diff --git a/dns_zones.tf b/dns_zones.tf index c4e0604..033de5b 100644 --- a/dns_zones.tf +++ b/dns_zones.tf @@ -1,19 +1,17 @@ -#------------------------------------------------- -# DNS Zone for EKS -#------------------------------------------------- locals { - cluster_domain_name = format("%v.%v", var.cluster_name, var.vpc_domain_name) + vpc_domain_name = var.vpc_domain_name + cluster_domain_name = format("%v.%v", var.cluster_name, local.vpc_domain_name) cluster_domain_description = format("%v EKS Cluster DNS Zone", var.cluster_name) - account_environment = data.aws_arn.current.partition == "aws-us-gov" ? "gov" : "ew" - region_short = join("", [for c in split("-", var.region) : substr(c, 0, 1)]) - zone_ids = compact(var.zone_ids) + region = var.region + zone_ids = compact(var.zone_ids) } -#------------------------------------------------- -# Providers for Cross Account DNS Action -#------------------------------------------------- + +#--- +# network prod +#--- provider "aws" { - alias = "route53_main_east" - region = var.region_map["east"] + alias = "route53_main_east" + region = var.region_map["east"] assume_role { role_arn = format("arn:%v:iam::%v:role/r-inf-terraform-route53", data.aws_arn.current.partition, var.route53_endpoints["route53_main"].account_id) session_name = var.os_username 
@@ -21,52 +19,48 @@ provider "aws" { } provider "aws" { - alias = "route53_main_west" - region = var.region_map["west"] + alias = "route53_main_west" + region = var.region_map["west"] assume_role { role_arn = format("arn:%v:iam::%v:role/r-inf-terraform-route53", data.aws_arn.current.partition, var.route53_endpoints["route53_main"].account_id) session_name = var.os_username } } -#------------------------------------------------- -# network prod for shared vpcs zones -#------------------------------------------------- - -## Associate between self (vpc8) and network-prod-west -resource "aws_route53_vpc_association_authorization" "self_zone" { - provider = aws.self - for_each = toset(local.zone_ids) - zone_id = each.key - vpc_region = var.region_map["west"] - vpc_id = var.vpc_id -} - -resource "aws_route53_zone_association" "self_zone_west" { - provider = aws.route53_main_west - for_each = toset(local.zone_ids) - zone_id = each.key - vpc_id = var.vpc_id - vpc_region = var.region_map["west"] - depends_on = [aws_route53_vpc_association_authorization.self_zone] +provider "aws" { + alias = "self" + assume_role { + role_arn = format("arn:%v:iam::%v:role/r-inf-terraform", data.aws_arn.current.partition, data.aws_caller_identity.current.account_idgst) + session_name = var.os_username + } } - -## Associate between self (vpc8) and network-prod-east -resource "aws_route53_vpc_association_authorization" "self_zone_east" { +#--- +# dummy vpc, so we can associate the zone to this account +#--- +data "aws_vpc" "dummy_vpc" { provider = aws.self - for_each = toset(local.zone_ids) - zone_id = each.key - vpc_region = var.region_map["east"] - vpc_id = var.vpc_id + depends_on = [aws_vpc.vpc] + count = !(var.shared_vpc_label == null || var.shared_vpc_label == "") ? 
1 : 0 + filter { + name = "tag:Name" + values = ["vpc0-dummy"] + } + filter { + name = "tag:eks-cluster-name" + values = [var.cluster_name] + } } -resource "aws_route53_zone_association" "self_zone_east" { - provider = aws.route53_main_east - for_each = toset(local.zone_ids) - zone_id = each.key - vpc_id = var.vpc_id - vpc_region = var.region_map["east"] - depends_on = [aws_route53_vpc_association_authorization.self_zone] +## Dummy VPC +resource "aws_vpc" "vpc" { + provider = aws.self + cidr_block = "192.168.0.0/24" + enable_dns_support = false + enable_dns_hostnames = false + tags = merge( + var.tags, + { "Name" = "vpc0-dummy" }, + ) } #--- 
@@ -80,54 +74,163 @@ data "aws_route53_zone" "zones" { } resource "aws_route53_zone" "cluster_domain" { + provider = aws.self name = local.cluster_domain_name comment = local.cluster_domain_description force_destroy = false - depends_on = [ - data.aws_vpc.dummy_vpc - ] + vpc { - vpc_id = !(var.shared_vpc_label == null || var.shared_vpc_label == "") ? try(data.aws_vpc.dummy_vpc[0].id, data.aws_vpc.eks_vpc.id) : data.aws_vpc.eks_vpc.id - vpc_region = var.region + vpc_id = !(var.shared_vpc_label == null || var.shared_vpc_label == "") ? try(data.aws_vpc.dummy_vpc[0].id, null) : data.aws_vpc.eks_vpc.id + vpc_region = local.region } lifecycle { ignore_changes = [vpc] + precondition { + condition = (var.shared_vpc_label == null || var.shared_vpc_label == "") || (!(var.shared_vpc_label == null || var.shared_vpc_label == "") && !(var.vpc_domain_name == null || var.vpc_domain_name == "")) + error_message = "var.vpc_domain_name must be provided when shared VPCs are in use." + } } tags = merge( - local.base_tags, - local.common_tags, var.tags, - var.application_tags, { "Name" = local.cluster_domain_name }, ) } -## Dummy VPC - #--- -# dummy vpc, so we can associate the zone to this account +# need to also associate with network-prod account and this vpc #--- -data "aws_vpc" "dummy_vpc" { - depends_on = [aws_vpc.vpc] - count = !(var.shared_vpc_label == null || var.shared_vpc_label == "") ? 1 : 0 - filter { - name = "tag:Name" - values = ["vpc0-dummy"] +module "route53_cluster_domain_east" { + + count = local.region == "us-gov-east-1" && !(var.shared_vpc_label == null || var.shared_vpc_label == "") ? 
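Review bot: The new `aws.self` provider's `role_arn` references `data.aws_caller_identity.current.account_idgst`, which is not an attribute of `aws_caller_identity` and will fail at plan time; it should read `role_arn = format("arn:%v:iam::%v:role/r-inf-terraform", data.aws_arn.current.partition, data.aws_caller_identity.current.account_id)`. Separately, `aws_vpc.vpc` ("vpc0-dummy") is created unconditionally while the `data.aws_vpc.dummy_vpc` lookup that consumes it is gated on `var.shared_vpc_label`, so every non-shared-VPC deployment still provisions an unused 192.168.0.0/24 VPC; guarding the resource with the same `count` expression would avoid that. The dummy VPC also has `enable_dns_support`/`enable_dns_hostnames` set to `false` — presumably deliberate since it only anchors zone ownership, but a one-line comment saying so (`# DNS intentionally disabled: this VPC only exists so the zone can be created in this account`) would stop the next maintainer from "fixing" it.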
1 : 0 + providers = { + aws.self = aws + aws.peer = aws.route53_main_east } - filter { - name = "tag:eks-cluster-name" - values = [var.cluster_name] + + source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//route53-zone-association/zone?ref=tf-upgrade" + region = "us-gov-east-1" + vpc_id = data.aws_vpc.eks_vpc.id + zone_ids = [aws_route53_zone.cluster_domain.zone_id] + + tags = var.tags +} + +module "route53_cluster_domain_west" { + + count = local.region == "us-gov-west-1" && !(var.shared_vpc_label == null || var.shared_vpc_label == "") ? 1 : 0 + providers = { + aws.self = aws + aws.peer = aws.route53_main_west } + + source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//route53-zone-association/zone?ref=tf-upgrade" + region = "us-gov-west-1" + vpc_id = data.aws_vpc.eks_vpc.id + zone_ids = [aws_route53_zone.cluster_domain.zone_id] + + tags = var.tags } -resource "aws_vpc" "vpc" { - cidr_block = "192.168.0.0/24" - enable_dns_support = false - enable_dns_hostnames = false - tags = merge( - local.base_tags, - { "Name" = "vpc0-dummy" }, - ) +output "cluster_domain_name" { + description = "DNS Zone Name" + value = local.cluster_domain_name +} + +output "cluster_domain_id" { + description = "DNS Zone ID" + value = aws_route53_zone.cluster_domain.zone_id +} + +output "cluster_domain_ns" { + description = "DNS Zone Nameservers" + value = aws_route53_zone.cluster_domain.name_servers } + +#--- +# associate to main do2-govcloud vpc1-services east and west for inbound resolution +# and to vpc7-endpoints in network prod +#--- + +# #--- +# # network prod +# #--- +# provider "aws" { +# alias = "route53_main" +# region = var.region_map["east"] +# profile = var.profile +# assume_role { +# role_arn = format("arn:%v:iam::%v:role/r-inf-terraform-route53", data.aws_arn.current.partition, var.route53_endpoints["route53_main"].account_id) +# session_name = var.os_username +# } +# } + +# module "route53_main_east" { +# providers = { +# aws.self = 
aws +# aws.peer = aws.route53_main +# } + +# source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//route53-zone-association/zone?ref=tf-upgrade" +# region = "us-gov-east-1" +# vpc_id = var.route53_endpoints["route53_main"]["us-gov-east-1"] +# zone_ids = [aws_route53_zone.cluster_domain.zone_id] + +# tags = var.tags +# } + +# module "route53_main_west" { +# providers = { +# aws.self = aws +# aws.peer = aws.route53_main +# } + +# source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//route53-zone-association/zone?ref=tf-upgrade" +# region = "us-gov-west-1" +# vpc_id = var.route53_endpoints["route53_main"]["us-gov-west-1"] +# zone_ids = [aws_route53_zone.cluster_domain.zone_id] + +# tags = var.tags +# } + +#--- +# do2-gov ("legacy") +#--- +# provider "aws" { +# alias = "route53_main_legacy" +# region = var.region_map["east"] +# profile = var.profile +# assume_role { +# role_arn = format("arn:%v:iam::%v:role/r-inf-terraform-route53", data.aws_arn.current.partition, var.route53_endpoints["route53_main_legacy"].account_id) +# session_name = var.os_username +# } +# } + +# module "route53_main_legacy_east" { +# providers = { +# aws.self = aws +# aws.peer = aws.route53_main_legacy +# } + +# source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//route53-zone-association/zone?ref=tf-upgrade" +# region = "us-gov-east-1" +# vpc_id = var.route53_endpoints["route53_main_legacy"]["us-gov-east-1"] +# zone_ids = [aws_route53_zone.cluster_domain.zone_id] + +# tags = var.tags +# } + +# module "route53_main_legacy_west" { +# providers = { +# aws.self = aws +# aws.peer = aws.route53_main_legacy +# } + +# source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//route53-zone-association/zone?ref=tf-upgrade" +# region = "us-gov-west-1" +# vpc_id = var.route53_endpoints["route53_main_legacy"]["us-gov-west-1"] +# zone_ids = [aws_route53_zone.cluster_domain.zone_id] + +# tags = var.tags +# }
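Review bot: Both `module "route53_cluster_domain_east"` and `module "route53_cluster_domain_west"` pull their source with `?ref=tf-upgrade`, a branch name rather than a tag or commit SHA, so whatever lands on that branch is applied on the next run with no change reviewed in this repository; pin to an immutable ref, e.g. `source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//route53-zone-association/zone?ref=<tag-or-commit-sha>"`. In `aws_route53_zone.cluster_domain`, the shared-VPC branch of `vpc_id` falls back to `null` via `try(data.aws_vpc.dummy_vpc[0].id, null)`, which produces a `vpc` block without its required `vpc_id` if the lookup fails; dropping the `try` so the data-source error surfaces directly seems preferable. The precondition's `(A) || (!A && B)` reduces to `A || B`: `condition = (var.shared_vpc_label == null || var.shared_vpc_label == "") || !(var.vpc_domain_name == null || var.vpc_domain_name == "")`. The modules are also handed `aws.self = aws` (the default provider) while the zone itself is created under the assume-role `aws.self` provider; if those resolve to different principals, the association authorization would be issued by an identity other than the zone owner — worth confirming.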