@go-to-k/cdkd 0.8.0 → 0.10.0

package/dist/cli.js

@@ -885,6 +885,40 @@ function withErrorHandling(fn) {
     }
   };
 }
+function normalizeAwsError(err, context = {}) {
+  if (!(err instanceof Error)) {
+    return new Error(String(err));
+  }
+  const isUnknown = err.name === "Unknown" || err.message === "UnknownError";
+  if (!isUnknown)
+    return err;
+  const meta = err.$metadata;
+  const status = meta?.httpStatusCode;
+  const bucket = context.bucket ?? "<unknown bucket>";
+  const operation = context.operation ?? "operation";
+  switch (status) {
+    case 301: {
+      const responseHeaders = err.$response?.headers;
+      const region = responseHeaders?.["x-amz-bucket-region"] ?? responseHeaders?.["X-Amz-Bucket-Region"];
+      const where = region ? ` (in ${region})` : "";
+      return new Error(
+        `Bucket '${bucket}'${where} is in a different region than the client. cdkd resolves this automatically; if you see this message, please report it.`
+      );
+    }
+    case 403:
+      return new Error(
+        `Access denied to bucket '${bucket}'. Verify credentials and bucket policy.`
+      );
+    case 404:
+      return new Error(`Bucket '${bucket}' does not exist.`);
+    default: {
+      const statusStr = status !== void 0 ? `HTTP ${status}` : "unknown HTTP status";
+      return new Error(
+        `S3 error during ${operation} on '${bucket}' (${statusStr}). See CloudTrail for details.`
+      );
+    }
+  }
+}
 
 // src/cli/commands/bootstrap.ts
 init_aws_clients();
@@ -995,7 +1029,7 @@ async function bootstrapCommand(options) {
       if (err.name === "NotFound" || err.name === "NoSuchBucket") {
         logger.debug(`Bucket ${bucketName} does not exist, will create`);
       } else {
-        throw error;
+        throw normalizeAwsError(error, { bucket: bucketName, operation: "HeadBucket" });
       }
     }
     if (bucketExists) {
@@ -3197,6 +3231,7 @@ var AssetPublisher = class {
 
 // src/state/s3-state-backend.ts
 import {
+  S3Client as S3Client4,
   GetObjectCommand,
   PutObjectCommand as PutObjectCommand2,
   DeleteObjectCommand,
@@ -3210,15 +3245,44 @@ import {
 var STATE_SCHEMA_VERSION_LEGACY = 1;
 var STATE_SCHEMA_VERSION_CURRENT = 2;
 
+// src/utils/aws-region-resolver.ts
+import { GetBucketLocationCommand, S3Client as S3Client3 } from "@aws-sdk/client-s3";
+var cache = /* @__PURE__ */ new Map();
+async function resolveBucketRegion(bucketName, opts = {}) {
+  const cached = cache.get(bucketName);
+  if (cached)
+    return cached;
+  const promise = (async () => {
+    const client = new S3Client3({
+      region: "us-east-1",
+      ...opts.profile && { profile: opts.profile },
+      ...opts.credentials && { credentials: opts.credentials }
+    });
+    try {
+      const response = await client.send(new GetBucketLocationCommand({ Bucket: bucketName }));
+      return response.LocationConstraint || "us-east-1";
+    } catch {
+      return opts.fallbackRegion ?? "us-east-1";
+    } finally {
+      client.destroy();
+    }
+  })();
+  cache.set(bucketName, promise);
+  return promise;
+}
+
 // src/state/s3-state-backend.ts
 var LEGACY_KEY_DEPTH = 2;
 var NEW_KEY_DEPTH = 3;
 var S3StateBackend = class {
-  constructor(s3Client, config) {
+  constructor(s3Client, config, clientOpts = {}) {
     this.s3Client = s3Client;
     this.config = config;
+    this.clientOpts = clientOpts;
   }
   logger = getLogger().child("S3StateBackend");
+  clientResolved = false;
+  resolveInFlight = null;
   /**
    * Get the new (region-scoped) S3 key for a stack's state file.
    */
@@ -3232,13 +3296,73 @@ var S3StateBackend = class {
   getLegacyStateKey(stackName) {
     return `${this.config.prefix}/${stackName}/state.json`;
   }
+  /**
+   * Resolve the state bucket's actual region and, if it differs from the
+   * client's currently-configured region, replace the S3Client with one
+   * pointed at the bucket's region.
+   *
+   * This is idempotent: subsequent calls return immediately. Concurrent
+   * callers (e.g. when several public methods race during a parallel deploy)
+   * share a single in-flight resolution promise so we never issue more than
+   * one `GetBucketLocation` per backend.
+   *
+   * Errors from `GetBucketLocation` are deliberately swallowed by
+   * `resolveBucketRegion` — the resolver returns `fallbackRegion` so the
+   * caller can surface the more actionable downstream error (e.g. the
+   * `HeadBucket` 404 routed via `normalizeAwsError`).
+   */
+  async ensureClientForBucket() {
+    if (this.clientResolved)
+      return;
+    if (this.resolveInFlight)
+      return this.resolveInFlight;
+    this.resolveInFlight = (async () => {
+      try {
+        const currentRegion = await this.s3Client.config.region();
+        const fallbackRegion = typeof currentRegion === "string" ? currentRegion : void 0;
+        const bucketRegion = await resolveBucketRegion(this.config.bucket, {
+          ...this.clientOpts.profile && { profile: this.clientOpts.profile },
+          ...this.clientOpts.credentials && { credentials: this.clientOpts.credentials },
+          ...fallbackRegion && { fallbackRegion }
+        });
+        if (bucketRegion !== currentRegion) {
+          this.logger.debug(
+            `State bucket '${this.config.bucket}' is in '${bucketRegion}' (client was '${currentRegion}'); rebuilding S3 client.`
+          );
+          const oldClient = this.s3Client;
+          this.s3Client = new S3Client4({
+            region: bucketRegion,
+            ...this.clientOpts.profile && { profile: this.clientOpts.profile },
+            ...this.clientOpts.credentials && { credentials: this.clientOpts.credentials },
+            // Suppress "Are you using a Stream of unknown length" warning,
+            // matching the suppression in AwsClients.
+            logger: { debug: () => {
+            }, info: () => {
+            }, warn: () => {
+            }, error: () => {
+            } }
+          });
+          oldClient.destroy();
+        }
+        this.clientResolved = true;
+      } finally {
+        this.resolveInFlight = null;
+      }
+    })();
+    return this.resolveInFlight;
+  }
   /**
    * Verify that the configured state bucket exists.
    *
    * Called early in deploy/destroy to fail fast before expensive work
    * (asset publishing, Docker builds) runs against a missing bucket.
+   *
+   * Errors are routed through {@link normalizeAwsError} so the AWS SDK v3
+   * synthetic `UnknownError` (e.g. cross-region HEAD) becomes a concrete
+   * "Bucket does not exist" / "Access denied" / "different region" message.
    */
   async verifyBucketExists() {
+    await this.ensureClientForBucket();
     try {
       await this.s3Client.send(new HeadBucketCommand2({ Bucket: this.config.bucket }));
     } catch (error) {
@@ -3248,9 +3372,13 @@ var S3StateBackend = class {
           `State bucket '${this.config.bucket}' does not exist. Run 'cdkd bootstrap' to create it, or specify an existing bucket via --state-bucket, CDKD_STATE_BUCKET, or cdk.json context.cdkd.stateBucket.`
         );
       }
+      const normalized = normalizeAwsError(error, {
+        bucket: this.config.bucket,
+        operation: "HeadBucket"
+      });
       throw new StateError(
-        `Failed to verify state bucket '${this.config.bucket}': ${error instanceof Error ? error.message : String(error)}`,
-        error instanceof Error ? error : void 0
+        `Failed to verify state bucket '${this.config.bucket}': ${normalized.message}`,
+        normalized
       );
     }
   }
@@ -3263,6 +3391,7 @@ var S3StateBackend = class {
    * state without forcing a write-through migration first.
    */
   async stateExists(stackName, region) {
+    await this.ensureClientForBucket();
     const newKey = this.getStateKey(stackName, region);
     if (await this.headObject(newKey)) {
       return true;
@@ -3285,6 +3414,7 @@ var S3StateBackend = class {
    * preserve the quotes — they are required for `IfMatch` conditions.
    */
   async getState(stackName, region) {
+    await this.ensureClientForBucket();
     const newKey = this.getStateKey(stackName, region);
     try {
       this.logger.debug(`Getting state for stack: ${stackName} (${region})`);
@@ -3344,6 +3474,7 @@ var S3StateBackend = class {
    * @returns New ETag (with quotes, e.g., `"abc123"`)
    */
   async saveState(stackName, region, state, options = {}) {
+    await this.ensureClientForBucket();
     const newKey = this.getStateKey(stackName, region);
     const { expectedEtag, migrateLegacy } = options;
     const body = {
@@ -3399,9 +3530,13 @@ var S3StateBackend = class {
           `State has been modified by another process. Expected ETag: ${expectedEtag}, but state has changed.`
         );
       }
+      const normalized = normalizeAwsError(error, {
+        bucket: this.config.bucket,
+        operation: "PutObject"
+      });
       throw new StateError(
-        `Failed to save state for stack '${stackName}' (${region}): ${error instanceof Error ? error.message : String(error)}`,
-        error instanceof Error ? error : void 0
+        `Failed to save state for stack '${stackName}' (${region}): ${normalized.message}`,
+        normalized
       );
     }
   }
@@ -3413,6 +3548,7 @@ var S3StateBackend = class {
    * field is left alone.
    */
   async deleteState(stackName, region) {
+    await this.ensureClientForBucket();
     try {
       this.logger.debug(`Deleting state: ${stackName} (${region})`);
       await this.s3Client.send(
@@ -3432,9 +3568,13 @@ var S3StateBackend = class {
       }
       this.logger.debug(`State deleted: ${stackName} (${region})`);
     } catch (error) {
+      const normalized = normalizeAwsError(error, {
+        bucket: this.config.bucket,
+        operation: "DeleteObject"
+      });
       throw new StateError(
-        `Failed to delete state for stack '${stackName}' (${region}): ${error instanceof Error ? error.message : String(error)}`,
-        error instanceof Error ? error : void 0
+        `Failed to delete state for stack '${stackName}' (${region}): ${normalized.message}`,
+        normalized
       );
     }
   }
@@ -3453,6 +3593,7 @@ var S3StateBackend = class {
    * shows up exactly once.
    */
   async listStacks() {
+    await this.ensureClientForBucket();
     try {
       this.logger.debug("Listing all stacks");
       const prefix = `${this.config.prefix}/`;
@@ -3503,10 +3644,11 @@ var S3StateBackend = class {
       this.logger.debug(`Found ${refs.length} stack(s) across regions`);
       return refs;
     } catch (error) {
-      throw new StateError(
-        `Failed to list stacks: ${error instanceof Error ? error.message : String(error)}`,
-        error instanceof Error ? error : void 0
-      );
+      const normalized = normalizeAwsError(error, {
+        bucket: this.config.bucket,
+        operation: "ListObjectsV2"
+      });
+      throw new StateError(`Failed to list stacks: ${normalized.message}`, normalized);
     }
   }
   /**
@@ -6196,6 +6338,29 @@ var JsonPatchGenerator = class {
   }
 };
 
+// src/provisioning/region-check.ts
+function assertRegionMatch(clientRegion, expectedRegion, resourceType, logicalId, physicalId) {
+  if (!expectedRegion) {
+    return;
+  }
+  if (!clientRegion) {
+    throw new ProvisioningError(
+      `Refusing to treat NotFound as idempotent delete success for ${logicalId} (${resourceType}): AWS client region is unknown but stack state expects ${expectedRegion}. The resource may exist in ${expectedRegion} and would be silently removed from state if this NotFound were trusted.`,
+      resourceType,
+      logicalId,
+      physicalId
+    );
+  }
+  if (clientRegion !== expectedRegion) {
+    throw new ProvisioningError(
+      `Refusing to treat NotFound as idempotent delete success for ${logicalId} (${resourceType}): AWS client region ${clientRegion} does not match stack state region ${expectedRegion}. The resource likely still exists in ${expectedRegion}; rerun the destroy with the correct region (e.g. --region ${expectedRegion}).`,
+      resourceType,
+      logicalId,
+      physicalId
+    );
+  }
+}
+
 // src/provisioning/cloud-control-provider.ts
 var JSON_STRING_PROPERTIES = {
   "AWS::Events::Rule": /* @__PURE__ */ new Set(["EventPattern"])
@@ -6371,7 +6536,7 @@ var CloudControlProvider = class {
   /**
    * Delete a resource using Cloud Control API
    */
-  async delete(logicalId, physicalId, resourceType, _properties) {
+  async delete(logicalId, physicalId, resourceType, _properties, context) {
     this.logger.debug(
       `Deleting resource ${logicalId} (${resourceType}), physical ID: ${physicalId}`
     );
@@ -6398,6 +6563,14 @@ var CloudControlProvider = class {
     } catch (error) {
       const err = error;
       if (err.name === "ResourceNotFoundException" || err.message?.includes("does not exist") || err.message?.includes("not found") || err.message?.includes("NotFound")) {
+        const clientRegion = await this.cloudControlClient.config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(`Resource ${logicalId} already deleted (not found), treating as success`);
         return;
       }
@@ -6773,7 +6946,7 @@ Error: ${err.message || "Unknown error"}`,
 import { InvokeCommand } from "@aws-sdk/client-lambda";
 import { PublishCommand } from "@aws-sdk/client-sns";
 import {
-  S3Client as S3Client5,
+  S3Client as S3Client6,
   PutObjectCommand as PutObjectCommand4,
   GetObjectCommand as GetObjectCommand3,
   DeleteObjectCommand as DeleteObjectCommand3
@@ -6842,7 +7015,7 @@ var CustomResourceProvider = class _CustomResourceProvider {
   setResponseBucket(bucket, bucketRegion) {
     this.responseBucket = bucket;
     if (bucketRegion) {
-      this.s3Client = new S3Client5(bucketRegion ? { region: bucketRegion } : {});
+      this.s3Client = new S3Client6(bucketRegion ? { region: bucketRegion } : {});
     }
   }
   /**
@@ -6962,7 +7135,7 @@ var CustomResourceProvider = class _CustomResourceProvider {
   /**
    * Delete a custom resource by invoking its Lambda handler
    */
-  async delete(logicalId, physicalId, resourceType, properties) {
+  async delete(logicalId, physicalId, resourceType, properties, _context) {
     this.logger.debug(`Deleting custom resource ${logicalId}: ${physicalId} (${resourceType})`);
     if (!properties) {
       this.logger.warn(
@@ -7784,13 +7957,21 @@ var IAMRoleProvider = class {
    * 3. Remove role from all instance profiles
    * 4. Delete the role itself
    */
-  async delete(logicalId, physicalId, resourceType, _properties) {
+  async delete(logicalId, physicalId, resourceType, _properties, context) {
     this.logger.debug(`Deleting IAM role ${logicalId}: ${physicalId}`);
     try {
       try {
         await this.iamClient.send(new GetRoleCommand({ RoleName: physicalId }));
       } catch (error) {
         if (error instanceof NoSuchEntityException) {
+          const clientRegion = await this.iamClient.config.region();
+          assertRegionMatch(
+            clientRegion,
+            context?.expectedRegion,
+            resourceType,
+            logicalId,
+            physicalId
+          );
           this.logger.debug(`Role ${physicalId} does not exist, skipping deletion`);
           return;
         }
@@ -8285,13 +8466,23 @@ var IAMPolicyProvider = class {
   /**
    * Delete an IAM inline policy
    */
-  async delete(logicalId, physicalId, resourceType, properties) {
+  async delete(logicalId, physicalId, resourceType, properties, context) {
     this.logger.debug(`Deleting IAM policy ${logicalId}: ${physicalId}`);
     const policyName = physicalId.includes(":") ? physicalId.split(":")[0] : physicalId;
     if (!policyName) {
       this.logger.warn(`Invalid physical ID format: ${physicalId}, skipping deletion`);
       return;
     }
+    const onNotFound = async (target) => {
+      const clientRegion = await this.iamClient.config.region();
+      assertRegionMatch(
+        clientRegion,
+        context?.expectedRegion,
+        resourceType,
+        logicalId,
+        `${physicalId} (${target})`
+      );
+    };
     try {
       const roles = properties?.["Roles"];
       const groups = properties?.["Groups"];
@@ -8308,7 +8499,9 @@ var IAMPolicyProvider = class {
             );
             this.logger.debug(`Deleted inline policy ${policyName} from role ${firstRole}`);
           } catch (error) {
-            if (!(error instanceof NoSuchEntityException2)) {
+            if (error instanceof NoSuchEntityException2) {
+              await onNotFound(`role ${firstRole}`);
+            } else {
               throw error;
             }
           }
@@ -8325,7 +8518,9 @@ var IAMPolicyProvider = class {
             );
             this.logger.debug(`Deleted inline policy ${policyName} from role ${roleName}`);
           } catch (error) {
-            if (!(error instanceof NoSuchEntityException2)) {
+            if (error instanceof NoSuchEntityException2) {
+              await onNotFound(`role ${roleName}`);
+            } else {
               throw error;
             }
           }
@@ -8342,7 +8537,9 @@ var IAMPolicyProvider = class {
             );
             this.logger.debug(`Deleted inline policy ${policyName} from group ${groupName}`);
           } catch (error) {
-            if (!(error instanceof NoSuchEntityException2)) {
+            if (error instanceof NoSuchEntityException2) {
+              await onNotFound(`group ${groupName}`);
+            } else {
               throw error;
             }
           }
@@ -8359,7 +8556,9 @@ var IAMPolicyProvider = class {
             );
             this.logger.debug(`Deleted inline policy ${policyName} from user ${userName}`);
           } catch (error) {
-            if (!(error instanceof NoSuchEntityException2)) {
+            if (error instanceof NoSuchEntityException2) {
+              await onNotFound(`user ${userName}`);
+            } else {
               throw error;
             }
           }
@@ -8517,7 +8716,7 @@ var IAMInstanceProfileProvider = class {
    *
    * Before deleting, removes all roles from the instance profile.
