terrafying-components 1.4.3 → 1.4.4

data/lib/terrafying/components/support/register-vpn

@@ -0,0 +1,46 @@
+#!/bin/bash
+
+set -euo pipefail
+
+app_id="${1}"
+tenant_id="${2}"
+new_fqdn="${3}"
+
+set +u
+if [[ ! -z $AZURE_USER ]] && [[ ! -z $AZURE_PASSWORD ]]
+then
+    set -u
+    az login --service-principal \
+       --allow-no-subscriptions \
+       -t "${tenant_id}" \
+       -u "${AZURE_USER}" \
+       -p "${AZURE_PASSWORD}" >/dev/null
+
+    function finish {
+        exit_code=$?
+        az logout
+        exit $exit_code
+    }
+    trap finish EXIT
+else
+    set -u
+fi
+
+app="$(az ad app show --id ${app_id})"
+
+if [[ $? == 0 ]]
+then
+  reply_urls="$(echo ${app} | jq -r '.replyUrls | join(" ")')"
+
+  if echo "${reply_urls}" | grep "${new_fqdn}" &>/dev/null
+  then
+    echo "Already contains a reply url for '${new_fqdn}'"
+  else
+    new_reply_urls="${reply_urls} https://${new_fqdn}/oauth2/callback"
+
+    az ad app update --id ${app_id} --reply-urls ${new_reply_urls}
+  fi
+else
+  echo "App wasn't found"
+  exit 1
+fi

data/lib/terrafying/components/templates/ignition.yaml

@@ -0,0 +1,115 @@
+---
+ignition:
+  version: "2.1.0"
+
+
+passwd:
+  users:
+    - name: "admin"
+      passwordHash: "x"
+      sshAuthorizedKeys:
+        - "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDlIRM5H4lz/t8PfiGptR8cWqVrD8NCwROZly1XuYooWiIdTinJAvkATdR54ic6YuNenoKOeqtTj0dkytbzi5xItBti6cqzHvFAOXhKzVCsR5n/Mdt2KPbp215pFS96yfsx/24Z4cGygXe24SEXv28KdWZ1nWQyUrlne9jMaB7n3cGzNaXOPy42l03/bAaflWoyD7gyyS9XHDuZkLxVrhtlO43UtIXL4IZzKTCy1cZdaabZxRsrSzHUp+/5p3fHYgcYmwyO0Y+W3TP6LRC2ebeQe0r4Rh1o83sRvcbmuG14Wk7wDVFtu0vjtwOflCsRHGRibep/rXvtqf1/bG3brQ9tAV3oIeZ4r4yPUZenwIfM2pQH3ElD3kqw+Pdh1la1QXb4FDxeEw29nLU1eQF6ggnp3gzJJDRQWRB/I2RjKje5M1NcKjn+8ZBG1PHBikaOkjMRkXzOb8JQxKcWmeuRHo/ZTh7oUDDMObAVej9K91eCP3Dtz5QqmL1+J4+7YCjoBOBPpX3J+mrkxHRHcJYEIyJF6/mNDtov09Vji7Rdd0j1A5CJ2fvcuuUGK0LUHMSEyzLKg830E8b/kIZrufWEsljqlcHrYCJAO/LYl77PFe6B/vNfZtyw4fI6juGDlZNYWYXLJ2c+poCS8+2o1KjCli1lV2BOAjDUKEJxQ9NAw6MxPQ== tom.booth@uswitch.com"
+      groups: ["sudo", "docker"]
+
+systemd:
+  units:
+    <% if disable_update_engine %>
+    - name: update-engine.service
+      mask: true
+    - name: locksmithd.service
+      mask: true
+    <% end %>
+    <% volumes.each { |volume| %>
+    - name: "<%= volume[:mount].tr('/','-')[1..-1] %>.mount"
+      enabled: true
+      contents: |
+        [Install]
+        WantedBy=local-fs.target
+
+        [Unit]
+        Before=docker.service
+
+        [Mount]
+        What=<%= volume[:device] %>
+        Where=<%= volume[:mount] %>
+        Type=ext4
+    <% } %>
+
+    <% units.each { |unit| %>
+    - name: "<%= unit[:name] %>"
