HashiCorp and Terraform licensing: the complete guide

What changed in HashiCorp and Terraform licensing

In August 2023, HashiCorp announced that its core products would move from the Mozilla Public License, a recognized open source license, to the Business Source License 1.1. The change covered Terraform, Vault, Consul, Nomad, Packer, Boundary, and Waypoint. From that point, new releases of those products carried the Business Source License rather than an open source license. This is the heart of the HashiCorp and Terraform licensing change, and it is important to be precise about it. The software did not become closed. Its source remained available to read. What changed is the legal grant attached to that source, and with it the set of things you are permitted to do.

The distinction that trips up most teams is the one between source available and open source. Under the Mozilla Public License, Terraform was open source as defined by the Open Source Initiative, meaning anyone could use, modify, and redistribute it, including for commercial purposes, with very few conditions. Under the Business Source License, the source is still published, but the license is not approved by the Open Source Initiative and it carries a use restriction. Source available describes software you can read and often run, but under terms that fall short of the open source definition. Treating the two as interchangeable is the single most common error we see in HashiCorp and Terraform licensing assessments.

How the Business Source License works

The Business Source License is a published license template with two defining features. The first is a use limitation. Each product ships with an additional use grant that permits most uses while carving out a specific restricted use. For the HashiCorp products, the restriction targets offering the software as part of a competing commercial product or service. The second feature is the change date. Every released version carries a date, commonly four years after its release, after which that version automatically converts to a more permissive open license. So the Business Source License is time limited by design. The version you run today becomes open at a known future date, while the newest releases remain under the restriction.

For a buyer, three things follow. You need to know which versions you run, because the change date is per version. You need to read the additional use grant published with your version, because that grant defines the restricted use precisely and the exact wording can shift between versions. And you need to understand that staying on an older version to reach its change date sooner is a real option, though one with security and support tradeoffs. None of this is exotic, but it requires reading the specific grant rather than relying on a general summary. For a plain definition of the surrounding terms, see our glossary entry on the source available license.

Who is affected and who is not

The practical reach of the HashiCorp and Terraform licensing change is narrower than the alarm around it suggested, but not zero. For the large majority of organizations that use Terraform to provision and manage their own infrastructure, internal production use is generally permitted. You are not offering a competing product, so the use limitation does not bite. That said, the wording governs, your use case may be unusual, and only your own counsel can confirm your exact position.

The sharper exposure sits with a smaller group. Vendors that wrap, host, or resell the HashiCorp products as part of their own offering are the clearest case. Managed service providers, platform companies, and consultancies that embed these tools in a product they sell need to look carefully at the additional use grant. So do organizations whose internal platform has effectively become a product offered to other business units or partners, where the line between internal use and a competing service can blur. Mergers and acquisitions add another wrinkle: a target's use of these tools can carry exposure that a buyer inherits. For a detailed treatment of the boundary, read our article on when you must license HashiCorp commercially.

OpenTofu and the migration question

Within weeks of the license change, the community responded with a fork. OpenTofu is a fork of Terraform maintained under an open license, governed through the Linux Foundation. It exists so that teams that want to remain on an open source license can do so while keeping their existing Terraform configurations largely intact. For many buyers, OpenTofu reframes the whole question. The choice is no longer pay the vendor or accept the restriction. There is a third path that returns you to an open license.

Migration is not free, and it should not be treated as automatic. Compatibility is strong but not perfect, provider and module ecosystems evolve separately over time, and your tooling, pipelines, and internal expertise are built around the original product. The right way to weigh OpenTofu is as one costed option among several, measured on engineering effort, license posture, and long term maintenance, rather than as a reflex. We walk through that weighting in our piece on Terraform BSL exposure and assessing your risk.

The IBM acquisition and what it means

After the license change, IBM acquired HashiCorp. For buyers, the key point is that the acquisition does not by itself reverse the move to the Business Source License. A change of ownership can shift roadmap, pricing posture, and support over time, but the governing license remains what is published with each version. The prudent stance is to treat the Business Source License terms as the operating reality and to base decisions on the written grant, not on expectations about what a new owner might do. If a vendor offers a different commitment, it should be in writing and reviewed by your own counsel before you rely on it. This is also a moment where enterprise pricing conversations tend to open, which we cover in HashiCorp enterprise license negotiation.

How to size your exposure

Sizing exposure under the HashiCorp and Terraform licensing change is a mapping exercise before it is a legal one. Start by finding every place the affected products run, including the ones nobody remembers: the build pipeline that calls Terraform, the base image with Vault baked in, the platform team's internal service, the acquired subsidiary's stack. A relicensed component is rarely a leaf in the tree. It is wired into many systems, and the exposure follows that wiring. Until you can see the full footprint, any estimate of risk is a guess.

With the footprint in hand, you can classify each use against the additional use grant, separate the clearly permitted from the genuinely uncertain, and size the cost of each path for the uncertain cases. That is the work of a relicensing exposure review, and it produces something a board and a vendor both respect: a defensible picture of what you run, under which terms, and since when. Our relicensing exposure review is built for exactly this, and the broader method sits within the discipline of relicensing exposure across vendors.

Your options: fork, pay, or remove

Once the exposure is mapped, the response usually reduces to three paths, often in combination. The first is to fork, most commonly by moving to OpenTofu, which returns you to an open license at the cost of a migration. The second is to pay, by negotiating a commercial license with the vendor, which is the right answer when your use sits inside the restriction and migration is impractical. The third is to remove, by re architecting away from the dependency, which is the heaviest path and rarely worth it unless the component was already due for replacement. A sound plan often blends these: fork the easy estates, negotiate for the hard ones, and remove only where it pays for itself.

Whichever path you take, do it from a position of measured leverage rather than under deadline pressure. A vendor quote anchored to a list price is a ceiling, not a floor, and a credible fork option is the strongest argument you can bring to the table. The aim is a decision you can defend on cost, license posture, and timeline, not the fastest way to make the question go away.

Read deeper in this cluster

This guide is the hub for our HashiCorp and Terraform coverage. To go deeper on specific decisions, continue with the articles below.

For related license families, see our pillars on the Redis and Elastic database license changes and the cross vendor pattern of relicensing exposure. To see the analysis applied, read how a manufacturer quantified its exposure before a deal in our case studies.

MORE IN THIS CLUSTER

Explore more from this guide.