    */
-  async delete(logicalId, physicalId, resourceType, _properties) {
+  async delete(logicalId, physicalId, resourceType, _properties, context) {
     this.logger.debug(`Deleting IAM instance profile ${logicalId}: ${physicalId}`);
     try {
       let roles = [];
@@ -8530,6 +8729,14 @@ var IAMInstanceProfileProvider = class {
         ) || [];
       } catch (error) {
         if (error instanceof NoSuchEntityException3) {
+          const clientRegion = await this.iamClient.config.region();
+          assertRegionMatch(
+            clientRegion,
+            context?.expectedRegion,
+            resourceType,
+            logicalId,
+            physicalId
+          );
           this.logger.debug(`Instance profile ${physicalId} does not exist, skipping deletion`);
           return;
         }
@@ -8556,6 +8763,14 @@ var IAMInstanceProfileProvider = class {
       this.logger.debug(`Successfully deleted IAM instance profile ${logicalId}`);
     } catch (error) {
       if (error instanceof NoSuchEntityException3) {
+        const clientRegion = await this.iamClient.config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(`Instance profile ${physicalId} does not exist, skipping deletion`);
         return;
       }
@@ -8675,14 +8890,20 @@ var IAMUserGroupProvider = class {
         );
     }
   }
-  async delete(logicalId, physicalId, resourceType, properties) {
+  async delete(logicalId, physicalId, resourceType, properties, context) {
     switch (resourceType) {
       case "AWS::IAM::User":
-        return this.deleteUser(logicalId, physicalId, resourceType);
+        return this.deleteUser(logicalId, physicalId, resourceType, context);
       case "AWS::IAM::Group":
-        return this.deleteGroup(logicalId, physicalId, resourceType);
+        return this.deleteGroup(logicalId, physicalId, resourceType, context);
       case "AWS::IAM::UserToGroupAddition":
-        return this.deleteUserToGroupAddition(logicalId, physicalId, resourceType, properties);
+        return this.deleteUserToGroupAddition(
+          logicalId,
+          physicalId,
+          resourceType,
+          properties,
+          context
+        );
       default:
         throw new ProvisioningError(
           `Unsupported resource type: ${resourceType}`,
@@ -8885,13 +9106,21 @@ var IAMUserGroupProvider = class {
       );
     }
   }
-  async deleteUser(logicalId, physicalId, resourceType) {
+  async deleteUser(logicalId, physicalId, resourceType, context) {
     this.logger.debug(`Deleting IAM user ${logicalId}: ${physicalId}`);
     try {
       try {
         await this.iamClient.send(new GetUserCommand({ UserName: physicalId }));
       } catch (error) {
         if (error instanceof NoSuchEntityException4) {
+          const clientRegion = await this.iamClient.config.region();
+          assertRegionMatch(
+            clientRegion,
+            context?.expectedRegion,
+            resourceType,
+            logicalId,
+            physicalId
+          );
           this.logger.debug(`User ${physicalId} does not exist, skipping deletion`);
           return;
         }
@@ -9231,7 +9460,7 @@ var IAMUserGroupProvider = class {
       );
     }
   }
-  async deleteGroup(logicalId, physicalId, resourceType) {
+  async deleteGroup(logicalId, physicalId, resourceType, context) {
     this.logger.debug(`Deleting IAM group ${logicalId}: ${physicalId}`);
     try {
       await this.detachAllGroupPolicies(physicalId);
@@ -9241,6 +9470,14 @@ var IAMUserGroupProvider = class {
       this.logger.debug(`Successfully deleted IAM group ${logicalId}`);
     } catch (error) {
       if (error instanceof NoSuchEntityException4) {
+        const clientRegion = await this.iamClient.config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(`Group ${physicalId} does not exist, skipping deletion`);
         return;
       }
@@ -9515,7 +9752,7 @@ var IAMUserGroupProvider = class {
       );
     }
   }
-  async deleteUserToGroupAddition(logicalId, physicalId, resourceType, properties) {
+  async deleteUserToGroupAddition(logicalId, physicalId, resourceType, properties, _context) {
     this.logger.debug(`Deleting IAM UserToGroupAddition ${logicalId}`);
     if (!properties) {
       this.logger.debug(`No properties for UserToGroupAddition ${logicalId}, skipping deletion`);
@@ -10389,12 +10626,20 @@ var S3BucketProvider = class {
    *
    * Note: The bucket must be empty before deletion.
    */
-  async delete(logicalId, physicalId, resourceType, _properties) {
+  async delete(logicalId, physicalId, resourceType, _properties, context) {
     this.logger.debug(`Deleting S3 bucket ${logicalId}: ${physicalId}`);
     try {
       await this.deleteBucketWithEmptyRetry(logicalId, physicalId);
     } catch (error) {
       if (error instanceof NoSuchBucket) {
+        const clientRegion = await this.s3Client.config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(`Bucket ${physicalId} does not exist, skipping deletion`);
         return;
       }
@@ -10589,7 +10834,7 @@ var S3BucketPolicyProvider = class {
   /**
    * Delete an S3 bucket policy
    */
-  async delete(logicalId, physicalId, resourceType, _properties) {
+  async delete(logicalId, physicalId, resourceType, _properties, context) {
     this.logger.debug(`Deleting S3 bucket policy ${logicalId}: ${physicalId}`);
     try {
       try {
@@ -10601,10 +10846,26 @@ var S3BucketPolicyProvider = class {
         this.logger.debug(`Successfully deleted S3 bucket policy ${logicalId}`);
       } catch (error) {
         if (error instanceof NoSuchBucket2) {
+          const clientRegion = await this.s3Client.config.region();
+          assertRegionMatch(
+            clientRegion,
+            context?.expectedRegion,
+            resourceType,
+            logicalId,
+            physicalId
+          );
           this.logger.debug(`Bucket ${physicalId} does not exist, skipping policy deletion`);
           return;
         }
         if (error instanceof Error && (error.name === "NoSuchBucketPolicy" || error.message.includes("does not have"))) {
+          const clientRegion = await this.s3Client.config.region();
+          assertRegionMatch(
+            clientRegion,
+            context?.expectedRegion,
+            resourceType,
+            logicalId,
+            physicalId
+          );
           this.logger.debug(`Bucket policy for ${physicalId} does not exist, skipping`);
           return;
         }
@@ -10794,13 +11055,21 @@ var SQSQueueProvider = class {
   /**
    * Delete an SQS queue
    */
-  async delete(logicalId, physicalId, resourceType, _properties) {
+  async delete(logicalId, physicalId, resourceType, _properties, context) {
     this.logger.debug(`Deleting SQS queue ${logicalId}: ${physicalId}`);
     try {
       await this.sqsClient.send(new DeleteQueueCommand({ QueueUrl: physicalId }));
       this.logger.debug(`Successfully deleted SQS queue ${logicalId}`);
     } catch (error) {
       if (error instanceof QueueDoesNotExist) {
+        const clientRegion = await this.sqsClient.config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(`SQS queue ${physicalId} does not exist, skipping deletion`);
         return;
       }
@@ -10949,7 +11218,7 @@ var SQSQueuePolicyProvider = class {
   /**
    * Delete an SQS queue policy
    */
-  async delete(logicalId, physicalId, resourceType, _properties) {
+  async delete(logicalId, physicalId, resourceType, _properties, context) {
     this.logger.debug(`Deleting SQS queue policy ${logicalId}: ${physicalId}`);
     try {
       await this.sqsClient.send(
@@ -10963,6 +11232,14 @@ var SQSQueuePolicyProvider = class {
       this.logger.debug(`Successfully deleted SQS queue policy ${logicalId}`);
     } catch (error) {
       if (error instanceof Error && (error.name === "QueueDoesNotExist" || error.message.includes("does not exist"))) {
+        const clientRegion = await this.sqsClient.config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(`Queue ${physicalId} does not exist, skipping policy deletion`);
         return;
       }
@@ -11243,13 +11520,21 @@ var SNSTopicProvider = class {
   /**
    * Delete an SNS topic
    */
-  async delete(logicalId, physicalId, resourceType, _properties) {
+  async delete(logicalId, physicalId, resourceType, _properties, context) {
     this.logger.debug(`Deleting SNS topic ${logicalId}: ${physicalId}`);
     try {
       await this.snsClient.send(new DeleteTopicCommand({ TopicArn: physicalId }));
       this.logger.debug(`Successfully deleted SNS topic ${logicalId}`);
     } catch (error) {
       if (error instanceof NotFoundException) {
+        const clientRegion = await this.snsClient.config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(`SNS topic ${physicalId} does not exist, skipping deletion`);
         return;
       }
@@ -11368,7 +11653,7 @@ var SNSSubscriptionProvider = class {
   /**
    * Delete an SNS subscription
    */
-  async delete(logicalId, physicalId, resourceType, _properties) {
+  async delete(logicalId, physicalId, resourceType, _properties, context) {
     this.logger.debug(`Deleting SNS subscription ${logicalId}: ${physicalId}`);
     try {
       await this.snsClient.send(
@@ -11379,6 +11664,14 @@ var SNSSubscriptionProvider = class {
       this.logger.debug(`Successfully deleted SNS subscription ${logicalId}`);
     } catch (error) {
       if (error instanceof NotFoundException2) {
+        const clientRegion = await this.snsClient.config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(`Subscription ${physicalId} does not exist, skipping deletion`);
         return;
       }
@@ -11499,7 +11792,7 @@ var SNSTopicPolicyProvider = class {
    *
    * Removes the policy from each topic by setting an empty policy.
    */
-  async delete(logicalId, physicalId, resourceType, _properties) {
+  async delete(logicalId, physicalId, resourceType, _properties, context) {
     this.logger.debug(`Deleting SNS topic policy ${logicalId}: ${physicalId}`);
     const topicArns = physicalId.split(",");
     for (const topicArn of topicArns) {
@@ -11508,6 +11801,14 @@ var SNSTopicPolicyProvider = class {
         this.logger.debug(`Removed policy from topic ${topicArn}`);
       } catch (error) {
         if (error instanceof Error && (error.name === "NotFoundException" || error.name === "NotFound" || error.message.includes("not found") || error.message.includes("does not exist") || error.message.includes("Invalid parameter"))) {
+          const clientRegion = await getAwsClients().sns.config.region();
+          assertRegionMatch(
+            clientRegion,
+            context?.expectedRegion,
+            resourceType,
+            logicalId,
+            topicArn
+          );
           this.logger.debug(`Topic ${topicArn} not found or policy already removed, skipping`);
           continue;
         }
@@ -11772,7 +12073,7 @@ var LambdaFunctionProvider = class {
    * security groups, we poll DescribeNetworkInterfaces for the function's
    * managed ENIs and only return once they are gone (or the timeout elapses).
