Add optional transitive members in group data source

internal/services/groups/group_data_source.go

@@ -148,6 +148,13 @@ func groupDataSource() *pluginsdk.Resource {
 				},
 			},
 
+			"include_transitive_members": {
+				Description: "Specifies whether to include transitive members (a flat list of all nested members).",
+				Type:        pluginsdk.TypeBool,
+				Optional:    true,
+				Default:     false,
+			},
+
 			"onpremises_domain_name": {
 				Description: "The on-premises FQDN, also called dnsDomainName, synchronized from the on-premises directory when Azure AD Connect is used",
 				Type:        pluginsdk.TypeString,
@@ -423,9 +430,20 @@ func groupDataSourceRead(ctx context.Context, d *pluginsdk.ResourceData, meta in
 	tf.Set(d, "hide_from_address_lists", hideFromAddressLists)
 	tf.Set(d, "hide_from_outlook_clients", hideFromOutlookClients)
 
-	members, _, err := client.ListMembers(ctx, d.Id())
-	if err != nil {
-		return tf.ErrorDiagF(err, "Could not retrieve group members for group with object ID: %q", d.Id())
+	includeTransitiveMembers := d.Get("include_transitive_members").(bool)
+	var members *[]string
+	if includeTransitiveMembers {
+		var err error
+		members, _, err = client.ListTransitiveMembers(ctx, d.Id())
+		if err != nil {
+			return tf.ErrorDiagF(err, "Could not retrieve transitive group members for group with object ID: %q", d.Id())
+		}
+	} else {
+		var err error
+		members, _, err = client.ListMembers(ctx, d.Id())
+		if err != nil {
+			return tf.ErrorDiagF(err, "Could not retrieve group members for group with object ID: %q", d.Id())
+		}
 	}
 	tf.Set(d, "members", members)
 

internal/services/groups/group_data_source_test.go

@@ -159,6 +159,20 @@ func TestAccGroupDataSource_members(t *testing.T) {
 	})
 }
 
+func TestAccGroupDataSource_transitiveMembers(t *testing.T) {
+	data := acceptance.BuildTestData(t, "data.azuread_group", "test")
+
+	data.DataSourceTest(t, []acceptance.TestStep{
+		{
+			Config: GroupDataSource{}.transitiveMembers(data),
+			Check: acceptance.ComposeTestCheckFunc(
+				check.That(data.ResourceName).Key("display_name").HasValue(fmt.Sprintf("acctestGroup-%d", data.RandomInteger)),
+				check.That(data.ResourceName).Key("members.#").HasValue("4"),
+			),
+		},
+	})
+}
+
 func TestAccGroupDataSource_owners(t *testing.T) {
 	data := acceptance.BuildTestData(t, "data.azuread_group", "test")
 
@@ -314,6 +328,17 @@ data "azuread_group" "test" {
 `, GroupResource{}.withThreeMembers(data))
 }
 
+func (GroupDataSource) transitiveMembers(data acceptance.TestData) string {
+	return fmt.Sprintf(`
+%[1]s
+
+data "azuread_group" "test" {
+  object_id                  = azuread_group.test.object_id
+  include_transitive_members = true
+}
+`, GroupResource{}.withTransitiveMembers(data))
+}
+
 func (GroupDataSource) dynamicMembership(data acceptance.TestData) string {
 	return fmt.Sprintf(`
 %[1]s

internal/services/groups/group_resource_test.go

@@ -954,6 +954,30 @@ resource "azuread_group" "test" {
 `, r.templateThreeUsers(data), data.RandomInteger)
 }
 
+func (r GroupResource) withTransitiveMembers(data acceptance.TestData) string {
+	return fmt.Sprintf(`
+%[1]s
+
+resource "azuread_group" "nested" {
+  display_name     = "acctestGroup-%[2]d-Nested"
+  security_enabled = true
+  members = [
+    azuread_user.test.object_id,
+    azuread_group.member.object_id,
+    azuread_service_principal.test.object_id
+  ]
+}
+
+resource "azuread_group" "test" {
+  display_name     = "acctestGroup-%[2]d"
+  security_enabled = true
+  members = [
+	azuread_group.nested.object_id
+  ]
+}
+`, r.templateDiverseDirectoryObjects(data), data.RandomInteger)
+}
+
 func (r GroupResource) withOwnersAndMembers(data acceptance.TestData) string {
 	return fmt.Sprintf(`
 %[1]s