HashiCorp is changing the license on its core products from MPL 2.0 to Business Source License 1.1. That includes Terraform, which is why this announcement lands with more than a little force in infrastructure circles.
If you build, buy, invest in, or depend on software that lives anywhere near Terraform, this is not a trivia question. It is a commercial risk question.
HashiCorp’s own announcement says the company is moving future releases of its products to BSL 1.1, while leaving APIs, SDKs, and most other libraries under MPL 2.0. The company also says it is trying to preserve broad use, but not use that amounts to a competitive offering against HashiCorp itself. That distinction is doing a lot of work here. A lot.
What changed
For years, Terraform sat in the comfortable, familiar lane of permissive or open source licensing. Now the center of gravity has shifted.
The new model is source-available, but not open source in the usual sense. That matters because open source users are used to asking one question: can I use this code? Under BSL, the more important question becomes: can I use this code in a way that competes with the vendor?
That is a very different legal and business posture.
HashiCorp is not saying, “No one can see the code.” It is saying, in effect, “You can still use the code, but not to build a competing commercial service or product.” That is a meaningful line in the sand for cloud vendors, managed service providers, consultancies with productized offerings, and any startup that had vague plans to wrap Terraform into a hosted commercial platform and call it innovation.
Why Terraform is the headline
Terraform is not just another product in the HashiCorp portfolio. It is the infrastructure-as-code tool that became the default verb for a generation of platform teams. People do not just “manage cloud resources.” They “do Terraform.”
That kind of mindshare creates an attractive target. If you control the core tool, you control a lot of the ecosystem gravity around it.
So when HashiCorp moves Terraform under BSL, the practical message is simple: you can still build with Terraform, but you cannot casually build a Terraform business on top of HashiCorp’s source code if that business competes with HashiCorp’s own offerings.
That is the part commercial competitors need to read twice.
The real commercial impact
The obvious question is: does this stop people from using Terraform?
No. At least not in the general sense. The issue is not ordinary internal use. The issue is whether you are embedding, hosting, repackaging, or operating Terraform as part of a paid competitive offering.
In plain English:
- If your team uses Terraform to provision your own infrastructure, that is one thing.
- If your product wraps Terraform into a hosted service and sells that service to customers, that is another.
- If you are a vendor whose business model depends on taking upstream community code and turning it into a competitive commercial product, the license just got a lot less friendly.
And yes, that includes the more awkward cases. The sort of cases that look fine in a pitch deck and slightly less fine in a diligence data room.
Licensing stops being an abstract legal topic here and becomes an enterprise risk question. If a portfolio company’s value proposition depends on software it does not fully control, you have to ask whether the license lets that business model survive intact.
Why this should show up in diligence
License risk belongs in technology due diligence.
At licens.io, license compliance is not a side note. It is part of how we evaluate software risk in M&A and investment decisions. When we review a target, we are not only asking whether the code works. We are asking whether the code can be used, shipped, and commercialized the way management thinks it can.
That distinction matters more than people like to admit.
A licensing shift like this can affect:
- Product roadmap assumptions
- Distribution rights
- Customer contracts
- Partner agreements
- Cloud resale or managed service plans
- Exit value
In other words, it can affect the deal.
And this is one of those annoyingly non-technical truths: the technical team may discover the issue first, but the financial consequences usually arrive last, with interest.
What teams should do now
If Terraform is in your stack, or in a company you are evaluating, do not panic. Do this instead:
- Inventory every place Terraform appears, including forks, wrappers, managed services, and embedded tooling.
- Separate internal operational use from customer-facing or third-party offerings.
- Review whether any product, service, or integration could plausibly be viewed as a competitive offering.
- Check downstream redistribution rights before you assume a hosted product can keep shipping unchanged.
- Revisit your OSS intake process so future license changes do not become a surprise at closing.
If you are a buyer, ask for the software bill of materials, the dependency map, and the licensing policy. If you are a seller, have those answers ready before diligence starts. Guessing is a poor strategy, even when the room is full of smart people and expensive coffee.
The broader lesson
HashiCorp is making a strategic move that many software vendors have considered and fewer have had the nerve to execute. It is drawing a boundary between community adoption and commercial substitution.
That is not a moral judgment. It is a business decision.
Whether you like the decision or not, you should at least recognize the pattern. When infrastructure software becomes mission-critical, licensing is no longer a legal afterthought. It is part of the operating model. Ignoring it is how companies end up discovering, far too late, that the thing holding the product together is not just code. It is code under terms they never really read.
And that is how you end up with a very expensive conversation.
If Terraform is in scope for your company, now is the time to review the exposure, not after a buyer, partner, or board member asks the obvious question: what exactly are we allowed to do with this software?
Related posts
SFC v. Vizio: A Court Says GPL Compliance Is a Contractual Duty
A December 4, 2025 tentative ruling in SFC v. Vizio suggests GPL compliance can sound in contract, not just copyright, with real consequences for end users.
Read moreRedis Goes Source-Available: Valkey Fork Launches Within 30 Days
Redis's March 2024 license change triggered a rapid Valkey fork, reminding buyers that open-source governance can become a real diligence issue overnight.
Read moreCISA and FBI Call for Memory Safety Roadmaps: Is C++ on Borrowed Time?
CISA and the FBI are turning memory safety from an engineering preference into a board-level issue, and C/C++ is suddenly on the defensive.
Read more