    */
-  async delete(logicalId, physicalId, resourceType, properties) {
+  async delete(logicalId, physicalId, resourceType, properties, context) {
     this.logger.debug(`Deleting Lambda function ${logicalId}: ${physicalId}`);
     const hasVpcConfig = this.hasVpcConfig(properties?.["VpcConfig"]);
     if (hasVpcConfig) {
@@ -11786,6 +12087,14 @@ var LambdaFunctionProvider = class {
         this.logger.debug(`Detached VPC config from Lambda ${physicalId} before deletion`);
       } catch (error) {
         if (error instanceof ResourceNotFoundException) {
+          const clientRegion = await this.lambdaClient.config.region();
+          assertRegionMatch(
+            clientRegion,
+            context?.expectedRegion,
+            resourceType,
+            logicalId,
+            physicalId
+          );
           return;
         }
         this.logger.warn(
@@ -11799,6 +12108,14 @@ var LambdaFunctionProvider = class {
       this.logger.debug(`Successfully deleted Lambda function ${logicalId}`);
     } catch (error) {
       if (error instanceof ResourceNotFoundException) {
+        const clientRegion = await this.lambdaClient.config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(`Lambda function ${physicalId} does not exist, skipping deletion`);
         return;
       }
@@ -12265,7 +12582,7 @@ var LambdaPermissionProvider = class {
   /**
    * Delete a Lambda permission
    */
-  async delete(logicalId, physicalId, resourceType, properties) {
+  async delete(logicalId, physicalId, resourceType, properties, context) {
     this.logger.debug(`Deleting Lambda permission ${logicalId}: ${physicalId}`);
     const functionName = properties?.["FunctionName"];
     if (!functionName) {
@@ -12288,6 +12605,14 @@ var LambdaPermissionProvider = class {
       this.logger.debug(`Successfully deleted Lambda permission ${logicalId}`);
     } catch (error) {
       if (error instanceof ResourceNotFoundException2) {
+        const clientRegion = await this.lambdaClient.config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(`Lambda permission ${physicalId} does not exist, skipping deletion`);
         return;
       }
@@ -12404,7 +12729,7 @@ var LambdaUrlProvider = class {
   /**
    * Delete a Lambda Function URL
    */
-  async delete(logicalId, physicalId, resourceType, _properties) {
+  async delete(logicalId, physicalId, resourceType, _properties, context) {
     this.logger.debug(`Deleting Lambda URL ${logicalId}: ${physicalId}`);
     try {
       await this.lambdaClient.send(
@@ -12413,6 +12738,14 @@ var LambdaUrlProvider = class {
       this.logger.debug(`Successfully deleted Lambda URL ${logicalId}`);
     } catch (error) {
       if (error instanceof ResourceNotFoundException3) {
+        const clientRegion = await this.lambdaClient.config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(`Lambda URL ${physicalId} does not exist, skipping deletion`);
         return;
       }
@@ -12623,13 +12956,21 @@ var LambdaEventSourceMappingProvider = class {
   /**
    * Delete a Lambda Event Source Mapping
    */
-  async delete(logicalId, physicalId, resourceType, _properties) {
+  async delete(logicalId, physicalId, resourceType, _properties, context) {
     this.logger.debug(`Deleting event source mapping ${logicalId}: ${physicalId}`);
     try {
       try {
         await this.lambdaClient.send(new GetEventSourceMappingCommand({ UUID: physicalId }));
       } catch (error) {
         if (error instanceof ResourceNotFoundException4) {
+          const clientRegion = await this.lambdaClient.config.region();
+          assertRegionMatch(
+            clientRegion,
+            context?.expectedRegion,
+            resourceType,
+            logicalId,
+            physicalId
+          );
           this.logger.debug(`Event source mapping ${physicalId} does not exist, skipping deletion`);
           return;
         }
@@ -12639,6 +12980,14 @@ var LambdaEventSourceMappingProvider = class {
       this.logger.debug(`Successfully deleted event source mapping ${logicalId}`);
     } catch (error) {
       if (error instanceof ResourceNotFoundException4) {
+        const clientRegion = await this.lambdaClient.config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(`Event source mapping ${physicalId} does not exist, skipping deletion`);
         return;
       }
@@ -12752,7 +13101,7 @@ var LambdaLayerVersionProvider = class {
   /**
    * Delete a Lambda layer version
    */
-  async delete(logicalId, physicalId, resourceType, _properties) {
+  async delete(logicalId, physicalId, resourceType, _properties, context) {
     this.logger.debug(`Deleting Lambda layer version ${logicalId}: ${physicalId}`);
     const arnParts = physicalId.split(":");
     if (arnParts.length < 8) {
@@ -12775,6 +13124,14 @@ var LambdaLayerVersionProvider = class {
       this.logger.debug(`Successfully deleted Lambda layer version ${logicalId}`);
     } catch (error) {
       if (error instanceof ResourceNotFoundException5) {
+        const clientRegion = await this.lambdaClient.config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(`Lambda layer version ${physicalId} does not exist, skipping deletion`);
         return;
       }
@@ -12951,13 +13308,21 @@ var DynamoDBTableProvider = class {
   /**
    * Delete a DynamoDB table
    */
-  async delete(logicalId, physicalId, resourceType, _properties) {
+  async delete(logicalId, physicalId, resourceType, _properties, context) {
     this.logger.debug(`Deleting DynamoDB table ${logicalId}: ${physicalId}`);
     try {
       await this.dynamoDBClient.send(new DeleteTableCommand({ TableName: physicalId }));
       this.logger.debug(`Successfully deleted DynamoDB table ${logicalId}`);
     } catch (error) {
       if (error instanceof ResourceNotFoundException6) {
+        const clientRegion = await this.dynamoDBClient.config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(`DynamoDB table ${physicalId} does not exist, skipping deletion`);
         return;
       }
@@ -13186,13 +13551,21 @@ var LogsLogGroupProvider = class {
   /**
    * Delete a CloudWatch Logs log group
    */
-  async delete(logicalId, physicalId, resourceType, _properties) {
+  async delete(logicalId, physicalId, resourceType, _properties, context) {
     this.logger.debug(`Deleting log group ${logicalId}: ${physicalId}`);
     try {
       await this.logsClient.send(new DeleteLogGroupCommand({ logGroupName: physicalId }));
       this.logger.debug(`Successfully deleted log group ${logicalId}`);
     } catch (error) {
       if (error instanceof ResourceNotFoundException7) {
+        const clientRegion = await this.logsClient.config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(`Log group ${physicalId} does not exist, skipping deletion`);
         return;
       }
@@ -13323,7 +13696,7 @@ var CloudWatchAlarmProvider = class {
   /**
    * Delete a CloudWatch alarm
    */
-  async delete(logicalId, physicalId, resourceType, _properties) {
+  async delete(logicalId, physicalId, resourceType, _properties, context) {
     this.logger.debug(`Deleting CloudWatch alarm ${logicalId}: ${physicalId}`);
     try {
       await this.cloudWatchClient.send(
@@ -13334,6 +13707,14 @@ var CloudWatchAlarmProvider = class {
       this.logger.debug(`Successfully deleted CloudWatch alarm ${logicalId}`);
     } catch (error) {
       if (error instanceof Error && error.name === "ResourceNotFound") {
+        const clientRegion = await this.cloudWatchClient.config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(`Alarm ${physicalId} does not exist, skipping deletion`);
         return;
       }
@@ -13627,7 +14008,7 @@ var SecretsManagerSecretProvider = class {
   /**
    * Delete a Secrets Manager secret
    */
-  async delete(logicalId, physicalId, resourceType, _properties) {
+  async delete(logicalId, physicalId, resourceType, _properties, context) {
     this.logger.debug(`Deleting secret ${logicalId}: ${physicalId}`);
     try {
       await this.smClient.send(
@@ -13639,6 +14020,14 @@ var SecretsManagerSecretProvider = class {
       this.logger.debug(`Successfully deleted secret ${logicalId}`);
     } catch (error) {
       if (error instanceof ResourceNotFoundException8) {
+        const clientRegion = await this.smClient.config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(`Secret ${physicalId} does not exist, skipping deletion`);
         return;
       }
@@ -13883,7 +14272,7 @@ var SSMParameterProvider = class {
   /**
    * Delete an SSM parameter
    */
-  async delete(logicalId, physicalId, resourceType, _properties) {
+  async delete(logicalId, physicalId, resourceType, _properties, context) {
     this.logger.debug(`Deleting SSM parameter ${logicalId}: ${physicalId}`);
     try {
       await this.ssmClient.send(
@@ -13894,6 +14283,14 @@ var SSMParameterProvider = class {
       this.logger.debug(`Successfully deleted SSM parameter ${logicalId}`);
     } catch (error) {
       if (error instanceof ParameterNotFound) {
+        const clientRegion = await this.ssmClient.config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(`Parameter ${physicalId} does not exist, skipping deletion`);
         return;
       }
@@ -14112,7 +14509,7 @@ var EventBridgeRuleProvider = class {
    *
    * Before deleting, removes all targets (required by EventBridge API).
    */
-  async delete(logicalId, physicalId, resourceType, _properties) {
+  async delete(logicalId, physicalId, resourceType, _properties, context) {
     this.logger.debug(`Deleting EventBridge rule ${logicalId}: ${physicalId}`);
     const ruleName = this.extractRuleNameFromArn(physicalId);
     try {
@@ -14124,6 +14521,14 @@ var EventBridgeRuleProvider = class {
         targetIds = (targetsResponse.Targets || []).map((t) => t.Id).filter((id) => id !== void 0);
       } catch (error) {
         if (error instanceof ResourceNotFoundException9) {
+          const clientRegion = await this.eventBridgeClient.config.region();
+          assertRegionMatch(
+            clientRegion,
+            context?.expectedRegion,
+            resourceType,
+            logicalId,
+            physicalId
+          );
           this.logger.debug(`Rule ${ruleName} does not exist, skipping deletion`);
           return;
         }
@@ -14142,6 +14547,14 @@ var EventBridgeRuleProvider = class {
       this.logger.debug(`Successfully deleted EventBridge rule ${logicalId}`);
     } catch (error) {
       if (error instanceof ResourceNotFoundException9) {
+        const clientRegion = await this.eventBridgeClient.config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(`Rule ${ruleName} does not exist, skipping deletion`);
         return;
       }
@@ -14327,7 +14740,7 @@ var EventBridgeBusProvider = class {
     }
     return { physicalId, wasReplaced: false, attributes: {} };
   }
-  async delete(logicalId, physicalId, resourceType) {
+  async delete(logicalId, physicalId, resourceType, _properties, context) {
     this.logger.debug(`Deleting EventBus ${logicalId}: ${physicalId}`);
     try {
       await this.cleanupRulesOnBus(physicalId);
@@ -14335,11 +14748,27 @@ var EventBridgeBusProvider = class {
       this.logger.debug(`Successfully deleted EventBus ${logicalId}`);
     } catch (error) {
       if (error instanceof ResourceNotFoundException10) {
+        const clientRegion = await this.eventBridgeClient.config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(`EventBus ${physicalId} does not exist, skipping`);
         return;
       }
       const msg = error instanceof Error ? error.message : String(error);
       if (msg.includes("does not exist")) {
+        const clientRegion = await this.eventBridgeClient.config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(`EventBus ${physicalId} does not exist, skipping`);
         return;
       }
@@ -14639,32 +15068,38 @@ var EC2Provider = class {
         );
     }
   }
-  async delete(logicalId, physicalId, resourceType, properties) {
+  async delete(logicalId, physicalId, resourceType, properties, context) {
     switch (resourceType) {
       case "AWS::EC2::VPC":
-        return this.deleteVpc(logicalId, physicalId, resourceType);
+        return this.deleteVpc(logicalId, physicalId, resourceType, context);
       case "AWS::EC2::Subnet":
-        return this.deleteSubnet(logicalId, physicalId, resourceType);
+        return this.deleteSubnet(logicalId, physicalId, resourceType, context);
       case "AWS::EC2::InternetGateway":
-        return this.deleteInternetGateway(logicalId, physicalId, resourceType);
+        return this.deleteInternetGateway(logicalId, physicalId, resourceType, context);
       case "AWS::EC2::VPCGatewayAttachment":
-        return this.deleteVpcGatewayAttachment(logicalId, physicalId, resourceType);
+        return this.deleteVpcGatewayAttachment(logicalId, physicalId, resourceType, context);
       case "AWS::EC2::RouteTable":
-        return this.deleteRouteTable(logicalId, physicalId, resourceType);
+        return this.deleteRouteTable(logicalId, physicalId, resourceType, context);
       case "AWS::EC2::Route":
-        return this.deleteRoute(logicalId, physicalId, resourceType);
+        return this.deleteRoute(logicalId, physicalId, resourceType, context);
       case "AWS::EC2::SubnetRouteTableAssociation":
-        return this.deleteSubnetRouteTableAssociation(logicalId, physicalId, resourceType);
+        return this.deleteSubnetRouteTableAssociation(logicalId, physicalId, resourceType, context);
       case "AWS::EC2::SecurityGroup":
-        return this.deleteSecurityGroup(logicalId, physicalId, resourceType);
+        return this.deleteSecurityGroup(logicalId, physicalId, resourceType, context);
       case "AWS::EC2::SecurityGroupIngress":
-        return this.deleteSecurityGroupIngress(logicalId, physicalId, resourceType, properties);
+        return this.deleteSecurityGroupIngress(
+          logicalId,
+          physicalId,
+          resourceType,
+          properties,
+          context
+        );
       case "AWS::EC2::Instance":
-        return this.deleteInstance(logicalId, physicalId, resourceType);
+        return this.deleteInstance(logicalId, physicalId, resourceType, context);
       case "AWS::EC2::NetworkAcl":
-        return this.deleteNetworkAcl(logicalId, physicalId, resourceType);
+        return this.deleteNetworkAcl(logicalId, physicalId, resourceType, context);
       case "AWS::EC2::NetworkAclEntry":
-        return this.deleteNetworkAclEntry(logicalId, physicalId, resourceType);
+        return this.deleteNetworkAclEntry(logicalId, physicalId, resourceType, context);
       case "AWS::EC2::SubnetNetworkAclAssociation":
         this.logger.debug(`SubnetNetworkAclAssociation ${logicalId} delete is a no-op`);
         return;
@@ -14805,7 +15240,7 @@ var EC2Provider = class {
       );
     }
   }
-  async deleteVpc(logicalId, physicalId, resourceType) {
+  async deleteVpc(logicalId, physicalId, resourceType, context) {
     this.logger.debug(`Deleting VPC ${logicalId}: ${physicalId}`);
     const maxAttempts = 10;
     for (let attempt = 1; attempt <= maxAttempts; attempt++) {
@@ -14815,6 +15250,14 @@ var EC2Provider = class {
