CASE STUDY · FINANCIAL SERVICES
Bank Negotiates HashiCorp Enterprise Terms After IBM Deal
In this case study, a bank negotiates HashiCorp enterprise terms after the IBM deal by first sizing its Vault and Terraform exposure, then bounding the commercial conversation with a measured baseline and a credible alternative. This is an anonymized composite. It names no client and no vendor relationship beyond the public facts of the license change and the acquisition.
Situation
A national bank had standardized on HashiCorp products across its platform. Vault held secrets for nearly every production system, and Terraform provisioned infrastructure across many teams. The dependency had grown over years and was treated as settled. Both tools were load-bearing, and Vault in particular sat so deep that few people inside the bank could describe how a move away from it would even work. The estate was extensive, central, and largely unmapped from a licensing point of view.
The trigger
Two events landed in sequence. First, HashiCorp moved Terraform, Vault, and its companion products to the Business Source License as of August 2023, which restricts competitive production use and converts to an open license after a delay, commonly four years. Then IBM acquired HashiCorp. The acquisition did not change the license terms, but it sharpened the bank's attention. A larger owner can revisit commercial strategy over time, and the bank faced a renewal window in which it would need to commit to enterprise terms or chart an alternative. Procurement and the office of the CISO wanted to know the size of the exposure before they sat down with the vendor, and no one could yet state it.
Approach
We built the map the bank lacked. For every HashiCorp product in the estate, we recorded the version in use, where it sat relative to the August 2023 change, the systems that depended on it, and whether the usage sat anywhere near the competitive-use boundary the license describes. Vault and Terraform were handled separately, because their migration profiles differ sharply. Terraform has the OpenTofu fork as an openly licensed path, while Vault is deeper and harder to replace, which changes the leverage on each.
We then sized two numbers for each product. The first was the cost of enterprise terms at the bank's measured footprint, stripped of the inflated assumptions a list price would carry. The second was the cost and timeline of the credible alternative: OpenTofu for Terraform, and a harder, more deliberate migration path for Vault. Throughout, we treated the question of whether any use was competitive as the bank's own to answer: we supplied the usage facts and the cost model, while its general counsel held the interpretation of the terms.
Outcome
The map reset the negotiation before it began. It showed that much of the Terraform footprint sat inside permitted use and that a real OpenTofu path existed for the teams where migration was cheap, which gave the bank a genuine walk-away position on the Terraform side. Vault was the harder case, and the bank accepted that enterprise terms were the realistic answer there. But it now entered that conversation with a measured footprint rather than a vendor estimate, and with a documented alternative on the table.
The bank negotiated enterprise terms scoped to its actual Vault usage, with the Terraform leverage and the costed alternatives bounding the overall figure well below the opening position. The exposure that had been unbounded and a source of anxiety at the start became a defined commercial commitment the CISO and procurement could defend to the board, with the relicensing risk contained rather than simply absorbed.
Lessons for buyers
Three lessons travel beyond this engagement. First, handle each product on its own terms. Terraform and Vault carry the same license but very different leverage, and treating them as one number weakens your position on both. Second, an acquisition is a prompt, not a panic. The IBM deal changed no license text, but it was the right moment to size the dependency and decide on a path with the facts in hand. Third, separate the legal question from the commercial one. We sized the exposure and built the position. The bank's own counsel interpreted whether any use was competitive. Keeping those roles distinct kept the work fast and the advice clean.
This work was delivered through our open source commercial license negotiation and our relicensing exposure review, which traced the blast radius of the license change. For the wider context, see the HashiCorp and Terraform pillar and the related study on how a bank maps Terraform BSL exposure across 40 teams.
COMMON QUESTIONS
Questions buyers ask.
What prompted the bank to negotiate HashiCorp enterprise terms after the IBM deal?
The move of HashiCorp products to the Business Source License as of August 2023, followed by the IBM acquisition of HashiCorp, prompted the bank to size its Vault and Terraform exposure and approach a commercial conversation with a measured position rather than reacting to a list price.
How was the exposure quantified?
We mapped every HashiCorp product in the estate, the versions in use, and where each sat relative to the August 2023 change. We then sized the commercial license cost at the measured footprint and compared it with the cost to migrate or to hold a clean version.
Did the IBM acquisition change the bank's risk?
The acquisition did not change the license terms, but it added a strategic consideration. A larger owner can adjust commercial strategy over time, which made the bank value a measured baseline and a credible alternative before committing to long-term dependence.
Is this a real named client?
No. This is an anonymized composite drawn from common patterns in financial services engagements. It names no client and no vendor relationship beyond the public facts of the license change and the acquisition.
Is a case study legal advice?
No. We provide commercial and licensing risk advisory, not legal advice. For interpretation of the Business Source License and whether a use is competitive, we recommend your own counsel.