+      enabled: true<% if unit.has_key?(:contents) %>
+      contents: "<%= unit[:contents].dump[1..-2] %>"<% end %><% if unit.has_key?(:dropins) %>
+      dropins:
+        <% unit[:dropins].each { |dropin| %>
+        - contents: "<%= dropin[:contents].dump[1..-2] %>"
+          name: "<%= dropin[:name] %>"
+        <% } %><% end %>
+    <% } %>
+
+
+storage:
+  <% if volumes.count > 0 %>
+  filesystems:
+    <% volumes.each { |volume| %>
+    - name: <%= volume[:mount].tr('/','-')[1..-1] %>
+      mount:
+        device: <%= volume[:device] %>
+        format: ext4
+    <% } %>
+  <% end %>
+  files:
+    <% files.each { |file| %>
+    - filesystem: "root"
+      path: <%= file[:path] %>
+      mode: <%= file[:mode] %>
+      user: { id: 0 }
+      group: { id: 0 }
+      <% if file[:contents].is_a?(Hash) %>
+      contents:
+        source: "<%= file[:contents][:source] %>"
+      <% else %>
+      contents: "<%= file[:contents].gsub(/\n/, '\\n').gsub(/\"/, '\\"') %>"
+      <% end %>
+    <% } %>
+    <% cas.each { |ca| %>
+    - filesystem: "root"
+      path: "/etc/ssl/<%= ca.name %>/ca.cert"
+      mode: 0444
+      user: { id: 0 }
+      group: { id: 0 }
+      contents:
+        source: "<%= ca.source %>"
+    <% } %>
+    <% keypairs.each { |keypair| %>
+    <% if keypair.has_key?(:name) %>
+    - filesystem: "root"
+      path: "/etc/ssl/<%= keypair[:ca].name %>/<%= keypair[:name] %>/cert"
+      mode: 0444
+      user: { id: 0 }
+      group: { id: 0 }
+      contents:
+        source: "<%= keypair[:source][:cert] %>"
+    - filesystem: "root"
+      path: "/etc/ssl/<%= keypair[:ca].name %>/<%= keypair[:name] %>/key"
+      mode: 0444
+      user: { id: 0 }
+      group: { id: 0 }
+      contents:
+        source: "<%= keypair[:source][:key] %>"
+    <% else %>
+    - filesystem: "root"
+      path: "/etc/ssl/<%= keypair[:ca].name %>/ca.key"
+      mode: 0444
+      user: { id: 0 }
+      group: { id: 0 }
+      contents:
+        source: "<%= keypair[:source][:key] %>"
+    <% end %>
+    <% } %>
+    - filesystem: "root"
+      path:  '/etc/usersync.env'
+      mode:  0644
+      user:  { id: 0 }
+      group: { id: 0 }
+      contents: |
+        USERSYNC_SSH_GROUP="<%= ssh_group %>"

data/lib/terrafying/components/usable.rb

@@ -0,0 +1,129 @@
+
+module Terrafying
+
+  module Components
+
+    module Usable
+
+      def security_group
+        @security_group
+      end
+
+      def ingress_security_group
+        @ingress_security_group || @security_group
+      end
+
+      def egress_security_group
+        @egress_security_group || @security_group
+      end
+
+      def path_mtu_setup!
