coder
diff --git a/‎cli/testdata/coder_server_--help.golden‎
Lines changed: 5 additions & 0 deletions b/‎cli/testdata/coder_server_--help.golden‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎cli/testdata/server-config.yaml.golden‎
Lines changed: 5 additions & 0 deletions b/‎cli/testdata/server-config.yaml.golden‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎coderd/database/dbpurge/dbpurge.go‎
Lines changed: 8 additions & 3 deletions b/‎coderd/database/dbpurge/dbpurge.go‎
Lines changed: 8 additions & 3 deletions
diff --git a/‎coderd/database/dbpurge/dbpurge_test.go‎
Lines changed: 97 additions & 0 deletions b/‎coderd/database/dbpurge/dbpurge_test.go‎
Lines changed: 97 additions & 0 deletions
diff --git a/‎codersdk/deployment.go‎
Lines changed: 14 additions & 0 deletions b/‎codersdk/deployment.go‎
Lines changed: 14 additions & 0 deletions
diff --git a/‎docs/admin/setup/data-retention.md‎
Lines changed: 22 additions & 8 deletions b/‎docs/admin/setup/data-retention.md‎
Lines changed: 22 additions & 8 deletions
@@ -725,6 +725,11 @@ that data type.
           disable (data is kept indefinitely unless individual settings are
           configured).
 
+      --workspace-agent-logs-retention duration, $CODER_WORKSPACE_AGENT_LOGS_RETENTION (default: 7d)
+          How long workspace agent logs are retained. Logs from non-latest
+          workspace builds are deleted after this period to free up storage
+          space. Set to 0 to disable automatic deletion of workspace agent logs.
+
 TELEMETRY OPTIONS: 
 Telemetry is critical to our ability to improve Coder. We strip all personal
 information before sending data to our servers. Please only disable telemetry
 
@@ -780,3 +780,8 @@ retention:
   # an expired key. Set to 0 to disable automatic deletion of expired keys.
   # (default: 7d, type: duration)
   api_keys: 168h0m0s
+  # How long workspace agent logs are retained. Logs from non-latest workspace
+  # builds are deleted after this period to free up storage space. Set to 0 to
+  # disable automatic deletion of workspace agent logs.
+  # (default: 7d, type: duration)
+  workspace_agent_logs: 168h0m0s
@@ -18,8 +18,7 @@ import (
 )
 
 const (
-	delay          = 10 * time.Minute
-	maxAgentLogAge = 7 * 24 * time.Hour
+	delay = 10 * time.Minute
 	// Connection events are now inserted into the `connection_logs` table.
 	// We'll slowly remove old connection events from the `audit_logs` table,
 	// but we won't touch the `connection_logs` table.
@@ -36,6 +35,8 @@ const (
 	// long enough to cover the maximum interval of a heartbeat event (currently
 	// 1 hour) plus some buffer.
 	maxTelemetryHeartbeatAge = 24 * time.Hour
+	// Default retention period for workspace agent logs.
+	defaultWorkspaceAgentLogsRetention = 7 * 24 * time.Hour
 )
 
 // New creates a new periodically purging database instance.
@@ -67,7 +68,11 @@ func New(ctx context.Context, logger slog.Logger, db database.Store, vals *coder
 				return nil
 			}
 
-			deleteOldWorkspaceAgentLogsBefore := start.Add(-maxAgentLogAge)
+			workspaceAgentLogsRetention := vals.Retention.WorkspaceAgentLogs.Value()
+			if workspaceAgentLogsRetention == 0 {
+				workspaceAgentLogsRetention = defaultWorkspaceAgentLogsRetention
+			}
+			deleteOldWorkspaceAgentLogsBefore := start.Add(-workspaceAgentLogsRetention)
 			if err := tx.DeleteOldWorkspaceAgentLogs(ctx, deleteOldWorkspaceAgentLogsBefore); err != nil {
 				return xerrors.Errorf("failed to delete old workspace agent logs: %w", err)
 			}
 
@@ -392,6 +392,103 @@ func mustCreateAgentLogs(ctx context.Context, t *testing.T, db database.Store, a
 	require.NotEmpty(t, agentLogs, "agent logs must be present")
 }
 
