From d6b402dd60bcde1777c2e9dfb17b15da101d28fe Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Wed, 14 Aug 2024 20:34:12 +0400 Subject: [PATCH 01/15] feat: Add auditPrivateSubnet option to ESLZ portal ARM template --- eslzArm/eslz-portal.json | 21 +++++++ .../AUDIT-SubnetPrivatePolicyAssignment.json | 57 +++++++++++++++++++ 2 files changed, 78 insertions(+) create mode 100644 eslzArm/managementGroupTemplates/policyAssignments/AUDIT-SubnetPrivatePolicyAssignment.json diff --git a/eslzArm/eslz-portal.json b/eslzArm/eslz-portal.json index 5554a53771..173721b328 100644 --- a/eslzArm/eslz-portal.json +++ b/eslzArm/eslz-portal.json @@ -270,6 +270,26 @@ ] } }, + { + "name": "auditPrivateSubnet", + "type": "Microsoft.Common.OptionsGroup", + "label": "Audit virtual networks for private subnets", + "defaultValue": "Yes (recommended)", + "visible": true, + "toolTip": "If 'Yes' is selected then Azure Policy will audit whether virtual network subnets are private.
Ensure your subnets are secure by default by preventing default outbound access. For more information go to https://aka.ms/defaultoutboundaccessretirement.
Uses the policy Subnets should be private.", + "constraints": { + "allowedValues": [ + { + "label": "Yes (recommended)", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ] + } + }, { "name": "cuaSection", "type": "Microsoft.Common.Section", @@ -8920,6 +8940,7 @@ "singlePlatformSubscriptionId": "[steps('core').singleSubscription.selector]", "denyClassicResources": "[steps('core').denyClassicResources]", "denyVMUnmanagedDisk": "[steps('core').denyVMUnmanagedDisk]", + "auditPrivateSubnet": "[steps('core').auditPrivateSubnet]", "telemetryOptOut": "[steps('core').cuaSection.telemetryOptOut]", "enforceKvGuardrailsPlat": "[steps('management').esPlatformMgmtGroup.enforceKvGuardrailsPlat]", "enforceBackupPlat": "[steps('management').esPlatformMgmtGroup.enforceBackupPlat]", diff --git a/eslzArm/managementGroupTemplates/policyAssignments/AUDIT-SubnetPrivatePolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/AUDIT-SubnetPrivatePolicyAssignment.json new file mode 100644 index 0000000000..fabdc9013e --- /dev/null +++ b/eslzArm/managementGroupTemplates/policyAssignments/AUDIT-SubnetPrivatePolicyAssignment.json @@ -0,0 +1,57 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "enforcementMode": { + "type": "string", + "allowedValues": [ + "Default", + "DoNotEnforce" + ], + "defaultValue": "Default" + }, + "nonComplianceMessagePlaceholder": { + "type": "string", + "defaultValue": "{enforcementMode}" + } + }, + "variables": { + "policyDefinitions": { + "privateSubnet": "/providers/Microsoft.Authorization/policyDefinitions/7bca8353-aa3b-429b-904a-9229c4385837" + }, + "policyAssignmentNames": { + "privateSubnet": "Audit-Subnet-private", + "description": "Ensure your subnets are secure by default by preventing default outbound access. For more information go to https://aka.ms/defaultoutboundaccessretirement", + "displayName": "Subnets should be private" + }, + "nonComplianceMessage": { + "message": "Subnets should be private {enforcementMode} be enabled.", + "Default": "must", + "DoNotEnforce": "should" + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2022-06-01", + "name": "[variables('policyAssignmentNames').privateSubnet]", + "properties": { + "description": "[variables('policyAssignmentNames').description]", + "displayName": "[variables('policyAssignmentNames').displayName]", + "policyDefinitionId": "[variables('policyDefinitions').privateSubnet]", + "enforcementMode": "[parameters('enforcementMode')]", + "nonComplianceMessages": [ + { + "message": "[replace(variables('nonComplianceMessage').message, parameters('nonComplianceMessagePlaceholder'), variables('nonComplianceMessage')[parameters('enforcementMode')])]" + } + ], + "parameters": { + "effect": { + "value": "Audit" + } + } + } + } + ], + "outputs": {} +} \ No newline at end of file From 9ad96d9a7a258c97d627bc2c8b878bbce657187d Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Wed, 14 Aug 2024 20:37:41 +0400 Subject: [PATCH 02/15] feat: Update auditPrivateSubnet label in ESLZ portal ARM template --- eslzArm/eslz-portal.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/eslzArm/eslz-portal.json b/eslzArm/eslz-portal.json index 173721b328..787f5fb017 100644 --- a/eslzArm/eslz-portal.json +++ b/eslzArm/eslz-portal.json @@ -273,10 +273,10 @@ { "name": "auditPrivateSubnet", "type": "Microsoft.Common.OptionsGroup", - "label": "Audit virtual networks for private subnets", + "label": "*New*Audit virtual networks for private subnets", "defaultValue": "Yes (recommended)", "visible": true, - "toolTip": "If 'Yes' is selected then Azure Policy will audit whether virtual network subnets are private.
Ensure your subnets are secure by default by preventing default outbound access. For more information go to https://aka.ms/defaultoutboundaccessretirement.
Uses the policy Subnets should be private.", + "toolTip": "If 'Yes' is selected then Azure Policy will audit whether virtual network subnets are private.
Ensure your subnets are secure by default by preventing default outbound access. For more information go to https://aka.ms/defaultoutboundaccessretirement.
Uses the policy Subnets should be private.", "constraints": { "allowedValues": [ { From b0205abd130491cf7ef77b0bc81d0436f2748ea5 Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Wed, 14 Aug 2024 20:39:19 +0400 Subject: [PATCH 03/15] . --- eslzArm/eslz-portal.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/eslzArm/eslz-portal.json b/eslzArm/eslz-portal.json index 787f5fb017..93be2f8b78 100644 --- a/eslzArm/eslz-portal.json +++ b/eslzArm/eslz-portal.json @@ -273,7 +273,7 @@ { "name": "auditPrivateSubnet", "type": "Microsoft.Common.OptionsGroup", - "label": "*New*Audit virtual networks for private subnets", + "label": "*New* Audit virtual networks for private subnets", "defaultValue": "Yes (recommended)", "visible": true, "toolTip": "If 'Yes' is selected then Azure Policy will audit whether virtual network subnets are private.
Ensure your subnets are secure by default by preventing default outbound access. For more information go to https://aka.ms/defaultoutboundaccessretirement.
Uses the policy Subnets should be private.", From 678d5e7ba84f9379b1a8d52009f85a0f37870ca3 Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Thu, 15 Aug 2024 13:34:14 +0400 Subject: [PATCH 04/15] feat: Update auditPrivateSubnet label to enablePrivateSubnet in ESLZ portal ARM template --- eslzArm/eslz-portal.json | 6 +- eslzArm/eslzArm.json | 56 +++++++++++++++++++ ...NFORCE-SubnetPrivatePolicyAssignment.json} | 4 +- 3 files changed, 61 insertions(+), 5 deletions(-) rename eslzArm/managementGroupTemplates/policyAssignments/{AUDIT-SubnetPrivatePolicyAssignment.json => ENFORCE-SubnetPrivatePolicyAssignment.json} (94%) diff --git a/eslzArm/eslz-portal.json b/eslzArm/eslz-portal.json index 93be2f8b78..9a1ab2304f 100644 --- a/eslzArm/eslz-portal.json +++ b/eslzArm/eslz-portal.json @@ -271,9 +271,9 @@ } }, { - "name": "auditPrivateSubnet", + "name": "enablePrivateSubnet", "type": "Microsoft.Common.OptionsGroup", - "label": "*New* Audit virtual networks for private subnets", + "label": "*New* Audit virtual networks using private subnets", "defaultValue": "Yes (recommended)", "visible": true, "toolTip": "If 'Yes' is selected then Azure Policy will audit whether virtual network subnets are private.
Ensure your subnets are secure by default by preventing default outbound access. For more information go to https://aka.ms/defaultoutboundaccessretirement.