         return;
       } catch (error) {
         if (this.isNotFoundError(error)) {
+          const clientRegion = await this.ec2Client.config.region();
+          assertRegionMatch(
+            clientRegion,
+            context?.expectedRegion,
+            resourceType,
+            logicalId,
+            physicalId
+          );
           this.logger.debug(`VPC ${physicalId} does not exist, skipping deletion`);
           return;
         }
@@ -14920,7 +15363,7 @@ var EC2Provider = class {
     this.logger.debug(`Updating Subnet ${logicalId}: ${physicalId} (no-op, immutable properties)`);
     return Promise.resolve({ physicalId, wasReplaced: false });
   }
-  async deleteSubnet(logicalId, physicalId, resourceType) {
+  async deleteSubnet(logicalId, physicalId, resourceType, context) {
     this.logger.debug(`Deleting Subnet ${logicalId}: ${physicalId}`);
     const maxAttempts = 10;
     for (let attempt = 1; attempt <= maxAttempts; attempt++) {
@@ -14930,6 +15373,14 @@ var EC2Provider = class {
         return;
       } catch (error) {
         if (this.isNotFoundError(error)) {
+          const clientRegion = await this.ec2Client.config.region();
+          assertRegionMatch(
+            clientRegion,
+            context?.expectedRegion,
+            resourceType,
+            logicalId,
+            physicalId
+          );
           this.logger.debug(`Subnet ${physicalId} does not exist, skipping deletion`);
           return;
         }
@@ -15048,7 +15499,7 @@ var EC2Provider = class {
     this.logger.debug(`Updating InternetGateway ${logicalId}: ${physicalId} (no-op)`);
     return Promise.resolve({ physicalId, wasReplaced: false });
   }
-  async deleteInternetGateway(logicalId, physicalId, resourceType) {
+  async deleteInternetGateway(logicalId, physicalId, resourceType, context) {
     this.logger.debug(`Deleting InternetGateway ${logicalId}: ${physicalId}`);
     try {
       await this.ec2Client.send(
@@ -15057,6 +15508,14 @@ var EC2Provider = class {
       this.logger.debug(`Successfully deleted InternetGateway ${logicalId}`);
     } catch (error) {
       if (this.isNotFoundError(error)) {
+        const clientRegion = await this.ec2Client.config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(`InternetGateway ${physicalId} does not exist, skipping deletion`);
         return;
       }
@@ -15110,7 +15569,7 @@ var EC2Provider = class {
     this.logger.debug(`Updating VPCGatewayAttachment ${logicalId}: ${physicalId} (no-op)`);
     return Promise.resolve({ physicalId, wasReplaced: false });
   }
-  async deleteVpcGatewayAttachment(logicalId, physicalId, resourceType) {
+  async deleteVpcGatewayAttachment(logicalId, physicalId, resourceType, context) {
     this.logger.debug(`Deleting VPCGatewayAttachment ${logicalId}: ${physicalId}`);
     const parts = physicalId.split("|");
     if (parts.length !== 2) {
@@ -15132,6 +15591,14 @@ var EC2Provider = class {
       this.logger.debug(`Successfully deleted VPCGatewayAttachment ${logicalId}`);
     } catch (error) {
       if (this.isNotFoundError(error)) {
+        const clientRegion = await this.ec2Client.config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(`VPCGatewayAttachment ${physicalId} does not exist, skipping deletion`);
         return;
       }
@@ -15182,13 +15649,21 @@ var EC2Provider = class {
     this.logger.debug(`Updating RouteTable ${logicalId}: ${physicalId} (no-op)`);
     return Promise.resolve({ physicalId, wasReplaced: false });
   }
-  async deleteRouteTable(logicalId, physicalId, resourceType) {
+  async deleteRouteTable(logicalId, physicalId, resourceType, context) {
     this.logger.debug(`Deleting RouteTable ${logicalId}: ${physicalId}`);
     try {
       await this.ec2Client.send(new DeleteRouteTableCommand({ RouteTableId: physicalId }));
       this.logger.debug(`Successfully deleted RouteTable ${logicalId}`);
     } catch (error) {
       if (this.isNotFoundError(error)) {
+        const clientRegion = await this.ec2Client.config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(`RouteTable ${physicalId} does not exist, skipping deletion`);
         return;
       }
@@ -15268,7 +15743,7 @@ var EC2Provider = class {
       );
     }
   }
-  async deleteRoute(logicalId, physicalId, resourceType) {
+  async deleteRoute(logicalId, physicalId, resourceType, context) {
     this.logger.debug(`Deleting Route ${logicalId}: ${physicalId}`);
     const parts = physicalId.split("|");
     if (parts.length !== 2) {
@@ -15291,6 +15766,14 @@ var EC2Provider = class {
       this.logger.debug(`Successfully deleted Route ${logicalId}`);
     } catch (error) {
       if (this.isNotFoundError(error)) {
+        const clientRegion = await this.ec2Client.config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(`Route ${physicalId} does not exist, skipping deletion`);
         return;
       }
@@ -15348,13 +15831,21 @@ var EC2Provider = class {
     );
     return Promise.resolve({ physicalId, wasReplaced: false });
   }
-  async deleteSubnetRouteTableAssociation(logicalId, physicalId, resourceType) {
+  async deleteSubnetRouteTableAssociation(logicalId, physicalId, resourceType, context) {
     this.logger.debug(`Deleting SubnetRouteTableAssociation ${logicalId}: ${physicalId}`);
     try {
       await this.ec2Client.send(new DisassociateRouteTableCommand({ AssociationId: physicalId }));
       this.logger.debug(`Successfully deleted SubnetRouteTableAssociation ${logicalId}`);
     } catch (error) {
       if (this.isNotFoundError(error)) {
+        const clientRegion = await this.ec2Client.config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(
           `SubnetRouteTableAssociation ${physicalId} does not exist, skipping deletion`
         );
@@ -15485,7 +15976,7 @@ var EC2Provider = class {
       );
     }
   }
-  async deleteSecurityGroup(logicalId, physicalId, resourceType) {
+  async deleteSecurityGroup(logicalId, physicalId, resourceType, context) {
     this.logger.debug(`Deleting SecurityGroup ${logicalId}: ${physicalId}`);
     const maxAttempts = 10;
     for (let attempt = 1; attempt <= maxAttempts; attempt++) {
@@ -15495,6 +15986,14 @@ var EC2Provider = class {
         return;
       } catch (error) {
         if (this.isNotFoundError(error)) {
+          const clientRegion = await this.ec2Client.config.region();
+          assertRegionMatch(
+            clientRegion,
+            context?.expectedRegion,
+            resourceType,
+            logicalId,
+            physicalId
+          );
           this.logger.debug(`SecurityGroup ${physicalId} does not exist, skipping deletion`);
           return;
         }
@@ -15652,7 +16151,7 @@ var EC2Provider = class {
       );
     }
   }
-  async deleteSecurityGroupIngress(logicalId, physicalId, resourceType, properties) {
+  async deleteSecurityGroupIngress(logicalId, physicalId, resourceType, properties, context) {
     this.logger.debug(`Deleting SecurityGroupIngress ${logicalId}: ${physicalId}`);
     const parts = physicalId.split("|");
     if (parts.length !== 4) {
@@ -15679,6 +16178,14 @@ var EC2Provider = class {
       this.logger.debug(`Successfully deleted SecurityGroupIngress ${logicalId}`);
     } catch (error) {
       if (this.isNotFoundError(error)) {
+        const clientRegion = await this.ec2Client.config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(`SecurityGroupIngress ${physicalId} does not exist, skipping deletion`);
         return;
       }
@@ -15795,7 +16302,7 @@ var EC2Provider = class {
       );
     }
   }
-  async deleteInstance(logicalId, physicalId, resourceType) {
+  async deleteInstance(logicalId, physicalId, resourceType, context) {
     this.logger.debug(`Terminating EC2 Instance ${logicalId}: ${physicalId}`);
     try {
       await this.ec2Client.send(new TerminateInstancesCommand({ InstanceIds: [physicalId] }));
@@ -15807,6 +16314,14 @@ var EC2Provider = class {
       this.logger.debug(`EC2 Instance ${logicalId} terminated: ${physicalId}`);
     } catch (error) {
       if (this.isNotFoundError(error)) {
+        const clientRegion = await this.ec2Client.config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(
           `EC2 Instance ${physicalId} already terminated (not found), treating as success`
         );
@@ -16042,13 +16557,21 @@ var EC2Provider = class {
       );
     }
   }
-  async deleteNetworkAcl(logicalId, physicalId, resourceType) {
+  async deleteNetworkAcl(logicalId, physicalId, resourceType, context) {
     this.logger.debug(`Deleting NetworkAcl ${logicalId}: ${physicalId}`);
     try {
       await this.ec2Client.send(new DeleteNetworkAclCommand({ NetworkAclId: physicalId }));
       this.logger.debug(`Successfully deleted NetworkAcl ${logicalId}`);
     } catch (error) {
       if (this.isNotFoundError(error)) {
+        const clientRegion = await this.ec2Client.config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(`NetworkAcl ${physicalId} does not exist, skipping deletion`);
         return;
       }
@@ -16118,7 +16641,7 @@ var EC2Provider = class {
       );
     }
   }
-  async deleteNetworkAclEntry(logicalId, physicalId, resourceType) {
+  async deleteNetworkAclEntry(logicalId, physicalId, resourceType, context) {
     this.logger.debug(`Deleting NetworkAclEntry ${logicalId}: ${physicalId}`);
     const parts = physicalId.split("|");
     if (parts.length < 3) {
@@ -16139,6 +16662,14 @@ var EC2Provider = class {
       this.logger.debug(`Successfully deleted NetworkAclEntry ${logicalId}`);
     } catch (error) {
       if (this.isNotFoundError(error)) {
+        const clientRegion = await this.ec2Client.config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(`NetworkAclEntry ${physicalId} does not exist, skipping deletion`);
         return;
       }
@@ -16381,20 +16912,20 @@ var ApiGatewayProvider = class _ApiGatewayProvider {
   /**
    * Delete a resource
    */
-  async delete(logicalId, physicalId, resourceType, properties) {
+  async delete(logicalId, physicalId, resourceType, properties, context) {
     switch (resourceType) {
       case "AWS::ApiGateway::Account":
         return this.deleteAccount(logicalId, physicalId, resourceType);
       case "AWS::ApiGateway::Authorizer":
-        return this.deleteAuthorizer(logicalId, physicalId, resourceType, properties);
+        return this.deleteAuthorizer(logicalId, physicalId, resourceType, properties, context);
       case "AWS::ApiGateway::Resource":
-        return this.deleteResource(logicalId, physicalId, resourceType, properties);
+        return this.deleteResource(logicalId, physicalId, resourceType, properties, context);
       case "AWS::ApiGateway::Deployment":
-        return this.deleteDeployment(logicalId, physicalId, resourceType, properties);
+        return this.deleteDeployment(logicalId, physicalId, resourceType, properties, context);
       case "AWS::ApiGateway::Stage":
-        return this.deleteStage(logicalId, physicalId, resourceType, properties);
+        return this.deleteStage(logicalId, physicalId, resourceType, properties, context);
       case "AWS::ApiGateway::Method":
-        return this.deleteMethod(logicalId, physicalId, resourceType);
+        return this.deleteMethod(logicalId, physicalId, resourceType, context);
       default:
         throw new ProvisioningError(
           `Unsupported resource type: ${resourceType}`,
@@ -16616,7 +17147,7 @@ var ApiGatewayProvider = class _ApiGatewayProvider {
   /**
    * Delete an API Gateway Authorizer
    */
-  async deleteAuthorizer(logicalId, physicalId, resourceType, properties) {
+  async deleteAuthorizer(logicalId, physicalId, resourceType, properties, context) {
     this.logger.debug(`Deleting API Gateway Authorizer ${logicalId}: ${physicalId}`);
     const restApiId = properties?.["RestApiId"];
     if (!restApiId) {
@@ -16637,6 +17168,14 @@ var ApiGatewayProvider = class _ApiGatewayProvider {
       this.logger.debug(`Successfully deleted API Gateway Authorizer ${logicalId}`);
     } catch (error) {
       if (error instanceof NotFoundException3) {
+        const clientRegion = await this.apiGatewayClient.config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(`API Gateway Authorizer ${physicalId} does not exist, skipping deletion`);
         return;
       }
@@ -16741,7 +17280,7 @@ var ApiGatewayProvider = class _ApiGatewayProvider {
   /**
    * Delete an API Gateway Resource
    */
-  async deleteResource(logicalId, physicalId, resourceType, properties) {
+  async deleteResource(logicalId, physicalId, resourceType, properties, context) {
     this.logger.debug(`Deleting API Gateway Resource ${logicalId}: ${physicalId}`);
     const restApiId = properties?.["RestApiId"];
     if (!restApiId) {
@@ -16762,6 +17301,14 @@ var ApiGatewayProvider = class _ApiGatewayProvider {
       this.logger.debug(`Successfully deleted API Gateway Resource ${logicalId}`);
     } catch (error) {
       if (error instanceof NotFoundException3) {
+        const clientRegion = await this.apiGatewayClient.config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(`API Gateway Resource ${physicalId} does not exist, skipping deletion`);
         return;
       }
@@ -16845,7 +17392,7 @@ var ApiGatewayProvider = class _ApiGatewayProvider {
   /**
    * Delete an API Gateway Deployment
    */
-  async deleteDeployment(logicalId, physicalId, resourceType, properties) {
+  async deleteDeployment(logicalId, physicalId, resourceType, properties, context) {
     this.logger.debug(`Deleting API Gateway Deployment ${logicalId}: ${physicalId}`);
     const restApiId = properties?.["RestApiId"];
     if (!restApiId) {
@@ -16866,6 +17413,14 @@ var ApiGatewayProvider = class _ApiGatewayProvider {
       this.logger.debug(`Successfully deleted API Gateway Deployment ${logicalId}`);
     } catch (error) {
       if (error instanceof NotFoundException3) {
+        const clientRegion = await this.apiGatewayClient.config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(`API Gateway Deployment ${physicalId} does not exist, skipping deletion`);
         return;
       }
@@ -17003,7 +17558,7 @@ var ApiGatewayProvider = class _ApiGatewayProvider {
   /**
    * Delete an API Gateway Stage
    */
-  async deleteStage(logicalId, physicalId, resourceType, properties) {
+  async deleteStage(logicalId, physicalId, resourceType, properties, context) {
     this.logger.debug(`Deleting API Gateway Stage ${logicalId}: ${physicalId}`);
     const restApiId = properties?.["RestApiId"];
     if (!restApiId) {
@@ -17024,6 +17579,14 @@ var ApiGatewayProvider = class _ApiGatewayProvider {
       this.logger.debug(`Successfully deleted API Gateway Stage ${logicalId}`);
     } catch (error) {
       if (error instanceof NotFoundException3) {
+        const clientRegion = await this.apiGatewayClient.config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(`API Gateway Stage ${physicalId} does not exist, skipping deletion`);
         return;
       }
@@ -17143,7 +17706,7 @@ var ApiGatewayProvider = class _ApiGatewayProvider {
    * Parses the composite physicalId (`restApiId|resourceId|httpMethod`) and
    * calls DeleteMethodCommand. Handles NotFoundException gracefully.
