From 3562c52520156a80aa572a191350dd99d1387fe4 Mon Sep 17 00:00:00 2001
From: Aleksandr Averbukh <averbukh@google.com>
Date: Tue, 8 Nov 2022 09:34:38 +0100
Subject: [PATCH 1/8] Add support for org policy custom constraints

---
 modules/organization/README.md                | 118 ++++++++++++++++--
 modules/organization/organization-policies.tf |  46 +++++++
 modules/organization/variables.tf             |  31 ++++-
 3 files changed, 182 insertions(+), 13 deletions(-)

diff --git a/modules/organization/README.md b/modules/organization/README.md
index 84a7da84..1c7a59b1 100644
--- a/modules/organization/README.md
+++ b/modules/organization/README.md
@@ -6,6 +6,7 @@ This module allows managing several organization properties:
 - custom IAM roles
 - audit logging configuration for services
 - organization policies
+- organization policy custom constraints
 
 To manage organization policies, the `orgpolicy.googleapis.com` service should be enabled in the quota project.
 
@@ -22,7 +23,21 @@ module "org" {
     "roles/resourcemanager.projectCreator" = ["group:cloud-admins@example.org"]
   }
 
+  org_policy_custom_constraints = {
+    "custom.gkeEnableAutoUpgrade" = {
+      resource_types = ["container.googleapis.com/NodePool"]
+      method_types   = ["CREATE"]
+      condition      = "resource.management.autoUpgrade == true"
+      action_type    = "ALLOW"
+      display_name   = "Enable node auto-upgrade"
+      description    = "All node pools must have node auto-upgrade enabled."
+    }
+  }
+
   org_policies = {
+    "custom.gkeEnableAutoUpgrade" = {
+      enforce = true
+    }
     "compute.disableGuestAttributesAccess" = {
       enforce = true
     }
@@ -61,7 +76,7 @@ module "org" {
     }
   }
 }
-# tftest modules=1 resources=10
+# tftest modules=1 resources=12
 ```
 
 ## IAM
@@ -74,15 +89,100 @@ There are several mutually exclusive ways of managing IAM in this module
 
 If you set audit policies via the `iam_audit_config_authoritative` variable, be sure to also configure IAM bindings via `iam_bindings_authoritative`, as audit policies use the underlying `google_organization_iam_policy` resource, which is also authoritative for any role.
 
-Some care must also be takend with the `groups_iam` variable (and in some situations with the additive variables) to ensure that variable keys are static values, so that Terraform is able to compute the dependency graph.
+Some care must also be taken with the `groups_iam` variable (and in some situations with the additive variables) to ensure that variable keys are static values, so that Terraform is able to compute the dependency graph.
 
 ### Organization policy factory
 
 See the [organization policy factory in the project module](../project#organization-policy-factory).
 
+### Org policy custom constraints
+
+Refer to the [Creating and managing custom constraints](https://cloud.google.com/resource-manager/docs/organization-policy/creating-managing-custom-constraints) documentation for details on usage.
+To manage organization policy custom constraints, the `orgpolicy.googleapis.com` service should be enabled in the quota project.
+
+```hcl
+module "org" {
+  source          = "./fabric/modules/organization"
+  organization_id = var.organization_id
+  
+  org_policy_custom_constraints = {
+    "custom.gkeEnableAutoUpgrade" = {
+      resource_types = ["container.googleapis.com/NodePool"]
+      method_types   = ["CREATE"]
+      condition      = "resource.management.autoUpgrade == true"
+      action_type    = "ALLOW"
+      display_name   = "Enable node auto-upgrade"
+      description    = "All node pools must have node auto-upgrade enabled."
+    }
+  }
+
+  # not necessarily to enforce on the org level, policy may be applied on folder/project levels
+  org_policies = {
+    "custom.gkeEnableAutoUpgrade" = {
+      enforce = true
+    }
+  }
+}
+# tftest modules=1 resources=2
+```
+
+### Org policy custom constraints factory
+
+Org policy custom constraints can be loaded from a directory containing YAML files where each file defines one or more custom constraints. The structure of the YAML files is exactly the same as the `org_policy_custom_constraints` variable.
+
+The example below deploys a few org policy custom constraints split between two YAML files.
+
+```hcl
+module "org" {
+  source          = "./fabric/modules/organization"
+  organization_id = var.organization_id
+  
+  org_policy_custom_constraints_data_path = "/my/path"
+
+}
+# tftest skip
+```
+
+```yaml
+# /my/path/gke.yaml
+custom.gkeEnableLogging:
+  resource_types: 
+  - container.googleapis.com/Cluster
+  method_types:
+  - CREATE
+  - UPDATE
+  condition: resource.loggingService == "none"
+  action_type: DENY
+  display_name: Do not disable Cloud Logging
+custom.gkeEnableAutoUpgrade:
+  resource_types: 
+  - container.googleapis.com/NodePool
+  method_types:
+  - CREATE
+  condition: resource.management.autoUpgrade == true
+  action_type: ALLOW
+  display_name: Enable node auto-upgrade
+  description: All node pools must have node auto-upgrade enabled.
+```
+
+```yaml
+# /my/path/dataproc.yaml
+
+custom.dataprocNoMoreThan10Workers
+  resource_types: 
+  - dataproc.googleapis.com/Cluster
+  method_types:
+  - CREATE
+  - UPDATE
+  condition: resource.config.workerConfig.numInstances + resource.config.secondaryWorkerConfig.numInstances > 10
+  action_type: DENY
+  display_name: Total number of worker instances cannot be larger than 10
+  description: Cluster cannot have more than 10 workers, including primary and secondary workers.
+```
+
 ## Hierarchical firewall policies
 
-Hirerarchical firewall policies can be managed in two ways:
+Hierarchical firewall policies can be managed in two ways:
 
 - via the `firewall_policies` variable, to directly define policies and rules in Terraform
 - via the `firewall_policy_factory` variable, to leverage external YaML files via a simple "factory" embedded in the module ([see here](../../blueprints/factories) for more context on factories)
@@ -314,7 +414,7 @@ module "org" {
 | [iam.tf](./iam.tf) | IAM bindings, roles and audit logging resources. | <code>google_organization_iam_audit_config</code> · <code>google_organization_iam_binding</code> · <code>google_organization_iam_custom_role</code> · <code>google_organization_iam_member</code> · <code>google_organization_iam_policy</code> |
 | [logging.tf](./logging.tf) | Log sinks and supporting resources. | <code>google_bigquery_dataset_iam_member</code> · <code>google_logging_organization_exclusion</code> · <code>google_logging_organization_sink</code> · <code>google_project_iam_member</code> · <code>google_pubsub_topic_iam_member</code> · <code>google_storage_bucket_iam_member</code> |
 | [main.tf](./main.tf) | Module-level locals and resources. | <code>google_essential_contacts_contact</code> |
-| [organization-policies.tf](./organization-policies.tf) | Organization-level organization policies. | <code>google_org_policy_policy</code> |
+| [organization-policies.tf](./organization-policies.tf) | Organization-level organization policies. | <code>google_org_policy_custom_constraint</code> · <code>google_org_policy_policy</code> |
 | [outputs.tf](./outputs.tf) | Module outputs. |  |
 | [tags.tf](./tags.tf) | None | <code>google_tags_tag_binding</code> · <code>google_tags_tag_key</code> · <code>google_tags_tag_key_iam_binding</code> · <code>google_tags_tag_value</code> · <code>google_tags_tag_value_iam_binding</code> |
 | [variables.tf](./variables.tf) | Module variables. |  |
@@ -324,7 +424,7 @@ module "org" {
 
 | name | description | type | required | default |
 |---|---|:---:|:---:|:---:|
-| [organization_id](variables.tf#L191) | Organization id in organizations/nnnnnn format. | <code>string</code> | ✓ |  |
+| [organization_id](variables.tf#L217) | Organization id in organizations/nnnnnn format. | <code>string</code> | ✓ |  |
 | [contacts](variables.tf#L17) | List of essential contacts for this resource. Must be in the form EMAIL -> [NOTIFICATION_TYPES]. Valid notification types are ALL, SUSPENSION, SECURITY, TECHNICAL, BILLING, LEGAL, PRODUCT_UPDATES. | <code>map&#40;list&#40;string&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
 | [custom_roles](variables.tf#L24) | Map of role name => list of permissions to create in this project. | <code>map&#40;list&#40;string&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
 | [firewall_policies](variables.tf#L31) | Hierarchical firewall policy rules created in the organization. | <code title="map&#40;map&#40;object&#40;&#123;&#10;  action                  &#61; string&#10;  description             &#61; string&#10;  direction               &#61; string&#10;  logging                 &#61; bool&#10;  ports                   &#61; map&#40;list&#40;string&#41;&#41;&#10;  priority                &#61; number&#10;  ranges                  &#61; list&#40;string&#41;&#10;  target_resources        &#61; list&#40;string&#41;&#10;  target_service_accounts &#61; list&#40;string&#41;&#10;&#125;&#41;&#41;&#41;">map&#40;map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
@@ -340,9 +440,11 @@ module "org" {
 | [logging_exclusions](variables.tf#L122) | Logging exclusions for this organization in the form {NAME -> FILTER}. | <code>map&#40;string&#41;</code> |  | <code>&#123;&#125;</code> |
 | [logging_sinks](variables.tf#L129) | Logging sinks to create for this organization. | <code title="map&#40;object&#40;&#123;&#10;  destination          &#61; string&#10;  type                 &#61; string&#10;  filter               &#61; string&#10;  include_children     &#61; bool&#10;  bq_partitioned_table &#61; bool&#10;  exclusions &#61; map&#40;string&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
 | [org_policies](variables.tf#L151) | Organization policies applied to this organization keyed by policy name. | <code title="map&#40;object&#40;&#123;&#10;  inherit_from_parent &#61; optional&#40;bool&#41; &#35; for list policies only.&#10;  reset               &#61; optional&#40;bool&#41;&#10;  allow &#61; optional&#40;object&#40;&#123;&#10;    all    &#61; optional&#40;bool&#41;&#10;    values &#61; optional&#40;list&#40;string&#41;&#41;&#10;  &#125;&#41;&#41;&#10;  deny &#61; optional&#40;object&#40;&#123;&#10;    all    &#61; optional&#40;bool&#41;&#10;    values &#61; optional&#40;list&#40;string&#41;&#41;&#10;  &#125;&#41;&#41;&#10;  enforce &#61; optional&#40;bool, true&#41; &#35; for boolean policies only.&#10;  rules &#61; optional&#40;list&#40;object&#40;&#123;&#10;    allow &#61; optional&#40;object&#40;&#123;&#10;      all    &#61; optional&#40;bool&#41;&#10;      values &#61; optional&#40;list&#40;string&#41;&#41;&#10;    &#125;&#41;&#41;&#10;    deny &#61; optional&#40;object&#40;&#123;&#10;      all    &#61; optional&#40;bool&#41;&#10;      values &#61; optional&#40;list&#40;string&#41;&#41;&#10;    &#125;&#41;&#41;&#10;    enforce &#61; optional&#40;bool, true&#41; &#35; for boolean policies only.&#10;    condition &#61; object&#40;&#123;&#10;      description &#61; optional&#40;string&#41;&#10;      expression  &#61; optional&#40;string&#41;&#10;      location    &#61; optional&#40;string&#41;&#10;      title       &#61; optional&#40;string&#41;&#10;    &#125;&#41;&#10;  &#125;&#41;&#41;, &#91;&#93;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
-| [org_policies_data_path](variables.tf#L200) | Path containing org policies in YAML format. | <code>string</code> |  | <code>null</code> |
-| [tag_bindings](variables.tf#L206) | Tag bindings for this organization, in key => tag value id format. | <code>map&#40;string&#41;</code> |  | <code>null</code> |
-| [tags](variables.tf#L212) | Tags by key name. The `iam` attribute behaves like the similarly named one at module level. | <code title="map&#40;object&#40;&#123;&#10;  description &#61; string&#10;  iam         &#61; map&#40;list&#40;string&#41;&#41;&#10;  values &#61; map&#40;object&#40;&#123;&#10;    description &#61; string&#10;    iam         &#61; map&#40;list&#40;string&#41;&#41;&#10;  &#125;&#41;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>null</code> |
+| [org_policies_data_path](variables.tf#L191) | Path containing org policies in YAML format. | <code>string</code> |  | <code>null</code> |
+| [org_policy_custom_constraints](variables.tf#L197) | Organization policiy custom constraints keyed by constraint name. | <code title="map&#40;object&#40;&#123;&#10;  display_name   &#61; optional&#40;string&#41;&#10;  description    &#61; optional&#40;string&#41;&#10;  action_type    &#61; string&#10;  condition      &#61; string&#10;  method_types   &#61; list&#40;string&#41;&#10;  resource_types &#61; list&#40;string&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
+| [org_policy_custom_constraints_data_path](variables.tf#L211) | Path containing org policy custom constraints in YAML format. | <code>string</code> |  | <code>null</code> |
+| [tag_bindings](variables.tf#L227) | Tag bindings for this organization, in key => tag value id format. | <code>map&#40;string&#41;</code> |  | <code>null</code> |
+| [tags](variables.tf#L233) | Tags by key name. The `iam` attribute behaves like the similarly named one at module level. | <code title="map&#40;object&#40;&#123;&#10;  description &#61; string&#10;  iam         &#61; map&#40;list&#40;string&#41;&#41;&#10;  values &#61; map&#40;object&#40;&#123;&#10;    description &#61; string&#10;    iam         &#61; map&#40;list&#40;string&#41;&#41;&#10;  &#125;&#41;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>null</code> |
 
 ## Outputs
 
diff --git a/modules/organization/organization-policies.tf b/modules/organization/organization-policies.tf
index fcde1658..4e82467b 100644
--- a/modules/organization/organization-policies.tf
+++ b/modules/organization/organization-policies.tf
@@ -88,6 +88,37 @@ locals {
       ]
     })
   }
+
+  _custom_constraints_factory_data_raw = (
+    var.org_policy_custom_constraints_data_path == null
+    ? tomap({})
+    : merge([
+      for f in fileset(var.org_policy_custom_constraints_data_path, "*.yaml") :
+      yamldecode(file("${var.org_policy_custom_constraints_data_path}/${f}"))
+    ]...)
+  )
+
+  _custom_constraints_factory_data = {
+    for k, v in local._custom_constraints_factory_data_raw :
+    k => {
+      display_name   = try(v.display_name, null)
+      description    = try(v.description, null)
+      action_type    = v.action_type
+      condition      = v.condition
+      method_types   = v.method_types
+      resource_types = v.resource_types
+    }
+  }
+
+  _custom_constraints = merge(local._custom_constraints_factory_data, var.org_policy_custom_constraints)
+
+  custom_constraints = {
+    for k, v in local._custom_constraints :
+    k => merge(v, {
+      name   = k
+      parent = var.organization_id
+    })
+  }
 }
 
 resource "google_org_policy_policy" "default" {
@@ -150,5 +181,20 @@ resource "google_org_policy_policy" "default" {
     google_organization_iam_custom_role.roles,
     google_organization_iam_member.additive,
     google_organization_iam_policy.authoritative,
+    google_org_policy_custom_constraint.constraint,
   ]
 }
+
+resource "google_org_policy_custom_constraint" "constraint" {
+  provider = google-beta
+
+  for_each       = local.custom_constraints
+  name           = each.value.name
+  parent         = each.value.parent
+  display_name   = each.value.display_name
+  description    = each.value.description
+  action_type    = each.value.action_type
+  condition      = each.value.condition
+  method_types   = each.value.method_types
+  resource_types = each.value.resource_types
+}
diff --git a/modules/organization/variables.tf b/modules/organization/variables.tf
index 7093a118..5b98a9e1 100644
--- a/modules/organization/variables.tf
+++ b/modules/organization/variables.tf
@@ -188,6 +188,32 @@ variable "org_policies" {
   nullable = false
 }
 
+variable "org_policies_data_path" {
+  description = "Path containing org policies in YAML format."
+  type        = string
+  default     = null
+}
+
+variable "org_policy_custom_constraints" {
+  description = "Organization policiy custom constraints keyed by constraint name."
+  type = map(object({
+    display_name   = optional(string)
+    description    = optional(string)
+    action_type    = string
+    condition      = string
+    method_types   = list(string)
+    resource_types = list(string)
+  }))
+  default  = {}
+  nullable = false
+}
+
+variable "org_policy_custom_constraints_data_path" {
+  description = "Path containing org policy custom constraints in YAML format."
+  type        = string
+  default     = null
+}
+
 variable "organization_id" {
   description = "Organization id in organizations/nnnnnn format."
   type        = string
@@ -197,11 +223,6 @@ variable "organization_id" {
   }
 }
 
-variable "org_policies_data_path" {
-  description = "Path containing org policies in YAML format."
-  type        = string
-  default     = null
-}
 
 variable "tag_bindings" {
   description = "Tag bindings for this organization, in key => tag value id format."

From aae6ab132c456381cdcfdb671d3bac0184b11710 Mon Sep 17 00:00:00 2001
From: Aleksandr Averbukh <averbukh@google.com>
Date: Tue, 8 Nov 2022 18:10:13 +0100
Subject: [PATCH 2/8] Add tests for org policy custom constraints

---
 .../org-policy-custom-constraints.tf          | 62 +++++++++++++++++++
 modules/organization/organization-policies.tf | 45 --------------
 tests/modules/organization/fixture/main.tf    | 36 ++++++-----
 .../test.orgpolicy-custom-constraints.tfvars  | 18 ++++++
 .../modules/organization/fixture/variables.tf | 10 +++
 .../organization/test_plan_org_policies.py    | 16 ++++-
 .../test_plan_org_policies_modules.py         |  8 +--
 .../modules/organization/validate_policies.py | 22 +++++++
 8 files changed, 150 insertions(+), 67 deletions(-)
 create mode 100644 modules/organization/org-policy-custom-constraints.tf
 create mode 100644 tests/modules/organization/fixture/test.orgpolicy-custom-constraints.tfvars

diff --git a/modules/organization/org-policy-custom-constraints.tf b/modules/organization/org-policy-custom-constraints.tf
new file mode 100644
index 00000000..bfc2de1b
--- /dev/null
+++ b/modules/organization/org-policy-custom-constraints.tf
@@ -0,0 +1,62 @@
+/**
+ * Copyright 2022 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+locals {
+  _custom_constraints_factory_data_raw = (
+    var.org_policy_custom_constraints_data_path == null
+    ? tomap({})
+    : tomap(merge([
+      for f in fileset(var.org_policy_custom_constraints_data_path, "*.yaml") :
+      yamldecode(file("${var.org_policy_custom_constraints_data_path}/${f}"))
+    ]...))
+  )
+
+  _custom_constraints_factory_data = {
+    for k, v in local._custom_constraints_factory_data_raw :
+    k => {
+      display_name   = try(v.display_name, null)
+      description    = try(v.description, null)
+      action_type    = v.action_type
+      condition      = v.condition
+      method_types   = v.method_types
+      resource_types = v.resource_types
+    }
+  }
+
+  _custom_constraints = merge(local._custom_constraints_factory_data, var.org_policy_custom_constraints)
+
+  custom_constraints = {
+    for k, v in local._custom_constraints :
+    k => merge(v, {
+      name   = k
+      parent = var.organization_id
+    })
+  }
+}
+
+resource "google_org_policy_custom_constraint" "constraint" {
+  provider = google-beta
+
+  for_each       = local.custom_constraints
+  name           = each.value.name
+  parent         = each.value.parent
+  display_name   = each.value.display_name
+  description    = each.value.description
+  action_type    = each.value.action_type
+  condition      = each.value.condition
+  method_types   = each.value.method_types
+  resource_types = each.value.resource_types
+}
diff --git a/modules/organization/organization-policies.tf b/modules/organization/organization-policies.tf
index 4e82467b..425e8f52 100644
--- a/modules/organization/organization-policies.tf
+++ b/modules/organization/organization-policies.tf
@@ -88,37 +88,6 @@ locals {
       ]
     })
   }
-
-  _custom_constraints_factory_data_raw = (
-    var.org_policy_custom_constraints_data_path == null
-    ? tomap({})
-    : merge([
-      for f in fileset(var.org_policy_custom_constraints_data_path, "*.yaml") :
-      yamldecode(file("${var.org_policy_custom_constraints_data_path}/${f}"))
-    ]...)
-  )
-
-  _custom_constraints_factory_data = {
-    for k, v in local._custom_constraints_factory_data_raw :
-    k => {
-      display_name   = try(v.display_name, null)
-      description    = try(v.description, null)
-      action_type    = v.action_type
-      condition      = v.condition
-      method_types   = v.method_types
-      resource_types = v.resource_types
-    }
-  }
-
-  _custom_constraints = merge(local._custom_constraints_factory_data, var.org_policy_custom_constraints)
-
-  custom_constraints = {
-    for k, v in local._custom_constraints :
-    k => merge(v, {
-      name   = k
-      parent = var.organization_id
-    })
-  }
 }
 
 resource "google_org_policy_policy" "default" {
@@ -184,17 +153,3 @@ resource "google_org_policy_policy" "default" {
     google_org_policy_custom_constraint.constraint,
   ]
 }
-
-resource "google_org_policy_custom_constraint" "constraint" {
-  provider = google-beta
-
-  for_each       = local.custom_constraints
-  name           = each.value.name
-  parent         = each.value.parent
-  display_name   = each.value.display_name
-  description    = each.value.description
-  action_type    = each.value.action_type
-  condition      = each.value.condition
-  method_types   = each.value.method_types
-  resource_types = each.value.resource_types
-}
diff --git a/tests/modules/organization/fixture/main.tf b/tests/modules/organization/fixture/main.tf
index 4f5df9e2..a620542e 100644
--- a/tests/modules/organization/fixture/main.tf
+++ b/tests/modules/organization/fixture/main.tf
@@ -15,21 +15,23 @@
  */
 
 module "test" {
-  source                      = "../../../../modules/organization"
-  organization_id             = "organizations/1234567890"
-  custom_roles                = var.custom_roles
-  firewall_policies           = var.firewall_policies
-  firewall_policy_association = var.firewall_policy_association
-  firewall_policy_factory     = var.firewall_policy_factory
-  group_iam                   = var.group_iam
-  iam                         = var.iam
-  iam_additive                = var.iam_additive
-  iam_additive_members        = var.iam_additive_members
-  iam_audit_config            = var.iam_audit_config
-  logging_sinks               = var.logging_sinks
-  logging_exclusions          = var.logging_exclusions
-  org_policies                = var.org_policies
-  org_policies_data_path      = var.org_policies_data_path
-  tag_bindings                = var.tag_bindings
-  tags                        = var.tags
+  source                                  = "../../../../modules/organization"
+  organization_id                         = "organizations/1234567890"
+  custom_roles                            = var.custom_roles
+  firewall_policies                       = var.firewall_policies
+  firewall_policy_association             = var.firewall_policy_association
+  firewall_policy_factory                 = var.firewall_policy_factory
+  group_iam                               = var.group_iam
+  iam                                     = var.iam
+  iam_additive                            = var.iam_additive
+  iam_additive_members                    = var.iam_additive_members
+  iam_audit_config                        = var.iam_audit_config
+  logging_sinks                           = var.logging_sinks
+  logging_exclusions                      = var.logging_exclusions
+  org_policies                            = var.org_policies
+  org_policies_data_path                  = var.org_policies_data_path
+  org_policy_custom_constraints           = var.org_policy_custom_constraints
+  org_policy_custom_constraints_data_path = var.org_policy_custom_constraints_data_path
+  tag_bindings                            = var.tag_bindings
+  tags                                    = var.tags
 }
diff --git a/tests/modules/organization/fixture/test.orgpolicy-custom-constraints.tfvars b/tests/modules/organization/fixture/test.orgpolicy-custom-constraints.tfvars
new file mode 100644
index 00000000..a02f97c4
--- /dev/null
+++ b/tests/modules/organization/fixture/test.orgpolicy-custom-constraints.tfvars
@@ -0,0 +1,18 @@
+org_policy_custom_constraints = {
+  "custom.gkeEnableAutoUpgrade" = {
+    resource_types = ["container.googleapis.com/NodePool"]
+    method_types   = ["CREATE"]
+    condition      = "resource.management.autoUpgrade == true"
+    action_type    = "ALLOW"
+    display_name   = "Enable node auto-upgrade"
+    description    = "All node pools must have node auto-upgrade enabled."
+  },
+  "custom.dataprocNoMoreThan10Workers" = {
+    resource_types = ["dataproc.googleapis.com/Cluster"]
+    method_types   = ["CREATE", "UPDATE"]
+    condition      = "resource.config.workerConfig.numInstances + resource.config.secondaryWorkerConfig.numInstances > 10"
+    action_type    = "DENY"
+    display_name   = "Total number of worker instances cannot be larger than 10"
+    description    = "Cluster cannot have more than 10 workers, including primary and secondary workers."
+  }
+}
diff --git a/tests/modules/organization/fixture/variables.tf b/tests/modules/organization/fixture/variables.tf
index 2508fb06..c4efa8fb 100644
--- a/tests/modules/organization/fixture/variables.tf
+++ b/tests/modules/organization/fixture/variables.tf
@@ -79,6 +79,16 @@ variable "org_policies_data_path" {
   default = null
 }
 
+variable "org_policy_custom_constraints" {
+  type    = any
+  default = {}
+}
+
+variable "org_policy_custom_constraints_data_path" {
+  type    = any
+  default = null
+}
+
 variable "tag_bindings" {
   type    = any
   default = null
diff --git a/tests/modules/organization/test_plan_org_policies.py b/tests/modules/organization/test_plan_org_policies.py
index 8267106f..05550832 100644
--- a/tests/modules/organization/test_plan_org_policies.py
+++ b/tests/modules/organization/test_plan_org_policies.py
@@ -14,7 +14,7 @@
 
 import pathlib
 
-from .validate_policies import validate_policy_boolean, validate_policy_list
+from .validate_policies import validate_policy_boolean, validate_policy_list, validate_policy_custom_constraints
 
 
 def test_policy_boolean(plan_runner):
@@ -31,6 +31,13 @@ def test_policy_list(plan_runner):
   validate_policy_list(resources)
 
 
+def test_policy_custom_constraints(plan_runner):
+  "Test org policy custom constraints."
+  tfvars = 'test.orgpolicy-custom-constraints.tfvars'
+  _, resources = plan_runner(tf_var_file=tfvars)
+  validate_policy_custom_constraints(resources)
+
+
 def test_factory_policy_boolean(plan_runner, tfvars_to_yaml, tmp_path):
   dest = tmp_path / 'policies.yaml'
   tfvars_to_yaml('test.orgpolicies-boolean.tfvars', dest, 'org_policies')
@@ -43,3 +50,10 @@ def test_factory_policy_list(plan_runner, tfvars_to_yaml, tmp_path):
   tfvars_to_yaml('test.orgpolicies-list.tfvars', dest, 'org_policies')
   _, resources = plan_runner(org_policies_data_path=f'"{tmp_path}"')
   validate_policy_list(resources)
+
+
+def test_factory_policy_custom_constraints(plan_runner, tfvars_to_yaml, tmp_path):
+  dest = tmp_path / 'constraints.yaml'
+  tfvars_to_yaml('test.orgpolicy-custom-constraints.tfvars', dest, 'org_policy_custom_constraints')
+  _, resources = plan_runner(org_policy_custom_constraints_data_path=f'"{tmp_path}"')
+  validate_policy_custom_constraints(resources)
diff --git a/tests/modules/organization/test_plan_org_policies_modules.py b/tests/modules/organization/test_plan_org_policies_modules.py
index 81030035..d2a5e097 100644
--- a/tests/modules/organization/test_plan_org_policies_modules.py
+++ b/tests/modules/organization/test_plan_org_policies_modules.py
@@ -72,11 +72,10 @@ def test_policy_implementation():
       '-      name   = "${local.folder.name}/policies/${k}"\n',
       '-      parent = local.folder.name\n',
       '+      name   = "${var.organization_id}/policies/${k}"\n',
-      '+      parent = var.organization_id\n',
-      ' \n',
+      '+      parent = var.organization_id\n', ' \n',
       '       is_boolean_policy = v.allow == null && v.deny == null\n',
       '       has_values = (\n',
-      '@@ -143,4 +143,12 @@\n',
+      '@@ -143,4 +143,13 @@\n',
       '       }\n',
       '     }\n',
       '   }\n',
@@ -87,6 +86,7 @@ def test_policy_implementation():
       '+    google_organization_iam_custom_role.roles,\n',
       '+    google_organization_iam_member.additive,\n',
       '+    google_organization_iam_policy.authoritative,\n',
+      '+    google_org_policy_custom_constraint.constraint,\n',
       '+  ]\n',
-      ' }\n',
+      ' }\n'
   ]
diff --git a/tests/modules/organization/validate_policies.py b/tests/modules/organization/validate_policies.py
index 73acb088..51844b15 100644
--- a/tests/modules/organization/validate_policies.py
+++ b/tests/modules/organization/validate_policies.py
@@ -138,3 +138,25 @@ def validate_policy_list(resources):
       'enforce': None,
       'values': []
   }
+
+def validate_policy_custom_constraints(resources):
+  assert len(resources) == 2
+  assert all(
+      r['values']['parent'] == 'organizations/1234567890' for r in resources)
+  constraints = {
+      r['index']: r['values']
+      for r in resources
+      if r['type'] == 'google_org_policy_custom_constraint'
+  }
+  assert len(constraints) == 2
+  c1 = constraints['custom.gkeEnableAutoUpgrade']
+  assert c1['resource_types'][0] == 'container.googleapis.com/NodePool'
+  assert c1['method_types'] == ['CREATE']
+  assert c1['condition'] == 'resource.management.autoUpgrade == true'
+  assert c1['action_type'] == 'ALLOW'
+  
+  c2 = constraints['custom.dataprocNoMoreThan10Workers']
+  assert c2['resource_types'][0] == 'dataproc.googleapis.com/Cluster'
+  assert c2['method_types'] == ['CREATE', 'UPDATE']
+  assert c2['condition'] == 'resource.config.workerConfig.numInstances + resource.config.secondaryWorkerConfig.numInstances > 10'
+  assert c2['action_type'] == 'DENY'

From 02ca116260693a116140abba722bd856b2131b95 Mon Sep 17 00:00:00 2001
From: Ludovico Magnocavallo <ludomagno@google.com>
Date: Tue, 8 Nov 2022 09:38:15 +0100
Subject: [PATCH 3/8] FAST: bootstrap and extra stage CI/CD improvements and
 fixes (#956)

* add clone commands output

* always create secret key for repos, fix module source

* optional modules ref

* tfdoc

* create secrets in the right repositories

* add publick key to modules repository

* bump Terraform version in CI templates

* add template to populated files

* tfdoc

* do not error out writing ci/cd workflows when output files are disabled

* update README

* fix apply file outputs when outputs_location is changed to null
---
 fast/assets/templates/workflow-github.yaml    |  2 +-
 .../assets/templates/workflow-sourcerepo.yaml |  2 +-
 fast/extras/00-cicd-github/README.md          | 23 +++++++---
 fast/extras/00-cicd-github/main.tf            | 45 +++++++++++++------
 fast/extras/00-cicd-github/outputs.tf         | 23 ++++++++++
 fast/extras/00-cicd-github/variables.tf       |  6 +++
 fast/stages/00-bootstrap/outputs-files.tf     | 14 +++---
 7 files changed, 87 insertions(+), 28 deletions(-)
 create mode 100644 fast/extras/00-cicd-github/outputs.tf

diff --git a/fast/assets/templates/workflow-github.yaml b/fast/assets/templates/workflow-github.yaml
index 81b5f3d2..1efb9c66 100644
--- a/fast/assets/templates/workflow-github.yaml
+++ b/fast/assets/templates/workflow-github.yaml
@@ -30,7 +30,7 @@ env:
   SSH_AUTH_SOCK: /tmp/ssh_agent.sock
   TF_PROVIDERS_FILE: ${tf_providers_file}
   TF_VAR_FILES: ${tf_var_files == [] ? "''" : join("\n    ", tf_var_files)}
-  TF_VERSION: 1.1.7
+  TF_VERSION: 1.3.2
 
 jobs:
   fast-pr:
diff --git a/fast/assets/templates/workflow-sourcerepo.yaml b/fast/assets/templates/workflow-sourcerepo.yaml
index 7f6f08ff..446c9c96 100644
--- a/fast/assets/templates/workflow-sourcerepo.yaml
+++ b/fast/assets/templates/workflow-sourcerepo.yaml
@@ -95,4 +95,4 @@ substitutions:
   _FAST_OUTPUTS_BUCKET: ${outputs_bucket}
   _TF_PROVIDERS_FILE: ${tf_providers_file}
   _TF_VAR_FILES: ${tf_var_files == [] ? "''" : join("\n    ", tf_var_files)}
-  _TF_VERSION: 1.1.7
+  _TF_VERSION: 1.3.2
diff --git a/fast/extras/00-cicd-github/README.md b/fast/extras/00-cicd-github/README.md
index 2db9952c..52c322a3 100644
--- a/fast/extras/00-cicd-github/README.md
+++ b/fast/extras/00-cicd-github/README.md
@@ -8,11 +8,16 @@ This stage is designed for quick repository creation in a GitHub organization, a
 
 Initial file population of repositories is controlled via the `populate_from` attribute, and needs a bit of care:
 
-- never run this stage gain with the same variables used for population once the repository starts being used,  as **Terraform will manage file state and revert any changes at each apply**, which is probably not what you want.
-- be mindful when enabling initial population of the modules repository, as the number of resulting files to manage is very close to the GitHub hourly limit for their API
+- never run this stage with the same variables used for population once the repository starts being used, as **Terraform will manage file state and revert any changes at each apply**, which is probably not what you want.
+- initial population of the modules repository is discouraged, as the number of resulting files Terraform needs to manage is very close to the GitHub hourly limit for their API, it's much easier to populate modules via regular git commands
 
 The scenario for which this stage has been designed is one-shot creation and/or population of stage repositories, running it multiple times with different variables and Terraform states if incremental creation is needed for subsequent FAST stages (e.g. GKE, data platform, etc.).
 
+Once initial population is done, you need to manually push to the repository
+
+- the `.tfvars` file with custom variable values for your stages
+- the workflow configuration file generated by FAST stages
+
 ## GitHub provider credentials
 
 A [GitHub token](https://github.com/settings/tokens) is needed to authenticate against their API. The token needs organization-level permissions, like shown in this screenshot:
@@ -77,7 +82,8 @@ When initial population is configured for a repository, this stage also adds a s
 | name | description | resources |
 |---|---|---|
 | [cicd-versions.tf](./cicd-versions.tf) | Provider version. |  |
-| [main.tf](./main.tf) | Module-level locals and resources. | <code>github_actions_secret</code> · <code>github_repository</code> · <code>github_repository_file</code> · <code>tls_private_key</code> |
+| [main.tf](./main.tf) | Module-level locals and resources. | <code>github_actions_secret</code> · <code>github_repository</code> · <code>github_repository_deploy_key</code> · <code>github_repository_file</code> · <code>tls_private_key</code> |
+| [outputs.tf](./outputs.tf) | Module outputs. |  |
 | [providers.tf](./providers.tf) | Provider configuration. |  |
 | [variables.tf](./variables.tf) | Module variables. |  |
 
@@ -85,8 +91,15 @@ When initial population is configured for a repository, this stage also adds a s
 
 | name | description | type | required | default |
 |---|---|:---:|:---:|:---:|
-| [organization](variables.tf#L28) | GitHub organization. | <code>string</code> | ✓ |  |
+| [organization](variables.tf#L34) | GitHub organization. | <code>string</code> | ✓ |  |
 | [commmit_config](variables.tf#L17) | Configure commit metadata. | <code title="object&#40;&#123;&#10;  author  &#61; optional&#40;string, &#34;FAST loader&#34;&#41;&#10;  email   &#61; optional&#40;string, &#34;fast-loader&#64;fast.gcp.tf&#34;&#41;&#10;  message &#61; optional&#40;string, &#34;FAST initial loading&#34;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |
-| [repositories](variables.tf#L33) | Repositories to create. | <code title="map&#40;object&#40;&#123;&#10;  create_options &#61; optional&#40;object&#40;&#123;&#10;    allow &#61; optional&#40;object&#40;&#123;&#10;      auto_merge   &#61; optional&#40;bool&#41;&#10;      merge_commit &#61; optional&#40;bool&#41;&#10;      rebase_merge &#61; optional&#40;bool&#41;&#10;      squash_merge &#61; optional&#40;bool&#41;&#10;    &#125;&#41;&#41;&#10;    auto_init   &#61; optional&#40;bool&#41;&#10;    description &#61; optional&#40;string&#41;&#10;    features &#61; optional&#40;object&#40;&#123;&#10;      issues   &#61; optional&#40;bool&#41;&#10;      projects &#61; optional&#40;bool&#41;&#10;      wiki     &#61; optional&#40;bool&#41;&#10;    &#125;&#41;&#41;&#10;    templates &#61; optional&#40;object&#40;&#123;&#10;      gitignore &#61; optional&#40;string, &#34;Terraform&#34;&#41;&#10;      license   &#61; optional&#40;string&#41;&#10;      repository &#61; optional&#40;object&#40;&#123;&#10;        name  &#61; string&#10;        owner &#61; string&#10;      &#125;&#41;&#41;&#10;    &#125;&#41;, &#123;&#125;&#41;&#10;    visibility &#61; optional&#40;string, &#34;private&#34;&#41;&#10;  &#125;&#41;&#41;&#10;  has_modules   &#61; optional&#40;bool, false&#41;&#10;  populate_from &#61; optional&#40;string&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
+| [modules_ref](variables.tf#L28) | Optional git ref used in module sources. | <code>string</code> |  | <code>null</code> |
+| [repositories](variables.tf#L39) | Repositories to create. | <code title="map&#40;object&#40;&#123;&#10;  create_options &#61; optional&#40;object&#40;&#123;&#10;    allow &#61; optional&#40;object&#40;&#123;&#10;      auto_merge   &#61; optional&#40;bool&#41;&#10;      merge_commit &#61; optional&#40;bool&#41;&#10;      rebase_merge &#61; optional&#40;bool&#41;&#10;      squash_merge &#61; optional&#40;bool&#41;&#10;    &#125;&#41;&#41;&#10;    auto_init   &#61; optional&#40;bool&#41;&#10;    description &#61; optional&#40;string&#41;&#10;    features &#61; optional&#40;object&#40;&#123;&#10;      issues   &#61; optional&#40;bool&#41;&#10;      projects &#61; optional&#40;bool&#41;&#10;      wiki     &#61; optional&#40;bool&#41;&#10;    &#125;&#41;&#41;&#10;    templates &#61; optional&#40;object&#40;&#123;&#10;      gitignore &#61; optional&#40;string, &#34;Terraform&#34;&#41;&#10;      license   &#61; optional&#40;string&#41;&#10;      repository &#61; optional&#40;object&#40;&#123;&#10;        name  &#61; string&#10;        owner &#61; string&#10;      &#125;&#41;&#41;&#10;    &#125;&#41;, &#123;&#125;&#41;&#10;    visibility &#61; optional&#40;string, &#34;private&#34;&#41;&#10;  &#125;&#41;&#41;&#10;  has_modules   &#61; optional&#40;bool, false&#41;&#10;  populate_from &#61; optional&#40;string&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
+
+## Outputs
+
+| name | description | sensitive |
+|---|---|:---:|
+| [clone](outputs.tf#L17) | Clone repository commands. |  |
 
 <!-- END TFDOC -->
diff --git a/fast/extras/00-cicd-github/main.tf b/fast/extras/00-cicd-github/main.tf
index 140230d0..4ba49f73 100644
--- a/fast/extras/00-cicd-github/main.tf
+++ b/fast/extras/00-cicd-github/main.tf
@@ -30,6 +30,7 @@ locals {
       }
     ] if v.populate_from != null
   ])
+  modules_ref = var.modules_ref == null ? "" : "?ref=${var.modules_ref}"
   modules_repository = (
     length(local._modules_repository) > 0
     ? local._modules_repository.0
@@ -39,13 +40,24 @@ locals {
     for k, v in var.repositories :
     k => v.create_options == null ? k : github_repository.default[k].name
   }
-  repository_files = {
-    for k in local._repository_files :
-    "${k.repository}/${k.name}" => k
-    if !endswith(k.name, ".tf") || (
-      !startswith(k.name, "0") && k.name != "globals.tf"
-    )
-  }
+  repository_files = merge(
+    {
+      for k in local._repository_files :
+      "${k.repository}/${k.name}" => k
+      if !endswith(k.name, ".tf") || (
+        !startswith(k.name, "0") && k.name != "globals.tf"
+      )
+    },
+    {
+      for k, v in var.repositories :
+      "${k}/templates/providers.tf.tpl" => {
+        repository = k
+        file       = "../../assets/templates/providers.tf.tpl"
+        name       = "templates/providers.tf.tpl"
+      }
+      if v.populate_from != null
+    }
+  )
 }
 
 resource "github_repository" "default" {
@@ -88,15 +100,20 @@ resource "tls_private_key" "default" {
   algorithm = "ED25519"
 }
 
+resource "github_repository_deploy_key" "exdefaultample_repository_deploy_key" {
+  count      = local.modules_repository == null ? 0 : 1
+  title      = "Modules repository access"
+  repository = local.modules_repository
+  key        = tls_private_key.default.0.public_key_openssh
+  read_only  = true
+}
+
 resource "github_actions_secret" "default" {
   for_each = local.modules_repository == null ? {} : {
     for k, v in local.repositories :
-    k => v if(
-      k != local.modules_repository &&
-      var.repositories[k].populate_from != null
-    )
+    k => v if k != local.modules_repository
   }
-  repository      = local.repositories[local.modules_repository]
+  repository      = each.key
   secret_name     = "CICD_MODULES_KEY"
   plaintext_value = tls_private_key.default.0.private_key_openssh
 }
@@ -112,8 +129,8 @@ resource "github_repository_file" "default" {
     endswith(each.value.name, ".tf") && local.modules_repository != null
     ? replace(
       file(each.value.file),
-      "/source\\s*=\\s*\"../../../",
-      "source = \"git@github.com:${var.organization}/${local.modules_repository}.git/"
+      "/source\\s*=\\s*\"../../../modules/([^/\"]+)\"/",
+      "source = \"git@github.com:${var.organization}/${local.modules_repository}.git//$1${local.modules_ref}\"" # "
     )
     : file(each.value.file)
   )
diff --git a/fast/extras/00-cicd-github/outputs.tf b/fast/extras/00-cicd-github/outputs.tf
new file mode 100644
index 00000000..cb580e1f
--- /dev/null
+++ b/fast/extras/00-cicd-github/outputs.tf
@@ -0,0 +1,23 @@
+/**
+ * Copyright 2022 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+output "clone" {
+  description = "Clone repository commands."
+  value = {
+    for k, v in var.repositories :
+    k => "git clone git@github.com:${var.organization}/${k}.git"
+  }
+}
diff --git a/fast/extras/00-cicd-github/variables.tf b/fast/extras/00-cicd-github/variables.tf
index 29b79225..0d9cb7fd 100644
--- a/fast/extras/00-cicd-github/variables.tf
+++ b/fast/extras/00-cicd-github/variables.tf
@@ -25,6 +25,12 @@ variable "commmit_config" {
   nullable = false
 }
 
+variable "modules_ref" {
+  description = "Optional git ref used in module sources."
+  type        = string
+  default     = null
+}
+
 variable "organization" {
   description = "GitHub organization."
   type        = string
diff --git a/fast/stages/00-bootstrap/outputs-files.tf b/fast/stages/00-bootstrap/outputs-files.tf
index 3016c8e2..ded88cd5 100644
--- a/fast/stages/00-bootstrap/outputs-files.tf
+++ b/fast/stages/00-bootstrap/outputs-files.tf
@@ -19,27 +19,27 @@
 resource "local_file" "providers" {
   for_each        = var.outputs_location == null ? {} : local.providers
   file_permission = "0644"
-  filename        = "${pathexpand(var.outputs_location)}/providers/${each.key}-providers.tf"
-  content         = each.value
+  filename        = "${try(pathexpand(var.outputs_location), "")}/providers/${each.key}-providers.tf"
+  content         = try(each.value, null)
 }
 
 resource "local_file" "tfvars" {
   for_each        = var.outputs_location == null ? {} : { 1 = 1 }
   file_permission = "0644"
-  filename        = "${pathexpand(var.outputs_location)}/tfvars/00-bootstrap.auto.tfvars.json"
+  filename        = "${try(pathexpand(var.outputs_location), "")}/tfvars/00-bootstrap.auto.tfvars.json"
   content         = jsonencode(local.tfvars)
 }
 
 resource "local_file" "tfvars_globals" {
   for_each        = var.outputs_location == null ? {} : { 1 = 1 }
   file_permission = "0644"
-  filename        = "${pathexpand(var.outputs_location)}/tfvars/globals.auto.tfvars.json"
+  filename        = "${try(pathexpand(var.outputs_location), "")}/tfvars/globals.auto.tfvars.json"
   content         = jsonencode(local.tfvars_globals)
 }
 
 resource "local_file" "workflows" {
-  for_each        = local.cicd_workflows
+  for_each        = var.outputs_location == null ? {} : local.cicd_workflows
   file_permission = "0644"
-  filename        = "${pathexpand(var.outputs_location)}/workflows/${each.key}-workflow.yaml"
-  content         = each.value
+  filename        = "${try(pathexpand(var.outputs_location), "")}/workflows/${each.key}-workflow.yaml"
+  content         = try(each.value, null)
 }

From 1419a041471eebbcbe572ed4949374b55231e880 Mon Sep 17 00:00:00 2001
From: Aleksandr Averbukh <averbukh@google.com>
Date: Tue, 8 Nov 2022 18:17:05 +0100
Subject: [PATCH 4/8] Update module readme

---
 modules/organization/README.md | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/modules/organization/README.md b/modules/organization/README.md
index 1c7a59b1..95c4e2e8 100644
--- a/modules/organization/README.md
+++ b/modules/organization/README.md
@@ -414,7 +414,8 @@ module "org" {
 | [iam.tf](./iam.tf) | IAM bindings, roles and audit logging resources. | <code>google_organization_iam_audit_config</code> · <code>google_organization_iam_binding</code> · <code>google_organization_iam_custom_role</code> · <code>google_organization_iam_member</code> · <code>google_organization_iam_policy</code> |
 | [logging.tf](./logging.tf) | Log sinks and supporting resources. | <code>google_bigquery_dataset_iam_member</code> · <code>google_logging_organization_exclusion</code> · <code>google_logging_organization_sink</code> · <code>google_project_iam_member</code> · <code>google_pubsub_topic_iam_member</code> · <code>google_storage_bucket_iam_member</code> |
 | [main.tf](./main.tf) | Module-level locals and resources. | <code>google_essential_contacts_contact</code> |
-| [organization-policies.tf](./organization-policies.tf) | Organization-level organization policies. | <code>google_org_policy_custom_constraint</code> · <code>google_org_policy_policy</code> |
+| [org-policy-custom-constraints.tf](./org-policy-custom-constraints.tf) | None | <code>google_org_policy_custom_constraint</code> |
+| [organization-policies.tf](./organization-policies.tf) | Organization-level organization policies. | <code>google_org_policy_policy</code> |
 | [outputs.tf](./outputs.tf) | Module outputs. |  |
 | [tags.tf](./tags.tf) | None | <code>google_tags_tag_binding</code> · <code>google_tags_tag_key</code> · <code>google_tags_tag_key_iam_binding</code> · <code>google_tags_tag_value</code> · <code>google_tags_tag_value_iam_binding</code> |
 | [variables.tf](./variables.tf) | Module variables. |  |

From 8282b6c0e2e8a4ab19e98e5153b2751742366030 Mon Sep 17 00:00:00 2001
From: Valerio Ponza <81154450+valeriobponza@users.noreply.github.com>
Date: Wed, 9 Nov 2022 00:25:34 +0100
Subject: [PATCH 5/8] Fix README typo in firewall module (#960)

* fixing readme in firewall module

* fix typo

Co-authored-by: Valerio Ponza <vponza@google.com>
Co-authored-by: Ludovico Magnocavallo <ludo@qix.it>
---
 modules/net-vpc-firewall/README.md | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/modules/net-vpc-firewall/README.md b/modules/net-vpc-firewall/README.md
index 7cc0d452..6b36edd9 100644
--- a/modules/net-vpc-firewall/README.md
+++ b/modules/net-vpc-firewall/README.md
@@ -138,10 +138,10 @@ module "firewall" {
   project_id       = "my-project"
   network          = "my-network"
   factories_config = {
-
+    rules_folder  = "config/firewall"
+    cidr_tpl_file = "config/cidr_template.yaml"
   }
-  data_folder        = "config/firewall"
-  cidr_template_file = "config/cidr_template.yaml"
+
 }
 # tftest skip
 ```