Uses the policy Subnets should be private.", @@ -8940,7 +8940,7 @@ "singlePlatformSubscriptionId": "[steps('core').singleSubscription.selector]", "denyClassicResources": "[steps('core').denyClassicResources]", "denyVMUnmanagedDisk": "[steps('core').denyVMUnmanagedDisk]", - "auditPrivateSubnet": "[steps('core').auditPrivateSubnet]", + "enablePrivateSubnet": "[steps('core').enablePrivateSubnet]", "telemetryOptOut": "[steps('core').cuaSection.telemetryOptOut]", "enforceKvGuardrailsPlat": "[steps('management').esPlatformMgmtGroup.enforceKvGuardrailsPlat]", "enforceBackupPlat": "[steps('management').esPlatformMgmtGroup.enforceBackupPlat]", diff --git a/eslzArm/eslzArm.json b/eslzArm/eslzArm.json index 29f595d609..7d16fbd37f 100644 --- a/eslzArm/eslzArm.json +++ b/eslzArm/eslzArm.json @@ -14,6 +14,14 @@ "defaultValue": "", "maxLength": 36 }, + "enablePrivateSubnet": { + "type": "string", + "defaultValue": "No", + "allowedValues": [ + "Yes", + "No" + ] + }, "telemetryOptOut": { "type": "string", "defaultValue": "No", @@ -1639,6 +1647,7 @@ "resourceRgLocationPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/AUDIT-ResourceRGLocationPolicyAssignment.json')]", "VMUnmanagedDiskPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DENY-VMUnmanagedDiskPolicyAssignment.json')]", "diagnosticSettingsforManagementGroups": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/diagSettingsMGs/diagSettingsMGs.json')]", + "privateSubnetPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/ENFORCE-SubnetPrivatePolicyAssignment.json')]", // references to https://github.com/Azure/azure-monitor-baseline-alerts "monitorPolicyDefinitions": "[uri(variables('rootUris').monitorRepo, 'patterns/alz/alzArm.json')]", "azureUpdateManagerPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/MODIFY-AUM-CheckUpdatesPolicyAssignment.json')]", @@ -1770,6 +1779,7 @@ "mdEndpointsDeploymentName": "[take(concat('alz-MDEndpoints', variables('deploymentSuffix')), 64)]", "mdEndpointsAMADeploymentName": "[take(concat('alz-MDEndpointsAMA', variables('deploymentSuffix')), 64)]", "corpConnectedLzVwanSubs": "[take(concat('alz-CorpConnLzsVwan', variables('deploymentSuffix')), 50)]", + "privateSubnetDeploymentName": "[take(concat('alz-pvtSubnet', variables('deploymentSuffix')), 64)]", "pidCuaDeploymentName": "[take(concat('pid-', variables('cuaid'), '-' , uniqueString(deployment().location, parameters('enterpriseScaleCompanyPrefix'), parameters('currentDateTimeUtcNow'))), 64)]", "denyClassicResourcePolicyDeploymentName": "[take(concat('alz-NoClassicResource', variables('deploymentSuffix')), 64)]", "costOptimizationDeploymentName": "[take(concat('alz-CostOptimization', variables('deploymentSuffix')), 64)]", @@ -6426,6 +6436,52 @@ } } }, + { + "condition": "[equals(parameters('enablePrivateSubnet'), 'Yes')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "[variables('deploymentNames').privateSubnetDeploymentName]", + "scope": "[variables('scopes').platformManagementGroup]", + "location": "[deployment().location]", + "dependsOn": [ + "policyCompletion" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').privateSubnetPolicyAssignment]" + }, + "parameters": { + "enforcementMode": { + "value": "[if(equals(parameters('enablePrivateSubnet'), 'Yes'), 'Default', 'DoNotEnforce')]" + } + } + } + }, + { + "condition": "[equals(parameters('enablePrivateSubnet'), 'Yes')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "[variables('deploymentNames').privateSubnetDeploymentName]", + "scope": "[variables('scopes').lzsManagementGroup]", + "location": "[deployment().location]", + "dependsOn": [ + "policyCompletion" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').privateSubnetPolicyAssignment]" + }, + "parameters": { + "enforcementMode": { + "value": "[if(equals(parameters('enablePrivateSubnet'), 'Yes'), 'Default', 'DoNotEnforce')]" + } + } + } + }, { // Assigning deny storage without https policy to landing zones management group if condition is true "condition": "[or(equals(parameters('enableStorageHttps'), 'Yes'), equals(parameters('enableStorageHttps'), 'Audit'))]", diff --git a/eslzArm/managementGroupTemplates/policyAssignments/AUDIT-SubnetPrivatePolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-SubnetPrivatePolicyAssignment.json similarity index 94% rename from eslzArm/managementGroupTemplates/policyAssignments/AUDIT-SubnetPrivatePolicyAssignment.json rename to eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-SubnetPrivatePolicyAssignment.json index fabdc9013e..9d33bae489 100644 --- a/eslzArm/managementGroupTemplates/policyAssignments/AUDIT-SubnetPrivatePolicyAssignment.json +++ b/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-SubnetPrivatePolicyAssignment.json @@ -20,12 +20,12 @@ "privateSubnet": "/providers/Microsoft.Authorization/policyDefinitions/7bca8353-aa3b-429b-904a-9229c4385837" }, "policyAssignmentNames": { - "privateSubnet": "Audit-Subnet-private", + "privateSubnet": "Enforce-Subnet-private", "description": "Ensure your subnets are secure by default by preventing default outbound access. For more information go to https://aka.ms/defaultoutboundaccessretirement", "displayName": "Subnets should be private" }, "nonComplianceMessage": { - "message": "Subnets should be private {enforcementMode} be enabled.", + "message": "Subnets {enforcementMode} be private.", "Default": "must", "DoNotEnforce": "should" } From 836da012b6af4908a7e59ec4f4c32a4cf0fd12ba Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Thu, 15 Aug 2024 14:08:15 +0400 Subject: [PATCH 05/15] feat: Add Subnets should be private policy definition --- docs/wiki/ALZ-Policies.md | 6 ++++-- docs/wiki/Whats-new.md | 1 + .../wiki/media/ALZ Policy Assignments v2.xlsx | Bin 53524 -> 53834 bytes 3 files changed, 5 insertions(+), 2 deletions(-) diff --git a/docs/wiki/ALZ-Policies.md b/docs/wiki/ALZ-Policies.md index 70c76a24c0..d4dfb669c5 100644 --- a/docs/wiki/ALZ-Policies.md +++ b/docs/wiki/ALZ-Policies.md @@ -107,7 +107,7 @@ This management group contains all the platform child management groups, like ma | **Policy Type** | **Count** | | :--- | :---: | | `Policy Definition Sets` | **10** | -| `Policy Definitions` | **0** | +| `Policy Definitions` | **2** | | Assignment Name | Definition Name | Policy Type | Description | Effect(s) | @@ -123,6 +123,7 @@ This management group contains all the platform child management groups, like ma | **Enable ChangeTracking and Inventory for Arc-enabled virtual machines**\* | **[Preview]: Enable ChangeTracking and Inventory for Arc-enabled virtual machines** | `Policy Definition Set`, **Built-in** | This policy initiative enables ChangeTracking and Inventory for Arc-enabled servers. It uses a Data Collection Rule to define what data to collect and where to send it, and a user-assigned identity to authenticate the Azure Monitor Agent. | DeployIfNotExists, Disabled | | **Enable Defender for SQL on SQL VMs and Arc-enabled SQL Servers**\* | **Configure SQL VMs and Arc-enabled SQL Servers to install Microsoft Defender for SQL and AMA with a user-defined LA workspace** | `Policy Definition Set`, **Built-in** | This policy initiative enables Microsoft Defender for SQL and AMA on SQL VMs and Arc-enabled SQL Servers. | DeployIfNotExists, Disabled | | **Do not allow deletion of the User Assigned Managed Identity used by AMA**\*| **Do not allow deletion of specified resource and resource type** | `Policy Definition`, **Custom** | This policy provides a safeguard against accidental removal of the User Assigned Managed Identity used by AMA by blocking delete calls using deny action effect. | DenyAction | +| **Subnets should be private** | **Subnets should be private** | `Policy Definition`, **Built-in** | Ensure your subnets are secure by default by preventing default outbound access. For more information go to https://aka.ms/defaultoutboundaccessretirement | Audit, Deny | > \* The AMA policies and initiatives are in effect for the portal implementation only. Terraform and Bicep will adopt these policies in the near future. @@ -224,7 +225,7 @@ This is the parent management group for all the landing zone child management gr | **Policy Type** | **Count** | | :--- | :---: | | `Policy Definition Sets` | **13** | -| `Policy Definitions` | **14** | +| `Policy Definitions` | **15** | The table below provides the specific **Custom** and **Built-in** **policy definitions** and **policy definitions sets** assigned at the **Landing Zones Management Group**. @@ -257,6 +258,7 @@ The table below provides the specific **Custom** and **Built-in** **policy defin | **Enable ChangeTracking and Inventory for virtual machine scale sets**\* | **[Preview]: Enable ChangeTracking and Inventory for virtual machine scale sets** | `Policy Definition Set`, **Built-in** | This policy initiative enables ChangeTracking and Inventory for virtual machines scale sets. It uses a Data Collection Rule to define what data to collect and where to send it, and a user-assigned identity to authenticate the Azure Monitor Agent. | DeployIfNotExists, Disabled | | **Enable ChangeTracking and Inventory for Arc-enabled virtual machines**\* | **[Preview]: Enable ChangeTracking and Inventory for Arc-enabled virtual machines** | `Policy Definition Set`, **Built-in** | This policy initiative enables ChangeTracking and Inventory for Arc-enabled servers. It uses a Data Collection Rule to define what data to collect and where to send it, and a user-assigned identity to authenticate the Azure Monitor Agent. | DeployIfNotExists, Disabled | | **Enable Defender for SQL on SQL VMs and Arc-enabled SQL Servers**\* | **Configure SQL VMs and Arc-enabled SQL Servers to install Microsoft Defender for SQL and AMA with a user-defined LA workspace** | `Policy Definition Set`, **Built-in** | This policy initiative enables Microsoft Defender for SQL and AMA on SQL VMs and Arc-enabled SQL Servers. | DeployIfNotExists, Disabled | +| **Subnets should be private** | **Subnets should be private** | `Policy Definition`, **Built-in** | Ensure your subnets are secure by default by preventing default outbound access. For more information go to https://aka.ms/defaultoutboundaccessretirement | Audit, Deny | > \* The AMA policies and initiatives are in effect for the portal implementation only. Terraform and Bicep will adopt these policies in the near future. diff --git a/docs/wiki/Whats-new.md b/docs/wiki/Whats-new.md index e9a0746f66..7771751d39 100644 --- a/docs/wiki/Whats-new.md +++ b/docs/wiki/Whats-new.md @@ -51,6 +51,7 @@ Here's what's changed in Enterprise Scale/Azure Landing Zones: - Updated the initiative [Deploy-MDFC-Config_20240319](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Deploy-MDFC-Config_20240319.html) to the the newer version of DCSPM: [Configure Microsoft Defender CSPM plan](https://www.azadvertizer.net/azpolicyadvertizer/72f8cee7-2937-403d-84a1-a4e3e57f3c21.html) - Updated [Deploy-Private-DNS-Generic](https://www.azadvertizer.net/azpolicyadvertizer/Deploy-Private-DNS-Generic.html) policy to include the ability to configure the location/region. - Removed duplicate assignment and portal option of [Deploy Azure Policy Add-on to Azure Kubernetes Service clusters](https://www.azadvertizer.net/azpolicyadvertizer/a8eff44f-8c92-45c3-a3fb-9880802d67a7.html) at Landing Zones scope, as this policy is assigned in the initiative [Deploy Microsoft Defender for Cloud configuration](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Deploy-MDFC-Config_20240319.html) at Intermediate Root scope. +- Added new built-in policy assignment and portal option for [Subnets should be private](https://www.azadvertizer.net/azpolicyadvertizer/7bca8353-aa3b-429b-904a-9229c4385837.html) assigned at Platform and Landing Zones management groups. This policy's assignment effect is fixed to "Audit" in this release, giving the community time to adopt the good practice and address subnet compliance. We will enable the "Deny" effect as part of the next Policy Refresh. ### June 2024 diff --git a/docs/wiki/media/ALZ Policy Assignments v2.xlsx b/docs/wiki/media/ALZ Policy Assignments v2.xlsx index 8211ba8e23fd0664790d486cb5d25fed68730ceb..6a85fda88bb91b5e75c419cf24abd01196e6ac3f 100644 GIT binary patch delta 20046 zcmX6@Q*F2wutY#x$6YC`55w}WK3mCE=1yRJeNCad{E|$1eN+nS z&yU#5fopd~8GQ>LOX`!eX^G=pn4V9UX47})q2)ptu;Sx0MEZ(e4oP4;88l95B?Wcm z1U^e`FgcJ_au9xMAP`Mwzr@ay74Xv`qqSJV!=jQ0|hQZVG-nfT(E4ZTXw$z~g zF3ia_mxhPFm8`@4=J@K+ic@xGjbayr@wzx?DeBQzAKXwoNkhf!ADsGgM4A^4(~s`1 zwaIsB{a`kvhY8mh@&MCfsB-(VugXfB^Vz_F@Fw^dUs>LOO>iK*D38;iHOSI5>Of5I zwzEdM@1C1sI<*15JT1*oi|AEN=6JvwsgWlNnyp$rE75vLjm=c&ku_qi7T zGf2$&H-@>G8o}=5-5L})kff1;NWQx7PSOoNxphcc1-DFywQ}td0wXr-4R8S74!oJA zyFYiZl5obuuLk1k4Y7&}_Dgpy<9paoD~E28;cddJg{HdH(YFO&o-r>x8J{53tYMo& z%V%6zb!um(=3hE8U#xOt*8*DfB)XQbJ3Kfd1!yDQ%Ph<< zRe#%Kl`VQ!RTh6i`@O@{1)4D?ez%5sIt<_oF*28tZ0Zs2e3vI|$SRrErGxrOmt2Z) zK@{D+dPxFTW(ofRm95+m1yZ$V%O*9B;blXq#cI1UZfnw9J2y91 zl24$w1OfFgqPg%pjE;Ud`{b%DUZAIVg+i-_f)l%M9HM1)=Og`IgeC1sYzo~UMy1_> zM^N$?7PUOw^u7`zB6jyuuiw})c$++V(&u>mSSu#i0q`y<*?BCYn|Mjk-8diOiO z!X0vx-;poKB#WhET(8se-@oS{fJt(TM(h-jG|tuT5f~=%7~)D6F3WqEe}BI7{KR;% z_^=N=!1$)$<|&A>z_~KvKzlSfAmvt5$(<&_5I5NZY`h^Tm>!MKOkAVnjuA52&?jzt z0#J9i^~lF;5E&vDUO#{Am}B^NMSR)CvVL*qEA}lmrIfFXnO~zOf?%;5ju0In5VGom z9lRmIz;0j?jZnydim_{CXrWihucT<6gl7B;wu3ssDBU#8Q-cuTr&R$2F}+alwLy2>B%1b9QjNX(hKFq`rQMYDN`B0BOnydos4!~aj2h{h|Gj6=8T)g7rbGv5{dZPfeL+=eg+_O2MLo$9+F&LLyRz(S zcdD?V~_ppgaLyg>(juqwiZ1VH45ll|4w#p^^*Ut-o4$+*t$|;?4oA~@7)?TX;cQ#vm0JMQGgoU=3VR*<{u0Nx4ibffE=kP0<`S}Eb7@jHunM1f zFW*vUcK#-pO2+5w34A1>VNF;viwGAjr#INvOzz2*mwIf2|Ahyit=07kt3h_du8$U| z$e1puMN~}zg9?k%d-+CUq8q9?2GsrDw8wmdp3uI$5Js zi%CedIAvLSCi>FFPaL~CF4@;yY*2PvI&ncGjwu{-;*~I9h4)tAK^mg(sLQxeT3cvO zRr+E=j}+Dbmhw@yIQAXh@A;l#CC54(u-4IjwoG;7oF>Jzwk)3Mkk;P<13Z7K*vpwm zH!dUsw^0rcCzYg%Vr@$Thj&6M3yQqw!`@y-&wGR-%HcYppd|ZCo`*v5=S(8X7h)kt zkY7- z?IPDpop`HPg*!5J`7`$~#3AhAU9ZSXij7vvP})Te9~Gvv!QVgM9JjhZ=#2dRUYd+sV~@V~;A)En`0=)P`q9xN+zou<42Pv{ z&*0&iU6OD%EsIcAs6p8Y) z986bQ%x480qEi^1p##eKu%y!F2PPIzmVQqSylYr)j90xQcympQi+(pGRC8*w`MdPc z{sTJunEO@~rML3O`?smIz<^2%VQWU#cH)=I*f=@rU{*jzE=`e|6Xk@rsRN^o=i7Tn z6;`Jk4)C9@KV1*o4O=SnF#F|7nJsx(x;u8z0I#xw zdWO96SBB=h&q_Uy5)vOJcmZYtrR__$zso>T03F5kY`ju(0A0bAwb$LgcpY?5(8D4UZ_ zy*mP}^2Hz3l4MkrR@?J|%~kNbfR(M;Ji){*ssHimHD3im?ms|{HlGSh794 zVS1xY8s^*Tp@H1=vf}|Nq_5#fsRHDSm_ zpC<8flO=AZu$w=jDzy$I3T03lWa)^Kk0I>`NfW^?BZ!d@=_;5S*hw*ek1(FCghNhS zrW5s<7TnYMw{}{a6UXqVfWA-6j~-Juybf=o&&eCL_w8eztsE&@8vy%|n%*TqrEpZ; z8NvBN9lv>=SlpzxIg?cYc%jEye1d(YYNQ}c5LV`Wdq_4uVd^xoC|$|kG%X3|#xOD|noVhAw=w}}_NQNNMFOz%`aBQG=;#R4y0nP+a&eBG*K2K+k)wiUQ4i;1YZa^Rf4x7{ujVr3I2 zutvY8xd?_6nNZEnbthKvqvCndD7WOmhe8F6JJYsvnihk2EV||dZA)<#zAFIYvVyE} z)epov^V0leuLyYO&xAJfmH$y=DG5do7*(KwGarQVw0{H2#aA)YY;?gLx25GIR~{9Q zg?k04bn7o6--VIj;p3ygmw@dJLOljVdr#T@2;~=JW`78u{mY-`%~r1GjZ$KukPIJx z)#+;#(jny(Wo*g*U-wLY4-_fEpl%2m%Qh9U6$2O1~qf!c2I(?e9h|?`&t0v8yp?PN1luM+qPTYy`2i8c?~CHBAPT+Of84?#Gxa;3FNdwUl1ok(yIy&cV7w7;8J@~L_Xo8R4v3P5%l{m2H&Q6_8-r&45}fRegf-3s z72KdC=ctS3j0D0a#s?A~4L{$H{z{D3Y@d=enI8RPnSzn%TWnFVk_uT z-4X+WvTJt!>G^mXj%xp3j6UEB%siY+IVDP4C32~+W+`V{o79uf^M4ub^HWU)qjq0= zL}%e^YRbTuiEwGbPf@1HB~8e|3qafV?}T2uJJP3l;|f*&lV}wMas?%V*{`#Dapwi& z)6nJ<%=xl-6M?lFBTJe!dE37-rMH_ko-EbjGJCh=XmDZW(_2ItxX7^vUY(0fwMTyE zME0%Qy@~^bpZ6&3)!Gs| zoD36E=lecdsZBpbxg=__9 zY$5^tYmf?h=UZ@KV)+YLT#NVpY~{4;Q+~tUM|@TJLdJR6f?13IW8bMY5;JY5+sDt5 zf7Ve)z^kBBD8a-MDZzr7b70A{39QHb1aC^F_#&UZtit?+WX)Do!7l^b7wg-Bv8Q59 zS5g6MQ!)0`rbQ31$#?zHZ-kZktYU>%Soq_s-iGGpP&-6!67e7 zF%%iMq=B?yl+=`vDi6l2qwy5+bYTCN?-u{|%DFLsrXc~MP&CsOspuapBRf5+=UwCA zFn#oau`BGReaHtsZEBM$E&xG9Xoh+nR-r_QM8qQ@8RFz6LS3YZvYNIF!p4E6Y7{h* zr2Gej2Q*tUeSFmS`6svc3l)lxF~F7>0|pA3z%DB&2sNnP8@*g`Djsr{nj}%@4X~am zz$2O0%`-5Y{R9z(tMMlg#M3XA=?t>7mM1mLk+o>l(x^*WBI!7!n9a$L zyui55f@r+6>)wzVTAWz45j|%FD)GU87OrX)vL{sOC}1Gnt;diN>go=4Z)KD$#kkMr z!jdKR{FbJaESD9~Yp$t*Ho_+$XQ7VujOH`*MAWjNVWa+nmakEeidSR1h$U*fF)0F+ z$u))@2^BVeM^?McaeGy&r-Z7{_|x&1=@E2TXjF>oo&B#C-~Ze8hi+>|OkY|U$ zSOy!ngyr`c-Ti|a!az5B1-L?CKl5J%eDqYKgI)P9uEyn5qd7>C$GLteb&QEps5{<1 zBFqW1Kwj!JS5|v#25ySbj^K;-fTkYYc<~Km$s`a$(VZ5d7@7SeT}(B9ESzkB07cP; zp~!<*Dd7cpQ}OTj@VMV?{;Rz^K}xy1P-TSoCh15TaB5r0c$ksEESR7AFc2?R(gFK1 zO6X;OPhL_^mq3~h{fG=hxKEE%uP{hpiQs7~zVt(w_RtXCT~zBZ|E32L`F!(L7f7=b z71m?~ACCi~nZ(J}ah4;k_JhnCx2kUuxK<}PAls9u?t`mZa7IxhFHJBPCd?ct>iH!e zQu=gj_}mGf+lX>tQ=^h&AWma&th@U7ShH6^iqmdiJF-`^iCGAI+zN;g0B_EO6jf78 zwxTr6st&-!gt$vhNO_ujeRd9bOS$rqhesMaF ziRkEk{4Yvsc24qi=EZ;PH0RqB=;s16;!ZW~9Y#N8%6Nf>w2s^}t578^Pv0<#P~)*d z?+@dbcG~u)fDO5P^WQYkt7qQnAREpfY67rsdWv%H>WcL;0GoDFlcqN4X|XL;Z!#Iu zcY3h44EQjp#1j;n|DvrJJ|$DCRFzyB!!+j66t$Prtk6yV82qaUwS=LM{1fQ|EWl?Y zm=UZk1qhECl5jFlCM{>7D+Ule07i;5rT7pDm0i>fKBH(f(W{*5#;7(`=#oE(Q%Tm;h`tWB0v#yahk`gD<2WDTZ_{o`R@pxVx zmLZ`|vH$tonWht8u30@OQ7D51wnW5NuoF)OSXCl)Krj=Sam}=;k@%je;7l`>XxDcz z`vA{oK?JsMN|R%mZ*D=P0wA>B>BHOj{flRONK^z-_s?*9`2nM1UX?Gi$1W5eI|}Gz zk_T+0Ng+)nX(9^p9~~b6r;#$cF?^$9mI8PQ_a2Ch9R>;+sqKN0Xtp0{-sVf5(NpWtU8Qo>*SlZAz>?vnDFnx8#VR; zr&eFx{;!SMB27D&46ae@?EJyNeH-4D@9FXA@hd%!H7FhRyuu3~zkU*Lbt1io3G3e6 z4jMfP>)VF{xmmt`Sx%ap@yHTm(T@sp8X}DGj$<|9@Ya6$zr3RM2*0_gJ{@IVD5o~m zIQpOHz5n?@ov&HzA$}gm?LWNT?fkesJXqOra(?MQTk3hg9j|y?@_25$M9nlh`&?`$ zF>L8EJfGtJNS*X>U2Y7UoPM}{bnH}m*!6n~*(}BY(qA_39nM!Y^dH^n?AP6pj}$~C zOC@5YsP82e(MS|~H5bEqa^Kd>X6Q7A`$b#5(5*S+2_jcM75VVSse4czh5dEXVY1y& zeGi{yH7Q5ei35-)GAdFSX{&AOmLzFMZB6f{Dn|o72E_2IvMY;zyTfJJo+@aSCzo9L ztaZcyqo0BfQNkS3iUx=%eOa5ied+Kd*hFRe8U9+EGwo=>~ zo{h}xj5XnJVZ+{xbwz!>XRmyvHRy`WpA?k7#8U$H~4Te zN2bjhCIV%+6d#j>b~oq#61RX@lW^6aE6~g%Vpq>8n7ZTEmNEmQ1QLYoL5S$2rRs<^ zkY4sEcy}?vIVH6}6EaSavlCT|cqZx7%#~-&fcSViRa#`Ucrv0xLXt+L6D>nvDWY^?9_&5~tbJn0vz6CL1P=&c3_~P83hV zK)P`M_$uro@+Rv>OqX83rXMQ=20uZ8zRfxV>amvSk!a+FUcc1cohTWC@=S0f<&xTJ zYMGpqI6Mk3%KqX>GH+PoTD3YBC=&as-xMsu^gEs^%Wlvt)|=PFbz zkhrKqOw#|;6oQp^j73ZQ6N%dTWFK-V6bFciQChok8g zc*xjQlkwqQJN$^r6?^Ke7C(Y2H39ur0rB19xNYF|CsiwCD*d#~xDAIB+MEkntiNDW z_Wx*m_iv^@fOZ6-DoEV>;c!AHbFR=4v5ex6r_>otLX!)Jz}#(Wu=LV*k@hiH!1P>5 zi&o;QA$PeH_E^hqDe4IVX#!(Ce%b-=k4OykwhbGQBpmC9nmE73H*Av&;1Ie?4O@(B zC~oB2l!ilWo}w(xi(wFI=n3zxrd_ChC1h3~Z9IP;0ruGXNU923mpDx~oUJQv;g&GDlWEdpmJWNtNWNp!Dj3D4 zp@1ffL^xp#^AHT(;Dn~`qbUCe+@s$*mF8iZw$jJYvV~QNePzV?5>yY_i}fhg4C=A_ zX$XoId?Nc`$=?^yffTe1^)muUB-W3pUha4L=#0EY-B;#YYbksu{3FDTo@wqmza1X7 zhi5%LLqXGN3Jzq>NOsofUJ{!U(n^1ZW&T*?)}tWnO%V!SG3{b)Y@44cFd}6k3aLVD zV|KQKo4Ag^n_wMrCmG{3<0_mYx$o=$F~HyJHP@!u_m0xR1;VR#PM9AK-6vY#)yEn_ z6Q-SUruWeSR*}rN-;{ng$nnHhdVG8gpraRr_fIDf(U)LZnX_|-(GgB!Y)c>iI1`;* ztn&f{>H7z6b%p^uZJzqOH?oZ8NY7G%jx|%UNN{d7rV3IMNSD>7S?VBlu|K$mrtwbu zDawY^Athb_VA%T>Br5O~u^2)A>8>s_Cx2g@0`i#VJKpX?*mh|8vu zxZQ|51E(F${cm|SB^TWL&f@*ykbD*-d_xK@dW0-HkQ(+I*p`*@>JOYEX9oBNzbV&d z%A9pB%Wm0L0xsCsRkzPzHr-W2=H~1`no*iG&9R;EuIL4csc`5Eh&#FZcM+wDU&=YA z1?f4iY-Mr;W@Jd-x)Z^8SmySF+hN_Lm3+5e1>gBv!+A~T$sSdVOQ?}T8*PiiH+Aw! z!Mb=gfyz?b)|*=$%DJdlo^Sos$sd>OT^pwN@W6K~iUG=0YKr)pD!EXZt~nU66_KaG z1kuuzjYaPRMThMzs&%PAJBfYBXSn0`B%+P9b3zpb=4}EI=frVg zhZ^Ry>zW4_PiWg`z$G*4my7eV-{yOy$)$rY@N1yUR;><3L9Q=T1&NYBR!H^_c*(

