From 2cc1ec693c6069db826c26adb22b515f8c130586 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Gon=C3=A7alo=20Heleno?=
 <33546359+lentidas@users.noreply.github.com>
Date: Wed, 8 Mar 2023 17:36:35 +0100
Subject: [PATCH] feat: first implementation of the EBS CSI driver (#2)

* feat(chart): add latest version of the chart

* feat(terraform): add draft version of the module

* feat: add code to conditionally create an IAM assumable role

* docs(terraform-docs): generate docs and write to README.adoc

* fix: fix condition for the creation of the iam role

* fix: hardcode the namespace kube-system

* docs(terraform-docs): generate docs and write to README.adoc

* chore: remove TODO

* fix: use empty string instead of null as default

* docs(terraform-docs): generate docs and write to README.adoc

* fix: force the use of a flag to avoid resource creation error

* docs(terraform-docs): generate docs and write to README.adoc

* fix: fix typo

* docs(terraform-docs): generate docs and write to README.adoc

* feat: use name prefix instead of full name

* feat: update chart to latest version

* docs: add documentation

* docs(terraform-docs): generate docs and write to README.adoc

* docs: rewording and formatting of variables' descriptions

* docs(terraform-docs): generate docs and write to README.adoc

* fix: change to looser versions constraints as per best practices

See documentation [here](https://developer.hashicorp.com/terraform/language/providers/requirements#version-constraints).

* docs(terraform-docs): generate docs and write to README.adoc

---------

Co-authored-by: lentidas <lentidas@users.noreply.github.com>
Release-As: v1.0.0
---
 README.adoc                                   | 349 ++++++++++++++++++
 charts/ebs-csi-driver/Chart.lock              |   6 +
 charts/ebs-csi-driver/Chart.yaml              |   8 +
 .../charts/aws-ebs-csi-driver-2.17.1.tgz      | Bin 0 -> 12573 bytes
 charts/ebs-csi-driver/values.yaml             |   1 +
 locals.tf                                     |  14 +
 main.tf                                       | 109 ++++++
 output.tf                                     |   4 +
 terraform.tf                                  |  12 +
 variables.tf                                  |  74 ++++
 10 files changed, 577 insertions(+)
 create mode 100644 charts/ebs-csi-driver/Chart.lock
 create mode 100644 charts/ebs-csi-driver/Chart.yaml
 create mode 100644 charts/ebs-csi-driver/charts/aws-ebs-csi-driver-2.17.1.tgz
 create mode 100644 charts/ebs-csi-driver/values.yaml
 create mode 100644 locals.tf
 create mode 100644 main.tf
 create mode 100644 output.tf
 create mode 100644 terraform.tf
 create mode 100644 variables.tf

diff --git a/README.adoc b/README.adoc
index 88e810a..c4270bd 100644
--- a/README.adoc
+++ b/README.adoc
@@ -1,3 +1,352 @@
 = devops-stack-module-ebs-csi-driver
+// Document attributes to replace along the document
+:chart-version: 2.17.1
+:original-repo-url: https://github.com/kubernetes-sigs/aws-ebs-csi-driver/blob/96b23f359d859cedc6c88d06a9b61e830f45b3db
 
