diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index b348aea04..837f45982 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -1,6 +1,6 @@
 repos:
 - repo: https://github.com/antonbabenko/pre-commit-terraform
- rev: v1.96.2
+ rev: v1.99.0
 hooks:
 - id: terraform_fmt
 - id: terraform_docs
diff --git a/CHANGELOG.md b/CHANGELOG.md
index df7c4f503..9cc64b67f 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,13 @@ All notable changes to this project will be documented in this file. +## [5.20.0](https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v5.19.0...v5.20.0) (2025-04-21) + + ### Features + +* Allow setting custom tags on `aws_vpc_block_public_access_exclusion` resource ([#1170](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/1170)) ([0d11295](https://github.com/terraform-aws-modules/terraform-aws-vpc/commit/0d11295d8b45f1319c46bfd044030035e9e02445)) + ## [5.19.0](https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v5.18.1...v5.19.0) (2025-02-12)
diff --git a/UPGRADE-3.0.md b/UPGRADE-3.0.md
index f1e5d24fa..f8a13c2e5 100644
--- a/UPGRADE-3.0.md
+++ b/UPGRADE-3.0.md
@@ -10,7 +10,7 @@ If you find a bug, please open an issue with supporting configuration to reprodu
 Previously, VPC endpoints were configured as standalone resources with their own set of variables and attributes. Now, this functionality is provided via a module which loops over a map of maps using `for_each` to generate the desired VPC endpoints. Therefore, to maintain the existing set of functionality while upgrading, you will need to perform the following changes:
-1. Move the endpoint resource from the main module to the sub-module. The example state move below is valid for all endpoints you might have configured (reference [`complete-vpc`](https://github.com/terraform-aws-modules/terraform-aws-vpc/tree/master/examples/complete-vpc) example for reference), where `ssmmessages` should be updated for and state move performed for each endpoint configured:
+1. Move the endpoint resource from the main module to the sub-module. The example state move below is valid for all endpoints you might have configured (reference [`complete-vpc`](https://github.com/terraform-aws-modules/terraform-aws-vpc/tree/master/examples/complete) example for reference), where `ssmmessages` should be updated for and state move performed for each endpoint configured:
 ```
 terraform state mv 'module.vpc.aws_vpc_endpoint.ssm[0]' 'module.vpc_endpoints.aws_vpc_endpoint.this["ssm"]'
diff --git a/examples/block-public-access/README.md b/examples/block-public-access/README.md
index 21c6bd116..ccfa6137f 100644
--- a/examples/block-public-access/README.md
+++ b/examples/block-public-access/README.md
@@ -30,8 +30,8 @@ Currently only `internet_gateway_block_mode` is supported, for which valid value
 VPC block public access exclusions can be applied at the VPC level e.g.:
-```
-vpc_block_public_access_exclusions = {
+```hcl
+ vpc_block_public_access_exclusions = {
 exclude_vpc = {
 exclude_vpc = true
 internet_gateway_exclusion_mode = "allow-bidirectional"
@@ -41,8 +41,8 @@ vpc_block_public_access_exclusions = {
 or at the subnet level e.g.:
-```
-vpc_block_public_access_exclusions = {
+```hcl
+ vpc_block_public_access_exclusions = {
 exclude_subnet_private1 = {
 exclude_subnet = true
 subnet_type = "private"
diff --git a/examples/block-public-access/main.tf b/examples/block-public-access/main.tf
index 6957610ee..a76efdff1 100644
--- a/examples/block-public-access/main.tf
+++ b/examples/block-public-access/main.tf
@@ -31,12 +31,10 @@ module "vpc" {
 azs = local.azs
 private_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 4, k)]
- ### VPC Block Public Access Options
 vpc_block_public_access_options = {
 internet_gateway_block_mode = "block-bidirectional"
 }
- ### VPC Block Public Access Exclusion at the VPC level
 vpc_block_public_access_exclusions = {
 exclude_vpc = {
 exclude_vpc = true
@@ -44,21 +42,5 @@ module "vpc" {
 }
 }
- ### VPC Block Public Access Exclusion at the subnet level
- # vpc_block_public_access_exclusions = {
- # exclude_subnet_private1 = {
- # exclude_subnet = true
- # subnet_type = "private"
- # subnet_index = 1
- # internet_gateway_exclusion_mode = "allow-egress"
- # }
- # exclude_subnet_private2 = {
- # exclude_subnet = true
- # subnet_type = "private"
- # subnet_index = 2
- # internet_gateway_exclusion_mode = "allow-egress"
- # }
- # }
-
 tags = local.tags
 }
diff --git a/main.tf b/main.tf
index 82faa7eee..618aa2c10 100644
--- a/main.tf
+++ b/main.tf
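Review bot: After this hunk drops the two `### VPC Block Public Access …` headings, the example sets `internet_gateway_block_mode = "block-bidirectional"` and then adds an exclusion with `exclude_vpc = true` with nothing left to explain why both are present. If the exclusion mode on the line between the two hunks is `allow-bidirectional`, as the README sample in this same change shows, a VPC-scoped exclusion — as I read the AWS feature — exempts the entire VPC from the block mode configured just above it, so the example demonstrates the mechanism rather than a hardened layout, and a reader copying it should be told that. I would keep one line above `vpc_block_public_access_exclusions`: `# VPC-wide exclusion: exempts every subnet from the block mode above - demo only; scope exclusions to subnets (see README) when only some subnets need internet access`. The `module "vpc"` block opens before this hunk and closes in the next one.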
@@ -68,9 +68,9 @@ resource "aws_vpc_block_public_access_options" "this" {
 resource "aws_vpc_block_public_access_exclusion" "this" {
 for_each = { for k, v in var.vpc_block_public_access_exclusions : k => v if local.create_vpc }
- vpc_id = lookup(each.value, "exclude_vpc", false) ? local.vpc_id : null
+ vpc_id = try(each.value.exclude_vpc, false) ? local.vpc_id : null
- subnet_id = lookup(each.value, "exclude_subnet", false) ? lookup(
+ subnet_id = try(each.value.exclude_subnet, false) ? lookup(
 {
 private = aws_subnet.private[*].id,
 public = aws_subnet.public[*].id,
@@ -86,7 +86,10 @@ resource "aws_vpc_block_public_access_exclusion" "this" {
 internet_gateway_exclusion_mode = each.value.internet_gateway_exclusion_mode
- tags = var.tags
+ tags = merge(
+ var.tags,
+ try(each.value.tags, {}),
+ )
 }
 ################################################################################
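Review bot: Reading `exclude_vpc` and `exclude_subnet` through `try(..., false)` on the `vpc_id` and `subnet_id` lines means an entry that names neither flag, misspells one, or sets both produces an exclusion with `vpc_id`/`subnet_id` both null or both set, and nothing in the resource fails that at plan time; since every entry here is a carve-out from the VPC's block-public-access policy, I would rather validate the scope of each exclusion in the module than leave it to the provider, which presumably only rejects it at apply. A `lifecycle` precondition requiring exactly one of the two flags gives a plan-time error that names the problem; the sketch below goes at the end of the resource body, whose closing `}` is in the second hunk. The new `tags = merge(var.tags, try(each.value.tags, {}))` also lets a per-exclusion `tags` map override module-wide tags on key collision, which looks intended but deserves a one-liner above it: `# per-exclusion tags take precedence over var.tags`. The `subnet_id` expression continues past the end of the first hunk.
```hcl
  # … unchanged: for_each, vpc_id, subnet_id, internet_gateway_exclusion_mode, tags …

  # Fail closed at plan time: each exclusion must target exactly one of the VPC or a subnet.
  lifecycle {
    precondition {
      condition     = try(each.value.exclude_vpc, false) != try(each.value.exclude_subnet, false)
      error_message = "Each vpc_block_public_access_exclusions entry must set exactly one of exclude_vpc or exclude_subnet to true."
    }
  }
}
```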