coder
diff --git a/‎coderd/database/dbauthz/dbauthz.go‎
Lines changed: 7 additions & 0 deletions b/‎coderd/database/dbauthz/dbauthz.go‎
Lines changed: 7 additions & 0 deletions
diff --git a/‎coderd/database/dbauthz/dbauthz_test.go‎
Lines changed: 4 additions & 0 deletions b/‎coderd/database/dbauthz/dbauthz_test.go‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎coderd/database/dbmetrics/querymetrics.go‎
Lines changed: 7 additions & 0 deletions b/‎coderd/database/dbmetrics/querymetrics.go‎
Lines changed: 7 additions & 0 deletions
diff --git a/‎coderd/database/dbmock/dbmock.go‎
Lines changed: 15 additions & 0 deletions b/‎coderd/database/dbmock/dbmock.go‎
Lines changed: 15 additions & 0 deletions
diff --git a/‎coderd/database/dbpurge/dbpurge.go‎
Lines changed: 20 additions & 0 deletions b/‎coderd/database/dbpurge/dbpurge.go‎
Lines changed: 20 additions & 0 deletions
diff --git a/‎coderd/database/dbpurge/dbpurge_test.go‎
Lines changed: 217 additions & 0 deletions b/‎coderd/database/dbpurge/dbpurge_test.go‎
Lines changed: 217 additions & 0 deletions
diff --git a/‎coderd/database/querier.go‎
Lines changed: 1 addition & 0 deletions b/‎coderd/database/querier.go‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎coderd/database/queries.sql.go‎
Lines changed: 29 additions & 0 deletions b/‎coderd/database/queries.sql.go‎
Lines changed: 29 additions & 0 deletions
diff --git a/‎coderd/database/queries/connectionlogs.sql‎
Lines changed: 16 additions & 0 deletions b/‎coderd/database/queries/connectionlogs.sql‎
Lines changed: 16 additions & 0 deletions
@@ -1749,6 +1749,13 @@ func (q *querier) DeleteOldAuditLogConnectionEvents(ctx context.Context, thresho
 	return q.db.DeleteOldAuditLogConnectionEvents(ctx, threshold)
 }
 
+func (q *querier) DeleteOldConnectionLogs(ctx context.Context, arg database.DeleteOldConnectionLogsParams) (int64, error) {
+	if err := q.authorizeContext(ctx, policy.ActionDelete, rbac.ResourceSystem); err != nil {
+		return 0, err
+	}
+	return q.db.DeleteOldConnectionLogs(ctx, arg)
+}
+
 func (q *querier) DeleteOldNotificationMessages(ctx context.Context) error {
 	if err := q.authorizeContext(ctx, policy.ActionDelete, rbac.ResourceNotificationMessage); err != nil {
 		return err
 
@@ -355,6 +355,10 @@ func (s *MethodTestSuite) TestConnectionLogs() {
 		dbm.EXPECT().CountConnectionLogs(gomock.Any(), database.CountConnectionLogsParams{}).Return(int64(0), nil).AnyTimes()
 		check.Args(database.CountConnectionLogsParams{}, emptyPreparedAuthorized{}).Asserts(rbac.ResourceConnectionLog, policy.ActionRead)
 	}))
+	s.Run("DeleteOldConnectionLogs", s.Mocked(func(dbm *dbmock.MockStore, _ *gofakeit.Faker, check *expects) {
+		dbm.EXPECT().DeleteOldConnectionLogs(gomock.Any(), database.DeleteOldConnectionLogsParams{}).Return(int64(0), nil).AnyTimes()
+		check.Args(database.DeleteOldConnectionLogsParams{}).Asserts(rbac.ResourceSystem, policy.ActionDelete)
+	}))
 }
 
 func (s *MethodTestSuite) TestFile() {
 
@@ -25,6 +25,9 @@ const (
 	// but we won't touch the `connection_logs` table.
 	maxAuditLogConnectionEventAge    = 90 * 24 * time.Hour // 90 days
 	auditLogConnectionEventBatchSize = 1000
+	// Batch size for connection log deletion. Smaller batches prevent long-held
+	// locks that could impact concurrent database operations.
+	connectionLogsBatchSize = 1000
 	// Telemetry heartbeats are used to deduplicate events across replicas. We
 	// don't need to persist heartbeat rows for longer than 24 hours, as they
 	// are only used for deduplication across replicas. The time needs to be
@@ -111,9 +114,26 @@ func New(ctx context.Context, logger slog.Logger, db database.Store, vals *coder
 				return xerrors.Errorf("failed to delete old aibridge records: %w", err)
 			}
 
