chore: Handle BCR 2025-06 (#4036)

sfc-gh-jmichalak · web-flow · commit a009b165e831 · 2025-09-19T09:43:21.000+02:00
- Update the BCR Migration guide with an 2025_06 entry.
- Add notes about missing features in resource documentation.
- Fix pre-push.
- Adjust service test assertions.

## TODO
- Adjust the authentication policy resource to this BCR (SNOW-2332934)

## References
SNOW-2301041
diff --git a/SNOWFLAKE_BCR_MIGRATION_GUIDE.md b/SNOWFLAKE_BCR_MIGRATION_GUIDE.md
@@ -32,19 +32,48 @@ To use the provider with the bundles containing this change:
 
 Reference: [BCR-1944](https://docs.snowflake.com/release-notes/bcr-bundles/un-bundled/bcr-1944)
 
-### `MFA_AUTHENTICATION_METHODS` property in authentication policies is now deprecated
+## [Bundle 2025_06](https://docs.snowflake.com/en/release-notes/bcr-bundles/2025_06_bundle)
+
+### Changes in authentication policies
 <!-- TODO(SNOW-2187814): Update this entry. -->
 
 > [!IMPORTANT]
-> This change has been rolled back from the BCR 2025_04.
+> The [BCR-2086](https://docs.snowflake.com/en/release-notes/bcr-bundles/2025_06/bcr-2086) change has been rolled back from the BCR 2025_04 and was moved to 2025_06.
 
 > [!IMPORTANT]
-> This change has not been addressed in the provider yet. This will be addressed in the next versions of the provider.
+> These change has not been addressed in the provider yet. They will be addressed in the next versions of the provider.
+> As a workaround, please use the [execute](https://registry.terraform.io/providers/snowflakedb/snowflake/latest/docs/resources/execute) resource.
 
 The `MFA_AUTHENTICATION_METHODS` property is deprecated. Setting the `MFA_AUTHENTICATION_METHODS` property returns an error. If you use the [authentication_policy](https://registry.terraform.io/providers/snowflakedb/snowflake/latest/docs/resources/authentication_policy) resource with `mfa_authentication_methods` field
 and have this bundle enabled, the provider will return an error.
+The new way of handling authentication methods is `ENFORCE_MFA_ON_EXTERNAL_AUTHENTICATION` which will be handled in this resource in the next versions.
 
-Reference: [BCR-1971](https://docs.snowflake.com/en/release-notes/bcr-bundles/2025_04/bcr-1971)
+Additionally, the allowed values for `MFA_ENROLLMENT` are changed: `OPTIONAL` is removed and `REQUIRED_PASSWORD_ONLY` and `REQUIRED_SNOWFLAKE_UI_PASSWORD_ONLY` are added.
+
+
+Reference: [BCR-2086](https://docs.snowflake.com/en/release-notes/bcr-bundles/2025_06/bcr-2086), [BCR-2097](https://docs.snowflake.com/en/release-notes/bcr-bundles/2025_06/bcr-2097)
+
+### Snowflake OAuth authentication: Change in the network policy used for a request from client to Snowflake
+
+This change modifies the behavior of authentication with active network policies. Please verify that your network policy configuration allows connection by the provider after activating this change.
+
+Additionally, this change adds the possibility to assign network policies to External Oauth integrations.
+
+Setting the `network_policy` field in `external_oauth_integration` resource is not yet supported in the provider, and it will be handled in the future. As a workaround, please use the [execute](https://registry.terraform.io/providers/snowflakedb/snowflake/latest/docs/resources/execute) resource.
+
+Reference: [BCR-2094](https://docs.snowflake.com/en/release-notes/bcr-bundles/2025_06/bcr-2094)
+
+### Snowpark Container Services job service: Retention-time increase
+
+In the provider, the job_service resource forces setting the `ASYNC` option.
+
+Before the change, Snowflake automatically deletes the job service 7 days after completion.
+
+After the change, Snowflake retains job services for 14 days after completion.
+
+In most cases, this change in Snowflake should have no effect on the provider. Optionally, you can manually drop the completed jobs.
+
+Reference: [BCR-2093](https://docs.snowflake.com/en/release-notes/bcr-bundles/2025_06/bcr-2093)
 