    */
-  async deleteMethod(logicalId, physicalId, resourceType) {
+  async deleteMethod(logicalId, physicalId, resourceType, context) {
     this.logger.debug(`Deleting API Gateway Method ${logicalId}: ${physicalId}`);
     const parts = physicalId.split("|");
     if (parts.length !== 3) {
@@ -17166,6 +17729,14 @@ var ApiGatewayProvider = class _ApiGatewayProvider {
       this.logger.debug(`Successfully deleted API Gateway Method ${logicalId}`);
     } catch (error) {
       if (error instanceof NotFoundException3) {
+        const clientRegion = await this.apiGatewayClient.config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(`API Gateway Method ${physicalId} does not exist, skipping deletion`);
         return;
       }
@@ -17306,18 +17877,18 @@ var ApiGatewayV2Provider = class {
       attributes: {}
     });
   }
-  async delete(logicalId, physicalId, resourceType, properties) {
+  async delete(logicalId, physicalId, resourceType, properties, context) {
     switch (resourceType) {
       case "AWS::ApiGatewayV2::Api":
-        return this.deleteApi(logicalId, physicalId, resourceType);
+        return this.deleteApi(logicalId, physicalId, resourceType, context);
       case "AWS::ApiGatewayV2::Stage":
-        return this.deleteStage(logicalId, physicalId, resourceType, properties);
+        return this.deleteStage(logicalId, physicalId, resourceType, properties, context);
       case "AWS::ApiGatewayV2::Integration":
-        return this.deleteIntegration(logicalId, physicalId, resourceType, properties);
+        return this.deleteIntegration(logicalId, physicalId, resourceType, properties, context);
       case "AWS::ApiGatewayV2::Route":
-        return this.deleteRoute(logicalId, physicalId, resourceType, properties);
+        return this.deleteRoute(logicalId, physicalId, resourceType, properties, context);
       case "AWS::ApiGatewayV2::Authorizer":
-        return this.deleteAuthorizer(logicalId, physicalId, resourceType, properties);
+        return this.deleteAuthorizer(logicalId, physicalId, resourceType, properties, context);
       default:
         throw new ProvisioningError(
           `Unsupported resource type: ${resourceType}`,
@@ -17388,13 +17959,21 @@ var ApiGatewayV2Provider = class {
       );
     }
   }
-  async deleteApi(logicalId, physicalId, resourceType) {
+  async deleteApi(logicalId, physicalId, resourceType, context) {
     this.logger.debug(`Deleting API Gateway V2 Api ${logicalId}: ${physicalId}`);
     try {
       await this.getClient().send(new DeleteApiCommand({ ApiId: physicalId }));
       this.logger.debug(`Successfully deleted API Gateway V2 Api ${logicalId}`);
     } catch (error) {
       if (error instanceof NotFoundException4) {
+        const clientRegion = await this.getClient().config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(`API Gateway V2 Api ${physicalId} does not exist, skipping deletion`);
         return;
       }
@@ -17451,7 +18030,7 @@ var ApiGatewayV2Provider = class {
       );
     }
   }
-  async deleteStage(logicalId, physicalId, resourceType, properties) {
+  async deleteStage(logicalId, physicalId, resourceType, properties, context) {
     this.logger.debug(`Deleting API Gateway V2 Stage ${logicalId}: ${physicalId}`);
     const apiId = properties?.["ApiId"];
     if (!apiId) {
@@ -17467,6 +18046,14 @@ var ApiGatewayV2Provider = class {
       this.logger.debug(`Successfully deleted API Gateway V2 Stage ${logicalId}`);
     } catch (error) {
       if (error instanceof NotFoundException4) {
+        const clientRegion = await this.getClient().config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(`API Gateway V2 Stage ${physicalId} does not exist, skipping deletion`);
         return;
       }
@@ -17528,7 +18115,7 @@ var ApiGatewayV2Provider = class {
       );
     }
   }
-  async deleteIntegration(logicalId, physicalId, resourceType, properties) {
+  async deleteIntegration(logicalId, physicalId, resourceType, properties, context) {
     this.logger.debug(`Deleting API Gateway V2 Integration ${logicalId}: ${physicalId}`);
     const apiId = properties?.["ApiId"];
     if (!apiId) {
@@ -17546,6 +18133,14 @@ var ApiGatewayV2Provider = class {
       this.logger.debug(`Successfully deleted API Gateway V2 Integration ${logicalId}`);
     } catch (error) {
       if (error instanceof NotFoundException4) {
+        const clientRegion = await this.getClient().config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(
           `API Gateway V2 Integration ${physicalId} does not exist, skipping deletion`
         );
@@ -17607,7 +18202,7 @@ var ApiGatewayV2Provider = class {
       );
     }
   }
-  async deleteRoute(logicalId, physicalId, resourceType, properties) {
+  async deleteRoute(logicalId, physicalId, resourceType, properties, context) {
     this.logger.debug(`Deleting API Gateway V2 Route ${logicalId}: ${physicalId}`);
     const apiId = properties?.["ApiId"];
     if (!apiId) {
@@ -17623,6 +18218,14 @@ var ApiGatewayV2Provider = class {
       this.logger.debug(`Successfully deleted API Gateway V2 Route ${logicalId}`);
     } catch (error) {
       if (error instanceof NotFoundException4) {
+        const clientRegion = await this.getClient().config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(`API Gateway V2 Route ${physicalId} does not exist, skipping deletion`);
         return;
       }
@@ -17687,7 +18290,7 @@ var ApiGatewayV2Provider = class {
       );
     }
   }
-  async deleteAuthorizer(logicalId, physicalId, resourceType, properties) {
+  async deleteAuthorizer(logicalId, physicalId, resourceType, properties, context) {
     this.logger.debug(`Deleting API Gateway V2 Authorizer ${logicalId}: ${physicalId}`);
     const apiId = properties?.["ApiId"];
     if (!apiId) {
@@ -17705,6 +18308,14 @@ var ApiGatewayV2Provider = class {
       this.logger.debug(`Successfully deleted API Gateway V2 Authorizer ${logicalId}`);
     } catch (error) {
       if (error instanceof NotFoundException4) {
+        const clientRegion = await this.getClient().config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(
           `API Gateway V2 Authorizer ${physicalId} does not exist, skipping deletion`
         );
@@ -17812,7 +18423,7 @@ var CloudFrontOAIProvider = class {
    *
    * Requires fetching the ETag first, then passing it as IfMatch for deletion.
    */
-  async delete(logicalId, physicalId, resourceType, _properties) {
+  async delete(logicalId, physicalId, resourceType, _properties, context) {
     this.logger.debug(`Deleting CloudFront OAI ${logicalId}: ${physicalId}`);
     try {
       let etag;
@@ -17823,6 +18434,14 @@ var CloudFrontOAIProvider = class {
         etag = getResponse.ETag;
       } catch (error) {
         if (error instanceof NoSuchCloudFrontOriginAccessIdentity) {
+          const clientRegion = await this.cloudFrontClient.config.region();
+          assertRegionMatch(
+            clientRegion,
+            context?.expectedRegion,
+            resourceType,
+            logicalId,
+            physicalId
+          );
           this.logger.debug(`OAI ${physicalId} does not exist, skipping deletion`);
           return;
         }
@@ -17837,6 +18456,14 @@ var CloudFrontOAIProvider = class {
       this.logger.debug(`Successfully deleted CloudFront OAI ${logicalId}`);
     } catch (error) {
       if (error instanceof NoSuchCloudFrontOriginAccessIdentity) {
+        const clientRegion = await this.cloudFrontClient.config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(`OAI ${physicalId} does not exist, skipping deletion`);
         return;
       }
@@ -18010,7 +18637,7 @@ var CloudFrontDistributionProvider = class {
    * 2. If Enabled, update to Enabled=false and wait
    * 3. Delete with the latest ETag
    */
-  async delete(logicalId, physicalId, resourceType, _properties) {
+  async delete(logicalId, physicalId, resourceType, _properties, context) {
     this.logger.debug(`Deleting CloudFront Distribution ${logicalId}: ${physicalId}`);
     try {
       let etag;
@@ -18023,6 +18650,14 @@ var CloudFrontDistributionProvider = class {
         config = getConfigResponse.DistributionConfig;
       } catch (error) {
         if (error instanceof NoSuchDistribution) {
+          const clientRegion = await this.cloudFrontClient.config.region();
+          assertRegionMatch(
+            clientRegion,
+            context?.expectedRegion,
+            resourceType,
+            logicalId,
+            physicalId
+          );
           this.logger.debug(`Distribution ${physicalId} does not exist, skipping deletion`);
           return;
         }
@@ -18054,6 +18689,14 @@ var CloudFrontDistributionProvider = class {
       this.logger.debug(`Successfully deleted CloudFront Distribution ${logicalId}`);
     } catch (error) {
       if (error instanceof NoSuchDistribution) {
+        const clientRegion = await this.cloudFrontClient.config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(`Distribution ${physicalId} does not exist, skipping deletion`);
         return;
       }
@@ -18473,7 +19116,7 @@ var AgentCoreRuntimeProvider = class {
   /**
    * Delete a BedrockAgentCore Runtime
    */
-  async delete(logicalId, physicalId, resourceType, _properties) {
+  async delete(logicalId, physicalId, resourceType, _properties, context) {
     this.logger.debug(`Deleting BedrockAgentCore Runtime ${logicalId}: ${physicalId}`);
     try {
       await this.client.send(
@@ -18484,6 +19127,14 @@ var AgentCoreRuntimeProvider = class {
       this.logger.debug(`Successfully deleted BedrockAgentCore Runtime ${logicalId}`);
     } catch (error) {
       if (error instanceof ResourceNotFoundException11) {
+        const clientRegion = await this.client.config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(`Runtime ${physicalId} does not exist, skipping deletion`);
         return;
       }
@@ -18679,13 +19330,21 @@ var StepFunctionsProvider = class {
   /**
    * Delete a Step Functions state machine
    */
-  async delete(logicalId, physicalId, resourceType, _properties) {
+  async delete(logicalId, physicalId, resourceType, _properties, context) {
     this.logger.debug(`Deleting Step Functions state machine ${logicalId}: ${physicalId}`);
     try {
       await this.getClient().send(new DeleteStateMachineCommand({ stateMachineArn: physicalId }));
       this.logger.debug(`Successfully deleted Step Functions state machine ${logicalId}`);
     } catch (error) {
       if (error instanceof StateMachineDoesNotExist) {
+        const clientRegion = await this.getClient().config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(
           `Step Functions state machine ${physicalId} does not exist, skipping deletion`
         );
@@ -18852,14 +19511,14 @@ var ECSProvider = class {
         );
     }
   }
-  async delete(logicalId, physicalId, resourceType, properties) {
+  async delete(logicalId, physicalId, resourceType, properties, context) {
     switch (resourceType) {
       case "AWS::ECS::Cluster":
-        return this.deleteCluster(logicalId, physicalId, resourceType);
+        return this.deleteCluster(logicalId, physicalId, resourceType, context);
       case "AWS::ECS::TaskDefinition":
-        return this.deleteTaskDefinition(logicalId, physicalId, resourceType);
+        return this.deleteTaskDefinition(logicalId, physicalId, resourceType, context);
       case "AWS::ECS::Service":
-        return this.deleteService(logicalId, physicalId, resourceType, properties);
+        return this.deleteService(logicalId, physicalId, resourceType, properties, context);
       default:
         throw new ProvisioningError(
           `Unsupported resource type: ${resourceType}`,
@@ -18960,7 +19619,7 @@ var ECSProvider = class {
       );
     }
   }
-  async deleteCluster(logicalId, physicalId, resourceType) {
+  async deleteCluster(logicalId, physicalId, resourceType, context) {
     this.logger.debug(`Deleting ECS cluster ${logicalId}: ${physicalId}`);
     const client = this.getClient();
     try {
@@ -18968,6 +19627,14 @@ var ECSProvider = class {
       this.logger.debug(`Successfully deleted ECS cluster ${logicalId}`);
     } catch (error) {
       if (this.isClusterNotFoundException(error)) {
+        const clientRegion = await client.config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(`ECS cluster ${physicalId} not found, skipping deletion`);
         return;
       }
@@ -19067,7 +19734,7 @@ var ECSProvider = class {
       attributes: result.attributes ?? {}
     };
   }
-  async deleteTaskDefinition(logicalId, physicalId, resourceType) {
+  async deleteTaskDefinition(logicalId, physicalId, resourceType, context) {
     this.logger.debug(`Deleting ECS task definition ${logicalId}: ${physicalId}`);
     const client = this.getClient();
     try {
@@ -19075,6 +19742,14 @@ var ECSProvider = class {
       this.logger.debug(`Successfully deregistered ECS task definition ${logicalId}`);
     } catch (error) {
       if (this.isNotFoundException(error)) {
+        const clientRegion = await client.config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(`ECS task definition ${physicalId} not found, skipping deletion`);
         return;
       }
@@ -19213,7 +19888,7 @@ var ECSProvider = class {
       );
     }
   }
-  async deleteService(logicalId, physicalId, resourceType, properties) {
+  async deleteService(logicalId, physicalId, resourceType, properties, context) {
     this.logger.debug(`Deleting ECS service ${logicalId}: ${physicalId}`);
     const client = this.getClient();
     const cluster = properties?.["Cluster"];
@@ -19229,6 +19904,14 @@ var ECSProvider = class {
         this.logger.debug(`Scaled down ECS service ${physicalId} to 0`);
       } catch (error) {
         if (this.isServiceNotFoundException(error)) {
+          const clientRegion = await client.config.region();
+          assertRegionMatch(
+            clientRegion,
+            context?.expectedRegion,
+            resourceType,
+            logicalId,
+            physicalId
+          );
           this.logger.debug(
             `ECS service ${physicalId} not found during scale down, skipping deletion`
           );
@@ -19246,6 +19929,14 @@ var ECSProvider = class {
       this.logger.debug(`Successfully deleted ECS service ${logicalId}`);
     } catch (error) {
       if (this.isServiceNotFoundException(error)) {
+        const clientRegion = await client.config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(`ECS service ${physicalId} not found, skipping deletion`);
         return;
       }
@@ -19544,14 +20235,14 @@ var ELBv2Provider = class {
         );
     }
   }
-  async delete(logicalId, physicalId, resourceType, _properties) {
+  async delete(logicalId, physicalId, resourceType, _properties, context) {
     switch (resourceType) {
       case "AWS::ElasticLoadBalancingV2::LoadBalancer":
-        return this.deleteLoadBalancer(logicalId, physicalId, resourceType);
+        return this.deleteLoadBalancer(logicalId, physicalId, resourceType, context);
       case "AWS::ElasticLoadBalancingV2::TargetGroup":
-        return this.deleteTargetGroup(logicalId, physicalId, resourceType);
+        return this.deleteTargetGroup(logicalId, physicalId, resourceType, context);
       case "AWS::ElasticLoadBalancingV2::Listener":
-        return this.deleteListener(logicalId, physicalId, resourceType);
+        return this.deleteListener(logicalId, physicalId, resourceType, context);
       default:
         throw new ProvisioningError(
           `Unsupported resource type: ${resourceType}`,
@@ -19652,13 +20343,21 @@ var ELBv2Provider = class {
       );
     }
   }
-  async deleteLoadBalancer(logicalId, physicalId, resourceType) {
+  async deleteLoadBalancer(logicalId, physicalId, resourceType, context) {
     this.logger.debug(`Deleting LoadBalancer ${logicalId}: ${physicalId}`);
     try {
       await this.getClient().send(new DeleteLoadBalancerCommand({ LoadBalancerArn: physicalId }));
       this.logger.debug(`Successfully deleted LoadBalancer ${logicalId}`);
