Getty Images/iStockphoto

Terraform Registry TOS change stokes open source ire

Community members allege that HashiCorp quietly changed the terms of service for its Terraform Registry in order to complicate efforts to fork the code.

Backers of the effort to fork HashiCorp Terraform in the wake of the vendor's pivot away from open source licensing called out a recent change to the Terraform Registry terms of service as a surreptitious move to block their progress.

The Terraform Registry is a repository of software artifacts that integrate Terraform infrastructure as code with third-party software and services, called providers, as well as prepackaged Terraform modules, which are containers for multiple IaC resources that are used together. These components, contributed over the nearly 10 years of Terraform's existence by community projects and software partners, are widely used and key to integrating the tool into enterprise IT environments.

OpenTofu, originally called OpenTF, was formed after HashiCorp disclosed in August that it would move to a Business Source License (BSL) from a purely open source license for future releases of its products, including Terraform. OpenTofu became an official Linux Foundation project in late September, with the goal of an eventual donation to the Cloud Native Computing Foundation.

Meanwhile, in early September, the CEO of a company listed as an OpenTofu supporter, Cloud Posse, called out another, less widely publicized change by HashiCorp: an updated passage in the terms of service (TOS) for the Terraform Registry.

The passage stated: "You may download providers, modules, policy libraries and/or other Services or Content from this website solely for use with, or in support of, HashiCorp Terraform. You may download or copy the Content (and other items displayed on the Services for download) for personal non-commercial use only, provided that you maintain all copyright and other notices contained in such Content."

There isn't a log in the documentation showing when the change was made, but "personal non-commercial use only" echoes the language used by HashiCorp to describe the new terms of its BSL licensing. And it prompted OpenTofu to fork the Terraform Registry, too, creating the OpenTofu Registry alongside the alpha release of its Terraform code fork this month.

OpenTofu founders stated they believe the TOS change was a direct effort to make it more difficult for their project to succeed.

"HashiCorp has changed the terms of service to not allow even their customers to use their registry unless they use their version of Terraform," said Sebastian Stadil, founder and CEO at Scalr, which markets a remote operations back end for Terraform. "This gives OpenTofu the opportunity to create an open registry for both Terraform and OpenTofu users and draw upon the ideas of everyone to out-innovate HashiCorp."

Terraform Registry fork deepens open source divide

Community members and HashiCorp users who were already disenchanted with the BSL change said the Terraform Registry fork only intensified a bad taste in their mouths.

Kyler Middleton, senior principal software engineer, VeradigmKyler Middleton

"Hashi has implied their registry is now proprietary and not part of the open source offering," said Kyler Middleton, senior principal software engineer at healthcare tech company Veradigm. "This feels very enterprise-y, how large companies can play games with licensing and costs in order to maximize profit."

The TOS change "is a low that I thought they would never reach," said Robert Hafner, a past Terraform contributor and author of the book Terraform in Depth. "The fact is, the registry is primarily other people's code and is basically a thin proxy over GitHub. HashiCorp is making decisions that are, frankly, embarrassing and reputation-harming."

Another open source project, package management utility Homebrew, officially deprecated elements of Terraform at the core of its software on Aug. 14 due to the licensing change. It has yet to commit to replacing Terraform with OpenTofu, which has significant momentum from other contributors, Hafner said.

Seeing the number of companies working with OpenTofu ... has proven that every time HashiCorp tries to make a moat, the OpenTofu team will build a bridge.
Robert HafnerTerraform contributor and author

"Seeing the number of companies working with OpenTofu ... has proven that every time HashiCorp tries to make a moat, the OpenTofu team will build a bridge," he said.

Some industry watchers, however, see the Terraform Registry fork as a bad sign for OpenTofu.

"This additional complexity is likely to hurt the project in the short term at least," said Andi Mann, global CTO and founder of Sageable, a tech advisory and consulting firm in Boulder, Colo. "Ease of deployment is a major decision factor for enterprise CTOs. They are not looking for a science project."

A HashiCorp exec interviewed during the lead-up to the annual HashiConf user conference this week declined to comment specifically on the OpenTofu project, but reiterated the company's stance that the overall impact of the change has been minimal.

"For the majority of use cases, and users and customers, there's no impact, and also for the majority of our partners," said Meghan Liese, vice president of product marketing at HashiCorp. "We have a lot of partners who have already reached out to us in good faith. ... Overall, 99% are not impacted by it."

HashiCorp open source competitors poised to pounce

It remains to be seen how widespread the open source defection will become from HashiCorp's products due to the licensing change. Notably, while the BSL change applies to all HashiCorp's products, only Terraform has been forked by the community. And while its code is no longer as freely reusable under the new license, HashiCorp continues to update and support free community editions that make source code available to users.

However, there are signs that at least some enterprises want vendors to embrace the open source ethos fully. A January 2022 IDC survey found that for organizations doing DevOps, 73% indicated they will sometimes seek out open source software over other alternatives, with 12.5% indicating they always do so.

"This isn't something that hasn't played out before. There have been prior examples in the industry, including a conflict between Elasticsearch and AWS over the issue of AWS commercializing Elasticsearch's products," said Katie Norton, an analyst at IDC. "That friction ultimately led to Elasticsearch changing its license, which led to AWS forking the open source Elasticsearch code into a new project called OpenSearch. ... There exists the possibility that the [HashiCorp] licensing change could create [similar] customer uncertainty."

One HashiCorp open source competitor claims to have already benefited from the HashiCorp licensing change.

"Since that happened, we had our best month of new customers ever in response -- all of our metrics are elevated, like 10 times our social media engagement overnight," said Joe Duffy, founder and CEO of infrastructure-as-code vendor Pulumi.

HashiCorp's license change has also prompted prospective customers to question any vendor's ultimate commitment to open source, but Duffy said Pulumi has taken a thoughtful approach to what it commercializes as part of its business model, which will keep it sustainable.

HashiCorp also isn't alone in rethinking open source among IT vendors this year: Red Hat changed how its upstream code is made available, and Docker has shifted away from purely open source security scanning tools in favor of its new Docker Scout commercial product.

Larry Carvalho, independent analyst, Robust CloudLarry Carvalho

But HashiCorp is in a different competitive position than those vendors, especially in infrastructure as code, where the Crossplane open source project has also begun to win Terraform converts, said Larry Carvalho, an independent analyst at Robust Cloud.

"The whole momentum for the last 10 years [in infrastructure as code] has been all open source," he said. "I don't see [Terraform Community Edition] winning customers' attention at this time just because they're still putting new feature sets out there."

Beth Pariseau, senior news writer at TechTarget Editorial, is an award-winning veteran of IT journalism. She can be reached at [email protected] or on Twitter @PariseauTT.

Dig Deeper on Systems automation and orchestration