 ## [Bundle 2025_05](https://docs.snowflake.com/en/release-notes/bcr-bundles/2025_05_bundle)
 
diff --git a/docs/resources/authentication_policy.md b/docs/resources/authentication_policy.md
@@ -9,6 +9,8 @@ description: |-
 
 !> **Note** According to Snowflake [docs](https://docs.snowflake.com/en/sql-reference/sql/drop-authentication-policy#usage-notes), an authentication policy cannot be dropped successfully if it is currently assigned to another object. Currently, the provider does not unassign such objects automatically. Before dropping the resource, first unassign the policy from the relevant objects. See [guide](../guides/unassigning_policies) for more details.
 
+-> **Note** This resource is not yet adjusted to the changes in BCR 2025_06 (see our [BCR Migration Guide](https://github.com/snowflakedb/terraform-provider-snowflake/blob/main/SNOWFLAKE_BCR_MIGRATION_GUIDE.md#bundle-2025_06)). As a workaround, please use the [execute](https://registry.terraform.io/providers/snowflakedb/snowflake/latest/docs/resources/execute) resource.
+
 # snowflake_authentication_policy (Resource)
 
 Resource used to manage authentication policy objects. For more information, check [authentication policy documentation](https://docs.snowflake.com/en/sql-reference/sql/create-authentication-policy).
diff --git a/docs/resources/external_oauth_integration.md b/docs/resources/external_oauth_integration.md
@@ -7,6 +7,10 @@ description: |-
 
 !> **Note** The provider does not detect external changes on security integration type. In this case, remove the integration of wrong type manually with `terraform destroy` and recreate the resource. It will be addressed in the future.
 
+<!-- TODO(SNOW-1844996): Remove this note.-->
+-> **Note** Field `NETWORK_POLICY` added in BCR 2025_06 (read our [BCR Migration Guide](https://github.com/snowflakedb/terraform-provider-snowflake/blob/main/SNOWFLAKE_BCR_MIGRATION_GUIDE.md#bundle-2025_06)) is currently missing. It will be added in the future.
+As a workaround, please use the [execute](https://registry.terraform.io/providers/snowflakedb/snowflake/latest/docs/resources/execute) resource.
+
 # snowflake_external_oauth_integration (Resource)
 
 Resource used to manage external oauth security integration objects. For more information, check [security integrations documentation](https://docs.snowflake.com/en/sql-reference/sql/create-security-integration-oauth-external).
diff --git a/pkg/acceptance/bettertestspoc/assert/objectassert/semantic_view_describe_snowflake_ext.go b/pkg/acceptance/bettertestspoc/assert/objectassert/semantic_view_describe_snowflake_ext.go
@@ -22,6 +22,7 @@ func SemanticViewDetails(t *testing.T, id sdk.SchemaObjectIdentifier) *SemanticV
 	return &SemanticViewDetailsAssert{
 		assert.NewSnowflakeObjectAssertWithTestClientObjectProvider(sdk.ObjectTypeSemanticView, id, func(testClient *helpers.TestClient) assert.ObjectProvider[SemanticViewDetailsCollection, sdk.SchemaObjectIdentifier] {
 			return func(t *testing.T, id sdk.SchemaObjectIdentifier) (*SemanticViewDetailsCollection, error) {
+				t.Helper()
 				details, err := testClient.SemanticView.Describe(t, id)
 				if err != nil {
 					return nil, err
@@ -61,20 +62,20 @@ func (s *SemanticViewDetailsAssert) ContainsDetail(expected sdk.SemanticViewDeta
 }
 