From ae4e0f9d44eb5b4c272cddba6539ad1d45e91c7f Mon Sep 17 00:00:00 2001
From: Ludo <ludomagno@google.com>
Date: Wed, 9 Nov 2022 07:58:39 +0100
Subject: [PATCH 6/8] update changelog

---
 CHANGELOG.md | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index c5989fde..6166ad9f 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -62,6 +62,7 @@ All notable changes to this project will be documented in this file.
 
 ### FAST
 
+- [[#956](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/956)] FAST: bootstrap and extra stage CI/CD improvements and fixes ([ludoo](https://github.com/ludoo)) <!-- 2022-11-08 08:38:16+00:00 -->
 - [[#949](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/949)] **incompatible change:** Refactor VPC firewall module for Terraform 1.3 ([ludoo](https://github.com/ludoo)) <!-- 2022-11-04 12:56:08+00:00 -->
 - [[#943](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/943)] Update bootstrap README.md with unique project id requirements ([KPRepos](https://github.com/KPRepos)) <!-- 2022-11-03 22:22:22+00:00 -->
 - [[#948](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/948)] Use display_name instead of description for FAST service accounts ([juliocc](https://github.com/juliocc)) <!-- 2022-11-03 16:22:18+00:00 -->
@@ -90,6 +91,7 @@ All notable changes to this project will be documented in this file.
 
 ### MODULES
 
+- [[#960](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/960)] Fix README typo in firewall module ([valeriobponza](https://github.com/valeriobponza)) <!-- 2022-11-08 23:25:34+00:00 -->
 - [[#953](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/953)] Added IAM Additive and converted some outputs to static ([muresan](https://github.com/muresan)) <!-- 2022-11-07 13:20:17+00:00 -->
 - [[#951](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/951)] cloud-functions v2 - fix reference to bucket_name ([wiktorn](https://github.com/wiktorn)) <!-- 2022-11-06 07:32:39+00:00 -->
 - [[#949](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/949)] **incompatible change:** Refactor VPC firewall module for Terraform 1.3 ([ludoo](https://github.com/ludoo)) <!-- 2022-11-04 12:56:08+00:00 -->

From 1b2fcb803c1add47dfed952ddc3a7ab16e1fff62 Mon Sep 17 00:00:00 2001
From: Ludovico Magnocavallo <ludomagno@google.com>
Date: Wed, 9 Nov 2022 08:53:11 +0100
Subject: [PATCH 7/8] remove extra file (#961)

---
 stages.png | Bin 39873 -> 0 bytes
 1 file changed, 0 insertions(+), 0 deletions(-)
 delete mode 100644 stages.png