+        resource :aws_security_group_rule, "#{@name}-path-mtu", {
+                     security_group_id: self.egress_security_group,
+                     type: "ingress",
+                     protocol: 1, # icmp
+                     from_port: 3, # icmp type
+                     to_port: 4, # icmp code
+                     cidr_blocks: ["0.0.0.0/0"],
+                   }
+      end
+
+      def pingable_by_cidr(*cidrs)
+        ident = Digest::SHA2.hexdigest cidrs.to_s
+
+        resource :aws_security_group_rule, "#{@name}-to-#{ident}-ping", {
+                     security_group_id: self.ingress_security_group,
+                     type: "ingress",
+                     protocol: 1, # icmp
+                     from_port: 8, # icmp type
+                     to_port: 0, # icmp code
+                     cidr_blocks: cidrs,
+                   }
+      end
+
+      def used_by_cidr(*cidrs)
+        cidrs.map { |cidr|
+          cidr_ident = cidr.gsub(/[\.\/]/, "-")
+
+          @ports.map {|port|
+            resource :aws_security_group_rule, "#{@name}-to-#{cidr_ident}-#{port[:name]}", {
+                       security_group_id: self.ingress_security_group,
+                       type: "ingress",
+                       from_port: port[:upstream_port],
+                       to_port: port[:upstream_port],
+                       protocol: port[:type] == "udp" ? "udp" : "tcp",
+                       cidr_blocks: [cidr],
+                     }
+          }
+        }
+      end
+
+      def pingable_by(*other_resources)
+        other_resources.map { |other_resource|
+          resource :aws_security_group_rule, "#{@name}-to-#{other_resource.name}-ping", {
+                     security_group_id: self.ingress_security_group,
+                     type: "ingress",
+                     protocol: 1, # icmp
+                     from_port: 8, # icmp type
+                     to_port: 0, # icmp code
+                     source_security_group_id: other_resource.egress_security_group,
+                   }
+
+          resource :aws_security_group_rule, "#{@name}-to-#{other_resource.name}-pingv6", {
+                     security_group_id: self.ingress_security_group,
+                     type: "ingress",
+                     protocol: 58, # icmpv6
+                     from_port: 128, # icmp type
+                     to_port: 0, # icmp code
+                     source_security_group_id: other_resource.egress_security_group,
+                   }
+
+          resource :aws_security_group_rule, "#{other_resource.name}-to-#{@name}-ping", {
+                     security_group_id: other_resource.egress_security_group,
+                     type: "egress",
+                     protocol: 1, # icmp
+                     from_port: 8, # icmp type
+                     to_port: 0, # icmp code
+                     source_security_group_id: self.ingress_security_group,
+                   }
+
+          resource :aws_security_group_rule, "#{other_resource.name}-to-#{@name}-pingv6", {
+                     security_group_id: other_resource.egress_security_group,
+                     type: "egress",
+                     protocol: 58, # icmpv6
+                     from_port: 128, # icmp type
+                     to_port: 0, # icmp code
+                     source_security_group_id: self.ingress_security_group,
+                   }
+        }
+      end
+
+      def used_by(*other_resources)
+        other_resources.map { |other_resource|
+          @ports.map {|port|
+            resource :aws_security_group_rule, "#{@name}-to-#{other_resource.name}-#{port[:name]}", {
+                       security_group_id: self.ingress_security_group,
+                       type: "ingress",
+                       from_port: port[:upstream_port],
+                       to_port: port[:upstream_port],
+                       protocol: port[:type] == "udp" ? "udp" : "tcp",
+                       source_security_group_id: other_resource.egress_security_group,
+                     }
+
+            resource :aws_security_group_rule, "#{other_resource.name}-to-#{@name}-#{port[:name]}", {
+                       security_group_id: other_resource.egress_security_group,
+                       type: "egress",
+                       from_port: port[:downstream_port],
+                       to_port: port[:downstream_port],
+                       protocol: port[:type] == "udp" ? "udp" : "tcp",
+                       source_security_group_id: self.ingress_security_group,
+                     }
+          }
+        }
+      end
+
+    end
+
+  end
+
+end

data/lib/terrafying/components/version.rb

@@ -0,0 +1,5 @@
+module Terrafying
+  module Components
+    VERSION = "1.4.4"
+  end
+end

data/lib/terrafying/components/vpc.rb

@@ -0,0 +1,417 @@
+
+require 'netaddr'
+
+require 'terrafying/components/subnet'
+require 'terrafying/components/zone'
+require 'terrafying/generator'
+
+module Terrafying
+
+  module Components
+    DEFAULT_SSH_GROUP = 'cloud-team'
+    DEFAULT_ZONE = "vpc.usw.co"
+
+    class VPC < Terrafying::Context
+
+      attr_reader :id, :name, :cidr, :zone, :azs, :subnets, :internal_ssh_security_group, :ssh_group
+
+      def self.find(name)
+        VPC.new.find name
+      end
+
+      def self.create(name, cidr, options={})
+        VPC.new.create name, cidr, options
+      end
+
+      def initialize()
+        super
+      end
+
+
+      def find(name)
+        vpc = aws.vpc(name)
+
+        @name = name
+        @id = vpc.vpc_id
+        @cidr = vpc.cidr_block
+        @zone = Terrafying::Components::Zone.find_by_tag({vpc: @id})
+        if @zone.nil?
