Terraform BSL Exposure Assessment

As of August 2023, HashiCorp moved Terraform, Vault, Consul, Nomad, Packer, and others from an open source license to the Business Source License 1.1. The license restricts competitive production use and converts to an open license after a delay, commonly four years. IBM later acquired HashiCorp. For most enterprises the change landed quietly, because Terraform was already woven through their infrastructure pipelines. The exposure was created the day the license changed, whether or not anyone noticed.

What the Terraform BSL exposure assessment covers

We start by finding every copy of Terraform and the related HashiCorp tools in your estate, across CI pipelines, developer machines, modules, and managed wrappers. We then confirm which versions carry the Business Source License, since releases before the change remain under the prior open license. The result is a clear line between what is governed by the old terms and what is governed by the new ones, mapped to the systems that depend on each.

The core question the Business Source License raises is competitive use. The license restricts production use that competes with the vendor offering. For most enterprises running Terraform to manage their own infrastructure, that restriction does not bite, but the line is not always obvious, and managed service patterns can complicate it. We map where your use sits relative to that line and flag the cases that warrant your counsel's view.

Your options after the license change

Three paths are usually on the table. You can stay on Terraform and accept the Business Source License terms, which may be fine if your use is plainly not competitive. You can move to OpenTofu, the community fork created after the change, which carries an open source license. Or you can take a commercial license from the vendor. The assessment weighs each on engineering cost, license posture, provider and module compatibility, and timeline, so the path you pick holds up and does not simply move the exposure elsewhere.

For the full picture of the HashiCorp change and the fork, see the HashiCorp and Terraform BSL pillar. To size exposure beyond Terraform across other relicensed projects, see the relicensing exposure review service, and to map your whole estate first, the open source license risk assessment.

Why act now

The cost to cure rises with every release you adopt under the new terms and every team that builds more on top. Mapping the exposure early keeps your options open and your leverage intact, whether the answer is to fork, to negotiate, or to stay put with eyes open. We are independent and buyer side. We take no vendor fees and resell no software, so the recommendation reflects your risk and nothing else.