diff --git a/CHANGELOG.md b/CHANGELOG.md
index 2e2901e..f1fff49 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -395,3 +395,7 @@
* 2.10.0 -- 2025-02-05
- config
- add recorder_override_daily to allow specific resource to be recorded daily vs continously
+
+* 2.10.1 -- 2025-02-13
+ - config
+ - add retention_period_in_days with a default of 3 years (down from 7 years)
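Review bot: The 2.10.1 entry reads as a plain feature addition, but "a default of 3 years (down from 7 years)" is a behaviour change for anyone upgrading. Existing deployments will have their AWS Config history retention shortened on the next apply. Say so explicitly in the entry and mention that setting retention_period_in_days = 2557 keeps the previous 7-year behaviour, so teams with audit or investigation lookback requirements see it before they upgrade.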
diff --git a/common/version.tf b/common/version.tf
index a57e56b..80dad4c 100644
--- a/common/version.tf
+++ b/common/version.tf
@@ -1,3 +1,3 @@
locals {
- _module_version = "2.10.0"
+ _module_version = "2.10.1"
}
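Review bot: The bump to "2.10.1" is a patch-level increment for a release that adds a new input variable and changes effective retention. The previous release added a config variable (recorder_override_daily) and was versioned as a minor, 2.10.0. Consider 2.11.0 here so consumers pinning with a patch-only constraint do not pick up the shorter retention automatically.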
diff --git a/config/README.md b/config/README.md
index 95a9d1b..69231a5 100644
--- a/config/README.md
+++ b/config/README.md
@@ -165,6 +165,7 @@ No modules.
| [aws_config_configuration_recorder.config](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/config_configuration_recorder) | resource |
| [aws_config_configuration_recorder_status.config](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/config_configuration_recorder_status) | resource |
| [aws_config_delivery_channel.config](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/config_delivery_channel) | resource |
+| [aws_config_retention_configuration.config](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/config_retention_configuration) | resource |
| [aws_iam_policy.config](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_role.config](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
| [aws_iam_role_policy_attachment.config](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
@@ -214,6 +215,7 @@ No modules.
| [name](#input\_name) | Config resource name prefix used for all resources | `string` | `""` | no |
| [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component (efs, s3, ebs, kms, role, policy, security-group). This should be used primarily for common infrastructure things | `map(string)` | `{}` | no |
| [recorder\_override\_daily](#input\_recorder\_override\_daily) | Resource type to record daily instead of continuous | `list(string)` | `[]` | no |
+| [retention\_period\_in\_days](#input\_retention\_period\_in\_days) | Config retion period in days (default is 3 years, down from AWS default of 7 years) | `number` | `1095` | no |
| [s3\_bucket](#input\_s3\_bucket) | Config S3 Bucket to send Config snapshots | `string` | `null` | no |
| [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS). Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no |
| [use\_kms\_encryption](#input\_use\_kms\_encryption) | Enable AWS:KMS encryption (default). If false, enables SSE-S3 (AES256), needed for some AWS services access | `bool` | `true` | no |
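Review bot: Typo in the new retention_period_in_days row: "Config retion period" should be "Config retention period". The same string appears in the variable description in config/variables.tf, so correct it there and keep this table in sync.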
diff --git a/config/config.tf b/config/config.tf
index cb54c27..48a4c02 100644
--- a/config/config.tf
+++ b/config/config.tf
@@ -44,3 +44,8 @@ resource "aws_config_delivery_channel" "config" {
depends_on = [aws_config_configuration_recorder.config]
}
+
+resource "aws_config_retention_configuration" "config" {
+ retention_period_in_days = var.retention_period_in_days
+}
+
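Review bot: The new aws_config_retention_configuration.config resource is created unconditionally, so every consumer of the module gets the 1095-day default applied on upgrade with no way to opt out, and an account that already manages its retention configuration elsewhere has no way to keep this module from creating a second one. Consider gating it, for example making var.retention_period_in_days nullable and using count = var.retention_period_in_days == null ? 0 : 1, and document that lowering the value shortens how far back Config history is available for investigations. The hunk also adds a trailing blank line at the end of the file, which can be dropped.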
diff --git a/config/variables.tf b/config/variables.tf
index 7415b2a..55db8ce 100644
--- a/config/variables.tf
+++ b/config/variables.tf
@@ -64,3 +64,9 @@ variable "recorder_override_daily" {
default = []
}
+variable "retention_period_in_days" {
+ description = "Config retion period in days (default is 3 years, down from AWS default of 7 years)"
+ type = number
+ default = 1095
+}
+
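Review bot: The retention_period_in_days variable has no validation block, so an out-of-range value is only rejected at apply time by the AWS API. AWS Config accepts 30 to 2557 days; add a validation with condition = var.retention_period_in_days >= 30 && var.retention_period_in_days <= 2557 and an error_message stating the range. Also fix "retion" to "retention" in the description, and add a blank line between the closing brace of recorder_override_daily and the new variable block to match the rest of the file.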