Vendor-led group vows to fork HashiCorp Terraform

HashiCorp Terraform is a flashpoint of contention in the wake of the vendor's move to a Business Source License, including allegations that it ignored open source contributions.

HashiCorp's Terraform infrastructure-as-code software has become the center of controversy over open source contributions since news broke of the company's planned move to a Business Source License.

OpenTF, created by a consortium of vendors whose businesses are based on HashiCorp Terraform, along with individual contributors, could be the site of a forked version of the software, should HashiCorp refuse to reconsider its licensing change. The consortium's organizers and other Terraform community contributors also fired back at a statement HashiCorp made about its rationale for moving all its products to a Business Source License (BSL) -- that competitive vendors had taken the company's source code without contributing.

"This is inaccurate and misleading," read a statement on the OpenTF.org website, which launched this week. "[M]any of the vendors affected by the change to BSL have made considerable contributions to the Terraform community."

The site goes on to list examples of community contributions to Terraform, which include updates to core binaries, Terraform modules, tools such as Terragrunt and tfsec, as well as documentation and learning resources.

OpenTF seeks detente, but threatens fork

OpenTF organizers stated that the best-case scenario would be for HashiCorp to reconsider the shift to BSL for Terraform. The website called a potential project fork a "fallback plan."

"Anytime you fork a product, you're duplicating efforts, and ... it's not in the interest of anyone for there to be duplicate efforts," said Sebastian Stadil, founder and CEO at Scalr, which markets a remote operations back end for Terraform. "Ideally, Terraform remains open source, but if it can't be open source, then the manifesto is about preserving an open path."

However, co-signers to the OpenTF Manifesto also pledged resources, including full-time engineers (FTEs), to a Terraform fork, should it move forward.

These commitments were met with incredulity by one member of the Terraform community, who questioned the timing.

"So you're telling me three companies can commit to 13 FTEs over 5 years," wrote Rick Rackow, expert site reliability engineer at TomTom, a geolocation tech company in Amsterdam, in a LinkedIn post this week. "Weird how 13 FTEs have so few [recent] contributions [to Terraform] unless, maybe, those companies actually haven't had 13 people committed to contribute to [T]erraform until now that they can't build their business on a project that's maintained by another company."

In response to Rackow's post, one official from a company that pledged engineering resources to OpenTF said previous attempts to contribute to Terraform were either rejected or ignored.

"[T]he chance of getting our contributions accepted [was] zero," wrote Marcin Wyszynski, chief product officer at Spacelift, which is among the vendors potentially affected by HashiCorp's switch to a BSL. "Which is super sad because being able to contribute to Terraform would have made our lives so much easier."

OpenTF alleges open source stagnation

Asked to cite a specific example of a rejected contribution in the LinkedIn thread, Wyszynski demurred, saying, "It would be too early to play this card, if our best option is to mend the rift."

Scalr's Stadil pointed to the number of open pull requests, or pending changes that haven't been processed yet, on the Terraform GitHub page -- 188 in all as of this week. There are also more proposed contributions that fell by the wayside among the thousands of closed pull requests, Stadil said.

"There are hundreds and hundreds of contributions people have tried to make, but they haven't accepted those contributions," he said in an interview this week. "They have a very tight stranglehold on where that product goes."

Stadil also said his company's developers had stopped trying to make contributions to the project years ago, after HashiCorp's relationship with the community began to change in the lead-up to its December 2021 IPO.

"In the beginning, [Terraform] was a true open source project, collaborative and licensed [as open source]," Stadil said. "Then, as of a few years ago, it was licensed as open source but not collaborative. And now it's neither collaborative nor licensed under an open source license."

As with Wyszynski, Stadil did not provide a specific example of a pull request on Terraform's GitHub repository from his company that had been rejected or ignored.

However, another Terraform contributor unaffiliated with OpenTF did provide one. Robert Hafner, author of the upcoming book Terraform in Depth, pointed to pull request 28603, titled "standalone client-side remote state encryption."

Opened in May 2021, the proposed change would add security to Terraform, according to Hafner, by allowing state files to be encrypted on the user-controlled client side, instead of the server side. The proposed change included tests, which all passed, and didn't propose any backward-incompatible changes, he said.

"For some reason, HashiCorp has ignored the pull request completely," Hafner said. "They aren't telling people what needs to change to accept it or providing any feedback at all. They're simply ignoring the pull request altogether.

