Why does Terraform plan mark the entire metadata blob to be removed?

I’m bumping our cert_manager Helm chart to a patch version and noticed in the plan output that the entire metadata blob is marked as being removed. Why is that?

Terraform will perform the following actions:
  # helm_release.cert_manager will be updated in-place
  ~ resource "helm_release" "cert_manager" {
        id                         = "cert-manager"
      ~ metadata                   = [
          - {
              - app_version = "v1.14.1"
              - chart       = "cert-manager"
              - name        = "cert-manager"
              - namespace   = "cert-manager"
              - revision    = 13
              - values      = jsonencode(
                    {
                      - cainjector     = {
                          - resources = {
                              - limits   = {
                                  - cpu               = "250m"
                                  - ephemeral-storage = "10Mi"
                                  - memory            = "512Mi"
                                }
                              - requests = {
                                  - cpu               = "250m"
                                  - ephemeral-storage = "10Mi"
                                  - memory            = "512Mi"
                                }
                            }
                        }
                      - global         = {
                          - leaderElection = {
                              - namespace = "cert-manager"
                            }
                        }
                      - installCRDs    = true
                      - resources      = {
                          - limits   = {
                              - cpu               = "250m"
                              - ephemeral-storage = "10Mi"
                              - memory            = "512Mi"
                            }
                          - requests = {
                              - cpu               = "250m"
                              - ephemeral-storage = "10Mi"
                              - memory            = "512Mi"
                            }
                        }
                      - serviceAccount = {
                          - create = false
                          - name   = "cert-manager"
                        }
                      - webhook        = {
                          - resources = {
                              - limits   = {
                                  - cpu               = "250m"
                                  - ephemeral-storage = "10Mi"
                                  - memory            = "512Mi"
                                }
                              - requests = {
                                  - cpu               = "250m"
                                  - ephemeral-storage = "10Mi"
                                  - memory            = "512Mi"
                                }
                            }
                        }
                    }
                )
              - version     = "v1.14.1"
            },
        ] -> (known after apply)
        name                       = "cert-manager"
      ~ version                    = "v1.14.1" -> "v1.14.5"
        # (26 unchanged attributes hidden)
        # (4 unchanged blocks hidden)
    }
Plan: 0 to add, 1 to change, 0 to destroy.

The metadata is not being removed, rather it’s going to be updated and the value is not yet known, signified by -> (known after apply) . As for why it’s unknown, we can’t tell without a more complete example, but in general that means the value depends on change to a managed resource which can’t be determined until it’s applied.

Aha, I see. I suppose the values are unknown because I’m referencing them from a common module. Anyway, thanks for clarification!