eventgrid: add support for shipping audit logs to log analytics

dev-infrastructure/modules/maestro/maestro-infra.bicep

@@ -24,6 +24,9 @@ param maxClientSessionsPerAuthName int
 ])
 param publicNetworkAccess string
 
+@description('Log Analytics Workspace ID if logging to Log Analytics')
+param logAnalyticsWorkspaceId string = ''
+
 param certificateIssuer string
 
 //
@@ -53,6 +56,44 @@ resource eventGridNamespace 'Microsoft.EventGrid/namespaces@2024-12-15-preview'
   }
 }
 
+resource eventGridNamespaceDiagnostics 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = if (logAnalyticsWorkspaceId != '') {
+  scope: eventGridNamespace
+  name: eventGridNamespaceName
+  properties: {
+    logs: [
+      {
+        category: 'SuccessfulMqttConnections'
+        enabled: true
+      }
+      {
+        category: 'FailedMqttConnections'
+        enabled: true
+      }
+      {
+        category: 'MqttDisconnections'
+        enabled: true
+      }
+      {
+        category: 'FailedMqttPublishedMessages'
+        enabled: true
+      }
+      {
+        category: 'FailedMqttSubscriptionOperations'
+        enabled: true
+      }
+      {
+        category: 'SuccessfulHttpDataPlaneOperations'
+        enabled: true
+      }
+      {
+        category: 'FailedHttpDataPlaneOperations'
+        enabled: true
+      }
+    ]
+    workspaceId: logAnalyticsWorkspaceId
+  }
+}
+
 // find a better way to register the OneCert
 resource certificateSignerCA 'Microsoft.EventGrid/namespaces/caCertificates@2024-12-15-preview' = if (startsWith(
   certificateIssuer,

dev-infrastructure/templates/region.bicep

@@ -158,6 +158,7 @@ module maestroInfra '../modules/maestro/maestro-infra.bicep' = {
     maxClientSessionsPerAuthName: maestroEventGridMaxClientSessionsPerAuthName
     publicNetworkAccess: maestroEventGridPrivate ? 'Disabled' : 'Enabled'
     certificateIssuer: maestroCertificateIssuer
+    logAnalyticsWorkspaceId: logAnalyticsWorkspace.id
   }
 }