diff --git a/examples/full-setup/apps/dns.old.2/.terraform-docs.yml b/examples/full-setup/apps/dns.old.2/.terraform-docs.yml
new file mode 100644
index 0000000..8391b9d
--- /dev/null
+++ b/examples/full-setup/apps/dns.old.2/.terraform-docs.yml
@@ -0,0 +1,44 @@
+formatter: markdown table
+
+header-from: main.tf
+footer-from: ""
+
+sections:
+##  hide: []
+  show: 
+    - data-sources
+    - header
+    - footer
+    - inputs
+    - modules
+    - outputs
+    - providers
+    - requirements
+    - resources
+    
+output:
+  file: README.md
+  mode: inject
+  template: |-
+    <!-- BEGIN_TF_DOCS -->
+    {{ .Content }}
+    <!-- END_TF_DOCS -->
+
+## output-values:
+##   enabled: false
+##   from: ""
+## 
+## sort:
+##   enabled: true
+##   by: name
+## 
+## settings:
+##   anchor: true
+##   color: true
+##   default: true
+##   description: false
+##   escape: true
+##   indent: 2
+##   required: true
+##   sensitive: true
+##   type: true
diff --git a/examples/full-setup/apps/dns.old.2/README.md b/examples/full-setup/apps/dns.old.2/README.md
new file mode 100644
index 0000000..7c83e0a
--- /dev/null
+++ b/examples/full-setup/apps/dns.old.2/README.md
@@ -0,0 +1,66 @@
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+No requirements.
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | n/a |
+| <a name="provider_external"></a> [external](#provider\_external) | n/a |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_cloudwatch_log_group.dns](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
+| [aws_route53_record.inbound_a](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) | resource |
+| [aws_route53_record.inbound_ptr](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) | resource |
+| [aws_route53_record.outbound_a](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) | resource |
+| [aws_route53_record.outbound_ptr](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) | resource |
+| [aws_route53_resolver_endpoint.inbound](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_resolver_endpoint) | resource |
+| [aws_route53_resolver_endpoint.outbound](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_resolver_endpoint) | resource |
+| [aws_route53_resolver_query_log_config.dns](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_resolver_query_log_config) | resource |
+| [aws_route53_resolver_query_log_config_association.dns](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_resolver_query_log_config_association) | resource |
+| [aws_route53_resolver_rule.all](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_resolver_rule) | resource |
+| [aws_route53_resolver_rule.amazon](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_resolver_rule) | resource |
+| [aws_route53_resolver_rule.reverse](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_resolver_rule) | resource |
+| [aws_route53_resolver_rule_association.all](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_resolver_rule_association) | resource |
+| [aws_route53_resolver_rule_association.amazon](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_resolver_rule_association) | resource |
+| [aws_route53_resolver_rule_association.reverse](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_resolver_rule_association) | resource |
+| [aws_route53_zone.domain_zone](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_zone) | resource |
+| [aws_route53_zone.ptr_zone](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_zone) | resource |
+| [aws_security_group.sg1](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
+| [aws_subnet.endpoints](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnet) | data source |
+| [aws_subnet_ids.endpoints](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnet_ids) | data source |
+| [external_external.inbound_sorted](https://registry.terraform.io/providers/hashicorp/external/latest/docs/data-sources/external) | data source |
+| [external_external.outbound_sorted](https://registry.terraform.io/providers/hashicorp/external/latest/docs/data-sources/external) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_application_tags"></a> [application\_tags](#input\_application\_tags) | Default application tags to be used on non-infrastructure resources | `map(string)` | `{}` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_all_zones"></a> [all\_zones](#output\_all\_zones) | DNS zone list |
