I am working on this same thing, and have the same feeling that simply using a description is less reliable. I believe the key will be leveraging cisco.ios.ios_l2_interfaces, the L2 interfaces resource module (Ansible Documentation). I think you may have ...
After reading a little about this, it looks like you have users enter user exec mode by default, and after typing "enable" and then entering the TACACS+ password you probably get denied. If this is the case, you are kind of left to your own devices. I'll ...