 A https://devops-stack.io[DevOps Stack] module to deploy an Amazon EBS Container Storage Interface (CSI) driver.
+
+The EBS CSI Driver chart used by this module is shipped in this repository as well, in order to avoid any unwanted behaviors caused by unsupported versions. 
+
+[cols="1,1,1",options="autowidth,header"]
+|===
+|Current Chart Version |Original Repository |Default Values
+|*{chart-version}* |{original-repo-url}/charts/aws-ebs-csi-driver[Chart] |{original-repo-url}/charts/aws-ebs-csi-driver/values.yaml[`values.yaml`]
+|===
+
+== Usage
+
+This module can be declared by adding the following block on your Terraform configuration:
+
+[source,terraform]
+----
+module "ebs" {
+  source = "git::https://github.com/camptocamp/devops-stack-module-ebs-csi-driver.git?ref=<RELEASE>"
+
+  cluster_name            = local.cluster_name
+  argocd_namespace        = local.argocd_namespace
+  create_role             = true
+  cluster_oidc_issuer_url = module.eks.cluster_oidc_issuer_url
+
+  depends_on = [
+    module.argocd_bootstrap,
+  ]
+}
+----
+
+In case you want to create an OIDC assumable IAM role on your own, you'll need to provide the ARN for that role and disable the creation of the role inside of the module as follows:
+
+[source,terraform]
+----
+module "ebs" {
+  source = "git::https://github.com/camptocamp/devops-stack-module-ebs-csi-driver.git?ref=<RELEASE>"
+
+  cluster_name     = local.cluster_name
+  argocd_namespace = local.argocd_namespace
+  create_role      = false
+  iam_role_arn     = module.iam_assumable_role_ebs.iam_role_arn
+
+  depends_on = [
+    module.argocd_bootstrap,
+  ]
+}
+----
+
+IMPORTANT: The `create_role` variable is required. If passing `iam_role_arn` it should be set as false, otherwise you will need to specify the variable `cluster_oidc_issuer_url` and set it as true.
+
+== Technical Reference
+
+=== Dependencies
+
+==== `module.argocd_bootstrap`
+
+This module must be one of the first ones to be deployed and consequently it needs to be deployed after the module `argocd_bootstrap`.
+
+// BEGIN_TF_DOCS
+=== Requirements
+
+The following requirements are needed by this module:
+
+- [[requirement_argocd]] <<requirement_argocd,argocd>> (>= 4)
+
+- [[requirement_utils]] <<requirement_utils,utils>> (>= 1)
+
+=== Providers
+
+The following providers are used by this module:
+
+- [[provider_argocd]] <<provider_argocd,argocd>> (>= 4)
+
+- [[provider_null]] <<provider_null,null>>
+
+- [[provider_utils]] <<provider_utils,utils>> (>= 1)
+
+=== Modules
+
+The following Modules are called:
+
+==== [[module_iam_assumable_role_ebs]] <<module_iam_assumable_role_ebs,iam_assumable_role_ebs>>
+
+Source: terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc
+
+Version: ~> 5.0
+
+=== Resources
+
+The following resources are used by this module:
+
+- https://registry.terraform.io/providers/oboukili/argocd/latest/docs/resources/application[argocd_application.this] (resource)
+- https://registry.terraform.io/providers/oboukili/argocd/latest/docs/resources/project[argocd_project.this] (resource)
+- https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource[null_resource.dependencies] (resource)
+- https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource[null_resource.this] (resource)
+- https://registry.terraform.io/providers/cloudposse/utils/latest/docs/data-sources/deep_merge_yaml[utils_deep_merge_yaml.values] (data source)
+
+=== Required Inputs
+
+The following input variables are required:
+
+==== [[input_argocd_namespace]] <<input_argocd_namespace,argocd_namespace>>
+
+Description: Namespace used by Argo CD where the Application and AppProject resources should be created.
+
+Type: `string`
+
+==== [[input_create_role]] <<input_create_role,create_role>>
+
+Description: Boolean to indicate that the OIDC assumable IAM role should be created. **If passing `iam_role_arn` this should be false, otherwise if you want to create the OIDC assumable IAM role provided by this module, you will need to specify the variable `cluster_oidc_issuer_url`.**
+
+Type: `bool`
+
+=== Optional Inputs
+
+The following input variables are optional (have default values):
+
+==== [[input_app_autosync]] <<input_app_autosync,app_autosync>>
+
+Description: Automated sync options for the Argo CD Application resource.
+
+Type:
+[source,hcl]
+----
+object({
+    allow_empty = optional(bool)
+    prune       = optional(bool)
+    self_heal   = optional(bool)
+  })
+----
+
+Default:
+[source,json]
+----
+{
+  "allow_empty": false,
+  "prune": true,
+  "self_heal": true
+}
+----
+
+==== [[input_cluster_name]] <<input_cluster_name,cluster_name>>
+
