diff --git a/CHANGELOG.md b/CHANGELOG.md
index 99d23ca..fb22501 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -260,3 +260,7 @@
- flowlogs
- remove iam_role_arn for s3 log destinations to avoid this error:
Error: creating Flow Log (vpc-0f791ea1e2bb46924): InvalidParameter: DeliverLogsPermissionArn is not applicable for s3 delivery
+
+* 2.6.2 -- 2023-03-20
+ - tag-shared-vpc-resources
+ - enable tgw tagging by default, which works now
diff --git a/common/version.tf b/common/version.tf
index 189778a..7a0752c 100644
--- a/common/version.tf
+++ b/common/version.tf
@@ -1,5 +1,5 @@
locals {
- _module_version = "2.6.1"
+ _module_version = "2.6.2"
_module_names = {
"_main_" = "aws-vpc-setup"
diff --git a/examples/full-setup-tf-upgrade/apps/dns/tf-run.data b/examples/full-setup-tf-upgrade/apps/dns/tf-run.data
index 09e56f9..26ec2e6 100644
--- a/examples/full-setup-tf-upgrade/apps/dns/tf-run.data
+++ b/examples/full-setup-tf-upgrade/apps/dns/tf-run.data
@@ -1,11 +1,13 @@
-VERSION 1.1.2
+VERSION 1.1.3
REMOTE-STATE
COMMAND tf-directory-setup.py -l none -f
COMMAND setup-new-directory.sh
COMMAND tf-init -upgrade
-# LINKTOP includes.d/ENVIRONMENT/variables.application_tags.auto.tfvars .
-LINKTOP includes.d/variables.application_tags.tf .
+LINKTOP includes.d/variables.application_tags.tf
+LINKTOP includes.d/prod/variables.application_tags.auto.tfvars
+LINK variables.vpc.tf
+LINK variables.vpc.auto.tfvars
ALL
COMMAND tf-directory-setup.py -l s3
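Review bot: The new LINKTOP on line 37 hard-codes `includes.d/prod/variables.application_tags.auto.tfvars`, where the removed (commented-out) line 34 still had an `ENVIRONMENT` placeholder, so this example directory now always links the prod tfvars regardless of the environment it is run for. If that is intended for this example, a comment such as `# prod only: this example is not parameterised per environment` would make it explicit; otherwise restoring the placeholder form looks like the safer default.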
diff --git a/examples/full-setup-tf-upgrade/apps/dns/versions.tf b/examples/full-setup-tf-upgrade/apps/dns/versions.tf
index ec1ce3c..c791e91 100644
--- a/examples/full-setup-tf-upgrade/apps/dns/versions.tf
+++ b/examples/full-setup-tf-upgrade/apps/dns/versions.tf
@@ -1,12 +1,9 @@
terraform {
+ required_version = ">= 1.0.0"
required_providers {
aws = {
source = "hashicorp/aws"
- version = ">= 3.0"
- }
- infoblox = {
- source = "infobloxopen/infoblox"
- version = ">= 2.1.0"
+ version = ">= 4.0"
}
}
}
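Review bot: The aws provider constraint on line 57 is an open lower bound, `version = ">= 4.0"`, so an init with `-upgrade` will pull whatever the newest major is, including a future one with breaking changes; a pessimistic constraint `version = "~> 4.0"` keeps the example on the 4.x line it was evidently adjusted for. The same consideration applies, to a lesser degree, to `required_version = ">= 1.0.0"` on line 48. The infoblox provider is dropped on lines 54-56; if any resource in this example directory still referenced it, init would fail, which cannot be confirmed from the hunk.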
diff --git a/examples/full-setup-tf-upgrade/outputs.tf b/examples/full-setup-tf-upgrade/outputs.tf
index 1e49471..929f530 100644
--- a/examples/full-setup-tf-upgrade/outputs.tf
+++ b/examples/full-setup-tf-upgrade/outputs.tf
@@ -29,12 +29,14 @@ output "vpc_info" {
output "vpn_tunnel_endpoints" {
description = "VPN Tunnel Endpoint IP Addresses"
- value = module.vpn.vpn_tunnel_endpoints
+ # value = module.vpn.vpn_tunnel_endpoints
+ value = try(module.vpn[0].vpn_tunnel_endpoints, null)
}
output "vpn_labels" {
description = "VPN Label for Description field of Endpoint device (Cisco ASR)"
- value = module.vpn.vpn_labels
+ # value = module.vpn.vpn_labels
+ value = try(module.vpn[0].vpn_labels, null)
}
output "security_groups" {
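Review bot: Lines 69 and 75 keep the previous expressions as commented-out code next to their replacements; version control already records them, so they should be deleted rather than left as dead lines. The `try(module.vpn[0].vpn_tunnel_endpoints, null)` form on lines 70 and 76 also swallows every error, not only the zero-instance case, so a mistyped attribute name would silently become `null`; `value = one(module.vpn[*].vpn_tunnel_endpoints)` (and likewise for `vpn_labels`) yields null only when the module has no instances and still fails loudly on a bad reference. The `security_groups` output on line 78 continues outside the hunk.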
diff --git a/tag-shared-vpc-resources/README.md b/tag-shared-vpc-resources/README.md
index 644b4c8..7a73dd3 100644
--- a/tag-shared-vpc-resources/README.md
+++ b/tag-shared-vpc-resources/README.md
@@ -18,9 +18,6 @@ This reads tags and updates them in the local account and region from these reso
* subnets
* route-tables
* network-acls
-
-These resources are not compatible for sharing. AWS does not support remote (i.e., in a shared to account) tagging:
-
* transit-gateway
## How it works
@@ -51,7 +48,7 @@ module "tag_shared" {
### tag_enabled_route_tables = true
### tag_enabled_subnets = true
### tag_enabled_network_acls = true
- ### tag_enabled_transit_gateway = false
+ ### tag_enabled_transit_gateway = true
}
```
@@ -190,7 +187,7 @@ No modules.
| [tag\_enabled\_network\_acls](#input\_tag\_enabled\_network\_acls) | Flag to tag or not tag shared Network ACLs | `bool` | `true` | no |
| [tag\_enabled\_route\_tables](#input\_tag\_enabled\_route\_tables) | Flag to tag or not tag shared VPC route tables | `bool` | `true` | no |
| [tag\_enabled\_subnets](#input\_tag\_enabled\_subnets) | Flag to tag or not tag shared VPC subnets | `bool` | `true` | no |
-| [tag\_enabled\_transit\_gateway](#input\_tag\_enabled\_transit\_gateway) | Flag to tag or not tag shared VPC Transit Gateway (not currently possible in AWS; this has no effect) | `bool` | `false` | no |
+| [tag\_enabled\_transit\_gateway](#input\_tag\_enabled\_transit\_gateway) | Flag to tag or not tag shared VPC Transit Gateway (not currently possible in AWS; this has no effect) | `bool` | `true` | no |
| [tag\_enabled\_vpcs](#input\_tag\_enabled\_vpcs) | Flag to tag or not tag shared VPCs | `bool` | `true` | no |
| [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS). Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no |
| [vpc\_environment](#input\_vpc\_environment) | VPC environment purpose (infrastructure, common, shared, dev, stage, ite, prod) | `string` | `null` | no |
diff --git a/tag-shared-vpc-resources/main.tf b/tag-shared-vpc-resources/main.tf
index 6a16e29..47f0f1a 100644
--- a/tag-shared-vpc-resources/main.tf
+++ b/tag-shared-vpc-resources/main.tf
@@ -19,9 +19,6 @@
* * subnets
* * route-tables
* * network-acls
-*
-* These resources are not compatible for sharing. AWS does not support remote (i.e., in a shared to account) tagging:
-*
* * transit-gateway
*
* ## How it works
@@ -52,7 +49,7 @@
* ### tag_enabled_route_tables = true
* ### tag_enabled_subnets = true
* ### tag_enabled_network_acls = true
-* ### tag_enabled_transit_gateway = false
+* ### tag_enabled_transit_gateway = true
* }
* ```
*
diff --git a/tag-shared-vpc-resources/tag-transit-gateway.tf b/tag-shared-vpc-resources/tag-transit-gateway.tf
index 46c5687..2e0d9e3 100644
--- a/tag-shared-vpc-resources/tag-transit-gateway.tf
+++ b/tag-shared-vpc-resources/tag-transit-gateway.tf
@@ -12,7 +12,7 @@ data "aws_ec2_transit_gateway" "transit_gateway" {
## }
locals {
- _tgw_enabled = var.tag_enabled_transit_gateway ? false : false
+ _tgw_enabled = var.tag_enabled_transit_gateway
_transit_gateway_tags = local._tgw_enabled ? { format("%v", data.aws_ec2_transit_gateway.transit_gateway[0].id) = data.aws_ec2_transit_gateway.transit_gateway[0] } : {}
transit_gateway_tags = { for k, v in local._transit_gateway_tags : k => merge(v.tags, { "boc:vpc:owner_id" = v.owner_id }) }
transit_gateway_tags_map = flatten([for k, v in local.transit_gateway_tags : [for tk, tv in v : { label = format("%v__%v", k, tk), transit_gateway_id = k, key = tk, value = tv }]])
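Review bot: With line 140 making `_tgw_enabled` follow the variable, the `data.aws_ec2_transit_gateway.transit_gateway[0]` index on line 141 is evaluated for the first time whenever `tag_enabled_transit_gateway` is true (the old `? false : false` meant that branch was never reached), so the data source must have `count = 1` under exactly the same condition or the plan fails with an index error; the data block is outside the hunk, so this cannot be confirmed here. A comment on line 140 stating the coupling, `# must match the count on data.aws_ec2_transit_gateway.transit_gateway`, would keep the two in step when either is edited.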
@@ -20,7 +20,7 @@ locals {
resource "aws_ec2_tag" "transit_gateway" {
provider = aws
- for_each = false ? { for t in local.transit_gateway_tags_map : t.label => t } : {}
+ for_each = { for t in local.transit_gateway_tags_map : t.label => t }
resource_id = each.value.transit_gateway_id
key = each.value.key
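Review bot: The `for_each` on line 148 is now keyed by `t.label`, which is built from the transit gateway id and the tag keys read from the data source, so Terraform needs those values known at plan time; if the data source lookup ever depends on something created in the same run, this yields an "Invalid for_each argument" error instead of the empty map the removed `false ?` guard guaranteed. Also, `provider = aws` on line 146 names the default provider and adds nothing; it can be dropped, or replaced with the alias if a non-default provider was intended.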
@@ -35,4 +35,5 @@ resource "aws_ec2_tag" "transit_gateway" {
## on tag-transit-gateway.tf line 19, in resource "aws_ec2_tag" "transit_gateway":
## 19: resource "aws_ec2_tag" "transit_gateway" {
##
-##
+## 20230320
+## this works now!!
diff --git a/tag-shared-vpc-resources/variables.tf b/tag-shared-vpc-resources/variables.tf
index d9b6dc0..58a8722 100644
--- a/tag-shared-vpc-resources/variables.tf
+++ b/tag-shared-vpc-resources/variables.tf
@@ -36,5 +36,5 @@ variable "tag_enabled_network_acls" {
variable "tag_enabled_transit_gateway" {
description = "Flag to tag or not tag shared VPC Transit Gateway (not currently possible in AWS; this has no effect)"
type = bool
- default = false
+ default = true
}
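Review bot: The default on line 167 flips to `true` while the description on line 164 still says `(not currently possible in AWS; this has no effect)`, which the commit's own tag-transit-gateway.tf changes contradict; the generated README table (lines 104-105) carries the same stale text. Update it to something like `description = "Flag to tag or not tag the shared Transit Gateway in the local account"` and regenerate the README so users are not told a default-on feature does nothing. Flipping the default also changes behaviour for every existing caller that never set this variable (new aws_ec2_tag resources appear on the next apply), which is worth stating explicitly in the changelog entry alongside "enable tgw tagging by default".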