@Copilot Copilot AI commented Aug 29, 2025

This PR adds support for enabling DNS proxy functionality on Azure Firewall through a new optional enableDnsProxy parameter. When enabled, this allows the firewall to act as a DNS proxy and forward DNS requests to configured DNS servers, which is required when using network rules with FQDN destinations.

Changes Made

Core Implementation

  • Added enableDnsProxy parameter (optional, defaults to false)
  • Updated Azure Firewall resource to conditionally include additionalProperties with Network.DNS.EnableProxy: 'true' when DNS proxy is enabled
  • Applied to both VNet and Hub deployment scenarios using union() function for clean conditional merging

Documentation

  • Updated README.md with parameter documentation following existing patterns
  • Added CHANGELOG.md entry for version 0.8.2

Testing

  • Updated max test case to include enableDnsProxy: true for comprehensive testing
  • Updated basic test case to validate compatibility with Basic SKU

Example Usage

module azureFirewall 'br/public:avm/res/network/azure-firewall:<version>' = {
  name: 'firewallDeployment'
  params: {
    name: 'my-firewall'
    virtualNetworkResourceId: vnetId
    enableDnsProxy: true  // Enable DNS proxy functionality
    // ... other parameters
  }
}

When enableDnsProxy is true, the generated ARM template will include:

"additionalProperties": {
  "Network.DNS.EnableProxy": "true"
}

This implementation maintains full backwards compatibility as the parameter defaults to false, preserving existing behavior for current deployments.

Fixes #4998.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • live-data.bicep.azure.com
    • Triggering command: bicep build main.bicep (dns block)
    • Triggering command: bicep build main.bicep --stdout (dns block)
    • Triggering command: bicep build test_syntax.bicep (dns block)

If you need me to access, download, or install something from one of these locations, you can either:


✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.
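
The PR description above ties DNS proxy to network rules with FQDN destinations. As an added example (not code from this PR or the AVM module), the following Python check scans an ARM template for `Microsoft.Network/azureFirewalls` resources that define such rules without the `Network.DNS.EnableProxy` flag. The function name and the sample template are constructed for illustration, and the check assumes classic rule collections with literal (already evaluated) property values.

```python
import json

PROXY_KEY = "Network.DNS.EnableProxy"  # additionalProperties key quoted in the PR description

# Constructed sample template (not from the PR): one firewall with an FQDN
# network rule and no DNS proxy flag, one with the flag set to "true".
SAMPLE = json.loads("""
{"resources": [
  {"type": "Microsoft.Network/azureFirewalls", "name": "fw-no-proxy",
   "properties": {"networkRuleCollections": [{"name": "c1", "properties": {
     "rules": [{"name": "r1", "protocols": ["TCP"], "sourceAddresses": ["10.0.0.0/24"],
                "destinationFqdns": ["example.com"], "destinationPorts": ["443"]}]}}]}},
  {"type": "Microsoft.Network/azureFirewalls", "name": "fw-proxy",
   "properties": {"additionalProperties": {"Network.DNS.EnableProxy": "true"},
     "networkRuleCollections": [{"name": "c1", "properties": {
       "rules": [{"name": "r1", "destinationFqdns": ["example.com"]}]}}]}}
]}
""")


def firewalls_missing_dns_proxy(template):
    """Return names of firewalls that have FQDN network rules but no DNS proxy flag."""
    resources = template.get("resources", [])
    if isinstance(resources, dict):  # symbolic-name templates use an object here
        resources = list(resources.values())
    findings = []
    for res in resources:
        if str(res.get("type", "")).lower() != "microsoft.network/azurefirewalls":
            continue
        props = res.get("properties")
        if not isinstance(props, dict):  # unevaluated ARM expression: cannot inspect
            continue
        extra = props.get("additionalProperties")
        if not isinstance(extra, dict):  # absent or an expression: treat as not set
            extra = {}
        proxy_on = str(extra.get(PROXY_KEY, "")).lower() == "true"
        uses_fqdn = any(
            rule.get("destinationFqdns")
            for coll in props.get("networkRuleCollections") or []
            for rule in (coll.get("properties") or {}).get("rules") or []
        )
        if uses_fqdn and not proxy_on:
            findings.append(res.get("name", "<unnamed>"))
    return findings


if __name__ == "__main__":
    print(firewalls_missing_dns_proxy(SAMPLE))
```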

Important

The "Needs: Triage 🔍" label must be removed once the triage process is complete!

Tip

For additional guidance on how to triage this issue/PR, see the BRM Issue Triage documentation.

@microsoft-github-policy-service microsoft-github-policy-service bot added Needs: Triage 🔍 Maintainers need to triage still Type: AVM 🅰️ ✌️ Ⓜ️ This is an AVM related issue labels Aug 29, 2025

Important

If this is a module-related PR, being submitted by the sole owner of the module, the AVM core team must review and approve it (as module owners can't approve their own PRs).

To indicate this PR needs the core team's attention, apply the "Needs: Core Team 🧞" label!

The core team will only review and approve PRs that have this label applied!

Warning

FAO: AVM Core Team

When merging this PR it will trigger all AVM modules to be triggered! Please consider disabling the GitHub actions prior to merging and then re-enable once merged.

@Copilot Copilot AI changed the title from "[WIP] [AVM Module Issue]: Missing option in Azure Firewall module DNS Proxy" to "Add DNS proxy support to Azure Firewall module" Aug 29, 2025
@Copilot Copilot AI requested a review from hundredacres August 29, 2025 19:17
Copilot finished work on behalf of hundredacres August 29, 2025 19:17
minCapacity: autoscaleMinCapacity
}
firewallPolicy: !empty(firewallPolicyId)
? union(
Would highly recommend to use shallowMerge() via ...(condition ? { properties} : {}) instead of union to preserve linter support