+Description: Name given to the cluster. Value used for naming some the resources created by the module.
+
+Type: `string`
+
+Default: `"cluster"`
+
+==== [[input_cluster_oidc_issuer_url]] <<input_cluster_oidc_issuer_url,cluster_oidc_issuer_url>>
+
+Description: Cluster OIDC issuer URL used to create the OIDC assumable IAM role. This variable is required to create a IAM role if you set `create_role` as true.
+
+Type: `string`
+
+Default: `""`
+
+==== [[input_dependency_ids]] <<input_dependency_ids,dependency_ids>>
+
+Description: IDs of the other modules on which this module depends on.
+
+Type: `map(string)`
+
+Default: `{}`
+
+==== [[input_helm_values]] <<input_helm_values,helm_values>>
+
+Description: Helm chart value overrides. They should be passed as a list of HCL structures.
+
+Type: `any`
+
+Default: `[]`
+
+==== [[input_iam_role_arn]] <<input_iam_role_arn,iam_role_arn>>
+
+Description: ARN of an OIDC assumable IAM role that has access to the EBS volumes. When specified, this is added as an annotation to the EBS CSI driver controller ServiceAccount, to allow the driver to manage EBS access points for dynamic volumes provisioning.
+
+Type: `string`
+
+Default: `null`
+
+==== [[input_name]] <<input_name,name>>
+
+Description: Name used to override the chart name on deployment.
+
+Type: `string`
+
+Default: `"ebs-csi-driver"`
+
+==== [[input_target_revision]] <<input_target_revision,target_revision>>
+
+Description: Override of target revision of the application chart.
+
+Type: `string`
+
+Default: `"v1.0.0-alpha.1"`
+
+=== Outputs
+
+The following outputs are exported:
+
+==== [[output_id]] <<output_id,id>>
+
+Description: ID to pass other modules in order to refer to this module as a dependency.
+// END_TF_DOCS
+
+=== Reference in table format 
+
+.Show tables
+[%collapsible]
+====
+// BEGIN_TF_TABLES
+= Requirements
+
+[cols="a,a",options="header,autowidth"]
+|===
+|Name |Version
+|[[requirement_argocd]] <<requirement_argocd,argocd>> |>= 4
+|[[requirement_utils]] <<requirement_utils,utils>> |>= 1
+|===
+
+= Providers
+
+[cols="a,a",options="header,autowidth"]
+|===
+|Name |Version
+|[[provider_argocd]] <<provider_argocd,argocd>> |>= 4
+|[[provider_null]] <<provider_null,null>> |n/a
+|[[provider_utils]] <<provider_utils,utils>> |>= 1
+|===
+
+= Modules
+
+[cols="a,a,a",options="header,autowidth"]
+|===
+|Name |Source |Version
+|[[module_iam_assumable_role_ebs]] <<module_iam_assumable_role_ebs,iam_assumable_role_ebs>> |terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc |~> 5.0
+|===
+
+= Resources
+
+[cols="a,a",options="header,autowidth"]
+|===
+|Name |Type
+|https://registry.terraform.io/providers/oboukili/argocd/latest/docs/resources/application[argocd_application.this] |resource
+|https://registry.terraform.io/providers/oboukili/argocd/latest/docs/resources/project[argocd_project.this] |resource
+|https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource[null_resource.dependencies] |resource
+|https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource[null_resource.this] |resource
+|https://registry.terraform.io/providers/cloudposse/utils/latest/docs/data-sources/deep_merge_yaml[utils_deep_merge_yaml.values] |data source
+|===
+
+= Inputs
+
+[cols="a,a,a,a,a",options="header,autowidth"]
+|===
+|Name |Description |Type |Default |Required
+|[[input_app_autosync]] <<input_app_autosync,app_autosync>>
+|Automated sync options for the Argo CD Application resource.
+|
+
+[source]
+----
+object({
+    allow_empty = optional(bool)
+    prune       = optional(bool)
+    self_heal   = optional(bool)
+  })
+----
+
+|
+
+[source]
+----
+{
+  "allow_empty": false,
+  "prune": true,
+  "self_heal": true
+}
+----
+
+|no
+
+|[[input_argocd_namespace]] <<input_argocd_namespace,argocd_namespace>>
+|Namespace used by Argo CD where the Application and AppProject resources should be created.
+|`string`
+|n/a
+|yes
+
+|[[input_cluster_name]] <<input_cluster_name,cluster_name>>
+|Name given to the cluster. Value used for naming some the resources created by the module.
+|`string`
+|`"cluster"`
+|no
+
+|[[input_cluster_oidc_issuer_url]] <<input_cluster_oidc_issuer_url,cluster_oidc_issuer_url>>
+|Cluster OIDC issuer URL used to create the OIDC assumable IAM role. This variable is required to create a IAM role if you set `create_role` as true.
+|`string`
+|`""`
+|no
+
+|[[input_create_role]] <<input_create_role,create_role>>
+|Boolean to indicate that the OIDC assumable IAM role should be created. **If passing `iam_role_arn` this should be false, otherwise if you want to create the OIDC assumable IAM role provided by this module, you will need to specify the variable `cluster_oidc_issuer_url`.**
