Aj`O|2(MC>7G(bkhw_gi$~
zKXtECj_Z;K|K$!%s!@mF);2g0)klq6aMK=MM(P(p693`0(8g5Y{U?@zGe5?O@Aha_
zqbw?k;;-AI)wEtqDsVHCa>Hp=biZ~;A7YC)LqzB3bf(~`ICR?75&?i^=A#9&zEPd!
zH$rhyMOULcxI}+Ch%ww$-Q8M8Y`*7cyNnm$Ysy*C81y@7;;Sar>2HUPcSst%<3<KW
z1!o-@Uo4E*+r~)31C@WIbc_uZ>tefc#Rt-#DrD{<uhL7}5c>Ng-G#vo>YWE5fK=fC
zHvxfvRXp91i}8bs)DZ%3`*oJL=#!B7JF*YAcCLmhI|r7Bk}iIUyijB!2j&LJ4RR76
zD*jcvfFc{3hQ&zUsAvk$naRn;B9)Zbe}fC6y<ILO;Ia11V0jg9Y7SY{oV}LWkT_;^
zNQ7%oa<cA)>ROD??s!`WDvpF6)Y<wIYu+(r<@o>=tXVQD^Uf>t<qx3y1<v`h5WUL5
z_)UDZPqEtaJN%k3EbeS}T*3}6Y_pye{auoR+23;j{YJ#bpH<3D9nWACS$Cp-XyNJE
zqfYDRg3)pNR+yOf3wBh+0dg0+co!U~!36tvyYg*h>Ay$OOeeSc%;Vil&l(6OOFoBn
z;t)WOKm%B2-hR%8bkaID;B!$Yov#pXcMr|)HMLjoxD>gcrS06>fLdKEyU4QS%REMS
zTy1JRTsG&DkX;>8og{I~G(RriuWSZKbH9uCL;dylhtKZ+17FXIeJ(kD#*I)v*{MM*
z2%_4kTKKI7=xF(^7!YS%M;+<MK83h_-NZsJGJsJXPdvQ_BXKNIqJu@=JE0lIiCRK}
zNIH;Yt)6<75(v-Vp(*^)v}F+;VdnJS((_X~mOtqG;Dehwp(Kyva<J!R9y4ZtG}tzr
zEfQ)EJYKeM?q$|Iz(1uIMN1CWbpD}nQ=c50;tF)cd#j_D&cIX_w|!bnhnCoK=Bg(o
zZFB%Pt6WOE>7!DgY|~5W`4^KA5g9)deNUx`R?}YV7!T~}=S7@BRe0SZXqLI4&tDE=
zV-}?KrTxQ<-V&P7(pDSfk-eTf``{0XEX(_ragU-nQNK!Si~;!@(TZyu!>ZW#D<P71
zfQ6-GNzV=_j@|*FGFWr!DvGi9iOKFX?>OWWs%ZOdz9?K0`{F5dcrnVeiaL$b`F#cq
z#z{P7Z4AFMx=<ND?_>*<I?(HlC12_6s7+ol=~0@#B8WKY^Eo8vuN=+(O!VQN4luIc
zcRZ~9(r=eQ_qBcH>*slQa!TgF7L}jW*xf)=cJEGvMB-b(J)j?6Cq5kBJ)~h?a%8?#
zw>d0F9PMn|5?LR)ed~TP3L-C7<8)ddtJ;4XIF)PQJ6LpL-d1B)U3uG=epGAE+<)gY
zsQD@DbUO}Rw(OG!N6aSjr@SOJE=V6Wyg=Pb*HPZk^}Q*8aDY3o80=xt1*pCDqC&6k
ziwttg0KF$6ZxF`{zgTJ&Fo6&HiMIA2XX9xl_nu6n_1bK?d$WTAK!W?8eqk|K(iX_0
zjXjWW_U?pA_K0PSa<M~ApMm0BtqQ^U6+m(%e-!3iTBk?r&=95Ap32eBPM!g}lJat)
zzU6C(n4*jSc<Ut|`uF|gzM_+X^Y3a!D@YIPRWUu+==$ldFQ&ZJT=oKIb9=rnd1b9v
zA54bNp?ynzo-PL`|GhI_>lfaFkUlQ+IlkL+pbqWv{NmndF<*>xLP7!jkf?`?uT<dp
zCbruVd#)YPA@oO~ud`lYXvw!wV8M7XPnzxkS^+^TE_m25soEGOc4|TFA4zn$nvQA#
z@P{%nUzPXt5wkaFjs;2F0`&YgE+TxqUpeE6&8h*T?bw<+w#6<f2ft;$|GqmP{G7{t
zr;K8l<Wk8K7TQzL_ryC+<ev8*Z-IYAEkFv72{;?+B^0#%j$1&K5w~gpybo_ZJkZLM
z=4~1ALD{<@hA_lC__%upCGuyX66ftCK?*oC`cIMhH!3)i;RXJgFSUVSehCIbN!#5e
z^&ZnwU%p<R>QQ6&FZjQA^<{X!5q@NC$vx;zm|8GK;_P_nKC2NBu}#h+Dc$@h3>_+&
zUMc-6<#9905|MKWgDwD+p_^v%56=s~&LIcYF_>}|{=GZ{v48ew2?o0qbE|?xP#tfw
z3XePUud5(4uO45#Dh0}Y(!&(Ex6Cew`<`hxMF06IjLrI|-d>`6c3ql*1I>&pdpBB_
z!Y3ga64?3e&Q@so{qY50X141xJ@Ug_A+StTmwWaR%Ur2OoP^;cCl}l2H11VHZ}5NL
zztU{*yiu3V*{8@UZeVzsmnjeab@auQqw6IDhI;-npy;^+8dkFktY-bOUbaG@P9MN&
zix7-RnI0o^0yEW7yCk{MkqgN6gGj*Z)PBkRM#2np&m$kt#dNtxvVt~>>r?`X%?_I}
z<+KsKoZpdC&WGC(Uc1o4+0^6HmQi+x0CGWwgtats1lc}(4z;a4YczoFToT^XZ=Vxa
z9jf)P-%<R;jwW9>Cfmp3+ox<MwNXTiN697Aw1?HJm>|b$sKfDObS<*s3;m(q5F;{-
z{Vaz<?V%Cydn|_2exj4wug-plL`p>^Ri=t2Sx!$)<<U-|{?u?r{UG}HK%`z*eUD*x
ze$on<5ry=l9Al0>E~l!_%B5SbuYTSed1!(UZ4jKXPRZ^8|8_nPNB}}gb}=EDP`N}F
zn}6=49^(wLHyNEwlD_YpydjmYJ#|{bR8(ru#)N}rExE>f871uPGM=uP@V3A>P*1Fa
zrY%%P76E)tE4lzodq2Oy;zjS6d8}n?J`~JRo!%A+HbRCF3T4MEW1*%Ax*u@Pvm%C}
zkK?hWz`!WtF(A+TP8rA{78)uz`_tZUu#OZO-R2Me0ZjaXTHB}cz!YnX2f4tp2_Hb5
z$`Jeo1-mD?v}yg)v0+vMC`U%Q>!T(K$Y%1Z-J=_&nxtvw9zr>-i!`8-2Eo)U<Sz1e
z-!$Kq)2r;Kbz&}$vA+J?&W-M+3uuWq2XiW%f!M!&xY-R)74z9<!fyIPsefcei{E|&
zZym1GNoKkgd?oX+W7y+9o>udz?6w_&F#E29shj8Gg;p}#gm4eC)*uKkSFOA+WC5Lq
zBLuNf>k_B9;Vda?r(Zru=f|6Dd&z_X=wPw8+rB<7Yo~^WU*-Y{qhjRkCPBxkdSx%+
za=i}f)dO5|lKsYa)5E?YvPB64Sv<WpcpUI8!~&*ln5E<6`TObJ;=$u`?{k2c`77e;
z>;^M^ty2BOPu$f&$K+DnGGjbk&!gNYd!E*7(OG@Z5q*_J(!9N%(?>OaliEz&=>G21
z2*sND8ZKK!e9JPsS9h9vHBaNceVLfsAM#Q^TILYQ?-9VFc_@MO82Rq&ua~)q_o?x@
zHrhP9_4}7ycP|&wuF;>7256Mh=iE|gg*{!Yh<^MSXpiEE2l|iSc|1SvSeLm8xNDlr
zmI6*tDg?1!cQACe_X>%LP!QC5mi^j*?v}1D95}IN^MoP^t=43f<$U(J>K_WUmPxWn
zFw;8h&*aKD^09-hAGsc11?<_)J&)Yi#ADc-=c6>sE(P)IOI{l*^Z?HfrSUN#K|B^b
zX!AP3Ndx-j+(9P++90q6VG_Wx>nb!ut#<k1^?aO6buhj-<X7%CfkFg3{1n1^shOh5
z8hHHMI-U+M^cCX=`8nSbDtw)WY0(l>+Q1>RVKJh^P+7CnAINmXsaPx?dS{)?dN7CY
zFUf(n37DF%=eFo95}^2p9oF_Gxd#w`+;<tSSFb?J7xHuxu4bxwvFxLcet{TKh_X7c
z)7Zthu-1NrJ#)RD?mySJ3(HU$w@cUg9$x1<6&eN&p*<vn1ZNs0Icuw9zEJ`B1~vn0
z3?Dq~n7Vl}Li+F-pK%He{J@)S-*&XDYo?<RNEUH9lP2vPKtD_puAcVVghc3*mJ%%#
z2Ayw8pQnd4e6H=129Mtp5E<m7BDfTEjLaS!YTa$L?3K*UZ@9x{<k@m|0cnXYsoTxw
zJI&SjeTsxuJv^@M2+x|}w7p&95_)hd&bN;ZSo1H@N0zOzD+mEX7okJ_K2i1$IRq>c
zCg-KwNc1WH<L`86nJcF^i(ggV``#R<#?qCgFe4&5MT_!#!Sm`uVKYg^Su8yu+5Ku<
z3>A2e24mX1L-@w0En?~C)uztiZ3g6c*;{p${lR8a<YSpq$(q!j8nL^G6kVUUlw3fF
zB7!|~UR8%^;UoT&UvznKpjaF|q^YJ;LpxGXZRH>gKZp<5bOe!-O)J_81^u&1_4Z|J
zLh!;|P1f@n6~|=XA%&0pVnRK91qMvrjx@nus)k1~AgoHX|Lc7j7A<Wr`l4C!d1NTs
zLkWz=+}bk!&;5C?eDNQtcJ@$9ed)gaI7c=W$Io8P`^0Zeu^^NA2wU~uv+<Qe)^mGQ
z&vnyx4Q_E?fl*%Wk6Y}i-(n1xyT2q!!H+L@Or5d@*?r}I9dvIY9H_0&Ly9XSF1cT@
z*Pww~USn^VRKQU=TZ1zdC*nr(LQEGcjUslg!?XwTu2~$=R5VW}JznL$RKKR7|MD=L
z7%0~64-~u~k1gqK-@2D{t&>H@DContfdmVmyL}>$UvHg7aA4niV^D^TRd-aJdw%(Z
zPk-${`Kp~^9{&4$KbF|c9~@M3N8V4g6IpR-pqg;!3|_~RJ>^N&*}xk`d%%rZ|2h1I
z-)HC_3)cr?ySA)-vaXN8nH3khj_&nmoDX9tL=IUg2>0?$3mv8kX6@XQtF1sT#Jc6S
z1j!2^nX2gmGTs$5;@%iR>b*6?xoiHweev@IACitHH20lDAb=&iR~19`6B4TR=}>ay
zLp1iRsjxBH#mP8|Av+7&lNM9QnUD9-XR~)C{0WUmnU4*J7s>upZhcg`gW)2Yc?Nmd
zbU2wmV(A_`BS>^osKjz%BD@}{^WDz%7s%}TQlkYx-$0{csM_9F`Yqz<eH=+;@e1k)
zSf1Ic_aGdSs(?3$k}LaSDl7xEiV3&=F3vuNUgP5<&lu3+Oin^PABDL-A{$xW#6Zs(
zp(AX_V5^3Tu$6-7oO_Wwc4}d8QZM&ZmMMp*&UN>2g~{IKR+$Q%I^WmdyEnl2^H+#5
zzRS!ZDY8MJ)6~w#MahpgOG}p0fnG=po@gL%4Aorez;v{XQZC3>P<60ki>CkT3%|Nl
zJ~ojp?{{vSXFt%a!tNe%cK^Zn23Us3-(X#}t?M0T08?IcyqbZS+0<6p>Syp;?{y?+
z!#?3OfoxzN%oF`D&8nK<^<O+W{ciWM-@f)^xKtOQ9$z-m>g5^k2MRseb?znHq|Y@V
zdF#DRHzX>@4;Pl7W&+;ra7Q-_<paL>v0wWR4Fsu;Z-j?bop|p&3{jU>gS>IKTv^J?
zyI_=l)KuwOza>aN8bR0A=Y}`0F9FW8{(ZQQuV&L!oDqfP<nZAqfM?HY{)msZaz6@u
zetf?&#q1x(4KSwL6_M)ZevAW<04_|pCM~pRGyJV&IpcZuq;|?W@k&N&b2mD#eckVG
z5KW(MS&p7Fyspb-q+#L3KYYrVj$O7+*KQvm+HZ37<U^(&)S)1z@;J1+bD*p!W51ig
zH(*yt1SbW<BiQlYr;i!ed{=xQo6}2};TaC{QVqR5KsM1-PR3wV(Fs-O@{ZXyL;u|%
zXw#<h!DDwnTG?%`CM#!iWPGy^bk8(y`Ib#4cbAWO%Igm5Nc`=0eP1<*5%}3u0$?J%
zXrNoIJ!Y(p6gI1>UWk4+gs!>qdg4NtKLF@kphL@&wFups_v@F%u>D?6M?7~}RY;lj
zW?vhNE&TQ#MvEdhOVcjh32}=MU#M5S7?aAO%ObwpTbH*Fmo50e&VH$Rka|>YzJ?g-
z^Y}YiGI_g`xR!DSR93wY>>bUj;&@Y&z4Fd}U^h0RqA5`ISKfm~1v!RwyMJ#Vi>TnR
z`OO6LC=W|Fj{=A8y$bu?F#!h}?=7hJrn1fYw*#Z?L?W=$gE-tLIWHyEB=;^l1rO8a
zl6uWUtVbI>o|tbNV8<($LO~Bz<#by7zIpC_KHRnX<G!<+CWT^lW=<;P+i?Ry<8xzw
z*6{_!DIX#kr(>$Zn6@$Iq<RC<I~J(RAK*=W6o|9<%H!LfO4AD`x{Y@|1-SY>)$c~X
zJZkem`6rJinfvj=ShS?fFlckp{{3}$Ph}_byUgieU(n1YFJ%&@O<sIas?v2;k!ktm
zJyACKWJDSQ?PoAwN`^>RDZHT`N`8V!(g=;c9fgpB5O-1>L>|Wthi~e0GX~&(;BRKs
zGyk%%QO57~)%lbzJYrclQLJpmoaZv(FN^Y?phJ?njNWwkXbWM)`p1T|P2#+vp)B6>
ziSG0lpPKBmgC-A6shck~f&D$RSHe<V7{F;0VZLr{6x~_2E7t6Kka}i4T3vt=pDF38
zN5x%BxgT{j;3)sd_s6>YIl9QNUo?Dfp>TVgZ!N^$5;Q)z*<;yv^MQu>2WpkY@pwKS
zUC<bVb3(%=`N#+R<`8Pj3@~Ai^^Ux?&mBCLVJ&4}%CA4jg1K`{EAbFQA;Ax9&w|Q2
zjO0Mi?5>Mq)la=w^2_amy%5o}m3XHDA|4=fxsCJ^gAu8SwO%^s>6F~-uW@^XL_&ly
z33I{$*d-RmU{Pi<O&*S*xi%QLIwi!i+3xqhW2`Up<)P#j15o|gcWWJJH7OETd62JD
zZ`#1Of&Vuqugvx?h_&)jaV?L3s{|A}E>j}rIqiS#w~Ss!C~<j`$Vew)w3dHDuFy-K
zDXxYI>9Z@s7MPTu9?zini?en9q-yn`yU7lJ9q$D+6kte|*tAgS7^LS%(iZg42MmHL
zDtMaY{L@`vrHMQ0-YPGCfU;S9*~Nw}GY;MFt185?-=*nB)cs~3g(Rw(kN>^+>^=Q_
z*C+JzP={rt<te6EL~pmlpdB6HX>-*HdDVYn^O9tj=<ujb3vNie<+kXDw-cfRNV}wO
z!!SAT6tzCA8=0=!Bh{hxsr@9#+GXGuU7in{BX0%Ei&b^Gm~K40TGrGV1_)q7yu`XR
z`E}~uPw_*eDdAni%y^;eq1F47(nOP;6c^2<lJo7eUDQ^45!ma8$46rS;B0a_ykq*O
zZ;;pb-vj@fFkR$0tKA%Bux;OT`#4eAaZg00BxBWKjyTD_To@1aym_}cs>1%6K8o|C
z1TBoVsG)c)V`urk`+?w!_l_U}#6new|LGvn<Wlu0*k)jkZKS5p{M~<FgIJt)b#swC
zO&T#qF`-n2CZJ+bH;T&=+-*gN^7YQwYx`lhdgzy`+mUar(=YcqM|XDg^Ta(Ux)%vz
z2N=GJO^W`_FT!5@+l!;7I}vpLcr35|<R|qD<9Vd+ReRs-P%`ANb$;Wevg*8ZOcR~7
z?#1^<c{G*gb<OE73bJ-6G~Q>yP}(E8ah|Bsy}_g)*uKs2HO63>i%%R4K)?I??NCo<
zwsXV0k2GhE<Dt)=_VK>Z8(|5}-c6aQ^%?k!x-b61jG~<h1lk8y4X97wJ6ad5T5rNL
z#dx~oKN~8#0+4_3>IAr{&r0rT3MB1gIi3HA(I)`Vjy`dEx#Ay*>;U{>oK7<Xgh6S(
zE^zPDo>P!-_h>)=dQ)yiu#IzK`qc$C@OwcxKoAM?XCC1Vej^BnBfRTOXfz~;nuDe(
zUf(b9%mzcsSMeN8XOuGf`|p#mXW-8x?w5uxyc}JAW*U{_N54Q)N67wl^}c(CV9Jo>
zvm~uP1mLF~mvwTOxDkU(_TlVV{$=~!xVRRk|55ia`gU?1Tu^|L<qx!$g1<Ok5BI%x
z!oCNz%bQd2aHVicSfC3_={Xd^T%vlc)Y|#by-`$W{mZQh6=QmJrFK_>AkMGU6UOy+
zg~GwQJ|H&Cs_z1Af<q@BZjk1Xt%Oz621d`rlTXHX9`D1(>7Fq~mIV_AKhJBgIcdM>
zJ35p|nSf&l$c=R{Y~<$p++p!wFywfC#4@I=5StK)7!?r0a>MqG$Re8Ha>dpoXShxh
zFYghu;F%(q&7HeU{M&+*SjOENIj?TLOgOowv3_X{DkW8}gOv@+G!T~s6m2np4AYB`
z#x=$sPS5#U{ccX79%4mKwcMh)lM_6qi(2$aC}L05jwb`9UIlj-IQSQ=xaJT^8moPq
zeS>i7jS5O*4tyN|R^fWZuUqNNhu7AIL1Ri~oXy<#hP`tFEM6eSmwi&fL%Alyd<iEA
z-|u^go0E$Ri$dM&P<dSfj}@SrO~{YXO<A@J(~Z0iePgY@?KADJTP8^{aOfJD3z!8e
zSmF&Y{UE}%?-9eK)RsL&+`~7_sjr8A9=%$!Rs~8Uwo|bi@j6?vttizkK4ntW93N^L
zZ2IJGXW>JwKZ4oEcPjT%0gyPKCy)U^NL#)a^0ysjvw!>Xjaq)Qki5Am4l;l$Zlh$q
zh7Pdtn17AH%ao-vB#BhLcv3Ut3lTCE@?a^t`jp%fYMDTciaf;hVYe*&sJ~;|o$LWI
zUoN~afAxYhB@c#eB;l%lGxlicJ4^yHT_|)P54aiDa;UC#G`5LNKUT=7d(vkD9-}Gv
zR>Nm;$`!Ye$2#qR{Qvw++m|?hsI=+xcrVVyhLP?##?#~1Rwx(US>Jp?|CQXg!&hzX
z72u&p$huvW#&y4CI8?~Xuw4wGxd<<T_y9i$;g9_4B_lXp`5Ikb29DOp((!VR%nLdM
z#~T5BW6s?NjhfajrK-J60D*saW8lxr9#D0)v+MbhKr)P|WCyP>7_)n#$TLeKqJ^h*
z+iD+J=tXFPQQ#rNOpi`FQ-i<{JbOV!-(WZM*cPg6TaE&R^R=N%Lf%C4Vl>V22p*&t
z9#1dFyj?`2p#%-<Aak;*7fk~xeAlPvG0b0!Si!3Y{BFH8onvs_#wohdxkh>KC1<Ti
zwrU)(6OZ3Rc<!->hP4mtKB?c{#e#p}uPw$m0=gdw<vc*gfFUpDfn;`7PO;syv2T7l
z1OU1P+GzsM2CM{uf^ggVb3VC9vUGj1;IdIkZ{uV}o-ThhV{d9d+B4L6(AD{(HqcpP
z4=X&V*FU-tT5+$%Xnk|PUq3mbs-gSblB+EGriJ?EEYWPMz{6^v5oK4-vX!xL%}&1)
zX6<jU%8C=8b?}s|Tyy!!01_Qn$piA+X6@w_D5%Erlq>b>qEoob?jv7qdQaBq<Y2v>
zJurxl_w)N5F{Emgg8WScPk@(Tl2N;f4l9DmpHqCohj#>nDvG$LcyP&5Z^*1HV6pNy
zn@eIut-eY1Mo(N%Udp27W4IE0Jvf2Y?x>Ws+V|@G9&be3D}lllu^*H7G$8=;91gLe
z3ENB<r@<eZyNNxd|GEnL2{bu0_jrE<Fl^ITqyVQPzdLulK+l0t%f#>n|L>)bfe#Bc
zwWv|3y}Xp)s#*xj0z5xk7H^7w=`FHDCHnpLu^WtQSR^L^Mkj3-KisKYp?)J{lHU<~
zveNQj*agU((?!IExArv{dROQDdwVai{HB8e%<rH;Gx)6TWwK9Lv-stA-X}UtW@)W6
zl=WeXfuZ+wbWl+Y`WQu9L1>CUv4LWnaP>Lr&r8#1egc`ekuc|jsu4IEG7Hyp&?4@y
zwy+S1^0=fVB%96jjl#$N4O07VRk8s8{)Ms!G_h;==0aS|)UB8NI**B7i6AP_w2rhH
zr&lh|C9OJm4qXYozJ4z76A`v>oJ)W^Z;r;JRCc!oct&5A?ud~}D&q^tgUqm5$R^$$
zdmSgQ?<jZAqW%6iU-zQ$SRW6^GJOThhrmCNREAFcmw+Ps%D5yXDGr=hK*R}W(6qjM
zU*MK&m_KJKBYwd~1D^>$9CHc))#0hn*>qRpv=UFbXdnfd-@ePjLGbu=yXC!hir+;r
zS$}kt%FUH8apf`@ZW59Vv|)I1iNi^0yYkx|pMXWix(&hXC&TXx0xTV^@a;j)Ch*OG
zIV2Tnn&#`%6<z}B9`PD8nijm2uKSC7p_@}R!7J{k1dg{|$n8~c-P;z+Q+Pd_ziF(<
z_cOhI5+k}QGLNE23Qts5n#*G*#XPQxnXNutGFnXd`w<i|&Am;!7HStqzchSw@Q|&G
zFd7bQB7Xz9@&-KoeQ>f?tB#KDZR*lX0t}1L1$rL7eDal8?2HR}xF@bIh<cnGq<=hB
zm*Bpef8z?@hqQXOUv!8>EC61<FyE`V$LsT7w%}3g+PBsZ)N?o>jG-OfIacB6nT8Zn
z{O2WxgTz6RO;K^GIArq<`wA$Q*()GXtuKTazUd=N;%)G;MH>gw8)C$Qy4Jzz`Gejo
zdtVeDDja7YwvQ}a{-n<-t=mX!+5(!@ziHlP&iho$N@Ncy86+F0XTB}*nuJMudvEY5
z`Do5Y&eDkjOHO}(_<7RQG(LaaJw5o=-5&Hbb%nwr=e<!&O8rX?qr)?wH$#I4hy2<X
zp~{rL4fVbr@S*<Hb-|Za7bnOtSXK>$>uyAcu|2MCaz29d_9_-c^8MDKt5C|3(v9{(
zwT53aPoYU)rkBTsKk-;ylC+LJT8%w|<-i?y=)S145OowG(q)hLKkl8yO#5<iY6Mj;
zv+Zy6zpWGk5&NkL2^a{Cw*=6;8`DEscajI!zV`k+(}IbX)rrd-<LRHYp99x7e1i5Q
zh4o792hFG%uJ;F8c5!@Vo}fnUIj~oaAkV`*YduUHw@)A@)WRXd?^hyz{`!^Hlov@9
zYf15RLlGAnxc^r>K5z`reeiQLejg=~Ur)T?m3<7r;F^gr$n`vM$cQqaf&Id1tfwAD
z%aug<vTlwCWz+`?^~nCS_*Z6&^xz9kAYjm+Xv1NHC=wnzYS#|mlCfd?gSyn2axsD@
z2Hrn9>Xj-3W#Ml5ku)NwOwS#2rNfT~Rc(Es&i%$`F%aqd?`{!i^M=T>XpO6<rw<iM
zy!uI7Py`{I`t<WGGwwkqecu7s(iU-oem~m-hme|t_ow`!^<7T>m=^5!l|Lii%q2g2
z#yA%T=KdxwRQx1*-B@p{mX}%f`KZ%_@0>DE@;`n8=#7ta_P!Um3$6)?r!Drs6__3*
z3>erPY>lsRz1<fZY&cTsX^osj2pe3VQf}ywF_EQrp*+`S;vvGIpp`K7(&g;rbl<K1
z_pXUD9XQ3dUOVz&p04`?PUHduMnpNP&#WJ;d%e*IszouX;fvSbSMI{k_?vvJ70R85
zM&7(T2ifje=yi^}3cFFL{Ae~R+}Evgzmr6G{-baj*Bo3uqFR+Lm%AfP$Ic+VU)~VH
zmFylL6nPen!z5w+5c|W&=M8<kSCu?O$N0DQvIt2B`^M^Du16nn<$L(v`A@^Ll+`S+
zbGbpS`pR(@x%f=<tzP$&8cwHF_Sw*jQFWc<!;j7m&3b`d`nh{_4&=>XZhX_oc23ZC
zk!7eg^1BL+c(;T^jH#Ta_O&d;QX`-H@USJLDw~zF7jd3I{6^tEHqjISt-2;Pjj864
zHO0<#07G4GL1rq~WMzNZ9PT%EgTGT?hU`O1h3=x$E_Be_#e0IaaQ~pL92y)BjKW<2
z;s#b_d9>|(pq#^#6DYr!dzaLukvPQpPY!MOEb&DrpF76RX8-$?1Ep_N0vVtzHa8_p
zd1CGCOV5AZ3AyO3cxW8zZ5Thr5$~BvC4kH8JobAx5@vL-`qjh{s-5<ICdeMiKt{d0
zpQ@rkIqAw68~pEb*DBY3Q3qcc-_3L(4o5es9vgQoL1j8Aj`9ebB;8kmyTbR9lSS@R
zlSi-pU7Ocs<tlmZWKMha3tHLY;xWL4NH%bOuaB<+@m837VyHRp@%AN(@QWp7bF*f6
z4Xr~W!8V%fgP5$ofJ3?DmjV%v9G6`j|0O_KsK30SRN*c*bQ)O@o~w6#%WUhHQI>=q
zyDXM%oeN4h9AHR!zH*0i4JJOwO?^bAT80M+Kk-)+K6P&xXPijMXyTzBhQ*=pza@cQ
z%=y9sp+&;R@}PS47rRB0yF(6vfR^SUft`|mK2q{Nr2;>9_GeFcgKLv3@x4k_DIGlF
zYn=91$qBN%b71dV1C^TK!scZ63AUmSg40eRL@?SFQU>qrQl}~)n7<uziyuT$xv;LB
zJ-!Q(dTaLa-5!5XcCnBK$WwiI)nABfA5X_kD(I@?K4y=}GL8MP9^}tM6-*deLdp$*
ziv_Dx+dr4vx{1cX)0Gb4yJk+j<`xr_yr548m&sL8$ESV@!noHTlg%sd)3Ls&kh;FJ
z^Y>mH_Xz+v|3_LsX>`>+TGL^C<GE<M&Z>y*4pL_%ci=JI(cKHvW}j@V{Ot|6Qi`8y
zqw|}##TPivoH^{(6xo#y><YKd$IW;k^8N{@;g2mhITai+e0)DB{;;l;I!A-GPn;Sy
zJI3dBTlRY@4u>tRm-BIdm%UnNO8orry?;E0fel_v0L!aVx<J9pzr;_f=O`iJh+7>E
zjx7bgOi0YQu9QR(g=#;qYU~%|Ka#GqT{$=oe<j&oW`{y4<6Tw=mCdJrZs)nKvl^$w
zfBeQh5Jaj6z7r0-7CgmtLCfsn;SB`-GBV$La#2uJQgd7?(Img;j0<?X;DvVp=F`dG
z<q%>-ulmqG^3syTxe=P_FDB7Rnsgt4omwmKuyp_p_S1f$%Npr^aO9pv@Nlf5;#UeP
zT}^HhyvsTp^jS&&yD|HC^1eSh$8ZqR;dMvV*v&%kPey#No}Zl!i%_W1d2{ktD7Gu>
z2*e@|UA&nu?5ebOaG&gfplcMFmhFx;s6-C+R<<aYfK%(zXCA;K<0QYMWUP33Z~i;(
zicAa56}(I;$Oc&o>Ouz0A<!Rp>+Y0KII4a-y#LFmI#|ReN=8U~Mt%xk+M|n-gm#3E
zK&+ne7dQ!hBW__s2Frs#OoMDeBv*Z|)2{d?hSwGBj6G!P4vHDM+`udB+#Dvev3lUE
z{82Z23GP&>Ry^kWNwJ`8dV=`QqkrHXooAc-(v{~NByD(+M%beDd0WSq80za|Pf;K4
znX!(+dazK-EFHKA)HEF5DC-6}Ygb@ssG=J0{hZz1>HcCk->cK05UQX=ZYd^W!=xFQ
z;kKDsKJ}r#`RgI*XRIUYo|a>z>~@~b@wFm8?I`Yc(#eTJjfqornCc{B{G_*T&ld4j
zzu&q!9i8e{E>_^$3GP=(svP3q{&6&=xQ54YG>Lo$d&IL(%V0n_;CqQhNH5}b>zC=C
z7&fT7QqDHFa<@WS(bPU|SKpOJ=`|EE$`iNKR)Y$9E#55~l?$8^v_-Z3vaAzhJ=nn#
zw-7OS{TQfBaFC5kH3t>y%o&w>(8%yCFOhb?4TI;+vp{svHsbk{qf(7!!O@I2k|fSA
z%|0QZakBZmJx!?&C1ZtJ<1<PbtWy<dGB)mzqB`YJM}mSB>+^KJe@f2BycP`v6Ke4B
z_l3YeOh@SUzaV6vWct!-XR_&o_WkGF;Wu8VQC~t}2>CDg*q|NI4E^kV_U%`7f^A<X
z=Icmle4LfTEx=9C!Jr~@U77wD{7~C^yBys^p5xKyzbR*IAPv6`-xbwf?#mI8($1kT
z;-M8j8OhweANO*}`jx~61YvzuN~sR>QJrnUfp|$IKo4+V6g2uJ+cOU1H@j~Tx_QDy
z1b_zy{k^FuIx(ruF-Ryxr@Ee3i7p^oH9Ndp-d9U<KABT8u>#g+l(DDA4Ph0CT=={P
z)d64ubvmLJ4I`di8CLw|)o2&p0VUKJ2E%iCs~LG~N$-xZ1&_zCz*C5Q5j`#0nam-w
z-ukU)(u<%sv+uc`ib1Gm-}kY%IbWO{-^j`4@do>Nu0b9=cWMdcq?-7)k~2}{o&O>8
z*lay)c@4g52->If`IwUj+xdGR`6w~Whj_PSV;r}eK$E6}L|%SHFE3-y-?v$A5Esh}
zLlyv78D6Hg6Z-)F<u2nfd{p^|?TG0G!%>wwj;9lppI~DdlQ_&T5-X@$t~s7B9`8)4
zR&HXFU?8BFtey>9s-pGAc+6MKFswB_bQR6@#9Yo^d!c2%MdvEL1kmCudhnVbDL}H`
z+Xob2AB7W`-}o(le<$*G0?dP&C!)J|_93?Sq7oQ(*1jslFqGHs(_I6GtkKRRpqbqp
z5S{%JY2%BzTY0G83`awyl(g8{3Lk12M#wCu#s_HV<qPZ9==nS-^r?Co@MGvL`IsE9
zG?m|!mkVscL^}=Cp{sGe`gm(jPEOvgw<My+P(o=4rqb>n-LdYO8?f{4m)JPolwby^
zi?2SS^I>ZFVu(3BDHi+JFH~&@QX#>V={Nge*i(MVjA&FG->00n8YA?XV`k>OOno|z
za-e>Xu28cT`-?Nq90kNe-6toiyxF3?T?I`2#`~4P*KQ!7a?62XlbCOVnzF)YQz?>w
z_JX2zD|bSegy-40t)>oFGj$T{7ua}yOTtb}>Uqu0W8^^D5U-O`y!L@ZWcZWVbau<t
zIjNAV3N1;N;o6q-3zuIuGspN=<LXsdPSC9xv8U)WxCP!Iiu9ZIhfaap?Sz@Ae&TAy
zqJnb-<NI-Qeyfu^EdS^1#AtSokbr+l-grGS%)-FC%8|5-tla#S8HvKN&pJA+8Nb9a
zJ`ljM-=1<aUtOc(K78mkQeoddKI)&Fym_1nNEiqp<_-HvvG+7pX)e|euEptH$JXN9
zjBvR?PaGTOKKTgCa<cj8sKT#Z7s@;BW0AjSmHrN(3f~Ys55G~KRqa%Gi$Geu+JpGJ
zm0vYv3;kkz4?q!C;8E|3uK=%?5#hNr8Tvb4Sm=_ynefM>A1LYD`*=YgBDir!4=Cvg
z{b~wo4<kbO@xC`X!76e<O5HD2>t$hUT|{@a_tKA=*IEMmz>!()`!qBvD0Sw^ZnaHY
z#`Zn;rVjro@lpK>(xZd0N9rUFF)Fk9-BkoQ-CU&>^&h5c>kCw^g4feEHBgFnMPYS-
zg7Ut0p8Vg_gn;|)#S63c{aa9yS9TCp^*KPn&e)%0EKl?$8tp^bw}q2Pt0F1ue$e+R
z`aWfAa^`-)R#20#zB+~^8`_`dYPwwZiIiW3*t(-m_QRGSrup(9ct{Pzdir}3HKadb
z+Y{lsS^<#y`zu~b;yKGyMucxzDw2f2L6L4};EKCa9>m(oAOJ{<o0^m;5?g<6wj~tt
z9NyoJt+>y-IY2&R-n{nFHq5a3^cKOZ;<CXU%7b-;f6?F0Y<RlFQC8}-W|>^9cl~DK
z=#iF2=U=t!AU&*Tm~Q9ycbmkdfA#BJWgHN7{PDJD(c-bo@8u*MObE?ZpBly}aUd6`
z4bnV#6pjK~Aeo1cK7k62efXpSYtI><6L+5&_xxf#%oRLQNF-`z_rUG1c~QWcy@~;)
z7h<v%wtWf-*|lKs%yF-<$>)Mki}qF5>?zE%#3-}O-51&^5?0<!$;q%}I(ZlR_K7?N
zfiPa-ukPYaul+B0JP{2~8*c9zJvz@(W}T8Pk9h`SMun+oml2}0dL=j~0aCYUsQHdP
zre;pk`$8=IP?^V706&%d(|wWQlz^L|a0nZcQ~nf~wbsJ{?{gnt6TYv(?X%F$u5+(m
z{G6W40#KrStzdQx$5<z8FYeH!qK3viLks7jErGvo8Ob35IO5qqM`^r!tGelm{uqZv
z_4W;ZQqx0GdDIIIyp3sK+hI6+Tsg%l-slN{F1)B02d0nE=A)EL?C}kAp00NvN}F7b
z`LZ8i374vss)>6<DYrim3EPx1RT@Qd#KZh`IZfR7jj*h!zv?YFN1=k0&izU{B@ETw
zl0vS-&}Kq*F9*?r`YsEx!lZTL=nF@%6d{WU+5St7^mDpt#)w3yd<?I>HjujKoLOt)
zX&j1g^g|_h0OU)3hg5O-XzY1A%{lNR%Lm=47;*}q0YE(%$|FktK9!itUaC1c`Z+Y7
z)QC?5keB=_)W^Pl+=|kCzy*HDFOs=dj9%3X0PK17vl2C9wS>RP%}MW+^p~~yrLR6v
ze1*sA{FaqzDEG>Y=-2e&7OEc9y1C)I57YBgbf?5XpZZmF@yUrn)R;lPfxX)I!SB!b
zDbJtecNCO`TRJWT88Ea1vwzx{dU*i_TZWDcvoFtl+@;=nJU}(?rSk0uY);6RS;xxU
zjdp4@>2g5%RZVK@L=jreK(5P>sZA9o4S0DMJiL!J+=t>9&@K!BGLQ5E`8CU4Z4-!h
zlf7E<5;WZdFFv>c^Z(Y;1Vhi34_8*-#0-UY+Oh7x$tZa0SVY&R3GET~)i8k44v(gm
zy<v>*!h4oC*hVN1p!vSe;k8cuU<S@vE%6SJ|N5!joCDGD6%;LYrtSRcP5WN-1_a&X
z;LY5^my(i40SBahWoO?xA5k?10laSG2!i3?QI@ejLaz<yUCi+phi`ldf@21@xW~PC
z0IC3|PO838|9iEnG+M+h2$O|}>TYw{glvrTcPbzVl=M}<kNqSrx6S0rmDVhogW_zi
z#NL?FMM@I!d_%DLC=z-{ANfP#USZ;!1-e^54!>*f`hM{VdUq<+6uhj!+QKaP>aGoa
z$PA8{$H|GeH#pTew3MPImP53(A0#z6U5r1S18!V+N#i-Y*f$#v*jxv{*}vzZ1De1D
z?!DO(k2_}dvMK43NpJ_RQYhQfW9e9CC_rvaZ7+ufxLh4j&YMevc01$L<%KRJ24X;!
zSfXs-*zpz2X`!GzdznITo8rFyMBfx4rQeC)E{N`&Q1=DAo^WVn=9UV9MEa;uX$zo_
z(k8K(O4jKZNp>EsU3tyw4V_lW-=S5d43>1Pfzg6YR+o3v26290owbQp{CR?`%ok4K
zi1i%aues?`$C~bznSB|@DwJl$VLnfu7Pb4~CLe(~wF0B<M^rDql=Il5I!h|Yn|-=q
zaCawzb=7%kYswI!c+bw6z4V)|sRzW%JixD{K66Q*-+caJ_d{p1vai5Oi!21=cCo^7
z5!t^P0P4Y&VC{Q5&mB^Q+r_L-bl3>Wa`D^zoM!&rw89Jges%*rHJ*%F9E0`#JTu)P
zJ3S@%S{^abRVbiR9eGUF%O}lfTln|~`md_U3^ge;If@qLbX>mk8I1`+wrRg{#@z!$
zG-qm8JX5b3r5s^)^O4wnJ*A()uv~TYzm)#4WWKf!eks5114n+5pDjm74bzU&=kmW`
z>oW@S0B$TyWIV6Uw-Aulnho{qvpMKyM&=FbD_V*)m8tZ*v2`@Wj~rih`oYzn3v@`X
z=_7bo%uT79qaBLCB=u9X$6>MG|7B*btVADrx^=l!5!Il_RV}#Q>jr(_UsIj*_BF2C
zH*ly|Rdis^9oMwKaiPGvM+F9&MpFME)qR;QE0c-l7=T)c$g{w>7oi7ueF%JF{9v2b
zf4|*zk9UNMy+a31w6r^yxzN{uj!z3seJMdXAWDV@7~@S5G6<LV&_YjyvESe-buzk`
zU;ZqPBDl}*QQdw@*~G>fSBW0ag$v&F%`arT2Vw<teb+h7X~B(8t$0J+TflzQ`-oZo
zCEdKncDGL=&?oyGDhNzs6*jRgC+-Kql|}#BlrW*Oz3*rDcea=6#Xp$HqkTm;A6mTN
zztH`Gc`QS$Fea5yr#&>;=LTNZ3leyzd{FG#>#}MjB1RDNq|?<V*Qt-aH=$MYhrCO0
z_GhfwpTItzgd7L@YRT*djFjZR@*64N1)J8QH=InySI4oWZiSETv592;d!l;1dboIr
zdI}E!jhK^O9D4V@-qkw%)#`E%4ucA^#8_TYz1Wwm@;W=w#W~RDAwJMgD72JVfAE;x
zAK7Cc%dqHZw|M}UUsaQW3GOnV*eiR`uZLlpsRmle0cpO`YJHuamO;PT&-NJ0^A9Td
z{Igr<gB0}k<6I6JAaAdux%^C-st@y*np0iA=6v=WLN(+e*&E)r71~`tN{Bu03$ex<
z$?HLPBw3!l57u6AfoRZ>Y^gc9!3nD}kv|rXugz+8=%4x+g(onmpMG^y6N)K~ema8G
z)=angBcNJf5AeA~Wy{;o_$wEV9A}hv6F%H0lo~fs+iNqV#Ap6CPXo<Mke*sBGYD&M
ze$)w(L1mTq*WV483j(ql@uNK7>hyxs1rsX#aP|ZiaP(ESvAQ_q`>~Li?U3Bik5}>w
z!h6QNEn~Wu5I}eZ{Aqk5w}n|ZZC-z2`}vG)q{ZAj*T1w7kYVq#;&sRm>Nr6O6iOX9
zp^%6_z(WKDLD)=QL?~5_hlrV`zD+fn(K46z4(}GQk(q0W?k$qtCPPz?Hpb`FLTvxd
zJvYG{r!s6u&b_hT$B3UW!49;r_Wd_SWx8|*PEB*(aX(LFMV$G!iclAs_bMiNlLfD(
zmwms!UQHJscftU7$tMkvN2bvJSzW)5AC@PPqi@G7JMVEg-@XpPzRW-Crv{erd{|~1
z_-uv7eL!|4>rl}W;J#kQ&^hiK7;3yyWOt~bPN?bFe~5i*Q(%AKVU?eHelOs8!*@-x
zT+h~3$j=Gj2j8#jl$d+!)*>*(@5>%dtdwxkfWh8p*Itcu7h|y%9u>tjfEeb3`wG}h
zMP`6R{vo#!eCsRBT1Ys{`OF@>^UUzq4#1x`d^;5yg8RqO-Tm^?@UTrUWf}rTUJ(|x
z4te6hvvEJv*Ibm!UQjx<`d)4=Z^wrL%<cP_`SHc;kNrn|92CfsPQxAs(L%u&`v>R%
zTcgk9Z?xoSmqt(@4Us7ai)uHbeSK#bl``r`dDU9M-8Lx%J-#khABw+(`w7CUe~H&v
zb@ijetk7|QzvT9H-W-EHUV(?@UJy9E>qo^Nwbg>*UGrGC>$1Eg*NQMh|1SbVZ4fu6
zxj_1LyYvBxy`T7{LnED`D{Qa^c*ymWEL3?;l@0yc$T@YQ^S+Qa60Efhp+WgVi2D*^
z_bz1(&A=@TA7$eS@Z5k+ILFU~4tUw*$l5_T;d#F^yRig=Dg<%}eP5&ql{J)o{4pU_
zMFY=5#7rhb&7<I4pXGxd@t}OUQ13_j>&L$(&S9|jGY|H2bo7*GxwLcEGCqP}CR;jb
zcMd{pQ4Lg}=dqJ)-<Cd=*==^UvMC<M^~dzBS9=9C1|K)=p_l7jn|)@_EIyOvV!sNE
z=mq=vvEVe}(IICz!~e)`MVC7OXrT_x`DrP2Px5_UA=kwnEcYGQ<R!?kDL8GV|E_Xa
z&B(%JZPcW}`GP(!2fMPuq0inBkz-+|W_7%N`OxPX9<mL0`GJAF?<gIlFYnpClYjiy
z&m3?oP+&b1uSlg1{dXMhP~{{y)Qlr$-eb=t7$9lFKoW7+u2msvYY;&b-1=5MU*yv(
ziks*roP;I(y42NjIdr8Wm*5~;;J?6Su*+F^Ys-aYfTr{KRMTz+;P<O}(na-oS3bjM
z*=l837C`RR@_Eq@_m}4DSYz(iVQ$*Z`xW+GL0R~9naA9GPfyh5sFO!RSYwZ_)RTB=
z2qn()qjd!0m@#9j3LN6H?FBcm@4=VGb~5&deTLu^;O7&b38fq{j8_KETl_1+Yg%qI
zhPZYRi%WTEoGx8kBIJhfMSkL};MPFo;&94mhzvcs#7b-<%gKb=0^&JII}=F+bQyh<
zeEj3*IN^2PBl}~YkNYyh*gBgFo$kf&wV||qp`y3I;n`e2%o*&P?><dNwN@9>w`ciI
zecL>Z`fm=soHZA1?|XY*Z_$+11-(waoUaJ?_RkXq$@&45?hJ-N5~Sz*D_?1VX)-Ub
zT*rj(JKLsKHSB?dOu+Av{6ikvA(qfxj!EQ~QIkOFk4YJ>CL+~&%H7A(IO^f%CbcLT
z+?Ezc$~-qW3&sAd*ZrS!hUom;)nT_w&(`Gui_NH5FU0qCxH8H@g1r8+ys%9otTPbW
z{uKw0{ob(fske{JeoC7}JORP=6Zet|N+-FqwU}=Bn4nd4B)BFt`S(3%PovH?_X}a!
zfCqoa&%8;CaLzCS%=^B$zNYb%6epsyHr3tFb2M?_Pn<aTeFMbpN<3qx;G`h^S`M52
zqt@Srvl7Q`@$r&d3G5Z9+|>2sY33myLN?ZwHCl>Gp9wBu9g~WUH~vJDDXgLZLh7la
zG<f^RNY_IrKzXb-I~jDzZdKJ101^chuJ4cW3~U_J_EBa{*S7268COhX_nG;1w`U99
z>yTWPlhN|V2ZaXsegdPpm#SIc_{Abrp&^5ZXozyPTWy`p`19Wr`pi-}zZpIy^!&h7
zSEx|EmTJ@>I-E=}Rimek6Ws0b+9z+>+9MT&D*zz+>AP~x!rn;0O>xb;hIGeg1N+Vc
z1?Uyf59y(>rh=?dki36fM}{{?e)tp8z|$KhN9a?_Z@`hIC|vfnKsSu|U5xtK3bQ}+
zywS=T^~hd+Kgnaw1n>U&B3tmx{FO@fQ9T-d)qACpJ-tG^CsB$*v>?Z{8OHt3;2&4o
z*2i#rL&}te%S!tW7v)B~ui>zl{L<WPElZckaf7I-@!LZK+j(7#G(DOh8zxRIq)Njd
zdVUX{{;Q}tfrD(C*|Vd4H+5;d@c4LsIWbol%>JUF*igqgv6ej@F2eSv2~a`T8tSx1
z2+R^@6uazsclxBV<JmR%X>V@8!7OLtSDv%j>YyuJK{O-`sma_gE$_5k@n=i1|6e9R
z&?{<*FU>c0<()XkQsgNMWWL>F?HkR{g1NZBkHG?xgSE0CPstBT^$(le3uTnKuPiO-
zBJ17y9eYP=J~_HbBIFF^Jx1a8$Hn(6$JzA-qyG&%@QoMl&+C1XLxt%(i`Bf-UJ?4t
zV<{)Yz#Fe<j^NIxhq$bcbA+<uU8xJ;z|3G@Qx=)J)L)5N+`^^^=KX1yhcmBkai(9F
zDV>1QLzXN<2OlAzcr~rPD4%M6jjmlyEF2BVsQuGZ+rzyM1hbNtZ@qku_PxAKe-+&Q
zqAausDO1K9-o9?vWeUI8XYyi(YnIB5c?Ku~RIW<_vR5HS(|NBYilBd#QVcxZ{7_d0
z$)f#^hX)?mMip_EG}XDzUL@miuOEv58*U*uS*V@We0&{74|LWK;%t%B-*6J#&m*<&
z*1~FA4Jz{?#{+zn=poRH>oiC$1q;H~aF}ANU)D=z4?p@oqk+XNtA<qy|0lEWWA6Om
zF_xz1m>E2DUbQh1!}!xVcpUF=7kh&{K}UbiPswyI?3Y2v%^pU0wZ@rzpSbdO&qGy7
zaJ0i9lFjmwpDs9H6hm>MH-bUw(p-L2nd_lwiKfT@9&XBguN#&pjlSfCDj0hr`g;hE
z*ay{R4@txQgK?R94s@i9kxTvId>Xpf_|1aL_B?FAKfx8Oj6oNcuSsO4ih6Ao7w$9M
zVi9cE1piqG`NSGduSatpHpaHnY!tkvYe6@srF!x>WT+>;=~1!<(%`=9QmV=QLBvqR
zdV#Dd`kT}dP%^a6WO`oF%w`UV-3B`$9uE^l;E@a&XEWfJDZPY9wb3}B^XzdE+<`QI
z9fdvp_}kuOFwid@#)9<uIwF=9xgX&z;U6y<JQt_)9j@Z`yuj77_cTG)xCl7as~_C!
zAWx90kaIBg_Gx3nwh!Gj2cJ{?P_4i%#X#-*2X61{@R|mr#N`|fao7`Ji(tVMkKeo}
z80r;#wf2a5E*vnr6!AggwHvjsxUc)`D|EbbzBqflPEjxaxNRnnzXyuqmopRq$=4B*
z|HAFBoGCqh@x#7Gc66`zJmN_Ga3=lhOaxjGhqTET`vLVAYIK8-v1Ei95tnq+?dl6M
zs>FC%G}urI^}s0@Co7K9VS4)einaO$=f1<f9}jyKEYXktB_iNKpaPJ~eB=ed9?`pS
z#8h*4HgyB_bo8%a(Ye_|t9<3b@>+iR8E~2luarN$q>V*!51+X1CgHHupfu;bRIyRC
z3>P67O^mWJpF8huV0@LiIruHw=lchEU%|%384{UV7rlyJUn+64?VEa)G%vj!L^?t8
zVzi_1O_NC1VJ-<-jOzoH9#K1=9z6L`g-^&`-5@;;1s@Eec~^MBZjGC05=^X{;4>wX
zY3>(POU0OO9+L1mH)9PvH;58R3uhKE$i`535;2{Z;;p;UXMWVOGvz@Y;Kw+Gg-^9F
zCd;TNPdKu$TF$9?Ti)bpiRhX2kVaFv!|g^HVh*c6rxyvhjTHh$`-yN9qRiCRljm9F
zY1ZCK;D>vT;LDOXI)(GDYfHt?NnkCxa=yAO7v$x}NFg+laui%@*B&9ie%c(P@EkO8
zvDo{>MdU+Cc&bSSyw}atl6@&(c-e03l>ca6Zao`58?Ri9`#~6xwEA_?T43Rr6h<M5
z(=FCZ1@W~@`QlA<T`1garw_?I%BW-TUKp?5@vDuU2p@tEUUp(9r~=(8g!3o+vO_vl
zU!vk3#sBIIe}LEKyiT9i<T9f}EfwbioSsu(?rCi?jqT_6rs4WN`<*6!XwP8lYgBz9
ztS9ZUN5!z`W2HVQ;`fwCNNA&geuycFV2AkiiMX{`Klhcr!6^_`zx=LQk`j&Sg?-Ay
zW7h8F_F|1Vnvo=}vG6-OcC~#}juz`MU*XNPUcN7wUGw|$Yu8lYPFM#;XhZyvpxQE6
zn~*iZJ%27vqPNKz$+vws!FMVujCtU7j^p;ILB-DKP5Y>YsV>h%92AChkv8ED$G+@H
zF9YP}BIK6v)Egjo8`NT*PcQ?I;q7z&57sLExc&@&AfBT=#2fzy2e^|j7v39;?d=Cr
zFUzzKTkvQ1oHaVM5o8*r&w6eclY~MftW8NpUvtH4F>6(H74zwH(vNa^wW@>O#HY89
zZXk#i+Z+b|+L5l*WR;sXjs#QkraPZ$nA6-<;7IMmaD;Gqb;_tG*&55CP%G|?jfjvu
zP)6(XgC@`00OB2(VFr*#)8u}u-tPkNN5=5GeQp~{g$3Af_T|Z+-=*-7e#ZxRh|K$!
zmLv-;czl?rAQ$q?nl`6EwQCCn{zxbR@w!_kd3doUmB2xkR8Xk6d~K(2e|gqP(q5|F
zie??Du`@2YV8OZ^au8cGs$2*vl<Q*9(tJ3a+0~);Hqw6XFPAZrI{CaW-0yWJwTVRr
z*!n*A(GJa>ipAbjS@S`bVu@iK7Ard$hYwsyz8me|^i>fCr%BIWzFubs;-ZJGk)Om}
z%by>}ONHCfW_~DN4a}NQim5a{$o=rq#o7tUFW`y7VV2&X)`qA;$fr0eU84POiakJN
z^cACZ3HOn&c3<Cdb3oY?A-$i~a6(n|2RWoib1?k(adS|;!lo{Q%~2W}9KF)%Al;wh
z&qbs~!xzGi!Rg-vm>__3z{AzMM%r}$E09cd*2oWEdXp@N6*QrkdD47|;Sq#^B#tu^
z`uK4vEe9x`v^eR)00?HwH)GN-EEoqHg!tb*_@~46hEXXATel?vrenMy))q%|h8Rga
zLTBSEsx2)m$M#YtXGerWGG16W`~RXm`gNeWbM*i*e^6S@dciLPBE_h4Un279q|;bc
z-%T!k2(AQ~BsKOBMlm13fz}|cyo+HAZbORjX572F<xwiSLEj5U@Y}ah2KmOmf0NsH
zzlkq;pXbKnOr=Jhc!ZszKg>6{^@MT!#OD^H{K|c80omd{*}f~a&qWK~@A$=#fAf5Q
z#Wnq6I;;G?j|=hC<ol}eM>Tty_-n5<5L)K&@6qWw&#o>Jbkqfi7G8*8@6CxBo6k~~
z2YBM>QPdX~EG65CWFVu`Wc&3mnXj)NK7Kc>?T!G1A^GuwxDJ1LOs8%Swy4<Y$w26x
zLD{L8R{qQ}F|)rv?_y(8Q5}2{j61tmM)*4_{}(4$1A(l%f`0PRwBw{Z)Jj88$m_&$
zHcn=Oj|j$i>Sz9X^4e==-5+}9Q9C(a%~Loom9r#5oKil7$32LgHsa9^nr?H!3gsJl
zkM>=0)U*c-t}yuakc0_R@<*Li{X37#xr4s~WE$v2Btk>^K|32Xwuh=v9N3r$08tbZ
zg}~Em?NLBzE&D~Q$wCwQo?e}}C8VDdim*=H!r4z3R12ZGWm_<C$zPxAcxHQXhr;jj
z2I_u^ym6~>8{`mjMKI&QKIV}b+tJbT2h?D;?d2XHYaH0Xog8{4%$lM45n`=4NRWle
zd>0K%8bNjH>11Tc?MI*CQmxSMyWZZSmTnbytlH(MZ*^r7+<1(areRLN6ZXOpnx_Mq
zsRSF}P4>WQ->1ec-p%4cKrR<^$FZoDMmxuM|AF9^MdCOT$g$4C7nv8fqv8Y<_d+-U
zq<ljvE)Ql;A1VftUY##ozGgxV8UDiOB}>p1rccrs<!c}5tDgvaSc$KOeW?IEp$>62
z^Y+uhQ7IGScwZ1n!WOLOy#(U#Pp(|v!#_tHJ|HU9o=%<_zz*&~BtoRtJHryRUA0T)
zdv>}%F$O+$77~RMqo#+;QQeF`<(?dJ>5{1N!m~>?0Z6&8AJRxy#UZtP`2O(O>255s
z@#x$8`puW277j0ztZWDD$8Q~pr>NVc99Ot9%<7IcEel+bkoMqEJ_;v$ERC-}e{}8v
zFG@L-0$~gJ&%{8tb{JI04&zQaS+9d0^A@5sh=|5S>+O@$H#zUv{DIV-RlnG@MF_W3
z0*=JlQ~oB21ci#_!!$}u0TJ<pQi{GW0sFMWD<um{>=910IlQ*eZ*@#AkK%}Wxo$AU
zDeiZuoXS?dvM(m|_~(-}XUPwjNUgKOzN*$;qUTW+aD*oC>*3gpZvsL9x6l{1?AFU7
zKc(+|WaRix&yb_TCZQT*n)BuQfO~6pa;G69>FcjJCgPetgnfCa4ypc9M~mD4&A9}B
z0;s@l&FTOlgsSlE3=VR?+u^t*H7J1r!{0kaf9NreH1hd1hIJ4m(DL$gp}Zc^u(XCk
zdz<3ZchQ$lu*O`2LZ#byD;#2d{vn)M-ulcA%U%b2eT!?P<+=$Gvipp(A0-@Mbi1!R
z%u(fU+wUd(Ayi(Jd3r<k`MdANYRzOWOk%Fhtc`AWBQNnyhBmsYd*Uu#jjlqTjXz7V
zJL}bXlbAoh__qvxX^X`mN*S-il+VFs7ByG_B=VOy&gcBuZ>J;IPp=Vg4^#E#s7Y7p
zz}Ct~v-&QP4{q><5|$e-LOenws2-$uXDQ0;{p@N2q`_xM`=_-|cH?d~fIR8MamSaf
z)ck2xoHTsd5A)NXK56Zl$5-pQ%ZY;Jz|>mZ<I<Vtdz(+c#E4UOp<NsV4x0YR@51fs
z^Wm7=Z^v<}nwTl4EuOjab+bJ({)!_Q*bcB5MzQ5cex7gqW7{pif|it&aWL->hc98U
z5Ix22r5X?n9*N*BfByCbP^hF9btahY?xWp|Cy3_s0Z7}VF<)gRe!f>LWc&C;z3qL7
z`I+}bZ~fXH`xYDcv?6lP+9zZ$^xyIKaqU`v>KM`@xk-9XQ=+-Dv7d|kcIN;+FtMm8
zVSyP)^yfi|{(L(&@}hGdrQaJKfkz{3%^H8|?z!$KEOrr*Eyn}H^!Eu_^!JF&-qVDm
ze@1GaZ=hv*J>=L(6crxQZ2_bt+5<J^zR%<N2hXHl^0#k#aC-J3DM@~%kf%T@a{j$j
z0@=utu&Eei-%nBAKMcG!m_}tYU@8Xe#_veE+52vQJ~ek^W(`B0dFErsjrRS`oStYg
z;c_w(Y|K92<w!n~hx1zT*5=ZdiuL_v62Uwf#qk^X^<91pxL5N=7(}O&aqGj?SI>%3
z!4+30``M^L+M5<}N}6b2HSi^$eFVI!$NfbP(e(Rem$`@ltzI2~eeSuup+|UKgi#rN
zzkIK0i-Dnv^*Q&ceH68)pXl8Gus+O*kv0KD7Tm3+=f^I&E#`b+*Wu`Inadmln!r#K
z^86B8(vg1b;f5ToHeVk=kJhNyO)iIT!<w|Du2(xhN_#wdTg;R*75L=9FyN0asEX8U
zya%@0)g&`p+Gl~1@5{&5=i2T`)Z$B(wi1(MlfUmd65##|DfQhaC<sNL&3Yd~Q42dT
z;m(S~E#_#04WBR-hd2oy!uU60Q2S_9X>b$GW%L-|@T7ADWpLpmQG_g{PdVi?UFLl{
zQRV4QUya9~OVN6<R1&yIExZ9|d9{o2?U0~@?PR=HKV18bN5jJ7)Zus-5dey83nd-*
zrz~ee!rFxeP%SWyMW?{HR-Zs+t~pA$`(j;yzSg_DWGz(L@M8e==H~Trg44yEyJ3dS
z(RgQ3=M^D4%;a2sGwj#4_x(YlVu|~58!Fg%FYt!74St8+s9`b7J5C)>K^%9Yd2jrn
zJ+MbCK84aMy!UG8jMC6@NkBX<+hMJ9>tx|}0qZ9Z074yV!9RJiT>EpaPz>$xS_fJ2
zx)T$y7t*+k#*>v&60G#BzwWUcltg7LN_O@oI6a=D9P%Csrj`iQa~smPYjE0YVFqxt
zA6)bY-y9%FBwsIwR{sk>@n9Z_`!swUra=jqOAJ#S+-zZdyZ?HnK{;V^iOp@Hx%**w
z($cO8rHT;@rQ=(mZFkfdmfGD<PD?*(xYNUkg2xUZ+E)EqhoZ{mR&O768dz}g!qd*@
zad<XqNN4IyXvT59gy%Og{rH3M^wSng)Z+v~q4J8O=C<chswM8nFdwE?^pw>P{feJ`
zt9E}IeK$i+cs}Yz|MUm>##EOtbXBG_c*MI*n;1Wiej`AB9iWSAqo5|Ev{^7lz$Te$
z6%X=a9zX)bo7{i*deCj+E!;TDe3sWgJ*H^~7-N!({S}+|8CepZ`nx*YPvuAG58;su
zlA-JB%;q_y)RG9RN<PAX^F`nPFA(DGO8z;zFWD62R5=RyUwZ-*XpcYIuMR7k)$~f3
zXABW#N)QCnOxkL5o(;(TS(`7su}AJ}#frhMuCJWSx3jnEFa9qZLMy6{=q|1T8n~Du
z&;^(%E@K|)6)b)c*Qt7!O!$Sbqwqv#p^hIO7elR^@CN~-3+m6}J^o09dA|GCj5vs}
zKD<=-W<8pTtGf-veB2gNGqJ)$Uq=>rPQ9FZ1Srt#lDi`Lbv6Bn3MVIA(a$O3p_uX!
zaJy+jhwNZmA2cOR8}xNylb5R)atmAv-}C+QsWxDwV1kh&S2E5-vL7v<SgTf))tT{!
z=CI$T46@I5f_JQk@dNo!N`NNTU`|Uy=sVKW=QD`eJPkHRp{RG&cQ9X$xd?RY485*?
zI5F}A`g`g^ka4N)TilXP$&=h})M3nH4IVHQni(d<^PsE*4RM^132!X+<yzEfEz+M4
z8DO#Q_p!)d{xlb<XM166Ft%~m`Ij7ySLV27&pHBWV+<<>s-wO>|DZODC&*>#IT2R)
zeb8*E3S5qvNFSc<TEQ4=-I3~G`z{Ywl!1l1QT_9+AEy_nlhXi#=K&@v>bpDfeFwZ2
zj28}Uv0u^)b8ZfKbu?85uiFL!=CjH_KAc9ksa{%Trdv9FTa`#udRy<}JDyg}t%;pO
zJo5(#%<e0gIOiHOUID<y-PsD~-14lTi3HV}<`-HC#=VFGSF1Kc*NmBE%nMNAtG6G4
z(opEun>rOgJjuC3!B)xJpzHP+_F4jgY)kv9f?C=cydzp)$e(w1l!kjCU=i2$aL*y_
z9QyGY#VjkyLtBj;$Vi3hclqvXX#92kQyhaE0FyY}&b&qO1!>_Mf8kCcivGiI{?wbx
zbf@}yI_v$nG{|ebFKwpkxz2AA)?<qNn$d7TP)1&V67YJ&+c|5Ag2JR->caye@bQ)-
z12=!R6^3hMCHM6?5LTzupZ+oVTe1n`%EL4$<b$Fm4VoSGV|#@E_)(GQr8An-=YI-V
zUTyLF-rzYE?ic^r2{3Fg0JP94Wv5PyDf`<lIuLS`?7QsJ?1tW@tNmaio)zsRIA4C^
z^?hBnnxm30Im*vDS}c_l0>=YIIaW)d>=*#WDcPN@nKOeeOJ&ONuV_(6B#5ftCe0^+
zXF-N-ja3d=*m_WHr7xg*1kp9M4Vc5cKS0-AIHpHteuY0u3g`vxg93Oi{9FnTLiQ<w
zptDEu?Ul!B!c|tYdv@&H73MLyF)n1s740Joruk1P-SJUZzQpD93EBfh`NC1YTnVz#
z@M%;4^$94<_?UvCWLhPO<1q;O$Q)Y<o<gHZLZs@fAyFsetafv7l&kI35-j>G`D<g!
z<F}FoYUV#p>@CKzjbmOXg6u|tK<QO2SD)P>%Yp-hvXxf9%Iu#A3N;i0p!V4~NbW&3
zGskaDNcoofH#xtf^Z^?fyF-h^WH0l&xbb5jcijVS>p#RLv%=~y`rKReq8-9;5j|+d
z(8hT`6~HfK*oE*=2Y&XMA;$-t@JeX>jc0k{?$P%P|BcMALPH9Eiukqq1DOA9dDvIr
zA-(d(!Wihdp!!Nfh-lw>k9<|%$G0hcXIOS4`TzjSZLZoAHALy!K_eNA+kJT|ByF;O
z?wvgBvr}bLolb1zM=C_20;o`QS)4kyf*1_U<$W}LjoV@e8sU0aJw$~!diEL48*0>K
z^%`ffW>@pGv6+^fZwmWH*hZwEmsXkGPAlrdx11vb1dL62t5I&ib>VYtDU+p8F?sAk
z6|}?XG=qZ~5G7<Unct4UCsL;wF!JcDdq?pu{C>}i53V(_kZ!3WDnmONteMw*fO;Yc
zzLdPjkU~NX^D99GM~V#?0cKekEDN)hMg9;hr6g37r>o=Y)#RO#Uc~+(7w@$}vXgLS
zVJ?$Fm9DSImlb$g<0}7#AEdSMtf%@_*dHe({G+<ss9+BK7=H=nyuIWj^)n0eA{xCr
z-yZNlUCb;PWC5z=$=xCRi%M$Q5+5G|%9Kt26V~A=Y<3MkKUIr?z7nS&afCP3wMSjK
zeFaa~UX<zmajXS&Su2J6#*MMyR1?oi*9R2b{j$owyO!gEO@PG@A05Z|!m=!$`YbgU
z7_Q2*LF<>>iM(jwi8`Fj2tp&w-Be`<4;W+gJud;gr$DSPa2~|GqW1PSUgz?L1XKoo
zPk=^l2dULbt%jdxllqAVhjqVXIlk$7ze;%?$M}UW%46{}1^yl{V{U6rXUCx9pcX_K
zPdEO~_j1vs{6d5OvoXR+k+u)*o8cKe2yui3-ch>T_ma}rwWIznYzoUJH}6G9wR$Pe
zBY)%iXAD=fw0`YFH~1~RYLeTwx%D?D!Y43+Ul~OV(U-!Fh(P5J=$=Axf*e!tNGT`{
zT#3Fj&^)^V696v-`LRL>1d)<j&#!)y&Qxp0ds2#JT_xz)`Fs-=mLfV#)0<3sVPN((
zK;*wKXSgJ1)7;i>{tAy-D}9}t=NGBEn9#rn-T7{GgpZy3H8{kX?#|CsZz!^sGnNm=
z`$)dXhu80M0Nx!x<D$VjMUc2f_QY<BD!$m%)|jKEaLkkLZ-cr;Fxxol5CBKV&zwKE
zycJfLDYVS)!Hy&y#?AEJxAhl7m~jV<gQ<A5=+jMiypT>o_gao7MZ%=sR4z}gU2bPD
zKQ;7gvcrvb=;6U~R$qlp{YLg_q5FjPMqr+n-#+!Z1y}R^?5~s7qds6kI&~L2+&=@A
zuO&h8rLgrdonI2L)}>8Ta_V?yC_BxNo2Y=4PgFu$)TbZdCEqNtGM!GBr}84oV!0fK
zV3wXaV!{ooJlDF*_+Iy5-hqD|cDzCgJrMN1t?4Qp3JGtzACqN@SJEbnXQ*GI+p+|)
zRM9U#nZn8Jp;A-~Ma*gZIh2j2O(3|iFM)$){a$}jS>6%|mfz#m9O;@VP_`<Mo3_5m
zuP@@0CRxKBsy!6JRn4!@?4ydJciIQ(1ttW!I&#uC&dh-k>*t}I*c0bz(W?T)lvSQ%
z__!pHWxSs(B72oDTDaZ6#u7c>m8|Nlzi;zJ{5V-pLAsno>-93ZSm&ww2U8gKD2w(b
zYZ%JCPqnQoOmb_uN`nE%&5kxDs-9BwH6YKkJfft7BqRgWr5;G6=?;F}kIcR+_|mJ^
z84Izgy5|9Zf!iYLWys<Ls%v%eY_Yp-jl0Kq&+D$<4fhD0zdNTt{PLfOczT%<n4=94
zyV>9lgc7V;`B)Mny9TWq9KZeL_d9dyuWh-96R5Qdculp5u`P-md7aGQQ04iqb;8c6
z@M#y+$&Vs*ylcgMxI!Mv<ey1Bo*sKNqK#~iAXONgYn+?r79hb%ccs$nWPHZpz(mt@
zv4p;%@b2Pju|K&t+xNlU|EvCXEm0q`U%wUaIVa8}KVbD;GAv9fN8q?t>-<Cna~Xg3
zun&o((JW(y?Te&7#1v#!e}f+4A_ja|#L+z>?)0nKe!lfOj-xasvu_F}<d(*gi30yd
z9N$(9iJj`_l=J}M*x7DsuN_#3*?_4y*U#lqa(PA6+ktefpAV*1gZ@W(WytfMFvej)
zNEe2)W+5yS=jY`e=9StbF{+)XVF^;_Iky7nk(T}_(Zbm9;XJ^aJZae#?i>CQ`*y#_
z&-YS(3~wX1FZ&432|{`D_UA(xw)K41DFH3cMJrdR!1zZ74b%BKbgfLhClna>eHxxi
zlTqIGvs%xZ?ZC#5ePvs9NhCfEZ^!Q;ExGY>cpOx%cmgREU5jVdawQ!-S`xgejA`J9
z%W|kjiYEz?%=%=9Ej+xNecqVW^o7d$T-Bg#5rD!HLk!*c;R%->yt{cfP;|&D)R^S(
zoK)dfvQ(W_>Lrs^=e_r>h)ZT4`P?_7-9b(CcQadO@KD~q6ILc2tj|?#=M!eFdR4Yt
zrApR1e7lBVzCeXYfPn2MJi#_5?$8_ON9!MwkFIg`z(`Qxg!*tf7;=5p-#B~96vISj
ze{w=Cb*1eCoj8nCT^_zDmZ;Co`+D22NDkF0;2+`-iW<)Fxi|S9Tof5#PBM}f6`lYp
zyfpFG<5~W0nhs>LwLu8KzW{xjJk9S@EWA261(Qm@uF7XA(L!)Obt{2{elpJU%ZGR_
z%whJB(xjoc&3}eqD4npHaIsXuiQ=n1f(qSUui}3B4%ZVd=q_KRz5%9t@^^YX-sQ_4
z)ZxBRDVcZMBb<3B@5M6;+jJEmxAxcC4ic;pBHmi1iFyER*nR@{Tz!J`pOhH$jBx7J
zIds18ZYi!Ka29S=A4kezwwDOJM9a=+r+0dJ0~4+9NE3rmwaN`|%|NR^!!4Q!?Tv)X
zL!8_g3J9nXcS`h=37iSr+!@k6P$Cc?u#D8tjc{8UuKO}fK4%ao{(yrNK$I^YpCopS
z?xqv$o37<?`9)g=^Ji!LAu=p}k}N`vv(v!XLtRO{a_lYJhj~v-Da0eX^UV5yng;70
z10n31ZPN9QKeD(-Pf|E4r=&IvJd~EN&JILcNN-2+V*-q9ePj_<E8r+IB!4e^aL|v3
z7eIu{3CO&M)>-S4xP@{pDfMC}gTBV{K4Rb^fu<}+RjR?ltMd7<Qj|SzmPUNdcc(J#
zJBZ=oP`K=2t{1NrZ<}<Gvwb<o*Co7qZ>g50%R|%*Fh-gWDKl3t4M(AKv)f^`)GsI-
zP{ao%X(@F?SctU#1gKX3J~gyq>Y&uSo5B&WAuTpP0oM<&Jh?GNL%6xi8dO*ff@2Q0
zfBms97OgJ*9U^{*&705%kL<uRDW!{6Zz=u@T6iC7Bmmra3{vl9W1_13`-J}02OtuB
zU^Wy4$nTScsK01$;wq!K@?Qw4=o=Y667t~Wu!5i@84!yKzKKlrK2zJG+kL0gR6{>2
zQs?=f@Bv%qM2@fy?OHme?qTa38|)Ai9~HcVl4x&@nY=xIkHgTN)&zCXiv*ig{ycq8
z`p_25z}+ma)tt^PWkGOj5RznWp4bvwv1*<5ZjvaNeqNVfysr`UKGhD!bF;AB0Y~^a
zKNHx4{t@gI31UK(M*$I$Qe@jYP@pVsV<USVwiI69$JpVy2QQs2B|myPd&Coc(&P#>
z8&SGRwEV^~c-INi4~ud^8OcA!xtw0t=jAx>duKd9fU_Wx_rhWFXY1Q)TxQ!w;05ww
zoO7@VgH=`lN&KgkM8|im!kVr<!&dA8Ar|WZ^nnOY6n|D)^ZnlQqvS?Hym8Vo{2$JD
zQ;oEG<lm@K&d^3&_Tgn_d^U8s9BfQN!H#))OznZ&nlR3BG4Ht+i(LAQGNqc~0EHuK
z%IN~s(|(K;epGDs*tdW5sKN8dB&aA@-SrH^IJ~$Mk<$|3QF<waS={$sg~g9?U&qn=
zjOPv9e5|$VxIyVt>1riV=;q$L<vs;-a_>xJxvhauJ6p%-<n0JDHB(0ZF+dCXs3%%A
z9!!IVQb8G2M11npFUj8dXamEH1oN(v7R&y@t(V{*1%1ln`jo?i*80#QDU&*PkzY^m
z<&BbJnDPfLm(Q*4lofR$Xq;-_6-CLR`0Q0E-buCnBEvjtNkW^4+<+vVhGY!I`=NN+
zRtfp;QIl&Hd+)O8pD=p!>z=sKY+XnC=DJk!b`ZA3iEDsSbLWL>GW`eqXgu}dUmR#r
zz}}KO6%^oVLH$@o*`mcamQ@$tyxGqz-wQp@3@Y6Xe+YqPS5qMTQp~M`u6~=1Um!tv
zEor{}rOS=ro@{L?!GUY|sU6#WExyBt?#wH#9o&BVwotZu=XS*QJG<c~p->p<*5(=N
zdmEJ1{qc}jDi3V>gBHX+-Sb8DB7BEe@R3a9hN_MoUPZfD9(>qlB}IgewzE<%-Qj+d
zX??r-4v<D19T^`_#QVMGtd>vvkvt4mckvrne9wK}f5^WOO=n<VHS)gH=EK<ow_Akr
z>11E34`9;gH-D)a<K)QGqqrK?^NWQG5W(xUY(*fvA-b<z+4BrZ0~56_1nJ6l0EA;)
zIl5Xm3?8xIVf@EjEHId`^8xi2A1V<l<x!Q`AGkt?_LFbY%i#w-XdTF-GFfpH^7Fo4
zEvh@?Z=0qV1@2w=v%mc+V)_rOuzEd?4m^iITjU!MH|B=$Rxa;vG#!c9bo=9t;!ZF;
zzs1l32EoY^ZAie_MB$ywD6jOmj}T5Zs}G2S_6&#e{yZFqx0g!4K|D=$f(TJ;e{aJf
zXxOr+o_jeV<Ql5XM=GWTN~1>#9qYs%f7mbUmYZp@n8tdg&hD&tLz5W57qa6MKD=+e
z9pK6(^M&^9%zc3O^dD`P234@b>{Z`UyH5jzA#ePmrD^b-0t$ikh4~)TiK6Pr01zLK
zwM%@*nE~@34Et^CLPt*?x5!X`UG{ABYuM($eFTVfki8yVI<fsn+k|T6u!-UB%Eh9D
z9MbrrGGI=a#}5ZwjqTT2-Vi<8K3SISEO#@Pp=-s#k?zvIVP{Fdv0$q|SBp-`e#9#p
z2+cLW_LK91pMipUWBip42ejNDzb!0=^|X|yn+pN-;37NTzPtz^L?a3M!Tt=lSRou7
zAm7+IrvUcpks`be#eyX913n#q9h24zE?weW5;fgw#OJ%O`0WpMx#D*B6YXNH?AudF
zyWfKCORjG{mk-~igv5Ot=20IU#VtHVf3_9E8lA1$3YiO-R$si1BAnpJRX?ER>`?lA
zKLfc+=nr+1l=}g#lqf$3-ldc>@9cd|5%@f&h^o{9<;j?I#f7^?yx!93nvAATe*hi7
zURd7Dy0{<yG{Mh(42z`zvZmEmPXH4uY;`LF3tnohbST%a@%{J@PTOMP1EvKIsk^Ib
zEj)vkDVwD9K!*eXX2rpZ{PTORoeY}7+3rf|1@IhuD)szpWY;)Va>D=-HR%twEEVqq
zcOmVDd9Oy_xSyU_7DX7D%ER_0_*l6M;l|d3QM5{z%@IF*D~-9e%x$TmwD!y3d_=*%
z<?*bBt0pJo+px!L05YI++{6CYx}n)50v>=Hr}LqA4pnf>c}TJVM)_IgDg#OEJdxHX
zcnd$r8-m{7p;jK0dXX%mmGW8AFb#RQiM=c=JK~*~KHaIYqc;AfW=6QumoA1_XX6g#
z2^~5|a+jgD%?};q&d?IZ|MUcz<n~RJ*^_oeaI-3_ExKl1&2kgL$$>ozuJMG<)#q{S
zv@^!T`c=}CuYW$<3Bs)wFWTQdi)!EJd!lt0LhPnXe|IEv79$;cxG^?a&vxKR@;0#;
zi+-rN)HCc0DAU=bbOuK4sBn(dFG_D*0%NkpIN<}Yl^GPuZpVHkkOww81^twL>g?fZ
zqB|3Q**ak2BCKO*aU4^~2cEmTlz$-%^U2#K3Z7G6ihI5}ExWm&+7g18zJ$y0;3~`b
z5mkjASPR{J)jHHfa~UBO4DnXOYKcWQ-$#gPj5uQMcvKSx|KErqF?gx~2iWH1+3*0&
zP3En>=lxjPajby~B`)VL_%18$#PB`e%xr|f)TO5_uBmBLR+I$#G4p0qKkTQfpC|28
zUBi1o6m2Ls${W(1>ov3p7F;t+&8x2xbUpbLrQ-q9R^+3oEykx$=+O`%;DAg$pf6W9
zW^YF<s<Zp62O3PXgcu_%#D1DbXuDx)$p!Tb{_l9*Qr9jLiXFmyI6VK6bY5GEa$6LB
zB}9^!0wPKhCErO-0+R9Rds00{pZ`?br6R)KE6nvxu-DGB${MPa#do<Q?2vtT#%=5X
zQYu{LJ)Mb@^l1Biz>g<v`YcRc3*BpPLNRa#At>q_zjR_UON-9_shikRN+#2nbPu<R
zgB{&I>5v`nJYYc&NBjPmi!>)>i9pYEq-18`rpa0PMxrVWG$2UrL8o%Z3)8`)`K{Kq
z;eg>zd%u&Y_pc){&p#g}Qh5`iQ=_!pfF)2$i`6+veY|w>_ZO%21CP0e-rRRXAKoqB
z1i%Adk_<Lo9@UBo4#z{z>%aokMX2$o)6K_dnCf-M!B19ZyksouE9r;B9R6u~Rp~<8
zpyU;n4w3gmDE7qi%0{2TQ5#vpUedo(aGZ!ZZJGli?wd508|ljhEPvv?{=H9QXH-NW
zH-Dyd0h^8iXdoDogkz7JLwj>|J6f2K`i=c8t!4KnKdu0QAw`ebcx>uAxi#=WYzHfz
zzHeuYtmK3aSmHr&ECsJ{pqppj^d6^_=NbbmCrc2wc=gZslDI$%YmJm<1a6{4B1MGC
z&lG<z^%Mn9=73NbI677sP(iF0M%=FCYmj96?5fmv`?<|M_-tCYYbc~NDqx^BeXJLp
z8sz$3p;=i%cz#3GPo;jNnUm?lcO#aA5uJC5^leKLYWmcrePLw<%4q1(595yc0W8Yi
zcj=29=KDT|KeYWmg<~3U$sM$2Jh1Ml7wLy4;r`~|d4O!rPiOI$G9ZDYVTpEvw6>><
zvZ&l2v1<_I5k(RuTC?{??SVWlb#r2ig<u1^zPRSPe_(i`Mc}-=hqr`8dA!_)2E!RZ
zgkq8`bZr$Bd9E<{AN{G~r!$y2SZM&(MJ(EZ@cV1e^{I&jNg%+*)W($ZO6Qi|lZQ1#
z?4f`jb}r9uNWZv9PngO%dv*>ppmGl>RZ09&IE4Cx<&1ywB0Ps1jh1ifzK%xU+bPme
zcKO?HmNz|+en1n~;C{AmY0#R@=c7sRV}DDAvX^{<P+mfZNs5ZV8pX?EVc9|d((1*v
z)AM1be-1n+2f;eSiMi2!SG9v4f%9=BP(S7u>LIjLo93F%o`{G+q0R1&$#anv_4dv4
zM88p8sJt&u)5Y^5@9`*zTS?I}`=^i!69^Pzc&;+fMWe{_eN5_&Z^qMI&{0C+gSR+T
zwQ{TnH=+}u#U!IYq!x1Qh~GnTqSs@$(Vya8*s`WX(E*wKS>F3y%3H0ssKEemmTr9V
z-tNU}5x+5#9G^Z2>Au;UmUv>x9MErg&R?`1fi_X54M>HXKEoNg=xU{%;p_C&72>H|
z9>*Lq>6ssW;Cc4|><Q4jeM+=H;?F5>48H;82BzLn!QPwC`zHAiBNr+B@$#22a^n0T
zs+4J|sei<a-l0@8YP7w4zLE8I^5Wdgi>I}Gib2PZXj}U+N~!1^R@7YI>#IMN<@-=x
zC}2Tg302l!;_DG9-sb1w@hasvq|(1q?$hIgZI+3-3>3TXVK*^99m%bgezUSkS6$m2
zC_un$GtM`i5V$0G`=IE8@|+zxd!%B&-M3rC)6dhKZ*lOERCWQ@R2932%0$x8K7~8b
zsXagRaMoC394c0v<W&&Xa+=SvAzzxC_ZH&r>=0o<f5=_g$HTZCl3x74zsBAh!Xqh4
z=fmN+x1p{NA1-ChI|Y@pOnz-&Y&Yic*dVkvQ8Vmt&N3<Fx2S@*6OCmWgK%k+bH%hL
z+GepXFn7a;1$~~K#c~h6*c?4_Vmb#RiX?kG;?$519+zDP&NtjuE}3E+`l|ed;95BF
zulUSr;q2F`{bBKo3k%$Or*C2H2D?Kd?`(-NrjmZ0xZ6#|62#Zv18B&<_XU!kA2TRQ
zX>dU%ww;l@9Fu142W$!Q_aQPq7MC*=<$+z@!<LA@A8LkZZ<ZnoS;7|l2ZUjGGdNru
z8k0K<w|i`jLkh1e3rrfpLUr_>=f_w4Lm_IZcs)P6BiZeDZuy8J*gJLZevEV6cyq6-
z&osX988CVnk<kS19t^*6dOg|GlRVfr*j#~d*h^{k`?lNTVBD=Q7G%<miu|&_X792j
z#I6+Z4a9p8LC@;ix5}R$wfhW;cw-Gln2k{k@Vg?$&i0dWh_*01_@CV11ac2CE)sXM
zKe0I$a+x35b&Ai!eNTWr<)YoT7r{+V6Yk&Db^cyJ$Xa-kQo{IBVSwFq<s)H~uZ1KY
zrat@B?>nvXDPi+vQmFhLpipLHbNenS<4N$ZAwjK3Lh1kpaf1X7&zQcAe%tg7cL55s
zGA8klXtS%c*uU9U;$oSue}C4OEczii-*c~1rjAekdNL*N0|^9KrV}b7vv9el+7`gt
z<L6h4x;^ogDU`o&J}3z9i&0PHQ$3&3=9WsQt9N(hEs<D_J5I^N;7%AOq4#up-@PcZ
zic;v2w>pcBT7YXza#WLjS$)8q`buZ+eu}_`zD7e1gd80#BL=}CD5K^42a)x3;KO)p
zuXJ@hW$+WeSf|NWUaH$EVftMHtxcL7AaaAQ(5S2T_nozm1x)iNeJn51TkFbRBB_m~
z72oFq_dE`Rrq*1Gu(YnNs)2efCVSi<=a(gr+zRhb0>>0wyMhXDJ)ks?yJxkHtq$a2
ztP_4JvQbAkqtvqg5yq5#+#weQn{z<tUC|vAU=ke0H+6@?xn>wBYUzy@fGdiYn?Qj4
zr5i=V5*TL03_5Yp$pP1h>OVLtOCK3r3{g}vjhB5UvCZ8+um<8LX$}1SR5ira7p(Aa
zQLyr9g~nTc7rm4`Zd9ZQ0&Pgi_OjOFVg3nW`PHsJg3XA2&t?y|3uoN37`iUuuXm8c
zkZ;ONDWN&u->Z}QkC}Y;2V*wxRgwxMJP10&kLDQ2G|ks?YHlQKIrnv~STusD%<ym|
z_=XVzVYzZ{glb%3up*>9j61fGhZ)kq2h!VbEjz5^yQhR}>*)7w%@tTcr%8<d!WUQ$
z)#~3zWNO9@!v$ligg2CVB#EHKJZX-3C_#c9#u=_DX*Dm)9URt+8A(<8AU0Ub)UbdA
zz$(-MV;pn<+`88uz?8UUrQv(AB=#zZa1}wQ+@cGKkM&Be)Q2GV>a3aaE7}v>0auhU
z8m!QUNC)CZ+57xvhbo(ZqE{Mu7D85x?M36zrXirOtw(GNJ4ev)JrMBCt5q3Y$T5P@
zjSmom?A4RM<&C)l333})6V`&NI$yr0?{xt^Y@Tm?k($4KDHq9;eYc<e0PpDm2W}on
zs#K0Y2m!6n0~!t>dTC%-q&)p-dweuH>2p*Vk4+wRZj|vPnJ!GDk4K!NRd2`%1)4JP
z@KR7LB<iD{ko^~jZP+>D@UM~PjJr=Klgu0^M%Tnhp4n*>=%P?8PG1{nKYcyS;D{4W
z<Z&x*;MMFqCFbkih~&XcLBIWBIPYri!Fjp95M%N;xU_kqTEsX&{PialI9bQBf6Qup
z@=*4~XeI-?j-L2Fy{^f?^_8_&d-dz89xqk_8V+1UyJuKuqzi%}qG_IgAD&^jUk$aM
zr)AULLj0^f02Nv@2)C1bjfJylm=BG-`i3^DS$u|!TO}Q^R(~*N;3>-+4Gf;zqfRpV
zS-E0X*vR=x-awk!?!pd6kv@BZnpv;SY*FsKiYh#MqjQR(`cxQU>0`g&5Y25vb)?Q}
zgI4W(Q_ov9L;23RI#Vp~g9tZ`NWG}>%aN{UGV(mE_q+;Y9wx)>#s2^?`JBo=esPX*
zxm;fr%Xv?m?QwTKYEbz6)+`Zjfe*xIAH!W25h)4|D=0bPVjgB6YK)xR?$+;GJB7In
z_o|ZVEo1cJ?jFeHx>qYG63U(NgDD&Qg@wHV>(mtMsE>_KzCOpu_HDI~(@{6lKXE49
z=<-!-o<!4K)TyM?2*`_+X0KhhYH8-anM!L92|C^Ifg%DD4lmgEQYX{!J@avePLbTG
z07M~JpfAC-nG-H}e1j`Pg)CM^3=WU17bxb*rBgRe7?r*WMZlg_kblkK;HB-Eg};+>
zbDkKO;GG;(&lY`4?f&fZGq!VI=7SdN*9Y8x*aLCXs*jmJdwXcRC*{u=#pOAtC}IF_
z1Z8#}PE^UY3-oY&ErN4=WNoHRR=+F+_5o;t5?DCS*^AidR?ptT(iJ(%qWa^xT*CP9
z{K<AG`s2BpWd#h0a5U=X9qeN`{Mr~NYE20M*dK_$9IW$)Y7l`M-cl*<v&)`@b)x!|
zhv`=;TT3LKTR8k_zCB5_zt<54H_eOH*X^lzjNA(-K)31ljH>34U?88wo4_Y0hA1hm
zT}<JT4SVt1kyHz_b207=!3pv30~BuYPOAqJrsBA<BelmpoGVVrhXHVmE2#G)auypz
zxNjl0F}F5Hwk}o^zl0|qzw2s6Z@-%W75@#wGi6@J`~#(x4QKD^904JB*f-|Gsz?ZN
zBTBcQ6VVg@JQ=ohpTUgs`@2~}X;{$T%eTwr@%_?JUeh12B>T+*+1nuve@qe|;c7@v
zFaVx=<6?ZLLe&@x@gjhESc$W}UMu~CfvRIIWRzgc51XexqjHhtHmLkpIp`Te8m0?s
zuK3}qmf#seMM>_zBMTCWt75V|@%*$fHNUru^&%>a{enhwCO-isK>azeaA;Z>c!cNs
z>Uy++rI+CNfm@zmlt}gAnCP#u?01J*g8l1t?Xz0H=q_Cg+I&pi5A2+bJH&)m-&~)b
zQjTwH>a;;@MTDbd<r&9i_?(;9eoLtGcr2`MMwy?eM!hf43UQot>`WdJK8goM<tyss
zF#RO#b#6Wxi$Xsk;l+}HTMqpge>8QgfWef-neWpoK@0n0rAlj-4j@)xkZ(f&3v8y|
zzs&o1PvP+?Xs3Jhh#uTgYDThGZpRpd4@Xin<5mH5Z@o({R`Yem95`WhD4)M(3{_C+
zjusCE@mpjj9MnV9w%+?S7>kzkI>PC}R+Kn04pucar}U@^-p72wl6-L17!4Se02$fD
zc*?|XO4%CV2i@VK7I4cmXvo9b#37c$7B9&Eh})y_*B~}hj6Ft4B=(M43iLg?Ppygk
zkbl6Yn7+)7(otj~9sPO7fT5VPMipX4bm}IJd*_%^cQxj(c7_ZQj~{R4h^u0sQU|5R
z2V5@xTAv2a7Jz04k2gl&;&1*7eq&DTm(RDs)L(ZHH2Zi$W?1zYA>5Ls*Mov??NiGS
zDJn94w{c?%RP;xB@~L^dy{~)VLtW#ko7^4-Q#TmN9>(WJV3`fB?^4?E;$V|T(LR{F
zI}M)(b(<D)S4mu!w`Zks@+^Bz&aT5*0;W_<YB{IeeUwgm-8{3sA|nVGiT;UxC@1^E
zino*^n2GI?_mH6=dn@Hg8DMEGOr`}VSQcn7&w|NS0>{%wKT|~?K0_`!^};)_iug82
zzqhmNHh5v7Z%RIRm>VR+cW+N&_9E|3;ub(6SUdbvqa;jIYMAYs)dA|v`ZmfhyUNu)
z#W}Ey6WrzNSy#;PbC;hJfM7q`ZjZrLfpJwqysk`tBh|%Cx2qty(%yT=V9DKtg)*jj
zYkz?IBwILJ2V2t#UV~=-`l|U~qnV7af=2>o)OmLnOs$dnbc|RqUm<5DuBegtXWAg(
z6!XSs*xs6<rbRr;=(ciF+cOGG-C}rT=kA`O<8Yrc%FE-11RGev>=XA*otxsqZ9>RK
zLW%tV*G(m>jSh%qUCVPWQaPbs@LawkIITR4u7`2UPNw{QVuqKj_mOfo&CXGz%+Gy5
zcN6n-`wU7$3?+VU&+p{8$I;*Rb!D*MkCzQW&E@W;5EwV974Z%~Ti-j2_FuMC_B<u!
z8Kvz#QwpbBR(sK7GI3+QS<uo2-btI~ge-Cbo(?kd^Hg-;88J8OFt`<=+C)W$`+8<S
zk<WTHNxd%*5J2KFI(oX!_`ZGWNp0JAB+Q?!gS;Na9;}+H>{8E=MO=a~-06e)b^FbW
z8iN9Yk`r+~^gu2-@|AgZAs8W0FP(g%q<`m%d}*#otoOHfk}O9OPwmH&ig~>c3)MbZ
z97}>8=;4aMQ~K*xk`W)*l-MTs_0MgDQ8HhBChM!vNb;UaACdV@W#7mmVd3sV_mSbF
zm?l&$epOy_V72Umg0J*Fyl(iYl2u)mRr<b8Qxk$pm3~#=Xz;eMKvKa0e^uf0+JYLb
zHP~f2TCeiU<?}lKOzolX;rn_v%}IYG_vwzRdMA=k|DImPnLMFEq?~7Lq0*Yhp&3jQ
zVPW+6LE;LdpKmq+XOfAc*HGE(C%w%ECnXC^v3Nuw{7f^4^BZVz`b^YU@a;~)@35F^
z1~v)GwR*Z*hKrYe*;4KW=Xc1{>eoUCB4Y^)8vCzeAJ7f9U&pudj=9#y+I3)orN?kt
zGwa-m{nm<C0-+#ws_m&CC{9o@KK82HbFgI{VZvU-YfohdEj!7a;|teCbIV={?$_-&
z0pr`q7}j&=NdJLPE;}enqw#H$$3x2|T^gIW!`h!qvWe4Dkw}z8qnqqKdj$*79?Taz
zu+Ze0<6FN;R}7=@3mCfU0A4TY#g=eu5{n6?u-=5TdNXVF1Q>{Fe<aF46YRwI@O`JL
zp>AmEazDJM{@C>sC`?AH4lCZGD1K)c(Br!~WTtJV(lH9>-@_asXCfSo@?O2;>t|e3
zb!l|6r^4i2S%+@}4rc^x2s_d6wuPgwD*Z5r$TatQTh%JR3rpm8DFP%bf@~XuGsm;F
z%s-bXzg>-e&zqSmYVp(0v9&G~zZBz6vv20B>^O80O~by$o_<w$deX81^W6uqcqzJb
zuVBpX?Dfb!lU~0G-lOl;Gl=K=Rcg*le=fKoUQ`ND<^Jg%3br+*caNc$`L-Nr7rC^4
zgjmysCvmapM(~0(ehsB+b*B&v#xsd8;%rYV<|g{myigMPmnh}?z@;SJ%fNJ$2_PAy
z>9lv!#O+>%8i@i3-{oI9o(KfL_R>bpk5V^#*taf^29Gva7;KkjcHDfCXsY{o&B@u2
zmU*96k__!Eup~Jhee~$mcnYDNc$M#CTX60XFEKc$%X8WyQm)sne_P)dEiSFwmG6x<
zH^;it-}RnS(5k|y0arZFmf3c{&_NZ^9JTM#M5BC}qJ0`#vlhS4>kXb4hLN|yD<ND6
z|FGD8N5}NBoZ)DVN{93$?;j2812=c!58nmy^1T+vioj)-1E%Bhw!$#%)=mdJT(tb2
z;~KWiYq9nF-5n;n2^59FOwHM6b%V_DSphTEToarziC}<g#Lq>huPQM!M(-tS7e3z>
zf)<H-=>Q>@cD8STKbK|%f6i>UxSq)tabyh7()fOMrshJ#3jD-3Q~q4V{adi#=qyN!
z(q4I*%o4jW1z*1VIoWf|s)-L#ApOf%Zv@P!xYlIIQZXbZ^O|nTh49i3e<+FytIqs#
zy5@}8aN3nUW$8~`$!{;cHDz2_MoMbe&eYB8>6*iW`Cx#pW=Ob1_<?gTd(rMKv%mH$
z<#wsWmHM!&`eUmY;7#8&A${L!o`K-{fY*zAwG%bwS#$kLDD9`5b4ih~%#37p#47(4
z%IzOK+~->unABtWpr8MhO`USrvD31EdwAP-zAV#`M8bc+AGO(WzdjttCO)E-`?qpu
zi+l-(krM(h@4~TkkNIAsAY<u4VifSXZ{1)ZUeWb*Nk~TT$zQ%wJ_C-Ma8qK=fhq7M
zOYk;jUZ1^CcWMCW_eW`PH)8veru(WHn|@r&GJ3<tq<JURy>k3K&5b){ciA^-yG()t
z4BG*JP)kPJ7jOXX*POsY#EUcjWAlUyrH~PTmU&2|?52vIpOP>MleEu`@?fMr)cYl2
zGZVL+WT(IoIW>F}X|Fg56vXk3Jiu&2<^279h-?ki(;LRj+2iIM4SR1>qcG$@lFt*-
zw$zvK{O}F9LIM+b+^MRPaiLbZ>=(`lhv9_>@TZVK0$ibRQ*sIP^tosOhhNp0xm%Pc
z+=GswSUL{hn)XZRJ&Fgw#q0QT%}S?G74<mbF~>J&ZUH7=hl(-jzSc%|a6L=I6$wH7
zhms%;;ZK$-oXQH%L~#`_3!~QP<}Dt7?-_Hnj+TF%&Mt@0fF1H0bI~@lFHIPTuL-}d
z0=2D9$ACTjsN^t1aqXUsw-iTWm|UOmd_LtD-MZG-3N-&=Zr&$cYx`O0l(V77CODgj
ze>yh_4#KTnGnMzKkj(1&#SwDSS*&dx+je?Ky-415hDT!N$;)t@&nhXp6XonxTq%pj
zY$rWJ#+x{l-40AAqF8+Rj&l!G`(@xwlcNQP!yA{m@bY2Nw<IF}X^!6Wiv>?=I502o
z8>JmS1UO{FlTNNE|IW1o1VVGASNWC2O@Os!Xj=LDM}!wmA7pFb7?=mMw<~Rp5e#m<
zlCjX~Pu?Ja@l6`ICL4mD%je_XP{3@9Qaql<F_yc1zh#W00onn37QR1<Cm1g8O;H(6
z$IW~gwIiY{K?E}dh)3e9@eU4^9}aV|R4~AtcpsL4>Q*#9@r6_bQlM6&Zv<;gZ-L1Q
zA543t*3_QR@wA5t9dFeD>MEC`c7BLA@zz{|tnK#O>nN$JL=^RK88sa%aZ|naN-<8?
z7i;n!@flA)zfDfBkNwz+56m|hl_I-z*2S;iDLOnWNu{^1vd2F<zrmGFmfEN;pM+?=
zpSo0@XteK2IHdPtms1OssIbu#{8n-9<p-we()NLg&(mdx-^D)vb!;HueTp4-T&3lQ
zm@11+p7>L&fz%2hn`S5&kuaQG7Ht=STA_xhJ5&@T6AR$61YSC6^+(fRpqju(*!PR~
zi|Kl@jo9~!w7fpeiHzaT?R3hulOkRn=`(q9*<l<>6p$+A{cYXRjC=R?o$#gojA$bk
zw9Ht7C$aqM<SZs;MIM$YLXo4BUoCr1ty4zG@_uFNyzi!$;ND=+IGVNm-KaqDH;r|D
z{?w&)WK#SJv|B#j7DY%PQmP(vIF!Bdc_9)G$wyXU#=N*?_x<YeEu~GBVXp{5LLo%&
zzezw&LUwZtn;#4RA4UH(_VB)`aDkdxw>vOea+L}ScS=b5Uh|nwEp86?0NclSOm6j`
zck#X$ZV%6SDFVz+r%VvyBJH!^c}rvav;+uDII+V7@pxi7h{{i`SrCjTbk+Tk5>0;0
zfp+ln_4eGekf)pKCxCu<t_A?7Am5xzPa`tr2xZKRdbTC$x>z~QhorG-(2SUV$VWml
zPR=UdGZDn6FfDA8lus?-b<4=eg{D<9j1=IjM%FbOXVnFBlfRDxk#0Qyl#_6DzrTyt
z(KZ<#>BFAgCFE!)U)zS<J9V!oa;W1eSqTmKOdmR0n5_a2+jE<Y;P6Zf!(ApW!!1+X
z<HzaLdu)CO2cmV0kG8$-{dKuzigKtzjcfnQaw7P>U20oqrMr=_G6dgyV`@Vl$Hssc
z{i`DICtJt-&9tJdC|w^Na(n3$8ARenKY0(ig>y9BuJH8xYC*kq`_5F*(es!ab*PM(
zbx55T5pp4PMJ91O*M}MnGOWL7(fwNGEQ>LP4Rg4V0Vuk)+Kc6@W11$A=Iisr0)L;5
zU>pkAHp^G~MB0NXV7B8G4NHRbeUw+gt1jzcHT2=DnBrrt_ZmEk@g=*SGZmJLsp&*o
zcb2p*xq~#4(0-Jd6V!NaHF}La-v;BsB$i95?-Xepxlaqy)ue&JA|o)7zIeGH8ny?F
z?8BC!@X!s=3FnN#2!FB{b3nuSz>IRNN$`?x<cGuv8LiLcr|Q%8_j(Mg@W=`UQxZn+
zv)8H|FF8b5*TU-9Pm28m9U;8x!24WMO9y6d5V8FYS$iNxup3+bth%vC^P-Z&<5J`k
zmmf=p^iab-dx4aX-qmPDyUhRGf`~Cdtls2JsnprqV6SI@>&7mdLp_S4@$&4Wqx%x5
zeo%Ey4px{^HNp<6+P5|Szy@ZE0jj;*agbzZh}4N&i%a<hb-6rOO{&<2vQURMeCP~x
z5Xs&$$Zhml8>1dN^WC0|r;GgrLWx=pniy!s?BFkW;Lld%e2+oRBf441PPbGeaKrH@
z-6)};Pe%5P{kejMpOx5UBam@l$q<$S;>bPY@V=^O(hXn?RF>2mXTi<aa=byy@wD}+
z$8COy88scwx}IMlrAup)&DulQ!Q_TmhGxz(wq=x~1a>X}hiP_04Dy1`^C6Nm*F0sE
zWYHbP0U0nDU`fqVE7uyl-?)5Cun4M&dXtwdcn9FpAHPqg#;;EBJ>|U&C6a-79t(Ae
zDx2fVE~w14S+juuEbqB2ypRYh=H&J^Nl6;!!tvDSc?bIPPyg{ST)0qvj>H}`-V5@#
z+TFp#&&J`Qlkah4w$u>CX0ZY8aWP8G&dS2E`-WhV+zsw0ln%bt*~u~{Rh+VyzTx}O
z;RTc)XP$3m4LNMZ8|d4H<newj)f3c%JYl?p&Lqd?&v2Wzh>SVi^n@bn=*y6L+{r?v
zh_o`Eud#xnQdE0S%q-t4BwEKvKkm6$o2laM><8|BRZz&AHnLa`8j+m+DswD{ed!{|
z4(6$G5dGYjV!t%D59kb>py-FxDRXB6(q(GP<9-Q(0gD)PQcnvlN%oS#X$hVwL(IT}
zLOhT%!B!Z^<v)~1ukZP|_rxU2Zs^WydeA9$A~GK1FBuFLdsbz*uX&V$!7?t0l-~(#
zC$h^e6J<AzNs+n#-jau3pLf}WRPCV@6o!{@tEb-y5w|piAlF<k2r*$r;>(wE4=cKN
zF{t?RC2HAA#>5kf7s(`{!c+rBPJK?9FqUzEq5w(D&HU&$+YNL&B*Zrr3y#B$uer0y
zHlY*8Ka(%=kUvBY#J4jEd?6*}V86Jqsxim*&F@<`{#d57G@&6Ue}j&-di4~(;t|XP
zx=@+VJz|dfTgY=?mHe}GJbv~Mh7P9gL6Qwe^InCS_?f4^0W}B@h<D_i@YX~6`<;Ks
zJKEI0lkImOceqU9jRVPB(TM|*;xgpr*lNBHpb^9qSPpw8Qn==~c`T<`X4}8%p+gH|
zqY+j_{FZkHi1KJ11k-S+?K29-l!hh<!K^1H5KU3LK3apia)J}oT5=m6MS_A*#N`{z
z)L(Z1HtHpUOR^Q8uF+BQo=qZrwDKW2>6_OM!4v-1+wq;L57JFK->s#`6EFz-PK=im
zTG#NJ2(#E0%h8wR^Ep<h{x>N2k`7|MmRk;B3ZK8&jM89`w47~aQssOPPMOXn+wf;0
ztgQBX^YY47xT7XEFu_`;%IPNGy)&)U^Ru1uR^NAr{#$2fSR;tgCw<;5vTq3fW(>qU
zYN{q^bYUy>14nLe1K)3}AC_U@HHt<Y5omZpy*y!M6{Jilc9Hu<`Yy4?nO$jD>^^&P
zbaJjnm|N7#t=YP?*n97jnq8yTD}64PSJPW}j@Od<lDtvGp7$L}yrJ>(TRw^@pHy=H
z&ErRG@25k5S(h{FLoPwjFf`}dO5VeGFN*u0b@8LoP=EV?-`*lnki*1^8k!RGzT{!^
zb_DG7f1p@a|4=fl*I@WnZW+9OC%E>-v$Zc-INipma)Td~M*7I52Y?2BY>{DIDZ^7*
zUA3SrH6y=rmNW_zllv{Kp;^$(g+9}q=O5Jlb+pTcnQqPG+h?!stpNtX6W6P6OY?s{
zcY#R;-M~f@M<1Ipryhzp{WZ)-^KQO6MEj@u9-JqD5zs4R-)s*R>Ar5F!4rt}0bqhL
z5VUFQd91(e_GN70oRM$y3$ugKJqGoQJ}^Fo^6`*-(N=Pjadq`J`J~_PfTV(6;Loa7
zJd9n?wL3WD=_SJSS-xm5ymR;#JzPH09XHG6%6;d$3sl2W#lwfP4RdOgYZh63=hF)s
zvu@c`D~1w2`WL0`^CSYG0>(|t=#Ye;ei{3mZB&4Wa~hw<vj`4Yd}$AlGg~ib;XqOT
zJCnDF(qP(>R`MMU=*iJwQ?H39r(RUUpg?9ipP18|6RKP(ygkPuZ;JLl6Aoso^(5z*
z;e1c8%nHa`mKAUDressVSxhuvOjHnftrLjsWgjdm;VLN2mhAJ+vwE0cs%*n92emZF
z7I%OP#!TgHQw((8&xX5Mm;oGF-wpQjfj^Jsb{YYJ=7<af75yul`#UP^Otu2II(lE$
zx~Z?Twa0fYGcR28H}-|NHYTQO-|%qD?XM$!ndR<u(n9e=NMtbz;}{XVTH|>QhZuTI
zV21RLKVEap^IT9&^k?}Vf9h){RKcrMWU(>WjV6!BKw593mDu}&9*Vf2&@6vcg3VqU
zs7%}9SHItw3{g|VL|cxhz?FGC<xia%b{!n=XU31!@o?6&6i<bsAutI1V7S&bLvY7M
z`^AjX`emvz?RQrnRpqI#xTC2b(R#KHzjlLU0(&1%;g8Ip<Ac*JJ##zQp-q&Rq~sX0
zl$jVU-NOK1>f5UNXsZGs{eaP!hXJK>s(mh;G=Ni6a!F9^xoim!eKY&R1ZXbpE5PcZ
z-HIdQ|66yqDGbP4x>Trfbd1mY(Dv^?%9;X~o8eom;`{vv88e1&{rC`{hw4T$+O89%
zTuDCXHEJwHzb{azD)Zja7^XSMz^aMznZ3PM=RSS1M+I(r%eDQXef*H;r}x5^!I!vl
zAMxus<+)U2`eTOW>(!slW2e4?K{VgSV6)M-kyJ$-_N(vlV#Nws*q1jJ@vIp7D~=9$
zJm^<oaf|5NG8j1!zX%H_nSW@bE|PD6qLeS^nJQD&;H9L=K#mo9BZ2Gm8sX*SL7boK
z<w%=<(@$5eByJeX;+5da=DRrx|K%-<ELULzi|;03hU$GfQ{eEhC)BQlaWHAe>D=R!
zA+uNJ9)}J*AoN9aSK`C!b8kiB@=DT}zjgAl2@*I3U7R^l&qWwKYjA-wc$cC6e4jR0
z7G|)-db!e9qwaTdD}j`BSWmt`KN8Q~%hPBp@J)C>dJh~#LVbGZlJ241Cdr=+R-cOb
z@#?BweT>i8H{zZ_2Zd%m504W$GXV41GT~#zDu(^wGz_n@-y3Ut{UaX6>uDkBC`$1}
zO+2Y-#yx_mw1S|9hf8sK#^}Ixk)UR?`Ax~=S8;sZhasExyP>=Ld~BPZWe(j~U8#DV
z&(YQUKD<$%uS@p?Stp{2>|MXkb<i7^pF<ue=dz|hgA}vZ7tZ9nF$CZE$xC({V5ct%
z%tZoW?*!w25(wtRw|=5nErkK6vk8xy2WPG(X%~^O(ai1hUZnTD7bto6^){UFtsBep
zaq3P?q>0IUyzg7gLz^q4$otFWN+^o`detbQYY(@@Z#Sl_v#RQ!wN$iy^E@B+w=QkD
zMX$rVu4Ca&&}#&{{0h++CYjGl5PS&|9eaXa0M)0}0RV0cQ=m93xhSrzknhbI{UaGH
z0DOSc`|BK1C@s1Ug-%wo?`Z(=)``52>!dR!M)Mwi-q3dQWa6QITq25!4Svld0~|0@
z=q2}Y&H}iJqVtaY+)t}pbNH0}<qm=1fsng<xmQ_Ao~RxD^D>?t_cm?gRasa08*spy
zlx%b8%#FWT3#Yol%Dauak?3D>{znWE!(*g7<uGU`T->lx&!CuS!o|6nm>K_^l-|AY
zqw!3b@}34c*g7Wv!LTsi6I1szWLNLGg)78w^xEt;!W8ESyYBL{%*zL}HbDmOoo`qQ
zcdaS<2XpmiUJO2a5gEXhkH^Zt2YvtLQM-)7=B8z~H2y=7#d8vWZVWRjS7ROnTm^BY
z?mNMUy^Be?z24E_GkfclS}Kx)-E(l3h4#hbS9alr^f;Mb{zW|;DvA3eig^f{IjG}N
zm_51(pf=OCqB7S%>w9`pgJyk5_3J?e`sfeBU|>2%0un&d8m;uUP_0{a{-7PJul|EN
zV<>@R67)a`JA+e1ZQY$0ICSi%-;<-t;l%qXN+aAlK4t$H@w{K`OPw8tMplVV*m8`E
zJr02uhQ{*C5Fr{c(KT6;DB0@)IM;jHe1*fbd7rwRts%ddxKkjzKV!Itbe-eJ8q2l4
zFClyMa+HZmRj5W5wi))mp=`U>_7HC$u6wzwe7@+c0&$++i!VpjCCiuCs;BL1l>i74
z(FaX-t|(SNLwT(Cnq$p9FrykOHykPRdQdSeS2F8Yd-K3==XzQ=5d~XHb(uJ_GluFC
zadG{DYV_|Zsa@l!1T3sHv$AGfO9uK!y2Z9*oR9*)?p2~#*OHAe+})rL)rKgi%-=1G
z;H62yZeWj7np#fJ#doL_q-u3Cyt7kxeb86I<ZO}ET6g8JW@T8eF^g6{t^KUqydB4o
z8f`u}ZEziNG5`1mn8?As$$Kl+Fm<&D7|Qbd++Xz98j3bRlxa)Cu@oP3Jp35g*^^q2
z3;krjLb7Fp@nL9cW2_jaf`n`oGg_kz@h<<yZKlh~b64-2S)6d>ja)mJ-JRHA=}pR3
z?j(kIoA#T#QY9Exe$>o}U3$j(m97^GZpNz|+lv<)=bG<NLO`(aF_zK3p|!Jv55zzG
zXRY~)d^sF{I{g=dyNEXU<@jSAT1ynEa38l|bFMM^ValmRzqphjF>D@5fPq51(cH#c
zV3F7~d_VV$?_-UfiN52g_+ig4J?ArFV1wJ4prDPt56c}LaKFMFT5%w@(qp8hO3qAk
zp~bTk8=rDdvvJq=pKcrc@N)GlI%^1BF$(fgzWKAY9-8rY?ta;xTcbLRavCqz3h(cc
zmK#0?%j$oLFnltY%wqw&1E~BwC}7KG#}Zx6(-9!5XC`)nPTndd)y!_0rc^F!R@C?X
z*=y+(G=|dDGfdLsfmd-Dvm6Y-$17N*?=L!;aX7)-IoL0Y4i1S_Ph$YnuAlaiR$;Ty
z9mLzCwRCY11LA#OPWN=S!z$yr2apgPWkVfLk{so<MOZkVjTL8zR@b-{C#L<LM3Ld!
zMRS~$E5}gcxJ2{wt8zUyi|#RSgF7n)(0{8CzlKRVoW1as1Y&ds(7<efr|M_~yYj0S
z)&iPJk3F=GGT-N;-(`?(USc?k?`f-lE&vT5sF2CZk#U|+tJuPKc>pyXcLP3nB<X*U
zZ}%14{EXUM6nN!}pqlRLTzXn*vdH;xy1=Ix#3GLJQ`!p#{&R9q`AfwRTHM_XWW83%
zl55~-6m@e~tZ*zCRb=kzjxCt=1*Cd#`xKY{m7Z>YO&J1)S<o|a@uXvZKDFEUH_U6L
zu%wpiM|YgM=dalQ_}Qt<N(-%0?N;7i*5y(r1rSEZ3vAE6r(${-&7N#A0iXtbe7%|a
z=~KR*1I0XkIe49)$4q96P9FSQ!Zp$9tV^;92I0$x<tI)NJ`U4f8FkH8EO>YzR&T#>
zDw<l~m7~(OD*H8Xd23(;+<WQJK(BSy$4R1&&S@hA89-?Lx9a6RVpy=d7>)kkR4hTf
za5TusGPYl03l8l%Sy$}&F(>YKfILDA%m~j07M2$grMu2M(QTxX?<dq{NFcmYeU&-B
