@go-to-k/cdkd 0.8.0 → 0.9.0

package/dist/index.js

@@ -5652,6 +5652,29 @@ var JsonPatchGenerator = class {
   }
 };
 
+// src/provisioning/region-check.ts
+function assertRegionMatch(clientRegion, expectedRegion, resourceType, logicalId, physicalId) {
+  if (!expectedRegion) {
+    return;
+  }
+  if (!clientRegion) {
+    throw new ProvisioningError(
+      `Refusing to treat NotFound as idempotent delete success for ${logicalId} (${resourceType}): AWS client region is unknown but stack state expects ${expectedRegion}. The resource may exist in ${expectedRegion} and would be silently removed from state if this NotFound were trusted.`,
+      resourceType,
+      logicalId,
+      physicalId
+    );
+  }
+  if (clientRegion !== expectedRegion) {
+    throw new ProvisioningError(
+      `Refusing to treat NotFound as idempotent delete success for ${logicalId} (${resourceType}): AWS client region ${clientRegion} does not match stack state region ${expectedRegion}. The resource likely still exists in ${expectedRegion}; rerun the destroy with the correct region (e.g. --region ${expectedRegion}).`,
+      resourceType,
+      logicalId,
+      physicalId
+    );
+  }
+}
+
 // src/provisioning/cloud-control-provider.ts
 var JSON_STRING_PROPERTIES = {
   "AWS::Events::Rule": /* @__PURE__ */ new Set(["EventPattern"])
@@ -5827,7 +5850,7 @@ var CloudControlProvider = class {
   /**
    * Delete a resource using Cloud Control API
    */
-  async delete(logicalId, physicalId, resourceType, _properties) {
+  async delete(logicalId, physicalId, resourceType, _properties, context) {
     this.logger.debug(
       `Deleting resource ${logicalId} (${resourceType}), physical ID: ${physicalId}`
     );
@@ -5854,6 +5877,14 @@ var CloudControlProvider = class {
     } catch (error) {
       const err = error;
       if (err.name === "ResourceNotFoundException" || err.message?.includes("does not exist") || err.message?.includes("not found") || err.message?.includes("NotFound")) {
+        const clientRegion = await this.cloudControlClient.config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(`Resource ${logicalId} already deleted (not found), treating as success`);
         return;
       }
@@ -6418,7 +6449,7 @@ var CustomResourceProvider = class _CustomResourceProvider {
   /**
    * Delete a custom resource by invoking its Lambda handler
    */
-  async delete(logicalId, physicalId, resourceType, properties) {
+  async delete(logicalId, physicalId, resourceType, properties, _context) {
     this.logger.debug(`Deleting custom resource ${logicalId}: ${physicalId} (${resourceType})`);
     if (!properties) {
       this.logger.warn(
@@ -7240,13 +7271,21 @@ var IAMRoleProvider = class {
    * 3. Remove role from all instance profiles
    * 4. Delete the role itself
    */
-  async delete(logicalId, physicalId, resourceType, _properties) {
+  async delete(logicalId, physicalId, resourceType, _properties, context) {
     this.logger.debug(`Deleting IAM role ${logicalId}: ${physicalId}`);
     try {
       try {
         await this.iamClient.send(new GetRoleCommand({ RoleName: physicalId }));
       } catch (error) {
         if (error instanceof NoSuchEntityException) {
+          const clientRegion = await this.iamClient.config.region();
+          assertRegionMatch(
+            clientRegion,
+            context?.expectedRegion,
+            resourceType,
+            logicalId,
+            physicalId
+          );
           this.logger.debug(`Role ${physicalId} does not exist, skipping deletion`);
           return;
         }
@@ -8273,7 +8312,9 @@ var DeployEngine = class {
             `  Rollback: Deleting created resource ${op.logicalId} (${op.resourceType})`
           );
           const provider = this.providerRegistry.getProvider(op.resourceType);
-          await provider.delete(op.logicalId, op.physicalId, op.resourceType, op.properties);
+          await provider.delete(op.logicalId, op.physicalId, op.resourceType, op.properties, {
+            expectedRegion: this.stackRegion
+          });
           delete stateResources[op.logicalId];
           this.logger.info(`  Rollback: ${op.logicalId} deleted successfully`);
           break;
@@ -8415,7 +8456,8 @@ var DeployEngine = class {
                   logicalId,
                   currentResource.physicalId,
                   resourceType,
-                  currentResource.properties
+                  currentResource.properties,
+                  { expectedRegion: this.stackRegion }
                 );
                 this.logger.info(`  \u2713 Old resource deleted`);
               } catch (deleteError) {
@@ -8464,7 +8506,8 @@ var DeployEngine = class {
                     logicalId,
                     currentResource.physicalId,
                     resourceType,
-                    currentProps
+                    currentProps,
+                    { expectedRegion: this.stackRegion }
                   );
                 } catch (deleteError) {
                   const deleteMsg = deleteError instanceof Error ? deleteError.message : String(deleteError);
@@ -8535,7 +8578,8 @@ var DeployEngine = class {
                 logicalId,
                 currentResource.physicalId,
                 resourceType,
-                currentResource.properties
+                currentResource.properties,
+                { expectedRegion: this.stackRegion }
               ),
               logicalId,
               3,