+| <a name="output_domain_zone_id"></a> [domain\_zone\_id](#output\_domain\_zone\_id) | DICE development DNS Zone ID |
+| <a name="output_domain_zone_ns"></a> [domain\_zone\_ns](#output\_domain\_zone\_ns) | DICE development DNS Zone Nameservers |
+| <a name="output_inbound_dns"></a> [inbound\_dns](#output\_inbound\_dns) | DNS entries for inbound DNS resolver |
+| <a name="output_inbound_dns_map"></a> [inbound\_dns\_map](#output\_inbound\_dns\_map) | DNS entries for inbound DNS resolver name and IP only |
+| <a name="output_outbound_dns"></a> [outbound\_dns](#output\_outbound\_dns) | DNS entries for outbound DNS resolver |
+| <a name="output_ptr_zone_id"></a> [ptr\_zone\_id](#output\_ptr\_zone\_id) | DICE development DNS PTR Zone IDs |
+| <a name="output_ptr_zone_info"></a> [ptr\_zone\_info](#output\_ptr\_zone\_info) | DICE development DNS PTR Zone Info |
+| <a name="output_ptr_zone_ns"></a> [ptr\_zone\_ns](#output\_ptr\_zone\_ns) | DICE development DNS PTR Zone Nameservers |
+| <a name="output_resolver_endpoint_info"></a> [resolver\_endpoint\_info](#output\_resolver\_endpoint\_info) | DNS Resolver Endpoint Information |
+| <a name="output_sg_sg1_arn"></a> [sg\_sg1\_arn](#output\_sg\_sg1\_arn) | DNS Seurity group ARN |
+| <a name="output_sg_sg1_id"></a> [sg\_sg1\_id](#output\_sg\_sg1\_id) | DNS Seurity group ID |
+<!-- END_TF_DOCS -->
\ No newline at end of file
diff --git a/examples/full-setup/apps/dns/endpoints.tf b/examples/full-setup/apps/dns.old.2/endpoints.tf
similarity index 100%
rename from examples/full-setup/apps/dns/endpoints.tf
rename to examples/full-setup/apps/dns.old.2/endpoints.tf
diff --git a/examples/full-setup/apps/dns/iam.tf b/examples/full-setup/apps/dns.old.2/iam.tf
similarity index 100%
rename from examples/full-setup/apps/dns/iam.tf
rename to examples/full-setup/apps/dns.old.2/iam.tf
diff --git a/examples/full-setup/apps/dns.old.2/locals.tf b/examples/full-setup/apps/dns.old.2/locals.tf
new file mode 100644
index 0000000..60decda
--- /dev/null
+++ b/examples/full-setup/apps/dns.old.2/locals.tf
@@ -0,0 +1,13 @@
+locals {
+  base_tags = {
+    "boc:created_by" = "terraform"
+  }
+}
+
+locals {
+  vpc_info       = data.terraform_remote_state.vpc_east_vpc4.outputs.vpc_info
+  vpc_id         = local.vpc_info["vpc_id"]
+  domain_name    = local.vpc_info["vpc_domain_name"]
+  dns_servers    = local.vpc_info["vpc_dns_servers"]
+  vpc_short_name = local.vpc_info["vpc_short_name"]
+}
diff --git a/examples/full-setup/apps/dns/logging.tf b/examples/full-setup/apps/dns.old.2/logging.tf
similarity index 100%
rename from examples/full-setup/apps/dns/logging.tf
rename to examples/full-setup/apps/dns.old.2/logging.tf
diff --git a/examples/full-setup/apps/dns/records.tf b/examples/full-setup/apps/dns.old.2/records.tf
similarity index 100%
rename from examples/full-setup/apps/dns/records.tf
rename to examples/full-setup/apps/dns.old.2/records.tf
diff --git a/examples/full-setup/apps/dns.old.2/region.tf b/examples/full-setup/apps/dns.old.2/region.tf
new file mode 100644
index 0000000..f617506
--- /dev/null
+++ b/examples/full-setup/apps/dns.old.2/region.tf
@@ -0,0 +1,3 @@
+locals {
+  region = var.region
+}
diff --git a/examples/full-setup/apps/dns/resolver.tf b/examples/full-setup/apps/dns.old.2/resolver.tf
similarity index 100%
rename from examples/full-setup/apps/dns/resolver.tf
rename to examples/full-setup/apps/dns.old.2/resolver.tf
diff --git a/examples/full-setup/apps/dns/sg-dns.tf b/examples/full-setup/apps/dns.old.2/sg-dns.tf
similarity index 100%
rename from examples/full-setup/apps/dns/sg-dns.tf
rename to examples/full-setup/apps/dns.old.2/sg-dns.tf
diff --git a/examples/full-setup/apps/dns.old.2/sort-ip.py b/examples/full-setup/apps/dns.old.2/sort-ip.py
new file mode 100755
index 0000000..293f723
--- /dev/null
+++ b/examples/full-setup/apps/dns.old.2/sort-ip.py
@@ -0,0 +1,19 @@
+#!/bin/env python
+
+import json
+import sys
+import ipaddress
+
+r=0
+outdata={'ip_addresses_sorted':''}
+try:
+  indata=json.load(sys.stdin)
+  ipa=indata['ip_addresses'].split(',')
+  ips=sorted(ipa,key=ipaddress.ip_address)
+  outdata['ip_addresses_sorted']=','.join(ips)
+  print(json.dumps(outdata))
+except:
+  sys.stderr.write("unable to parse input address\n")
+  r=1
+
+sys.exit(r)
diff --git a/examples/full-setup/apps/dns.old.2/tf-run.data b/examples/full-setup/apps/dns.old.2/tf-run.data