B0mv`UKnN3k}*bz&YAf+x-%iWI=Dyv$zvajR?kRAh}_2>61 zz`$zt3S$NIa;Q|G5e`)~jE?~UE{>2uBU!P~J8Nq5w+NwykLk?rPj&lgR7+`ra-JO4 zU9w4pSMGP7Yd)NEy59T)7|eQDsj54QETYoy+gB}Vb*c4Lf?Qf$VJuJLF@Qd7#+gn4 z7_NOckN;)f>&Zr$_CAhf|vf>T!LuCgD{;4a^Z` z5m<8LhB-F+HxcQq@j+SeN`mV(@H*zK8u>{6ow|=i%o(MAC}$a?TXn0th+On5=!R+5?XlVYbD6TY<#hm@SzQE?o?I zMbLz2s2s*W0-_Ls%@TIa{SPG&&b|RbyL!Vq| z4l1ikdL8+Ou7pjUEOl9U!sxKWDIwy!Fe<-PJ9P5HirW)sO!Ks`%Z8~EH9Wu?T?v14 z59M8^08;CoqhG+uuHS|p6DOX1r{>c2>w~#E!+vQJ%r0)`sdUoO>!~MTl`J`zGuI3?y*8FDp z(;aL@dTGhtgAyNn{wAncNMMMfvTz|*B_-Mdpz?NB@)DiCid(S@_z30GS)e??7 zkpxAVE#q?<*t*nOh&emqYkW@MaPa$PlxK;kMm1&VXArh^iFg^MN}(8u3g{Hp%;6!^ z;c~@n2Q$;MHBP`;vs;Y1)ZVa(`>j_4YR>|!1VXRuEA$9-Xnk5Cq#_Hy-L`?mdhHqW zdNKX;BWr0v5P>;B9Qf`mqag}*M=PJ=n0I#|&--)CuFeJU^~Mym1~k9*9aSF#%g!>* zu!4eNh;zS|G3y1Fk%{|3U~m+=B)sW2V1W3wwkIEtkw(19ili z{i+KSUw02aXR(cdShNU#5X23aG)N#b(u!dh$j~Vls73JSR-t#o_evu4uUFu|jIfP; zc&ud8d7n|kC_r(e#!e9I$lyr+#=_1%iH9Due#OAew~?vuP!n}91$DjfLvEfB6rnkU zKLfJO*w|;ri|lVH9D{^TpfLm+J$iAdjiI`Aew{fI|K-8zhp4UE+s5I;)$r-7W?Dwh z68f>j>J`gHmS&fG_-b4+>~8fpIi&XG6dY1}kpISQMCyU-SW@GJx^d~W{PXjoqhS@r zUHE5MAf6|`LbOA7U#8>y)rShI7A}j&8}fSD+09U9DsCFUgy?5lX>s;ulJCd3!`J+Q zPF0xj`~UxC@dGgMAOuHE*1{2ifpxki*4mH)rBXh7zQ3UueAd}&!DC3OVI(^PB!ATx zMpD@-jOLizGA=@8V3}eVgQ?WNbKHG?ZYzgfO@WLt_sI~>3CoxfRfFV$rCv7^%huJ;9y7M`X_G~Umzgx}wKx}x@g z65AVOpPwuC3Ez6w)_!g1HO1XHv}%BV0+0(s6t1VOnsHeusk@#v%gx!g&OG?Sd=XDz zr-KQr1EKC7V_9z)u7O77m>=qnU)w9FEM{L}siUa=UuulcLS)WkV6jpEY<_3xk{z# z2Q-UDThF7h6%llHhfTsYihS<^_f8}cUpkVz>!?DSVZ4YK*i1=B;}Q{`Cfb>nMJadJ zqWaGcSVKD;=*#U00!U$$=(KlE2LYFT3%OMkD~<2$1(=^MOJeb-kxCQB3^*=8A>7d_ z4BWycS_)10W3FGG5}huNAyG>;))CmR0Y_Uen{rb(9&Se+2rP`A*e|1yOnmVUfj7Oe zVn205RVhkTTW98}^LbD$P4Pxv#CJRDT2TvQZ`9h6J4LYgG7UpVPiTdec2`$&408Ay zVY`|toGv?1U-~XSah6bj+SdO99^E!fO!;uD$VQhwq)qW-hgFPxpBhPR;3K_tp3eRTq5r> z{{S{TB`Y@%S7DvWJmv^J_ToSyFWlV>qs+=$NR-V|W^uGSF85OF_Y)J%;a-Y4LPiQ` z9YQnsSF9JOpY7>9(Cs3sJh34?+Edu0>Z_t2JroC_i0`L2=)>DE;R*+wc5HfGt!H!4 z-@ooy)F9XzLGN^)xHmcPz$g>iUj}{OXpWpma5HcUa5Yzc(GV!oYu!;DjQSaM>>fE$ z>$AolnPrc@gG0t^g4G0u-NAZ71+R<2xReB=QfR<|qTc{c*vD9A6mamQkd0X;(b!>( z)5;!DU!`P19s?t>5p11Oo5V3jIyW|FHx4*hp)3z@q5L}QJw0Uxz}LT)vQAqss$z4V zXK=;Y5=EWK#Al%e)* z?*qj0_@Y2=eR3vbdAFJz3CfQxqy4AFQ?jW=g?7|G=w~A~EKCGSgDNj#>iC+`!5RVU zo0qklEhzIo#<+g$z(`mw|8~eV?3uDt{vG8(NGzPR;AY9lA5B@3bLttd5V$G+!GKo}{dA*5th*=g-0DMm#x+}S{wZn-s} z2E!0CP%op!pcjI;X=F8NfT2F6zfs=S`z2z_CGRAzVYe&?5}@W}+Mig|r`dP-zU1G= zUHO?L)E-6+gqbOvU|bASYlBEkvbRFtDrvFA-wEx2cVJ-75z3jRBl^Yo!N0M{*6~YK z5jR7+(Msk)fh#1dk33k}8+S@;Ro6T*S9;WxpTAt^*NZdHF^Z`3k1{LLw|U+8WmN7=@XPc7hY2{RPW9;wqoN(H<= zud~N@pkQQybU65^D_yr|ayRV9XdHy?53T|A!dfMbZ+RZOrK!UFKD7-8Gj~q+&7bS- z8`?97hbZPKNN7xR4hO^v5YFY)#0so?dR^qUe*<|MzbFEztZ@{2{UuxFbcaK$IQ%Ic z7X4(O2I0s8`sN$5sLo4`j~Y9rpd^L1 z648V$Vq)zVL=|b5&F=2L9VFs`-x{>9B`JU}+ze36#D0mSZz$$@q1kWb*><(d4Sz%= z18%nmNZdkma6jX!BH#$9Kso;uf|>O<>NBAY6E{QKyWvH%5Mp~2>t*DPOahErZ%d&f zRn?c1%6frwX5GCm$|hs4ez?Lkk1_jZY7?M8b9c7$brJC{2L@sDr)bY}7X%N+7eh?a zezQS9;z;z$31uLAQy)N)wxvIbY6=w}1xj`GJOo@Y3=MYP=0Sbdz74ZtHY!=mf$>JA z53FXqDbr=>9r#n_#plCF39P`}V;N71oH2KA#Npee9iCa?#8_&vLcu2vpj0V2$^Tv{ zBUGb{-1k9K26t*e#FPqF!gry?K4LLCQL!(QH)s zq~*d1LfS9iu`?;btK;kAWl)2ephedJBlUV!?)^%~1S^FMFH$fUr8t%>nqW;uz3;xk zoQs1*V|ac>33bEiKAJ>VQJHzE1LB5^Q$LHrVwx_K)_!K|eR0E`h9dSQ6wgND+xie< zzf<<*X?AJ~3NudC#^B@Oj)F1Q))GY*SfyT+E=ow|5h@J?!vyn7HzGRso|2s4J;*oJ zA&vcZr-U`*xP|Z^G1dez!l?(Krg7_80)^hK-zoIO8!(9dIf6G}o*i{wfl>f%v<#iV z1&Wu>FP^1mE|HoEEkn=DNnZtQpY#~;bv@to_!>BY(N5ub9^~NO5nD?Yqs$2N%bCSI z;rWNk&C;|e{lJ0a%k4``FIo29E_&9`hZ5hG{wDaGI27Rbb)TDU(%a?&b$ zI}AjL&=Sr^F6A92aTqvRz-UkeVpeu8Ram=#At@aSD!z$Uc+dMW-JGmioYS~5Hs+xc zt~ERv#4S4QE1AQO#VR(xEH!yF?hnK2b%78WGs%*S*-F(1hETLB zg8LY_*gB&!EFRhiFlyU@fZm$uQ$rHFL>)YJC;c#LgZ!Nk)~@gV#DhzN&f zuTiwA-eukc#Oe?&}mU0|L3*5b<&f~`hGQGlgCZy8`4zQb4Ezc0Ifm|Z26)9EPVn$C=Sw#oz`l{31 z48r`O#+kvnzq#|bQM^5q-oVN<`87i5940vn8V#k7$p6$YA`mLcANnttcsEDHO|EiD zp7KM385)k_nV|AC)rN8_NJQO43o^DI$!P%ALvy8TcQ;Mz%t9HYYj#zSt8GeFm-3sV zYbJO+fc1Wa!-b<-*Y6zWCMrKg@c34dka#A`toPuif-AjeB)8JB03RJ(`=m~foHNsL z?(c8!vE*ks)sNTjxFD*e#dHLu8w+RwfxzLpEF}H7)h8iiY7~_WFXRq-c0g00+Go^k z3RPOFYcN5h3YRlSjlfUxuPE_Knw{7UF62;b;QVYPOJWO3PxLnGpGMm!)hXetAE%k` z6*dquX2t~NnTs5~_bi zzk^wXsd!=SriF$J$a8n?oxD9vfhbsRvp3Gfso4-QrC7GyvD1Gg@|DnZ zzEWgVbQ>hwWqgbPUSTSkIy6lP-T}hpus1okPy~t}fmHM9yPZtYqr*fWNBW*fO5Cm= zP)r4dY;;M6q53nX*_{f$wd>}R_2zQQ!2abbeav7tetV|Ga(N3o@=%9;W?pqu2Z$&0 z%B8x`%-NMD*J3GAJ4blS6^R4!o;TLcb^f0%PoJl16HfA12mL8_4IaT9JDztXQf}z} zerXcjmY2=;=TAXm_L}*B4mjs@!qW?K#q0G4m1Sb_gAE6ZEH-1<`7wVGH3bqKKI;O|PjEik zrEbg5=|97h?j%atjtT8PrTP;tfPo0yy}09ckVZ$ekwAgTJ8yx&Qc+Xf5NqhERL^|W@=dzthweyh#UH^# z@7cDAty%Nhxprl0YW;x;O5S2h&%1E>@b#*H0cyAUP=75VyXNi6J9de*fvB`fPBLZP zNc+CBg4Oherb+lLeej``UC9~@-|4~&2M_=ezc{SghB6%JyDqE@Sc`b?9pc!ym}HV& z)9I)w4z*XH&>4!x{x*wbH{G)xw?hP18Y+1d{`zpsP#x=og@iq6XRP7=g zwY#b|L^uBZRhLe(EIHPh1pa=jVI;PAxw@LGY)mm-c7qBCPB$JGTfOaYt59r=6R`#c zpzF!WAt1I;TvK|QnN)QX8We*cNMBDDqIUDyk2y@LG7EHZDm%2)4X-?SC~P(_F{on> zs||Q#t6$>89itz(=2>ttd0R~`TYMyaa9U97daX#<>M1<6&*ow)0twqrPrR7=dhVUj zN_5stBe9UC>=6fDwev-;k`Ag8Q_i1e3QasXW-m%UNAaCtpMo1i+bt~=UzxrSC%J$Qk zmI49a+JAD57{frecx_n=htoW*(JU8ccI(F~aTl@SR5f!vj`?QD)12NyNCwUjZCFN%akrn7R*?o%H4<-RT8-&5KwxV{Cg}?e@e(&2vgk_8+ zyQKTWgdrVWuQur(B;g3fK-m=2-Jk5bR7o+WWv=kp=jSzw@phl zOj{jiKMq^*?J80?;D|S3n+n;aLVK4}D{Z#-<$V2BVKX?NSFJ5m&oz&*5D9JLo&~WB zL}t~U3^^5+R?>z}&eIRtDpPDSKa2~ ztS;%gKpN{dq<6uj--Z$_)!GXQ|3WubGKAm?0WJ%M_fi#nIzWw5{Dn_Tm3YIt_{w`y zR1KTjDls(>SF7~z-tEb_P%h)oU18PNis~w1RI=8Y>3Izi*vd^@t-l0lfD@JDGYw)< zOpC+A;jfIzWJK1klr-iU&Fx9w=+YzSL%&mFSQ0fbk+r77=C42bW}ld|rtxK$`<~yU z0%KvO%zr;-Z~B+6J;Xe2P+l1$TFOE9w$qPOR;$QcZU-wPqbVMEMYj%ZN}1v(7p>tJw4WKlFru=A>fzN&iV!$z!pD^cFrn2w&H}5d z2u)$WsV6i2;KhKnuy;Leoiop+ zq;%BY&YGflEt5cquCLF5$MP_9wyZPGOwxbwPBJlV$=j$SVARO2zpYBR4$RIL0X;iw ze3X{>ue1DzFL;AC%}b|F$J9&KUQ0f8lIPFU)W(E1ToXH(rc=|vR zl5HdCd+8cH9-M?_NQd7pe4o6L0~Y_jG-xQHY0!?8Ws-Go=INM+CvVO|kw)PyZ9eD| z#YkI#33|&xZ?$27IrelDy|rw)=II++V8Z;EBy&VpoI{g1E-2|;Ai&zUUTtgGlpPN) zKe=tWhEARbE8?#5xvp^`%tWP68d(YjP!M>P&|Fb6&^`{d>F3WIQ`rg>{K9?0efvz z*n|sWq96LQQfwMxS33c%2xw9vi^8vR0to zVvroMe7LEBK84W-L_UWi_k+FL;Dq9+U;2$zt2CrYE%na1{OJ_ZVf4>E#r~ZAUz^F5 zZ?Sn|D?NqcB_FspGzi&tVOWqrl=t$3po4u=9>T+!_aobEVRMCG@_e|5;1;SON%q5*^w_V@Y|7vtpJxWh& z+r8=?@b)RBJ~EXR>z<%AHdbb z{Jhl+4sc{NUJfND4?vVmuyzkzhLmrUy^=q*75V*|HY^1-+OV(i3;>@HNpzdwV#BJ^ zF++f?#h218;YF>}W{C6d0wfOGsj9bi45xfvUR&Mc1l2;qIkh0WQ>ns+>iuW)o}>mjNuc?E~(tpj;b2(pjmrJ2w8m7WW9 znJ`GoiloGdwuH3P4jlk2g+~zXG6gU@=AQ*UTt?bs(cwhd?a1O7@ImXFahb;Z2ElHc zayn$S6mO?`EHWQGXxIb}hhMoHdRCJBj4n)f#i`LghL}sP%I+Hl4S~oFlsb;wVh~jJ zc%vCeZMlAeGe8T{mdWL^5&wf=WdQGsv{=-Umsly&9$$V)_hnAuvoG~bt~I4{buC9U z*Dom+-gqmx5a#(8T%CG?uJgb-$*{OxePgLh=Fn)~wS}d&9e#q~KgrOuZ-}+og27rp zUv3;@F8JPD7EV4wG*$FG5RW`h)G5pR#Ws@d0;J6^QGm*D9OFXh0Kl+gljVG$mzOJe zVBymya*IUExbP>XqB59d&gr>tS6?@Kd?edN3_Bi?dsboJj+>Lf1!=`)KD5d`)F%{< z>w0omzx7eCDkj7-ZEsD?Q-{dP|8;TY(NMQ-cuY+SS;sn-WF1R{L1Zi0cS4MPi^f(; z5kCtd7ZJUeX!=jSkbtl!bkQrU@3<(_C3*fcN)i^rB21p=Q`)>ZVZVlEyH##G zsaHkVx2gI0+hliab&`x3nuv~52*rq{J?tKW1ZFMYN64NIOJ8jVwPyns1LzqT zvRkLs{FWVqAi^6Pfe9lc2y0UkA=M%x@A`01ic6nGm|Ls2>*EkbHc~Wot!3OYV2X2A z6uSN8I&x#yD6hk%=>Ee`NC;rV!R+D*J)-&mbAd&(ow}~H zj7z%=h;^8)ImV3TR7mcTV;%%gDijCYLvL&ptD4e>ypK*QrJ>7tH59papkQj?u>DFa zPU-W{hUC>#UN1+dvy{}65%n8)bsgSc`yP$8%UNSZ_f2Lnt~7YE(wlqC-xux~ej>Yz zRW3wfoy<#LFYOB7oyrWj>g!k_ORl-*Mhi4O0h(>hRQYUQkwQ<}V_afaUc(~`;B}3>eNmvQS)jq!{2)xkIx4`}efuL-GP2l1hFxSWA$x(GAMo^b z%iict)mdBqfEz=-#gjR@yIn9pUIUQRQ{(NwRN{Gj z{8+VEA06cn)OG)3kF0Rw6h3@_Pp`Tjgt+8)i9>dKVSxkZ(T2FUsmRwKwItDx+1%aD zC_bUg@)QM}ORyw)#T@Uvxbh`U?o;*ZVT0Ulj!S+`JP!(EL&+z{q5B*%$CryY1n7@c zjJALHx7Y-bn%0}k3W9*Sh5ZACFH*r`lKk8!I|yzk8_BezwBft{3VQ^xVYjy5(hEb; zU6_-2=%Z#>ew|Q_XrA>>Zt??0mbAqDQD)qAx9WV?G8@r@j(AsL>*(+&X%_j5ga~#S zjTp-eiR`mtRwHGa%?*2gHMhPV!?-=B#AgER%yYaORHee@B0Yh2oj~(0j`n*R>sFJA zurtWIa?x8X>h(0*_NCS)XDEFrCUlaDpzP{${y4`=ZFBQlpN8eQxZ#s!#`kA({Y@8qrgHhyu2U}pVgzYp1=PX>W6D+=4H$x?^i)ubO{fh<|{ zGtJTq#+{W3hg%BFv@Qb|eZuL~tUHNJ9gNrv{~9d&VE`)X4el9?(M(wzjT#vUQV*Fg3F&bxBrqw z^Kv;Z5j|An#r^ad(;McCu>LFp*I{mE?pp`#LIJdt<+$Jem(%uW=b$6^Y*K026$iP= zTa~>Ek}vMYbkg2a4HvTs6aT~{wLI%;tEpvQ<6wB_Eilv#&l+LAmS|Cu>#SlfI2idu zSGOel4N9i&vdywd{=#y05+JPp%)smXJ*vvs0&_X9s$IjE$^~to(H&QAwHg}&4H;I` zgGY*ocev{HZ@3x+W%BE4^Ue$Si8D{z;nZ{&kFw0_d&fs6fod6i8z@CQu@v~mWeGvoGG~jo_jb#o zQp2;txdlBsUr89t&t2PE%GE(hP$$!*UNI^zi_sC<*8CVHbs@i6Gvi9597;aUN6~oB z)ZN2IfNj=IhBY=KS>^K&P2&bOm@DV?q@(Oq#G2~)cNGDW>wQsWGN(S=0I*JnyHV_gUgBAMZioFqZBn8gXa zhNssR9ZdyMUk}unnD4;Fl74KVMAv$UrfUYX*GK!b6Dh3%j%>&+9s#1+1(cZtzMl3M#B_GEFi zWcj1zkYEqh+(??NXO`x|GwuZw|IS{NA^D5c=)Vx1LskyDhYr1gO@9 zw|^Y;F!_8opG&y$7jj#7wJa@U_>MhjRadN6X&%KC0UJPHxXA_AltHM&<8=`?OJnMV z0nEfkNRwmZ!pdRU2e80OD(vv0p4G7Nq|LL(!^ogaWuBa|r-p_m!_n?By`tAr!zBEZ zQ$}PsWn%QRU&NZHt;nnGqfjvwE?Z!2dxyE!;p-nr~4d2l=S& zJEzh)bj3mbYqy&|4kkh1)@(Z+9|g^qwg_YLi`cttqtfJQ(*mrIqTsYCM~AKc`J4@^ z(~~wL+lHRT;~V8%8;I4OSRPNzsnVj(ZtW}4*>PC6cG~=8S463U9TgXaf3^#8;;bRGt1RVe6wAC1kL7k7D z0wgA|)8#zm}_U4Cd+_yKfR6w%Z?Z{48Q(nn^jzl<5(6Fey=^g#3&XKJ-<9Zg6Td^~msz0~3 zVq!BxZo2z&o)G4L!0g1sxZ%0VaTF4t0r(rqJ zeXLLCP>38tb{Vb8upNH{`|v!H>PD)b1l#W&gDU*dcDVZWAUb9U73#p`l^o{&o;mgU zUdSfXsszwgztsVBj)XE5g+?