From 9f52a6becf44af7d8dda356997b792e92dd4c6a0 Mon Sep 17 00:00:00 2001
From: Marco Jahn <jahnmar@amazon.de>
Date: Mon, 17 Mar 2025 13:45:36 +0100
Subject: [PATCH 01/11] added apigw-secretsmanager-apikey-cdk

---
 apigw-secretsmanager-apikey-cdk/README.md     |  99 ++++++++++++++++++
 .../apigw-secretsmanager-apikey-cdk.png       | Bin 0 -> 39436 bytes
 .../bin/apigw-secrectsmanager-apikey-cdk.ts   |  12 +++
 apigw-secretsmanager-apikey-cdk/cdk.json      |  88 ++++++++++++++++
 .../create_api_key.sh                         |  21 ++++
 .../example-pattern.json                      |  65 ++++++++++++
 .../lib/apigw-secretsmanager-apikey-stack.ts  |  93 ++++++++++++++++
 .../lib/lambda/authorizer.js                  |  87 +++++++++++++++
 apigw-secretsmanager-apikey-cdk/package.json  |  26 +++++
 .../remove_secrets.sh                         |  33 ++++++
 apigw-secretsmanager-apikey-cdk/tsconfig.json |  31 ++++++
 11 files changed, 555 insertions(+)
 create mode 100644 apigw-secretsmanager-apikey-cdk/README.md
 create mode 100644 apigw-secretsmanager-apikey-cdk/apigw-secretsmanager-apikey-cdk.png
 create mode 100644 apigw-secretsmanager-apikey-cdk/bin/apigw-secrectsmanager-apikey-cdk.ts
 create mode 100644 apigw-secretsmanager-apikey-cdk/cdk.json
 create mode 100755 apigw-secretsmanager-apikey-cdk/create_api_key.sh
 create mode 100644 apigw-secretsmanager-apikey-cdk/example-pattern.json
 create mode 100644 apigw-secretsmanager-apikey-cdk/lib/apigw-secretsmanager-apikey-stack.ts
 create mode 100644 apigw-secretsmanager-apikey-cdk/lib/lambda/authorizer.js
 create mode 100644 apigw-secretsmanager-apikey-cdk/package.json
 create mode 100755 apigw-secretsmanager-apikey-cdk/remove_secrets.sh
 create mode 100644 apigw-secretsmanager-apikey-cdk/tsconfig.json

