From 64ff154ba044c6fd5fa72e774fb1591744852742 Mon Sep 17 00:00:00 2001
From: James Douglas <102178210+awsjdgls@users.noreply.github.com>
Date: Tue, 20 Dec 2022 09:33:24 -0700
Subject: [PATCH 1/8] WIP: Add reverse proxy example

This is a version of `howto-alb` that assumes one of the backends runs
HTTPS.

HTTPS is not a supported listener protocol (see **Listener
configuration** in the [Virtual nodes][1] section of the user guide),
but we can work around this by using a reverse proxy to hide it behind
an HTTP endpoint exposed via an additional container within the same
task.

TODO:

* [ ] Drop the unneeded v1 backend, load balancer, etc.
* [ ] Drop the v1 backend from the readme
* [ ] Document how the reverse proxy works in the readme

[1]: https://docs.aws.amazon.com/app-mesh/latest/userguide/virtual_nodes.html
---
 walkthroughs/howto-proxy/README.md            |  35 +
 walkthroughs/howto-proxy/app.yaml             | 742 ++++++++++++++++++
 walkthroughs/howto-proxy/colorapp/Dockerfile  |  17 +
 walkthroughs/howto-proxy/colorapp/app.py      |  29 +
 walkthroughs/howto-proxy/colorapp/config.py   |  12 +
 .../howto-proxy/colorapp/requirements.txt     |   3 +
 .../howto-proxy/colorappssl/Dockerfile        |  23 +
 walkthroughs/howto-proxy/colorappssl/app.py   |  29 +
 .../howto-proxy/colorappssl/config.py         |  12 +
 .../howto-proxy/colorappssl/requirements.txt  |   3 +
 .../howto-proxy/colornginx/Dockerfile         |   5 +
 .../howto-proxy/colornginx/default.conf       |  12 +
 .../howto-proxy/colorproxy/Dockerfile         |   5 +
 .../howto-proxy/colorproxy/default.conf       |  13 +
 walkthroughs/howto-proxy/deploy.sh            | 131 ++++
 walkthroughs/howto-proxy/feapp/Dockerfile     |  17 +
 walkthroughs/howto-proxy/feapp/app.py         |  28 +
 walkthroughs/howto-proxy/feapp/config.py      |  12 +
 .../howto-proxy/feapp/requirements.txt        |   4 +
 walkthroughs/howto-proxy/howto-alb.png        | Bin 0 -> 29618 bytes
 walkthroughs/howto-proxy/infra.yaml           | 289 +++++++
 21 files changed, 1421 insertions(+)
 create mode 100644 walkthroughs/howto-proxy/README.md
 create mode 100644 walkthroughs/howto-proxy/app.yaml
 create mode 100644 walkthroughs/howto-proxy/colorapp/Dockerfile
 create mode 100755 walkthroughs/howto-proxy/colorapp/app.py
 create mode 100644 walkthroughs/howto-proxy/colorapp/config.py
 create mode 100644 walkthroughs/howto-proxy/colorapp/requirements.txt
 create mode 100644 walkthroughs/howto-proxy/colorappssl/Dockerfile
 create mode 100755 walkthroughs/howto-proxy/colorappssl/app.py
 create mode 100644 walkthroughs/howto-proxy/colorappssl/config.py
 create mode 100644 walkthroughs/howto-proxy/colorappssl/requirements.txt
 create mode 100644 walkthroughs/howto-proxy/colornginx/Dockerfile
 create mode 100644 walkthroughs/howto-proxy/colornginx/default.conf
 create mode 100644 walkthroughs/howto-proxy/colorproxy/Dockerfile
 create mode 100644 walkthroughs/howto-proxy/colorproxy/default.conf
 create mode 100755 walkthroughs/howto-proxy/deploy.sh
 create mode 100644 walkthroughs/howto-proxy/feapp/Dockerfile
 create mode 100755 walkthroughs/howto-proxy/feapp/app.py
 create mode 100644 walkthroughs/howto-proxy/feapp/config.py
 create mode 100644 walkthroughs/howto-proxy/feapp/requirements.txt
 create mode 100644 walkthroughs/howto-proxy/howto-alb.png
 create mode 100644 walkthroughs/howto-proxy/infra.yaml

