Silent failure in CloudFormation Lambda VpcConfig

I'm trying to add a VPC to a lambda, via CloudFormation. We're using SAM, so it's a "AWS::Serverless::Function". I have added the VpcConfig section of the CF template as per the docs, but the VPC is never attached to the lambda. No error, successful deploy, but no VPC. I can then add the VPC (and later EFS) config via the console. Drift detection shows no discrepancy between actual and expected, either before or after I manually add the VPC. Deploying again later, using "sam deploy", silently removes the VPC config. Below is a minimal CloudFormation template displaying the behavior. I've tried everything I can think of, including a "DependsOn" clause referencing the VPC and subnets. What am I missing? ``` AWSTemplateFormatVersion: '2010-09-09' Transform: AWS::Serverless-2016-10-31 Description: Test template for VPC/Lambda config Resources: MyVPC: Type: AWS::EC2::VPC Properties: CidrBlock: "" EnableDnsHostnames: true EnableDnsSupport: true MyVPCSubnetMaster: Type: AWS::EC2::Subnet Properties: VpcId: !Ref MyVPC AvailabilityZone: !Select [0, !GetAZs ""] CidrBlock: "" MapPublicIpOnLaunch: true MyVPCSubnetBackup: Type: AWS::EC2::Subnet Properties: VpcId: !Ref MyVPC AvailabilityZone: !Select [ 1, !GetAZs "" ] CidrBlock: "" MapPublicIpOnLaunch: true MyLambda: Type: AWS::Serverless::Function VpcConfig: SecurityGroupIds: - !GetAtt MyVPC.DefaultSecurityGroup SubnetIds: - !GetAtt MyVPCSubnetMaster.SubnetId - !GetAtt MyVPCSubnetBackup.SubnetId Properties: FunctionName: "MyLambda" Runtime: "python3.8" Handler: "index.handler" CodeUri: test/MyLambda ```
asked 22 days ago