new file mode 100644
index 0000000..aded045
--- /dev/null
+++ b/examples/full-setup/apps/dns.old.2/tf-run.data
@@ -0,0 +1,7 @@
+COMMAND tf-directory-setup.py -l none -f
+COMMAND tf-init -upgrade
+COMMAND mv records.tf records.tf.later
+ALL
+COMMAND mv records.tf.later records.tf
+ALL
+COMMAND tf-directory-setup.py -l s3
diff --git a/examples/full-setup/apps/dns/variables.application_tags.tf b/examples/full-setup/apps/dns.old.2/variables.application_tags.tf
similarity index 100%
rename from examples/full-setup/apps/dns/variables.application_tags.tf
rename to examples/full-setup/apps/dns.old.2/variables.application_tags.tf
diff --git a/examples/full-setup/apps/dns.old.2/zones.tf b/examples/full-setup/apps/dns.old.2/zones.tf
new file mode 100644
index 0000000..85e05db
--- /dev/null
+++ b/examples/full-setup/apps/dns.old.2/zones.tf
@@ -0,0 +1,104 @@
+locals {
+  # calculate set of /24 blocks for PTR subnets from cidr bock size
+  vpc_cidr_block = local.vpc_info["vpc_cidr_block"]
+  bits           = tonumber(split("/", local.vpc_cidr_block)[1])
+  split_bits     = 24 - local.bits
+  _ptr_zones     = local.split_bits > 0 ? { for x in range(0, pow(2, local.split_bits)) : x => cidrsubnet(local.vpc_cidr_block, local.split_bits, x) } : {}
+  ptr_zones = { for x, s in local._ptr_zones : s => {
+    index    = x
+    cidr     = s
+    octets   = split(".", split("/", s)[0])
+    bits     = tonumber(split("/", s)[1])
+    ptr_zone = format("%v.in-addr.arpa", join(".", reverse(slice(split(".", split("/", s)[0]), 0, 3))))
+    }
+  }
+}
+
+#---
+# domain (forward) zone
+#---
+resource "aws_route53_zone" "domain_zone" {
+  name          = local.domain_name
+  comment       = "DICE development DNS Zone"
+  force_destroy = false
+
+  vpc {
+    vpc_id     = local.vpc_id
+    vpc_region = local.region
+  }
+
+  # lifecycle {
+  #    ignore_changes
+  # }
+
+  tags = merge(
+    local.base_tags,
+    local.common_tags,
+    var.application_tags,
+    tomap({ "Name" = local.domain_name }),
+  )
+}
+#resource "aws_route53_zone_association" "dns_zone" { }
+
+output "domain_zone_id" {
+  description = "DICE development DNS Zone ID"
+  value       = aws_route53_zone.domain_zone.zone_id
+}
+
+output "domain_zone_ns" {
+  description = "DICE development DNS Zone Nameservers"
+  value       = aws_route53_zone.domain_zone.name_servers
+}
+
+#---
+# ptr (reverse) zones
+#---
+resource "aws_route53_zone" "ptr_zone" {
+  for_each = local.ptr_zones
+
+  name          = each.value.ptr_zone
+  comment       = format("DICE development DNS PTR Zone %v (%v)", each.value.ptr_zone, each.value.cidr)
+  force_destroy = false
+
+  vpc {
+    vpc_id     = local.vpc_id
+    vpc_region = local.region
+  }
+
+  # lifecycle {
+  #    ignore_changes
+  # }
+
+  tags = merge(
+    local.base_tags,
+    local.common_tags,
+    var.application_tags,
+    tomap({ "Name" = each.value.ptr_zone }),
+  )
+}
+
+
+output "ptr_zone_id" {
+  description = "DICE development DNS PTR Zone IDs"
+  value       = { for x, s in local.ptr_zones : x => aws_route53_zone.ptr_zone[x].zone_id }
+}
+
+output "ptr_zone_ns" {
+  description = "DICE development DNS PTR Zone Nameservers"
+  value       = { for x, s in local.ptr_zones : x => aws_route53_zone.ptr_zone[x].name_servers }
+}
+
+output "ptr_zone_info" {
+  description = "DICE development DNS PTR Zone Info"
+  value = { for x, s in local.ptr_zones : x => {
+    cidr         = s.cidr
+    ptr_zone     = s.ptr_zone
+    zone_id      = aws_route53_zone.ptr_zone[x].zone_id
+    name_servers = aws_route53_zone.ptr_zone[x].name_servers
+  } }
+}
+
+output "all_zones" {
+  description = "DNS zone list"
+  value       = flatten(concat([local.domain_name], [for x, s in local.ptr_zones : s.ptr_zone]))
+}
diff --git a/examples/full-setup/apps/dns/README.md b/examples/full-setup/apps/dns/README.md
index 7c83e0a..0d006f9 100644
--- a/examples/full-setup/apps/dns/README.md
+++ b/examples/full-setup/apps/dns/README.md
@@ -8,7 +8,8 @@ No requirements.
 | Name | Version |
 |------|---------|
 | <a name="provider_aws"></a> [aws](#provider\_aws) | n/a |
-| <a name="provider_external"></a> [external](#provider\_external) | n/a |
+| <a name="provider_aws.east_main_dns"></a> [aws.east\_main\_dns](#provider\_aws.east\_main\_dns) | n/a |
+| <a name="provider_aws.west_main_dns"></a> [aws.west\_main\_dns](#provider\_aws.west\_main\_dns) | n/a |
 
