diff --git a/lab/us-gov-east-1/vpc/_mcmCluster/eks/terragrunt.hcl b/lab/us-gov-east-1/vpc/_mcmCluster/eks/terragrunt.hcl
index 79966ad..b59e198 100644
--- a/lab/us-gov-east-1/vpc/_mcmCluster/eks/terragrunt.hcl
+++ b/lab/us-gov-east-1/vpc/_mcmCluster/eks/terragrunt.hcl
@@ -34,7 +34,7 @@ locals {
 }
 terraform {
- source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-eks.git"
+ source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-eks.git?ref=dnsv2"
 extra_arguments "retry_lock" {
 commands = get_terraform_commands_that_need_locking()
 arguments = ["-lock-timeout=20m"]
diff --git a/lab/us-gov-east-1/vpc/_mcmCluster/terragrunt.hcl b/lab/us-gov-east-1/vpc/_mcmCluster/terragrunt.hcl
index 2886607..8b7f067 100644
--- a/lab/us-gov-east-1/vpc/_mcmCluster/terragrunt.hcl
+++ b/lab/us-gov-east-1/vpc/_mcmCluster/terragrunt.hcl
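Review bot: `?ref=dnsv2` on the new `source` line in `eks/terragrunt.hcl` looks like a branch name rather than a tag or commit, so the module code that builds the EKS cluster could still change without any change in this repository. If that is the case, pin to an immutable ref once the branch is tagged or merged, e.g. `source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-eks.git?ref=<tag-or-commit-sha>"` (placeholder value). The `terraform` block continues past the end of the hunk, so anything else it sets is not visible here.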
@@ -75,14 +75,17 @@ remote_state {
 if_exists = "overwrite_terragrunt"
 }
 config = {
- bucket = "${local.state_bucket_prefix}-${local.account_id}"
- dynamodb_table = "${local.state_table_name}"
- key = "${trimprefix(replace(run_cmd("realpath", get_original_terragrunt_dir()), dirname(get_repo_root()), ""), "/")}"
- profile = "${local.profile}"
- region = "${local.region}"
- skip_bucket_enforced_tls = true
- skip_bucket_root_access = true
- skip_bucket_ssencryption = true
+ bucket = "${local.state_bucket_prefix}-${local.account_id}"
+ dynamodb_table = "${local.state_table_name}"
+ key = "${trimprefix(replace(run_cmd("realpath", get_original_terragrunt_dir()), dirname(get_repo_root()), "apps/tg"), "/")}/terraform.tfstate"
+ profile = "${local.profile}"
+ region = "${local.region}"
+ skip_bucket_enforced_tls = true # use only if you need to access the S3 bucket without TLS being enforced
+ skip_bucket_public_access_blocking = true
+ skip_bucket_root_access = true # use only if the AWS account root user should not have access to the remote state bucket for some reason
+ skip_bucket_ssencryption = true # use only if non-encrypted OpenTofu/Terraform State is required and/or the object store does not support server-side encryption
+ skip_bucket_versioning = false # use only if the object store does not support versioning
+ enable_lock_table_ssencryption = false # use only if non-encrypted DynamoDB Lock Table for the OpenTofu/Terraform State is required and/or the NoSQL database service does not support server-side encryption
 }
 }
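Review bot: `skip_bucket_public_access_blocking = true` in the `config` block is the only new skip flag with no justification comment, and it leaves any state bucket Terragrunt creates without an S3 public access block while `skip_bucket_enforced_tls` and `skip_bucket_ssencryption` also remain `true`. State files routinely hold secrets, so unless the bucket is hardened outside Terragrunt I would set `skip_bucket_public_access_blocking = false` (or delete the line) and record why the other two skips are needed. Separately, the new `key` replaces the path prefix with `apps/tg` and appends `/terraform.tfstate`, so the `trimprefix(..., "/")` appears to no longer strip anything and every unit under this root will look for state at a different object key. Existing state would need to be migrated first, or the next plan will presumably start from empty state. The trailing comments on `skip_bucket_versioning = false` and `enable_lock_table_ssencryption = false` read as if those flags were enabled; a comment stating the effect of the chosen value would be clearer.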