     } catch (error) {
       if (this.isNotFoundError(error)) {
+        const clientRegion = await this.getClient().config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(`LoadBalancer ${physicalId} does not exist, skipping deletion`);
         return;
       }
@@ -19768,13 +20467,21 @@ var ELBv2Provider = class {
       );
     }
   }
-  async deleteTargetGroup(logicalId, physicalId, resourceType) {
+  async deleteTargetGroup(logicalId, physicalId, resourceType, context) {
     this.logger.debug(`Deleting TargetGroup ${logicalId}: ${physicalId}`);
     try {
       await this.getClient().send(new DeleteTargetGroupCommand({ TargetGroupArn: physicalId }));
       this.logger.debug(`Successfully deleted TargetGroup ${logicalId}`);
     } catch (error) {
       if (this.isNotFoundError(error)) {
+        const clientRegion = await this.getClient().config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(`TargetGroup ${physicalId} does not exist, skipping deletion`);
         return;
       }
@@ -19870,13 +20577,21 @@ var ELBv2Provider = class {
       );
     }
   }
-  async deleteListener(logicalId, physicalId, resourceType) {
+  async deleteListener(logicalId, physicalId, resourceType, context) {
     this.logger.debug(`Deleting Listener ${logicalId}: ${physicalId}`);
     try {
       await this.getClient().send(new DeleteListenerCommand({ ListenerArn: physicalId }));
       this.logger.debug(`Successfully deleted Listener ${logicalId}`);
     } catch (error) {
       if (this.isNotFoundError(error)) {
+        const clientRegion = await this.getClient().config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(`Listener ${physicalId} does not exist, skipping deletion`);
         return;
       }
@@ -20026,14 +20741,14 @@ var RDSProvider = class {
         );
     }
   }
-  async delete(logicalId, physicalId, resourceType, _properties) {
+  async delete(logicalId, physicalId, resourceType, _properties, context) {
     switch (resourceType) {
       case "AWS::RDS::DBSubnetGroup":
-        return this.deleteDBSubnetGroup(logicalId, physicalId, resourceType);
+        return this.deleteDBSubnetGroup(logicalId, physicalId, resourceType, context);
       case "AWS::RDS::DBCluster":
-        return this.deleteDBCluster(logicalId, physicalId, resourceType);
+        return this.deleteDBCluster(logicalId, physicalId, resourceType, context);
       case "AWS::RDS::DBInstance":
-        return this.deleteDBInstance(logicalId, physicalId, resourceType);
+        return this.deleteDBInstance(logicalId, physicalId, resourceType, context);
       default:
         throw new ProvisioningError(
           `Unsupported resource type: ${resourceType}`,
@@ -20104,7 +20819,7 @@ var RDSProvider = class {
       );
     }
   }
-  async deleteDBSubnetGroup(logicalId, physicalId, resourceType) {
+  async deleteDBSubnetGroup(logicalId, physicalId, resourceType, context) {
     this.logger.debug(`Deleting DBSubnetGroup ${logicalId}: ${physicalId}`);
     try {
       await this.getClient().send(
@@ -20115,6 +20830,14 @@ var RDSProvider = class {
       this.logger.debug(`Successfully deleted DBSubnetGroup ${logicalId}`);
     } catch (error) {
       if (this.isNotFoundError(error, "DBSubnetGroupNotFoundFault")) {
+        const clientRegion = await this.getClient().config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(`DBSubnetGroup ${physicalId} does not exist, skipping deletion`);
         return;
       }
@@ -20237,7 +20960,7 @@ var RDSProvider = class {
       );
     }
   }
-  async deleteDBCluster(logicalId, physicalId, resourceType) {
+  async deleteDBCluster(logicalId, physicalId, resourceType, context) {
     this.logger.debug(`Deleting DBCluster ${logicalId}: ${physicalId}`);
     try {
       try {
@@ -20264,6 +20987,14 @@ var RDSProvider = class {
       await this.waitForClusterDeleted(physicalId);
     } catch (error) {
       if (this.isNotFoundError(error, "DBClusterNotFoundFault")) {
+        const clientRegion = await this.getClient().config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(`DBCluster ${physicalId} does not exist, skipping deletion`);
         return;
       }
@@ -20357,7 +21088,7 @@ var RDSProvider = class {
       );
     }
   }
-  async deleteDBInstance(logicalId, physicalId, resourceType) {
+  async deleteDBInstance(logicalId, physicalId, resourceType, context) {
     this.logger.debug(`Deleting DBInstance ${logicalId}: ${physicalId}`);
     try {
       try {
@@ -20385,6 +21116,14 @@ var RDSProvider = class {
       await this.waitForInstanceDeleted(physicalId);
     } catch (error) {
       if (this.isNotFoundError(error, "DBInstanceNotFoundFault")) {
+        const clientRegion = await this.getClient().config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(`DBInstance ${physicalId} does not exist, skipping deletion`);
         return;
       }
@@ -20598,12 +21337,12 @@ var Route53Provider = class {
         );
     }
   }
-  async delete(logicalId, physicalId, resourceType, properties) {
+  async delete(logicalId, physicalId, resourceType, properties, context) {
     switch (resourceType) {
       case "AWS::Route53::HostedZone":
-        return this.deleteHostedZone(logicalId, physicalId, resourceType);
+        return this.deleteHostedZone(logicalId, physicalId, resourceType, context);
       case "AWS::Route53::RecordSet":
-        return this.deleteRecordSet(logicalId, physicalId, resourceType, properties);
+        return this.deleteRecordSet(logicalId, physicalId, resourceType, properties, context);
       default:
         throw new ProvisioningError(
           `Unsupported resource type: ${resourceType}`,
@@ -20737,7 +21476,7 @@ var Route53Provider = class {
       );
     }
   }
-  async deleteHostedZone(logicalId, physicalId, resourceType) {
+  async deleteHostedZone(logicalId, physicalId, resourceType, context) {
     this.logger.debug(`Deleting Route 53 hosted zone ${logicalId}: ${physicalId}`);
     try {
       await this.deleteQueryLoggingConfigForZone(physicalId, logicalId);
@@ -20745,6 +21484,14 @@ var Route53Provider = class {
       this.logger.debug(`Successfully deleted hosted zone ${logicalId}`);
     } catch (error) {
       if (error instanceof Error && error.name === "NoSuchHostedZone") {
+        const clientRegion = await this.getClient().config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(`Hosted zone ${physicalId} does not exist, skipping deletion`);
         return;
       }
@@ -20857,7 +21604,7 @@ var Route53Provider = class {
       );
     }
   }
-  async deleteRecordSet(logicalId, physicalId, resourceType, properties) {
+  async deleteRecordSet(logicalId, physicalId, resourceType, properties, context) {
     this.logger.debug(`Deleting Route 53 record set ${logicalId}: ${physicalId}`);
     const parts = physicalId.split("|");
     if (parts.length !== 3) {
@@ -20895,6 +21642,14 @@ var Route53Provider = class {
       this.logger.debug(`Successfully deleted record set ${logicalId}`);
     } catch (error) {
       if (error instanceof Error && (error.name === "InvalidChangeBatch" || error.message.includes("it was not found"))) {
+        const clientRegion = await this.getClient().config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(`Record set ${physicalId} does not exist, skipping deletion`);
         return;
       }
@@ -21335,7 +22090,7 @@ var WAFv2WebACLProvider = class {
    * DeleteWebACL requires LockToken obtained from GetWebACL.
    * WAFNonexistentItemException is treated as success (idempotent delete).
    */
-  async delete(logicalId, physicalId, resourceType, _properties) {
+  async delete(logicalId, physicalId, resourceType, _properties, context) {
     this.logger.debug(`Deleting WAFv2 WebACL ${logicalId}: ${physicalId}`);
     try {
       const { id, name, scope } = parseWebACLArn(physicalId);
@@ -21361,6 +22116,14 @@ var WAFv2WebACLProvider = class {
       this.logger.debug(`Successfully deleted WAFv2 WebACL ${logicalId}`);
     } catch (error) {
       if (error instanceof WAFNonexistentItemException) {
+        const clientRegion = await this.getClient().config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(`WAFv2 WebACL ${physicalId} does not exist, skipping deletion`);
         return;
       }
@@ -21645,7 +22408,7 @@ var CognitoUserPoolProvider = class {
    *
    * If DeletionProtection is ACTIVE, it is automatically disabled before deletion.
    */
-  async delete(logicalId, physicalId, resourceType, properties) {
+  async delete(logicalId, physicalId, resourceType, properties, context) {
     this.logger.debug(`Deleting Cognito User Pool ${logicalId}: ${physicalId}`);
     try {
       const deletionProtection = properties?.["DeletionProtection"];
@@ -21677,6 +22440,14 @@ var CognitoUserPoolProvider = class {
           }
         } catch (descError) {
           if (descError instanceof ResourceNotFoundException12) {
+            const clientRegion = await this.getClient().config.region();
+            assertRegionMatch(
+              clientRegion,
+              context?.expectedRegion,
+              resourceType,
+              logicalId,
+              physicalId
+            );
             this.logger.debug(`Cognito User Pool ${physicalId} does not exist, skipping deletion`);
             return;
           }
@@ -21689,6 +22460,14 @@ var CognitoUserPoolProvider = class {
       this.logger.debug(`Successfully deleted Cognito User Pool ${logicalId}`);
     } catch (error) {
       if (error instanceof ResourceNotFoundException12) {
+        const clientRegion = await this.getClient().config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(`Cognito User Pool ${physicalId} does not exist, skipping deletion`);
         return;
       }
@@ -21791,12 +22570,12 @@ var ElastiCacheProvider = class {
         );
     }
   }
-  async delete(logicalId, physicalId, resourceType, _properties) {
+  async delete(logicalId, physicalId, resourceType, _properties, context) {
     switch (resourceType) {
       case "AWS::ElastiCache::SubnetGroup":
-        return this.deleteSubnetGroup(logicalId, physicalId, resourceType);
+        return this.deleteSubnetGroup(logicalId, physicalId, resourceType, context);
       case "AWS::ElastiCache::CacheCluster":
-        return this.deleteCacheCluster(logicalId, physicalId, resourceType);
+        return this.deleteCacheCluster(logicalId, physicalId, resourceType, context);
       default:
         throw new ProvisioningError(
           `Unsupported resource type: ${resourceType}`,
@@ -21867,7 +22646,7 @@ var ElastiCacheProvider = class {
       );
     }
   }
-  async deleteSubnetGroup(logicalId, physicalId, resourceType) {
+  async deleteSubnetGroup(logicalId, physicalId, resourceType, context) {
     this.logger.debug(`Deleting CacheSubnetGroup ${logicalId}: ${physicalId}`);
     try {
       await this.getClient().send(
@@ -21878,6 +22657,14 @@ var ElastiCacheProvider = class {
       this.logger.debug(`Successfully deleted CacheSubnetGroup ${logicalId}`);
     } catch (error) {
       if (this.isNotFoundError(error, "CacheSubnetGroupNotFoundFault")) {
+        const clientRegion = await this.getClient().config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(`CacheSubnetGroup ${physicalId} does not exist, skipping deletion`);
         return;
       }
@@ -22011,7 +22798,7 @@ var ElastiCacheProvider = class {
       );
     }
   }
-  async deleteCacheCluster(logicalId, physicalId, resourceType) {
+  async deleteCacheCluster(logicalId, physicalId, resourceType, context) {
     this.logger.debug(`Deleting CacheCluster ${logicalId}: ${physicalId}`);
     try {
       await this.getClient().send(
@@ -22023,6 +22810,14 @@ var ElastiCacheProvider = class {
       await this.waitForClusterDeleted(physicalId);
     } catch (error) {
       if (this.isNotFoundError(error, "CacheClusterNotFoundFault")) {
+        const clientRegion = await this.getClient().config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(`CacheCluster ${physicalId} does not exist, skipping deletion`);
         return;
       }
@@ -22181,12 +22976,12 @@ var ServiceDiscoveryProvider = class {
         );
     }
   }
-  async delete(logicalId, physicalId, resourceType, _properties) {
+  async delete(logicalId, physicalId, resourceType, _properties, context) {
     switch (resourceType) {
       case "AWS::ServiceDiscovery::PrivateDnsNamespace":
-        return this.deleteNamespace(logicalId, physicalId, resourceType);
+        return this.deleteNamespace(logicalId, physicalId, resourceType, context);
       case "AWS::ServiceDiscovery::Service":
-        return this.deleteService(logicalId, physicalId, resourceType);
+        return this.deleteService(logicalId, physicalId, resourceType, context);
       default:
         throw new ProvisioningError(
           `Unsupported resource type: ${resourceType}`,
@@ -22264,7 +23059,7 @@ var ServiceDiscoveryProvider = class {
       }
     });
   }
-  async deleteNamespace(logicalId, physicalId, resourceType) {
+  async deleteNamespace(logicalId, physicalId, resourceType, context) {
     this.logger.debug(`Deleting private DNS namespace ${logicalId}: ${physicalId}`);
     const client = this.getClient();
     try {
@@ -22276,6 +23071,14 @@ var ServiceDiscoveryProvider = class {
       this.logger.debug(`Successfully deleted private DNS namespace ${logicalId}`);
     } catch (error) {
       if (error instanceof NamespaceNotFound) {
+        const clientRegion = await this.getClient().config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(`Namespace ${physicalId} does not exist, skipping deletion`);
         return;
       }
@@ -22359,7 +23162,7 @@ var ServiceDiscoveryProvider = class {
       }
     });
   }
-  async deleteService(logicalId, physicalId, resourceType) {
+  async deleteService(logicalId, physicalId, resourceType, context) {
     this.logger.debug(`Deleting service discovery service ${logicalId}: ${physicalId}`);
     const client = this.getClient();
     try {
@@ -22367,6 +23170,14 @@ var ServiceDiscoveryProvider = class {
       this.logger.debug(`Successfully deleted service discovery service ${logicalId}`);
     } catch (error) {
       if (error instanceof ServiceNotFound) {
+        const clientRegion = await this.getClient().config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(`Service ${physicalId} does not exist, skipping deletion`);
         return;
       }
@@ -22513,19 +23324,19 @@ var AppSyncProvider = class {
     this.logger.debug(`Update for ${resourceType} ${logicalId} (${physicalId}) - no-op, immutable`);
     return Promise.resolve({ physicalId, wasReplaced: false });
   }
-  async delete(logicalId, physicalId, resourceType, _properties) {
+  async delete(logicalId, physicalId, resourceType, _properties, context) {
     switch (resourceType) {
       case "AWS::AppSync::GraphQLApi":
-        return this.deleteGraphQLApi(logicalId, physicalId, resourceType);
+        return this.deleteGraphQLApi(logicalId, physicalId, resourceType, context);
       case "AWS::AppSync::GraphQLSchema":
         this.logger.debug(`Schema ${logicalId} is deleted with its API, skipping`);
         return;
       case "AWS::AppSync::DataSource":
-        return this.deleteDataSource(logicalId, physicalId, resourceType);
+        return this.deleteDataSource(logicalId, physicalId, resourceType, context);
       case "AWS::AppSync::Resolver":
-        return this.deleteResolver(logicalId, physicalId, resourceType);
+        return this.deleteResolver(logicalId, physicalId, resourceType, context);
       case "AWS::AppSync::ApiKey":
-        return this.deleteApiKey(logicalId, physicalId, resourceType);
+        return this.deleteApiKey(logicalId, physicalId, resourceType, context);
       default:
         throw new ProvisioningError(
           `Unsupported resource type: ${resourceType}`,
@@ -22599,13 +23410,21 @@ var AppSyncProvider = class {
       );
     }
   }
-  async deleteGraphQLApi(logicalId, physicalId, resourceType) {
+  async deleteGraphQLApi(logicalId, physicalId, resourceType, context) {