+//nolint:paralleltest // It uses LockIDDBPurge.
+func TestDeleteOldWorkspaceAgentLogsWithCustomRetention(t *testing.T) {
+	t.Run("CustomRetention30Days", func(t *testing.T) {
+		ctx := testutil.Context(t, testutil.WaitShort)
+		clk := quartz.NewMock(t)
+		now := dbtime.Now()
+		retentionPeriod := 30 * 24 * time.Hour
+		threshold := now.Add(-retentionPeriod)
+		beforeThreshold := threshold.Add(-24 * time.Hour) // 31 days ago
+		afterThreshold := threshold.Add(24 * time.Hour)   // 29 days ago
+		clk.Set(now).MustWait(ctx)
+
+		db, _ := dbtestutil.NewDB(t, dbtestutil.WithDumpOnFailure())
+		org := dbgen.Organization(t, db, database.Organization{})
+		user := dbgen.User(t, db, database.User{})
+		_ = dbgen.OrganizationMember(t, db, database.OrganizationMember{UserID: user.ID, OrganizationID: org.ID})
+		tv := dbgen.TemplateVersion(t, db, database.TemplateVersion{OrganizationID: org.ID, CreatedBy: user.ID})
+		tmpl := dbgen.Template(t, db, database.Template{OrganizationID: org.ID, ActiveVersionID: tv.ID, CreatedBy: user.ID})
+
+		logger := slogtest.Make(t, &slogtest.Options{IgnoreErrors: true})
+
+		// Workspace with two builds, both before the 30-day threshold.
+		ws := dbgen.Workspace(t, db, database.WorkspaceTable{Name: "test-ws", OwnerID: user.ID, OrganizationID: org.ID, TemplateID: tmpl.ID})
+		wb1 := mustCreateWorkspaceBuild(t, db, org, tv, ws.ID, beforeThreshold, 1)
+		wb2 := mustCreateWorkspaceBuild(t, db, org, tv, ws.ID, beforeThreshold, 2)
+		agent1 := mustCreateAgent(t, db, wb1)
+		agent2 := mustCreateAgent(t, db, wb2)
+		mustCreateAgentLogs(ctx, t, db, agent1, &beforeThreshold, "agent 1 logs should be deleted")
+		mustCreateAgentLogs(ctx, t, db, agent2, &beforeThreshold, "agent 2 logs should be retained")
+
+		// Workspace with build after the 30-day threshold.
+		wsRecent := dbgen.Workspace(t, db, database.WorkspaceTable{Name: "recent-ws", OwnerID: user.ID, OrganizationID: org.ID, TemplateID: tmpl.ID})
+		wbRecent := mustCreateWorkspaceBuild(t, db, org, tv, wsRecent.ID, afterThreshold, 1)
+		agentRecent := mustCreateAgent(t, db, wbRecent)
+		mustCreateAgentLogs(ctx, t, db, agentRecent, &afterThreshold, "recent agent logs should be retained")
+
+		done := awaitDoTick(ctx, t, clk)
+		closer := dbpurge.New(ctx, logger, db, &codersdk.DeploymentValues{
+			Retention: codersdk.RetentionConfig{
+				WorkspaceAgentLogs: serpent.Duration(retentionPeriod),
+			},
+		}, clk)
+		defer closer.Close()
+		testutil.TryReceive(ctx, t, done)
+
+		// Agent 1 logs should be deleted (non-latest build, older than 30 days).
+		assertNoWorkspaceAgentLogs(ctx, t, db, agent1.ID)
+		// Agent 2 logs should be retained (latest build).
+		assertWorkspaceAgentLogs(ctx, t, db, agent2.ID, "agent 2 logs should be retained")
+		// Recent agent logs should be retained (within 30-day threshold).
+		assertWorkspaceAgentLogs(ctx, t, db, agentRecent.ID, "recent agent logs should be retained")
+	})
+
+	t.Run("RetentionDisabled", func(t *testing.T) {
+		ctx := testutil.Context(t, testutil.WaitShort)
+		clk := quartz.NewMock(t)
+		now := dbtime.Now()
+		// Very old logs (60 days ago).
+		veryOld := now.Add(-60 * 24 * time.Hour)
+		clk.Set(now).MustWait(ctx)
+
+		db, _ := dbtestutil.NewDB(t, dbtestutil.WithDumpOnFailure())
+		org := dbgen.Organization(t, db, database.Organization{})
+		user := dbgen.User(t, db, database.User{})
+		_ = dbgen.OrganizationMember(t, db, database.OrganizationMember{UserID: user.ID, OrganizationID: org.ID})
+		tv := dbgen.TemplateVersion(t, db, database.TemplateVersion{OrganizationID: org.ID, CreatedBy: user.ID})
+		tmpl := dbgen.Template(t, db, database.Template{OrganizationID: org.ID, ActiveVersionID: tv.ID, CreatedBy: user.ID})
+
+		logger := slogtest.Make(t, &slogtest.Options{IgnoreErrors: true})
+
+		// Workspace with old builds.
+		ws := dbgen.Workspace(t, db, database.WorkspaceTable{Name: "test-ws", OwnerID: user.ID, OrganizationID: org.ID, TemplateID: tmpl.ID})
+		wb1 := mustCreateWorkspaceBuild(t, db, org, tv, ws.ID, veryOld, 1)
+		wb2 := mustCreateWorkspaceBuild(t, db, org, tv, ws.ID, veryOld, 2)
+		agent1 := mustCreateAgent(t, db, wb1)
+		agent2 := mustCreateAgent(t, db, wb2)
+		mustCreateAgentLogs(ctx, t, db, agent1, &veryOld, "agent 1 logs should be deleted with default retention")
+		mustCreateAgentLogs(ctx, t, db, agent2, &veryOld, "agent 2 logs should be retained")
+
+		// Note: When retention is set to 0, we fall back to the default 7-day retention.
+		// The logs are 60 days old, so non-latest build logs will still be deleted.
+		done := awaitDoTick(ctx, t, clk)
+		closer := dbpurge.New(ctx, logger, db, &codersdk.DeploymentValues{
+			Retention: codersdk.RetentionConfig{
+				WorkspaceAgentLogs: serpent.Duration(0), // Falls back to default 7 days
+			},
+		}, clk)
+		defer closer.Close()
+		testutil.TryReceive(ctx, t, done)
+
+		// Agent 1 logs should be deleted (non-latest build, older than default 7 days).
+		assertNoWorkspaceAgentLogs(ctx, t, db, agent1.ID)
+		// Agent 2 logs should be retained (latest build).
+		assertWorkspaceAgentLogs(ctx, t, db, agent2.ID, "agent 2 logs should be retained")
+	})
+}
+
 //nolint:paralleltest // It uses LockIDDBPurge.
 func TestDeleteOldProvisionerDaemons(t *testing.T) {
 	// TODO: must refactor DeleteOldProvisionerDaemons to allow passing in cutoff
 
