diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index b348aea04..837f45982 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -1,6 +1,6 @@
 repos:
 - repo: https://github.com/antonbabenko/pre-commit-terraform
- rev: v1.96.2
+ rev: v1.99.0
 hooks:
 - id: terraform_fmt
 - id: terraform_docs
diff --git a/examples/block-public-access/README.md b/examples/block-public-access/README.md
index 21c6bd116..ccfa6137f 100644
--- a/examples/block-public-access/README.md
+++ b/examples/block-public-access/README.md
@@ -30,8 +30,8 @@ Currently only `internet_gateway_block_mode` is supported, for which valid value
 
 VPC block public access exclusions can be applied at the VPC level e.g.:
 
-```
-vpc_block_public_access_exclusions = {
+```hcl
+ vpc_block_public_access_exclusions = {
 exclude_vpc = {
 exclude_vpc = true
 internet_gateway_exclusion_mode = "allow-bidirectional"
@@ -41,8 +41,8 @@ vpc_block_public_access_exclusions = {
 
 or at the subnet level e.g.:
 
-```
-vpc_block_public_access_exclusions = {
+```hcl
+ vpc_block_public_access_exclusions = {
 exclude_subnet_private1 = {
 exclude_subnet = true
 subnet_type = "private"
diff --git a/examples/block-public-access/main.tf b/examples/block-public-access/main.tf
index 6957610ee..a76efdff1 100644
--- a/examples/block-public-access/main.tf
+++ b/examples/block-public-access/main.tf
@@ -31,12 +31,10 @@ module "vpc" {
 azs = local.azs
 private_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 4, k)]
 
- ### VPC Block Public Access Options
 vpc_block_public_access_options = {
 internet_gateway_block_mode = "block-bidirectional"
 }
 
- ### VPC Block Public Access Exclusion at the VPC level
 vpc_block_public_access_exclusions = {
 exclude_vpc = {
 exclude_vpc = true
@@ -44,21 +42,5 @@ module "vpc" {
 }
 }
 
- ### VPC Block Public Access Exclusion at the subnet level
- # vpc_block_public_access_exclusions = {
- # exclude_subnet_private1 = {
- # exclude_subnet = true
- # subnet_type = "private"
- # subnet_index = 1
- # internet_gateway_exclusion_mode = "allow-egress"
- # }
- # exclude_subnet_private2 = {
- # exclude_subnet = true
- # subnet_type = "private"
- # subnet_index = 2
- # internet_gateway_exclusion_mode = "allow-egress"
- # }
- # }
-
 tags = local.tags
 }
diff --git a/main.tf b/main.tf
index 82faa7eee..618aa2c10 100644
--- a/main.tf
+++ b/main.tf
@@ -68,9 +68,9 @@ resource "aws_vpc_block_public_access_options" "this" {
 resource "aws_vpc_block_public_access_exclusion" "this" {
 for_each = { for k, v in var.vpc_block_public_access_exclusions : k => v if local.create_vpc }
 
- vpc_id = lookup(each.value, "exclude_vpc", false) ? local.vpc_id : null
+ vpc_id = try(each.value.exclude_vpc, false) ? local.vpc_id : null
 
- subnet_id = lookup(each.value, "exclude_subnet", false) ? lookup(
+ subnet_id = try(each.value.exclude_subnet, false) ? lookup(
 {
 private = aws_subnet.private[*].id,
 public = aws_subnet.public[*].id,
@@ -86,7 +86,10 @@ resource "aws_vpc_block_public_access_exclusion" "this" {
 
 internet_gateway_exclusion_mode = each.value.internet_gateway_exclusion_mode
 
- tags = var.tags
+ tags = merge(
+ var.tags,
+ try(each.value.tags, {}),
+ )
 }
 
 ################################################################################
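Review bot: `try(each.value.exclude_vpc, false)` on the new `vpc_id` line only substitutes the fallback when evaluating the attribute raises an error; if `var.vpc_block_public_access_exclusions` is declared with `optional(bool)` attributes that carry no default (the variable definition is outside this diff), an omitted attribute evaluates to null rather than erroring, `try()` passes that null through, and the `? :` conditional fails at plan time with a non-boolean condition. The same applies to `exclude_subnet` on the `subnet_id` line two lines below. Either give the optional attributes a `false` default in the variable type or make the fallback explicit, e.g. `vpc_id = coalesce(try(each.value.exclude_vpc, null), false) ? local.vpc_id : null`. Since exclusions relax the block-public-access control, a plan-time failure here is fail-closed rather than a silent bypass, but it is still a regression worth covering with an example that omits both attributes. The resource block continues past the end of the hunk.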
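Review bot: The new `tags = merge(var.tags, try(each.value.tags, {}))` lets per-exclusion tags override `var.tags` on key collisions, and nothing in the hunk records that this ordering is intentional; because tags on exclusion resources are what tag-based policy and cost reporting key on, a comment such as `# per-exclusion tags take precedence over module-wide var.tags on key collision` above the `merge(` line would make the contract explicit. If the `tags` attribute is declared `optional(map(string))` without a default (the variable is outside this diff), `try()` hands `merge()` a null instead of `{}`; as far as I can tell Terraform's `merge()` skips null arguments, so this is harmless today, but that reliance is worth a note beside the fallback.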