diff --git a/stages.png b/stages.png
deleted file mode 100644
index 83f3c7e8e3d65f48a29ad563e65dfff246ea405c..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 39873
zcmce8byQSg`|S|Y-QC@(bho4;B_Le_(%s#SfHa7RfPhGsNDI>4-QCT7$M5^Cb?;jD
zzq{7Ok#T0uIrGL7``P<BMyjjIqoa_ZKp+rwMFp8x5D4r#1OoFC2?4y5gOJeyUW8gp
zORFnNOH(;GeXy{$HHSc$5`7az6*|=MLe*Xu$+85wC9Edo3q?HBz?LtU!e$B4%YTEI
zoc1W09QL`ZOT&R(;JRAJ)xmLcqWujPyuSolb{3w&=gzw%sc0fjk;NX*E3(BVOe_-f
zFS-V60bjKLYSM66{3tb9#uq!MjX;t!w;*;-N(r&_U3mRs!XU=d^Xfsj#b(eXK#eZP
zJWQ8<kt%1gj3nzSvZIWtv~#P|l))h3I&m+m|3elk2C4|J?U&bQoyI0r!|h6l)deNk
zYS{8`REmA5*M9u*jIP%DUNtFtgDNfPYo4+9Gc4g3%||N9kRTEzrot$q10iODS1uG+
z$MR%tG901$^juDCd9dg|))1e9m#S+{lX2}|F=4p0O<(qKVNE~#<U02#R(r6CyzGzg
z{k*nq6k;K!SW#EAjXhk4uCHImZ;n|%4}*}4Hj_f$r}naUEAWc<_6r-A1L}EMgY*0B
zwR0GSv9hEWzuKv}Ughn(#=9d5Z(V*+d+#T%uj7=HA>-8z_65P@rMwK}3Hm3mr8pV9
zgY2N7>kNT#&_e&hcod1dfj1Fd6jfvqH(_v)NQJ&76r(~QR1ifONllO0{RQ`Q&5Z@I
zV{fnAnMH3)V`J+eb_vZGhN!AM82niANR)0m8xuoQ&!s)|NbXNEf1|CZha>1mbW9@J
zgXD_J&wto1WiQNRFYbBz`IjmG(4GDLBlgbOK);gLc`)lC$2t8@<V<8J5t$l30{Ua6
z*{cgn1N}j8`rn^Ss2HIy|NHdc4-1f0`f$*4FE8DiZ#FX%`ZsibT46gmJL}>VJXOA*
z;*g=i9>@|*?#dg}V<YJ3=WIhOorr31-dfFa9yHd7h+97Le-f_!uoU;>2amqjPLVnb
zqgF_E0{go7<4Jtt$B$tWR9q%UH<xoC3L6_qShdQ2mDeps{rRKhbKH(75^Oc_N!0uK
z_tx88Y;?+}i+4|<x3^yNzE=zLFnnK{uUDfLUcT&zBNvuie<&DXYQ5j!G~F33s=qsI
zay)F<T5U(9T#w7+{xJ4M1$yB7ik9alN1k^Fb*3x7L;oGsg|EH*8<n$DrYUx?9%H@T
z2<xc%48zc4<(Z3%3j`u0Bs4ra3Y*p+YByJ#UtNt0!9s#RPHVe=#@TvJLqbZ5Sk|+3
zwvwuC*nWGlw{mq?<+`UOKo+-t78@I@)8xj!=zC>AhZ89|2R?J`K!1@}R)&U%Nzu93
z;+>eB9BkhIk(wg@Y`;ijVq_%Hb#HP7Okau#4;Es()Jopc(z3m~`+KtdZ8Bj+d3pK2
z3wo@fd$cUV><M}tQ$feMKV1d4u&^-Q=*mi`2n#`?K7PDAGCi2BnXa}RGOjbdIo<Hs
z&JSnMFGYyuJn<kqYPq7w@qhH(UuYtP4A0F)Kipk)Y&aQDeK)YOu~7=!yx5!icY3Su
zU7p0lX6A?0*cXcme)c-$lj~<%rTCo9$FPfDd+Z?{E0S{~i;Hm{B5{nlJ~$Ndi0^Jk
z(~gfjFd2uK3#yjK)Wo~ahQ#ClX1;)fh)`g<9WA1RmGr&4G`>1qfIt+Jj#t7dO~6pE
zuh-%cL(CPEDvdi3nos|*R?Zzv*Ssgx)6+{DYFe;wzCZ2vxR}shIq^WS3#L=#B0{@f
zylM@Xp$Yupe>XP`PQw;|-_6dgdU0_Pxw~tV|EeTp#0rljR<8MMP}pSSPb#d$>5zf@
z0{!K|93!ybP^BUqW@cuoeDw&%91kfZY8g}0!rq}FwN}5=^*-1DkINa$P%J5t^I>Tz
zjx^NhE*eNg^`Ov8_~3S!xzjE2CtU~@XWPBgX;pEqpB@B@(&spkiiG_`>&=(p9hcv>
z&rw6As99K9L;E*ybai#%29t-x?vzDt){~`5G^0{d@ba}vW##0;rt3cBVo62tzn?@Z
zdc_Pu%1~xtQ29g$iBM;vgAEKw7x!;fXTtk!#)Aw#(JI&Dw|ZM^H^%@qD{jwIvnr!@
z*h4ZB#}O;dEbqex=uoR?*vxn`JWl%<yEy%C`eC*@3S^_fUSZYL)Ig_ue(nMz;d9lr
zgfE4(;?y8xV6c!k6bn2?4T-ulnzNPZr(QW%hBCNRG;qU_g$3VnyQcHem!UJZ1W9y`
z@+0XE3$9bh5E^=VSqPT<l5d^IUU?lt7Av?u4M}X&GgJa3NZ-)Mmz*t{3Q2S(Rp~nQ
z4#uY!o}Ql2Q}mtx@`L4mZa>d7IyxEx9F8Sb$;`qc>R_&p^5niouYC1e>31Bj7DM1h
z$Zw7uNqd+4?(ASB?l)hwVYeHpi#(i<{XV*iZfzB-GU-Brk=UPacs+gKh8^A2xjRuB
z+OvjTrK7Cxu@Xwd$S4oygs-hn?IM(YJ-778(Ad<}1)MblZC%)HAIqshU*z}~oKzBB
zmFJlSu$j&Zzl&0^zrD2aU=GJlOg<1SHPH*aAsZ6@7mFT+>ZKC}#l`Z#Hx0_(wHbox
z>Aig`Yi(Tu-6!BZI4cf1AZ|o#<#?;o;UEL&;6OtN)@g7mI`(S$ZNwEZQ*9X?jEET(
z7KWgquAYFlezoM^Hf+UbvNu@{hH+9z`JljrhcYrU;y7(*LRCC6Iz63k`&E$+XEnnz
z2iw=z_xFKYbU3A-4g~8%^NAdfh&Wh|g3{8LU@Z1c2hXXK`$Fap2*mGKFhi9YaNkds
zVS^~LIw*XkjNlaBK@Eme|9HD6%SM39&dyH5%KEZQr)o7~?qc3~2pO^pLdTYB0XKD`
z0@NH^A1^ARWoW1ky>{qFW@lM|L3-S5q&<V20DonC%JqM^nCkj&&=dk3<#xLeHemXP
zd9+ToMJ$Ah!ebd`WNwa?!vEe8MgqF&G!*gCqoc35KP-x1Bf&!r^7R*GY(fyiG@L0R
zC)<Vbs`a1Z=QvomvYat?cXu87+3So3vjnZ|?ZcEAq~+ugUcG(|1EHs<S5Q-v=OXGv
zr1S{@7c?_7Guj%=-rm`f1Q}@aZ>Hnp%@#Di_xAO*WBMHjuX{HG>rS9U28$snD=Yh>
z?cgK(TLjx^xk5$11E+|w9kOGx5v%&c#=X2(CF**5QNl;fxb}6VJQ-+RU0v!Wn!|e+
zOsuTIa)pwXmW+N6d+($xrq)1$3&euW&dvsL785oQV&C@QmXelM*xE|*@*|sKYY#{W
z)FHp#Xd8q^MWH~gR)G%3%F1dPBagcXWPx`#f3%O!a-YcFym<o+-XU0(I&8fI1Mrab
ztu0zcMnn*+-`3i;m+4j;@sXTNzWpGH6!`r+hwbc7WN=FTNjGU?Mn>e_QJeS;#nb(k
zI9Sz6zXvZ(ZS6G>^n#a;D9;-ldx0B<kbY>!MkVARtE4Cxp-bzp^0{%kzZvqEGd8Av
zyq#*JA&8c&n4;z6#DpZIriKOu!9pH_FE|_4akgEAL{2(!ApwJfs?hJXsUf*qaHr(q
z<*jnsP%;Cn(Ii>>^QRHW9bZdJJN9R)p_bd}Y<_#b<FT1x>Cpa+a5=~OFvB62d##qY
zxX<i&52b&Mn%E6IG|l?mj^!5A)e)9zS5OQeAwm33qTd-UG`a%cC4}w+<-@joU#lNM
z^fNm<J1i*)hUEN)2Em4At<q<ZdH<&eCT3<B2(YB}HcUajx1HUwq}-N+WRPFbHCYxc
z7^wu&aeuCkbEeJvWVH)q2{-~a9Y~&k-UjuHB_CeMGUd}XqK_CQ0jFV>h&%*s`|Rpy
zD^j&sT2&Rp?<{i(vVBy@n%u`_+KqMyA#tW&Q}e&Yt+ii>0x5Fsq=&NSaG~ksu<3~5
zowL>a5CA_hAeX?3-^~miZ*ck($BSMP<@jFeB2gzKB?SSOhlhnBLJRBgv!8eBXBW8J
zuTIV-1<4_}b_)t1MvGo@`#<_LU(UV<A%9+x&qCz!daZsXjP!WX`)DPSG3QqpIw^t=
z2APm{t?f*Z_fZSs(&J^FBk;nt3GH`XYJR85>s|JIB(mDtgi%pZ%MJob51p9VtZDE3
zJWtOU$S^w0c+jWg90X$0484$DU0tD}0J>!3<KxTO?u+f`J7bK4Pikwf9q+sk`0?=Y
zmUEx(88-*BQG?qdnST)=eWew`hxKp(0!Z<=0P6toZ-2IiwIPSpz8(gI)L*|tQ5}28
z-Iw1k-D;gS0OP|$2!?5UdN=~9<{vNt@T~7j&<r>>bOBC&!C@Lre0$>o(B26E4r`_F
z9$3D8`{toF_EoplM{rQ&Ou5&LXCOzE6oQb&2sLv@0ANgj!$-&!0@vgsiJflq7YCaN
z$@}sJ!Fg-2>)V^sN?_q^hRsA3t+zI(qTd@fNq*MVt$}oinx)D};l0ld&3~bW6<fd;
z0R&?QhSUy4D%N9Ps99Ox4{vopTrI`Fd%B$h-_qAj34zmFgT{>Fu}IIe%@q($JL%K(
zlY9<A)RdK!gn{CzY1`*e%r*r;M!*m`WV+Ul^dp-tY^qXd^^h1T)D|ebw)5BPN@WWB
zY-$P$3SdjM%B5swpG8GS8`sSxD$pfu{Q*OKd4Kfu_~BHan+Odg1~|R?G!6q4a1}5<
zO7}%iMiAlB$kz4s^<w}YL9J-HBmpRCcz!-+qdyI^UIGD9F%|vRzTsIkA!j#jyhzZT
zeG~i53}1fCRO@q!czJ!d8FMI10C3`qS}w=s{tRsh7Bs1Vi6O_z(E`{^VO*ovHD2=i
z8AL-<la7F0j}Am$Sw0f{NExXzy&5G=P0fg%vEu05$Ma%<lz_8>1OUy4DIY(gK%@#s
zB2rnkqpbLZth{ZXXVxG8MokW0gkA<LzHq_F*W2}EH5qgBA_x_L8qlySLx+Pcg>(X}
zJhGsG#+WCgQ=Zb7&d~qC)woJ01f(&-cRp2LOG>a`rf~q&GBP$s3*A!<9UZ3D+lh*(
zO#4PfU?teGa>)<f=m^qI!-K%`TsrN9&IWk9z)t<nmZs$Z*aWPL>{m?|7zyYUK<a%5
zaGwYTAy_H`02P77=)ea{Lh}bIgodC04V&%{na^LoM74Ndp-_i-?3NS*w3Pj|yc{2F
zXF5o7KF5;OAy{*D9|!^Ngbe_0`wzU>*LnY{y}zjN$1f=<34Y{z{@e+`repD^Gx5Hs
zDQ9Qr<OT&K>ci$U)%>Zwt{7t85IV)xZqg5UkPy{kTwss5;Jj5(2`F7Y<nUU?ef|0s
z3knpN*w~c)YM}rFitPGYS5OJqunrCm!Vkm^_4TuS;sFG-{EZ&)5t+M{(FrY73S=DM
zAU!_ia|d!tN`C@+E{~St0XV@Bzi!7g;>kD$JFyBfOV<~b%p~?G2#6Tq-8`+*_*;rV
z35ZhznNW6I+BBa<y*@{}@)uK8!E^;WEHnf}A9JRVUvnSYVmCJ}=Kbytu%wJY#<jAw
zm3jaE{i$n}4jQNih>3~W1Y)fL4qtH~vZ%gEuek7P0pm&Nf4T^D0x`-Dc;QOs(mewR
zR#4=h1?(GI<9y^W5L)JyFB~~O3+OKQ5W&bDN+Zj3FS{?)Dg`JF!RHbrMFeQE!R38v
z%lG01w067#<`V$O2tRQM8E?N}_Mq9zdl}wCxSKvNVAGYhGd%0->v`Zn(iirf_cv!J
zS8Y$^JQ*>TwAcat98G8yZI430BjT+1q86ImO)qvQ>Nh^V)gco)u$`~RCe(L;IrkFX
z-P=2vvCPe{ti*a-XCK;bWE2?DIy^oe!aFDc2WIKKInch9>yHsC6&My4wjQ8vLZx=Q
z9E@4%cA$6dBL<CQpvG0ecurODNYDjEY1aVw0N7FKablwHbJE3zmR;+%KOMOAaOe&o
zO?wLS>q?MnKNlBQbICmA*VN#HWGUzD%&VlN1pNSykg%EyZCwWXV;Y`CPxZf*@c(Be
z|3B6K|Fz8j|N7zo^SBC<znCFML~Lu~N>P!-O5)%|b7S<GJAIvC0a1V;I3h4BBBDE4
zohc^xFS$dbegZRILSUf1zM;CLgaY#C;-dV5pICb3VY1XDay--_M#O*<slV~@<J+G_
z4CO#oG7vIzs)dPt|B9?Ck37<W(qddCXvE4$B_a&@E&&&N<k<3s;_tWx#5^7XN%LL{
zqFk&<N#s;+L?vk$w|y~4?G`pS^f02yEeBX7bUZ!OXzq3<*OG*FmT7X1{}~=jd=Dnm
zU$)K=l?{e^QL)Lu|BU*ZjtESKa=VoB_%W3>4S`xEmdt;5_rFh_5~|R>{_oR&J~UN}
zuYudkdAP{y5w&NexZ4qp=qg~t!G;sW#va+(o7^M#z2%zw<Kk+j%wtb&2;EDB45gsP
zQ`}?($sP7TM_q4Sc~XT)Xv?Ew>@Q$2b31s6)%6D&<bDY1w^kF|Jgavw8glc{#|V)I
zY}_LZ`((a4WJJM3B0}uEnoiMbz78(-&P^ie^ZNTB7|PEwunPuum2R~dvx7QpD7ihM
zWm!J=S3|i$i$+p>IC6Akfa3Udc#yf`CWydZ?cHPH;$9<}M0f2=ap+Kh9B{?MKvRHQ
z+g3%)l8R%Ij4f9PqZey2UbnLwz019|e>Oa}0FzdT$&mc)sm@I_MG4=~u!&^oe$!Y}
z<x^Pjox917%2L<FRK>3!{X<e*%N<eXge&j0^)aaxBV>NpKiri<Aaw@b)PG7D*W^q6
z;2`yTA6YBUzZ?}*){`y0bL3A^qNhrxrifn6XPnHh{0z(bp`OU|S&`NBIrXk(Zt(k$
z3y&43kP1@Pj|L%Utxkg9^>5jI4(54$Di<QtroMM?sx3-?P$T52KCAS;vnacrI1^X{
zqjqxOY^}TBQ&8!bky6V0T!u1N=NB}!I5z~B_;2%7wI3yr3@b2ELSb>}dLij5a!9?9
zZ8^K9A5JI^PttASbc*$tqchW|eRsXAZ0%!ek7z@WH?KciT68SV#qM!r20Ihz$A~|e
zat`LE23tPfBfokz=4f=}Hh<M(4xP5q-XQ>NJ(iR$sLY8HT-!bE55nAg12;O33!(L1
zGbn70yK<0U?+pD&o*sfTkMCS5ArN3Ai__C+4f=7}=(!hD16%FnOU>|Sob`D9t*$R%
z{f+|cJ_uEkzJK~b{4s^^eq*EfWd4Y<i`X(Z{Ec`c{)_T!PM?FQJs3#*<56~D;}L)a
z=hL<cFbRF;>AK?27z(i=!xMJFT7_Yf72#T?E0I$FOuK`fBsRaa2@&uEu&^gGWMEB{
zieN);JS#5*u_?MZMhJZ_SReuV9P+vwX4BqHBO`8D;F$RPqpPHf<UX_M){ER;PB!vN
zpNY@b5wf(~w(mjd(HvaCc8gH!dr3|5+#f!z8q;}DkTO4y@~_IBLmz&BQok=4>dE!c
zBdV%5CuDiF)ILD}v0^bl-w3kQ;)%VEBG~FVhl$yAV43Ah!NzP235fc{>~WIOgN^d6
z(tYds{cVPOQbm)=PTlc}_##;iiRI^FYVjAS_VI)iA0S>W6cDPAfbuDfUNfZd-w}*B
z0^WzpOzZpfFaOP%k)0sEu%;YWv{uZ_+&qs;oUr^L8&IxHoXj$Qh8Si%#J0YJ8VjoB
zs=4=d`W)d{uu@3MpLlSmmhLM)ZtQ(%#TC5i3ODGv4^3Msyjtu=eDZ+1dRVVhQ2hJL
zd+%NF(pGm6YMY<_T>cm-;{E*MYy@g+Ez#bRe)!d7Ti7#HPSWO>L9XQ>7>HSdBocRC
zycZ1x<pLyMlUkG=f5*B6j-pO@A);puNuH*+zfVfi(4HqozL48?u@;Var=<6fvb<8%
zGoBnR8M1Lj8JV7*Lx+`W_FQSCz=rBQ4Fip+n4frf`0FeC4ZIo&xtVAQrXx@*F_?SN
zo|P2#iJ4bjQ!i4y?b^F{<6*8$vt-%r;eFm#5SUE4c!ewzmV}`s@}PkOx0v5k#dNJT
z?PiWM%)m#!l$19soE0M3`kS%Zxst|;f}=b?Fq+Ue-n_27pSxOV&3(iW_dcHM`*^<A
z@GJfK9$WM2eKO?sZGP@k2WPig_G@;AZC4>H{!g5(idFQvuS?&gbKCK_2(e>4uQQ&a
zxb$a)ot6SIw}(m*2c!092Z&JLYe@*InQyZC%tHFi$Ozly6?OUTn=dGQ&b~Qo@LQ7z
z>0z3*hrSD+8C?=xXHD~it23y>BJ?{TnLp_W=klDj6(Db^zbAch_4NItCSKYb$<hhN
zx673GGbHn_d#TrBsBO>8cw}geMehAMDQ~2;XP&Br?Yc9r|Ijb}ia%<3_H@=e)>HFv
z^?0o~@4J`kv6gB{74mDpnjq${QNE^$k{$l6aMOtSL3ft!23*e6&QB(mUTF<Uiq)sd
zKSyVX0B+<>eDxe1v6g2D!D55M#wJ(gBk8y_@XnvI)-ce;D0=0n-+!<;1+ON9SS04#
zSvPZZCh>ub{?0yJ3Wf<!>FdNpFsd&F;p|&X8sQ2o;tWB!k2P0r(#0=+8S!0llAcQ!
zO-ht#!a!(NupknJ6X^9u)<Tu268@;y`B&%&KEqb7>P)xN9yHkU0(i>b-zw2z9eW#d
z=|X?=6jPBPODBCcTTa744v~T(irHLWRx55H{5a0{vyQCORQv(P?{3wb)^N>ZI1bMa
zzGlK)-q(N$FHE)g;K^MeM)VG&z}|^}oMj?!%1zIEcyuywexEG`51;I+O75SZ;c5xs
zbZrT{(J~67(#zgR>$&m4-N;;=J>774c{e)TU1?Jj9j{nE`66=Y{e;)%XfYo^IQ3@?
zk$CS-XzS~yTu~aj$;G|`aP8l6atDEhbl%dO{4Ap0$cSw|jI|Xc61PK1Nka^jGw1MT
z5xAS<XgOMs-6y}OAu%sPy%vhCcP{j;et(}xQ~mCw(bqZZ5X%n?zE)(0#C^AS(X|sW
z-PB~li=w^%&J6&~p$il(6^!v;cU5kjWiv6eNEoV4B9{jT`k0W~P!U3EkLFR6M*>bq
zX|C^K(qqEb^lHlsQT56RW->%RTCJ|KvC7D#&?(}$9nQqh@0a0XtjRnnA{aTT(0h5^
zEni;83CF-m*hD=mw<Di!sl$$x3F@MQ>O!BUFUhUK<O=1i9orSl<?}Tqkiv>1l_KCZ
zrT3T0Uomr+*eu7eg2CUBX2v&W&6suW6Ti+^@2z@&1VfMuT@0&Lo1=X>E<7na*Dl2h
z)-JPvh#TGUNRnPtvGl)T)SPJ_KLz3Sw|)7`m#K1md%wNEE9Rw>*st;WO`PHzd^WLv
zAgU7&31MV$CX_k(8^ZkVgN(VwXKA`11sNZ<LwH<FZy4sFf%BiZnCDVd1o6_;X{Jhc
z{CcxZ%b4)-4fFYdIZ{Z|<f?~g|JE=PAdLORxrnGACRR0{jCG5psC!aADRqjJM?5>g
zTE2%_%f`Z4g%MtDeLk-8O{4_1&i*as<)JtdWZ0VjD;uXI9gg7PhG`WM2n>Zq<-x*X
z4Df?Lq-0z^2~W>QsS5-(&h8q&s}slSd<?cbzIjk*(fq}vJR;wb)QzpyY4n^J#6Z|!
zLw6^_K&j=izv$^aB`BM?&13J`D2{R)y3AzW$TEAF{exq%FU4{x=iHBavNFc<UNNi9
z+;y%whR|vp(^_VQJ<CATizQLoI3}kx&?4PeCH$gNLhMmShojDd*W;;AKRi7i^yf6m
zc;R_LVs~L0FiLvJ{s$XbPwNq8^fgGHCX2C|QGtJQW@f0m02;N->86}pG3o)i0f>8l
z94WL>l)r6CsF6HPhi8FvCl<y~i38^Ml?j67!~%NFzA~{=I24bZ{{-Z|M11*&-o2M}
zbbK{GrIY9g(*AAxel#PFmGyyyxhHb8q-hwMgsV9*2%NMOl(Qn2P7P>@3V6b9N0v;C
zP%|UB)0-1YOw9564YwN+7CpDt)e5K5m#ZQNrxbMxmMxrM)0{{78%MZak;#A0m;*{*