%iS0Y1})kBkXMvJfkIiY)#`HkM>m)pFX-LS{F88^Bm zqogOZeHyYE5{(6Cq!K zUKC5)u7m68pfYnV^PYQtqK;bVj((8H;4(7zx**`H_@_6t%J_395hDkY>;ToD^5|`Y zBMhvp768>+Byq>pqf|IdD>cpkJjfn?Fr%6R`#wl=|Fsr^KsYG#O@EgTJ(x>i1(5_+ z?!V48|1bK*^he}NkfJ&Qa|kz};|70-BZ3q(*bbEFRfAf)g5JIAP*xAHs+W)ZZ~GSn z0{Eb zDFNFCSt%J01F4COVB!GRDO@Q8T&RVEIz%xj!yAx*Lx2fHM(#hUPX&QoqWCf~{p(iB zbzn151nU<3;&@lx6-lqU3Q2WUFP1|o*! dpx540pdM7W>kosYFeW`9X-Mb{AK|}I{sR`kNfQ77 delta 19797 zcmYJZb8s%a7d2Yjwr$(CZQJ%!p4#@)_SCkGQyZtY?Ni_P_uV_+{U@18vUc{YwI|6= zGWi=ktr)x^9U3z5Yu%hOH3ymi;OJZ;h4O7w`4b|Ze1jfxJcBdJYYMKod^Fp%^jlju zX0;(f8#Lpl&Rlxo>vcAC7wuKasV<|pfjQ_TJKGv+R;YGT%%99aMeEta!|oifk}YHD zqNx1GH5D(U4mP@)0K0}v@GBeUYw4}NKaUX?kjM5?0V+c2_iixB$Dx=En30VhrLC5Q z4R#0^hb!VlP$cV7j&v4Gj((;Q%c`#@B>mbFB*6g5~BG*QehoJ)&$Xed| z7nr`z>Oy&v7`rj9qYFNghNU6I4eZjg+CLT_4n3QO5@Q zcg5v@_K&#fn6Z{nE3>oW?2$ZaDKri!K=lYtLU9feuq{%W6%;a_l9l9A)CJa;sD&7Q z{Qy<+DnYVQ(lUJff4D>j3M26`kto;pzS;Uh72@vEk06_n5ptV)!w1Mu`zC#&Zj2fF zmlUC#)zRfgd|gdvp?G-FnnGDQG(R*VI8Ix zH>!3UG%EIWdMh$N@K5*DKo~-OPF+kZl5ug%2;&nO-&TN7*SkD^Q>fLP9tA{Tg@!Wb z1|(iU>$V^Y%stkK5ZZ_v$jCal>MPm>EM4IVZ-`Xus7FvR@6ia)fZ9=C*fE#hwgfdb zyI!(^CsY(*WygWA@k3KJz5JC{bA`w}x?Bfkg#}nVmWv}+?o1nI_xzZ+8?7h*a2T0- z1`$EsUkGG(pWEq-C5k`gb zCEH69R$t<29r*mh_i!Y4A>732Xw3J?r%-w?pi>4sW1)N#&kdEK{>oj0A9YLU?Ahn> z4?p21YZf|^DHY?S-0N0uyM+v#0*!HsQ5%*tq$%yY#WTv|GlCus8!;S)8d!@^sdRJ z;*QJX+>zP8&2}!{U%maN;0p8L>Cyr zl=_AjZECsb*!OAAcf*eaTOfUHDj~ecsehv8nOU_HgVn7BN5v-%6x``xvd(LHWRD%Q<j&N9Xk#LGc-PQy|53>8-Tv~g`8&~{SnO&j`6w{`$S}J^OBvvtuhq{49_@X+_5(984LKv(j&KeefZfJa5cEZebeKQU`KLX9PC2KYygiS5T}mSy+`_+5e0xlrP-f_) zcl(6msK%FmaY5Ev47<0S;%)Er1hQ|+J=d(|;UmMu&n|3adEr6i)cOJxTbcED1{7#D z6%n_pG=ch~w);j^)g*Akt}5yazyub}Oco1WxH0S$N4uRYq+%aQ#IrT~g^LiaW_cG* z&AD8!5sPgwGg>;+7o?b;97SU7cnuF-(QSSOnny1oT~v$_H7qr>mPhz#eRw=FOShq27pi1J&~B+|##T9U zNfg74G(`ck)VhGIG=*FV1F7o+k~Cm`rUqr+R6o7kC%c4S;4A4DO-D8_cp!E_wencO z^P$?LHUB+~ub4Hn$Gs;+ zx-_NV=g{pTW>^o!Jo|^~hJ^4*U2N~VP^pnHY-LFkQa5+7c^@U_UFJp7p{X&V* zJ+(QYhQ(E0gg|sJJbn?xu5M-g^)G2W+ga}l+kl-1QKf}=GfhEjAkw)W>qR3h`+RoP z@lS#paip%p`Uc>tw%-(S)8=om5dRG?A!yqqD#=SY&%+@PoH>EvBnUDO)QG60S3X?D z-~T!w2#C1Pi^W80#6<`s!q=j4ULm3cL-y?3$*yrxBE{+)U_R-(`ACrHq6*7w6_}ju zR@q6A5bowY6-Vy?3%>AB;*814FjV{hM(`STe;ToccmN&*$_d+oyr7XM8{o%RU)UfZ zKR+P5$`JhTxZ^V3JYyL z|JMTe{`g1~2K;=U8utUmfjKAOdAFe;voB?^?zRzAAAOF5D zdH)I*faiUGeViNre0TW$+}tMK?gkN{{<%lfGP)%7Y>+;{p#d-;C9JNdOmgzG^p>w4x~3! zVpYie{=N<@DVWV^$9{WSA8(ZGW%Ddl86G{~*RS{ngy zjPgRVx^^wucrSXnw(uLb*Ce2S(e!^N;JnSmu;*8an_5hhO9ZV7TBv!_#IZz1XIC#J zR?UulYFJ+#YXwCJTxJ#l>FPOYJM=g&F9WulLY1EEeUk`TO5zGfan)IpR<4vc;NqO5 zgFXa*tHF}S#hpaLR$>^yyXR$H!Yu-}`#!g|;0pNQ>j%G!c-`~s^|j`sO-t1?*?XsH zMp4mGiqAk`qh1JuZ4N=BkP^|^3cLJj`(bSp67*G0f*xOm|>p`>);|4xj$htlGk_B%_{r!!g)bhTU(_UV}igO+)_31dbW3Km_+& zo>HM~7*7OW^*$QR(V^4-8(=HEH6z^?R7zhKwY(}@8-1k5We~TtqK(}g?D0O*ji3Ru zh?;=2WUF^L=iIeo?(O66Mf&*>!BttGouSG{Y*;HQ}h_uR`JW}>XB}_+!t9x|TvGNawb~Uflf?~>8#gdvSP|I00 zs}H3FTLe;v5`*!zI?tht?_Q>G0Si}_xBEd>{947QOgFh1Bc~z|i%hl!vQ%IzMA)!n zuHZeVXtQCDldv%$@!5)~D(GkkYZLEngd;AvnNtlImwmJOclUYPQ=4!o0Pe3$FJ1}v z1Z!U;pA&UDeul^Vd3aOJPT6fk+IuAkmx-BwJrTVw{$8`Gkd9k1G-0(21gmyCDo?Dg zR;W`LDoXyI+*Vh=!kK?m;nDwG!PLq|;ifr;chio!0^MX)5Gj@SK^@UaR%N?fCVU_( z5xI~aA&hS(tGvtgDu;SLFmNyKQx1Qvn^PqBe6_@_K+eq2KCT z>najybCwTjiHH)>tmm#U#ZYNpyQHTk3!l8I`X~-+3-RP-z4wVW1jO=gZuYbAn;mJ> z4*Uhf#-XR0EMx4QZ^o)SkNgW-v?)s1nVq^(QUGiMA3k(OJ0I z6%{lU$`(diII9q%@VlUm!@H$svmQ6vv%%u*AROWRXkcS4`J*{ThK94)9){rTiae5y3PFepSINA@ z69YBh7XNPz%2F86c@^nw@h6e$hBj--3e~+L3bmb87^d%yobqIh-zuCZU*?Y?KhXmn z<9sj(@*}vB?uH(>Ooy0uz`s4HBnZv6_h8l|4g=WQOYDee^7QciyV#TxFuAeR_&-X; zLO2Dt`J~B5@|ze?%z4(I5|b%WrVvrXl`*2dA!QHFuD$&i3a=MY$c|+ohj_jO%oO9L z2|PzlTzNOT`Ku-;c!FnTek_jhW)}awbXu z8+;`0Cz5H>EMIJ)8ixV-4J7b&q-ds3H$!{1hvT=fTO=~eUk4v0@kh?O(J*}XxI3GOdA#CHsaM z^eC)=dWk(UGRmDUGqXej?+iypzg!zo;DHnHd|g76_p2ehat34km@Wk0#GL3aIv?CE zZMM@Yn0apN;B@r_mwlM6vZ94Ro?Y`7ob`||&H$oL<#SR9oJbuyp+M3jO_st8ba2m1 ziFC8j+;-&bY`k<^o0^5Nh0!TN0O-v#MC?;KrUn>Y(oFh;$j+rITP_go8+;3((%$6c z45y)};^ihl#+i;c0g!3&|4(U02$p0?#2Y7bsUDy4^FrN_09N!b8|*({>0bVIHoX03Y*OL014B zgQqhU70EL#o#7E_YblLfYtIhNR+b)?Yqtlto07niC@Tm+47%7mR#zhzwZpUoh9(85 z#o*A>bdl>4UXdoX`(ViAyo*Cr=?et%vjG32UyOpG7ZvNN4ueo`-q}TkB2ci}gin*s z6#^_(mbsaF{1-q-&Pse2LR0P>bkW?xo?cQ(qO8n>@Pz0^%KtjWB@6rMMd0A8FWWR|2;zDC6 z8o0UIeB~e9a~pPQeECZXqUu8^w>*WKbTu6vRgTi`!VQq$BV#3p+Ok?7{J&_Wg^UA8 zP8t`Tt@?o=faxmk8(wOYg7L+NFk5wY`h#-X+tnIJ=zPK~L|_Fzt@%KV3oT}t$c4V8 znFvv51%~>{u|z_+Ba|^J9t%pKQeO3N{)01;Fo8zUlK5|R;rqeR9|{2SbQP?VQ$Rk1 zCwcjU0#*+5o%W!XGpg7q#HvoFLhN-uz28r8MYe&=rWQc4q<7yD8*QaHq+I{tfEMs- z%QSvI37}qirhb*MzRo%#w?ITm=C5cJd!}( zN{}Nvsx4%NvhI(x>E&<>uN^M16+1b8PXrrLMHx>`#U>dxd#H981I0Urr(C~oPLX#p zS`K^)8_#~W|3H9?Ssf90JFzNzJEw6eTPAuY?TJ?gk37h-wY6Mt zi1QOA(D9bvA{(=4CC<24wApsiAh6{~8Ay3ihm@^YS<@|=3JCzi!*+(9S9bm&<- zJ4llv5l!dZ7Boqfu=V95mHr-pzsj>B>XYAUf=qkRDQ@x8?i zlvrGz^fUNjmg)c7)(;eX*#F}Lidry-h`m(g)sKb=sHYg{&jy6#+}G}@qI%=bKJb7Z z_Uh-}dpLU!$6-eTabrb4m8HqXg-)B6(o?n?6CJ5+O%wU^|0#A%uLx8;n1*GsA^=&+ zbp=VX&t?hve@6pao-FM8h{%*`OYxvV8Es$_JvFDab3}4SDlts_*pXn^4nat;+4sRz z+1Qb2vZG-qrg@@7rp847BW=e7+;NsFEQpVTeX@&pzk~q?$BMwfNhBfe+&d0lq>jp> z84Kn=@BYVk$o~%$tEz5&lf$<;JPEIs1#l%1#Yc$r;zEOT=D^~^q*l6$OeiQeg*-tf zz_d6JK(qi)5V_`0(z)i3yT+3B{;yBk?55zRY@GiyF3XjK2aRg8&I4m3I)m>3L|hkf zJRGQntyf?Rd0MHG_rtZ`<^ihnnzgHw;9F00FVqi-lJL*SPCT_f0>niS4}n5d?0=Kpav%~VEQkx}wxjz0Kb`kN)!Bz_U$h6Da z#_*T7bSglvY2v(5R%r^F5sN~5YNBp3E-q^N+ta;wH*ICK&&k;F^6q82`8LS;Y`wbQ zvA^5s*?I0e(^67$J`U!XGC7nNEpLzFltE1+##;I3_G-pCDDeBZ%86O)lGrP?-WhPt zAM|4PvHkC|?bgrhrONoajwy%Pd2aUgqk7xhc?a`6oRdU(8Fs+xL%?18e_GR)>zkjwA#eDWrA!Nx^|k*>Z41r2e0e-vS} zJ)mhS5tk@Ib>yvc~lp!%o2If ziu_VrK4$M3vGg_M8fltX)_BCY1y7?MHX48tnGcfMQK4DY-Qv;Esv5nxO;ck=Pt+#% z;Gjo(Y&D2P4sjJBusTnTTlJ@{zWc_py|c%z?b*9~=6yG3sv6K=G5me4$oVDr&-gwR zaAF51{9RggbNdFklfNS_KpUif$vK$&2iOX@@_K&zG=Av(ym6<7WQtGk>X0$G;{nwD zKGWGu0I~=m57EtjebyGy-8dnxeD}ZsK*TPYkA^+rv;1E7UDa@BOHO6z{&3m}J&M(! zg;wOL^w6nFJqGy5{O-P+uG|moaSACrVy^yrJMmNg?%)TJqf$_src#pt8*#6TGN(f= z$(|vDRy`6>d7xF>P`6usY4HrB6bIY}<00YLIv)SVc4Uvrc-(4ozc(s$dj-{AVk zf3wEB`s*-8WkVM`f-LV|*4G4KBHOjw}mYAl*hnWBuy zL7atevZ?h zt%~>r{1I2M+w$6scXM9jZ6Vr=s~f3pp#H@@oDToSTF(Eo(pAnJy8tMo4!V)~E7iqS zq}U^I9QRDI9&Z0QA-*6hrQxxV`8ym_x(?Cch$uqYw3~VVOqci47ea=lR;4JTgh%i_ zALJs!ELGV~XtV4qAz$n@uPV@R;(oBpg*l^!yH5Cdou&)zub4lK1sB%E|*webBQHp@ek^2Ne*%c~Ff(q<7&GBrbX zy}+qk4#i&bTf({>Wp@?y1t~+7t$ZB-52r*1xz_8PI5wj|M{eufI*MVMz4Q#NB!Haf&kJ`XHvL=ha>Jne;3CP zUqZ51hy##Hp&auakcPCjY*;AKyio?3$;veR-YiRjE`Hz7B3q#oPe7|~?Q1vq244E= zj%-S=1h(}A3NsKM;R>hD%tS8Zt)iSTT38?ZQ{4J~*z4K6xt`+dp8W07$`HBur3$A+ zL_NOEq*j+Y6hQ21)^QZ`k&^Cr6c_Z2O$^bSM5q^!3&e)NRUkx^vV@hBNUGzMTi(&C zybK{o6|$%jkU&z=mBJ)-E2eja>GuJ>y$S((1r+gT5xT$|u+4 ztnwZ<(esucpjM!QmLWjY&+*4f=3YRf-!rFhYLeG|1BfIZ&4f|&NOJ2e=xn@t2V@EBu-VlTMsaH`hg5PoD)h2lhc=tR^Oyrofs_-TZyM#aC#P zzFe?1pR8*w#irE1c>g1zsu_+av88SMaAY5~IBIYX4S|-5(#8TOR~$oh0pj1j-Hu<9 zy61G^41naca1Z--U$`#UvENY(oB!eC{djKXc{BtxT8L-CXNTTU&a)Zh24%$mlxFbc{8U6-a{|JvTGu-0i}@!A*IX#=`bDdg6pb|ukr#<2PJqG>KpsamW&0J?Dj3W~3Q|^n zt~%1YNa;Loh4?GlE2(`*rc^d@d&r2WlZ>+EhA=;rcz&1t^}8pcr=oh9iOlf z3sB_PW*zg_jUK{*5ifvZCxwI5#oy`fyYwSR7AUa!{lI0GfCFas3TdS`WFoUp;^VRE z!fEVxSh-UUY$#Y$<3G zXcuz^0w3pX9a!e=u;8eyJm%GT^ga}5696?Cd5;`;DaH~`FV$6t%ITf4@CHGo*!VZNEd`fa`LR>xYZb_Y;@vwy=NwMHAKfnR! zztriSFbT^v^F^jk3Rbs*we}L;0KfzMs~EBHuQ2cg1~`O#80NjzMU$aJ-l1dE3}ka6 zulWGTCg=gzn2-mwJ(Y;!V_5OD5)*lhl(Bb+ii~-f<*>^)atB*F+YwqQFdU+|SyA*g zl_P7&ZF|vY7<0xn8W^A(bePL^Jir>^k;8;^Y(9-ld~XK*iV!F9kjv-So9I6cq9|+c zp;TTqsBjx7!ZLQA4v6m}7@o2axpy2I_SI?npM~*W<+BKi-~Bk+VylG{f4aV0S5|&% zW=6k1gQ+p6(4+_?7DB%fg^_v^q|_+(=2_xl*OOH*Ia;MJ&0vkZvDshLRspTUCzEzR z$FAe56dh)eIocKjgnxAXjd4t&2-4{?!SmbMr3XE|r^$F;+tLQnxxom-gD2ERDQ1!rcoc0qlMH(J54{D=@_CJODVn!TKd7mJ`Ju38$$cY~ zpUaVrj6~;AOZ(vl736H9k$}~Wka^Rsp9LGIYZcL7I8yq(rupa2rx@ymI}b2F;J?7a zILRuLC_oTkspvu6>Ivo^f~%z;z7m=L+Nf}w)}(=lEk#1{?Wpyze?u1N=j z))%BWzP6RreUNwQGlDWT1KgaJa5Ho zTuf+u9gPzZQgs#*Q#H}WP=p})9XWCS%Dy5AX-={v4N!s6yc^FoO%K*v!*0_ z#$y+QU7+qPK_m_=iH~AKJk3@BK26pqND!-;%tcX2-+@oqzn z4}J-5W?~SYn&a64&W*C;M$Sw0>jl~=S{6)=5UYsk5ZGiQO-}Jovjj7wloGu9MFv+u zCtAOvhz>Mpo7Ay_FtAP3)P~=rd64hK!x?Hv`=uj^T^VV!5D;yFoBRc}i86nGN7gc# z{IF+`^SZu_5wk3Iz2XXcg@G8LjWiXnRfBWUM=er}Rx0b9w# zcyrBVFeO3X2dL9f>PD@@W&a0FgGv-yMGFXN$0)b;3pGTRIAjTM##>1WY3m822SN&u zlV!rwKy0;v!3i8-SHbv$(U6?k7VJ%R`Z6r4kFoRV!`~o(-0r6O7KFGTx{bG3SigrFyW+4xlIx|s-aefah z3@~Ltdks}t{zWrK*m5uUI)i@eQ@IV4Jq^8&b~Gb#OgjAL4P!;;fWyg3rG04`NH}4Y zR`$OI{Ef;Sf6eq@g3L8A*9@mnRXGlL@{9nFf?@02OwaW$R*cm;5zyubA^8`557MyT)z&t$RvGaH11z!{8Fi zx=k1oReUO?ZE}h;jj$|Wi_f_H0aW%2k$8?jZ*F)n(Tc@nIo_hG!vy*^#>d%ZZpOkjWagZRl^qjT!tajx4*Fy24k zm*#QaRgAO5;t$2=jzNxCV2 ztse7k-}!7=|8C%~_x#E22Tu)w#z^g&L}|ul$K!#EC>8{k6n~(oU!JN%MKLzN2)Ttx|;V8`SadX8n1^-ug*_q7p$6 zSEA_sX1!Og;OpxH@YC*`N&&$1;a2GL_ew3RcJ}f{f0bgiY(lTqi0Yp%@u5}!WH-8^ zs@9QZ?o_2SgzEk>x;62p{kqF`De=rQ+u0BL$<~SdcDDDd0pMLd7X71FpKH<0mC6ND25^Q12TT8%u9!