Confuse about guardduty feature at organization level

Hi everybody,

My goal is to enable GuardDuty protections for many accounts at Org level (the single place)

When I work with GuardDuty in AWS console

  • From the master account, I delegated GuardDuty to an account called “DevOps”
  • Then, In this “DevOps” account, I just go to GuardDuty, click on tab “Accounts” (in the left menu → click on the button “Edit Protection Plans” → then select protections for each (or many) AWS accounts

That’s work and very clear.

Now I would do the same with terraform (skipping the part of account delegation) and found that the resource “aws_guardduty_organization_configuration_feature” seems the same task

But in some example I read, for example How To Implement AWS SSB Controls in Terraform - Part 2 or terraform-aws-mcaf-landing-zone/guardduty.tf at master · schubergphilis/terraform-aws-mcaf-landing-zone · GitHub , we need to run the resource “aws_guardduty_organization_configuration_feature” in the account that we want to enable, not the GuardDuty management account (in my case, “DevOps” account).

So this really confuses me. Anyone could help to clarify if my understanding is right or wrong ?
Is there any way to enable GuardDuty protections for many accounts at Org level (the single place) using terraform ?

Thank you so much.

Best Regards,