diff --git a/modules/asm/README.md b/modules/asm/README.md
index c88a5090d..ef6395257 100644
--- a/modules/asm/README.md
+++ b/modules/asm/README.md
@@ -52,10 +52,10 @@ To deploy this config:
 | asm\_git\_tag | ASM git tag to deploy. This module supports versions `1.8` and `1.9`. You can get the exact `asm_git_tag` by running the command `install_asm --version`. The ASM git tab should be of the form `1.9.3-asm.2+config5`. You can also see all ASM git tags by running `curl https://storage.googleapis.com/csm-artifacts/asm/STABLE_VERSIONS`. You must provide the full and exact git tag. This variable is optional. Leaving it empty (default) will download the latest `install_asm` script for the version provided by the `asm_version` variable. | `string` | `""` | no |
 | asm\_version | ASM version to deploy. This module supports versions `1.8` and `1.9`. Available versions are documented in https://github.com/GoogleCloudPlatform/anthos-service-mesh-packages | `string` | `"1.9"` | no |
 | ca | Sets CA option. Possible values are `meshca` or `citadel`. Additional documentation on Citadel is available at https://cloud.google.com/service-mesh/docs/scripted-install/gke-install#installation_with_citadel_as_the_ca. | `string` | `"meshca"` | no |
-| ca\_certs | Sets CA certificate file paths when `ca` is set to `citadel`. These values must be provided when using Citadel as CA. Additional documentation on Citadel is available at https://cloud.google.com/service-mesh/docs/scripted-install/gke-install#installation_with_citadel_as_the_ca. | `map` | `{}` | no |
+| ca\_certs | Sets CA certificate file paths when `ca` is set to `citadel`. These values must be provided when using Citadel as CA. Additional documentation on Citadel is available at https://cloud.google.com/service-mesh/docs/scripted-install/gke-install#installation_with_citadel_as_the_ca. | `map(any)` | `{}` | no |
 | cluster\_endpoint | The GKE cluster endpoint. | `string` | n/a | yes |
 | cluster\_name | The unique name to identify the cluster in ASM. | `string` | n/a | yes |
-| custom\_overlays | Comma separated list of custom\_overlay file paths. Works with in-cluster control plane only. Additional documentation available at https://cloud.google.com/service-mesh/docs/scripted-install/gke-install#installation_with_an_overlay_file | `list` | `[]` | no |
+| custom\_overlays | Comma separated list of custom\_overlay file paths. Works with in-cluster control plane only. Additional documentation available at https://cloud.google.com/service-mesh/docs/scripted-install/gke-install#installation_with_an_overlay_file | `list(any)` | `[]` | no |
 | enable\_all | Sets `--enable_all` option if true. | `bool` | `false` | no |
 | enable\_cluster\_labels | Sets `--enable_cluster_labels` option if true. | `bool` | `false` | no |
 | enable\_cluster\_roles | Sets `--enable_cluster_roles` option if true. | `bool` | `false` | no |
@@ -70,9 +70,10 @@ To deploy this config:
 | location | The location (zone or region) this cluster has been created in. | `string` | n/a | yes |
 | managed\_control\_plane | ASM managed control plane boolean. Determines whether to install ASM managed control plane. Installing ASM managed control plane does not install gateways. Documentation on how to install gateways with ASM MCP can be found at https://cloud.google.com/service-mesh/docs/managed-control-plane#install_istio_gateways_optional. | `bool` | `false` | no |
 | mode | ASM mode for deployment. Supported modes are `install` and `upgrade`. | `string` | `"install"` | no |
-| options | Comma separated list of options. Works with in-cluster control plane only. Supported options are documented in https://cloud.google.com/service-mesh/docs/enable-optional-features. | `list` | `[]` | no |
+| options | Comma separated list of options. Works with in-cluster control plane only. Supported options are documented in https://cloud.google.com/service-mesh/docs/enable-optional-features. | `list(any)` | `[]` | no |
 | outdir | Sets `--outdir` option. | `string` | `"none"` | no |
 | project\_id | The project in which the resource belongs. | `string` | n/a | yes |
+| revision\_name | Sets `--revision-name` option. | `string` | `"none"` | no |
 | service\_account | The GCP Service Account email address used to deploy ASM. | `string` | `""` | no |
 | service\_account\_key\_file | Path to service account key file to auth as for running `gcloud container clusters get-credentials`. | `string` | `""` | no |
 | skip\_validation | Sets `_CI_NO_VALIDATE` variable. Determines whether the script should perform validation checks for prerequisites such as IAM roles, Google APIs etc. | `bool` | `false` | no |
diff --git a/modules/asm/main.tf b/modules/asm/main.tf
index b6d6c4996..a2adaa75f 100644
--- a/modules/asm/main.tf
+++ b/modules/asm/main.tf
@@ -28,6 +28,7 @@ locals {
 ca_key = lookup(var.ca_certs, "ca_key", "none")
 root_cert = lookup(var.ca_certs, "root_cert", "none")
 cert_chain = lookup(var.ca_certs, "cert_chain", "none")
+ revision_name_string = (var.revision_name == "" ? "none" : var.revision_name)
 # https://github.com/GoogleCloudPlatform/anthos-service-mesh-packages/blob/1cf61b679cd369f42a0e735f8e201de1a6a6433b/scripts/asm-installer/install_asm#L1970
 iam_roles = [
 "roles/container.admin",
@@ -96,6 +97,6 @@ module "asm_install" {
 service_account_key_file = var.service_account_key_file
 impersonate_service_account = var.impersonate_service_account
- kubectl_create_command = "${path.module}/scripts/install_asm.sh ${var.project_id} ${var.cluster_name} ${var.location} ${var.asm_version} ${var.mode} ${var.managed_control_plane} ${var.skip_validation} ${local.options_string} ${local.custom_overlays_string} ${var.enable_all} ${var.enable_cluster_roles} ${var.enable_cluster_labels} ${var.enable_gcp_components} ${var.enable_registration} ${var.outdir} ${var.ca} ${local.ca_cert} ${local.ca_key} ${local.root_cert} ${local.cert_chain} ${local.service_account_string} ${local.key_file_string} ${local.asm_git_tag_string}"
+ kubectl_create_command = "${path.module}/scripts/install_asm.sh ${var.project_id} ${var.cluster_name} ${var.location} ${var.asm_version} ${var.mode} ${var.managed_control_plane} ${var.skip_validation} ${local.options_string} ${local.custom_overlays_string} ${var.enable_all} ${var.enable_cluster_roles} ${var.enable_cluster_labels} ${var.enable_gcp_components} ${var.enable_registration} ${var.outdir} ${var.ca} ${local.ca_cert} ${local.ca_key} ${local.root_cert} ${local.cert_chain} ${local.service_account_string} ${local.key_file_string} ${local.asm_git_tag_string} ${local.revision_name_string}"
 kubectl_destroy_command = "${path.module}/scripts/destroy_asm.sh"
 }
diff --git a/modules/asm/scripts/install_asm.sh b/modules/asm/scripts/install_asm.sh
index eb8470009..5b92aa4dd 100755
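Review bot: `${local.revision_name_string}` is appended as the 24th space-separated positional argument of `kubectl_create_command` in the second hunk, and nothing quotes or constrains it, so a `revision_name` containing whitespace or shell metacharacters either shifts the positional parameters that `install_asm.sh` reads by index or is interpreted by whatever shell executes this string. The other interpolated values have the same weakness, but this commit is the one adding a new free-form string to the line. Either add a `validation` block on `revision_name` that allow-lists `none` plus a conservative `^[a-z0-9-]+$` pattern (Istio revision names end up as label values, so that should not reject legitimate input — confirm), or quote the new argument, e.g. `\"${local.revision_name_string}\"`. The `module "asm_install"` block starts outside the hunk and the mechanism that runs `kubectl_create_command` is not visible here.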
--- a/modules/asm/scripts/install_asm.sh
+++ b/modules/asm/scripts/install_asm.sh
@@ -21,15 +21,15 @@ if [ "$#" -lt 5 ]; then
 exit 1
 fi
-PROJECT_ID=$1
-CLUSTER_NAME=$2
-CLUSTER_LOCATION=$3
-ASM_VERSION=$4
-MODE=$5
-MCP=$6
-SKIP_VALIDATION=$7
-OPTIONS_LIST=$8
-CUSTOM_OVERLAYS_LIST=$9
+PROJECT_ID=${1}
+CLUSTER_NAME=${2}
+CLUSTER_LOCATION=${3}
+ASM_VERSION=${4}
+MODE=${5}
+MCP=${6}
+SKIP_VALIDATION=${7}
+OPTIONS_LIST=${8}
+CUSTOM_OVERLAYS_LIST=${9}
 ENABLE_ALL=${10}
 ENABLE_CLUSTER_ROLES=${11}
 ENABLE_CLUSTER_LABELS=${12}
@@ -44,6 +44,7 @@ CERT_CHAIN=${20}
 SERVICE_ACCOUNT=${21}
 KEY_FILE=${22}
 ASM_GIT_TAG=${23}
+REVISION_NAME=${24}
 # Set SKIP_VALIDATION variable
 if [[ ${SKIP_VALIDATION} = "true" ]]; then
@@ -93,7 +94,12 @@ echo -e "ENABLE_REGISTRATION is $ENABLE_REGISTRATION"
 echo -e "OUTDIR is $OUTDIR"
 echo -e "SERVICE_ACCOUNT is $SERVICE_ACCOUNT"
 echo -e "KEY_FILE is $KEY_FILE"
-
+echo -e "REVISION_NAME is $REVISION_NAME"
+echo -e "CA is $CA"
+echo -e "CA_CERT is $CA_CERT"
+echo -e "CA_KEY is $CA_KEY"
+echo -e "ROOT_CERT is $ROOT_CERT"
+echo -e "CERT_CHAIN is $CERT_CHAIN"
 #download the correct version of the install_asm script
 if [[ "${ASM_GIT_TAG}" = "none" ]]; then
 echo -e "Downloading install_asm with latest git tag..."
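Review bot: The script now consumes a 24th positional parameter (`REVISION_NAME=${24}` in the second hunk) while the argument-count guard shown at the top of the first hunk still only rejects fewer than 5 arguments, so a caller still using the 23-argument form proceeds with an empty `REVISION_NAME` rather than the `none` sentinel main.tf sends, and every later positional variable stays silently unchecked. Raise the guard to the real count, `if [ "$#" -lt 24 ]; then`, so a Terraform/script mismatch fails loudly instead of producing a half-configured install. The new `echo` lines in the third hunk print `CA_KEY` and friends; from the variable descriptions these look like file paths rather than key material, so the logging seems harmless, but confirm the module never passes inline PEM here before it lands in CI logs.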
@@ -177,15 +183,21 @@ else
 mkdir -p "${OUTDIR}"
 fi
-if [[ "${CA}" = "citadel" ]]; then
- CA_COMMAND_SNIPPET="--ca citadel --ca_cert ${CA_CERT} --ca_key ${CA_KEY} --root_cert ${ROOT_CERT} --cert_chain ${CERT_CHAIN}"
+if [[ "${CA}" == "citadel" ]]; then
+ CA_COMMAND_SNIPPET="--ca citadel"
 else
 CA_COMMAND_SNIPPET=""
 fi
+if [[ "${CA_CERT}" == "none" ]]; then
+ CA_CERTS_COMMAND_SNIPPET=""
+else
+ CA_CERTS_COMMAND_SNIPPET="--ca_cert ${CA_CERT} --ca_key ${CA_KEY} --root_cert ${ROOT_CERT} --cert_chain ${CERT_CHAIN}"
+fi
+
 # Echo the command before executing
-echo -e "install_asm_${ASM_VERSION} --verbose --project_id ${PROJECT_ID} --cluster_name ${CLUSTER_NAME} --cluster_location ${CLUSTER_LOCATION} --mode ${MODE} ${MCP_COMMAND_SNIPPET} ${OPTIONS_COMMAND_SNIPPET} ${CUSTOM_OVERLAYS_COMMAND_SNIPPET} ${OUTDIR_COMMAND_SNIPPET} ${ENABLE_ALL_COMMAND_SNIPPET} ${ENABLE_CLUSTER_ROLES_COMMAND_SNIPPET} ${ENABLE_CLUSTER_LABELS_COMMAND_SNIPPET} ${ENABLE_GCP_COMPONENTS_COMMAND_SNIPPET} ${ENABLE_REGISTRATION_COMMAND_SNIPPET} ${CA_COMMAND_SNIPPET} ${SERVICE_ACCOUNT_COMMAND_SNIPPET} ${KEY_FILE_COMMAND_SNIPPET}"
+echo -e "install_asm_${ASM_VERSION} --verbose --project_id ${PROJECT_ID} --cluster_name ${CLUSTER_NAME} --cluster_location ${CLUSTER_LOCATION} --mode ${MODE} ${MCP_COMMAND_SNIPPET} ${OPTIONS_COMMAND_SNIPPET} ${CUSTOM_OVERLAYS_COMMAND_SNIPPET} ${OUTDIR_COMMAND_SNIPPET} ${ENABLE_ALL_COMMAND_SNIPPET} ${ENABLE_CLUSTER_ROLES_COMMAND_SNIPPET} ${ENABLE_CLUSTER_LABELS_COMMAND_SNIPPET} ${ENABLE_GCP_COMPONENTS_COMMAND_SNIPPET} ${ENABLE_REGISTRATION_COMMAND_SNIPPET} ${CA_COMMAND_SNIPPET} ${CA_CERTS_COMMAND_SNIPPET} ${SERVICE_ACCOUNT_COMMAND_SNIPPET} ${KEY_FILE_COMMAND_SNIPPET} ${REVISION_NAME_COMMAND_SNIPPET}"
 # run the script with appropriate flags
 # shellcheck disable=SC2086
-./install_asm_${ASM_VERSION} --verbose --project_id ${PROJECT_ID} --cluster_name ${CLUSTER_NAME} --cluster_location ${CLUSTER_LOCATION} --mode ${MODE} ${MCP_COMMAND_SNIPPET} ${OPTIONS_COMMAND_SNIPPET} ${CUSTOM_OVERLAYS_COMMAND_SNIPPET} ${OUTDIR_COMMAND_SNIPPET} ${ENABLE_ALL_COMMAND_SNIPPET} ${ENABLE_CLUSTER_ROLES_COMMAND_SNIPPET} ${ENABLE_CLUSTER_LABELS_COMMAND_SNIPPET} ${ENABLE_GCP_COMPONENTS_COMMAND_SNIPPET} ${ENABLE_REGISTRATION_COMMAND_SNIPPET} ${CA_COMMAND_SNIPPET} ${SERVICE_ACCOUNT_COMMAND_SNIPPET} ${KEY_FILE_COMMAND_SNIPPET}
+./install_asm_${ASM_VERSION} --verbose --project_id ${PROJECT_ID} --cluster_name ${CLUSTER_NAME} --cluster_location ${CLUSTER_LOCATION} --mode ${MODE} ${MCP_COMMAND_SNIPPET} ${OPTIONS_COMMAND_SNIPPET} ${CUSTOM_OVERLAYS_COMMAND_SNIPPET} ${OUTDIR_COMMAND_SNIPPET} ${ENABLE_ALL_COMMAND_SNIPPET} ${ENABLE_CLUSTER_ROLES_COMMAND_SNIPPET} ${ENABLE_CLUSTER_LABELS_COMMAND_SNIPPET} ${ENABLE_GCP_COMPONENTS_COMMAND_SNIPPET} ${ENABLE_REGISTRATION_COMMAND_SNIPPET} ${CA_COMMAND_SNIPPET} ${CA_CERTS_COMMAND_SNIPPET} ${SERVICE_ACCOUNT_COMMAND_SNIPPET} ${KEY_FILE_COMMAND_SNIPPET} ${REVISION_NAME_COMMAND_SNIPPET}
diff --git a/modules/asm/variables.tf b/modules/asm/variables.tf
index a6c08679b..9262dc2b0 100644
--- a/modules/asm/variables.tf
+++ b/modules/asm/variables.tf
@@ -95,13 +95,13 @@ variable "impersonate_service_account" {
 variable "options" {
 description = "Comma separated list of options. Works with in-cluster control plane only. Supported options are documented in https://cloud.google.com/service-mesh/docs/enable-optional-features."
- type = list
+ type = list(any)
 default = []
 }
 variable "custom_overlays" {
 description = "Comma separated list of custom_overlay file paths. Works with in-cluster control plane only. Additional documentation available at https://cloud.google.com/service-mesh/docs/scripted-install/gke-install#installation_with_an_overlay_file"
- type = list
+ type = list(any)
 default = []
 }
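Review bot: `${REVISION_NAME_COMMAND_SNIPPET}` is expanded in both the echoed and the executed `install_asm` command at the end of this hunk, but no hunk in the diff ever assigns it, so unless it is set in an unchanged part of the script the variable is empty and the revision name passed in from Terraform is silently dropped (with `set -u` it would abort instead). It needs a snippet block like the others, gated on the `none` sentinel that main.tf sends; the README documents the flag as `--revision-name` while every other `install_asm` flag in this file uses underscores, so check the exact spelling against the installer before merging. Separately, the certificate flags are now emitted whenever `CA_CERT` is not `none` regardless of `CA`, while the `ca_certs` description still says they apply when `ca` is `citadel` — if the decoupling is intentional the docs should say so, otherwise keep the `CA == citadel` gate on `CA_CERTS_COMMAND_SNIPPET` as well.
```shell
# … unchanged: CA_COMMAND_SNIPPET / CA_CERTS_COMMAND_SNIPPET blocks …

if [[ "${REVISION_NAME}" == "none" ]]; then
  REVISION_NAME_COMMAND_SNIPPET=""
else
  # flag spelling must match install_asm (underscore vs hyphen) — verify
  REVISION_NAME_COMMAND_SNIPPET="--revision_name ${REVISION_NAME}"
fi

# … unchanged: echo and exec of install_asm …
```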
@@ -167,7 +167,7 @@ variable "ca" {
 variable "ca_certs" {
 description = "Sets CA certificate file paths when `ca` is set to `citadel`. These values must be provided when using Citadel as CA. Additional documentation on Citadel is available at https://cloud.google.com/service-mesh/docs/scripted-install/gke-install#installation_with_citadel_as_the_ca."
- type = map
+ type = map(any)
 default = {}
 # default = {
 # "ca_cert" = "none"
@@ -175,6 +175,10 @@ variable "ca_certs" {
 # "root_cert" = "none"
 # "cert_chain" = "none"
 # }
+ validation {
+ condition = contains([4, 0], length(compact([for k in ["ca_cert", "ca_key", "root_cert", "cert_chain"] : lookup(var.ca_certs, k, "")])))
+ error_message = "One or more required keys for ca_certs are missing. If you plan to use the self-signed certificate, do not declare the ca_certs variable."
+ }
 }
 variable "iam_member" {
@@ -182,3 +186,9 @@ variable "iam_member" {
 type = string
 default = ""
 }
+
+variable "revision_name" {
+ description = "Sets `--revision-name` option."
+ type = string
+ default = "none"
+}
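Review bot: The new `validation` block accepts any `ca_certs` map that has all four keys or none of them, but it cannot enforce the rule the description states — that the paths are required when `ca` is `citadel` — because a Terraform variable validation may only reference the variable it belongs to. With `ca = "citadel"` and an empty map, `install_asm.sh` (per its hunk above) runs the installer with `--ca citadel` and no certificate flags, so the cross-variable check has to live elsewhere: a `precondition` on the `asm_install` module call if the module's minimum Terraform version allows it, or an explicit `exit 1` in the script. Also, `compact()` only removes empty strings, so a literal `ca_cert = "none"` — the sentinel main.tf uses for "absent" — passes this validation as present while the script treats it as absent; adding `&& !contains(values(var.ca_certs), "none")` to the condition would close that gap.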
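Review bot: `revision_name` is a free-form string that main.tf interpolates unquoted into a shell command line, yet the new variable in the last hunk has no `validation`, so anyone who can set it in tfvars can inject additional arguments or shell syntax. Add an allow-list that permits the `none`/empty sentinels and a label-safe pattern, e.g. `condition = var.revision_name == "none" || var.revision_name == "" || can(regex("^[a-z0-9-]+$", var.revision_name))` with `error_message = "revision_name must be a lowercase alphanumeric/hyphen label, or \"none\"."` — as far as I know Istio uses the revision as a Kubernetes label value, so this should not reject legitimate names, but confirm. The description should also say that `none` (the default) means the flag is not passed at all.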