OpenSource Risk Experts

HashiCorp license change advisory.

Our HashiCorp license change advisory maps where you run Terraform, Vault, Consul, Nomad, and Packer, reads the Business Source License against your actual deployment, and hands you a plan to contain the exposure. Independent, buyer side, paid only by you.


If your platform teams build on HashiCorp tools, the August 2023 license change reached into your production estate whether or not anyone flagged it. A HashiCorp license change advisory exists to find that exposure, size it, and give you options before a vendor conversation or a renewal forces the question for you.

What the HashiCorp license change advisory delivers

You receive a map of every place HashiCorp software runs across your estate, direct and embedded, with the version and license state of each instance. You receive a plain reading of how the Business Source License terms apply to your specific deployment patterns. And you receive a containment plan that weighs three real paths against each other: migrate to an open alternative such as OpenTofu, negotiate a commercial license, or stay put with documented justification.

Every option carries an engineering cost, a license posture, and a timeline. We attach all three to each path so the decision your board signs off on holds under scrutiny rather than simply moving the problem.

What actually changed at HashiCorp

As of August 2023, HashiCorp moved Terraform, Vault, Consul, Nomad, and Packer from the Mozilla Public License to the Business Source License 1.1. The Business Source License restricts using the software to provide a competing product or service, and converts to an open license after a delay that is commonly four years per release. IBM later acquired HashiCorp. In response to the change, the community created OpenTofu, an open source fork of Terraform now under independent stewardship.

The Business Source License is source available, not open source. It is not approved by the Open Source Initiative. The practical risk is that software you adopted under a permissive license now sits under terms a vendor may read as requiring a commercial agreement, and that reading can apply to code already running in production.

Who this advisory is for

The buyers who reach for this engagement are CISOs, general counsel, procurement leaders, and platform engineering directors who carry the risk but have never mapped it. If Terraform underpins your infrastructure as code, if Vault holds your secrets, or if Consul wires your service mesh, you have exposure worth measuring. The advisory turns a vague worry into a sized, ranked, and actionable picture.

This advisory sits alongside our broader work. It draws on the same exposure model as our relicensing exposure review service and feeds the full picture covered in our HashiCorp and Terraform pillar. For the wider context, see our guide to open source license risk.

COMMON QUESTIONS

Questions buyers ask.

What is a HashiCorp license change advisory?

A HashiCorp license change advisory is a buyer side engagement that maps where you run Terraform, Vault, Consul, Nomad, and Packer, reads the Business Source License terms against your actual use, and gives you a plan to contain the exposure.

What did HashiCorp change?

As of August 2023, HashiCorp moved Terraform, Vault, Consul, Nomad, and Packer from an open source license to the Business Source License 1.1, which restricts competitive production use and converts to an open license after a delay. IBM later acquired HashiCorp. The community fork of Terraform is OpenTofu.

Does the Business Source License affect my production use?

It can. The Business Source License restricts using the software to offer a competing product or service. Whether your use is restricted depends on how you deploy and what you offer, which is exactly what the advisory assesses.

Is OpenTofu a safe alternative?

OpenTofu is the open source fork of Terraform and is an option many buyers evaluate. Whether it fits depends on your modules, providers, and tooling. The advisory weighs migration against negotiation and staying put.

Is this legal advice?

No. This is commercial and licensing risk advisory, not legal advice. We recommend your own counsel for interpretation of the Business Source License terms and any compliance question.

CONTAINMENT

Map your HashiCorp exposure before renewal.

A confidential open source license risk assessment. Independent, buyer side, paid only by you.