diff --git a/apigw-secretsmanager-apikey-cdk/README.md b/apigw-secretsmanager-apikey-cdk/README.md
new file mode 100644
index 000000000..2ab25ef18
--- /dev/null
+++ b/apigw-secretsmanager-apikey-cdk/README.md
@@ -0,0 +1,99 @@
+# API Gateway with Lambda Authorizer and Secrets Manager for API Key Authentication
+
+This pattern demonstrates how to implement a secure API key-based authorization system using Amazon API Gateway, Lambda Authorizer, and AWS Secrets Manager. Each user/tenant has their own unique API key stored in Secrets Manager, which is validated by a Lambda authorizer when requests are made to protected API endpoints.
+
+Learn more about this pattern at Serverless Land Patterns: [https://serverlessland.com/patterns/apigw-secretsmanager-apikey-cdk](https://serverlessland.com/patterns/apigw-secretsmanager-apikey-cdk)
+
+Important: this application uses various AWS services and there are costs associated with these services after the Free Tier usage - please see the [AWS Pricing page](https://aws.amazon.com/pricing/) for details. You are responsible for any AWS costs incurred. No warranty is implied in this example.
+
+## Requirements
+
+* [Create an AWS account](https://portal.aws.amazon.com/gp/aws/developer/registration/index.html) if you do not already have one and log in. The IAM user that you use must have sufficient permissions to make necessary AWS service calls and manage AWS resources.
+* [AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/install-cliv2.html) installed and configured
+* [Git](https://git-scm.com/book/en/v2/Getting-Started-Installing-Git) installed
+* [Node.js and npm](https://nodejs.org/) installed
+* [AWS CDK](https://docs.aws.amazon.com/cdk/latest/guide/getting_started.html) installed
+
+## Deployment Instructions
+
+1. Create a new directory, navigate to that directory in a terminal and clone the GitHub repository:
+    ```
+    git clone git clone https://github.com/aws-samples/serverless-patterns
+    ```
+1. Change directory to the pattern directory:
+    ```
+    cd apigw-secretsmanager-apikey-cdk
+    ```
+1. From the command line, use AWS SAM to deploy the AWS resources for the pattern as specified in the template.yml file:
+    ```
+    npm install
+    ```
+1. Deploy the stack:
+    ```
+    cdk deploy
+    ```
+
+Note the outputs from the CDK deployment process. The output will include the API Gateway URL you'll need for testing.
+
+## How it works
+
+![Architecture Diagram](./apigw-secretsmanager-apikey-cdk.png)
+
+1. Client makes a request to the API with an API key in the `x-api-key` header
+2. API Gateway forwards the authorization request to the Lambda Authorizer
+  - The Lambda Authorizer checks if the API key exists in Secrets Manager
+  - If the key is valid, the associated tenant information is retrieved and included in the authorization context
+3. The API Gateway then allows or denies access to the protected endpoint based on the policy returned by the authorizer
+
+Each API key in Secrets Manager should follow the naming convention `api-key-{keyvalue}` and contain a JSON document with at least a tenantId field.
+
+## Testing
+
+1. Create a new api key, you will need the api key later on
+    ```
+    ❯ ./create_api_key.sh sample-tenant
+    API key for tenant sample-tenant created: b4037c9368990982ac5d1c670053bf76
+    ```
+1. Get the API Gateway URL from the deployment output:
+    ```bash
+    # The output will be similar to
+    ApigwSecretsmanagerApikeyCdkStack.ApiUrl = https://383rm6ue91.execute-api.us-east-1.amazonaws.com/prod/
+    ```
+1. Make a request to the protected endpoint with a valid API key:
+    ```
+    curl -H "x-api-key: CREATED_API_KEY" https://REPLACE_WITH_URL_FROM_CDK_OUTPUT.amazonaws.com/prod/protected
+    ```
+    If successful, you should receive a response like:
+    ```
+    { "message": "Access granted" }
+    ```
+1. Try with an invalid API key:
+    ```
+    curl -H "x-api-key: invalid-key" https://REPLACE_WITH_URL_FROM_CDK_OUTPUT.amazonaws.com/prod/protected
+    ```
+    You should receive an unauthorized error.
+1. Try without an API key:
+    ```
+    curl https://REPLACE_WITH_URL_FROM_CDK_OUTPUT.amazonaws.com/prod/protected
+    ```
+    You should also receive an unauthorized error.
+
+
+## Cleanup
+
+1. Delete the stack
+    ```bash
+    cdk destroy
+    ```
+1. Delete created SecretManager keys using
+    ```bash
+    ./remove_secrets.sh
+
+    # to check which keys will be removed, use the dry-run option
+    ./remove_secrets.sh --dry-run
+    ```
+
+----
+Copyright 2024 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+
+SPDX-License-Identifier: MIT-0
diff --git a/apigw-secretsmanager-apikey-cdk/apigw-secretsmanager-apikey-cdk.png b/apigw-secretsmanager-apikey-cdk/apigw-secretsmanager-apikey-cdk.png
new file mode 100644
index 0000000000000000000000000000000000000000..6d167277c786854499e37451976482b7887a3f33
GIT binary patch
literal 39436
zcmZs@1yoe+7d{F|mvp0q^Z)`%cMH-vv@moJB^}Zw<sbsmf}{-HC^ayEv~&s5A<}sd
ze*W(Nu6r+Q0c*{iIp>Z2?)~h&pJ!q;)s+ZvX>d_cPzYWq%WI>cpn*|PP#v)`fmc@Z
zvjTvBs2<u%vM80qbXzDW3@9(;WprPg?Pg=VC+(x{HBVgKhc=Rl(Z!~HTiL(=F`AF1
zv~#ylMpKBBvv)6Uq}$)W&T+Lk$ieHk_NnQ2N^$*I{4g!Py(aT!J=@jxTfpV<7O8MG
z8YWi~t1;sn$F*%kRQ(Wg3k*Zl@7fIbaxh!9_r=Fk^huL>dd!}7lhZm+R)XMY<tSX8
zxaUb|$8-?HQ67%Zh9)(9{<C015AK)y_bdc4sNjQw%w`jhBSE|$UOvJFE(hKTu>oFx
zrrL`!!P%Kqq|Y(j_uuu)3Aj%ozCX)9Kwjd5Su?QrG5=jp23%i=*r!e4hg|fE|6vFJ
zH#jG*&ZHiLNF>=846rZMnskp|__gl!i@U1pg=S`04me%s=x8p2CsVTW{okqRcfJ5_
zltq>lH)qgE1ILa&S{rzTZ{U^bg})fI@@GlPwJ$fV#m$oq^oLIPwR~D}a4HV?ZH~CY
z`=_snnEjqbjo+<wVVOK^j)*2^VhCy#KK%2?!%)!`(}Bxr`iozjhseJ*dqZx4;5XE)
z+`q#OuQzG58-9}PeiZMERt{oR4P_sY3oe%0n=G2@=QJpY3CRv_s8TpTTyZ;}elcM;
zO=0|lM>ZDnLf+i(;UzJbzH4VphY+K7cl7F#gP=o{r@hWA<t3hJ|79YZ@5b>G!H>yu
z)(2tK+?f+H$zc~AAH2~%Zb|WWciVfsky8Eegs+$2AdU|F!0ix$Q@c0&80*%^8Nu>r
zDFVr^Q$dXVQl$F7U3@Qx8VT|kd}DC>jV9i%|GVE$%`kSf2Lolo1_NWuw%D1Ecio7S
zM(>PSpC@^pcEm9t@}D^#DWfX5F19Ls67Rt{)&&`(d2Y%q=D+*Byuy4f>LGr#(I4}}
zb&-KV1Lq}`2ucrb@Y_LO)qL9x{St!$e#DSbqZ7H!uyMRx%T(aHgO(H}w|T;6t0)G8
z)4|5OW#Ugm;E<)e>FADI!+2GL$^!7!N8$Q24Y^+*8IeTPO(cI88(%Mk5veKC#IK4`
z&KSp_g38j<ubsu&Gpc=CSR{i1PZO<3C*4|_l%9J3LV(zFhwxhzUR1-u;;YpX)ck>7
z=VoSbN;lPfvA}S4M>u?vw!p85KblmGqS?!ic-MPxu~9aS%cz}@V)$cpYm*eOFG=`N
zRtt7rnV$6ZYxg%%x7(ABkYNLo0?aeny4a$-yMrootLupztvXo_asOK;D)>i9|3pS9
z^>45}e<Cscm$eSsl+Vl39!$zz4!##QnYcSz=bCU_#PRra%YNiM4}UPe!6R!ZCAD_N
z6NMt_4L^Sb0S=*lr#NslGHiKTE7|H9;&MaL7PuMXvbZjTRZ$9pbq2Ul4^<?Qe)KXF
z+;i)^X5`FRr_xj%Pwf`lDHHb>LQ1sqEvBwn&I9)povv>vubbC=b}z2Xbt^P!bZmzE
zn%6z}Tt{(#AI$yWMxE3tx0DbMI5rF+l~LQL13ULxb5xGiOHnZUY6oZjxjb0;`88>>
z=u9(9IFPVSw4oPiP&L|gMl_fsNdXqHl|MzZ{$h2b{p7a>dRR4`R9a6vcgM=Y)kAjO
zW=xu?&#@u+TTdOnd9HlpgZM5ucR#QMruR@E*u*z%-*-(L$j{Z05$Ir;%<cd`lMF?m
z;&Nf5;c>>1NZ_ZnYVU?!dl`3K=jLP5YQx7;fn><wpNhwFJ^VfH$LIFCjw3WtK2?+!
zq=pQ<1MfIv=R?WA1n+RJ@FZKwt5dQV9U0fTFi({)p&5mdxfr(5Y%UaeMTeZqDQQF-
zR(3R0D9#I4%SM#9Wg0Neomr#nk|WZM*H|`V=|o8Uyj`3r;of^!lz%8Ih@L9je;r%m
zdp+?a5>&H9HZKL3;vom%TLK)K7sLz&c2g%SmfXtC8mP%U)weDaGTC(*9tM3Br8!t^
zlZ%}1dFnW(T)R0<yJIj&Dzi`SD5Uf!vTnp@(=eW9g0v_OE0&4}T7w<LzR+?<gfyt=
z3eO4Z9gJbte0F$c;qJQB6otl8hS3)cE^XgE^Fq)hF}`kcTdx||Y<6I#o4>%a?2YDu
ztACKBEFS*Y*SK;cD?L@vr-6==l6vy9J0toLHz(%l<@KlaYSLn@x**3$(3#olJk4KU
zn+JI09?EFIrG}S}oOWrCqat&Cp<mNb&PQN)=B=+|%9qk97*bgEa7PCtR1Ly^7Bs%B
z4LINICpGDC#|w5fW~sNK67mu}z4I^>HeIvpiKC_E(y!>7=BVlLqfN3XwSV)$&ZNQb
z@Tp|bb@Z-OnnHq#^=N~C%W`ms_YG@oT2(@JFi+o*u}?RYvF-)x$(nM}onReeuKh|H
z9r7|tbdn1fp$((g$dP!9TlWD6VRShsI&!DeN>TKjwm#P}=M_HKfroXt>u;RNB(p$3
zQ%BmT<13~)j9sxyClyhjuRF_gQqn*wz#Y^N6km4cWd|>3y0#M!CHcSO`hw=?=@ilY
zoYQhYY@Ld4pG}v;9Je6ql*0FvUN{_+yM@8}sBju?^Xh5VyV5bDo8|_}bvvojg{xbI
zac_w)7E|cN1=bl9+~#jWnR~4U-hZ{EKH9&*+MM;FTJ25b?nLmjmgyC@N0W15UV1v?
zp>?I`(O8V`#vsyGj3Hc_m=&2*a$U1}e2`-Zsy{l|XJ3Ly=5Q@P`D&`^2T^q$dLQI-
z+Xvytf48dA05~)!G*?b|^)NhgcBbk4V-d-nKl=yuDco3b+nPTiqjPU+v0(7RPZJtf
zuSO|wk-s#^Q8(W0)M76VgdVl}-552huBn4Xwa|szu-+2x+k8X+ty!hWQtM!JP*yoU
zw%W*1qu|z-g1a`vvM5{#t<|7FrEy-7<}*>7JtYcJ`0Te1r<&@>eC_BqFlgR=#8{-V
zt`c3O5mw&lZdoArR%W{K<WIX{4;r4uPND=pSkk}YcP9|LJLB)2nY(^#p+;U0WCofG
zdd0P72EJQ*jP#os9i59%RDFS>s2Zo0FCQ74k4{)td@U5_62na;JIDCZvb}NvTeh{)
zJ<O^mZNR<-OJy`)@uIYiR>+lE_WaQDMJnk()X)U%KL3w^*LtoK=<Qst563#+G5fIp
zQbDa8G2!9->4G>a#aaFO7pZjOHtGWLFMVKV?p;|Z$d=p^0o9k``Th@=Z~{l$qzLrG
z@vK#bx#$&wUt6s*?jNL32HuO;P2IuGLlFZ9$o#wAIUEfi+%A5_^GHk%7Kia``yXU^
zS%D%4`&`^tBi5I+KJ%xq&Gz2AhmgCe1CQT0{yCP%E=`#ZCCn=e&le)$Zt!>06Eorc
zZ$c<sxq84=6|wF?lei;2ELK=Yy;lz{Zi`g&b3$=e3pB6KR}aJv7JCxKd<bsNWWfAZ
z7QaxmHkL`*_%_dRe*4_|Oodiqwez0)cbY6c81Sjvj(U$uO%2B<N-q0S5duOmjpSiv
zagi>RA7c!}{F~o3ZaBCWJ!gB$+g}MlcRWo8&k#xLVje@x)_()j;Qe0udN;Z@lO<t*
zBN|-r%qS)%-N_@S`?VQKY+wDo=n3w~HYP9S2MB*7Z7(|m9(<EBu1#JDY!QY|6|fqv
z!_b>#J^1`v-QU$)9>P6@<_UeTT&vC?hO-j|S^OHDcHc<UaW}>Xr||N)eEd7Khnj%>
zKVa?GX<^5M({WR}@apRdgB?<j6!WcvB0+WA?vj5I!Wvg6GU8|>#NXlz8k_+Mm=`*D
z4I-jaTdo|FJ0!{n5z&4t^>-V9AnUf=;`=Mi-!ci!CK6=443Tj1TlirXKq&{4p~Nxx
z&#TbhdzCkc`EY-7V8#wGJbD@6kl8tYPSV9EfJ+8khljsuh$Iqo2zNaUj5VY(6Qxh-
zi!F3y@;38}*5}e#e)(3mdBB75@8|;bP|bLbCo|4g-H~DCBa1vwns9RGQNbRLHZtvN
z)!q0~0T+Z`6!bFi_sNI;1zF8DH^0k#8V{FQpe!+YW#W|g@$=q*s?g}p_s!Y@OP^~*
zg4Vg^{hxm7?Z2#erB3#eT<rC5-+p5_MpT$v`Od@DCD@~;n60a-)t<SBB_E#?H&duY
zxL$u--d)((tXZMkmkfU60481OuCS%jJ~E#7|4l*aW7>Od1eS4`DO^bZjr_{cdUHrT
z34bEHly6VOimw^8-(mNj3+K~8OYDyWsr>PW99q1^9U7+o;)Z``IhYHWJ+;kO)hl4{
zCqR_V{D-Dso-6|auA}1U2#p-c6#$lO*8ZvusT^JBx0t)QDycifR)oEHTl+gdx2sgA
zBxn5b0-8?VNbL<GMOaj&C@$)=f93LW0^9TtNhue}K+;wd<u8I3<H4H-AOe2Y=vZK(
z^Yu@=H;?6TpU|FCYWKy&CtHtO4fTr|dJ1C;T~aE9yI!{*tNeWR7XcGBqqUkK45EK<
z+>fx;baQ~4&Z!5&k$UCYho(#{MzYN<8QZA!&C0STezl+{>djN%@8s2K=Qk5K!ar(=
zzD1pMt>m(?i|pi7F_d+eKVZ*d<?*9@!9Bn$P8QB5#<Oxjc!2?_a7ZJ?(C+R1BXp1q
z?e^A^be?B7^GWy}@^=q43sA7y%d}$tyiU6}KP5hJVz_>di83GfBDL=u8;a1!R>k#;
zC{1ov*?5k0RA07(o*pb-xo2`;e@nsC-ez1?y)rHnU#&TNEX6pwTwyLl5jtMWiOQZW
z`4Q2uGbX2dvrbfb!o|d}lasi_Y`u$Et$F>R!9r=L6_NJzL&2-x8-EkJ*F}KuG83t2
zmtY4c71=b6&?i~br#|;Y`d$a_@l6R0C5+YF5v#`3iYssZE<0nw+&St>-)ud_=Q+le
zH|%)Y_-B^@t#|(t7tT2(7JZaKlDp;eLgB*qZm~1R_Fy&L2#f)t-_}LxZ*T1ZT*=%S
z<J<ca&7gk1T!VL^a>$7Rk%1ArQi^`Sey$FC4jH<<`Vjqgc82w_;;k34qxxd+n4bvI
zb6G=Aus;oPR|GjScu8$G&V5}VS6f;Zf6mVgCC%$4#bn*lIrm`YM~s+!CFx0X!UB`X
zbGsyD4kL1O?cYorU!W2O`1}P3RdN(P1~*AZcdnF`!rpk!K~gbY*?0_o-EMZR$5h_t
zLF_yUySJl!4L15uVu*>$)aQG<7t-A?hdp%hl^Mc*aKLu9e;RxZJ@CotP&hGv7$dH7
z(c@LataAQEkTI?^5pC^%nO36);Ka}D_dK}!!$3302nV*yakkh=zX+iNDJHKhcFQY_
zSv<$@>q<;h+g-&Pjc3=~@PwrV;|Fmud-NbujA?WKYuuG@mtUp)<h4Hj3wE790H4Wd
zPHt8VxN+@2-g#VB@T?4FTu<JoUXP(qVnPp6db?MdWe`aWG^~NXc%vE3O`yMFrM(m|
zx~uI$|KE+&@ME?8lfJ4iTl0Y?e&-}$5=Bzl6r&cyONU?D|K<9h?!%hMftiE@ILX?z
zDJg970qGNzy<h6KBx8|<5XPMs0n)XPCL8hp-Wy7`ye=!!>`}&}D@_3r@oO20W)y%>
z=P~{G`WK)1aCL?rEJ}1}EA=I@=moiC{TFkj?}KLwTW4lwItDm#k>{DLhc`T4GkNE}