z+kRt6b~Fy&y{%Xio#Xpil77SBJwA_w`pzIDvPU#*_qa>-lDF|TwXA)-M9VF$Y|H84
zm~^W9ld8*iO1|N@-k#h9z`fFD=&vst4vN<`moI+Bep_oscX)~Dl-%7kbUZ8{<$dHZ
z{73eFY3P%-tmF@ap+T_@2lMsb<$qhvWo&tKKj`$F!yLQG-Eq+z1E)+w+$Xk*%rPC)
z+AI{5WA+*CX}Th;9F*jE(F@mV97ta8Ch^;#JLCIC`q3&T;YIBhoiU+dt@4O1nTJ5a
zPM&{SDI0D_o$Kjs+I~i8?y_b22*LtwAiyFEd_B@)7??xNo%cwAbi+qBEY;iiRRzzm
z6cuxHe~6r&E-Z}{d4%5<qC+e>Sl8s{<L8-Ie{0j$1nnw2t_%n~@IG48!pQ5C<4M(z
zBMXpiqV@g5sBSFDm1t3o?InG4c^>u6)QJME^2haEeC8D{i1i(rx261II7Le>vbhZo
z#+x#qBE3xR`S5sgxSC_DBBaY}>#+|@E=z&O4o@0S`~vKI*E05fw(YiiQ4y|C8JLT)
z6mxSa+~?R!BBrfC596k0s@Tk3SWbuX8i;*QL@gr=K#8qw@UFXOo(j_-(rZn((j#eQ
zxuk5Kt+*WVKad0ooVgA0a!X=}G@LzR$7C`qiTFtpW5zKPTE0)O6B>0bwmGC$R#;Ha
zeTB}1@tkYbjo9i>kS>jI8h=2xJCBm4U~O4uBseZ_qiDas!|9nATDWn*Qbkz57P5i%
z6tYEtqMLD`iQdz#ICDabe7NMktxqe~-+c{IzG4ve^bDHor>ni!JU}mSLkw1x>)US_
zbNl1_&HH+f(Kus%*BEr9!53&)Xy)VId^GN{_Kg*n2pE$KP3vC*dH~uS)#Gq-ThGh>
zTUChf$zsUolRCkieUIX=dya%om7$(0{jeR{4~!efVtY=fS9WAKfFU<erVmF|hAH%w
z#W3W0ZR!~wnk$@0zc?gx3nW3pWEORC;|>oTYz`m*<KX8lE-rrb--%E;jzfOeh1**!
zh49?JnsUCJpr#VWwuYrQ9?<eBH)lue?zclHzN-eHGeFdteRJ-<6pYfcGW!(|@$Qqd
z+Eo@)-O-$V3Gnd6K_u$(ZEFHQWi|;b+sc51JLS5amcS<{ht5<*K@QGBWj^{5P~}ig
zn4i|_e50Tk&skCX%bR^2Erl0seLg1lE`n{D^7mEKFCQ0jV&`_-bt0i~&D4$zh^U>A
z{#w_(xw*-L@q^;4uIvioHvZxKTdYjN;D~-4o#1)G6Q3}QeaeR?)!EE=T1x2%X|#XU
zU|$fdpr}|LAdl4C-aq!TJ+^4vM&4cre*FC|k1yu9`F=##U?3s3|46%uC=42tXq~jw
z_+G}2ZnMI(Mt`XFpc7crX)F+?kyw2AYm$#_)D|aFSp>hh+lY_boDX%Iv74(|%S6;g
zLC@2Fd|7OKf}lKZt6s-r|ElckugO)*>#KVke0~QfN!OJzF6OmPUtPG?!aJ+F%5O68
zkXWcp_iuE&QOER*`;uK2K-TK#VmV&O<SSGQPwjN{`qv#sVPX#J=C6P9(I{hK$tgM(
zRcan-1qa3a`m{sE&oWjjAeiP0*a$IRdjH0UX80KiH=S?e(xxZZy1XhaA-l(;#UR22
z^BI`iT+&i->KtkTU@-9{`@JqL3S{_Eo?;Ar8g#ZDbNyWuU;6iZoCbK*i>D8JNrOdA
zp~oj5)>nr0anG~Aa=(}+z-d2Gh#@+BaowE#!e}`ei*xN{POzB}!srsV>q%rDE1DFk
zlgaLJcVQbM-gRZ6Ouu0`98xUV6zpdczNYs3LL@NR`{nx;*6}9JsUdt!Xgy^`UZ~lo
z4*Xh0BB)pTsA7P3UqgzheZloA{%+9U6ClHo@cCk!!nq*(4fsJ2Z+l5jxvN2@h}|YU
z1D(-UXDW`#r5heMT|Nz~43EaaCr<cil7NY;cu<X19F+*QlC#UdW-q3`d(-Mhy<aD{
zEWd6~#t|b-t7^?q@gah}|N4jBJm`$LV0J+8Soq^!RF;OcQF|Us6iGDoGJlK14+EqX
zD@`JUwsWueCv4Uy8f{P)Mr5HG6HGlFFWQ^8b9Q+@io^1*?l=A%q!;m${EfE`PUHh@
zXQr(xOlQiE-J28HaESaq!7g>d6Z&Fo8Yi536gIFSVLzU{3kqXDct<|0?tDRxP3(7L
z`xCX|`HI-|lh+MoaH!X>Su6oTcBU!$Nq~Kp#`}u!^-~RH6Z*t3cJ^{L*^*t$!jcTT
z0_#KR!XN<e_v*u%B)*5W%*-k*FyJX#KXy@%#`jNes`vUNT83_1J}G*hnO=~?UfpX}
zJ%u=HMjQ!0+xwGa>bq25I}Hx^8C;gjeXTyF3HdJXRXl=B<vvifVDad{!7)RhUdI`d
zbU}3AJ=u@P`iC)W_v!F_i-L%h6~fKGJU?58H%m@X_8Fd)++o*}HuA^NWE;EwYUlDx
z6c|Byu0-C+r|zfTaitJcU2(UUv%Q5MI)~<!;;O<tpf2t3aLzuEr^lr>jNwSu3RJOg
z;w6$z-C)dlkV<2UJ<7kF0U}xyV)zJhytWI2B*TI5@p`OxAaW|mi+6k|JxpKr!>v%V
zY#(Kq{kn|(n4hIpPeeYisy?st9BxEPMILLjFmtL1Tt+K=HO}x7Z~WU80qfZl-dn;R
z9?ED1-YW~=rUN0>PL-5m`<pGWTlF6{{)V&hsxY)V;Ae-0_>%DH*KjPnY^Rm(V-XVi
zx_gw1!BCwGbxf_`Io!PwxnI;?KEq4d_dnA1zZ3@0-w6O+?S1y3t_VRjDwi{?l7P6_
z&--xZf(vU*UvTk=ZAF50Q1AVLK>*rDcV(1+$EgSG0}O~yFgjS0E_)Em61OTby4S9U
z0BwNy?h9*r`4$7%J(o*e{>44d$e_I^7lifo`iQNJb4ez9a=VCOb|N+Q_37ySIUh2>
z5;$M5@MQ9?0FwAOsd1Fn<>|Z4bB*nYzh(5^&&6wSS<HR87ynoe%MaBr>d<IiAB#G#
ze_&maj#arq#WkO0)@M<5>MuF_rVc=W;`t1$9PjtrBumf7L5X-#3=FA0Kg)pUuZsdo
zNq4v=?e)~{%VGoiYsQ-y+c|EiLj2eB@?Kawp*YD?W0Zb+_}LM9UXvG!J%13wyj9YB
z<hS^xiKI2tpx^6m=+|V%BD^|c!r^tjO$pJOpYu1~zx}=nbCHf<@Y9wBJa$9#cZc1}
z6Su>$)EMP)r5~YQ6K#NRm4|Qn^>R+u(n<l(lFU6V2{v@6UZ<F?_yCi@&bewWcRx&h
z1mBzMiehN@ezlk%<(j~Cu*dobMSghc?db~xxPJ80+ryt5g9CDfXl%Gi6N(3@1{stp
zigxq{ORQ5wol4I%%tMoN+}$H6hZiB}oCBWw)f7CLUKz2RSrNL&X~tq(l;p^_^M?Fj
z{&n{17ajm^S9na8-MKFt#L$|uCCB*_bH^e!h>HVYsF6YYP2*OO-qn6c2kNt$;N1@4
zTp)<M14gPvd1|@K85yU3e_kL;pb@wt`^0~MX`9Yih|nL4Yq!{!r0=!z%7cY1?@!>o
z!>2G1^OG)*LwpJ_EfjHXxtJTFgm~Vh;`iVH{>0DQ5sygkaGnf{Lzerbi&)aR?y00N
zwA)J$D)#PV{^DVw!~A^jwIU{#Br|I6)t<CMp_W7Ubi0pWROM|ihnE$<C%v~W1r<q?
zXZtu~h2hnso*mwoeaEA(qe?@}WO|0uTUk2P^M2oh-_I&E+j67fG#Pksn;^1nYaf|5
zLLa(88}?+6%QvbFULElSDvlpl5MT!sByTfavwX77a7M5{mdaWy2xSSd5yQeT2(XG5
zT_w&H;+synJKGOZl$vK=gcFRC|7FlnGv|O-+E<0DvvI@Pyk`n~fd>#U2k#bMloC)h
zcnY0;>axJBhc^kgP1yd=dp_sttcf05Itp^VM+$F0%;fK1o5xHlm59B%h)p5;7Cg0y
zcb#_M3W<S@&#AalE8fS(o!O7&Lsym2i#{x`(677DI2{W<k96g8%pp3ylP<1^`S0U7
zQL5|raEVxqCRtBoxN7qK>Xeo9qV7h?1*`Ni%Nb$qnd*%fN8gTf6kI0}EnpLNMUSsC
zmf3xNXX9d#J&nm6o*m8?uy{iyITOoaY8GPVjWdukhG7cMm!?j~H7Mo%tQ^uf1Bz*|
z9`JmB?DyR5R;P(l@8@c|qKUYd2G~4%6^YdywTlvPw|>fgW!CHrO{nQxyCgLHHs%0U
zRENhb2HE;fLb)&Bm-t2E1tbz>5^!@w%{wyNejPQOP?(g~+Qm)3fx>?hhPoCT*E(u(
zgk6O{FJ=DA9gC2Akp65TW_wE>b9=+9>$u&(N;cDEy<OK5Yc=c&yTs^Qm?JO{gIs15
z8CeiO@h|vQ;I8psHX$nIct<kuvw<ysk1kC=$&&#Kq^Owg?HtqF;`8FZcl1JHZf7|o
zGetE`3K#GS?>?e4UiViBdC9Wfc;E?B0%z>6e6Z(lDSpnyusH6g%>Eg#+x@~iC3;{!
z<&5oBe?pK7&?WD~8hK!E3_yC<^9tt#sJ5oxqzBVN6L7bAjb1*Ozos@t;-MYd+o!pH
z@$bA8(oGK+O=+9`-!TgsQNINJ)EE$2<PQ+m;YD*_<#Z2*rFUGBN@s-{W=o^@16v=L
z?fV4|uHds<mgV9HwGhAg%daMMCyn*H+iVuJm%XUVan|;wg#mzfGz!>vE--ig<{TBq
zF2$&4UCY9Rl0V4_)xQIFE$n2hr`Er7^xTsS_XAbc9w2nk7Rll(AI|aM@;7u9$hUNJ
zQcBTgU>lCuVEC=|nN?BUeBbc51K%{~{ox}C(E>Qdw?ot%!p}2UANH{{eqat9VVmGH
z4{OaXVz!D;%hp<<qJxAxyUBAkK4cIY=g&q!1R>z1bRfg<f9<pOH|gQ17oyXA`B4s`
zc_n>@<%^?syTod)2s|1dv<HL4<Kf+Epi3f+kMzY8_jUWV+*>eG-HYJoJWezZkzotU
zh>zirdVizkL>SKN#-em@i5YO4{`I<;zf&4L*H2F0&rkC)2f-FK?*4i?&v(x06!0Bg
z!9S$X@mS#J%Id-;5hImZx!bGqr7D+pd@GX|{@qB@@%;2075pGb2*gw5Jf|B5ZO<1;
z6u+qJMHEUrK#{npdCTF!Cj5BBKmx1X&N30-kEh=V=+1Yq<(Li6Le^Hq;H$*fWvB~-
zX}pVVKUgKC@e5=Bg#zMs@f-_x*nZQ`Xrcf>=Y^%YiUEf~Kv|x9zi(czZm-yXjYjP@
zL%<36eUIWbmk-Tteq)Jw5)`IB9?bhw#^>0rnbjqKEUHpXPbf9AMGFo9Zk=Z5c#niE
zY~c;9?p!yA_mA3<|E*x|WlZ*6n+G{G!rlLa%YN?O+jEcp%DqeYbjkQ4q-lcEMDRfn
z!y&h+>x|RU&Tg_>%khAGe&2l4!w13sHDJntTo4<;<=MjQxw!3>H-xP4Sg_G8ZAaZW
zJIW!1QS{G4S)l!tGgr=M^dI?&C{Ia8CMOt1gkTA!7y2iSlc&NdGpG0Ocoov9<Q=y$
zqvrWtw1(kKj6b}RElJ)mGrdh@@L<!L&pOEyD(|AFf%5J4xQUVAAmJ?fUjLzxOY#dU
zXBlqoRXm<kA*OE2*Ll0^EUE5Ad>=6Qj9*HL^7kVT{NYG9Dpek{Lo@MrNR$atc;ME)
zOX|lW76L$z0W1ApDEiqRBQ|5T1S%_d>3uHi;>tdID8r2@b$F6J6X70zaR^f+@iSVU
za6-%|0TWL5+_a!$mzyb)Kt-)fVkG5_T!rgdy#l53<?g?)c@K_!zC5zet6!Rhcg<YB
z%SMZ-eWhMZd_t)><@ftw^#@Rf)2$Wc>q5XENKiq@mGj6<r})cN#HyChhSi*l_`M-r
zC%=(DRa>EUyalUf|BP!C#Z|2(@&v3*3mhz5=)B59y<Ke^r&z8Dzh!n@wHr7XYXwHe
z<><~z{DjK-LGU>`{+F!)E#7!mK&Qg7m9NVLrA@wOE&Hb!Dz&_=v-7DaaF46)AA4^C
z@5))%jkkR(0t(imh~iR8%ci%^WM-0yigYH)WG35WCX-|)B9P3M$u`L>nI!OPTPTZy
zf*^}n-U=$Hpt8P*;EM_r7qGI6fPf;1iYNjq@bUkBa?ZIu_ukWmQkME}Kd0xOOlE!N
zd4Buv`(2?Pr9TWho}@4ILJqjCgJKbNYv!8kb*yTxU;}_^?GFb7MJ)g}rM%t@1Fu|N
zFVK+6*k(>;xa}m_=Naa1eVm~+gC~-Dth#wYDq6bD+5=<ZM}a7rOsVf0nm<7A0~&P}
zLd1I6wrF=ZnzNHd)-JXI^Q8F8ZiUEuwj5}?{?bB?h7#=Js$j?hu$HQe5l~{qotcT!
zY-aa?zqpC3?Mb@<lz}<ARq9-03?TjPB97`a8a?;bmPuAfLLwTj){3WM7l8sh<dSAQ
zK~a-cR6q#sp?a@|+OQ#;2&+6Q9Sd-{${>tECmJX+(5le{dv2ZD$>1wASrCU50nwiM
zsO2xX-31df<1&EiCSeu@8>$Px4$REMy4fKr)+`fi0!-*+8IL<;>UI}J{I<4yu@w*2
zr5(l6+p4K9K?m-3{OZU9K-;2jwfIt}8;A8pZL~%r1%zQfn^SmY(nZ#RNleLUwW*LR
zazOAeYp_d2ZceW!Aj1*SS6eL>HsfACoe$PF*A{z7GV}^#3)L)EBSi|VKPFx=?ocX5
z*<|2SNr_$IQxdi{M%9>IgUj?j*FecokTK=r)Un2eg0-Fu6?ZLFT19@))l1csoW(<>
zd=?bea*-G|&Jx(qxEn$3dMos9_9CJHdO#<4^4S_FPF%tXt0<1wHCiFOXHvNy`N&h1
z(IzJ}^HJWL7yNlCb}0Z9d9<gCUcNb41yW(xV(T<L&086QypYsrfJL7)73Bdo434_#
zsL-DKd@Gu=sHzbh&)dVF*Zp|__MV(=`CTXCC(3LBECUsNdfQCjW0%jTNX#;7KFYD;
zSSeHMK+dMLQ3WJM%TU4wVWgW12v|w8!LUS4HhG`XsSe7%0~G!x%OMpNM;h@Z(sYp<
zbh8v>Awi%b$-AgFHDBvH`mC|6jg}(6Fg&;hVABM441(e7xC~m`hDc}ia+Bi=R6?AX
zAjhvz3V^Um4R}YTcDdM%m061?R!Vs-g+jlxnr?H>ctqf0XS<e*NL<lt>k_}B{Hezf
zJ93-v#U)4NCukdQZ&lM=*W2YXn2tAfqvWL(Wivp{kl&bURX0lL=G?7KVZ1almRXPT
zrKT#-hSdb3c(np*qIt~CI_9Ed2f8vDEJK)fY+LRu=m7jZYzhc3L=+W6QP4{w40ob5
zpq&;qu8yYT9sE8qkES}K+~Vi?dEQzTDPk<S0z7)o=(p*b-^WZ4rL2ssPO|KvyU%Em
z*+izO*xYI}zOhG4tA$9IE1RhWQma|JIJV_(xt(;Q#dZ@5WxMILgJv&>PP84H-?@$E
zM3aCyKM?|O;3dS&9p`z(V#eJ<Zw+WK3KiKyBZ$Vm2}Mk!MssepBDje93J!2ww6peL
zT;z-tnW(wC&G9pR=?vRE_(b4AF(3e>)d94lskIV^$eMvzR8~%>y44CQ@2lpBZo82=
z%ln2?7R>n&<vIFLBM*gfCcoF{S%L*6=3%<RRKu?U(CUcCv93r<wjFyppt0s#l|?ot
z%SsVi=s(E}qgbnh{937aYV4*(%kgAO_VlTda2fLI`>1z*zCz5tfu^@k!ZO48%3S9J
zp}pL*lX79C`6jYSE!ZowQWpgSyLcYAfm=|E1y~bA$7bwmly=u*hg#;H&PHrTdTt6|
zWfaUAwnfxSF!ZLQxRIanWc*+~1E$8$Ck-HhrV|v9gXz1WgX&<6Nc$|T)yY}6flkeg
zp_aA{*RQBjGH#8jf>7O#ZC8Q&QUWGmv%=N$Gh#@BdIi7vlBM?fq|wQm)q?0pjgC93
z*G#RSBq$P|l+}XaC6X=F#U4^>+Pd0UIa+ZXqDhTwth1CGBgrI9ZBQwW#7s*O={712
zSaVu{bTzt~7cT4&$!qloTZ>Zn!kZc}n!8oyQP4CY{?Pz8w-k0#MHL*nb?Q2JN`;&U
zNb{LFZ;f=lV*tZ=2Ox2eSq;@~Yfy&y;5C63H}>4FtO2Q@PzI{KjCLyn-9jK>cP$Y>
zu?jKx0GWv!z)!og-T^JnS-^t>6OPVSbWKCzqow!Px{IdAQq`bA(OY%^`khLG*F>j;
zo$o~6WY!MZN|~D~l|mO1f3jx6mS;LBUr%GEnD>3XJzY%qRGGLUjhb9}S^>=TY>VDB
z%b8njLYIdWP+b7ZOjrhK-7XE=-G~~@4Gs`lxe<u0%U}=HB3Rf-2f__Fs=5a<VXIP6
z`{+0gT6Lj>DvUu7F*{^@vKk6wa$CMh1*%TF^(9K;__{g*gE=>$5KJ9{ZLy>6?Q}dn
zlWp>$$IQG<gXd#(V-<S~S)DG!poMN7+us6rFsah3ExmKffOSCiKsziI4FywzEG!8i
z8M0iLyk_Fe6Mmjl*=eh;54);9K^Q4F3R`JAX>37j-}e@qwms_uwZ`VbchjSaV=l;#
zYkjFj6jP2bE~f?E>mbwH3brIz5}4AI8<IvnZ$Md5GHjsBMmAfk+>QeB685k|#xCgK
zJz!dmnpqYHhTB*WBo$F(d3wsF#eHrl6rAd)D#K4;wUJ;ItcGvzWdL@RIlfY&Xro|A
z6_E-H?LM+B4CXeIwLF)WD=LJASP$ggFeySyn>(_qq6(T;LvIR%;d+8c8VAV~{x1+2
z*(wUo7G3l$wkvT_(__Y|m)pFyMyXr5Wf+b&8V><ZW~|+1>Q+6sX-vXmc>?C@*4U2*
zX>JLW4~J)Y4a6{wD4l8m)&hS_-%z^{akGp8uj5*<D(x^otXBn}m<63`G<B6k<SRZs
z;flWGY&<`!=i$gKH;am>^fYC;^7+MlS}~^#Q}vB_S_rh746xH&b6f&@YSo&^;~e78
zqZHWLWO1yfBKj2phF&$AI&!`uRrP#EW=o}LgOW4ifz<g%Wi+;?y{=d@<(yj|Erp~K
zYcZGv7>Kr@7?};Z1m{{xG^tmLEJ0hRvteLr)p0n;*rB>2eld9lRKS;K)e%TEmiCNZ
z&F7M5bv=Kmv^&WVB{0ph?0b6-vyfj;3@Z>@-6-m;DNXO7sKTmDceC!WgY4>T4RTBy
zb{e9lVO(-6Cb&j;2|@?lDJ*bB=B1U}*|m`m?W;Z~4jX6(pCD?+ut2CP@<bH!q=-Xw
z#ax|534XrRXSJ}wuQ&$P?dUGkH$5q(OZ7Pl(o`etGvKe#3oULRUP0(*kpw7S81@wd
zjcSu6!*p0r02WY>Ekz_Q3|e=6+A3Ja#8_-9)%kd*S&<Yl?MAqoIPxmr_Z3B)RDcr`
zv~wMV<0P^smexX?4XA3A5^rnK$|GgfnTig+7VM>%j#~qss0vr*3c$_O*U1=+(*QFg
zd($+aaq&k$?KIXz*_Q(j$%-6g)efkhK*@o#;HS{WKD9|x)SA%-l=F(kr@B7x$)i3w
zH6-+iHw)F=8vLZII<w8Ux8jPM8HPB)-i0ZNjA|?08!tmZk`Cvk&Ui5Dw+u8O%_66V
zKtFgZl~jQCu)GqeNA#Mf+ihm4$pDG(XRaGgKz>kye*!{7p+!Pw(rlUQx1D*vqKsRq
zvThbib9u{jp}9A_VP+JTSidYUsB)^d;@Sr39zAZ?8d1lg(Cgb-r|_dUWU1IqF7v>=
zY4>fR>mklup4S9BAEwRT+HUk$&ZJYC7cDK{ED5}@X>=HXHfaMUn5N`5@PA`7nW4kC
z3=;(*+zQ_h<~|9`s7$91Qis~0>GyUMOAdGdDJzPi^BxHp@Nhg47pzh+9dmP9>o<B{
zLg_QL)*Y!@ybeGj1IDYO3^wKb0I^t3Yc0178nCvzEuT(Vfk@nBOXD{&^SKTn0mRt`
zR!c<?)||-=M`O2;SA=PS8x#;+*t+s&go~zZR%^RJer)d$z{Q4Q$sOm>4Xc4lQyq{v
zr8r)8V=$WmL4MWQmD!Cz*GyN@?6hoE(V$Tph5|Yl#qD~m%DoEMRP@q(XywbLWLKZh
z^g5V%z`uao+Afjl0|LjOpVL)}w-=0SP!=QB=}pNk<_!SD!Io{VCo1Qt>u%ay0#*&A
z<m$NNDnYqxh$wvB8Yry-_=K?Y<)l_&l0ibX451#CWjTyYP0p3(R@~2*szZeV!nW79
zM|wJ*1{JPHAsoR2Y<;_q;)+8_0F#}w)tysRN_~Cb7rg1CRiu;_mg90IucyIoy4ZM#
zY0Wwna}jVQzEskIg%6=6`f0zO=Xn7Q$FpVt426=w8t#%Tr;wxSe12z8{kSC+%T*Sv
zJU;l#gIp4*{Fa)tSRw61n3RZt*G9#KN?yiTpJq$nN9}ntS^{^i#5(o}Se5vySoY@V
zeB7-33P@}l8L^=!z`9D9c5WUjN}sp3C_xHTd&Lx5uo_eo10HKtUYDEUj?OXh#*U37
zQh~|rGH9vh=0x%?>M*I-4Zr~w#b$xm3LdI&!3iLEwpA~wA=@+Zpyd!frLg2m29Ycs
zzF7=B$xd57s0+F>5=)9Flv^XjWM)9=13-?{iQ7Fgr(={RRcG6TiM9oO&NoG0?IU_L
z7aF3l*$Ugd&u(mGTW1*yB|8AkUQ(#UXM977Q4m_6&?Yry6<4k|1@M4N?KF$iG+S=y
za=t2PT-OG~9Ln}r;xZQnS!@VwtA$<*&=QIb;-zI>v#y8n2>d_Ewh&i$X;Fs-TWA9O
z!%XF6qtE~*!nO<)24On`f&y8{d7I+Fs|uj)sa4rR^kN$~0B&DHT<aPuG%K@O4r#od
zXJ^x*#)i8D)H~zdA}+^luc!OIrkWvazeJmMT~)RtQ|T`zV;RB|IJHJc8w0|K)IA}F
znmB$1<<Gvk^?d->EtY^_5I5yQbzJkkZ6(vXE?1&eRg_(x!H61c2EMBhxMZUZGu=cA
z&@G)+em6Dc%|hqg2z+aTvgy>C-KGibT{Wi5T_rR?bvQFuHAx$mhK1FxIz+0kSM-Cp
z6zH>^R1hWwaX4Jl>=L++t4%N8&Mg#uSOc=~cG({QzfWh)<wWajCv(b=!&(_p8uX=;
z3{K!@{3?`^QfjQosF(ERE*54~Czn7tCZS*sSBo0hD3)LtRHk66vB53EfGe<(O-GXj
z+X6J`XjxHZeY3Dkz?QG$q*@2VySx?SK~5fXAbIum%$rum!mj34K%!Fe1$)R417V!o
z&4+qX8LSE_0M3&dZP%dRl$Fba%5OB-menP*aQf!J%7S7;jVLCs&bzunQL(%8n#vSs
zksvhph(vjHS;NQma$uCH5t|LrGF4~+x7FVi$B0hr=?rlv6nL))%&zF{y9_4~P;Jd<
zhy$gNk^m0o1%89%k(WhgJ=>=zuz@rUh*JcRC0_=V=Bg+pnpuxT;3B6BsYI3+LdNXU
z+w2J|D@Ho$bJKPM+q;PQrf@f!(G;a`MCmWg)jaJsi3stB3l=tuNuj~1CKhT3Ikpmt
zi$P7(Dw&*E1;Ac}Jv};vLxh`y8n5<qF_4XiM0uc!aObpyO(I6ZJb-VEDgoqaleCcs
zzv(Wte3c$YU9KuJ`>dU|LGea8o=>uM1+=3sMY~!t8+ul{2$48cx`|cxO)AYzhoebE
z23Q_~^wd)L9>_6EVz$Un=Y<rc171;alxk!kazEV%vMQ$AN;W-5>~R=MVpH3VjS`9U
zxR1;^NV*9skrZ?dmFP}~YTHT}s?J6pb^+GeUDr_95^mA_NY+bnU{@g1Eq>^<`%YjL
zTbm*u)=NSlg3ooW^>^q}78!1cdJqO-o9&dcHse|1L}1uv=Vc~T1-0DRsZxko5n>CH
zqzaWBN+3F=%vu&ulY^ds<+ef@1))>*fXHInxNbfLll6Q_(gNx*XB0LiyT#}8D$8e!
zo#v}#pADc=IJr94<z?h8=S_WS5K=(Nq46uSOU(ukjwC6M>VYX!2JZw5HUPUk6kH>z
z<r_<L5?7#A21b_z`1x@c5Zeq_S=H^8A%^HwL6^(`P>mijO?JTSltEJ(bhg=C5UZ9D
zwvtLO8=!oro}c^LW;D(=>c}efWwBDK;x*QLGlbQgQdUEi#%NWfmorp{RuMwM<v{re
zBD!^|$y;H=^3~~ThuNI#i<>^IV+k=Vc{h@o^~6Q+9Q)UD^So{j%4;@Bn-O|%*}V~t
zVj{q<*id81-19Mtt&oD>nl<CrU`FT?(55$tC+mL0UaI3QxC+Q@osOBH13=M*35w>B
z3%DxQtjJ<sAX8+)2AvvnI_JbQ-T@a$xm_dJ4c3fzA?Bz82b*aKV18Bs)#Oq`M-edQ
z<XAO%05*85$}XFYqLtKJZg;Yo&FT{~kfpk`sFjTMW;;q7oKtG#Q8eUk`U6~2ObuTv
zfw*AOH#=U3TgXd?DVkf2Dx(<{e5&j&+iVS487<5Ct}B^pnV-lZS-1^tmn&CFA)cvg
zO_2_=&{}C$R_m3g4dNJGBpbKU8WpsxJS#2eY}s86DlIf}hNdDhVOQU5#=^u|=B!fC
zUC3U=5SCLI8EqN-J40o?4`G>IrZ=6X^Q5Cs%ao(kSB*wF?l&sdpdlAGHHY;PdQoVn
zAtDJpUqlhL66_KH;z#K81(S_p&ZPc^<pykfH}olDd>B<@W_gk{pmym@0z4F+fZ2Ac
zBiV17U~)zIW@9-K(k4~v*BOI|)MW3e?EL21suAT^+q%dXs4->EfEHah6Q5!yfXIMY
zl|Vw^I<5%h%Z|<4%9=630z00h!x7C_fW{Ojo>BtsZB&veH7m6dvjZY%j}z0dBM8HM
z&6Lmxx!D0F#zSB9Y+p@42E4Y04<hd9sb=6`B0Pagx2&RyWsTHEM+tNNW&-|}n2`Z`
z3YH3IWq`|JHUa`2y(xf$ou-&#X!c=I8>0cJZi*`n<%3>z&`BB9AJ&TchyvhB6qgb1
zBDP!XH`cR`T%8o@O=C9Az|zp?qrld|qQ=`pZS9-g^1Lhda+?*eq_rZBDYmLj#c^t2
zYL*KFBM$_70D-`R@7T$Jm)oV{pp3GzRy-c`MkCl+;Gy3^SEqKAqNh!FCTzXc0&7WL
zR~zj@WN+9CsMmD}=t>uSq3BCrGD(qR%E=5czl%CRvWiP!i&^Drbu&Pw5WP%94B=j^
zb*)y0UKhDSl1`u%T&~;Xiu0rmnm}qqi9WT#b4nEwGY?aMQCj#z@pBZ#1=}>Bnk6~j
zv4YqwjK=_#?y#6ZK$XuJBoPGK3;hMj5J<Bv2d*!WpQ`JoR5hHIOh*Pf!Ej}S-}|dE
z%?%xYuB^J_L`LWZ?J(H{UoNED*s|?(nT;*Mh!`2kEQv!KFmYZ4HkeFG-ApQXgWPfk
z;{yklbCgV?y>L|8Lc0f*zUp<jc<G><VE~;2LVIx>inuo=kGKQF%F9(U4cJCSsFccU
z%CToLQo{3%qa|vtn2_iJU8qt$)rL_V7sh0!P3Jr!rqa?71lFGDxo(6w=(5;iTDIRP
zabS21TZV3fn4@FP%vq^CvVGv?6?9`rGu4r)HZ(=`h#A*NB7IDBUOuLP`pq(IdF6-o
zzPXi~id4|>jZF<b2PpF5%q^0kX*P0AYU5{$u7YblAM-OqwdlEkmaY<(RS=+!an%zl
zm8P4Uk92Op2SH99G%}${k6Ui1tK}(S#SU<)8qh=Lc2AyARuyIXgKpW~l!6ufFqgtQ
z>%{$mUjyyLqH3{xg$fGlq+JxI8#&B`9^aDud>yPS{Y_Kog3n;aDLaNi2YpUJlNN|R
zMzy&o`XgUJFM4hjhdxsW?Dm4Ex7M&s@)J@S=-?e56gd%Ln-=FKK>M3HB}U{t7CnBj
zEMQu*9oL_gvUPdhGE^_n$_g6aOJR{#?W|g=hdUT2?lzETqwNlSS4=G`2YR2F`<_AN
zfIlQ!fS@cGWI|bCBPb6GF~^lE699j%yDMUuO(RV}>LDFK1BorZuaf!YXWdD&o~y^k
zc$16r?e=bsa~9<Wpb@a93R*iHH>+-nG#n_}GjrY8x@@!MwSjNqSREpaU_fp7Y6Nh1
z*y_|0JUzrvo8^`DcI|1#5>(?us;ryiVVbvLc^gj65SW!voslre0@kFsQwB3;xn#Xf
zI3gA}e$=p1n31T)48?`{bkRnuX?ryWK@b|{XP_#8UtjLf10|#z^F=AlRm`l7;#RR+
zGwID-$fYYhAE3U19zay|q?40r8t!bp*f00WvvfECVZA;nc-SeN!SfHhW(~L(^$8_$
zA|F<ArB;BHx)pfybujDgP!N|*gW<XpfZUk22E>TiX^m+|6p<rCVlI-vx4}eOYtr`F
zk*`F~WDgjQB_@mkYS{tC3<nW8(fTPN%9a=w<ioWh!)30Vq8)!VB*Bj+GXpAD8wuN@
zjVKc+UWsrqqn?o8)(rSW^*ooR{gvFP7e%QNv1MB55^10TJ1h2DWX_Mm@rD8(Em*FQ
zKpp@uaJHL=WIPZEQPQ@>OesAsi;F(gD7UD)OMfyz`OJDkPbN~*0Ip0r%oHFj?}lbN
zkuV?2bJ>g9V4W^<E`Unww4i1{bjg-Ut+DehYd#m&ZLK1Ql?tlv5Tx4fCJdY+B#^T~
ze#dr1#E^4SH`F3yQ6r<S=@#$rxp#8522AoiwgEufVx-BWo~_KJQm==c<n%ywG-<`V
zD)61`K-#qcJtgx^VA7F#U&$QpMw8;I6tAi<n9<QSuh*MgTuLV`ztt<O@t&lCF4e=B
z2BbtVnuP71+U=!4Ab0$9RkXlN(c#Ftaq6HrqZo$)W5NW;dctfoo&blkY@lpzY|WSe
zsHmM5?}~adHfIGFlu%W%j_xxYOtfAEo`=jay@J#y@0Sj2<h{#Ljx19L1rohfqb0g3
z5Jj^v0&b@i);W{7pz3y7pDdB*p2__N#IZDPl~Zj-ml5I1Ay@%s(-Bc;UJdz>G<Ir>
z+;mCvGnB8$^OBxA=}>QTF6^Pr(pk6rljfk2-+^4K(gOE5Nr7hlRbv`aBu2)PGZl&@
zcr_wu^-K`51Updl(M!*jnnWB+M!jPqYDS@NU!jm{ngj^&NMTRqyS}%8C)$-&wKZ6E
zdn2_<HT!~Y7bIg09PU^Xt4xs1la|ovPK}1a5VNV$Vx;k6Jqo*>epwHZNp?_Gw~3o|
zVb)EM4qouZl9^!7o(!(2X}p>4!7`j$5itDV-Cdh2${g<SGGwkv_UqIH%aLi$raeg9
z{Myb<L&S_gP2HcTQ}jRQvVt*1S9fW^bhgWBiT9x>hd~|{qV%?{cNdA0+1ZM#a%HK$
z0r}vzv_p)qk*-mIVWQuwxG(p$Csrk=)#enDMfe$Vlg(&e-K1GHZN{`q#dWzP@fBPf
z^BcdU6-a9gx?6Y3a+$m|aU!8yNN&^GC~H@jHPb?{fd>8!zDm8$7OpyY86kv=C6!nn
zdOQ>qU1VK?rNxnX<<PwbqH|3K+OO>^^;Tt8Eh)Vzqi#r2lP!6PTW#&E&7QHBz|Kld
zE19~%$_1e#RpcT+2gt+T06^?DqSV`ct{aUEfv+tEy1$Hf7BBlrab$@QB+{z4X{Mm<
z)f@xZu-QIBuja7U#7Zhv0RY!YQ{)we(mLuaiApPEAW+AQ7xj%Y+5jVDI}5^14w25T
zlWXj3(8yGEKSG%{gEV@v(gUkXWw@M+HM_&vOTLJ%r>NR>xG~*9OBg?sv~HitTapnc
zirv+5X1~o3ea%}f=>CcUQhu#YryyrdD+x#hAV|v74KNeY^#k!I4q7W^*UAB!rcr1w
z)RG=n5b4d=vxO=%i0jiCm1}hig%P>uZFOrq#KVjAY^qo6Ih&8#QlF{SI*hzkdv<v)
zZdHKX%@I0VLDRbR1&MYl3usDF&vZ8Sp%2SK%j6al@ak|}b<vP@J1Dg2u1wE%(Zco>
z#w!zLNvADN9#(Vc3?}ay^?N!v2v@zWz)5~>8}*WX%c<>*hs9nSVeAcWn{|2BGk5j6
zUe^np?X0FVS=ril)V0mPG@BN9_=YQwFH0^4c$sZWn{mEctuRWjvrg*cv}l6xZ?^L_
z6c-mkp#+G%y#ZRVRd2?OB-|JhSXH!2qJy<nAIS7_j)GX=+V28zlProk$Z1h=Lc3{i
zv2Rn>wzZhz>K<6UDmAY$%?iRwp8-0+z%yEFWTi@*u<do+%3RHWh=r|l)OLYKEh@U2
zX*UN0u~9G7!d)Y;uxRp_HVf$P+=;c!YXVAt0>0Fm&Mitz$PLlt)$fePT{nk*sbWuw
z1l_T7%N7UJaCQPzeSIu9wrIBFw&6IxiiiXYvcAnwOk)6&2*ief-#6Nd-K9HNRDowy
zaOXpJy+&9>N$ZXk+oQ7F-S*0ZsNM672H!|mm4e)v3mtdoW^5CfgPE}veY+aRk|9cB
zwYTyCs%Pj#yCB50gK0DZM&t%BRb0s2wAFVsd)<jzn%{Jb6nYGEy_U!fOn*`vg5r8)
zSEQQS7Ok9~n?(LRbjirgnO1q+>NH8@#||^L?^t5PN?BY)nZyN0>`H1bS<4zHYyc5C
zv#l*6R;{_x$jSkBpQr0p&7{<}J1fD<iE6?&P;=dcL!gBRU~#IfMln5^1FC;Qlv0=S
zy0#ScN7Jq`N13K))kY)M-awp&ZAlgLMdH2ShxS(@h$HjEe8|keA(aBYb2`fp(k5CQ
zDn+JLm`gy%ZKl+!otZ?xp%rdwr>nVNSa;US*dSEZqR=Q&@*=Dk`8p9N_}Pq55h&-!
z0a*=G-r#ogF`&!H8IVSDrij8Ab!b|pS=vxQ80a}bbYnvw0D_GwQpu`0uvdfOTpb!d
zQt19PZPnn+iLj!Frreuxo3$_VVJF-YB1C|0rKG57TyG=4<Tq^;zsz>3N`wA{>(OXY
zC(e5!uR!_c?O8r)3pHR1*3@@}s=5eR-|sLevzDzz%|tzTL2Lw@(KN_p*Z>lU{Loa@
ztLEcjsoSCk#<H2#*KIWSk=!YQe~T619ammaHMQofo`o$E@fqmEOW2yeVr&838U~qT
z)OKxZRuYY+q3PV5LVG@Tu^MX)c9%uXVi<~|9v650n$$&VWNdZU+kF-f-S6Wrc&X-w
zHrSZ#HsHIm02<EGxFZq`rXv<BF<Q53wzfV!?d!4CY_hsGS?W$+@->z*+F0UvHB!n~
z2>OQYReP!~mhx$mbGrGgVz~kOD}#|asib5QskNFQ_l9OqD`dXX*1b{*Xj&@FIdQ)3
z1!64EKnsGtCquN_!m`N%OM4|sNNRH^9iG<^zvu^IU1}&`k<<<Fg{doY3$d0<?N$Ou
z(Wyi}QFNOK*sJ*0tch-#uO{(o2Xr)kR~BdORR`SQ00FFGq{O@?i4mn(DC)>{2XZ^F
zMBZ+0(_t~}sO2PqNdYw0P~>A2Nx?o5)3R!|8yz3228&`2PUjAkJ-W!JG+nbYsy583
zL~(XfRuB?o!X^NI$>QDGoGyi|hTD~<sB$K+6C4D+xfUw3WWx^<uF$De+;u4dEJzQ~
zP4zbLNhjSfQ|M@eifV9T8k3SrP4Y$`^H!=^Ed$k@^ERax273maso(OOfrUCxaf;$W
zqN$=`Eumn~5pyFpd!j&frmF=Ef#J|F9WKvsqe;3|sU<Nn5V*0DD!|2bn><~!?8JWP
z4JUfFOh=J0s}G1V-mQ~y8!OEgXtttg%B}UNfVO0&N2Xc;*bk@0tXC{(Di&<7#dub8
zWB{1U_sz|834=`RkBakowLV|$ih0zw<UD0M8Lernh_er7W?|YuIS5(xTw(>iolr)_
z2}rssgTSh_YegXOWC7T6N>Ty9abWy&LSHSf5J~S>-RTH*9_|pJgPT$hxTLgS@qKST
z8LtN26<|wX+-E_eDp<YZHjO$R4m-D4Dq5lWlZXRQckVJ(i0vI}7PpN#$V)inE0t=k
zYVc}_7SU9#gHAR95b?N~rIixXv379-&Qeg?%1Pa;)ipOQk4uFRd{z>kyoP!+xhsb7
z93<En4jxVF+x?tf24%-O+D1vsceiy-ta05bI1DFEM#*jAh)W1@V&Lj)X0FpqI$ed}
zrY+ed0%_=J!LYQ&a9b!re!`Z9jcHT?q*yZasK$>gYovMFHO9iuB<&-15Sw4b@xmV!
z;ma#T(Spy&vXCEMBaGQ2=2=*`gvG8FM~>GWb!7AdWc0|;wk^L?2Y9jUcd~%BdD*i8
zsI3l=bSa^9Ei1E3Z(C>%r2yRK6y}bY8`MjAzE*X;U|j1U&*zSeZk4zcD^eHgsuC}c
z)MgG;le$?Pm+MVb{|F)7t95p)7uL}=(cg3doHWR(qzbX=*W05Q)fbix&S;spo0?oN
z&gnRA>gCpY>_jaT0#`z*rl9KAZ0Hhe*9voDqk78-mAYz1yBIgIFz0;)V_HV$<#g9T
z*3sru05w8&!UF{JGOB1%zVB8-C8#@~K(_hixL}gmxIppsf~z2vqdBT$CiZTkm5WN|
zG)1DH7=2@K!C=N(W*eT;4oF(_Ito69LQmV|^X|CcBB?TQ)pO)wF*39%Sw~f(Yhs4h
z>Nz_s&#WDVY!tsCQf=EW@_KQ-Rcz0x)@uFjpatPu=~@6$_Ebk`x$7!WAiH5Z)>_0q
z72COWp3zcjEFr^%4M`&}BP1X?lS*+r)2Cd9>Q51#KB!)FbbPiwK;_hEAz$xCp^2*T
zMUBJ+=5}2cahKL+V)nynbwibA#jd%tsR{~ZJVe8aYQ66BN(Q@<>T%-@O5T!9u0E<~
zq<wx{ugZIn21bb(AKIss)r*9PSCr|-s=9T0abdWsJ18vD++Lyto95UjLnG??z-Y7G
zO{SF~vBY(E7tld-?)S)0xhVM@j|MJC=xsOx{<vM-0@EdImnSS&ZL!U+AQU2w*@v*i
z21iFy9jK9YeZ<XIQ)k<xa$yP{ca`fbtjt(xY|0_n4oaCc?V-qRJM~Fepr31xEgFAV
zC@}z|^Ddod8igb{6^iAWYw`01670o_Cad}ws1hT85~I+l;IClGO$VA5*=W~J46Z@c
z1yvpH#!PP7_GBIKK{zd5X=~J(GaH3k^c!2YF<&-v)EGq=)65)9z-ccp#89nF1yvt_
zwzP;gJSxvsC)%u#C)N(mN+Mygo%WRm>WX1a^4pnR14EEr?^nx6n&eO|0!kv($eUq_
z*DC!c;!O5(uw>Un$WBQ|nH0;Ow$cKFTcX1&zs35O;!3wTsc;2Kq`drQ+(9x}3jm<e
zDXB(ln}uauH=KL%SVw#Upu_sOF_)R0Rx^?r3P|S8X37K4uCdwGK>bSj3`oj>3ly*9
ztdQt^G||F^XV<(msOh;REQm~hQzwZ)x#X;S<6O77mS=TV<x{1McDqr>NR;*zI(efh
zd}XC))pb!yER}OdIB1@fNdnFhq-ragalkKLcyMF|slg}X{;<&84Y`5@t_Hi!u7>Eo
zD9jT&*jSAys1Da?6&02qSHjAXLKt0A>;TYf4J3<2T{lMMzNHd9&N~?gkllsOY)GLa
zw(JyhQ0z`X#1ltZy~<0l^5;YXG?!~YDeM41%PrS^VjohI8SD-jNNPQzQR|GgpvSYW
znYdX$ZcdV#49Hb{v0}5GowTBD2dyD%R#CEML5OIU+sPojjYF$ujsYOK%F;H7O+-B>
zXO_}ea>Xp}X{zh?4IQ{-DIH;PR@JKQiEK0sIMqhl5=9ZXxAwrX1ex4r4Euk+-L&en
z0WIib;xS-rPK^{~PqbPO7AG*d38ON3SP-kV*uh{9)O5Cn*(W+3y}HxVg;OfcMm0Sw
z873#&OQ~S>oH6RM^$u$Blw#1O!6NDkUSkKqn2jViEjEDTBIQs`%~hQ>vxtD@*pZ6G
zLT=QifJRhVJ0L?aKt2%L&BBr}#sNs6>QF%H0Jh6GZ*9AJLC(@zgUJG7Px6_SmDWVV
zRZA-<>)KMu1NN|(7wq~<F>_{Vvm5YnpBhEDb3{G*gM6`5t;pJPk}ziKBK))-Pe?>>
z$}~`Jf-|kRTWzq7G-T4IX&cz|9bfen&1z|CEtpuDf&n9q-=eVWPwR>-@1_hy{D#{^
za@Ov!UEtxac&5!nRuGRft6oV2w6>3$$!@toZ?C?aaDC7;?9nsxMqEgV*|eOa_l%_m
zqt$Yl&iFm&88%NA`TiOZcbSh6lv^Hd*hX$br3nZ!IWgB&P%2pP%;HLKFgbFXMD4mj
zhm@Mr)dZDLv$8Z8ZF*Ur$|+UGDT>`VvO*H$quq`jV&FvEjJTS-#$OS))OlcCdXvo0
z$!cLf*l>#xy=t19LUXb-^QCoh83OfCu8+&vj>B1&RB8t62BZSvJk=;ZZ(Hac8S>g{
zNBO<1q>fwSu;<Jo8v#zKxMcEa*b`!C$+8#KM+EvsY@%mcrb|L6%Wnor0nQ(~tx)2=
zCT;61<+-|p2zeeIll=@;I^}7%J_Z8wpkj<io!BA~2^x}Cnu+0%sWhs)&0^)P!*($v
z7?)y^CK@pF^XtH}B?SpSYXM@DhzJle!8OQy5y1b|TA`&_W3c)K9MQ==eKWJbZ=#QF
zU8hi7SSg{>eo&z|v!<C$rYoUQ?=~PC3P3^7`dwz2H321$Bd1;PZ4}*5$(5<$0wwY_
za6$FD3qJ~1?xvbd*BP0zz#`I7c(;r5jaq&e%Vl#x=Ja|v6;P)a?^3rz?4?S3rVK{#
zrbjy#wM5>MtmZL6wkxeHEjAb1u~96xU@nM&-)Rfp)M%sf2n%e@F3p`~)rK8C6eOoY
zZ#Pp;Y<OEOzw~y~4iS7}ZX_vFAZeSqN!7Bl7**>+5V>1m{V(TbX}3lj4I699sIr)>
z70@F#1#e8NSsVIV8kvZGbi<}oamwg1-frul3-o9Gb-q{v_y&iD=**9s<Skbhf)+G~
z%Zjfx`}H|hrPgq|0jVxi;M-~AWaxB6(Og?^n}~Ci-Gwm$R;NG&b8g0Vcyz$pTCXh+
z1Gg(}I$Ia4vThft?_zGp^C);=@I2rL?zd|oj4^}~TZ8!>c$n83JKYL>wF*4=p1~9s
z-F|gFuU4Xgq}tMm$lt6g1hMJsroAk!ifp-++f}=5r{+!8W~Y(Y^g%SxX7#qQ5QB68
zfQX_?ULjkg!A6kIv{AW>i$`Q-@gW7ma<UjVRK9DIkbO33i~Xiy8a2aTc@uT0OI^gn
z@_C@+b(fKxAIikOsVL>z3cGg|ClUA+fFudvqsU>FiY?ee*?M6Er;E-PwYWFpTdg_}
zxa6><bv+;xW!P)E8VM>z3q3eo#%$K$XJslU(5-Y0D*@OWJkD<04Zq(Td08j`Op9KQ
znv*TS`gVXaqIyh02SblBX}cOx3N5e3_Z48|Mreyu3O=K;jxWvpl&e^<-kNI4Md(^(
z0I*LtdqEqtg0n6VEWvN7PBq%B128<^_+TTdXSx0c<#R2uT<9)s@andwxB!L5LpZF&
zW8gvGi=`-S`Tj1gmi2jcF7-_`e}d|Y3<IUH00^wkDiX4NWn1kwRcC8<#sy?Tj1{y_
zwb$x-V@fk8>$(vMAQheW%2)|4PhGg1fmLgnVBuZW`21kG-mX?9ATG1*Hn^Ud+Nxl-
zvSNcbl0mP#F8cz^yU`{qqH(4nYn5rqw;6O~T57Fbh8oc-1JkJF+DLG+vubOy=>hkI
z^8+U5WhPabwraTvM|TV$XQeqMUtJiBzS03GC*=$}fMFUqeUv#QG><F?w?HRhH{P`q
zDNwKu&~P=i3(fIn)EY>Of;?h|A=}MSneBs2&MGw*W#U6m<_U$Uqt2Kk6UJS?P0VXy
z7~4qgO#0}nuG1oL9NPUX9Zk^*(ukHTw}|oW1t`MuQ4bZ&%DMKa7%Yn5Ja)+98O#|W
z=hpN>J+_@u0W%6b;sRCB)T%Fw(~1n4FHR7|ATu&y`&oI9kIMR>{woH2E#kNp%Oy*`
z(&!HP?#c!fRJ|J0>I(E+fD>6;cAN*TLAO-~bn_}`Cp<V7m{KrM+V%NxhRH83pjprf
zuS@ebSSw4NW+AVW*I!?wqb4ZEbIWVXj?8dH1tA`*(RWN|oU3R_GM!cHac>~NX55He
zk4raOsg&DsNH3})5~rPxoGZ9n7~^;@!`;-WQAQ9xq#{{5=sL)c6^#*uS!eAna@?{Y
z(`%$kP;E9^t-9)90<?EqT`cqd0QHfBO~J2HLpE4Umd&-<>&=onx{=z=+7h*;5W;l2
zPGz={n1J<ZHKRhpY+25nY&;%>UuKc!j2c*8%5*;vBDvxOy$0<ExEp<CF5u}aplh~S
z0ko*oc1>G$*@+p4<(87H+6qK3Iwvetq+428n=QKv__qeFp$sVbtg%MIFs@8sJbCMi
zyGv_@9xED_Ef-3Kj%6lN8D%8E$jT~qSOw{?3bv@gLa<Ndw`6AROuJI-Z>U<qmxdmn
zjrG2i3KKMCY}9qyOARSSPZAnAigBf6`(*(J5iqRUhPAAzyAaS0#bqp4d|qZ1H8(>l
zv7S<NP;W>f=wa!YDa;$*qB2#h-~n2ZfS9<=%FT8|W_PeALFAQJkkoLpJzNNl?(J!Q
zx2e+Q1rjF1T_x=h=Vge__&Qr_$YQ<W>Kw7I*ZNKvr$Nn&JB#wZFeLz>rjgmfJlC%<
zdRXLiIYzplnmE%9N^q5C4ls6AtvshDah9b{XsM~xmQsBgH$fy}IN_2W=TaRUl^#e0
zF!THTY)5cw!Pbd}XhE+@mR)OuAdKEt?9s~H<;IhKY9Y^E<8~`fsG~@<%Q+}WDr5_a
z#9YcfhE2B45a(!tVS~<!-ED4NGt#LUnR8pD9kn#{7U0^ODD55&DAs|5oe|O9BbH2i
z+7ku{s?~-F5VjbI1$d;$AP7CQ6^=SYg7~w}2ry-aGy#p{Qkz!lZP)8<X^LwpqgaJo
z#=~TTFCewSJLjP_a0&tkHgeQm!SbBI2%15Dv&~}%a+kpRvK!pooRBC|NHr;~RV{at
zRTV{v13IpQXabB7%5;-221%{nGP5#bEQ1{7c2lRF%K?ucr<v(2NCrzlFCC)j&VpVS
zM-T^`Vq+<r*kOgpIH-xlvMvDdr?Xyl$zkioUO^KzYW7`lDH(|VG@6}=Hh8BcM%Bq2
z6mBa9y~|UPmXTMWr>${+(iM0>zJ)Ft5GSKW*h6hShESaFn-(UyRI{CO)f32nVomRI
z6@X9rzJEDW-v3~1ASI|Z`jp)b*^<lA2b-3|$Xz7IHZhgUDVPv=o}2$+O7jgskLGR?
zVY-83c7H~m!V%;$+k?+6;VUJdGmzSk4==$$W|M7WH}J=Y*JZgY3fM+A595RV{L^PA
zTk(LG-|~Hta&l>oW|Z0NR`=}2ZlsPTF6kwsX2TIs9`^S?PLd@qPwXfB*kjk8&WF(^
zT)3x3VSH-1JQas&GIob?a*95M1Ftx}&#7g6g-z&$aU{9nS+JPi;U^88gHw*${G@HP
zRsu6z6nhlNcf`RdX8%5Kd5{j?D0zANaRS6vvYojHC&j$L+YmD}J-SG3g9MZ*XAug_
znLBvy+;kJ?&Y&Fml8oQs45E)dADcnU(X2XS1|1%Ed#BIQP2KiMgguYVqgx(#rgUuA
zTbOc_;VC~HCMQj+zB{Vot6QF3xApj2o=6z~+^wvkqv867ok#_?cm<5RV^fJ`&lN@p
zP#o-YXP8QR2^WPSR_Qqs`cV2+v0eeH=@5Z-Y@hwNPB8SN;ry&Gj<)8gqdC!hwAXI7
z=njvrOR6$o#9**E7^KB;ekd#2L*G5co;*$Vs^O;l$WhLrcF5%zC@k_uoTJrE9c=-~
z&7o{N)JkMSC)gccj}#J<1N}5`+(QL%xMLEAvm_v5`<PC%!^MI~_v71!Q50rp?&gKF
zGq1YDbDePz+0e0vM>6uX%Jkj-O)8D&4sVa_Egw^BG<~EH=fflYceraj9y(!maIO8O
z<L~QWbsep-n|bAD?sR$~9*yJSb%;W`xl<oq;GAPmKjuxA!B=uR(0CMQ6^`n=b&+dT
z`o(2oc<RXf0783uIOdn<@-w1>oB;k&-Y0)9qcFjXbm7cVaXMPKNqn>yp6u9;2lL~Y
zI`e|rtQ5||2xE+X7+gY(lPH|JM;kBCF_J{#KXS!kJjOMcGK~+!MhfuGg;{`F3{=^N
zL<ge%Kj|E5OL7SLeC$*nxZ!9P+fUM;<77@O407^=`~2#fVKj62wvNoOqxpGEiLwN2
zge<A!l8-q$@b+raFUJTwXV#rKP3Xemh#j9M<i5YmSIr6e5}(Hl_{v}P=~I0pyy~M@
zd-$sJWKEOdIsU4T-s<sJO&=Zjb$Qjr(xf*Bd~DaQo+|p|{CL6jPaR5~V*;Ta1?ypg
zoYmplKU(_7);&#KQ7BwNT|vA_B2o?{$gRi*AfYTENT3}!5kDBR5_LHT{ZS&HuE@b~
zIAg=vp9^Phz-5o^zW+qdadg6i4QGGGIgal@pZ<ggBBwvT;q1@*8$7ndnY)v_A?G+c
z{r>S_44wJ;;0Cdc5#iIoU4dXcQkq1*!B%hrIEF_u?ofsv6J;k&|GktvP}?+Y$aAD7
z6mv4fwTM(E;&A^aT;Q(YO5}x*E8F30HeANRXs>n2mdLf!C=S-H?#2fvCtIOHmqc^S
zH@Mg3_=;f`vsWM`kuLG2A1S!jiQhgtCZ`LM?W1qnxwBUdhc|GJo}eg!6^QUSu2i5u
zDtRd{6|ntel`%Y2ATvOBlKX{I6)gP5{!<x?@*E{XvxSN%VEbtyMRxj{sEop)+&EGh
zN9y629HCD#mQU-NZyY%S@kb=!?UN%ki4ol-NJyIXz!JGjv>Xb`yF|-fq6N$AgrAdx
zg6xq=@;^YdAf0!%XbFjH(%HKv_~Wz%a)yaQU6E&DqhQP=8qv?YY?K3&<SrZKE*s^`
z5G3?jHcI};uelT2DErvinKsIqf&^mboL~r|Nkot^xw9n6T}H|o?$TZU51fX({GXF7
z6iA!fW~AJiWecJOXBjEwVKN*IV-iTY6-$K#Q*y9Xh!b>L1l=WH?vgKe#aFN%ZaI;1
zV9J~<U(U8&3Z%J|tkOH7?Scr&ZICagrN<eb&|bdqcgdG?BDQBnbMK1Z-etdhMfS^=
zAzu#7g>Rhr?YSAhb~>5`=ykmHG|=8~!3pjPv0x<bN(0@oZcsrGXygaZNdrkhcdPK&
zeg~z2axCa>NiD(GJq>g^yK}2%%296U>mo)@tQ>#=a+aCW5)8<YDl*F15LK(>+hbJ(
zCuTv<cmqeTw?QgK+hH6e!9K+}3X=q-pSSk@ZR9vf;!`}9Lp>pf$y~8s+K&cT<)i(>
zJ3V*8aXiP6334+@+QTQm<yzkpbMSlFd;85?jytR9jynu=9h*P76Y76S2LpK>Uzgc)
z;y@f$svS!rDvNlDQY7-qb5yU5a^n*MbO*%<`-Y4hPH~qSx=Rh+RgG|BjQ`8=mYJh6
z%41^W8?YMTL^X77q#x9CkRUBL$-)RNgOr5s)NF{hg>wZ;W#Q~AWRAYNmAa;Q>Lxbn
zvmj+7C+f4asupt$0Ff#;uSm|ScPW<{mMvlTGb>~cOM|}Jy7Ja)i-vpojHma44Jqb4
zr?`j|9G#$W*(*?1O5Vkzy~8*0X!mg3QId4q%5QF7hunT;il&%D-|Q%JetN^Pb#PKU
z&C#~6i#k1V6`ZS1_p1P$z(hPQMlt#4XqF#~7~T9T`Er)RiS>TRYxYjp{GGXx)ZOhB
z*iE%_2gP}3Zak>}JLAxOeCLcU2UUd!yPmGZBQF@0erN7@SpIi>BiZGw-N-@bR4VQ_
z9^CcmYwWk}&v{dg<NjP{AAPX#%%cys-E{QL*9+d9WVvl31jTgT{y$8EZ#X$}qRfa~
z^nyiTTill!qC_!1DVcw^WVx;K1mpgdgqu$h?Me*lL&?G94uiJG1V`a;O&+fbKHBz;
zBRJ@DCCA?OrjAtO>3)D?QsYRF+<M~b925SwA9|Mi_|?|Ee2JAL^m6=9)4gA|s=b4k
z275v#=4cswgD;IkNBWqLdNg~Ftp(S{L_OILz1hi+N@e2Y-V_|kuTs)>22K%sN{Xfz
z&M8!BlinKAC>$&h2^pfpg=p}@J@MDRfhUg96MOpd2PZzWp!Rkw(inAk2j{#4@AT-D
zC*IFVH-5GS^0gRF*N(0jE`h3WM-M4Eu``X1o%q-sI@)?{({z4X@ZRQeIB{f;o%29t
z-8AcRhb_s+;$>%*)E`CU&TQ2>sWD+cY4<H&#5X#)5;^*-*9?E^C?tBQgYzdiu_tvh
z=f19;IVW20N7lrxN}9PF$LN9l@~6ffxQ-!lPPmPe7Vxdl$FIqfo&ioEuxH`W84YK{
z1?dsNf;-VO!csfwL2mO3yaR`Mm?mM2F3E$t-S=(Y%-!9NVUBNV^Sm8L&qDuZXW&^@
z+nrj%9Cbzi4-hbTE#%FdAz;pWRWK9<(!z}ZkBuc0BOy$T;bD}VyZM;LI8*Q=1ru#e
zoPxxH_8%+~E`uL___0iy)rpGOe_19&yZ^Ka5^~t#p7^vsj_ilOZ#sy4I6CIwkzD7T
zmhzjrs`s`m46VH<iPPhdlLheMj(A$%g&{_EyhB4y$Na)0^>f_#J=zwzvtfchyn{P9
zys49%#oH3~x+wzOCjFRr{bcO%WMB+E7&|hO<nz%)Kf2PvcpV-^rU@j^Z7R;X`AZ%>
z;o&7uBi9^V@?hk@f=gnOlBDD56xU%)>NdLh2RDARx6hna8qeer#<@KMgMmD_(cAI@
zk3c7mka}+Um^;2VoV3B7B{gp97(T5+4-_dzzP+!oKa3vu2-rYLP!JD$bb)g;eKN*Z
zKF}|zTZ`A9t$ojyTMz*Ij4_18F}ZYP$)3&%pKZ&|1IHm9uq3n;?1ndW!ye8YEDh4V
zOd5C(hv8gv7O^RUgK>B;b~{{H$1$Hy7C3l_uOtA4W+#R^^iRJwLgUDdKU~1{;oLY{
zzoF;FkepxEqWHScZ|3mD-U9Z)H-uK)E7K#LNW#i@yjuL9tL@H~-MQjfQ}>S7cFd7N
zJzOlgqt8dH<xZyUn8Stg<(UDuS(~07o-gnGd+~86(x&IubsrQ=E#1fqqxl|#X9%{n
z2s-g7Q;I)>V|6j-YEjTkP)leqH-go8+S1KY1Q_;o4C|I+K*WB&^Qq7MguG>Y=%(p+
zE({*jXTEqisgKs^fiC#kC{vo+>;KdFqr;NiBk^#jRHo;a6(5Y~v3TPhqfDU)PkWfB
zmEtYyMB+rY-6#N_<{ld5v;(^LIf*(Yeyas{=+<4;gQvPf+|I+?+g)Dg-VMFu^>F^I
z5HWM)g&r-m+pUMc?xyRxY1`xVlm8=Jq_416_7rsm=ui%Ay+a{?DDuBHLjF)79$xws
z@S67C(b3$yQwsT;Pl=NH6c`|fX-kBaZpu`myl{^Lcx=-_it<>MFHFCKGn|>cJi~H1
zuxD=1g^p0nNFeJBgpiZ2iG9wv>{*NH%<#Zn;Aa0n12;qS00K8>Rf(Xy>U90c@q(<w
z%FVMwPX~yXM-i&q3||K1@q)<X;%8KF9Y~e0a<26#k$Nc1_(NHCEUdk!b0tgVcwC!5
zs`NM#dS6Y{@!JM?c>v>mMk+*D4+DUW2Qy&S;Q>I630LZ@Re!=;J+nv`Q{Y^9ITE-z
z`Q;PA)46%L)6=IqDc621%6Xe!{>c%@y(qu^E);!MK=3H^d2C9Y_Uq4>5=W>q-#}C1
za5f*yj@>mSpek?v=j0~*(@C8}DRF0>5_onZ0gg?Hb40=&;>{kM^%lL!J9haVTc1bX
z(DCJYwC!tSBA=!jIGiy@X|^NTaL2oZ>`^H8tT}pg#XGG>cod^OW5ynf7oJdUc&x-Q
z@<$IL0v%m<6ivao-2cI_4}}85CZerQdBb@y!?2N(MA@CKU4r6$?E3@gSn@5MTO!qb
z`oO~o5cy_-K<8m4<H1SS!zdWy<bZM=CMg1$2j{=p{cIrD-pnr9Au>F<4!egP#~(8{
zLCEJ63Ul^#Kl__Me)2F{j)#lGQxd}t$B?3xQ^CSPQ0U-N)Y0SYzeyq-Kq9tB_pt{*
z$8lI%djx!P1Ba(V+lzDN#ZRB>ROW)*Jvp^M=YcJ8>Tq$A6P(^}ZvpJjfn?>`V|a4G
zD0!R6>L0wt<9{5!&iy4F*A6388-$Bf$vCj53zD!sr{45nFplke>}4LWOFd`5W0ULn
zem8lAhxMzti-j}Xv)sV6#)I2|6XBmUCS`7zFr-qJWRdqt)*Mx;o;nDd>k?@ZJ)?{(
z&lNFs_pxt^ym6Ruw<!ir#sjbZR&1>!d;N4q`RiwVod%LWlw$cKo`+-7{Y2~QG-1M#
zy!-ka<cC!*Hz&6arinsYyV2}%b1(FmpgTC=bQk(<ngA#E@}1#j9a-^T?cQ`0>g*r%
ztK6KvAN1RA{4?kD&K)_3$0p!Wm)vplf;}{~znar;ADg`yQjep!?M?hC#|L5m?Ga<k
z!54=I!2N^tC6q7!^xqf1?7Z_XIZr7I#^zD~blo?-)_C(5Zg}*E-|@i@{>rP87hm#_
zi!Z&`r7x5pcE5)_`JPX{=K9Ax{hCW3AlLryvyz{=CV5g)`}lwV=e_^?mH+Pz&-vhE
z3*P5{`Qcx<?&BZ%$SZ!-|NHCy;=;fA!V5BQ^zhxkf8rU`GtRrm)A4gv<?cVmzvgYj
zKl$Uo{rR8%x$9o`g#Y@{*5_{cX@-1#6?3)u9k2S{i!QtJ0{nOvQy2czmtJkZ$@=rx
zz49I}%&%Yb(To4@JD%_T(%W9ATy^0Om9M(yJ>qpjN51Mp`I2A0`<1WXJ#6&B)l+`r
zH?I4)54|J4f9ruynqPkPgYVJ4F*3+?&%4Kk*S+x#+>1W;p<klk|H*5A_t$Rd-M@9;
z@&ym5UUg0W?_T%RyFC*-UHOTNuj+s9?Z0~O^QTvS@!2o>#LMn=zn{Es<AV2Gex)$|
z;2->oOK$8jKX}2__kHEverPwHbF=r|@8VBC`Mhs>S@pTkeaeO8PTu$f7rd_Yt)o|5
z`@;N##4o<!!hfpZHXrq+KY7po**|vo3;&F{|EoXpt&jNK545irF1v`j;5%M*e(BGy
z!2{vwD?jZ0xBlx_%m4nD_kHIly*J}(fB3*Fh5P^5dtSOf`5*n<RWJUPyYatr-tdCA
zD>uCSQT*G#<pqNWU3|&;kG;?J*S|XZ?^mSz`}>~r)i=HL2On_%cR%K*uRT@zw#NN0
zc<FO5yhg%fj$dMZI~j>5eAm^_z3^qPeD0f{_o~<a{d->f&_93eL;moue*crxPh9YZ
zSAB&0)cfB5>C1507kugMz5SqEd5<?;=3Q5L(3^hf-+sUT#3#M`)9?DINBRHyk4oti
zzxLTDT>Kd_Y}a3ZuMhsgi$1o$0qX+#9)r?j-g24uw7b3TuRrjyfB4M5zhkg|$&J*-
zH;PwX)B6_bz9M<QmwmW#$?HCSp1=Bs;C@%f8}VJgd!br6rT*B5?|1q6U%&}p9sbQL
z4o3W*S3mdluYBV5pZ(n922UP*{KgCYXZ+(+DDQn&KlG2U{>5LovVHgVjd%Md<_8~e
z{>7JE{pkl>^vvr&oBzNiKN3Chz3+bJGcUT|`l27VpML6IkHAQO<h>uC(fg_JtT$e#
zeBbxJ_&duld+T4-KN-B_%H%E5XJ04vAM{Q0D}VpGYoB@5Z(R70ar4c8@u%d)yz!?l
z{J=d19~|BH@1FX%Z@BbfuZh3-Pggwa>TBNfQ})wNU3&iG&-<oRH(YQqw|f`-_D8M%
z{j}$Q_AQk9a~J&WTd45KxgWmA6YhQfJ>P%hKm6dJMjrbC!W)0_dhYeF{L5<}_=)i&
z8~1<nL&j;_`|isg^KjhZd;al0gYtf_=7<08hBsf<ec_YkIrW5JeejFF{XhQtKR)rv
z7heC_=UnlB9(?}v;wOJL{ZjSkUmASR%Pz%ppMUY)D;G4srE=d_{o&mU%fELvkAKn6
ze7s)xmp^;gPyX~1FV)}QxZtvj?sfI&y`R0Xa^th757PhOyT5SFe!gDvy>~a?UHTT`
z`5%k#`Tpho9zV1H<D&b0;L0allYiWQJ^$3@WJs_7_W$_&lk&gt(T_gj8J}cEKaqa#
zyT9`%OHbWB^15Vsc`E$LyMF4CH}b!GDRz7#rs2JQ%zn>)^$wNCy!X9tyX?ImEIs4>
zpL*N{S3meUmu$Y}-XFW+?LG0My~&HeKYjIoKJ}XS{KRkmxq88S9*pJnr5}IcwPaFU
z^a~gEKEG9JZ~oE$e8NA!{lORA@6qB1{_FWqedYLR(Fd;k)#YW?hd=avAHB~{|JL7r
z27BN4(htA<`nL__3+dmLe&pr<_^;~ye|__z?|I9OySM*Lk-WJ}-gS>({_B^EpL+Y|
zU!L;Jd*67)lhu#cFG^m+y>5B8H~qz<PTlzQYkCh}KD%<keJ}a&Gp@h(xo^|o`s&TK
z^22|x{-%pw`<JhN$~Et~;Nh+N>;=q|FYK+~`or!kE`Q2v-tv+cbRYe;&%Ei+9{b@x
znm_bMoEQI2_tQnZf}g$k)AEh^|9qtL{u@5^6IcDqGe-aRe*MNl@*Ow+(Ej~gbbdDc
z=JS8^inoludvVbNFZC|D`stUEt6uc9D_(Wp_dl|9qx9gPdi>?%@I$YE=nX&jeb0PV
z@Xp#Vv4Qvsd(4u_^}egm`=fie)K5HY`_9X#HxxhpcIjEOKU)5;cRu!-yFLA?pSpm)
z=O7gC`ItvFK5~ywz5Q4I`F$^c(d<L7w_Y><+1Jz83y;5B^o7sOpT|v~eOc{U54rei
z{nu*B@2~&)T|e-vfA*Xou0QGC-{-vlRl(0a?$wib|H8}d8*0Dac;3Ii(|!th8&_UH
zUwqYb@}K|Gi>?5D`Qyya-QM!{$pwEhlHd5k3t#x1ue#`!7ro>!uf6~M{yF!Am&QN(
zqFwr;&)oRikNiFTH~YVH#W#Q3_dn|czZd`3=(ivBhKD^=|JA4e>)+l`f06XG%T^zK
zQ!e||BOluN^{0N|_cQhH|NMCmyzWP{XFvS0pL=UZefZ_w-!z`_q;LCyKYhYI?sHlH
zw;%b6@Na&6`=!sm_hWzf_-}s2@Q?5Iv+MKUwx98jz0Xz8`P~1}uCt%|YxlbB+U5<v
zQ-9r`p8CXf_qxn^cJqP<UA+9k@zd^euhEaZ`Hj|FFa4d*D0kNiKU;b5_+S3!|NZdu
z82{Pd_J}XGKlHyp|C84`pM2MEyyK-7^ReyIzUzlyaPh0A@BQsxyytg5>?Qy5fJZ%G
z^UdFSze}#Y=Xd_XZ+3s{Pe1gA$Nu7LxpzF`zrXmvM||<qkN?xhfBbo5W?XgQHR^ef
zdjEI4_ujvB@$QZ7$A9?qh3REiKjuD9?%fChcwOapRxkao{1b(@e$;rvOFs0$=Z?k?
z@ILYzl~0_nKl4G&%X%+0Ywx@Ciu+!Z{M9R5{SO|u{cQMz2fY42|Ni-}c<kpF)*E)O
z{`XIP@F(8>f`{LK_QaR|{DFS?Ul%Zgk9V)hKlfiT`v39H@gJT4Z9nAP7pt#*`G;}I
z<Q3<C&+JX_{hsH)<*6@v!!Q4Tth{wlmfhMmE-4|6Al`^{hoCglozmSY-Cfd%fV4;|
zCEeXEjY!^fsdR(%w{F<)e%|@b>^;A4=9_t(dH%S#?rW`e#&I6!c`N}pO!Y9SQQO59
zU2yPZ5>dp8kcL=FDe_A5k;IFWEndXpmw%i$#`<{onkYb;enT?tu-cRV0s)p)z<*mf
zf`8hdi$EXBjXyQ2IcyY=Y%nj-#zFyM4|i0&tvJ(#zrIb^W_TG%ybkV$qXWC?Wb`XZ
z5W4f`xKxGt2y?M^ZKBifVW|K_RN{csDSf}k*2p6LiA*V7kr4H3KGS~uw+l`6I!*41
zz$DjSoI|Uv*gTId-p<z8WRFzim<Zk5APL@Ib4P)hN_XKlv0^f_qbb{=I?ZUWP$DT(
zXVfl`zbu}1prqmnqr;O~T%PT*9Q_)KYw|cMzz&R|kSMT>{D|=TiI%z7&BYdr$FF4b
zwc17BxFkK#zJtdcVJADY>X^h_q`>eo=hMI5XD~eYkZ*Enw8EF-tf^)XSiKH@`Ft^-
zq(%rCB89_3>2kLw?0?Zz-Hu(wwf?|}0QI11`p<fJrWi@r+{!eIyF&y%9l3UmbqtTo
zrev${bvCdmk|hIhNU(5ffc>Ha>rGNgomMA91RI@M;E#x+K*S=EHVUDwVI6fE;=d3_
z{|4zK=3-{?zh{enRPw1@1sB@2w)svL^Bxv44<Q}))J%L$;+~f~wd(^ct?|H9v_g59
zVEGRY_YLAByJ9ly<!ZSE+74r$VG>QgE^LJ8AFLFp)9?Kk0|*Qsq6pYWePQPaCQ9jg
zWW;KN_EU_&p~`$XH71qYiQj=Ju!Khg^FE*P!w+{%V%LgqVAqQa)575f6&<|1N#jr_
z>swr6vb`CbqGAk36n^ioA3(s={T2ngvWHa{Jbw7gDEQ-7apQYb126ob<Fw;u$MMEK
zJ`%!g`BIdzWrYqIZUd7*8lFs~%}yvHk;e}6r54GF5)ws5W1*c$$P<j}$M1v+F$dHc
zu<|)vN<VA!e@m3P9vta=x7yz5aUe9&Yuux&Rc)DY(LYVN+$S8srJa4$IF;Y}lfd0O
zA2T)?K5+|S>R}1iLNV6vO-AI~`F)eL7l#%&RpN%M&rTi}eMGQ(@WRd=ugy=EhepNy
zr^!}lf*^EZV9k5+v%;%I>~by^ZxDwM|NNlPCS7STjIcGKkfmO-o!_5eEDqqHrl7Sj
zChyt{loLD)LaVt3?pY+*=0U<8F`Xq5-Jigq9v{x_xb`OL*EE^Ke3=MK1%?^k=<8@k
z8jAx6pFDkALJikWn`G<lO{47RS5mtR%?y!G+21=)7RBV5kEA=^T%FTgd=rZxVDmU!
zqv0=A%nEsBHOV;kJBdX<Q87!rF9ZXUE%*-p@aA$)2IPr!caB_deZT8!ojQA=v@-u7
zF<%f^*_{8pk<esNEBeT4-17~O*mAOn?ir7>ed?ycsUUjNg^R*B`{f?jSOC0*7_ekE
zG<qk7BKNx*q<t=q6{q56|M~Q`2E(B9jk0c~0N3^aBsRYrZz@_sW*yoQf!iiais886
zx}C9{h<GM#H6GV(S`Z{Fo30KAVxBB*&K9bd^6+a{S;QQo$fj_}p-NNC*E>n@U+s$|
zb2)sivYhBY;O=_W-$jK{_W^EX4_Yl_PgUyR{e;acwp6Fyk<ETdurGljX)ujf9T|&+
z5u}ngzt_l@B`XG#Uk>DD_|l&ruH)&@zH1P;+<y7&x}S}YGSf@gLxZU@#-9n*U_MBl
zz{+9VB*`A3Dq<^yDU=2Bcm<IhRZBgk(YXeTwWfsm?Tbx+b%FqV_;JnA77!(*->jf%
zXP+&2DR{sovgq$l@)6IfR#_;*A~N6g@z0n;q6lWuawi_|zh!H~Y1&NR>pTg2{n~jO
z&4!-lYm|Sbu#!EO&)_dE*>85<h%I>Tx;NjbPEJlv96*o`%~#GVaB_+9JzpoBU{1{$
zxWjv2WFKG#Sxyw>>#yKA8symrzS$*&%EP--V@r*;aLzuJlS^bw#`OvbB`~UxOW`=|
zf!NU^EVp+T7XIndZ}vQi|M={c#hYw#q6Iy7$(Lq>Pd0c_OmtGbcA)INzsuGy_gd9Y
zAauFj*!_N22cd`L5LETQH-A^7F@-L>3H84>xNODSO9V))R!`|ENBAAC^%eiXsk(!R
ze56ZFQvKMKbsIQe3Hs!hk^dFSuu%Ri=n&xsZ~$9jvz~tOcCM~mIA}D8P~ZE<PSi{!
zgcD8goFbjW@@fm6rHPbEI{wYnvbY>}W|+r(tzE_{!<x-(O|kRt+{}Td>^W)ffovc$
z#vGcKyY<oUky26S4qR;ca*zhO9ae%&`eM5SzqB#(p!`XH!((kkM2T&Q_~Db1Icvmf
z{rkrZW`#d7KKL#-;8;?`pK8VU?`j->#I8a?X#2(3HB2s-!LN&|KtaN8DN$`bqtv|l
zl;7JuyOi_^IsqdsjY7K0L80Q$csk{AvsdO=Ou`RC9ubkdY>qpaL^JCr(5q6u9m_6w
zbY+wMjYP{EQ}KF2T|b`@1Husx0L?()Lo7<y?P)b)ubL{Uv!Dv9><6zlm$M`e_hTeQ
zw>98s)5MTd9{l=oZ0V37L6EMwTBM1hV~u}#G$Igaqa?Vs+JN(>$rk;0gCXXb;6#BJ
zNpMi6&*_YL4p_2f++$phH_y22Nyiv`5V+(CBvUwwJ=64Cyw4@C_uC&nr?qPz%aPGN
z#ahv1P%X$d(pS!vrQ@_)i0=x=8vuAo)w($5>p-ZS30M7tl-X2e6`=?&-LM66vG=qJ
zFXaUV-MfAbr691oYLuYEH_)hj6Vj{LYpVL(Byuq^O!KVY^lat|goVCvhFa4<GDtbg
zbvB2NF^|S7{>HVwdir<}>LKns=PgXoq_-K)vvpM^rbm~q`SkG+Ez#u-Gh~6DC9h;Y
z2J@wBe>zsd_sKZ*_2o_pB_3_G=<U~@8;S83yADO3<HyQz<VvLmp3(h=)MtpB$3zV1
zmn|exgXEmVh#EiV(!7_RU{#vsSC4w6Vc^>}wFj<d3J2fnjxE{f>TuTC+RyL1PVyz|
zpZ)3wC%#{`BFXHov8)RKmXQUHa)idLY%&`i+51=K!^9rz3F<10mMRJ~O_gapF7NUA
z?Qd^<9uND!cvqxZDGhL7f&?6iVV93#CBcdf8PDs!P$XjEr;wSicvTUEENZMB(@n?_
z?8XR+E*NsWl|Yr*|Kz`my6(_T(D(PEs@1f+JtCG#3|@0SKXpXyS*y3qE}uIs!0T!O
zHHOQN#tMS$0$hJ@+*0bsy2tW3@KISzwW{ikQAg1{WLb!h)r^(dqq<x_y$)q7lV2N3
z-~G^fyC0)d=fF8OHUDcn5kTDU4b1D5$`y$GwJBKq{IM?z%qN!u*q`S0FNr4q!R6TZ
zy*lWPDytB5?1n~V;byh8ALYuIKw$gi{?a%gj*}8`r`hXlT=-%6`=AWJ>l1aCLpY8P
z%h3)C4Dx7#kE~U&@*Rxenvim&uSXbyf|(S*ibg3v-ft-KJlQND33_Dklc4{M^7)GE
z@{E`_qiBs&hj<MDPCR^NAYUpFn*X=~fJLd**C(0PID`lFT{vQZ(9+nD*Wq}ZDqD+(
zqQ}WptBFn0;h_q&>+qzY)A8igXT4es>b2X@^!oC7@<Kxpaih0#%lT@UHJ_{4dsBI8
zJM}>_)5^Sfsab`-`YpHhw0>?1RA{S$zEkpZ5@>rNmdp>?K9l8zBPCKF-17!o-@Xjy
zaPK;U((&&p;sxtcJJ?m6yZj&RZn?-KBh2END{mBCzc9z&TBpAnYnom?=U5-{TaTtl
zG7;?*w#DgCLxB>NCVr%^SIV#Pt+Fqzpm6zGH&(4A?~x;FR_}ECW&ByAm>yHIn0Sdm
zuBdaZH1{)MpUeEhF|R&2ZujL7m615DiwR$8C93z34<(hd&whk!KG|TjICyDfSw7s(
z{Ucin@BDPuE@5>EgaCD~hh+j^9M}6dxkQ2z$()P4&UQDGeB4#bd&rL;{r2ume%Fk)
zGh3@}Xjp5vs1}7~eDs0?>U%WA>3DtN;=;E|li^JcL%ZtwKB@;>6NO1UEirw(@OLN9
zX%vt&8yhgGd!&%YlOt*k!Wz6ZN)qRiMG2qBp(w+P*F%J9<=9YKn$2)@I2%%Q8aSNf
zx}Er|x{bQSL4ID#xN%>eV&~G&G6dV)G&Z?cRJ{Tv%&4n9iXBc9Uu4)yZKUWfuX*x6
zzD&UN#?BeQ()q}qHZYK>8j7d~UB*Bc!>!sq99eJ?Uq~%i4yJxZ8!r@6@|vE|Zcg=U
z!_A0xj_SdnbkkE3sNb!?nt^I>#hBFrf4$f3m*e6Dh1_i}CaY*2#~@~~;i~k%rE{Rm
z^zE10KI7sWsua<<d6Lh}cH^Jrl}Kf1ov;0xe>mpbBcD9kP!~UxC|u#wBJ7waPl>R}
z$K>RirrL46Ml;f1J$shZre3%n$)>6L9e(?EZy2GQRwuUd(>&vhjvm<#qs8(QLE0xx
z)hHO9DKEIN%T5g|nS-boGKGqS2g$o08S4KfKHvAAt8+-mg40uL!sx8z>V@=@uGIBr
z_+ChHKmYjLbS3DibxSuYTV2^hKaf*%n|i)IwBn0%L%fSrwq122#a>RPlBim`*qWHA
zPY|6IzP%y8yaLQa>l@F<yu8-)ibRzMLEG-Nv2!iAf~fU$#qawnJ$_1d8*b$opKsGs
z6Oh-4x4a4{)`>VxPm*ulQG(x_WtY%F({ei}+~v+g+*yt;kQ)1oQ*pWNlFw!o_&#Ze
z$GlcsDB_9M?~e!~nY+7sVn*G#eF7HMxPSKlip#0n&d1SHa7ZtIkTMlM`ije|#(2Ir
z?9(^lmxEh2;h5)&GS_uLzIFsX#}C!Ck(TUE&0o7nyNs>8m3|CgzS1T}RDSbmCD?O0
zhl$g<`RZr$d$go7ulJkDE`-WYRY&>H=A8O3-v<pil1j()qHwpZv)OBL>3jZcaIsp?
z4<;lCAkfnx&a&8cXwzm6;#-m<jMAK|G><lD6>V_d7^h>Cbmv8W_o3EJOBhq_nJeAW
z&cdF>^C^rHNJCHku7)$3mhS6LN8wlyh#%8qW9m22nYQTDyv6N}>pEEZ-kow5Z=gL_
zQWgI_R%hY!bu?vI7}K)>Q}y%Hvv2ftcs&W_DGJ}!3o#2njc?Q8^_LIS0$OADP-HY}
z!Ci--+RM9{eMM(Evb&W`0~B9bXj**QhqKj(z6m<G3}B;vMR!&l?9gyt8o0e`8pa-O
zt!1I0!{x`s5abfeS%#P_hN?bWhDT5*!9`hTjYMY<YOJ?H>Px1N>5o2uXE|V*U7qJZ
z5Our#QJ;#IQs(6N*la03GuWMd__##3v1YtjTYcy43q&Rk%X*%7$jhj87XU#nqwP05
z4IqF7VJI;4JmAPAyS=%-q;LszxcGo6G~g1rg*=6EtIj=t6c#Xf%WsHECJQT39^;3_
z1&3BE6gOeUT{3c$t~+I`lvhsEPM+85j^%s1&bS^He6Uhe`S24yq*+DsDZVsIDD#4f
zo~j#(mOHycgMZ-_c9lM(0Ihc8>y~$W-*ZxwE*f3v2fzFX+R;PRLfKBsE2WFJiuoY5
zK2NU@0`YD={dTPFDyZg6TgX=>-r%xV&Iz3<jEHm$+p$rnF1)bSu6-ZNWZEGa;JUl(
zRB^b3lzaqT#SZksBB67*lKo|Z%M#@iJ?}*La?3VOMFq<S@KnT8k&U=jD0q^wl;I7`
z#Cfx%%htB;HV(5-5SjSO>R$B%(1$gUd~{%CAOeU8;x88Nfh_thMI1{jIu2-Bi|TYG
zkmwnQ`F)>9+yePtPE<(6>Ar?^WYVx5LVC2XMgXZ$TPTSa(PK%QFl6J)MNlJ-MR;A%
zpCv(lj$ERoH=B_{kU)r@jb|ND!0uVO?cG|DE&W8@lX0$a#hy%<>`7M7D8cuST{bt}
zUL%Dc5v(N(Q(q<=UtVXnS@AWyIJB4R{_wCMla1D`rxM^`{%XDGblRXoQZ97eR3hWi
zm&D<aZ98qhT`>-6RPAnTQ6fLgp-PVJR);KrghG=s(N8nAw~&O^$?<)ggGz;a7jdT^
z;+E4Fw8K^lqH!W!J=)CQw@0YmJtgK_Jymdn6VqoZqrw*CR}UafWd{s^lsN3f68MH^
z21<<_4rfDzPkF$SMm{i%FDHx5pyE-hq=b7N|G8s|Qu@8+{spmIP7!yx(V%VRrhSwK
zQt;aHIx&R4b6>mEL$VK^agcjIDBUw}(Gs>P+N`%P^(?lv#ti&!!+oxxS#ulUnd?(;
z&33f+Qi;lq{zUr5B;LtF8-HM%!>`!;Z9*tP9wDhWnbZ|ZGPK|mk2XiHlZB#Rgp?os
zJD#QBUI{nDBh3m#oQmTiHiZ|xMD_bC4bmtKZ3nz^e&@>JZj@bUSS2a?yZr8dlt!N}
z%qb*otLHr@C37}*UhPn#GpCn1t#1`SCpS~138Lh9OGZtQ(lF;?A#m}Bg6M^TKkk>h
zL1e<2r7&?y;<qRVsCx{EO!6^8ByJ?o)|(3%RHLp{@)iPAnpwfM6{po)skz~>Arskj
zoTY{X0eKxxKFG`VVKE_y^$IBeg;U$|3u{&RY`(fXjQ>#M8m9MvKkFS5OM1SrvYKQk
z^J@*2(w2C{4x`ho<gbH~OjB5I>6wEx0%D1ScT#QG56qy~*)q6`g;}-sYzR%&^-5H+
ze{by~YF)Hnx6&A?_5PC9v54dIaD1%iZ;ava1)~GYyBUqxJoGuQt8AKue;hVxSY(il
z%}Q@{>CFqI&<9hIw+@)0E}e0TImYw$C7}V6c$<U9+5qUs+X!h^8FGc5CfVefECAoT
zPJ6%kiIv(1kq@Wx8`GT8k9ylb5M#6WE|<<nn+lWpUh|+EBi=fO76+@psM#s33%m1?
zxX=lI&m8_DY3^)OW`#rrByNQ)loM=^)!8DZ)NNfjk5Hg#SsgPJzX%7h*;MJJ1{10U
z)l%dqvF_y>srOqUlgm9F9r6CVE`b3YvJY`nu3=zWtb`JK6S3)W<t{WL0uxZ5g;BE=
zvk412oWefwKYe*&eIeu03ON`txP$=r%!uH3&&vB5Dw#wsMhj4Z@`Ny$_Q(Iw3YODJ
z;j|-IGr!}C?LdpjQzXLUuA7sKc!g8hLrs@T`zBiwhfb%i%=`BGESBHL^Za*)-}n!0
zBy<85LTb?@P#n?BH@L)!gksLbv!#fE-XHd8bA4<;qA^1eD%c4_jJQZFP57HI%~#Mc
zx@WwuMY!2qA{?3(CYU5C95%6lOYH+(V_{T3w8f|KcyCdEvPd&)IP7}A6Kmo?huv}<
zd+sXurHO+rqwU!yw7Rg3UniOu#&>*T%^ELMSIAY!V4kToPl8bq*b6TJHR>X&K2e}*
z3JUZB-&8wZuT$&36wcBHM?%8ak4X45CRn}y+M6ye`rQ`u>(^K(^KcBtfm6hj9u$H9
zfj9arLSAS9hj0>xJIX@(dO|7T{JM)OGlTz%PCpQ(#2t?F`Mdum5S>}P&7-XD30w!>
z7gSJF#sD5F{|$n>3z_G^o>BLEsbn@&O0oC&hoA=iez-mWV<GW%jM1_70S=`C^n@xo
zegJ`y>(*p(0E0`+?=-gs#SWqo;@6%kdLHYKxm`Bnw*k#F&mU50;Se!xp5a3+lf;}*
zZ8haN=Lg(My!!*?QlkH^hp5m%JHbC+OAI^jNDdAu(0G00A-)_b=DAZnMJ%woxc_~n
z=SA2wp`N=?_$;^6FWT~ONcR%B?f|pKW|kUQhsxBrkuedo^!JZsfghf*3j5w(ySZ3R
zYuh#F^ot1B!9x++c?>%cU1XlvA`g6KFWg>e)_zaOQX=Y*Bb`7A*Z?-)D|ZQ6(ci;q
zIm&tRBxeAEL@NSPwT>zimPeQ#YHI*~?~8NioS$Vq@#|VexAK_&ftZq_HObqxgmSpz
z_~3^h1e?MrNfL@>26@y^K@m_`Xd3xs8W7}kdvsm&O$8yD!L$JFmo8lb-YXy5|62e7
z8Is)RR~}!PC?uld0a2g-yU}g0q^S@TU1}t{)}mHFz6JvZO*&lL{R57Yzddr0kl?6V
zsh)1Q`uN#F?{k@SK9Bg{9N-K|9GnRDNd($H0MCH~4L68=SCK!WH%-~`2#d+d@SYD#
zTObXCgZY!m|Ct3K_(S^`-SwE1rcxtK@TxAn8&3#=!ivrjW^A+A(u~II?=~*!o`y9-
zi^ybTKt{ey7Hlxz>eu={I+EUkOa<quKbKYzGHLtI_jQ^m)34r+efx<G_{aPxq!iGI
zIvf+O>xe@ywFRV)iX>bI0rqGAHz+7t?sf;ddkf8`fd8y;T$e6%W7?sB!wq`}nyjHH
zs2ZO@uRWNzHz3!8+ya5jEK*JhMt1<-S~?t;%4GbTqO|jh2?B})iaH9^{a_`3TEkuJ
zVDq^lf^pA>7zn2=t>H|KjrPer;AbgqpjGs01nK%g6it6uBIvUp&``%S>uS|l&ye%F
z?W#bAfMwGlq2a&Dqn~T>(e`lgyV#(qZhu6Eg5oDgH0>TTy`Yk>#LW>$mY4+k^Q3i%
z&UPi)nHaXW<s1<>Fk9dp(H2T!vY|8WI5^Vg;|M0vidNL*H<k_Hz&0XylWHuDa|wmP
zU^%e>w`%oLJ?SFf!#)~VA1GhDwggR1P<W70p2~kT$X)Eu1HOXG)15d#9!gi54H3^d
zunCW(zn*BlJl>!X33;U0L0De5-@ihMkQ(Iw%AoCmOF!JEMB4slhw_IZ14-;Y5X2JD
z37KgPcjPKA8kXg>KP4d!l4tS~qy<bCrJFP-k^<6n!!{n^fv>N$8)6-==G06B4vwJn
z6vnT@131J*$>PX(gdnu65Y^F@#p$+_z1G`;7XhHf$Iwp1z6_7-E`>)UU&L4N7l90Y
zk1qXX$D^hC?w&Hh()PNuij4Cx>o!oH?anLzUhbgo+FmiwCVA~i3t4VH;n4J%->-QM
zI>BbxfFh^082TeN`IZQlsdhuaL6b?we0{I(mLX9c6QJf+nyjAAD+G~bjhNK(amsOu
zZp-4e7$seA?=IKdNAXH2YO!^nCHX}I_Y&og9_Rn(W%QthVx+BdEk#}G`C6+IwBFA?
zd#u;vR)LX@U)7VfpK%=bhd39%l|3Y0UzdSxluXLsN2ozOpo9NrPY7yf1)FW?8Z?v9
zK1AIsf<rPo`Fmdcqi0-c6l#tl_P7ea@^nMHCJ2~=CurvrlTjKN!hd13c+T(XEuylm
zQ7%Vi{g^iZu3d8!S$WVgPUVGXlFLW`=KD|GVdtNI$^y$QdTP&&T`Q4xioI&HJHGeQ
z&^)0N8T&9+CF$f*Ejnwl<7X$NE|o;t?5(k$C3#N5=S`Xu@;D)%$u~}UN?tlzY~IxP
zw+(B>K6@Z9uQ$_PSHfz=&bZp!H)UT+#Spi-MPR@Fm35gw+497N!T{j|Qk=gye8Ut5
znpR|5=U3rqkco3r{CR~UrZp(Yw%g*28|>i&3N>c`2xHnVG}1kmNK9n0!~mR?bYJts
zGm{@JNNnDnXKXp$vVBRv=xXJnq()cHtHOWwwMSg$s3f+{tK@2re!WIeJB<_IK|Dp~
z)bGJX+_|XM&H+7~%}+(3!Fr+eVQNIfhs0w(^9cz`?dj&P-a|=J>{b-zQAeF%cDTaZ
zUi`Go$hVd1<54cPLW6ihyiM&EbV<cc^th$_1CLm!cLtneJBZ$YFFRT6>&jIgcY{Qg
zCb6c7_fPlWAqgM$7c)3+{1W5#*a?dNt|N^+ej^>*t&q!C1!IWxlJ+JsVjLoAQ2A>0
zuMcttZ+>%1;j)y!qJ!!zFkY`=m@O7RW2|%=iS@$Tl@1JG8SqLF_&7wv;b|k$QHPqd
z+|@AFWFbS;YEv}lW3RqIJ1?X~XqN?rXW9NeaQS`XR$eB2kZP^+H}ZEsx0|?0<&?gY
z#;Nt>58W!f#qk`)i_Gj+P1q`|5vQTE)O3ZV5VfaqRl$gJIHS$BV1%g%Y`{F8G^cDK
z3bfs&C5~;TzpvPf)AT02UOMOo>K#Jd>L`10a}!>)Q>V%9vvJdXc>bQh-wRc!@o?0U
z>PcnZAeqRdH`8NBm3W~MEC&>*Uul|S5b;&hi3Cx(!#D4PIl+3z%L?!MP4x4fg!5Pm
zQ_P2x#Wb~&N!-s&EUs}1Y}bfR#uTJqd09!c{zj(Vb2>z%TZ=Ql{GK{rX)+WuQPJ{K
zt={$W^EipNZu)?__U5lr77C6>2`O%N{n@{Mu7%1`m~85|_J0czpjWg?sQMLsqLk;_
znHiy3SS9euRl{c<g&KWQ3|@^441*-3XFj7`3h?I)Ao%hSB%wD+40UKs`@JGt)>=(m
z2RWKQevK8cTvlwi#aaZf-5hzD>ZMR^9%R&fNK{M-8R(Ip)kT96`j*hCI;kdM74Ws7
zT5eCW0@g7vNBC4aYSaAsrSb*S9@FCFGwSt9_4wxBXOd9Sx9fW^{XA@XH%}q)nb#$|
z_WALZ?+;tl&cCD{60-=@$x>f)3r#xDQI=CC5;wUEewOu=BB<77o>j16XJ0dDBh;4}
z(c6=F$`tZR_w-UY|6uzlRR#uBv0cG5QD@1(%+ee3rAW{;|2mN1ej+jItJ7SIKcFJ~
zWgwQXuqzTz{hC;HlzEO<zeVSyzEdQH-q3PG^;$WBa2X}dyp=A6=QdxMfRs4xbrp)p
zAJt;Fs+3~v-Tl)!`HGuqt#CZvsPXSdsosay`kHRea+E?_;m`KT)k##<%&I<9)GMv4
zaS+_LeEeX?CgpqX6kw@6ek@a&@3?)asElM2T*1CJAe14M(;qD&_=vU9;J{94b>=fJ
z3%S&2C>N&`(lc%b%6A`WGGVm<#yMF#@?Q~9G#~a7sE>FuSYV7;NB8&*B>jvKr5}4P
zv_&kkr9&&aNFyWQn5yJIb+B*!l<eX62z#XLK3?CL4L=1%__44rE(BF9a_)+j>t1?1
z@jFF_BeO3hDkw)*u*d#BqIuL65yo<`+7+i7s$TFhFv^ryCf6jnxdvewVSkh-l>G^e
zH{h<=oqlS{fXmUj!+#bH+*--QZfFiakx>zuPAB_g(d=I@N>=oDkok$)hTdE!kAFqH
zk3K^cQi6nV^IOPB#U<&6++<Q<F=H6*fG4}C%wgDI+a|>haGjb-8}qbuBGU59=1b#f
zeU&!;#-@Y~ap$>&T3`IHmsEPG?qjC55AzcX8=6#ao+SkkI20V64kjvM_{D0w*-1yx
z$(d*kXvWgG=slcNgoF+hbTXKX%LqtUAoi`Vho5AhDziui6DKs)tPZiI&7nb$IEM!=
z(HrtzACIUgg_PW?`OdP7OuEb!A@1Z2c=kb~QYgt?gLavtYxsg7OIWyk6=BKUiy^g%
z0UTWOh9H!4;cK9y{*@3s;{%gor2>DQ!|p)o>c03WJu75r$gl-PYn50F)VG&ddomIF
zkisX*K@Zjx)Zawu@oZyPc@6I*zPwFS(-@<aXTVFjD!6fV!Q45A{Enx6?R8y5Unul0
z>De+G@|4rmh*W1d3tAMO2#LFypY2ry4|lsZZ!ERsFQrj=i;F^hX?+cTO{g*fAchLW
z=k_xRk!99XRo9RGZu@2MHqqpzG|qo%&Fhlbcmy9N#jf_sOCI9)t#2k2#&j`~ypkCW
zxsQWF&*F<dAbNwAE-<{4a*Ds7Uc-vehWx+e7KVX^PH%m1s?uv7lD{(Ti0{XPu+O*n
zX%FiOP|PTqs6&d3r1MJBVnHHmU_>8T@UfSO(%~Ve!_AF9mKu|wm(P1f`?n+V$Z@xa
z`>}BfDfzoBW)zRG>+FNLo^j&hMT$96OUs#pe3OB6RU7=5GNYC@CMfu3V4o4O$3$^Q
z<-s%~uM&YI`~^zT`^<?cqr|l+f2TU3alWwpZgJL1j^Oes*o;t{HNXO9XAib$-dUiy
zGgxE=5=mk)@v`nCey~Rv5BeBrJySuC6Jg@|hzWRF%dI8?>U88?VLWL|5wvsg9;D-S
z)pZh+DEZNqCQUn~?to_*T;~r)B;1rgajw6#GeCWk2N8W-K3x6zu_LxEYmS;eCp<5%
zCJ*W#vb&9&_{qXZB??0p4Xkx|Rnu4NGLDb6WrViS`<4U(kIXO>iW;GG7J)xmz+VQ4
zysQ4`?}vC-!QWm4Dui;~B_B+;05$X1=_pW%L&=7rE%M@s*4$wucHF4Z&-G3Xb6)NW
zn|!+Jy5JCeYOa*)-H%rAGFo-Ml@HFbUx$w{{4OGAA+*HZIAW+}9vGSRRjPGfep1T3
z-YC5(dOyF=Iq643Xs7p4Z^CO}A7gPKcNIeEbjWz9)Si^1bBe}xQrfo(ANFmdI@V5O
z^Rsp#D%5_K()7ed<o88eg(T@4MCVcne$~58x<m*rC~;}$BWnUObu0X07+;rZsF7$f
zBV;^hWIviz8VaiOHa3Ht?BOQM^r`zj`lwKF7UPMe_ddw*Fe=<}=d@aq{7D|pqhe0s
zNfO=FzgNS7yllR+8s}yG5@S^s=)J$Of0oMGQH8RQC<(iEe_40@J4U8C=UU$t^?0_>
z+og9RmSloIaS@9#LF|%1ItABe;y|B*6Em)K%e%0D*2^|JYmg!ds}R!ZYr`+1+i7)T
zk{CL<spC9r4p!slrAdMs1P_Cpf2g2OY7kE|w3tKXZxxP_;1QXP!kB}W)6VVsPIzzo
zYLvA>H>|{oS899OVJ(F)l)lp5c5C6t%fxeF#&#&^W3j*uQu3&C#hT2KO13wG`dLz(
zy8O3+N2x!53`k@H)WVi`BHZ_xJmv6o@~Zs3=xYdPuDAIuF9l0fDHVjrCJri~nl!xL
zNI$};G`mqM`PDt#RO4DPs=#5$HcNj~CXRe4Tk}WaJHgUsSv0L3Nlj8PMID9>azsqj
z*W_iXrQPc-$KMMWGOtLI$c{_dzb}6&7Fb4l{B*Rz9b&pTU2JS}oU0gRWv@$g-9K)&
zDLd7|-WqmXy}YA)4Bd<6f4f$xhBG<pv&>tOGoT-3ZZN?6xKSp;T#K7Og6?_A+Pu4W
zAnu^HylrgW*e`WLwk5O5%`67A4m3TMliVymcbnh4=~U=?+5~-g*5SkU#zC3^i7DAd
zeDoF&RE@ZMANzbQTNoe;O8_=C2}m|G%T(DC6MAEr1|k#ILDa`ObGkLH%>z^+Of;M_
zmy6K;3Qo1xIJfV$ThMY@uDXT{Xi<cZdzrE*=KD{srp<E<zx0fiI6suoWnB;aWUG}O
z-1Mn6eU&JPx$UR-O%Iahv}<y<^e1T_x7A&Ye4d7;LrL`!T@klh<RZRGM4P(qcrAd1
zrXLu$Q)Yrm2EdM~8UHT(HcA1j&!`Pdg|t0XG(D=jwhle>T?=L^Z_nj?r(c0yh3+n{
zNT{YAZS<c^!Vu955<@iXs-sy(MfDkRxz?S}%m`{eBz+><HqK%jnkU8{%=$JGr+*Gr
zzbh)zN76GC&f3|}?FLUTl-@p}HLXaDyQzMdpECR*NMpfawg>szQroW=3#qsj@wL~&
z=2nP#u>mvgi=;b_#>&>O!Zq$LxTF}H3eCDJA*`$JC}(9@o_=K4?~9QM%?Nwf?Z%~<
z`72u0bWO%M-rrfiIq4+!^>5dKs>Dj2mCk$w7{FnG7AsE8FEqI+(?>Bfz0@8`NX>WT
zP7h~(-k(ur93X4SA-5iC@T_LJQIZUQI6>e{ncZVKp9cm78ya6_t|wDjblSwlPfSJn
zW3my*!+*XntJqy0MWD*T%1K)^HG(Pu+jAkXW5Q;&dbGECyi|LGTjX|$8`(ydejwYj
zQ4Wy;NT?!7u$#ux?6*e+P}jLApJgO#!bCpu@G=4x3IE3*DH8oh3KKDdeHD`DF;qys
z-Y(2js>sE=ECZN~2`6ba-@y<VU;o2dX)`*e(ks6v7DQHgbBlvPhA3tkT!C;C+0RnU
zb6hOgRjVnou$pCacg#Q0JTVi)B8yR@Zej`pojgm565Af+4LFHGG|4tMc<|+CBy(|7
z<}LJ%!&k*mH5ipqiH;6Oq|1ytH4bE{vd?b4>>S|XS5z^u@`bv%%9nbRdZirlj%@7a
z8>t?PCpxAUl>Pc{xxrIf>G`PF+DG3mJAOb-kFQUi+Den|Wz(lYFPCx?$<K=RWAH}y
zS=7_F%2@{$_KV)<?owDYbEcu9T~YhZN3!mqr;PZgC>G>3T!3qteqg)`K-9r2i_LVI
zlGq>a34cbm5tof+!MXAZo_HvMSCxdya-K@z2x(j+4vkZ0)G;nz>e;ZR6loCZU4bs*
z{$kYm7G^#-+W7TBZ?LNxW(N<wX$-)2)P7O|wNOhmDZdoZLfnH-y~T2Bblf|B1@Hl!
zie5<)LXgy(>Wc;(Vzi=Q#4GR|iQ?$R)N^m1t~;xAcr&_5ZMk<ih+74y=YC+m%@W+&
z=7jeZZ{vqYHJvmt^H2~MJ;FvRw*7j_Ji;hsWmlk3GrYMaUU%|vRtBC_P-wsbjGR-0
z`eb>yJo7Dn6~Q+CXE42mjSr4VsC`gcvW*k`UyB3!R37-LIm*W+6j3|WaEtfr^w~q_
ze~WNuhLreK4dKwnfBe1djMjW>TUhX{K}g6dDW=`^FDxD%_JvuHe9fGY8(&yg97WFa
zD{iqx428EMgS!P7NCLm==Hy`pro-JUiT~FtZDIj)VYsI_JUJ75AL5uP0(bUdJp6hb
z&hhAG4?)eHvtR&Ii?rXus!2i=^bbf}1+p4he-bTpw<sjJtjubIyirP+000)w(ah9@
z;ahM328-0L<2OyrT&K>rf97D#iTYRm?z6YN^!KG8fWZ0UO!4LZn_>RQlso?aXTPHX
zg1xr-F9<gCpI6?wIEGiWW6d!0ead$wBC-xufTjG551FBAoHb=k-~b`EZD7NKwEfDO
zDIb7?A$|yBV~$6)>YNxYo+1?^@di@^*%4y!10<U_FDh|y_agzlXgAk!LRX0hkXZ0m
zm~o>NaJ@TXWbraU0qPGUMj)vFwh_oZ*4lpEKf}`qnggI#hnkv{J>!S*f8K25pF;t~
zgjen6fnU|Wp$|;C{Y#scWSand!*3j<V!!M5JdxD9S3dk-uLSw2#dg{&zS70@9=%l$
zd^h0rCI<=N+ywD;6^UVli(_6t;a1mb>vL14ZTDTp#M|p_MMI7ulf=wwI{DfmaQ-;9
z*X^gV4?yR`k@%y3FzToX1Fl!6NqDt`V^y;W0CDSDl3WqmXj<qBW}n4@6~BQ6o9=-Q
zDe!sAj25qPDoXzF)6WW%Bw8&$|BLMdWfU5aQzGLru;4)bBzbSDM&=ckM|VD^jUNSy
zb)@pVvt!75XAeThu(s8|9oScagg_8p2vCf$>QOka9Bu2)foosQAr>>US{;kjg=?W{
z&A%LV@%S$QG|C>gs-fGO>%A5%QQlek7q4eV9+cQ9cV`3@JjNXWQ!aPJVQ5^Y*e5tq
zn>lH_{?66ewf1rws6D^Cc}q=2k<LfWfXRMYc*7K6|AJM?rm_ALKq;ox9BQGjfrmmU
zWEH0A><ScMl=7#zj^;`aZN75oaJ*L>4LNaa?}-!CfGJ(JcFk9d<w=PVZN}dqfOfMT
zspWy4!q1_boH;X$P<QZ+z=k|{gp<MKe%t-h*Qe2}?!5KWGO0ycbLB7z)XS>pJCLQR
zq6o{<0fk$CAtWsm;~`72W&p>Wku<R1u2=ehU!!WgyLV)?W@(7*9Tc#Y<U)aREjB$t
zh458iMcb(xP5wmu0jX7Lv_N9&ukd1ILMqOq=xOx^8+v8+EQ9*p(mlHx_|vYa`|BM(
z9;#~0baAPG<11dUMLAL#h0e>|9h#gH_#@|15yoglc%i$KhJ@)EC6mEQ{;_%cMs(=6
zW#pE_2tcQX8=-0GqaJaa!-GGW)~3Xcf^i+?Q!~Fll3@drSQ$^TM{v$%5Q-QL{zgN^
z*RP~e#ywcl$B0#|>rtT#=#eiXK$_-!@jfwx3=a0@gUUZft15w)R=w`To=fthUz@&t
zog8+kGDFp}jYaG14ws{b6Sxnl*W1|qB+$F1yy{RLB{ylq&RQUzU5{#YFoJK%%ba*E
zE!J@#fo@35!YMN|?g5qG^YSiim_KdUdUBy_g}s@3LZDclCZUnlGxYT96Ug9F4m&PT
z^>H=#o1A#8sT%WrC$`-=d4O8^(SPc`E-G#G$C`#k)SQ&ad8C~Q7E74|QJk2v4Xzq=
zBZ76&$CXL83rTCu1Y5h*1M%is-`o2;4~43A5|^<pM1X%IHe54iAUfYS6xAe3%RYPr
zoh0E6WSpn~wcc`FS_;=1Tm@_9)!Y~J6tDOODuG9*H+QIo@`Ad+{yCg=YYytP?x^1R
zxvrFtY3riT(gAlB-+G(fB;%bbrAQJ858pQnr${c{qE73LG80kcyN!g8FY@qJ?IMrf
zgjvU47UR@B)6WeiF5+Q)u7Z*A5n&dSl;Z<p0C4VK(r8dpSCYaC5?JZyhQ7mWfhBh<
zf0(92fSTe^@a{;w<WrsJ=9lI-m3i5WDrC7U!lz#Uz}Fc#+0IT-w!(V5MIl%aNW$Gt
zmCYkDxj)-g6*<h6S`vIHWaa+WfuNWskN64A)46T^ej7sKI(uzLpM%C-<_Z-LR#eb8
zy`=X7Q*p%;wuK`U#gPg7yt%TR0*Mmv|MIB1|K(9xo-j55`Rq?q1H>*bN$IuU*t}RG
z{YYA7@W-8>dC?UoKe8mCHkh?{_Fd)n0-f^RgZrqBoEfKK^5-sl)$#$CR$(b->2>Yy
zdbThVKXeJ@nS1c)E1H%$Sqixr+QwvYitC=W?Do#zW&qWA+00WUNvT2fWW`xIqck9Y
zXOC00Kh^_fRR|{eTS3Rzz}zuYd1-83)9f~>Im&~sY0mL(fA}-kYYldo%z_IRqF=y5
zbWlX57$M_ZeZ_t=nZqtI^c!adu5e9zXq9i{c+o+Cz;|y?4#foZwO^az{I9q6MDRCm
zaMz9~4KU&6QyAzhhBhQ7EphImpILBRW^<EOnl;JA7Y@aU7YJ8$*OP*?p--Qz4x@0}
zuYVbep$H}Bb`(9sR$Whito#&c1pK=YdlCBp-jO{$^1>~Hzh}oDdnRyv62J5Nk0AUS
zn1^Wvk#J>rFELHo<5wEs>po&?(XV&RQ7P7%&`xFj#c4$X(*BU8-G^uGk0`N)@4N+y
zz3KhA05~6N&TNN0URB7q*Iaf*T|91*;ZT)ua=sokvWORf5uAIW3FaIHp&axtI*lQ;
zAPA;p(^|Yve>x}$pLmb{s&xo|W*Xcjk6DtafJuX}NTY{-8O-^3Vq8ttC0)g229d2t
z;}(oyE@oo>F_~gI&F@jQd?hMUJ*}4yz?XrD`soK@Q5@nR49K}+mHFa^g$RNmU~b3c
z+v4n;5r{9!+*CG9ml|v>OQO{%&sK?eAE~hWL1YuDKeK4uK@9?NbJqaqtTx8di#K~!
z&SeT(cf8YzIRp8qv5GlOJ>sT{<dpEM7LIX`V*RV{>yYA!)+*}nchTyX^1l(OS@+kJ
zyU+Sh8DI1jmg4=>w1A*#{V(|u6Qoel9o=-0+`zA!dB7I?pWX^^L_>M7jR%OTmHzi1
z@M+?C5oihm?XMNJ&!ikYD|TjRqDU76SoXrGkseSN@dEr;t!!7pR0DL$R*lRU7J&fh
zn%Ts%4TwNS<xQ3;v8nG7nIW6~v@8gffP_h<yN5uqUow&&!mR=;_%DE|Lvs{J?G)sR
z1<1gdL3~g+?xwiaz#(ky#s6*Xpff@jmp71N*F;6(_g7x4Wo-P%;FSIrC6Ly|EcggG
zdQTRb>l0nfOKLW|hT}8nshACaqA0Dl-NTg|`du(EI1@+V<F@sS>AYw!iOu^DR@6vD
zlDl|FBr!RV0EQ790Fk08G(LIkn?qn3emiV698$^aUqIdQpFxPW*ys(<+s{>YXEl^k
zpG94FX2|oEa#ZAkGlxF2S00}iC0(3>iEK)*#H;95udM3h%N6B%m#rGm{}=P&u-#@k
