Where are my secrets used in the code
  • Updated on 23 May 2020


Recently I had some deployment activities to do, bringing together a bunch of projects and interfaces being developed to support a big release. I needed to get a handle on whether all of our Key Vault secrets were set up and ready for go-live. The challenge is: how do you know which secret is used by which Logic App, whether all of your secrets are used, and whether your Key Vault is missing any secrets?

Below is a script I put together which points at your Key Vault and the folder with your repos in it. It gets the names of the secrets from the vault and then inspects all files to see where they are used. In this case I filtered to just the .json files, as our solution was using Logic Apps and ARM templates. The script finds the files, works out which secrets are used, which aren't, and which files/Logic Apps each secret is used in, and outputs these lists. You can then go and work out which secrets are missing from the environment you are planning to deploy to.


#This script will check which Logic App files and ARM templates use which Key Vault secrets
#Requires the Az.KeyVault module and a signed-in session (Connect-AzAccount) with permission to list secrets in the vault

$keyVault = '[Name of key vault]'
$rootFolder = '[Root folder with your repos in]'


$secretsUsed = New-Object "System.Collections.Generic.List[System.String]"
$secretsNotUsed = New-Object "System.Collections.Generic.List[System.String]"
#Named $secretMatches rather than $matches: $matches is a PowerShell automatic variable that the -match operator overwrites
$secretMatches = New-Object "System.Collections.Generic.List[System.String]"


#If you want to ignore any secrets use these (names are compared case-insensitively)
$secretsToIgnore = New-Object "System.Collections.Generic.List[System.String]"
$secretsToIgnore.Add('username'.ToLower())

#This will let us specify some paths to ignore, will ignore bin directories to speed up and reduce the files found
$foldersToExclude = New-Object "System.Collections.Generic.List[System.String]"
$foldersToExclude.Add('\bin\'.ToLower())

Write-Host 'Getting Secrets from KeyVault'
$secrets = Get-AzKeyVaultSecret -VaultName $keyVault

#Look for json files and process them
$jsonFiles = Get-ChildItem $rootFolder -Recurse -Filter '*.json' -File
foreach($jsonFile in $jsonFiles){

    Write-Host 'Processing File:' $jsonFile

    $excludeFile = $false
    foreach($excludeFolderPattern in $foldersToExclude)
    {
        #String.Contains is case-sensitive, so lower-case the path to match the lower-cased pattern
        if($jsonFile.FullName.ToLower().Contains($excludeFolderPattern)){
            $excludeFile = $true
        }
    }

    if($excludeFile -eq $false){
        foreach($secret in $secrets)
        {
            if($secretsToIgnore.Contains($secret.Name.ToLower()) -eq $true){
                #Ignore this key, it's usually the poorly named one username as every file has a username in it
                Write-Host 'Ignoring secret' $secret.Name
            }
            else{

                #Write-Host 'Processing secret' $secret.Name

                $patternToFind = $secret.Name

                #-SimpleMatch treats the secret name as literal text rather than a regular expression
                $found = Select-String -LiteralPath $jsonFile.FullName -Pattern $patternToFind -SimpleMatch
                if($null -ne $found){

                    $pathWithOutStart = $jsonFile.FullName.Replace($rootFolder, '')
                    $message = $patternToFind + ' was found in file ' + $pathWithOutStart
                    $secretMatches.Add($message)

                    if($secretsUsed.Contains($secret.Name) -eq $false){
                        $secretsUsed.Add($secret.Name)
                    }
                }
            }
        }
    }
}

#Anything from the vault that never matched a file is reported as not used
foreach($secret in $secrets)
{
    if($secretsUsed.Contains($secret.Name) -eq $false){
        $secretsNotUsed.Add($secret.Name)
    }
}


Write-Host ''
Write-Host ''
Write-Host 'Secrets Used'
Write-Host '============'
$secretsUsed.Sort()
foreach($secret in $secretsUsed)
{
    Write-Host $secret
}

Write-Host ''
Write-Host ''
Write-Host 'Secrets Not Used'
Write-Host '================'
#Sort the list that is about to be printed
$secretsNotUsed.Sort()
foreach($secret in $secretsNotUsed)
{
    Write-Host $secret
}

Write-Host ''
Write-Host ''
Write-Host 'Where are keys used'
Write-Host '==================='

$secretMatches.Sort()
foreach($match in $secretMatches){
    Write-Host $match
}
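The script above treats each secret name as a substring, so a secret called sql would be reported as used wherever sql-admin-password appears in a file. As an added example that is not part of the original post, the following function applies the same used / not used / where used logic to in-memory file contents but only counts a match when the name stands alone as a complete secret-style token (letters, digits and hyphens, compared case-insensitively); the secret names, file paths and file contents are constructed samples.

```powershell
# Added example (not the article's script). Key Vault secret names contain only
# letters, digits and hyphens and are case-insensitive, so a name only counts as
# "used" when it is not embedded inside a longer token of those characters.
function Get-SecretUsage {
    param(
        [Parameter(Mandatory)] [string[]] $SecretNames,  # e.g. (Get-AzKeyVaultSecret -VaultName $kv).Name
        [Parameter(Mandatory)] [hashtable] $FileContents # relative path -> text of the file
    )

    $used      = New-Object 'System.Collections.Generic.List[System.String]'
    $whereUsed = New-Object 'System.Collections.Generic.List[System.String]'

    foreach ($path in ($FileContents.Keys | Sort-Object)) {
        foreach ($name in $SecretNames) {
            # Lookarounds stop 'sql' from matching inside 'sql-admin-password'.
            $pattern = '(?<![A-Za-z0-9-])' + [regex]::Escape($name) + '(?![A-Za-z0-9-])'
            if ([regex]::IsMatch($FileContents[$path], $pattern, 'IgnoreCase')) {
                $whereUsed.Add("$name was found in file $path")
                if (-not $used.Contains($name)) { $used.Add($name) }
            }
        }
    }

    $notUsed = $SecretNames | Where-Object { -not $used.Contains($_) }

    [pscustomobject]@{
        Used      = @($used | Sort-Object)
        NotUsed   = @($notUsed | Sort-Object)
        WhereUsed = @($whereUsed | Sort-Object)
    }
}

# Constructed sample data standing in for the vault and the repo folder.
$sampleSecrets = 'sql', 'sql-admin-password', 'servicebus-connection', 'username'
$sampleFiles = @{
    'OrderApi\parameters.json' = '{ "reference": { "keyVault": { "id": "[vault resource id]" }, "secretName": "SQL-Admin-Password" } }'
    'OrderApi\logicapp.json'   = '{ "path": "/secrets/@{encodeURIComponent(''servicebus-connection'')}/value" }'
}

$report = Get-SecretUsage -SecretNames $sampleSecrets -FileContents $sampleFiles
$report.Used       # secrets referenced as a whole token somewhere in the files
$report.NotUsed    # secrets in the vault with no such reference
$report.WhereUsed  # one line per secret and file, in the same form as the script above
```

To run it against a real repo, build $FileContents from Get-ChildItem -Recurse -Filter '*.json' and Get-Content -Raw, and pass the Name values from Get-AzKeyVaultSecret.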