z9--eUaUUN1J%8!Xm)uWwwZcS1m!%&0&e?6@?;yXR^|Ax^?cGGwy;nvBC$Xr88DwH2
z9cF*dCFnwP``(6PEz{zPf2f-l!rTti>UGfS!>B7QOJP*aR?kAdxesG-r&nR+z=wQC
z@G}a^l2r)N<X|E|Tv#zg4J%iwNf#bQh{&=NmH9d&!a?Bg7>WI>v|p`p5n&*3hanaG
z*i;1{eChd98w!MqvEmjd#MlqV4OJl2R5AXrPy+V9{n-RNQ2S718MdMT0L1YSx*SY$
zp^=Qs!r*?yND3P^)ukce3JoD1mirF`HX|eNpX3ePoYzDp0tjWQ3O`IzA{bS3%Ku*v
zOCeYMmQ-}$x1!AnJpVolqsmd3qkk*}oN)V$B`_k|bW4oaO^0!4yO6CGYT)@>y+v#H
z1JdxBN$NpHT>eT>%`ij-tHVIX)5-|kbXFo_RjL-BiK{p<wWc0muraQd`?ChP@5$kI
z{^8LgXos&)Nm@lczj+F<(ZV4(-;fdTw6joez@#+bWt~4~YQMeqc@=e=*pypX*1H{6
z34O<-z5KK9ZSGzB#V=aQIt!CJ2Zp$isN7ZkGD(*QkBZc0yO8m;pZFovJ_Jy;@(@kH
zg8JbR37+u$x*0+sJ&HzzLInd;n>F16(T!|WDkIA$%M1#j>jR9DS<Fg=FEjWtF8*w!
zv-W(}DRx^QAW!2qrl1$|md}@u87VX1wZ9piJ^VG4nf&yXETlh0L1)x+YwXoxt1sd`
zA2W>GI1>0>JzEOy%M$VU@~R6{&8r`=iw$R5AB>k5P(=3`GR^HtBEOtu*lFrihsC!{
zD9xq;hO_2{0io7oL!}L+WvOWb?}wCsl<;3YT<NmB<~47ZPv<fH;<_Yh()wC!YCQ}X
z-_P$-cVxNlC);}Ac$9=Oq-?OM#}x!Z4inhEe|{;H=~p}>mvCQ2*Z%Y}X0E~Yjm6p4
zc(EA<_(^1$Ox*Tc<-2ukqS^5~V>avl!;_WNRpyy}m=l|-J{67}>{AuiaJd3tJKPQt
zgJr^CMHz}om#xH%{vjw9<YaG-a*d9|exccm-Mn2~GT=PK=U_1}`0mya*uK@ix4gGz
zpS4-41D-ogKfOL4*TBZc4(aHSQc34YFs!zGb#r<04W~f9Q@{1K`|p|12UsJYb=XXr
zJ#nlD(!Pe{kP->lyo{$6BCN3)k_|)08Of8wf*@f8OTl*%W^H~Ei*5eQ0q2L&q-=zo
zx+M%*6`h^ZgV|z~{i$qyVHkMQ``<GJY)3w+(ayK}>Ii!jYvlCK);Y?V2%|f9MLq1R
zFm4#BG!;XYPG(Xd86GXsDmc8o@qcDNCSSX?v4I7>X!hQV-T0nU;Ih!1pF_%~-kmMx
z^Tqc2qm}ZWILd=EKIa)YhFYc|xficdEp|^VIq6OAY4FX7LEgI5-Sr#5EaHNhUxV~Y
z(@Ol8J416X?54`8Z*R`bb;}Kj322^mE`NQ45pZ+z!<>m%#%>Lfe6l3Z!?}g%*Z%OF
zq_(8;{gC4v24|fd%OTSy6tl5}*Uz$@3O+GRvSEdx%LyP1$jrA&6ei}KXJwh|gou2W
z&w!D}a-9Lo@?OM)RRso$87)w<+8Qf*|I9uGh1hR%{6P*K&wxRN(erYnI$YPKc5+R5
z3vwYB6I7CcG5vR(dYT1_1QVrtc)*P)P~?1Dd=7YWOFcG*5m_Pv`%4|XC^5@%DB&;!
zwmt=~8E9Yx`s!zILJtXD=%bS+ubrv$(>Yf@?_EPwi`rIjor7L-4r~X3p-qCSyE|R2
z&{j*PL^NLSY+Rj{&Y{DKDuxRIRzdkVy)*HMwEG>G0U>adDNj;((0wLsPIqTIXvUAX
z#<e<v0t3z#e9&n6BMRhyGE)@=CF`T>Ak%r3_UD@vq#j8IuwTj=DaBK1b*?4Q3Vrd~
z(dVm-z@v;k#SXDoFVV13bzqFU+ymKhxLJSytZh>IBT5|`yC7g{gEM8$x~w%t1J8})
zCnF-?T9f;QAf(@q=SynQI_FC3hks6-ITS&z4g)WMe55HtNo6pK*fc&yW8JOwr;fG<
z`mY!zGs`^;P+2oe07^WRJSLqrw%@~B<YGeNj;7y$(8!H$Kk!*aA~e)VQSn9W?8iTm
zFDp0`&l3lLc_=ygz_^g)E(Ic4UqnT|lvQ^$qlpkM;ZloFmD@0gF>dw=J0oRWuj*c*
zMvhr0;XBvS{D{pTAD%mg*T@f(a~F^ta)gkvzNA_a98KYTCk9=M9^y0Y2%<lQ;d%TT
zjCmY<t!1Y?OxEOCTizIW<&A2f@{*z{5{8T@M4eQPK}j4Sdh&tWJ`~iJYmHY)Mj0D2
z083qCXGKC|MroQS(2-(z@o+}fDX(rI{`o$(OJ`KQd(wgn2Q8FGnSR?m$PHy#Km|`B
zBdmJkiI-(i(w;l&|Ng?(pzuQK`tXgL*QS8cZGpUI3gEN=Kr0=JW@*pkFi}#XQ=DiB
z(;*2Z;r@<+fe}+A0!_91oDBPkz|paUmox5+7i;9>LQ@ehX!#-0Ze3)E{2(23;C0~G
zp$#As@_%d5q6?7)D+cOlm+F3&e@WJ4mzF+Op!BvoXX0*iv;f$AnBHDO|09T&`RB)L
z-o%}wM{KC9O*(*cZ@>e?LJ!b0(H#rRW>WMKV`xUF%PK?l_=yZiZKVO#m`<e^d7-eH
zkfPe6TE}`3FY90+Z~t8R_6PUh6Zdf$GRi{jf4za#n0({)OFJDEEatOMrW$}QR{QJ}
za7{Q^+h5;cv1=Db8xlTwn$OY;7$xpmoC%{*Z^614@JHIu=$6SMkLpP*H&awBjE>_W
zw~tmlMGp_)OVk=|*JP7Z<xrH6$>?UsIn0RsTlqK&HDRl@$WbWcq&*H8{Y4XW{TuKI
zg?TFOpIR?T*NY{0mpaTrJIMtKJjC4JM@d+E-j0$ymZ5FZn5%cjiv&R@oDyPsRT<=~
zttWht$3Q@eYi4(ezs!7QuU-8_*+{DclnsKO+u@|nKX;7;J<qi!;9t}K9Li<8FM%p$
zUZ1JC-IUf65Y3r@0uqphm2Ut@rpAChy`c=iPASh>6lLSevOvGB&7nk0@2*=%KU2?x
zsFS>|&)rwFwVsMJ36g256G6}RO;=2`Iz_oNh?SG@<oUpBx>^C`+&#qdBT$B~WTB*A
zDY=!jzldUZ>jbHgIm)}~H@dyj%tWUn8&r28ZPHqMueB_WO2WO8ECzfyHdTR71)cNw
zv53V3O#DtD3MvGU-n>Y%%doq6o12^^5|+LcbfqTEaFS{H9s5HGNW>1^nQU5J)xXwL
z3Hf#{NQ=Jq*-Y{GjrX+1R!j!YfWtwXMsOFvRkSU;5X8);ILh|rE#7-1U@`;~!(bBQ
z8x--etXam5c#<vk9RDt8-uksL8U>g(cGlx7-H8Fxr($<q7X0c7KG>*|WVq}F5Hr=F
z5r|zCM1JJpnoSc8;JVQ;oJpS&yBV^g@uHDHov=0SaN-!EZ?jDv?Z~V8tr2PwwXXmA
zfUdB%rui~G1;7!^w=|5h;hHTk_D07To3z)|i3^ked;*<-DL%OqtraOJGs$PaeJn-s
zRLNZ%7IP~Bw2&<0PgC0XlDm`+U#y=z@q3eM0oy)IE3|FW#Iws#z+y&?>+MdmhGnb=
zy-v6XfH3Y|4s{As3ma(7AR0K)MI7o(hJdF1AkRr<_B`IyDtwWu*c#CQU011I>+5gB
z6~+Uv-lo>R`fOBWGAcEb#PS!r%$6novDg0(UP<7<?fA)sR8M~uenbNU8D63)9Mb=6
z2~UwM*IGEXA>VY>KJ$T*_s_K;jQ9|cz#AAB3KCx(c2$-3otq!huf2#hYmFF_>W9%r
zwJ(ZKzf$lUW`2hJdpAP1P=WJsG({QMXl{`cGS{|16B$#3A1-vH%rK)4E00TMRD~T$
zj#L7MX^q$NtzX+eW7B>Pl$pv8`J8P%Y>SBz9}cpWQ5~`=G7_ZKJ7yVyFTPbhP(S$U
zC0ND12uXVfk)Wi4Lxvh3)^Y(S{zVy<=kCcQNytQ^(sy_cVA()fNT6KuvGbm^t6DR&
zmND5g4cd%LSttcu`{pWY`rQIaP%Y1B1g621N3KnQmeQY3$KR=KRqIn(xZ=Zs#Bs7G
zX9wt2s5W?hz!iO<V&hiRN)5M*!<bD8UCghEB=WmTs<+PNeiW}#dq&|LEN!eXVv}n`
z;(YtU-+%O1sS(K@i{hNz_4S|clEiGk@F8HHo~?zqDnmg=1N-~1%mmQ~$}u+aL|-rc
z636-CQhSn$)+>LtKFYg4tJZk5TM+vU3tO3fYUS}U4S(M@YB;-LcH*b%c{Q`qP=>hE
zi2Szvc$MQR#=S#zT7L&G7&d%UnSQoK)iFP?XH%JO7BV@PYKDNLgZ%eXSfpo=Ryg8`
zf?Rs13s8zA&{YxT6hsUR|A@B>@x2lX>;4TSs6ajgk)cql7RX%#6^i)B_|iZK=tXs%
z@}y$~8R*4de|i10O0P`c@*(G}aN2FQ;AP=WmC8F#7Vn^jbqFzJ^jG1U<mfA;X^S`c
z#?`3e$AMSFwJl<kN`03jl}BkM>Y}H;G|_&?n~Z|WMO}GY3=Xq{sfl%Y@*6Z`8=le6
zP7(yMiXIf(|IwcPAR7u2C5fUF6m3Z&afTTIz_WU#q@w-e;^NiW{(_~Bj<tZ6Z556{
z`VTyC?MvnU(WC5D*_qg)G14>_9OYqQt>I?yeMo%X^S_XY3{2hK%?KZs{!mkJ`~;ED
zY_)ma2IL6QYBKh;7-;yS=psOPv@CutI{)5V?JXtm$LW6Y+I3k`v80fw#Pqy%iCN`m
zI-g!zDtTkTF$rj%m@tWAB_%G4c<;Us;WCOXd{e<qx~Hgt1vV(rl#!-#j#W`w9&!0o
zi?3|G*_a6c-Pj?$tt2N=%;-){V0P-!iNEu*=Q;E~Yb(&n$ZtHH-KI@An{V=9dU!H4
zm-+~S>ztt(XXYR?)U2-B{KmN8e_VhOxY;M&x%L_t3OSfjk;r4NT<!nTNZ1wx+zj@+
zWE>wl0wy?Jn#!huYrFj|0`D8fY^{B2bSM)-o6wE5gz<eIvo8>>tsDTz%o5@>RSvdP
zItL(hT!G8xpuDI-(mb>1Y^0!Mk-Y8YsJqyj%_wVOt(aIS-K3l|*9PVou}nIzIfd<0
z65Y|^quMG;8DbHgwRkOXSgGyzkFSt0?)<wo@wT8FBa|#4GQQ?D4lF2of%a{Gp#@L5
zFnjZJpsU)jG>n;&>)B8i1`Ec>G0&OSQkHuSMD9LliGdd{)hxo??=4d9#{(h7)5#gr
zdFv+dM|3dRfxN0WkjFg8UiwjGE`=(A4)#4-!;$=wL03h>q7wZFgB+2+>?S%DX;BI!
zRcP=M9-|Kh3-kRa`Rn3nHKJa(cco(463WOoYx1MXl53j8yF_H8IcX_RUNChggl*c3
z=(so9;iP2ohw(wbmf)Ynk%&M&?F6!2sc0Y^dt;%~r<aO{B0!#m8nN~b{8$aL=Ec*(
zQ;}4}I;=AEo=oWFK}rsqGB7&<7nl>`zwG?i_Al|~`|1EorcOkbNUA0*bNxk<g3APe
zbE@q|nTVql_zYp{6ko~donBTB&(zo|;Op2SBi5dbl02ekP?Pq)yA6EiJgZBmul7_i
zQ6C663QpuAiez^RF_+TSno}{bQ|#rm2bs3RSsZj#(ZtNLav%C9^G$cQES%8z!+0H#
zBya?nd6T(>37Z+g>=QpMTl=FSj*>T)>S^f@{f?~W5;c88F35~n0C?w1d>F`f{+aE)
z2dxkoz5t_Q{VjIXe{o`q`_x6c0MZBpp}k{Lh>e!}xOHfYYs9w9m>vtm<JioCty}iS
zb7V2&@*C7dJiur-Z}C<G{q)+O2Tv${kwe{D!ylE@MHhEp?Iu<y7qP1+5pk-OS3c3o
zw^rWf;wG(kT{63-y=e-#fT9}TXKE-4iPJzn-9te*VbdOP(G6uzi0Yl`2o5Ipu&#1l
zb4yMw>UQ`2lU@J-L|P^5iaaobs(VeXsKfo)_Xy1fx!wvUi3|R%vUsyWl6N2n?DQHQ
zHR3q%O<4Xpb8JjLi>wN|)S4m&CT47Khx^aS@eNv%lF>0H5o?uvL(bsfU{tAEaXYSL
z4}~aYv03Jw)4e&%8g1M~HlH}@*u`+&F(6-c12EGQ<)q~@8>f@K;+!B7S1umo`j<xy
zi94BqgBk{nkCqH#f+yIxtx^cUl^y&}4W0kDUwWQeE*&FLq9e(MU0}Lg$LiB(132E9
zu~b+;HXOU&B)Q&YA(l}t65BQgMzD9E)nFGVEIuu?@b!5D{l*S^8FK+u%H*FLK?5tc
z>DjR&^4m9Y@@)|*zLU^7v(Nv9lNRJXQ=-{!m%gZAZPa5TvBj#U6%~#k$fshJp!F?n
zy0CwdQm>zDE&e<+KBWN0uEq3RPb@p?QURGiHTOc;wE6|t$OG_juS^C3{J7Pc9Vq-r
zP)_&rZzb#!ETjO%kXjEc2>3yaM8g1BXkg~Z=vOB#gDUd1NR=;n?#*}a{rMQ6a4@@9
zNP*C{kmrSfMPF5F4$TDF#~^_vfqzp5(7XFOG+P$HV?TM(d-9kXnfm%aX0DghuJ8W(
zWTZHpRHVQ?yyJkuPMEkzSEOd){1qk!P;8zVB!KarfKO#K0;uF*Wj4t>CqT_v=DwIU
zsSZ2Ie3LlOs+1$v{4^UU*GIQueFFe~6RWM2`XTe6S#7x&Q(uZO;K$uO;Kc7^IR1f~
z;jiT0&a~F+U`g)GQ0e_kG_9wtk>p^m|C0IrFi;V_lFPe-@ARhC!!B4WB|+;R0NPM-
zm-OMtZ3M&iIKHf7!_#W8K7&FrSd3sgDHQ@ZdkM&ybw&S^ZTI}{*G2)0PlPNJQBduT
zdRb}V^Im(?euR-1@&`LmOAP#bhJ>&Tw@f$x`-NoV^-T{Y3D2m^=eK4Ik-YOOC0y4c
zTo$+(glCTusf<tO_TmayB)M&|96~`DekE45_*6z?c;Hw8+cFm=)wlTIPmKXhq>F|B
z>|m@P-r)SEV46e2t!BFa=u^w0Sg+*{fqI=fZ1og-V<RqA0p;lOu>bq;_wt@n1#LX=
zl!Yx<?!wqBoh)`G3&?_&v6YUAsL?P!!Tx{lnwPS)eO{zM|9;V@f@t0?=_Og?FxJny
ztqD@E+icAc$|lqUje6Zx@qO)(M4k`A?)lSAIVoUE`0m$?HX))486>Rh6FEFh<goia
z=r1zgZ}tfMLLUjTVm00SRWLEz#q+A&VFE0K1S@+K0!a;X#JPtLXKtgRV!LUHwXG+z
zy3`$B{&ugr0hRMcOvErPtw^CQsmQiTs~*5r>%%S4bI`bdAR3nqNs=U6w)D;gR+IE=
z)6xn7EhGxw=fOyO&^QFwfC2U?tv<x_$B&^ON_d=>4jAV>NNU>IKl$nnOtIV?R2c$N
z;?e&S_%DwN%`a{O10C=4_2sW}-pAf~+-xdUR)v^wP&%r8jAl#&u5*EwL=prKUh8DT
z2^<_#C_eaK#WX7iqD1)48ZYrkv}SihMJSFDd9f4j=$3<K#Go2u3T1(SdzHYYM6)DC
zHA&WO@}Ct0fy9r~{gJ-(oBt-{RGV7lmBXoYk&VG(%fMZWjAT^pQtJU1aphvcOUC_H
z;S<8(Scb%5(%Sg`e13FWzhw=L5wW`a((U~TP6<N#xnkWP7=;9&4>g=t;V#Pg6Q5lK
z&;ImRk6w~O%U#69r34B%9jjr71=lVVL<2{Ys*D8nWWyW6Z71d;94y<N)aw2PyLA?!
zcIv3FNkzf>bWPe0Aw4>lHSr<kv_3gMC*DOhQXQi=JZ|kAPj~(O`zPD^MTE>TVkP;h
zI$5C#-2+q(E9Mv1C6{cGs+X;3evGPb9SeK<p#Ve3-(+inO;uQ%dmGz8MO7R|odpD^
zoDQ!x4V1sWU2v=)x~3fAUB_;{x94arD1@X&h`v7M@uq7EE#_Tfd>8EWB%bzxyOn~>
zgz^fpVEJR92pYXnwYYj)K-n00hr@#*ArFj%=)D9EwCL?Ypb-6A#5%5B1PHnQyu#()
zC<JM}YB@?+*zGZ-kkzkg{wqMO9~qDN(B3x@f~u)7z<#EnbrlbEtwiq_AI~1q(j_h5
zo$n{o6e0#4d#%wz2a-(4hFj(AXNlW3yk@~6KkqOY1B9h?xzavlb59PqD{4z~0cirY
zLj(<XQjxXyF=qP?w=E`{YMi9vFYCWd1g>zPU2@5TZEFH@&>E_LI9&V6(+Q@JnDsdl
zgt<sWb((xm5^=T+WO^X%e#`1j*BWlrGsYM!ExT~yCbOh1{SdN6K+%A26YS)UsI7@r
z8q5HLF6<*DC0xll1K-i7u9w^RAq5~?dWlGp`##Qn72XY=<yB2b|Fz)dhnhXAEgSpL
z@(L_hiyzetX^3<}oK<;`*94*iZW~_(oEC!#Bj6VW00}Y?{%4~+goiB-qJyG<H!Upc
zG&{33GDg{kdSDZJ-`t1<*;Z-uxc+T{IH~~or7az69S<!3t$;K2md)n~5cG@SqsCa=
zP}FGR=lQS3uh%Xd%NN{9ijJPxDj}chwKXtFsKXkCJZvajX|%OzGp!FyWD6$rXbr4q
z9@bfxU$M{i|Ak-H6O#ic0YyMRq(1H&*ylw>9AF=+1Q0F!sm-1!%>sFSIXciz2BVVW
z#V@N(EjG43JNp)=K%NFO1XCW}o;8ckON>G%)Li0ffN#Wan?84{@-M!C*^tz>FUsPq
z_iSeTN%?B=#>a->=^AQn4h)W~u~y13_Ie#Y!$cSU*wJS19Y#^T@7wHL!TVjf!Vkc)
znMFScpzn64T6&G&=-Z)us@M1*W~np4-WV_c&tHoHF}K<9nTQ|5(9ASvQEOYATmow%
z!_G)k%d|H;_PaQn(EtJm?k^5=?qvNd-{-{a$cLkjfKRRVjihH!y`f*v%8&`&)U6s^
z!>-NR%XC6O>+k;04g-NEPyQ?QF-nT{o*&~-^fYH_m#6}WkLdV7QF>~cC5kvnFy@mp
z%>>tDem3U=x1(zU&$4VeS8|hKB)J;}Tz0;J!rjQmt-%Dx2<RgRSsfnESN%8gGE`jS
znq0~x&<+%HEX%7#mNu0}P1Xa>PT@H9xLC8pgh!9^5Wr4P9k=bA%sOzZE&CKMIP0|F
zCgk$*R4?>=2Wl-AWNO)SVytR(xqcZ_Cxn3v&=Ld$R!f8W|Fy@mnrNDwO8%nL@qA2n
zr;{OS>HN#Ah-b|6pdI(mGi9nAq%;s`aW{g7$8BHFW^_J(m}2P|?C$*NOw8sI(4CNj
zvZ0>S8A6<@S@ptLZ=GX&kvTo-sXltzK<Y~`>fuc>Tq;y>B^q^s%~$f9)PFc7zL~S>
zW7Rz|BtT0TPkAD&CP~qYYR`rm13a#uEnQlOqsvQP@2pK=ELh&#v9ZqxU1LY2J>%Cd
zyrsxI`{*rBZ4MntSt;7_8TkaYnY0!zIAC7}L7LDkO!C@CZy*S056C@R@}8sv6aseK
z;be`YI#bw`s!h@f-Zk-I<)|LFiV@#3^bX>@j?Q1T2L8bmfo^n7A}KY+&HW$)S@dP~
z*JYPxWLGxMQlX4PN2NSn)PYK<whTz(#u4KH&)0u;y4V(Iur+RCXIf7U_C&X<VBr4+
zI{PLS;VRbuEZmTbJ)@^bn{`rI2+5Ave&$PQq=#f9^q)%EUua9HPbgd6%zLmY<|$4i
zc#zvHOwTD{wI1|xS5x!9wcCsUJ@3rl#no_V<|113>(bfTqn$W59@+)ko6iG16&^)`
z3`z#PaDk?%YzI+oNOZ-A_>gBvzXZ>k+V~-}ms7<W(tR()M%%qn)qEzlNR>uwy{W|;
zgDHn*J>|}BnTdgtx|-KZFdQpYlp?Ix^26-%;K$D)j}Y2;oM{>&2AWz*+)f-{3Ryc=
zO-6H6@|nFi1LQBqML+Ka+X)OLt!MlYJDctPm)uaWsqXCW)_<CbHU#bXB|w3w1=`Nk
zXHx|;6~ccO^U603)ID2b+=bY~28-__gG7ksjxc=~o670wI1r<7HAmsOEGAmn4v80|
z0)$9BxqsMkUB~?4K7Ba|0X<;9Tl(+_F{a%MHBoFaR9R4L0vdI&srMkinxuO~e>U%X
zdk{iEE2LAG*~15h?=yV2GvI=ZmZVwPPjtS-erm6Uh0a!=f@XR=vm?hAM*p-YIX{@q
zAl|Z-9sEYmZunhWh8t$>JuZ7n5()a=SS0~Z#|PIJ50&%4#*BeeQNW<OGZ(?q{ymzD
z^6pCITtLQ^NYKep?~J&^v_yq9XQ&VhPKKziBP&)^hJI$BdBF4BOY>1tpg%IqVS5x0
zIOGl!>*D1hnEwo<f~yEa+Npn!lM<;cq>7}X-%It{8KouDY|?;5BFA0yXW6*4cCpzn
z=nqn@!#^(SN0}k`Rj^oGRE71tO*mC^^E*g&!FQPgH=_@X{^tN~E1&Vumi`BC$|>M!
zhNV7~-pe;V*&nL%m07TYZokbxqpA`l7&9?bLsb=0)p*?T!W5BY<yE_XUTNc$cyyR}
zkVtm4_uX0!CUHXF1EH31G?Gyj1pWuro$x_E>%{^^&=AHQ$9_8c$a00XDAU?DzTzSm
z<TQwTz5Gups*KWy!<mTTL6r38MyQeHcU+|*un$5s)bRLrk|xO<ga0DqBnpNp89Mpe
zv2d!H>mz*VH<OI{Ne!hWuftu_YcJt@@9e(rrm#>}Pp_0rcZ+x@*^ZoB#T3^;t&xSb