"The thing about this is, it sends a signal," he added. "If you're a developer and you see popular, well-designed and tested pull requests that are being ignored, you aren't going to waste your time trying to contribute back."

Another example, uncovered by TechTarget Editorial, is pull request 31863, which was opened in September 2022, titled "GitHub Workflows security hardening."

The request was met with a positive response from a HashiCorp official on its GitHub thread, although the response indicated HashiCorp did not typically accept pull requests that had to do with the Terraform build and release process. By December 2022, after requests for follow-up from the contributor, the same HashiCorp employee apologized for the delayed response and said that core maintainers would still need to review the change, but that the HashiCorp security team had approved the general approach. The GitHub thread for that pull request ends there.

Culture shift or staffing shortage?

While some OpenTF organizers saw a change in HashiCorp's attitude behind languishing Terraform pull requests, Rackow pointed to HashiCorp's public statements and documentation that blamed staff shortages for slow responses to community contributions.

"[Pull request 31863] doesn't look like someone blocking things on purpose, [but] rather them being short-staffed, which would match what they stated publicly," Rackow said.

Rackow cited a September 2021 HashiCorp blog post that referred to a "scale challenge" for the company, given Terraform's growth since its inception in 2014 to encompass more than 1,000 Terraform providers, among other project components.

"Although we have many teams, some short-term staffing changes impacted our ability to review changes to Terraform Core in a timely manner," the blog post stated. It also pointed to an update to the project's GitHub contribution documentation meant to "help set expectations for the potential contributors about when a response could be expected."

That update stated, "At this time, we do not have a formal process for reviewing outside proposals that significantly change Terraform's workflow, its primary usage patterns, and its language. Additionally, some seemingly simple proposals can have deep effects across Terraform, which is why we strongly suggest starting with an issue-based proposal."

While this offers an alternative explanation for delays and gaps in reviews for community Terraform contributions, it doesn't contradict OpenTF organizers' contention that HashiCorp maintained strict control over updates to the project.

HashiCorp did not respond to a request for comment on this point as of press time.

Manifesto, fork plan met with skepticism

One user of HashiCorp's products said he agreed with OpenTF's call for HashiCorp to reconsider the license change, at least for Terraform.

"What is interesting [is that] there is nothing like that happening for Packer, Vault and other products," said Andrey Devyatkin, a senior cloud engineering consultant at Hippo, New York City-based makers of an app that manages prescription drug pricing. "If I [were] HashiCorp, I would keep the previous license for Terraform and change it for the rest of the products."

There is one effort to fork HashiCorp Vault on GitHub, started in 2020, that hasn't found widespread support and remains thousands of commits behind the official Vault repository.

By comparison, OpenTF organizers said they'd amassed more than 70 company backers of the manifesto and 1,000 GitHub stars.

Meanwhile, other industry watchers expressed doubts about the viability of forking Terraform.

The goal, should the fork proceed, is to donate the project to an established open source foundation, according to the OpenTF website, but no specific foundation was named. As for one potential home, the Cloud Native Computing Foundation, HashiCorp is a silver member there and unlikely to allow OpenTF to donate a forked Terraform, according to Rackow -- nor is it likely that HashiCorp would make such a donation itself.

"I can't really see HashiCorp donating Terraform, because then they could've just done it right away without the license hassle and bad PR," Rackow said. "No foundation that's in their right state of mind will accept a fork of it right now."

Another industry expert emphasized that there is no fork just yet.

"Until it becomes a reality instead of a claimed threat, I wouldn't put too much credence into it," said Donnie Berkholz, founder and chief analyst at independent analyst firm Platify Insights. "The [OpenTF] repository is a manifesto rather than a fork of the codebase, and the vast majority of the commitments are vague in nature."

A third industry watcher was bluntly dismissive of the entire OpenTF effort, calling it "ridiculous."

"I doubt anyone at HashiCorp is shaking in their boots to see this," said Andi Mann, global CTO and founder of Sageable, a tech advisory and consulting firm in Boulder, Colo. "It just looks like a lot of screaming into the void, tilting at windmills, turning back the tide or any number of hackneyed metaphors for pointless thrash."

Beth Pariseau, senior news writer at TechTarget Editorial, is an award-winning veteran of IT journalism. She can be reached at [email protected] or on Twitter @PariseauTT.
