diff --git a/CHANGELOG.md b/CHANGELOG.md
index 16bb6dc..4b96f79 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -484,3 +484,7 @@
 - share-resources
 - remove share_explict_enabled
 - fix ram resource share to share subnets only once
+
+* 2.12.2 -- 2025-10-07
+ - route53-zone-association/terraform-role
+ - add route53profile permissions
diff --git a/common/version.tf b/common/version.tf
index 54ea97f..9f431dd 100644
--- a/common/version.tf
+++ b/common/version.tf
@@ -1,5 +1,5 @@
 locals {
- _module_version = "2.12.1"
+ _module_version = "2.12.2"
 _module_names = {
 "_main_" = "aws-vpc-setup"
diff --git a/route53-zone-association/terraform-role/README.md b/route53-zone-association/terraform-role/README.md
index eb1d332..0fa6ebb 100644
--- a/route53-zone-association/terraform-role/README.md
+++ b/route53-zone-association/terraform-role/README.md
@@ -91,11 +91,11 @@ No modules.
 |------|-------------|------|---------|:--------:|
 | [account\_alias](#input\_account\_alias) | AWS Account Alias (default: will pull from current account\_alias) | `string` | `""` | no |
 | [account\_id](#input\_account\_id) | AWS Account ID (default: will pull from current user) | `string` | `""` | no |
-| [other\_role\_names](#input\_other\_role\_names) | List of other role names to allow to assume the role | `list(string)` |
[| no | +| [other\_role\_names](#input\_other\_role\_names) | List of other role names to allow to assume the role | `list(string)` |
"r-inf-terraform",
"r-inf-terraform-eks"
]
[| no | | [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component. This should be used primarily for common infrastructure things | `map(string)` | `{}` | no | | [role\_description](#input\_role\_description) | IAM Role description | `string` | `"INF Terraform Role for Route53 actions"` | no | | [role\_name](#input\_role\_name) | IAM Role name (without prefix) | `string` | `"inf-terraform-route53"` | no | -| [sso\_permissionset\_names](#input\_sso\_permissionset\_names) | List of SSO Permissionset Names (aka, SSO roles) to allow to assume the role | `list(string)` |
"r-inf-terraform",
"r-inf-terraform-eks"
]
[| no | +| [sso\_permissionset\_names](#input\_sso\_permissionset\_names) | List of SSO Permissionset Names (aka, SSO roles) to allow to assume the role | `list(string)` |
"inf-terraform"
]
[| no |
 | [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS). Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no |
 ## Outputs
diff --git a/route53-zone-association/terraform-role/main.tf b/route53-zone-association/terraform-role/main.tf
index 9e37420..05f3ffb 100644
--- a/route53-zone-association/terraform-role/main.tf
+++ b/route53-zone-association/terraform-role/main.tf
@@ -77,6 +77,16 @@ data "aws_iam_policy_document" "policy" {
 "route53:DeleteVPCAssociationAuthorization",
 "route53:TestDNSAnswer",
 "route53:ChangeResourceRecordSets",
+
+ # "route53profiles:AssociateProfile",
+ "route53profiles:AssociateResourceToProfile",
+ "route53profiles:Get*",
+ "route53profiles:List*",
+ "route53profiles:ListProfileResourceAssociations",
+ # "route53profiles:TagResource",
+ # "route53profiles:UntagResource",
+ "route53profiles:UpdateProfileResourceAssociation",
+
 "ssm:DescribeParameters",
 "ssm:GetParameter*",
 ]
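Review bot: The two mutating actions added to this list, `route53profiles:AssociateResourceToProfile` and `route53profiles:UpdateProfileResourceAssociation`, inherit whatever `resources` the enclosing statement declares, and that argument is outside the hunk. If it is `"*"`, the role could change resource associations on every Route 53 profile visible to the account, so it is worth confirming and, if so, moving the `route53profiles:` actions into their own statement with `resources` limited to the profile ARNs this module manages. `"route53profiles:ListProfileResourceAssociations",` is already matched by `"route53profiles:List*",` and can be dropped, or the two wildcards replaced by the explicit read actions the role needs. The three commented-out actions should either be removed or carry a reason, for example `# AssociateProfile / TagResource / UntagResource intentionally not granted: <reason>`. The `data "aws_iam_policy_document" "policy"` block starts and ends outside the hunk.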
"inf-terraform"
]