z+*;eHSUcn1Tm)(Zw|LXCt+5T=nWndeABcE$-s96z(nMv%D+uh;$Rw3~6p?U~>Ig!e
zGXe^M_a-A(RolE(B5Y=ZnT@=R`Y@|td;vZipir}uhg(!|F9GEFES2FBC-?}lh|;3<
z>2X@NRGbzX!63_`x4`IwS1!;0XBHqQQ@6%B*xBN&#v59j=RN7=kDG{tgA=6|^@KyK
z=lUwbdf_y5Ao2OMpQJROvQT2F7HN)jlKon}^G3z-)=^H?-rokkG=Yq(YU4cb*ME35
zTWz!2ye@~m?4-`oOta;8LMlK*s6UR^ZQ0plf9aj~-<#fO0S2Wv{Fhh8bXrwquk6Oe
zwW@8YUG$2WUgi$P#!&diBSrYdA)>CxOfk>r^f*mq3wJw?o&CIF^IIVAOQT6Tlx>CP
z<{a`rf9)uX?01<{VK-GWKbEuF$mZ7mN(#tn@{K<SOsZTJr2>2=3XGh(!+e4g8xM{F
z6>1mqD6V`}Lh5{M;#t7Uf>46n;g4j^O;gu4eKAz6gW6mo1uDgV$}`h=&EHj7-Zbbm
zJ7_KWc!A-Wxz^jZ1MgI>a+q#UsmTH<UnRe(>MdXbWHXos5}A|awABat*9&umn$6hW
z_G@^QsA1%*W~Eaq#OO3M|I}0~)uIq-A)%*{-;0a(JdSa9Sfw+>OvzKYmP;)DL^FcV
zK>t?REG|-8y>CQ7PNk#Xu2s+RY8v(JnI|FD=-E}J`ozKBOklt9wdrkph0(dCW`nn_
z>^#x_9`L+>dFp<Y2@)kX^1nRwg~hb!*`22r6;oR*YwnyI+G#dBMqZWs=A((c5XOWF
zcr{=0uZN}i)C-~arE<r43tU-6BklZAG&WuGCv*HW&3y6!XVU<G|7}M4;mt$cgs@`O
zElny<!a@C_u3z;sy=#-j+EE_^E6s<c*3m}tvBRxrD#1`?G^IjR2isaB%lbm|<=E{}
zsmUd9ShrK*SUM;1w_{ab;+fR7KC}C(Vv@|$`4#EqK@+)U%w`(hGF0f*l~JAD18~$1
zIzR2@*ftYpJBRm=mH24CJu`#M&+ob1MYjKmH%%m5-u{TP_n3kG3!Y|<%Uu^i+e}Od
zrjepkt84Q9`@^f^?J7ZN=Cx@D{>J#1l(p~4x`u659_}yFR`rb0xIex0YH1o<!I)|G
zYXtfnsghea-QkSZ%zmqxqT*N9D*C8U)~w#XBz^DV77?Fs3<a6<b%qg5(1Lk9UHH=N
z2$zhcChmyu1?&+y4xMUawTr#dPm&n)wNCd0XgkFpDH@`os0&I8{Td`%AJ6}Z8GY2K
z>-D{OwstKLYcb|)aK9F{SyF)7*&}D&bWpb}y)j^-TzU?7H|X1Xv-Fb;6yiZ+k)7`Y
z2y8^>HfHTy)XNL@HH?%sc0Qj_DJ;y5)k%p2FSlP`ZcbdS<qI&th2zI%&NrI39=b<8
z<5YUe?$P(|sMYGWPuU})uW_%LiiNYFRFsl0o26MtACrVHyMq*fAc|KH7ACW$V!u_K
z?#{DlR+=i7x4Ba<Dtl1Miw1d*Z~5e_EOXPTmsC|*OsG6<I{u39*^oV+f7#@HwGkT2
z=fT#ON>+Ns<C2Q@MWflW_>~=0+|&0sol&n!wtG>F42B+{l%_B~d@JN}54jELyHEG|
z)0ljC&jzNq9K#qW2p}lk%kV3CSEOGnwcvBh<WaoCpj0RLR<qSZEIX^Z?3`Y&sgCU?
ziIoIZ%OoK5w6xW=|8IC!&YNZU3d3u&^WBu?01R^!?r&<%6)J^SO^5Gur4ytZS}$Xu
z7OtlqIQ3q8C1_sLRW{YxGD&KVW=y0RXSXUm&XzO`>P2b`8s13)x5{I+Zhk~p6KBz@
z7K`qx!6a>~=x`r~bn7b!<CiH~V=gc@zn8}4%JiP<nhsyREw};VWSN>l1qLiOVR~rO
zq_o@Ar3x%A(-^b!!Af_KO5m6xz|8=#Yd;)y#REIT{Z)~eE)33go0V!zRH-cDXcU<7
zXs!y3l+xlHe0TC+KBRnGk<IF9aj-p8`8#`7`}sHQ2Ndi!3zCk%21}yOg?;4oe8mzO
zZ*+a;^9NEamDMLU6V~%GB)&V1OvXh*I2hW|+jqQ?nTH3uL)f!b8Kxwgc_N>Y6aU`c
zooQB|EYi<y37ro9BQ`CX%$5VBZW=&@Z&pq8DF4!{c`Y<XpzlYVS2~yHU=gddkQIT)
zqzssn<bXrds`T<di4%N<SVRuSd9oSQOZqo{no|PZfByi4J&o_YG+R1Z7?(<(5(ryj
zc-?Fn3?qZgm9yQij)owd>wn5uH+xuDUn<N7I@vhXFgG>tOLqoFWW;#-9oDDv`>2WE
za*h97flr6=bd%I{m3&ojdy;B`@P>l-<tlPuh@7(m%vOeYQUSM;*wEkk7IP7ksD!W1
zii1)4H&lxXW@+!~*kwim;a=A7p8bpx``I1nW$OK(VZLk_>vVfqCS)@``g|>zr#k!3
z%SoI{3nHZA+v_bUQ~*f$-Xa`*^q;w}3M;+hPf}ph<YV(s{x87TKM)TFrxfo$=|!P{
z1`FyZDNx7BUKFJu8o?MyvK0)lxpo$;Ea1AFG*CG}^Eqb-W?{HYHwn2)=-;pe!-A&5
z9v21go)~#S#ATg(PdyC(n<y;SWX-w91E(bG)@i!;Ube%=HjSA9i;nz6I71@;dKwM7
zbX@vhf)40Xz?fJ-VY6Gs#cPtlP{x0Hs}L5L5I5Am10+lT36T8xvW|Ta0{A%2Dln-g
z*(MLb_s)2Vb;J&A(IqknP*MQQL4h!MIEq|_r^$sHgnD;)HlH35bNsv?mofieXYff0
zJP*pX|HK=H{UW=6ngq$l{$dK$LH4v|1i1TP77EOvZt45&Z(xJ*2jPt#A)&&QZ_NXs
zAN;vmsvi&;|K+X!u#r{-_V*u9c@cOL>z@qPGn75jAVrD{C`rdKcff*7LbL{9{zC)6
zi0h_YO*d?A#AYf7&IZO;-9vf=XgFgkVn@(@Z7qw8nX>WuuC{*pZwApyO*S7q|NoeF
z{U<2@C-Qt$q!6M#4Qpetqu1SkfaZ0(r&OCPSdZD5`8*{y0-UD>w`dcX@!7&)`US3+
zDZ>Ni%zHvTYs3p4s@WRz=lK4QOYew+E{@?nEe@eZ2pw|13;#pO|5zJC?l^e<#HDi~
zE48>1{k~|`6-S<3#skbnKMloKkFfvMC77tU)oJn8RLYelBJNDHgkjAk!hq>=V=tYv
zldUN#p#Vf&9GvBYm%D76j01MY8vb;M&chV1z~RK(n&hYfLKculg#YaIBz68DzAA8G
zMO-YEOh4zMHw73OcXH-S=eA$+U+asL@Nqp{lj;K_#Z8yHjco4w2InVJ`Z-{tn)zWr
zxSoO%T*~p)c-|dck;Qj=1^PJxx8K9@Xae|O{8#{0fK(E*E|~nR9N~`xRnY+WXSxHe
z9?KL$kV@mJmKYHqGKsG?A0g?>5NOqDaHd=O+9Dc`dpPg5*f&wAZVJYoE4<GSCCy%+
zj4K}k#i0xk%llZywPFDoy8>pe+3bp)HlL3ktnaWz=kcqO>aNpI`H$Z)7NnzSO#_KD
zYah6`gAH$Fd$Cpj@Yhh`&1*1qNo8U;-#|skqKA(H!nW<Vz0aI>%#Z0+?892X+8LsA
zqg+-&Vu~dbL8dAL8${q7w1B1+#)#4ZuKJL<INnGgWmNh0QNfirsoHdafKILG6G5q+
zbC2MtFSy;p5g@Z9AekLbi+yP>F9k$D3O0vlWajsuJ?NPZDw;!3vhsn*xCKXP<^UQM
z*NX=Jp*3Ktuz$;Cz5j7C80EzSEac;KEfgpKp#$Uj$_Z2Bk|&!JarCMM-@W#l&$?(+
zUVGIHrf@0%%{~)0scxfd0vOxZUg?g=<MYw?J<pkI_0xye*f4-QYVezkV3#q#q*;kf
z+PQl3t9zf>t@^>*)*@J1K7J7irH`5YBJ%LW98`F)q49c;qg<1bbX^bD=;s2=Ky;gw
zD&VI#6YMI4&tU^qL6t{wRX@ps%kaCYrys#SV`;rQ#3O+&`d-SlTx>FMgDVD9z&tll
z_DXa=T$lleDFqV%9RK;z-`M!}Cw0BoS&1d5HIr7=w+c8t^=aigdqY$7!yKtNan@H&
zm9$pix`uuTxFw<$oi85yeE;V3&kqqW*?uEhFA+_W03<)OEEhoOkONj-Vex~!FP<(A
z7m8hE5cT`^?<&^1O*ac881;|&gvhkL0|ch2yl(On4&XW=%_jG9J|OOUPt?J<wDIuy
z@hZ4PCTrnArd~W&igW@!RfhLrIPM>}-8n^p)g##KdPZb9a5RYt*XbbNjF;w76+aE2
z^-kud=oeSTwF|f(s)3Tf;KC5gy}p7KToPp1{8VW)#O18=Kn-?5)CoyNqR)ML>t6d3
zocY@M&qvth3*oWgDi^xgP}l2=6X}m_FVV{%Ec3n{ql`w}`NV3x2BvxAfhQCm>box^
zQ5h{)GisD&;%bFt!U#dw;CC#&Dm_s6hkGCYkdPkb2Yyi?Kdk{Y%v9gVu)&QQE~XE+
zJDhwjPgOI7j)9t7EFn_hx!+YeZqj;xg7V72QhT8Eo5q6Y<OD7Xu<I>MrqSVch#l?s
z7G9t5Au4Z-<>Z(SBq|lEF?j&7g338|8n)qIDg&SdDOiwC<Dt`=Z*)_yX|r|jBHJZJ
z!#RXAwC<Y!YMaFvR#oS)THp#Ur+HItx6&0Jpic=d&FG}*pD!~EM8kTQ^teXk_{-~W
z=wETapf9P`JDQ%L_W=EMX&1k!g>1m2`;Z@~B;JkovY_oxuMno<P>9ni@N{wW>(|+T
z!QI7P+%K8RSC*Iw^xQ{((8Y0q>aqXGx{XElkNFjD6_~y6cI^2;RL~5R8LBQsvaHM>
zevgiHhF~bSz7YH-GQRp!ons{_=Z!S1IR<^R=>siDyW{r+{~bHjBxLhhUay7&dCB>D
zl72iVUU?-71Qe7@bRx2}O*Ysv*xA^hz6Y)ii$u6ktiM}lbNVH_-Yo*IXQ;cnK3kL?
zje>B>hwD<hFD?lMP2mNc0$oeO2cnnsBh37vNlyX@g=_q7Z#Idh;q0jR-l1SjgL@?|
zh{-X|#iNMxMe$mCb1S$UR=7kjfpcwC__|Ayl>u3ol`28d^Dgi4Ct6)c!r7f7=sz&Y
zkXgtPpEpJBr#>z1Js?`KFr<J69V(Kf+l+sUIh0-9`_@Ohm294_SOWpN7Qznf4xR=_
zGGA~#RHi5?qB~%i5+s9AuE0cm{BOvLFAy(Cs{|&1=~dPm>_SN(G*Ap6^6QVM%Yr^+
z*#NPe0jL#}0tk#BEEpV9^$Y{8XS^G?VMkDZRwUvcmvzXWUKVm%g#Sa>d&g59{(s}n
zu~#-Bd+(K*bnKO#b!?J7%ibcgD-J3gB*HOrjO@%pNE|CGN%qPt{H{}<&-eb`|NQR9
zqxHu*d5`P5Uh6rS4>A}WujPkurF2t*VfJp!Kysu?m(<m|vi_{p-OWeFW7v7)BjcSf
zW?O&jcLL-8_6aX1J2XB(@KCjo3Lp|Q;6$WMD)Bg2J6MF{cE)1J!`-;VWc^Xcxt|3q
zW&3x#Dw5(>*^`#q;#Ma^oEU9+RLPV_RVv?G0p2<}1%Dg|VDz77Hd4h-gy7NuqGcwy
z&-VQ@X%Ecpkn;>OvFnP7RqF+cA#eA;GUbny?Y-y6{dTqb9bgo0iYq3RVcYMC@rI8m
zWh04U@-?J|v_z1yJ8z!$gJYS})||*XXr;^Q@l_Yq@$MTWR!e!FfW}1~p>@JYwx^rW
z2<X9PDfryMeN-wq9LaX{yYh;)l;8LnWQrHw(|36Gq_f#I_$*Y#iTB)!t9jB1jUX|o
z<cO~QOxg7{3)#zzpXgsq*6J5+*cTk=;>3^gZN9uLL6Voum!f9=&MnFRrug&Nad?2|
z)BO?`MId428BES`mcj1Y=sj1iSp4XirhrSIHecR}u=NH7io<p3=EDSr>Q5YtlsXwQ
zUT~gRc7JeL^}FmUi_J9X#3ym9w2s6tzEEDl@nP+$2DjiiZF){wKsi^2yO)>f5KkF!
zG}`rrC?<V!qXu_g9X$xH)We5JCYXXMip1y&$N7Lz^@r`bmMr@N)6pWauUVu<j|~YE
zZxZPedB3~^*&_k1YVG%H#KB(ab~vLH3gDd_^RwBS#PLM)#mVZooq*UrA;w5Kl1MdQ
z>y+S_>L=qq&Ywl$z>pZ$%a-U6XTF$CvCO~`+(!NyD9UgUUtQkSdMMzS=|I?5%7TZ&
zj%_g6rkNvCkFZ;sne6|hJM<GE5X5oV&M_0uTLvprg+@;qw93dRB0fCKfFu&M297-C
zNhXnxE|XF$)sVN4HD<N0>LG3Qr;JLRy)Ki_5eJdTJh@i=EHxNT1aCzoApMR;znR`p
zOfF-q9$E^BlZz#kD@Upe3wQCcf8gK-P-k#TgjKEguaWIu@&4Lm^psbxTrmj+ucuy}
z9H(riETYtNW%%YoRZK!fi~wt1u_+N>ea`-IsxD>Llp(%>cxy+Wgk|Eh)aONyuEA0`
zhoH8$e~hE?{5H$2cX2hpYqEW#Q%qCp<`w5w#C^fx`Pp_Vg_1JS-ym%()&fiE+fU(a
z+v{T<P)&ZjOE@1sg|n1qm$+CM-=xm=jRE51#G#^V&xR-6#IC`-Owj==y!O3U>{bnV
zzLm>s`$xOPp3v(m^o9hA$0s}_D)U*Xh4lXa5Se<JD^CFFf)>r>@JQJR-~%@9_GCL2
zUvcEzD`ze0lUJtwcE45sh<iy|QpRK{D`5PsVu+GEtNG!r@Dsz`B<2-n2l}dkK5Y`B
zkI{_`UgBv&Qu|$InLFVec#dX!GuFqo=IxoJMkIxgWjGZfTR7%XG;zYM9YjLP;lkAG
z%E6@TU2X)s12_1Htj5!KQsSm8{}kc(eU|7A+8tZof=($U1f0y$-%v78_UN~De&MN#
z6N`9^*UCXD#(A>p`n>+#SY?IJXEwlDGtU$VC%zhsk(-nY*A8Cr|BI?Vj_Bm`#DZAf
zQZdQI<0<mmn+Z2t#?o(S47ToN9gj^8;wwHHOhNEQ8xp?MWX|iK9U~Y2Ecf@jkMlm3
zf5O&UxeJ_dAcD$gk5QBa)z-xP;;}GL*Xso63P2OWoirDg$HP{t9HV!iYe8p-bLs&*
z(=5#VEsUCo>0dQC+MGsb32=18&b=~Yywo*95HOdYByUOMZxG4^4e&?)JD&rw!f8ZK
zP>@~Beeff92b{F=EsNXlxuR#se1}DcD|)G{nkwIGHO1i;Fw3^%j|gJE3xT@D?&BU-
z_!0b4@2vck6-b5dGkyEjp8hK_zH+jZgP(>lo=DnJ7hS!aAT|wKe`))YA%&|h=NHXi
zq{#XX7vd@ykQtOwx-01MK)mpVlGFh}YTa7aw-(nswd=46ut<#=*cQLxy*vP;(69jQ
z*n^PjpVz+@#gj7oy5Ur*pMQU5Furuz<XY&v)U|FHnHir<!H)4w695#>_ZL{%MW6#z
zad4mGm0y-SP+uJ1a^NR){x)>y4_UQD;2uaxZEddMP)H8X_oh0^4bnSO6j92WFLmLV
z2gp-Mnje0Pg;+nrK88Y^fleNpGTb8npQDB4MAqIAA9s+HupBKup9e&)vO&5GhHUvo
zD8BWTn4|u?20&|w3#6jB)Wb>mLCZyWUeDt3<^OdU<eR#%B`Y09eEOsYWJ1_?yY49#
z$0=%;1E_%t7XpCuxIQ5p*(c=l^&SSyN3@(syGR=!D{n4g_^lthTknK|1eC|xZ$i-f
z`}%ZU>76n|<tzw<G=}VR*isk%`@&1g=BBImy-9TIydsH9B32DrfQy>N-lq<wjKrpL
z=Ih@EEWhT*o9}UHq!^m7eKQlW7P?k18fSdfZL-QnbR#~xPtP5j?Km<*4}X3xmIMMq
z0eZp%n(k9Ih0O?t#+UN54>ufuK&3z#=`Dkoaz-|G*Ph+vmnui%Q=q9DUo9bItgVuh
z8H2ga?GZA02SoJ7qXe%DEZh^ZLuQp%)7PKjp{d0|vxEgtM4<}^V{92w##5GRHC@z$
zRD9jtd=*cbl!90BNmD(ktd_F4is!eGU~4}cuf1=*S^TOqZDEbn9sH!(II!<sxXBw{
zMz<pSw#@rXD}oP|0RL~LBrb@S)q*=XaH$?BpiOSJUtatkXxS_mwdU}|DiXe{WU#fg
zUL~oPqHe9*ZR&E`)E`xteJGT$r<niHobKALY-_#I?6zk*5UsfTk@_$hk6Lk&NIse&
zM?n1F<RE5^55dIwcm2A_eBy>!QHp~XX)8;n+!C;1w&EPuPvZvaEWw5^Sx9WoN-Jz(
z7(zq!`(4EEz!mv(K!7a)vXA8{^dfLM+rr{jJYs4sP)LK`x5+x)EydzsQwomM$y3S_
zA_sBmf%no)Se_%49%R(Ig1>MMRn_uAEfOL%H?g8PYCS>fBjG8%jxs|%CwZ6%7^vYb
z57vql(Zfg4EUmMTn))Z&7bo62>t=feHSjfO;9A|z5cj~t_sR*7djWbbFlZnL031$y
zq9`K!2J+A$cU)>U#*0Ta-9ezPNWR0Phz24rZ}!uMU&@;(0in5R5Lov`nPQJXQMqmz
zNAZ0y+aR8Xy^6MaoJvsKYv%gn#6&{}V#-9y7|``KxBUbpq{=h!gSAFp%F}4Wx+r_r
zRl+B$?d&2}t3=~yt`Zkbnzm66{OpgxB@`6%|6HVQ`bXR|zLZ{tg_FtFK9d2!TZFm5
zOiA!c$oAKF`&bpSU1D=^H-v#;Jk0v>2SQWXLo^DbkG&ZV1K29BfRFu@`e@e+IiGn&
zy1FDiZOX@#-fmxBo6Z~bOeydY!9535{)ot!GBRiHK4<Boo4@@EEB^}Uw^<Af#LhQC
zDFhY!336@`%es4})#Ds^OK$P9SM$yPq>!5?_Qn%VPID#sv$s=)k=8!`<hs2cdpw~f
zC*Nt>MtJ3#Z=5{RHZdrUl3fkLK~DLO@;l|iR2e<E3tA{2T{Lbm5Qx(cDYL1cn`TuV
zRbZQ4X%!fH;rF4n{U7D+3_}q<0EWp1{4eYsq_jGPp#KKt0oBZj597_p<UZkaZ379@
zr(Bv>9<$syqKSYk#iv?NRmRZ}f9p%#Xy{<)_8Wl6Xe-k)5vx!iI?z17-_^(eUG?2O
zZ%}}I_Hw!HvV3p}6@@3aFN8GMs#rHM7c{wn_ARILK@Y3X?1w*R|BkD}LvmdbWdN(V
zL&S;v$h{~Fsr&H++mAb9VsQo!aodp-h_C*|oIYCDLe9al5ec5+$iYqN2q?i%_tB?I
zg06lt!rz=jUS^hZ#h+IG2R+wo`&v&K3+BTA<ZA|iq(~W>rTPaoG?S_JG%gX`lu`id
zlfx)M_)m-zpE!rdRU|Q%_X%tYi$D9#0mH$v%djJ$7q1lSAH`x!jE6L#nExOpY}vjP
zv15@Ev91agoRC3EaUuFSfZ+@1mQ+oD6es>KJ`zz7Jm0>BZIwkOTR@59SpVnl9?gG1
z_Hr-g|Ks6*{$D(N5eOK412EiHhEuoKzlOWVL*@6pSR`oN{v0&`>vAuG4`BnXPgv5a
zHv2AUWa5tGNCUVF_=Oi84d87!dJa#(^+y6pheH~6Ha-wXV|+oV=M}&LoI*UK`2U5;
zNBgeGtw=17>5ohzeg=$)`oA~Ag-0l$*KqA$&u^tUhXBx6L0q{#Yso-t5g%=NfNdq3
zg`vh4&=0XtD{Rsb@QY-S$P)WDKg1%JxEBfk-OJf$xA087+q{2sGwFA#mTm8_Ywx~Q
z_l!1sD-n3|@4VwC<(xcJf!?>5>n|D<H#Y85C#rOUN16uyRl^E0f{jCBpp8oyqkfr>
zkX{|e&(tb;u=dKh84W=_j3-QoJxxqpG(EbM&aKx@ik10k^NB<o#{BR48>$?X3&Fww
z6N|-SmZ*=>QGpwxGR7f0D^c+I!Gc@JfSTP!N-ZW?l_5&>|A0pDT+p@un$*~w{eMjX
z|I?8Fe?p@H9ci#sulTk_)J1In>rvGW3Bf@ZK)?Dwt?faIJ4`oQbNBv>1<-<W7GZIm
zD>eUxUgd+9-k87J*uW#w)hyz^k%z~dsh_z?X0B4j-zLCz>7&6|1B^<B)+xYz=pK0C
z($ADOcw?>-1^+L0Hwxg&mAW&)9}yoBV3h;|Wq!;J+aW!uG7nHi3Rr!dXY}Ujb$A^w
z`~{#Y&6Ge;L;vqqu{^JGa?UikIK`zr>CI@1Io~A}v_w4^YlMAj#UjG*^=3Z*2Mdyg
zT1pWI{|C)1ANB*y@wXYuiEU`$+Rbl;QLHR@H1e1hH9h5Y_}Xdy^A0W;75G{Ky2cfJ
zj0*JPUs`&;L7~L*4ZC{g<SN-+J+3SW=LtGzXD7XyoKvhGv}(UB`mUR8@%FVAJJ%%Z
zGZXWj532$DAvXHsgi3b)hJpDP2Co|g=+`Q$q=E+Xep9TpWRq&Wsh(6nt1|3+weSC#
zY=2*haeQ^sdm%eAnPT8+Te|EIj;xVf<Fkp6d~VNr4rVnBNI)q5Kd;cBkL2Hs3d@hW
zcg(*b`xlSbBC!p$8=P2*1iYBi)7H9(iK-mEz??f8xn&{o;=1seMN@7rQ|g?k4`PIO
z<Yu0RzRf$4AU4I!mv3lJy~chxnSW2U3mS;MQj%$*(Hyzjo_TriVffxR6XSz7*NsDW
z6&PpAkhH^@ceZZ@a|=;eXNn<MGv&8*w9>{Of3Me$8UzS{I~T$N)E_?UHoiLUI^SPh
z;yNukl!~1FsSN?yxPd3B8tdPwNh+-7UM{zN0H~MDb~t8$gb7e(l<+!AA{m||kTAga
z%8OmgboKakn;^GoC3D}p-AJ@T^=H~#u<^a~2#wu=Hosc3v8r&H>F{4k!ZY`6srynz
zk^>8}zq(O><f}i>NxMUw6>>i?-_&`o^*78`I7ffR`~$C_WB*g!RUe|(*S|;RGIZXV
zXlD;hJ8uu)mkd4k(=NE)z8`uKcGzIu>Sr*MH6oY*WE{m1*D~i^s)S-@&!?@8g>@yT
z1I}(ScC2N7*MFgPZ(EM*4RwE(?a0a#&fKROUAUi5H*5698a&P1Y!vFwy!Y}C_TRs3
zds}5C|CpJtff~JRMQ6Igc{7~bc<IIASiSp|kI#5((RqIwha&1;6?=WS|FcUk_hQv8
zi_hV!9E5G~KYS4Y<ktbar-((hP74PM?y=*~(0|;#`G#6&<oP@2wRzJ0Sv!}zgTLuA
zcf&pUZtX`D$LhEq**t*tT^AGPtNv<ML|MJEL8l|;B%7ZxRqOc1{KSL84x#@gP&@tk
zJ0A0Owf&E==Yk6!&Tq9)R4+<&^6waT_=cW_e9_j<lgmd7JX2q(HkWI=E|hP?>vL|d
zZ__5yRxlzIpy8F(>P90#)waFsoQpop+;8Zrk}ciLbU7$NyzZ5HBaR<@*jF#S--Gk}
z-UQXO|7Q8^$irIM!}IAdZbZ-1Y9>XLn!=1yv!z1_?|sR45tlK-3qeL_qDt&_vsoFa
z{_255>HfPDv(9=fP5-*Z0HY;c|IAXJc<SHK4Cr`2{Im=BmBcGA=(Y>?HAcVnJPaxr
zt`;@-rGqb4CtxViw`9bGOX^B9n1k4~-f?V92pxlEAP7m^(YdQvrT9#MrZ>xruS!t4
zr9KS*F#})2%XfjA`OLMJG9Bj1%_Gyraqb1H2ZA_t7fKa)I|<VMLQ6@CAT2Q~#Fq+u
zX=JMpr1*%mz+7d*Z$@-_*E>Y}+D<J4ZD0iaM)g}rY~XUs3Xf5%oX%#K{`b`9M=#%r
z>h+%sB;P<7k7O~n+7j=$hnN8E_5-P@UxzwtL;IoAmHW$&Xa;5#cRoFBPKY+gwzK|c
zw!P~<DlSEw1B!7hyTn-YE!^WD&~<=Wc_UmcTWGIbcXZgt&iHLf_%%tx?}O5kZC-vW
zEawlFAh|6EmDE|}Nw2c2O#KJSA2MW3z4+YFG>|^|YlO_Y*ik3!(*j?==v-19*+{$9
z&C=Ub;R7Xd4|rS)K0du2;^ER})MbRJ==f9e&Gz7xp76~d+X2D)K`)zmQG6FXQO75C
zWN+&r0h&Ih^9v~-sri2|`lYf_&2qRBPDH^;?uB2g%8;-Of1Jpod+r&>SGi`U|CBG$
zmp0^l7&o_e8Qps4y6UTufOMK-MUolVlT_=f|DO?cw-vw}-@EiWd3yKE%Z&T}1L7HV
z79H&$mkV;vL^H4UxVUZAgjeFhC@$%jU8v!F`Ab#m{&cQ~=GUG$=jjSrrCGNM9QJ!Y
zi)YahD72Kc@?SILXgRx5iU%ZG&As}%2vE0fm6d&S8?oyU8a%Sepy!c%_iNO#4xYVs
z`Jp*z;EnGiO*tF;521|H=nU#2B4_dSbnQ`<@M;BLqj*#HABW5EkW4R)4>9-2P*Ptb
zR=u^BYiCzpJi@;d{P4+-ErrsqYd;#rcrL3W0w|tn{e8p##mQ*E2pNHVr{2H1?770D
z-Z<XBu?yb^Uu0b@n-?`$^AJWd1GdM9=c?KGtV7&;T;l`+FV&(a_le}MetwmaIrQAR
z-6lXSL@GN-fC~gBb4}}|8^QOef=GS%^@+>=%n^i?!u9Ebejg@v`~SXB4NzoIfz}A1
z_M{k1hXhrwoV8~d2u8FhhXgWTu!XHcSWWlp_p&oa!*&Gujq#pvwjJ}fY0+fNCu^Cw
z710{Oo<De{Yfec=iwDUP)T$i~qsrjqApUsVM&o_);uG)mr{V26{~sa2(VJfdb~4Xb
zzDl_y-Ro|@A0%;iS^Lj*r0|j5$s`A|&3BcGDLfEHz8ou~ZX{>`Z;3|a{v7C3bsJxd
z9|A&x>k+?f?_0CDdRR&BBXcXBS;98fBYVx-!QX4YA6YJQ940~U39`dHUY{8^@>8Zm
z({MzRlQw>cn?pqAh$UZ>sciIW`kr4n;g_b+4dOcf9-e;;otV9hFDJrZX8vxj)O7r?
zTimx>Tl_9P&2qE8o3UZrfQuTGwMjB^xQrkrL;Sq|{y_XvaUcHP@u!3)e=*4`Tji?e
zyYGWaP3L}X@qCx`7De@@S-4u-z2MOtf8W4%hA^YI<JEXze{E(;7(H|_(oLB%f5s5`
z=Xc<ES%XL}E^fJEDQu2KI~v0xsLN6m&A<4VglIJMTbb4iwU|;8Zaml1pYtyo9bIz_
zfiIBwRT`j3Fvd-)_WJVHX0Muu@VP^FK(M7vY=)HATi5FOHCEq4yS`_shSjHBdlHg+
z(wFD`4icg~C$e&6Z=Ug{#p-e0g5<*Tglzl+a)v4&92=F9@b$Gfx3JuUpez$!4ZR(G
zF5URb)~GX^cC^ihX!LAsGoxLuGI|?-#TWNmNau@ajF~wZQd-4f4Wl`bTor8z^FSE9
z`S%JcNsT(0|9vmCyG)na<~8_UNlRfG)XVy?Wk$uL!u!$Aw-tgEKB13?;5M6WoiK~w
z)rH;3fU7}P!8g<JT=SSILS_c(M%$1NfWFzN<a{NUoA3Kr2~M`%(-Uu!`>(Ei^r(XV
z&*g@mwL5GJXU?cYe*gQ)Go>xx_l@u$i1E)!_7b2K|72y{9c(m<mf_F|{UL?@o_h{H
zI=|f~N1D~Rn&1946pFrAE*6js-Q%ZZ9$lv$W<{<ni9DKc{2;8sB~D#T<S8GCTWG*(
zSO<IUDq)eT_$4sEJ5RGv;<<IB;XTirR9^<He@s6pGZDX!{*z+#yLYMLWNZH>-B$GE
z;%i-2+Tx-6jcg9n7lZ4*@HZ}FMc(g+K0J}h9q512X~x!G?k!Y-xK-R793vac__*;|
zz33C%Toc~M(hKu-LE~8+91crm7mmCE$vHQ^4bI${hoX-Jc}~?JMxB$il*q$+s;rBX
zOlUq1x<!AXud2gG2zhsCiX`NVQ0f}<Af<VA_J^1vdE@1CpG$&nkBMN3=EEHGuKl-o
zToSe-%l(qS=$9v%1h|Ev1)GY=6in@j1o3rh=P$)?x}Fp7?#J5F6}&en-C5kRqS#X}
zH7`<EAR<jS+;e55u8dp~o(la&u&qea{jEWLVuftN<xf#`i+7>$RPZmRZ6%V2eio@)
zLdPGK0+v+U<bQkpSS}&EX?~g3=<!`uO%0DXDoUewi04|EjwGq;Cj|f#jK`StS<P^e
z1lK{EkI5l$pM3JMz*6i=c<G&C3bCrT?meEYS`(FlhqNYgh%ylLJ&d6I!@W+8hwG{t
zan1*YQajwqW4II2inBC+n2>WB`ov;(@I~iyF}XN(ujFs<QUr=tmeom9E_L`DZlfEh
zB|Fwm1^r*?kv!@xzrMA4Rl*_NE-ZSIfi11sVRN@6Y>}?1HSMS~K1yOGL5jp8_o8*r
za8BW#^>WL3y4Aqg*Ts^`+8<Vzv(ghC@+ezl=U;X~(CIPm-reV?)(T2#wBGci&sR*`
z=|{mLUHb6yNo!HGCCSfu*;WGAogo_s#1C6LpEGZ-)^>`j^}jnMkD{x~_tvi{jNaVJ
z4P)Es^kYZ=<ya$nco%0e!|u8zuk-u42-X|FvmVz^wR@xsWw6{ieCHZM<{{=oIrvgg
z@)7Duq<jzqE~cQfU3sM_vaf-xB3BIl3lHw!-Obe*-1I=~#B)Slk&L+e?Umll_@f2Q
z!eFKQI;I3mne=8|-u5ugl&^mX2NYkhJ_t$_S*R5{rei<&QN2r4);{cIqjqyy0Gw1e
zxt9L#P1{NW?#F8FWoYEdgR`n?)o7Wcm`SjI4I~T*W(2=P^(DebDuldqe?A{|`Q&$v
z#q9HIGR^9*nk^&g_U4z85`XO0I^g_P?)b?Vx8=_p7P|-P;S;F4<C?9|Y}uH4(R?nA
z3zJDU<VsQZ`s#y(;FeHZ?#T6@OsrHf6A4w{y1hy#MrN}H-u#IQnGi+QGZxqqIS8>u
z_{@r(>)FhA_E>!kzJJw6{UGx$cp(8=1Hz=J(jDe}NwyM}BA7Myjo`UPgtrrq_TB7k
zX2{%L`~DH8D~rQA?0%{fIN`;L;0&(XK1tGJd=zm?Xw0XZ@}xdL{Yc(vLMAtgayBem
z12O&?RX6lukTID3)0oPv?>2<&O+G``zH^P`<g;C(O{ECtb4;G$HaU-fDLw__vr72I
z5m$h;_sS|)!OBF7R8WDr?*Oe;d!tN#4=SNBXS%3Hfk@`=vH&-QPRhqr(x0qHc-b!W
zqr6S;^_5)zt*2L&`%V0dS=eZ?QZv2a3W5Kw-|u;uPlmQJV^v++d?Q|?^Xhl!p9lsz
zVfgRPeW~u9!-FHSVvFJHpI==B_gnt)JLgdHU|D<No=0XkRX~twI=Q~D^VPg`^F4yK
zB;$t7T|8XgSg{C)kg1f%qC_kC&AfL;3W(>-SWG5Ar<MO!H0B{s2~Ddav^3#UPcXm#
z?fo)e?T-ri19P-kmdT3KjPEan*ISCrrOELvt9PtnE%#UT!Ni{cxI(=zGb;W%cRhO?
z+*9)_DdRGJb`rUgXdINue#k{P6rF!d!>@kySxn$Wp^&{+RjQ5d;@LSR*}O0HO`-2b
zO7(Gr!f&1;gSXM;VK*+$2)WwNaKi`?$y7g*Fw<teb(;6tknsU4?}f_tRWt&2lRlFY
zJ@d&Nj-S4j*Z*U|XEC9@go-MrEW9$o%n2%js-C@QDp`M(+?_8KbcdDz?(qztC+(?X
z*vu<e@l~83ZMJwL_q3|6JenTp?{<BNDY#=lyuaox{%g?W!wUiY`Etah6K}2vlBWj@
zHK_mw>^&GV*g)&<u{@<l9_GB^Bd5Z@W(GTM=YVbOQU*`rLeYNd*&r~61qMrwO5UdD
zK-3JV+0AIDl9U<36%`M4s;*z%9S<EOB3iu&iDMKY(R}uy=Bs2l!a01l-(iXW@N<5d
zxWfZdK#F}V{&CkqctL@UOS19?H6tCTdGlQ(Q7W2-yuPG|=8j||nSJ;Y5tHxuFTYOh
zqqeNCX+v>oH{Xifeh?JgqG9`8yTJOmhObFc7s>O1+Wt$4ZbC~C*X*VsQhKm-To`%y
zD}w7ijTS2{{@1eT?FiLqOzJ}y4O4If6;)x%YphNN(3z>Tz~x9HC^Y)E0mYp)OecSO
zLZj$h#4DUJx$n*uRoL{Zsj&*Gry}PtKXI;?n1(kau-xB|V~J2V$GvzgWLjk{&oNQd
zn`T(~hUuV)G>jy<TF)=b;qNMUNZ)>{Nh@vz`f6Iym`$nxzjG)WiWbdxG;SpnuqQ@0
zJXa_6vVI)dK&&kw*w`O+OH}Vev6gF|hI8xpt~u>vhT4`{vBSsEd}Q=?cNSP#;^m^A
z4{^M{ep|OSY)%+s7DhM!7GB}8hFFObB1(YU8ken*SC_|e0pHDth24TD8Tm=jOA}bM
zO#XC6tJ*KCbXJy>U&{vwZrFwhmvc)V6g_`4a@#w?Gog!Y(6iRD*Z0KtZi=loNaff`
zPM(6~LPp~m<%_C~jddCir1V=F&xaJ}R}4Dd-;Tz#WLMyzg3=3Gtk}$_M3*yigeuYg
zS_5-jBH)VWtN%T5NBvz55hxOM*W#WRq{{DME?*Z4Tz|6daqL)IFVX0_*?8k%-Kr!0
zS*5~#%0Wcz#SfEpa6bEt_^;(v^CQC+D3KBF@g?e*Xj5F<onfoTQ`TfD8+Sz@IrbZF
zhC(oAFu?_fwa;}Zx|!~9Ykw00H|Jkm+t3OsI7f9fA3obxg9swSSWa(_!mXTXpd|=r
z?(ZSy`d$z?_~fvdz-%3@IH~LTRz~KwnB&NE^)V)+&YRd%^$(M)h;k-ks!90m9(lF&
zRl6+-PO}Z~aObr@*3mMo*$-J<b^}dE-mQIXu6Hb)c*hjpAzT-YInGL*SDmx#xp-ah
z%beCX9vVrCuBs_#O87`N8821B)a*EPP0%D7!|_g0v<?T=PySd_7Oalq1WhJBl0>NJ
zoldbBL}zZqFrkjwoG29G{AFEN7nKVl*X_f+YO82W2>JONyt-(!E83@DgrBu1K|`^r
z;|b3w6UNdUQYsWP{n?Eh#@y%#f<f^zja?*U=7jd?hzK3_Hb0e)e>o<%q$`S+#Xj8K
z8_4<x(!M3S(atv!7wEXTyJp$aO_Gwa;2jOZvG3^df8G%dGGOEcn+dSey`nejl*fNi
z&DDVqpQ|Ehc$DQ$j%Tslnd|H-zVWBZJsk&ygSu~(rnsd?0+Q8>KrJ1xl4U<hxK;2Y
zbs=-VA1y$<=Fjck)cVrF;8)Nk8!;;*B2Ke#+wsLD84$;o{n?GKJlN8M4-nr9zgCz$
zsg~7y$t<v#)wNy#=_TRttL+lMs4j726X*fEoa%IQ`w@6|EkcMCux=?Uppp3KN6gVe
zof0zf<U%61(nYT42yu#D-IAbjy>)To1SEe+0Y>z?GcoI}$ZG)9sR|}*wUOtcz}bmm
zA^ad!z)Rb;<YLj^9#+ZI3Re}r^w~J*)EB|?7U9jt@lr8=u84h8^HtGy5ELYP8xJ1F
zp&(OW<-(UU4IA{30l-OJmzF2URRBj#0nT%dVD{K_fAvb0T}K)epM<+ixQ=z-8Cg$Y
z3Af&=ZGR+srb4bcRdi|TkMGIlQf3Jg0;S9h2eyt01No!R3EgP(m$^>=B*sYep56`J
z0xO%Pc13(wFq2OL7CQC-hDk(9+6|0@Mw|Sc@Lw+Xr}qP-;pb8VHh|8=1qe<NEQ0f}
z&Z$4G5a85)PFAx4@4Z+6D8<JmAnOD+gof3&H^YJCt5&vX-diXItKwDg8wO^epX*!<
zz)%~K&U&+Jcd6S5z?D6xY9L=q4f+9A({vuF02isH?^!4z8OKTu(x+ywE;PN{zi)>R
zS9t?@g*S~%6QTaDVo%<PH;dF4v61IywP^t5mXA_Nb4TLMP-E?7H3)+Mb|vZ}4>PS=
zD_0Yj?pH{?%qhj$0x;G@05f#}D7G9~pL~CaT<|Wt<lPU*3!5@S4gloD2NU@|prAX7
zvXcD+JfzkcV>f^YonfQ5&0!SO9UzP)?tY-W`{_9yn4>BK5TU7jWhpSBJo#Ciz6&I_
z9l;G+)H=rdOWU`D(R^7ea3j?C_>{-Up%=e3Z#_|P(2P0i_m(V!i1Y8HLv>`t*C@0<
zn=ip#)I=S@_g7yuX8CH;SE#|xh+e<o3^b@H0Xw4(TL}Ika226&eJ5$1E%l|B&g&O9
zl1I&~!i+rX@?6#y;6K&W)c8+c@iYK2+%n*=;7`oHTV>TKI<OD`%+lmSf0ezRrx&xe
zjuH3*AlS4$kr$_{R}~)cM*^pu!~0ObBDKevC6m7L_DV|q;dqW*Vhnc>^|-JoD<}#j
zqagKqSZPBS=CS6uD5zTwX^3-<iUZtQ%)%AzHE@}M1sSXA5T85$V!A^etkEit4<hou
z4m{BTn`nd?bgMgoA}f6>Xd!~|tQGvs$)*Qu)L3v^xLq!<L4FDVE))W>XxA^VQ{Q5k
z1c1yq5fPE0nFZp#T9oB$AiLd*16S$@+=8zJc8-VbQB29d^PwG`aWBp_>B){hGAg0h
z(J_BtDWQKsRu4+rT#ufV=71=w7oQ2=n9%M@<A<}lx*ej^F4y1C!}UdRT~i<T;d+vc
z{ixC!{d#a0*%tA;A#^Khu@kb=t#fOdR=}8lDgtPG`>u}*;NjyJ-uv|Ys)Qq+`*>NQ
zHQCY5Li(T611DfCI#7y;L<1FbbL2~a;szFR^lXtQg>T2l8WB-sq`)>#_lby=%*&f$
zX6K(2EPnvdYi2yCyp_KQ&nJ+{;+l6?cBq2j)oNlSnFuY4P8VGK0`p*$k6zYX7++NF
z=qE`axZRgMl661E>mFw!{B@khJ#l8&)Eb*O^{(#~)$Qf>lE74TKt-1!TKgHVfH{<v
zzPRFj8p{oFz-Eeziz`#L0WM$0X4Y^=;Aoc!%=O-k<hXuZaj0|Xe&hf!E*}7-ZNI*x
zKKr7YPROhW_^BGAT|bxA*eFu=WjF#wW(}}<Oc_UR9>0XbfxgyCaKCwjn1w5O@|!ks
zkGNHTnc>P74u$sG2mPzyxnFzg-~Uqwv~7I;Za_<9J>Nye;do6$n&4pBGkRl}*99U?
z0l#1`a$z1m3vSvxNPst}Tc<i31ulVB5dJwr*NFPtg@uJi-lQ=xF-B|>?#kdQ>B^Ya
z07rPe0NiA%Ssxg$-%*Q`UgZ);yDNpgSU(D%zk-f4iRCfbx49&(qkEBoIL+<1B}zjn
z;<~RHYzVWrMC{TS7XHsEK_foCpUA&>h>gkN)UGt4M#`SDVT^UWg=WSsE_wAO(^O@L
z1ju?!KMuV8A}C-CqyvqUvoRQ>4dFv6_VLlNTwGfM_8TUTwj~0bL!juYJI7JZVgGk1
zE5MzJ>#CFx#*7@SBC0Qm>)#Wm3moGI@#$97wMBN$6QP0Mp&4Qt>(;qKy#cZ>=FLyA
z4gMjf!d799Oa>8gTa*-R-N5WW8!hCly)caJDM&ud|HfH)<OCH@CkCGoV`eN>S&yK<
z8@6$*feh&FdW^a~N2(JvdyelaVnhD(o;`8xu!hJkpAgCtRuMKI78(M&J;BY9V@gJy
zbR;LVqi~hdHu~FEMSb)X7zM}JHp4gf7q4v<<Dm2p=j;%&xG1XELLBXNcV@-}J=~n7
zmG0lYp0c{-mdv#h3b%#84VbCi(m{6Dqzfs)gR>yrEZn?KD-<>`i<^r~X0Bo3ZuqWw
zrn6sH+ZbJ0QqAmfY6_cHV#IZYDvYYQ2-~iCCBG}q-<|mch0Aki?Mgi3Q-?&Eg0p1F
z1Xj^K*O_C{@b!u?UtX>uv)yb_eci@}coEMO{5sG*H@bC?UpVSENK3ew0CL2{W`{ZZ
zXr2t6=K8)B4-R)G@37n;BE)oVq}ZW~y$%q6_8_PVOiRaU=JR(x!GqSBfl1K4ze`mc
zSwHAMjY?J6q_Y~b#I-n;AFRs~F2v+3EHhh&-D)iL(y*+xbUp2r34L%^j;HV8;pD3@
zW%+Wh<pnHMCpBKA<}eT`EnIPAVM2~f-5P)o{v?dEM6lSsOB>($IThk~F%^xO*qGZ4
z_`Y4c+j!AzW%p*}7WQNhCvbH-2ut;XTd?grD(RZzhZTON@_17v;QmWmbSjP9RitAI
zoFoYlT!Ir+0D@`F)-Wwi0);lMFiQ;`V)6t}6-5z>AK=bdp?IXGW*-958}>4%?{v+0
zUr)Y`Gp$HQh3{@)FCo$c=$M5bH>w)n1LeNl@hiQe=;FVLDZQ&xvb+Zj)dushOlzq`
zr(GkH5=JBJJQ2@^3s80A%Ez((50s@k97^iLF*sH}_;B4E>90hU^%6LfOyOIf#s7RD
zb}p12kQw0Yg!5_K7Jpi;ih`iu&Tr+a6OSwt|JLZT5;I7Gw!euU!4XO5f6{G?IenJJ
zPfh28X<|tccO8L91zEXm#d{s?1+O>;dky?<mk&Efn%ns-q&cn(gxMIN#58NRqn9q-
z-IN1fKO-oE|DNtMtCk7~*{{<)+E#93l2&~8cxLv;PDiE(!yOV@{MI{=0_aQ=C(RTS
z8&^lYDMqsTCX6{d3nP~i;Id8PWzs{1OdV7ithfi%<||M(#)e%Vvh%F|iv^(7%H%gn
zA&mH_GC2HMx>J%z)Xc)tT*PT;Upyz^Z9`Ar(K`sbK^U#U7>+3rL04JtfCBg13>8vu
zs-4T=G4!4gHU|Ogs=qN4*KP2vdk8bb!PJI^J$ZjP#x$YNbAoQR2dzYV?_AIyxUrTQ
zmn2Oe%%IN##P~IDbnWFR1PFpdv4ZtbmTl%F+$D9y3D+p>)-hp@Gu!fh;mT?ieCHlm
z$M|UQF4MN9p4!pws^LG_VOGLN6W_dgkG%8I29z(ljp6!~LYXsp|FCT~bNJ67X};8o
z;4L?+aHA{MZuNUT_;=@c=ST-WD=}j%qf-4B-H}=RgioZ#PSi1`8*`Nb*bdQzo#rva
zM=_G%w}5f^!~h~fIQ+x{UE9_yyEx7ogzNNnD%MR`93%0DsHZaF<9tJJP%X6Mr=WS&
zW}_J#{O3>n8u)n28d*u|%n9d|&_|e!iqp-<svAj%-WU!62;463<Cs{KA$G^#hi!cD
zh|~->+RC*?B#a4D<TA3m_q5iR3J)rNOzNP;f7>^*RXfat`Pw9E=8G0-N7#Xq0+o(E
zqvF{`^->J2F(KbtrU%asrW_}kR{G5IxBa9lT2G=em4WZdZ9&cgiWT!Uk(DH9er5Cs
zM5MPtc0C$`K7!v^X4b-WMTxv2$e7tk_pnJ17_!!!VJ?W5X;=EV`a^K>6O4I5o!C!+
zd7*AE!rP{S>YV+w>N0*;GU%?2Ned3j<3X0OI_N_m(1EvJvWckv?Su=PgL!O8d5mwk
z{)%sk#!%(Zk)l?`I#1v~KfyfWwso}b#+*b;w~vSfq>dQKwoB~39s$Q--4*Rz=fcC+
z@*G}t_==|3`ep>=VaYT^4?z%7PZd#q_R&Zy#mnEKS^R5Wqp?kehnqwoM#aPD7s24s
z<9M0vl1k8yn3rp1bWO#z)EKhVL`y_ZnDL7tx(BH@MP%Exh|<u5Uk<RV=d|d>-}Zm-
znPS$_V<<L>TdIS3+-9&c{|eVHiGw*>n>=CnV)+Eij+X%!giH-v#ttKVOu#`q&RJ+S
zb0Vr`KfPxYHmG=UH_tf=-!-5bHoF4i)&H*S3JBo?Ue}U}#44U#OQl~Nsv#a#D9-mN
zn83zX42Z3aLMXosAsIcl!c?)-<ekdGhhUTf)<>N%b~w?~DEj@rQ76sc!W4fLPVus2
z0yFOl876DTK}oH@JF>)vJdZXO*H7rDXD<RUw@FdkAwE7KAS(gA&7*ZbFe9)t29+@8
z$%_U@=FJmp#;?-a-*El?<b5Z#nqITo;lKr*npmfnd6BBxQE`?KIE$3#042T}#K#o-
zHA!1f6`!5AX|DDdyu=-3E)L3)tGLwG4gxQCXuSxM9*5gv7B?K4D_wHkL<w(<EN%&g
z9NrEk)R7oe*?`g9<n?fM<&TYxMK`Vj+;UUoxdJfZC~fn!6B;#jT0|+VDOs-t!8U##
zHr49U>Izjmf5!{sL-_4MW1dq{UDMNuBY?m)vy$_{g7>eImMA#lK}w4nEiP2W!g24d
z*)fmT#wW!s8hjM~+pDrg@_6RS-{*A~9Iv#b0Z8CPKUL26!oVeqh=L-)Poy4o>g2It
zQDYBblJ!mjZOECMD<@>tZNmk(Zv7Z3NMFql6YZ-58Hxrly)Qa%1qu4Pf|J#$mucj|
z4?Um|fe$oNjMxf5?7JBS7?iEQ#x94m0iBPfx^<s~;L5eDE^Ws<3xJ1rv&ONP<duFN
z6UdYMU-+~?2K>Vt8Z?!MvXVWeb#p4uGxl0`+D-14xPC4QobdJ_+YB8|kXpm`plReR
zUj|r-cPel^A)UG#h8l7#Obv?;5G%veFSTGh01rUHt%+^-vbhsOjo2bzEeWesEL4QR
zXNzIT=W>3W>ljorfCf_lQjZcSHqt;Ds~N^FEKHU_!KMMkYQA05xB9IC=xTd_lBM~u
zyNM(O$ehH&FtWgp8b3bHYU3`>R&O%H6JVeOd{US}MW+S`QG39BW>$L3@!=c51uWD^
zWeNsN%RBM}qik}%u=h;L3Jsye6Ts=Z7uY0rw%4(>nuQD^M9M&2hz>Nm1hmBHLrY$z
zRn!|$J@cEqPKgZ-dy3<AJL^HzCCTWF6phz+5JZr^tVcQ6X<=A95qkW?m`JqYAno{@
zlJ0%W*h+m^U=s)HK6cm$c8I1h8dT4kpye>3Mb(bA_F2q;83O|-VK|xybRWn8zcU%Q
z`XX)HLf0?jhJkB!5vW;7ETT@92p?RENJD?1RqNd+GMxi9r)qPqyHNuYY%;c%=iuPL
zmiB==^QqZ(k&Itn>!|{;fAOcMi;MQ$2Km>puH2yw1_es4;2~DR!d8b_fTV<e#Kl@^
zfg=EOW6Nt9pZOH9;FkgE=jVJ|%iBuoaDXX~0d(Kxu6WWi(+YY}V$gh28T6+YwJw8Q
zrr)|STp4~LOTiZL>&aOMWUOKRe7&MN0~A<TmnAosSD*nB+d+FB7&8-$Mgl`&l6=&c
zkI(o%SD1?dS~1pD$Y|?ge^6}iBVPf3C-z#z!DsIdzhnfx2}49+8u_hK*2?>TPWIeW
z$~gL^*x6w#HXV^|<<FjH3R_CTCjbQ}i76;;8W5JRscNQiZ4?dP1~Lyl056;h+AaJZ
z*ZX}yD}W!+dq3?pxR5E{-4HKf#Lnnu@U9f&ctPV2YWlGQ*SP~zWQl&<XFkoe3SH_H
zwI)65O5c}NP=X#N=Utzu0EwD>A8<hZJ*dENUO5Xf3F>+C_a30=c|X|)jHPjwo<`rn
z@?NvPSL}i;uo!R_e*%%Vw@7M5;%2}bR!+yC6@R1dhTj1^rZh_R^Ts#ABJ~FaAgOME
zA)Rw0s46xexK0a=zP%0ha4*>DFb_5dNpW#;GvrFeIk5Q=7<~zpOPT|>%5hReuYiVy
zStq6=Dr(d@`p^soH+^@d<{Ypqx`6pL6|O6B1*7EMPC)La4L+Dw2v{#$B}dkqiv6|#
zUQ)p}QYpiuD!Rz1AGt0?XPOZ=9{h}+v<)N2vPs1Ox5rnS7r5kfj~1%Z{S>olzOw>+
zM?=7aH2v*5$HQHBj%TjI)1OQ^66u#h+;>g(LPc4;;WlDfKUs3H4zmZi<(eSLFMhCW
z@wt3t-?cFEaKfDK!+ttyPv)!aHzwS$)#mTXc90HSxQ^q_##z&M8f0pezxI_?x?N|a
z^mt)C;v=<Z>WFZJy;pAuT}G->Kc1^swLFwg1cer)W+G<7D?__|5k&IvO9NQ>de)5?
zMD)ARLwDyap3b&IjMX}0d+a6H`&lI!Aw<q-N+wZ4vG$Xq*def)-YB@$zFNsR6^XDd
zy`38iD(51Vc#;7@?HtZOWBcy8WHql2pC&XD)nhHh*gpl<YyrAvMd)3CNGEyV#(0m}
zd#<_U;>RkUmM$B-_zGOm%@2^vOWnoZ-!RBmG=h0l*djD*Ud^fjVXUJ1>;Q}3Y$j1>
z3|8>_r&21{`=b*|<V3@cHjTVF2u8<l#$jB$i}Z!0Xbw4h{DocRO9K$gFuf^;;*Rk=
zj9Xe`zzvc9JSR`xexHtW3@`9tA<M>vyL+V`1CIB&6;4=R=cx~gKnw}C1uXvD@Y0lo
z4<<zVfraD*cND(v+Ua%jgl4@TLFqx<coDofn16Z?J4kFAqasC>491io@R(zHP!A9Z
zU9Kx!Wt+2&2Fjm7(Z2ihGncdTD`x~u(}Pna7y;AeAIcP<Q94<~#rM!~pKGpv%Uf<Y
z-_=EHeE=vrbW{UG2I!{!tPT-mefXhIxc&)XkD&Z-*mEw9Dcqjonz|YJ$HFp`I2x@q
z3x%Jxj&*4zmqB)g2N8oYMq>5sopqna`?MaAFFMqMhNQ*@?$QKe@I43yRqT^EaQLm$
z!G{nu;77mz@Py0s60~!Q|M;e2PXOTDZmBFSQhSYbT{&5}Fo$v|%7hfYO#V|gzwz4f
z)B`jD9Ns(~q>J<d9%Y~QUiZH2P@9q>II8rr8!G<Wc$}bG>!ePip)P?HT?_8p9|uX!
z@xVf~S!3jdSw0pbBGxPv0~+z6A90OSnWT*gYkryx;#%%_Dx@ft)KyGwr{vh<h(NN;
z<l7ro>mH~hCo-!`iL*fe!_;ISoOQwA*vnE!?Dnqytk5n)$2FXEj^X&S4u9hijTKP7
z4~%?~B{@$hr>>lx?014$TuA{x<mCl2&aFYZJ@iz*Fh8;y&pr0mx#1i9%Z4Kc-cjRQ
z&B_+M&Gx(E*9xD}Tf?>2<{ik<f7D~oXRyX+MDNWnDicD8)2?xyk=I?Kd&ZLVGF*D%
z0og`i@Zi?vADTl_{8{@A21XB-Q^msPi=UKsv#&NYQo71F0IHISH*0OGY?NiK3ox56
zkUXpS`;ba<hT#@GS5Q8}${=}b6#UP;1#HT6F$Zo@QW41G>I+nNAS3eQWdE<FSM{kE
z`3y|AVQ=H}CWO4tUXL+-(1Ium2b}$K`vVRKWYlJfZg!@6dSuzJe)R1MGn8>V@^+jU
zoHHcD4TS9hmvJpWOP$;VGn+2X_ZftxSKDH$$k7dBf<wMGWP`oko(<6m=h2(7N<F{C
zcsr+Y(RgYqEWd}E-EvFl5En%lfrc6z;fM6T?wX&7qW`>DhBcMOzgU{c364&sH-^g5
z{MO#6TJjjQ<90p0H;#YN)!A(yXLXU1;mx8P3-d?`vsM_Zw+GGOfyU>U5DcghT8Mw^
z2#L?Sd9<=H;x5eRdLHW^A6G9xQ6*VN!>w6OQbF;m2Onv?N$UEYRk{LuZ&rd%hw8Hr
zX+uzSU?R6=5q8e>Nx|B!I^OJ<cB$R(aISn{=UEjF9#cd769QL(>(mB4U;K5F3sGuz
zHgL-O-#;wfp&|a%x)^O{H~7%SlY(PnUmRgVHyxZ~s6%eih*I_Po6zk1Q78s?Auf2p
zf-Df8BlP5H<{f3ojrO!;5b4FUX?U-NXQ^Qr3>wH;htv7AFVZ%-lo!q%N!$l(OLTFc
zq4om%uTFiDHTb&~tdJ{<a1}QdBqlUgZeswsT=P8O1)l4&Z66j`pr;D9L{U4Cbp%_Y
z{9memFI7`zeZ}Frh9!IOn1UVyfz{F=wQ+;uvK`5Z^r(NChz;S(c(^W1$wV;pno`*7
zEF9EL!BcZq2>g=C$0bY%wow_o-`YZl<jGR1X?>UC&GPF!i<^X74bnjf_s~W8(TQ9(
z$bOc@jvyBoG^mmF<~KhwWP`z^<gIH)ogjVQ@GY^Vhimq!?I(eztQWSZhN2Au8jc?G
zj1sV&-85T(<JzK>&A`ACQH4#>j{mcAhd}8T{uvZ-1`D#`VF=xwaCL0$hJ)%IVt>W7
zgs$XEDe1+GQG0xs!pTvpxb0YYn8s5IDz)wUmKdM_u=7Th=Z(p%QcqD!lySZ-J^+7B
zJ|j%8q`0)mF2BD}Q>wHYcGy83y!(;JtEA3aK$q6{4kT|QF@SWmPZD~hAyM<dC_~jD
zP2c6<0NYRuyGt<|=(&JvUTxj|!v|9)_H7|O4>sbBTf3he{~_x}sry*m9-GtP51(4E
z{%kFTuq6Gx>g|UaVheRw{{-H;HWhVM2oVu;-oa{IKqmmdx}|_tdADEU^kA(%6qTW<
z?k{X3VII%ys1S9*Ia9wK>(k%^0}iD=SKbOQp6u{V1mp_axrCl9a;%SgCRKM>G4Q2`
zz3iY(rWZ~&3iy2mWz>3CB85d7Vi(y4clq*7*kkQ!mR!&_r$(#PRa3$7?)?eU3_gP@
zyh)$GI2E0Qctq(aqwO0Ynrr0H;z;V_OqNm=(M?1{Zx>NHNd&0}q9Jsc<jKSRUrOEP
zd%VKDkBS^y%^p2<gxB384}L~xuq=hXsv5opT7?mP8BSzY&RcZ@ZyA>lL8h0|d^MJ%
z4Xe#^wJ}HCYPLUJ=++cqVetiDz;AtUC1^c~$yS@v(a@6G7@4x|%XI!@X?wId&~qf=
z$>hUacLo2)Kxjmv=im3uQr86l3LZ7_KB)QvQ~<yDjifY0Z_T#tmIO5IWVg>WT}?hQ
zj25Jbn*ECHpewnx)-e(b8@#?(TuTCDY=0fP@+dfHe74NAv^nYKbXlYa@FHX|xs?}9
z&BL|qhAG=;(nw`_L_#-McyD5Iw8DVly4wsT$gTR%0_+@5$HY9LoFKdetQ`@|{~Xtt
zh`9KQj}B||XocN4`0_6Jj~w2^`E?q*NtUy(I5Q#(RqD^Lzj2BPeBU}khfZgrIoB1P
zFiHLuf52dLQWAS*V(a#g5r*oXcXg{0`)wQ~uGy&P=`Q&n^A<TjL1*w}r#=z};E1S-
zNIVjFcsfg((|kl8wo!bWY~Fw$W&Q4LQp8}7RWneei3^$!;Va+z^UjZFt1|}I)S?DV
z+RBrebFvKw#m!S<27za&RbNUW`>14tu+ukcvfLBdjf+1ABTg(5psUo>hUa7R7&drh
zX*X`4>4UQclB^8iyjbSW$Z!lshwBXCE~-VnlMDb>;GLJeBY$e$0d_T$bUhy2C5a9h
zpmB2{R7MGzC*=VFvJ^4g%F0B<<h?&@yR&c}5~ipPTTj!;<;zFV`=B>s&dA-lA|5^X
zIbU}_lP+kk&w2gbq}78iG~+YF)}F!j5a`a^5%XfBXJ;QW1)Q!M5u;axGT;BGZhv21
zpZrA1<>)FbY`=$%z13DOintmf5Yv7hw%EwkFCMvh*VHT_&1?7f4xeF1q}QFYJM^=S
zTb(mvG7e`$z`)@~$hYg6q9(@mF6;euHNX4Yw6c|0X6k+7AEmAf3i+gqo_}s~Q?0bF
zCD=)0N|L>CL=c1U<8b+ulQ4VvwJ$MfA&I{FDNI*rum6iuiiDAV-X9v>?8>ea;+>`C
z^n3g@U+X=@)-e^2*QLwt-?#Ei?R9&<(#fLsnrVO?J~xGtdT43!&u`8syLDcWhgVRL
z(1%jldCeqkO#1NeUb;;xRl?tytr?X+ApZ4pf)S)uv0yO2VM;i<|ATKH);rr7EP=BO
z3=l!*pz2%WzA>Jyekbf46rVl7t#+KQu9ao;i@`0^Q{cp1c(Gf42YMxHxQCQ9IE>y0
zx7ax=8}HTaTw|MWFq~r3DYFPN2j^T-+tx(Iko~fKH%n>nw&y^L<1N`fft2kyY>}HA
z%TBI81_~@@vX*;LJdEm;q-Zb_|JnIsF9ZSBN^sRCZgsK<fLL8e@{j>#Z=gt1vG2CR
zBezd4GXJxelz^!4*7>hz@UTrGAHm`k1OwOTj84<Nc95=?j}VW<-H(-;9dU89be^@O
z?~jRCw4nNciosy&JAv=4k!+4MV8hN#`Td!XIJUt*y=H##!p}G4TwKg;k?uofa<<9U
zY-dnXtInPDMt(W_bhOI=wZ%rLuS}RzG#IZ)7xXpgnf>7@)!`Xk*8z}^l2`I8J^1KW
z@>1<?nX3wp>`-d_#jVEq)VCR95%wFCvo#NT6)Uakv@LlyFxBzuqzK2oG5Hh6LxRJD
z2@i$}tAH7FC{57LSM@f6dZQvWiPk?lPb}=_Xj~J>Hqy5iwmOR!?QfsCT4Nu_7tXJh
z>RfkFW>kaO5iysn7YP!}8jfe<(<I2S<E=-|mlWyB$}s~gG1X^{5skQYtC6t`q^;5J
zSxojH_ebvJo0MJ{W1QL@Sq|p$Zs(psbTWls3qKby=I-C{vO?OP!(A~=dHyZz+}kG(
z3_phQl7ua#G@0d~TgS6eYOA7KMUnYLk7-|yZFTv||6B;-zrrFHJIOTJz2Ws-D41{P
zX!DRamhG0=qC&)vyI-3kX-FA_O%<r^`Sfy<Sli~+W{*TB#OUaRvQ0X)u6vBrv)pJ@
zFYLk>4;tnK;!RRNZy*y!K$9-v)dL(6AILIYL+eB`>>dtpO!BT;)Ay`OP{<li&Qt5W
zyGPWC*4R%avfH4EJ{`z2bZgz`yS>MF@oB@^&2nX-RR&?^0DX-*<JEgk>orep2!IS_
z`K1$2w*Xx`8S1CPdhXi-s%P5}nn1S@XI9(&&KHeS38x3E6^eKUw#rs0xb%dNyDK?*
zlNnXe8jyTQ?M+T9vfL+0^)om??Dwa^D<?i(oKX<_6BO7`oM8A(LK$|rUUC7tYu@<L
zcxv$bE<-tmojJQYTfr|Feh&}Q6JdlCR`w3CrqFYv&eo2dGFRzmhVyPzH0PuUg%fu_
zkY5xdM>zF^Pc9|Xix{5;{2W!D+t$c=ZF|iQ@kG|g_VE7tQ0=!~I*_~9HFJPP>Qo*v
z{yZCI(R?j29&@py^EZ&4&xASaLuQ&1^gx^aruH`|96I&E!HKr#v!gacY>*~}I%;Mj
zlkTnNBxI@?5Y;**S8UZ&nX*13y>&fjT6HXMekn0vK3u;%+PZNPxDgos`_nO!8P{YG
zqemA^@c;4k)?rabeb=aTNvAZ@ZPDE&-9rk3LnGZK-Hn2Dch}G$jWBeVh;(;<_vrIJ
z?{}_quJbQ2!+r0)f4$b)h&tZuLP!hnNT<0LxeY@(a#jWF4x&cOnyfPcGe$nThE4Wp
zHhOKvyZKzx_I%eqi%M)?I|x{{IG@q*IVQg^(k&$oCtwd;w~Ofu=OoIp{aJu+Y{YIL
zULV#e_hbOdK&v|!qAw!jK#5A5>UUjz^b5)y(@Hkolgu(`wdZrtyDnx>BG2kvB?SZb
z4(AMEW5<YYo;v5~^XmM$Gi78}uwQgxPeR^bEc<q5e>vj*aU>CLLxeoYGHI7Ja}K~Z
z{5sCgEz-{yJY0Dojv!|1$@I<WD;pEOe33Q1slK~?I}Qwp^s!L2>$=%>szl*Po)`$m
z`Q>CwL_FXOvG}5}g|9`q+yPbVp&A{ClSP`SLMVOF3m#+d>-7)-u>l4Kv$Ksp54TLr
z+ixVP^Mew!v;$}#d@OoDKG$xDm|ehA*}0RqqGyjplzmj(tB9M^zJ*SdC`53u$6L3s
zXW7hFq(j1!pAB>4fQu2zGwKA@QD#;F2oF+S-6hbwU`z4)_Rd1>;sso?_f~zElRx$E
z3B>?gg7<Z!HI(qQAC{`@@mJ8|@1?#RgS~aefQs4F;>O%0y^dcGq5QQ=T_2tf+L<Lg
z&|BrD4Agy86ynvIitpIRF~8cM&n=tT-+%#4Q1Kz|%bdOpKx2C-YNQedzEhmzb^ECf
zU?#DXV4zPEz~2Ry*fsjZkSli`0P@jH>J0=8zW2i75<LVeieCkhdx9go<INmnc~%{F
z>jjNcCgXXne^Uc~OHTJI`16~Jkk*GW3a^Vzt&z+YL@FiHC?GGAe(Lr_uOnnl>M0@I
zoBHtP_Q=JvHnRq2EUgxGZ^q|^1Ug8+(e{P|9jvRIi(LNNb-j>;|JuN8eyPoqGn~j9
z?c9uB#TC4$2<N#_7k4#`FZ*<RRu=%?bc8riX1H@J6F^CmM)j_l(FsQE@WG~zd{xK`
zq+BITSHXIXkE+S`dm7~)^pWnqc{R3^0q=Q&x+HE{+AJ)5j?zzbIxL!NGT3$N;H|Xm
zI(?sn)YdZC^|atXm=V32qE_S+IYvyCrd)o>rh~KFOFY4aLIs`C7C=qk1gJ|q&)VE`
zf~SH@tQ^Jk)r4^4uwi19J9{UK0=OwdBtR!acLb(s;rx@uKW4_ra9CcJzO^Q*uhgZ&
z0>t$#MN1BWVBS1g!HV5GWXI8x4n%2@oj*N4&?9_o{G$9T5bp#l@3_=pk|IjTP(0%s
zmP~uOMpTGCjt*MBH3D{pDhA~3t8tT&*&9UArP=R+xZSONs>N<2mTN%+e71zYC%(*o
zhC~1&hocq+(WQh-<3OJBpE15&o_M1ens3z&D9mLqF@U2AtkB9E5l!JhTSV1|N5C9q
ztFLDxlPK##F^isLx?+U{0r{%WaqN$3x}fJFe1X!pFhxBr8j0ZZA*A({jw><f=GgV7
zi0h~cIlr5vuDylkNbKu2k91+z%N&xzI}3N~<pMrXgC!m-6z}^gc$NZ~KlD^~kgJHc
zINXrl-=4v}&%B89IF!>N0fa9?;E{}eEb(FFQlM}6bAw!ONUI%FF43DJ+VAmpr%H?O
zo!oVzIPh*Ve3g<eRt8Rn=(C;E%*U}*Ul1+aM3@_23^}vx!e`H%8hRpx9w05GJ{<)^
z*XkjtJ_M1e)1<{lSZ-O-JAF}UCHp{+n#t$`gz~=CPNczh(XS5^w2|~nDvrU16sf7j
zXX#5^PhWtICylSL^+J_Yv-Wj-kk%~F<>%2b5FMVKuj5{UI4d+in?tDM^bwJ625`Z$
znJS>Guc(G~`?&UK!iYJ*e_#gZ&?mo=QD8OdSVXAvGE?esP#~da!pB4NLDXuW;4$2*
z#dLBs4n%-3LB|rP<#6bkcr5UmGu(UGL~<iyamxcm8WBN{nH9uNnBdj+wi;pl3cY&E
z{IU*2!^iJh3YQ7O)%QJb0I5T#D;nz>?E8E_90i59zPM|1<4FNycyG`i5Y4QzHs99y
z;Co<Rp_yg?)GZ5dGsF-+$3IL4;Cb_o?TW6?bctsyh7iIkyI{h!3JRzBHLBeKqgRMv
z3WMtLvpv`h2%ta3_=5bn4{2a19OY1eHn!@0CRFhLQG+5Nr#Cdrem+ad@qB+7DJqRy
z#hAzRR^PcOEF||U7A0>aoOejE_MzAGnA71tQk~r-;REuyN=O-MO5h~TmzAzMWyTVF
zt>nSu?EIkQ9cb4ov}0^>cNGx?zp)0)#X4#J2Ma*^%JfoZNFL&F11dARqv!Ujhd&e6
zD-(|#uNjn#HN3rH*_2Umg`*7!003km(bAAQi}6Au9<ya@K)Qaj<@O%K-3Ffh!j1f1
zrx}jK4AdZ0A@N~`2!sH>5nSe}G5=ZS6=JvC8YPAhoNHRxFw}pUl8L=m?oazc#~O2(
zuY4ehB}IFq(})!HPb76$tCutXrxlIN&wNm!qXTwjAo<2bQXbzL`KB&rtS_pty?IOW
zw9ITxu_)DyiDQXsan3_OkOX)bF%STJoL<Pwk0*K$VkuP4tXK)fvBx0hDDyEd748uq
zo;~tP8r5F$GO)`7bW!{(=XW*+Av(#pqY>`gRPr4Yz~rdp^xHMxo`COT>#c|Z;k8G)
zF}aO*$7O1b@TogP0E2|*Yby4cKpk-o@8}nk$-)(a;JzxuK$mV7?+<9x?*lC%Jg=~q
zQRb*_t4S;Gb&=VZoW!UFCr%Yav>1k~3=p@0r(sg4i~EHD0)YUnoq}7-ND2dN)Tg`4
z1NDQ($UmY67TNTHZ>g|<jW3KeOz;mIX<bL4Uhw+dH}TWSLX)cuE-Q3q{{Z0P^7euh
z4pFOH9NuZaIlp9-Xos!QYyi{}c4EF$E5ApjeBgSp#FKjT$^O{X>>_VEDI`8paxL{*
z>|-b;Lpzb(L>Uc9<}|-90=ozgmh+3xV6+KDzJl|e$>MDc#0_sxAI;<q^PfiQHayQ3
ztGe-!cS0b>C+{!zt8@DapW&H*BYjtvn-x#=Zn&v@<}>(3wm&YaR;6B!mrm3V-nz(1
zE7l>g=UL^Nn$!J~9lvP4takk*Yn*yQD=}T6%JvH)f`Fz;Svw3ZrKwB^udXamUqjf=
z4`1t0Kuj$c?zsrXOa`EjyId8VKeC-I;{{Htu(Hf9&czr7CpZ^Ye(=fi{<d<yO&|>u
zVPqP|v!Vl$?3h4X-5oD-8&^COybpItiW_dlRW>*^f{~_I9zk2VWC$PT)!xDj;d6y?
zjwAU!*0c3Yc+<3RIe9BlH2J*P>0J3?WH=`SYMJ+`@CGH)y9Wcsb;fHf4y&MN<->W-
z3SB2b2NUzC-G@L`Kg}*aUo+n^*gu0z>G$iy+xFx}ul$?ibzj+dI;NGyuaOQG;}EZ%
z5{H;qUKY-miz_wTpS*S^2=in!^x-;a!(tt8PBj5(Sxwz*)HQ!Ge;4l)0ks(2&#-Q1
zF$S1ooR`Mkf+CNw9vG^kyX<5Revz6<A*IW+c9$kN*8116Tj9sww{8Sr=i&fj$^|Q8
zd4374&V@(*jYk=bE_v8PafxmXaELyxuI;%<GZ<g<LFjcr_6G-*zwwd0<Y1jUZMbqy
z%shd+ZYwYPd4RG4KurLEy{(jY3ovEAimU{X1&69)mbggY)kUxPPf4?!mAKtO01q*V
zZ|x3-R5z!ncsDFwdKWQw^{L=og&?%}FNs0R{F@N~4-(rUnxtZ{JJ(c9WTNg1!h+Oa
z^q#_+h;{EUzyRIim6ae2vi%-t1pd@8+9g8zrP>L=^+UCcO9h_KCNZl^xAc2V32dA=
zRKH{)6%|(lns?CSdj4JH>bZ$}D<1pPAI#3xft>UJ#)edJCj!PQ$^lqKw3c$f*ZxFz
z!+^f|J>BWkbKDD|e@!ry%B~QJf%PkXTsP}sZ>&ReNzPD=OmE?Aa_p<HGnQ7R!Tujy
zXB%g8I2&;Q_^Z+l@W!GW6kg=`b-=Jr0Q>Ul#pc!nj65;CV<Xz)x!TB0KUen|!*=-|
z1&|Z#c{IW*S!|bX=aK9U-P}1+E*Mce`C!DNhRS2NB$-q~s9Ntq-zs22&Z1fD7q!Pz
z>fqi5>o;mHLGu-~{5OMxg0syJEVpNJbJ4%_0^%;o-h}k>gc6yQUrs;?w=4{{K<{F~
z6`XH-M+&w33K1)Jm_~Pd`r_)0oo2E54Tg1r;iX_yS8lj`6V*<*e+LCClvCGR84fms
z5MM#A%k9I8V1PSH+~TTg&9*w}-gK+ALJ_>PrbJ42V&0x>W-oZ38vO;uSE66Z#{L?r
z>RdY0+11vSHsH3Q-4$>%UTUX(e>+SAROzY)I#tfY+#_Eff#L9eSw%0!TTA%e>B=CE
z<&|d!SZ*}p^`uGD^mwg=Hl109b0-fRnwPVy6}^2?dR6Ar$X@4zZohp`+?RXIK>*0~
zFm46FE?pH-*N4K70-!|-071h;d0Ln9_ar6vEc(rmV!`s2TkQQ}zsuw7RUm2+(BoFN
zwz(YeuTTgPMC~^AE%u;fiTBp5`B!<=r!uPmS*G?6BA?<c2t}E5gc8ZgsPV{mVPc?V
zRs1a3;w(k4+P>>e*=n62GE^z;HCnGiYnd%ssX^Q8WS|GAK+G92?B6$N`Cph0m>k3`
zPhkJ;A7M2GQ}bh2R}9q#(AuUg{lbIM+@z~^ul|>d-0eXI?fc^(n$_m>P!OP6u&L0|
z8MaXfZPWf#XLG^8ZDW{k3vWvLW}70B{mPO6YWrxeIEDG)z6@NQQe{2J(kfud#G=7c
z3V5LWY9A|%gCVYnDI2r*gu^p^Ib)wTZZCkQJ%q6o4Yu*HEq_Izmd|7i0h|_h@LCAf
zRgT`%I?0Weos;FP+UE9@73!N$BYtul!KF_|O>Rijr0vmS-jFQql*`>uo<4k`JP_>e
zL!gKLq?~d2qJ0Ts@Nn1s$syN$!()3zj)U)&_l&11f)^TiM?%2qM<-ZRK?DR+BxcKa
zaj~0ei+r%q7!JR{wI?Feu&<jG)Swi_usvVM>ND4_elt%RhqG<k;yEk){u{qAGW0YH
zbV)vs2yO$fEG}vQh_#hVIbl^%0{cwZv)3I8d?au=cpz+cH1GezNmN4aNW{@!Gfj3p
z*=RNWG;2K<ux`qbEm{3ir_C++c0RIMp~`Yun`LaEI^pwEmqaU1od_T_8bAdknq9R0
zrt2evMH-KqS5Z|{zX59@gK`-1GX}3TJ8X3V9nMl9O%WCF>GmYy{zx#9Cl}R@;ITHa
zo=fuD>HRyZg-Z(1#!p*{<A;WH5*~9rVIyH;luN4a20P!*?a#Eaz=bx?_jxoZD6Qs8
z!VE+`&-&QCczw`G)Yt$GY(pU#HZr?pY*>c|pqrZS%FEoV{2P}{(?RZzgc8e^aB4-|
zsf1A4zu3)icAdFr_GYj8$PDv%m>xAa55)7~qqYGYk)Bgd?qASDcG(2}q?%uN0sYbB
zffLiDxdx>S+lxXI{V`$g812`B;T`w!R7wV8`!%qUO$tC9|J<8R|NC&MS^ycEA$SuK
z{>uKmaWyFo&RZXV(*Re<)#hp)SOR3@+s((D{#DtymwZ4o9oc4~{>Opup)u5No%i8N
zm!1zhTJifEB_X>X+2tUiQ<bmvLCFVlX&jjRuG>Kx#p)k=cab0=KkNQFb}#vV)1mii
zernZBYkvRig!M$bay2r)bcS`<I(N1u$7Az!dlqnVH|pEdq+j1U3zlfHMf?KVZu70h
zB=5Y)gP)$zc83V%H+u1=U)lU(nyNHV)CKF#SUFo|nKWywo+iB<c$kVA^FK*0<M<o4
zmi6u6K%ed?fCTiW9>CjB0O<M>UXbdJ&+*TO3%BFrZ1j`fDt&2_ZH{0#40Lo!;0`IV
zrq6UI&lWcNY0wkB>CvE&Pjo;`vX4Pmi(p#&4ugU|E1!0IcLc@1u+r3QuRTjH`w>sL
zm#ECv!M3`8#*N+@i(Ox$DH-w<W9JT@HGlt|ALYY`58(McIMTX(a<i^Y;?2}3z2k$c
zma3y!iIQY=GkKHUAF8q`+)<9Tq8T%P)e_1-C}W%wXVvHH0X|^W51=G%C(kerzx^*q
z9`K2o-<KwsGl38cP)e;{ON|;d1(H_QOZ7e9Nt*t1ncm`deJoO@$4|yd%p7>5p!H!f
zI#Z?I<OR9N1+j3tAhLkVQO{i1<an*4-pIyQTJpM_8!x4xTWFnyTImE85{l_vw2<4@
zLkzUU0wI!QX>p68pwUGZmJECmL0~t);V!#FXV>G=)Y6eVVKpX#_N~5|{S8cJVXGCj
zpjN`PHV?3pL6KvHne1Jc=^`KIIx|#7(vJtNTR}Nr!`+S-j~K_x46q3}zEaufy%QfU
zz?|x;)MlBIsLlyesk4W3M%^E2#weO@5^}LNeDU+AU&z2?vp0%kq4)NDtvG1wHTv~i
zsK*Gko2mrNZB*qI1FW?yO*puPLWc>eO10(W?eXSv{t>gh-r?C_3Az}Go^U<LgiN{y
z-scb6tjF&UzwfS=^IvuW4&jyK5bsolp<FX{V&ydXrb0^RoGUVo=1}7G-3Xu40S~z%
z>6DgmbG#&+Cy?jV%g_&+G6C=W9~$`xFU(OH{x#!+$=B7<CdSXFdlj@*>bv%??`vaJ
zE1b{>GcSJ>cjR=t0+m9`q&epgP7!O3L-hAD(HWhcxEq~Ym`@%2)2yaT0$<|j<YLd>
zipfKBU~&NYszgEm;SR#K|CE{Q?;0N;=yJ535&nzi9N%9EN_p=LaRKZX>Q%=vYHI4v
zpnAD+G*uvblb0p?<sto_k@K^1&%W9JzkvFG&8Ghw->xs&QdVxl|Cz1Pw-*yJh(IJ3
zqc6h!EJ!C>s;9aNT(6zQrJ(r_Xk6PTu}g?Fq9F>STISoTQd0t{oLTt)CSjrk$MnFD
zye;14a|#y%so5B2v4X(=(()BhRMCl%?j>Oh+7EBDV;MEQiM(2-7XaL5SF|qVeF<;L
zV-Z8^*{+pcWug%I>X_~xO`d=?#~DQO`V;oy0=ctAKskEBm~P;XBT@f#QGeP&EFBY0
z3Wrfo-shhB2KI{X1y{17iZz>C5QVeQkt<os%cENNC9MudZGhjfa|jS}|E9aZ`><uI
z{d=p`jLiuFBVa+>*T+SN6;P2ceel~_T-?y>wp3f>Lfrf>dtyHMyY|Gqc&)P6L?-IF
z)?fLnwLO`p)#Ye0rkJXoxcm_iLS27+Kyf3-3-=mp#%4mR!`#!5sg-sng!;66DAwDX
z<ws4$m~6{>$AkS}T*&g<b|8{B$siR=5!fpM9O!{u{|3;egHG)S44-RD`qST|{*#|_
z5e^`njV9wYTyEE^wC^g6@Vy~z{ztw`5j00WSsFgMif`}hTt$Q*z-$iYW8v5ZBO2QC
z(Y|)5;^N}t1qvca=>R6E4{!)m^$kFHQBPq#4hI>2Sj_QOuCtieG4K@F{1OMAg0P|j
z4x$j=4i_j>8)_PmkspsNmEaH7SEEf&zB9j;PJ3v+8M8UxouJGWzLpF+TWB!lN#!p4
zg6v%KVYe*k+G9~k(`S|klq;6L`&G#Ig}Ar`wBysK{H|D6;m)FUgyT~Mq-u``bNyxy
z1OKP*NW)d1hq+(r>m-Gny|z|Sro%$@duFpAp#<Q8ZQc95K>rJ+`2RYtF~|#7s}zxy
z4L&h4F#)fSCeg<IF4xvqPs}qLr!{MDPKCc@A9;srDU#)A)*`$4P86c+gkT>AH5lBM
zmRj%4Rs@?6?lNZyHTw!gr(Ywadti2DFYCSf_}lHm_s`vt>MLX{s)*iN5%GEL2-XM&
zPU-E5Y_3$El8A6;5K~q<pB*#M>+<JPFsJcsU>pBK?C)~MBa&qlqogXLoQR69bTi*O
ztbH<mM@tAkyt}{w@mPg&*wtwrD}AL{=n$Yp645el_j-J%-{yia`G-wSdk4>0COSQm
z=Ak9mvyi(4o2yhy<&cm9$kMK_R>T*kipM_<Fgb@wlv@%afj4v>U~rSDU{O{%0((h+
z4WbTxfz$6ifBxe^`l=JTBj86_)=otA@>Jk7ik8W1g?)_L7<lxtkfYp;mWM9ZiyD)V
zt+;)nnj^G~7Yod)ocP@A?)y=nzmLSK<Wbk2dh;{=k;aG59?|#F8#y-wTeSN0f}m52
zNl)He7<|pU*`bhv1b^_Ox(B*n4|%1JwNM8RR5Y^d(Jm!o8m@MJS$BF_wUseQaiI!;
zKTm$%4v_V-`E$!Ol$CfHwxxBrX}*6Uf)}+rt2WklG3sVkd@xfTHDSDZiTRb+nfsC7
z8%y_%*^jcA{%qr7(jms=+0#eQBVj`hHPqRPRms)H6?H9;VJ#~W=u=9VASXaJ&L{%l
z!+T*MKv)URSG#k=zrlPuT<7@4a>Srj%^zIrB9w@2lfb?F`SQLOydk5oYv<V@jj&+X
zu^OZ-qE}|PI$6m@t@;d|&<(ET>Y)Tn{$$lT%~?Zh*2!YB=oB@*U-=<uo~q+%YU|u_
zlhpWGx#~_Zp`&UZG=kfon>z);Dl30F`4E%Gc1657^`}XqW~G+q`^<NwTx9j?M88$3
zd;+Rzk&9W~I&|LPKdexeSFGm~x(-FU&o$k&6qUNHTCd6j1XS&&b0Y%#FYtfGC7gTK
z<N+Rf1dJr$h6D``4$d(=QyNHm3q<$_O*otW47+TnFq7@c2Tb~lHcxE(vl$V$VrT?l
z35Ok5Dm4xgQ{}o+y2cjF4~HQJ*X#Xlb7#x^fU8B98k*_@lI<MPN3W8yb_wZX2Z$4x
z@Bk+Xu8vH5q_;cYXzjciL#N~Z?Pj6nw_m5(^~fN~8O!-Pe}_^gwFd4#N_RMB3dGvI
zxN7q&pB%O{ynj9UE}dau9jye^aHZxr4VuVia$xpFk_4V4d|ErM-uTM>x$czMoXT+E
z>iaVrK@3&E%*P=qCQ@)QTAhDgvDPJKOh)tsFXvxROei{BedGT0p>B^~6cgXyW#yOV
z^=%7<&MQ+q;6|wEI8zbvnvZg?ox4513Ld<@0A(gC78KaDY;2#XUwa&w(8=M!a;9D&
z$=2j}_Ff1%QWAjGy*9D8+cec{u|Q$V<RL^d@>*elPNWVqp*tav2sq$u2duF{PjCKE
zcm!~u9(CL$*UaH9xI?3a8(J>!!$;dfI;-X;DEw!1ASO`d2CLN%=+`osdode~Pm*Z>
zj-l8F<N5Zqu0GZ;oh86LQ}$^m-m8k1!kd@V0)eLN(URgF^Lv6<x-ds?<(CYZY`hpQ
zUnGPEhsb1It+`HTvlIYg@y30L)##|M`zwXdD!um#(2q%oUAiVX6U`FHjKA$F0@lXw
z<|&GOu@59S(B`W}bn|bZcg2-iz+G75zZyXO+3B_ReCC`w1z1+E`2*r~R<mh479$-*
zF%C9aXEi?}(h9Tfnetz3Svc(oXxwzZ!PP+9jLbS-^^H-f)2G;+U2HHj-Fz$Pb^e1%
zJ1q0^K<23NWlvx=yCzFw*M#QY$uu#>ahJ?ndMq0@4DG9cH}1Z%yHarK1h4jD6Q7kc
z_pm30!-M{wST^WFE)ll4LAwV90KDIQM#RHIE97>KBNq_Q6j3GwP+)QNo16g9g<0g=
zzA_;*zJw5(Mj+XZOk|Fy)tec?BJ3T&s@wlF5~pbK`EJx8Pce-lSRqg%=+?~~pkeiI
z#vg{kQ|1F^&w3XuqljP;$&^KK3^2Z4696n1AaOf3LIS!^Pn!B39O!Npu=bt+_rx3E
z7dS|*;&1>f2@UGedmbwt4$lo!5kQ3wNuF83s`(Bgb^fD9^sk!{fW*^K`+B3g0e^++
zzhbVhD=w!M)?FF8BZwseyezBn3_ncbYPa%?mYyDPM7h9)Z-9IVpD8Q*Ycbd#26D(I
z<@oKOH|@nv0T&&;0(jR&k068tV8E@KFHe}VM{^fEOrMN?FZ%CaP`xMJG1*7oHdM)}
zhw)IA;NTAc&6#Pc0DyytI1k8<=X~Di8~2;lWRLUi(HxR*&Jpb<1SXM9E~k0G2VmUm
zG{UOqV*@1-gsi~;5q%wCD;P7$z*I}tGJ)j%cB@ID5+HYp5<m<51hC~^Xo2?n$h7oq
z(&GbQ+GF`J79}FsfL~v&sSwtWarf}e_s;QSC9rQ)F0M~X_I4<A1`Jkv<R$auDr~ob
z?_7Ky|0oSqEdhA$0OM7o6FBAz@_V*>Wi5AmF^=-L`**-A$-vjOi+sup`3#VL#lq%t
z{6tuc`)HUISjz><Ysrn~dG0?aD`YzVYrstliK}I3!!lBL&8__E96w@KV~Uf`bOYeE
z(=8PYa{Ro3msu!G_>K3U9e;&10@3N}`55~LScGTK;6UGyAIm$R`s?qXvXbLSkL_r|
zE%$<I_~T+uRi*~-N!xJjV%#SW_Q0Q}ONwe73m5m2oKMajFy^T~`c|3xhT61k3+pqB
z?yd4}U9|z7z<Wa#+)hryW1dVk;87h?6$-ij^QeNNYTsS|KC1RnetnJ~CDOeO#f_ft
z#Rwj=6hUak-$TLrcBB#}cy<qZztg(PvSt^O_i^=jv6zEm_MZTc*2bEw>Plf}9t*|s
z<>**j<@$sPuuHEL;Q+yu0%u7UA|x+aI5-d$>H8gdc!1Lxs{NdPP0U>qIMaX6JPwke
z6!3fH7ibnCeCWrC6}a=A--%?)bNpsmsYCKweNgiea{K_V1KTo)H)_7PvKp{ur+Mvi
zdXjLi%xi$~M2%gOmARZyJ0J@P(*#QS6miaO2-roD8*Ae896xLp;{|?nY?PPX{y+Rj
zOG$~)5s~LLqb(llOP%B82#&E}$|rE3BNA7Od|2$t(w}<ItVM7PMq==GC;9S)<K^e&
zS-h#y&|zX+pYy7ov5<0|NJfzZ$qC&Ee2vNzl^^x2ZW`-mdAvSovZ?P@YWC-OGQ1j*
z;E>R1RWm+quqy-V0*}CY!32LEc_Z@1RMBM<5xxPBc7`r^v#u8yNf!270E@1uDo_}J
zS}vSPkuPPv3Gl#nA(_CZ%MzpmEX3iWd<0HJ8^E()-yj|z9m?E0V#M4zi5r(AqZ(Ap
zhQ)on)}gD=!dPdFrg56-M|EpP%&-Q1`IzSWBjKn+Z2R{W?&pg)@IzXX@#FY@Rj&{m
z?ZQJNw&I$U5a`mYQP(>t#0LUZLwV15@U+W<vt0XVR3Xnh6J7<5-jjS7CZ<unjYPFx
z#0@K*sd>6NwhtWr8c<a^Lqq+^mTo8&6Zh(<zX~dS?@63J$+$lF2eTw2t8rE8mt{R}
zgEidC#|L7uHk9J_VD|Kw(5FWU<J><(;$%}->^Sjp4D9i(7g%_+wpq7$5Mv^ELngnf
zX@xi@QwF*hZ*k#z<)xFWZ3(-HeoFu72|=}9f*12frggggI6Wpg??65HV+Yl3$1Lpt
zxS5)<jTq^ig_;P|<{@vfQs5`acie!RaA~R0={8NNa!yG1f}2#?<w$gH>n!emEfZD5
z3#Y4+M>1#Yl%~jv3Xy;_XpNr`XRcTPp6s2f@r%z#Ms#|0$oS^Al27#;u}<rjz?)LU
z3=xPMhj5^l-I0oK`Gkj}T*X;$YNP5kBWB}E(+*BGhc>wq(|qxyx#97|X?U;-WWQxw
z*+MI#p+%tqcdAGNWwFyKFI|PE2r@KyG&Ag2NaQ8>SXOZU0zq8l@fov{zVvooSZLD&
zcDxs_X7RulEg;*XGWLiLE|yTK^mnT{utF*sbfpx(zIp3*FYTzQY`mz1{vH=6>-Ow-
z|Ix|y&l%a%l@Qs)Bc#CR2O*tW2XRe4rWa?O1?9MN6>qy|%IoGS>Ev=gzsqM*?Q9`{
zdN-*7K<YjtP$>}TG2|W3@_1qXlteVm`d~&j!c-EGQj;|(FF_b7Ru<0Y^vG8#=TnBn
zw#>%K@2$+v*7xg$PvZ6m4zlfguWGzp@Q7V7wK-4_)j{tPj)dXq<O7f2`qDOO>C&yb
zlE<_(suSsg#FLyIdrc5qk6*q#T#azh4c)tehMD?3e-Zcbht9?Qh9SlD>Wpw5O>XeZ
z`vEw*Z-NrKT0Pj0;eOpxxcnQry#Cxf@%6I$?Qd`>qh%_8OF#vVXjP;2(ZTBELMVB%
z#n0S-jYN@Dd+<}bS`k}Rd!rA0u+pM-I&`92y?o1NfMsHZ9na{xb1lD~<HyKq9K#8r
zJs{3<mSi8?bA$ykVa8aefkMJpe%v?yA}<Z#QN!#Sq(zJ0$m-`jr*w6v81xk&yE*eQ
zNW9=09QYiUiion&k>Wr*-*+$o`6EpL4UT+KVYsPR_|fR7dxPjA_G5P)iBEpAaNUWp
z$Y*}MS&O1@?c_O$J5va`eoH|ALkml+V&dHkMCU{Q&P#)r>@`G03$Z6h@H8~4L<<D{
zqX>iQl9!F97>J3bd7``@Rj}!vHb2r0P%Xrir5*nI^EK5?qxSjB(TwPsX-Q^v=AUf-
z$^46!G0MsuJKtflvycve6KpngQx6Yhc}5Y;=~w(nIeso%G;~8r0u$nTY@7kX(Q3(x
z3R(He;OjxtAsH?IWhzEo{f>B#B$3baO6Pj~;<{i7ksFm}4m!Pdxy=Yv45=TPg*Ym8
zBmn~NB#aM&QTOK*y)S<+{v3iQ{e0$;7{oogwa6uAyezFcHu*sPYxICbl<aX!4)M2-
zwD;x5J08>*0_213%U>Axv}u3MVA6e)#dvqzB!hyq6Fe+-n(3qNQ~5qdo>($|=PW4(
zj4qe=KUjcQ258scxS+^9l@UMkhiQtG^LoG865#UKF=gs1WJQ$=!QGsCE`N_hj(~>{
zRBhSk(>eo#nw;d{7ko%`L;gU6$7ui#>3J6B?(1h_2q7;cg-ZZyou66mTy7cn<G#OE
z6||j1l_M?_7ag2Hec1L6d~!#Z+v4a+pjgCtQ$`hkBoxee=d$s+KUucnQ~{B|9Vz?F
zyr@U#KJu~o1KBL~&PZ>l+c{2`GwaKnOCubg%R19B<;<AS*nYRA3N(26#AqNXn)ZVa
znu24$9S~;uMm5-e54Rq2MeFp)MyCg%6yzmZD&mJ<bcu#v$g=gueP>M4-L7A_(DTYr
z8S9=L0W9L>3nyKXnY$*mzo#hMU`!bMCh7D@s^+6Czq9Sf`Emj3;|m@F-bG7g(d?I4
zk;xwkktF?_U}Mpn^;KBtd7|_cIr5&$uIiQ&Gv3@g?OgdHT7@BU9N{1WRL0;oZ^0_h
zkH7sAi(hux96BJj>XYO0RM0ei&?Kbrd(5SwY7MChs!f6n^*inA({bqGvXqE#X+4#e
zn(`oGlG{F=@l<Sl4lxHn1K64_ze>0?mvnk8t)DY`d!x0Kq>pG<#+^DwH94SlvG09(
zD4^$7JrqP8Fk(Un<EL=MFm~*#j=c(yFmB;F`8XEy+K;=*OepXAu7IC_c%mgCz>R^D
zMS<TmyM}*qi`QvXgYLlzE>`%<&&%tZ^Mu0)co2|SPO}se{Bef8X(ibkiz;EH9DOXT
zOyt8=iJa%(2#WfWP%G;^kOj}Ir!Wn6?ag`xLs7A!17vSYPA_~q-@2RXYi0SpF=e10
z_?7sS@aitZ7ccnuY)fN+13|~8J|&LuC5J(z^_F^vP7<e}elsuKP`n}qs8;E@Tr!gl
zzw@(^3IbgJ(BYKCUf#84ukoSCCQp<wwL&;NMy)tX>xTXcdAbCqHBa<y;Y4=PJx@nT
zkKe!~f;bUDQ$b6$(+M!n%Yhek@=5$%2PZs6PV+o?f||d@RH^0vrQ7d0I$%SEQ>)kc
zXNHBMKYCD5^%_*9;6lyWovRoh8=~*aJFt{c2075@^8aRWRw?`OgW9k>&P$VVCk5y~
z!b6l<Js}G<c5b(*a(Asj)(@k}@I*rD#?4^MmLkWB6ag<>>IbN>WfIEsGoUxA0$CbQ
zIJ>5M7Chc&CjyF8Dl9GeD=Wxb0CY}GJ>+bS)M5F_La4m&dlgYYM1dNj!Hn+K{I6Zh
znTa#u1rt@y`fe2^$d2w-2oFdDvfKr`j;dSKe*#ib*a*AqBx$Az7Kw&_{!H1Ggo{z>
zT%C#QxR|A7`1Y>*Kbp+mw&AiN<gk{qL!Rv*EBbXfJWP}B64U5g^91(Wf5~DhU#eQ;
z4(x3vLqtib(cRJkPZ-*!^vt4)Y0V#|Q@WNVn*az&O7hv~&Z#B+rx0OUBLzCb2Dzn)
zyTCKLC4MQ_t}wZZBID4kHA!YG`buA`uov6CTqs)7DSD-OS;xRfxB2~d&1m}M7*!^>
zY5LxbE^H1`>KT|PSP4s2Czfw;Wqf)<`jxj~Qo&y^h&tB-kPJW}1c#JJYA8tEk(~U#
zXUx-Wb_4vbW4Fgipb^j(<YE$*@a|I5FprhO*38M(uzlN!b$4;|+lAB?poVx=w0Brp
z=D1Az8~9QEsB>uvY$E-Ce_&;t6XNjgZ85`soBQx#0RStuEfy5c)irYZE8y2ov$wR7
zk}SgoEpx8WL;QOJ4sqj8Tjk-DV;qc+h$*t`tP4iwT=xnlR<ExT6AFJ(V8boA(VwP1
zZ$AZ|Az<(EWwP_(4(*}tL4vcbrywF&$SOnLYN^~WM24?wD<WES=p$xj^}`a#1P<h?
z%s)HLXyjBeIg>;`%<q~HY1eKjbA$t}rcF=K0vzFECX`E`@m}*V1HI~(sYfdmg-Y;s
zqsp|(%w1)i{L3MEf>O$^^%679Es2+a@D8v>)4&>q0@OQHId?<gqyuBcvlH*}@lOrb
z1@B*%)k+JXmfqPehffx2`DtAhebdeWULE2s|5F{>p6Yx=Rx^4qY2YBm0@TB^<sGon
z;s5bfr&5J_;{&JN-LyC)u>)K|X*wmq=QG-)ov_0WABXs7g~V${4RVWC)SO}EL)!*z
zzB@2@2l||cX%A9Yylmw8!VCE2dYop;QRbYVBx+6OO`NW_0GavyVfDHB%J%_z*N<bq
zu_6lczm-zh#KsoSpci*Bs*Zmu=bp6O=`f#HZN<5rk+(TeDR<Kz11hX1f1J&b0iDPz
z8fI<Fyj&R9smzfg7q9KP?$#~Wv_TH+9k~5zoldTvguwR#R|;_=Zy%M6$4|eK5gyMl
zp`1r?;VonBqfPdrqBeNhY&h_tVqx}|s$Z^6{s~g0ld%jG3hRvSc<j19dh9Expg-2{
zBN&(7GqfieUG@nCbh{bB1ZkXtfwr5cSz7)B$EFps71udwr#-reAwpdPps|*mL6;N@
zpoCc#r5Y@{i{RzXN^;IPMx)&mTwieCOMtICi6sBvyjn8w9$+sY`Qh6-3Lz~!lplD@
zpEfJPaYi{9kA2{@!Zh{lqs%gxINW5~Gj&5$c}!^AHrmuB82*Orcx9;ZtmWn!GqN~^
z>g>v}vnuuGmHmTUWN9YV%^NB4qu)nk)Ox9TU?UdBKSwR0?EQ8{+E0M=ap#)l*oT=z
zjIRJ)u%<w%B!l(Ln%|n=g+k%VsLz*18JcBJ<iweY5>~E{ggRd9%O6wDX#3JToceju
zDLIQsCR{0&0h|ae_1khmH>4Qx9@P$ebF=INRblLQUN6Gp1f(3_%}=Tuz3;CdcD>nd
zHs73@Dfv6gRM1EaQ6m*2XDwQejds{=r2q6S;)f&;e;GA%Xa=S}+H|5;spm?X<iyZE
z*CO?q<}$}ZhD>ZBHc>0CugG<HCiw7GCqJWVl(V(gxP|kV&YM%D`RsY1F!}2)*7DfZ
zrxWZxuQOt97k2-ar=XmT(_A+O2?r;ZbPT=;h6o2f@S7*<UE<LI4l~CM)ouL5j2dE$
z1p+C^Z~tw`DG9($gR_W7GC2-TaBCdJK=<+lkY0wY@r30OpZbrqsfwQPqtDFW`@1&Y
z7cY^c<|JF3aHfcAhxjCA_5$+6$2%2{ysz>E%@2fQT4K6iK@Krk?xxZ|oxJ)TW{K^e
zT!C*eyxE8C`<UB#la`ThzpnHOQqCW|d-FC&^Mo8d5uaW@uosX*FMR82-4Jp}oY0Ud
zHjrSC^v8XI(RK27lx`FtnRXYOXaS$9QC;|~yv$K|>rnr1JXt8r{iI`J09ReDh|}Z2
zYQHy1Pte8zR4}f}<Tp9FdtF)ZNYk6>4f+`0tD&GvR*7)xI$tiv6}AMj5RS)EKNrWV
zc=X?F-eBT;FWl91NYFHekt&q;GOgoSVs&DO-alC#BviSK(WOVGoMY1dd|Q_W8z>%b
zD}<sWnG+=8c7k(ftB<!Lu1oX=!EYuX{DsRlEHFpE<H>L=OLUbLzxt%SBs$D#2lB^^
zIE&qNCyd1h`%-FPF~`$s`Hfs2kZE9juJ2zpz;e1v+%=Se3<J(=fIr3gaDbd^k62q~
z0jz8Y82Bo}!HVXSBXg+Lv*#T;J>H!Y%E?dMqI0C7oDa5{`6<bIaC)A}ek+22<5`)3
zi}o7V4c@LnsvLcGkSC3#!t0r5WPSNgF83uO4%oAjufi{85D(0`<Q|BeNzvJ`QfYD<
zvlYvyiMNSmf3RX|CiSp;MJD@=uG*ubr?lDRnN3eKiv8ndE;#;8hib|RocHF+iW7PW
z=dwhF(_o@P&mO%4&>IEdyByecIiy4jM#w1=r&$BHEtR(hT{d0T#W@s~0uDEn{A>@H
zG9j9h`UkjK%fV@;mb)2`lzJI}!-Ac783sVV$)^6E2z*dIfTw|$%8%ua`~BN<-=#T*
zO22a2;f0%4NXOUjcB<!i<PSM-*=n^@xy7O{$Z`n(JcojAp&%ks;A#fgEf>(We73Ju
z2k+Xq&(YC8DhA1|W_FDaU%e_;75golrlBi(W+wjv0let#gGhgtClzx#R>Wd4-FEQ`
zF{ma#e5SI)PFQl(X^^1xw3Bo%N8m?Ff5k>-NcIp_O7Rl}e;}S;jsS{Rw^KQ+VRk$A
zb*U*UTtjpg*{AO#S{-aV{b9}-5Qlbk2joa}w`xWyzU8(91Jo<b4upkkQ7y(FecWOj
zU-V9Doj+O#q|Bz}lIu_ry{>?;r!m(mHX^(QfU?!XOD>?BInoMv?-_FKXZ)?^!rxmj
zpQUS)OSP!+jko-I3$DL@l}bDuOw?Or+E;OQeL1B#VtEr^^E-O}HU+&_%BtGzWzm}{
zV(iFqnTB6e-sl;=EnZX#K5c>S<q=FI=JVy@pJLz_l*}B8`8$Mt@Q=J73eh*DSnaGu
z$+SJenC)IyuNiovSGc##3pbSShKSQQgj|pCf%J(233RCi+p?=skFm<1m44hDSMarL
zxfyc|W0?)4dfTR|Sic~AYyc4CM|RXtafN5UyVwCKYx4XwY;hIuKF*=(PTq%(t9=S*
zoX9X$v~3ZEV}r?N-gY5(bt%#7qR(Q9-rN+(w!C3RW2>6(?x9xl2?0Z!U2jg#I9Ow(
znmMO9zUtmA8@65PG-E&kBh?W<$M~i$31?F*Xi@#t-BD76TYsAEd_q2C_L4iRjf$Me
z%F`vi9W#L6fC6>b9DrihCc0J_%J?O74f3OWOh@78*?Ej<D}9z$;;|y(>dG^*Odooj
zfW!P+g@B+6iH)E|ikXlQm#|k{US3oTl6a_Ou`~MgB$Vm8Y&ZXKd3d;=;dnIaPDyEe
zwSs@N#CLYM#P^n?RlpYYV4L`%zowgZaYykX9#hg<@mnSkL*F5!nDO~#OPr;oaFdIZ
z(NAfz?X9a5GyBfe1$r0&GI2R<J8EjD9|yO8+zcl&E23W<Sv^s$LY{uOL)<n~Pfw9c
z4xDeh2^U;{2@(z^&)^eBG;egy#!V74YZpxU97zdszF}W`_BB0u%Ij6g6mx>=E`eY#
z>HbLn6{$gB@?ES3ua)bm&^iui{Orj|>wM{(vIqbq@DPu{L5S5|C5nIs*i%-E{vgUr
zqfO@d&ewcHX&dybZ>T&tnv8LW6Alje5`ls#CwGS<vYf2~g{88aoe4)<f+j%L4Ifk(
z-y?c9LrB#1fRi>w)hPbCl3hb0W$K#29o+mm{xJ~Rclu&&g-3GClv!vihCXnn<GFzX
z_#v(v>}IwO*P!P7xnLRH$xTs~{mA@>%~!WiDNYL<ztb@Dg)|%Xoxfq*`>G{%i|-g!
zOvm_fNc4Nl%8SIyjrn=5%7#P3GtwU4{qXUDoPYPsU%CrsMYExPGfc>urcr=s+r4AQ
zzGP}IlBcvgR;-IvrZcZneMzjx8py3d@Uv}&J$O_<5Z}DdCKLe|H10T=i70f2FBF51
zZSxMzxGK?T1;?>qCHzn7c~P!dF8{k>IK}`MRCX*08XF=tOPWQ$=~zPJA&7(%0DQ63
zVkl&Jv9}mJvLe?%Y5+MrBieKruiUG=dXwAP#r~98+}T2NFtbf~XED9Xs2R3&XGNS>
zwxeb+%UHwme$oCb(E+dYG`d-K@}@)au923+x226Oj`5AC@ChD;rvedID(%$`NJ&tQ
z8&)(Dh?DVfd|TnU!8?^GpG<#L_N@Wi2}g{Sqm+YO;G#73yCHWW6&me}uSqD|V+Q@q
zc7NWnq-VPFS$;HYuJ!O4N}}O<s59wcId@RsA)ne0{?4)&J{_IWCdsL^B8jk=lv`JP
zPH}#I^*l7AA1?dC^%<L*ojDU7H}ntw4mq?^M2!`tm!!cn#GKDqr@1h~I2en$_>Zkn
z2`arqH#bv;;&O}26SF2STycp?-{sF8Jx$y%X?C&$b;k8ZGvs-b#2lWFB6f?fZ|{D%
zC#CLHE~7Cw0|3Z&=`ZF-S&epW{-BhxgB$YSHDgT|bvw`(9(f;dQ#%ewY=j)7H&dk;
z5RZbxjRru_8ZV9{BbWa1+IJ8uF8RkJGp1;0i`?tf#selr9q(AkEUP4QJY#O-C+pm?
z!y?g(aI;*|z0DtjAn%<wPD>$qIYBYS52>Qy^t`PBqc-FI*P8w~JI~^Xa4>^ZRUoA0
zj#2RMoF8cT9sb~XFE_{EKEG3G6N>=vN^li#e)27$T4NvDEI=#8F6w4mUDXa6HG;?k
zaYQ^}hCD|~AZEOK#hKZZv{vmS%u*iKS9tUZ9sGLT8f8QCC|>SSBv=&&+U6PR`I-uH
z`QPD2R6aHlhLg1!T^$sDL&36lP18|!_@m~|j!-{aV3R$$Rp}N^t`m5fRGh}_e){oz
zh&_L*oN8o2i3~d<oAa=Qq>9r`nLk=b$;i1vvezL`*=f1(%(Zk%Ps@yRZ@8_0jCJGf
z!8)j<hD5L|DwvI7b*X6pU(fgWCFyj2_{%xqTMCqn%Co-3Olz6BuD98o-59;=&^Fk;
z-gNM262rALWcaY`-Djs#+_GY=nF?RdQzCA>tDlm+5zTBCKx?^d4|5EXE*IqDQY*Wg
zo=PP=Y&NW$Cpe(rdD7WQe9AMbJ7-ml_YFI!%UZ8vZr5+`3TStu)b`Nb!JTCX;d41Q
z!cNi$XbGM(Di%+-PwfVTrnur{T!d;Ajz?q_G<EIn<~=mEF0yQau~X|c#+sdF{j}e2
z)(uyk<ueur2%`0}U#9)MaLsJ@`le)XJJvF|?922pP0^&16jG0R;GL_*Eb*c3P@Qtg
zy#;)U?+ov9cm35leBja|eoeJHb@QNppzz97!G*HWaAU?ZoM%m7B;T$U&(iA%8T;U7
zSX-lcdC&^GxKh+>d@atPVJq<ENa<C2&M&?R^}ct^8cm3(XJ4E#iselxDK2#Fm~?g^
zTBtVGv0E^&7bZULs4&EoW^nv8Y^X=M@VOKV8W|;1^giQx$u3oRgK<nJHmJ@gfk!nx
zXCC!~BIBq*PJHv5qOs4bcW)afTMeC=H#;gF8_0zvD5Tklv26%6!}VhH#lYS|DcSLY
z0+QU{pQDYRE;z(qF$w2J@22WyHxb*_WLw>@n|Nfq%f+NjmL%6h>?Ar~`APmtdRk)K
z(<gokZ)$LGe>-j(6|V2f8M+<X>nWJ;_!(|!uAwwhM)T^_)(t64-jpdR;!P9vVi9RD
z@|)!fHA6zqPxZ_FqvIF}+{{N%P9aN`<hrLe&^i6_QcaY!F9enSil!KB+%wMzv_m{H
zj=xM+WT3pPOMcvtaa}f<Ph@P=sCfP^PlE5Fr+z$EY6v5ZRsz1O&EtUdq0Xy=W$eLv
z@>dCB<8&a@!7}ox9f&Xe_zU)?3J0+|q15Cr_gMLDE6Y1{K7<uwD&M>xb1<&S{-TW^
zQp>NYcx>7I7XHim<b&n|dhXE=#YAQs^xfIkk2yz;6nqK??K;vOBA_&fPx7zctzd?<
z+Ef2zsf;+XeYofJD6sf!sqwO9OKq>7CQ>^=jZb4xKk)~}l_;0<ap`DhPziRd!Mh)q
zIV0@9oYxPe_RC%I#mO?1dV36(f_2WnPkm4l@Hl+%y72&`jID?najYmPWRw(&qcl(o
zOB~3sY1>5|A7!7pxUbAn=RFf~aHSBEsjO#H<Vn7_<Ln|42d5VfR?ybD7;d7ReGm9S
zR2D00{zY>OoeSHhs`><VUiS-UG3GSuL8}ax{9A6pVgJEktdG@R?U7S=s|YWSBfEL8
z`#QxPw3haGuCxkRklrxj{pl2OffjuE1fEMLyhndgiG{o3H>Vw|M7~hOWelh2Uc^8+
zbZdnCWpEFR*=}!Wi_{G(qATKlO0icH+%*Tpjg7_O($~j!Kkhw3RIaf&0=eb+8J7)1
z{I>auao_|zG6=GRWQYPU8)dADhadSI<5IoqBo7EhI2L8x-{fa=)T84JX>1(p__JB;
zBoWa+P~PH+?+HpdzstU$4{-^lmi+DMHiDOCU{@w(a^*p&S#?__0L*<GTn3Bnw*B2K
