diff --git a/examples/full-setup-tf-upgrade/apps/dns/README.md b/examples/full-setup-tf-upgrade/apps/dns/README.md
deleted file mode 100644
index 0d006f9..0000000
--- a/examples/full-setup-tf-upgrade/apps/dns/README.md
+++ /dev/null
@@ -1,55 +0,0 @@
-<!-- BEGIN_TF_DOCS -->
-## Requirements
-
-No requirements.
-
-## Providers
-
-| Name | Version |
-|------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | n/a |
-| <a name="provider_aws.east_main_dns"></a> [aws.east\_main\_dns](#provider\_aws.east\_main\_dns) | n/a |
-| <a name="provider_aws.west_main_dns"></a> [aws.west\_main\_dns](#provider\_aws.west\_main\_dns) | n/a |
-
-## Modules
-
-No modules.
-
-## Resources
-
-| Name | Type |
-|------|------|
-| [aws_route53_resolver_rule_association.all_rules](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_resolver_rule_association) | resource |
-| [aws_route53_vpc_association_authorization.east_domain_zone](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_vpc_association_authorization) | resource |
-| [aws_route53_vpc_association_authorization.east_ptr_zone](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_vpc_association_authorization) | resource |
-| [aws_route53_vpc_association_authorization.west_domain_zone](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_vpc_association_authorization) | resource |
-| [aws_route53_vpc_association_authorization.west_ptr_zone](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_vpc_association_authorization) | resource |
-| [aws_route53_zone.domain_zone](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_zone) | resource |
-| [aws_route53_zone.ptr_zone](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_zone) | resource |
-| [aws_route53_zone_association.east_domain_zone](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_zone_association) | resource |
-| [aws_route53_zone_association.east_ptr_zone](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_zone_association) | resource |
-| [aws_route53_zone_association.west_domain_zone](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_zone_association) | resource |
-| [aws_route53_zone_association.west_ptr_zone](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_zone_association) | resource |
-| [aws_route53_resolver_rules.all_rules](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/route53_resolver_rules) | data source |
-| [aws_route53_zone.domain_zone](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/route53_zone) | data source |
-
-## Inputs
-
-| Name | Description | Type | Default | Required |
-|------|-------------|------|---------|:--------:|
-| <a name="input_dns_zone_create"></a> [dns\_zone\_create](#input\_dns\_zone\_create) | Flag determing to create (true) or associate (false) the main forward zone.  Used for the same VPC domain name across different regions or VPCs | `bool` | `true` | no |
-| <a name="input_dns_zone_description_prefix"></a> [dns\_zone\_description\_prefix](#input\_dns\_zone\_description\_prefix) | Zone description with the org-project-program-environment | `string` | `""` | no |
-| <a name="input_main_dns_profile"></a> [main\_dns\_profile](#input\_main\_dns\_profile) | Profile name for AWS for the main DNS central account | `string` | `"107742151971-do2-govcloud"` | no |
