From d6b402dd60bcde1777c2e9dfb17b15da101d28fe Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Wed, 14 Aug 2024 20:34:12 +0400 Subject: [PATCH 01/15] feat: Add auditPrivateSubnet option to ESLZ portal ARM template --- eslzArm/eslz-portal.json | 21 +++++++ .../AUDIT-SubnetPrivatePolicyAssignment.json | 57 +++++++++++++++++++ 2 files changed, 78 insertions(+) create mode 100644 eslzArm/managementGroupTemplates/policyAssignments/AUDIT-SubnetPrivatePolicyAssignment.json diff --git a/eslzArm/eslz-portal.json b/eslzArm/eslz-portal.json index 5554a5377..173721b32 100644 --- a/eslzArm/eslz-portal.json +++ b/eslzArm/eslz-portal.json @@ -270,6 +270,26 @@ ] } }, + { + "name": "auditPrivateSubnet", + "type": "Microsoft.Common.OptionsGroup", + "label": "Audit virtual networks for private subnets", + "defaultValue": "Yes (recommended)", + "visible": true, + "toolTip": "If 'Yes' is selected then Azure Policy will audit whether virtual network subnets are private.
Ensure your subnets are secure by default by preventing default outbound access. For more information go to https://aka.ms/defaultoutboundaccessretirement.
Uses the policy Subnets should be private.", + "constraints": { + "allowedValues": [ + { + "label": "Yes (recommended)", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ] + } + }, { "name": "cuaSection", "type": "Microsoft.Common.Section", @@ -8920,6 +8940,7 @@ "singlePlatformSubscriptionId": "[steps('core').singleSubscription.selector]", "denyClassicResources": "[steps('core').denyClassicResources]", "denyVMUnmanagedDisk": "[steps('core').denyVMUnmanagedDisk]", + "auditPrivateSubnet": "[steps('core').auditPrivateSubnet]", "telemetryOptOut": "[steps('core').cuaSection.telemetryOptOut]", "enforceKvGuardrailsPlat": "[steps('management').esPlatformMgmtGroup.enforceKvGuardrailsPlat]", "enforceBackupPlat": "[steps('management').esPlatformMgmtGroup.enforceBackupPlat]", diff --git a/eslzArm/managementGroupTemplates/policyAssignments/AUDIT-SubnetPrivatePolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/AUDIT-SubnetPrivatePolicyAssignment.json new file mode 100644 index 000000000..fabdc9013 --- /dev/null +++ b/eslzArm/managementGroupTemplates/policyAssignments/AUDIT-SubnetPrivatePolicyAssignment.json 
@@ -0,0 +1,57 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "enforcementMode": { + "type": "string", + "allowedValues": [ + "Default", + "DoNotEnforce" + ], + "defaultValue": "Default" + }, + "nonComplianceMessagePlaceholder": { + "type": "string", + "defaultValue": "{enforcementMode}" + } + }, + "variables": { + "policyDefinitions": { + "privateSubnet": "/providers/Microsoft.Authorization/policyDefinitions/7bca8353-aa3b-429b-904a-9229c4385837" + }, + "policyAssignmentNames": { + "privateSubnet": "Audit-Subnet-private", + "description": "Ensure your subnets are secure by default by preventing default outbound access. For more information go to https://aka.ms/defaultoutboundaccessretirement", + "displayName": "Subnets should be private" + }, + "nonComplianceMessage": { + "message": "Subnets should be private {enforcementMode} be enabled.", + "Default": "must", + "DoNotEnforce": "should" + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2022-06-01", + "name": "[variables('policyAssignmentNames').privateSubnet]", + "properties": { + "description": "[variables('policyAssignmentNames').description]", + "displayName": "[variables('policyAssignmentNames').displayName]", + "policyDefinitionId": "[variables('policyDefinitions').privateSubnet]", + "enforcementMode": "[parameters('enforcementMode')]", + "nonComplianceMessages": [ + { + "message": "[replace(variables('nonComplianceMessage').message, parameters('nonComplianceMessagePlaceholder'), variables('nonComplianceMessage')[parameters('enforcementMode')])]" + } + ], + "parameters": { + "effect": { + "value": "Audit" + } + } + } + } + ], + "outputs": {} +} \ No newline at end of file From 9ad96d9a7a258c97d627bc2c8b878bbce657187d Mon Sep 17 00:00:00 2001 
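Review bot: The assignment's `effect` is hard-coded as the literal `"Audit"` inside `properties.parameters`, so the only knob the calling template can turn is `enforcementMode`, which for an Audit-effect policy changes neither what is blocked nor what is reported. Since the change log added later in this series says Deny is planned for a later policy refresh, expose it now as a template parameter, e.g. `"effect": { "type": "string", "allowedValues": ["Audit", "Deny"], "defaultValue": "Audit" }` and `"effect": { "value": "[parameters('effect')]" }`, so consumers can opt into Deny without editing the file (the allowed values are the ones the docs table in this series lists; confirm against the built-in definition before adding others). The non-compliance text resolves to "must" under `Default` even though an Audit effect never denies a request; the wording is only accurate once the effect is Deny, so consider keying the "must"/"should" choice on the effect rather than on `enforcementMode`.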
From: Sacha Narinx Date: Wed, 14 Aug 2024 20:37:41 +0400 Subject: [PATCH 02/15] feat: Update auditPrivateSubnet label in ESLZ portal ARM template --- eslzArm/eslz-portal.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/eslzArm/eslz-portal.json b/eslzArm/eslz-portal.json index 173721b32..787f5fb01 100644 --- a/eslzArm/eslz-portal.json +++ b/eslzArm/eslz-portal.json @@ -273,10 +273,10 @@ { "name": "auditPrivateSubnet", "type": "Microsoft.Common.OptionsGroup", - "label": "Audit virtual networks for private subnets", + "label": "*New*Audit virtual networks for private subnets", "defaultValue": "Yes (recommended)", "visible": true, - "toolTip": "If 'Yes' is selected then Azure Policy will audit whether virtual network subnets are private.
Ensure your subnets are secure by default by preventing default outbound access. For more information go to https://aka.ms/defaultoutboundaccessretirement.
Uses the policy Subnets should be private.", + "toolTip": "If 'Yes' is selected then Azure Policy will audit whether virtual network subnets are private.
Ensure your subnets are secure by default by preventing default outbound access. For more information go to https://aka.ms/defaultoutboundaccessretirement.
Uses the policy Subnets should be private.", "constraints": { "allowedValues": [ { From b0205abd130491cf7ef77b0bc81d0436f2748ea5 Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Wed, 14 Aug 2024 20:39:19 +0400 Subject: [PATCH 03/15] . --- eslzArm/eslz-portal.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/eslzArm/eslz-portal.json b/eslzArm/eslz-portal.json index 787f5fb01..93be2f8b7 100644 --- a/eslzArm/eslz-portal.json +++ b/eslzArm/eslz-portal.json @@ -273,7 +273,7 @@ { "name": "auditPrivateSubnet", "type": "Microsoft.Common.OptionsGroup", - "label": "*New*Audit virtual networks for private subnets", + "label": "*New* Audit virtual networks for private subnets", "defaultValue": "Yes (recommended)", "visible": true, "toolTip": "If 'Yes' is selected then Azure Policy will audit whether virtual network subnets are private.
Ensure your subnets are secure by default by preventing default outbound access. For more information go to https://aka.ms/defaultoutboundaccessretirement.
Uses the policy Subnets should be private.", From 678d5e7ba84f9379b1a8d52009f85a0f37870ca3 Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Thu, 15 Aug 2024 13:34:14 +0400 Subject: [PATCH 04/15] feat: Update auditPrivateSubnet label to enablePrivateSubnet in ESLZ portal ARM template --- eslzArm/eslz-portal.json | 6 +- eslzArm/eslzArm.json | 56 +++++++++++++++++++ ...NFORCE-SubnetPrivatePolicyAssignment.json} | 4 +- 3 files changed, 61 insertions(+), 5 deletions(-) rename eslzArm/managementGroupTemplates/policyAssignments/{AUDIT-SubnetPrivatePolicyAssignment.json => ENFORCE-SubnetPrivatePolicyAssignment.json} (94%) diff --git a/eslzArm/eslz-portal.json b/eslzArm/eslz-portal.json index 93be2f8b7..9a1ab2304 100644 --- a/eslzArm/eslz-portal.json +++ b/eslzArm/eslz-portal.json @@ -271,9 +271,9 @@ } }, { - "name": "auditPrivateSubnet", + "name": "enablePrivateSubnet", "type": "Microsoft.Common.OptionsGroup", - "label": "*New* Audit virtual networks for private subnets", + "label": "*New* Audit virtual networks using private subnets", "defaultValue": "Yes (recommended)", "visible": true, "toolTip": "If 'Yes' is selected then Azure Policy will audit whether virtual network subnets are private.
Ensure your subnets are secure by default by preventing default outbound access. For more information go to https://aka.ms/defaultoutboundaccessretirement.
Uses the policy Subnets should be private.", @@ -8940,7 +8940,7 @@ "singlePlatformSubscriptionId": "[steps('core').singleSubscription.selector]", "denyClassicResources": "[steps('core').denyClassicResources]", "denyVMUnmanagedDisk": "[steps('core').denyVMUnmanagedDisk]", - "auditPrivateSubnet": "[steps('core').auditPrivateSubnet]", + "enablePrivateSubnet": "[steps('core').enablePrivateSubnet]", "telemetryOptOut": "[steps('core').cuaSection.telemetryOptOut]", "enforceKvGuardrailsPlat": "[steps('management').esPlatformMgmtGroup.enforceKvGuardrailsPlat]", "enforceBackupPlat": "[steps('management').esPlatformMgmtGroup.enforceBackupPlat]", diff --git a/eslzArm/eslzArm.json b/eslzArm/eslzArm.json index 29f595d60..7d16fbd37 100644 --- a/eslzArm/eslzArm.json +++ b/eslzArm/eslzArm.json @@ -14,6 +14,14 @@ "defaultValue": "", "maxLength": 36 }, + "enablePrivateSubnet": { + "type": "string", + "defaultValue": "No", + "allowedValues": [ + "Yes", + "No" + ] + }, "telemetryOptOut": { "type": "string", "defaultValue": "No", 
@@ -1639,6 +1647,7 @@ "resourceRgLocationPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/AUDIT-ResourceRGLocationPolicyAssignment.json')]", "VMUnmanagedDiskPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DENY-VMUnmanagedDiskPolicyAssignment.json')]", "diagnosticSettingsforManagementGroups": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/diagSettingsMGs/diagSettingsMGs.json')]", + "privateSubnetPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/ENFORCE-SubnetPrivatePolicyAssignment.json')]", // references to https://github.com/Azure/azure-monitor-baseline-alerts "monitorPolicyDefinitions": "[uri(variables('rootUris').monitorRepo, 'patterns/alz/alzArm.json')]", "azureUpdateManagerPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/MODIFY-AUM-CheckUpdatesPolicyAssignment.json')]", @@ -1770,6 +1779,7 @@ "mdEndpointsDeploymentName": "[take(concat('alz-MDEndpoints', variables('deploymentSuffix')), 64)]", "mdEndpointsAMADeploymentName": "[take(concat('alz-MDEndpointsAMA', variables('deploymentSuffix')), 64)]", "corpConnectedLzVwanSubs": "[take(concat('alz-CorpConnLzsVwan', variables('deploymentSuffix')), 50)]", + "privateSubnetDeploymentName": "[take(concat('alz-pvtSubnet', variables('deploymentSuffix')), 64)]", "pidCuaDeploymentName": "[take(concat('pid-', variables('cuaid'), '-' , uniqueString(deployment().location, parameters('enterpriseScaleCompanyPrefix'), parameters('currentDateTimeUtcNow'))), 64)]", "denyClassicResourcePolicyDeploymentName": "[take(concat('alz-NoClassicResource', variables('deploymentSuffix')), 64)]", "costOptimizationDeploymentName": "[take(concat('alz-CostOptimization', variables('deploymentSuffix')), 64)]", 
@@ -6426,6 +6436,52 @@
 }
 }
 },
+ {
+ "condition": "[equals(parameters('enablePrivateSubnet'), 'Yes')]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2022-09-01",
+ "name": "[variables('deploymentNames').privateSubnetDeploymentName]",
+ "scope": "[variables('scopes').platformManagementGroup]",
+ "location": "[deployment().location]",
+ "dependsOn": [
+ "policyCompletion"
+ ],
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').privateSubnetPolicyAssignment]"
+ },
+ "parameters": {
+ "enforcementMode": {
+ "value": "[if(equals(parameters('enablePrivateSubnet'), 'Yes'), 'Default', 'DoNotEnforce')]"
+ }
+ }
+ }
+ },
+ {
+ "condition": "[equals(parameters('enablePrivateSubnet'), 'Yes')]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2022-09-01",
+ "name": "[variables('deploymentNames').privateSubnetDeploymentName]",
+ "scope": "[variables('scopes').lzsManagementGroup]",
+ "location": "[deployment().location]",
+ "dependsOn": [
+ "policyCompletion"
+ ],
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').privateSubnetPolicyAssignment]"
+ },
+ "parameters": {
+ "enforcementMode": {
+ "value": "[if(equals(parameters('enablePrivateSubnet'), 'Yes'), 'Default', 'DoNotEnforce')]"
+ }
+ }
+ }
+ },
 {
 // Assigning deny storage without https policy to landing zones management group if condition is true
 "condition": "[or(equals(parameters('enableStorageHttps'), 'Yes'), equals(parameters('enableStorageHttps'), 'Audit'))]",
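Review bot: The `if(equals(parameters('enablePrivateSubnet'), 'Yes'), 'Default', 'DoNotEnforce')` passed as `enforcementMode` in both new deployments can never evaluate to `DoNotEnforce`, because each resource's `condition` already requires `enablePrivateSubnet` to equal `'Yes'`; the `if` is dead code and obscures the intent. Either pass `'Default'` directly, or follow the `enableStorageHttps` pattern visible on the last line of this hunk (a `condition` accepting `'Yes'` or `'Audit'`) so the option can carry an audit-only versus enforce choice once the linked template supports a Deny effect. Both resources also reuse the same deployment name `variables('deploymentNames').privateSubnetDeploymentName` while targeting different `scope`s; this is presumably fine because the resource IDs differ by scope, but worth confirming against how the other paired Platform/Landing Zones deployments in this template are named. Note that the linked template pins `effect` to `Audit`, so with `enforcementMode` Default these assignments only report non-compliant subnets; nothing in this hunk prevents default outbound access.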
diff --git a/eslzArm/managementGroupTemplates/policyAssignments/AUDIT-SubnetPrivatePolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-SubnetPrivatePolicyAssignment.json similarity index 94% rename from eslzArm/managementGroupTemplates/policyAssignments/AUDIT-SubnetPrivatePolicyAssignment.json rename to eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-SubnetPrivatePolicyAssignment.json index fabdc9013..9d33bae48 100644 --- a/eslzArm/managementGroupTemplates/policyAssignments/AUDIT-SubnetPrivatePolicyAssignment.json +++ b/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-SubnetPrivatePolicyAssignment.json @@ -20,12 +20,12 @@ "privateSubnet": "/providers/Microsoft.Authorization/policyDefinitions/7bca8353-aa3b-429b-904a-9229c4385837" }, "policyAssignmentNames": { - "privateSubnet": "Audit-Subnet-private", + "privateSubnet": "Enforce-Subnet-private", "description": "Ensure your subnets are secure by default by preventing default outbound access. For more information go to https://aka.ms/defaultoutboundaccessretirement", "displayName": "Subnets should be private" }, "nonComplianceMessage": { - "message": "Subnets should be private {enforcementMode} be enabled.", + "message": "Subnets {enforcementMode} be private.", "Default": "must", "DoNotEnforce": "should" } From 836da012b6af4908a7e59ec4f4c32a4cf0fd12ba Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Thu, 15 Aug 2024 14:08:15 +0400 Subject: [PATCH 05/15] feat: Add Subnets should be private policy definition --- docs/wiki/ALZ-Policies.md | 6 ++++-- docs/wiki/Whats-new.md | 1 + .../wiki/media/ALZ Policy Assignments v2.xlsx | Bin 53524 -> 53834 bytes 3 files changed, 5 insertions(+), 2 deletions(-) diff --git a/docs/wiki/ALZ-Policies.md b/docs/wiki/ALZ-Policies.md index 70c76a24c..d4dfb669c 100644 --- a/docs/wiki/ALZ-Policies.md +++ b/docs/wiki/ALZ-Policies.md 
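Review bot: The assignment name becomes `Enforce-Subnet-private` and the file moves to `ENFORCE-…`, but the `effect` value further down the same file (outside this hunk) is still the literal `Audit`, so an operator reading the assignment name or the new non-compliance text `Subnets must be private.` will assume subnets are being blocked when they are only being reported. Either keep the `AUDIT-` naming until the effect is switched to Deny, or state the current mode in the description, e.g. append ` (currently assigned with the Audit effect; requests are not denied)` to the `description` string. The rename also changes the assignment's resource name; because the calling deployments use `"mode": "Incremental"`, any previously deployed `Audit-Subnet-private` assignment would remain alongside the new one — presumably not an issue within an unreleased series, but worth confirming.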
@@ -107,7 +107,7 @@ This management group contains all the platform child management groups, like ma | **Policy Type** | **Count** | | :--- | :---: | | `Policy Definition Sets` | **10** | -| `Policy Definitions` | **0** | +| `Policy Definitions` | **2** | | Assignment Name | Definition Name | Policy Type | Description | Effect(s) | 
@@ -123,6 +123,7 @@ This management group contains all the platform child management groups, like ma | **Enable ChangeTracking and Inventory for Arc-enabled virtual machines**\* | **[Preview]: Enable ChangeTracking and Inventory for Arc-enabled virtual machines** | `Policy Definition Set`, **Built-in** | This policy initiative enables ChangeTracking and Inventory for Arc-enabled servers. It uses a Data Collection Rule to define what data to collect and where to send it, and a user-assigned identity to authenticate the Azure Monitor Agent. | DeployIfNotExists, Disabled | | **Enable Defender for SQL on SQL VMs and Arc-enabled SQL Servers**\* | **Configure SQL VMs and Arc-enabled SQL Servers to install Microsoft Defender for SQL and AMA with a user-defined LA workspace** | `Policy Definition Set`, **Built-in** | This policy initiative enables Microsoft Defender for SQL and AMA on SQL VMs and Arc-enabled SQL Servers. | DeployIfNotExists, Disabled | | **Do not allow deletion of the User Assigned Managed Identity used by AMA**\*| **Do not allow deletion of specified resource and resource type** | `Policy Definition`, **Custom** | This policy provides a safeguard against accidental removal of the User Assigned Managed Identity used by AMA by blocking delete calls using deny action effect. | DenyAction | +| **Subnets should be private** | **Subnets should be private** | `Policy Definition`, **Built-in** | Ensure your subnets are secure by default by preventing default outbound access. For more information go to https://aka.ms/defaultoutboundaccessretirement | Audit, Deny | > \* The AMA policies and initiatives are in effect for the portal implementation only. Terraform and Bicep will adopt these policies in the near future. 
@@ -224,7 +225,7 @@ This is the parent management group for all the landing zone child management gr | **Policy Type** | **Count** | | :--- | :---: | | `Policy Definition Sets` | **13** | -| `Policy Definitions` | **14** | +| `Policy Definitions` | **15** | The table below provides the specific **Custom** and **Built-in** **policy definitions** and **policy definitions sets** assigned at the **Landing Zones Management Group**. 
@@ -257,6 +258,7 @@ The table below provides the specific **Custom** and **Built-in** **policy defin | **Enable ChangeTracking and Inventory for virtual machine scale sets**\* | **[Preview]: Enable ChangeTracking and Inventory for virtual machine scale sets** | `Policy Definition Set`, **Built-in** | This policy initiative enables ChangeTracking and Inventory for virtual machines scale sets. It uses a Data Collection Rule to define what data to collect and where to send it, and a user-assigned identity to authenticate the Azure Monitor Agent. | DeployIfNotExists, Disabled | | **Enable ChangeTracking and Inventory for Arc-enabled virtual machines**\* | **[Preview]: Enable ChangeTracking and Inventory for Arc-enabled virtual machines** | `Policy Definition Set`, **Built-in** | This policy initiative enables ChangeTracking and Inventory for Arc-enabled servers. It uses a Data Collection Rule to define what data to collect and where to send it, and a user-assigned identity to authenticate the Azure Monitor Agent. | DeployIfNotExists, Disabled | | **Enable Defender for SQL on SQL VMs and Arc-enabled SQL Servers**\* | **Configure SQL VMs and Arc-enabled SQL Servers to install Microsoft Defender for SQL and AMA with a user-defined LA workspace** | `Policy Definition Set`, **Built-in** | This policy initiative enables Microsoft Defender for SQL and AMA on SQL VMs and Arc-enabled SQL Servers. | DeployIfNotExists, Disabled | +| **Subnets should be private** | **Subnets should be private** | `Policy Definition`, **Built-in** | Ensure your subnets are secure by default by preventing default outbound access. For more information go to https://aka.ms/defaultoutboundaccessretirement | Audit, Deny | > \* The AMA policies and initiatives are in effect for the portal implementation only. Terraform and Bicep will adopt these policies in the near future. diff --git a/docs/wiki/Whats-new.md b/docs/wiki/Whats-new.md index e9a0746f6..7771751d3 100644 --- a/docs/wiki/Whats-new.md 
+++ b/docs/wiki/Whats-new.md @@ -51,6 +51,7 @@ Here's what's changed in Enterprise Scale/Azure Landing Zones: - Updated the initiative [Deploy-MDFC-Config_20240319](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Deploy-MDFC-Config_20240319.html) to the the newer version of DCSPM: [Configure Microsoft Defender CSPM plan](https://www.azadvertizer.net/azpolicyadvertizer/72f8cee7-2937-403d-84a1-a4e3e57f3c21.html) - Updated [Deploy-Private-DNS-Generic](https://www.azadvertizer.net/azpolicyadvertizer/Deploy-Private-DNS-Generic.html) policy to include the ability to configure the location/region. - Removed duplicate assignment and portal option of [Deploy Azure Policy Add-on to Azure Kubernetes Service clusters](https://www.azadvertizer.net/azpolicyadvertizer/a8eff44f-8c92-45c3-a3fb-9880802d67a7.html) at Landing Zones scope, as this policy is assigned in the initiative [Deploy Microsoft Defender for Cloud configuration](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Deploy-MDFC-Config_20240319.html) at Intermediate Root scope. +- Added new built-in policy assignment and portal option for [Subnets should be private](https://www.azadvertizer.net/azpolicyadvertizer/7bca8353-aa3b-429b-904a-9229c4385837.html) assigned at Platform and Landing Zones management groups. This policy's assignment effect is fixed to "Audit" in this release, giving the community time to adopt the good practice and address subnet compliance. We will enable the "Deny" effect as part of the next Policy Refresh. ### June 2024 
diff --git a/docs/wiki/media/ALZ Policy Assignments v2.xlsx b/docs/wiki/media/ALZ Policy Assignments v2.xlsx index 8211ba8e23fd0664790d486cb5d25fed68730ceb..6a85fda88bb91b5e75c419cf24abd01196e6ac3f 100644 GIT binary patch delta 20046 zcmX6@Q*F2wutY#x$6YC`55w}WK3mCE=1yRJeNCad{E|$1eN+nS z&yU#5fopd~8GQ>LOX`!eX^G=pn4V9UX47})q2)ptu;Sx0MEZ(e4oP4;88l95B?Wcm z1U^e`FgcJ_au9xMAP`Mwzr@ay74Xv`qqSJV!=jQ0|hQZVG-nfT(E4ZTXw$z~g zF3ia_mxhPFm8`@4=J@K+ic@xGjbayr@wzx?DeBQzAKXwoNkhf!ADsGgM4A^4(~s`1 zwaIsB{a`kvhY8mh@&MCfsB-(VugXfB^Vz_F@Fw^dUs>LOO>iK*D38;iHOSI5>Of5I zwzEdM@1C1sI<*15JT1*oi|AEN=6JvwsgWlNnyp$rE75vLjm=c&ku_qi7T zGf2$&H-@>G8o}=5-5L})kff1;NWQx7PSOoNxphcc1-DFywQ}td0wXr-4R8S74!oJA zyFYiZl5obuuLk1k4Y7&}_Dgpy<9paoD~E28;cddJg{HdH(YFO&o-r>x8J{53tYMo& z%V%6zb!um(=3hE8U#xOt*8*DfB)XQbJ3Kfd1!yDQ%Ph<< zRe#%Kl`VQ!RTh6i`@O@{1)4D?ez%5sIt<_oF*28tZ0Zs2e3vI|$SRrErGxrOmt2Z) zK@{D+dPxFTW(ofRm95+m1yZ$V%O*9B;blXq#cI1UZfnw9J2y91 zl24$w1OfFgqPg%pjE;Ud`{b%DUZAIVg+i-_f)l%M9HM1)=Og`IgeC1sYzo~UMy1_> zM^N$?7PUOw^u7`zB6jyuuiw})c$++V(&u>mSSu#i0q`y<*?BCYn|Mjk-8diOiO z!X0vx-;poKB#WhET(8se-@oS{fJt(TM(h-jG|tuT5f~=%7~)D6F3WqEe}BI7{KR;% z_^=N=!1$)$<|&A>z_~KvKzlSfAmvt5$(<&_5I5NZY`h^Tm>!MKOkAVnjuA52&?jzt z0#J9i^~lF;5E&vDUO#{Am}B^NMSR)CvVL*qEA}lmrIfFXnO~zOf?%;5ju0In5VGom z9lRmIz;0j?jZnydim_{CXrWihucT<6gl7B;wu3ssDBU#8Q-cuTr&R$2F}+alwLy2>B%1b9QjNX(hKFq`rQMYDN`B0BOnydos4!~aj2h{h|Gj6=8T)g7rbGv5{dZPfeL+=eg+_O2MLo$9+F&LLyRz(S zcdD?V~_ppgaLyg>(juqwiZ1VH45ll|4w#p^^*Ut-o4$+*t$|;?4oA~@7)?TX;cQ#vm0JMQGgoU=3VR*<{u0Nx4ibffE=kP0<`S}Eb7@jHunM1f zFW*vUcK#-pO2+5w34A1>VNF;viwGAjr#INvOzz2*mwIf2|Ahyit=07kt3h_du8$U| z$e1puMN~}zg9?k%d-+CUq8q9?2GsrDw8wmdp3uI$5Js zi%CedIAvLSCi>FFPaL~CF4@;yY*2PvI&ncGjwu{-;*~I9h4)tAK^mg(sLQxeT3cvO zRr+E=j}+Dbmhw@yIQAXh@A;l#CC54(u-4IjwoG;7oF>Jzwk)3Mkk;P<13Z7K*vpwm zH!dUsw^0rcCzYg%Vr@$Thj&6M3yQqw!`@y-&wGR-%HcYppd|ZCo`*v5=S(8X7h)kt zkY7- z?IPDpop`HPg*!5J`7`$~#3AhAU9ZSXij7vvP})Te9~Gvv!QVgM9JjhZ=#2dRUYd+sV~@V~;A)En`0=)P`q9xN+zou<42Pv{ z&*0&iU6OD%EsIcAs6p8Y) 
z986bQ%x480qEi^1p##eKu%y!F2PPIzmVQqSylYr)j90xQcympQi+(pGRC8*w`MdPc z{sTJunEO@~rML3O`?smIz<^2%VQWU#cH)=I*f=@rU{*jzE=`e|6Xk@rsRN^o=i7Tn z6;`Jk4)C9@KV1*o4O=SnF#F|7nJsx(x;u8z0I#xw zdWO96SBB=h&q_Uy5)vOJcmZYtrR__$zso>T03F5kY`ju(0A0bAwb$LgcpY?5(8D4UZ_ zy*mP}^2Hz3l4MkrR@?J|%~kNbfR(M;Ji){*ssHimHD3im?ms|{HlGSh794 zVS1xY8s^*Tp@H1=vf}|Nq_5#fsRHDSm_ zpC<8flO=AZu$w=jDzy$I3T03lWa)^Kk0I>`NfW^?BZ!d@=_;5S*hw*ek1(FCghNhS zrW5s<7TnYMw{}{a6UXqVfWA-6j~-Juybf=o&&eCL_w8eztsE&@8vy%|n%*TqrEpZ; z8NvBN9lv>=SlpzxIg?cYc%jEye1d(YYNQ}c5LV`Wdq_4uVd^xoC|$|kG%X3|#xOD|noVhAw=w}}_NQNNMFOz%`aBQG=;#R4y0nP+a&eBG*K2K+k)wiUQ4i;1YZa^Rf4x7{ujVr3I2 zutvY8xd?_6nNZEnbthKvqvCndD7WOmhe8F6JJYsvnihk2EV||dZA)<#zAFIYvVyE} z)epov^V0leuLyYO&xAJfmH$y=DG5do7*(KwGarQVw0{H2#aA)YY;?gLx25GIR~{9Q zg?k04bn7o6--VIj;p3ygmw@dJLOljVdr#T@2;~=JW`78u{mY-`%~r1GjZ$KukPIJx z)#+;#(jny(Wo*g*U-wLY4-_fEpl%2m%Qh9U6$2O1~qf!c2I(?e9h|?`&t0v8yp?PN1luM+qPTYy`2i8c?~CHBAPT+Of84?#Gxa;3FNdwUl1ok(yIy&cV7w7;8J@~L_Xo8R4v3P5%l{m2H&Q6_8-r&45}fRegf-3s z72KdC=ctS3j0D0a#s?A~4L{$H{z{D3Y@d=enI8RPnSzn%TWnFVk_uT z-4X+WvTJt!>G^mXj%xp3j6UEB%siY+IVDP4C32~+W+`V{o79uf^M4ub^HWU)qjq0= zL}%e^YRbTuiEwGbPf@1HB~8e|3qafV?}T2uJJP3l;|f*&lV}wMas?%V*{`#Dapwi& z)6nJ<%=xl-6M?lFBTJe!dE37-rMH_ko-EbjGJCh=XmDZW(_2ItxX7^vUY(0fwMTyE zME0%Qy@~^bpZ6&3)!Gs| zoD36E=lecdsZBpbxg=__9 zY$5^tYmf?h=UZ@KV)+YLT#NVpY~{4;Q+~tUM|@TJLdJR6f?13IW8bMY5;JY5+sDt5 zf7Ve)z^kBBD8a-MDZzr7b70A{39QHb1aC^F_#&UZtit?+WX)Do!7l^b7wg-Bv8Q59 zS5g6MQ!)0`rbQ31$#?zHZ-kZktYU>%Soq_s-iGGpP&-6!67e7 zF%%iMq=B?yl+=`vDi6l2qwy5+bYTCN?-u{|%DFLsrXc~MP&CsOspuapBRf5+=UwCA zFn#oau`BGReaHtsZEBM$E&xG9Xoh+nR-r_QM8qQ@8RFz6LS3YZvYNIF!p4E6Y7{h* zr2Gej2Q*tUeSFmS`6svc3l)lxF~F7>0|pA3z%DB&2sNnP8@*g`Djsr{nj}%@4X~am zz$2O0%`-5Y{R9z(tMMlg#M3XA=?t>7mM1mLk+o>l(x^*WBI!7!n9a$L zyui55f@r+6>)wzVTAWz45j|%FD)GU87OrX)vL{sOC}1Gnt;diN>go=4Z)KD$#kkMr z!jdKR{FbJaESD9~Yp$t*Ho_+$XQ7VujOH`*MAWjNVWa+nmakEeidSR1h$U*fF)0F+ z$u))@2^BVeM^?McaeGy&r-Z7{_|x&1=@E2TXjF>oo&B#C-~Ze8hi+>|OkY|U$ zSOy!ngyr`c-Ti|a!az5B1-L?CKl5J%eDqYKgI)P9uEyn5qd7>C$GLteb&QEps5{<1 
zBFqW1Kwj!JS5|v#25ySbj^K;-fTkYYc<~Km$s`a$(VZ5d7@7SeT}(B9ESzkB07cP; zp~!<*Dd7cpQ}OTj@VMV?{;Rz^K}xy1P-TSoCh15TaB5r0c$ksEESR7AFc2?R(gFK1 zO6X;OPhL_^mq3~h{fG=hxKEE%uP{hpiQs7~zVt(w_RtXCT~zBZ|E32L`F!(L7f7=b z71m?~ACCi~nZ(J}ah4;k_JhnCx2kUuxK<}PAls9u?t`mZa7IxhFHJBPCd?ct>iH!e zQu=gj_}mGf+lX>tQ=^h&AWma&th@U7ShH6^iqmdiJF-`^iCGAI+zN;g0B_EO6jf78 zwxTr6st&-!gt$vhNO_ujeRd9bOS$rqhesMaF ziRkEk{4Yvsc24qi=EZ;PH0RqB=;s16;!ZW~9Y#N8%6Nf>w2s^}t578^Pv0<#P~)*d z?+@dbcG~u)fDO5P^WQYkt7qQnAREpfY67rsdWv%H>WcL;0GoDFlcqN4X|XL;Z!#Iu zcY3h44EQjp#1j;n|DvrJJ|$DCRFzyB!!+j66t$Prtk6yV82qaUwS=LM{1fQ|EWl?Y zm=UZk1qhECl5jFlCM{>7D+Ule07i;5rT7pDm0i>fKBH(f(W{*5#;7(`=#oE(Q%Tm;h`tWB0v#yahk`gD<2WDTZ_{o`R@pxVx zmLZ`|vH$tonWht8u30@OQ7D51wnW5NuoF)OSXCl)Krj=Sam}=;k@%je;7l`>XxDcz z`vA{oK?JsMN|R%mZ*D=P0wA>B>BHOj{flRONK^z-_s?*9`2nM1UX?Gi$1W5eI|}Gz zk_T+0Ng+)nX(9^p9~~b6r;#$cF?^$9mI8PQ_a2Ch9R>;+sqKN0Xtp0{-sVf5(NpWtU8Qo>*SlZAz>?vnDFnx8#VR; zr&eFx{;!SMB27D&46ae@?EJyNeH-4D@9FXA@hd%!H7FhRyuu3~zkU*Lbt1io3G3e6 z4jMfP>)VF{xmmt`Sx%ap@yHTm(T@sp8X}DGj$<|9@Ya6$zr3RM2*0_gJ{@IVD5o~m zIQpOHz5n?@ov&HzA$}gm?LWNT?fkesJXqOra(?MQTk3hg9j|y?@_25$M9nlh`&?`$ zF>L8EJfGtJNS*X>U2Y7UoPM}{bnH}m*!6n~*(}BY(qA_39nM!Y^dH^n?AP6pj}$~C zOC@5YsP82e(MS|~H5bEqa^Kd>X6Q7A`$b#5(5*S+2_jcM75VVSse4czh5dEXVY1y& zeGi{yH7Q5ei35-)GAdFSX{&AOmLzFMZB6f{Dn|o72E_2IvMY;zyTfJJo+@aSCzo9L ztaZcyqo0BfQNkS3iUx=%eOa5ied+Kd*hFRe8U9+EGwo=>~ zo{h}xj5XnJVZ+{xbwz!>XRmyvHRy`WpA?k7#8U$H~4Te zN2bjhCIV%+6d#j>b~oq#61RX@lW^6aE6~g%Vpq>8n7ZTEmNEmQ1QLYoL5S$2rRs<^ zkY4sEcy}?vIVH6}6EaSavlCT|cqZx7%#~-&fcSViRa#`Ucrv0xLXt+L6D>nvDWY^?9_&5~tbJn0vz6CL1P=&c3_~P83hV zK)P`M_$uro@+Rv>OqX83rXMQ=20uZ8zRfxV>amvSk!a+FUcc1cohTWC@=S0f<&xTJ zYMGpqI6Mk3%KqX>GH+PoTD3YBC=&as-xMsu^gEs^%Wlvt)|=PFbz zkhrKqOw#|;6oQp^j73ZQ6N%dTWFK-V6bFciQChok8g zc*xjQlkwqQJN$^r6?^Ke7C(Y2H39ur0rB19xNYF|CsiwCD*d#~xDAIB+MEkntiNDW z_Wx*m_iv^@fOZ6-DoEV>;c!AHbFR=4v5ex6r_>otLX!)Jz}#(Wu=LV*k@hiH!1P>5 zi&o;QA$PeH_E^hqDe4IVX#!(Ce%b-=k4OykwhbGQBpmC9nmE73H*Av&;1Ie?4O@(B 
zC~oB2l!ilWo}w(xi(wFI=n3zxrd_ChC1h3~Z9IP;0ruGXNU923mpDx~oUJQv;g&GDlWEdpmJWNtNWNp!Dj3D4 zp@1ffL^xp#^AHT(;Dn~`qbUCe+@s$*mF8iZw$jJYvV~QNePzV?5>yY_i}fhg4C=A_ zX$XoId?Nc`$=?^yffTe1^)muUB-W3pUha4L=#0EY-B;#YYbksu{3FDTo@wqmza1X7 zhi5%LLqXGN3Jzq>NOsofUJ{!U(n^1ZW&T*?)}tWnO%V!SG3{b)Y@44cFd}6k3aLVD zV|KQKo4Ag^n_wMrCmG{3<0_mYx$o=$F~HyJHP@!u_m0xR1;VR#PM9AK-6vY#)yEn_ z6Q-SUruWeSR*}rN-;{ng$nnHhdVG8gpraRr_fIDf(U)LZnX_|-(GgB!Y)c>iI1`;* ztn&f{>H7z6b%p^uZJzqOH?oZ8NY7G%jx|%UNN{d7rV3IMNSD>7S?VBlu|K$mrtwbu zDawY^Athb_VA%T>Br5O~u^2)A>8>s_Cx2g@0`i#VJKpX?*mh|8vu zxZQ|51E(F${cm|SB^TWL&f@*ykbD*-d_xK@dW0-HkQ(+I*p`*@>JOYEX9oBNzbV&d z%A9pB%Wm0L0xsCsRkzPzHr-W2=H~1`no*iG&9R;EuIL4csc`5Eh&#FZcM+wDU&=YA z1?f4iY-Mr;W@Jd-x)Z^8SmySF+hN_Lm3+5e1>gBv!+A~T$sSdVOQ?}T8*PiiH+Aw! z!Mb=gfyz?b)|*=$%DJdlo^Sos$sd>OT^pwN@W6K~iUG=0YKr)pD!EXZt~nU66_KaG z1kuuzjYaPRMThMzs&%PAJBfYBXSn0`B%+P9b3zpb=4}EI=frVg zhZ^Ry>zW4_PiWg`z$G*4my7eV-{yOy$)$rY@N1yUR;><3L9Q=T1&NYBR!H^_c*(

B0mv`UKnN3k}*bz&YAf+x-%iWI=Dyv$zvajR?kRAh}_2>61 zz`$zt3S$NIa;Q|G5e`)~jE?~UE{>2uBU!P~J8Nq5w+NwykLk?rPj&lgR7+`ra-JO4 zU9w4pSMGP7Yd)NEy59T)7|eQDsj54QETYoy+gB}Vb*c4Lf?Qf$VJuJLF@Qd7#+gn4 z7_NOckN;)f>&Zr$_CAhf|vf>T!LuCgD{;4a^Z` z5m<8LhB-F+HxcQq@j+SeN`mV(@H*zK8u>{6ow|=i%o(MAC}$a?TXn0th+On5=!R+5?XlVYbD6TY<#hm@SzQE?o?I zMbLz2s2s*W0-_Ls%@TIa{SPG&&b|RbyL!Vq| z4l1ikdL8+Ou7pjUEOl9U!sxKWDIwy!Fe<-PJ9P5HirW)sO!Ks`%Z8~EH9Wu?T?v14 z59M8^08;CoqhG+uuHS|p6DOX1r{>c2>w~#E!+vQJ%r0)`sdUoO>!~MTl`J`zGuI3?y*8FDp z(;aL@dTGhtgAyNn{wAncNMMMfvTz|*B_-Mdpz?NB@)DiCid(S@_z30GS)e??7 zkpxAVE#q?<*t*nOh&emqYkW@MaPa$PlxK;kMm1&VXArh^iFg^MN}(8u3g{Hp%;6!^ z;c~@n2Q$;MHBP`;vs;Y1)ZVa(`>j_4YR>|!1VXRuEA$9-Xnk5Cq#_Hy-L`?mdhHqW zdNKX;BWr0v5P>;B9Qf`mqag}*M=PJ=n0I#|&--)CuFeJU^~Mym1~k9*9aSF#%g!>* zu!4eNh;zS|G3y1Fk%{|3U~m+=B)sW2V1W3wwkIEtkw(19ili z{i+KSUw02aXR(cdShNU#5X23aG)N#b(u!dh$j~Vls73JSR-t#o_evu4uUFu|jIfP; zc&ud8d7n|kC_r(e#!e9I$lyr+#=_1%iH9Due#OAew~?vuP!n}91$DjfLvEfB6rnkU zKLfJO*w|;ri|lVH9D{^TpfLm+J$iAdjiI`Aew{fI|K-8zhp4UE+s5I;)$r-7W?Dwh z68f>j>J`gHmS&fG_-b4+>~8fpIi&XG6dY1}kpISQMCyU-SW@GJx^d~W{PXjoqhS@r zUHE5MAf6|`LbOA7U#8>y)rShI7A}j&8}fSD+09U9DsCFUgy?5lX>s;ulJCd3!`J+Q zPF0xj`~UxC@dGgMAOuHE*1{2ifpxki*4mH)rBXh7zQ3UueAd}&!DC3OVI(^PB!ATx zMpD@-jOLizGA=@8V3}eVgQ?WNbKHG?ZYzgfO@WLt_sI~>3CoxfRfFV$rCv7^%huJ;9y7M`X_G~Umzgx}wKx}x@g z65AVOpPwuC3Ez6w)_!g1HO1XHv}%BV0+0(s6t1VOnsHeusk@#v%gx!g&OG?Sd=XDz zr-KQr1EKC7V_9z)u7O77m>=qnU)w9FEM{L}siUa=UuulcLS)WkV6jpEY<_3xk{z# z2Q-UDThF7h6%llHhfTsYihS<^_f8}cUpkVz>!?DSVZ4YK*i1=B;}Q{`Cfb>nMJadJ zqWaGcSVKD;=*#U00!U$$=(KlE2LYFT3%OMkD~<2$1(=^MOJeb-kxCQB3^*=8A>7d_ z4BWycS_)10W3FGG5}huNAyG>;))CmR0Y_Uen{rb(9&Se+2rP`A*e|1yOnmVUfj7Oe zVn205RVhkTTW98}^LbD$P4Pxv#CJRDT2TvQZ`9h6J4LYgG7UpVPiTdec2`$&408Ay zVY`|toGv?1U-~XSah6bj+SdO99^E!fO!;uD$VQhwq)qW-hgFPxpBhPR;3K_tp3eRTq5r> z{{S{TB`Y@%S7DvWJmv^J_ToSyFWlV>qs+=$NR-V|W^uGSF85OF_Y)J%;a-Y4LPiQ` z9YQnsSF9JOpY7>9(Cs3sJh34?+Edu0>Z_t2JroC_i0`L2=)>DE;R*+wc5HfGt!H!4 z-@ooy)F9XzLGN^)xHmcPz$g>iUj}{OXpWpma5HcUa5Yzc(GV!oYu!;DjQSaM>>fE$ 
z>$AolnPrc@gG0t^g4G0u-NAZ71+R<2xReB=QfR<|qTc{c*vD9A6mamQkd0X;(b!>( z)5;!DU!`P19s?t>5p11Oo5V3jIyW|FHx4*hp)3z@q5L}QJw0Uxz}LT)vQAqss$z4V zXK=;Y5=EWK#Al%e)* z?*qj0_@Y2=eR3vbdAFJz3CfQxqy4AFQ?jW=g?7|G=w~A~EKCGSgDNj#>iC+`!5RVU zo0qklEhzIo#<+g$z(`mw|8~eV?3uDt{vG8(NGzPR;AY9lA5B@3bLttd5V$G+!GKo}{dA*5th*=g-0DMm#x+}S{wZn-s} z2E!0CP%op!pcjI;X=F8NfT2F6zfs=S`z2z_CGRAzVYe&?5}@W}+Mig|r`dP-zU1G= zUHO?L)E-6+gqbOvU|bASYlBEkvbRFtDrvFA-wEx2cVJ-75z3jRBl^Yo!N0M{*6~YK z5jR7+(Msk)fh#1dk33k}8+S@;Ro6T*S9;WxpTAt^*NZdHF^Z`3k1{LLw|U+8WmN7=@XPc7hY2{RPW9;wqoN(H<= zud~N@pkQQybU65^D_yr|ayRV9XdHy?53T|A!dfMbZ+RZOrK!UFKD7-8Gj~q+&7bS- z8`?97hbZPKNN7xR4hO^v5YFY)#0so?dR^qUe*<|MzbFEztZ@{2{UuxFbcaK$IQ%Ic z7X4(O2I0s8`sN$5sLo4`j~Y9rpd^L1 z648V$Vq)zVL=|b5&F=2L9VFs`-x{>9B`JU}+ze36#D0mSZz$$@q1kWb*><(d4Sz%= z18%nmNZdkma6jX!BH#$9Kso;uf|>O<>NBAY6E{QKyWvH%5Mp~2>t*DPOahErZ%d&f zRn?c1%6frwX5GCm$|hs4ez?Lkk1_jZY7?M8b9c7$brJC{2L@sDr)bY}7X%N+7eh?a zezQS9;z;z$31uLAQy)N)wxvIbY6=w}1xj`GJOo@Y3=MYP=0Sbdz74ZtHY!=mf$>JA z53FXqDbr=>9r#n_#plCF39P`}V;N71oH2KA#Npee9iCa?#8_&vLcu2vpj0V2$^Tv{ zBUGb{-1k9K26t*e#FPqF!gry?K4LLCQL!(QH)s zq~*d1LfS9iu`?;btK;kAWl)2ephedJBlUV!?)^%~1S^FMFH$fUr8t%>nqW;uz3;xk zoQs1*V|ac>33bEiKAJ>VQJHzE1LB5^Q$LHrVwx_K)_!K|eR0E`h9dSQ6wgND+xie< zzf<<*X?AJ~3NudC#^B@Oj)F1Q))GY*SfyT+E=ow|5h@J?!vyn7HzGRso|2s4J;*oJ zA&vcZr-U`*xP|Z^G1dez!l?(Krg7_80)^hK-zoIO8!(9dIf6G}o*i{wfl>f%v<#iV z1&Wu>FP^1mE|HoEEkn=DNnZtQpY#~;bv@to_!>BY(N5ub9^~NO5nD?Yqs$2N%bCSI z;rWNk&C;|e{lJ0a%k4``FIo29E_&9`hZ5hG{wDaGI27Rbb)TDU(%a?&b$ zI}AjL&=Sr^F6A92aTqvRz-UkeVpeu8Ram=#At@aSD!z$Uc+dMW-JGmioYS~5Hs+xc zt~ERv#4S4QE1AQO#VR(xEH!yF?hnK2b%78WGs%*S*-F(1hETLB zg8LY_*gB&!EFRhiFlyU@fZm$uQ$rHFL>)YJC;c#LgZ!Nk)~@gV#DhzN&f zuTiwA-eukc#Oe?&}mU0|L3*5b<&f~`hGQGlgCZy8`4zQb4Ezc0Ifm|Z26)9EPVn$C=Sw#oz`l{31 z48r`O#+kvnzq#|bQM^5q-oVN<`87i5940vn8V#k7$p6$YA`mLcANnttcsEDHO|EiD zp7KM385)k_nV|AC)rN8_NJQO43o^DI$!P%ALvy8TcQ;Mz%t9HYYj#zSt8GeFm-3sV zYbJO+fc1Wa!-b<-*Y6zWCMrKg@c34dka#A`toPuif-AjeB)8JB03RJ(`=m~foHNsL z?(c8!vE*ks)sNTjxFD*e#dHLu8w+RwfxzLpEF}H7)h8iiY7~_WFXRq-c0g00+Go^k 
z3RPOFYcN5h3YRlSjlfUxuPE_Knw{7UF62;b;QVYPOJWO3PxLnGpGMm!)hXetAE%k` z6*dquX2t~NnTs5~_bi zzk^wXsd!=SriF$J$a8n?oxD9vfhbsRvp3Gfso4-QrC7GyvD1Gg@|DnZ zzEWgVbQ>hwWqgbPUSTSkIy6lP-T}hpus1okPy~t}fmHM9yPZtYqr*fWNBW*fO5Cm= zP)r4dY;;M6q53nX*_{f$wd>}R_2zQQ!2abbeav7tetV|Ga(N3o@=%9;W?pqu2Z$&0 z%B8x`%-NMD*J3GAJ4blS6^R4!o;TLcb^f0%PoJl16HfA12mL8_4IaT9JDztXQf}z} zerXcjmY2=;=TAXm_L}*B4mjs@!qW?K#q0G4m1Sb_gAE6ZEH-1<`7wVGH3bqKKI;O|PjEik zrEbg5=|97h?j%atjtT8PrTP;tfPo0yy}09ckVZ$ekwAgTJ8yx&Qc+Xf5NqhERL^|W@=dzthweyh#UH^# z@7cDAty%Nhxprl0YW;x;O5S2h&%1E>@b#*H0cyAUP=75VyXNi6J9de*fvB`fPBLZP zNc+CBg4Oherb+lLeej``UC9~@-|4~&2M_=ezc{SghB6%JyDqE@Sc`b?9pc!ym}HV& z)9I)w4z*XH&>4!x{x*wbH{G)xw?hP18Y+1d{`zpsP#x=og@iq6XRP7=g zwY#b|L^uBZRhLe(EIHPh1pa=jVI;PAxw@LGY)mm-c7qBCPB$JGTfOaYt59r=6R`#c zpzF!WAt1I;TvK|QnN)QX8We*cNMBDDqIUDyk2y@LG7EHZDm%2)4X-?SC~P(_F{on> zs||Q#t6$>89itz(=2>ttd0R~`TYMyaa9U97daX#<>M1<6&*ow)0twqrPrR7=dhVUj zN_5stBe9UC>=6fDwev-;k`Ag8Q_i1e3QasXW-m%UNAaCtpMo1i+bt~=UzxrSC%J$Qk zmI49a+JAD57{frecx_n=htoW*(JU8ccI(F~aTl@SR5f!vj`?QD)12NyNCwUjZCFN%akrn7R*?o%H4<-RT8-&5KwxV{Cg}?e@e(&2vgk_8+ zyQKTWgdrVWuQur(B;g3fK-m=2-Jk5bR7o+WWv=kp=jSzw@phl zOj{jiKMq^*?J80?;D|S3n+n;aLVK4}D{Z#-<$V2BVKX?NSFJ5m&oz&*5D9JLo&~WB zL}t~U3^^5+R?>z}&eIRtDpPDSKa2~ ztS;%gKpN{dq<6uj--Z$_)!GXQ|3WubGKAm?0WJ%M_fi#nIzWw5{Dn_Tm3YIt_{w`y zR1KTjDls(>SF7~z-tEb_P%h)oU18PNis~w1RI=8Y>3Izi*vd^@t-l0lfD@JDGYw)< zOpC+A;jfIzWJK1klr-iU&Fx9w=+YzSL%&mFSQ0fbk+r77=C42bW}ld|rtxK$`<~yU z0%KvO%zr;-Z~B+6J;Xe2P+l1$TFOE9w$qPOR;$QcZU-wPqbVMEMYj%ZN}1v(7p>tJw4WKlFru=A>fzN&iV!$z!pD^cFrn2w&H}5d z2u)$WsV6i2;KhKnuy;Leoiop+ zq;%BY&YGflEt5cquCLF5$MP_9wyZPGOwxbwPBJlV$=j$SVARO2zpYBR4$RIL0X;iw ze3X{>ue1DzFL;AC%}b|F$J9&KUQ0f8lIPFU)W(E1ToXH(rc=|vR zl5HdCd+8cH9-M?_NQd7pe4o6L0~Y_jG-xQHY0!?8Ws-Go=INM+CvVO|kw)PyZ9eD| z#YkI#33|&xZ?$27IrelDy|rw)=II++V8Z;EBy&VpoI{g1E-2|;Ai&zUUTtgGlpPN) zKe=tWhEARbE8?#5xvp^`%tWP68d(YjP!M>P&|Fb6&^`{d>F3WIQ`rg>{K9?0efvz z*n|sWq96LQQfwMxS33c%2xw9vi^8vR0to zVvroMe7LEBK84W-L_UWi_k+FL;Dq9+U;2$zt2CrYE%na1{OJ_ZVf4>E#r~ZAUz^F5 
zZ?Sn|D?NqcB_FspGzi&tVOWqrl=t$3po4u=9>T+!_aobEVRMCG@_e|5;1;SON%q5*^w_V@Y|7vtpJxWh& z+r8=?@b)RBJ~EXR>z<%AHdbb z{Jhl+4sc{NUJfND4?vVmuyzkzhLmrUy^=q*75V*|HY^1-+OV(i3;>@HNpzdwV#BJ^ zF++f?#h218;YF>}W{C6d0wfOGsj9bi45xfvUR&Mc1l2;qIkh0WQ>ns+>iuW)o}>mjNuc?E~(tpj;b2(pjmrJ2w8m7WW9 znJ`GoiloGdwuH3P4jlk2g+~zXG6gU@=AQ*UTt?bs(cwhd?a1O7@ImXFahb;Z2ElHc zayn$S6mO?`EHWQGXxIb}hhMoHdRCJBj4n)f#i`LghL}sP%I+Hl4S~oFlsb;wVh~jJ zc%vCeZMlAeGe8T{mdWL^5&wf=WdQGsv{=-Umsly&9$$V)_hnAuvoG~bt~I4{buC9U z*Dom+-gqmx5a#(8T%CG?uJgb-$*{OxePgLh=Fn)~wS}d&9e#q~KgrOuZ-}+og27rp zUv3;@F8JPD7EV4wG*$FG5RW`h)G5pR#Ws@d0;J6^QGm*D9OFXh0Kl+gljVG$mzOJe zVBymya*IUExbP>XqB59d&gr>tS6?@Kd?edN3_Bi?dsboJj+>Lf1!=`)KD5d`)F%{< z>w0omzx7eCDkj7-ZEsD?Q-{dP|8;TY(NMQ-cuY+SS;sn-WF1R{L1Zi0cS4MPi^f(; z5kCtd7ZJUeX!=jSkbtl!bkQrU@3<(_C3*fcN)i^rB21p=Q`)>ZVZVlEyH##G zsaHkVx2gI0+hliab&`x3nuv~52*rq{J?tKW1ZFMYN64NIOJ8jVwPyns1LzqT zvRkLs{FWVqAi^6Pfe9lc2y0UkA=M%x@A`01ic6nGm|Ls2>*EkbHc~Wot!3OYV2X2A z6uSN8I&x#yD6hk%=>Ee`NC;rV!R+D*J)-&mbAd&(ow}~H zj7z%=h;^8)ImV3TR7mcTV;%%gDijCYLvL&ptD4e>ypK*QrJ>7tH59papkQj?u>DFa zPU-W{hUC>#UN1+dvy{}65%n8)bsgSc`yP$8%UNSZ_f2Lnt~7YE(wlqC-xux~ej>Yz zRW3wfoy<#LFYOB7oyrWj>g!k_ORl-*Mhi4O0h(>hRQYUQkwQ<}V_afaUc(~`;B}3>eNmvQS)jq!{2)xkIx4`}efuL-GP2l1hFxSWA$x(GAMo^b z%iict)mdBqfEz=-#gjR@yIn9pUIUQRQ{(NwRN{Gj z{8+VEA06cn)OG)3kF0Rw6h3@_Pp`Tjgt+8)i9>dKVSxkZ(T2FUsmRwKwItDx+1%aD zC_bUg@)QM}ORyw)#T@Uvxbh`U?o;*ZVT0Ulj!S+`JP!(EL&+z{q5B*%$CryY1n7@c zjJALHx7Y-bn%0}k3W9*Sh5ZACFH*r`lKk8!I|yzk8_BezwBft{3VQ^xVYjy5(hEb; zU6_-2=%Z#>ew|Q_XrA>>Zt??0mbAqDQD)qAx9WV?G8@r@j(AsL>*(+&X%_j5ga~#S zjTp-eiR`mtRwHGa%?*2gHMhPV!?-=B#AgER%yYaORHee@B0Yh2oj~(0j`n*R>sFJA zurtWIa?x8X>h(0*_NCS)XDEFrCUlaDpzP{${y4`=ZFBQlpN8eQxZ#s!#`kA({Y@8qrgHhyu2U}pVgzYp1=PX>W6D+=4H$x?^i)ubO{fh<|{ zGtJTq#+{W3hg%BFv@Qb|eZuL~tUHNJ9gNrv{~9d&VE`)X4el9?(M(wzjT#vUQV*Fg3F&bxBrqw z^Kv;Z5j|An#r^ad(;McCu>LFp*I{mE?pp`#LIJdt<+$Jem(%uW=b$6^Y*K026$iP= zTa~>Ek}vMYbkg2a4HvTs6aT~{wLI%;tEpvQ<6wB_Eilv#&l+LAmS|Cu>#SlfI2idu zSGOel4N9i&vdywd{=#y05+JPp%)smXJ*vvs0&_X9s$IjE$^~to(H&QAwHg}&4H;I` 
zgGY*ocev{HZ@3x+W%BE4^Ue$Si8D{z;nZ{&kFw0_d&fs6fod6i8z@CQu@v~mWeGvoGG~jo_jb#o zQp2;txdlBsUr89t&t2PE%GE(hP$$!*UNI^zi_sC<*8CVHbs@i6Gvi9597;aUN6~oB z)ZN2IfNj=IhBY=KS>^K&P2&bOm@DV?q@(Oq#G2~)cNGDW>wQsWGN(S=0I*JnyHV_gUgBAMZioFqZBn8gXa zhNssR9ZdyMUk}unnD4;Fl74KVMAv$UrfUYX*GK!b6Dh3%j%>&+9s#1+1(cZtzMl3M#B_GEFi zWcj1zkYEqh+(??NXO`x|GwuZw|IS{NA^D5c=)Vx1LskyDhYr1gO@9 zw|^Y;F!_8opG&y$7jj#7wJa@U_>MhjRadN6X&%KC0UJPHxXA_AltHM&<8=`?OJnMV z0nEfkNRwmZ!pdRU2e80OD(vv0p4G7Nq|LL(!^ogaWuBa|r-p_m!_n?By`tAr!zBEZ zQ$}PsWn%QRU&NZHt;nnGqfjvwE?Z!2dxyE!;p-nr~4d2l=S& zJEzh)bj3mbYqy&|4kkh1)@(Z+9|g^qwg_YLi`cttqtfJQ(*mrIqTsYCM~AKc`J4@^ z(~~wL+lHRT;~V8%8;I4OSRPNzsnVj(ZtW}4*>PC6cG~=8S463U9TgXaf3^#8;;bRGt1RVe6wAC1kL7k7D z0wgA|)8#zm}_U4Cd+_yKfR6w%Z?Z{48Q(nn^jzl<5(6Fey=^g#3&XKJ-<9Zg6Td^~msz0~3 zVq!BxZo2z&o)G4L!0g1sxZ%0VaTF4t0r(rqJ zeXLLCP>38tb{Vb8upNH{`|v!H>PD)b1l#W&gDU*dcDVZWAUb9U73#p`l^o{&o;mgU zUdSfXsszwgztsVBj)XE5g+?%iS0Y1})kBkXMvJfkIiY)#`HkM>m)pFX-LS{F88^Bm zqogOZeHyYE5{(6Cq!K zUKC5)u7m68pfYnV^PYQtqK;bVj((8H;4(7zx**`H_@_6t%J_395hDkY>;ToD^5|`Y zBMhvp768>+Byq>pqf|IdD>cpkJjfn?Fr%6R`#wl=|Fsr^KsYG#O@EgTJ(x>i1(5_+ z?!V48|1bK*^he}NkfJ&Qa|kz};|70-BZ3q(*bbEFRfAf)g5JIAP*xAHs+W)ZZ~GSn z0{Eb zDFNFCSt%J01F4COVB!GRDO@Q8T&RVEIz%xj!yAx*Lx2fHM(#hUPX&QoqWCf~{p(iB zbzn151nU<3;&@lx6-lqU3Q2WUFP1|o*! 
dpx540pdM7W>kosYFeW`9X-Mb{AK|}I{sR`kNfQ77 delta 19797 zcmYJZb8s%a7d2Yjwr$(CZQJ%!p4#@)_SCkGQyZtY?Ni_P_uV_+{U@18vUc{YwI|6= zGWi=ktr)x^9U3z5Yu%hOH3ymi;OJZ;h4O7w`4b|Ze1jfxJcBdJYYMKod^Fp%^jlju zX0;(f8#Lpl&Rlxo>vcAC7wuKasV<|pfjQ_TJKGv+R;YGT%%99aMeEta!|oifk}YHD zqNx1GH5D(U4mP@)0K0}v@GBeUYw4}NKaUX?kjM5?0V+c2_iixB$Dx=En30VhrLC5Q z4R#0^hb!VlP$cV7j&v4Gj((;Q%c`#@B>mbFB*6g5~BG*QehoJ)&$Xed| z7nr`z>Oy&v7`rj9qYFNghNU6I4eZjg+CLT_4n3QO5@Q zcg5v@_K&#fn6Z{nE3>oW?2$ZaDKri!K=lYtLU9feuq{%W6%;a_l9l9A)CJa;sD&7Q z{Qy<+DnYVQ(lUJff4D>j3M26`kto;pzS;Uh72@vEk06_n5ptV)!w1Mu`zC#&Zj2fF zmlUC#)zRfgd|gdvp?G-FnnGDQG(R*VI8Ix zH>!3UG%EIWdMh$N@K5*DKo~-OPF+kZl5ug%2;&nO-&TN7*SkD^Q>fLP9tA{Tg@!Wb z1|(iU>$V^Y%stkK5ZZ_v$jCal>MPm>EM4IVZ-`Xus7FvR@6ia)fZ9=C*fE#hwgfdb zyI!(^CsY(*WygWA@k3KJz5JC{bA`w}x?Bfkg#}nVmWv}+?o1nI_xzZ+8?7h*a2T0- z1`$EsUkGG(pWEq-C5k`gb zCEH69R$t<29r*mh_i!Y4A>732Xw3J?r%-w?pi>4sW1)N#&kdEK{>oj0A9YLU?Ahn> z4?p21YZf|^DHY?S-0N0uyM+v#0*!HsQ5%*tq$%yY#WTv|GlCus8!;S)8d!@^sdRJ z;*QJX+>zP8&2}!{U%maN;0p8L>Cyr zl=_AjZECsb*!OAAcf*eaTOfUHDj~ecsehv8nOU_HgVn7BN5v-%6x``xvd(LHWRD%Q<j&N9Xk#LGc-PQy|53>8-Tv~g`8&~{SnO&j`6w{`$S}J^OBvvtuhq{49_@X+_5(984LKv(j&KeefZfJa5cEZebeKQU`KLX9PC2KYygiS5T}mSy+`_+5e0xlrP-f_) zcl(6msK%FmaY5Ev47<0S;%)Er1hQ|+J=d(|;UmMu&n|3adEr6i)cOJxTbcED1{7#D z6%n_pG=ch~w);j^)g*Akt}5yazyub}Oco1WxH0S$N4uRYq+%aQ#IrT~g^LiaW_cG* z&AD8!5sPgwGg>;+7o?b;97SU7cnuF-(QSSOnny1oT~v$_H7qr>mPhz#eRw=FOShq27pi1J&~B+|##T9U zNfg74G(`ck)VhGIG=*FV1F7o+k~Cm`rUqr+R6o7kC%c4S;4A4DO-D8_cp!E_wencO z^P$?LHUB+~ub4Hn$Gs;+ zx-_NV=g{pTW>^o!Jo|^~hJ^4*U2N~VP^pnHY-LFkQa5+7c^@U_UFJp7p{X&V* zJ+(QYhQ(E0gg|sJJbn?xu5M-g^)G2W+ga}l+kl-1QKf}=GfhEjAkw)W>qR3h`+RoP z@lS#paip%p`Uc>tw%-(S)8=om5dRG?A!yqqD#=SY&%+@PoH>EvBnUDO)QG60S3X?D z-~T!w2#C1Pi^W80#6<`s!q=j4ULm3cL-y?3$*yrxBE{+)U_R-(`ACrHq6*7w6_}ju zR@q6A5bowY6-Vy?3%>AB;*814FjV{hM(`STe;ToccmN&*$_d+oyr7XM8{o%RU)UfZ zKR+P5$`JhTxZ^V3JYyL z|JMTe{`g1~2K;=U8utUmfjKAOdAFe;voB?^?zRzAAAOF5D zdH)I*faiUGeViNre0TW$+}tMK?gkN{{<%lfGP)%7Y>+;{p#d-;C9JNdOmgzG^p>w4x~3! 
zVpYie{=N<@DVWV^$9{WSA8(ZGW%Ddl86G{~*RS{ngy zjPgRVx^^wucrSXnw(uLb*Ce2S(e!^N;JnSmu;*8an_5hhO9ZV7TBv!_#IZz1XIC#J zR?UulYFJ+#YXwCJTxJ#l>FPOYJM=g&F9WulLY1EEeUk`TO5zGfan)IpR<4vc;NqO5 zgFXa*tHF}S#hpaLR$>^yyXR$H!Yu-}`#!g|;0pNQ>j%G!c-`~s^|j`sO-t1?*?XsH zMp4mGiqAk`qh1JuZ4N=BkP^|^3cLJj`(bSp67*G0f*xOm|>p`>);|4xj$htlGk_B%_{r!!g)bhTU(_UV}igO+)_31dbW3Km_+& zo>HM~7*7OW^*$QR(V^4-8(=HEH6z^?R7zhKwY(}@8-1k5We~TtqK(}g?D0O*ji3Ru zh?;=2WUF^L=iIeo?(O66Mf&*>!BttGouSG{Y*;HQ}h_uR`JW}>XB}_+!t9x|TvGNawb~Uflf?~>8#gdvSP|I00 zs}H3FTLe;v5`*!zI?tht?_Q>G0Si}_xBEd>{947QOgFh1Bc~z|i%hl!vQ%IzMA)!n zuHZeVXtQCDldv%$@!5)~D(GkkYZLEngd;AvnNtlImwmJOclUYPQ=4!o0Pe3$FJ1}v z1Z!U;pA&UDeul^Vd3aOJPT6fk+IuAkmx-BwJrTVw{$8`Gkd9k1G-0(21gmyCDo?Dg zR;W`LDoXyI+*Vh=!kK?m;nDwG!PLq|;ifr;chio!0^MX)5Gj@SK^@UaR%N?fCVU_( z5xI~aA&hS(tGvtgDu;SLFmNyKQx1Qvn^PqBe6_@_K+eq2KCT z>najybCwTjiHH)>tmm#U#ZYNpyQHTk3!l8I`X~-+3-RP-z4wVW1jO=gZuYbAn;mJ> z4*Uhf#-XR0EMx4QZ^o)SkNgW-v?)s1nVq^(QUGiMA3k(OJ0I z6%{lU$`(diII9q%@VlUm!@H$svmQ6vv%%u*AROWRXkcS4`J*{ThK94)9){rTiae5y3PFepSINA@ z69YBh7XNPz%2F86c@^nw@h6e$hBj--3e~+L3bmb87^d%yobqIh-zuCZU*?Y?KhXmn z<9sj(@*}vB?uH(>Ooy0uz`s4HBnZv6_h8l|4g=WQOYDee^7QciyV#TxFuAeR_&-X; zLO2Dt`J~B5@|ze?%z4(I5|b%WrVvrXl`*2dA!QHFuD$&i3a=MY$c|+ohj_jO%oO9L z2|PzlTzNOT`Ku-;c!FnTek_jhW)}awbXu z8+;`0Cz5H>EMIJ)8ixV-4J7b&q-ds3H$!{1hvT=fTO=~eUk4v0@kh?O(J*}XxI3GOdA#CHsaM z^eC)=dWk(UGRmDUGqXej?+iypzg!zo;DHnHd|g76_p2ehat34km@Wk0#GL3aIv?CE zZMM@Yn0apN;B@r_mwlM6vZ94Ro?Y`7ob`||&H$oL<#SR9oJbuyp+M3jO_st8ba2m1 ziFC8j+;-&bY`k<^o0^5Nh0!TN0O-v#MC?;KrUn>Y(oFh;$j+rITP_go8+;3((%$6c z45y)};^ihl#+i;c0g!3&|4(U02$p0?#2Y7bsUDy4^FrN_09N!b8|*({>0bVIHoX03Y*OL014B zgQqhU70EL#o#7E_YblLfYtIhNR+b)?Yqtlto07niC@Tm+47%7mR#zhzwZpUoh9(85 z#o*A>bdl>4UXdoX`(ViAyo*Cr=?et%vjG32UyOpG7ZvNN4ueo`-q}TkB2ci}gin*s z6#^_(mbsaF{1-q-&Pse2LR0P>bkW?xo?cQ(qO8n>@Pz0^%KtjWB@6rMMd0A8FWWR|2;zDC6 z8o0UIeB~e9a~pPQeECZXqUu8^w>*WKbTu6vRgTi`!VQq$BV#3p+Ok?7{J&_Wg^UA8 zP8t`Tt@?o=faxmk8(wOYg7L+NFk5wY`h#-X+tnIJ=zPK~L|_Fzt@%KV3oT}t$c4V8 
znFvv51%~>{u|z_+Ba|^J9t%pKQeO3N{)01;Fo8zUlK5|R;rqeR9|{2SbQP?VQ$Rk1 zCwcjU0#*+5o%W!XGpg7q#HvoFLhN-uz28r8MYe&=rWQc4q<7yD8*QaHq+I{tfEMs- z%QSvI37}qirhb*MzRo%#w?ITm=C5cJd!}( zN{}Nvsx4%NvhI(x>E&<>uN^M16+1b8PXrrLMHx>`#U>dxd#H981I0Urr(C~oPLX#p zS`K^)8_#~W|3H9?Ssf90JFzNzJEw6eTPAuY?TJ?gk37h-wY6Mt zi1QOA(D9bvA{(=4CC<24wApsiAh6{~8Ay3ihm@^YS<@|=3JCzi!*+(9S9bm&<- zJ4llv5l!dZ7Boqfu=V95mHr-pzsj>B>XYAUf=qkRDQ@x8?i zlvrGz^fUNjmg)c7)(;eX*#F}Lidry-h`m(g)sKb=sHYg{&jy6#+}G}@qI%=bKJb7Z z_Uh-}dpLU!$6-eTabrb4m8HqXg-)B6(o?n?6CJ5+O%wU^|0#A%uLx8;n1*GsA^=&+ zbp=VX&t?hve@6pao-FM8h{%*`OYxvV8Es$_JvFDab3}4SDlts_*pXn^4nat;+4sRz z+1Qb2vZG-qrg@@7rp847BW=e7+;NsFEQpVTeX@&pzk~q?$BMwfNhBfe+&d0lq>jp> z84Kn=@BYVk$o~%$tEz5&lf$<;JPEIs1#l%1#Yc$r;zEOT=D^~^q*l6$OeiQeg*-tf zz_d6JK(qi)5V_`0(z)i3yT+3B{;yBk?55zRY@GiyF3XjK2aRg8&I4m3I)m>3L|hkf zJRGQntyf?Rd0MHG_rtZ`<^ihnnzgHw;9F00FVqi-lJL*SPCT_f0>niS4}n5d?0=Kpav%~VEQkx}wxjz0Kb`kN)!Bz_U$h6Da z#_*T7bSglvY2v(5R%r^F5sN~5YNBp3E-q^N+ta;wH*ICK&&k;F^6q82`8LS;Y`wbQ zvA^5s*?I0e(^67$J`U!XGC7nNEpLzFltE1+##;I3_G-pCDDeBZ%86O)lGrP?-WhPt zAM|4PvHkC|?bgrhrONoajwy%Pd2aUgqk7xhc?a`6oRdU(8Fs+xL%?18e_GR)>zkjwA#eDWrA!Nx^|k*>Z41r2e0e-vS} zJ)mhS5tk@Ib>yvc~lp!%o2If ziu_VrK4$M3vGg_M8fltX)_BCY1y7?MHX48tnGcfMQK4DY-Qv;Esv5nxO;ck=Pt+#% z;Gjo(Y&D2P4sjJBusTnTTlJ@{zWc_py|c%z?b*9~=6yG3sv6K=G5me4$oVDr&-gwR zaAF51{9RggbNdFklfNS_KpUif$vK$&2iOX@@_K&zG=Av(ym6<7WQtGk>X0$G;{nwD zKGWGu0I~=m57EtjebyGy-8dnxeD}ZsK*TPYkA^+rv;1E7UDa@BOHO6z{&3m}J&M(! 
zg;wOL^w6nFJqGy5{O-P+uG|moaSACrVy^yrJMmNg?%)TJqf$_src#pt8*#6TGN(f= z$(|vDRy`6>d7xF>P`6usY4HrB6bIY}<00YLIv)SVc4Uvrc-(4ozc(s$dj-{AVk zf3wEB`s*-8WkVM`f-LV|*4G4KBHOjw}mYAl*hnWBuy zL7atevZ?h zt%~>r{1I2M+w$6scXM9jZ6Vr=s~f3pp#H@@oDToSTF(Eo(pAnJy8tMo4!V)~E7iqS zq}U^I9QRDI9&Z0QA-*6hrQxxV`8ym_x(?Cch$uqYw3~VVOqci47ea=lR;4JTgh%i_ zALJs!ELGV~XtV4qAz$n@uPV@R;(oBpg*l^!yH5Cdou&)zub4lK1sB%E|*webBQHp@ek^2Ne*%c~Ff(q<7&GBrbX zy}+qk4#i&bTf({>Wp@?y1t~+7t$ZB-52r*1xz_8PI5wj|M{eufI*MVMz4Q#NB!Haf&kJ`XHvL=ha>Jne;3CP zUqZ51hy##Hp&auakcPCjY*;AKyio?3$;veR-YiRjE`Hz7B3q#oPe7|~?Q1vq244E= zj%-S=1h(}A3NsKM;R>hD%tS8Zt)iSTT38?ZQ{4J~*z4K6xt`+dp8W07$`HBur3$A+ zL_NOEq*j+Y6hQ21)^QZ`k&^Cr6c_Z2O$^bSM5q^!3&e)NRUkx^vV@hBNUGzMTi(&C zybK{o6|$%jkU&z=mBJ)-E2eja>GuJ>y$S((1r+gT5xT$|u+4 ztnwZ<(esucpjM!QmLWjY&+*4f=3YRf-!rFhYLeG|1BfIZ&4f|&NOJ2e=xn@t2V@EBu-VlTMsaH`hg5PoD)h2lhc=tR^Oyrofs_-TZyM#aC#P zzFe?1pR8*w#irE1c>g1zsu_+av88SMaAY5~IBIYX4S|-5(#8TOR~$oh0pj1j-Hu<9 zy61G^41naca1Z--U$`#UvENY(oB!eC{djKXc{BtxT8L-CXNTTU&a)Zh24%$mlxFbc{8U6-a{|JvTGu-0i}@!A*IX#=`bDdg6pb|ukr#<2PJqG>KpsamW&0J?Dj3W~3Q|^n zt~%1YNa;Loh4?GlE2(`*rc^d@d&r2WlZ>+EhA=;rcz&1t^}8pcr=oh9iOlf z3sB_PW*zg_jUK{*5ifvZCxwI5#oy`fyYwSR7AUa!{lI0GfCFas3TdS`WFoUp;^VRE z!fEVxSh-UUY$#Y$<3G zXcuz^0w3pX9a!e=u;8eyJm%GT^ga}5696?Cd5;`;DaH~`FV$6t%ITf4@CHGo*!VZNEd`fa`LR>xYZb_Y;@vwy=NwMHAKfnR! 
zztriSFbT^v^F^jk3Rbs*we}L;0KfzMs~EBHuQ2cg1~`O#80NjzMU$aJ-l1dE3}ka6 zulWGTCg=gzn2-mwJ(Y;!V_5OD5)*lhl(Bb+ii~-f<*>^)atB*F+YwqQFdU+|SyA*g zl_P7&ZF|vY7<0xn8W^A(bePL^Jir>^k;8;^Y(9-ld~XK*iV!F9kjv-So9I6cq9|+c zp;TTqsBjx7!ZLQA4v6m}7@o2axpy2I_SI?npM~*W<+BKi-~Bk+VylG{f4aV0S5|&% zW=6k1gQ+p6(4+_?7DB%fg^_v^q|_+(=2_xl*OOH*Ia;MJ&0vkZvDshLRspTUCzEzR z$FAe56dh)eIocKjgnxAXjd4t&2-4{?!SmbMr3XE|r^$F;+tLQnxxom-gD2ERDQ1!rcoc0qlMH(J54{D=@_CJODVn!TKd7mJ`Ju38$$cY~ zpUaVrj6~;AOZ(vl736H9k$}~Wka^Rsp9LGIYZcL7I8yq(rupa2rx@ymI}b2F;J?7a zILRuLC_oTkspvu6>Ivo^f~%z;z7m=L+Nf}w)}(=lEk#1{?Wpyze?u1N=j z))%BWzP6RreUNwQGlDWT1KgaJa5Ho zTuf+u9gPzZQgs#*Q#H}WP=p})9XWCS%Dy5AX-={v4N!s6yc^FoO%K*v!*0_ z#$y+QU7+qPK_m_=iH~AKJk3@BK26pqND!-;%tcX2-+@oqzn z4}J-5W?~SYn&a64&W*C;M$Sw0>jl~=S{6)=5UYsk5ZGiQO-}Jovjj7wloGu9MFv+u zCtAOvhz>Mpo7Ay_FtAP3)P~=rd64hK!x?Hv`=uj^T^VV!5D;yFoBRc}i86nGN7gc# z{IF+`^SZu_5wk3Iz2XXcg@G8LjWiXnRfBWUM=er}Rx0b9w# zcyrBVFeO3X2dL9f>PD@@W&a0FgGv-yMGFXN$0)b;3pGTRIAjTM##>1WY3m822SN&u zlV!rwKy0;v!3i8-SHbv$(U6?k7VJ%R`Z6r4kFoRV!`~o(-0r6O7KFGTx{bG3SigrFyW+4xlIx|s-aefah z3@~Ltdks}t{zWrK*m5uUI)i@eQ@IV4Jq^8&b~Gb#OgjAL4P!;;fWyg3rG04`NH}4Y zR`$OI{Ef;Sf6eq@g3L8A*9@mnRXGlL@{9nFf?@02OwaW$R*cm;5zyubA^8`557MyT)z&t$RvGaH11z!{8Fi zx=k1oReUO?ZE}h;jj$|Wi_f_H0aW%2k$8?jZ*F)n(Tc@nIo_hG!vy*^#>d%ZZpOkjWagZRl^qjT!tajx4*Fy24k zm*#QaRgAO5;t$2=jzNxCV2 ztse7k-}!7=|8C%~_x#E22Tu)w#z^g&L}|ul$K!#EC>8{k6n~(oU!JN%MKLzN2)Ttx|;V8`SadX8n1^-ug*_q7p$6 zSEA_sX1!Og;OpxH@YC*`N&&$1;a2GL_ew3RcJ}f{f0bgiY(lTqi0Yp%@u5}!WH-8^ zs@9QZ?o_2SgzEk>x;62p{kqF`De=rQ+u0BL$<~SdcDDDd0pMLd7X71FpKH<0mC6ND25^Q12TT8%u9!->zP zO2ZnX^2cv%ng@m$oF~~8nkd_`?z{0N6glN!`r1X2`z{m*JW;DeXGF7KqkI{TQ^J&d z`^@cx7?t&Be-X;iNC9CYzq#e|l#PgEB}##tWWKa1t^VW|O}>isHS@@VKdY~+Yy+G3 zwYPLVHCvun<*zMg8eOzw;KFdvwwR-pS$`JPlryCc81$lCX~I61z0qB@!vOx?e{JuRn7*kOS?TVgaWQ&C_#!)Ec&7<G=EGGnQTA6%CThiC@JMwjOegUJr(E_L>?%Ph?cwYh`Hw0ijY824E(DFVVV zv1BDUu-#h02(v7wI~sLycA}!XZ!E50U98$tNc4iKU3BEr$2=%}6n>o?Ck$`c3dY4j zjB=$qDvieQVF94s&?a?3UJ_g+i*cqA6J~53{yyQj$&Di3TObVyJi)2GSkWGiJzLox 
za*WPkI%#@kJ+n4MU5&-)h^|uUgbGOt85BBEDTOep5I{!XWmbzM3zQNbz0zwrwT#pg z5xasp1&?bOO<_H*#BK^1syqw-kWnUyz>g=oS!Z8O&H-?|+O|-q&Ddnf`sQ0udK)&3 zI2LT=I*}IRsAB`KqY8^#T?PdT5=F~HvF3oFUKGnK+O?R6BGhhvX`J*`=k8USv>sL^U8Ig51JnGbAw$y9}> zp2-L$smLIHz94bLf<_t$GYdP+Db3GrGw6Spnnv6_r`nYMd^{fX=@E`(>&d(t@tC3O zUYANvRpQVU+S3hJB`47(ZEg~-e$1NkAz$S=O99>n%9OoL_`&cr1Ia%-J0gd`Qs>)b z8f&y;b^PSijrWEY6IGyekUFj@1)0Pk`^X?cIo;>3%7jYkD5lbasJ_V`!9KHYk;0}; zu=lLdEUeH(=Y}!1QOk>Xg!os`4w&?y3$je(<_^5FDSYtUltdR(d@rkh8{YN^7b+DN z_yfA;W>%?!M{F_RJ+8b{$|JqeeBgpx-O#g0jW~(jqCsJcxc*VS zyo9FOL9L&FiZc24UgRa-SeH5P7+uK4fH@btSMX4GmxkS`DC>d*@Ch<5Uwqq~I0sx7 z5^VHgstX`$wwpw5i~Vgk7J~k~I{H>C*I%oxF;$=B46wLHm&x4rO+jULg1HqQL+bx4?g>W@d}vc+mIBZnzC&=cHC{5{lnmrJ1q1(UZ9Nc zz^7WYTE+yyb4cuRtaXWN!0YO#D-4Kfl8yqMaHr|_&hCZ&nn(h(x8xdOFKLj~U;w%v zP-6@8`ZX-A{C#wJYWvG0CO#(BvfEI)bAy=Uk&AH`C$v8 zu*Fgs2$F13;{WrjmLrhdNu#0o!we#6pfr2Vl_jMCpCRSX;(Mj6c5%_pEHr?JHS3D3 zQC)d+ejxOBL|d+?M7_2}Fy|-CLogj1#Rae=LiPrhgZ~*z0|`$=6WYO-8*0;EyWfyHT*Ml6{)7O- zUWnsQx|a?nIhl1t;c@8yOKW{Ok+LTkYS#DpqGJ|r`7zUUleToGs)89g7nhDo0*GSsXLz3)d{Nq&3ZBOmDd8s06UH{cpev^U%!5 zQw0q0_scvBR+q2jz;xG9oR8q?@3^2}s9!M6{V$d0b~2F+za4_?T83lQAV3T6NXp zc#{6cITVX7UQqcPi6KA&_53n@N5Kkd3pwkaPoqcmgN`pR0`;)$(#E15r<1==fJqB}l8QqYj4bd$z4x;P8@vQ6 zp;p#Jf%-(oW(9L3*z5cm&Ts@04ky$XMw(xG>kA472gfITe*my)1v5S~5d-@GU+s54 z{DBkQb|ckkYSCj=S9C531(4t@$E;nPT94wcvVtFy;SNAzWt6C5TsM7n6jb7P3`b|p z2fKhvbfZAm+$JZe_Ald10c-TQ-B_f^nfD?ItROo=Sup73oE{RFGe2;)&@bFe zi~n^D{z)hmmH|M)i?Pcm=}{EE5?kZ#LY<|5Oy)W@`zBV3F)y(O`{OgSKVXJYXTMsb zm4~3<_+BGi*s~{36L#S}S$7pYf21WP%O~M%6K;JGFxx_R5W~fp_O9<-yEukgGr(BR zZE15KO${88Fod#1PNH)7bRhjX0#)7W6uS^&k%5Gtl?DuqP|h+brHC66)gxm>M#eSJ zj~KgpV4PFX%5+$ED8aaw$F_i>fWAec_hNIi8O^RC1Xdi!fboGylg94j4D5(~vPXgV zA4Bg3**E+i%JIYSv6N(_=lGnnD36tuXjxkz_i2tMQ`;5gA7l~z6e@EFa~olY{G1qP zFXV2*vjCg{xCWp(1eD_PARj_8C0R(GtB}ID0PIPd<4Oi{!dMH2Ha*y1C`RFGwjsa! 
ziNdwC!71ZSIV7p7hhRL0PHy)`#F!xMK=E8Ei0(_ugt8?LLb%}oIlt3wW*tIfR$M3{ zF-2a}JZA3CHLh--ykA@jEb`rgQC=sPK%pdr%>f;`QgV2a!s@D}=Nd4lOb0!wBh#IW zjcy1XDt`%$)qUx|f`^AJ^4co2w463(MI2sMBZsGCz7o|Tvao$i=DoCc_}#HwIW*(pj?-pLKBQ9vJhj-$w5@_d4@nd@wS z5dok!e&ku^WrIKxEsATA-(MTiA@6k%-_v3TcVLR7H&$$#jfvgFb?z@vg3}XKT}jvy zhh<>2>yD<8X~3XqLHEUCASORuAHdM=DkaBO6DEJf_TE#pL1v(&#Na1YgXXal&t(Zm zWIKpJBvM|KrY#YOZ9&+kJy^QPsGU+Jod8VUlrlI!MkV~9>Ly|8?`bC0ZDl23ZDBd$ z23L!mv{+d6$YLO00?i5rkzfc4$zN{bJ;bv7sXnuYmd4Ku~c&$%jYkv;m8fgl>ygjH%7?fZDDdi5obD5mRn z5s2lK-oiNz0-F-!R@XUXkNILC%=H$b4bXXdI>X2c5^?wGg7h7ya?5O6V};ZW2Rmks z>c8ly>r-Tp>hQ}pGK<>c>!*3Vx&VH;6shajcb^;f_5idzOdZt@ zJCpwlW4Rs+OdCAiHV8}wXexu)A}Wx3HWT65HC&Hgw%;b8qVavKSE4Ols9EmI^1+iQ z^}mzO_bgncb}AEin_mc{k}At#u<5sq*r2l5N7Ith)SI{X=73RtNHL`ga4g1jnR6X^ zxdjO0TdnN9F&gzrI2;a!e*rR{qBFi+uPhF!WM@G)o97yBCdz&Ajq->#3&9}`Jpv5= zSe^zS(vEI09yBAWR-j98^;4>)tvVz#rEF&s?2s;7CCk^U8SN!r81vc9Gh{a{u>id2*C0r@mGq}9 zE>dvyV~X%Q+$}VYEWN)<5Ky0XGCKvmd*)qr6Q=JhUX_he8BA*BPLV5>gLF;P5v6j?h9X?kSz;_{ zC#;qK#SyuK$Tn66S?R`vUMevHMxRS67NN2J3yb=O&zNCJep#KWUR61}*M8KTkt&fP z+f&kW9nXYu*p7fvP9Yhqx;>uXMvqYAF6v<#LC{{u6Y%3%In40$rI?Yvs)~>sPm;uf z?xZWDADHRX8jXcUbIr_ZCM_##yRQWibmYWPv*MjP#Q^+->GORWTq~dXTPrvjQQm$s zan1F@)4h{0(fy)lZFis(!&8qwxebOUSQLP?JZ(jZoR7O%Q~1zNRU;wKoNMD4dA`H( z{#a~F4$u}Ptf%~!NrY6wV6Q)&96H$PnA}17wv(r!ZLhNG+}QUb&a~6}r2Qf^6}H*- zN3Lb4%rW#IPkd>=kromuJ(aU^FeL)|e(1aY#2-&|NcM9t38maOnK=ek4%q342Lvq( znGu7p!YM6xjCqwO38KUo@jM~xn~Yhj8g>~Fd4L<^oxCdnJriLtQFnNG+78KcU`UJo z&|ZS_+=NTfB(8?DNPN=*e}RBU%u?bdBTBH+hTy|LC)wM#{dy|is8s_L;4#%!JF!Q> z@J}CG!Ayvgf#^aOaCn&>OP+lby@`R{&FlJaM7*C$NT~XJ<8BOm?|R@4SmQLRz~R{H zJYdQ#;LtlRXWvC1=~aWNcytn1&m>x(wx88W_!-jH1O##LDT|dM!z-EcGwsR{{6PRA zNpQ!ZRcAfpJMx)TWr9_|j?z-c>%$>wkO1oDuCF-=#qp+Hu|b+Uurnu5AZbjeZKLTg z{q1#(+H$g}q!tV;+7T6|B#vxBngtu9BH*r^{Zs`SgHaNjo2AHS?kIgWjeBa(!x@FD z8nTf#feD)bBBh#~$c|3C%JQ9;fDLJ{)xMc-D*YQ&$k?RBKVm#-virn$6Kcx9!wA@KY_E2#a3?EbEo zk=4YuZLwaNM|(D|H2Yz)YR<%aT-jVTo z&Sc*I5-VkNbM|?0!01q{tv+|+4{NH|j@goc;}M-ZU-3ab06=7=W(F&g0=$sPSfVTX 
z@kN`WJi$&V7lfoggwF!imx~_TD|ObAFshMPKed~`a6M1i@qb;$G;({4Rx-f9Yxk=h zeYmUX?->4~3pQ^BmS%|^k)#ACCD+FNuEfc8l!t%k!+xtDW$C+6)B0`|wVXI2WruwuXZygN>b{66$~)af8r6?KVxSGZi$D>Y|7 z+qE2ag(#}&)7-3+RH3=@JPBK&r~~YRZRq~sk8r+lp-oj#Y|o;s82-5F_y!2=3M1_XRNox6iXXbFZ zZNk9zz6tjm5Q&lfSvGsyPH=i+#*^U4YciCP8Aigps6#dPscp3Fyvf4mt;LJp-(006 z_rFGZnH4#t35aH)0Mh<;dr!TAbGR>CA?$e5C$ocn{CGsuP&Xk2I)DlG!b>f$gI*lD8XO<>VFs8u>>Ss&iyZ{@Ya2jPpZi0FRK-I+#C%zrqRB6_7iiUM; zGk-ps+0?nqQIflzJ}Lo4h^!+^$1QG1b(vXkkTf<0z!f|Z-9cfSZDAMT0c(K*QB;D- z4o;y~RJOn>pFcOhMIkGP2>@-Z!iy;4w^RlFQ`Oe^mLwV-;7CJW9AS<3AXMgNrkppy ziD#%bEKAo3DDHEX>`iy5u&cdMoQr~}-5GiMbD8Pu^C^7f_RRghMjNr#kzwS{ypBA# z3-qX0MuZ|CJP@M>nZz9>uA`e`tp#4-_ErYb>`{8#*t4Uw9q;JSLPPE69dN3YZ1WzU z)Ga4Z^g#n>-7D1_FTc#K$Oi-r_GamxI4BY*VMXx(Z3Rd3uGj5^>>Y54+Qu+=K#Jklj7?WT-rOi8KA` zcMdZc6q&`CwykPc3uYc*=rq3g`7Aa7l~%>e6J83ecc(0dc#curErWSVg-$JT`Hz@f zwH0arhAoB*Z};b0VmI(GVY53&rA`*Q=m=sH$64CatpJ%jB=8ie{V7+WSpy;o8uO;& z4)i5Q8-!^a=Ef4BHnxlxIBM@^l95q3J398__?T8pkd3Fy~;?;R1V~1B?WKE}0 ze#y+Zeh|t@@8EgY<>Zn^1Z&Ul^H=5P^sZWv?s^*VnOyfvp>_xZ8>QJ?tS*b?vtKRC zB)MG+XAYK5F{{L6gJy)*oM(B+rw{G0leTU$`X&qz+fEN`Qu zgfOW;?~BP(?+NIA6D+3MF>+WM0v9N&+2EeGu+6{q|2R# zlO%>n+PROYa3rxw^V8KZVQR+v{;kTZ{V+>JWaPg6SifTFEzHJjjR&k-mK3awJa4HR zwx89Q4qwS|ZN?{oOyEg1QHkGB8zZ*>*8e!NbI~;!^X{iAD19fR9D*pHwOATZx6H3? zyJGP^Tk0vlP$`-8F&nT(U5R2w5yZ({M8I=R{qecDhe8&b;3K0Dhmt0>{;R1)W(o+^y7D%eLL6N`?#EdHAvt z6HbQ7SA-itVhRQd2h0-Q-CS61ulenyKt2%utt=Q3(|p{i_ytlzhkfm9>nd~(45Hqs z5WPtGi=UpElm&m>b^;d`w$A4O?~%hoT7Mt6n44=9g%HkKg>jIinUt!z`Eq!N--32= zXQ0WgJzBgy_6TP`3O1Uh`H4>t9~u!+p>btS?|{P4XH`h~3!r?*pzisE*VVfJeQ3Cw zzkN(-OnCct2y)@@AY4n2{C~Q*@@S~nH$KL0Y-MRM_QpjR>rmOV#Spr#T*|(UWwM81 z+`5b~qHnfH*#_Cl7Q)bweGm#+rYxx#d$!^?x8Luae!t)Q*XMcO&wHLfp7WgdIp=-e z&$S*Gs)Uo;O_o|c=+3D;q14rnYAw|Kg|kZ-TwMMBM0SJT*IgD73(6dtZ#o!7h5)ag%y`SbJ)phONy$lMsV7}BbIL%EPcH(=}_0s ziNp9&JI{mlQT6M6moT~^QLL=26l>br#bEV$R=&NxLp+*Bs4Uy@ut0Z=r2FdhKlhaH zP@PArw(G)@SILZ#=S;RpWezHNr`5L$_#@Um%RAkx!fp|qloK`!DpyUf8Sw8Ri?I$t zkmgpg5~J^;NSEyceVN2K`Y7{NjZ|A)7OB_k#~Li{w3=u6$vb4~Y? 
zxg`5*#^hl{O7GX9)MaUJn&_^XAFPvT9n&K+xQJE$8adZ%;(hE+=odT=WmJl2D8}kG zUaLc72s8)xY3^RMxOmP66YQj{(ZTADHPc^`WX2fb|U$+`NJUYOlvYI#-j?o02HrqeQs;Hf{ zn<~!u9i$W0N!e?eO!gbh|3P~g-E-iAgn7GqMc354Q{NGH#@d-@ZTMtVXHH&m7IKfh zY%eT${UlRKI02Fuh`9Ksc%FnKiR&hya4F?SiR9ROW7=4!8o}!=w8OwJWw^Nrt=MD2 z!9c#b1sh)P2a9R;9|KFrOZ84O*N;3he5Vn5D6Jh=m0Vnr{#@W+J^_~%%w+|2%8Et1 zy5Pk=4PC3&LY1-(PX*0mpQQ~leYIBJxNrWucI1YkjO?g6P{L=hlyo7(C&HKKOm57a zb4L&{x+J&S?@Qg<+fT-6L}eTo)K|kUg+cpFJuZXG!6nVMBI&*cgGa^9#rPytjn?F=e(8i>MJXTmmNzK^`#b?)%HuyK+2e0u$``w3pj5aF+O zCxkS-;=Y}l>x!p++`{3IN+hAZbnK{Rf+gO*IhPu`G8fN|lM0L(zeh^H2K7S*@pNWI9F43)sY4>t(gwH8#eX7>`??N{Z#>SO}w#94Sbl6xFEhGy1+3 zUR`BqGaUW&0C{=Q?fj$a1mC~y$!PYTA10L_e!uGMhc8$A3kSuhP#KG=EKrHPHMJd) zi!vezIjf(Dl4l8Fs7fvxgQIJ9Epsjw#lIh<=2ecA65|~S=V(1K zFhzB)_lZ)fGHpX?XQjIrfZM#Gajy!^F33n54^fsal|Nt%1m&j2D$JHQec8MbN3A!) zbaJToG!rBJ0_7YEJu0;zO!i4}<`PC-C^632UX&4TU?6p!8sK&F_`oVk)%C?vlgR2M zTfZsC%Y<3C$Au{R^H6XIGQF}?q9amYH1u1^&THn_01Lv=`#uRIh^^KME?DGIE@{)M0m=F8&JF(-SFEJI zNmXa5R2*E=&Z=Jk=lF?|hRzkrdtYk$w5q2nY2%ouck7P(Cl~)r^X)+BtNwl5e zH@d$mk@UKlAV1#dU{mTlX%^EWTlWFCc39pE6xk!y#y_LHHd;GRb z%QCGUkNmq|)-W?pA?UQ9!BwAbW3K$)Sv6CmcCcsxs(gjavCyk2c@1adn5;ta?ffBLBfV*J~lmg zlq=x}jV7bQO)YhZt_{u7XXdr#)SP(6z5gZ)S>^T|y?)8L z!<`%uJxU2qpqGf!V_ok_w3FQwU%w+Dt4;4bY@W zP3g+C8_P?x_7~;fy=ES2Uq*8Nx%YNSh{( z$qRIri2+2SVjXAsDF_hLCJj6&RjeCon_vJEiDJNfnIbSo%&!xzS72biDIl+%UuV^z z#(>KsuB3D^Hx`tJLDTp}!pCHhqiBoUUE`bcR~q?#n@XBB(%stJygP7o>8f`Pv@j^V zdlB`FQ&B5mHM~0?$#Wn&ASG8}x28~i4WB-1zdoRKUD3xJK*Fma7jVRH z6|%d2DZDAAJL%E~c2ail<79hJCWNRPYwBvl{}S}MdSv$3;D%kzd2st-3uh#T`pTcNzrU>8i=1sG(JyKOwNV8 z<}=WMl}XLCj1ab5lM>!HJV^DnOoDtf)$D9bZ)x55!t*ngqD?N$0P8R}fGZUMp0p_z zb(S&!QzP7U&qxRC|IyQ`?z3f>0vP%gVZU^8Kp-exw&K?^}Lph+4 z!V6dq3xh9}03RuE02mQweEbXqJSXu3TEhbLa^U9q?}%NsAYi17ABY{62Upbr=jug( z?qOco&mv&}ft2VvM5q3n51Oh6Hivb<)h__$5p8fq3lKO0r{_$Vk-P2RQJ%Ch1AQa% zj5pf Date: Thu, 15 Aug 2024 14:20:12 +0400 Subject: [PATCH 06/15] . --- eslzArm/eslz-portal.json | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) 
diff --git a/eslzArm/eslz-portal.json b/eslzArm/eslz-portal.json index 9a1ab2304..ebfc5a38f 100644 --- a/eslzArm/eslz-portal.json +++ b/eslzArm/eslz-portal.json @@ -273,16 +273,20 @@ { "name": "enablePrivateSubnet", "type": "Microsoft.Common.OptionsGroup", - "label": "*New* Audit virtual networks using private subnets", - "defaultValue": "Yes (recommended)", + "label": "*New* Deny virtual networks not using private subnets", + "defaultValue": "Audit only (recommended)", "visible": true, - "toolTip": "If 'Yes' is selected then Azure Policy will audit whether virtual network subnets are private.
Ensure your subnets are secure by default by preventing default outbound access. For more information go to https://aka.ms/defaultoutboundaccessretirement.
Uses the policy Subnets should be private.", + "toolTip": "If 'Audit' is selected then Azure Policy will audit whether virtual network subnets are private. Warning Be careful with selecting Deny as this will block the creation of any virtual network without private subnets.
Ensure your subnets are secure by default by preventing default outbound access. For more information go to https://aka.ms/defaultoutboundaccessretirement.
Uses the policy Subnets should be private.", "constraints": { "allowedValues": [ { - "label": "Yes (recommended)", + "label": "Yes", "value": "Yes" }, + { + "label": "Audit only (recommended)", + "value": "Audit" + }, { "label": "No", "value": "No" From b08b6290daa2e7bf1039aa4b8463d1c208e6254a Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Thu, 15 Aug 2024 14:32:14 +0400 Subject: [PATCH 07/15] feat: Update Subnets should be private policy assignment effect to default to "Audit" --- docs/wiki/Whats-new.md | 2 +- eslzArm/eslz-portal.json | 2 +- eslzArm/eslzArm.json | 17 ++++++++++++----- .../ENFORCE-SubnetPrivatePolicyAssignment.json | 11 ++++++++++- 4 files changed, 24 insertions(+), 8 deletions(-) diff --git a/docs/wiki/Whats-new.md b/docs/wiki/Whats-new.md index 7771751d3..fa78e958d 100644 --- a/docs/wiki/Whats-new.md +++ b/docs/wiki/Whats-new.md 
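Review bot: The new allowed value `"value": "Audit"` (also the default via the "Audit only (recommended)" label) is handed straight to the `enablePrivateSubnet` template parameter, and at this commit that parameter still appears to accept only "Yes"/"No" (the removed lines in the eslzArm.json hunk of the following patch show that set), so the default portal selection would fail parameter validation at deployment until the template change lands with or before this one. The tooltip now warns about "selecting Deny" while the option that produces the deny behaviour is still labelled "Yes"; either relabel it `"label": "Deny"` or reword the warning so users can find the option being warned about. The enclosing OptionsGroup object closes outside this hunk.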
@@ -51,7 +51,7 @@ Here's what's changed in Enterprise Scale/Azure Landing Zones: - Updated the initiative [Deploy-MDFC-Config_20240319](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Deploy-MDFC-Config_20240319.html) to the the newer version of DCSPM: [Configure Microsoft Defender CSPM plan](https://www.azadvertizer.net/azpolicyadvertizer/72f8cee7-2937-403d-84a1-a4e3e57f3c21.html) - Updated [Deploy-Private-DNS-Generic](https://www.azadvertizer.net/azpolicyadvertizer/Deploy-Private-DNS-Generic.html) policy to include the ability to configure the location/region. - Removed duplicate assignment and portal option of [Deploy Azure Policy Add-on to Azure Kubernetes Service clusters](https://www.azadvertizer.net/azpolicyadvertizer/a8eff44f-8c92-45c3-a3fb-9880802d67a7.html) at Landing Zones scope, as this policy is assigned in the initiative [Deploy Microsoft Defender for Cloud configuration](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Deploy-MDFC-Config_20240319.html) at Intermediate Root scope. -- Added new built-in policy assignment and portal option for [Subnets should be private](https://www.azadvertizer.net/azpolicyadvertizer/7bca8353-aa3b-429b-904a-9229c4385837.html) assigned at Platform and Landing Zones management groups. This policy's assignment effect is fixed to "Audit" in this release, giving the community time to adopt the good practice and address subnet compliance. We will enable the "Deny" effect as part of the next Policy Refresh. +- Added new built-in policy assignment and portal option for [Subnets should be private](https://www.azadvertizer.net/azpolicyadvertizer/7bca8353-aa3b-429b-904a-9229c4385837.html) assigned at Platform and Landing Zones management groups. This policy's assignment effect is defaulted to "Audit" in this release, giving the community time to adopt the good practice and address subnet compliance. We will default to the "Deny" effect as part of the next Policy Refresh. ### June 2024 
diff --git a/eslzArm/eslz-portal.json b/eslzArm/eslz-portal.json index ebfc5a38f..8c9b043d9 100644 --- a/eslzArm/eslz-portal.json +++ b/eslzArm/eslz-portal.json @@ -276,7 +276,7 @@ "label": "*New* Deny virtual networks not using private subnets", "defaultValue": "Audit only (recommended)", "visible": true, - "toolTip": "If 'Audit' is selected then Azure Policy will audit whether virtual network subnets are private. Warning Be careful with selecting Deny as this will block the creation of any virtual network without private subnets.
Ensure your subnets are secure by default by preventing default outbound access. For more information go to https://aka.ms/defaultoutboundaccessretirement.
Uses the policy Subnets should be private.", + "toolTip": "If 'Audit' is selected then Azure Policy will audit whether virtual network subnets are private in the Platform and Landing Zones management groups. Warning Be careful with selecting Deny as this will block the creation of any virtual network without private subnets.
Ensure your subnets are secure by default by preventing default outbound access. For more information go to https://aka.ms/defaultoutboundaccessretirement.
Uses the policy Subnets should be private.", "constraints": { "allowedValues": [ { diff --git a/eslzArm/eslzArm.json b/eslzArm/eslzArm.json index 7d16fbd37..0a554c401 100644 --- a/eslzArm/eslzArm.json +++ b/eslzArm/eslzArm.json @@ -16,10 +16,11 @@ }, "enablePrivateSubnet": { "type": "string", - "defaultValue": "No", + "defaultValue": "Audit", "allowedValues": [ - "Yes", - "No" + "Audit", + "Deny", + "Disabled" ] }, "telemetryOptOut": { @@ -6437,7 +6438,7 @@ } }, { - "condition": "[equals(parameters('enablePrivateSubnet'), 'Yes')]", + "condition": "[or(equals(parameters('enablePrivateSubnet'), 'Yes'), equals(parameters('enablePrivateSubnet'), 'Audit'))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", "name": "[variables('deploymentNames').privateSubnetDeploymentName]", @@ -6455,12 +6456,15 @@ "parameters": { "enforcementMode": { "value": "[if(equals(parameters('enablePrivateSubnet'), 'Yes'), 'Default', 'DoNotEnforce')]" + }, + "effect": { + "value": "[if(equals(parameters('enablePrivateSubnet'), 'Yes'), 'Deny', 'Audit')]" } } } }, { - "condition": "[equals(parameters('enablePrivateSubnet'), 'Yes')]", + "condition": "[or(equals(parameters('enablePrivateSubnet'), 'Yes'), equals(parameters('enablePrivateSubnet'), 'Audit'))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", "name": "[variables('deploymentNames').privateSubnetDeploymentName]", @@ -6478,6 +6482,9 @@ "parameters": { "enforcementMode": { "value": "[if(equals(parameters('enablePrivateSubnet'), 'Yes'), 'Default', 'DoNotEnforce')]" + }, + "effect": { + "value": "[if(equals(parameters('enablePrivateSubnet'), 'Yes'), 'Deny', 'Audit')]" } } } diff --git a/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-SubnetPrivatePolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-SubnetPrivatePolicyAssignment.json index 9d33bae48..edb0fe9b6 100644 
--- a/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-SubnetPrivatePolicyAssignment.json +++ b/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-SubnetPrivatePolicyAssignment.json @@ -2,6 +2,15 @@ "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", "contentVersion": "1.0.0.0", "parameters": { + "effect": { + "type": "string", + "allowedValues": [ + "Deny", + "Audit", + "Disabled" + ], + "defaultValue": "Audit" + }, "enforcementMode": { "type": "string", "allowedValues": [ @@ -47,7 +56,7 @@ ], "parameters": { "effect": { - "value": "Audit" + "value": "[parameters('effect')]" } } } From 46a485e6356df41254bf04904dd52260492b5a78 Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Thu, 15 Aug 2024 16:27:19 +0400 Subject: [PATCH 08/15] . --- eslzArm/eslz-portal.json | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/eslzArm/eslz-portal.json b/eslzArm/eslz-portal.json index 8c9b043d9..ac6946935 100644 --- a/eslzArm/eslz-portal.json +++ b/eslzArm/eslz-portal.json @@ -279,18 +279,19 @@ "toolTip": "If 'Audit' is selected then Azure Policy will audit whether virtual network subnets are private in the Platform and Landing Zones management groups. Warning Be careful with selecting Deny as this will block the creation of any virtual network without private subnets.
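Review bot: The new `effect` parameter in the @@ -2,6 +2,15 @@ hunk carries no `metadata.description`, so a consumer of this template has to read the policy rule at the end of the file to learn what "Deny", "Audit" and "Disabled" do; adding `"metadata": { "description": "Effect applied by the 'Subnets should be private' assignment: Deny, Audit or Disabled." }` alongside `defaultValue` documents the contract where the parameter is declared. I cannot see from the hunk whether `enforcementMode` has such a description, so match whichever convention the rest of the parameters block uses.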
Ensure your subnets are secure by default by preventing default outbound access. For more information go to https://aka.ms/defaultoutboundaccessretirement.
Uses the policy Subnets should be private.", "constraints": { "allowedValues": [ - { - "label": "Yes", - "value": "Yes" - }, + // { + // "label": "Yes", + // "value": "Yes" + // }, { "label": "Audit only (recommended)", "value": "Audit" - }, - { - "label": "No", - "value": "No" } + // }, + // { + // "label": "No", + // "value": "No" + // } ] } }, From 5fbe2eb54d33543e64edbe1f3b40dc25093bf5ce Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Thu, 15 Aug 2024 16:28:44 +0400 Subject: [PATCH 09/15] . --- eslzArm/eslz-portal.json | 9 --------- 1 file changed, 9 deletions(-) diff --git a/eslzArm/eslz-portal.json b/eslzArm/eslz-portal.json index ac6946935..5f85ee9b9 100644 --- a/eslzArm/eslz-portal.json +++ b/eslzArm/eslz-portal.json @@ -279,19 +279,10 @@ "toolTip": "If 'Audit' is selected then Azure Policy will audit whether virtual network subnets are private in the Platform and Landing Zones management groups. Warning Be careful with selecting Deny as this will block the creation of any virtual network without private subnets.
Ensure your subnets are secure by default by preventing default outbound access. For more information go to https://aka.ms/defaultoutboundaccessretirement.
Uses the policy Subnets should be private.", "constraints": { "allowedValues": [ - // { - // "label": "Yes", - // "value": "Yes" - // }, { "label": "Audit only (recommended)", "value": "Audit" } - // }, - // { - // "label": "No", - // "value": "No" - // } ] } }, From 814188f345728d0f09e02d883bb7f38b48914cd4 Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Thu, 15 Aug 2024 16:30:54 +0400 Subject: [PATCH 10/15] . --- eslzArm/eslz-portal.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/eslzArm/eslz-portal.json b/eslzArm/eslz-portal.json index 5f85ee9b9..143144b73 100644 --- a/eslzArm/eslz-portal.json +++ b/eslzArm/eslz-portal.json @@ -276,7 +276,7 @@ "label": "*New* Deny virtual networks not using private subnets", "defaultValue": "Audit only (recommended)", "visible": true, - "toolTip": "If 'Audit' is selected then Azure Policy will audit whether virtual network subnets are private in the Platform and Landing Zones management groups. Warning Be careful with selecting Deny as this will block the creation of any virtual network without private subnets.
Ensure your subnets are secure by default by preventing default outbound access. For more information go to https://aka.ms/defaultoutboundaccessretirement.
Uses the policy Subnets should be private.", + "toolTip": "If 'Audit' is selected then Azure Policy will audit whether virtual network subnets are private in the Platform and Landing Zones management groups. We are only enabling AUDIT at this time, as ALZ will not deploy is DENY is selected currently.
Ensure your subnets are secure by default by preventing default outbound access. For more information go to https://aka.ms/defaultoutboundaccessretirement.
Uses the policy Subnets should be private.", "constraints": { "allowedValues": [ { From f5b14fa2e191b904f83b6c54ca04ab33c79484d1 Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Thu, 15 Aug 2024 16:50:37 +0400 Subject: [PATCH 11/15] . --- eslzArm/eslz-portal.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/eslzArm/eslz-portal.json b/eslzArm/eslz-portal.json index 143144b73..4a417ed58 100644 --- a/eslzArm/eslz-portal.json +++ b/eslzArm/eslz-portal.json @@ -276,7 +276,7 @@ "label": "*New* Deny virtual networks not using private subnets", "defaultValue": "Audit only (recommended)", "visible": true, - "toolTip": "If 'Audit' is selected then Azure Policy will audit whether virtual network subnets are private in the Platform and Landing Zones management groups. We are only enabling AUDIT at this time, as ALZ will not deploy is DENY is selected currently.
Ensure your subnets are secure by default by preventing default outbound access. For more information go to https://aka.ms/defaultoutboundaccessretirement.
Uses the policy Subnets should be private.", + "toolTip": "If 'Audit' is selected then Azure Policy will audit whether virtual network subnets are private in the Platform and Landing Zones management groups. We are only enabling AUDIT at this time, as ALZ will not deploy if DENY is selected currently.
Ensure your subnets are secure by default by preventing default outbound access. For more information go to https://aka.ms/defaultoutboundaccessretirement.
Uses the policy Subnets should be private.", "constraints": { "allowedValues": [ { From 33306fdbfff0d7c18fe9a8510339b6ce36bc0114 Mon Sep 17 00:00:00 2001 From: github-actions <41898282+github-actions[bot]@users.noreply.github.com> Date: Thu, 15 Aug 2024 12:56:03 +0000 Subject: [PATCH 12/15] Auto-update Portal experience [Springstone/f1554a8f] --- .../policyDefinitions/initiatives.json | 4 ++-- .../policyDefinitions/policies.json | 6 +++--- .../roleDefinitions/customRoleDefinitions.json | 4 ++-- 3 files changed, 7 insertions(+), 7 deletions(-) diff --git a/eslzArm/managementGroupTemplates/policyDefinitions/initiatives.json b/eslzArm/managementGroupTemplates/policyDefinitions/initiatives.json index e6225372d..ab9cbd9da 100644 --- a/eslzArm/managementGroupTemplates/policyDefinitions/initiatives.json +++ b/eslzArm/managementGroupTemplates/policyDefinitions/initiatives.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.28.1.47646", - "templateHash": "9203697895916455860" + "version": "0.29.47.4906", + "templateHash": "14175278704503096" } }, "parameters": { diff --git a/eslzArm/managementGroupTemplates/policyDefinitions/policies.json b/eslzArm/managementGroupTemplates/policyDefinitions/policies.json index 89e201baa..02faa4153 100644 --- a/eslzArm/managementGroupTemplates/policyDefinitions/policies.json +++ b/eslzArm/managementGroupTemplates/policyDefinitions/policies.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.28.1.47646", - "templateHash": "2449863039247600800" + "version": "0.29.47.4906", + "templateHash": "1206003654465253802" } }, "parameters": { 
@@ -124,7 +124,7 @@ "$fxv#139": "{\n \"name\": \"Modify-NSG\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Enforce specific configuration of Network Security Groups (NSG)\",\n \"description\": \"This policy enforces the configuration of Network Security Groups (NSG).\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Modify\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"nsgRuleName\": {\n \"type\": \"string\",\n \"defaultValue\": \"DenyAnyInternetOutbound\"\n },\n \"nsgRulePriority\": {\n \"type\": \"integer\",\n \"defaultValue\": 1000\n },\n \"nsgRuleDirection\": {\n \"type\": \"string\",\n \"allowedValues\": [\n \"Inbound\",\n \"Outbound\"\n ],\n \"defaultValue\": \"Outbound\"\n },\n \"nsgRuleAccess\": {\n \"type\": \"string\",\n \"allowedValues\": [\n \"Allow\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"nsgRuleProtocol\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"nsgRuleSourceAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"nsgRuleSourcePortRange\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"nsgRuleDestinationAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"Internet\"\n },\n \"nsgRuleDestinationPortRange\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"nsgRuleDescription\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny any outbound traffic to the Internet\"\n }\n },\n 
\"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/networkSecurityGroups\"\n },\n {\n \"count\": {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules[*]\"\n },\n \"equals\": 0\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7\"\n ],\n \"conflictEffect\": \"audit\",\n \"operations\": [\n {\n \"operation\": \"add\",\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules[*]\",\n \"value\": {\n \"name\": \"[[parameters('nsgRuleName')]\",\n \"properties\": {\n \"description\": \"[[parameters('nsgRuleDescription')]\",\n \"protocol\": \"[[parameters('nsgRuleProtocol')]\",\n \"sourcePortRange\": \"[[parameters('nsgRuleSourcePortRange')]\",\n \"destinationPortRange\": \"[[parameters('nsgRuleDestinationPortRange')]\",\n \"sourceAddressPrefix\": \"[[parameters('nsgRuleSourceAddressPrefix')]\",\n \"destinationAddressPrefix\": \"[[parameters('nsgRuleDestinationAddressPrefix')]\",\n \"access\": \"[[parameters('nsgRuleAccess')]\",\n \"priority\": \"[[parameters('nsgRulePriority')]\",\n \"direction\": \"[[parameters('nsgRuleDirection')]\"\n }\n }\n }\n ]\n }\n }\n }\n }\n}", "$fxv#14": "{\n \"name\": \"Deny-PostgreSql-http\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"PostgreSQL database servers enforce SSL connection.\",\n \"description\": \"Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). 
Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\",\n \"metadata\": {\n \"version\": \"1.0.1\",\n \"category\": \"SQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"minimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Select version minimum TLS for PostgreSQL server\",\n \"description\": \"Select version minimum TLS version Azure Database for PostgreSQL server to enforce\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.DBforPostgreSQL/servers\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.DBforPostgreSQL/servers/sslEnforcement\",\n \"exists\": \"false\"\n },\n {\n \"field\": \"Microsoft.DBforPostgreSQL/servers/sslEnforcement\",\n \"notEquals\": \"Enabled\"\n },\n {\n \"field\": \"Microsoft.DBforPostgreSQL/servers/minimalTlsVersion\",\n \"notequals\": \"[[parameters('minimalTlsVersion')]\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", "$fxv#140": "{\n \"name\": \"Modify-UDR\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n 
\"mode\": \"All\",\n \"displayName\": \"Enforce specific configuration of User-Defined Routes (UDR)\",\n \"description\": \"This policy enforces the configuration of User-Defined Routes (UDR) within a subnet.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Modify\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"addressPrefix\": {\n \"type\": \"string\",\n \"metadata\": {\n \"description\": \"The destination IP address range in CIDR notation that this Policy checks for within the UDR. Example: 0.0.0.0/0 to check for the presence of a default route.\",\n \"displayName\": \"Address Prefix\"\n }\n },\n \"nextHopType\": {\n \"type\": \"string\",\n \"metadata\": {\n \"description\": \"The next hope type that the policy checks for within the inspected route. 
The value can be Virtual Network, Virtual Network Gateway, Internet, Virtual Appliance, or None.\",\n \"displayName\": \"Next Hop Type\"\n },\n \"allowedValues\": [\n \"VnetLocal\",\n \"VirtualNetworkGateway\",\n \"Internet\",\n \"VirtualAppliance\",\n \"None\"\n ]\n },\n \"nextHopIpAddress\": {\n \"type\": \"string\",\n \"metadata\": {\n \"description\": \"The IP address packets should be forwarded to.\",\n \"displayName\": \"Next Hop IP Address\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/routeTables\"\n },\n {\n \"count\": {\n \"field\": \"Microsoft.Network/routeTables/routes[*]\"\n },\n \"equals\": 0\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7\"\n ],\n \"conflictEffect\": \"audit\",\n \"operations\": [\n {\n \"operation\": \"add\",\n \"field\": \"Microsoft.Network/routeTables/routes[*]\",\n \"value\": {\n \"name\": \"default\",\n \"properties\": {\n \"addressPrefix\": \"[[parameters('addressPrefix')]\",\n \"nextHopType\": \"[[parameters('nextHopType')]\",\n \"nextHopIpAddress\": \"[[parameters('nextHopIpAddress')]\"\n }\n }\n }\n ]\n }\n }\n }\n }\n}", - "$fxv#141": "{\n \"name\": \"Deploy-Private-DNS-Generic\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Deploy-Private-DNS-Generic\",\n \"description\": \"Configure private DNS zone group to override the DNS resolution for PaaS services private endpoint. 
See https://aka.ms/pepdnszones for information on values to provide to parameters in this policy.\",\n \"metadata\": {\n \"version\": \"2.0.0\",\n \"category\": \"Networking\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \t\"AzureChinaCloud\",\n \t\t\"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n },\n \"privateDnsZoneId\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Private DNS Zone ID for PaaS services\",\n \"description\": \"The private DNS zone name required for specific PaaS Services to resolve a private DNS Zone.\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"assignPermissions\": true\n }\n },\n \"resourceType\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"PaaS private endpoint resource type\",\n \"description\": \"The PaaS endpoint resource type.\"\n }\n },\n \"groupId\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"PaaS Private endpoint group ID (subresource)\",\n \"description\": \"The group ID of the PaaS private endpoint. Also referred to as subresource.\"\n }\n },\n \"evaluationDelay\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Evaluation Delay\",\n \"description\": \"The delay in evaluation of the policy. 
Review delay options at https://learn.microsoft.com/en-us/azure/governance/policy/concepts/effect-deploy-if-not-exists\"\n },\n \"defaultValue\": \"PT10M\"\n },\n \"location\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Location (Specify the Private Endpoint location)\",\n \"description\": \"Specify the Private Endpoint location\",\n \"strongType\": \"location\"\n },\n \"defaultValue\": \"uksouth\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"location\",\n \"equals\": \"[[parameters('location')]\"\n },\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/privateEndpoints\"\n },\n {\n \"count\": {\n \"field\": \"Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*]\",\n \"where\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].privateLinkServiceId\",\n \"contains\": \"[[parameters('resourceType')]\"\n },\n {\n \"field\": \"Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]\",\n \"equals\": \"[[parameters('groupId')]\"\n }\n ]\n }\n },\n \"greaterOrEquals\": 1\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Network/privateEndpoints/privateDnsZoneGroups\",\n \"evaluationDelay\": \"[[parameters('evaluationDelay')]\",\n \"roleDefinitionIds\": [\n \"/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"incremental\",\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"type\": \"string\"\n },\n \"privateEndpointName\": {\n \"type\": \"string\"\n },\n \"location\": {\n \"type\": \"string\"\n }\n },\n \"resources\": [\n {\n \"name\": \"[[concat(parameters('privateEndpointName'), '/deployedByPolicy')]\",\n 
\"type\": \"Microsoft.Network/privateEndpoints/privateDnsZoneGroups\",\n \"apiVersion\": \"2020-03-01\",\n \"location\": \"[[parameters('location')]\",\n \"properties\": {\n \"privateDnsZoneConfigs\": [\n {\n \"name\": \"PaaS-Service-Private-DNS-Zone-Config\",\n \"properties\": {\n \"privateDnsZoneId\": \"[[parameters('privateDnsZoneId')]\"\n }\n }\n ]\n }\n }\n ]\n },\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('privateDnsZoneId')]\"\n },\n \"privateEndpointName\": {\n \"value\": \"[[field('name')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}\n", + "$fxv#141": "{\n \"name\": \"Deploy-Private-DNS-Generic\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Deploy-Private-DNS-Generic\",\n \"description\": \"Configure private DNS zone group to override the DNS resolution for PaaS services private endpoint. 
See https://aka.ms/pepdnszones for information on values to provide to parameters in this policy.\",\n \"metadata\": {\n \"version\": \"2.0.0\",\n \"category\": \"Networking\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \t\"AzureChinaCloud\",\n \t\t\"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n },\n \"privateDnsZoneId\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Private DNS Zone ID for PaaS services\",\n \"description\": \"The private DNS zone name required for specific PaaS Services to resolve a private DNS Zone.\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"assignPermissions\": true\n }\n },\n \"resourceType\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"PaaS private endpoint resource type\",\n \"description\": \"The PaaS endpoint resource type.\"\n }\n },\n \"groupId\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"PaaS Private endpoint group ID (subresource)\",\n \"description\": \"The group ID of the PaaS private endpoint. Also referred to as subresource.\"\n }\n },\n \"evaluationDelay\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Evaluation Delay\",\n \"description\": \"The delay in evaluation of the policy. 
Review delay options at https://learn.microsoft.com/en-us/azure/governance/policy/concepts/effect-deploy-if-not-exists\"\n },\n \"defaultValue\": \"PT10M\"\n },\n \"location\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Location (Specify the Private Endpoint location)\",\n \"description\": \"Specify the Private Endpoint location\",\n \"strongType\": \"location\"\n },\n \"defaultValue\": \"northeurope\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"location\",\n \"equals\": \"[[parameters('location')]\"\n },\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/privateEndpoints\"\n },\n {\n \"count\": {\n \"field\": \"Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*]\",\n \"where\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].privateLinkServiceId\",\n \"contains\": \"[[parameters('resourceType')]\"\n },\n {\n \"field\": \"Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]\",\n \"equals\": \"[[parameters('groupId')]\"\n }\n ]\n }\n },\n \"greaterOrEquals\": 1\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Network/privateEndpoints/privateDnsZoneGroups\",\n \"evaluationDelay\": \"[[parameters('evaluationDelay')]\",\n \"roleDefinitionIds\": [\n \"/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"incremental\",\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"type\": \"string\"\n },\n \"privateEndpointName\": {\n \"type\": \"string\"\n },\n \"location\": {\n \"type\": \"string\"\n }\n },\n \"resources\": [\n {\n \"name\": \"[[concat(parameters('privateEndpointName'), '/deployedByPolicy')]\",\n 
\"type\": \"Microsoft.Network/privateEndpoints/privateDnsZoneGroups\",\n \"apiVersion\": \"2020-03-01\",\n \"location\": \"[[parameters('location')]\",\n \"properties\": {\n \"privateDnsZoneConfigs\": [\n {\n \"name\": \"PaaS-Service-Private-DNS-Zone-Config\",\n \"properties\": {\n \"privateDnsZoneId\": \"[[parameters('privateDnsZoneId')]\"\n }\n }\n ]\n }\n }\n ]\n },\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('privateDnsZoneId')]\"\n },\n \"privateEndpointName\": {\n \"value\": \"[[field('name')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}\n", "$fxv#142": "{\n \"name\": \"DenyAction-DeleteResources\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Do not allow deletion of specified resource and resource type\",\n \"description\": \"This policy enables you to specify the resource and resource type that your organization can protect from accidentals deletion by blocking delete calls using the deny action effect.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"General\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Name\",\n \"description\": \"Provide the name of the resource that you want to protect from accidental deletion.\"\n }\n },\n \"resourceType\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Type\",\n \"description\": \"Provide the resource type that you want to protect from accidental deletion.\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the 
execution of the policy\"\n },\n \"allowedValues\": [\n \"DenyAction\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DenyAction\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"[[parameters('resourceType')]\"\n },\n {\n \"field\": \"name\",\n \"like\": \"[[parameters('resourceName')]\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"actionNames\": [\n \"delete\"\n ]\n }\n }\n }\n }\n}\n", "$fxv#143": "{\n \"name\": \"Audit-MachineLearning-PrivateEndpointId\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Control private endpoint connections to Azure Machine Learning\",\n \"description\": \"Audit private endpoints that are created in other subscriptions and/or tenants for Azure Machine Learning.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Machine Learning\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.MachineLearningServices/workspaces/privateEndpointConnections\"\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/privateEndpointConnections/privateLinkServiceConnectionState.status\",\n \"equals\": \"Approved\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/privateEndpointConnections/privateEndpoint.id\",\n \"exists\": false\n },\n {\n \"value\": 
\"[[split(concat(field('Microsoft.MachineLearningServices/workspaces/privateEndpointConnections/privateEndpoint.id'), '//'), '/')[2]]\",\n \"notEquals\": \"[[subscription().subscriptionId]\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", "$fxv#144": "{\n \"name\": \"Deny-AA-child-resources\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"No child resources in Automation Account\",\n \"description\": \"This policy denies the creation of child resources on the Automation Account\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Automation\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"in\": [\n \"Microsoft.Automation/automationAccounts/runbooks\",\n \"Microsoft.Automation/automationAccounts/variables\",\n \"Microsoft.Automation/automationAccounts/modules\",\n \"Microsoft.Automation/automationAccounts/credentials\",\n \"Microsoft.Automation/automationAccounts/connections\",\n \"Microsoft.Automation/automationAccounts/certificates\"\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", diff --git a/eslzArm/managementGroupTemplates/roleDefinitions/customRoleDefinitions.json b/eslzArm/managementGroupTemplates/roleDefinitions/customRoleDefinitions.json index 385dcbebd..6c8ce646a 100644 
--- a/eslzArm/managementGroupTemplates/roleDefinitions/customRoleDefinitions.json +++ b/eslzArm/managementGroupTemplates/roleDefinitions/customRoleDefinitions.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.28.1.47646", - "templateHash": "7289710698265093596" + "version": "0.29.47.4906", + "templateHash": "12429908550017328445" } }, "variables": { From 46954e4d7712eec09d8f5c9ca779b33bd36dba29 Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Thu, 15 Aug 2024 18:30:04 +0400 Subject: [PATCH 13/15] feat: Update label for subnets should be private policy in eslz-portal.json --- eslzArm/eslz-portal.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/eslzArm/eslz-portal.json b/eslzArm/eslz-portal.json index 5f34cbcba..5e15f1497 100644 --- a/eslzArm/eslz-portal.json +++ b/eslzArm/eslz-portal.json @@ -273,7 +273,7 @@ { "name": "enablePrivateSubnet", "type": "Microsoft.Common.OptionsGroup", - "label": "*New* Deny virtual networks not using private subnets", + "label": "*New* Enforce subnets should be private", "defaultValue": "Audit only (recommended)", "visible": true, "toolTip": "If 'Audit' is selected then Azure Policy will audit whether virtual network subnets are private in the Platform and Landing Zones management groups. We are only enabling AUDIT at this time, as ALZ will not deploy if DENY is selected currently.
Ensure your subnets are secure by default by preventing default outbound access. For more information go to https://aka.ms/defaultoutboundaccessretirement.
Uses the policy Subnets should be private.", From fd57bf35c68ceaacd24be607898293bf21243a58 Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Thu, 15 Aug 2024 18:42:21 +0400 Subject: [PATCH 14/15] . --- eslzArm/eslz-portal.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/eslzArm/eslz-portal.json b/eslzArm/eslz-portal.json index 5e15f1497..1f5e6446e 100644 --- a/eslzArm/eslz-portal.json +++ b/eslzArm/eslz-portal.json @@ -276,7 +276,7 @@ "label": "*New* Enforce subnets should be private", "defaultValue": "Audit only (recommended)", "visible": true, - "toolTip": "If 'Audit' is selected then Azure Policy will audit whether virtual network subnets are private in the Platform and Landing Zones management groups. We are only enabling AUDIT at this time, as ALZ will not deploy if DENY is selected currently.
Ensure your subnets are secure by default by preventing default outbound access. For more information go to https://aka.ms/defaultoutboundaccessretirement.
Uses the policy Subnets should be private.", + "toolTip": "Ensure your subnets are secure by default by preventing default outbound access. For more information go to https://aka.ms/defaultoutboundaccessretirement.
Uses the policy Subnets should be private.", "constraints": { "allowedValues": [ { From 0204f02e1ccc97fe025504a5bdd08fb6288569eb Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Mon, 19 Aug 2024 15:07:00 +0400 Subject: [PATCH 15/15] Update eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-SubnetPrivatePolicyAssignment.json Co-authored-by: Jack Tracey <41163455+jtracey93@users.noreply.github.com> --- .../ENFORCE-SubnetPrivatePolicyAssignment.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-SubnetPrivatePolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-SubnetPrivatePolicyAssignment.json index edb0fe9b6..c1092bb31 100644 --- a/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-SubnetPrivatePolicyAssignment.json +++ b/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-SubnetPrivatePolicyAssignment.json @@ -29,7 +29,7 @@ "privateSubnet": "/providers/Microsoft.Authorization/policyDefinitions/7bca8353-aa3b-429b-904a-9229c4385837" }, "policyAssignmentNames": { - "privateSubnet": "Enforce-Subnet-private", + "privateSubnet": "Enforce-Subnet-Private", "description": "Ensure your subnets are secure by default by preventing default outbound access. For more information go to https://aka.ms/defaultoutboundaccessretirement", "displayName": "Subnets should be private" },
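Review bot: The replaced toolTip drops the caveat that ALZ will not deploy when DENY is selected, while `defaultValue` on the line above the hunk stays "Audit only (recommended)", so a user who picks a deny option gets no warning from the UI about why audit is the only supported mode. Whether a Deny choice is still offered cannot be confirmed here, because the `constraints`/`allowedValues` block of the `enablePrivateSubnet` control continues past the end of the hunk. If Deny remains an allowed value, keep a shortened caveat in the new toolTip, e.g. append `Audit is recommended; selecting Deny may currently prevent the ALZ deployment from completing.` before the "Uses the policy" sentence, or remove the Deny option from allowedValues until the deployment supports it. Either way the portal text should match what the assignment template actually enforces, since the assignment file is named ENFORCE-* and its displayName is "Subnets should be private".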