diff --git a/walkthroughs/howto-proxy/README.md b/walkthroughs/howto-proxy/README.md
new file mode 100644
index 00000000..907310c6
--- /dev/null
+++ b/walkthroughs/howto-proxy/README.md
@@ -0,0 +1,35 @@
+## Overview
+This example shows how services that are behind ALB can be accessed by clients using Envoy with the help of App Mesh.
+
+![System Diagram](./howto-alb.png "System Diagram")
+
+### Backend
+There are two versions of Backend, V1 that is registered behind internal ALB and V2 that is registered under a CloudMap service (backend-v2.howto-alb.pvt.local). Additionally, there is a Route53 hosted zone (howto-alb.hosted.local) with a alias target to V1 ALB's DNS name (backend.howto-alb.hosted.local).
+
+V1 is registered as a virtual-node with service-discovery set to DNS (ALB's DNS). V2 on the otherhand is registered as a virtual-node with CloudMap service-discovery. Backend is registered as a virtual-service (name: backend.howto-alb.hosted.local) with router that routes to V1 and V2.
+
+### Frontend
+Frontend app is ECS service that runs in private subnet behind internet-facing ALB. Frontend is registered with App Mesh as virtual-node with backends set to Backend's virtual-service. Frontend is deployed with Envoy sidecar that communicates with Backend.
+
+## Prerequisites
+1. Install Docker. It is needed to build the demo application images.
+
+## Setup
+
+1. Clone this repository and navigate to the walkthrough/howto-alb folder, all commands will be ran from this location
+2. **Your** account id:
+    ```
+    export AWS_ACCOUNT_ID=<your_account_id>
+    ```
+3. **Region** e.g. us-west-2
+    ```
+    export AWS_DEFAULT_REGION=us-west-2
+    ```
+4. **ENVOY_IMAGE** environment variable is not set to App Mesh Envoy, see https://docs.aws.amazon.com/app-mesh/latest/userguide/envoy.html
+    ```
+    export ENVOY_IMAGE=...
+    ```
+5. Setup using cloudformation
+    ```
+    ./deploy.sh
+    ```
diff --git a/walkthroughs/howto-proxy/app.yaml b/walkthroughs/howto-proxy/app.yaml
new file mode 100644
index 00000000..ee0bf66a
--- /dev/null
+++ b/walkthroughs/howto-proxy/app.yaml
@@ -0,0 +1,742 @@
+Parameters:
+  ProjectName:
+    Type: String
+    Description: Project name to link stacks
+
+  AppMeshXdsEndpoint:
+    Type: String
+    Description: App Mesh XDS Endpoint Override
+    Default: ""
+
+  EnvoyImage:
+    Type: String
+    Description: Envoy container image
+
+  FrontAppImage:
+    Type: String
+    Description: Front app container image
+
+  ColorAppImage:
+    Type: String
+    Description: Color app container image
+
+  ContainerPort:
+    Type: Number
+    Description: Port number to use for applications
+    Default: 8080
+
+  ColorProxyImage:
+    Type: String
+    Description: Color proxy container image
+
+  ColorAppSslImage:
+    Type: String
+    Description: Color app ssl container image
+
+Resources:
+
+  TaskSecurityGroup:
+    Type: AWS::EC2::SecurityGroup
+    Properties:
+      GroupDescription: "Security group for the tasks"
+      VpcId:
+        Fn::ImportValue: !Sub '${ProjectName}:VPC'
+      SecurityGroupIngress:
+        - CidrIp:
+            Fn::ImportValue: !Sub '${ProjectName}:VpcCIDR'
+          IpProtocol: -1
+
+  LogGroup:
+    Type: AWS::Logs::LogGroup
+    Properties:
+      LogGroupName: !Sub '${ProjectName}-log-group'
+      RetentionInDays: 30
+
+  TaskIamRole:
+    Type: AWS::IAM::Role
+    Properties:
+      Path: /
+      AssumeRolePolicyDocument: |
+        {
+            "Statement": [{
+                "Effect": "Allow",
+                "Principal": { "Service": [ "ecs-tasks.amazonaws.com" ]},
+                "Action": [ "sts:AssumeRole" ]
+            }]
+        }
+      ManagedPolicyArns:
+        - arn:aws:iam::aws:policy/CloudWatchFullAccess
+        - arn:aws:iam::aws:policy/AWSXRayDaemonWriteAccess
+        - arn:aws:iam::aws:policy/AWSAppMeshEnvoyAccess
+
+  TaskExecutionIamRole:
+    Type: AWS::IAM::Role
+    Properties:
+      Path: /
+      AssumeRolePolicyDocument: |
+        {
+            "Statement": [{
+                "Effect": "Allow",
+                "Principal": { "Service": [ "ecs-tasks.amazonaws.com" ]},
+                "Action": [ "sts:AssumeRole" ]
+            }]
+        }
+      ManagedPolicyArns:
+        - arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly
+        - arn:aws:iam::aws:policy/CloudWatchLogsFullAccess
+
+  BackendRecordSet:
+    Type: AWS::Route53::RecordSet
+    DependsOn:
+      - BackendV1LoadBalancer
+    Properties:
+      AliasTarget:
+        HostedZoneId: !GetAtt 'BackendV1LoadBalancer.CanonicalHostedZoneID'
+        DNSName: !GetAtt 'BackendV1LoadBalancer.DNSName'
+      HostedZoneId:
+        Fn::ImportValue:
+          !Sub '${ProjectName}:DnsHostedZoneId'
+      Name:
+        Fn::Join:
+          - '.'
+          -
+            - backend
+            - Fn::ImportValue:
+                !Sub '${ProjectName}:DnsHostedZoneName'
+      Type: A
+
+  # Backend V1 behind ALB
+  BackendV1LoadBalancer:
+    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
+    Properties:
+      Scheme: internal
+      LoadBalancerAttributes:
+        - Key: idle_timeout.timeout_seconds
+          Value: '30'
+      Subnets:
+        - Fn::ImportValue:
+            !Sub '${ProjectName}:PrivateSubnet1'
+        - Fn::ImportValue:
+            !Sub '${ProjectName}:PrivateSubnet2'
+      SecurityGroups:
+        - !Ref TaskSecurityGroup
+
+  BackendV1TargetGroup:
+    Type: AWS::ElasticLoadBalancingV2::TargetGroup
+    Properties:
+      HealthCheckIntervalSeconds: 60
+      HealthCheckPath: '/ping'
+      HealthCheckProtocol: HTTP
+      HealthCheckTimeoutSeconds: 5
+      HealthyThresholdCount: 2
+      TargetType: ip
+      Name: !Sub '${ProjectName}-backendtarget'
+      Port: !Ref ContainerPort
+      Protocol: HTTP
+      UnhealthyThresholdCount: 2
+      TargetGroupAttributes:
+        - Key: deregistration_delay.timeout_seconds
+          Value: 120
+      VpcId:
+        Fn::ImportValue:
+          !Sub "${ProjectName}:VPC"
+
+  BackendV1LoadBalancerListener:
+    DependsOn:
+      - BackendV1LoadBalancer
+    Type: AWS::ElasticLoadBalancingV2::Listener
+    Properties:
+      DefaultActions:
+        - TargetGroupArn: !Ref BackendV1TargetGroup
+          Type: 'forward'
+      LoadBalancerArn: !Ref BackendV1LoadBalancer
+      Port: !Ref ContainerPort
+      Protocol: HTTP
+
+  BackendV1LoadBalancerRule:
+    Type: AWS::ElasticLoadBalancingV2::ListenerRule
+    Properties:
+      Actions:
+        - TargetGroupArn: !Ref BackendV1TargetGroup
+          Type: 'forward'
+      Conditions:
+        - Field: path-pattern
+          Values:
+            - '*'
+      ListenerArn: !Ref BackendV1LoadBalancerListener
+      Priority: 1
+
+  BackendV1TaskDef:
+    Type: AWS::ECS::TaskDefinition
+    Properties:
+      RequiresCompatibilities:
+        - 'FARGATE'
+      Family: 'blue'
+      NetworkMode: 'awsvpc'
+      Cpu: 256
+      Memory: 512
+      TaskRoleArn: !Ref TaskIamRole
+      ExecutionRoleArn: !Ref TaskExecutionIamRole
+      ContainerDefinitions:
+        - Name: 'app'
+          Image: !Ref ColorAppImage
+          Essential: true
+          DependsOn:
+            - ContainerName: 'xray'
+              Condition: 'START'
+          LogConfiguration:
+            LogDriver: 'awslogs'
+            Options:
+              awslogs-group: !Sub ${ProjectName}-log-group
+              awslogs-region: !Ref AWS::Region
+              awslogs-stream-prefix: 'backend-v1'
+          PortMappings:
+            - ContainerPort: !Ref ContainerPort
+              HostPort: !Ref ContainerPort
+              Protocol: 'tcp'
+          Environment:
+            - Name: COLOR
+              Value: 'blue'
+            - Name: PORT
+              Value: !Sub '${ContainerPort}'
+            - Name: XRAY_APP_NAME
+              Value:
+                Fn::Join:
+                  - ''
+                  -
+                    - Fn::ImportValue:
+                        !Sub '${ProjectName}:Mesh'
+                    - '/'
+                    - !GetAtt 'BackendV1VirtualNode.VirtualNodeName'
+        - Name: 'xray'
+          Image: "public.ecr.aws/xray/aws-xray-daemon"
+          Essential: true
+          User: '1337'
+          LogConfiguration:
+            LogDriver: 'awslogs'
+            Options:
+              awslogs-group: !Sub '${ProjectName}-log-group'
+              awslogs-region: !Ref AWS::Region
+              awslogs-stream-prefix: 'front'
+          PortMappings:
+            - ContainerPort: 2000
+              Protocol: 'udp'
+
+  BackendV1Service:
+    Type: AWS::ECS::Service
+    DependsOn:
+      - BackendV1LoadBalancerListener
+    Properties:
+      Cluster:
+        Fn::ImportValue:
+          !Sub "${ProjectName}:ECSCluster"
+      DeploymentConfiguration:
+        MaximumPercent: 200
+        MinimumHealthyPercent: 100
+      DesiredCount: 1
+      LaunchType: 'FARGATE'
+      LoadBalancers:
+        - ContainerName: app
+          ContainerPort: !Ref ContainerPort
+          TargetGroupArn: !Ref BackendV1TargetGroup
+      NetworkConfiguration:
+        AwsvpcConfiguration:
+          AssignPublicIp: DISABLED
+          SecurityGroups:
+            - !Ref TaskSecurityGroup
+          Subnets:
+            - Fn::ImportValue:
+                !Sub '${ProjectName}:PrivateSubnet1'
+            - Fn::ImportValue:
+                !Sub '${ProjectName}:PrivateSubnet2'
+      TaskDefinition: !Ref BackendV1TaskDef
+
+  # Backend V2 with CloudMap service registry
+  BackendV2ServiceRegistry:
+    Type: AWS::ServiceDiscovery::Service
+    Properties:
+      Name: 'backend-v2'
+      DnsConfig:
+        NamespaceId:
+          Fn::ImportValue:
+            !Sub '${ProjectName}:DnsNamespaceId'
+        DnsRecords:
+          - Type: A
+            TTL: 300
+      HealthCheckCustomConfig:
+        FailureThreshold: 1
+
+  BackendV2TaskDef:
+    Type: AWS::ECS::TaskDefinition
+    Properties:
+      RequiresCompatibilities:
+        - 'FARGATE'
+      Family: 'green'
+      NetworkMode: 'awsvpc'
+      Cpu: 256
+      Memory: 512
+      TaskRoleArn: !Ref TaskIamRole
+      ExecutionRoleArn: !Ref TaskExecutionIamRole
+      ContainerDefinitions:
+        - Name: 'app'
+          Image: !Ref ColorProxyImage
+          Essential: true
+          DependsOn:
+            - ContainerName: 'envoy'
+              Condition: 'HEALTHY'
+          LogConfiguration:
+            LogDriver: 'awslogs'
+            Options:
+              awslogs-group: !Sub ${ProjectName}-log-group
+              awslogs-region: !Ref AWS::Region
+              awslogs-stream-prefix: 'backend-v2'
+          PortMappings:
+            - ContainerPort: !Ref ContainerPort
+              HostPort: !Ref ContainerPort
+              Protocol: 'tcp'
+          Environment:
+            - Name: COLOR
+              Value: 'green'
+            - Name: PORT
+              Value: !Sub '${ContainerPort}'
+        - Name: 'colorappssl'
+          Image: !Ref ColorAppSslImage
+          Essential: false
+          DependsOn:
+            - ContainerName: 'envoy'
+              Condition: 'HEALTHY'
+          LogConfiguration:
+            LogDriver: 'awslogs'
+            Options:
+              awslogs-group: !Sub ${ProjectName}-log-group
+              awslogs-region: !Ref AWS::Region
+              awslogs-stream-prefix: 'backend-v2'
+          PortMappings:
+            - ContainerPort: 8443
+              HostPort: 8443
+              Protocol: 'tcp'
+          Environment:
+            - Name: COLOR
+              Value: 'green'
+            - Name: PORT
+              Value: 8443
+        - Name: envoy
+          Image: !Ref EnvoyImage
+          Essential: true
+          User: '1337'
+          Ulimits:
+            - Name: "nofile"
+              HardLimit: 15000
+              SoftLimit: 15000
+          PortMappings:
+            - ContainerPort: 9901
+              Protocol: 'tcp'
+            - ContainerPort: 15000
+              Protocol: 'tcp'
+            - ContainerPort: 15001
+              Protocol: 'tcp'
+          HealthCheck:
+            Command:
+              - 'CMD-SHELL'
+              - 'curl -s http://localhost:9901/server_info | grep state | grep -q LIVE'
+            Interval: 5
+            Timeout: 10
+            Retries: 10
+          LogConfiguration:
+            LogDriver: 'awslogs'
+            Options:
+              awslogs-group: !Sub '${ProjectName}-log-group'
+              awslogs-region: !Ref AWS::Region
+              awslogs-stream-prefix: 'backend-v2'
+          Environment:
+            - Name: 'ENVOY_LOG_LEVEL'
+              Value: 'debug'
+            - Name: 'ENABLE_ENVOY_STATS_TAGS'
+              Value: '1'
+            - Name: 'APPMESH_VIRTUAL_NODE_NAME'
+              Value:
+                Fn::Join:
+                  - ''
+                  -
+                    - 'mesh/'
+                    - Fn::ImportValue:
+                        !Sub '${ProjectName}:Mesh'
+                    - '/virtualNode/'
+                    - !GetAtt 'BackendV2VirtualNode.VirtualNodeName'
+
+  BackendV2Service:
+    Type: AWS::ECS::Service
+    DependsOn:
+      - BackendV2ServiceRegistry
+    Properties:
+      Cluster:
+        Fn::ImportValue:
+          !Sub "${ProjectName}:ECSCluster"
+      DeploymentConfiguration:
+        MaximumPercent: 200
+        MinimumHealthyPercent: 100
+      DesiredCount: 1
+      LaunchType: 'FARGATE'
+      ServiceRegistries:
+        - RegistryArn: !GetAtt 'BackendV2ServiceRegistry.Arn'
+      NetworkConfiguration:
+        AwsvpcConfiguration:
+          AssignPublicIp: DISABLED
+          SecurityGroups:
+            - !Ref TaskSecurityGroup
+          Subnets:
+            - Fn::ImportValue:
+               !Sub '${ProjectName}:PrivateSubnet1'
+            - Fn::ImportValue:
+                !Sub '${ProjectName}:PrivateSubnet2'
+      TaskDefinition: !Ref BackendV2TaskDef
+
+  # Backend exposed in mesh as virtual-service
+  BackendV1VirtualNode:
+    Type: AWS::AppMesh::VirtualNode
+    Properties:
+      MeshName:
+        Fn::ImportValue:
+          !Sub '${ProjectName}:Mesh'
+      VirtualNodeName: !Sub '${ProjectName}-backend-v1-node'
+      Spec:
+        Listeners:
+          - PortMapping:
+              Port: !Ref ContainerPort
+              Protocol: http
+        ServiceDiscovery:
+          DNS:
+            Hostname: !GetAtt BackendV1LoadBalancer.DNSName
+
+  BackendV2VirtualNode:
+    Type: AWS::AppMesh::VirtualNode
+    Properties:
+      MeshName:
+        Fn::ImportValue:
+          !Sub '${ProjectName}:Mesh'
+      VirtualNodeName: !Sub '${ProjectName}-backend-v2-node'
+      Spec:
+        Listeners:
+          - PortMapping:
+              Port: !Ref ContainerPort
+              Protocol: http
+        ServiceDiscovery:
+          AWSCloudMap:
+            NamespaceName:
+              Fn::ImportValue:
+                !Sub '${ProjectName}:DnsNamespaceName'
+            ServiceName: !GetAtt BackendV2ServiceRegistry.Name
+            Attributes:
+              - Key: 'ECS_TASK_DEFINITION_FAMILY'
+                Value: 'green'
+
+  BackendVirtualService:
+    Type: AWS::AppMesh::VirtualService
+    DependsOn:
+      - BackendVirtualRouter
+    Properties:
+      MeshName:
+        Fn::ImportValue:
+          !Sub '${ProjectName}:Mesh'
+      VirtualServiceName: !Ref BackendRecordSet
+      Spec:
+        Provider:
+          VirtualRouter:
+            VirtualRouterName: !GetAtt BackendVirtualRouter.VirtualRouterName
+
+  BackendVirtualRouter:
+    Type: AWS::AppMesh::VirtualRouter
+    Properties:
+      MeshName:
+        Fn::ImportValue:
+          !Sub '${ProjectName}:Mesh'
+      VirtualRouterName: !Sub '${ProjectName}-backend-router'
+      Spec:
+        Listeners:
+          - PortMapping:
+              Port: !Ref ContainerPort
+              Protocol: http
+
+  BackendRoute:
+    Type: AWS::AppMesh::Route
+    DependsOn:
+      - BackendVirtualRouter
+      - BackendV1VirtualNode
+      - BackendV2VirtualNode
+    Properties:
+      MeshName:
+        Fn::ImportValue:
+          !Sub '${ProjectName}:Mesh'
+      VirtualRouterName: !GetAtt BackendVirtualRouter.VirtualRouterName
+      RouteName: !Sub '${ProjectName}-backend-route'
+      Spec:
+        HttpRoute:
+          Match:
+            Prefix: '/'
+          Action:
+            WeightedTargets:
+              - VirtualNode: !GetAtt BackendV1VirtualNode.VirtualNodeName
+                Weight: 0
+              - VirtualNode: !GetAtt BackendV2VirtualNode.VirtualNodeName
+                Weight: 100
+
+  # Frontend
+  SecurityGroupIngressFromPublicALB:
+    Type: AWS::EC2::SecurityGroupIngress
+    Properties:
+      Description: Ingress from the public ALB
+      GroupId: !Ref TaskSecurityGroup
+      IpProtocol: -1
+      SourceSecurityGroupId: !Ref PublicLoadBalancerSecurityGroup
+
+  PublicLoadBalancerSecurityGroup:
+    Type: AWS::EC2::SecurityGroup
+    Properties:
+      GroupDescription: 'Access to the public facing load balancer'
+      VpcId:
+        Fn::ImportValue:
+          !Sub "${ProjectName}:VPC"
+      SecurityGroupIngress:
+        - CidrIp: 0.0.0.0/0
+          IpProtocol: tcp
+          FromPort: 80
+          ToPort: 80
+
+  PublicLoadBalancer:
+    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
+    Properties:
+      Scheme: internet-facing
+      LoadBalancerAttributes:
+        - Key: idle_timeout.timeout_seconds
+          Value: '30'
+      Subnets:
+        - Fn::ImportValue:
+            !Sub '${ProjectName}:PublicSubnet1'
+        - Fn::ImportValue:
+            !Sub '${ProjectName}:PublicSubnet2'
+      SecurityGroups:
+        - !Ref PublicLoadBalancerSecurityGroup
+
+  WebTargetGroup:
+    Type: AWS::ElasticLoadBalancingV2::TargetGroup
+    Properties:
+      HealthCheckIntervalSeconds: 60
+      HealthCheckPath: '/ping'
+      HealthCheckProtocol: HTTP
+      HealthCheckTimeoutSeconds: 5
+      HealthyThresholdCount: 2
+      TargetType: ip
+      Name: !Sub '${ProjectName}-webtarget'
+      Port: 80
+      Protocol: HTTP
+      UnhealthyThresholdCount: 2
+      TargetGroupAttributes:
+        - Key: deregistration_delay.timeout_seconds
+          Value: 120
+      VpcId:
+        Fn::ImportValue:
+          !Sub "${ProjectName}:VPC"
+
+  PublicLoadBalancerListener:
+    DependsOn:
+      - PublicLoadBalancer
+    Type: AWS::ElasticLoadBalancingV2::Listener
+    Properties:
+      DefaultActions:
+        - TargetGroupArn: !Ref WebTargetGroup
+          Type: 'forward'
+      LoadBalancerArn: !Ref PublicLoadBalancer
+      Port: 80
+      Protocol: HTTP
+
+  WebLoadBalancerRule:
+    Type: AWS::ElasticLoadBalancingV2::ListenerRule
+    Properties:
+      Actions:
+        - TargetGroupArn: !Ref WebTargetGroup
+          Type: 'forward'
+      Conditions:
+        - Field: path-pattern
+          Values:
+            - '*'
+      ListenerArn: !Ref PublicLoadBalancerListener
+      Priority: 1
+
+  FrontVirtualNode:
+    Type: AWS::AppMesh::VirtualNode
+    DependsOn:
+      - BackendVirtualService
+    Properties:
+      MeshName:
+        Fn::ImportValue:
+          !Sub '${ProjectName}:Mesh'
+      VirtualNodeName: !Sub "${ProjectName}-front-node"
+      Spec:
+        Listeners:
+          - PortMapping:
+              Port: !Sub '${ContainerPort}'
+              Protocol: http
+        ServiceDiscovery:
+          DNS:
+            Hostname: !GetAtt PublicLoadBalancer.DNSName
+        Backends:
+          - VirtualService:
+              VirtualServiceName: !GetAtt 'BackendVirtualService.VirtualServiceName'
+
+  FrontTaskDef:
+    Type: AWS::ECS::TaskDefinition
+    DependsOn:
+      - BackendVirtualService
+      - FrontVirtualNode
+    Properties:
+      RequiresCompatibilities:
+        - 'FARGATE'
+      Family: 'front'
+      NetworkMode: 'awsvpc'
+      Cpu: 256
+      Memory: 512
+      TaskRoleArn: !Ref TaskIamRole
+      ExecutionRoleArn: !Ref TaskExecutionIamRole
+      ProxyConfiguration:
+        Type: 'APPMESH'
+        ContainerName: 'envoy'
+        ProxyConfigurationProperties:
+          - Name: 'IgnoredUID'
+            Value: '1337'
+          - Name: 'ProxyIngressPort'
+            Value: '15000'
+          - Name: 'ProxyEgressPort'
+            Value: '15001'
+          - Name: 'AppPorts'
+            Value: !Sub '${ContainerPort}'
+          - Name: 'EgressIgnoredIPs'
+            Value: '169.254.170.2,169.254.169.254'
+      ContainerDefinitions:
+        - Name: 'app'
+          Image: !Ref FrontAppImage
+          Essential: true
+          LogConfiguration:
+            LogDriver: 'awslogs'
+            Options:
+              awslogs-group: !Sub '${ProjectName}-log-group'
+              awslogs-region: !Ref AWS::Region
+              awslogs-stream-prefix: 'front'
+          PortMappings:
+            - ContainerPort: !Ref ContainerPort
+              Protocol: 'tcp'
+          DependsOn:
+            - ContainerName: 'envoy'
+              Condition: 'HEALTHY'
+            - ContainerName: 'xray'
+              Condition: 'START'
+          Environment:
+            - Name: 'COLOR_HOST'
+              Value: !Join ['', [!GetAtt 'BackendVirtualService.VirtualServiceName', ':', !Sub '${ContainerPort}']]
+            - Name: PORT
+              Value: !Sub '${ContainerPort}'
+            - Name: XRAY_APP_NAME
+              Value:
+                Fn::Join:
+                  - ''
+                  -
+                    - Fn::ImportValue:
+                        !Sub '${ProjectName}:Mesh'
+                    - '/'
+                    - !GetAtt 'FrontVirtualNode.VirtualNodeName'
+        - Name: 'xray'
+          Image: "public.ecr.aws/xray/aws-xray-daemon"
+          Essential: true
+          User: '1337'
+          LogConfiguration:
+            LogDriver: 'awslogs'
+            Options:
+              awslogs-group: !Sub '${ProjectName}-log-group'
+              awslogs-region: !Ref AWS::Region
+              awslogs-stream-prefix: 'front'
+          PortMappings:
+            - ContainerPort: 2000
+              Protocol: 'udp'
+        - Name: envoy
+          Image: !Ref EnvoyImage
+          Essential: true
+          User: '1337'
+          DependsOn:
+            - ContainerName: 'xray'
+              Condition: 'START'
+          Ulimits:
+            - Name: "nofile"
+              HardLimit: 15000
+              SoftLimit: 15000
+          PortMappings:
+            - ContainerPort: 9901
+              Protocol: 'tcp'
+            - ContainerPort: 15000
+              Protocol: 'tcp'
+            - ContainerPort: 15001
+              Protocol: 'tcp'
+          HealthCheck:
+            Command:
+              - 'CMD-SHELL'
+              - 'curl -s http://localhost:9901/server_info | grep state | grep -q LIVE'
+            Interval: 5
+            Timeout: 10
+            Retries: 10
+          LogConfiguration:
+            LogDriver: 'awslogs'
+            Options:
+              awslogs-group: !Sub '${ProjectName}-log-group'
+              awslogs-region: !Ref AWS::Region
+              awslogs-stream-prefix: 'front'
+          Environment:
+            - Name: 'ENVOY_LOG_LEVEL'
+              Value: 'debug'
+            - Name: 'ENABLE_ENVOY_XRAY_TRACING'
+              Value: '1'
+            - Name: 'ENABLE_ENVOY_STATS_TAGS'
+              Value: '1'
+            - Name: 'APPMESH_VIRTUAL_NODE_NAME'
+              Value:
+                Fn::Join:
+                  - ''
+                  -
+                    - 'mesh/'
+                    - Fn::ImportValue:
+                        !Sub '${ProjectName}:Mesh'
+                    - '/virtualNode/'
+                    - !GetAtt 'FrontVirtualNode.VirtualNodeName'
+
+  FrontService:
+    Type: AWS::ECS::Service
+    DependsOn:
+      - WebLoadBalancerRule
+    Properties:
+      Cluster:
+        Fn::ImportValue:
+          !Sub "${ProjectName}:ECSCluster"
+      DeploymentConfiguration:
+        MaximumPercent: 200
+        MinimumHealthyPercent: 100
+      DesiredCount: 1
+      LaunchType: 'FARGATE'
+      TaskDefinition: !Ref FrontTaskDef
+      LoadBalancers:
+        - ContainerName: app
+          ContainerPort: !Ref ContainerPort
+          TargetGroupArn: !Ref WebTargetGroup
+      NetworkConfiguration:
+        AwsvpcConfiguration:
+          AssignPublicIp: DISABLED
+          SecurityGroups:
+            - !Ref TaskSecurityGroup
+          Subnets:
+            - Fn::ImportValue:
+                !Sub '${ProjectName}:PrivateSubnet1'
+            - Fn::ImportValue:
+                !Sub '${ProjectName}:PrivateSubnet2'
+
+Outputs:
+  FrontEndpoint:
+    Description: 'Public endpoint for Front service'
+    Value: !Join ['', ['http://', !GetAtt 'PublicLoadBalancer.DNSName']]
+    Export:
+      Name: !Sub "${ProjectName}:FrontEndpoint"
diff --git a/walkthroughs/howto-proxy/colorapp/Dockerfile b/walkthroughs/howto-proxy/colorapp/Dockerfile
new file mode 100644
index 00000000..e25684b5
--- /dev/null
+++ b/walkthroughs/howto-proxy/colorapp/Dockerfile
@@ -0,0 +1,17 @@
+FROM public.ecr.aws/amazonlinux/amazonlinux:2
+
+COPY requirements.txt ./
+
+RUN yum update -y && \
+    yum install -y python3 && \
+    pip3 install --no-cache-dir -r requirements.txt && \
+    yum clean all && \
+    rm -rf /var/cache/yum
+
+WORKDIR /usr/src/app
+
+COPY . .
+
+ENV PORT 8080
+
+CMD ["gunicorn", "app:app", "--config=config.py"]
\ No newline at end of file
diff --git a/walkthroughs/howto-proxy/colorapp/app.py b/walkthroughs/howto-proxy/colorapp/app.py
new file mode 100755
index 00000000..e8ae3807
--- /dev/null
+++ b/walkthroughs/howto-proxy/colorapp/app.py
@@ -0,0 +1,29 @@
+import os
+import config
+from flask import Flask, request
+from aws_xray_sdk.core import patch_all, xray_recorder
+from aws_xray_sdk.ext.flask.middleware import XRayMiddleware
+
+app = Flask(__name__)
+
+xray_recorder.configure(
+    context_missing='LOG_ERROR',
+    service=config.XRAY_APP_NAME,
+)
+patch_all()
+
+XRayMiddleware(app, xray_recorder)
+
+@app.route('/ping')
+def ping():
+    return 'Pong'
+
+@app.route('/')
+def color():
+    print('----------------')
+    print(request.headers)
+    print('----------------')
+    return config.COLOR
+
+if __name__ == '__main__':
+    app.run(host='0.0.0.0', port=config.PORT, debug=config.DEBUG_MODE)
\ No newline at end of file
diff --git a/walkthroughs/howto-proxy/colorapp/config.py b/walkthroughs/howto-proxy/colorapp/config.py
new file mode 100644
index 00000000..d8606440
--- /dev/null
+++ b/walkthroughs/howto-proxy/colorapp/config.py
@@ -0,0 +1,12 @@
+from os import environ as env
+import multiprocessing
+
+PORT = int(env.get("PORT", 8080))
+DEBUG_MODE = int(env.get("DEBUG_MODE", 0))
+XRAY_APP_NAME = env.get('XRAY_APP_NAME', 'feapp')
+COLOR = env.get('COLOR', 'n/a')
+
+# Gunicorn config
+bind = ":" + str(PORT)
+workers = multiprocessing.cpu_count() * 2 + 1
+threads = 2 * multiprocessing.cpu_count()
\ No newline at end of file
diff --git a/walkthroughs/howto-proxy/colorapp/requirements.txt b/walkthroughs/howto-proxy/colorapp/requirements.txt
new file mode 100644
index 00000000..47f05a04
--- /dev/null
+++ b/walkthroughs/howto-proxy/colorapp/requirements.txt
@@ -0,0 +1,3 @@
+flask
+aws-xray-sdk
+gunicorn==19.9.0
diff --git a/walkthroughs/howto-proxy/colorappssl/Dockerfile b/walkthroughs/howto-proxy/colorappssl/Dockerfile
new file mode 100644
index 00000000..ff8c4792
--- /dev/null
+++ b/walkthroughs/howto-proxy/colorappssl/Dockerfile
@@ -0,0 +1,23 @@
+FROM public.ecr.aws/amazonlinux/amazonlinux:2
+
+COPY requirements.txt ./
+
+RUN yum update -y && \
+    yum install -y python3 && \
+    pip3 install --no-cache-dir -r requirements.txt && \
+    yum clean all && \
+    rm -rf /var/cache/yum
+
+WORKDIR /usr/src/app
+
+RUN yum install -y openssl && \
+    openssl req -x509 -nodes -days 365 \
+    -subj  "/C=CA/ST=QC/O=Company Inc/CN=example.com" \
+     -newkey rsa:2048 -keyout key.pem \
+     -out cert.pem;
+
+COPY . .
+
+ENV PORT 8443
+
+CMD ["gunicorn", "--certfile", "cert.pem", "--keyfile", "key.pem", "app:app", "--config=config.py"]
diff --git a/walkthroughs/howto-proxy/colorappssl/app.py b/walkthroughs/howto-proxy/colorappssl/app.py
new file mode 100755
index 00000000..b28497dc
--- /dev/null
+++ b/walkthroughs/howto-proxy/colorappssl/app.py
@@ -0,0 +1,29 @@
+import os
+import config
+from flask import Flask, request
+from aws_xray_sdk.core import patch_all, xray_recorder
+from aws_xray_sdk.ext.flask.middleware import XRayMiddleware
+