 func NewSemanticViewDetails(
-	ObjectKind string,
-	ObjectName string,
-	ParentEntity *string,
-	Property string,
-	PropertyValue string,
+	objectKind string,
+	objectName string,
+	parentEntity *string,
+	property string,
+	propertyValue string,
 ) sdk.SemanticViewDetails {
 	details := sdk.SemanticViewDetails{
-		ObjectKind:    ObjectKind,
-		ObjectName:    ObjectName,
-		Property:      Property,
-		PropertyValue: PropertyValue,
+		ObjectKind:    objectKind,
+		ObjectName:    objectName,
+		Property:      property,
+		PropertyValue: propertyValue,
 	}
-	if ParentEntity != nil {
-		details.ParentEntity = ParentEntity
+	if parentEntity != nil {
+		details.ParentEntity = parentEntity
 	}
 
 	return details
diff --git a/pkg/sdk/testint/semantic_view_integration_test.go b/pkg/sdk/testint/semantic_view_integration_test.go
@@ -102,13 +102,13 @@ func TestInt_SemanticView(t *testing.T) {
 		).WithRelationshipAlias(*relAliasRequest).WithRelationshipRefColumnNames([]sdk.SemanticViewColumnRequest{*relRefCol})
 
 		// facts
-		factSynonymRequest := sdk.NewSynonymsRequest().WithWithSynonyms([]sdk.Synonym{{"F1"}})
+		factSynonymRequest := sdk.NewSynonymsRequest().WithWithSynonyms([]sdk.Synonym{{Synonym: "F1"}})
 		factSemanticExpression := sdk.NewSemanticExpressionRequest(&sdk.QualifiedExpressionNameRequest{QualifiedExpressionName: "table1.fact1"}, &sdk.SemanticSqlExpressionRequest{SqlExpression: "FIRST_C"}).
 			WithSynonyms(*factSynonymRequest).
 			WithComment("fact comment")
 
 		// dimensions
-		dimensionSynonymRequest := sdk.NewSynonymsRequest().WithWithSynonyms([]sdk.Synonym{{"D1"}})
+		dimensionSynonymRequest := sdk.NewSynonymsRequest().WithWithSynonyms([]sdk.Synonym{{Synonym: "D1"}})
 		dimensionSemanticExpression := sdk.NewSemanticExpressionRequest(&sdk.QualifiedExpressionNameRequest{QualifiedExpressionName: "table1.FIRST_C"}, &sdk.SemanticSqlExpressionRequest{SqlExpression: "table1.FIRST_C"}).
 			WithSynonyms(*dimensionSynonymRequest).
 			WithComment("dimension comment")
diff --git a/pkg/testacc/resource_service_acceptance_test.go b/pkg/testacc/resource_service_acceptance_test.go
@@ -630,8 +630,8 @@ func TestAcc_Service_basic_fromSpecification(t *testing.T) {
 						HasIsUpgrading(false).
 						HasManagingObjectDomainEmpty().
 						HasManagingObjectNameEmpty(),
-					assert.Check(resource.TestCheckResourceAttrWith(modelBasic.ResourceReference(), "show_output.0.current_instances", customassert.BetweenFunc(0, 1))),
-					assert.Check(resource.TestCheckResourceAttrWith(modelBasic.ResourceReference(), "show_output.0.target_instances", customassert.BetweenFunc(0, 1))),
+					assert.Check(resource.TestCheckResourceAttrWith(modelBasic.ResourceReference(), "show_output.0.current_instances", customassert.BetweenFunc(0, 2))),
+					assert.Check(resource.TestCheckResourceAttrWith(modelBasic.ResourceReference(), "show_output.0.target_instances", customassert.BetweenFunc(0, 2))),
 					assert.Check(resource.TestCheckResourceAttr(modelBasic.ResourceReference(), "describe_output.0.name", id.Name())),
 					assert.Check(resource.TestCheckResourceAttr(modelBasic.ResourceReference(), "describe_output.0.status", string(sdk.ServiceStatusPending))),
 					assert.Check(resource.TestCheckResourceAttr(modelBasic.ResourceReference(), "describe_output.0.database_name", id.DatabaseName())),
@@ -640,8 +640,8 @@ func TestAcc_Service_basic_fromSpecification(t *testing.T) {
 					assert.Check(resource.TestCheckResourceAttr(modelBasic.ResourceReference(), "describe_output.0.compute_pool", computePool.ID().Name())),
 					assert.Check(resource.TestCheckResourceAttrSet(modelBasic.ResourceReference(), "describe_output.0.spec")),
 					assert.Check(resource.TestCheckResourceAttrSet(modelBasic.ResourceReference(), "describe_output.0.dns_name")),
-					assert.Check(resource.TestCheckResourceAttrWith(modelBasic.ResourceReference(), "describe_output.0.current_instances", customassert.BetweenFunc(0, 1))),
-					assert.Check(resource.TestCheckResourceAttrWith(modelBasic.ResourceReference(), "describe_output.0.target_instances", customassert.BetweenFunc(0, 1))),
+					assert.Check(resource.TestCheckResourceAttrWith(modelBasic.ResourceReference(), "describe_output.0.current_instances", customassert.BetweenFunc(0, 2))),
+					assert.Check(resource.TestCheckResourceAttrWith(modelBasic.ResourceReference(), "describe_output.0.target_instances", customassert.BetweenFunc(0, 2))),
 					assert.Check(resource.TestCheckResourceAttr(modelBasic.ResourceReference(), "describe_output.0.min_ready_instances", "1")),
 					assert.Check(resource.TestCheckResourceAttr(modelBasic.ResourceReference(), "describe_output.0.min_instances", "1")),
 					assert.Check(resource.TestCheckResourceAttr(modelBasic.ResourceReference(), "describe_output.0.max_instances", "1")),
diff --git a/templates/resources/authentication_policy.md.tmpl b/templates/resources/authentication_policy.md.tmpl
@@ -13,6 +13,8 @@ description: |-
 
