diff --git a/subnet_tags/README.md b/subnet_tags/README.md index 3839f2a..ff2bb18 100644 --- a/subnet_tags/README.md +++ b/subnet_tags/README.md @@ -88,12 +88,16 @@ No modules. | Name | Type | |------|------| +| [aws_ec2_tag.private](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_tag) | resource | +| [aws_ec2_tag.public](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_tag) | resource | | [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source | | [aws_availability_zone.zone](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zone) | data source | | [aws_availability_zones.zones](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source | | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | | [aws_iam_account_alias.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_account_alias) | data source | | [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | +| [aws_subnet.private](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnet) | data source | +| [aws_subnet.public](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnet) | data source | | [aws_subnets.private](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnets) | data source | | [aws_subnets.public](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnets) | data source | diff --git a/subnet_tags/main.tf b/subnet_tags/main.tf index 880b343..b76f8c9 100644 --- a/subnet_tags/main.tf +++ b/subnet_tags/main.tf 
@@ -101,8 +101,10 @@ locals { } +# only get subnets where we want to add a tag +# note this will NOT override an existing tag data "aws_subnets" "public" { - for_each = { for subnet in local.public_map : subnet.label => subnet } + for_each = { for subnet in local.public_map : subnet.label => subnet && length(subnet.tags) > 0 } filter { name = "vpc-id" values = [var.vpc_id] @@ -113,6 +115,24 @@ data "aws_subnets" "public" { } } +locals { + public_ids = merge([for k, v in data.aws_subnets.public : { for i in v.ids : format("%v:%v", k, i) => { item = format("%v:%v", k, i), label = k, subnet_id = i } }]...) + public_tag_keys = { for p in local.public_ids : p => keys(local.public_subnets[p.label].tags) } + public_tags = merge([for p, v in local.public_ids : { for t in v : format("%v_%v", p, t) => { tag_label = format("%v_%v", p, t), id_label = p, subnet_id = local.public_ids[p].subnet_id, tag_key = t, tag_value = local.public_subnets[p].tags[t] } }]...) +} + +data "aws_subnet" "public" { + for_each = local.public_ids + id = each.value.subnet_id +} + +resource "aws_ec2_tag" "public" { + for_each = local.public_tags + resource_id = each.value.subnet_id + key = each.value.tag_key + value = each.value.tag_value +} + #--- # private subnets #--- @@ -135,7 +155,7 @@ locals { # ignore attachment, as it is not shared data "aws_subnets" "private" { - for_each = { for subnet in local.private_map : subnet.label => subnet if subnet.label != "attachment" } + for_each = { for subnet in local.private_map : subnet.label => subnet if subnet.label != "attachment" && length(subnet.tags) > 0 } filter { name = "vpc-id" values = [var.vpc_id] 
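Review bot: The new `for_each` on `data "aws_subnets" "public"` has lost the `if` keyword, so `subnet.label => subnet && length(subnet.tags) > 0` applies `&&` to the subnet object instead of filtering, which Terraform should reject as a type error. The private counterpart in a later hunk uses the filter form, so this line should read `for_each = { for subnet in local.public_map : subnet.label => subnet if length(subnet.tags) > 0 }`. If `tags` can be unset on an entry of `local.public_map` (its definition is outside the hunk), `length()` would also need a null guard. The data block continues past the end of the hunk.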
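Review bot: `public_tag_keys` and `public_tags` in the added `locals` block do not iterate what their names suggest. `for p in local.public_ids` binds `p` to the value object, so `p => keys(...)` uses an object as a map key; `public_tags` then loops over `local.public_ids` again, so `for t in v` walks the `item`/`label`/`subnet_id` values instead of tag keys, and `local.public_subnets[p]` is indexed by the composite `label:subnet_id` key. Assuming `local.public_subnets` (defined outside the hunk) is keyed by label, I would expect `public_tag_keys = { for k, p in local.public_ids : k => keys(local.public_subnets[p.label].tags) }`, with `public_tags` iterating `local.public_tag_keys` and reading `local.public_subnets[local.public_ids[p].label].tags[t]`. The same three locals are repeated for the private subnets in the last hunk and need the same correction.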
@@ -145,3 +165,21 @@ data "aws_subnets" "private" { values = [format("*-%v-*", each.key)] } } + +locals { + private_ids = merge([for k, v in data.aws_subnets.private : { for i in v.ids : format("%v:%v", k, i) => { item = format("%v:%v", k, i), label = k, subnet_id = i } }]...) + private_tag_keys = { for p in local.private_ids : p => keys(local.private_subnets[p.label].tags) } + private_tags = merge([for p, v in local.private_ids : { for t in v : format("%v_%v", p, t) => { tag_label = format("%v_%v", p, t), id_label = p, subnet_id = local.private_ids[p].subnet_id, tag_key = t, tag_value = local.private_subnets[p].tags[t] } }]...) +} + +data "aws_subnet" "private" { + for_each = local.private_ids + id = each.value.subnet_id +} + +resource "aws_ec2_tag" "private" { + for_each = local.private_tags + resource_id = each.value.subnet_id + key = each.value.tag_key + value = each.value.tag_value +}
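Review bot: Nothing in this hunk keeps `aws_ec2_tag.private` from replacing a tag that already exists on the subnet, although the comment added above `data "aws_subnets" "public"` says existing tags are not overridden. `data "aws_subnet" "private"` is read for every subnet ID but its `tags` attribute is never consulted, and as far as I know the EC2 tag-creation call behind `aws_ec2_tag` overwrites the value of an existing key, while destroying the resource later deletes the tag. Where subnet tags feed IAM conditions or controller discovery, that is a silent change to infrastructure this module does not own, so either filter on the looked-up tags, e.g. `if !contains(keys(data.aws_subnet.private[p].tags), t)` in the `private_tags` comprehension, or correct the comment. `aws_ec2_tag.public` and `data "aws_subnet" "public"` in the earlier hunk have the same gap.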