diff --git a/node_groups.tf b/node_groups.tf
index 402191f162..b7f24d8f18 100644
--- a/node_groups.tf
+++ b/node_groups.tf
@@ -56,7 +56,12 @@ locals {
   node_sg_name   = coalesce(var.node_security_group_name, "${var.cluster_name}-node")
   create_node_sg = var.create && var.create_node_security_group
 
-  node_security_group_id = local.create_node_sg ? aws_security_group.node[0].id : var.node_security_group_id
+  # Terraform will evaluate locals even when state is empty or after destroy, so
+  # it's critical to NOT refer to list elements that won't existing until apply.
+  # This can be fixed with "splat" syntax, which is lenient to empty lists:
+  #   https://developer.hashicorp.com/terraform/language/expressions/splat#single-values-as-lists
+  # node_security_group_id = local.create_node_sg ? aws_security_group.node[0].id : var.node_security_group_id
+  node_security_group_id = local.create_node_sg ? coalescelist(aws_security_group.node[*].id, [""]) : var.node_security_group_id
 
   node_security_group_rules = {
     egress_cluster_443 = {
@@ -171,7 +176,7 @@ resource "aws_security_group_rule" "node" {
   for_each = { for k, v in merge(local.node_security_group_rules, var.node_security_group_additional_rules) : k => v if local.create_node_sg }
 
   # Required
-  security_group_id = aws_security_group.node[0].id
+  security_group_id = coalescelist(aws_security_group.node[*].id, [""])  # aws_security_group.node[0].id
   protocol          = each.value.protocol
   from_port         = each.value.from_port
   to_port           = each.value.to_port