zdQ?PvYRSJ^Z~N%C$Hc~4iC^tH9ZyMlSl%N8?&!lsD%DEz(hK#{DP6Fy^^Hv2Po%az
z_cvHN69KM7)uk)z2)yObH>R32u#!9q*Vm++?0&*K865<i@7x=(2)oQ|)bA|R2O_*|
z!peK0ODtNXmo!#xa!N_rrse(#2;pK$7#}Zx+;NjZ5<y90QZ}p)DTgQ-daN@_4^@dI
zphfgvZ`q;CPL5`k^QHC-TJsspcFF~cr|<cT!JN5Q3yG?B7RR)n>(Qp?%ifwrH_-fd
z_Z8t9?>zaPUp?2=wddusDGB7^2J<?F_k0A4gL5nOfy^Zrt(^09z2~o0BW}c&l{qPq
zN9`AE%%4Nz$Elb0k$&Yz>902tvYfu4KkWJ_;d-;nC1oO}H6Hsq>&eC}(Ul-0xdiF0
zCze$w8RRU}krKPOUVhjy!ijI?#)ebBU7kxsXH5>@JP3PD7)Ln|TjHsGw#zT-_RLNk
zYjA%@eH_6VLv@SvruZ>S>Rq)Arj$;c#d<+ZvOXir2vzY9K@p`O=z`DpW>a|^?6Mtk
zpn^LWq@l<%5NiDKI1(7Ot1_1m72%N)X!mrlM{!(p87_7(T->%+j7BE-8E7jtM8)>Z
zG)C=cMagd|@iLhQv9j$OD7US@F5U@G+Uf&RIeWHj%vk{pe>eOE;}vLLYqd*|Rln8V
zo=v^N=%(LS1Lo_F|MBr@AGhJl51_>niGqBpqrTW6dsE|!5D5y;m`ruKiMRkpl@^aE
z@a%Z42AwBl?{rGq%C_LVbQt=rLT2f7-LP`|#uu-qbW3iKfCec<*(eKMchW<!Vrk58
z^wDXD?<%$VVxT&ZTmPucK%8th`}N*!9%4q~EVsV+UJK>@D#wdIKD_C3ur$|n4N;=M
z&3uQ`3(@HX|DlB1IxS9`K=T#m_}SdRPxjnxAn@M<E=&e*LAJHF3$>i$C0UeUT^tU`
zNRTdhrhP#!8R1T6FzFBN8j-{&{t3XDpqB68@mTrfY&~wS%Zihs-6(`Zk%vW%ub^L%
zoU0yN!#>r`d`u=K<s}<*FwRo>D8K%aI+#QM_xTEApcdz&5}CpIl2qV~z*47@SIN-?
zLND|-UVe#~CF}ylF)I>z<)kGJ4>ah8^Cy{37pogl$rc#48w5uK&6cn^X-6gCEQVFw
z-Ol81Ey)6@e)Jhsn$$KnF@&2a59;|`NqjHuM6?@gznHR7e4cFjQPX65-;`b(50+28
z&Mz2_2b%dpJO;nae=4VBIOcY?+3{vTgB_m@MTc<fTz;`fB4Za%BT&V5tvIp&yMPQp
zeWB`lRrqgn)V6@l;cE<BTF&GU+LBJviy@Z*(_->e?PWW^%#M0z?SJ>dS=@ICy|>N$
zwbN24q($W4v+t<=f(2T|lqTJ?N#NO;fNUiCWgYoCvVI^@<@J}O-V4Tium_lapW4Ye
zfej_wl)?3DgrDB?^k!7Xk;p|HjBKvIPkp}BAxN$W?m^>Oqpl-j#$;6DN)6;LuK$)F
zjr>!(hMa`%`8WAI)X?k*0x_X0jO^(zE$T9aLauPxn3Bj6-b}P%*-__fI(2C5#M0R&
zyK{T=!~UjHjQAat|5jO}br8r4TIB?5E_Nr*2F$%5mSL7JSVw+R8|MLj$iGDIRVPyr
zkEjpc>;2<nuXqpx1oK(u|1Q(#{=`%cdYJhwIfbQhi5Pf{M!{dT<E8`><xN;3vEl&t
zxUKt!jxV=xudl9T-l4z7QzNqx-y{3P7RYTu_*;v~Hi%fFKdPwZZqjV~{Vc6*v16t7
z`FB0>!^6LOHdHS2Sq{t>h{sV(C_d~jY(xbtH&1O~#t-Oc+TFv)e+RulA?*LX)xpr)
zj5X{+agxSY-8A*%40Z84)bE%Tk^y#PeCbc=PN3YfP6QTY=k)X4z2w+~!d!LW4390L
zq>_x@Ic?n0oLuh|diFF;K3!iT8%i*mWC1=Jyvg=UG3C{^U)j?kZTK=oLaw~o7g3lO
z^il1rdp@!Vy%oSG*k5Fx0N?uoK5j=c;9rHvg7^HpTO|&NQC@NNyE9<b;ec88yMez@
zxV(viBA-r3r$K-DZww)KJshY0HRejy=M+3SuvLKNv|I-Az{YGh|FuS-wj@J3^zL~b
z$gN{tWDz(+fL)GO-M1v)IS)I<qnO@d*&EVR%MXAZ6zt(PPBqW6dW^Eu00&!PtXXw)
zhISSQ1Q0-@X9SSG(p!gRZ~E-#&cZ%Art!c3RJhz4k_dPUpb(|Eow)~G5f3`>45g^-
zJab*QZ(k3KRq1RPTZK0s(GQEY$}KJLIsYH_zB4GwZQGV8O>QLTCMY?mWXaG(K{ApR
zMOu&yl5-OT2`Whxu*n$_kPM0-NukL~&N)XVzSZu1_CELCed@h>Rqx;X;Sa0muKvEY
z)?9OrImR5(s2kvS{@18Mrx?BRnu?Ku>{S~Bu<K^zAO6l?C308n#llA{whpQqC{(FE
z?7`y`kX@TKq{*f(*FsInag5-?NN%b^c_b8Dq=0JCU6lO(`HKY@33{GJp8{>OTtlw@
zD$1#H@d{GRw4<)V3bXI70tDd>d5Jg$DfPTsL-vf%!xG6$yVnU)_4DmP4ULF&;WI#F
z5j2~USU5kMkGg<jzURJ%Rx%GJH*~CP{g(RsoCkyGPlZ}w_ixG`>{5gBzr;bV_&Vtk
zeDn+3(iCgF0ad>5(BEm1|1U1U^Z0;Gf{{T?z2uu_y<9`#;Tc#*lD6X0D&Vns5S8wx
z*#VXU#9o8nk(}n^C5;$rl6`rCJU;*qC?cNs>U8igCL|mUj=3=sQi$^ONTe{``k9V7
zX`FwbG}af_|7jEGB8OuMhRCMX4=6i)*T%}I1MO|4*HW|9_y{Ppx^S7gq~}&lJ6)l-
z`=4BxPFOGBN~Wr2qfxZ~{kY4uf!-2PXlp{I^sm{{<>uKxXg9Mva<@`uXq4iA{ty;p
z2A{lyaE&eiG3JKhb@g6NNXd<bT>Ih7B|)~zCo=h;SSquvjU?47wti0f&)(c}CKP1v
znpq$Xf4$a}%ui5C`AAww4QydqPHLy?REmsFm*XBc*6mBbH?ay72MZ=aE|5$hS^zRv
zAX`3YSLhFo`E&-W%aOz2J@CJG<9|2;J4mr{TmyBA`%_!6Rvq#nlaQm4<gI&RWWBt}
z$;l_dqK%j@vMi&Ma#WrGVO+_!j>SbY&9^agY5cM)SSN6l3>{@$nNav|nOL;;Um75S
zg%n7VB~E&V#ATDZD;Q#g2{$7~T7R!@%wMa^3;@=FoL12JOMflsQnC2^U;#{tNgYv3
zri<Urvv%U2pFP}jrrtI@>hD#fRz9&a?w<BQ()p!`jez4d_gu{v|1Hd`Bm5hSeg;ZN
zJ_=n(JD?TB(ldL9quY2BS8lq-sV`3X=UDx(Z~<ouT{6ALNp)YG!3lze-|g1vQ;{dJ
zsHBM1z5usnXpxyOi2wAc7$dbHp_P4AJM1fp1Za8Zop$!J^GN>EJ=)N21?5_`ax-eV
z<vPx81)a!woF&-XZnO*Q3s<sP=^G%-hTd=3&jg`jX8}CX8Vdj2C&f$aL9Aajqh)cP
zo8CMlV6QM&P6(wMvxs0Un*%ZY*}p~O6up0ZF<OX?c-@;g?=%Jd%ZP`?rK`8+XPved
z%QBo5udesp{4PEB%NMiedVj6?4U4#%oSsI@J~v0gT5z?3BhFjRBAJSI^?uYBSC)4}
zr%EthO$14UXBP~f>}Y9&H1B#!ya~(DtPyv*$=OKsU#ku<x-NGfm;V74wo{sxzA2x9
zYK`A->oK*wW93wQgbVGVJ7<BF2Gp=>a~*P-kiFp+edPwj8^@d-;s17a($Ur?<^-*$
zVK~S+nF9h*+o?~kW2rel;k}sKSrGQhk{g^HVtfI&Qffu}SpGM{lzncrl&1XOw0n$i
zlH0wN_~HE2;VqRVYO%6vu?If6ahHO2L@g<_2I|(pulL8n5!!t}%!3r0<Yf8b<FVrX
zprYyA5rltg7E|J@^)Bx|Azuv62yMArEVqld!tNXkj#COsE=t{^d3?6BFN4Vox&DqK
z|9oH1@G5rGn=#m_;MRvMa#ozXj*X^8m?sBefltrz{`F~0#`-^#B6BzbTg<k&aA?Z1
z?6cJjkx0Q;f=|cumiq5@W><c%srFxM3gUpxKiw*85C;*pk|C~hZC;DyvUeP8<wjOb
z<)3~^n+pjYeO?Yf=j;w<%;vU#2X)3=GMWGFlF?9Pj2v`@-Xd1nO0XEVo!qHZ&)IsP
z#Sl#PlJHeks3ipRN}(TLXlkj-gUEb&S5A(tvM1qnsY!HtJ3UC2?9!%ZNDS<ZJ04Sg
zAO|rIUnfV?0<!!Ymvf)Vvo~j}tc&+ttii+!0r2jtSWKO6^IDFbh*5UlgO%|w3KD#*
zG2}sEqD^|v-}{bP-|inDm$2jtR$zJlRd0LTZ$jgKRpaF8W+#}F^ycrAG;k1UwmQB>
zEwhvq57Hx$N9Mb(>5fB9A?$Yoe)xF0M)P?EUhU!eSv=u}4;G4p<FADRXZfEl3yxAq
z3EXbS^X+4NqZuUP#aOl?v9Ng0XZvyTw`0d35p{ft@GENviIF>xE2A}A<!@yDY5GaB
z>Ntfd@uiz#loFi|!k77!jRwNmOvpsAg+8m`VqbIblNUYqCql)@esN?_*f)oiSmCWh
z&7vOz=%9v}Pn7ojgT~}6(b^Pu$Mo4nHdR-vlAYry7EUSrJyUB~%AC#fIua033%s5u
zS820V?p)pJ7%tN6<#>H?;0fS1mo?Nu7)@(Z7W*A;oMd!}4mzr*3Z#KDntx~Am~Oy7
z9B{VE08TvDXc`Se;rfsdYW$^fl|Mr!t}WDkggEn2i4Xr3(Es_mR)aV|2~Flf@l^sh
zrO<=nC7Cg^Z-E?`Jwtbv<?p2ewbnnSpb!+PzM|0^;BsO6V@x=YvpOs|=z$~zSERP>
z4kn&F!~Z$;)aAdt=m@B3MY{egtzwFJeu8op^DoitAm_}4I8xQqC^EvGExuP_G9+5r
z;rH2*n7^S=;$}_>{UgilVp6_;gOaVX{L_!WtGykxtESqq8x;<wPVxFbcw^(2Uz{_A
zVUE6#<zEN)pMx<WY9T3pe~B9pll$!a^)mm{?Fdk`KYj{G{&Z(wbY4=xB;oD~ZvQv0
zAnfA~CD%$uRy(&<`gnq@e_g)ZDwr>V0=6W&yYrn{vPmS+OE~{0Nh1VE+=e}MqhC8^
z+xp7Pf7$~U3kF#(j6RjVw1qk!L_Ai0a8V44Puz*Cn;3YyI#^sNJ5}e;B{Q@oU|M~z
zVyW(Ab5p+e$QubXR<D*P!!(mDMlw7;wM>1{+ccMS=stLAYn5X<#5W-0Sy|y9cNFG1
zenID9Hx(sS`G{isy!nVVd&pi~C;DN`X9kXRCvbZ?^0)n6-u#CPRRJN#Aoe1FLHy~W
z)`^Mt%|04_6P2Tbb)|}{XY#&>8^#xw`zKx+>C*IRH$BtC$u7blezQ=9z2&-{miwh-
zGy6kH>cGJ5{kQuo{r!bijQMLEy*eX3)%s<sbyr@z96DO(k+bA#21c1WQP75x=a)wh
z7^`)9-u&S4>|w&r$T4xF>1W&uR1Um#9(>~M=8q|ZNmKrceE%WO!b44bxKDdlW<kqv
zG$CAQ(DbZjKe3vizb?iM@l`y-r(<JrA<)Zm!)d%B#?*6F<)vz%dUJ33ZMoPqWmx{?
z<Q=~zk1=hZ<zU~_%cCWHOFt8*$nRh6|D>df=$$%wbe<_!pjg|#f6geRbNJYV+B;xl
zg00eT$h6R?7Kd5FOU+w*XQ@2TDtA$fvF|7=Q1?vsVvxgKKg-8`Vb$>XaVxiCbF!dC
zu9(2<KK(d3wMPTlDC0>M<rv0cluuRRfW-t$UcJ-@6vb3*E-|f8|K|xQ{l?LumC1B}
zMDL`(d-pf-{&v;|?HdojWj&vYLsc<~=~rAOT^?HU)%`+3Uy}hh-fu6_8Gjr3SAhl^
zKev)E|IZ2p4}~9DJu#HVFkDg~T^y-dGMq0eGqT23cXBu;jeK&@@+g7d`?{3RI-dXe
zkf+GTQElb+k;`EH)>?v~gQ?HfLDPr%d)^3w#y!`}HMgZMg(`ak6kA4s`Zj~yFK2OH
z!v;v>ZqHq6y=|}FljVi#OZ}NS-7DoR7Kj}yzLljNeJWH#tqZQ*c5`f0{L#jq@Hex4
zF8{sH5~gCdmt)c-VkTLH6Vkmi2_|&jOB@8ukWyQtPx=TTYy{QS_VAMP5hU;MFIH+k
zy-3TI6HcvHI}xkCKi+iie@?MlF53EnPF6b6Klk&_e>f+$-*-}`3+7QQr(r7<oRw7T
zRQuliVd~pp0WhIit=Ub>GJuQ#Ohv3!5%C*Sp_DliB5#L|mNhdfS^4c{5#9W0|I4m!
zEtm_@SxlI~;VVXtI<T~U)qf@bh=W{b;LE|vc|>~V<+f<FX0PnMwSr2B!>{)_lonQ5
zcJLtr$i}RkF`C>eAiL>eI%}rVX$qTR`!L!d@6k=4lLgzs8k(I;x>XPX=`KUw#4O-;
z(5F>BsdZ+xrnyCOiewlr%7O5YF1x&3`Fzi6;B@6az|OP6$&Fk-+4j82={hh&@9#|Y
zmrnS~uo0Y)F=eY%yX$4sX8-)z`O^LT6rb0!@?A+)`ve?>s!iq1Mf_-#TdsQ;T1wxs
z?xBFsrn6$S@#(>9&$m_qblQ};rz$r+H&8RIjYUQ_6zEqkoAMqcJk!g*rGUS?uv1KD
zsgJ~hoqnvJdHelEvytACwgaWV;{h%AJQniF)VUH%+}69YraVLYVZJSwy$?r)cP7mx
zD~e=Uz1B_a`rnmCpwC5ZFWY>3@ng^8TVdkzfKYQ5w$p+B$Xk<$e&MFF2pW5Sz5JlM
z(g%r*kNTG>Dg!T2%GWA6ntrK22Y!$fTd&&l5i=om?!D_S00Q~3`}{{3@=pjP8(u#R
zatcAHHA(VYP+cT<06gxC5;1IRqwh7ZF@K(ARrCJ(+~9Fi?o&vKCrOF;c2)qx?XspD
zDKx!r<R#r6?D-vxcW>zx8t|-qOHL<yg=Ud(M^1V#n0REs5frM#Wjt!t3ls2^Pf8O~
zzL1Ue0y*7Jr{0MXA2dRfcpqDL?VIp^8SX-EPb^y*jBgodGz2oE;7rb+aDL%jHqE|r
z(`7e7L-W#Q^4*v~a=)c3o3?$_XD%R3;Qsq&^So8?AJDz~T<01v6rzacRD=F{b~POF
z{NSz0m~Z~$l^3gq(k)b1Z@*UWZ621R_*IFt@dnMZx}Qym=OH5N-CG^3sIv#tuLtKk
zmw4<KzjpD}x&P4csX2;%YK?HgDmmhq82qWmak%!q?9r!L8xfaPCz1I^V{WH(b6y)d
zvN$%}(6WeOR+NnMw(x=ff=pr`cErqPz_xno=>UY+K)9K`(tgD0(5s@BRW0ub6Mww^
zjz9kl5UEm_da)FV+i6u-*_B%MnSJwtvvw#&uMHPZDf_1fhCW#zovS4;FHIY*Zqim!
zUqIn^rpdbXcp#sAtBc|N{LzYUIA0jIwI)P@mN(^g4snGwVx|@@Xddq}kKS;(uyFs`
zp}TtAF%b1Eb7q>Zg~z!Wtdh+hQt4h3l4h?nU4VGPr#&=5QeWkGBUyL<=Z!LSS@Soe
zqq!SQ;YwfdAB}K)1dl-%{l5*PRHzuLTMdh<{F}dsY4df0{Stt+wOakY??vt2lHoIl
z=Ze2%9<@xv;Xgk`{nB3<Tp8ePqwRM!AuXssJa4oLlZPpP?5ei+43P*5|7?{s!q7&e
z<ELnC`%*>cJ=1spmU$^I*l)Ca_`jAU6vjxSC5}fFqlv`18rpZ#LbjRB-ZQ0elD^VJ
zV(?n1yjC^9Yw;SCBB*6(6^jn~;E<O5KFa(tnQHw)gM!K)_@yI7`S(m6bJOg9!uf)i
zpO)l6P*wOZ&G&_HKq+E|1pqlOMC}#MGf5(B4A9Z=*9F}EA4(6XsUx9!V60*grYkG-
zSH<wprQKf%+keX)0Y3jvr$F&vKc&-kn%kxGLFn&SQ}?!(v>a;s8$|>#Yqt`l#H6?2
z>(yZhD9Y||2+qMNKnbCXCmv-%jEZ5e5nMOLln}(M_9l9*n7@f+OCbBIApg4<wjs+b
zfAthP`h9vmNf(1j2K@h5@c&=I|MOk&>`En=k$xkF{zf>kLR9pe@Sv@F{Nn{E6xw5K
z2T$C(r83D9a<MUG5dGhm#eV<^pK(?K;{eofiJ5+etbe{~mEArtsvAi2oK$yeJfIOz
z*WKt9Sc~LUOTFo-n1uTc+PO`p1iRmrK=!(PFSpwvQUQ@eh=YQ`d;(-lud!7EH@KX<
zjDS=zhf(E=lc@^?`mI6&hbmc}->>V9zZPHb1M@pQFy44&CW1A$oyGT=&(Wq9t&n9l
zF#0N_pW7O-3QQwok*14k_))fC+74_n@_|YCV6B_&G5B3P;I~Fq1_GNk5nzZ|x03sM
zaA{i&xEuzh`|YZy%J_;ImYTns^xcvvG_5K$Wjv2r>q(c<l<_^x24l;0-#_TY2{`W-
zYDNcP<0deriaTj<HJu1jbL+@^f0_z7abOU&qXKhjlkA3z)p_)?-!}Q5gp11F-0oXP
zZ}SuMnb++LKp;3FK`<Dk20u8T(lj27Fx~5)i<8r4zWF5k{Oknd`}YW#!ePt+eSquS
zas+F@TVSi$*LXCkIackI2ekZ{{IcNgrw}4rzkrz*d<GexO0jXt5saUlemDtzKA4ug
z4-5wTxib7RA@;yTr2sf94}NekI|g2Fz+*()p#F(NSE?wV4Dc!!aa+6vR}7|Bd-Ph&
z0mA9A)RQ)trAmGb3?xAx-#$RDOfQFsn%6*$!gl{x3$c(6u(unEi^jOKyUJL%LPl#`
zvg#H$>$i;X#0PimhYEAFRPK>J_DTwUH_Rzch;vOP2v8)S<q3Tz1P^`*ujVKwpK=uV
zC-Rj|gP8=0M^NSBTd%Hz<SPK)09rXXVZaG2gXaao))m0WZXuJeq~X6Kf3P|<faTp1
z|7Hyf=z{UF9Y!m8{DHI0V2&njm8F+`FmdEPU<;5Byelj3x0CUjR_3!8{dB>?@jF;G
zgnKEt29E&e8y-+oiv*tgHD~0hzf^g?c(^e(F!MPgvE3I~dae3+ebG$h&3UI1dJ8Oc
z<~i%?Pw=b*SF@ZiEgI!JFT#!>INGW~7<5MZ!IZFt;&nML80f<)r=eSJoPbwr6|s>j
zYEPwrZ_;>nI97JT@?b5=%u&~J6l@ah=XcX$+?XL0Sg48jHpGeiCNG?wNzz9>)`knN
zgye(S?yhlxCt^s%$JZwxammrZ!Ht@5bF_-Daj)kl-t6j@8xjg@xDOl<-B$;B!t9^3
z!>Lf;UUJ0|Sp<2~k(PJCI<~1IqymojS3IJ4=F4lTdFKf`NJD~%p^@S;QPl@^(-etU
z=pwPIS>S2tru}|R5&vWN1!m=X_m#^f7WGDLk0$;0z73+32&g%t#2m*Zc+G3xMKJ?w
zO2HXRFG7Vc?&3WjcaStQ)Zkqat0981tz$u&+8=c(laM`1R^D=lAl<T+CG;J;*znX+
zq;9z9VOjGzyH_N|CdQ1EPthz>nb2poAaD7(DvR#@paxbMp9HXNn&R6D`kv?kypXHJ
zVv!f(%=Xb=Ey~`qZ&md$2EoR6_JtB>{6uAta056!Qt_mM0p0B7!1At1YX0D8DsVuR
z)jxYy1o%yBf(iu%b}AY;=M0HPE-=aZ)u?`eRc$|9wR^MHks;T-i@wBB87F(3PsD-6
za$9-_53G_CFB6s=MBX~^?7)~h@Y#0Iml#IA+v188r~a|5m$$>qOsh1W8zOH2zt>b6
z0n=>hy6u#U{ej!7^}sv>T~a++*ieg#CBMF&{m>@~m+Kyn8#Uf6KDMJ0lTb~k6n-#*
z9qOSN-TC=M+<98QDi*jN@m&soc^W~+tk-G>wpSM};q47Zrv?S_apzF>50j)*9A6A<
z=S&HtOFuybI%KS)6|O&j|JANTW&3omx9Aypq!Vy_DQhX!%h3>VnN?oEK05jZoH+{a
zeGcahpdo!gPw;iR0N)#aOTapXjkR@Pmi)aSQYzqZ{f9>s_kKC(Z!V{FGXD-im`HRF
z(uzb|e}n14?rp!%1zwI6BrqG8-Zow8q<b;$q&*XfQdG&~AMd?kii-qZ-aGVU(Ix`u
zB?$xIek11bk>92(!F{%sFibK)2lf)@L8x=s$yT$KclUEUQh~u8t>k-|zW@_M^{M7n
z`>QyvYF)Q#JBsnJUs8bnlC=s#>yqf?QaIH;wTxllbt(l$UK5GRbK{WZ);7BEC5-L7
zI3UD1helSXfLR;L<aogyn9m{6DuR^lM?p1XAeI5C@%ACR!yT|GnVSV~5>FfD_rx{N
z(SPud4j)9>;2vC*>n{z|SS=L<b}xm5j-^LLB)!S{TqYX*dP#b6nD69{-}=~-$5)p`
z#}ADm0(tJ)LhWoIABTaV?E4LK&hdoAIL~2FFs1_pF12^bzWCUA?BLKtP#&u<VS5i1
zf^K$WOFJcrhuVbnKLv4}E&{8XP0TU)I;uwT?)c!Z!Sku=r`nb^pkJ<edyz#FgW|c8
z<Pa#xL!o$h*zN4oN#fCp2<8(=SE~sWfS~-s8eBUuK};{AoPKq$ro{vaDt0$IfmLcc
zn)EHK<SjHiSpV@7L^D<3yvGrkaq(*@qj1&`M97tBp(dR+I_Kl_Fj`9;Fc0`H*3lZG
z?@l|o+8xShN7xgG!3rCcM*(|J-B>2cWsFCPyWo53x9oJg-R#wm-}VMGcg<(!w=Hxh
z8+MveImz!3B~0Oe=}7eLl{tcHK*{NZgTN6}M#YvXsi0yzOLQE)Jt%o&UH$zypib8S
zNnFKGPUgMO1Z0^gac)vPQyY=YZ<49~?E+lBm2OMgt9@A!g|1<5^3P>ecaRUir53!X
z@f>%F;9ZHrAqgcQH@Z$xJ5gavPR)NuIJZ~6ayU2&@nrZlF90j-X%cIso~)~#og5j5
zU0v)+(`5DA4sO{8XE5{8KyDv+cs1_qAdSc1tNVx&m@z(EhDNvsbV|BmPc}w%foE$0
zNKZ7x=<Wj}-^zQRFWoL3)A^#RZ8pGIt+;ZWV=vWnUCt8}W2(7X)J|)n7A)80Y}vto
zb-8{gOdhL)PapQYQ3v*xnFnhlMXrUwhW6-0QW^>KQd<PskB?yzHH*4=+`is6d*(C2
z<0zZxVJYDDgs^Yq4#2v-g1PQI8B@T-&+x;osj|YNU@x!=dJC}@@9qY(=X40HZS4U=
zP@XM^jnOK@oNG{1uSdZiwXO@x;5I0n#*uzsa|ubKEIGKtCWraWgcxSc^=8DswkM)P
z`IrjtmMWlpMM|L>T^FL*HDG4kec&25KB!}yycw7wWL^_5<+)j07=`-85m{*D)fk&3
z>Gm*H_+AKa8e=z2X;D!3zqkM;9zoe-CR;yu=2k$0(&X4_KU}P9*rdZktNg)hXLhjO
z(`n(yC6j|AN$GLO*iR5k6K|n)hG~ylD4QPtxPCz2LNQH$3B@esj_8<c*OQ%zy#jbq
zaP3V>yjfaIgltyp>e7<`D1dSWZ+QDsNW(0-Wnd_RP3434-eQ29kWq08dn3$(28Cb1
zAmRMhNRbizB=o4s7Hi<C0+?uP+(wQDc4^80#WKA11;U2qcyYQHN3<bN!Y@4on*sYE
zA6vRQvQ|JZJ90PSa|Lmn6G(;<k7&}Jy#m47l|eQ<r~GMmf7)~>i7FVsOb>k^DQu;3
zUFnar8Jy3CIh)|Oac3Q`l{NR1%bm&tFC!GVB8rU1VXo)01cdLEwyif%F~d^pmrcDi
zU7#d0G_Z1sR{XLR;H_L@ZO3O=s4UdDe>qLcLxY)0DYC`Bta0(k&72@Jn$FCe;1x`)
z7Nooe00v?Zdz=zw6#!f)S1^WRNE#FwD%J|PSm*P=%-X|kC4YKM1*Cc|L&sdtJO+h5
z9qm$X8XL67_uP+={{lSQ#J@Llbg~t6z-VRSNSeJGUhDUIP?&D|bF6}|!WFd})G2G;
z@nLMmSTT2fUfyzp7T-nESayJWtaYD0c35f}UR7_2#J`ii3T~+)Rzld}_T;P+pC1;B
z@q<Xn{x8h^OQ@nG?FPKR4JAHxCGt^w!__)ghl&!Hp6oC8ReG!$@#<zGi8LWLrzu3-
zUq68o;$-L>F`seY&9&i(S}EUZpgJLuS-^9uYg}kOFnpz#!>O%gOZ(L;ng_J!m3ud2
zAGtC^r-$7@+p@*Y10=VjP5$*u*$rS0aIey`RBm$WyV%bW<V8PcUtH1D0}i(`YpP#x
zA3Vp}`5Morgzha*0-n&ieVOnfwj2A=%`@1JV;@S0j6X_*5z`vU$wJ$o(X9TwMy*2^
z3R+d0R(00PEl@kAsTPOjb;ZsS)hF#k9?VBR@Lmt~{#SFWfag+KbHKgIV(N&M-Mq{e
z^zKq?|8SvU^y)}inJa;D@tx-?&*&%`6-1A|mgv+GIy9O~QfCsAvzEscdm$W@Y)-@K
zNGuwdUjPc7;+4wGr7uO+23+|7FQje5Tp^(0^!X$-*%Qp6=KYFw?HzaNU2j|FCXwa=
zahdL53nc<QQ*m2CQ}_9Irg;Zj*o<PAs9!@z-$Er9ajNO02C$dJTK`lGxvWWg=D!iF
zM50#}Ex(B3VgrWn_iOI3Y(&$%D0->sBVggp>CUI%SEJ@qUhY#cVfXD#({)l`fV*yK
z+=<4cQv*^WIB#Qq11bzi&=yLx9h5h7?<uWHI9a~9^Y@1<ZgPSC;FETbZja0*$L9|o
z4}U6I!Z6dD*pOmky%~L3uqQP4@FgJO;Y^h~{l7PWmatO9ow_<nH_N58s(FI<bs(H^
z-nR=w*DXC-5_5m@d?uEs>Sk%_+HZoE#S8bvnsFaN6EeDV-0V0-{A+J&nirDH3{trb
zaNJCNLDFwn$7e7}RCRBI+cYT3649aa&Ze6tvF)Rk65%u%vy>NaL6}tf)&X}<P^i^N
zsYMnjp;CYWyk=R$Zq$Zj?b3bHXY5Rq)Ps+2bGH)Ll3qI!vJj`QD;iOgu?3<QV(uJV
zF3@rzDd6^qn*YG*4d}ocuapBnNV)XE$HRLBMaF#|c$!;`xBzmW^dt4CbgnO|fRee!
zSk3Zi4_$hvJfzUDD7Vm56oC%1^gl36{CWZW{1(6PubyE{w+pY+Mn1~NjB_i5;t+8L
z-3o!R%Q=C({p<<GrQ2?(keW@4Ry8^S?b_RJN?Di)Y8}w1EBIXgHOSu?WJQpTux{gm
zMFQf>GsbLIS66i;g*@_Kh;#mUW?7zr(K>~WCf9E^u_kY2Wh8CoIjHs&Zlxx4DKs+B
z=2%Ofu3?u-dadG!0s{8AU!81@`lC23g4f%t{&~w?L-qz$Z!cJfM<SQ2tg3a|dA$iG
zQilKJCC;qgWCiR<aTK-8#qAbGvNyRIM(bRsHBANXWOh%Kw7ZgI6LsUV0loARpq)h$
zqWrfSj|_<NfdRW-Z@Nr@Rdaxd*Y@4SpR8~ibo^J=oIA!Prfo6wW`Tbe{iYNG2HzM&
z5b^9;lSrB{w&`;GJ|%eBQo3&}2#)!S)8qtH%JPzCRBuwGJa{KOMlAM0WugBm1pm?3
zlxsvqbHL&B{S<I|Ki=z=lR?t3;d~@bYy=l@zI1AeW}W+r0scGrJ^AJuauhxt>)w0m
zO70Bb>5tfk4`znVoDA`4-`jNOcC9vTw-AfmYr!+rT0cM8$|GR)(<vEveK%_g00|T=
zblZ}=srQ)7ql*dY80T3hy`*t}_Do4BR9?FPBl!vrg15K6mxoRdm032{?XG8W<3(=0
zye+FvOvC>cBwvNKnY$*SP<`Av0Yr09Mte~t^LO=uFcQeQwZlsyNr}J}-XVr}L9(lN
z(s>tqm6OZNv*bRUDmi`ouF>pXmd-h|Pc08qthe4$uX7sYJ)Q;J_eLF>QP-a&{?eYb
z%rd@Do0`is<Rw)?(PSxAp*>bjif5@-7vT>!KV*q`uIaW&$*vd#Gf?$DT%(U(fCKhc
zc`N^$@)}YXm?EDKOB!ow@c!xcO7!6V+?Byfu&}y<;z02g6q`~1W?q)6XOD74X56QT
znU{9uxTR5U75M~Yp@X?vjEWvY*+`Jy5zKg8Z-|HKstv{!8i0(ojJ+Pzfj%|%Pgni9
zuVay~f?T4s@NuwtizY}!#+8wW;f#(t$U<O&8}&A;L8ybi<DDFnypckz!nn>E3G(sY
z;x}FrToe{-z)uu=Jj{XH#4KBlf;<>g-xW^cUw&$@fKU*b@|q(h5+P4`2fv2z^+kas
z!+Vil%6&OL0v!PG1dU7FG0{x`J}K*(n)QjF2iLxFC&eyK=lBPQ*S4}Cu|d6dYI-Gm
zaq3n@mLQ=L2of-TORsosqz#j#D-vK#B?0L9udfESq=Kt})C>ywN|@u<oyez(DJPF{
zon!;<%3u1pxReoSbcRa{MVNg<nUJkB9qw8LzV%&)jy^v!IP?;rkkSc6EBd^5(XFd6
z4M=TVU}d;&o41P?<b9E7iLeaWeW0OK<M=&f0;7%V%8(RT=t)S`wyN<<i#SXcC0NPf
zdHpD$tS&*)K@mF+qls8yj6*9O5K}f(bM;!~vK$Z<Z3W!<5C=q(8YNvzdMu{qxG!Gu
zIB59ne#vy-Bb9u#ajq}o+Bs#wZtTNQzZ*n!A4|O?LGDvg)V1cbJtryO9il41jMqNH
zLbocaS#oH(ob;wV%ZyX%hImpSEq{vT(EBkFK(U}FSlc0pqfRk;H$n>D`)l8CaWN31
zHxoHPr4kK)i|Em57fK$OPZ!O1{^0(kjs9S*hEU+>bz43z^llIa`Xcd~`!k)^o0Rk#
z-d*U<%f;KpWiKKbBA4^BR`<ZZj4=12Bp{)ahavOx@r4{-UAIA8oSzkL2T{9XU5?fR
z`7kF->lR2?c&m%#n7}nUM=05mDq0kU!Uq}}Mm*>PQc^h_VX=;q1qwJeUi>}i9g&23
z{FSi^+c@@t^F{1u<uu)tWaRv6bqlC4+b1A#C~Uqh`wMw|xKR{&QfyLTF!W9_jHsZB
z-5l?_Rw8ert!yMmczY!%C<+I!K?D|w6p0kafDO@YHNwSMR&iMC`S8>7210?3vM_w<
zHsGSE$HtQXEWE0PF*fQUs8`8i&_L~~P)xY7<Y|-*^hA7H3tzP^pdAy)&7qZ1(aa}S
z{8_$sG;e8a+<0(&S6gh3kJGzE{6F72@Hu}T4qxt1v={L@BwP5kO)B}_f1Rm{<&c)T
zGd&iFX-XO@fw*S3wQp9|OWo2zS3@TG=f$gN<K<6vVN|HLqKnM~qQ2s97u=ar8#Aeu
zC*QqScjg#GCz*$K2Y{fFC+)P(?MiC%8J)~^AAti0qmZa2wXzP87A~kt-^I~}`%agk
z&uXqUHtC&-VB(dt4>oN|YgHz$fS=`X5qIc!3$UF^m$uRA5}r>r7B%ueNIDK-`vfjN
zNgXLF)h$1EWUKrQ<Oo<s%WZ$eU8Qyb6q9_Aymw_SGjl}g;5G2J^DW-6?ZJD-8grQY
z!r%ht4-0G}wN!^10}(Y|h(XJmNrRV*;VvzbrnQ%qY^gWnNE2b@w*&7=yD9F!->3RC
zd_SNq4%dBKZSu*O!zu&xmY14>Htsjv^!rfTA}cR6MV=k#2Hp|~A;F+l+t|;Dg|0QM
zKq9d29bBn|^+TS2d;<gT*IPglG+?DW5E6Ki@t5Ka0@wCsslrbb7MqV(`8<RaIfb_{
zUY8W6t!$q;o`t`|MLK*xK)do$9TmOSAz@Y|KThB&isJi8ED+hMv~~u4csnC%v&1ln
zC0{>M_D#jhq)jR9tU6BQrH>UpW7{?&XU|RdcgE9r57$>-M-^@P#F>?yAJQsCfB&&l
zM2_AkRW*40IDC+2Ic)LD$}mwab+A?xx&<=AlWORVoRJIw8oREHD<$le(I<mh`vv;w
zkd5}`6+%XYZidf3&|)TVDA|!KurwdT{A<0)wN`aQUl2*Y6NW1Ko@sY7>leC}Ro@W%
zP1{IHw`zQ%)wbWfHzwxu;gQQh=tTAxEd*$PYpt}ryd=bV9+WM8`2GI=;%leEVk~?j
zDjg(&!$h5j0ZI{{n(L|YY_4cSe>z|=MR~$Q#i1y?Z4!2EDxef;d!B|h&pdg@%aqT!
zv=}0wNOL+9^bCI(CG12lAYI_q7MEfu(%KWE9O7)sVv6L3onn_w^+6f1TxHys(LsAy
z^sT|tU<oC4Nx!mJ8p-`U0VSDHy0w=o+e?5&6^dG?gW62j-^&+4q4Lga$9mx!9Dye+
z&tnmdmfc4y+3`CmMt?UCT*G5KJVdiMV6z~c6p8i7TuGg7SjYE4?Sh4g>XAufP`Bnf
z!Zx&b-tw-hB?nvOnG>JV!i5Z8qL3RyT=ncLLPkSwY&FhQkDB@RlcIjysj}P=v!vXI
zHkZ400vaC(l^mbUdw}OXd;aUA)OUQ>lOLxOt3&7OT&rkt&7-UAmD?#FqwTyA$<l^#
z{W%(Hq9c3lRZ-(f-(EjI)*jE_R5kl`q`tbl!D~8E%{FoT%c^p1xmMYX1R~N=3LV{k
zV(BPD<U~_mAC2LCFD^^Ayxz{D^=-8m&>V=lQqjKo>AmD-aa5Hg|B21G50wY`2B?b+
zn0O!zYS3BD9bSfP$SYF$d?+npOQeMUnuqvJSBfW*pVhn?<!pPH$e-f7;Pv6C<DtR`
zD9grn=+$@|>LQnrBlLkMpRw5pw*^C(I2?ySp5ii#lzJED3mpv_IanrVQIAIBm`xMl
z5Ly##@mpK24HeNkv!rkx<L|)7Hzqu%w3^QjUq_%b<)F8qhR`ldy9gvm3AEHGYS{FY
z-(Jja<(zE1yS;1;jXhSMGHbl(CO%<!-UurS-x5UB13ZpOh%I*C7i{4UEc=!QMWFLA
z;+{Yb?|$91pNid$W6W4Ch(n@%+R;9q$G=)8DtD&o8NQbmAJY-kNj<xx9VnxpQFrk!
zJT<vfJ<XoeOB|Z(e7c^q2H5~=Tirsc&V-$JqfL}cD@nI6IH7a&jN}7ywt{_(C6}85
zUDti!nF5L@V_8)OUj<F)$Z3n5u^#Zsb7ME{U8y|st9W5Y)uTv0B$U|{iha{{kv*~d
zwJyXV<%AQ^K!x)tD#ieGs6$w??CrjPx*x{3`c3;!=_b$pRAfrPK&lz0fTHkFB<|%T
z3;I+KDPxp=)bTjTOAM;)#nOi<Hl?d!3b|rlFA2z)@^cA72wsp~e+Y;QeV^_3K~F2+
zUVbsY97~z<=+|d9-^2BETz#`@N5gc(c@(?`N0Dm!3S6l<OEoUH`TSV3?F)M;^$$o8
zTMHI?S|A<Rk4Nc}iI5|4Ke_>U?T!a|3$;9+0Qm+;hNZ6u7lWiVcQ%dUYRGrP4k%L6
zdv~6<jqdu5JA2qG5$$xOZXcH*1M=pA4ISqY0oSQxGp=LpDD-Tt!V|pdU{;lnOfHSU
zmeJ@Qxka6O`2n4zWOwk^J&K}1hlw|}r{T=Xp=kCtt?Dh{%cQ5~A^PA@d(>zCSyxn$
zlJUzC=FB4}zAV7DC~p&OVk3yu_dOU9;O$n3X)#&Z9V*&im~GteY_RCEm-60VW2ki(
zB5kh7WY6&QYYf@UPwG`d)DQEh#fkAN>W?tzCg(XCJ!*)TWP_sMm+;r_(n?oE?uB{M
zSt5|)r~aonjZ<Q%H}9ISvJreR=pLeVVVu<=6!-`T%OiU{Yh-<|2devx)A)2p1E-F$
z)=o|OzxTv2M-ybcM!QCIwc+3f-Un?UYn?aWRrz_OpG!14R$;6qzpF9LcY@A?Ac-Oa
ztqHw+zk>8YuGZR-W$O#j^BIexGdT@bm4cEj<3$t{OXzHA?`W_TlsGpxhtt_0A7Lpm
zeQzPhFTzhHXj09^`8s9BGVGrs)N#G#Qp1T-F|VQkh8qeIo<;6BZH0?&j#c0G)^-uv
z#-aIC7>93W3uB96m9spf3prx7v|&p990&0Va1aI4Qq&4v??@nriP#`ugIEqP1^iGO
z5MwfODT9TxPFY$q54K<vd)+JsvU80Gd0^s+Z$oXm|MaLRby0YVXc60k>F1Z=gKJG^
zTtfNI*sa4Ylx8q{Q{F_r#t8H<|C_M$aeu{$C=%k1hId{|J3+|9!C&2jzNeR{Pol$X
z$q>d#P>tY0^SHBy*v-Q9jC3cXmMsoW<Z#l%PB<G3N`!(}XD;>i?Rf@{sZ0rtd8W;O
zaW7KIapPj5x`A?`G~E=Bt`m+TL=9C*(2tx!K7Ni4_1<1=DI$&&utwri=hl!>{QE>0
z`y)aeZ}?)cqRGJ3LcDO}3*Xp`Jac+|zLwVpp-0rHOA=_CoUP-y{maaf{?A=)G_=lF
zpRw7{ZGOTQzDcU=cky%&WIm#a7N6>GH$1tOcKwwu3;j*|7Eyo&Y}NqE<9h5`(pn1}
zfOkIS2>GxuahRi`(Lmv;h}h^fE4@yI-O9j$#AkzS_he$>w<xTO0dh-##~c*^zMN_W
z>mbYQl|bRy2j|(H{H<^8u(^C&#(Aywfn;P}p6c+bDP9c*qnOYkwa^QR%8eMVB9Ht`
z^94Xwf*EFU>#;>^QW$C0+KcQP?L&ZBk8oLg{%=H@s4FOV(+{0deVcB}<X>1vT!uXS
z3Fix@XMaip_BmedlYj`74JiSdyxU6aOBex=aTn-0;G^1jyqH4XU%%u`e5K&r8A131
zC*F~dhSVintt2eeUTTCny2|z0%pgC3QSsw^x}VV{)QXI}QHz#aKy)kELU?0NtTp(L
z?+r=+^#@4BVh}kSf@UYi(w^eTurFpL;(NPF>$>$N)7$v+K<(z8;zSz~%=i<NljgMV
zY?Tt`!TUzcMe~Lx*u~+Ganw9QE6usz2I*BGB&J1u+5!yKP|7{~?tvR238EH-Yq|aa
zu3@NfmHRf~V_-<F)MGjydf<37E<FnrGnuF~UNBT)WGSrm=)N%vECCG<_)%Z9blY9{
z+bZ985AFzG+k;c&W0LdX=-w|S(()D6=UHTL&&nPPdX%WgjG<puii!7Lfua`7D+Uhy
zfCyd0<r|x!L5{-C<H3eof?X+BXQ0bq{={-M_}5isKlt8U(C!X<eV$IVczEz3pLysr
z!H)Yeyb<WFEL))hf7`qDt_fm>u0y0zAN{I8^6<kmDr!MZb%S?d=*3x(S#RwWzpHFD
zYM+`?F*=0sw%nNrK!em5w3q=(!Ydv0qOe0In#edmD2#F~pELY&9_&81PW*Kn4GfrU
ztEKimuAvO(*inBx?$)dOIh@px-e^7yUdT_yAYUHdD|>RwFji3kD;uR4(67d@TSZ1E
zEMI~fMmFhxWMQ~Lf=?6wgt(QO6d17G!j{x6m!%^7n5y%G_?LNkdNi$2;mcp#zg`Pk
zNQH16eI}RVoDYV>1^0vdKS+EcH;=cc!6(s4qT%_BGc&D)DDmJ3bj(tT$+zuI=VcY_
zca;H9eY&0L+?SZWuef3KI!1?p^$~@~yEMLr<|lZAMR3Di%?7`PFeJ*aLij4e{wO1}
zUbWPKr<8Z0H+xq+^QXc9qpMzq%i5y>)Qx?$&+H<BW7iU2KXD%^Oc>`YVLJZlelD0=
zc?gvme+$`=35b<VYkp00Sh}W;Aj|X{>7cIsg{DtE@N($-b#cYMkumZHkt9{`^K{3u
z)Z}oXQKccGhq+6R+NUa<-#zk#%yWH0Y5Mx}RtNeg+RsX9FYT4kn+>JvFi=W*KHn^|
zEXR|+g}}svR3PU3!8{@`@=6||HM|!?a9cmG%t!~L{<r(YZ#VUkyendr_Aq;NO|J+m
z@!QMi;XPyU>V$9b+v6!Uvxv86tBZ{1-$*Lv=wj|vMubmV1_w;}A+MH5Dn~zI(X3=;
zYlIb&O<EPf93;F_0|4F^uwto1?eo-TZrBaXk^0^EX)AJ?mx3qqaZYSaH8=AT343mu
z!`F3ksg$XZP{WG&G8%7X1u}&Ig*ys(C6_{?W{E*Z*|?QDu~Nr|7;n9_ep4@lqd@kH
z!fs%KEquig`hZFnQXL$`-n#~<FU78JGCQ!k>O$TeZHy&@{?#ncx2TH@DUYahuUSGv
z^XaCO%`8<GZ{_Dk@tX0b1}iwI#*6b4!?0^q?D8{s^O<d;!!jNC(M0AoWLKWJgs@(@
zi#rn(k6YxLT;&M$g`R<CWf89>9l-<IE8Yrq*TlA4;)uR7XDF%cp#SJ6l${(7d<6~|
zyhNOc+p9xYdHvF41KaeUePpjJyESnO5NNWD9eHvVk3JP|6xw|+6421??mf?bL_VTN
z*cq2mul##PkNF3qSTpFvb??g!@3~up8r~Z%l#ws38>Ab1-94o+jlXAp-w^LLfM|TI
zLH>73pp594^vT55>sapFH=<<mOoez8CgN{~vR5LwF9laVFv73MC+d8-1UA9qyH>zg
z{EZM}M0)CLl2Mf~ClR6#Z~e;=ab5l~r|-^e9rHAeOZA!;uMBz02~Oo{*qYgtmDqBk
z1HwWC5giKAQ~|J>v%sm+$?M*frl&QIA`hOAa_CqxIz3J$w<wI<E1_Pu9iH)eSbJa&
zxSI)G)1N{UjVbY|;t{NqS`Ehl1(mCMG@$ZaG+tQ*D&%D}V}q=|JQ9@PBOZSzUU?rs
zjz>)xLKn#g5on0xZjZ{u!8AzH^%CGQ3FyrHkLy1w3?G?L5z9*&&)>ukCQ$~I*8?)i
ze8Zw7_Lc4Tyg8?{#6BBUBM1P#7Di%sT#e-W(vm8_S#DH}?QIBRi`<1d#jLyp%-;~E
zcoT4~4(6~PFiuX9GK%H%T7p2JNBsp2<NL~E2@$AfTRhM4J>IpE@>qGV<q*AT(}a(|
z$ygQTSd<bmYOKwjlqp@a_oUC)p-ZRCWz8^AsAy)g>6=FWT1hxGNG#(b2eRE-6+vaP
zuJfze*o!*}i$i3+Cu(rDLhcMS<?Nm?%iP}jP^;ikf3Qt&Cuc3GwP_McWUIME4?_Og
zRi{iTc*T|Lx0=@cw<AQmZpLgAR?_A@Hp&SItZTM&4<<)>Ix5+EA{=Gj|87zM{dsz2
zx)r`}wmmNimXp1X;K^a(FM}|7Do2Io-~$f2DK`F@&<}(QH6=8NW}F@Pg}8rZO4EiO
ze4$^ZqRY$7=^196Rn;Z_x4IUE`Qm!RGGLk$$}%RpZC`f~+~3jj!&&*hh?!SyYi?8F
z#w*+?qT47ZKOW1^Wme7U;CR)qZJx}(yiGNun8=$Dfxl7#5r~`wJ%>S=e8uop0{}1U
zS&pj_3RpW+$O=E`fWjdZDp;3S<IsmI1FCK7$Cpjx)e_R-wI(7+^|$<jg^s~$?EJW-
zNUC%zs16b`ts3M+j8xJ?(p>SNC=Ci{#e-G+oWbhlSCdQi?7%ttY;O$&GSs(`G&>K4
zM1<78b#penuPA)nIQd>A=1xPz)r0&Q3dyda-@}e}-ZNOwvK&7ui7JOb-efh4?XNq_
zL-f4#fPl6g?PPq*kAA(EaY;V``jVLsYL<f#<D5^^@O`&xyC|5MK*1Wc6swn5&6%t$
z{*skq^yS8F61F$kEGXGIah*@aj~;=EVKLs79=}I~e8FP4%MK{CoycK4Fg!*0;R3dg
z|0vCYRYIW(B6vs#itqIFZQj(l*{edTjyGyP!NcWXa+7J`w8*_Ux{JFWy)uBXZMC0P
z^He*%S$SfOI@iWmJHJ{ft#C1m_9FSN@%<sp5R>CSC~V1=K2LLj<9x$w1b12#6uY%K
z<m-&GtYvK$TN0(Eq4`!E8Z;lZDBeHkP}R%RPD217y9*b<Pe`GUH=;kd%&G92ec+#A
zF=yogRT@@9MZU5j@B*S13`Rqu(d?BtF7FYM!By7wjWU(nvFz)!eX6X6BWzFTEFVHW
zk>;@MdowLzyvjHi0o$Jl0F%*CFNH0M?uredLKQW92zCYo{6bD?`I5FZ``Ih+5VTx@
zh6jl~{7Sb9itlkRgx2o?PfB;N8xp^x`=B&f>|<3=6g+~yjw$)BEd}=7(83d!75Wz!
zAeu``*@ogS9~HJs!2y9lrsr6KE<xD`R>>l1VORky4tF%kFrvxX>#JSl7+fuMAx5F?
zeJ-mI3cqnx?`j$D19gjtI})uE_gE&sC8IMhk1`H?=pQ_YND$9gY<kwEc>_$X+Vq!Q
zKL<j>mP;@daiG}j+si%}H!J>Gegf+G)%F}}QzV_)sYK69Nzz8&HBtk9)#J5vr2Gl>
z<U79)cf~F0RrZ}jThdQJ@LmgA1?{ZCneX$Rk){dVIb;=I-v3TM&H2l>S@=NH;>$Do
zRne0-l5SK_;Y{4p$r9UP#_L`aq%XopRsq>jhm(4~i@j1p;u5(~3#EJmv^mPxC7)z+
z3a|x>e02qg*a!fPG6(Rsbi=S=r8Fb6)PdPZnshy{mowNZYVzO+as#?Z7cPktk92YK
z#d$q@?og4j@wJLOT;~&jUg-fNp0tQJMiPJgOsq)$;u)@4Byo5<m8C7zl!*-YQ*}dL
zWC8rKK*!BvG9>OMF_r6d9D4R0J>;<R(ZJyM8rt-6FG5M!A7h-hiJJbHS2f}wEL<O(
zuFnSXY7_?p<~&Tl`xuHZpi<LEyjNA1nh9i_3ni=;MeM9_b~bj(j&SKOqvHv&&srFx
zye3BB6+VZ;&wh>Na-@%(^BtyVPtFZn(aI$cdTjNMmqK{S5;@@rmk!dk&exJLyou4c
z>?`^?Z@Cz`Wc@PjZ?xBphifmH&OUmKSvMxBs8HjhAq~ipLW)AYP*PuIgnfUlrtu0W
z_Vjv>!xG6(Sfs1cv%u<EPxsNDANEYoY9c5O-aS4dq~6M4(;})OxZB*q$hc;%P@Hb!
zD6<q$LC44B*Zx!r)fNP^h9MCWgGi;j+tTchv09;Ahc|4xvZbqF86DO^KeZdu34)bQ
zxg%Evs>c<pCw=&|UR{SDfcG!7a0UNb>k=%sgDxmQfeu7i30Ne+=%cvF1sbwCa)W-F
zh{Vf3kPM2T+$*$dmfe`BH;y3|;wJMCM$c~3DYD7;yU2COsBtntWUY;Z38i}gk-Fm8
zbGX<fv6_~R9=3ib*+a&4rDcx^LhwL2h=3M3Xetg7Cky)pVy;^&Kd#eP>Y952k)+}6
zl7gu-CS<q7+$H>iU!GIe8Rv!O3HIyHiF1>yzK-(F|F_9ntIE6cRS^aqSPd{a{xQ`U
z%>^CK%a)W#{*RQ=DL>lVi?h5NSFdXHdd!~M3}tw5Kc0F@EMmV$QI};JFuK!gf*CY;
zydF!$>pru<W0pWbd#&n8sc+sl($%}|+x5J9ed`x(<Fh}G4$!j)?EU9{o>tV<41H%2
zqWizns0*ymFZxqfhUqbvpv=F@T`+m?MZX&p)@Rv}YH<h!gOpRAMp~Gc5!3AWPOl_&
zw3DcpHic5$GrW`A<~o*x@+XER>?YJ~=?7lS3occua^wQ<>p<5lEWM_j4zw5L!<b-|
zT_+AY{ORhBG9z$A?NLk$5Qoz#Lpce{x&USZsr$eX35#TsPJhDCLiFCYw^WUREO>@o
z`Wfuoc1mU>j#|!E@b#PiTppy>78ETyl?YvG9B05x6t#^<w64!W&CXAM4XuHhgK>^Y
z{3Zsswi5Y_6RPQs*or@%n8rIk(C0Q>m1|R$0|koVeZYU)wi~fKcgCV8%VCqH-E&00
z4NfHvP!95&BT$wW`CY-^2lMfks5lSf1TOMb@mr}}9Jb@9m9I;)Bk1+=bXJ-QX}%V_
z$_$_04dyzdEmb<iYUok@JQL;Uak)X*XiwA~GZAr9u5>4RKp_P;Qj|fPC(!M-4cu<S
zJOUb)clEIv)s}tCnkM481CW%QXumOz(08u;1$sHp^e8cl;Q~;DKL{&e<V%1I>R{Lk
zc?gE!6;z|&B})(I=XXWo2=Po#dx@`0LcDPZ(;E-+eL^V_&Bxwt*rVsYCbyZIhT=Rv
zy5HOK0q$CEA6N`m2*IK?-ZCDQb(8@UPwJk$z?z#Cl?BM&q((&?R)?q}Y5Y~v8Pe@x
z%%#KYi+L4FU(Ym0IF)FZy(QdN+1coyI>p|}u2pa}@zT)qs+aYXdSBX|crB*g8F{?U
z7RRra>-i8j(Eod*V8IS(+@=fw41Cp5Zw?SaM!x(T11D7Ta`xfJ&b<U)xNBEpU;19R
zRax+1(ew?q8l1h4ab^#c)a<M(#;hbpR{Hmx7gGm8Tbk+yxqvvd>5OfW<^j#4vh1*M
zEV37Dlz7sgAbs+EkzS8L+7gEpvrMPvD%Sr)f+IBy5(Y{z8tnShyx((op8*U8j1+Qw
zo74PL9%z<YBi_u}Bx0tVbVvU+<s=SN=1L3hs4GY#+TH7=^g!8zdt)9}aaSQ|3|)Rp
zLy9me2t(BA#J7YvuSp)ghFi3_N~7SWLQLovS0TtSjC7t@thVzOz;@Cm3_%YKB$sBT
zl!|LK>R%o*kNcGVhLB>pD)XDdR*lq(!p19%a^8KH20g<Nw(51DuPEq`R(GSpDB;gm
zRY=k*(zzxo7BFw|^S@Ugb(||-U49n{bh}K;S1Z*z!`R7zPkVwz{~Mr-$E4nT;XNk3
zFE@X<GD_92%?xwY&#l(QV!8{zKMMvtiJO8~O9_rFx%Aoo0P;<q+PEA74TIxQ2ySEg
zK$qXC(T8PX#mO9|@bU(^>%pEvxa4<micpUQiG*RE0u7mf0Z>=?Zear@6L2cwvC<Ex
zzWUJ%=tGhUi^B>ZJoj>*0+I`iK*LZB%itUU-Wgp)LGPOqc@4pIVjUt3ykL;nq=Q3i
z*dt$;^Xe%O^aJvve$UQzzCWjw?E;Dw5}o?*^J@V4RQDE}(_};8EeDVk6$D<K7e)<%
zW-+y{KTuW}EC?q&gKz2^R45(@&BO8O{Woiu@`0{_g-J63<lN-aph;PnupWX>e3@bt
zlt+ap^6c$#z<t~s*m$h;=M3EeJ;1wnu7kGIQ{LtiP#fpBkmgU~;}GvY+tJCT$*z?T
z#wiq5`0)6LL6}HF@dltQ-nrkU)u#%!l``vndbTH!nl^MBS^2igZ$0qmmr4zjZGex3
za;=-c?4fuQuw@v8?_zCCHkuh`h9rLgI*CFlYKZmPaLEdw6dA2utXK3J@EEnWwsb$W
zZz%G2`0*Z2p>Mz(s!Dssw8*e%k*#ujGh{pDL5qD<iqSs4VzjSr4*z)g`%3QHH-YeD
zh;?^zu`4n9kIs2ed#&1YcF;y;E%2*>sLHQQGCJ0<jo({nLU6!L$TDNz?XxO@4QoM?
z$1<Wsh>Ee_iD>Zp<8s~&NpS?E(=c0_vI+k&AcHVa`xr^Vu?$$DxA#RA@#N`TzIWBn
zn0k3BMD^*Y(6A92btnKL;m{Iy7BP-}+sFsIAr0>^jz@IFmNS@)`On_)e$UOV{P*>f
z*D7IKkTUttHITAx0UO3n>3PeCc%0qXH{SNAY5zV%RnGt65CH-whJmS-A#34%s}DmM
zjSMX@skl1vFTDe0boj_2rv4o{;i#;5_$?Dd)RC2c;JGmhhey)@?`AJJ1xIw#R?Qrl
zVG9^lL#7yAJ{{A>ie&i6`0S_E*D3bOpJXV?Fd}Mpq-?`(7vJhsQ>(OCT*EVK0*sU~
zz=I>aCzfh~ff&$UZD~z5Q}q5gWMHJ<$Q5<l*zS@gFh*k0P5Ay766*U>pc4ld0sK*a
z1}XP^DUh1(N#u)y-i(ynB8edoeu_Cw7F+8GC`OO`+}>uFMgc7l@8I-C^;E9oL|p;y
zJ&F7UUv3hYQi*tcS6^@k(kMoIStLZj8=Sz^mk(%4T@}x2tXjK6vN^(NW!wFtXoX6_
z@a+h#bm<>gO<hfjDW=6*$D7^3<~)AteCUN?y)pb7>&-lwGflD-Ge<DmEG}~sg^wk{
zBntEmVfZcB@<h*>r_m^-!Av-@X_H^APYn5QfddM%7Ea2zJm%DFcr8CN4Dez9S9@<A
zRps8Tfzlx$B_Q2hN_VGph|-F5N`rJGjg&Nt5CQ2$r_#OX7HN=_ZtlC#y|-tdZ=dts
z@%?khxX1rwt+C!;%=ye`=37{gPjmK`K10=OywosLtJI*F1I?GhV;yAkwXv>OW*=w{
z!I8kG!r*URtOgpZK5pN8&s;&In8p_in15vqA}-aC(MKT$O>eN5Y|00LT8+X843y#+
zQ#t?>fkEhs{9S#YewD8Eg##n?e$5GkF8gPF8X^i`H==rIfHqJ*t`vwSM}_hNsI#+K
zbYAJkUUd&5cz`@$H2%#`8Xw8cIJWL{1LYV@W)7v$;!;OAjvz7fXQ@X~K#U$nsBWC^
zZUPGYgqg%&owIjUQu%1b@3D3C(c<k9{b-;gP7Zu)Q2-%Wr!tQ)2*c9J>3B7_QhS_s
zIgriP`e*SbFn=<b#2B9i<uw4waZA9QAy>T`J^H{2)^`yD0=36_1R$VX7MT6Mb{?mO
zE)8veHJk^AnjL+9?4$z?LvjGaM0f5I1Hd%HyW3)`$xujyHxohTuo9=hhMNn1f0<PB
zP{93#B-CV0lcxSdCP8gX7%b<!n(pOG9P|7*MDboXe|Uh+$Xvi31UnB^F19E994(~S
zmGR#W88~wd2|Yw2>-+Rc9VoCsRWEgx$@}-vR$2nwGOCAxP>UJ~V1pZTO@?Dg?<S7C
zBI?eM<*ovtB#?=n`2dnVqV-2-gET=*+cC7W!Ne-osv4*!yhrdr<qT>x45l-LJqm|j
zC6}N%?$d!80>Ue5fM~bIW*tysrpPb}4N~jW*rumk0&mXU$ne+&;W2Ar^)6-`y+_@G
z9A^;<mH?ICT3j6E5J2*sKtp1?D9Ess;KeNbmeXJM``ueYkTm0SP4vDreokm!4Z9uM
zzA$;lpaB#jF@PTdU>$_my#uU7vm8znRr0tLm{p=4O(v|lISuq3bUfg+lMwVgd;OFJ
zF1OmKBP<M(z0DRTp$Rk`LhD7>=77RQokq8ECLF)UI=WBPAF}vgJ_4GL5g2<&Y^Yjo
zHmvU}{6W71A@$Pl%C(VeGPZ!^(WQ(c&?;p47KavvY-YOBtf<$JB98*h;2wSpEwlk#
zM!KiRTR@#Q&@X=PDI3A#B0&4HlR3@Qfk2$5{2b6PsMhRxZgjYEB^bsFLQF>DNA{Br
z2sy8sG{^w}Pz`87KnWsOr7;4m9<+B*+I;ep_N#UQqkAdvNI>V-?lWGa4U&B<LM~}2
zF}3)en3gEK8zf269Rf;72G(IhzNo&z#~5$LQifq?1*TA>PEZzgk^7_pa4#Q#grPpU
zl!A&&2Z`kU`muW#=z4hCGYzzGG7T}vy=F<}1$E4+CZ1N$+G=RPOg97FpqoI|o*LO2
zP`_U=#BSKESfHM#9$2kepf2-?I`KXKOO`u!`V2iCH-pM?ts6+0l|=lLpeqW2-AG$3
z$C>cx!}tAvmiNSH1mb1+0dW)z623>+fOX?lO5ysBx$9R$P+kK>&DT45dTts~ZQ|&Z
zJ_1deM;kfOg&rc;M;drIe#b8i7y{5R4}qpmMxUFjFbGxiM4)r~11@Cr&SF)d<A=hD
zKt=5*3#|_YYM+0NsQUHt2dMwUY(pStI9qLlS0~;0i4>TfalC(Uv)_gpPpg1$Iam95
z-urSV45q8X9e0LOG8h6>HOh+KoKXYKGpg=pK((U^(7mUX@tg!7-rfi3E5MsZ1f>I|
zIoMmFw5G}r6)H&h#Gi1;Hb7a(w0<d2fDP?!|5bnulz8T&jlajyVW|MRF_?5e7nL>>
z#Y6mIsOhSpU6!tU26zst1?sdZeD+i(Kz;9r_mtHHAY6Kt3{66GEXjs9$Clj4ZW+M;
zKS?l&Ibh@X?O|OCzBw|Vsdr{J>3=^Q3Ox*ZbUI)v9R+Q2juO<054>EhK*7e6Ag1)S
zcM$|Ip+$R)HVUW~j0)1PeeG9mx1c;-VUhzh%{n*{+LO!8R{`Cg&Sz+hbulvNASA$e
zs~ebmMxTBA5`;FIr;w!SS@w1-^dU;VD?nh<*u;}t2mtIGWcxF3`!`JrrUpjKlf`z+
zex@t~3KEOrjet&{XLXLT6ISh^*s-o`!cstU-%pFq#$@DblMnqh)qfCp&dh+1Lqv5B
z^hznYU(gG+iVMS-TLqa1psXKSb^h4NRD}1#U>E?v`t&tq)1=QPouNb0?l=K3G^}oT
zX@dH<nOA^SQ(JPKH~ty!{D2nxF95fXm2z`P4eF3Uo9>7aV4<A?hyymEK|k4X*H3;4
z!I3CJb0?fc2S}73p+k&z83h0_&*^B>5v0XXY@m}A*%5vjrk6mjJ*Y9l3Oa$R6`jAE
z<vA9Bk}mYnN!`1(wsp!V#kw?vsm`yr>h5~gP=NQ;9Mb1J41><yYN^MTG}{PxwE>2D
zIwlTX@iTYZgie5ElNWH*yYn;$J?|S&_={2fc`yg9!TvBcph`iW|2voeI~PDL{!d>1
zPmlf&U;ba>?$>}g=BG~%>1a7|5J>!67Zs97IW!#ed+sWF>nakHQQ@kwzlqF!zE*gK
zQf#Bvxh+ADH3OXrHf}Y^Abqg%xJ|lC449gb_keM(NrtrcO*Cpm9KDKi=-?9Yas_JH
z*i?v&NY4J7Z`CbJAPklJ4oM1F-?SKj$yn}>-aQ8bYdb3o1fyZjvm1Hzf`U2}>+E{D
z8D1ff*&*jVICn=noxUhx<c)E^g^_OYA-*?}^>m`QLsgoMuSI$@>1E$(xNV$c7OV>w
zf3!Tud0V2}U_p;@V<hDD!+S3#ks^?XruNEU8(*Ric;z~Z&B{>X(YF^+dlnFsZ}DBi
z{1vj0(0~=sZth42n(7Q!K@fyP;&z2OQ}q%bW1~|b;R`TJif1=Vysc|E2|nYVg_eZ5
zq(3tq@H#F{wgbH2$pE0<_H|stoIen)dmT>ms`|c9pv!ED7uTB+y_t$-yWVt8X5lx6
z#7yy`1p3XMK{8S2kvDo($s>76N;WCud3482MRi}=&Ng}DHoJ#$HS68P>uV%6R)glQ
zPbn`}QstdCy6t;YXsMkWmVGoAgR{Z*vt&fKTX5rhjd@m#UiDmKIgScUx)qQ7&LW9K
z!|~Y{#I!lha<{cPN2VPK;zRHqFDyn#X6n`{@Vb)%1gfp&@cJI)6bqgXN8_3ml@nam
zB_6ExDvvWI=HAXfmmIL`oHGGC%=5fCSyU#omW@o6&mYRj581WI6Pc|$rSLjiMR-#v
zi+t?5Q)pto=AZDr!DE&;Phh;a&}T@$LS_I+I4W31An!E>0SQfKQt{&s_~*@2w^ncJ
z*LUKXW%0*{&MeRvfOwc@vlI5QkDGb^(0TZM5&@Z85>a_Zjod8y`l{ojCfh@{3-?~V
zH&v%i-#Ojz=@kv-*hTDl(*?W|%RZP`RWqH>&F|6`Uhbup-!O6}L4v}Q3Ji`N#_Fz>
zm;&K526|f9)eabS3m*xOtZMbfh}dLTDQ46K-tfP9cb|-3Cbi~P>HN?*Uqo0yeWIW6
z%ezw7^=1d+gBfbD`ShC$?=R#|YuoNjIt-Y?o_odjN)1g}vN_F$hUabU)b(G?6R;U%
zJFc@s$kCn^kfXW<7d~SF-WS4=ihot598~!2e8b*V0Xm8Dv!rf;^<%iGn1x7ZX0`Qd
z-r@QIL0s$^F}HK34_GtZHB7dc(0-ThXAcc9CCuB}ly)7^pbQFd;->|!uxIiYuJo|`
zF1UM{M_%uKL3~rJLO}FmnM>Mq&vsS{8#N|hWL{8p`d!dQtT(wv-AGV@cAF*F$>e!F
ztp?JY?Hit>sc=a~mBCMAn-j#FrQ@j<yGz_$`>PpXuOV0>4kMuimXu5#?&4w;6z}M!
z(=P#GX`X^7u9nV@HqzPogF1yJ@F1_Fj_A$cCB#jiNGnKMN0G%qFzM0aR`ke>lHf+b
z%U2Aqf}O_dEo`KlC+vVJftSJ`%RF~?*gr}n8-=~s!7#QxJ8c;$bIsH=HXl1nE)>O5
zei1{hYg)f|VhZ*g&`PN>#_;;uLa;OK`aB2;+>j@N*PR;Bd~?owyq8L>d3@yYV~MuK
zO~}*E3eRDGqEesnY2kyTZCyjv^g@%5#^rEFqwV}on+GP+=HhE&mT2okz+1t2vX~4?
zyOK)ga#wu$b6B;@W1ESD14KO5Q30V6(rNN;xOn_y@;hrGW}}2*xeGA{DZknPt|*1b
ztt}Jxr>B0lHd-MWZs)ki)YKZCM_dQ%ghxI*Uar2H(g!|%D<nziRD|LWU}+i2{C%}G
z_uJjV-lKldP!Ssn%>Ky0KsUx2{_rujvKWnABKng-{wG)0B2A}jf|Y^|+x=t8ryhr!
zKJDqJ-=BIF7F`~Gf9jg)Ec0q}CeKFd)?<A%(|CJDyR&AzC>QmnMZZrYcUIc0YjxrE
zVs}LFW%0{-qJ!>AY7A_<$%?n0`>Sr#Ew@>l1a{s>>Dx1vDi?E3$=I+YC**t#1g_SM
z(Je=QU<>bxa*Nrh`Gd1?@`nu&@_h$~>jctVr9+uu$QRLhHcR?h*WJX&%lUm6&s?~g
zPdLD>d_)GqUoN7|;8AUsB%i9H6rW^U<IJ>Q;?tfzgx&ESxp8Wfe!1&hVjhSe=bfIC
zuo}!f6z4Cbbmsj>Edb&{-}mEGjJJ)=dzB7Kla7)rJIRZg@2w3gHNF$UeZy`$POa{F
z|6^3q)Ousqu(ynUmxJ&*nD`PSkxYL!wVxSfXP<tLXS#jU5kD23UF2MX4dro#jd^s_
zKKY>`mQKt(e*Off_JE=37294E5i@nhE^GL+PmkL--d@^qN#Q1o&hZ+z7W*HIx?(=0
zyS_Yn<eX@5XsHwH7u+v+dtBjUu^^GcU1Ei@b6w*c7wjDK7{BiLGl9~HL+4yah1)ri
zWEsSC(9pCZHGL+}%zs!&A|4yl7++W-Jc1%rfa9IHo4r`|1T}b>ZYU8u;0>{0o32YB
z{&VVvsEFOSPnlCbQ5zs+yji6V$d^TENqr>Qe6jg#bD<$*?(z&p(kZq_CiwIlNK(B@
z{ai5+zd|T=;o{6=8tj~ZRs1xr_KG+X^2R&B+E^vit2V#Rdc0ogpwvvJmlJc|+9^uL
z{KwJ*0|(zyxQ5eRUUrkznw^+@!}I6LR+_Vo{aJPaEX&e}J8zRjVm!~4V+Pl`FtKM~
zhgyj7N|SEAWIw>rfs{NIN9n+Gs}%N`s&Lq4Q7{BS+OB?k4?<<k#YYSX&l7qcQaO(A
ze5u5E{QYvHD0#ccuqcJgR&~_4o<sTUO!N9WknmvSRZYk)r*_YW<JERcyaCQeX+E^X
zPx1L7Ue+k2a(l;sC{0Un8IuvP>YAYJB#GWI8QwhV*wCs~6+f(-rUnyQQHUF`ZOzTZ
zNMLoE2O95NWj?v_JXgG4l??dGQNN_Yg|ZVK{na!SgQy}HV{7bD9v*EN!DEw$+T2s5
z7?{yw)RLDs8}@4^t#Os+)0XZBtC*63`0UuHAqld9ajX02JM5hJ-GZ6d#vI_(nq4k-
z_-<u*;+SoPK`WDr8IP0QXjOt$Bscf7qtv&-4B3l^Hv`X{V+#|g2tH9#qZv(=uCJ~M
z#OtzXmv_dryIrNmLV_=MdO+k)Hq|>MO(@QAAcr@U2axn<$s_TvB?PaU>=cnisX-lR
zNKam=MlJ3{*eh>oNCuvKC=y6cdc@^P2;<j$@TF2BkVmkQ<037P=Le-qDuk{?%@YT_
zZfI)0d<egH4+U-pHcvmi9lh9tl$9EUsHRtE8aGy`))T`!_H0o9ECii!O2O90{Nqvm
znm^>8Jr=_l?NZASQ1F$7gkZFFq95!@K@7}1QaiZd^cryPcDh;4`0Oymngr0Dkd^V%
zW>hZ$OnNXy6RV2d3yu(T$**T~#+bLmO>tL;1-yuv-a{fe<)5a@q>)5!4H5(Kr)NdA
zig^R^Pu!}K77fHq&w!suh%)2m);5SSoq`9n!MNifPx4Iw$=+1eGp$cL?9oTNFWV_}
z(JDfQrVS*EZMlTR9yOuwoH05^*k+J;jv(6~ae$|>b>h+8*x@L?ch~wuz8EHq^mdob
zU#=uA;J=U9dv&Tu&)&>EW6WII%++-AU<E&Ol{ucB)#HRL2JAq)dfLIf8o=JE08G2(
zz_!>3dSk%ewuL<tE?6Db*8==B)-_%c&-;`YTz03(Q)t4#<W5|wiRk<8D!uVcv2P*w
zeNL^ks~ytkX1DGYsFr|xzGxM_!>0nzvkT0|b7n0DAx&~wxT%Li-q7+A{*dtEK`p*{
zi2p#MPyhbWB@*q2M{t1V1f`SbZw{mEu%5QOsOI^S&0uU5(tI4$c+j4Hu+M3yFs)9z
zGDyspSS;v5oc&rYgmYls(s-C{XKrRp+y6DGkkj)w3r+<`jdr1W6M2#6xtFtZd2khv
zja12#D_=_kC(m6Q_hEpy{S>lDeXvLHHHqly=t>ycAdd0AYCt&4W*>FSJMF_HLiLCa
zBSKCv86g}Oh0Dj={;B)q{6<bf4o4p;94D)#mw`T(^o^<{*O(u1W~n2=e%B@3Rc$IQ
zSFuMs)8k_~*%{Ru4Qmcxr}IOksI4AiU>f5HOEkFN!crrz!g3cqix+PbiRIqnB?pGk
zD+aVv>)ul=>qdVF1UtWte^md>a`uHvAYRq?p^^Oq%goqSU{Y=tWi8^tI`45^>*0?}
zyGK$F1MSZXoj(`|Gy?Yd)?N0r_9~SW6hscf-S1cu9~&r<n0LsuQgk6RAz~nfWxPEN
z-%~iGJ4OfXaK5eu+c~BbWbWS13BJ?f@p_y?kJ&(;)eob6iPI6*?b|%roms^Do+H7#
zMvqN4nhfJOvqtoslF0yb?rUTq&!9bB!z>uJ*rh;^?R^?`Y(HcTh0fr?bA;MH@fZ53
zy1~-S{13TJ-)XBwsr-1q5u4ojZH`mP6z4ef%qc3E10ja!Q~Ryy9M}0-(QQggj^g63
zj~)|uVQ%sP43?&`tvFF>{Taz2BZ(A$5jtx{$Tf1yD-rgbMGZbD_l?1pKHv3)$ATnT
zAbgzg%<pNM(u23UXzsgJLmV~@fkRy%;gL`W3qdyoRRsnEMM)r5jl$X<V+q%dh#;FO
zzr{N2%;ZnpMBN(!HLgS8K5;IgGQPpt5d6zLBT8Hp0wRv?zGo$XUM8!vh@dURejX)7
zh8N;EBbD?95tM1y*r!s04NRvl`=ivcjGv0%WIVh8eVQ+$UCBhY-7<A4YgIty7;UY2
z@%ie5@<Ty3l4yv8UCgT66)_vJ3GAY`B>wH@Gm&>eeOiQ<uTj1TH?a}KS7*h4GaQQI
zy2cDYE9;Y}>a_@lWS_WviLY~bRims9mJ`<)^bek=Cz=!;K0A&5`mB$$O*G+MM|gMe
z!0f=@^FSAsp}v7bA>oQP=2zrKJ>pB$aXg^$n~L|fK|kavK#`cdU-2G5??zQ9nM<%@
zCIsIYNB8ykM;*$gKsGF3UVDw)qCet*){{jHDfnb@tk1wKpfdMa<v7It+FMJlVE?O<
z*|PDNS9apbuB@RL9N?HBysd7eSKJ=p;C|BXk2PM;lzop;c9^3VEUKfJw6i}_b}ZVg
z?=~SNeaZ;8s{BH&cR%#0-_<$COBW$wad50fyZ?uMBri2dv@ax4+@VxA-e>zS3)IU!
z+vT;-E<uvA9OHvzD#&}MZdV>c(+s-ehW@0B`T2`Ma4iX}`W&Mch8vX~VGnp#SsBu&
zD{PXcn=$sz8Sr2Y&M+`0v)Pl_v{?$7rWf(N;elk9ko(m_fP{G!fk_;MtYvRM42C+3
zRCOlP_POMi!TMp_=X*c0g3*^;Z__Cqy$vZPZ@oOC-g0H&DVuZd_7Fw0HPY9j#6akF
zb#0(Hg>#BZiv_!d@>=b^Gr^g%Ulxu|ylnsbN~u8$XUh+Y2S3sR`zf?;TzBT^G?0$m
zP7hAUBzyyT?0u|oXWF^LRQyk_`p|7Wy}#+hii-(mfvsZSgPcoq5ECHvAza+|sNiV8
zZ#}pf0uviZXuc9K_@M-1ePcu3MlYv&5eLbRvhNxcR&TaubgY%=41UuSsq6B7q4D~~
ztE!>Zt!T5BzIu%sCj>cj+&$EpK&=K%HhZ+?xK`kKwLeO-C|dRJ`!Dt6PQMI*l;}0|
zY#W9JDH*h3m+>0TcWl4+MdV+&cCGh37#}h<L*OEL0J+X~S?eA*#}LHq*Dj+PJ<;RK
zh4olpqIp!>baGR};eN4q@C`81xR5ddvZ9q7?(MPt4dKZk?=OX(BnDVt%gzebu5nk_
ziUd-1^hstfM{~84+r?eenq7o0IlqQ#484wEbrJdaG^c|9&BLlDK5R5WxxgCcLD4>z
z-7gk4nV#2`1;`~H>Ueb@U-dy0V5>P(ADKj5)tTmi`Kp@1f`<>N*<ZCqp--Vb4F6un
z`v^bU9mB<_^u-xXKHBxWiGsK@3V>LDo}dHI7~<pBJQ6{r0smO+Z1DGoapgw|qmMI{
ztw3dULEhkeQOjkcCu>_<kwYmNo>-drxzwBKs{x22fFh_yFTI&yH^b|4U=emIV2m0>
z2>S);eCkQjlMV;}xY|bCSDZLHb_?2b3kOHR4u=bZsZA#KnoKkA?MICdA`lPuE=zcC
zGes9rv8P`GC8P{m+sd!EeNu0i9~xqbS}O#5>8`WsU<<&sj#fR7m2fzkDqo%<w<VUl
z6^?GA%g@kLNZ~25kz+bB=vc%NRZg=A-Q~X(q-m{0ZBTsCP*I52CtqYr-*?7XX|mAV
zvQpr4)3)9Cx~olcHBCz?_f5h*j*H74^-`@WNRQs)5E7^<SA%(TuB46<jPYGFPGQK(
z#u}*(X>Fd}*34UFTt*_bcKr`sq5E3H@VN`c96A0ZpLhaNKUw!q$$a6`^OItlfT4l+
z)&020W1^_n(w*1{n;$$fdFfqWE<7uxw7MM37k!eR@-+8pWpJ`DLfx0xs%}$*(PKTy
zDF_FS&bDk=0Qu{WFj|r=7f18hv+rJFe*MwX|CX<W_v$4X$ZKcwE4Hrt{B8S|dVz%Y
z=5@3J2B_m}N%U>>gOG(x+)L^ba&Dd_V~!Vr*T&+V;urS!h`Mdu+U{fWIl;_EQ67d_
z@4%}xQ>uu(&iSO>B3-t(OFVSMjrR5R$iq;3@GCz~oS6@imc+Mi7(-%*%Et#cA{G~(
zj$cTspINEq*H6!$KtOG4=7x<~5$Qs+dT$0yc2@g8VDz^v-m-h2Nmtu0*l_gnx(KTD
zCNNrX9PRmtDBoOe32D6XZ^M0^#y*27dP}zuk<R2pD#TK(Y-fHye*ff~l2&dkgf0rq
z16pN6etQ{+6YA@XP|MI?kLH;#2FReYACoGD;fL)!<hhe{kK9w=m%%iCjoFJUtfhXf
zz>DI(Uy}w_o5y}puQJjmyuN-w$dQ#aP0d3M@_IAXWx6+POOV0pDtr)j)Vx^%QEQG#
z(2xj6XT49=YVZLqsRSqfaaJ0P2_gkp!;GCHciPJRaOH7VG1<^f1gSZsEILo~t&x8}
zPZ|GZe<xjBWIvDfbgg>>Fn6VWyC!UODyApBW&_g^4nHcq!w;3B6;tFok)Ize-wx0f
zc*NI_IssQRPw6mjKtZfCF&46v70f(n2MlH*i_7yVNgyz|)vM1~m>{uS<laEl6PF7o
zV5XuLJr^Go$SF^A?qpo!d%4XVf!km@s7r^NKNvTObc~<tY41N7L^>FMQB_2ERrr+2
z?1^+Unc&lXqsX|e7-{6UvL6Tujj$Z!rM|WEH0FYBh8b|{hIV{uKuRPpZ2%#b`5_O<
z@JR+m4q-MjQ$S_dg%yVryz2}$#+?a4YO;}AFP=1bh=*?coZMqk^q~Ek_x*vNGjUC?
zXyzMEC)S(bg~U=l`b*5*%;#E_I?{wUUnc>h90-%Sp+<}*@jw|Er4J+0;bDRnEhMPk
z8_)K#qR^m^5j5~oh-b&A<d!v9%s(bFU5I%Jf`~PfMAo1mW#%JO=SA){PD0~L^g;-J
z`W2Qa7C#A*A3XV>-NKi6U5ZO|JzcH>v#75&_Bz5Aqm8lr18DRwLGAF#^Yp>qFO+o;
zmF*f%4jl8mwnn2A%-gKY?d>b+oL4WH1)lsUlVpuaXgd9YEh9=|TJA9<!tb^b^MFOQ
z6>H|wZi^0MOOw}mq(<Z{yXWf?xUvrI*+YGMm@hse<jl;I*6+kI=V{8wlV7r<T_3Bo
zq^Q4DTTtT2qu@iuz@TNEvSiiyz|Wf#1z0gB037Q2#FxDMa6-jUV0Rr_2eFvpdg#FH
z&HOVl!vsiQ@j*=ZPhP4KR0L62QaoWG7DF1NR?q2F<Us(2hD^GJ_wMdE2NlpFf_BE2
zJ+;BsRp*V@r46M#vJG#-zq}r}%;`!+G&R4(yfTrSFQebPmw>qv4@n`Kfjb`<Zmsk-
zG?imPp{^*KP9Px}x(OFZBlJVt4s0$X#0b1k3)hN?(4-221C3zBv@qfIrEH&;R^s=}
zlHb0tmf~^wQ8B*uehHvneP#>F4>qDzF7|vLD|afTuu^Ai#%(%!b)vI!)Dxt61P{Y&
zFGtYVx`+8(3`j|`4U1{nH5Z0|CI~#~khMb_r&$ilewj`*a(u;ekU7-VGt@H3NsH7i
z67b0%vJ|vZ&n%GA@8s4Nj=GI$x4)ViaM?iwhpMk4k&5NHW@;l*q|cNDWo9pec|_*i
zo~c3&y!a2}k!?91(DhOX<67lS3~Y@IiD1|}SYzJ3#zma-F5!TI{KE#@MjAL|PaawL
zy0+Mw=P!bgDgyQI3rU2x`0<tK)W}!cERa%xKROn_*XoQ>=JG7`*(_$yU0-OB+ghVf
zZCQ<nn0^8w{%Dur9Sbs*HID{FGBvgssqXM5>SC-$^k&%DgMR2tUx&vAYX$_fihh<G
zt&dd}C%$~atwiT^IXJ(D2*X{)5II$D6^*{_QC#jia4|q<6)|+im%`UbS{lrwLoeO)
zIim@grdUt@-0R1a^Kaol=+L~E6V?eOE{_6u<pGyA(qRA4Bwbgb;9ZAt`{k<@kYMS%
z8G5b9CP+}XED&ErGM$y9*}RN=wlUJ}R@Xwcp<d5xbD@7h-1djR#%XS$d^o94C?Jfr
zRj9=$NgeI15h`$~f1^0D))L`QPh3yQ>F`FMD3p>BJX9C-?j<?j4@U*nYkN|4xoCcD
zLrDId{b8?DC5e%fAcX^gU6=6wyJwOBa;DUz!f|+iB$ZC5#g{qW8<kWpG+=bv%8~ra
zNvIr8Nh4uSiR}DIxODd&D`?>D^`c8;a!j)qVMP&z!%)*nLC>47uTAJTg}>nyXjB%K
zV`grPe~&Hh)OzK5wPkX6szEfyb)2W`y3Ii|(U*}eLzqWI?#VB1+OM6)`076C5+(R~
z43g3H*){J&e{_cy&vAje<@#_8kaXmaU+!jKLr!OJtM_EDonzAb;?ezg0XRW^z~Y=o
zhD7E@kKki;<C$O@ZUPn_H$1=MviP8wS=k=*jVkC~Z@67#BHa05AAF6gg3fjf<hvN@
z1Bs$0hSWf<d>^$i6>P|Th8-2&PXH%<MVktNgWZPlMYlYof3<BECaq*XrGpmkBj(Vk
z)od-l>EyymC~9ImHV+S&^|{l5T8o1p&u+Qf?-TZA<`4F1zIr=!x)(`AJcCV<PdJ0E
za>_%CY~XQotY#V#1d5)g+>5-B$7hXh?h{wu#@wTQjunDv@X=4YO`=BjjUg*uZ$je2
z8Y{Oko)jj=O4X2(J}oev&wu`b>JwkB+SlTQQ>R24M!r_D37xhW=2J^(+JmO~V*_LS
z%amX&e-6yEhlH*yX_D#II@9XGkR|u-+-xD3*|eARXk#eU3K5?KbyD%^Q}r=Q8o#kv
z%x@b@zHagu6sRm`loelaH`)j>{Y*^6F^V}ip)}H)@We9av1BUW+{_&>-^G1G0XKpD
zE&I_H+kQG64+^W;7y5P9S(g;y7tBu?aGe`yV@fenYZT5oXmf0@_5{n?9t;9va^eSp
z#WWT!AC+{|ZFpG}&tgDhgiYj)EI!w0lT=VNFy(uh$l^WPisw88%%^@FB9yi0i;Sfc
zFT6ePD)uCifv9|ka9_-es~0;ay@Pv73w@R5>vi|qvYkPju-hQe8kP5?;{enI^o<M^
zpySM>Q6(HZ&j5-NxfGWre9Iw8oJsEXObiQp#X2;m=JQ+T)hNXta;iCVQWR+r8Nmb=
z-pusW3VCx}S>Au;frv>EGaEIEkRhDx-1cpILaH27Ls_hZD)j0@fT!4*<Ld0F*WIZj
z=ii7nGOEo;)>;5uC=3wwRv!N+Ms6X?wylz^p;|@oZ0)E{ye=wF8URLzZ4}@|$Yi{7
z=5eF9XAfk5$!OXJ$qrvsVV>~t>X_n=&QY4k<b?CgGSc!~BK`Hb-VWb78}iLI@>mKA
z@S-wdY%8DoMX9d)#At9cxcbVO#iX+QUM0m_;2o2+*@IlsOe^NWs^O6+YE$znVJY`!
z3BWm%Gxu7(X=Svs${sZ+-mZTI?!v&)nH1hl^sZjgBSze@4+zwnm5g6!Mz|{L^DBkP
ztC+xMNMz4+CiO4zJ&{6}=#xP(5*OnftWsDtDwjOe!O>CTV(jxl;cM>myM@W?l=4Nv
zf~ERKj{t6AnW;z*oWMWuEFr%8n3zHhjVeYMZYDf8loy)<u1B&J|JNZ*nw`-g1BdW2
z%d_4d@>H|uB?8#$2`SI`#}C4`wYKcXXgtt3+SE;+GowGS4(lx?Ug<e$PEu(x!6*`L
z&Rng+>8*OvkC~#_5a@odr!hZP;Q--LX^EnhhhabPpbypKHSm~wJ#X+`7Qq1?7P?g)
z-bSh9X7Scz{rjHqG<dXdjDf(9r%6DDHIcDVo)nOv76+t<GtpuLv>-;R?3{s03?UQ-
z`!$ANmZvri$hp`|Epvqm@Il{&^Je19A=Jt-#n|Sl0ZU|+C=#}ffqak)$x9yowXv5z
zlyKz~F_zqUGs`k8&kuE|vLXSu4I&eN5bBGF0H!x;+|1UWs4I5b8R@(t4(Ry!828+D
z32W-cmygI>W-)$qy}*>ctNdH^I{pX4VJI1_T9g(UB}4$j_Y$^!M8TG$f-9(&3tN`K
z5hNhTdyW9T-I-PwJfcKg1h6ZAcMqpK25|5<GGZQ7C%i;s87Q@WFsQ}E-dXt7P?KF9
zv+np72KWYWiytY)B#Mw|5zlde&3{v<QM0JQ`bNcAb0uyQ>PwCVfeP>SH|Ou~tpF~n
zS;F|_vsCL#1oh$%@yo$&>9K|9NOwm(!CR7_UFYZPBDNYF6)%sVCrdHD#4x_?+;poZ
z>O+-9DoX=~inI<YkSS7E4>t<+Eya?nl2#|-^&A&2_>_ZU9!*RGjuJ?*q(z2a14-KX
z11c;U;JB73UP|hQ`mzGS0UOGp^?E<xFkiP}j`>3+5V$BYIB1XqhRhBF25zx|<l6!~
zQZ8}O?a5x|jonQ;Uzw;eF+spZ3*{+BZR~a6b>K4ndN@fmJoa)hTsj5lDNHQYRXEHu
z=F3Ufu{qLTI}`MZPB|m^xw958zZ7N)An<aJNeuyepA@bDU$(%sbWeZ=?*tKU#$HNd
z3#~?@XAY`&4hky0v~X<HF_z)Ee73c7#09B_zs_*U{d+R=-5D~-gMfqQ3xesw$e$B8
z3H25C4NN5U`?a0Bdug2n_H;4hrI`W!>kD#Nws#eK@Rni-SHZp~wc-+6HDqF5PoZ$~
zbd@0j<qW}3vxsrEb}=qWo;w}5_BjfW^US;^TMbku=O&U4-ui~4<m!;*r8Kdf@PA+N
zK>#m@22R|1`Qy|00+&Xcb<d6#u34I59ADmkZr|ov-qL-_EU0J;tmqZK^8`fi$*lk5
zt%<&NrBrZ-Ot)2PBAv}>@A`L61|fHp2YpHG?wAV0^cK;?3nlvOaXg%Z8eqW=6P{%u
zPHP&ly)*4sDTH?ctpSzm-El4K-Qyw0R;q><+~zSwLs|PP6skf#B8yT<B%io5zwk{;
zah_E?Tp#vQlpwxpRzdTMfT0&47aa2cUQH*!_U=jlbi`r%zCu-lO-CKiAb^{w#nmAU
zL(ibjQuU8=WvAlaBu=KQ3U`I5r!Rwfx>WgnK*ev_#x0*zbzyYY9fDTl{h=_3@EZ(5
z_ji`2>_m~r+Lw^TsLMl)*XV<3P`gpf6bm6Epjyy-VU_JD90ex*Xv4m&H!Jx$(F}lH
zwecuw932}>wTx1zak5!<<QVpg$u^-W)xH+aiJ}3|7*x^^O-SW8$@P-?^LtdB)PCk0
zBHV3cB8AnpFNth{US`n_W$z&XU9fpJp33y~pE$}ht8JK*RMOrT>-_u$b_U#ZVFbq$
zV_?Ph8Ju(OPs>n>t3~C_tFZHgsIo#^f6xhx^;fezW7BY%(10~|?oDK!o)~)vVG`)C
zV8GGoyB~V^BjS+HPhof#I9O7E&}YMnS6=&x6)HM~0RFD0`{8rP-e7$n`Q+^LyjE0q
z$K1BqoGu!Gw-~7`Z&=QxY=8;mSG!SR>qG4`NX$3};{qI&Gqa%*vi88;fIto^A;dJZ
zxbxLsA-VJ6Ei&(cT!4Mu2Y0;9x&5<{#}WD!PrrY_OR&tlXM#G=IqxGMl9b<b<e{VR
z*^{3-UWd<z&oSMT%dv@Np<*ahC|_B7bADH<K)YJ5I(mb{vmSjzPgZA)Auqdk&ba}R
z<{Vr|o82o&M+M)-lF+A8%+M-YWEu{!oQyB@O$nC(5V6ypO+Z2F3TqvWcRM!Pw3r}f
zw`H7_ne=-?+=%pnEMlitnw5t<R8z)JuvX9SK{MDqB1LcSSCtz`PKzs7Z+^LtGHhv6
z$;>}hf0~tcIHKu(UD&DK;Hjovx$Nu7Z<pgKWYr|(;;mm-Yae8-)O<CNJW~18dGoob
zmteX106r+a$}~yu^ef4$+0F4My(0r2CL2S{h%`6XTgpmIAX1@SO#atrp+aNjE+5u!
z8a-358m&`5UnMXT%csUYiGx@o>qH#f?IhxU=%RyY`}vwMa^5whV5HerdvorQlFZON
zh2RPKpaTgNDDo?;ocSvhbORzG05j=q0xMECqH3m?bJ(<5vHDO!*DIYL)Y*&8<!C||
z2o8CAqibp&`FMEsTAr_+D*2E2Raz#*dixYHmMZGemR?spVS2!B-o2MhpBVOr6v@%p
z+@q?*R!;Ya#QDl@rAoZxR$kn<9||?S-4<4>L&cZ5PX|Uu8uXRqnGM8TNcmXW=!)YX
zqw%CFBHehq>~O4+ZJg{LRaLx0GKTx37GUoicHOrXuDU#DXMRdadH9m^NnQnG^}R&(
zY}E_<av$q?`UUnGBPVe!<RKVJ*~@P=&K0*1wYneuh5qQQ+i6!_F4JD$%ABlpv~4Z)
zmGG^nsHyWy5_DF>yUi+r1Q1fpm<Ch6+0&d&?w8X%?q^#aYp1EYPk9g8W?T0Xdo$o=
zS1zSf(`mr~WdJYB>1IGxQ)P#*E9ukcWv%X-rj*o@dgD<8agJ|Wx+(I<BSD<b3t3n?
zcc9^sn<HdM2@S?~HV6zW>DEcwUcAV-8p%)iwBRged-EdWXiu*TtIa!;J>JK;kh-cD
zFLqWWgPnl8gknBb3kPe`e3H9RvmZ;x^GQqHQ*Oc<<04A$h4~r1UIJzYQiBYprWwto
z&IE<-aNHX%;~&i@^gXj0lij60yD<%eB5HJ{Q*7+lSNZ+5HC2kbb)!P3e)p?Zax0|K
zEq2~mN=vG@%@*!luKGVSlZ)gCTD^)JRZOgwPgnv8%uwRqJkrLA$In{4Jtb2d%JzrY
zF1U6Jz3TfKaPTEi)CAIToTs^XHFDVIPB#ko4(&@iy$YH8<#!F^k+2=L<L@)M+2|J*
zK_o&BV~r?Msjd50i9^>^LwX~vJ?O<QEw1{19^_Q5<1OVO9=gp~8pc8Y6dp&pYu`sJ
zG=CtYv78pDMXc6K4Ht&e&M^!+%CfsgT6-O2o`;x1I3rDb+MQrG@D9~Aoe>akj$}n+
zO5SY&hSLZG1{<q{SlwAoUTvh(l@}coUTUQcpX3oG%?-D{P8r)rli^xiU$HybUB=~l
zH92s2t=^9-Mg-<PyC-~`ruN{9?ecj}_fgpE>Z)G7$Wtx3$ux=UqpITWwGk+uRfj@K
zN;I=U?dz3umFIY+Hr-H`%gJFK@ycb8E<zrrG+G)3rpqT*0-h(F2t0xkXgHo8vqUm<
z)}8(wF|JrMhL_dvs1TJONfEawZO%T~y*fH&Iqof4Y1K#x)OuV-g4@AomX@PHChXEb
zb|iYf>~J{pHOD>Sqi{kX&l{LHhyYKS8YvZ4lo$)H{u#dhaCZ?MNSY7^pV1FugbiPj
zV>qy2j6yk6#ad`e1=iMI$DS#;){$Sl+B{u2SoD;%Ewwe!Hb`yMx#4_O+!K}U33BN1
z4~F>rem(7=5|7jyR}bo!s47w}Wg%$hk<_xCB_EE>B9Jq2ljMi%#cB*Pr>JS8FXqTR
zc{wRKIw6InW2_h>ear#I%zQQ*FO~&bG3qQ#ceo~ey6VSHkbF68S~^cV*(@l#CIaEn
zZMsqhvQ+YUGYqZ3CaD>HlMEvC;Ty&<5>%wagMKLu&$x{83^9}<TC@>wNv)fhPU^c9
zXp$Yf2MVMF;%j$F%0~5|=@a*6l`|Xf&ggS&EFlG3FV*O*hW*;H&e*blS@ugaL{Eb*
ziUqSVxbyvs(OmDK?1P?97zaE4O2H7e*~Vvu@l3{Y^e879qHIaSyqRp#o|RH5PuUrp
zbn?wqDB(?DF_`hgTbDnV;w#+X9=z{qv)XbYi&1X-kh*?dW?pGM@6kPWn>~L$4X4qt
z1r#L+I9bLtkHYs7W%U(2ee&MNqpD*uu)0gIvU03%56D%0&=iaUuL9I3;&3eLP}qm`
zv7t+0JPXaW;AEl^;;7X{rKLC}_>QNX$jSb6(7=(=&e?5;x{1u>RofKU5|>vd7)nYk
z6)7M0zAP0-mxwA6X|m9{dLA@TI^J%pDwG}fNA3-AXZG&%H_y&i_G@W8OVeTO+u9d=
za^IG(vaoJ_c7eB#dV%fntlQ!t@e??art*Sqq1VrCuictghEip}Hk@cmJ}Reui0?`1
zG3(O(;QTCjbS1w-R}$@GOtLf`q4x8!+F;(P$1nQTEBnMNzvr#&59b`Lm0GPNyk%D6
zIo&!>HC_R8b7XtGk_>yPQ1c-{BCy)C9L_Wr-$l0eIOm+>lP)#?>kV_DP62JRF-V{A
zSi-$+hSaBrGfC?E!;;cITI7<hSQkCZ*}glR^`G(aX;J)IfAN6vsHIeMqf!n_YL++^
z&;}{M_C-5Ey;G<qTYi<ivA?~od_Oz{A_Jtmi!K{74fw%)n@P7VBjjkGA!V~L-_6RY
zVO(U+ycbOm`ERBbh~&!s>7|-%-D)~VwsPD@8sEq#H(Tb%9=_<(8ELXGsf<C_wE_Vz
zz4Gx`o*X}r%NI~@a-yt!G{Ef0w|8r%Q0|M?aR2Ds6ZB${hzLIwqZ#a{$rPJ$eN6Oy
zT(t;kWSbl7Xm)1oQRd~u-bG(LS{4{K`Blt`z-o9PijB?>e-20I`euEi4?W8SW84>J
z37`RGcI$y40{D2vZygjmj>!;9_IH5GZsQJh`-Q5ONeq*|-rDGYuni+{Zv>lJ|0{tp
z%MQ3de3BO#0$Cd)8%wnP>ZQt*#AK{I1P9Bi&6l|{5Z7g_6;2@Z`AV>1YoBFo+9)4^
z<>LX-eZ1#QUM=S&At{r9a3)^SuW)NW^DLB17ONTwk~prZ#XSAA;4TIfz?!-|?%tJR
zH#Vfqap;i%?KIp(AB9;@JF4~)uwy+%vKI7Q`KY~}5SN&4P?jgwEW|HT%rbN6&oR7;
zppZHVcyJMiNAFG2);~St9L!mkl1Qz*X)6l##Y4E_7}kaj!Njm$qZ`))uAe)a-jp4c
z71hQ_IMfvv77e9cVAv$z$kx=HRjf@`M!fZoGBb^*{rYZcF`tU!R==xNG;u$~(j)Z1
zGYE<!#F_I_A=jp_EUt;Ty1|FAyF<IVWzSa*buLk+0LE(dWQRJr3F$7f;vC(Oms!j=
zDI@+bC|`KXlEtv4mAv_~IKa}Zm7D-Ut*(IvSgbr4rVgwDKcf)p=>5*rwQ$qd933Rg
z%U{6H8omr?-6s0RO(Go5YF0*X6LPWIA6rUD92GR*Eb5iyzdup;(w(r9!ZDE$naS<4
z;mzc$SV9+t=ZzMn{Mq=Y8PDksA`V4sc9KF`3|QC=r{$jD_clgTd*520AbpOlnaV%e
z%YVib-rpF!>`?9@d7h29lB2yf09W;k(Q-EMW&zL@epPE8PQve^SkJ{`=i;<~-xP8r
z-&g_c2jDnMRifIbcOd07WJ0h$MTWWD@lMHOHBG<-u_5KfdVEBrea0sSxhsAsQrRqt
zfDp*<$_-R&9}T}$D9B8*;q(|XS{Ub{&&!PB_PMq_zwDkiEn+0`2={tmj{+N2fMI9Y
zKWpwnw?EUqI%~2s2ye<<N?0^fGXcyaID0Q7x`^q%^yQ7i=N=1ejxywJz`^L3*PGfp
zncuV;;9n=RM+7xnuCQ=UM>ZUyGbX*9gxxlV97iTQs83TlbXee-w8xK+fGtt$Zs(3z
zE3yoW*7Kn>O(AJ<6yx#UPd@zOzOCDBy++5Z&ejb6(|+s*b`?E~P~Q8`U*}CzflH<`
zS%mKxb^Urp*dgHcbk|Ad-!sAtseZB5Y&!lVWx2eKcv(mr``enMoca6_S``%>k{{IX
zox&h?z{4PEkI_eM`^6t6Lg3s2t8Z%*pl;Ggiw0@VLM6Z)vm-qQfEPJ(r%gGZ6LStA
zEphkZzpb^N%6)2j$+Bn6wkK=HK3DFVM#<L?bJ<nx?Hwir0VV3q)%w?Mcii4saFlju
z$xws&5(y^V=-rf_*FW98u=Z2jn$)?sI>ao>`qhYIfPkxzBA~1IQ9C{c!ubKOS?^>G
zR~)8UNs{EP;01n*7vM|rGffJv@jOe9mt3R)^CR?@_ciM`7<Aegr!5Dzn%hU&{Mbia
zt?`(BKYCqe#(YwLQ)pI+qQWsqx-})Q1w=)Ad=KrVDDV+ZNJLl~Fs}_=I1@dpN(XAo
zMehs2fEqu^OCK`CeNM0C(De_g>=ie@%+TPJ5N4m<QZii>U2>|RO+8I{Wios-Rj<NE
z_9K;F7(F#=`4N1~*0ToQ#KRDk=qKhON;-_pHKZ~5Y=vgV-=^mJzRJ-Tjw=u(hBO<n
zm}NZIQQa*AC}e@Yh!>}08r=!NA?b)CI46F*9Tm(VkX<)2)HhDiw*W%HCsd5j_7xM!
zLhak@(FQvBx<GW@km}NB%E~3r`_nc;s4MMk;=CKHCLgY|9c86$-Gw&RNIVP(#qJze
zsw7m_3PvcsBi+hRdgzw9vJUVXCUnQiokX&|{>02Z5sfE!%BAwhL>24+eMk}<3`@)6
zxF<2N3vbBA;oK-$$~R3S?=ft}i6DEpv{L41kV2FI@h@BQblQ8sHaBV7{lGDWuor9a
z&C4*#ny;{^-EhkYkJD&e3@_vQ)tU|3U{Shd0=AnSmEy35Cr-SC4y>_tc2Y*%tX0;8
zXO@He0w;p_ZnyT;9D6A`AEu#)=9FYMmSv=6g1Fw=XY>PVtNq{9R?%F|DlBD!S*6Ih
zzjNJttlG=z+CuH6+qb?B^+pKl+Q!s=wP&A5-O=&FO8)Fn40vf+WlrLHTSGLDTq8VX
zoOtk~CB74g#Hb_D%K_lJ!E-0qo*?w*TtDrjRo0a+m8uI3uWmuAJb1F-tH}kP(w*8e
zqVeuNJ}v{O_G3%&`y4&p-S@ZECrJXfssK_iR~o&h5QKxcT7b4?!juX*@%eNB_^i?_
z&09cVCJD6|%|5Eu=PJbH;M#^YSK<d8$5PVx!O0jmM}cb}F!v$i@a&?pxZy5xl}LZC
zM}HS`$<d<&^Ljl}Q7+L`yZ|e(lee-VQ1}sAz4$@gy`s&2MZ}$RK6fT+{G+q!!17c^
z`wKEhqjjHwq+FXT@54u?1^wC$eRHm78;=jK3iIwI*MH?yX2E-hJnya7NGnxsRy<AX
zCByn?6`O%kj1U$-jpA|!@Ql{p&)=k5rG6@z6l;uq*$nuwj;v7!&cy)6KqJs?+&LmY
zFD-$u3w!L0DIho<ecuGBYB$ui^zop6beh~XG-#{ibDlZF1V!22@5%K7&#cVL8Sd#i
zL^hv0P1jy#ozu8krGEeL;iMrbmA3dftc6Z-uAlMMNU?v)XpfhU{FJix8n3Zg19veE
z;8foK91_8T?*%T>n84}+*ldqu5)aCF_0ks(=>vtgWjl2)WPB_(A&RI8B%fx_lOl90
zr0cnht-srr*IK#N$fy_TVY{!S=FtUQu1Fu}F87TZw?B=<Q0x5i$k@Hiyjb<-b{6L&
z;8c9L`W9V$X(G0MB>mdF43WFGgiAMY0`D>|FXW_lkptvRIS9B>;z-e#ZH+P6&7|$l
z+wWLEL}dWh#bECS3ah8s+=?#|fP3o>^>6q8lnqLB0lZEO*be{l(Za--ueW_)v)7J*
zu!1BZ{!pI58vd+N(4Jj*O5NI!GS6%vDW6k&JdUw7gFX!QiH?kf;PDWt!(qtbN|Fex
z(g(a%EQ)XD+`SJHUEgqF$CDiqH$4LDTojNerQ(ed64NQ`g`mH7lN4TvZ!S*T1kr#8
zYpLj@fyJ=3^W$fVoLsAaW<xT^V8V}U7!py_8E0XQIDB8Plf_O4!T@_%q%B~-ehV=T
zTKzDOOlxP*13oPZpL*4zZ4JMsuJsg`UN=z7BQ~Cn&O2rm2jt8@_#?Z){?xE5(y+6R
z{7qBnUGNsOMWas-8ZHKpAHjphtCJ6wWT82d62?e!zm>THVcRo52pzJv2rWIzRM=tK
z27Vv+op!Tq9L}`fg&kmGA(qrc*6u(=baGj4c5CM39l(qJfvX6i7V~5S0ZV8$h-S4u
z=}z?iWi|*J26Y1hno<F*(3s<v!3Z?|uYX#rd+~TM=Q1F0qS*V1O{f?GQ0%vjRZh|R
zmJJ^~SC<$#L27s=j@!wPT1<Yy=u89s7~Y;5h?xRU#N&k#X^IV;$d9Vbtp+F<&ohs?
z7s0>sPj^oQGFR9b)k3<s=`KnIzdv+3%+cn--Ex16u|mV1Kfk?YpS$C1;{p6Z_yKSh
zKuq`P4j<L;0lf?$&M^F<uabM%g8iMtyaMzXi?_&J6-1%oSO33-Uw<7GLHyf6XLf)q
z(SS=l=2)+Rkm)rLbJr5h<B_6(gT>Kt2?hGtr3lb;cJ&k_wxZatvQUAD#subdyZ{dH
z@rhq8cG=w%!-!!rzsgB$X>@6;&jJC*R3KgSNb)xtDZ~k$2}RP)D1NKl@L}xtheAo`
zy}RZ97TgBH!9Tw}c+59)QeWK!{DJHqaB{$A3SCG5q4<j%t4I_@nwPCk--T}Lc4?u3
ztBHT4!M_d)tygOOcL9kw+_(X92}POe#8g;75{Xq%3YaaE9gfKAT0#qQ?jrDp1llW0
zY=w9~A$<#cd?_|}N4*K;J1~4z>}Wv81<Nc2HbAI+0LX*B|1VcVcqeDj=(xVd_un7-
z_Z;PKQVD!}{SAqQhyJVqH13WFoE*UEp9)6F{gwO#N794FWw-#|en))uPT$>WU47U5
z$PjP`Id{hYzaJE$Nw(wf0@CU3<P!s_A6F^Bzz!9Irf8_}5%`8X{1XKy-$Ck^(L~L^
z@X>>gB}Mb1q=1jTC~OgaQEjBweBO7Ei!uAev1+{anKjG5xh+HJe=1}Nqx0_%{U4+f
zP+w>QqN&7&9h&g)XT94@AvCi#LzewVI1+H3f8oN8w0g<U0Jrn}vhC(wy5cUK_h**)
z&w~OyxZeeYd|9Yo6u{~4`D4LA3R+B}?>;sfT-t__cwai;B+dT_BIkOU76-WiWva_k
z0UwKC@xlQ}1U%6m{@W<Ayt&tRJ_XBJKzSVj%l=zl8XRdB{HH=r#@GLwQVFPU9hvNm
z!DMw3G;jS6xtG6i0ic7EO}WtIME$OP%~2(A2Ml-l#s7X#;>jDo3rMs***rN7*!Eb%
zQWAj*ivna45{d|`>{On$I#@*m-aY$*neu2*-uxP(Qb3Ijd`uon3=81a2~|NY?EYpX
z4OqlEjkXHNOjXwb$_r@sUsuB^`KLl!J<<O+r4mqIy=ZEiQma`7!2JXPPzG$~qh%NN
ze@S}%i3`er@%c9av@uK3>30F?;)~wJ#L=m_V638q!v^w?6_V}#F!c4$Ar9+6{@>Me
z5n1WsIt|!+BY!Lw`Y~pEq%VM59<iEpFlR?HI69dEgYRYl<(<_7um;fXztUpKe<>t)
z-tQ0npQQ4aA3j;NLkr-BDgb4GKxtM1iOb(@$4_hZE64V40;qv1U^bxw@@Vj1*|xNe
zDM}-8UtE0_^EyY?<+=aJwkbRP9pEDz|JnBb`RzXdKEm-IQEpu-|L*{Azx$6UH}qB+
zY6<@Y_|CdJGx#@@!zKL<;7!sR{v(w8`9!Gg{X^CN_x1gz>h>l7DDP<-;9nHr4^{tl
zlmC)1@DE!+G4T&o|IFtK1;oF}`|Ipizo~kJ<9{UYzn%!i#1!@4CGCG&-(OsgWAL8|
z4Q~41x!kXt{FkPKUf{oQxrgijiqI%K{m$j=cmE?o^Ye+nTlN2aeZN`t&bogzZI0Qa
zf3xbpZt`D($S>{q)2c7eLAlT0Ok3;QsNbwQ$KZct+J4i=U-<rStnV*;@8g^NN09py
z7XHNdUpM(LS>jLa_!Hk>q%}aT;Hxy*Q)JX)-Rt-nEI$;0$&~+w@11pm&HDj#5so-I
zqDLCv<$z+FY2+oDUvXGl7|%D<sKqLzX7V<GnAwy7xl;7si!T1s$3F=C|Gqvb-Ty`4
z3D^IT#r}e=-wFKBoBWr-+>D>v@h5@*1+{-;vGfAJ5%@kn*Z+vc{-uw9P`UqoeZNt;
z|Dl%THxT(n<$m4dzvMH&wBt`I_Y-RW#%I0(b%cLWIl}e-h|m0{kH3uizp=hQjXE{<
zxfBcxBB8vLxaR*9XczhmP=F$uI|Ki}8_@sn8hAw~YiLw8Y_*S|Z<T4Xo=lcWCKz@2
z4`M4TK|J3=1OB{w3f|>IF;`JUNJGh`x+`n!QoSqdf|@P@pz`^S-2%>u(mQC47fsPn
z7dB8S2K%#S%^%n6svF3=+7QG5{=gG=px*4RSk4IWV|b9t+zJ5tw&ME|sGftCo7MUH
z0{m4^b=V@72CUrB#lH&8(L;%Q`c|PPLo&2#jl+4pGSn9+U;|9K(KD?#0G-ym+636f
z=uqd9%HN%ILqZjkx4t;PO6AmfK@S1%(HH8VRs`g60i{j}BQHkI;-$r)bXCj&DA$x6
z8^Ziq1L(ak;M~s*gk_l~ALP9ND*V#KeV2ndOR}h>C<37#C_J#_KQ;uE5dtjyxa#tw
z5cIFDBG9AS)|J8lHr8$Pvodn-<l(AdB#<xSw_!=3hN}w{D;$q^nCk}IwsOXxyL!4*
z_4$xaQz;nOAQ!s^9ft*e`edJ16>m(h9PTOz+p!2zkzM4HVS|^Ey5t851P(u}0fk$s
z9FmVPX#ZM^*dt&q7#|ER@P1pNIub0-OuRk!|9$cQx5pDo0shPts|D!iFNFi77lG8z
vJ4gC}L=YIx48h3r`ct5x3i(<3+bt|%-nJb#)_^Pw@K0V^S*k?hh5!Ep!}GSq

