IBM engineers hatch Linux Foundation HashiCorp Vault fork

OpenBao vs. OpenTofu

The author of the OpenBao project's first documentation-related official merge request echoed Pearson's view that OpenBao isn't meant to compete with HashiCorp Vault as an enterprise product.

"I think they are parallel products that will probably diverge over time into different directions," said Andrew Savchyn, principal engineer at Blue Orange Digital, a data warehousing consulting and development firm in New York. "Maybe still kind of competing in some niches but with very different focuses. ... I would see it as an expansion to the available tools on the market."

OpenTofu was already under way within two weeks of HashiCorp's disclosure of its planned licensing change. It quickly garnered the public backing of 100 companies, 10 open source projects and 400 individuals committed to forking Terraform. In contrast, OpenBao is at a much earlier stage, still working on the basics of documentation and project organization with a handful of participants so far.

While OpenTofu's backers published a manifesto calling for HashiCorp to reverse its BSL decision, OpenBao has made no such statements. HashiCorp did not specifically name any companies in its initial BSL announcement but alleged that competitors had been commercializing its open source code without contributing back. Those companies were the target of its licensing change.

While it was immediately obvious which competitors it might be for Terraform -- companies that went on to co-found OpenTofu, including Spacelift, Env0 and Scalr -- it's unclear whether similar commercial competitors exist for HashiCorp Vault, according to industry analysts.

Secrets management tools are also subject to different enterprise market dynamics than infrastructure-as-code, said Katie Norton, an analyst at IDC. In a January 2022 IDC survey, over 73% of organizations doing DevOps indicated that they will sometimes seek out OSS over other alternatives, with 12.5% indicating they always do so.

But secrets management is quickly evolving from standalone tools to more broadly integrated enterprise products. HashiCorp Vault offers enterprise users centralized management that open source projects can't, according to Norton.

"Secrets management can get complex very quickly with so many different technology stacks, platforms, and tools. Many of these come with their own secrets capabilities," Norton said. "Its secrets sync capability, a key feature of HCP Vault Secrets, which is also available in beta for Vault Enterprise, helps better centralize the secrets management processes in multicloud organizations."

HashiCorp headwinds continue

However, other industry observers see OpenBao as a further reproof of HashiCorp's BSL decision.

"I think Hashi didn't expect for the customer base to so quickly and harshly rebuke them for their licensing changes," said Kyler Middleton, senior principal software engineer at healthcare tech company Veradigm and a HashiCorp Ambassador.

Middleton switched to OpenTofu for all her personal projects in response to the licensing change. She hasn't tried OpenBao yet.

"Good tools don't exist in a vacuum. They're popularized and proselytized by tons of people, and an outsized amount of those movers and shakers feel that knowledge ought to be free and available," Middleton said. "Licensing any type of valuable tool like this isn't ever going to be popular, and I don't think Hashi understood that. I hope they learn that lesson soon."

Open source components are also often attractive to enterprise security buyers, said Melinda Marks, an analyst at TechTarget's Enterprise Strategy Group.

"[This is] likely troublesome for Hashi since it is so well known for Vault," Marks said. "With shift-left efforts, you have DevOps and platform engineers using open source tools and customizing them in their environments. And then you also have security vendors trying to incorporate secrets detection and secrets scanning. Those are two areas where OpenBao could be attractive compared to Vault."

OpenTofu organizers and other open source community members have alleged that HashiCorp became less responsive to open source contributions to Terraform around the time of the company's IPO in late 2021. Since then, fiscal pressures on the company have mounted, as its revenue has grown but it has reported net quarterly losses.

The company reported 17% revenue growth in its third quarter of fiscal 2024 on Dec. 7 compared to the same quarter a year ago. While net losses weren't as steep -- $39.5 million as opposed to $72 million a year ago -- the company has yet to reach profitability by generally accepted accounting principles (GAAP). The quarter was the company's first with positive non-GAAP net income, which totaled $5.6 million, according to a HashiCorp press release.

HashiCorp responds to Terraform Cloud pricing critiques

HashiCorp officials also addressed objections made by some commercial Terraform Cloud customers to Terraform Cloud pricing changes which took effect May 16.

HashiCorp officials emphasized that its lowest pricing tier is more valuable due to expanded security features, but some customers took to online forums to complain about rising costs. A few who received updated licensing terms from HashiCorp following the pricing change contended that the updates made their Terraform licenses more expensive than the cloud resources they were managing.

In response, HashiCorp disclosed a pricing breakdown for its Terraform Cloud customers to TechTarget Editorial this month showing that nearly 95% of pay-as-you-go customers pay less than $500 per month, as seen in Figure 1.

"Terraform Cloud has over 270,000 users, and it grows at a rate of over 19,000 per quarter," said Meghan Liese, vice president of product marketing at HashiCorp, in an interview. "And 80% of our pay-as-you-go customers are paying less than $250 per month. Based on our customer feedback, we think it's priced appropriately to the value received."

Beth Pariseau, senior news writer at TechTarget, is an award-winning veteran of IT journalism. She can be reached at [email protected] or on Twitter @PariseauTT.