OpenSource Risk Experts
Map your blast radius

HASHICORP AND TERRAFORM

Terraform Modules and Provider Licensing

By OpenSource Risk Experts  ·  May 22, 2026

Terraform modules and provider licensing is the question many teams skipped when the headline broke that Terraform had relicensed. The license change applied to the Terraform engine, the CLI itself, when HashiCorp moved it to the Business Source License as of August 2023. But a Terraform deployment is not just the engine. It is the engine plus the providers that talk to your infrastructure and the modules that package your configuration. Each of those carries its own license, set by its own author, and they do not automatically follow the engine. This article separates the three layers so you know what actually changed.

We write from the buyer side, as an independent advisory paid only by the buyer. This is not legal advice. For interpretation of the Business Source License or any provider license, we point you to your own counsel. The aim is to stop a single headline from being read as a blanket change across everything you run.

Three layers, three separate license questions

A Terraform setup has three distinct layers, and the relicensing touched only one of them directly. The first layer is the engine, the Terraform CLI, which now carries the Business Source License. The second layer is the set of providers, the plugins that let Terraform manage a given platform, each a separate codebase with its own license. The third layer is your modules and configuration, the code you and others write to describe infrastructure. The mistake to avoid is collapsing these into one. The engine relicensing does not reach up into the providers or your modules by itself.

This layering is why two teams using Terraform can have very different license pictures. The engine change is the same for everyone, but the providers and modules they depend on vary, and so does the license posture of those pieces. The base mechanics of the engine change are set out in HashiCorp BSL what changed and what it means.

What stays open and what to verify

Providers are the layer most worth checking, because they are numerous and their licenses vary. Many official and community providers remain under permissive open licenses such as the Mozilla Public License or Apache 2.0, set by the provider author rather than the engine vendor. That said, you should confirm the license of each provider you depend on rather than assume it stayed open. A provider maintained by a single commercial vendor can carry its own relicensing risk, independent of the engine. The registry that distributes providers also has its own terms governing access and redistribution.

Your own modules are simpler. Modules you write are your work, under whatever license you choose, and the Business Source License on the engine does not reach into them. Third party modules you consume carry the license their authors set, which is usually permissive but should still be verified for anything load bearing. The practical task is an inventory of every provider and external module with its current license, the same discipline that surfaces engine exposure across teams in Terraform exposure in a multicloud estate.

ENGINE

The Terraform CLI moved to the Business Source License as of August 2023. This is the layer that changed.

PROVIDERS

Each carries its own license, often permissive. Verify rather than assume, and watch single vendor providers.

MODULES

Your own code under your own license. Third party modules carry the author's license, usually permissive.

How OpenTofu changes the picture

OpenTofu is the openly licensed fork of the Terraform engine, created in response to the relicensing and built to stay compatible with the same providers and modules. For teams whose only concern is the engine license, OpenTofu lets them keep most of their existing providers and modules while moving the engine back to an open license. OpenTofu maintains its own registry for providers and modules, and the compatibility with existing ones is strong, though it should be tested for your specific dependencies rather than taken on faith. The migration discipline is set out in migrating from Terraform to OpenTofu step by step.

The key insight is that moving the engine to OpenTofu addresses the layer that changed without forcing a wholesale rebuild of your providers and modules. Most continue to work. The exception is any provider that has its own restrictive license or registry terms, which deserves its own assessment regardless of which engine you run.

Mapping the full Terraform license picture

The right response is an inventory that captures all three layers. Record the engine license, the license of every provider you depend on, and the license of every external module, then flag any single vendor provider that could relicense the way the engine did. With that map, the engine decision and the provider decisions are separate and clear, rather than tangled into one anxious reaction to a headline. Whether your use of the engine is even competitive under the BSL is treated in is your Terraform use competitive under the BSL, and the obligations that attach in HashiCorp BSL compliance obligations.

The full HashiCorp landscape sits in the HashiCorp and Terraform pillar. When you want every engine, provider, and module license mapped and the single vendor risks flagged, our relicensing exposure review produces the layered map you can act on.

COMMON QUESTIONS

Questions buyers ask.

How does the BSL affect Terraform modules and providers?

The Business Source License applied to the Terraform CLI itself as of August 2023. Modules and providers each carry their own license, which is often a permissive open license set by the author, not automatically the BSL. The license of the engine and the license of the modules and providers you run on it are separate questions that must each be checked.

Are Terraform providers covered by the BSL?

Not automatically. Each provider is a separate codebase with its own license. Many official and community providers remain under permissive open licenses such as the Mozilla Public License or Apache 2.0. You should confirm the license of each provider you depend on rather than assume it follows the CLI.

Do my own Terraform modules become BSL licensed?

No. Modules you write are your own work under whatever license you choose. The BSL on the Terraform engine does not reach into the configuration and modules you author. Third party modules you consume carry the license their authors set, which you should verify.

Does OpenTofu change the module and provider picture?

OpenTofu is an openly licensed fork of Terraform that aims for compatibility with the same modules and providers. Most existing modules and providers continue to work, and OpenTofu maintains its own registry. The compatibility is strong but should be tested for your specific dependencies.

Is this legal advice?

No. We provide commercial and licensing risk advisory, not legal advice. For interpretation of the Business Source License and provider terms, we recommend your own counsel.

CONTAINMENT

Map every layer of your Terraform stack.

A confidential relicensing exposure review. Independent, buyer side, paid only by you.

Not ready to talk? Read the free open source license risk guides first.

Review your exposure