literal 0
HcmV?d00001

diff --git a/modules/inspection-vpc/firewall-rules.tf b/modules/inspection-vpc/firewall-rules.tf
new file mode 100644
index 0000000..d6429fe
--- /dev/null
+++ b/modules/inspection-vpc/firewall-rules.tf
@@ -0,0 +1,162 @@
+
+locals {
+  sca_scanning_rules = var.include_sca_rules == false ? "" : <<EOF
+# These rules are used in SCA scaning, and will vary wildly based on what language/package manager/package repositories are used by the application being scanned with SCA         
+pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"github.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240420065; rev:1;)
+pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"repo.maven.apache.org"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240420066; rev:1;)
+pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"registry.npmjs.org"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240420067; rev:1;)
+pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"lscr.io"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240420068; rev:1;)
+pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"index.docker.io"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240420069; rev:1;)
+pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"toolbox-data.anchore.io"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240420070; rev:1;)
+pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"registry.hub.docker.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240420071; rev:1;)
+pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"hub.docker.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240420072; rev:1;)
+pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"ghcr.io"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240420073; rev:1;)
+pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"proxy.golang.org"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240420074; rev:1;)
+pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"sum.golang.org"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240420075; rev:1;)
+pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"pkg-containers.githubusercontent.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240420076; rev:1;)
+
+EOF
+}
+
+data "template_file" "default_suricata_rules" {
+  count    = var.enable_firewall ? 1 : 0
+  template = <<EOF
+
+reject tls any any -> any any (msg:"TLS 1.0 or 1.1"; ssl_version:tls1.0,tls1.1; sid:2023070518;)
+drop ip $HOME_NET any -> $EXTERNAL_NET [1389,53,4444,445,135,139,389,3389] (msg:"Deny List High Risk Destination Ports"; sid:278670;)
+
+# Amazon Services - these must be allowed, or can be replaced by private VPC Endpoints (which have a charge https://aws.amazon.com/privatelink/pricing/)
+# Note that these are AWS Region Dependent
+# Reference https://docs.aws.amazon.com/eks/latest/userguide/private-clusters.html, https://eksctl.io/usage/eks-private-cluster/
+# These rules do not imply support for completely private clusters, but do help with private cluster deployments. 
+pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"ssm.${data.aws_region.current.name}.amazonaws.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:24190000; rev:1;)
+pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"ec2.${data.aws_region.current.name}.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:24190001; rev:1;)
+pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"eks.${data.aws_region.current.name}.amazonaws.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:24190002; rev:1;)
+pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"api.ecr.${data.aws_region.current.name}.amazonaws.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:24190003; rev:1;)
+pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"dkr.ecr.${data.aws_region.current.name}.amazonaws.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:24190004; rev:1;)
+pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"ssmmessages.${data.aws_region.current.name}.amazonaws.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:24190005; rev:1;)
+pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"ec2messages.${data.aws_region.current.name}.amazonaws.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:24190006; rev:1;)
+pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"sts.${data.aws_region.current.name}.amazonaws.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:24190007; rev:1;)
+pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"logs.${data.aws_region.current.name}.amazonaws.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:24190008; rev:1;)
+pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"route53.amazonaws.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:24190009; rev:1;)
+pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"cloudformation.${data.aws_region.current.name}.amazonaws.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:24190010; rev:1;)
+pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"elasticloadbalancing.${data.aws_region.current.name}.amazonaws.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:24190011; rev:1;)
+pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"autoscaling.${data.aws_region.current.name}.amazonaws.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:24190012; rev:1;)
+
+
+# Installation media for kube-system services pods like coredns, aws-node, ebs-csi-controller, ebs-csi-node, kube-proxy
+#  The *.dkr.ecr.*.amazonaws.com URLs are typically metadata repos that redirect to prod-$REGION-starport-layer-bucket.s3.$REGION.amazonaws.com to download packages
+# References:
+#   1. https://docs.aws.amazon.com/eks/latest/userguide/add-ons-images.html
+#   2. https://docs.aws.amazon.com/AmazonECR/latest/userguide/vpc-endpoints.html#ecr-setting-up-s3-gateway
+pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"877085696533.dkr.ecr.af-south-1.amazonaws.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240420000; rev:1;)
+pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"800184023465.dkr.ecr.ap-east-1.amazonaws.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240420001; rev:1;)
+pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"602401143452.dkr.ecr.ap-northeast-1.amazonaws.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240420002; rev:1;)
+pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"602401143452.dkr.ecr.ap-northeast-2.amazonaws.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240420003; rev:1;)
+pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"602401143452.dkr.ecr.ap-northeast-3.amazonaws.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240420004; rev:1;)
+pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"602401143452.dkr.ecr.ap-south-1.amazonaws.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240420005; rev:1;)
+pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"900889452093.dkr.ecr.ap-south-2.amazonaws.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240420006; rev:1;)
+pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"602401143452.dkr.ecr.ap-southeast-1.amazonaws.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240420007; rev:1;)
+pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"602401143452.dkr.ecr.ap-southeast-2.amazonaws.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240420008; rev:1;)
+pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"296578399912.dkr.ecr.ap-southeast-3.amazonaws.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240420009; rev:1;)
+pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"491585149902.dkr.ecr.ap-southeast-4.amazonaws.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240420010; rev:1;)
+pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"602401143452.dkr.ecr.ca-central-1.amazonaws.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240420011; rev:1;)
+pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"761377655185.dkr.ecr.ca-west-1.amazonaws.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240420012; rev:1;)
+pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"602401143452.dkr.ecr.eu-central-1.amazonaws.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240420013; rev:1;)
+pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"900612956339.dkr.ecr.eu-central-2.amazonaws.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240420014; rev:1;)
+pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"602401143452.dkr.ecr.eu-north-1.amazonaws.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240420015; rev:1;)
+pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"590381155156.dkr.ecr.eu-south-1.amazonaws.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240420016; rev:1;)
+pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"455263428931.dkr.ecr.eu-south-2.amazonaws.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240420017; rev:1;)
+pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"602401143452.dkr.ecr.eu-west-1.amazonaws.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240420018; rev:1;)
+pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"602401143452.dkr.ecr.eu-west-2.amazonaws.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240420019; rev:1;)
+pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"602401143452.dkr.ecr.eu-west-3.amazonaws.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240420020; rev:1;)
+pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"066635153087.dkr.ecr.il-central-1.amazonaws.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240420021; rev:1;)
+pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"558608220178.dkr.ecr.me-south-1.amazonaws.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240420022; rev:1;)
+pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"759879836304.dkr.ecr.me-central-1.amazonaws.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240420023; rev:1;)
+pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"602401143452.dkr.ecr.sa-east-1.amazonaws.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240420024; rev:1;)
+pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"602401143452.dkr.ecr.us-east-1.amazonaws.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240420025; rev:1;)
+pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"602401143452.dkr.ecr.us-east-2.amazonaws.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240420026; rev:1;)
+pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"151742754352.dkr.ecr.us-gov-east-1.amazonaws.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240420027; rev:1;)
+pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"01004608.dkr.ecr.us-gov-west-1.amazonaws.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240420028; rev:1;)
+pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"602401143452.dkr.ecr.us-west-1.amazonaws.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240420029; rev:1;)
+pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"602401143452.dkr.ecr.us-west-2.amazonaws.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240420030; rev:1;)
+pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"prod-${data.aws_region.current.name}-starport-layer-bucket.s3.${data.aws_region.current.name}.amazonaws.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240420031; rev:1;)
+
+
+# Amazon Linux 2 managed node group updates - region dependent
+pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"amazonlinux-2-repos-${data.aws_region.current.name}.s3.dualstack.${data.aws_region.current.name}.amazonaws.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240420032; rev:1;)
+pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"al2023-repos-${data.aws_region.current.name}-de612dc2.s3.dualstack.${data.aws_region.current.name}.amazonaws.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240420033; rev:1;)
+
+
+# AWS Load Balancer Controller - public.ecr.aws (metadata) redirects to cloudfront (download)
+pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"public.ecr.aws"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240420034; rev:1;)
+pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"d5l0dvt14r5h8.cloudfront.net"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240420035; rev:1;)
+
+# Cluster Autoscaler - k8s.gcr.io (metadata) redirects to storage.googleapis.com (download)
+pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"k8s.gcr.io"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240420036; rev:1;)
+pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"storage.googleapis.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240420037; rev:1;)
+
+# Kotsadm tools (minio, rqlite) come from docker.io and docker.com
+pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"registry-1.docker.io"; nocase; startswith; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240420038; rev:1;)
+pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"auth.docker.io"; nocase; startswith; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240420039; rev:1;)
+pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"production.cloudflare.docker.com"; nocase; startswith; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240420040; rev:1;)
+
+# Replicated APIs - used for license checking
+pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"replicated.app"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240420041; rev:1;)
+pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"proxy.replicated.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240420042; rev:1;)
+pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"proxy-auth.replicated.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240420043; rev:1;)
+
+# Used by cxone images, and kube-rbac-proxy in CxOne operator
+pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"gcr.io"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240419044; rev:1;)
+pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"checkmarx.jfrog.io"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240420044; rev:1;)
+
+# Liquibase schema files required for database migration execution
+pass http $HOME_NET any -> $EXTERNAL_NET 80 (http.host; content:"www.liquibase.org"; startswith; endswith; msg:"Match liquidbase.com allowed"; flow:to_server, established; sid:240420062; rev:1;)
+
+# Feature Flags via Split.io
+# Reference https://help.split.io/hc/en-us/articles/360006954331-How-do-I-allow-Split-to-work-in-my-environment
+pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"sdk.split.io"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240420045; rev:1;)
+pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"auth.split.io"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240420046; rev:1;)
+pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"telemetry.split.io"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240420047; rev:1;)
+pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"events.split.io"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240420048; rev:1;)
+pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"streaming.split.io"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240420049; rev:1;)
+pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"cdn.split.io"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240420050; rev:1;)
+# Fastly (a CDN), which is used for sdk.split.io https://api.fastly.com/public-ip-list. These are used sometimes w/o host name, so SNI cannot be used to filter.
+pass tls $HOME_NET any -> [23.235.32.0/20,43.249.72.0/22,103.244.50.0/24,103.245.222.0/23,103.245.224.0/24,104.156.80.0/20,140.248.64.0/18,140.248.128.0/17,146.75.0.0/17,151.101.0.0/16,157.52.64.0/18,167.82.0.0/17,167.82.128.0/20,167.82.160.0/20,167.82.224.0/20,172.111.64.0/18,185.31.16.0/22,199.27.72.0/21,199.232.0.0/16] 443 (msg:"Fastly CDN"; flow:to_server, established; sid:240420051; rev:1;)
+
+# Allow access to s3 buckets for Checkmarx One. Buckets are typically created with a prefix of the deployment id which allows for regex matching
+# Example bucket name and suffix: scan-results-bos-ap-southeast-1-lab-19205
+pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; pcre:"/^${var.deployment_id}.*?\.s3\.dualstack\.${data.aws_region.current.name}\.amazonaws\.com$/i" msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240420052; rev:1;)
+pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; pcre:"/^${var.deployment_id}.*?\.s3\.${data.aws_region.current.name}\.amazonaws\.com$/i" msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240420053; rev:1;)
+
+# Checkmarx One Scans will upload source to scan-results bucket with url path patterns like "https://s3.${data.aws_region.current.name}.amazonaws.com/scan-results-0aa15147e5f3/source-code/....." 
+pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"s3.dualstack.${data.aws_region.current.name}.amazonaws.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240420054; rev:1;)
+pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"s3.${data.aws_region.current.name}.amazonaws.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240420055; rev:1;)
+
+# These are the checkmarx services for SCA scanning, cloud IAM (for Authentication to SCA), and codebashing
+pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"iam.checkmarx.net"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240420056; rev:1;)
+pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"api-sca.checkmarx.net"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240420057; rev:1;)
+pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"eu.iam.checkmarx.net"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240420058; rev:1;)
+pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"eu.api-sca.checkmarx.net"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240420059; rev:1;)
+pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"uploads.sca.checkmarx.net"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240420060; rev:1;)
+# Scan results buckets are used for SCA scan result syncing, and vary by the connected SCA region (e.g. NA, or EU)
+pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"microservice-scanresults-prod-storage-1an26shc41yi3.s3.amazonaws.com"; startswith; nocase; endswith; msg:"SCA NA region result sync bucket"; flow:to_server, established; sid:240420061; rev:1;)
+
+# These URLs are randomly generated, and used to discover the correct s3 API signature version to use when communicating with S3 buckets.
+# They take two forms, where the long alphanumeric string is randomly generated. The buckets do not exist, but allow minio client
+# to attempt to connect to S3 to discover the s3 signature version to use in subsequent requests to the actual buckets
+#   1. probe-bucket-sign-vie4gezw1j6w.s3.dualstack.${data.aws_region.current.name}.amazonaws.com
+#   2. probe-bsign-jmcvig40f29rwikvncljjtvohv4i4h.s3.dualstack.${data.aws_region.current.name}.amazonaws.com
+pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; pcre:"/^probe-bucket-sign-[A-z0-9]{12}\.s3\.dualstack\.${data.aws_region.current.name}\.amazonaws\.com$/i"; flow: to_server; msg:"Minio client s3 signature version determination"; sid:240420063;)
+pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; pcre:"/^probe-bsign-[A-z0-9]{30}\.s3\.dualstack\.${data.aws_region.current.name}\.amazonaws\.com$/i"; flow: to_server; msg:"Minio client s3 signature version determination"; sid:240420064;)
+
+${local.sca_scanning_rules}
+
+${var.additional_suricata_rules}
+
+# Drop other traffic
+drop tls $HOME_NET any -> $EXTERNAL_NET any (msg:"not matching any TLS allowlisted FQDNs"; flow:to_server, established; sid:3; rev:1;)
+reject tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"blocked uknown tcp"; flow:to_server, established; sid:4; rev:1;)
+
+EOF
+}
diff --git a/modules/inspection-vpc/firewall.tf b/modules/inspection-vpc/firewall.tf
new file mode 100644
index 0000000..7284212
--- /dev/null
+++ b/modules/inspection-vpc/firewall.tf
@@ -0,0 +1,99 @@
+#******************************************************************************
+#   Network Firewall
+#******************************************************************************
+
+resource "aws_networkfirewall_firewall" "main" {
+  count               = var.enable_firewall ? 1 : 0
+  name                = "${var.deployment_id}-checkmarxone"
+  firewall_policy_arn = aws_networkfirewall_firewall_policy.main[0].arn
+  vpc_id              = aws_vpc.main.id
+  timeouts {
+    create = "40m"
+    update = "50m"
+    delete = "1h"
+  }
+  subnet_mapping {
+    subnet_id = aws_subnet.firewall[0].id
+  }
+}
+
+resource "aws_networkfirewall_rule_group" "cxone" {
+  count    = var.enable_firewall ? 1 : 0
+  capacity = 200
+  name     = "${var.deployment_id}-cxone"
+  type     = "STATEFUL"
+  rule_group {
+    rules_source {
+      rules_string = var.suricata_rules != null ? var.suricata_rules : data.template_file.default_suricata_rules[0].rendered
+    }
+    stateful_rule_options {
+      rule_order = "STRICT_ORDER"
+    }
+  }
+}
+
+resource "aws_networkfirewall_firewall_policy" "main" {
+  count = var.enable_firewall ? 1 : 0
+  name  = var.deployment_id
+  firewall_policy {
+    stateless_default_actions          = ["aws:forward_to_sfe"]
+    stateless_fragment_default_actions = ["aws:forward_to_sfe"]
+    stateful_default_actions           = [var.stateful_default_action]
+    stateful_engine_options {
+      rule_order = "STRICT_ORDER"
+    }
+    stateful_rule_group_reference {
+      priority     = 1
+      resource_arn = aws_networkfirewall_rule_group.cxone[0].arn
+    }
+
+    dynamic "stateful_rule_group_reference" {
+      for_each = { for idx, rg in var.managed_rule_groups : rg => idx if var.create_managed_rule_groups }
+      content {
+        priority     = stateful_rule_group_reference.value + 2
+        resource_arn = "arn:${data.aws_partition.current.id}:network-firewall:${data.aws_region.current.name}:aws-managed:stateful-rulegroup/${stateful_rule_group_reference.key}"
+      }
+    }
+
+    policy_variables {
+      rule_variables {
+        key = "HOME_NET"
+        ip_set { definition = [var.primary_cidr_block, var.secondary_cidr_block] }
+      }
+    }
+  }
+}
+
+resource "aws_cloudwatch_log_group" "aws_nfw_alert" {
+  count             = var.enable_firewall ? 1 : 0
+  name              = "${var.deployment_id}-aws-nfw-alert"
+  retention_in_days = 14
+}
+
+resource "aws_cloudwatch_log_group" "aws_nfw_flow" {
+  count             = var.enable_firewall ? 1 : 0
+  name              = "${var.deployment_id}-aws-nfw-flow"
+  retention_in_days = 14
+}
+
+
+resource "aws_networkfirewall_logging_configuration" "main" {
+  count        = var.enable_firewall ? 1 : 0
+  firewall_arn = aws_networkfirewall_firewall.main[0].arn
+  logging_configuration {
+    log_destination_config {
+      log_destination = {
+        logGroup = aws_cloudwatch_log_group.aws_nfw_alert[0].name
+      }
+      log_destination_type = "CloudWatchLogs"
+      log_type             = "ALERT"
+    }
+    log_destination_config {
+      log_destination = {
+        logGroup = aws_cloudwatch_log_group.aws_nfw_flow[0].name
+      }
+      log_destination_type = "CloudWatchLogs"
+      log_type             = "FLOW"
+    }
+  }
+}
diff --git a/modules/inspection-vpc/main.tf b/modules/inspection-vpc/main.tf
new file mode 100644
index 0000000..2ef0da7
--- /dev/null
+++ b/modules/inspection-vpc/main.tf
@@ -0,0 +1,211 @@
+data "aws_partition" "current" {}
+data "aws_region" "current" {}
+data "aws_availability_zones" "available" {
+  state = "available"
+}
+
+locals {
+  azs             = slice(data.aws_availability_zones.available.names, 0, 2)
+  vpc_cidr_blocks = [var.primary_cidr_block, var.secondary_cidr_block]
+
+  # Here we are calculating the CIDRs for the subnets from the given primary VPC CIDR block. 
+  # This VPC should not be used for production. It is optimized to reduce AWS costs at the expense of availability.
+  # It is intended for dev/test workloads only. 
+  # Cost optimizations: Single AZ NAT Gateway and AWS Network Firewall Endpoint for entire VPC
+  #                     Only two AZs for private and database subnets to reduce cross AZ data transfer
+  # Network Topology:
+  #   Public Subnet:    /27  (single AZ) - contains NLB, NAT Gateway
+  #   Firewall Subnet:  /28  (single AZ) - contains firewall endpoint
+  #   Private Subnets:  /21 /21 (two AZ) - for EKS deployment
+  #   Database Subnets: /22 /22 (two AZ) - for RDS, Elasticache, Opensearch deployment
+  # Note about cidrsubnets newbits arguments:
+  #   Subtracting the primary cidr size from the desired subnet size produces the 'newbits' value for the cidrsubnets 
+  #   function to consistently create subnets of the desired size, regardless of the user provided 
+  #   var.primary_cidr_block value. The primary_cidr_block must be at least a /19.
+  primary_cidr_size = split("/", var.primary_cidr_block)[1]
+  subnet_cidrs = cidrsubnets(var.primary_cidr_block,
+    (27 - local.primary_cidr_size), # Public Subnet
+    (28 - local.primary_cidr_size), # Firewall Subnet
+    (21 - local.primary_cidr_size), # Private Subnet 1
+    (21 - local.primary_cidr_size), # Private Subnet 2
+    (22 - local.primary_cidr_size), # Database Subnet 1
+  (22 - local.primary_cidr_size))   # Database Subnet 2
+  public_subnet_cidr    = slice(local.subnet_cidrs, 0, 1)[0]
+  firewall_subnet_cidr  = slice(local.subnet_cidrs, 1, 2)[0]
+  private_subnet_cidrs  = slice(local.subnet_cidrs, 2, 4)
+  database_subnet_cidrs = slice(local.subnet_cidrs, 4, 6)
+
+  # Calculate 2 /19s for the secondary cidr to use for pod custom networking. The secondary_cidr_block must be at least a /18.
+  secondary_cidr_size = split("/", var.secondary_cidr_block)[1]
+  pod_subnet_cidrs    = cidrsubnets(var.secondary_cidr_block, (19 - local.secondary_cidr_size), (19 - local.secondary_cidr_size))
+}
+
+#******************************************************************************
+#   VPC & Subnets
+#******************************************************************************
+resource "aws_vpc" "main" {
+  cidr_block           = var.primary_cidr_block
+  enable_dns_hostnames = true # Required for EKS
+  enable_dns_support   = true # Required for EKS
+
+  tags = { Name = "${var.deployment_id}" }
+}
+
+resource "aws_vpc_ipv4_cidr_block_association" "secondary_cidr_block" {
+  vpc_id     = aws_vpc.main.id
+  cidr_block = var.secondary_cidr_block
+}
+
+resource "aws_subnet" "public" {
+  vpc_id            = aws_vpc.main.id
+  cidr_block        = local.public_subnet_cidr
+  availability_zone = local.azs[0]
+  tags = {
+    Name                                         = "${var.deployment_id} - public subnet ${local.azs[0]}"
+    "kubernetes.io/cluster/${var.deployment_id}" = "shared"
+    "kubernetes.io/role/elb"                     = "1"
+    "karpenter.sh/discovery"                     = "${var.deployment_id}"
+  }
+}
+
+resource "aws_subnet" "firewall" {
+  count             = var.enable_firewall ? 1 : 0
+  vpc_id            = aws_vpc.main.id
+  cidr_block        = local.firewall_subnet_cidr
+  availability_zone = local.azs[0]
+  tags              = { Name = "${var.deployment_id} - firewall subnet ${local.azs[0]}" }
+}
+
+resource "aws_subnet" "private" {
+  for_each          = { for idx, az in local.azs : az => idx }
+  vpc_id            = aws_vpc.main.id
+  cidr_block        = local.private_subnet_cidrs[each.value]
+  availability_zone = each.key
+  tags = {
+    Name                                         = "${var.deployment_id} - private subnet ${each.key}"
+    "kubernetes.io/cluster/${var.deployment_id}" = "shared"
+    "kubernetes.io/role/internal-elb"            = "1"
+    "karpenter.sh/discovery"                     = "${var.deployment_id}"
+  }
+}
+
+resource "aws_subnet" "database" {
+  for_each          = { for idx, az in local.azs : az => idx }
+  vpc_id            = aws_vpc.main.id
+  cidr_block        = local.database_subnet_cidrs[each.value]
+  availability_zone = each.key
+  tags              = { Name = "${var.deployment_id} - database subnet ${each.key}" }
+}
+
+resource "aws_subnet" "pod" {
+  for_each          = { for idx, az in local.azs : az => idx if var.secondary_cidr_block != null }
+  vpc_id            = aws_vpc.main.id
+  cidr_block        = local.pod_subnet_cidrs[each.value]
+  availability_zone = each.key
+  tags = {
+    Name                                         = "${var.deployment_id} - pod subnet ${each.key}"
+    "kubernetes.io/cluster/${var.deployment_id}" = "shared"
+  }
+  depends_on = [aws_vpc_ipv4_cidr_block_association.secondary_cidr_block]
+}
+
+#******************************************************************************
+#   IGW & NAT Gateway
+#******************************************************************************
+
+resource "aws_internet_gateway" "igw" {
+  vpc_id = aws_vpc.main.id
+  tags = {
+    Name = "${var.deployment_id}"
+  }
+}
+
+resource "aws_eip" "nat" {
+  domain     = "vpc"
+  depends_on = [aws_internet_gateway.igw]
+}
+
+resource "aws_nat_gateway" "public" {
+  allocation_id = aws_eip.nat.id
+  subnet_id     = aws_subnet.public.id
+  tags          = { Name = "NAT Gateway - ${var.deployment_id}" }
+  depends_on    = [aws_internet_gateway.igw]
+}
+
+#******************************************************************************
+#   Route Tables
+#******************************************************************************
+
+# Public Subnet Routing
+resource "aws_route_table" "public" {
+  vpc_id = aws_vpc.main.id
+  tags   = { "Name" = "${var.deployment_id}-public" }
+
+  route {
+    cidr_block = "0.0.0.0/0"
+    gateway_id = aws_internet_gateway.igw.id
+  }
+
+  dynamic "route" {
+    for_each = { for idx, az in local.azs : az => idx if var.enable_firewall }
+    content {
+      cidr_block      = local.private_subnet_cidrs[route.value]
+      vpc_endpoint_id = [for ss in aws_networkfirewall_firewall.main[0].firewall_status[0].sync_states : ss.attachment[0].endpoint_id][0]
+    }
+  }
+
+  dynamic "route" {
+    for_each = { for idx, az in local.azs : az => idx if var.enable_firewall }
+    content {
+      cidr_block      = local.pod_subnet_cidrs[route.value]
+      vpc_endpoint_id = [for ss in aws_networkfirewall_firewall.main[0].firewall_status[0].sync_states : ss.attachment[0].endpoint_id][0]
+    }
+  }
+}
+
+resource "aws_route_table_association" "public" {
+  subnet_id      = aws_subnet.public.id
+  route_table_id = aws_route_table.public.id
+}
+
+
+# Firewall Subnet Routing
+resource "aws_route_table" "firewall" {
+  count  = var.enable_firewall ? 1 : 0
+  vpc_id = aws_vpc.main.id
+  tags   = { "Name" = "${var.deployment_id}-firewall" }
+
+  route {
+    cidr_block     = "0.0.0.0/0"
+    nat_gateway_id = aws_nat_gateway.public.id
+  }
+}
+
+resource "aws_route_table_association" "firewall" {
+  count          = var.enable_firewall ? 1 : 0
+  subnet_id      = aws_subnet.firewall[0].id
+  route_table_id = aws_route_table.firewall[0].id
+}
+
+# Private Subnets Routing
+resource "aws_route_table" "private" {
+  vpc_id = aws_vpc.main.id
+  tags   = { "Name" = "${var.deployment_id}-private" }
+  route {
+    cidr_block      = "0.0.0.0/0"
+    vpc_endpoint_id = var.enable_firewall ? [for ss in aws_networkfirewall_firewall.main[0].firewall_status[0].sync_states : ss.attachment[0].endpoint_id][0] : null
+    nat_gateway_id  = var.enable_firewall ? null : aws_nat_gateway.public.id
+  }
+}
+
+resource "aws_route_table_association" "private" {
+  for_each       = { for idx, az in local.azs : az => idx }
+  subnet_id      = aws_subnet.private[each.key].id
+  route_table_id = aws_route_table.private.id
+}
+
+resource "aws_route_table_association" "pod" {
+  for_each       = { for idx, az in local.azs : az => idx }
+  subnet_id      = aws_subnet.pod[each.key].id
+  route_table_id = aws_route_table.private.id
+}
diff --git a/modules/inspection-vpc/outputs.tf b/modules/inspection-vpc/outputs.tf
new file mode 100644
index 0000000..86d633f
--- /dev/null
+++ b/modules/inspection-vpc/outputs.tf
@@ -0,0 +1,42 @@
+output "vpc_id" {
+  description = "The id of the VPC"
+  value       = aws_vpc.main.id
+}
+
+output "vpc_cidr_blocks" {
+  description = "The VPC CIDR blocks of the VPC"
+  value       = local.vpc_cidr_blocks
+}
+
+output "public_subnets" {
+  description = "List of public subnet IDs in the VPC"
+  value       = [aws_subnet.public.id]
+}
+
+output "firewall_subnets" {
+  description = "List of firewall subnet IDs in the VPC"
+  value       = var.enable_firewall ? aws_subnet.firewall[0].id : null
+}
+
+output "private_subnets" {
+  description = "List of private subnet IDs in the VPC"
+  value       = [for s in aws_subnet.private : s.id]
+}
+
+output "pod_subnets" {
+  description = "List of pod subnet IDs in the VPC"
+  value       = [for s in aws_subnet.pod : s.id]
+}
+
+output "database_subnets" {
+  description = "List of database subnet IDs in the VPC"
+  value       = [for s in aws_subnet.database : s.id]
+}
+
+output "pod_subnet_info" {
+  description = "List of map of pod subnets including `subnet_id` and `availability_zone`. Useful for creating ENIConfigs for [EKS Custom Networking](https://docs.aws.amazon.com/eks/latest/userguide/cni-custom-network.html)."
+  value = [for s in aws_subnet.pod : {
+    subnet_id         = s.id
+    availability_zone = s.availability_zone
+  }]
+}
diff --git a/modules/inspection-vpc/variables.tf b/modules/inspection-vpc/variables.tf
new file mode 100644
index 0000000..a600977
--- /dev/null
+++ b/modules/inspection-vpc/variables.tf
@@ -0,0 +1,97 @@
+variable "deployment_id" {
+  description = "The deployment id for the VPC which is used to name resources"
+  type        = string
+  nullable    = false
+}
+
+variable "primary_cidr_block" {
+  description = "The primary VPC CIDR block for the VPC. Must be at least a /19."
+  type        = string
+  nullable    = false
+}
+
+variable "secondary_cidr_block" {
+  description = "The secondary VPC CIDR block for the EKS Pod [Custom Networking](https://aws.github.io/aws-eks-best-practices/networking/custom-networking/) configuration. Must be at least a /18."
+  type        = string
+  default     = "100.64.0.0/18"
+  nullable    = false
+}
+
+variable "interface_vpc_endpoints" {
+  type        = list(string)
+  description = "A list of AWS services to create [VPC Private Endpoints](https://docs.aws.amazon.com/vpc/latest/privatelink/privatelink-access-aws-services.html) for. These endpoints are used for communication direct to AWS services without requiring connectivity and are useful for private EKS clusters."
+  default     = ["ec2", "ec2messages", "ssm", "ssmmessages", "ecr.api", "ecr.dkr", "kms", "logs", "sts", "elasticloadbalancing", "autoscaling"]
+}
+
+variable "create_interface_endpoints" {
+  type        = bool
+  description = "Enables creation of the [interface endpoints](https://docs.aws.amazon.com/vpc/latest/privatelink/privatelink-access-aws-services.html) specified in `interface_vpc_endpoints`"
+  default     = true
+}
+
+variable "create_s3_endpoint" {
+  type        = bool
+  description = "Enables creation of the [s3 gateway VPC endpoint](https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-endpoints-s3.html)"
+  default     = true
+}
+
+variable "enable_firewall" {
+  description = "Enables the use of the [AWS Network Firewall](https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html) to protect the private and pod subnets"
+  type        = bool
+  default     = true
+}
+
+variable "stateful_default_action" {
+  description = "The [default action](https://docs.aws.amazon.com/network-firewall/latest/developerguide/suricata-rule-evaluation-order.html#suricata-strict-rule-evaluation-order) for the AWS Network Firewall stateful rule group. Choose `aws:drop_established` or `aws:alert_established`"
+  type        = string
+  default     = "aws:drop_established"
+}
+
+variable "suricata_rules" {
+  description = "The [suricata rules](https://docs.aws.amazon.com/network-firewall/latest/developerguide/suricata-examples.html) to use for the AWS Network Firewall. When provided, this variable completely overrides the embedded rules. Use this to bring your own rules. If you only need to provide some additional rules in addition to the bundled rules, then use `additional_suricata_rules` instead of `suricata_rules`."
+  type        = string
+  default     = null
+}
+
+variable "include_sca_rules" {
+  description = "Enables inclusion of AWS Network Firewall rules used in SCA scanning. These rules may be overly permissive when not using SCA, so they are optional. These rules allow connectivity to various public package manager repositories like [Maven Central](https://mvnrepository.com/repos/central) and [npm](https://docs.npmjs.com/)."
+  type        = bool
+  default     = true
+}
+
+variable "additional_suricata_rules" {
+  description = "Additional [suricata rules](https://docs.aws.amazon.com/network-firewall/latest/developerguide/suricata-examples.html) rules to use in the network firewall. When provided these rules will be appended to the default rules prior to the default drop rule."
+  type        = string
+  default     = ""
+}
+
+variable "create_managed_rule_groups" {
+  type        = bool
+  description = "Enables creation of the AWS Network Firewall [managed rule groups](https://docs.aws.amazon.com/network-firewall/latest/developerguide/aws-managed-rule-groups-list.html) provided in `managed_rule_groups`"
+  default     = true
+}
+
+variable "managed_rule_groups" {
+  description = "The AWS Network Firewall [managed rule groups](https://docs.aws.amazon.com/network-firewall/latest/developerguide/aws-managed-rule-groups-list.html) to include in the firewall policy. Must be strict order groups. "
+  type        = list(string)
+  # ThreatSignaturesFUPStrictOrder and ThreatSignaturesPhishingStrictOrder are not included by default, as you can only have 20 stateful rule groups per FW policy.
+  default = ["AbusedLegitMalwareDomainsStrictOrder",
+    "MalwareDomainsStrictOrder",
+    "AbusedLegitBotNetCommandAndControlDomainsStrictOrder",
+    "BotNetCommandAndControlDomainsStrictOrder",
+    "ThreatSignaturesBotnetStrictOrder",
+    "ThreatSignaturesBotnetWebStrictOrder",
+    "ThreatSignaturesBotnetWindowsStrictOrder",
+    "ThreatSignaturesIOCStrictOrder",
+    "ThreatSignaturesDoSStrictOrder",
+    "ThreatSignaturesEmergingEventsStrictOrder",
+    "ThreatSignaturesExploitsStrictOrder",
+    "ThreatSignaturesMalwareStrictOrder",
+    "ThreatSignaturesMalwareCoinminingStrictOrder",
+    "ThreatSignaturesMalwareMobileStrictOrder",
+    "ThreatSignaturesMalwareWebStrictOrder",
+    "ThreatSignaturesScannersStrictOrder",
+    "ThreatSignaturesSuspectStrictOrder",
+    "ThreatSignaturesWebAttacksStrictOrder"
+  ]
+}
diff --git a/modules/inspection-vpc/version.tf b/modules/inspection-vpc/version.tf
new file mode 100644
index 0000000..6e9b717
--- /dev/null
+++ b/modules/inspection-vpc/version.tf
@@ -0,0 +1,10 @@
+terraform {
+  required_version = ">= 1.6"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 5.46.0"
+    }
+  }
+}
\ No newline at end of file
diff --git a/modules/inspection-vpc/vpc-endpoints.tf b/modules/inspection-vpc/vpc-endpoints.tf
new file mode 100644
index 0000000..bec503f
--- /dev/null
+++ b/modules/inspection-vpc/vpc-endpoints.tf
@@ -0,0 +1,30 @@
+module "vpc_endpoint_security_group" {
+  create              = var.create_interface_endpoints
+  source              = "terraform-aws-modules/security-group/aws"
+  version             = "5.1.2"
+  name                = "${var.deployment_id}-vpc-endpoints"
+  description         = "VPC endpoint security group for Checkmarx One deployment named ${var.deployment_id}"
+  vpc_id              = aws_vpc.main.id
+  ingress_cidr_blocks = local.vpc_cidr_blocks
+  ingress_rules       = ["https-443-tcp"]
+}
+
+resource "aws_vpc_endpoint" "interface" {
+  for_each            = { for idx, endpoint in var.interface_vpc_endpoints : endpoint => idx if var.create_interface_endpoints }
+  vpc_id              = aws_vpc.main.id
+  subnet_ids          = [for s in aws_subnet.private : s.id]
+  service_name        = "com.amazonaws.${data.aws_region.current.name}.${each.key}"
+  vpc_endpoint_type   = "Interface"
+  security_group_ids  = [module.vpc_endpoint_security_group.security_group_id]
+  private_dns_enabled = true
+  tags                = { Name = "${var.deployment_id}-${each.key}-vpc-endpoint" }
+}
+
+resource "aws_vpc_endpoint" "s3_gateway_private" {
+  count             = var.create_s3_endpoint ? 1 : 0
+  vpc_endpoint_type = "Gateway"
+  service_name      = "com.amazonaws.${data.aws_region.current.name}.s3"
+  vpc_id            = aws_vpc.main.id
+  route_table_ids   = [aws_route_table.private.id, aws_route_table.public.id]
+  tags              = { Name = "${var.deployment_id}-s3-vpc-endpoint" }
+}

From 50d24341b0b32cda30a13211a9c731dffc821cfe Mon Sep 17 00:00:00 2001
From: benjaminstokes <stokesbo@gmail.com>
Date: Sun, 21 Apr 2024 01:25:25 -0400
Subject: [PATCH 07/57] doc fix, add azs output

---
 modules/inspection-vpc/README.md  | 2 +-
 modules/inspection-vpc/outputs.tf | 5 +++++
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/modules/inspection-vpc/README.md b/modules/inspection-vpc/README.md
index 613406f..ee20208 100644
--- a/modules/inspection-vpc/README.md
+++ b/modules/inspection-vpc/README.md
@@ -2,7 +2,7 @@
 
 This folder contains a [Terraform](https://www.terraform.io) module for deploying an [AWS Virtual Private Cloud (VPC)](https://docs.aws.amazon.com/vpc/latest/userguide/what-is-amazon-vpc.html). 
 
-The VPC is designed for use in development environments and is not intended to be used in production. The module is optimized to reduce costs for non-prod VPCs at the expense of high availability, while also providing use of [AWS Network Firewall](https://aws.amazon.com/network-firewall/) and [NAT Gateway](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html. 
+The VPC is designed for use in development environments and is not intended to be used in production. The module is optimized to reduce costs for non-prod VPCs at the expense of high availability, while also providing use of [AWS Network Firewall](https://aws.amazon.com/network-firewall/) and [NAT Gateway](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html). 
 
 The VPC creates "Pod Subnets" in a secondary VPC CIDR attachment as a solution for ipv4 conservation as suggested in the AWS Blog Post [*Addressing IPv4 address exhaustion in Amazon EKS clusters using private NAT gateways*.](https://aws.amazon.com/blogs/containers/addressing-ipv4-address-exhaustion-in-amazon-eks-clusters-using-private-nat-gateways/)
 
diff --git a/modules/inspection-vpc/outputs.tf b/modules/inspection-vpc/outputs.tf
index 86d633f..3589fd6 100644
--- a/modules/inspection-vpc/outputs.tf
+++ b/modules/inspection-vpc/outputs.tf
@@ -40,3 +40,8 @@ output "pod_subnet_info" {
     availability_zone = s.availability_zone
   }]
 }
+
+output "azs" {
+  description = "The Availability Zones deployed into"
+  value       = local.azs
+}

From 25d9c5968903bb2720f87b023d28bd60450519bc Mon Sep 17 00:00:00 2001
From: benjaminstokes <stokesbo@gmail.com>
Date: Tue, 23 Apr 2024 00:10:51 -0400
Subject: [PATCH 08/57] CxOne 3.10.22

---
 README.md                                     |  12 +-
 eks.tf                                        | 119 ++-
 examples/full/README.md                       |  73 +-
 examples/full/examples.auto.tfvars            | 126 ++-
 examples/full/main.tf                         | 112 +--
 .../full/{network.tf => network.tfignore}     |   2 +-
 examples/full/variables-cxone.tf              |  12 +
 examples/full/variables-example.tf            |  66 +-
 examples/full/variables-vpc.tf                |  92 ++
 .../apply-storageclass-config.sh.tftpl        |  20 +
 .../karpenter.reference.yaml.tftpl            | 165 ++++
 .../kots.config.aws.reference.yaml.tftpl      |  14 +-
 modules/cxone-install/main.tf                 |  31 +-
 modules/cxone-install/makefile.tftpl          |  63 +-
 modules/cxone-install/variables.tf            |  31 +
 modules/inspection-vpc/firewall-rules.tf      |   7 +-
 modules/inspection-vpc/firewall.tf            |   7 +-
 modules/inspection-vpc/main.tf                |  13 +
 modules/inspection-vpc/outputs.tf             |  14 +
 results.json                                  | 888 ------------------
 variables.tf                                  |  18 +
 21 files changed, 827 insertions(+), 1058 deletions(-)
 rename examples/full/{network.tf => network.tfignore} (97%)
 create mode 100644 examples/full/variables-vpc.tf
 create mode 100644 modules/cxone-install/apply-storageclass-config.sh.tftpl
 create mode 100644 modules/cxone-install/karpenter.reference.yaml.tftpl
 delete mode 100755 results.json

diff --git a/README.md b/README.md
index 222f33f..41d5af5 100644
--- a/README.md
+++ b/README.md
@@ -4,6 +4,9 @@ This repo contains a module for deploying [Checkmarx One](https://checkmarx.com/
 
 
 # Module documentation
+## Requirements
+
+No requirements.
 
 ## Providers
 
@@ -43,6 +46,7 @@ This repo contains a module for deploying [Checkmarx One](https://checkmarx.com/
 | [aws_iam_policy.s3_bucket_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [random_string.random_suffix](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) | resource |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_iam_role.karpenter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_role) | data source |
 | [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |
 | [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
 | [aws_vpc.main](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) | data source |
@@ -101,8 +105,11 @@ This repo contains a module for deploying [Checkmarx One](https://checkmarx.com/
 | <a name="input_eks_create_external_dns_irsa"></a> [eks\_create\_external\_dns\_irsa](#input\_eks\_create\_external\_dns\_irsa) | Enables creation of external dns IAM role. | `bool` | `true` | no |
 | <a name="input_eks_create_karpenter"></a> [eks\_create\_karpenter](#input\_eks\_create\_karpenter) | Enables creation of Karpenter resources. | `bool` | `false` | no |
 | <a name="input_eks_create_load_balancer_controller_irsa"></a> [eks\_create\_load\_balancer\_controller\_irsa](#input\_eks\_create\_load\_balancer\_controller\_irsa) | Enables creation of load balancer controller IAM role. | `bool` | `true` | no |
+| <a name="input_eks_enable_externalsnat"></a> [eks\_enable\_externalsnat](#input\_eks\_enable\_externalsnat) | Enables [External SNAT](https://docs.aws.amazon.com/eks/latest/userguide/external-snat.html) for the EKS VPC CNI. When true, the EKS pods must have a route to a NAT Gateway for outbound communication. | `bool` | `false` | no |
+| <a name="input_eks_enable_fargate"></a> [eks\_enable\_fargate](#input\_eks\_enable\_fargate) | Enables Fargate profiles for the karpenter and kube-system namespaces. | `bool` | `false` | no |
 | <a name="input_eks_node_additional_security_group_ids"></a> [eks\_node\_additional\_security\_group\_ids](#input\_eks\_node\_additional\_security\_group\_ids) | Additional security group ids to attach to EKS nodes. | `list(string)` | `[]` | no |
 | <a name="input_eks_node_groups"></a> [eks\_node\_groups](#input\_eks\_node\_groups) | n/a | <pre>list(object({<br>    name            = string<br>    min_size        = string<br>    desired_size    = string<br>    max_size        = string<br>    volume_type     = optional(string, "gp3")<br>    disk_size       = optional(number, 200)<br>    disk_iops       = optional(number, 3000)<br>    disk_throughput = optional(number, 125)<br>    device_name     = optional(string, "/dev/xvda")<br>    instance_types  = list(string)<br>    capacity_type   = optional(string, "ON_DEMAND")<br>    labels          = optional(map(string), {})<br>    taints          = optional(map(object({ key = string, value = string, effect = string })), {})<br>  }))</pre> | <pre>[<br>  {<br>    "desired_size": 3,<br>    "instance_types": [<br>      "c5.4xlarge"<br>    ],<br>    "max_size": 9,<br>    "min_size": 3,<br>    "name": "ast-app"<br>  },<br>  {<br>    "desired_size": 0,<br>    "instance_types": [<br>      "m5.2xlarge"<br>    ],<br>    "labels": {<br>      "sast-engine": "true"<br>    },<br>    "max_size": 100,<br>    "min_size": 0,<br>    "name": "sast-engine",<br>    "taints": {<br>      "dedicated": {<br>        "effect": "NO_SCHEDULE",<br>        "key": "sast-engine",<br>        "value": "true"<br>      }<br>    }<br>  },<br>  {<br>    "desired_size": 0,<br>    "instance_types": [<br>      "m5.4xlarge"<br>    ],<br>    "labels": {<br>      "sast-engine-large": "true"<br>    },<br>    "max_size": 100,<br>    "min_size": 0,<br>    "name": "sast-engine-large",<br>    "taints": {<br>      "dedicated": {<br>        "effect": "NO_SCHEDULE",<br>        "key": "sast-engine-large",<br>        "value": "true"<br>      }<br>    }<br>  },<br>  {<br>    "desired_size": 0,<br>    "instance_types": [<br>      "r5.2xlarge"<br>    ],<br>    "labels": {<br>      "sast-engine-extra-large": "true"<br>    },<br>    "max_size": 100,<br>    "min_size": 0,<br>    "name": "sast-engine-extra-large",<br>    "taints": {<br>      "dedicated": {<br>        "effect": "NO_SCHEDULE",<br>        "key": "sast-engine-extra-large",<br>        "value": "true"<br>      }<br>    }<br>  },<br>  {<br>    "desired_size": 0,<br>    "instance_types": [<br>      "r5.4xlarge"<br>    ],<br>    "labels": {<br>      "sast-engine-xxl": "true"<br>    },<br>    "max_size": 100,<br>    "min_size": 0,<br>    "name": "sast-engine-xxl",<br>    "taints": {<br>      "dedicated": {<br>        "effect": "NO_SCHEDULE",<br>        "key": "sast-engine-xxl",<br>        "value": "true"<br>      }<br>    }<br>  },<br>  {<br>    "desired_size": 1,<br>    "instance_types": [<br>      "c5.2xlarge"<br>    ],<br>    "labels": {<br>      "kics-engine": "true"<br>    },<br>    "max_size": 100,<br>    "min_size": 1,<br>    "name": "kics-engine",<br>    "taints": {<br>      "dedicated": {<br>        "effect": "NO_SCHEDULE",<br>        "key": "kics-engine",<br>        "value": "true"<br>      }<br>    }<br>  },<br>  {<br>    "desired_size": 1,<br>    "instance_types": [<br>      "c5.2xlarge"<br>    ],<br>    "labels": {<br>      "repostore": "true"<br>    },<br>    "max_size": 100,<br>    "min_size": 1,<br>    "name": "repostore",<br>    "taints": {<br>      "dedicated": {<br>        "effect": "NO_SCHEDULE",<br>        "key": "repostore",<br>        "value": "true"<br>      }<br>    }<br>  },<br>  {<br>    "desired_size": 1,<br>    "instance_types": [<br>      "m5.2xlarge"<br>    ],<br>    "labels": {<br>      "service": "sca-source-resolver"<br>    },<br>    "max_size": 100,<br>    "min_size": 1,<br>    "name": "sca-source-resolver",<br>    "taints": {<br>      "dedicated": {<br>        "effect": "NO_SCHEDULE",<br>        "key": "service",<br>        "value": "sca-source-resolver"<br>      }<br>    }<br>  }<br>]</pre> | no |
+| <a name="input_eks_pod_subnets"></a> [eks\_pod\_subnets](#input\_eks\_pod\_subnets) | The subnets to use for EKS pods. When specified, custom networking configuration is applied to the EKS cluster. | `list(string)` | n/a | yes |
 | <a name="input_eks_private_endpoint_enabled"></a> [eks\_private\_endpoint\_enabled](#input\_eks\_private\_endpoint\_enabled) | Enables the EKS VPC private endpoint. | `bool` | `true` | no |
 | <a name="input_eks_public_endpoint_enabled"></a> [eks\_public\_endpoint\_enabled](#input\_eks\_public\_endpoint\_enabled) | Enables the EKS public endpoint. | `bool` | `false` | no |
 | <a name="input_eks_subnets"></a> [eks\_subnets](#input\_eks\_subnets) | The subnets to deploy EKS into. | `list(string)` | n/a | yes |
@@ -130,6 +137,7 @@ This repo contains a module for deploying [Checkmarx One](https://checkmarx.com/
 |------|-------------|
 | <a name="output_bucket_suffix"></a> [bucket\_suffix](#output\_bucket\_suffix) | n/a |
 | <a name="output_cluster_autoscaler_iam_role_arn"></a> [cluster\_autoscaler\_iam\_role\_arn](#output\_cluster\_autoscaler\_iam\_role\_arn) | n/a |
+| <a name="output_cluster_endpoint"></a> [cluster\_endpoint](#output\_cluster\_endpoint) | n/a |
 | <a name="output_db_database_name"></a> [db\_database\_name](#output\_db\_database\_name) | n/a |
 | <a name="output_db_endpoint"></a> [db\_endpoint](#output\_db\_endpoint) | n/a |
 | <a name="output_db_master_password"></a> [db\_master\_password](#output\_db\_master\_password) | n/a |
@@ -145,13 +153,13 @@ This repo contains a module for deploying [Checkmarx One](https://checkmarx.com/
 | <a name="output_external_dns_iam_role_arn"></a> [external\_dns\_iam\_role\_arn](#output\_external\_dns\_iam\_role\_arn) | n/a |
 | <a name="output_karpenter_iam_role_arn"></a> [karpenter\_iam\_role\_arn](#output\_karpenter\_iam\_role\_arn) | n/a |
 | <a name="output_load_balancer_controller_iam_role_arn"></a> [load\_balancer\_controller\_iam\_role\_arn](#output\_load\_balancer\_controller\_iam\_role\_arn) | n/a |
+| <a name="output_nodegroup_iam_role_name"></a> [nodegroup\_iam\_role\_name](#output\_nodegroup\_iam\_role\_name) | n/a |
 | <a name="output_s3_bucket_name_suffix"></a> [s3\_bucket\_name\_suffix](#output\_s3\_bucket\_name\_suffix) | n/a |
 
-
 # Regional Considerations
 
 ## GovCloud
 
 * RDS Proxy is not available in AWS Gov Cloud regions, so `create_rds_proxy` must be set `false`. Monitor database for connection usage and scale accordingly.
 * RDS's `ManageMasterUserPassword` capability is not supported. Specify a password via `db_master_user_password`
-* Elasticache's `cache.r7g` instance class is not available. Consider using `cache.r6g`.
+* Elasticache's `cache.r7g` and `cache.tg4` instance class is not available. Consider using `cache.r6g` and `cache.t3`
diff --git a/eks.tf b/eks.tf
index 27a0eff..7124de3 100644
--- a/eks.tf
+++ b/eks.tf
@@ -1,4 +1,63 @@
 locals {
+  fargate_profiles = {
+    karpenter = {
+      selectors = [
+        { namespace = "karpenter" }
+      ]
+    }
+    kube-system = {
+      selectors = [
+        { namespace = "kube-system" }
+      ]
+    }
+  }
+  core_dns_fargate_configuration_values = jsonencode({
+    computeType = "Fargate"
+    # Ensure that we fully utilize the minimum amount of resources that are supplied by
+    # Fargate https://docs.aws.amazon.com/eks/latest/userguide/fargate-pod-configuration.html
+    # Fargate adds 256 MB to each pod's memory reservation for the required Kubernetes
+    # components (kubelet, kube-proxy, and containerd). Fargate rounds up to the following
+    # compute configuration that most closely matches the sum of vCPU and memory requests in
+    # order to ensure pods always have the resources that they need to run.
+    resources = {
+      limits = {
+        cpu = "0.25"
+        # We are targeting the smallest Task size of 512Mb, so we subtract 256Mb from the
+        # request/limit to ensure we can fit within that task
+        memory = "256M"
+      }
+      requests = {
+        cpu = "0.25"
+        # We are targeting the smallest Task size of 512Mb, so we subtract 256Mb from the
+        # request/limit to ensure we can fit within that task
+        memory = "256M"
+      }
+    }
+  })
+
+  # The EBS CSI Add On Controller pods can run on Fargate, but we must add a toleration to eks.amazonaws.com/compute-type=fargate
+  # in addition to the existing tolerations. Documentation for EBS CSI Driver configuration schema can be obtained from AWS CLI
+  # example: aws eks describe-addon-configuration --addon-name aws-ebs-csi-driver --addon-version v1.28.0-eksbuild.1 --query configurationSchema --output text
+  ebs_csi_fargate_configuration_values = jsonencode({
+    controller = {
+      batching = false
+      tolerations = [
+        {
+          key      = "CriticalAddonsOnly"
+          operator = "Exists"
+        },
+        {
+          effect            = "NoExecute"
+          operator          = "Exists"
+          tolerationSeconds = 300
+        },
+        {
+          key      = "eks.amazonaws.com/compute-type"
+          operator = "Equal"
+          value    = "fargate"
+          effect   = "NoSchedule"
+  }] } })
+
   eks_nodegroups = { for node_group in var.eks_node_groups : node_group.name => {
     name                 = "${var.deployment_id}-${node_group.name}"
     launch_template_name = "${var.deployment_id}-${node_group.name}"
@@ -104,6 +163,7 @@ module "eks" {
   create_node_security_group = true
   #node_security_group_id     = module.eks_nodes_security_group.security_group_id
 
+
   node_security_group_additional_rules = {
     ingress_self_http80 = {
       description = "Node to node ingress http/80"
@@ -144,27 +204,35 @@ module "eks" {
   enable_cluster_creator_admin_permissions = var.enable_cluster_creator_admin_permissions
   access_entries                           = local.admin_access_entries
 
+  tags = {
+    # NOTE - if creating multiple security groups with this module, only tag the
+    # security group that Karpenter should utilize with the following tag
+    # (i.e. - at most, only one security group should have this tag in your account)
+    "karpenter.sh/discovery" = var.deployment_id
+  }
 
   cluster_addons = {
     coredns = {
-      addon_version = var.coredns_version
+      addon_version        = var.coredns_version
+      configuration_values = var.eks_enable_fargate ? local.core_dns_fargate_configuration_values : null
     }
     kube-proxy = {
       addon_version = var.kube_proxy_version
     }
     vpc-cni = {
-      addon_version = var.vpc_cni_version
-      # Todo: add configuration for secondary cidr here to vpc plugin
-      #   before_compute = var.pod_custom_networking_subnets != null ? true : false
-      #   configuration_values = jsonencode({
-      #     env = {
-      #       AWS_VPC_K8S_CNI_CUSTOM_NETWORK_CFG = var.pod_custom_networking_subnets != null ? "true" : "false"
-      #       ENI_CONFIG_LABEL_DEF               = var.pod_custom_networking_subnets != null ? "topology.kubernetes.io/zone" : ""
-      #   } })
-
+      addon_version  = var.vpc_cni_version
+      before_compute = var.eks_pod_subnets != null ? true : false
+      configuration_values = jsonencode({
+        env = {
+          #AWS_VPC_K8S_CNI_CUSTOM_NETWORK_CFG = var.eks_pod_subnets != null ? "true" : "false"
+          #ENI_CONFIG_LABEL_DEF               = var.eks_pod_subnets != null ? "topology.kubernetes.io/zone" : ""
+          AWS_VPC_K8S_CNI_EXTERNALSNAT = var.eks_enable_externalsnat ? "true" : "false"
+        }
+      })
     }
     aws-ebs-csi-driver = {
-      addon_version = var.aws_ebs_csi_driver_version
+      addon_version        = var.aws_ebs_csi_driver_version
+      configuration_values = var.eks_enable_fargate ? local.ebs_csi_fargate_configuration_values : null
     }
   }
   create_kms_key = false
@@ -193,6 +261,11 @@ module "eks" {
   }
 
   eks_managed_node_groups = local.eks_nodegroups
+
+  fargate_profile_defaults = {
+    subnet_ids = var.eks_pod_subnets != null ? var.eks_pod_subnets : null
+  }
+  fargate_profiles = var.eks_enable_fargate ? local.fargate_profiles : {}
 }
 
 resource "aws_autoscaling_group_tag" "cluster_autoscaler_label" {
@@ -272,6 +345,10 @@ module "load_balancer_controller_irsa" {
   }
 }
 
+data "aws_iam_role" "karpenter" {
+  name       = "${var.deployment_id}-eks-nodes"
+  depends_on = [module.eks]
+}
 
 module "karpenter" {
   source  = "terraform-aws-modules/eks/aws//modules/karpenter"
@@ -286,11 +363,11 @@ module "karpenter" {
   iam_role_name                   = "KarpenterController-${var.deployment_id}"
   iam_role_description            = "IAM role for karpenter controller created by karpenter module"
   create_node_iam_role            = false
-  #node_iam_role_arn               = module.eks.eks_managed_node_groups.nodegroup_iam_role_arn
-  create_access_entry      = false
-  iam_policy_name          = "KarpenterPolicy-${var.deployment_id}"
-  iam_policy_description   = "Karpenter controller IAM policy created by karpenter module"
-  iam_role_use_name_prefix = false
+  node_iam_role_arn               = data.aws_iam_role.karpenter.arn
+  create_access_entry             = false
+  iam_policy_name                 = "KarpenterPolicy-${var.deployment_id}"
+  iam_policy_description          = "Karpenter controller IAM policy created by karpenter module"
+  iam_role_use_name_prefix        = false
   node_iam_role_additional_policies = {
     AmazonSSMManagedInstanceCore = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore",
     AmazonEBSCSIDriverPolicy     = "arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy"
@@ -317,6 +394,14 @@ output "karpenter_iam_role_arn" {
   value = var.eks_create && var.eks_create_karpenter ? module.karpenter.iam_role_arn : ""
 }
 
+output "cluster_endpoint" {
+  value = module.eks.cluster_endpoint
+}
+
+output "nodegroup_iam_role_name" {
+  value = data.aws_iam_role.karpenter.name
+}
+
 output "eks" {
-  value = module.eks.*
+  value = module.eks
 }
diff --git a/examples/full/README.md b/examples/full/README.md
index 25ad975..8929673 100644
--- a/examples/full/README.md
+++ b/examples/full/README.md
@@ -2,13 +2,47 @@
 
 This folder contains a full example for deploying [Checkmarx One](https://checkmarx.com/product/application-security-platform/) on [AWS](https://aws.amazon.com) using [Terraform](https://www.terraform.io). 
 