+|`bool`
+|n/a
+|yes
+
+|[[input_dependency_ids]] <<input_dependency_ids,dependency_ids>>
+|IDs of the other modules on which this module depends on.
+|`map(string)`
+|`{}`
+|no
+
+|[[input_helm_values]] <<input_helm_values,helm_values>>
+|Helm chart value overrides. They should be passed as a list of HCL structures.
+|`any`
+|`[]`
+|no
+
+|[[input_iam_role_arn]] <<input_iam_role_arn,iam_role_arn>>
+|ARN of an OIDC assumable IAM role that has access to the EBS volumes. When specified, this is added as an annotation to the EBS CSI driver controller ServiceAccount, to allow the driver to manage EBS access points for dynamic volumes provisioning.
+|`string`
+|`null`
+|no
+
+|[[input_name]] <<input_name,name>>
+|Name used to override the chart name on deployment.
+|`string`
+|`"ebs-csi-driver"`
+|no
+
+|[[input_target_revision]] <<input_target_revision,target_revision>>
+|Override of target revision of the application chart.
+|`string`
+|`"v1.0.0-alpha.1"`
+|no
+
+|===
+
+= Outputs
+
+[cols="a,a",options="header,autowidth"]
+|===
+|Name |Description
+|[[output_id]] <<output_id,id>> |ID to pass other modules in order to refer to this module as a dependency.
+|===
+// END_TF_TABLES
+====
diff --git a/charts/ebs-csi-driver/Chart.lock b/charts/ebs-csi-driver/Chart.lock
new file mode 100644
index 0000000..8c7223d
--- /dev/null
+++ b/charts/ebs-csi-driver/Chart.lock
@@ -0,0 +1,6 @@
+dependencies:
+- name: aws-ebs-csi-driver
+  repository: https://kubernetes-sigs.github.io/aws-ebs-csi-driver/
+  version: 2.17.1
+digest: sha256:0e6596b6dedc74e7bf79c77d1f04119f10ff6af5070c53d05f06920b5c468702
+generated: "2023-02-24T14:45:37.658115395+01:00"
diff --git a/charts/ebs-csi-driver/Chart.yaml b/charts/ebs-csi-driver/Chart.yaml
new file mode 100644
index 0000000..ea64491
--- /dev/null
+++ b/charts/ebs-csi-driver/Chart.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: "v2"
+name: "aws-ebs-csi-driver"
+version: "0"
+dependencies:
+  - name: "aws-ebs-csi-driver"
+    version: "^2"
+    repository: "https://kubernetes-sigs.github.io/aws-ebs-csi-driver/"
diff --git a/charts/ebs-csi-driver/charts/aws-ebs-csi-driver-2.17.1.tgz b/charts/ebs-csi-driver/charts/aws-ebs-csi-driver-2.17.1.tgz
new file mode 100644
index 0000000000000000000000000000000000000000..a576eedb9b3ce91c0567c127da1849ba7b14c42a
GIT binary patch
literal 12573
zcmV+&G2+f2iwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc
zVQyr3R8em|NM&qo0PMYKbK|zsFnT`gSM-&WiamEoE#4-o*QXxG_9T8XTa6~kJvEaW
zLu5<BF-h<Mplr=@fBRclxQg1mjdLQVDr1oVy3yzrOM_eq2M5CO1a*8)C&*hTW5T67
zC1LQ7yLsB}cKcv&PygF)x2ylQ54!vR=<Mwt?jIcPwmbX(Xm|DwI{W{C_8q}r_#{FS
z{*U&pVO2Z#7kNlbe@8ATi+V8WHb@+2KRa&c!0j}A6dtFs)bEbr7Ysu16pO%+aX9{?
z4`)C1;iP{Kr<#8nV-{i$#!|+j*J_QZ947<UV`1wu86b~PqHqKqiPkLdH7;>_#kene
z4F|}TXgGia^?y&$hN_++_rpJrI&SCCZ9DBB8X=*PBs4;<D@H^i@M{JQjuSa%Tr>a@
z9^4SMR>L$~gS21?_fUhrS+6H)uez#BoyJ3s|7=GmBuG%)p#oSe|J}~s-eE=l_uB{U
zjr>2vvjwL(BuOB_47(QUS*CCsTkvj71yBJ5{&oEFg)?M4BvPUeLmHqeaEe|)IKqT*
zN(KQ6kPHS0F%bfNppj%SWeEp~VH^;N!fiBYNJiLe0C0?%ppx-v58`AHP|rn=yW~o=
zDhyg9K>%CudV-u&Ux6JX=ypMp5nPR#K=5rhsesAn&)^y>cbw@v`1-X0s(cTc%?3c6
z1i>2?P;c6U^WiHd-*6Nd$wp%f90yJkAz26k8DOCMNqpPG5GC=6Bn?j&d7(?F4u1Zs
z(Y$;n91_R1nxrA9j~?N=e9YN|D%6mxp8yz5dhq^F{dYz-^~}Z9d|pJ^OX2ubNY09S
z$`iDO*AjU|0;hn6ZO;&Cvg_`-ZAZ1xak~4C9#GlTWdb&OffEdR&}|qDQXOfipy==}
zi4X!LK63SsK)?V!Wo9%FDykGfySCN~Qz0u#1+WMP({y}IIn(T!EtHZ8BgK_|4<t{}
zzT1M=+O&}%6#&UVTGRx>0LNrPnT4<M9wQJwN<xgJFoWcy4`CvtVs;t<iGX+>#!`U;
zNkeqs5H9dE;Uw)}NMzpRTO8(ADZU)JBj)-zX$=E1+DdC>r8Q#d+a5GK`=XhB<QU=A
zDH1=R5vq^v(nrasZ;(^w_n?_p6X+$J%IOJ<Bwov2#x=x$9R<_3jLGLTKrs~(!xHgG
z5U{H^oK9$fBRmrx2`o}W5(rg_NJ+f$w`JfIhcfr>xt)33yAp4vt!^0e-WYSa7P(K>
z6%mQWm`Ry(?-raz)~t=O_!+F$2Ap67bXfWhCvQ&$D6<$b2{aOt1OfWG#UbM!nnrWD
z-%3mh9cn2CFZ?b`&Vk!?J2%z)_c>w#onVAQyy0wMX?E}AOJT+eW|>Z1_s4k}=3(i=
zQP5A{RtH-Y$^`1Thc|a1?vr2<^U(yeZ*inLM!p5{6c*Moba;wKmBk(<1sgGE*HhJ?
zvK=3@UlB|HHg5l$BnbNGag;)nRYlmT7vF0PlOQO+X?QG>oCSelX5#zQn8;&35_VvO
ze|d_7Wb}fK3Yvk9Ml>2d*XFGUs=KQGa7ZI6r>5tM+{dLi$_2+Ea*qCK!f7<>dt>yI
zfJUS9QN*&>XV>T@MSJeR71GgI_Ml_mq)lPuWjv#vkVtQQb{%sR%Fh+WZw_4Iv<G-8
zToRH`EFxDz&nS2-j1!5DoW@uv55QvNL^9rkS4^HqrEkWG=#}0%FeH3Lq-iB){&6Jf
zozXzGXWM#*JS>9NVN+lGN{p9rT11hICM1qauZvx;^t-<2s--mc%9*NAM6#F#Y&88<
zfy)KcrK~k(LMpz@N@s)JZZ}d#EDbk@nFN6vE?~wxn6MxTQMq(kj00C=j9@5qF)AR5
zM2sFCQXM+$T7Ahl8R1Dlgm5*ebJJWQxK&<;KnW!B%Z;I|Yv!qX6G6n%!dEm1l)ETU
ziHL3Zxp+5?u?Ki9_ZmetxCOr{=Qx@?=PXp+$+#R&STv-gmn0S%7c1vLJkEqrDg+ea
z&8%IDnU8V6rlC=sw$%*M`A{MCR7cwJq!mxREY{Y943ZIzz~e|H0>}R(C=@&aG2tXc
ziChy6uO%lZy3|WsJyUL5aHhUy!$U?Uw%5MC`U};+{xl*X^+*s*3qiVXYng#@97q4F
zq5ZBuydxvcg<AlMi#t8TnVtMq*S_keXcj6Ot*!LwS>(rzM$)vk?PJW*BNF``&3W%m
z-av%%it$TDDkVpXwK!@D$DD;I$CwC3JWf3UXxr1x>EY)|1lxE`!dN+`7rkfgXYC8P
