diff --git a/CHANGELOG.md b/CHANGELOG.md index e85ee5c..3d8f9fa 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -115,3 +115,6 @@ * v1.13.0 -- 202010528 - splunk-description - create submodule + +* v1.13.1 -- 20210608 + - add lifecycle ignore tags["boc:tf_module_version"] diff --git a/common/version.tf b/common/version.tf index a705fce..636499f 100644 --- a/common/version.tf +++ b/common/version.tf @@ -1,3 +1,3 @@ locals { - _module_version = "1.13.0" + _module_version = "1.13.1" } diff --git a/config/role.tf b/config/role.tf index d3d1a38..5b6f428 100644 --- a/config/role.tf +++ b/config/role.tf @@ -30,6 +30,9 @@ resource "aws_iam_role" "config" { var.tags, tomap({ "Name" = local.role_name }), ) + lifecycle { + ignore_changes = [tags["boc:tf_module_version"]] + } } #--- diff --git a/config/s3.tf b/config/s3.tf index 7e58de3..b2d9a35 100644 --- a/config/s3.tf +++ b/config/s3.tf @@ -20,6 +20,7 @@ resource "aws_s3_bucket" "config" { lifecycle { prevent_destroy = true + ignore_changes = [tags["boc:tf_module_version"]] } # probably want some migration of old data to some other location diff --git a/config/sqs.tf b/config/sqs.tf index e2b6429..4ebbc93 100644 --- a/config/sqs.tf +++ b/config/sqs.tf @@ -24,6 +24,9 @@ resource "aws_sqs_queue" "config_deadletter" { var.tags, tomap({ "Name" = format("%v-deadletter", local.name) }), ) + lifecycle { + ignore_changes = [tags["boc:tf_module_version"]] + } } resource "aws_sqs_queue_policy" "config_deadletter" { @@ -83,6 +86,9 @@ EOP var.tags, tomap({ "Name" = local.name }), ) + lifecycle { + ignore_changes = [tags["boc:tf_module_version"]] + } } resource "aws_sqs_queue_policy" "config" { diff --git a/iam-general-policies/main.tf b/iam-general-policies/main.tf index e021bf0..2e82e41 100644 --- a/iam-general-policies/main.tf +++ b/iam-general-policies/main.tf 
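Review bot: The `ignore_changes = [tags["boc:tf_module_version"]]` block added to `aws_iam_role.config` in config/role.tf has no comment explaining why this tag is excluded, and the same block recurs in config/s3.tf, config/sqs.tf, iam-general-policies, the s3-access-logs, s3-config and s3-flow-logs buckets, terraform-state and vpc-remove-defaults. If the tag is populated from `local._module_version` (the tag inputs are outside the hunks, so this is inferred), existing resources will keep the version they were created with; any inventory or compliance query keyed on the tag will then report stale values, and out-of-band edits to the tag will no longer surface in a plan. If that trade-off is intended, a one-line comment above each block would record it, for example `# version tag is intentionally frozen at creation; do not use it to infer the module version currently managing this resource`. The enclosing resource blocks start outside the hunks.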
@@ -139,5 +139,9 @@ resource "aws_iam_policy" "general" { lookup(var.component_tags, "policy", {}), map("Name", format("%vinf-%v", lookup(local._prefixes, "policy", ""), each.value["name"])) ) + + lifecycle { + ignore_changes = [tags["boc:tf_module_version"]] + } } diff --git a/s3-access-logs/main.tf b/s3-access-logs/main.tf index e31aa60..9c116a5 100644 --- a/s3-access-logs/main.tf +++ b/s3-access-logs/main.tf @@ -81,6 +81,7 @@ resource "aws_s3_bucket" "logs" { lifecycle { prevent_destroy = true + ignore_changes = [tags["boc:tf_module_version"]] } # probably want some migration of old data to some other location diff --git a/s3-config/main.tf b/s3-config/main.tf index 092be70..166be88 100644 --- a/s3-config/main.tf +++ b/s3-config/main.tf @@ -52,6 +52,7 @@ resource "aws_s3_bucket" "config" { lifecycle { prevent_destroy = true + ignore_changes = [tags["boc:tf_module_version"]] } # probably want some migration of old data to some other location diff --git a/s3-flow-logs/main.tf b/s3-flow-logs/main.tf index 14718cb..fc8cfc8 100644 --- a/s3-flow-logs/main.tf +++ b/s3-flow-logs/main.tf @@ -79,6 +79,7 @@ resource "aws_s3_bucket" "flowlogs" { lifecycle { prevent_destroy = true + ignore_changes = [tags["boc:tf_module_version"]] } # probably want some migration of old data to some other location diff --git a/terraform-state/README.md b/terraform-state/README.md index 2aa154b..1332445 100644 --- a/terraform-state/README.md +++ b/terraform-state/README.md @@ -7,7 +7,7 @@ This set up the needed components for the Terraform remote state: * DynamoDB table for locking * IAM Policy -# Usage +# Usage Here is a simple example, the one most commonly expected to be used. ```hcl 
@@ -18,8 +18,8 @@ module "tfstate" { } ``` -This one can be used if you need to customize stuff, though really, the defaults are all built -for a reason, and deployment code (i.e., Ansible) will expect these defaults to be used in +This one can be used if you need to customize stuff, though really, the defaults are all built +for a reason, and deployment code (i.e., Ansible) will expect these defaults to be used in variable file generation. ```hcl 
@@ -55,50 +55,51 @@ No requirements. | Name | Version | |------|---------| -| aws | n/a | +| [aws](#provider\_aws) | n/a | ## Modules -No Modules. +No modules. ## Resources -| Name | -|------| -| [aws_arn](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | -| [aws_caller_identity](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | -| [aws_dynamodb_table](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/dynamodb_table) | -| [aws_iam_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | -| [aws_iam_policy_document](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | -| [aws_kms_alias](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) | -| [aws_kms_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | -| [aws_region](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | -| [aws_s3_bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | -| [aws_s3_bucket_public_access_block](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | +| Name | Type | +|------|------| +| [aws_dynamodb_table.tfstate](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/dynamodb_table) | resource | +| [aws_iam_policy.tfstate](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | +| [aws_kms_alias.tfstate_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) | resource | +| [aws_kms_key.tfstate_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource | +| 
[aws_s3_bucket.tfstate](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource | +| [aws_s3_bucket_public_access_block.tfstate](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource | +| [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source | +| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | +| [aws_iam_policy_document.tfstate](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.tfstate_kms](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | ## Inputs | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| account\_alias | AWS Account Alias | `string` | `""` | no | -| account\_id | AWS Account ID (default will pull from current user) | `string` | `""` | no | -| component\_tags | Additional tags for Components (s3, kms, ddb) | `map(map(string))` |
{
"ddb": {},
"kms": {},
"s3": {}
} | no |
-| kms\_tfstate\_key | Terraform remote state KMS key alias | `string` | `"k-kms-inf-tfstate"` | no |
-| override\_prefixes | Override built-in prefixes by component (efs, s3, ebs, kms, role, policy, security-group). This should be used primarily for common infrastructure things | `map(string)` | `{}` | no |
-| tags | AWS Tags to apply to appropriate resources (S3, KMS). Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no |
-| tfstate\_bucket | Terraform remote state S3 bucket | `string` | `""` | no |
-| tfstate\_bucket\_prefix | Terraform remote state S3 bucket prefix, prepended to the AWS account ID to make the bucket name. | `string` | `"inf-tfstate"` | no |
-| tfstate\_key\_prefix | Terraform remote state S3 bucket prefix (account alias) | `string` | `""` | no |
-| tfstate\_key\_suffix | Terraform remote state S3 bucket suffix | `string` | `"terraform.tfstate"` | no |
-| tfstate\_region | Terraform remote state S3 bucket region | `string` | `""` | no |
-| tfstate\_table | Terraform remote state table | `string` | `"tf_remote_state"` | no |
+| [account\_alias](#input\_account\_alias) | AWS Account Alias | `string` | `""` | no |
+| [account\_id](#input\_account\_id) | AWS Account ID (default will pull from current user) | `string` | `""` | no |
+| [component\_tags](#input\_component\_tags) | Additional tags for Components (s3, kms, ddb) | `map(map(string))` | {
"ddb": {},
"kms": {},
"s3": {}
} | no |
+| [kms\_tfstate\_key](#input\_kms\_tfstate\_key) | Terraform remote state KMS key alias | `string` | `"k-kms-inf-tfstate"` | no |
+| [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component (efs, s3, ebs, kms, role, policy, security-group). This should be used primarily for common infrastructure things | `map(string)` | `{}` | no |
+| [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS). Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no |
+| [tfstate\_bucket](#input\_tfstate\_bucket) | Terraform remote state S3 bucket | `string` | `""` | no |
+| [tfstate\_bucket\_prefix](#input\_tfstate\_bucket\_prefix) | Terraform remote state S3 bucket prefix, prepended to the AWS account ID to make the bucket name. | `string` | `"inf-tfstate"` | no |
+| [tfstate\_key\_prefix](#input\_tfstate\_key\_prefix) | Terraform remote state S3 bucket prefix (account alias) | `string` | `""` | no |
+| [tfstate\_key\_suffix](#input\_tfstate\_key\_suffix) | Terraform remote state S3 bucket suffix | `string` | `"terraform.tfstate"` | no |
+| [tfstate\_region](#input\_tfstate\_region) | Terraform remote state S3 bucket region | `string` | `""` | no |
+| [tfstate\_table](#input\_tfstate\_table) | Terraform remote state table | `string` | `"tf_remote_state"` | no |
## Outputs
| Name | Description |
|------|-------------|
-| tfstate\_bucket\_arn | Terraform state S3 bucket ARN |
-| tfstate\_bucket\_id | Terraform state S3 bucket ID |
-| tfstate\_dynamodb\_arn | Terraform state DynamoDB table ARN |
-| tfstate\_key\_arn | inf-tfstate KMS key ARN |
-| tfstate\_region | Terraform state region |
+| [tfstate\_bucket\_arn](#output\_tfstate\_bucket\_arn) | Terraform state S3 bucket ARN |
+| [tfstate\_bucket\_id](#output\_tfstate\_bucket\_id) | Terraform state S3 bucket ID |
+| [tfstate\_dynamodb\_arn](#output\_tfstate\_dynamodb\_arn) | Terraform state DynamoDB table ARN |
+| [tfstate\_key\_arn](#output\_tfstate\_key\_arn) | inf-tfstate KMS key ARN |
+| [tfstate\_region](#output\_tfstate\_region) | Terraform state region |
diff --git a/terraform-state/main.tf b/terraform-state/main.tf
index e48a12c..9c4b9c5 100644
--- a/terraform-state/main.tf
+++ b/terraform-state/main.tf
@@ -90,6 +90,11 @@ resource "aws_dynamodb_table" "tfstate" {
lookup(var.component_tags, "ddb", {}),
map("Name", var.tfstate_table),
)
+
+ lifecycle {
+ ignore_changes = [tags["boc:tf_module_version"]]
+ }
+
}
# create iam policy for it, to apply to roles/groups as needed
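Review bot: The lifecycle blocks added in terraform-state/main.tf are padded inconsistently. `aws_dynamodb_table.tfstate` and `aws_kms_key.tfstate_key` get an extra blank line before the closing brace, and the `@@ -130,6 +136,7 @@` hunk adds nothing but a blank line at the end of `aws_s3_bucket.tfstate`. The same trailing blank appears in the `aws_default_network_acl` and `aws_default_route_table` hunks of vpc-remove-defaults/main.tf, while the config/ hunks add none. Dropping the stray blank `+` lines would keep the diff limited to the functional change and make the repeated block easier to audit across modules.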
@@ -122,6 +127,7 @@ resource "aws_s3_bucket" "tfstate" {
lifecycle {
prevent_destroy = true
+ ignore_changes = [tags["boc:tf_module_version"]]
}
tags = merge(
@@ -130,6 +136,7 @@ resource "aws_s3_bucket" "tfstate" {
lookup(var.component_tags, "s3", {}),
map("Name", local.tfstate_bucket),
)
+
}
resource "aws_s3_bucket_public_access_block" "tfstate" {
@@ -153,6 +160,11 @@ resource "aws_kms_key" "tfstate_key" {
lookup(var.component_tags, "kms", {}),
map("Name", var.kms_tfstate_key)
)
+
+ lifecycle {
+ ignore_changes = [tags["boc:tf_module_version"]]
+ }
+
}
resource "aws_kms_alias" "tfstate_key" {
diff --git a/vpc-remove-defaults/main.tf b/vpc-remove-defaults/main.tf
index b4bc081..7b912a4 100644
--- a/vpc-remove-defaults/main.tf
+++ b/vpc-remove-defaults/main.tf
@@ -107,6 +107,9 @@ resource "aws_default_vpc" "default" {
local.base_tags,
map("Name", format("default-vpc-%s", local.vpc_title))
)
+ lifecycle {
+ ignore_changes = [tags["boc:tf_module_version"]]
+ }
}
#---
@@ -117,6 +120,9 @@ resource "aws_default_vpc_dhcp_options" "default" {
local.base_tags,
map("Name", format("default-dhcpopt-%s", local.vpc_title))
)
+ lifecycle {
+ ignore_changes = [tags["boc:tf_module_version"]]
+ }
}
#---
@@ -129,6 +135,10 @@ resource "aws_default_security_group" "default" {
local.base_tags,
map("Name", format("default-sg-%s", local.vpc_title))
)
+
+ lifecycle {
+ ignore_changes = [tags["boc:tf_module_version"]]
+ }
}
#---
@@ -142,6 +152,10 @@ resource "aws_default_subnet" "default" {
local.base_tags,
map("Name", format("default-subnet-%s-%s", local.vpc_title, each.key))
)
+
+ lifecycle {
+ ignore_changes = [tags["boc:tf_module_version"]]
+ }
}
@@ -155,6 +169,11 @@ resource "aws_default_network_acl" "default" {
local.base_tags,
map("Name", format("default-nacl-%s", local.vpc_title))
)
+
+ lifecycle {
+ ignore_changes = [tags["boc:tf_module_version"]]
+ }
+
}
#---
@@ -167,6 +186,11 @@ resource "aws_default_route_table" "default" {
local.base_tags,
map("Name", format("default-rt-%s", local.vpc_title))
)
+
+ lifecycle {
+ ignore_changes = [tags["boc:tf_module_version"]]
+ }
+
}
#---