+app = Flask(__name__)
+
+xray_recorder.configure(
+    context_missing='LOG_ERROR',
+    service=config.XRAY_APP_NAME,
+)
+patch_all()
+
+XRayMiddleware(app, xray_recorder)
+
+@app.route('/ping')
+def ping():
+    return 'Pong'
+
+@app.route('/')
+def color():
+    print('----------------')
+    print(request.headers)
+    print('----------------')
+    return config.COLOR
+
+if __name__ == '__main__':
+    app.run(host='0.0.0.0', port=config.PORT, debug=config.DEBUG_MODE)
diff --git a/walkthroughs/howto-proxy/colorappssl/config.py b/walkthroughs/howto-proxy/colorappssl/config.py
new file mode 100644
index 00000000..68c7a81d
--- /dev/null
+++ b/walkthroughs/howto-proxy/colorappssl/config.py
@@ -0,0 +1,12 @@
+from os import environ as env
+import multiprocessing
+
+PORT = int(env.get("PORT", 8443))
+DEBUG_MODE = int(env.get("DEBUG_MODE", 0))
+XRAY_APP_NAME = env.get('XRAY_APP_NAME', 'feapp')
+COLOR = env.get('COLOR', 'n/a')
+
+# Gunicorn config
+bind = ":" + str(PORT)
+workers = multiprocessing.cpu_count() * 2 + 1
+threads = 2 * multiprocessing.cpu_count()
diff --git a/walkthroughs/howto-proxy/colorappssl/requirements.txt b/walkthroughs/howto-proxy/colorappssl/requirements.txt
new file mode 100644
index 00000000..47f05a04
--- /dev/null
+++ b/walkthroughs/howto-proxy/colorappssl/requirements.txt
@@ -0,0 +1,3 @@
+flask
+aws-xray-sdk
+gunicorn==19.9.0
diff --git a/walkthroughs/howto-proxy/colornginx/Dockerfile b/walkthroughs/howto-proxy/colornginx/Dockerfile
new file mode 100644
index 00000000..6f52e280
--- /dev/null
+++ b/walkthroughs/howto-proxy/colornginx/Dockerfile
@@ -0,0 +1,5 @@
+FROM nginx:latest
+
+EXPOSE 8081
+
+COPY default.conf /etc/nginx/conf.d/
diff --git a/walkthroughs/howto-proxy/colornginx/default.conf b/walkthroughs/howto-proxy/colornginx/default.conf
new file mode 100644
index 00000000..a58e9028
--- /dev/null
+++ b/walkthroughs/howto-proxy/colornginx/default.conf
@@ -0,0 +1,12 @@
+server {
+  listen 8081;
+  server_name colornginx;
+
+  location /ping {
+    return 200 'Pong';
+  }
+
+  location / {
+    return 200 'colornginx';
+  }
+}
diff --git a/walkthroughs/howto-proxy/colorproxy/Dockerfile b/walkthroughs/howto-proxy/colorproxy/Dockerfile
new file mode 100644
index 00000000..70144c5f
--- /dev/null
+++ b/walkthroughs/howto-proxy/colorproxy/Dockerfile
@@ -0,0 +1,5 @@
+FROM nginx:latest
+
+EXPOSE 8080
+
+COPY default.conf /etc/nginx/conf.d/
diff --git a/walkthroughs/howto-proxy/colorproxy/default.conf b/walkthroughs/howto-proxy/colorproxy/default.conf
new file mode 100644
index 00000000..e533f912
--- /dev/null
+++ b/walkthroughs/howto-proxy/colorproxy/default.conf
@@ -0,0 +1,13 @@
+server {
+  listen 8080;
+  server_name colorproxy;
+
+  location /ping {
+    return 200 'Pong';
+  }
+
+  location / {
+    # proxy_pass http://localhost:8081;
+    proxy_pass https://localhost:8443;
+  }
+}
diff --git a/walkthroughs/howto-proxy/deploy.sh b/walkthroughs/howto-proxy/deploy.sh
new file mode 100755
index 00000000..65c7d926
--- /dev/null
+++ b/walkthroughs/howto-proxy/deploy.sh
@@ -0,0 +1,131 @@
+#!/usr/bin/env bash
+
+set -e
+
+if [ -z $AWS_ACCOUNT_ID ]; then
+    echo "AWS_ACCOUNT_ID environment variable is not set."
+    exit 1
+fi
+
+if [ -z $AWS_DEFAULT_REGION ]; then
+    echo "AWS_DEFAULT_REGION environment variable is not set."
+    exit 1
+fi
+
+if [ -z $ENVOY_IMAGE ]; then
+    echo "ENVOY_IMAGE environment variable is not set to App Mesh Envoy, see https://docs.aws.amazon.com/app-mesh/latest/userguide/envoy.html"
+    exit 1
+fi
+
+DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" >/dev/null && pwd)"
+PROJECT_NAME="howto-proxy"
+ECR_URL="${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_DEFAULT_REGION}.amazonaws.com"
+ECR_IMAGE_PREFIX="${ECR_URL}/${PROJECT_NAME}"
+AWS_CLI_VERSION=$(aws --version 2>&1 | cut -d/ -f2 | cut -d. -f1)
+
+ecr_login() {
+    if [ $AWS_CLI_VERSION -gt 1 ]; then
+        aws ecr get-login-password --region ${AWS_DEFAULT_REGION} | \
+            docker login --username AWS --password-stdin ${ECR_URL}
+    else
+        $(aws ecr get-login --no-include-email)
+    fi
+}
+
+deploy_images() {
+    ecr_login
+    for app in colorproxy colorapp colorappssl feapp; do
+        aws ecr describe-repositories --repository-name $PROJECT_NAME/$app >/dev/null 2>&1 || aws ecr create-repository --repository-name $PROJECT_NAME/$app >/dev/null
+        docker build -t ${ECR_IMAGE_PREFIX}/${app} ${DIR}/${app}
+        docker push ${ECR_IMAGE_PREFIX}/${app}
+    done
+}
+
+deploy_infra() {
+    stack_name="${PROJECT_NAME}-infra"
+    aws cloudformation deploy \
+        --no-fail-on-empty-changeset \
+        --stack-name $stack_name\
+        --template-file "${DIR}/infra.yaml" \
+        --capabilities CAPABILITY_IAM \
+        --parameter-overrides "ProjectName=${PROJECT_NAME}"
+}
+
+deploy_app() {
+    aws cloudformation deploy \
+        --no-fail-on-empty-changeset \
+        --stack-name "${PROJECT_NAME}-app" \
+        --template-file "${DIR}/app.yaml" \
+        --capabilities CAPABILITY_IAM \
+        --parameter-overrides "ProjectName=${PROJECT_NAME}" "EnvoyImage=${ENVOY_IMAGE}" "ColorAppSslImage=${ECR_IMAGE_PREFIX}/colorappssl" "ColorAppImage=${ECR_IMAGE_PREFIX}/colorapp" "ColorProxyImage=${ECR_IMAGE_PREFIX}/colorproxy" "FrontAppImage=${ECR_IMAGE_PREFIX}/feapp"
+}
+
+delete_cfn_stack() {
+    stack_name=$1
+    aws cloudformation delete-stack --stack-name $stack_name
+    echo 'Waiting for the stack to be deleted, this may take a few minutes...'
+    aws cloudformation wait stack-delete-complete --stack-name $stack_name
+    echo 'Done'
+}
+
+confirm_service_linked_role() {
+    aws iam get-role --role-name AWSServiceRoleForAppMesh >/dev/null
+    [[ $? -eq 0 ]] ||
+        (echo "Error: no service linked role for App Mesh" && exit 1)
+}
+
+print_endpoint() {
+    echo "Public endpoint:"
+    prefix=$(aws cloudformation describe-stacks \
+        --stack-name="${PROJECT_NAME}-app" \
+        --query="Stacks[0].Outputs[?OutputKey=='FrontEndpoint'].OutputValue" \
+        --output=text)
+    echo "${prefix}/color"
+}
+
+deploy_resources() {
+
+    if [ -z $SKIP_IMAGES ]; then
+        echo "deploy images..."
+        deploy_images
+    fi
+
+    echo "deploy infra..."
+    deploy_infra
+
+    echo "deploy app..."
+    deploy_app
+
+    confirm_service_linked_role
+    print_endpoint
+}
+
+delete_images() {
+    for app in colorproxy colorapp colorappssl feapp; do
+        echo "deleting repository..."
+        aws ecr delete-repository \
+           --repository-name $PROJECT_NAME/$app \
+           --force >/dev/null
+    done
+}
+
+delete_resources() {
+    echo "delete app..."
+    delete_cfn_stack "${PROJECT_NAME}-app"
+
+    echo "delete infra..."
+    delete_cfn_stack "${PROJECT_NAME}-infra"
+
+    echo "delete images..."
+    delete_images
+
+    echo "all resources from this tutorial have been removed"
+}
+
+action=${1:-"deploy"}
+if [ "$action" == "delete" ]; then
+    delete_resources
+    exit 0
+fi
+
+deploy_resources
diff --git a/walkthroughs/howto-proxy/feapp/Dockerfile b/walkthroughs/howto-proxy/feapp/Dockerfile
new file mode 100644
index 00000000..e25684b5
--- /dev/null
+++ b/walkthroughs/howto-proxy/feapp/Dockerfile
@@ -0,0 +1,17 @@
+FROM public.ecr.aws/amazonlinux/amazonlinux:2
+
+COPY requirements.txt ./
+
+RUN yum update -y && \
+    yum install -y python3 && \
+    pip3 install --no-cache-dir -r requirements.txt && \
+    yum clean all && \
+    rm -rf /var/cache/yum
+
+WORKDIR /usr/src/app
+
+COPY . .
+
+ENV PORT 8080
+
+CMD ["gunicorn", "app:app", "--config=config.py"]
\ No newline at end of file
diff --git a/walkthroughs/howto-proxy/feapp/app.py b/walkthroughs/howto-proxy/feapp/app.py
new file mode 100755
index 00000000..b0014a3f
--- /dev/null
+++ b/walkthroughs/howto-proxy/feapp/app.py
@@ -0,0 +1,28 @@
+import os
+import requests
+import config
+from flask import Flask, request
+from aws_xray_sdk.core import xray_recorder, patch_all
+from aws_xray_sdk.ext.flask.middleware import XRayMiddleware
+
+app = Flask(__name__)
+
+xray_recorder.configure(
+    context_missing='LOG_ERROR',
+    service=config.XRAY_APP_NAME,
+)
+patch_all()
+XRayMiddleware(app, xray_recorder)
+
+@app.route('/ping')
+def ping():
+    return 'Pong'
+
+@app.route('/color')
+def color():
+    print(request.headers)
+    response = requests.get(f'http://{config.COLOR_HOST}')
+    return response.text
+
+if __name__ == '__main__':
+    app.run(host='0.0.0.0', port=config.PORT, debug=config.DEBUG_MODE)
\ No newline at end of file
diff --git a/walkthroughs/howto-proxy/feapp/config.py b/walkthroughs/howto-proxy/feapp/config.py
new file mode 100644
index 00000000..a8018e01
--- /dev/null
+++ b/walkthroughs/howto-proxy/feapp/config.py
@@ -0,0 +1,12 @@
+from os import environ as env
+import multiprocessing
+
+PORT = int(env.get("PORT", 8080))
+DEBUG_MODE = int(env.get("DEBUG_MODE", 0))
+XRAY_APP_NAME = env.get('XRAY_APP_NAME', 'feapp')
+COLOR_HOST = env.get('COLOR_HOST')
+
+# Gunicorn config
+bind = ":" + str(PORT)
+workers = multiprocessing.cpu_count() * 2 + 1
+threads = 2 * multiprocessing.cpu_count()
\ No newline at end of file
diff --git a/walkthroughs/howto-proxy/feapp/requirements.txt b/walkthroughs/howto-proxy/feapp/requirements.txt
new file mode 100644
index 00000000..56d7f135
--- /dev/null
+++ b/walkthroughs/howto-proxy/feapp/requirements.txt
@@ -0,0 +1,4 @@
+flask
+requests
+aws-xray-sdk
+gunicorn==19.9.0
diff --git a/walkthroughs/howto-proxy/howto-alb.png b/walkthroughs/howto-proxy/howto-alb.png
new file mode 100644
index 0000000000000000000000000000000000000000..be28b9abcac3398e50893e74a56c8bf2c1fe40fe
GIT binary patch
literal 29618
zcmeFZbySpH)He)>N{Ao`NJtCPN(&MSg0zBkNyktELx-rKbb~ZX*B}i;i*(lv-60Gi
z-SD09*86_eyVm>9_uu!e$F*EubIm#XoU_l)-`-=u3ndu>JW4za3=9I<=Ta&d7+4St
z49qQ@Yv2vO-{(s352mAv%u@_lFZC+;fNTF;%MpA<g8qw%k&tu;Ou@H&rRk)ps32@?
zXTxP^VrOK^<!WOOMq^++b`=JXHl|L7bgnkmwvNKCq71)B2!m(zYi<U*-$R@rq70gf
zFX$xg98Br>x%jvqFo@yN(a}A2FfkKWk&^y19efgHuyAs+7v|=6adF{t;pMV(Fz0^w
z=+PtY2Rz(7Je*(zr=y##lc6i8ts~<<ME=r|GIca|u(Wrww6mo{(={}*gF1;aFrXLu
z_s>83bh0%2ZzWsDKgR+G<VJtP{gCSc_rJ8k)W_(z!YZbYcGgfdc{N*0Co!JKzX$)H
zum4-^pIMT2Huestj*eiO82_Is|MT7dIbPYp(iEHzy^PqyKjZ)ByZ>|i3ky3ZJHTrP
zOJiAECsPNo*q_;dH~4=a@rTx9ZZy082mAiHo8NE2<%r=u=KlAh#qj(GVN4hp5*V^l
zPhPoVt|wo8dv|32QduBz-By5#@B=muz2-Y|PRu~nG>bQK^728^Prp3>ayu|)UOlkv
zw)Wmf)yaERHQ4guOdqOFdoMlhoTq&bHYR!|Di0PNBTIQ5SJqZSlU!`NiEtz^u!!Db
zVAEk>{_o@e^5K7l;D43je=WiPTZ{NiIZbsSE*$GA2G$r+4pjLuVF`Uqa%y{BjOhxg
z0a~&Wm>Zj`Eya@jByx#9>B?mm*y#5vC4WzkS%D-*F=OIHU&Hi1j*%8smHTUr@uD$W
zwSCp8$Nc{o=`=o^*9HH79kQq}OM7|r5xO><`!ZSRjZyC#bE;qQ<|)N4({3y}TNTR*
z5dX9KolbUw??09(#JxS=I~Gf>vuJJZ>^SI{#hY3;oF9~~4rRCLkAX`dvT(#&vPr?h
z1y1hSli64u+v0k!Q-S;PeJP?;Rpk}Utl3FMRJK)L^xT$W<U>wE1gF1+iC>JW>p|5{
zw|p)kiMH@nm1e$WdadQF_++CsTlJ8YB*)O6WD(?M!{tTmySbadVy3C#zAh+dQ(|~8
zu}wVcjw-aNUW)BH#p;xpurBSf-l{vSDD4&Q;;LEa$<N7YXPsF!orWUyY<3nqocBjG
zCeDs`9YY1PfiuP;y03-h^gh;lMAaUrjK)`n)@!(8#@i!N&@Sb!+hT-()6agQ>QJyp
zS1JMP&-<HG6BSd=I;wGI9E>udWw#imM@Nf|Z4RegD#g4`K9CjX!{BVL$9qG{Ht8V(
zC4^!}jhnT*z27dUJ+@k!sI1AkbS)~UoD(;|VJiB>PDjfuhqUXiT5r#{Akt+BQRC&1
z_j_;9Zn2*X`vGG79ow6yX+Lms%2zikXDW<CAGMlP+0-8|lRb;r_||;$pwH)G=%(1w
zY`-7t6&dNN_k?11a1@h;NAx{5_*H{qZot`LRSb9BW$r?w>yDQbo9+)jqHt#~EK~W#
z@*eik?dO+|3U4}JQ1My3cz``Jh@fO>-d)X3t<bTn<ByhE82c|;>DR}etmxzrQ{vcB
zkP@pBqkQmMLbUF1+Cwre(XRfH!@|9t*iwsw^|7W6Sj{Hh9F5P}_NyP|<>dqFIyR)$
zhGdqP^{1Qo-dy!Z^U<jkyk=4{F);&I$#ugWCQPCf83bol+Cnzgi`!@h1SYJbgg06Z
z7D=u!q$-3v1a<M+PF6+hoG1agGh33Sb{@CPcG@BcT`H<$3w5Hy@SSIA{9Ha?WGsi{
zt4?nZ4yCQAs90A8RxTed*5PnIS<Tj|w4Hi4L8AQl7MyP+k}OC&eONJ%B4+I**tAdd
zFxW+sGJ*Pm<zPm%j)2HcQ7nJYV(_yCM5yS2=8zO7v`s)G($sljur-*%xN^q3W}_Ub
zZ#a=DAGa(W;Da_CJ<M;55!NQyZzU{=g-(8^#|byR27{EEA`DA`@??iDB#$bt7_TCW
z3~Cd1)s08^%r+_;&I@y?_{k`=*6?~-G`n6czrQKm&bKYGu)%kY&=)NO2(%0&JlK{@
z`+#F%t;KPEdPpd5@uO{9!1iI3Z&tBw;XR&q@1thgar%$cD%_ow)9zicx`XitS+?i<
z$RZc6xGOz;ob2qSD=8i~jXBBRegI?>6fuko$J%j#+cA-p@E^GAGHGbwwI4%3^H_*f
zDhj_$AW?f%I)pOD!LFnCBdzxxW~Lv!Pomx^#`Cnm8ZJ)y;Rwps@hD|6ORGZm52gx{
z)T19Uu<_!6*_=b%ee_X6pG0W=Tl4zaZXY2p@8y1x&lnzi0g;)CmGe&u^Q3`-Ozyn=
z{EhT5u@a<#&y+tQt*x+9p!NvdWy`i^qe5r!(K_TH$1Kx|Y{idU|Fdw>Jt-c}othRh
z9h1HEhi*mnCwY1<Q_wm2YuBmmB|2$E{*55g3UT>958M&?!ONJKAeuXtmeM5j+zQ2M
z9#ND|=2mGaw8d!^;e$!HQ{MS5)m0$J>@9OkTm3VZWG9u*RevhmPqjh(Kep$CxU(k9
zODzVzTFf^3MsO3V^ohC=tthXyEWPyR&E1*&Oe?s_U?9h|vp*9#AUIkSgcQU9@w{&=
z$?Gp^vAj&zaBg40q@cD@4}Ijg{9!B^=%7(zW`y!BWMNb5E`KVUU#&#iTijm{SZ6yK
zQA8HcuxzXf%8kVE8Q6l$-{mm#;QGF!ZzR8gmzCFk|8Js@`5fHZZAdbY<e&TjXzT;T
z|F?&vsj`wKpbtcVGYrS?dw)&S!THl;CUJkqRvC$Z{c%L&t&~*=-ou4O3J@nq$m9I#
zD!R9agO7<*#^TGBGWz{MA-oKoPAy)+3@-P~xw`XPvePC-IXhb!z0u#?CIR0V<tcVz
z`OY&-bZNgqa%aBBz^0@JT8nchi5|nZmJz(3R>P%uhk-r*9*DBX3uXe~Y4~yaOAwT|
z1Fis1A%t}Ya#h3B<PO$7`M0s<k%jJfH+=_z=BtnIE3eYOc#dtM#hx+FPy}|Ff2&aw
z!XGV#4R-kuQyVdU=fMCt=&>w@F{e1nPxlEpG%g?=j>`o`;}SJ$vir(qeImL~j8#@Z
zD*H_323Xt;+;Bo0{tOt=b}P-aaA7ox2UrDP@LHHiOcv1VVF24MwVwl=xlabR*P;>?
zeFdvU8Eo&jJp?LF_qI3|6Hf`y&?ina<>b!yQvi$Gpp8HwE{Qmxrw#TE;f(xo1u*J1
zVAQ)jE*^Z}NHn8lHN^csN~{ut?M=b67m4okp|__U5@CS$!XPdx$CG9NHf7uwgA=lW
z5zhqF;EWNh=mUKk3ZA<G>8|dp8enug@Y$qpS5+V5+`a`E5}3ooiib@XE(#W0*P0{2
zBKoNbXhS)CRDd-R{sgYzx-W|sm^g;so&XOPFtaTZVApr7B6uV~P}X0fPPwnZ3NDWi
z>m)M}omaPOU`;(XuG1rjs}Ebo*pXLpIY0X!iMDWfV_S;zqHvqqwQ)}k3R?#q1S#6i
z0trFS{waZ#?KbYHXPR_RO`00(ztpV130r+<ZzM04Z`kZ)+fMh^U)cmFd`$N%Wrg0d
zpu-iFa{ZVAA8m}r{V+<OOkCv+08}~Y>_a{#>yhh6;cYr3tGRSv`!Co{dyl)fzqeAI
z2UV0F_lKd4$e%?eXl}V8b{UK}b{}_=X#I~p<}li)*^Q98-<JA!EC%*Y*jwh?wOix7
zmnG7G>;G*W{g`Hg>%=w|3E~@xv}$ZCQ3+OYUOux>ioKpXt6zjbJU@dst~xiuaOhqb
zVKc-Lv+rDT+h!}xz3JfHy<{{b1W_Fe)|s3&OFt8k5HzE}5gmZ)#NzXR|ML+r!kGam
zlTw=Of9G3#3WS~93hi_LY-&Ra++VUp)Q!I{h}!+YMRN_~{6~2_0K5_LWv2MM6kRwz
zkP+RSTmMlmL+i6MmLku;rk{=+NPqPU#{VdTP2YiRU?-T+y~x9^7`I{{%1+?P?JY0w
zMhBDir?!cFmMS_d&(40|*ar!>#2<1Q=x1VVv`dQ9b&&mT+F_e2=0yo2*Z09?AljKo
z@z{Jc;n2mYBjP>}3<zESGTK8^KST$-bsmQmz?a@4`n{>}E12*nj&G$w2$crKO|t)v
z>wIy%G9j{6YYd{=n!C=UhV;J5;^)H$qsD|(4_?0o?spV~a<5M>PPbG8!l)k&N(bLD
zG;Rwem>X89T+7QJSJTiVJ+nBCN<Cv*XYbW>9=k^xdl$_mKfvh17gm9uPt!i(dV*z|
zUQ9rW>b{Sb5C~5816OWJWm6UrLc!bGD|)CavYHX~RAc!XmG$ePEJb|2ETv?tqPl~G
z4LAxWU_JVvW<HSJ`e*+a=i!$!V<5P*gcKC}+kmLGY0E6pCU%_LDEc<RA0hT7W+qx<
z5I-3R`^u#UmzowvNRV@C-~PIXC~Ie-lM;h*#{BR;-5@8R<h!514^i*j$S<l7WMgMf
zA5s$GteSF}@rppoIBmC(XP<R{e#m%KJ^K#--2{jW?w%ceE{{&tb&giTMT$N{+k|io
z<A3a4+AEwJ)I$9?#m|0SYZ<vQpa~L<M<UCgjprpj<^x#PKQV@WTU%R;o(N=z-GTE%
zHw#L8<*K);S5k7%6A}{oNjum3ZWB8Lp~YeW)_a!p`2qb49PC&FZ#R*pXw`)7JorNq