-| <a name="input_main_dns_vpcs"></a> [main\_dns\_vpcs](#input\_main\_dns\_vpcs) | Map of region and VPC ids of the vpc1-services in us-gov-west-1 and us-gov-east-1 for centralized DNS | `map(string)` | <pre>{<br>  "us-gov-east-1": "vpc-099a991da7c4eb8a5",<br>  "us-gov-west-1": "vpc-77877a12"<br>}</pre> | no |
-
-## Outputs
-
-| Name | Description |
-|------|-------------|
-| <a name="output_all_zones"></a> [all\_zones](#output\_all\_zones) | DNS zone list |
-| <a name="output_domain_zone_id"></a> [domain\_zone\_id](#output\_domain\_zone\_id) | DNS Zone ID |
-| <a name="output_domain_zone_ns"></a> [domain\_zone\_ns](#output\_domain\_zone\_ns) | DNS Zone Nameservers |
-| <a name="output_ptr_zone_id"></a> [ptr\_zone\_id](#output\_ptr\_zone\_id) | DNS PTR Zone IDs |
-| <a name="output_ptr_zone_info"></a> [ptr\_zone\_info](#output\_ptr\_zone\_info) | DNS PTR Zone Info |
-| <a name="output_ptr_zone_ns"></a> [ptr\_zone\_ns](#output\_ptr\_zone\_ns) | DNS PTR Zone Nameservers |
-<!-- END_TF_DOCS -->
\ No newline at end of file
diff --git a/examples/full-setup-tf-upgrade/apps/dns/associate-route53-endpoints.tf b/examples/full-setup-tf-upgrade/apps/dns/associate-route53-endpoints.tf
new file mode 100644
index 0000000..1c2542c
--- /dev/null
+++ b/examples/full-setup-tf-upgrade/apps/dns/associate-route53-endpoints.tf
@@ -0,0 +1,96 @@
+locals {
+  route53_zone_ids = compact(concat([try(aws_route53_zone.domain_zone[0].zone_id, null)], [for k, v in aws_route53_zone.ptr_zone : v.zone_id]))
+}
+
+#---
+# network prod
+#---
+provider "aws" {
+  alias  = "route53_main"
+  region = var.region_map["east"]
+  assume_role {
+    role_arn     = format("arn:%v:iam::%v:role/r-inf-terraform-route53", data.aws_arn.current.partition, var.route53_endpoints["route53_main"].account_id)
+    session_name = var.os_username
+  }
+}
+
+module "route53_main_east" {
+  providers = {
+    aws.self = aws
+    aws.peer = aws.route53_main
+  }
+
+  source   = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//route53-zone-association/zone?ref=tf-upgrade"
+  region   = "us-gov-east-1"
+  vpc_id   = var.route53_endpoints["route53_main"]["us-gov-east-1"]
+  zone_ids = local.route53_zone_ids
+
+  tags = merge(
+    local.common_tags,
+    var.application_tags,
+  )
+}
+
+module "route53_main_west" {
+  providers = {
+    aws.self = aws
+    aws.peer = aws.route53_main
+  }
+
+  source   = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//route53-zone-association/zone?ref=tf-upgrade"
+  region   = "us-gov-west-1"
+  vpc_id   = var.route53_endpoints["route53_main"]["us-gov-west-1"]
+  zone_ids = local.route53_zone_ids
+
+  tags = merge(
+    local.common_tags,
+    var.application_tags,
+  )
+}
+
+#---
+# do2-gov ("legacy")
+#---
+provider "aws" {
+  alias  = "route53_main_legacy"
+  region = var.region_map["east"]
+  assume_role {
+    role_arn     = format("arn:%v:iam::%v:role/r-inf-terraform-route53", data.aws_arn.current.partition, var.route53_endpoints["route53_main_legacy"].account_id)
+    session_name = var.os_username
+  }
+}
+
+module "route53_main_legacy_east" {
+  providers = {
+    aws.self = aws
+    aws.peer = aws.route53_main_legacy
+  }
+
+  source   = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//route53-zone-association/zone?ref=tf-upgrade"
+  region   = "us-gov-east-1"
