diff --git a/CHANGELOG.md b/CHANGELOG.md
index 3ebed36..0aabcf9 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -345,3 +345,7 @@
 * 2.9.7 -- 2023-09-28
 - route53-zone-association/terraform-role
 - add `sso_permissionset_names` for use of assume role by SSO roles
+
+* 2.9.8 -- 2023-09-28
+ - vpc-interface-endpoint
+ - add lab-gov-network-nonprod to allow to create dns zones
diff --git a/common/version.tf b/common/version.tf
index 6c5b89c..eb3755e 100644
--- a/common/version.tf
+++ b/common/version.tf
@@ -1,5 +1,5 @@
 locals {
- _module_version = "2.9.7"
+ _module_version = "2.9.8"
 _module_names = {
 "_main_" = "aws-vpc-setup"
diff --git a/vpc-interface-endpoint/route53.tf b/vpc-interface-endpoint/route53.tf
index 1b49a4b..d9cd399 100644
--- a/vpc-interface-endpoint/route53.tf
+++ b/vpc-interface-endpoint/route53.tf
@@ -8,15 +8,7 @@
 # https://docs.aws.amazon.com/whitepapers/latest/building-scalable-secure-multi-vpc-network-infrastructure/centralized-access-to-vpc-private-endpoints.html
 #
-# allow only network-prod, network-sa accounts to run this
-
 locals {
- permitted_accounts = [
- # ent-gov-network-prod
- "057405694017",
- # ent-gov-network-sa
- "057445207498",
- ]
 endpoint_exists = fileexists(format("%v/setup/.vpce.%v", path.root, data.aws_vpc_endpoint_service.interface_endpoint.service))
 service_domain_parts = split(".", data.aws_vpc_endpoint_service.interface_endpoint.private_dns_name)
 is_wildcard = local.service_domain_parts[0] == "*"
diff --git a/vpc-interface-endpoint/route53_permitted_accounts.tf b/vpc-interface-endpoint/route53_permitted_accounts.tf
new file mode 100644
index 0000000..ff2ac21
--- /dev/null
+++ b/vpc-interface-endpoint/route53_permitted_accounts.tf
@@ -0,0 +1,12 @@
+# allow only network-centric accounts to run this
+
+locals {
+ permitted_accounts = [
+ # ent-gov-network-prod
+ "057405694017",
+ # ent-gov-network-sa
+ "057445207498",
+ # lab-gov-network-nonprod
+ "269244441389",
+ ]
+}
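Review bot: The new allowlist in route53_permitted_accounts.tf grants the lab-gov-network-nonprod account the same standing as the two production network accounts, but the header comment `# allow only network-centric accounts to run this` no longer says what "this" is or why a nonprod account now sits next to prod ones; the code that reads `local.permitted_accounts` is not in this diff, so the only record of the decision is the CHANGELOG entry. I would replace the header with `# Accounts allowed to run this module (create the endpoint's private DNS zone, see CHANGELOG 2.9.8); any account added here gets the same rights as ent-gov-network-prod.` and keep the per-ID name comments as they are. If the check that consumes this list still lives in route53.tf, a one-line pointer to it from this file would let the next reviewer audit the gate without searching the module. It is also worth considering whether the nonprod account should be admitted through a separate, environment-scoped input rather than by widening the shared production allowlist.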