Comment 2 for bug 1700434

I believe this happened because we currently do not check whether a credential is in use before removing it with RevokeCredential. I've confirmed that RevokeCredential is used in the GUI to remove credentials directly. This can easily put affected models in a "stuck dying" state.

An incremental improvement here would be to add a "force" flag to RevokeCredential. If not set, the method will return an error if the credential is in use by any models, which can then be relayed back to the user as a prompt to clean up models.

Forcing a revoke would still leave models in a stuck-dying state, so we'll still want to explore the other possible improvements above. Updating credentials such that the provider loses access to the required resources could also leave a model in such a state.