+  vpc_id   = var.route53_endpoints["route53_main_legacy"]["us-gov-east-1"]
+  zone_ids = local.route53_zone_ids
+
+  tags = merge(
+    local.common_tags,
+    var.application_tags,
+  )
+}
+
+module "route53_main_legacy_west" {
+  providers = {
+    aws.self = aws
+    aws.peer = aws.route53_main_legacy
+  }
+
+  source   = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//route53-zone-association/zone?ref=tf-upgrade"
+  region   = "us-gov-west-1"
+  vpc_id   = var.route53_endpoints["route53_main_legacy"]["us-gov-west-1"]
+  zone_ids = local.route53_zone_ids
+
+  tags = merge(
+    local.common_tags,
+    var.application_tags,
+  )
+}
+
diff --git a/examples/full-setup-tf-upgrade/apps/dns/associate-shared.tf b/examples/full-setup-tf-upgrade/apps/dns/associate-shared.tf
index ea9a292..6854122 100644
--- a/examples/full-setup-tf-upgrade/apps/dns/associate-shared.tf
+++ b/examples/full-setup-tf-upgrade/apps/dns/associate-shared.tf
@@ -1,15 +1,3 @@
-## locals {
-##   reverse_zones = flatten([
-##     "10.in-addr.arpa",
-##     "168.192.in-addr.arpa",
-##     "129.148.in-addr.arpa",
-##     [for x in range(16, 32) : format("%v.172.in-addr.arpa", x)],
-##   ])
-##   reverse_rules  = formatlist("reverse-%v", local.reverse_zones)
-##   forward_rules  = ["forward-all-onprem", "amazon"]
-##   all_main_rules = formatlist("resolver-%v", concat(local.forward_rules, local.reverse_rules))
-## }
-
 data "aws_route53_resolver_rules" "all_rules" {
   share_status = "SHARED_WITH_ME"
 }
diff --git a/examples/full-setup-tf-upgrade/apps/dns/locals.tf b/examples/full-setup-tf-upgrade/apps/dns/locals.tf
index 6c49d21..4d8850c 100644
--- a/examples/full-setup-tf-upgrade/apps/dns/locals.tf
+++ b/examples/full-setup-tf-upgrade/apps/dns/locals.tf
@@ -5,7 +5,7 @@ locals {
 }
 
 locals {
-  vpc_info       = data.terraform_remote_state.vpc_REGION_vpcN.outputs.vpc_info
+  vpc_info       = data.terraform_remote_state.vpc_SHORTREGION_vpcN.outputs.vpc_info
   vpc_id         = local.vpc_info["vpc_id"]
   domain_name    = local.vpc_info["vpc_domain_name"]
   dns_servers    = local.vpc_info["vpc_dns_servers"]
diff --git a/examples/full-setup-tf-upgrade/apps/dns/other-zones.name.tf.example b/examples/full-setup-tf-upgrade/apps/dns/other-zones.name.tf.example
new file mode 100644
index 0000000..8c7b170
--- /dev/null
+++ b/examples/full-setup-tf-upgrade/apps/dns/other-zones.name.tf.example
@@ -0,0 +1,11 @@
+module "west_edl_zones" {
+  providers = {
+    aws.self = aws
+    aws.peer = aws.west_edl_dns
+  }
+
+  source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//route53-zone-association/vpc?ref=tf-upgrade"
+  vpc_id = local.vpc_id
+  #  zones    = [ "common.edl.census.gov" ]
+  zones = [var.vpc_domain_name]
+}
diff --git a/examples/full-setup-tf-upgrade/apps/dns/provider.main_dns.tf b/examples/full-setup-tf-upgrade/apps/dns/provider.main_dns.tf
deleted file mode 100644
index 0e693d1..0000000
--- a/examples/full-setup-tf-upgrade/apps/dns/provider.main_dns.tf
+++ /dev/null
@@ -1,11 +0,0 @@
-provider "aws" {
-  alias   = "east_main_dns"
-  region  = var.region_map["east"]
-  profile = var.main_dns_profile
-}
-
-provider "aws" {
-  alias   = "west_main_dns"
-  region  = var.region_map["west"]
-  profile = var.main_dns_profile
-}