z8dGl!9^)KE%pzZtCT3iM`mUm#fO#YUB_BKPj3iJ27{+o6LMnyv)V3EQiDq$8rF|-N
zSX3maiIiTN(gj}~`Gk7-l0`IAC}nrOUn-GV!;;IM)5b~F$ql^sEjZ5XQaV4Rg2oC4
zZ18XNjDHYhQ$(Qcua2X71#}ARucJVo;8Q*Ge*ESf6dz{vOQjdD)xe;yi;oe8OqpyN
zjm)r|yvZotgJ#>+|Mhlv+nr{Kd(Tf(g;khM_ku*Is3#HV>z+xXt!qgZ&VK4!c@VJ8
zY$U6>;_{hzM@A>6k#oP-sQN0(5NEc*u)Q`-5tG`>5cx|xxn_TJ%CtYD^x7*uS#LD2
zV=;C-PNkAt-8V%)<yNss5h)SqDiUk;ndx1v8&&sh!IZoKW0&Yd62pWNT|lpcoOJWq
zKLx_FWmzMbrh1SF2Z@kQM|<caYdSf`0rkiUOVrRPawM@&B=#jI5=Yi5ORbIHvOwA4
z-*f@v<Q3nf3>A{=-y$+0G%&1c6i$5;TeD4UnI`%PA7KyL`J0(Wa~IQkoJIwwczAK5
zY-E_Cg`xI`_u4P15d#|1nbI@GyZZ;ayru22=V?-zAx+-`F|V@$GgiT{>y#x*;tRs$
zLf`z*Qmj6zGFK#$mNm?@HM@$;)QD-V;1Zjqp;?E*5k!9{Gt4VlfZV=m6g-;~%c94=
z&my7x@J7|aIlHDp3R?+>L-eF__>2dJi;5S)_R&*1ya&6f*U~>x`a_OcA~j2EwFJUS
zA_z&MPnxf-p)}?pdy#rf{a8g1CoEF&3XNoH^Bm1Zmw1(OVAab?f4F6L>l2GGEw5ap
z-y%UI6+>zm&-$Zy98IstbVX2e9lDjF%<paLu2jM+Wgit)bLLPAtT87H<4JTZUa?38
zVFf<ZuYVKBwP>{ScRzEM#D$l`${VYSEpq19OC=%e;G6ktuq_bNSubPVYHFvmV!4~Q
z(}4U}zqa4Yg3sl_y9zi?GLTvK3eKikl~PX50Ef&vMtMJf5QUx!Nw_r5c0Jpt%gtAW
zO3OfIW&j3>m=4&red)0<B$3~P_wa)l|L_!kaJ(O$LQ@2YF?8Ea__NVarmt6Wu**)c
z;@be_8zRR&XiW%j1$5A|Z|BCjW%D{~CRYlDl{TkqM}cK)uEM}VAm%)x@b{)phgGO}
z90c#I{99hFXn3byCD-fkxoY|wo7knMPtRG+HG0N-|AR(8yDE6^CQfLE<eG*_2vHIa
zkSoX2#9ex^!YZ&P#K`qvWoqnL7kZ(3*1HdPso80N-&~|26*h}>x#?b7DqD|H`iBVM
zjA<`pK%>lCPiOlS?OJ9A5Cros(K1chI^>~8!92{`hKgZmFYVG}Q1@}F>C?rrhA2#4
zSc9e`uF|YVE+-JsOYAjrJ*_xZc#SPRFgc6nj{8=Hb@dAX3)j<gFJ=FM3daVyj{e+(
zroy#pffzrk)P5TAnWn?3qhB~w^gtvra*wgV*0wEctMvz=@;T$rDHqDbi6lg>iy2Ay
ziAFw+MlY2SnP0Zt<f*b8s6TMkIU1(Z*l$q{oc@weprj~c<nd`N)v(yUHq2BI3w$`~
zpPSk9%$+1r%6O)AJ-f68=aIz7w{E#|vsHQ3gmN}a%%-AuBEi!m0!Rc6raDL>p0V3G
zFdI?ZjVc+=AjT{Sd?3LUnF=L&#>-bQBfLt3dNbOMMBwYd&l*jo>sxQrxwofg|5vs<
zr}gUfyR*J4ujTDvEZhHi*lAbxe;w?0x|{u95AnQXFhNd-QzK`y>;PjTj2DdlQ)N(k
z4Xv4#3iM<EBb3^#IT3vR4DMSqd*v#}Qp8F~zkUTLfF_CKirQ5A_~`Rzpph3OK0>o*
z+nFlU1Q))3eLCBKmfXnGjg$bx*RRb+Lve3U+urvl{d4H&>)C&9FW#p)Z(V$+7!8rg
zH?xC!jv-<YuxNzbY_+iSgm(5>nprd|?8aGDHDnVSjg%I;BHYg=DhR|JwXZFx)XN2l
zQ03As1)x#UHIv9Q(`r;s-J6d8LiztV#vn#6Tp8bHE9esW-*4|$_kSLCH}d~5&*#sr
zCorL5PtS)9X@JUEK2lC9@y6JLC#|nv8>&>}>^fGAtNlYIWOim)v$Wf=<s9W*&}fk~
zJ9$C9FkrW0YQc4XH=B=(>%Q<sxqguc2fO-D8upXnkX}R6$s5DS*MA#S&GHVAd>JkY
zf+_qbA%U6LC2_1f;Wqw2)4DD%6%5rO<tKPVxg>&xrP*)Y^&!Q;H|qjAq)I2+setXl
zRFmcORbQ1=k}6{KcHGAKFrC{sjab(>RSNnY&8IB&^g0nhH1ZbPRj8b<o9D!#!;G-i
zMfI%A+yX06UpZ9ikMDF(dPl1dZ~@PZD5jONTF-DTy<Ho@nA1oOq4~XVz8B3(YX<H*
zEI04(5-S$QSP7Bc@vp{LkF#YOQ%VN|tBtj;(45<|BH_*7>2BvQnG@aof1A+!*u069
zu`pzj4Q5tC*Az|LTWI;ydFL0lit+(cCW)$y(Y(}qt?4Ihs$yddLRXAinmRpL0?E>_
z2%vU%_^bnxo!hA0Q2qt}lQ4-;pj~Y%9t&d@VI+G{*a|*dE+i2dq3;Z)y^^bC7ZxjU
zDso@kjBY-IWd9;zu%JY#t=gf_76;bgf$G3IwL~$&`pVwns+=+3iR{g|uPYECnjkle
zB^QpPSL_{0M&cr!?S(*5f$$LwISYY6NaEE5+cak4dfjF&gx_%#O06mlOFaqAm{2a7
zupLk#cd}xfL?eXnE^+!4zSGm6szx^2nIr2~b{Z7)IAgJ@lWUcu?<Y;&WZL2vWl0rP
zEK;t<1-@u+B1JSsuufUhA&ew!2N;!`*n#$pR&(G(vq<Kn@5P5^6Sn`&Xavot&1wtF
zmGdto@&nYnDnRc{1B@mxA$&DfR`ncR&vY)GWBTRYyEh--ynX%u{i|VTo(*?d+Upu_
zzBR6>DT+<>Z`sDH*Gn5ncjVP6E7hZK?VfI)dwv$ie|8RzvjFq+4(p!_ToV6vcK7zm
z@n5%d*xsD~eUQg-oW>=M{2tgHId55jjpC_bJ|Lb;^a)z}NzanHm(Ps*(`lr$+In|y
zHorb|^u|#v)F|(C(%OH4aSt-b?+ZjU@-dRIr}Ps~0<=qNB&K>+S@hsNG@I~eb*uAx
zXvV4|LSiJdH6&APf_z|#j8Hb8LQ~mK_3sst-dO!%){@j;v3{j1t_C$?{>qSQoAm^B
z?V5w7cRe6aPz8%dLv|~8tH3e@G=r*78Qn1{Z-hfjNFtLOR5C!{TE-spv$FnAS9kAT
z|F?G!I#vCD(CKXS|3f_YqW`m<01u${o6T7*VYP2rA!yaKQ3jP~W%)0j#a>edERp~2
z-d<(>uiM=_INZqpLp=BE{}q_#FX{rC{Z8sHU+<Jy#|Nx})!Qr9_nB_&Diyb^+|C)T
zZyzW1KHvf(uI2{X71x#gUpu0<%938*H8_t&a=9OT;{mk3{XGob?ZXqsxKE>^KB$MJ
z=Tql{%6KG&X~nF>E0%vAJZ||L#11Rle|v)aCTXFT&Ho%8RPBFf|8QgfALO}T`)`@%
zer&(lSDT$|1N9-@>^DG2B9Dbi+U@>Ab3WAWC$ziSL6}pix;0%Wby#RLvd6Y+qK&O;
zykVQkK9*vR8MShA58`3wu5RVG+#1f@`J6kOLi(%vMRTag{9D+wmGysN8{A#Tf9<{f
z+4ygFqyHb`xnKQXV480k|J{{9ZrLmb5F-z%KC-0qeA(m8#$cEe;XtK5N6Nu&q>T`L
zVJ(g+`kZmF$LycN#q5lKt4Kdn(NR>sP*80`2eWXWZf-54hUg<^sk_R1TV1>Bm9m!4
zJkhe&%OR2PcpMd(DG7u-mSLc+V#qjxkCM<p)LF%p?p3=8nPG&gWxVIO?DnetUZTRB
zzm}WrJP^8{P&vhNnZ5lR1VMk}XI1+@FlUQyv<+a{`p?14{O@je_h4iHAL6OC|Mno+
zT`U7-I{+*L-IWI*5`EgsIsv8!{nB~W!s*n)wx`0rxAO5;y_wJ?0XEh2>6O`Cf$5=^
zhLVc6I8+GCI#4U^hDcTU0^;7g>Rng<Z?X)$RQ|iw{Xe^%y^Z`o$aCNFua|*Gs6E(6
zq5?GgK9ulRm%<-|%om?^<^Lwjz{~CbK}G)e+Pj<l{}1xqxBM4ZfFFtce@hpjW<mVh
zYJ_#=|0c^oOXYvJD*wBk-Oc>pgFN>w|LF?QM)s?VVUNQTSXcgUvJ7w&``_Kj|ARdD
zE&s(C?2QhnTM&87_CKf8ZEgcwEdRR)?RNG4zr(}L{NKYoTX2%6G_lfS6~bwrjJv1^
zNF0mBGG9ulzKR^(l|qQoE9B4>^Q69*W7mLJAa(Akn$qQja;Cf}rI%B+)5FwNoXl5y
zgcz~|)25<MfB2%5{aN1(Ha9c<GSbW*n$OWWus57p>9!aY1`%dbQ7=R1W@Gg%Rk2wE
z!#cWWnHH<XtLN71sw{w(jm1*%h3t=cjZ$j3mC-6TRf}5%vy_#gl0h>ESw6+iL=OTQ
zCD$dC=CO3K#d*|SnS^B<`s!xZwl;freJe8s%S6<D&N7e8R!=jX7Dlv^>2wu3%urz_
zpYyUYC{(!h5X|S|xoL{amA{k1dr`cTBTp_+x~iiI+xB%qb>%Nf95<mkt1g<b13MLn
zUICZh5d>7oatV{a;AVZQfpMf0Zywuh1;sDhA@Y$<MsvlfL~v)xv9oaG7v#O3gUpw7