     this.logger.debug(`Deleting GraphQL API ${logicalId}: ${physicalId}`);
     try {
       await this.getClient().send(new DeleteGraphqlApiCommand({ apiId: physicalId }));
       this.logger.debug(`Successfully deleted GraphQL API ${logicalId}`);
     } catch (error) {
       if (this.isNotFoundError(error)) {
+        const clientRegion = await this.getClient().config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(`GraphQL API ${physicalId} does not exist, skipping deletion`);
         return;
       }
@@ -22725,7 +23544,7 @@ var AppSyncProvider = class {
       );
     }
   }
-  async deleteDataSource(logicalId, physicalId, resourceType) {
+  async deleteDataSource(logicalId, physicalId, resourceType, context) {
     this.logger.debug(`Deleting DataSource ${logicalId}: ${physicalId}`);
     const [apiId, name] = physicalId.split("|");
     if (!apiId || !name) {
@@ -22737,6 +23556,14 @@ var AppSyncProvider = class {
       this.logger.debug(`Successfully deleted DataSource ${logicalId}`);
     } catch (error) {
       if (this.isNotFoundError(error)) {
+        const clientRegion = await this.getClient().config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(`DataSource ${physicalId} does not exist, skipping deletion`);
         return;
       }
@@ -22817,7 +23644,7 @@ var AppSyncProvider = class {
       );
     }
   }
-  async deleteResolver(logicalId, physicalId, resourceType) {
+  async deleteResolver(logicalId, physicalId, resourceType, context) {
     this.logger.debug(`Deleting Resolver ${logicalId}: ${physicalId}`);
     const parts = physicalId.split("|");
     if (parts.length < 3) {
@@ -22830,6 +23657,14 @@ var AppSyncProvider = class {
       this.logger.debug(`Successfully deleted Resolver ${logicalId}`);
     } catch (error) {
       if (this.isNotFoundError(error)) {
+        const clientRegion = await this.getClient().config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(`Resolver ${physicalId} does not exist, skipping deletion`);
         return;
       }
@@ -22883,7 +23718,7 @@ var AppSyncProvider = class {
       );
     }
   }
-  async deleteApiKey(logicalId, physicalId, resourceType) {
+  async deleteApiKey(logicalId, physicalId, resourceType, context) {
     this.logger.debug(`Deleting ApiKey ${logicalId}: ${physicalId}`);
     const [apiId, apiKeyId] = physicalId.split("|");
     if (!apiId || !apiKeyId) {
@@ -22895,6 +23730,14 @@ var AppSyncProvider = class {
       this.logger.debug(`Successfully deleted ApiKey ${logicalId}`);
     } catch (error) {
       if (this.isNotFoundError(error)) {
+        const clientRegion = await this.getClient().config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(`ApiKey ${physicalId} does not exist, skipping deletion`);
         return;
       }
@@ -22975,12 +23818,12 @@ var GlueProvider = class {
         );
     }
   }
-  async delete(logicalId, physicalId, resourceType, _properties) {
+  async delete(logicalId, physicalId, resourceType, properties, context) {
     switch (resourceType) {
       case "AWS::Glue::Database":
-        return this.deleteDatabase(logicalId, physicalId, resourceType);
+        return this.deleteDatabase(logicalId, physicalId, resourceType, properties, context);
       case "AWS::Glue::Table":
-        return this.deleteTable(logicalId, physicalId, resourceType);
+        return this.deleteTable(logicalId, physicalId, resourceType, properties, context);
       default:
         throw new ProvisioningError(
           `Unsupported resource type: ${resourceType}`,
@@ -23038,7 +23881,7 @@ var GlueProvider = class {
       );
     }
   }
-  async deleteDatabase(logicalId, physicalId, resourceType, properties) {
+  async deleteDatabase(logicalId, physicalId, resourceType, properties, context) {
     this.logger.debug(`Deleting Glue Database ${logicalId}: ${physicalId}`);
     try {
       const catalogId = properties?.["CatalogId"];
@@ -23051,6 +23894,14 @@ var GlueProvider = class {
       this.logger.debug(`Successfully deleted Glue Database ${logicalId}`);
     } catch (error) {
       if (error instanceof EntityNotFoundException) {
+        const clientRegion = await this.getClient().config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(`Glue Database ${physicalId} does not exist, skipping deletion`);
         return;
       }
@@ -23162,7 +24013,7 @@ var GlueProvider = class {
       );
     }
   }
-  async deleteTable(logicalId, physicalId, resourceType) {
+  async deleteTable(logicalId, physicalId, resourceType, _properties, context) {
     this.logger.debug(`Deleting Glue Table ${logicalId}: ${physicalId}`);
     const [databaseName, tableName] = physicalId.split("|");
     if (!databaseName || !tableName) {
@@ -23179,6 +24030,14 @@ var GlueProvider = class {
       this.logger.debug(`Successfully deleted Glue Table ${logicalId}`);
     } catch (error) {
       if (error instanceof EntityNotFoundException) {
+        const clientRegion = await this.getClient().config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(`Glue Table ${physicalId} does not exist, skipping deletion`);
         return;
       }
@@ -23364,12 +24223,12 @@ var KMSProvider = class {
         );
     }
   }
-  async delete(logicalId, physicalId, resourceType, _properties) {
+  async delete(logicalId, physicalId, resourceType, _properties, context) {
     switch (resourceType) {
       case "AWS::KMS::Key":
-        return this.deleteKey(logicalId, physicalId, resourceType, _properties);
+        return this.deleteKey(logicalId, physicalId, resourceType, _properties, context);
       case "AWS::KMS::Alias":
-        return this.deleteAlias(logicalId, physicalId, resourceType);
+        return this.deleteAlias(logicalId, physicalId, resourceType, context);
       default:
         throw new ProvisioningError(
           `Unsupported resource type: ${resourceType}`,
@@ -23533,7 +24392,7 @@ var KMSProvider = class {
       );
     }
   }
-  async deleteKey(logicalId, physicalId, resourceType, properties) {
+  async deleteKey(logicalId, physicalId, resourceType, properties, context) {
     this.logger.debug(`Scheduling deletion for KMS Key ${logicalId}: ${physicalId}`);
     const pendingWindowInDays = properties?.["PendingWindowInDays"] ?? 7;
     try {
@@ -23546,6 +24405,14 @@ var KMSProvider = class {
       this.logger.debug(`Successfully scheduled deletion for KMS Key ${logicalId}`);
     } catch (error) {
       if (error instanceof NotFoundException5) {
+        const clientRegion = await this.getClient().config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(`KMS Key ${physicalId} does not exist, skipping deletion`);
         return;
       }
@@ -23632,7 +24499,7 @@ var KMSProvider = class {
       );
     }
   }
-  async deleteAlias(logicalId, physicalId, resourceType) {
+  async deleteAlias(logicalId, physicalId, resourceType, context) {
     this.logger.debug(`Deleting KMS Alias ${logicalId}: ${physicalId}`);
     try {
       await this.getClient().send(
@@ -23643,6 +24510,14 @@ var KMSProvider = class {
       this.logger.debug(`Successfully deleted KMS Alias ${logicalId}`);
     } catch (error) {
       if (error instanceof NotFoundException5) {
+        const clientRegion = await this.getClient().config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(`KMS Alias ${physicalId} does not exist, skipping deletion`);
         return;
       }
@@ -23889,7 +24764,7 @@ var KinesisStreamProvider = class {
   /**
    * Delete a Kinesis stream
    */
-  async delete(logicalId, physicalId, resourceType, _properties) {
+  async delete(logicalId, physicalId, resourceType, _properties, context) {
     this.logger.debug(`Deleting Kinesis stream ${logicalId}: ${physicalId}`);
     try {
       await this.getClient().send(
@@ -23901,6 +24776,14 @@ var KinesisStreamProvider = class {
       this.logger.debug(`Successfully deleted Kinesis stream ${logicalId}`);
     } catch (error) {
       if (error instanceof ResourceNotFoundException13) {
+        const clientRegion = await this.getClient().config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(`Kinesis stream ${physicalId} does not exist, skipping deletion`);
         return;
       }
@@ -24017,14 +24900,14 @@ var EFSProvider = class {
     }
     return Promise.resolve({ physicalId, wasReplaced: false });
   }
-  async delete(logicalId, physicalId, resourceType, _properties) {
+  async delete(logicalId, physicalId, resourceType, _properties, context) {
     switch (resourceType) {
       case "AWS::EFS::FileSystem":
-        return this.deleteFileSystem(logicalId, physicalId, resourceType);
+        return this.deleteFileSystem(logicalId, physicalId, resourceType, context);
       case "AWS::EFS::MountTarget":
-        return this.deleteMountTarget(logicalId, physicalId, resourceType);
+        return this.deleteMountTarget(logicalId, physicalId, resourceType, context);
       case "AWS::EFS::AccessPoint":
-        return this.deleteAccessPoint(logicalId, physicalId, resourceType);
+        return this.deleteAccessPoint(logicalId, physicalId, resourceType, context);
       default:
         throw new ProvisioningError(
           `Unsupported resource type: ${resourceType}`,
@@ -24073,7 +24956,7 @@ var EFSProvider = class {
       );
     }
   }
-  async deleteFileSystem(logicalId, physicalId, resourceType) {
+  async deleteFileSystem(logicalId, physicalId, resourceType, context) {
     this.logger.debug(`Deleting EFS FileSystem ${logicalId}: ${physicalId}`);
     try {
       await this.getClient().send(
@@ -24084,6 +24967,14 @@ var EFSProvider = class {
       this.logger.debug(`Successfully deleted EFS FileSystem ${logicalId}`);
     } catch (error) {
       if (error instanceof FileSystemNotFound) {
+        const clientRegion = await this.getClient().config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(`EFS FileSystem ${physicalId} does not exist, skipping deletion`);
         return;
       }
@@ -24199,7 +25090,7 @@ var EFSProvider = class {
       mountTargetId
     );
   }
-  async deleteMountTarget(logicalId, physicalId, resourceType) {
+  async deleteMountTarget(logicalId, physicalId, resourceType, context) {
     this.logger.debug(`Deleting EFS MountTarget ${logicalId}: ${physicalId}`);
     try {
       await this.getClient().send(
@@ -24211,6 +25102,14 @@ var EFSProvider = class {
       this.logger.debug(`Successfully deleted EFS MountTarget ${logicalId}`);
     } catch (error) {
       if (error instanceof MountTargetNotFound) {
+        const clientRegion = await this.getClient().config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(`EFS MountTarget ${physicalId} does not exist, skipping deletion`);
         return;
       }
@@ -24309,7 +25208,7 @@ var EFSProvider = class {
       );
     }
   }
-  async deleteAccessPoint(logicalId, physicalId, resourceType) {
+  async deleteAccessPoint(logicalId, physicalId, resourceType, context) {
     this.logger.debug(`Deleting EFS AccessPoint ${logicalId}: ${physicalId}`);
     try {
       await this.getClient().send(
@@ -24320,6 +25219,14 @@ var EFSProvider = class {
       this.logger.debug(`Successfully deleted EFS AccessPoint ${logicalId}`);
     } catch (error) {
       if (error instanceof AccessPointNotFound) {
+        const clientRegion = await this.getClient().config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(`EFS AccessPoint ${physicalId} does not exist, skipping deletion`);
         return;
       }
@@ -24557,7 +25464,7 @@ var FirehoseProvider = class {
   /**
    * Delete a Firehose delivery stream
    */
-  async delete(logicalId, physicalId, resourceType, _properties) {
+  async delete(logicalId, physicalId, resourceType, _properties, context) {
     this.logger.debug(`Deleting Firehose delivery stream ${logicalId}: ${physicalId}`);
     try {
       await this.getClient().send(
@@ -24568,6 +25475,14 @@ var FirehoseProvider = class {
       this.logger.debug(`Successfully deleted Firehose delivery stream ${logicalId}`);
     } catch (error) {
       if (error instanceof ResourceNotFoundException14) {
+        const clientRegion = await this.getClient().config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(
           `Firehose delivery stream ${physicalId} does not exist, skipping deletion`
         );
@@ -24899,7 +25814,7 @@ var CloudTrailProvider = class {
       );
     }
   }
-  async delete(logicalId, physicalId, resourceType, _properties) {
+  async delete(logicalId, physicalId, resourceType, _properties, context) {
     this.logger.debug(`Deleting CloudTrail Trail ${logicalId}: ${physicalId}`);
     try {
       try {
@@ -24910,6 +25825,14 @@ var CloudTrailProvider = class {
       this.logger.debug(`Successfully deleted CloudTrail Trail ${logicalId}`);
     } catch (error) {
       if (error instanceof TrailNotFoundException) {
+        const clientRegion = await this.getClient().config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(`CloudTrail Trail ${physicalId} does not exist, skipping deletion`);
         return;
       }
@@ -25017,7 +25940,7 @@ var CodeBuildProvider = class {
     const tags = properties["Tags"];
     const envVars = environment?.["EnvironmentVariables"];
     const cfnCache = properties["Cache"];
-    const cache = cfnCache ? {
+    const cache2 = cfnCache ? {
       type: cfnCache["Type"],
       location: cfnCache["Location"],
       modes: cfnCache["Modes"]
@@ -25104,7 +26027,7 @@ var CodeBuildProvider = class {
       timeoutInMinutes: properties["TimeoutInMinutes"],
       queuedTimeoutInMinutes: properties["QueuedTimeoutInMinutes"],
       encryptionKey: properties["EncryptionKey"],
-      cache,
+      cache: cache2,
       vpcConfig,
       logsConfig,
       concurrentBuildLimit: properties["ConcurrentBuildLimit"],
@@ -25161,13 +26084,21 @@ var CodeBuildProvider = class {
       );
     }
   }
-  async delete(logicalId, physicalId, resourceType, _properties) {
+  async delete(logicalId, physicalId, resourceType, _properties, context) {
     this.logger.debug(`Deleting CodeBuild Project ${logicalId}: ${physicalId}`);
     try {
       await this.getClient().send(new DeleteProjectCommand({ name: physicalId }));
       this.logger.debug(`Successfully deleted CodeBuild Project ${logicalId}`);
     } catch (error) {
       if (error instanceof ResourceNotFoundException15) {
+        const clientRegion = await this.getClient().config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(`CodeBuild Project ${physicalId} does not exist, skipping deletion`);
         return;
       }
@@ -25233,10 +26164,10 @@ var S3VectorsProvider = class {
         );
     }
   }
-  async delete(logicalId, physicalId, resourceType, _properties) {
+  async delete(logicalId, physicalId, resourceType, _properties, context) {
     switch (resourceType) {
       case "AWS::S3Vectors::VectorBucket":
-        return this.deleteVectorBucket(logicalId, physicalId, resourceType);
+        return this.deleteVectorBucket(logicalId, physicalId, resourceType, context);
       default:
         throw new ProvisioningError(
           `Unsupported resource type: ${resourceType}`,
@@ -25287,7 +26218,7 @@ var S3VectorsProvider = class {
       );
     }
   }
-  async deleteVectorBucket(logicalId, physicalId, resourceType) {
+  async deleteVectorBucket(logicalId, physicalId, resourceType, context) {
     this.logger.debug(`Deleting S3 VectorBucket ${logicalId}: ${physicalId}`);
     try {
       await this.emptyVectorBucket(logicalId, physicalId);
@@ -25299,6 +26230,14 @@ var S3VectorsProvider = class {
       this.logger.debug(`Successfully deleted S3 VectorBucket ${logicalId}`);
     } catch (error) {
       if (this.isNotFoundError(error)) {
+        const clientRegion = await this.getClient().config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(`S3 VectorBucket ${physicalId} does not exist, skipping deletion`);
         return;
       }
@@ -25495,7 +26434,7 @@ var S3DirectoryBucketProvider = class {
    * Must empty the bucket before deletion. Directory buckets do not support
    * versioning, so only current objects need to be deleted.