zmrd%k?xaUUSqkw+>_xQ>?;kjL%=wY8RUe{|Mbi(jqi;Dd0Bk8RSAZ2C8}IX5v*6aj
zIuDoK&E8;0dTvXB&*eq2M#b-ODL|$NG#+04ATf9A#o<qovY3P1;B{ShU#hscQy4m|
z+Mj#`DAK*?1`-um?aWFANH(Tko~`sxxt(pdO&o16*zElrI4Dg$?`{pDGG|HkbU@q-
zYOA%34+C*HH_G1i1DGGq4d(A;GPhp`w8GvZq(DeDv3_~6b*Vsdn@?S_6``suN*cSG
zvr-*!rLgXI67pyz$ruQxBZ=6ft3bo)#Bt9qb2X3S#T~%MMMBI%*8%$K<IS3_g0Ek{
zM=p$yi!efYHQdZ91YHM#76e}>B*z3RbNb%oMU?cs);Vd`gvi5x5Mbi)J$q~0pY_xJ
z=D$YI=>bsPn=p(>aHD^$f+E^i2Hsrx*K$c*Cu!6~&EnCy{c8jI(T?f=LP&y@$aU8D
zx<V;y;vhd#xAfV4efQN&q6V_Q-^L#}f3Zb<g>qRfy6|jlfhi|dkG%mI)#{q1Se^B(
zL|Yz;H+pa<+|3i3`~TVeK)*&|{csoE%W(Cyw)3M1zRIXGP46g04RS<vi-FY4m(3%(
z83AT(^Fp=7Zr;A(HF$&%s#I-Wm5ICl$mr8<7k7hoxlq(C)`pO`tDoQ&Ozc9yUAH_3
z>@X@&>wJZWomUr*g5Q*5FSt=MXKA~`*f2%BDY-To%Lj?y&lA~<`!xis;Wh6q199>=
zS~5Xyn2)v*7bnODL|1cWoW2!EHuKcf)%|y~Q{3}L5D3I>)Z?l-e=6&R5W$<NIdbsI
z9q)mWXY9N5!hab#9w1TjCHL8Byf)$hXkU)qO#OhCc{1sg*WuK_Eg9-t+MP7sM|0r_
zkec6tZcaWD-Y6UT>akTPXx-J-m5$F{`yff#PHWc|F?-p`US$1Jf1$CrsyMdX`MdIe
z);P@)t9WW~-UeQrwb@T2>MrGTIx(}>QrFGXC3S&$Fzb9Y_fbaD|3<FMv<~7cNNbs^
z?uC?3*foeo(z}2R9l1Lbc}3=ZF=B7O34{RuxE$fn67tr`?uJ7l<?bx!vuHzd0g{Vn
zrlzI?AZevh%FpcXq6K-f_keMjC|OSef4=^=QO%mgNcnePoEtH(4~xtUUdfzlI+LaO
zR~-3d(=rc~*gTnyH%2rJLY!y34s*==QeLX5sg;3*Sq2z&B?<`M*<r(_sJ3a0+Pi_}
zh4HVcXNxQY04umX9}>b3jS0Q;kRdN8=My?<k}J&=QMzVa*wOVq3dCGGw_d+{q7!jX
zAE*@s%fRQn+y*ElqEJWBV<|?XTc>CJcqLVkwwVl}6vTKkwdHM|>UE&izuPO)H|@GW
zFaa_mG&oR9z6<O7rttjo;vAj#%U75F=P(14CFH5HRpy3t5Vims=+{PHZ01>aJTJ>m
zIr3}6*%EitMn;rUAXmfL&am6Yk#!%DQWx|GCuDo@Zo-FIQet#Ewf}w5J*_IR?j0*F
zP~}u~+}7t#uR(O56>EBmqVu%j^1N^Ic_|vL@w86pNfDi3R!Xu6BICs4v^GzA<1cz~
zv>@QJsq5I>>$#r5S`d5uJWljrwAp#WMo?t?2Z_!154fw@kN$#c03VW}LrUjfn;X<Y
zOx_9Nqi+<KA=PfSva<Rb#09^<14Vw{F07oUto9|l3$)vC=WP_hX0ty*kaQ?D#XJzf
zsC1Vie?;~9;Y`C5ngrB~II{sYwyPj~-$|9oKI>z61gzoChqvpA0zIA4tg6-^cmI;9
zFmo%$^K_$9z@k5Gc$B}qB7{n?cQUOM^UAd{OYg`C<kClTGh)0`aC0?8vrR)>pJlND
zl9kpIQtp}cp*Xg$TymQ3#U%EfQuWDw`PIJ`>%KjRHLmLWn$Z6Bi}TDc^e0==odBU?
zqJE3&ali5k*H(rgGp>q~%_a5e^hsf;DW6R7@WUlw^?883`x7Qh;tV4)^Q15DMNu%g
zBnVoj^qgDQa~@fwaJqU_^qf1vpj6tXBaCpJr7Re`npQlOO+<%%K7miqPobaTY)mgf
zxG{qJE2?ZHf|wpVFjhiD;X!!uvUHpP@8t7St1mqc3)W4$_%^*Br8XBo;sqM4U_GeX
z{=95x$#jfffl;AcsSR79RibHudkl@bzSgpIVxrB<sfEIr6bFR|_s3BQ@1D?Y;g$^=
zb8L0VUIW2*EQy7xF{hIw7p&aRn0$P3#caIWoJ{+e{NfX3WxH9=XItLuJ!Rwcyd2u4
z-OGoX*2&@qCj7MAC7Y@4_&P|re9g*Ewu()|5pkN=dLQ?`Da90?x&jAsd{ycO;GQkE
z_Mv604h;@)MYpf{3h*O_Hy+uwVo|xA^CfzyvLtRyr3AtI%1TD+P>%c6W{?r>eK}I~
z(x=Mo`D^QX>7_O&IkIGR0uyXAKTSkiH8c<Ncu;UPZd3(|4pm~S%x+MTPi0fcJATEu
z@Bx>K1Fo+TQ@^lsu@RGGJO~g37-qeaz61@{h@7u{)gI=9TNhX6aegl8Cu<mLS@sg^
z%j!LAwK`R-T;qpphuuBZoGCxiRurdARo6027LFU6Um_nJCOsJ|`$A&9Mj2(jIk9Wg
zdp)RND@qJ=u1?EL2U=-+{bog{p;w_Jx$^xpzNJG;DmAtN0H)fYGk$_OVt$~H0dK=t
z^GlOWgk{N<^{h+9QXx_L$ws@=d1Ze1D`WHZs)e3S*7<IQVf*V-EmrOxF6Kp>>eHD)
zTIPZ~@aPF1(ilX#hBE45PO2icK$BTWg3+!)lHC<)u96)cul|W}Hg?*{X5mAixQtaG
zJ0!Y~gBIwQiYCNZZcij;HoJ2z*QypmOXaz$nQlMjv>a3l>L&ACSs0M+Eq_$RQL?(F
zRNkS=qElIPMxye*2W~slQ!uVGA*O9nN_#fVmYQlla57cku;Q&=twoDk>~eNmog5QB
zC8mjqAw}dHa3}IxXDLz$jFEYZH^J+~`h-Jv$SUITIoH&_SmIZF$7BD{r?K>0bxazq
zab+UDNi?+^De}ZX#qko}5;}|Y;(z<0ttvaY9>2Yzo9Kz;NQCZUC6X$ZyS>kzcsIRU
z*oM!pJ<`dq{^o}+JMCJjL_>m^qyA@WwJoj^+nJLaz)2N4Oo*u$Pe`Cjq(h#Kn5r);
z^LSO1Ra77vIEA~+bbl4^S6K#*Rfrazl$95B_0xR8EsBC_H*NIT;ZrilgJ?!B6y(77
zG?s4P!Mdy1Sjc9Vrt`q~i{iO`MGs1NMtDPL#{Kf!c-%xzaW6@Y7CCJk!hFmMC05o=
zc5~BC_2WUgWjgbChH}<;nG4HU$zfkfg5_?(M3H(~AisxOTuzufYEe2d%rt*}c`Aop
z%_C^SDL?sJzi`hs6glsW4CNAD1rY{OyDtbeZ}#JWP^Rp|TbJitdF4A}rs`tZ-R>}b
z8?TBjQ#A;*+%Jl3BA7C@X;t+mTWwJ3S9y*6g1nN>FH;3=JayLN392?H;kfEz&TuHD
z=#=%2C+)9g=Y(K>gBu#CeCU3$HK{0Dp=vdid%C$>(r#fb0;#7;$mNC0nJe@iNbX&9
zn)kjjiUV6Nrg5Gk$Y!(6(WdpvP{BdSv3i|z2sD4c*dm#&z%eGwko{0u?zp>O+m0Y=
zTWwidJq{+uSXSxcgK&jR7zr+4<NBslO0HAp8gV-0d4<BNq{VajN&FV~L`#i~*JWZ$
zJ$3tIREb4#Ox$U9t{kcG5^ykh34jGpG-%^LO3V>yE_OL|pH7n3db#H*db#EGP>8n)
zyTz^4k}r?y+R>n@waTG-uyHcw0s)lTa$N!pni?D#p|;$nrpI1Tp+T6q>_|w~cR-P9
zJACXaBslEJmv9-?l=T8p`F+`WYn{_oY}YAJu#R(&H%7j@`a8X}5<L)64v-$V#-L^O
zkuSwecSY`DcS$_s%4oDj$(Vak!EWo4`e}3+Zz9Q9SpuuTZt}MJMOEe3x|%?>5e`Uc
zs^%Rt5A|bVNb;l*exZ@A9du(8RY365Y*+lV?G*E{c6=XO3<a~+phH${m90R2mr-KF
z>sU1(-l4B<w%<lv<#m$7X5+=tnFrnnzzg43x5qw6(35<A<Q%K$>E++ED%_ms0{dnv
zK=XRHA<XmpTV-PV<~*w+xx~swan}7o?8Kb`a>N3a-J??tah=&#y?v$Kf>UQwgz1vQ
z<)*ng`ytmrNqtPk>v1fd$IiY*moJeC%a9GOlr6mi12_4p=7j>IGPrnG;qKE^li5<K
zI!RL1!f<Yeotq$G1R2-&807)_ep~G2lRLb22YLGGov||o4g31V*^2Sv6U;6NcBJK`
zhz0}k(xubUL$Tb~^YU8>g+yatl^ksjSf;Fd$zuf0{diDy<{@f!Kcy4J=$9zMhOY{1
z1eI4C2u_lDuA<88#7D>;KkN{$<8L8TN-;0h2q|!X9zWs~(0w`d4Pi^F^b~j(2tc+V
ziU~h}b1`9hk>7MKCQ=Gf%!KA|XFfV($4>UTp}i8=JIxPogcE34)HxTGO<y@3b6_7C
zJ*y8Ybk^FUJfCbJIZ=q;cQ?{1?IWA$R%AfcsdDQ)?g-)A8Y{bcF?VRUGSPjQH9C2{
zzH+B;dHm~^XL9)kugxZz7?qQ;G9+0ph;6dAS+h%1PzdPGu`&QnE>WMTpQZ`n9Ia8B
zE{T~+u#du*hRY4i^H08veF!tt+~5>De*G#&t&mJB)v~U@Q}I%2_@KUGe7V%R^H+z!
zehhBKY={-gSy_<XqluvU(Qd)+;Yh`-+a<gSlIr2|Q#Vn>xT0rO97$$dI!b0Y*=&VC
znV)N{*?7fm*y-i7aqMV)-TvS=k0Hkje4q*tW_31x#Ygo01K7(>CF28Pl8&|J8QFd7
z>q8^%HX}V|>I&sreJ4zBD{FKP$=M1}H!j_q@<a<<`b-P^zL^&E&58-YE;SPcAO(u<
zZ+!QUtBUpoFVj5u`pIgk#tKrVBL!TudS(zTR5!NF>JaOYI*nEHx|4%480m%03%e0~
zuWxttya&-KV>ly71gV>D-2kR8MZ!&-cCw+BA#uA?m&)-a3#xKN7ghWwX8-PJ7yLXY
zD8%3~qMmBE(Cc#SMt;1iahKQ&TYPfGG8&x|qiRQCogT&ux4a^=v0*jliHwUOYk$s#
zRD%70Yjsl?)SELn`$czdXl7RKQ}=hl4;_sA8c4OLwZa6;=jnf|Rw7U>LnLkWM~Npy
zIW)sl?ia50oa+lSSG-)l_S9ESTBSJORp02cu6nYMxM6peVCY!supuzhmJy><wBkAV
zwvVnbsiAQ>4g@bDRs}Qewx0+#Y)6)+@2=&~#cH^eZ+7kD7zpNU&Mgde*7z6OubHW3
zXDje`m%po$YG(rA6E<K4^Q=7{K<MsbO?larl^9-ZL+uO`OU7>`9*;XEo(*^=UIcTu
z%?(LG;`aCZD^QS;{2OH@G<t>3U;FO58p9NiP5i?gceyDGCPq%Ih1=Z;Hca`uj$8#&
z`K=;cJYu2SeezJ~`=TK3uQfk}hOnwt3~p9(?S6(7ss{Z4KE?^1mxnSa!-?+GW6hzi
z*nWc+t{IJZL99C)<r0f~`4U$kUpNoQO4h#ACw-)H965LY03BZL*=ce7s8mrs)5}-6
zT+kOjjWB=F@F42dRN|aSD)g+3>64$bYObh_to(Q+q1wYQX&<;A2IBdCMH`Rd5&1bZ
z%wZ*YXriU1k-z%Vc1pdd<SP4KsT);~#+7)rgI{6gr@=itTvm5?chzFlhe|(kYB!sE
zJLi=L;@OGrE{W|W_uspl^rj}BtOok#@ZN^Gy!KG6r?(ufOST%P0SsdY696AdKoeb@
zKY$>kgqg0{GGKMMx}X%gIsV8=&lxo!T9v=V$(mfZU*MQ2o{~4LU6E18AyBi%-4Jo1
z_HH!JC}?6V@?j}JSS8Ya0i>K%KRLn}=k`_1azD!?t#lO^He24)%Zu0~3kDNC4{fh2
zzb-$T1F-e2gyAiVH8%~-d-Rpy!!+@yug?`N>Ud0l^-B`!t%5?b=*~E#NE8AR#rWh7
zWdU1&(H(#46TkG_9Y~i+HBehpbci>t4RaZ)B>b;{i{Z<G<K!rwTD=+JH)CD<crHb$
z<4<+uPktS%G>doWFf>?ax?z0va24NYR9ov~BjaC`2JA%|OQ!}^38Scy;q`Ct-F|U+
zki~B7P`cp9{WnLa>whZ|QscP<H-67sxG+nbQ!=E@!e;az0-Px`E6lx9Zlk&Wgr*WM
ziL`9y`$YL~Hh%k_Z*uJ`W8FB85`^=!Ge4R0P)J;b{JYO+pZa^75^rw(+-RXdouoUn
zA>OC-Qfx$%b^JL1FjenZ?1SQFOPo1c98wU6FjS>+0uvh2`UgS4i)>UDMW*Xg=@nOm
z$nEon9eQcNB`0tmpu=snO4GeK!ani1#av}O_~hAfYPN^-^-RSQ^f%g4Z~GL>acF&a
z{oeZYJ~!9^k*F`$z1dXE1+Q0WP??H}6bu7lTaVU^zdHpOIgr*^USV{1%5UNrz7+s&
zL>vUmV*Y#LMFk*a=1$mX=<c7HHoyTCZcs#F{e3~y9uEvn?@t_@e-AQ_#uF!anXmpm
z8C^Ip(8HvGTSWg-E<;yVD$Et|?mnLd@Q6TR`6KVMBZ0maP-BOH9t^|8>>*981^}Vh
zpb9H(*UQviy&By|8qEAWt`L3*GWnX*%^I7*3|X5PsrRl!sILGja&95j;QLj{_wm5!
zV9Y#q>^<RH;x1=g8;u8t?k)+7QuiG#;l$vS@y6oxL7VqqiSA*KCxe~VFtR+si6+CO
zumnI-r58ZoGSz;WMIZQHr}-vHC|X8A{|gVa;t+!ktK`{qg6Dtkx(NV->{V=x&DBIl
z2NQNS*~!i&pv_`50RpqkPW6VPA+I1gy$=BEt^k0I*4A{LB&2__BTCiVtS`l;;e5l+
zCPq!Y7$8uiWIEP{py9%L&GV%9yC42WT*F!B258M7Yvc8~@D!Q*K=PFO{WXFTG~y}%
z`VC&aSVD3890yJLT%K2~W+nPNfxZM@kCkK>74Nd$wfv%SfNYqHdK{F+sB3p{RWC-m
zuTY7+pa>P3|I}z0ZyH-HdGpZ^v)&}FzEc36n=wiU<5(5}oc93K{d?w>i`b?@1jgIN
z&VDt&`dqUKXRoT;Zlz+aG*5AB6_|E4t~r_y+F%hsmbDiL#dPa9J!jeD-+d)vq6gmq
zTroP^^nPRZJz>RG!=)IsJ~tWQUK8GD3$z~{a_Xa5pl*Wq^0pSj#HamlP!JDJ0$9m<
zeY9BdD(*^btMzoP8~wClv%eq8Y{I6JKSrDtjapXegSxz;UWvy>d7KwO;hMUXeNI$s
z)=Rpq0fO>{I!@o+lI<tDT_DlABw&ASq|15ojf}@)gpA5c8L!Pa-|0w^w<)^XT}9?3
z%9^q)rwXNM+XoiQ52AIfk-R!Cdy~68Q)#~Hcdrn-?AiZulD7i@(wT&{G8Ya3llFnO
zpq1w*8m;Q=>S}&Nz1%CZb>pIzoo$C)V{svoL9kuLn~YnZ`dFTK4K!0Mw#qwAL6OgF
z3!b6-NkC<V>g)0OmJhAXx29``J_BE$MYx<lvn6^4xa6Iruy{><vGu7FIGfDn#bHBw
zIYOJAQq0qp&+BAwb|vlo&A_uv+QRyiwSgE7eTp6WOIteW&i9KzD+pK78;hX&96=>D
zu+zm&do0g4Zk1p7E>*z??z}<CSvlztL8UODC^&VydXBhbBh2T_xbt)=&VWX!YVNjB
zlIwhcZwwW7Qy3Lj1eHt#)yLci^K7l4FT=J|@lBB5(d8VW56;RG_szo&mQ?I|6s*Q}
zHmwBq?K|EVYSnBd#g-_`wi-1_(HyZK+Xx-IkV(y;N&Ao=dXWYAcWWYOV3@S3cg}ZH
zFN0qx2|C0jOb>pp#=HZ2zd2PS<8zKONdMiX!^pEXS?#!}mnbK^Q*0d38&m`1%`7U5
zG4GfG{AedAZYQYz3E=Et8la@J-aY)t4=0a6MdYd8&+%Umog%2-&DCDs`E=Iytg4l(
z_Sg5HplJdJ83(&E@{y{($>1c_NkBf|(GSUAz;i_S@u$J%iH1|}qZO$u*KY=U|9Vf0
zy<9yk>s~K6`|#N<v`LQ^@ZG!a<4H{gna(2-@hc2|Us6)?6G-jNHuqa=&r+h(LxtHQ
zAJT6l(tlxj9xuhI>YKdoz!BQ4T6m{(MjZVT3UL2x3ynHyDi>Se@?V>T(1;2zEf>-?
z{i*^bvv(km0bM#jgShLTA4mAEmQ%IN0ky4s-R%~n)Y-R^>O&Kpmq`H;Kbs>|H7r};
z)X8<oe?0w;<a}AMA$LWlz%x?1^ZtHp$#cpsaM@(XKm6Nuh>Wv;5g(F$w?6}N@$pRj
zaMCe%7hsA8i=06N1zM#lw$p>RkCH%_5^JS`2>4bRG+S|#+0EUs45s8~6Ka9pO4ShU
zxU;AJW0Y0JoyXh6m5-SRkzhn-K#p!SW5c7c&$~`BH6B*<gkr4NmHqXDi-oiH*;qr`
zu3!q@ciV-u1hQkmEM0+Acg!N7bA`#Q+&t>0FFHi2j5#NSHM|PpYk3jMWU`r1&<f}8
zgsz6%j}w-C_Nr2KT={|A?~nu=Cqw*bVL^dgE_p~^rVzp-HP})U`;{fdmEn$*`<xuQ
zxb|yD@sQn^Q9#IqE+>=T)^f0mgLT@EGFW_zD>xF~d{ab9MV2}JrF4LXAr7Os)pig8
z{oS^&h<LzJz*_HhQR_ZoR6+k>_IpsQ;>lRhgYBQWB5fYfnZ9_AZc_@sPI1kOUxhs~
zn6%uw<3$W6o1~^`v<VNw<nj5cvJc)$l+Q5b>QqD1YLDPd@CA_W;h~ITI%Rw^4jkzW
zZLF4`py3V2ke32t^-?iT^l*|_1>e+|!MKps49;cpBclrx188=3!DK0TiplM~t7=Qz
zFr?Gg7bu@)K}&14iwB}cefS-7vsPi4)m8PR)vsha#qF({T@}4*2Gh?{Q(oOqT%%(h
zL&)+3AISd}+HhXqog_(OBCM-Y5)1Ii`Kh=HU>~zu2`m-HfJeOB8feKe(EmlU5Hy@E
zbEgm~*si|$`Jt8W-m?W~zD>D>uV?q{rt!>dtFXBZypJ>8;w)R2L~BL(NJCu8vksy}
z+*93x<X?nr%aJej>BJ5uqwZ$66`Cr}A7*ske>ojBe=W#O5E2;Enr1nfNTrHK`o{o^
zNn&rjS?H;)>8`!{AlTBOnV&+@%D{M$4`v053`*54BEL(Q-@mj%0t{97loX*W*V3zB
z61VPHKGujd81!*ycxaYanw7z7X51QVSw<bGx*|B^=}7g+A)~tZj+rO?3Du6rT5fhi
zWwfcnxQ_b!npQ0{;t*0t$p^vv^5Uth!it9^wC1WS7sgD(8d<LVW<0UFYfLx0$Uth6
zfI)I2VYzvXfj-=_zx<lHN6?e|UtD%af#)|7BkSQy(|tb^^?q(&CGtx&R|0h!=&cOw
z(|Pvp;Wj8ReRi>H&3^YLM;4caS-~O=FDhhsco^HbMMs^|Rl`l2q4;H_r6^x@%ZgV)
z<gshngS45N#_x@8cA0!zTxCEA#csgjp0G$hh&me0e&OFbxH{9|gX28ywsKWcrPZW>
z=bPzmYGCUQf(*_W6o|s#B=ukiDReJpbud*2?u=_bx^3RA5XJebP5V><(!1&|Jp1-a
zca1+UbD@KriKjVSzm~s`?@2~6k7+R9d*h^r*3PuugvL3&T>|E>KaPi>agbz_c4Bn%
z%{2h1Ql!nk^28n_r&dFS1oM>RSqh{QjtguFm)cZ}G2bC(AgZ*rFyMVY5*f{R!Z)GH
zZAd{{oU{J~Ad_|tb;niwyRiD<V99bm%fg4{t*g(d@?D-KgdGQ@TR5;^v8dZe@D_H(
z-0tDo=PJxlEj{$|)VH{*V1DoY(?Y`p3d%0fmq{61?i!muY5J*CbErTe*-l}eCnGzZ
z$Mw*$&WWex3q?c%E6Ny;Q(!$38p9eqIXI+>A2+C4?MV9YCB$g*DQR1JnMrtV=8IDh
z8rlinYktA|WQqBTMk$0hU}tfvt4TAch{VS9m!&{)FRP7SRL9tlKzVWDk{IhXUCYAa
zR!Uzr9(_G>2Mx#@7&J0C%<FfYci#bPdMEPb{6h%kO6D6WO65$<G0NLT+hUX$Tq6pC
z1Qmyy{p~fMf0u=VTLP~)LC(U?EV5E7;m;`BFKTAaxsC#^yJm+)?Qng6@Y)CT;u5+I
zy>_t6{WKXKz;{z|)q?u7S+tdPl$0?dT3Q9HvyA~ISUy+_RuVg2d~hLq{N@T>FiB8b
zL9W6DLul<jD``xtf#qXWm0FZww?gog=jz7?2i-Mv&8|#}c>UI|1aDwvkIsM|SyD4U
zwk@{o9|Y6wArb90Vd<dX?}z>s)g=wf7GCoyO<dD{g_nW?3|kC0OU?N&dI-i}jVg%L
zn@HUWF50%F{Itb>AT!-UF+Zd!DeJCh(H+w|V9E2TwLj!QmL{-`pzT%4?Xb_5(&ilU
z##zEpMz-$tVNG#8@r0>dS%!qWYy+dBnd$K<)9*-Ig{+pdKHpaiFe`866<vTlS@^}r
z`g8%a?kcA>f1+SYFtM`z05*<+I%6>HaJN!sVb#Jzi0!1GLrdGLbxE#cNVzHnpSSY1
zMM0w3f)%2qHD^hM<;!e<c#1jp?}Q>SUSdApz)nyAvB$Fq%lt(=B(Ec_c&73SgVT3T
zFL<u@#x)A@1iCcx=xbl(`ACL!M&HqzQ`{(`va5ZVG?cm*mo{1JasTKL#(mcx^OttX
zlWn;=Q!csIh>+qe*D|M1m28<iC_SqP{Y_b8MYrMZM$K3=*Y?z4j-GchO_{&kw;>0)
zE-fts85P=GOpmJc4P&GovMkoekbL;9pMqyJ%cKHheO?HwQ1nkb+)lN1VqbXW9W_^*
z$=A&llNej}ya=BHqV3O=!piE?*$~{SIWLP@zpS->yR($<iiUqpkvw_ulNJ=Gm7#ww
zv(AsNC}n^5B=a74NXVn(h+?)_xWIX-0{v%Zm<6%#4I{s(xhz^7HUkbGP1ENn?MT`;
z12<GQ+FIj_7RW*u0tkMyl;X1fLg#4vR@@V$t+nQg3d<Xc`NFm!kl2I}wLi|uxYZ{l
zNoRoj)3>3l_86aq|47u!=<WABkyk+(R>j%`MsY{@+)n0h`7%NX+K_>PBYqz@0bwro
zrRs>g1mg%n-UZuQ=~~Vat%areH_znvCvOlMEpfic+P1WP%g<=CTW1yd?nuCV{d1m<
zDUyjO#(*JZZ9FuLsw-en)zvQ3s#{)Z({}H}Hbgs3Aj$&EAI6<o2vJyQEV%_m=H;s*
zb&S74RH6)r)e`bebXMkJrz|vE6xql~;g{65_B&#Mh9!Oyl$f@me00=g%$PneIYu<u
zyCWkY=pR%Bmk;Kc%f(Y+GT&Kj4SDfT?hA6dG(B{~Aif##e{euG$nd&CsJ{Fyq@v5N
z0Ffo{X8Nxc!vWn-NG13bU6(@V=%CdM-M9I>H2atKqBKaO1#Lfo^6$T-z+*o>cI@FR
z7C3B(K9^kjt6EA=pPmbM@Oq^D-^4jEppiuXvpA`$?|2SJqFe2P-f6|lGbzwq`Uf+h
zBog|rr|-BiIeX(~JdW;qXr-yJFV(-RSlD2(dwht})v(+66eJ|(CFLBAQVyyL{;xyo
zF<n}RbYBfk;&nIHG7jrCii=)o2l)~{=iwsx-vhm)`*po<={ZvAYQ)4@*Wz(XrpPY0
z&La4E!aoN#qWk7g{&Xr;GVsfTyRZE5ln;%OULyCsBK`iHH|;sD1w#`G_L1E3c)V1T
z%FT#GH_oz8N*4bwiFs!GJo2sWc`l=x*iBvKjTC3ah#!A>bzd6`<=#<tw2}6e)9{qM
zAfM&<3kq{16&R7fz=#62$*bBGcl(E=Y|5QGSNhrxVOMsT#7#hB>_2<NV)~`gx9fHF
z^VZXjow1aGOHw(r4wk=+I({Z`Wo~4rS>mW7KaPuL{}d(;sbTtr?&$q}rAACdMO6(h
z56QUtI?Ga4WQ?)mx=KAGez&)whwOZAyq6+aZ#w2p>g3O||N8WvjNCs{L0Oo`ms50i
zLDz%afgX=zYwf1j#C|wdm*CjH+)2iDI^3&wn#xQby7#CQN{uC-VSn$>1=IC2`9jXt
z8xr@LIx3icnTMSXR4BZy`inT-*TtIfKr}dSysUb5|0pTW19#d<v}{)XDdu11S*T%&
zidNX^Ra%Z{25^vLLEPw|A7SD0um5e1e368Gfog%52nDH!X9~ACo=ZJhPEtTu>(Gbq
zU&D4jyd&<ifmnM;VhF<)_Gm=v5q9xoeg7-*FQ~Ck+#l9EP8A3Rs=ms+vz!^fC|s2z
z_ssC$J&^f|OdVeB!Sh`?V6u;7If#a2A1FlsZi_~rvz-v@)I&hbp|Cw{Jv`_JcIV`V
z8j_JWsTue01u!r_Xza?O_$YpVo`+0+K>hGtj)>Fq;@h7b{_^RY6Bc209B=F<0j=B9
zS=YX{Qkc`nWm&&)&?k*Pii8gFQH;z*Y<|5=!0l_8(2w;$-JJ|g;&lJYP&hj#XIUN>
zKWA;=Z8Bdq(VD!PFMcsL4u6$Rq5^x^FDu^9r&|EyVkfk5OH_ut3bd%Ws7d<&IVdNK
zeYDJWU_N{}{5umJ<Axj37@zla@h^ht+lo^#&jN_R_%goX=1@h$Io5@l4*$rQJNA6j
zYTK~mQd&6fSugKpBzs|opKj3N-G6xSLS|NKMr@%|D0{w|=~Y}G+)9@4AMb~T`j{U~
z?!vfu>$$ZWV@97NG#m~)VA_1-e@$5$25z)R%8b)F6mvP5!(2up^~+#JMDLhe8~MK~
zAT{gM*UfkwO}{g^hCO^YZ%K2n$>qNl7{1l7?0X=6uST1fBvAR1ihhPmeq16;`p1BV
zZ(+B(UrXH0ukAd)1hpU<(t>JJ3l3D=aeyE(%RUyz4~l3#(HYt*n&|uZH7$y>54fjM
zFq@IP<NAl+&Gh}-p`Rc!?a-7Q=7q9X!}GaN0vUMd8?Q;I3^L2aMLf3z$+wgn(rdE;
zG9>9Y=79orDMfFTwZ*@sGbQe1H_(o=7xlO|JQS_1%ga0;8n|93ZX;d7Gq~w6(g<Y|
z$4y!tQ%RnVOdVs?u#uQerCE8UQLi*`&EE0T&Qn6i08|t#Aw;x!|0PmSclYJRay;8o
zap5ynZ-Q6Sfl+V0BN$sGU#oI=a_b?vQW#!Fa^O<0T}(UF&8TtaKW`)Yxz$0l;a-Bu
zglhE@PR8l(S3fwHkf!TrMt6pj6u8}5ZB7YFMJ_FJ%;c$=32O8_7%F-q`g(qOd*<Zg
zJ&gD~Qd!JNecQN>sZ8OA2rRqW*&(KVRD-<7A9k{zRdr}THMsu_`2=?9m^^<HpFb!Y
z*lMt<k=xq`RnwiQ63`f~`{jbP(<86)UUJWasD6c98X*T@Gu6|pd1uS%IYB4P8a+fw
zpTj7alx^f@slxO)A%gI=6o^g7vi?yF%SnCyrfT_K$MaQG!fnwj`q1R1JhE95-34>M
zErD<YcozgV!Q8u!It?^VKpDeCs#_yB98F0G(_)KOVaB?bvk4(dt0|jZvoG~>gawDo
z^Yc?Ii*r0w{r5VHB}sJ7``vq?p^&VVIjc?B-u~m0PPM}`9$2IjEWzF(_~u$hoZWtR
z^!6Qj^BK1$wLa}+oi1o9{2c1Zp6fJHx@D{}k~u#$&QH~`q?PY_=;Sq|2IU!qk|VRE
zOi$t<#&b@zk5MNg$c*+h^=iU`2{SgIL7%L1>tl`$cY_&5yO2YjtjF`}QrMB_bAle#
zVh-m&_U|Lp^%|T;u1FHD+2}%d*P0ybP;X$7^e}e|ka@IRnj_<3aaD4Avnro=bxkqW
zo|LAbHevXB`$R+4snu&=V`d0+@45FYJ9)M2;~=l-?$4^byU#w4G}WAsJl@*aeB7bt
zzo-w>s9`HSdg2qm)i6idWimstm6v!T2y@2>bv|z`kAu{AETzzo(5sAN(`?V9DD4!%
zb&O7s44*TloBC*oif7fVY2E4ysAm*MR;_s>or_Vqu*e==sH&a=F$Ts%KJ@<upx<{p
z;EcmzWcPk-vzK{2sv0IIgFJhTEY!U>_E=-D`3(%^2y1YP`I2?2-S^R4H<4IWBwB_-
zvG}Lkw??%aWevHIYKY2S^WH#)<aqr~p=(=}z`<kPslI?!5m<u*X<U(BR9}Y3`O!V3
z=ANf&t$S~4Nx)XSjWKdakMv>$e!k>2(E-iKPg(GB5N%gO#;nb=z~rMcMIl3|W6H1>
z>nw1#y7zh`cfOVFmEa!w(1f|(TOtzwyp)IHP(7Zi_SIeH+CHV%5tFZ(*4aHr&@~I)
zCil(wlKwG;Mu?py&^2ufm8GBCYvTuB;6#O%zZ9Apl^q)*bV}z$QBpyMJbkJl9NW#Z
zgq@mJo-%|l^%jX+(v3wkjE*C=?kjIM^Jw{xDxavk^-FFpmXVO033<O{vXgcj!j~ib
zzA2m&Md~He$A6Qg#%0f$y|1wnRwp9Nm@zYlea-FW-k?r4sbgeMUD`?`%F<GQwQW17
z<l~kyv`(m}uh5&r_(`N^z!s_vhy^1jnJDd^iny?I&cyWcL^kT6)D3plckVr}{gPZd
