diff --git a/.gitignore b/.gitignore
index b6397e13b..a52d539c9 100644
--- a/.gitignore
+++ b/.gitignore
@@ -51,6 +51,6 @@ credentials.json
 # File to populate env vars used by Docker test runs
 .envrc
 
-# ignore generated ASM yamls in /workspace/test/fixtures/simple_zonal_with_asm as it is a test
-# in a production scenario these files are expected to be checked in
+# ignore generated ASM yamls in /workspace/test/fixtures/simple_zonal_with_asm
+# as it is a test in a production scenario these files are expected to be checked in
 /test/fixtures/simple_zonal_with_asm/asm-dir
diff --git a/modules/asm/README.md b/modules/asm/README.md
index e0c326438..acc59489a 100644
--- a/modules/asm/README.md
+++ b/modules/asm/README.md
@@ -43,6 +43,7 @@ To deploy this config:
 | cluster\_name | The unique name to identify the cluster in ASM. | `string` | n/a | yes |
 | gcloud\_sdk\_version | The gcloud sdk version to use. Minimum required version is 293.0.0 | `string` | `"296.0.1"` | no |
 | location | The location (zone or region) this cluster has been created in. | `string` | n/a | yes |
+| managed | Whether the control plane should be managed. | `bool` | `false` | no |
 | project\_id | The project in which the resource belongs. | `string` | n/a | yes |
 | service\_account\_key\_file | Path to service account key file to auth as for running `gcloud container clusters get-credentials`. | `string` | `""` | no |
 
diff --git a/modules/asm/main.tf b/modules/asm/main.tf
index eb512bf54..1b0c9aaf8 100644
--- a/modules/asm/main.tf
+++ b/modules/asm/main.tf
@@ -18,6 +18,9 @@ data "google_project" "asm_project" {
   project_id = var.project_id
 }
 
+locals {
+  kubectl_create_command_base = "${path.module}/scripts/install_asm.sh ${var.project_id} ${var.cluster_name} ${var.location} ${var.asm_version}"
+}
 
 module "asm_install" {
   source            = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
@@ -32,7 +35,6 @@ module "asm_install" {
   project_id               = var.project_id
   service_account_key_file = var.service_account_key_file
 
-
-  kubectl_create_command  = "${path.module}/scripts/install_asm.sh ${var.project_id} ${var.cluster_name} ${var.location} ${var.asm_version}"
+  kubectl_create_command  = var.managed ? "${local.kubectl_create_command_base} ${var.managed}" : local.kubectl_create_command_base
   kubectl_destroy_command = "kubectl delete ns istio-system"
 }
diff --git a/modules/asm/scripts/.gitignore b/modules/asm/scripts/.gitignore
new file mode 100644
index 000000000..a0e7b1004
--- /dev/null
+++ b/modules/asm/scripts/.gitignore
@@ -0,0 +1 @@
+install_asm
diff --git a/modules/asm/scripts/install_asm.sh b/modules/asm/scripts/install_asm.sh
index dcdb69da2..c63b8d2a4 100755
--- a/modules/asm/scripts/install_asm.sh
+++ b/modules/asm/scripts/install_asm.sh
@@ -1,5 +1,6 @@
 #!/usr/bin/env bash
-# Copyright 2018 Google LLC
+
+# Copyright 2021 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -24,11 +25,31 @@ PROJECT_ID=$1
 CLUSTER_NAME=$2
 CLUSTER_LOCATION=$3
 ASM_VERSION=$4
+MANAGED=$5
 MODE="install"
 
-#download the correct version of the install_asm script
+# Download the correct version of the install_asm script
 curl https://storage.googleapis.com/csm-artifacts/asm/install_asm_"${ASM_VERSION}" > install_asm
 chmod u+x install_asm
 
-#run the script with appropriate flags
-./install_asm --verbose --project_id "${PROJECT_ID}" --cluster_name "${CLUSTER_NAME}" --cluster_location "${CLUSTER_LOCATION}" --mode "${MODE}" --enable_cluster_labels --enable_cluster_roles
+declare -a params=(
+    "--verbose"
+    "--project_id ${PROJECT_ID}"
+    "--cluster_name ${CLUSTER_NAME}"
+    "--cluster_location ${CLUSTER_LOCATION}"
+    "--mode ${MODE}"
+    "--enable_cluster_labels"
+    "--enable_cluster_roles"
+)
+
+# Add the --managed param if MANAGED is set to true
+if [[ "${MANAGED}" == true ]]; then
+    params+=("--managed")
+fi
+
+# Run the script with appropriate flags
+echo "Running ./install_asm" "${params[@]}"
+
+# Disable shell linting. Other forms will prevent the command to work
+# shellcheck disable=SC2046,SC2116
+./install_asm $(echo "${params[@]}")
diff --git a/modules/asm/variables.tf b/modules/asm/variables.tf
index b38bdc01d..43ddfa3ab 100644
--- a/modules/asm/variables.tf
+++ b/modules/asm/variables.tf
@@ -56,3 +56,9 @@ variable "asm_version" {
   type        = string
   default     = "1.8"
 }
+
+variable "managed" {
+  description = "Whether the control plane should be managed."
+  type        = bool
+  default     = false
+}