zqqmpFE6raf!(Vxc(YLFGf!!v@<F9W>loH?KWra&MblC>cIYPMq1H>mr7bEAh*sS<$
zz$CJz@+Gvi5XwYbf^&oubv;2^Rf<LhtD>X-&rGTq$>Q?rh5`$Iix32N#{@OoPG^6Y
zH1-*rJV3%+36p$crieH7H|53IZ<T^#az3q}KivzcI1z19qq_3AJMyMXwH|(zV3_j|
z^YD%i&n~+D-h0E83ixMXw*zUKc6HT%XZ@i`WZK7I1VKU<jl|h3ydnC%u_VRqK88%e
z2<}_PfKR(9+doNsTAhayEbXaDn44e1VUJiBw2Vc8Xtp?#(9IS<g;*|^OtzHwiX|~O
z6Ru4hNo6)N)-wU-YY9tu%^X65$$qUg0}k?HpBve0CcN;LuOf$Qnhr;}*eV`X9%Q+;
zHou5@izWNpv-sr51*TzZ^jv2LASnuT!;>S=-n(<&HN?A1QFWQf=~`ne%XK6WTJj=;
zA>{SX2A9R~g*lRpIsM?RvV6D3jJ}Sn_<KwEGOzImo?Ni;xZjkHNSs~nQ4k0pp4QYu
ze;rkm;Poju#g-ZnCsNIO|0qz7p6*Ml%J8j-Gts%|d8_OE%6MaCE9_FpQZXdH>_`ny
zlBpM7^fFwEL*CerLu{#v(ATZ!>%;du48C@&;lg^VG-Dswgnn}cwVJ%<&sgAXOiwo|
zU{D3f-|L283fm#UhCL?3>Dq=`XrU&{WUGM7f0V##>A=gY<{9HIx5pvLoLhGBl)HCF
zlc#ZLYU%wuxQvl&<f4bpGs?F8WA<M(e<xHf%G5h#Ol_s#tE?ux-(?EIdSjVr$E6rU
zAxw3#nygKfXQ#h>#S~_thX1Qzi1j`XF}j0yGjxZ~yAa!k;;q=i&d2e9A=Sj3Yld`a
zT*Cz#zb#fOQVuhz>p`vSc|p&kTlhb{05okcMJOoG*&!-WynEu21ubN6UEMD7s5ryf
z9r?c3&r|&T>5Ac@%#dt+JFZ8hIwGMAL{sl07&2S?;7(#Ss}QKgtEgA$kO7}=5Y%Nu
zh-DQjCootLy&j^@63Qkh-W}y(=YM87kQL@Y7xWihnD~#ijN_~{Sh;V-b(q9ECF&<~
z5`2SJH6&l(uz0kH=?r{<0n!juO}#iCQZ4|Y-~1K+eIV7kQ?2f3@5+dr44<Uy)j4&1
z`5K?9`RC&HLkD!P`GZTNp6|ZJ=Pj`azNbqd!&%u_%kz<}sph{9`^z9BgPSn5Cry(m
z5!E$dGF-2znSeTDtXJ~-H5-7%$2V|{F7loEfBFVxyo>R3?H<T<Gj^C*If9h<-Bw=<
zkae?GGzY1PKi~nPiPvJ_R}%e8Bc2QY>R}+FL&XI^=&5p4JFdyOxVf#8E?pxS`d++o
zal_cJ@CPa~Eu*D}rG<@+&F{f%VaFNsG<2^)o0`>|t=ygkpl8lf9NAJc(tHX4A)>e6
zd`}?u9T1D7XkAGA{tkxJ6uZmRN|$OBertwzwwRDEoRrAFo_bDRI-ySzMoLVsA}@~!
zRE7X3=M7XrF+kUb1L~hmrxKFLX|FssIvNDTUb-}EE302G+HO<;^$vP_fJ#6n;&GfZ
z<@ogY0HwenR77adk;|P5hIa(AzpbUSWYGO#h78*wkU4nb1=QUW&@&M~cry4pC&J1^
zQ31#6Ky@ISKej8+k&_}``i63i%Bi{<xH5miT)tL``m2=OdqJE?ld;-^;XN0HmnxDV
z=`()}d{~$hZXBMO2wp9KUEi`m_ij7S{Lo4~W$4YWRi=~ZW80TRU#V9PsOVtBrJ0#X
z&_h80C9?rlmgD0yQXnhvbbl6q<LB2#2|5(Me)|>#n3cJMunCZGJa3Gbj;!un*1BW+
za`$$3EA1B=*M|WAM#g7n1jHl2+5?FkksK4Sp3gJU@$vBiqu<xl)Y!Ou;iaLa_1x+X
zqwWB7QWQQXrw3%l2)t>XurW7jzSf!BJYQ?Wydhs*t*OOB3QYWaJ{!$9DRH~C)_gWu
zyzT`0_MH0mnEM!(JPC+F)Bpt3FHp#sa`Qc}$*U^C-zl-sOu-y-d%?%|%f4={cFvyk
zT;I@eF|P*<2}&)`0}-QsyC6F3+z={w-QM0-I&Z0dov^un@SAs?GVr)w2?yLX7$#Kz
z0kXHrWSOqj`}Z$7yn*bs3aCZj)2+ipdwrJ?S)@>@bZ%3G*0b!R<+AF*-$1H~RmpsA
z45)YLM=w55d~dnb`}d6pwR6M6!vXvIwm?k~0s08wnn8z(eqdG>neALHI?&(#+o3XG
z!TXW(U0nIwx`LlS@l;e)t~)3n0|cEnmv8qf!rP4`q^02iU#ZVQ2vzu2wcBp-4LvvT
z!3^$C;{7{;kn}IYbzYp$CT6GhNe$Oqa+6{sAz;oa`LWQ`AxC<Esv9;^1{Oq;$WB6W
zM#^|vf~Tn=DFv(PDyTG>M28hChyC*2o3$dKV<XVCe{0xkoGZud=?bvr1+A@qzeEwV
zDhy+-_&(j=sMjTcCJ{i>BLgAt8VpFx%AoDKi}U#YYzPhl+A*qZCca5l%(VInKewHR
zWUGdEMH8+;2MziJkibi*)d7O`*74cH{Jg#oSbgZqfKCVq)r`4ZzPiy|tsP*;p_(ux
zx+`d+RGStH3EF@X3Pk-z*F6W&^Rot3`vM*(PvXTNi2$_?c=itHN1%IQ^|YU}2XvCW
z1>!*S!{waEav<U{P<hUuC}+lkp~r)GT({`O3bahY`*lWfNg%SRsG!@o-fUuvPZ9&P
z%aEYMh7dm$&Ya8w68hD;lOUS~FEBxX0T4x(MkgbK?z7f%W_d|ssY#-#Nn(M`P@i@!
zfv}or#ded91*JEjBnOn|I2HFh^j9vPxD@}Q2}Dn62I<q^lKBayTZa!w@X~O#?Y2DB
z!o1`h@mrs5Ou2}bukPZn??LZ_BamAm5U?s?(HxCPP>B;NN<%lC3~PNz{K;n^of{64
zH@1V()CxL11a9U(D<-RJYp2~e0A5^FRJ3@VNT<zD6hepS)4k@%$HzzKe+5D<&kVlR
z?sy3Z0||X*;GqKo(Y>EI3kwTqj!M$s+DLnsv;T?5bypKe9dWl+gMg#t3!L^M?^RIS
zuxqgX4YH@K0FLOsbGs2zi!TO<GjQ7<W-vm3BZYQ6_%l9{OA6owDwTvNl?Ta{hv`9o
z2WgcC&X|SB6^7{*1?d%rIi(Ng>af8OLtu#UoCLppQ%cNCMSfp*@OjF2QrB`tc<BZM
zcxgh$%v0<%P)<<t+9s|?<S9WA65Mwa1_Hxz)6xS5ODYNw!aG0lzjqi@c|kw*Mq4`^
z2w&tE59eMF0jNb!_qs@ce|^3krj)O~{n<|q^eEL-_@aYWDpfHza0)2ZF=oF@6B47N
zqhGIJ`bU7Ct^BWFk@lu4)DZ4y**l>0Y{wUnNzLg)+2B=(Jl};J_!DBtgOY?gxgS)c
z$Zspi^VNv}0t0zjC>sI%mJ6oHAhsU1t{JxBr=@5e%n^pmwVg$Xl?w)CPu>XHQhnUO
zfHG7xt_R}q$@ptE`n%XBeGayFtxzj|iJ>*n*QXdZ4DG^t_pqxC?R_iw_RU7ee+hIN
zb((Mk$tVv<7QjiQ<>h<wrb;wfWC}H)y-X|DOS$es*`W0Rnykd`kEQ25)?(FJQm3m-
z5rMeemfza?7%?|8F#+vj7@wSkg@Bfq`1f~jSnxq`file5^?+#ySYjLxHChr^iiVmR
z3+?w2<}XSlh9@RGCn9tNB6J~zSFkspf(qQ3Vf@EA5gsCeA8RpE(g-9u(xic^Z}0S%
zIg|6@Zs|#E+=d^TGC}K+RgE6dmQg`7MLTHtbDuW<R$A%^<kc0REfYY81_ROht}jSM
z1Z{yy7joSlmM(e~iO;IF%=+#I1$2-spLnPn8j1mSCmUlc+nr)i^h$r;=j?B=g@-Qa
zV&rH!f2HqxG4Zbt5UQaM@D9lUr-lmr@)VxyU+185{QW9n+b?Jc)?o{~zrSCbef;NJ
ziypL#pe?ES>G6)%Yri){pexx72YV#K%6d;iB<DZ1&srQ7te8K9q5=~<{QM!H@bPNF
z0D}SL+m1Ce7YRDtZOomI9}(KEM%#q1)Gp<?^>dOqLAV%z-kZike>d+NHxgkQ59Npg
z89H6WlV`x<tj&O~6B{Gkn2!W;e0J^Rml+Q=9t!#=6Of=Wh-64H!a)a668mA#Z9`QR
zHqdziJdzL~1LO#3n*&$jBD&>NrBjr8{Tdg9-Tbi~(9eiq>keLmZmfh)pHTArDVzb~
zV1E6D?j0c#JkSD@Uz5wxU?WlIP1s<^_f)wb88W3R0od|u@8Y*f6%`heMA0jH%ls%A
znglxL8OlY_{&wJ2SXQ>*c_l9p6!)ECAmhyta0{2l8y9CdhAB<Z&Gv(cZ}S3E;*t@r
zeuy%_us9UdYcsY%eOAzagKnSPj!2GD^b6PI?)|RLxP?2=Eyq>z?LNJN@=!w6v_BHw
z$xWA<<`bmZkP^ZbGnS4YDYxR{x$Ne>d~%Bw+XXO!F?XiAo<5|y&!e-ww}b%oa$gup
z5vezR81sHO@ApW80-X`hu7=*g38{+-G!-%g<QNJ&{Sdqoh$Tl>44OL#?LP?X*nkFl
z0F<nm3GnbYL6^*$$6EEPk^sqy;Hf=Imlw(qKwC&Mkx|qf>H&~wPA@yZ1Lc@p8gZoZ
zrVfc*UPu=tZk{26Qe)YrVddh+n1>_*@E(e9Hn=ik1Trr7f||*C<12$e66dpBij6wO
zi7_L+$<Kt80Pe>JT96851Ds>U|1j2!9eduD*Rv;`yAUbXgbONZ>k?+BfgxxSqO;W@
zKKnw#E1STk28AM?keT2t;^7f7a}LzC8X8(6pEvMOy7F!stydH1tb2RJpkPX1>b*M^
zD{ppa9yZ#F-}x;0_JOlRktTSH+%>sWZRXsshgO&s?oq;_6SiS)Ewp2!J1gTt+Hlf}
zk7}5VY{KuzW%v4CGCf=%Cma+iR$1Y+O$(8_V|zMiLgsYT%MOjhb6Wu&JF1HgmRb*Z
zfOEl~!vMh#A(%q0V>z=AaKW)wqL(k87k(?iQ`#7Ad&cF%oobrf5nC3cNnwPmz(x?h
zu=6{{IvJW@RS5ytB$VwYBaNLcCSphl*emGeNAl#|ED%`wmE_8Yeu`tsaN!BrQc)`M
zK+KC|p*7oz>$sM-QU8`OwIZ^a`DbYk%a=DETW5&F#x?n$zd{fmhT}8_p_ORdf$%U8
z|Koq(>k|Zrfov68UWd6L+5*xYl-X8w+e{}a1ba9F3i{5;9vwD}T=9UP<0p=FvkH7s
z-NEG!_4>dEjp!)bOil#wP@b{$M<qJK652p(36kOvtZiojjaT}BvQPxwe3cioBX)bz
zOk{Fk^bBg>NG8Nq!cDm|SI&-r$`jtgYbm8<bk!;cpzJ2|UM6{@O#aB%aB~Ba8j{yG
zrC4foSQw%01fwS}i!^h_U!+3o&9#)VjX+?RS{;WhE+(*nRE>>x;A;|-Oym?b#71Ae
z?%tP>4wZs(YXYP0cMsL**2_-bYKp9$A{0Ge?1UY<V@f&*{=i6-sQ(h^=J2yJgO-x9
zuUmZG%*-9!@JUE^q62?TQjp#UVmVdwa(i!%J31S?ml22l;29fv@1B(;u{bgjJ8(X3
zjK20ymt0H1f^{p7c1QfYMt~tdJh2dbm?K6M>$SeMNkuE_`dg(bEjt6IxL<UCFSciG
z`{yjzd!Y}%WTBIR|Fz--n3U?GxVXN(v%<nLl;XKyKzt08<-%s$-!IB20WNRe8S=V#
zoXidDGvFEQRVORkKCn^9gUSB)BI6Zx@h{*CXmKI>9GF5)jVqW4fGCOG{lmkQy7pxH
zjw6j04}}^FDQ^2bT&VnGHSs_0?IM{D*)1G(qiFxTRB(JO-~fe$%0WV8V(XPQkedzJ
z`v_WEK_hZJQEw>Lbj=pz%edBwYC6>GWjcm-oI1?-BnmCu@psbzlVV+yU)YaQ-52ud
z+bMQa=)D!lfXgo43At&`(_4TcDySmL;=mjod!>5&a7k$^=Vw3obtxeN8j!4FjNI{W
zuc+(~c4Xg%<69KMjD1liadr;RMFC(zLA0BVCEVhz;EV(XSlhWR30YlaOo4w4)*}Zp
zMlmV=1{z{<wGLaH>iZXf$52qIGU^`J+rDTVV{B$h?b*l7P0fg#yi`TfaC^0&1&#m|
zNYE<Ri~rmKAcQWMWuLB$05|}GH9qv!gKRAwZ`<Ahg`TpV*ZE_o-Rj|m8l~Lc-9M8L
zr5E43=e2(S_^jx)5<|#xwq9gJcjSUMY2qgnIYayB(T*gMj5yodKMTeHb2Q+BM@S&y
z{YlN!`k<DYEV7{N^KnY68V$8%zR{jQw%$K?VZ=#-5ATot6NLl5e0FQno^)2IOra{B
ztF+Z#e~4Nv>!%*Nt?%VpW4cD~2IKszL9TzKTFSaZBj8zQ3^w?vkOOma3;{Fu+l(u(
z)gH(4`Wh1`$ztyyQW1q=2L|4kg;bn`fbEcOC5n<M7(Rpjx9HnggWq{hkRi2;VtjRO
zzpRE$XH!T3f+5&+fRQT+(JKUecGwCNoF4Dk*vQ-#krUNXwXpGC4fHUAOz5_KZL1mF
zIn8S<i0Mkt1AF^PZ<Z>#PyMX{cm5VOB}cWTvgqbMqi%+^m5m*6^#n}gFL-Z1P&)nK
z(KY+Gdw#(92&%DJ@So;#tYF)zK7E?QMhjKfde!+sGHlu73yo%pCfElMI|OZB-nK<|
znH+mO0518HECZBK-L>31kOn~ol{+w`0~^%G9UGSgpX(v6f)mYu?~o&UaMfAx<$eEt
z{&q@T&PxzoSkDy?CuH4utUyacvIaueJO$|Q9My?Irb<-ED=8w+Bz2Q09y31N2Yze8
z8<Pv6h8KIZWyOi?to*KBF_mA>mHX@qb_W6A-nhTlO~sx6!~-471g0Y4@{s3mDZ%`W
z!Nz&tYFc@|&P}FC?la=s28j?Dhv4q}7BO*fA?|nb|J*0|{Crm9Rp(^m$-u^CUR47+
zsM0{VGvdzFNijCzCXHuJkT1}1al0Tpa|MzrfY2E`_i|CtWk-5=h>_0c0%1-k#*v8#
zrLduf+^~WYfbibF%`);1%HF@n9xXjS23~qBK-iE2)yS@aYWc!*9f1z?e=ISzXp1k1
z^p;Pnjtms>h2<Sl_HQ`>J*xq>?lbe%_BD_m$fvGR8kEBT{W<M*z{D{iy#GD~%b|WA
zkm44`kx;e{<C&ANO)0BRgrgKv;9(9RC|qf1MezaM)-7BbM;-diQ=S~M>jadx9RRI#
z+5Y3Ol2%ekK<+0nC39#Lv9h%Zl`C8=Ka|&@BMHS4u+heY4DbDv_g%Ca&i_`B@{In!
z`&>iI80{P%@A@bKiB++S=r#c&g@yl<#<1z0G#i2V&UXfznood~W0}s6jj%$)k@_`h
zDgXS#f~ZB8i6fbn4bZ?YFWuELxKoXNQqol(c+1I-{N{ezA;R~|nIgRftJ+Of+z(f-
z<vma_ZN09T1XZYhy6XYLAhMylnDR_D(Zwc1Sq=zKNYrtH5WS*TQV72eF459qtL7%d
z73lsj%l%uFTU`)3*6=({RX^mysj%B|ZC|AG10>AOncgjvuECU$krM^Fye1sc3jY4>
z3j!3I1XZ1I7O-+l?td2uu;N2Vn~PS=GB6(iQW128=-?UNXj6rrX~qlI@Tc}X%x0CL
zxwyDW<G?y)ph+Rs&l_rLf2>OQXIBsJvMnt>OO_bDh!`P=lNp(x#YmeA9tDKgrbRIC
zZ?%BqLQRvy{hdDF9iWbmSqsY2$C6}V1+9^QKB9!7TA#R2-<%c=eevjVkiq;%tPdm&
zRi6WaB7gbWX!?>RKqkbD9{qPRH0{31g<;iYSlF@Dz(50Hz``O?51ZGlB>zQ^kSR##
zt)|#0l0~yw>pb*D<W6yu10ceP2@Nve!}o34JQVEG&d*CKan8(8qG!Hth`@RBCu~~l
ztKtJ?iRA&P_({SK+dk~Ll+w3x`D+U^@5_&vz$`iZe|r_7z=x97A4~=!SOLJrwRTIf
zo0F=VDQVEyZ0wW8LmYcdzU8wHNk~h6*3=O?<bG&+Vx?IX3b0!Ypu7{ZQ`_6KXz7U1
z@*B$Gfb#%twD)hH&?ea=UoB|Ylztv!Tn9idC|FURT?s>-Ci{|(+UTIl*vo)D+A%7$
z0~;D}R~+)|nJ8-}@DuuPLQiB85<d#9n};N*dQdSz6YL25=+qVf(BUfrcdettvV|Hy
zYu(#{W%}7;991fUHt&3OD$caE=T<KNXlZVvvs!W{R%R(LJ(Otf0T7`;Du-@?g`Ciz
zDAar{=hmIbZ#|QU(OqcSTD<EHgB&mU^q`VG-ybs77a>?^YaMJ9YI%jF{v0P|187;?
z&Ln&`{HVO`4f7NVQW9y&{GT`6_7}qof<!)l(b19l2f7!2y1GC^TPP6&V8F-?7PfZ}
zCFS&3EYxyQ4zS+7w7!Qf=gk8oj=VRU1M?LdL+^$Y0GJ?d{E<*C3@X%#h>%O1+LEWk
zk<_vfigp~86bS=0uTSHKa|kW=Kv_k{=UtSrlQH&$Otj-0SP+>+5`PVf-UV_tmaLmu
z(h#AwZ(&wO@U8xvNfc1YG;|VrT1y!LcjP-lV=oP^YB7|KQXXdTT6Ipso{#EEps^J2
z_30`Iy=?+lK-P*vIbA+OG~#ih@cK6=b`M{_>tIRcl5!JnRS7C0Dfwc2UkpY-6LYz1
zi6Xwo0i@Mwyy+xfT@PaPjL33T&^;MJ0yMg+GODm20PT61Y+8EV$$NNl20eEv9+WPC
zaVBTM7az2;;v?aY$+AfKcl41uaimN_W_F(m86q`2*aW>fVeIH0jfAw|##t7_fnj4$
zUq6qQ$HH0<%5wacmNAs*8Tja#P7@rceaK9VkH(EANnMhQhXI)VUX8P{YysR<#l+4b
zaf>`3o2V+jP`ikG7*z18WEdPuJjPJ{&(Ha|gQY0p1Hc{=tRaCCp|R}wbT)_CmtxQl
zfQ~pj;>b&Kj)WkcK(|x5R3KnL!IX-UuF~DXk(-<v2qN3`Em`j-ngTRp@Ktr<B7@vn
z2s%A%Nhz5U6@E>=m$$4#e?=1rghb7cX_fv0=oz2~$FL$;981J@`w*CimfS5iTmz_H
zU1gbp=Mwi?%k+j|1({RPkPrh`rlvy%;ul*tp^un2kQP9-Ma4f6bU$yqm=&t}X=*Q6
zwODxn*+NgQeb>M(b5B;GAyT`&IUh~f_&%ssK~<|$<ET`mDOF<ja;$_#5vO2;2;L)B
zn1Xpd>b018&Jv}>hg@=Ji^<%}3k>;!%8Sc<;1tyGPCu%-!p8_kxp*jzB`iQ)gSA?3
zPsE>OERv`YVE1|LnpY-Ypk!^MepENU9Mg`R94XvXomH^Fw>gTQ?&}*RJiK*kan7`N
zX_&ZmJ<(r2x?SG~KH|Qr{IPZ#go0xR+xz#gl(i!as4pwuRUXXvW8oKd726S_DJB`Y
z*Mn3P+_NPOk}gaC%fyd=CLKrwL3~c#pznE_A&y@&awfH5=?@dlV+4`a&848JiSQ%@
z-j6F@jpy7yGs%Rzu=(e8NOu!ib^o8hZUzs1)s*6XqY>_yc=y)I5Q}2?n#GvD8h(*0
zwWOM2OqIWOT-IZGuSu>aHU-iYI#;3_srpRP1$|L8JFa6#+c&jBeq)bMXyv+5&+nXq
zY#83LBNx>b1JrHM73%OuN@#<`ZNL2|Ge4tm*}-%Rrd%)#KoA|Zb^vO;6<<Qm&<kQV
zcvkdjtHXnVj%qu$-7-G^%MUVLVrf!uhw+vVd(|BWPDXk;S;js=T-F=upNeJpwxunL
zQ=bVUx2qE&X6hx{_l6ppn-S$g@KESqxn!tI1^eD*hS{}%bWtmY2o^&vTBsWrdHQyL
zy5<TZcI$#F)Ofq)BIbPQqMWTCJMd3=%`oMr2nTkzbD{hVXuZXR_VMoEhJ&NPVD(-2
zSI+!sYq$Z*7(}l$6*$LDmI4_<XcMW~{l_<R<1STGiu&>sc&(Jb1|vwwhM_ezmVwH~
zR8m!4UK{h=hBw9O(lgtG@VoW4V;wb4q*S3s?sy|m+%NavcLL0ayzqveAi874B_GJF