z5hx7h!vWNEVq(FD1R3N~p2`97Hbt8o(!ZSpp7TNnPaMQ>B{G8Zrx96#)yPQq)oV4A
zjuRsKGFvY&tx5F;mxVrpzXc8~+ut7WOx4SW`;X;dSQ;N`TPiW(?1GNRt8yh;Ok5=0
zF*dIc_QhXEu4lf@Q_9X#CXp&#Iq`^CEV!o$G(rB+1a|+mEB`VDCZs7QTkqDKuYH#}
zIngmoB$1kGZ@b$K#nkh4KdvDjCuyn?5C7}}D1lp<0spHnx9>!#e*V|Kr-tjAkO{&|
zB0!wYC(8u8q7>mI7h}|`cFAw*eD6fa2Djf@Hl=LRqNE?)^Qn*38vg&e6S)|0G9}0U
zDG%(ycLSfPxMRQ0x*w7_kgN6)!al^Tir=S<fs{a6@c$)M<dVZn$YV#1n*J~?wqHeq
zmM)pS#)M00i|H5M-cg1hu3T$YXgVZ*)vlnk1r{Ng0P#QKg}H#qSm?b8PIUtl)G>Pq
z;ou%UB@|1X2f*t=(wLMWNl!v(V|6}*L*XGd?bJih=|6uAT;1<R@#fp_(9^>nG5M{z
zv1c*kKtKI-ra2yZ@0xB2@I0>XsU7#-hs#Pzo+4RP^KcM3T)7{9bxwYr#1fHKKl!Y5
z*RqPWszQ9tDZBNWDBVT!>mC;G;qkh0!1Xy!P|zzP3Fzx5@uV1^N&2Lv2c~yTw#YM(
zI2hP);Vm6$kvCfA_8Tey{iOJDx?tYF9N`-W_P#ctY&qN-XA|%lJ!~I!>uPk-3Fx{)
zk^|D7kR7t5zh>y=vHj;c@^2-0P;})D*2CUhnK#|R53qtH&yxPfwcP;}FVMDL$+>%?
z%%_hgAeM^{nbwKa%Vzg_pDKV=zFsD95D9P`LE!o?v`;4I!&faiFlL6vK#Y|4v>skf
zX`nd6h{WT0R6{630m;yNNPPqMtezf9;d?O83ebt(%b@;UB%Akvyn7GiVDm9`-uG{d
zJ)Rc@-bUyEb@`8{^YFNTy<f`yk`^OqHBfwtA>+_q26~H(+bh$c1vpd&;3OVOWBg5Z
zjymIdbecgxx8TMS$Jq>EZ?a1g?rdzpwwNg$Pqrt41wuo6@F34=g<(gn>+E3ZCqNc=
z7d{0#H?bA0-y#Wip7PpSU_jWVe{2G*^(0{}wDZr6Igh1$IrlrLMhp5kc^WvtfHn4$
zE)Na)lR_k3pJV&R>dGd|Uhn}j0KIW<K)MicevT?qW8GW0<>7v{9~e(JEvE-I&M<2W
zN&plymUEBelEps<mz)5-c)8AZDdlJVOw;iB;a4ZkLsVkc6sJx`pId@YaTnV?9%88I
zcYS_fOvEUAuDN60YDsXqdq+9m`%s|uu}R(mr^U`~wumd=FCN3h2f-DD6p@wVY5l2|
zU(0b;m(1D&B0v|a_tF@4Q*ojK*1^tM0%Pfuo)~((9z06voJwb65olpm_rm{EeKdL|
zjb!!GEVKwp*XaJ$;msU4JE07FR$W@pW7Zy<@{TrIk|$H@xqJp7wy`>E5B}nEVNwWi
z`b#f`$L|2MSuOjIIb|^YEe=-IyZJ)k_iB&obxk0FWnb);W<&DN;+2yfAwZ*3!<eMd
zk^7KdBsApZ77>S~eAJ$?jax1CR;iTWtBLR}#z(>*Xs}rX<X~DVPzgWsFJ5<#B)v(V
z)71AQ5+IYFxXYR}LkU<oCn?qFmKwA|#-*YX^VP=_r|aBBZY2WfNQ;MhTJ5ctbJ$UD
zMFQw<A`=y6QWQoi0{;-1>I4y;?9St!IOt+Ff$`ES&_WmTOm|H79p06VqB~~_5m}V5
znl^f36qP<B1E0Cv5&#?;^5Ed(a~vp^K2h+QCxGBQWd2w6_{)`U7Tw9!?3o?XDu9Z-
z{K)q(drnZHqI6vW=W;dR=s4qCwxHHx>)`dpcHQ~&`L;Xk->%LdCi`}NRJk7=2S<}}
zFcH#;$A-i&S<W8@MN>12{y&sP=&g1CbVl5K`c+FbUJkn7vdm$Y1Mg+1o(71s#?yu5
zP=fmMnET|8{S5D1l+T<U2G4yNVdW-q01c=>He+>jwml<+pEFa`8tOFDPOCSNF1voj
z@&*}&2|f;?67z*^ngc2|O+e=~QKC(FuL9d+-BY0D`r#y<hDaW5x0Wk6`NIb2K&UR-
zk)c{|{8xYfEdJJ?|DB@BFm7`+Ki@ctf*oATfK69Cd`TXB-J~bpNYec_%JzE>9vjlE
zrSiRb<#@~e9<~Qw5mI+>MRHhS;!%NX0|@H(r{8e>aIw&=QU`=JZ$t8nI&MPuc3`>2
z9V^()zO<^p)Nv>rH$FaieZ7Xm3F9V~?JWE8Mzc169+V|P?CW7mnbQ{Z2U7r0TJ1TI
z6G@qw(24nC7W8U#6><IeEq6P=`J=7vTr&3{HI$jv;%XnD9CJt*30A&AyMV?8*R%#B
z-*GbKx^}_nS3f!|exbP68sSLY#OK)D#fIaouJkds5sT^Lzs#v25<7b&Egk8~S8Hxi
zsFDnl4<<(pz*v|$)45^*l}XI^VB@Rea~?(mvry33=7xECOps0oAVJ~CEk9cxMWjh`
z-vW{_N*+^%43db^DkXnnCim^Z;P<zGWKm0>eWFO%Vem-=<tM1kdB2*?!ic6~3_DjB
z_FH|%`t}jo{B3Il*Wv0qmoBF<-Ja1ivOZzMAl_j>br!%YqVl)AN;iZbTxpEz8Vc%B
zVZ(~E*ccg2{R+DTq;kIxf2S^6OJCk?@S5d2$6-<l`r&TIwfg)JG;DJr{WN%uQIR<*
z_sP?q&uLfpx3#L<)c=u$QG`tWCkWG*R%y;sAYxI0Jag1k4KZ!Ed{^zY$8@hQ1A#R^
z{6X?(NdyxcPl38mO|SSY=QTDL^DxGWUPKHBM&>(2jBSopQg1&$c(NR|Z9nxzKbrT`
z2typo;Y7xt&Bbb#FqcKyAMIV$u1MEt3hq+F_Lr%g7^3wqppaCQ6qIVWuK{+GpLtnt
zgf&4jM3B*R$IM?R)$3IftH?~ca6k~1cQ8`DInm6w*zW&utV%xlF*;<%G5wKdmLX~#
zZn*c|m^PJZM_@}G`47jBCSdoUznqDsrdw2L@0D9IB;8%hlBQp5x+pyN1YXXk_u$=y
zn9K;oJ$_!l3X%fYbe7~hF;}%fr6vC*prU(2Uw-xQ5u@v<ik)T)t_meyclm|t;dKul
zsvEr@{<nl&<IRP-3Y3DA%v+MPfC7C}x%m!2H$@pTS!1OND0LLCON^h{lC1V5Bz)TQ
zi+!wp;-D}4hp;V)%~sIee8{*~yYY8TaXcIc{LChd9pg!6!vPCJvWah4`2<I5o^=2A
zDwfXFAT^)M5vWitn<TKML2gKK&uw!PC!TiEAb^eVv4Gw&n?|J*yIJ+e^BSAUBf|!F
zT5R>ZYv=ZJMg?_hksu(FlATF?-K=g4juls%JLwGhNS`dK2R){HN&+Yvl`?HkWCM5w
zON|KtL5}-tk*5%mv}l3X9{{+4v@?Dm#Qjmy$E@3Ol(*S|zzB<%4`5gsG1Z#!%=;|6
zVGFl-UGYR7?}Rxmr4wr^bl`FjdyZ;jOv)sk{7f=KOG{(HzWk;a)U-Ey_3%UO-XoKC
zl?B*2<DJhp=YrbnGq3mJ9_@x`3<#C1r=ca^MI$i5=r&|)nd~wFBfN`%P%P#>K-E-D
zI@uZgjmTkRW3P-0+8d{Q63Qr%3&(^I1+pP7t$)1^$YCpXtAgKYQrtAxb%n|)MffYZ
zbEnOEZn51yLBN0TNPGcA(hlU<d$-v)NRslob4vYNQ37fxW!G$xhx8c>cebn1Nm(Nx
z=ia7n-Bsi{1mb74<B}AbKBD@OP=3xi>Z@$*Lj8)l=;u2P%e%ppJ$(r~lhOw~6~B=w
zOX0M&{y%Yv$*MqlV{NA8vI`bi@fOb46C!}klr}b`U8V2mxq6UMNEbBP9gBz<p|b#V
zun6R2ua5{k-!bafx6x1ao9(qPV^iyVPtd9%DpL7O^3fq#7)YGX0!d;>vY4V&A;O(0
zr0{WK@%N9EOOEK^V|qmt#hCWEO)UDRMRfg8sWk<vaAG1QsR?$))Z-_CWSh)tn^&>z
za+_CgRu|KRr^w5MET&p}rq8c<8QUo*&9D@uC@1QX>OkLFILGEb1x)TRwCm>yuI60*
zLH@N9AR<chDXxho(?STqU46IV4X#VL((uUg+)SURes->T%rj?f>N(_3b^lW@Mj3ME
z%F7(xOBauScXg-Z1kQ}}hdzg3EHuC2pQMSgMtfE80C5>;|GUQ+^d;o{E)a__PX@`;
z_}VEw1Z1SnQ2YW9IPBYiC+m3=)()}1h9woDua5J7E!_Ikoz75nx_}jH-t?R^ojl3Q
z@{YCIL?tHZ-NyG!RgmMga0#1AU<^HDagwDqHhi}ZnN)P4e>{VhxW8n@re5H1Gj;B}
zZRfcuf(-~w`~Gb3qMM97%u%dp!C7WFOM{&h$R|Eo3@Gxu6M0S6)fYra!iG})vNlaU
zq!7J(=|3?isj9C4TO!fdLoy?a>`xk0iBs8Em<{$9zBd%vZw{7P&i0vuf0vrSD`pWj
za;OOhT@r52`<J-2<6zD;ID~(bTEo-Q4=rc*7mR)^S{tBZW%|YG9ZIRSxX1sv0PP{-
zEZtQ08Oi%I7jaTzmdAkrpn3HaGFhUne_fI<&+}?j_Cl-5##-~`{2KKig~utZFXDHE
zTyPOI&!A|4ye0Hewowd!ZPs*opav><Ey%RpPeNX5t8Z?_bO$)$A8uA{5d2s8zHWCw
zw{TO&yaBBAJEF{q>&xl)3SsDOS_n=U=(4A@QLc7P`ZrEJ1M+B376ZO%@U%$=CR2pY
zhDtr22Y&Oxy!|BwcIG0`h1Sb|T>@~5EvDAAzN%787+i)G@(QY`WZ|6TFq8#+&R<P0
zGD74>y~rDT-hHH8EU4DayY7TBV9^`C@>P8*@kBMbTPiua2b%!CIizr@{Yl={VXP}8
zs7NQc|EPGv2SG*bBxb!!)UwA9@jXlr%WT=-ye+Cw7~A0FtXzlO#_$C}f=A_`udcsc
zuJotcT2h-e+1QIzXgA&UnFBIWa3epUqQ>XrHyWT7vpzN8O&NKc@QJ`7R#?H$%60U6
zs(jPgfz)ybUV0L%HFOQ6`^XVCsQ3wg3HL`jN|A20wC9$<v-8`)lkMmH8(bXoCjq{a
zVl8W(qdsJ9zU9*Tqq0kQXBmsQ*9YIMs|z)%-}wtw;a3;MvOu%~o^WfCjEuA?z9PVd
zn6|j<NKbF~)Fd$m8i7ok^o9LnQ}v4dA}nmxLdyX%d9L!sER{g*+vss7xBOdTNCK4*
z`NPK&#P05Cf@4P;xsNd*qp_&m9`#qN@e+ZTbZ7fg(vhC_z@9c=q>Rne$-!*;8$*o#
zp5gkZ7#@=Tr*t}fggB1`G2FEo_Abf)0N*0uK6v3pO)*Hvi>AM|#9@~P1ms=65pGn{
zDPv*wB!xtRQ0lKF+!>=)|I@ab2WA+`QndN0^D!ZRsgZ|Pq~$BUjV$82BdU6@10q8u
zXfkAprI1hcdrl`im8(Un5D1IeX4n1n$&f#fB}{KeFmEG7%W{iXY3d~!(WI<?oMPSR
zXEhz7!c!Vym4JR8vuc{MAFjkS$qx*xd~MeTDHy`8I=Hk)ZCYyA5HaMM1tA4jLZ-92
zxsCS}1lam#GrzA9S?Q5prTM{c3G+FsyS;u%p$gVMN9!Ryp?azv^8TbA3%6GDss92E
zImY$w;#pNR9~0$!6CP+k>{^^U<H4BK>2(oW2;#ZpLeb;Z5fZ-!@9FCwJS#za^Iu-B
zHC!jl6Uic@j=$lF7z1v4wpLzgN$!}fNu>$TfXG-g$zNekh3Lsmo3mcDP#QPm4#4>M
z%0rED-4{p6Mg>QZ8@D@1OjW(->Rl>yei)8-MgYVZQxN5BSovVaSb;;EzNHhNRd=Vw
z<;ROadiCozoXq<DZ=K1c-L#o6Zb<Pc<IKc?Z)b3Koo+R4j0ZHdvP+Cs#C(?MD-*%q
z=Tdj)x|#6-JSEPlM|==_t++o9+Cb&XejCD`L0*y}YU6eYrLZm@;tyumGX=fTE7MhM
z#Z*_dLw^F?du8s~XLQIYrBGn#k19P3J}Y^=Y7GjRsn0ccIIjyVv@YRHo%y<LQ1I`b
z7>yjjclW$VQmZ<S3IeCTbIHaoZ%1YjB+Pl@C8Fl7qsIC~)3Vivl;ak~#avd90$Mv)
zIisNZ>-3y%IQ9)^v3b1+9JBK~FFxTT5ytis;JXd%wc50)t4)+ctJXl8G!reUZgcyK
z!6BI3&C%v_X`3?A{`Sc{$FRZ*?=8Idq+H9&sL#(_qx2K_TvwnY{2fPDq1$?NPcMn(
zQGfnl?7jCtox$7hiy)%+PLL>JA&3^8AR&5PdRU0wdnbDDy+?>{MTlM!EL}wJ(R+y+
zb&q_XXP<q}59hW2fXA<xb>FjQuDQzRdQZ~(-q^XP5hNeI0`@0SJe<P4lC$)7UfGgL
z<Rolf<r_rHy&pe0Zjt9K8Hr_-Bldbl_iBiM{T<)?ab9=981V}A8p*sh$^NU<l!Hfd
zn@ypFr-{Dh$|Iul{LXiAQqEWVA_N~4ZIq{^h7~K6i#@yW=QRv)1sdHR6v%`#_=o>V
zD3tMIRV2O1E1Uk-64q0o-ezVxkk<72z4#(M06h3Q*KLBV{9{#1z52$Bd}*<iZtR^P
z3nx;{_K!ucBAAQFIcJ)pQp{&v_c%{Jy;?L?>%ox-ba#;Q=6u<Rn=~Aa{X}J!Y0U&N
zT0pun{?Wf!DrKf4p-9QF{b;3&K%zV)e1RPEF^6zxC?1)m3-Nb{JsEu9TM|)c7S;Le
zc-Q`rwPXIt`Bq2sqp08vbH9r2Nm+8ri{<WcM!MsU?>);0Iz;RiBSVuZnf#+wo}O#j
zt-@QsP1B<+wXDPh#n_CLkR790UimLSrLn1$&vU!!W_Qs4Mano4ZWO#-z$n_^xS8|K
z>A?5!#;S@l>7ef`9f4R8q>IgCYayTCe``<nQm8|FX6#v(s6xQLpAO&0mM%oT*V%RO
zMP)wd0+)9_P@8+!WjcC3pIHymYaLQY^KXF7pTIsLty?xw(H|r2%1P)~;G~#(d1$bg
z-1iSMv%&RWS^ae8ZYYBLc<P%SXct>b#~g|6Xor9Op~**#q~v7*?P;Ol<^I=c6_p`T
zxxsdC4ncw6tQ8f&Y=nj8_%++zNCbSh%cqDU`K&*!shYA;*{J|^sIJ-QhZWFrKK$_?
zs^c5;{qRB{7y5TdugT}*fAqSp0lc7px<~>t)CXGNK)c>QMfRk=+&V=Z1i>APvc3gc
zckX+TJHhYwwZ#9Waj!OJ%ynR3Xmy@@3dnzk_5}&jxhlc>P2>M0-lw`8UuuX*rKtUJ
zcz2)Svj49P*CAHVz&z-r1NG=M503wS3GfG+V1Q;9Gll0IArPXsov9rE^W6V4-~Y2t
z{%2qQk3IR{M)v>Cey8fo<%%M|>r69I2H6hkLVhhyU}t$B&rtzG4A2b!l5KNB!y$F9
zEBj7a|NkYN8xuOUh^hN>T)s`&=O}vlXu18~?{RCi*$pIMxaY+{?z5gnrgpZyG~G1i
zu!^43>K&?nTND4>7W+pu37X22VA-i^Uw{;QlGElHc@=B0bauo1jraur=aWz=qqC>?
zMaS9hr=aFB-DyjtDJ^wh)M*cR5agsIH4#H2gilUhQouBHe*l&HZ?Mt*>k@gWFSM#x
zG3P;Gx9IaK#qK8lr3LkPOPl)*atx@NVSuXHS7pn30p0uZ7$@m?;_r|sRA>-74&fbv
z^|Lr>`|$=RbM;d7XQ&?<^5y4H|MiE97K2h_=-a=oiS;$kJA$a|a=`-@L_k#+e#~F9
zvcx#Xnu7cH0pWI~tb)Y7#I1n?FCf{pFNK||Qm-MfC-(6Q5!!*ne-ki1gL&ado=oej
zr)dnxmJL#7FnswmjA(F6?f_Id2d{?njWqp;`;&icUG8f9N4Cj9q-x$3k!h;0=TPsg
z+28dK!*D2Ye{hn+-}-)z3;KH0uAz>BEgn@ufU~ogxKUN(+VciTLFP<jQowor_9<rx
zVrH;_z9w=Fji_JhzLceaiNJjF4l(*dVSn%~mv$l9W65YjD2_vQxtCJR#Gk>QkwQhq
z)F1D;U=8P<HRBneuFsKjE%=-Ee!8#j3u$fZpX?m|548~b8!nwmTaj1A+fW+Q@#}_v
zA`mN5gaR659^zUv_w*(IJ(}c`>U|9@8=|I<es_Rv^XqW(H=R01M%S8%-q$^Wi1icM
zA?I$}gZo#%F?RU-YRkI)Qb8(v+@1?8tNSOv=kHk%59m+#a0o{E*S>jS^DD33uD0cS
z?=k;Kg)450#uTI{&a@;;QKLIE-ZF9cEi?1`ord!b-@k`13>L&9$nb`dF2Yh{Io$8^
z6hu1_HKRy}Qb|)3$ZdA`{0c6K=TkoOJd7~F>3gaTq`$EdZ5zGGd;Pi7^TjbAQ~n<r
zkb;PSvk|AKn?(%rcjkO?BL@XjvT~s?(ls6m%1p+83->C;GGVSF-C`#MRQJApRbY=^
zt14owukjf4bquU2Je`{{5EY2=+DLtnyYNKr<VP6wlXUX8tK@G)+>{MQk5iQ@BjcOB
z9dXVp_oSQEO_AEd!ZPbVS;(;LG#Ftb7)mmPO<L2i<=f%>LVztuHgft`>>#Kz`eEho
zvqJt0Q7={vvdxBH%+)5d=mWWekMQ;vyH*AJl}q(BG)$A<dd2EVc4`wSvkq@?ay&@@
zE2ZGTbDIt^V`n@v%ERQA)T@ORhYZbebPN<)Z{M}iyJ-?T+@e`#9PC#%J?llWznd{=
z=R{c|qj2~&&MzHn8XW&R7=l(g=CASo%UHgK$%x-V!l#Ot0qSpvN(@-_E_WbrDMel*
zkur+JNy~?%RxV0p_NC(_#?$vdf7a5-;3kz)oSn5ao>*mUuXVQ{$?}tk-geZR)zOKR
z=Nb4g(Pnp7s@`MV)CKn3KuF<IpW_6vTR)YNReM&OO1{0>;Fa->unn~@^{5&dEZpZy
zU2c1vnFmf2#l1*WH!U0DlNuvL-%q5ZI8t2dmPF`J!j8PmbhRLaz8X~c9P2%3&HXmt
z3+9w|Q%v^_^m1pUROPVe#4h4j(GT-!Hl^U^j`9CfOOyq=Vbndl`)<;v^7B%dqz3Q%
zxo(WXu5#P@h6NWsT}AaN_4NIGb;pjhAolKI|8X&4uEY*U!UoMYTH#MV)OtzHc{3WD
zZasq61lktiRScjL8;+)@K3pJ}So`c<!rY0b+JEVY21Ojv;UzWC<j;&$dnBu0{!w%i
zO9Hl}vFP}7;J!aZNmQ_-m?MNUsKw8B%e-B#U~lcQ;aHzqxA*BP<_~#Ys`wSkHs-=~
zUVAJU0X~5dlv%{yRQ|2kK6yY2sXb5stD3~Mxwi;-@O1Aeza3D?Dv1e7<d){>Z{Ic;
zib|1k5_z7z(mBal5N~!{p#yKgWcn89i){nSUre_e1aedQTL+{Rzto{lWL%?lZd3uv
z2Es;4xbV%tIk5eFMW(sD@RtOkoEN%*8|Y=LhWy*Cs4Nyy!_%No4@%}7p^zO$$-+4{
zT^?9J*YT^7(M#9-g08u(6)sDAytnCJs2Te;emWBz&jx3#!qcZ|;*wt=<=xHIFsC-n
z0JX8l_ufZChUqyP-*1lP{p-)Cy8e_~sEzB^e3km<9(HA8qwzO-U^O|;v|qo`-Z?eC
zak{*pa#xt0-1nE*r2S6*r4Kv`-+4G*{`D&3)xCOD{}Hq{mbfD<A?5r*W$p{(b(={E
ze~s^*<Ha{^dT6edA0T!Df*mejtcNlzl*--TIR5d~UeBT}_B{3IJ&a32atF~_svxuu
zsehAE((8*&|4&D)Sw;N-L(HA|qxtl@7K<J?(6^=s`kU>6u}E^&N7k(jgjAgWymC8u
zZZTkFJ^PI`{5mlYHqBb1Q%2C~dmO#3+fQ;Hzun#PbY;BliryeW4`>&;b5p)wU_<XR
zj29tpy*qpe$NEedj!sUU^(IbR``<muoBA5|Zw&1!a}c+eK;z$tQm2Oo)lpJR<Fa_#
z9lIN==YhF2{e?L%k=Qq*iLk3*T~#E$Qb16`WyK)jXdstYkhWibeRSga&@M$Zc2TOw
z5r!1*AY+{Ao^b<JbrQV}CzWSH=Gwk?0)yanJe!ZV6sPxpw9TEp@P}G`s```Txy6X=
zINp6M6M^l_g~%R_xFX)V8izqu0k3U=GwPNQCv(LD)gwI?!y>+J1>HQ)_myEb>hs@H
zVF1~h5MIlJ4F=q4SRzEgL#W(-yqnHYQgZvkR3Q-ZG2Hlx)65T!rX9tsws5O@+5$C~
zm2-}GG$;pAzeE>kXVUSHe+2D296!_86aIz?KWQ!UIvGI*){uZ|qOu(k?(`!ee`Ylz
zk!Y-LkNs~}K)J|O>~d(rpyX?iuodk~<p|^Y{*pm%_4TN!=kYo_Df?oW&bS<%<Hs<?
zbMu`uKjnI;*j&T6>8-|+Kn*`@*%bfU*V)|R^ruiQ24D_?<G-Q8A@$aAYsMZynQL2D
zSD@r{8#9UtG4qEMzUv25;nvoGJ|3}hATrzaT+4bYv|O;&NjTon@!Rq$>Ugx*8<{6`
zJKI|>pl&Ms-f4rVm?O`<i;rA159iX^ib209G&YAp@ec#W%X4Nz=7<evKUxvr2&auI
z20L4mq3pqoHoi+2yNK=NNWpo2T@vu=&&p0!^LH6vTJg)f`qlRBY-g9sZ@h`|Mt=0w
zRbIpQ-*-2$46_JkleXuPNKvU?!$df)uYSne(W>_Bl62VgtWhO-ZgYE3TIt4^_!FG2
