HashiCorp BSL and CI/CD pipelines.
License risk does not stop at the product you ship. HashiCorp BSL and CI/CD pipelines meet wherever a build calls Terraform, Vault, or Packer, and that is a place the Business Source License lives whether or not anyone mapped it there.
Published April 29, 2026. Commercial and licensing risk advisory, not legal advice.
HashiCorp BSL and CI/CD pipelines are an overlooked pairing, because most license reviews focus on the software an enterprise ships and skip the machinery that builds and deploys it. That machinery is exactly where HashiCorp tools tend to live. Terraform provisions the environments, Packer bakes the images, Vault manages the secrets, and all of them are invoked from pipelines that run hundreds of times a day. When HashiCorp moved these products to the Business Source License as of August 2023, the license moved into the pipeline with them. The exposure is easy to miss precisely because pipeline tooling feels like plumbing rather than product, but the license does not draw that distinction.
This article is part of the pillar on HashiCorp and Terraform license risk. For the change itself, see HashiCorp BSL: what changed and what it means.
Where the license lives in your pipelines
The Business Source License enters pipelines in several quiet ways. Build runners and container images often bundle a HashiCorp binary so that jobs can call it without installing it each time. Scripts download a specific Terraform or Packer version and invoke it as part of a deploy stage. Shared pipeline templates, copied from team to team, carry the dependency along with them, so a single template can spread a relicensed tool across an organization without anyone making a fresh decision. None of these appear in the product's own dependency manifest, which is why a review scoped to the shipped artifact misses them. To see HashiCorp BSL and CI/CD pipelines clearly, you have to inventory the build infrastructure itself, not just the thing it builds. The general principle that license risk hides in build tooling is set out in license risk in your CI/CD and build tooling.
Does pipeline use count as competitive use?
The next question is whether the way you use these tools in pipelines is the kind of use the Business Source License restricts. The license targets competitive production use, the offering of a product or service that competes with HashiCorp. For an enterprise that uses Terraform in pipelines to provision its own infrastructure, that is generally not competitive use, and the exposure is correspondingly low. The picture changes if the pipeline is itself part of a product you sell, or if you operate a platform for customers where HashiCorp tooling does the provisioning. In those cases the pipeline use sits closer to the line, and the analysis deserves real care. Whether your use is competitive is the central judgment, explored in is your Terraform use competitive under the BSL.
Because the answer can differ team by team, the exposure has to be assessed across the whole estate rather than judged once, as covered in assessing Terraform exposure across teams.
Keeping pipelines clean
Once you know where the tools live and how exposed your use is, the cleanup is methodical. Inventory every pipeline that calls a HashiCorp tool and record the version and license state of each. For pipelines where your use is clearly permitted, document the position and move on. For those near the competitive line, decide whether to pin a pre-change version that retains its prior license, migrate the provisioning step to an openly licensed fork such as OpenTofu, or negotiate a commercial license. The migration of a pipeline step is often straightforward because the tool is called in a contained way, which makes the pipeline a good early target for a fork. The step-by-step mechanics are in migrating from Terraform to OpenTofu step by step.
Finish by adding an intake control so the next relicensed tool is caught at the pipeline rather than in an audit. A check that flags the license state of any binary a pipeline pulls in turns HashiCorp BSL and CI/CD pipelines from a recurring surprise into a managed part of your governance. This article is commercial and licensing risk advisory, not legal advice. For interpretation of the Business Source License against your pipeline use, your own counsel is the right place to turn.
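A sketch of the inventory and intake control described above, as an added example that is not part of the original article. The function names scan and gate, the sample file names, and the per-tool version cutoffs in FIRST_BSL are assumptions made for illustration; confirm each cutoff against the LICENSE file shipped with the release.

```python
import re

# Assumed first BSL-licensed release of each tool (not stated on this page);
# confirm against the LICENSE file shipped with the release before relying on it.
FIRST_BSL = {"terraform": (1, 6, 0), "packer": (1, 10, 0), "vault": (1, 15, 0)}
TOOLS = "|".join(FIRST_BSL)

# Version pins: archive names (vault_1.14.0_linux_amd64.zip), image tags
# (hashicorp/terraform:1.5.7) and variables (PACKER_VERSION: "1.10.0").
PINNED = re.compile(
    rf"\b({TOOLS})(?:_version\s*[=:]\s*[\"']?|[_:])v?(\d+)\.(\d+)\.(\d+)", re.I)
# Image references with no numeric tag, e.g. hashicorp/terraform:latest.
FLOATING = re.compile(rf"\bhashicorp/({TOOLS})\b", re.I)


def scan(path, text):
    """Return (path, line_no, tool, version, state) for each tool reference."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        pins = PINNED.findall(line)
        for tool, *parts in pins:
            tool, ver = tool.lower(), tuple(map(int, parts))
            # Tuple comparison orders 1.10.0 after 1.9.4, unlike string comparison.
            state = "BSL" if ver >= FIRST_BSL[tool] else "pre-change"
            findings.append((path, no, tool, ".".join(parts), state))
        if not pins:  # no version on the line: the license state is unknown
            for tool in FLOATING.findall(line):
                findings.append((path, no, tool.lower(), None, "unpinned"))
    return findings


def gate(findings, allowed=("pre-change",)):
    """Intake control: return findings whose state is not on the allow list."""
    return [f for f in findings if f[4] not in allowed]


# Constructed pipeline files for illustration, not taken from a real repository.
SAMPLE = {
    ".gitlab-ci.yml": "deploy:\n  image: hashicorp/terraform:1.5.7\n"
                      "  script:\n    - terraform apply -auto-approve\n",
    "templates/bake.yml": 'variables:\n  PACKER_VERSION: "1.10.0"\nsteps:\n'
                          "  - curl -fsSLO https://releases.hashicorp.com/vault/"
                          "1.14.0/vault_1.14.0_linux_amd64.zip\n"
                          "  - docker run hashicorp/terraform:latest plan\n",
}

if __name__ == "__main__":
    inventory = [f for path, text in SAMPLE.items() for f in scan(path, text)]
    for finding in inventory:
        print(*finding)
    raise SystemExit(1 if gate(inventory) else 0)
```

A pipeline whose use has been documented as permitted can pass a wider allow list to gate, so the job fails only on states nobody has reviewed.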
COMMON QUESTIONS
Questions buyers ask.
How does the HashiCorp BSL affect CI/CD pipelines?
HashiCorp BSL and CI/CD pipelines intersect because pipelines often call Terraform, Vault, Packer, and other HashiCorp tools to build, test, and deploy. Those binaries carry the Business Source License from August 2023, so the pipeline is a place the license lives even when no one inventoried it there.
Where does the Business Source License hide in build tooling?
In the runners and images that bundle a HashiCorp binary, in scripts that download and invoke Terraform or Packer, and in shared pipeline templates copied across teams. These are easy to miss because they are infrastructure for the build rather than part of the shipped product.
Is using Terraform in a pipeline a competitive use?
Using Terraform in a pipeline to provision your own infrastructure is generally not competitive use. The exposure rises if the pipeline is part of a product or service you offer to others that competes with HashiCorp. Reading the Business Source License against your specific pipeline use is the way to know.
How do you keep pipelines clean after the BSL change?
Inventory every pipeline that calls a HashiCorp tool, confirm the version and license state, decide per pipeline whether to stay, pin an older version, or move to a fork such as OpenTofu, and add an intake control so a future relicense is caught at the pipeline rather than in an audit.
Is this legal advice?
No. This article is commercial and licensing risk advisory, not legal advice. For interpretation of the Business Source License against your pipeline use, we recommend your own counsel.