 ## Modules
 
@@ -18,49 +19,37 @@ No modules.
 
 | Name | Type |
 |------|------|
-| [aws_cloudwatch_log_group.dns](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
-| [aws_route53_record.inbound_a](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) | resource |
-| [aws_route53_record.inbound_ptr](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) | resource |
-| [aws_route53_record.outbound_a](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) | resource |
-| [aws_route53_record.outbound_ptr](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) | resource |
-| [aws_route53_resolver_endpoint.inbound](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_resolver_endpoint) | resource |
-| [aws_route53_resolver_endpoint.outbound](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_resolver_endpoint) | resource |
-| [aws_route53_resolver_query_log_config.dns](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_resolver_query_log_config) | resource |
-| [aws_route53_resolver_query_log_config_association.dns](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_resolver_query_log_config_association) | resource |
-| [aws_route53_resolver_rule.all](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_resolver_rule) | resource |
-| [aws_route53_resolver_rule.amazon](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_resolver_rule) | resource |
-| [aws_route53_resolver_rule.reverse](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_resolver_rule) | resource |
-| [aws_route53_resolver_rule_association.all](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_resolver_rule_association) | resource |
-| [aws_route53_resolver_rule_association.amazon](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_resolver_rule_association) | resource |
-| [aws_route53_resolver_rule_association.reverse](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_resolver_rule_association) | resource |
+| [aws_route53_resolver_rule_association.all_rules](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_resolver_rule_association) | resource |
+| [aws_route53_vpc_association_authorization.east_domain_zone](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_vpc_association_authorization) | resource |
+| [aws_route53_vpc_association_authorization.east_ptr_zone](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_vpc_association_authorization) | resource |
+| [aws_route53_vpc_association_authorization.west_domain_zone](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_vpc_association_authorization) | resource |
+| [aws_route53_vpc_association_authorization.west_ptr_zone](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_vpc_association_authorization) | resource |
 | [aws_route53_zone.domain_zone](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_zone) | resource |
 | [aws_route53_zone.ptr_zone](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_zone) | resource |
-| [aws_security_group.sg1](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
-| [aws_subnet.endpoints](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnet) | data source |
-| [aws_subnet_ids.endpoints](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnet_ids) | data source |
-| [external_external.inbound_sorted](https://registry.terraform.io/providers/hashicorp/external/latest/docs/data-sources/external) | data source |
-| [external_external.outbound_sorted](https://registry.terraform.io/providers/hashicorp/external/latest/docs/data-sources/external) | data source |
+| [aws_route53_zone_association.east_domain_zone](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_zone_association) | resource |
+| [aws_route53_zone_association.east_ptr_zone](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_zone_association) | resource |
+| [aws_route53_zone_association.west_domain_zone](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_zone_association) | resource |
+| [aws_route53_zone_association.west_ptr_zone](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_zone_association) | resource |
+| [aws_route53_resolver_rules.all_rules](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/route53_resolver_rules) | data source |
+| [aws_route53_zone.domain_zone](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/route53_zone) | data source |
 