    */
-  async delete(logicalId, physicalId, resourceType, _properties) {
+  async delete(logicalId, physicalId, resourceType, _properties, context) {
     this.logger.debug(`Deleting S3 Express Directory Bucket ${logicalId}: ${physicalId}`);
     try {
       await this.emptyBucket(physicalId);
@@ -25507,6 +26446,14 @@ var S3DirectoryBucketProvider = class {
       this.logger.debug(`Successfully deleted S3 Express Directory Bucket ${logicalId}`);
     } catch (error) {
       if (error instanceof Error && (error.name === "NoSuchBucket" || error.name === "BucketNotFound")) {
+        const clientRegion = await this.s3Client.config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(`Bucket ${physicalId} does not exist, skipping deletion`);
         return;
       }
@@ -25601,14 +26548,14 @@ var S3TablesProvider = class {
     this.logger.debug(`Update is no-op for ${resourceType} ${logicalId}`);
     return Promise.resolve({ physicalId, wasReplaced: false });
   }
-  async delete(logicalId, physicalId, resourceType, _properties) {
+  async delete(logicalId, physicalId, resourceType, _properties, context) {
     switch (resourceType) {
       case "AWS::S3Tables::TableBucket":
-        return this.deleteTableBucket(logicalId, physicalId, resourceType);
+        return this.deleteTableBucket(logicalId, physicalId, resourceType, context);
       case "AWS::S3Tables::Namespace":
-        return this.deleteNamespace(logicalId, physicalId, resourceType);
+        return this.deleteNamespace(logicalId, physicalId, resourceType, context);
       case "AWS::S3Tables::Table":
-        return this.deleteTable(logicalId, physicalId, resourceType);
+        return this.deleteTable(logicalId, physicalId, resourceType, context);
       default:
         throw new ProvisioningError(
           `Unsupported resource type: ${resourceType}`,
@@ -25654,7 +26601,7 @@ var S3TablesProvider = class {
       );
     }
   }
-  async deleteTableBucket(logicalId, physicalId, resourceType) {
+  async deleteTableBucket(logicalId, physicalId, resourceType, context) {
     this.logger.debug(`Deleting S3 Table Bucket ${logicalId}: ${physicalId}`);
     try {
       await this.emptyTableBucket(physicalId);
@@ -25666,6 +26613,14 @@ var S3TablesProvider = class {
       this.logger.debug(`Successfully deleted S3 Table Bucket ${logicalId}`);
     } catch (error) {
       if (error instanceof NotFoundException6) {
+        const clientRegion = await this.getClient().config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(`S3 Table Bucket ${physicalId} does not exist, skipping deletion`);
         return;
       }
@@ -25789,7 +26744,7 @@ var S3TablesProvider = class {
       );
     }
   }
-  async deleteNamespace(logicalId, physicalId, resourceType) {
+  async deleteNamespace(logicalId, physicalId, resourceType, context) {
     this.logger.debug(`Deleting S3 Tables Namespace ${logicalId}: ${physicalId}`);
     const [tableBucketARN, namespaceName] = physicalId.split("|");
     if (!tableBucketARN || !namespaceName) {
@@ -25810,6 +26765,14 @@ var S3TablesProvider = class {
       this.logger.debug(`Successfully deleted S3 Tables Namespace ${logicalId}`);
     } catch (error) {
       if (error instanceof NotFoundException6) {
+        const clientRegion = await this.getClient().config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(`S3 Tables Namespace ${physicalId} does not exist, skipping deletion`);
         return;
       }
@@ -25884,7 +26847,7 @@ var S3TablesProvider = class {
       );
     }
   }
-  async deleteTable(logicalId, physicalId, resourceType) {
+  async deleteTable(logicalId, physicalId, resourceType, context) {
     this.logger.debug(`Deleting S3 Tables Table ${logicalId}: ${physicalId}`);
     const parts = physicalId.split("|");
     if (parts.length < 3) {
@@ -25909,6 +26872,14 @@ var S3TablesProvider = class {
       this.logger.debug(`Successfully deleted S3 Tables Table ${logicalId}`);
     } catch (error) {
       if (error instanceof NotFoundException6) {
+        const clientRegion = await this.getClient().config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(`S3 Tables Table ${physicalId} does not exist, skipping deletion`);
         return;
       }
@@ -26135,7 +27106,7 @@ var ECRProvider = class {
    * Uses `force: true` to delete the repository even if it contains images.
    * This supports CDK's `emptyOnDelete: true` / `removalPolicy: DESTROY` pattern.
    */
-  async delete(logicalId, physicalId, resourceType, _properties) {
+  async delete(logicalId, physicalId, resourceType, _properties, context) {
     this.logger.debug(`Deleting ECR Repository ${logicalId}: ${physicalId}`);
     try {
       await this.getClient().send(
@@ -26147,6 +27118,14 @@ var ECRProvider = class {
       this.logger.debug(`Successfully deleted ECR Repository ${logicalId}`);
     } catch (error) {
       if (error instanceof RepositoryNotFoundException) {
+        const clientRegion = await this.getClient().config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(`ECR Repository ${physicalId} does not exist, skipping deletion`);
         return;
       }
@@ -27051,7 +28030,9 @@ var DeployEngine = class {
             `  Rollback: Deleting created resource ${op.logicalId} (${op.resourceType})`
           );
           const provider = this.providerRegistry.getProvider(op.resourceType);
-          await provider.delete(op.logicalId, op.physicalId, op.resourceType, op.properties);
+          await provider.delete(op.logicalId, op.physicalId, op.resourceType, op.properties, {
+            expectedRegion: this.stackRegion
+          });
           delete stateResources[op.logicalId];
           this.logger.info(`  Rollback: ${op.logicalId} deleted successfully`);
           break;
@@ -27193,7 +28174,8 @@ var DeployEngine = class {
                   logicalId,
                   currentResource.physicalId,
                   resourceType,
-                  currentResource.properties
+                  currentResource.properties,
+                  { expectedRegion: this.stackRegion }
                 );
                 this.logger.info(`  \u2713 Old resource deleted`);
               } catch (deleteError) {
@@ -27242,7 +28224,8 @@ var DeployEngine = class {
                     logicalId,
                     currentResource.physicalId,
                     resourceType,
-                    currentProps
+                    currentProps,
+                    { expectedRegion: this.stackRegion }
                   );
                 } catch (deleteError) {
                   const deleteMsg = deleteError instanceof Error ? deleteError.message : String(deleteError);
@@ -27313,7 +28296,8 @@ var DeployEngine = class {
                 logicalId,
                 currentResource.physicalId,
                 resourceType,
-                currentResource.properties
+                currentResource.properties,
+                { expectedRegion: this.stackRegion }
               ),
               logicalId,
               3,
@@ -27587,10 +28571,17 @@ async function deployCommand(stacks, options) {
     ...options.profile && { profile: options.profile }
   });
   setAwsClients(awsClients);
-  const preflightStateBackend = new S3StateBackend(awsClients.s3, {
-    bucket: stateBucket,
-    prefix: options.statePrefix
-  });
+  const preflightStateBackend = new S3StateBackend(
+    awsClients.s3,
+    {
+      bucket: stateBucket,
+      prefix: options.statePrefix
+    },
+    {
+      region,
+      ...options.profile && { profile: options.profile }
+    }
+  );
   await preflightStateBackend.verifyBucketExists();
   let deployInterrupted = false;
   const topLevelSigintHandler = () => {
@@ -27741,7 +28732,10 @@ Deploying stack: ${stackInfo.stackName}${stackRegion !== baseRegion ? ` (region:
             region: baseRegion,
             ...options.profile && { profile: options.profile }
           });
-          const stackStateBackend = new S3StateBackend(stateS3Client.s3, stateConfig);
+          const stackStateBackend = new S3StateBackend(stateS3Client.s3, stateConfig, {
+            region: baseRegion,
+            ...options.profile && { profile: options.profile }
+          });
           const stackLockManager = new LockManager(stateS3Client.s3, stateConfig);
           const stackProviderRegistry = new ProviderRegistry();
           registerAllProviders(stackProviderRegistry);
@@ -27922,7 +28916,10 @@ async function diffCommand(stacks, options) {
       bucket: stateBucket,
       prefix: options.statePrefix
     };
-    const stateBackend = new S3StateBackend(awsClients.s3, stateConfig);
+    const stateBackend = new S3StateBackend(awsClients.s3, stateConfig, {
+      region,
+      ...options.profile && { profile: options.profile }
+    });
     const diffCalculator = new DiffCalculator();
     const intrinsicResolver = new IntrinsicFunctionResolver(region);
     for (const stackInfo of targetStacks) {
@@ -28042,7 +29039,10 @@ async function destroyCommand(stackArgs, options) {
       bucket: stateBucket,
       prefix: options.statePrefix
     };
-    const stateBackend = new S3StateBackend(awsClients.s3, stateConfig);
+    const stateBackend = new S3StateBackend(awsClients.s3, stateConfig, {
+      ...options.region && { region: options.region },
+      ...options.profile && { profile: options.profile }
+    });
     await stateBackend.verifyBucketExists();
     const lockManager = new LockManager(awsClients.s3, stateConfig);
     const dagBuilder = new DagBuilder();
@@ -28268,7 +29268,8 @@ Acquiring lock for stack ${stackName}...`);
                     logicalId,
                     resource.physicalId,
                     resource.resourceType,
-                    resource.properties
+                    resource.properties,
+                    { expectedRegion: currentState.region }
                   );
                   lastDeleteError = null;
                   break;
@@ -28490,7 +29491,10 @@ async function setupStateBackend(options) {
   const bucket = await resolveStateBucketWithDefault(options.stateBucket, region);
   const prefix = options.statePrefix;
   const stateConfig = { bucket, prefix };
-  const stateBackend = new S3StateBackend(awsClients.s3, stateConfig);
+  const stateBackend = new S3StateBackend(awsClients.s3, stateConfig, {
+    region,
+    ...options.profile && { profile: options.profile }
+  });
   const lockManager = new LockManager(awsClients.s3, stateConfig);
   await stateBackend.verifyBucketExists();
   return {
@@ -28894,7 +29898,7 @@ function reorderArgs(argv) {
 }
 async function main() {
   const program = new Command10();
-  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.8.0");
+  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.10.0");
   program.addCommand(createBootstrapCommand());
   program.addCommand(createSynthCommand());
   program.addCommand(createListCommand());