diff --git a/examples/full-setup-tf-upgrade/apps/dns/sort-ip.py b/examples/full-setup-tf-upgrade/apps/dns/sort-ip.py
deleted file mode 100755
index 293f723..0000000
--- a/examples/full-setup-tf-upgrade/apps/dns/sort-ip.py
+++ /dev/null
@@ -1,19 +0,0 @@
-#!/bin/env python
-
-import json
-import sys
-import ipaddress
-
-r=0
-outdata={'ip_addresses_sorted':''}
-try:
-  indata=json.load(sys.stdin)
-  ipa=indata['ip_addresses'].split(',')
-  ips=sorted(ipa,key=ipaddress.ip_address)
-  outdata['ip_addresses_sorted']=','.join(ips)
-  print(json.dumps(outdata))
-except:
-  sys.stderr.write("unable to parse input address\n")
-  r=1
-
-sys.exit(r)
diff --git a/examples/full-setup-tf-upgrade/apps/dns/tf-run.data b/examples/full-setup-tf-upgrade/apps/dns/tf-run.data
index 1365909..6f23e22 100644
--- a/examples/full-setup-tf-upgrade/apps/dns/tf-run.data
+++ b/examples/full-setup-tf-upgrade/apps/dns/tf-run.data
@@ -1,4 +1,4 @@
-VERSION 1.1.4
+VERSION 1.1.6
 REMOTE-STATE
 COMMAND tf-directory-setup.py -l none -f
 COMMAND setup-new-directory.sh
@@ -9,10 +9,14 @@ LINKTOP includes.d/variables.account_tags.auto.tfvars
 LINKTOP includes.d/variables.infrastructure_tags.tf
 LINKTOP includes.d/variables.infrastructure_tags.auto.tfvars
 LINKTOP includes.d/variables.application_tags.tf
-## LINKTOP includes.d/variables.application_tags.auto.tfvars
+LINKTOP includes.d/variables.application_tags.auto.tfvars
 
 LINK variables.vpc.tf
 LINK variables.vpc.auto.tfvars
 
+aws_route53_zone.domain_zone aws_route53_zone.ptr_zone
+aws_route53_resolver_rule_association.all_rules
+
 ALL
 COMMAND tf-directory-setup.py -l s3
+
diff --git a/examples/full-setup-tf-upgrade/apps/dns/variables.dns.auto.tfvars b/examples/full-setup-tf-upgrade/apps/dns/variables.dns.auto.tfvars
index 649480f..db77639 100644
--- a/examples/full-setup-tf-upgrade/apps/dns/variables.dns.auto.tfvars
+++ b/examples/full-setup-tf-upgrade/apps/dns/variables.dns.auto.tfvars
@@ -1,2 +1,3 @@
-dns_zone_description_prefix = "{project} {environment}"
-dns_zone_create             = true
+#dns_zone_description_prefix = "EDL-MultiAccount core-shared ugw1"
+dns_zone_description_prefix = "{org} {vpc_name} {compressed_region}"
+dns_zone_create             = false
diff --git a/examples/full-setup-tf-upgrade/apps/dns/variables.dns.tf b/examples/full-setup-tf-upgrade/apps/dns/variables.dns.tf
index 68ed443..a3783bc 100644
--- a/examples/full-setup-tf-upgrade/apps/dns/variables.dns.tf
+++ b/examples/full-setup-tf-upgrade/apps/dns/variables.dns.tf
@@ -1,11 +1,14 @@
-variable "main_dns_vpcs" {
-  description = "Map of region and VPC ids of the vpc1-services in us-gov-west-1 and us-gov-east-1 for centralized DNS"
-  type        = map(string)
-  default = {
-    "us-gov-west-1" = "vpc-77877a12"
-    "us-gov-east-1" = "vpc-099a991da7c4eb8a5"
-  }
-}
+## variable "main_dns_vpcs" {
+##   description = "Map of region and VPC ids of the vpc1-services in us-gov-west-1 and us-gov-east-1 for centralized DNS"
+##   type        = map(string)
+##   default = {
+##     "us-gov-west-1" = "vpc-77877a12"
+##     "us-gov-east-1" = "vpc-099a991da7c4eb8a5"
+##   }
+## }
+
+# need this to trigger the shared RAM sttings
+# will need to change it when moving the RAM settings
 
 variable "main_dns_profile" {
   description = "Profile name for AWS for the main DNS central account"
