Crossplane Sovereignty: Infrastructure-as-Code After the License Wars
Your infrastructure-as-code tool defines every resource in your cloud environment — networks, databases, storage, secrets, IAM policies. Whoever controls the IaC platform controls the blueprint of your entire infrastructure.
In August 2023, HashiCorp switched Terraform from MPL 2.0 to the Business Source License (BSL 1.1), restricting how competitors can use the software. In April 2024, IBM acquired HashiCorp for $6.4 billion, placing Terraform under a US corporation with a restrictive license and CLOUD Act obligations. AWS CloudFormation, Azure ARM Templates, and Google Deployment Manager are proprietary and locked to their respective US hyperscaler ecosystems.
Crossplane is a CNCF Graduated project (Apache 2.0 license), Kubernetes-native, and governed by the same foundation that oversees Kubernetes itself. VSHN operates Crossplane on Swiss infrastructure and is a listed Crossplane commercial vendor.
Why Crossplane is the sovereign infrastructure-as-code choice
The HashiCorp acquisition crystallized a risk that was always present with single-vendor open source:
- Apache 2.0 license — permissive, irrevocable for released versions, no usage restrictions. Unlike Terraform's BSL, Crossplane's license cannot be changed retroactively
- CNCF Graduated — the highest level of open-source governance, same as Kubernetes and Prometheus. No single company can change the license or governance
- Kubernetes-native — uses standard Kubernetes APIs and CRDs, no separate state backend or vendor-hosted registry
- Multi-cloud by design — manages resources across any cloud provider via Crossplane Providers, avoiding single-hyperscaler lock-in
- No SaaS dependency — unlike Terraform Cloud (HashiCorp/IBM) or Pulumi Cloud, Crossplane runs entirely on your own Kubernetes cluster
- VSHN is an active contributor — VSHN develops and maintains Crossplane providers used in production
Crossplane sovereignty compared
| Dimension | Terraform (HashiCorp/IBM) | AWS CloudFormation | Azure ARM / Bicep | Google Deployment Manager | VSHN Managed Crossplane |
|---|---|---|---|---|---|
| Governance | IBM (USA) | Amazon (USA) | Microsoft (USA) | Google (USA) | CNCF (open governance) |
| License | BSL 1.1 (restrictive) | Proprietary | Proprietary | Proprietary | Apache 2.0 (permissive) |
| CLOUD Act | Exposed (HCP Cloud) | Exposed | Exposed | Exposed | Not exposed |
| State storage | Terraform Cloud (IBM) or self-managed | AWS-managed | Azure-managed | GCP-managed | Kubernetes etcd (Swiss infrastructure) |
| Cloud lock-in | Multi-cloud (but IBM-governed) | AWS only | Azure only | GCP only | Multi-cloud, Kubernetes-native |
| SaaS dependency | Terraform Cloud for collaboration | AWS Console | Azure Portal | GCP Console | None — runs on your K8s cluster |
| Community governance | Single company (IBM) | Single company | Single company | Single company | CNCF graduated, multi-vendor |
| Operator | Self-managed or IBM SaaS | AWS-managed | Microsoft-managed | Google-managed | VSHN AG (Switzerland) |
The license and acquisition argument
The Terraform license change and IBM acquisition illustrate a fundamental sovereignty risk with single-vendor open source:
-
License revocation — HashiCorp changed Terraform from MPL 2.0 to BSL 1.1, restricting competing commercial use. Organizations that built their infrastructure practice around "open source Terraform" discovered the license was a single board decision away from restriction.
-
Corporate acquisition — IBM's acquisition placed Terraform under a US defense contractor subject to the CLOUD Act, ITAR, and EAR regulations. Terraform Cloud state files — containing the complete blueprint of your infrastructure — are now accessible to IBM under US law.
-
OpenTofu fork — the community responded with OpenTofu (Linux Foundation), but it remains a catch-up fork tied to HashiCorp's HCL design decisions and faces ongoing legal uncertainty around code provenance.
Crossplane avoids these risks structurally: - CNCF governance means no single company can change the license - Apache 2.0 is irrevocable for released versions - Kubernetes-native architecture means state lives in your cluster's etcd, not a vendor SaaS - Provider ecosystem is community-maintained, not controlled by one company
VSHN sovereignty self-assessment
We applied the EU's Cloud Sovereignty Framework (v1.2.1, October 2025) to our own services. This framework was used to score providers in the EU's EUR 180M sovereign cloud tender in April 2026 — three pure-European providers achieved SEAL-3, while a consortium involving Google Cloud scored only SEAL-2.
This is a self-assessment, not a formal SEAL certification. We publish it for transparency so customers can evaluate our sovereignty profile using the same structured criteria the EU uses.
| # | Dimension | Weight | Assessment | Evidence |
|---|---|---|---|---|
| SOV-1 | Strategic | 15% | Strong | Swiss AG, no foreign parent, all shareholders Swiss citizens (Commercial Register) |
| SOV-2 | Legal | 10% | Strong | Swiss law (GTC), no CLOUD Act, EU adequacy decision |
| SOV-3 | Data & AI | 10% | Strong | Swiss DCs by default. Sovereign key management via Managed OpenBao + Swiss HSM |
| SOV-4 | Operational | 15% | Strong | Swiss 24/7 ops, Swiss-only support option. All services on vanilla Kubernetes |
| SOV-5 | Supply Chain | 20% | Strong | Infrastructure-agnostic — customer chooses provider. Open-source software |
| SOV-6 | Technology | 15% | Strong | 100% open source. VSHN contributes to K8up (CNCF), Crossplane providers, Project Syn |
| SOV-7 | Security | 10% | Strong | ISO 27001, ISAE 3402 Type II, Swiss SOC. FINMA-regulated customers |
| SOV-8 | Environmental | 5% | Moderate | DC operators: Green Datacenter AG (ISO 22301/27001/27701), Exoscale sustainability. VSHN CSR policy |
Overall: SEAL-3 equivalent — the same level achieved by the winners of the EU's own sovereignty tender. No provider worldwide achieved SEAL-4, as it requires fully EU/EEA-sourced hardware supply chains and open-source foundations — structural gaps shared by every cloud provider.
Get a sovereignty assessment for your infrastructure-as-code
Still on Terraform after the IBM acquisition? We assess your sovereignty profile against the EU framework and plan a migration to Crossplane on Swiss infrastructure. VSHN is a listed Crossplane commercial vendor and active upstream contributor.