z@e53Di{dUHeT=tKUt|=q_rakTg@77v<sz&z%^YDX+g5gNy~EiodFTdZC`gfYmrhYz
zIdGiGquzEzS<jGDQMBY;2}pTQ>tA=zM}IqHjV(6yBy^|7YkgLS;=WNj?cTVZLWvuK
z8Kt$YyO6h6G4v!k`dIxqv?z5{w7Q2m=`;H#eZbqpqk34p=3p0X4NGOmp`?K44|hxC
zY073c|Fm7MXKePtD62EpmOEyH!tI?NxYs$>ohW<d&CS{Cf^ge#`)Eux6g)q_SJu{H
zBqW9FkeS--<iZ?wzBcK^<&ELIeQpT*h)5oK13zoLi%@c`oeEp2K2WGC`gz(}IXKXq
z`EY<hl>N;PWX5My&G2$<{FS>mTu+K{=@Nc1u10u0qYU@wv`CZM;gmGY{Y|Am$A<oq
z7Q?M6h@1|$f#`K6;msxYx|_s1_%mCvLWoTo7<m=2ZsZOe@R>c1L0*RA+5tzo3sN5r
zcjq6G7rJAe%DQWLWN^*;U&-0J>}%A~y~=9`3qASuy8-$0p}RSbJUAv8Yb}YlMRoR)
zUU(%fxi_E&GjcucwtQQRof(KlqiCE)s)zLUJtH5Mn@(Ne%&d*o1m*{4$mmr%do`9n
ze5q@6CiVUOjg)-7{l|9~^GXC-v$Io!OrOnkENh93pNmpl-?1q~HR#$w^;&`3R46I4
zXWM$EF@ns5<ryrk&>?m2QHkYyEW&Aul;xS+>hfXvYrQVp8xN3K({@mOs+rdX{JmMD
zy$V(t67XZ*fE#`nur{P6Jk=NXBO&o=$5iWJ@HzFS2>dP5F?o4h^Raj50rWiGnfPlW
zGzHZP^KqE!R3m&TI=hcw&3eq%-0^U;!aLbRb=4GSoLMQ(wIHk}F9`=*YPJD(T9vZq
z?hk>q4{lzi5X`Rbw5M2STQCpJ-{cRNWLn+kaH`xp{q@vE71E{;%dhrcW21nZ4E;3f
z>l#T$W)-glYCq0cJ$~`|A<Vr)PTk==45AWx@Lm}ledJuAQEhd7(fu1l#sAdzjB_h*
z<-?6W>x^Pgr0c90%)soElx-rin*FQ`Hc_=!owhP<2xHV+T3Ll}Xw};&sPB-3WTrn5
z<~H6Chsg#U-|s=VBiOw4L_#PaAtS~-lcL^4RFL_S_VRmuT``Z(29HcU>I7HLmpcSF
zO%+p@t#L{ExgW0vz`D%(<tI7G&f%7@pHDApP(FIstGO0Vt|MC)O~eOS6<Ln917Rm4
zkK3TC$W53|m6CIaE>+Ytg;F~wm%K6H8G>0!{6N#iNff4N#4`Al`4?5+nVlZeF7qi6
z)vBqXv6g)#Yy`$rLgNr(>OK`39Gdad6^iV|ZDaH@KpsdTeV8Yq-13X!L%YkR_7$t*
zyytt5kqS#M<)3rdohY4@E_TAB++*+C)l}QA=9z!Gk*+E5E16uc0eW}YJsTo#8Y`3L
zdDul1F&UkzN%QM2#XS_f*ZzDGZF}8#GWMuF$IwEF<`xeQ)j|}iRNdbK{sYQ)?_6qL
zDAArLL8dBCA&<A*;+~G$`8Tadf>dkRVYBGSa_vlPf^2YkCIg!mq5Jc?4R~n2_wkRs
z>sui(o^RR=B5tqGzh8WWoIMEi(Gz6R7tJt9ySs7{04apTpfHeGi!7EbYOoEx8AZpf
zPm-eT7aJ#zNUggOn1kIAtOZe*6T@^`VLcuCY{e=37@A82EUrdugDw4OWUYp{?))n|
z>gc44Wj4vDhbA1#C!w&_bUmL%_ndsG!zm-=h~9#ENQF+d{$ie^Jc(%O^qVRE9%DaR
zySQb<=$FCjX0<|o_v4ubc%#}^^B+C1FgRPtQT0*{XQa@~>VBFhDn4Vyo&(_ZIjrX^
zDC!nX|AgRK8QrMb^KU8lVdZ+)k&b$U8;_=@>J=Q7X>8}NPw9m@+Vqw>a~`Iqr0nGF
z)jQiL0Jl|e9Rd9cCyu&wv<Wb2W=TZVl>?hu5}gTbCKRg_g<-v_LtzoQt4HW0I<3~=
z4Bge;$Rq!89~s;Jim>4NZUT%SCQ_xp&L->Z#_`7TtY|)BeRI4A`WdwWWaeD2OOH2z
z#x|}BHVcnLL19<)xS@IpNwYM2D*ck&u~07=TlesLOSs~$LaX714RJMv(e_C0k{aDq
z`Kn@kUnWcnf^<D)d7%rs;+dqWtj(+CD&23U5Ne!vPi|$bG)==qb)l)NE$87VKiE$8
z>1G`4W7YI5Wp!4U*QR|#{`a3_JB9h$vKMn~SDqbysEDhs2aUEjU2N&dtGd)-KA<V4
zHZOmEV<Vw(a+yXgG!@QlaN&+wG?%w)RQKfR5=~I&UTD6M3HwS_TaVuUjp1FpPx)(_
zrb2!Ev0+{^*G2|leaJ_FmkLNmJ=z?{Ai+{E^D2}yEHB>&uH;xZq}InVvbv>9=tx>~
z6&BJl3@52Mt$5U@eYIu+>ZOtC@(FbdrcuS^w6VyhfB8l+F6(<o(G6A6t;<F2xszy!
z%3#;bD{Z_uv_QKQYfnKHk(5Z?89SQWz@Hh{y=568RS`UAw7iP&%eX%4k9#QM>64OA
zlT=JSFG8Zbq|xwc3p#T3{^}arp%*lqXsX)*`79y&@ND)>_`0Z+>93B|SEp9J>f^#(
zE{d^DguHU*E+fsFf`#9E?7?LdV%?>k&AWa<1uIrKxGVZu-zkQ6RS;HFWyZ*}bK7j_
z!%ENEB$q;!rArd(Ctu}W^Xb%+?Yo=sY?L`n4g91sfq{;3#Y02y<2JvW|CXRkNj15N
z>uUWVKfHb476~q{Z)$;Ubs;Y<OaGu)yzXc(IQ+-q$KY_yJxN*VRvYNek@}IatZG=G
zWFeQ2%Sfq2WRK&si<?l=I3ZehvB{q&!4QG3<R^DDL=X2o1D333UM9uwm5)Z*?Mupg
zUqe)zCT^WiHKe$`Idf;e$l(fIWQL)jB%ygE#aj{fL!0z4RbA5THHnf06h16SZ;5MR
z;}tTKfBKW3roeuIV$lj@vLU6^{TjQEobuK!QI-XFQoHId1CFr|LFa32{@)GmiZE4t
zJn}9%iyxHp5jSZz2Qf!piY=sehWMEwIo8;%J3pt{N_P{=xu=BK;Ro^`!XqLdD<xSu
zXbASn!2)?>m%Lcqs6ohb<?MBJhNQ?AyU)o!x%iK)lZ%Rtr0bFFx>ybS1zocP_%D$C
zGO%hn)x&q2=U-qQ=8Zhwx)HIO8shqo-g_ieG83BKZV!j#-Vc3xHjwUap(OtrmIQZ`
z5cNr9uNH&Ucszys$C}+{6X!vsAVcLHzjNXa2>X=I4Gr(Z%sn7=Guqiw=#H{Qh1WKO
zkDArEwR63_)|P5g*|9)c@3c)qUe(zjrXxI$$|fR+ZtV>4uq1v?3CWbDD;yrvtg?I}
z1bS$+BN}6A;<Sm42IMsxm@c`UU*r4Uz;+5b16JcAs<6%R%vDw6-;`UO;a7MYNoAg8
z{=+A0gM*qP*jORA`dw3_^uTXvmTM*qDDgjtfEL=ft;QA78m_*#<E#Oeajf(jZvH?3
zVUkgY5@wp=RlL~oZzO!oG6Qd2pn-DMMG96kGX8-auvpS4B)1#wp$5qt3G2k1zvd&(
zof*<#{fW8@5ZO}J>d<jqv48rPB;Jq+4F_d+U@zzivTlA=fjiTsnHtP@uu+vsx-)@(
zG&IO^-yQ3^8}5wL$m=)QScOkshs*GcL6Z@mf`$GfLBHX&|EIaLj*7B-`#m5j4=o}f
zEhVL-bg2lEf*`Fl4BZ_fAqdi)(lz8rcZ1{*(p^&0AocFCp5J-T`RlCpu5(zkW-)Nj
z9sAyUU)SFI`~BQt<JZin5y}m*i_vg=lL+rI*F{$|LZ#;9k=G6}C#I=pOIO_?T;nE|
z)0i(`qdHgLe&x4f<46}P)K94nVfO)qoFyOQ$9ByttEuOV7?xTY{9<&^#0lrs?8H^c
z<Nug=fDaRpab)C_<^Rl<-i!cppZ~u$(cCk1EhzfT=^?<7M@&o%h%Sl<ZH;Dq6Ob(x
zS^&RX5vA2<0)Q@oL&3WFhuLur2-}qNQV3UyW}S2C(eB(Fg0O<V#y4R=R11t*<W);R
zCU&*=(QBlZ&ptIOHg<}$msKAq08-^rMe1K-#}AxH72J;MqE@6v?ZLj6YEX`f`45%I
zG(se#B5mBCMEc<)k^Cc?x+qRkCgy=B73ByL41n&K0=F+r+!uY6Wda!OUPm&>-Q-w5
zZ3DQP?P9OX0<dBZ$@a)}#+n8W<grStImM>`6C`Jm?Ge4N*n40pV%fu{P7Ru?b+VeW
z>7>{++{h8V%&R{fetz6^1JA%*E`P2187^2u))id(z}3=w(na^NP%R&5w8mYJz8MN`
zl}K98fkU-oy8-jm(S;3|$NW6&3ef~om=}Ii|3TEjkkl?30`_%9chq%swgv&Ve8MM6
z2E(40KeBqVZdd*{3*(~-)-0jZ{;i4fpA3|uvYz`0_|24FFxwVbLzi>St8BDhkT_rA
z@G?c%Qk~B>GBxr>@^c=Iv>X8uz%;PG#@?))FiM=T8xTeqVatl@_IuKgcEcobAFgmP
z$Le}k7Xhi2>dTjg2x-SQkm1OuSeA$aceAElAI~;G(Lk)_E#0<CrI;$^DIG?Xvf0Z3
zdnnIG_pXeucTI;w$fi!%a_^-LK*vn!UhT(z&(Md<@!`0P2!k51J5mt0I!kqgV)sk3
z*GD_g`*LSLgX)rr?4jP{dQ1k{IQ(R<tF!RNceH##FV^Z-nD?P+>%fK_1f1tP>%gEK
zD3mkQiYI#a;<T4#e@`=<+<9p3>bP<pn6QI^wg*_G>2`T<dU{@;&q<M+mxzDWtuRrl
z07hRakt;^m>&p}64Rheh9txw8q_u(tUIEdQlt>KgK6J9H69Y}OXB>EpNw&*+f!gT#
z&|W7M)&7r8(W{5V0gWXRv(vdjmSDZOs}tqP?AtpI8^iRrbSx_z9-Xz~zNx10>@0ck
zUridQ6s60(m6&OQ8!H*G$9p`RH=FF9V{)rosOh*E=DJ;%hV8Furw$<u#XEk8f@VH(
zuNK7>SWoNna()a9ny#4_x;E{^3!eK_qTxGA($Etrtyj>Y7%kg(U~XO}T<qfFiz$n~
z9Qqe;<Qs1Ruc<5??-MRZ?q+eL2ysrO<CEDS{0}8j8M|GB`=x@-8$Z!Pb!aRrPta9?
zG5^z2s33b)dq;u}83v{E>t_d`KxNNPZWq3u{;31vHSCFcjr60<d!9kRPqXL68f>XZ
zCtN`b({fgr_@$bf)U1HozyN^E+}R(GDm?~{PBc-@?|S^e@+v`ENBqDszw#&;SHH-5
zx6aie9x)QC>0fetEGnY1Cb(Up+~X!PL&Z5}uiypz>v<PvakXK_Giq$rqKlX>uUd+1
zZE=0JupSt(xv8F->!Sb-R0TLcq3EC*8sGyx8XV2>uoB1C7VeI>Lij=v2Ff>s_2^p9
zQ=AvEl+`}f=;$f&g<mkVQ=J}f>RwMyQ*(x(!BGQV-O8!Ne8;X7f)%uaA$lslp7NnH
zBJVjTvp})<9N~)gOzAf=xt=!x6h=VIqc@z_+^}D)o(}5K^_KSyT+Fpmw3=}pH$Qc6
z9F%!QLR4JgL&bu;JS@Yaq9WKs{f@5)(F_#ZVw5;R;iMB(M{<A6w&<mzi8pE|Be_Z$
zwhf|-r(Y%h^!+4a{5<H}QOfeBVag%B`>OPj;mWG2w~d4WDxvzg@S`~36p?txv;?kz
z`cMY6lFTBq7WL6Au;QPJ#fIxEw*#pB!Hz1BWz9%j2%Lbnik`s&->2mKq$eGk6`2^L
z5=Ovu2K1k;s`}p|Xj_Lg&m!bWPk4srfh6Fj;l*mA)t6e6&AynvJD8oH7}81;y0Osj
z7goNGXQ2E5FbV+JHB|>rx@Smuc=((yG?)!l#s_FpWYS}>>plQooQnznfo0F2KsLz>
zK#AG{(!Wyma-)fZ0a2<LuCVlb;R`XQj+qP?UF+|kphy1G0OY2;ZP8jMUuxg9W};H@
z8E@o2m<Sw`jFe3lfTcLW0y7mPa@W###GX6n-UWyUdy_L|cUNXQ{AYxNX&#q>Lk1);
z%GjREaDyfh)F6aFwshQ@AWA_yf)K{k^&ry6aU&~sk_=Kvpz}gQ{~OS?J&#u5VxDt9
zkUMy2#LU-sJR(sJgs3__az$1e_D&%3@KIG7dHsN=woDrBr|rm6@fn$gz*{m(e`KQ9
z0*&Dd8*W$zJ9YhID);ZruCtVGTMv~zV;Jtw0U<d>jrJ&7zM-su(@tH*>m-hcC<-EH
znHv~lc{5b>s(rUA+W@#F`V=ipp<N9->Yw;mhG{1JA;6f-W`C61s{|>P=8l2%C-EPH
zP9^|NkB8TMvF-gTmtgBx-l84oPCAHfUqmhsl@BIto72wQIXuHlyEHzi`G?hL(Kr4W
zEtZJQ?g%zD5BVT|wx^!HdZUJ`BYY=!N1=$l7^)rJZtUnkh8I#FtceV7&7>+|QPHIz
zw51BdX0|{X5IT_kcI6D@#I1|nWNUd;L^Z0<x38GC3w(wVi)$t#KF)7d<u&`zkM3>e
z8Tq>Qs>R7|_^Su1^_rhPXXa5J!O)ZvfwJtE3elJgxxL^LulHjkPL0{C0!mzEmtbSx
z?7QxrwUWMGY#6j>Kx_L6D0Z1Lv+A6Cwdx;nldC*;y|=PeJ`h^h&c3qz)L?nD+%G=s
zeyUNxtaU5So2L-va`7chpfQOIW9&ov5GxoskYz<I`rL{8x}`4?e`8dA_fZN?zJPpw
zOv#>~4c)ak;l&#KGJPUV6l52h(R2+d9{Y0ERvVW}owN%1Vdi3K+nB7R%W%g%BD)Rz
z!Pd$dnF4nCkhK?^FQ;X)kb5=ictuo=MiS_~SPDxdgilrtRA!*x%tAWTco@yM)Mir1
zxN_WcAr<(Up>zX*$9aXS^<FY7SMy{Rslkyd0x3v%i=oB7dfnm$4dy{;GBmNiByVcR
zC{Gk{tE!&@mPy##dy02N_pk}s{-%HcaD&ja+xoZtt9zgP0IGCiI=$YXtdM%p7O0=t
zjGqBR@1F(hK7<y4RD+iN77DPBKaFE{1&|BAuCg&pIQ1%^C)71pe{GJP$Mjt0P%S#h
zh80)vYV2!<*xdPy-xb{ik|k0omxn4_q{$4AN4w-4eDog+?NpGNWSvEDeg@LScMg-B
zevyeBT#+^YOAvmKg7YkTTfmpo$R4PI-IH&TNc)Na61m|hH!xtW8?HhkCxF7!2*`M!
zzf!5}Mv_ZXab{DwKN_&`k$*L=#Cf+FgKGLQll%&ekAslHZq*eHo7In~4mwjy#<S83
zXuNe}Nxwz+Nyit*TtN}01;#aP4}aNDelhSTx}1Y=5z6FRguwniW6GV|?`DCmf2#$X
zgWDr^Y+R%~fYOyo*yK^n^(ony>hmS@nvLwE>6^>0mfHd&Jy`i`*QkmYh=oSQG}MYi
zvF7()7XqxVn{%W%n%CSa^_-^xv#qq5Kq0O!e6lQF_d2gQBgP*09K=qbl1|{W(($!B
z+nFDKbIz6&t4nf;x7p)qqw%@phmEUUOoCRsX~w&`+Hccfth%k~baDPJ^>D^W8&~7|
zL?h7@^%szc;zQN6J8K+a*5zI<bSncP)m<UQU81Eiwh%MpBG_0ELQ$Jt$9=Aqjh2^4
zA+7B#0Nr49n4WZC(w8&WRawSFolHdFq2!Vd_k)_eKqUI!d@RR1(RL_qPEnbCs)iu}
z@o(hT<kDC)(?sELJ9OpGISIzIt!y@x?nR268z<Uv8?O#2u&d43soHBed^~UNctpy1
zovyTdUU@TTjMu|fW+qwJeb0~WRS9)PS-VaCbLF}EOCZzM&oQ!^0|1&qf$<y#s)GD{
z&g-54;mbpKo->0&iusSi#M|Lxl@6mTXCNca?9bUXX*TgtwFI3jub&0I>9#;rdbTU&
zkjxn!876lysMdhBRUL=9UV!>z$LOL@t{w>?EQj;SXx^WVxUKX0>WoFXGF&GD6ICPF
zyGG(jvPpCB+mpPV69fvO#(qN&uymfDW^Vy7&8vX{1PrL4uuMj{(j3n~wi|yWRvZE7
zslEEK*$S&i1nCPVN>UxrgBB(O9_K>mN0A4OAO#HAJ<JBOy}N*maQwX$Zwg=(!I2B?
zIqv?{6o|19cEK1kT3gQUly`~FQp&|Wpjmzc)c@gLH}8WXPQeQoGkLyT1*X7590gN=
z&sY!L|JabTc)x<8kyiyh(*u+Hd|#1d1w`=pn<oHA6aeY(OvsuZc7g(F{CsC8EGxCg
zIcXNh6`&K}K{V%1KeXeN<FA3_;B91O)lZ(DyTJZfy-6_J=fFkoB}+w*%`qI9b)!4r
zelTD6P3+|_fIepv^f_^2E*Loq`}pe*P`>R?1HMp8p`4)};O>0}^o@WqZ@P~{WfNxt
zhl7%RqO4RcrfDZ}5B0Y|GQbBDFew<r1*706Vr<Q3^)IkXYv@Mvvt#l=9`RY6@Efl1
z(TMUkND<253ZgUacQtN^PCTlzxicK8>!9liI-6qv92G<zEj4HhBzS{v2136C%ddcF
z-r8LwY8f^G23-*4-tv86_tWporpG@eA!#9)+-n#%0p~{_8v<0hVVTtg(Jv?jQ@eB}
zXg>Cts`qj?&x76xYfl*T`xH8>t43mXC)YJ-CjC(pG=&$)UQ)EPse=60^DuGlB3oR@
z45k6-8+3fjp9FWRGMdk_?*bsk@(HlGymwF1s4{lf(uiA6a|dx7gXTWfQ~Wc$*sfSS
ztnr46)3QfHN&I##F0jJ05^ocrj{k`8dN2s(MzfJ9)!-;C0@@uNf{a<9EE9$1gKz*;
z*t^8$oSFB#=JO0&*6nq$>Z#X|$Z1&L7(}FNS#BK|s0rd?`okk;Sy=)Vs|n~=ol6``
zCbRAbeS^a*{z@ij!LgTt1AI=vBQib-5@rep{L>QT11hf7a=FbX@B%ds;APpAh1>$1
z&)_$8lL$=BEKkCIPB#|Wc=o9~!{-f=$3N#P(zdad_gkx4TbwJOFV94h!cQD>TZ%m|
zC#_6-6N-(AHAo_s<~bP>0zy5z2hE0#Pvnv$<kgxGBI~@BZvfI5%57u|3?6yT6}#x#
z71vkiQW|A+B+>v*b2Qa*T5g~P%2lnZW3((=l_zzSv^qTQkkE7s!M(zt1|rZ>j1bL(
zg&W}-wTUcR8G9?OpTB}+z33|>Zl8zxdk4AIR{(f1xcUSJins{SqzS(>P(Yi5ff2T+
zyO={q^qiWu!>G#L*_HT&zEutiH{dFf#P)44NP9$pS;318i%JF-fHzwS#~v-R_uqq|
zRGa-w3K$d~1N%nSG%SOjXM}THYp9Hxqw%85Wjx<BChvHO!|MZ;=&bu?W!NefW76wc
zZL-^=qgA|T<E+E7pJMp?(1pL{W^l3}CNlqH`7@Y?k^8J(G3`9KZakmaZE;TMxSfAA
zAn8YHg+XDjm~Yq@{%*|oa2pVwh}we}vs2-B(gE#-=LaCv3KkZ!NmoII8pJ1k#QI;t
z`UN)Mfs}<aa(_+qntzFB(-2F)Kf;rI3cyz2ur1y5XYB<ZY;A%7oie`~`46ow*}dUY
z{w%uD4-mFOK`_(`lXdM)xLYsCeOeFn!Q{O%Pfu#N-F?N<s<28<m2JkY++yVM;K#Bb
zD<<Q_W+ttL=qBUrv=7njuGdAbK^8AtE_{BpNm5o!npbW-AWzY&q(4?+ls={&Y%Dz<
z4IAav$|&-W2;5Hsd5TbR8cL5&bDjCkK+^!DXppBYu3dE_^NpJT_Q8uV)HocCu+gX4
ze^p$>AOXpG0gnQl!JjFJ&)a*zO8WnHlk%6CNiM7LMTB_azcp56^i6BoW%PcHSp>Nb
zcv=e2GgMx!9hIti4#E_YZLXI);vw9>RgQ`ysHYkpN@^T_2o7DC7wYL~(l6-ZZ|R~~
z5C~T{(f*~QQeT6VYehFXjP7q<76zDoF%r$Ve<VuyU810z&eRzHN)M4SGr_mA6ifc)
z4efsfJH8sl;{R7{$qc^5d~55EQtW?WK>p94j+o1p;rqJ)OM_Xs&L7cH<}%Yi-Vjau
z`$qH94d(UfG3a65!t?10=InIvfjEt;Lu;H|$1FU2|DH0!%IpIXTJVE%PU?;BiE95R
z<Pn#lq#>txtm3O8+%bC-@4o{evk(BtkbYmG@Lz^ZCS;T^=xhj{XOYA_6=iTok#xoA
z!+#a6)M1RMF?;S`>|Smrd=>ys(%)qSWR8JN@DvhK$iT8vO4rT5x5ZnG!l&N7KoyoM
z@q6+b@R$WE)g&@+_|Q^6=;%$0fn8Uz+x{o)^3PtG3{l*h)1n}vUcEY->PwU6o|n0!
zA4zBX)}CS_DuRogH;JB(nnJe`yDjrX%bLb_F#EgxML3y7?56;+OBv<j<^Vj1M)Pm-
zE(Q>DRk(i+;4Mapz!xp`&_MoffutV-0VA;A+5YlFpa~X&-YrA_d!b+l=>HQth{uvm
zdNg!snw1$79jz`W7h+M?&2S7dL1WywjLqj9^|yw}gk9}JA6Bq_MNq<q)vABpXeMEl
zl`J&_87)>+VBy4^0{@h-F@r!XrmJim!Tin?uHe>d&cYu@n`*32vhM!8G{qKB5HeN!
z*!AlOM&dRg<QxS(bU(F5V8{_unJ~bNtexfmQ&fHk{F_7}&;B%%&y(QWes<leus^m<
zO)#HTn4jOnJ844a24)>M+xLKRaso^?ntPld!w`;7z<AbM>ik%|#^?gZmwaDAj51dc
zK2qs93l-eKoGGbyJ-YdH8DvZm0(`d1&&VI@y$hib978b8!eRkDauhMY9YwW$(Rkd?
z&6{HxytHXX%u_GXr?01~<xcZ1aMl0uKLiI+Vc*mJ&&642jr4NwBt}uM2E}1L3}&YB
z$Cn^@96q8_VRj6y9UHdWaiKi4;9oRNy_QcAaeL*K>fu=%-3ZH3E7lnbB%sT6+@4fv
zaCaf&HNRtMWQ6{e8X1Ke>G#Vk0cnjmMZ}|LSX`&fK-zl(1{r^aN&+06slcFPWeBi{
z#srqEkcmh1^nS|9%Ia-o!T5Rvjz$?rz>3<s7{2tfKy?qyAXkH#>ggH>NIAdTaiK6U
z0J|AA+AKW{4Gf%LUN$&6V^J-f&&_2@;Wj0-nke(bz@z*^FB3HnyvlKXz#GZW$r+&u
zGiwK*4J;(<-j40G2b1)z!gCa+>s;)hTGgD4^z@~e5~0Dt`UGJ{IlIYfiVR+^^WWX^
zk&u7Be7;kM#WK8+DvV}P3vI_XqS`ZxPg5c|{=OhtdDWjRSZ&Z9krWfNy4rm!Z(_E_
zp?Cks$?m}7%A(WmY&CDK<2EPxgjSPI>1T&cRU+;C7fE5!(S~o$Cdv%uV?6NgJn#k}
zN^=`x2&X+O<eL_GQI3aZ$!njLJa6U1gSCNL-up~1ADfA^X*gf(FR_Uup^8z*A&nKH
z5sB9f;;(-#%_vf^6DU*;qz!t8O1S;C)K{azL>xfv7zo}N(WbD}xEwGPsh4-iL6*D1
z>9~!)+#y^rIQt>V$8O>_G&E$t(1O-G{+Wn~C=a;5GZV>^tk3ohUH2BzHY!$uu`<cr
z44xe_0TGlRym}<=RBT4EccmT!Er;_s3Dkc>-J2f*dzE&|r1eI^1h03D$bqo$cTZ^d
z#yFom163K%IW|u@=Y_d>VG&wno-~VQwQUww1&bOq49W<%Wvp{K=oou9TBJGNZQJP3
z7sq$+-aW;s&lb{k4)*8A7G_^d(uwEl-NqYg9X3~aoR(%`R<kgBsJP{0p|>hI^2zh&
zKXm3A9!j7i4(=@$PVbF_{>0Iw^`KoQmR+ul{fndTePm)Yu<DYv&>Aqc=ov4Q3EE|~
zwSB8NfbKC13QqOe(Q?Xx43?2iIo1CAym-+2_vuO*Px&WQvSf&Z3oauW6&lWRPgq68
z$MT1IV>uchUh2&9J?;8cJDAE)smFr02L0E9JuXg%-X)mhKR~LXQ?7rrx3|Yo#tq+l
zXR4J$dW4CeeDla3><h%z0<{_Qqvh_Ws2UCK{HE1h$&+P<&mmIn2{+l-GT;fo23Nva
z87@S7pVNWt<v{R(KY+r!MF#r*EMdfTHc>IovzJ`!v`xIG-t2fKq`f26M&z_U*nE3w
z^Q|Y2Eo#6vw9fNV0DP#%@ixpKGJl*F-&f<X`N~pq{_J3FiuNi)>f_|j5WpFh1~!5+
zQx*3F<WXN1mE0y$QqmY6u!IJES#X<5#67N^$Y^df|D`^ELTgVl4*Dd9)!<BO8E$`>
zPNQd^Z5?JMWIS|*i6Dj?+j(O+i#0{m{K4r`W5oL3v-OVkRvU09a%xLZc|fq_zNti7
zmYcd#$5k0x$fmEZxjJczAQ@_9JjLmSFL5p(-_WUZekdp?0~1zX9^kW_E^(}@6;Jku
z!{OUicr$x>;$sb^=BOnz$r`$TiRK!wEp#P4+Y%=8az~bgRfNn0Cv|5G^KG`!iEm;e
zdLw*))GK2D-4ANG9w_;m?weVkvw}|?jC0DHbe#fMmzS$d*WQ@rY|b7c&7@-KHn^9X
z$`U|Cm1l}F1fMy`sO6{}kRL)-uuc>EIUaoVLDVuD8gH+!*xh1&>U<u=kcAdpJvObU
zWV=}4SeB?I&D7IR@9tv%=?N8cF~tgr^A{wH5l#2!t0e@fO`|I0(JaaDKZvC%5_rF2
zQEBz-fBUD{-jRcrWKC{U$MLgjBaWL+i&Uzb>%aNY;W$j_?DZg==$^+Dk?Tg2$o08u
zm+PaiSB!jC)|M$dVq>nGw(!P7dgJu)owr(5)(cKk;WsRc+(GY&yfO~eE+@x1bpAl)
z2jY&pw#Btns!?CUWv*+({?S`Ui}S0?^Ru#RG&<2v#oF+DR1}?e<fwl&?+X!>s;<kE
zQZ^a30@^ddbw9IbHCgVTgwG6Z4;p5V4q@}f({(bGf<>`Q(%1Ij$rss~Z>4dQVFk%=
z$-#p!NH+Yov}+w5f)524t1rD%M7`u)lGn1wRW`KK<iFOraDh-9uF|&Q@rms4N1g=X
z1!b%2{;WW#uJ|oN%you81>r4<dYA-r4*(A(u`AVUf5onZmz%*yv@VBc`@VK1RnRH)
z$#i^?J=_w_`TEL3EV+)5%jipq0I1Aey@g_ibF~!dVmQtp?B=>t3B*`_MJyUgBzPJP
z*RA!g0mAk1VygEKGUoI8u}RnmK_@2N%QFJiPGpcvcnrwEIi>oYS6fRc-wch7H8pu4
zW0@fQM7T+rf+=!jUfXD59+N?DnHW~n70}#2U!mV|A%u)W>8p2wLMa4SyPw?pbJvkj
zB?7!Vb)y<h%*|Orun=x~^)6of12nc2Bfw(n^Vy<05lt5{i|TSbm+?OM?kkR1k`M0l
zO~`J`{y5~1XldW($i}yD(nIFL!^4xJq6}7=Q+VQyc+QuXm*?59^)*t-1tbGge%(6o
ze#;Q$no0I8j(yMzAvMSJ8s)Jn8~s|X8ELo1OMHj`g$7iMKSj_9T4@?{F6081%VYRl
z4^5yT+KW{?k2!-hDQ1lr0&LHQ#J0@L%*e-Qa$Ov#Z5m2f1x>YxmVv0Gm;_zLA~xHW
zvvsDFMcY%AnkkVY_UmDgrI1savAS*3i)LSpI<wLHnnZjK-&9ys72>T|K!qzmUg=BZ
zLms_b`q^ZNmdFgOrTxRi@k}C>NJ2jl`tK#YK|vd0f?6D`_PKP0(Zr})sb$GTpMq#^
zS<SZ?`%2L3O6X*3BGRyvIrjd`AVK@}CgS@lucZn%xMDeU`;Ruq`Gy!aC(UbAL+_UE
zJkpcPk(sKr8bBlr;JRFD6LzaEL_m985WQJP2Cn9munFDwJH<Ke$tq|oS)e0^uMMP1
zf81J!=iqf$ELyn@93I+#8_vRhA|(~M#ZAALFa)Zl^jOKnglWHT=Lb?rr=9820TAcb
z7u$nxk&sA%F2+XoS+>Y_Tv%M(9WoxXsKk$$f2uZ!ptL^jZjp8VrlzK=^${~EtQdX!
zdrO`5?Z`HwLXbpWi?TIC1MrBLMvwEDl`WnWUW<ekdIpC5;jHH~wjo`X3I&Lo<R}Co
z8&6BbHxP3M6ptA8F1#X=Am8^QzwXin8M5=3X9$&90KN|h0pYTKlM7X4U8w>N-wrk1
z7~#odS1H17&mNO?3-Cw4Ors(rCBfr;xbRYE<*C=2hCn3Un5lKT*Ai;5O=hYsyh``z
z@Y`sx>*2aM78cgMwGK2AI-EcK9})_Ucp5cs7Sa@0af>&;FCrpBE&6C7z*sI@Q=Jbr
zmqa1g2Bbpj(0V=o*1qAqygXKv5DXkLgG7vxr=oHR+zWt>p&t8I7?QvYFIY_mAayb8
z$^+T8&m6ix`**;ZeeXRB4@5#qe=7DwI`?QJ;IjM6m(0RK)`O@#M!8lH>YiCDSdT;V
zD&>l+3B{#AVtM&Sv++gPx%q|M_07j4Xduz^!M_K3bxCW*LHhc#^6!B#MN$sL8`j|s
zM0>rU_vV3I?LUV6O>n8_S&##HbZtI8{F5jm<A0AuYD;Jo8Uj`4Pd|PtgQVA|mSpnJ
zzpeg)9;tMdL!kow-!f_-^nP_f%t&_QSIUWa_rek@JnJPY`rWX={=ADpuHoMPzT;OI
zLA*EVqTv7Ur#1b0o<*K}mB^<ti{ira_T6lqbMI?!;v{mjzo+$o_Y0=aHS(6!F!k8d
S4O1lWBmG4FF;wF9+y4Sj35_iP