@@ -834,6 +834,9 @@ type RetentionConfig struct {
 	// Keys are only deleted if they have been expired for at least this duration.
 	// Defaults to 7 days to preserve existing behavior.
 	APIKeys serpent.Duration `json:"api_keys" typescript:",notnull"`
+	// WorkspaceAgentLogs controls how long workspace agent logs are retained.
+	// Defaults to 7 days to preserve existing behavior.
+	WorkspaceAgentLogs serpent.Duration `json:"workspace_agent_logs" typescript:",notnull"`
 }
 
 type NotificationsConfig struct {
@@ -3436,6 +3439,17 @@ Write out the current server config as YAML to stdout.`,
 			YAML:        "api_keys",
 			Annotations: serpent.Annotations{}.Mark(annotationFormatDuration, "true"),
 		},
+		{
+			Name:        "Workspace Agent Logs Retention",
+			Description: "How long workspace agent logs are retained. Logs from non-latest workspace builds are deleted after this period to free up storage space. Set to 0 to disable automatic deletion of workspace agent logs.",
+			Flag:        "workspace-agent-logs-retention",
+			Env:         "CODER_WORKSPACE_AGENT_LOGS_RETENTION",
+			Value:       &c.Retention.WorkspaceAgentLogs,
+			Default:     "7d",
+			Group:       &deploymentGroupRetention,
+			YAML:        "workspace_agent_logs",
+			Annotations: serpent.Annotations{}.Mark(annotationFormatDuration, "true"),
+		},
 		{
 			Name: "Enable Authorization Recordings",
 			Description: "All api requests will have a header including all authorization calls made during the request. " +
 
