From 17e5b92d63cc96170cef24f39454c75860c0750d Mon Sep 17 00:00:00 2001
From: kpcraig <3031348+kpcraig@users.noreply.github.com>
Date: Fri, 8 Aug 2025 18:11:16 -0400
Subject: [PATCH] Log transit rotations (#31420)

---
 builtin/logical/transit/path_rotate.go | 14 +++++++++++++-
 changelog/31420.txt | 3 +++
 2 files changed, 16 insertions(+), 1 deletion(-)
 create mode 100644 changelog/31420.txt

diff --git a/builtin/logical/transit/path_rotate.go b/builtin/logical/transit/path_rotate.go
index 1d7efea56d..2cf68bdaf5 100644
--- a/builtin/logical/transit/path_rotate.go
+++ b/builtin/logical/transit/path_rotate.go
@@ -56,9 +56,12 @@ func (b *backend) pathRotateWrite(ctx context.Context, req *logical.Request, d *
 Name: name,
 }, b.GetRandomReader())
 if err != nil {
+ // the error here will be something about "couldn't get policy")
+ b.Logger().Error("failed to rotate key on user request", "name", name, "error", err.Error())
 return nil, err
 }
 if p == nil {
+ b.Logger().Error("failed to rotate key on user request", "name", name, "error", "key not found")
 return logical.ErrorResponse("key not found"), logical.ErrInvalidRequest
 }
 if !b.System().CachingDisabled() {
@@ -70,6 +73,7 @@ func (b *backend) pathRotateWrite(ctx context.Context, req *logical.Request, d *
 var keyId string
 keyId, err = GetManagedKeyUUID(ctx, b, managedKeyName, managedKeyId)
 if err != nil {
+ b.Logger().Error("failed to rotate key", "name", name, "error", err.Error())
 return nil, err
 }
 err = p.RotateManagedKey(ctx, req.Storage, keyId)
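Review bot: The new Logger().Error calls in this hunk and the next pass `err.Error()` as the structured field value, which flattens the error to a string; hclog takes the error value itself, so `"error", err` keeps the original error for any sink that inspects it and reads identically in text output. The comment above the first call ends with a stray closing parenthesis (`"couldn't get policy")`) and guesses at the error's content; it should state only what the code shows, e.g. `// GetPolicy failed: log the attempt before returning so rotation failures are visible to operators`. The message in the following hunk, `"failed to rotate key"`, drops the `on user request` suffix used by every other call in this commit; using one message for all of them keeps these events searchable as a single event type. pathRotateWrite begins before this hunk and continues after it.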
@@ -79,10 +83,18 @@ func (b *backend) pathRotateWrite(ctx context.Context, req *logical.Request, d *
 }
 
 if err != nil {
+ b.Logger().Error("failed to rotate key on user request", "name", name, "error", err.Error())
 return nil, err
 }
 
- return b.formatKeyPolicy(p, nil)
+ resp, err := b.formatKeyPolicy(p, nil)
+ if err != nil {
+ b.Logger().Error("failed to rotate key on user request", "name", name, "error", err.Error())
+ } else {
+ b.Logger().Info("succesfully rotated key on user request", "name", name)
+ }
+ // formatKeyPolicy returns a response even on error so be sure to return both.
+ return resp, err
 }
 
 const pathRotateHelpSyn = `Rotate named encryption key`
diff --git a/changelog/31420.txt b/changelog/31420.txt
new file mode 100644
index 0000000000..d139343396
--- /dev/null
+++ b/changelog/31420.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+secrets/transit: add logging on both success and failure of key rotation
+```
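Review bot: The Error log in the branch after `b.formatKeyPolicy(p, nil)` reports that the rotation failed, but by that point the rotation has already succeeded (the `if err != nil { return nil, err }` directly above is the rotate-call check), so an operator reading `failed to rotate key on user request` would wrongly conclude no new key version exists and may rotate again. Log success right after that check with `b.Logger().Info("successfully rotated key on user request", "name", name)` and reword the format branch to `b.Logger().Error("failed to format rotated key policy", "name", name, "error", err)`, which also fixes the `succesfully` typo in the Info message. The comment stating that formatKeyPolicy returns a response even on error cannot be confirmed from this hunk; verify it against formatKeyPolicy before relying on returning both values. pathRotateWrite begins before this hunk.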