+          raise "Failed to find zone"
+        end
+
+        @subnets = aws.subnets_for_vpc(vpc.vpc_id).each_with_object({}) { |subnet, subnets|
+          subnet_inst = Subnet.find(subnet.subnet_id)
+
+          subnet_name_tag = subnet.tags.detect { |tag| tag.key == "subnet_name" }
+
+          if subnet_name_tag
+            key = subnet_name_tag.value.to_sym
+          else
+            key = subnet_inst.public ? :public : :private
+          end
+
+          if subnets.has_key?(key)
+            subnets[key] << subnet_inst
+          else
+            subnets[key] = [ subnet_inst ]
+          end
+        }
+
+        # need to sort subnets so they are in az order
+        @subnets.each { |_, s| s.sort! { |a, b| a.az <=> b.az } }
+
+        tags = vpc.tags.select { |tag| tag.key == "ssh_group"}
+        if tags.count > 0
+          @ssh_group = tags[0].value
+        else
+          @ssh_group = DEFAULT_SSH_GROUP
+        end
+
+        @internal_ssh_security_group = aws.security_group("#{tf_safe(name)}-internal-ssh")
+        self
+      end
+
+      def create(name, raw_cidr, options={})
+        options = {
+          subnet_size: 24,
+          internet_access: true,
+          nat_eips: [],
+          azs: aws.availability_zones,
+          tags: {},
+          ssh_group: DEFAULT_SSH_GROUP,
+        }.merge(options)
+
+        if options[:parent_zone].nil?
+          options[:parent_zone] = Zone.find(DEFAULT_ZONE)
+        end
+
+        if options[:subnets].nil?
+          if options[:internet_access]
+            options[:subnets] = {
+              public: { public: true },
+              private: { internet: true },
+            }
+          else
+            options[:subnets] = {
+              private: { },
+            }
+          end
+        end
+
+        @name = name
+        @cidr = raw_cidr
+        @azs = options[:azs]
+        @tags = options[:tags]
+        @ssh_group = options[:ssh_group]
+
+        cidr = NetAddr::CIDR.create(raw_cidr)
+
+        @remaining_ip_space = NetAddr::Tree.new
+        @remaining_ip_space.add! cidr
+        @subnet_size = options[:subnet_size]
+        @subnets = {}
+
+        per_az_subnet_size = options[:subnets].values.reduce(0) { |memo, s|
+          memo + (1 << (32 - s.fetch(:bit_size, @subnet_size)))
+        }
+        total_subnet_size = per_az_subnet_size * @azs.count
+
+        if total_subnet_size > cidr.size
+          raise "Not enough space for subnets in CIDR"
+        end
+
+        @id = resource :aws_vpc, name, {
+                         cidr_block: cidr.to_s,
+                         enable_dns_hostnames: true,
+                         tags: { Name: name, ssh_group: @ssh_group }.merge(@tags),
+                       }
+
+        @zone = add! Terrafying::Components::Zone.create("#{name}.#{options[:parent_zone].fqdn}", {
+                                                           parent_zone: options[:parent_zone],
+                                                           tags: { vpc: @id }.merge(@tags),
+                                                         })
+
+        dhcp = resource :aws_vpc_dhcp_options, name, {
+                          domain_name: @zone.fqdn,
+                          domain_name_servers: ["AmazonProvidedDNS"],
+                          tags: { Name: name }.merge(@tags),
+                        }
+
+        resource :aws_vpc_dhcp_options_association, name, {
+                   vpc_id: @id,
+                   dhcp_options_id: dhcp,
+                 }
+
+
+        if options[:internet_access]
+
+          if options[:nat_eips].size == 0
+            options[:nat_eips] = @azs.map{ |az| resource :aws_eip, "#{name}-nat-gateway-#{az}", { vpc: true } }
+          elsif options[:nat_eips].size != @azs.count
+            raise "The nubmer of nat eips has to match the number of AZs"
+          end
+
+          @internet_gateway = resource :aws_internet_gateway, name, {
+                                         vpc_id: @id,
+                                         tags: {
+                                           Name: name,
+                                         }.merge(@tags)
+                                       }
+          allocate_subnets!(:nat_gateway, { bit_size: 28, public: true })
+
+          @nat_gateways = @azs.zip(@subnets[:nat_gateway], options[:nat_eips]).map { |az, subnet, eip|
+            resource :aws_nat_gateway, "#{name}-#{az}", {
+                       allocation_id: eip,
+                       subnet_id: subnet.id,
+                     }
+          }
+
+        end
+
+        options[:subnets].each { |key, config| allocate_subnets! key, config }
+
+        @internal_ssh_security_group = resource :aws_security_group, "#{name}-internal-ssh", {