zj8|i>MSN7v#95Hb+UtF8#NCS!DCb+w>s0bE-v+!_(@Zg+r`g(>eabR0fBsy^UGcr>
zeXn>m)eX&N)*D^i&7jyzpQbyN0{JaYc`Mr~fJq_YPM!p22e!*?NHWr+-`AI5?CcbI
z*5du9aF<j;1)BQ#MN{RPgpVrOjaSTwQmo=Y?Oix_L;``;3R~d7XA%TY^LkH}arp{c
z_7(+`*U0XG3QgYLO1s68PVsP@^nQw?@3v3+=O52roxXW}{_5RMT_0CSYEpr)+;gc(
zz*1z_PPf|RoW3j)oyt`hb!51FCKUAS3JdD%Y=>(Ar$e1_YP*g|#oJVNU^`;9CbM|y
z%uXGWIuA-VV8!c1>X2N6Kt;&Q0k2P(I(?eoA65rZaf<LS9bc7k0ya7-+>3V8ZkE!v
z*Fm)f?48T&bX3)z9MyYLX<qocrsi7T@}+CD;8w;Bqe(R#yV2-HajyuiO=FWp^t#t-
zWeM;-L0dLIcFWiToz$kKcT_U(axR!xuTRfDzB+z+RtHDt-LHHAllsq2`qX|i$@!J`
z(|-1=;!R;i_{V?rKOUc)ob~%3e?9xx$Me(GaWK0of5qt>Jo20BP05-fI=B8MPCrt=
z=4-m6wRG#>Ec*SklecH@3cYyvE)dT{AwFK>^yb|-JLxWDxcVM=>HTJ_bV9}1^SV&D
ze`}2nEYc_TwxSu?%)9*d?C0~>uj-}i=4x~%DOFwZ1va;sPwUQ&Ek={N;%=QYz9PW%
za*lOy&==+1F&?G+Tx!SMXh+AVyfWsYs#Lj8WS%;0tk%gQHf22Lxc=2%*7h-Gd|v0q
zNCG+jROwmf&c9(?_Ta~7?Prw|F=vu_Ea<_zlQ*mSl|`3no`l)k*cKx+;~p(TsOnSH
zTz8y4N|1g=S=C9g8RvR>#Tu)+Zz__bBsj%@Otbq)I_**!Nke3b%&#jceU0_i-t+1X
z2@MjC@5UU(m<4_h_6y%tR89W|{amcj)9Wls98kFprr6R=#cUB4^X~E}w=j3!;dZE{
zvQ^nsbdN!Qdf|y%-19aw6R<*Q74t6*^Q%*qGvWRUfL5OzP+@`Io^37&J^F6@`1JJc
zS--!tIC`iBJ}-_?wTDP#!qFKKiQ?#;ohz#knifRz<@;J|=L>YaZVuQug<BYBn5r(k
zLgFKL^kg4p(ee)K@@KZVwF$n?scbIE(rFKT<d8NALK1229H}rcP?1%8nq3Z5xSSBa
zd@+}hxHI!L6{4+!>+M_8Q%a|anZvFPTFX>*bOpz^HP$8aLU60Or>lVB7~$0^5<j33
zuFxr6-tldPbvsppcAuS+eELS)rd0+?7k7*;TfawhK`rRdoQaF{RwZ*a^_*FZ(iPP!
zPBB<zS0De}Y+B*bheEZZw+V{wBPd$1{Fr-k3&-UfI()VG%w1)Ihw=E*qf-yz?qx?D
zm-~8^qW9$JRiHeemzP0a<l?R3J>?DE)^$o-x(~l;8J4$f<~}^88^K!BvzQ0t9(<*h
zK;2t+?$%4X0i1PQq>Xb^XS6b+Z#<jF<Jn|`@)+Ej44H4?(^x@bd={_b$%-N49@<1Q
z+wKX8$$$n_QWWm-n{&IjM7X~YF*gNBYtk8@B%S8YEm~;q%yY;J*gk|$RwT}Hw`{ib
zJ$YucfbPXPt9n?K*|Uu$sFU;J*ldi!<1q%sad`~(poq`6G6@SJUwdlsA(U)-ws*OL
zEtk9}<yr>vfKhJ>cu~+h);EWx`vYl|2y~Eh#*gyr_|3D?&UI3k(s-kpACG2E$K)|+
z<rJ51Iq{fouuvi}z=zPlr7ayR=;6BZ_oR*MK;2v?Yi_PlVgF^a>j`>y;#nSn#~`F-
zj2>Q8E9Nd^bd#mEcowDdrB`U6ywiDp8~M<eH%QiEReE9bZqA-vspTOIV>vygya%7l
zPU7PIcDFf2_N@;gZ=P@VEI$7)sPzPIbNqj4{*V2`!|M6}{r&Fd{QpBd#gqM?KZ8zF
z!Kc+c`mIT)S@X_JFv7OLaDx1Vg)!j>&3_(s+|Dz%?X;Uvo_hQ>8K4E{W+&vneoZrw
z^v_St<>$4z1zhDXkSnG8!n;lxU?zp%+V#Y2yM4_3^JvIkN7@tUK^ogx!&5vjl?Z$t
z_*oZ>rX32M+9P$mp3?vuk4y6|lz+RA`F7I3!u>D1GxFc<ZtnkmkZ0AM?)rLj$0=n3
znRFVZtULFY5@cQ)id1~dX*K32ttcEKsNbs}SGVR%!bd1eJND%?#w^v(`5R4^*>#=S
zyaz8?q{6th7I#8ZhejjUV;q@Qe%ZoIaWLkUEDw>z;o(QB#$BIJp`eua<MYDg8ue9Y
zvapo2Zav$qm5n8%On<fwO`fy~XA$MnqhA?M*03Ao2O7$}N+XGULV_N2_C=%6y>;x%
zLjA83*Iv=cXIHl|0*m#3XK#PEdjD^`bGXU>`XEn5CUtIPqxt_Z<DR=`rvyV5^>N*F
zP(?2KHVL8Dlk+IgQm_p23i+1G>7&vPRTY}1dnMD<j1Id+>ZYiedEqAXT$Hp)Bfo08
zrb^*;Qrwg#K+<+@mZWLzBuw@27bFu}AKdDho^oMYgxo`Bd0LiJeOZ1dGnzA*oxWsK
zrA;vv5<{a*JWeI`NKn|=IXC}Ol}~L!JPv|)Gg*TiV6pnjcn{95sgPwFS5u(W)BP?p
zJJr1UODDrg6W_p0R-F4xh2ua}%{;SKikaClHgm4Wde-0t4QXxG4!byP<`$el6<aq)
z$t>iD%oUOXtXT!Wb@q-q3qapKKgXkAL$^NKov)iOU-MFyC|I`Wb<+DVA^bx?2On(t
z+OnL*WTdrZ51Ox7gw0xzMw=~#SYBwGIW2rWb$lu=otVZrznu>s+z+b6hf1wUXGz;u
z(ARF=)?3>CkOpY&-`X$=bxUv_FrUKTBvC=Vpgz<(Z8~_`K{C3>;l_582iZNQ0Gqk*
zw<*{ab}-DZbx->k<^#N!9cHP@Oou`r9Z~Fk^xgL9+w<Sg-hO<0_VdU7>yuwUzBzvP
z%c^_S>bkL}rCzxIY(*no*M<59XU)O~dn5OU%G%C{zxdX+x}o_d=K7Ylv&6E?8Yvd8
z(}`6<t?0&;i1^T|bhH2K-u8bjR4@0$**E6JZ?W;}ufDaZK2#VpVMeFybgdFMm{qq^
z%JqEKbOvB8ORNWPo<UlK$7^m<)6C$rKzrT{tB<zD=~`r28~`oCWW{L6Akb_sfLtFQ
ztqHq6R$2l2{NQO#4CX~r1uP!Z&W_cdrR#sU-Tbk9{crzZzgyY=aj@Us?EiR>XA532
zAFDUN++w9~v%&`p7QQx1e5Hz;B|h`4eVNN<fp0FC{^b|=>Vd9&&j-NG#bL9$xLIA?
ztS)X=7ys6$a#vdAtn#s~q&`;Bs9o{=iTXNb*XjLlzVz9eH+k!$veZi|`#33l-K+@y
zcdZD{gMYI$-UYYfc4%!DDmM$2ceqe_mur+IUb9ISM5{6zoB?aXw&XPIC&MAVhGwfd
z*CNbZn)T?tfQMep{OfoJx3bEsFR8Zvn-)~pWw5m}3Ea71+ARBS(tg~f`2VHWoofky
z7YRS^NKF5J>*8xfns>fNzM4aH3rFalSJP|p&lb|}5b+s=Yvb=ls8)jUSqS&D{<m=b
zH)g(11yA%XgoDH%p)8z&U3q1A+4=wW;X&p6=U#hvlmFvEo>ZSMK87A^Yu}o5T5p(t
znz6)BnkDoiO>v<(E8QrrsnnLx8AOWPCd>kK4V3#kvi`t}&oftS-@y{J9Yvi`pf0Ca
z98iy(C=Ug`fWF1q+S!m?{}z!6p#d2L*n>`^x)2u9=s5r0eProNHqR}eh5FyF_Y$+-
zTjAc-HwG=!|GVv~{@>m2b~gI|A)e36a&n}L{pMypod;%74j5a!MqAh4-Zghi!2{~?
z#i3>eLsH$0GP4n7PH0mAm4ynH`uLx62cdbH2+2bF3GEJuEt@Zf4&m(AKAa!F1kM5!
z`dS=|Ay_#Tuzmivf4l=!KqAn0p^vE7RYb4V@|h>J=T1WMiACCh$4k-D5-(ecKt4*S
zk1a|<N5gQ2j5`*FlfrPvG7L0yA0?rIa21vnT5JK}WeO>c7F3%K;ZYCN|Nc)*xYQTQ
z|FcI)*z5ft3*nzVRj`$gq54s#UizoAu|v0b*46(v*%G=m|KCAX|988G8~^`7p1K`W
z_o(?7ZzKD*I=>FLJJj}%Q(rBXf0OXh3y8SC{7>!n!QpN-|5JDGa3lW@@yt$#+CkTQ
zG|gnQ<2b3P7rvF0!Axq<Icgx6^<4ZG%Gm6bzT`Aq!L2fF7c<FOy>WvU3pZiTW+MIk
z8CXaqZ2Q!c&@?l@Khemi(dZ@fu?fvT2$jzne@?lOCoB?4h`b43AVjVRzXMH0mnJj|
zJ#RuYRbCmYYvy)a<yk2I$|Dr5F$STd{=8`(;3eljcK7!7D)Qgy>~HeFJ;<{xr{{dD
zUgjFjAa(Y!so2LA<JOq5%VrO3xylE}#{eZdW@50}g8>d1M@N6t4hUt@Q~gUMo`>k8
zZ+;F54bU&>D4Uq`tqK^5J>vu7xg?Qe#_1>B-a>8lxVp!az^o=YKw_$s3X2}Rhh`K0
z)Zk{80Uf{zM%n&$vq?Gs6*E8oVJ8R`5_#a8e=dgs`FoE=LplmcTxeENTS$zgT>+c>
z#R~`x&F2a7f$2>^g)}`{qn{SNc|Fy?T6%ZP?a-VdoBGiT*r?J8Jte+oA2QGPmZYr5
z5wFp!AZeWX$AM>#l@XJ*v090@%+ag$+tvh(#~30fL4G`<(t1p!H@+$BE|aVr%+-7_