+			var purgedConnectionLogs int64
+			connectionLogsRetention := vals.Retention.ConnectionLogs.Value()
+			if connectionLogsRetention == 0 {
+				connectionLogsRetention = vals.Retention.Global.Value()
+			}
+			if connectionLogsRetention > 0 {
+				deleteConnectionLogsBefore := start.Add(-connectionLogsRetention)
+				purgedConnectionLogs, err = tx.DeleteOldConnectionLogs(ctx, database.DeleteOldConnectionLogsParams{
+					BeforeTime: deleteConnectionLogsBefore,
+					LimitCount: connectionLogsBatchSize,
+				})
+				if err != nil {
+					return xerrors.Errorf("failed to delete old connection logs: %w", err)
+				}
+			}
+
 			logger.Debug(ctx, "purged old database entries",
 				slog.F("expired_api_keys", expiredAPIKeys),
 				slog.F("aibridge_records", purgedAIBridgeRecords),
+				slog.F("connection_logs", purgedConnectionLogs),
 				slog.F("duration", clk.Since(start)),
 			)
 
 
@@ -759,6 +759,223 @@ func TestDeleteOldTelemetryHeartbeats(t *testing.T) {
 	}, testutil.WaitShort, testutil.IntervalFast, "it should delete old telemetry heartbeats")
 }
 