literal 0
HcmV?d00001

diff --git a/walkthroughs/howto-proxy/infra.yaml b/walkthroughs/howto-proxy/infra.yaml
new file mode 100644
index 00000000..72f9a16d
--- /dev/null
+++ b/walkthroughs/howto-proxy/infra.yaml
@@ -0,0 +1,289 @@
+Parameters:
+  ProjectName:
+    Type: String
+    Description: Project name to link stacks
+
+  VpcCIDR:
+    Description: Please enter the IP range (CIDR notation) for this VPC
+    Type: String
+    Default: 10.0.0.0/16
+
+  PublicSubnet1CIDR:
+    Description: Please enter the IP range (CIDR notation) for the public subnet in the first Availability Zone
+    Type: String
+    Default: 10.0.0.0/19
+
+  PublicSubnet2CIDR:
+    Description: Please enter the IP range (CIDR notation) for the public subnet in the second Availability Zone
+    Type: String
+    Default: 10.0.32.0/19
+
+  PrivateSubnet1CIDR:
+    Description: Please enter the IP range (CIDR notation) for the private subnet in the first Availability Zone
+    Type: String
+    Default: 10.0.64.0/19
+
+  PrivateSubnet2CIDR:
+    Description: Please enter the IP range (CIDR notation) for the private subnet in the second Availability Zone
+    Type: String
+    Default: 10.0.96.0/19
+
+Resources:
+  VPC:
+    Type: AWS::EC2::VPC
+    Properties:
+      CidrBlock: !Ref VpcCIDR
+      EnableDnsHostnames: true
+      Tags:
+        - Key: Name
+          Value: !Ref ProjectName
+
+  InternetGateway:
+    Type: AWS::EC2::InternetGateway
+    Properties:
+      Tags:
+        - Key: Name
+          Value: !Ref ProjectName
+
+  InternetGatewayAttachment:
+    Type: AWS::EC2::VPCGatewayAttachment
+    Properties:
+      InternetGatewayId: !Ref InternetGateway
+      VpcId: !Ref VPC
+
+  PublicSubnet1:
+    Type: AWS::EC2::Subnet
+    Properties:
+      VpcId: !Ref VPC
+      AvailabilityZone: !Select [ 0, !GetAZs '' ]
+      CidrBlock: !Ref PublicSubnet1CIDR
+      MapPublicIpOnLaunch: true
+      Tags:
+        - Key: Name
+          Value: !Sub '${ProjectName} Public Subnet (AZ1)'
+
+  PublicSubnet2:
+    Type: AWS::EC2::Subnet
+    Properties:
+      VpcId: !Ref VPC
+      AvailabilityZone: !Select [ 1, !GetAZs '' ]
+      CidrBlock: !Ref PublicSubnet2CIDR
+      MapPublicIpOnLaunch: true
+      Tags:
+        - Key: Name
+          Value: !Sub '${ProjectName} Public Subnet (AZ2)'
+
+  PrivateSubnet1:
+    Type: AWS::EC2::Subnet
+    Properties:
+      VpcId: !Ref VPC
+      AvailabilityZone: !Select [ 0, !GetAZs '' ]
+      CidrBlock: !Ref PrivateSubnet1CIDR
+      MapPublicIpOnLaunch: false
+      Tags:
+        - Key: Name
+          Value: !Sub '${ProjectName} Private Subnet (AZ1)'
+
+  PrivateSubnet2:
+    Type: AWS::EC2::Subnet
+    Properties:
+      VpcId: !Ref VPC
+      AvailabilityZone: !Select [ 1, !GetAZs '' ]
+      CidrBlock: !Ref PrivateSubnet2CIDR
+      MapPublicIpOnLaunch: false
+      Tags:
+        - Key: Name
+          Value: !Sub '${ProjectName} Private Subnet (AZ2)'
+
+  NatGateway1EIP:
+    Type: AWS::EC2::EIP
+    DependsOn: InternetGatewayAttachment
+    Properties:
+      Domain: vpc
+
+  NatGateway2EIP:
+    Type: AWS::EC2::EIP
+    DependsOn: InternetGatewayAttachment
+    Properties:
+      Domain: vpc
+
+  NatGateway1:
+    Type: AWS::EC2::NatGateway
+    Properties:
+      AllocationId: !GetAtt NatGateway1EIP.AllocationId
+      SubnetId: !Ref PublicSubnet1
+
+  NatGateway2:
+    Type: AWS::EC2::NatGateway
+    Properties:
+      AllocationId: !GetAtt NatGateway2EIP.AllocationId
+      SubnetId: !Ref PublicSubnet2
+
+  PublicRouteTable:
+    Type: AWS::EC2::RouteTable
+    Properties:
+      VpcId: !Ref VPC
+      Tags:
+        - Key: Name
+          Value: !Sub '${ProjectName} Public Routes'
+
+  DefaultPublicRoute:
+    Type: AWS::EC2::Route
+    DependsOn: InternetGatewayAttachment
+    Properties:
+      RouteTableId: !Ref PublicRouteTable
+      DestinationCidrBlock: 0.0.0.0/0
+      GatewayId: !Ref InternetGateway
+
+  PublicSubnet1RouteTableAssociation:
+    Type: AWS::EC2::SubnetRouteTableAssociation
+    Properties:
+      RouteTableId: !Ref PublicRouteTable
+      SubnetId: !Ref PublicSubnet1
+
+  PublicSubnet2RouteTableAssociation:
+    Type: AWS::EC2::SubnetRouteTableAssociation
+    Properties:
+      RouteTableId: !Ref PublicRouteTable
+      SubnetId: !Ref PublicSubnet2
+
+  PrivateRouteTable1:
+    Type: AWS::EC2::RouteTable
+    Properties:
+      VpcId: !Ref VPC
+      Tags:
+        - Key: Name
+          Value: !Sub '${ProjectName} Private Routes (AZ1)'
+
+  DefaultPrivateRoute1:
+    Type: AWS::EC2::Route
+    Properties:
+      RouteTableId: !Ref PrivateRouteTable1
+      DestinationCidrBlock: 0.0.0.0/0
+      NatGatewayId: !Ref NatGateway1
+
+  PrivateSubnet1RouteTableAssociation:
+    Type: AWS::EC2::SubnetRouteTableAssociation
+    Properties:
+      RouteTableId: !Ref PrivateRouteTable1
+      SubnetId: !Ref PrivateSubnet1
+
+  PrivateRouteTable2:
+    Type: AWS::EC2::RouteTable
+    Properties:
+      VpcId: !Ref VPC
+      Tags:
+        - Key: Name
+          Value: !Sub '${ProjectName} Private Routes (AZ2)'
+
+  DefaultPrivateRoute2:
+    Type: AWS::EC2::Route
+    Properties:
+      RouteTableId: !Ref PrivateRouteTable2
+      DestinationCidrBlock: 0.0.0.0/0
+      NatGatewayId: !Ref NatGateway2
+
+  PrivateSubnet2RouteTableAssociation:
+    Type: AWS::EC2::SubnetRouteTableAssociation
+    Properties:
+      RouteTableId: !Ref PrivateRouteTable2
+      SubnetId: !Ref PrivateSubnet2
+
+  Mesh:
+    Type: AWS::AppMesh::Mesh
+    Properties:
+      MeshName: !Ref ProjectName
+
+  ECSCluster:
+    Type: AWS::ECS::Cluster
+    Properties:
+      ClusterName: !Ref ProjectName
+
+  DnsNamespace:
+    Type: AWS::ServiceDiscovery::PrivateDnsNamespace
+    Properties:
+      Name: !Sub '${ProjectName}.pvt.local'
+      Vpc: !Ref VPC
+
+  DnsHostedZone:
+    Type: AWS::Route53::HostedZone
+    Properties:
+      Name: !Sub '${ProjectName}.hosted.local'
+      HostedZoneConfig:
+        Comment: Private hosted zone
+      VPCs:
+        - VPCId: !Ref VPC
+          VPCRegion: !Ref 'AWS::Region'
+
+Outputs:
+  VPC:
+    Description: A reference to the created VPC
+    Value: !Ref VPC
+    Export:
+      Name: !Sub '${ProjectName}:VPC'
+
+  PublicSubnet1:
+    Description: A reference to the public subnet in the 1st Availability Zone
+    Value: !Ref PublicSubnet1
+    Export:
+      Name: !Sub '${ProjectName}:PublicSubnet1'
+
+  PublicSubnet2:
+    Description: A reference to the public subnet in the 2nd Availability Zone
+    Value: !Ref PublicSubnet2
+    Export:
+      Name: !Sub '${ProjectName}:PublicSubnet2'
+
+  PrivateSubnet1:
+    Description: A reference to the private subnet in the 1st Availability Zone
+    Value: !Ref PrivateSubnet1
+    Export:
+      Name: !Sub '${ProjectName}:PrivateSubnet1'
+
+  PrivateSubnet2:
+    Description: A reference to the private subnet in the 2nd Availability Zone
+    Value: !Ref PrivateSubnet2
+    Export:
+      Name: !Sub '${ProjectName}:PrivateSubnet2'
+
+  VpcCIDR:
+    Description: VPC CIDR
+    Value: !Ref VpcCIDR
+    Export:
+      Name: !Sub '${ProjectName}:VpcCIDR'
+
+  Mesh:
+    Description: A reference to the App Mesh mesh
+    Value: !GetAtt Mesh.MeshName
+    Export:
+      Name: !Sub "${ProjectName}:Mesh"
+
+  Cluster:
+    Description: A reference to the ECS cluster
+    Value: !Ref ECSCluster
+    Export:
+      Name: !Sub "${ProjectName}:ECSCluster"
+
+  DnsNamespaceName:
+    Description: Dns Namespace
+    Value: !Sub '${ProjectName}.pvt.local'
+    Export:
+      Name: !Sub "${ProjectName}:DnsNamespaceName"
+
+  DnsNamespaceId:
+    Description: Dns Namespace
+    Value: !GetAtt DnsNamespace.Id
+    Export:
+      Name: !Sub "${ProjectName}:DnsNamespaceId"
+
+  DnsHostedZoneId:
+    Description: Dns Namespace
+    Value: !Ref DnsHostedZone
+    Export:
+      Name: !Sub "${ProjectName}:DnsHostedZoneId"
+
+  DnsHostedZoneName:
+    Description: Dns Namespace
+    Value: !Sub '${ProjectName}.hosted.local'
+    Export:
+      Name: !Sub "${ProjectName}:DnsHostedZoneName"
\ No newline at end of file

From 6cae37ded71e626a3fe7b45a3597fc9697f9ea9e Mon Sep 17 00:00:00 2001
From: James Douglas <102178210+awsjdgls@users.noreply.github.com>
Date: Tue, 20 Dec 2022 18:52:45 +0000
Subject: [PATCH 2/8] Drop backend v1 VN, VS, and task definition

---
 walkthroughs/howto-proxy/app.yaml | 105 ------------------------------
 1 file changed, 105 deletions(-)

diff --git a/walkthroughs/howto-proxy/app.yaml b/walkthroughs/howto-proxy/app.yaml
index ee0bf66a..b329216f 100644
--- a/walkthroughs/howto-proxy/app.yaml
+++ b/walkthroughs/howto-proxy/app.yaml
@@ -166,91 +166,6 @@ Resources:
       ListenerArn: !Ref BackendV1LoadBalancerListener
       Priority: 1
 
