fix(cognito): cannot add multiple route53 targets to the same user pool domain

packages/@aws-cdk/aws-cognito/lib/user-pool-domain.ts

@@ -83,6 +83,8 @@ export class UserPoolDomain extends Resource implements IUserPoolDomain {
   public readonly domainName: string;
   private isCognitoDomain: boolean;
 
+  private cloudFrontCustomResource?: AwsCustomResource;
+
   constructor(scope: Construct, id: string, props: UserPoolDomainProps) {
     super(scope, id);
 
@@ -113,25 +115,27 @@ export class UserPoolDomain extends Resource implements IUserPoolDomain {
    * The domain name of the CloudFront distribution associated with the user pool domain.
    */
   public get cloudFrontDomainName(): string {
-    const sdkCall: AwsSdkCall = {
-      service: 'CognitoIdentityServiceProvider',
-      action: 'describeUserPoolDomain',
-      parameters: {
-        Domain: this.domainName,
-      },
-      physicalResourceId: PhysicalResourceId.of(this.domainName),
-    };
-    const customResource = new AwsCustomResource(this, 'CloudFrontDomainName', {
-      resourceType: 'Custom::UserPoolCloudFrontDomainName',
-      onCreate: sdkCall,
-      onUpdate: sdkCall,
-      policy: AwsCustomResourcePolicy.fromSdkCalls({
-        // DescribeUserPoolDomain only supports access level '*'
-        // https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazoncognitouserpools.html#amazoncognitouserpools-actions-as-permissions
-        resources: [ '*' ],
-      }),
-    });
-    return customResource.getResponseField('DomainDescription.CloudFrontDistribution');
+    if (!this.cloudFrontCustomResource) {
+      const sdkCall: AwsSdkCall = {
+        service: 'CognitoIdentityServiceProvider',
+        action: 'describeUserPoolDomain',
+        parameters: {
+          Domain: this.domainName,
+        },
+        physicalResourceId: PhysicalResourceId.of(this.domainName),
+      };
+      this.cloudFrontCustomResource = new AwsCustomResource(this, 'CloudFrontDomainName', {
+        resourceType: 'Custom::UserPoolCloudFrontDomainName',
+        onCreate: sdkCall,
+        onUpdate: sdkCall,
+        policy: AwsCustomResourcePolicy.fromSdkCalls({
+          // DescribeUserPoolDomain only supports access level '*'
+          // https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazoncognitouserpools.html#amazoncognitouserpools-actions-as-permissions
+          resources: [ '*' ],
+        }),
+      });
+    }
+    return this.cloudFrontCustomResource.getResponseField('DomainDescription.CloudFrontDistribution');
   }
 
   /**

packages/@aws-cdk/aws-cognito/test/user-pool-domain.test.ts

@@ -103,7 +103,7 @@ describe('User Pool Client', () => {
     })).not.toThrow();
   });
 
-  test('custom resource is added when cloudFrontDistribution method is called', () => {
+  test('custom resource is added when cloudFrontDomainName property is used', () => {
     // GIVEN
     const stack = new Stack();
     const pool = new UserPool(stack, 'Pool');
@@ -137,6 +137,21 @@ describe('User Pool Client', () => {
     });
   });
 
+  test('cloudFrontDomainName property can be called multiple times', () => {
+    const stack = new Stack();
+    const pool = new UserPool(stack, 'Pool');
+    const domain = pool.addDomain('Domain', {
+      cognitoDomain: {
+        domainPrefix: 'cognito-domain-prefix',
+      },
+    });
+
+    const cfDomainNameFirst = domain.cloudFrontDomainName;
+    const cfDomainNameSecond = domain.cloudFrontDomainName;
+
+    expect(cfDomainNameSecond).toEqual(cfDomainNameFirst);
+  });
+
   describe('signInUrl', () => {
     test('returns the expected URL', () => {
       // GIVEN