+func TestDeleteOldConnectionLogs(t *testing.T) {
+	t.Parallel()
+
+	t.Run("RetentionEnabled", func(t *testing.T) {
+		t.Parallel()
+
+		ctx := testutil.Context(t, testutil.WaitShort)
+
+		clk := quartz.NewMock(t)
+		now := time.Date(2025, 1, 15, 7, 30, 0, 0, time.UTC)
+		retentionPeriod := 30 * 24 * time.Hour                           // 30 days
+		afterThreshold := now.Add(-retentionPeriod).Add(-24 * time.Hour) // 31 days ago (older than threshold)
+		beforeThreshold := now.Add(-15 * 24 * time.Hour)                 // 15 days ago (newer than threshold)
+		clk.Set(now).MustWait(ctx)
+
+		db, _ := dbtestutil.NewDB(t, dbtestutil.WithDumpOnFailure())
+		logger := slogtest.Make(t, &slogtest.Options{IgnoreErrors: true})
+		user := dbgen.User(t, db, database.User{})
+		org := dbgen.Organization(t, db, database.Organization{})
+		_ = dbgen.OrganizationMember(t, db, database.OrganizationMember{UserID: user.ID, OrganizationID: org.ID})
+		tv := dbgen.TemplateVersion(t, db, database.TemplateVersion{OrganizationID: org.ID, CreatedBy: user.ID})
+		tmpl := dbgen.Template(t, db, database.Template{OrganizationID: org.ID, ActiveVersionID: tv.ID, CreatedBy: user.ID})
+		workspace := dbgen.Workspace(t, db, database.WorkspaceTable{
+			OwnerID:        user.ID,
+			OrganizationID: org.ID,
+			TemplateID:     tmpl.ID,
+		})
+
+		// Create old connection log (should be deleted)
+		oldLog := dbgen.ConnectionLog(t, db, database.UpsertConnectionLogParams{
+			ID:               uuid.New(),
+			Time:             afterThreshold,
+			OrganizationID:   org.ID,
+			WorkspaceOwnerID: user.ID,
+			WorkspaceID:      workspace.ID,
+			WorkspaceName:    workspace.Name,
+			AgentName:        "agent1",
+			Type:             database.ConnectionTypeSsh,
+			ConnectionStatus: database.ConnectionStatusConnected,
+		})
+
+		// Create recent connection log (should be kept)
+		recentLog := dbgen.ConnectionLog(t, db, database.UpsertConnectionLogParams{
+			ID:               uuid.New(),
+			Time:             beforeThreshold,
+			OrganizationID:   org.ID,
+			WorkspaceOwnerID: user.ID,
+			WorkspaceID:      workspace.ID,
+			WorkspaceName:    workspace.Name,
+			AgentName:        "agent2",
+			Type:             database.ConnectionTypeSsh,
+			ConnectionStatus: database.ConnectionStatusConnected,
+		})
+
+		// Run the purge with configured retention period
+		done := awaitDoTick(ctx, t, clk)
+		closer := dbpurge.New(ctx, logger, db, &codersdk.DeploymentValues{
+			Retention: codersdk.RetentionConfig{
+				ConnectionLogs: serpent.Duration(retentionPeriod),
+			},
+		}, clk)
+		defer closer.Close()
+		testutil.TryReceive(ctx, t, done)
+
+		// Verify results by querying all connection logs
+		logs, err := db.GetConnectionLogsOffset(ctx, database.GetConnectionLogsOffsetParams{
+			LimitOpt: 100,
+		})
+		require.NoError(t, err)
+
+		logIDs := make([]uuid.UUID, len(logs))
+		for i, log := range logs {
+			logIDs[i] = log.ConnectionLog.ID
+		}
+
+		require.NotContains(t, logIDs, oldLog.ID, "old connection log should be deleted")
+		require.Contains(t, logIDs, recentLog.ID, "recent connection log should be kept")
+	})
+
+	t.Run("RetentionDisabled", func(t *testing.T) {
+		t.Parallel()
+
+		ctx := testutil.Context(t, testutil.WaitShort)
+
+		clk := quartz.NewMock(t)
+		now := time.Date(2025, 1, 15, 7, 30, 0, 0, time.UTC)
+		oldTime := now.Add(-365 * 24 * time.Hour) // 1 year ago
+		clk.Set(now).MustWait(ctx)
+
+		db, _ := dbtestutil.NewDB(t, dbtestutil.WithDumpOnFailure())
+		logger := slogtest.Make(t, &slogtest.Options{IgnoreErrors: true})
+		user := dbgen.User(t, db, database.User{})
+		org := dbgen.Organization(t, db, database.Organization{})
+		_ = dbgen.OrganizationMember(t, db, database.OrganizationMember{UserID: user.ID, OrganizationID: org.ID})
+		tv := dbgen.TemplateVersion(t, db, database.TemplateVersion{OrganizationID: org.ID, CreatedBy: user.ID})
+		tmpl := dbgen.Template(t, db, database.Template{OrganizationID: org.ID, ActiveVersionID: tv.ID, CreatedBy: user.ID})
+		workspace := dbgen.Workspace(t, db, database.WorkspaceTable{
+			OwnerID:        user.ID,
+			OrganizationID: org.ID,
+			TemplateID:     tmpl.ID,
+		})
+
+		// Create old connection log (should NOT be deleted when retention is 0)
+		oldLog := dbgen.ConnectionLog(t, db, database.UpsertConnectionLogParams{
+			ID:               uuid.New(),
+			Time:             oldTime,
+			OrganizationID:   org.ID,
+			WorkspaceOwnerID: user.ID,
+			WorkspaceID:      workspace.ID,
+			WorkspaceName:    workspace.Name,
+			AgentName:        "agent1",
+			Type:             database.ConnectionTypeSsh,