-The project configures the VPC, KMS, SES, ACM, and other basic environment resources, and then invokes the `terraform-aws-cxone` module to deploy Checkmarx One infrastructure.
+The project configures the VPC, KMS, ACM, and other basic environment resources, and then invokes the `terraform-aws-cxone` module to deploy Checkmarx One infrastructure. The [`cxone-install`](../../modules/cxone-install) module is used to generate installation scripts for the application after Terraform deploys the infrastructure.
 
 Consult the [`example.auto.tfvars`](./example.auto.tfvars) for a full listing of what can be configured in this example, and the `terraform-aws-cxone module`.
 
+# Installation
+This example generates a Makefile in the project folder after Terraform finishes running. The Makefile has several targets that can help bootstrap your environment with the CxOne application. 
 
-# Module Documentation
+The `kots.$DEPLOYMENT_ID.yaml` file is also automatically generated and can be reviewed & modified after Terraform finishes.
+
+Run these commands to bootstrap your cluster.
+
+Update your kubectl context:
+
+```sh
+make update-kubeconfig
+```
+
+Update the EKS storage configuration to default to gp3:
+
+```sh
+make apply-storageclass-config
+```
 
+Install the cluster autoscaler:
+```sh
+make install-cluster-autoscaler
+```
+
+Install the load balancer controller (wait approx 1 minute after cluster autoscaler to avoid webhook issues):
+```sh
+make install-load-balancer-controller
+```
+
+Install the Checkmarx One application:
+```sh
+make kots-install
+```
+
+You can also build your own bootstrapping process using the Makefile as a reference.
+
+# Module Documentation
 ## Requirements
 
 No requirements.
@@ -27,18 +61,13 @@ No requirements.
 | <a name="module_acm"></a> [acm](#module\_acm) | terraform-aws-modules/acm/aws | 5.0.1 |
 | <a name="module_checkmarx-one"></a> [checkmarx-one](#module\_checkmarx-one) | ../../ | n/a |
 | <a name="module_checkmarx-one-install"></a> [checkmarx-one-install](#module\_checkmarx-one-install) | ../../modules/cxone-install | n/a |
-| <a name="module_ses"></a> [ses](#module\_ses) | cloudposse/ses/aws | 0.24.0 |
-| <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | 5.7.0 |
-| <a name="module_vpc_endpoint_security_group"></a> [vpc\_endpoint\_security\_group](#module\_vpc\_endpoint\_security\_group) | terraform-aws-modules/security-group/aws | 5.1.2 |
+| <a name="module_vpc"></a> [vpc](#module\_vpc) | ../../modules/inspection-vpc | n/a |
 
 ## Resources
 
 | Name | Type |
 |------|------|
-| [aws_iam_group_policy.cxone_ses_group_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy) | resource |
 | [aws_kms_key.main](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
-| [aws_vpc_endpoint.interface](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint) | resource |
-| [aws_vpc_endpoint.s3_gateway_private](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint) | resource |
 | [random_password.cxone_admin](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password) | resource |
 | [random_password.db](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password) | resource |
 | [random_password.elasticsearch](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password) | resource |
@@ -52,9 +81,13 @@ No requirements.
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| <a name="input_acm_certificate_arn"></a> [acm\_certificate\_arn](#input\_acm\_certificate\_arn) | The ARN to the SSL certificate in AWS ACM to use for securing the load balancer | `string` | `null` | no |
+| <a name="input_additional_suricata_rules"></a> [additional\_suricata\_rules](#input\_additional\_suricata\_rules) | Additional [suricata rules](https://docs.aws.amazon.com/network-firewall/latest/developerguide/suricata-examples.html) rules to use in the network firewall. When provided these rules will be appended to the default rules prior to the default drop rule. | `string` | `""` | no |
 | <a name="input_aws_ebs_csi_driver_version"></a> [aws\_ebs\_csi\_driver\_version](#input\_aws\_ebs\_csi\_driver\_version) | The version of the EKS EBS CSI Addon. | `string` | n/a | yes |
 | <a name="input_coredns_version"></a> [coredns\_version](#input\_coredns\_version) | The version of the EKS Core DNS Addon. | `string` | n/a | yes |
-| <a name="input_create_s3_endpoint"></a> [create\_s3\_endpoint](#input\_create\_s3\_endpoint) | Enables creation of the s3 gateway VPC interface endpoint. | `bool` | `true` | no |
+| <a name="input_create_interface_endpoints"></a> [create\_interface\_endpoints](#input\_create\_interface\_endpoints) | Enables creation of the [interface endpoints](https://docs.aws.amazon.com/vpc/latest/privatelink/privatelink-access-aws-services.html) specified in `interface_vpc_endpoints` | `bool` | `true` | no |
+| <a name="input_create_managed_rule_groups"></a> [create\_managed\_rule\_groups](#input\_create\_managed\_rule\_groups) | Enables creation of the AWS Network Firewall [managed rule groups](https://docs.aws.amazon.com/network-firewall/latest/developerguide/aws-managed-rule-groups-list.html) provided in `managed_rule_groups` | `bool` | `true` | no |
+| <a name="input_create_s3_endpoint"></a> [create\_s3\_endpoint](#input\_create\_s3\_endpoint) | Enables creation of the [s3 gateway VPC endpoint](https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-endpoints-s3.html) | `bool` | `true` | no |
 | <a name="input_db_allow_major_version_upgrade"></a> [db\_allow\_major\_version\_upgrade](#input\_db\_allow\_major\_version\_upgrade) | Allows major version upgrades. | `bool` | `false` | no |
 | <a name="input_db_apply_immediately"></a> [db\_apply\_immediately](#input\_db\_apply\_immediately) | Determines if changes will be applied immediately or wait until the next maintenance window. | `bool` | `false` | no |
 | <a name="input_db_auto_minor_version_upgrade"></a> [db\_auto\_minor\_version\_upgrade](#input\_db\_auto\_minor\_version\_upgrade) | Automatically upgrade to latest minor version in maintenance window. | `bool` | `false` | no |
@@ -101,12 +134,15 @@ No requirements.
 | <a name="input_eks_create_external_dns_irsa"></a> [eks\_create\_external\_dns\_irsa](#input\_eks\_create\_external\_dns\_irsa) | Enables creation of external dns IAM role. | `bool` | `true` | no |
 | <a name="input_eks_create_karpenter"></a> [eks\_create\_karpenter](#input\_eks\_create\_karpenter) | Enables creation of Karpenter resources. | `bool` | `false` | no |
 | <a name="input_eks_create_load_balancer_controller_irsa"></a> [eks\_create\_load\_balancer\_controller\_irsa](#input\_eks\_create\_load\_balancer\_controller\_irsa) | Enables creation of load balancer controller IAM role. | `bool` | `true` | no |
+| <a name="input_eks_enable_externalsnat"></a> [eks\_enable\_externalsnat](#input\_eks\_enable\_externalsnat) | Enables [External SNAT](https://docs.aws.amazon.com/eks/latest/userguide/external-snat.html) for the EKS VPC CNI. When true, the EKS pods must have a route to a NAT Gateway for outbound communication. | `bool` | `false` | no |
+| <a name="input_eks_enable_fargate"></a> [eks\_enable\_fargate](#input\_eks\_enable\_fargate) | Enables Fargate profiles for the karpenter and kube-system namespaces. | `bool` | `false` | no |
 | <a name="input_eks_node_additional_security_group_ids"></a> [eks\_node\_additional\_security\_group\_ids](#input\_eks\_node\_additional\_security\_group\_ids) | Additional security group ids to attach to EKS nodes. | `list(string)` | `[]` | no |
 | <a name="input_eks_node_groups"></a> [eks\_node\_groups](#input\_eks\_node\_groups) | n/a | <pre>list(object({<br>    name            = string<br>    min_size        = string<br>    desired_size    = string<br>    max_size        = string<br>    volume_type     = optional(string, "gp3")<br>    disk_size       = optional(number, 200)<br>    disk_iops       = optional(number, 3000)<br>    disk_throughput = optional(number, 125)<br>    device_name     = optional(string, "/dev/xvda")<br>    instance_types  = list(string)<br>    capacity_type   = optional(string, "ON_DEMAND")<br>    labels          = optional(map(string), {})<br>    taints          = optional(map(object({ key = string, value = string, effect = string })), {})<br>  }))</pre> | <pre>[<br>  {<br>    "desired_size": 3,<br>    "instance_types": [<br>      "c5.4xlarge"<br>    ],<br>    "max_size": 9,<br>    "min_size": 3,<br>    "name": "ast-app"<br>  },<br>  {<br>    "desired_size": 0,<br>    "instance_types": [<br>      "m5.2xlarge"<br>    ],<br>    "labels": {<br>      "sast-engine": "true"<br>    },<br>    "max_size": 100,<br>    "min_size": 0,<br>    "name": "sast-engine",<br>    "taints": {<br>      "dedicated": {<br>        "effect": "NO_SCHEDULE",<br>        "key": "sast-engine",<br>        "value": "true"<br>      }<br>    }<br>  },<br>  {<br>    "desired_size": 0,<br>    "instance_types": [<br>      "m5.4xlarge"<br>    ],<br>    "labels": {<br>      "sast-engine-large": "true"<br>    },<br>    "max_size": 100,<br>    "min_size": 0,<br>    "name": "sast-engine-large",<br>    "taints": {<br>      "dedicated": {<br>        "effect": "NO_SCHEDULE",<br>        "key": "sast-engine-large",<br>        "value": "true"<br>      }<br>    }<br>  },<br>  {<br>    "desired_size": 0,<br>    "instance_types": [<br>      "r5.2xlarge"<br>    ],<br>    "labels": {<br>      "sast-engine-extra-large": "true"<br>    },<br>    "max_size": 100,<br>    "min_size": 0,<br>    "name": "sast-engine-extra-large",<br>    "taints": {<br>      "dedicated": {<br>        "effect": "NO_SCHEDULE",<br>        "key": "sast-engine-extra-large",<br>        "value": "true"<br>      }<br>    }<br>  },<br>  {<br>    "desired_size": 0,<br>    "instance_types": [<br>      "r5.4xlarge"<br>    ],<br>    "labels": {<br>      "sast-engine-xxl": "true"<br>    },<br>    "max_size": 100,<br>    "min_size": 0,<br>    "name": "sast-engine-xxl",<br>    "taints": {<br>      "dedicated": {<br>        "effect": "NO_SCHEDULE",<br>        "key": "sast-engine-xxl",<br>        "value": "true"<br>      }<br>    }<br>  },<br>  {<br>    "desired_size": 1,<br>    "instance_types": [<br>      "c5.2xlarge"<br>    ],<br>    "labels": {<br>      "kics-engine": "true"<br>    },<br>    "max_size": 100,<br>    "min_size": 1,<br>    "name": "kics-engine",<br>    "taints": {<br>      "dedicated": {<br>        "effect": "NO_SCHEDULE",<br>        "key": "kics-engine",<br>        "value": "true"<br>      }<br>    }<br>  },<br>  {<br>    "desired_size": 1,<br>    "instance_types": [<br>      "c5.2xlarge"<br>    ],<br>    "labels": {<br>      "repostore": "true"<br>    },<br>    "max_size": 100,<br>    "min_size": 1,<br>    "name": "repostore",<br>    "taints": {<br>      "dedicated": {<br>        "effect": "NO_SCHEDULE",<br>        "key": "repostore",<br>        "value": "true"<br>      }<br>    }<br>  },<br>  {<br>    "desired_size": 0,<br>    "instance_types": [<br>      "m5.2xlarge"<br>    ],<br>    "labels": {<br>      "service": "sca-source-resolver"<br>    },<br>    "max_size": 100,<br>    "min_size": 0,<br>    "name": "sca-source-resolver",<br>    "taints": {<br>      "dedicated": {<br>        "effect": "NO_SCHEDULE",<br>        "key": "service",<br>        "value": "sca-source-resolver"<br>      }<br>    }<br>  }<br>]</pre> | no |
 | <a name="input_eks_private_endpoint_enabled"></a> [eks\_private\_endpoint\_enabled](#input\_eks\_private\_endpoint\_enabled) | Enables the EKS VPC private endpoint. | `bool` | `true` | no |
 | <a name="input_eks_public_endpoint_enabled"></a> [eks\_public\_endpoint\_enabled](#input\_eks\_public\_endpoint\_enabled) | Enables the EKS public endpoint. | `bool` | `false` | no |
 | <a name="input_eks_version"></a> [eks\_version](#input\_eks\_version) | The version of the EKS Cluster (e.g. 1.27) | `string` | n/a | yes |
 | <a name="input_enable_cluster_creator_admin_permissions"></a> [enable\_cluster\_creator\_admin\_permissions](#input\_enable\_cluster\_creator\_admin\_permissions) | Enables the identity used to create the EKS cluster to have administrator access to that EKS cluster. When enabled, do not specify the same principal arn for eks\_administrator\_principals. | `bool` | `true` | no |
+| <a name="input_enable_firewall"></a> [enable\_firewall](#input\_enable\_firewall) | Enables the use of the [AWS Network Firewall](https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html) to protect the private and pod subnets | `bool` | `true` | no |
 | <a name="input_es_create"></a> [es\_create](#input\_es\_create) | Enables creation of elasticsearch resources. | `bool` | `true` | no |
 | <a name="input_es_instance_count"></a> [es\_instance\_count](#input\_es\_instance\_count) | The number of nodes in elasticsearch cluster | `number` | `2` | no |
 | <a name="input_es_instance_type"></a> [es\_instance\_type](#input\_es\_instance\_type) | The instance type for elasticsearch nodes. | `string` | `"r6g.large.elasticsearch"` | no |
@@ -114,23 +150,34 @@ No requirements.
 | <a name="input_es_username"></a> [es\_username](#input\_es\_username) | The username for the elasticsearch user | `string` | `"ast"` | no |
 | <a name="input_es_volume_size"></a> [es\_volume\_size](#input\_es\_volume\_size) | The size of volumes for nodes in elasticsearch cluster | `number` | `100` | no |
 | <a name="input_fqdn"></a> [fqdn](#input\_fqdn) | The fully qualified domain name that will be used for the Checkmarx One deployment | `string` | n/a | yes |
-| <a name="input_interface_vpc_endpoints"></a> [interface\_vpc\_endpoints](#input\_interface\_vpc\_endpoints) | A list of services that vpc endpoints are created for. | `list(string)` | <pre>[<br>  "ec2",<br>  "ec2messages",<br>  "ssm",<br>  "ssmmessages",<br>  "ecr.api",<br>  "ecr.dkr",<br>  "kms",<br>  "logs",<br>  "sts",<br>  "elasticloadbalancing",<br>  "autoscaling"<br>]</pre> | no |
+| <a name="input_include_sca_rules"></a> [include\_sca\_rules](#input\_include\_sca\_rules) | Enables inclusion of AWS Network Firewall rules used in SCA scanning. These rules may be overly permissive when not using SCA, so they are optional. These rules allow connectivity to various public package manager repositories like [Maven Central](https://mvnrepository.com/repos/central) and [npm](https://docs.npmjs.com/). | `bool` | `true` | no |
+| <a name="input_interface_vpc_endpoints"></a> [interface\_vpc\_endpoints](#input\_interface\_vpc\_endpoints) | A list of AWS services to create [VPC Private Endpoints](https://docs.aws.amazon.com/vpc/latest/privatelink/privatelink-access-aws-services.html) for. These endpoints are used for communication direct to AWS services without requiring connectivity and are useful for private EKS clusters. | `list(string)` | <pre>[<br>  "ec2",<br>  "ec2messages",<br>  "ssm",<br>  "ssmmessages",<br>  "ecr.api",<br>  "ecr.dkr",<br>  "kms",<br>  "logs",<br>  "sts",<br>  "elasticloadbalancing",<br>  "autoscaling"<br>]</pre> | no |
 | <a name="input_kots_admin_email"></a> [kots\_admin\_email](#input\_kots\_admin\_email) | The email address of the Checkmarx One first admin user. | `string` | n/a | yes |
 | <a name="input_kots_cxone_version"></a> [kots\_cxone\_version](#input\_kots\_cxone\_version) | The version of Checkmarx One to install | `string` | n/a | yes |
 | <a name="input_kots_license_file"></a> [kots\_license\_file](#input\_kots\_license\_file) | The path to the kots license file to install Checkamrx One with. | `string` | n/a | yes |
 | <a name="input_kots_release_channel"></a> [kots\_release\_channel](#input\_kots\_release\_channel) | The release channel from which to install Checkmarx One | `string` | `"beta"` | no |
 | <a name="input_kube_proxy_version"></a> [kube\_proxy\_version](#input\_kube\_proxy\_version) | The version of the EKS Kube Proxy Addon. | `string` | n/a | yes |
 | <a name="input_launch_template_tags"></a> [launch\_template\_tags](#input\_launch\_template\_tags) | Tags to associate with launch templates for node groups | `map(string)` | `null` | no |
+| <a name="input_managed_rule_groups"></a> [managed\_rule\_groups](#input\_managed\_rule\_groups) | The AWS Network Firewall [managed rule groups](https://docs.aws.amazon.com/network-firewall/latest/developerguide/aws-managed-rule-groups-list.html) to include in the firewall policy. Must be strict order groups. | `list(string)` | <pre>[<br>  "AbusedLegitMalwareDomainsStrictOrder",<br>  "MalwareDomainsStrictOrder",<br>  "AbusedLegitBotNetCommandAndControlDomainsStrictOrder",<br>  "BotNetCommandAndControlDomainsStrictOrder",<br>  "ThreatSignaturesBotnetStrictOrder",<br>  "ThreatSignaturesBotnetWebStrictOrder",<br>  "ThreatSignaturesBotnetWindowsStrictOrder",<br>  "ThreatSignaturesIOCStrictOrder",<br>  "ThreatSignaturesDoSStrictOrder",<br>  "ThreatSignaturesEmergingEventsStrictOrder",<br>  "ThreatSignaturesExploitsStrictOrder",<br>  "ThreatSignaturesMalwareStrictOrder",<br>  "ThreatSignaturesMalwareCoinminingStrictOrder",<br>  "ThreatSignaturesMalwareMobileStrictOrder",<br>  "ThreatSignaturesMalwareWebStrictOrder",<br>  "ThreatSignaturesScannersStrictOrder",<br>  "ThreatSignaturesSuspectStrictOrder",<br>  "ThreatSignaturesWebAttacksStrictOrder"<br>]</pre> | no |
+| <a name="input_ms_replica_count"></a> [ms\_replica\_count](#input\_ms\_replica\_count) | The microservices replica count (e.g. a minimum) | `number` | `3` | no |
 | <a name="input_object_storage_access_key"></a> [object\_storage\_access\_key](#input\_object\_storage\_access\_key) | The S3 access key to use to access buckets | `string` | n/a | yes |
 | <a name="input_object_storage_endpoint"></a> [object\_storage\_endpoint](#input\_object\_storage\_endpoint) | The S3 endpoint to use to access buckets | `string` | n/a | yes |
 | <a name="input_object_storage_secret_key"></a> [object\_storage\_secret\_key](#input\_object\_storage\_secret\_key) | The S3 secret key to use to access buckets | `string` | n/a | yes |
+| <a name="input_primary_cidr_block"></a> [primary\_cidr\_block](#input\_primary\_cidr\_block) | The primary VPC CIDR block for the VPC. Must be at least a /19. | `string` | n/a | yes |
 | <a name="input_route_53_hosted_zone_id"></a> [route\_53\_hosted\_zone\_id](#input\_route\_53\_hosted\_zone\_id) | The hosted zone id for route 53 in which to create dns and certificates. | `string` | n/a | yes |
 | <a name="input_s3_retention_period"></a> [s3\_retention\_period](#input\_s3\_retention\_period) | The retention period, in days, to retain s3 objects. | `string` | `"90"` | no |
-| <a name="input_secondary_vpc_cidr"></a> [secondary\_vpc\_cidr](#input\_secondary\_vpc\_cidr) | The secondary VPC CIDR block to associate with the VPC. | `string` | `null` | no |
+| <a name="input_secondary_cidr_block"></a> [secondary\_cidr\_block](#input\_secondary\_cidr\_block) | The secondary VPC CIDR block for the EKS Pod [Custom Networking](https://aws.github.io/aws-eks-best-practices/networking/custom-networking/) configuration. Must be at least a /18. | `string` | `"100.64.0.0/18"` | no |
+| <a name="input_smtp_from_sender"></a> [smtp\_from\_sender](#input\_smtp\_from\_sender) | The address to use in the from field when sending emails. | `string` | n/a | yes |
+| <a name="input_smtp_host"></a> [smtp\_host](#input\_smtp\_host) | The hostname of the SMTP server. | `string` | n/a | yes |
+| <a name="input_smtp_password"></a> [smtp\_password](#input\_smtp\_password) | The smtp password. | `string` | n/a | yes |
 | <a name="input_smtp_port"></a> [smtp\_port](#input\_smtp\_port) | The port of the SMTP server. | `number` | `587` | no |
-| <a name="input_vpc_cidr"></a> [vpc\_cidr](#input\_vpc\_cidr) | The primary VPC CIDR block to create the VPC with. | `string` | n/a | yes |
+| <a name="input_smtp_user"></a> [smtp\_user](#input\_smtp\_user) | The smtp user name. | `string` | n/a | yes |
+| <a name="input_stateful_default_action"></a> [stateful\_default\_action](#input\_stateful\_default\_action) | The [default action](https://docs.aws.amazon.com/network-firewall/latest/developerguide/suricata-rule-evaluation-order.html#suricata-strict-rule-evaluation-order) for the AWS Network Firewall stateful rule group. Choose `aws:drop_established` or `aws:alert_established` | `string` | `"aws:drop_established"` | no |
+| <a name="input_suricata_rules"></a> [suricata\_rules](#input\_suricata\_rules) | The [suricata rules](https://docs.aws.amazon.com/network-firewall/latest/developerguide/suricata-examples.html) to use for the AWS Network Firewall. When provided, this variable completely overrides the embedded rules. Use this to bring your own rules. If you only need to provide some additional rules in addition to the bundled rules, then use `additional_suricata_rules` instead of `suricata_rules`. | `string` | `null` | no |
 | <a name="input_vpc_cni_version"></a> [vpc\_cni\_version](#input\_vpc\_cni\_version) | The version of the EKS VPC CNI Addon. | `string` | n/a | yes |
 
 ## Outputs
 
-No outputs.
\ No newline at end of file
+| Name | Description |
+|------|-------------|
+| <a name="output_cxone1"></a> [cxone1](#output\_cxone1) | n/a |
\ No newline at end of file
diff --git a/examples/full/examples.auto.tfvars b/examples/full/examples.auto.tfvars
index d2bdefe..5cd6102 100644
--- a/examples/full/examples.auto.tfvars
+++ b/examples/full/examples.auto.tfvars
@@ -2,18 +2,85 @@
 #******************************************************************************
 #   Base Infrastructure Configuration
 #******************************************************************************
-vpc_cidr                = "10.77.0.0/16"
-secondary_vpc_cidr      = "100.64.0.0/16"
-interface_vpc_endpoints = ["ec2", "ec2messages", "ssm", "ssmmessages", "ecr.api", "ecr.dkr", "kms", "logs", "sts", "elasticloadbalancing", "autoscaling"]
-create_s3_endpoint      = true
+# Provide your hosted zone ID that corresponds to the domain used in the fqdn variable.
+# The hosted zone is used for validating SSL certificates in ACM and for external DNS.
+# If you are not using route 53 for DNS, then route_53_hosted_zone_id is not used, but you must
+# also set eks_create_external_dns_irsa = false and provide your SSL certificate ARN in acm_certificate_arn.
 route_53_hosted_zone_id = "<enter your hosted zone id e.g. Z0962235AVF65523G11OI"
-fqdn                    = "example.checkmarx-ps.com"
-deployment_id           = "cxone-dev"
-ec2_key_name            = "<enter your ec2 key>"
+
+# FQDN is used for creating DNS and SSL records, and for configuring Traefik host header listeners
+fqdn = "example.checkmarx-ps.com"
+
+# Deployment ID is used to name resources. Use something short and can be part of a url (e.g. alphanumberic with hypens)
+deployment_id = "cxone-dev"
+
+# Enter the key you want to use for SSH access to EC2 instances launched by EKS. Leave null to access only via SSM.
+ec2_key_name = null
+
+# Enter the number of baseline replicas each pod should have in Checkmarx One. Recommend 1 for non-prod environments, 3 or more for production
+ms_replica_count = 1
+
+# The ARN to your SSL certificate in ACM. Required when route_53_hosted_zone_id is not provided.
+acm_certificate_arn = null
+
+#******************************************************************************
+#   VPC Configuration
+#******************************************************************************
+# Set to your primary VPC CIDR range. Recommend at least a /17 for Checkmarx One.
+primary_cidr_block = "10.77.0.0/16"
+
+# The secondary CIDR. Used as described at https://aws.amazon.com/blogs/containers/addressing-ipv4-address-exhaustion-in-amazon-eks-clusters-using-private-nat-gateways/
+secondary_cidr_block = "100.64.0.0/18"
+
+# The interface endpoints to create. These have a charge, but are needed if running EKS privately.
+interface_vpc_endpoints    = ["ec2", "ec2messages", "ssm", "ssmmessages", "ecr.api", "ecr.dkr", "kms", "logs", "sts", "elasticloadbalancing", "autoscaling"]
+create_interface_endpoints = true
+create_s3_endpoint         = true
+
+# Firewall only current works for egress filtering, and breaks ingress. Do not enable.
+enable_firewall            = false
+stateful_default_action    = "aws:drop_established"
+include_sca_rules          = true
+create_managed_rule_groups = false
+managed_rule_groups = ["AbusedLegitMalwareDomainsStrictOrder",
+  "MalwareDomainsStrictOrder",
+  "AbusedLegitBotNetCommandAndControlDomainsStrictOrder",
+  "BotNetCommandAndControlDomainsStrictOrder",
+  "ThreatSignaturesBotnetStrictOrder",
+  "ThreatSignaturesBotnetWebStrictOrder",
+  "ThreatSignaturesBotnetWindowsStrictOrder",
+  "ThreatSignaturesIOCStrictOrder",
+  "ThreatSignaturesDoSStrictOrder",
+  "ThreatSignaturesEmergingEventsStrictOrder",
+  "ThreatSignaturesExploitsStrictOrder",
+  "ThreatSignaturesMalwareStrictOrder",
+  "ThreatSignaturesMalwareCoinminingStrictOrder",
+  "ThreatSignaturesMalwareMobileStrictOrder",
+  "ThreatSignaturesMalwareWebStrictOrder",
+  "ThreatSignaturesScannersStrictOrder",
+  "ThreatSignaturesSuspectStrictOrder",
+  "ThreatSignaturesWebAttacksStrictOrder"
+]
+additional_suricata_rules = <<EOF
+# CxOne must talk to itself when performing token exchange to validate the FQDN (cxiam makes the connection).
+#pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"www.example.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240331001; rev:1;)
+EOF
+
+#******************************************************************************
+#   SMTP Configuration
+#******************************************************************************
+# Enter your SMTP server information here
+smtp_host        = "smtp.example.com"
+smtp_port        = 587
+smtp_user        = "<user name>"
+smtp_password    = "???"
+smtp_from_sender = "noreply@example.com"
 
 #******************************************************************************
 #   S3 Configuration
 #******************************************************************************
+# Checkmarx One requires an IAM user with S3 access for connectivity to S3 buckets.
+# Create the IAM user with S3 access policies, and enter the credentials here.
 object_storage_endpoint   = "<enter your s3 region e.g. s3.us-west-2.amazonaws.com>"
 object_storage_access_key = "<enter your AWS Access Key for the IAM user that connects to S3 buckets>"
 object_storage_secret_key = "<enter your AWS Secret Key for the IAM user that connects to S3 buckets>"
@@ -21,29 +88,35 @@ object_storage_secret_key = "<enter your AWS Secret Key for the IAM user that co
 #******************************************************************************
 #   Kots & Installation Configuration
 #******************************************************************************
+# This information is only passed to the install module to generate installation scripts.
 kots_admin_email     = "<email address of the CxOne first administrator user>"
 kots_release_channel = "beta"
-kots_cxone_version   = "3.10.5"
+kots_cxone_version   = "3.10.22"
 kots_license_file    = "<path to your Checkmarx One license.yml file>"
 
 #******************************************************************************
-# terraform-aws-cxone module pass thru variables
+# terraform-aws-cxone module pass thru variables. all further variables are
+# for the top level terraform-aws-cxone module and not this example.
 #******************************************************************************
 eks_create                               = true
 eks_create_cluster_autoscaler_irsa       = true
-eks_create_external_dns_irsa             = true
+eks_create_external_dns_irsa             = false # must be false in govcloud
 eks_create_load_balancer_controller_irsa = true
-eks_create_karpenter                     = false
-eks_version                              = "1.27"
+eks_create_karpenter                     = false # karpenter not yet working, do not enable
+eks_version                              = "1.28"
 coredns_version                          = "v1.10.1-eksbuild.7"
-kube_proxy_version                       = "v1.27.10-eksbuild.2"
-vpc_cni_version                          = "v1.17.1-eksbuild.1"
-aws_ebs_csi_driver_version               = "v1.27.0-eksbuild.1"
+kube_proxy_version                       = "v1.28.8-eksbuild.2"
+vpc_cni_version                          = "v1.18.0-eksbuild.1"
+aws_ebs_csi_driver_version               = "v1.28.0-eksbuild.1"
+eks_enable_fargate                       = false # not yet working, do not enable
+eks_enable_externalsnat                  = false # leave false, unless working with external nat gateway
 eks_private_endpoint_enabled             = true
+# When eks_public_endpoint_enabled = false, installation and management commands after Terraform must be run
+# from a system with connectivity to the private EKS endpoint, such as a bastion host.
 eks_public_endpoint_enabled              = true
-eks_cluster_endpoint_public_access_cidrs = ["0.0.0.0/0"]
-enable_cluster_creator_admin_permissions = true
-eks_node_additional_security_group_ids   = []
+eks_cluster_endpoint_public_access_cidrs = ["0.0.0.0/0"] # Use to lock down access to the public endpoint, when the public endpoint is enabled
+enable_cluster_creator_admin_permissions = true          # the principal used to execute this terraform will be granted access to EKS
+eks_node_additional_security_group_ids   = []            # pass arbitrary additional security groups to EKS nodes
 # Uncomment the eks_administrator_principals to specify additional principal ARNs that should have admin
 # access to EKS.
 # eks_administrator_principals = [
@@ -56,10 +129,12 @@ eks_node_additional_security_group_ids   = []
 #     principal_arn = "arn:aws:iam::1234567890:role/aws-reserved/sso.amazonaws.com/us-east-1/YourName2"
 #   }
 # ]
+# Tags will be applied to EKS nodes created via launch template
 launch_template_tags = {
   CostCenter     = "12345"
   "Custom:owner" = "foobar"
 }
+# EKS node groups, these are required.
 eks_node_groups = [{
   name           = "ast-app"
   min_size       = 3
@@ -211,7 +286,7 @@ db_autoscaling_target_cpu                   = 70
 db_autoscaling_scale_out_cooldown           = 300
 db_autoscaling_scale_in_cooldown            = 300
 db_port                                     = "5432"
-db_create_rds_proxy                         = false #true
+db_create_rds_proxy                         = false
 db_create                                   = true
 db_performance_insights_enabled             = true
 db_performance_insights_retention_period    = 7
@@ -219,9 +294,10 @@ db_cluster_db_instance_parameter_group_name = "aurora-postgresql13-cluster"
 # Set individual instance properties. Reference https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster_instance
 db_instances = {
   writer = {}
-  replica1 = {
-    promotion_tier = 0
-  }
+  # Create replicas for production, but not for non-prod envs
+  #replica1 = {
+  #  promotion_tier = 0
+  #}
 }
 db_serverlessv2_scaling_configuration = {
   min_capacity = 0.5
@@ -236,11 +312,11 @@ ec_create                         = true
 ec_enable_serverless              = false # Serverless EC is not supported by Checkmarx One, yet.
 ec_serverless_max_storage         = 5
 ec_serverless_max_ecpu_per_second = 5000
-ec_engine_version                 = "6.x"                         # "6.x"
-ec_parameter_group_name           = "default.redis6.x.cluster.on" # "default.redis6.x.cluster.on"
+ec_engine_version                 = "6.x"
+ec_parameter_group_name           = "default.redis6.x.cluster.on"
 ec_automatic_failover_enabled     = true
 ec_multi_az_enabled               = true
-ec_node_type                      = "cache.r7g.large" # Production: cache.r7g.xlarge, Dev/Test: cache.t4g.medium, Demo: cache.t4g.micro. Note: Not all regions have r7 generation instances.
+ec_node_type                      = "cache.t3.medium" # Production: cache.r7g.xlarge, Dev/Test: cache.t4g.medium, Demo: cache.t4g.micro. Note: Not all regions have r7 generation instances.
 ec_number_of_shards               = 1                 # Production 3, Dev/Test: 1, Demo: 1
 ec_replicas_per_shard             = 2                 # Production 2, Dev/Test: 1, Demo: 0
 ec_auto_minor_version_upgrade     = false
diff --git a/examples/full/main.tf b/examples/full/main.tf
index 73a4eff..b1da625 100644
--- a/examples/full/main.tf
+++ b/examples/full/main.tf
@@ -5,6 +5,34 @@ data "aws_availability_zones" "available" {
   state = "available"
 }
 
+locals {
+  # Add the fqdn to the firewall rules
+  additional_suricata_rules = <<EOF
+# CxOne must talk to itself when performing token exchange to validate the FQDN (cxiam makes the connection).
+pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"${var.fqdn}"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240401001; rev:1;)
+
+${var.additional_suricata_rules}
+
+EOF
+}
+
+module "vpc" {
+  source                     = "../../modules/inspection-vpc"
+  deployment_id              = var.deployment_id
+  primary_cidr_block         = var.primary_cidr_block
+  secondary_cidr_block       = var.secondary_cidr_block
+  interface_vpc_endpoints    = var.interface_vpc_endpoints
+  create_interface_endpoints = var.create_interface_endpoints
+  create_s3_endpoint         = var.create_s3_endpoint
+  enable_firewall            = var.enable_firewall
+  stateful_default_action    = var.stateful_default_action
+  suricata_rules             = var.suricata_rules
+  include_sca_rules          = var.include_sca_rules
+  additional_suricata_rules  = local.additional_suricata_rules
+  create_managed_rule_groups = var.create_managed_rule_groups
+  managed_rule_groups        = var.managed_rule_groups
+}
+
 
 resource "aws_kms_key" "main" {
   description             = "KMS Key for the Checkmarx One deployment named ${var.deployment_id}"
@@ -19,7 +47,7 @@ resource "aws_kms_key" "main" {
 resource "random_password" "elasticsearch" {
   length           = 32
   special          = false
-  override_special = "!*-_[]{}<>"
+  override_special = "!-_"
   min_special      = 1
   min_upper        = 1
   min_lower        = 1
@@ -29,7 +57,7 @@ resource "random_password" "elasticsearch" {
 resource "random_password" "db" {
   length           = 32
   special          = false
-  override_special = "!*-_[]{}<>"
+  override_special = "!-_"
   min_special      = 1
   min_upper        = 1
   min_lower        = 1
@@ -39,7 +67,7 @@ resource "random_password" "db" {
 resource "random_password" "kots_admin" {
   length           = 14
   special          = false
-  override_special = "!*-_[]{}<>"
+  override_special = "!-_"
   min_special      = 1
   min_upper        = 1
   min_lower        = 1
@@ -49,19 +77,17 @@ resource "random_password" "kots_admin" {
 resource "random_password" "cxone_admin" {
   length           = 14
   special          = false
-  override_special = "!*-_[]{}<>"
+  override_special = "!-_"
   min_special      = 1
   min_upper        = 1
   min_lower        = 1
   min_numeric      = 1
 }
 
-
-
-
 module "acm" {
   source  = "terraform-aws-modules/acm/aws"
   version = "5.0.1"
+  count   = var.acm_certificate_arn != null ? 0 : 1
 
   domain_name = var.fqdn
   zone_id     = var.route_53_hosted_zone_id
@@ -73,46 +99,6 @@ module "acm" {
   wait_for_validation    = true
 }
 
-module "ses" {
-  source            = "cloudposse/ses/aws"
-  version           = "0.24.0"
-  zone_id           = var.route_53_hosted_zone_id
-  domain            = var.fqdn
-  verify_domain     = true
-  verify_dkim       = true
-  ses_group_enabled = true
-  ses_group_name    = "${var.deployment_id}-ses-group"
-  ses_user_enabled  = true
-  name              = "CxOne-${var.deployment_id}"
-  environment       = "dev"
-  enabled           = true
-
-  tags = {
-    Name = var.deployment_id
-  }
-}
-
-resource "aws_iam_group_policy" "cxone_ses_group_policy" {
-  name  = "${var.deployment_id}-ses-group-policy"
-  group = module.ses.ses_group_name
-
-  depends_on = [module.ses]
-
-  policy = jsonencode({
-    Version : "2012-10-17"
-    Statement : [
-      {
-        Effect : "Allow",
-        Action : [
-          "ses:SendEmail",
-          "ses:SendRawEmail"
-        ],
-        Resource : "*"
-      }
-    ]
-  })
-}
-
 
 module "checkmarx-one" {
   source = "../../"
@@ -127,6 +113,9 @@ module "checkmarx-one" {
   # EKS Configuration
   eks_create                               = var.eks_create
   eks_subnets                              = module.vpc.private_subnets
+  eks_pod_subnets                          = module.vpc.pod_subnets
+  eks_enable_externalsnat                  = var.eks_enable_externalsnat
+  eks_enable_fargate                       = var.eks_enable_fargate
   eks_create_cluster_autoscaler_irsa       = var.eks_create_cluster_autoscaler_irsa
   eks_create_external_dns_irsa             = var.eks_create_external_dns_irsa
   eks_create_load_balancer_controller_irsa = var.eks_create_load_balancer_controller_irsa
@@ -141,9 +130,10 @@ module "checkmarx-one" {
   eks_cluster_endpoint_public_access_cidrs = var.eks_cluster_endpoint_public_access_cidrs
   enable_cluster_creator_admin_permissions = var.enable_cluster_creator_admin_permissions
   launch_template_tags                     = var.launch_template_tags
+  eks_node_groups                          = var.eks_node_groups
 
   # RDS Configuration
-  db_subnets                     = module.vpc.private_subnets
+  db_subnets                     = module.vpc.database_subnets
   db_engine_version              = var.db_engine_version
   db_allow_major_version_upgrade = var.db_allow_major_version_upgrade
   db_auto_minor_version_upgrade  = var.db_auto_minor_version_upgrade
@@ -175,7 +165,7 @@ module "checkmarx-one" {
 
   # Elasticache Configuration
   ec_create                         = var.ec_create
-  ec_subnets                        = module.vpc.private_subnets
+  ec_subnets                        = module.vpc.database_subnets
   ec_enable_serverless              = var.ec_enable_serverless
   ec_serverless_max_storage         = var.ec_serverless_max_storage
   ec_serverless_max_ecpu_per_second = var.ec_serverless_max_ecpu_per_second
@@ -190,7 +180,7 @@ module "checkmarx-one" {
 
   # Elasticsearch Configuration
   es_create              = var.es_create
-  es_subnets             = module.vpc.private_subnets
+  es_subnets             = module.vpc.database_subnets
   es_instance_count      = var.es_instance_count
   es_instance_type       = var.es_instance_type
   es_volume_size         = var.es_volume_size
@@ -212,8 +202,9 @@ module "checkmarx-one-install" {
   admin_email                           = var.kots_admin_email
   admin_password                        = random_password.cxone_admin.result
   fqdn                                  = var.fqdn
-  acm_certificate_arn                   = module.acm.acm_certificate_arn
+  acm_certificate_arn                   = var.acm_certificate_arn != null ? var.acm_certificate_arn : module.acm[0].acm_certificate_arn
   bucket_suffix                         = module.checkmarx-one.s3_bucket_name_suffix
+  ms_replica_count                      = var.ms_replica_count
   object_storage_endpoint               = "s3.${data.aws_region.current.name}.amazonaws.com"
   object_storage_access_key             = var.object_storage_access_key
   object_storage_secret_key             = var.object_storage_secret_key
@@ -222,14 +213,25 @@ module "checkmarx-one-install" {
   postgres_user                         = module.checkmarx-one.db_master_username
   postgres_password                     = module.checkmarx-one.db_master_password
   redis_address                         = module.checkmarx-one.ec_endpoint
-  smtp_host                             = "email-smtp.${data.aws_region.current.name}.amazonaws.com"
+  smtp_host                             = var.smtp_host
   smtp_port                             = var.smtp_port
-  smtp_password                         = module.ses.ses_smtp_password
-  smtp_user                             = module.ses.user_name
-  smtp_from_sender                      = "noreply@${var.fqdn}"
+  smtp_password                         = var.smtp_password
+  smtp_user                             = var.smtp_user
+  smtp_from_sender                      = var.smtp_from_sender
   elasticsearch_host                    = module.checkmarx-one.es_endpoint
   elasticsearch_password                = random_password.elasticsearch.result
   cluster_autoscaler_iam_role_arn       = module.checkmarx-one.cluster_autoscaler_iam_role_arn
   load_balancer_controller_iam_role_arn = module.checkmarx-one.load_balancer_controller_iam_role_arn
   external_dns_iam_role_arn             = module.checkmarx-one.external_dns_iam_role_arn
+  karpenter_iam_role_arn                = module.checkmarx-one.karpenter_iam_role_arn
+  cluster_endpoint                      = module.checkmarx-one.cluster_endpoint
+  nodegroup_iam_role_name               = module.checkmarx-one.nodegroup_iam_role_name
+  availability_zones                    = module.vpc.azs
+  pod_eniconfig                         = module.vpc.ENIConfig
+  vpc_id                                = module.vpc.vpc_id
 }
+
+
+output "cxone1" {
+  value = module.checkmarx-one.eks
+}
\ No newline at end of file
diff --git a/examples/full/network.tf b/examples/full/network.tfignore
similarity index 97%
rename from examples/full/network.tf
rename to examples/full/network.tfignore
index 87673a0..b7fd5f0 100644
--- a/examples/full/network.tf
+++ b/examples/full/network.tfignore
@@ -30,7 +30,7 @@ module "vpc" {
   enable_dns_support   = true
 
   public_subnet_tags = {
-    "karpenter.sh/discovery"                     = "${var.deployment_id}"
+    # "karpenter.sh/discovery"                     = "${var.deployment_id}"
     "kubernetes.io/cluster/${var.deployment_id}" = "shared"
     "kubernetes.io/role/elb"                     = "1"
   }
diff --git a/examples/full/variables-cxone.tf b/examples/full/variables-cxone.tf
index 7173bae..ac304dd 100644
--- a/examples/full/variables-cxone.tf
+++ b/examples/full/variables-cxone.tf
@@ -58,6 +58,18 @@ variable "eks_create" {
 #   type        = list(string)
 # }
 
+variable "eks_enable_externalsnat" {
+  type        = bool
+  description = "Enables [External SNAT](https://docs.aws.amazon.com/eks/latest/userguide/external-snat.html) for the EKS VPC CNI. When true, the EKS pods must have a route to a NAT Gateway for outbound communication."
+  default     = false
+}
+
+variable "eks_enable_fargate" {
+  type        = bool
+  description = "Enables Fargate profiles for the karpenter and kube-system namespaces."
+  default     = false
+}
+
 variable "eks_create_cluster_autoscaler_irsa" {
   type        = bool
   description = "Enables creation of cluster autoscaler IAM role."
diff --git a/examples/full/variables-example.tf b/examples/full/variables-example.tf
index 40696fe..6bcbd8e 100644
--- a/examples/full/variables-example.tf
+++ b/examples/full/variables-example.tf
@@ -2,29 +2,6 @@
 #   Base Infrastructure Configuration - These variables are used by the example itself
 #******************************************************************************
 
-variable "vpc_cidr" {
-  type        = string
-  description = "The primary VPC CIDR block to create the VPC with."
-}
-
-variable "secondary_vpc_cidr" {
-  type        = string
-  description = "The secondary VPC CIDR block to associate with the VPC."
-  default     = null
-}
-
-variable "interface_vpc_endpoints" {
-  type        = list(string)
-  description = "A list of services that vpc endpoints are created for."
-  default     = ["ec2", "ec2messages", "ssm", "ssmmessages", "ecr.api", "ecr.dkr", "kms", "logs", "sts", "elasticloadbalancing", "autoscaling"]
-}
-
-variable "create_s3_endpoint" {
-  type        = bool
-  description = "Enables creation of the s3 gateway VPC interface endpoint."
-  default     = true
-}
-
 variable "route_53_hosted_zone_id" {
   type        = string
   description = "The hosted zone id for route 53 in which to create dns and certificates."
@@ -36,6 +13,17 @@ variable "fqdn" {
   description = "The fully qualified domain name that will be used for the Checkmarx One deployment"
 }
 
+variable "acm_certificate_arn" {
+  type        = string
+  description = "The ARN to the SSL certificate in AWS ACM to use for securing the load balancer"
+  default     = null
+}
+
+variable "ms_replica_count" {
+  type        = number
+  description = "The microservices replica count (e.g. a minimum)"
+  default     = 3
+}
 
 #******************************************************************************
 #   S3 Configuration
@@ -59,10 +47,10 @@ variable "object_storage_secret_key" {
 #******************************************************************************
 #   SMTP Configuration
 #******************************************************************************
-# variable "smtp_host" {
-#   description = "The hostname of the SMTP server."
-#   type        = string
-# }
+variable "smtp_host" {
+  description = "The hostname of the SMTP server."
+  type        = string
+}
 
 variable "smtp_port" {
   description = "The port of the SMTP server."
@@ -70,20 +58,20 @@ variable "smtp_port" {
   default     = 587
 }
 
-# variable "smtp_user" {
-#   description = "The smtp user name."
-#   type        = string
-# }
+variable "smtp_user" {
+  description = "The smtp user name."
+  type        = string
+}
 
-# variable "smtp_password" {
-#   description = "The smtp password."
-#   type        = string
-# }
+variable "smtp_password" {
+  description = "The smtp password."
+  type        = string
+}
 
-# variable "smtp_from_sender" {
-#   description = "The address to use in the from field when sending emails."
-#   type        = string
-# }
+variable "smtp_from_sender" {
+  description = "The address to use in the from field when sending emails."
+  type        = string
+}
 
 #******************************************************************************
 #   Kots & Installation Configuration
diff --git a/examples/full/variables-vpc.tf b/examples/full/variables-vpc.tf
new file mode 100644
index 0000000..5fea44c
--- /dev/null
+++ b/examples/full/variables-vpc.tf
@@ -0,0 +1,92 @@
+
+variable "primary_cidr_block" {
+  description = "The primary VPC CIDR block for the VPC. Must be at least a /19."
+  type        = string
+  nullable    = false
+}
+
+variable "secondary_cidr_block" {
+  description = "The secondary VPC CIDR block for the EKS Pod [Custom Networking](https://aws.github.io/aws-eks-best-practices/networking/custom-networking/) configuration. Must be at least a /18."
+  type        = string
+  default     = "100.64.0.0/18"
+  nullable    = false
+}
+
+variable "interface_vpc_endpoints" {
+  type        = list(string)
+  description = "A list of AWS services to create [VPC Private Endpoints](https://docs.aws.amazon.com/vpc/latest/privatelink/privatelink-access-aws-services.html) for. These endpoints are used for communication direct to AWS services without requiring connectivity and are useful for private EKS clusters."
+  default     = ["ec2", "ec2messages", "ssm", "ssmmessages", "ecr.api", "ecr.dkr", "kms", "logs", "sts", "elasticloadbalancing", "autoscaling"]
+}
+
+variable "create_interface_endpoints" {
+  type        = bool
+  description = "Enables creation of the [interface endpoints](https://docs.aws.amazon.com/vpc/latest/privatelink/privatelink-access-aws-services.html) specified in `interface_vpc_endpoints`"
+  default     = true
+}
+
+variable "create_s3_endpoint" {
+  type        = bool
+  description = "Enables creation of the [s3 gateway VPC endpoint](https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-endpoints-s3.html)"
+  default     = true
+}
+
+variable "enable_firewall" {
+  description = "Enables the use of the [AWS Network Firewall](https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html) to protect the private and pod subnets"
+  type        = bool
+  default     = true
+}
+
+variable "stateful_default_action" {
+  description = "The [default action](https://docs.aws.amazon.com/network-firewall/latest/developerguide/suricata-rule-evaluation-order.html#suricata-strict-rule-evaluation-order) for the AWS Network Firewall stateful rule group. Choose `aws:drop_established` or `aws:alert_established`"
+  type        = string
+  default     = "aws:drop_established"
+}
+
+variable "suricata_rules" {
+  description = "The [suricata rules](https://docs.aws.amazon.com/network-firewall/latest/developerguide/suricata-examples.html) to use for the AWS Network Firewall. When provided, this variable completely overrides the embedded rules. Use this to bring your own rules. If you only need to provide some additional rules in addition to the bundled rules, then use `additional_suricata_rules` instead of `suricata_rules`."
+  type        = string
+  default     = null
+}
+
+variable "include_sca_rules" {
+  description = "Enables inclusion of AWS Network Firewall rules used in SCA scanning. These rules may be overly permissive when not using SCA, so they are optional. These rules allow connectivity to various public package manager repositories like [Maven Central](https://mvnrepository.com/repos/central) and [npm](https://docs.npmjs.com/)."
+  type        = bool
+  default     = true
+}
+
+variable "additional_suricata_rules" {
+  description = "Additional [suricata rules](https://docs.aws.amazon.com/network-firewall/latest/developerguide/suricata-examples.html) rules to use in the network firewall. When provided these rules will be appended to the default rules prior to the default drop rule."
+  type        = string
+  default     = ""
+}
+
+variable "create_managed_rule_groups" {
+  type        = bool
+  description = "Enables creation of the AWS Network Firewall [managed rule groups](https://docs.aws.amazon.com/network-firewall/latest/developerguide/aws-managed-rule-groups-list.html) provided in `managed_rule_groups`"
+  default     = true
+}
+
+variable "managed_rule_groups" {
+  description = "The AWS Network Firewall [managed rule groups](https://docs.aws.amazon.com/network-firewall/latest/developerguide/aws-managed-rule-groups-list.html) to include in the firewall policy. Must be strict order groups. "
+  type        = list(string)
+  # ThreatSignaturesFUPStrictOrder and ThreatSignaturesPhishingStrictOrder are not included by default, as you can only have 20 stateful rule groups per FW policy.
+  default = ["AbusedLegitMalwareDomainsStrictOrder",
+    "MalwareDomainsStrictOrder",
+    "AbusedLegitBotNetCommandAndControlDomainsStrictOrder",
+    "BotNetCommandAndControlDomainsStrictOrder",
+    "ThreatSignaturesBotnetStrictOrder",
+    "ThreatSignaturesBotnetWebStrictOrder",
+    "ThreatSignaturesBotnetWindowsStrictOrder",
+    "ThreatSignaturesIOCStrictOrder",
+    "ThreatSignaturesDoSStrictOrder",
+    "ThreatSignaturesEmergingEventsStrictOrder",
+    "ThreatSignaturesExploitsStrictOrder",
+    "ThreatSignaturesMalwareStrictOrder",
+    "ThreatSignaturesMalwareCoinminingStrictOrder",
+    "ThreatSignaturesMalwareMobileStrictOrder",
+    "ThreatSignaturesMalwareWebStrictOrder",
+    "ThreatSignaturesScannersStrictOrder",
+    "ThreatSignaturesSuspectStrictOrder",
+    "ThreatSignaturesWebAttacksStrictOrder"
+  ]
+}
diff --git a/modules/cxone-install/apply-storageclass-config.sh.tftpl b/modules/cxone-install/apply-storageclass-config.sh.tftpl
new file mode 100644
index 0000000..456f669
--- /dev/null
+++ b/modules/cxone-install/apply-storageclass-config.sh.tftpl
@@ -0,0 +1,20 @@
+
+# Remove gp2 as the default storage class
+kubectl patch storageclass gp2 -p '{"metadata":{"annotations":{"storageclass.kubernetes.io/is-default-class":"false"}}}'
+
+# Add gp3 as the default storage class
+cat <<EOF | kubectl apply -f -
+  allowVolumeExpansion: true
+  apiVersion: storage.k8s.io/v1
+  kind: StorageClass
+  metadata:
+    annotations:
+      storageclass.kubernetes.io/is-default-class: "true"
+    name: gp3
+  parameters:
+    fstype: xfs
+    type: gp3
+  provisioner: ebs.csi.aws.com
+  reclaimPolicy: Delete
+  volumeBindingMode: WaitForFirstConsumer
+EOF
\ No newline at end of file
diff --git a/modules/cxone-install/karpenter.reference.yaml.tftpl b/modules/cxone-install/karpenter.reference.yaml.tftpl
new file mode 100644
index 0000000..63fa3cd
--- /dev/null
+++ b/modules/cxone-install/karpenter.reference.yaml.tftpl
@@ -0,0 +1,165 @@
+# This karpenter creates the following configuration:
+# EC2NodeClass "default" - a general purpose EC2NodeClass for all NodePools to use.
+# NodePool "default" - a general on-demand nodepool with the default EC2NodeClass. Consolidates WhenUnderutilized.
+# NodePool "spottable" - a general spot nodepool with the default EC2NodeClass. Used for CheckmarxOne services that easily tolerate spot interruptions. Consolidates WhenUnderutilized.
+# NodePool "sast" - a compute prioiritized nodepool with the default EC2NodeClass. On-demand, and compute instance family optimized for producing faster SAST scans. Consolidates WhenEmpty.
+---
+apiVersion: karpenter.k8s.aws/v1beta1
+kind: EC2NodeClass
+metadata:
+  name: default
+spec:
+  amiFamily: AL2 # Amazon Linux 2
+  role: ${nodegroup_iam_role_name}
+  metadataOptions:
+    httpEndpoint: enabled
+    httpPutResponseHopLimit: 2
+    httpTokens: required
+  blockDeviceMappings:
+  - deviceName: /dev/xvda
+    ebs:
+      deleteOnTermination: true
+      encrypted: true
+      volumeSize: 200Gi
+      volumeType: gp3
+  subnetSelectorTerms:
+    - tags:
+        karpenter.sh/discovery: ${deployment_id}
+  securityGroupSelectorTerms:
+    - tags:
+        karpenter.sh/discovery: ${deployment_id}
+  tags:
+    karpenter.sh/discovery: ${deployment_id}
+  userData: |
+    #!/bin/bash
+    echo "Hello, world!"
+---
+apiVersion: karpenter.sh/v1beta1
+kind: NodePool
+metadata:
+  name: default
+spec:
+  template:
+    metadata:
+      labels:
+        ast-app: "true"
+        sca: "true"
+        dast: "true"
+        kics-engine: "true"
+        minio-gateway: "true"
+        service: "sca-source-resolver"
+    spec:
+      requirements:
+        - key: kubernetes.io/arch
+          operator: In
+          values: ["amd64"]
+        - key: kubernetes.io/os
+          operator: In
+          values: ["linux"]
+        - key: karpenter.sh/capacity-type
+          operator: In
+          values: ["on-demand"]
+        - key: karpenter.k8s.aws/instance-category
+          operator: NotIn
+          values: ["t"]
+        - key: karpenter.k8s.aws/instance-cpu	
+          operator: Gt
+          values: ["3"]
+        - key: karpenter.k8s.aws/instance-memory	
+          operator: Gt
+          values: ["7"]      
+        - key: karpenter.k8s.aws/instance-hypervisor
+          operator: In
+          values: ["nitro"]
+        - key: "topology.kubernetes.io/zone"
+          operator: In
+          values: ${availability_zones}
+      nodeClassRef:
+        name: default
+  limits:
+    cpu: 1000
+  disruption:
+    consolidationPolicy: WhenUnderutilized
+---
+apiVersion: karpenter.sh/v1beta1
+kind: NodePool
+metadata:
+  name: spottable
+spec:
+  template:
+    metadata:
+      labels:
+        infra-tools: "true"
+        reports: "true"
+        repostore: "true"
+        sast-rm: "true"
+    spec:
+      requirements:
+        - key: kubernetes.io/arch
+          operator: In
+          values: ["amd64"]
+        - key: kubernetes.io/os
+          operator: In
+          values: ["linux"]
+        - key: karpenter.sh/capacity-type
+          operator: In
+          values: ["spot", "on-demand"]
+        - key: karpenter.k8s.aws/instance-category
+          operator: NotIn
+          values: ["t"]
+        - key: karpenter.k8s.aws/instance-hypervisor
+          operator: In
+          values: ["nitro"]
+        - key: "topology.kubernetes.io/zone"
+          operator: In
+          values: ${availability_zones}
+      nodeClassRef:
+        name: default
+  limits:
+    cpu: 1000
+  disruption:
+    consolidationPolicy: WhenUnderutilized
+---
+apiVersion: karpenter.sh/v1beta1
+kind: NodePool
+metadata:
+  name: sast
+spec:
+  template:
+    metadata:
+      labels:
+        sast-engines: "true"
+        sast-engine-medium: "true"
+        sast-engine-large: "true"
+        sast-engine-extra-large: "true"
+        sast-engine-xxl: "true"
+    spec:
+      requirements:
+        - key: kubernetes.io/arch
+          operator: In
+          values: ["amd64"]
+        - key: kubernetes.io/os
+          operator: In
+          values: ["linux"]
+        - key: karpenter.sh/capacity-type
+          operator: In
+          values: ["on-demand"]
+        - key: karpenter.k8s.aws/instance-family
+          operator: In
+          values: ["c5", "c5d", "c5n", "c6i", "c6id", "c6in", "c7a", "c7i", "m5zn", "z1d", "x2iezn", "r7iz"]
+        - key: karpenter.k8s.aws/instance-cpu	
+          operator: Gt
+          values: ["7"]
+        - key: karpenter.k8s.aws/instance-hypervisor
+          operator: In
+          values: ["nitro"]
+        - key: "topology.kubernetes.io/zone"
+          operator: In
+          values: ${availability_zones}
+      nodeClassRef:
+        name: default
+  limits:
+    cpu: 1000
+  disruption:
+    consolidationPolicy: WhenEmpty
+    consolidateAfter: 30s    
diff --git a/modules/cxone-install/kots.config.aws.reference.yaml.tftpl b/modules/cxone-install/kots.config.aws.reference.yaml.tftpl
index d4af69e..313ce90 100644
--- a/modules/cxone-install/kots.config.aws.reference.yaml.tftpl
+++ b/modules/cxone-install/kots.config.aws.reference.yaml.tftpl
@@ -18,7 +18,7 @@ spec:
       value: ${admin_username}
     # default_admin_password must be > 14 characters in length.
     default_admin_password:
-      value: ${admin_password}
+      value: "${admin_password}"
 
     # Enable DAST component. 
     # bool - Valid values are "0" (false) and "1" true 
@@ -92,7 +92,7 @@ spec:
     sca_global_inventory_elasticsearch_username:
       value: ast
     sca_global_inventory_elasticsearch_password:
-      value: ${elasticsearch_password}
+      value: "${elasticsearch_password}"
 
     #--------------------------------------------------------------------------
     # S3 Bucket Names
@@ -169,9 +169,9 @@ spec:
     # so that the credentials can be configured here. The user must have access to 
     # the s3 buckets for Checkmarx One.
     object_storage_access_key:
-      value: ${object_storage_access_key}
+      value: "${object_storage_access_key}"
     object_storage_secret_key:
-      value: ${object_storage_secret_key}
+      value: "${object_storage_secret_key}"
 
     # Configures secure connections to s3. Can be "1" (true/enabled) or "0" (false/disabled)
     # Recommended: "1"
@@ -205,7 +205,7 @@ spec:
 
     # The password for the external_postgres_user.
     external_postgres_password:
-      value: ${postgres_password}
+      value: "${postgres_password}"
     
     # The name of the CxOne database. By convention, ast.
     external_postgres_db:
@@ -234,7 +234,7 @@ spec:
     analytics_postgres_user:
       value: <enter user name>    
     analytics_postgres_password:
-      value: <enter password>
+      value: "<enter password>"
     # Can be either analytics_postgres_sslmode_require or analytics_postgres_sslmode_allow
     analytics_postgres_sslmode_value:
       value: analytics_postgres_sslmode_require
@@ -305,7 +305,7 @@ spec:
     smtp_user:
       value: ${smtp_user}
     smtp_password:
-      value: ${smtp_password}
+      value: "${smtp_password}"
 
     
     #--------------------------------------------------------------------------
diff --git a/modules/cxone-install/main.tf b/modules/cxone-install/main.tf
index 70673f0..4500261 100644
--- a/modules/cxone-install/main.tf
+++ b/modules/cxone-install/main.tf
@@ -50,7 +50,7 @@ resource "local_file" "kots_config" {
 
 
 resource "local_file" "makefile" {
-  content = templatefile("${path.module}/makefile.tftpl", {
+  content = templatefile("${path.module}/Makefile.tftpl", {
     tf_deployment_id                      = var.deployment_id
     tf_deploy_region                      = var.region
     tf_eks_cluster_name                   = var.deployment_id
@@ -68,9 +68,36 @@ resource "local_file" "makefile" {
     app_version                           = var.cxone_version
     cluster_autoscaler_iam_role_arn       = var.cluster_autoscaler_iam_role_arn
     load_balancer_controller_iam_role_arn = var.load_balancer_controller_iam_role_arn
+    external_dns_iam_role_arn             = var.external_dns_iam_role_arn
+    karpenter_iam_role_arn                = var.karpenter_iam_role_arn
+    cluster_endpoint                      = var.cluster_endpoint
+    vpc_id                                = var.vpc_id
+  })
+  filename = "Makefile"
+}
 
+resource "local_file" "karpenter" {
+  content = templatefile("${path.module}/karpenter.reference.yaml.tftpl", {
+    deployment_id           = var.deployment_id
+    nodegroup_iam_role_name = var.nodegroup_iam_role_name
+    availability_zones      = jsonencode(var.availability_zones)
 
   })
-  filename = "makefile"
+  filename = "karpenter.${var.deployment_id}.yaml"
 }
 
+resource "local_file" "storage_class" {
+  content = templatefile("${path.module}/apply-storageclass-config.sh.tftpl", {
+    deployment_id           = var.deployment_id
+    nodegroup_iam_role_name = var.nodegroup_iam_role_name
+    availability_zones      = jsonencode(var.availability_zones)
+    karpenter_iam_role_arn  = var.karpenter_iam_role_arn
+
+  })
+  filename = "apply-storageclass-config.${var.deployment_id}.sh"
+}
+
+resource "local_file" "ENIConfig" {
+  content  = var.pod_eniconfig
+  filename = "custom-networking-config.${var.deployment_id}.yaml"
+}
diff --git a/modules/cxone-install/makefile.tftpl b/modules/cxone-install/makefile.tftpl
index b06c361..2b25302 100644
--- a/modules/cxone-install/makefile.tftpl
+++ b/modules/cxone-install/makefile.tftpl
@@ -8,6 +8,7 @@ KOTS_PASSWORD = ${tf_kots_password}
 NAMESPACE = ${tf_namespace}
 LICENSE_FILE = ${tf_license_file}
 KOTS_CONFIG_FILE = ${tf_kots_config_file}
+TOTP = 123
 
 .PHONY: update-kubeconfig
 update-kubeconfig:
@@ -17,9 +18,9 @@ update-kubeconfig:
 kots-install:
 	kubectl kots install ast/$${RELEASE_CHANNEL} -n $${NAMESPACE} --license-file $${LICENSE_FILE} --shared-password $${KOTS_PASSWORD} --config-values $${KOTS_CONFIG_FILE} --app-version-label $${CXONE_VERSION}
 
-.PHONY: kots-set-config
-kots-set-config:
-	kubectl kots set config ast -n $${NAMESPACE} --config-file $${KOTS_CONFIG_FILE} --deploy
+#.PHONY: kots-set-config
+#kots-set-config:
+#	kubectl kots set config ast -n $${NAMESPACE} --config-file $${KOTS_CONFIG_FILE} --deploy
 
 .PHONY: kots-get-config
 kots-get-config:
@@ -51,6 +52,21 @@ install-cluster-autoscaler:
 uninstall-cluster-autoscaler:
 	helm uninstall cluster-autoscaler -n kube-system
 
+.PHONY: install-external-dns
+install-external-dns:
+	helm repo add external-dns https://kubernetes-sigs.github.io/external-dns/; \
+	helm upgrade --install external-dns external-dns/external-dns \
+	-n kube-system \
+	--version 1.11.0 \
+	--set serviceAccount.create=true \
+	--set serviceAccount.name=external-dns \
+	--set serviceAccount.annotations."eks\.amazonaws\.com/role-arn"="${external_dns_iam_role_arn}"
+
+.PHONY: uninstall-external-dns
+uninstall-external-dns:
+	helm uninstall external-dns -n kube-system
+
+
 .PHONY: install-load-balancer-controller
 install-load-balancer-controller:
 	helm repo add eks https://aws.github.io/eks-charts; \
@@ -58,11 +74,12 @@ install-load-balancer-controller:
 	helm install aws-load-balancer-controller eks/aws-load-balancer-controller \
 	--version 1.7.1 \
 	-n kube-system \
-	--set region=$${DEPLOY_REGION}} \
+	--set vpcId=${vpc_id} \
+	--set region=$${DEPLOY_REGION} \
 	--set serviceAccount.create=true \
 	--set serviceAccount.name=aws-load-balancer-controller \
 	--set serviceAccount.annotations."eks\.amazonaws\.com/role-arn"="${load_balancer_controller_iam_role_arn}" \
-	--set clusterName=$${EKS_CLUSTER_NAME}} \
+	--set clusterName=$${EKS_CLUSTER_NAME} \
 	--set enableShield=false \
 	--set enableWaf=false \
 	--set enableWaafv2=false
@@ -72,8 +89,44 @@ install-load-balancer-controller:
 uninstall-load-balancer-controller:
 	helm uninstall aws-load-balancer-controller -n kube-system
 
+.PHONY: install-karpenter
+install-karpenter:
+	helm install karpenter oci://public.ecr.aws/karpenter/karpenter \
+	--version 0.36.0 \
+	-n kube-system \
+	--create-namespace \
+	--set serviceAccount.create=true \
+	--set serviceAccount.name=karpenter \
+	--set serviceAccount.annotations."eks\.amazonaws\.com/role-arn"="${karpenter_iam_role_arn}" \
+	--set settings.clusterName=$${EKS_CLUSTER_NAME} \
+	--set settings.clusterEndpoint=${cluster_endpoint} \
+	--set settings.featureGates.spotToSpotConsolidation=true \
+	--set settings.interruptionQueue=$${EKS_CLUSTER_NAME}-node-termination-handler \
+	--set controller.resources.requests.cpu=1 \
+	--set controller.resources.requests.memory=1Gi \
+	--set controller.resources.limits.cpu=1 \
+	--set controller.resources.limits.memory=1Gi
+	kubectl apply -f karpenter.$${DEPLOYMENT_ID}.yaml 
+
+.PHONY: uninstall-karpenter
+uninstall-karpenter:
+	helm uninstall karpenter -n kube-system
+
+.PHONY: view-firewall-logs
+view-firewall-logs:
+	aws logs filter-log-events --start-time 1713475743 --log-group-name /aws/vendedlogs/$${DEPLOYMENT_ID}-aws-nfw-alert | jq -r ' .events[].message' |  jq ' (.event.timestamp + " " + .event.alert.action + ": " + .event.src_ip + ":" + (.event.src_port|tostring) + " -> " + .event.proto + "/" + .event.app_proto + " "  + .event.dest_ip + ":" + (.event.dest_port|tostring) + " " + .event.tls.sni + .event.http.hostname) + " " + .event.http.http_user_agent + " " + .event.http.http_method + " " + .event.http.url'
+
+
+.PHONY: apply-storageclass-config
+apply-storageclass-config:
+	./apply-storageclass-config.$${DEPLOYMENT_ID}.sh
+
 .PHONY: clean-kots
 clean-kots:
 	kubectl delete deployment kotsadm -n $${NAMESPACE}
 	kubectl delete statefulset kotsadm-minio -n $${NAMESPACE}
 	kubectl delete statefulset kotsadm-rqlite -n $${NAMESPACE}
+
+.PHONY: totp
+totp:
+	echo "${TOTP}" | totp-cli instant
diff --git a/modules/cxone-install/variables.tf b/modules/cxone-install/variables.tf
index 4dd233c..5234afc 100644
--- a/modules/cxone-install/variables.tf
+++ b/modules/cxone-install/variables.tf
@@ -33,6 +33,11 @@ variable "deployment_id" {
   }
 }
 
+variable "vpc_id" {
+  description = "The VPC Id Checkmarx One is deployed into."
+  type        = string
+}
+
 variable "bucket_suffix" {
   description = "The id of the deployment. Will be used to name resources like EKS cluster, etc."
   type        = string
@@ -84,6 +89,32 @@ variable "load_balancer_controller_iam_role_arn" {
   nullable = true
 }
 
+variable "karpenter_iam_role_arn" {
+  type     = string
+  nullable = true
+}
+
+variable "cluster_endpoint" {
+  type     = string
+  nullable = true
+}
+
+variable "nodegroup_iam_role_name" {
+  type     = string
+  nullable = true
+}
+
+variable "availability_zones" {
+  type     = list(string)
+  nullable = false
+}
+
+variable "pod_eniconfig" {
+  description = "The ENIConfigs for EKS custom networking configuration."
+  type        = string
+  nullable    = true
+}
+
 #******************************************************************************
 #   S3 Access Configuration
 #******************************************************************************
diff --git a/modules/inspection-vpc/firewall-rules.tf b/modules/inspection-vpc/firewall-rules.tf
index d6429fe..f988bee 100644
--- a/modules/inspection-vpc/firewall-rules.tf
+++ b/modules/inspection-vpc/firewall-rules.tf
@@ -141,6 +141,9 @@ pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"eu.api-sca.checkm
 pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"uploads.sca.checkmarx.net"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240420060; rev:1;)
 # Scan results buckets are used for SCA scan result syncing, and vary by the connected SCA region (e.g. NA, or EU)
 pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"microservice-scanresults-prod-storage-1an26shc41yi3.s3.amazonaws.com"; startswith; nocase; endswith; msg:"SCA NA region result sync bucket"; flow:to_server, established; sid:240420061; rev:1;)
+pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"api.stagecodebashing.com"; startswith; nocase; endswith; msg:"SCA NA region result sync bucket"; flow:to_server, established; sid:240422001; rev:1;)
+
+
 
 # These URLs are randomly generated, and used to discover the correct s3 API signature version to use when communicating with S3 buckets.
 # They take two forms, where the long alphanumeric string is randomly generated. The buckets do not exist, but allow minio client
@@ -155,8 +158,8 @@ ${local.sca_scanning_rules}
 ${var.additional_suricata_rules}
 
 # Drop other traffic
-drop tls $HOME_NET any -> $EXTERNAL_NET any (msg:"not matching any TLS allowlisted FQDNs"; flow:to_server, established; sid:3; rev:1;)
-reject tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"blocked uknown tcp"; flow:to_server, established; sid:4; rev:1;)
+#drop tls $HOME_NET any -> $EXTERNAL_NET any (msg:"not matching any TLS allowlisted FQDNs"; flow:to_server, established; sid:3; rev:1;)
+#reject tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"blocked uknown tcp"; flow:to_server, established; sid:4; rev:1;)
 
 EOF
 }
diff --git a/modules/inspection-vpc/firewall.tf b/modules/inspection-vpc/firewall.tf
index 7284212..c9511ae 100644
--- a/modules/inspection-vpc/firewall.tf
+++ b/modules/inspection-vpc/firewall.tf
@@ -64,15 +64,18 @@ resource "aws_networkfirewall_firewall_policy" "main" {
   }
 }
 
+
+# Reference the policy document length of 5120 characters described at https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/AWS-logs-and-resource-policy.html#AWS-logs-infrastructure-CWL
+# and explains the solution of using /aws/vendedlogs prefix in log group names.
 resource "aws_cloudwatch_log_group" "aws_nfw_alert" {
   count             = var.enable_firewall ? 1 : 0
-  name              = "${var.deployment_id}-aws-nfw-alert"
+  name              = "/aws/vendedlogs/${var.deployment_id}-aws-nfw-alert"
   retention_in_days = 14
 }
 
 resource "aws_cloudwatch_log_group" "aws_nfw_flow" {
   count             = var.enable_firewall ? 1 : 0
-  name              = "${var.deployment_id}-aws-nfw-flow"
+  name              = "/aws/vendedlogs/${var.deployment_id}-aws-nfw-flow"
   retention_in_days = 14
 }
 
diff --git a/modules/inspection-vpc/main.tf b/modules/inspection-vpc/main.tf
index 2ef0da7..67d92d5 100644
--- a/modules/inspection-vpc/main.tf
+++ b/modules/inspection-vpc/main.tf
@@ -105,6 +105,7 @@ resource "aws_subnet" "pod" {
   tags = {
     Name                                         = "${var.deployment_id} - pod subnet ${each.key}"
     "kubernetes.io/cluster/${var.deployment_id}" = "shared"
+    "kubernetes.io/role/cni"                     = "1"
   }
   depends_on = [aws_vpc_ipv4_cidr_block_association.secondary_cidr_block]
 }
@@ -161,6 +162,7 @@ resource "aws_route_table" "public" {
       vpc_endpoint_id = [for ss in aws_networkfirewall_firewall.main[0].firewall_status[0].sync_states : ss.attachment[0].endpoint_id][0]
     }
   }
+  depends_on = [aws_networkfirewall_firewall.main]
 }
 
 resource "aws_route_table_association" "public" {
@@ -196,6 +198,17 @@ resource "aws_route_table" "private" {
     vpc_endpoint_id = var.enable_firewall ? [for ss in aws_networkfirewall_firewall.main[0].firewall_status[0].sync_states : ss.attachment[0].endpoint_id][0] : null
     nat_gateway_id  = var.enable_firewall ? null : aws_nat_gateway.public.id
   }
+
+  dynamic "route" {
+    # Route the traffic to public subnet, such as traffic from the load balancer, back through the firewall when firewall is enabled to preserve symetric routing.
+    for_each = var.enable_firewall ? ["apply"] : []
+    content {
+      cidr_block      = local.public_subnet_cidr
+      vpc_endpoint_id = [for ss in aws_networkfirewall_firewall.main[0].firewall_status[0].sync_states : ss.attachment[0].endpoint_id][0]
+    }
+  }
+
+  depends_on = [aws_networkfirewall_firewall.main]
 }
 
 resource "aws_route_table_association" "private" {
diff --git a/modules/inspection-vpc/outputs.tf b/modules/inspection-vpc/outputs.tf
index 3589fd6..9d7827b 100644
--- a/modules/inspection-vpc/outputs.tf
+++ b/modules/inspection-vpc/outputs.tf
@@ -45,3 +45,17 @@ output "azs" {
   description = "The Availability Zones deployed into"
   value       = local.azs
 }
+
+output "ENIConfig" {
+  description = "List of map of pod subnets including `subnet_id` and `availability_zone`. Useful for creating ENIConfigs for [EKS Custom Networking](https://docs.aws.amazon.com/eks/latest/userguide/cni-custom-network.html)."
+  value = join("", [for s in aws_subnet.pod : <<EOF
+---
+apiVersion: crd.k8s.amazonaws.com/v1alpha1
+kind: ENIConfig
+metadata:
+  name: ${s.availability_zone}
+spec:
+  subnet: ${s.id}
+EOF
+  ])
+}
\ No newline at end of file
diff --git a/results.json b/results.json
deleted file mode 100755
index 45e975c..0000000
--- a/results.json
+++ /dev/null
@@ -1,888 +0,0 @@
-{
-	"kics_version": "v1.7.12",
-	"files_scanned": 14,
-	"lines_scanned": 2711,
-	"files_parsed": 14,
-	"lines_parsed": 2556,
-	"lines_ignored": 155,
-	"files_failed_to_scan": 0,
-	"queries_total": 1045,
-	"queries_failed_to_execute": 0,
-	"queries_failed_to_compute_similarity_id": 0,
-	"scan_id": "console",
-	"severity_counters": {
-		"HIGH": 9,
-		"INFO": 37,
-		"LOW": 1,
-		"MEDIUM": 6,
-		"TRACE": 0
-	},
-	"total_counter": 53,
-	"total_bom_resources": 0,
-	"start": "2024-04-10T18:37:51.097466179Z",
-	"end": "2024-04-10T18:38:06.898299422Z",
-	"paths": [
-		"/path"
-	],
-	"queries": [
-		{
-			"query_name": "KMS Key With Full Permissions",
-			"query_id": "7ebc9038-0bde-479a-acc4-6ed7b6758899",
-			"query_url": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key",
-			"severity": "HIGH",
-			"platform": "Terraform",
-			"cloud_provider": "AWS",
-			"category": "Insecure Configurations",
-			"experimental": false,
-			"description": "The KMS key has a policy that is too permissive, as it provides the AWS account owner with access to all AWS KMS operations, therefore violating the principle of least privilege.",
-			"description_id": "32b2985e",
-			"files": [
-				{
-					"file_name": "../../path/full/main.tf",
-					"similarity_id": "24563abbc0ccbf54e3d2a6c1a94f780e558565352f320c08bfd5dfcf82328584",
-					"line": 9,
-					"resource_type": "aws_kms_key",
-					"resource_name": "cxone-dev",
-					"issue_type": "MissingAttribute",
-					"search_key": "aws_kms_key[main]",
-					"search_line": 9,
-					"search_value": "",
-					"expected_value": "aws_kms_key[main].policy should be defined and not null",
-					"actual_value": "aws_kms_key[main].policy is undefined or null"
-				}
-			]
-		},
-		{
-			"query_name": "Passwords And Secrets - Generic Password",
-			"query_id": "487f4be7-3fd9-4506-a07a-eae252180c08",
-			"query_url": "https://docs.kics.io/latest/secrets/",
-			"severity": "HIGH",
-			"platform": "Common",
-			"cloud_provider": "COMMON",
-			"category": "Secret Management",
-			"experimental": false,
-			"description": "Query to find passwords and secrets in infrastructure code.",
-			"description_id": "d69d8a89",
-			"files": [
-				{
-					"file_name": "../../path/full/main.tf",
-					"similarity_id": "f72fc3379d6ab1eb14b8a2ea58092ec97ca065a04714ce8b1538abdf4a4edb74",
-					"line": 166,
-					"issue_type": "RedundantAttribute",
-					"search_key": "",
-					"search_line": 0,
-					"search_value": "",
-					"expected_value": "Hardcoded secret key should not appear in source",
-					"actual_value": "Hardcoded secret key appears in source"
-				},
-				{
-					"file_name": "../../path/full/main.tf",
-					"similarity_id": "f4e7a29c3cb6a695bf842566485d7480dd132f1a2d72f2699fa1ed6213d0be90",
-					"line": 213,
-					"issue_type": "RedundantAttribute",
-					"search_key": "",
-					"search_line": 0,
-					"search_value": "",
-					"expected_value": "Hardcoded secret key should not appear in source",
-					"actual_value": "Hardcoded secret key appears in source"
-				},
-				{
-					"file_name": "../../path/full/main.tf",
-					"similarity_id": "1c6cd41f6679b87d47909406eedb016c333cebaabd9bd76239264470e1dc2a24",
-					"line": 231,
-					"issue_type": "RedundantAttribute",
-					"search_key": "",
-					"search_line": 0,
-					"search_value": "",
-					"expected_value": "Hardcoded secret key should not appear in source",
-					"actual_value": "Hardcoded secret key appears in source"
-				},
-				{
-					"file_name": "../../path/full/main.tf",
-					"similarity_id": "af1d7239f08ff9764c814454a6e1c0e5953979e4ab0af6d1ce3c0264330e866f",
-					"line": 198,
-					"issue_type": "RedundantAttribute",
-					"search_key": "",
-					"search_line": 0,
-					"search_value": "",
-					"expected_value": "Hardcoded secret key should not appear in source",
-					"actual_value": "Hardcoded secret key appears in source"
-				},
-				{
-					"file_name": "../../path/full/main.tf",
-					"similarity_id": "a0c1f4c1da029b30853880613f78c038488ab0e95fb7086ddd055231569abf0f",
-					"line": 227,
-					"issue_type": "RedundantAttribute",
-					"search_key": "",
-					"search_line": 0,
-					"search_value": "",
-					"expected_value": "Hardcoded secret key should not appear in source",
-					"actual_value": "Hardcoded secret key appears in source"
-				},
-				{
-					"file_name": "../../path/full/main.tf",
-					"similarity_id": "3d10a469f9f54ea12c6088f6054886344a262cd96a84482d012fdb438cdf80b6",
-					"line": 223,
-					"issue_type": "RedundantAttribute",
-					"search_key": "",
-					"search_line": 0,
-					"search_value": "",
-					"expected_value": "Hardcoded secret key should not appear in source",
-					"actual_value": "Hardcoded secret key appears in source"
-				},
-				{
-					"file_name": "../../path/full/main.tf",
-					"similarity_id": "b02ac5290ad70577904a3c92910c07d9e70c1f58d2d309bb693f5c8f7d74cd50",
-					"line": 208,
-					"issue_type": "RedundantAttribute",
-					"search_key": "",
-					"search_line": 0,
-					"search_value": "",
-					"expected_value": "Hardcoded secret key should not appear in source",
-					"actual_value": "Hardcoded secret key appears in source"
-				},
-				{
-					"file_name": "../../path/rds.tf",
-					"similarity_id": "710e483069101cb9adafb79af914fd20620a93d3fa6895f4aa9ac3c2755af93b",
-					"line": 84,
-					"issue_type": "RedundantAttribute",
-					"search_key": "",
-					"search_line": 0,
-					"search_value": "",
-					"expected_value": "Hardcoded secret key should not appear in source",
-					"actual_value": "Hardcoded secret key appears in source"
-				}
-			]
-		},
-		{
-			"query_name": "ElastiCache Replication Group Not Encrypted At Transit",
-			"query_id": "1afbb3fa-cf6c-4a3d-b730-95e9f4df343e",
-			"query_url": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticache_replication_group#transit_encryption_enabled",
-			"severity": "MEDIUM",
-			"platform": "Terraform",
-			"cloud_provider": "AWS",
-			"category": "Encryption",
-			"experimental": false,
-			"description": "ElastiCache Replication Group encryption should be enabled at Transit",
-			"description_id": "40f92e86",
-			"files": [
-				{
-					"file_name": "../../path/elasticache.tf",
-					"similarity_id": "80be5892407ff8df4998788d889d0d02f0e35e26583382f8cae62bf63a3143ac",
-					"line": 50,
-					"resource_type": "aws_elasticache_replication_group",
-					"resource_name": "redis",
-					"issue_type": "IncorrectValue",
-					"search_key": "aws_elasticache_replication_group[redis].transit_encryption_enabled",
-					"search_line": -1,
-					"search_value": "",
-					"expected_value": "The attribute 'transit_encryption_enabled' should be set to true",
-					"actual_value": "The attribute 'transit_encryption_enabled' is not set to true"
-				}
-			]
-		},
-		{
-			"query_name": "ElasticSearch Encryption With KMS Disabled",
-			"query_id": "7af2f4a3-00d9-47f3-8d15-ca0888f4e5b2",
-			"query_url": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticsearch_domain",
-			"severity": "MEDIUM",
-			"platform": "Terraform",
-			"cloud_provider": "AWS",
-			"category": "Encryption",
-			"experimental": false,
-			"description": "Check if any ElasticSearch domain isn't encrypted with KMS.",
-			"description_id": "65a94cf1",
-			"files": [
-				{
-					"file_name": "../../path/opensearch.tf",
-					"similarity_id": "400893e3688477239e56b0b97d921f89c98dc3d82ab9be2d83b1ca65e80a265b",
-					"line": 37,
-					"resource_type": "aws_elasticsearch_domain",
-					"resource_name": "es",
-					"issue_type": "MissingAttribute",
-					"search_key": "aws_elasticsearch_domain[es].encrypt_at_rest",
-					"search_line": -1,
-					"search_value": "",
-					"expected_value": "'aws_elasticsearch_domain[es].encrypt_at_rest.kms_key_id' should be set with encryption at rest",
-					"actual_value": "'aws_elasticsearch_domain[es].encrypt_at_rest.kms_key_id' is undefined"
-				}
-			]
-		},
-		{
-			"query_name": "Elasticsearch Log Disabled",
-			"query_id": "acb6b4e2-a086-4f35-aefd-4db6ea51ada2",
-			"query_url": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticsearch_domain#log_publishing_options",
-			"severity": "MEDIUM",
-			"platform": "Terraform",
-			"cloud_provider": "AWS",
-			"category": "Observability",
-			"experimental": false,
-			"description": "AWS Elasticsearch should have logs enabled",
-			"description_id": "e0526e1b",
-			"files": [
-				{
-					"file_name": "../../path/opensearch.tf",
-					"similarity_id": "faa666b9eb2884f25404b4475fff936a9b7fdf4108ff41332daac2bfb511fb3a",
-					"line": 3,
-					"resource_type": "aws_elasticsearch_domain",
-					"resource_name": "es",
-					"issue_type": "MissingAttribute",
-					"search_key": "aws_elasticsearch_domain[{{es}}]",
-					"search_line": 3,
-					"search_value": "",
-					"expected_value": "'log_publishing_options' should be defined and not null",
-					"actual_value": "'log_publishing_options' is undefined or null",
-					"remediation": "log_publishing_options {\n\t\t enabled = true \n\t}",
-					"remediation_type": "addition"
-				}
-			]
-		},
-		{
-			"query_name": "Elasticsearch Without IAM Authentication",
-			"query_id": "e7530c3c-b7cf-4149-8db9-d037a0b5268e",
-			"query_url": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticsearch_domain",
-			"severity": "MEDIUM",
-			"platform": "Terraform",
-			"cloud_provider": "AWS",
-			"category": "Access Control",
-			"experimental": false,
-			"description": "AWS Elasticsearch should ensure IAM Authentication",
-			"description_id": "7677c71c",
-			"files": [
-				{
-					"file_name": "../../path/opensearch.tf",
-					"similarity_id": "67b06554cd2a0bfcccd65a6cf90797622c1d8de16e025bd32ed96feb6d39c664",
-					"line": 3,
-					"resource_type": "aws_elasticsearch_domain",
-					"resource_name": "es",
-					"issue_type": "MissingAttribute",
-					"search_key": "aws_elasticsearch_domain[es]",
-					"search_line": 3,
-					"search_value": "",
-					"expected_value": "Elasticsearch Domain has a policy associated",
-					"actual_value": "Elasticsearch Domain does not have a policy associated"
-				}
-			]
-		},
-		{
-			"query_name": "S3 Bucket Logging Disabled",
-			"query_id": "f861041c-8c9f-4156-acfc-5e6e524f5884",
-			"query_url": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket",
-			"severity": "MEDIUM",
-			"platform": "Terraform",
-			"cloud_provider": "AWS",
-			"category": "Observability",
-			"experimental": false,
-			"description": "Server Access Logging should be enabled on S3 Buckets so that all changes are logged and trackable",
-			"description_id": "fa5c7c72",
-			"files": [
-				{
-					"file_name": "../../path/s3.tf",
-					"similarity_id": "d9466bc8bd21a969cee6fa4ed571a05fcfa26b85065769a2cc3903103b7e9195",
-					"line": 103,
-					"resource_type": "n/a",
-					"resource_name": "n/a",
-					"issue_type": "MissingAttribute",
-					"search_key": "module[s3_bucket]",
-					"search_line": 103,
-					"search_value": "",
-					"expected_value": "'logging' should be defined and not null",
-					"actual_value": "'logging' is undefined or null"
-				}
-			]
-		},
-		{
-			"query_name": "VPC Subnet Assigns Public IP",
-			"query_id": "52f04a44-6bfa-4c41-b1d3-4ae99a2de05c",
-			"query_url": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/subnet#map_public_ip_on_launch",
-			"severity": "MEDIUM",
-			"platform": "Terraform",
-			"cloud_provider": "AWS",
-			"category": "Networking and Firewall",
-			"experimental": false,
-			"description": "VPC Subnet should not assign public IP",
-			"description_id": "2b7ea60d",
-			"files": [
-				{
-					"file_name": "../../path/full/network.tf",
-					"similarity_id": "b42db2e7e4bf8fb17f70ab897f9910a551a08cf2a7d267fc54e32e562849dce2",
-					"line": 10,
-					"resource_type": "n/a",
-					"resource_name": "n/a",
-					"issue_type": "IncorrectValue",
-					"search_key": "vpc",
-					"search_line": 10,
-					"search_value": "",
-					"expected_value": "vpc.map_public_ip_on_launch should be set to false",
-					"actual_value": "vpc.map_public_ip_on_launch is set undefined",
-					"remediation": "map_public_ip_on_launch = false",
-					"remediation_type": "addition"
-				}
-			]
-		},
-		{
-			"query_name": "IAM Access Analyzer Not Enabled",
-			"query_id": "e592a0c5-5bdb-414c-9066-5dba7cdea370",
-			"query_url": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/accessanalyzer_analyzer",
-			"severity": "LOW",
-			"platform": "Terraform",
-			"cloud_provider": "AWS",
-			"category": "Best Practices",
-			"experimental": false,
-			"description": "IAM Access Analyzer should be enabled and configured to continuously monitor resource permissions",
-			"description_id": "d03e85ae",
-			"files": [
-				{
-					"file_name": "../../path/eks.tf",
-					"similarity_id": "8dd5125fb1c4339e3b25d905b83b782447e10b1ef22a00ff5a6eac97d8f16ab6",
-					"line": 66,
-					"resource_type": "n/a",
-					"resource_name": "n/a",
-					"issue_type": "MissingAttribute",
-					"search_key": "resource",
-					"search_line": -1,
-					"search_value": "",
-					"expected_value": "'aws_accessanalyzer_analyzer' should be set",
-					"actual_value": "'aws_accessanalyzer_analyzer' is undefined"
-				}
-			]
-		},
-		{
-			"query_name": "Name Is Not Snake Case",
-			"query_id": "1e434b25-8763-4b00-a5ca-ca03b7abbb66",
-			"query_url": "https://www.terraform.io/docs/extend/best-practices/naming.html#naming",
-			"severity": "INFO",
-			"platform": "Terraform",
-			"cloud_provider": "COMMON",
-			"category": "Best Practices",
-			"experimental": false,
-			"description": "All names should follow snake case pattern.",
-			"description_id": "ac707cad",
-			"files": [
-				{
-					"file_name": "../../path/rds.tf",
-					"similarity_id": "5206d72f3c1784aa777630c4953b581d2eaddd978ed7a16b82a5ef587b893a2f",
-					"line": 59,
-					"resource_type": "n/a",
-					"resource_name": "n/a",
-					"issue_type": "IncorrectValue",
-					"search_key": "module.rds-proxy",
-					"search_line": 59,
-					"search_value": "",
-					"expected_value": "All names should be on snake case pattern",
-					"actual_value": "'rds-proxy' is not in snake case"
-				},
-				{
-					"file_name": "../../path/full/main.tf",
-					"similarity_id": "46215798896bff9fb39ba5f747de1be799e97e264a169f9abdcbfd981824eef1",
-					"line": 202,
-					"resource_type": "n/a",
-					"resource_name": "n/a",
-					"issue_type": "IncorrectValue",
-					"search_key": "module.checkmarx-one-install",
-					"search_line": 202,
-					"search_value": "",
-					"expected_value": "All names should be on snake case pattern",
-					"actual_value": "'checkmarx-one-install' is not in snake case"
-				},
-				{
-					"file_name": "../../path/full/main.tf",
-					"similarity_id": "4a1b3212683dce22ba4c6134978a27ac1de043cd7acdb164be52873d2db043d2",
-					"line": 117,
-					"resource_type": "n/a",
-					"resource_name": "n/a",
-					"issue_type": "IncorrectValue",
-					"search_key": "module.checkmarx-one",
-					"search_line": 117,
-					"search_value": "",
-					"expected_value": "All names should be on snake case pattern",
-					"actual_value": "'checkmarx-one' is not in snake case"
-				}
-			]
-		},
-		{
-			"query_name": "Output Without Description",
-			"query_id": "59312e8a-a64e-41e7-a252-618533dd1ea8",
-			"query_url": "https://www.terraform.io/docs/language/values/outputs.html#description-output-value-documentation",
-			"severity": "INFO",
-			"platform": "Terraform",
-			"cloud_provider": "COMMON",
-			"category": "Best Practices",
-			"experimental": false,
-			"description": "All outputs should contain a valid description.",
-			"description_id": "81535d16",
-			"files": [
-				{
-					"file_name": "../../path/opensearch.tf",
-					"similarity_id": "0755949862cbb43a172e3588131530939213a5554c8803567f108129610a719a",
-					"line": 82,
-					"resource_type": "n/a",
-					"resource_name": "n/a",
-					"issue_type": "MissingAttribute",
-					"search_key": "output.{{es_endpoint}}",
-					"search_line": -1,
-					"search_value": "",
-					"expected_value": "'description' should be defined and not null",
-					"actual_value": "'description' is undefined or null"
-				},
-				{
-					"file_name": "../../path/rds.tf",
-					"similarity_id": "aa00c9783f2c360dad6f8ed45271ac271438fbd10621d70cc637401abfee697c",
-					"line": 127,
-					"resource_type": "n/a",
-					"resource_name": "n/a",
-					"issue_type": "MissingAttribute",
-					"search_key": "output.{{db_endpoint}}",
-					"search_line": -1,
-					"search_value": "",
-					"expected_value": "'description' should be defined and not null",
-					"actual_value": "'description' is undefined or null"
-				},
-				{
-					"file_name": "../../path/rds.tf",
-					"similarity_id": "dcb582b0c354be0fff103f57404d21081bc5114ed6c3f156ea6ced692cc85ee1",
-					"line": 147,
-					"resource_type": "n/a",
-					"resource_name": "n/a",
-					"issue_type": "MissingAttribute",
-					"search_key": "output.{{db_master_password}}",
-					"search_line": -1,
-					"search_value": "",
-					"expected_value": "'description' should be defined and not null",
-					"actual_value": "'description' is undefined or null"
-				},
-				{
-					"file_name": "../../path/opensearch.tf",
-					"similarity_id": "71ace4025b2ce9b79d4f37850836ba1e553c91d2910f19dac8abba3f1e78f36a",
-					"line": 86,
-					"resource_type": "n/a",
-					"resource_name": "n/a",
-					"issue_type": "MissingAttribute",
-					"search_key": "output.{{es_username}}",
-					"search_line": -1,
-					"search_value": "",
-					"expected_value": "'description' should be defined and not null",
-					"actual_value": "'description' is undefined or null"
-				},
-				{
-					"file_name": "../../path/eks.tf",
-					"similarity_id": "95d4571598d20dc166bee5ccfa97cf03ff60ad2a1af5de6a2200ec16af0158f2",
-					"line": 308,
-					"resource_type": "n/a",
-					"resource_name": "n/a",
-					"issue_type": "MissingAttribute",
-					"search_key": "output.{{external_dns_iam_role_arn}}",
-					"search_line": -1,
-					"search_value": "",
-					"expected_value": "'description' should be defined and not null",
-					"actual_value": "'description' is undefined or null"
-				},
-				{
-					"file_name": "../../path/s3.tf",
-					"similarity_id": "5f2ef339131791b2961e0f6184e5c28c86604ba19a2af11b9ab9ada04d447bd9",
-					"line": 160,
-					"resource_type": "n/a",
-					"resource_name": "n/a",
-					"issue_type": "MissingAttribute",
-					"search_key": "output.{{s3_bucket_name_suffix}}",
-					"search_line": -1,
-					"search_value": "",
-					"expected_value": "'description' should be defined and not null",
-					"actual_value": "'description' is undefined or null"
-				},
-				{
-					"file_name": "../../path/outputs.tf",
-					"similarity_id": "568a1684f937f9ec769ce622936d47dd7fda5121802a40523a0b0941f22d2bef",
-					"line": 2,
-					"resource_type": "n/a",
-					"resource_name": "n/a",
-					"issue_type": "MissingAttribute",
-					"search_key": "output.{{bucket_suffix}}",
-					"search_line": -1,
-					"search_value": "",
-					"expected_value": "'description' should be defined and not null",
-					"actual_value": "'description' is undefined or null"
-				},
-				{
-					"file_name": "../../path/eks.tf",
-					"similarity_id": "433fa46abd7c46919464dd9394de6aab441cf1e468a3cd5ad28141d5dfebfcf4",
-					"line": 312,
-					"resource_type": "n/a",
-					"resource_name": "n/a",
-					"issue_type": "MissingAttribute",
-					"search_key": "output.{{load_balancer_controller_iam_role_arn}}",
-					"search_line": -1,
-					"search_value": "",
-					"expected_value": "'description' should be defined and not null",
-					"actual_value": "'description' is undefined or null"
-				},
-				{
-					"file_name": "../../path/opensearch.tf",
-					"similarity_id": "68bbdb1033891bc67e7e61d476218e3ed219bf46cc4d496f8aaeac0d2defe8a7",
-					"line": 90,
-					"resource_type": "n/a",
-					"resource_name": "n/a",
-					"issue_type": "MissingAttribute",
-					"search_key": "output.{{es_password}}",
-					"search_line": -1,
-					"search_value": "",
-					"expected_value": "'description' should be defined and not null",
-					"actual_value": "'description' is undefined or null"
-				},
-				{
-					"file_name": "../../path/eks.tf",
-					"similarity_id": "edd0baaa9e6a1950b47d138af28bfac7e3c299a84583eb259451562600e7a02b",
-					"line": 304,
-					"resource_type": "n/a",
-					"resource_name": "n/a",
-					"issue_type": "MissingAttribute",
-					"search_key": "output.{{cluster_autoscaler_iam_role_arn}}",
-					"search_line": -1,
-					"search_value": "",
-					"expected_value": "'description' should be defined and not null",
-					"actual_value": "'description' is undefined or null"
-				},
-				{
-					"file_name": "../../path/rds.tf",
-					"similarity_id": "1cd6313a30cc4d4539622261a51040fe9b482eca38fa0a2774a20d0f1458d104",
-					"line": 131,
-					"resource_type": "n/a",
-					"resource_name": "n/a",
-					"issue_type": "MissingAttribute",
-					"search_key": "output.{{db_port}}",
-					"search_line": -1,
-					"search_value": "",
-					"expected_value": "'description' should be defined and not null",
-					"actual_value": "'description' is undefined or null"
-				},
-				{
-					"file_name": "../../path/rds.tf",
-					"similarity_id": "e6350fc6b83de2bf397ed5c8f62cc0ada292e3a8bafb85d40771646cd854e5f0",
-					"line": 143,
-					"resource_type": "n/a",
-					"resource_name": "n/a",
-					"issue_type": "MissingAttribute",
-					"search_key": "output.{{db_master_username}}",
-					"search_line": -1,
-					"search_value": "",
-					"expected_value": "'description' should be defined and not null",
-					"actual_value": "'description' is undefined or null"
-				},
-				{
-					"file_name": "../../path/rds.tf",
-					"similarity_id": "6baaf8e93359cc7a68d4a8999793f4d23a654135b7ccdd72df7755b747210e02",
-					"line": 139,
-					"resource_type": "n/a",
-					"resource_name": "n/a",
-					"issue_type": "MissingAttribute",
-					"search_key": "output.{{db_database_name}}",
-					"search_line": -1,
-					"search_value": "",
-					"expected_value": "'description' should be defined and not null",
-					"actual_value": "'description' is undefined or null"
-				},
-				{
-					"file_name": "../../path/elasticache.tf",
-					"similarity_id": "7383691f60cc9cb09dd5497a2215137e7ab7ddf276ee38c0e4f501f11595d8b5",
-					"line": 83,
-					"resource_type": "n/a",
-					"resource_name": "n/a",
-					"issue_type": "MissingAttribute",
-					"search_key": "output.{{ec_port}}",
-					"search_line": -1,
-					"search_value": "",
-					"expected_value": "'description' should be defined and not null",
-					"actual_value": "'description' is undefined or null"
-				},
-				{
-					"file_name": "../../path/elasticache.tf",
-					"similarity_id": "6712d3795fe452a7e90d8ffaa56ef7b506fc5997e7f988a8e510bf137dcd6bb8",
-					"line": 79,
-					"resource_type": "n/a",
-					"resource_name": "n/a",
-					"issue_type": "MissingAttribute",
-					"search_key": "output.{{ec_endpoint}}",
-					"search_line": -1,
-					"search_value": "",
-					"expected_value": "'description' should be defined and not null",
-					"actual_value": "'description' is undefined or null"
-				},
-				{
-					"file_name": "../../path/eks.tf",
-					"similarity_id": "0788cb29e4eb0a2c64418362a1fc60b1524a9c8a9d30638011e99b5962e088a6",
-					"line": 316,
-					"resource_type": "n/a",
-					"resource_name": "n/a",
-					"issue_type": "MissingAttribute",
-					"search_key": "output.{{karpenter_iam_role_arn}}",
-					"search_line": -1,
-					"search_value": "",
-					"expected_value": "'description' should be defined and not null",
-					"actual_value": "'description' is undefined or null"
-				},
-				{
-					"file_name": "../../path/rds.tf",
-					"similarity_id": "7660cc33f11142ceab63b8ab1dcba4f4d54062cc3a05608afc46dfcac9fc0b40",
-					"line": 135,
-					"resource_type": "n/a",
-					"resource_name": "n/a",
-					"issue_type": "MissingAttribute",
-					"search_key": "output.{{db_reader_endpoint}}",
-					"search_line": -1,
-					"search_value": "",
-					"expected_value": "'description' should be defined and not null",
-					"actual_value": "'description' is undefined or null"
-				},
-				{
-					"file_name": "../../path/eks.tf",
-					"similarity_id": "35c47cf6920b28faa2a0b59181b19751ea672e0374e51d88fd133cbfb6a17df4",
-					"line": 320,
-					"resource_type": "n/a",
-					"resource_name": "n/a",
-					"issue_type": "MissingAttribute",
-					"search_key": "output.{{eks}}",
-					"search_line": -1,
-					"search_value": "",
-					"expected_value": "'description' should be defined and not null",
-					"actual_value": "'description' is undefined or null"
-				}
-			]
-		},
-		{
-			"query_name": "Resource Not Using Tags",
-			"query_id": "e38a8e0a-b88b-4902-b3fe-b0fcb17d5c10",
-			"query_url": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/guides/resource-tagging",
-			"severity": "INFO",
-			"platform": "Terraform",
-			"cloud_provider": "AWS",
-			"category": "Best Practices",
-			"experimental": false,
-			"description": "AWS services resource tags are an essential part of managing components. As a best practice, the field 'tags' should have additional tags defined other than 'Name'",
-			"description_id": "09db2d52",
-			"files": [
-				{
-					"file_name": "../../path/full/network.tf",
-					"similarity_id": "4b48a19876bf584478ecee8c725a7243347238ca4ce3f1c70e32ddcb6de7e7d3",
-					"line": 69,
-					"resource_type": "aws_vpc_endpoint",
-					"resource_name": "cxone-dev-${each.key}-vpc-endpoint",
-					"issue_type": "MissingAttribute",
-					"search_key": "aws_vpc_endpoint[{{interface}}].tags",
-					"search_line": -1,
-					"search_value": "",
-					"expected_value": "aws_vpc_endpoint[{{interface}}].tags has additional tags defined other than 'Name'",
-					"actual_value": "aws_vpc_endpoint[{{interface}}].tags does not have additional tags defined other than 'Name'"
-				},
-				{
-					"file_name": "../../path/rds.tf",
-					"similarity_id": "db250869ddbc7d207f5357bbe25f0fbabf54bb0f42de0c5c75635e466c23dc72",
-					"line": 53,
-					"resource_type": "aws_db_subnet_group",
-					"resource_name": "${var.deployment_id}-rds",
-					"issue_type": "MissingAttribute",
-					"search_key": "aws_db_subnet_group[{{main}}].tags",
-					"search_line": -1,
-					"search_value": "",
-					"expected_value": "aws_db_subnet_group[{{main}}].tags has additional tags defined other than 'Name'",
-					"actual_value": "aws_db_subnet_group[{{main}}].tags does not have additional tags defined other than 'Name'"
-				},
-				{
-					"file_name": "../../path/elasticache.tf",
-					"similarity_id": "adbe4d63b22dc2918587afa2bd6b7f4c885f5bac9d8b5186236704ecb697a2cd",
-					"line": 24,
-					"resource_type": "aws_elasticache_subnet_group",
-					"resource_name": "${var.deployment_id}",
-					"issue_type": "MissingAttribute",
-					"search_key": "aws_elasticache_subnet_group[{{redis}}]",
-					"search_line": -1,
-					"search_value": "",
-					"expected_value": "aws_elasticache_subnet_group[{{redis}}].tags should be defined and not null",
-					"actual_value": "aws_elasticache_subnet_group[{{redis}}].tags is undefined or null"
-				},
-				{
-					"file_name": "../../path/full/network.tf",
-					"similarity_id": "6a86b4711ba2269776821bb1f87c8d8a0dca06bc1337f4c4d0594b2592d33a9e",
-					"line": 79,
-					"resource_type": "aws_vpc_endpoint",
-					"resource_name": "cxone-dev-s3-vpc-endpoint",
-					"issue_type": "MissingAttribute",
-					"search_key": "aws_vpc_endpoint[{{s3_gateway_private}}].tags",
-					"search_line": -1,
-					"search_value": "",
-					"expected_value": "aws_vpc_endpoint[{{s3_gateway_private}}].tags has additional tags defined other than 'Name'",
-					"actual_value": "aws_vpc_endpoint[{{s3_gateway_private}}].tags does not have additional tags defined other than 'Name'"
-				},
-				{
-					"file_name": "../../path/full/main.tf",
-					"similarity_id": "10df2fb205cfc71cc4891d5caa912e13e6423491f3af0b070d6a93fc19f5195c",
-					"line": 13,
-					"resource_type": "aws_kms_key",
-					"resource_name": "cxone-dev",
-					"issue_type": "MissingAttribute",
-					"search_key": "aws_kms_key[{{main}}].tags",
-					"search_line": -1,
-					"search_value": "",
-					"expected_value": "aws_kms_key[{{main}}].tags has additional tags defined other than 'Name'",
-					"actual_value": "aws_kms_key[{{main}}].tags does not have additional tags defined other than 'Name'"
-				},
-				{
-					"file_name": "../../path/elasticache.tf",
-					"similarity_id": "d5229038796422b7bcebdbc1d4d30c23d948366df644a5932bd393f599acd55a",
-					"line": 32,
-					"resource_type": "aws_elasticache_replication_group",
-					"resource_name": "redis",
-					"issue_type": "MissingAttribute",
-					"search_key": "aws_elasticache_replication_group[{{redis}}]",
-					"search_line": -1,
-					"search_value": "",
-					"expected_value": "aws_elasticache_replication_group[{{redis}}].tags should be defined and not null",
-					"actual_value": "aws_elasticache_replication_group[{{redis}}].tags is undefined or null"
-				},
-				{
-					"file_name": "../../path/eks.tf",
-					"similarity_id": "5896fe2cfeec46a7300910c68f4d505e36a864d5104837828e8195f041f8209b",
-					"line": 66,
-					"resource_type": "aws_iam_policy",
-					"resource_name": "${var.deployment_id}-s3-access",
-					"issue_type": "MissingAttribute",
-					"search_key": "aws_iam_policy[{{s3_bucket_access}}]",
-					"search_line": -1,
-					"search_value": "",
-					"expected_value": "aws_iam_policy[{{s3_bucket_access}}].tags should be defined and not null",
-					"actual_value": "aws_iam_policy[{{s3_bucket_access}}].tags is undefined or null"
-				}
-			]
-		},
-		{
-			"query_name": "Variable Without Description",
-			"query_id": "2a153952-2544-4687-bcc9-cc8fea814a9b",
-			"query_url": "https://www.terraform.io/docs/language/values/variables.html#input-variable-documentation",
-			"severity": "INFO",
-			"platform": "Terraform",
-			"cloud_provider": "COMMON",
-			"category": "Best Practices",
-			"experimental": false,
-			"description": "All variables should contain a valid description.",
-			"description_id": "b44986be",
-			"files": [
-				{
-					"file_name": "../../path/full/variables-cxone.tf",
-					"similarity_id": "b6ab3d5f3f69c9405e10467eae4cad30ab4dd659886862ba5f864b720ef2c86b",
-					"line": 589,
-					"resource_type": "n/a",
-					"resource_name": "n/a",
-					"issue_type": "MissingAttribute",
-					"search_key": "variable.{{es_tls_security_policy}}",
-					"search_line": -1,
-					"search_value": "",
-					"expected_value": "'description' should be defined and not null",
-					"actual_value": "'description' is undefined or null"
-				},
-				{
-					"file_name": "../../path/modules/cxone-install/variables.tf",
-					"similarity_id": "598a474d1bd509e66a1a4d3acabf12e05d074caac645960b50a8864384c295ec",
-					"line": 142,
-					"resource_type": "n/a",
-					"resource_name": "n/a",
-					"issue_type": "MissingAttribute",
-					"search_key": "variable.{{elasticsearch_password}}",
-					"search_line": -1,
-					"search_value": "",
-					"expected_value": "'description' should be defined and not null",
-					"actual_value": "'description' is undefined or null"
-				},
-				{
-					"file_name": "../../path/modules/cxone-install/variables.tf",
-					"similarity_id": "cda9ac71d27e434f0a2c615b5363f49a623152e896b96a4195b2277bb965d52c",
-					"line": 137,
-					"resource_type": "n/a",
-					"resource_name": "n/a",
-					"issue_type": "MissingAttribute",
-					"search_key": "variable.{{elasticsearch_host}}",
-					"search_line": -1,
-					"search_value": "",
-					"expected_value": "'description' should be defined and not null",
-					"actual_value": "'description' is undefined or null"
-				},
-				{
-					"file_name": "../../path/variables.tf",
-					"similarity_id": "c353b55fa302a610037ca85b555fdf4ba72fb67ed99783bd1a1f2c134cd7dcb6",
-					"line": 157,
-					"resource_type": "n/a",
-					"resource_name": "n/a",
-					"issue_type": "MissingAttribute",
-					"search_key": "variable.{{eks_node_groups}}",
-					"search_line": -1,
-					"search_value": "",
-					"expected_value": "'description' should be defined and not null",
-					"actual_value": "'description' is undefined or null"
-				},
-				{
-					"file_name": "../../path/modules/cxone-install/variables.tf",
-					"similarity_id": "67765ff0439a9dd5bbb1e14c095ad356630a5d374cf73ccf499ebd4d41308d24",
-					"line": 72,
-					"resource_type": "n/a",
-					"resource_name": "n/a",
-					"issue_type": "MissingAttribute",
-					"search_key": "variable.{{cluster_autoscaler_iam_role_arn}}",
-					"search_line": -1,
-					"search_value": "",
-					"expected_value": "'description' should be defined and not null",
-					"actual_value": "'description' is undefined or null"
-				},
-				{
-					"file_name": "../../path/full/variables-cxone.tf",
-					"similarity_id": "774cdf1929ccf10d51af2bca64c6bd21ae93940903d087d0c31d8adac2bb8659",
-					"line": 162,
-					"resource_type": "n/a",
-					"resource_name": "n/a",
-					"issue_type": "MissingAttribute",
-					"search_key": "variable.{{eks_node_groups}}",
-					"search_line": -1,
-					"search_value": "",
-					"expected_value": "'description' should be defined and not null",
-					"actual_value": "'description' is undefined or null"
-				},
-				{
-					"file_name": "../../path/variables.tf",
-					"similarity_id": "90ed3b1f1f32eedc81abc0a55cd4d61bac586a72764dae8acb0c32938df80c92",
-					"line": 584,
-					"resource_type": "n/a",
-					"resource_name": "n/a",
-					"issue_type": "MissingAttribute",
-					"search_key": "variable.{{es_tls_security_policy}}",
-					"search_line": -1,
-					"search_value": "",
-					"expected_value": "'description' should be defined and not null",
-					"actual_value": "'description' is undefined or null"
-				},
-				{
-					"file_name": "../../path/modules/cxone-install/variables.tf",
-					"similarity_id": "42f9fc98cd4bd7f2102c2e7ebb6ab42e991e70ba4d2a06e82e48ff2027bfc5d6",
-					"line": 82,
-					"resource_type": "n/a",
-					"resource_name": "n/a",
-					"issue_type": "MissingAttribute",
-					"search_key": "variable.{{load_balancer_controller_iam_role_arn}}",
-					"search_line": -1,
-					"search_value": "",
-					"expected_value": "'description' should be defined and not null",
-					"actual_value": "'description' is undefined or null"
-				},
-				{
-					"file_name": "../../path/modules/cxone-install/variables.tf",
-					"similarity_id": "e31f916f8da87efa5b24f519bae1c252ce6010c6b6e4c0414a8bd43ad8778ec8",
-					"line": 77,
-					"resource_type": "n/a",
-					"resource_name": "n/a",
-					"issue_type": "MissingAttribute",
-					"search_key": "variable.{{external_dns_iam_role_arn}}",
-					"search_line": -1,
-					"search_value": "",
-					"expected_value": "'description' should be defined and not null",
-					"actual_value": "'description' is undefined or null"
-				}
-			]
-		}
-	]
-}
diff --git a/variables.tf b/variables.tf
index c0aa6cf..2d65791 100644
--- a/variables.tf
+++ b/variables.tf
@@ -53,6 +53,24 @@ variable "eks_subnets" {
   type        = list(string)
 }
 
+variable "eks_pod_subnets" {
+  description = "The subnets to use for EKS pods. When specified, custom networking configuration is applied to the EKS cluster."
+  type        = list(string)
+  nullable    = true
+}
+
+variable "eks_enable_externalsnat" {
+  type        = bool
+  description = "Enables [External SNAT](https://docs.aws.amazon.com/eks/latest/userguide/external-snat.html) for the EKS VPC CNI. When true, the EKS pods must have a route to a NAT Gateway for outbound communication."
+  default     = false
+}
+
+variable "eks_enable_fargate" {
+  type        = bool
+  description = "Enables Fargate profiles for the karpenter and kube-system namespaces."
+  default     = false
+}
+
 variable "eks_create_cluster_autoscaler_irsa" {
   type        = bool
   description = "Enables creation of cluster autoscaler IAM role."