zB#y-bP*%nT7Qp!WoL}~86*(+BdW*VNh#j!n{vz(X4FpX)L30JLf>hp3j}~$6oclEw
zfU=Tg>xnt<t39uLWs%Gbz>1`QOo+}Ouv=m|2i_w6@Tds0h}G)+n*~^U##hqQyeq4K
zHDQQk@Ne`a@jMiQ<AmbXIy^boZM*Ak-4f8iM11qRR_meKIPt&7QMIFOebw4fLIGWb
zdTAc;G8v#_j)pcAneExDSyz7vIqXm`pzi$Z4NkN*eo5j+O8JmPbf|)39T4~6i$=RY
zX55~f#erdj;)F@cHqSW=pVI()Ff+eq>R9ogsbreYF8?*VX3wJ`OAEc4b5)9NHHl-!
zCHj5(3Ez@vR5*9@l14q~{G4xEd`Yf*&^dTVtCgRNchk5~^Li*s_f+Av+$+4u>gg?&
zul070ys}TZm_}Zq{5ux2fQ_cV;#7%GQ`+Bdb<5c&7Gd*GTdTNtC2u`*3cVuH)MIaD
zsk|Ko%)6|-Q;u`xRjQm%i6nik4=M%XiC6qqz78}@0!fuiS*etVU1!%Zi3|glN+_RZ
z-Zx`5^hwcb!zl%`*E2kqa&OHHALzX+i)Q(tCQHG*3w!i&u=(?7c}EJ9XFaH!JA3q6
zaIPwO!~92&e7dcvdKA34g;jy>+VQsA;zu4=OmX>4I6@MANLZC}Xf))cr7B(0NI2NV
z-lW^^cH0NtJ*Ptsc89+I<FM<5MC6yrdn^ozBG`Lqwgxn6iE;BOG#xKB#?{^Cj^$!o
zJ%$!auVvz>*>wzPT`_*CP0Z}aLOUY{G!l{o0SG!0DdT4pXt}QYKW62;P)mLGWMHE>
z5GWn%D5MSpIC?=H`BAzoU&sKFZWDJL54og6>Jf>KHCb|cq;G`fNz@W%zjCXbJ)#^_
zwmjl`d>M9j19#Rh1>0bHWdB{#07oAqNl73;5O5sHE-^a#ZrdXg*27oV+*u#rL?AyB
zWPZg&;B3W8ano4DSPYKClgOd|(GS=~Cr9}Q)jJgOXhfsS5d+7uFPxZomt=&_#7MpB
zeZqrm<3*}GM~saEBr!FXEN|K2X1%kO{wpLI1n6|!?!GIp<&NT-OBy>IM|geo!-x0j
z9?1!Q`18w$_kHA)1RwrXC=QvIh_vL{wZ7LaaIJP%1!BTU5MXfB-A_B9B<kn~Cq-1f
zGaBirC`@JF=Z8ko1eH%tWVyI>MQ6ft(JG#n$lGqzry;3VkEJd4b3u8j@0P2IMLL(G
zkc7+h$jmF8Ab&)wwRiv2tpB*mn$S_iINlA6rTag+mHi)`{dRY=|KmZPEqFtu(hdS7
z12gJyHO2@A2@RAR23D^Lx3LB9##DeXUcCS@#vp)Ezy@a5GmS=1fnz|FO48>V3hzne
zH?|-`lL7&@V~#_5jlNl_{eN~`cpU{(V3Dq=P*N^D1T;do;hy$CD&>WZEjVFe$Rhat
zq^~20hC8CNrT=fxZ@7a`yruu2z8H^M>VN4^F^O7vLj&SnCNb#revK!txQZK3+yS|4
zJaJ_hH=g|ejV<_{aLN(^=ci|);l`Y)Ah+RCA4$uU<LuuJcOpFIW9u)ZF>2)h<d@@D
zKcBsL{j(eTcLHO{`tRZ4UN!&U-hOAZ|Mx+jE%*h45WF$rveDSuf=Soy9J-yx6Zk0!
zV=z1c)~8WA;$qTqI|pv(qENiOw0QfX@dS>2KUE%j>*)XXU%vvIQ3$r*Z*}$#4*%Rv
z9i|bL<77~El9V6bs^Qu=34)etVCN~k{~yUXN1q0@t)(A#jGOrcE~<HrE?^jt5sZm|
z0b&Hi_t96q5hy{9Q6UYcs0+W7fchqdfB?b~E|iaXp%flm{9CZ-!i9HZ%#MHRl0bzm
z=a!I=Oh_L&zfc8yj5#Xr-%ks@V9`iLK1qm?6j0Wo7tV!-A2A46G(w&d8-1;QAxwmX
z0nSu&E?judIN&u2;{czkS2gLSE_5)2#0NHni`o)y<B9HTdSVpDWP*l<W`5l_w21I3
zWfD!Z)Qhv(R`Xeci^;CLr?@BoZUCB(dv2%vF`b@~=KF!$Rh(+Rr>9r-xo-8f>;71-
z%~8-#re?=I%)iy<DlskSQkf_mEER=)BMK*Dz3D3DiHu&7!P&2U=hTS9;r=bf;c#Dz
z!wHKb#{c(Zx3;<L>sq374+FisXrS9m2D-oqH3R)@!9X9ZG|&fbH&=Q4Rzr@4^tuOc
zxZZ1_<TYSZC7Mb?R7jx|TYhlcPjq&=NGXmWomnvM&|s>RjQV;}oXjzkJQszzAh&>n
z;<Y|X5EuzM2y%8xK?2ABBzhB<7Eh7t;A(j@WFTx_Qd>-?-jwt>&44LbVV+VijB8Dz
z^o%z~KM552ECPWlxRhwNUH~0J%!CGL8_s5y(sR92P&Go7$g}S4x!onAv{y7jdwN7v
z>lekt8~)`f4wBIeHoB;Vu}oaG?n#U9=EX@Iw`>*3vRb;zu95Jw>zD~l!&I$*i$StB
zfXbB2o(nAUkyZok_AS-G?tvC<FA6;}Vbj{y(vMoSISz?F(g-iv1T~&1uN3esCc>nV
zE;Y`)iPR$M9&~SO*Sm+yd+>rriA=8dy1EO7(d#Y;&iKIK*7@<4xOIM9Q*mnH%8-x@
z^p((H?p=j~W=qwpMfBNi5q-9nHQ31*zneRR3mCs!l*jH$veGrOqM0mZu$-%OakDE~
z&)NzGRDwq$<;1WFa!!4Wl!Eb5P>#M*qlrK+?nrLh?KR~_jcobibTa{!*bXVQcAwo6
zt=(tsH5rchzD|XAk||!vw7BNN{Da7nPa7-`Zz&eLhej;UBf-Lmk`v}5uWhnaA|qo#
z&nP>RSs}?%t8;eJ)m#A22_I#6AKaF@2kTKcW%y2RfD(bP1OKFdZkA{-%EF!q1Qz&k
zQ7FLls<~Tetlelld2${q_nkx%UNK2M>^*s6reIPbGKO2|v7BvBDP_iet7GUjyeBY7
zM#k+I%AfE`_DQ#5S4Rs--;|zIhy;bA=>Cpt@J`|pCqBXz4Fa7!QTYpaO^v5y*BVsN
z<q<_Dg%A;fc~p6nCc~=gRI#g601d-L&y~B4#&25u4II^`X7mEZ#F!<4uUN<~lo=zO
zqEJJ`Z5tN#;38d8ur)nFtzN4vW?rQI)%}c^1Tq||wn#M1VOi2Yg+U@s$-LKRKlS0H
ze{L7~RWAkzNq$scy&03p4-kflOnC0<nNZJmbAXCC=qvgKQy8)!U{^*@k|-Sw6Z{#y
zDaS->ScP+eKC@(bnle35MH~~467BEj+&(J_x_#Z(w5Ku0iJn_4z;GKY*p807TQ{i?
zAW<BzlO|{zl0=Hw>eEFf>aa0-G1j=S%CB=<<=4?lBxG##sorjwPg>pCU@#Ruv-)tM
zebDDLz!axj`cS)vhijVuCvdFz1xOHpvKum|qEg8hijA`D+}g6;mTb=q*+%j@sclJp
zDCpewN`6VF7`e5zUvi%EY&B1n?qOk<Z|X<R7E%;YK~Uof{3dBYKOuySqbZwtGwBKK
zQvDQ}A6N2`+QvtEjzr0M58f){hmnUm(lM)B;sS`rnGkk|Nq~j0GZ9*|*_>&Xn>yWF
z4ppbChw9%r7+@r78?)c?0eiN}c>QSl`<sbLOR;>pXxBvUS=;R*mF(6d@bpRg?9v7`
zE;=bNi<IfngJ`xv>$yEen(l1{t!o8sLK1JxE^8aJ-*VC%u0on;h5njZ*R-1~HmRfm
zy)LAw=gZEgtH?vIZJ$m1*&GK5=3S!Hi#BP&G2y<)eDu?-W%jE@;K1#yfbyXk%|1$N
zuhMx#8YKc9<ecd`7kZ=AMWJ!!0cq*`Pr{_0T4hP<q~NvW#F1pA7~f8Zmb{(VPRWQE
zJxT%{k`hll7b5Y-Km=Sgd(8_Nau&jXBe~Sx!Wgs7eekd2moI<}wcD1u#vCIbIgLgI
zGW^)c*|jn?Ri?&)+g2e`Rv7KNd}e*h#qG@JY;ik#RVDSD(glN8ZNF2hQ9Jon6}kOV
z4;D)2et}yL+-ED;bUnvrOQoT2`aRXTm1Ln$q0+yBj%w_A5aa5e{aSLSj(y)@QI6T+
zN|<#DeK}aEMzQz%E7aIm4oy~LPt|yfp$d)hI%Yyy6}=P5rYV#xAL9bcnN%5BGrKDR
zE_SY4Vds?F3R7dsEU5@3lhwu?Ls@jp3IW||Ho=v)v9AN38AL17aYc^WGf>}R91sr+
zYb8n{z=h)&9bvVNQ5Az}{z1RV8(Rf@aWZh%fL~H$w?Nrl10&PeX8uCQJvn7A9LIVN
z&QQo{jCLt%LW!LUNt^4gh(L~Vw~T;5sl$*;qF6mviq8sOQ0hFb1hO;@WI&!6BV3%B
zE#HK7kuI*)&w{2C)0xt38}ax}pq*?aah%~nMCO(1zJVko%b%6|w<If`fy&yhm6@4d
z=7en<nORb!QxNaAp`_mNVDoGIK_j1Ci5wxF8A#71rJtxUyLdD4oUJ1nkbsUN7+`9D
zludg<qvRS`ggFB3f_^EAsa_B6=HCi}Wf|}ZyvkM>v+a>q0Tl<3aiCJb$=g$*n`3-L
zBIPF&->24HNqPGHZ+2!tHOLbkx`{uxb-JR~+q2`-muGJ1Z)I`4qwIFN)z0Z$JCZrw
zYljUTIYvhxS=WqV{VO$Idn=8Rwr=OPSHElJQQDCIwEEH<(y6}Iz0OCl@-ZJs%>g`#
zW*mpq{4Hrh6M1N$5p5ti5`UVG3;KVdy(pV!^K71neg1C%00960=jZMi089Y@h{w5S