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| <a name="input_application_tags"></a> [application\_tags](#input\_application\_tags) | Default application tags to be used on non-infrastructure resources | `map(string)` | `{}` | no |
+| <a name="input_dns_zone_create"></a> [dns\_zone\_create](#input\_dns\_zone\_create) | Flag determing to create (true) or associate (false) the main forward zone.  Used for the same VPC domain name across different regions or VPCs | `bool` | `true` | no |
+| <a name="input_dns_zone_description_prefix"></a> [dns\_zone\_description\_prefix](#input\_dns\_zone\_description\_prefix) | Zone description with the org-project-program-environment | `string` | `""` | no |
+| <a name="input_main_dns_profile"></a> [main\_dns\_profile](#input\_main\_dns\_profile) | Profile name for AWS for the main DNS central account | `string` | `"107742151971-do2-govcloud"` | no |
+| <a name="input_main_dns_vpcs"></a> [main\_dns\_vpcs](#input\_main\_dns\_vpcs) | Map of region and VPC ids of the vpc1-services in us-gov-west-1 and us-gov-east-1 for centralized DNS | `map(string)` | <pre>{<br>  "us-gov-east-1": "vpc-099a991da7c4eb8a5",<br>  "us-gov-west-1": "vpc-77877a12"<br>}</pre> | no |
 
 ## Outputs
 
 | Name | Description |
 |------|-------------|
 | <a name="output_all_zones"></a> [all\_zones](#output\_all\_zones) | DNS zone list |
-| <a name="output_domain_zone_id"></a> [domain\_zone\_id](#output\_domain\_zone\_id) | DICE development DNS Zone ID |
-| <a name="output_domain_zone_ns"></a> [domain\_zone\_ns](#output\_domain\_zone\_ns) | DICE development DNS Zone Nameservers |
-| <a name="output_inbound_dns"></a> [inbound\_dns](#output\_inbound\_dns) | DNS entries for inbound DNS resolver |
-| <a name="output_inbound_dns_map"></a> [inbound\_dns\_map](#output\_inbound\_dns\_map) | DNS entries for inbound DNS resolver name and IP only |
-| <a name="output_outbound_dns"></a> [outbound\_dns](#output\_outbound\_dns) | DNS entries for outbound DNS resolver |
-| <a name="output_ptr_zone_id"></a> [ptr\_zone\_id](#output\_ptr\_zone\_id) | DICE development DNS PTR Zone IDs |
-| <a name="output_ptr_zone_info"></a> [ptr\_zone\_info](#output\_ptr\_zone\_info) | DICE development DNS PTR Zone Info |
-| <a name="output_ptr_zone_ns"></a> [ptr\_zone\_ns](#output\_ptr\_zone\_ns) | DICE development DNS PTR Zone Nameservers |
-| <a name="output_resolver_endpoint_info"></a> [resolver\_endpoint\_info](#output\_resolver\_endpoint\_info) | DNS Resolver Endpoint Information |
-| <a name="output_sg_sg1_arn"></a> [sg\_sg1\_arn](#output\_sg\_sg1\_arn) | DNS Seurity group ARN |
-| <a name="output_sg_sg1_id"></a> [sg\_sg1\_id](#output\_sg\_sg1\_id) | DNS Seurity group ID |
+| <a name="output_domain_zone_id"></a> [domain\_zone\_id](#output\_domain\_zone\_id) | DNS Zone ID |
+| <a name="output_domain_zone_ns"></a> [domain\_zone\_ns](#output\_domain\_zone\_ns) | DNS Zone Nameservers |
+| <a name="output_ptr_zone_id"></a> [ptr\_zone\_id](#output\_ptr\_zone\_id) | DNS PTR Zone IDs |
+| <a name="output_ptr_zone_info"></a> [ptr\_zone\_info](#output\_ptr\_zone\_info) | DNS PTR Zone Info |
+| <a name="output_ptr_zone_ns"></a> [ptr\_zone\_ns](#output\_ptr\_zone\_ns) | DNS PTR Zone Nameservers |
 <!-- END_TF_DOCS -->
\ No newline at end of file
diff --git a/examples/full-setup/apps/dns/associate-shared.tf b/examples/full-setup/apps/dns/associate-shared.tf
new file mode 100644
index 0000000..a36617b
--- /dev/null
+++ b/examples/full-setup/apps/dns/associate-shared.tf
@@ -0,0 +1,25 @@
+## locals {
+##   reverse_zones = flatten([
+##     "10.in-addr.arpa",
+##     "168.192.in-addr.arpa",
+##     "129.148.in-addr.arpa",
+##     [for x in range(16, 32) : format("%v.172.in-addr.arpa", x)],
+##   ])
+##   reverse_rules  = formatlist("reverse-%v", local.reverse_zones)
+##   forward_rules  = ["forward-all-onprem", "amazon"]
+##   all_main_rules = formatlist("resolver-%v", concat(local.forward_rules, local.reverse_rules))
+## }
+
+data "aws_route53_resolver_rules" "all_rules" {
+  share_status = "SHARED_WITH_ME"
+}
+
+data "aws_route53_resolver_rules" "all_rules_me" {
+  share_status = "SHARED_BY_ME"
+}
+
+resource "aws_route53_resolver_rule_association" "all_rules" {
+  for_each         = length(data.aws_route53_resolver_rules.all_rules.resolver_rule_ids) > 0 ? toset(data.aws_route53_resolver_rules.all_rules.resolver_rule_ids) : toset(data.aws_route53_resolver_rules.all_rules_me.resolver_rule_ids)
+  resolver_rule_id = each.key
+  vpc_id           = local.vpc_id
+}
diff --git a/examples/full-setup/apps/dns/locals.tf b/examples/full-setup/apps/dns/locals.tf
index 60decda..6c49d21 100644
--- a/examples/full-setup/apps/dns/locals.tf
+++ b/examples/full-setup/apps/dns/locals.tf
@@ -5,7 +5,7 @@ locals {
 }
 