 !> **Note** According to Snowflake [docs](https://docs.snowflake.com/en/sql-reference/sql/drop-authentication-policy#usage-notes), an authentication policy cannot be dropped successfully if it is currently assigned to another object. Currently, the provider does not unassign such objects automatically. Before dropping the resource, first unassign the policy from the relevant objects. See [guide](../guides/unassigning_policies) for more details.
 
+-> **Note** This resource is not yet adjusted to the changes in BCR 2025_06 (see our [BCR Migration Guide](https://github.com/snowflakedb/terraform-provider-snowflake/blob/main/SNOWFLAKE_BCR_MIGRATION_GUIDE.md#bundle-2025_06)). As a workaround, please use the [execute](https://registry.terraform.io/providers/snowflakedb/snowflake/latest/docs/resources/execute) resource.
+
 # {{.Name}} ({{.Type}})
 
 {{ .Description | trimspace }}
diff --git a/templates/resources/external_oauth_integration.md.tmpl b/templates/resources/external_oauth_integration.md.tmpl
@@ -11,6 +11,10 @@ description: |-
 
 !> **Note** The provider does not detect external changes on security integration type. In this case, remove the integration of wrong type manually with `terraform destroy` and recreate the resource. It will be addressed in the future.
 
+<!-- TODO(SNOW-1844996): Remove this note.-->
+-> **Note** Field `NETWORK_POLICY` added in BCR 2025_06 (read our [BCR Migration Guide](https://github.com/snowflakedb/terraform-provider-snowflake/blob/main/SNOWFLAKE_BCR_MIGRATION_GUIDE.md#bundle-2025_06)) is currently missing. It will be added in the future.
+As a workaround, please use the [execute](https://registry.terraform.io/providers/snowflakedb/snowflake/latest/docs/resources/execute) resource.
+
 # {{.Name}} ({{.Type}})
 
 {{ .Description | trimspace }}