-  BackendV1TaskDef:
-    Type: AWS::ECS::TaskDefinition
-    Properties:
-      RequiresCompatibilities:
-        - 'FARGATE'
-      Family: 'blue'
-      NetworkMode: 'awsvpc'
-      Cpu: 256
-      Memory: 512
-      TaskRoleArn: !Ref TaskIamRole
-      ExecutionRoleArn: !Ref TaskExecutionIamRole
-      ContainerDefinitions:
-        - Name: 'app'
-          Image: !Ref ColorAppImage
-          Essential: true
-          DependsOn:
-            - ContainerName: 'xray'
-              Condition: 'START'
-          LogConfiguration:
-            LogDriver: 'awslogs'
-            Options:
-              awslogs-group: !Sub ${ProjectName}-log-group
-              awslogs-region: !Ref AWS::Region
-              awslogs-stream-prefix: 'backend-v1'
-          PortMappings:
-            - ContainerPort: !Ref ContainerPort
-              HostPort: !Ref ContainerPort
-              Protocol: 'tcp'
-          Environment:
-            - Name: COLOR
-              Value: 'blue'
-            - Name: PORT
-              Value: !Sub '${ContainerPort}'
-            - Name: XRAY_APP_NAME
-              Value:
-                Fn::Join:
-                  - ''
-                  -
-                    - Fn::ImportValue:
-                        !Sub '${ProjectName}:Mesh'
-                    - '/'
-                    - !GetAtt 'BackendV1VirtualNode.VirtualNodeName'
-        - Name: 'xray'
-          Image: "public.ecr.aws/xray/aws-xray-daemon"
-          Essential: true
-          User: '1337'
-          LogConfiguration:
-            LogDriver: 'awslogs'
-            Options:
-              awslogs-group: !Sub '${ProjectName}-log-group'
-              awslogs-region: !Ref AWS::Region
-              awslogs-stream-prefix: 'front'
-          PortMappings:
-            - ContainerPort: 2000
-              Protocol: 'udp'
-
-  BackendV1Service:
-    Type: AWS::ECS::Service
-    DependsOn:
-      - BackendV1LoadBalancerListener
-    Properties:
-      Cluster:
-        Fn::ImportValue:
-          !Sub "${ProjectName}:ECSCluster"
-      DeploymentConfiguration:
-        MaximumPercent: 200
-        MinimumHealthyPercent: 100
-      DesiredCount: 1
-      LaunchType: 'FARGATE'
-      LoadBalancers:
-        - ContainerName: app
-          ContainerPort: !Ref ContainerPort
-          TargetGroupArn: !Ref BackendV1TargetGroup
-      NetworkConfiguration:
-        AwsvpcConfiguration:
-          AssignPublicIp: DISABLED
-          SecurityGroups:
-            - !Ref TaskSecurityGroup
-          Subnets:
-            - Fn::ImportValue:
-                !Sub '${ProjectName}:PrivateSubnet1'
-            - Fn::ImportValue:
-                !Sub '${ProjectName}:PrivateSubnet2'
-      TaskDefinition: !Ref BackendV1TaskDef
-
   # Backend V2 with CloudMap service registry
   BackendV2ServiceRegistry:
     Type: AWS::ServiceDiscovery::Service
@@ -391,23 +306,6 @@ Resources:
                 !Sub '${ProjectName}:PrivateSubnet2'
       TaskDefinition: !Ref BackendV2TaskDef
 
-  # Backend exposed in mesh as virtual-service
-  BackendV1VirtualNode:
-    Type: AWS::AppMesh::VirtualNode
-    Properties:
-      MeshName:
-        Fn::ImportValue:
-          !Sub '${ProjectName}:Mesh'
-      VirtualNodeName: !Sub '${ProjectName}-backend-v1-node'
-      Spec:
-        Listeners:
-          - PortMapping:
-              Port: !Ref ContainerPort
-              Protocol: http
-        ServiceDiscovery:
-          DNS:
-            Hostname: !GetAtt BackendV1LoadBalancer.DNSName
-
   BackendV2VirtualNode:
     Type: AWS::AppMesh::VirtualNode
     Properties:
@@ -461,7 +359,6 @@ Resources:
     Type: AWS::AppMesh::Route
     DependsOn:
       - BackendVirtualRouter
-      - BackendV1VirtualNode
       - BackendV2VirtualNode
     Properties:
       MeshName:
@@ -475,8 +372,6 @@ Resources:
             Prefix: '/'
           Action:
             WeightedTargets:
-              - VirtualNode: !GetAtt BackendV1VirtualNode.VirtualNodeName
-                Weight: 0
               - VirtualNode: !GetAtt BackendV2VirtualNode.VirtualNodeName
                 Weight: 100
 

From 51ac4291d8d056d686482ddd61934625f5a4ff50 Mon Sep 17 00:00:00 2001
From: James Douglas <102178210+awsjdgls@users.noreply.github.com>
Date: Tue, 20 Dec 2022 18:58:12 +0000
Subject: [PATCH 3/8] Change backend from VR to VN

---
 walkthroughs/howto-proxy/app.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/walkthroughs/howto-proxy/app.yaml b/walkthroughs/howto-proxy/app.yaml
index b329216f..8c1bf5bf 100644
--- a/walkthroughs/howto-proxy/app.yaml
+++ b/walkthroughs/howto-proxy/app.yaml
@@ -339,8 +339,8 @@ Resources:
       VirtualServiceName: !Ref BackendRecordSet
       Spec:
         Provider:
-          VirtualRouter:
-            VirtualRouterName: !GetAtt BackendVirtualRouter.VirtualRouterName
+          VirtualNode:
+            VirtualNodeName: !GetAtt BackendV2VirtualNode.VirtualNodeName
 
   BackendVirtualRouter:
     Type: AWS::AppMesh::VirtualRouter

From b86a8fcb399d84d58b7792582581407d0a27bb48 Mon Sep 17 00:00:00 2001
From: James Douglas <102178210+awsjdgls@users.noreply.github.com>
Date: Tue, 20 Dec 2022 19:01:20 +0000
Subject: [PATCH 4/8] Drop backend VR and route

---
 walkthroughs/howto-proxy/app.yaml | 35 -------------------------------
 1 file changed, 35 deletions(-)

diff --git a/walkthroughs/howto-proxy/app.yaml b/walkthroughs/howto-proxy/app.yaml
index 8c1bf5bf..1fd03ae2 100644
--- a/walkthroughs/howto-proxy/app.yaml
+++ b/walkthroughs/howto-proxy/app.yaml
@@ -330,8 +330,6 @@ Resources:
 
   BackendVirtualService:
     Type: AWS::AppMesh::VirtualService
-    DependsOn:
-      - BackendVirtualRouter
     Properties:
       MeshName:
         Fn::ImportValue:
@@ -342,39 +340,6 @@ Resources:
           VirtualNode:
             VirtualNodeName: !GetAtt BackendV2VirtualNode.VirtualNodeName
 
-  BackendVirtualRouter:
-    Type: AWS::AppMesh::VirtualRouter
-    Properties:
-      MeshName:
-        Fn::ImportValue:
-          !Sub '${ProjectName}:Mesh'
-      VirtualRouterName: !Sub '${ProjectName}-backend-router'
-      Spec:
-        Listeners:
-          - PortMapping:
-              Port: !Ref ContainerPort
-              Protocol: http
-
-  BackendRoute:
-    Type: AWS::AppMesh::Route
-    DependsOn:
-      - BackendVirtualRouter
-      - BackendV2VirtualNode
-    Properties:
-      MeshName:
-        Fn::ImportValue:
-          !Sub '${ProjectName}:Mesh'
-      VirtualRouterName: !GetAtt BackendVirtualRouter.VirtualRouterName
-      RouteName: !Sub '${ProjectName}-backend-route'
-      Spec:
-        HttpRoute:
-          Match:
-            Prefix: '/'
-          Action:
-            WeightedTargets:
-              - VirtualNode: !GetAtt BackendV2VirtualNode.VirtualNodeName
-                Weight: 100
-
   # Frontend
   SecurityGroupIngressFromPublicALB:
     Type: AWS::EC2::SecurityGroupIngress

From 25e622c38b7c91e154c978678313ebf81d58d7d9 Mon Sep 17 00:00:00 2001
From: James Douglas <102178210+awsjdgls@users.noreply.github.com>
Date: Tue, 20 Dec 2022 20:02:13 +0000
Subject: [PATCH 5/8] Drop LB TG, listener, and rule

---
 walkthroughs/howto-proxy/app.yaml | 45 -------------------------------
 1 file changed, 45 deletions(-)

diff --git a/walkthroughs/howto-proxy/app.yaml b/walkthroughs/howto-proxy/app.yaml
index 1fd03ae2..bad058e1 100644
--- a/walkthroughs/howto-proxy/app.yaml
+++ b/walkthroughs/howto-proxy/app.yaml
@@ -121,51 +121,6 @@ Resources:
       SecurityGroups:
         - !Ref TaskSecurityGroup
 
-  BackendV1TargetGroup:
-    Type: AWS::ElasticLoadBalancingV2::TargetGroup
-    Properties:
-      HealthCheckIntervalSeconds: 60
-      HealthCheckPath: '/ping'
-      HealthCheckProtocol: HTTP
-      HealthCheckTimeoutSeconds: 5
-      HealthyThresholdCount: 2
-      TargetType: ip
-      Name: !Sub '${ProjectName}-backendtarget'
-      Port: !Ref ContainerPort
-      Protocol: HTTP
-      UnhealthyThresholdCount: 2
-      TargetGroupAttributes:
-        - Key: deregistration_delay.timeout_seconds
-          Value: 120
-      VpcId:
-        Fn::ImportValue:
-          !Sub "${ProjectName}:VPC"
-
-  BackendV1LoadBalancerListener:
-    DependsOn:
-      - BackendV1LoadBalancer
-    Type: AWS::ElasticLoadBalancingV2::Listener
-    Properties:
-      DefaultActions:
-        - TargetGroupArn: !Ref BackendV1TargetGroup
-          Type: 'forward'
-      LoadBalancerArn: !Ref BackendV1LoadBalancer
-      Port: !Ref ContainerPort
-      Protocol: HTTP
-
-  BackendV1LoadBalancerRule:
-    Type: AWS::ElasticLoadBalancingV2::ListenerRule
-    Properties:
-      Actions:
-        - TargetGroupArn: !Ref BackendV1TargetGroup
-          Type: 'forward'
-      Conditions:
-        - Field: path-pattern
-          Values:
-            - '*'
-      ListenerArn: !Ref BackendV1LoadBalancerListener
-      Priority: 1
-
   # Backend V2 with CloudMap service registry
   BackendV2ServiceRegistry:
     Type: AWS::ServiceDiscovery::Service

From 0e00b543d18cd59e824642d80f2033d3c5fe778c Mon Sep 17 00:00:00 2001
From: James Douglas <102178210+awsjdgls@users.noreply.github.com>
Date: Wed, 21 Dec 2022 17:17:45 +0000
Subject: [PATCH 6/8] Drop unused colornginx image

---
 walkthroughs/howto-proxy/colornginx/Dockerfile   |  5 -----
 walkthroughs/howto-proxy/colornginx/default.conf | 12 ------------
 2 files changed, 17 deletions(-)
 delete mode 100644 walkthroughs/howto-proxy/colornginx/Dockerfile
 delete mode 100644 walkthroughs/howto-proxy/colornginx/default.conf

diff --git a/walkthroughs/howto-proxy/colornginx/Dockerfile b/walkthroughs/howto-proxy/colornginx/Dockerfile
deleted file mode 100644
index 6f52e280..00000000
--- a/walkthroughs/howto-proxy/colornginx/Dockerfile
+++ /dev/null
@@ -1,5 +0,0 @@
-FROM nginx:latest
-
-EXPOSE 8081
-
-COPY default.conf /etc/nginx/conf.d/
diff --git a/walkthroughs/howto-proxy/colornginx/default.conf b/walkthroughs/howto-proxy/colornginx/default.conf
deleted file mode 100644
index a58e9028..00000000
--- a/walkthroughs/howto-proxy/colornginx/default.conf
+++ /dev/null
@@ -1,12 +0,0 @@
-server {
-  listen 8081;
-  server_name colornginx;
-
-  location /ping {
-    return 200 'Pong';
-  }
-
-  location / {
-    return 200 'colornginx';
-  }
-}

From d3bbc16b18cbeb21cef124600de93e12cd0a3fc9 Mon Sep 17 00:00:00 2001
From: James Douglas <102178210+awsjdgls@users.noreply.github.com>
Date: Wed, 21 Dec 2022 17:18:23 +0000
Subject: [PATCH 7/8] Clean up unneeded config

---
 walkthroughs/howto-proxy/colorproxy/default.conf | 6 ------
 1 file changed, 6 deletions(-)

diff --git a/walkthroughs/howto-proxy/colorproxy/default.conf b/walkthroughs/howto-proxy/colorproxy/default.conf
index e533f912..43fb151c 100644
--- a/walkthroughs/howto-proxy/colorproxy/default.conf
+++ b/walkthroughs/howto-proxy/colorproxy/default.conf
@@ -1,13 +1,7 @@
 server {
   listen 8080;
   server_name colorproxy;
-
-  location /ping {
-    return 200 'Pong';
-  }
-
   location / {
-    # proxy_pass http://localhost:8081;
     proxy_pass https://localhost:8443;
   }
 }

From 41ed8afd1655ddc92f6e3d5c830d4d97e5e52bd0 Mon Sep 17 00:00:00 2001
From: James Douglas <102178210+awsjdgls@users.noreply.github.com>
Date: Wed, 21 Dec 2022 17:28:35 +0000
Subject: [PATCH 8/8] Drop unused colorapp image

---
 walkthroughs/howto-proxy/app.yaml             |  4 ---
 walkthroughs/howto-proxy/colorapp/Dockerfile  | 17 -----------
 walkthroughs/howto-proxy/colorapp/app.py      | 29 -------------------
 walkthroughs/howto-proxy/colorapp/config.py   | 12 --------
 .../howto-proxy/colorapp/requirements.txt     |  3 --
 walkthroughs/howto-proxy/deploy.sh            |  6 ++--
 6 files changed, 3 insertions(+), 68 deletions(-)
 delete mode 100644 walkthroughs/howto-proxy/colorapp/Dockerfile
 delete mode 100755 walkthroughs/howto-proxy/colorapp/app.py
 delete mode 100644 walkthroughs/howto-proxy/colorapp/config.py
 delete mode 100644 walkthroughs/howto-proxy/colorapp/requirements.txt

diff --git a/walkthroughs/howto-proxy/app.yaml b/walkthroughs/howto-proxy/app.yaml
index bad058e1..d454b93b 100644
--- a/walkthroughs/howto-proxy/app.yaml
+++ b/walkthroughs/howto-proxy/app.yaml
@@ -16,10 +16,6 @@ Parameters:
     Type: String
     Description: Front app container image
 
-  ColorAppImage:
-    Type: String
-    Description: Color app container image
-
   ContainerPort:
     Type: Number
     Description: Port number to use for applications
diff --git a/walkthroughs/howto-proxy/colorapp/Dockerfile b/walkthroughs/howto-proxy/colorapp/Dockerfile
deleted file mode 100644
index e25684b5..00000000
--- a/walkthroughs/howto-proxy/colorapp/Dockerfile
+++ /dev/null
@@ -1,17 +0,0 @@
-FROM public.ecr.aws/amazonlinux/amazonlinux:2
-
-COPY requirements.txt ./
-
-RUN yum update -y && \
-    yum install -y python3 && \
-    pip3 install --no-cache-dir -r requirements.txt && \
-    yum clean all && \
-    rm -rf /var/cache/yum
-
-WORKDIR /usr/src/app
-
-COPY . .
-
-ENV PORT 8080
-
-CMD ["gunicorn", "app:app", "--config=config.py"]
\ No newline at end of file
diff --git a/walkthroughs/howto-proxy/colorapp/app.py b/walkthroughs/howto-proxy/colorapp/app.py
deleted file mode 100755
index e8ae3807..00000000
--- a/walkthroughs/howto-proxy/colorapp/app.py
+++ /dev/null
@@ -1,29 +0,0 @@
-import os
-import config
-from flask import Flask, request
-from aws_xray_sdk.core import patch_all, xray_recorder
-from aws_xray_sdk.ext.flask.middleware import XRayMiddleware
-
-app = Flask(__name__)
-
-xray_recorder.configure(
-    context_missing='LOG_ERROR',
-    service=config.XRAY_APP_NAME,
-)
-patch_all()
-
-XRayMiddleware(app, xray_recorder)
-
-@app.route('/ping')
-def ping():
-    return 'Pong'
-
-@app.route('/')
-def color():
-    print('----------------')
-    print(request.headers)
-    print('----------------')
-    return config.COLOR
-
-if __name__ == '__main__':
-    app.run(host='0.0.0.0', port=config.PORT, debug=config.DEBUG_MODE)
\ No newline at end of file
diff --git a/walkthroughs/howto-proxy/colorapp/config.py b/walkthroughs/howto-proxy/colorapp/config.py
deleted file mode 100644
index d8606440..00000000
--- a/walkthroughs/howto-proxy/colorapp/config.py
+++ /dev/null
@@ -1,12 +0,0 @@
-from os import environ as env
-import multiprocessing
-
-PORT = int(env.get("PORT", 8080))
-DEBUG_MODE = int(env.get("DEBUG_MODE", 0))
-XRAY_APP_NAME = env.get('XRAY_APP_NAME', 'feapp')
-COLOR = env.get('COLOR', 'n/a')
-
-# Gunicorn config
-bind = ":" + str(PORT)
-workers = multiprocessing.cpu_count() * 2 + 1
-threads = 2 * multiprocessing.cpu_count()
\ No newline at end of file
diff --git a/walkthroughs/howto-proxy/colorapp/requirements.txt b/walkthroughs/howto-proxy/colorapp/requirements.txt
deleted file mode 100644
index 47f05a04..00000000
--- a/walkthroughs/howto-proxy/colorapp/requirements.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-flask
-aws-xray-sdk
-gunicorn==19.9.0
diff --git a/walkthroughs/howto-proxy/deploy.sh b/walkthroughs/howto-proxy/deploy.sh
index 65c7d926..d60f8e7c 100755
--- a/walkthroughs/howto-proxy/deploy.sh
+++ b/walkthroughs/howto-proxy/deploy.sh
@@ -34,7 +34,7 @@ ecr_login() {
 
 deploy_images() {
     ecr_login
-    for app in colorproxy colorapp colorappssl feapp; do
+    for app in colorproxy colorappssl feapp; do
         aws ecr describe-repositories --repository-name $PROJECT_NAME/$app >/dev/null 2>&1 || aws ecr create-repository --repository-name $PROJECT_NAME/$app >/dev/null
         docker build -t ${ECR_IMAGE_PREFIX}/${app} ${DIR}/${app}
         docker push ${ECR_IMAGE_PREFIX}/${app}
@@ -57,7 +57,7 @@ deploy_app() {
         --stack-name "${PROJECT_NAME}-app" \
         --template-file "${DIR}/app.yaml" \
         --capabilities CAPABILITY_IAM \
-        --parameter-overrides "ProjectName=${PROJECT_NAME}" "EnvoyImage=${ENVOY_IMAGE}" "ColorAppSslImage=${ECR_IMAGE_PREFIX}/colorappssl" "ColorAppImage=${ECR_IMAGE_PREFIX}/colorapp" "ColorProxyImage=${ECR_IMAGE_PREFIX}/colorproxy" "FrontAppImage=${ECR_IMAGE_PREFIX}/feapp"
+        --parameter-overrides "ProjectName=${PROJECT_NAME}" "EnvoyImage=${ENVOY_IMAGE}" "ColorAppSslImage=${ECR_IMAGE_PREFIX}/colorappssl" "ColorProxyImage=${ECR_IMAGE_PREFIX}/colorproxy" "FrontAppImage=${ECR_IMAGE_PREFIX}/feapp"
 }
 
 delete_cfn_stack() {
@@ -101,7 +101,7 @@ deploy_resources() {
 }
 
 delete_images() {
-    for app in colorproxy colorapp colorappssl feapp; do
+    for app in colorproxy colorappssl feapp; do
         echo "deleting repository..."
         aws ecr delete-repository \
            --repository-name $PROJECT_NAME/$app \