 locals {
-  vpc_info       = data.terraform_remote_state.vpc_east_vpc4.outputs.vpc_info
+  vpc_info       = data.terraform_remote_state.vpc_REGION_vpcN.outputs.vpc_info
   vpc_id         = local.vpc_info["vpc_id"]
   domain_name    = local.vpc_info["vpc_domain_name"]
   dns_servers    = local.vpc_info["vpc_dns_servers"]
diff --git a/examples/full-setup/apps/dns/provider.main_dns.tf b/examples/full-setup/apps/dns/provider.main_dns.tf
new file mode 100644
index 0000000..0e693d1
--- /dev/null
+++ b/examples/full-setup/apps/dns/provider.main_dns.tf
@@ -0,0 +1,11 @@
+provider "aws" {
+  alias   = "east_main_dns"
+  region  = var.region_map["east"]
+  profile = var.main_dns_profile
+}
+
+provider "aws" {
+  alias   = "west_main_dns"
+  region  = var.region_map["west"]
+  profile = var.main_dns_profile
+}
diff --git a/examples/full-setup/apps/dns/tf-run.data b/examples/full-setup/apps/dns/tf-run.data
index aded045..09e56f9 100644
--- a/examples/full-setup/apps/dns/tf-run.data
+++ b/examples/full-setup/apps/dns/tf-run.data
@@ -1,7 +1,11 @@
+VERSION 1.1.2
+REMOTE-STATE
 COMMAND tf-directory-setup.py -l none -f
+COMMAND setup-new-directory.sh
 COMMAND tf-init -upgrade
-COMMAND mv records.tf records.tf.later
-ALL
-COMMAND mv records.tf.later records.tf
+
+# LINKTOP includes.d/ENVIRONMENT/variables.application_tags.auto.tfvars .
+LINKTOP includes.d/variables.application_tags.tf .
+
 ALL
 COMMAND tf-directory-setup.py -l s3
diff --git a/examples/full-setup/apps/dns/variables.dns.tf b/examples/full-setup/apps/dns/variables.dns.tf
new file mode 100644
index 0000000..68ed443
--- /dev/null
+++ b/examples/full-setup/apps/dns/variables.dns.tf
@@ -0,0 +1,27 @@
+variable "main_dns_vpcs" {
+  description = "Map of region and VPC ids of the vpc1-services in us-gov-west-1 and us-gov-east-1 for centralized DNS"
+  type        = map(string)
+  default = {
+    "us-gov-west-1" = "vpc-77877a12"
+    "us-gov-east-1" = "vpc-099a991da7c4eb8a5"
+  }
+}
+
+variable "main_dns_profile" {
+  description = "Profile name for AWS for the main DNS central account"
+  type        = string
+  default     = "107742151971-do2-govcloud"
+}
+
+
+variable "dns_zone_description_prefix" {
+  description = "Zone description with the org-project-program-environment"
+  type        = string
+  default     = ""
+}
+
+variable "dns_zone_create" {
+  description = "Flag determing to create (true) or associate (false) the main forward zone.  Used for the same VPC domain name across different regions or VPCs"
+  type        = bool
+  default     = true
+}
diff --git a/examples/full-setup/apps/dns/versions.tf b/examples/full-setup/apps/dns/versions.tf
new file mode 100644
index 0000000..ec1ce3c
--- /dev/null
+++ b/examples/full-setup/apps/dns/versions.tf
@@ -0,0 +1,12 @@
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 3.0"
+    }
+    infoblox = {
+      source  = "infobloxopen/infoblox"
+      version = ">= 2.1.0"
+    }
+  }
+}
diff --git a/examples/full-setup/apps/dns/zones.tf b/examples/full-setup/apps/dns/zones.tf
index 85e05db..d58dcd4 100644
--- a/examples/full-setup/apps/dns/zones.tf
+++ b/examples/full-setup/apps/dns/zones.tf
@@ -12,14 +12,25 @@ locals {
     ptr_zone = format("%v.in-addr.arpa", join(".", reverse(slice(split(".", split("/", s)[0]), 0, 3))))
     }
   }
+
+  zone_description = var.dns_zone_description_prefix == "" ? var.dns_zone_description_prefix : format("%v ", var.dns_zone_description_prefix)
 }
 