->zP zO2ZnX^2cv%ng@m$oF~~8nkd_`?z{0N6glN!`r1X2`z{m*JW;DeXGF7KqkI{TQ^J&d z`^@cx7?t&Be-X;iNC9CYzq#e|l#PgEB}##tWWKa1t^VW|O}>isHS@@VKdY~+Yy+G3 zwYPLVHCvun<*zMg8eOzw;KFdvwwR-pS$`JPlryCc81$lCX~I61z0qB@!vOx?e{JuRn7*kOS?TVgaWQ&C_#!)Ec&7<G=EGGnQTA6%CThiC@JMwjOegUJr(E_L>?%Ph?cwYh`Hw0ijY824E(DFVVV zv1BDUu-#h02(v7wI~sLycA}!XZ!E50U98$tNc4iKU3BEr$2=%}6n>o?Ck$`c3dY4j zjB=$qDvieQVF94s&?a?3UJ_g+i*cqA6J~53{yyQj$&Di3TObVyJi)2GSkWGiJzLox za*WPkI%#@kJ+n4MU5&-)h^|uUgbGOt85BBEDTOep5I{!XWmbzM3zQNbz0zwrwT#pg z5xasp1&?bOO<_H*#BK^1syqw-kWnUyz>g=oS!Z8O&H-?|+O|-q&Ddnf`sQ0udK)&3 zI2LT=I*}IRsAB`KqY8^#T?PdT5=F~HvF3oFUKGnK+O?R6BGhhvX`J*`=k8USv>sL^U8Ig51JnGbAw$y9}> zp2-L$smLIHz94bLf<_t$GYdP+Db3GrGw6Spnnv6_r`nYMd^{fX=@E`(>&d(t@tC3O zUYANvRpQVU+S3hJB`47(ZEg~-e$1NkAz$S=O99>n%9OoL_`&cr1Ia%-J0gd`Qs>)b z8f&y;b^PSijrWEY6IGyekUFj@1)0Pk`^X?cIo;>3%7jYkD5lbasJ_V`!9KHYk;0}; zu=lLdEUeH(=Y}!1QOk>Xg!os`4w&?y3$je(<_^5FDSYtUltdR(d@rkh8{YN^7b+DN z_yfA;W>%?!M{F_RJ+8b{$|JqeeBgpx-O#g0jW~(jqCsJcxc*VS zyo9FOL9L&FiZc24UgRa-SeH5P7+uK4fH@btSMX4GmxkS`DC>d*@Ch<5Uwqq~I0sx7 z5^VHgstX`$wwpw5i~Vgk7J~k~I{H>C*I%oxF;$=B46wLHm&x4rO+jULg1HqQL+bx4?g>W@d}vc+mIBZnzC&=cHC{5{lnmrJ1q1(UZ9Nc zz^7WYTE+yyb4cuRtaXWN!0YO#D-4Kfl8yqMaHr|_&hCZ&nn(h(x8xdOFKLj~U;w%v zP-6@8`ZX-A{C#wJYWvG0CO#(BvfEI)bAy=Uk&AH`C$v8 zu*Fgs2$F13;{WrjmLrhdNu#0o!we#6pfr2Vl_jMCpCRSX;(Mj6c5%_pEHr?JHS3D3 zQC)d+ejxOBL|d+?M7_2}Fy|-CLogj1#Rae=LiPrhgZ~*z0|`$=6WYO-8*0;EyWfyHT*Ml6{)7O- zUWnsQx|a?nIhl1t;c@8yOKW{Ok+LTkYS#DpqGJ|r`7zUUleToGs)89g7nhDo0*GSsXLz3)d{Nq&3ZBOmDd8s06UH{cpev^U%!5 zQw0q0_scvBR+q2jz;xG9oR8q?@3^2}s9!M6{V$d0b~2F+za4_?T83lQAV3T6NXp zc#{6cITVX7UQqcPi6KA&_53n@N5Kkd3pwkaPoqcmgN`pR0`;)$(#E15r<1==fJqB}l8QqYj4bd$z4x;P8@vQ6 zp;p#Jf%-(oW(9L3*z5cm&Ts@04ky$XMw(xG>kA472gfITe*my)1v5S~5d-@GU+s54 z{DBkQb|ckkYSCj=S9C531(4t@$E;nPT94wcvVtFy;SNAzWt6C5TsM7n6jb7P3`b|p z2fKhvbfZAm+$JZe_Ald10c-TQ-B_f^nfD?ItROo=Sup73oE{RFGe2;)&@bFe zi~n^D{z)hmmH|M)i?Pcm=}{EE5?kZ#LY<|5Oy)W@`zBV3F)y(O`{OgSKVXJYXTMsb zm4~3<_+BGi*s~{36L#S}S$7pYf21WP%O~M%6K;JGFxx_R5W~fp_O9<-yEukgGr(BR zZE15KO${88Fod#1PNH)7bRhjX0#)7W6uS^&k%5Gtl?DuqP|h+brHC66)gxm>M#eSJ zj~KgpV4PFX%5+$ED8aaw$F_i>fWAec_hNIi8O^RC1Xdi!fboGylg94j4D5(~vPXgV zA4Bg3**E+i%JIYSv6N(_=lGnnD36tuXjxkz_i2tMQ`;5gA7l~z6e@EFa~olY{G1qP zFXV2*vjCg{xCWp(1eD_PARj_8C0R(GtB}ID0PIPd<4Oi{!dMH2Ha*y1C`RFGwjsa! ziNdwC!71ZSIV7p7hhRL0PHy)`#F!xMK=E8Ei0(_ugt8?LLb%}oIlt3wW*tIfR$M3{ zF-2a}JZA3CHLh--ykA@jEb`rgQC=sPK%pdr%>f;`QgV2a!s@D}=Nd4lOb0!wBh#IW zjcy1XDt`%$)qUx|f`^AJ^4co2w463(MI2sMBZsGCz7o|Tvao$i=DoCc_}#HwIW*(pj?-pLKBQ9vJhj-$w5@_d4@nd@wS z5dok!e&ku^WrIKxEsATA-(MTiA@6k%-_v3TcVLR7H&$$#jfvgFb?z@vg3}XKT}jvy zhh<>2>yD<8X~3XqLHEUCASORuAHdM=DkaBO6DEJf_TE#pL1v(&#Na1YgXXal&t(Zm zWIKpJBvM|KrY#YOZ9&+kJy^QPsGU+Jod8VUlrlI!MkV~9>Ly|8?`bC0ZDl23ZDBd$ z23L!mv{+d6$YLO00?i5rkzfc4$zN{bJ;bv7sXnuYmd4Ku~c&$%jYkv;m8fgl>ygjH%7?fZDDdi5obD5mRn z5s2lK-oiNz0-F-!R@XUXkNILC%=H$b4bXXdI>X2c5^?wGg7h7ya?5O6V};ZW2Rmks z>c8ly>r-Tp>hQ}pGK<>c>!*3Vx&VH;6shajcb^;f_5idzOdZt@ zJCpwlW4Rs+OdCAiHV8}wXexu)A}Wx3HWT65HC&Hgw%;b8qVavKSE4Ols9EmI^1+iQ z^}mzO_bgncb}AEin_mc{k}At#u<5sq*r2l5N7Ith)SI{X=73RtNHL`ga4g1jnR6X^ zxdjO0TdnN9F&gzrI2;a!e*rR{qBFi+uPhF!WM@G)o97yBCdz&Ajq->#3&9}`Jpv5= zSe^zS(vEI09yBAWR-j98^;4>)tvVz#rEF&s?2s;7CCk^U8SN!r81vc9Gh{a{u>id2*C0r@mGq}9 zE>dvyV~X%Q+$}VYEWN)<5Ky0XGCKvmd*)qr6Q=JhUX_he8BA*BPLV5>gLF;P5v6j?h9X?kSz;_{ zC#;qK#SyuK$Tn66S?R`vUMevHMxRS67NN2J3yb=O&zNCJep#KWUR61}*M8KTkt&fP z+f&kW9nXYu*p7fvP9Yhqx;>uXMvqYAF6v<#LC{{u6Y%3%In40$rI?Yvs)~>sPm;uf z?xZWDADHRX8jXcUbIr_ZCM_##yRQWibmYWPv*MjP#Q^+->GORWTq~dXTPrvjQQm$s zan1F@)4h{0(fy)lZFis(!&8qwxebOUSQLP?JZ(jZoR7O%Q~1zNRU;wKoNMD4dA`H( z{#a~F4$u}Ptf%~!NrY6wV6Q)&96H$PnA}17wv(r!ZLhNG+}QUb&a~6}r2Qf^6}H*- zN3Lb4%rW#IPkd>=kromuJ(aU^FeL)|e(1aY#2-&|NcM9t38maOnK=ek4%q342Lvq( znGu7p!YM6xjCqwO38KUo@jM~xn~Yhj8g>~Fd4L<^oxCdnJriLtQFnNG+78KcU`UJo z&|ZS_+=NTfB(8?DNPN=*e}RBU%u?bdBTBH+hTy|LC)wM#{dy|is8s_L;4#%!JF!Q> z@J}CG!Ayvgf#^aOaCn&>OP+lby@`R{&FlJaM7*C$NT~XJ<8BOm?|R@4SmQLRz~R{H zJYdQ#;LtlRXWvC1=~aWNcytn1&m>x(wx88W_!-jH1O##LDT|dM!z-EcGwsR{{6PRA zNpQ!ZRcAfpJMx)TWr9_|j?z-c>%$>wkO1oDuCF-=#qp+Hu|b+Uurnu5AZbjeZKLTg z{q1#(+H$g}q!tV;+7T6|B#vxBngtu9BH*r^{Zs`SgHaNjo2AHS?kIgWjeBa(!x@FD z8nTf#feD)bBBh#~$c|3C%JQ9;fDLJ{)xMc-D*YQ&$k?RBKVm#-virn$6Kcx9!wA@KY_E2#a3?EbEo zk=4YuZLwaNM|(D|H2Yz)YR<%aT-jVTo z&Sc*I5-VkNbM|?0!01q{tv+|+4{NH|j@goc;}M-ZU-3ab06=7=W(F&g0=$sPSfVTX z@kN`WJi$&V7lfoggwF!imx~_TD|ObAFshMPKed~`a6M1i@qb;$G;({4Rx-f9Yxk=h zeYmUX?->4~3pQ^BmS%|^k)#ACCD+FNuEfc8l!t%k!+xtDW$C+6)B0`|wVXI2WruwuXZygN>b{66$~)af8r6?KVxSGZi$D>Y|7 z+qE2ag(#}&)7-3+RH3=@JPBK&r~~YRZRq~sk8r+lp-oj#Y|o;s82-5F_y!2=3M1_XRNox6iXXbFZ zZNk9zz6tjm5Q&lfSvGsyPH=i+#*^U4YciCP8Aigps6#dPscp3Fyvf4mt;LJp-(006 z_rFGZnH4#t35aH)0Mh<;dr!TAbGR>CA?$e5C$ocn{CGsuP&Xk2I)DlG!b>f$gI*lD8XO<>VFs8u>>Ss&iyZ{@Ya2jPpZi0FRK-I+#C%zrqRB6_7iiUM; zGk-ps+0?nqQIflzJ}Lo4h^!+^$1QG1b(vXkkTf<0z!f|Z-9cfSZDAMT0c(K*QB;D- z4o;y~RJOn>pFcOhMIkGP2>@-Z!iy;4w^RlFQ`Oe^mLwV-;7CJW9AS<3AXMgNrkppy ziD#%bEKAo3DDHEX>`iy5u&cdMoQr~}-5GiMbD8Pu^C^7f_RRghMjNr#kzwS{ypBA# z3-qX0MuZ|CJP@M>nZz9>uA`e`tp#4-_ErYb>`{8#*t4Uw9q;JSLPPE69dN3YZ1WzU z)Ga4Z^g#n>-7D1_FTc#K$Oi-r_GamxI4BY*VMXx(Z3Rd3uGj5^>>Y54+Qu+=K#Jklj7?WT-rOi8KA` zcMdZc6q&`CwykPc3uYc*=rq3g`7Aa7l~%>e6J83ecc(0dc#curErWSVg-$JT`Hz@f zwH0arhAoB*Z};b0VmI(GVY53&rA`*Q=m=sH$64CatpJ%jB=8ie{V7+WSpy;o8uO;& z4)i5Q8-!^a=Ef4BHnxlxIBM@^l95q3J398__?T8pkd3Fy~;?;R1V~1B?WKE}0 ze#y+Zeh|t@@8EgY<>Zn^1Z&Ul^H=5P^sZWv?s^*VnOyfvp>_xZ8>QJ?tS*b?vtKRC zB)MG+XAYK5F{{L6gJy)*oM(B+rw{G0leTU$`X&qz+fEN`Qu zgfOW;?~BP(?+NIA6D+3MF>+WM0v9N&+2EeGu+6{q|2R# zlO%>n+PROYa3rxw^V8KZVQR+v{;kTZ{V+>JWaPg6SifTFEzHJjjR&k-mK3awJa4HR zwx89Q4qwS|ZN?{oOyEg1QHkGB8zZ*>*8e!NbI~;!^X{iAD19fR9D*pHwOATZx6H3? zyJGP^Tk0vlP$`-8F&nT(U5R2w5yZ({M8I=R{qecDhe8&b;3K0Dhmt0>{;R1)W(o+^y7D%eLL6N`?#EdHAvt z6HbQ7SA-itVhRQd2h0-Q-CS61ulenyKt2%utt=Q3(|p{i_ytlzhkfm9>nd~(45Hqs z5WPtGi=UpElm&m>b^;d`w$A4O?~%hoT7Mt6n44=9g%HkKg>jIinUt!z`Eq!N--32= zXQ0WgJzBgy_6TP`3O1Uh`H4>t9~u!+p>btS?|{P4XH`h~3!r?*pzisE*VVfJeQ3Cw zzkN(-OnCct2y)@@AY4n2{C~Q*@@S~nH$KL0Y-MRM_QpjR>rmOV#Spr#T*|(UWwM81 z+`5b~qHnfH*#_Cl7Q)bweGm#+rYxx#d$!^?x8Luae!t)Q*XMcO&wHLfp7WgdIp=-e z&$S*Gs)Uo;O_o|c=+3D;q14rnYAw|Kg|kZ-TwMMBM0SJT*IgD73(6dtZ#o!7h5)ag%y`SbJ)phONy$lMsV7}BbIL%EPcH(=}_0s ziNp9&JI{mlQT6M6moT~^QLL=26l>br#bEV$R=&NxLp+*Bs4Uy@ut0Z=r2FdhKlhaH zP@PArw(G)@SILZ#=S;RpWezHNr`5L$_#@Um%RAkx!fp|qloK`!DpyUf8Sw8Ri?I$t zkmgpg5~J^;NSEyceVN2K`Y7{NjZ|A)7OB_k#~Li{w3=u6$vb4~Y? zxg`5*#^hl{O7GX9)MaUJn&_^XAFPvT9n&K+xQJE$8adZ%;(hE+=odT=WmJl2D8}kG zUaLc72s8)xY3^RMxOmP66YQj{(ZTADHPc^`WX2fb|U$+`NJUYOlvYI#-j?o02HrqeQs;Hf{ zn<~!u9i$W0N!e?eO!gbh|3P~g-E-iAgn7GqMc354Q{NGH#@d-@ZTMtVXHH&m7IKfh zY%eT${UlRKI02Fuh`9Ksc%FnKiR&hya4F?SiR9ROW7=4!8o}!=w8OwJWw^Nrt=MD2 z!9c#b1sh)P2a9R;9|KFrOZ84O*N;3he5Vn5D6Jh=m0Vnr{#@W+J^_~%%w+|2%8Et1 zy5Pk=4PC3&LY1-(PX*0mpQQ~leYIBJxNrWucI1YkjO?g6P{L=hlyo7(C&HKKOm57a zb4L&{x+J&S?@Qg<+fT-6L}eTo)K|kUg+cpFJuZXG!6nVMBI&*cgGa^9#rPytjn?F=e(8i>MJXTmmNzK^`#b?)%HuyK+2e0u$``w3pj5aF+O zCxkS-;=Y}l>x!p++`{3IN+hAZbnK{Rf+gO*IhPu`G8fN|lM0L(zeh^H2K7S*@pNWI9F43)sY4>t(gwH8#eX7>`??N{Z#>SO}w#94Sbl6xFEhGy1+3 zUR`BqGaUW&0C{=Q?fj$a1mC~y$!PYTA10L_e!uGMhc8$A3kSuhP#KG=EKrHPHMJd) zi!vezIjf(Dl4l8Fs7fvxgQIJ9Epsjw#lIh<=2ecA65|~S=V(1K zFhzB)_lZ)fGHpX?XQjIrfZM#Gajy!^F33n54^fsal|Nt%1m&j2D$JHQec8MbN3A!) zbaJToG!rBJ0_7YEJu0;zO!i4}<`PC-C^632UX&4TU?6p!8sK&F_`oVk)%C?vlgR2M zTfZsC%Y<3C$Au{R^H6XIGQF}?q9amYH1u1^&THn_01Lv=`#uRIh^^KME?DGIE@{)M0m=F8&JF(-SFEJI zNmXa5R2*E=&Z=Jk=lF?|hRzkrdtYk$w5q2nY2%ouck7P(Cl~)r^X)+BtNwl5e zH@d$mk@UKlAV1#dU{mTlX%^EWTlWFCc39pE6xk!y#y_LHHd;GRb z%QCGUkNmq|)-W?pA?UQ9!BwAbW3K$)Sv6CmcCcsxs(gjavCyk2c@1adn5;ta?ffBLBfV*J~lmg zlq=x}jV7bQO)YhZt_{u7XXdr#)SP(6z5gZ)S>^T|y?)8L z!<`%uJxU2qpqGf!V_ok_w3FQwU%w+Dt4;4bY@W zP3g+C8_P?x_7~;fy=ES2Uq*8Nx%YNSh{( z$qRIri2+2SVjXAsDF_hLCJj6&RjeCon_vJEiDJNfnIbSo%&!xzS72biDIl+%UuV^z z#(>KsuB3D^Hx`tJLDTp}!pCHhqiBoUUE`bcR~q?#n@XBB(%stJygP7o>8f`Pv@j^V zdlB`FQ&B5mHM~0?$#Wn&ASG8}x28~i4WB-1zdoRKUD3xJK*Fma7jVRH z6|%d2DZDAAJL%E~c2ail<79hJCWNRPYwBvl{}S}MdSv$3;D%kzd2st-3uh#T`pTcNzrU>8i=1sG(JyKOwNV8 z<}=WMl}XLCj1ab5lM>!HJV^DnOoDtf)$D9bZ)x55!t*ngqD?N$0P8R}fGZUMp0p_z zb(S&!QzP7U&qxRC|IyQ`?z3f>0vP%gVZU^8Kp-exw&K?^}Lph+4 z!V6dq3xh9}03RuE02mQweEbXqJSXu3TEhbLa^U9q?}%NsAYi17ABY{62Upbr=jug( z?qOco&mv&}ft2VvM5q3n51Oh6Hivb<)h__$5p8fq3lKO0r{_$Vk-P2RQJ%Ch1AQa% zj5pf Date: Thu, 15 Aug 2024 14:20:12 +0400 Subject: [PATCH 06/15] . --- eslzArm/eslz-portal.json | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/eslzArm/eslz-portal.json b/eslzArm/eslz-portal.json index 9a1ab2304f..ebfc5a38ff 100644 --- a/eslzArm/eslz-portal.json +++ b/eslzArm/eslz-portal.json @@ -273,16 +273,20 @@ { "name": "enablePrivateSubnet", "type": "Microsoft.Common.OptionsGroup", - "label": "*New* Audit virtual networks using private subnets", - "defaultValue": "Yes (recommended)", + "label": "*New* Deny virtual networks not using private subnets", + "defaultValue": "Audit only (recommended)", "visible": true, - "toolTip": "If 'Yes' is selected then Azure Policy will audit whether virtual network subnets are private.
