OpenSource Risk Experts
Map your blast radius

CASE STUDY · ANONYMISED COMPOSITE

Insurer Avoids USD 1.4M HashiCorp Commercial Surprise

This case study traces how an insurer avoided a USD 1.4M HashiCorp commercial surprise after the Terraform Business Source License change. It is an anonymised composite drawn from buyer side engagements. It names no client and no vendor relationship, and is shared to show how the exposure is mapped and contained.

Situation

A mid sized insurer ran Terraform across roughly thirty engineering teams to manage cloud infrastructure for its policy, claims, and customer platforms. The tooling had grown organically over years. No single owner could say which versions ran where, and the infrastructure as code estate was treated as settled plumbing rather than a licensed dependency. Terraform was simply how the teams shipped.

The exposure and the trigger

As of August 2023, HashiCorp moved Terraform and related tools to the Business Source License 1.1, which restricts competitive production use and converts to an open license after a delay, commonly four years. Some time later, vendor outreach raised with the insurer the prospect of a commercial license to cover its broad Terraform footprint. An internal estimate, built from list pricing applied to the full deployment, put the annual exposure at about USD 1.4M. The number landed at the board, and the pressure was to sign quickly to remove the uncertainty.

Approach

We were engaged from the buyer side to map the real position before any commitment. The work began with an open source license risk assessment that resolved every copy of Terraform across the estate and recorded the version and license state of each. We then ran a focused relicensing exposure review to size what the Business Source License actually meant for this insurer, given how it used the tool.

Two facts changed the picture. First, most of the footprint ran versions released before the license change, which remained under the prior open license and were never in scope for the new terms. Second, the insurer used Terraform to manage its own internal infrastructure, not to offer a competing product, so the competitive use restriction at the heart of the Business Source License did not bite on the bulk of its estate. The assumed exposure rested on a list price applied to a footprint that was largely not subject to the new license at all.
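The first of the two facts above rests on a mechanical step: every copy of the tool gets a version, and every version gets a dated license verdict. The script below is an added illustration of that step, not the consultancy's tooling or anything from the engagement. It assumes an inventory of host, binary path and `terraform version` output (constructed inline here rather than collected from real systems), that the prior open license is MPL 2.0, and that `BSL_CUTOFF` is the first release shipped under the Business Source License; that cutoff value is an assumption to verify against HashiCorp's own release notes before any verdict is relied on.

```python
"""Classify an inventory of Terraform binaries by release-era license.

Added example, not the consultancy's tooling. It assumes:
  * the inventory is a list of (host, path, reported version) records, here
    constructed inline rather than collected from real systems;
  * BSL_CUTOFF marks the first release under the Business Source License;
    the value below is an assumption to verify against HashiCorp's release
    notes before relying on a verdict.
"""
import re
from collections import Counter

# Assumption: first Terraform release shipped under BUSL 1.1. Verify this.
BSL_CUTOFF = (1, 6, 0)
PRIOR_LICENSE = "MPL-2.0"      # license of releases before the change
NEW_LICENSE = "BUSL-1.1"

# Constructed sample inventory: (host, binary path, output of `terraform version`)
INVENTORY = [
    ("ci-runner-01", "/usr/local/bin/terraform", "Terraform v1.4.6"),
    ("ci-runner-02", "/usr/local/bin/terraform", "Terraform v1.5.7"),
    ("dev-laptop-17", "/opt/homebrew/bin/terraform", "Terraform v1.6.2"),
    ("claims-build", "/opt/tf/terraform", "Terraform v1.6.0-beta1"),
    ("legacy-jump", "/home/ops/terraform", ""),  # binary present, version unreadable
]

_VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)")

def parse_version(text):
    """Return (major, minor, patch) from `terraform version` output, or None."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(g) for g in m.groups())

def license_for(version):
    """Map a release version to the license it shipped under.

    Pre-release builds (e.g. 1.6.0-beta1) compare as their final version,
    so anything at or above the cutoff is treated as BUSL-1.1. A copy whose
    version could not be read is reported as UNRESOLVED rather than guessed.
    """
    if version is None:
        return "UNRESOLVED"
    return NEW_LICENSE if version >= BSL_CUTOFF else PRIOR_LICENSE

def classify(inventory):
    """Attach a license verdict to every record; unresolved ones need follow-up."""
    verdicts = []
    for host, path, reported in inventory:
        version = parse_version(reported)
        verdicts.append({
            "host": host,
            "path": path,
            "version": ".".join(map(str, version)) if version else None,
            "license": license_for(version),
        })
    return verdicts

def summarize(verdicts):
    """Count copies per license state; the denominator for any exposure estimate."""
    return dict(Counter(v["license"] for v in verdicts))

if __name__ == "__main__":
    results = classify(INVENTORY)
    for r in results:
        print(f"{r['host']:<14} {r['path']:<32} {r['version'] or '?':<10} {r['license']}")
    print(summarize(results))
```

The summary is the denominator a list-price estimate never has: only the copies in the `BUSL-1.1` bucket are candidates for the new terms, and the `UNRESOLVED` bucket is a to-do list, not an assumed liability. The second fact, whether the use is competitive or ordinary internal infrastructure, is a judgment applied on top of these verdicts rather than something a script can decide.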

Outcome

The dependency map and the dated license verdicts reframed the conversation. With evidence that most use sat under the prior open license and was not competitive, the insurer did not sign the broad commercial agreement. The roughly USD 1.4M annual surprise was removed from the board's view, replaced by a measured plan: hold steady on the pre change versions where appropriate, adopt the OpenTofu community fork over time for components that needed newer features, and reserve a narrow commercial license only for the small set of cases that genuinely warranted it. The insurer kept its leverage and avoided both a rushed payment and a rushed migration.

Lessons for buyers

A commercial license demand built on list pricing is a starting position, not a measured exposure. The version you run matters, because releases before a relicense usually remain under the prior terms. How you use the tool matters, because a competitive use restriction does not bite on ordinary internal infrastructure. And a dependency map produced from your own systems is the evidence that turns an open ended demand into a bounded, negotiable question. The cheapest moment to establish that evidence is before you sign, not after.

For the full mechanics of the HashiCorp change, see the HashiCorp and Terraform BSL pillar, and browse more open source risk case studies.

COMMON QUESTIONS

Questions buyers ask.

What triggered the HashiCorp commercial surprise for the insurer?

After HashiCorp moved Terraform and related tools to the Business Source License as of August 2023, a vendor outreach raised the prospect of a commercial license for the insurer's broad Terraform footprint. The list price exposure was put at about USD 1.4M a year before the engagement scoped the real position.

How did the assessment reduce the exposure?

Mapping the estate showed most of the footprint ran versions released before the license change, which remained under the prior open license, and that the insurer's use was internal infrastructure rather than a competing offering. That evidence reframed the negotiation and removed most of the assumed exposure.

Did the insurer have to move to OpenTofu?

Not immediately. The assessment laid out staying on pre change versions, adopting OpenTofu over time, and a narrow commercial license as options. The insurer chose a measured path that kept leverage and avoided a rushed migration.

Is this a real named client?

No. This is an anonymised composite drawn from buyer side engagements. It does not name a specific client or vendor relationship and is shared to illustrate how the exposure is mapped and contained.

CONTAINMENT

Map your exposure before you sign.

A confidential open source license risk assessment. Independent, buyer side, paid only by you.

Not ready to talk? Read the free open source license risk guides first.