 #---
 # domain (forward) zone
+#   need to pull this ando ther forward zones up to vpc/apps/dns
 #---
+data "aws_route53_zone" "domain_zone" {
+  #  provider = aws.east
+  count        = var.dns_zone_create ? 0 : 1
+  name         = local.domain_name
+  private_zone = true
+}
+
 resource "aws_route53_zone" "domain_zone" {
+  count         = var.dns_zone_create ? 1 : 0
   name          = local.domain_name
-  comment       = "DICE development DNS Zone"
+  comment       = format("%vDNS Forward Zone %v", local.zone_description, local.domain_name)
   force_destroy = false
 
   vpc {
@@ -27,9 +38,9 @@ resource "aws_route53_zone" "domain_zone" {
     vpc_region = local.region
   }
 
-  # lifecycle {
-  #    ignore_changes
-  # }
+  lifecycle {
+    ignore_changes = [vpc]
+  }
 
   tags = merge(
     local.base_tags,
@@ -38,16 +49,60 @@ resource "aws_route53_zone" "domain_zone" {
     tomap({ "Name" = local.domain_name }),
   )
 }
-#resource "aws_route53_zone_association" "dns_zone" { }
+
+resource "aws_route53_vpc_association_authorization" "west_domain_zone" {
+  #  provider = aws.west_main_dns
+  #  for_each   = tomap({ "zone" = var.dns_zone_create ? aws_route53_zone.domain_zone[0] : data.aws_route53_zone.domain_zone[0] })
+  for_each   = var.dns_zone_create ? { "zone" = aws_route53_zone.domain_zone[0] } : {}
+  zone_id    = each.value.zone_id
+  vpc_region = "us-gov-west-1"
+  vpc_id     = var.main_dns_vpcs["us-gov-west-1"]
+}
+
+resource "aws_route53_zone_association" "west_domain_zone" {
+  provider = aws.west_main_dns
+  for_each = var.dns_zone_create ? aws_route53_vpc_association_authorization.west_domain_zone : {}
+
+  zone_id    = each.value.zone_id
+  vpc_id     = each.value.vpc_id
+  vpc_region = each.value.vpc_region
+}
+
+# resource "aws_route53_zone_association" "east_domain_zone"  {
+#   for_each = tomap({"zone" = aws_route53_zone.domain_zone[0]})
+#   zone_id = each.value.zone_id
+#   vpc_region  = "us-gov-east-1"
+#   vpc_id  = var.main_dns_vpcs["us-gov-east-1"]
+# }
+
+resource "aws_route53_vpc_association_authorization" "east_domain_zone" {
+  #  provider = aws.east_main_dns
+  #  for_each = tomap({ "zone" = var.dns_zone_create ? aws_route53_zone.domain_zone[0] : data.aws_route53_zone.domain_zone[0] })
+  for_each = var.dns_zone_create ? { "zone" = aws_route53_zone.domain_zone[0] } : {}
+
+  zone_id    = each.value.zone_id
+  vpc_region = "us-gov-east-1"
+  vpc_id     = var.main_dns_vpcs["us-gov-east-1"]
+}
+
+resource "aws_route53_zone_association" "east_domain_zone" {
+  provider   = aws.east_main_dns
+  for_each   = var.dns_zone_create ? aws_route53_vpc_association_authorization.east_domain_zone : {}
+  zone_id    = each.value.zone_id
+  vpc_id     = each.value.vpc_id
+  vpc_region = each.value.vpc_region
+}
 
