chore: Adjust to 2025_07 BCR part 2 (snowflakedb#4174)

- Adjust granting privileges on a database during a share update.
- Add related sections to the BCR migration guide. 

## References
https://docs.snowflake.com/en/release-notes/bcr-bundles/2025_07
snowflakedb#4018

Author: sfc-gh-jmichalak

MIGRATION_GUIDE.md

@@ -136,6 +136,12 @@ If the bundle is disabled, then the `generation` column is not present in Snowfl
 
 No changes in the configuration are necessary.
 
+### *(improvement)* Granting privileges on a database during share update
+
+When updating the `accounts` field in the `share` resource, the provider creates a temporary database from the share. Before, it granted only the `USAGE` grant. Now, it also grants `REFERENCE_USAGE` because of the changes in the [2025_07](./SNOWFLAKE_BCR_MIGRATION_GUIDE.md#disallow-grant-reference_usage-on-a-database-if-grant-usage-isnt-set-first) bundle.
+
+No changes in the configuration are necessary.
+
 ## v2.9.x ➞ v2.10.0
 
 ### *(improvement)* Features promoted to stable

SNOWFLAKE_BCR_MIGRATION_GUIDE.md

@@ -41,6 +41,41 @@ and [grant_privileges_to_database_role](https://registry.terraform.io/providers/
 
 Reference: [BCR-2114](https://docs.snowflake.com/en/release-notes/bcr-bundles/2025_07/bcr-2114)
 
+### New default column sizes for string and binary data types
+
+Before this change, the default size was 16 MB for text and 8 MB for binary columns. With the new bundle, the defaults increase to 128 MB for text and 64 MB for binary columns.
+For now, the provider will continue to use the old default size - 16 MB for text and 8 MB for binary. We are planning to adjust even more datatypes because of a new `DATA_TYPE_ALIAS` column in information schema - read [related BCR](https://docs.snowflake.com/en/release-notes/bcr-bundles/2025_07/bcr-2061). We'll comeback to this in the future.
+
+The datatype precision and scale can be specified for columns in the provider.
+
+Reference: [BCR-2118](https://docs.snowflake.com/en/release-notes/bcr-bundles/2025_07/bcr-2118)
+
+### Disallow setting date and time output formats to AUTO
+
+Snowflake now does not allow setting a number of time output parameters to `AUTO` - see the reference for the exact list. The provider does not validate such values in related resources. If you are using the `AUTO` value, adjust your configurations.
+
+Reference: [BCR-2115](https://docs.snowflake.com/en/release-notes/bcr-bundles/2025_07/bcr-2115)
+
+### Python telemetry library automatically installed
+
+Snowflake automatically installs the `snowflake-telemetry-python` package when a function or procedure with a Python handler is created. Read more about packages policy in [Snowflake documentation](https://docs.snowflake.com/en/developer-guide/udf/python/packages-policy). Package policies are not yet supported in the provider.
+
+Reference: [BCR-2120](https://docs.snowflake.com/en/release-notes/bcr-bundles/2025_07/bcr-2120)
+
+### Disallow GRANT REFERENCE_USAGE on a database if GRANT USAGE isn’t set first
+
+After enabling this BCR, `GRANT USAGE` on a database must be granted before `GRANT REFERENCE_USAGE`. These operations can be combined like `GRANT USAGE, REFERENCE_USAGE`. You can manage these in Terraform with [grant_privileges_to_share](https://registry.terraform.io/providers/snowflakedb/snowflake/latest/docs/resources/grant_privileges_to_share). You may need to adjust your grant configurations.
+
+Additionally, when updating the `accounts` field in the `share` resource, the provider creates a temporary database from the share. Before, it granted only the `USAGE` grant. Since [v2.11.0](./MIGRATION_GUIDE.md#improvement-granting-privileges-on-a-database-during-share-update), it also grants `REFERENCE_USAGE`. If you have trouble updating or creating the `share` resource, update the provider to this version.
+
+Reference: [BCR-2136](https://docs.snowflake.com/en/release-notes/bcr-bundles/2025_07/bcr-2136)
+
+### Default schedule for data metric functions in views
+
+Setting data metric functions in views is now optional. In the provider, the `data_metric_function` field must be set if `data_metric_schedule` is set. The provider will continue to require setting that field for now. We are treating this relaxation as a missing feature, and we'll adjust it in the future.
+
+Reference: [BCR-2101](https://docs.snowflake.com/en/release-notes/bcr-bundles/2025_07/bcr-2101)
+
 ### New `generation` column in output in SHOW WAREHOUSES
 