zK*6k@i2$ttnyG0&-U-B#RQDlO4CQ92$RY*$B7RbT4Up4^2*4EDu)H*OuTL=H&OLVv
zrNypaFf`NNu1{tlN|nR#jl#*Eq|i(u$n~Kjl=?-9Moll@v8yV9P(${LCd`TtrAF^>
zP!=S<2QfRz_Z{P=Y$=*v5r$zdWyYtUxQ6j`iqloz;-_a$fL7tjx1obv`}zs!QwSK?
zU&Bd$F49ZL&W`L$W(jY>6dOS{&?iMdzP|6veF&s#ZvBPqIyIo6CN1YRTWOm%wHMx<
zxBj9OH>Eo-U~YqWlt&(IJu(EoK_7vF75AD&m0F%H2Xb~DsYth)!0Vzsug;-OMG>Dn
zE_6v@6=YZ;?P&ZM@>LNySpP=Y7<e26>J`c9eS6jwdZVDiT}_G-D+pA~UWKQrYy*IM
z2Q1bUE3VAiM5BAwmUnm@`|x=>*CJPtLG|mh3gmBW40$eJn}hlXa+4|n5iv^rcRz#V
zO&y_A0t8ajkEG<oL1~w74_lgTpl9?Wt#Y^kp7$lCOjK9M=qfJddLJ?d6gzF>2@Q{<
z0Ab>mIl22ysUsCpP|x1W$4Ed0W-5bm71n;ikt+=3<sGTlO2|e1%jLr^((nZ*_h=qY
zF-cu4#P9dNTD}-46n7+<*eIdgzBcSBru8phi%^6E?yhG~4Z$H*3He_H4*~26(Yes2
zW07M;Q8^r7+n;#~GV+O^uYgu2<=p4QbMA+s3p-LEk)o<V>-<7?AW05A1_LQSUF!vM
z6!$0(M~DOyS>O_7fH)R-gaA%QgdiM{A2ViBhV}#uZ&IC~<9$l_NrJB5Az-jV%~FKJ
z`$c7Q8d=B}_C}ag?C}YDKfS*B&GE_6xtQ>rcSRpV=3)W?{O2@@03;2YYi8IeDyHAj
zR8&#VWT~h^IH+JzzG^Z{QQ5t&Gxt7nwJ6T@e3~}vP0HD~cYATQ)#zmRC5zYcP|$Ky
zY{)a`4sd{uqg7`cxVTa=!r2B3DRvbMg4{VVKT~K&zX93)*rT~#lmcNPC%<!U=Qsbh
zT*Z`eO?s6c8(nvgam^=g;@H#n$ikq%7DcU98Qq&&0E$E+JJQx38YG{vMLK~0^Wi`L
zFTmg-#W>5w=XB4@Dshqa8Nw_@r`_!oxy5E<)T8DLu^tYwFxejVglv}ry7gS2Dwx6%
zu2tllT<w;aKC9(F=3576o)s+*Fh!~S^L}d+KYEb3F&^%}XV#nTxTk9gI4i#ccd)&B
z^H$BjExDlNW?J5;a=H~B|5@E!@Z1{l<J3Xd-kI_69(M*>y0V<D7HZ^4l@7ZFvm{fT
z4M8<>#gx3ZJEkJ?N#UgsNzJFEQ>B7Jnm#2p*@`J(Az#1SQHk;sm%Eveg+~=sT0dCC
z3Hq&2Gp={Ne{p(pmwVcgYuGktYR7(1c75rp{}9}ddD8^48uOFS1-t!S7kg3yB{JNg
zq*9%Ba^fc${efe>JaPk3%_;t*)Ep^Wmv#I8R87sq6fAk0(cyN1?MroosfaGKg5rwY
zUh>e#Ca>GC-|VP3g~`Jg!g}@!zn6p_OkA9wU*H;7uU>kL?76zQTyQOu(TNL_`&0eu
zF5j3gBRKsr3U2NVk)poM=Ag0FQeydrj1a8M+M6hrfvfCl2N#D#niv<M@vwi3cw4D^
zFg~tjQVqIoVi~cHUu(6ZSI<akSsYewz2KW1nVRZI39`20dq@7~;h{xyN-HrdUCP$>
zK2C-s!rK9>bfR`{@8-cTNC}Ic=yPlS$L3~ct8tP>??x-DGFp1U*zK?B$4+;%3`8u5
zJ0~9CR`-+?J9=j7jP!JYW<ySM{5b_xWom}aQUaE?B{l0Ct%5=m1!aY9{_ReSnl(4f
zf{ESjy`!RrqQsJCW5YJCKWq8NCMG0R-C)3-c*V{Ef4(`*3ePz<Wa+R?a$j>ejZDug
zS!%yvR*b}3w<sJTyEWf4Qg7coTRFQqz6skzJU+bMJG(pa3V%d^l~k6aWk`mp?u(eP
zWq2-xk~|VIVwG@2Kz#``0LT4;2A@_7X^)`15v-jEqxLM~@yQoe799)(e=}9QEg4<W
zRrsFQC8Q?GDZTprm9jXhK>dw|N=S$5{M2^@rYNb4OOmA5$y^yKAcWhL?p5lr(-qOd
zN|!&zi(M5P_g`F|kB*Kj$!Q5OoE`VY2njcC?{3qu)AHZzxNBn;z3soO_nmv5#${(g
zt^Kt8=h&B{IJ)tZSJEpSM<2Vvu*2^Zvv21V`xUxux#5PV=7wrj=$p!$YQJH~YV;2D
zO|uV@+mT;C1Rmd|gxq75FKPb%&C5Y6Oq=SOsZ@V~sO_-Ezl5;782<R1w$$(omw33{
zMyh_(z0~3TNe!g=_{#qz+1qa@WuC28d&>Fr1XbrIQ`lo!t<+<4<Ap})oBM;mS4<B}
zdu2X{Zw~#pnNd)G%rut=$x~bt|Ft6*IWB(V;VUNgt|?J%QKt*@=$aowSz)LqY0uza
ze`mo_ziaU-85eXGS@DxBdhTE&EKo!daGH<I69c<mb3rc{v$@%-#>B?mNchl)Tu@Y=
zecNrJ2|~*WHywSaagC1Ly=$xItxw!jx5*@-e_uv1=St8S$I8?9cd8~*JaBLi(+Aih
zw>_34q-giYoA1Atmv&=gE6Q66tBIeyz*$Z9c&t!6?ftWqm?j*0@Ma^+bJp|z{9_X{
z>r%IxpBwpywnyvh3j+W57?h9R<R2dH_{HwG$ysXCjJb%e_jo^?)=e2MZ)oS5DoIk$
zDb*e?Y_Qhfp6-1uDPNzZWMibJ#s;@mPS|WziHn8L+`kc-B&=A`##{^qT_nX5Rn}(+
z_6<9#hCZJ7+#`;*Gg<>j6dp0A@wx+-e|Ww>w3~Oz^xz=D_x|}~KDK$$e07<2zq&Z5
zE`_pzPrvQzHGe3{(Xicgf00^TrDt2Ouljg7<$gV)_Pyw{EvoyXFYnnF+p2q;p<qGo
zOLYwpzy%NycMf(6i|gXmnPl{B(Rkg_=Fe|@;YB5-sF4tY;e#ZD0`uDfB?2U<>Zk5}
z{U}2uJ`9@<?+x#rZ(j(3whIh-cp$|DOH#JJLvlO@c%MbH(D2*q(ut(xR8<Qv6q49a
zA15!56|XLL^=x)Yn0o(Gq)z!=9b9={o@^15xtLbzeXS_5JSky3eWIw({`5z$^(uQW
zGA8PCNq)xLqg(FCKIHlPmRuZsTt#hp!cf`QH-BlbOl#8x-A_X2ufm&{v$#{`{htK<
zeQ(WwIPsKxFI(BVdPsRaBtk5!QGd4CbaTHp@%eMHdP_@~xBn9=2rO;&7l!(9s;W8e
zLjHc6)ThOp|BI%xfU2r#|2BvZDS{vf(p}Qs3epIYDy4L%gf!BPlyrAVOM?o6NK1E%
zNO!|`AK(AyS}sM;*=L{GGjr$sF67;lw$`sZUT0`JN)H$Ygwrl=P8BRlEY4<IaH9En
zqyBF3K5Dw8ZuK6ng^hFj;tZwvW(P;EPd2YOJ6YKKh`ZMWU%X{c>D>K7&~<KI<a7e1
zgQ3H|U4x%<P}~RfFUm9z3N+dnM7bk+`dd<S<7lC^U(KYSb;&<AYPmW}^I*-C{1zmX
z?3Q}f-W|=h#U!UwW1L-Ev6dM1dFxRMarx$tIseXZW-1_U^Z9tJr02CvCNJihhMp3C
zjr^c1&E-EV6J-W|mNaeeGc+;pjaR?a@b=JdrFwsVCbECXa=FAXPlJ2s4PVMPT@`Y-
zOR04C(*)8wJ3j3mW@Lej5qzYHiiWuOwua@BvF_h|7UNe~etOEbH%Q7?*KComdC+`T
z#p}~F*suJ;2CfLfLU~y3QGe3)qCygHUgp2tY!%--^>ZQJOGNdh8Y8e3EY=={{0;MH
zt2Q6Xd!*28pKNH=l{ZvlaZZW<z_qVow7iUe_Gi`riLK>Q=XxiZqH1ME0a}D+Jf=_H
z?XSxS92_2;I&7JiUf17_&}uKp@C+V$W1!tlpYHZsWzOviKbtyd@13ZQ*U^8?M?2%)
zKYJ(FHf$z8M~~~dMa8Y~j9H)h^3Qn$@ZVg&-gHLOolTp$*%02nxSDZ2VbyUTJ<_qe
z9_-%j6TcGkc0C`M*}clRqy75T8Q=9@9nOzFriJ)6@d4eo=6LVsbE<~Pv*zo81lQw$
zHoHyEu!gIft6-8(7Z_`4p7)Sk=1+$8H_R<87HSjbp+(NFd!PGkpviWBpv~J~x@@tE
zrGGj0#`6n)RP&F#gp3~S`5O$Z-`<8DVps^9CPk1(pyBS({3$D>F)&{@dC~dI7G1)F
zw=x+Mz34H4>U&J}VzMawhf_D|lDutK*GLN=H|2u$=ZBM{&(c(jUbW=EQ>>faIPh|!
zx&8j}hq62ZqC0LizoT!qSoP{c3iR~4eGS)^$sMaNFIij<c5Jz=rKxH)oOHZ<P6REx
ziJ?_YDajkv+hf13H(fmJIb+9wZDW}D<zIa-=YbdVYb0a$56%^C7Rr?8zL4wZWIGD?
z3^c_UM!x=`U4E5vK81Q+ef|t~ffPQg-w_G(D>tHc!Ve<?U!=Ro$FpC$P8{o2Y>H5m
zI_r5Z@{+q>>mwbal9gYsNvRI2{n^=CJ2V_H?xtI-JU(!;nyU!#_B>Wrq^BXsn|3{~
zG;P?)azBN&e(=MVV!44|6WMN5YTTi-p}_w8Nh`{i687fKzWJtzwyQNMq(-5}Q>zW{
zp}#ftXtS5=<57b%6N;+xcsFj#;=Q^87s2$)_{>yoj@`shcZe9HQ*pb_3Nkvp#k8JD
zs$sqGx)7mu)(Nbdexy^o>2ZD5-=&xm(=J$$E_)u?gAetxjq+yyd6E4){5maGb>pY~
zQl@Vwo$9JLFNXy-;+6%Szm~Sx4D9Eb23RKjt<jqEIKj7RSi^xd_XsmV?NQ&C=kv8C
zAJZuGw$Dov?7z9bhzv`#;9<^JPV=2~JiNP&d7D6j$~a?SvcjGvlq>FO(lcq*82pg1
z5R<LIKAKk12fB8|NNfqQN8exL5fJosWq5InsLubAHGP3Lue~R^|F*!P+t_r!Os#*Z
zMs48hV(>~pLi$oFH#;RW*F&V7uRp57*w(IaZu&w?KFzOfkXP^CR*e}(I{g!SB6u^S
zP%$0!Y3ZrV_uYkZa$~!}?^8!5A;EUL-KIDHW!Bb)eE$4#b}S)2Nzz6M8ENuWgOTZK
zOiCKgV-xASX}V+rX((|TR?FeGp1gs}(+^&Mg|$l5>iLs@;Bn5_=1WsH*9Nt3b==%l
z>wo_ewWLWF(69(570RMPpU7G!TEW{wkxadE1|hDP!XLqQCpBr+Ra;gVFMNMK4|~Vq
zBhE2GXI5zJ@y@a#oAHm6mZO`fTbgsBlMerg)~Dfh=b5pr;f?1C3HR;Qy_C@~0`8V0
zcPt;Ns%m!kW`E<H{5=?nzt=bY)2?A=QCP!*pj&S5r6PTDW3tSp(;8c9yD!=DmZAxM
z4_jLz&iq-hIX9;LQz3za%i$orlUkDQpM6Hhmsuh*d8(C5=PV7E-z)>^Rw!CdFi>;e
zqwSo{vhA>Tj73bJ?xx-B&k`hL%|~PPCF*vBPfDS+^nqRUK0l%v(HM{Zkm}QIl$-S_
z8fX40xaZS3Up|?j{9K&Qw)>y-*^e$bjguA5G*NA*KVF2~)D5h;oQOTOd^<g8yRnZo
z__t=UUgzC9-t{?b;-_okE32m0ol)Li%hBR{sXx%x`%w<<a7NN>nyxX~1U6Ed&$by#
z>(9vh&&Dt=E!ZhyoD#&;T|{<G-Q3XL-NeT;QU#FMc)vN7I}^CNr-A%1!lW*#H?sI+
z0?NA$z7&F#QF#N8N76a^>UCWPp94?K)0DbGS!^GdU0d96rm&jvXr-U^%)felNw?#D
zYWvaag2(IPi{Zs}sRnbLuGS$aXSC{S**roU{0{~V()kU?#Uw7%`Q_Xxy-k~@%!<;(
zHeG&NWzs5f`dzjh0v^R~%b$9RG}>);6#ZpbDbVhq(l|Gf3FFrFoG2;VibwR7LBjk)
zbh3nl>LnG$T4*-3mVu{!9*TAgxmk?DkDR^r`hC{*vY0q|`2*-7>lWZK8#dxG;CcvW
z?_aX!??z?g#_qVE?|SEeJ0F^zsZt_y^b#XLf~T%VZG57mc~XkD<GZTHu#bEmG;;-}
z_Bz68xIR|v9Q=}U?3fX=k;NUauu;<MbXDK4v+~u&ybpc9E)KV#`C(SC4J>8%u%XYp
z?Cs~}8s}#*X5Ay^@H(QKU%v6G@on<DdaISJ)o>oO17RXMDgh4~2d<_{T$(sryO-(6
zL+ntlL$61#Nrdgz<9q6NwR;5CYrek|N#B+0jpor0H5EJgs|^)~TM+McSl*m}P*Z;S
zBZ+}xK#jfi$-ED~Pb)Hmx9gr$ztGV;B~kl(Hy$T679@fF5?Ak$yxsoh+40|RQG&qL
z_FX~K@ke*N3F{fhEn|_Rpr&^lEy_qxm4d)<+i5ykTUfwm@sX7#w^l@8nel7gC1>nL
z*VCeeZ*>$NE5xl%OPu@I!td`B5JKUK>u>jI1-@8Ggn0n>WK~(>w<2!FR3X2k@0NwO
zg?Wu8!Z_E9<iGp%ekj{Eq~tx&=`_vo?!f5sjP-85V%D9N><XD){{21S#a<tNo0N{C
z2y5B1!xNmXuASB!KCukjsB+J5_VX*F<9g`j1?A-lDYh5n7PW!I!)q1hJ?Hw<>Mvfu
zmE9S#`pi*n#>U>-%zT-5zQP?vs<mG_JTyGb%g0c~OrR2d54xAQOU#&cMMX<zD~QJz
zvYdETN=Ate-5|E-9Ezsx=!!{CR@8Gw9nN3jH2uv(*q8BrX_=7AyZ;W9rh}(A{}eUV
zMHMFtwZ5#2R(?@#th-0}Io`S;|I_>9el`e4lG3$Fk0id_w7!h$6B;RVs=0Hw@zsmw
z0Qld~{NFjl7IM#&XxaEe|9fl7LB~##X5&cmWz3^BvW%n-dsReCyu5Yy;k<zUkj+2}
zuPwdt^iQTq)rYM+lU*5W9cqyj$IXThDB7n+H)Q1$^6fg+@zn5KxAOQoh>l3>PKnZA
zoslBnJeQQW)*w6CA~Gx(UjMVTJ-c&^dWj4{pWs=|_e55cxDOIC7lZKw%Y+o|Z@pdb
zmAe$~6*g1`G<og!l(!zZl+GK}au{nNdwcKI?z-JvMY-5LmHrS{wZ_beA-DHP#F?DG
ztUh2z=k5Bbz+NgN+Q?=$6RG!hyiqQFrMb3Xot`({aKQ?fC*~v3HT8T_cd=nihY2ms
z?$Dl(cIR@Eo^m^FSEz((XJnWM)suR<151W$_Ok>JP$aL~m9>vO5f)Nj+%qk;mj~g~
zR_810U**T_ei^hSuk*>c`KyoFYEN$4cDidb?c6>(Z!&o^+nKWCC8429qxP1&JxXws
zPwaC3p&nRw0bReuKKePg?WlchrsIv)*O%#*-W93**Jqd(5vUpCJ%%{qGXA15p<Bj}
z8cy$1)8rHul`Msb-^8bGihO!`?Vaj$y|=RV%-CH+upq<ju4#rVGIM-rwUT(o+l2I|
z@(x0pVZ1Z7s~f-jUUmGp#=4w}rIbtQ{V-l*_0i3-2GJeV?W^xQ^~Y#EXI&}Yk|o27
z_D!yvi)(kUMCY#1T3y;5u8*e<80CWl4x&VJk5Zk^@wV$P2(S0XN)SP4*CuyWVqb3}
zU%=SsyL?tt^3qzEMcq04zVpzK!Sg4iqjlQQ%bQXM)qZd*zpN#e*;G`ljUsH)f7D`9
zCCuZ`{E&ySBB?Ga8rqP>$Wx)scP*_d?qmg)A67cv#o#RmrP(Q`#PFN!@Vdy~g{LNr
zA%~%ETdv=kx{k0ae~UK)y<J|hitO%s>QrxDtPrdW4von@%}tZZAk)(|9<s-J>G3xt
z)#)2vsL8V&BL(6I-fI%z?<MFpgdbV*Ih^zNQ`J!h^?lcFpVc+#O;>W)Ml&UI5j(lO
zW;5wat6Za1FIfG#^SYnTl$C*jJ>^rsP1W0Kq?c8j9%G)B?}wuVgM7bv@IA0y&7Tf(
zV^vJk^BLG!?p^L*M#OLz6pbl2+FqitV1%^NJ|2%ble;?4H;hU3B<xShln7pY<L>(I
zRgAf{nrusnyK=xjz8}#`<4ruWwFd>W-3ycpR`<lDkImDD!ad~lon0{>Q!AzoJyB3{
zHwApAgc^%%EvOi{d37-FeOW#l8XJ<*a=7JZg9As0T9o*$NEBF#yA_o?t+=uosZu{Z
z*^d+qO5ayzVk)ODWLz%ZTx<-a9L`s6->=1!Uiwn1rxvbD5v0V;70-@HoM~CL(<h@d
zKl#ZbKWOf>Vzh=c?P9S}Y}Ygkf6tjVem$c$*{++g=hlLld|xJ`Mh&nML}zNXF>u-3
z6O&`a9=Xns^L>3`jN|f=VrJO7ZaQMr!Vq4ENuWDRCP1BCSo~?h#k)Cb?M2J`X++m7
z_G>+7_ZhR1<d(VZ^(|D&U-x*aGi1sOVn;?2QPQ6p4Q}acoBu~x9l~_Bye5Ey>bE#4
z7-X_Rdfui~@ZF*kSHBKVzfQmIm2u}2PNv$=PJ^Sv3i?mBgUj7bU+?*i&is-#G{ukf
zkM60Q^Sto<=h1te<5)4xh0^?b;;c6oxq}?=WSo-kV)qk?-=`<?pX2nawcF#L`{-+E
zB7rS5FSMql5%#Q84RsoIs;PDUz)xrTvRfjmOTkc=CTWtmy)pgvC9;Ru>w5pi{v&>V
zJ~bXoA+ZdcoFO8;eDIz=b`m;ZIs{MUmDY}L<Yj%1KJ4XjbR+wk`R((wX>?}HVblA8
z7vW8*phGBmdaM+6wTK~NGeB;cN5R(iLO+xD$G3)R`WF&nDo&0^{`mWQvUvM@@gFE6
zw$E3~9GzV34sg69hXubNqCUDcR>MiDdC{e5=L!tLJ5EiLT8(7roYwMl^-6ZLHaI9s
z4?M3>4zUI78+2YiB7`g|HMP~#3G2o88xo2}8oWoK7xqiK{`#<gS(H;Oa3b-Kee8!F
zq58e&b86kcRX@FS!?yLh6oRcb)*)l}%p<jNK~e8|9IJz&Gvf3dhmI=2@?*}A%<;E#
z<_vO_{u5ytS1aV#mlJ-7_!t~9o%)quc6mu5vSpgwo)+W~LRw8}$*bsptxuyHHsUhi
zA`S_QxO;<pf+MiLL6KQo=C{Aa3ui*9Hzi{Yqy(uu9Z3UlY3PKxSw)cG_*&+u`4E{&
zLRn^Zg|W6E9BNAZQ)s^@hL5+LRQ={yzYGqT*zF8ZEKHG<r`L1~Jf0kLV7u=Br6Sjf
z6JPUz;(Knu<*qE&*@`nG>xwXlf&TpbV)@{Vk@-<#MeQ}(Ecy948VLO4HPzviNh_!u
z-ByXdOHFoc?_NdKF$bCkc<U7uzwBE|Sm{<F=ZCppg|mK29zp29=_QNRfGZIW#g$NB
zNH$urn7TWWxlR(}?|VXQ)k{wUsd^-VG`2>!b2BR&eeFqSF!6BlY-*Z{$x_*PN6tCO
z^Giss-XLu{vv{KPw=4aq=K95v5-xMp;bvg8#Y;8+s)_6VL(M4_MQUWa8tpz+`vo2g
zY^wVh9kc|PWG}I2Jn2>g)Er*b*|R{&l~&oerwt_eN=7BzEbyL4W!2SXq|fQe_po5x
z_U-6+dXI!mDz}|2B$VjE)U@#W`i7~+^`O;vNP7JKc-*eHv#9q9T8d?#{gS)9$nyWj
z@IEN*Ly0<buL+GO`F}xjtuGl;p3DzU*!jU>0W#*MK3~f>xGmD>qe_kJYF|j~46C(p
zE@bKoIWmq&>Y&0BQZY?Ggi)0IhY@W^<*q|jAoDXPXD2na@h_iM`J<!nbv%{ABf+QB
z)$X{*z2K-{treK2{xBlwxM_S`{4rEDUJ;wqI5=#O-ND6N&l`G+x8Hbwb1c|T%Oqpn
z-NJ#3cNSA#R%w}DyGmu0jN17A1|0>qDx{dt&M}ygF*=Pd?wuUIse8p4@r6=4cIZc3
zvz7c$W(*H&!shM{Bc2b*sXyRMccQo{Y9zWat2LR&@v7VBkD7yXLr0_GZW7_q*T@XV
zx+do8CF<Z`k{-JGJ_-1>FTeRYTCnJI;<LnOCOWfTXCLU3GR6H%#+84L|Fojelt@p+
z4eGWqRS5f*`66b&`^y$iWi2nd7QT5=H{OSK^Tmq9Zdrx=p3(3waYp2%I}9aRlvn9&
z&7mwFA?~zKWdwu6!{4}TY=L69-xFnd)mzn}`Bi3fR@pRU&;+qJ`Cx;oq%ga#{IxS5