From 5c1e41d0bcccd495124fbea3be9dd5309152f0ec Mon Sep 17 00:00:00 2001
From: benjaminstokes <stokesbo@gmail.com>
Date: Tue, 23 Apr 2024 00:20:10 -0400
Subject: [PATCH 09/57] Make totp a make var, not terraform.

---
 modules/cxone-install/makefile.tftpl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/cxone-install/makefile.tftpl b/modules/cxone-install/makefile.tftpl
index 2b25302..4757819 100644
--- a/modules/cxone-install/makefile.tftpl
+++ b/modules/cxone-install/makefile.tftpl
@@ -129,4 +129,4 @@ clean-kots:
 
 .PHONY: totp
 totp:
-	echo "${TOTP}" | totp-cli instant
+	echo "$${TOTP}" | totp-cli instant

From 8b22b7a3414d59924cc30ab3e0af849ed0b6f01a Mon Sep 17 00:00:00 2001
From: benjaminstokes <stokesbo@gmail.com>
Date: Tue, 23 Apr 2024 01:23:50 -0400
Subject: [PATCH 10/57] Removing deprecated template_file

---
 modules/inspection-vpc/firewall-rules.tf | 28 +++++++++++++++---------
 modules/inspection-vpc/firewall.tf       |  2 +-
 2 files changed, 19 insertions(+), 11 deletions(-)

diff --git a/modules/inspection-vpc/firewall-rules.tf b/modules/inspection-vpc/firewall-rules.tf
index f988bee..9c71a21 100644
--- a/modules/inspection-vpc/firewall-rules.tf
+++ b/modules/inspection-vpc/firewall-rules.tf
@@ -16,14 +16,9 @@ pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"sum.golang.org";
 pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"pkg-containers.githubusercontent.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240420076; rev:1;)
 
 EOF
-}
 
-data "template_file" "default_suricata_rules" {
-  count    = var.enable_firewall ? 1 : 0
-  template = <<EOF
+  default_suricata_rules = <<EOF
 
-reject tls any any -> any any (msg:"TLS 1.0 or 1.1"; ssl_version:tls1.0,tls1.1; sid:2023070518;)
-drop ip $HOME_NET any -> $EXTERNAL_NET [1389,53,4444,445,135,139,389,3389] (msg:"Deny List High Risk Destination Ports"; sid:278670;)
 
 # Amazon Services - these must be allowed, or can be replaced by private VPC Endpoints (which have a charge https://aws.amazon.com/privatelink/pricing/)
 # Note that these are AWS Region Dependent
@@ -157,9 +152,22 @@ ${local.sca_scanning_rules}
 
 ${var.additional_suricata_rules}
 
-# Drop other traffic
-#drop tls $HOME_NET any -> $EXTERNAL_NET any (msg:"not matching any TLS allowlisted FQDNs"; flow:to_server, established; sid:3; rev:1;)
-#reject tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"blocked uknown tcp"; flow:to_server, established; sid:4; rev:1;)
-
 EOF
 }
+
+
+
+# data "template_file" "default_suricata_rules" {
+#   count    = var.enable_firewall ? 1 : 0
+#   template = <<EOF
+
+# reject tls any any -> any any (msg:"TLS 1.0 or 1.1"; ssl_version:tls1.0,tls1.1; sid:2023070518;)
+# drop ip $HOME_NET any -> $EXTERNAL_NET [1389,53,4444,445,135,139,389,3389] (msg:"Deny List High Risk Destination Ports"; sid:278670;)
+
+
+# # Drop other traffic
+# #drop tls $HOME_NET any -> $EXTERNAL_NET any (msg:"not matching any TLS allowlisted FQDNs"; flow:to_server, established; sid:3; rev:1;)
+# #reject tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"blocked uknown tcp"; flow:to_server, established; sid:4; rev:1;)
+
+# EOF
+# }
diff --git a/modules/inspection-vpc/firewall.tf b/modules/inspection-vpc/firewall.tf
index c9511ae..7a348a2 100644
--- a/modules/inspection-vpc/firewall.tf
+++ b/modules/inspection-vpc/firewall.tf
@@ -24,7 +24,7 @@ resource "aws_networkfirewall_rule_group" "cxone" {
   type     = "STATEFUL"
   rule_group {
     rules_source {
-      rules_string = var.suricata_rules != null ? var.suricata_rules : data.template_file.default_suricata_rules[0].rendered
+      rules_string = var.suricata_rules != null ? var.suricata_rules : local.default_suricata_rules
     }
     stateful_rule_options {
       rule_order = "STRICT_ORDER"

From fd0fc6a5df456a0a2531ca3cce5868c7f233f9e3 Mon Sep 17 00:00:00 2001
From: benjaminstokes <stokesbo@gmail.com>
Date: Wed, 24 Apr 2024 23:21:22 -0400
Subject: [PATCH 11/57] userdata and cluster sg rule for vpc

---
 eks.tf                             |  2 ++
 examples/full/examples.auto.tfvars |  2 ++
 examples/full/main.tf              | 12 ++++++++++++
 examples/full/variables-cxone.tf   | 12 ++++++++++++
 variables.tf                       | 20 ++++++++++++++++++++
 5 files changed, 48 insertions(+)

diff --git a/eks.tf b/eks.tf
index 7124de3..6ca3e14 100644
--- a/eks.tf
+++ b/eks.tf
@@ -252,6 +252,8 @@ module "eks" {
     create_iam_role                 = false
     iam_role_arn                    = module.eks_node_iam_role.iam_role_arn
     key_name                        = var.ec2_key_name
+    post_bootstrap_user_data        = var.eks_post_bootstrap_user_data
+    pre_bootstrap_user_data         = var.eks_pre_bootstrap_user_data
     metadata_options = {
       http_endpoint               = "enabled"
       http_tokens                 = "required"
diff --git a/examples/full/examples.auto.tfvars b/examples/full/examples.auto.tfvars
index 5cd6102..d0f6163 100644
--- a/examples/full/examples.auto.tfvars
+++ b/examples/full/examples.auto.tfvars
@@ -117,6 +117,8 @@ eks_public_endpoint_enabled              = true
 eks_cluster_endpoint_public_access_cidrs = ["0.0.0.0/0"] # Use to lock down access to the public endpoint, when the public endpoint is enabled
 enable_cluster_creator_admin_permissions = true          # the principal used to execute this terraform will be granted access to EKS
 eks_node_additional_security_group_ids   = []            # pass arbitrary additional security groups to EKS nodes
+eks_post_bootstrap_user_data             = null
+eks_pre_bootstrap_user_data              = null
 # Uncomment the eks_administrator_principals to specify additional principal ARNs that should have admin
 # access to EKS.
 # eks_administrator_principals = [
diff --git a/examples/full/main.tf b/examples/full/main.tf
index b1da625..f407667 100644
--- a/examples/full/main.tf
+++ b/examples/full/main.tf
@@ -120,6 +120,18 @@ module "checkmarx-one" {
   eks_create_external_dns_irsa             = var.eks_create_external_dns_irsa
   eks_create_load_balancer_controller_irsa = var.eks_create_load_balancer_controller_irsa
   eks_create_karpenter                     = var.eks_create_karpenter
+  eks_pre_bootstrap_user_data              = var.eks_pre_bootstrap_user_data
+  eks_post_bootstrap_user_data             = var.eks_post_bootstrap_user_data
+  eks_cluster_security_group_additional_rules = {
+    egress_nodes_ephemeral_ports_tcp = {
+      description = "Ingress from VPC (management hosts)"
+      protocol    = "tcp"
+      from_port   = 443
+      to_port     = 443
+      type        = "ingress"
+      cidr_blocks = module.vpc.vpc_cidr_blocks
+    }
+  }
   eks_version                              = var.eks_version
   coredns_version                          = var.coredns_version
   kube_proxy_version                       = var.kube_proxy_version
diff --git a/examples/full/variables-cxone.tf b/examples/full/variables-cxone.tf
index ac304dd..50c51c2 100644
--- a/examples/full/variables-cxone.tf
+++ b/examples/full/variables-cxone.tf
@@ -123,6 +123,18 @@ variable "eks_node_additional_security_group_ids" {
   default     = []
 }
 
+variable "eks_post_bootstrap_user_data" {
+  type        = string
+  description = "User data to insert after bootstrapping script."
+  default     = ""
+}
+
+variable "eks_pre_bootstrap_user_data" {
+  type        = string
+  description = "User data to insert before bootstrapping script."
+  default     = ""
+}
+
 variable "coredns_version" {
   type        = string
   description = "The version of the EKS Core DNS Addon."
diff --git a/variables.tf b/variables.tf
index 2d65791..e1a7c9b 100644
--- a/variables.tf
+++ b/variables.tf
@@ -124,6 +124,26 @@ variable "eks_node_additional_security_group_ids" {
   default     = []
 }
 
+variable "eks_cluster_security_group_additional_rules" {
+  description = "Additional security group rules for the EKS cluster"
+  type        = any
+  default     = {}
+
+}
+
+variable "eks_post_bootstrap_user_data" {
+  type        = string
+  description = "User data to insert after bootstrapping script."
+  default     = ""
+}
+
+variable "eks_pre_bootstrap_user_data" {
+  type        = string
+  description = "User data to insert before bootstrapping script."
+  default     = ""
+}
+
+
 variable "coredns_version" {
   type        = string
   description = "The version of the EKS Core DNS Addon."

From ed2fb47efe58ca1c13f7304b6a7456a5b7c66c9f Mon Sep 17 00:00:00 2001
From: benjaminstokes <stokesbo@gmail.com>
Date: Wed, 24 Apr 2024 23:21:53 -0400
Subject: [PATCH 12/57] quote password and clean up load balancer controller
 resdources target

---
 modules/cxone-install/makefile.tftpl | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/modules/cxone-install/makefile.tftpl b/modules/cxone-install/makefile.tftpl
index 4757819..c8d371e 100644
--- a/modules/cxone-install/makefile.tftpl
+++ b/modules/cxone-install/makefile.tftpl
@@ -16,7 +16,7 @@ update-kubeconfig:
 
 .PHONY: kots-install
 kots-install:
-	kubectl kots install ast/$${RELEASE_CHANNEL} -n $${NAMESPACE} --license-file $${LICENSE_FILE} --shared-password $${KOTS_PASSWORD} --config-values $${KOTS_CONFIG_FILE} --app-version-label $${CXONE_VERSION}
+	kubectl kots install ast/$${RELEASE_CHANNEL} -n $${NAMESPACE} --license-file $${LICENSE_FILE} --shared-password '$${KOTS_PASSWORD}' --config-values $${KOTS_CONFIG_FILE} --app-version-label $${CXONE_VERSION}
 
 #.PHONY: kots-set-config
 #kots-set-config:
@@ -127,6 +127,13 @@ clean-kots:
 	kubectl delete statefulset kotsadm-minio -n $${NAMESPACE}
 	kubectl delete statefulset kotsadm-rqlite -n $${NAMESPACE}
 
+.PHONY: destroy-load-balancer-controller
+destroy-load-balancer-controller:
+	ELB_NAME=$(kubectl describe service ast-platform-traefik -n ast | grep "LoadBalancer Ingress" | awk '{print $3}' | cut -c 1-16); \
+	aws elbv2 describe-load-balancers --query "LoadBalancers[?starts_with(LoadBalancerName,'$ELB_NAME')].LoadBalancerArn" --output text | tr "\t" "\n" | xargs -I{} aws elbv2 delete-load-balancer --load-balancer-arn {}; \
+	aws ec2 describe-security-groups --filters Name=tag:elbv2.k8s.aws/cluster,Values=$${DEPLOYMENT_ID} --query "SecurityGroups[*].GroupId" --output text | tr "\t" "\n" | xargs -I{} aws ec2 delete-security-group --group-id {};
+
+
 .PHONY: totp
 totp:
 	echo "$${TOTP}" | totp-cli instant

From 18d300282592ee07a1f4121ea40310ad50a5f43c Mon Sep 17 00:00:00 2001
From: benjaminstokes <stokesbo@gmail.com>
Date: Wed, 24 Apr 2024 23:22:16 -0400
Subject: [PATCH 13/57] fixing ingress

---
 modules/inspection-vpc/main.tf | 60 ++++++++++++++++++++++------------
 1 file changed, 40 insertions(+), 20 deletions(-)

diff --git a/modules/inspection-vpc/main.tf b/modules/inspection-vpc/main.tf
index 67d92d5..6f97680 100644
--- a/modules/inspection-vpc/main.tf
+++ b/modules/inspection-vpc/main.tf
@@ -137,14 +137,16 @@ resource "aws_nat_gateway" "public" {
 #   Route Tables
 #******************************************************************************
 
-# Public Subnet Routing
-resource "aws_route_table" "public" {
+resource "aws_route_table" "igw" {
   vpc_id = aws_vpc.main.id
-  tags   = { "Name" = "${var.deployment_id}-public" }
+  tags   = { "Name" = "${var.deployment_id}-igw" }
 
-  route {
-    cidr_block = "0.0.0.0/0"
-    gateway_id = aws_internet_gateway.igw.id
+  dynamic "route" {
+    for_each = var.enable_firewall ? ["apply"] : []
+    content {
+      cidr_block      = local.public_subnet_cidr
+      vpc_endpoint_id = [for ss in aws_networkfirewall_firewall.main[0].firewall_status[0].sync_states : ss.attachment[0].endpoint_id][0]
+    }
   }
 
   dynamic "route" {
@@ -162,6 +164,34 @@ resource "aws_route_table" "public" {
       vpc_endpoint_id = [for ss in aws_networkfirewall_firewall.main[0].firewall_status[0].sync_states : ss.attachment[0].endpoint_id][0]
     }
   }
+
+  dynamic "route" {
+    for_each = { for idx, az in local.azs : az => idx if var.enable_firewall }
+    content {
+      cidr_block      = local.database_subnet_cidrs[route.value]
+      vpc_endpoint_id = [for ss in aws_networkfirewall_firewall.main[0].firewall_status[0].sync_states : ss.attachment[0].endpoint_id][0]
+    }
+  }
+
+}
+
+resource "aws_route_table_association" "igw" {
+  gateway_id     = aws_internet_gateway.igw.id
+  route_table_id = aws_route_table.igw.id
+}
+
+
+# Public Subnet Routing
+resource "aws_route_table" "public" {
+  vpc_id = aws_vpc.main.id
+  tags   = { "Name" = "${var.deployment_id}-public" }
+
+  route {
+    cidr_block      = "0.0.0.0/0"
+    gateway_id      = var.enable_firewall ? null : aws_internet_gateway.igw.id
+    vpc_endpoint_id = var.enable_firewall ? [for ss in aws_networkfirewall_firewall.main[0].firewall_status[0].sync_states : ss.attachment[0].endpoint_id][0] : null
+  }
+
   depends_on = [aws_networkfirewall_firewall.main]
 }
 
@@ -178,8 +208,8 @@ resource "aws_route_table" "firewall" {
   tags   = { "Name" = "${var.deployment_id}-firewall" }
 
   route {
-    cidr_block     = "0.0.0.0/0"
-    nat_gateway_id = aws_nat_gateway.public.id
+    cidr_block = "0.0.0.0/0"
+    gateway_id = aws_internet_gateway.igw.id
   }
 }
 
@@ -194,18 +224,8 @@ resource "aws_route_table" "private" {
   vpc_id = aws_vpc.main.id
   tags   = { "Name" = "${var.deployment_id}-private" }
   route {
-    cidr_block      = "0.0.0.0/0"
-    vpc_endpoint_id = var.enable_firewall ? [for ss in aws_networkfirewall_firewall.main[0].firewall_status[0].sync_states : ss.attachment[0].endpoint_id][0] : null
-    nat_gateway_id  = var.enable_firewall ? null : aws_nat_gateway.public.id
-  }
-
-  dynamic "route" {
-    # Route the traffic to public subnet, such as traffic from the load balancer, back through the firewall when firewall is enabled to preserve symetric routing.
-    for_each = var.enable_firewall ? ["apply"] : []
-    content {
-      cidr_block      = local.public_subnet_cidr
-      vpc_endpoint_id = [for ss in aws_networkfirewall_firewall.main[0].firewall_status[0].sync_states : ss.attachment[0].endpoint_id][0]
-    }
+    cidr_block     = "0.0.0.0/0"
+    nat_gateway_id = aws_nat_gateway.public.id
   }
 
   depends_on = [aws_networkfirewall_firewall.main]

From ccd35197832cb0ee75253fffbbd0c61682ad6f26 Mon Sep 17 00:00:00 2001
From: benjaminstokes <stokesbo@gmail.com>
Date: Thu, 25 Apr 2024 00:04:33 -0400
Subject: [PATCH 14/57] karpenter firewall and nodepool updates

---
 modules/cxone-install/karpenter.reference.yaml.tftpl | 6 ++++++
 modules/inspection-vpc/firewall-rules.tf             | 1 +
 2 files changed, 7 insertions(+)

diff --git a/modules/cxone-install/karpenter.reference.yaml.tftpl b/modules/cxone-install/karpenter.reference.yaml.tftpl
index 63fa3cd..6c28b02 100644
--- a/modules/cxone-install/karpenter.reference.yaml.tftpl
+++ b/modules/cxone-install/karpenter.reference.yaml.tftpl
@@ -107,6 +107,12 @@ spec:
         - key: karpenter.k8s.aws/instance-category
           operator: NotIn
           values: ["t"]
+        - key: karpenter.k8s.aws/instance-cpu	
+          operator: Gt
+          values: ["3"]
+        - key: karpenter.k8s.aws/instance-memory	
+          operator: Gt
+          values: ["7"]  
         - key: karpenter.k8s.aws/instance-hypervisor
           operator: In
           values: ["nitro"]
diff --git a/modules/inspection-vpc/firewall-rules.tf b/modules/inspection-vpc/firewall-rules.tf
index 9c71a21..ebc9ea9 100644
--- a/modules/inspection-vpc/firewall-rules.tf
+++ b/modules/inspection-vpc/firewall-rules.tf
@@ -37,6 +37,7 @@ pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"route53.amazonaws
 pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"cloudformation.${data.aws_region.current.name}.amazonaws.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:24190010; rev:1;)
 pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"elasticloadbalancing.${data.aws_region.current.name}.amazonaws.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:24190011; rev:1;)
 pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"autoscaling.${data.aws_region.current.name}.amazonaws.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:24190012; rev:1;)
+pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"sqs.${data.aws_region.current.name}.amazonaws.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:24240001; rev:1;)
 
 
 # Installation media for kube-system services pods like coredns, aws-node, ebs-csi-controller, ebs-csi-node, kube-proxy

From ea1c6d7b30e4e153b74d8060732a713904a505dc Mon Sep 17 00:00:00 2001
From: benjaminstokes <stokesbo@gmail.com>
Date: Mon, 29 Apr 2024 15:53:20 -0400
Subject: [PATCH 15/57] custom-networking

---
 eks.tf                                   |  6 ++--
 modules/cxone-install/main.tf            |  2 +-
 modules/cxone-install/makefile.tftpl     |  6 ++--
 modules/inspection-vpc/firewall-rules.tf | 39 +++++++++++-------------
 4 files changed, 25 insertions(+), 28 deletions(-)

diff --git a/eks.tf b/eks.tf
index 6ca3e14..4753978 100644
--- a/eks.tf
+++ b/eks.tf
@@ -224,9 +224,9 @@ module "eks" {
       before_compute = var.eks_pod_subnets != null ? true : false
       configuration_values = jsonencode({
         env = {
-          #AWS_VPC_K8S_CNI_CUSTOM_NETWORK_CFG = var.eks_pod_subnets != null ? "true" : "false"
-          #ENI_CONFIG_LABEL_DEF               = var.eks_pod_subnets != null ? "topology.kubernetes.io/zone" : ""
-          AWS_VPC_K8S_CNI_EXTERNALSNAT = var.eks_enable_externalsnat ? "true" : "false"
+          AWS_VPC_K8S_CNI_CUSTOM_NETWORK_CFG = var.eks_pod_subnets != null ? "true" : "false"
+          ENI_CONFIG_LABEL_DEF               = var.eks_pod_subnets != null ? "topology.kubernetes.io/zone" : ""
+          AWS_VPC_K8S_CNI_EXTERNALSNAT       = var.eks_enable_externalsnat ? "true" : "false"
         }
       })
     }
diff --git a/modules/cxone-install/main.tf b/modules/cxone-install/main.tf
index 4500261..2ec9ca5 100644
--- a/modules/cxone-install/main.tf
+++ b/modules/cxone-install/main.tf
@@ -76,7 +76,7 @@ resource "local_file" "makefile" {
   filename = "Makefile"
 }
 
-resource "local_file" "karpenter" {
+resource "local_file" "karpenter_configuration" {
   content = templatefile("${path.module}/karpenter.reference.yaml.tftpl", {
     deployment_id           = var.deployment_id
     nodegroup_iam_role_name = var.nodegroup_iam_role_name
diff --git a/modules/cxone-install/makefile.tftpl b/modules/cxone-install/makefile.tftpl
index c8d371e..4ce7068 100644
--- a/modules/cxone-install/makefile.tftpl
+++ b/modules/cxone-install/makefile.tftpl
@@ -18,9 +18,9 @@ update-kubeconfig:
 kots-install:
 	kubectl kots install ast/$${RELEASE_CHANNEL} -n $${NAMESPACE} --license-file $${LICENSE_FILE} --shared-password '$${KOTS_PASSWORD}' --config-values $${KOTS_CONFIG_FILE} --app-version-label $${CXONE_VERSION}
 
-#.PHONY: kots-set-config
-#kots-set-config:
-#	kubectl kots set config ast -n $${NAMESPACE} --config-file $${KOTS_CONFIG_FILE} --deploy
+.PHONY: kots-set-config
+kots-set-config:
+	kubectl kots set config ast -n $${NAMESPACE} --config-file $${KOTS_CONFIG_FILE} --deploy
 
 .PHONY: kots-get-config
 kots-get-config:
diff --git a/modules/inspection-vpc/firewall-rules.tf b/modules/inspection-vpc/firewall-rules.tf
index ebc9ea9..873e24e 100644
--- a/modules/inspection-vpc/firewall-rules.tf
+++ b/modules/inspection-vpc/firewall-rules.tf
@@ -18,8 +18,6 @@ pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"pkg-containers.gi
 EOF
 
   default_suricata_rules = <<EOF
-
-
 # Amazon Services - these must be allowed, or can be replaced by private VPC Endpoints (which have a charge https://aws.amazon.com/privatelink/pricing/)
 # Note that these are AWS Region Dependent
 # Reference https://docs.aws.amazon.com/eks/latest/userguide/private-clusters.html, https://eksctl.io/usage/eks-private-cluster/
@@ -37,6 +35,11 @@ pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"route53.amazonaws
 pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"cloudformation.${data.aws_region.current.name}.amazonaws.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:24190010; rev:1;)
 pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"elasticloadbalancing.${data.aws_region.current.name}.amazonaws.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:24190011; rev:1;)
 pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"autoscaling.${data.aws_region.current.name}.amazonaws.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:24190012; rev:1;)
+
+
+# Karpenter
+pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"iam.amazonaws.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:24250001; rev:1;)
+pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"api.pricing.us-east-1.amazonaws.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:24250002; rev:1;)
 pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"sqs.${data.aws_region.current.name}.amazonaws.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:24240001; rev:1;)
 
 
@@ -84,31 +87,38 @@ pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"amazonlinux-2-rep
 pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"al2023-repos-${data.aws_region.current.name}-de612dc2.s3.dualstack.${data.aws_region.current.name}.amazonaws.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240420033; rev:1;)
 
 
-# AWS Load Balancer Controller - public.ecr.aws (metadata) redirects to cloudfront (download)
+# AWS Load Balancer Controller & Karpenter - public.ecr.aws (metadata) redirects to cloudfront (download)
 pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"public.ecr.aws"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240420034; rev:1;)
 pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"d5l0dvt14r5h8.cloudfront.net"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240420035; rev:1;)
 
+
 # Cluster Autoscaler - k8s.gcr.io (metadata) redirects to storage.googleapis.com (download)
 pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"k8s.gcr.io"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240420036; rev:1;)
 pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"storage.googleapis.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240420037; rev:1;)
 
+
 # Kotsadm tools (minio, rqlite) come from docker.io and docker.com
 pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"registry-1.docker.io"; nocase; startswith; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240420038; rev:1;)
 pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"auth.docker.io"; nocase; startswith; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240420039; rev:1;)
 pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"production.cloudflare.docker.com"; nocase; startswith; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240420040; rev:1;)
+pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"subnet.min.io"; nocase; startswith; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:24250010; rev:1;)
+
 
 # Replicated APIs - used for license checking
 pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"replicated.app"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240420041; rev:1;)
 pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"proxy.replicated.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240420042; rev:1;)
 pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"proxy-auth.replicated.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240420043; rev:1;)
 
+
 # Used by cxone images, and kube-rbac-proxy in CxOne operator
 pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"gcr.io"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240419044; rev:1;)
 pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"checkmarx.jfrog.io"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240420044; rev:1;)
 
+
 # Liquibase schema files required for database migration execution
 pass http $HOME_NET any -> $EXTERNAL_NET 80 (http.host; content:"www.liquibase.org"; startswith; endswith; msg:"Match liquidbase.com allowed"; flow:to_server, established; sid:240420062; rev:1;)
 
+
 # Feature Flags via Split.io
 # Reference https://help.split.io/hc/en-us/articles/360006954331-How-do-I-allow-Split-to-work-in-my-environment
 pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"sdk.split.io"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240420045; rev:1;)
@@ -120,15 +130,18 @@ pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"cdn.split.io"; st
 # Fastly (a CDN), which is used for sdk.split.io https://api.fastly.com/public-ip-list. These are used sometimes w/o host name, so SNI cannot be used to filter.
 pass tls $HOME_NET any -> [23.235.32.0/20,43.249.72.0/22,103.244.50.0/24,103.245.222.0/23,103.245.224.0/24,104.156.80.0/20,140.248.64.0/18,140.248.128.0/17,146.75.0.0/17,151.101.0.0/16,157.52.64.0/18,167.82.0.0/17,167.82.128.0/20,167.82.160.0/20,167.82.224.0/20,172.111.64.0/18,185.31.16.0/22,199.27.72.0/21,199.232.0.0/16] 443 (msg:"Fastly CDN"; flow:to_server, established; sid:240420051; rev:1;)
 
+
 # Allow access to s3 buckets for Checkmarx One. Buckets are typically created with a prefix of the deployment id which allows for regex matching
 # Example bucket name and suffix: scan-results-bos-ap-southeast-1-lab-19205
 pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; pcre:"/^${var.deployment_id}.*?\.s3\.dualstack\.${data.aws_region.current.name}\.amazonaws\.com$/i" msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240420052; rev:1;)
 pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; pcre:"/^${var.deployment_id}.*?\.s3\.${data.aws_region.current.name}\.amazonaws\.com$/i" msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240420053; rev:1;)
 
+
 # Checkmarx One Scans will upload source to scan-results bucket with url path patterns like "https://s3.${data.aws_region.current.name}.amazonaws.com/scan-results-0aa15147e5f3/source-code/....." 
 pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"s3.dualstack.${data.aws_region.current.name}.amazonaws.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240420054; rev:1;)
 pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"s3.${data.aws_region.current.name}.amazonaws.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240420055; rev:1;)
 
+
 # These are the checkmarx services for SCA scanning, cloud IAM (for Authentication to SCA), and codebashing
 pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"iam.checkmarx.net"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240420056; rev:1;)
 pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"api-sca.checkmarx.net"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240420057; rev:1;)
@@ -138,7 +151,8 @@ pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"uploads.sca.check
 # Scan results buckets are used for SCA scan result syncing, and vary by the connected SCA region (e.g. NA, or EU)
 pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"microservice-scanresults-prod-storage-1an26shc41yi3.s3.amazonaws.com"; startswith; nocase; endswith; msg:"SCA NA region result sync bucket"; flow:to_server, established; sid:240420061; rev:1;)
 pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"api.stagecodebashing.com"; startswith; nocase; endswith; msg:"SCA NA region result sync bucket"; flow:to_server, established; sid:240422001; rev:1;)
-
+# upcoming features                                             
+pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"cx-sca-containers.es.us-east-1.aws.found.io"; startswith; nocase; endswith; msg:"SCA NA region result sync bucket"; flow:to_server, established; sid:204290001; rev:1;)
 
 
 # These URLs are randomly generated, and used to discover the correct s3 API signature version to use when communicating with S3 buckets.
@@ -155,20 +169,3 @@ ${var.additional_suricata_rules}
 
 EOF
 }
-
-
-
-# data "template_file" "default_suricata_rules" {
-#   count    = var.enable_firewall ? 1 : 0
-#   template = <<EOF
-
-# reject tls any any -> any any (msg:"TLS 1.0 or 1.1"; ssl_version:tls1.0,tls1.1; sid:2023070518;)
-# drop ip $HOME_NET any -> $EXTERNAL_NET [1389,53,4444,445,135,139,389,3389] (msg:"Deny List High Risk Destination Ports"; sid:278670;)
-
-
-# # Drop other traffic
-# #drop tls $HOME_NET any -> $EXTERNAL_NET any (msg:"not matching any TLS allowlisted FQDNs"; flow:to_server, established; sid:3; rev:1;)
-# #reject tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"blocked uknown tcp"; flow:to_server, established; sid:4; rev:1;)
-
-# EOF
-# }

From 130fbfa855dff55accd4147ba800b63c3abe033a Mon Sep 17 00:00:00 2001
From: benjaminstokes <stokesbo@gmail.com>
Date: Tue, 30 Apr 2024 14:39:42 -0400
Subject: [PATCH 16/57] adding cluster security group rules

---
 eks.tf | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/eks.tf b/eks.tf
index 4753978..4085ba4 100644
--- a/eks.tf
+++ b/eks.tf
@@ -262,7 +262,8 @@ module "eks" {
     }
   }
 
-  eks_managed_node_groups = local.eks_nodegroups
+  cluster_security_group_additional_rules = var.eks_cluster_security_group_additional_rules
+  eks_managed_node_groups                 = local.eks_nodegroups
 
   fargate_profile_defaults = {
     subnet_ids = var.eks_pod_subnets != null ? var.eks_pod_subnets : null

From 54d3ae1f723b54b5fac2c76a557b5859e6ddb54d Mon Sep 17 00:00:00 2001
From: benjaminstokes <stokesbo@gmail.com>
Date: Tue, 30 Apr 2024 22:51:01 -0400
Subject: [PATCH 17/57] Adding explicit config for custom networking

---
 eks.tf                             | 8 ++++----
 examples/full/examples.auto.tfvars | 1 +
 examples/full/variables-cxone.tf   | 6 ++++++
 variables.tf                       | 7 +++++++
 4 files changed, 18 insertions(+), 4 deletions(-)

diff --git a/eks.tf b/eks.tf
index 4085ba4..f466f0e 100644
--- a/eks.tf
+++ b/eks.tf
@@ -221,11 +221,11 @@ module "eks" {
     }
     vpc-cni = {
       addon_version  = var.vpc_cni_version
-      before_compute = var.eks_pod_subnets != null ? true : false
+      before_compute = var.eks_enable_custom_networking
       configuration_values = jsonencode({
         env = {
-          AWS_VPC_K8S_CNI_CUSTOM_NETWORK_CFG = var.eks_pod_subnets != null ? "true" : "false"
-          ENI_CONFIG_LABEL_DEF               = var.eks_pod_subnets != null ? "topology.kubernetes.io/zone" : ""
+          AWS_VPC_K8S_CNI_CUSTOM_NETWORK_CFG = tostring(var.eks_enable_custom_networking)
+          ENI_CONFIG_LABEL_DEF               = var.eks_enable_custom_networking ? "topology.kubernetes.io/zone" : ""
           AWS_VPC_K8S_CNI_EXTERNALSNAT       = var.eks_enable_externalsnat ? "true" : "false"
         }
       })
@@ -266,7 +266,7 @@ module "eks" {
   eks_managed_node_groups                 = local.eks_nodegroups
 
   fargate_profile_defaults = {
-    subnet_ids = var.eks_pod_subnets != null ? var.eks_pod_subnets : null
+    subnet_ids = var.eks_enable_custom_networking ? var.eks_pod_subnets : null
   }
   fargate_profiles = var.eks_enable_fargate ? local.fargate_profiles : {}
 }
diff --git a/examples/full/examples.auto.tfvars b/examples/full/examples.auto.tfvars
index d0f6163..043a704 100644
--- a/examples/full/examples.auto.tfvars
+++ b/examples/full/examples.auto.tfvars
@@ -110,6 +110,7 @@ vpc_cni_version                          = "v1.18.0-eksbuild.1"
 aws_ebs_csi_driver_version               = "v1.28.0-eksbuild.1"
 eks_enable_fargate                       = false # not yet working, do not enable
 eks_enable_externalsnat                  = false # leave false, unless working with external nat gateway
+eks_enable_custom_networking             = false
 eks_private_endpoint_enabled             = true
 # When eks_public_endpoint_enabled = false, installation and management commands after Terraform must be run
 # from a system with connectivity to the private EKS endpoint, such as a bastion host.
diff --git a/examples/full/variables-cxone.tf b/examples/full/variables-cxone.tf
index 50c51c2..001b96d 100644
--- a/examples/full/variables-cxone.tf
+++ b/examples/full/variables-cxone.tf
@@ -64,6 +64,12 @@ variable "eks_enable_externalsnat" {
   default     = false
 }
 
+variable "eks_enable_custom_networking" {
+  type        = bool
+  description = "Enables custom networking for the EKS VPC CNI. When true, custom networking is enabled with `ENI_CONFIG_LABEL_DEF` = `topology.kubernetes.io/zone` and ENIConfig resources must be created."
+  default     = false
+}
+
 variable "eks_enable_fargate" {
   type        = bool
   description = "Enables Fargate profiles for the karpenter and kube-system namespaces."
diff --git a/variables.tf b/variables.tf
index e1a7c9b..735bffa 100644
--- a/variables.tf
+++ b/variables.tf
@@ -53,6 +53,13 @@ variable "eks_subnets" {
   type        = list(string)
 }
 
+
+variable "eks_enable_custom_networking" {
+  type        = bool
+  description = "Enables custom networking for the EKS VPC CNI. When true, custom networking is enabled with `ENI_CONFIG_LABEL_DEF` = `topology.kubernetes.io/zone` and ENIConfig resources must be created."
+  default     = false
+}
+
 variable "eks_pod_subnets" {
   description = "The subnets to use for EKS pods. When specified, custom networking configuration is applied to the EKS cluster."
   type        = list(string)

From 3e0ce8caa29f00c972854fcc77f836a582f14233 Mon Sep 17 00:00:00 2001
From: benjaminstokes <stokesbo@gmail.com>
Date: Wed, 8 May 2024 21:59:10 -0400
Subject: [PATCH 18/57] added https protocol to s3 allowed origins

---
 examples/full/main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/examples/full/main.tf b/examples/full/main.tf
index f407667..fb1840b 100644
--- a/examples/full/main.tf
+++ b/examples/full/main.tf
@@ -108,7 +108,7 @@ module "checkmarx-one" {
   ec2_key_name       = var.ec2_key_name
   vpc_id             = module.vpc.vpc_id
   kms_key_arn        = aws_kms_key.main.arn
-  s3_allowed_origins = [var.fqdn]
+  s3_allowed_origins = [var.fqdn, "https://${var.fqdn}"]
 
   # EKS Configuration
   eks_create                               = var.eks_create

From edfa802c093d43ef2d22081ef9201d75d0b99495 Mon Sep 17 00:00:00 2001
From: benjaminstokes <stokesbo@gmail.com>
Date: Tue, 14 May 2024 11:08:39 -0400
Subject: [PATCH 19/57] add airgap install stub to makefile

---
 modules/cxone-install/makefile.tftpl | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/modules/cxone-install/makefile.tftpl b/modules/cxone-install/makefile.tftpl
index 4ce7068..965ef56 100644
--- a/modules/cxone-install/makefile.tftpl
+++ b/modules/cxone-install/makefile.tftpl
@@ -8,6 +8,10 @@ KOTS_PASSWORD = ${tf_kots_password}
 NAMESPACE = ${tf_namespace}
 LICENSE_FILE = ${tf_license_file}
 KOTS_CONFIG_FILE = ${tf_kots_config_file}
+AIRGAP_BUNDLE = ???
+KOTS_REGISTRY = ???
+REGISTRY_USERNAME = ???
+REGISTRY_PASSWORD = ???
 TOTP = 123
 
 .PHONY: update-kubeconfig
@@ -18,6 +22,11 @@ update-kubeconfig:
 kots-install:
 	kubectl kots install ast/$${RELEASE_CHANNEL} -n $${NAMESPACE} --license-file $${LICENSE_FILE} --shared-password '$${KOTS_PASSWORD}' --config-values $${KOTS_CONFIG_FILE} --app-version-label $${CXONE_VERSION}
 
+.PHONY: kots-install-from-airgap
+kots-install-from-airgap:
+	kubectl kots install ast/$${RELEASE_CHANNEL} -n $${NAMESPACE} --license-file $${LICENSE_FILE} --shared-password '$${KOTS_PASSWORD}' --config-values $${KOTS_CONFIG_FILE} \
+	--airgap --airgap-bundle $${AIRGAP_BUNDLE} --kotsadm-registry $${KOTS_REGISTRY} --registry-username $${REGISTRY_USERNAME} --registry-password '$${REGISTRY_PASSWORD}'
+
 .PHONY: kots-set-config
 kots-set-config:
 	kubectl kots set config ast -n $${NAMESPACE} --config-file $${KOTS_CONFIG_FILE} --deploy

From 4236ccec37c44a9c05468a810c5fe1bfd129c73e Mon Sep 17 00:00:00 2001
From: benjaminstokes <stokesbo@gmail.com>
Date: Tue, 14 May 2024 13:03:04 -0400
Subject: [PATCH 20/57] add destroy make target

---
 .../destroy-load-balancer.sh.tftpl            | 23 ++++++++++++++++++
 modules/cxone-install/main.tf                 |  7 ++++++
 modules/cxone-install/makefile.tftpl          | 24 +++++++++++++++----
 3 files changed, 49 insertions(+), 5 deletions(-)
 create mode 100644 modules/cxone-install/destroy-load-balancer.sh.tftpl

diff --git a/modules/cxone-install/destroy-load-balancer.sh.tftpl b/modules/cxone-install/destroy-load-balancer.sh.tftpl
new file mode 100644
index 0000000..84a0e2e
--- /dev/null
+++ b/modules/cxone-install/destroy-load-balancer.sh.tftpl
@@ -0,0 +1,23 @@
+#!/bin/bash
+
+# The AWS Load Balancer Controller creates Load Balancers, Target Groups, and Security Groups outside
+# of the Terraform project's scope. These resources will prevent terraform destroy from running successfully.
+# This script should be run before terraform destroy to ensure these external resources are cleaned up and 
+# allows terraform to run successfully.
+
+
+DEPLOYMENT_ID=${deployment_id}
+# Clean up load balancer
+ELB_ARN=$(aws elbv2 describe-load-balancers | jq -r '.LoadBalancers[].LoadBalancerArn' | xargs -I {} aws elbv2 describe-tags --resource-arns {} --query "TagDescriptions[?Tags[?Key=='elbv2.k8s.aws/cluster' &&Value=='$${DEPLOYMENT_ID}']].ResourceArn" --output text)
+aws elbv2 delete-load-balancer --load-balancer-arn $${ELB_ARN}
+
+# Clean up target groups
+aws elbv2 describe-target-groups | jq -r '.TargetGroups[].TargetGroupArn' | xargs -I {} aws elbv2 describe-tags --resource-arns {} --query "TagDescriptions[?Tags[?Key=='elbv2.k8s.aws/cluster' &&Value=='$${DEPLOYMENT_ID}']].ResourceArn" --output text | xargs -I {} aws elbv2 delete-target-group --target-group-arn {}
+
+# Clean up security groups
+# The "Node" security group will have references to the ELB security groups, so remove all the rules to allow groups to be deleted successfully
+NODE_SG_ID=$(aws ec2 describe-security-groups --filters Name=tag:Name,Values=$${DEPLOYMENT_ID}-node --query "SecurityGroups[*].GroupId" --output text | tr "\t" "\n")
+aws ec2 revoke-security-group-ingress --group-id $${NODE_SG_ID} --ip-permissions "`aws ec2 describe-security-groups --output json --group-ids $${NODE_SG_ID} --query "SecurityGroups[0].IpPermissions"`"
+
+# Delete the ELB security groups
+aws ec2 describe-security-groups --filters Name=tag:elbv2.k8s.aws/cluster,Values=$${DEPLOYMENT_ID} --query "SecurityGroups[*].GroupId" --output text | tr "\t" "\n" | xargs -I {} aws ec2 delete-security-group --group-id {} 
diff --git a/modules/cxone-install/main.tf b/modules/cxone-install/main.tf
index 2ec9ca5..96c7e98 100644
--- a/modules/cxone-install/main.tf
+++ b/modules/cxone-install/main.tf
@@ -101,3 +101,10 @@ resource "local_file" "ENIConfig" {
   content  = var.pod_eniconfig
   filename = "custom-networking-config.${var.deployment_id}.yaml"
 }
+
+resource "local_file" "destroy_load_balancer" {
+  content = templatefile("${path.module}/destroy-load-balancer.sh.tftpl", {
+    deployment_id = var.deployment_id
+  })
+  filename = "destroy-load-balancer.${var.deployment_id}.sh"
+}
diff --git a/modules/cxone-install/makefile.tftpl b/modules/cxone-install/makefile.tftpl
index 965ef56..07c5f01 100644
--- a/modules/cxone-install/makefile.tftpl
+++ b/modules/cxone-install/makefile.tftpl
@@ -14,36 +14,44 @@ REGISTRY_USERNAME = ???
 REGISTRY_PASSWORD = ???
 TOTP = 123
 
+
 .PHONY: update-kubeconfig
 update-kubeconfig:
 	aws eks update-kubeconfig --name $${EKS_CLUSTER_NAME}
 
+
 .PHONY: kots-install
 kots-install:
 	kubectl kots install ast/$${RELEASE_CHANNEL} -n $${NAMESPACE} --license-file $${LICENSE_FILE} --shared-password '$${KOTS_PASSWORD}' --config-values $${KOTS_CONFIG_FILE} --app-version-label $${CXONE_VERSION}
 
+
 .PHONY: kots-install-from-airgap
 kots-install-from-airgap:
 	kubectl kots install ast/$${RELEASE_CHANNEL} -n $${NAMESPACE} --license-file $${LICENSE_FILE} --shared-password '$${KOTS_PASSWORD}' --config-values $${KOTS_CONFIG_FILE} \
 	--airgap --airgap-bundle $${AIRGAP_BUNDLE} --kotsadm-registry $${KOTS_REGISTRY} --registry-username $${REGISTRY_USERNAME} --registry-password '$${REGISTRY_PASSWORD}'
 
+
 .PHONY: kots-set-config
 kots-set-config:
 	kubectl kots set config ast -n $${NAMESPACE} --config-file $${KOTS_CONFIG_FILE} --deploy
 
+
 .PHONY: kots-get-config
 kots-get-config:
 	kubectl kots get config -n $${NAMESPACE} --appslug ast
 
+
 .PHONY: kots-admin-console
 kots-admin-console:
 	kubectl kots admin-console -n $${NAMESPACE}
 
+
 .PHONY: rollout-restart
 rollout-restart:
 	kubectl -n $${NAMESPACE} rollout restart deploy
 	kubectl -n $${NAMESPACE} rollout restart statefulset
 
+
 .PHONY: install-cluster-autoscaler
 install-cluster-autoscaler:
 	helm repo add autoscaler https://kubernetes.github.io/autoscaler; \
@@ -57,10 +65,12 @@ install-cluster-autoscaler:
 	--set rbac.serviceAccount.annotations."eks\.amazonaws\.com/role-arn"="${cluster_autoscaler_iam_role_arn}" \
 	--set autoDiscovery.clusterName=$${EKS_CLUSTER_NAME}
 
+
 .PHONY: uninstall-cluster-autoscaler
 uninstall-cluster-autoscaler:
 	helm uninstall cluster-autoscaler -n kube-system
 
+
 .PHONY: install-external-dns
 install-external-dns:
 	helm repo add external-dns https://kubernetes-sigs.github.io/external-dns/; \
@@ -71,6 +81,7 @@ install-external-dns:
 	--set serviceAccount.name=external-dns \
 	--set serviceAccount.annotations."eks\.amazonaws\.com/role-arn"="${external_dns_iam_role_arn}"
 
+
 .PHONY: uninstall-external-dns
 uninstall-external-dns:
 	helm uninstall external-dns -n kube-system
@@ -98,6 +109,7 @@ install-load-balancer-controller:
 uninstall-load-balancer-controller:
 	helm uninstall aws-load-balancer-controller -n kube-system
 
+
 .PHONY: install-karpenter
 install-karpenter:
 	helm install karpenter oci://public.ecr.aws/karpenter/karpenter \
@@ -117,10 +129,12 @@ install-karpenter:
 	--set controller.resources.limits.memory=1Gi
 	kubectl apply -f karpenter.$${DEPLOYMENT_ID}.yaml 
 
+
 .PHONY: uninstall-karpenter
 uninstall-karpenter:
 	helm uninstall karpenter -n kube-system
 
+
 .PHONY: view-firewall-logs
 view-firewall-logs:
 	aws logs filter-log-events --start-time 1713475743 --log-group-name /aws/vendedlogs/$${DEPLOYMENT_ID}-aws-nfw-alert | jq -r ' .events[].message' |  jq ' (.event.timestamp + " " + .event.alert.action + ": " + .event.src_ip + ":" + (.event.src_port|tostring) + " -> " + .event.proto + "/" + .event.app_proto + " "  + .event.dest_ip + ":" + (.event.dest_port|tostring) + " " + .event.tls.sni + .event.http.hostname) + " " + .event.http.http_user_agent + " " + .event.http.http_method + " " + .event.http.url'
@@ -130,17 +144,17 @@ view-firewall-logs:
 apply-storageclass-config:
 	./apply-storageclass-config.$${DEPLOYMENT_ID}.sh
 
+
 .PHONY: clean-kots
 clean-kots:
 	kubectl delete deployment kotsadm -n $${NAMESPACE}
 	kubectl delete statefulset kotsadm-minio -n $${NAMESPACE}
 	kubectl delete statefulset kotsadm-rqlite -n $${NAMESPACE}
 
-.PHONY: destroy-load-balancer-controller
-destroy-load-balancer-controller:
-	ELB_NAME=$(kubectl describe service ast-platform-traefik -n ast | grep "LoadBalancer Ingress" | awk '{print $3}' | cut -c 1-16); \
-	aws elbv2 describe-load-balancers --query "LoadBalancers[?starts_with(LoadBalancerName,'$ELB_NAME')].LoadBalancerArn" --output text | tr "\t" "\n" | xargs -I{} aws elbv2 delete-load-balancer --load-balancer-arn {}; \
-	aws ec2 describe-security-groups --filters Name=tag:elbv2.k8s.aws/cluster,Values=$${DEPLOYMENT_ID} --query "SecurityGroups[*].GroupId" --output text | tr "\t" "\n" | xargs -I{} aws ec2 delete-security-group --group-id {};
+
+.PHONY: destroy-load-balancer
+destroy-load-balancer:
+	./destroy-load-balancer.$${DEPLOYMENT_ID}.sh
 
 
 .PHONY: totp

From 76d90d6af3560e3fe1cd1fc428dcc18e1262c1e9 Mon Sep 17 00:00:00 2001
From: benjaminstokes <stokesbo@gmail.com>
Date: Thu, 16 May 2024 08:57:29 -0400
Subject: [PATCH 21/57] enable analytics, sca inventory, document type

---
 .../kots.config.aws.reference.yaml.tftpl      | 20 ++++++++++---------
 1 file changed, 11 insertions(+), 9 deletions(-)

diff --git a/modules/cxone-install/kots.config.aws.reference.yaml.tftpl b/modules/cxone-install/kots.config.aws.reference.yaml.tftpl
index 313ce90..f379356 100644
--- a/modules/cxone-install/kots.config.aws.reference.yaml.tftpl
+++ b/modules/cxone-install/kots.config.aws.reference.yaml.tftpl
@@ -43,9 +43,11 @@ spec:
     sca_prod_environment:
       value: https://api-sca.checkmarx.net
 
-    # environment_type is always production
+    # environment_type is either "production" or "development"
+    # This controls how strict the KOTS preflight checks are for memory, cpu, etc
+    # Recommended value: production
     environment_type:
-      value: development
+      value: production
 
     # deployment_type is always cloud
     deployment_type:
@@ -82,7 +84,7 @@ spec:
     # bool - Valid values are "0" (false) and "1" true. 
     # When true, must provide elasticsearch configuration.
     enable_sca_global_inventory:
-      value: "0"
+      value: "1"
 
     # Typically ES is provided via AWS OpenSearch service (must be Elasticsearch engine v 7.10)
     sca_global_inventory_elasticsearch_host:
@@ -209,7 +211,7 @@ spec:
     
     # The name of the CxOne database. By convention, ast.
     external_postgres_db:
-      value: ast
+      value: ${postgres_db}
 
     # Used to enforce SSL connections to postgres. Values are
     # postgres_sslmode_require or postgres_sslmode_allow
@@ -222,19 +224,19 @@ spec:
 
     # Enables analytics features, which requires an additional database.
     enable_analytics:
-      value: "0"
+      value: "1"
 
     # The analaytics database connection information. required when enable_analytics is "1"
     analytics_postgres_host:
-      value: <enter metrics database host>
+      value: ${analytics_postgres_host}
     analytics_postgres_port:
       value: "5432"    
     analytics_postgres_db_name:
-      value: analytics
+      value: ${analytics_postgres_db_name}
     analytics_postgres_user:
-      value: <enter user name>    
+      value: ${analytics_postgres_user} 
     analytics_postgres_password:
-      value: "<enter password>"
+      value: "${analytics_postgres_password}"
     # Can be either analytics_postgres_sslmode_require or analytics_postgres_sslmode_allow
     analytics_postgres_sslmode_value:
       value: analytics_postgres_sslmode_require

From ef1f8cc32b3357bea4130cc42997a34bb8288cc0 Mon Sep 17 00:00:00 2001
From: benjaminstokes <stokesbo@gmail.com>
Date: Thu, 16 May 2024 09:00:20 -0400
Subject: [PATCH 22/57] Adding analytics database/enablement, and byor db
 management for v3.12

---
 eks.tf                                        |   8 ++
 examples/full/examples.auto.tfvars            |  16 +++
 examples/full/main.tf                         |  44 +++++++
 examples/full/variables-cxone.tf              |  58 ++++++++++
 helm/database-preparation/.helmignore         |  23 ++++
 helm/database-preparation/Chart.yaml          |   6 +
 .../templates/_helpers.tpl                    |  62 ++++++++++
 .../analytics-database-preparation.yaml       |  37 ++++++
 .../templates/byor-database-preparation.yaml  |  37 ++++++
 helm/database-preparation/values.yaml         |  20 ++++
 modules/cxone-install/main.tf                 |   6 +
 modules/cxone-install/variables.tf            |  21 ++++
 rds-analytics.tf                              | 107 ++++++++++++++++++
 rds-databases.tf                              |  53 +++++++++
 variables.tf                                  |  56 +++++++++
 15 files changed, 554 insertions(+)
 create mode 100644 helm/database-preparation/.helmignore
 create mode 100644 helm/database-preparation/Chart.yaml
 create mode 100644 helm/database-preparation/templates/_helpers.tpl
 create mode 100644 helm/database-preparation/templates/analytics-database-preparation.yaml
 create mode 100644 helm/database-preparation/templates/byor-database-preparation.yaml
 create mode 100644 helm/database-preparation/values.yaml
 create mode 100644 rds-analytics.tf
 create mode 100644 rds-databases.tf

diff --git a/eks.tf b/eks.tf
index f466f0e..635c478 100644
--- a/eks.tf
+++ b/eks.tf
@@ -401,6 +401,14 @@ output "cluster_endpoint" {
   value = module.eks.cluster_endpoint
 }
 
+output "cluster_name" {
+  value = module.eks.cluster_name
+}
+
+output "cluster_certificate_authority_data" {
+  value = module.eks.cluster_certificate_authority_data
+}
+
 output "nodegroup_iam_role_name" {
   value = data.aws_iam_role.karpenter.name
 }
diff --git a/examples/full/examples.auto.tfvars b/examples/full/examples.auto.tfvars
index 043a704..d6e4b5e 100644
--- a/examples/full/examples.auto.tfvars
+++ b/examples/full/examples.auto.tfvars
@@ -308,6 +308,22 @@ db_serverlessv2_scaling_configuration = {
 }
 
 
+#******************************************************************************
+#   RDS - Analytics - Configuration
+#******************************************************************************
+analytics_db_instance_class                           = "db.serverless"
+analytics_db_final_snapshot_identifier                = "your-final-analytics-snapshot-id"
+analytics_db_snapshot_identifer                       = null
+analytics_db_cluster_db_instance_parameter_group_name = "aurora-postgresql13-cluster-analytics"
+analytics_db_instances = {
+  writer = {}
+}
+analytics_db_serverlessv2_scaling_configuration = {
+  min_capacity = 0.5
+  max_capacity = 8
+}
+
+
 #******************************************************************************
 # Elasticache Configuration
 #******************************************************************************
diff --git a/examples/full/main.tf b/examples/full/main.tf
index fb1840b..935e319 100644
--- a/examples/full/main.tf
+++ b/examples/full/main.tf
@@ -64,6 +64,16 @@ resource "random_password" "db" {
   min_numeric      = 1
 }
 
+resource "random_password" "analytics_db" {
+  length           = 32
+  special          = false
+  override_special = "!-_"
+  min_special      = 1
+  min_upper        = 1
+  min_lower        = 1
+  min_numeric      = 1
+}
+
 resource "random_password" "kots_admin" {
   length           = 14
   special          = false
@@ -175,6 +185,14 @@ module "checkmarx-one" {
   db_instances                          = var.db_instances
   db_serverlessv2_scaling_configuration = var.db_serverlessv2_scaling_configuration
 
+  analytics_db_instance_class                           = var.analytics_db_instance_class
+  analytics_db_final_snapshot_identifier                = var.analytics_db_final_snapshot_identifier
+  analytics_db_snapshot_identifer                       = var.analytics_db_snapshot_identifer
+  analytics_db_cluster_db_instance_parameter_group_name = var.analytics_db_cluster_db_instance_parameter_group_name
+  analytics_db_instances                                = var.analytics_db_instances
+  analytics_db_serverlessv2_scaling_configuration       = var.analytics_db_serverlessv2_scaling_configuration
+  analytics_db_master_user_password                     = random_password.analytics_db.result
+
   # Elasticache Configuration
   ec_create                         = var.ec_create
   ec_subnets                        = module.vpc.database_subnets
@@ -224,6 +242,10 @@ module "checkmarx-one-install" {
   postgres_database_name                = module.checkmarx-one.db_database_name
   postgres_user                         = module.checkmarx-one.db_master_username
   postgres_password                     = module.checkmarx-one.db_master_password
+  analytics_postgres_host               = module.checkmarx-one.analytics_db_endpoint
+  analytics_postgres_database_name      = module.checkmarx-one.analytics_db_database_name
+  analytics_postgres_user               = module.checkmarx-one.analytics_db_master_username
+  analytics_postgres_password           = module.checkmarx-one.analytics_db_master_password
   redis_address                         = module.checkmarx-one.ec_endpoint
   smtp_host                             = var.smtp_host
   smtp_port                             = var.smtp_port
@@ -243,6 +265,28 @@ module "checkmarx-one-install" {
   vpc_id                                = module.vpc.vpc_id
 }
 
+provider "kubernetes" {
+  host                   = module.checkmarx-one.cluster_endpoint
+  cluster_ca_certificate = base64decode(module.checkmarx-one.cluster_certificate_authority_data)
+  exec {
+    api_version = "client.authentication.k8s.io/v1beta1"
+    args        = ["eks", "get-token", "--cluster-name", module.checkmarx-one.cluster_name]
+    command     = "aws"
+  }
+}
+
+provider "helm" {
+  kubernetes {
+    host                   = module.checkmarx-one.cluster_endpoint
+    cluster_ca_certificate = base64decode(module.checkmarx-one.cluster_certificate_authority_data)
+    exec {
+      api_version = "client.authentication.k8s.io/v1beta1"
+      args        = ["eks", "get-token", "--cluster-name", module.checkmarx-one.cluster_name]
+      command     = "aws"
+    }
+  }
+}
+
 
 output "cxone1" {
   value = module.checkmarx-one.eks
diff --git a/examples/full/variables-cxone.tf b/examples/full/variables-cxone.tf
index 001b96d..c22d282 100644
--- a/examples/full/variables-cxone.tf
+++ b/examples/full/variables-cxone.tf
@@ -505,6 +505,64 @@ variable "db_apply_immediately" {
 }
 
 
+#******************************************************************************
+#   RDS - Analytics - Configuration
+#******************************************************************************
+
+variable "analytics_db_instance_class" {
+  description = "The aurora postgres instance class."
+  type        = string
+  default     = "db.r6g.xlarge"
+}
+
+variable "analytics_db_final_snapshot_identifier" {
+  description = "Identifer for a final DB snapshot for the analytics database. Required when db_skip_final_snapshot is false.."
+  type        = string
+  default     = null
+}
+
+variable "analytics_db_snapshot_identifer" {
+  description = "The snapshot identifier to restore the anatlytics database from."
+  type        = string
+  default     = null
+}
+
+variable "analytics_db_cluster_db_instance_parameter_group_name" {
+  type        = string
+  default     = null
+  description = "The name of the DB Cluster parameter group to use."
+}
+
+variable "analytics_db_master_user_password" {
+  description = "The master user password for RDS. Specify to explicitly set the password otherwise RDS will be allowed to manage it."
+  type        = string
+  default     = null
+}
+
+variable "analytics_db_instances" {
+  type        = map(any)
+  description = "The DB instance configuration"
+  default = {
+    writer   = {}
+    replica1 = {}
+  }
+}
+
+variable "analytics_db_serverlessv2_scaling_configuration" {
+  description = "The serverless v2 scaling minimum and maximum."
+  type = object({
+    min_capacity = number
+    max_capacity = number
+  })
+  default = {
+    min_capacity = 0.5
+    max_capacity = 32
+  }
+}
+
+
+
+
 #******************************************************************************
 # Elasticache Configuration
 #******************************************************************************
diff --git a/helm/database-preparation/.helmignore b/helm/database-preparation/.helmignore
new file mode 100644
index 0000000..0e8a0eb
--- /dev/null
+++ b/helm/database-preparation/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/helm/database-preparation/Chart.yaml b/helm/database-preparation/Chart.yaml
new file mode 100644
index 0000000..d3d76b7
--- /dev/null
+++ b/helm/database-preparation/Chart.yaml
@@ -0,0 +1,6 @@
+apiVersion: v2
+name: database-preparation
+description: A Helm chart for Kubernetes to prepare Analytics database
+type: application
+version: 0.1.0
+appVersion: "1.16.0"
diff --git a/helm/database-preparation/templates/_helpers.tpl b/helm/database-preparation/templates/_helpers.tpl
new file mode 100644
index 0000000..d7de703
--- /dev/null
+++ b/helm/database-preparation/templates/_helpers.tpl
@@ -0,0 +1,62 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "database-preparation.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "database-preparation.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "database-preparation.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "database-preparation.labels" -}}
+helm.sh/chart: {{ include "database-preparation.chart" . }}
+{{ include "database-preparation.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "database-preparation.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "database-preparation.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "database-preparation.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "database-preparation.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
diff --git a/helm/database-preparation/templates/analytics-database-preparation.yaml b/helm/database-preparation/templates/analytics-database-preparation.yaml
new file mode 100644
index 0000000..b378e56
--- /dev/null
+++ b/helm/database-preparation/templates/analytics-database-preparation.yaml
@@ -0,0 +1,37 @@
+{{- if .Values.rds.analytics_enabled }}
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ .Release.Name }}
+  namespace: {{ .Release.Namespace }}
+spec:
+  ttlSecondsAfterFinished: 100
+  backoffLimit: 3
+  template:
+    spec:
+      containers:
+      - name: analytics-database-preparation
+        image: {{ .Values.image.repository }}:{{ .Values.image.tag }}
+        imagePullPolicy: {{ .Values.image.pullPolicy }}
+        command: ["/bin/bash", "-c"]
+        args:
+          - >
+            echo Creating analytics database...;
+            export PGPASSWORD={{ .Values.rds.masterPassword | quote }};
+            echo "SELECT 'CREATE DATABASE $rds_analytics_db_name' WHERE NOT EXISTS (SELECT FROM pg_database WHERE datname = '$rds_analytics_db_name')\gexec" | psql -h $rds_writer -d postgres -U $rds_master_username
+        env:
+          - name: rds_writer
+            value: {{ .Values.rds.writer_endpoint }}
+          - name: rds_master_username
+            value: {{ .Values.rds.masterUsername }}
+          - name: rds_app_user_password
+            value: {{ .Values.rds.appUserPassword | quote }}
+          - name: rds_analytics_db_name
+            value: {{ .Values.rds.analytics_db_name | quote }}
+          
+      {{- if .Values.imagePullSecrets }}
+      imagePullSecrets:
+        - name: {{ .Values.imagePullSecrets }}
+      {{- end }}
+      restartPolicy: Never
+{{- end }}
\ No newline at end of file
diff --git a/helm/database-preparation/templates/byor-database-preparation.yaml b/helm/database-preparation/templates/byor-database-preparation.yaml
new file mode 100644
index 0000000..0653638
--- /dev/null
+++ b/helm/database-preparation/templates/byor-database-preparation.yaml
@@ -0,0 +1,37 @@
+{{- if .Values.rds.byor_enabled }}
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ .Release.Name }}
+  namespace: {{ .Release.Namespace }}
+spec:
+  ttlSecondsAfterFinished: 100
+  backoffLimit: 3
+  template:
+    spec:
+      containers:
+      - name: byor-database-preparation
+        image: {{ .Values.image.repository }}:{{ .Values.image.tag }}
+        imagePullPolicy: {{ .Values.image.pullPolicy }}
+        command: ["/bin/bash", "-c"]
+        args:
+          - >
+            echo Creating byor database...;
+            export PGPASSWORD={{ .Values.rds.masterPassword | quote }};
+            echo "SELECT 'CREATE DATABASE $rds_byor_db_name' WHERE NOT EXISTS (SELECT FROM pg_database WHERE datname = '$rds_byor_db_name')\gexec" | psql -h $rds_writer -d postgres -U $rds_master_username
+        env:
+          - name: rds_writer
+            value: {{ .Values.rds.writer_endpoint }}
+          - name: rds_master_username
+            value: {{ .Values.rds.masterUsername }}
+          - name: rds_app_user_password
+            value: {{ .Values.rds.appUserPassword | quote }}
+          - name: rds_byor_db_name
+            value: {{ .Values.rds.byor_db_name | quote }}
+          
+      {{- if .Values.imagePullSecrets }}
+      imagePullSecrets:
+        - name: {{ .Values.imagePullSecrets }}
+      {{- end }}
+      restartPolicy: Never
+{{- end }}
diff --git a/helm/database-preparation/values.yaml b/helm/database-preparation/values.yaml
new file mode 100644
index 0000000..4938899
--- /dev/null
+++ b/helm/database-preparation/values.yaml
@@ -0,0 +1,20 @@
+# Default values for database-preparation.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+replicaCount: 1
+
+image:
+  repository: postgres
+  pullPolicy: Always
+  tag: latest
+  imagePullSecrets: ""
+
+rds:
+  analytics_enabled: false
+  byor_enabled: false
+  writer_endpoint: ""
+  masterUsername: ""
+  masterPassword: ""
+  analytics_db_name: "analytics"
+  byor_db_name: "byor"
diff --git a/modules/cxone-install/main.tf b/modules/cxone-install/main.tf
index 96c7e98..0050c0f 100644
--- a/modules/cxone-install/main.tf
+++ b/modules/cxone-install/main.tf
@@ -31,6 +31,12 @@ resource "local_file" "kots_config" {
     postgres_password = var.postgres_password #jsondecode(data.aws_secretsmanager_secret_version.rds_secret.secret_string)["password"]
     postgres_db       = var.postgres_database_name
 
+    # RDS - Analytics
+    analytics_postgres_host     = var.analytics_postgres_host
+    analytics_postgres_user     = var.analytics_postgres_user
+    analytics_postgres_password = var.analytics_postgres_password #jsondecode(data.aws_secretsmanager_secret_version.rds_secret.secret_string)["password"]
+    analytics_postgres_db_name  = var.analytics_postgres_database_name
+
     # Redis
     redis_address = var.redis_address
 
diff --git a/modules/cxone-install/variables.tf b/modules/cxone-install/variables.tf
index 5234afc..39f4a73 100644
--- a/modules/cxone-install/variables.tf
+++ b/modules/cxone-install/variables.tf
@@ -155,6 +155,27 @@ variable "postgres_database_name" {
   default     = "ast"
 }
 
+variable "analytics_postgres_host" {
+  type        = string
+  description = "The endpoint for the analytics RDS server."
+}
+
+variable "analytics_postgres_database_name" {
+  type        = string
+  description = "The name of the analytics database."
+}
+
+variable "analytics_postgres_user" {
+  type        = string
+  description = "The user name for the analytics RDS server."
+  default     = "ast"
+}
+
+variable "analytics_postgres_password" {
+  type        = string
+  description = "The user name for the analytics RDS server."
+}
+
 variable "redis_address" {
   type        = string
   description = "The redis endpoint."
diff --git a/rds-analytics.tf b/rds-analytics.tf
new file mode 100644
index 0000000..09386ce
--- /dev/null
+++ b/rds-analytics.tf
@@ -0,0 +1,107 @@
+module "rds-analytics" {
+  source  = "terraform-aws-modules/rds-aurora/aws"
+  version = "9.3.1"
+  create  = var.db_create
+
+  name                                        = "${var.deployment_id}-analytics"
+  engine                                      = "aurora-postgresql"
+  engine_version                              = var.db_engine_version
+  allow_major_version_upgrade                 = var.db_allow_major_version_upgrade
+  engine_mode                                 = "provisioned"
+  instance_class                              = var.analytics_db_instance_class
+  vpc_id                                      = var.vpc_id
+  kms_key_id                                  = var.kms_key_arn
+  db_subnet_group_name                        = aws_db_subnet_group.main.name
+  storage_encrypted                           = true
+  apply_immediately                           = var.db_apply_immediately
+  skip_final_snapshot                         = var.db_skip_final_snapshot
+  final_snapshot_identifier                   = var.analytics_db_final_snapshot_identifier
+  auto_minor_version_upgrade                  = var.db_auto_minor_version_upgrade
+  iam_database_authentication_enabled         = false
+  snapshot_identifier                         = var.analytics_db_snapshot_identifer
+  monitoring_interval                         = var.db_monitoring_interval
+  performance_insights_enabled                = var.db_performance_insights_enabled
+  performance_insights_retention_period       = var.db_performance_insights_retention_period
+  db_cluster_db_instance_parameter_group_name = var.analytics_db_cluster_db_instance_parameter_group_name
+  master_username                             = "analytics"
+  database_name                               = "analytics"
+  master_password                             = var.analytics_db_master_user_password
+  manage_master_user_password                 = false
+  port                                        = var.db_port
+  deletion_protection                         = var.db_deletion_protection
+  enabled_cloudwatch_logs_exports             = ["postgresql"]
+  security_group_rules = {
+    ingress_from_vpc = {
+      cidr_blocks = data.aws_vpc.main.cidr_block_associations[*].cidr_block
+    }
+  }
+  serverlessv2_scaling_configuration = var.analytics_db_instance_class == "db.serverless" ? var.analytics_db_serverlessv2_scaling_configuration : {}
+  instances                          = var.analytics_db_instances
+}
+
+
+module "rds-proxy-analytics" {
+  source  = "terraform-aws-modules/rds-proxy/aws"
+  version = "3.1.0"
+  create  = var.db_create && var.db_create_rds_proxy
+
+  name                   = var.deployment_id
+  vpc_subnet_ids         = var.db_subnets
+  vpc_security_group_ids = [module.rds_proxy_sg.security_group_id]
+  endpoints = {
+    read_write = {
+      name                   = "read-write-endpoint"
+      vpc_subnet_ids         = var.db_subnets
+      vpc_security_group_ids = [module.rds_proxy_sg.security_group_id]
+    },
+    read_only = {
+      name                   = "read-only-endpoint"
+      vpc_subnet_ids         = var.db_subnets
+      vpc_security_group_ids = [module.rds_proxy_sg.security_group_id]
+      target_role            = "READ_ONLY"
+    }
+  }
+
+  auth = {
+    "root" = {
+      description = "Cluster generated master user password"
+      secret_arn  = var.db_create ? (var.analytics_db_master_user_password == null ? module.rds-analytics.cluster_master_user_secret[0].secret_arn : var.analytics_db_master_user_password) : null
+      auth_sceme  = "SECRETS"
+      iam_auth    = "DISABLED"
+    }
+  }
+
+  engine_family = "POSTGRESQL"
+  debug_logging = true
+
+  # Target Aurora cluster
+  target_db_cluster     = true
+  db_cluster_identifier = module.rds-analytics.cluster_id
+
+}
+
+
+output "analytics_db_endpoint" {
+  value = var.db_create_rds_proxy ? module.rds-proxy-analytics.db_proxy_endpoints.read_write.endpoint : module.rds-analytics.cluster_endpoint
+}
+
+output "analytics_db_port" {
+  value = module.rds-analytics.cluster_port
+}
+
+output "analytics_db_reader_endpoint" {
+  value = var.db_create_rds_proxy ? module.rds-proxy-analytics.db_proxy_endpoints.read_only.endpoint : module.rds-analytics.cluster_reader_endpoint
+}
+
+output "analytics_db_database_name" {
+  value = module.rds-analytics.cluster_database_name
+}
+
+output "analytics_db_master_username" {
+  value = module.rds-analytics.cluster_master_username
+}
+
+output "analytics_db_master_password" {
+  value     = module.rds-analytics.cluster_master_password
+  sensitive = true
+}
\ No newline at end of file
diff --git a/rds-databases.tf b/rds-databases.tf
new file mode 100644
index 0000000..b5e5028
--- /dev/null
+++ b/rds-databases.tf
@@ -0,0 +1,53 @@
+resource "helm_release" "analytics-rds-database-preparation" {
+
+  depends_on = [
+    module.rds,
+    module.rds-analytics,
+    module.eks
+  ]
+
+  name    = "database-preparation"
+  chart   = "${path.module}/helm/database-preparation"
+  version = "0.1.0"
+
+  # Set the namespace to install the release into
+  namespace        = "ast"
+  create_namespace = true
+  set {
+    name  = "rds.analytics_enabled"
+    value = "false"
+  }
+
+  set {
+    name  = "rds.byor_enabled"
+    value = "true"
+  }
+
+  set {
+    name  = "rds.writer_endpoint"
+    value = module.rds.cluster_endpoint
+  }
+
+  set {
+    name  = "rds.masterUsername"
+    value = "ast"
+  }
+
+  set {
+    name  = "rds.masterPassword"
+    value = var.db_master_user_password
+  }
+
+  set {
+    name  = "rds.analytics_db_name"
+    value = "analytics"
+  }
+
+  set {
+    name  = "rds.byor_db_name"
+    value = "byor"
+  }
+
+  # Wait for the release to be deployed
+  wait = true
+}
\ No newline at end of file
diff --git a/variables.tf b/variables.tf
index 735bffa..dadb850 100644
--- a/variables.tf
+++ b/variables.tf
@@ -515,6 +515,62 @@ variable "db_apply_immediately" {
 }
 
 
+#******************************************************************************
+#   RDS - Analytics - Configuration
+#******************************************************************************
+
+variable "analytics_db_instance_class" {
+  description = "The aurora postgres instance class."
+  type        = string
+  default     = "db.r6g.xlarge"
+}
+
+variable "analytics_db_final_snapshot_identifier" {
+  description = "Identifer for a final DB snapshot for the analytics database. Required when db_skip_final_snapshot is false.."
+  type        = string
+  default     = null
+}
+
+variable "analytics_db_snapshot_identifer" {
+  description = "The snapshot identifier to restore the anatlytics database from."
+  type        = string
+  default     = null
+}
+
+variable "analytics_db_cluster_db_instance_parameter_group_name" {
+  type        = string
+  default     = null
+  description = "The name of the DB Cluster parameter group to use."
+}
+
+variable "analytics_db_master_user_password" {
+  description = "The master user password for RDS. Specify to explicitly set the password otherwise RDS will be allowed to manage it."
+  type        = string
+  default     = null
+}
+
+variable "analytics_db_instances" {
+  type        = map(any)
+  description = "The DB instance configuration"
+  default = {
+    writer   = {}
+    replica1 = {}
+  }
+}
+
+variable "analytics_db_serverlessv2_scaling_configuration" {
+  description = "The serverless v2 scaling minimum and maximum."
+  type = object({
+    min_capacity = number
+    max_capacity = number
+  })
+  default = {
+    min_capacity = 0.5
+    max_capacity = 32
+  }
+}
+
+
 #******************************************************************************
 # Elasticache Configuration
 #******************************************************************************

From 3fc09270a38f1c2238d190b1b3890380aae66502 Mon Sep 17 00:00:00 2001
From: benjaminstokes <stokesbo@gmail.com>
Date: Thu, 16 May 2024 09:33:11 -0400
Subject: [PATCH 23/57] doc updates for 3.12

---
 README.md               | 29 +++++++++++++++++++++++++++--
 examples/full/README.md | 29 +++++++++++++++++++++++++----
 examples/full/main.tf   | 13 +++++++++++++
 main.tf                 | 12 ++++++++++++
 4 files changed, 77 insertions(+), 6 deletions(-)
 create mode 100644 main.tf

diff --git a/README.md b/README.md
index 41d5af5..63c6163 100644
--- a/README.md
+++ b/README.md
@@ -6,13 +6,17 @@ This repo contains a module for deploying [Checkmarx One](https://checkmarx.com/
 # Module documentation
 ## Requirements
 
-No requirements.
+| Name | Version |
+|------|---------|
+| <a name="requirement_helm"></a> [helm](#requirement\_helm) | ~> 2.13.0 |
+| <a name="requirement_kubernetes"></a> [kubernetes](#requirement\_kubernetes) | ~> 2.30.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
 | <a name="provider_aws"></a> [aws](#provider\_aws) | n/a |
+| <a name="provider_helm"></a> [helm](#provider\_helm) | ~> 2.13.0 |
 | <a name="provider_random"></a> [random](#provider\_random) | n/a |
 
 ## Modules
@@ -28,7 +32,9 @@ No requirements.
 | <a name="module_karpenter"></a> [karpenter](#module\_karpenter) | terraform-aws-modules/eks/aws//modules/karpenter | 20.8.5 |
 | <a name="module_load_balancer_controller_irsa"></a> [load\_balancer\_controller\_irsa](#module\_load\_balancer\_controller\_irsa) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | 5.39.0 |
 | <a name="module_rds"></a> [rds](#module\_rds) | terraform-aws-modules/rds-aurora/aws | 9.3.1 |
+| <a name="module_rds-analytics"></a> [rds-analytics](#module\_rds-analytics) | terraform-aws-modules/rds-aurora/aws | 9.3.1 |
 | <a name="module_rds-proxy"></a> [rds-proxy](#module\_rds-proxy) | terraform-aws-modules/rds-proxy/aws | 3.1.0 |
+| <a name="module_rds-proxy-analytics"></a> [rds-proxy-analytics](#module\_rds-proxy-analytics) | terraform-aws-modules/rds-proxy/aws | 3.1.0 |
 | <a name="module_rds_proxy_sg"></a> [rds\_proxy\_sg](#module\_rds\_proxy\_sg) | terraform-aws-modules/security-group/aws | 5.1.2 |
 | <a name="module_s3_bucket"></a> [s3\_bucket](#module\_s3\_bucket) | terraform-aws-modules/s3-bucket/aws | 4.1.1 |
 
@@ -44,6 +50,7 @@ No requirements.
 | [aws_elasticache_subnet_group.redis](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticache_subnet_group) | resource |
 | [aws_elasticsearch_domain.es](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticsearch_domain) | resource |
 | [aws_iam_policy.s3_bucket_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| helm_release.analytics-rds-database-preparation | resource |
 | [random_string.random_suffix](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) | resource |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_iam_role.karpenter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_role) | data source |
@@ -55,6 +62,13 @@ No requirements.
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| <a name="input_analytics_db_cluster_db_instance_parameter_group_name"></a> [analytics\_db\_cluster\_db\_instance\_parameter\_group\_name](#input\_analytics\_db\_cluster\_db\_instance\_parameter\_group\_name) | The name of the DB Cluster parameter group to use. | `string` | `null` | no |
+| <a name="input_analytics_db_final_snapshot_identifier"></a> [analytics\_db\_final\_snapshot\_identifier](#input\_analytics\_db\_final\_snapshot\_identifier) | Identifer for a final DB snapshot for the analytics database. Required when db\_skip\_final\_snapshot is false.. | `string` | `null` | no |
+| <a name="input_analytics_db_instance_class"></a> [analytics\_db\_instance\_class](#input\_analytics\_db\_instance\_class) | The aurora postgres instance class. | `string` | `"db.r6g.xlarge"` | no |
+| <a name="input_analytics_db_instances"></a> [analytics\_db\_instances](#input\_analytics\_db\_instances) | The DB instance configuration | `map(any)` | <pre>{<br>  "replica1": {},<br>  "writer": {}<br>}</pre> | no |
+| <a name="input_analytics_db_master_user_password"></a> [analytics\_db\_master\_user\_password](#input\_analytics\_db\_master\_user\_password) | The master user password for RDS. Specify to explicitly set the password otherwise RDS will be allowed to manage it. | `string` | `null` | no |
+| <a name="input_analytics_db_serverlessv2_scaling_configuration"></a> [analytics\_db\_serverlessv2\_scaling\_configuration](#input\_analytics\_db\_serverlessv2\_scaling\_configuration) | The serverless v2 scaling minimum and maximum. | <pre>object({<br>    min_capacity = number<br>    max_capacity = number<br>  })</pre> | <pre>{<br>  "max_capacity": 32,<br>  "min_capacity": 0.5<br>}</pre> | no |
+| <a name="input_analytics_db_snapshot_identifer"></a> [analytics\_db\_snapshot\_identifer](#input\_analytics\_db\_snapshot\_identifer) | The snapshot identifier to restore the anatlytics database from. | `string` | `null` | no |
 | <a name="input_aws_ebs_csi_driver_version"></a> [aws\_ebs\_csi\_driver\_version](#input\_aws\_ebs\_csi\_driver\_version) | The version of the EKS EBS CSI Addon. | `string` | n/a | yes |
 | <a name="input_coredns_version"></a> [coredns\_version](#input\_coredns\_version) | The version of the EKS Core DNS Addon. | `string` | n/a | yes |
 | <a name="input_db_allow_major_version_upgrade"></a> [db\_allow\_major\_version\_upgrade](#input\_db\_allow\_major\_version\_upgrade) | Allows major version upgrades. | `bool` | `false` | no |
@@ -100,16 +114,20 @@ No requirements.
 | <a name="input_ec_subnets"></a> [ec\_subnets](#input\_ec\_subnets) | The subnets to deploy Elasticache into. | `list(string)` | n/a | yes |
 | <a name="input_eks_administrator_principals"></a> [eks\_administrator\_principals](#input\_eks\_administrator\_principals) | The ARNs of the IAM roles for administrator access to EKS. | <pre>list(object({<br>    name          = string<br>    principal_arn = string<br>  }))</pre> | `[]` | no |
 | <a name="input_eks_cluster_endpoint_public_access_cidrs"></a> [eks\_cluster\_endpoint\_public\_access\_cidrs](#input\_eks\_cluster\_endpoint\_public\_access\_cidrs) | List of CIDR blocks which can access the Amazon EKS public API server endpoint | `list(string)` | <pre>[<br>  "0.0.0.0/0"<br>]</pre> | no |
+| <a name="input_eks_cluster_security_group_additional_rules"></a> [eks\_cluster\_security\_group\_additional\_rules](#input\_eks\_cluster\_security\_group\_additional\_rules) | Additional security group rules for the EKS cluster | `any` | `{}` | no |
 | <a name="input_eks_create"></a> [eks\_create](#input\_eks\_create) | Enables the EKS resource creation | `bool` | `true` | no |
 | <a name="input_eks_create_cluster_autoscaler_irsa"></a> [eks\_create\_cluster\_autoscaler\_irsa](#input\_eks\_create\_cluster\_autoscaler\_irsa) | Enables creation of cluster autoscaler IAM role. | `bool` | `true` | no |
 | <a name="input_eks_create_external_dns_irsa"></a> [eks\_create\_external\_dns\_irsa](#input\_eks\_create\_external\_dns\_irsa) | Enables creation of external dns IAM role. | `bool` | `true` | no |
 | <a name="input_eks_create_karpenter"></a> [eks\_create\_karpenter](#input\_eks\_create\_karpenter) | Enables creation of Karpenter resources. | `bool` | `false` | no |
 | <a name="input_eks_create_load_balancer_controller_irsa"></a> [eks\_create\_load\_balancer\_controller\_irsa](#input\_eks\_create\_load\_balancer\_controller\_irsa) | Enables creation of load balancer controller IAM role. | `bool` | `true` | no |
+| <a name="input_eks_enable_custom_networking"></a> [eks\_enable\_custom\_networking](#input\_eks\_enable\_custom\_networking) | Enables custom networking for the EKS VPC CNI. When true, custom networking is enabled with `ENI_CONFIG_LABEL_DEF` = `topology.kubernetes.io/zone` and ENIConfig resources must be created. | `bool` | `false` | no |
 | <a name="input_eks_enable_externalsnat"></a> [eks\_enable\_externalsnat](#input\_eks\_enable\_externalsnat) | Enables [External SNAT](https://docs.aws.amazon.com/eks/latest/userguide/external-snat.html) for the EKS VPC CNI. When true, the EKS pods must have a route to a NAT Gateway for outbound communication. | `bool` | `false` | no |
 | <a name="input_eks_enable_fargate"></a> [eks\_enable\_fargate](#input\_eks\_enable\_fargate) | Enables Fargate profiles for the karpenter and kube-system namespaces. | `bool` | `false` | no |
 | <a name="input_eks_node_additional_security_group_ids"></a> [eks\_node\_additional\_security\_group\_ids](#input\_eks\_node\_additional\_security\_group\_ids) | Additional security group ids to attach to EKS nodes. | `list(string)` | `[]` | no |
 | <a name="input_eks_node_groups"></a> [eks\_node\_groups](#input\_eks\_node\_groups) | n/a | <pre>list(object({<br>    name            = string<br>    min_size        = string<br>    desired_size    = string<br>    max_size        = string<br>    volume_type     = optional(string, "gp3")<br>    disk_size       = optional(number, 200)<br>    disk_iops       = optional(number, 3000)<br>    disk_throughput = optional(number, 125)<br>    device_name     = optional(string, "/dev/xvda")<br>    instance_types  = list(string)<br>    capacity_type   = optional(string, "ON_DEMAND")<br>    labels          = optional(map(string), {})<br>    taints          = optional(map(object({ key = string, value = string, effect = string })), {})<br>  }))</pre> | <pre>[<br>  {<br>    "desired_size": 3,<br>    "instance_types": [<br>      "c5.4xlarge"<br>    ],<br>    "max_size": 9,<br>    "min_size": 3,<br>    "name": "ast-app"<br>  },<br>  {<br>    "desired_size": 0,<br>    "instance_types": [<br>      "m5.2xlarge"<br>    ],<br>    "labels": {<br>      "sast-engine": "true"<br>    },<br>    "max_size": 100,<br>    "min_size": 0,<br>    "name": "sast-engine",<br>    "taints": {<br>      "dedicated": {<br>        "effect": "NO_SCHEDULE",<br>        "key": "sast-engine",<br>        "value": "true"<br>      }<br>    }<br>  },<br>  {<br>    "desired_size": 0,<br>    "instance_types": [<br>      "m5.4xlarge"<br>    ],<br>    "labels": {<br>      "sast-engine-large": "true"<br>    },<br>    "max_size": 100,<br>    "min_size": 0,<br>    "name": "sast-engine-large",<br>    "taints": {<br>      "dedicated": {<br>        "effect": "NO_SCHEDULE",<br>        "key": "sast-engine-large",<br>        "value": "true"<br>      }<br>    }<br>  },<br>  {<br>    "desired_size": 0,<br>    "instance_types": [<br>      "r5.2xlarge"<br>    ],<br>    "labels": {<br>      "sast-engine-extra-large": "true"<br>    },<br>    "max_size": 100,<br>    "min_size": 0,<br>    "name": "sast-engine-extra-large",<br>    "taints": {<br>      "dedicated": {<br>        "effect": "NO_SCHEDULE",<br>        "key": "sast-engine-extra-large",<br>        "value": "true"<br>      }<br>    }<br>  },<br>  {<br>    "desired_size": 0,<br>    "instance_types": [<br>      "r5.4xlarge"<br>    ],<br>    "labels": {<br>      "sast-engine-xxl": "true"<br>    },<br>    "max_size": 100,<br>    "min_size": 0,<br>    "name": "sast-engine-xxl",<br>    "taints": {<br>      "dedicated": {<br>        "effect": "NO_SCHEDULE",<br>        "key": "sast-engine-xxl",<br>        "value": "true"<br>      }<br>    }<br>  },<br>  {<br>    "desired_size": 1,<br>    "instance_types": [<br>      "c5.2xlarge"<br>    ],<br>    "labels": {<br>      "kics-engine": "true"<br>    },<br>    "max_size": 100,<br>    "min_size": 1,<br>    "name": "kics-engine",<br>    "taints": {<br>      "dedicated": {<br>        "effect": "NO_SCHEDULE",<br>        "key": "kics-engine",<br>        "value": "true"<br>      }<br>    }<br>  },<br>  {<br>    "desired_size": 1,<br>    "instance_types": [<br>      "c5.2xlarge"<br>    ],<br>    "labels": {<br>      "repostore": "true"<br>    },<br>    "max_size": 100,<br>    "min_size": 1,<br>    "name": "repostore",<br>    "taints": {<br>      "dedicated": {<br>        "effect": "NO_SCHEDULE",<br>        "key": "repostore",<br>        "value": "true"<br>      }<br>    }<br>  },<br>  {<br>    "desired_size": 1,<br>    "instance_types": [<br>      "m5.2xlarge"<br>    ],<br>    "labels": {<br>      "service": "sca-source-resolver"<br>    },<br>    "max_size": 100,<br>    "min_size": 1,<br>    "name": "sca-source-resolver",<br>    "taints": {<br>      "dedicated": {<br>        "effect": "NO_SCHEDULE",<br>        "key": "service",<br>        "value": "sca-source-resolver"<br>      }<br>    }<br>  }<br>]</pre> | no |
 | <a name="input_eks_pod_subnets"></a> [eks\_pod\_subnets](#input\_eks\_pod\_subnets) | The subnets to use for EKS pods. When specified, custom networking configuration is applied to the EKS cluster. | `list(string)` | n/a | yes |
+| <a name="input_eks_post_bootstrap_user_data"></a> [eks\_post\_bootstrap\_user\_data](#input\_eks\_post\_bootstrap\_user\_data) | User data to insert after bootstrapping script. | `string` | `""` | no |
+| <a name="input_eks_pre_bootstrap_user_data"></a> [eks\_pre\_bootstrap\_user\_data](#input\_eks\_pre\_bootstrap\_user\_data) | User data to insert before bootstrapping script. | `string` | `""` | no |
 | <a name="input_eks_private_endpoint_enabled"></a> [eks\_private\_endpoint\_enabled](#input\_eks\_private\_endpoint\_enabled) | Enables the EKS VPC private endpoint. | `bool` | `true` | no |
 | <a name="input_eks_public_endpoint_enabled"></a> [eks\_public\_endpoint\_enabled](#input\_eks\_public\_endpoint\_enabled) | Enables the EKS public endpoint. | `bool` | `false` | no |
 | <a name="input_eks_subnets"></a> [eks\_subnets](#input\_eks\_subnets) | The subnets to deploy EKS into. | `list(string)` | n/a | yes |
@@ -135,9 +153,17 @@ No requirements.
 
 | Name | Description |
 |------|-------------|
+| <a name="output_analytics_db_database_name"></a> [analytics\_db\_database\_name](#output\_analytics\_db\_database\_name) | n/a |
+| <a name="output_analytics_db_endpoint"></a> [analytics\_db\_endpoint](#output\_analytics\_db\_endpoint) | n/a |
+| <a name="output_analytics_db_master_password"></a> [analytics\_db\_master\_password](#output\_analytics\_db\_master\_password) | n/a |
+| <a name="output_analytics_db_master_username"></a> [analytics\_db\_master\_username](#output\_analytics\_db\_master\_username) | n/a |
+| <a name="output_analytics_db_port"></a> [analytics\_db\_port](#output\_analytics\_db\_port) | n/a |
+| <a name="output_analytics_db_reader_endpoint"></a> [analytics\_db\_reader\_endpoint](#output\_analytics\_db\_reader\_endpoint) | n/a |
 | <a name="output_bucket_suffix"></a> [bucket\_suffix](#output\_bucket\_suffix) | n/a |
 | <a name="output_cluster_autoscaler_iam_role_arn"></a> [cluster\_autoscaler\_iam\_role\_arn](#output\_cluster\_autoscaler\_iam\_role\_arn) | n/a |
+| <a name="output_cluster_certificate_authority_data"></a> [cluster\_certificate\_authority\_data](#output\_cluster\_certificate\_authority\_data) | n/a |
 | <a name="output_cluster_endpoint"></a> [cluster\_endpoint](#output\_cluster\_endpoint) | n/a |
+| <a name="output_cluster_name"></a> [cluster\_name](#output\_cluster\_name) | n/a |
 | <a name="output_db_database_name"></a> [db\_database\_name](#output\_db\_database\_name) | n/a |
 | <a name="output_db_endpoint"></a> [db\_endpoint](#output\_db\_endpoint) | n/a |
 | <a name="output_db_master_password"></a> [db\_master\_password](#output\_db\_master\_password) | n/a |
@@ -155,7 +181,6 @@ No requirements.
 | <a name="output_load_balancer_controller_iam_role_arn"></a> [load\_balancer\_controller\_iam\_role\_arn](#output\_load\_balancer\_controller\_iam\_role\_arn) | n/a |
 | <a name="output_nodegroup_iam_role_name"></a> [nodegroup\_iam\_role\_name](#output\_nodegroup\_iam\_role\_name) | n/a |
 | <a name="output_s3_bucket_name_suffix"></a> [s3\_bucket\_name\_suffix](#output\_s3\_bucket\_name\_suffix) | n/a |
-
 # Regional Considerations
 
 ## GovCloud
diff --git a/examples/full/README.md b/examples/full/README.md
index 8929673..0a9df38 100644
--- a/examples/full/README.md
+++ b/examples/full/README.md
@@ -7,11 +7,11 @@ The project configures the VPC, KMS, ACM, and other basic environment resources,
 Consult the [`example.auto.tfvars`](./example.auto.tfvars) for a full listing of what can be configured in this example, and the `terraform-aws-cxone module`.
 
 # Installation
-This example generates a Makefile in the project folder after Terraform finishes running. The Makefile has several targets that can help bootstrap your environment with the CxOne application. 
+This example generates a `Makefile` in the project folder after Terraform finishes running. The Makefile has several targets that can help bootstrap your environment with the CxOne application. 
 
 The `kots.$DEPLOYMENT_ID.yaml` file is also automatically generated and can be reviewed & modified after Terraform finishes.
 
-Run these commands to bootstrap your cluster.
+Run these commands to bootstrap your cluster using the generated files.
 