+			ConnectionStatus: database.ConnectionStatusConnected,
+		})
+
+		// Run the purge with retention disabled (0)
+		done := awaitDoTick(ctx, t, clk)
+		closer := dbpurge.New(ctx, logger, db, &codersdk.DeploymentValues{
+			Retention: codersdk.RetentionConfig{
+				ConnectionLogs: serpent.Duration(0), // disabled
+			},
+		}, clk)
+		defer closer.Close()
+		testutil.TryReceive(ctx, t, done)
+
+		// Verify old log is still present
+		logs, err := db.GetConnectionLogsOffset(ctx, database.GetConnectionLogsOffsetParams{
+			LimitOpt: 100,
+		})
+		require.NoError(t, err)
+
+		logIDs := make([]uuid.UUID, len(logs))
+		for i, log := range logs {
+			logIDs[i] = log.ConnectionLog.ID
+		}
+
+		require.Contains(t, logIDs, oldLog.ID, "old connection log should NOT be deleted when retention is disabled")
+	})
+
+	t.Run("GlobalRetentionFallback", func(t *testing.T) {
+		t.Parallel()
+
+		ctx := testutil.Context(t, testutil.WaitShort)
+
+		clk := quartz.NewMock(t)
+		now := time.Date(2025, 1, 15, 7, 30, 0, 0, time.UTC)
+		retentionPeriod := 30 * 24 * time.Hour                           // 30 days
+		afterThreshold := now.Add(-retentionPeriod).Add(-24 * time.Hour) // 31 days ago (older than threshold)
+		beforeThreshold := now.Add(-15 * 24 * time.Hour)                 // 15 days ago (newer than threshold)
+		clk.Set(now).MustWait(ctx)
+
+		db, _ := dbtestutil.NewDB(t, dbtestutil.WithDumpOnFailure())
+		logger := slogtest.Make(t, &slogtest.Options{IgnoreErrors: true})
+		user := dbgen.User(t, db, database.User{})
+		org := dbgen.Organization(t, db, database.Organization{})
+		_ = dbgen.OrganizationMember(t, db, database.OrganizationMember{UserID: user.ID, OrganizationID: org.ID})
+		tv := dbgen.TemplateVersion(t, db, database.TemplateVersion{OrganizationID: org.ID, CreatedBy: user.ID})
+		tmpl := dbgen.Template(t, db, database.Template{OrganizationID: org.ID, ActiveVersionID: tv.ID, CreatedBy: user.ID})
+		workspace := dbgen.Workspace(t, db, database.WorkspaceTable{
+			OwnerID:        user.ID,
+			OrganizationID: org.ID,
+			TemplateID:     tmpl.ID,
+		})
+
+		// Create old connection log (should be deleted)
+		oldLog := dbgen.ConnectionLog(t, db, database.UpsertConnectionLogParams{
+			ID:               uuid.New(),
+			Time:             afterThreshold,
+			OrganizationID:   org.ID,
+			WorkspaceOwnerID: user.ID,
+			WorkspaceID:      workspace.ID,
+			WorkspaceName:    workspace.Name,
+			AgentName:        "agent1",
+			Type:             database.ConnectionTypeSsh,
+			ConnectionStatus: database.ConnectionStatusConnected,
+		})
+
+		// Create recent connection log (should be kept)
+		recentLog := dbgen.ConnectionLog(t, db, database.UpsertConnectionLogParams{
+			ID:               uuid.New(),
+			Time:             beforeThreshold,
+			OrganizationID:   org.ID,
+			WorkspaceOwnerID: user.ID,
+			WorkspaceID:      workspace.ID,
+			WorkspaceName:    workspace.Name,
+			AgentName:        "agent2",
+			Type:             database.ConnectionTypeSsh,
+			ConnectionStatus: database.ConnectionStatusConnected,
+		})
+
+		// Run the purge with global retention (connection logs retention is 0, so it falls back)
+		done := awaitDoTick(ctx, t, clk)
+		closer := dbpurge.New(ctx, logger, db, &codersdk.DeploymentValues{
+			Retention: codersdk.RetentionConfig{
+				Global:         serpent.Duration(retentionPeriod), // Use global
+				ConnectionLogs: serpent.Duration(0),               // Not set, should fall back to global
+			},
+		}, clk)
+		defer closer.Close()
+		testutil.TryReceive(ctx, t, done)
+
+		// Verify results
+		logs, err := db.GetConnectionLogsOffset(ctx, database.GetConnectionLogsOffsetParams{
+			LimitOpt: 100,
+		})
+		require.NoError(t, err)
+
+		logIDs := make([]uuid.UUID, len(logs))
+		for i, log := range logs {
+			logIDs[i] = log.ConnectionLog.ID
+		}
+
+		require.NotContains(t, logIDs, oldLog.ID, "old connection log should be deleted via global retention")
+		require.Contains(t, logIDs, recentLog.ID, "recent connection log should be kept")
+	})
+}
+
 func TestDeleteOldAIBridgeRecords(t *testing.T) {
 	t.Parallel()
 
 
@@ -239,6 +239,22 @@ WHERE
 	-- @authorize_filter
 ;
 
+-- name: DeleteOldConnectionLogs :one
+WITH old_logs AS (
+	SELECT id
+	FROM connection_logs
+	WHERE connect_time < @before_time::timestamp with time zone
+	ORDER BY connect_time ASC
+	LIMIT @limit_count
+),
+deleted_rows AS (
+	DELETE FROM connection_logs
+	USING old_logs
+	WHERE connection_logs.id = old_logs.id
+	RETURNING connection_logs.id
+)
+SELECT COUNT(deleted_rows.id) AS deleted_count FROM deleted_rows;
+
 -- name: UpsertConnectionLog :one
 INSERT INTO connection_logs (
 	id,