 This bundle adds the `generation` column. The values in `resource_constraint` column remain the same. The provider has been adjusted in [v2.10.1](./MIGRATION_GUIDE.md#improvement-handling-show_output-in-warehouses).

pkg/resources/share.go

@@ -126,14 +126,14 @@ func setShareAccounts(ctx context.Context, client *sdk.Client, shareID sdk.Accou
 	// USAGE can only be granted to one database - granting USAGE on the temp db here
 	// conflicts (and errors) with having a database already shared (i.e. when you
 	// already have a share and are just adding or removing accounts). Instead, use
-	// REFERENCE_USAGE which is intended for multi-database sharing as per Snowflake
+	// USAGE and REFERENCE_USAGE which is intended for multi-database sharing as per Snowflake
 	// documentation here:
 	// https://docs.snowflake.com/en/sql-reference/sql/grant-privilege-share.html#usage-notes
 	// Note however that USAGE will be granted automatically on the temp db for the
 	// case where the main db doesn't already exist, so it will need to be revoked
 	// before deleting the temp db. Where USAGE hasn't been already granted it is not
 	// an error to revoke it, so it's ok to just do the revoke every time.
-	err = client.Grants.GrantPrivilegeToShare(ctx, []sdk.ObjectPrivilege{sdk.ObjectPrivilegeReferenceUsage}, &sdk.ShareGrantOn{
+	err = client.Grants.GrantPrivilegeToShare(ctx, []sdk.ObjectPrivilege{sdk.ObjectPrivilegeUsage, sdk.ObjectPrivilegeReferenceUsage}, &sdk.ShareGrantOn{
 		Database: tempDatabaseID,
 	}, shareID)
 	if err != nil {

pkg/sdk/testint/shares_integration_test.go

@@ -73,6 +73,7 @@ func TestInt_SharesCreate(t *testing.T) {
 			Comment:   sdk.String("test comment"),
 		})
 		require.NoError(t, err)
+		t.Cleanup(testClientHelper().Share.DropShareFunc(t, id))
 		shares, err := client.Shares.Show(ctx, &sdk.ShowShareOptions{
 			Like: &sdk.Like{
 				Pattern: sdk.String(id.Name()),
@@ -85,8 +86,6 @@ func TestInt_SharesCreate(t *testing.T) {
 		assert.Len(t, shares, 1)
 		assert.Equal(t, id.Name(), shares[0].Name.Name())
 		assert.Equal(t, "test comment", shares[0].Comment)
-
-		t.Cleanup(testClientHelper().Share.DropShareFunc(t, id))
 	})
 
 	t.Run("test no options", func(t *testing.T) {
@@ -96,11 +95,10 @@ func TestInt_SharesCreate(t *testing.T) {
 			Comment:   sdk.String("test comment"),
 		})
 		require.NoError(t, err)
+		t.Cleanup(testClientHelper().Share.DropShareFunc(t, id))
 		shares, err := client.Shares.Show(ctx, nil)
 		require.NoError(t, err)
 		assert.GreaterOrEqual(t, len(shares), 1)
-
-		t.Cleanup(testClientHelper().Share.DropShareFunc(t, id))
 	})
 }
 

pkg/testacc/resource_share_acceptance_test.go

@@ -14,6 +14,7 @@ import (
 )
 
 // TODO [SNOW-1284394]: Unskip the test
+// TODO [SNOW-1348347]: Add more tests or merge with other tests.
 func TestAcc_Share(t *testing.T) {
 	t.Skip("second and third account must be set for Share acceptance tests")
 
