10

I'm trying to create vault-deployment using Jenkins. Here's a link to my repo.

When running the script I'm getting

"Scripts not permitted to use staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods write java.io.File java.lang.String. Administrators can decide whether to approve or reject this signature." issue.

I got this issue after adding a stage "Generate Vars". If I remove this stage in the code the other stages work, but they don't complete the job. This is because it needs to get a token for vault deployment and it needs to get it from the .tfvars file.

It's not a good idea to share my variables on GitHub, that's why I'm trying to create vault.tfvars through Jenkins and provide any token before running a pipeline job.

Does anyone know how to fix this??? If some part is not clear please feel free to ask questions!

If I find the solution for this issue I will share it here with the link to my GitHub. Thanks

Here is my code Jenkinsfile.groovy

node('master') {
    properties([parameters([
        string(defaultValue: 'plan', description: 'Please provide what action you want? (plan,apply,destroy)', name: 'terraformPlan', trim: true),
        string(defaultValue: 'default_token_add_here', description: 'Please provide a token for vault', name: 'vault_token', trim: true)
    ])])
    checkout scm
    stage('Generate Vars') {
        // new File(...) plus the Groovy write() extension is the call the sandbox rejects
        def file = new File("${WORKSPACE}/vaultDeployment/vault.tfvars")
        file.write """
        vault_token              =  "${vault_token}"
        """
    }
    stage("Terraform init") {
        dir("${workspace}/vaultDeployment/") {
            sh 'ls'
            sh 'pwd'
            sh "terraform init"
        }
    }
    // Closed the init stage above so this stage is a sibling rather than nested inside it
    stage("Terraform Plan/Apply/Destroy") {
        if (params.terraformPlan.toLowerCase() == 'plan') {
            dir("${workspace}/vaultDeployment/") {
                sh "terraform plan -var-file=variables.tfvars"
            }
        }
        if (params.terraformPlan.toLowerCase() == 'apply') {
            dir("${workspace}/vaultDeployment/") {
                sh "terraform apply --auto-approve"
            }
        }
        if (params.terraformPlan.toLowerCase() == 'destroy') {
            dir("${workspace}/vaultDeployment/") {
                sh "terraform destroy --auto-approve"
            }
        }
    }
}
Tamir Klein
Murodbey
  • First result in Google for that error https://stackoverflow.com/questions/38276341/jenkins-ci-pipeline-scripts-not-permitted-to-use-method-groovy-lang-groovyobject – tim_yates Apr 21 '19 at 18:51
  • I was able to create Vault-deployment using jenkins. I added those restrictions into the whitelist and my code did work! Here is the [link](https://github.com/Murodbey/Jenkins-project/tree/master/vaultDeployment) for updated code – Murodbey Apr 22 '19 at 05:21

2 Answers

13

Generally, we choose to execute the pipeline in the Groovy sandbox, which has restrictions in some aspects for security reasons, like using the new keyword or using static methods.

But you need a Jenkins admin to add the restriction to the whitelist in Jenkins > Manage Jenkins > In-process Script Approval.

To write a file, Jenkins Pipeline supplies an alternative, writeFile, which has no such restriction.

writeFile file: '<file path>',  text: """
    vault_token              =  "${vault_token}"
    """
Neuron
yong
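The writeFile approach from this answer applied to the pipeline in the question, as an added example that is not the asker's or the answerer's code. The allowed token character set and passing the generated vault.tfvars with -var-file to every action are assumptions.

```groovy
// Added example. Runs in the Groovy sandbox without script approvals.
node('master') {
    properties([parameters([
        string(defaultValue: 'plan', description: 'plan, apply or destroy', name: 'terraformPlan', trim: true),
        string(defaultValue: '', description: 'Token for vault', name: 'vault_token', trim: true)
    ])])
    checkout scm

    dir('vaultDeployment') {
        try {
            stage('Generate Vars') {
                // Reject anything that could break out of the quoted HCL value.
                // Assumption: tokens only use these characters; adjust to your format.
                if (!(params.vault_token ==~ /[A-Za-z0-9._-]+/)) {
                    error 'vault_token is empty or contains unexpected characters'
                }
                // writeFile is a Pipeline step: allowed by the sandbox, and the
                // path is resolved relative to the enclosing dir() on the agent.
                writeFile file: 'vault.tfvars', text: "vault_token = \"${params.vault_token}\"\n"
            }
            stage('Terraform init') {
                sh 'terraform init'
            }
            stage('Terraform Plan/Apply/Destroy') {
                def action = params.terraformPlan.toLowerCase()
                // Only a validated action is interpolated into the shell command;
                // the token itself never appears on the command line.
                if (!['plan', 'apply', 'destroy'].contains(action)) {
                    error "Unsupported action: ${action}"
                }
                def approve = (action == 'plan') ? '' : '--auto-approve'
                sh "terraform ${action} -var-file=vault.tfvars ${approve}"
            }
        } finally {
            // Do not leave the token in the workspace after the build.
            sh 'rm -f vault.tfvars'
        }
    }
}
```

A string parameter is stored with the build record and shown on the build's Parameters page; binding a "Secret text" credential with withCredentials keeps the token out of that record.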
0

As yong already pointed out, the right way to achieve this and avoid eventual restrictions in environments where we don't have admin control is to use writeFile,

i.e.:

writeFile file: 'tmp/query.sql', text: "SELECT * FROM table"

The advantage of this is that migrating from a fully managed to a restricted environment will be painless. Subfolders, like 'tmp' in the example, will be created automatically, and the code itself is pretty verbose.

Neuron
Ewoks