literal 0
HcmV?d00001

diff --git a/charts/ebs-csi-driver/values.yaml b/charts/ebs-csi-driver/values.yaml
new file mode 100644
index 0000000..ed97d53
--- /dev/null
+++ b/charts/ebs-csi-driver/values.yaml
@@ -0,0 +1 @@
+---
diff --git a/locals.tf b/locals.tf
new file mode 100644
index 0000000..f1a877f
--- /dev/null
+++ b/locals.tf
@@ -0,0 +1,14 @@
+locals {
+  helm_values = [{
+    "aws-ebs-csi-driver" = {
+      nameOverride = var.name
+      controller = {
+        serviceAccount = {
+          annotations = {
+            "eks.amazonaws.com/role-arn" = var.iam_role_arn != null ? var.iam_role_arn : module.iam_assumable_role_ebs.iam_role_arn
+          }
+        }
+      }
+    }
+  }]
+}
diff --git a/main.tf b/main.tf
new file mode 100644
index 0000000..04bd751
--- /dev/null
+++ b/main.tf
@@ -0,0 +1,109 @@
+resource "null_resource" "dependencies" {
+  triggers = var.dependency_ids
+}
+
+resource "argocd_project" "this" {
+  metadata {
+    name      = "ebs-csi-driver"
+    namespace = var.argocd_namespace
+    annotations = {
+      "devops-stack.io/argocd_namespace" = var.argocd_namespace
+    }
+  }
+
+  spec {
+    description  = "ebs-csi-driver application project"
+    source_repos = ["https://github.com/camptocamp/devops-stack-module-ebs-csi-driver.git"]
+
+    destination {
+      name      = "in-cluster"
+      namespace = "kube-system"
+    }
+
+    orphaned_resources {
+      warn = true
+    }
+
+    cluster_resource_whitelist {
+      group = "*"
+      kind  = "*"
+    }
+  }
+}
+
+data "utils_deep_merge_yaml" "values" {
+  input = [for i in concat(local.helm_values, var.helm_values) : yamlencode(i)]
+}
+
+module "iam_assumable_role_ebs" {
+  source                     = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc"
+  version                    = "~> 5.0"
+  create_role                = var.create_role
+  number_of_role_policy_arns = 1
+  role_name_prefix           = format("ebs-csi-driver-%s-", var.cluster_name)
+  provider_url               = replace(var.cluster_oidc_issuer_url, "https://", "")
+  role_policy_arns           = ["arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy"] # Use the default IAM policy provided by AWS
+
+  # List of ServiceAccounts that have permission to attach to this IAM role
+  oidc_fully_qualified_subjects = [
+    "system:serviceaccount:kube-system:ebs-csi-controller-sa",
+  ]
+}
+
+resource "argocd_application" "this" {
+  metadata {
+    name      = "ebs-csi-driver"
+    namespace = var.argocd_namespace
+  }
+
+  timeouts {
+    create = "15m"
+    delete = "15m"
+  }
+
+  wait = var.app_autosync == { "allow_empty" = tobool(null), "prune" = tobool(null), "self_heal" = tobool(null) } ? false : true
+
+  spec {
+    project = argocd_project.this.metadata.0.name
+
+    source {
+      repo_url        = "https://github.com/camptocamp/devops-stack-module-ebs-csi-driver.git"
+      path            = "charts/ebs-csi-driver"
+      target_revision = var.target_revision
+      helm {
+        values = data.utils_deep_merge_yaml.values.output
+      }
+    }
+
+    destination {
+      name      = "in-cluster"
+      namespace = "kube-system"
+    }
+
+    sync_policy {
+      automated = var.app_autosync
+
+      retry {
+        backoff = {
+          duration     = ""
+          max_duration = ""
+        }
+        limit = "0"
+      }
+
+      sync_options = [
+        "CreateNamespace=true"
+      ]
+    }
+  }
+
+  depends_on = [
+    resource.null_resource.dependencies,
+  ]
+}
+
+resource "null_resource" "this" {
+  depends_on = [
+    resource.argocd_application.this,
+  ]
+}
diff --git a/output.tf b/output.tf
new file mode 100644
index 0000000..c9048fe
--- /dev/null
+++ b/output.tf
@@ -0,0 +1,4 @@
+output "id" {
+  description = "ID to pass other modules in order to refer to this module as a dependency."
+  value       = resource.null_resource.this.id
+}
diff --git a/terraform.tf b/terraform.tf
new file mode 100644
index 0000000..73dcaea
--- /dev/null
+++ b/terraform.tf
@@ -0,0 +1,12 @@
+terraform {
+  required_providers {
+    argocd = {
+      source  = "oboukili/argocd"
+      version = ">= 4"
+    }
+    utils = {
+      source  = "cloudposse/utils"
+      version = ">= 1"
+    }
+  }
+}
diff --git a/variables.tf b/variables.tf
new file mode 100644
index 0000000..2580dd2
--- /dev/null
+++ b/variables.tf
@@ -0,0 +1,74 @@
+#######################
+## Standard variables
+#######################
+
+variable "cluster_name" {
+  description = "Name given to the cluster. Value used for naming some the resources created by the module."
+  type        = string
+  default     = "cluster"
+}
+
+variable "argocd_namespace" {
+  description = "Namespace used by Argo CD where the Application and AppProject resources should be created."
+  type        = string
+}
+
+variable "target_revision" {
+  description = "Override of target revision of the application chart."
+  type        = string
+  default     = "v1.0.0-alpha.1" # x-release-please-version
+}
+
+variable "helm_values" {
+  description = "Helm chart value overrides. They should be passed as a list of HCL structures."
+  type        = any
+  default     = []
+}
+
+variable "app_autosync" {
+  description = "Automated sync options for the Argo CD Application resource."
+  type = object({
+    allow_empty = optional(bool)
+    prune       = optional(bool)
+    self_heal   = optional(bool)
+  })
+  default = {
+    allow_empty = false
+    prune       = true
+    self_heal   = true
+  }
+}
+
+variable "dependency_ids" {
+  description = "IDs of the other modules on which this module depends on."
+  type        = map(string)
+  default     = {}
+}
+
+#######################
+## Module variables
+#######################
+
+variable "name" {
+  description = "Name used to override the chart name on deployment."
+  type        = string
+  default     = "ebs-csi-driver"
+}
+
+variable "create_role" {
+  description = "Boolean to indicate that the OIDC assumable IAM role should be created. **If passing `iam_role_arn` this should be false, otherwise if you want to create the OIDC assumable IAM role provided by this module, you will need to specify the variable `cluster_oidc_issuer_url`.**"
+  type        = bool
+}
+
+variable "iam_role_arn" {
+  description = "ARN of an OIDC assumable IAM role that has access to the EBS volumes. When specified, this is added as an annotation to the EBS CSI driver controller ServiceAccount, to allow the driver to manage EBS access points for dynamic volumes provisioning."
+  type        = string
+  default     = null
+}
+
+variable "cluster_oidc_issuer_url" {
+  description = "Cluster OIDC issuer URL used to create the OIDC assumable IAM role. This variable is required to create a IAM role if you set `create_role` as true."
+  type        = string
+  default     = "" # Use empty string instead of null because of the replace() that uses this variable.
+}
+