@@ -70,6 +71,32 @@ func TestAcc_Share(t *testing.T) {
 	})
 }
 
+// TODO [SNOW-1348347]: Add more tests or merge with other tests.
+func TestAcc_Share_basic(t *testing.T) {
+	account2 := secondaryTestClient().Account.GetAccountIdentifier(t)
+
+	id := testClient().Ids.RandomAccountObjectIdentifier()
+
+	resource.Test(t, resource.TestCase{
+		ProtoV6ProviderFactories: TestAccProtoV6ProviderFactories,
+		TerraformVersionChecks: []tfversion.TerraformVersionCheck{
+			tfversion.RequireAbove(tfversion.Version1_5_0),
+		},
+		CheckDestroy: CheckDestroy(t, resources.Share),
+		Steps: []resource.TestStep{
+			{
+				Config: shareConfigOneAccount(id, "", account2.Name()),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr("snowflake_share.test", "name", id.Name()),
+					resource.TestCheckResourceAttr("snowflake_share.test", "fully_qualified_name", id.FullyQualifiedName()),
+					resource.TestCheckResourceAttr("snowflake_share.test", "accounts.#", "1"),
+					resource.TestCheckResourceAttr("snowflake_share.test", "accounts.0", account2.Name()),
+				),
+			},
+		},
+	})
+}
+
 func TestAcc_Share_validateAccounts(t *testing.T) {
 	id := testClient().Ids.RandomAccountObjectIdentifier()
 

pkg/testacc/resource_share_account_level_acceptance_test.go

@@ -0,0 +1,54 @@
+//go:build account_level_tests
+
+package testacc
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/Snowflake-Labs/terraform-provider-snowflake/pkg/acceptance/bettertestspoc/config"
+	"github.com/Snowflake-Labs/terraform-provider-snowflake/pkg/acceptance/bettertestspoc/config/providermodel"
+	"github.com/Snowflake-Labs/terraform-provider-snowflake/pkg/acceptance/testprofiles"
+	"github.com/Snowflake-Labs/terraform-provider-snowflake/pkg/provider/resources"
+	"github.com/Snowflake-Labs/terraform-provider-snowflake/pkg/sdk"
+	"github.com/hashicorp/terraform-plugin-testing/helper/resource"
+	"github.com/hashicorp/terraform-plugin-testing/tfversion"
+)
+
+func TestAcc_Share_2025_07(t *testing.T) {
+	secondaryTestClient().BcrBundles.EnableBcrBundle(t, "2025_07")
+	// NOTE: In this case, we swap the test client to the secondary test client from the TestAcc_Share_basic test.
+	// We enable the BCR bundle on the secondary test client, and make a share to the primary test client.
+	account2 := testClient().Account.GetAccountIdentifier(t)
+
+	id := secondaryTestClient().Ids.RandomAccountObjectIdentifier()
+
+	resource.Test(t, resource.TestCase{
+		ProtoV6ProviderFactories: secondaryAccountProviderFactory,
+		TerraformVersionChecks: []tfversion.TerraformVersionCheck{
+			tfversion.RequireAbove(tfversion.Version1_5_0),
+		},
+		CheckDestroy: CheckDestroy(t, resources.Share),
+		Steps: []resource.TestStep{
+			{
+				Config: shareConfigOneAccount(id, "", account2.Name()) + config.FromModels(t, providermodel.SnowflakeProvider().WithProfile(testprofiles.Secondary)),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr("snowflake_share.test", "name", id.Name()),
+					resource.TestCheckResourceAttr("snowflake_share.test", "fully_qualified_name", id.FullyQualifiedName()),
+					resource.TestCheckResourceAttr("snowflake_share.test", "accounts.#", "1"),
+					resource.TestCheckResourceAttr("snowflake_share.test", "accounts.0", account2.Name()),
+				),
+			},
+		},
+	})
+}
+
+func shareConfigOneAccount(shareId sdk.AccountObjectIdentifier, comment string, account string) string {
+	return fmt.Sprintf(`
+resource "snowflake_share" "test" {
+	name           = "%s"
+	comment        = "%s"
+	accounts       = ["%s"]
+}
+`, shareId.Name(), comment, account)
+}