zmUCF#RLD@ygI(#5uL%OjS+q+9NBuHUzA&A4?Fr$H)NE+)PWfO!AB-;d(9^_;SiOvQ
zTidoF7cl;WRBM?WVSH@pXL5C!eqk};DC~KSedGCp<nN~;oftAsgM9Oiko<}Bl@Er`
z-8v|ny-z9GskEdQ_Z5^s>aqRgYmnBRRFrD|Rug#jCQj6NR}Z3BhfFbA^lG0v{l}4I
zOXG{qbf?sxpZZy-UpmS}nRb>`UWnRhQVTm$KItC%eh}Ghv_7{8n5!Hdh7Hdyb9i(;
zueqJ7->;0N%WsaDL~Yu&WE459UI>B`B*mM=rx><vchy_ue3#~NSNwJ}bi^EKSWkKe
zzYln{{ob2BFVQU|4#9g*C8=AHngu+dQ@!VNz1;n(`D;IPUs~mmA}Os*c^;y>(qKu3
zdvC?jDZZ$fJkk35|MLCTDCN^AlR=1U{f;-Th^%q|8#>gP!bTT)`Ek6r)Ub%9peKqk
zaDK7XC&(YBg3oCAg1X`G^{GgYVv6PGU9%S`@XBlhPVuGrrgH)N!>6p1TOmcqGI=t|
z%Luh^^nkk=LYqx#JUis~-16F6xUrQ6fI6fC#~4vxuMH=XMC;&m&U@h<ZEZ=MPzs=(
zKNjxJ`g|kZwsn^);urqe#A~V|cCHAMx5;R5)Zv@sDXES#c}Rud+nyEXVP&|g5VEwX
zJgGSF>jS@DtPJay%+@~ky|q9Zx^+W)5Hc*Dy<PO&Z3gLMujZq4o=*g}bDwOkxGZJ}
z^#tlDdz1_?3^<;OQ*&GLp`TlXM{TL)+e|+GS?A$`y*W<3s=S8Cpe5-e{;?U}wtV2H
zv^3C>j53w<%7;Vk>jTP(XQ6z9WsybSD}9)ZR`XmDS<j;17pu(wA)l%Gx*wi`25l7D
zg-Lv;?|&;F9KmOXDpqkU6EiVdv4Nk)maN95Lmc$=-ks-288XF9;pPh|kNaYcqwQHI
z^}I0A)Q8=Qrnrnw-s-Jpri@0l%ZkpJ?Gzya!>b?H(8Q5EsMiS<pTy~29~ZQ=$nhBr
zs-@WO;C?QdCG14dfH~2#mS`2v05t{(>qn1%CH<&9YC(;|p%Hmld<*4>;M8tJ#?isX
zAc1F$RT<T{0@+r9%y)ySvmR&SYte^_xh+qri!cZ}XZ1O(=RKZ|eo_qK*xQZ}O)6V>
z#8n_GeKTXK+$i@@xTOILRJBQSrIqyXd6>_on*k|SeBw<1VU5*_b$s#gQm*~!4Eyg1
z(*b>)^D1j1<@4cuH5A+m`p7<Q4l-Y|DI~_oHLQ?Q!M5`5C6zDsHv{PNM1yffx{bqV
zgBVaV-Oe#KuCDk0-}p-7r>;`Z9hT&Uy>E#o3va@Y*wV)Gg{c3e5)r)xgCZ7*N+R|}
z0|Ct9DWh7Z&9xS+EjSjO4VduSR(<!s%YrY;)MzKG3<&iV;xBav48D=}s(n)N!8)7`
z{x_K_Z#6%L5de73!|Sg*hGRg6FTWmxFK>q`I$?47VZnGhy6-K;)n9?fj-G!=Y^;gk
zjVH9R{C11<)#8dxr@VIR6biGr9h{MqkDgoVRiVh>+J;V6EzW>WjZwr`hS12-LoO$@
zEP{^;IW;fHk+!~|FlIzB4*Fx~(lB9qGc)hZoX)24`{c1G^(S}svKf*S`RM>0G+Bfn
zvwmmS&<Z{rW0iD(HX_0lE8KC`^*YFyWClawgz4XzWmJ-AI&s1L<xKuS+H-SG-&)N3
zfs$dX6zkp8YjS?{<?e{UlK9R@P68dc`|URSzL;l#?s@K#<A~I&SZdsW=|u8Y1*!KY
zpi{@w#ifo~O7k@uiL5*+Y)eG&_r%~19T|hl@<)L9{^bn4KQ9z$4g&{dAY?i{u(j*_
z9BrolROU$S(k7pGJO$EMyBGvNo+@Qv+=M8S$%kO(0r;;Jgom|1*lk}F`?g$lukuid
z+OR#e<&p)L4RA`s@ad^HaoSzyWlXg1CQ5W_O7szO*+mSEbydtM+bmxX_$Y~47U6G5
zep`w(wn};TBt9Vf-iFUtnGpf{tV8|p%jZF<yd;QHXpulh{bN$S+ljra*Vi`BLgO^P
zS<9=JX%pM%j^W>=i<&b6=5cs**{99c(feHXy$pOlHR3w(|58k9>rh!v@(zLdIjl<X
zzJY!x=0IldXY)$aF>50V93$ereBgpU)f0n0V`HIE+zQKg{bvtQ3>0a#WBl-PB}4a3
z?3dfQpN5e=R1Y!E#ejbrGzf4|BaKL7^~{XTixv+v&fOiacj-aCZt!@VGC&1lVU+$_
zV!Pe(Dh>3S1X5BPv%Wai4@RrrKWF3meJO&$shnq@o??6z{+9>+(Q_)Ea-s~r5|&H-
zFYh>oo9pyZf9k%3*3ns=jNrb`tl&0N+z!gnkk32M`;3xi%}zEtrSqbaq1|@$gi*V8
zR|%3WM)-!Xhm1or88a9Z7HR&oFJHEMLKP=&wI`&iUEwf0w%;Fq;6{$>YP{<d7+6oi
z{<i}M6jK_qAluRWSy@Xdnd7gbL1ReO{=U?Yu-`$l<K^?py9;ip=6E+DYi)KC72Q68
zVpLp!v&yL>x%1PHkm<Ts+gnCrIW#sKC=vF$ZM+SeAK9YLlh`d3z1`<T>F}eRB<lB_
zwf-XN*y>19$_$uI^eqbCT&Gcg#E|GiPWNuErnF`S;=aFF?U_zHI<^aY%*i+U$$U!R
z=)bi9imb-92>n8S>Rz0}MwZQ-z?ElA1CF^69gf-%NMKJgmW;_(-ypf5FKtY&FsA_$
z9Sw{9f~OcHVx@o|Gxd%eQ*3oOCLwt?oIA;J0}<xJ#uU-IrEs6(xz97SXkn&0-81+=
zOA4q<;K7@JucC(XXQZ0iqr=DKj)3&6W-!2S**%Pe$1}|M<m@q8hhZb(hh}L?w4TR5
z3E|pi^2B)W%6)rh%3}Fwi#$uBKRlA`9!Yp&HqRG8*77%vNrRApPRULH9riZbmS#Ir
zRCN(!Mz!c<vNrzN*VD<Npb~Wse9*Utglq(lGCkV=jqH7_FjWOBWR!DUOgc>L*9v;o
z?yY)<Y8b6wu`VYHc$QytW!BE$Ah;vHn~goq_(}`TA|8`fNBS<oXW=MY$#=zk<#*XB
zdkLuCx06)N$ZKJ=vL4S~=O#Fo$4u<JJ#)+-HN21C%Jy?|7HI&%?+GS({RarIY1W{W
zt=jo5QI{h%GKtNvYQNd*suYs1by6JqpAJe_nzE3M?bv6UBC`Y>zt3fp!?Tp<%8}R2
z^t+uUEn`_&|K&9Ho#7Bpr2cx6<a)d<r!{Y>es&T_&<M?%#>}BJ;?GGUk?^t^e|4f+
zKzU~U{=4Y|-I0ch+lwa^@HpMNcgF?<=F%KwXgfsM6!DdMP2pm<bJ192Rgr^QJL3?O
zUtQb<6(igCjfpu}Aupj%%PIJ8Yd=7g=Ay>N$y&;`L5Zl6GPclj9)ODESLIX++Sn9H
zk&_dMdm^ZxbtR7`q=IJf)vY*blf%_SB5HlNg|h}IUH_~zZ@>G0><VxI99NXSAVpJj
z3`5A8*{(X`NL2Noq+*ez_Gui;Du047dp>~0E9Q7Q29~W)m7j9MZv4y;(*^w9HeCwo
zF1OUDpxHHE5?8c-L0|t28qj)TmY=9*?(Xo<b9ODhC!!oUp8iNAI*A^0lJ`J?{UpVx
zeN1l?ZIr$_*TJ(<Y1FYxAMzHd#q_l~{wRU)Lc;x%Z3O-XAki^|>lXo9`GtyS|0Ww7
zN?*nM1+`Uo5jn@zF|b)kTd_X}3F_=hkCqrqv+(T0>ptAQNZ&g52VIW<BsmLz_^C8b
zD1<UKeGbAydu)=>;O4<k4tH;eTW*ByUF>h7oF{>4iT*w->V^i$V6S?XM%MGqhxBE>
zr##?t(NpqH<smW~He@{OD3FSsw4Gw)+ivz<;fo;d1GgS{MflXLv+G6nYuQDJl-x5B
ze?(BQlf&QReNLf~HL_n!xi}xOs0k95ApQF5zg%wWPT_azT1RG&8E1I2`S^<-q{|cc
zMydqOhSRKCc-U{oI#s)O$<$zp+{`8x54SnO5z>V%<z_=yIKVBHou@2%?k%oc(<0fS
zIyeG<qY;(ch*4$OM&RYoYo-0Bw#o67?}X+L5v`a9?hKmm$w-W`7}v}GYTd=~0x`zO
zbrPRwBB2m@4t79^lt(WtP)!w2fzCm!$oez+={2|}ZHMoJwCPR&lL<*Q?Vsj8?tNt2
z=D^6miHRuqp7Ss|Ej+Sk5~IZO=Q{xz9NXBOY^nnFwKL<plE6iC*-r<SVS7ZD8f^4N
zp>--#Ef%;kQQ4usQpNeOpWX%7d#Fl^q}fVoP0Bvb2UAElUVK=hR&hg*-zHWNa+|*m
z5}nToyRM~q0LVL6MvQ~Xqz^p#q;lqvH+eRhVSRCwL^3V}R3UYn&#{B9>Ih}8<4j~W
zaCJDzM#&q`(*5IuX2R?7EPBpmT>7!{A`<eDS``xCW_7%#in+bsp&VH+2a;Ub^=4i!
zkGF0$y%s&RCepc)WJ8f3EadWh`ZJaxKYkMVb^S8u48%+4yL9}|p5q9B@O*<(N1C2g
z<hR_LqL$+BBqPKhkQ(B>GJ7f5kyiH0$<hIcbkK9&@FaCq9B2Nh+%F!|lPvh)fY$sf
zEK_M0Rq3Ii-J%QrRsA55arVstCiiM7`b%rijs%=#|8?CB{)l79BVXXwLU0Y4WW(Bn
z6X1H<ZLSnam7~Z?cKd`vwQ2?5Q_L0j*~D#n_Jc}P^D*}4{XWnanyny?oTk3~HGlD*
z3+ZUNyYm}CwsbnHi`b+U4s;QXPrTRo?}sZHiy_W3aPI*mOX#}Ezr1Z?Q2cjb!;hiE
zF%Ftssg=S(MK_x)_P!Ctqtzu5pEJF0mXnHAWQybs&@CrT5*?^rp5+gX`@#c=-LU~K
zE|jS!TjDUK|HBwxleWwp?aa0j@H0|(>#>r_pY{8E-5o692krcO+iP=hVo=ZisXe+@
z!Z37eHS0qBDf%GzK2|zNX(*X4A*;-t_Rom+{4S;<9QAlw8vACvj6W=E$%}gKD-u=x
zE}jAU$6<g&Iy9AYu3NgB5yILmNnpgjgX~kz`8c?N9~{!Td3r2VH!R!^8q(0NdAE1*
zUF=WW3F)e<57cWC`5*E04#4(LUY`mc2)jDkE$+8n4c&YywH<fO{oFxUrhep&ZOT7X
ziI)&Bw-r}ZB7cQW&hPO^w+<r^LGz|k0`O4^ikxKsIE;N7&<jsAue=4eX0A`#q(Pkb
zYmn@aqke}!Sq}yLwz(ON;#cu<n{=2OQmRsU2P&uCQ$^xjcD>8!2<2gei#vzyTi3l>
zJoC(YS0V(wpn%@wi!}-A<3Eik+M0UmJdLVo(9(g<Guz%##>XTGZWE&Zd_FC4Hbg;M
zp{$aD(Qqq~`|$-vf@x_WH{-F>E`h}4w>R?ke`nY$k7c7Vc{f;RP;(8ke<Y=s`T9fP
z&hd=lG4u$AsZl7r<Qq3h&Y7R{2l-#uR|jojnFTM-Y}2F3I1Rr9M=Y@`4MDW4or!vk
z2w((ZDg;|O`Wb)75fxikmxFk58g-t`FG}=j=jW)79MpHymz(*j(g)&P4rW|G$|nkw
z!+tJ)CS95MYH<CxA(H>-q8ICSck)58J#1L=HcJjuzs)0chgkI)jTJx0>ufjVr8COc
zKd(b)*EJlTp&CiQRQvbVrS$SzqM@TgAFMB-i>Jp1@h%E&V=?=}H88<n*_+x<KQZBF
zv;w^x!mKg7U#uCL)>$+o^&E)LUsbDoDiw0I%LpfwKDI{^ZXkJ-C)vtda_9Okw?nPw
z-43$rxI$)2$UE!lYn9h&pQv?*X6j3$Z$gLj9CjoQz1-8-^@y2W)>d^c{<f`g5e&p-
zCPb)J>C{t+_A@g)Kg8-A-yG=pLq8wPvtH3<nJc1QZ_S{}q%@#e?)kN^v&BZFFz$3M
z*H5|9(|mVYIP$>}+xULSem0d8dv~9Uu)XuJB=JBhO`>^udzLiSH}|ike;d>#Qc9b|
zoe<osd>?ytW?kNIzN~|1eby27YOCatn23KOYY!N3QPhH?CA+Nj@{bF!p{3Xjn5Pn~
ztAZ%dGha8s^^3O+v9*Ea=g5!og`m#{jwr(_X{e01`u5&0+F%=q34B03TB-i}8G4mZ
z?XBpb4w$6hV@`iv;QWaDTZI8<dBd{STd>@30UsC7-Dk&Vbo`hn40R%{43%wrGe_2d
z_F2)WDdns9nx~xRe*2O37=m(5@LoJf-Z}9cg$ae%a-1!7ss7G+f_J`D%<qUYdB@X#
z!TO_&W^p#vrze`_<mmK~{xN!fdri?@@NuCF>c)x7wVXLIw4c9b!^Q}k7~5xxR{rkE
zv1f><pqElUV7F>Gl5CYO$qXb8oG{`V+*BojS(uV4rgG5SUhZ&4QS$cDS$_^JuSSYY
z8AvM|nQB0RnprywjzQ2m8^J_C)E>UUf2Ev6uis~{>$ti13bRoumjliCRV?WXRFuZ1
z^T$tYwpYDz<bHv7g}sWUO<vUb*cKoBhU|si``x7O-?u@`)@bs{438dGWR4nKwV0AI
zwXBsaVq6+DpR8zepm0`Xup&mc8}L&UGj!q351ymzoVdxq>nGP!$(^W63TFIxeItto
zzF18wiMCDv&7vCfc|8SKUZ0RsxU}+Z8A2}c5u=u5Z`$6?%YwD8`C9k>uS=g3W=f>k
zPD?&`;&?#95x3EHw}w+UifVCpU_x<nr+X(ZAD}R6vzE~!L<RfFy6qdhQ&oanXN?0z
zm26}f%18T>NqAU^r_-3mVP2-cnc<f2GxW0d>NQ=z=;VM-A;=A<B;=nEQND+IdZ5(O
zX3zTH8upu&zR~RG5|CS@a7^u-XX~*RoAW#k7|gWxogXJUSef3cm8r7YBgS>6r@^2I
zDz7fr?k<NW70qkLoeEB?V5b{)ukSFD)heOc?%RIIl}A<LG0J_CtO70YXGJ)Ay5;A0
zRg+qWpY|nGRNe@dLZCVs!8j6itn#D*%G&#qYK|u1P0CkZ5|#LR0VDfQzy?3JRRK0Y
z{cA&09FtsSYx;5OQC4)r%>c;<@tvkJ6<zt1h84%Pm24ciOe}3Q;3%&QX7V?epW!D;
zuVCQRb~=*CEj6(%=3B1QPWU{HGres@MfdHVv|9{Bo6KB{v>5_Z|Jt19ErA{st2_!v
z1ENdGUJzj0=KVJi5s$-M4lIyPdaz4d>)zg8XI!2%mj-=>-ep6Lb3Zv{)|;iKy?uJE
zCROe8c<~eup+HC5Q`*(wXDeO~IS{Gn1?{M;yyvNSeF@K^J;<v6{4AxDFWZpR{xkIh
z7;0VRMNDbUXC`|CfBTsNGUTRa8eQ17Cn~6{G5`Kq`(6(HqFk<BQ#~R5rR`w09`8*e
zlQbxh4>ZaQ=ZM5Zpxn;;a}=VYqMKu%i42<EJA8ibAVR=G<hC+qqJ7)e`gz(a2SW3{
zXaIQ=Wm3U`M2=gPh~J;uj06ps2UPe#Vg|fT>$7qcmKK%OOGE)>NK%-(>HXV=#DDly
z{3(uvRBtP<Z`9uf9!6lVQfNhC#cC8uX9d8?-`tNF@OA*PdGl8>o??!0IOqmoon5h+
zsg(faX7ZE)3p`q3qezm$Afu!CCN~Z==%@FlJM~z-IwU$+{Tk#m4aU9Prd?~~?8Ma%
z5e1DO<h5+ShsNfPe75ny-dn^i9x_<@nBVv^Sl!xVCTl#4C5bL%n?Thg^VOr3eECrH
zLwh^eiPLCwLZE8MIS^^*Nhex@^!|g5ff@LUm*xdls;_J|rRnooE4t+$F&2kTa_%o-
zC)6L6GEowHPJevaXg%~h<`2PnKP)fB`{)6RXo1~1sdX<Q;?kfJk)l9^812%daKs8p
z`9$ALgom|l{YV!TDiw;`1;DX^pT0V6D2|mwi45C((Hf>h@E*r}wVGrAptI|PmoD2&
zd$aYMGhf+osRjJ|lG#?)`cu=mOwa+VITp|oYZ#*_|MAXL0F2q)%j^5EUqpA;$9RB(
z9SQ)lPIoPyr=5UPt&%T^cCtU8dG&s=RRjpDV}P3Ycw-E~02qRd)MCEWV4fwz2^pW8
z4Unr>8Dz8bL%*1H0ZQ*Z_xzr?y)l$6wKwy%#;60O4yLj=W|;B9qS|bb5;l+)f2CpC
zt7=MG$Bf`Ut&lW1&l1;kZ;M{_mM2lhftn8)ZY=+to$&Zw^>BD;!Gs!jH|?R^@|(L)
z#-n4dH=fiYmrC99WwX^rTV^MZ`Dm<KnC;OoKrmx})9&+7iRwCQn^v=I@c~Gu_6(>0
z0_kX#&8bEX^8z<{tpJ`Hz>|LH6RIe+W5zpDYT*);J6Wzn=#p_}LcTLmL;sy({H30-
zmq2Vh_b)Z$af-GRCl7?`sb2L<7{vn`-6HM0Xlaw@>#DUR??K;-{5>MJdD^hWvrAcW
z31GsXmh0BX{0>J7&np7(O6%VYEDY@oX@c&DbaV6b)0D0|6YO9^p)|SqwRHe}cBo7=
zWxo5-G9pJr2#iDon1ej89Pq}@0r>4NIF$0GLPy}H^2Ds_7$Tl07^L#ajPj%d={ygA
z7D!9=CNNT*Y__Qt$#vP+!+Hr_$q1v8pQ)jPRCG6xumsVSd7bZX&en52ARSa<gnj15
zntcLGSH+$g`K}DO#;@XzJInkn5i`|mNR(e`KLiP_=L26;Z@HUY#apk{b(RH2!uku7
zw>0TTm;{Z-<#DRDWL^1|xb$ZnA4RlcqNXmqKzi1r<NjLHsWu;u)Xj8WQ>2*}Rmfs@
zZWk9^aXcMVms!hYavED<F*e%;riqr=8Ys};^8phgi=}ZSaDgwjC3Ps7aib*z7)o){
zOJg735YduCOD3ueV*#T*(EmfZCQJoDk@;-r1m0!|5FBp|_xK|}PzLP!gXGzj?zIe$
zZo0@NKwLM)HW{n4nGFH>?PEWH+a{-_rNx#3>mCrmxr_$%Uso!ilmnLgGQgk<cwanc
z@r_*W$r1A#(&P#(2YAivC614(Jg_bX{3mozl!+0SM>1bsbIPmdf`9)l#YbSqdOF&=
z6N9CxUKwIZ$zk{<v45u4Mg@yV)@y0=D6)gjYPPa4Z+QgP8<E&dJjrCOect3IJ{jec
z!)Pcn*LwVXs>Zp(O)0j+YJxR{$5Oq?KEwPmh!$ryH}WM&qd5<c$!cK1=29WYdS&7%
z6JH;F7nH5DrihpxCA`IMzycJ$0r6KHKLD?jr<@paamSDalVBjDh35R(7#{u=L&O{-
zfnZ3bMJ9$eund)feJH_Qq?AjmQL5fiB%k_?GcX5W8kcvczsS%>=0)hGph90LI!d{2
zjiQ0D+>ES<<8U4ywuQ22VG9#f!};gr!+J3fM4rTv7@)2FXIJ9Uib##IsNnNj!l(tj
zQzC_9sTR<lsXdj*94b6q-WSc8DMu4c6E(+?A`MWynOPh8(tn<oJ2;C+?^6146SV7f
z3^$!;MvXH5L4&ql-z@(A+drw-A2%1R9(lN$UPdnX4*4!~E+RzKumv`UmjWpj+Y~wQ
zqQ82naK#|~=LfjBR9%Fu69?Lj)V*N&aE7uLTY?n&5z!^frM#-z<a5QRTZsV!=B{U7
zJi<aQjt;rUDO=QsQaX~<G>##XL;~+-c6b;MRh4)+na@Ti2GBXTiJR^afzkncx3{-p
zgp8QFT?j&HO_oO7hLb<5z28SZE`t92-|Oq$kAF6-Za?iO?uu8jP7#HHiwMH?6I)wb
zI~F)<$q?|9ev#&lM=&%kWim1uQvP|W*pL^WM#Y`WU#R%sFPeMDJjaK*X2MGt2;GCZ
z$6wY2mpUJLBlOFk#q2}Ftf9XOoi*INFNqOx(#X4I6MNmC#uM@J4<89)@^|jZXVy3!
zI0WTZX*Xf*@E`Q-EAUL~tS^`dH=$mgTL*J%%sc#D)xkAmMid}jfVwx;wf9EI7Fd(}
z1vu761?1d;@M}h0`>fO-FyzwC*PUq4koK;W8m$y>MhZs@%XdGyQK4E@2BugO2W@vl
zq^uEM3<3p9u8utbJsv$Dh^he2`jxHtotSo3sSs>zJ$}1|SL*}mg5uc_B|y)1SL8Av
zej@#uf<-hEWxSVFhC>pCA)>25y8=u-S6F;-WVyy=^kspJt-^K{Al<v)-HHHoLN7p)
zzHXcVmsCUnnU&G^5F8Y!CkiI)5e)h#`{@R%mN+jgp0PxHixl))Gd@tRq)xA%H>Yg-
zE!(kug_rw#xIdXA%!+^iIjqHdEwuF1b7?tQ?7~i@iLYzwoqm+>?fTwg$)Yh5E{#Y}
zB4-*W6)13g04=MI!sK1SjIQ$j?hYm$UJES5Y+3!A8!%}nJ6$q%O0DnTdxlk-jfH5v
z`iR5hITSEg2XeSD;Cg~eDc>bh=*j4jNukxdEfj%L8Y%pN^e9Z8-<8``j0B;%2vup0
zZ_OUZj!~q@P(XO~jZ1^aC89-OR&7&ukRa2b6{=mQR;qYw1N%P}{Qk|=*&bD~W1gs_
z)gRY)_AXDE`VVah<Wm^k@{e;0DdDf7eR;kIRm|5RhNDj(1%=;ScUe6Rd;CzP;5zL?
z`ceqWjMVMm$i|6}Vr6f8J0~KGi?^-(qt(gZjbTFpQu#KDE4@4NOW#lGxV?!DXgj|Q
zT%$^bp}1=tFHp60w1aBrh|f@U@&^+a_J2vFq<FsnS<ecNxkzaUw8Jg_8`jrvWm#=X
zUjC2`E$BS928aYGbXPeB(u&oqk6uz5ZJ|FVtlj-d=(hahkt=d{42|wMZOug^3e>ol
zfi3w54C;;5uo{j69ctM{fxauRdg320sQUsIl_C<DB6wU=Yyw7P{Zh@&4o$j~OYM{p
