OpenSource Risk Experts
Map your blast radius

WHITE PAPER

The HashiCorp and Terraform exposure guide

The HashiCorp Terraform exposure guide is a buyer side white paper on the 2023 move to the Business Source License. It explains what the license restricts, where the real exposure sits, what the OpenTofu fork changes, and a clear method for sizing and containing your risk. Written for the leaders who carry it, the position reflects June 2026.

Jump to the download

What the guide gives you

When HashiCorp moved Terraform, Vault, Consul, Nomad, and Packer to the Business Source License 1.1 as of August 2023, most enterprises had no map of where those products ran or what the change meant for them. This guide closes that gap. It translates the legal shift into operational terms, separates the uses that are generally permitted from the ones that need attention, and lays out the fork, pay, or remove decision in language a board can act on. Source available is not the same as open source, and the guide is precise about that line.

Table of contents

  1. The 2023 license change, in plain terms
  2. How the Business Source License grant and change date work
  3. Who is affected: internal use versus competitive use
  4. The OpenTofu fork and the migration calculus
  5. A method for mapping your exposure across the estate
  6. Fork, pay, or remove: choosing a defensible path

Key takeaways

  • The HashiCorp Terraform exposure guide treats the Business Source License as a use limitation plus a change date, not a move to closed source.
  • For most teams managing their own infrastructure, internal production use is generally permitted, but the wording governs and your counsel should confirm it.
  • The sharpest exposure sits with vendors and platforms that offer the products to third parties, and with mergers and acquisitions that inherit the use.
  • OpenTofu reframes the decision by offering a return to an open license, at the cost of a migration that should be weighed, not assumed.
  • You cannot price the risk until you map the full footprint, including pipelines, base images, and acquired stacks.
  • A credible fork option is the strongest leverage you can bring to any commercial license negotiation.

GET THE GUIDE

Read the full HashiCorp Terraform exposure guide

Enter your name and work email. The guide opens immediately. We accept corporate email only.

Confidential. We are independent and buyer side. Your details are used to confirm a qualified reader and are not shared.

For the full background, read our pillar on HashiCorp and Terraform licensing. When you are ready to size your own footprint, our relicensing exposure review maps it from the buyer side.

COMMON QUESTIONS

Questions buyers ask.

What does the HashiCorp Terraform exposure guide cover?

The HashiCorp Terraform exposure guide explains the 2023 move to the Business Source License, what the additional use grant restricts, the role of the OpenTofu fork, and a method for sizing and containing your exposure from the buyer side.

Who should read this white paper?

It is written for the CISO, general counsel, procurement, and engineering leaders who carry the risk of running HashiCorp products such as Terraform, Vault, and Consul in production after the license change.

Why does the guide ask for a work email?

The guide asks for a full name and a work email so we can confirm the reader is a qualified buyer. Free and personal email domains are not accepted. Once you submit a valid work email, the paper opens immediately.

Is the guide legal advice?

No. The guide provides commercial and licensing risk analysis, not legal advice. For interpretation of the Business Source License terms, consult your own counsel.