diff --git a/modules/acm/README.md b/modules/acm/README.md
index 1a32bf83d..f4dab2a0f 100644
--- a/modules/acm/README.md
+++ b/modules/acm/README.md
@@ -3,9 +3,10 @@
 This module installs [Anthos Config Management](https://cloud.google.com/anthos-config-management/docs/) (ACM) in a Kubernetes cluster.
 
 Specifically, this module automates the following steps for [installing ACM](https://cloud.google.com/anthos-config-management/docs/how-to/installing):
-1. Installing the ACM Operator on your cluster.
-2. Generating an SSH key for accessing Git and providing it to the Operator
-3. Configuring the Operator to connect to your ACM repository
+1. Enabling the ACM feature on hub.
+2. Installing the ACM Operator on your cluster.
+3. Optionally, generating an SSH key for accessing Git and providing it to the Operator
+4. Configuring the Operator to connect to your ACM repository
 
 ## Usage
 
diff --git a/modules/acm/main.tf b/modules/acm/main.tf
index 244816f99..e6ae18854 100644
--- a/modules/acm/main.tf
+++ b/modules/acm/main.tf
@@ -14,6 +14,21 @@
  * limitations under the License.
  */
 
+module "enable_acm" {
+  source  = "terraform-google-modules/gcloud/google"
+  version = "~> 2.0"
+
+  platform              = "linux"
+  upgrade               = true
+  additional_components = ["alpha"]
+
+  service_account_key_file = var.service_account_key_file
+  create_cmd_entrypoint    = "gcloud"
+  create_cmd_body          = "alpha container hub config-management enable --project ${var.project_id}"
+  destroy_cmd_entrypoint   = "gcloud"
+  destroy_cmd_body         = "alpha container hub config-management disable --force --project ${var.project_id}"
+}
+
 module "acm_operator" {
 
   source = "../k8s-operator-crd-support"
diff --git a/test/setup/iam.tf b/test/setup/iam.tf
index dad03fab3..5ce8de9f3 100644
--- a/test/setup/iam.tf
+++ b/test/setup/iam.tf
@@ -33,6 +33,7 @@ locals {
     "roles/compute.instanceAdmin",
     "roles/iam.roleAdmin",
     "roles/iap.admin",
+    "roles/gkehub.admin",
   ]
   # roles as documented https://cloud.google.com/service-mesh/docs/gke-install-new-cluster#setting_up_your_project
   int_asm_required_roles = [
diff --git a/test/setup/main.tf b/test/setup/main.tf
index 475a9ddf0..6e6090b26 100644
--- a/test/setup/main.tf
+++ b/test/setup/main.tf
@@ -65,6 +65,7 @@ module "gke-project-2" {
     "pubsub.googleapis.com",
     "serviceusage.googleapis.com",
     "storage-api.googleapis.com",
+    "gkehub.googleapis.com",
   ]
   activate_api_identities = [
     {