zOMcKoQexFOd@5GhMsX>;YVM4SOvo$cf~PQT4m>q!MnR^JDEH$r-$x}IfzT9)tV2zD
zleAP|N}<mBKz98^PZ?0+Y?zk&=}M;DlAjR8Y|CwpEaH$vOw_XmyOi%!qCiVsldKFT
z3FsmnL4OkY5pyy0DJ#w^Q=eK};1z3-hePAmAhw-xnF!^m>FoZV+661c#Wr!xLvZ)x
zQj>VfuSHP~AqlTwNa?fJc9dqXQxnwKggq{~Sxmg#$s$o^hI86FJ~OcJYaQc$5B%eh
zK3jh)FesQxSbTf7W4t<)KArVzKva{iKMY1+p*>`_=fK3zl8netc$rk8-=@-sA?H5>
zZZr8}hb^zD{4eQHR}0%JR|f#|XB)4%Rn^oJOlp<e4d^2sVK_UBITDDOxUVL|Tql&9
zU0ZZ4ZQ~VUkMmx4WRdoki77h0w0FJtTb}nOm?9K5qf&C>Y^5|TXa*X%uxY&ZW_T6X
z@VUEC7<m{G+fzqgKI|2lU;&ttk|Ho$3!gH{?+6VDUe%+)RNhd_&AfT8_F0d>J?3m_
zVDml-zsqdnvKIFubvx@k#lW}-17ZGi+fl+Hku?!FVqYPb@Wc<@Q4}<?zD@qu9&qEe
zf|}Q9bQ~;QQo{ji7sqpg+`m(~MB@0}NV8h(gR0U+tUMt)t!UvyjO|&UAH)NkhI+|#
zu$qkW#D#><j8P}Cowb1o#cC%NNPDfbFNFPXAN($7*uEf@U-Peb6;yuBjVX2~ScQlT
zmC8IA9$amGimRA%2@24)?^SWWKXf*#Upmcn^T>+LZ5B^NPv+`&BH+l?Ua3uiXt+g6
z$E{gwLb5OD=R<TJcBpYHu|lQ7CE9#%BEZEO#y`RcvR<jTsiae~x=4k;dB$_S+!ZM(
z!IC_b&yV-)SSWcTfAwRMQkla_cNSO9?We^PdaHpnu5V5oxaKa!u;L`_<jX3}3QA__
zA}eLliW-w1N3tifF|V#Kj{XX$Wr}Os7nN^u5X+~0Zc>hMdVvONXnkVI+Z)^DT-6US
z$p!-G3)ktchAF<u<kg_`i@fCj{pus2BrIWXtE-0Q!CtqyA~M;qJn_yXi|bCgYW;+W
zIc6zAuC?3Wpu*vB6Y8!AguAk#4!6q(CE86Oz=K3q(ok~a-+=3PrkYGi%?9)%x11)8
zhu6~&kG;rNIrOTXc`orXW4<mBO?8gLS1{(9>aqhqOIB2B3plYX_e4gARG`1RJ?Y2_
zH}K2a;8<9_`veyjGgl0))0fRR*=f`pVwS3$$qFs=DVxcIfIe(P0>tQ&*&`x&*1Q6_
zs+z9OmrXK^aW;s03BIV`Z4_{E>;ueiJ~|t=djI|-@DP`JX(fZ-E(RRvg}U{&S-d%N
z3-~1jVFctVK9VN;l7W!GY7p`{`dytLY!HejDfk{Pb+8yT3tXNb4EHL6D=zxmrHkB4
z7~iJFVacfV(yIN}@|I80hQDp$Ulmxve2)Y5y*;pBtv@c&Dx)^|d&vXQZ}i0KIcMj>
zggP~&JHDauar@oz#QZO{C8~KWZ5zl%4XWg+%g?p7X7AvucK-ZG!Dg~QCZSglO1E=h
z-h<C(hP^9dPYC2V%LOBs`;s?l<&vg4`7+4~61=z@oYNn`QQrZ)>$-0sm+~Msw^bZe
zaHcbO9jm>n9VRU2LK6!)azwIv8l2Z$ueog~N~o3An@<n7Z;|Wb^cx+)9d>+fmiN0F
z_@oY1vojge6HiOgUVBt;E++lW_7Cmb#@A!l`-UG&E3(Y+6J}8W7pTzr+IexbLIFS9
zpYN~Ha^~rYrXmA0b6G&V7G#Pv+6EU62}`klKJMpidmg1S;qLfs9T6WC`8p9R-jYSN
z5H8|8095>OObV3yp?R@#M<W*}$j{3k2D2hCt@Lzm^y%b5LZM|%?#2=anlzZLXAcv(
zyt;Yliu~zK@&Fy|ltP#!Ah)d@|DI2T-M=2YT$KLY^x2T%C5-}=`uZP!`q^fSpm;8y
zQX}L&b)*crrR%HxW)(z%z-LA$8GGt9-zRxgFU@c@D`y8yy-QB_7M33(`Vy*WZ5KVr
zclBQSW|$kk&1j{r=dfLG`#GBszf9%`ries_kO{Wcrm|TM>^c7j_6m@YQa=k>ia-j5
z$gJKL5(=sxHb?}aV++AL803kdi7Z&nxbTv*cOVLzCM4yxRCm4MwHW>II}Boqsy{}_
zXN{;th}~WU?ckuJqS`Zgup-TuLwVdiJ<)sd*>zsjT201uL`6W=<kPtso9G5DP@o;-
zgl_r2=bxCm3^bHw-Dv~K&O&S1WV6`NW8H9J!7oM~qYBzz-r3>9RQ4nfJf1)|fvf8q
zJI-y?JL=b@{1BQwJ1M*NlGfeV{IPM*Ev^{<-M1cmx3!tv-Ab>ME8E*SK-F*jKwLcj
zMP5zR{P;}jbvElW&8yumu$8NAr&0Ga+hdGdBz52sDRz<n{O->G^1I!y&P4hqcLO<n
z%>_gw7i`~VwtNDK&U&qqxHZd4$?VoTxETTJeJsf+m(&i@2@N6iB<2%#u+IgZgT#-e
z(eerxbTE;SC{o_Ml2G4rhpTVVMYewi>4>RX3nG@G?LTY%hz#Dcj(RK?E-1JJO8W9-
zYg$gT$<@XcFGt8N21{u;jq3p*$iEu_5f>RF?{?}CSMldSh=$oaHFoI7e2(-IUj`Mm
z+VQnI_(mG!=GCVYyWR`izP>)Lm%u!hfBvFn(i>s(&C!wl`g+mvop~v*`*t4xI>$_V
z$JRsFffe$Sd#4whRD$$o79_!)Ewv6p!PCS^bE(>Hu^RpPmXjyI!OEmx_>NOg>`Tth
zBg&w1{We<Jrb<wRo}k4|n=G==^FP(taW(n1{RSLzAE<+=exDT$Zi>8T1tggms2aMx
z$~N%6f0pU;L{ZELP6>p@W`>?-o|~M1O1D08Jm8`QY3;5*e+%PTY&_nQuLZcWTh;WR
zq+0Z6Q^G+o18xM5^Qg%>ik37nw7HysRG=)iG&etY+t+iQCwQd-Aql{P7C5s%e;zj<
z0Cq;X263!3os6w$L{$O9sCs$&(D~7k#CWMjbT@3P*dA~W(1eAB?E$?%=0Rb*>vk?>
zm(|+9-<#8Sfe=hMAjecsD<OjtM<0Y5NRf)AN63CrFTu4Cn2$8+H)LnXt$?3(HQ~5T
z1g5um*dQOahD#kQU6JYa1Xt1Uxd}$8I;0zvH#Xne{&2QXr87T^!iGx84FBf8oZvkF
zak_Yb-k&HPCtdx;VeRRK^-L&}O(<%`&kynQ&%fE}4*8j4!{5L4kbfZybf3?Atd#NZ
z9rqsm*FHo~Pj_dCO+sBdTBVAA=5-;pqIa2t_VBF54<G9v`0yRzQJQx-2CKAnAyL2d
zjEQCcKb-kP-`Ly4zsJkcjw{=zV$&J24ehnorGH=+g2f}3e3(%B3c<={*0FF?`PBSp
zk#~o`rJgF~WL4;|%6+^j19_L<;JykF8lyK+^|rjXC`9s#_*+2d-WXDu4DR$pHD9%T
zQU3@=p&6x0^>G0C1H?^AHWW?o3>BImKmx6L&oR~spLhgI_c9keKhlvR{VdB>?sg!y
zzU1tf+TwFgtHK~_#x@MFBvac-!s)YkTqWRI806h|rk;2ghXm($o)N^o^MDdXok$ur
z%IkeiOipZ4<VPs+7_B<7OJS0wZg<Pc5KwiZdftqr(fR7pX5I=|RIcJ;V_ydjP^dl3
zOgz}(7d}6+P)j4Rvl{&nMg27HH1~PsHtX0PmaP9<AcR8{w0l_9gKUsfBRU+eqL<2u
zRE!B%PY?bMhf(M}aSD*<g@L5=$ya;?{A_+_>Sh`RPOVGdL)&s64(L6%?8STptz2b&
z0UI3cGbPWNU7M;gVNuRQ(uJ4LFSPl^g6r9WAW&juyEh<jn-VonxuJ~$y__6pJb3Yf
zRNqIEBu@Is5LGLr-0me?vTui_(^p~yw-(oir~zGn@8tQ#(`&u)p7lg^5*cG+xZY7k
zXIvTWsOe@z9z~9j1YJM(DaQK~c9{^*8q*~&#E$NRa*(#3Ua$}TLYqa4S)YVP@Whr?
zE3Hy~@aX%jto!K&^(Zlg-Lc0k2~04sY=D%FSoNVS`xg_e3T%BTlKUK3=wyQFYbld<
zQ!50VPx}$<b0gc{T_c_%UZ`&0HK<;-shh<f3c>WnGZ+@x!l&S$Jvqp0VZqKMjjVbY
zu;2sId)M5z<~=g>k}dB6$0ek;{<O2+@=i>bjFXgBEAN>Jfm{AF)`lUj*7`{lL+^MN
zmqV2E%0mC+p|SJdkLVm3p7zZRcra5Kn=whGur>9b%zru~Pc<DD(xB_l(dzN-W{NWv
zvwDa3<nNLjQI&0lcm_2%*{tzaQn|>r`~w%}xp`j|MB(VkFa?x9PtgGs6fcQ?Z)RoF
z3-@N+y?Pq}xiWZ6Qs`yxNj|4ail3T~dBoeuq+7$#C0zii;BA!LoG%4$^#P*$bXmOs
zjz&hp4#D4RQv;#Z+7sNxbQEaH7IU0wy6uqn#KT24_tOoX8Z*J43|FF}c&{QtU!_yB
zr6+^Z(EaD@g3rGKUzFpX-WK>^EghR*8*<2pTq{qd3)H3GioJ=cl}Gb_oQ=YeKvGr&
zKbmHTJyZLE%L(CvuCqt{C*+V%@wk$5s})Z%ZEWa-CJoV>?LK{-)cB3<?IZ|%Y&-qi
z3|ZdH=5dyQz)wP66Oj?D*zku`u`k&W<+&F3ebtsMQaq(WX!Yvo{?XSd&2O+Gh9fAL
z8?<Yw?K^q{Ne=hZ9oto(>8I^WCI@|~w`$V4=|0@%yiafGuXqPQCbc&X2S(2)<d$@i
z4)?xjf9-toF?wjtTRT?q0RaPBZ@6ipMTT>_a{qSPSWqOj`ZsafxF+R{EzFXCN0#nt
zCAYp$&&vcy$2UZ1l4|YeN{^RjnVTEyscb*Xqqcakr2ig2pbBKQe7qp~s=cXL{KISe
z{waJe!Zl5?Z+9|z+YLs<@Ld@Sim>mjd6;l&&F2)~Sm-c6eD*)cj&85##5e>XAS%&|
z#Ye}~g5tVp#y^Hp=}?TB213XmIX#gHw4N~-30%+!j>mvOtF;{?EHE)(>7Np*88O39
z3jA5}DnRT!v(47RrY!z%sj$Uqb3FUc?~DRbN^`J)?SJR6ir-KCpVh7XDIx2>{&%Sy
zj3v0!H`CFK3f~14cnmNg9r)iqVtj-uQ_HcT_P-&8?jriIrIA&{iS6H_fzu5YPVLkt
z@S_Ao`ch#}f{4*x-T$sS9R=i|P~p~fKPuhm10WmPPK%Sb7uRb%3Cs%1)I<r;`v>lS
zw!|Iha&kdYdrs~zlp2e!3p>vVif7W0!`_=5Tq9kCGM9rJ2YIoSvR;zOYhD=jX9OeC
z*(1M0`mMzLh&i+#uE~*o@1!6K>h}3FfL6Ob#ylmwndZt)ng6<@+5OKhnw*x+2OnK6
z27r_l8#wP=v)bghMgdJ2eSVP?Jm@;S6`=<Dvrm?l#DYtQ*UI>hPG_}NhZBFjb506~
z01tS~YP97<-yAVDm*8?yueLem69+07T0_V~TEGfk8~@$N^^0qBR?z$k4VodJYWnhk
z<=Q6<&}6zkQec719<n)}omAk((Zw;5IY*vLv8aHH5ti@eGZazZ>kopFnoA=!Y61;@
zL^&<)AYVvH^`ZPB(58A1nr*K9M7Gg=v3fg{)7B{#w;8HDOByXX9_oMkt5`gWc69c?
zpOD4K25pxR?%U?`@R+o!^Cyvc+{(rPxllRh-RSL~HLOp=`VsS2v2=>N+Mqb{$Wr}T
zY}I0G{=0sT_Y)<!q(BM$_g4=nN+(TB$X)WNA<G6r;MKU~Tm(KMFWaroj6>qUxe4?K
zJQ;O6F*@U{#w&I6fE9_}=w=xmJ$tq^HXX^L!}3^I7VlMUiHgI@`D|J}jATf^IYMvx
z3y>x70M!B3O7TEPu)J2#XMS6EF<5UF@^NZ;=S=kM(OSQlcXaE#kiB7$tdited3v?^
z9l>0~Inp?5a#uC-JdRGBCI4QSjEj}gy0_iQ{sgVUwqK|;4Q#&Eom}k3+~acPOn>bC
z7_QJHr*yeCSG1&N+q;#cnFE~W4MkkOeVeAU-+$!|oh@gh#EOsX=D$7$zN>V4f;3l&
z5*g?-LAeQ4T55CK8%c<rul2!e*0K?A4~;ERYhe(c(_Q(og>`7q5>R!tH_QLxU?h?E
z{Y)Nd<$N<*RXSFUb!)1GK9BiZ5D8xfI1i*G!xbJBikQ<WloG%H)f|v6q=8HJZ!b{Y
ze?OG9+ku?`u%z0M0EUeB%je8k3-9G2eQt!aJN@Xf7}_7QzuR3r%5-*$uwKKMc?udG
z-rt<lQ#Hnxg=r_2aFkNIe!?&Ixg93I*HiHIXX?cRMtN%-f4@L4iOm(IH;?Z_q=~Y7
zx>`hPi0ay}Uz@(D)OuhlPa?fxAjP$k8ed}2K+QT~i(Kk3{moZlcg_nR)z*uT{d-Xv
zzc`18Wn}8rQmoj4@m-yUfcGvjll!2=9qm3MflI^_k0SE&YbiGiuk8x5<D^IQW6U;w
zJ1*Zp)(bmhZN5!jcgU=hHeIBU%K(Spe_SpgnKan&%AC1K3^8f{+&f*!i9vMB!<gTz
z0fX)UdISQ#h8K3~%oy5;(Q}Z8c5DM}8sZ;c$J_4=d+o+hixoUx?vBBUy?yfcp-PV4
zG)Ol=yl=13g05V<4Do2cpjiXXJ|a#O2R$Y&toziG+d8@8Cvn@}yg%M!u|L9cq-;M%
zzP5Yed><cpQy8^9Q|+Ra#Hxv*{_O@-eGwYvawCoD&2QGk@6FdEG>8X>wiJ02V5BXx
zCvoy$o^6H!u;}jvLp(tlCZ|^T^~h)a7Q*3dUz<c}tM_7fA?1eM*vp|wFRt$GYr4=C
zDDTO(CX5Fe*I-~IFu8ueAh-#lv+4@`%%UkER<}RbbG6?WE`ohZET1OSGrT!bLlUF`
zRv$hxf&CJ~;e_TTE&tH2>{yA4`|BRXEa@iOn;Po{;v^Ow{L>6K;}W`(f;!)0#R0u)
z>>j^)P&Md@8;_!-ktZ#cIkiO1q=mZLEnFs=)Ue=2_~ubh?*#!8FFF+5n2pE~eBkM3
z6Z^+BV&&-91}FzjDBk%Nq;b-)sQT4&&~}5l{Jq!I7B6JZC+v5GIe!&xWThE9WRrKm
z@idx{DJ(Yp$-_fsKI{4D-~}u47h498r^<L19(uR;xnxq5+v*E^z@2|sb6WW>+fv3w
zzs-~xKw?8$GE+_NelH66?k?A4TL&aD{X2PDQBpp{YfDLFN~P>efW8$`*T_vB`SS%9
zO%}06=l95%Q+p!r5WmlfvqfGTe7i57Y1Z80Iep?>wjc`Sf!#EkqH%weH^I^Wh{wjV
z1OQ=`Z4ysJ;#o}{b9m7_iNv!7Ym+PZVZATEncy@PAbj{ua`?rjKD!)<5vFs0G^x&;
zD!CVOv=+6NJf?xE#Cd#0x0&ivsN}Y6h}2qpj6>3wv~)LtR{Bex9u*qBt$}y>bEMA7
zFNsqho1JnJM~A{Ok*rJ^FBj#3Aa3N`7OGH?r<+9RghC))WVhlH8JFs-kFU?}_)(>T
zAaGF0up1aT2sl;(nGi9<*5$b(HgbW^MEadIc|-R>gC9$8JXNd~;YWCJ(mwNkhb&Vu
z1uKu#dlWNzl~2yEkXHMXY1GWvI|H|fTE8z>y1Y(jNLSInS!|XL@56DoS?ACRC+8|K
zS<TDQoN5>i2FJ5NCJM&`=t)1n-)G9HT1!z~B<E;afyAEw)zg*7L%DwOs8J?2u4~JZ
z5i%HSh+mX3=-NlNnWC`_rHPoxkCCN9E0Z#om=r!_Y%?g!$8xVUwjv=yxXlzrscR`e
z>i4`eujapb-}9bxo^#Igyytt~XW50#m9~p`|AtgZnt1$q;^b=Ij}C66|F{lMk64h%
zme<SAa8r-jegXTkdgU{{UV8W7#y7^D+Az5zxfx(y$19Apkx%H$Vw=ixS;Dbv2B%+^
zsJ?Si;*Mxs#7u6TQXmgMJR#0MZN|59o_51y*=}H8`B}v;Z@Ha+=Q6R8UNV<F>jQI9
z5qnt@#P%*fd-`xiKqZP*38n!))?CIij0%=R{>R+f5XBe672XH9zXcqrv8-q!_TIoR
zn3b1ML~sz*y@+wEZfuBJ5DQs1zBc2cYQC&T{Lg9|H_^KhY%%;c>obMd#XzK`GoQ?-
z^v?WTQIYHa%F8jM?my~0GE+eLviQQIs3|jr9#u|wv@Jx>H@$PemAheL_>o2{az03I
z{BelB3;G1gDYM7q7wvP|VIMrZjlkkw+jQmKZ&)KiBNzGWC3zZbB_yLVWsa$i2h$r8
z@L;!AiBidM5n?miM-tK88qe>QwBaD>P9QlxcKq+S4Uj6HOJG|je3b|;KQLn*AxiTr
zBCxt{sRs;>{<RP5Jtqw?uHDI9IT`W?^zCV`Y5ngC8qTlzI4|X04{KiS;L^;%Hpac#
z;AnHRk+6y6h33_B&OU=0;mT8<5977#!rlykgBYj3wf#)U81s0#?dIKyFqs`~luHNV
zH`bvg#qBX3YS&L3dN@{QHAPxFua?|jMUo7d;1MSfSnu~t+~}a~h<a0a?Jld>`Ie?f
zZ@+aPabre057${Z)zGE_Fu7LZMnU%60V5Ak@$zitMpqr<obg)=lQ;YPEvxd{Q2)S>
zJq^^2n4+emXp!VOaB%aOibG^bKnbJf%_jy^kpJyCE}}`dt4@nqR8ZjA6dDjjt9tlO
zU#`sER7WnA7`ReX@O}2RsrA^i_R+J4=ze>L(1y&`C)!fks9r+ry_#UUI`{+vzTk*f
z90;F$_657<B2Tl6AQi_?;`NANbz)i?O}AlHLBi49<|Zn+!m$&{??`Xio=DGbFUS9|
zJT+dg`k8W?r&ua)d1@*xxO))6>t|Xjdg(C4Kir$RtI0C4EovHeN1fFdI}k*d^=4M6
z&~^omHfXQ^BW^1Cml19)LRk@POt)WtpmJ)*52Z%kZlp`3*TE5k8QPtr^>t^CW&}NN
zT2^^}Ht54Ui*brGp6ZcD34DAx$28W2OY$y%nHgQEN;FZ$HOU#|t9oeddart1#(tpD
z@7&VInW|1R#vwrxT|)qdDp6X{B^^#+p`&|v5{_#N&&Ffc?FzJUul<uNcs<`g&iwJ@
z#_t7fOC@8~AQ5oNBIbBs^c@9-f9%ri3-b-!^!xsGYAV}4(u?e(&LVO&t|m4}dRFUC
zo+aP9_PdoLnCQ3`U{0RdJK%83QafX^|L1T2JiXZ=SF$Q1az)w#`M~ySUyUt(_4~gk
z!BpCw`B=r5S*=>LVFO#oeVks)4d1n^GC+>9Apqg1)|>tcml}eArVYxb>id}|iMH*r
z6pQOHq!xGOE4k$fK*LiRL#-Q6@^p}7qKC_zZVtdD9JM;nq!ZGMtBJh^inDLRhrY%Q
zK8A*{DsVHs`Mfbz9fnzBo6uwBVG@9X1kU`q!{(i3&=)}x#+7}_SRA~*r9g7U(nisP
zO|?sk=m5KPGoee+i#-^zjpG};Y|3mF;LZ_(>)Z(ey?eWj5VBx=4K4J}fF^j4s^3-@
zJSBzjbrA6i&=4h7)%BjS^hw4j?bOfyL&(ywEXkU2MxxY12&)cGiuPO<%94f{KFQ>3
zD0S^Ay$?z*8-Z-DDc$HQgvU_GG7oE%Q^AUBVsJ91loXg-D6q~0Yc!<r%7C-5P*;&l
zA7sOK8f5T-y8kOqclUj5020Ywuzt287Z9Eh^y@w}<Sdemc~+d2E{Gv1L?7N7)hof~
z;khvIJNUG`3oS%xR<MR~v}Ymvy#+;$QD;IUT_`UJhepx)QoX#KOW@?^zUbTT*M*uB
zjsOuKXVEPRFw5S3uzhRXghu@36^|=gw>R(Q32|S=qsxQte*!;{-2})Kg&e&E+`LkQ
zG!|n)&=-`ZDs`Aq!W04RZz@zWxL)&4`g~_5g!JdPz+QH@CIMB(B=fWjdon?18OwC!
z!q_wfC?A|kpq9l#p>v_uaDz59OtD;aZ=?p2pDVAQ{q7q@-$1RV#7j23TTO~}<1DJ^
z(Pa;9@aFLl1m>V&Mh}v#AXbvB>Ea-%F6v-PRw(SjoMPa52jgxm10uM3nwkz9t`;&J
zMmIF=Ur<x)u)C!OKQIdU=B~p+oV+wR(ZV!)H*C;#K`VaC12J2YTes=&q^%H}E!TNv
zIAH&wtlN>B_QwG>lrr=M1y2w{W~s1LU0p!l!>ax=f#8_P5t@V;L#BoTY&{<rt4xak
zov9_kI8JE1<V7G3Zm(2V=7O5A7%<%f;;-@R2a07(GUg_N@d=Kj`C~w6^NBs&J^9v*
zpz3=!;C_RO2lOdm+1l}m6wdZv@puV};-?^r+2qiDl~EX&`4({5qJ6K$2Pp(cIhs$N
zfQ>u?MX92WqpJP0;uw8Z+2~)4vOybrHM1wpZp%3_!lD?g&7diTf~Ha5)kp{QAA)`E
zW!MZUKm-w;pD*_a5Cl*(j=&F?SA+l0n;-R@+($2o7bkClMI&WF5d+;?O9FMYF(1M^
zEupGXd4QaA*aYgO`$J2D;E3A}DJmk@?Vg6F^UHL#-pUDwftpl6K7w~&gU17y+{YV`
zXZeucHtr;cVrrrcgv|Y40VT(lznZU1gCYrSgS-SQGXuow#;<jc-3Pwc9LK?9Qx?#X
z${&99-%p}M#hsW*I1onbfzb0Umg!dJuYCu9nasy~I`M{zOKoXXTjUn-bFg!@t+MgI
F_<!5d-+ll9

