Moving log files out of www root

I would like to move the log files outside of the www root based on this warning from WP Site Health tab. The reccommendation makes sense.

Your site is set to log errors to a potentially public fileSecurity

Debug mode is often enabled to gather more details about an error or site failure, but may contain sensitive information which should not be available on a publicly available website.

The value, WP_DEBUG_LOG, has been added to this website’s configuration file. This means any errors on the site will be written to a file which is potentially available to all users.

This path is currently set as en env var via group_vars/all/helpers.yml and is set as follows.
wp_debug_log: "{{ www_root }}/{{ item.key }}/logs/debug.log"

It would seem better to place these outside of the www root. I can see this variable in the build-before.yml hook, but not certain I can use this.
{{ deploy_helper.shared_path }} or ``

Setting the value of wp_debug_log in group_vars/development/wordpress_sites.yml under the env block to wp_debug_log: "{{ project_local_path }}/{{ item.key }}/logs/debug.log" throws an error when reprovisioning development.

The error is
fatal: [default]: FAILED! => {"msg": "The conditional check 'wordpress_sites.keys() | difference(vault_wordpress_sites.keys()) | count' failed. The error was: error while evaluating conditional (wordpress_sites.keys() | difference(vault_wordpress_sites.keys()) | count): {'mysite.com': {'site_hosts': [{'canonical': 'mysite.test', 'redirects': ['www.mysite.test']}], 'local_path': '../site', 'admin_email': 'admin@mysite.test', 'multisite': {'enabled': False}, 'ssl': {'enabled': False, 'provider': 'self-signed'}, 'cache': {'enabled': False}, 'env': {'woocommerce_force_ssl_checkout': False, 'standard_override_original': 'overridden_standard', 'standard_dev': 'dev_new_value', 'wp_debug_log': '{{ project_local_path }}/{{ item.key }}/logs/debug.log'}}}: 'project_local_path' is undefined\n\nThe error appears to be in '/my-computer/work/com.mysite/trellis/roles/common/tasks/main.yml': line 24, column 3, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n\n- name: Validate wordpress_sites\n ^ here\n"}

Is there a list of variable trellis variable that can be used in the group_vars similar to the {{ www_root }} variable that is used?

Thank you in advance.

That would be the Validate wordpress_sites task:

It checks whether the number of wordpress sites (by key) in wordpress_sites is equal to the number of vault wordpress sites.
You may have introduced an issue into the YAML file, e.g. wrong indentation.