About Terraform Licensing

October 03, 2023

We all know Terraform, the tool that today, as in past years, is practically synonymous with infrastructure as code. It allows you to control the ever-growing use of the cloud and has almost 40K stars and 9k+ forks on GitHub. Terraform’s importance in the progression of the cloud as we see it today is unquestionable.

As Terraform is to infrastructure as code, Git is to source control. Almost every company today uses Terraform (or a Terraform-based tool) to manage, maintain, and upgrade its cloud infrastructure. If Terraform is not used, one of the first things needed for a stable environment is to implement the infrastructure configuration into code and deploy it as such.

The effect of HashiCorp’s announcement in August 2023 was in proportion to Terraform’s importance and universality. In their controversial announcement, HashiCorp declared that they are changing the licensing on all their products, including Terraform, Packer, Consul, Vault, and Vagrant, from MPL (Mozilla Public License) to BSL (Business Source License).

So what does HashiCorp’s decision mean for you?

5 main licensing software categories

First, let’s talk about licensing. As with all creations, laws need to be stated to protect such creations and allow their use according to their owner’s wishes and requirements. The same goes for software: definitions need to be made to describe how its owner allows the software to be used. The license is a contract-like form that the user agrees to honor when making use of the software.

Here are the main licensing categories:

  • Permissive – Allows users to use, modify, and distribute the code freely, while typically only requiring that the copyright information be retained when the software is distributed.
    For example: MIT License, Apache License, BSD License.
  • Copyleft and Weak-Copyleft – Both are similar in nature but differ in one important distinction. They both allow the use of the code for any purpose, along with the ability to copy, modify, share, and redistribute the code, with or without a fee.
    The most notable copyleft license is the GPL (General Public License). Under the GPL license, changes must also be licensed by the same terms for published source codes, unlike with weak-copyleft. Programs using the LGPL license (the weak version of GPL) may allow non-GPL licensing to their modified program versions.
    For example: copyleft: GPL; weak-copyleft: LGPL, MPL.
  • Proprietary Licenses – Restrictive licenses that do not grant users the same freedoms as open-source licenses. They often limit the use, distribution, and modification of the code and may require payment or compliance with specific terms and conditions. These licenses can be closed-source or source-available software, each tailored to the product’s properties.
  • Dual licensing – Some projects offer both open-source and proprietary licensing options, depending on the user’s needs. For example, licensors can distribute software to licensees under a proprietary model as well as an open-source model (e.g., GPL).
    Users who do not wish to be subjected to other restrictions and obligations associated with open-source projects can incorporate the underlying source code and follow the definitions of the proprietary license, while also allowing the incorporation of the software into a product that will be distributed under the same open-source model.

The current state of Terraform licensing: Source-available

From its first launch about nine years ago, Terraform was under the MPL license with the notice “Incompatible With Secondary Licenses” attached, meaning it can’t be combined with GPL-licensed code in the same executable program. This was also true for all HashiCorp products.

They were open-source and free for all under the terms of the Mozilla Public License, which in short means anyone could do anything with the code, as long as modifications remained readily available to the public.

On August 10, 2023, HashiCorp announced a change of license for its products to the BSL 1.1 license.
Their announcement declared a shift of all their products from being ‘open-source’ to ‘source-available’. Both ‘open-source’ and ‘source-available’ are ‘publicly available’; the difference is that open-source is by definition free-for-all, while ‘source-available’ has additional restrictions. By doing this, HashiCorp ended its free-for-all licensing.

Of course, this is not the first time a widely used tool has changed its license. Other companies in recent years have also switched their license to BSL. Some notable examples include Couchbase, Cockroach Labs, Sentry, and MariaDB, which developed this license in 2013. Additionally, companies including Confluent, MongoDB, Elastic, and Redis Labs, among others, have adopted alternative licenses that include restrictions on commercial usage. In all these cases, the license enables the commercial sponsor to have more control over commercialization.

Deep dive into the HashiCorp BSL License:

Explanation of the BSL license:

BSL is a new alternative to closed source or open core licensing models. Under BSL, the source code is still publicly available. Non-production use of the code is always free, and the licensor can also make an Additional Use Grant allowing limited production use. Source code is guaranteed to become open-source at a certain point in time. Similar to open-source licenses, BSL-licensed source code is publicly available, and anyone is free to use, modify, and/or copy it for non-production purposes. Unlike open-source licenses, the BSL prohibits the licensed code from being used in production without explicit approval from the licensor.

Three key aspects found in HashiCorp’s BSL:

The first of HashiCorp’s BSL licensing terms is:

“The Licensor hereby grants you the right to copy, modify, create derivative works, redistribute, and make non-production use of the Licensed Work. The Licensor may make an Additional Use Grant, above, permitting limited production use.”

