Scripts not permitted to use staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods write java.io.File java.lang.String

jenkins groovy jenkins-pipeline jenkins-groovy hashicorp-vault

24,392

Generally, we choose pipeline to execute in Groovy sandbox which has restriction in some aspects for security considering. Like using new keyword, using static method.

But you need Jenkins admin to add the restriction to whitelist in jenkins > Manage jenkins > In-process Script Approval

To write file, Jenkins pipeline supply alternative writeFile which has no such restriction.

writeFile file: '<file path>',  text: """
    vault_token              =  "${vault_token}"
    """

24,392

Author by

Murodbey

Updated on July 09, 2022

Comments

Murodbey almost 2 years

I'm trying to create vault-deployment using Jenkins. Here's a link to my repo.

When running the script I'm getting

"Scripts not permitted to use staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods write java.io.File java.lang.String. Administrators can decide whether to approve or reject this signature." issue.

I got this issue after adding a stage "Generate Vars". If I remove this stage in the code the other stages works, but they don't complete the job. This is because it needs to get token for vault deployment and it needs to get it from .tfvars file.

It's not a good idea to share my variables on GitHub, that's why I`m trying to create vault.tfvars through Jenkins and provide any token before running a pipeline job.

Does anyone know how to fix this??? If some part is not clear please feel free to ask questions!

If I find the solution for this issue I will share it here with the link to my GitHub. Thanks

Here is my code Jenkinsfile.groovy

node('master') {
  properties([parameters([
    string(defaultValue: 'plan', description: 'Please provide what action you want? (plan,apply,destroy)', name: 'terraformPlan', trim: true), 
    string(defaultValue: 'default_token_add_here', description: 'Please provide a token for vault', name: 'vault_token', trim: true)
    ]
    )])
    checkout scm
    stage('Generate Vars') {
        def file = new File("${WORKSPACE}/vaultDeployment/vault.tfvars")
        file.write """
        vault_token              =  "${vault_token}"
        """
      }
    stage("Terraform init") {
      dir("${workspace}/vaultDeployment/") {
        sh 'ls'
        sh 'pwd'
        sh "terraform init"
      }
    stage("Terraform Plan/Apply/Destroy"){
      if (params.terraformPlan.toLowerCase() == 'plan') {
        dir("${workspace}/vaultDeployment/") {
          sh "terraform plan -var-file=variables.tfvars"
        }
      } 
      if (params.terraformPlan.toLowerCase() == 'apply') {
          dir("${workspace}/vaultDeployment/") {
            sh "terraform apply --auto-approve"
          }
        } 

      if (params.terraformPlan.toLowerCase() == 'destroy') {
         dir("${workspace}/vaultDeployment/") {
            sh "terraform destroy --auto-approve"
          }
      }
    }
  }
}

Murodbey about 5 years

Thanks, yong! I added those restrictions into the whitelist and it did work for me!
张馆长 almost 2 years

url path is /scriptApproval/