+                                                  name: "#{name}-internal-ssh",
+                                                  description: "Allows SSH between machines inside the VPC CIDR",
+                                                  tags: @tags,
+                                                  vpc_id: @id,
+                                                  ingress: [
+                                                    {
+                                                      from_port: 22,
+                                                      to_port: 22,
+                                                      protocol: "tcp",
+                                                      cidr_blocks: [@cidr],
+                                                    },
+                                                  ],
+                                                  egress: [
+                                                    {
+                                                      from_port: 22,
+                                                      to_port: 22,
+                                                      protocol: "tcp",
+                                                      cidr_blocks: [@cidr],
+                                                    },
+                                                  ],
+                                                }
+        self
+      end
+
+      def peer_with_external(account_id, vpc_id, cidrs, options={})
+        options = {
+          region: "eu-west-1",
+          subnets: @subnets.values.flatten,
+        }.merge(options)
+
+        peering_connection = resource :aws_vpc_peering_connection, "#{@name}-to-#{account_id}-#{vpc_id}", {
+                                        peer_owner_id: account_id,
+                                        peer_vpc_id: vpc_id,
+                                        peer_region: options[:region],
+                                        vpc_id: @id,
+                                        auto_accept: false,
+                                        tags: { Name: "#{@name} to #{account_id}.#{vpc_id}" }.merge(@tags),
+                                      }
+
+        our_route_tables = options[:subnets].map(&:route_table).sort.uniq
+
+        our_route_tables.product(cidrs).each { |route_table, cidr|
+          hash = Digest::SHA2.hexdigest "#{route_table}-#{tf_safe(cidr)}"
+
+          resource :aws_route, "#{@name}-to-#{account_id}-#{vpc_id}-peer-#{hash}", {
+                     route_table_id: route_table,
+                     destination_cidr_block: cidr,
+                     vpc_peering_connection_id: peering_connection,
+                   }
+        }
+      end
+
+      def peer_with_vpn(ip_address, cidrs, options={})
+        options = {
+          bgp_asn: 65000,
+          type: "ipsec.1",
+          tunnels: [],
+          static_routes_only: true,
+          subnets: @subnets.values.flatten,
+        }.merge(options)
+
+        ident = tf_safe(ip_address)
+
+        if options[:tunnels].count > 2
+          raise "You can only define a max of two tunnels"
+        end
+
+        customer_gateway = resource :aws_customer_gateway, ident, {
+                                      bgp_asn: options[:bgp_asn],
+                                      ip_address: ip_address,
+                                      type: options[:type],
+                                      tags: {
+                                        Name: "Connection to #{ip_address}"
+                                      }.merge(@tags),
+                                    }
+
+        vpn_gateway = resource :aws_vpn_gateway, ident, {
+                                 vpc_id: @id,
+                                 tags: {
+                                   Name: "Connection to #{ip_address}"
+                                 }.merge(@tags),
+                               }
+
+        connection_config = {
+          vpn_gateway_id: vpn_gateway,
+          customer_gateway_id: customer_gateway,
+          type: options[:type],
+          static_routes_only: options[:static_routes_only],
+          tags: {
+            Name: "Connection to #{ip_address}"
+          }.merge(@tags),
+        }
+
+        options[:tunnels].each.with_index { |tunnel, i|
+          connection_config["tunnel#{i+1}_inside_cidr"] = tunnel[:cidr]
+
+          if tunnel.has_key?(:key)
+            connection_config["tunnel#{i+1}_preshared_key"] = tunnel[:key]
+          end
+        }
+
+        connection = resource :aws_vpn_connection, ident, connection_config
+
+        cidrs.each { |cidr|
+          resource :aws_vpn_connection_route, "#{ident}-#{tf_safe(cidr)}", {
+                     destination_cidr_block: cidr,