zr*xMiddYW(iH)MdVhE}!O%jAAf=W2V6TZ$Np`?jPID8UfdZ&vlL?U98n-86PI2MyF
zny)Z+dLJ7aavw!JD@4y4{!tqr!kp=kew&I{FdF&=*Ovt)gqqw7ON-l~*?0Jdz<S7K
zJK6Kg4r!U#lr+vIH64g8EcvadS-2zW{Yqbnn0u9ah)oGMnptmr**U?dc%Wb)L244K
z;{2G?<nkKn3I*k<4B1NuGIZ2Q&BioyH3ymIi}>-iob0MV=*g>bTc6^M{?89nE8=5w
zX}BbFK*PMh#|xXNgvXEB29(vcB2aUNC__#e_s%@tc{-fgXRDTsg0zB4T5mzQw@(=z
z!J|a}gF=euTaFEI2br}kSUE$FAx6Zo=lnIV6E0NO)e{(@eb)I+aM>gUS~$t;WIA1y
z-UyW)SNygRDD>9>RoX=uQi*>FVYaVt{``FEqD;YBwsm-TeDA@7XATCpG{au`(%cQR
zw6in&c_^B?a<voY)SIF~8-U$WpY;(Jt}xNvuUJsqf>NN+N%rNrR5?ue;r!o~Z?+Y~
zQBhLr;wzooO_H^z0{_Zl*`v$%l-O;p3RF**9%A3w<j-QC)1iKUKjs4#Rfkc|usKYR
ztn4aj-#uQpmdL{qBdFL&L7sXmZPw#@6_vSU1G3_Hl=ffZo}-U1P-<?ZqdC&kb!3fi
zxqn;@{i(HNkWHItp!frwhsvMGusdWALdl`YQSNLF5_+t7c_~H5`<z26kXM7Yn3vkk
zNwPAx&6(ude@<XjGO&$Pf(THbUZ?-2?Vzsd3mmVujNFcQ82LmgJEH57Z2q{0<<%uY
z#Zzv-2a>4N`YC+gaL8)AGaN<qLDLabMM9#&qM!UVi2ApoZZXho4gS0s8{;>q*1B7d
z7l!-qJKnDKTGmvJ!3&1hz9G$ow7!ffKU@J6IaSqSWW%G#M*j*JI9OQkd@<m|N$FNY
zmxJ!^CC1_DaphN11X#cO<37$whR!2lNA$q}!ZMbXSM`m1b|0;@IG?;$3kIwBwj`<j
zuUtxhT$x~+Z;@Z$fQ6CtwU^zi=4|1}cqJ83kNR&gi!J^dw}$7WW;52fI6}t%-aWqa
z^Pm@6=GHrzwYrfqR2Z<mlWK7NQZ2MJ`-t)6uHSbn0}HRaZ%rTEQ@^iS&YGWHOqiiK
z;-v1-h+1T6Hg$uMHY*Kf+%&TPBpzGq(n$ODlCscJJ%C1M`P}wMrGmWbYHeS8sN<r5
znSeR;R95BGVOAP$WcMQP`=uEd$HF&fr1*C=TC8WTlZ*b%In`KYnqf5G=%4&=h78fO
z(yjYw9d^9ue25KQz?={j-g*+iK1KlB>SIdWxCK&djD}&?FDSgrhB@shzS>&TI1S8U
zxIqf2PMB030=uh?5i6@k_tq;EIHVK1Hu65VhV=K_#KbPiJ(HVScKmDLU}j-M_v_yK
zNh_hkRo_rJMEsE}R|3z0%3nZ>x9;=s<m9uVnp+s1jP~x$BfLB?xt>`#P#1NFsIu)b
zKEMo^Xf6xS{&uU#kv5X?j2=%S*q)M#Ef5j{el}6J4dW8SQ868=p%aK1TojK=8yb*1
z;mSN_%vUXfq8jx2$#eMAu1KKUk9ZT8j6%um*UT^auSCY0VM%b+{Ab<JPn^cP!AJf)
zNrdzI=<s-Gdfa=kOHZLBPUznl`6I>P<C~dVG7zcL5*dE6spfK*h8%ekR6tdm8~l+A
z6mD_92mg_DL?a(`pu4t^*IWKQBy?oS(I?cKd{agSF`NVh#9tx(((zronj(r$_y6|-
zxLOiV|NOkX_l}MOf6!;x=?j5oAl|7GX(W0+;fnn3zdNT2%%!Cpq@C65Oog-!bR+~E
znCSB*Ay!*)GFTC&cmWkeeZR|Z)Ie;(81$cCtusMd93%6?zy0U~q#xhEdETf*3Jr$I
zy@&T<wY?X|eRGs-@Gx2HgRjx@YsUN3?7|0`#d!kMn=f5z3VTc+MVjUK#EIUQ2;PH7
zdaryy*-I(^_A)w&U1MSCr|)YAu~6@FRL{L_jQ5wqPW6>;*CufQ-W~g=|MOwEL-y=z
z>Rj;DjqKK<O{%pLHF$V-tE(C#Bedo18c^Ze>TncRe13=ZGt#ivq83iy?4sSmBmK8R
z&^d?>C${*6a_`UA--BVh6yy#L3(0?{z+^mKvUhfcmuR1xU4`0q^9Aqkair26H_vwl
zjJ5Jo{<Dxo%ebv7D*-!;fvl<lX<ykEUa<YsJk{tpq5<CqZaB12`l=04d9Y(C5peMR
zN(puvPA{Rjc`0b4$zj;HZ-+%XEI9rg#rbz9!DI&6)b`kS<<DB|WeY}Q(vmtiiHC{o
z8edj>#VS5>^v4#^eaZS8<>BD^2^ut^gS`!$&4`J6tSMc5Ta7dc--~#J$sc!F?d;eh
zTpDE^Y<9SPX;VSe&%auZLS%xk*3mT3w8O(215My`dc!0!+TrDMM#tx)Fa7^Lx=7U)
zPn0;@a)YlkN$^g#+cmXL&tIuU(R`Cu(iD>Rdvc3gdd3Ea>WdW@`Is9hRYR;?-A((1
zz)-%i6zqt=YH&ps1aqpf9y4ml7<-kElKHWq8*>Vqt8(xqC}g6=g}XP4K}$<Z#_bcF
z=dCSTx0n(83;JICX+072cGBVEcMNt&6!oTvqLdGGJ=oxb<rAnAN>1_cVT!rs&cw#D
zN+ddJsvnw8nbiO7tRHY6NNT$m^im6aCBk;g|GfsyPGT_7r7Uw2wy)c6o7{JFI(e?E
z-8R1#-~&mdrDcPY^!r7lPX(#}Y;H$?!9;A(5_dRLo<Ye~?l(PSQ{PYUtYnqtvU8hb
z`m}rO+(qyb?~P24M`^X(I0T7`wh$ejUpZULDF#cjqKE|`mOGVmJT3*xtR{VZ{e&4|
zf12D={|Kk=+J%M1bhsa`S81}!=R;;qX1%}VXvRi=z6q5Aj}mT#w&LH;g!>vy4?rPO
zG8G?lS9;rxTKrOreZ^sl`t{8R_A%?+qP%B~G-QELKk^w4nEiaC8Vf!j*g-rVPByto
zNh<$DBt9D^I!>y{(+M+-PFl_dN0nE)LE~#Q!rT!r<p^;?x|YA2kxt^p+SCPY&xyt0
zFVlT7uu__!yDfpvdA&tC!$gmhGWxAFyJ*GOR8@PN5k(wl=soRn{HW8N##yv<Qu7h@
z@v)pA8chG2sA&d<*?+b+61=)%pF_lPVDcdPW6V=?R|1l{xCKXS`8U$Cl(?A<dDty_
z-d}nkIao@_tt;As_xOKrhm8SM#y_q9lMUP~!2^;$SS-PzjurNAF^mZ`-ZkrC^ol`t
zG3o19&pHnmM`wKE^~WVcq$7>X%Le9_u_dbi8?`2S^vWTyeR7oa2T@g8&$Q(6u-5vX
zmX9MG7Up7$y|YWa)N*LQxzi|`c&yf0(Newfp;Hew#n_L@wC@QK2HpQuUeS@Z<?8Ab
zg)3~qs9@Bh`=_ko;>;_v5sOxxHhV_S69t1-wHqJ&lu=&`ao%<;hw6}!NRd-0zzAkK
zgi8Ed{xYB#ESXE=+s~FHwQH6IZcx9X;q@l5|NQ{=aqHatPtlK`cjDFSY@^60Vxx*$
z9Ay;<tA;Cu|HtIc=#Pspt1a^Y>_~5-CgoQF%mz_Ci;agcH>v2D-p8#xb=2BYA%O;h
zngPQ7#~kklJ-ga$j;0Ju2nY;#{ura(&ym)G8EkM1ZY#Ik8>#JeV;N}#*l4x=w~72E
z=-!k+9$1FC9CDtJ#qUkL;MzVxd)Z>ru3u*-BO_#HZk>>({J$+MSh|d!nalTX(PsyB
zZZOZrrX04%caR`Y8&b73`mRMr#(?||^93vN)X=0<Tzlob*zb$j)VRmhy@mf<#g!!j
zMW3mi>3^e&f`9NRRT!mAx-a=iGUV)99$CqeOjj3r+@{vvf~H(B$@?U0RulYt&Lp4Y
z$kqNgE&OoF2;^X-+tg=ph5sD6LB9B<fGs_0OFDK+T_xBq(U#b^zXw`dk*PO7w}_Er
z20V|$9a4$B=h|Yfc2J?!Ta^={LgOcd7>p@!*JXp!5dL4_M8rQANo9O6T)vE&RWSOr
zKCykfl~d27!3JLq%c0^G>%M-N+>`$eV`x}Jev4XTS#Zl`Jy`ILE-vrwJ5^k&=H`~B
zV8i~Bq%d6iyrH`fK6kilSS|P<;GQ|N{ol-nb&ZOu!=(~F!9akEPtaYOEs_7=H#F8%
zxmk14t;Qc7;VAZYNaY#y_nNy~Z=IZ7Ifj4hF4oF3aX%W;9+D2<uVmKM1cPG0%rvd^
z)IZH={WJAl2}<1DmYmqYd`-%y5+0AhFE(S46Fq>gKUCCI#qI&(J*O9%<9L`)Y@7o(
zWetp!PiYY=n^Ufqz#cFh*m5Czj}nF9+@s<-nhxaB6kUyZQIy8(=da-)<$bBijpZ#e
z8Z}*G<zK2X;68p?i)B$W@Q+f!c#kWgs0cB?{Lhlza}T0JuCPpjI8R33!XM~RA%Zx=
zinZ)<nQAO9g`|Yeqd<E;;k;}{D<-D3iGa5!r}YDC?YsiAM!AOSdaujJ;gBECq1$Y5
z`SjWWzPfLfn$lxv>}*jA((?SXHS^0@3Z06+0$Kn!`B<3bF!1hhQlqA_X-x^4?fij=
zH-?Bp!9(Xxa(k+;7cGQ0YP#A3uumT+j~pML;6K0@r7|Exzg<*jo7qr{5|7Da5wYom
z|2!BM<fohZ<Ta(I#1tIl5w<$^Im8CwviGK|Fn-0Qkyp9j*ys+&?Q`qOGZG7BmzJ_a
z9G;SDDl9A(7Fj-4kuWmNC)+zcJjPxKt{~grho}Pb0|tC4!BG(s<-^@d{9mII=DZld
z`oogJqj>Q4d5=N@0c^@&va?C!G}V`m&O3EaZgEx?jatCI84?lFxq}0GI&zYR+;qnA
zPi3TWN${UJ#u+MV_hY+>j@dtV7a>w-WSZ_D@g*g_cPyzT1C0!PB>}nqFDEDIyZ7)`
zD-8LFnaWE$ZR+3{_}zCPjRj6R#;2NQyp&N1d57%VlHo$$l#gG$z}X_xJv=@#tkVvO
z45bz0Gf_X+q$vFTk?(nttb8y@?D)ptZGCqQ)`PWPfj=y$5V<;iPf1EnaO(KP7d$i!
zl81V>lng9aJ_*r;;6f)ZEE(iLs1W0?6ONIlsQ_~k%sjL)H8#5a`SUkF{}VFYfO@VU
z_<))v0hOr_Y8uM?N)Jak-CO<?$|h@1!<*^3MOQOFZc*47)F#pqXXHXwX)8?>tu`EC
zNIAbsNeeMDCD^bSY?|{v1RDvF))STca7z2n_IggPm9Uuio5IjA8s9?MF8!Spvb0&E
z2vjTgKUGV6@9djIAxUp|etqzk3xgSLeu$C?Jv{75m4PD!c(>mBrQCag2m}%rpmCs*
za|pckn2#~E$oFJS#MMg>10=-kz$kZo{x6+Yknl5E=upVBzBhZ;M$!ciDUI^;#l}~z
z5$?hn4;Y6NA@?=2A%zANPF03FyjyVHQ@kaE!ot#c7#$L6zw{1&0X+OAbmV?y23=84
z9-i94*NtS57xAAZyf)=aId1%vnGM!*yEauv-ho<v_s8h&-P?XOHJ@XdXFLBFMI1Uj
zoxr$_0%aIzn#BkvdZF&qXY$>o`c^kIO6mCd9Ufs14o@pvd*Z);<Aa`p-836W^DS`H
z;7JMD-!Z_Z1cB3GnPEvlI>bf^vU10fY#_G+iK+efSpVWuGXe?{@SYgP6y?x61e6Cg
zm`e$<G{XW`$R0RBw;3W0dxY~`LoI5UH(0OWy8$Pt#MlXJA`Gfxr@o&Qq#r@iEz#u#
z@y8D(qmXE-@EX?Sd58_Z=RVc{eMB5CMNcOyoe@-VW9))4ppW?;3BHt-qWY;AGzr6n
zhgZL?I|3Hw{lHF_0Us~}Dqi-EjPX8y`9UF<W+|9{RVeM_q?B4w=_eVLI6KQ$aAw}&
z9u>+A1CHd0o10LzN#Dcjah+-tY!C%X^*o+LtJSf$=LBX0GibDk{4r*rE~*1KL9G9G
zD~SR)ZadBX6*tzm+lZErKD75xJzu%cbm;OGX_MVuaEhUax3S3`s@UKO|6U##tALFg
z+!|HASI;~Rx#0j;y^bGaD3>$?fg1!(cQ&-tn)Cdv^9XL=`btAS0OIjcK=|6?zt;*}
z6`4)mu&}T*;8C2Mk=9N3nHQuHw$4sZ_W+_pPEPLYq8%y0MPm&jc|sfW&yVd&Oz_4x
zfH~lTdxx2pp%X>Y^SjI4+gm#nl-#26BP&lOvT(P_R&i#@aln_GYrQ6`YXOC|Lm^N@
z@S1qtqSv;Zao0~TN}AijIzGd*0l9oU2uxH{U52?@pw@mD02uILloV6=tn0dd_Vnz%
z69GEM8xA7q-m3ZhSyfL@$<~$~;9O;z3f|u0prl1hOZy?F%DvAis>@G44}eK(@ERC(
zPEPl9q1LRd_mPoz9UL40v<02FE-w6VWdw?a$U<Y_$B#FYRmO>Zl7<Fw+j)6;kR<^?
z0HN5ry-*ragfs}iVBEfyo0|*rS3?^|R+Ci$ATzVHw6yz91XQXbYHD~447=tx3;(5F
zXkl+{PuSp#PKafSjSQB{YRO4Ct^Xs+z^TQ$S1B2i0e5G`Wxz*#a;lRt5H+yVzHzj8
zfVS)A3DfoP5PJd9hkSL~EcP6`*3pvpA!I2aK^LJ}z5E%WkfT(BJzp@nr(81RgE_+N
zBv3SNQTwh%PXhClK>T}(f?RmiSDWfcxlIHd2|+Ex#KJPSwPj$oC=`DF`ZWcRB{-D|
zVoy)sF|)9^uID9~nVT=>r`W()B*ZESg#gJy^~H;>t-5(76_tA$8XBpNzvM(t7yR1w
z*50F$XBHQSR#kCTRaG&vvHgbkElpXLV~aD~$3#$B4!RjKp1*u43$q$W?3D80cOODy
zrep2E{+ApBvLx$o;krf8fWvNRXaFgn)aQ(Ve*hHQ-e&bcOhQ6em2ppSSlBY)Lk#Dd
zU4hf&+qB&XC^BEA0>i8GBLoHyfOp<hY;2KBO9ts4`*KPmdr$wxMd66a)Mo(-+CdYE
zW*EVVgYYC<Jg*eHd#09`5iw*lTZ<l?UTe3g+&pl7{{}Z>KpB`yJ2*ghz_{&q8%5F^
zdK7J<_&tP)?!cS|V}brYoAI_ECMKr*?uM?h1PBoh&Q8~LVMI#*0<k+=v75`ct(W@>
zj|j0~n1H2`h#;1fjQ)JaKik1nkm@U+X8@#^OHltZfj>)i8e$NDmFA-{Z6pEGy9hNM
zn2)<|Eu`+7l~!}jNq|VvFRueE1b`hx@$m7@;mLI1E3f$DE1`>jQZ1@q@Wn!KV>lm1
z0HGlo@H?pyB>ekuFHz0SA_yI^FTiH|2}my%#Kn<7&r1X})A~Vw4f_kIT73&8U_sCq
ze6lq65p=&Hv(v+2<w-y>QFvc+{`cR12xb#PbjbtM_JGNB0Gz;G0ADHm%N#h;b$kbL
zPbQ3p#9hcdLiyy6V`HU4IM2hHd=&PqKMx&;ho=Ekb?3zk`$klA3-dgPC41JXJD!_M
z$4)+VHhJikk<q`MuHs1n>^S5EU1#EtWDJy(lan4B+Vi&p8?Q#j$KQ4mo5K8;m6OY=
zth8rm;Bwn;yYZ4&PzVVNlgt?c>8?6$iB>>c;Nb`Ttze+1cK~eN0Z<P!XN_+aKBoKv
zQ|QmuR$gYNPkw&>)$tAmDX9@mo#ykuC5sn;+4u?6AL6;+z`wA1IoSil29NjK&A`9_
zgSfc&A6hp4gwLNp+t-!%94UgKG%_&ESzm|V6dYNO4u3-ZIyeh-ZF6#Q=~ZmG5%uRY
zFcex}YWL=|=7HsFZ~O_yZ~tvoaHM0VYKg2;_%aFBT7})VqCrj$)JY_=2K6Z15Bm6B
zL9OZ?4Ds1`+x7R#F7l@Fwb%CF33`*bg8+Jx5d_$rOr=O?T~ljoR*-)pbD4E|fPfeR
z)kyFwN@B11>m5Uep7Bp^o0~3oC0P&XW6dYFppc1h8I0hZ5VW_zzKpnI$o6p%IcKD|
z)|Nq@LOg#un-LS7;YC8-7Co88IFZO#94WptrJ{P#^2!RoPi-Gjiu04S=)nt{0MC)`
z_P1#Fad%7%-kj@NTGnapXH{6+Q2RmkLkKkbCk$^Kf!<`GZCy<b0_Op_8}g{2#>Pg`
z);R<S$;Q>j+IkhV$qWESwb&&rEF2OUnGf1wuxEo+Ips`KlA*+X1HYoWK^w68Rjq}_
zY3mC;*MQU0Q_;H|X%+L+4)tJjR$}4ki>q;j;wmeBX=Zk&X3_CP_T;ZAr6+pFiB>X{
zM7c!`@qzh-;E=1R+`S_lvvGBVGEV+=QgQ%rN@C}KXh5LyF<^^yb#)(U)u8*l9S}``
zrIJji@NsZ<wht&!?LA;Z0JW0HZF;xutk1R{;GcpZ^q9nF{Sc66?xkb5U}O6MhEW=9
zigumNDq_#9sQ3V?m)=MSA}C-6l>}GshfC8WB_%D6Is1M6LTsA)m9vYq9oAhUC>2&X
z-K;BnF9DX1Z$R_}L7I909vKAo8oHhKiG@B`B13+LJ{1xvMizQ}&P~sJ;isu{X()(o
zmiLKFLuP*R*aDI^g7niWy4q1)%QT{_7(HydRCi_GDv+ejissUPk2(i^A--R8b4vR9
z`tQC``+a@PL6qCvOxiT7WMDw;=jS(JB{@$3!NJFmgfX$PLuNdOhlkJA)Y@yzhtY4}
zGOL}^XT3&96+-Wv4$M3tyy390LX@j=pKb<H1o^1t;|eg8EiEmJLd$?x1RxG<T;Iy}
zG&f$1n%$SmDlH9vO!*i-zJ8#7c)jBdhkxt^Ku@hEuV%@y!E=Y`kdU-Pj2V&kS5$>F
zGWE0RoR)I;4QR_Cmol??hxA^%<zJRiIJP%!>DnH>aCCk=p<$96ZY&{2=uE!?vV<j@
z^+Aar6etigJ{NC!*=%Q1Ec3mZL^y*m!*Iw%`zTqhmZ(K{J;ZqB#m4RVWrloBYepQP
z*O#xDMEzdi&aWUSNzpUGDuA>QB;g>HEc>{_fAOJXEbfCQ?HhYI?d=sOPkD?Zz{FJ2
zVFCxnoud^?op50bVSXZ@SXGAsuFyxwX&S19-Ih>fgpRYOXXp60#%yPP`V8|jm#?2(
zKyoFgg7QI{<`m2Ki5O8O_(V<_f4DVCsC~g3@NhZxom@^bN6n-i1AAazPY&UclMx7-
z>`3JdZR!&$bG`xx&MG?_g^Cpsa&+g>ejlEgVSbN`FQIHpVH0Iq2U_IQvczAx(ru!G
zAdd%U_Q?)T%&K46-Mvfg#7kdrjXeJ3MID4e@YxNgr!UXXFQA?PA?vn=`smWp-Hb!9
z+*!jGAyE<JmAT$mon^VS^tfcJL~s?pq>9A88W-mtG_mee4=)Hl<>W-_F@^r;<P@ls
z$SH*vWL3WMrRwA@7?uKKdXKZ&NhME}vzF5IDXJE8sDzX;D+qwlQhcrQQ#*M3=kGem
zh^sMEJ-bB}sMX10NdodC?N)qbBm1g|=Mi~JtSy6m%*JSOCJAz!5Jn_GA?|sJ2FMIV
z*zDiO+_Fa<q_Nl0)ExaaISY=EWSM5S62}u)Pq90wD1u4rL5`zR|0*c*;1f$13`fUD
zGk?WhR(;{ZZc>dAJA~U>-dahFDCYXb2sbu{goKhl2ss^R3iX{{j-Oh?Pkd4?UfOxL
zsEQhDS|K$fv~Y-lPLy{&lLZN#ldyHJiU=K1fHIgX&2HDSb+Q(Ps7_$h*|Bji;T(iU
zAE8Ztf1=3tZ*E26(dR@n%G{3Vvxd>80vT33GU5>X1i}M94GlHu$z%s%9Fm0Y`u~;d
zROq>BU<Wg~#TBd=P6Hk@cFJe$CUyX0!Y(K6_LHi7oC2NW&oMMT7Sk>p=){Vx;D-ZB
z3o3(9e+w#wh#D%gCXI)550=}Hi?u*ha5AYK?JaXCwc12j&bQo|9<sY=*4FLp-5|X?
zshA<=S+@oN<9>nV@Y!v4c6OOE&9@*K8g+Ku_5J(M;9$i?l$kk`bCYM?2_NA#Q0U%*
zj&RRCnhsiM0hKp=%OckH+LtO)KuX2TdWX^#$0-Gem)O?AJQg`d0y=8)Yir{{^*56d
z({lXN?ABhb<@okTB=MsWHGrJjABpYn@4o|y!;q+`1ko4h_CKHuuvf`B!p|ee(Qyy@