literal 0
HcmV?d00001

diff --git a/apigw-secretsmanager-apikey-cdk/bin/apigw-secrectsmanager-apikey-cdk.ts b/apigw-secretsmanager-apikey-cdk/bin/apigw-secrectsmanager-apikey-cdk.ts
new file mode 100644
index 000000000..4d1d19f9d
--- /dev/null
+++ b/apigw-secretsmanager-apikey-cdk/bin/apigw-secrectsmanager-apikey-cdk.ts
@@ -0,0 +1,12 @@
+#!/usr/bin/env node
+import * as cdk from "aws-cdk-lib";
+import { ApigwSecretsmanagerApikeyStack } from "../lib/apigw-secretsmanager-apikey-stack";
+
+const app = new cdk.App();
+// amazonq-ignore-next-line
+new ApigwSecretsmanagerApikeyStack(app, "ApigwSecretsmanagerApikeyCdkStack", {
+  env: {
+    account: process.env.CDK_DEFAULT_ACCOUNT,
+    region: process.env.CDK_DEFAULT_REGION,
+  },
+});
diff --git a/apigw-secretsmanager-apikey-cdk/cdk.json b/apigw-secretsmanager-apikey-cdk/cdk.json
new file mode 100644
index 000000000..30908c28d
--- /dev/null
+++ b/apigw-secretsmanager-apikey-cdk/cdk.json
@@ -0,0 +1,88 @@
+{
+  "app": "npx ts-node --prefer-ts-exts bin/apigw-secrectsmanager-apikey-cdk.ts",
+  "watch": {
+    "include": [
+      "**"
+    ],
+    "exclude": [
+      "README.md",
+      "cdk*.json",
+      "**/*.d.ts",
+      "**/*.js",
+      "tsconfig.json",
+      "package*.json",
+      "yarn.lock",
+      "node_modules",
+      "test"
+    ]
+  },
+  "context": {
+    "@aws-cdk/aws-lambda:recognizeLayerVersion": true,
+    "@aws-cdk/core:checkSecretUsage": true,
+    "@aws-cdk/core:target-partitions": [
+      "aws",
+      "aws-cn"
+    ],
+    "@aws-cdk-containers/ecs-service-extensions:enableDefaultLogDriver": true,
+    "@aws-cdk/aws-ec2:uniqueImdsv2TemplateName": true,
+    "@aws-cdk/aws-ecs:arnFormatIncludesClusterName": true,
+    "@aws-cdk/aws-iam:minimizePolicies": true,
+    "@aws-cdk/core:validateSnapshotRemovalPolicy": true,
+    "@aws-cdk/aws-codepipeline:crossAccountKeyAliasStackSafeResourceName": true,
+    "@aws-cdk/aws-s3:createDefaultLoggingPolicy": true,
+    "@aws-cdk/aws-sns-subscriptions:restrictSqsDescryption": true,
+    "@aws-cdk/aws-apigateway:disableCloudWatchRole": true,
+    "@aws-cdk/core:enablePartitionLiterals": true,
+    "@aws-cdk/aws-events:eventsTargetQueueSameAccount": true,
+    "@aws-cdk/aws-ecs:disableExplicitDeploymentControllerForCircuitBreaker": true,
+    "@aws-cdk/aws-iam:importedRoleStackSafeDefaultPolicyName": true,
+    "@aws-cdk/aws-s3:serverAccessLogsUseBucketPolicy": true,
+    "@aws-cdk/aws-route53-patters:useCertificate": true,
+    "@aws-cdk/customresources:installLatestAwsSdkDefault": false,
+    "@aws-cdk/aws-rds:databaseProxyUniqueResourceName": true,
+    "@aws-cdk/aws-codedeploy:removeAlarmsFromDeploymentGroup": true,
+    "@aws-cdk/aws-apigateway:authorizerChangeDeploymentLogicalId": true,
+    "@aws-cdk/aws-ec2:launchTemplateDefaultUserData": true,
+    "@aws-cdk/aws-secretsmanager:useAttachedSecretResourcePolicyForSecretTargetAttachments": true,
+    "@aws-cdk/aws-redshift:columnId": true,
+    "@aws-cdk/aws-stepfunctions-tasks:enableEmrServicePolicyV2": true,
+    "@aws-cdk/aws-ec2:restrictDefaultSecurityGroup": true,
+    "@aws-cdk/aws-apigateway:requestValidatorUniqueId": true,
+    "@aws-cdk/aws-kms:aliasNameRef": true,
+    "@aws-cdk/aws-autoscaling:generateLaunchTemplateInsteadOfLaunchConfig": true,
+    "@aws-cdk/core:includePrefixInUniqueNameGeneration": true,
+    "@aws-cdk/aws-efs:denyAnonymousAccess": true,
+    "@aws-cdk/aws-opensearchservice:enableOpensearchMultiAzWithStandby": true,
+    "@aws-cdk/aws-lambda-nodejs:useLatestRuntimeVersion": true,
+    "@aws-cdk/aws-efs:mountTargetOrderInsensitiveLogicalId": true,
+    "@aws-cdk/aws-rds:auroraClusterChangeScopeOfInstanceParameterGroupWithEachParameters": true,
+    "@aws-cdk/aws-appsync:useArnForSourceApiAssociationIdentifier": true,
+    "@aws-cdk/aws-rds:preventRenderingDeprecatedCredentials": true,
+    "@aws-cdk/aws-codepipeline-actions:useNewDefaultBranchForCodeCommitSource": true,
+    "@aws-cdk/aws-cloudwatch-actions:changeLambdaPermissionLogicalIdForLambdaAction": true,
+    "@aws-cdk/aws-codepipeline:crossAccountKeysDefaultValueToFalse": true,
+    "@aws-cdk/aws-codepipeline:defaultPipelineTypeToV2": true,
+    "@aws-cdk/aws-kms:reduceCrossAccountRegionPolicyScope": true,
+    "@aws-cdk/aws-eks:nodegroupNameAttribute": true,
+    "@aws-cdk/aws-ec2:ebsDefaultGp3Volume": true,
+    "@aws-cdk/aws-ecs:removeDefaultDeploymentAlarm": true,
+    "@aws-cdk/custom-resources:logApiResponseDataPropertyTrueDefault": false,
+    "@aws-cdk/aws-s3:keepNotificationInImportedBucket": false,
+    "@aws-cdk/aws-ecs:enableImdsBlockingDeprecatedFeature": false,
+    "@aws-cdk/aws-ecs:disableEcsImdsBlocking": true,
+    "@aws-cdk/aws-ecs:reduceEc2FargateCloudWatchPermissions": true,
+    "@aws-cdk/aws-dynamodb:resourcePolicyPerReplica": true,
+    "@aws-cdk/aws-ec2:ec2SumTImeoutEnabled": true,
+    "@aws-cdk/aws-appsync:appSyncGraphQLAPIScopeLambdaPermission": true,
+    "@aws-cdk/aws-rds:setCorrectValueForDatabaseInstanceReadReplicaInstanceResourceId": true,
+    "@aws-cdk/core:cfnIncludeRejectComplexResourceUpdateCreatePolicyIntrinsics": true,
+    "@aws-cdk/aws-lambda-nodejs:sdkV3ExcludeSmithyPackages": true,
+    "@aws-cdk/aws-stepfunctions-tasks:fixRunEcsTaskPolicy": true,
+    "@aws-cdk/aws-ec2:bastionHostUseAmazonLinux2023ByDefault": true,
+    "@aws-cdk/aws-route53-targets:userPoolDomainNameMethodWithoutCustomResource": true,
+    "@aws-cdk/aws-elasticloadbalancingV2:albDualstackWithoutPublicIpv4SecurityGroupRulesDefault": true,
+    "@aws-cdk/aws-iam:oidcRejectUnauthorizedConnections": true,
+    "@aws-cdk/core:enableAdditionalMetadataCollection": true,
+    "@aws-cdk/aws-lambda:createNewPoliciesWithAddToRolePolicy": true
+  }
+}
diff --git a/apigw-secretsmanager-apikey-cdk/create_api_key.sh b/apigw-secretsmanager-apikey-cdk/create_api_key.sh
new file mode 100755
index 000000000..7247dcd3f
--- /dev/null
+++ b/apigw-secretsmanager-apikey-cdk/create_api_key.sh
@@ -0,0 +1,21 @@
+#!/bin/bash
+
+# Create/update API key for a tenant
+# Usage: ./create-api-key tenant-1
+
+tenant_id=$1
+if [ -z "$tenant_id" ]; then
+  echo "Error: Tenant ID is required"
+  exit 1
+fi
+
+# Generate random 32-character API key
+api_key=$(openssl rand -hex 16)
+
+# Store the secret with the API key as the identifier
+aws secretsmanager create-secret \
+  --name "api-key-${api_key}" \
+  --secret-string "{\"tenantId\":\"${tenant_id}\"}" \
+  --no-cli-pager
+
+echo "API key for tenant ${tenant_id} created: ${api_key}"
diff --git a/apigw-secretsmanager-apikey-cdk/example-pattern.json b/apigw-secretsmanager-apikey-cdk/example-pattern.json
new file mode 100644
index 000000000..d1ec3627b
--- /dev/null
+++ b/apigw-secretsmanager-apikey-cdk/example-pattern.json
@@ -0,0 +1,65 @@
+{
+  "title": "API Gateway with Lambda Authorizer and Secrets Manager for API Key Authentication",
+  "description": "Implement a secure API key-based authorization system using Amazon API Gateway, Lambda Authorizer, and AWS Secrets Manager.",
+
+  "language": "TypeScript",
+  "level": "200",
+  "framework": "AWS CDK",
+  "introBox": {
+    "headline": "How it works",
+    "text": [
+      "This pattern demonstrates how to implement a secure API key-based authorization system using Amazon API Gateway, Lambda Authorizer, and AWS Secrets Manager.",
+      "Each user/tenant has their own unique API key stored in Secrets Manager, which is validated by a Lambda authorizer when requests are made to protected API endpoints.",
+      "The Lambda authorizer checks if the API key exists in Secrets Manager. If the key is valid, the associated tenant information is retrieved and included in the authorization context.",
+      "The API Gateway then allows or denies access to the protected endpoint based on the policy returned by the authorizer."
+    ]
+  },
+  "gitHub": {
+    "template": {
+      "repoURL": "https://github.com/aws-samples/serverless-patterns/tree/main/apigw-secretsmanager-apikey-cdk",
+      "templateURL": "serverless-patterns/apigw-secretsmanager-apikey-cdk",
+      "projectFolder": "apigw-secretsmanager-apikey-cdk",
+      "templateFile": "lib/apigw-secretsmanager-apikey-stack.ts"
+    }
+  },
+  "resources": {
+    "bullets": [
+      {
+        "text": "Lambda Authorizers for Amazon API Gateway",
+        "link": "https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-use-lambda-authorizer.html"
+      },
+      {
+        "text": "AWS Secrets Manager User Guide",
+        "link": "https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html"
+      },
+      {
+        "text": "Amazon API Gateway - REST APIs",
+        "link": "https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-rest-api.html"
+      }
+    ]
+  },
+  "deploy": {
+    "text": ["npm install", "cdk deploy"]
+  },
+  "testing": {
+    "text": [
+      "Create an API key using the provided script: './create_api_key.sh sample-tenant'",
+      "Make a request to the protected endpoint using the valid API key: 'curl -H \"x-api-key: CREATED_API_KEY\" https://REPLACE_WITH_CREATED_API_URL.amazonaws.com/prod/protected'",
+      "If successful, you should receive a response: { \"message\": \"Access granted\" }"
+    ]
+  },
+  "cleanup": {
+    "text": [
+      "Delete the CDK stack: 'cdk destroy'",
+      "Delete created SecretManager keys using the provided script: './remove_secrets.sh'"
+    ]
+  },
+  "authors": [
+    {
+      "name": "Marco Jahn",
+      "image": "https://sessionize.com/image/e99b-400o400o2-pqR4BacUSzHrq4fgZ4wwEQ.png",
+      "bio": "Senior Solutions Architect - ISV, Amazon Web Services",
+      "linkedin": "https://www.linkedin.com/in/marcojahn/"
+    }
+  ]
+}
diff --git a/apigw-secretsmanager-apikey-cdk/lib/apigw-secretsmanager-apikey-stack.ts b/apigw-secretsmanager-apikey-cdk/lib/apigw-secretsmanager-apikey-stack.ts
new file mode 100644
index 000000000..e59b0547b
--- /dev/null
+++ b/apigw-secretsmanager-apikey-cdk/lib/apigw-secretsmanager-apikey-stack.ts
@@ -0,0 +1,93 @@
+import * as cdk from "aws-cdk-lib";
+import * as apigateway from "aws-cdk-lib/aws-apigateway";
+import * as lambda from "aws-cdk-lib/aws-lambda-nodejs";
+import { Runtime } from "aws-cdk-lib/aws-lambda";
+import * as iam from "aws-cdk-lib/aws-iam";
+import * as path from "path";
+import { Construct } from "constructs";
+
+export class ApigwSecretsmanagerApikeyStack extends cdk.Stack {
+  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
+    super(scope, id, props);
+
+    // Create IAM role for the authorizer Lambda
+    const authorizerRole = new iam.Role(this, "AuthorizerRole", {
+      assumedBy: new iam.ServicePrincipal("lambda.amazonaws.com"),
+      managedPolicies: [iam.ManagedPolicy.fromAwsManagedPolicyName("service-role/AWSLambdaBasicExecutionRole")],
+    });
+
+    // Add more specific permission to access only relevant Secrets Manager secrets
+    authorizerRole.addToPolicy(
+      new iam.PolicyStatement({
+        actions: ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"],
+        resources: [`arn:aws:secretsmanager:${this.region}:${this.account}:secret:api-key-*`],
+      }),
+    );
+
+    // Create a dedicated logGroup for ApiKeyAuthorizer
+    const authorizerLogGroup = new cdk.aws_logs.LogGroup(this, "AuthorizerLogGroup", {
+      retention: cdk.aws_logs.RetentionDays.ONE_WEEK,
+      removalPolicy: cdk.RemovalPolicy.DESTROY,
+    });
+
+    // Create Lambda authorizer
+    const authorizer = new lambda.NodejsFunction(this, "ApiKeyAuthorizer", {
+      runtime: Runtime.NODEJS_22_X,
+      entry: path.join(__dirname, "lambda/authorizer.js"),
+      role: authorizerRole,
+      timeout: cdk.Duration.seconds(10),
+      environment: {
+        SECRET_PREFIX: "api-key-",
+      },
+      bundling: {
+        externalModules: [
+          "@aws-sdk/*", // AWS SDK v3 modules
+        ],
+      },
+      logGroup: authorizerLogGroup,
+    });
+
+    // Create API Gateway
+    const api = new apigateway.RestApi(this, "ApiGateway", {
+      restApiName: "API Key Protected Service",
+      description: "API protected with API key authorization",
+    });
+
+    // Create Lambda authorizer
+    const lambdaAuthorizer = new apigateway.TokenAuthorizer(this, "TokenAuthorizer", {
+      handler: authorizer,
+      identitySource: "method.request.header.x-api-key",
+    });
+
+    // Sample protected endpoint
+    const protectedResource = api.root.addResource("protected");
+
+    // Mock integration for demo purposes
+    const integration = new apigateway.MockIntegration({
+      integrationResponses: [
+        {
+          statusCode: "200",
+          responseTemplates: {
+            "application/json": '{ "message": "Access granted" }',
+          },
+        },
+      ],
+      passthroughBehavior: apigateway.PassthroughBehavior.NEVER,
+      requestTemplates: {
+        "application/json": '{ "statusCode": 200 }',
+      },
+    });
+
+    // Add method with authorizer
+    protectedResource.addMethod("GET", integration, {
+      authorizer: lambdaAuthorizer,
+      methodResponses: [{ statusCode: "200" }],
+    });
+
+    // Output the API URL
+    new cdk.CfnOutput(this, "ApiUrl", {
+      value: api.url,
+      description: "URL of the API Gateway",
+    });
+  }
+}
diff --git a/apigw-secretsmanager-apikey-cdk/lib/lambda/authorizer.js b/apigw-secretsmanager-apikey-cdk/lib/lambda/authorizer.js
new file mode 100644
index 000000000..3a40d0725
--- /dev/null
+++ b/apigw-secretsmanager-apikey-cdk/lib/lambda/authorizer.js
@@ -0,0 +1,87 @@
+import { GetSecretValueCommand, SecretsManagerClient } from "@aws-sdk/client-secrets-manager";
+const client = new SecretsManagerClient();
+
+const SECRET_PREFIX = process.env.SECRET_PREFIX || "api-key-";
+
+exports.handler = async (event) => {
+  // Get API key from request headers
+  const apiKey = event.authorizationToken;
+
+  if (!apiKey) {
+    throw new Error("Unauthorized: No API key provided");
+  }
+
+  try {
+    // Validate API key by directly accessing the specific secret
+    const tenantData = await validateApiKey(apiKey, event);
+
+    if (tenantData) {
+      return generatePolicy(tenantData.tenantId, "Allow", event.methodArn, tenantData.tenantId);
+    } else {
+      throw new Error("Unauthorized: Invalid API key");
+    }
+  } catch (error) {
+    console.error("Authorization error:", error.message);
+    throw new Error("Unauthorized");
+  }
+};
+
+async function validateApiKey(apiKey, event) {
+  try {
+    // Get the secret directly using the API key's secret name
+    const secretId = `${SECRET_PREFIX}${apiKey}`;
+
+    const secretData = await client.send(
+      new GetSecretValueCommand({
+        SecretId: secretId,
+      }),
+    );
+
+    if (secretData.SecretString) {
+      const secret = JSON.parse(secretData.SecretString);
+      return {
+        tenantId: secret.tenantId,
+        valid: true,
+      };
+    }
+  } catch (error) {
+    // Secret not found or other error - API key is invalid
+    if (error.code === "ResourceNotFoundException") {
+      console.log("API key not found");
+    } else {
+      console.error("Error fetching API key secret:", error);
+    }
+    return null;
+  }
+
+  return null;
+}
+
+// Helper function to generate IAM policy
+function generatePolicy(principalId, effect, resource, tenantId) {
+  const authResponse = {
+    principalId: principalId,
+  };
+
+  if (effect && resource) {
+    const policyDocument = {
+      Version: "2012-10-17",
+      Statement: [
+        {
+          Effect: effect,
+          Resource: resource,
+          Action: "execute-api:Invoke",
+        },
+      ],
+    };
+
+    authResponse.policyDocument = policyDocument;
+
+    // Add context with tenant ID for downstream Lambda functions
+    authResponse.context = {
+      tenantId: tenantId,
+    };
+  }
+
+  return authResponse;
+}
diff --git a/apigw-secretsmanager-apikey-cdk/package.json b/apigw-secretsmanager-apikey-cdk/package.json
new file mode 100644
index 000000000..97b35e2da
--- /dev/null
+++ b/apigw-secretsmanager-apikey-cdk/package.json
@@ -0,0 +1,26 @@
+{
+  "name": "apigw-secrectsmanager-apikey-cdk",
+  "version": "0.1.0",
+  "bin": {
+    "apigw-secrectsmanager-apikey-cdk": "bin/apigw-secrectsmanager-apikey-cdk.js"
+  },
+  "scripts": {
+    "build": "tsc",
+    "watch": "tsc -w",
+    "cdk": "cdk"
+  },
+  "devDependencies": {
+    "@types/jest": "^29.5.14",
+    "@types/node": "22.7.9",
+    "aws-cdk": "2.1003.0",
+    "esbuild": "^0.25.1",
+    "jest": "^29.7.0",
+    "ts-jest": "^29.2.5",
+    "ts-node": "^10.9.2",
+    "typescript": "~5.6.3"
+  },
+  "dependencies": {
+    "aws-cdk-lib": "2.181.1",
+    "constructs": "^10.0.0"
+  }
+}
diff --git a/apigw-secretsmanager-apikey-cdk/remove_secrets.sh b/apigw-secretsmanager-apikey-cdk/remove_secrets.sh
new file mode 100755
index 000000000..6f3c8ea3d
--- /dev/null
+++ b/apigw-secretsmanager-apikey-cdk/remove_secrets.sh
@@ -0,0 +1,33 @@
+#!/bin/bash
+
+# Define the prefix
+PREFIX="api-key-"
+
+# Add a dry run flag
+DRY_RUN=false
+
+# Parse command line arguments
+while [[ "$#" -gt 0 ]]; do
+    case $1 in
+        --dry-run) DRY_RUN=true ;;
+        *) echo "Unknown parameter passed: $1"; exit 1 ;;
+    esac
+    shift
+done
+
+# List secrets with the prefix and store them in an array
+secrets=($(aws secretsmanager list-secrets --query 'SecretList[?starts_with(Name, `'"$PREFIX"'`)].Name' --output text))
+
+# Loop through each secret
+for secret in "${secrets[@]}"; do
+    if $DRY_RUN; then
+        echo "Would delete secret: $secret"
+    else
+        aws secretsmanager delete-secret --secret-id "$secret" --recovery-window-in-days 7 --no-cli-pager
+        echo "Deleted secret: $secret"
+    fi
+done
+
+if $DRY_RUN; then
+    echo "Dry run completed. No secrets were actually deleted."
+fi
diff --git a/apigw-secretsmanager-apikey-cdk/tsconfig.json b/apigw-secretsmanager-apikey-cdk/tsconfig.json
new file mode 100644
index 000000000..aaa7dc510
--- /dev/null
+++ b/apigw-secretsmanager-apikey-cdk/tsconfig.json
@@ -0,0 +1,31 @@
+{
+  "compilerOptions": {
+    "target": "ES2020",
+    "module": "commonjs",
+    "lib": [
+      "es2020",
+      "dom"
+    ],
+    "declaration": true,
+    "strict": true,
+    "noImplicitAny": true,
+    "strictNullChecks": true,
+    "noImplicitThis": true,
+    "alwaysStrict": true,
+    "noUnusedLocals": false,
+    "noUnusedParameters": false,
+    "noImplicitReturns": true,
+    "noFallthroughCasesInSwitch": false,
+    "inlineSourceMap": true,
+    "inlineSources": true,
+    "experimentalDecorators": true,
+    "strictPropertyInitialization": false,
+    "typeRoots": [
+      "./node_modules/@types"
+    ]
+  },
+  "exclude": [
+    "node_modules",
+    "cdk.out"
+  ]
+}