+                     vpn_connection_id: connection,
+                   }
+        }
+
+        route_tables = options[:subnets].map(&:route_table).sort.uniq
+        route_tables.product(cidrs).each { |route_table, cidr|
+          hash = Digest::SHA2.hexdigest "#{route_table}-#{tf_safe(cidr)}"
+
+          resource :aws_route, "#{@name}-to-#{ident}-peer-#{hash}", {
+                     route_table_id: route_table,
+                     destination_cidr_block: cidr,
+                     gateway_id: vpn_gateway,
+                   }
+        }
+
+      end
+
+      def peer_with(other_vpc, options={})
+        options = {
+          complete: false,
+          peerings: [
+            { from: @subnets.values.flatten, to: other_vpc.subnets.values.flatten },
+            { from: other_vpc.subnets.values.flatten, to: @subnets.values.flatten },
+          ],
+        }.merge(options)
+
+        other_vpc_ident = tf_safe(other_vpc.name)
+
+        our_cidr = NetAddr::CIDR.create(@cidr)
+        other_cidr = NetAddr::CIDR.create(other_vpc.cidr)
+        if our_cidr.contains? other_cidr[0] or our_cidr.contains? other_cidr.last
+          raise "VPCs to be peered have overlapping CIDRs"
+        end
+
+        peering_connection = resource :aws_vpc_peering_connection, "#{@name}-to-#{other_vpc_ident}", {
+                                        peer_vpc_id: other_vpc.id,
+                                        vpc_id: @id,
+                                        auto_accept: true,
+                                        tags: { Name: "#{@name} to #{other_vpc.name}" }.merge(@tags),
+                                      }
+
+        if options[:complete]
+          our_route_tables = @subnets.values.flatten.map(&:route_table).sort.uniq
+          their_route_tables = other_vpc.subnets.values.flatten.map(&:route_table).sort.uniq
+
+          (our_route_tables.product([other_vpc.cidr]) + their_route_tables.product([@cidr])).each { |route_table, cidr|
+            hash = Digest::SHA2.hexdigest "#{route_table}-#{tf_safe(cidr)}"
+
+            resource :aws_route, "#{@name}-#{other_vpc_ident}-peer-#{hash}", {
+              route_table_id: route_table,
+              destination_cidr_block: cidr,
+              vpc_peering_connection_id: peering_connection,
+            }
+          }
+        else
+          options[:peerings].each.with_index { |peering, i|
+            route_tables = peering[:from].map(&:route_table).sort.uniq
+            cidrs = peering[:to].map(&:cidr).sort.uniq
+
+            route_tables.product(cidrs).each { |route_table, cidr|
+
+              hash = Digest::SHA2.hexdigest "#{route_table}-#{tf_safe(cidr)}"
+
+              resource :aws_route, "#{@name}-#{other_vpc_ident}-peer-#{hash}", {
+                route_table_id: route_table,
+                destination_cidr_block: cidr,
+                vpc_peering_connection_id: peering_connection,
+              }
+            }
+          }
+        end
+      end
+
+      def extract_subnet!(bit_size)
+        if bit_size > 28  # aws can't have smaller
+          bit_size = 28
+        end
+
+        targets = @remaining_ip_space.find_space({ Subnet: bit_size })
+
+        if targets.count == 0
+          raise "Run out of ip space to allocate a /#{bit_size}"
+        end
+
+        target = targets[0]
+
+        @remaining_ip_space.delete!(target)
+
+        if target.bits == bit_size
+          new_subnet = target
+        else
+          new_subnet = target.subnet({ Bits: bit_size, Objectify: true })[0]
+
+          target.remainder(new_subnet).each { |rem|
+            @remaining_ip_space.add!(rem)
+          }
+        end
+
+        return new_subnet.to_s
+      end
+
+      def allocate_subnets!(name, options = {})
+        options = {
+          public: false,
+          bit_size: @subnet_size,
+          internet: true,
+          tags: {},
+        }.merge(options)
+
+        if options[:public]
+          gateways = [@internet_gateway] * @azs.count
+        elsif options[:internet] && @nat_gateways != nil
+          gateways = @nat_gateways
+        else
+          gateways = [nil] * @azs.count
+        end
+
+        @subnets[name] = @azs.zip(gateways).map { |az, gateway|
+          subnet_options = { tags: { subnet_name: name }.merge(options[:tags]).merge(@tags) }
+          if gateway != nil
+            if options[:public]
+              subnet_options[:gateway] = gateway
+            elsif options[:internet]
+              subnet_options[:nat_gateway] = gateway
+            end
+          end
+
+          add! Terrafying::Components::Subnet.create_in(
+                 self, name, az, extract_subnet!(options[:bit_size]), subnet_options
+               )
+        }
+      end
+
+    end
+
+  end
+
+end