The license does not plainly explain what production actually means. In its most generic definition, production is the use of software, authorized to place orders or establish blanket purchase agreements, for internal business purposes other than development, evaluation, and acceptance testing. If we take a look at the ‘Additional Use Grant’, however, it seems that HashiCorp defines production a bit differently.

In addition, HashiCorp mentions:

“Additional Use Grant: You may make production use of the Licensed Work, provided such use does not include offering the Licensed Work to third parties on a hosted or embedded basis which is competitive with HashiCorp’s products”

Production use can be made of the Licensed Work (in this case the Terraform source code), as long as it does not include offering it to third parties on a hosted or embedded basis which is competitive with HashiCorp’s products; in other words, products offering services that are aligned with or have the same purpose as HashiCorp’s products, such as Terraform Cloud. Otherwise, the service user is required to purchase a license from the Licensor (HashiCorp).

As you can imagine, a large number of companies are against HashiCorp’s actions and in favor of OpenTofu (previously named OpenTF). Most notable are the ones who use Terraform in production. Among them are Env0, Harness, Gruntwork, Spacelift, Scalr, and Doppler (the full list of supporters can be seen on the OpenTofu website).

HashiCorp licensing also states:

“Change Date: Four years from the date the Licensed Work is published”
“Effective on the Change Date, or the fourth anniversary of the first publicly available distribution of a specific version … under this License, whichever comes first, the Licensor hereby grants you rights under the terms of the Change License, and the rights granted in the paragraph above terminate.”

For a period of four years from the earlier of either (1) the change date or (2) the time the distribution was first publicly available, the user must purchase a license from HashiCorp. After the four years pass, the user can make use of that same (4-year-old) version under the less restrictive MPL 2.0 license.
Note the loophole catcher: a user is still required to purchase said license even if the modified work was publicly published. This is to prevent the scheme of having a product make use of published modifications without the need to purchase a license.
Granted, 4 years is an eternity in the life of the source control; a tool that has not published a new version in 4 years is considered dead, so this moderation isn’t of much benefit to the user.

User – the company, organization, or person making use of the Terraform (or Terraform products) source code itself or a modified version of it as part of a product in production.

My opinion about HashiCorp’s license change:

I understand HashiCorp’s actions and I do not see them as uncalled for. I greatly respect open-source contributors, while I cannot speak for those who have freely contributed time, effort, and knowledge to Terraform.

A major statement against HashiCorp’s actions is that they took control of the open-source contributors’ work. First of all, it is apparent that a substantial amount of the contribution to Terraform was made by HashiCorp employees; it’s not like they sat back and waited for Terraform to be popular just so they could cash out later. They led the vision and development of the product and modeled it into what it is today. Secondly, as a business, I believe it is legitimate for a company that invested resources and took risks in developing a new product to take charge of its share.

Interestingly, many people are worried that HashiCorp’s actions might lead to the commercialization of additional open-source projects, posing risks and worries to the industry. Existing open-source tools can see HashiCorp’s actions as a new pavement for them to try and make a profit from their widely used tool.

Another statement against the licensing change is that it is a ‘slippery slope’ and that at any time, HashiCorp can change the licensing to their liking. While that’s true, in my opinion, it is very unlikely.

However, I believe that using Terraform to make a profit contradicts the very concept of open-source itself: free code for all. 

First of all, it has been nine years since a change like this has occurred and hyped up the tech world. HashiCorp probably thought long and hard about this change, not just to make additional changes and vex users even more.

Secondly, changing to a more restrictive licensing – one which might affect the end users as well – will be trouble for HashiCorp, even more so than the current change that resulted in the onset of OpenTofu. Because I believe that that would cross the line, users and contributors alike would not stand for it anymore and would make a hasty escape to support OpenTofu instead.

I see the development of the OpenTofu fork as a senseless act in two main ways:

  • Technically – OpenTofu is currently redundant, because it causes a split in the effort of the development of Terraform replicas (talk about DRY), having requirements that it cannot ignore: first, support of the HCL syntax (including the countless modules existing today), and second, support of existing Terraform providers.
  • Ethically – HashiCorp should not be disowned by the fork, as the change does not affect most end users and companies, just the ones looking to make a profit off the back of the innovation and hard work put into Terraform and the additional HashiCorp tools.

HashiCorp’s main intentions, in my opinion, were to ease users with tools that simplify and make their infrastructure management easier and more efficient. Therefore I believe in HashiCorp. I believe they want to keep the popularity and use of Terraform as well as their additional tools as they are today while securing their (some might say rightful) financial share of the products they created and developed (alongside the community) fully open to all for the last decade or so, much longer than they could have.
