Ansible: how to run a play with hosts with different passwords?

Normally you would want to pass the sudo password on the command line after Ansible's password prompt after using either the --ask-sudo-password or its short alias -K when running with a user that doesn't have passwordless sudo. This has the benefit of then not being recorded in your Ansible code base anywhere and then not ending up in source control.

However, this is a single prompt and will be applied to all hosts so doesn't really fit your use case.

The ansible_sudo_pass variable can instead be used to provide the sudo password for the user for any specific host. This should only be used when a sudo password is needed, so if you provide this variable to a host with passwordless sudo then it should be ignored.

As your user/password combination seems to be split entirely by group rather than by each and every host, it makes logical sense to put the credentials in group vars.

As pointed out by nikobelia you may want to consider encrypting this sensitive data using something like Ansible's Vault, credstash or something else.


Okay, you kind of have two questions here:

How to connect to different hosts with different SSH keys?

Create a different group_vars file for each set of hosts, and set the credentials in there.

```yaml
# group_vars/legacy
---
ansible_ssh_user: myuser
# the per-group private key is selected with ansible_ssh_private_key_file
# (there is no ansible_ssh_key connection variable)
ansible_ssh_private_key_file: ~/.ssh/legacy_key.pem
```

Then Ansible will apply a different key based on which group each host is in, simple as that.

How to use different credentials per host for privilege escalation?

Once more, stick them in different group_vars files for each set of hosts:

```yaml
# group_vars/legacy
---
ansible_become_user: root
ansible_become_pass: "{{ vaulted_legacy_password }}"
```

Then you can use the keyword become: yes to escalate privileges, and Ansible will apply the right credentials for each group. If you're already root, the become keyword just won't have any effect.

And then... see that {{ vaulted_legacy_password }} variable up there?

Best practice, and the only sensible thing to do if you are ever sharing this code, is to make an Ansible Vault file and keep your passwords in there. Ansible Vault password protects your sensitive variables and lets you decrypt them at the time of running.

You can either make your whole group_vars/legacy file vaulted (if the credentials are the only information in it), or make a group_vars/legacy folder, with one plaintext file and one encrypted file in it. All files in a subdirectory of group_vars will be sourced and applied to the group with the name of the folder.
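The layout both answers describe, written out as an added example (this is not code from either answer or from the Ansible project): an inventory with two groups, a plaintext group_vars/legacy/vars.yml that references the become password by variable name, a separate group_vars/legacy/vault.yml that holds the actual secret and is the file you encrypt, and a small check that refuses to proceed while any vault.yml under group_vars is still plaintext. Host names, the group names legacy and modern, the password value and the VAULT_PASS_FILE variable are all constructed for the demo; it uses the current become_* variable names rather than the older ansible_sudo_pass.

```shell
#!/bin/sh
# Added example: per-group escalation credentials kept behind Ansible Vault,
# plus a pre-commit style check that every vault.yml is really encrypted.
# All hostnames, group names and the password value below are constructed.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Create the project skeleton: one group that needs a sudo password,
# one group with passwordless sudo.
make_layout() {
    dir="$1"
    mkdir -p "$dir/group_vars/legacy" "$dir/group_vars/modern"
    cat > "$dir/inventory.ini" <<'EOF'
[legacy]
legacy-01.example.internal
legacy-02.example.internal

[modern]
modern-01.example.internal
EOF
    # Plaintext group vars: refer to the secret by name, never inline it,
    # so this file can stay readable and diffable in source control.
    cat > "$dir/group_vars/legacy/vars.yml" <<'EOF'
---
ansible_user: myuser
ansible_ssh_private_key_file: ~/.ssh/legacy_key.pem
ansible_become: true
ansible_become_user: root
ansible_become_pass: "{{ vault_legacy_become_pass }}"
EOF
    # The secret lives in its own file so the whole file can be vaulted.
    cat > "$dir/group_vars/legacy/vault.yml" <<'EOF'
---
vault_legacy_become_pass: "constructed-demo-password"
EOF
    # Modern hosts have passwordless sudo: no become password is defined,
    # and Ansible simply does not prompt for one.
    cat > "$dir/group_vars/modern/vars.yml" <<'EOF'
---
ansible_user: deploy
ansible_become: true
EOF
}

# Encrypt every vault.yml in place. Uses --vault-password-file so it never
# blocks on an interactive prompt; does nothing if ansible-vault is absent.
encrypt_vault_files() {
    dir="$1"
    passfile="$2"
    command -v ansible-vault >/dev/null 2>&1 || return 0
    find "$dir/group_vars" -name vault.yml \
        -exec ansible-vault encrypt --vault-password-file "$passfile" {} \;
}

# Return 0 when every vault.yml under group_vars carries the Vault header
# ("$ANSIBLE_VAULT;" on the first line), 1 if any is still plaintext.
check_vault_files() {
    dir="$1"
    status=0
    for f in $(find "$dir/group_vars" -name vault.yml); do
        if head -n 1 "$f" | grep -q '^\$ANSIBLE_VAULT;'; then
            echo "ok        $f"
        else
            echo "PLAINTEXT $f"
            status=1
        fi
    done
    return $status
}

make_layout "$WORKDIR"
# Only encrypt when the caller points at a vault password file.
if [ -n "${VAULT_PASS_FILE:-}" ]; then
    encrypt_vault_files "$WORKDIR" "$VAULT_PASS_FILE"
fi
check_vault_files "$WORKDIR" \
    || echo "refusing to commit: plaintext secrets under $WORKDIR/group_vars"
```

With the vault file encrypted, the play is run as `ansible-playbook -i inventory.ini site.yml --ask-vault-pass` (or with `--vault-password-file`); Ansible decrypts vault.yml at run time, resolves `{{ vault_legacy_become_pass }}` for hosts in `legacy` only, and hosts in `modern` escalate without a password. Running the check from a pre-commit hook is what stops a half-finished vault.yml from reaching the repository in the clear.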