implement kyverno admission webhook - crossplane.io/external-name cannot be changed once created

[haarchri]

due to a misconfiguration in one of our composition we accidentally created a lot kms cmk keys in our aws accounts which let to a huge amount of unintended cost and a lot of work to cleanup the unused keys.

the problem here is that the id/external-name for a kms-key is created by aws - and provider-aws is still re-creating the kms-key after every composition reconciliation... :/ because of the following patch:
please not do this 👎 in your composition patches ;)

  patchSets:
  - name: Name
    patches:
    - fromFieldPath: metadata.labels[crossplane.io/claim-name]
      toFieldPath: metadata.annotations[crossplane.io/external-name]
      type: FromCompositeFieldPath
[...]
  resources:
  - base:
      apiVersion: kms.aws.crossplane.io/v1alpha1
      kind: Key
      spec:
        providerConfigRef:
          name: default
    name: Key
    patches:
    - patchSetName: Name
      type: PatchSet
[...]

directly after we added a kyverno admission webhook - that the crossplane.io/external-name cannot be changed once created like:

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: protect-external-name
  annotations:
    pod-policies.kyverno.io/autogen-controllers: none
    policies.kyverno.io/title: Protect external name
    policies.kyverno.io/category: crossplane
    policies.kyverno.io/severity: high
    kyverno.io/kyverno-version: 1.6.0
    policies.kyverno.io/minversion: 1.6.0
    kyverno.io/kubernetes-version: "1.23"
    policies.kyverno.io/subject: Key,Annotation
    policies.kyverno.io/description: >-
      Prevent updates of external name annotation  
spec:
  validationFailureAction: enforce
  background: false
  rules:
  - name: external-name
    match:
      any:
      - resources:
          kinds:
          - kms.aws.crossplane.io/v1alpha1/Key
    preconditions:
      all:
      - key: "{{ request.operation }}"
        operator: Equals
        value: UPDATE
    validate:
      message: "The annotation `crossplane.io/external-name` cannot be changed once created."
      deny: 
        conditions: 
          all: 
          - key: "{{ request.oldObject.metadata.annotations.\"crossplane.io/external-name\" }}" 
            operator: Equals
            Value: "*"
          - key: "{{ request.oldObject.metadata.annotations.\"crossplane.io/external-name\" }}" 
            operator: NotEquals
            Value:  "{{ request.object.metadata.annotations.\"crossplane.io/external-name\" }}"