diff --git a/CHANGELOG.md b/CHANGELOG.md
index 946e81166..e13d944be 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,6 +5,7 @@ All notable changes to this project will be documented in this file.
## [Unreleased]
- Fix GCS2BQ (issue: 128)
- make VPC creation optional in `net-vpc` module to allow managing a pre-existing VPC
+- add retention_policy in `gcs` module
## [3.2.0] - 2020-08-29
diff --git a/modules/gcs/README.md b/modules/gcs/README.md
index 839faadd7..1f31a40fd 100644
--- a/modules/gcs/README.md
+++ b/modules/gcs/README.md
@@ -45,12 +45,39 @@ module "buckets" {
iam_roles = {
bucket-two = ["roles/storage.admin"]
}
- kms_keys = {
+ encryption_keys = {
bucket-two = local.kms_key.self_link,
}
}
```
+### Example with retention policy
+
+```hcl
+module "buckets" {
+ source = "./modules/gcs"
+ project_id = "myproject"
+ prefix = "test"
+ names = ["bucket-one", "bucket-two"]
+ bucket_policy_only = {
+ bucket-one = false
+ }
+ iam_members = {
+ bucket-two = {
+ "roles/storage.admin" = ["group:storage@example.com"]
+ }
+ }
+ iam_roles = {
+ bucket-two = ["roles/storage.admin"]
+ }
+
+ retention_policies = {
+ bucket-one = { retention_period = 100 , is_locked = true}
+ bucket-two = { retention_period = 900 }
+ }
+}
+```
+
## Variables
@@ -68,6 +95,7 @@ module "buckets" {
| *prefix* | Prefix used to generate the bucket name. | string | | null |
| *storage_class* | Bucket storage class. | string | | MULTI_REGIONAL |
| *versioning* | Optional map to set versioning keyed by name, defaults to false. | map(bool) | | {} |
+| *retention_policies* | Optional map to set up retention policy keyed by bucket name. | map(map(string)) | | {} |
## Outputs
diff --git a/modules/gcs/main.tf b/modules/gcs/main.tf
index f345ed3bc..d2d8616a9 100644
--- a/modules/gcs/main.tf
+++ b/modules/gcs/main.tf
@@ -37,6 +37,7 @@ locals {
: join("-", [var.prefix, lower(var.location), ""])
)
kms_keys = { for name in var.names : name => lookup(var.encryption_keys, name, null) }
+ retention_policy = { for name in var.names : name => lookup(var.retention_policies, name, null) }
}
resource "google_storage_bucket" "buckets" {
@@ -63,6 +64,14 @@ resource "google_storage_bucket" "buckets" {
default_kms_key_name = local.kms_keys[each.key]
}
}
+
+ dynamic retention_policy {
+ for_each = local.retention_policy[each.key] == null ? [] : [""]
+ content {
+ retention_period = local.retention_policy[each.key]["retention_period"]
+ is_locked = lookup(local.retention_policy[each.key], "is_locked", false)
+ }
+ }
}
resource "google_storage_bucket_iam_binding" "bindings" {
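Review bot: The `is_locked` line in the new `dynamic retention_policy` block deserves an inline comment, because a locked retention policy is a one-way operation: once applied it cannot be removed or shortened, and the bucket cannot be destroyed until every object has passed `retention_period`, so a plan that flips it to true is not reversible by a later apply. I would add above the `is_locked` line `# is_locked is irreversible: once true the policy cannot be relaxed and the bucket cannot be deleted until all objects age out` so that the default of false is understood as the safe choice. The two value reads are also inconsistent in style: `retention_period` uses a direct index (a missing key fails the plan with a generic index error) while `is_locked` uses `lookup` with a default; a comment such as `# retention_period is required, a missing key fails at plan time` would make the intent explicit. The enclosing `google_storage_bucket` resource starts outside the hunk.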
diff --git a/modules/gcs/variables.tf b/modules/gcs/variables.tf
index cdc63eccd..c3e3360f2 100644
--- a/modules/gcs/variables.tf
+++ b/modules/gcs/variables.tf
@@ -83,3 +83,9 @@ variable "versioning" {
type = map(bool)
default = {}
}
+
+variable "retention_policies" {
+ description = "Per-bucket retention policy."
+ type = map(map(string))
+ default = {}
+}
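Review bot: The description of the new `retention_policies` variable does not say which keys the inner map expects, and since the type is `map(map(string))` nothing else documents or checks them; a caller who omits `retention_period` only finds out from a plan-time index error in main.tf. I would change the description line to `description = "Per-bucket retention policy keyed by bucket name: retention_period (seconds, required) and is_locked (optional, defaults to false, irreversible once true)."`, which also surfaces the one-way nature of locking at the point where the value is supplied.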