HashiCorp BSL compliance obligations.

Compliance under the HashiCorp Business Source License is narrower than it first appears and easier to get wrong than it should be. Most enterprises are not building a competing product, so most uses are fine. The risk lives in the edge cases and in the failure to document the ordinary ones. A clear obligation, well evidenced, is what separates a calm response to a vendor question from an anxious one.

What the HashiCorp BSL compliance obligations actually are

As of August 2023, HashiCorp moved Terraform, Vault, Consul, Nomad, and Packer to the Business Source License 1.1. Under the BSL you may read, copy, modify, and use the software in production, with one carve out: you may not use it to offer a product or service that competes with HashiCorp, except as the additional use grant permits. The compliance obligation is therefore to stay inside that grant. It is not a reporting duty or a fee in the ordinary case. It is a boundary on a class of use. Meeting it means three things: knowing which version you run, confirming your use falls inside the grant, and keeping evidence of both. The Business Source License is source available, not open source, and is not approved by the Open Source Initiative.

Where the competitive use line falls

The additional use grant is where the rule lives, and it is broad in your favor. HashiCorp's grant permits production use except where you provide a competing offering. For most enterprises, running Terraform to manage their own infrastructure, or Vault to manage their own secrets, sits well inside the grant. The line is approached when the software becomes part of something you sell that competes with HashiCorp, for example a managed service that offers the same capability to your customers. Because the boundary turns on what your offering is and does, two companies can read the same grant and reach opposite conclusions. Where your use sits relative to that line is a question for your own counsel, and it deserves a deliberate answer rather than an assumption.

Why your installed version decides which terms apply

The BSL applies to releases published under it. Releases published before the August 2023 change keep their original open license. So your obligation depends on the version you run. A team pinned to a pre change release carries the old, unrestricted terms for that version. A team that upgraded to a BSL release carries the BSL obligations. The trap is the routine upgrade that crosses the boundary without anyone framing it as a licensing decision. This is why version tracking is the first compliance control, not an afterthought. You cannot state your obligation until you know your version.

The compliance record that keeps you defensible

A defensible record has four parts for each HashiCorp tool you run: the version in use, the license that version carries, how you use the tool, and the reason that use sits inside the additional use grant. Keep it current as teams upgrade, because the record is only as good as its last update. When a vendor reaches out, this record lets you answer with evidence rather than reconstruct your estate under pressure. It also surfaces the genuine edge cases early, while you still have the option to migrate to OpenTofu, remove the dependency, or negotiate a commercial license on your terms. The record is cheap to keep and expensive to lack.

Options when your use sits near the line

If a product team has built a HashiCorp tool into an offering that edges toward competitive use, you have choices. You can re architect so the tool is not the competitive surface. You can move to OpenTofu or another alternative where one is mature enough. You can stay on a pre change release under the old license, accepting older code. Or you can negotiate a commercial license sized to your actual usage. The point of the compliance record is that it lets you spot the near the line cases early and choose deliberately, rather than discovering them when a vendor does.

From obligation to a contained position

Documenting your BSL obligations is part of our relicensing exposure review. For the full picture, read our pillar on the HashiCorp and Terraform license change. To extend the view across the suite, read Consul, Nomad and Packer under the BSL, and for a complex estate, read Terraform exposure in a multicloud estate. For the license mechanics, read the Business Source License explained.