 Update your kubectl context:
 
@@ -35,17 +35,27 @@ Install the load balancer controller (wait approx 1 minute after cluster autosca
 make install-load-balancer-controller
 ```
 
+Install the external dns if you're using it (wait approx 1 minute after cluster autoscaler to avoid webhook issues):
+```sh
+make install-external-dns
+```
+
+Manually review your kots configuration file and make any adjustments, if needed.
+
 Install the Checkmarx One application:
 ```sh
 make kots-install
 ```
 
-You can also build your own bootstrapping process using the Makefile as a reference.
+You can also build your own installation process using your organization's tooling and techniques using the Makefile as a reference.
 
 # Module Documentation
 ## Requirements
 
-No requirements.
+| Name | Version |
+|------|---------|
+| <a name="requirement_helm"></a> [helm](#requirement\_helm) | ~> 2.13.0 |
+| <a name="requirement_kubernetes"></a> [kubernetes](#requirement\_kubernetes) | ~> 2.30.0 |
 
 ## Providers
 
@@ -68,6 +78,7 @@ No requirements.
 | Name | Type |
 |------|------|
 | [aws_kms_key.main](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
+| [random_password.analytics_db](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password) | resource |
 | [random_password.cxone_admin](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password) | resource |
 | [random_password.db](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password) | resource |
 | [random_password.elasticsearch](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password) | resource |
@@ -83,6 +94,13 @@ No requirements.
 |------|-------------|------|---------|:--------:|
 | <a name="input_acm_certificate_arn"></a> [acm\_certificate\_arn](#input\_acm\_certificate\_arn) | The ARN to the SSL certificate in AWS ACM to use for securing the load balancer | `string` | `null` | no |
 | <a name="input_additional_suricata_rules"></a> [additional\_suricata\_rules](#input\_additional\_suricata\_rules) | Additional [suricata rules](https://docs.aws.amazon.com/network-firewall/latest/developerguide/suricata-examples.html) rules to use in the network firewall. When provided these rules will be appended to the default rules prior to the default drop rule. | `string` | `""` | no |
+| <a name="input_analytics_db_cluster_db_instance_parameter_group_name"></a> [analytics\_db\_cluster\_db\_instance\_parameter\_group\_name](#input\_analytics\_db\_cluster\_db\_instance\_parameter\_group\_name) | The name of the DB Cluster parameter group to use. | `string` | `null` | no |
+| <a name="input_analytics_db_final_snapshot_identifier"></a> [analytics\_db\_final\_snapshot\_identifier](#input\_analytics\_db\_final\_snapshot\_identifier) | Identifer for a final DB snapshot for the analytics database. Required when db\_skip\_final\_snapshot is false.. | `string` | `null` | no |
+| <a name="input_analytics_db_instance_class"></a> [analytics\_db\_instance\_class](#input\_analytics\_db\_instance\_class) | The aurora postgres instance class. | `string` | `"db.r6g.xlarge"` | no |
+| <a name="input_analytics_db_instances"></a> [analytics\_db\_instances](#input\_analytics\_db\_instances) | The DB instance configuration | `map(any)` | <pre>{<br>  "replica1": {},<br>  "writer": {}<br>}</pre> | no |
+| <a name="input_analytics_db_master_user_password"></a> [analytics\_db\_master\_user\_password](#input\_analytics\_db\_master\_user\_password) | The master user password for RDS. Specify to explicitly set the password otherwise RDS will be allowed to manage it. | `string` | `null` | no |
+| <a name="input_analytics_db_serverlessv2_scaling_configuration"></a> [analytics\_db\_serverlessv2\_scaling\_configuration](#input\_analytics\_db\_serverlessv2\_scaling\_configuration) | The serverless v2 scaling minimum and maximum. | <pre>object({<br>    min_capacity = number<br>    max_capacity = number<br>  })</pre> | <pre>{<br>  "max_capacity": 32,<br>  "min_capacity": 0.5<br>}</pre> | no |
+| <a name="input_analytics_db_snapshot_identifer"></a> [analytics\_db\_snapshot\_identifer](#input\_analytics\_db\_snapshot\_identifer) | The snapshot identifier to restore the anatlytics database from. | `string` | `null` | no |
 | <a name="input_aws_ebs_csi_driver_version"></a> [aws\_ebs\_csi\_driver\_version](#input\_aws\_ebs\_csi\_driver\_version) | The version of the EKS EBS CSI Addon. | `string` | n/a | yes |
 | <a name="input_coredns_version"></a> [coredns\_version](#input\_coredns\_version) | The version of the EKS Core DNS Addon. | `string` | n/a | yes |
 | <a name="input_create_interface_endpoints"></a> [create\_interface\_endpoints](#input\_create\_interface\_endpoints) | Enables creation of the [interface endpoints](https://docs.aws.amazon.com/vpc/latest/privatelink/privatelink-access-aws-services.html) specified in `interface_vpc_endpoints` | `bool` | `true` | no |
@@ -134,10 +152,13 @@ No requirements.
 | <a name="input_eks_create_external_dns_irsa"></a> [eks\_create\_external\_dns\_irsa](#input\_eks\_create\_external\_dns\_irsa) | Enables creation of external dns IAM role. | `bool` | `true` | no |
 | <a name="input_eks_create_karpenter"></a> [eks\_create\_karpenter](#input\_eks\_create\_karpenter) | Enables creation of Karpenter resources. | `bool` | `false` | no |
 | <a name="input_eks_create_load_balancer_controller_irsa"></a> [eks\_create\_load\_balancer\_controller\_irsa](#input\_eks\_create\_load\_balancer\_controller\_irsa) | Enables creation of load balancer controller IAM role. | `bool` | `true` | no |
+| <a name="input_eks_enable_custom_networking"></a> [eks\_enable\_custom\_networking](#input\_eks\_enable\_custom\_networking) | Enables custom networking for the EKS VPC CNI. When true, custom networking is enabled with `ENI_CONFIG_LABEL_DEF` = `topology.kubernetes.io/zone` and ENIConfig resources must be created. | `bool` | `false` | no |
 | <a name="input_eks_enable_externalsnat"></a> [eks\_enable\_externalsnat](#input\_eks\_enable\_externalsnat) | Enables [External SNAT](https://docs.aws.amazon.com/eks/latest/userguide/external-snat.html) for the EKS VPC CNI. When true, the EKS pods must have a route to a NAT Gateway for outbound communication. | `bool` | `false` | no |
 | <a name="input_eks_enable_fargate"></a> [eks\_enable\_fargate](#input\_eks\_enable\_fargate) | Enables Fargate profiles for the karpenter and kube-system namespaces. | `bool` | `false` | no |
 | <a name="input_eks_node_additional_security_group_ids"></a> [eks\_node\_additional\_security\_group\_ids](#input\_eks\_node\_additional\_security\_group\_ids) | Additional security group ids to attach to EKS nodes. | `list(string)` | `[]` | no |
 | <a name="input_eks_node_groups"></a> [eks\_node\_groups](#input\_eks\_node\_groups) | n/a | <pre>list(object({<br>    name            = string<br>    min_size        = string<br>    desired_size    = string<br>    max_size        = string<br>    volume_type     = optional(string, "gp3")<br>    disk_size       = optional(number, 200)<br>    disk_iops       = optional(number, 3000)<br>    disk_throughput = optional(number, 125)<br>    device_name     = optional(string, "/dev/xvda")<br>    instance_types  = list(string)<br>    capacity_type   = optional(string, "ON_DEMAND")<br>    labels          = optional(map(string), {})<br>    taints          = optional(map(object({ key = string, value = string, effect = string })), {})<br>  }))</pre> | <pre>[<br>  {<br>    "desired_size": 3,<br>    "instance_types": [<br>      "c5.4xlarge"<br>    ],<br>    "max_size": 9,<br>    "min_size": 3,<br>    "name": "ast-app"<br>  },<br>  {<br>    "desired_size": 0,<br>    "instance_types": [<br>      "m5.2xlarge"<br>    ],<br>    "labels": {<br>      "sast-engine": "true"<br>    },<br>    "max_size": 100,<br>    "min_size": 0,<br>    "name": "sast-engine",<br>    "taints": {<br>      "dedicated": {<br>        "effect": "NO_SCHEDULE",<br>        "key": "sast-engine",<br>        "value": "true"<br>      }<br>    }<br>  },<br>  {<br>    "desired_size": 0,<br>    "instance_types": [<br>      "m5.4xlarge"<br>    ],<br>    "labels": {<br>      "sast-engine-large": "true"<br>    },<br>    "max_size": 100,<br>    "min_size": 0,<br>    "name": "sast-engine-large",<br>    "taints": {<br>      "dedicated": {<br>        "effect": "NO_SCHEDULE",<br>        "key": "sast-engine-large",<br>        "value": "true"<br>      }<br>    }<br>  },<br>  {<br>    "desired_size": 0,<br>    "instance_types": [<br>      "r5.2xlarge"<br>    ],<br>    "labels": {<br>      "sast-engine-extra-large": "true"<br>    },<br>    "max_size": 100,<br>    "min_size": 0,<br>    "name": "sast-engine-extra-large",<br>    "taints": {<br>      "dedicated": {<br>        "effect": "NO_SCHEDULE",<br>        "key": "sast-engine-extra-large",<br>        "value": "true"<br>      }<br>    }<br>  },<br>  {<br>    "desired_size": 0,<br>    "instance_types": [<br>      "r5.4xlarge"<br>    ],<br>    "labels": {<br>      "sast-engine-xxl": "true"<br>    },<br>    "max_size": 100,<br>    "min_size": 0,<br>    "name": "sast-engine-xxl",<br>    "taints": {<br>      "dedicated": {<br>        "effect": "NO_SCHEDULE",<br>        "key": "sast-engine-xxl",<br>        "value": "true"<br>      }<br>    }<br>  },<br>  {<br>    "desired_size": 1,<br>    "instance_types": [<br>      "c5.2xlarge"<br>    ],<br>    "labels": {<br>      "kics-engine": "true"<br>    },<br>    "max_size": 100,<br>    "min_size": 1,<br>    "name": "kics-engine",<br>    "taints": {<br>      "dedicated": {<br>        "effect": "NO_SCHEDULE",<br>        "key": "kics-engine",<br>        "value": "true"<br>      }<br>    }<br>  },<br>  {<br>    "desired_size": 1,<br>    "instance_types": [<br>      "c5.2xlarge"<br>    ],<br>    "labels": {<br>      "repostore": "true"<br>    },<br>    "max_size": 100,<br>    "min_size": 1,<br>    "name": "repostore",<br>    "taints": {<br>      "dedicated": {<br>        "effect": "NO_SCHEDULE",<br>        "key": "repostore",<br>        "value": "true"<br>      }<br>    }<br>  },<br>  {<br>    "desired_size": 0,<br>    "instance_types": [<br>      "m5.2xlarge"<br>    ],<br>    "labels": {<br>      "service": "sca-source-resolver"<br>    },<br>    "max_size": 100,<br>    "min_size": 0,<br>    "name": "sca-source-resolver",<br>    "taints": {<br>      "dedicated": {<br>        "effect": "NO_SCHEDULE",<br>        "key": "service",<br>        "value": "sca-source-resolver"<br>      }<br>    }<br>  }<br>]</pre> | no |
+| <a name="input_eks_post_bootstrap_user_data"></a> [eks\_post\_bootstrap\_user\_data](#input\_eks\_post\_bootstrap\_user\_data) | User data to insert after bootstrapping script. | `string` | `""` | no |
+| <a name="input_eks_pre_bootstrap_user_data"></a> [eks\_pre\_bootstrap\_user\_data](#input\_eks\_pre\_bootstrap\_user\_data) | User data to insert before bootstrapping script. | `string` | `""` | no |
 | <a name="input_eks_private_endpoint_enabled"></a> [eks\_private\_endpoint\_enabled](#input\_eks\_private\_endpoint\_enabled) | Enables the EKS VPC private endpoint. | `bool` | `true` | no |
 | <a name="input_eks_public_endpoint_enabled"></a> [eks\_public\_endpoint\_enabled](#input\_eks\_public\_endpoint\_enabled) | Enables the EKS public endpoint. | `bool` | `false` | no |
 | <a name="input_eks_version"></a> [eks\_version](#input\_eks\_version) | The version of the EKS Cluster (e.g. 1.27) | `string` | n/a | yes |
diff --git a/examples/full/main.tf b/examples/full/main.tf
index 935e319..8ac2494 100644
--- a/examples/full/main.tf
+++ b/examples/full/main.tf
@@ -265,6 +265,19 @@ module "checkmarx-one-install" {
   vpc_id                                = module.vpc.vpc_id
 }
 
+terraform {
+  required_providers {
+    helm = {
+      source  = "registry.terraform.io/hashicorp/helm"
+      version = "~> 2.13.0"
+    }
+    kubernetes = {
+      source  = "registry.terraform.io/hashicorp/kubernetes"
+      version = "~> 2.30.0"
+    }
+  }
+}
+
 provider "kubernetes" {
   host                   = module.checkmarx-one.cluster_endpoint
   cluster_ca_certificate = base64decode(module.checkmarx-one.cluster_certificate_authority_data)
diff --git a/main.tf b/main.tf
new file mode 100644
index 0000000..c2d3065
--- /dev/null
+++ b/main.tf
@@ -0,0 +1,12 @@
+terraform {
+  required_providers {
+    helm = {
+      source  = "registry.terraform.io/hashicorp/helm"
+      version = "~> 2.13.0"
+    }
+    kubernetes = {
+      source  = "registry.terraform.io/hashicorp/kubernetes"
+      version = "~> 2.30.0"
+    }
+  }
+}
\ No newline at end of file

From f519de19dd192645cd6be8d350bb5f4fe59c2870 Mon Sep 17 00:00:00 2001
From: benjaminstokes <stokesbo@gmail.com>
Date: Thu, 6 Jun 2024 01:00:07 -0400
Subject: [PATCH 24/57] Fix SCA results processor errors

---
 modules/cxone-install/kots.config.aws.reference.yaml.tftpl | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/modules/cxone-install/kots.config.aws.reference.yaml.tftpl b/modules/cxone-install/kots.config.aws.reference.yaml.tftpl
index f379356..c8325e4 100644
--- a/modules/cxone-install/kots.config.aws.reference.yaml.tftpl
+++ b/modules/cxone-install/kots.config.aws.reference.yaml.tftpl
@@ -27,8 +27,9 @@ spec:
       value: "1"
 
     # Enable the local flow for SCA Global inventory
+    # Should always be "1", don't change unless advised by Cx
     enable_sca_local_flow_for_global_inventory:
-      value: "0"
+      value: "1"
 
     # Enables using a dedicated node group just for SCA components. 
     # If enabled, the node group must exists with the correct labels and taint.

From 4a84fd197e853b6f606370fc0d4e9174e911a609 Mon Sep 17 00:00:00 2001
From: benjaminstokes <stokesbo@gmail.com>
Date: Thu, 6 Jun 2024 01:38:05 -0400
Subject: [PATCH 25/57] fix template names

---
 .../templates/analytics-database-preparation.yaml               | 2 +-
 .../templates/byor-database-preparation.yaml                    | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/helm/database-preparation/templates/analytics-database-preparation.yaml b/helm/database-preparation/templates/analytics-database-preparation.yaml
index b378e56..85bead9 100644
--- a/helm/database-preparation/templates/analytics-database-preparation.yaml
+++ b/helm/database-preparation/templates/analytics-database-preparation.yaml
@@ -2,7 +2,7 @@
 apiVersion: batch/v1
 kind: Job
 metadata:
-  name: {{ .Release.Name }}
+  name: {{ printf "%s-%s" .Release.Name "analytics" }}
   namespace: {{ .Release.Namespace }}
 spec:
   ttlSecondsAfterFinished: 100
diff --git a/helm/database-preparation/templates/byor-database-preparation.yaml b/helm/database-preparation/templates/byor-database-preparation.yaml
index 0653638..0ea8dfb 100644
--- a/helm/database-preparation/templates/byor-database-preparation.yaml
+++ b/helm/database-preparation/templates/byor-database-preparation.yaml
@@ -2,7 +2,7 @@
 apiVersion: batch/v1
 kind: Job
 metadata:
-  name: {{ .Release.Name }}
+  name: {{ printf "%s-%s" .Release.Name "byor" }}
   namespace: {{ .Release.Namespace }}
 spec:
   ttlSecondsAfterFinished: 100

From 0b669309680502993f5c42ba4d5ffa41bd08320c Mon Sep 17 00:00:00 2001
From: benjaminstokes <stokesbo@gmail.com>
Date: Thu, 6 Jun 2024 01:38:22 -0400
Subject: [PATCH 26/57] increase stability of destroying env

---
 modules/cxone-install/destroy-load-balancer.sh.tftpl | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/modules/cxone-install/destroy-load-balancer.sh.tftpl b/modules/cxone-install/destroy-load-balancer.sh.tftpl
index 84a0e2e..0ae9b62 100644
--- a/modules/cxone-install/destroy-load-balancer.sh.tftpl
+++ b/modules/cxone-install/destroy-load-balancer.sh.tftpl
@@ -10,14 +10,18 @@ DEPLOYMENT_ID=${deployment_id}
 # Clean up load balancer
 ELB_ARN=$(aws elbv2 describe-load-balancers | jq -r '.LoadBalancers[].LoadBalancerArn' | xargs -I {} aws elbv2 describe-tags --resource-arns {} --query "TagDescriptions[?Tags[?Key=='elbv2.k8s.aws/cluster' &&Value=='$${DEPLOYMENT_ID}']].ResourceArn" --output text)
 aws elbv2 delete-load-balancer --load-balancer-arn $${ELB_ARN}
+sleep 10
 
 # Clean up target groups
 aws elbv2 describe-target-groups | jq -r '.TargetGroups[].TargetGroupArn' | xargs -I {} aws elbv2 describe-tags --resource-arns {} --query "TagDescriptions[?Tags[?Key=='elbv2.k8s.aws/cluster' &&Value=='$${DEPLOYMENT_ID}']].ResourceArn" --output text | xargs -I {} aws elbv2 delete-target-group --target-group-arn {}
+sleep 10
 
 # Clean up security groups
 # The "Node" security group will have references to the ELB security groups, so remove all the rules to allow groups to be deleted successfully
 NODE_SG_ID=$(aws ec2 describe-security-groups --filters Name=tag:Name,Values=$${DEPLOYMENT_ID}-node --query "SecurityGroups[*].GroupId" --output text | tr "\t" "\n")
 aws ec2 revoke-security-group-ingress --group-id $${NODE_SG_ID} --ip-permissions "`aws ec2 describe-security-groups --output json --group-ids $${NODE_SG_ID} --query "SecurityGroups[0].IpPermissions"`"
+sleep 10
 
 # Delete the ELB security groups
 aws ec2 describe-security-groups --filters Name=tag:elbv2.k8s.aws/cluster,Values=$${DEPLOYMENT_ID} --query "SecurityGroups[*].GroupId" --output text | tr "\t" "\n" | xargs -I {} aws ec2 delete-security-group --group-id {} 
+sleep 10
\ No newline at end of file

From 6b8242ebefe14def154cd77efc3938677adf0385 Mon Sep 17 00:00:00 2001
From: benjaminstokes <stokesbo@gmail.com>
Date: Thu, 6 Jun 2024 02:06:07 -0400
Subject: [PATCH 27/57] external config of keys and encrypted ebs pvc support

---
 examples/full/main.tf                         |  1 +
 .../apply-storageclass-config.sh.tftpl        |  2 +
 modules/cxone-install/keys.tf                 | 66 +++++++++++++++++++
 .../kots.config.aws.reference.yaml.tftpl      | 24 +++++++
 modules/cxone-install/main.tf                 | 21 ++++++
 modules/cxone-install/variables.tf            | 52 ++++++++++++++-
 6 files changed, 165 insertions(+), 1 deletion(-)
 create mode 100644 modules/cxone-install/keys.tf

diff --git a/examples/full/main.tf b/examples/full/main.tf
index 8ac2494..f16ecc9 100644
--- a/examples/full/main.tf
+++ b/examples/full/main.tf
@@ -263,6 +263,7 @@ module "checkmarx-one-install" {
   availability_zones                    = module.vpc.azs
   pod_eniconfig                         = module.vpc.ENIConfig
   vpc_id                                = module.vpc.vpc_id
+  kms_key_arn                           = aws_kms_key.main.arn
 }
 
 terraform {
diff --git a/modules/cxone-install/apply-storageclass-config.sh.tftpl b/modules/cxone-install/apply-storageclass-config.sh.tftpl
index 456f669..696dd1a 100644
--- a/modules/cxone-install/apply-storageclass-config.sh.tftpl
+++ b/modules/cxone-install/apply-storageclass-config.sh.tftpl
@@ -14,6 +14,8 @@ cat <<EOF | kubectl apply -f -
   parameters:
     fstype: xfs
     type: gp3
+    encrypted: "true"
+    kmsKeyId: ${kmsKeyArn}
   provisioner: ebs.csi.aws.com
   reclaimPolicy: Delete
   volumeBindingMode: WaitForFirstConsumer
diff --git a/modules/cxone-install/keys.tf b/modules/cxone-install/keys.tf
new file mode 100644
index 0000000..8ed2496
--- /dev/null
+++ b/modules/cxone-install/keys.tf
@@ -0,0 +1,66 @@
+resource "random_password" "core_configuration_encryption_key" {
+  count       = var.core_configuration_encryption_key == null ? 1 : 0
+  length      = 64
+  special     = false
+  min_special = 0
+  min_upper   = 1
+  min_lower   = 1
+  min_numeric = 1
+}
+
+resource "random_password" "sca_client_secret" {
+  count       = var.sca_client_secret == null ? 1 : 0
+  length      = 16
+  special     = false
+  min_special = 0
+  min_upper   = 1
+  min_lower   = 1
+  min_numeric = 1
+}
+
+resource "random_password" "integration_encryption_key" {
+  count       = var.integration_encryption_key == null ? 1 : 0
+  length      = 24
+  special     = false
+  min_special = 0
+  min_upper   = 1
+  min_lower   = 1
+  min_numeric = 1
+}
+
+resource "random_password" "integrations_repos_manager_azure_tenant_key" {
+  count       = var.integrations_repos_manager_azure_tenant_key == null ? 1 : 0
+  length      = 8
+  special     = false
+  min_special = 0
+  min_upper   = 1
+  min_lower   = 1
+  min_numeric = 1
+}
+resource "random_password" "integrations_repos_manager_bitbucket_tenant_key" {
+  count       = var.integrations_repos_manager_bitbucket_tenant_key == null ? 1 : 0
+  length      = 8
+  special     = false
+  min_special = 0
+  min_upper   = 1
+  min_lower   = 1
+  min_numeric = 1
+}
+resource "random_password" "integrations_repos_manager_github_tenant_key" {
+  count       = var.integrations_repos_manager_github_tenant_key == null ? 1 : 0
+  length      = 8
+  special     = false
+  min_special = 0
+  min_upper   = 1
+  min_lower   = 1
+  min_numeric = 1
+}
+resource "random_password" "integrations_repos_manager_gitlab_tenant_key" {
+  count       = var.integrations_repos_manager_gitlab_tenant_key == null ? 1 : 0
+  length      = 32
+  special     = false
+  min_special = 0
+  min_upper   = 1
+  min_lower   = 1
+  min_numeric = 1
+}
diff --git a/modules/cxone-install/kots.config.aws.reference.yaml.tftpl b/modules/cxone-install/kots.config.aws.reference.yaml.tftpl
index c8325e4..ac44b74 100644
--- a/modules/cxone-install/kots.config.aws.reference.yaml.tftpl
+++ b/modules/cxone-install/kots.config.aws.reference.yaml.tftpl
@@ -77,6 +77,30 @@ spec:
     ENABLE_TLS:
       default: "1"
 
+    #--------------------------------------------------------------------------
+    #  Keys
+    #--------------------------------------------------------------------------
+    core_configuration_encryption_key:
+      value: ${core_configuration_encryption_key}
+
+    sca_client_secret:
+      value: ${sca_client_secret}
+
+    integration_encryption_key:
+      value: ${integration_encryption_key}
+
+    integrations_repos_manager_azure_tenant_key:
+      value: ${integrations_repos_manager_azure_tenant_key}
+
+    integrations_repos_manager_bitbucket_tenant_key:
+      value: ${integrations_repos_manager_bitbucket_tenant_key}
+
+    integrations_repos_manager_github_tenant_key:
+      value: ${integrations_repos_manager_github_tenant_key}
+
+    integrations_repos_manager_gitlab_tenant_key:
+      value: ${integrations_repos_manager_gitlab_tenant_key}
+
     #--------------------------------------------------------------------------
     # SCA Global Inventory & Elasticsearch
     #--------------------------------------------------------------------------
diff --git a/modules/cxone-install/main.tf b/modules/cxone-install/main.tf
index 0050c0f..5d6037c 100644
--- a/modules/cxone-install/main.tf
+++ b/modules/cxone-install/main.tf
@@ -6,6 +6,16 @@
 #   secret_id = data.aws_secretsmanager_secret.rds_secret.id
 # }
 
+locals {
+  core_configuration_encryption_key               = var.core_configuration_encryption_key == null ? random_password.core_configuration_encryption_key[0].result : var.core_configuration_encryption_key
+  sca_client_secret                               = var.sca_client_secret == null ? random_password.sca_client_secret[0].result : var.sca_client_secret
+  integration_encryption_key                      = var.integration_encryption_key == null ? random_password.integration_encryption_key[0].result : var.integration_encryption_key
+  integrations_repos_manager_azure_tenant_key     = var.integrations_repos_manager_azure_tenant_key == null ? random_password.integrations_repos_manager_azure_tenant_key[0].result : var.integrations_repos_manager_azure_tenant_key
+  integrations_repos_manager_bitbucket_tenant_key = var.integrations_repos_manager_bitbucket_tenant_key == null ? random_password.integrations_repos_manager_bitbucket_tenant_key[0].result : var.integrations_repos_manager_bitbucket_tenant_key
+  integrations_repos_manager_github_tenant_key    = var.integrations_repos_manager_github_tenant_key == null ? random_password.integrations_repos_manager_github_tenant_key[0].result : var.integrations_repos_manager_github_tenant_key
+  integrations_repos_manager_gitlab_tenant_key    = var.integrations_repos_manager_gitlab_tenant_key == null ? random_password.integrations_repos_manager_gitlab_tenant_key[0].result : var.integrations_repos_manager_gitlab_tenant_key
+}
+
 resource "local_file" "kots_config" {
   content = templatefile("${path.module}/kots.config.aws.reference.yaml.tftpl", {
     aws_region     = var.region
@@ -50,6 +60,16 @@ resource "local_file" "kots_config" {
     # Elasticsearch
     elasticsearch_host     = var.elasticsearch_host
     elasticsearch_password = var.elasticsearch_password
+
+    # Keys
+    core_configuration_encryption_key               = local.core_configuration_encryption_key
+    sca_client_secret                               = local.sca_client_secret
+    integration_encryption_key                      = local.integration_encryption_key
+    integrations_repos_manager_azure_tenant_key     = local.integrations_repos_manager_azure_tenant_key
+    integrations_repos_manager_bitbucket_tenant_key = local.integrations_repos_manager_bitbucket_tenant_key
+    integrations_repos_manager_github_tenant_key    = local.integrations_repos_manager_github_tenant_key
+    integrations_repos_manager_gitlab_tenant_key    = local.integrations_repos_manager_gitlab_tenant_key
+
   })
   filename = "kots.${var.deployment_id}.yaml"
 }
@@ -98,6 +118,7 @@ resource "local_file" "storage_class" {
     nodegroup_iam_role_name = var.nodegroup_iam_role_name
     availability_zones      = jsonencode(var.availability_zones)
     karpenter_iam_role_arn  = var.karpenter_iam_role_arn
+    kmsKeyArn               = var.kms_key_arn
 
   })
   filename = "apply-storageclass-config.${var.deployment_id}.sh"
diff --git a/modules/cxone-install/variables.tf b/modules/cxone-install/variables.tf
index 39f4a73..4c6c168 100644
--- a/modules/cxone-install/variables.tf
+++ b/modules/cxone-install/variables.tf
@@ -222,4 +222,54 @@ variable "smtp_password" {
 variable "smtp_from_sender" {
   description = "The address to use in the from field when sending emails."
   type        = string
-}
\ No newline at end of file
+}
+
+#******************************************************************************
+#   Keys
+#******************************************************************************
+variable "core_configuration_encryption_key" {
+  description = "The core configuraiton key for the system. Autogenerated if left unspecified."
+  type        = string
+  default     = null
+}
+
+variable "sca_client_secret" {
+  description = "The SCA client secret for the system. Autogenerated if left unspecified."
+  type        = string
+  default     = null
+}
+
+variable "integration_encryption_key" {
+  description = "The integrations encryption key for the system. Autogenerated if left unspecified."
+  type        = string
+  default     = null
+}
+
+variable "integrations_repos_manager_azure_tenant_key" {
+  description = "The integrations Azure tenant key. Autogenerated if left unspecified."
+  type        = string
+  default     = null
+}
+
+variable "integrations_repos_manager_bitbucket_tenant_key" {
+  description = "The integrations bitbucket tenant key. Autogenerated if left unspecified."
+  type        = string
+  default     = null
+}
+
+variable "integrations_repos_manager_github_tenant_key" {
+  description = "The integrations github tenant key. Autogenerated if left unspecified."
+  type        = string
+  default     = null
+}
+
+variable "integrations_repos_manager_gitlab_tenant_key" {
+  description = "The integrations gitlab tenant key. Autogenerated if left unspecified."
+  type        = string
+  default     = null
+}
+
+variable "kms_key_arn" {
+  description = "The ARN to the KMS key of the system."
+  type        = string
+}

From 66e3cd252df87955e2bf5f16100ec371083af8fa Mon Sep 17 00:00:00 2001
From: benjaminstokes <stokesbo@gmail.com>
Date: Thu, 6 Jun 2024 14:02:01 -0400
Subject: [PATCH 28/57] Move CSI Driver to IRSA

---
 eks.tf | 25 ++++++++++++++++++++++---
 1 file changed, 22 insertions(+), 3 deletions(-)

diff --git a/eks.tf b/eks.tf
index 635c478..fba4f74 100644
--- a/eks.tf
+++ b/eks.tf
@@ -112,7 +112,6 @@ module "eks_node_iam_role" {
   role_name         = "${var.deployment_id}-eks-nodes"
   role_requires_mfa = false
   custom_role_policy_arns = [
-    "arn:${data.aws_partition.current.partition}:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy",
     "arn:${data.aws_partition.current.partition}:iam::aws:policy/service-role/AmazonAPIGatewayPushToCloudWatchLogs",
     "arn:${data.aws_partition.current.partition}:iam::aws:policy/AmazonEKS_CNI_Policy",
     "arn:${data.aws_partition.current.partition}:iam::aws:policy/AmazonEKSWorkerNodePolicy",
@@ -141,6 +140,7 @@ resource "aws_iam_policy" "s3_bucket_access" {
   })
 }
 
+
 module "eks" {
   source  = "terraform-aws-modules/eks/aws"
   version = "20.8.5"
@@ -231,8 +231,9 @@ module "eks" {
       })
     }
     aws-ebs-csi-driver = {
-      addon_version        = var.aws_ebs_csi_driver_version
-      configuration_values = var.eks_enable_fargate ? local.ebs_csi_fargate_configuration_values : null
+      addon_version            = var.aws_ebs_csi_driver_version
+      configuration_values     = var.eks_enable_fargate ? local.ebs_csi_fargate_configuration_values : null
+      service_account_role_arn = module.ebs_csi_irsa[0].iam_role_arn
     }
   }
   create_kms_key = false
@@ -294,6 +295,24 @@ resource "aws_autoscaling_group_tag" "cluster_autoscaler_taint" {
 }
 
 
+module "ebs_csi_irsa" {
+  source  = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
+  version = "5.39.0"
+  count   = var.eks_create ? 1 : 0
+
+  role_name             = "ebs-csi-${var.deployment_id}"
+  role_description      = "IRSA role for EBS CSI Driver"
+  attach_ebs_csi_policy = true
+  ebs_csi_kms_cmk_ids   = [var.kms_key_arn]
+  oidc_providers = {
+    main = {
+      provider_arn               = module.eks.oidc_provider_arn
+      namespace_service_accounts = ["kube-system:ebs-csi-controller-sa"]
+    }
+  }
+}
+
+
 module "cluster_autoscaler_irsa" {
   source  = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
   version = "5.39.0"

From 8e1d0bacdcd1fd156ad5a406066fda12fd6906dc Mon Sep 17 00:00:00 2001
From: benjaminstokes <stokesbo@gmail.com>
Date: Thu, 6 Jun 2024 17:18:36 -0400
Subject: [PATCH 29/57] fix key generation

---
 modules/cxone-install/keys.tf | 18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)

diff --git a/modules/cxone-install/keys.tf b/modules/cxone-install/keys.tf
index 8ed2496..9bd70f9 100644
--- a/modules/cxone-install/keys.tf
+++ b/modules/cxone-install/keys.tf
@@ -1,11 +1,13 @@
+# core_configuration_encryption_key is 64 character hex value
 resource "random_password" "core_configuration_encryption_key" {
-  count       = var.core_configuration_encryption_key == null ? 1 : 0
-  length      = 64
-  special     = false
-  min_special = 0
-  min_upper   = 1
-  min_lower   = 1
-  min_numeric = 1
+  count            = var.core_configuration_encryption_key == null ? 1 : 0
+  length           = 64
+  special          = true
+  override_special = "abcdef0123456789"
+  min_special      = 64
+  min_upper        = 0
+  min_lower        = 0
+  min_numeric      = 0
 }
 
 resource "random_password" "sca_client_secret" {
@@ -57,7 +59,7 @@ resource "random_password" "integrations_repos_manager_github_tenant_key" {
 }
 resource "random_password" "integrations_repos_manager_gitlab_tenant_key" {
   count       = var.integrations_repos_manager_gitlab_tenant_key == null ? 1 : 0
-  length      = 32
+  length      = 8
   special     = false
   min_special = 0
   min_upper   = 1

From acd5eff3567f8ff13b8624da229503af4b185cd6 Mon Sep 17 00:00:00 2001
From: benjaminstokes <stokesbo@gmail.com>
Date: Tue, 11 Jun 2024 12:38:17 -0400
Subject: [PATCH 30/57] Update firewall rules for SCA EU region

---
 modules/inspection-vpc/firewall-rules.tf | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/modules/inspection-vpc/firewall-rules.tf b/modules/inspection-vpc/firewall-rules.tf
index 873e24e..42bd103 100644
--- a/modules/inspection-vpc/firewall-rules.tf
+++ b/modules/inspection-vpc/firewall-rules.tf
@@ -148,10 +148,13 @@ pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"api-sca.checkmarx
 pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"eu.iam.checkmarx.net"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240420058; rev:1;)
 pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"eu.api-sca.checkmarx.net"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240420059; rev:1;)
 pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"uploads.sca.checkmarx.net"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240420060; rev:1;)
+pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"uploads.eu.sca.checkmarx.net"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240611001; rev:1;)
 # Scan results buckets are used for SCA scan result syncing, and vary by the connected SCA region (e.g. NA, or EU)
 pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"microservice-scanresults-prod-storage-1an26shc41yi3.s3.amazonaws.com"; startswith; nocase; endswith; msg:"SCA NA region result sync bucket"; flow:to_server, established; sid:240420061; rev:1;)
+pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"microservice-scanresults-prodeu-storage-1c25a060x93rl.s3.amazonaws.com"; startswith; nocase; endswith; msg:"SCA NA region result sync bucket"; flow:to_server, established; sid:240611002; rev:1;)
+# Codebashing
 pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"api.stagecodebashing.com"; startswith; nocase; endswith; msg:"SCA NA region result sync bucket"; flow:to_server, established; sid:240422001; rev:1;)
-# upcoming features                                             
+# Upcoming features                                             
 pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"cx-sca-containers.es.us-east-1.aws.found.io"; startswith; nocase; endswith; msg:"SCA NA region result sync bucket"; flow:to_server, established; sid:204290001; rev:1;)
 
 

From 6cf863131c38503ef2786498b89d0851234caea9 Mon Sep 17 00:00:00 2001
From: benjaminstokes <stokesbo@gmail.com>
Date: Tue, 11 Jun 2024 15:37:20 -0400
Subject: [PATCH 31/57] Temp rename file to fix case

---
 modules/cxone-install/{makefile.tftpl => Makefile2.tftpl} | 1 +
 1 file changed, 1 insertion(+)
 rename modules/cxone-install/{makefile.tftpl => Makefile2.tftpl} (99%)

diff --git a/modules/cxone-install/makefile.tftpl b/modules/cxone-install/Makefile2.tftpl
similarity index 99%
rename from modules/cxone-install/makefile.tftpl
rename to modules/cxone-install/Makefile2.tftpl
index 07c5f01..e6b759a 100644
--- a/modules/cxone-install/makefile.tftpl
+++ b/modules/cxone-install/Makefile2.tftpl
@@ -15,6 +15,7 @@ REGISTRY_PASSWORD = ???
 TOTP = 123
 
 
+
 .PHONY: update-kubeconfig
 update-kubeconfig:
 	aws eks update-kubeconfig --name $${EKS_CLUSTER_NAME}

From 3797aa1f72d952aa372f8cd066397ccab651f1da Mon Sep 17 00:00:00 2001
From: benjaminstokes <stokesbo@gmail.com>
Date: Tue, 11 Jun 2024 15:38:05 -0400
Subject: [PATCH 32/57] Fix Makefile init casing

---
 modules/cxone-install/{Makefile2.tftpl => Makefile.tftpl} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename modules/cxone-install/{Makefile2.tftpl => Makefile.tftpl} (100%)

diff --git a/modules/cxone-install/Makefile2.tftpl b/modules/cxone-install/Makefile.tftpl
similarity index 100%
rename from modules/cxone-install/Makefile2.tftpl
rename to modules/cxone-install/Makefile.tftpl

From 9694b3c7862d74d2fbd447a7e63379541f111c10 Mon Sep 17 00:00:00 2001
From: benjaminstokes <stokesbo@gmail.com>
Date: Fri, 14 Jun 2024 12:08:47 -0400
Subject: [PATCH 33/57] set config on current version to avoid inadvertent
 upgrades.

---
 modules/cxone-install/Makefile.tftpl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/cxone-install/Makefile.tftpl b/modules/cxone-install/Makefile.tftpl
index e6b759a..f01dd91 100644
--- a/modules/cxone-install/Makefile.tftpl
+++ b/modules/cxone-install/Makefile.tftpl
@@ -34,7 +34,7 @@ kots-install-from-airgap:
 
 .PHONY: kots-set-config
 kots-set-config:
-	kubectl kots set config ast -n $${NAMESPACE} --config-file $${KOTS_CONFIG_FILE} --deploy
+	kubectl kots set config ast -n $${NAMESPACE} --config-file $${KOTS_CONFIG_FILE} --deploy --current	
 
 
 .PHONY: kots-get-config

From 6c0c4e20bba8d04ead8e2e5462d1c5570021006c Mon Sep 17 00:00:00 2001
From: benjaminstokes <stokesbo@gmail.com>
Date: Fri, 14 Jun 2024 12:09:17 -0400
Subject: [PATCH 34/57] use single quotes on db password to avoid shell
 expansion on special characters

---
 .../templates/analytics-database-preparation.yaml               | 2 +-
 .../templates/byor-database-preparation.yaml                    | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/helm/database-preparation/templates/analytics-database-preparation.yaml b/helm/database-preparation/templates/analytics-database-preparation.yaml
index 85bead9..3a2b2b1 100644
--- a/helm/database-preparation/templates/analytics-database-preparation.yaml
+++ b/helm/database-preparation/templates/analytics-database-preparation.yaml
@@ -17,7 +17,7 @@ spec:
         args:
           - >
             echo Creating analytics database...;
-            export PGPASSWORD={{ .Values.rds.masterPassword | quote }};
+            export PGPASSWORD={{ .Values.rds.masterPassword | squote }};
             echo "SELECT 'CREATE DATABASE $rds_analytics_db_name' WHERE NOT EXISTS (SELECT FROM pg_database WHERE datname = '$rds_analytics_db_name')\gexec" | psql -h $rds_writer -d postgres -U $rds_master_username
         env:
           - name: rds_writer
diff --git a/helm/database-preparation/templates/byor-database-preparation.yaml b/helm/database-preparation/templates/byor-database-preparation.yaml
index 0ea8dfb..9fab220 100644
--- a/helm/database-preparation/templates/byor-database-preparation.yaml
+++ b/helm/database-preparation/templates/byor-database-preparation.yaml
@@ -17,7 +17,7 @@ spec:
         args:
           - >
             echo Creating byor database...;
-            export PGPASSWORD={{ .Values.rds.masterPassword | quote }};
+            export PGPASSWORD={{ .Values.rds.masterPassword | squote }};
             echo "SELECT 'CREATE DATABASE $rds_byor_db_name' WHERE NOT EXISTS (SELECT FROM pg_database WHERE datname = '$rds_byor_db_name')\gexec" | psql -h $rds_writer -d postgres -U $rds_master_username
         env:
           - name: rds_writer

From acbeab966f231728c2ef0a06f03af22193069a99 Mon Sep 17 00:00:00 2001
From: benjaminstokes <stokesbo@gmail.com>
Date: Thu, 27 Jun 2024 09:51:32 -0400
Subject: [PATCH 35/57] Update default instance config

Increased volume size to pass preflight checks.
Increased instance size for repostore to ensure pod scheduling.
---
 variables.tf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/variables.tf b/variables.tf
index dadb850..a26a1ef 100644
--- a/variables.tf
+++ b/variables.tf
@@ -206,7 +206,7 @@ variable "eks_node_groups" {
     desired_size    = string
     max_size        = string
     volume_type     = optional(string, "gp3")
-    disk_size       = optional(number, 200)
+    disk_size       = optional(number, 225)
     disk_iops       = optional(number, 3000)
     disk_throughput = optional(number, 125)
     device_name     = optional(string, "/dev/xvda")
@@ -312,7 +312,7 @@ variable "eks_node_groups" {
       min_size       = 1
       desired_size   = 1
       max_size       = 100
-      instance_types = ["c5.2xlarge"]
+      instance_types = ["m5.2xlarge"]
       labels = {
         "repostore" = "true"
       }

From 09490c7fc6d33d0b142bddfc2c796c893ff37392 Mon Sep 17 00:00:00 2001
From: benjaminstokes <stokesbo@gmail.com>
Date: Thu, 27 Jun 2024 14:54:14 -0400
Subject: [PATCH 36/57] bump disk to 225gb to pass preflight checks

---
 examples/full/variables-cxone.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/examples/full/variables-cxone.tf b/examples/full/variables-cxone.tf
index c22d282..e4e9a59 100644
--- a/examples/full/variables-cxone.tf
+++ b/examples/full/variables-cxone.tf
@@ -196,7 +196,7 @@ variable "eks_node_groups" {
     desired_size    = string
     max_size        = string
     volume_type     = optional(string, "gp3")
-    disk_size       = optional(number, 200)
+    disk_size       = optional(number, 225)
     disk_iops       = optional(number, 3000)
     disk_throughput = optional(number, 125)
     device_name     = optional(string, "/dev/xvda")

From ecc3d2cb1e2154d6bbede00b364503eb33523fc7 Mon Sep 17 00:00:00 2001
From: benjaminstokes <stokesbo@gmail.com>
Date: Thu, 27 Jun 2024 14:55:05 -0400
Subject: [PATCH 37/57] Run VPC CNI with IRSA, remove

---
 eks.tf | 23 ++++++++++++++++++++---
 1 file changed, 20 insertions(+), 3 deletions(-)

diff --git a/eks.tf b/eks.tf
index fba4f74..c1949d6 100644
--- a/eks.tf
+++ b/eks.tf
@@ -113,7 +113,6 @@ module "eks_node_iam_role" {
   role_requires_mfa = false
   custom_role_policy_arns = [
     "arn:${data.aws_partition.current.partition}:iam::aws:policy/service-role/AmazonAPIGatewayPushToCloudWatchLogs",
-    "arn:${data.aws_partition.current.partition}:iam::aws:policy/AmazonEKS_CNI_Policy",
     "arn:${data.aws_partition.current.partition}:iam::aws:policy/AmazonEKSWorkerNodePolicy",
     "arn:${data.aws_partition.current.partition}:iam::aws:policy/AmazonSSMManagedInstanceCore",
     "arn:${data.aws_partition.current.partition}:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly",
@@ -220,8 +219,9 @@ module "eks" {
       addon_version = var.kube_proxy_version
     }
     vpc-cni = {
-      addon_version  = var.vpc_cni_version
-      before_compute = var.eks_enable_custom_networking
+      addon_version            = var.vpc_cni_version
+      before_compute           = var.eks_enable_custom_networking
+      service_account_role_arn = module.vpc_cni_irsa[0].iam_role_arn
       configuration_values = jsonencode({
         env = {
           AWS_VPC_K8S_CNI_CUSTOM_NETWORK_CFG = tostring(var.eks_enable_custom_networking)
@@ -312,6 +312,23 @@ module "ebs_csi_irsa" {
   }
 }
 
+module "vpc_cni_irsa" {
+  source  = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
+  version = "5.39.0"
+  count   = var.eks_create ? 1 : 0
+
+  role_name             = "vpc-cni-${var.deployment_id}"
+  role_description      = "IRSA role for VPC CNI"
+  attach_vpc_cni_policy = true
+  vpc_cni_enable_ipv4   = true
+  oidc_providers = {
+    main = {
+      provider_arn               = module.eks.oidc_provider_arn
+      namespace_service_accounts = ["kube-system:aws-node"]
+    }
+  }
+}
+
 
 module "cluster_autoscaler_irsa" {
   source  = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"

From d73a588af8c41d376c59edfa1e63a9a840d003bd Mon Sep 17 00:00:00 2001
From: benjaminstokes <stokesbo@gmail.com>
Date: Tue, 6 Aug 2024 16:50:46 -0400
Subject: [PATCH 38/57] deprecate ENABLE_TLS

---
 modules/cxone-install/kots.config.aws.reference.yaml.tftpl | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/modules/cxone-install/kots.config.aws.reference.yaml.tftpl b/modules/cxone-install/kots.config.aws.reference.yaml.tftpl
index ac44b74..a618a55 100644
--- a/modules/cxone-install/kots.config.aws.reference.yaml.tftpl
+++ b/modules/cxone-install/kots.config.aws.reference.yaml.tftpl
@@ -73,9 +73,9 @@ spec:
     DOMAIN:
       value: ${fqdn}
 
-    # Enable TLS for secure communication. Valid values are "0" and "1"  
+    # Enable http to https redirect middleware in Traefik. Deprecated, should always be "0", and handle these redirects if needed outside of Traefik.
     ENABLE_TLS:
-      default: "1"
+      value: "0"
 
     #--------------------------------------------------------------------------
     #  Keys

From 8b180e9649c410423be2220d501c7782e02785aa Mon Sep 17 00:00:00 2001
From: benjaminstokes <stokesbo@gmail.com>
Date: Wed, 14 Aug 2024 15:24:38 -0400
Subject: [PATCH 39/57] Added owner to external dns install to support multiple
 external dns usage in same domain or account

---
 modules/cxone-install/Makefile.tftpl | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/modules/cxone-install/Makefile.tftpl b/modules/cxone-install/Makefile.tftpl
index f01dd91..4eb3431 100644
--- a/modules/cxone-install/Makefile.tftpl
+++ b/modules/cxone-install/Makefile.tftpl
@@ -80,7 +80,8 @@ install-external-dns:
 	--version 1.11.0 \
 	--set serviceAccount.create=true \
 	--set serviceAccount.name=external-dns \
-	--set serviceAccount.annotations."eks\.amazonaws\.com/role-arn"="${external_dns_iam_role_arn}"
+	--set serviceAccount.annotations."eks\.amazonaws\.com/role-arn"="${external_dns_iam_role_arn}" \
+	--set txtOwnerId=${EKS_CLUSTER_NAME}
 
 
 .PHONY: uninstall-external-dns

From 28d24be682d83f99ea652e5941e73d7e738e379f Mon Sep 17 00:00:00 2001
From: benjaminstokes <stokesbo@gmail.com>
Date: Fri, 16 Aug 2024 11:01:52 -0400
Subject: [PATCH 40/57] fix make file var syntax

---
 modules/cxone-install/Makefile.tftpl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/cxone-install/Makefile.tftpl b/modules/cxone-install/Makefile.tftpl
index 4eb3431..e1f90df 100644
--- a/modules/cxone-install/Makefile.tftpl
+++ b/modules/cxone-install/Makefile.tftpl
@@ -81,7 +81,7 @@ install-external-dns:
 	--set serviceAccount.create=true \
 	--set serviceAccount.name=external-dns \
 	--set serviceAccount.annotations."eks\.amazonaws\.com/role-arn"="${external_dns_iam_role_arn}" \
-	--set txtOwnerId=${EKS_CLUSTER_NAME}
+	--set txtOwnerId=$${EKS_CLUSTER_NAME}
 
 
 .PHONY: uninstall-external-dns

From ec0fe83993dbb7dccd92b4187d9c9eded096060d Mon Sep 17 00:00:00 2001
From: benjaminstokes <stokesbo@gmail.com>
Date: Mon, 19 Aug 2024 12:04:22 -0400
Subject: [PATCH 41/57] exposing db back retention period

---
 examples/full/examples.auto.tfvars | 1 +
 examples/full/variables-cxone.tf   | 6 ++++++
 rds-analytics.tf                   | 1 +
 rds.tf                             | 1 +
 variables.tf                       | 7 +++++++
 5 files changed, 16 insertions(+)

diff --git a/examples/full/examples.auto.tfvars b/examples/full/examples.auto.tfvars
index d6e4b5e..e5b3885 100644
--- a/examples/full/examples.auto.tfvars
+++ b/examples/full/examples.auto.tfvars
@@ -306,6 +306,7 @@ db_serverlessv2_scaling_configuration = {
   min_capacity = 0.5
   max_capacity = 8
 }
+db_backup_retention_period = 7
 
 
 #******************************************************************************
diff --git a/examples/full/variables-cxone.tf b/examples/full/variables-cxone.tf
index e4e9a59..e7cc066 100644
--- a/examples/full/variables-cxone.tf
+++ b/examples/full/variables-cxone.tf
@@ -504,6 +504,12 @@ variable "db_apply_immediately" {
   description = "Determines if changes will be applied immediately or wait until the next maintenance window."
 }
 
+variable "db_backup_retention_period" {
+  type        = number
+  default     = null
+  description = "The number of  days to retain database backups for"
+}
+
 
 #******************************************************************************
 #   RDS - Analytics - Configuration
diff --git a/rds-analytics.tf b/rds-analytics.tf
index 09386ce..b083113 100644
--- a/rds-analytics.tf
+++ b/rds-analytics.tf
@@ -29,6 +29,7 @@ module "rds-analytics" {
   manage_master_user_password                 = false
   port                                        = var.db_port
   deletion_protection                         = var.db_deletion_protection
+  backup_retention_period                     = var.db_backup_retention_period
   enabled_cloudwatch_logs_exports             = ["postgresql"]
   security_group_rules = {
     ingress_from_vpc = {
diff --git a/rds.tf b/rds.tf
index 2323b98..cd40e81 100644
--- a/rds.tf
+++ b/rds.tf
@@ -35,6 +35,7 @@ module "rds" {
   manage_master_user_password                 = false
   port                                        = var.db_port
   deletion_protection                         = var.db_deletion_protection
+  backup_retention_period                     = var.db_backup_retention_period
   enabled_cloudwatch_logs_exports             = ["postgresql"]
   security_group_rules = {
     ingress_from_vpc = {
diff --git a/variables.tf b/variables.tf
index a26a1ef..6707814 100644
--- a/variables.tf
+++ b/variables.tf
@@ -514,6 +514,13 @@ variable "db_apply_immediately" {
   description = "Determines if changes will be applied immediately or wait until the next maintenance window."
 }
 
+variable "db_backup_retention_period" {
+  type        = number
+  default     = null
+  description = "The number of  days to retain database backups for"
+}
+
+
 
 #******************************************************************************
 #   RDS - Analytics - Configuration

From 61041156e6804491c8670055e595a96b21712867 Mon Sep 17 00:00:00 2001
From: benjaminstokes <stokesbo@gmail.com>
Date: Mon, 19 Aug 2024 12:09:01 -0400
Subject: [PATCH 42/57] bump aurora module verions

---
 rds-analytics.tf | 2 +-
 rds.tf           | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/rds-analytics.tf b/rds-analytics.tf
index b083113..68dbe04 100644
--- a/rds-analytics.tf
+++ b/rds-analytics.tf
@@ -1,6 +1,6 @@
 module "rds-analytics" {
   source  = "terraform-aws-modules/rds-aurora/aws"
-  version = "9.3.1"
+  version = "9.9.0"
   create  = var.db_create
 
   name                                        = "${var.deployment_id}-analytics"
diff --git a/rds.tf b/rds.tf
index cd40e81..39fd57f 100644
--- a/rds.tf
+++ b/rds.tf
@@ -1,6 +1,6 @@
 module "rds" {
   source  = "terraform-aws-modules/rds-aurora/aws"
-  version = "9.3.1"
+  version = "9.9.0"
   create  = var.db_create
 
   name                                        = "${var.deployment_id}-main"

From 5a014b813147d0293b8a734998802badc7cfdcc1 Mon Sep 17 00:00:00 2001
From: benjaminstokes <stokesbo@gmail.com>
Date: Mon, 19 Aug 2024 12:12:22 -0400
Subject: [PATCH 43/57] bump eks module version

---
 eks.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/eks.tf b/eks.tf
index c1949d6..9f3c9b5 100644
--- a/eks.tf
+++ b/eks.tf
@@ -142,7 +142,7 @@ resource "aws_iam_policy" "s3_bucket_access" {
 
 module "eks" {
   source  = "terraform-aws-modules/eks/aws"
-  version = "20.8.5"
+  version = "20.23.0"
   create  = var.eks_create
 
   cluster_name    = var.deployment_id

From 0b046f342ae18dc9c9f3e1c952bd0506a6b39881 Mon Sep 17 00:00:00 2001
From: benjaminstokes <stokesbo@gmail.com>
Date: Mon, 19 Aug 2024 12:13:03 -0400
Subject: [PATCH 44/57] bump irsa module version

---
 eks.tf | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/eks.tf b/eks.tf
index 9f3c9b5..22d0ba5 100644
--- a/eks.tf
+++ b/eks.tf
@@ -297,7 +297,7 @@ resource "aws_autoscaling_group_tag" "cluster_autoscaler_taint" {
 
 module "ebs_csi_irsa" {
   source  = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
-  version = "5.39.0"
+  version = "5.44.0"
   count   = var.eks_create ? 1 : 0
 
   role_name             = "ebs-csi-${var.deployment_id}"
@@ -314,7 +314,7 @@ module "ebs_csi_irsa" {
 
 module "vpc_cni_irsa" {
   source  = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
-  version = "5.39.0"
+  version = "5.44.0"
   count   = var.eks_create ? 1 : 0
 
   role_name             = "vpc-cni-${var.deployment_id}"
@@ -332,7 +332,7 @@ module "vpc_cni_irsa" {
 
 module "cluster_autoscaler_irsa" {
   source  = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
-  version = "5.39.0"
+  version = "5.44.0"
   count   = var.eks_create && var.eks_create_cluster_autoscaler_irsa ? 1 : 0
 
   role_name                        = "cluster-autoscaler-${var.deployment_id}"
@@ -351,7 +351,7 @@ module "cluster_autoscaler_irsa" {
 
 module "external_dns_irsa" {
   source  = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
-  version = "5.39.0"
+  version = "5.44.0"
   count   = var.eks_create && var.eks_create_external_dns_irsa ? 1 : 0
 
   role_name        = "external-dns-${var.deployment_id}"
@@ -370,7 +370,7 @@ module "external_dns_irsa" {
 
 module "load_balancer_controller_irsa" {
   source  = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
-  version = "5.39.0"
+  version = "5.44.0"
   count   = var.eks_create && var.eks_create_load_balancer_controller_irsa ? 1 : 0
 
   role_name                              = "load_balancer_controller-${var.deployment_id}"

From 29123ee8c4bee996bc517d33bce25949fa2a71f4 Mon Sep 17 00:00:00 2001
From: benjaminstokes <stokesbo@gmail.com>
Date: Mon, 19 Aug 2024 12:15:49 -0400
Subject: [PATCH 45/57] bump s3 module version

---
 s3.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/s3.tf b/s3.tf
index ac12b52..59cbb8b 100644
--- a/s3.tf
+++ b/s3.tf
@@ -103,7 +103,7 @@ locals {
 module "s3_bucket" {
   for_each = local.buckets
   source   = "terraform-aws-modules/s3-bucket/aws"
-  version  = "4.1.1"
+  version  = "4.1.2"
 
   bucket           = "${var.deployment_id}-${each.value.name}-${lower(local.s3_bucket_name_suffix)}"
   force_destroy    = true

From 63305935bff5029c1f73a51e8c8978ded72060e3 Mon Sep 17 00:00:00 2001
From: benjaminstokes <stokesbo@gmail.com>
Date: Tue, 20 Aug 2024 10:55:20 -0400
Subject: [PATCH 46/57] Revert VPC CNI via IRSA

---
 eks.tf | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/eks.tf b/eks.tf
index 22d0ba5..22ff30b 100644
--- a/eks.tf
+++ b/eks.tf
@@ -112,6 +112,7 @@ module "eks_node_iam_role" {
   role_name         = "${var.deployment_id}-eks-nodes"
   role_requires_mfa = false
   custom_role_policy_arns = [
+    "arn:${data.aws_partition.current.partition}:iam::aws:policy/AmazonEKS_CNI_Policy",
     "arn:${data.aws_partition.current.partition}:iam::aws:policy/service-role/AmazonAPIGatewayPushToCloudWatchLogs",
     "arn:${data.aws_partition.current.partition}:iam::aws:policy/AmazonEKSWorkerNodePolicy",
     "arn:${data.aws_partition.current.partition}:iam::aws:policy/AmazonSSMManagedInstanceCore",
@@ -142,7 +143,7 @@ resource "aws_iam_policy" "s3_bucket_access" {
 
 module "eks" {
   source  = "terraform-aws-modules/eks/aws"
-  version = "20.23.0"
+  version = "20.8.5" #"20.23.0" #
   create  = var.eks_create
 
   cluster_name    = var.deployment_id
@@ -219,9 +220,9 @@ module "eks" {
       addon_version = var.kube_proxy_version
     }
     vpc-cni = {
-      addon_version            = var.vpc_cni_version
-      before_compute           = var.eks_enable_custom_networking
-      service_account_role_arn = module.vpc_cni_irsa[0].iam_role_arn
+      addon_version  = var.vpc_cni_version
+      before_compute = var.eks_enable_custom_networking
+      #service_account_role_arn = var.eks_create ? module.vpc_cni_irsa[0].iam_role_arn : null
       configuration_values = jsonencode({
         env = {
           AWS_VPC_K8S_CNI_CUSTOM_NETWORK_CFG = tostring(var.eks_enable_custom_networking)
@@ -233,7 +234,7 @@ module "eks" {
     aws-ebs-csi-driver = {
       addon_version            = var.aws_ebs_csi_driver_version
       configuration_values     = var.eks_enable_fargate ? local.ebs_csi_fargate_configuration_values : null
-      service_account_role_arn = module.ebs_csi_irsa[0].iam_role_arn
+      service_account_role_arn = var.eks_create ? module.ebs_csi_irsa[0].iam_role_arn : null
     }
   }
   create_kms_key = false

From ee7e444e402ed752255d034d5faf989147289cc2 Mon Sep 17 00:00:00 2001
From: benjaminstokes <stokesbo@gmail.com>
Date: Wed, 21 Aug 2024 20:31:55 -0400
Subject: [PATCH 47/57] Adding cloudwatch observibility addon

---
 eks.tf                           | 25 +++++++++++++++++++++++++
 examples/full/main.tf            |  1 +
 examples/full/variables-cxone.tf |  5 +++++
 variables.tf                     |  5 +++++
 4 files changed, 36 insertions(+)

diff --git a/eks.tf b/eks.tf
index 22ff30b..1d56c47 100644
--- a/eks.tf
+++ b/eks.tf
@@ -273,6 +273,14 @@ module "eks" {
   fargate_profiles = var.eks_enable_fargate ? local.fargate_profiles : {}
 }
 
+resource "aws_eks_addon" "amzn_cloudwatch_observability" {
+  count         = var.aws_cloudwatch_observability_version != null ? 1 : 0
+  cluster_name  = module.eks.cluster_name
+  addon_name    = "amazon-cloudwatch-observability"
+  addon_version = var.aws_cloudwatch_observability_version
+}
+
+
 resource "aws_autoscaling_group_tag" "cluster_autoscaler_label" {
   for_each               = { for node_group in var.eks_node_groups : node_group.name => node_group }
   depends_on             = [module.eks]
@@ -385,6 +393,23 @@ module "load_balancer_controller_irsa" {
   }
 }
 
+module "aws_cloudwatch_observability_irsa" {
+  source  = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
+  version = "5.44.0"
+  count   = var.eks_create && var.aws_cloudwatch_observability_version != null ? 1 : 0
+
+  role_name                              = "aws-cloudwatch-observability-${var.deployment_id}"
+  role_description                       = "IRSA role for AWS Cloudwatch Observability"
+  attach_cloudwatch_observability_policy = true
+  oidc_providers = {
+    main = {
+      provider_arn               = module.eks.oidc_provider_arn
+      namespace_service_accounts = ["amazon-cloudwatch:cloudwatch-agent"]
+    }
+  }
+}
+
+
 data "aws_iam_role" "karpenter" {
   name       = "${var.deployment_id}-eks-nodes"
   depends_on = [module.eks]
diff --git a/examples/full/main.tf b/examples/full/main.tf
index f16ecc9..cda149c 100644
--- a/examples/full/main.tf
+++ b/examples/full/main.tf
@@ -147,6 +147,7 @@ module "checkmarx-one" {
   kube_proxy_version                       = var.kube_proxy_version
   vpc_cni_version                          = var.vpc_cni_version
   aws_ebs_csi_driver_version               = var.aws_ebs_csi_driver_version
+  aws_cloudwatch_observability_version     = var.aws_cloudwatch_observability_version
   eks_private_endpoint_enabled             = var.eks_private_endpoint_enabled
   eks_public_endpoint_enabled              = var.eks_public_endpoint_enabled
   eks_cluster_endpoint_public_access_cidrs = var.eks_cluster_endpoint_public_access_cidrs
diff --git a/examples/full/variables-cxone.tf b/examples/full/variables-cxone.tf
index e7cc066..78fb2da 100644
--- a/examples/full/variables-cxone.tf
+++ b/examples/full/variables-cxone.tf
@@ -161,6 +161,11 @@ variable "aws_ebs_csi_driver_version" {
   description = "The version of the EKS EBS CSI Addon."
 }
 
+variable "aws_cloudwatch_observability_version" {
+  type        = string
+  description = "The version of the AWS Cloudwatch Observability Addon. Specify a version to enable the addon, or leave blank to disable the addon."
+}
+
 variable "launch_template_tags" {
   type        = map(string)
   description = "Tags to associate with launch templates for node groups"
diff --git a/variables.tf b/variables.tf
index 6707814..ceb61ad 100644
--- a/variables.tf
+++ b/variables.tf
@@ -171,6 +171,11 @@ variable "aws_ebs_csi_driver_version" {
   description = "The version of the EKS EBS CSI Addon."
 }
 
+variable "aws_cloudwatch_observability_version" {
+  type        = string
+  description = "The version of the AWS Cloudwatch Observability Addon. Specify a version to enable the addon, or leave blank to disable the addon."
+}
+
 variable "launch_template_tags" {
   type        = map(string)
   description = "Tags to associate with launch templates for node groups"

From cc23a19d2f25e27d3d37485837afca01e5e7b479 Mon Sep 17 00:00:00 2001
From: benjaminstokes <stokesbo@gmail.com>
Date: Wed, 21 Aug 2024 20:37:56 -0400
Subject: [PATCH 48/57] Updating observability to use irsa

---
 eks.tf | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/eks.tf b/eks.tf
index 1d56c47..c3ad18d 100644
--- a/eks.tf
+++ b/eks.tf
@@ -274,10 +274,11 @@ module "eks" {
 }
 
 resource "aws_eks_addon" "amzn_cloudwatch_observability" {
-  count         = var.aws_cloudwatch_observability_version != null ? 1 : 0
-  cluster_name  = module.eks.cluster_name
-  addon_name    = "amazon-cloudwatch-observability"
-  addon_version = var.aws_cloudwatch_observability_version
+  count                    = var.aws_cloudwatch_observability_version != null ? 1 : 0
+  cluster_name             = module.eks.cluster_name
+  addon_name               = "amazon-cloudwatch-observability"
+  addon_version            = var.aws_cloudwatch_observability_version
+  service_account_role_arn = module.aws_cloudwatch_observability_irsa[0].iam_role_arn
 }
 
 

From 18760ef46aa16dee4f80dfc96952340aac67f851 Mon Sep 17 00:00:00 2001
From: benjaminstokes <stokesbo@gmail.com>
Date: Wed, 21 Aug 2024 20:38:09 -0400
Subject: [PATCH 49/57] Added metrics server

---
 modules/cxone-install/Makefile.tftpl | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/modules/cxone-install/Makefile.tftpl b/modules/cxone-install/Makefile.tftpl
index e1f90df..bab1987 100644
--- a/modules/cxone-install/Makefile.tftpl
+++ b/modules/cxone-install/Makefile.tftpl
@@ -147,6 +147,11 @@ apply-storageclass-config:
 	./apply-storageclass-config.$${DEPLOYMENT_ID}.sh
 
 
+.PHONY: install-metrics-server
+install-metrics-server:
+	kubectl apply -f https://github.com/kubernetes-sigs/metrics-server/releases/latest/download/components.yaml
+
+
 .PHONY: clean-kots
 clean-kots:
 	kubectl delete deployment kotsadm -n $${NAMESPACE}

From 685c9920d821615fdd60b95dd37c04919de7468c Mon Sep 17 00:00:00 2001
From: benjaminstokes <stokesbo@gmail.com>
Date: Mon, 9 Sep 2024 16:18:47 -0400
Subject: [PATCH 50/57] increased destroy-load-balancer.sh reliability

---
 modules/cxone-install/destroy-load-balancer.sh.tftpl | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/modules/cxone-install/destroy-load-balancer.sh.tftpl b/modules/cxone-install/destroy-load-balancer.sh.tftpl
index 0ae9b62..e883329 100644
--- a/modules/cxone-install/destroy-load-balancer.sh.tftpl
+++ b/modules/cxone-install/destroy-load-balancer.sh.tftpl
@@ -20,7 +20,8 @@ sleep 10
 # The "Node" security group will have references to the ELB security groups, so remove all the rules to allow groups to be deleted successfully
 NODE_SG_ID=$(aws ec2 describe-security-groups --filters Name=tag:Name,Values=$${DEPLOYMENT_ID}-node --query "SecurityGroups[*].GroupId" --output text | tr "\t" "\n")
 aws ec2 revoke-security-group-ingress --group-id $${NODE_SG_ID} --ip-permissions "`aws ec2 describe-security-groups --output json --group-ids $${NODE_SG_ID} --query "SecurityGroups[0].IpPermissions"`"
-sleep 10
+echo "Waiting for rules to delete"
+sleep 20
 
 # Delete the ELB security groups
 aws ec2 describe-security-groups --filters Name=tag:elbv2.k8s.aws/cluster,Values=$${DEPLOYMENT_ID} --query "SecurityGroups[*].GroupId" --output text | tr "\t" "\n" | xargs -I {} aws ec2 delete-security-group --group-id {} 

From fbf46cefb1961aceadc094fd8524b567f95e0c20 Mon Sep 17 00:00:00 2001
From: benjaminstokes <stokesbo@gmail.com>
Date: Mon, 9 Sep 2024 16:36:57 -0400
Subject: [PATCH 51/57] added bastion host

---
 examples/full/bastion-host.tf      | 89 ++++++++++++++++++++++++++++++
 examples/full/variables-example.tf | 33 +++++++++++
 2 files changed, 122 insertions(+)
 create mode 100644 examples/full/bastion-host.tf

diff --git a/examples/full/bastion-host.tf b/examples/full/bastion-host.tf
new file mode 100644
index 0000000..6844fe0
--- /dev/null
+++ b/examples/full/bastion-host.tf
@@ -0,0 +1,89 @@
+
+
+locals {
+  bastion_host_user_data_default = <<-EOT
+    #!/bin/bash
+    # Install kubectl
+    sudo curl -O https://s3.us-west-2.amazonaws.com/amazon-eks/1.29.6/2024-07-12/bin/linux/amd64/kubectl
+    sudo curl -O https://s3.us-west-2.amazonaws.com/amazon-eks/1.29.6/2024-07-12/bin/linux/amd64/kubectl.sha256
+    #sha256sum -c kubectl.sha256 || exit 1
+    sudo chmod +x ./kubectl
+    sudo cp ./kubectl /usr/local/bin/kubectl
+
+    # Set kubecontext
+    aws eks update-kubeconfig --name ${var.deployment_id}
+    
+    #Install git
+    sudo dnf install git -y
+
+    # Install kots
+    export REPL_USE_SUDO=y
+    export REPL_INSTALL_PATH=/usr/local/bin
+    sudo curl https://kots.io/install | bash
+    
+    # Install eksctl
+    ARCH="$(uname -m | sed -e 's/x86_64/amd64/' -e 's/\(arm\)\(64\)\?.*/\1\2/' -e 's/aarch64$/arm64/')"
+    PLATFORM=$(uname -s)_$ARCH
+    sudo curl -sLO "https://github.com/eksctl-io/eksctl/releases/latest/download/eksctl_$PLATFORM.tar.gz"
+    tar -xzf eksctl_$PLATFORM.tar.gz -C /tmp && rm -f eksctl_$PLATFORM.tar.gz
+    sudo mv /tmp/eksctl /usr/local/bin
+
+    # Install k9s
+    curl -sLO "https://github.com/derailed/k9s/releases/download/v0.32.5/k9s_linux_amd64.rpm"
+    sudo dnf install k9s_linux_amd64.rpm
+  EOT
+}
+
+data "aws_ami" "amazon_linux_23" {
+  most_recent = true
+  owners      = ["amazon"]
+
+  filter {
+    name   = "name"
+    values = ["al2023-ami-2023*-x86_64"]
+  }
+}
+
+module "ec2_instance" {
+  source = "terraform-aws-modules/ec2-instance/aws"
+  count  = var.bastion_host_enabled ? 1 : 0
+
+  name                        = "${var.deployment_id}-bastion"
+  ami                         = data.aws_ami.amazon_linux_23.id
+  ignore_ami_changes          = true
+  instance_type               = var.bastion_host_instance_type
+  key_name                    = var.bastion_host_key_name
+  monitoring                  = false
+  vpc_security_group_ids      = [module.bastion_security_group[0].security_group_id]
+  subnet_id                   = module.vpc.public_subnets[0]
+  associate_public_ip_address = true
+  user_data                   = var.bastion_host_user_data != null ? var.bastion_host_user_data : local.bastion_host_user_data_default
+
+  create_iam_instance_profile = true
+  iam_role_description        = "IAM role for EC2 instance"
+  iam_role_policies = {
+    AmazonSSMManagedInstanceCore = "arn:${data.aws_partition.current.partition}:iam::aws:policy/AmazonSSMManagedInstanceCore"
+    AdministratorAccess          = "arn:${data.aws_partition.current.partition}:iam::aws:policy/AdministratorAccess"
+  }
+
+  tags = {
+    Terraform   = "true"
+    Environment = "dev"
+  }
+}
+
+
+module "bastion_security_group" {
+  source  = "terraform-aws-modules/security-group/aws"
+  version = "~> 4.0"
+  count   = var.bastion_host_enabled ? 1 : 0
+
+  name        = "Bastion host for deployment ${var.deployment_id}"
+  description = "Security group for bastion host for deployment ${var.deployment_id}"
+  vpc_id      = module.vpc.vpc_id
+
+  ingress_cidr_blocks = concat(var.bastion_host_remote_management_cidrs, module.vpc.vpc_cidr_blocks)
+  ingress_rules       = ["http-80-tcp", "all-icmp", "ssh-tcp"]
+  egress_rules        = ["all-all"]
+
+}
diff --git a/examples/full/variables-example.tf b/examples/full/variables-example.tf
index 6bcbd8e..bcff8b0 100644
--- a/examples/full/variables-example.tf
+++ b/examples/full/variables-example.tf
@@ -95,4 +95,37 @@ variable "kots_license_file" {
 variable "kots_admin_email" {
   description = "The email address of the Checkmarx One first admin user."
   type        = string
+}
+
+#******************************************************************************
+#   Bastion Host Configuration
+#******************************************************************************
+variable "bastion_host_enabled" {
+  description = "Controls deployment of a bastion host to the VPC."
+  type        = bool
+  default     = false
+}
+
+variable "bastion_host_instance_type" {
+  description = "The ec2 instance type for the bastion host."
+  type        = string
+  default     = "t3.large"
+}
+
+variable "bastion_host_key_name" {
+  description = "The ec2 keypair name for the bastion host."
+  type        = string
+  default     = null
+}
+
+variable "bastion_host_user_data" {
+  description = "User data for the bastion host. Default behavior is to install some basic tools."
+  type        = string
+  default     = null
+}
+
+variable "bastion_host_remote_management_cidrs" {
+  description = "The list of CIDRs that need access to the bastion host"
+  type        = list(string)
+  default     = null
 }
\ No newline at end of file

From 5a30c08444787c0cddf0ed264784112044f20882 Mon Sep 17 00:00:00 2001
From: benjaminstokes <stokesbo@gmail.com>
Date: Tue, 10 Sep 2024 10:31:23 -0400
Subject: [PATCH 52/57] adding multiple stateful action support

---
 examples/full/main.tf                    | 2 +-
 examples/full/variables-vpc.tf           | 6 +++---
 modules/inspection-vpc/firewall-rules.tf | 6 +++---
 modules/inspection-vpc/firewall.tf       | 2 +-
 modules/inspection-vpc/variables.tf      | 6 +++---
 5 files changed, 11 insertions(+), 11 deletions(-)

diff --git a/examples/full/main.tf b/examples/full/main.tf
index cda149c..eddfb65 100644
--- a/examples/full/main.tf
+++ b/examples/full/main.tf
@@ -25,7 +25,7 @@ module "vpc" {
   create_interface_endpoints = var.create_interface_endpoints
   create_s3_endpoint         = var.create_s3_endpoint
   enable_firewall            = var.enable_firewall
-  stateful_default_action    = var.stateful_default_action
+  stateful_default_actions   = var.stateful_default_actions
   suricata_rules             = var.suricata_rules
   include_sca_rules          = var.include_sca_rules
   additional_suricata_rules  = local.additional_suricata_rules
diff --git a/examples/full/variables-vpc.tf b/examples/full/variables-vpc.tf
index 5fea44c..e2eaea4 100644
--- a/examples/full/variables-vpc.tf
+++ b/examples/full/variables-vpc.tf
@@ -36,10 +36,10 @@ variable "enable_firewall" {
   default     = true
 }
 
-variable "stateful_default_action" {
+variable "stateful_default_actions" {
   description = "The [default action](https://docs.aws.amazon.com/network-firewall/latest/developerguide/suricata-rule-evaluation-order.html#suricata-strict-rule-evaluation-order) for the AWS Network Firewall stateful rule group. Choose `aws:drop_established` or `aws:alert_established`"
-  type        = string
-  default     = "aws:drop_established"
+  type        = list(string)
+  default     = ["aws:drop_established", "aws:alert_established"]
 }
 
 variable "suricata_rules" {
diff --git a/modules/inspection-vpc/firewall-rules.tf b/modules/inspection-vpc/firewall-rules.tf
index 42bd103..2b3723e 100644
--- a/modules/inspection-vpc/firewall-rules.tf
+++ b/modules/inspection-vpc/firewall-rules.tf
@@ -82,7 +82,7 @@ pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"602401143452.dkr.
 pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"prod-${data.aws_region.current.name}-starport-layer-bucket.s3.${data.aws_region.current.name}.amazonaws.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240420031; rev:1;)
 
 
-# Amazon Linux 2 managed node group updates - region dependent
+# Amazon Linux 2/2023 managed node group updates - region dependent
 pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"amazonlinux-2-repos-${data.aws_region.current.name}.s3.dualstack.${data.aws_region.current.name}.amazonaws.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240420032; rev:1;)
 pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"al2023-repos-${data.aws_region.current.name}-de612dc2.s3.dualstack.${data.aws_region.current.name}.amazonaws.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240420033; rev:1;)
 
@@ -112,7 +112,7 @@ pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"proxy-auth.replic
 
 # Used by cxone images, and kube-rbac-proxy in CxOne operator
 pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"gcr.io"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240419044; rev:1;)
-pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"checkmarx.jfrog.io"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240420044; rev:1;)
+#pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"checkmarx.jfrog.io"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240420044; rev:1;)
 
 
 # Liquibase schema files required for database migration execution
@@ -155,7 +155,7 @@ pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"microservice-scan
 # Codebashing
 pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"api.stagecodebashing.com"; startswith; nocase; endswith; msg:"SCA NA region result sync bucket"; flow:to_server, established; sid:240422001; rev:1;)
 # Upcoming features                                             
-pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"cx-sca-containers.es.us-east-1.aws.found.io"; startswith; nocase; endswith; msg:"SCA NA region result sync bucket"; flow:to_server, established; sid:204290001; rev:1;)
+#pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"cx-sca-containers.es.us-east-1.aws.found.io"; startswith; nocase; endswith; msg:"SCA NA region result sync bucket"; flow:to_server, established; sid:204290001; rev:1;)
 
 
 # These URLs are randomly generated, and used to discover the correct s3 API signature version to use when communicating with S3 buckets.
diff --git a/modules/inspection-vpc/firewall.tf b/modules/inspection-vpc/firewall.tf
index 7a348a2..c1f1359 100644
--- a/modules/inspection-vpc/firewall.tf
+++ b/modules/inspection-vpc/firewall.tf
@@ -38,7 +38,7 @@ resource "aws_networkfirewall_firewall_policy" "main" {
   firewall_policy {
     stateless_default_actions          = ["aws:forward_to_sfe"]
     stateless_fragment_default_actions = ["aws:forward_to_sfe"]
-    stateful_default_actions           = [var.stateful_default_action]
+    stateful_default_actions           = var.stateful_default_actions
     stateful_engine_options {
       rule_order = "STRICT_ORDER"
     }
diff --git a/modules/inspection-vpc/variables.tf b/modules/inspection-vpc/variables.tf
index a600977..aa6555e 100644
--- a/modules/inspection-vpc/variables.tf
+++ b/modules/inspection-vpc/variables.tf
@@ -41,10 +41,10 @@ variable "enable_firewall" {
   default     = true
 }
 
-variable "stateful_default_action" {
+variable "stateful_default_actions" {
   description = "The [default action](https://docs.aws.amazon.com/network-firewall/latest/developerguide/suricata-rule-evaluation-order.html#suricata-strict-rule-evaluation-order) for the AWS Network Firewall stateful rule group. Choose `aws:drop_established` or `aws:alert_established`"
-  type        = string
-  default     = "aws:drop_established"
+  type        = list(string)
+  default     = ["aws:drop_established", "aws:alert_established"]
 }
 
 variable "suricata_rules" {

From 3ea00793411f88d9f7dfa367e67172b0b286ebd2 Mon Sep 17 00:00:00 2001
From: benjaminstokes <stokesbo@gmail.com>
Date: Tue, 17 Sep 2024 10:03:07 -0400
Subject: [PATCH 53/57] 3.20 updates

---
 eks.tf                                   |   3 +-
 examples/full/main.tf                    |   2 +-
 modules/cxone-install/Makefile.tftpl     |  15 +--
 modules/inspection-vpc/firewall-rules.tf | 115 +++++++++++++++++++----
 4 files changed, 108 insertions(+), 27 deletions(-)

diff --git a/eks.tf b/eks.tf
index c3ad18d..505421e 100644
--- a/eks.tf
+++ b/eks.tf
@@ -157,7 +157,8 @@ module "eks" {
   vpc_id     = var.vpc_id
   subnet_ids = var.eks_subnets
 
-  create_cluster_security_group = true
+  create_cluster_primary_security_group_tags = false
+  create_cluster_security_group              = true
   #cluster_security_group_id     = var.cluster_security_group_id
 
   create_node_security_group = true
diff --git a/examples/full/main.tf b/examples/full/main.tf
index eddfb65..2b50e40 100644
--- a/examples/full/main.tf
+++ b/examples/full/main.tf
@@ -8,7 +8,7 @@ data "aws_availability_zones" "available" {
 locals {
   # Add the fqdn to the firewall rules
   additional_suricata_rules = <<EOF
-# CxOne must talk to itself when performing token exchange to validate the FQDN (cxiam makes the connection).
+# CxOne must talk to itself when performing token exchange to validate the FQDN (cxiam makes the connection) and for CxIAM to function overall.
 pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"${var.fqdn}"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240401001; rev:1;)
 
 ${var.additional_suricata_rules}
diff --git a/modules/cxone-install/Makefile.tftpl b/modules/cxone-install/Makefile.tftpl
index bab1987..406c99c 100644
--- a/modules/cxone-install/Makefile.tftpl
+++ b/modules/cxone-install/Makefile.tftpl
@@ -57,7 +57,7 @@ rollout-restart:
 install-cluster-autoscaler:
 	helm repo add autoscaler https://kubernetes.github.io/autoscaler; \
 	helm repo update autoscaler; \
-	helm install cluster-autoscaler autoscaler/cluster-autoscaler \
+	helm upgrade --install cluster-autoscaler autoscaler/cluster-autoscaler \
 	--version 9.21.1 \
 	-n kube-system \
 	--set awsRegion=$${DEPLOY_REGION} \
@@ -93,7 +93,7 @@ uninstall-external-dns:
 install-load-balancer-controller:
 	helm repo add eks https://aws.github.io/eks-charts; \
 	helm repo update eks; \
-	helm install aws-load-balancer-controller eks/aws-load-balancer-controller \
+	helm upgrade --install aws-load-balancer-controller eks/aws-load-balancer-controller \
 	--version 1.7.1 \
 	-n kube-system \
 	--set vpcId=${vpc_id} \
@@ -114,15 +114,14 @@ uninstall-load-balancer-controller:
 
 .PHONY: install-karpenter
 install-karpenter:
-	helm install karpenter oci://public.ecr.aws/karpenter/karpenter \
-	--version 0.36.0 \
+	helm upgrade --install karpenter oci://public.ecr.aws/karpenter/karpenter \
+	--version 1.0.1 \
 	-n kube-system \
 	--create-namespace \
 	--set serviceAccount.create=true \
 	--set serviceAccount.name=karpenter \
 	--set serviceAccount.annotations."eks\.amazonaws\.com/role-arn"="${karpenter_iam_role_arn}" \
 	--set settings.clusterName=$${EKS_CLUSTER_NAME} \
-	--set settings.clusterEndpoint=${cluster_endpoint} \
 	--set settings.featureGates.spotToSpotConsolidation=true \
 	--set settings.interruptionQueue=$${EKS_CLUSTER_NAME}-node-termination-handler \
 	--set controller.resources.requests.cpu=1 \
@@ -131,6 +130,8 @@ install-karpenter:
 	--set controller.resources.limits.memory=1Gi
 	kubectl apply -f karpenter.$${DEPLOYMENT_ID}.yaml 
 
+	#	--set settings.clusterEndpoint=${cluster_endpoint} \
+
 
 .PHONY: uninstall-karpenter
 uninstall-karpenter:
@@ -154,9 +155,11 @@ install-metrics-server:
 
 .PHONY: clean-kots
 clean-kots:
+	kubectl delete statefulset kotsadm-rqlite -n $${NAMESPACE}
 	kubectl delete deployment kotsadm -n $${NAMESPACE}
 	kubectl delete statefulset kotsadm-minio -n $${NAMESPACE}
-	kubectl delete statefulset kotsadm-rqlite -n $${NAMESPACE}
+	
+
 
 
 .PHONY: destroy-load-balancer
diff --git a/modules/inspection-vpc/firewall-rules.tf b/modules/inspection-vpc/firewall-rules.tf
index 2b3723e..abb3bf3 100644
--- a/modules/inspection-vpc/firewall-rules.tf
+++ b/modules/inspection-vpc/firewall-rules.tf
@@ -1,19 +1,68 @@
 
 locals {
   sca_scanning_rules = var.include_sca_rules == false ? "" : <<EOF
-# These rules are used in SCA scaning, and will vary wildly based on what language/package manager/package repositories are used by the application being scanned with SCA         
-pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"github.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240420065; rev:1;)
-pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"repo.maven.apache.org"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240420066; rev:1;)
+# These rules are used in SCA scaning for common dependency locations.
+# These rules will vary based on what language/package manager/package repositories are used by the application being scanned with SCA. 
+# This list is non-exhaustive, and will vary depending on your usage. 
+# SCA scans will appear to hang for long periods of time when dependency resolution is blocked by a firewall. 
+# Firewalls should be monitored for dependency resolution connectivity needs of your organization and updated to allow scanning.
+
+# npm
 pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"registry.npmjs.org"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240420067; rev:1;)
-pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"lscr.io"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240420068; rev:1;)
+
+# Yarn
+pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"registry.yarnpkg.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240910030; rev:1;)
+
+# Bower
+pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"registry.bower.io"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240910031; rev:1;)
+
+# PHP
+pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"api.github.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240910032; rev:1;)
+pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"codeload.github.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240910035; rev:1;)
+
+# Android and others
+pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"dl.google.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240910039; rev:1;)
+
+# Go
+pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"proxy.golang.org"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240910033; rev:1;)
+pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"sum.golang.org"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240420075; rev:1;)
+pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"github.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240420065; rev:1;)
+pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"objects.githubusercontent.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240910050; rev:1;)
+
+# Docker
+pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"registry.hub.docker.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240910034; rev:1;)
 pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"index.docker.io"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240420069; rev:1;)
 pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"toolbox-data.anchore.io"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240420070; rev:1;)
-pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"registry.hub.docker.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240420071; rev:1;)
 pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"hub.docker.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240420072; rev:1;)
-pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"ghcr.io"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240420073; rev:1;)
-pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"proxy.golang.org"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240420074; rev:1;)
-pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"sum.golang.org"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240420075; rev:1;)
 pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"pkg-containers.githubusercontent.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240420076; rev:1;)
+pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"ghcr.io"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240420073; rev:1;)
+pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"lscr.io"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240420068; rev:1;)
+
+# Gradle
+pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"services.gradle.org"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240910036; rev:1;)
+pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"plugins.gradle.org"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240910037; rev:1;)
+pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"jcenter.bintray.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240910038; rev:1;)
+pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"repo.spring.io"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240910040; rev:1;)
+
+# Maven
+pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"maven-central.storage-download.googleapis.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240912001; rev:1;)
+pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"repository.apache.org"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240912150; rev:1;)
+
+# Nuget
+pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"api.nuget.org"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240910041; rev:1;)
+pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"pkgs.dev.azure.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240910045; rev:1;)
+
+# SBT/Scala
+pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"repo.scala-sbt.org"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240910042; rev:1;)
+pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"repo.typesafe.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240910043; rev:1;)
+pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"scala.jfrog.io"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240910044; rev:1;)
+
+# CRLs
+pass http $HOME_NET any -> $EXTERNAL_NET 80 (http.host; pcre:"/^crl\d\.digicert\.com$/i"; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240912200; rev:1;)
+pass http $HOME_NET any -> $EXTERNAL_NET 80 (http.host; content:"ocsp.digicert.com"; startswith; endswith; msg:"Match liquidbase.com allowed"; flow:to_server, established; sid:240912205; rev:1;)
+pass http $HOME_NET any -> $EXTERNAL_NET 80 (http.host; content:"ts-crl.ws.symantec.com"; startswith; endswith; msg:"Match liquidbase.com allowed"; flow:to_server, established; sid:240912201; rev:1;)
+pass http $HOME_NET any -> $EXTERNAL_NET 80 (http.host; content:"s.symcb.com"; startswith; endswith; msg:"Match liquidbase.com allowed"; flow:to_server, established; sid:240912202; rev:1;)
+
 
 EOF
 
@@ -95,24 +144,43 @@ pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"d5l0dvt14r5h8.clo
 # Cluster Autoscaler - k8s.gcr.io (metadata) redirects to storage.googleapis.com (download)
 pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"k8s.gcr.io"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240420036; rev:1;)
 pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"storage.googleapis.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240420037; rev:1;)
+pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"registry.k8s.io"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240910001; rev:1;)
+pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"us-west1-docker.pkg.dev"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240910002; rev:1;)
+
+# External DNS
+pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"k8s.gcr.io"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240910003; rev:1;)
+pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"us-west1-docker.pkg.dev"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240911001; rev:1;)
 
+# Metrics Server
+pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"registry.k8s.io"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240910004; rev:1;)
+pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"us-west1-docker.pkg.dev"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240911002; rev:1;)
 
-# Kotsadm tools (minio, rqlite) come from docker.io and docker.com
+# Kotsadm tools (minio, rqlite) come from docker.io and docker.com.
+# Postgres:latest (for database preparation) also comes from dockerhub.
 pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"registry-1.docker.io"; nocase; startswith; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240420038; rev:1;)
 pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"auth.docker.io"; nocase; startswith; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240420039; rev:1;)
 pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"production.cloudflare.docker.com"; nocase; startswith; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240420040; rev:1;)
 pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"subnet.min.io"; nocase; startswith; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:24250010; rev:1;)
 
-
-# Replicated APIs - used for license checking
+# Replicated APIs - used for license and updates checking
 pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"replicated.app"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240420041; rev:1;)
+
+# Replicated Image Proxy - used for image pulls for CxOne online installations
 pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"proxy.replicated.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240420042; rev:1;)
 pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"proxy-auth.replicated.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240420043; rev:1;)
 
+# kube-rbac-proxy in the CxOne operator comes from gcr.io and storage.googleapis.com
+pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"gcr.io"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240911010; rev:1;)
+pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"storage.googleapis.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240911011; rev:1;)
 
 # Used by cxone images, and kube-rbac-proxy in CxOne operator
 pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"gcr.io"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240419044; rev:1;)
-#pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"checkmarx.jfrog.io"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240420044; rev:1;)
+pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"checkmarx.jfrog.io"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240420044; rev:1;)
+
+# Unknown
+#pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"accounts.google.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240910005; rev:1;)
+#pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"kics.io"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240910021; rev:1;)
+#pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"raw.githubusercontent.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240911012; rev:1;)
 
 
 # Liquibase schema files required for database migration execution
@@ -131,12 +199,6 @@ pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"cdn.split.io"; st
 pass tls $HOME_NET any -> [23.235.32.0/20,43.249.72.0/22,103.244.50.0/24,103.245.222.0/23,103.245.224.0/24,104.156.80.0/20,140.248.64.0/18,140.248.128.0/17,146.75.0.0/17,151.101.0.0/16,157.52.64.0/18,167.82.0.0/17,167.82.128.0/20,167.82.160.0/20,167.82.224.0/20,172.111.64.0/18,185.31.16.0/22,199.27.72.0/21,199.232.0.0/16] 443 (msg:"Fastly CDN"; flow:to_server, established; sid:240420051; rev:1;)
 
 
-# Allow access to s3 buckets for Checkmarx One. Buckets are typically created with a prefix of the deployment id which allows for regex matching
-# Example bucket name and suffix: scan-results-bos-ap-southeast-1-lab-19205
-pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; pcre:"/^${var.deployment_id}.*?\.s3\.dualstack\.${data.aws_region.current.name}\.amazonaws\.com$/i" msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240420052; rev:1;)
-pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; pcre:"/^${var.deployment_id}.*?\.s3\.${data.aws_region.current.name}\.amazonaws\.com$/i" msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240420053; rev:1;)
-
-
 # Checkmarx One Scans will upload source to scan-results bucket with url path patterns like "https://s3.${data.aws_region.current.name}.amazonaws.com/scan-results-0aa15147e5f3/source-code/....." 
 pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"s3.dualstack.${data.aws_region.current.name}.amazonaws.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240420054; rev:1;)
 pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"s3.${data.aws_region.current.name}.amazonaws.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240420055; rev:1;)
@@ -149,13 +211,21 @@ pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"eu.iam.checkmarx.
 pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"eu.api-sca.checkmarx.net"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240420059; rev:1;)
 pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"uploads.sca.checkmarx.net"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240420060; rev:1;)
 pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"uploads.eu.sca.checkmarx.net"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240611001; rev:1;)
+pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"api.dusti.co"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240910020; rev:1;)
 # Scan results buckets are used for SCA scan result syncing, and vary by the connected SCA region (e.g. NA, or EU)
 pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"microservice-scanresults-prod-storage-1an26shc41yi3.s3.amazonaws.com"; startswith; nocase; endswith; msg:"SCA NA region result sync bucket"; flow:to_server, established; sid:240420061; rev:1;)
 pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"microservice-scanresults-prodeu-storage-1c25a060x93rl.s3.amazonaws.com"; startswith; nocase; endswith; msg:"SCA NA region result sync bucket"; flow:to_server, established; sid:240611002; rev:1;)
 # Codebashing
 pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"api.stagecodebashing.com"; startswith; nocase; endswith; msg:"SCA NA region result sync bucket"; flow:to_server, established; sid:240422001; rev:1;)
 # Upcoming features                                             
-#pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"cx-sca-containers.es.us-east-1.aws.found.io"; startswith; nocase; endswith; msg:"SCA NA region result sync bucket"; flow:to_server, established; sid:204290001; rev:1;)
+###pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"cx-sca-containers.es.us-east-1.aws.found.io"; startswith; nocase; endswith; msg:"SCA NA region result sync bucket"; flow:to_server, established; sid:204290001; rev:1;)
+
+
+# Allow access to s3 buckets for Checkmarx One. Buckets are typically created with a prefix of the deployment id which allows for regex matching
+# Example bucket name and suffix: scan-results-bos-ap-southeast-1-lab-19205
+# These rules are required when using minio gateway, and may be otherwise required depending on your object storage configuration.
+pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; pcre:"/^${var.deployment_id}.*?\.s3\.dualstack\.${data.aws_region.current.name}\.amazonaws\.com$/i" msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240420052; rev:1;)
+pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; pcre:"/^${var.deployment_id}.*?\.s3\.${data.aws_region.current.name}\.amazonaws\.com$/i" msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240420053; rev:1;)
 
 
 # These URLs are randomly generated, and used to discover the correct s3 API signature version to use when communicating with S3 buckets.
@@ -163,9 +233,16 @@ pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"api.stagecodebash
 # to attempt to connect to S3 to discover the s3 signature version to use in subsequent requests to the actual buckets
 #   1. probe-bucket-sign-vie4gezw1j6w.s3.dualstack.${data.aws_region.current.name}.amazonaws.com
 #   2. probe-bsign-jmcvig40f29rwikvncljjtvohv4i4h.s3.dualstack.${data.aws_region.current.name}.amazonaws.com
+# These rules are required when using minio gateway, and may be otherwise required depending on your object storage configuration.
 pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; pcre:"/^probe-bucket-sign-[A-z0-9]{12}\.s3\.dualstack\.${data.aws_region.current.name}\.amazonaws\.com$/i"; flow: to_server; msg:"Minio client s3 signature version determination"; sid:240420063;)
 pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; pcre:"/^probe-bsign-[A-z0-9]{30}\.s3\.dualstack\.${data.aws_region.current.name}\.amazonaws\.com$/i"; flow: to_server; msg:"Minio client s3 signature version determination"; sid:240420064;)
 
+# Allow NTP
+pass ntp $HOME_NET any -> $EXTERNAL_NET 123 (msg:"Allow ntp"; sid:240910006; rev:1;)
+
+# Allow incoming https
+pass tls $EXTERNAL_NET any -> $HOME_NET 443 (msg:"Allow incoming https"; sid:240910008; rev:1;)
+
 ${local.sca_scanning_rules}
 
 ${var.additional_suricata_rules}

From b166f19f1730d3aaac65ee63009a3b7746e061da Mon Sep 17 00:00:00 2001
From: benjaminstokes <stokesbo@gmail.com>
Date: Sun, 20 Oct 2024 13:29:33 -0400
Subject: [PATCH 54/57] Add docker install to bastion server

---
 examples/full/bastion-host.tf | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/examples/full/bastion-host.tf b/examples/full/bastion-host.tf
index 6844fe0..2ede7bd 100644
--- a/examples/full/bastion-host.tf
+++ b/examples/full/bastion-host.tf
@@ -16,6 +16,12 @@ locals {
     #Install git
     sudo dnf install git -y
 
+    # Set up docker
+    sudo dnf install docker -y
+    sudo systemctl start docker
+    sudo systemctl enable docker
+    sudo usermod -a -G docker $(whoami)
+
     # Install kots
     export REPL_USE_SUDO=y
     export REPL_INSTALL_PATH=/usr/local/bin

From 4c260a4b2509a1bd619625513035c35ff0a40f7c Mon Sep 17 00:00:00 2001
From: benjaminstokes <stokesbo@gmail.com>
Date: Sun, 20 Oct 2024 13:30:25 -0400
Subject: [PATCH 55/57] fix karpenter engines

---
 modules/cxone-install/karpenter.reference.yaml.tftpl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/cxone-install/karpenter.reference.yaml.tftpl b/modules/cxone-install/karpenter.reference.yaml.tftpl
index 6c28b02..33abd53 100644
--- a/modules/cxone-install/karpenter.reference.yaml.tftpl
+++ b/modules/cxone-install/karpenter.reference.yaml.tftpl
@@ -134,7 +134,7 @@ spec:
   template:
     metadata:
       labels:
-        sast-engines: "true"
+        sast-engine: "true"
         sast-engine-medium: "true"
         sast-engine-large: "true"
         sast-engine-extra-large: "true"

From 6c94ddbc3d538ef20e34dba25c08dcaf4c2b9526 Mon Sep 17 00:00:00 2001
From: benjaminstokes <stokesbo@gmail.com>
Date: Sun, 20 Oct 2024 13:30:44 -0400
Subject: [PATCH 56/57] fix firewall default actions

---
 examples/full/examples.auto.tfvars | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/examples/full/examples.auto.tfvars b/examples/full/examples.auto.tfvars
index e5b3885..a39c46c 100644
--- a/examples/full/examples.auto.tfvars
+++ b/examples/full/examples.auto.tfvars
@@ -39,7 +39,7 @@ create_s3_endpoint         = true
 
 # Firewall only current works for egress filtering, and breaks ingress. Do not enable.
 enable_firewall            = false
-stateful_default_action    = "aws:drop_established"
+stateful_default_actions   = ["aws:drop_established", "aws:alert_established"]
 include_sca_rules          = true
 create_managed_rule_groups = false
 managed_rule_groups = ["AbusedLegitMalwareDomainsStrictOrder",

From ba3f877273f7cbcd7f0b049d57418710999ea8c2 Mon Sep 17 00:00:00 2001
From: benjaminstokes <stokesbo@gmail.com>
Date: Sun, 20 Oct 2024 13:31:59 -0400
Subject: [PATCH 57/57] updates to firewall rules

---
 modules/inspection-vpc/firewall-rules.tf | 18 +++++++++++++++---
 1 file changed, 15 insertions(+), 3 deletions(-)

diff --git a/modules/inspection-vpc/firewall-rules.tf b/modules/inspection-vpc/firewall-rules.tf
index abb3bf3..0aabf85 100644
--- a/modules/inspection-vpc/firewall-rules.tf
+++ b/modules/inspection-vpc/firewall-rules.tf
@@ -19,6 +19,7 @@ pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"registry.bower.io
 # PHP
 pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"api.github.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240910032; rev:1;)
 pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"codeload.github.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240910035; rev:1;)
+pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"packagist.org"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240919001; rev:1;)
 
 # Android and others
 pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"dl.google.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240910039; rev:1;)
@@ -29,7 +30,7 @@ pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"sum.golang.org";
 pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"github.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240420065; rev:1;)
 pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"objects.githubusercontent.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240910050; rev:1;)
 
-# Docker
+# Docker - also used by container scanning.
 pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"registry.hub.docker.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240910034; rev:1;)
 pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"index.docker.io"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240420069; rev:1;)
 pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"toolbox-data.anchore.io"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240420070; rev:1;)
@@ -49,8 +50,11 @@ pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"maven-central.sto
 pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"repository.apache.org"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240912150; rev:1;)
 
 # Nuget
+# See https://learn.microsoft.com/en-us/azure/devops/organizations/security/allow-list-ip-url?view=azure-devops&tabs=IP-V4 for additional common domains used with Nuget and Azure DevOps
 pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"api.nuget.org"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240910041; rev:1;)
 pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"pkgs.dev.azure.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240910045; rev:1;)
+pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:".vsassets.io"; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240919002; rev:1;)
+
 
 # SBT/Scala
 pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"repo.scala-sbt.org"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240910042; rev:1;)
@@ -63,7 +67,6 @@ pass http $HOME_NET any -> $EXTERNAL_NET 80 (http.host; content:"ocsp.digicert.c
 pass http $HOME_NET any -> $EXTERNAL_NET 80 (http.host; content:"ts-crl.ws.symantec.com"; startswith; endswith; msg:"Match liquidbase.com allowed"; flow:to_server, established; sid:240912201; rev:1;)
 pass http $HOME_NET any -> $EXTERNAL_NET 80 (http.host; content:"s.symcb.com"; startswith; endswith; msg:"Match liquidbase.com allowed"; flow:to_server, established; sid:240912202; rev:1;)
 
-
 EOF
 
   default_suricata_rules = <<EOF
@@ -176,6 +179,7 @@ pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"storage.googleapi
 # Used by cxone images, and kube-rbac-proxy in CxOne operator
 pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"gcr.io"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240419044; rev:1;)
 pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"checkmarx.jfrog.io"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240420044; rev:1;)
+pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"jfrog-prod-euw1-shared-ireland-main.s3.amazonaws.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240925001; rev:1;)
 
 # Unknown
 #pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"accounts.google.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240910005; rev:1;)
@@ -212,6 +216,8 @@ pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"eu.api-sca.checkm
 pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"uploads.sca.checkmarx.net"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240420060; rev:1;)
 pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"uploads.eu.sca.checkmarx.net"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240611001; rev:1;)
 pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"api.dusti.co"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:240910020; rev:1;)
+pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"us.iam.checkmarx.net"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:241015001; rev:1;)
+
 # Scan results buckets are used for SCA scan result syncing, and vary by the connected SCA region (e.g. NA, or EU)
 pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"microservice-scanresults-prod-storage-1an26shc41yi3.s3.amazonaws.com"; startswith; nocase; endswith; msg:"SCA NA region result sync bucket"; flow:to_server, established; sid:240420061; rev:1;)
 pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"microservice-scanresults-prodeu-storage-1c25a060x93rl.s3.amazonaws.com"; startswith; nocase; endswith; msg:"SCA NA region result sync bucket"; flow:to_server, established; sid:240611002; rev:1;)
@@ -229,13 +235,19 @@ pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; pcre:"/^${var.deployment_i
 
 
 # These URLs are randomly generated, and used to discover the correct s3 API signature version to use when communicating with S3 buckets.
-# They take two forms, where the long alphanumeric string is randomly generated. The buckets do not exist, but allow minio client
+# They take three forms, where the long alphanumeric string is randomly generated. The buckets do not exist, but allow minio client
 # to attempt to connect to S3 to discover the s3 signature version to use in subsequent requests to the actual buckets
 #   1. probe-bucket-sign-vie4gezw1j6w.s3.dualstack.${data.aws_region.current.name}.amazonaws.com
 #   2. probe-bsign-jmcvig40f29rwikvncljjtvohv4i4h.s3.dualstack.${data.aws_region.current.name}.amazonaws.com
+#   3. s3.amazonaws.com/probe-bucket-sign-6n4nhxx1jt1j
 # These rules are required when using minio gateway, and may be otherwise required depending on your object storage configuration.
 pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; pcre:"/^probe-bucket-sign-[A-z0-9]{12}\.s3\.dualstack\.${data.aws_region.current.name}\.amazonaws\.com$/i"; flow: to_server; msg:"Minio client s3 signature version determination"; sid:240420063;)
 pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; pcre:"/^probe-bsign-[A-z0-9]{30}\.s3\.dualstack\.${data.aws_region.current.name}\.amazonaws\.com$/i"; flow: to_server; msg:"Minio client s3 signature version determination"; sid:240420064;)
+pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"s3.amazonaws.com"; startswith; nocase; endswith; msg:"Minio signature"; flow:to_server, established; sid:241015004; rev:1;)
+pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"s3.dualstack.us-east-1.amazonaws.com"; startswith; nocase; endswith; msg:"Minio signature"; flow:to_server, established; sid:241015005; rev:1;)
+
+
+
 
 # Allow NTP
 pass ntp $HOME_NET any -> $EXTERNAL_NET 123 (msg:"Allow ntp"; sid:240910006; rev:1;)