LICENSE to code: Why one text file can ruin your week

Published in

Instawork Engineering

6 min readMar 31, 2023

At Instawork, we try to utilize (and give back to) the open source community as much as possible. Open source software forms the backbone of the Internet and the entire tech industry and most of us are “standing on the shoulders of giants” whether we realize it or not.

For example, the laptop I am currently typing on, runs on MacOS, which was derived from OpenBSD, Mach, and many other open source projects. When you use Rust, Go, NodeJS, Python, Typescript, React, or pretty much anything else, you’re also using open source software to develop apps and tools. It goes without saying that it would take you and I much longer to do anything from scratch (trust me on that one).

So why the history lesson? Well… we recently ran into an issue with some open source software and I felt it important to share our story and why one little text file can make all the difference.

And yes, there truly is an XKCD for everything…

Infrastructure-As-Code

It all begins with Terraform. At Instawork, we write our infrastructure-as-code using Terraform so that we can spin up, modify, and destroy our environments in a safe and reproducible way. If you’re not doing this, you might want to get on that…

We also have a de-facto policy that, where possible, we use 3rd party vendors in order to speed up development time and focus on what truly matters.

In order to manage these 3rd party services, Terraform provides a way for anyone to create a “provider” that can interact via an API to manage resources that don’t have first class support. (In fact, Terraform creates 1st class providers using the same framework!).

For example, using the AWS provider, we can easily create an EC2 instance with some Terraform HCL:

provider "aws" {
  region = "us-west-2"
}

resource "aws_ec2_host" "test" {
  instance_type     = "c5.18xlarge"
  availability_zone = "us-west-2a"
  host_recovery     = "on"
  auto_placement    = "on"
}

Call terraform apply et voilà, c’est dans le cloud ☁️.

At Instawork, one of these 3rd party vendors is Imgix, an image processor we use for profile photos among other things. If you’ve ever had the need to dynamically resize, crop, center, or rotate images for your application, try them out!

We searched for an open source Terraform provider to use with Imgix and found imgix on the Terraform Registry. Great! 👍 For months, we were as happy as could be. We created, destroyed, updated to our hearts desire.

Until…

It was a normal day like any other. Our CI/CI pipeline was ripping along, making changes to our infrastructure without any issues. That is, until we made a totally unrelated change to our Terraform code and received:

Error reading source: source not found

🤔 Hmmm… That’s strange. We didn’t update any code related to that…

After some digging, we found that Imgix made breaking changes to their API. The Terraform provider, last updated over 2 years ago, no longer worked with the new API. But no problem, right? It looks like it’s open source so we can go submit a PR and get everything fixed… right? Right…? 😅

LICENSE(.txt)?

One of the first things I always check is the LICENSE for a project. The last thing you want to do is get pulled into a meeting with your General Counsel.

choosealicense.com has a good explanation here as to why this might be a bad idea…

If you find software that doesn’t have a license, that generally means you have no permission from the creators of the software to use, modify, or share the software. Although a code host such as GitHub may allow you to view and fork the code, this does not imply that you are permitted to use, modify, or share the software for any purpose.

And unfortunately, this is where things take a turn in our story.

If you go to teamjourney/terraform-provider-imgix you’ll notice something is missing. Look a little closer… See it? A single text file called LICENSE, missing. Thirty seconds of effort to save days of time later down the road.

OK… Well maybe they just forgot?

As soon as we realized the Imgix provider code was missing a LICENSE, we stopped using it in our Terraform code. While it is possible the authors actually intended this project to have no LICENSE (no LICENSE file is needed to state there is no license), considering it was published on the Terraform Registry we assumed it was simply a mistake.

We spent the next two weeks trying to contact the creators via Github, email, and any other channels with a simple request: get a LICENSE added to the project. No success 😒

We tried to search for other providers in the Terraform Registry but funnily enough, we found that those providers were actually forks of the original repo with the missing LICENSE file! All of them were breaking the (non)LICENSE as well…

Recreate the wheel

Unfortunately, at this point, we only had one option. We had to code our own provider from scratch. At first, that may not seem like a big deal. We have the existing source code to help us, so it should be easy, no?

Remember that General Counsel I mentioned, well…. they’d be very upset if we did this.

Coding in a Vacuum

As mentioned above, when there is no LICENSE file, you’re not allowed to modify the source code at all. In fact, you can’t even look at the source code to get inspiration for your own code, because you might accidentally include (read: copy) code over which is against the (non)LICENSE. If you don’t think this is a big deal, search “Oracle vs Google” and then keep on reading.

Solution

So what is the end result? We created our own open source provider from scratch, and we made sure to include a LICENSE!

We chose the “MIT License” due to it’s simplicity, requirement to maintain the LICENSE file in other works (a little bit of credit goes a long way 😉), and the fact that source code is not required to be included if you use the project in a larger code base. All things that we’d want if we were using someone else’s code in our projects.

Examples of projects using the MIT License include:

Babel — LICENSE
React — LICENSE
Rust — LICENSE-MIT (uses dual MIT-Apache 2.0 license)
openai/whisper — LICENSE

So, if you happen to use Imgix and AWS, you can use our provider today! We are adding support for other cloud providers in the future (or even better, fork it and contribute 😎) but for now it supports our small use case.

Check out the code here:
https://github.com/Instawork/terraform-provider-imgixyz
https://registry.terraform.io/providers/Instawork/imgixyz/latest

PSA

Open source can be a beautiful thing, but sharing the code is just one part of the story. Without a LICENSE, the positive impact you can have on the community is very limited. So next time you’re writing something awesome and want to share it with the world, please make sure to add a LICENSE file. You can easily find which one fits your needs at Choose an open source license.