@@ -13,7 +16,6 @@ variable "main_dns_profile" {
   default     = "107742151971-do2-govcloud"
 }
 
-
 variable "dns_zone_description_prefix" {
   description = "Zone description with the org-project-program-environment"
   type        = string
diff --git a/examples/full-setup-tf-upgrade/apps/dns/variables.route53.tf b/examples/full-setup-tf-upgrade/apps/dns/variables.route53.tf
new file mode 100644
index 0000000..140e7f2
--- /dev/null
+++ b/examples/full-setup-tf-upgrade/apps/dns/variables.route53.tf
@@ -0,0 +1,16 @@
+variable "route53_endpoints" {
+  description = "Map of target route53 endpoints (for inbound) central VPCs"
+  type        = map(map(string))
+  default = {
+    route53_main = {
+      "account_id"    = "057405694017"
+      "us-gov-east-1" = "vpc-0871ba8a6040d623a"
+      "us-gov-west-1" = "vpc-0f03ea065333f72c5"
+    }
+    route53_main_legacy = {
+      "account_id"    = "107742151971"
+      "us-gov-east-1" = "vpc-099a991da7c4eb8a5"
+      "us-gov-west-1" = "vpc-77877a12"
+    }
+  }
+}
diff --git a/examples/full-setup-tf-upgrade/apps/dns/variables.username.tf b/examples/full-setup-tf-upgrade/apps/dns/variables.username.tf
new file mode 100644
index 0000000..46f8f47
--- /dev/null
+++ b/examples/full-setup-tf-upgrade/apps/dns/variables.username.tf
@@ -0,0 +1,5 @@
+variable "os_username" {
+  description = "OS username from environment variable, ideally as $USER"
+  type        = string
+  default     = null
+}
diff --git a/examples/full-setup-tf-upgrade/apps/dns/zones.tf b/examples/full-setup-tf-upgrade/apps/dns/zones.tf
index d58dcd4..09b4df6 100644
--- a/examples/full-setup-tf-upgrade/apps/dns/zones.tf
+++ b/examples/full-setup-tf-upgrade/apps/dns/zones.tf
@@ -22,7 +22,8 @@ locals {
 #---
 data "aws_route53_zone" "domain_zone" {
   #  provider = aws.east
-  count        = var.dns_zone_create ? 0 : 1
+  #  count        = var.dns_zone_create ? 0 : 1
+  count        = var.dns_zone_create ? 0 : 0
   name         = local.domain_name
   private_zone = true
 }
@@ -50,59 +51,18 @@ resource "aws_route53_zone" "domain_zone" {
   )
 }
 
-resource "aws_route53_vpc_association_authorization" "west_domain_zone" {
-  #  provider = aws.west_main_dns
-  #  for_each   = tomap({ "zone" = var.dns_zone_create ? aws_route53_zone.domain_zone[0] : data.aws_route53_zone.domain_zone[0] })
-  for_each   = var.dns_zone_create ? { "zone" = aws_route53_zone.domain_zone[0] } : {}
-  zone_id    = each.value.zone_id
-  vpc_region = "us-gov-west-1"
-  vpc_id     = var.main_dns_vpcs["us-gov-west-1"]
-}
-
-resource "aws_route53_zone_association" "west_domain_zone" {
-  provider = aws.west_main_dns
-  for_each = var.dns_zone_create ? aws_route53_vpc_association_authorization.west_domain_zone : {}
-
-  zone_id    = each.value.zone_id
-  vpc_id     = each.value.vpc_id
-  vpc_region = each.value.vpc_region
-}
-
-# resource "aws_route53_zone_association" "east_domain_zone"  {
-#   for_each = tomap({"zone" = aws_route53_zone.domain_zone[0]})
-#   zone_id = each.value.zone_id
-#   vpc_region  = "us-gov-east-1"
-#   vpc_id  = var.main_dns_vpcs["us-gov-east-1"]
-# }
-
-resource "aws_route53_vpc_association_authorization" "east_domain_zone" {
-  #  provider = aws.east_main_dns
-  #  for_each = tomap({ "zone" = var.dns_zone_create ? aws_route53_zone.domain_zone[0] : data.aws_route53_zone.domain_zone[0] })