z5`1W=4PJ`xfm)M?*gREPIn=Q~jyd0#5<-G(dRIIUr_!<5>U|I{kVc8-*6}F>Dz4}2
z1?_c!!vf(?5df#n?lgLeQQ(Lk;y%!IyoWHPfYL;&pS1z=OD=Y?iO`b;7pYm2@jil=
zi%_n;{39ctT~iYWywP`28)e1C2H!&o5S}WI_$9|o=q^a#24+;757UEE@K*$8je9@@
zKi&5PP=yO{FDrmFTS4FviSF!!-&F0mu8Mdeh;IhA-o7|Th^(Fh9=gXkLAMiuh0JC|
z01tH>y6F(UE-)5xrayuI?Eru|2heX^aui|$CmSwKbeswhvq(^R?HQu$5cn9KE}@{!
z@aah%lweh&p(>`_hc)lqfLc^qESkITPY}<0M?kmtQF5pzOT0fs=*vHW5qR3~(%O#r
zXkaMvi;xdgbh*&~6=t_>0sYte1O(ABRXgu#VM7O_SmAbL(RwkvgK)~hrSAo@Cj?*!
z0_Ejtm-z2Q!$=4T5xmmfr7(5}2qL(E7zyydZ{WH&bvfPa28pkLPj3QtKh^vC3_)8w
zxo`#76?vlGo(3$hP#7UAf*gk!c!XPz)C|B~#1o*Ur$>A!kk<NOKzjiu`W=*sy9C!#
zC11TFMnOTD0Se^hrm6UH{c>cxNwxh}?f5>Z52smvY6z4HBeVxK;wt-PX(R+p50GJ}
z*C%ZQAbMNBo}cpL$BzY2KF$HA7*fG-ca+y54QN2F{J}FI9o}#>%B53Nc|`;Jg}jso
zYtlN?A4jwo!-BYXvi&7`Q^o!(i#xiH-;0bb=-i09{&$=BC_+w7o@j5X9w@6+M0cv}
z7A25C$g>NAeZ<tj^HKsU3B+ZDc5f<p)Cd$Z0t;&eyw8k{YY+l1Dlaz$rRYU38_kk<
z_*w}FIa7$fVNywYd5J-k2710}#l_6jG&IO?3=bj*hp3HKm<b4yB=RZ3eKgJR>;y6J
zZ&5d(54sviVzU4!RFnk}f?Y*~4w1s!NDC05t-|-l688r6YDByWz*B%bc6whQP_O~m
z5-5e`&HI>u-~$2N-2w0G*yQAgptp>4ur|QJ!V(4`=Wvi?1-Fz6$-vMMp~@W{9sNlA
zGlKr<3wTUF2r8r1lttrLR*VE2{fX9~@c@7bnK{*A|AH|h;A8|tH4myq-^v!jQGxh6
z1`nszGG8+%i;`dA77M+t1f<E)Z%em59Wy&T)~dB2fM=cR@RJD%Bv`9JELk5z@C)y_
zPJ67fST``@5YcDtxZbp_gr17Z*O`X5LD)jCD&9P)Czv+liOI;oc?`%ndwcsuBhojW
z;l%E`C!eAwx149T7Zc)HSXh|Y+1LDV#L(yYUAA?gZPrEm8X=Yp$YUDQG$%rvx|F(k
zuau2XO?Q0?3mG99(Z2EM(W5&I%SZtM0gE>e2ne?9Q*7!NQI*8bj1ZAFg0Tq_s`mt|
zpva}pOyDX=jOb}2SSK3o_JvRs@D_BmC|mT@wek^q<s?I|*t8L?VOumbTP3KekaOJB
z>_Kje%w|*{=lc+yPF=QSu+Ol<SMp!VDA(d#YS%IXxxNS#L@d4(R*zjhAm_ou^2b;4
z!D4Uzpl#a{KYw$50$bIk4_mykk<l*1d3T#^K`a-@N&()R&hm<ixn*S$b8~aMZ-&xz
zpBx`cHn77ZPqptP*6})9{qo$>{a;4KsczL9Fok=Ak~j!i-CK6Bytnt9ehm-9piyXQ
z?cLP5tl6uKZlH9Dx8J$=v~;TqD?2fUJ|7xb>iu)6k<D$)k}s|rvh>*5&JOa8n9sR;
zbhr{qd3r{w5{l|gQR}hTd~V%Z{K5C-&gC^F{hEQ4xo+OtRRVw?FC0+Q4@3t}qFZ&T
zk&uWZ<eolJKbvcG3WIEn=8eR4z|b~)fzz|Idn6=bAt52x*8aFld#0wAl76VpI&w`<
zSZoJmT5o=-Vi%2bomOTd1*nGH3g9`%FAQZaW_IGS8uTID?#JO(QSL*T>N`~QxL!_I
zL!zgrcbW=PDxg{YW*i<7p(1bobk7C-M~1qv%XY4Alk?%u{QR4<FYi$%Ve<mu;Sf7F
zKR<(rNGgz2?O_Acx(JPk$a__7qL?b6()Ngh1J}^d5ZJt3fOwRB_RM&y#vHK;)KXZK
zmJtg%GG=9E0T(gl^3r1t*!HBPq}PMB&(cMb5R6)GZf*}xPq2#x_4SEl!p<TbZ>~YB
zdv9+~AB6G|2zv^O46TfV-Q7$;zdn_g#v>t7(9<I~?21HiU7dt7GBY!UJT=kx-tFz%
zEgzo9&2;w^?9nLdGCg{<wArA**hgacdm-$bEWL?qwuXgD!ixQ0E6lA7i-1u{#}VVT
z6$3z%r<GwNxt{&U7%x3BJvnB60ZPbTvJJrz5xjG(Gpn4+B71SLw(O6#va71AG49@_
zXJQIz^}JYGH$T0-y|g5urS%XQ85wZN!%Z%>uo}q8$pr)i{v1?=g@&3<)i8;PiJgyp
z`10lPl~;IpcyMs=0?=2RAtwoJ>k6=%w@^@uii@e)*#|N^UG3~36bXcc#X6cexwu#A
zVtWut>T4hti@G0o%*>GbG`Z|7ZEZzVS93#N>2PcMfvKtK<<-?B;ExfBjjgF#8Zj|)
zcqaP?2j=swqL4H}rDS9bhA~5k+5f80mqb{L)YR17!^5X#n)rBl+2YPGUlNU%zc%el
z=GAF_7af50U>~+@HC0t#2nWRoz`G>Qy#<k8rRRk+B0Ls9s;$Fa8sg?sePe0Z7tmwQ
zW4*a6+u9x<AD?=*D8kHQs!oWl!kCM85K_P)VQ%mrCccBsd~So<uz2b>19N>P6n9~D
zW;)~5RoaZUr`7ZkoV;b)JM|J-Uw-^RcS-n-7an%LcNCK(v|+M6(*X15BFm&(2Z+I7
zPTB_saD3nnW8&ixFyQpl<0M{7!jB(6-o%H*`Qt`)9;Fb^XgpXtQ7;MVC+P3)qd79U
z+xeL_SAQdGzv+ef`gX8n4k}J<2H2W@`q!E7TUc$_`n(Sggwm9RJfF7E?%-?`=I1W7
zo6Xd7wzwS`eDOgBw&;h{)Lz&oFFNX;L8_31&x(?XNzUdzRr(v7PyM;6Z5^v6;})yO
z*LoIC_X@3YRW_^--}LD^E$-a?F?xc@$;I_6N`a-mq;q0|=taUj8@I=nG-`m9)T!vG
z*3|0};a`&14|>34gE05R^fW#$Zl<z=YYYJ)p#!kv(SGM)QKdhE7@Au=wY}0DKUtXf
zs{KOHn+e+~Nst+fso*7rxx#)0H%pFFPh$e{$X~})u~>f>ES!gYg%^qwba@Zi^pvEE
z)R#7v11c*I=`b-6?G+<$A3h^C^%4krfmJ6i@<Z*G1ICXVwVwejiHU_~li&PQBT(OR
zR|{DuIE#`&hB{f8FFx?W(Z}#A!1?Nb>FvGW_PMMf+1amjQ}`F<QWn9ChMJ~kU_ubd
zt4SAu6i4#3?SwV{2Jf_jrm)+~61O0J#q}2dNcdZ1_A~Fetx1e4i^9XFBKO^ewWsP1
z=vWvMHrA6)YmYn^78J{rWTuWBl~S*f%QRWA8E8Q}2z~FwMBk==c*~=^KCLf)WJ6u^
z=cAOR6Q=UQ!JDSiX5U`z$r{^@umIOB$N17z9i>z;1y`y625P*4uk7$W;5I~+RJVVd
z<e%2rhG~|-ZUGv_39>mN{%O;5%bV*RZQpB6jOQ1ds+rEw1mAM2T?*ImCaxY_2Z_KB
z={6e*EVjyu8v@z|xOo416tqD$w&vLUeONWVX)L?lmUN(4S6yMff4KH5b$L%8p@w+-
zG>QWUq*J#687mJ{xt69*&^>2+-O?EmKFw26O(S~n*$a3@nb{KBX)@^^@83S~PA8u3
zA465ZdfOn^F(1>6gC~Km!qAs2@W$4(r<P=$RNRS>p^F|k2CC(=D<+++&7!mBo4ZEp
z8bzh0w96*U#>uK$H6EBWIT;rPP^s_kYltXtvFv3nwfJwu1#5qI*CL|9)roaW!U=io
z^YQsW-2Ddz7Mf%)Kbp&P@^P+Cjbhci))=jvzG94L{@KH0G%L@*EgAu@HX-~NmtbB|
zbKc<W?&?Y`WGz+p_T9|t%}bwiJt}DDV=gwEnpkYLEMDkvF*Sc<8>CiE&*SzZB*4Fr
zJ$Ew;S0Z@6tVUh(yzG&K!~WoUjXJVC4NY%fpV|8AliypyQPz`^&&)B@q}%-Sb8pk+
z-Gc;G=~Vp#OA_Iw2bX>wey^8)ueXmXba$}5{Qh>}B)?g)J(a24;b6*`G^NRY)d0_4
zVSIQ_+=s2KRKU3sJ+G=U%F<CCr&BSqUAAbYj6YvBpGm5u?9K1X+sE7IxNWAOdKI@j
z_cH*YL%&H<wb?R2B*^%I>_V-=_9fYu{)~HmDFry?k?H3XwffH{C6)OZ_Py2BGBt;P
zc46gYkUN8kfD@DwYMPPx>g{jSGM=0bODcno;#ZUpxDsxN<#mY+*`gY&MJ0QC442W9
z=gbk0voc|R^t>p~;^IRkA2{^G>Ym>-w7ENdqA|ecv68|LfD}@(UBPZs<qFRooW#Ur
z`@I?B{0{%h3%iFY<E)ZJs+CRyCqzu~9^QY^=gGun-EVwei;l%(iSK%+wEbR>)J2|X
z+K@z|4s2G^&>&bJFXz~L-Ghw&SM-A}MVaC0MAH3YELo9Lx>(bevxzyBNkKuQHT8md
zkaSH=;cxH!iAh64^N_EiYoz10f&$hf)?Vyeb{L%jAAAr^%``?928z}BcPFMM-dG!l
z<mLS*jrrdidtMfkyU0MpsM?kaaSDgCEXP0_uJrSA<V5Y4_M5w2FpWB%Q54-+$;ok!
zm+LJ|WO*tkUbhilsTY^Gcq46Hp$x8jweVz=G}Va_-LR^(({q>`F~Z3IOixQ$C;vr3
zGTp_Wmt()&S+lq2vFju(+?^na{%-@jB=FF76}Ml5gAm{Ib-T{CPwPA`j!f@tk4F=1
zoFEMfa`-Q_`W<F?I*r^cEbaA-7d}Q-FVG)}8y$<g)(PqS_N%dfZT0uMpL>`l>A4%f
za9#Pb_X{i6(&-`DtPkuyxKV#EXrEF3HGqN{7;BLjPxD$W@C_SW59qy*a8V(pYhl5B
zc6R3NN@6on@g5?Ah9v(}cHs=iWNgd1T($A^-o(0?we+37B>bR1q(r?gT{ypHM)5QF
zwkm6Ff0zo78Cn=fuYJMgE7O%<RUS3&XGk*{{Ur!bc!J+?;cwpG9p|a|x4F84uL}-1
zI63ncx<vepVTks}NYu<{I_}|=kL|bPA@<f{Pe`@{rkxxp33+*RF55&(c`df{V&GsQ
zn+;|EhZ%4yK;lV`bVMSbb#kkS7EBKy)PL*ii&$8A<956m5)_06F5u<pGUP-!Eyo^R
z-Bedq**Q6_Lg;{0tWbqb#F07X+}+&`ljZjS#2oVSnBbrK2L>)JFSi5c{CXGViJTmU
zOceQ*?lh0(Sol{zw41+<LlVK_8DUKiy6$e#{9d&QC&N?RKVd*jNgL6N#qmlO_7jV)
zxI_+VDd&Q`oniRucS6q4<nuz`v!8OoOc?Hx8mv^nK?;mY`nnQ*mB`V|Zrl4X%(REk
zNhnH5*M0x0sQr$|*M!aKQ8M!Df&a49i{H8ad3W{%V~?L&L$kxy4XP$d!Y*u{=ZA}V
z33}ADwEmTbU4O@Mh`DaRe*M~{KUEF_^iv4ocaM(fxVd9@ckT4N&Ws^@`mOEyi2ZnL
zx(j06z5V@L3oG5Rk8~U3z&{hUd$^kH)7;#g3W2zas;Wet%`7@LwlVlCNJJzghNh-n
z4R6=Xe&vREHOa-&??Ksy!*$>2cYm6~^XIrIsCVAX)Z0TQ;vPA9KcviekFT%FXV_o2
zD$cih$~}7qLwK}49E7M3z;7v=M=IrMZE?pFny-r1DeKeSqQQI75p7l}3P0M|-!_Vl
zjSqn_9^-RHogR&Y!s`C_-WiED5eAl6ii5XilRu-Xs#FyfOH8vL4aYsqEsOg|n4?|{
zGitP){l`FFQ7je`F~90r#yDz)^$t$d(Lz@;GfSDa+mAlB4w~oe?mwVn{;K&MrynY|
z!Tw4&+`44jHn_3j4|zj>{E(gVzVW<zq>pewWg<zb`1n4C;4|DB6@?Xk{1C!tn3vb@
zTZ+JoP8D_k7)>Kn<$7R(K-oyEtKaA3<V+QElE0aR<<l8SrU3tx;dNf*)u2^o^40f0
z|DYgl&vQqBOa1rQ#DpIFer|y|h=G|{Sy#bZ+MH`iS?x){CnM_vG*SKAwYxxbp@(<{
zY7ie1P7X>2x2Egx2?)Obh^7&A-Csc&Scj<E_059o#j&;9$u{<5M@OFNI$M6T4FJQ7
zb9{l~q+pIr)NgqG3<P8T{<m9Cm#{oJ?hY2IF#x=MFYN2-6_k^Sxs1@Qr)m~6ZY~SH
zf@QViv!2R*oj+s-QjH{wi;L&RC)=~_las_q5Q4)TI!XEZ4nhTddPShP`vS-Wh#TEM
zeo%^ur9*H8v#@)z+7wy9@eeMIbU3AuP%^7FdFq9r+o74?!F`F#1h<^~m?F(u%j;W~
zxZx-~7BhF|oyjc!TSijq-#-1kWrp}i^RZM-YoRx}>IOFYz($fNQXl<E#m`?ig0_s5
zZ}R*64e6Vn^HqNwa+-Kq{|`Qw-TA}o=olDOyu9&y%OKMKM|S*^Zuh`|>CRls)2B}t
zc6OBEX~5{10$T{l<7_qI&O;v1ta+c2K>^twe}8|(OB5CFfRj3W@?&lXD(MhlqKb=)
zC-YhVgj`K<RFvtT!K}kSLw<vU&y~_ey3>SR&@nNyA)ssC|H;yu!XE|C9g<h*=;)N}
z>`{q{M2}cm*Jm2I>ul%gg@sd~N;tpp4jwx|N5Z*H`*HE{+mpCW;pG6m`M{>z_{PYn
z!yf~mk(D(M_8xV0bzBOH0r+Slh(4b@dEy@sV87IX0X&qWHJ*37Z(#3IR#lDpx)(_*
zC;^X1<&x(e0}oH!|7+>W<DuTyur2D6y+NU*(5fWc!PJzcZjw`p;SxoOY{gMDmk6h2
z)KSOMMs^uXrHHX)Bo#^a$dnSvn#s(_%z1w9_1Djg`Iz~B-|zdp@AE$MdonXu`S%yz
zIdc+^ng4jbg}-fvhE^=WlD`lir;7h=-TCO~puj+G9r=A%mlI&XxgwMyh&Um$+_E=~
z5jxsq^|kr-V!H9MX7yMZwP!@Up??n0)JIB*j1;M4GSz+yUGIL5v*gJ0%e8H7%IMtC
zflp3M)VzFo(cY35<53s;7Coe-oaUa02=f3Y$B}XFCswX5PEK1tJ4U`#Nb^~v|8C+_
zq*kjc<yTW%-pkz%L5p}~(vUE~%V&F?<j?>1JdK;g3>@As1n2Car+j*(<BEz~m?$Qa
z5OEOhbG5a#A`((k1H;3OpkYN9N=qLBSH>3^=XAPve$^>*ei%y-uw`XsRAxC+BQmB0
zpzi3=RZ_C*HSO(7A~F6`R8(|ALh$nPDtr1=QC0N?ET<OM5Zvk1lqYZMo7p4uPWLi1
zW5Dqm1hQ+~nU2Qzf~$XTJSBaFmR1zFyuTMnlSEn=F2>EbOrx(|Q-H6ZH~Rjvii#2O
zCcNyy(MCncmNstONPGsg+#P1tp`k`}I(>#SmaIe~AzS>GZ0Mu7oW|AK5vwYg9BRL>
zg82J9IM|wFzZ@oZ&G60gX<;WMjpq+D_4V}FU@9b;-$iINnv;u5VsbJO@Xk;CHTGxk
z+5F;%thBWD>eUxO<`Y~mXm%B&fDf0;dC|VBi`<y0IONzHnHuou(NCTj2UPKN6ciK)
zdBWQa8*zDLayYLIbuexUA~adgpGzt!DPiKSnQsvz&q??_@6+8&{WoIeDPmJn_w(~1
zRqdNmcIV|3hN~Vba;xv}?@yEB4CmaHWWT(zjypTMOd^TMFL)Osk9<3u50epI11;%0
z_+A2m0LbCt>+2i%I&~C{e)%8cn(wmhwm1pl9`*6_XBPG$#qyk)nwlC|6N0VX=w9U)
zxOZzqo?0>2x2M!Mr@C2KX%s1|VRkhsDGr$yyrJX>$eZYl3~i`|Jn=h99(e_Y+Iv=)
zii^3tgWsbigRE_AlvGq~kTO9?f!u9BJO?f}E-6VxR#w)@<xq7Yqj7^U0}~nDy|>tq
zh#Z?>*MjEu^z-AUo@vW<C~$cqtE;P9=*HY_YirAhO2Y19N*#}*B2OY&Qz#V1-Ojn0
z8l?0;<KtWOM_RL_Pn7ai#w(W2kXgM&4<0B&76jGOub=2bwRZN22m7x3cL8I)@Ii=N
zU3+_}V>=zu>FVlAlrDgY)1y?2UD1yBzhE81!VbvoE+@zT5fqe;RKa4ghQ#yEpFdAU
zMt|S^{{0aTk6LiW(|L-}hw#&|>V-1uCRafRThrAWfzpAePTgN(m<?^z*cd$}MXkQR
zp8v(v)KpSfEsVgt9fSV7kUj*c6O~Fp++1V>=;wlhf@#sg#zfu5*RPLa4G0f9$t8Bw
z$9|1teHDv;E>l)!fjuL9*YvBn_XPYCh5;X3`?I%VHB`wo^YEFm_OBV8CL!OHL6Q~R
zhz+g=Ei^DV_?$aAzynbOE;y>{?CvXIZ&6=dVlXx!V;F}e!dGdyznbhGF}Z+5A~`uZ
z$tx;?uIka(d{<w80r0!@^Zl=bgP+)JV!b&7a$^C))U-;S<H9$yU!Gl%HZe8zK!IBg
zRwVntn!Hw9t8_lR+2TreuUU+C;P>(17vY?5R-o?_b?jDx7K8EOTc9KaQ;-1Y0LR#v
zkqqEn%4nJ=<FK|uu|l0q!I3Q~Dfz#$%+u3zx|XNE*~rNI7k6@cq%%R=h8{RQ<RB&{
z)&;rFu{U?JcEri5n*^fTGSAP?FD@=#VPNnVFq#PLDxn}8PJ~T3lXdt<lhf0gfCY@;
zg89=vZsDV)ROYj-gh41o7j>WNFJX&5LZxvJi;C7yXHW9BYTBGh1b0&dT|;}*rmN6;
zT)lpM=j_i>9=sNTg`Icb&7GYd+8!Ki0QnACn0|0ABJ=QYYgTFNLE4{rd23+2c7!|e
z@pbCfOZY-GjufjbXaHGN+rr|ulJ4FXq;#0+(I(Sv()Sh9=FY-Qa{tJ7kO3C~iH;0v
zeY}FUOh<Q5PiwA&Hh*UP4R*J?{FLsxLxrmVOjA?A2m~2Pwit@+SZvh8&{1mhUGf`<
z7=}8FmP3za=--<Rlzs?$4uHtQ6Y+GqH!8^pU;rRH9tt=B;P3}#Mb*+*n8xivp8aB+
zkUR6eU_)NM-e0k~MWSb{P`FKH+sE5veQ0XK?cH9YfOjqn)I!Np)7_miH#_sLz<CSi
zGbN87dxL1i6c~`0VivM?-|bVQgM-=q_BnfR6EZ9363+$1qzLPYJl<jU0pTqZd{qU)
z6zD<;Q%q!Of)+-^igYks8j$f&PY{Rl@-kyM)bE0P12WO0s5Jox=xqAg!_F2OlZF4O
z;9>yQL`c8Lf=M~l-zZ|!5qDkPbFQK_wY5=*iz$pIH~IIPL_|cGgiWmQ_Vy;q4AANZ
zuzUmL;?AzC&CHhOHhb9H+NJ@ca16K5Dm_MBz(@mBUcn>PXOnFZ&MIOA&5_Rp4^{5>
z(dFi(Gz?pBS)NP9coLZ~$NleHw=PFViz6eUD9&&UiNgM;wF}HGN)r>62%2#7=4%9+
zI%HT6KS?nOS_yiXzdaiVxsA+12F1uyg0z7e!(>`4TC@n_9KswADczUT0-_~|T_Z}2
z8qt58!LYCE;W0Tha^d0OmRz>DCGWG6x`u|@W={ztBO?sVkQ#R!Kdy(E%fwt4>k1ke
z_nsPr?=4X(Pu;X>3zxmJG?;VN?CAr__3Vz;6`Xj-Q*vux1s>NMI2;ppAXB!SYlo@N
z>F-_FP!0>zQ~N?n(M9gDvqSLAx}QCVl*ejlAQxY3&M<_;#Lv%9Fg>tvvP`cmJmLC}
zL;I*(cX++sM{cSNGeBV8TgOv4xr;Q~^N7`9t@#Kwr|Yk*wi6ujA78Ed!0~wa`@7|&
zj!@ce&Q^gL$unNFek~=-Q1XJr7yILebjL$cS4x*`a4GZf@z{8BWz0N>cV`uqL9%l$
zZ)3xhdBFv-E&G)Yti53v`#)Mv9*kM_i{46rLySDdb{oE1KwQqhlDM2F4)DM{r7{1U
mD5N>WAJ4OT#HC=BP%ighr~Cb5$74nCv&(Al&O*xJ^Zx+oftxD;


