From 5e36e26b08fede0032c8a7f6289893eb2aef1c2f Mon Sep 17 00:00:00 2001
From: Vivek Goyal
Date: Fri, 24 Feb 2023 09:49:26 -0800
Subject: [PATCH] added support for Amazon MWAA, Amazon ECR and Amazon EKS
---
 .github/workflows/tfsec.yml | 6 +-
 README-PORTABLE.md | 3 +
 README-PORTABLE.pdf | Bin 523353 -> 526424 bytes
 README.md | 3 +
 examples/kms/scenario1/main.tf | 3 +
 examples/kms/scenario3/main.tf | 10 +--
 modules/aws/kms/README.md | 12 ++++
 modules/aws/kms/ecr.tf | 63 +++++++++++++++++++
 modules/aws/kms/eks.tf | 61 +++++++++++++++++++
 modules/aws/kms/locals.tf | 14 ++++-
 modules/aws/kms/logs.tf | 2 +-
 modules/aws/kms/mwaa.tf | 107 +++++++++++++++++++++++++++++++++
 12 files changed, 275 insertions(+), 9 deletions(-)
 create mode 100644 modules/aws/kms/ecr.tf
 create mode 100644 modules/aws/kms/eks.tf
 create mode 100644 modules/aws/kms/mwaa.tf
diff --git a/.github/workflows/tfsec.yml b/.github/workflows/tfsec.yml
index 04e50cd..9106928 100644
--- a/.github/workflows/tfsec.yml
+++ b/.github/workflows/tfsec.yml
@@ -9,7 +9,7 @@ on:
 push:
 branches: [ "main" ]
 pull_request:
- branches: [ "main" ]
+ branches: [ "main" ]
 schedule:
 - cron: '45 0 * * 3'
@@ -29,10 +29,10 @@ jobs:
 - name: Run tfsec
 uses: aquasecurity/tfsec-sarif-action@9a83b5c3524f825c020e356335855741fd02745f
 with:
- sarif_file: tfsec.sarif
+ sarif_file: tfsec.sarif
 - name: Upload SARIF file
 uses: github/codeql-action/upload-sarif@v2
 with:
 # Path to SARIF file relative to the root of the repository
- sarif_file: tfsec.sarif
+ sarif_file: tfsec.sarif
diff --git a/README-PORTABLE.md b/README-PORTABLE.md
index 81cb5b1..4405a00 100644
--- a/README-PORTABLE.md
+++ b/README-PORTABLE.md
@@ -178,6 +178,9 @@ This set of modules supports creating the AMS KMS key along with key resource po
 - [Amazon Kinesis](https://docs.aws.amazon.com/streams/latest/dev/server-side-encryption.html)
 - [AWS Glue](https://docs.aws.amazon.com/glue/latest/dg/encryption-at-rest.html)
 - [AWS ACM](https://docs.aws.amazon.com/acm/latest/userguide/data-protection.html)
+- [Amazon MWAA](https://docs.aws.amazon.com/mwaa/latest/userguide/encryption-at-rest.html)
+- [Amazon ECR](https://docs.aws.amazon.com/AmazonECR/latest/userguide/encryption-at-rest.html)
+- [Amazon EKS](https://docs.aws.amazon.com/eks/latest/userguide/enable-kms.html)
 ## Future Enhancements
diff --git a/README-PORTABLE.pdf b/README-PORTABLE.pdf index c8549f1b859ffdfa54e7472ad5b08676e77318cd..8ee8ed3ac78d6c6b2bc7bdc751687c70c752a871 100644 GIT binary patch delta 33731 zcmZsCb9iK3^KG0=Y}>YN+n(4HTOFGd+xEn^jfrjBnB2_!z2C*}x&8DXeQH`au`~ahi zi-VAjne}V(zv)=HzDB={DS1kev?;lTzz7NVpswUB?Ehr?s*{zK?cX3~7N&noWo7#+ z@82N7uQ{+24!|tQ+1UTPHWoJKe`8p<82>S{5VEkd|BsknaC5RR$G=Np`Kq0Z{;M=D zR>J=i^0l?}%zvlZ(SZEVG@4DHU5_ll3@K`whSslxN zH-?ps^S=g8wuC`QQ2-kgCqF--le43#;SXr{%nO~B7_w$KpR1bEBcS+320_H!cD{=v zQqX?iR($__xqlL{=@!HwLFJXeh6k)&C5!ZuTJ?7WJ`8Cv zy8pc2Zy=bxy>u%q^I5cdVBp1ksuWAwXw&CX@yeUsDH$o)5G&8v?tO+HHV>?;wa8Hw zG}|3;TQqj=6^T)aX6m>TT!bie)`^?`tQ#dSd?9uDL0;uQC17+^8gR>)Dou<@K++^j zC7L9)=yk+iB?ws7&JYfiL946p8*a55pzk&6HvoZ#w&Y};an7bMmK7n#bzK}ug()KY zRZ&NFOJJ1uqm4i4kU!Y-BW9@&)3gk0(~CmRNQ8)v>#CozOhL(_Cc*TaXcFtWKiR)w zTjaXm(?{A5q>45Hc20F6eiT7UoIFQzZtVBeqI*f2JTm}J)x7;QPL)-sO*Oh(;Gs!! z_?2s^e9>W16HJkE}@N`qSZTcS01C zZ#;%HC%h+|1~l#`Ggb?|TqH3JoM2SoVm208NcC0@H@D^)d;z}=tr?$u-qs@Uxm}J~&1KD0`oi_k-hB6r$UxP5XpDb#{Zieri?16@cYE;G zM&Dpl;{%1Hx?^==?weWvl%_*mICV*`2+1W0lV*?aNhlGrURKLX9DcFcddY^j5Y7k&jzozqNoG?@#nPUv6iXm zy?~xVFl!z7Osv?Vgh1ePYdy(x(Dox?w_KICpO7E7F5fBR!qM^w2`GV3B`;x&DYXv! 
zZs?*TWh=Nfd=6#N_N_5&^b6^J{3w0ux~+!ke(ulv)l;E-Td(=rIy0Pi)S!M;(&*nR zZ><90jvuOLJOzy^Jx5F|szFkIRH)=8PyZ;xBoOM$J18C+Iv`erpgzpSBH= zd}l9D%Gh9F11bvYR}o++>G<=GF?~2Dm36rp1jj_>NNu$3*Nh=kPZX(D8Y!%b-RWGr ze{@X~;dpFenuaRT!nW`!ybJ6KnV>g&DpNavF3wApWU9dF0=aAvD;QQ>$H(mPiMrPs zvJ0zVzck2r*dYc`GSV_yuNG^jhvhtD@*XxoJis)9irD9~sOYlSrVmAuJ-~^@^EY1e#VPbit(OseOfFp6&w%rw`4Fq>anq#Rh@XCH?1Fgy;U4}DB2tw!$F>Mi{~ zcTz0kDE$LEOGn&TRG*FytTnwC0mi3QTkXIy2%$=QLG(g-prKN|LtY1$yr|y@-TTGY z6PAj=Vppo?OP-e^tisf)MIbnjB;{rcC2d4PsIWw__9p$+AZIgU&Gwv3yBEv>)7Fq~ zVwfTstiZvz1?TeR-{QH(55rpf_YJM4L@5iIL#q~an@VxS+{<JqFg&Yw z_OHfY97#%*UG5bxVzfNry3Hu=n{|`H(+doeAwAPh$CrYMR9N{YqSGea4z(c=rD3{8 zbR>|u@g+;zsi4Y&CWD`N@vw{lFfa=oWJUUd+ds5Lc-1HfZ2eeWFMqS2~`F&p6w69MTs5GK5sLpvBViN z?4l=vwr`$bHB^uSE(gKM=C!*M z+0-X;yH0%rpNPrrjJND8-e7AA)YzslGGFPuWG4PANYw>i+lj$T*16!btqPIQ0*2#tFSWXX4LAn-3RfXdi#}cCzC4mw4 zcQ~Cprr{m`Kh_H z|D*l`E1Tr!pe9$Lyz6kfLYj3WVLiUr**+u2Cdy)Vfwk#+{zt9PFXI&vp<;Z^Y1m{I ze)+}OK7n!bbPVi8r*Z?zSju$o_)ZWXGnhsg(S(3eVOAArV}mggK%xqwWy9hbN+gb( zi$S0l?uIF7#da?T&x<HsI7 zvypqBy*evRD{#Ev8EyN+-(8NEh)S)SJ%mP`7=BU&TDoZUBl5(9D8s9Y}d6pncDu z=PsffnzkCzb1eEF?;33=gZVx*gi11UG zQ#(G@Kl;CGwX`|=avC4EkJCQ&faS8vIZU&6UWd-$z}jALc!@X zZP--?66y1c8vza^Q(O5oY6`HY=V-uw``(6=t|9D9r;j1PnK0GfC|C6=GcSM zLhtPA1=BZ6VK7N^_ML*Jj9U8Sr)aydMDds3qlHRw(9V-osg!+2`TZKN+mI;Y2K2yu zo$DDT9zOu0vhMdQ=Bav{Sqzr$1xHncm-}hoS1NR0VX(Qi8x!&>t#+_+tJPi1uhdxu zO4?$~W#M*yzHC3hC=v_?CgsxOB^fIJ(G}FZI^}`#2{9JLEum=tO{LZzeiF}%EzqRj zHtB@O?WIBXIBLP%fY7snA9?MereeefMmWZPP8to+ihx`h9?T7l>r--tcd15QNUWA+ z@VXG2PbI=r*d(4wQgM0Pe4SaNPGY_@%a)sS_Y z$j9FRn|=OOJRVa(6Sys-V;mVhwRQM#arTDVmMs;{%rgd&kym%`Q=`i{@XV}gubI8a zKT8f640UCEae#OVJAcU8;k5{Lc%3kOd7YJT(|pl)JCO2G0C|OZ@4VyreUZ|>W_@6< z0)w4q5n%s(j8kBBbemHB3^yyN*0;SRsx2gLoGG3zM{LQc7R}Y|q)$W_0TeL0HN8Dl zF7vHyhLHPx0pivq;QT*@Mv*rGnw;$|(o5KBN%g}6*L zlr{5z%Ctf@;D<{4i)MYLq+$)2=P-Uo1cYxXDp}^=>#XUp3ZcRV8hB@b?!ZtwL}49X5eWo;7LFotC=X$jLIhCp=o2jMo@KlA|b?1NX#O=9}W ze%Yj2r(@4nDC~zPyz(Qff-o2)uK}MHX@!9QI;HUKs>QfAuHH~;qwVb7w}Amrrg85M z;0;oK1~!^|SBHK9M=laV_&g)}p{xG|g2&!)4MH 
zYF-DSGC{QG1VHa*SUM>ZP_QbgqG`3r9zV!&YJGA{-Y7j9gAo$-|0)Ii8WVv)ti@6ALKg!jaWXX}oH|zWZwa{!wlF@_ulg6BupAc5S@3 zE7yJ>=>+EzIUZ8;=lS4zx|_CJ1fyH~8Gz4(O5-NI0Eyu#fH_G2{1%&&?0Pe77fRrJ zJ8t*MXYhGG@zW@rv!^Ds(F_CQgTa{xTquaeTDS7S_GPZRzJ44fSD`;z_0*rtWG$7J$xI z&IiVI6d1=WCthhlk<}n3geHkmmDtEUG-7aFJHHKHC;v|?tBu1u8LI-@-2;k#&F0!n z#*Rr5O?j@8(M?qv_vMw`RG|rU4O9S>hldidAG$qLpClh5iG@bFKrm%rg0UER4m$ie&W?4%8?=^1mMzIwno%9RO6*j&cw_ z`(Txl9|_1qeC4Rf45U32V6H58_~_nO=K7|2(BV5CEkKA{f>DB97G=}=xK-k1?Mvoh zdiP9(wk?~0S`1p22u}hSNm;BRka(pq{mf2_kRc3*u>u7Z2N$VK5n-*~N*%>PnJll> z#<9H%<{?C=NyW0EzwNW7$rvl1_6E(i9$)~N`cC3 zFRU+C`4I&RiRdX~?^|`%?g|)JC%b%l9VL+|)f}0TE~IgZ8<~R2O(oyH3Yi1{0UAKw zf_wz_^H*U?B@s0O1zrg&^3p31W}}Gn9X#&?=gF zoGXiI97I_hst2|A17MkYK}>;-YJivx&~Rf_{!NLQENw>h;oS7rI$I@-Q~ChRfyx}t z*;9cC6^=WY(9gs@NeHUHN0k~8!r47bAXDa$6M%?rd2h=vWS>@i4_rFPPwjyiG_Mq| zfO))KvLHlhai(@^ff>T)nQ_VKblo_GJEs{S6(qfWvO^{+2AD+}>&FfE`0bbptb^JTkRsnh0cHpxVSV&R@bFYGH8enN8(RcwIKqQk zHJDp#r|uQJN#T+CI0*Z6icsa5l~D8)`W~ZugmMugDn0;-UlnAg`nS4W#z--Lu0cW# zR)(v{w+RcAqXLptbsh)2eyn*ae7;bcd!T;1diwrhZGasfdw<`aW*=fPVL#7&MCf88 zA#o78r+X;qR(_}+NT<&|qp2VU2JtJbW*E7qb_-hH;{0?TM}sJ8T>6_TCX)C z{Dxe^k7GXut3a5Fd#pmOgZkd8OaAp-$WwftxiT-ex$odnnx3d)d>#6=53sSI%?$uX zmAzGK@qO@%Kl3}Gu|1la{2!jRKgQST8I56h0|5L!T<>UVt9LJJwq%!)o`&g&Y)yw79H0#KC8DQ~|YV{+o zJ5q!6mw=KV%-L#-bP+ z)C>(FO0q;pb?3t{)`ygxk+&O)bq;QP#{%4614T@z64Vwo5K!qwqnb&}@D1P>W0*{D z(06hw78a%C4gU^vL>#8;wD?ucqO(E6vIfaJZF5-od69PEd2Xm4?~vgv(`-C(taieFPt~nKbunRDi z5>eW`QmU7*bpwbX2rkx;%Z=$j3Hm?Knm&fl!{Gy+>aT$M44B_ZMk60J2*REN8@{vK zRLrQU+7Qy~X?FDYnNBksAvYKV~d&A0k5}tL>@{I5+A=PIFK} zT6vv|w1ggai8fGBB{KmUhc*(v za5!VMs*)~FG%dL)3aW6%YXs<ZF z%_87aby8L^B2a6tbH;NM^Y#ddac40}$8@P@%H3Qg zHNqiF#|P%Ltg5UK%f{uQrQkG9ri%1`?3O~ZV6=(TRz@>334#YStE!Q?B0aST&x#rK z;8IQs{eFNzUBpvI3j-$lvx?2RXSf20-cLBOS485 zjDX8cd*8II=VbdHF^<6C4LI1Kmj1UH7+EhO%O^4FrDvnS)C;tm(&XhQU9KbF&QiBx zY2O4gyC5$2{iX^#Dx`JPBhD2>wFB=_J112%z25$GiIW`pon!!1f_8~yhg{GN&vblt 
z$&O2VTS`Xsvhrhk+4?@G>Y+6*$7{3mwpymsY`J}JgliCfbBDg;q?Uki4Je%L_lGObL1RhWc%v&yDqRYoZ0`#`_mO4&S`E9|)nYi_`w>m+I-@N9b!o8@oe9xGI`E;5R7T~ybS7oU2KD zbG~j_ZK;!9Znb1pt{A)(`P{BeSw3Xql62i{R#E;kj&uO*T7$M@z=L^H6rprKa^xu~Kqn`OLwnHvL5lwJt&$)sP`mG5>;*dTGTFM z6Y+a#@4&g)?^X9h-puU;cJj11EX8d2vJ}ETG-aXSF1!j0 zK1by*Sc4s@whvWx{Z3G1?moY{bM^Kn^kTiQ;fn!!N1+SGbZi+o=6PwN=Dm-pv3|l? zHAM2?f4k_~-Xg$*zr%HjN%nPG^M>5F|N(g`JJ{|7GjeV)mPmzSz1MC!p~Tv@g2O zpp9?uAG(gc4$hceF!K{qS?t$Hej$FDm*){#``M#3*-tf>Q)xXjW0gNFRPS&7wDKa% z^C>kYpP8(sS~~=A32Fy3@7qa*^s6c<0t zhnA%Wj1K^oUBzb}Z3?U~yl`;rh~;TvXDF2r9@;1>MESJbv)&@NLZ!w^wlWbv z$>|5AGhx3EVey0WdlV$BXkV;K61yw1k3NK@_PjCPK2l8$W$YJbih@M~3dKcX`N0IJ zuT+HVaV|&|MHglVAW9X|%+zkn{9~mPU*M5A<`mPy$Xx()g`$<>4D;n29a*pT#E6)t z&RQJvhzN9|BdkIFi$%X`hup;sg34%;EaO`1U(`fVZrdbp7 z7|nQ0simz;Y$t?Cn#rw?>dz~aW4GitBwn{KWqoEZ-G2JG&C**q9Tdwyd6cN{vhll0La$DCKH2!*KkhZ& zy-Mq-Bo;Ql2%VTMD}VdASw^pp0Qj6RAD}U&EDPq<-SsJQPPqW<*k>Sc3Su-gPYi7R z&=p|!36w%nRYY9~-YI?{b}MZXlvpH5%u=m((HlTu3aDk&SaPnvVvLay*O!< z`b?Xg$b^~odTmpq8N|`LF#Np+YoScw#9~`zi)!_ptT>^Q+KvceGRCC;i$8NIuk}U~jp_)|E_vY+t&w`*Y0=N4LKKkyj5Uc^+{HV`NCQb7B!`%Vdq8R)A*^On zn9ijwQLjZ+xPpvY$*uy$yY*f?qZkLFpRq!SepXK>F0^c+Y_bC`*O+8pJHKA{*@tUe zd@CSbv%nag*hRwAo$c!_l)8TZ3Uj%3o2;aO8V0<3|N3xmUS#|{e*gM*^71fd(F4H7 zr5ad6Ro(xfN)v+m(eU0Wz`}V?BF*X3MRd?Oyv?&WJ^%7%Z4oUs5lEmuYoEMsF2M$s zfczu#n~+D$vz``~%BWV&I#m0C>w>)%WR`4HQ!Em^;GW}6B@QY z#}RkVVjmZF_V{`S{A4)VPhl2w4G+LjTQ&-_>I(CBmFihtWR__G4DMJ{ERU!}x25m3 zkaL5EK`^-XsrzRZ;n*Z1%DG_N9VVjAy3%T~T6>j-h(|(%)!-m0%=E8a_<9<=kgMEJ znxdR%@wJ^H@Me^VP?nNB?nX1kx+y&65;llTE8e6QYwyTtb?(N0f~}@WfTI8&^TP4n zRnMtF;<|m>Q!e-X1GeHxi=xzZ#+-qz<1vc(ESW9@EV$DQD~p%KVLl`v7rgrLUo{wej7nM?3%2rUw4asokxW4*ntHBP?YvTC>#EMKNRh9qcgVLJ!1Fd zH3KGYAVKp{#_!PQR}GJ$w4W z9%=RbEM{(F|Hkb#Gc0U~sQ?YowNA9BX!rXDbB8nbpBvRTK{ z*V??-b=#^BNMwL%HtBtw9YQWp`{gij1+?nx<@5+Q`?v$NnzJ*`zrHj6Cpk+t;!piQ zv9DbOyFSW~J8f?htPg?>!3@JVO#~sf_PQqo>vSLewKKp?ha!_sIp5RGTbGVDD$d&b zK8CoilwQkYPq2Lesg2_w$COulZQ=u4s?Y7mJnZxL_9jHXnKD{0jqmU{5(q=FGHW*=k({9Jlf2<$pK%Bc&o;LLcy*oGceHZk2tnVu${L|ywU*hmx 
ze+wom5->*bH}Smi_8&K}%1)Aa>m;qk9osP@;^7bwSWwcoq|Q^mu;)F&1+Qc)7vtp# z7*KlI6x?|LLVn%oU{m|xh^*i=@rd`=T}=7-P;l7%90yM8tCQ>dU@LQ2?ovu9&$IDq zb3Gs$vc=06q^y!LevXUzZBVbS(=U|Zh2L+{qMJ6nme0!WYzo=s@pDE z@rf|7f2J#l?ck>)nCyQQ2X~ZSU&Brzi>!xUMkK}RF$BzJD!8r zL%+tA%{wrLg{ggz;4w)=5pG>1BIG(0WoXQ6enfFyNa{)7yrF@UNy$JYbk%}2*}QTF%l{#^ZtV^o{-R=gIX$w0HP zQ_p35^M`JOjwoHrQPMmn9$l>EPH~{kG2& zS3yf9oIeZPI+3Aj#}Fpf2LrAO;^o#YcIv=)Amw|`0%?Y;Bx2v zB>T1HOqm2ipl<&j4t(ZqV16k9#_5mf9ENh?6-<~JpCG=OncNl;A>AA#aq$eUyQdsR z8GpLucUDBUnP#{c{UbK+!+6)BRbf(*?_q*OX}4uy$~XBg!C_A1N0#BJXPgQI`h;+4 z;H##H(LuSb*#nN;s8;#0T)1)1fLx!VSqT)$@yOY=5BJKGg1DWw3=$vI`~z-yx2?rm z)QQ>2AqXl=_@_+_#)@}W_=g0PRsH=9fw`m>Og%8%VknIOmM+l%MvLfY(zf7rWHi zwae8KVC}*@pkl$bC_hzHG;&MYq~#cDG#+-Id9oeoA5Heyy%H@N38g%S3EJ)zGYTy( zBEoF~pyZ%ML^LE3aER=%XzfHN{oNP1duY+SZ}*tC3vsQKHD& z?5zlP&gya#onB75MVsfx0LALH7MpD9REYS(+~ zYXivN+QJ!>TW9KzyoW?oLm+f$2to9fEYgW4LV9U&oM|;Bg`*8AHCwE8P%Gbi*MAuh zA>G*}f{&k8-jo(i4Mzr;KI9wBF1d{dn4YN2B%*`Elu?#rK_~y7jPX>eJ^pzQmQCkV zd>6l2qyb(bMc3JQ2B6qTkB_^Y_8S#s!U3kH-&pQDHxu zE?FwA8vEsd64YF5Ci_uQwFwd^mJOzPAm!(h4c0xCu-$x1ipqd{OKQTv8h9qeA7h*! zRC{_(RLSE7rIW>n>JcjXjZQ*XcV7~7-Z+EKNb`C}(QY@)8_=U1IY88KhE?24h^!P? 
zaXDF&1lp@q%>DEfBC_b=+Hx z<5@cy;u=qI^79_3-S!xq;6%+ei6CQPPU=G4*G5vZ+3hT(i-d+`wCc{7MfE&neKfXf zgY}v%<)$j{6_8nQKz`X;z=_e^^4!7pk>Z)4@xVKGo7}SFR{4=BB03^18)Sq|pEGTER-X_|BOOT2`K_bPgyMl7A0r?|IEk!AMpQwMgD{T zQ}~O4xl*!Eu0dIC~gBx&q=1~MZUA+Z=P*pk^>}d{% zK0n8=nqPP903L4#Zf*HhF3d}!x^zpbN=&eEXd@z*>%qQ39p)r1oA%vulN(>*wtCH+3y(o4dtl2@1Od)##8x>3%#Jl z0Xfs29C|KY0XvL0hts!l3%-&FPftk1YVhj?g|B_l~&A}LebkM4LYxQjpw!Og2!oD`&txyS>l9o)?G z%czll$NzG=I8v-@Cn&jl@Hc{OXG%vY0L<~-xtuy#+VKwC=kPU|w+uJ75+&!s=N!Qm z3ABvcULFeN$W?P71mk+od*EpE9FLl3CwbKZHBq~z?ieWb|6pF4rSnjgftMj@9>vm1K5LvjUc@#7NPUSMK;ok*Vy^F305dtV%a92OA0O78=wa#sKT@l<#*d7> zkG7c1PV~>lhhH;XYd%-AUDP`o0;h?6@2+k$0c}2SHO*UHog2paUB4YfT&2RXqyh)z zi@J|izh~TS5R||z{}7Qgv0_)M2ZRquDy7dCHft0(nUu@^35Z3zu%C90J-*sXhu}x2 zV}%Pg27GUQ4E~d980}bNr_Qrxr~Co8#jrHacfX-obunjKFKNlrxP_k|1IfQ1vv?M& z+|it^92*^9g04^m+&F|3U}4`z6*FUwoo9xPeeZ!Ham*4u!#RkQ;~pem0QgCWCk|EU zRZJ<2$oHCg>{ly?N~9`=G(;Hj+#wq8i+5Zh02v0ajmm!>0BjlY-cvm@E!3ZnKzLT& zGQy#>l`6y?uyt{qg1P&FD)PE<%vylw%ur(_nS$Nva*wc~&FX*20NwA8 z%+6GZLud<|6hf3U5NGg7U_3(N>N(_HGnnF9!+53jIYW~D%c^^LN|xqHGKyw8gX>B* z;tonV)6HzsBPd>?HTVunEfWJ_&;!hJibSz!DyVEBtrqSCsa!G^z(mN0t-x~faK^a# z>SSOd9Len0ZooL^1?h*7TN21AN+QUh=a3aF*xRGNf$D0^OhKNd6-$`Jl@s4?Q_IJk zM)A#Tm1LnUog(u7XjG3~h2z^=;Z)F6gM?o`UmtseL}@-Bd8*auovy_dFU9JaTi}`? 
z&$fYH{!XZ#mA&RMfWX~#2`mOk2{R@sPa9XwD4>N&4ZGO8&uf-rvpyPQY#D*1`vb|g zbvM3`r`4gtZcAZXt<^OEwu`U(M*nCzc4)Lq@6BRK)~gz4DacI*NBl;MA2kQ5@R>HF z{f0|{o!F+|JcycqT>S=1=ze9=Tijqf0J06o@ZN@ni`)qe4BD_ROPnI=+)FibFm9-KDG-wv|0~$D}Tv+flq)>q+_mPq*M+N#Ngosi)*&I4VVkV-z;xPkiR}Kl6$rz8N!WNe&%$TcB&z zGo(d6R$lk=w$|#G%c2tMsA_F9=VY%?VXKvySeTYrWR5jq&a=phYq&-X)tnE+eO>CB zrNUOR$PQ_SrDbC3B~%5#xki|ksl=Qa>qZ?#AqCL^n*7tnB~V|zhF ze)OT2ZuV05Bf1(hQb1%ahvy|_$;bQnjx9x8kf?iXf*$wLJsDFbZ6p^E=xPoGA;!}T(k{3^tWg+QC?Mp0q zhvH8o@b&G6GiLEJl|P3wZBt-i_?|8qTHGJ?5C))|R=V^W2u8d!I_BjVheh)HLA9-N zfA{nB*JvX;A2N`K<-YryJ5%Q+9C1T(TeT&*otyOQ8@|J*raa ztahdKT;@1y4_@(;!Ul3%@Vf^R(8JXAYjl*6W zn_*}r>0(uy81>2GpQ`>qAAL%y9ACiNZ6jVeGx>2)Ujr(LS8nbIzuai*R8vDHVEU`{ z^cI$iJhF{`die{|RgVuBeiY%}RlaqhFw*cVxB=A8&>B`FA z5n&*H%&B>tA8q>=mfwo}$WjyR?BQ3^I0)^{#B?^RE3LR?s#fz5cUH@uWkZWBF{^8- z7-QkC*IZEZ7-Cl${5vkK#y?a<{hi*QMpQ3p*tMrKzkCd#tXFTZnp%L>{||u+HM*PH zi{XENWQ;}u-6KXQJVb%C6QoWOX4M*6W=55;PU@*%M!pZUkeO-a51Z*80GNktmrc)D zg{1B^?jF+Ug$ITGUeT4_zChS2-c(9pEsr=Ry=imjgI?6zu|QZVd=vY$c;<#FNvwI+ zk>m7fG@EM!?$|WQ;Rhy=VW%O@LG-ma{D5eOtpfr8nE%JQ?A!y>vstN}`?udb&(@fI zwy=i-xhM$C4VR;mnZWWZxFlBMW81=k;XmV&Ah6~~aSKr3m}}<97_6bD&W~ zz3q)Fuv*P{o*wi;!uf{IL`E!msp;A#=V6fFVRRr6fcmL)_)C2sbM2ZSFXHp3(z`_5 zp#X@+9}>wM0z=P1KP7ax-ELAb+&`=;1c2`Wz)M#ldEYKZpe}cN7%|HH5pvzW`VP!j z-_iQ&J7qoUdLORF

I^TCprcWN$K=OjDJ^ts&|CUw678iYZ;hBh>r~LBYH*FzA^u zurc?WvGe2~C={HbmKpshl#7SvH

rQ$$PO5u^j#g`sjxHM5A;?m6fVeV; z(0VF0oC^OA-|0~H6ZQjV`p=T%m|FAfWGkt;0Uc8uoUB4?lon1}j$Qdf5woHyF$Nbl zEjz!ot8|*Swu5C%<}{euweTxXwAt?_b;5(cazq{{MsYi;md7?*iBG)tMtRLEJNeRT za=5K8rlW_K`=5lH+9!WD*B!sa0QS5kli#E_X_dB>Bd(TJ_#`52Hn8b1wF|_W^u=I? z?qA^w&R*r35<6S4g-l49i<`O`TY_Lh7VUde09N z_Iikx3CHL^4OGv~OE&Z3dS^r&`u0n=d!PIN?cl_aBG&sOi}dk<0Hh=amX`hT6>Kz4 z%=s7Q0+p_bo^%G5Vo=Be>+O+_wNk9P34fBM52b#LsIe3o9_sJ-$o?4ENesrHGj-9> zxFUv}s+ChIp}@OCik6tS4(qwP_r$iWu7@V9Y5P+O@hmwvb>Gi~QXQcWKg{vWm~^cj zm~xM~ZeGw{*P2=A01MHwK}i*?kDVWKq-I+m&%VX|L9sU+d;z|9FHVfZe3Kv#neQSj z4qM}Nje9j3t?u-j-1XKjt7&=_NAitfx_oYBqlbsBDDCRgS?Vc{AG{QMt?R59rcOT3 zs)>_oQAzq0JuIDzF)p4DmU&CQco41tctxNFO4(U(Q0@~v0MM>~Hhjn_H8Am6`I$E) zHH7~8P%TaY7t`rPP2)66_aZ-z&9vQfqqF`_|&7@{owBvKr(#9 z8cHReV1^q%ZFe-ff~K}vyM=j<4didEQ?T(Ce<0uGeZvLOzdM_ujiIh7|JDC@m%epF z%)c~7{h*Hr3}BW~H>1d`#-@yPu^+)>GqS&L&3m<_nEWF%r69bl zruM0|i_gAgUQQ(ODmzW9n7eB3b{in%Pffc zR716_+pbN^3m6?;I2wVu^=d$0?w?cH_b=8Bu;}E}h_#IoWA%Wl{iooSPqi)Ala#!& zb_K@;gE#P9jX5Y>i@XlcObg|wxz55u9_6)S)Ap^%WKg@+*h_pNb~2?%sHMd3~e4WUAwFxqvOP*;bMj#Rw+!Ru}AC74wSYC?6RyIAukGtYJ zj4-xTzPzTz(}xL#62DNF-UVTK$wt5^yk@mv0rZQ!Xei9H5@7sQAES5pU}+W9;a7_m z$(9s==LI-*@fILcdBvj4+(beO;9SVTVYQ#9s9f(+xn5|5?csFmpWx0_5uZyRM_dwd zKr~JD5*d-SXSHY9Tc&jCW;Px5V~CUQiBtSz5aNk!q9FHs-Z0INr-?9k&w;+?yQWpQ zfMGsUy^XF)a3iZ*aBga8E2sLd3`F(cZ=R0Yhc=h?)?$@{ z%r$cmE%U_u=MgWnX10cTA0>9^0~^VQXYVTBcnYcRjSt7SoR_#zdRb!vVC?(+!9Y=C zyW-cmx71~__Q(6hIpXL12c;UP`+oKI!>PAjhHV459no%5L-5Sf(fwc=RA6gkXC8G~3vS!VADeHq!3kYQRJT zRD?kdU_rUk?$@{mRkg|206|6r!FYmF=40s18AwJu4IK&#MFvC z&=(F$2;&->6XP1n@eC;?pbSJ`sLoHr&(yTjAj1za6CSG9g{O^-5R3ynC>PqjF{{y! 
z0@)PytDfuPKY2Ql?zzA%SBx7fOh#+7=*TTTlcqJY#ItKunVJ!n0)2*4nMmCQd zp}lM>NpHyJ%Tt5PFl)R@K^eTLT2++-u=E%ol+Dx+j0RGjZ#EcCdWE>}wCzL!W zEy~7Yp~ZToEo8P0>g>32)nWstTxy{oxKnxNbRh%JI&VQ@PuSASdi5uPXFY#IwgHKt zbMp+jE=kvL_&)-;Rs53umD>2uhiv7~BV1}h=v)~4lDRd7PM^~Tw8ss=%9u5KwW&F% z3RM&4ekkjfw(b<}cELC>i?7viV$p^1?WsakXv`4pn>lCA!g8lU1x--~6s*P2=Lc3W zV;;kX%4*QZ(5Zog>J%A{r<5D)?`pK;6Z{VLtX;5&`K#+e$!H@PVU?}T*^tS zQ&#s7fQxlQOv3P{Z!i^}Rb)k+pfkNi%iiabm z3908-CvE%cq*MRxq_+wMu@uNnxC*pkV*+w~HlZ&ivn41n#W2WbTv?iajfB0aQvz~| z3|Jd7v~ck<(Tnj zwjBO!$+|M~$kolz&wSW`Ax+du%*rK9N}^4MS-h$`VEm<(^$pOrthgDAQKIgZ`m^ze z<>(~QncBzwB$uYZb81nJqqijiJj%mM&uhL0w)NT07zh>mVkiwvlcAwc%N&*qpyiif zIfTLe&R75ya&;))q;TJycFM!<8Ad`5qg2!WvMR~D(x zo-b_)**`cK{wv=%9e53NQM_u}Y6?6Lh$vwt#t!YtQVDHklR~I+YV8GdElr1f`@$gE zl_P_Sp+%qeF|PBhDz=o0%OZp z$>)XM)G4H1@#l98%q3iTbZ39AO9^JMx&vc=jY|C@JWP_4{@xn|$bk>vJZRVB*`i== z0qdq;lYxCp<#UPAxbJ7vXKEOt@hVNxMwcC?5npmQMQFF>rPEyFVJ!{lEwY%L(QYu4 ztubP5`(JH62RxPU_eNY>GO}HJb1!$06%w*S_Q;l`f%N<5Afev~CgFBt>FC(l&j8+jM(ThE7Je za%WM-Jy*Vhm->Bg3`=bsDGS_&TDVk2r7(fK#p5@Y5QrH*<8#sZHz!_WsfJq6`Q)9uOk7;CLQ-o}W9GDI== zDH$dieH0i&83CgAN_?e_tq)~Ng65^NcD9AGZ+P!33s2U}<1ZFs&mNvsGcrei(zRA3 z?pMG45Ji~6Xm&grQegZ3j%oqMVq9g@?k;L?k;=ETTA-!dph=|mfdGR{ACo;dMMG9; z6CkxD8lH~cp!$)Lm$H^cK7Bca8@J%21M`=juQ}iD3@!s&l-t|Kv4>jCJvS#Cf09_Q zjRKX8p15fB2i9|uK0}Eoq^AZAe3~U zcckECxoUZA`tu|cg6SP%e&w=pQul>44#qtsUBm#YXtZF^qc_6J81J&3NAH{ZZJnegAqmULqP2N`i z=wnmYO5K*;&!!W_L%*#^_Pb+NdLbNdDnd92zw~Q7FsOK-W^;QBa5eejzsfyePEZoG9vIcw&3>^C#8~y<(p~-ur;t#Y9CgP_qld zfsxniBCliD8e?$0A(zfx1&J_<@G8ORsk1R%^0Q({~ z;w+Al8-T-5zlSl7q@9N`hHM`5dN7&QN>Y>io15iJRgaz%z-j5z--SVD@;RvlgfR9|fum6C2^kYU3y>!s<4Lk8@ z?M*H*VFT%%vb+Rw7NpYvAiN;Ex3gxV?^M;y7j%U}RZn)%Mlyz?#0lJ{7sk2SZ}BD! 
zx;r*sMO&d(`C^5a%pkgr!xzJf{z{lV&a+r$74>-{1pacMEi^V^Qs*gc$w&O!LZTub z;)&pVC!XMsX_wVDLos?$VLIkfX&46WaNgZzIO{u&*jhJ5^S~@z}+nZcm6r_9?6n+(^b^)h1 zm(ctjza#gB0P3xws{k}U7Oh=mN5s&yP9Y1^;@~Q$82@ZcHgbWXbpUdqg+BhE6!9zy z9`@mp>=((B)1}Zp%2CTF>Vh!T@<*)k4J-C9!}WPVeS66b*Ml>_Rm4q7`6prdC57z4 zW@$WDzKqr8CoPv0eV<+|O}Uk+%`+O(XJ$ViBJs`PemuV;_xnZHnO#D_Q8FKyU3AKc_pW{bH!u$t?1X_+Dl38~$7 z{CW!vZmK+8Gj=quB%Exu)lQG97Ja%D7?+dxoFX_66IVc(t$txxXCTfD)Ux}W5=_4v zF>f9&!s7D{)!V}}uAZz}krVe7D-gT>uDr83uKp)%vkG+pD>9?&%E!A{`jYK@*|j#v zwj=YA5ww_|! zqI7WXs_6ARcBebD#|%UKE8(UvwH+dx{L7A>kKQZw*g(Z7Ubu!UUhgS1^!F?vR*BK%C9 zQtk;se#ukzMzgdP>JM?I6}>wF-|GoU+(1U$I{}`#mq{oa%_I!`TCNQ8zu(DuCON?W z?vd$BWRwE?{MC_1rs6r~ha)*lBYgcUBO)z5xBGU08>vrLlBj7{M-sP8x)^rk) zR4CKuK089ER;{}~7GBKzN|dBbnsWumW`_QbaUrp(hXNV3hlxZ;Q&8zoZ$^6*bM?y1 zlsdCH^)nvHOi5n;(EfIvi(~5z^`p03)O3B;KiqW?dE~NQGPwd7!GHf_$9x@xsA;O!zsYG zMVosEIWn3w(*67V&+SQNgqnytU6J!E zL#~i((PJApl6oXW3wm-*WmX0uwU@M(rsr`x--gM=mlj+q8^LDyA#vrl?qF3A#z4TT zommbDg(`R@b)~8EUHkmR^@z+%c*F$iLh3&Dp^DXP3VNJ6LSlN)!t@4lc-81^G+T}X zUPHXTdd1oUp@$b1rtOj~jCM%Pl8H=as&e`T-_67&)IKIJsVy4@bN|RlmwN~*QnMHx zO7QuJzcG)XU&|r)huS)Oi6|9Dy|#n`j$Bs&S+B?6*8ARi-bmi(>}*APaai$o{uG5b zN2u>VzasbW-uL_O+DfaI?ge1v4TK$a(Ni*bxd6_|Xh}p;N$tjM^4uQ716{KtU6r6$ z&cPv5!^dsUck}t4UR^(`D&22f5hh#nlMUZ%sA0m4<=ee__F&S6zg&HtIPAdr*&(oY z3`86aJuCG{d`xaUSB~YbIF&LewH5EAWSo1t`@Qsp+1towm(_hq zMZ&J)QWJgd-Ezm% zDBj>2#L3SAI+M<1Pob%sX(nV2F{OjXGCk6-=)+cRHFu8fsSBjj7MJ@An$_t?idPip zarjtTEmV`!+VAHj3xhG>Kb#K(%R+R(Ed>=Feq1%c>mjpvwm#yOU;wz^ybvgyrCvVM zwzaxR*}s2XkPLSVhed;BoPM$Q2A`+t=Ok21+2^?TjlmKQ$w@rQ$NgGI z-^9Fa01qX-)?#Q>S%>!~tY>9>ae@fTk%n#3fr&pn+gPa^*>gu+JtOJZuqKC@Yyxj=f|1lqQ0tr8H{4&$FSv=6u4`^o zC9m`Di3yMOX)RO`M^-Sizan8kD=*1*O1{Jk%0(y(3)*vFsTst!aHf(`xZgFRQ7XPq z8Yl1=8AI#NY?SG(bW84uz>VvrY!M|B!wwY_0ueg*xw{+MWs?C?jAJ5=-h?Ld$0<}T zy8!r(wrFqLUfrb>`Y6=T5)MzLj@0%|x}7PLHGQ+$D6h1KCD*3&DvKIR|6~5DIs+ST zlIl;=1EEVf{LAqET8+a5D><*U^`qU=EYGp|T;W9Tn8hQ}Co+lR%VnYyT3_1S1QTof zt)+aF$M$=+Hw!wKd#kW;dz26rkMCZocx(mS;;px&Q!di_5n_$4m>lP5MMr2igm2A3 
zfAf0P(^h6{j;Uvl6>zM*BUYkOLTQD?6jNNIC2AABm!23szbq*9dPCsO?8SF?%pI&K zW~ndOhr=L*foTJRT}p^pffT7OC6V~YK_Akf$}|Y?$L8z#(rk3fcJb>R?AUSa&Xy&q z0NhnkBtE{VUY4%hbgR&dhxkEY70PH-^|qp}Uaisxvsy!%5@`#A$RL5A^sot@C4Xx{ z>{F;_Hun}$k6fvMkLtrGda#9X!%Vn>WYI!j!pBAFCV9;}>_i_K#os4^o5?I8;M zhB-i1wujY`H6_Ff?+uph%ji{=i5vHxn)TdT34cw} za&^B+0!n~)mGFj(gd;w|*GJlqc;38#(5QO=>{tjtEND1BR$6SgW5VtDs8_PdWLOB- zandTs3sAy+jTZuwE)WBh^hA|M9l)fT)5Jvb^d6Ptd=6m={or$p#*ZKR1O^ZLd|L=+ zZ9|ob!_3r)jV%)hD$Mj%g2k2SJ|sG8D&OCiIBAjc;fw4NdvMXc_kc1sL`N z1*URhFW?d>-}9G?C*wf~#!aZE-ud*jqAyt?P?5)xCY1G8r(=1rQt8SrUZx?- zlo%HJz6tb?9@WJB49J68m~+24E_tL_qH7KRI%j(5%eowfT-K|qp4i$Hyhb7Qu5*;h zWqG}}E5SXSadqUVsy5_#)UFLcs_!yN7O-vOUj3r-RnF65YpDvdy3(Ut2LC0nZd-pGkuuI0M2Pv^be>P5SjJ`Nd3M8fPf2Apv7;y3IAN7TLC zJw0Kx4u^X~_|r+qcVEJ~jrFXn_@3*M5z0R-dgHWebq*Am z(5mY}D^g)>-MTN4S~3Q+N)w_nqDxENa-^fCE+Iw5-g7KA4?VpUR3{-bOH}su3GZ%` z7`v?5N!v8S$a6M=KPx1t(jgd9Bxt$(RGBiC=KW-rWOuCJXtqpXt^sRyIK8WHPV!)N z_GwWDyuFvRYL`5&mWcSHoKVr0!Ke7{xAk@2j?X`qAMnzpF6??T2Zql3?0v1!=xf)f z(b&4%Cex_PB6;H7L5qFYfc`Uqcc__!x&dGbTwiG&b$rqsHg+OBz_ zWT5l=_2JiR%bu@eWdjYK%L;$ypYclR+$ng{vwXVOKAu;w_C#l|6=1w0*p$ovQ~4$s zWVu?bF}>S^){8EgE?D0TiyYfAtBSXmymvI@5R{%FG=o2S8HK!}hDVKwk1B5LX{IV} zOiv$^+(iy9Ahpz9>y#7-dEA!yt{h#*@w#Ik_v94Uu;ItTKYkMoi7JFX6kLjcAG|u4 z8Gg%W%%&>j8rT08AfoW|oUUkbFl+1I4iix@+!TyoMT`Hv5|PE=sX{Jd+SMR(JYv6+ z&YrDZ;P7)a6cm2$ayd_00)URMvAq@yVrcMJ|jL` z0{tQelg@&XvwssusX@drHX8q?`;{~IFS@fu6d3z^Ci?%Fx?yhKgvjy!BPSdMKWBvm zc_DsDe@25w{mu&%RP3+7;NMAqCEG=xk)r=j3=IF3Z5IS$WN$&PVhC?S6fvAy5IMfz zc!DZC>)ts}k@FDWGoA=A;u!27NO_hG81v;OL>sdWQvS{oj1oRmK1eA7rqlfujC>yF z{2Sr9T9-8;(wI5ze^HAg|6%)2SK(l4<6qQ|v>>jSx?2$W-^LMr9{l`E)c?_dDSXc~ z`nROf+MuMFIuMdyLB(e&mVaN8E@n(dGuBarZ0_?eUGeYi6D6d@wldiA#KG=*cu9ib z^99#w7A5LeT}K8AUpC4tmpRO{Q=1FYt(c^B_4?Po%C7^?kdu=+G8dKYI+-8ecJ{e3 z(Z{lYaYOLDFP-yrR&n#8n{m0{kKy4>KhI-+;K`-0(b3f%m?W>eMZ(7RC)YZk)ieA& z`BGQ6-5xU|^YGBA{^8FUZt3QO`DAT1$v0ja&8yn>v!+9{@3ET-S*LLu`|I@WSp;V? 
zBovx{cvcDnEHRU4U>$RRm#W<1?E{s{2A_tLZ&W>vM*LY?r0=KniN*6y;ec1%V`W1r zLx3yro?yPJ-a@te?g&O(aKh)*>dNbqlZ08n3s-KW_2(^k*za7)vSncnx*rj~%piI@ zcVs=#!?ly1RPUXo$-LdSu0!?p$7LCOY6mow{W33om7jBt9@VmC#eWqV(@&oNZfdF0 z-eNr`)&9AYvEzOmTgm5|m0|Ja;S|fGg`v;D!@KKO+N54+G0}5;3grKacn4$ju6R;H zg*&|L9=41Z%KxLo+PpsTy+O=y{PEj`D-hv{+53?414i|H&w&8<#+D70dCpMl)ZC=c zAHBB_1VtY4uhdH7E*eKix+=TZ<_*^m6X!BZ;)|8k%ytf`%c#q2vxWt^iUg57#%Vz= z1MG0IWs(-6lE8}0dvCt6EVW)sz1RMjeo2@Ct>ZeMMM!lUcyP33+3@oI@eUJqeqig= zR!bINora9$Lxn@;81|)YZttU_o%xjl*rL#vsUijGWOXS&H5m`*?y=*0nG7)V^FCu3vcn*i|ecn4EJo^=HnqCf!pLqAxX=}#+c4%>>C zG_J(Yk~@UR2n;EQu_Pn>^h*?V4$O6C3seGFYz_m!gx`;3gxTo==1symhT|R6t1&fi zb>9D=c2`P^oWLg?cr8cj8Z;v&KoTmnW3D_Lx>U5%7LiRJ86kZ^U!G-j#nX7T4d8o{ z=wgBBoS4>~ys{)`wA#j}hMc0YeYvVwH&?*YszhsR+51k6*2MDq#X!qZ+R`d%5(nD@ zcKo($-;-tL{Ht7VQ7cOKXL;1LWRXji_ftqdU#Ne0H2;Mk>uNo;{ms+5?~*RN)j%vDf0ir%%^UyfRib8B16m=I%9Z2z%X~+LMJw|m5z_R0M`i%1lYA~q z&!R5<0VJIR0|){kJC-+Z?U-lJNitY+Z4`>xUXZ0#)d^W|t0zm27&c4cb(L>l^|v^= z)gDFuRB05zqiVy8Axrea5+`jZjJ%B%i*?2QOMmaa?FF`DJ?uD>qLR1zPDx51^KWpB z+zPLBHK@UfLp=DR3yr@6_$#Ghv)M5~T;;koo29jjd_RF^CbW5xPA3Y8@|-qXp_avAZo0!Of_1cf;S?NUSv zO*Nkpm%5&g>mn{s{#{vkV&-J{Weh_XWyJU5dZ9uRp2KksvrR^hF>kr2j`lvE&#H9dTna?8wYoFxC(Ea5SAE6wSlR>rDY9@8uEW20U4 zX&W)CraJaU)+#aXaDm^Yj}gKw6d?>Kf@|-0wPS``R|7-wnN{ zG%7FHyfH^p!vt-ToPdau;`*(Y{GslKqF6fPJkFPd>14?*U2Xwv$(Xwj-prZu38q}8 zbFmsUJY0>Y27a7o+!>|xoS5PzwO1CKy>5y2I$3~^4r=7AX9;&8`{qnEVn5@Ux{b}= z?|U&M4qQ>)CTn1EcBvY3lo@*xtC3ii8Za|W*wVBv^!a$d!qz5L6_D}u{xbOxuIc+@ zcyFNd*!bSF?GbiJvc!vQ51q@^m5JqJmiR2$6uX~LdehA9?`M-0Zw(kRs~k!5g*twH zreD3US-N&y$QZHuqS}UDMPN-Z2HCh+X;UYuYXm3}?!PYU%ESb&33RzWdTy*(@tECo zCpnyO&KkRl?(>c1GFGm*J_S`YiWO1ms5?i}>}p7>Zi13Z-pN<|S*R96J#1v5xtr`( z(a1Tvk=eOcwOsjhUvhL~TUvKyTRJ|UUB{t_rB$Ec$eSfPVAlGIiij=An2D|OhCiX1 zgbHA$*ULL;aOrHa-DY6kbo}{sbV%dPAn>-Y|3!OZf*rilY9PfiG8{SSZmYBZ$=#kN zs>taVB(S5#0bW`B6~EzvRc~=SM<**Mh(CLuy*$-UE!QjF{obE}eR)6cy+3`d z#x;!qinxZ;r@s9VkraG(P?;WzxaZDi=>EOOnVDf)|MPRUJPIATu`hGL;Zk+o;6*_`{osbg!u;1LmnZoQx7|tdyN{jG-RLlPmP;>b{hp2nI2_`<7p4ap$ZIzwe>tp 
z(4Y30*>(qSJ#nLmDKkk_%ngRG)z@z8nHBoq7aG^{W2D-t?5gT7CHywBI#f2+x!c6J zMP1gAdHj;PmtoL%qL6tVK(l;G&7Sl*9{-uTx+GJ&3A%^+%Js$`dPRAf04j+WuFZENJs3tIu7^KW=-y@v0c=ugB}^1e%5Rq8sVdTt>Dk0|76K7Fo`6Rl>gD95YZLC z%v)&^rZFv<(<;?Zxyt!1l06iRwP7c&qmDp^&J;^IZ(2kOQk$Y0DCD;o^-$ zL+y&mWh;A@NUxL3h_P@qy| z6$OE_AyrZ6jV})4-(Rul6U&&a=``47H7|LZAE?q&A+$Z7__kDt6HeT~VbhoVwzN1t zC3m&cQZW3O^>Gj&k9jLbgg=(8Vv#C}zh223-cCk)+Gd=><2=lG8A7#Qz~{V>c2KK> zrKgdEA16$@zuEM?d4?bkBA7YZd#ri`@fg|#%i(Yz>rHdwsVZiOsI}TAi9&*(_VtpK z;Yg0f8?OGRTuy-mT1Ym1oNI|W7vVATccXi*QnlS@9|x9epzIwRte$2`@s`7ku@O^_ z2N%8|%KZZFiCcIFaFG$WW%IKt4F&PYQU)ZFvMTAI`)cpI4};vesv3Ox1MyCtlZLV{?!S5#Ede9;T31y6cRZGTit@@XJ`r7x0Z>1TOb zlEEsRjux!Q{LGZ<4*w_#T~!q`B9849Y=KCFB-KbYMxFLJ7i$HHA1Vfe%+)zBiw#=h zZ4})5Dgux_M7l`+G@0Iq5Qn9vK!sg?SpmCS6*d58n2wINhqBV(Ya?aWPR?t~)*Q+G z-vOGN#>0m85#m0|P~*j31U!@@H^pf|FimgEh;bHurhZ~>{h^FIWjyK?7GfcaIqMpFQ z%#b%L!uh#aZ5DFWfrQ_+sb!kzD5aZ#g%^Qj--In>-d>X=;ZhPw343o5P(#Y4giLvw zf=q$-Sp-}&(WNP0Lie#nKavTqES;MpN+DvqM`7@D-D3%tpc9QNu#_TsW1Lnw30GN3JYfdGV& zMn&;D;ZO)mr=C`R*5So#t&$8D_#KZ{(nRB-8Py?of_G(&HB_$t&x_vl&ki5bRS zZ|wBAb=Czccyn$hkL`@dy}k0U=yho+e??TITJny|cr9bE%Xp_?A8=rtw%0s3n!&GXEYI zv#LBYwGj%VA&VrZh0L!HJSR>?cC1&nb=F+4@vlC3_iArxF`#w;NGU6x>qc+0kBvz( z?XloNPvX=8o)awS2twLG1gq%9_pXomM};rGPuRb}D)PpSO%uF&cJ=B#cL_bzbJh1n z@s%t$Mz*@N_u%?O#9W(x3_M^?cB z#k4alT_n9! 
z3O77iS`E|3nU_f^U^g>R<()jp@GG9{K({?>Ec~82`)FeqhJG!<(#pKBwUHKBZWRq# zHDGo;Uf(!XI9}fLToIU({t|zr!#Nb;M>UDu<^f)mtZ53^d(nKj8r)3S928( z7E>?vSGk64xvB5%##A+jbaWD}(qh}MiJ?*mLR+qh32?QVJH(e2hYA$nXAr2nvZajj z8bboaSEhMYNiJFTvWO6j@)n^;ap)!h(mMYfhH?Knk9Hy=;l|;fJboTu@dC|@6PbAPi6eHwXQZZ7s#%3TZ7y)F{v+h{lu}LAC=B#&LH^1jjd`F4 zQDOPV>w<=XK9+ynNoe@lX6`d5jTgp5A0h|+2NMOpcLQ<7M9*Kui9pd{5hFAb1G-19 zVhnX43K(Gnh#d28_-GNR2$+5C%;5wUff56KM}J{U=t8tGxQ7339SQF02J!#iwT(iZ zm5=(>I=>!7AM*pm|4nX`DCmAe{@S$;x`|NW<=@S-=|d#I_kd>`)>(fOM+EdKfr;Jz zxBDFh7Kj2loO_jy^&tpw3-}qy?>xZbQgD%9d(_W(oR_=$<-qDQfFLnzKA>~wSQUc) zjSUjq7Z0)lQ^B3>Q9q+PFYt8EhT6%?++5fZtgGejA?)dH?Plv~XJw6XQipJ2bbWtC zWx;>rk3@r+=n!W$w$58Zo^5ykOW-qa7L|g$*8krcHY(vekKFH4frYL9HO{}vZJkMV zmEOVqKdlH`JDXcLT4TtxAT*ej+P?zEps@2!fqqQUU$$`OoBJgj;@lYic7C#9>J1_C zn4uSc^$FbR|Ep*iSVK$X%)p?ch`;MwiGq!s*9<#*f6Im`GJ-JUppa*8ak((QVB{Il zo<14z!P7W8>H;3n!fyQsUg3K|74`vDd=(}4A zOj%Ywd}7(kkJ^^ z!;eQC^9ut)yQ+DTZnL|Xn=W4@Ls9q)+ex;CQgw^>{q}rm49OoSWN{XV>A`J#7gj=u zRr;$(uat_9Wo1U~rMEWp@ATTPW0S^b^47pe*h1Kwvn1iq$3ax~ zrm8B2D>Yf>hORh8H6LchTy=|vWAaS>sAMn{&`U&a$P1*sxU-!6L(oJW`I^>KXj%Iu z+Mj104hsX-qE-K;lMf?Nz$b;9^jK zF{v!>_SO4c5eOpdk&9&&G6as57dZTBNwn}(iIq8p?o4X~CQOGmz5@fd{mDCskpDif+4v4o%YLNuMrLz-QlOXp%ncNRuat z%$GLr8s#qaZmqB<5ar-h73;o1D^*r0*mmdAXJ4RoiYo#8>|KAl?F>azZ1-{k>}Mq%W>P4BO%<~PjX?99AX2jrczr&_CG0aqDR*~- zaeKvhgKh111(enKHif%kPWYP9{n_sy{@}YS_tb1d9H?b`7G3f+K1?H1(x|K{`PRDV z(mjL;g}bmiSyO9W3e${|n{QcL9DejI6&!{6|JH2olR`e}m zv1F{fH6he@-5A{*NUEoSDN3QB1W(!PJx8qj=Ff--D+wyD32^sf6XT}8z3e()jd<9= z7R~X|-2kAyOt~rk**DzF@uDJ|wZQ02*6Y)5hIMpaVeFm?jD%#axfF8|vW!KL{zuah zbMNjDbcVvHzDB}rJZK)5-PvsR=%an^3K6Ts?f8kfY!fj~t!_LUbtbQfeNGlqJkwp}%C@fAI>GKhWVz8l+Hq0;vN4tXQn%SD2{jpOi^!gam^ z!PFoU8D-Tif*LYRt_=4zxLz#S^X@{K0J~G0fR>)kAf!{^=(Rb`!xz2X2A@($s}C;X z%kAj^6UeBSUxx8y32ev($H6tzo=)mG@pkS;vB>wU+tF)looM-zYmY`v4!?nuWF~4&g-w&aAMqJ>cgF94S82`Z4rPSQP@a>LM?{HuSAU)Vms_37NELn$(GZuyJ_u z5ml@1R5n^PGIpi*YrUpgT`FE@RKq%|dd+!xZ3DGkK+Wj6idrAJi0~Y98l|?os5|4- zaUyFR$q746FTeMpDn+YLPeSKa-*A-6()HsiXVEdb855HwJ(oE3F>9MH*?AIXdfRc} 
z*LkP5gAQHWvHGgF^rca*=+{Em2BGa(Ec${~k#*Owv0=~D^21S!`5hA*6X{$^aGFpj z!CB=ENf2lvF(yI0rFNaKLYOqj&3l;Gbh8*a?U-Ovb&Q-mW~^=cWS&`g=3U>+q;K3T zj+!>99kfkIm3cm}qLN@B6cP(OGJw`wNzn&Z*%0WCGX;6>OW7bVbKIEOO&P)NJ1#0= zm?4SUj(pI&uN2~R`E;eyXQe7 z^LNa;l9@}r!z%1mVzPM^EMQNpq{_aR%-_kKf9xf<(u#1fI!QCF*XWW5kYIc)y>mX2 zUVr$u2?bh6WjK#mL0^O_yyZo_fh&1~0V1Z@g7##%=Ihq@)u0hPHUa&xiX|0tU8hyq zw1Yv9_)b<5ycy*VZ`f4uc)LXzn$U2lZbcb>Dp-0-dqGQwgqw~OKcx4v-rK02 zA&*s}*hHqQT2)xecG@8o_Jr{{{POzSXyH;J@>d2G;Aiq8hXSAxOVu8iuPs4l&T~!U zVhW^<|D&yDgFWb5EYTHwL>Mb6`=%!4Ru{X~gR?p9ajdVe`q;CXybk`pL49NQL{2?> zsu@P>zL|;&dl!9+?|qu1pGb)#qp9-1dLJfUi8^`?iFs1=k#;d_t^`_ikk*&=r-ec! zTJk6?e8g@AK-e<#)QG)z-BG0-gbDWp_^N0I3oKMPcF@3|D|5?l4c zTmeq1MPpp6xfM;#>7$z{kcnU#awQ0C@lxuP{Q7dYF(;V1-Al<8p#9h+UyR>o#oIKP zO?HPt(bIDw-9S^OME+yBkloQW#huK+9H!;Zn0v#TO912Y37_e!pN%umQ{5kvZJ@th zELfAz@nvbAZcAM^W5~TFkgZ=8bYmy0oRi8S^Jb}`T;2!9Y<>4ylE~znr3P}9OPeA3 z$lBgms++vK)Hfd(i^_)#QZ+0Y9pr*z@L|zmZcduBZ3Ie$gZ#9BN3Z`fr!0&Clean) ztRY|^od+b6X6d{7S`2;*_gy@Ao3>0@LY$>v;cL-XcS|2BNUi>EwXiP{&<|NgS z8Y+9<5iC&Tw<|la9L!EaOy05Ry9|_moO8MJX7mB=i*DC<_H>Xfptl~8=3)Nk(gfB` z$i3qGz@-GN_O~855-|8x%?t{(y2@}7zwt{mV;3sQu}FTSm!o$bIR_;d*e2^kjZ2-z zZ>)9eUSc#-o~%f^)icWGC(vF|n;86j+v0I*m7U)D11LeHBL4>2d_%pWvAs}lVuNf+ zO0&1Hr{^5MRo=vmI{1pE4Zm&y*;cFYe$zQK4+zp|Dv`pMpuV@Q+=NZv?C0#?v6*S~ z^!ux2nmf5p{@06f4au4BCdS@1SL!*uZ_&Qrs9#%a;n1YZ;nW6* zYGIl#6TjGOPiw|lk4*Q(qnIYru<2O>ZpN0d-Z5h)5H^Uro?S}cO1%epB$(`f;bNd{ zvA-Q_(c53kjN7t?!p)kMVsYpi+*m~UlTCcjK*gth1KebjS8Sy>vy=<>*G--ac6QV% zbTT`ndi7OAza*coV>m_&YH%CK0AHW`)=U~5ei*s@?UV0IcYW8dTc&uzLjC*wGmp4S zmv7hl8?5H5$kL>^1~;FGet9@q_WI{eW~b6t&vlU@eeON=rd$nqJAgT^1Ix1{gDy}bgPr^=}>IF55ELAI;1?IcD0o8La8M}BOV8hce)k{(XTZ{X zzX4snAS`4iM8fhe&K}mz9`0bCIE=Xugo;swNcg6?8wi4;P+%o1Eoteq;G46`Rw4*Y z9EgD#xCe=r`->ykf~>Q%3rKGSJ~o2rppW3!3H|GIRt*aTil3c+XD13fXLnKb4|W*G zd~8O{QxAwPM&dr?BAzIi3SIj z3$1e&7erA|QH;iY2;Dgc&i{wQd0+k|J;uxj!b0$O+ZZ7g2>owDBVbSj>`Z7Bmm>5)bgnii3UT(|?|lQG?#~Q?1pS*dnAulg2h)8Zl%VIP+y}xWbWR2p{ne!C zub~HhK4*iCJZE6?kMt-sX2S;pr9%FS#epHf@TN2W0u*LKlmO?Wgh7q|A{Ev*Fogbt 
zCL(@bvKtKLg8kl{7)IY0!b0^+`$WRmK!1%p6m>pG7?~Z=C35@ zwU7ylbJ6}02@S`%Y(qHl(dVkc#J+-1*HP6$R&j99B4^GG?mDgpNIo_v`n-dndTzPs zINMpeSXo0szZuxe-km9Qm{#&XFr)~m!?WWb z9&q%T-oOL+9Via^>&}3`!N7R1KZp_Hpt}>)-M{gWpmXovFc1#~2aWLGc;Yblzwm&w zuf;_Wzohw%u{c<;{XfJ=umZ)u8U&e$fpK~Ng2CXTqJIhl!jRxB@+Te|0sI#zj{LKC zUcsvS5`?%2{Os2H7oG?VE%FBp4u`?O3FsUT_`5+6C~`Ip{7wuu zhydNo|AN8cA|U5~!@xYAqVPXD0>b{&W3WBcA6f-qpv9oh?E7Dg(PE-tF4I3@$g|nx z4?HyL4{agPVrRKY|G*O$0ll7o!Vsbe;6FgrpW}%@i;Mrq2*qG<)SnHC!9@SGeuNkd z_2-=fYC&A=Z#x41x+M`}2(kZ2Erx`HQ{lg*7DI}jO{QnZ-$REGLn6_C*arv`6ZsDe z1w;G+0}x_hw$wk>DuzP*M+;)0NB<9EkQOw#KZQYq_WvK4=zj%7Bf;DF{Qmo=C*oin z?jI8fLR?hzzqg$z68aZ%)-LL*^fBFH}k1Yw|Z{ua>quNe`X1H}KZU?dC-2mV9- zND)!=*{{m)>IY}jv%&ZiCL#jE5dVNM5P?6FS}rc&YDo+O`vGAgI;DIN C*urK2 delta 31585 zcmZs?1ymf(wl*Bx-66R9Ft}?75Zv9}-C=MK5Zv7%xVr?0;O_4368On`&bjy8e|@v2 zS9R~+Qqrrds-OKV#*!>O631#X0s$NV761^y%Fad)08oGYY2le=?2N?>oJ~k*#CU)J z;Qy-p2pytgVFG;oSlCH80RScz4sLEP5*BWbe}q61P8K#MHkJ=rvalTteS9jIAu$UR z=YQ+6edzub{9nZl2#k0&a5*wARwi~54t4+&$G;tOGO>R|1CnrXurYD}kK<%{OBl@f zHVXWBLI?*EcDBDB+1a`N2@ND+XW?K1eh4^$|F{AEt1cT5!DK+L5BKaq_J1n^fvo?o zH#;l$f9d|O`*A4b_-jZlJT@*8Hdf$2X6z)aTtE^wHjaM`l7;MG82($|?BmwIodUVI z|EV+Z9}89h+dtj)uj>4-NgcEoF*h3t$4Aru-DocM|1_GL^B)KC(lC}JK<>Yd`rp1` z`{<>=g8y_({0xj3hzkf15Fl}Kb~G`tfp^b1(_V^RYew_AsG4;0vu|b=Ld|JgOS*C3A(~& z@2BV63+lr5%S(*gyZ{Vz-`l)~_{gadxT;KD-zD1qJp^s|;&=`31TJ)DG+OhfOVHN! zH$x)2&w#=|*A3n%nvBGcb9wk=l}LzR+cq`qDil(Ut!v>d1SEBs$ed(G8{HDB9(*%5UChC?e}PZg2hl! zUk^T>Q?7RSXF^V z6dB*HW~;u4BRGD`fP9`Y!j22;A8Rf>Lgj)y z2PBR*o5-J8^Q|7UM%--P+r8g#E|DBZ!(6682ie#eH!Wl7RUV^V%QZgqPAv;SP*EYU z%4w&4z^}Duq6oumzzAt!Ty1|5AnK4o^KNd|%s5szFgPgfiW z>9Y%E`gAx$R-ytF$(OnQ+U^>Jaj4yec=_lQSSx2#(II~cTogLKQ7|Fr-(}aTxXIG? 
z5ThPE)aYEAfJU%9ux^!p00sB32kx4YsLV2aX*bN$v<969B?2Kf#F#{Wl0`4zrl_(5 zVe#=8q1Ia>T_X=Z7a9lXR^l{N3APQY>xp`@@n8Lk?Vyil8+DwC3LiM7O5F0NLEMiC z(U5h2a0>Rte+Tzn_J@;_aXH#}EAU8v*ga-|%otFDhT7{hCvUUUssl@}l8;>mU(7PB zLwr#g(i+eXJ||_&PzEn~lV+wQo`M=D%m1dxM<#^6ICMu?8tdOqndDZqkCX$_P1CP` zK{fO6cGkfef4apDwRq)O(ynlG(H0mW!X*CEf3vBBN1DIPZG=TR9O$)JzvX6DyUl~4 zW4=iOp03h{k)i5IEJUSMfvGu=LRU1J7EcUshtY5D(^No=>5UV}sB6|~;^vc^ zI9?yS1r#QHR4q(tkr+0E7Rf$Xd~vA@r3h^zly%{}O=K$|sJQb>*M0vm38Uw8L(U+! z>|1LZvz~GNV`{DN;0{qtwH#6Ug0bTYo)EG+GjW3v3aFLt1Tzm4MN})&aUKsx2qQ%gHi2f@d90yo z90#}&@aUEFdUg6>+ZH9+m&L|jUfO^`x zHJIXd?Wlk_G(i^t=~#QwMr3oEYPN{1i1R)3jT$)ZIAg9I^}6LhMNhWA%wxmPw##VN{8mf-4a4x+?dM0W>6?q| zJU}l!v5K@LP0_Ek^&A-*t-nqMHv*If5aI*wj=eP%VH(TBYe~y)6-UI;M%Q9BSX~}; zX?83Z#u!^oYa8JDbrS2-tE+xFD#V8J2dBw}mH1p5 zLyPVv2i|$7T4zlw^Q>#yi_H|k`pVs;uaomz?I`fkQYDVmHatBHv6rghYE77I?$vSm zFSZkIHZCTCy@Q`p#Wn4(cb28q&BP?ovQwHpzP{yvEL-y&+-jk^U9f#Gx-G!`MC9T+ zVoC@`f7&e$&Dv(ZDxL|+8JVhLR}iGnkx@m+pKGmwS7@BCvs7Hef9}~jKOUDOIbAj4 z3VEn$Kmr+WRUE$VM`>ILS6-aPld692|I^7`vb>4Gu9-!jF`v_N7)Jh$ynOtVRZvJt zN~PO8s0U4ML)`F8Lfy&BTK6k|R^eCJviDuyIBUV6Y%8jbmZj$8ROWNiisP@N(!Wm@ zJ54w>+xg>vIOjnXjzViNL<1Qi#Qw8Vix8CKYEq1d&x%f$Zx^wAu97z0) zy9=wq$?EKy15QH(lEw^sE59+ankk9;J9C(__|sCRWPT3jVUkj{JfuNh-`D3&2n2C` zCJ-2ZhqhL+hmDxD`$=6@HL{1AK*82`T|1~Nl8NmR)q`o`$;qj*@9-w`2n)ORjpe+a zjd}gtb2jY*v$0GXh*^T4T$qU}Af1j%5NEE9zzjOdCrECw?!jvGvaDT;XV0iizebq9 zHr}yW69rB#mGjiV}zi6C)v%=TuAq?^tgsCdrE{)xg z((zsERNS@O(W-FwflQ&;n=$kTl5Mgg>)~OcfBW^Id3QZk0#@4Gm8p-GLkY(vnuaAQ z>KukG-kl~9Kr75Tii3L^Ql~;zB->Fe&u#ezpsJiU2lsc~N z>x{oz4vVZ$T_fE}O~ZQJqEKaUOR#cKCY~hBkCkmQN!ie_en4D0L+6r$)hbXHEYU;_ z)SufN$*^{Q9*)%3-(tJ_gGH!!n50b_x zJm_<&248MBz$5fSVw@R@MOFZr7k@U>2@L`wlVNM>w+;m&)Rdp?l*Vuf&=_<(f7639 zr_o@GBF^!zfzVDauE>C3hvmxTu0jWA?DMclBat#Krv0hppIx*r(5m6jIDN`qJ;N}H zYX_?jE{iI5*!mXiWw7b?1hY}tS8G~Ou^!lF{p}Q8TPAxGPjtEU)B+2X@GaJU1yao>(X0%y7{I(`Z0HL8(BLce_|7BvZ6nZi_%>Y&E z;t5yqIXIw(5sZC4C(E3?n;3e-@vTs&+$YGxMxzeOu_0Qh>7@zEDYgAzaaZuxK639% z4=3w#O>p3ACZjY6k#DTmO^egV=tKmS{z8C#Ddy)2S`VVD^;(Lr*$Fy?xz3*M$^mJb 
za;#+@;XHSKBE=5(Pa$5+6b`Zm2c7E#lJID6{0f_BD4h|gKuD*==RJ|kOY!2kx3PU+k5R^hx*3_NoS*VtC! zl|v=p*j6z8iF(}`+Ug zn($}$sH|K$l!3IN6du+3tJ^LS`?bu;`p(K;kY7>5x~Rh%t-g*gZJ?!Oyn^iD(2~}Q zhkFJT$?*bC@&iHLAa*x$`RfIzcJXUS4+tz=$BQ+78;b|T24G|VznkNgXo@DJkInJn z!6&WxKj4sHrUPxhvh6|w-C=}~Mi35f#ITYIWOEB;XK6YRSsD+m$Ig;@$h6p$j;;=! z(-TwO*(i~%j6F@*AdY0=c9*57(owN~OoAaHfK6lhPNHVqVT)gwVf^L`x zH#RN0)F0uAdwlm~@2-2&^)-2MyNRwQ1bw+0BR4?Y-VcF-Z`WNAjT65=$IGyFPlOhl z;>0}LnY$v3;QVGl3voVrv}*hPn@H~pxJiNFinyI%|I02OWgUH26bY+F`TNeGw4VnN zsCS^>G(Cq^EBRE3_R;ufi+X^F6o`c=6N)MG1}X5HR&`B(RjEx6758S~l9>^o!6LhU zbO?PS0F%tnC^VpdHA~Dv0gM8~gv879hE62Mesf2!%e=laN!<5>`Ms)){+A`>oOEE3 zCU&wmk`&*syij6xq+gCB+%h*Z4FQE*1emO0OWP6KD5Q3lWtkQPEe@A(ryx;h5!@1{ zuwzuqG#eT9ohld)Y_PO0Ua4Y8a5$#&D>z7O!_9RGMIqK&dCeCNa&Uj>;(b|MU7*u< zN+ARe;2w=LI&24qTc!uNaNHu#p%huOBx4#ytnw0bkC=CtFMpT?fZ{&?8AB<30J~h- z5&1*~1D$uli5NjdBF-g$5tKm5fyP{}Kr5;GQ?a<>G8_3_d_z9^OwbwbPg;hgklFP) z>N;U>o9N>WR}e8LB*JIAdSo(O(l*!==@f6sPgyC_Bi~TnkEviGIb9DvxnxL}8@?o`dZOp<~|B?iLXgZ%}l=_fipHKGZ0;qgW z#IRXyG3v)HFG82IJ|wQ^0)|k<=GNbreMn$CsLz_=+BXGIp-ThriGuunlJ|u#8@*y( z`8`lQG?%d4P9hqGu|cH2mLkKN4HtpT4bYfSwVKdsmMU&bCy^-r7nz`Sk%>| z748ps7XmwLX6-Lgp=2lr6$HAFrd(cVDJ->c&&rOZu-4BN2Y#DS%yEiB`En{AXutfV z52aYbNVGYb0Yf3h)hg1Ur-@6tTQ`cd(Cu%gs#cXB0wDyZK>@Nfe8vypbpQMh;Rb)k4%V>}o1KMpuOdM}#~@*Uu%l=U;~K>v4oX4PTCg zqe6SDQ-T`^g)T5b3dI;3?+L?3vUz3;2-~Mp!GN20bBy?)2AwGUki#9?q&^U)kvK`b zF~?0~w@g1@bOT*B+!J0`fq+%S9yX#eMZj+kL`B!{ zQrBY@NcU@jm7)N^0KLM>49)Y&7iD?rD+-UHgP`SS(9c$}g{m7Z?@0XoyXQkRNDh#o zvl}h9!0PpxWhWGkQqN+4$S#$K94qEooVokSpKj{_gon}n+Hgh8Gwo!|bO9Bwb;m zmS!|K0B*n%8&MvUDi{kqL+#qTpQI>gWGN9h?v{W8IJ6>6QJfGc6uA4vYT-g^4_~m5 zFM5HI0UoeAaXqSs5%>vZrh#5_f8=KnzT zYe8F{Z{CmR80`~%S2q(dE5OZa@Sejh7l+r^ldUR1Lf75X%GC`BnOKlG$?xs+P~R_Z zxYR& zUx|i*h|xIi7+0uulcGE~??A4_bUg~>&md&!!u4~oriZ2N?Q|YZ76$dHLIb;|Ad~5( zi?eVag5Wdw2X@vSBsE06DXaQ#^Bo+70+x)M>eiohW%n9PsDEm0Zm|4`n0&c~_{uk> zXe)>`MuD%-rT|e9W>3V-Hf1H4wbbDsQd4Vu2~NQqk@F6_HUOSIdk&!;y4s0ysST1i z!yptiTXC9QuQ%I95Y&509rEFCdb`Z(y!Zp!eiwA`8fcTw*HLUv?lfP;N#ee0Fj|UB 
zOSf7$FC529mc2lD$#qRScs~qZ#xwx)+tRe|zc9@5?rD%xgvdr%DYM<*8GJB$VgU zKGb@PL-a3$QE-CKVXP`7S?S7j@E2hby}Skam(kzNRXvkS)J93KY9#o2%~MkX#8DSW zNsnE?4Pxvxm59IqlZr+7;YG5_p_`vXqU>lpk69t2$aLrx+(TC}LlHn_f{QB?_FMqlnB)V;+3A2-3l4l9QhmQT)DYCyA@F1yk}i6e-u)T;2v=L4 zFtmI>&PA(5_}r zYjSOgjW6a8h5e(m6U8BD?5S?d8m@pvke!)l)XyDT(TP*^4RLi?YRk4Z%J60)GhPh? z6>dROl@1>zEsKQdVx{JRUVV%Mqe6_FsT~3A0fGz+?ul`$?D3Kqal()993eI!f-2GxhO98nn&e+juN5z*SnChrxOm+!bWa|J4;I~yql|;Z z4>6qLF@1`s7~H`xklk%1M#9vvo5J4PCW)*^5^(@`0lt1GbcOSDPmYk6z_OCPiqktb#JJvzBFy_YFtx=qd4 zp~D|9{dTcCYt^we(45Rg&*01_qhF&Ieq{cTKQ)l4?lp-qEqY$2>4oR}H7nHxZyEyD z>^&~-LQX>*BiAanPdH6EE7m~fu6;@T5)#P|Bz8l#BbMo~0VPh+m@7aqJ5pp}O|Y@e9@mccJbPkoR! zeS>|xmumI=zyDF2@5a4~NvfPvt|0lXv$St5vv3@(is(hz(aBL1rc~=)<$QMN^5A^N zaIq%g(?}IDU2G{v{Q0ZH?HbvO`^}KeH)p{-PnX$HG@p1G18N)BnsdncOvk!& znSR)s1=I?;Z=gX06Btlby|W{~au$7D9{NjyF~_JbRhP!l-?STU8ak% zn>%nXEB?SDM*BTD4ZO_Go^C=g>ejbY;5(Kq1&+mgAHa&ntg|3-uiy>7LUQhGr zYRss;gwiz^JfQPsXf!OFa_J?dV}oYYX6&j!0Bi-c)(WY29o!0em_l$k0x9%IQIp?p z!USTU1f<#{Gdbi5VQTPw5U4`Mwc4%t%6HV z(c&mZ5Q0h_N&Qh8ln`xkRe6X{c*4s97N(yQC%F2-vqj%du;ZT(Zl{u|M8y{)}&4>M^I;;xD0P*y7AyYK&vs zI^~*^TFEtkcEa-27;o8B&a?`#f9tL*_FFlS+n6k;1iv6iK_`75aM{-#a2s08p1NLd zNRD{Fm5Q!|s{o`ZU^-d#B@3dFrxd0ZZi7w)b~>LvKWMPnVnHyIC$c@4e@4rk&F~Hv zcU{tkWif9Ef`6c`hFc)DDF|Yx0FjmaiQh<>m|gyYTtY#FSflk;cJA* zb&+M(t3JD2R+;fVBm6M63xE1w;c|+1A%`ge<1;F|+#FC(6*Eq*%#f(TfP~{2$^A50mF8;R z&fg~=a~ak08~jh}vML(-6M9$U)|khi7-yofjHR2krH%#K<)1xxUCTTA&zru*AoZNr zAywg8l`*q|9+oQA;7!+~&v+6SLEe3}A#{n{CpIm%bi<{39TdguOv93Ncnc5G=6!N> zSGKOkTGlPLWsRi^Wj2jPo+m}X1kXZ56Ps80;=H&H#SZo}P2?)Yj`()FtMnEZ7vaeM zzHN-s`J+=Q;Ze&>nLS#n?_4pm;GXcFO0S$`&6-3d0aaRMQUIj7i;%CLpw9=k9nY?( z(DX3G-eP&k-_PSH1XQ3k$I+j#fJqkX^y;muBG{VczwmY-E9XDLk0b+5!2dJJ;Edd! 
z@FTn6Bgue`>tBdG7YQpTHwilc_^%9ze=-dI1L=EGvatN4%<=)ve}v%TU?Bkl*gwqw zCNi*aa{Z0L#qrlhCcc}EG~SC6A^sJLlZ1_(?Y{!Be`FZ^tt-d>g!xDVpaKW7CFk11 zP=PpE09^m)YlhBBv^BS)PgT{BS;6p9=L)*WvC^7ZmVeTtpFdcxEk($Ca@Zwf65;O= zzT^<$v7^$`kp^buK@;xJ_v;=_m9wCx$hVg@LIG2|^ZtZ5JJ9RhnczlL_=CiITt_PA zInJLtPOCl_r}-eSdeYT5&?~du`z>eFdrsZj+9at!@CAMLCR11bx9!Z!Zln}~_XiYE zbA#a9Yn5Hsdtlq26Hv$1-LP(xdEOrM+pR0}a0tPhpiYr+YjDT8zcJhWz17Q#{7jSH zquoTu7-H-x3$NP_M&8YDw#lb$^uQWz*9;F2x5O3VC+H;#j1$5?ApRCyglsLTks<>D z@zzB40!1qwn4=5&>${McrcpvYEVAr0?N+7*p;nLzpvl6?f@Ijx@+D~xp)~uOBkwuQ z!>{7io^-;{qX_ls$4dlIGq2ezU%WpqliH;(Vv#IeK`{}Alg8-^xlunljWiM`s@+)B*_5G%3y5S!^f^7-D!lrb?HqX^ zDxzFn+wA%!h@r(wa7+8{v{Ve>oGYT{eNUA8MQnVWyF_jei!o}&u+@f<{ zBYq(M+%hPRh^s%R8nDJ~W7lf)HJs7ne0$rI@fMTCHj7J-0BsoDZ0C_3I`1tJUU{58 zL`9bp!;vZE{~|cn5>a9xXJNojaDU%f>0(jZ)p{Yu`1RPP7-?qtM9=@4Nc1L!@~(HZ zMZEEr_2w0~c$uqwgD+(@&w9fB;CY`0c9pucZo_g~z&=PCfOhD%pO^j){Gp6Cor#nR z9wZOHvnoH50g~EZ94nCf#;BT5p&xNjnLb8jn_tBRw*(6z5Yxe)z*eW89RUkWmesiwye-holRTGB^&xxrM^X( zp|6lb1Iaq|;s}u*=F+@X$dbOjwo-nYwhLF7D@PdSQHP>~&IZHjn}RUv6(!E(B+A zFYE;0!;3szvMg+~yd;|bJS{YJ6&9^Fy}quU9e_YDM+cnnjQ9`|ZG1i^KQ39}oRfl9 zw{5`*L?Fqin@_1*J;HByjzU8k(3cOSK?m-sml%JFoE*&s`)_Y5J#~5CEV4e(Z!gcz z2N32X6k}Gft5{x(HXo*3t_;o2KnznJX6S%=Q`y^2WLa*Q=zA?9JLIzsqKYqps6Tf0 z$!f~UiL~ze4>q(R5y!Z8uiV&^450?QrKtQm3VX3y?d^xJfLdUh5HzrmAmZGz z)xUhoX;8Gk+x`HX5hh@3R{_5Q$-6xA8dNPb(C8&s7Fj!6c)R{OyLzjDB2a_0L9Bhy zX60t1?AE!@K0YV-aI$`IbtiCv4)1*K=5Qx;gBg!Q-?^{C#_2I!PQ&cAE$NaqNdtcI z9DvBCNMz!^Otojtw#{)6oZdcZ9KCjv#V%ZfpRPMdIoXX6pJG?_dt06;VMcE@4uqlu zJSjJR@})HE*rW1&J0Kvm7o3!{j%W~c`Ex&!rM(8Tw+uiEN*K=8|-a2E?j1R$$sCCh5MVjOPHzTpg>=xdvo8$dx7{ z=1@sGa;J{?o1?8R0(aqH-OKh|31l@rc>gdti(2Y?j&FoC=X5hE+vjrxD)#O2)!~fK zEk$@@n$Xd$otfT>?g$iV-EN+Hj{l-55L&3N8S{`pW5wTeF2X;mplOo=Xr&{z$p9q4?=y%DEbRGP73}x`>rr|`R5CCY0!*L)U82R zXyFD&_zDui4;`46nPhFy(T zR?y3B>N)G=k>$}uX(uikU%m3bGtaEUqCL+s2K^~rfAV;2%Xs1EQx0}Iw^0T6v{f-1 zOO689!`%3`OLA9WMatKBzy|^yo)A_NK&C%m5vyu{S<0yrt|y-+;TgDOTZ#Dd>@Y$6 z%&u#0Z{ZX=8cjRX6PEZro`r?G4lqZBhvV+&6^1tGDND9}`yJzoT9O5R)a}!G2#d)dd)^T}{Io 
zY~|sJ@w2X5Sl2{p==#GW<##!?rA5cp(n;W~dGC59tWHF>SBv5{B)QjwvLppmeP>AK zEX@tZiS*Wg3JfRQ`GVJbJl@PF3nI{U){Iul_Lv&p^pRk1KLlaUV|(lYa`n%3&5>v7 zm-gHqW|K3jv(L|0;^Jw3P07#BXNWnphfKB7!n;0{S8;{Yp7t2qrX*Bq#3&_Oc{vgf z>fA48l@r>Yg=@17y0C1>duz3|-_OiUNOGM9#Zkem7C6G=Z~Ls!Zvrt=MWz z8I}FEY${pf>;fWi2ytL<{azo4%s~Op`B^c)OX_{HE|dxY9?}a?6>Gp%>4QAdFJma$ z?SL}N3Lj&&n4PtTqzaY(69|VVvo4r|*1<-6BP1at=9Txd7EhQs)5nH!v!#KgeE#ynI<>WThjL+nVB#LIxQ)5I7>9-R6dPh?MbuN;dfv{Ge zPeTDXc1q`}8rN1Veuv6) zsO{NZ7&}&oKaf2V4eQpA9VxLtRt~ztP!F%V(-2e!9E|T%-s5_Ejfqhx{;?+yi#Max zrr4EsZo{MQ0o3+5kPLCnLR3@W8&27m6nD!iFm=l^mbjt_oRtvCGmbhxn>xUo5gR^~ zO~As)Lma3OqaCCa-xEL|Uo=GVM3YVt<{|kUz@KT%%1)L*5kW8(438axp|lt{yb3t# zO#mUDN#j-i(&1Rtot7RZf%1hcLTuk77jL?a17xnSj^M}?8T(zdA13|1YCX6QLK2;~ zNi{#DCsP`k+hm_aeq2b9ShbfzdV~K1F_@Ls{RtPoPhK*Ow*S+SehEX!YYJ^(DrL~3 zh7D%KbJ?JA=?@>XM?|QqE03c0i;i6{5L~`Abl~-dRrn#l$*~#&Uah3Lpu+g+iSTPnLzkE-sm_)kOf9jG)H2XCqT#l3I>@6rVuk z8du{j`24`$xuUjg?6#vBTQWuw0(%r4lbfmow{Y4h+^VB)$bCjKi%zkDvO-H82qBTT zN#ThPnF4qL;S9luteO@8=7RL(zmt19wBj9(NUiY?FBKJ;6vX7k&IyIs6RYshSYoHI|@K{0;-^^{9U`dio~{q zl`QSm4v8P{W+5Nnm2t)3ORzzPmT4q}(uw^Ea?Pv#YAvr{Q{-3P)4gSvWLAjdq zb#Cc01Vk15TxA~g@BUCWiVQ?6))z{zgAl5oR5IAkMcX{7PkvG8>3;w4*#Gekawhz$ z_>(l$_go~N3}0)m6Q&9?@}4}isr^J|WF-!(>(Jjq z4N;=X`p%FWc}vx~16S+wm6mgd`v{7)Jo4RkDGEt)DX4K+cu$!bTXZq7XBBWb;_+o6 zQgrF0KkBpNK_2`-uDguqo-)AHnHHBdMCmN-p!q-AUxxrcpo2QxeB<*OnMGRpv}2YVZOH z(pl>3@QiqZjhxNuBH+@$v|+jIHUIjt`jre>>(rk%K=M}hiE^waJ07J-Ac$SeCQwJd zqgTWb)(enA0Ijnam76)9C;8ze56A`Ggvf*s(wQ-lj>pSKNM)(6@?|Mf>%v`A>w+b4 zWz&*rA_7-SQ45?A;@#9$B6H}aWp}5)MOj@wOsk|pgxHgx!Gb6V{5xiF$r|tA$v$)9 z9gH{2oZP-_-`)<7LMb6uO=k!=JyZ&f!@hUg$5-{Ubd{`TmnB5i?%~*8tJ+W-NymfY zn=FUJYkWQq2wo4J;waxzCGoB~+C47FkOdbhYX`AqOvGLX*H7RJ#PErE=p+H9t;0BP z%B7e_i-A+Cfa4K4T{XI=nyv5I+T54%^by$^Ov*slP3k5rI=sbr#sTNr{=+P5G!BNN zMiCQ!$lsgJx#%lkFivIiw2Fa!BB1x~hD;{qh+YzPu{u;0*#+8uc@4y;pzPO@iY1gr z7eP(hZ2EbW>x`~X(PbCv>f8||iGp8>E%l=ax#)Pt6{f7Bx08RvjDC@dsqE5D#Jz>gi^f z!MxW8a!R)XG41YG@gg?TYk-)fo&rOM9K^c|Rx}Z0(l|Z1I%KA%yY57H^wJFzdU;7nc++O;S 
zcXI1*S>$|XqO;z8kVng+CqS{=)fFd?AFW|H;qe{wToEv`ToDL#p5j3m^V|?Hff4MJ&KwW#PcFxBl@UB~XUDNPQyJi93#zU&)Z< zLMgc45jPR`yRLS*iMVdPX=2g;*R|@fna~ehgHR9sMo*%Yv-(}tVNg}*Bwj@pj0o?c zepwu|Vt!v1-BTVMB3OqVF!J;- zuF3Ji*@i)BhZ@@(AXg5|Z#3)7R(%oNt#K|L;S=SJDg1V^Ybvd_kGJN*pi>5%h?VNc zT~%TkxL1y1kui!o2eGNLv$e2q;C%MNnAP z$5O7Yj!EeylHL!I#KAT)pXi^)Y9x$^g0!2FGK$h%K(C_p`6-d!kY2pZmyhtBrFsU} zC~W|D&4NM4SJSb4d_nXO(UX<4F%Y@P@`j9^=d_fA`D2`LLGXR*Xmf_jPz_%d{>}o# zH|oIqFGO08aNNeA&mJJ*g z=pBl)@j3k$CuGm5R~Yxk)D06uyJ!-;N)*m>cgbn>tM>hpt##xKK)RerYo0r z1WN<^_nyp8cq?$RHDeb`TClNG{8$w!0DX>y5kE)m0J(E=g9yfZbL<|9-9iwA2=e00 zFj*ctDS^V;CWUg1eKKwzQPh5j0uHjV`9b&C(@w8{6b-VmefpHCl)*h7qmifh=wTc@ zu(~)P$^zNg`9P>QgtDsIQJ+8PH!3EK;m4C~AP4ou(s|K7Wh#OS0GXFI6=2FzmbWd$ zqKqx-JLdmdG{Fkvitm`PxDVQu5dMmNY_TAb<9=gpR)l-}g7H&3%qzW$|pZKu`nW0xIo*j{E*R4(sg*r3DF6VdMJKK-fgP%h|&+Q<=Lxx1O1b58!Xx(pQ3ol+SLY^^%j z-Be~wU{OIZv0p*$o79Cjk+!=qQbzh5)zgjk%3(jY)2)6Z&}}ohozqQ=d$}7+42$(l zJI0Fz4#|(j>G2s8(OXc)0ENn_ui&IvI2NC?w;_fg=}E7mhi7C*Z`n*EVKgmR>U z%h3;`w2$dDJL>b+)HifqK_|;JnWCf39$}OgFb(jaBF|jO^!{X$kBqf={E-G3yF;P+tYn^ z)YeBkZ|E;fHl7lzA-d387tC3^#9V($0}ALc5X*jL01{I$TqVZf*61*>z&&Lg@)tZl zZ+osn!+u&O;A80r2c~XAoCygAXNL&*^%pHut@wNTV-=I0_UPNVh!vJT13bvAf!GbbX+x*aesfbi~>ouh{&&C#xfdW9JT3=q;0lotUM*;X(?*1>Yufz%jrk2ZPFpjR z(=BotdT!GiN-k|5fUSjUcKHK{@T0{m-paf%7*SVEQ-{^c$kmk~L>%2sT(pE2*+)K5Inf5<(J_`HY; ztK$G0ElaN>c0n}KO>?-nPN^&2;s#ftd%gx<4Z@?3WO+hp6YxgjXXzVH`nE2_N7bVD zC(WH#4}-ZW)8%`oEysp+f*xfdv#(6Mk?0(AIV#JgzwpKe9nY^4yHCDUR0TQ24iB}E zT;~rxkJlwa0e0JsM#Dcq@6Fg>n(vLtN*wv5xd)nh{y6cyHVaK>^tN8GtP9{16o)fv zzk?tSHGhKfop+sG&<_-92&_|)t~j2?yJ1F`Y7RY^hnaMKGZU18H1=a31AE;w+rnN> zz83(*nB9yq3r?Dh*gYip{CF|IL#>P3Nsr^@;K1tLe%4m~{bKx6Oa;-%Ji7vG-LZu+ zA5cV$Y~-vbPCHd7YQ-Kn1Zo-SXa8g=GP8<0uVa6E?yw!Ip6fj(y$sH=GH4)FLBI(Ag%DU73^I7{ zuK6g#djZN!9bsh95-_4BEW3m84ZtpDW8cxieuJC3 z-A2~Tn=G!l7><)hBD!?$ly+Er+{o5!7ZB}GjL4p&twGd;pBl$P(X&b*7v0Ki$7o2wIai7EL=)8zU0K78ORTn1*z3CZLt)6bB|(bi^P==1UK*m`3Ft;_y<*6 z4F3#LL&;^u<);z)yA%qd{<{>Ca{s#&(&>d5H&oW(r!g+sL=qLi!`xrM;a@X)8mVKf z?wTg<6fyL57B;FWVp3EZNyZBP6Fbj61LRw+S 
zZ;caNBBI{k_;Gl)wl3yfXlq;V7jY+xsPhJ#1DM1If0#~!`jtr$A-@(UGUd6Ii{Kt2 z?tH0_{J~xki#$JKIG#*ra1M;&5b{+fNMk3JDBN#Ett*r)Ei`8BSZ)kYC+;%)eY_ZU z$E%fVrFOoto!;f{F+Y%1y?v(Ku-_(0Je2EQVVW_Hw}4ap^i6%^CAk&a*Z+KG{V?+) zdY_DosviNKNa4{W_Z zJHD1(l!k?a{XYOGC)d9j)g(YxmVX1FoZQ_11!#WIx6$H5*csykI7Enn+<*`6G$+Tu zNY-2*bY$+o*IfVNSpS>vy#av|ugbv?FUu+V8Nl{m+N>-eMDG8$HhMfKCw4p&7h-a` zB@8DCEAaouVP*e|&i?;Q{{^+)b8;tp1i+vr+e^a$i2)?6A8_n{DAfPqV6%R3!T*Oh z{ugeAPmZkwqfB<_hoMd$w1+_j?P+Pme58T&_FY%0QZZ4xN^WSOwEdji(5d?)Togyfmo4OJovd@bb3P_fA~k z+!hGZwV7Vg=@x9DHR&%(tZ!3tec2lf1-;q4FneoUpo?D;G+V#?!hWIy;WIyM5;8G! zzFrV-*gkC~XA=u}mp5gDe7cWx!^b6y?f+z>f7w*Kf$*LSl8HQYYxD62_{v?kNyBR% zBUvnKq<3PwS_F$}qE3BDv>4!N^NFd`kr#fFzLWj(T7)GPay#CP@Dpn~;f83R0-rCG zk3hU(SS+O;FL@qz&#Sr-B#Li;BVvXxoMxyvHLTK#1TU#rF@=iETmD&>#2E6c*m%g)yv?Ok-pr}W z!n+xy5}tyiTH4aq_{U+eGHnw~9&11}m~GUk48NNgmyS*JjUeyg=xnR6e63(<-8Y~_ zE{B|xdb0TL{{CtUWJT(X+RHz;-h-K*lH7_YN)i?&I|` z(Ko8qix{hR5<&0;p+8u|my@tYmd8>$Yov=;s2~?y$EdB71Z#n9P9-_f@(|`Srs4tS z_!MoWsk5hYwWKU70qWEdw15Fl^jw71A}0$>S!Ws1gBDytdV4({it{>og@sY%@Z=U^ z2Bp7(dL_~oa7#D0vhu5y(fKpH*yA>rTu7qC^tZX;$&uzc__AVES!%uzDGKW%_lExx zQZFS6T5(4JX%=lk9;j^=gwFwr!#5_wFXHv1Zl}5{OMe=YsoC}YHidQ32k0Oz8vx?O z5tD$3xKWrOE1>}7pdUPb)d{}f1_k3JQOYU1ut7fn0f1@auo@VHf`E#Mz-qBMQ&Fjn z!0Its(MqAZ)ER)lScgR3elP{QlUk$T{z3uV{(AucoA&=J>?^>c+M-730i>lvQji`d zVCYgnq>&Km?rxN!Lqd=kqy&)`L{hp#O1cCI0ciz9K%L|9fw~Z@zQRK5MVo zYwbOI&)REkr7E7h9<1}0``OR;@bNL%C>ppGq$A8|Xs4pf@O*Zp)}P35e{ZcC6&r3! zJFg3pN=G6y_~(OC`=bQa<@n=oi4h>!6L9yejMCB6ypjC&IxvckC)aI_Xn7^H*H^2 zx1s;h(XL5z(DV*w3fl|j*3|%1Kne8i(raXz^Ta}A2iq-h+3u1iGGK2hX}vuF(fbCX5t~QR(BiEh=$+u6^|yCt#}aL+(gQkyBM^ z6IC*WQlHu};bytL4Ll;cd?x;cf{-0WET5kv!LK)bFMd_LqH5!Wany38T-5c>5gi@! 
zqLOmZ$6UnEJlk3Q`q@u%$kSst!YY_5Phk}pAd#Sp`Jq-H@A-xmK|tY_e@ z=e$%suG51iUc(PCtvRY|7^~l?cfiolHeYE4bizn_2}s&%No-my(aXSAA=gR=z!o@r z2Wb7U_B`}!{kd2=PS8C8stVNGh%OjXmg0t>A|gz175h=YV^F+`po@hC(K|D+$8d{K zD9B!P=006hd15bDyz}6gww<6wV|-HigvhQ1r(FX?!@$Uv(<#!VM*f?S*%ICXpYo9| zPI~MoJ@)ZU)56?$8svqqUB2NvchMy)>MMFwT<`#Ud2uu?TOLY>P!ZD(J>arIE*ePR zM$eXG6`Lwkdz|t9o&_1R8UA!~uU;a~M3B<0&!Q-niF_B?}Wx*^vKPhv4UBcTO5Pt*L5l%v7tA5Aqg zd$l*Z8Lv6br_B~Hc<-5iP%15M>0yH$kW0@@pNVcckf>}^7FRxC__UggUE_oB!|3-J z(jkeA*v8KlUTkkp{MdACq_>2ehz&2tN)}mA6VzsohiNl2Bs(ibH&h2z*5XIre>#bJ zt%vzd;_{Uib36jL3Vupuc4&gjZm5MSz0wYKm;0gBBlu~&N;O3;E*J- zMR$fMC_vCKgvp@^S9$|iTE&AT5i?a79s~XIrmyUl$*CoaWb$yrDFc zu@=c%t~S2$_W9WS;KPlq0z=gd_m>3Mtm_V3CCaP(C2`x6OVHZ_VA8rnqgs3;L`3R9 z%9J;*t(f_;1ig*RB`jO8 z6m__z25&11BA1VABk#`&SIQ<*$}7I>hl@FaWg<;9Ag}P8nIM8S1Y6+6%K%R_6RB-x z0^I8%=-X&*0V2}6B<2bNQq)8)Mo1E92=fb?w({EyA@O6gMxCS~@$BAcJv42pmOe`F zk4f%?;Sa>=Fh!Rts7OZfo z^(vno@xDG5pXTo)L`|67uMDkVScwwT{wTk z@!d3ag*lhwyX~b|sNp{3J!zf&+@NcIZo}0lN!-}HuvlDgpGS7mn`GvXcbyUN?RhOi znD%GYxTWphG^gD!Z3RLH?j;V&%IjQO9)<63pKBnU9_CgpbWDlQyvw^&oPC?`R697& zHm_Gv*=%LMsx;hH8QJ&sI#z=SO@tNSjI|vZJds7g;Wo`jvVqe4Z5+Z%9PAJ)^RIHsD6{8wubPYKLUCpH{%-t|@nw$|| zU1_%X3bW$Vva;G9`bwzX4Ap(#GLdM(`&d2_^Nn6eZO-C)(Q`YiWHUKqj0}hu?qt7s zL3L`4or`gN`fSkItZ5O~+syJDgCr`V&``Z#kD;80A$CnJC9tF-zHyElenvDov4`o8 z55Li&=*+l*r7NlV?`&1S*RD|5)!H>2Si1sWj2f#N%$*{XXE2B~Ji`tP_+r;&*x|G; zpag5s$^K{M2P{kfv+@I$rvF{}QIJCTIVFJ4<*NB|tqc|VwVxIOh5jo#cwFyc@vI<; z|Gd%S7a4}TIm6hB%wN8P)V-l>`cSz(A8Z;{I84>^uD~`_5r0&A#Hb#lv&Yo)yqhyKsNS>n zr^)P2tK4_Jh_|A8V6E`F%-rQY4c;kW7nEp45pg}pOzNp;n_~{Ko(PubkfBxh{cfZ> zmRWVVD7EKGi)A33e3i{yO;*vZ%LO9LIkAEee9(75|1cf3X)6qwYGtpIhddvZNsV-W zZI(I95G2NVT<%SHw>&Dxjq?U`*VgO}Y;!HmW#39YCQ>&hzbws>@AnHTEJnV2nEPtQ z+@{nnv8eMrF*nsw?ZGG@O2{1%H%%W+_Q!NmX|=Y`+YFKC={;6Di5md*ksR%rfofmyOy&wqTP7 zn-3)VO1tkG-rCRXJ$UMVuC^-X`TQ=bh%wnN`}LXbM8%}}<9hK6e;?mL`_<2Z$N^lD zvIlDQ)dED!EYXh&IRse~A)N&FlrW1YG}F;wkqOo`(w=DUiWnv;gvlL4GEW)HkU{gV zI3}ouC0m6cUvI$^(gXI1VvFf9vZ{wwRCoAZZ`lvcGArcNmbgSYzgftl#C0PB7oaoL 
zMl+RrXF(V(xmcGKEU+{zaPC@s0y0;Db?;8$C6Ov7xaUJKA`n{(dTlBN(LMa+QshWH2hxDAUg4H?ZDqd#kp`8k-WQXtKB*c@3 zzR%Rq`hrbB^RoKOiyEif$FkX?c{h>@g9=}b;Et-lj4R7}mr%Qo)LA3wJ3uxqsQ3J2 zDH!4u*JPGWG}qI})?Aeejb;$?j2^tdM((`r_uMd=LC}+6kWRE~HHN`Vp3mHUsSV46 z&%Kh7_FdW2LlJvZ-`3s(MFX!Y-(9Z*QDp^Dx)<)@?lbGL#anC)vkzW}x21;=*eZY^ z=GLF4)VY-GdvNuFSs5TAU$>B^Vk68Z9PSEh?cT$g99> zcr4THO>u9p^RXo!F!T()>kaNw7PFp}3UsJmkb0}K(vlau&{9;DC1qle-?EA$4IeOw zc^2{z+oK9CB|%D>a9JS`OZh}vFOr8yh0kh`I<uJ!3fB>S0$bLC;!C06{-N&s01* zO$N=-E<=8Y+EaqHJ#l2YRe%IIOJCkHDU+tmjyK`{3$XEFh?1Y1xzwWG14TI2Id$O> zrcW@MG7lE6#5lCvfse%4bcPxv&IYY zoQeF$r&I*^ZB(Aw_08+vm9{$WbQ!0H4~`Z4)hAQtBL>UXU%-*K7sY$JCo-JYHmlx0 z>s}ImR(#;$Kxjv|!Ao2A=_Lc!PHpeQ%9uHFY%QL?>?i08u`ZIwNB(b_Al!b5#q8Pe zkBJe^Zw=Du=V01{>XsLZRK`)~$KciUY@M+YnjNp3{Vwr;nX z)-^khUOikx^7qJR!P=O1nC)$`xq*G&4YRRT*B{e3Cp!Po6g#k#PU#Co<+te-Tfnpn z%M2fBrS_qh^rFpFP9qK}eu|Erb-ZSY6@QArI%|840c0L}l*+J~`uOcf)P^Zf6o=TX ziz+|Pry7^HZyOg+UJKP6NUU{=aflmRQ~8C1B#c^ia$-%8?JiWp%%7wKE;@PbZMvyE zE2IiO!58Kj(rZ6m=f}K7sM9*jtjM*(n(p_QDSPE?rEA}zX!Sg~FVgD6&+Q#Yfx)&J$w!OxYs}2NAaS{?Ra+HFvh^ID6_I$rwK8n*O13;L^j4x^6d4` zWdoz;T37uQWK-=N4WIUC@Ozb)yR&O{4k7i?d|xr`+VjE+)jG$G!zWssSBs|mvj;Rk z-i{K~AZ*a8&*uUbQQz>o{V)vA;w2o~aqGK(*gQmY+8%n z=%dN7)cSGRZb|9UP1Uy9*$hcIh#h+_gUY z!u%W`Tyq`{{7SZt{iM?Cvkx`fH1d{NZO(Xj5o~9nJY9RhFGJyb>&=hz_#fy-vtAAv zX!8c==-w?yPJcTgP_`i;+P@}dfxru{wMsn3J8I^tqhW(1uDP*hX#QER|TLt>=L_>(BGk4sA^RZ z6vdNG&Imkk9K7Wj(>6aWVz+5T)Oel38d z0!@%C!zH-TRn*(xihv@nBHsSRPpu`;R$=#l2>}IS>wXI%1pjR$P#}5lzsXRb60AUX zF4cX-6inc^3=p^=6BPc-%>HgC3Y5JKhzZ4Q4Ow~el=dJ&)O%}?EW04& zDm^gZUlaJPNT@Ji^q1-f`pPe5LWM8wI1bfr1CqS~1q%SyekCygc`58=-eBkzPrm?l zP*Khxa&$OKzzmB6DF_jQ{4=z0#bCOWO~@5UlvH4ashKc)w*@?8Tl{4@3=P>bl@o|g zQ+9e0zzRtq4JX~Ix1r%D!x|UwS9dHTIuGPnEb#X;l;r(N$cHCC^0sO!Q9`OkDgS&c;9Fz-)|^p9e*I1G!pZ_f)+4ngd);qMTmf`+m<4 zF(g?P8Ks?Fl|J?3(#dIgMNT7QVHuz0eU_Yg&`2ky*_eUoNa!$lu++wQr6=3q7U5C+ zhh3DKlXZ04luyZEexg-@culUjq~DEP>~~83$>~e7!S^GkevvMzyQs?_fbH*F|EA4H4bGzABAL 
z9r5d~uS7(|lhsnJ%!aHbsSVw3lZ3jBQJ0EH5^UMvDFxVol_=o6?Bnjz`-g&q~+BEPQQ)jH*;hjoipB$JUz)T4px8)19zLjw62n| zd!Z?8!_v>s9lr~mJ;&o-Y`cbjlkCTVNaowzjKTNwHgt>+C5*Pe9P~XVGHN!w$mssQ zNiA_*PE< zit?dbrGlEOyn*#wkHOA{qtr5eMR=uxb#XRtSmQ_$R%#9^23`i%Bdc-p3)9 zY}TamZ!BglQD@+WTR_enSB4&gHJ7}11O(nv>}b*GP%T^11T@UZ^^n4rjuxc#QuI3) zy;K#0$atnyw+AV2wKCmW&NpId@T&S1xEsvm+9HI*Oyp$NUuE?x1YAD8ePSZV$7&0# zcOy9-3Uo~M%0%y*N7HU&e=bHCCJLA}Y;1wcqrTh`pjuU&+kJ`1a-bg{kAFjAruvn+ z%l&%KU9J~_Ydiw@CZ|Mfcu4avrDrj_=V7l9VXSw8>`N3Ty{cHunzYTwCZ6o#mTH^# z$Fl?{lhahZ>d}?-HMkqEuF0Jl=W6<@&TsLy!=!# z(0EGgs6kGvTd4Hgvbb-OE#Go+zZV%Y6ivuVW=-P)`w$W0K#hzaN+QK`j#iioBgLzV zM$DMs{#glO5khAjOb8^+rZT=w^Az$jnueOx5)^&Q6HSiX4V|^fAdsZ<)ZuepspF&P zB%jqCWt6u2H{0BbgB7iqJ09ui3uPS=a$kYJ-oNbJsqW) zqerSzutU{qveY)}u|vTe65usT^0wKaHhr0P@HPBwPiYfe%0&HvAeQa2tp2{1AdIsC z>^ouD*PakCQj(|S^W8Ef(N*hkF3$=GG?6CN>4@nYabGV-W`WH+Ku_+lN`RN{*~<+C zkv%YkUc)!@mo`aM(bx?{XZiM)R>-~sBv*1Im4bl0=I)&i$tFoZ3OF^EM` z3kOa0!5ee@-j9#4-#i@%nrwXCk@E1{PZe#`F+T6d>PbuBqG#2ZtzA+ z^;AjDnRVt7(#95~?eFoiaKe%l^?wa$n?U^n@_LFS>gm_sbCHVX*PE9PG737@>Xr_c zbQ%mjkwC6F|IW>&_m1~-EAY&+k0^+LwjOagb|$EsHSCz*tirMkKqU=Trf3;zYv_1* ztZ?7^bo8-Lu{j{_Tz>Y{ekIo(;SYzc9s>7+w zKq^FZZ#4TF9AdtMJu*Ddh{l>pLj&(mA>!u~SY^BosS}GZZ+UVr+Q-s-48m$M`ZQb} zHOL-;B}`|E^D}TwB)#EPPMC4%v9vCup`k{w^veJn=G+eK0l%VRRwH&fNXvz|&pJ{R zIeH!j(Nt`H(f{2?At1a6BTESMruv;B;$O81JCP^ z-yRqI@HKP~d+#!z@kk35?p^!czW#!bni75Xa3vM#eR#&R!VoXKxd4XI*+9np)9TVb zHm+CmlN7!ogi}+g$2%D$M(R3I4H$meMjA9=wqteNYt`P^l#ahg&Uez49?+!XNptw+ z^Lf1i>m8jzw`MqIElo*H%+I$?CnTi=bD!qF>?5B!?w%Yt_2Ii>(hqn@&Oe@;oQEi) z%cZVs6VR#FKhoMXn^zf4>E5nPAc(fLh;ZX^`exmy$(Qmd3QNP-Gg%eXZ?0#rhlk|x zsxUV8sfuxKc!BfbyCD{45sSTYe_TmqpSr$se~L~IO|F)Y4{x)QAIa#EqaG*?h}`>Fbt9qAdNJ&5?jVEcUX&C=Q*snSwUB$9NzcD%(en8d zoC#O$--F>jt^T;eCw=kJhAqelzop(R&L{7SOK(~B_hCo#xuRog^BMP3bw4tfq(b(kWkX zF@Tq=h#)XO7sOULh#4a2Z~00{_!d~AyV30MIM-WeMs6`cPPK}PD^f3dGG9aqA+0k#!mCI1k{i5p$W1HZGa@9;)RI)&;pje#9LhQ2aD^HP9T z=(|(hdJ}xdAO&Px1+!%qV+0>fJWh5r?MsSPkPB~ez!6ojbY6i4Fk+w&oD>$*N%mha zXLj9&H$0$=pUs&`*!^~+@H-^U7!<-m0llTJZecNeVSg#~cP 
z35YRolf2xAkn|1B6Zp_jE{75@LU30L3)yi3qsiOvE+K;gnOi$4Tt1h>4C?l}~O79Fzr!-l&mO7johnJP$(aCJ%8)2~z7O|4gEKBaHJMp4s9zCG<1nM+~u? z=3~@vx=Zs&?iu4?8EFRC2owjs;q1^dFgP|Tr9R_@->I+ER6lgWPT$ovTzyKL-t<0h z zg2j+*8AW8YkN<@euK;IQOsjq1ksPMor(*7zWKBf$mS^eq?Tl`hF5wP{&ibd9gGw*~>GeBHoXnRtjF9wG;teFCeE6di#7| znzgP{;qnH-uBMKVf1;?Z*r$DWgum7vf^j{aIM;~z>2io_7`@M{)%UDb3|AMQ#RLJJ zN8q&{*0*ic$wFb&`$C-2GyLnB)MfIJ-u!CW*^&aqdosi1C(L(OWuQqy#_0p7&TO&p#XkarO1}&Vl(GF{@G}{U2@{Bh5k0G|j z#BCi3awh=))D1r(&x`|vw>9Ns(CbGf#>rAJ3{SB7OtpQsH5q_OCnI~@Df@0ko9y&S zpySU+;t}FKU*OSb{FZ~^>spMC-6vbf{m>H~N3RG6hR@{u*%J`4&xvn+#@Y(Z(tW+V z3cJHxico4aZYzr7o-2wTWE*(si}zWxZAEYUdXRDb5Q66W;%S8wN8;{}MNv@%9G=^A?Idv|z^C7KVP3sYMfX<^?k z)X7~CqAX9Dla;AVf)6}Q5r^ow;1|WxwgKHCkQbO*S!X(pm8WPLN@>Y^cr1q>=QZ7t zTJgOZIvE;2lM&DxN19+M<1^RNqG$-|D zhT*x9+3l0$Z9a;nh0?H_n9 zbC0t%fcGZ#KJtERK`#EKK_SG`z?2QnPcD0Ob>h(F^eaU3a{5K3GJHAxLTFu1zvOFQ zGMpJK$p`98HNW@@YL;Od=FBG$#)vc&w&;&yjGlQIPub|&o5BsIcE=(E?xw<|Og)ym zBhiCzvu4?QZA)lmq$&Rzd6%E_wTbnAJtyO7yT&~7A*+jN0 z?-XZ1%1z?dDn}_BJ$qA-3VmyPF`PK|Z(FCrq+cS1D?4vx!j{&jLs}P%h&uhjE$O~R zIb8uUY2lT&cuMGRGGE#Vlr;EqT`qKquPgYXd_|17y7`F~sPIQ#YwyUz_Tb1DIyXL4 zZjoz;Z3#y33K``tR~Kuz?rSOTG%3D+teI>6rVO&G5M~tb>I=$=HQ#$#R&7tN?GU~; zXlT-T!>Z2w!nIHZt(@4h$cBqO(4KPi?nH28AVUX@%jZg1M%^=|ANY2C+9np}?T}hT z^84uurB8QXNAuOd2!JP_{SaiB`hG|l)9x#E-4E;pVfHVEjQOdJRE)=gb>t3~b`_?j z)Gj?{SSN5~L$L@jb(BjLQu}vTsAUYR`F| zBE#$9Hw&on39Ux1he%D%dPJ)KTg7Jj?}V|%Dx(%X6dL1pb#S-QzinzS>oRb+jsuHeGWu2VcH9HtK?i9^akD+hJu@e~!6^-8I!@ohI?h#R zZMcxTL1Eybn@VJGT;hADMyq%YvP5ox!`nE%v0k$CDbm6{w?_YOkUis+DQV2kB0G>k^X?sB~6;CG#*08$6N!aHaAO~ZVmVf-d3LH z91vk4YzF|-8E<xg(QLv`(a{$0u`pgv&%*dr!X224Byl zDPK_`K94a#c0H?A9>iZ=m5#bANtEjf?>9v4W ze?2ezG;Cs%x%Lg7 zOKXeHPs?cbfvKFln}r`;a#f zkA&VuKe@`weIu}X_r8v*f1-%5_lup=V}GB#X8*LYgwZsbate7>Lnll7cDnbQ1L8i7 z&jmivow^SHluBbhkxCOVat7NnS|7r^+?Q0jEu61+6s8lBK0XMx2qOZOo5j+O+;V_f z!ZBYVEy`)3sTAd6J~0m%E(hFd1r@WM_qP4f-Us38Zhm74lPNU&7C1Tgo&y6Gl=@@Y zojqDNRrN>Ku+<7Y))u?|DPp;#(G-s{>R0tb?&D%@ko%ip zYqiA!;bOJ+Hw(F+#|gs)Pky?eg~qxddmLrT)B0zpEqCa@Gt6>pHBzOCUNZ<1+R20j 
zeKbmEez+OEa7bm~u9K=5GD^mk#3FB(!0v1vbIKU@KSv*RCE z;f_enf!Hcrre~Nprb@qG6r`G^nX`mb#ESg-S)m#2gjV{ zI@(O&b1uoqy8&Gt?lNA+rdfAfRsZZ*W^qgrYNO`&0GuGhM^LSfQ4l#jh zlgUJadiIOp_-LQjbamF0>uj;GW-1>+6CSn`F%rMlZ?2M5g=SsO%A$@GqQ)5JUWd4z zo$0+htLk%O<1ufX?TDHK9wJpK)8<(XY+LJbSE%0MIPLEB)lAWKZomH!ms7cPxNK!F zYt#Alz2uYm1mp_=BevwlCml;Q%U1o87iME?CLCBH+5^d_Gepnt&nBPhAh}-{wChE6 z3j6l#mrutV4WKuuZ^fQk8)juMc`fUN=dKSW4Jx{Inif{;@{BvVw`NVR1uYFuKFPKJ zlx^zn6aECq&V3r zS^62eJ3o6vviaojX$tYN2Lm;ZV={N_EYH&36n<<{w?4b_{L*XZ9=YYUz2{04o!d^L zT+68HN6E%q;Y~?cX*f<#J#qpPpW9e`vMz7!ud&QW%}6GpF}EJBG!J(x?ZOwfsw8Ox zB2NjsmIBjFwD@y(e!9{l{hbsnwBua28Tcj5HqtjIg`0stPF^A}=$zmAE~A9~K~>k` z!hq`xE-Wm_gaBMczczv$_=8+A;KC>yB&hs<1z-sP@mvC^1^izC@B%@M6hOcf6PQWE z0H0sh$kkgE$yFAT&&_)m%9DEL!MAo|NT$3k6%f$-1;QF!4X1}69w7QlIV*{0B|HZ}Nr2cRGrbw3=$ zBn1PU$nak$b^;&(H8&4uXD3&83v(kk3s+AYGYdd5ziKn_>psu}9IZ@(0>9jlK+77S z7##rOAHzY!?253|8N;K4k1BkMQJOU&yj3Ed`8MK0?Nw38F2PZJpd>4ok zWzYs924HF&+dvqYs29$lTQw=2pnP-+!7B{{tlf9ga(+|HHQOieeD9_{KhMU!n*)fpl~BVK**glh@ocX0(6efBlxRb z{)PLuA^)XXZ&wRTd@ykED~cEcmk%3(fC~$tWH4|M)Ph2nR(bhha%954yuu*@LNEyG z83ryp5(Y4G`T6S|a4QG_8s(2N1d#vqk1_!O@IPfhDB^$0;9!9Lf8!Gnf&&@{KFEI% z7C;~Xq5cgB0So-WAPj&4|Em0tx^Uq?iNFxT0{;vg`ki5DW$g!!E~&f0ls-5CEBfmjNDPClKfsFs{69nxfV=+RbpZy2{$d*Wm)->chxng>5QHF*8269L0Dr*#fqyXr z69PKtA4~&VIKbflz#%Sk=KixT5)1?4R4>QU%g68H}|1aS27A2tIR3=E1w$HBdh6#A1-1o(fk zPXU2HI~5Ee@V{tF01g~#{BIc%0z$yK#DA1Q0Qy&De|IVv(6;|+NTB;5{;*>}TQFdY z!@m&f!_fXKQ1mKK49N){F^uLsLK5x DE@J;& diff --git a/README.md b/README.md index ff95a25..bfb9b5c 100644 --- a/README.md +++ b/README.md 
@@ -178,6 +178,9 @@ This set of modules supports creating the AMS KMS key along with key resource po - [Amazon Kinesis](https://docs.aws.amazon.com/streams/latest/dev/server-side-encryption.html) - [AWS Glue](https://docs.aws.amazon.com/glue/latest/dg/encryption-at-rest.html) - [AWS ACM](https://docs.aws.amazon.com/acm/latest/userguide/data-protection.html) +- [Amazon MWAA](https://docs.aws.amazon.com/mwaa/latest/userguide/encryption-at-rest.html) +- [Amazon ECR](https://docs.aws.amazon.com/AmazonECR/latest/userguide/encryption-at-rest.html) +- [Amazon EKS](https://docs.aws.amazon.com/eks/latest/userguide/enable-kms.html) ## Future Enhancements diff --git a/examples/kms/scenario1/main.tf b/examples/kms/scenario1/main.tf index e35b498..b4eff31 100644 --- a/examples/kms/scenario1/main.tf +++ b/examples/kms/scenario1/main.tf @@ -25,4 +25,7 @@ module "kms_keys" { enable_kms_kinesis = true enable_kms_glue = true enable_kms_acm = true + enable_kms_mwaa = true + enable_kms_ecr = true + enable_kms_eks = true } diff --git a/examples/kms/scenario3/main.tf b/examples/kms/scenario3/main.tf index 16d0b33..6e451af 100644 --- a/examples/kms/scenario3/main.tf +++ b/examples/kms/scenario3/main.tf @@ -26,8 +26,10 @@ module "kms_keys" { # enable_kms_ssm = true enable_kms_secretsmanager = true enable_kms_session = true - # enable_kms_kinesis = true - # enable_kms_glue = true - # enable_kms_acm = true - + # enable_kms_kinesis = true + # enable_kms_glue = true + # enable_kms_acm = true + # enable_kms_mwaa = true + # enable_kms_ecr = true + # enable_kms_eks = true } diff --git a/modules/aws/kms/README.md b/modules/aws/kms/README.md index 8087e45..e2ff9a6 100644 --- a/modules/aws/kms/README.md +++ b/modules/aws/kms/README.md 
@@ -36,11 +36,14 @@ No modules. | [enable\_key\_rotation\_backup](#input\_enable\_key\_rotation\_backup) | Enable key rotation for AWS Backup CMK | `bool` | `true` | no | | [enable\_key\_rotation\_dynamodb](#input\_enable\_key\_rotation\_dynamodb) | Enable key rotation for Amazon DynamoDB CMK | `bool` | `true` | no | | [enable\_key\_rotation\_ebs](#input\_enable\_key\_rotation\_ebs) | Enable key rotation for Amazon EBS CMK | `bool` | `true` | no | +| [enable\_key\_rotation\_ecr](#input\_enable\_key\_rotation\_ecr) | Enable key rotation for Amazon ECR CMK | `bool` | `true` | no | | [enable\_key\_rotation\_efs](#input\_enable\_key\_rotation\_efs) | Enable key rotation for Amazon EFS CMK | `bool` | `true` | no | +| [enable\_key\_rotation\_eks](#input\_enable\_key\_rotation\_eks) | Enable key rotation for Amazon EKS CMK | `bool` | `true` | no | | [enable\_key\_rotation\_glue](#input\_enable\_key\_rotation\_glue) | Enable key rotation for AWS Glue CMK | `bool` | `true` | no | | [enable\_key\_rotation\_kinesis](#input\_enable\_key\_rotation\_kinesis) | Enable key rotation for Amazon Kinesis CMK | `bool` | `true` | no | | [enable\_key\_rotation\_lambda](#input\_enable\_key\_rotation\_lambda) | Enable key rotation for AWS Lambda CMK | `bool` | `true` | no | | [enable\_key\_rotation\_logs](#input\_enable\_key\_rotation\_logs) | Enable key rotation for Amazon CloudWatch Log CMK | `bool` | `true` | no | +| [enable\_key\_rotation\_mwaa](#input\_enable\_key\_rotation\_mwaa) | Enable key rotation for Amazon MWAA CMK | `bool` | `true` | no | | [enable\_key\_rotation\_rds](#input\_enable\_key\_rotation\_rds) | Enable key rotation for Amazon RDS CMK | `bool` | `true` | no | | [enable\_key\_rotation\_s3](#input\_enable\_key\_rotation\_s3) | Enable key rotation for Amazon S3 CMK | `bool` | `true` | no | | [enable\_key\_rotation\_secretsmanager](#input\_enable\_key\_rotation\_secretsmanager) | Enable key rotation for AWS Secrets Manager CMK | `bool` | `true` | no | 
@@ -52,11 +55,14 @@ No modules. | [enable\_kms\_backup](#input\_enable\_kms\_backup) | Enable customer managed key that can be used to encrypt/decrypt AWS Backup | `bool` | `false` | no | | [enable\_kms\_dynamodb](#input\_enable\_kms\_dynamodb) | Enable customer managed key that can be used to encrypt/decrypt Amazon DynamoDB | `bool` | `false` | no | | [enable\_kms\_ebs](#input\_enable\_kms\_ebs) | Enable customer managed key that can be used to encrypt/decrypt Amazon EBS | `bool` | `false` | no | +| [enable\_kms\_ecr](#input\_enable\_kms\_ecr) | Enable customer managed key that can be used to encrypt/decrypt Amazon ECR | `bool` | `false` | no | | [enable\_kms\_efs](#input\_enable\_kms\_efs) | Enable customer managed key that can be used to encrypt/decrypt Amazon EFS | `bool` | `false` | no | +| [enable\_kms\_eks](#input\_enable\_kms\_eks) | Enable customer managed key that can be used to encrypt/decrypt Amazon EKS | `bool` | `false` | no | | [enable\_kms\_glue](#input\_enable\_kms\_glue) | Enable customer managed key that can be used to encrypt/decrypt AWS Glue | `bool` | `false` | no | | [enable\_kms\_kinesis](#input\_enable\_kms\_kinesis) | Enable customer managed key that can be used to encrypt/decrypt Amazon Kinesis | `bool` | `false` | no | | [enable\_kms\_lambda](#input\_enable\_kms\_lambda) | Enable customer managed key that can be used to encrypt/decrypt AWS Lambda | `bool` | `false` | no | | [enable\_kms\_logs](#input\_enable\_kms\_logs) | Enable customer managed key that can be used to encrypt/decrypt Amazon CloudWatch Log | `bool` | `false` | no | +| [enable\_kms\_mwaa](#input\_enable\_kms\_mwaa) | Enable customer managed key that can be used to encrypt/decrypt Amazon MWAA | `bool` | `false` | no | | [enable\_kms\_rds](#input\_enable\_kms\_rds) | Enable customer managed key that can be used to encrypt/decrypt Amazon RDS | `bool` | `false` | no | | [enable\_kms\_s3](#input\_enable\_kms\_s3) | Enable customer managed key that can be used to 
encrypt/decrypt Amazon S3 | `bool` | `false` | no | | [enable\_kms\_secretsmanager](#input\_enable\_kms\_secretsmanager) | Enable customer managed key that can be used to encrypt/decrypt AWS Secrets Manager | `bool` | `false` | no | 
@@ -68,11 +74,14 @@ No modules. | [enable\_multi\_region\_backup](#input\_enable\_multi\_region\_backup) | Enable multi-region for AWS Backup CMK | `bool` | `false` | no | | [enable\_multi\_region\_dynamodb](#input\_enable\_multi\_region\_dynamodb) | Enable multi-region for Amazon DynamoDB CMK | `bool` | `false` | no | | [enable\_multi\_region\_ebs](#input\_enable\_multi\_region\_ebs) | Enable multi-region for Amazon EBS CMK | `bool` | `false` | no | +| [enable\_multi\_region\_ecr](#input\_enable\_multi\_region\_ecr) | Enable multi-region for Amazon ECR CMK | `bool` | `false` | no | | [enable\_multi\_region\_efs](#input\_enable\_multi\_region\_efs) | Enable multi-region for Amazon EFS CMK | `bool` | `false` | no | +| [enable\_multi\_region\_eks](#input\_enable\_multi\_region\_eks) | Enable multi-region for Amazon EKS CMK | `bool` | `false` | no | | [enable\_multi\_region\_glue](#input\_enable\_multi\_region\_glue) | Enable multi-region for AWS Glues CMK | `bool` | `false` | no | | [enable\_multi\_region\_kinesis](#input\_enable\_multi\_region\_kinesis) | Enable multi-region for Amazon Kinesis CMK | `bool` | `false` | no | | [enable\_multi\_region\_lambda](#input\_enable\_multi\_region\_lambda) | Enable multi-region for AWS Lambda CMK | `bool` | `false` | no | | [enable\_multi\_region\_logs](#input\_enable\_multi\_region\_logs) | Enable multi-region for Amazon CloudWatch Log CMK | `bool` | `false` | no | +| [enable\_multi\_region\_mwaa](#input\_enable\_multi\_region\_mwaa) | Enable multi-region for Amazon MWAA CMK | `bool` | `false` | no | | [enable\_multi\_region\_rds](#input\_enable\_multi\_region\_rds) | Enable multi-region for Amazon RDS CMK | `bool` | `false` | no | | [enable\_multi\_region\_s3](#input\_enable\_multi\_region\_s3) | Enable multi-region for Amazon S3 CMK | `bool` | `false` | no | | [enable\_multi\_region\_secretsmanager](#input\_enable\_multi\_region\_secretsmanager) | Enable multi-region for AWS Secrets Manager CMK | `bool` | `false` | no | 
@@ -87,11 +96,14 @@ No modules. | [override\_policy\_backup](#input\_override\_policy\_backup) | A valid KMS key policy JSON document. If not specified, a canonical key policy will be used. | `string` | `null` | no | | [override\_policy\_dynamodb](#input\_override\_policy\_dynamodb) | A valid KMS key policy JSON document. If not specified, a canonical key policy will be used. | `string` | `null` | no | | [override\_policy\_ebs](#input\_override\_policy\_ebs) | A valid KMS key policy JSON document. If not specified, a canonical key policy will be used. | `string` | `null` | no | +| [override\_policy\_ecr](#input\_override\_policy\_ecr) | A valid KMS key policy JSON document. If not specified, a canonical key policy will be used. | `string` | `null` | no | | [override\_policy\_efs](#input\_override\_policy\_efs) | A valid KMS key policy JSON document. If not specified, a canonical key policy will be used. | `string` | `null` | no | +| [override\_policy\_eks](#input\_override\_policy\_eks) | A valid KMS key policy JSON document. If not specified, a canonical key policy will be used. | `string` | `null` | no | | [override\_policy\_glue](#input\_override\_policy\_glue) | A valid KMS key policy JSON document. If not specified, a canonical key policy will be used. | `string` | `null` | no | | [override\_policy\_kinesis](#input\_override\_policy\_kinesis) | A valid KMS key policy JSON document. If not specified, a canonical key policy will be used. | `string` | `null` | no | | [override\_policy\_lambda](#input\_override\_policy\_lambda) | A valid KMS key policy JSON document. If not specified, a canonical key policy will be used. | `string` | `null` | no | | [override\_policy\_logs](#input\_override\_policy\_logs) | A valid KMS key policy JSON document. If not specified, a canonical key policy will be used. | `string` | `null` | no | +| [override\_policy\_mwaa](#input\_override\_policy\_mwaa) | A valid KMS key policy JSON document. 
If not specified, a canonical key policy will be used. | `string` | `null` | no | | [override\_policy\_rds](#input\_override\_policy\_rds) | A valid KMS key policy JSON document. If not specified, a canonical key policy will be used. | `string` | `null` | no | | [override\_policy\_s3](#input\_override\_policy\_s3) | A valid KMS key policy JSON document. If not specified, a canonical key policy will be used. | `string` | `null` | no | | [override\_policy\_secretsmanager](#input\_override\_policy\_secretsmanager) | A valid KMS key policy JSON document. If not specified, a canonical key policy will be used. | `string` | `null` | no | diff --git a/modules/aws/kms/ecr.tf b/modules/aws/kms/ecr.tf new file mode 100644 index 0000000..b2ed76c --- /dev/null +++ b/modules/aws/kms/ecr.tf 
@@ -0,0 +1,63 @@
+# tflint-ignore: terraform_standard_module_structure
+variable "enable_kms_ecr" {
+ description = "Enable customer managed key that can be used to encrypt/decrypt Amazon ECR"
+ type = bool
+ default = false
+}
+
+# tflint-ignore: terraform_standard_module_structure
+variable "enable_key_rotation_ecr" {
+ description = "Enable key rotation for Amazon ECR CMK"
+ type = bool
+ default = true
+}
+
+# tflint-ignore: terraform_standard_module_structure
+variable "enable_multi_region_ecr" {
+ description = "Enable multi-region for Amazon ECR CMK"
+ type = bool
+ default = false
+}
+
+# tflint-ignore: terraform_standard_module_structure
+variable "override_policy_ecr" {
+ description = "A valid KMS key policy JSON document. If not specified, a canonical key policy will be used."
+ type = string
+ default = null
+}
+
+data "aws_iam_policy_document" "ecr" {
+ # checkov:skip=CKV_AWS_109: Not applicable, using condition
+ # checkov:skip=CKV_AWS_111: Not applicable, using condition
+ source_policy_documents = [data.aws_iam_policy_document.admin_kms_policy.json]
+
+ statement {
+ sid = "Allow access through Amazon ECR for all principals in the account that are authorized to use Amazon ECR"
+ principals {
+ type = "AWS"
+ identifiers = ["*"]
+ }
+ actions = [
+ "kms:Encrypt",
+ "kms:Decrypt",
+ "kms:ReEncrypt*",
+ "kms:GenerateDataKey*",
+ "kms:DescribeKey",
+ "kms:CreateGrant",
+ "kms:RetireGrant"
+ ]
+ resources = ["*"]
+ condition {
+ test = "StringEquals"
+ variable = "kms:ViaService"
+ values = [
+ "ecr.${var.region}.amazonaws.com"
+ ]
+ }
+ condition {
+ test = "StringEquals"
+ variable = "kms:CallerAccount"
+ values = local.allowed_accounts_via_service
+ }
+ }
+}
diff --git a/modules/aws/kms/eks.tf b/modules/aws/kms/eks.tf
new file mode 100644
index 0000000..11fd4f1
--- /dev/null
+++ b/modules/aws/kms/eks.tf
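Review bot: The ECR statement grants `kms:CreateGrant` and `kms:RetireGrant` where the parallel EKS statement in eks.tf grants only the data-key actions, and nothing in the hunk records why the two differ; a comment on the actions list such as `# ECR takes a grant on the key per KMS-encrypted repository (see ECR encryption-at-rest docs), so grant actions are required here` would keep the next reader from "harmonising" the two statements and breaking repository creation. The `kms:ViaService` value is derived from `var.region`, so if `enable_multi_region_ecr` is intended to let a replica key serve ECR in another region, this condition would still admit only calls made through ECR in `var.region`; how the key resource consumes `override_policy_ecr`/this document is outside the hunk, so that interaction should be confirmed there. The `kms:CallerAccount` check relies on `local.allowed_accounts_via_service`, which is also defined outside this hunk.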
@@ -0,0 +1,61 @@
+# tflint-ignore: terraform_standard_module_structure
+variable "enable_kms_eks" {
+ description = "Enable customer managed key that can be used to encrypt/decrypt Amazon EKS"
+ type = bool
+ default = false
+}
+
+# tflint-ignore: terraform_standard_module_structure
+variable "enable_key_rotation_eks" {
+ description = "Enable key rotation for Amazon EKS CMK"
+ type = bool
+ default = true
+}
+
+# tflint-ignore: terraform_standard_module_structure
+variable "enable_multi_region_eks" {
+ description = "Enable multi-region for Amazon EKS CMK"
+ type = bool
+ default = false
+}
+
+# tflint-ignore: terraform_standard_module_structure
+variable "override_policy_eks" {
+ description = "A valid KMS key policy JSON document. If not specified, a canonical key policy will be used."
+ type = string
+ default = null
+}
+
+data "aws_iam_policy_document" "eks" {
+ # checkov:skip=CKV_AWS_109: Not applicable, using condition
+ # checkov:skip=CKV_AWS_111: Not applicable, using condition
+ source_policy_documents = [data.aws_iam_policy_document.admin_kms_policy.json]
+
+ statement {
+ sid = "Allow access through Amazon EKS for all principals in the account that are authorized to use Amazon EKS"
+ principals {
+ type = "AWS"
+ identifiers = ["*"]
+ }
+ actions = [
+ "kms:Encrypt",
+ "kms:Decrypt",
+ "kms:ReEncrypt*",
+ "kms:GenerateDataKey*",
+ "kms:DescribeKey"
+ ]
+ resources = ["*"]
+ condition {
+ test = "StringEquals"
+ variable = "kms:ViaService"
+ values = [
+ "eks.${var.region}.amazonaws.com"
+ ]
+ }
+ condition {
+ test = "StringEquals"
+ variable = "kms:CallerAccount"
+ values = local.allowed_accounts_via_service
+ }
+ }
+}
diff --git a/modules/aws/kms/locals.tf b/modules/aws/kms/locals.tf
index 8c30746..350481d 100644
--- a/modules/aws/kms/locals.tf
+++ b/modules/aws/kms/locals.tf
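Review bot: The EKS statement's actions list omits `kms:CreateGrant`, yet AWS documents Kubernetes secrets envelope encryption as requiring `kms:CreateGrant` on the key for the cluster's IAM principal (the well-known failure when it is missing is an AccessDenied on CreateGrant while enabling encryption); with this canonical policy that call could only succeed if `admin_kms_policy`, which is sourced here but defined outside the hunk, already authorises it. It is also not certain from the policy alone that EKS's grant request arrives with `kms:ViaService` set to `eks.<region>.amazonaws.com` rather than directly from the IAM principal creating the cluster, which would decide whether this statement can authorise it at all. Either add `"kms:CreateGrant"` (and, if grants are retired on cluster deletion, `"kms:RetireGrant"`) to mirror ecr.tf, or add a comment stating why EKS is expected to work without grant actions, after verifying against a test cluster.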
@@ -24,6 +24,9 @@ locals {
     kinesis = try(length(var.override_policy_kinesis), 0) == 0 ? data.aws_iam_policy_document.kinesis.json : var.override_policy_kinesis
     glue = try(length(var.override_policy_glue), 0) == 0 ? data.aws_iam_policy_document.glue.json : var.override_policy_glue
     acm = try(length(var.override_policy_acm), 0) == 0 ? data.aws_iam_policy_document.acm.json : var.override_policy_acm
+    mwaa = try(length(var.override_policy_mwaa), 0) == 0 ? data.aws_iam_policy_document.mwaa.json : var.override_policy_mwaa
+    ecr = try(length(var.override_policy_ecr), 0) == 0 ? data.aws_iam_policy_document.ecr.json : var.override_policy_ecr
+    eks = try(length(var.override_policy_eks), 0) == 0 ? data.aws_iam_policy_document.eks.json : var.override_policy_eks
   }
   enable_key_rotation = {
     s3 = var.enable_key_rotation_s3
@@ -42,6 +45,9 @@ locals {
     kinesis = var.enable_key_rotation_kinesis
     glue = var.enable_key_rotation_glue
     acm = var.enable_key_rotation_acm
+    mwaa = var.enable_key_rotation_mwaa
+    ecr = var.enable_key_rotation_ecr
+    eks = var.enable_key_rotation_eks
   }
   multi_region = {
     s3 = var.enable_multi_region_s3
@@ -60,6 +66,9 @@ locals {
     kinesis = var.enable_multi_region_kinesis
     glue = var.enable_multi_region_glue
     acm = var.enable_multi_region_acm
+    mwaa = var.enable_multi_region_mwaa
+    ecr = var.enable_multi_region_ecr
+    eks = var.enable_multi_region_eks
   }
 }
 
@@ -80,6 +89,9 @@ locals {
     var.enable_kms_session ? "session" : "",
     var.enable_kms_kinesis ? "kinesis" : "",
     var.enable_kms_glue ? "glue" : "",
-    var.enable_kms_acm ? "acm" : ""
+    var.enable_kms_acm ? "acm" : "",
+    var.enable_kms_mwaa ? "mwaa" : "",
+    var.enable_kms_ecr ? "ecr" : "",
+    var.enable_kms_eks ? "eks" : ""
   ])
 }
diff --git a/modules/aws/kms/logs.tf b/modules/aws/kms/logs.tf
index 1933b28..8e4202d 100644
--- a/modules/aws/kms/logs.tf
+++ b/modules/aws/kms/logs.tf
@@ -45,7 +45,7 @@ data "aws_iam_policy_document" "logs" {
     ]
     resources = ["*"]
     condition {
-      test = "ArnEquals"
+      test = "ArnLike"
       variable = "kms:EncryptionContext:aws:logs:arn"
       values = [
         "arn:aws:logs:${var.region}:${data.aws_caller_identity.current.account_id}:*"
diff --git a/modules/aws/kms/mwaa.tf b/modules/aws/kms/mwaa.tf
new file mode 100644
index 0000000..b0c671c
--- /dev/null
+++ b/modules/aws/kms/mwaa.tf
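Review bot: The ArnEquals→ArnLike swap on the logs condition does not change who can use the key — IAM documents the two operators as behaving identically, both matching the six ARN segments with `*`/`?` wildcards — so it is a readability fix that happens to ride along with a commit whose subject is MWAA/ECR/EKS support. It deserves a line in the commit message or a comment such as `# ArnLike: the account-wide log-group ARN ends in a wildcard` so a later reader does not go looking for a behavioural change. The enclosing `data "aws_iam_policy_document" "logs"` block starts outside the hunk.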
@@ -0,0 +1,107 @@
+# tflint-ignore: terraform_standard_module_structure
+variable "enable_kms_mwaa" {
+  description = "Enable customer managed key that can be used to encrypt/decrypt Amazon MWAA"
+  type = bool
+  default = false
+}
+
+# tflint-ignore: terraform_standard_module_structure
+variable "enable_key_rotation_mwaa" {
+  description = "Enable key rotation for Amazon MWAA CMK"
+  type = bool
+  default = true
+}
+
+# tflint-ignore: terraform_standard_module_structure
+variable "enable_multi_region_mwaa" {
+  description = "Enable multi-region for Amazon MWAA CMK"
+  type = bool
+  default = false
+}
+
+# tflint-ignore: terraform_standard_module_structure
+variable "override_policy_mwaa" {
+  description = "A valid KMS key policy JSON document. If not specified, a canonical key policy will be used."
+  type = string
+  default = null
+}
+
+data "aws_iam_policy_document" "mwaa" {
+  # checkov:skip=CKV_AWS_111: Not applicable, using condition
+  source_policy_documents = [data.aws_iam_policy_document.admin_kms_policy.json]
+
+  statement {
+    sid = "Allow access through Amazon S3 for all principals in the account that are authorized to use Amazon S3"
+    principals {
+      type = "AWS"
+      identifiers = ["*"]
+    }
+    actions = [
+      "kms:Encrypt",
+      "kms:Decrypt",
+      "kms:ReEncrypt*",
+      "kms:GenerateDataKey*",
+      "kms:DescribeKey"
+    ]
+    resources = ["*"]
+    condition {
+      test = "StringEquals"
+      variable = "kms:ViaService"
+      values = [
+        "s3.${var.region}.amazonaws.com"
+      ]
+    }
+    condition {
+      test = "StringEquals"
+      variable = "kms:CallerAccount"
+      values = local.allowed_accounts_via_service
+    }
+  }
+
+  statement {
+    sid = "Allow access to CloudWatch Logs"
+    principals {
+      type = "Service"
+      identifiers = ["logs.${var.region}.amazonaws.com"]
+    }
+    actions = [
+      "kms:Encrypt*",
+      "kms:Decrypt*",
+      "kms:ReEncrypt*",
+      "kms:GenerateDataKey*",
+      "kms:Describe*"
+    ]
+    resources = ["*"]
+    condition {
+      test = "ArnLike"
+      variable = "kms:EncryptionContext:aws:logs:arn"
+      values = [
+        "arn:aws:logs:${var.region}:${data.aws_caller_identity.current.account_id}:*"
+      ]
+    }
+  }
+
+  statement {
+    sid = "Allow access to MWAA SQS"
+    principals {
+      type = "AWS"
+      identifiers = ["*"]
+    }
+    actions = [
+      "kms:Encrypt*",
+      "kms:Decrypt*",
+      "kms:ReEncrypt*",
+      "kms:GenerateDataKey*",
+      "kms:Describe*"
+    ]
+    resources = ["*"]
+    condition {
+      test = "ArnLike"
+      variable = "kms:EncryptionContext:aws:sqs:arn"
+      #SQS is in the Amazon owned account
+      values = [
+        "arn:aws:sqs:${var.region}:*:airflow-celery-*"
+      ]
+    }
+  }
+}
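Review bot: The "Allow access to MWAA SQS" statement at the end of the hunk grants Encrypt/Decrypt/GenerateDataKey to `AWS: *` with neither a kms:CallerAccount nor a kms:ViaService condition, so it is a cross-account grant whose only constraint is the encryption context — a value the caller itself supplies on a direct KMS API call, as far as the hunk shows. The account wildcard in the ARN is unavoidable because the queue lives in an AWS-owned account, as the inline comment says, but the request can still be pinned to requests SQS makes in this region with a kms:ViaService condition, which is how the MWAA key-policy example pairs the encryption-context match (please confirm against the MWAA doc linked in the README). The preceding Logs statement is scoped by a Service principal and needs no change. The `#SQS is in the Amazon owned account` comment sits between `variable` and `values`; moving it above the `condition` block and spelling out the consequence — no kms:CallerAccount condition is possible here, hence the CKV_AWS_111 skip — would make the skip self-explanatory.
```terraform
  statement {
    sid = "Allow access to MWAA SQS"
    # … unchanged: principals, actions, resources, the kms:EncryptionContext:aws:sqs:arn condition …
    # Only honour the encryption-context match when the request arrives via SQS in this region.
    condition {
      test = "StringEquals"
      variable = "kms:ViaService"
      values = ["sqs.${var.region}.amazonaws.com"]
    }
  }
```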