Ensure your subnets are secure by default by preventing default outbound access. For more information go to https://aka.ms/defaultoutboundaccessretirement.
Uses the policy Subnets should be private.", + "toolTip": "If 'Audit' is selected then Azure Policy will audit whether virtual network subnets are private. Warning Be careful with selecting Deny as this will block the creation of any virtual network without private subnets.
Ensure your subnets are secure by default by preventing default outbound access. For more information go to https://aka.ms/defaultoutboundaccessretirement.
Uses the policy Subnets should be private.", "constraints": { "allowedValues": [ { - "label": "Yes (recommended)", + "label": "Yes", "value": "Yes" }, + { + "label": "Audit only (recommended)", + "value": "Audit" + }, { "label": "No", "value": "No" From b08b6290daa2e7bf1039aa4b8463d1c208e6254a Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Thu, 15 Aug 2024 14:32:14 +0400 Subject: [PATCH 07/15] feat: Update Subnets should be private policy assignment effect to default to "Audit" --- docs/wiki/Whats-new.md | 2 +- eslzArm/eslz-portal.json | 2 +- eslzArm/eslzArm.json | 17 ++++++++++++----- .../ENFORCE-SubnetPrivatePolicyAssignment.json | 11 ++++++++++- 4 files changed, 24 insertions(+), 8 deletions(-) diff --git a/docs/wiki/Whats-new.md b/docs/wiki/Whats-new.md index 7771751d39..fa78e958d4 100644 --- a/docs/wiki/Whats-new.md +++ b/docs/wiki/Whats-new.md @@ -51,7 +51,7 @@ Here's what's changed in Enterprise Scale/Azure Landing Zones: - Updated the initiative [Deploy-MDFC-Config_20240319](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Deploy-MDFC-Config_20240319.html) to the the newer version of DCSPM: [Configure Microsoft Defender CSPM plan](https://www.azadvertizer.net/azpolicyadvertizer/72f8cee7-2937-403d-84a1-a4e3e57f3c21.html) - Updated [Deploy-Private-DNS-Generic](https://www.azadvertizer.net/azpolicyadvertizer/Deploy-Private-DNS-Generic.html) policy to include the ability to configure the location/region. - Removed duplicate assignment and portal option of [Deploy Azure Policy Add-on to Azure Kubernetes Service clusters](https://www.azadvertizer.net/azpolicyadvertizer/a8eff44f-8c92-45c3-a3fb-9880802d67a7.html) at Landing Zones scope, as this policy is assigned in the initiative [Deploy Microsoft Defender for Cloud configuration](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Deploy-MDFC-Config_20240319.html) at Intermediate Root scope. -- Added new built-in policy assignment and portal option for [Subnets should be private](https://www.azadvertizer.net/azpolicyadvertizer/7bca8353-aa3b-429b-904a-9229c4385837.html) assigned at Platform and Landing Zones management groups. This policy's assignment effect is fixed to "Audit" in this release, giving the community time to adopt the good practice and address subnet compliance. We will enable the "Deny" effect as part of the next Policy Refresh. +- Added new built-in policy assignment and portal option for [Subnets should be private](https://www.azadvertizer.net/azpolicyadvertizer/7bca8353-aa3b-429b-904a-9229c4385837.html) assigned at Platform and Landing Zones management groups. This policy's assignment effect is defaulted to "Audit" in this release, giving the community time to adopt the good practice and address subnet compliance. We will default to the "Deny" effect as part of the next Policy Refresh. ### June 2024 diff --git a/eslzArm/eslz-portal.json b/eslzArm/eslz-portal.json index ebfc5a38ff..8c9b043d9b 100644 --- a/eslzArm/eslz-portal.json +++ b/eslzArm/eslz-portal.json @@ -276,7 +276,7 @@ "label": "*New* Deny virtual networks not using private subnets", "defaultValue": "Audit only (recommended)", "visible": true, - "toolTip": "If 'Audit' is selected then Azure Policy will audit whether virtual network subnets are private. Warning Be careful with selecting Deny as this will block the creation of any virtual network without private subnets.
Ensure your subnets are secure by default by preventing default outbound access. For more information go to https://aka.ms/defaultoutboundaccessretirement.
Uses the policy Subnets should be private.", + "toolTip": "If 'Audit' is selected then Azure Policy will audit whether virtual network subnets are private in the Platform and Landing Zones management groups. Warning Be careful with selecting Deny as this will block the creation of any virtual network without private subnets.
Ensure your subnets are secure by default by preventing default outbound access. For more information go to https://aka.ms/defaultoutboundaccessretirement.
Uses the policy Subnets should be private.", "constraints": { "allowedValues": [ { diff --git a/eslzArm/eslzArm.json b/eslzArm/eslzArm.json index 7d16fbd37f..0a554c401d 100644 --- a/eslzArm/eslzArm.json +++ b/eslzArm/eslzArm.json @@ -16,10 +16,11 @@ }, "enablePrivateSubnet": { "type": "string", - "defaultValue": "No", + "defaultValue": "Audit", "allowedValues": [ - "Yes", - "No" + "Audit", + "Deny", + "Disabled" ] }, "telemetryOptOut": { @@ -6437,7 +6438,7 @@ } }, { - "condition": "[equals(parameters('enablePrivateSubnet'), 'Yes')]", + "condition": "[or(equals(parameters('enablePrivateSubnet'), 'Yes'), equals(parameters('enablePrivateSubnet'), 'Audit'))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", "name": "[variables('deploymentNames').privateSubnetDeploymentName]", @@ -6455,12 +6456,15 @@ "parameters": { "enforcementMode": { "value": "[if(equals(parameters('enablePrivateSubnet'), 'Yes'), 'Default', 'DoNotEnforce')]" + }, + "effect": { + "value": "[if(equals(parameters('enablePrivateSubnet'), 'Yes'), 'Deny', 'Audit')]" } } } }, { - "condition": "[equals(parameters('enablePrivateSubnet'), 'Yes')]", + "condition": "[or(equals(parameters('enablePrivateSubnet'), 'Yes'), equals(parameters('enablePrivateSubnet'), 'Audit'))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", "name": "[variables('deploymentNames').privateSubnetDeploymentName]", @@ -6478,6 +6482,9 @@ "parameters": { "enforcementMode": { "value": "[if(equals(parameters('enablePrivateSubnet'), 'Yes'), 'Default', 'DoNotEnforce')]" + }, + "effect": { + "value": "[if(equals(parameters('enablePrivateSubnet'), 'Yes'), 'Deny', 'Audit')]" } } } diff --git a/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-SubnetPrivatePolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-SubnetPrivatePolicyAssignment.json index 9d33bae489..edb0fe9b6c 100644 --- a/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-SubnetPrivatePolicyAssignment.json +++ b/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-SubnetPrivatePolicyAssignment.json @@ -2,6 +2,15 @@ "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", "contentVersion": "1.0.0.0", "parameters": { + "effect": { + "type": "string", + "allowedValues": [ + "Deny", + "Audit", + "Disabled" + ], + "defaultValue": "Audit" + }, "enforcementMode": { "type": "string", "allowedValues": [ @@ -47,7 +56,7 @@ ], "parameters": { "effect": { - "value": "Audit" + "value": "[parameters('effect')]" } } } From 46a485e6356df41254bf04904dd52260492b5a78 Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Thu, 15 Aug 2024 16:27:19 +0400 Subject: [PATCH 08/15] . --- eslzArm/eslz-portal.json | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/eslzArm/eslz-portal.json b/eslzArm/eslz-portal.json index 8c9b043d9b..ac6946935e 100644 --- a/eslzArm/eslz-portal.json +++ b/eslzArm/eslz-portal.json @@ -279,18 +279,19 @@ "toolTip": "If 'Audit' is selected then Azure Policy will audit whether virtual network subnets are private in the Platform and Landing Zones management groups. Warning Be careful with selecting Deny as this will block the creation of any virtual network without private subnets.
Ensure your subnets are secure by default by preventing default outbound access. For more information go to https://aka.ms/defaultoutboundaccessretirement.
Uses the policy Subnets should be private.", "constraints": { "allowedValues": [ - { - "label": "Yes", - "value": "Yes" - }, + // { + // "label": "Yes", + // "value": "Yes" + // }, { "label": "Audit only (recommended)", "value": "Audit" - }, - { - "label": "No", - "value": "No" } + // }, + // { + // "label": "No", + // "value": "No" + // } ] } }, From 5fbe2eb54d33543e64edbe1f3b40dc25093bf5ce Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Thu, 15 Aug 2024 16:28:44 +0400 Subject: [PATCH 09/15] . --- eslzArm/eslz-portal.json | 9 --------- 1 file changed, 9 deletions(-) diff --git a/eslzArm/eslz-portal.json b/eslzArm/eslz-portal.json index ac6946935e..5f85ee9b93 100644 --- a/eslzArm/eslz-portal.json +++ b/eslzArm/eslz-portal.json @@ -279,19 +279,10 @@ "toolTip": "If 'Audit' is selected then Azure Policy will audit whether virtual network subnets are private in the Platform and Landing Zones management groups. Warning Be careful with selecting Deny as this will block the creation of any virtual network without private subnets.
Ensure your subnets are secure by default by preventing default outbound access. For more information go to https://aka.ms/defaultoutboundaccessretirement.
Uses the policy Subnets should be private.", "constraints": { "allowedValues": [ - // { - // "label": "Yes", - // "value": "Yes" - // }, { "label": "Audit only (recommended)", "value": "Audit" } - // }, - // { - // "label": "No", - // "value": "No" - // } ] } }, From 814188f345728d0f09e02d883bb7f38b48914cd4 Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Thu, 15 Aug 2024 16:30:54 +0400 Subject: [PATCH 10/15] . --- eslzArm/eslz-portal.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/eslzArm/eslz-portal.json b/eslzArm/eslz-portal.json index 5f85ee9b93..143144b73f 100644 --- a/eslzArm/eslz-portal.json +++ b/eslzArm/eslz-portal.json @@ -276,7 +276,7 @@ "label": "*New* Deny virtual networks not using private subnets", "defaultValue": "Audit only (recommended)", "visible": true, - "toolTip": "If 'Audit' is selected then Azure Policy will audit whether virtual network subnets are private in the Platform and Landing Zones management groups. Warning Be careful with selecting Deny as this will block the creation of any virtual network without private subnets.
Ensure your subnets are secure by default by preventing default outbound access. For more information go to https://aka.ms/defaultoutboundaccessretirement.
Uses the policy Subnets should be private.", + "toolTip": "If 'Audit' is selected then Azure Policy will audit whether virtual network subnets are private in the Platform and Landing Zones management groups. We are only enabling AUDIT at this time, as ALZ will not deploy is DENY is selected currently.
Ensure your subnets are secure by default by preventing default outbound access. For more information go to https://aka.ms/defaultoutboundaccessretirement.
Uses the policy Subnets should be private.", "constraints": { "allowedValues": [ { From f5b14fa2e191b904f83b6c54ca04ab33c79484d1 Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Thu, 15 Aug 2024 16:50:37 +0400 Subject: [PATCH 11/15] . --- eslzArm/eslz-portal.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/eslzArm/eslz-portal.json b/eslzArm/eslz-portal.json index 143144b73f..4a417ed58a 100644 --- a/eslzArm/eslz-portal.json +++ b/eslzArm/eslz-portal.json @@ -276,7 +276,7 @@ "label": "*New* Deny virtual networks not using private subnets", "defaultValue": "Audit only (recommended)", "visible": true, - "toolTip": "If 'Audit' is selected then Azure Policy will audit whether virtual network subnets are private in the Platform and Landing Zones management groups. We are only enabling AUDIT at this time, as ALZ will not deploy is DENY is selected currently.
Ensure your subnets are secure by default by preventing default outbound access. For more information go to https://aka.ms/defaultoutboundaccessretirement.
Uses the policy Subnets should be private.", + "toolTip": "If 'Audit' is selected then Azure Policy will audit whether virtual network subnets are private in the Platform and Landing Zones management groups. We are only enabling AUDIT at this time, as ALZ will not deploy if DENY is selected currently.
Ensure your subnets are secure by default by preventing default outbound access. For more information go to https://aka.ms/defaultoutboundaccessretirement.