@@ -1,8 +1,8 @@
 # Data Retention
 
 Coder supports configurable retention policies that automatically purge old
-Audit Logs, Connection Logs, and API keys. These policies help manage database
-growth by removing records older than a specified duration.
+Audit Logs, Connection Logs, Workspace Agent Logs, and API keys. These policies
+help manage database growth by removing records older than a specified duration.
 
 ## Overview
 
@@ -25,12 +25,13 @@ a YAML configuration file.
 
 ### Settings
 
-| Setting         | CLI Flag                      | Environment Variable              | Default          | Description                                                              |
-|-----------------|-------------------------------|-----------------------------------|------------------|--------------------------------------------------------------------------|
-| Global          | `--global-retention`          | `CODER_GLOBAL_RETENTION`          | `0` (disabled)   | Default retention for all data types. Individual settings override this. |
-| Audit Logs      | `--audit-logs-retention`      | `CODER_AUDIT_LOGS_RETENTION`      | `0` (use global) | How long to retain Audit Log entries.                                    |
-| Connection Logs | `--connection-logs-retention` | `CODER_CONNECTION_LOGS_RETENTION` | `0` (use global) | How long to retain Connection Log entries.                               |
-| API Keys        | `--api-keys-retention`        | `CODER_API_KEYS_RETENTION`        | `7d`             | How long to retain expired API keys.                                     |
+| Setting              | CLI Flag                           | Environment Variable                   | Default          | Description                                                              |
+|----------------------|------------------------------------|----------------------------------------|------------------|--------------------------------------------------------------------------|
+| Global               | `--global-retention`               | `CODER_GLOBAL_RETENTION`               | `0` (disabled)   | Default retention for all data types. Individual settings override this. |
+| Audit Logs           | `--audit-logs-retention`           | `CODER_AUDIT_LOGS_RETENTION`           | `0` (use global) | How long to retain Audit Log entries.                                    |
+| Connection Logs      | `--connection-logs-retention`      | `CODER_CONNECTION_LOGS_RETENTION`      | `0` (use global) | How long to retain Connection Log entries.                               |
+| API Keys             | `--api-keys-retention`             | `CODER_API_KEYS_RETENTION`             | `7d`             | How long to retain expired API keys.                                     |
+| Workspace Agent Logs | `--workspace-agent-logs-retention` | `CODER_WORKSPACE_AGENT_LOGS_RETENTION` | `7d`             | How long to retain workspace agent logs.                                 |
 
 ### Duration Format
 
@@ -68,6 +69,7 @@ retention:
   audit_logs: 365d
   connection_logs: 0s
   api_keys: 7d
+  workspace_agent_logs: 7d
 ```
 
 ## How Retention Works
@@ -103,6 +105,16 @@ ago. Active keys are never deleted by the retention policy.
 Keeping expired keys for a short period allows Coder to return a more helpful
 error message when users attempt to use an expired key.
 
+### Workspace Agent Logs Behavior
+
+Workspace agent logs are retained based on the retention period, but **logs from
+the latest build of each workspace are always retained** regardless of age. This
+ensures you can always debug issues with active workspaces.
+
+Only logs from non-latest workspace builds that are older than the retention
+period are deleted. Setting `--workspace-agent-logs-retention=7d` keeps all logs
+from the latest build plus logs from previous builds for up to 7 days.
+
 ## Best Practices
 
 ### Recommended Starting Configuration
@@ -115,6 +127,7 @@ retention:
   audit_logs: 365d
   connection_logs: 0s # Use global
   api_keys: 7d
+  workspace_agent_logs: 7d
 ```
 
 ### Compliance Considerations
@@ -160,6 +173,7 @@ retention:
   audit_logs: 0s
   connection_logs: 0s
   api_keys: 0s
+  workspace_agent_logs: 0s
 ```
 
 There is no way to disable retention for a specific data type while global