OpenSource Risk Experts

CASE STUDY  ·  FINANCIAL SERVICES

Bank Maps Terraform BSL Exposure Across 40 Teams

In this case study, a bank maps Terraform BSL exposure across 40 teams after the Business Source License change, sizes the cost, and contains the relicensing risk before its renewal window. This is an anonymized composite. It names no client and no vendor relationship beyond the public facts of the license change.

Situation

A retail and commercial bank operating across several markets had adopted Terraform years earlier as its standard for infrastructure as code. Adoption was organic. Over time, roughly 40 engineering teams came to rely on it, each with its own modules, providers, and pipelines. No central group owned the dependency. It was simply part of how the bank shipped infrastructure, treated as a permanently open tool that needed no license attention.

The trigger

When HashiCorp moved Terraform to the Business Source License as of August 2023, the bank's general counsel asked a simple question that no one could answer with confidence: did the bank's use count as competitive production use under the new terms, and if a commercial license were required, what would it cost across 40 teams? The license restricts competitive production use and converts to an open license after a delay, commonly four years, but the bank had no map of how deeply Terraform ran or which teams were affected. The exposure was real and unquantified, and a procurement conversation with the vendor was approaching.

Approach

We began with a complete map of Terraform usage across all 40 teams. For each, we recorded the version in use, the modules and providers relied on, the deployment pattern, and whether the usage sat anywhere near the competitive use boundary the license describes. That gave the bank, for the first time, a single picture of its dependency rather than 40 separate assumptions.

We then sized two numbers side by side. The first was the potential cost of a commercial license at the bank's measured footprint, separated from the inflated footprint a list price would assume. The second was the cost to migrate to OpenTofu, the community fork of Terraform, including the engineering effort and the retraining each team would need. We were careful to frame the legal question as the bank's own, pointing general counsel to interpret whether the use was competitive while we supplied the usage facts and the cost model.

Outcome

The map changed the conversation. It showed that a large share of the 40 teams used Terraform in ways that sat well inside the open use the license still permitted, which materially shrank the population that might need a commercial license. For the teams that remained, the bank now held a measured usage baseline and a costed migration alternative, which together gave it a credible walk-away position before any vendor discussion began.

The bank chose a mixed path. It moved a set of teams to OpenTofu where migration was cheap and the open posture was valued, and it scoped a far smaller commercial conversation for the remainder. The exposure that had been unbounded at the start of the engagement became a defined, defensible figure the bank could take to its board, with the relicensing risk contained rather than merely acknowledged.

Lessons for buyers

Three lessons carry across to any organization in a similar position. First, the map comes before the negotiation. A bank that walks into a vendor conversation without knowing its own footprint pays for the footprint the vendor assumes. Second, a costed alternative is leverage. The OpenTofu migration estimate did more to bound the commercial conversation than any argument about price. Third, the legal question and the commercial question are separate. We sized the exposure and built the position. The bank's own counsel interpreted the terms. Keeping those roles distinct kept the work fast and the advice clean.

This work was delivered through our relicensing exposure review, which traces the blast radius of a license change, and our open source license risk assessment, which produced the underlying dependency map. For the wider context, see the HashiCorp and Terraform pillar and the relicensing exposure pillar.

COMMON QUESTIONS

Questions buyers ask.

What triggered the Terraform BSL exposure review at the bank?

The move of Terraform to the Business Source License as of August 2023 prompted the bank to ask whether its widespread internal use counted as competitive production use, and what a commercial license might cost across 40 teams.

How was the exposure quantified?

We mapped every team's Terraform usage, the modules and providers each relied on, and the deployment pattern, then sized the potential commercial license cost and the cost to migrate to the OpenTofu fork as a comparison.

Is this a real named client?

No. This is an anonymized composite drawn from common patterns in financial services engagements. It names no client and no vendor relationship beyond the public facts of the license change.

Is a case study legal advice?

No. We provide commercial and licensing risk advisory, not legal advice. For interpretation of the Business Source License and whether a use is competitive, we recommend your own counsel.