From f8670f5cfe84f6ece11769bea42cf0bdb5a9c50c Mon Sep 17 00:00:00 2001
From: Marco <marco.jahn@gmail.com>
Date: Tue, 25 Mar 2025 14:45:11 +0100
Subject: [PATCH 02/11] Update apigw-secretsmanager-apikey-cdk/README.md

Co-authored-by: Ben <9841563+bfreiberg@users.noreply.github.com>
---
 apigw-secretsmanager-apikey-cdk/README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/apigw-secretsmanager-apikey-cdk/README.md b/apigw-secretsmanager-apikey-cdk/README.md
index 2ab25ef18..7c309b09b 100644
--- a/apigw-secretsmanager-apikey-cdk/README.md
+++ b/apigw-secretsmanager-apikey-cdk/README.md
@@ -1,4 +1,4 @@
-# API Gateway with Lambda Authorizer and Secrets Manager for API Key Authentication
+# Amazon API Gateway with AWS Lambda Authorizer and AWS Secrets Manager for API Key Authentication
 
 This pattern demonstrates how to implement a secure API key-based authorization system using Amazon API Gateway, Lambda Authorizer, and AWS Secrets Manager. Each user/tenant has their own unique API key stored in Secrets Manager, which is validated by a Lambda authorizer when requests are made to protected API endpoints.
 

From 1b436d002864fee554c9afdefe16f8a4bef22759 Mon Sep 17 00:00:00 2001
From: Marco <marco.jahn@gmail.com>
Date: Tue, 25 Mar 2025 14:45:18 +0100
Subject: [PATCH 03/11] Update apigw-secretsmanager-apikey-cdk/README.md

Co-authored-by: Ben <9841563+bfreiberg@users.noreply.github.com>
---
 apigw-secretsmanager-apikey-cdk/README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/apigw-secretsmanager-apikey-cdk/README.md b/apigw-secretsmanager-apikey-cdk/README.md
index 7c309b09b..85bc1a617 100644
--- a/apigw-secretsmanager-apikey-cdk/README.md
+++ b/apigw-secretsmanager-apikey-cdk/README.md
@@ -1,6 +1,6 @@
 # Amazon API Gateway with AWS Lambda Authorizer and AWS Secrets Manager for API Key Authentication
 
-This pattern demonstrates how to implement a secure API key-based authorization system using Amazon API Gateway, Lambda Authorizer, and AWS Secrets Manager. Each user/tenant has their own unique API key stored in Secrets Manager, which is validated by a Lambda authorizer when requests are made to protected API endpoints.
+This pattern demonstrates how to implement a secure API key-based authorization system using Amazon API Gateway, AWS Lambda Authorizer, and AWS Secrets Manager. Each user/tenant has their own unique API key stored in Secrets Manager, which is validated by a Lambda authorizer when requests are made to protected API endpoints.
 
 Learn more about this pattern at Serverless Land Patterns: [https://serverlessland.com/patterns/apigw-secretsmanager-apikey-cdk](https://serverlessland.com/patterns/apigw-secretsmanager-apikey-cdk)
 

From 776cc17e3a527861c9dd25f7b4c06e50c7220270 Mon Sep 17 00:00:00 2001
From: Marco <marco.jahn@gmail.com>
Date: Tue, 25 Mar 2025 14:45:27 +0100
Subject: [PATCH 04/11] Update apigw-secretsmanager-apikey-cdk/README.md

Co-authored-by: Ben <9841563+bfreiberg@users.noreply.github.com>
---
 apigw-secretsmanager-apikey-cdk/README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/apigw-secretsmanager-apikey-cdk/README.md b/apigw-secretsmanager-apikey-cdk/README.md
index 85bc1a617..d2487920e 100644
--- a/apigw-secretsmanager-apikey-cdk/README.md
+++ b/apigw-secretsmanager-apikey-cdk/README.md
@@ -18,7 +18,7 @@ Important: this application uses various AWS services and there are costs associ
 
 1. Create a new directory, navigate to that directory in a terminal and clone the GitHub repository:
     ```
-    git clone git clone https://github.com/aws-samples/serverless-patterns
+    git clone https://github.com/aws-samples/serverless-patterns
     ```
 1. Change directory to the pattern directory:
     ```

From a2dbe7ebe8d587cdf8bc3db1e2c54a277639b863 Mon Sep 17 00:00:00 2001
From: Marco <marco.jahn@gmail.com>
Date: Tue, 25 Mar 2025 14:45:34 +0100
Subject: [PATCH 05/11] Update apigw-secretsmanager-apikey-cdk/README.md

Co-authored-by: Ben <9841563+bfreiberg@users.noreply.github.com>
---
 apigw-secretsmanager-apikey-cdk/README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/apigw-secretsmanager-apikey-cdk/README.md b/apigw-secretsmanager-apikey-cdk/README.md
index d2487920e..ce687740f 100644
--- a/apigw-secretsmanager-apikey-cdk/README.md
+++ b/apigw-secretsmanager-apikey-cdk/README.md
@@ -61,7 +61,7 @@ Each API key in Secrets Manager should follow the naming convention `api-key-{ke
     ```
 1. Make a request to the protected endpoint with a valid API key:
     ```
-    curl -H "x-api-key: CREATED_API_KEY" https://REPLACE_WITH_URL_FROM_CDK_OUTPUT.amazonaws.com/prod/protected
+    curl -H "x-api-key: CREATED_API_KEY" https://REPLACE_WITH_URL_FROM_CDK_OUTPUT/protected
     ```
     If successful, you should receive a response like:
     ```

From f65751b00245bf1080eb9a220244ff7850b0dc5f Mon Sep 17 00:00:00 2001
From: Marco <marco.jahn@gmail.com>
Date: Tue, 25 Mar 2025 14:45:44 +0100
Subject: [PATCH 06/11] Update apigw-secretsmanager-apikey-cdk/README.md

Co-authored-by: Ben <9841563+bfreiberg@users.noreply.github.com>
---
 apigw-secretsmanager-apikey-cdk/README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/apigw-secretsmanager-apikey-cdk/README.md b/apigw-secretsmanager-apikey-cdk/README.md
index ce687740f..3e1917452 100644
--- a/apigw-secretsmanager-apikey-cdk/README.md
+++ b/apigw-secretsmanager-apikey-cdk/README.md
@@ -69,7 +69,7 @@ Each API key in Secrets Manager should follow the naming convention `api-key-{ke
     ```
 1. Try with an invalid API key:
     ```
-    curl -H "x-api-key: invalid-key" https://REPLACE_WITH_URL_FROM_CDK_OUTPUT.amazonaws.com/prod/protected
+    curl -H "x-api-key: invalid-key" https://REPLACE_WITH_URL_FROM_CDK_OUTPUT/protected
     ```
     You should receive an unauthorized error.
 1. Try without an API key:

From e01f25cf2df944f2ee4a2a6c2138a1b6b38e36fa Mon Sep 17 00:00:00 2001
From: Marco <marco.jahn@gmail.com>
Date: Tue, 25 Mar 2025 14:45:51 +0100
Subject: [PATCH 07/11] Update apigw-secretsmanager-apikey-cdk/README.md

Co-authored-by: Ben <9841563+bfreiberg@users.noreply.github.com>
---
 apigw-secretsmanager-apikey-cdk/README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/apigw-secretsmanager-apikey-cdk/README.md b/apigw-secretsmanager-apikey-cdk/README.md
index 3e1917452..bfe4ed1fc 100644
--- a/apigw-secretsmanager-apikey-cdk/README.md
+++ b/apigw-secretsmanager-apikey-cdk/README.md
@@ -94,6 +94,6 @@ Each API key in Secrets Manager should follow the naming convention `api-key-{ke
     ```
 
 ----
-Copyright 2024 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+Copyright 2025 Amazon.com, Inc. or its affiliates. All Rights Reserved.
 
 SPDX-License-Identifier: MIT-0

From 62f81f74e436194cfbf7f1a37f0269f60e354d00 Mon Sep 17 00:00:00 2001
From: Marco <marco.jahn@gmail.com>
Date: Tue, 25 Mar 2025 14:46:21 +0100
Subject: [PATCH 08/11] Update
 apigw-secretsmanager-apikey-cdk/example-pattern.json

Co-authored-by: Ben <9841563+bfreiberg@users.noreply.github.com>
---
 apigw-secretsmanager-apikey-cdk/example-pattern.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/apigw-secretsmanager-apikey-cdk/example-pattern.json b/apigw-secretsmanager-apikey-cdk/example-pattern.json
index d1ec3627b..906958c5a 100644
--- a/apigw-secretsmanager-apikey-cdk/example-pattern.json
+++ b/apigw-secretsmanager-apikey-cdk/example-pattern.json
@@ -59,7 +59,7 @@
       "name": "Marco Jahn",
       "image": "https://sessionize.com/image/e99b-400o400o2-pqR4BacUSzHrq4fgZ4wwEQ.png",
       "bio": "Senior Solutions Architect - ISV, Amazon Web Services",
-      "linkedin": "https://www.linkedin.com/in/marcojahn/"
+      "linkedin": "marcojahn"
     }
   ]
 }

From 96a60215c2f2c7c7f0fb7483fb987cee0ffb90c7 Mon Sep 17 00:00:00 2001
From: Marco Jahn <jahnmar@amazon.de>
Date: Tue, 25 Mar 2025 15:33:04 +0100
Subject: [PATCH 09/11] fixed reviewer requested changes

---
 .../example-pattern.json                           | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/apigw-secretsmanager-apikey-cdk/example-pattern.json b/apigw-secretsmanager-apikey-cdk/example-pattern.json
index 906958c5a..2a5b08f40 100644
--- a/apigw-secretsmanager-apikey-cdk/example-pattern.json
+++ b/apigw-secretsmanager-apikey-cdk/example-pattern.json
@@ -1,10 +1,10 @@
 {
-  "title": "API Gateway with Lambda Authorizer and Secrets Manager for API Key Authentication",
+  "title": "API Gateway, Lambda Authorizer & Secrets Manager for API Key Authentication",
   "description": "Implement a secure API key-based authorization system using Amazon API Gateway, Lambda Authorizer, and AWS Secrets Manager.",
 
   "language": "TypeScript",
   "level": "200",
-  "framework": "AWS CDK",
+  "framework": "CDK",
   "introBox": {
     "headline": "How it works",
     "text": [
@@ -43,15 +43,15 @@
   },
   "testing": {
     "text": [
-      "Create an API key using the provided script: './create_api_key.sh sample-tenant'",
-      "Make a request to the protected endpoint using the valid API key: 'curl -H \"x-api-key: CREATED_API_KEY\" https://REPLACE_WITH_CREATED_API_URL.amazonaws.com/prod/protected'",
-      "If successful, you should receive a response: { \"message\": \"Access granted\" }"
+      "Create an API key using the provided script: <code>./create_api_key.sh sample-tenant</code>",
+      "Make a request to the protected endpoint using the valid API key: <code>curl -H \"x-api-key: CREATED_API_KEY\" https://REPLACE_WITH_CREATED_API_URL.amazonaws.com/prod/protected</code>",
+      "If successful, you should receive a response: <code>{ \"message\": \"Access granted\" }</code>"
     ]
   },
   "cleanup": {
     "text": [
-      "Delete the CDK stack: 'cdk destroy'",
-      "Delete created SecretManager keys using the provided script: './remove_secrets.sh'"
+      "Delete the CDK stack: <code>cdk destroy</code>",
+      "Delete created SecretManager keys using the provided script: <code>./remove_secrets.sh</code>"
     ]
   },
   "authors": [

From b71e550af73bc97b9777fc4f239db882771de53f Mon Sep 17 00:00:00 2001
From: Marco <marco.jahn@gmail.com>
Date: Tue, 25 Mar 2025 15:36:18 +0100
Subject: [PATCH 10/11] Update apigw-secretsmanager-apikey-cdk/README.md

Co-authored-by: Ben <9841563+bfreiberg@users.noreply.github.com>
---
 apigw-secretsmanager-apikey-cdk/README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/apigw-secretsmanager-apikey-cdk/README.md b/apigw-secretsmanager-apikey-cdk/README.md
index bfe4ed1fc..421956949 100644
--- a/apigw-secretsmanager-apikey-cdk/README.md
+++ b/apigw-secretsmanager-apikey-cdk/README.md
@@ -74,7 +74,7 @@ Each API key in Secrets Manager should follow the naming convention `api-key-{ke
     You should receive an unauthorized error.
 1. Try without an API key:
     ```
-    curl https://REPLACE_WITH_URL_FROM_CDK_OUTPUT.amazonaws.com/prod/protected
+    curl https://REPLACE_WITH_URL_FROM_CDK_OUTPUT/protected
     ```
     You should also receive an unauthorized error.
 

From 943b7ddef55a2bcae35365364861438230af271d Mon Sep 17 00:00:00 2001
From: Ben <9841563+bfreiberg@users.noreply.github.com>
Date: Fri, 4 Apr 2025 18:07:59 +0200
Subject: [PATCH 11/11] Add final pattern.json file

---
 .../apigws-secretsmanager-apikey-cdk.json     | 97 +++++++++++++++++++
 1 file changed, 97 insertions(+)
 create mode 100644 apigw-secretsmanager-apikey-cdk/apigws-secretsmanager-apikey-cdk.json

diff --git a/apigw-secretsmanager-apikey-cdk/apigws-secretsmanager-apikey-cdk.json b/apigw-secretsmanager-apikey-cdk/apigws-secretsmanager-apikey-cdk.json
new file mode 100644
index 000000000..d81e104ef
--- /dev/null
+++ b/apigw-secretsmanager-apikey-cdk/apigws-secretsmanager-apikey-cdk.json
@@ -0,0 +1,97 @@
+{
+    "title": "API Gateway, Lambda Authorizer & Secrets Manager for API Key Authentication",
+    "description": "Implement a secure API key-based authorization system using Amazon API Gateway, Lambda Authorizer, and AWS Secrets Manager.",
+    "language": "TypeScript",
+    "level": "200",
+    "framework": "CDK",
+    "introBox": {
+        "headline": "How it works",
+        "text": [
+            "This pattern demonstrates how to implement a secure API key-based authorization system using Amazon API Gateway, Lambda Authorizer, and AWS Secrets Manager.",
+            "Each user/tenant has their own unique API key stored in Secrets Manager, which is validated by a Lambda authorizer when requests are made to protected API endpoints.",
+            "The Lambda authorizer checks if the API key exists in Secrets Manager. If the key is valid, the associated tenant information is retrieved and included in the authorization context.",
+            "The API Gateway then allows or denies access to the protected endpoint based on the policy returned by the authorizer."
+        ]
+    },
+    "gitHub": {
+        "template": {
+            "repoURL": "https://github.com/aws-samples/serverless-patterns/tree/main/apigw-secretsmanager-apikey-cdk",
+            "templateURL": "serverless-patterns/apigw-secretsmanager-apikey-cdk",
+            "projectFolder": "apigw-secretsmanager-apikey-cdk",
+            "templateFile": "lib/apigw-secretsmanager-apikey-stack.ts"
+        }
+    },
+    "resources": {
+        "bullets": [
+            {
+                "text": "Lambda Authorizers for Amazon API Gateway",
+                "link": "https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-use-lambda-authorizer.html"
+            },
+            {
+                "text": "AWS Secrets Manager User Guide",
+                "link": "https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html"
+            },
+            {
+                "text": "Amazon API Gateway - REST APIs",
+                "link": "https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-rest-api.html"
+            }
+        ]
+    },
+    "deploy": {
+        "text": [
+            "npm install",
+            "cdk deploy"
+        ]
+    },
+    "testing": {
+        "text": [
+            "Create an API key using the provided script: <code>./create_api_key.sh sample-tenant</code>",
+            "Make a request to the protected endpoint using the valid API key: <code>curl -H \"x-api-key: CREATED_API_KEY\" https://REPLACE_WITH_CREATED_API_URL.amazonaws.com/prod/protected</code>",
+            "If successful, you should receive a response: <code>{ \"message\": \"Access granted\" }</code>"
+        ]
+    },
+    "cleanup": {
+        "text": [
+            "Delete the CDK stack: <code>cdk destroy</code>",
+            "Delete created SecretManager keys using the provided script: <code>./remove_secrets.sh</code>"
+        ]
+    },
+    "authors": [
+        {
+            "name": "Marco Jahn",
+            "image": "https://sessionize.com/image/e99b-400o400o2-pqR4BacUSzHrq4fgZ4wwEQ.png",
+            "bio": "Senior Solutions Architect - ISV, Amazon Web Services",
+            "linkedin": "marcojahn"
+        }
+    ],
+    "patternArch": {
+        "icon1": {
+            "x": 20,
+            "y": 50,
+            "service": "apigw",
+            "label": "API Gateway REST API"
+        },
+        "icon2": {
+            "x": 50,
+            "y": 50,
+            "service": "lambda",
+            "label": "AWS Lambda Authorizer"
+        },
+        "icon3": {
+            "x": 80,
+            "y": 50,
+            "service": "secretsmanager",
+            "label": "AWS Secrets Manager"
+        },
+        "line1": {
+            "from": "icon1",
+            "to": "icon2",
+            "label": "Authorizer"
+        },
+        "line2": {
+            "from": "icon2",
+            "to": "icon3",
+            "label": "Request secret"
+        }
+    }
+}