Vivian Voss

The Terms You Did Not Sign

licensing law devops architecture

In the Net ⊣ Episode 06

On 10 August 2023, HashiCorp announced that all future releases of Terraform, Vault, Consul, Nomad, Packer, Boundary, Waypoint and Vagrant would move from the Mozilla Public License v2.0 to the Business Source License v1.1. There was no consultation with users; there was no extended discussion period; the announcement was a press release. Forty-one days later, on 20 September 2023, the Linux Foundation accepted OpenTofu, a community fork of Terraform held under MPL 2.0, with founding sponsorship from Spacelift, Harness, Gruntwork, env0 and Scalr. By January 2024, OpenTofu 1.6 had shipped as a drop-in replacement. On 24 April 2024, IBM announced its intent to acquire HashiCorp for $6.4 billion. The acquisition closed on 27 February 2025, after the U.K. Competition and Markets Authority granted clearance.

The Terraform file in your repository, written before any of this, is on a different licence today than it was on the day you wrote it. That sentence, plainly read, is what this episode is about.

Figure: From MPL to BSL to IBM
Jul 2014: Terraform 0.1, MPL 2.0
10 Aug 2023: BSL 1.1 press release
25 Aug 2023: OpenTF manifesto, 15 days later
20 Sep 2023: LF accepts OpenTofu
Apr 2024: IBM announces, $6.4 billion
Feb 2025: IBM closes; licensor: IBM
Nine years on the original licence. The change came in three taps of a keyboard.

The Promise

HashiCorp made infrastructure boring, in the best sense. Before Terraform, the path from "I want an EC2 instance" to "an EC2 instance exists" went through AWS CloudFormation YAML (proprietary, AWS-only), Chef recipes (Ruby, mutable), Ansible playbooks (push-based imperative), or a shell script and a prayer. Each had merits; none generalised. Terraform's hcl let you describe an EC2 instance, a Postgres database, an S3 bucket, an IAM policy, a Route 53 record and the dependencies that bound them, then plan the difference between your intent and the cloud's reality, then apply that difference atomically, then store the resulting state file for the next plan to read.

For nine years (Terraform 0.1 shipped in July 2014), the source code was Mozilla Public License v2.0. MPL 2.0 is a copyleft licence in the file-level sense: modifications to MPL-licensed files must be released under MPL, but those files may be combined with code under other licences (including proprietary code) at the file boundary. For the practical purpose of building a business around Terraform, it was permissive enough that a CI provider could host runs, a consultancy could automate it, a wrapper could extend it, all without a negotiation with HashiCorp.

That permissiveness produced the ecosystem. Spacelift, env0, Scalr, Terramate, Atlantis, Atmos, Terragrunt and a long tail of internal tooling at every serious cloud-using organisation grew up around the assumption that Terraform's binary, source, and provider ecosystem were a stable commons. The de facto IaC standard had Open Source mechanics behind it.

The Hooks

The Business Source License 1.1 is not Open Source by the Open Source Initiative's definition. It is "source available", which is to say that you can read the source and use the code for purposes the licensor permits, but you cannot meet the OSI's freedoms-2 and -6: freedom to use for any purpose, freedom to redistribute modified versions for any purpose. The BSL contains what its drafters call an "Additional Use Grant", a paragraph in which the licensor names the things you may not do; the canonical example, used by MariaDB and Sentry before HashiCorp, is "you may not offer a commercial product that competes with us".

HashiCorp's Additional Use Grant forbids "production use that competes with HashiCorp's commercial offering". What constitutes "competition with" is, on the face of the licence text, ambiguous, and that ambiguity is the design point.

Figure: "Production Use That Competes With Us"
Permitted (end-user on own infra): tofu apply your stack; CI runner on your VMs; internal platform; in-house wrapper. The licence text agrees here.
The grey zone (ambiguous by design): consultancy billing; CI provider hosting; wrapper as a service; managed module registry. Your lawyer's call, not the docs'.
Forbidden (competes with HashiCorp): managed Terraform SaaS; commercial Terraform fork; Vault-clone product; Consul-clone product. The design target of the change.

HashiCorp has, in its public guidance, said that "end users running Terraform on their own infrastructure" remain permitted. But end users have lawyers, and lawyers read the licence text, and the licence text is not what the public guidance says it is.

Three further mechanics of the BSL change matter to the user.

Every binary built from official HashiCorp source after 10 August 2023 falls under BSL until exactly four years after that version's release, when the licence on that version (and only that version) converts to MPL 2.0. Terraform 1.5.7, the last MPL release, will remain MPL 2.0 forever; Terraform 1.6.0 and onwards is BSL for four years from each individual release date.

Forking BSL code as Open Source is forbidden by the BSL itself; forking it as proprietary, source-available or BSL code is permitted. The OpenTofu fork was made from Terraform 1.5.7 (the last MPL version) precisely because the MPL-licensed code was the only fork-target the team could legally relicense.

HashiCorp's APIs, SDKs, libraries and provider plugins (the things that talk to AWS, Azure, GCP on your behalf) remain MPL 2.0.

Figure: The Four-Year Clock, Per Release
Terraform 1.5.7 (Aug 2023): MPL 2.0, forever
Terraform 1.6.0 (Oct 2023): BSL 1.1, reverts to MPL 2.0 in October 2027
Terraform 1.9.0 (Jul 2024): BSL 1.1, reverts in July 2028

The Hook, summarised: your existing Terraform code is fine. Your next upgrade is on different legal terms than your last upgrade.

The Standing

OpenTofu was forked very quickly. On 25 August 2023, fifteen days after the BSL announcement, a manifesto signed by initial supporters proposed OpenTF as a Linux Foundation project. On 20 September 2023, the Linux Foundation formally accepted the project, which had by then been renamed OpenTofu. The founding sponsors were Spacelift, Harness, Gruntwork, env0 and Scalr, with subsequent endorsements from Digger, Terrateam, Massdriver, Terramate and others. All of these are vendors whose business model HashiCorp's BSL Additional Use Grant ambiguously threatens.

By January 2024 OpenTofu shipped 1.6, the first stable release, fully compatible with Terraform 1.5.x including module syntax, provider ecosystem and state file format. The tool's vocabulary changed (terraform becomes tofu at the command line), the lockfile differs slightly, and OpenTofu added features Terraform did not have, including OCI registry support for modules and providers. The state file written by either binary remains compatible with the other; a terraform apply followed by a tofu apply on the same state file is, today, a working migration path.

GitHub stars are an imperfect measure of community adoption, but they are visible: OpenTofu crossed 20,000 stars within months of its 1.6 release and continued to climb. Major cloud providers, vendors and large internal platforms migrated. The community voted with its mirror.

Six months later, on 24 April 2024, IBM announced its intent to acquire HashiCorp for $6.4 billion (approximately $35 per share in cash). The acquisition was delayed by regulatory review at the U.S. Federal Trade Commission and the U.K. Competition and Markets Authority, longer than IBM's original "by the end of 2024" guidance suggested. The CMA cleared the deal in late February 2025; the acquisition closed on 27 February 2025. As of that date, the licence on every Terraform release after 10 August 2023 belongs, contractually, to IBM.

The Exit That Isn't

The Business Source License is reversible at the licensor's discretion only. HashiCorp could, in principle, restore MPL 2.0 to its products tomorrow. IBM, the licensor now, could do the same. Either could also extend the four-year BSL period, modify the Additional Use Grant, or replace BSL with a more restrictive licence altogether at future releases. The Terraform file you wrote in 2014 was on a contract you understood; the Terraform file you write today is on a contract that IBM holds and may, with notice, change.

This is Lock-in by Retroactive Adoption. The hooks were not laid when you adopted the tool. The hooks were retrofitted onto the version-stream of the tool you had already adopted, and the retrofit happened because a press release said so, not because you renegotiated. The only practical defences are forks (OpenTofu, OpenBao) and migrations away (Pulumi, Crossplane), and both of those are work you did not budget for when you adopted the original tool.

The Six Genera

The pattern of this episode is the sixth distinct shape of Lock-in this series has named.

Figure: Six Distinct Lock-In Genera
Ep 01, Adobe: your file format becomes the subscription
Ep 02, LinkedIn: your reach belongs to the platform
Ep 03, AWS: identity, egress and architecture by gravity
Ep 04, VMware: perpetual licence absorbed in an acquisition
Ep 05, Oracle: per-employee Java audit, regardless of use
Ep 06, HashiCorp / IBM: retroactive licence change on the source you adopted
None of these are pricing rises. Each is a different shape of the same problem.

The Price

HashiCorp's commercial pricing is not the headline cost. Terraform Cloud SaaS prices per applied resource, per concurrent run and per workspace; the Free tier covers small teams; the Standard, Plus and Enterprise tiers add Sentinel policy enforcement, SSO, audit logging and run pipelines. For a hundred-engineer organisation managing a few thousand resources, the annual bill comfortably reaches six figures. Terraform Enterprise (the self-hosted variant) starts at five-figure annual commitments. Vault Enterprise prices per client (per authenticated identity per month). At the upper end of large estates, the HashiCorp annual spend can reach seven figures.

The pricing was the same pricing before the BSL change as after. The BSL change was not a pricing increase; it was a redefinition of the legal terms on which the free version was available, which has the effect of pushing organisations who built on the free version, at scale, toward either the commercial version or toward a migration. The licence is the leverage; the pricing is the price of staying.

The Escape Route

The migration off HashiCorp's licensed stack is, today, a more concrete proposition than the migration off VMware (Episode 04) or Oracle Java SE (Episode 05), because the community produced a complete replacement.

Figure: Four Concrete Escape Routes
OpenTofu (Linux Foundation, MPL 2.0): drop-in for terraform; state files forward-compatible; hcl identical, providers reusable
OpenBao (Linux Foundation, MPL 2.0): forked at Vault 1.14.x; GA December 2024; drop-in for most Vault workloads
Pulumi (Apache 2.0): IaC in Python / Go / TS / C#; a real port, not a swap; real programming language
Crossplane (Apache 2.0): Kubernetes-native composition; cloud resources as CRDs; infrastructure-as-controller

For Terraform: OpenTofu (Linux Foundation, MPL 2.0). Replaces the terraform binary with tofu. State files are forward and backward compatible with Terraform 1.5.x. The hcl syntax is identical. Provider plugins are reusable. The migration, for the existing .tf code in your repository, is a tooling swap rather than a rewrite. For a sufficiently complex enterprise estate, the migration is a several-week project to audit the differences and exercise the new binary in CI; for a small estate, it is an afternoon.
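A pre-flight check for the binary swap described above, as an added example that is not from the article or from the OpenTofu or Terraform projects: it reads a state file, reports which binary version last wrote it and which provider addresses it references, and records a SHA-256 so a backup can be verified before and after the first tofu run. The sample state is constructed, and the check assumes the state was last written by a terraform binary.

```python
import hashlib
import json
import re

# Constructed sample state file (format version 4); all values are illustrative.
SAMPLE_STATE = json.dumps({
    "version": 4, "terraform_version": "1.5.7", "serial": 12,
    "lineage": "00000000-0000-0000-0000-000000000000",
    "resources": [
        {"mode": "managed", "type": "aws_s3_bucket", "name": "logs",
         "provider": 'provider["registry.terraform.io/hashicorp/aws"]'},
        {"mode": "managed", "type": "random_id", "name": "suffix",
         "provider": 'provider["registry.terraform.io/hashicorp/random"]'},
    ],
})

def preflight(state_text):
    """Summarise what a replacement binary will be asked to read."""
    state = json.loads(state_text)
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", state["terraform_version"])
    if not m:
        raise ValueError("unrecognised terraform_version")
    writer = tuple(int(p) for p in m.groups())
    # Strip the provider["..."] wrapper to get the registry source address.
    providers = sorted({re.sub(r'^provider\["(.*)"\]$', r"\1", r["provider"])
                        for r in state.get("resources", [])})
    return {
        "writer": writer,
        # The article states compatibility with Terraform 1.5.x; a state
        # written by anything newer should be exercised in CI before the swap.
        "within_1_5_line": writer[:2] <= (1, 5),
        "serial": state["serial"],
        "lineage": state["lineage"],
        "providers": providers,
        "sha256": hashlib.sha256(state_text.encode("utf-8")).hexdigest(),
    }

def backup_matches(manifest, backup_text):
    """True only if the backup is byte-identical to the recorded state."""
    digest = hashlib.sha256(backup_text.encode("utf-8")).hexdigest()
    return digest == manifest["sha256"]
```

State files routinely contain secrets in plain text, so the backup and its manifest belong in storage with the same access controls as the live state.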

For Vault: OpenBao (Linux Foundation, MPL 2.0). Forked at Vault 1.14.x in late 2023; GA release December 2024. Drop-in for most Vault workloads; some enterprise features (HSM integration, MFA, namespaces in the OSS sense) require additional development or paid alternatives.

For Consul: pinned-version OSS or migration to alternatives. Service mesh capability has largely shifted to Istio and Linkerd; KV-store needs map onto etcd or Consul OSS pinned to a pre-BSL version.

Beyond the BSL stack:

Pulumi (Apache 2.0): IaC in Python, Go, TypeScript, C#. Different programming model; a real port rather than a swap. Mature; appropriate when the team prefers a real programming language over hcl.

Crossplane (Apache 2.0): Kubernetes-native composition. Defines cloud resources as Kubernetes Custom Resources, reconciled by controllers. Appropriate when the team already runs Kubernetes and wants infrastructure-as-controller rather than infrastructure-as-code.

Practical hygiene for new code from today onwards: avoid Terraform Cloud private registries and sensitive-variable storage; those are extraction points. Pin provider versions explicitly; do not float. Keep CI runners self-hosted where possible. Maintain state file backups that any compatible binary can read.
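One way to enforce "pin provider versions explicitly; do not float" in CI, as an added example that is not from the article or from HashiCorp or OpenTofu: it audits a required_providers block and flags every provider whose constraint is missing or is anything other than one exact version. The sample configuration is constructed, and the regex-based parsing is an approximation of HCL that reads only the first required_providers block and ignores braces inside strings or comments.

```python
import re

# Constructed sample configuration (not taken from the article).
SAMPLE_TF = '''
terraform {
  required_providers {
    aws    = { source = "hashicorp/aws", version = "5.31.0" }
    random = { source = "hashicorp/random", version = "~> 3.5" }
    tls    = { source = "hashicorp/tls" }
    google = {
      source  = "hashicorp/google"
      version = ">= 4.0, < 6.0"
    }
  }
}
'''

ENTRY = re.compile(r'(\w[\w-]*)\s*=\s*\{([^{}]*)\}')        # name = { ... }
VERSION = re.compile(r'\bversion\s*=\s*"([^"]*)"')           # version = "..."
EXACT = re.compile(r'^=?\s*\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$')  # one exact release

def required_providers_body(text):
    """Return the text inside the first required_providers { ... } block."""
    m = re.search(r'required_providers\s*\{', text)
    if not m:
        return ""
    depth, start, i = 1, m.end(), m.end()
    while i < len(text) and depth:
        depth += {'{': 1, '}': -1}.get(text[i], 0)
        i += 1
    return text[start:i - 1]

def audit_provider_pins(text):
    """Map each provider's local name to 'pinned' or a 'floating: ...' finding."""
    findings = {}
    for name, body in ENTRY.findall(required_providers_body(text)):
        v = VERSION.search(body)
        if v is None:
            findings[name] = "floating: no version constraint"
        elif EXACT.match(v.group(1).strip()):
            findings[name] = "pinned"
        else:
            # Ranges and pessimistic operators let the next init pick new code.
            findings[name] = f"floating: {v.group(1)}"
    return findings
```

A CI job can fail the build when any value returned by audit_provider_pins is not "pinned".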

Coda

The pattern of this episode is the sixth distinct shape of Lock-in this series has named. Adobe took your file format. LinkedIn took your reach. AWS took your identity and your egress. VMware took your perpetual licence in an acquisition you were not party to. Oracle took your Java users and billed your entire workforce. HashiCorp, now IBM, took the licence on the source of the tool you had already adopted, four years deep into your platform, and changed it under your feet. There is no shock; there is no audit; there is no per-employee invoice. There is a press release, a four-year BSL clock, and a Terraform file in your repository whose terms today are not its terms when you wrote it.

You wrote infrastructure as code so the next engineer could read it. You did not promise the next licence-holder would let them.