From 2bded25f359f89145a810af0bd55f087b3152464 Mon Sep 17 00:00:00 2001
From: Ludovico Magnocavallo <ludomagno@google.com>
Date: Wed, 9 Nov 2022 11:17:46 +0100
Subject: [PATCH 8/8] update changelog

---
 CHANGELOG.md | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 6166ad9f..1d058a00 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -52,6 +52,7 @@ All notable changes to this project will be documented in this file.
 
 ### DOCUMENTATION
 
+- [[#961](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/961)] Remove extra file from root ([ludoo](https://github.com/ludoo)) <!-- 2022-11-09 07:53:11+00:00 -->
 - [[#943](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/943)] Update bootstrap README.md with unique project id requirements ([KPRepos](https://github.com/KPRepos)) <!-- 2022-11-03 22:22:22+00:00 -->
 - [[#937](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/937)] Fix typos in blueprints README.md ([kumar-dhanagopal](https://github.com/kumar-dhanagopal)) <!-- 2022-11-02 07:39:26+00:00 -->
 - [[#921](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/921)] Align documentation, move glb blueprint ([ludoo](https://github.com/ludoo)) <!-- 2022-10-26 12:31:04+00:00 -->
@@ -91,6 +92,7 @@ All notable changes to this project will be documented in this file.
 
 ### MODULES
 
+- [[#958](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/958)] Add support for org policy custom constraints ([averbuks](https://github.com/averbuks)) <!-- 2022-11-09 09:07:46+00:00 -->
 - [[#960](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/960)] Fix README typo in firewall module ([valeriobponza](https://github.com/valeriobponza)) <!-- 2022-11-08 23:25:34+00:00 -->
 - [[#953](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/953)] Added IAM Additive and converted some outputs to static ([muresan](https://github.com/muresan)) <!-- 2022-11-07 13:20:17+00:00 -->
 - [[#951](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/951)] cloud-functions v2 - fix reference to bucket_name ([wiktorn](https://github.com/wiktorn)) <!-- 2022-11-06 07:32:39+00:00 -->