Allow users to add a disabled option to rules in reflex.yaml

[mcbanderson]

If users want to turn off a rule, they should be able to specify enabled: false or something equivalent in their reflex.yaml configuration for a rule instead of having to delete it.

[rjulian]

I'm having trouble reasoning how this would enhance the user-experience. I don't feel like deleting the item is any less work than specifying "enabled" or "disabled". If anything, we're adding confusion about having two possible ways of not enabling a rule.

[mcbanderson]

Here's a scenario in which I view an enabled: false flag being useful:

A team realizes there is an issue with their current usage of a rule (it is changing the configuration of a production resource, leading to an outage. Or they haven't created an exemption in their exemption system for a development account, leading to an inordinate number of alerts to the SOC team).

Because of this issue, they want to temporarily disable the rule while they resolve the underlying issue(s).

With our current setup, their only option is to delete the rule from reflex.yaml. Once the underlying issue is resolved, someone on the team needs to remember that the rule was disabled, go into their Git history and re-add the full rule. But if someone forgets, or there is a miscommunication about who is going to do that, there will be no reminder directly in reflex.yaml that a rule is disabled and needs to be re-enabled, increasing the likelihood that the rule will be forgotten and never re-enabled.

With an enabled: false flag, the risk of this occurring is reduced, and sophisticated teams could even write automation to detect and alert on rules that have been disabled for a certain amount of time, or automatically create PRs to re-enable.