diff --git a/terraform/context_validate_test.go b/terraform/context_validate_test.go
index 657daa736..d9a9a3af6 100644
--- a/terraform/context_validate_test.go
+++ b/terraform/context_validate_test.go
@@ -40,6 +40,30 @@ func TestContext2Validate_badCount(t *testing.T) {
 	}
 }
 
+func TestContext2Validate_badResource_reference(t *testing.T) {
+	p := testProvider("aws")
+	p.GetSchemaReturn = &ProviderSchema{
+		ResourceTypes: map[string]*configschema.Block{
+			"aws_instance": {
+				Attributes: map[string]*configschema.Attribute{},
+			},
+		},
+	}
+
+	m := testModule(t, "validate-bad-resource-count")
+	c := testContext2(t, &ContextOpts{
+		Config: m,
+		Providers: map[addrs.Provider]providers.Factory{
+			addrs.NewDefaultProvider("aws"): testProviderFuncFixed(p),
+		},
+	})
+
+	diags := c.Validate()
+	if !diags.HasErrors() {
+		t.Fatalf("succeeded; want error")
+	}
+}
+
 func TestContext2Validate_badVar(t *testing.T) {
 	p := testProvider("aws")
 	p.GetSchemaReturn = &ProviderSchema{
diff --git a/terraform/node_resource_abstract.go b/terraform/node_resource_abstract.go
index 2945dbedf..11eca0d96 100644
--- a/terraform/node_resource_abstract.go
+++ b/terraform/node_resource_abstract.go
@@ -183,7 +183,7 @@ func (n *NodeAbstractResource) References() []*addrs.Reference {
 		result = append(result, n.DependsOn()...)
 
 		if n.Schema == nil {
-			// Should never happens, but we'll log if it does so that we can
+			// Should never happen, but we'll log if it does so that we can
 			// see this easily when debugging.
 			log.Printf("[WARN] no schema is attached to %s, so config references cannot be detected", n.Name())
 		}
@@ -192,7 +192,12 @@ func (n *NodeAbstractResource) References() []*addrs.Reference {
 		result = append(result, refs...)
 		refs, _ = lang.ReferencesInExpr(c.ForEach)
 		result = append(result, refs...)
-		refs, _ = lang.ReferencesInBlock(c.Config, n.Schema)
+
+		// ReferencesInBlock() requires a schema
+		if n.Schema != nil {
+			refs, _ = lang.ReferencesInBlock(c.Config, n.Schema)
+		}
+
 		result = append(result, refs...)
 		if c.Managed != nil {
 			if c.Managed.Connection != nil {
diff --git a/terraform/testdata/validate-bad-resource-count/main.tf b/terraform/testdata/validate-bad-resource-count/main.tf
new file mode 100644
index 000000000..f852a447e
--- /dev/null
+++ b/terraform/testdata/validate-bad-resource-count/main.tf
@@ -0,0 +1,22 @@
+// a resource named "aws_security_groups" does not exist in the schema
+variable "sg_ports" {
+  type        = list(number)
+  description = "List of ingress ports"
+  default     = [8200, 8201, 8300, 9200, 9500]
+}
+
+
+resource "aws_security_groups" "dynamicsg" {
+  name        = "dynamicsg"
+  description = "Ingress for Vault"
+
+  dynamic "ingress" {
+    for_each = var.sg_ports
+    content {
+      from_port   = ingress.value
+      to_port     = ingress.value
+      protocol    = "tcp"
+      cidr_blocks = ["0.0.0.0/0"]
+    }
+  }
+}