compliant-financial-infrastructure

Change to TF License

Open AdrianHammond opened this issue 1 year ago • 6 comments

Support Question

Have been with @mcleo-d today and we were having a discussion on whether the change to the HashiCorp license, moving to Business Source License from GPL, impacts CFI. James's recommendation was to check with FINOS legal. Ahead of me doing that, I wanted to check your views @eddie-knight @abdullahgarcia

Thanks Adrian

AdrianHammond, Aug 15 '23 12:08

Sounds like a good course of action!

eddie-knight, Aug 15 '23 12:08

Email sent to FINOS legal team, have cc'd @mcleo-d @eddie-knight @abdullahgarcia

AdrianHammond, Aug 16 '23 13:08

@AdrianHammond @abdullahgarcia

LF Legal is investigating this to take an official stance right now, but there are a few points to discuss in the open as we continue to consider this.

  1. The language provided by HashiCorp appears to be intentionally unclear, as it leaves many critical things undefined (especially the language "embed or host"). It is left to HashiCorp to interpret, and many companies are going on record with concern about whether the interpretation will fluctuate over time.
  2. The documented intent of CFI is to provide policies, infrastructure as code, and validation tooling. The second pillar currently includes some Ansible and Terraform resources.
  3. There is not currently any risk introduced by the Terraform we have currently created (such as https://github.com/finos/terraform-aws-cfi-eks), but there is concern that any maintenance will bring the modules beyond Terraform v1.5.5 and thus subject us and our users to the whims of the BUSL enforcers.
  4. This may be a moot point entirely, irrespective of the license topic. We do not currently have a large contributor base or consumer base for the IaC resources, following the withdrawal of HashiCorp and Codethink from the project. With the creation of CCC, we hope that technology providers will begin creating their own compliant infrastructure and certifying it through the CFI validator.

Considering the aforementioned, I propose that we make all Terraform repositories private for now. Then, we can make any further decisions later based on what we learn in the coming weeks.

eddie-knight, Aug 17 '23 22:08

@eddie-knight

Let's make all Terraform repositories private for now and take action after the "mud" has cleared.

abdullahgarcia, Aug 18 '23 12:08

I agree

AdrianHammond, Aug 21 '23 07:08

Here are the following repositories that we'll be making private:

  • https://github.com/finos/terraform-google-cfi-gke
  • https://github.com/finos/terraform-azurerm-cfi-aks
  • https://github.com/finos/terraform-aws-cfi-lambda
  • https://github.com/finos/terraform-aws-cfi-dynamodb
  • https://github.com/finos/terraform-azurerm-cfi-postgresql
  • https://github.com/finos/terraform-aws-cfi-redshift
  • https://github.com/finos/terraform-aws-cfi-sqs
  • https://github.com/finos/terraform-aws-cfi-eks
  • https://github.com/finos/cfi-terraform-template-child-module

eddie-knight, Aug 22 '23 19:08