Uses the policy Subnets should be private.", "constraints": { "allowedValues": [ { From 33306fdbfff0d7c18fe9a8510339b6ce36bc0114 Mon Sep 17 00:00:00 2001 From: github-actions <41898282+github-actions[bot]@users.noreply.github.com> Date: Thu, 15 Aug 2024 12:56:03 +0000 Subject: [PATCH 12/15] Auto-update Portal experience [Springstone/f1554a8f] --- .../policyDefinitions/initiatives.json | 4 ++-- .../policyDefinitions/policies.json | 6 +++--- .../roleDefinitions/customRoleDefinitions.json | 4 ++-- 3 files changed, 7 insertions(+), 7 deletions(-) diff --git a/eslzArm/managementGroupTemplates/policyDefinitions/initiatives.json b/eslzArm/managementGroupTemplates/policyDefinitions/initiatives.json index e6225372d5..ab9cbd9da1 100644 --- a/eslzArm/managementGroupTemplates/policyDefinitions/initiatives.json +++ b/eslzArm/managementGroupTemplates/policyDefinitions/initiatives.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.28.1.47646", - "templateHash": "9203697895916455860" + "version": "0.29.47.4906", + "templateHash": "14175278704503096" } }, "parameters": { diff --git a/eslzArm/managementGroupTemplates/policyDefinitions/policies.json b/eslzArm/managementGroupTemplates/policyDefinitions/policies.json index 89e201baad..02faa4153a 100644 --- a/eslzArm/managementGroupTemplates/policyDefinitions/policies.json +++ b/eslzArm/managementGroupTemplates/policyDefinitions/policies.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.28.1.47646", - "templateHash": "2449863039247600800" + "version": "0.29.47.4906", + "templateHash": "1206003654465253802" } }, "parameters": { @@ -124,7 +124,7 @@ "$fxv#139": "{\n \"name\": \"Modify-NSG\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Enforce specific configuration of Network Security Groups (NSG)\",\n \"description\": \"This policy enforces the configuration of Network Security Groups (NSG).\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Modify\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"nsgRuleName\": {\n \"type\": \"string\",\n \"defaultValue\": \"DenyAnyInternetOutbound\"\n },\n \"nsgRulePriority\": {\n \"type\": \"integer\",\n \"defaultValue\": 1000\n },\n \"nsgRuleDirection\": {\n \"type\": \"string\",\n \"allowedValues\": [\n \"Inbound\",\n \"Outbound\"\n ],\n \"defaultValue\": \"Outbound\"\n },\n \"nsgRuleAccess\": {\n \"type\": \"string\",\n \"allowedValues\": [\n \"Allow\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"nsgRuleProtocol\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"nsgRuleSourceAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"nsgRuleSourcePortRange\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"nsgRuleDestinationAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"Internet\"\n },\n \"nsgRuleDestinationPortRange\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"nsgRuleDescription\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny any outbound traffic to the Internet\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/networkSecurityGroups\"\n },\n {\n \"count\": {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules[*]\"\n },\n \"equals\": 0\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7\"\n ],\n \"conflictEffect\": \"audit\",\n \"operations\": [\n {\n \"operation\": \"add\",\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules[*]\",\n \"value\": {\n \"name\": \"[[parameters('nsgRuleName')]\",\n \"properties\": {\n \"description\": \"[[parameters('nsgRuleDescription')]\",\n \"protocol\": \"[[parameters('nsgRuleProtocol')]\",\n \"sourcePortRange\": \"[[parameters('nsgRuleSourcePortRange')]\",\n \"destinationPortRange\": \"[[parameters('nsgRuleDestinationPortRange')]\",\n \"sourceAddressPrefix\": \"[[parameters('nsgRuleSourceAddressPrefix')]\",\n \"destinationAddressPrefix\": \"[[parameters('nsgRuleDestinationAddressPrefix')]\",\n \"access\": \"[[parameters('nsgRuleAccess')]\",\n \"priority\": \"[[parameters('nsgRulePriority')]\",\n \"direction\": \"[[parameters('nsgRuleDirection')]\"\n }\n }\n }\n ]\n }\n }\n }\n }\n}", "$fxv#14": "{\n \"name\": \"Deny-PostgreSql-http\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"PostgreSQL database servers enforce SSL connection.\",\n \"description\": \"Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\",\n \"metadata\": {\n \"version\": \"1.0.1\",\n \"category\": \"SQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"minimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Select version minimum TLS for PostgreSQL server\",\n \"description\": \"Select version minimum TLS version Azure Database for PostgreSQL server to enforce\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.DBforPostgreSQL/servers\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.DBforPostgreSQL/servers/sslEnforcement\",\n \"exists\": \"false\"\n },\n {\n \"field\": \"Microsoft.DBforPostgreSQL/servers/sslEnforcement\",\n \"notEquals\": \"Enabled\"\n },\n {\n \"field\": \"Microsoft.DBforPostgreSQL/servers/minimalTlsVersion\",\n \"notequals\": \"[[parameters('minimalTlsVersion')]\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", "$fxv#140": "{\n \"name\": \"Modify-UDR\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Enforce specific configuration of User-Defined Routes (UDR)\",\n \"description\": \"This policy enforces the configuration of User-Defined Routes (UDR) within a subnet.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Modify\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"addressPrefix\": {\n \"type\": \"string\",\n \"metadata\": {\n \"description\": \"The destination IP address range in CIDR notation that this Policy checks for within the UDR. Example: 0.0.0.0/0 to check for the presence of a default route.\",\n \"displayName\": \"Address Prefix\"\n }\n },\n \"nextHopType\": {\n \"type\": \"string\",\n \"metadata\": {\n \"description\": \"The next hope type that the policy checks for within the inspected route. The value can be Virtual Network, Virtual Network Gateway, Internet, Virtual Appliance, or None.\",\n \"displayName\": \"Next Hop Type\"\n },\n \"allowedValues\": [\n \"VnetLocal\",\n \"VirtualNetworkGateway\",\n \"Internet\",\n \"VirtualAppliance\",\n \"None\"\n ]\n },\n \"nextHopIpAddress\": {\n \"type\": \"string\",\n \"metadata\": {\n \"description\": \"The IP address packets should be forwarded to.\",\n \"displayName\": \"Next Hop IP Address\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/routeTables\"\n },\n {\n \"count\": {\n \"field\": \"Microsoft.Network/routeTables/routes[*]\"\n },\n \"equals\": 0\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7\"\n ],\n \"conflictEffect\": \"audit\",\n \"operations\": [\n {\n \"operation\": \"add\",\n \"field\": \"Microsoft.Network/routeTables/routes[*]\",\n \"value\": {\n \"name\": \"default\",\n \"properties\": {\n \"addressPrefix\": \"[[parameters('addressPrefix')]\",\n \"nextHopType\": \"[[parameters('nextHopType')]\",\n \"nextHopIpAddress\": \"[[parameters('nextHopIpAddress')]\"\n }\n }\n }\n ]\n }\n }\n }\n }\n}", - "$fxv#141": "{\n \"name\": \"Deploy-Private-DNS-Generic\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Deploy-Private-DNS-Generic\",\n \"description\": \"Configure private DNS zone group to override the DNS resolution for PaaS services private endpoint. See https://aka.ms/pepdnszones for information on values to provide to parameters in this policy.\",\n \"metadata\": {\n \"version\": \"2.0.0\",\n \"category\": \"Networking\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \t\"AzureChinaCloud\",\n \t\t\"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n },\n \"privateDnsZoneId\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Private DNS Zone ID for PaaS services\",\n \"description\": \"The private DNS zone name required for specific PaaS Services to resolve a private DNS Zone.\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"assignPermissions\": true\n }\n },\n \"resourceType\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"PaaS private endpoint resource type\",\n \"description\": \"The PaaS endpoint resource type.\"\n }\n },\n \"groupId\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"PaaS Private endpoint group ID (subresource)\",\n \"description\": \"The group ID of the PaaS private endpoint. Also referred to as subresource.\"\n }\n },\n \"evaluationDelay\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Evaluation Delay\",\n \"description\": \"The delay in evaluation of the policy. Review delay options at https://learn.microsoft.com/en-us/azure/governance/policy/concepts/effect-deploy-if-not-exists\"\n },\n \"defaultValue\": \"PT10M\"\n },\n \"location\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Location (Specify the Private Endpoint location)\",\n \"description\": \"Specify the Private Endpoint location\",\n \"strongType\": \"location\"\n },\n \"defaultValue\": \"uksouth\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"location\",\n \"equals\": \"[[parameters('location')]\"\n },\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/privateEndpoints\"\n },\n {\n \"count\": {\n \"field\": \"Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*]\",\n \"where\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].privateLinkServiceId\",\n \"contains\": \"[[parameters('resourceType')]\"\n },\n {\n \"field\": \"Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]\",\n \"equals\": \"[[parameters('groupId')]\"\n }\n ]\n }\n },\n \"greaterOrEquals\": 1\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Network/privateEndpoints/privateDnsZoneGroups\",\n \"evaluationDelay\": \"[[parameters('evaluationDelay')]\",\n \"roleDefinitionIds\": [\n \"/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"incremental\",\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"type\": \"string\"\n },\n \"privateEndpointName\": {\n \"type\": \"string\"\n },\n \"location\": {\n \"type\": \"string\"\n }\n },\n \"resources\": [\n {\n \"name\": \"[[concat(parameters('privateEndpointName'), '/deployedByPolicy')]\",\n \"type\": \"Microsoft.Network/privateEndpoints/privateDnsZoneGroups\",\n \"apiVersion\": \"2020-03-01\",\n \"location\": \"[[parameters('location')]\",\n \"properties\": {\n \"privateDnsZoneConfigs\": [\n {\n \"name\": \"PaaS-Service-Private-DNS-Zone-Config\",\n \"properties\": {\n \"privateDnsZoneId\": \"[[parameters('privateDnsZoneId')]\"\n }\n }\n ]\n }\n }\n ]\n },\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('privateDnsZoneId')]\"\n },\n \"privateEndpointName\": {\n \"value\": \"[[field('name')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}\n", + "$fxv#141": "{\n \"name\": \"Deploy-Private-DNS-Generic\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Deploy-Private-DNS-Generic\",\n \"description\": \"Configure private DNS zone group to override the DNS resolution for PaaS services private endpoint. See https://aka.ms/pepdnszones for information on values to provide to parameters in this policy.\",\n \"metadata\": {\n \"version\": \"2.0.0\",\n \"category\": \"Networking\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \t\"AzureChinaCloud\",\n \t\t\"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n },\n \"privateDnsZoneId\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Private DNS Zone ID for PaaS services\",\n \"description\": \"The private DNS zone name required for specific PaaS Services to resolve a private DNS Zone.\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"assignPermissions\": true\n }\n },\n \"resourceType\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"PaaS private endpoint resource type\",\n \"description\": \"The PaaS endpoint resource type.\"\n }\n },\n \"groupId\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"PaaS Private endpoint group ID (subresource)\",\n \"description\": \"The group ID of the PaaS private endpoint. Also referred to as subresource.\"\n }\n },\n \"evaluationDelay\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Evaluation Delay\",\n \"description\": \"The delay in evaluation of the policy. Review delay options at https://learn.microsoft.com/en-us/azure/governance/policy/concepts/effect-deploy-if-not-exists\"\n },\n \"defaultValue\": \"PT10M\"\n },\n \"location\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Location (Specify the Private Endpoint location)\",\n \"description\": \"Specify the Private Endpoint location\",\n \"strongType\": \"location\"\n },\n \"defaultValue\": \"northeurope\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"location\",\n \"equals\": \"[[parameters('location')]\"\n },\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/privateEndpoints\"\n },\n {\n \"count\": {\n \"field\": \"Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*]\",\n \"where\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].privateLinkServiceId\",\n \"contains\": \"[[parameters('resourceType')]\"\n },\n {\n \"field\": \"Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]\",\n \"equals\": \"[[parameters('groupId')]\"\n }\n ]\n }\n },\n \"greaterOrEquals\": 1\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Network/privateEndpoints/privateDnsZoneGroups\",\n \"evaluationDelay\": \"[[parameters('evaluationDelay')]\",\n \"roleDefinitionIds\": [\n \"/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"incremental\",\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"type\": \"string\"\n },\n \"privateEndpointName\": {\n \"type\": \"string\"\n },\n \"location\": {\n \"type\": \"string\"\n }\n },\n \"resources\": [\n {\n \"name\": \"[[concat(parameters('privateEndpointName'), '/deployedByPolicy')]\",\n \"type\": \"Microsoft.Network/privateEndpoints/privateDnsZoneGroups\",\n \"apiVersion\": \"2020-03-01\",\n \"location\": \"[[parameters('location')]\",\n \"properties\": {\n \"privateDnsZoneConfigs\": [\n {\n \"name\": \"PaaS-Service-Private-DNS-Zone-Config\",\n \"properties\": {\n \"privateDnsZoneId\": \"[[parameters('privateDnsZoneId')]\"\n }\n }\n ]\n }\n }\n ]\n },\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('privateDnsZoneId')]\"\n },\n \"privateEndpointName\": {\n \"value\": \"[[field('name')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}\n", "$fxv#142": "{\n \"name\": \"DenyAction-DeleteResources\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Do not allow deletion of specified resource and resource type\",\n \"description\": \"This policy enables you to specify the resource and resource type that your organization can protect from accidentals deletion by blocking delete calls using the deny action effect.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"General\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Name\",\n \"description\": \"Provide the name of the resource that you want to protect from accidental deletion.\"\n }\n },\n \"resourceType\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Type\",\n \"description\": \"Provide the resource type that you want to protect from accidental deletion.\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DenyAction\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DenyAction\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"[[parameters('resourceType')]\"\n },\n {\n \"field\": \"name\",\n \"like\": \"[[parameters('resourceName')]\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"actionNames\": [\n \"delete\"\n ]\n }\n }\n }\n }\n}\n", "$fxv#143": "{\n \"name\": \"Audit-MachineLearning-PrivateEndpointId\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Control private endpoint connections to Azure Machine Learning\",\n \"description\": \"Audit private endpoints that are created in other subscriptions and/or tenants for Azure Machine Learning.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Machine Learning\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.MachineLearningServices/workspaces/privateEndpointConnections\"\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/privateEndpointConnections/privateLinkServiceConnectionState.status\",\n \"equals\": \"Approved\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/privateEndpointConnections/privateEndpoint.id\",\n \"exists\": false\n },\n {\n \"value\": \"[[split(concat(field('Microsoft.MachineLearningServices/workspaces/privateEndpointConnections/privateEndpoint.id'), '//'), '/')[2]]\",\n \"notEquals\": \"[[subscription().subscriptionId]\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", "$fxv#144": "{\n \"name\": \"Deny-AA-child-resources\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"No child resources in Automation Account\",\n \"description\": \"This policy denies the creation of child resources on the Automation Account\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Automation\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"in\": [\n \"Microsoft.Automation/automationAccounts/runbooks\",\n \"Microsoft.Automation/automationAccounts/variables\",\n \"Microsoft.Automation/automationAccounts/modules\",\n \"Microsoft.Automation/automationAccounts/credentials\",\n \"Microsoft.Automation/automationAccounts/connections\",\n \"Microsoft.Automation/automationAccounts/certificates\"\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", diff --git a/eslzArm/managementGroupTemplates/roleDefinitions/customRoleDefinitions.json b/eslzArm/managementGroupTemplates/roleDefinitions/customRoleDefinitions.json index 385dcbebdf..6c8ce646a2 100644 --- a/eslzArm/managementGroupTemplates/roleDefinitions/customRoleDefinitions.json +++ b/eslzArm/managementGroupTemplates/roleDefinitions/customRoleDefinitions.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.28.1.47646", - "templateHash": "7289710698265093596" + "version": "0.29.47.4906", + "templateHash": "12429908550017328445" } }, "variables": { From 46954e4d7712eec09d8f5c9ca779b33bd36dba29 Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Thu, 15 Aug 2024 18:30:04 +0400 Subject: [PATCH 13/15] feat: Update label for subnets should be private policy in eslz-portal.json --- eslzArm/eslz-portal.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/eslzArm/eslz-portal.json b/eslzArm/eslz-portal.json index 5f34cbcba4..5e15f14973 100644 --- a/eslzArm/eslz-portal.json +++ b/eslzArm/eslz-portal.json @@ -273,7 +273,7 @@ { "name": "enablePrivateSubnet", "type": "Microsoft.Common.OptionsGroup", - "label": "*New* Deny virtual networks not using private subnets", + "label": "*New* Enforce subnets should be private", "defaultValue": "Audit only (recommended)", "visible": true, "toolTip": "If 'Audit' is selected then Azure Policy will audit whether virtual network subnets are private in the Platform and Landing Zones management groups. We are only enabling AUDIT at this time, as ALZ will not deploy if DENY is selected currently.
Ensure your subnets are secure by default by preventing default outbound access. For more information go to https://aka.ms/defaultoutboundaccessretirement.
Uses the policy Subnets should be private.", From fd57bf35c68ceaacd24be607898293bf21243a58 Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Thu, 15 Aug 2024 18:42:21 +0400 Subject: [PATCH 14/15] . --- eslzArm/eslz-portal.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/eslzArm/eslz-portal.json b/eslzArm/eslz-portal.json index 5e15f14973..1f5e6446ee 100644 --- a/eslzArm/eslz-portal.json +++ b/eslzArm/eslz-portal.json @@ -276,7 +276,7 @@ "label": "*New* Enforce subnets should be private", "defaultValue": "Audit only (recommended)", "visible": true, - "toolTip": "If 'Audit' is selected then Azure Policy will audit whether virtual network subnets are private in the Platform and Landing Zones management groups. We are only enabling AUDIT at this time, as ALZ will not deploy if DENY is selected currently.
Ensure your subnets are secure by default by preventing default outbound access. For more information go to https://aka.ms/defaultoutboundaccessretirement.
Uses the policy Subnets should be private.", + "toolTip": "Ensure your subnets are secure by default by preventing default outbound access. For more information go to https://aka.ms/defaultoutboundaccessretirement.
Uses the policy Subnets should be private.", "constraints": { "allowedValues": [ { From 0204f02e1ccc97fe025504a5bdd08fb6288569eb Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Mon, 19 Aug 2024 15:07:00 +0400 Subject: [PATCH 15/15] Update eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-SubnetPrivatePolicyAssignment.json Co-authored-by: Jack Tracey <41163455+jtracey93@users.noreply.github.com> --- .../ENFORCE-SubnetPrivatePolicyAssignment.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-SubnetPrivatePolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-SubnetPrivatePolicyAssignment.json index edb0fe9b6c..c1092bb317 100644 --- a/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-SubnetPrivatePolicyAssignment.json +++ b/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-SubnetPrivatePolicyAssignment.json @@ -29,7 +29,7 @@ "privateSubnet": "/providers/Microsoft.Authorization/policyDefinitions/7bca8353-aa3b-429b-904a-9229c4385837" }, "policyAssignmentNames": { - "privateSubnet": "Enforce-Subnet-private", + "privateSubnet": "Enforce-Subnet-Private", "description": "Ensure your subnets are secure by default by preventing default outbound access. For more information go to https://aka.ms/defaultoutboundaccessretirement", "displayName": "Subnets should be private" },