I was writing my question and then figured out the answer. I’m going to share it here anyway in case someone else has the same problem.
As part of my build-before setup I’ve added an auth.j2 template to authenticate with ACF Pro. They require the license key as the username and the site’s URL as the password.
I was searching for answers to figure out how to retrieve wordpress_sites.[ current site ].site_hosts.canonical from within my auth.j2 template an realised this is done in .env
So I looked up roles/deploy/vars/main.yml and found how wp_siteurl is written to .env
So here’s the answer to the question I was stuck on for the last hour or so:
auth.j2
{
"http-basic": {
"connect.advancedcustomfields.com": {
"username": "{{ vault_wordpress_env_defaults.acf_pro_key }}",
"password": "{{ project.ssl.enabled | default(false) | ternary('https', 'http') }}://{{ project.site_hosts | map(attribute='canonical') | first }}"
}
}
}
build-before.yml
- name: Create composer auth.json
template:
src: "{{ playbook_dir }}/deploy-hooks/auth.json.j2"
dest: "{{ deploy_helper.new_release_path }}/auth.json"
mode: "0600"