 output "domain_zone_id" {
-  description = "DICE development DNS Zone ID"
-  value       = aws_route53_zone.domain_zone.zone_id
+  description = "DNS Zone ID"
+  #  value       = aws_route53_zone.domain_zone[0].zone_id
+  value = var.dns_zone_create ? aws_route53_zone.domain_zone[0].zone_id : data.aws_route53_zone.domain_zone[0].zone_id
 }
 
 output "domain_zone_ns" {
-  description = "DICE development DNS Zone Nameservers"
-  value       = aws_route53_zone.domain_zone.name_servers
+  description = "DNS Zone Nameservers"
+  #  value       = aws_route53_zone.domain_zone[0].name_servers
+  value = var.dns_zone_create ? aws_route53_zone.domain_zone[0].name_servers : data.aws_route53_zone.domain_zone[0].name_servers
 }
 
 #---
@@ -57,7 +112,7 @@ resource "aws_route53_zone" "ptr_zone" {
   for_each = local.ptr_zones
 
   name          = each.value.ptr_zone
-  comment       = format("DICE development DNS PTR Zone %v (%v)", each.value.ptr_zone, each.value.cidr)
+  comment       = format("%vDNS PTR Zone %v (%v)", local.zone_description, each.value.ptr_zone, each.value.cidr)
   force_destroy = false
 
   vpc {
@@ -65,9 +120,9 @@ resource "aws_route53_zone" "ptr_zone" {
     vpc_region = local.region
   }
 
-  # lifecycle {
-  #    ignore_changes
-  # }
+  lifecycle {
+    ignore_changes = [vpc]
+  }
 
   tags = merge(
     local.base_tags,
@@ -77,19 +132,69 @@ resource "aws_route53_zone" "ptr_zone" {
   )
 }
 
+resource "aws_route53_vpc_association_authorization" "west_ptr_zone" {
+  #  provider = aws.west_main_dns
+  for_each = aws_route53_zone.ptr_zone
+
+  zone_id    = each.value.zone_id
+  vpc_region = "us-gov-west-1"
+  vpc_id     = var.main_dns_vpcs["us-gov-west-1"]
+}
+
+resource "aws_route53_zone_association" "west_ptr_zone" {
+  provider = aws.west_main_dns
+  for_each = aws_route53_vpc_association_authorization.west_ptr_zone
+
+  zone_id    = each.value.zone_id
+  vpc_id     = each.value.vpc_id
+  vpc_region = each.value.vpc_region
+}
+
+resource "aws_route53_vpc_association_authorization" "east_ptr_zone" {
+  #  provider = aws.east_main_dns
+  for_each = aws_route53_zone.ptr_zone
+
+  zone_id    = each.value.zone_id
+  vpc_region = "us-gov-east-1"
+  vpc_id     = var.main_dns_vpcs["us-gov-east-1"]
+}
+
+resource "aws_route53_zone_association" "east_ptr_zone" {
+  provider = aws.east_main_dns
+  for_each = aws_route53_vpc_association_authorization.east_ptr_zone
+
+  zone_id    = each.value.zone_id
+  vpc_id     = each.value.vpc_id
+  vpc_region = each.value.vpc_region
+}
+
+## resource "aws_route53_zone_association" "west_ptr_zone" {
+##   for_each = aws_route53_zone.ptr_zone
+##   zone_id = each.value.zone_id
+##   vpc_region  = "us-gov-west-1"
+##   vpc_id  = var.main_dns_vpcs["us-gov-west-1"]
+## }
+## 
+## resource "aws_route53_zone_association" "east_ptr_zone" {
+##   for_each = aws_route53_zone.ptr_zone
+##   zone_id = each.value.zone_id
+##   vpc_region  = "us-gov-east-1"
+##   vpc_id  = var.main_dns_vpcs["us-gov-east-1"]
+## }
+## 
 
 output "ptr_zone_id" {
-  description = "DICE development DNS PTR Zone IDs"
+  description = "DNS PTR Zone IDs"
   value       = { for x, s in local.ptr_zones : x => aws_route53_zone.ptr_zone[x].zone_id }
 }
 
 output "ptr_zone_ns" {
-  description = "DICE development DNS PTR Zone Nameservers"
+  description = "DNS PTR Zone Nameservers"
   value       = { for x, s in local.ptr_zones : x => aws_route53_zone.ptr_zone[x].name_servers }
 }
 
 output "ptr_zone_info" {
-  description = "DICE development DNS PTR Zone Info"
+  description = "DNS PTR Zone Info"
   value = { for x, s in local.ptr_zones : x => {
     cidr         = s.cidr
     ptr_zone     = s.ptr_zone