keyring: warn if removing a key that was used for encrypting variables

[pkazmierczak]

This PR adds an additional check in the Keyring.Delete RPC to make sure we're not trying to delete a key that's been used to encrypt a variable. It also adds a -force flag for the CLI/API to sidestep that check.

Resolves #24591
Internal ref: https://hashicorp.atlassian.net/browse/NET-11829

[jrasell]

Thanks for doing this @pkazmierczak!

I tested this locally and couldn't get a delete to work even when using the force flag. I believe we need to populate the RPC request force parameter from the HTTP request here in order for the HTTP->RPC translation to handle this new parameter.

It would also be good if we could address the following items:

• The CLI help output doesn't include the new flag option.
• It would be nice to have API and CLI tests to cover this addition as the RPC test did not catch the issue detailed above.
• Document the API and CLI changes.

[jrasell]

Is it worth expanding on this to note the variable should still exist? It immediately reads to me that the warning applies to any key used in the past.

[jrasell]

I know not many options have this, but could we add a comment to this explaining what the force boolean does? It means external tool developers have an easy time knowing and understanding.

[jrasell]

There is no formatting, so we could use the below (the suggestion won't compile as the file also needs the new import):

Suggested change

	return fmt.Errorf("root key in use, cannot delete")
	return errors.New("root key in use, cannot delete")

[pkazmierczak]

yeah force of habit I guess, but errors.New is a better choice here

[aimeeu]

Thanks for updating the docs!

[pkazmierczak]

@jrasell I addressed all your comments, thanks for the thorough review.