diff --git a/examples/full-setup-tf-upgrade/.gitignore b/examples/full-setup-tf-upgrade/.gitignore new file mode 100644 index 0000000..efb4e2a --- /dev/null +++ b/examples/full-setup-tf-upgrade/.gitignore @@ -0,0 +1 @@ +vpn-configs diff --git a/examples/full-setup-tf-upgrade/README.md b/examples/full-setup-tf-upgrade/README.md new file mode 100644 index 0000000..798725e --- /dev/null +++ b/examples/full-setup-tf-upgrade/README.md 
@@ -0,0 +1,80 @@ + +# About + +This directory constructs the appropriate resources for the vpc2-dice-dev VPC, including: + +* VPC +* Subnets +* Route Tables +* Network ACLs +* VPN (CGW, VPG, VPN Connectiosn) +* Flow Logs +* Securtity Groups (base, others) + + + +# Application Information + +* Application: DICE +* Environment: development +* Organization: ADSD, CTO +* Project: DICE +* Point of Contact(s): +* Creation Date: 2021-05-10 +* References: + * Requirements: https://github.e.it.census.gov/terraform/cloud-information/blob/master/aws/projects/dice/ + * Remedy Ticket: {number} + * Other: {other} +* Related Configurations: + * {directory-path} + +# Application Requirements + + + +# Terraform Directions + + + + +# Details + + +account_alias = "" +account_id = "" +aws_environment = "" +census_private_cidr = [ + "148.129.0.0/16", + "172.16.0.0/12", + "192.168.0.0/16" +] +census_public_cidr = [ + "148.129.0.0/16" +] +kms_tfstate_key = "k-kms-inf-tfstate" +profile = "" +region = "" +region_map = {} +regions = [] +tag_costallocation = "csvd:infrastructure" +tag_creator = "" +tfstate_bucket = "inf-tfstate-252960665057" +tfstate_bucket_prefix = "inf-tfstate" +tfstate_key_prefix = "ma6-gov" +tfstate_key_suffix = "terraform.tfstate" +tfstate_region = "us-gov-east-1" +tfstate_table = "tf_remote_state" +vpc_cidr_block = "" +vpc_dns_servers = [] +vpc_domain_name = "" +vpc_enable_awsdns = false +vpc_enable_igw = false +vpc_enable_nat = false +vpc_enable_vpn = true +vpc_environment = "" +vpc_full_name = "" +vpc_index = "" +vpc_name = "" +vpc_ntp_servers = [] +vpc_short_name = "" + diff --git a/examples/full-setup-tf-upgrade/apps/.terraform-docs.yml b/examples/full-setup-tf-upgrade/apps/.terraform-docs.yml new file mode 100644 index 0000000..8391b9d --- /dev/null +++ b/examples/full-setup-tf-upgrade/apps/.terraform-docs.yml 
@@ -0,0 +1,44 @@ +formatter: markdown table + +header-from: main.tf +footer-from: "" + +sections: +## hide: [] + show: + - data-sources + - header + - footer + - inputs + - modules + - outputs + - providers + - requirements + - resources + +output: + file: README.md + mode: inject + template: |- + + {{ .Content }} + + +## output-values: +## enabled: false +## from: "" +## +## sort: +## enabled: true +## by: name +## +## settings: +## anchor: true +## color: true +## default: true +## description: false +## escape: true +## indent: 2 +## required: true +## sensitive: true +## type: true diff --git a/examples/full-setup-tf-upgrade/apps/dns/.terraform-docs.yml b/examples/full-setup-tf-upgrade/apps/dns/.terraform-docs.yml new file mode 100644 index 0000000..8391b9d --- /dev/null +++ b/examples/full-setup-tf-upgrade/apps/dns/.terraform-docs.yml @@ -0,0 +1,44 @@ +formatter: markdown table + +header-from: main.tf +footer-from: "" + +sections: +## hide: [] + show: + - data-sources + - header + - footer + - inputs + - modules + - outputs + - providers + - requirements + - resources + +output: + file: README.md + mode: inject + template: |- + + {{ .Content }} + + +## output-values: +## enabled: false +## from: "" +## +## sort: +## enabled: true +## by: name +## +## settings: +## anchor: true +## color: true +## default: true +## description: false +## escape: true +## indent: 2 +## required: true +## sensitive: true +## type: true diff --git a/examples/full-setup-tf-upgrade/apps/dns/README.md b/examples/full-setup-tf-upgrade/apps/dns/README.md new file mode 100644 index 0000000..0d006f9 --- /dev/null +++ b/examples/full-setup-tf-upgrade/apps/dns/README.md 
@@ -0,0 +1,55 @@ + +## Requirements + +No requirements. + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | n/a | +| [aws.east\_main\_dns](#provider\_aws.east\_main\_dns) | n/a | +| [aws.west\_main\_dns](#provider\_aws.west\_main\_dns) | n/a | + +## Modules + +No modules. + +## Resources + +| Name | Type | +|------|------| +| [aws_route53_resolver_rule_association.all_rules](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_resolver_rule_association) | resource | +| [aws_route53_vpc_association_authorization.east_domain_zone](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_vpc_association_authorization) | resource | +| [aws_route53_vpc_association_authorization.east_ptr_zone](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_vpc_association_authorization) | resource | +| [aws_route53_vpc_association_authorization.west_domain_zone](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_vpc_association_authorization) | resource | +| [aws_route53_vpc_association_authorization.west_ptr_zone](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_vpc_association_authorization) | resource | +| [aws_route53_zone.domain_zone](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_zone) | resource | +| [aws_route53_zone.ptr_zone](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_zone) | resource | +| [aws_route53_zone_association.east_domain_zone](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_zone_association) | resource | +| [aws_route53_zone_association.east_ptr_zone](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_zone_association) | resource | +| 
[aws_route53_zone_association.west_domain_zone](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_zone_association) | resource | +| [aws_route53_zone_association.west_ptr_zone](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_zone_association) | resource | +| [aws_route53_resolver_rules.all_rules](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/route53_resolver_rules) | data source | +| [aws_route53_zone.domain_zone](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/route53_zone) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [dns\_zone\_create](#input\_dns\_zone\_create) | Flag determing to create (true) or associate (false) the main forward zone. Used for the same VPC domain name across different regions or VPCs | `bool` | `true` | no | +| [dns\_zone\_description\_prefix](#input\_dns\_zone\_description\_prefix) | Zone description with the org-project-program-environment | `string` | `""` | no | +| [main\_dns\_profile](#input\_main\_dns\_profile) | Profile name for AWS for the main DNS central account | `string` | `"107742151971-do2-govcloud"` | no | +| [main\_dns\_vpcs](#input\_main\_dns\_vpcs) | Map of region and VPC ids of the vpc1-services in us-gov-west-1 and us-gov-east-1 for centralized DNS | `map(string)` |
{
"us-gov-east-1": "vpc-099a991da7c4eb8a5",
"us-gov-west-1": "vpc-77877a12"
}
| no | + +## Outputs + +| Name | Description | +|------|-------------| +| [all\_zones](#output\_all\_zones) | DNS zone list | +| [domain\_zone\_id](#output\_domain\_zone\_id) | DNS Zone ID | +| [domain\_zone\_ns](#output\_domain\_zone\_ns) | DNS Zone Nameservers | +| [ptr\_zone\_id](#output\_ptr\_zone\_id) | DNS PTR Zone IDs | +| [ptr\_zone\_info](#output\_ptr\_zone\_info) | DNS PTR Zone Info | +| [ptr\_zone\_ns](#output\_ptr\_zone\_ns) | DNS PTR Zone Nameservers | + \ No newline at end of file diff --git a/examples/full-setup-tf-upgrade/apps/dns/associate-shared.tf b/examples/full-setup-tf-upgrade/apps/dns/associate-shared.tf new file mode 100644 index 0000000..acf8736 --- /dev/null +++ b/examples/full-setup-tf-upgrade/apps/dns/associate-shared.tf @@ -0,0 +1,21 @@ +## locals { +## reverse_zones = flatten([ +## "10.in-addr.arpa", +## "168.192.in-addr.arpa", +## "129.148.in-addr.arpa", +## [for x in range(16, 32) : format("%v.172.in-addr.arpa", x)], +## ]) +## reverse_rules = formatlist("reverse-%v", local.reverse_zones) +## forward_rules = ["forward-all-onprem", "amazon"] +## all_main_rules = formatlist("resolver-%v", concat(local.forward_rules, local.reverse_rules)) +## } + +data "aws_route53_resolver_rules" "all_rules" { + share_status = "SHARED_WITH_ME" +} + +resource "aws_route53_resolver_rule_association" "all_rules" { + for_each = toset(data.aws_route53_resolver_rules.all_rules.resolver_rule_ids) + resolver_rule_id = each.key + vpc_id = local.vpc_id +} diff --git a/examples/full-setup-tf-upgrade/apps/dns/locals.tf b/examples/full-setup-tf-upgrade/apps/dns/locals.tf new file mode 100644 index 0000000..6c49d21 --- /dev/null +++ b/examples/full-setup-tf-upgrade/apps/dns/locals.tf 
@@ -0,0 +1,13 @@
+locals {
+ base_tags = {
+ "boc:created_by" = "terraform"
+ }
+}
+
+locals {
+ vpc_info = data.terraform_remote_state.vpc_REGION_vpcN.outputs.vpc_info
+ vpc_id = local.vpc_info["vpc_id"]
+ domain_name = local.vpc_info["vpc_domain_name"]
+ dns_servers = local.vpc_info["vpc_dns_servers"]
+ vpc_short_name = local.vpc_info["vpc_short_name"]
+}
diff --git a/examples/full-setup-tf-upgrade/apps/dns/provider.main_dns.tf b/examples/full-setup-tf-upgrade/apps/dns/provider.main_dns.tf
new file mode 100644
index 0000000..0e693d1
--- /dev/null
+++ b/examples/full-setup-tf-upgrade/apps/dns/provider.main_dns.tf
@@ -0,0 +1,11 @@
+provider "aws" {
+ alias = "east_main_dns"
+ region = var.region_map["east"]
+ profile = var.main_dns_profile
+}
+
+provider "aws" {
+ alias = "west_main_dns"
+ region = var.region_map["west"]
+ profile = var.main_dns_profile
+}
diff --git a/examples/full-setup-tf-upgrade/apps/dns/region.tf b/examples/full-setup-tf-upgrade/apps/dns/region.tf
new file mode 100644
index 0000000..f617506
--- /dev/null
+++ b/examples/full-setup-tf-upgrade/apps/dns/region.tf
@@ -0,0 +1,3 @@
+locals {
+ region = var.region
+}
diff --git a/examples/full-setup-tf-upgrade/apps/dns/sort-ip.py b/examples/full-setup-tf-upgrade/apps/dns/sort-ip.py
new file mode 100755
index 0000000..293f723
--- /dev/null
+++ b/examples/full-setup-tf-upgrade/apps/dns/sort-ip.py
@@ -0,0 +1,19 @@
+#!/bin/env python
+
+import json
+import sys
+import ipaddress
+
+r=0
+outdata={'ip_addresses_sorted':''}
+try:
+ indata=json.load(sys.stdin)
+ ipa=indata['ip_addresses'].split(',')
+ ips=sorted(ipa,key=ipaddress.ip_address)
+ outdata['ip_addresses_sorted']=','.join(ips)
+ print(json.dumps(outdata))
+except:
+ sys.stderr.write("unable to parse input address\n")
+ r=1
+
+sys.exit(r)
diff --git a/examples/full-setup-tf-upgrade/apps/dns/tf-run.data b/examples/full-setup-tf-upgrade/apps/dns/tf-run.data
new file mode 100644
index 0000000..09e56f9
--- /dev/null
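Review bot: `data.terraform_remote_state.vpc_REGION_vpcN` in the second `locals` block of locals.tf is not declared anywhere in this diff and reads like an unexpanded template token, while the tf-run.data files in this diff use `%%REGION_SHORT%%` for substitution, so `terraform plan` in apps/dns will stop on an undeclared data source until the name is resolved. If tf-directory-setup.py or a LINKTOP include is expected to generate that data source, a comment above the block such as `# vpc_REGION_vpcN is supplied by the generated remote_state include (see tf-run.data)` would make that visible; otherwise it needs the concrete remote-state name. This output is the only source of `local.vpc_id`, `local.domain_name` and `local.dns_servers` for every zone and resolver association in apps/dns, so it is worth pinning down before the directory is used as an example.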
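Review bot: The bare `except:` in sort-ip.py catches everything, including `SystemExit` and `KeyboardInterrupt`, and reports every failure as `unable to parse input address`, so malformed JSON on stdin, a missing `ip_addresses` key and an invalid address are indistinguishable to the caller. Catch what the `try` body can actually raise and pass the detail through: `except (ValueError, KeyError, TypeError) as exc:` / `sys.stderr.write("unable to parse input address: {}\n".format(exc))`. `ipaddress.ip_address` also rejects entries with surrounding whitespace, so input like `"a, b"` fails; if that form is expected, stripping each item before sorting would be a small, explicit extension. `#!/bin/env python` is non-portable and does not pin the interpreter major version; `#!/usr/bin/env python3` is the conventional form.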
+++ b/examples/full-setup-tf-upgrade/apps/dns/tf-run.data
@@ -0,0 +1,11 @@
+VERSION 1.1.2
+REMOTE-STATE
+COMMAND tf-directory-setup.py -l none -f
+COMMAND setup-new-directory.sh
+COMMAND tf-init -upgrade
+
+# LINKTOP includes.d/ENVIRONMENT/variables.application_tags.auto.tfvars .
+LINKTOP includes.d/variables.application_tags.tf .
+
+ALL
+COMMAND tf-directory-setup.py -l s3
diff --git a/examples/full-setup-tf-upgrade/apps/dns/variables.dns.tf b/examples/full-setup-tf-upgrade/apps/dns/variables.dns.tf
new file mode 100644
index 0000000..68ed443
--- /dev/null
+++ b/examples/full-setup-tf-upgrade/apps/dns/variables.dns.tf
@@ -0,0 +1,27 @@
+variable "main_dns_vpcs" {
+ description = "Map of region and VPC ids of the vpc1-services in us-gov-west-1 and us-gov-east-1 for centralized DNS"
+ type = map(string)
+ default = {
+ "us-gov-west-1" = "vpc-77877a12"
+ "us-gov-east-1" = "vpc-099a991da7c4eb8a5"
+ }
+}
+
+variable "main_dns_profile" {
+ description = "Profile name for AWS for the main DNS central account"
+ type = string
+ default = "107742151971-do2-govcloud"
+}
+
+
+variable "dns_zone_description_prefix" {
+ description = "Zone description with the org-project-program-environment"
+ type = string
+ default = ""
+}
+
+variable "dns_zone_create" {
+ description = "Flag determing to create (true) or associate (false) the main forward zone. Used for the same VPC domain name across different regions or VPCs"
+ type = bool
+ default = true
+}
diff --git a/examples/full-setup-tf-upgrade/apps/dns/zones.tf b/examples/full-setup-tf-upgrade/apps/dns/zones.tf
new file mode 100644
index 0000000..d58dcd4
--- /dev/null
+++ b/examples/full-setup-tf-upgrade/apps/dns/zones.tf
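Review bot: `main_dns_profile` and `main_dns_vpcs` in variables.dns.tf carry defaults naming a specific central-account profile and two concrete VPC ids, so a copy of this example that forgets to override them will plan zone-association authorizations against exactly those VPCs and attempt the associations through that account's profile. For an example tree these are better declared without a `default` (Terraform then refuses to plan until the caller supplies them), or at least given a `validation` block that checks each value starts with `vpc-`, with the README listing them as required inputs. credentials.peers.tf later in this diff hard-codes the same profile string in both `peer_main_west` and `peer_main_east` provider blocks instead of reading a variable, so the account name currently has to be changed in three places. The VPC ids and profile are identifiers rather than secrets, but publishing them under `examples/` is more environment detail than an example needs.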
@@ -0,0 +1,209 @@ +locals { + # calculate set of /24 blocks for PTR subnets from cidr bock size + vpc_cidr_block = local.vpc_info["vpc_cidr_block"] + bits = tonumber(split("/", local.vpc_cidr_block)[1]) + split_bits = 24 - local.bits + _ptr_zones = local.split_bits > 0 ? { for x in range(0, pow(2, local.split_bits)) : x => cidrsubnet(local.vpc_cidr_block, local.split_bits, x) } : {} + ptr_zones = { for x, s in local._ptr_zones : s => { + index = x + cidr = s + octets = split(".", split("/", s)[0]) + bits = tonumber(split("/", s)[1]) + ptr_zone = format("%v.in-addr.arpa", join(".", reverse(slice(split(".", split("/", s)[0]), 0, 3)))) + } + } + + zone_description = var.dns_zone_description_prefix == "" ? var.dns_zone_description_prefix : format("%v ", var.dns_zone_description_prefix) +} + +#--- +# domain (forward) zone +# need to pull this ando ther forward zones up to vpc/apps/dns +#--- +data "aws_route53_zone" "domain_zone" { + # provider = aws.east + count = var.dns_zone_create ? 0 : 1 + name = local.domain_name + private_zone = true +} + +resource "aws_route53_zone" "domain_zone" { + count = var.dns_zone_create ? 1 : 0 + name = local.domain_name + comment = format("%vDNS Forward Zone %v", local.zone_description, local.domain_name) + force_destroy = false + + vpc { + vpc_id = local.vpc_id + vpc_region = local.region + } + + lifecycle { + ignore_changes = [vpc] + } + + tags = merge( + local.base_tags, + local.common_tags, + var.application_tags, + tomap({ "Name" = local.domain_name }), + ) +} + +resource "aws_route53_vpc_association_authorization" "west_domain_zone" { + # provider = aws.west_main_dns + # for_each = tomap({ "zone" = var.dns_zone_create ? aws_route53_zone.domain_zone[0] : data.aws_route53_zone.domain_zone[0] }) + for_each = var.dns_zone_create ? 
{ "zone" = aws_route53_zone.domain_zone[0] } : {} + zone_id = each.value.zone_id + vpc_region = "us-gov-west-1" + vpc_id = var.main_dns_vpcs["us-gov-west-1"] +} + +resource "aws_route53_zone_association" "west_domain_zone" { + provider = aws.west_main_dns + for_each = var.dns_zone_create ? aws_route53_vpc_association_authorization.west_domain_zone : {} + + zone_id = each.value.zone_id + vpc_id = each.value.vpc_id + vpc_region = each.value.vpc_region +} + +# resource "aws_route53_zone_association" "east_domain_zone" { +# for_each = tomap({"zone" = aws_route53_zone.domain_zone[0]}) +# zone_id = each.value.zone_id +# vpc_region = "us-gov-east-1" +# vpc_id = var.main_dns_vpcs["us-gov-east-1"] +# } + +resource "aws_route53_vpc_association_authorization" "east_domain_zone" { + # provider = aws.east_main_dns + # for_each = tomap({ "zone" = var.dns_zone_create ? aws_route53_zone.domain_zone[0] : data.aws_route53_zone.domain_zone[0] }) + for_each = var.dns_zone_create ? { "zone" = aws_route53_zone.domain_zone[0] } : {} + + zone_id = each.value.zone_id + vpc_region = "us-gov-east-1" + vpc_id = var.main_dns_vpcs["us-gov-east-1"] +} + +resource "aws_route53_zone_association" "east_domain_zone" { + provider = aws.east_main_dns + for_each = var.dns_zone_create ? aws_route53_vpc_association_authorization.east_domain_zone : {} + zone_id = each.value.zone_id + vpc_id = each.value.vpc_id + vpc_region = each.value.vpc_region +} + +output "domain_zone_id" { + description = "DNS Zone ID" + # value = aws_route53_zone.domain_zone[0].zone_id + value = var.dns_zone_create ? aws_route53_zone.domain_zone[0].zone_id : data.aws_route53_zone.domain_zone[0].zone_id +} + +output "domain_zone_ns" { + description = "DNS Zone Nameservers" + # value = aws_route53_zone.domain_zone[0].name_servers + value = var.dns_zone_create ? 
aws_route53_zone.domain_zone[0].name_servers : data.aws_route53_zone.domain_zone[0].name_servers +} + +#--- +# ptr (reverse) zones +#--- +resource "aws_route53_zone" "ptr_zone" { + for_each = local.ptr_zones + + name = each.value.ptr_zone + comment = format("%vDNS PTR Zone %v (%v)", local.zone_description, each.value.ptr_zone, each.value.cidr) + force_destroy = false + + vpc { + vpc_id = local.vpc_id + vpc_region = local.region + } + + lifecycle { + ignore_changes = [vpc] + } + + tags = merge( + local.base_tags, + local.common_tags, + var.application_tags, + tomap({ "Name" = each.value.ptr_zone }), + ) +} + +resource "aws_route53_vpc_association_authorization" "west_ptr_zone" { + # provider = aws.west_main_dns + for_each = aws_route53_zone.ptr_zone + + zone_id = each.value.zone_id + vpc_region = "us-gov-west-1" + vpc_id = var.main_dns_vpcs["us-gov-west-1"] +} + +resource "aws_route53_zone_association" "west_ptr_zone" { + provider = aws.west_main_dns + for_each = aws_route53_vpc_association_authorization.west_ptr_zone + + zone_id = each.value.zone_id + vpc_id = each.value.vpc_id + vpc_region = each.value.vpc_region +} + +resource "aws_route53_vpc_association_authorization" "east_ptr_zone" { + # provider = aws.east_main_dns + for_each = aws_route53_zone.ptr_zone + + zone_id = each.value.zone_id + vpc_region = "us-gov-east-1" + vpc_id = var.main_dns_vpcs["us-gov-east-1"] +} + +resource "aws_route53_zone_association" "east_ptr_zone" { + provider = aws.east_main_dns + for_each = aws_route53_vpc_association_authorization.east_ptr_zone + + zone_id = each.value.zone_id + vpc_id = each.value.vpc_id + vpc_region = each.value.vpc_region +} + +## resource "aws_route53_zone_association" "west_ptr_zone" { +## for_each = aws_route53_zone.ptr_zone +## zone_id = each.value.zone_id +## vpc_region = "us-gov-west-1" +## vpc_id = var.main_dns_vpcs["us-gov-west-1"] +## } +## +## resource "aws_route53_zone_association" "east_ptr_zone" { +## for_each = aws_route53_zone.ptr_zone +## 
zone_id = each.value.zone_id +## vpc_region = "us-gov-east-1" +## vpc_id = var.main_dns_vpcs["us-gov-east-1"] +## } +## + +output "ptr_zone_id" { + description = "DNS PTR Zone IDs" + value = { for x, s in local.ptr_zones : x => aws_route53_zone.ptr_zone[x].zone_id } +} + +output "ptr_zone_ns" { + description = "DNS PTR Zone Nameservers" + value = { for x, s in local.ptr_zones : x => aws_route53_zone.ptr_zone[x].name_servers } +} + +output "ptr_zone_info" { + description = "DNS PTR Zone Info" + value = { for x, s in local.ptr_zones : x => { + cidr = s.cidr + ptr_zone = s.ptr_zone + zone_id = aws_route53_zone.ptr_zone[x].zone_id + name_servers = aws_route53_zone.ptr_zone[x].name_servers + } } +} + +output "all_zones" { + description = "DNS zone list" + value = flatten(concat([local.domain_name], [for x, s in local.ptr_zones : s.ptr_zone])) +} diff --git a/examples/full-setup-tf-upgrade/apps/region.tf b/examples/full-setup-tf-upgrade/apps/region.tf new file mode 100644 index 0000000..f617506 --- /dev/null +++ b/examples/full-setup-tf-upgrade/apps/region.tf @@ -0,0 +1,3 @@ +locals { + region = var.region +} diff --git a/examples/full-setup-tf-upgrade/apps/tf-run.data b/examples/full-setup-tf-upgrade/apps/tf-run.data new file mode 100644 index 0000000..aa35574 --- /dev/null +++ b/examples/full-setup-tf-upgrade/apps/tf-run.data @@ -0,0 +1,9 @@ +VERSION 1.0.1 +REMOTE-STATE +COMMAND tf-directory-setup.py -l none -f +COMMAND setup-new-directory.sh +COMMAND tf-init -upgrade +ALL +COMMAND ln -sf ../variables.vpc.auto.tfvars . +COMMAND ln -sf ../variables.vpc.tf . +COMMAND tf-directory-setup.py -l s3 diff --git a/examples/full-setup-tf-upgrade/credentials.peers.tf b/examples/full-setup-tf-upgrade/credentials.peers.tf new file mode 100644 index 0000000..b190673 --- /dev/null +++ b/examples/full-setup-tf-upgrade/credentials.peers.tf 
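Review bot: The four `aws_route53_vpc_association_authorization` resources in zones.tf hard-code `vpc_region = "us-gov-west-1"` / `"us-gov-east-1"` and index `var.main_dns_vpcs` by the same literals, while the `west_main_dns`/`east_main_dns` providers that perform the matching `aws_route53_zone_association` take their region from `var.region_map`. If `region_map` is ever set differently, the authorization's region and the provider region diverge and the association is rejected. Deriving both from the map keeps them in step, e.g. `vpc_region = var.region_map["west"]` and `vpc_id = var.main_dns_vpcs[var.region_map["west"]]`, with the `east` equivalents. The leftover `# provider = aws.west_main_dns` / `# provider = aws.east_main_dns` comments on the authorization resources are misleading, since the authorization has to be issued under the zone owner's default provider; a one-line comment saying so would be clearer than the commented-out attribute.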
@@ -0,0 +1,18 @@
+#---
+# peer to 107.. us-gov-west-1 services
+#---
+provider "aws" {
+ alias = "peer_main_west"
+ region = "us-gov-west-1"
+ profile = "107742151971-do2-govcloud"
+}
+
+#---
+# peer to 107.. us-gov-east-1 services
+#---
+provider "aws" {
+ alias = "peer_main_east"
+ region = "us-gov-east-1"
+ profile = "107742151971-do2-govcloud"
+}
+
diff --git a/examples/full-setup-tf-upgrade/data.tf b/examples/full-setup-tf-upgrade/data.tf
new file mode 100644
index 0000000..cb626c2
--- /dev/null
+++ b/examples/full-setup-tf-upgrade/data.tf
@@ -0,0 +1,9 @@
+data "aws_availability_zones" "zones" {
+ state = "available"
+}
+
+data "aws_availability_zone" "zone" {
+ for_each = toset(data.aws_availability_zones.zones.names)
+ state = "available"
+ name = each.key
+}
diff --git a/examples/full-setup-tf-upgrade/flowlogs.tf b/examples/full-setup-tf-upgrade/flowlogs.tf
new file mode 100644
index 0000000..da2780d
--- /dev/null
+++ b/examples/full-setup-tf-upgrade/flowlogs.tf
@@ -0,0 +1,14 @@
+module "flowlogs" {
+ source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//flowlogs?ref=tf-upgrade"
+ vpc_id = local.vpc_id
+ vpc_full_name = var.vpc_full_name
+ account_alias = var.account_alias
+
+ flowlog_bucket_arn = data.terraform_remote_state.infrastructure_east.outputs.flowlogs_arn
+ flowlog_role_arn = data.terraform_remote_state.common.outputs.role_flowlogs_arn
+
+ vpc_name = var.vpc_name
+ vpc_short_name = var.vpc_short_name
+
+ tags = local.tags
+}
diff --git a/examples/full-setup-tf-upgrade/infoblox.tf.off b/examples/full-setup-tf-upgrade/infoblox.tf.off
new file mode 100644
index 0000000..6dd495a
--- /dev/null
+++ b/examples/full-setup-tf-upgrade/infoblox.tf.off
@@ -0,0 +1,33 @@ +resource "infoblox_ipv4_network_container" "vpc" { + network_view = "default" + cidr = var.vpc_cidr_block + comment = format("%v %v %v %v", "AWS", var.account_alias, local.region, var.vpc_full_name) +} + +resource "infoblox_ipv4_network_container" "vpc_public" { + for_each = { for sn in var.public_subnets: sn.label => sn } + network_view = "default" + cidr = each.value.base_cidr + comment = format("%v %v %v %v %v", "AWS", var.account_alias, local.region, var.vpc_full_name,each.value.label) +} + +resource "infoblox_ipv4_network_container" "vpc_private" { + for_each = { for sn in var.private_subnets: sn.label => sn } + network_view = "default" + cidr = each.value.base_cidr + comment = format("%v %v %v %v %v", "AWS", var.account_alias, local.region, var.vpc_full_name,each.value.label) +} + +resource "infoblox_ipv4_network" "vpc_public_subnets" { + for_each = { for sn in module.subnets.public_subnets_ids: sn.subnet => sn } + network_view = "default" + cidr = each.value.subnet + comment = format("%v %v %v %v %v", "AWS", var.account_alias, local.region, var.vpc_full_name,each.value.label) +} + +resource "infoblox_ipv4_network" "vpc_private_subnets" { + for_each = { for sn in module.subnets.private_subnets_ids: sn.subnet => sn } + network_view = "default" + cidr = each.value.subnet + comment = format("%v %v %v %v %v", "AWS", var.account_alias, local.region, var.vpc_full_name,each.value.label) +} diff --git a/examples/full-setup-tf-upgrade/nacls.tf b/examples/full-setup-tf-upgrade/nacls.tf new file mode 100644 index 0000000..26f7622 --- /dev/null +++ b/examples/full-setup-tf-upgrade/nacls.tf 
@@ -0,0 +1,87 @@ +module "nacls" { + source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//nacls?ref=tf-upgrade" + vpc_id = module.vpc.vpc_id + public_subnets_ids = module.subnets.public_subnets_ids + private_subnets_ids = module.subnets.private_subnets_ids + vpc_full_name = var.vpc_full_name + vpc_name = var.vpc_name + vpc_short_name = var.vpc_short_name + tags = local.tags +} + +module "nacls_enterprise" { + source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//nacl-rules?ref=tf-upgrade" + network_acl_id = module.nacls.private_network_acl_id + + rule_description = "Enterprise plus VPC" + rule_definitions = {} + named_cidr_blocks = ["enterprise", "vpc", "other"] + merge_cidr_blocks = { + "vpc" = [var.vpc_cidr_block], + "other" = [] + } + rules = ["all_inbound", "all_outbound"] + rule_number = 1000 + rule_increment = 10 + + tags = local.tags +} + +#--- +# endpoints +#--- +module "nacls_endpoints" { + source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//nacl-rules?ref=tf-upgrade" + network_acl_id = module.nacls.private_network_acl_id + + rule_description = "VPC Gateway Endpoints" + rule_definitions = {} + named_cidr_blocks = ["other"] + merge_cidr_blocks = { + "other" = concat(module.routing.vpc_endpoint_s3_cidr_blocks, module.routing.vpc_endpoint_dynamodb_cidr_blocks) + } + rules = ["ephemeral_inbound", "https_outbound"] + rule_number = 4000 + rule_increment = 5 + + tags = local.tags +} + +#--- +# public +#--- +module "nacls_public_vpc" { + source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//nacl-rules?ref=tf-upgrade" + network_acl_id = module.nacls.public_network_acl_id + + rule_description = "Public subnet VPC Rules" + rule_definitions = {} + named_cidr_blocks = var.vpc_enable_igw && var.vpc_enable_nat ? ["vpc"] : [] + merge_cidr_blocks = { "vpc" = [var.vpc_cidr_block] } + rules = var.vpc_enable_igw && var.vpc_enable_nat ? 
["http_inbound", "https_inbound", "ephemeral_outbound"] : [] + rule_number = 3000 + rule_increment = 10 + + tags = local.tags +} + +## output "nacls_public_vpc_info" { +## description = "NACLs info for public VPC access" +## value = module.nacls_public_vpc.info +## # value = local.enable_igw && local.enable_nat ? module.nacls_public_vpc.info : {} +## } + +module "nacls_public_nat" { + source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//nacl-rules?ref=tf-upgrade" + network_acl_id = module.nacls.public_network_acl_id + + rule_description = "Public subnet NAT Rules" + rule_definitions = {} + named_cidr_blocks = var.vpc_enable_igw && var.vpc_enable_nat ? ["all"] : [] + merge_cidr_blocks = {} + rules = var.vpc_enable_igw && var.vpc_enable_nat ? ["http_outbound", "https_outbound", "ephemeral_inbound"] : [] + rule_number = module.nacls_public_vpc.info.next_rule_number + rule_increment = 10 + + tags = local.tags +} diff --git a/examples/full-setup-tf-upgrade/outputs.subnets.tf b/examples/full-setup-tf-upgrade/outputs.subnets.tf new file mode 100644 index 0000000..c1f4a43 --- /dev/null +++ b/examples/full-setup-tf-upgrade/outputs.subnets.tf @@ -0,0 +1,9 @@ +output "public_subnets_ids" { + description = "Resulting public subnets list of objects: subnet, label, availability_zone, id" + value = module.subnets.public_subnets_ids +} + +output "private_subnets_ids" { + description = "Resulting private subnets list of objects: subnet, label, availability_zone, id" + value = module.subnets.private_subnets_ids +} diff --git a/examples/full-setup-tf-upgrade/outputs.tf b/examples/full-setup-tf-upgrade/outputs.tf new file mode 100644 index 0000000..1e49471 --- /dev/null +++ b/examples/full-setup-tf-upgrade/outputs.tf 
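Review bot: `nacls_enterprise` in nacls.tf pins `"other" = []` inside `merge_cidr_blocks`, while variables.nacls.tf later in this diff declares `nacl_additional_cidr_blocks_enterprise` with exactly that `other` key and nothing in the diff references the variable, so additional enterprise CIDRs set in a tfvars file would be accepted and silently ignored. Unless a file outside this diff consumes it, wire it in on that line: `merge_cidr_blocks = merge({ "vpc" = [var.vpc_cidr_block] }, var.nacl_additional_cidr_blocks_enterprise)`. Because this module instance appears to apply `all_inbound`/`all_outbound` to every named block including `other`, the variable's description should state that any CIDR placed there receives unrestricted rules on the private NACL, so the reader knows the blast radius of adding one.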
@@ -0,0 +1,43 @@ +output "vpc_id" { + description = "VPC ID" + value = module.vpc.vpc_id +} + +output "vpc_arn" { + description = "VPC ARN" + value = module.vpc.vpc_arn +} + +output "vpc_info" { + description = "VPC info" + value = { + "vpc_id" = module.vpc.vpc_id + "vpc_cidr_block" = var.vpc_cidr_block + "vpc_arn" = module.vpc.vpc_arn + "vpc_name" = var.vpc_name + "vpc_short_name" = var.vpc_short_name + "vpc_full_name" = var.vpc_full_name + "vpc_environment" = var.vpc_environment + "vpc_domain_name" = var.vpc_domain_name + "vpc_dns_servers" = var.vpc_dns_servers + "s3_endpoint_id" = module.routing.vpc_endpoint_s3_id + "dynamodb_endpoint_id" = module.routing.vpc_endpoint_dynamodb_id + "s3_endpoint_cidr_blocks" = module.routing.vpc_endpoint_s3_cidr_blocks + "dynamodb_endpoint_cidr_blocks" = module.routing.vpc_endpoint_dynamodb_cidr_blocks + } +} + +output "vpn_tunnel_endpoints" { + description = "VPN Tunnel Endpoint IP Addresses" + value = module.vpn.vpn_tunnel_endpoints +} + +output "vpn_labels" { + description = "VPN Label for Description field of Endpoint device (Cisco ASR)" + value = module.vpn.vpn_labels +} + +output "security_groups" { + description = "Security Group map(object{name, id, arn})" + value = module.base-security-groups.security_groups +} diff --git a/examples/full-setup-tf-upgrade/peers.tf b/examples/full-setup-tf-upgrade/peers.tf new file mode 100644 index 0000000..e4b3602 --- /dev/null +++ b/examples/full-setup-tf-upgrade/peers.tf 
@@ -0,0 +1,76 @@ +#--- +# us-gov-west-1 +#--- +data "aws_vpc" "service_main_west" { + provider = aws.peer_main_west + filter { + name = "tag:Name" + # values = [local.peer_name] + values = [var.services_peer_settings["west"].peer_name] + } +} + +module "peer_services_main_west" { + source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//peer?ref=tf-upgrade" + providers = { + aws.self = aws + aws.peer = aws.peer_main_west + } + + ## self + vpc_id = local.vpc_id + vpc_name = var.vpc_name + vpc_cidr_block = var.vpc_cidr_block + vpc_index = var.vpc_index + vpc_short_name = var.vpc_short_name + vpc_full_name = var.vpc_full_name + vpc_environment = var.vpc_environment + rule_number = var.services_peer_settings["west"].rule_number + var.vpc_index - 1 + tags = {} + + ## peer + peer_vpc_id = data.aws_vpc.service_main_west.id + peer_vpc_name = "services" + peer_vpc_index = 1 + peer_vpc_short_name = "vpc1" + peer_vpc_full_name = var.services_peer_settings["west"].peer_name + peer_rule_number = var.services_peer_settings["west"].rule_number + var.vpc_index - 1 +} + +#--- +# us-gov-east-1 +#--- +data "aws_vpc" "service_main_east" { + provider = aws.peer_main_east + filter { + name = "tag:Name" + values = [var.services_peer_settings["east"].peer_name] + } +} + +module "peer_services_main_east" { + source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//peer?ref=tf-upgrade" + providers = { + aws.self = aws + aws.peer = aws.peer_main_east + } + + ## self + vpc_id = local.vpc_id + vpc_name = var.vpc_name + vpc_cidr_block = var.vpc_cidr_block + vpc_index = var.vpc_index + vpc_short_name = var.vpc_short_name + vpc_full_name = var.vpc_full_name + vpc_environment = var.vpc_environment + rule_number = var.services_peer_settings["east"].rule_number + var.vpc_index - 1 + tags = {} + + ## peer + peer_vpc_id = data.aws_vpc.service_main_east.id + peer_vpc_name = "services" + peer_vpc_index = 1 + peer_vpc_short_name = "vpc1" + peer_vpc_full_name = 
var.services_peer_settings["west"].peer_name + peer_rule_number = var.services_peer_settings["east"].rule_number + var.vpc_index - 1 +} diff --git a/examples/full-setup-tf-upgrade/region.tf b/examples/full-setup-tf-upgrade/region.tf new file mode 100644 index 0000000..b7b1696 --- /dev/null +++ b/examples/full-setup-tf-upgrade/region.tf @@ -0,0 +1,4 @@ +locals { + region = var.region +} + diff --git a/examples/full-setup-tf-upgrade/sg-rds-mariadb.tf b/examples/full-setup-tf-upgrade/sg-rds-mariadb.tf new file mode 100644 index 0000000..533da01 --- /dev/null +++ b/examples/full-setup-tf-upgrade/sg-rds-mariadb.tf @@ -0,0 +1,9 @@ +module "maria" { + source = "git@github.e.it.census.gov:terraform-modules/aws-common-security-groups.git//rds-maria?ref=tf-upgrade" + vpc_id = module.vpc.vpc_id +} + +output "sg_maria_id" { + description = "Common MariaDB security group" + value = module.maria.this_security_group_id +} diff --git a/examples/full-setup-tf-upgrade/sg-rds-mssql.tf b/examples/full-setup-tf-upgrade/sg-rds-mssql.tf new file mode 100644 index 0000000..0997439 --- /dev/null +++ b/examples/full-setup-tf-upgrade/sg-rds-mssql.tf @@ -0,0 +1,11 @@ +module "rds-mssql" { + source = "git@github.e.it.census.gov:terraform-modules/aws-common-security-groups.git//rds-mssql?ref=tf-upgrade" + vpc_id = module.vpc.vpc_id + #vpc_full_name = var.vpc_full_name +} + +output "sg_rds-mssql_id" { + description = "RDS MSSQL security group id" + value = module.rds-mssql.this_security_group_id +} + diff --git a/examples/full-setup-tf-upgrade/sg-rds-mysql.tf b/examples/full-setup-tf-upgrade/sg-rds-mysql.tf new file mode 100644 index 0000000..32fd4fe --- /dev/null +++ b/examples/full-setup-tf-upgrade/sg-rds-mysql.tf 
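Review bot: In `peer_services_main_east` in peers.tf, `peer_vpc_full_name` reads `var.services_peer_settings["west"].peer_name` while the `service_main_east` data source, `rule_number` and `peer_rule_number` in the same module all use the `"east"` entry, so the east peering is labelled with the west VPC's name in whatever the peer module derives from it. The line should be `peer_vpc_full_name = var.services_peer_settings["east"].peer_name`. Both peer modules also pass `tags = {}` where every other module in this diff passes `local.tags`; if that is deliberate, a short comment on the line would keep the next reader from "fixing" it. `var.services_peer_settings` is not declared in any file shown here, presumably it lives in the variables file cut off at the end of this diff.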
@@ -0,0 +1,9 @@
+module "sg_mysql" {
+ source = "git@github.e.it.census.gov:terraform-modules/aws-common-security-groups.git//rds-mysql?ref=tf-upgrade"
+ vpc_id = module.vpc.vpc_id
+}
+
+output "sg_mysql_id" {
+ description = "Common MySQL security group"
+ value = module.sg_mysql.this_security_group_id
+}
diff --git a/examples/full-setup-tf-upgrade/sg-rds-postgres.tf b/examples/full-setup-tf-upgrade/sg-rds-postgres.tf
new file mode 100644
index 0000000..c628822
--- /dev/null
+++ b/examples/full-setup-tf-upgrade/sg-rds-postgres.tf
@@ -0,0 +1,9 @@
+module "sg_postgres" {
+ source = "git@github.e.it.census.gov:terraform-modules/aws-common-security-groups.git//rds-postgres?ref=tf-upgrade"
+ vpc_id = module.vpc.vpc_id
+}
+
+output "sg_postgres_id" {
+ description = "Common Postgres security group"
+ value = module.sg_postgres.this_security_group_id
+}
diff --git a/examples/full-setup-tf-upgrade/sg-web.tf b/examples/full-setup-tf-upgrade/sg-web.tf
new file mode 100644
index 0000000..766dca0
--- /dev/null
+++ b/examples/full-setup-tf-upgrade/sg-web.tf
@@ -0,0 +1,9 @@
+module "sg_web" {
+ source = "git@github.e.it.census.gov:terraform-modules/aws-common-security-groups.git//web?ref=tf-upgrade"
+ vpc_id = module.vpc.vpc_id
+}
+
+output "sg_web_id" {
+ description = "Common Web security group"
+ value = module.sg_web.this_security_group_id
+}
diff --git a/examples/full-setup-tf-upgrade/tf-run.data b/examples/full-setup-tf-upgrade/tf-run.data
new file mode 100644
index 0000000..b1b7891
--- /dev/null
+++ b/examples/full-setup-tf-upgrade/tf-run.data
@@ -0,0 +1,24 @@
+VERSION 1.1.3
+REMOTE-STATE
+COMMAND tf-directory-setup.py -l none -f
+COMMAND setup-new-directory.sh
+COMMAND tf-init -upgrade
+# LINKTOP provider_configs.d/provider.infoblox.auto.tfvars
+# LINKTOP provider_configs.d/provider.infoblox.tf
+# LINKTOP provider_configs.d/provider.infoblox.variables.tf
+LINKTOP common/remote_state.common.tf
+LINKTOP infrastructure/%%REGION_SHORT%%/remote_state.infrastructure_%%REGION_SHORT%%.tf
+module.vpc module.subnets
+COMMAND tf-directory-setup.py -l s3
+
+module.routing
+module.vpn
+module.flowlogs
+module.base-security-groups
+module.sg_web
+module.nacls module.nacls_enterprise module.nacls_endpoints module.nacls_public_vpc module.nacls_public_nat
+# STOP make sure peer configurations are setup properly
+module.peer_services_main_west module.peer_services_main_east
+ALL
+ALL
+
diff --git a/examples/full-setup-tf-upgrade/variables.nacls.tf b/examples/full-setup-tf-upgrade/variables.nacls.tf
new file mode 100644
index 0000000..dcfc3a9
--- /dev/null
+++ b/examples/full-setup-tf-upgrade/variables.nacls.tf
@@ -0,0 +1,13 @@
+variable "nacl_additional_cidr_blocks_enterprise" {
+ description = "Additional CIDR blocks for enterprise"
+ type = map(list(string))
+
+ default = {
+ other = []
+ }
+}
+
+# define later when needed
+# _endpoints
+# _public_vpc
+# _public_nat
diff --git a/examples/full-setup-tf-upgrade/variables.subnets.tf b/examples/full-setup-tf-upgrade/variables.subnets.tf
new file mode 100644
index 0000000..bca5c2f
--- /dev/null
+++ b/examples/full-setup-tf-upgrade/variables.subnets.tf
@@ -0,0 +1,30 @@
+# from aws-vpc-setup/subnets
+variable "public_subnets" {
+ description = "List of objects with public subnet information to be created"
+ type = list(object({
+ base_cidr = string
+ label = string
+ bits = number
+ private = bool
+ tags = map(string)
+ # subnets = list(string)
+ # labels = list(string)
+ # availability_zones = list(string)
+ }))
+ default = []
+}
+
+variable "private_subnets" {
+ description = "List of objects with private subnet information to be created"
+ type = list(object({
+ base_cidr = string
+ label = string
+ bits = number
+ private = bool
+ tags = map(string)
+ # subnets = list(string)
+ # labels = list(string)
+ # availability_zones = list(string)
+ }))
+ default = []
+}
diff --git a/examples/full-setup-tf-upgrade/variables.vpc.tf b/examples/full-setup-tf-upgrade/variables.vpc.tf
new file mode 100644
index 0000000..2750e8b
--- /dev/null
+++ b/examples/full-setup-tf-upgrade/variables.vpc.tf
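Review bot: Neither `public_subnets` nor `private_subnets` constrains its entries, yet each object carries a `private` flag as well as the `base_cidr`/`bits` pair the subnets module presumably hands to cidrsubnet(), so a malformed CIDR, `bits = 0` or a `public_subnets` entry with `private = true` only fails deep inside the module at plan time. The configuration already relies on Terraform 0.13+ (`for_each` on `module "vpce"` in vpc-endpoints.tf), so each variable can carry a `validation` block such as `condition = length([for s in var.public_subnets : s if !can(cidrhost(s.base_cidr, 0)) || s.bits < 1]) == 0` with an `error_message` naming the offending field. The three commented-out attributes are duplicated in both objects; if they are planned, a single `# TODO` line explaining what they are for says more than the dead declarations.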
@@ -0,0 +1,88 @@
+variable "vpc_name" {
+ description = "VPC Name including environment (if necessary), excluding vpc{N}"
+ type = string
+}
+
+variable "vpc_index" {
+ description = "VPC index number. This used for NACL rule number caculations."
+ type = number
+}
+
+variable "vpc_cidr_block" {
+ description = "VPC CIDR Block"
+ type = string
+}
+
+variable "vpc_short_name" {
+ description = "VPC short name component, vpc{index}"
+ type = string
+}
+
+variable "vpc_environment" {
+ description = "VPC environment purpose (common, shared, dev, stage, ite, prod)"
+ type = string
+ default = ""
+}
+
+variable "vpc_enable_igw" {
+ description = "Enable AWS Internet Gateway (IGW) on the VPC (true | false[x])"
+ type = bool
+ default = false
+}
+
+variable "vpc_enable_nat" {
+ description = "Enable AWS NAT Gateway on the VPC (true | false[x])"
+ type = bool
+ default = false
+}
+
+variable "vpc_enable_vpn" {
+ description = "Enable AWS VPN Configuration on the VPC (true[x] | false)"
+ type = bool
+ default = true
+}
+
+variable "vpc_enable_awsdns" {
+ description = "Enable AWS DNS on the VPC"
+ type = bool
+ default = false
+}
+
+variable "vpn_settings" {
+ description = "VPN Connection details array of site, bgp_asn_id and ip_address"
+ type = list(object(
+ {
+ site = string
+ bgp_asn_id = number
+ ip_address = string
+ }
+ ))
+ default = []
+}
+
+variable "services_peer_settings" {
+ description = "VPC Peering NACL settings to main enterprise govcloud"
+ type = map(object(
+ {
+ peer_name = string
+ region = string
+ rule_number = number
+ }
+ ))
+ default = {}
+}
+
+variable "peer_settings" {
+ description = "VPC Peering NACL settings to additional VPCs"
+ type = map(object(
+ {
+ peer_name = string
+ region = string
+ vpc_index = number
+ vpc_name = string
+ vpc_short_name = string
+ rule_number = number
+ }
+ ))
+ default = {}
+}
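Review bot: `vpc_index` is documented as feeding NACL rule-number arithmetic, and the peering modules compute `rule_number + var.vpc_index - 1`, but nothing stops an index of 0 or a negative value from producing a rule number that precedes or collides with the base rule; a `validation { condition = var.vpc_index >= 1 ... }` block (Terraform 0.13+) belongs on this variable. `vpn_settings` likewise accepts any string as `ip_address` and any number as `bgp_asn_id`, and a typo there creates a customer gateway pointing at the wrong peer; a per-entry check such as `can(cidrhost("${s.ip_address}/32", 0))` plus a range check against the ASN values AWS accepts would catch that before apply. vpc.tf and vpc-endpoints.tf also read `var.vpc_full_name`, `var.vpc_domain_name`, `var.vpc_dns_servers`, `var.vpc_ntp_servers`, `var.profile` and `var.region`, none of which are declared in this file — presumably they come from one of the LINKTOP files in tf-run.data, which a one-line comment at the top of this file should state.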
diff --git a/examples/full-setup-tf-upgrade/versions.tf b/examples/full-setup-tf-upgrade/versions.tf
new file mode 100644
index 0000000..e52cfe4
--- /dev/null
+++ b/examples/full-setup-tf-upgrade/versions.tf
@@ -0,0 +1,12 @@
+#terraform {
+# experiments = [module_variable_optional_attrs]
+#}
+
+terraform {
+ required_providers {
+ infoblox = {
+ source = "infobloxopen/infoblox"
+ version = ">= 2.1.0"
+ }
+ }
+}
diff --git a/examples/full-setup-tf-upgrade/vpc-endpoints.tf b/examples/full-setup-tf-upgrade/vpc-endpoints.tf
new file mode 100644
index 0000000..6df0783
--- /dev/null
+++ b/examples/full-setup-tf-upgrade/vpc-endpoints.tf
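Review bot: `version = ">= 2.1.0"` for `infobloxopen/infoblox` is an open-ended lower bound, and tf-run.data runs `tf-init -upgrade`, so every init pulls the newest provider release that satisfies it with no review step; a pessimistic constraint such as `version = "~> 2.1"` plus a committed `.terraform.lock.hcl` keeps provider upgrades deliberate. The `aws` provider — on which the VPC, VPN, endpoint and `aws.peer_main_*` peering configurations depend — has no `required_providers` entry and there is no `required_version`, so neither the AWS provider line nor the Terraform release the `tf-upgrade` module branch targets is pinned here. The commented-out `experiments = [module_variable_optional_attrs]` block is dead code; drop it or leave a one-line note on why it is kept.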
@@ -0,0 +1,63 @@
+# dynamodb and s3 gateway endpoints defined in vpc module
+
+# select here where label starts with app-
+# private_subnets_ids = data.terraform_remote_state.vpc_east_vpc3.outputs.private_subnets_ids
+# or use data
+
+# some help from here: https://dev.to/danquack/private-fargate-deployment-with-vpc-endpoints-1h0p
+
+locals {
+ security_group_ids = [module.sg_web.this_security_group_id]
+
+ # currently this list doesn't do anything, but it's mostly to track what is in place here. A future
+ # revision of the vpc endpoints module will allow this as a for_each (tf 0.13+)
+ # keep in alphabetical order in the list and the file
+
+ # disable by setting to null
+ # enable by setting to "", or if it require a different service name, set that
+ vpc_endpoints = {
+ "autoscaling" = ""
+ "ec2" = ""
+ "ec2messages" = ""
+ "ecr.api" = ""
+ "ecr.dkr" = ""
+ "ecs" = ""
+ "elasticfilesystem" = ""
+ "elasticloadbalancing" = ""
+ "kms" = ""
+ "logs" = ""
+ "secretsmanager" = ""
+ "ssm" = ""
+ "ssmmessages" = ""
+ "sts" = ""
+ }
+}
+
+data "aws_subnets" "endpoint_subnets" {
+ filter {
+ name = "vpc-id"
+ values = [local.vpc_id]
+ }
+ filter {
+ name = "tag:Name"
+ values = ["*-endpoints-*"]
+ }
+}
+
+module "vpce" {
+ for_each = { for k, v in local.vpc_endpoints : k => v if v != null }
+ source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//vpc-interface-endpoint?ref=tf-upgrade"
+
+ service = each.value == "" ? each.key : each.value
+ subnet_ids = tolist(data.aws_subnets.endpoint_subnets.ids)
+ security_group_ids = local.security_group_ids
+
+ vpc_id = local.vpc_id
+ vpc_full_name = var.vpc_full_name
+ vpc_environment = var.vpc_environment
+
+ tags = merge(
+ local.common_tags,
+ local.tags,
+ )
+}
diff --git a/examples/full-setup-tf-upgrade/vpc.tf b/examples/full-setup-tf-upgrade/vpc.tf
new file mode 100644
index 0000000..78bc9eb
--- /dev/null
+++ b/examples/full-setup-tf-upgrade/vpc.tf
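Review bot: Every interface endpoint, including `kms`, `secretsmanager`, `sts` and `ssm`, is attached to the common web security group via `security_group_ids = [module.sg_web.this_security_group_id]`, so whatever ingress that SG allows for web servers also governs access to these control-plane endpoints; its rules are not visible in this change, but an endpoint SG normally needs only TCP 443 from the VPC CIDR, and a dedicated `aws_security_group` for the endpoints would be the least-privilege option. No endpoint policy is passed to `module "vpce"`; if the `vpc-interface-endpoint` module does not set one, each endpoint defaults to full access for any principal, which for `secretsmanager` and `kms` deserves an explicit decision recorded in a comment or exposed as an input. `local.common_tags` is used in the `merge()` but defined nowhere in this change (vpc.tf only defines `local.tags`), so it presumably comes from one of the LINKTOP files in tf-run.data; a comment saying where it lives would save the next reader a search. The `data "aws_subnets"` lookup selects subnets by the `*-endpoints-*` Name tag, so an empty match only surfaces as a `subnet_ids` error inside the module; a comment stating the required subnet naming convention would help.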
@@ -0,0 +1,78 @@
+locals {
+ vpc_id = module.vpc.vpc_id
+
+ tags = {
+ CostAllocation = "csvd:infrastructure"
+ Environment = var.vpc_environment
+ }
+}
+
+module "vpc" {
+ source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//vpc?ref=tf-upgrade"
+
+ vpc_name = var.vpc_name
+ vpc_cidr_block = var.vpc_cidr_block
+ vpc_index = var.vpc_index
+ vpc_short_name = var.vpc_short_name
+ vpc_full_name = var.vpc_full_name
+ vpc_environment = var.vpc_environment
+ vpc_domain_name = var.vpc_domain_name
+ vpc_dns_servers = var.vpc_dns_servers
+ vpc_ntp_servers = var.vpc_ntp_servers
+ enable_aws_dns = var.vpc_enable_awsdns
+
+ tags = local.tags
+}
+
+module "subnets" {
+ source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//subnets?ref=tf-upgrade"
+
+ vpc_id = local.vpc_id
+ vpc_full_name = var.vpc_full_name
+ availability_zones = []
+ public_subnets = var.public_subnets
+ private_subnets = var.private_subnets
+ tags = local.tags
+}
+
+module "routing" {
+ source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//routing?ref=tf-upgrade"
+ vpc_id = local.vpc_id
+
+ vpc_full_name = var.vpc_full_name
+ availability_zones = []
+ private_subnets_ids = module.subnets.private_subnets_ids
+ public_subnets_ids = module.subnets.public_subnets_ids
+ enable_igw = var.vpc_enable_igw
+ enable_nat = var.vpc_enable_nat
+
+ vpc_name = var.vpc_name
+ vpc_short_name = var.vpc_short_name
+ vpc_cidr_block = var.vpc_cidr_block
+ vpc_index = var.vpc_index
+ vpc_environment = var.vpc_environment
+
+ tags = local.tags
+}
+
+module "vpn" {
+ source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//vpn?ref=tf-upgrade"
+ vpc_id = local.vpc_id
+
+ create = var.vpc_enable_vpn
+ profile = var.profile
+ vpc_full_name = var.vpc_full_name
+ vpc_environment = var.vpc_environment
+ vpn_settings = var.vpn_settings
+ route_table_ids = values(module.routing.private_route_table_ids)
+ tags = local.tags
+}
+
+module "base-security-groups" {
+ source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//security-groups?ref=tf-upgrade"
+ vpc_id = local.vpc_id
+
+ vpc_full_name = var.vpc_full_name
+ vpc_environment = var.vpc_environment
+ tags = local.tags
+}
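Review bot: Every module `source` in this file (and in the peering, endpoint and security-group files) references `?ref=tf-upgrade`, a branch name rather than a tag or commit, and tf-run.data runs `tf-init -upgrade`, so each init fetches whatever that branch currently holds; for a VPC that carries VPNs and peering to the enterprise services VPC that is an unreviewed path into the network configuration, and the sources should move to a tag or full commit SHA (e.g. `?ref=v1.0.0`) once the upgrade branch settles. `module "vpn"` receives `profile = var.profile`, which only makes sense if the module shells out to the AWS CLI (a `local-exec` that downloads the VPN connection configuration, for instance); if so, a comment here should say what that command produces and where its output lands, since downloaded VPN configurations contain the tunnel pre-shared keys. `availability_zones = []` is passed to both `module "subnets"` and `module "routing"`; if the modules derive the AZ list from the subnet objects when it is empty, a one-line comment saying so would stop readers from assuming AZ placement was forgotten.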