-  for_each = var.dns_zone_create ? { "zone" = aws_route53_zone.domain_zone[0] } : {}
-
-  zone_id    = each.value.zone_id
-  vpc_region = "us-gov-east-1"
-  vpc_id     = var.main_dns_vpcs["us-gov-east-1"]
-}
-
-resource "aws_route53_zone_association" "east_domain_zone" {
-  provider   = aws.east_main_dns
-  for_each   = var.dns_zone_create ? aws_route53_vpc_association_authorization.east_domain_zone : {}
-  zone_id    = each.value.zone_id
-  vpc_id     = each.value.vpc_id
-  vpc_region = each.value.vpc_region
-}
-
 output "domain_zone_id" {
   description = "DNS Zone ID"
   #  value       = aws_route53_zone.domain_zone[0].zone_id
-  value = var.dns_zone_create ? aws_route53_zone.domain_zone[0].zone_id : data.aws_route53_zone.domain_zone[0].zone_id
+  #  value = var.dns_zone_create ? aws_route53_zone.domain_zone[0].zone_id : data.aws_route53_zone.domain_zone[0].zone_id
+  value = var.dns_zone_create ? aws_route53_zone.domain_zone[0].zone_id : null
 }
 
 output "domain_zone_ns" {
   description = "DNS Zone Nameservers"
   #  value       = aws_route53_zone.domain_zone[0].name_servers
-  value = var.dns_zone_create ? aws_route53_zone.domain_zone[0].name_servers : data.aws_route53_zone.domain_zone[0].name_servers
+  #  value = var.dns_zone_create ? aws_route53_zone.domain_zone[0].name_servers : data.aws_route53_zone.domain_zone[0].name_servers
+  value = var.dns_zone_create ? aws_route53_zone.domain_zone[0].name_servers : null
 }
 
 #---
@@ -132,57 +92,6 @@ resource "aws_route53_zone" "ptr_zone" {
   )
 }
 
-resource "aws_route53_vpc_association_authorization" "west_ptr_zone" {
-  #  provider = aws.west_main_dns
-  for_each = aws_route53_zone.ptr_zone
-
-  zone_id    = each.value.zone_id
-  vpc_region = "us-gov-west-1"
-  vpc_id     = var.main_dns_vpcs["us-gov-west-1"]
-}
-
-resource "aws_route53_zone_association" "west_ptr_zone" {
-  provider = aws.west_main_dns
-  for_each = aws_route53_vpc_association_authorization.west_ptr_zone
-
-  zone_id    = each.value.zone_id
-  vpc_id     = each.value.vpc_id
-  vpc_region = each.value.vpc_region
-}
-
-resource "aws_route53_vpc_association_authorization" "east_ptr_zone" {
-  #  provider = aws.east_main_dns
-  for_each = aws_route53_zone.ptr_zone
-
-  zone_id    = each.value.zone_id
-  vpc_region = "us-gov-east-1"
-  vpc_id     = var.main_dns_vpcs["us-gov-east-1"]
-}
-
-resource "aws_route53_zone_association" "east_ptr_zone" {
-  provider = aws.east_main_dns
-  for_each = aws_route53_vpc_association_authorization.east_ptr_zone
-
-  zone_id    = each.value.zone_id
-  vpc_id     = each.value.vpc_id
-  vpc_region = each.value.vpc_region
-}
-
-## resource "aws_route53_zone_association" "west_ptr_zone" {
-##   for_each = aws_route53_zone.ptr_zone
-##   zone_id = each.value.zone_id
-##   vpc_region  = "us-gov-west-1"
-##   vpc_id  = var.main_dns_vpcs["us-gov-west-1"]
-## }
-## 
-## resource "aws_route53_zone_association" "east_ptr_zone" {
-##   for_each = aws_route53_zone.ptr_zone
-##   zone_id = each.value.zone_id
-##   vpc_region  = "us-gov-east-1"
-##   vpc_id  = var.main_dns_vpcs["us-gov-east-1"]
-## }
-## 
-
 output "ptr_zone_id" {
   description = "DNS PTR Zone IDs"
   value       = { for x, s in local.ptr_zones : x => aws_route53_zone.ptr_zone[x].zone_id }