Yeah, this is bread and butter for config management tools. You'd either use a template for the config or the lineinfile module for Ansible.
Your template would have something like this:
PermitRootLogin {{ root_login_enabled }}
in it, and then you can control which servers allow root login with the root_login_enabled variable.
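
The lineinfile route mentioned in the comment above, as an added example that is not part of the original comment. It reuses the comment's `root_login_enabled` variable; the `ssh_servers` group, the `"no"` default, the file path and the `sshd` service name are assumptions.

```yaml
# Added example. Group name, default value, path and service name are assumptions.
- name: Manage PermitRootLogin in sshd_config
  hosts: ssh_servers                 # assumed inventory group
  become: true
  vars:
    # Quote the value: a bare yes/no is parsed as a YAML boolean and would
    # render as True/False, which sshd does not accept.
    # Override per host or group in host_vars/ or group_vars/.
    root_login_enabled: "no"

  tasks:
    - name: Fail early on a value sshd would not accept
      ansible.builtin.assert:
        that:
          - root_login_enabled in ['yes', 'no', 'prohibit-password', 'forced-commands-only']
        fail_msg: "root_login_enabled must be a quoted PermitRootLogin value"

    - name: Set PermitRootLogin
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        # Replace an existing (possibly commented-out) directive.
        regexp: '^\s*#?\s*PermitRootLogin\s'
        line: "PermitRootLogin {{ root_login_enabled }}"
        # If no directive exists yet, insert above the first Match block so
        # the setting stays global instead of landing inside that block.
        insertbefore: '^Match\s'
        firstmatch: true
        # Syntax-check the candidate file before it replaces the live one.
        validate: /usr/sbin/sshd -t -f %s
        backup: true
      notify: Reload sshd

  handlers:
    - name: Reload sshd
      ansible.builtin.service:
        name: sshd                   # "ssh" on Debian/Ubuntu
        state: reloaded
```

A template task (`ansible.builtin.template`) accepts the same `validate` and `notify` settings, so the safety checks carry over if you manage the whole file instead of one line.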