diff --git a/examples/aws-auth/input/configmaps/base.yaml b/examples/aws-auth/input/configmaps/base.yaml
index ca465b6..ee73d00 100644
--- a/examples/aws-auth/input/configmaps/base.yaml
+++ b/examples/aws-auth/input/configmaps/base.yaml
@@ -4,7 +4,7 @@ metadata:
   name: aws-auth-base
   namespace: kube-system
   annotations:
-      aggregate: aws-auth
+      aggregate.auth.annotation: aws-auth
 data:
     mapRoles: |
         - rolearn: arn:aws:iam::111122223333:role/admin-role
diff --git a/examples/aws-auth/input/configmaps/tenant-acme.yaml b/examples/aws-auth/input/configmaps/tenant-acme.yaml
index 49bc42f..8d05292 100644
--- a/examples/aws-auth/input/configmaps/tenant-acme.yaml
+++ b/examples/aws-auth/input/configmaps/tenant-acme.yaml
@@ -4,7 +4,7 @@ metadata:
   name: aws-auth-tenant-acme
   namespace: kube-system
   annotations:
-      aggregate: aws-auth
+      aggregate.auth.annotation: aws-auth
 data:
     mapRoles: |
         - rolearn: arn:aws:iam::111122223333:role/tenant-acme-role
diff --git a/examples/aws-auth/input/configmaps/tenant-umbrella.yaml b/examples/aws-auth/input/configmaps/tenant-umbrella.yaml
index d613a36..3688d9f 100644
--- a/examples/aws-auth/input/configmaps/tenant-umbrella.yaml
+++ b/examples/aws-auth/input/configmaps/tenant-umbrella.yaml
@@ -4,7 +4,7 @@ metadata:
   name: aws-auth-tenant-umbrella
   namespace: kube-system
   annotations:
-      aggregate: aws-auth
+      aggregate.auth.annotation: aws-auth
 data:
     mapRoles: |
         - rolearn: arn:aws:iam::111122223333:role/tenant-umbrella-role
diff --git a/examples/aws-auth/input/templates/aws-auth.yaml b/examples/aws-auth/input/templates/aws-auth.yaml
index 79dfab3..c5ce97d 100644
--- a/examples/aws-auth/input/templates/aws-auth.yaml
+++ b/examples/aws-auth/input/templates/aws-auth.yaml
@@ -8,7 +8,7 @@ spec:
     SELECT cm.data AS cm
     FROM "ConfigMap.core" AS cm
     WHERE cm.namespace = 'kube-system' AND
-    json_extract(cm.data, '$.metadata.annotations.aggregate') = 'aws-auth'
+    json_extract(cm.data, '$.metadata.annotations."aggregate.auth.annotation"') = 'aws-auth'
   template:
     language: cue
     batchModeProcessing: true
diff --git a/examples/aws-auth/readme.md b/examples/aws-auth/readme.md
index 8a7c54f..7e3fa87 100644
--- a/examples/aws-auth/readme.md
+++ b/examples/aws-auth/readme.md
@@ -54,8 +54,8 @@ input `ConfigMap` instances, so each piece of Terraform code can own its own
 resource. Kumquat is the only thing that owns `aws-auth`.
 
 The following template does just that. It also check for the presence of the
-`aggregate` annotation on the inputs, and ensures the value is `aws-auth`.
-This ensure that the template only merges `ConfigMap` instances that belong
+`aggregate.auth.annotation` annotation on the inputs, and ensures the value is `aws-auth`.
+This ensures that the template only merges `ConfigMap` instances that belong
 in `aws-auth`. The choice of aggregation name and value was arbitrary.
 
 ```yaml
@@ -69,7 +69,7 @@ spec:
     SELECT cm.data AS cm
     FROM "ConfigMap.core" AS cm
     WHERE cm.namespace = 'kube-system' AND
-    json_extract(cm.data, '$.metadata.annotations.aggregate') = 'aws-auth'
+    json_extract(cm.data, '$.metadata.annotations."aggregate.auth.annotation"') = 'aws-auth'
   template:
     language: cue
     batchModeProcessing: true
diff --git a/internal/controller/test_resources/delete_scenario/input/configmaps/base.yaml b/internal/controller/test_resources/delete_scenario/input/configmaps/base.yaml
index ca465b6..ee73d00 100644
--- a/internal/controller/test_resources/delete_scenario/input/configmaps/base.yaml
+++ b/internal/controller/test_resources/delete_scenario/input/configmaps/base.yaml
@@ -4,7 +4,7 @@ metadata:
   name: aws-auth-base
   namespace: kube-system
   annotations:
-      aggregate: aws-auth
+      aggregate.auth.annotation: aws-auth
 data:
     mapRoles: |
         - rolearn: arn:aws:iam::111122223333:role/admin-role
diff --git a/internal/controller/test_resources/delete_scenario/input/configmaps/tenant-acme.yaml b/internal/controller/test_resources/delete_scenario/input/configmaps/tenant-acme.yaml
index 49bc42f..8d05292 100644
--- a/internal/controller/test_resources/delete_scenario/input/configmaps/tenant-acme.yaml
+++ b/internal/controller/test_resources/delete_scenario/input/configmaps/tenant-acme.yaml
@@ -4,7 +4,7 @@ metadata:
   name: aws-auth-tenant-acme
   namespace: kube-system
   annotations:
-      aggregate: aws-auth
+      aggregate.auth.annotation: aws-auth
 data:
     mapRoles: |
         - rolearn: arn:aws:iam::111122223333:role/tenant-acme-role
diff --git a/internal/controller/test_resources/delete_scenario/input/configmaps/tenant-umbrella.yaml b/internal/controller/test_resources/delete_scenario/input/configmaps/tenant-umbrella.yaml
index d613a36..3688d9f 100644
--- a/internal/controller/test_resources/delete_scenario/input/configmaps/tenant-umbrella.yaml
+++ b/internal/controller/test_resources/delete_scenario/input/configmaps/tenant-umbrella.yaml
@@ -4,7 +4,7 @@ metadata:
   name: aws-auth-tenant-umbrella
   namespace: kube-system
   annotations:
-      aggregate: aws-auth
+      aggregate.auth.annotation: aws-auth
 data:
     mapRoles: |
         - rolearn: arn:aws:iam::111122223333:role/tenant-umbrella-role
diff --git a/internal/controller/test_resources/delete_scenario/input/templates/test_template.yaml b/internal/controller/test_resources/delete_scenario/input/templates/test_template.yaml
index 079ce2f..1c0602b 100644
--- a/internal/controller/test_resources/delete_scenario/input/templates/test_template.yaml
+++ b/internal/controller/test_resources/delete_scenario/input/templates/test_template.yaml
@@ -8,7 +8,7 @@ spec:
     SELECT cm.data AS cm
     FROM "ConfigMap.core" AS cm
     WHERE cm.namespace = 'kube-system' AND
-    json_extract(cm.data, '$.metadata.annotations.aggregate') = 'aws-auth'
+    json_extract(cm.data, '$.metadata.annotations."aggregate.auth.annotation"') = 'aws-auth'
   template:
     language: cue
     batchModeProcessing: false