OpenSource Risk Experts

ARTICLE . UPDATED JUNE 2026

Terraform BSL Exposure: Assessing Your Risk

Terraform BSL exposure is narrower than the headlines imply. As of August 2023, HashiCorp moved Terraform to the Business Source License 1.1, which permits broad use and restricts only production use that competes with HashiCorp. For most enterprises managing their own infrastructure the exposure is low. It concentrates where Terraform is embedded in a product or offered as a service. This article gives you a clear method to assess your own risk.

The license change prompted a wave of worry, much of it broader than the facts justify. The Business Source License is permissive in most respects and narrow in its single restriction, so the work of assessing Terraform BSL exposure is largely the work of separating the small set of uses that carry real risk from the large set that do not. Done well, the assessment prevents both complacency and an expensive migration no one needed. The general mechanics of the change sit on the HashiCorp and Terraform pillar, and this article turns those mechanics into a practical risk method.

What Terraform BSL exposure actually means

Terraform BSL exposure is the risk that your specific use falls inside the competitive restriction of the Business Source License. The license grants broad rights to use, copy, modify, and run Terraform, then carves out production use that competes with HashiCorp's commercial offerings. After a delay, commonly four years, each version converts to an open license. Source available is not open source, and the Business Source License is not approved by the Open Source Initiative, but neither point widens the restriction. Exposure is therefore not a function of whether Terraform is in your stack. It is a function of whether what you do with it competes with what HashiCorp sells.

Why most internal use carries little exposure

An enterprise that uses Terraform to provision and manage its own infrastructure is doing exactly what the license was written to permit. Running pipelines, managing state, and deploying your own systems are internal uses, not competing offerings. For the large majority of Terraform users, this is the whole assessment, and the right response to the change is to confirm that posture and move on. Treating all use as exposed produces a migration program with real cost and disruption and no risk reduction to show for it. Whether your Terraform use crosses into the competitive zone is examined directly in "Is your Terraform use competitive under the BSL".

Where Terraform BSL exposure concentrates

The real exposure sits in a smaller set of patterns where Terraform functionality is offered to others. A software vendor that embeds Terraform inside a product it sells, a platform that offers Terraform capability to its customers as a managed service, and a service that wraps Terraform and resells the result are the patterns most likely to fall inside the competitive carve-out. Multicloud estates and managed service providers face this most directly because their business often involves operating infrastructure tooling on behalf of others. The vendor and provider angles are covered in "HashiCorp BSL for software vendors and ISVs" and "HashiCorp BSL and managed service providers".

Version timing and the upgrade trap

Timing matters as much as use. Terraform releases published before August 2023 generally remain under their prior open source license, so versions you already run from before the change keep those terms. The Business Source License attaches to releases from the change forward. The practical consequence is that exposure often arrives not on the announcement date but later, when a team upgrades to a post-change version without noticing the license moved. An honest assessment pins the version of every Terraform deployment and flags the ones that have crossed into the new terms, so an upgrade is a deliberate decision rather than an accident.

A method to assess your own risk

The assessment has four steps. First, inventory every Terraform deployment and pin its exact version, marking which predate the change. Second, classify each use as internal infrastructure, embedded in a product you ship, or offered to others as a service. Third, test the offered patterns against the competitive restriction and flag the ambiguous ones for your counsel. Fourth, for any exposed pattern, size the cost to cure across the options, including migrating to the OpenTofu fork, which continues Terraform under open terms. The fork path is examined in "The OpenTofu and Valkey fork story". A relicensing exposure review runs this method end to end and produces a ranked, board-ready picture.
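The version-timing check and steps one to three of the method can be run over an inventory, as in this added example (not code from this article or from HashiCorp). It assumes the running version comes from `terraform version` and the constraint from each configuration's `required_version`; the 1.6.0 cutover, the record fields, the finding labels and the sample inventory are assumptions of the example.

```python
import re

# Assumption (not stated in the article): 1.6.0 is the first Terraform release
# under BSL 1.1. Confirm against the LICENSE file shipped with each release.
BSL_CUTOVER = (1, 6, 0)

def parse(v):
    """'1.5.7' -> (1, 5, 7); missing parts become 0, pre-release tag dropped."""
    nums = [int(n) for n in v.split("-")[0].lstrip("v").split(".")][:3]
    return tuple(nums + [0] * (3 - len(nums)))

def allows_post_change(constraint):
    """True if a required_version string has no upper bound below the cutover."""
    bounds = []  # exclusive upper bounds implied by each comma-separated term
    for term in constraint.split(","):
        m = re.match(r"\s*(~>|<=|>=|!=|=|<|>)?\s*v?(\d+(?:\.\d+){0,2})", term)
        if not m: continue
        op, ver = m.group(1) or "=", m.group(2)
        v = parse(ver)
        if op == "<":
            bounds.append(v)
        elif op in ("<=", "="):
            bounds.append(v[:2] + (v[2] + 1,))
        elif op == "~>" and "." in ver:
            # ~> 1.5.2 allows < 1.6.0; ~> 1.5 allows < 2.0.0
            bounds.append((v[0], v[1] + 1, 0) if ver.count(".") == 2 else (v[0] + 1, 0, 0))
    return not bounds or min(bounds) > BSL_CUTOVER

def triage(dep):
    """Steps one to three of the method for one inventory record."""
    post_change = parse(dep["version"]) >= BSL_CUTOVER
    if post_change and dep["use"] in ("embedded", "service"):
        return "BSL terms, offered to others: review with counsel"
    if post_change:
        return "BSL terms, internal use: confirm and record"
    if allows_post_change(dep["constraint"]):
        return "pre-change terms, upgrade trap: constraint admits BSL releases"
    return "pre-change terms, pinned below cutover"

# Constructed inventory; names, versions and constraints are illustrative.
INVENTORY = [
    {"name": "core-network", "version": "1.5.7", "constraint": "~> 1.5.0", "use": "internal"},
    {"name": "data-platform", "version": "1.4.6", "constraint": ">= 1.3", "use": "internal"},
    {"name": "ci-runners", "version": "1.8.2", "constraint": "~> 1.8", "use": "internal"},
    {"name": "customer-provisioner", "version": "1.7.1", "constraint": ">= 1.6, < 2.0", "use": "service"},
]

def report(inventory=INVENTORY):
    return {d["name"]: triage(d) for d in inventory}
```

The "upgrade trap" finding is the case the article warns about: the running version predates the change, but nothing in the constraint stops the next `terraform init` on a newer binary from crossing the cutover.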

We are independent and buyer side. We take no vendor fees and resell no software, so our read of your Terraform BSL exposure reflects your risk and nothing else, including when the honest finding is that your use is permitted and needs no change. This is commercial and licensing risk advisory, not legal advice. For interpretation of the Business Source License and your Terraform compliance position, engage your own counsel.

COMMON QUESTIONS

Questions buyers ask.

What is Terraform BSL exposure?

Terraform BSL exposure is the risk created when your use of Terraform falls inside the competitive restriction of the Business Source License. As of August 2023, HashiCorp moved Terraform to the Business Source License 1.1, which permits broad use but restricts production use that competes with HashiCorp. For most internal infrastructure work the exposure is low, and it concentrates where Terraform is embedded in a product or offered as a service.

Does running Terraform internally create exposure?

For most enterprises that use Terraform to manage their own infrastructure, internal use does not create meaningful exposure. The Business Source License competitive restriction targets offerings that compete with HashiCorp, not internal provisioning and state management. The honest finding for most internal users is that their use is permitted and needs no change.

Which Terraform uses carry the most BSL exposure?

Exposure concentrates where Terraform functionality is offered to others. A product that embeds Terraform, a platform that resells Terraform capability as a managed service, or a service that wraps Terraform for customers are the patterns most likely to fall inside the competitive restriction. The test is what you offer to external parties, not that Terraform is in your stack.

Do versions before August 2023 carry the new terms?

Terraform releases published before the change generally remain under their prior open source license, so versions you already run from before August 2023 keep those terms. The Business Source License attaches to releases from the change forward, so exposure typically appears when you upgrade to a post-change version rather than on the announcement date.

How do we assess our Terraform BSL exposure?

Identify which Terraform versions you run and whether they predate the change, classify each use as internal infrastructure, embedded in a product, or offered as a service, and test the offered patterns against the competitive restriction. Size the cost to cure, including the OpenTofu fork, and flag ambiguous cases for your counsel. A relicensing exposure review produces this analysis.

Is this legal advice?

No. This is commercial and licensing risk advisory, not legal advice. For interpretation of the Business Source License and your Terraform compliance position, engage your own counsel.
