diff --git a/009_define_file_templates.tf b/009_define_file_templates.tf
index b3f55bd9..28328bd4 100644
--- a/009_define_file_templates.tf
+++ b/009_define_file_templates.tf
@@ -66,6 +66,7 @@ locals {
 tower_smtp_starttls_enable = var.tower_smtp_starttls_enable,
 tower_smtp_starttles_required = var.tower_smtp_starttls_required,
 tower_smtp_ssl_protocols = var.tower_smtp_ssl_protocols,
+ tower_workflow_cleanup_enabled = var.tower_workflow_cleanup_enabled,
 flag_disable_email_login = var.flag_disable_email_login,
diff --git a/assets/src/tower_config/tower.yml.tpl b/assets/src/tower_config/tower.yml.tpl
index cbe517ba..3896db51 100644
--- a/assets/src/tower_config/tower.yml.tpl
+++ b/assets/src/tower_config/tower.yml.tpl
@@ -80,7 +80,6 @@ micronaut:
 ### The tower scope is used for providing config for your Tower Enterprise installation
 tower:
-
 %{ if flag_disable_email_login == true }
 # As of Tower v23.4.5, the email login option can be disabled.
 # Note: There must be an active OIDC integration configured or else this flag will be ignored.
@@ -88,6 +87,12 @@ tower:
 disable-email: true
 %{ endif ~}
+%{ if tower_workflow_cleanup_enabled == true }
+ # As of Tower v25.1.0, the workflow cleanup can be enabled for AWS Batch.
+ workflow-cleanup:
+ enabled: true
+%{ endif ~}
+
 admin:
 # Control user access to personal (i.e. non-Org-based) Workspace.
 user-workspace-enabled: true
diff --git a/scripts/installer/validation/check_configuration.py b/scripts/installer/validation/check_configuration.py
index 6e096c19..465dc7c1 100644
--- a/scripts/installer/validation/check_configuration.py
+++ b/scripts/installer/validation/check_configuration.py
@@ -223,6 +223,14 @@ def verify_email_login_disablement(data: SimpleNamespace):
 "Seqerakit step cannot execute if email login is not active."
 )
+def verify_workflow_cleanup_enabled(data: SimpleNamespace):
+ """Check workflow cleanup enablement scenarios."""
+ if data.tower_workflow_cleanup_enabled:
+
+ if data.tower_container_version < "v25.1.0":
+ log_error_and_exit(
+ "Workflow cleanup can only be enabled on Platform v25.1.0+"
+ )
 def verify_subnet_privacy(data: SimpleNamespace):
 """Check that the assigned subnets in tfvars match the intended privacy of the Tower instance."""
@@ -630,6 +638,7 @@ def verify_redis_version(data: SimpleNamespace):
 verify_tower_groundswell(data)
 verify_docker_daemon_loggin(data)
 verify_email_login_disablement(data)
+ verify_workflow_cleanup_enabled(data)
 # Verify AWS integrations
 print("\n")
diff --git a/templates/TEMPLATE_terraform.tfvars b/templates/TEMPLATE_terraform.tfvars
index cc9eab57..44c93f59 100644
--- a/templates/TEMPLATE_terraform.tfvars
+++ b/templates/TEMPLATE_terraform.tfvars
@@ -662,6 +662,7 @@ tower_email_trusted_orgs = "REPLACE_ME"
 tower_email_trusted_users = "REPLACE_ME"
 tower_audit_retention_days = 1095 # 3 years (value in days)
+tower_workflow_cleanup_enabled = true # only applicable for AWS Batch
 /*
diff --git a/variables.tf b/variables.tf
index ff5b187a..8042755c 100644
--- a/variables.tf
+++ b/variables.tf
@@ -295,6 +295,7 @@ variable "tower_email_trusted_orgs" { type = string }
 variable "tower_email_trusted_users" { type = string }
 variable "tower_audit_retention_days" { type = number }
+variable "tower_workflow_cleanup_enabled" { type = bool }
 # ------------------------------------------------------------------------------------
 ## TOWER CONFIGURATION - OIDC
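Review bot: The version gate in `verify_workflow_cleanup_enabled` (check_configuration.py) compares `data.tower_container_version < "v25.1.0"` as strings, which orders tags character by character rather than numerically. That gives the right answer only while every tag has the exact `vNN.N.N` shape; a tag without the leading `v`, or one whose major component has a different digit count, would be accepted or rejected incorrectly, so the validator could let an unsupported setting through to `tower.yml`. Comparing parsed components is safer, for example `tuple(int(p) for p in data.tower_container_version.lstrip("v").split(".")[:3]) < (25, 1, 0)`, assuming the first three components are purely numeric; if the file already has a version-parsing helper outside this hunk, reuse it instead. The two nested `if` statements can also be merged into one condition and the empty line after the first `if` dropped.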
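Review bot: In templates/TEMPLATE_terraform.tfvars the new setting ships as `tower_workflow_cleanup_enabled = true`, while the validator added in this same commit exits with an error when the flag is set and the container version is below v25.1.0, so anyone copying the template with an older pinned version fails validation until they flip the value. The inline comment says the setting applies only to AWS Batch, but nothing visible in this diff checks the compute platform before `workflow-cleanup` is written into `tower.yml`. A safer template default would be `tower_workflow_cleanup_enabled = false # requires Platform v25.1.0+; AWS Batch only`, which keeps the feature opt-in.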